Home Home > GIT Browse > SLE12-SP3-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKernel Build Daemon <kbuild@suse.de>2019-02-22 07:01:08 +0100
committerKernel Build Daemon <kbuild@suse.de>2019-02-22 07:01:08 +0100
commit23a9ccb5cae9f391afe8f418681bd01809802537 (patch)
treea9e5515c90a31d59817cc6800845f4131f8ae22f
parent7e31bdd77345b8eda56d5a7828744ec5d5014d7a (diff)
parent047a6d3830bd9a82ac9e3255f163d70303839117 (diff)
Merge branch 'SLE12-SP3' into SLE12-SP3-AZURESLE12-SP3-AZURE
-rw-r--r--patches.arch/0015-x86-platform-uv-add-obtaining-gam-range-table-from-uv-bios21
-rw-r--r--patches.arch/arm64-bsc1031492-0077-KVM-arm-arm64-Move-shared-files-to-virt-kvm-arm.patch36
-rw-r--r--patches.drivers/0088-fs-have-submit_bh-users-pass-in-op-and-flags-separat.patch245
-rw-r--r--patches.drivers/RDMA-bnxt_re-Synchronize-destroy_qp-with-poll_cq.patch190
-rw-r--r--patches.drivers/bnxt_re-Fix-couple-of-memory-leaks-that-could-lead-t.patch44
-rw-r--r--patches.drivers/dm-thin-fix-a-race-condition-between-discarding-and-.patch39
-rw-r--r--patches.drivers/treewide-replace-dev-trans_start-update-with-helper.patch64
-rw-r--r--patches.fixes/0001-KVM-VMX-Fix-x2apic-check-in-vmx_msr_bitmap_mode.patch51
-rw-r--r--patches.fixes/0001-KVM-VMX-Missing-part-of-upstream-commit-904e14fb7cb9.patch36
-rw-r--r--patches.kabi/kabi-protect-kfifo-include-in-hid-debug.patch42
-rw-r--r--patches.kabi/kabi-protect-struct-hda_bus.patch30
-rw-r--r--patches.kabi/revert-most-of-4.4.174.patch332
-rw-r--r--patches.kernel.org/4.4.175-001-drm-bufs-Fix-Spectre-v1-vulnerability.patch58
-rw-r--r--patches.kernel.org/4.4.175-002-staging-iio-adc-ad7280a-handle-error-from-__a.patch74
-rw-r--r--patches.kernel.org/4.4.175-003-ASoC-Intel-mrfld-fix-uninitialized-variable-a.patch57
-rw-r--r--patches.kernel.org/4.4.175-004-scsi-lpfc-Correct-LCB-RJT-handling.patch40
-rw-r--r--patches.kernel.org/4.4.175-005-ARM-8808-1-kexec-offline-panic_smp_self_stop-.patch66
-rw-r--r--patches.kernel.org/4.4.175-006-dlm-Don-t-swamp-the-CPU-with-callbacks-queued.patch64
-rw-r--r--patches.kernel.org/4.4.175-007-x86-PCI-Fix-Broadcom-CNB20LE-unintended-sign-.patch46
-rw-r--r--patches.kernel.org/4.4.175-008-powerpc-pseries-add-of_node_put-in-dlpar_deta.patch48
-rw-r--r--patches.kernel.org/4.4.175-009-serial-fsl_lpuart-clear-parity-enable-bit-whe.patch53
-rw-r--r--patches.kernel.org/4.4.175-010-ptp-check-gettime64-return-code-in-PTP_SYS_OF.patch48
-rw-r--r--patches.kernel.org/4.4.175-011-staging-iio-ad2s90-Make-probe-handle-spi_setu.patch49
-rw-r--r--patches.kernel.org/4.4.175-012-staging-iio-ad7780-update-voltage-on-read.patch47
-rw-r--r--patches.kernel.org/4.4.175-013-ARM-OMAP2-hwmod-Fix-some-section-annotations.patch79
-rw-r--r--patches.kernel.org/4.4.175-014-modpost-validate-symbol-names-also-in-find_el.patch105
-rw-r--r--patches.kernel.org/4.4.175-015-perf-tools-Add-Hygon-Dhyana-support.patch45
-rw-r--r--patches.kernel.org/4.4.175-016-soc-tegra-Don-t-leak-device-tree-node-referen.patch47
-rw-r--r--patches.kernel.org/4.4.175-017-f2fs-move-dir-data-flush-to-write-checkpoint-.patch51
