Home Home > GIT Browse > SLE12-SP3
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJiri Slaby <jslaby@suse.cz>2019-01-15 07:14:13 +0100
committerJiri Slaby <jslaby@suse.cz>2019-01-15 10:06:02 +0100
commit5698b8ae04f37a54cc752447a6f73769a9991aac (patch)
treef423afdb373aba1e139099a2b6f16f4ee4abc7e3
parentd7fef27dc68ba8520f49d1ad41798d83e70143e2 (diff)
- Linux 4.4.170 (bnc#1012382).
- xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only (bnc#1012382). - USB: serial: option: add GosunCn ZTE WeLink ME3630 (bnc#1012382). - USB: serial: option: add HP lt4132 (bnc#1012382). - USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) (bnc#1012382). - USB: serial: option: add Fibocom NL668 series (bnc#1012382). - USB: serial: option: add Telit LN940 series (bnc#1012382). - mmc: core: Reset HPI enabled state during re-init and in case of errors (bnc#1012382). - mmc: omap_hsmmc: fix DMA API warning (bnc#1012382). - gpio: max7301: fix driver for use with CONFIG_VMAP_STACK (bnc#1012382). - Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels (bnc#1012382). - x86/mtrr: Don't copy uninitialized gentry fields back to userspace (bnc#1012382). - drm/ioctl: Fix Spectre v1 vulnerabilities (bnc#1012382). - ip6mr: Fix potential Spectre v1 vulnerability (bnc#1012382). - ipv4: Fix potential Spectre v1 vulnerability (bnc#1012382). - ax25: fix a use-after-free in ax25_fillin_cb() (bnc#1012382). - ibmveth: fix DMA unmap error in ibmveth_xmit_start error path (bnc#1012382). - ieee802154: lowpan_header_create check must check daddr (bnc#1012382). - ipv6: explicitly initialize udp6_addr in udp_sock_create6() (bnc#1012382). - isdn: fix kernel-infoleak in capi_unlocked_ioctl (bnc#1012382). - netrom: fix locking in nr_find_socket() (bnc#1012382). - packet: validate address length (bnc#1012382). - packet: validate address length if non-zero (bnc#1012382). - sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event (bnc#1012382). - vhost: make sure used idx is seen before log in vhost_add_used_n() (bnc#1012382). - VSOCK: Send reset control packet when socket is partially bound (bnc#1012382). - xen/netfront: tolerate frags with no data (bnc#1012382). - gro_cell: add napi_disable in gro_cells_destroy (bnc#1012382). - sock: Make sock->sk_stamp thread-safe (bnc#1012382). - ALSA: rme9652: Fix potential Spectre v1 vulnerability (bnc#1012382). - ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities (bnc#1012382). - ALSA: pcm: Fix potential Spectre v1 vulnerability (bnc#1012382). - ALSA: emux: Fix potential Spectre v1 vulnerabilities (bnc#1012382). - ALSA: hda: add mute LED support for HP EliteBook 840 G4 (bnc#1012382). - ALSA: hda/tegra: clear pending irq handlers (bnc#1012382). - USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays (bnc#1012382). - USB: serial: option: add Fibocom NL678 series (bnc#1012382). - usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() (bnc#1012382). - Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G (bnc#1012382). - KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup (bnc#1012382). - perf pmu: Suppress potential format-truncation warning (bnc#1012382). - ext4: fix possible use after free in ext4_quota_enable (bnc#1012382). - ext4: missing unlock/put_page() in ext4_try_to_write_inline_data() (bnc#1012382). - ext4: fix EXT4_IOC_GROUP_ADD ioctl (bnc#1012382). - ext4: force inode writes when nfsd calls commit_metadata() (bnc#1012382). - spi: bcm2835: Fix race on DMA termination (bnc#1012382). - spi: bcm2835: Fix book-keeping of DMA termination (bnc#1012382). - spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode (bnc#1012382). - cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader (bnc#1012382). - media: vivid: free bitmap_cap when updating std/timings/etc (bnc#1012382). - MIPS: Ensure pmd_present() returns false after pmd_mknotpresent() (bnc#1012382). - MIPS: Align kernel load address to 64KB (bnc#1012382). - CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem (bnc#1012382). - spi: bcm2835: Unbreak the build of esoteric configs (bnc#1012382). - powerpc: Fix COFF zImage booting on old powermacs (bnc#1012382). - ARM: imx: update the cpu power up timing setting on i.mx6sx (bnc#1012382). - Input: restore EV_ABS ABS_RESERVED (bnc#1012382). - checkstack.pl: fix for aarch64 (bnc#1012382). - xfrm: Fix bucket count reported to userspace (bnc#1012382). - scsi: bnx2fc: Fix NULL dereference in error handling (bnc#1012382). - Input: omap-keypad - fix idle configuration to not block SoC idle states (bnc#1012382). - scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown (bnc#1012382). - fork: record start_time late (bnc#1012382). - mm, devm_memremap_pages: kill mapping "System RAM" support (bnc#1012382). - sunrpc: fix cache_head leak due to queued request (bnc#1012382). - crypto: x86/chacha20 - avoid sleeping with preemption disabled (bnc#1012382). - ALSA: cs46xx: Potential NULL dereference in probe (bnc#1012382). - ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() (bnc#1012382). - ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks (bnc#1012382). - dlm: fixed memory leaks after failed ls_remove_names allocation (bnc#1012382). - dlm: possible memory leak on error path in create_lkb() (bnc#1012382). - dlm: lost put_lkb on error path in receive_convert() and receive_unlock() (bnc#1012382). - dlm: memory leaks on error path in dlm_user_request() (bnc#1012382). - gfs2: Fix loop in gfs2_rbm_find (bnc#1012382). - b43: Fix error in cordic routine (bnc#1012382). - 9p/net: put a lower bound on msize (bnc#1012382). - genwqe: Fix size check (bnc#1012382). - intel_th: msu: Fix an off-by-one in attribute store (bnc#1012382). - power: supply: olpc_battery: correct the temperature units (bnc#1012382). - Refresh patches.drivers/0019-x86-mm-introduce-vmem_altmap-to-augment-vmemmap_populate.patch. - Refresh patches.drivers/genwqe-ensure-zero-initialization.patch. - Refresh patches.drivers/mm-dax-pmem-introduce-get_put-dev_pagemap-for-dax-gup.patch. - Refresh patches.drivers/net-next-treewide-use-is_vlan_dev-helper-function.patch. - Refresh patches.fixes/0003-memremap-add-scheduling-point-to-devm_memremap_pages.patch. - Refresh patches.suse/0046-perf-tools-omit-unnecessary-cast-in-perf_pmu__parse_scale. - Refresh patches.suse/0047-perf-pmu-factor-out-scale-conversion-code. - Refresh patches.suse/mm-compaction-introduce-kcompactd.patch.
-rw-r--r--patches.drivers/0019-x86-mm-introduce-vmem_altmap-to-augment-vmemmap_populate.patch52
-rw-r--r--patches.drivers/genwqe-ensure-zero-initialization.patch17
-rw-r--r--patches.drivers/mm-dax-pmem-introduce-get_put-dev_pagemap-for-dax-gup.patch54
-rw-r--r--patches.drivers/net-next-treewide-use-is_vlan_dev-helper-function.patch32
-rw-r--r--patches.fixes/0003-memremap-add-scheduling-point-to-devm_memremap_pages.patch8
-rw-r--r--patches.kernel.org/4.4.170-001-USB-hso-Fix-OOB-memory-access-in-hso_probe-hs.patch (renamed from patches.drivers/USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch)20
-rw-r--r--patches.kernel.org/4.4.170-002-xhci-Don-t-prevent-USB2-bus-suspend-in-state-.patch45
-rw-r--r--patches.kernel.org/4.4.170-003-USB-serial-option-add-GosunCn-ZTE-WeLink-ME36.patch75
-rw-r--r--patches.kernel.org/4.4.170-004-USB-serial-option-add-HP-lt4132.patch88
-rw-r--r--patches.kernel.org/4.4.170-005-USB-serial-option-add-Simcom-SIM7500-SIM7600-.patch54
-rw-r--r--patches.kernel.org/4.4.170-006-USB-serial-option-add-Fibocom-NL668-series.patch71
-rw-r--r--patches.kernel.org/4.4.170-007-USB-serial-option-add-Telit-LN940-series.patch71
-rw-r--r--patches.kernel.org/4.4.170-008-mmc-core-Reset-HPI-enabled-state-during-re-in.patch44
-rw-r--r--patches.kernel.org/4.4.170-009-mmc-omap_hsmmc-fix-DMA-API-warning.patch71
-rw-r--r--patches.kernel.org/4.4.170-010-gpio-max7301-fix-driver-for-use-with-CONFIG_V.patch59
-rw-r--r--patches.kernel.org/4.4.170-011-Drivers-hv-vmbus-Return-EINVAL-for-the-sys-fi.patch125
-rw-r--r--patches.kernel.org/4.4.170-012-x86-mtrr-Don-t-copy-uninitialized-gentry-fiel.patch47
-rw-r--r--patches.kernel.org/4.4.170-013-drm-ioctl-Fix-Spectre-v1-vulnerabilities.patch80
-rw-r--r--patches.kernel.org/4.4.170-014-ip6mr-Fix-potential-Spectre-v1-vulnerability.patch65
-rw-r--r--patches.kernel.org/4.4.170-015-ipv4-Fix-potential-Spectre-v1-vulnerability.patch56
-rw-r--r--patches.kernel.org/4.4.170-016-ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch81
-rw-r--r--patches.kernel.org/4.4.170-017-ibmveth-fix-DMA-unmap-error-in-ibmveth_xmit_s.patch66
-rw-r--r--patches.kernel.org/4.4.170-018-ieee802154-lowpan_header_create-check-must-ch.patch39
-rw-r--r--patches.kernel.org/4.4.170-019-ipv6-explicitly-initialize-udp6_addr-in-udp_s.patch54
-rw-r--r--patches.kernel.org/4.4.170-020-isdn-fix-kernel-infoleak-in-capi_unlocked_ioc.patch86
-rw-r--r--patches.kernel.org/4.4.170-021-netrom-fix-locking-in-nr_find_socket.patch107
-rw-r--r--patches.kernel.org/4.4.170-022-packet-validate-address-length.patch46
-rw-r--r--patches.kernel.org/4.4.170-023-packet-validate-address-length-if-non-zero.patch47
-rw-r--r--patches.kernel.org/4.4.170-024-sctp-initialize-sin6_flowinfo-for-ipv6-addrs-.patch68
-rw-r--r--patches.kernel.org/4.4.170-025-vhost-make-sure-used-idx-is-seen-before-log-i.patch40
-rw-r--r--patches.kernel.org/4.4.170-026-VSOCK-Send-reset-control-packet-when-socket-i.patch135
-rw-r--r--patches.kernel.org/4.4.170-027-xen-netfront-tolerate-frags-with-no-data.patch41
-rw-r--r--patches.kernel.org/4.4.170-028-gro_cell-add-napi_disable-in-gro_cells_destro.patch83
-rw-r--r--patches.kernel.org/4.4.170-029-sock-Make-sock-sk_stamp-thread-safe.patch192
-rw-r--r--patches.kernel.org/4.4.170-030-ALSA-rme9652-Fix-potential-Spectre-v1-vulnera.patch76
-rw-r--r--patches.kernel.org/4.4.170-031-ALSA-emu10k1-Fix-potential-Spectre-v1-vulnera.patch67
-rw-r--r--patches.kernel.org/4.4.170-032-ALSA-pcm-Fix-potential-Spectre-v1-vulnerabili.patch56
-rw-r--r--patches.kernel.org/4.4.170-033-ALSA-emux-Fix-potential-Spectre-v1-vulnerabil.patch74
-rw-r--r--patches.kernel.org/4.4.170-034-ALSA-hda-add-mute-LED-support-for-HP-EliteBoo.patch41
-rw-r--r--patches.kernel.org/4.4.170-035-ALSA-hda-tegra-clear-pending-irq-handlers.patch48
-rw-r--r--patches.kernel.org/4.4.170-036-USB-serial-pl2303-add-ids-for-Hewlett-Packard.patch69
-rw-r--r--patches.kernel.org/4.4.170-037-USB-serial-option-add-Fibocom-NL678-series.patch72
-rw-r--r--patches.kernel.org/4.4.170-038-usb-r8a66597-Fix-a-possible-concurrency-use-a.patch73
-rw-r--r--patches.kernel.org/4.4.170-039-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-AS.patch37
-rw-r--r--patches.kernel.org/4.4.170-040-KVM-x86-Use-jmp-to-invoke-kvm_spurious_fault-.patch141
-rw-r--r--patches.kernel.org/4.4.170-041-perf-pmu-Suppress-potential-format-truncation.patch81
-rw-r--r--patches.kernel.org/4.4.170-042-ext4-fix-possible-use-after-free-in-ext4_quot.patch42
-rw-r--r--patches.kernel.org/4.4.170-043-ext4-missing-unlock-put_page-in-ext4_try_to_w.patch43
-rw-r--r--patches.kernel.org/4.4.170-044-ext4-fix-EXT4_IOC_GROUP_ADD-ioctl.patch45
-rw-r--r--patches.kernel.org/4.4.170-045-ext4-force-inode-writes-when-nfsd-calls-commi.patch93
-rw-r--r--patches.kernel.org/4.4.170-046-spi-bcm2835-Fix-race-on-DMA-termination.patch67
-rw-r--r--patches.kernel.org/4.4.170-047-spi-bcm2835-Fix-book-keeping-of-DMA-terminati.patch50
-rw-r--r--patches.kernel.org/4.4.170-048-spi-bcm2835-Avoid-finishing-transfer-prematur.patch66
-rw-r--r--patches.kernel.org/4.4.170-049-cdc-acm-fix-abnormal-DATA-RX-issue-for-Mediat.patch87
-rw-r--r--patches.kernel.org/4.4.170-050-media-vivid-free-bitmap_cap-when-updating-std.patch38
-rw-r--r--patches.kernel.org/4.4.170-051-MIPS-Ensure-pmd_present-returns-false-after-p.patch50
-rw-r--r--patches.kernel.org/4.4.170-052-MIPS-Align-kernel-load-address-to-64KB.patch62
-rw-r--r--patches.kernel.org/4.4.170-053-CIFS-Fix-error-mapping-for-SMB2_LOCK-command-.patch58
-rw-r--r--patches.kernel.org/4.4.170-054-x86-kvm-vmx-do-not-use-vm-exit-instruction-le.patch (renamed from patches.fixes/x86-kvm-vmx-do-not-use-vm-exit-instruction-length-fo.patch)61
-rw-r--r--patches.kernel.org/4.4.170-055-spi-bcm2835-Unbreak-the-build-of-esoteric-con.patch47
-rw-r--r--patches.kernel.org/4.4.170-056-powerpc-Fix-COFF-zImage-booting-on-old-powerm.patch59
-rw-r--r--patches.kernel.org/4.4.170-057-ARM-imx-update-the-cpu-power-up-timing-settin.patch43
-rw-r--r--patches.kernel.org/4.4.170-058-Input-restore-EV_ABS-ABS_RESERVED.patch46
-rw-r--r--patches.kernel.org/4.4.170-059-checkstack.pl-fix-for-aarch64.patch49
-rw-r--r--patches.kernel.org/4.4.170-060-xfrm-Fix-bucket-count-reported-to-userspace.patch37
-rw-r--r--patches.kernel.org/4.4.170-061-scsi-bnx2fc-Fix-NULL-dereference-in-error-han.patch37
-rw-r--r--patches.kernel.org/4.4.170-062-Input-omap-keypad-fix-idle-configuration-to-n.patch86
-rw-r--r--patches.kernel.org/4.4.170-063-scsi-zfcp-fix-posting-too-many-status-read-bu.patch98
-rw-r--r--patches.kernel.org/4.4.170-064-fork-record-start_time-late.patch83
-rw-r--r--patches.kernel.org/4.4.170-065-hwpoison-memory_hotplug-allow-hwpoisoned-page.patch (renamed from patches.fixes/0001-hwpoison-memory_hotplug-allow-hwpoisoned-pages-to-be.patch)114
-rw-r--r--patches.kernel.org/4.4.170-067-mm-devm_memremap_pages-kill-mapping-System-RA.patch65
-rw-r--r--patches.kernel.org/4.4.170-068-sunrpc-fix-cache_head-leak-due-to-queued-requ.patch74
-rw-r--r--patches.kernel.org/4.4.170-069-sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch (renamed from patches.fixes/sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch)28
-rw-r--r--patches.kernel.org/4.4.170-070-crypto-x86-chacha20-avoid-sleeping-with-preem.patch43
-rw-r--r--patches.kernel.org/4.4.170-071-ALSA-cs46xx-Potential-NULL-dereference-in-pro.patch39
-rw-r--r--patches.kernel.org/4.4.170-072-ALSA-usb-audio-Avoid-access-before-bLength-ch.patch54
-rw-r--r--patches.kernel.org/4.4.170-073-ALSA-usb-audio-Fix-an-out-of-bound-read-in-cr.patch51
-rw-r--r--patches.kernel.org/4.4.170-074-dlm-fixed-memory-leaks-after-failed-ls_remove.patch46
-rw-r--r--patches.kernel.org/4.4.170-075-dlm-possible-memory-leak-on-error-path-in-cre.patch35
-rw-r--r--patches.kernel.org/4.4.170-076-dlm-lost-put_lkb-on-error-path-in-receive_con.patch44
-rw-r--r--patches.kernel.org/4.4.170-077-dlm-memory-leaks-on-error-path-in-dlm_user_re.patch61
-rw-r--r--patches.kernel.org/4.4.170-078-gfs2-Fix-loop-in-gfs2_rbm_find.patch42
-rw-r--r--patches.kernel.org/4.4.170-079-b43-Fix-error-in-cordic-routine.patch48
-rw-r--r--patches.kernel.org/4.4.170-080-9p-net-put-a-lower-bound-on-msize.patch86
-rw-r--r--patches.kernel.org/4.4.170-081-iommu-vt-d-Handle-domain-agaw-being-less-than.patch (renamed from patches.drivers/iommu-vt-d-handle-domain-agaw-being-less-than-iommu-agaw)18
-rw-r--r--patches.kernel.org/4.4.170-082-ceph-don-t-update-importing-cap-s-mseq-when-h.patch (renamed from patches.fixes/ceph-don-t-update-importing-cap-s-mseq-when-handing-cap-export.patch)18
-rw-r--r--patches.kernel.org/4.4.170-083-genwqe-Fix-size-check.patch70
-rw-r--r--patches.kernel.org/4.4.170-084-intel_th-msu-Fix-an-off-by-one-in-attribute-s.patch57
-rw-r--r--patches.kernel.org/4.4.170-085-power-supply-olpc_battery-correct-the-tempera.patch56
-rw-r--r--patches.kernel.org/4.4.170-086-Linux-4.4.170.patch27
-rw-r--r--patches.suse/0046-perf-tools-omit-unnecessary-cast-in-perf_pmu__parse_scale11
-rw-r--r--patches.suse/0047-perf-pmu-factor-out-scale-conversion-code15
-rw-r--r--patches.suse/mm-compaction-introduce-kcompactd.patch56
-rw-r--r--series.conf91
94 files changed, 5394 insertions, 256 deletions
diff --git a/patches.drivers/0019-x86-mm-introduce-vmem_altmap-to-augment-vmemmap_populate.patch b/patches.drivers/0019-x86-mm-introduce-vmem_altmap-to-augment-vmemmap_populate.patch
index dadc54e379..47241e7cec 100644
--- a/patches.drivers/0019-x86-mm-introduce-vmem_altmap-to-augment-vmemmap_populate.patch
+++ b/patches.drivers/0019-x86-mm-introduce-vmem_altmap-to-augment-vmemmap_populate.patch
@@ -46,7 +46,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
#include <linux/nmi.h>
#include <linux/gfp.h>
#include <linux/kcore.h>
-@@ -722,6 +723,12 @@ static void __meminit free_pagetable(str
+@@ -724,6 +725,12 @@ static void __meminit free_pagetable(str
{
unsigned long magic;
unsigned int nr_pages = 1 << order;
@@ -59,7 +59,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
/* bootmem page has reserved flag */
if (PageReserved(page)) {
-@@ -1026,13 +1033,19 @@ int __ref arch_remove_memory(u64 start,
+@@ -1028,13 +1035,19 @@ int __ref arch_remove_memory(u64 start,
{
unsigned long start_pfn = start >> PAGE_SHIFT;
unsigned long nr_pages = size >> PAGE_SHIFT;
@@ -81,7 +81,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
return ret;
}
-@@ -1244,7 +1257,7 @@ static void __meminitdata *p_start, *p_e
+@@ -1246,7 +1259,7 @@ static void __meminitdata *p_start, *p_e
static int __meminitdata node_start;
static int __meminit vmemmap_populate_hugepages(unsigned long start,
@@ -90,7 +90,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
{
unsigned long addr;
unsigned long next;
-@@ -1267,7 +1280,7 @@ static int __meminit vmemmap_populate_hu
+@@ -1269,7 +1282,7 @@ static int __meminit vmemmap_populate_hu
if (pmd_none(*pmd)) {
void *p;
@@ -99,7 +99,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
if (p) {
pte_t entry;
-@@ -1288,7 +1301,8 @@ static int __meminit vmemmap_populate_hu
+@@ -1290,7 +1303,8 @@ static int __meminit vmemmap_populate_hu
addr_end = addr + PMD_SIZE;
p_end = p + PMD_SIZE;
continue;
@@ -109,7 +109,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
} else if (pmd_large(*pmd)) {
vmemmap_verify((pte_t *)pmd, node, addr, next);
continue;
-@@ -1301,11 +1315,16 @@ static int __meminit vmemmap_populate_hu
+@@ -1304,11 +1318,16 @@ static int __meminit vmemmap_populate_hu
int __meminit vmemmap_populate(unsigned long start, unsigned long end, int node)
{
@@ -140,7 +140,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
pmem->pfn_flags |= PFN_MAP;
} else
pmem->virt_addr = (void __pmem *) devm_memremap(dev,
-@@ -386,7 +387,8 @@ static int nvdimm_namespace_attach_pfn(s
+@@ -387,7 +388,8 @@ static int nvdimm_namespace_attach_pfn(s
/* establish pfn range for lookup, and switch to direct map */
pmem = dev_get_drvdata(dev);
devm_memunmap(dev, (void __force *) pmem->virt_addr);
@@ -229,7 +229,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
#endif /* _LINUX_MEMREMAP_H_ */
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
-@@ -2250,7 +2250,14 @@ pud_t *vmemmap_pud_populate(pgd_t *pgd,
+@@ -2236,7 +2236,14 @@ pud_t *vmemmap_pud_populate(pgd_t *pgd,
pmd_t *vmemmap_pmd_populate(pud_t *pud, unsigned long addr, int node);
pte_t *vmemmap_pte_populate(pmd_t *pmd, unsigned long addr, int node);
void *vmemmap_alloc_block(unsigned long size, int node);
@@ -297,9 +297,9 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
struct page_map *page_map;
int error, nid;
-@@ -224,14 +240,27 @@ void *devm_memremap_pages(struct device
- if (is_ram == REGION_INTERSECTS)
- return __va(res->start);
+@@ -221,14 +237,27 @@ void *devm_memremap_pages(struct device
+ return ERR_PTR(-ENXIO);
+ }
+ if (altmap && !IS_ENABLED(CONFIG_SPARSEMEM_VMEMMAP)) {
+ dev_err(dev, "%s: altmap requires CONFIG_SPARSEMEM_VMEMMAP=y\n",
@@ -326,7 +326,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
mutex_lock(&pgmap_lock);
error = 0;
for (key = res->start; key <= res->end; key += SECTION_SIZE) {
-@@ -283,4 +312,43 @@ void *devm_memremap_pages(struct device
+@@ -276,4 +305,43 @@ void *devm_memremap_pages(struct device
return ERR_PTR(error);
}
EXPORT_SYMBOL(devm_memremap_pages);
@@ -380,7 +380,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
#include <linux/memory_hotplug.h>
#include <linux/highmem.h>
#include <linux/vmalloc.h>
-@@ -321,13 +322,27 @@ int __ref __add_pages(int nid, unsigned
+@@ -506,6 +507,7 @@ int __ref __add_pages(int nid, struct zo
unsigned long i;
int err = 0;
int start_sec, end_sec;
@@ -388,7 +388,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
clear_zone_contiguous(zone);
- /* during initialize mem_map, align hot-added range to section */
+@@ -513,6 +515,19 @@ int __ref __add_pages(int nid, struct zo
start_sec = pfn_to_section_nr(phys_start_pfn);
end_sec = pfn_to_section_nr(phys_start_pfn + nr_pages - 1);
@@ -408,7 +408,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
for (i = start_sec; i <= end_sec; i++) {
err = __add_section(nid, zone, section_nr_to_pfn(i));
-@@ -548,7 +563,8 @@ static void __remove_zone(struct zone *z
+@@ -736,7 +751,8 @@ static void __remove_zone(struct zone *z
pgdat_resize_unlock(zone->zone_pgdat, &flags);
}
@@ -418,7 +418,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
{
unsigned long start_pfn;
int scn_nr;
-@@ -565,7 +581,7 @@ static int __remove_section(struct zone
+@@ -753,7 +769,7 @@ static int __remove_section(struct zone
start_pfn = section_nr_to_pfn(scn_nr);
__remove_zone(zone, start_pfn);
@@ -427,7 +427,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
return 0;
}
-@@ -584,9 +600,32 @@ int __remove_pages(struct zone *zone, un
+@@ -772,9 +788,32 @@ int __remove_pages(struct zone *zone, un
unsigned long nr_pages)
{
unsigned long i;
@@ -463,7 +463,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
clear_zone_contiguous(zone);
-@@ -596,23 +635,11 @@ int __remove_pages(struct zone *zone, un
+@@ -784,23 +823,11 @@ int __remove_pages(struct zone *zone, un
BUG_ON(phys_start_pfn & ~PAGE_SECTION_MASK);
BUG_ON(nr_pages % PAGES_PER_SECTION);
@@ -499,7 +499,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
#include <linux/stop_machine.h>
#include <linux/sort.h>
#include <linux/pfn.h>
-@@ -4914,8 +4915,9 @@ void __ref build_all_zonelists(pg_data_t
+@@ -4912,8 +4913,9 @@ static inline unsigned long wait_table_b
void __meminit memmap_init_zone(unsigned long size, int nid, unsigned long zone,
unsigned long start_pfn, enum memmap_context context)
{
@@ -510,7 +510,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
unsigned long pfn;
struct zone *z;
unsigned long nr_initialised = 0;
-@@ -4926,6 +4928,13 @@ void __meminit memmap_init_zone(unsigned
+@@ -4921,6 +4923,13 @@ void __meminit memmap_init_zone(unsigned
if (highest_memmap_pfn < end_pfn - 1)
highest_memmap_pfn = end_pfn - 1;
@@ -534,7 +534,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
#include <linux/highmem.h>
#include <linux/slab.h>
#include <linux/spinlock.h>
-@@ -74,7 +75,7 @@ void * __meminit vmemmap_alloc_block(uns
+@@ -70,7 +71,7 @@ void * __meminit vmemmap_alloc_block(uns
}
/* need to make sure size is all the same during early stage */
@@ -543,7 +543,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
{
void *ptr;
-@@ -91,6 +92,77 @@ void * __meminit vmemmap_alloc_block_buf
+@@ -87,6 +88,77 @@ void * __meminit vmemmap_alloc_block_buf
return ptr;
}
@@ -621,7 +621,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
void __meminit vmemmap_verify(pte_t *pte, int node,
unsigned long start, unsigned long end)
{
-@@ -107,7 +179,7 @@ pte_t * __meminit vmemmap_pte_populate(p
+@@ -103,7 +175,7 @@ pte_t * __meminit vmemmap_pte_populate(p
pte_t *pte = pte_offset_kernel(pmd, addr);
if (pte_none(*pte)) {
pte_t entry;
@@ -632,7 +632,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
entry = pfn_pte(__pa(p) >> PAGE_SHIFT, PAGE_KERNEL);
--- a/mm/sparse.c
+++ b/mm/sparse.c
-@@ -747,7 +747,7 @@ static void clear_hwpoisoned_pages(struc
+@@ -748,7 +748,7 @@ static void clear_hwpoisoned_pages(struc
if (!memmap)
return;
@@ -641,7 +641,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
if (PageHWPoison(&memmap[i])) {
atomic_long_sub(1, &num_poisoned_pages);
ClearPageHWPoison(&memmap[i]);
-@@ -787,7 +787,8 @@ static void free_section_usemap(struct p
+@@ -788,7 +788,8 @@ static void free_section_usemap(struct p
free_map_bootmem(memmap);
}
@@ -651,7 +651,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com>
{
struct page *memmap = NULL;
unsigned long *usemap = NULL, flags;
-@@ -803,7 +804,8 @@ void sparse_remove_one_section(struct zo
+@@ -804,7 +805,8 @@ void sparse_remove_one_section(struct zo
}
pgdat_resize_unlock(pgdat, &flags);
diff --git a/patches.drivers/genwqe-ensure-zero-initialization.patch b/patches.drivers/genwqe-ensure-zero-initialization.patch
index 679bcbfbe5..350da36811 100644
--- a/patches.drivers/genwqe-ensure-zero-initialization.patch
+++ b/patches.drivers/genwqe-ensure-zero-initialization.patch
@@ -18,15 +18,13 @@ Signed-off-by: Frank Haverkamp <haver@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Michal Suchanek <msuchanek@suse.de>
---
- drivers/misc/genwqe/card_ddcb.c | 2 --
- drivers/misc/genwqe/card_utils.c | 4 ++--
+ drivers/misc/genwqe/card_ddcb.c | 2 --
+ drivers/misc/genwqe/card_utils.c | 4 ++--
2 files changed, 2 insertions(+), 4 deletions(-)
-diff --git a/drivers/misc/genwqe/card_ddcb.c b/drivers/misc/genwqe/card_ddcb.c
-index 353ee0c..ddfeefe 100644
--- a/drivers/misc/genwqe/card_ddcb.c
+++ b/drivers/misc/genwqe/card_ddcb.c
-@@ -1048,8 +1048,6 @@ static int setup_ddcb_queue(struct genwqe_dev *cd, struct ddcb_queue *queue)
+@@ -1048,8 +1048,6 @@ static int setup_ddcb_queue(struct genwq
"[%s] **err: could not allocate DDCB **\n", __func__);
return -ENOMEM;
}
@@ -35,12 +33,10 @@ index 353ee0c..ddfeefe 100644
queue->ddcb_req = kzalloc(sizeof(struct ddcb_requ *) *
queue->ddcb_max, GFP_KERNEL);
if (!queue->ddcb_req) {
-diff --git a/drivers/misc/genwqe/card_utils.c b/drivers/misc/genwqe/card_utils.c
-index 222367c..8a679ec 100644
--- a/drivers/misc/genwqe/card_utils.c
+++ b/drivers/misc/genwqe/card_utils.c
-@@ -220,8 +220,8 @@ void *__genwqe_alloc_consistent(struct genwqe_dev *cd, size_t size,
- if (get_order(size) > MAX_ORDER)
+@@ -220,8 +220,8 @@ void *__genwqe_alloc_consistent(struct g
+ if (get_order(size) >= MAX_ORDER)
return NULL;
- return dma_alloc_coherent(&cd->pci_dev->dev, size, dma_handle,
@@ -50,6 +46,3 @@ index 222367c..8a679ec 100644
}
void __genwqe_free_consistent(struct genwqe_dev *cd, size_t size,
---
-2.10.2
-
diff --git a/patches.drivers/mm-dax-pmem-introduce-get_put-dev_pagemap-for-dax-gup.patch b/patches.drivers/mm-dax-pmem-introduce-get_put-dev_pagemap-for-dax-gup.patch
index 3be6e02df6..e3405e30f8 100644
--- a/patches.drivers/mm-dax-pmem-introduce-get_put-dev_pagemap-for-dax-gup.patch
+++ b/patches.drivers/mm-dax-pmem-introduce-get_put-dev_pagemap-for-dax-gup.patch
@@ -35,19 +35,17 @@ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Jeff Mahoney <jeffm@suse.com>
---
- drivers/nvdimm/pmem.c | 6 ++++--
- include/linux/list.h | 11 ++++++++++
- include/linux/memremap.h | 49 ++++++++++++++++++++++++++++++++++++++++++--
- include/linux/mm_types.h | 5 +++++
- kernel/memremap.c | 53 ++++++++++++++++++++++++++++++++++++++++++++----
- lib/list_debug.c | 9 ++++++++
+ drivers/nvdimm/pmem.c | 6 +++--
+ include/linux/list.h | 11 +++++++++
+ include/linux/memremap.h | 49 +++++++++++++++++++++++++++++++++++++++++--
+ include/linux/mm_types.h | 5 ++++
+ kernel/memremap.c | 53 +++++++++++++++++++++++++++++++++++++++++++----
+ lib/list_debug.c | 9 +++++++
6 files changed, 125 insertions(+), 8 deletions(-)
-diff --git a/drivers/nvdimm/pmem.c b/drivers/nvdimm/pmem.c
-index 328173d..7edf316 100644
--- a/drivers/nvdimm/pmem.c
+++ b/drivers/nvdimm/pmem.c
-@@ -184,7 +184,7 @@ static struct pmem_device *pmem_alloc(struct device *dev,
+@@ -184,7 +184,7 @@ static struct pmem_device *pmem_alloc(st
pmem->pfn_flags = PFN_DEV;
if (pmem_should_map_pages(dev)) {
pmem->virt_addr = (void __pmem *) devm_memremap_pages(dev, res,
@@ -56,7 +54,7 @@ index 328173d..7edf316 100644
pmem->pfn_flags |= PFN_MAP;
} else
pmem->virt_addr = (void __pmem *) devm_memremap(dev,
-@@ -365,6 +365,7 @@ static int nvdimm_namespace_attach_pfn(struct nd_namespace_common *ndns)
+@@ -365,6 +365,7 @@ static int nvdimm_namespace_attach_pfn(s
struct vmem_altmap *altmap;
struct nd_pfn_sb *pfn_sb;
struct pmem_device *pmem;
@@ -64,7 +62,7 @@ index 328173d..7edf316 100644
phys_addr_t offset;
int rc;
struct vmem_altmap __altmap = {
-@@ -406,9 +407,10 @@ static int nvdimm_namespace_attach_pfn(struct nd_namespace_common *ndns)
+@@ -406,9 +407,10 @@ static int nvdimm_namespace_attach_pfn(s
/* establish pfn range for lookup, and switch to direct map */
pmem = dev_get_drvdata(dev);
@@ -76,11 +74,9 @@ index 328173d..7edf316 100644
pmem->pfn_flags |= PFN_MAP;
if (IS_ERR(pmem->virt_addr)) {
rc = PTR_ERR(pmem->virt_addr);
-diff --git a/include/linux/list.h b/include/linux/list.h
-index 5356f4d..30cf420 100644
--- a/include/linux/list.h
+++ b/include/linux/list.h
-@@ -113,6 +113,17 @@ extern void __list_del_entry(struct list_head *entry);
+@@ -113,6 +113,17 @@ extern void __list_del_entry(struct list
extern void list_del(struct list_head *entry);
#endif
@@ -98,8 +94,6 @@ index 5356f4d..30cf420 100644
/**
* list_replace - replace old entry by new one
* @old : the element to be replaced
-diff --git a/include/linux/memremap.h b/include/linux/memremap.h
-index aa3e82a..bcaa634 100644
--- a/include/linux/memremap.h
+++ b/include/linux/memremap.h
@@ -1,6 +1,8 @@
@@ -111,7 +105,7 @@ index aa3e82a..bcaa634 100644
struct resource;
struct device;
-@@ -36,21 +38,25 @@ static inline struct vmem_altmap *to_vmem_altmap(unsigned long memmap_start)
+@@ -36,21 +38,25 @@ static inline struct vmem_altmap *to_vme
/**
* struct dev_pagemap - metadata for ZONE_DEVICE mappings
* @altmap: pre-allocated/reserved memory for vmemmap allocations
@@ -139,7 +133,7 @@ index aa3e82a..bcaa634 100644
{
/*
* Fail attempts to call devm_memremap_pages() without
-@@ -66,4 +72,43 @@ static inline struct dev_pagemap *find_dev_pagemap(resource_size_t phys)
+@@ -66,4 +72,43 @@ static inline struct dev_pagemap *find_d
return NULL;
}
#endif
@@ -183,11 +177,9 @@ index aa3e82a..bcaa634 100644
+ percpu_ref_put(pgmap->ref);
+}
#endif /* _LINUX_MEMREMAP_H_ */
-diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
-index 2dd9c31..d3ebb9d 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
-@@ -116,6 +116,11 @@ struct page {
+@@ -124,6 +124,11 @@ struct page {
* Can be used as a generic list
* by the page owner.