-rw-r--r--patches.kernel.org/4.4.175-018-f2fs-fix-wrong-return-value-of-f2fs_acl_creat.patch64
-rw-r--r--patches.kernel.org/4.4.175-019-sunvdc-Do-not-spin-in-an-infinite-loop-when-v.patch57
-rw-r--r--patches.kernel.org/4.4.175-020-nfsd4-fix-crash-on-writing-v4_end_grace-befor.patch43
-rw-r--r--patches.kernel.org/4.4.175-021-arm64-ftrace-don-t-adjust-the-LR-value.patch56
-rw-r--r--patches.kernel.org/4.4.175-022-ARM-dts-mmp2-fix-TWSI2.patch59
-rw-r--r--patches.kernel.org/4.4.175-023-x86-fpu-Add-might_fault-to-user_insn.patch57
-rw-r--r--patches.kernel.org/4.4.175-024-media-DaVinci-VPBE-fix-error-handling-in-vpbe.patch58
-rw-r--r--patches.kernel.org/4.4.175-025-smack-fix-access-permissions-for-keyring.patch69
-rw-r--r--patches.kernel.org/4.4.175-026-usb-hub-delay-hub-autosuspend-if-USB3-port-is.patch53
-rw-r--r--patches.kernel.org/4.4.175-027-timekeeping-Use-proper-seqcount-initializer.patch48
-rw-r--r--patches.kernel.org/4.4.175-028-ARM-dts-Fix-OMAP4430-SDP-Ethernet-startup.patch68
-rw-r--r--patches.kernel.org/4.4.175-029-mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch50
-rw-r--r--patches.kernel.org/4.4.175-030-iommu-arm-smmu-v3-Use-explicit-mb-when-moving.patch51
-rw-r--r--patches.kernel.org/4.4.175-031-sata_rcar-fix-deferred-probing.patch44
-rw-r--r--patches.kernel.org/4.4.175-032-clk-imx6sl-ensure-MMDC-CH0-handshake-is-bypas.patch49
-rw-r--r--patches.kernel.org/4.4.175-033-cpuidle-big.LITTLE-fix-refcount-leak.patch50
-rw-r--r--patches.kernel.org/4.4.175-034-i2c-axxia-check-for-error-conditions-first.patch88
-rw-r--r--patches.kernel.org/4.4.175-035-udf-Fix-BUG-on-corrupted-inode.patch41
-rw-r--r--patches.kernel.org/4.4.175-036-ARM-pxa-avoid-section-mismatch-warning.patch79
-rw-r--r--patches.kernel.org/4.4.175-037-ASoC-fsl-Fix-SND_SOC_EUKREA_TLV320-build-erro.patch48
-rw-r--r--patches.kernel.org/4.4.175-038-memstick-Prevent-memstick-host-from-getting-r.patch60
-rw-r--r--patches.kernel.org/4.4.175-039-tty-serial-samsung-Properly-set-flags-in-auto.patch48
-rw-r--r--patches.kernel.org/4.4.175-040-arm64-KVM-Skip-MMIO-insn-after-emulation.patch66
-rw-r--r--patches.kernel.org/4.4.175-041-powerpc-uaccess-fix-warning-error-with-access.patch48
-rw-r--r--patches.kernel.org/4.4.175-042-mac80211-fix-radiotap-vendor-presence-bitmap-.patch53
-rw-r--r--patches.kernel.org/4.4.175-043-xfrm6_tunnel-Fix-spi-check-in-__xfrm6_tunnel_.patch42
-rw-r--r--patches.kernel.org/4.4.175-044-Bluetooth-Fix-unnecessary-error-message-for-H.patch47
-rw-r--r--patches.kernel.org/4.4.175-045-cw1200-Fix-concurrency-use-after-free-bugs-in.patch85
-rw-r--r--patches.kernel.org/4.4.175-046-drbd-narrow-rcu_read_lock-in-drbd_sync_handsh.patch85
-rw-r--r--patches.kernel.org/4.4.175-047-drbd-disconnect-if-the-wrong-UUIDs-are-attach.patch50
-rw-r--r--patches.kernel.org/4.4.175-048-drbd-skip-spurious-timeout-ping-timeo-when-fa.patch63
-rw-r--r--patches.kernel.org/4.4.175-049-drbd-Avoid-Clang-warning-about-pointless-swit.patch75
-rw-r--r--patches.kernel.org/4.4.175-050-video-clps711x-fb-release-disp-device-node-in.patch50