*/
@@ -199,11 +191,9 @@ index 2dd9c31..d3ebb9d 100644
struct { /* slub per cpu partial pages */
struct page *next; /* Next partial slab */
#ifdef CONFIG_64BIT
-diff --git a/kernel/memremap.c b/kernel/memremap.c
-index 562f647..3eb8944 100644
--- a/kernel/memremap.c
+++ b/kernel/memremap.c
-@@ -179,6 +179,29 @@ static void pgmap_radix_release(struct resource *res)
+@@ -181,6 +181,29 @@ static void pgmap_radix_release(struct r
mutex_unlock(&pgmap_lock);
}
@@ -233,7 +223,7 @@ index 562f647..3eb8944 100644
static void devm_memremap_pages_release(struct device *dev, void *data)
{
struct page_map *page_map = data;
-@@ -186,6 +209,11 @@ static void devm_memremap_pages_release(struct device *dev, void *data)
+@@ -188,6 +211,11 @@ static void devm_memremap_pages_release(
resource_size_t align_start, align_size;
struct dev_pagemap *pgmap = &page_map->pgmap;
@@ -245,7 +235,7 @@ index 562f647..3eb8944 100644
pgmap_radix_release(res);
/* pages are dead and unused, undo the arch mapping */
-@@ -211,20 +239,26 @@ struct dev_pagemap *find_dev_pagemap(resource_size_t phys)
+@@ -215,20 +243,26 @@ struct dev_pagemap *find_dev_pagemap(res
* devm_memremap_pages - remap and provide memmap backing for the given resource
* @dev: hosting device for @res
* @res: "host memory" address range
@@ -275,8 +265,8 @@ index 562f647..3eb8944 100644
+ unsigned long pfn;
int error, nid;
- if (is_ram == REGION_MIXED) {
-@@ -242,6 +276,9 @@ void *devm_memremap_pages(struct device *dev, struct resource *res,
+ if (is_ram != REGION_DISJOINT) {
+@@ -243,6 +277,9 @@ void *devm_memremap_pages(struct device
return ERR_PTR(-ENXIO);
}
@@ -286,7 +276,7 @@ index 562f647..3eb8944 100644
page_map = devres_alloc_node(devm_memremap_pages_release,
sizeof(*page_map), GFP_KERNEL, dev_to_node(dev));
if (!page_map)
-@@ -255,6 +292,7 @@ void *devm_memremap_pages(struct device *dev, struct resource *res,
+@@ -256,6 +293,7 @@ void *devm_memremap_pages(struct device
memcpy(&page_map->altmap, altmap, sizeof(*altmap));
pgmap->altmap = &page_map->altmap;
}
@@ -294,7 +284,7 @@ index 562f647..3eb8944 100644
pgmap->res = &page_map->res;
mutex_lock(&pgmap_lock);
-@@ -292,6 +330,13 @@ void *devm_memremap_pages(struct device *dev, struct resource *res,
+@@ -295,6 +333,13 @@ void *devm_memremap_pages(struct device
if (error)
goto err_add_memory;
@@ -308,8 +298,6 @@ index 562f647..3eb8944 100644
devres_add(dev, page_map);
return __va(res->start);
-diff --git a/lib/list_debug.c b/lib/list_debug.c
-index 3859bf6..3345a08 100644
--- a/lib/list_debug.c
+++ b/lib/list_debug.c
@@ -12,6 +12,13 @@
@@ -335,5 +323,3 @@ index 3859bf6..3345a08 100644
WARN(next->prev != prev,
"list_add corruption. next->prev should be "
"prev (%p), but was %p. (next=%p).\n",
-
-
diff --git a/patches.drivers/net-next-treewide-use-is_vlan_dev-helper-function.patch b/patches.drivers/net-next-treewide-use-is_vlan_dev-helper-function.patch
index 0426975277..4516da66e6 100644
--- a/patches.drivers/net-next-treewide-use-is_vlan_dev-helper-function.patch
+++ b/patches.drivers/net-next-treewide-use-is_vlan_dev-helper-function.patch
@@ -35,7 +35,7 @@ Acked-by: David Chang <dchang@suse.com>
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
-@@ -2417,14 +2417,12 @@ static int iboe_tos_to_sl(struct net_dev
+@@ -2480,14 +2480,12 @@ static int iboe_tos_to_sl(struct net_dev
struct net_device *dev;
prio = rt_tos2priority(tos);
@@ -87,7 +87,7 @@ Acked-by: David Chang <dchang@suse.com>
e->vlan = VLAN_NONE;
--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
-@@ -2223,7 +2223,7 @@ static void check_neigh_update(struct ne
+@@ -1805,7 +1805,7 @@ static void check_neigh_update(struct ne
const struct device *parent;
const struct net_device *netdev = neigh->dev;
@@ -96,7 +96,7 @@ Acked-by: David Chang <dchang@suse.com>
netdev = vlan_dev_real_dev(netdev);
parent = netdev->dev.parent;
if (parent && parent->driver == &cxgb4_driver.driver)
-@@ -2643,7 +2643,7 @@ static int cxgb4_inet6addr_handler(struc
+@@ -2111,7 +2111,7 @@ static int cxgb4_inet6addr_handler(struc
#if IS_ENABLED(CONFIG_BONDING)
struct adapter *adap;
#endif
@@ -176,7 +176,7 @@ Acked-by: David Chang <dchang@suse.com>
}
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
-@@ -1495,7 +1495,7 @@ static int netvsc_netdev_event(struct no
+@@ -1604,7 +1604,7 @@ static int netvsc_netdev_event(struct no
return NOTIFY_DONE;
/* Avoid Vlan dev with same MAC registering as VF */
@@ -187,7 +187,7 @@ Acked-by: David Chang <dchang@suse.com>
/* Avoid Bonding master dev with same MAC registering as VF */
--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
+++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
-@@ -2290,7 +2290,7 @@ static int _bnx2fc_create(struct net_dev
+@@ -2295,7 +2295,7 @@ static int _bnx2fc_create(struct net_dev
}
/* obtain physical netdev */
@@ -196,8 +196,8 @@ Acked-by: David Chang <dchang@suse.com>
phys_dev = vlan_dev_real_dev(netdev);
/* verify if the physical device is a netxtreme2 device */
-@@ -2328,7 +2328,7 @@ static int _bnx2fc_create(struct net_dev
- goto ifput_err;
+@@ -2333,7 +2333,7 @@ static int _bnx2fc_create(struct net_dev
+ goto netdev_err;
}
- if (netdev->priv_flags & IFF_802_1Q_VLAN) {
@@ -205,7 +205,7 @@ Acked-by: David Chang <dchang@suse.com>
vlan_id = vlan_dev_vlan_id(netdev);
interface->vlan_enabled = 1;
}
-@@ -2546,7 +2546,7 @@ static bool bnx2fc_match(struct net_devi
+@@ -2551,7 +2551,7 @@ static bool bnx2fc_match(struct net_devi
struct net_device *phys_dev = netdev;
mutex_lock(&bnx2fc_dev_lock);
@@ -216,7 +216,7 @@ Acked-by: David Chang <dchang@suse.com>
if (bnx2fc_hba_lookup(phys_dev)) {
--- a/drivers/scsi/cxgbi/libcxgbi.c
+++ b/drivers/scsi/cxgbi/libcxgbi.c
-@@ -220,7 +220,7 @@ struct cxgbi_device *cxgbi_device_find_b
+@@ -223,7 +223,7 @@ struct cxgbi_device *cxgbi_device_find_b
struct cxgbi_device *cdev, *tmp;
int i;
@@ -225,7 +225,7 @@ Acked-by: David Chang <dchang@suse.com>
vdev = ndev;
ndev = vlan_dev_real_dev(ndev);
log_debug(1 << CXGBI_DBG_DEV,
-@@ -253,7 +253,7 @@ struct cxgbi_device *cxgbi_device_find_b
+@@ -256,7 +256,7 @@ struct cxgbi_device *cxgbi_device_find_b
struct cxgbi_device *cdev;
int i;
@@ -234,7 +234,7 @@ Acked-by: David Chang <dchang@suse.com>
vdev = ndev;
ndev = vlan_dev_real_dev(ndev);
pr_info("vlan dev %s -> %s.\n", vdev->name, ndev->name);
-@@ -287,7 +287,7 @@ static struct cxgbi_device *cxgbi_device
+@@ -290,7 +290,7 @@ static struct cxgbi_device *cxgbi_device
struct cxgbi_device *cdev, *tmp;
int i;
@@ -255,7 +255,7 @@ Acked-by: David Chang <dchang@suse.com>
fcoe->realdev = real_dev;
rcu_read_lock();
for_each_dev_addr(real_dev, ha) {
-@@ -746,7 +745,7 @@ static int fcoe_netdev_config(struct fc_
+@@ -752,7 +751,7 @@ static int fcoe_netdev_config(struct fc_
ctlr = fcoe_to_ctlr(fcoe);
/* Figure out the VLAN ID, if any */
@@ -264,7 +264,7 @@ Acked-by: David Chang <dchang@suse.com>
lport->vlan = vlan_dev_vlan_id(netdev);
else
lport->vlan = 0;
-@@ -975,13 +974,13 @@ static inline int fcoe_em_config(struct
+@@ -981,13 +980,13 @@ static inline int fcoe_em_config(struct
* Reuse existing offload em instance in case
* it is already allocated on real eth device
*/
@@ -280,7 +280,7 @@ Acked-by: David Chang <dchang@suse.com>
old_real_dev = vlan_dev_real_dev(oldfcoe->netdev);
else
old_real_dev = oldfcoe->netdev;
-@@ -1579,7 +1578,7 @@ static int fcoe_xmit(struct fc_lport *lp
+@@ -1585,7 +1584,7 @@ static int fcoe_xmit(struct fc_lport *lp
skb->protocol = htons(ETH_P_FCOE);
skb->priority = fcoe->priority;
@@ -289,7 +289,7 @@ Acked-by: David Chang <dchang@suse.com>
fcoe->realdev->features & NETIF_F_HW_VLAN_CTAG_TX) {
/* must set skb->dev before calling vlan_put_tag */
skb->dev = fcoe->realdev;
-@@ -1809,7 +1808,7 @@ fcoe_hostlist_lookup_realdev_port(struct
+@@ -1815,7 +1814,7 @@ fcoe_hostlist_lookup_realdev_port(struct
struct net_device *real_dev;
list_for_each_entry(fcoe, &fcoe_hostlist, list) {
@@ -300,7 +300,7 @@ Acked-by: David Chang <dchang@suse.com>
real_dev = fcoe->netdev;
--- a/include/rdma/ib_addr.h
+++ b/include/rdma/ib_addr.h
-@@ -160,8 +160,7 @@ static inline int rdma_addr_gid_offset(s
+@@ -162,8 +162,7 @@ static inline int rdma_addr_gid_offset(s
static inline u16 rdma_vlan_dev_vlan_id(const struct net_device *dev)
{
diff --git a/patches.fixes/0003-memremap-add-scheduling-point-to-devm_memremap_pages.patch b/patches.fixes/0003-memremap-add-scheduling-point-to-devm_memremap_pages.patch
index 02b15ab04a..2dec33b881 100644
--- a/patches.fixes/0003-memremap-add-scheduling-point-to-devm_memremap_pages.patch
+++ b/patches.fixes/0003-memremap-add-scheduling-point-to-devm_memremap_pages.patch
@@ -45,16 +45,16 @@ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
--- a/kernel/memremap.c
+++ b/kernel/memremap.c
-@@ -275,7 +275,7 @@ void *devm_memremap_pages(struct device
+@@ -290,7 +290,7 @@ void *devm_memremap_pages(struct device
struct dev_pagemap *pgmap;
struct page_map *page_map;
unsigned long pfn;
- int error, nid;
+ int error, nid, i = 0;
- if (is_ram == REGION_MIXED) {
- WARN_ONCE(1, "%s attempted on mixed region %pr\n",
-@@ -358,6 +358,8 @@ void *devm_memremap_pages(struct device
+ if (is_ram != REGION_DISJOINT) {
+ WARN_ONCE(1, "%s attempted on %s region %pr\n", __func__,
+@@ -376,6 +376,8 @@ void *devm_memremap_pages(struct device
/* ZONE_DEVICE pages must never appear on a slab lru */
list_force_poison(&page->lru);
page->pgmap = pgmap;
diff --git a/patches.drivers/USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch b/patches.kernel.org/4.4.170-001-USB-hso-Fix-OOB-memory-access-in-hso_probe-hs.patch
index b37f019f89..df3a869902 100644
--- a/patches.drivers/USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch
+++ b/patches.kernel.org/4.4.170-001-USB-hso-Fix-OOB-memory-access-in-hso_probe-hs.patch
@@ -1,10 +1,12 @@
-From 5146f95df782b0ac61abde36567e718692725c89 Mon Sep 17 00:00:00 2001
From: Hui Peng <benquike@gmail.com>
Date: Wed, 12 Dec 2018 12:42:24 +0100
-Subject: [PATCH] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
+Subject: [PATCH] USB: hso: Fix OOB memory access in
+ hso_probe/hso_get_config_data
+Patch-mainline: 4.4.170
+References: CVE-2018-19985 bnc#1012382 bsc#1120743
Git-commit: 5146f95df782b0ac61abde36567e718692725c89
-Patch-mainline: v4.20
-References: CVE-2018-19985,bsc#1120743
+
+commit 5146f95df782b0ac61abde36567e718692725c89 upstream.
The function hso_probe reads if_num from the USB device (as an u8) and uses
it without a length check to index an array, resulting in an OOB memory read
@@ -22,17 +24,17 @@ Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
drivers/net/usb/hso.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
-index 184c24baca15..d6916f787fce 100644
+index 111d907e0c11..79cede19e0c4 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
-@@ -2807,6 +2807,12 @@ static int hso_get_config_data(struct usb_interface *interface)
+@@ -2825,6 +2825,12 @@ static int hso_get_config_data(struct usb_interface *interface)
return -EIO;
}
@@ -45,7 +47,7 @@ index 184c24baca15..d6916f787fce 100644
switch (config_data[if_num]) {
case 0x0:
result = 0;
-@@ -2877,10 +2883,18 @@ static int hso_probe(struct usb_interface *interface,
+@@ -2895,10 +2901,18 @@ static int hso_probe(struct usb_interface *interface,
/* Get the interface/port specification from either driver_info or from
* the device itself */
diff --git a/patches.kernel.org/4.4.170-002-xhci-Don-t-prevent-USB2-bus-suspend-in-state-.patch b/patches.kernel.org/4.4.170-002-xhci-Don-t-prevent-USB2-bus-suspend-in-state-.patch
new file mode 100644
index 0000000000..79bc545794
--- /dev/null
+++ b/patches.kernel.org/4.4.170-002-xhci-Don-t-prevent-USB2-bus-suspend-in-state-.patch
@@ -0,0 +1,45 @@
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Fri, 14 Dec 2018 10:54:43 +0200
+Subject: [PATCH] xhci: Don't prevent USB2 bus suspend in state check intended
+ for USB3 only
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 45f750c16cae3625014c14c77bd9005eda975d35
+
+commit 45f750c16cae3625014c14c77bd9005eda975d35 upstream.
+
+The code to prevent a bus suspend if a USB3 port was still in link training
+also reacted to USB2 port polling state.
+This caused bus suspend to busyloop in some cases.
+USB2 polling state is different from USB3, and should not prevent bus
+suspend.
+
+Limit the USB3 link training state check to USB3 root hub ports only.
+The origial commit went to stable so this need to be applied there as well
+
+Fixes: 2f31a67f01a8 ("usb: xhci: Prevent bus suspend if a port connect change or polling state is detected")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/host/xhci-hub.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
+index 5d21cd8359d4..421825b44202 100644
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -1329,7 +1329,8 @@ int xhci_bus_suspend(struct usb_hcd *hcd)
+ portsc_buf[port_index] = 0;
+
+ /* Bail out if a USB3 port has a new device in link training */
+- if ((t1 & PORT_PLS_MASK) == XDEV_POLLING) {
++ if ((hcd->speed >= HCD_USB3) &&
++ (t1 & PORT_PLS_MASK) == XDEV_POLLING) {
+ bus_state->bus_suspended = 0;
+ spin_unlock_irqrestore(&xhci->lock, flags);
+ xhci_dbg(xhci, "Bus suspend bailout, port in polling\n");
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-003-USB-serial-option-add-GosunCn-ZTE-WeLink-ME36.patch b/patches.kernel.org/4.4.170-003-USB-serial-option-add-GosunCn-ZTE-WeLink-ME36.patch
new file mode 100644
index 0000000000..8e475f64b2
--- /dev/null
+++ b/patches.kernel.org/4.4.170-003-USB-serial-option-add-GosunCn-ZTE-WeLink-ME36.patch
@@ -0,0 +1,75 @@
+From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= <jorgen.storvist@gmail.com>
+Date: Tue, 11 Dec 2018 18:28:28 +0100
+Subject: [PATCH] USB: serial: option: add GosunCn ZTE WeLink ME3630
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 70a7444c550a75584ffcfae95267058817eff6a7
+
+commit 70a7444c550a75584ffcfae95267058817eff6a7 upstream.
+
+Added USB serial option driver support for GosunCn ZTE WeLink ME3630
+series cellular modules for USB modes ECM/NCM and MBIM.
+
+usb-devices output MBIM mode:
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 10 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=19d2 ProdID=0602 Rev=03.18
+S: Manufacturer=Android
+S: Product=Android
+S: SerialNumber=
+C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
+I: If#= 4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+
+usb-devices output ECM/NCM mode:
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 11 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=19d2 ProdID=1476 Rev=03.18
+S: Manufacturer=Android
+S: Product=Android
+S: SerialNumber=
+C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
+I: If#= 4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
+
+Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index 2b81939fecd7..b2aa7c70560f 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1327,6 +1327,7 @@ static const struct usb_device_id option_ids[] = {
+ .driver_info = RSVD(4) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0414, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0417, 0xff, 0xff, 0xff) },
++ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x0602, 0xff) }, /* GosunCn ZTE WeLink ME3630 (MBIM mode) */
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1008, 0xff, 0xff, 0xff),
+ .driver_info = RSVD(4) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1010, 0xff, 0xff, 0xff),
+@@ -1530,6 +1531,7 @@ static const struct usb_device_id option_ids[] = {
+ .driver_info = RSVD(2) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1428, 0xff, 0xff, 0xff), /* Telewell TW-LTE 4G v2 */
+ .driver_info = RSVD(2) },
++ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x1476, 0xff) }, /* GosunCn ZTE WeLink ME3630 (ECM/NCM mode) */
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff, 0xff) },
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-004-USB-serial-option-add-HP-lt4132.patch b/patches.kernel.org/4.4.170-004-USB-serial-option-add-HP-lt4132.patch
new file mode 100644
index 0000000000..8161be467a
--- /dev/null
+++ b/patches.kernel.org/4.4.170-004-USB-serial-option-add-HP-lt4132.patch
@@ -0,0 +1,88 @@
+From: Tore Anderson <tore@fud.no>
+Date: Sat, 8 Dec 2018 19:05:12 +0100
+Subject: [PATCH] USB: serial: option: add HP lt4132
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: d57ec3c83b5153217a70b561d4fb6ed96f2f7a25
+
+commit d57ec3c83b5153217a70b561d4fb6ed96f2f7a25 upstream.
+
+The HP lt4132 is a rebranded Huawei ME906s-158 LTE modem.
+
+The interface with protocol 0x16 is "CDC ECM & NCM" according to the *.inf
+files included with the Windows driver. Attaching the option driver to it
+doesn't result in a /dev/ttyUSB* device being created, so I've excluded it.
+Note that it is also excluded for corresponding Huawei-branded devices, cf.
+commit d544db293a44 ("USB: support new huawei devices in option.c").
+
+T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs= 3
+P: Vendor=03f0 ProdID=a31d Rev=01.02
+S: Manufacturer=HP Inc.
+S: Product=HP lt4132 LTE/HSPA+ 4G Module
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=2mA
+I: If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=06 Prot=10 Driver=option
+I: If#=0x1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=13 Driver=option
+I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=12 Driver=option
+I: If#=0x3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=06 Prot=16 Driver=(none)
+I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option
+I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=1b Driver=option
+
+T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs= 3
+P: Vendor=03f0 ProdID=a31d Rev=01.02
+S: Manufacturer=HP Inc.
+S: Product=HP lt4132 LTE/HSPA+ 4G Module
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 7 Cfg#= 2 Atr=a0 MxPwr=2mA
+I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
+I: If#=0x1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=06 Prot=00 Driver=cdc_ether
+I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=06 Prot=10 Driver=option
+I: If#=0x3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=13 Driver=option
+I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=12 Driver=option
+I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option
+I: If#=0x6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=1b Driver=option
+
+T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs= 3
+P: Vendor=03f0 ProdID=a31d Rev=01.02
+S: Manufacturer=HP Inc.
+S: Product=HP lt4132 LTE/HSPA+ 4G Module
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 3 Cfg#= 3 Atr=a0 MxPwr=2mA
+I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
+I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option
+
+Signed-off-by: Tore Anderson <tore@fud.no>
+Cc: stable@vger.kernel.org
+[ johan: drop id defines ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/serial/option.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index b2aa7c70560f..4cd445efe249 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1943,7 +1943,12 @@ static const struct usb_device_id option_ids[] = {
+ { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_6802, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD300, 0xff, 0xff, 0xff) },
+- { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) }, /* HP lt2523 (Novatel E371) */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) }, /* HP lt2523 (Novatel E371) */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x10) }, /* HP lt4132 (Huawei ME906s-158) */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x12) },
++ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x13) },
++ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x14) },
++ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
+ { } /* Terminating entry */
+ };
+ MODULE_DEVICE_TABLE(usb, option_ids);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-005-USB-serial-option-add-Simcom-SIM7500-SIM7600-.patch b/patches.kernel.org/4.4.170-005-USB-serial-option-add-Simcom-SIM7500-SIM7600-.patch
new file mode 100644
index 0000000000..99eea54c91
--- /dev/null
+++ b/patches.kernel.org/4.4.170-005-USB-serial-option-add-Simcom-SIM7500-SIM7600-.patch
@@ -0,0 +1,54 @@
+From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= <jorgen.storvist@gmail.com>
+Date: Wed, 12 Dec 2018 08:39:39 +0100
+Subject: [PATCH] USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: cc6730df08a291e51e145bc65e24ffb5e2f17ab6
+
+commit cc6730df08a291e51e145bc65e24ffb5e2f17ab6 upstream.
+
+Added USB serial option driver support for Simcom SIM7500/SIM7600 series
+cellular modules exposing MBIM interface (VID 0x1e0e,PID 0x9003)
+
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 14 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1e0e ProdID=9003 Rev=03.18
+S: Manufacturer=SimTech, Incorporated
+S: Product=SimTech, Incorporated
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 5 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
+I: If#= 6 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+
+Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/serial/option.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index 4cd445efe249..f7c13e5f7cae 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1759,6 +1759,7 @@ static const struct usb_device_id option_ids[] = {
+ { USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU, 0xff, 0xff, 0xff) },
+ { USB_DEVICE(ALINK_VENDOR_ID, SIMCOM_PRODUCT_SIM7100E),
+ .driver_info = RSVD(5) | RSVD(6) },
++ { USB_DEVICE_INTERFACE_CLASS(0x1e0e, 0x9003, 0xff) }, /* Simcom SIM7500/SIM7600 MBIM mode */
+ { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200),
+ .driver_info = NCTRL(0) | NCTRL(1) | RSVD(4) },
+ { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X220_X500D),
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-006-USB-serial-option-add-Fibocom-NL668-series.patch b/patches.kernel.org/4.4.170-006-USB-serial-option-add-Fibocom-NL668-series.patch
new file mode 100644
index 0000000000..6a4307d1e5
--- /dev/null
+++ b/patches.kernel.org/4.4.170-006-USB-serial-option-add-Fibocom-NL668-series.patch
@@ -0,0 +1,71 @@
+From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= <jorgen.storvist@gmail.com>
+Date: Wed, 12 Dec 2018 21:47:36 +0100
+Subject: [PATCH] USB: serial: option: add Fibocom NL668 series
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 30360224441ce89a98ed627861e735beb4010775
+
+commit 30360224441ce89a98ed627861e735beb4010775 upstream.
+
+Added USB serial option driver support for Fibocom NL668 series cellular
+modules. Reserved USB endpoints 4, 5 and 6 for network + ADB interfaces.
+
+usb-devices output (QMI mode)
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 16 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1508 ProdID=1001 Rev=03.18
+S: Manufacturer=Nodecom NL668 Modem
+S: Product=Nodecom NL668-CN Modem
+S: SerialNumber=
+C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+
+usb-devices output (ECM mode)
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 17 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1508 ProdID=1001 Rev=03.18
+S: Manufacturer=Nodecom NL668 Modem
+S: Product=Nodecom NL668-CN Modem
+S: SerialNumber=
+C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
+I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
+I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+
+Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index f7c13e5f7cae..412d9442a760 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1950,6 +1950,8 @@ static const struct usb_device_id option_ids[] = {
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x13) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x14) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
++ { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 */
++ .driver_info = RSVD(4) | RSVD(5) | RSVD(6) },
+ { } /* Terminating entry */
+ };
+ MODULE_DEVICE_TABLE(usb, option_ids);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-007-USB-serial-option-add-Telit-LN940-series.patch b/patches.kernel.org/4.4.170-007-USB-serial-option-add-Telit-LN940-series.patch
new file mode 100644
index 0000000000..d414d62b27
--- /dev/null
+++ b/patches.kernel.org/4.4.170-007-USB-serial-option-add-Telit-LN940-series.patch
@@ -0,0 +1,71 @@
+From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= <jorgen.storvist@gmail.com>
+Date: Thu, 13 Dec 2018 17:32:08 +0100
+Subject: [PATCH] USB: serial: option: add Telit LN940 series
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 28a86092b1753b802ef7e3de8a4c4a69a9c1bb03
+
+commit 28a86092b1753b802ef7e3de8a4c4a69a9c1bb03 upstream.
+
+Added USB serial option driver support for Telit LN940 series cellular
+modules. Covering both QMI and MBIM modes.
+
+usb-devices output (0x1900):
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 21 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=1bc7 ProdID=1900 Rev=03.10
+S: Manufacturer=Telit
+S: Product=Telit LN940 Mobile Broadband
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+
+usb-devices output (0x1901):
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 20 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=1bc7 ProdID=1901 Rev=03.10
+S: Manufacturer=Telit
+S: Product=Telit LN940 Mobile Broadband
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
+I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+
+Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/serial/option.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index 412d9442a760..1e3445dd84b2 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1163,6 +1163,10 @@ static const struct usb_device_id option_ids[] = {
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1213, 0xff) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1214),
+ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) },
++ { USB_DEVICE(TELIT_VENDOR_ID, 0x1900), /* Telit LN940 (QMI) */
++ .driver_info = NCTRL(0) | RSVD(1) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1901, 0xff), /* Telit LN940 (MBIM) */
++ .driver_info = NCTRL(0) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0002, 0xff, 0xff, 0xff),
+ .driver_info = RSVD(1) },
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-008-mmc-core-Reset-HPI-enabled-state-during-re-in.patch b/patches.kernel.org/4.4.170-008-mmc-core-Reset-HPI-enabled-state-during-re-in.patch
new file mode 100644
index 0000000000..8f86d9b884
--- /dev/null
+++ b/patches.kernel.org/4.4.170-008-mmc-core-Reset-HPI-enabled-state-during-re-in.patch
@@ -0,0 +1,44 @@
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Mon, 10 Dec 2018 17:52:36 +0100
+Subject: [PATCH] mmc: core: Reset HPI enabled state during re-init and in case
+ of errors
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: a0741ba40a009f97c019ae7541dc61c1fdf41efb
+
+commit a0741ba40a009f97c019ae7541dc61c1fdf41efb upstream.
+
+During a re-initialization of the eMMC card, we may fail to re-enable HPI.
+In these cases, that isn't properly reflected in the card->ext_csd.hpi_en
+bit, as it keeps being set. This may cause following attempts to use HPI,
+even if's not enabled. Let's fix this!
+
+Fixes: eb0d8f135b67 ("mmc: core: support HPI send command")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/mmc/core/mmc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c
+index 79a0c26e1419..a31789be0840 100644
+--- a/drivers/mmc/core/mmc.c
++++ b/drivers/mmc/core/mmc.c
+@@ -1608,9 +1608,11 @@ static int mmc_init_card(struct mmc_host *host, u32 ocr,
+ if (err) {
+ pr_warn("%s: Enabling HPI failed\n",
+ mmc_hostname(card->host));
++ card->ext_csd.hpi_en = 0;
+ err = 0;
+- } else
++ } else {
+ card->ext_csd.hpi_en = 1;
++ }
+ }
+
+ /*
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-009-mmc-omap_hsmmc-fix-DMA-API-warning.patch b/patches.kernel.org/4.4.170-009-mmc-omap_hsmmc-fix-DMA-API-warning.patch
new file mode 100644
index 0000000000..114e1faed7
--- /dev/null
+++ b/patches.kernel.org/4.4.170-009-mmc-omap_hsmmc-fix-DMA-API-warning.patch
@@ -0,0 +1,71 @@
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Tue, 11 Dec 2018 14:41:31 +0000
+Subject: [PATCH] mmc: omap_hsmmc: fix DMA API warning
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 0b479790684192ab7024ce6a621f93f6d0a64d92
+
+commit 0b479790684192ab7024ce6a621f93f6d0a64d92 upstream.
+
+While booting with rootfs on MMC, the following warning is encountered
+on OMAP4430:
+
+omap-dma-engine 4a056000.dma-controller: DMA-API: mapping sg segment longer than device claims to support [len=69632] [max=65536]
+
+This is because the DMA engine has a default maximum segment size of 64K
+but HSMMC sets:
+
+ mmc->max_blk_size = 512; /* Block Length at max can be 1024 */
+ mmc->max_blk_count = 0xFFFF; /* No. of Blocks is 16 bits */
+ mmc->max_req_size = mmc->max_blk_size * mmc->max_blk_count;
+ mmc->max_seg_size = mmc->max_req_size;
+
+which ends up telling the block layer that we support a maximum segment
+size of 65535*512, which exceeds the advertised DMA engine capabilities.
+
+Fix this by clamping the maximum segment size to the lower of the
+maximum request size and of the DMA engine device used for either DMA
+channel.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/mmc/host/omap_hsmmc.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c
+index 6b814d7d6560..af937d3e8c3e 100644
+--- a/drivers/mmc/host/omap_hsmmc.c
++++ b/drivers/mmc/host/omap_hsmmc.c
+@@ -2117,7 +2117,6 @@ static int omap_hsmmc_probe(struct platform_device *pdev)
+ mmc->max_blk_size = 512; /* Block Length at max can be 1024 */
+ mmc->max_blk_count = 0xFFFF; /* No. of Blocks is 16 bits */
+ mmc->max_req_size = mmc->max_blk_size * mmc->max_blk_count;
+- mmc->max_seg_size = mmc->max_req_size;
+
+ mmc->caps |= MMC_CAP_MMC_HIGHSPEED | MMC_CAP_SD_HIGHSPEED |
+ MMC_CAP_WAIT_WHILE_BUSY | MMC_CAP_ERASE;
+@@ -2174,6 +2173,17 @@ static int omap_hsmmc_probe(struct platform_device *pdev)
+ goto err_irq;
+ }
+
++ /*
++ * Limit the maximum segment size to the lower of the request size
++ * and the DMA engine device segment size limits. In reality, with
++ * 32-bit transfers, the DMA engine can do longer segments than this
++ * but there is no way to represent that in the DMA model - if we
++ * increase this figure here, we get warnings from the DMA API debug.
++ */
++ mmc->max_seg_size = min3(mmc->max_req_size,
++ dma_get_max_seg_size(host->rx_chan->device->dev),
++ dma_get_max_seg_size(host->tx_chan->device->dev));
++
+ /* Request IRQ for MMC operations */
+ ret = devm_request_irq(&pdev->dev, host->irq, omap_hsmmc_irq, 0,
+ mmc_hostname(mmc), host);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-010-gpio-max7301-fix-driver-for-use-with-CONFIG_V.patch b/patches.kernel.org/4.4.170-010-gpio-max7301-fix-driver-for-use-with-CONFIG_V.patch
new file mode 100644
index 0000000000..2313f64653
--- /dev/null
+++ b/patches.kernel.org/4.4.170-010-gpio-max7301-fix-driver-for-use-with-CONFIG_V.patch
@@ -0,0 +1,59 @@
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Fri, 7 Dec 2018 13:07:55 +0000
+Subject: [PATCH] gpio: max7301: fix driver for use with CONFIG_VMAP_STACK
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: abf221d2f51b8ce7b9959a8953f880a8b0a1400d
+
+commit abf221d2f51b8ce7b9959a8953f880a8b0a1400d upstream.
+
+spi_read() and spi_write() require DMA-safe memory. When
+CONFIG_VMAP_STACK is selected, those functions cannot be used
+with buffers on stack.
+
+This patch replaces calls to spi_read() and spi_write() by
+spi_write_then_read() which doesn't require DMA-safe buffers.
+
+Fixes: 0c36ec314735 ("gpio: gpio driver for max7301 SPI GPIO expander")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/gpio/gpio-max7301.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/gpio/gpio-max7301.c b/drivers/gpio/gpio-max7301.c
+index 05813fbf3daf..647dfbbc4e1c 100644
+--- a/drivers/gpio/gpio-max7301.c
++++ b/drivers/gpio/gpio-max7301.c
+@@ -25,7 +25,7 @@ static int max7301_spi_write(struct device *dev, unsigned int reg,
+ struct spi_device *spi = to_spi_device(dev);
+ u16 word = ((reg & 0x7F) << 8) | (val & 0xFF);
+
+- return spi_write(spi, (const u8 *)&word, sizeof(word));
++ return spi_write_then_read(spi, &word, sizeof(word), NULL, 0);
+ }
+
+ /* A read from the MAX7301 means two transfers; here, one message each */
+@@ -37,14 +37,8 @@ static int max7301_spi_read(struct device *dev, unsigned int reg)
+ struct spi_device *spi = to_spi_device(dev);
+
+ word = 0x8000 | (reg << 8);
+- ret = spi_write(spi, (const u8 *)&word, sizeof(word));
+- if (ret)
+- return ret;
+- /*
+- * This relies on the fact, that a transfer with NULL tx_buf shifts out
+- * zero bytes (=NOOP for MAX7301)
+- */
+- ret = spi_read(spi, (u8 *)&word, sizeof(word));
++ ret = spi_write_then_read(spi, &word, sizeof(word), &word,
++ sizeof(word));
+ if (ret)
+ return ret;
+ return word & 0xff;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-011-Drivers-hv-vmbus-Return-EINVAL-for-the-sys-fi.patch b/patches.kernel.org/4.4.170-011-Drivers-hv-vmbus-Return-EINVAL-for-the-sys-fi.patch
new file mode 100644
index 0000000000..b11d1bf9e3
--- /dev/null
+++ b/patches.kernel.org/4.4.170-011-Drivers-hv-vmbus-Return-EINVAL-for-the-sys-fi.patch
@@ -0,0 +1,125 @@
+From: Dexuan Cui <decui@microsoft.com>
+Date: Thu, 13 Dec 2018 16:35:43 +0000
+Subject: [PATCH] Drivers: hv: vmbus: Return -EINVAL for the sys files for
+ unopened channels
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: fc96df16a1ce80cbb3c316ab7d4dc8cd5c2852ce
+
+commit fc96df16a1ce80cbb3c316ab7d4dc8cd5c2852ce upstream.
+
+Before 98f4c651762c, we returned zeros for unopened channels.
+With 98f4c651762c, we started to return random on-stack values.
+
+We'd better return -EINVAL instead.