-rw-r--r--patches.kernel.org/4.4.175-051-fbdev-fbmem-behave-better-with-small-rotated-.patch (renamed from patches.fixes/0001-fbdev-fbmem-behave-better-with-small-rotated-display.patch)19
-rw-r--r--patches.kernel.org/4.4.175-052-igb-Fix-an-issue-that-PME-is-not-enabled-duri.patch52
-rw-r--r--patches.kernel.org/4.4.175-053-fbdev-fbcon-Fix-unregister-crash-when-more-th.patch (renamed from patches.fixes/0001-fbdev-fbcon-Fix-unregister-crash-when-more-than-one-.patch)20
-rw-r--r--patches.kernel.org/4.4.175-054-KVM-x86-svm-report-MSR_IA32_MCG_EXT_CTL-as-un.patch48
-rw-r--r--patches.kernel.org/4.4.175-055-NFS-nfs_compare_mount_options-always-compare-.patch58
-rw-r--r--patches.kernel.org/4.4.175-056-hwmon-lm80-fix-a-missing-check-of-the-status-.patch61
-rw-r--r--patches.kernel.org/4.4.175-057-hwmon-lm80-fix-a-missing-check-of-bus-read-in.patch56
-rw-r--r--patches.kernel.org/4.4.175-058-seq_buf-Make-seq_buf_puts-null-terminate-the-.patch72
-rw-r--r--patches.kernel.org/4.4.175-059-crypto-ux500-Use-proper-enum-in-cryp_set_dma_.patch65
-rw-r--r--patches.kernel.org/4.4.175-060-crypto-ux500-Use-proper-enum-in-hash_set_dma_.patch50
-rw-r--r--patches.kernel.org/4.4.175-061-cifs-check-ntwrk_buf_start-for-NULL-before-de.patch51
-rw-r--r--patches.kernel.org/4.4.175-062-um-Avoid-marking-pages-with-changed-protectio.patch59
-rw-r--r--patches.kernel.org/4.4.175-063-niu-fix-missing-checks-of-niu_pci_eeprom_read.patch52
-rw-r--r--patches.kernel.org/4.4.175-064-scripts-decode_stacktrace-only-strip-base-pat.patch51
-rw-r--r--patches.kernel.org/4.4.175-065-ocfs2-don-t-clear-bh-uptodate-for-block-read.patch71
-rw-r--r--patches.kernel.org/4.4.175-066-isdn-hisax-hfc_pci-Fix-a-possible-concurrency.patch56
-rw-r--r--patches.kernel.org/4.4.175-067-gdrom-fix-a-memory-leak-bug.patch42
-rw-r--r--patches.kernel.org/4.4.175-068-block-swim3-Fix-EBUSY-error-when-re-opening-d.patch (renamed from patches.suse/0001-block-swim3-Fix-EBUSY-error-when-re-opening-device-a.patch)16
-rw-r--r--patches.kernel.org/4.4.175-069-HID-lenovo-Add-checks-to-fix-of_led_classdev_.patch51
-rw-r--r--patches.kernel.org/4.4.175-070-kernel-hung_task.c-break-RCU-locks-based-on-j.patch72
-rw-r--r--patches.kernel.org/4.4.175-071-fs-epoll-drop-ovflist-branch-prediction.patch58
-rw-r--r--patches.kernel.org/4.4.175-072-exec-load_script-don-t-blindly-truncate-sheba.patch57
-rw-r--r--patches.kernel.org/4.4.175-073-thermal-hwmon-inline-helpers-when-CONFIG_THER.patch49
-rw-r--r--patches.kernel.org/4.4.175-074-test_hexdump-use-memcpy-instead-of-strncpy.patch43
-rw-r--r--patches.kernel.org/4.4.175-075-tipc-use-destination-length-for-copy-string.patch48
-rw-r--r--patches.kernel.org/4.4.175-076-string-drop-__must_check-from-strscpy-and-res.patch (renamed from patches.fixes/string-drop-__must_check-from-strscpy-and-restore-st.patch)33
-rw-r--r--patches.kernel.org/4.4.175-077-dccp-fool-proof-ccid_hc_-rt-x_parse_options.patch112
-rw-r--r--patches.kernel.org/4.4.175-078-enic-fix-checksum-validation-for-IPv6.patch36
-rw-r--r--patches.kernel.org/4.4.175-079-net-dp83640-expire-old-TX-skb.patch89
-rw-r--r--patches.kernel.org/4.4.175-080-skge-potential-memory-corruption-in-skge_get_.patch43