+
+Fixes: 98f4c651762c ("hv: move ringbuffer bus attributes to dev_groups")
+Cc: stable@vger.kernel.org
+Cc: K. Y. Srinivasan <kys@microsoft.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/hv/vmbus_drv.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
+index 802dcb409030..b877cce0409b 100644
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -316,6 +316,8 @@ static ssize_t out_intr_mask_show(struct device *dev,
+
+ if (!hv_dev->channel)
+ return -ENODEV;
++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
++ return -EINVAL;
+ hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
+ return sprintf(buf, "%d\n", outbound.current_interrupt_mask);
+ }
+@@ -329,6 +331,8 @@ static ssize_t out_read_index_show(struct device *dev,
+
+ if (!hv_dev->channel)
+ return -ENODEV;
++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
++ return -EINVAL;
+ hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
+ return sprintf(buf, "%d\n", outbound.current_read_index);
+ }
+@@ -343,6 +347,8 @@ static ssize_t out_write_index_show(struct device *dev,
+
+ if (!hv_dev->channel)
+ return -ENODEV;
++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
++ return -EINVAL;
+ hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
+ return sprintf(buf, "%d\n", outbound.current_write_index);
+ }
+@@ -357,6 +363,8 @@ static ssize_t out_read_bytes_avail_show(struct device *dev,
+
+ if (!hv_dev->channel)
+ return -ENODEV;
++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
++ return -EINVAL;
+ hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
+ return sprintf(buf, "%d\n", outbound.bytes_avail_toread);
+ }
+@@ -371,6 +379,8 @@ static ssize_t out_write_bytes_avail_show(struct device *dev,
+
+ if (!hv_dev->channel)
+ return -ENODEV;
++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
++ return -EINVAL;
+ hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
+ return sprintf(buf, "%d\n", outbound.bytes_avail_towrite);
+ }
+@@ -384,6 +394,8 @@ static ssize_t in_intr_mask_show(struct device *dev,
+
+ if (!hv_dev->channel)
+ return -ENODEV;
++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
++ return -EINVAL;
+ hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
+ return sprintf(buf, "%d\n", inbound.current_interrupt_mask);
+ }
+@@ -397,6 +409,8 @@ static ssize_t in_read_index_show(struct device *dev,
+
+ if (!hv_dev->channel)
+ return -ENODEV;
++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
++ return -EINVAL;
+ hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
+ return sprintf(buf, "%d\n", inbound.current_read_index);
+ }
+@@ -410,6 +424,8 @@ static ssize_t in_write_index_show(struct device *dev,
+
+ if (!hv_dev->channel)
+ return -ENODEV;
++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
++ return -EINVAL;
+ hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
+ return sprintf(buf, "%d\n", inbound.current_write_index);
+ }
+@@ -424,6 +440,8 @@ static ssize_t in_read_bytes_avail_show(struct device *dev,
+
+ if (!hv_dev->channel)
+ return -ENODEV;
++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
++ return -EINVAL;
+ hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
+ return sprintf(buf, "%d\n", inbound.bytes_avail_toread);
+ }
+@@ -438,6 +456,8 @@ static ssize_t in_write_bytes_avail_show(struct device *dev,
+
+ if (!hv_dev->channel)
+ return -ENODEV;
++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
++ return -EINVAL;
+ hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
+ return sprintf(buf, "%d\n", inbound.bytes_avail_towrite);
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-012-x86-mtrr-Don-t-copy-uninitialized-gentry-fiel.patch b/patches.kernel.org/4.4.170-012-x86-mtrr-Don-t-copy-uninitialized-gentry-fiel.patch
new file mode 100644
index 0000000000..361dc8c88b
--- /dev/null
+++ b/patches.kernel.org/4.4.170-012-x86-mtrr-Don-t-copy-uninitialized-gentry-fiel.patch
@@ -0,0 +1,47 @@
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 18 Dec 2018 17:29:56 +0000
+Subject: [PATCH] x86/mtrr: Don't copy uninitialized gentry fields back to
+ userspace
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 32043fa065b51e0b1433e48d118821c71b5cd65d
+
+commit 32043fa065b51e0b1433e48d118821c71b5cd65d upstream.
+
+Currently the copy_to_user of data in the gentry struct is copying
+uninitiaized data in field _pad from the stack to userspace.
+
+Fix this by explicitly memset'ing gentry to zero, this also will zero any
+compiler added padding fields that may be in struct (currently there are
+none).
+
+Detected by CoverityScan, CID#200783 ("Uninitialized scalar variable")
+
+Fixes: b263b31e8ad6 ("x86, mtrr: Use explicit sizing and padding for the 64-bit ioctls")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
+Cc: security@kernel.org
+Link: https://lkml.kernel.org/r/20181218172956.1440-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/kernel/cpu/mtrr/if.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/mtrr/if.c b/arch/x86/kernel/cpu/mtrr/if.c
+index d76f13d6d8d6..ec894bf5eeb0 100644
+--- a/arch/x86/kernel/cpu/mtrr/if.c
++++ b/arch/x86/kernel/cpu/mtrr/if.c
+@@ -173,6 +173,8 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
+ struct mtrr_gentry gentry;
+ void __user *arg = (void __user *) __arg;
+
++ memset(&gentry, 0, sizeof(gentry));
++
+ switch (cmd) {
+ case MTRRIOC_ADD_ENTRY:
+ case MTRRIOC_SET_ENTRY:
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-013-drm-ioctl-Fix-Spectre-v1-vulnerabilities.patch b/patches.kernel.org/4.4.170-013-drm-ioctl-Fix-Spectre-v1-vulnerabilities.patch
new file mode 100644
index 0000000000..42ad4ba542
--- /dev/null
+++ b/patches.kernel.org/4.4.170-013-drm-ioctl-Fix-Spectre-v1-vulnerabilities.patch
@@ -0,0 +1,80 @@
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Wed, 19 Dec 2018 18:00:15 -0600
+Subject: [PATCH] drm/ioctl: Fix Spectre v1 vulnerabilities
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 505b5240329b922f21f91d5b5d1e535c805eca6d
+
+commit 505b5240329b922f21f91d5b5d1e535c805eca6d upstream.
+
+nr is indirectly controlled by user-space, hence leading to a
+potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/gpu/drm/drm_ioctl.c:805 drm_ioctl() warn: potential spectre issue 'dev->driver->ioctls' [r]
+drivers/gpu/drm/drm_ioctl.c:810 drm_ioctl() warn: potential spectre issue 'drm_ioctls' [r] (local cap)
+drivers/gpu/drm/drm_ioctl.c:892 drm_ioctl_flags() warn: potential spectre issue 'drm_ioctls' [r] (local cap)
+
+Fix this by sanitizing nr before using it to index dev->driver->ioctls
+and drm_ioctls.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181220000015.GA18973@embeddedor
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/gpu/drm/drm_ioctl.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
+index 8ce2a0c59116..a7030ada81fd 100644
+--- a/drivers/gpu/drm/drm_ioctl.c
++++ b/drivers/gpu/drm/drm_ioctl.c
+@@ -36,6 +36,7 @@
+
+ #include <linux/pci.h>
+ #include <linux/export.h>
++#include <linux/nospec.h>
+
+ static int drm_version(struct drm_device *dev, void *data,
+ struct drm_file *file_priv);
+@@ -702,13 +703,17 @@ long drm_ioctl(struct file *filp,
+
+ if (is_driver_ioctl) {
+ /* driver ioctl */
+- if (nr - DRM_COMMAND_BASE >= dev->driver->num_ioctls)
++ unsigned int index = nr - DRM_COMMAND_BASE;
++
++ if (index >= dev->driver->num_ioctls)
+ goto err_i1;
+- ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE];
++ index = array_index_nospec(index, dev->driver->num_ioctls);
++ ioctl = &dev->driver->ioctls[index];
+ } else {
+ /* core ioctl */
+ if (nr >= DRM_CORE_IOCTL_COUNT)
+ goto err_i1;
++ nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
+ ioctl = &drm_ioctls[nr];
+ }
+
+@@ -810,6 +815,7 @@ bool drm_ioctl_flags(unsigned int nr, unsigned int *flags)
+
+ if (nr >= DRM_CORE_IOCTL_COUNT)
+ return false;
++ nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
+
+ *flags = drm_ioctls[nr].flags;
+ return true;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-014-ip6mr-Fix-potential-Spectre-v1-vulnerability.patch b/patches.kernel.org/4.4.170-014-ip6mr-Fix-potential-Spectre-v1-vulnerability.patch
new file mode 100644
index 0000000000..c186e2b772
--- /dev/null
+++ b/patches.kernel.org/4.4.170-014-ip6mr-Fix-potential-Spectre-v1-vulnerability.patch
@@ -0,0 +1,65 @@
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 11 Dec 2018 14:10:08 -0600
+Subject: [PATCH] ip6mr: Fix potential Spectre v1 vulnerability
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 69d2c86766da2ded2b70281f1bf242cb0d58a778
+
+[ Upstream commit 69d2c86766da2ded2b70281f1bf242cb0d58a778 ]
+
+vr.mifi is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+net/ipv6/ip6mr.c:1845 ip6mr_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap)
+net/ipv6/ip6mr.c:1919 ip6mr_compat_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap)
+
+Fix this by sanitizing vr.mifi before using it to index mrt->vif_table'
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/ip6mr.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
+index 9b92960f024d..74b3e9718e84 100644
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -72,6 +72,8 @@ struct mr6_table {
+ #endif
+ };
+
++#include <linux/nospec.h>
++
+ struct ip6mr_rule {
+ struct fib_rule common;
+ };
+@@ -1871,6 +1873,7 @@ int ip6mr_ioctl(struct sock *sk, int cmd, void __user *arg)
+ return -EFAULT;
+ if (vr.mifi >= mrt->maxvif)
+ return -EINVAL;
++ vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif);
+ read_lock(&mrt_lock);
+ vif = &mrt->vif6_table[vr.mifi];
+ if (MIF_EXISTS(mrt, vr.mifi)) {
+@@ -1945,6 +1948,7 @@ int ip6mr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
+ return -EFAULT;
+ if (vr.mifi >= mrt->maxvif)
+ return -EINVAL;
++ vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif);
+ read_lock(&mrt_lock);
+ vif = &mrt->vif6_table[vr.mifi];
+ if (MIF_EXISTS(mrt, vr.mifi)) {
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-015-ipv4-Fix-potential-Spectre-v1-vulnerability.patch b/patches.kernel.org/4.4.170-015-ipv4-Fix-potential-Spectre-v1-vulnerability.patch
new file mode 100644
index 0000000000..d9dbe88579
--- /dev/null
+++ b/patches.kernel.org/4.4.170-015-ipv4-Fix-potential-Spectre-v1-vulnerability.patch
@@ -0,0 +1,56 @@
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 10 Dec 2018 12:41:24 -0600
+Subject: [PATCH] ipv4: Fix potential Spectre v1 vulnerability
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 5648451e30a0d13d11796574919a359025d52cce
+
+[ Upstream commit 5648451e30a0d13d11796574919a359025d52cce ]
+
+vr.vifi is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+net/ipv4/ipmr.c:1616 ipmr_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap)
+net/ipv4/ipmr.c:1690 ipmr_compat_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap)
+
+Fix this by sanitizing vr.vifi before using it to index mrt->vif_table'
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/ipmr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
+index 8e77786549c6..1cb865fcc91b 100644
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -66,6 +66,7 @@
+ #include <net/netlink.h>
+ #include <net/fib_rules.h>
+ #include <linux/netconf.h>
++#include <linux/nospec.h>
+
+ #if defined(CONFIG_IP_PIMSM_V1) || defined(CONFIG_IP_PIMSM_V2)
+ #define CONFIG_IP_PIMSM 1
+@@ -1574,6 +1575,7 @@ int ipmr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
+ return -EFAULT;
+ if (vr.vifi >= mrt->maxvif)
+ return -EINVAL;
++ vr.vifi = array_index_nospec(vr.vifi, mrt->maxvif);
+ read_lock(&mrt_lock);
+ vif = &mrt->vif_table[vr.vifi];
+ if (VIF_EXISTS(mrt, vr.vifi)) {
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-016-ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch b/patches.kernel.org/4.4.170-016-ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch
new file mode 100644
index 0000000000..e3a3880ffa
--- /dev/null
+++ b/patches.kernel.org/4.4.170-016-ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch
@@ -0,0 +1,81 @@
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sat, 29 Dec 2018 13:56:36 -0800
+Subject: [PATCH] ax25: fix a use-after-free in ax25_fillin_cb()
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: c433570458e49bccea5c551df628d058b3526289
+
+[ Upstream commit c433570458e49bccea5c551df628d058b3526289 ]
+
+There are multiple issues here:
+
+1. After freeing dev->ax25_ptr, we need to set it to NULL otherwise
+ we may use a dangling pointer.
+
+2. There is a race between ax25_setsockopt() and device notifier as
+ reported by syzbot. Close it by holding RTNL lock.
+
+3. We need to test if dev->ax25_ptr is NULL before using it.
+
+Reported-and-tested-by: syzbot+ae6bb869cbed29b29040@syzkaller.appspotmail.com
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ax25/af_ax25.c | 11 +++++++++--
+ net/ax25/ax25_dev.c | 2 ++
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index 2fdebabbfacd..2772f6a13fcb 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -654,15 +654,22 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname,
+ break;
+ }
+
+- dev = dev_get_by_name(&init_net, devname);
++ rtnl_lock();
++ dev = __dev_get_by_name(&init_net, devname);
+ if (!dev) {
++ rtnl_unlock();
+ res = -ENODEV;
+ break;
+ }
+
+ ax25->ax25_dev = ax25_dev_ax25dev(dev);
++ if (!ax25->ax25_dev) {
++ rtnl_unlock();
++ res = -ENODEV;
++ break;
++ }
+ ax25_fillin_cb(ax25, ax25->ax25_dev);
+- dev_put(dev);
++ rtnl_unlock();
+ break;
+
+ default:
+diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c
+index 3d106767b272..5faca5db6385 100644
+--- a/net/ax25/ax25_dev.c
++++ b/net/ax25/ax25_dev.c
+@@ -116,6 +116,7 @@ void ax25_dev_device_down(struct net_device *dev)
+ if ((s = ax25_dev_list) == ax25_dev) {
+ ax25_dev_list = s->next;
+ spin_unlock_bh(&ax25_dev_lock);
++ dev->ax25_ptr = NULL;
+ dev_put(dev);
+ kfree(ax25_dev);
+ return;
+@@ -125,6 +126,7 @@ void ax25_dev_device_down(struct net_device *dev)
+ if (s->next == ax25_dev) {
+ s->next = ax25_dev->next;
+ spin_unlock_bh(&ax25_dev_lock);
++ dev->ax25_ptr = NULL;
+ dev_put(dev);
+ kfree(ax25_dev);
+ return;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-017-ibmveth-fix-DMA-unmap-error-in-ibmveth_xmit_s.patch b/patches.kernel.org/4.4.170-017-ibmveth-fix-DMA-unmap-error-in-ibmveth_xmit_s.patch
new file mode 100644
index 0000000000..74ed595dfb
--- /dev/null
+++ b/patches.kernel.org/4.4.170-017-ibmveth-fix-DMA-unmap-error-in-ibmveth_xmit_s.patch
@@ -0,0 +1,66 @@
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Date: Mon, 31 Dec 2018 15:43:01 -0600
+Subject: [PATCH] ibmveth: fix DMA unmap error in ibmveth_xmit_start error path
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 756af9c642329d54f048bac2a62f829b391f6944
+
+[ Upstream commit 756af9c642329d54f048bac2a62f829b391f6944 ]
+
+Commit 33a48ab105a7 ("ibmveth: Fix DMA unmap error") fixed an issue in the
+normal code path of ibmveth_xmit_start() that was originally introduced by
+Commit 6e8ab30ec677 ("ibmveth: Add scatter-gather support"). This original
+fix missed the error path where dma_unmap_page is wrongly called on the
+header portion in descs[0] which was mapped with dma_map_single. As a
+result a failure to DMA map any of the frags results in a dmesg warning
+when CONFIG_DMA_API_DEBUG is enabled.
+
+------------[ cut here ]------------
+DMA-API: ibmveth 30000002: device driver frees DMA memory with wrong function
+ [device address=0x000000000a430000] [size=172 bytes] [mapped as page] [unmapped as single]
+WARNING: CPU: 1 PID: 8426 at kernel/dma/debug.c:1085 check_unmap+0x4fc/0xe10
+...
+<snip>
+...
+DMA-API: Mapped at:
+ibmveth_start_xmit+0x30c/0xb60
+dev_hard_start_xmit+0x100/0x450
+sch_direct_xmit+0x224/0x490
+__qdisc_run+0x20c/0x980
+__dev_queue_xmit+0x1bc/0xf20
+
+This fixes the API misuse by unampping descs[0] with dma_unmap_single.
+
+Fixes: 6e8ab30ec677 ("ibmveth: Add scatter-gather support")
+Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/ibm/ibmveth.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c
+index 2f9b12cf9ee5..61a9ab4fe047 100644
+--- a/drivers/net/ethernet/ibm/ibmveth.c
++++ b/drivers/net/ethernet/ibm/ibmveth.c
+@@ -1163,11 +1163,15 @@ static netdev_tx_t ibmveth_start_xmit(struct sk_buff *skb,
+
+ map_failed_frags:
+ last = i+1;
+- for (i = 0; i < last; i++)
++ for (i = 1; i < last; i++)
+ dma_unmap_page(&adapter->vdev->dev, descs[i].fields.address,
+ descs[i].fields.flags_len & IBMVETH_BUF_LEN_MASK,
+ DMA_TO_DEVICE);
+
++ dma_unmap_single(&adapter->vdev->dev,
++ descs[0].fields.address,
++ descs[0].fields.flags_len & IBMVETH_BUF_LEN_MASK,
++ DMA_TO_DEVICE);
+ map_failed:
+ if (!firmware_has_feature(FW_FEATURE_CMO))
+ netdev_err(netdev, "tx: unable to map xmit buffer\n");
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-018-ieee802154-lowpan_header_create-check-must-ch.patch b/patches.kernel.org/4.4.170-018-ieee802154-lowpan_header_create-check-must-ch.patch
new file mode 100644
index 0000000000..de8b5cafe9
--- /dev/null
+++ b/patches.kernel.org/4.4.170-018-ieee802154-lowpan_header_create-check-must-ch.patch
@@ -0,0 +1,39 @@
+From: Willem de Bruijn <willemb@google.com>
+Date: Sun, 23 Dec 2018 12:52:18 -0500
+Subject: [PATCH] ieee802154: lowpan_header_create check must check daddr
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 40c3ff6d5e0809505a067dd423c110c5658c478c
+
+[ Upstream commit 40c3ff6d5e0809505a067dd423c110c5658c478c ]
+
+Packet sockets may call dev_header_parse with NULL daddr. Make
+lowpan_header_ops.create fail.
+
+Fixes: 87a93e4eceb4 ("ieee802154: change needed headroom/tailroom")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Alexander Aring <aring@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ieee802154/6lowpan/tx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ieee802154/6lowpan/tx.c b/net/ieee802154/6lowpan/tx.c
+index a10db45b2e1e..df32134da924 100644
+--- a/net/ieee802154/6lowpan/tx.c
++++ b/net/ieee802154/6lowpan/tx.c
+@@ -55,6 +55,9 @@ int lowpan_header_create(struct sk_buff *skb, struct net_device *ldev,
+ const u8 *daddr = _daddr;
+ struct lowpan_addr_info *info;
+
++ if (!daddr)
++ return -EINVAL;
++
+ /* TODO:
+ * if this package isn't ipv6 one, where should it be routed?
+ */
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-019-ipv6-explicitly-initialize-udp6_addr-in-udp_s.patch b/patches.kernel.org/4.4.170-019-ipv6-explicitly-initialize-udp6_addr-in-udp_s.patch
new file mode 100644
index 0000000000..c37ef75c19
--- /dev/null
+++ b/patches.kernel.org/4.4.170-019-ipv6-explicitly-initialize-udp6_addr-in-udp_s.patch
@@ -0,0 +1,54 @@
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Tue, 18 Dec 2018 21:17:44 -0800
+Subject: [PATCH] ipv6: explicitly initialize udp6_addr in udp_sock_create6()
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: fb24274546310872eeeaf3d1d53799d8414aa0f2
+
+[ Upstream commit fb24274546310872eeeaf3d1d53799d8414aa0f2 ]
+
+syzbot reported the use of uninitialized udp6_addr::sin6_scope_id.
+We can just set ::sin6_scope_id to zero, as tunnels are unlikely
+to use an IPv6 address that needs a scope id and there is no
+interface to bind in this context.
+
+For net-next, it looks different as we have cfg->bind_ifindex there
+so we can probably call ipv6_iface_scope_id().
+
+Same for ::sin6_flowinfo, tunnels don't use it.
+
+Fixes: 8024e02879dd ("udp: Add udp_sock_create for UDP tunnels to open listener socket")
+Reported-by: syzbot+c56449ed3652e6720f30@syzkaller.appspotmail.com
+Cc: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/ip6_udp_tunnel.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_udp_tunnel.c b/net/ipv6/ip6_udp_tunnel.c
+index 14dacf1df529..30b03d8e321a 100644
+--- a/net/ipv6/ip6_udp_tunnel.c
++++ b/net/ipv6/ip6_udp_tunnel.c
+@@ -15,7 +15,7 @@
+ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+ struct socket **sockp)
+ {
+- struct sockaddr_in6 udp6_addr;
++ struct sockaddr_in6 udp6_addr = {};
+ int err;
+ struct socket *sock = NULL;
+
+@@ -42,6 +42,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+ goto error;
+
+ if (cfg->peer_udp_port) {
++ memset(&udp6_addr, 0, sizeof(udp6_addr));
+ udp6_addr.sin6_family = AF_INET6;
+ memcpy(&udp6_addr.sin6_addr, &cfg->peer_ip6,
+ sizeof(udp6_addr.sin6_addr));
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-020-isdn-fix-kernel-infoleak-in-capi_unlocked_ioc.patch b/patches.kernel.org/4.4.170-020-isdn-fix-kernel-infoleak-in-capi_unlocked_ioc.patch
new file mode 100644
index 0000000000..2ee7adec52
--- /dev/null
+++ b/patches.kernel.org/4.4.170-020-isdn-fix-kernel-infoleak-in-capi_unlocked_ioc.patch
@@ -0,0 +1,86 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 2 Jan 2019 09:20:27 -0800
+Subject: [PATCH] isdn: fix kernel-infoleak in capi_unlocked_ioctl
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: d63967e475ae10f286dbd35e189cb241e0b1f284
+
+[ Upstream commit d63967e475ae10f286dbd35e189cb241e0b1f284 ]
+
+Since capi_ioctl() copies 64 bytes after calling
+capi20_get_manufacturer() we need to ensure to not leak
+information to user.
+
+BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
+CPU: 0 PID: 11245 Comm: syz-executor633 Not tainted 4.20.0-rc7+ #2
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x173/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
+ kmsan_internal_check_memory+0x9d4/0xb00 mm/kmsan/kmsan.c:704
+ kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
+ _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
+ capi_ioctl include/linux/uaccess.h:177 [inline]
+ capi_unlocked_ioctl+0x1a0b/0x1bf0 drivers/isdn/capi/capi.c:939
+ do_vfs_ioctl+0xebd/0x2bf0 fs/ioctl.c:46
+ ksys_ioctl fs/ioctl.c:713 [inline]
+ __do_sys_ioctl fs/ioctl.c:720 [inline]
+ __se_sys_ioctl+0x1da/0x270 fs/ioctl.c:718
+ __x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:718
+ do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+RIP: 0033:0x440019
+Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007ffdd4659fb8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
+RDX: 0000000020000080 RSI: 00000000c0044306 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
+R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004018a0
+R13: 0000000000401930 R14: 0000000000000000 R15: 0000000000000000
+
+Local variable description: ----data.i@capi_unlocked_ioctl
+Variable was created at:
+ capi_ioctl drivers/isdn/capi/capi.c:747 [inline]
+ capi_unlocked_ioctl+0x82/0x1bf0 drivers/isdn/capi/capi.c:939
+ do_vfs_ioctl+0xebd/0x2bf0 fs/ioctl.c:46
+
+Bytes 12-63 of 64 are uninitialized
+Memory access of size 64 starts at ffff88807ac5fce8
+Data copied to user address 0000000020000080
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Karsten Keil <isdn@linux-pingi.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/isdn/capi/kcapi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c
+index dd7e38ac29bd..d15347de415a 100644
+--- a/drivers/isdn/capi/kcapi.c
++++ b/drivers/isdn/capi/kcapi.c
+@@ -851,7 +851,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf)
+ u16 ret;
+
+ if (contr == 0) {
+- strlcpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
++ strncpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
+ return CAPI_NOERROR;
+ }
+
+@@ -859,7 +859,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf)
+
+ ctr = get_capi_ctr_by_nr(contr);
+ if (ctr && ctr->state == CAPI_CTR_RUNNING) {
+- strlcpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
++ strncpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
+ ret = CAPI_NOERROR;
+ } else
+ ret = CAPI_REGNOTINSTALLED;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-021-netrom-fix-locking-in-nr_find_socket.patch b/patches.kernel.org/4.4.170-021-netrom-fix-locking-in-nr_find_socket.patch
new file mode 100644
index 0000000000..40b485675e
--- /dev/null
+++ b/patches.kernel.org/4.4.170-021-netrom-fix-locking-in-nr_find_socket.patch
@@ -0,0 +1,107 @@
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sat, 29 Dec 2018 13:56:38 -0800
+Subject: [PATCH] netrom: fix locking in nr_find_socket()
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 7314f5480f3e37e570104dc5e0f28823ef849e72
+
+[ Upstream commit 7314f5480f3e37e570104dc5e0f28823ef849e72 ]
+
+nr_find_socket(), nr_find_peer() and nr_find_listener() lock the
+sock after finding it in the global list. However, the call path
+requires BH disabled for the sock lock consistently.
+
+Actually the locking is unnecessary at this point, we can just hold
+the sock refcnt to make sure it is not gone after we unlock the global
+list, and lock it later only when needed.
+
+Reported-and-tested-by: syzbot+f621cda8b7e598908efa@syzkaller.appspotmail.com
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/netrom/af_netrom.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index ed212ffc1d9d..046ae1caecea 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -153,7 +153,7 @@ static struct sock *nr_find_listener(ax25_address *addr)
+ sk_for_each(s, &nr_list)
+ if (!ax25cmp(&nr_sk(s)->source_addr, addr) &&
+ s->sk_state == TCP_LISTEN) {
+- bh_lock_sock(s);
++ sock_hold(s);
+ goto found;
+ }
+ s = NULL;
+@@ -174,7 +174,7 @@ static struct sock *nr_find_socket(unsigned char index, unsigned char id)
+ struct nr_sock *nr = nr_sk(s);
+
+ if (nr->my_index == index && nr->my_id == id) {
+- bh_lock_sock(s);
++ sock_hold(s);
+ goto found;
+ }
+ }
+@@ -198,7 +198,7 @@ static struct sock *nr_find_peer(unsigned char index, unsigned char id,
+
+ if (nr->your_index == index && nr->your_id == id &&
+ !ax25cmp(&nr->dest_addr, dest)) {
+- bh_lock_sock(s);
++ sock_hold(s);
+ goto found;
+ }
+ }
+@@ -224,7 +224,7 @@ static unsigned short nr_find_next_circuit(void)
+ if (i != 0 && j != 0) {
+ if ((sk=nr_find_socket(i, j)) == NULL)
+ break;
+- bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+
+ id++;
+@@ -918,6 +918,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
+ }
+
+ if (sk != NULL) {
++ bh_lock_sock(sk);
+ skb_reset_transport_header(skb);
+
+ if (frametype == NR_CONNACK && skb->len == 22)
+@@ -927,6 +928,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
+
+ ret = nr_process_rx_frame(sk, skb);
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ return ret;
+ }
+
+@@ -958,10 +960,12 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
+ (make = nr_make_new(sk)) == NULL) {
+ nr_transmit_refusal(skb, 0);
+ if (sk)
+- bh_unlock_sock(sk);
++ sock_put(sk);
+ return 0;
+ }
+
++ bh_lock_sock(sk);
++
+ window = skb->data[20];
+
+ skb->sk = make;
+@@ -1014,6 +1018,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
+ sk->sk_data_ready(sk);
+
+ bh_unlock_sock(sk);
++ sock_put(sk);
+
+ nr_insert_socket(make);
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-022-packet-validate-address-length.patch b/patches.kernel.org/4.4.170-022-packet-validate-address-length.patch
new file mode 100644
index 0000000000..76af422f1f
--- /dev/null
+++ b/patches.kernel.org/4.4.170-022-packet-validate-address-length.patch
@@ -0,0 +1,46 @@
+From: Willem de Bruijn <willemb@google.com>
+Date: Fri, 21 Dec 2018 12:06:59 -0500
+Subject: [PATCH] packet: validate address length
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 99137b7888f4058087895d035d81c6b2d31015c5
+
+[ Upstream commit 99137b7888f4058087895d035d81c6b2d31015c5 ]
+
+Packet sockets with SOCK_DGRAM may pass an address for use in
+dev_hard_header. Ensure that it is of sufficient length.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/packet/af_packet.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 07668f152a3a..050dcb71e54e 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2513,6 +2513,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
+ proto = saddr->sll_protocol;
+ addr = saddr->sll_addr;
+ dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
++ if (addr && dev && saddr->sll_halen < dev->addr_len)
++ goto out;
+ }
+
+ err = -ENXIO;
+@@ -2680,6 +2682,8 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+ proto = saddr->sll_protocol;
+ addr = saddr->sll_addr;
+ dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
++ if (addr && dev && saddr->sll_halen < dev->addr_len)
++ goto out;
+ }
+
+ err = -ENXIO;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-023-packet-validate-address-length-if-non-zero.patch b/patches.kernel.org/4.4.170-023-packet-validate-address-length-if-non-zero.patch
new file mode 100644
index 0000000000..fc5d30c172
--- /dev/null
+++ b/patches.kernel.org/4.4.170-023-packet-validate-address-length-if-non-zero.patch
@@ -0,0 +1,47 @@
+From: Willem de Bruijn <willemb@google.com>
+Date: Sat, 22 Dec 2018 16:53:45 -0500
+Subject: [PATCH] packet: validate address length if non-zero
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 6b8d95f1795c42161dc0984b6863e95d6acf24ed
+
+[ Upstream commit 6b8d95f1795c42161dc0984b6863e95d6acf24ed ]
+
+Validate packet socket address length if a length is given. Zero
+length is equivalent to not setting an address.
+
+Fixes: 99137b7888f4 ("packet: validate address length")
+Reported-by: Ido Schimmel <idosch@idosch.org>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/packet/af_packet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 050dcb71e54e..0f50977ed53b 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2511,7 +2511,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
+ sll_addr)))
+ goto out;
+ proto = saddr->sll_protocol;
+- addr = saddr->sll_addr;
++ addr = saddr->sll_halen ? saddr->sll_addr : NULL;
+ dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
+ if (addr && dev && saddr->sll_halen < dev->addr_len)
+ goto out;
+@@ -2680,7 +2680,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+ if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr)))
+ goto out;
+ proto = saddr->sll_protocol;
+- addr = saddr->sll_addr;
++ addr = saddr->sll_halen ? saddr->sll_addr : NULL;
+ dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
+ if (addr && dev && saddr->sll_halen < dev->addr_len)
+ goto out;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-024-sctp-initialize-sin6_flowinfo-for-ipv6-addrs-.patch b/patches.kernel.org/4.4.170-024-sctp-initialize-sin6_flowinfo-for-ipv6-addrs-.patch
new file mode 100644
index 0000000000..eaa9821176
--- /dev/null
+++ b/patches.kernel.org/4.4.170-024-sctp-initialize-sin6_flowinfo-for-ipv6-addrs-.patch
@@ -0,0 +1,68 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 10 Dec 2018 18:00:52 +0800
+Subject: [PATCH] sctp: initialize sin6_flowinfo for ipv6 addrs in
+ sctp_inet6addr_event
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 4a2eb0c37b4759416996fbb4c45b932500cf06d3
+
+[ Upstream commit 4a2eb0c37b4759416996fbb4c45b932500cf06d3 ]
+
+syzbot reported a kernel-infoleak, which is caused by an uninitialized
+field(sin6_flowinfo) of addr->a.v6 in sctp_inet6addr_event().
+The call trace is as below:
+
+ BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33
+ CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+ Google 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x32d/0x480 lib/dump_stack.c:113
+ kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
+ kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
+ kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
+ _copy_to_user+0x19a/0x230 lib/usercopy.c:33
+ copy_to_user include/linux/uaccess.h:183 [inline]
+ sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline]
+ sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477
+ sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937
+ __sys_getsockopt+0x489/0x550 net/socket.c:1939
+ __do_sys_getsockopt net/socket.c:1950 [inline]
+ __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947
+ __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947
+ do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+
+sin6_flowinfo is not really used by SCTP, so it will be fixed by simply
+setting it to 0.
+
+The issue exists since very beginning.
+Thanks Alexander for the reproducer provided.
+
+Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sctp/ipv6.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
+index 5ca8309ea7b1..7dffc97a953c 100644
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev,
+ if (addr) {
+ addr->a.v6.sin6_family = AF_INET6;
+ addr->a.v6.sin6_port = 0;
++ addr->a.v6.sin6_flowinfo = 0;
+ addr->a.v6.sin6_addr = ifa->addr;
+ addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
+ addr->valid = 1;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-025-vhost-make-sure-used-idx-is-seen-before-log-i.patch b/patches.kernel.org/4.4.170-025-vhost-make-sure-used-idx-is-seen-before-log-i.patch
new file mode 100644
index 0000000000..38de96249d
--- /dev/null
+++ b/patches.kernel.org/4.4.170-025-vhost-make-sure-used-idx-is-seen-before-log-i.patch
@@ -0,0 +1,40 @@
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 13 Dec 2018 10:53:37 +0800
+Subject: [PATCH] vhost: make sure used idx is seen before log in
+ vhost_add_used_n()
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 841df922417eb82c835e93d4b93eb6a68c99d599
+
+[ Upstream commit 841df922417eb82c835e93d4b93eb6a68c99d599 ]
+
+We miss a write barrier that guarantees used idx is updated and seen
+before log. This will let userspace sync and copy used ring before
+used idx is update. Fix this by adding a barrier before log_write().
+
+Fixes: 8dd014adfea6f ("vhost-net: mergeable buffers support")
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/vhost/vhost.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index c54d388310f0..2ed0a356d1d3 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1550,6 +1550,8 @@ int vhost_add_used_n(struct vhost_virtqueue *vq, struct vring_used_elem *heads,
+ return -EFAULT;
+ }
+ if (unlikely(vq->log_used)) {
++ /* Make sure used idx is seen before log. */
++ smp_wmb();
+ /* Log used index update. */
+ log_write(vq->log_base,
+ vq->log_addr + offsetof(struct vring_used, idx),
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-026-VSOCK-Send-reset-control-packet-when-socket-i.patch b/patches.kernel.org/4.4.170-026-VSOCK-Send-reset-control-packet-when-socket-i.patch
new file mode 100644
index 0000000000..04408e1786
--- /dev/null
+++ b/patches.kernel.org/4.4.170-026-VSOCK-Send-reset-control-packet-when-socket-i.patch
@@ -0,0 +1,135 @@
+From: Jorgen Hansen <jhansen@vmware.com>
+Date: Tue, 18 Dec 2018 00:34:06 -0800
+Subject: [PATCH] VSOCK: Send reset control packet when socket is partially
+ bound
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: a915b982d8f5e4295f64b8dd37ce753874867e88
+
+[ Upstream commit a915b982d8f5e4295f64b8dd37ce753874867e88 ]
+
+If a server side socket is bound to an address, but not in the listening
+state yet, incoming connection requests should receive a reset control
+packet in response. However, the function used to send the reset
+silently drops the reset packet if the sending socket isn't bound
+to a remote address (as is the case for a bound socket not yet in
+the listening state). This change fixes this by using the src
+of the incoming packet as destination for the reset packet in
+this case.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Reviewed-by: Adit Ranadive <aditr@vmware.com>
+Reviewed-by: Vishnu Dasa <vdasa@vmware.com>
+Signed-off-by: Jorgen Hansen <jhansen@vmware.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/vmw_vsock/vmci_transport.c | 67 +++++++++++++++++++++++++---------
+ 1 file changed, 50 insertions(+), 17 deletions(-)
+
+diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
+index 589c8b9908a5..d24773552b64 100644
+--- a/net/vmw_vsock/vmci_transport.c
++++ b/net/vmw_vsock/vmci_transport.c
+@@ -272,6 +272,31 @@ vmci_transport_send_control_pkt_bh(struct sockaddr_vm *src,
+ false);
+ }
+
++static int
++vmci_transport_alloc_send_control_pkt(struct sockaddr_vm *src,
++ struct sockaddr_vm *dst,
++ enum vmci_transport_packet_type type,
++ u64 size,
++ u64 mode,
++ struct vmci_transport_waiting_info *wait,
++ u16 proto,
++ struct vmci_handle handle)
++{
++ struct vmci_transport_packet *pkt;
++ int err;
++
++ pkt = kmalloc(sizeof(*pkt), GFP_KERNEL);
++ if (!pkt)
++ return -ENOMEM;
++
++ err = __vmci_transport_send_control_pkt(pkt, src, dst, type, size,
++ mode, wait, proto, handle,
++ true);
++ kfree(pkt);
++
++ return err;
++}
++
+ static int
+ vmci_transport_send_control_pkt(struct sock *sk,
+ enum vmci_transport_packet_type type,
+@@ -281,9 +306,7 @@ vmci_transport_send_control_pkt(struct sock *sk,
+ u16 proto,
+ struct vmci_handle handle)
+ {
+- struct vmci_transport_packet *pkt;
+ struct vsock_sock *vsk;
+- int err;
+
+ vsk = vsock_sk(sk);
+
+@@ -293,17 +316,10 @@ vmci_transport_send_control_pkt(struct sock *sk,
+ if (!vsock_addr_bound(&vsk->remote_addr))
+ return -EINVAL;
+
+- pkt = kmalloc(sizeof(*pkt), GFP_KERNEL);
+- if (!pkt)
+- return -ENOMEM;
+-
+- err = __vmci_transport_send_control_pkt(pkt, &vsk->local_addr,
+- &vsk->remote_addr, type, size,
+- mode, wait, proto, handle,
+- true);
+- kfree(pkt);
+-
+- return err;
++ return vmci_transport_alloc_send_control_pkt(&vsk->local_addr,
++ &vsk->remote_addr,
++ type, size, mode,
++ wait, proto, handle);
+ }
+
+ static int vmci_transport_send_reset_bh(struct sockaddr_vm *dst,
+@@ -321,12 +337,29 @@ static int vmci_transport_send_reset_bh(struct sockaddr_vm *dst,
+ static int vmci_transport_send_reset(struct sock *sk,
+ struct vmci_transport_packet *pkt)
+ {
++ struct sockaddr_vm *dst_ptr;
++ struct sockaddr_vm dst;
++ struct vsock_sock *vsk;
++
+ if (pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST)
+ return 0;
+- return vmci_transport_send_control_pkt(sk,
+- VMCI_TRANSPORT_PACKET_TYPE_RST,
+- 0, 0, NULL, VSOCK_PROTO_INVALID,
+- VMCI_INVALID_HANDLE);
++
++ vsk = vsock_sk(sk);
++
++ if (!vsock_addr_bound(&vsk->local_addr))
++ return -EINVAL;
++
++ if (vsock_addr_bound(&vsk->remote_addr)) {
++ dst_ptr = &vsk->remote_addr;
++ } else {
++ vsock_addr_init(&dst, pkt->dg.src.context,
++ pkt->src_port);
++ dst_ptr = &dst;
++ }
++ return vmci_transport_alloc_send_control_pkt(&vsk->local_addr, dst_ptr,
++ VMCI_TRANSPORT_PACKET_TYPE_RST,
++ 0, 0, NULL, VSOCK_PROTO_INVALID,
++ VMCI_INVALID_HANDLE);
+ }
+
+ static int vmci_transport_send_negotiate(struct sock *sk, size_t size)
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-027-xen-netfront-tolerate-frags-with-no-data.patch b/patches.kernel.org/4.4.170-027-xen-netfront-tolerate-frags-with-no-data.patch
new file mode 100644
index 0000000000..e90747ca8f
--- /dev/null
+++ b/patches.kernel.org/4.4.170-027-xen-netfront-tolerate-frags-with-no-data.patch
@@ -0,0 +1,41 @@
+From: Juergen Gross <jgross@suse.com>
+Date: Tue, 18 Dec 2018 16:06:19 +0100
+Subject: [PATCH] xen/netfront: tolerate frags with no data
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: d81c5054a5d1d4999c7cdead7636b6cd4af83d36
+
+[ Upstream commit d81c5054a5d1d4999c7cdead7636b6cd4af83d36 ]
+
+At least old Xen net backends seem to send frags with no real data
+sometimes. In case such a fragment happens to occur with the frag limit
+already reached the frontend will BUG currently even if this situation
+is easily recoverable.