-rw-r--r--patches.kernel.org/4.4.175-081-net-systemport-Fix-WoL-with-password-after-de.patch112
-rw-r--r--patches.kernel.org/4.4.175-082-net-dsa-slave-Don-t-propagate-flag-changes-on.patch60
-rw-r--r--patches.kernel.org/4.4.175-083-ALSA-compress-Fix-stop-handling-on-compressed.patch57
-rw-r--r--patches.kernel.org/4.4.175-084-ALSA-hda-Serialize-codec-registrations.patch79
-rw-r--r--patches.kernel.org/4.4.175-085-fuse-call-pipe_buf_release-under-pipe-lock.patch48
-rw-r--r--patches.kernel.org/4.4.175-086-fuse-decrement-NR_WRITEBACK_TEMP-on-the-right.patch37
-rw-r--r--patches.kernel.org/4.4.175-087-fuse-handle-zero-sized-retrieve-correctly.patch45
-rw-r--r--patches.kernel.org/4.4.175-088-dmaengine-imx-dma-fix-wrong-callback-invoke.patch69
-rw-r--r--patches.kernel.org/4.4.175-089-usb-phy-am335x-fix-race-condition-in-_probe.patch50
-rw-r--r--patches.kernel.org/4.4.175-090-usb-gadget-udc-net2272-Fix-bitwise-and-boolea.patch48
-rw-r--r--patches.kernel.org/4.4.175-091-KVM-x86-work-around-leak-of-uninitialized-sta.patch (renamed from patches.arch/kvm-x86-work-around-leak-of-uninitialized-stack-contents-cve-2019-7222)20
-rw-r--r--patches.kernel.org/4.4.175-092-KVM-nVMX-unconditionally-cancel-preemption-ti.patch (renamed from patches.arch/kvm-nvmx-unconditionally-cancel-preemption-timer-in-free_nested-cve-2019-7221)22
-rw-r--r--patches.kernel.org/4.4.175-093-perf-x86-intel-uncore-Add-Node-ID-mask.patch68
-rw-r--r--patches.kernel.org/4.4.175-094-x86-MCE-Initialize-mce.bank-in-the-case-of-a-.patch57
-rw-r--r--patches.kernel.org/4.4.175-095-perf-core-Don-t-WARN-for-impossible-ring-buff.patch60
-rw-r--r--patches.kernel.org/4.4.175-096-perf-tests-evsel-tp-sched-Fix-bitwise-operato.patch48
-rw-r--r--patches.kernel.org/4.4.175-097-mtd-rawnand-gpmi-fix-MX28-bus-master-lockup-p.patch91
-rw-r--r--patches.kernel.org/4.4.175-098-signal-Always-notice-exiting-tasks.patch70
-rw-r--r--patches.kernel.org/4.4.175-099-signal-Better-detection-of-synchronous-signal.patch121
-rw-r--r--patches.kernel.org/4.4.175-100-misc-vexpress-Off-by-one-in-vexpress_syscfg_e.patch40
-rw-r--r--patches.kernel.org/4.4.175-101-debugfs-fix-debugfs_rename-parameter-checking.patch44
-rw-r--r--patches.kernel.org/4.4.175-102-mips-cm-reprime-error-cause.patch47
-rw-r--r--patches.kernel.org/4.4.175-103-MIPS-OCTEON-don-t-set-octeon_dma_bar_type-if-.patch55
-rw-r--r--patches.kernel.org/4.4.175-104-MIPS-VDSO-Include-ccflags-vdso-in-o32-n32-.ld.patch67
-rw-r--r--patches.kernel.org/4.4.175-105-ARM-iop32x-n2100-fix-PCI-IRQ-mapping.patch38
-rw-r--r--patches.kernel.org/4.4.175-106-mac80211-ensure-that-mgmt-tx-skbs-have-tailro.patch63
-rw-r--r--patches.kernel.org/4.4.175-107-drm-modes-Prevent-division-by-zero-htotal.patch107
-rw-r--r--patches.kernel.org/4.4.175-108-drm-vmwgfx-Fix-setting-of-dma-masks.patch (renamed from patches.fixes/0001-drm-vmwgfx-Fix-setting-of-dma-masks.patch)21
-rw-r--r--patches.kernel.org/4.4.175-109-drm-vmwgfx-Return-error-code-from-vmw_execbuf.patch (renamed from patches.fixes/0001-drm-vmwgfx-Return-error-code-from-vmw_execbuf_copy_f.patch)17
-rw-r--r--patches.kernel.org/4.4.175-110-HID-debug-fix-the-ring-buffer-implementation.patch281
-rw-r--r--patches.kernel.org/4.4.175-111-NFC-nxp-nci-Include-unaligned.h-instead-of-ac.patch68
-rw-r--r--patches.kernel.org/4.4.175-112-Revert-cifs-In-Kconfig-CONFIG_CIFS_POSIX-need.patch47
-rw-r--r--patches.kernel.org/4.4.175-113-libceph-avoid-KEEPALIVE_PENDING-races-in-ceph.patch (renamed from patches.fixes/libceph-avoid-keepalive_pending-races-in-ceph_con_keepalive.patch)21
-rw-r--r--patches.kernel.org/4.4.175-114-xfrm-refine-validation-of-template-and-select.patch69
-rw-r--r--patches.kernel.org/4.4.175-115-batman-adv-Avoid-WARN-on-net_device-without-p.patch57
-rw-r--r--patches.kernel.org/4.4.175-116-batman-adv-Force-mac-header-to-start-of-data-.patch48
-rw-r--r--patches.kernel.org/4.4.175-117-Revert-exec-load_script-don-t-blindly-truncat.patch51
-rw-r--r--patches.kernel.org/4.4.175-118-uapi-if_ether.h-prevent-redefinition-of-struc.patch70
-rw-r--r--patches.kernel.org/4.4.175-119-ARM-dts-da850-evm-Correct-the-sound-card-name.patch39
-rw-r--r--patches.kernel.org/4.4.175-120-ARM-dts-kirkwood-Fix-polarity-of-GPIO-fan-lin.patch51
-rw-r--r--patches.kernel.org/4.4.175-121-gpio-pl061-handle-failed-allocations.patch46
-rw-r--r--patches.kernel.org/4.4.175-122-cifs-Limit-memory-used-by-lock-request-calls-.patch76
-rw-r--r--patches.kernel.org/4.4.175-123-Documentation-network-reword-kernel-version-r.patch34
-rw-r--r--patches.kernel.org/4.4.175-124-Revert-Input-elan_i2c-add-ACPI-ID-for-touchpa.patch40
-rw-r--r--patches.kernel.org/4.4.175-125-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-Le.patch37
-rw-r--r--patches.kernel.org/4.4.175-126-perf-core-Fix-impossible-ring-buffer-sizes-wa.patch69
-rw-r--r--patches.kernel.org/4.4.175-127-ALSA-hda-Add-quirk-for-HP-EliteBook-840-G5.patch36
-rw-r--r--patches.kernel.org/4.4.175-128-ALSA-usb-audio-Fix-implicit-fb-endpoint-setup.patch63
-rw-r--r--patches.kernel.org/4.4.175-129-Input-bma150-register-input-device-after-sett.patch112
-rw-r--r--patches.kernel.org/4.4.175-130-Input-elantech-enable-3rd-button-support-on-F.patch58
-rw-r--r--patches.kernel.org/4.4.175-131-alpha-fix-page-fault-handling-for-r16-r18-tar.patch123
-rw-r--r--patches.kernel.org/4.4.175-132-alpha-Fix-Eiger-NR_IRQS-to-128.patch56
-rw-r--r--patches.kernel.org/4.4.175-133-tracing-uprobes-Fix-output-for-multiple-strin.patch84
-rw-r--r--patches.kernel.org/4.4.175-134-x86-platform-UV-Use-efi_runtime_lock-to-seria.patch135
-rw-r--r--patches.kernel.org/4.4.175-135-signal-Restore-the-stop-PTRACE_EVENT_EXIT.patch63
-rw-r--r--patches.kernel.org/4.4.175-136-x86-a.out-Clear-the-dump-structure-initially.patch64
-rw-r--r--patches.kernel.org/4.4.175-137-dm-thin-fix-bug-where-bio-that-overwrites-thi.patch162
-rw-r--r--patches.kernel.org/4.4.175-138-smsc95xx-Use-skb_cow_head-to-deal-with-cloned.patch52
-rw-r--r--patches.kernel.org/4.4.175-139-ch9200-use-skb_cow_head-to-deal-with-cloned-s.patch (renamed from patches.fixes/0001-ch9200-use-skb_cow_head-to-deal-with-cloned-skbs.patch)17
-rw-r--r--patches.kernel.org/4.4.175-140-kaweth-use-skb_cow_head-to-deal-with-cloned-s.patch55