+
+Modify the BUG_ON() condition accordingly.
+
+Tested-by: Dietmar Hahn <dietmar.hahn@ts.fujitsu.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/xen-netfront.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index 0a4bd73caae5..6f55ab4f7959 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -889,7 +889,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
+ if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) {
+ unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
+
+- BUG_ON(pull_to <= skb_headlen(skb));
++ BUG_ON(pull_to < skb_headlen(skb));
+ __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
+ }
+ if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) {
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-028-gro_cell-add-napi_disable-in-gro_cells_destro.patch b/patches.kernel.org/4.4.170-028-gro_cell-add-napi_disable-in-gro_cells_destro.patch
new file mode 100644
index 0000000000..1d01b29b85
--- /dev/null
+++ b/patches.kernel.org/4.4.170-028-gro_cell-add-napi_disable-in-gro_cells_destro.patch
@@ -0,0 +1,83 @@
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Wed, 19 Dec 2018 23:23:00 +0100
+Subject: [PATCH] gro_cell: add napi_disable in gro_cells_destroy
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 8e1da73acded4751a93d4166458a7e640f37d26c
+
+[ Upstream commit 8e1da73acded4751a93d4166458a7e640f37d26c ]
+
+Add napi_disable routine in gro_cells_destroy since starting from
+commit c42858eaf492 ("gro_cells: remove spinlock protecting receive
+queues") gro_cell_poll and gro_cells_destroy can run concurrently on
+napi_skbs list producing a kernel Oops if the tunnel interface is
+removed while gro_cell_poll is running. The following Oops has been
+triggered removing a vxlan device while the interface is receiving
+traffic
+
+[ 5628.948853] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+[ 5628.949981] PGD 0 P4D 0
+[ 5628.950308] Oops: 0002 [#1] SMP PTI
+[ 5628.950748] CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 4.20.0-rc6+ #41
+[ 5628.952940] RIP: 0010:gro_cell_poll+0x49/0x80
+[ 5628.955615] RSP: 0018:ffffc9000004fdd8 EFLAGS: 00010202
+[ 5628.956250] RAX: 0000000000000000 RBX: ffffe8ffffc08150 RCX: 0000000000000000
+[ 5628.957102] RDX: 0000000000000000 RSI: ffff88802356bf00 RDI: ffffe8ffffc08150
+[ 5628.957940] RBP: 0000000000000026 R08: 0000000000000000 R09: 0000000000000000
+[ 5628.958803] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000040
+[ 5628.959661] R13: ffffe8ffffc08100 R14: 0000000000000000 R15: 0000000000000040
+[ 5628.960682] FS: 0000000000000000(0000) GS:ffff88803ea00000(0000) knlGS:0000000000000000
+[ 5628.961616] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 5628.962359] CR2: 0000000000000008 CR3: 000000000221c000 CR4: 00000000000006b0
+[ 5628.963188] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 5628.964034] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 5628.964871] Call Trace:
+[ 5628.965179] net_rx_action+0xf0/0x380
+[ 5628.965637] __do_softirq+0xc7/0x431
+[ 5628.966510] run_ksoftirqd+0x24/0x30
+[ 5628.966957] smpboot_thread_fn+0xc5/0x160
+[ 5628.967436] kthread+0x113/0x130
+[ 5628.968283] ret_from_fork+0x3a/0x50
+[ 5628.968721] Modules linked in:
+[ 5628.969099] CR2: 0000000000000008
+[ 5628.969510] ---[ end trace 9d9dedc7181661fe ]---
+[ 5628.970073] RIP: 0010:gro_cell_poll+0x49/0x80
+[ 5628.972965] RSP: 0018:ffffc9000004fdd8 EFLAGS: 00010202
+[ 5628.973611] RAX: 0000000000000000 RBX: ffffe8ffffc08150 RCX: 0000000000000000
+[ 5628.974504] RDX: 0000000000000000 RSI: ffff88802356bf00 RDI: ffffe8ffffc08150
+[ 5628.975462] RBP: 0000000000000026 R08: 0000000000000000 R09: 0000000000000000
+[ 5628.976413] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000040
+[ 5628.977375] R13: ffffe8ffffc08100 R14: 0000000000000000 R15: 0000000000000040
+[ 5628.978296] FS: 0000000000000000(0000) GS:ffff88803ea00000(0000) knlGS:0000000000000000
+[ 5628.979327] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 5628.980044] CR2: 0000000000000008 CR3: 000000000221c000 CR4: 00000000000006b0
+[ 5628.980929] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 5628.981736] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 5628.982409] Kernel panic - not syncing: Fatal exception in interrupt
+[ 5628.983307] Kernel Offset: disabled
+
+Fixes: c42858eaf492 ("gro_cells: remove spinlock protecting receive queues")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/net/gro_cells.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/net/gro_cells.h b/include/net/gro_cells.h
+index cf6c74550baa..86316f90ea1e 100644
+--- a/include/net/gro_cells.h
++++ b/include/net/gro_cells.h
+@@ -84,6 +84,7 @@ static inline void gro_cells_destroy(struct gro_cells *gcells)
+ for_each_possible_cpu(i) {
+ struct gro_cell *cell = per_cpu_ptr(gcells->cells, i);
+
++ napi_disable(&cell->napi);
+ netif_napi_del(&cell->napi);
+ __skb_queue_purge(&cell->napi_skbs);
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-029-sock-Make-sock-sk_stamp-thread-safe.patch b/patches.kernel.org/4.4.170-029-sock-Make-sock-sk_stamp-thread-safe.patch
new file mode 100644
index 0000000000..1e4497d9ae
--- /dev/null
+++ b/patches.kernel.org/4.4.170-029-sock-Make-sock-sk_stamp-thread-safe.patch
@@ -0,0 +1,192 @@
+From: Deepa Dinamani <deepa.kernel@gmail.com>
+Date: Thu, 27 Dec 2018 18:55:09 -0800
+Subject: [PATCH] sock: Make sock->sk_stamp thread-safe
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 3a0ed3e9619738067214871e9cb826fa23b2ddb9
+
+[ Upstream commit 3a0ed3e9619738067214871e9cb826fa23b2ddb9 ]
+
+Al Viro mentioned (Message-ID
+<20170626041334.GZ10672@ZenIV.linux.org.uk>)
+that there is probably a race condition
+lurking in accesses of sk_stamp on 32-bit machines.
+
+sock->sk_stamp is of type ktime_t which is always an s64.
+On a 32 bit architecture, we might run into situations of
+unsafe access as the access to the field becomes non atomic.
+
+Use seqlocks for synchronization.
+This allows us to avoid using spinlocks for readers as
+readers do not need mutual exclusion.
+
+Another approach to solve this is to require sk_lock for all
+modifications of the timestamps. The current approach allows
+for timestamps to have their own lock: sk_stamp_lock.
+This allows for the patch to not compete with already
+existing critical sections, and side effects are limited
+to the paths in the patch.
+
+The addition of the new field maintains the data locality
+optimizations from
+commit 9115e8cd2a0c ("net: reorganize struct sock for better data
+locality")
+
+Note that all the instances of the sk_stamp accesses
+are either through the ioctl or the syscall recvmsg.
+
+Signed-off-by: Deepa Dinamani <deepa.kernel@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/net/sock.h | 36 ++++++++++++++++++++++++++++++++++--
+ net/compat.c | 15 +++++++++------
+ net/core/sock.c | 3 +++
+ net/sunrpc/svcsock.c | 2 +-
+ 4 files changed, 47 insertions(+), 9 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 577075713ad5..7420299c31f5 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -299,6 +299,7 @@ struct cg_proto;
+ * @sk_filter: socket filtering instructions
+ * @sk_timer: sock cleanup timer
+ * @sk_stamp: time stamp of last packet received
++ * @sk_stamp_seq: lock for accessing sk_stamp on 32 bit architectures only
+ * @sk_tsflags: SO_TIMESTAMPING socket options
+ * @sk_tskey: counter to disambiguate concurrent tstamp requests
+ * @sk_socket: Identd and reporting IO signals
+@@ -434,6 +435,9 @@ struct sock {
+ long sk_sndtimeo;
+ struct timer_list sk_timer;
+ ktime_t sk_stamp;
++#if BITS_PER_LONG==32
++ seqlock_t sk_stamp_seq;
++#endif
+ u16 sk_tsflags;
+ u32 sk_tskey;
+ struct socket *sk_socket;
+@@ -2146,6 +2150,34 @@ static inline void sk_drops_add(struct sock *sk, const struct sk_buff *skb)
+ atomic_add(segs, &sk->sk_drops);
+ }
+
++static inline ktime_t sock_read_timestamp(struct sock *sk)
++{
++#if BITS_PER_LONG==32
++ unsigned int seq;
++ ktime_t kt;
++
++ do {
++ seq = read_seqbegin(&sk->sk_stamp_seq);
++ kt = sk->sk_stamp;
++ } while (read_seqretry(&sk->sk_stamp_seq, seq));
++
++ return kt;
++#else
++ return sk->sk_stamp;
++#endif
++}
++
++static inline void sock_write_timestamp(struct sock *sk, ktime_t kt)
++{
++#if BITS_PER_LONG==32
++ write_seqlock(&sk->sk_stamp_seq);
++ sk->sk_stamp = kt;
++ write_sequnlock(&sk->sk_stamp_seq);
++#else
++ sk->sk_stamp = kt;
++#endif
++}
++
+ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
+ struct sk_buff *skb);
+ void __sock_recv_wifi_status(struct msghdr *msg, struct sock *sk,
+@@ -2170,7 +2202,7 @@ sock_recv_timestamp(struct msghdr *msg, struct sock *sk, struct sk_buff *skb)
+ (sk->sk_tsflags & SOF_TIMESTAMPING_RAW_HARDWARE)))
+ __sock_recv_timestamp(msg, sk, skb);
+ else
+- sk->sk_stamp = kt;
++ sock_write_timestamp(sk, kt);
+
+ if (sock_flag(sk, SOCK_WIFI_STATUS) && skb->wifi_acked_valid)
+ __sock_recv_wifi_status(msg, sk, skb);
+@@ -2190,7 +2222,7 @@ static inline void sock_recv_ts_and_drops(struct msghdr *msg, struct sock *sk,
+ if (sk->sk_flags & FLAGS_TS_OR_DROPS || sk->sk_tsflags & TSFLAGS_ANY)
+ __sock_recv_ts_and_drops(msg, sk, skb);
+ else
+- sk->sk_stamp = skb->tstamp;
++ sock_write_timestamp(sk, skb->tstamp);
+ }
+
+ void __sock_tx_timestamp(const struct sock *sk, __u8 *tx_flags);
+diff --git a/net/compat.c b/net/compat.c
+index 17e97b106458..d67684010455 100644
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -443,12 +443,14 @@ int compat_sock_get_timestamp(struct sock *sk, struct timeval __user *userstamp)
+ err = -ENOENT;
+ if (!sock_flag(sk, SOCK_TIMESTAMP))
+ sock_enable_timestamp(sk, SOCK_TIMESTAMP);
+- tv = ktime_to_timeval(sk->sk_stamp);
++ tv = ktime_to_timeval(sock_read_timestamp(sk));
++
+ if (tv.tv_sec == -1)
+ return err;
+ if (tv.tv_sec == 0) {
+- sk->sk_stamp = ktime_get_real();
+- tv = ktime_to_timeval(sk->sk_stamp);
++ ktime_t kt = ktime_get_real();
++ sock_write_timestamp(sk, kt);
++ tv = ktime_to_timeval(kt);
+ }
+ err = 0;
+ if (put_user(tv.tv_sec, &ctv->tv_sec) ||
+@@ -471,12 +473,13 @@ int compat_sock_get_timestampns(struct sock *sk, struct timespec __user *usersta
+ err = -ENOENT;
+ if (!sock_flag(sk, SOCK_TIMESTAMP))
+ sock_enable_timestamp(sk, SOCK_TIMESTAMP);
+- ts = ktime_to_timespec(sk->sk_stamp);
++ ts = ktime_to_timespec(sock_read_timestamp(sk));
+ if (ts.tv_sec == -1)
+ return err;
+ if (ts.tv_sec == 0) {
+- sk->sk_stamp = ktime_get_real();
+- ts = ktime_to_timespec(sk->sk_stamp);
++ ktime_t kt = ktime_get_real();
++ sock_write_timestamp(sk, kt);
++ ts = ktime_to_timespec(kt);
+ }
+ err = 0;
+ if (put_user(ts.tv_sec, &ctv->tv_sec) ||
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 4238835a0e4e..9fb1c073d0c4 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2423,6 +2423,9 @@ void sock_init_data(struct socket *sock, struct sock *sk)
+ sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
+
+ sk->sk_stamp = ktime_set(-1L, 0);
++#if BITS_PER_LONG==32
++ seqlock_init(&sk->sk_stamp_seq);
++#endif
+
+ #ifdef CONFIG_NET_RX_BUSY_POLL
+ sk->sk_napi_id = 0;
+diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
+index 1413cdcc131c..9701fcca002c 100644
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -614,7 +614,7 @@ static int svc_udp_recvfrom(struct svc_rqst *rqstp)
+ /* Don't enable netstamp, sunrpc doesn't
+ need that much accuracy */
+ }
+- svsk->sk_sk->sk_stamp = skb->tstamp;
++ sock_write_timestamp(svsk->sk_sk, skb->tstamp);
+ set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags); /* there may be more data... */
+
+ len = skb->len - sizeof(struct udphdr);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-030-ALSA-rme9652-Fix-potential-Spectre-v1-vulnera.patch b/patches.kernel.org/4.4.170-030-ALSA-rme9652-Fix-potential-Spectre-v1-vulnera.patch
new file mode 100644
index 0000000000..a28abcca22
--- /dev/null
+++ b/patches.kernel.org/4.4.170-030-ALSA-rme9652-Fix-potential-Spectre-v1-vulnera.patch
@@ -0,0 +1,76 @@
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 18 Dec 2018 11:18:34 -0600
+Subject: [PATCH] ALSA: rme9652: Fix potential Spectre v1 vulnerability
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 0b84304ef5da92add8dc75a1b07879c5374cdb05
+
+commit 0b84304ef5da92add8dc75a1b07879c5374cdb05 upstream.
+
+info->channel is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+sound/pci/rme9652/hdsp.c:4100 snd_hdsp_channel_info() warn: potential spectre issue 'hdsp->channel_map' [r] (local cap)
+
+Fix this by sanitizing info->channel before using it to index hdsp->channel_map
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+Also, notice that I refactored the code a bit in order to get rid of the
+following checkpatch warning:
+
+ERROR: do not use assignment in if condition
+FILE: sound/pci/rme9652/hdsp.c:4103:
+ if ((mapped_channel = hdsp->channel_map[info->channel]) < 0)
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/pci/rme9652/hdsp.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c
+index 7c8941b8b2de..dd6c9e6a1d53 100644
+--- a/sound/pci/rme9652/hdsp.c
++++ b/sound/pci/rme9652/hdsp.c
+@@ -30,6 +30,7 @@
+ #include <linux/math64.h>
+ #include <linux/vmalloc.h>
+ #include <linux/io.h>
++#include <linux/nospec.h>
+
+ #include <sound/core.h>
+ #include <sound/control.h>
+@@ -4065,15 +4066,16 @@ static int snd_hdsp_channel_info(struct snd_pcm_substream *substream,
+ struct snd_pcm_channel_info *info)
+ {
+ struct hdsp *hdsp = snd_pcm_substream_chip(substream);
+- int mapped_channel;
++ unsigned int channel = info->channel;
+
+- if (snd_BUG_ON(info->channel >= hdsp->max_channels))
++ if (snd_BUG_ON(channel >= hdsp->max_channels))
+ return -EINVAL;
++ channel = array_index_nospec(channel, hdsp->max_channels);
+
+- if ((mapped_channel = hdsp->channel_map[info->channel]) < 0)
++ if (hdsp->channel_map[channel] < 0)
+ return -EINVAL;
+
+- info->offset = mapped_channel * HDSP_CHANNEL_BUFFER_BYTES;
++ info->offset = hdsp->channel_map[channel] * HDSP_CHANNEL_BUFFER_BYTES;
+ info->first = 0;
+ info->step = 32;
+ return 0;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-031-ALSA-emu10k1-Fix-potential-Spectre-v1-vulnera.patch b/patches.kernel.org/4.4.170-031-ALSA-emu10k1-Fix-potential-Spectre-v1-vulnera.patch
new file mode 100644
index 0000000000..315998c849
--- /dev/null
+++ b/patches.kernel.org/4.4.170-031-ALSA-emu10k1-Fix-potential-Spectre-v1-vulnera.patch
@@ -0,0 +1,67 @@
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 18 Dec 2018 11:52:16 -0600
+Subject: [PATCH] ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 5ae4f61f012a097df93de2285070ec8e34716d29
+
+commit 5ae4f61f012a097df93de2285070ec8e34716d29 upstream.
+
+ipcm->substream is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+sound/pci/emu10k1/emufx.c:1031 snd_emu10k1_ipcm_poke() warn: potential spectre issue 'emu->fx8010.pcm' [r] (local cap)
+sound/pci/emu10k1/emufx.c:1075 snd_emu10k1_ipcm_peek() warn: potential spectre issue 'emu->fx8010.pcm' [r] (local cap)
+
+Fix this by sanitizing ipcm->substream before using it to index emu->fx8010.pcm
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/pci/emu10k1/emufx.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/sound/pci/emu10k1/emufx.c b/sound/pci/emu10k1/emufx.c
+index 50b216fc369f..5d422d65e62b 100644
+--- a/sound/pci/emu10k1/emufx.c
++++ b/sound/pci/emu10k1/emufx.c
+@@ -36,6 +36,7 @@
+ #include <linux/init.h>
+ #include <linux/mutex.h>
+ #include <linux/moduleparam.h>
++#include <linux/nospec.h>
+
+ #include <sound/core.h>
+ #include <sound/tlv.h>
+@@ -1000,6 +1001,8 @@ static int snd_emu10k1_ipcm_poke(struct snd_emu10k1 *emu,
+
+ if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT)
+ return -EINVAL;
++ ipcm->substream = array_index_nospec(ipcm->substream,
++ EMU10K1_FX8010_PCM_COUNT);
+ if (ipcm->channels > 32)
+ return -EINVAL;
+ pcm = &emu->fx8010.pcm[ipcm->substream];
+@@ -1046,6 +1049,8 @@ static int snd_emu10k1_ipcm_peek(struct snd_emu10k1 *emu,
+
+ if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT)
+ return -EINVAL;
++ ipcm->substream = array_index_nospec(ipcm->substream,
++ EMU10K1_FX8010_PCM_COUNT);
+ pcm = &emu->fx8010.pcm[ipcm->substream];
+ mutex_lock(&emu->fx8010.lock);
+ spin_lock_irq(&emu->reg_lock);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-032-ALSA-pcm-Fix-potential-Spectre-v1-vulnerabili.patch b/patches.kernel.org/4.4.170-032-ALSA-pcm-Fix-potential-Spectre-v1-vulnerabili.patch
new file mode 100644
index 0000000000..7bfb372de5
--- /dev/null
+++ b/patches.kernel.org/4.4.170-032-ALSA-pcm-Fix-potential-Spectre-v1-vulnerabili.patch
@@ -0,0 +1,56 @@
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Wed, 12 Dec 2018 15:36:28 -0600
+Subject: [PATCH] ALSA: pcm: Fix potential Spectre v1 vulnerability
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 94ffb030b6d31ec840bb811be455dd2e26a4f43e
+
+commit 94ffb030b6d31ec840bb811be455dd2e26a4f43e upstream.
+
+stream is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+sound/core/pcm.c:140 snd_pcm_control_ioctl() warn: potential spectre issue 'pcm->streams' [r] (local cap)
+
+Fix this by sanitizing stream before using it to index pcm->streams
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/core/pcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/core/pcm.c b/sound/core/pcm.c
+index 6bda8f6c5f84..cdff5f976480 100644
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -25,6 +25,7 @@
+ #include <linux/time.h>
+ #include <linux/mutex.h>
+ #include <linux/device.h>
++#include <linux/nospec.h>
+ #include <sound/core.h>
+ #include <sound/minors.h>
+ #include <sound/pcm.h>
+@@ -125,6 +126,7 @@ static int snd_pcm_control_ioctl(struct snd_card *card,
+ return -EFAULT;
+ if (stream < 0 || stream > 1)
+ return -EINVAL;
++ stream = array_index_nospec(stream, 2);
+ if (get_user(subdevice, &info->subdevice))
+ return -EFAULT;
+ mutex_lock(&register_mutex);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-033-ALSA-emux-Fix-potential-Spectre-v1-vulnerabil.patch b/patches.kernel.org/4.4.170-033-ALSA-emux-Fix-potential-Spectre-v1-vulnerabil.patch
new file mode 100644
index 0000000000..ec3bde23a3
--- /dev/null
+++ b/patches.kernel.org/4.4.170-033-ALSA-emux-Fix-potential-Spectre-v1-vulnerabil.patch
@@ -0,0 +1,74 @@
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Wed, 12 Dec 2018 11:20:49 -0600
+Subject: [PATCH] ALSA: emux: Fix potential Spectre v1 vulnerabilities
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 4aea96f4237cea0c51a8bc87c0db31f0f932f1f0
+
+commit 4aea96f4237cea0c51a8bc87c0db31f0f932f1f0 upstream.
+
+info.mode and info.port are indirectly controlled by user-space,
+hence leading to a potential exploitation of the Spectre variant 1
+vulnerability.
+
+These issues were detected with the help of Smatch:
+
+sound/synth/emux/emux_hwdep.c:72 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs[i]->ctrls' [w] (local cap)
+sound/synth/emux/emux_hwdep.c:75 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs' [w] (local cap)
+sound/synth/emux/emux_hwdep.c:75 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs[info.port]->ctrls' [w] (local cap)
+
+Fix this by sanitizing both info.mode and info.port before using them
+to index emu->portptrs[i]->ctrls, emu->portptrs[info.port]->ctrls and
+emu->portptrs.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/synth/emux/emux_hwdep.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/sound/synth/emux/emux_hwdep.c b/sound/synth/emux/emux_hwdep.c
+index e557946718a9..d9fcae071b47 100644
+--- a/sound/synth/emux/emux_hwdep.c
++++ b/sound/synth/emux/emux_hwdep.c
+@@ -22,9 +22,9 @@
+ #include <sound/core.h>
+ #include <sound/hwdep.h>
+ #include <linux/uaccess.h>
++#include <linux/nospec.h>
+ #include "emux_voice.h"
+
+-
+ #define TMP_CLIENT_ID 0x1001
+
+ /*
+@@ -66,13 +66,16 @@ snd_emux_hwdep_misc_mode(struct snd_emux *emu, void __user *arg)
+ return -EFAULT;
+ if (info.mode < 0 || info.mode >= EMUX_MD_END)
+ return -EINVAL;
++ info.mode = array_index_nospec(info.mode, EMUX_MD_END);
+
+ if (info.port < 0) {
+ for (i = 0; i < emu->num_ports; i++)
+ emu->portptrs[i]->ctrls[info.mode] = info.value;
+ } else {
+- if (info.port < emu->num_ports)
++ if (info.port < emu->num_ports) {
++ info.port = array_index_nospec(info.port, emu->num_ports);
+ emu->portptrs[info.port]->ctrls[info.mode] = info.value;
++ }
+ }
+ return 0;
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-034-ALSA-hda-add-mute-LED-support-for-HP-EliteBoo.patch b/patches.kernel.org/4.4.170-034-ALSA-hda-add-mute-LED-support-for-HP-EliteBoo.patch
new file mode 100644
index 0000000000..ef3103a76b
--- /dev/null
+++ b/patches.kernel.org/4.4.170-034-ALSA-hda-add-mute-LED-support-for-HP-EliteBoo.patch
@@ -0,0 +1,41 @@
+From: =?UTF-8?q?Mantas=20Mikul=C4=97nas?= <grawity@gmail.com>
+Date: Sun, 16 Dec 2018 15:44:47 +0200
+Subject: [PATCH] ALSA: hda: add mute LED support for HP EliteBook 840 G4
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 40906ebe3af6a48457151b3c6726b480f6a6cb13
+
+commit 40906ebe3af6a48457151b3c6726b480f6a6cb13 upstream.
+
+Tested with 4.19.9.
+
+v2: Changed from CXT_FIXUP_MUTE_LED_GPIO to CXT_FIXUP_HP_DOCK because
+ that's what the existing fixups for EliteBooks use.
+
+Signed-off-by: Mantas Mikulėnas <grawity@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index aea3cc2abe3a..536184ac315d 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -853,6 +853,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
+ SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
++ SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-035-ALSA-hda-tegra-clear-pending-irq-handlers.patch b/patches.kernel.org/4.4.170-035-ALSA-hda-tegra-clear-pending-irq-handlers.patch
new file mode 100644
index 0000000000..e4093a3f7d
--- /dev/null
+++ b/patches.kernel.org/4.4.170-035-ALSA-hda-tegra-clear-pending-irq-handlers.patch
@@ -0,0 +1,48 @@
+From: Sameer Pujar <spujar@nvidia.com>
+Date: Wed, 26 Dec 2018 16:04:49 +0530
+Subject: [PATCH] ALSA: hda/tegra: clear pending irq handlers
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 63d2a9ec310d8bcc955574220d4631aa55c1a80c
+
+commit 63d2a9ec310d8bcc955574220d4631aa55c1a80c upstream.
+
+Even after disabling interrupts on the module, it could be possible
+that irq handlers are still running. System hang is seen during
+suspend path. It was found that, there were pending writes on the
+HDA bus and clock was disabled by that time.
+
+Above mentioned issue is fixed by clearing any pending irq handlers
+before disabling clocks and returning from hda suspend.
+
+Suggested-by: Mohan Kumar <mkumard@nvidia.com>
+Suggested-by: Dara Ramesh <dramesh@nvidia.com>
+Signed-off-by: Sameer Pujar <spujar@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/pci/hda/hda_tegra.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/pci/hda/hda_tegra.c b/sound/pci/hda/hda_tegra.c
+index 17fd81736d3d..039fbbb1e53c 100644
+--- a/sound/pci/hda/hda_tegra.c
++++ b/sound/pci/hda/hda_tegra.c
+@@ -249,10 +249,12 @@ static int hda_tegra_suspend(struct device *dev)
+ struct snd_card *card = dev_get_drvdata(dev);
+ struct azx *chip = card->private_data;
+ struct hda_tegra *hda = container_of(chip, struct hda_tegra, chip);
++ struct hdac_bus *bus = azx_bus(chip);
+
+ snd_power_change_state(card, SNDRV_CTL_POWER_D3hot);
+
+ azx_stop_chip(chip);
++ synchronize_irq(bus->irq);
+ azx_enter_link_reset(chip);
+ hda_tegra_disable_clocks(hda);
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-036-USB-serial-pl2303-add-ids-for-Hewlett-Packard.patch b/patches.kernel.org/4.4.170-036-USB-serial-pl2303-add-ids-for-Hewlett-Packard.patch
new file mode 100644
index 0000000000..03a460300b
--- /dev/null
+++ b/patches.kernel.org/4.4.170-036-USB-serial-pl2303-add-ids-for-Hewlett-Packard.patch
@@ -0,0 +1,69 @@
+From: Scott Chen <scott@labau.com.tw>
+Date: Thu, 13 Dec 2018 06:01:47 -0500
+Subject: [PATCH] USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole
+ displays
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 8d503f206c336677954160ac62f0c7d9c219cd89
+
+commit 8d503f206c336677954160ac62f0c7d9c219cd89 upstream.
+
+Add device ids to pl2303 for the HP POS pole displays:
+LM920: 03f0:026b
+TD620: 03f0:0956
+LD960TA: 03f0:4439
+LD220TA: 03f0:4349
+LM940: 03f0:5039
+
+Signed-off-by: Scott Chen <scott@labau.com.tw>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/serial/pl2303.c | 5 +++++
+ drivers/usb/serial/pl2303.h | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c
+index 3da25ad267a2..4966768d3c98 100644
+--- a/drivers/usb/serial/pl2303.c
++++ b/drivers/usb/serial/pl2303.c
+@@ -86,9 +86,14 @@ static const struct usb_device_id id_table[] = {
+ { USB_DEVICE(YCCABLE_VENDOR_ID, YCCABLE_PRODUCT_ID) },
+ { USB_DEVICE(SUPERIAL_VENDOR_ID, SUPERIAL_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LD220_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LD220TA_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LD960_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LD960TA_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LCM220_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LCM960_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LM920_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LM940_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_TD620_PRODUCT_ID) },
+ { USB_DEVICE(CRESSI_VENDOR_ID, CRESSI_EDY_PRODUCT_ID) },
+ { USB_DEVICE(ZEAGLE_VENDOR_ID, ZEAGLE_N2ITION3_PRODUCT_ID) },
+ { USB_DEVICE(SONY_VENDOR_ID, SONY_QN3USB_PRODUCT_ID) },
+diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h
+index 123289085ee2..a84f0959ab34 100644
+--- a/drivers/usb/serial/pl2303.h
++++ b/drivers/usb/serial/pl2303.h
+@@ -123,10 +123,15 @@
+
+ /* Hewlett-Packard POS Pole Displays */
+ #define HP_VENDOR_ID 0x03f0
++#define HP_LM920_PRODUCT_ID 0x026b
++#define HP_TD620_PRODUCT_ID 0x0956
+ #define HP_LD960_PRODUCT_ID 0x0b39
+ #define HP_LCM220_PRODUCT_ID 0x3139
+ #define HP_LCM960_PRODUCT_ID 0x3239
+ #define HP_LD220_PRODUCT_ID 0x3524
++#define HP_LD220TA_PRODUCT_ID 0x4349
++#define HP_LD960TA_PRODUCT_ID 0x4439
++#define HP_LM940_PRODUCT_ID 0x5039
+
+ /* Cressi Edy (diving computer) PC interface */
+ #define CRESSI_VENDOR_ID 0x04b8
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-037-USB-serial-option-add-Fibocom-NL678-series.patch b/patches.kernel.org/4.4.170-037-USB-serial-option-add-Fibocom-NL678-series.patch
new file mode 100644
index 0000000000..9d07704c7e
--- /dev/null
+++ b/patches.kernel.org/4.4.170-037-USB-serial-option-add-Fibocom-NL678-series.patch
@@ -0,0 +1,72 @@
+From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= <jorgen.storvist@gmail.com>
+Date: Fri, 21 Dec 2018 14:40:44 +0100
+Subject: [PATCH] USB: serial: option: add Fibocom NL678 series
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 4b2c01ad902ec02fa962b233decd2f14be3714ba
+
+commit 4b2c01ad902ec02fa962b233decd2f14be3714ba upstream.
+
+Added USB serial option driver support for Fibocom NL678 series cellular
+module: VID 2cb7 and PIDs 0x0104 and 0x0105.
+Reserved network and ADB interfaces.
+
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2cb7 ProdID=0104 Rev=03.10
+S: Manufacturer=Fibocom
+S: Product=Fibocom NL678-E Modem
+S: SerialNumber=12345678
+C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2cb7 ProdID=0105 Rev=03.10
+S: Manufacturer=Fibocom
+S: Product=Fibocom NL678-E Modem
+S: SerialNumber=12345678
+C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
+I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
+I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+
+Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/serial/option.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index 1e3445dd84b2..7bc2c9fef605 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1956,6 +1956,10 @@ static const struct usb_device_id option_ids[] = {
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
+ { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 */
+ .driver_info = RSVD(4) | RSVD(5) | RSVD(6) },
++ { USB_DEVICE(0x2cb7, 0x0104), /* Fibocom NL678 series */
++ .driver_info = RSVD(4) | RSVD(5) },
++ { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0105, 0xff), /* Fibocom NL678 series */
++ .driver_info = RSVD(6) },
+ { } /* Terminating entry */
+ };
+ MODULE_DEVICE_TABLE(usb, option_ids);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-038-usb-r8a66597-Fix-a-possible-concurrency-use-a.patch b/patches.kernel.org/4.4.170-038-usb-r8a66597-Fix-a-possible-concurrency-use-a.patch
new file mode 100644
index 0000000000..9668882407
--- /dev/null
+++ b/patches.kernel.org/4.4.170-038-usb-r8a66597-Fix-a-possible-concurrency-use-a.patch
@@ -0,0 +1,73 @@
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Tue, 18 Dec 2018 20:04:25 +0800
+Subject: [PATCH] usb: r8a66597: Fix a possible concurrency use-after-free bug
+ in r8a66597_endpoint_disable()
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: c85400f886e3d41e69966470879f635a2b50084c
+
+commit c85400f886e3d41e69966470879f635a2b50084c upstream.
+
+The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may
+be concurrently executed.
+The two functions both access a possible shared variable "hep->hcpriv".
+
+This shared variable is freed by r8a66597_endpoint_disable() via the
+call path:
+r8a66597_endpoint_disable
+ kfree(hep->hcpriv) (line 1995 in Linux-4.19)
+
+This variable is read by r8a66597_urb_enqueue() via the call path:
+r8a66597_urb_enqueue
+ spin_lock_irqsave(&r8a66597->lock)
+ init_pipe_info
+ enable_r8a66597_pipe
+ pipe = hep->hcpriv (line 802 in Linux-4.19)
+
+The read operation is protected by a spinlock, but the free operation
+is not protected by this spinlock, thus a concurrency use-after-free bug
+may occur.
+
+To fix this bug, the spin-lock and spin-unlock function calls in
+r8a66597_endpoint_disable() are moved to protect the free operation.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/host/r8a66597-hcd.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c
+index a11c2c8bda53..a217f71b45c6 100644
+--- a/drivers/usb/host/r8a66597-hcd.c
++++ b/drivers/usb/host/r8a66597-hcd.c
+@@ -1990,6 +1990,8 @@ static int r8a66597_urb_dequeue(struct usb_hcd *hcd, struct urb *urb,
+
+ static void r8a66597_endpoint_disable(struct usb_hcd *hcd,
+ struct usb_host_endpoint *hep)
++__acquires(r8a66597->lock)
++__releases(r8a66597->lock)
+ {
+ struct r8a66597 *r8a66597 = hcd_to_r8a66597(hcd);
+ struct r8a66597_pipe *pipe = (struct r8a66597_pipe *)hep->hcpriv;
+@@ -2002,13 +2004,14 @@ static void r8a66597_endpoint_disable(struct usb_hcd *hcd,
+ return;
+ pipenum = pipe->info.pipenum;
+
++ spin_lock_irqsave(&r8a66597->lock, flags);
+ if (pipenum == 0) {
+ kfree(hep->hcpriv);
+ hep->hcpriv = NULL;
++ spin_unlock_irqrestore(&r8a66597->lock, flags);
+ return;
+ }
+
+- spin_lock_irqsave(&r8a66597->lock, flags);
+ pipe_stop(r8a66597, pipe);
+ pipe_irq_disable(r8a66597, pipenum);
+ disable_irq_empty(r8a66597, pipenum);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-039-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-AS.patch b/patches.kernel.org/4.4.170-039-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-AS.patch
new file mode 100644
index 0000000000..f43389f72a
--- /dev/null
+++ b/patches.kernel.org/4.4.170-039-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-AS.patch
@@ -0,0 +1,37 @@
+From: Patrick Dreyer <Patrick@Dreyer.name>
+Date: Sun, 23 Dec 2018 10:06:35 -0800
+Subject: [PATCH] Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire
+ F5-573G
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 7db54c89f0b30a101584e09d3729144e6170059d
+
+commit 7db54c89f0b30a101584e09d3729144e6170059d upstream.