-rw-r--r--patches.kernel.org/4.4.175-141-usb-dwc2-Remove-unnecessary-kfree.patch36
-rw-r--r--patches.kernel.org/4.4.175-142-pinctrl-msm-fix-gpio-hog-related-boot-issues.patch106
-rw-r--r--patches.kernel.org/4.4.175-143-uapi-if_ether.h-move-__UAPI_DEF_ETHHDR-libc-d.patch94
-rw-r--r--patches.kernel.org/4.4.175-144-Linux-4.4.175.patch27
-rw-r--r--patches.suse/0020-perf-x86-intel-uncore-remove-hard-coded-implementation-for-node-id-mapping-location.patch6
-rw-r--r--patches.suse/hwmon-lm80-Fix-missing-unlock-on-error-in-set_fan_di.patch32
-rw-r--r--series.conf162
159 files changed, 9164 insertions, 745 deletions
diff --git a/patches.arch/0015-x86-platform-uv-add-obtaining-gam-range-table-from-uv-bios b/patches.arch/0015-x86-platform-uv-add-obtaining-gam-range-table-from-uv-bios
index c9d3e1bf1f..88d15f5996 100644
--- a/patches.arch/0015-x86-platform-uv-add-obtaining-gam-range-table-from-uv-bios
+++ b/patches.arch/0015-x86-platform-uv-add-obtaining-gam-range-table-from-uv-bios
@@ -33,15 +33,15 @@ Link: http://lkml.kernel.org/r/20160429215405.329827545@asylum.americas.sgi.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Joerg Roedel <jroedel@suse.de>
---
- arch/x86/include/asm/uv/bios.h | 59 +++++++++++++++++++++++++++++++++++++++--
- arch/x86/platform/uv/bios_uv.c | 48 ++++++++++++++++-----------------
- arch/x86/platform/uv/uv_sysfs.c | 2 +-
+ arch/x86/include/asm/uv/bios.h | 59 ++++++++++++++++++++++++++++++++++++++--
+ arch/x86/platform/uv/bios_uv.c | 48 +++++++++++++++-----------------
+ arch/x86/platform/uv/uv_sysfs.c | 2 -
3 files changed, 81 insertions(+), 28 deletions(-)
--- a/arch/x86/include/asm/uv/bios.h
+++ b/arch/x86/include/asm/uv/bios.h
-@@ -51,15 +51,66 @@ enum {
- BIOS_STATUS_UNAVAIL = -EBUSY
+@@ -52,15 +52,66 @@ enum {
+ BIOS_STATUS_ABORT = -EINTR,
};
+/* Address map parameters */
@@ -108,7 +108,7 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
enum {
BIOS_FREQ_BASE_PLATFORM = 0,
-@@ -99,7 +150,11 @@ extern s64 uv_bios_change_memprotect(u64
+@@ -100,7 +151,11 @@ extern s64 uv_bios_change_memprotect(u64
extern s64 uv_bios_reserved_page_pa(u64, u64 *, u64 *, u64 *);
extern int uv_bios_set_legacy_vga_target(bool decode, int domain, int bus);
@@ -120,7 +120,7 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
extern unsigned long sn_rtc_cycles_per_second;
extern int uv_type;
-@@ -107,7 +162,7 @@ extern long sn_partition_id;
+@@ -108,7 +163,7 @@ extern long sn_partition_id;
extern long sn_coherency_id;
extern long sn_region_size;
extern long system_serial_number;
@@ -131,7 +131,7 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
--- a/arch/x86/platform/uv/bios_uv.c
+++ b/arch/x86/platform/uv/bios_uv.c
-@@ -21,19 +21,20 @@
+@@ -21,20 +21,21 @@
#include <linux/efi.h>
#include <linux/export.h>
@@ -144,7 +144,8 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
-static struct uv_systab uv_systab;
+struct uv_systab *uv_systab;
- s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5)
+ static s64 __uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3,
+ u64 a4, u64 a5)
{
- struct uv_systab *tab = &uv_systab;
+ struct uv_systab *tab = uv_systab;