+
+This adds ELAN0501 to the ACPI table to support Elan touchpad found in ASUS
+Aspire F5-573G.
+
+Signed-off-by: Patrick Dreyer <Patrick.Dreyer@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/input/mouse/elan_i2c_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
+index 471984ec2db0..30adc5745cba 100644
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1240,6 +1240,7 @@ MODULE_DEVICE_TABLE(i2c, elan_id);
+ static const struct acpi_device_id elan_acpi_id[] = {
+ { "ELAN0000", 0 },
+ { "ELAN0100", 0 },
++ { "ELAN0501", 0 },
+ { "ELAN0600", 0 },
+ { "ELAN0602", 0 },
+ { "ELAN0605", 0 },
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-040-KVM-x86-Use-jmp-to-invoke-kvm_spurious_fault-.patch b/patches.kernel.org/4.4.170-040-KVM-x86-Use-jmp-to-invoke-kvm_spurious_fault-.patch
new file mode 100644
index 0000000000..e2f6310bd3
--- /dev/null
+++ b/patches.kernel.org/4.4.170-040-KVM-x86-Use-jmp-to-invoke-kvm_spurious_fault-.patch
@@ -0,0 +1,141 @@
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Thu, 20 Dec 2018 14:21:08 -0800
+Subject: [PATCH] KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: e81434995081fd7efb755fd75576b35dbb0850b1
+
+commit e81434995081fd7efb755fd75576b35dbb0850b1 upstream.
+
+____kvm_handle_fault_on_reboot() provides a generic exception fixup
+handler that is used to cleanly handle faults on VMX/SVM instructions
+during reboot (or at least try to). If there isn't a reboot in
+progress, ____kvm_handle_fault_on_reboot() treats any exception as
+fatal to KVM and invokes kvm_spurious_fault(), which in turn generates
+a BUG() to get a stack trace and die.
+
+When it was originally added by commit 4ecac3fd6dc2 ("KVM: Handle
+virtualization instruction #UD faults during reboot"), the "call" to
+kvm_spurious_fault() was handcoded as PUSH+JMP, where the PUSH'd value
+is the RIP of the faulting instructing.
+
+The PUSH+JMP trickery is necessary because the exception fixup handler
+code lies outside of its associated function, e.g. right after the
+function. An actual CALL from the .fixup code would show a slightly
+bogus stack trace, e.g. an extra "random" function would be inserted
+into the trace, as the return RIP on the stack would point to no known
+function (and the unwinder will likely try to guess who owns the RIP).
+
+Unfortunately, the JMP was replaced with a CALL when the macro was
+reworked to not spin indefinitely during reboot (commit b7c4145ba2eb
+"KVM: Don't spin on virt instruction faults during reboot"). This
+causes the aforementioned behavior where a bogus function is inserted
+into the stack trace, e.g. my builds like to blame free_kvm_area().
+
+Revert the CALL back to a JMP. The changelog for commit b7c4145ba2eb
+("KVM: Don't spin on virt instruction faults during reboot") contains
+nothing that indicates the switch to CALL was deliberate. This is
+backed up by the fact that the PUSH <insn RIP> was left intact.
+
+Note that an alternative to the PUSH+JMP magic would be to JMP back
+to the "real" code and CALL from there, but that would require adding
+a JMP in the non-faulting path to avoid calling kvm_spurious_fault()
+and would add no value, i.e. the stack trace would be the same.
+
+Using CALL:
+
+------------[ cut here ]------------
+kernel BUG at /home/sean/go/src/kernel.org/linux/arch/x86/kvm/x86.c:356!
+invalid opcode: 0000 [#1] SMP
+CPU: 4 PID: 1057 Comm: qemu-system-x86 Not tainted 4.20.0-rc6+ #75
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+RIP: 0010:kvm_spurious_fault+0x5/0x10 [kvm]
+Code: <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 55 49 89 fd 41
+RSP: 0018:ffffc900004bbcc8 EFLAGS: 00010046
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffffffffff
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ffff888273fd8000 R08: 00000000000003e8 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000784 R12: ffffc90000371fb0
+R13: 0000000000000000 R14: 000000026d763cf4 R15: ffff888273fd8000
+FS: 00007f3d69691700(0000) GS:ffff888277800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000055f89bc56fe0 CR3: 0000000271a5a001 CR4: 0000000000362ee0
+Call Trace:
+ free_kvm_area+0x1044/0x43ea [kvm_intel]
+ ? vmx_vcpu_run+0x156/0x630 [kvm_intel]
+ ? kvm_arch_vcpu_ioctl_run+0x447/0x1a40 [kvm]
+ ? kvm_vcpu_ioctl+0x368/0x5c0 [kvm]
+ ? kvm_vcpu_ioctl+0x368/0x5c0 [kvm]
+ ? __set_task_blocked+0x38/0x90
+ ? __set_current_blocked+0x50/0x60
+ ? __fpu__restore_sig+0x97/0x490
+ ? do_vfs_ioctl+0xa1/0x620
+ ? __x64_sys_futex+0x89/0x180
+ ? ksys_ioctl+0x66/0x70
+ ? __x64_sys_ioctl+0x16/0x20
+ ? do_syscall_64+0x4f/0x100
+ ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
+Modules linked in: vhost_net vhost tap kvm_intel kvm irqbypass bridge stp llc
+---[ end trace 9775b14b123b1713 ]---
+
+Using JMP:
+
+------------[ cut here ]------------
+kernel BUG at /home/sean/go/src/kernel.org/linux/arch/x86/kvm/x86.c:356!
+invalid opcode: 0000 [#1] SMP
+CPU: 6 PID: 1067 Comm: qemu-system-x86 Not tainted 4.20.0-rc6+ #75
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+RIP: 0010:kvm_spurious_fault+0x5/0x10 [kvm]
+Code: <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 55 49 89 fd 41
+RSP: 0018:ffffc90000497cd0 EFLAGS: 00010046
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffffffffff
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ffff88827058bd40 R08: 00000000000003e8 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000784 R12: ffffc90000369fb0
+R13: 0000000000000000 R14: 00000003c8fc6642 R15: ffff88827058bd40
+FS: 00007f3d7219e700(0000) GS:ffff888277900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f3d64001000 CR3: 0000000271c6b004 CR4: 0000000000362ee0
+Call Trace:
+ vmx_vcpu_run+0x156/0x630 [kvm_intel]
+ ? kvm_arch_vcpu_ioctl_run+0x447/0x1a40 [kvm]
+ ? kvm_vcpu_ioctl+0x368/0x5c0 [kvm]
+ ? kvm_vcpu_ioctl+0x368/0x5c0 [kvm]
+ ? __set_task_blocked+0x38/0x90
+ ? __set_current_blocked+0x50/0x60
+ ? __fpu__restore_sig+0x97/0x490
+ ? do_vfs_ioctl+0xa1/0x620
+ ? __x64_sys_futex+0x89/0x180
+ ? ksys_ioctl+0x66/0x70
+ ? __x64_sys_ioctl+0x16/0x20
+ ? do_syscall_64+0x4f/0x100
+ ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
+Modules linked in: vhost_net vhost tap kvm_intel kvm irqbypass bridge stp llc
+---[ end trace f9daedb85ab3ddba ]---
+
+Fixes: b7c4145ba2eb ("KVM: Don't spin on virt instruction faults during reboot")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/include/asm/kvm_host.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index c048d0d70cc4..2cb49ac1b2b2 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1200,7 +1200,7 @@ asmlinkage void kvm_spurious_fault(void);
+ "cmpb $0, kvm_rebooting \n\t" \
+ "jne 668b \n\t" \
+ __ASM_SIZE(push) " $666b \n\t" \
+- "call kvm_spurious_fault \n\t" \
++ "jmp kvm_spurious_fault \n\t" \
+ ".popsection \n\t" \
+ _ASM_EXTABLE(666b, 667b)
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-041-perf-pmu-Suppress-potential-format-truncation.patch b/patches.kernel.org/4.4.170-041-perf-pmu-Suppress-potential-format-truncation.patch
new file mode 100644
index 0000000000..a885ff8200
--- /dev/null
+++ b/patches.kernel.org/4.4.170-041-perf-pmu-Suppress-potential-format-truncation.patch
@@ -0,0 +1,81 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 11 Nov 2018 18:45:24 +0000
+Subject: [PATCH] perf pmu: Suppress potential format-truncation warning
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 11a64a05dc649815670b1be9fe63d205cb076401
+
+commit 11a64a05dc649815670b1be9fe63d205cb076401 upstream.
+
+Depending on which functions are inlined in util/pmu.c, the snprintf()
+calls in perf_pmu__parse_{scale,unit,per_pkg,snapshot}() might trigger a
+warning:
+
+ util/pmu.c: In function 'pmu_aliases':
+ util/pmu.c:178:31: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size between 0 and 4095 [-Werror=format-truncation=]
+ snprintf(path, PATH_MAX, "%s/%s.unit", dir, name);
+ ^~
+
+I found this when trying to build perf from Linux 3.16 with gcc 8.
+However I can reproduce the problem in mainline if I force
+__perf_pmu__new_alias() to be inlined.
+
+Suppress this by using scnprintf() as has been done elsewhere in perf.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20181111184524.fux4taownc6ndbx6@decadent.org.uk
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/perf/util/pmu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c
+index 593066c68e3d..4f650ebd564a 100644
+--- a/tools/perf/util/pmu.c
++++ b/tools/perf/util/pmu.c
+@@ -100,7 +100,7 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char *
+ char path[PATH_MAX];
+ const char *lc;
+
+- snprintf(path, PATH_MAX, "%s/%s.scale", dir, name);
++ scnprintf(path, PATH_MAX, "%s/%s.scale", dir, name);
+
+ fd = open(path, O_RDONLY);
+ if (fd == -1)
+@@ -147,7 +147,7 @@ static int perf_pmu__parse_unit(struct perf_pmu_alias *alias, char *dir, char *n
+ ssize_t sret;
+ int fd;
+
+- snprintf(path, PATH_MAX, "%s/%s.unit", dir, name);
++ scnprintf(path, PATH_MAX, "%s/%s.unit", dir, name);
+
+ fd = open(path, O_RDONLY);
+ if (fd == -1)
+@@ -177,7 +177,7 @@ perf_pmu__parse_per_pkg(struct perf_pmu_alias *alias, char *dir, char *name)
+ char path[PATH_MAX];
+ int fd;
+
+- snprintf(path, PATH_MAX, "%s/%s.per-pkg", dir, name);
++ scnprintf(path, PATH_MAX, "%s/%s.per-pkg", dir, name);
+
+ fd = open(path, O_RDONLY);
+ if (fd == -1)
+@@ -195,7 +195,7 @@ static int perf_pmu__parse_snapshot(struct perf_pmu_alias *alias,
+ char path[PATH_MAX];
+ int fd;
+
+- snprintf(path, PATH_MAX, "%s/%s.snapshot", dir, name);
++ scnprintf(path, PATH_MAX, "%s/%s.snapshot", dir, name);
+
+ fd = open(path, O_RDONLY);
+ if (fd == -1)
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-042-ext4-fix-possible-use-after-free-in-ext4_quot.patch b/patches.kernel.org/4.4.170-042-ext4-fix-possible-use-after-free-in-ext4_quot.patch
new file mode 100644
index 0000000000..839ca4c7ed
--- /dev/null
+++ b/patches.kernel.org/4.4.170-042-ext4-fix-possible-use-after-free-in-ext4_quot.patch
@@ -0,0 +1,42 @@
+From: Pan Bian <bianpan2016@163.com>
+Date: Mon, 3 Dec 2018 23:28:02 -0500
+Subject: [PATCH] ext4: fix possible use after free in ext4_quota_enable
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 61157b24e60fb3cd1f85f2c76a7b1d628f970144
+
+commit 61157b24e60fb3cd1f85f2c76a7b1d628f970144 upstream.
+
+The function frees qf_inode via iput but then pass qf_inode to
+lockdep_set_quota_inode on the failure path. This may result in a
+use-after-free bug. The patch frees df_inode only when it is never used.
+
+Fixes: daf647d2dd5 ("ext4: add lockdep annotations for i_data_sem")
+Cc: stable@kernel.org # 4.6
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/ext4/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index cd9cd581fd92..62a6b75969cf 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -5184,9 +5184,9 @@ static int ext4_quota_enable(struct super_block *sb, int type, int format_id,
+ qf_inode->i_flags |= S_NOQUOTA;
+ lockdep_set_quota_inode(qf_inode, I_DATA_SEM_QUOTA);
+ err = dquot_enable(qf_inode, type, format_id, flags);
+- iput(qf_inode);
+ if (err)
+ lockdep_set_quota_inode(qf_inode, I_DATA_SEM_NORMAL);
++ iput(qf_inode);
+
+ return err;
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-043-ext4-missing-unlock-put_page-in-ext4_try_to_w.patch b/patches.kernel.org/4.4.170-043-ext4-missing-unlock-put_page-in-ext4_try_to_w.patch
new file mode 100644
index 0000000000..8b00b9a607
--- /dev/null
+++ b/patches.kernel.org/4.4.170-043-ext4-missing-unlock-put_page-in-ext4_try_to_w.patch
@@ -0,0 +1,43 @@
+From: Maurizio Lombardi <mlombard@redhat.com>
+Date: Tue, 4 Dec 2018 00:06:53 -0500
+Subject: [PATCH] ext4: missing unlock/put_page() in
+ ext4_try_to_write_inline_data()
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 132d00becb31e88469334e1e62751c81345280e0
+
+commit 132d00becb31e88469334e1e62751c81345280e0 upstream.
+
+In case of error, ext4_try_to_write_inline_data() should unlock
+and release the page it holds.
+
+Fixes: f19d5870cbf7 ("ext4: add normal write support for inline data")
+Cc: stable@kernel.org # 3.8
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/ext4/inline.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
+index 1aec46733ef8..46d4fac48cf4 100644
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -701,8 +701,11 @@ int ext4_try_to_write_inline_data(struct address_space *mapping,
+
+ if (!PageUptodate(page)) {
+ ret = ext4_read_inline_page(inode, page);
+- if (ret < 0)
++ if (ret < 0) {
++ unlock_page(page);
++ put_page(page);
+ goto out_up_read;
++ }
+ }
+
+ ret = 1;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-044-ext4-fix-EXT4_IOC_GROUP_ADD-ioctl.patch b/patches.kernel.org/4.4.170-044-ext4-fix-EXT4_IOC_GROUP_ADD-ioctl.patch
new file mode 100644
index 0000000000..6983fbfaa1
--- /dev/null
+++ b/patches.kernel.org/4.4.170-044-ext4-fix-EXT4_IOC_GROUP_ADD-ioctl.patch
@@ -0,0 +1,45 @@
+From: =?UTF-8?q?ruippan=20=28=E6=BD=98=E7=9D=BF=29?= <ruippan@tencent.com>
+Date: Tue, 4 Dec 2018 01:04:12 -0500
+Subject: [PATCH] ext4: fix EXT4_IOC_GROUP_ADD ioctl
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: e647e29196b7f802f8242c39ecb7cc937f5ef217
+
+commit e647e29196b7f802f8242c39ecb7cc937f5ef217 upstream.
+
+Commit e2b911c53584 ("ext4: clean up feature test macros with
+predicate functions") broke the EXT4_IOC_GROUP_ADD ioctl. This was
+not noticed since only very old versions of resize2fs (before
+e2fsprogs 1.42) use this ioctl. However, using a new kernel with an
+enterprise Linux userspace will cause attempts to use online resize to
+fail with "No reserved GDT blocks".
+
+Fixes: e2b911c53584 ("ext4: clean up feature test macros with predicate...")
+Cc: stable@kernel.org # v4.4
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: ruippan (潘睿) <ruippan@tencent.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/ext4/resize.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index bad13f049fb0..2fc1564f62dd 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1600,7 +1600,7 @@ int ext4_group_add(struct super_block *sb, struct ext4_new_group_data *input)
+ }
+
+ if (reserved_gdb || gdb_off == 0) {
+- if (ext4_has_feature_resize_inode(sb) ||
++ if (!ext4_has_feature_resize_inode(sb) ||
+ !le16_to_cpu(es->s_reserved_gdt_blocks)) {
+ ext4_warning(sb,
+ "No reserved GDT blocks, can't resize");
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-045-ext4-force-inode-writes-when-nfsd-calls-commi.patch b/patches.kernel.org/4.4.170-045-ext4-force-inode-writes-when-nfsd-calls-commi.patch
new file mode 100644
index 0000000000..a0adffcf72
--- /dev/null
+++ b/patches.kernel.org/4.4.170-045-ext4-force-inode-writes-when-nfsd-calls-commi.patch
@@ -0,0 +1,93 @@
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 19 Dec 2018 14:07:58 -0500
+Subject: [PATCH] ext4: force inode writes when nfsd calls commit_metadata()
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: fde872682e175743e0c3ef939c89e3c6008a1529
+
+commit fde872682e175743e0c3ef939c89e3c6008a1529 upstream.
+
+Some time back, nfsd switched from calling vfs_fsync() to using a new
+commit_metadata() hook in export_operations(). If the file system did
+not provide a commit_metadata() hook, it fell back to using
+sync_inode_metadata(). Unfortunately doesn't work on all file
+systems. In particular, it doesn't work on ext4 due to how the inode
+gets journalled --- the VFS writeback code will not always call
+ext4_write_inode().
+
+So we need to provide our own ext4_nfs_commit_metdata() method which
+calls ext4_write_inode() directly.
+
+Google-Bug-Id: 121195940
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/ext4/super.c | 11 +++++++++++
+ include/trace/events/ext4.h | 20 ++++++++++++++++++++
+ 2 files changed, 31 insertions(+)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 62a6b75969cf..6a7df72cb3da 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1049,6 +1049,16 @@ static struct dentry *ext4_fh_to_parent(struct super_block *sb, struct fid *fid,
+ ext4_nfs_get_inode);
+ }
+
++static int ext4_nfs_commit_metadata(struct inode *inode)
++{
++ struct writeback_control wbc = {
++ .sync_mode = WB_SYNC_ALL
++ };
++
++ trace_ext4_nfs_commit_metadata(inode);
++ return ext4_write_inode(inode, &wbc);
++}
++
+ /*
+ * Try to release metadata pages (indirect blocks, directories) which are
+ * mapped via the block device. Since these pages could have journal heads
+@@ -1143,6 +1153,7 @@ static const struct export_operations ext4_export_ops = {
+ .fh_to_dentry = ext4_fh_to_dentry,
+ .fh_to_parent = ext4_fh_to_parent,
+ .get_parent = ext4_get_parent,
++ .commit_metadata = ext4_nfs_commit_metadata,
+ };
+
+ enum {
+diff --git a/include/trace/events/ext4.h b/include/trace/events/ext4.h
+index 594b4b29a224..7ef11b97cb2a 100644
+--- a/include/trace/events/ext4.h
++++ b/include/trace/events/ext4.h
+@@ -223,6 +223,26 @@ TRACE_EVENT(ext4_drop_inode,
+ (unsigned long) __entry->ino, __entry->drop)
+ );
+
++TRACE_EVENT(ext4_nfs_commit_metadata,
++ TP_PROTO(struct inode *inode),
++
++ TP_ARGS(inode),
++
++ TP_STRUCT__entry(
++ __field( dev_t, dev )
++ __field( ino_t, ino )
++ ),
++
++ TP_fast_assign(
++ __entry->dev = inode->i_sb->s_dev;
++ __entry->ino = inode->i_ino;
++ ),
++
++ TP_printk("dev %d,%d ino %lu",
++ MAJOR(__entry->dev), MINOR(__entry->dev),
++ (unsigned long) __entry->ino)
++);
++
+ TRACE_EVENT(ext4_mark_inode_dirty,
+ TP_PROTO(struct inode *inode, unsigned long IP),
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-046-spi-bcm2835-Fix-race-on-DMA-termination.patch b/patches.kernel.org/4.4.170-046-spi-bcm2835-Fix-race-on-DMA-termination.patch
new file mode 100644
index 0000000000..438d96da60
--- /dev/null
+++ b/patches.kernel.org/4.4.170-046-spi-bcm2835-Fix-race-on-DMA-termination.patch
@@ -0,0 +1,67 @@
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 8 Nov 2018 08:06:10 +0100
+Subject: [PATCH] spi: bcm2835: Fix race on DMA termination
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: e82b0b3828451c1cd331d9f304c6078fcd43b62e
+
+commit e82b0b3828451c1cd331d9f304c6078fcd43b62e upstream.
+
+If a DMA transfer finishes orderly right when spi_transfer_one_message()
+determines that it has timed out, the callbacks bcm2835_spi_dma_done()
+and bcm2835_spi_handle_err() race to call dmaengine_terminate_all(),
+potentially leading to double termination.
+
+Prevent by atomically changing the dma_pending flag before calling
+dmaengine_terminate_all().
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Fixes: 3ecd37edaa2a ("spi: bcm2835: enable dma modes for transfers meeting certain conditions")
+Cc: stable@vger.kernel.org # v4.2+
+Cc: Mathias Duckeck <m.duckeck@kunbus.de>
+Cc: Frank Pavlic <f.pavlic@kunbus.de>
+Cc: Martin Sperl <kernel@martin.sperl.org>
+Cc: Noralf Trønnes <noralf@tronnes.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/spi/spi-bcm2835.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c
+index cf04960cc3e6..62875d855627 100644
+--- a/drivers/spi/spi-bcm2835.c
++++ b/drivers/spi/spi-bcm2835.c
+@@ -233,10 +233,9 @@ static void bcm2835_spi_dma_done(void *data)
+ * is called the tx-dma must have finished - can't get to this
+ * situation otherwise...
+ */
+- dmaengine_terminate_all(master->dma_tx);
+-
+- /* mark as no longer pending */
+- bs->dma_pending = 0;
++ if (cmpxchg(&bs->dma_pending, true, false)) {
++ dmaengine_terminate_all(master->dma_tx);
++ }
+
+ /* and mark as completed */;
+ complete(&master->xfer_completion);
+@@ -617,10 +616,9 @@ static void bcm2835_spi_handle_err(struct spi_master *master,
+ struct bcm2835_spi *bs = spi_master_get_devdata(master);
+
+ /* if an error occurred and we have an active dma, then terminate */
+- if (bs->dma_pending) {
++ if (cmpxchg(&bs->dma_pending, true, false)) {
+ dmaengine_terminate_all(master->dma_tx);
+ dmaengine_terminate_all(master->dma_rx);
+- bs->dma_pending = 0;
+ }
+ /* and reset */
+ bcm2835_spi_reset_hw(master);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-047-spi-bcm2835-Fix-book-keeping-of-DMA-terminati.patch b/patches.kernel.org/4.4.170-047-spi-bcm2835-Fix-book-keeping-of-DMA-terminati.patch
new file mode 100644
index 0000000000..27062809cc
--- /dev/null
+++ b/patches.kernel.org/4.4.170-047-spi-bcm2835-Fix-book-keeping-of-DMA-terminati.patch
@@ -0,0 +1,50 @@
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 8 Nov 2018 08:06:10 +0100
+Subject: [PATCH] spi: bcm2835: Fix book-keeping of DMA termination
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: dbc944115eed48af110646992893dc43321368d8
+
+commit dbc944115eed48af110646992893dc43321368d8 upstream.
+
+If submission of a DMA TX transfer succeeds but submission of the
+corresponding RX transfer does not, the BCM2835 SPI driver terminates
+the TX transfer but neglects to reset the dma_pending flag to false.
+
+Thus, if the next transfer uses interrupt mode (because it is shorter
+than BCM2835_SPI_DMA_MIN_LENGTH) and runs into a timeout,
+dmaengine_terminate_all() will be called both for TX (once more) and
+for RX (which was never started in the first place). Fix it.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Fixes: 3ecd37edaa2a ("spi: bcm2835: enable dma modes for transfers meeting certain conditions")
+Cc: stable@vger.kernel.org # v4.2+
+Cc: Mathias Duckeck <m.duckeck@kunbus.de>
+Cc: Frank Pavlic <f.pavlic@kunbus.de>
+Cc: Martin Sperl <kernel@martin.sperl.org>
+Cc: Noralf Trønnes <noralf@tronnes.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/spi/spi-bcm2835.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c
+index 62875d855627..bb0ea7b578d1 100644
+--- a/drivers/spi/spi-bcm2835.c
++++ b/drivers/spi/spi-bcm2835.c
+@@ -341,6 +341,7 @@ static int bcm2835_spi_transfer_one_dma(struct spi_master *master,
+ if (ret) {
+ /* need to reset on errors */
+ dmaengine_terminate_all(master->dma_tx);
++ bs->dma_pending = false;
+ bcm2835_spi_reset_hw(master);
+ return ret;
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-048-spi-bcm2835-Avoid-finishing-transfer-prematur.patch b/patches.kernel.org/4.4.170-048-spi-bcm2835-Avoid-finishing-transfer-prematur.patch
new file mode 100644
index 0000000000..39b6953854
--- /dev/null
+++ b/patches.kernel.org/4.4.170-048-spi-bcm2835-Avoid-finishing-transfer-prematur.patch
@@ -0,0 +1,66 @@
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 8 Nov 2018 08:06:10 +0100
+Subject: [PATCH] spi: bcm2835: Avoid finishing transfer prematurely in IRQ
+ mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 56c1723426d3cfd4723bfbfce531d7b38bae6266
+
+commit 56c1723426d3cfd4723bfbfce531d7b38bae6266 upstream.
+
+The IRQ handler bcm2835_spi_interrupt() first reads as much as possible
+from the RX FIFO, then writes as much as possible to the TX FIFO.
+Afterwards it decides whether the transfer is finished by checking if
+the TX FIFO is empty.
+
+If very few bytes were written to the TX FIFO, they may already have
+been transmitted by the time the FIFO's emptiness is checked. As a
+result, the transfer will be declared finished and the chip will be
+reset without reading the corresponding received bytes from the RX FIFO.
+
+The odds of this happening increase with a high clock frequency (such
+that the TX FIFO drains quickly) and either passing "threadirqs" on the
+command line or enabling CONFIG_PREEMPT_RT_BASE (such that the IRQ
+handler may be preempted between filling the TX FIFO and checking its
+emptiness).
+
+Fix by instead checking whether rx_len has reached zero, which means
+that the transfer has been received in full. This is also more
+efficient as it avoids one bus read access per interrupt. Note that
+bcm2835_spi_transfer_one_poll() likewise uses rx_len to determine
+whether the transfer has finished.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Fixes: e34ff011c70e ("spi: bcm2835: move to the transfer_one driver model")
+Cc: stable@vger.kernel.org # v4.1+
+Cc: Mathias Duckeck <m.duckeck@kunbus.de>
+Cc: Frank Pavlic <f.pavlic@kunbus.de>
+Cc: Martin Sperl <kernel@martin.sperl.org>
+Cc: Noralf Trønnes <noralf@tronnes.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/spi/spi-bcm2835.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c
+index bb0ea7b578d1..92f45b6fd278 100644
+--- a/drivers/spi/spi-bcm2835.c
++++ b/drivers/spi/spi-bcm2835.c
+@@ -155,8 +155,7 @@ static irqreturn_t bcm2835_spi_interrupt(int irq, void *dev_id)
+ /* Write as many bytes as possible to FIFO */
+ bcm2835_wr_fifo(bs);
+
+- /* based on flags decide if we can finish the transfer */
+- if (bcm2835_rd(bs, BCM2835_SPI_CS) & BCM2835_SPI_CS_DONE) {
++ if (!bs->rx_len) {
+ /* Transfer complete - reset SPI HW */
+ bcm2835_spi_reset_hw(master);
+ /* wake up the framework */
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-049-cdc-acm-fix-abnormal-DATA-RX-issue-for-Mediat.patch b/patches.kernel.org/4.4.170-049-cdc-acm-fix-abnormal-DATA-RX-issue-for-Mediat.patch
new file mode 100644
index 0000000000..154e590ff5
--- /dev/null
+++ b/patches.kernel.org/4.4.170-049-cdc-acm-fix-abnormal-DATA-RX-issue-for-Mediat.patch
@@ -0,0 +1,87 @@
+From: Macpaul Lin <macpaul.lin@mediatek.com>
+Date: Wed, 19 Dec 2018 12:11:03 +0800
+Subject: [PATCH] cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader.
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: eafb27fa5283599ce6c5492ea18cf636a28222bb
+
+commit eafb27fa5283599ce6c5492ea18cf636a28222bb upstream.
+
+Mediatek Preloader is a proprietary embedded boot loader for loading
+Little Kernel and Linux into device DRAM.
+
+This boot loader also handle firmware update. Mediatek Preloader will be
+enumerated as a virtual COM port when the device is connected to Windows
+or Linux OS via CDC-ACM class driver. When the USB enumeration has been
+done, Mediatek Preloader will send out handshake command "READY" to PC
+actively instead of waiting command from the download tool.
+
+Since Linux 4.12, the commit "tty: reset termios state on device
+registration" (93857edd9829e144acb6c7e72d593f6e01aead66) causes Mediatek
+Preloader receiving some abnoraml command like "READYXX" as it sent.
+This will be recognized as an incorrect response. The behavior change
+also causes the download handshake fail. This change only affects
+subsequent connects if the reconnected device happens to get the same minor
+number.
+
+By disabling the ECHO termios flag could avoid this problem. However, it
+cannot be done by user space configuration when download tool open
+/dev/ttyACM0. This is because the device running Mediatek Preloader will
+send handshake command "READY" immediately once the CDC-ACM driver is
+ready.
+
+This patch wants to fix above problem by introducing "DISABLE_ECHO"
+property in driver_info. When Mediatek Preloader is connected, the
+CDC-ACM driver could disable ECHO flag in termios to avoid the problem.
+
+Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/class/cdc-acm.c | 10 ++++++++++
+ drivers/usb/class/cdc-acm.h | 1 +
+ 2 files changed, 11 insertions(+)
+
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index 0a8e5ac891d4..3919ea066bf9 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -507,6 +507,13 @@ static int acm_tty_install(struct tty_driver *driver, struct tty_struct *tty)
+ if (retval)
+ goto error_init_termios;
+
++ /*
++ * Suppress initial echoing for some devices which might send data
++ * immediately after acm driver has been installed.
++ */
++ if (acm->quirks & DISABLE_ECHO)
++ tty->termios.c_lflag &= ~ECHO;
++
+ tty->driver_data = acm;
+
+ return 0;
+@@ -1677,6 +1684,9 @@ static const struct usb_device_id acm_ids[] = {
+ { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@gmail.com */
+ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+ },
++ { USB_DEVICE(0x0e8d, 0x2000), /* MediaTek Inc Preloader */
++ .driver_info = DISABLE_ECHO, /* DISABLE ECHO in termios flag */
++ },
+ { USB_DEVICE(0x0e8d, 0x3329), /* MediaTek Inc GPS */
+ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+ },
+diff --git a/drivers/usb/class/cdc-acm.h b/drivers/usb/class/cdc-acm.h
+index b30ac5fcde68..1ad9ff9f493d 100644
+--- a/drivers/usb/class/cdc-acm.h
++++ b/drivers/usb/class/cdc-acm.h
+@@ -134,3 +134,4 @@ struct acm {
+ #define QUIRK_CONTROL_LINE_STATE BIT(6)
+ #define CLEAR_HALT_CONDITIONS BIT(7)
+ #define SEND_ZERO_PACKET BIT(8)
++#define DISABLE_ECHO BIT(9)
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-050-media-vivid-free-bitmap_cap-when-updating-std.patch b/patches.kernel.org/4.4.170-050-media-vivid-free-bitmap_cap-when-updating-std.patch
new file mode 100644
index 0000000000..cb38a4d11a
--- /dev/null
+++ b/patches.kernel.org/4.4.170-050-media-vivid-free-bitmap_cap-when-updating-std.patch
@@ -0,0 +1,38 @@
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Fri, 9 Nov 2018 08:37:44 -0500
+Subject: [PATCH] media: vivid: free bitmap_cap when updating std/timings/etc.
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 560ccb75c2caa6b1039dec1a53cd2ef526f5bf03
+
+commit 560ccb75c2caa6b1039dec1a53cd2ef526f5bf03 upstream.
+
+When vivid_update_format_cap() is called it should free any overlay
+bitmap since the compose size will change.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: syzbot+0cc8e3cc63ca373722c6@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org> # for v3.18 and up
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/media/platform/vivid/vivid-vid-cap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/platform/vivid/vivid-vid-cap.c b/drivers/media/platform/vivid/vivid-vid-cap.c
+index ef5412311b2f..a84954f1be34 100644
+--- a/drivers/media/platform/vivid/vivid-vid-cap.c
++++ b/drivers/media/platform/vivid/vivid-vid-cap.c
+@@ -461,6 +461,8 @@ void vivid_update_format_cap(struct vivid_dev *dev, bool keep_controls)
+ tpg_s_rgb_range(&dev->tpg, v4l2_ctrl_g_ctrl(dev->rgb_range_cap));
+ break;
+ }
++ vfree(dev->bitmap_cap);
++ dev->bitmap_cap = NULL;
+ vivid_update_quality(dev);
+ tpg_reset_source(&dev->tpg, dev->src_rect.width, dev->src_rect.height, dev->field_cap);
+ dev->crop_cap = dev->src_rect;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-051-MIPS-Ensure-pmd_present-returns-false-after-p.patch b/patches.kernel.org/4.4.170-051-MIPS-Ensure-pmd_present-returns-false-after-p.patch
new file mode 100644
index 0000000000..01f9b292af
--- /dev/null
+++ b/patches.kernel.org/4.4.170-051-MIPS-Ensure-pmd_present-returns-false-after-p.patch
@@ -0,0 +1,50 @@
+From: Huacai Chen <chenhc@lemote.com>
+Date: Thu, 15 Nov 2018 15:53:54 +0800
+Subject: [PATCH] MIPS: Ensure pmd_present() returns false after
+ pmd_mknotpresent()
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 92aa0718c9fa5160ad2f0e7b5bffb52f1ea1e51a
+
+commit 92aa0718c9fa5160ad2f0e7b5bffb52f1ea1e51a upstream.
+
+This patch is borrowed from ARM64 to ensure pmd_present() returns false
+after pmd_mknotpresent(). This is needed for THP.
+
+References: 5bb1cc0ff9a6 ("arm64: Ensure pmd_present() returns false after pmd_mknotpresent()")
+Reviewed-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/21135/
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <james.hogan@mips.com>
+Cc: Steven J . Hill <Steven.Hill@cavium.com>
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: <stable@vger.kernel.org> # 3.8+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/mips/include/asm/pgtable-64.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/mips/include/asm/pgtable-64.h b/arch/mips/include/asm/pgtable-64.h
+index cf661a2fb141..16fade4f49dd 100644
+--- a/arch/mips/include/asm/pgtable-64.h
++++ b/arch/mips/include/asm/pgtable-64.h
+@@ -189,6 +189,11 @@ static inline int pmd_bad(pmd_t pmd)
+
+ static inline int pmd_present(pmd_t pmd)
+ {
++#ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT
++ if (unlikely(pmd_val(pmd) & _PAGE_HUGE))
++ return pmd_val(pmd) & _PAGE_PRESENT;
++#endif
++
+ return pmd_val(pmd) != (unsigned long) invalid_pte_table;
+ }
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-052-MIPS-Align-kernel-load-address-to-64KB.patch b/patches.kernel.org/4.4.170-052-MIPS-Align-kernel-load-address-to-64KB.patch
new file mode 100644
index 0000000000..18e13e683b
--- /dev/null
+++ b/patches.kernel.org/4.4.170-052-MIPS-Align-kernel-load-address-to-64KB.patch
@@ -0,0 +1,62 @@
+From: Huacai Chen <chenhc@lemote.com>
+Date: Thu, 15 Nov 2018 15:53:56 +0800
+Subject: [PATCH] MIPS: Align kernel load address to 64KB
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: bec0de4cfad21bd284dbddee016ed1767a5d2823
+
+commit bec0de4cfad21bd284dbddee016ed1767a5d2823 upstream.
+
+KEXEC needs the new kernel's load address to be aligned on a page
+boundary (see sanity_check_segment_list()), but on MIPS the default
+vmlinuz load address is only explicitly aligned to 16 bytes.
+
+Since the largest PAGE_SIZE supported by MIPS kernels is 64KB, increase
+the alignment calculated by calc_vmlinuz_load_addr to 64KB.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/21131/
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <james.hogan@mips.com>
+Cc: Steven J . Hill <Steven.Hill@cavium.com>
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: <stable@vger.kernel.org> # 2.6.36+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/mips/boot/compressed/calc_vmlinuz_load_addr.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
+index 37fe58c19a90..542c3ede9722 100644
+--- a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
++++ b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
+@@ -13,6 +13,7 @@
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include "../../../../include/linux/sizes.h"
+
+ int main(int argc, char *argv[])
+ {
+@@ -45,11 +46,11 @@ int main(int argc, char *argv[])
+ vmlinuz_load_addr = vmlinux_load_addr + vmlinux_size;
+
+ /*
+- * Align with 16 bytes: "greater than that used for any standard data
+- * types by a MIPS compiler." -- See MIPS Run Linux (Second Edition).
++ * Align with 64KB: KEXEC needs load sections to be aligned to PAGE_SIZE,
++ * which may be as large as 64KB depending on the kernel configuration.
+ */
+
+- vmlinuz_load_addr += (16 - vmlinux_size % 16);
++ vmlinuz_load_addr += (SZ_64K - vmlinux_size % SZ_64K);
+
+ printf("0x%llx\n", vmlinuz_load_addr);
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-053-CIFS-Fix-error-mapping-for-SMB2_LOCK-command-.patch b/patches.kernel.org/4.4.170-053-CIFS-Fix-error-mapping-for-SMB2_LOCK-command-.patch
new file mode 100644
index 0000000000..072742ff9a
--- /dev/null
+++ b/patches.kernel.org/4.4.170-053-CIFS-Fix-error-mapping-for-SMB2_LOCK-command-.patch
@@ -0,0 +1,58 @@
+From: Georgy A Bystrenin <gkot@altlinux.org>
+Date: Fri, 21 Dec 2018 00:11:42 -0600
+Subject: [PATCH] CIFS: Fix error mapping for SMB2_LOCK command which caused
+ OFD lock problem
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 9a596f5b39593414c0ec80f71b94a226286f084e
+
+commit 9a596f5b39593414c0ec80f71b94a226286f084e upstream.
+
+While resolving a bug with locks on samba shares found a strange behavior.
+When a file locked by one node and we trying to lock it from another node
+it fail with errno 5 (EIO) but in that case errno must be set to
+(EACCES | EAGAIN).
+This isn't happening when we try to lock file second time on same node.
+In this case it returns EACCES as expected.
+Also this issue not reproduces when we use SMB1 protocol (vers=1.0 in
+mount options).
+
+Further investigation showed that the mapping from status_to_posix_error
+is different for SMB1 and SMB2+ implementations.
+For SMB1 mapping is [NT_STATUS_LOCK_NOT_GRANTED to ERRlock]
+(See fs/cifs/netmisc.c line 66)
+but for SMB2+ mapping is [STATUS_LOCK_NOT_GRANTED to -EIO]
+(see fs/cifs/smb2maperror.c line 383)
+
+Quick changes in SMB2+ mapping from EIO to EACCES has fixed issue.
+
+BUG: https://bugzilla.kernel.org/show_bug.cgi?id=201971
+
+Signed-off-by: Georgy A Bystrenin <gkot@altlinux.org>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/cifs/smb2maperror.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/smb2maperror.c b/fs/cifs/smb2maperror.c
+index 8257a5a97cc0..98c25b969ab8 100644
+--- a/fs/cifs/smb2maperror.c
++++ b/fs/cifs/smb2maperror.c
+@@ -377,8 +377,8 @@ static const struct status_to_posix_error smb2_error_map_table[] = {
+ {STATUS_NONEXISTENT_EA_ENTRY, -EIO, "STATUS_NONEXISTENT_EA_ENTRY"},
+ {STATUS_NO_EAS_ON_FILE, -ENODATA, "STATUS_NO_EAS_ON_FILE"},
+ {STATUS_EA_CORRUPT_ERROR, -EIO, "STATUS_EA_CORRUPT_ERROR"},
+- {STATUS_FILE_LOCK_CONFLICT, -EIO, "STATUS_FILE_LOCK_CONFLICT"},
+- {STATUS_LOCK_NOT_GRANTED, -EIO, "STATUS_LOCK_NOT_GRANTED"},
++ {STATUS_FILE_LOCK_CONFLICT, -EACCES, "STATUS_FILE_LOCK_CONFLICT"},
++ {STATUS_LOCK_NOT_GRANTED, -EACCES, "STATUS_LOCK_NOT_GRANTED"},
+ {STATUS_DELETE_PENDING, -ENOENT, "STATUS_DELETE_PENDING"},
+ {STATUS_CTL_FILE_NOT_SUPPORTED, -ENOSYS,
+ "STATUS_CTL_FILE_NOT_SUPPORTED"},
+--
+2.20.1
+
diff --git a/patches.fixes/x86-kvm-vmx-do-not-use-vm-exit-instruction-length-fo.patch b/patches.kernel.org/4.4.170-054-x86-kvm-vmx-do-not-use-vm-exit-instruction-le.patch
index f85b8bb4c4..1a24412a9b 100644
--- a/patches.fixes/x86-kvm-vmx-do-not-use-vm-exit-instruction-length-fo.patch
+++ b/patches.kernel.org/4.4.170-054-x86-kvm-vmx-do-not-use-vm-exit-instruction-le.patch
@@ -1,13 +1,15 @@
-From d391f1207067268261add0485f0f34503539c5b0 Mon Sep 17 00:00:00 2001
From: Vitaly Kuznetsov <vkuznets@redhat.com>
Date: Thu, 25 Jan 2018 16:37:07 +0100
-Subject: [PATCH] x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested
-Mime-version: 1.0
-Content-type: text/plain; charset=UTF-8
-Content-transfer-encoding: 8bit
+Subject: [PATCH] x86/kvm/vmx: do not use vm-exit instruction length for fast
+ MMIO when running nested
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Patch-mainline: 4.4.170
+References: bnc#1012382 bsc#1081431
Git-commit: d391f1207067268261add0485f0f34503539c5b0
-Patch-mainline: v4.16-rc1
-References: bsc#1081431
+
+commit d391f1207067268261add0485f0f34503539c5b0 upstream.
I was investigating an issue with seabios >= 1.10 which stopped working
for nested KVM on Hyper-V. The problem appears to be in
@@ -33,17 +35,21 @@ Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-Signed-off-by: Matwey V. Kornilov <matwey.kornilov@gmail.com>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+[mhaboustak: backport to 4.9.y]
+Signed-off-by: Mike Haboustak <haboustak@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
- arch/x86/kvm/vmx.c | 19 +++++++++++++++++--
- arch/x86/kvm/x86.c | 3 ++-
+ arch/x86/kvm/vmx.c | 19 +++++++++++++++++--
+ arch/x86/kvm/x86.c | 3 ++-
2 files changed, 19 insertions(+), 3 deletions(-)
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index e4b5fd72ca24..3bdb2e747b89 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
-@@ -5986,9 +5986,24 @@ static int handle_ept_misconfig(struct k
+@@ -6163,9 +6163,24 @@ static int handle_ept_misconfig(struct kvm_vcpu *vcpu)
gpa = vmcs_read64(GUEST_PHYSICAL_ADDRESS);
if (!kvm_io_bus_write(vcpu, KVM_FAST_MMIO_BUS, gpa, 0, NULL)) {
@@ -51,28 +57,30 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
trace_kvm_fast_mmio(gpa);
- return 1;
+ /*
-+ * Doing kvm_skip_emulated_instruction() depends on undefined
-+ * behavior: Intel's manual doesn't mandate
-+ * VM_EXIT_INSTRUCTION_LEN to be set in VMCS when EPT MISCONFIG
-+ * occurs and while on real hardware it was observed to be set,
-+ * other hypervisors (namely Hyper-V) don't set it, we end up
-+ * advancing IP with some random value. Disable fast mmio when
-+ * running nested and keep it for real hardware in hope that
-+ * VM_EXIT_INSTRUCTION_LEN will always be set correctly.
-+ */
++ * Doing kvm_skip_emulated_instruction() depends on undefined
++ * behavior: Intel's manual doesn't mandate
++ * VM_EXIT_INSTRUCTION_LEN to be set in VMCS when EPT MISCONFIG
++ * occurs and while on real hardware it was observed to be set,
++ * other hypervisors (namely Hyper-V) don't set it, we end up
++ * advancing IP with some random value. Disable fast mmio when
++ * running nested and keep it for real hardware in hope that
++ * VM_EXIT_INSTRUCTION_LEN will always be set correctly.
++ */
+ if (!static_cpu_has(X86_FEATURE_HYPERVISOR)) {
+ skip_emulated_instruction(vcpu);
+ return 1;
-+ } else {
++ }
++ else
+ return x86_emulate_instruction(vcpu, gpa, EMULTYPE_SKIP,
+ NULL, 0) == EMULATE_DONE;
-+ }
}
ret = handle_mmio_page_fault(vcpu, gpa, true);
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index aa1a0277a678..1a934bb8ed1c 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
-@@ -5408,7 +5408,8 @@ int x86_emulate_instruction(struct kvm_v
+@@ -5436,7 +5436,8 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu,
* handle watchpoints yet, those would be handled in
* the emulate_ops.
*/
@@ -82,3 +90,6 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
return r;
ctxt->interruptibility = 0;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-055-spi-bcm2835-Unbreak-the-build-of-esoteric-con.patch b/patches.kernel.org/4.4.170-055-spi-bcm2835-Unbreak-the-build-of-esoteric-con.patch
new file mode 100644
index 0000000000..fe24f342d3
--- /dev/null
+++ b/patches.kernel.org/4.4.170-055-spi-bcm2835-Unbreak-the-build-of-esoteric-con.patch
@@ -0,0 +1,47 @@
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 29 Nov 2018 15:14:49 +0100
+Subject: [PATCH] spi: bcm2835: Unbreak the build of esoteric configs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 29bdedfd9cf40e59456110ca417a8cb672ac9b92
+
+commit 29bdedfd9cf40e59456110ca417a8cb672ac9b92 upstream.
+
+Commit e82b0b382845 ("spi: bcm2835: Fix race on DMA termination") broke
+the build with COMPILE_TEST=y on arches whose cmpxchg() requires 32-bit
+operands (xtensa, older arm ISAs).
+
+Fix by changing the dma_pending flag's type from bool to unsigned int.
+
+Fixes: e82b0b382845 ("spi: bcm2835: Fix race on DMA termination")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: Frank Pavlic <f.pavlic@kunbus.de>
+Cc: Martin Sperl <kernel@martin.sperl.org>
+Cc: Noralf Trønnes <noralf@tronnes.org>
+Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/spi/spi-bcm2835.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c
+index 92f45b6fd278..1a1368f5863c 100644
+--- a/drivers/spi/spi-bcm2835.c
++++ b/drivers/spi/spi-bcm2835.c
+@@ -88,7 +88,7 @@ struct bcm2835_spi {
+ u8 *rx_buf;
+ int tx_len;
+ int rx_len;
+- bool dma_pending;
++ unsigned int dma_pending;
+ };
+
+ static inline u32 bcm2835_rd(struct bcm2835_spi *bs, unsigned reg)
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-056-powerpc-Fix-COFF-zImage-booting-on-old-powerm.patch b/patches.kernel.org/4.4.170-056-powerpc-Fix-COFF-zImage-booting-on-old-powerm.patch
new file mode 100644
index 0000000000..60bb177616
--- /dev/null
+++ b/patches.kernel.org/4.4.170-056-powerpc-Fix-COFF-zImage-booting-on-old-powerm.patch
@@ -0,0 +1,59 @@
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Tue, 27 Nov 2018 09:01:54 +1100
+Subject: [PATCH] powerpc: Fix COFF zImage booting on old powermacs
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 5564597d51c8ff5b88d95c76255e18b13b760879
+
+[ Upstream commit 5564597d51c8ff5b88d95c76255e18b13b760879 ]
+
+Commit 6975a783d7b4 ("powerpc/boot: Allow building the zImage wrapper
+as a relocatable ET_DYN", 2011-04-12) changed the procedure descriptor
+at the start of crt0.S to have a hard-coded start address of 0x500000
+rather than a reference to _zimage_start, presumably because having
+a reference to a symbol introduced a relocation which is awkward to
+handle in a position-independent executable. Unfortunately, what is
+at 0x500000 in the COFF image is not the first instruction, but the
+procedure descriptor itself, that is, a word containing 0x500000,
+which is not a valid instruction. Hence, booting a COFF zImage
+results in a "DEFAULT CATCH!, code=FFF00700" message from Open
+Firmware.
+
+This fixes the problem by (a) putting the procedure descriptor in the
+data section and (b) adding a branch to _zimage_start as the first
+instruction in the program.
+
+Fixes: 6975a783d7b4 ("powerpc/boot: Allow building the zImage wrapper as a relocatable ET_DYN")
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/powerpc/boot/crt0.S | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/boot/crt0.S b/arch/powerpc/boot/crt0.S
+index 5c2199857aa8..a3550e8f1a77 100644
+--- a/arch/powerpc/boot/crt0.S
++++ b/arch/powerpc/boot/crt0.S
+@@ -15,7 +15,7 @@
+ RELA = 7
+ RELACOUNT = 0x6ffffff9
+
+- .text
++ .data
+ /* A procedure descriptor used when booting this as a COFF file.
+ * When making COFF, this comes first in the link and we're
+ * linked at 0x500000.
+@@ -23,6 +23,8 @@ RELACOUNT = 0x6ffffff9
+ .globl _zimage_start_opd
+ _zimage_start_opd:
+ .long 0x500000, 0, 0, 0
++ .text
++ b _zimage_start
+
+ #ifdef __powerpc64__
+ .balign 8
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-057-ARM-imx-update-the-cpu-power-up-timing-settin.patch b/patches.kernel.org/4.4.170-057-ARM-imx-update-the-cpu-power-up-timing-settin.patch
new file mode 100644
index 0000000000..6a50bbe816
--- /dev/null
+++ b/patches.kernel.org/4.4.170-057-ARM-imx-update-the-cpu-power-up-timing-settin.patch
@@ -0,0 +1,43 @@
+From: Anson Huang <anson.huang@nxp.com>
+Date: Tue, 4 Dec 2018 03:17:45 +0000
+Subject: [PATCH] ARM: imx: update the cpu power up timing setting on i.mx6sx
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 1e434b703248580b7aaaf8a115d93e682f57d29f
+
+[ Upstream commit 1e434b703248580b7aaaf8a115d93e682f57d29f ]
+
+The sw2iso count should cover ARM LDO ramp-up time,
+the MAX ARM LDO ramp-up time may be up to more than
+100us on some boards, this patch sets sw2iso to 0xf
+(~384us) which is the reset value, and it is much
+more safe to cover different boards, since we have
+observed that some customer boards failed with current
+setting of 0x2.
+
+Fixes: 05136f0897b5 ("ARM: imx: support arm power off in cpuidle for i.mx6sx")
+Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/mach-imx/cpuidle-imx6sx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-imx/cpuidle-imx6sx.c b/arch/arm/mach-imx/cpuidle-imx6sx.c
+index 3c6672b3796b..7f5df8992008 100644
+--- a/arch/arm/mach-imx/cpuidle-imx6sx.c
++++ b/arch/arm/mach-imx/cpuidle-imx6sx.c
+@@ -97,7 +97,7 @@ int __init imx6sx_cpuidle_init(void)
+ * except for power up sw2iso which need to be
+ * larger than LDO ramp up time.
+ */
+- imx_gpc_set_arm_power_up_timing(2, 1);
++ imx_gpc_set_arm_power_up_timing(0xf, 1);
+ imx_gpc_set_arm_power_down_timing(1, 1);
+
+ return cpuidle_register(&imx6sx_cpuidle_driver, NULL);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-058-Input-restore-EV_ABS-ABS_RESERVED.patch b/patches.kernel.org/4.4.170-058-Input-restore-EV_ABS-ABS_RESERVED.patch
new file mode 100644
index 0000000000..1be1144c2d
--- /dev/null
+++ b/patches.kernel.org/4.4.170-058-Input-restore-EV_ABS-ABS_RESERVED.patch
@@ -0,0 +1,46 @@
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 6 Dec 2018 09:03:36 +1000
+Subject: [PATCH] Input: restore EV_ABS ABS_RESERVED
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: c201e3808e0e4be9b98d192802085a9f491bd80c
+
+[ Upstream commit c201e3808e0e4be9b98d192802085a9f491bd80c ]
+
+ABS_RESERVED was added in d9ca1c990a7 and accidentally removed as part of
+ffe0e7cf290f5c9 when the high-resolution scrolling code was removed.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Martin Kepplinger <martin.kepplinger@ginzinger.com>
+Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/uapi/linux/input-event-codes.h | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/include/uapi/linux/input-event-codes.h b/include/uapi/linux/input-event-codes.h
+index 87cf351bab03..9e07bf4259e1 100644
+--- a/include/uapi/linux/input-event-codes.h
++++ b/include/uapi/linux/input-event-codes.h
+@@ -708,6 +708,15 @@
+
+ #define ABS_MISC 0x28
+
++/*
++ * 0x2e is reserved and should not be used in input drivers.
++ * It was used by HID as ABS_MISC+6 and userspace needs to detect if
++ * the next ABS_* event is correct or is just ABS_MISC + n.
++ * We define here ABS_RESERVED so userspace can rely on it and detect
++ * the situation described above.
++ */
++#define ABS_RESERVED 0x2e
++
+ #define ABS_MT_SLOT 0x2f /* MT slot being modified */
+ #define ABS_MT_TOUCH_MAJOR 0x30 /* Major axis of touching ellipse */
+ #define ABS_MT_TOUCH_MINOR 0x31 /* Minor axis (omit if circular) */
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-059-checkstack.pl-fix-for-aarch64.patch b/patches.kernel.org/4.4.170-059-checkstack.pl-fix-for-aarch64.patch
new file mode 100644
index 0000000000..cc39e4e4cc
--- /dev/null
+++ b/patches.kernel.org/4.4.170-059-checkstack.pl-fix-for-aarch64.patch
@@ -0,0 +1,49 @@
+From: Qian Cai <cai@lca.pw>
+Date: Fri, 14 Dec 2018 14:17:20 -0800
+Subject: [PATCH] checkstack.pl: fix for aarch64
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: f1733a1d3cd32a9492f4cf866be37bb46e10163d
+
+[ Upstream commit f1733a1d3cd32a9492f4cf866be37bb46e10163d ]
+
+There is actually a space after "sp," like this,
+
+ ffff2000080813c8: a9bb7bfd stp x29, x30, [sp, #-80]!
+
+Right now, checkstack.pl isn't able to print anything on aarch64,
+because it won't be able to match the stating objdump line of a function
+due to this missing space. Hence, it displays every stack as zero-size.
+
+After this patch, checkpatch.pl is able to match the start of a
+function's objdump, and is then able to calculate each function's stack
+correctly.
+
+Link: http://lkml.kernel.org/r/20181207195843.38528-1-cai@lca.pw
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ scripts/checkstack.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/checkstack.pl b/scripts/checkstack.pl
+index dd8397894d5c..12a6940741fe 100755
+--- a/scripts/checkstack.pl
++++ b/scripts/checkstack.pl
+@@ -46,8 +46,8 @@ my (@stack, $re, $dre, $x, $xs, $funcre);
+ $xs = "[0-9a-f ]"; # hex character or space
+ $funcre = qr/^$x* <(.*)>:$/;
+ if ($arch eq 'aarch64') {
+- #ffffffc0006325cc: a9bb7bfd stp x29, x30, [sp,#-80]!
+- $re = qr/^.*stp.*sp,\#-([0-9]{1,8})\]\!/o;
++ #ffffffc0006325cc: a9bb7bfd stp x29, x30, [sp, #-80]!
++ $re = qr/^.*stp.*sp, \#-([0-9]{1,8})\]\!/o;
+ } elsif ($arch eq 'arm') {
+ #c0008ffc: e24dd064 sub sp, sp, #100 ; 0x64
+ $re = qr/.*sub.*sp, sp, #(([0-9]{2}|[3-9])[0-9]{2})/o;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-060-xfrm-Fix-bucket-count-reported-to-userspace.patch b/patches.kernel.org/4.4.170-060-xfrm-Fix-bucket-count-reported-to-userspace.patch
new file mode 100644
index 0000000000..db67a06235
--- /dev/null
+++ b/patches.kernel.org/4.4.170-060-xfrm-Fix-bucket-count-reported-to-userspace.patch
@@ -0,0 +1,37 @@
+From: Benjamin Poirier <bpoirier@suse.com>
+Date: Mon, 5 Nov 2018 17:00:53 +0900
+Subject: [PATCH] xfrm: Fix bucket count reported to userspace
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: ca92e173ab34a4f7fc4128bd372bd96f1af6f507
+
+[ Upstream commit ca92e173ab34a4f7fc4128bd372bd96f1af6f507 ]
+
+sadhcnt is reported by `ip -s xfrm state count` as "buckets count", not the
+hash mask.
+
+Fixes: 28d8909bc790 ("[XFRM]: Export SAD info.")
+Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/xfrm/xfrm_state.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 9b6e51450fc5..13f261feb75c 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -623,7 +623,7 @@ void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si)
+ {
+ spin_lock_bh(&net->xfrm.xfrm_state_lock);
+ si->sadcnt = net->xfrm.state_num;
+- si->sadhcnt = net->xfrm.state_hmask;
++ si->sadhcnt = net->xfrm.state_hmask + 1;
+ si->sadhmcnt = xfrm_state_hashmax;
+ spin_unlock_bh(&net->xfrm.xfrm_state_lock);
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-061-scsi-bnx2fc-Fix-NULL-dereference-in-error-han.patch b/patches.kernel.org/4.4.170-061-scsi-bnx2fc-Fix-NULL-dereference-in-error-han.patch
new file mode 100644
index 0000000000..b833e1a875
--- /dev/null
+++ b/patches.kernel.org/4.4.170-061-scsi-bnx2fc-Fix-NULL-dereference-in-error-han.patch
@@ -0,0 +1,37 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 1 Nov 2018 08:25:30 +0300
+Subject: [PATCH] scsi: bnx2fc: Fix NULL dereference in error handling
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 9ae4f8420ed7be4b13c96600e3568c144d101a23
+
+[ Upstream commit 9ae4f8420ed7be4b13c96600e3568c144d101a23 ]
+
+If "interface" is NULL then we can't release it and trying to will only
+lead to an Oops.
+
+Fixes: aea71a024914 ("[SCSI] bnx2fc: Introduce interface structure for each vlan interface")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
+index d0b227ffbd5f..573aeec7a02b 100644
+--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
+@@ -2279,7 +2279,7 @@ static int _bnx2fc_create(struct net_device *netdev,
+ if (!interface) {
+ printk(KERN_ERR PFX "bnx2fc_interface_create failed\n");
+ rc = -ENOMEM;
+- goto ifput_err;
++ goto netdev_err;
+ }
+
+ if (netdev->priv_flags & IFF_802_1Q_VLAN) {
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-062-Input-omap-keypad-fix-idle-configuration-to-n.patch b/patches.kernel.org/4.4.170-062-Input-omap-keypad-fix-idle-configuration-to-n.patch
new file mode 100644
index 0000000000..d0129cb3e1
--- /dev/null
+++ b/patches.kernel.org/4.4.170-062-Input-omap-keypad-fix-idle-configuration-to-n.patch
@@ -0,0 +1,86 @@
+From: Tony Lindgren <tony@atomide.com>
+Date: Tue, 4 Dec 2018 13:52:49 -0800
+Subject: [PATCH] Input: omap-keypad - fix idle configuration to not block SoC
+ idle states
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: e2ca26ec4f01486661b55b03597c13e2b9c18b73
+
+[ Upstream commit e2ca26ec4f01486661b55b03597c13e2b9c18b73 ]
+
+With PM enabled, I noticed that pressing a key on the droid4 keyboard will
+block deeper idle states for the SoC. Let's fix this by using IRQF_ONESHOT
+and stop constantly toggling the device OMAP4_KBD_IRQENABLE register as
+suggested by Dmitry Torokhov <dmitry.torokhov@gmail.com>.
+
+From the hardware point of view, looks like we need to manage the registers
+for OMAP4_KBD_IRQENABLE and OMAP4_KBD_WAKEUPENABLE together to avoid
+blocking deeper SoC idle states. And with toggling of OMAP4_KBD_IRQENABLE
+register now gone with IRQF_ONESHOT, also the SoC idle state problem is
+gone during runtime. We still also need to clear OMAP4_KBD_WAKEUPENABLE in
+omap4_keypad_close() though to pair it with omap4_keypad_open() to prevent
+blocking deeper SoC idle states after rmmod omap4-keypad.
+
+Reported-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/input/keyboard/omap4-keypad.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/input/keyboard/omap4-keypad.c b/drivers/input/keyboard/omap4-keypad.c
+index f78c464899db..3d2c60c8de83 100644
+--- a/drivers/input/keyboard/omap4-keypad.c
++++ b/drivers/input/keyboard/omap4-keypad.c
+@@ -126,12 +126,8 @@ static irqreturn_t omap4_keypad_irq_handler(int irq, void *dev_id)
+ {
+ struct omap4_keypad *keypad_data = dev_id;
+
+- if (kbd_read_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS)) {
+- /* Disable interrupts */
+- kbd_write_irqreg(keypad_data, OMAP4_KBD_IRQENABLE,
+- OMAP4_VAL_IRQDISABLE);
++ if (kbd_read_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS))
+ return IRQ_WAKE_THREAD;
+- }
+
+ return IRQ_NONE;
+ }
+@@ -173,11 +169,6 @@ static irqreturn_t omap4_keypad_irq_thread_fn(int irq, void *dev_id)
+ kbd_write_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS,
+ kbd_read_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS));
+
+- /* enable interrupts */
+- kbd_write_irqreg(keypad_data, OMAP4_KBD_IRQENABLE,
+- OMAP4_DEF_IRQENABLE_EVENTEN |
+- OMAP4_DEF_IRQENABLE_LONGKEY);
+-
+ return IRQ_HANDLED;
+ }
+
+@@ -214,9 +205,10 @@ static void omap4_keypad_close(struct input_dev *input)
+
+ disable_irq(keypad_data->irq);
+
+- /* Disable interrupts */
++ /* Disable interrupts and wake-up events */
+ kbd_write_irqreg(keypad_data, OMAP4_KBD_IRQENABLE,
+ OMAP4_VAL_IRQDISABLE);
++ kbd_writel(keypad_data, OMAP4_KBD_WAKEUPENABLE, 0);
+
+ /* clear pending interrupts */
+ kbd_write_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS,
+@@ -364,7 +356,7 @@ static int omap4_keypad_probe(struct platform_device *pdev)
+ }
+
+ error = request_threaded_irq(keypad_data->irq, omap4_keypad_irq_handler,
+- omap4_keypad_irq_thread_fn, 0,
++ omap4_keypad_irq_thread_fn, IRQF_ONESHOT,
+ "omap4-keypad", keypad_data);
+ if (error) {
+ dev_err(&pdev->dev, "failed to register interrupt\n");
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-063-scsi-zfcp-fix-posting-too-many-status-read-bu.patch b/patches.kernel.org/4.4.170-063-scsi-zfcp-fix-posting-too-many-status-read-bu.patch
new file mode 100644
index 0000000000..c7154b441c
--- /dev/null
+++ b/patches.kernel.org/4.4.170-063-scsi-zfcp-fix-posting-too-many-status-read-bu.patch
@@ -0,0 +1,98 @@
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Thu, 6 Dec 2018 17:31:20 +0100
+Subject: [PATCH] scsi: zfcp: fix posting too many status read buffers leading
+ to adapter shutdown
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 60a161b7e5b2a252ff0d4c622266a7d8da1120ce
+
+commit 60a161b7e5b2a252ff0d4c622266a7d8da1120ce upstream.
+
+Suppose adapter (open) recovery is between opened QDIO queues and before
+(the end of) initial posting of status read buffers (SRBs). This time
+window can be seconds long due to FSF_PROT_HOST_CONNECTION_INITIALIZING
+causing by design looping with exponential increase sleeps in the function
+performing exchange config data during recovery
+[zfcp_erp_adapter_strat_fsf_xconf()]. Recovery triggered by local link up.
+
+Suppose an event occurs for which the FCP channel would send an unsolicited
+notification to zfcp by means of a previously posted SRB. We saw it with
+local cable pull (link down) in multi-initiator zoning with multiple
+NPIV-enabled subchannels of the same shared FCP channel.
+
+As soon as zfcp_erp_adapter_strategy_open_fsf() starts posting the initial
+status read buffers from within the adapter's ERP thread, the channel does
+send an unsolicited notification.
+
+Since v2.6.27 commit d26ab06ede83 ("[SCSI] zfcp: receiving an unsolicted
+status can lead to I/O stall"), zfcp_fsf_status_read_handler() schedules
+adapter->stat_work to re-fill the just consumed SRB from a work item.
+
+Now the ERP thread and the work item post SRBs in parallel. Both contexts
+call the helper function zfcp_status_read_refill(). The tracking of
+missing (to be posted / re-filled) SRBs is not thread-safe due to separate
+atomic_read() and atomic_dec(), in order to depend on posting
+success. Hence, both contexts can see
+atomic_read(&adapter->stat_miss) == 1. One of the two contexts posts
+one too many SRB. Zfcp gets QDIO_ERROR_SLSB_STATE on the output queue
+(trace tag "qdireq1") leading to zfcp_erp_adapter_shutdown() in
+zfcp_qdio_handler_error().
+
+An obvious and seemingly clean fix would be to schedule stat_work from the
+ERP thread and wait for it to finish. This would serialize all SRB
+re-fills. However, we already have another work item wait on the ERP
+thread: adapter->scan_work runs zfcp_fc_scan_ports() which calls
+zfcp_fc_eval_gpn_ft(). The latter calls zfcp_erp_wait() to wait for all the
+open port recoveries during zfcp auto port scan, but in fact it waits for
+any pending recovery including an adapter recovery. This approach leads to
+a deadlock. [see also v3.19 commit 18f87a67e6d6 ("zfcp: auto port scan
+resiliency"); v2.6.37 commit d3e1088d6873
+("[SCSI] zfcp: No ERP escalation on gpn_ft eval");
+v2.6.28 commit fca55b6fb587
+("[SCSI] zfcp: fix deadlock between wq triggered port scan and ERP")
+fixing v2.6.27 commit c57a39a45a76
+("[SCSI] zfcp: wait until adapter is finished with ERP during auto-port");
+v2.6.27 commit cc8c282963bd
+("[SCSI] zfcp: Automatically attach remote ports")]
+
+Instead make the accounting of missing SRBs atomic for parallel execution
+in both the ERP thread and adapter->stat_work.
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Fixes: d26ab06ede83 ("[SCSI] zfcp: receiving an unsolicted status can lead to I/O stall")
+Cc: <stable@vger.kernel.org> #2.6.27+
+Reviewed-by: Jens Remus <jremus@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/s390/scsi/zfcp_aux.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/s390/scsi/zfcp_aux.c b/drivers/s390/scsi/zfcp_aux.c
+index 38c8e308d4c8..a96c98e3fc73 100644
+--- a/drivers/s390/scsi/zfcp_aux.c
++++ b/drivers/s390/scsi/zfcp_aux.c
+@@ -275,16 +275,16 @@ static void zfcp_free_low_mem_buffers(struct zfcp_adapter *adapter)
+ */
+ int zfcp_status_read_refill(struct zfcp_adapter *adapter)
+ {
+- while (atomic_read(&adapter->stat_miss) > 0)
++ while (atomic_add_unless(&adapter->stat_miss, -1, 0))
+ if (zfcp_fsf_status_read(adapter->qdio)) {
++ atomic_inc(&adapter->stat_miss); /* undo add -1 */
+ if (atomic_read(&adapter->stat_miss) >=
+ adapter->stat_read_buf_num) {
+ zfcp_erp_adapter_reopen(adapter, 0, "axsref1");
+ return 1;
+ }
+ break;
+- } else
+- atomic_dec(&adapter->stat_miss);
++ }
+ return 0;
+ }
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-064-fork-record-start_time-late.patch b/patches.kernel.org/4.4.170-064-fork-record-start_time-late.patch
new file mode 100644
index 0000000000..d1a04b69b8
--- /dev/null
+++ b/patches.kernel.org/4.4.170-064-fork-record-start_time-late.patch
@@ -0,0 +1,83 @@
+From: David Herrmann <dh.herrmann@gmail.com>
+Date: Tue, 8 Jan 2019 13:58:52 +0100
+Subject: [PATCH] fork: record start_time late
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 7b55851367136b1efd84d98fea81ba57a98304cf
+
+commit 7b55851367136b1efd84d98fea81ba57a98304cf upstream.
+
+This changes the fork(2) syscall to record the process start_time after
+initializing the basic task structure but still before making the new
+process visible to user-space.
+
+Technically, we could record the start_time anytime during fork(2). But
+this might lead to scenarios where a start_time is recorded long before
+a process becomes visible to user-space. For instance, with
+userfaultfd(2) and TLS, user-space can delay the execution of fork(2)
+for an indefinite amount of time (and will, if this causes network
+access, or similar).
+
+By recording the start_time late, it much closer reflects the point in
+time where the process becomes live and can be observed by other
+processes.
+
+Lastly, this makes it much harder for user-space to predict and control
+the start_time they get assigned. Previously, user-space could fork a
+process and stall it in copy_thread_tls() before its pid is allocated,
+but after its start_time is recorded. This can be misused to later-on
+cycle through PIDs and resume the stalled fork(2) yielding a process
+that has the same pid and start_time as a process that existed before.
+This can be used to circumvent security systems that identify processes
+by their pid+start_time combination.
+
+Even though user-space was always aware that start_time recording is
+flaky (but several projects are known to still rely on start_time-based
+identification), changing the start_time to be recorded late will help
+mitigate existing attacks and make it much harder for user-space to
+control the start_time a process gets assigned.
+
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Tom Gundersen <teg@jklm.no>
+Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/fork.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/fork.c b/kernel/fork.c
+index dd2f79ac0771..e4b81913a998 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1411,8 +1411,6 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+
+ posix_cpu_timers_init(p);
+
+- p->start_time = ktime_get_ns();
+- p->real_start_time = ktime_get_boot_ns();
+ p->io_context = NULL;
+ p->audit_context = NULL;
+ cgroup_fork(p);
+@@ -1572,6 +1570,17 @@ static struct task_struct *copy_process(unsigned long clone_flags,
+ if (retval)
+ goto bad_fork_free_pid;
+
++ /*
++ * From this point on we must avoid any synchronous user-space
++ * communication until we take the tasklist-lock. In particular, we do
++ * not want user-space to be able to predict the process start-time by
++ * stalling fork(2) after we recorded the start_time but before it is
++ * visible to the system.
++ */
++
++ p->start_time = ktime_get_ns();
++ p->real_start_time = ktime_get_boot_ns();
++
+ /*
+ * Make it visible to the rest of the system, but dont wake it up yet.
+ * Need tasklist lock for parent etc handling!
+--
+2.20.1
+
diff --git a/patches.fixes/0001-hwpoison-memory_hotplug-allow-hwpoisoned-pages-to-be.patch b/patches.kernel.org/4.4.170-065-hwpoison-memory_hotplug-allow-hwpoisoned-page.patch
index 95eb48f8b2..158eb70bd4 100644
--- a/patches.fixes/0001-hwpoison-memory_hotplug-allow-hwpoisoned-pages-to-be.patch
+++ b/patches.kernel.org/4.4.170-065-hwpoison-memory_hotplug-allow-hwpoisoned-page.patch
@@ -1,52 +1,55 @@
-From 51c2cfdd270f76f068ea875fba77384e49156ac6 Mon Sep 17 00:00:00 2001
From: Michal Hocko <mhocko@suse.com>
-Date: Mon, 3 Dec 2018 10:27:18 +0100
-Subject: [RFC PATCH] hwpoison, memory_hotplug: allow hwpoisoned pages to be
+Date: Fri, 28 Dec 2018 00:38:01 -0800
+Subject: [PATCH] hwpoison, memory_hotplug: allow hwpoisoned pages to be
offlined
-Patch-mainline: not yet, under discussion
-References: bnc#1116336
+References: bnc#1012382 bnc#1116336
+Patch-mainline: 4.4.170
+Git-commit: b15c87263a69272423771118c653e9a1d0672caa
+
+commit b15c87263a69272423771118c653e9a1d0672caa upstream.
We have received a bug report that an injected MCE about faulty memory
-prevents memory offline to succeed on 4.4 base kernel. The underlying
-reason was that the HWPoison page has an elevated reference count and
-the migration keeps failing. There are two problems with that. First
-of all it is dubious to migrate the poisoned page because we know that
-accessing that memory is possible to fail. Secondly it doesn't make any
-sense to migrate a potentially broken content and preserve the memory
-corruption over to a new location.
+prevents memory offline to succeed on 4.4 base kernel. The underlying
+reason was that the HWPoison page has an elevated reference count and the
+migration keeps failing. There are two problems with that. First of all
+it is dubious to migrate the poisoned page because we know that accessing
+that memory is possible to fail. Secondly it doesn't make any sense to
+migrate a potentially broken content and preserve the memory corruption
+over to a new location.
Oscar has found out that 4.4 and the current upstream kernels behave
slightly differently with his simply testcase
+
===
int main(void)
{
- int ret;
- int i;
- int fd;
- char *array = malloc(4096);
- char *array_locked = malloc(4096);
+ int ret;
+ int i;
+ int fd;
+ char *array = malloc(4096);
+ char *array_locked = malloc(4096);
- fd = open("/tmp/data", O_RDONLY);
- read(fd, array, 4095);
+ fd = open("/tmp/data", O_RDONLY);
+ read(fd, array, 4095);
- for (i = 0; i < 4096; i++)
- array_locked[i] = 'd';
+ for (i = 0; i < 4096; i++)
+ array_locked[i] = 'd';
- ret = mlock((void *)PAGE_ALIGN((unsigned long)array_locked), sizeof(array_locked));
- if (ret)
- perror("mlock");
+ ret = mlock((void *)PAGE_ALIGN((unsigned long)array_locked), sizeof(array_locked));
+ if (ret)
+ perror("mlock");
- sleep (20);
+ sleep (20);
- ret = madvise((void *)PAGE_ALIGN((unsigned long)array_locked), 4096, MADV_HWPOISON);
- if (ret)
- perror("madvise");
+ ret = madvise((void *)PAGE_ALIGN((unsigned long)array_locked), 4096, MADV_HWPOISON);
+ if (ret)
+ perror("madvise");
- for (i = 0; i < 4096; i++)
- array_locked[i] = 'd';
+ for (i = 0; i < 4096; i++)
+ array_locked[i] = 'd';
- return 0;
+ return 0;
}
===
@@ -75,27 +78,29 @@ kernel: [<ffffffff81215f08>] do_execve+0x28/0x30
kernel: [<ffffffff81095ddb>] call_usermodehelper_exec_async+0xfb/0x130
kernel: [<ffffffff8161c045>] ret_from_fork+0x55/0x80
-And that later confuses the hotremove path because an LRU page is
+And that latter confuses the hotremove path because an LRU page is
attempted to be migrated and that fails due to an elevated reference
-count. It is quite possible that the reuse of the HWPoisoned page is
-some kind of fixed race condition but I am not really sure about that.
+count. It is quite possible that the reuse of the HWPoisoned page is some
+kind of fixed race condition but I am not really sure about that.
-With the upstream kernel the failure is slightly different. The page
-doesn't seem to have LRU bit set but isolate_movable_page simply fails
-and do_migrate_range simply puts all the isolated pages back to LRU and
+With the upstream kernel the failure is slightly different. The page
+doesn't seem to have LRU bit set but isolate_movable_page simply fails and
+do_migrate_range simply puts all the isolated pages back to LRU and
therefore no progress is made and scan_movable_pages finds same set of
pages over and over again.
-Fix both cases by explicitly checking HWPoisoned pages before we even
-try to get a reference on the page, try to unmap it if it is still
-mapped. As explained by Naoya
+Fix both cases by explicitly checking HWPoisoned pages before we even try
+to get reference on the page, try to unmap it if it is still mapped. As
+explained by Naoya:
+
: Hwpoison code never unmapped those for no big reason because
: Ksm pages never dominate memory, so we simply didn't have strong
: motivation to save the pages.
Also put WARN_ON(PageLRU) in case there is a race and we can hit LRU
-HWPoison pages which shouldn't happen but I couldn't convince myself
-about that. Naoya has noted the following
+HWPoison pages which shouldn't happen but I couldn't convince myself about
+that. Naoya has noted the following:
+
: Theoretically no such gurantee, because try_to_unmap() doesn't have a
: guarantee of success and then memory_failure() returns immediately
: when hwpoison_user_mappings fails.
@@ -115,29 +120,35 @@ about that. Naoya has noted the following
: So I think it's OK to keep "if (WARN_ON(PageLRU(page)))" block in
: current version of your patch.
-Debugged-by: Oscar Salvador <osalvador@suse.com>
-Cc: stable
+Link: http://lkml.kernel.org/r/20181206120135.14079-1-mhocko@kernel.org
+Signed-off-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Oscar Salvador <osalvador@suse.com>
+Debugged-by: Oscar Salvador <osalvador@suse.com>
Tested-by: Oscar Salvador <osalvador@suse.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
-Signed-off-by: Michal Hocko <mhocko@suse.com>
-
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
- mm/memory_hotplug.c | 16 ++++++++++++++++
+ mm/memory_hotplug.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
+diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
+index a18923e4359d..0addef5f8aa3 100644
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
-@@ -34,6 +34,7 @@
+@@ -32,6 +32,7 @@
+ #include <linux/hugetlb.h>
#include <linux/memblock.h>
#include <linux/bootmem.h>
- #include <linux/compaction.h>
+#include <linux/rmap.h>
#include <asm/tlbflush.h>
-@@ -1453,6 +1454,21 @@ do_migrate_range(unsigned long start_pfn
+@@ -1471,6 +1472,21 @@ do_migrate_range(unsigned long start_pfn, unsigned long end_pfn)
continue;
}
@@ -159,3 +170,6 @@ Signed-off-by: Michal Hocko <mhocko@suse.com>
if (!get_page_unless_zero(page))
continue;
/*
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-067-mm-devm_memremap_pages-kill-mapping-System-RA.patch b/patches.kernel.org/4.4.170-067-mm-devm_memremap_pages-kill-mapping-System-RA.patch
new file mode 100644
index 0000000000..5c3dda2d35
--- /dev/null
+++ b/patches.kernel.org/4.4.170-067-mm-devm_memremap_pages-kill-mapping-System-RA.patch
@@ -0,0 +1,65 @@
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Fri, 28 Dec 2018 00:34:54 -0800
+Subject: [PATCH] mm, devm_memremap_pages: kill mapping "System RAM" support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 06489cfbd915ff36c8e36df27f1c2dc60f97ca56
+
+commit 06489cfbd915ff36c8e36df27f1c2dc60f97ca56 upstream.
+
+Given the fact that devm_memremap_pages() requires a percpu_ref that is
+torn down by devm_memremap_pages_release() the current support for mapping
+RAM is broken.
+
+Support for remapping "System RAM" has been broken since the beginning and
+there is no existing user of this this code path, so just kill the support
+and make it an explicit error.
+
+This cleanup also simplifies a follow-on patch to fix the error path when
+setting a devm release action for devm_memremap_pages_release() fails.
+
+Link: http://lkml.kernel.org/r/154275557997.76910.14689813630968180480.stgit@dwillia2-desk3.amr.corp.intel.com
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Reviewed-by: "Jérôme Glisse" <jglisse@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
+Cc: Balbir Singh <bsingharora@gmail.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/memremap.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/memremap.c b/kernel/memremap.c
+index 71d28a5dbfc2..1be42f9b3e00 100644
+--- a/kernel/memremap.c
++++ b/kernel/memremap.c
+@@ -171,15 +171,12 @@ void *devm_memremap_pages(struct device *dev, struct resource *res)
+ struct page_map *page_map;
+ int error, nid;
+
+- if (is_ram == REGION_MIXED) {
+- WARN_ONCE(1, "%s attempted on mixed region %pr\n",
+- __func__, res);
++ if (is_ram != REGION_DISJOINT) {
++ WARN_ONCE(1, "%s attempted on %s region %pr\n", __func__,
++ is_ram == REGION_MIXED ? "mixed" : "ram", res);
+ return ERR_PTR(-ENXIO);
+ }
+
+- if (is_ram == REGION_INTERSECTS)
+- return __va(res->start);
+-
+ page_map = devres_alloc_node(devm_memremap_pages_release,
+ sizeof(*page_map), GFP_KERNEL, dev_to_node(dev));
+ if (!page_map)
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-068-sunrpc-fix-cache_head-leak-due-to-queued-requ.patch b/patches.kernel.org/4.4.170-068-sunrpc-fix-cache_head-leak-due-to-queued-requ.patch
new file mode 100644
index 0000000000..bcbd91e004
--- /dev/null
+++ b/patches.kernel.org/4.4.170-068-sunrpc-fix-cache_head-leak-due-to-queued-requ.patch
@@ -0,0 +1,74 @@
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Wed, 28 Nov 2018 11:45:57 +0300
+Subject: [PATCH] sunrpc: fix cache_head leak due to queued request
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 4ecd55ea074217473f94cfee21bb72864d39f8d7
+
+commit 4ecd55ea074217473f94cfee21bb72864d39f8d7 upstream.
+
+After commit d202cce8963d, an expired cache_head can be removed from the
+cache_detail's hash.
+
+However, the expired cache_head may be waiting for a reply from a
+previously submitted request. Such a cache_head has an increased
+refcounter and therefore it won't be freed after cache_put(freeme).
+
+Because the cache_head was removed from the hash it cannot be found
+during cache_clean() and can be leaked forever, together with stalled
+cache_request and other taken resources.
+
+In our case we noticed it because an entry in the export cache was
+holding a reference on a filesystem.
+
+Fixes d202cce8963d ("sunrpc: never return expired entries in sunrpc_cache_lookup")
+Cc: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Cc: stable@kernel.org # 2.6.35
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Reviewed-by: NeilBrown <neilb@suse.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sunrpc/cache.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
+index 63fb5ee212cf..af17b00145e1 100644
+--- a/net/sunrpc/cache.c
++++ b/net/sunrpc/cache.c
+@@ -54,6 +54,11 @@ static void cache_init(struct cache_head *h, struct cache_detail *detail)
+ h->last_refresh = now;
+ }
+
++static void cache_fresh_locked(struct cache_head *head, time_t expiry,
++ struct cache_detail *detail);
++static void cache_fresh_unlocked(struct cache_head *head,
++ struct cache_detail *detail);
++
+ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail,
+ struct cache_head *key, int hash)
+ {
+@@ -95,6 +100,7 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail,
+ if (cache_is_expired(detail, tmp)) {
+ hlist_del_init(&tmp->cache_list);
+ detail->entries --;
++ cache_fresh_locked(tmp, 0, detail);
+ freeme = tmp;
+ break;
+ }
+@@ -110,8 +116,10 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail,
+ cache_get(new);
+ write_unlock(&detail->hash_lock);
+
+- if (freeme)
++ if (freeme) {
++ cache_fresh_unlocked(freeme, detail);
+ cache_put(freeme, detail);
++ }
+ return new;
+ }
+ EXPORT_SYMBOL_GPL(sunrpc_cache_lookup);
+--
+2.20.1
+
diff --git a/patches.fixes/sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch b/patches.kernel.org/4.4.170-069-sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch
index ba4231c4ba..a7ac7feeb7 100644
--- a/patches.fixes/sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch
+++ b/patches.kernel.org/4.4.170-069-sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch
@@ -1,21 +1,26 @@
From: Vasily Averin <vvs@virtuozzo.com>
Date: Mon, 24 Dec 2018 14:44:42 +0300
Subject: [PATCH] sunrpc: use SVC_NET() in svcauth_gss_* functions
-Patch-mainline: Submitted, Mon, 24 Dec 2018 14:44:42 +0300 - linux-nfs@vger.kernel.org
-References: bsc#1119946 CVE-2018-16884
+References: bnc#1012382 bsc#1119946 CVE-2018-16884
+Patch-mainline: 4.4.170
+Git-commit: b8be5674fa9a6f3677865ea93f7803c4212f3e10
+commit b8be5674fa9a6f3677865ea93f7803c4212f3e10 upstream.
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
-Signed-off-by: NeilBrown <neilb@suse.com>
-Acked-by: NeilBrown <neilb@suse.com>
-
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
- net/sunrpc/auth_gss/svcauth_gss.c | 8 ++++----
+ net/sunrpc/auth_gss/svcauth_gss.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
+index 036bbf2b44c1..b5291ea54a3d 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
-@@ -1104,7 +1104,7 @@ static int svcauth_gss_legacy_init(struc
+@@ -1105,7 +1105,7 @@ static int svcauth_gss_legacy_init(struct svc_rqst *rqstp,
struct kvec *resv = &rqstp->rq_res.head[0];
struct rsi *rsip, rsikey;
int ret;
@@ -24,7 +29,7 @@ Acked-by: NeilBrown <neilb@suse.com>
memset(&rsikey, 0, sizeof(rsikey));
ret = gss_read_verf(gc, argv, authp,
-@@ -1215,7 +1215,7 @@ static int svcauth_gss_proxy_init(struct
+@@ -1216,7 +1216,7 @@ static int svcauth_gss_proxy_init(struct svc_rqst *rqstp,
uint64_t handle;
int status;
int ret;
@@ -33,7 +38,7 @@ Acked-by: NeilBrown <neilb@suse.com>
struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
memset(&ud, 0, sizeof(ud));
-@@ -1405,7 +1405,7 @@ svcauth_gss_accept(struct svc_rqst *rqst
+@@ -1406,7 +1406,7 @@ svcauth_gss_accept(struct svc_rqst *rqstp, __be32 *authp)
__be32 *rpcstart;
__be32 *reject_stat = resv->iov_base + resv->iov_len;
int ret;
@@ -42,7 +47,7 @@ Acked-by: NeilBrown <neilb@suse.com>
dprintk("RPC: svcauth_gss: argv->iov_len = %zd\n",
argv->iov_len);
-@@ -1693,7 +1693,7 @@ svcauth_gss_release(struct svc_rqst *rqs
+@@ -1694,7 +1694,7 @@ svcauth_gss_release(struct svc_rqst *rqstp)
struct rpc_gss_wire_cred *gc = &gsd->clcred;
struct xdr_buf *resbuf = &rqstp->rq_res;
int stat = -EINVAL;
@@ -51,3 +56,6 @@ Acked-by: NeilBrown <neilb@suse.com>
if (gc->gc_proc != RPC_GSS_PROC_DATA)
goto out;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-070-crypto-x86-chacha20-avoid-sleeping-with-preem.patch b/patches.kernel.org/4.4.170-070-crypto-x86-chacha20-avoid-sleeping-with-preem.patch
new file mode 100644
index 0000000000..3f95bde17f
--- /dev/null
+++ b/patches.kernel.org/4.4.170-070-crypto-x86-chacha20-avoid-sleeping-with-preem.patch
@@ -0,0 +1,43 @@
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 7 Jan 2019 15:15:59 -0800
+Subject: [PATCH] crypto: x86/chacha20 - avoid sleeping with preemption
+ disabled
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 557f16c7fe26a2d16013c2821c5ce5a90a7da97e
+
+In chacha20-simd, clear the MAY_SLEEP flag in the blkcipher_desc to
+prevent sleeping with preemption disabled, under kernel_fpu_begin().
+
+This was fixed upstream incidentally by a large refactoring,
+commit 9ae433bc79f9 ("crypto: chacha20 - convert generic and x86
+versions to skcipher"). But syzkaller easily trips over this when
+running on older kernels, as it's easily reachable via AF_ALG.
+Therefore, this patch makes the minimal fix for older kernels.
+
+Fixes: c9320b6dcb89 ("crypto: chacha20 - Add a SSSE3 SIMD variant for x86_64")
+Cc: linux-crypto@vger.kernel.org
+Cc: Martin Willi <martin@strongswan.org>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/crypto/chacha20_glue.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/crypto/chacha20_glue.c b/arch/x86/crypto/chacha20_glue.c
+index 8baaff5af0b5..75b9d43069f1 100644
+--- a/arch/x86/crypto/chacha20_glue.c
++++ b/arch/x86/crypto/chacha20_glue.c
+@@ -77,6 +77,7 @@ static int chacha20_simd(struct blkcipher_desc *desc, struct scatterlist *dst,
+
+ blkcipher_walk_init(&walk, dst, src, nbytes);
+ err = blkcipher_walk_virt_block(desc, &walk, CHACHA20_BLOCK_SIZE);
++ desc->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
+
+ crypto_chacha20_init(state, crypto_blkcipher_ctx(desc->tfm), walk.iv);
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-071-ALSA-cs46xx-Potential-NULL-dereference-in-pro.patch b/patches.kernel.org/4.4.170-071-ALSA-cs46xx-Potential-NULL-dereference-in-pro.patch
new file mode 100644
index 0000000000..50b46a3d02
--- /dev/null
+++ b/patches.kernel.org/4.4.170-071-ALSA-cs46xx-Potential-NULL-dereference-in-pro.patch
@@ -0,0 +1,39 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 8 Jan 2019 10:43:30 +0300
+Subject: [PATCH] ALSA: cs46xx: Potential NULL dereference in probe
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 1524f4e47f90b27a3ac84efbdd94c63172246a6f
+
+commit 1524f4e47f90b27a3ac84efbdd94c63172246a6f upstream.
+
+The "chip->dsp_spos_instance" can be NULL on some of the ealier error
+paths in snd_cs46xx_create().
+
+Reported-by: "Yavuz, Tuba" <tuba@ece.ufl.edu>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/pci/cs46xx/dsp_spos.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/pci/cs46xx/dsp_spos.c b/sound/pci/cs46xx/dsp_spos.c
+index d2951ed4bf71..1984291ebd07 100644
+--- a/sound/pci/cs46xx/dsp_spos.c
++++ b/sound/pci/cs46xx/dsp_spos.c
+@@ -899,6 +899,9 @@ int cs46xx_dsp_proc_done (struct snd_cs46xx *chip)
+ struct dsp_spos_instance * ins = chip->dsp_spos_instance;
+ int i;
+
++ if (!ins)
++ return 0;
++
+ snd_info_free_entry(ins->proc_sym_info_entry);
+ ins->proc_sym_info_entry = NULL;
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-072-ALSA-usb-audio-Avoid-access-before-bLength-ch.patch b/patches.kernel.org/4.4.170-072-ALSA-usb-audio-Avoid-access-before-bLength-ch.patch
new file mode 100644
index 0000000000..0bf9c172d3
--- /dev/null
+++ b/patches.kernel.org/4.4.170-072-ALSA-usb-audio-Avoid-access-before-bLength-ch.patch
@@ -0,0 +1,54 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 19 Dec 2018 12:36:27 +0100
+Subject: [PATCH] ALSA: usb-audio: Avoid access before bLength check in
+ build_audio_procunit()
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: f4351a199cc120ff9d59e06d02e8657d08e6cc46
+
+commit f4351a199cc120ff9d59e06d02e8657d08e6cc46 upstream.
+
+The parser for the processing unit reads bNrInPins field before the
+bLength sanity check, which may lead to an out-of-bound access when a
+malformed descriptor is given. Fix it by assignment after the bLength
+check.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/usb/mixer.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
+index 97d6a18e6956..f7eb0d2f797b 100644
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1816,7 +1816,7 @@ static int build_audio_procunit(struct mixer_build *state, int unitid,
+ char *name)
+ {
+ struct uac_processing_unit_descriptor *desc = raw_desc;
+- int num_ins = desc->bNrInPins;
++ int num_ins;
+ struct usb_mixer_elem_info *cval;
+ struct snd_kcontrol *kctl;
+ int i, err, nameid, type, len;
+@@ -1831,7 +1831,13 @@ static int build_audio_procunit(struct mixer_build *state, int unitid,
+ 0, NULL, default_value_info
+ };
+
+- if (desc->bLength < 13 || desc->bLength < 13 + num_ins ||
++ if (desc->bLength < 13) {
++ usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);
++ return -EINVAL;
++ }
++
++ num_ins = desc->bNrInPins;
++ if (desc->bLength < 13 + num_ins ||
+ desc->bLength < num_ins + uac_processing_unit_bControlSize(desc, state->mixer->protocol)) {
+ usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);
+ return -EINVAL;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-073-ALSA-usb-audio-Fix-an-out-of-bound-read-in-cr.patch b/patches.kernel.org/4.4.170-073-ALSA-usb-audio-Fix-an-out-of-bound-read-in-cr.patch
new file mode 100644
index 0000000000..74e0bc687a
--- /dev/null
+++ b/patches.kernel.org/4.4.170-073-ALSA-usb-audio-Fix-an-out-of-bound-read-in-cr.patch
@@ -0,0 +1,51 @@
+From: Hui Peng <benquike@163.com>
+Date: Tue, 25 Dec 2018 18:11:52 -0500
+Subject: [PATCH] ALSA: usb-audio: Fix an out-of-bound read in
+ create_composite_quirks
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184
+
+commit cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184 upstream.
+
+In `create_composite_quirk`, the terminating condition of for loops is
+`quirk->ifnum < 0`. So any composite quirks should end with `struct
+snd_usb_audio_quirk` object with ifnum < 0.
+
+ for (quirk = quirk_comp->data; quirk->ifnum >= 0; ++quirk) {
+
+ .....
+ }
+
+the data field of Bower's & Wilkins PX headphones usb device device quirks
+do not end with {.ifnum = -1}, wihch may result in out-of-bound read.
+
+This Patch fix the bug by adding an ending quirk object.
+
+Fixes: 240a8af929c7 ("ALSA: usb-audio: Add a quirck for B&W PX headphones")
+Signed-off-by: Hui Peng <benquike@163.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/usb/quirks-table.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
+index 15cbe2565703..d32727c74a16 100644
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -3321,6 +3321,9 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"),
+ }
+ }
+ },
++ {
++ .ifnum = -1
++ },
+ }
+ }
+ },
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-074-dlm-fixed-memory-leaks-after-failed-ls_remove.patch b/patches.kernel.org/4.4.170-074-dlm-fixed-memory-leaks-after-failed-ls_remove.patch
new file mode 100644
index 0000000000..9e0f6342ce
--- /dev/null
+++ b/patches.kernel.org/4.4.170-074-dlm-fixed-memory-leaks-after-failed-ls_remove.patch
@@ -0,0 +1,46 @@
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 15 Nov 2018 13:15:05 +0300
+Subject: [PATCH] dlm: fixed memory leaks after failed ls_remove_names
+ allocation
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: b982896cdb6e6a6b89d86dfb39df489d9df51e14
+
+commit b982896cdb6e6a6b89d86dfb39df489d9df51e14 upstream.
+
+If allocation fails on last elements of array need to free already
+allocated elements.
+
+v2: just move existing out_rsbtbl label to right place
+
+Fixes 789924ba635f ("dlm: fix race between remove and lookup")
+Cc: stable@kernel.org # 3.6
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index f3e72787e7f9..30e4e01db35a 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -673,11 +673,11 @@ static int new_lockspace(const char *name, const char *cluster,
+ kfree(ls->ls_recover_buf);
+ out_lkbidr:
+ idr_destroy(&ls->ls_lkbidr);
++ out_rsbtbl:
+ for (i = 0; i < DLM_REMOVE_NAMES_MAX; i++) {
+ if (ls->ls_remove_names[i])
+ kfree(ls->ls_remove_names[i]);
+ }
+- out_rsbtbl:
+ vfree(ls->ls_rsbtbl);
+ out_lsfree:
+ if (do_unreg)
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-075-dlm-possible-memory-leak-on-error-path-in-cre.patch b/patches.kernel.org/4.4.170-075-dlm-possible-memory-leak-on-error-path-in-cre.patch
new file mode 100644
index 0000000000..f6a3f03dc8
--- /dev/null
+++ b/patches.kernel.org/4.4.170-075-dlm-possible-memory-leak-on-error-path-in-cre.patch
@@ -0,0 +1,35 @@
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 15 Nov 2018 13:18:18 +0300
+Subject: [PATCH] dlm: possible memory leak on error path in create_lkb()
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 23851e978f31eda8b2d01bd410d3026659ca06c7
+
+commit 23851e978f31eda8b2d01bd410d3026659ca06c7 upstream.
+
+Fixes 3d6aa675fff9 ("dlm: keep lkbs in idr")
+Cc: stable@kernel.org # 3.1
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/dlm/lock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
+index 35502d4046f5..1d404c832e33 100644
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -1210,6 +1210,7 @@ static int create_lkb(struct dlm_ls *ls, struct dlm_lkb **lkb_ret)
+
+ if (rv < 0) {
+ log_error(ls, "create_lkb idr error %d", rv);
++ dlm_free_lkb(lkb);
+ return rv;
+ }
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-076-dlm-lost-put_lkb-on-error-path-in-receive_con.patch b/patches.kernel.org/4.4.170-076-dlm-lost-put_lkb-on-error-path-in-receive_con.patch
new file mode 100644
index 0000000000..587a30980e
--- /dev/null
+++ b/patches.kernel.org/4.4.170-076-dlm-lost-put_lkb-on-error-path-in-receive_con.patch
@@ -0,0 +1,44 @@
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 15 Nov 2018 13:18:24 +0300
+Subject: [PATCH] dlm: lost put_lkb on error path in receive_convert() and
+ receive_unlock()
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: c0174726c3976e67da8649ac62cae43220ae173a
+
+commit c0174726c3976e67da8649ac62cae43220ae173a upstream.
+
+Fixes 6d40c4a708e0 ("dlm: improve error and debug messages")
+Cc: stable@kernel.org # 3.5
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/dlm/lock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
+index 1d404c832e33..1e6a3a391849 100644
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -4178,6 +4178,7 @@ static int receive_convert(struct dlm_ls *ls, struct dlm_message *ms)
+ (unsigned long long)lkb->lkb_recover_seq,
+ ms->m_header.h_nodeid, ms->m_lkid);
+ error = -ENOENT;
++ dlm_put_lkb(lkb);
+ goto fail;
+ }
+
+@@ -4231,6 +4232,7 @@ static int receive_unlock(struct dlm_ls *ls, struct dlm_message *ms)
+ lkb->lkb_id, lkb->lkb_remid,
+ ms->m_header.h_nodeid, ms->m_lkid);
+ error = -ENOENT;
++ dlm_put_lkb(lkb);
+ goto fail;
+ }
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-077-dlm-memory-leaks-on-error-path-in-dlm_user_re.patch b/patches.kernel.org/4.4.170-077-dlm-memory-leaks-on-error-path-in-dlm_user_re.patch
new file mode 100644
index 0000000000..5ea5b940ba
--- /dev/null
+++ b/patches.kernel.org/4.4.170-077-dlm-memory-leaks-on-error-path-in-dlm_user_re.patch
@@ -0,0 +1,61 @@
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 15 Nov 2018 13:18:56 +0300
+Subject: [PATCH] dlm: memory leaks on error path in dlm_user_request()
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: d47b41aceeadc6b58abc9c7c6485bef7cfb75636
+
+commit d47b41aceeadc6b58abc9c7c6485bef7cfb75636 upstream.
+
+According to comment in dlm_user_request() ua should be freed
+in dlm_free_lkb() after successful attach to lkb.
+
+However ua is attached to lkb not in set_lock_args() but later,
+inside request_lock().
+
+Fixes 597d0cae0f99 ("[DLM] dlm: user locks")
+Cc: stable@kernel.org # 2.6.19
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/dlm/lock.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
+index 1e6a3a391849..3a7f401e943c 100644
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -5795,20 +5795,20 @@ int dlm_user_request(struct dlm_ls *ls, struct dlm_user_args *ua,
+ goto out;
+ }
+ }
+-
+- /* After ua is attached to lkb it will be freed by dlm_free_lkb().
+- When DLM_IFL_USER is set, the dlm knows that this is a userspace
+- lock and that lkb_astparam is the dlm_user_args structure. */
+-
+ error = set_lock_args(mode, &ua->lksb, flags, namelen, timeout_cs,
+ fake_astfn, ua, fake_bastfn, &args);
+- lkb->lkb_flags |= DLM_IFL_USER;
+-
+ if (error) {
++ kfree(ua->lksb.sb_lvbptr);
++ ua->lksb.sb_lvbptr = NULL;
++ kfree(ua);
+ __put_lkb(ls, lkb);
+ goto out;
+ }
+
++ /* After ua is attached to lkb it will be freed by dlm_free_lkb().
++ When DLM_IFL_USER is set, the dlm knows that this is a userspace
++ lock and that lkb_astparam is the dlm_user_args structure. */
++ lkb->lkb_flags |= DLM_IFL_USER;
+ error = request_lock(ls, lkb, name, namelen, &args);
+
+ switch (error) {
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-078-gfs2-Fix-loop-in-gfs2_rbm_find.patch b/patches.kernel.org/4.4.170-078-gfs2-Fix-loop-in-gfs2_rbm_find.patch
new file mode 100644
index 0000000000..65175eba55
--- /dev/null
+++ b/patches.kernel.org/4.4.170-078-gfs2-Fix-loop-in-gfs2_rbm_find.patch
@@ -0,0 +1,42 @@
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Tue, 4 Dec 2018 15:06:27 +0100
+Subject: [PATCH] gfs2: Fix loop in gfs2_rbm_find
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 2d29f6b96d8f80322ed2dd895bca590491c38d34
+
+commit 2d29f6b96d8f80322ed2dd895bca590491c38d34 upstream.
+
+Fix the resource group wrap-around logic in gfs2_rbm_find that commit
+e579ed4f44 broke. The bug can lead to unnecessary repeated scanning of the
+same bitmaps; there is a risk that future changes will turn this into an
+endless loop.
+
+Fixes: e579ed4f44 ("GFS2: Introduce rbm field bii")
+Cc: stable@vger.kernel.org # v3.13+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/gfs2/rgrp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
+index ef24894edecc..763fe7737065 100644
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -1720,9 +1720,9 @@ static int gfs2_rbm_find(struct gfs2_rbm *rbm, u8 state, u32 *minext,
+ goto next_iter;
+ }
+ if (ret == -E2BIG) {
++ n += rbm->bii - initial_bii;
+ rbm->bii = 0;
+ rbm->offset = 0;
+- n += (rbm->bii - initial_bii);
+ goto res_covered_end_of_rgrp;
+ }
+ return ret;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-079-b43-Fix-error-in-cordic-routine.patch b/patches.kernel.org/4.4.170-079-b43-Fix-error-in-cordic-routine.patch
new file mode 100644
index 0000000000..2557b80ccf
--- /dev/null
+++ b/patches.kernel.org/4.4.170-079-b43-Fix-error-in-cordic-routine.patch
@@ -0,0 +1,48 @@
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Mon, 19 Nov 2018 20:01:24 +0200
+Subject: [PATCH] b43: Fix error in cordic routine
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 8ea3819c0bbef57a51d8abe579e211033e861677
+
+commit 8ea3819c0bbef57a51d8abe579e211033e861677 upstream.
+
+The cordic routine for calculating sines and cosines that was added in
+commit 6f98e62a9f1b ("b43: update cordic code to match current specs")
+contains an error whereby a quantity declared u32 can in fact go negative.
+
+This problem was detected by Priit Laes who is switching b43 to use the
+routine in the library functions of the kernel.
+
+Fixes: 986504540306 ("b43: make cordic common (LP-PHY and N-PHY need it)")
+Reported-by: Priit Laes <plaes@plaes.org>
+Cc: Rafał Miłecki <zajec5@gmail.com>
+Cc: Stable <stable@vger.kernel.org> # 2.6.34
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Priit Laes <plaes@plaes.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/wireless/b43/phy_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/b43/phy_common.c b/drivers/net/wireless/b43/phy_common.c
+index ec2b9c577b90..3644c9edaf81 100644
+--- a/drivers/net/wireless/b43/phy_common.c
++++ b/drivers/net/wireless/b43/phy_common.c
+@@ -616,7 +616,7 @@ struct b43_c32 b43_cordic(int theta)
+ u8 i;
+ s32 tmp;
+ s8 signx = 1;
+- u32 angle = 0;
++ s32 angle = 0;
+ struct b43_c32 ret = { .i = 39797, .q = 0, };
+
+ while (theta > (180 << 16))
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-080-9p-net-put-a-lower-bound-on-msize.patch b/patches.kernel.org/4.4.170-080-9p-net-put-a-lower-bound-on-msize.patch
new file mode 100644
index 0000000000..d444f6b239
--- /dev/null
+++ b/patches.kernel.org/4.4.170-080-9p-net-put-a-lower-bound-on-msize.patch
@@ -0,0 +1,86 @@
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Mon, 5 Nov 2018 09:52:48 +0100
+Subject: [PATCH] 9p/net: put a lower bound on msize
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: 574d356b7a02c7e1b01a1d9cba8a26b3c2888f45
+
+commit 574d356b7a02c7e1b01a1d9cba8a26b3c2888f45 upstream.
+
+If the requested msize is too small (either from command line argument
+or from the server version reply), we won't get any work done.
+If it's *really* too small, nothing will work, and this got caught by
+syzbot recently (on a new kmem_cache_create_usercopy() call)
+
+Just set a minimum msize to 4k in both code paths, until someone
+complains they have a use-case for a smaller msize.
+
+We need to check in both mount option and server reply individually
+because the msize for the first version request would be unchecked
+with just a global check on clnt->msize.
+
+Link: http://lkml.kernel.org/r/1541407968-31350-1-git-send-email-asmadeus@codewreck.org
+Reported-by: syzbot+0c1d61e4db7db94102ca@syzkaller.appspotmail.com
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Cc: Eric Van Hensbergen <ericvh@gmail.com>
+Cc: Latchesar Ionkov <lucho@ionkov.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/9p/client.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/net/9p/client.c b/net/9p/client.c
+index ed8738c4dc09..8fba9cd973c1 100644
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -156,6 +156,12 @@ static int parse_opts(char *opts, struct p9_client *clnt)
+ ret = r;
+ continue;
+ }
++ if (option < 4096) {
++ p9_debug(P9_DEBUG_ERROR,
++ "msize should be at least 4k\n");
++ ret = -EINVAL;
++ continue;
++ }
+ clnt->msize = option;
+ break;
+ case Opt_trans:
+@@ -972,10 +978,18 @@ static int p9_client_version(struct p9_client *c)
+ else if (!strncmp(version, "9P2000", 6))
+ c->proto_version = p9_proto_legacy;
+ else {
++ p9_debug(P9_DEBUG_ERROR,
++ "server returned an unknown version: %s\n", version);
+ err = -EREMOTEIO;
+ goto error;
+ }
+
++ if (msize < 4096) {
++ p9_debug(P9_DEBUG_ERROR,
++ "server returned a msize < 4096: %d\n", msize);
++ err = -EREMOTEIO;
++ goto error;
++ }
+ if (msize < c->msize)
+ c->msize = msize;
+
+@@ -1040,6 +1054,13 @@ struct p9_client *p9_client_create(const char *dev_name, char *options)
+ if (clnt->msize > clnt->trans_mod->maxsize)
+ clnt->msize = clnt->trans_mod->maxsize;
+
++ if (clnt->msize < 4096) {
++ p9_debug(P9_DEBUG_ERROR,
++ "Please specify a msize of at least 4k\n");
++ err = -EINVAL;
++ goto free_client;
++ }
++
+ err = p9_client_version(clnt);
+ if (err)
+ goto close_trans;
+--
+2.20.1
+
diff --git a/patches.drivers/iommu-vt-d-handle-domain-agaw-being-less-than-iommu-agaw b/patches.kernel.org/4.4.170-081-iommu-vt-d-Handle-domain-agaw-being-less-than.patch
index 5ea5bb81ef..42b1e88d82 100644
--- a/patches.drivers/iommu-vt-d-handle-domain-agaw-being-less-than-iommu-agaw
+++ b/patches.kernel.org/4.4.170-081-iommu-vt-d-Handle-domain-agaw-being-less-than.patch
@@ -1,9 +1,11 @@
From: Sohil Mehta <sohil.mehta@intel.com>
Date: Wed, 21 Nov 2018 15:29:33 -0800
-Subject: iommu/vt-d: Handle domain agaw being less than iommu agaw
+Subject: [PATCH] iommu/vt-d: Handle domain agaw being less than iommu agaw
+Patch-mainline: 4.4.170
+References: bnc#1012382 bsc#1106105
Git-commit: 3569dd07aaad71920c5ea4da2d5cc9a167c1ffd4
-Patch-mainline: v5.0-rc1
-References: bsc#1106105
+
+commit 3569dd07aaad71920c5ea4da2d5cc9a167c1ffd4 upstream.
The Intel IOMMU driver opportunistically skips a few top level page
tables from the domain paging directory while programming the IOMMU
@@ -29,15 +31,17 @@ Reported-by: Ramos Falcon, Ernesto R <ernesto.r.ramos.falcon@intel.com>
Tested-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Signed-off-by: Sohil Mehta <sohil.mehta@intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
drivers/iommu/intel-iommu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
-index f3ccf025108b..fdf79baf1d79 100644
+index 7feaa82f8c7c..8b4a4d95669a 100644
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
-@@ -2044,7 +2044,7 @@ static int domain_context_mapping_one(struct dmar_domain *domain,
+@@ -2041,7 +2041,7 @@ static int domain_context_mapping_one(struct dmar_domain *domain,
* than default. Unnecessary for PT mode.
*/
if (translation != CONTEXT_TT_PASS_THROUGH) {
@@ -46,7 +50,7 @@ index f3ccf025108b..fdf79baf1d79 100644
ret = -ENOMEM;
pgd = phys_to_virt(dma_pte_addr(pgd));
if (!dma_pte_present(pgd))
-@@ -2058,7 +2058,7 @@ static int domain_context_mapping_one(struct dmar_domain *domain,
+@@ -2055,7 +2055,7 @@ static int domain_context_mapping_one(struct dmar_domain *domain,
translation = CONTEXT_TT_MULTI_LEVEL;
context_set_address_root(context, virt_to_phys(pgd));
@@ -55,4 +59,6 @@ index f3ccf025108b..fdf79baf1d79 100644
} else {
/*
* In pass through mode, AW must be programmed to
+--
+2.20.1
diff --git a/patches.fixes/ceph-don-t-update-importing-cap-s-mseq-when-handing-cap-export.patch b/patches.kernel.org/4.4.170-082-ceph-don-t-update-importing-cap-s-mseq-when-h.patch
index 6d6a130efa..14884e1afa 100644
--- a/patches.fixes/ceph-don-t-update-importing-cap-s-mseq-when-handing-cap-export.patch
+++ b/patches.kernel.org/4.4.170-082-ceph-don-t-update-importing-cap-s-mseq-when-h.patch
@@ -1,9 +1,12 @@
From: "Yan, Zheng" <zyan@redhat.com>
Date: Thu, 29 Nov 2018 11:22:50 +0800
-Subject: ceph: don't update importing cap's mseq when handing cap export
+Subject: [PATCH] ceph: don't update importing cap's mseq when handing cap
+ export
+Patch-mainline: 4.4.170
+References: bnc#1012382 bsc#1121275
Git-commit: 3c1392d4c49962a31874af14ae9ff289cb2b3851
-Patch-mainline: v5.0-rc1
-References: bsc#1121275
+
+commit 3c1392d4c49962a31874af14ae9ff289cb2b3851 upstream.
Updating mseq makes client think importer mds has accepted all prior
cap messages and importer mds knows what caps client wants. Actually
@@ -15,16 +18,17 @@ reset by cap import message.
Cc: stable@vger.kernel.org
Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
-Acked-by: Luis Henriques <lhenriques@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
fs/ceph/caps.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
-index f3496db4bb3e..a58666a3f8dd 100644
+index 0e3de1bb6500..e7b54514d99a 100644
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
-@@ -3569,7 +3569,6 @@ static void handle_cap_export(struct inode *inode, struct ceph_mds_caps *ex,
+@@ -3243,7 +3243,6 @@ static void handle_cap_export(struct inode *inode, struct ceph_mds_caps *ex,
tcap->cap_id = t_cap_id;
tcap->seq = t_seq - 1;
tcap->issue_seq = t_seq - 1;
@@ -32,4 +36,6 @@ index f3496db4bb3e..a58666a3f8dd 100644
tcap->issued |= issued;
tcap->implemented |= issued;
if (cap == ci->i_auth_cap)
+--
+2.20.1
diff --git a/patches.kernel.org/4.4.170-083-genwqe-Fix-size-check.patch b/patches.kernel.org/4.4.170-083-genwqe-Fix-size-check.patch
new file mode 100644
index 0000000000..653d40ca2b
--- /dev/null
+++ b/patches.kernel.org/4.4.170-083-genwqe-Fix-size-check.patch
@@ -0,0 +1,70 @@
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Wed, 12 Dec 2018 14:45:18 +0100
+Subject: [PATCH] genwqe: Fix size check
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: fdd669684655c07dacbdb0d753fd13833de69a33
+
+commit fdd669684655c07dacbdb0d753fd13833de69a33 upstream.
+
+Calling the test program genwqe_cksum with the default buffer size of
+2MB triggers the following kernel warning on s390:
+
+WARNING: CPU: 30 PID: 9311 at mm/page_alloc.c:3189 __alloc_pages_nodemask+0x45c/0xbe0
+CPU: 30 PID: 9311 Comm: genwqe_cksum Kdump: loaded Not tainted 3.10.0-957.el7.s390x #1
+task: 00000005e5d13980 ti: 00000005e7c6c000 task.ti: 00000005e7c6c000
+Krnl PSW : 0704c00180000000 00000000002780ac (__alloc_pages_nodemask+0x45c/0xbe0)
+ R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3
+Krnl GPRS: 00000000002932b8 0000000000b73d7c 0000000000000010 0000000000000009
+ 0000000000000041 00000005e7c6f9b8 0000000000000001 00000000000080d0
+ 0000000000000000 0000000000b70500 0000000000000001 0000000000000000
+ 0000000000b70528 00000000007682c0 0000000000277df2 00000005e7c6f9a0
+Krnl Code: 000000000027809e: de7195001000 ed 1280(114,%r9),0(%r1)
+ 00000000002780a4: a774fead brc 7,277dfe
+ #00000000002780a8: a7f40001 brc 15,2780aa
+ >00000000002780ac: 92011000 mvi 0(%r1),1
+ 00000000002780b0: a7f4fea7 brc 15,277dfe
+ 00000000002780b4: 9101c6b6 tm 1718(%r12),1
+ 00000000002780b8: a784ff3a brc 8,277f2c
+ 00000000002780bc: a7f4fe2e brc 15,277d18
+Call Trace:
+([<0000000000277df2>] __alloc_pages_nodemask+0x1a2/0xbe0)
+ [<000000000013afae>] s390_dma_alloc+0xfe/0x310
+ [<000003ff8065f362>] __genwqe_alloc_consistent+0xfa/0x148 [genwqe_card]
+ [<000003ff80658f7a>] genwqe_mmap+0xca/0x248 [genwqe_card]
+ [<00000000002b2712>] mmap_region+0x4e2/0x778
+ [<00000000002b2c54>] do_mmap+0x2ac/0x3e0
+ [<0000000000292d7e>] vm_mmap_pgoff+0xd6/0x118
+ [<00000000002b081c>] SyS_mmap_pgoff+0xdc/0x268
+ [<00000000002b0a34>] SyS_old_mmap+0x8c/0xb0
+ [<000000000074e518>] sysc_tracego+0x14/0x1e
+ [<000003ffacf87dc6>] 0x3ffacf87dc6
+
+turns out the check in __genwqe_alloc_consistent uses "> MAX_ORDER"
+while the mm code uses ">= MAX_ORDER". Fix genwqe.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Frank Haverkamp <haver@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/misc/genwqe/card_utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/misc/genwqe/card_utils.c b/drivers/misc/genwqe/card_utils.c
+index 524660510599..0c15ba21fa54 100644
+--- a/drivers/misc/genwqe/card_utils.c
++++ b/drivers/misc/genwqe/card_utils.c
+@@ -217,7 +217,7 @@ u32 genwqe_crc32(u8 *buff, size_t len, u32 init)
+ void *__genwqe_alloc_consistent(struct genwqe_dev *cd, size_t size,
+ dma_addr_t *dma_handle)
+ {
+- if (get_order(size) > MAX_ORDER)
++ if (get_order(size) >= MAX_ORDER)
+ return NULL;
+
+ return dma_alloc_coherent(&cd->pci_dev->dev, size, dma_handle,
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-084-intel_th-msu-Fix-an-off-by-one-in-attribute-s.patch b/patches.kernel.org/4.4.170-084-intel_th-msu-Fix-an-off-by-one-in-attribute-s.patch
new file mode 100644
index 0000000000..5ab97df4ba
--- /dev/null
+++ b/patches.kernel.org/4.4.170-084-intel_th-msu-Fix-an-off-by-one-in-attribute-s.patch
@@ -0,0 +1,57 @@
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Wed, 19 Dec 2018 17:19:22 +0200
+Subject: [PATCH] intel_th: msu: Fix an off-by-one in attribute store
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: ec5b5ad6e272d8d6b92d1007f79574919862a2d2
+
+commit ec5b5ad6e272d8d6b92d1007f79574919862a2d2 upstream.
+
+The 'nr_pages' attribute of the 'msc' subdevices parses a comma-separated
+list of window sizes, passed from userspace. However, there is a bug in
+the string parsing logic wherein it doesn't exclude the comma character
+from the range of characters as it consumes them. This leads to an
+out-of-bounds access given a sufficiently long list. For example:
+
+> # echo 8,8,8,8 > /sys/bus/intel_th/devices/0-msc0/nr_pages
+> ==================================================================
+> BUG: KASAN: slab-out-of-bounds in memchr+0x1e/0x40
+> Read of size 1 at addr ffff8803ffcebcd1 by task sh/825
+>
+> CPU: 3 PID: 825 Comm: npktest.sh Tainted: G W 4.20.0-rc1+
+> Call Trace:
+> dump_stack+0x7c/0xc0
+> print_address_description+0x6c/0x23c
+> ? memchr+0x1e/0x40
+> kasan_report.cold.5+0x241/0x308
+> memchr+0x1e/0x40
+> nr_pages_store+0x203/0xd00 [intel_th_msu]
+
+Fix this by accounting for the comma character.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: ba82664c134ef ("intel_th: Add Memory Storage Unit driver")
+Cc: stable@vger.kernel.org # v4.4+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/hwtracing/intel_th/msu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hwtracing/intel_th/msu.c b/drivers/hwtracing/intel_th/msu.c
+index 70ca27e45602..9d9e47eb0842 100644
+--- a/drivers/hwtracing/intel_th/msu.c
++++ b/drivers/hwtracing/intel_th/msu.c
+@@ -1418,7 +1418,8 @@ nr_pages_store(struct device *dev, struct device_attribute *attr,
+ if (!end)
+ break;
+
+- len -= end - p;
++ /* consume the number and the following comma, hence +1 */
++ len -= end - p + 1;
+ p = end + 1;
+ } while (len);
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-085-power-supply-olpc_battery-correct-the-tempera.patch b/patches.kernel.org/4.4.170-085-power-supply-olpc_battery-correct-the-tempera.patch
new file mode 100644
index 0000000000..bee05dee49
--- /dev/null
+++ b/patches.kernel.org/4.4.170-085-power-supply-olpc_battery-correct-the-tempera.patch
@@ -0,0 +1,56 @@
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Fri, 16 Nov 2018 17:23:47 +0100
+Subject: [PATCH] power: supply: olpc_battery: correct the temperature units
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: ed54ffbe554f0902689fd6d1712bbacbacd11376
+
+commit ed54ffbe554f0902689fd6d1712bbacbacd11376 upstream.
+
+According to [1] and [2], the temperature values are in tenths of degree
+Celsius. Exposing the Celsius value makes the battery appear on fire:
+
+ $ upower -i /org/freedesktop/UPower/devices/battery_olpc_battery
+ ...
+ temperature: 236.9 degrees C
+
+Tested on OLPC XO-1 and OLPC XO-1.75 laptops.
+
+[1] include/linux/power_supply.h
+[2] Documentation/power/power_supply_class.txt
+
+Fixes: fb972873a767 ("[BATTERY] One Laptop Per Child power/battery driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/power/olpc_battery.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/power/olpc_battery.c b/drivers/power/olpc_battery.c
+index 9e29b1321648..15783869e1a0 100644
+--- a/drivers/power/olpc_battery.c
++++ b/drivers/power/olpc_battery.c
+@@ -427,14 +427,14 @@ static int olpc_bat_get_property(struct power_supply *psy,
+ if (ret)
+ return ret;
+
+- val->intval = (s16)be16_to_cpu(ec_word) * 100 / 256;
++ val->intval = (s16)be16_to_cpu(ec_word) * 10 / 256;
+ break;
+ case POWER_SUPPLY_PROP_TEMP_AMBIENT:
+ ret = olpc_ec_cmd(EC_AMB_TEMP, NULL, 0, (void *)&ec_word, 2);
+ if (ret)
+ return ret;
+
+- val->intval = (int)be16_to_cpu(ec_word) * 100 / 256;
++ val->intval = (int)be16_to_cpu(ec_word) * 10 / 256;
+ break;
+ case POWER_SUPPLY_PROP_CHARGE_COUNTER:
+ ret = olpc_ec_cmd(EC_BAT_ACR, NULL, 0, (void *)&ec_word, 2);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.170-086-Linux-4.4.170.patch b/patches.kernel.org/4.4.170-086-Linux-4.4.170.patch
new file mode 100644
index 0000000000..5c5018f9c9
--- /dev/null
+++ b/patches.kernel.org/4.4.170-086-Linux-4.4.170.patch
@@ -0,0 +1,27 @@
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sun, 13 Jan 2019 10:05:34 +0100
+Subject: [PATCH] Linux 4.4.170
+References: bnc#1012382
+Patch-mainline: 4.4.170
+Git-commit: b83b3fa78445387f351cef477a112e503d72b9f0
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 0d41b0626c0c..bc58f206c0da 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 169
++SUBLEVEL = 170
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+
+--
+2.20.1
+
diff --git a/patches.suse/0046-perf-tools-omit-unnecessary-cast-in-perf_pmu__parse_scale b/patches.suse/0046-perf-tools-omit-unnecessary-cast-in-perf_pmu__parse_scale
index 39475866e0..78522abe34 100644
--- a/patches.suse/0046-perf-tools-omit-unnecessary-cast-in-perf_pmu__parse_scale
+++ b/patches.suse/0046-perf-tools-omit-unnecessary-cast-in-perf_pmu__parse_scale
@@ -19,23 +19,21 @@ Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20160308184230.GB7897@krava.redhat.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
- tools/perf/util/pmu.c | 4 ++--
+ tools/perf/util/pmu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c
-index d8cd038baed2..adef23b1352e 100644
--- a/tools/perf/util/pmu.c
+++ b/tools/perf/util/pmu.c
-@@ -98,7 +98,7 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char *
+@@ -98,7 +98,7 @@ static int perf_pmu__parse_scale(struct
char scale[128];
int fd, ret = -1;
char path[PATH_MAX];
- const char *lc;
+ char *lc;
- snprintf(path, PATH_MAX, "%s/%s.scale", dir, name);
+ scnprintf(path, PATH_MAX, "%s/%s.scale", dir, name);
-@@ -146,7 +146,7 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char *
+@@ -146,7 +146,7 @@ static int perf_pmu__parse_scale(struct
/* restore locale */
setlocale(LC_NUMERIC, lc);
@@ -44,4 +42,3 @@ index d8cd038baed2..adef23b1352e 100644
ret = 0;
error:
-
diff --git a/patches.suse/0047-perf-pmu-factor-out-scale-conversion-code b/patches.suse/0047-perf-pmu-factor-out-scale-conversion-code
index 0f72b1728e..ffbf74e477 100644
--- a/patches.suse/0047-perf-pmu-factor-out-scale-conversion-code
+++ b/patches.suse/0047-perf-pmu-factor-out-scale-conversion-code
@@ -17,14 +17,12 @@ Link: http://lkml.kernel.org/r/20170103150833.6694-2-andi@firstfloor.org
[ Keep returning -ENOMEM when strdup() fails in perf_pmu__parse_scale()/convert_scale() ]
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
- tools/perf/util/pmu.c | 62 ++++++++++++++++++++++++++++-----------------------
+ tools/perf/util/pmu.c | 62 +++++++++++++++++++++++++++-----------------------
1 file changed, 34 insertions(+), 28 deletions(-)
-diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c
-index dc6ccaa4e927..78b16100567d 100644
--- a/tools/perf/util/pmu.c
+++ b/tools/perf/util/pmu.c
-@@ -94,32 +94,10 @@ static int pmu_format(const char *name, struct list_head *format)
+@@ -94,32 +94,10 @@ static int pmu_format(const char *name,
return 0;
}
@@ -38,7 +36,7 @@ index dc6ccaa4e927..78b16100567d 100644
- char path[PATH_MAX];
char *lc;
-
-- snprintf(path, PATH_MAX, "%s/%s.scale", dir, name);
+- scnprintf(path, PATH_MAX, "%s/%s.scale", dir, name);
-
- fd = open(path, O_RDONLY);
- if (fd == -1)
@@ -59,7 +57,7 @@ index dc6ccaa4e927..78b16100567d 100644
/*
* save current locale
-@@ -134,7 +112,7 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char *
+@@ -134,7 +112,7 @@ static int perf_pmu__parse_scale(struct
lc = strdup(lc);
if (!lc) {
ret = -ENOMEM;
@@ -68,7 +66,7 @@ index dc6ccaa4e927..78b16100567d 100644
}
/*
-@@ -144,14 +122,42 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char *
+@@ -144,14 +122,42 @@ static int perf_pmu__parse_scale(struct
*/
setlocale(LC_NUMERIC, "C");
@@ -91,7 +89,7 @@ index dc6ccaa4e927..78b16100567d 100644
+ int fd, ret = -1;
+ char path[PATH_MAX];
+
-+ snprintf(path, PATH_MAX, "%s/%s.scale", dir, name);
++ scnprintf(path, PATH_MAX, "%s/%s.scale", dir, name);
+
+ fd = open(path, O_RDONLY);
+ if (fd == -1)
@@ -114,4 +112,3 @@ index dc6ccaa4e927..78b16100567d 100644
error:
close(fd);
return ret;
-
diff --git a/patches.suse/mm-compaction-introduce-kcompactd.patch b/patches.suse/mm-compaction-introduce-kcompactd.patch
index 141f8fc6f7..41aab0fdeb 100644
--- a/patches.suse/mm-compaction-introduce-kcompactd.patch
+++ b/patches.suse/mm-compaction-introduce-kcompactd.patch
@@ -96,21 +96,19 @@ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Mel Gorman <mgorman@suse.de>
---
- include/linux/compaction.h | 16 +++
- include/linux/mmzone.h | 6 ++
- include/linux/vm_event_item.h | 1 +
- include/trace/events/compaction.h | 55 ++++++++++
- mm/compaction.c | 222 ++++++++++++++++++++++++++++++++++++++
- mm/memory_hotplug.c | 9 +-
- mm/page_alloc.c | 3 +
- mm/vmstat.c | 1 +
+ include/linux/compaction.h | 16 ++
+ include/linux/mmzone.h | 6 +
+ include/linux/vm_event_item.h | 1
+ include/trace/events/compaction.h | 55 +++++++++
+ mm/compaction.c | 222 ++++++++++++++++++++++++++++++++++++++
+ mm/memory_hotplug.c | 9 +
+ mm/page_alloc.c | 3
+ mm/vmstat.c | 1
8 files changed, 311 insertions(+), 2 deletions(-)
-diff --git a/include/linux/compaction.h b/include/linux/compaction.h
-index 4cd4ddf64cc7..d7c8de583a23 100644
--- a/include/linux/compaction.h
+++ b/include/linux/compaction.h
-@@ -52,6 +52,10 @@ extern void compaction_defer_reset(struct zone *zone, int order,
+@@ -52,6 +52,10 @@ extern void compaction_defer_reset(struc
bool alloc_success);
extern bool compaction_restarting(struct zone *zone, int order);
@@ -121,7 +119,7 @@ index 4cd4ddf64cc7..d7c8de583a23 100644
#else
static inline unsigned long try_to_compact_pages(gfp_t gfp_mask,
unsigned int order, int alloc_flags,
-@@ -84,6 +88,18 @@ static inline bool compaction_deferred(struct zone *zone, int order)
+@@ -84,6 +88,18 @@ static inline bool compaction_deferred(s
return true;
}
@@ -140,11 +138,9 @@ index 4cd4ddf64cc7..d7c8de583a23 100644
#endif /* CONFIG_COMPACTION */
#if defined(CONFIG_COMPACTION) && defined(CONFIG_SYSFS) && defined(CONFIG_NUMA)
-diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h
-index 5a2c3d3d824f..5b557150f83f 100644
--- a/include/linux/mmzone.h
+++ b/include/linux/mmzone.h
-@@ -674,6 +674,12 @@ typedef struct pglist_data {
+@@ -669,6 +669,12 @@ typedef struct pglist_data {
mem_hotplug_begin/end() */
int kswapd_max_order;
enum zone_type classzone_idx;
@@ -157,11 +153,9 @@ index 5a2c3d3d824f..5b557150f83f 100644
#ifdef CONFIG_NUMA_BALANCING
/* Lock serializing the migrate rate limiting window */
spinlock_t numabalancing_migrate_lock;
-diff --git a/include/linux/vm_event_item.h b/include/linux/vm_event_item.h
-index e623d392db0c..823a629f9033 100644
--- a/include/linux/vm_event_item.h
+++ b/include/linux/vm_event_item.h
-@@ -52,6 +52,7 @@ enum vm_event_item { PGPGIN, PGPGOUT, PSWPIN, PSWPOUT,
+@@ -53,6 +53,7 @@ enum vm_event_item { PGPGIN, PGPGOUT, PS
COMPACTMIGRATE_SCANNED, COMPACTFREE_SCANNED,
COMPACTISOLATED,
COMPACTSTALL, COMPACTFAIL, COMPACTSUCCESS,
@@ -169,11 +163,9 @@ index e623d392db0c..823a629f9033 100644
#endif
#ifdef CONFIG_HUGETLB_PAGE
HTLB_BUDDY_PGALLOC, HTLB_BUDDY_PGALLOC_FAIL,
-diff --git a/include/trace/events/compaction.h b/include/trace/events/compaction.h
-index c92d1e1cbad9..223450aeb49e 100644
--- a/include/trace/events/compaction.h
+++ b/include/trace/events/compaction.h
-@@ -350,6 +350,61 @@ DEFINE_EVENT(mm_compaction_defer_template, mm_compaction_defer_reset,
+@@ -350,6 +350,61 @@ DEFINE_EVENT(mm_compaction_defer_templat
);
#endif
@@ -235,8 +227,6 @@ index c92d1e1cbad9..223450aeb49e 100644
#endif /* _TRACE_COMPACTION_H */
/* This part must be outside protection */
-diff --git a/mm/compaction.c b/mm/compaction.c
-index 1ffc62a05d27..da34d4397f1f 100644
--- a/mm/compaction.c
+++ b/mm/compaction.c
@@ -7,6 +7,7 @@
@@ -256,7 +246,7 @@ index 1ffc62a05d27..da34d4397f1f 100644
#include "internal.h"
#ifdef CONFIG_COMPACTION
-@@ -1732,4 +1735,223 @@ void compaction_unregister_node(struct node *node)
+@@ -1721,4 +1724,223 @@ void compaction_unregister_node(struct n
}
#endif /* CONFIG_SYSFS && CONFIG_NUMA */
@@ -480,19 +470,17 @@ index 1ffc62a05d27..da34d4397f1f 100644
+subsys_initcall(kcompactd_init)
+
#endif /* CONFIG_COMPACTION */
-diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
-index 6c3c05849484..afca0da46d6b 100644
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
-@@ -32,6 +32,7 @@
+@@ -33,6 +33,7 @@
#include <linux/hugetlb.h>
#include <linux/memblock.h>
#include <linux/bootmem.h>
+#include <linux/compaction.h>
+ #include <linux/rmap.h>
#include <asm/tlbflush.h>
-
-@@ -1073,8 +1074,10 @@ int __ref online_pages(unsigned long pfn, unsigned long nr_pages, int online_typ
+@@ -1101,8 +1102,10 @@ int __ref online_pages(unsigned long pfn
init_per_zone_wmark_min();
@@ -504,7 +492,7 @@ index 6c3c05849484..afca0da46d6b 100644
vm_total_pages = nr_free_pagecache_pages();
-@@ -1838,8 +1841,10 @@ static int __ref __offline_pages(unsigned long start_pfn,
+@@ -1895,8 +1898,10 @@ repeat:
zone_pcp_update(zone);
node_states_clear_node(node, &arg);
@@ -516,11 +504,9 @@ index 6c3c05849484..afca0da46d6b 100644
vm_total_pages = nr_free_pagecache_pages();
writeback_set_ratelimit();
-diff --git a/mm/page_alloc.c b/mm/page_alloc.c
-index 33974cda62de..2a1031669034 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
-@@ -5282,6 +5282,9 @@ static void __paginginit free_area_init_core(struct pglist_data *pgdat)
+@@ -5737,6 +5737,9 @@ static void __paginginit free_area_init_
#endif
init_waitqueue_head(&pgdat->kswapd_wait);
init_waitqueue_head(&pgdat->pfmemalloc_wait);
@@ -530,11 +516,9 @@ index 33974cda62de..2a1031669034 100644
pgdat_page_ext_init(pgdat);
for (j = 0; j < MAX_NR_ZONES; j++) {
-diff --git a/mm/vmstat.c b/mm/vmstat.c
-index 88011eca5283..d267d426ce3b 100644
--- a/mm/vmstat.c
+++ b/mm/vmstat.c
-@@ -825,6 +825,7 @@ const char * const vmstat_text[] = {
+@@ -801,6 +801,7 @@ const char * const vmstat_text[] = {
"compact_stall",
"compact_fail",
"compact_success",
diff --git a/series.conf b/series.conf
index ebd8efad24..fe5f7bbdb1 100644
--- a/series.conf
+++ b/series.conf
@@ -5166,6 +5166,91 @@
patches.kernel.org/4.4.169-039-rtc-snvs-Add-timeouts-to-avoid-kernel-lockups.patch
patches.kernel.org/4.4.169-040-ALSA-isa-wavefront-prevent-some-out-of-bound-.patch
patches.kernel.org/4.4.169-041-Linux-4.4.169.patch
+ patches.kernel.org/4.4.170-001-USB-hso-Fix-OOB-memory-access-in-hso_probe-hs.patch
+ patches.kernel.org/4.4.170-002-xhci-Don-t-prevent-USB2-bus-suspend-in-state-.patch
+ patches.kernel.org/4.4.170-003-USB-serial-option-add-GosunCn-ZTE-WeLink-ME36.patch
+ patches.kernel.org/4.4.170-004-USB-serial-option-add-HP-lt4132.patch
+ patches.kernel.org/4.4.170-005-USB-serial-option-add-Simcom-SIM7500-SIM7600-.patch
+ patches.kernel.org/4.4.170-006-USB-serial-option-add-Fibocom-NL668-series.patch
+ patches.kernel.org/4.4.170-007-USB-serial-option-add-Telit-LN940-series.patch
+ patches.kernel.org/4.4.170-008-mmc-core-Reset-HPI-enabled-state-during-re-in.patch
+ patches.kernel.org/4.4.170-009-mmc-omap_hsmmc-fix-DMA-API-warning.patch
+ patches.kernel.org/4.4.170-010-gpio-max7301-fix-driver-for-use-with-CONFIG_V.patch
+ patches.kernel.org/4.4.170-011-Drivers-hv-vmbus-Return-EINVAL-for-the-sys-fi.patch
+ patches.kernel.org/4.4.170-012-x86-mtrr-Don-t-copy-uninitialized-gentry-fiel.patch
+ patches.kernel.org/4.4.170-013-drm-ioctl-Fix-Spectre-v1-vulnerabilities.patch
+ patches.kernel.org/4.4.170-014-ip6mr-Fix-potential-Spectre-v1-vulnerability.patch
+ patches.kernel.org/4.4.170-015-ipv4-Fix-potential-Spectre-v1-vulnerability.patch
+ patches.kernel.org/4.4.170-016-ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch
+ patches.kernel.org/4.4.170-017-ibmveth-fix-DMA-unmap-error-in-ibmveth_xmit_s.patch
+ patches.kernel.org/4.4.170-018-ieee802154-lowpan_header_create-check-must-ch.patch
+ patches.kernel.org/4.4.170-019-ipv6-explicitly-initialize-udp6_addr-in-udp_s.patch
+ patches.kernel.org/4.4.170-020-isdn-fix-kernel-infoleak-in-capi_unlocked_ioc.patch
+ patches.kernel.org/4.4.170-021-netrom-fix-locking-in-nr_find_socket.patch
+ patches.kernel.org/4.4.170-022-packet-validate-address-length.patch
+ patches.kernel.org/4.4.170-023-packet-validate-address-length-if-non-zero.patch
+ patches.kernel.org/4.4.170-024-sctp-initialize-sin6_flowinfo-for-ipv6-addrs-.patch
+ patches.kernel.org/4.4.170-025-vhost-make-sure-used-idx-is-seen-before-log-i.patch
+ patches.kernel.org/4.4.170-026-VSOCK-Send-reset-control-packet-when-socket-i.patch
+ patches.kernel.org/4.4.170-027-xen-netfront-tolerate-frags-with-no-data.patch
+ patches.kernel.org/4.4.170-028-gro_cell-add-napi_disable-in-gro_cells_destro.patch
+ patches.kernel.org/4.4.170-029-sock-Make-sock-sk_stamp-thread-safe.patch
+ patches.kernel.org/4.4.170-030-ALSA-rme9652-Fix-potential-Spectre-v1-vulnera.patch
+ patches.kernel.org/4.4.170-031-ALSA-emu10k1-Fix-potential-Spectre-v1-vulnera.patch
+ patches.kernel.org/4.4.170-032-ALSA-pcm-Fix-potential-Spectre-v1-vulnerabili.patch
+ patches.kernel.org/4.4.170-033-ALSA-emux-Fix-potential-Spectre-v1-vulnerabil.patch
+ patches.kernel.org/4.4.170-034-ALSA-hda-add-mute-LED-support-for-HP-EliteBoo.patch
+ patches.kernel.org/4.4.170-035-ALSA-hda-tegra-clear-pending-irq-handlers.patch
+ patches.kernel.org/4.4.170-036-USB-serial-pl2303-add-ids-for-Hewlett-Packard.patch
+ patches.kernel.org/4.4.170-037-USB-serial-option-add-Fibocom-NL678-series.patch
+ patches.kernel.org/4.4.170-038-usb-r8a66597-Fix-a-possible-concurrency-use-a.patch
+ patches.kernel.org/4.4.170-039-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-AS.patch
+ patches.kernel.org/4.4.170-040-KVM-x86-Use-jmp-to-invoke-kvm_spurious_fault-.patch
+ patches.kernel.org/4.4.170-041-perf-pmu-Suppress-potential-format-truncation.patch
+ patches.kernel.org/4.4.170-042-ext4-fix-possible-use-after-free-in-ext4_quot.patch
+ patches.kernel.org/4.4.170-043-ext4-missing-unlock-put_page-in-ext4_try_to_w.patch
+ patches.kernel.org/4.4.170-044-ext4-fix-EXT4_IOC_GROUP_ADD-ioctl.patch
+ patches.kernel.org/4.4.170-045-ext4-force-inode-writes-when-nfsd-calls-commi.patch
+ patches.kernel.org/4.4.170-046-spi-bcm2835-Fix-race-on-DMA-termination.patch
+ patches.kernel.org/4.4.170-047-spi-bcm2835-Fix-book-keeping-of-DMA-terminati.patch
+ patches.kernel.org/4.4.170-048-spi-bcm2835-Avoid-finishing-transfer-prematur.patch
+ patches.kernel.org/4.4.170-049-cdc-acm-fix-abnormal-DATA-RX-issue-for-Mediat.patch
+ patches.kernel.org/4.4.170-050-media-vivid-free-bitmap_cap-when-updating-std.patch
+ patches.kernel.org/4.4.170-051-MIPS-Ensure-pmd_present-returns-false-after-p.patch
+ patches.kernel.org/4.4.170-052-MIPS-Align-kernel-load-address-to-64KB.patch
+ patches.kernel.org/4.4.170-053-CIFS-Fix-error-mapping-for-SMB2_LOCK-command-.patch
+ patches.kernel.org/4.4.170-054-x86-kvm-vmx-do-not-use-vm-exit-instruction-le.patch
+ patches.kernel.org/4.4.170-055-spi-bcm2835-Unbreak-the-build-of-esoteric-con.patch
+ patches.kernel.org/4.4.170-056-powerpc-Fix-COFF-zImage-booting-on-old-powerm.patch
+ patches.kernel.org/4.4.170-057-ARM-imx-update-the-cpu-power-up-timing-settin.patch
+ patches.kernel.org/4.4.170-058-Input-restore-EV_ABS-ABS_RESERVED.patch
+ patches.kernel.org/4.4.170-059-checkstack.pl-fix-for-aarch64.patch
+ patches.kernel.org/4.4.170-060-xfrm-Fix-bucket-count-reported-to-userspace.patch
+ patches.kernel.org/4.4.170-061-scsi-bnx2fc-Fix-NULL-dereference-in-error-han.patch
+ patches.kernel.org/4.4.170-062-Input-omap-keypad-fix-idle-configuration-to-n.patch
+ patches.kernel.org/4.4.170-063-scsi-zfcp-fix-posting-too-many-status-read-bu.patch
+ patches.kernel.org/4.4.170-064-fork-record-start_time-late.patch
+ patches.kernel.org/4.4.170-065-hwpoison-memory_hotplug-allow-hwpoisoned-page.patch
+ patches.kernel.org/4.4.170-067-mm-devm_memremap_pages-kill-mapping-System-RA.patch
+ patches.kernel.org/4.4.170-068-sunrpc-fix-cache_head-leak-due-to-queued-requ.patch
+ patches.kernel.org/4.4.170-069-sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch
+ patches.kernel.org/4.4.170-070-crypto-x86-chacha20-avoid-sleeping-with-preem.patch
+ patches.kernel.org/4.4.170-071-ALSA-cs46xx-Potential-NULL-dereference-in-pro.patch
+ patches.kernel.org/4.4.170-072-ALSA-usb-audio-Avoid-access-before-bLength-ch.patch
+ patches.kernel.org/4.4.170-073-ALSA-usb-audio-Fix-an-out-of-bound-read-in-cr.patch
+ patches.kernel.org/4.4.170-074-dlm-fixed-memory-leaks-after-failed-ls_remove.patch
+ patches.kernel.org/4.4.170-075-dlm-possible-memory-leak-on-error-path-in-cre.patch
+ patches.kernel.org/4.4.170-076-dlm-lost-put_lkb-on-error-path-in-receive_con.patch
+ patches.kernel.org/4.4.170-077-dlm-memory-leaks-on-error-path-in-dlm_user_re.patch
+ patches.kernel.org/4.4.170-078-gfs2-Fix-loop-in-gfs2_rbm_find.patch
+ patches.kernel.org/4.4.170-079-b43-Fix-error-in-cordic-routine.patch
+ patches.kernel.org/4.4.170-080-9p-net-put-a-lower-bound-on-msize.patch
+ patches.kernel.org/4.4.170-081-iommu-vt-d-Handle-domain-agaw-being-less-than.patch
+ patches.kernel.org/4.4.170-082-ceph-don-t-update-importing-cap-s-mseq-when-h.patch
+ patches.kernel.org/4.4.170-083-genwqe-Fix-size-check.patch
+ patches.kernel.org/4.4.170-084-intel_th-msu-Fix-an-off-by-one-in-attribute-s.patch
+ patches.kernel.org/4.4.170-085-power-supply-olpc_battery-correct-the-tempera.patch
+ patches.kernel.org/4.4.170-086-Linux-4.4.170.patch
########################################################
# Build fixes that apply to the vanilla kernel too.
@@ -22843,7 +22928,6 @@
patches.drivers/ibmvnic-Remove-skb-protocol-checks-in-ibmvnic_xmit.patch
patches.fixes/0001-seq_file-fix-incomplete-reset-on-read-from-zero-offs.patch
patches.drivers/0004-KVM-arm-arm64-Handle-CPU_PM_ENTER_FAILED.patch
- patches.fixes/x86-kvm-vmx-do-not-use-vm-exit-instruction-length-fo.patch
patches.arch/KVM-PPC-Book3S-PR-Fix-svcpu-copying-with-preemption-.patch
patches.drivers/0040-bcache-add-journal-statistic.patch
patches.drivers/0041-bcache-fix-high-CPU-occupancy-during-journal.patch
@@ -23762,7 +23846,6 @@
patches.drivers/IB-hfi1-Fix-an-out-of-bounds-access-in-get_hw_stats.patch
patches.arch/ibmvnic-Convert-reset-work-item-mutex-to-spin-lock.patch
patches.arch/ibmvnic-Fix-non-atomic-memory-allocation-in-IRQ-cont.patch
- patches.drivers/USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch
patches.fixes/net-ipv4-do-not-handle-duplicate-fragments-as-overla.patch
patches.fixes/0001-drm-rcar-du-Fix-vblank-initialization.patch
patches.fixes/0001-drm-rcar-du-Fix-external-clock-error-checks.patch
@@ -23770,9 +23853,7 @@
patches.fixes/scsi-target-add-emulate_pr-backstore-attr-to-toggle-.patch
patches.fixes/scsi-target-drop-unused-pi_prot_format-attribute-sto.patch
patches.drivers/revert-iommu-io-pgtable-arm-check-for-v7s-incapable-systems
- patches.drivers/iommu-vt-d-handle-domain-agaw-being-less-than-iommu-agaw
patches.drivers/iommu-amd-fix-amd_iommu-force_isolation
- patches.fixes/ceph-don-t-update-importing-cap-s-mseq-when-handing-cap-export.patch
patches.fixes/0001-fbdev-fbmem-behave-better-with-small-rotated-display.patch
patches.fixes/0001-fbdev-fbcon-Fix-unregister-crash-when-more-than-one-.patch
@@ -24051,7 +24132,6 @@
patches.fixes/0005-mm-memory_hotplug-be-more-verbose-for-memory-offline.patch
patches.fixes/mm-put_and_wait_on_page_locked-while-page-is-migrated.patch
- patches.fixes/0001-hwpoison-memory_hotplug-allow-hwpoisoned-pages-to-be.patch
patches.kabi/0001-hwpoison-memory_hotplug-allow-hwpoisoned-pages-to-be-kabi.patch
# bsc#1119204
@@ -24402,7 +24482,6 @@
patches.fixes/nfs-direct-write-fix.patch
patches.kabi/0008-pnfs-set-NFS_IOHDR_REDO-in-pnfs_read_resend_pnfs.patch
patches.kabi/0001-NFS-Ensure-we-commit-after-writeback-is-complete.kabi
- patches.fixes/sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch
patches.fixes/sunrpc-use-after-free-in-svc_process_common.patch
patches.kabi/sunrpc-use-after-free-in-svc_process_common.patch