@@ -155,7 +156,7 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
/*
* BIOS does not support UV systab
*/
-@@ -183,34 +184,31 @@ int uv_bios_set_legacy_vga_target(bool d
+@@ -202,34 +203,31 @@ int uv_bios_set_legacy_vga_target(bool d
}
EXPORT_SYMBOL_GPL(uv_bios_set_legacy_vga_target);
diff --git a/patches.arch/arm64-bsc1031492-0077-KVM-arm-arm64-Move-shared-files-to-virt-kvm-arm.patch b/patches.arch/arm64-bsc1031492-0077-KVM-arm-arm64-Move-shared-files-to-virt-kvm-arm.patch
index ef7c5a6581..80baae6ed9 100644
--- a/patches.arch/arm64-bsc1031492-0077-KVM-arm-arm64-Move-shared-files-to-virt-kvm-arm.patch
+++ b/patches.arch/arm64-bsc1031492-0077-KVM-arm-arm64-Move-shared-files-to-virt-kvm-arm.patch
@@ -25,22 +25,22 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
---
arch/arm/kvm/Makefile | 7
- arch/arm/kvm/arm.c | 1483 ----------------------------------
- arch/arm/kvm/mmio.c | 217 ----
+ arch/arm/kvm/arm.c | 1476 ---------------------------------
+ arch/arm/kvm/mmio.c | 218 -----
arch/arm/kvm/mmu.c | 2001 ----------------------------------------------
arch/arm/kvm/perf.c | 68 -
arch/arm/kvm/psci.c | 332 -------
arch/arm/kvm/trace.h | 247 -----
arch/arm64/kvm/Makefile | 5
- virt/kvm/arm/arm.c | 1483 ++++++++++++++++++++++++++++++++++
- virt/kvm/arm/mmio.c | 217 ++++
+ virt/kvm/arm/arm.c | 1476 +++++++++++++++++++++++++++++++++
+ virt/kvm/arm/mmio.c | 218 +++++
virt/kvm/arm/mmu.c | 2001 ++++++++++++++++++++++++++++++++++++++++++++++
virt/kvm/arm/perf.c | 68 +
virt/kvm/arm/psci.c | 332 +++++++
virt/kvm/arm/trace.h | 246 +++++
virt/kvm/arm/vgic/trace.h | 37
virt/kvm/arm/vgic/vgic.c | 2
- 16 files changed, 4381 insertions(+), 4365 deletions(-)
+ 16 files changed, 4375 insertions(+), 4359 deletions(-)
delete mode 100644 arch/arm/kvm/arm.c
delete mode 100644 arch/arm/kvm/mmio.c
delete mode 100644 arch/arm/kvm/mmu.c
@@ -1551,7 +1551,7 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
-module_init(arm_init);
--- a/arch/arm/kvm/mmio.c
+++ /dev/null
-@@ -1,217 +0,0 @@
+@@ -1,218 +0,0 @@
-/*
- * Copyright (C) 2012 - Virtual Open Systems and Columbia University
- * Author: Christoffer Dall <c.dall@virtualopensystems.com>
@@ -1671,6 +1671,12 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
- vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data);
- }
-
+- /*
+- * The MMIO instruction is emulated and should not be re-executed
+- * in the guest.
+- */
+- kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu));
+-
- return 0;
-}
-
@@ -1698,11 +1704,6 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
- vcpu->arch.mmio_decode.sign_extend = sign_extend;
- vcpu->arch.mmio_decode.rt = rt;
-
-- /*
-- * The MMIO instruction is emulated and should not be re-executed
-- * in the guest.
-- */
-- kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu));
- return 0;
-}
-
@@ -5949,7 +5950,7 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
+module_init(arm_init);
--- /dev/null
+++ b/virt/kvm/arm/mmio.c
-@@ -0,0 +1,217 @@
+@@ -0,0 +1,218 @@
+/*
+ * Copyright (C) 2012 - Virtual Open Systems and Columbia University
+ * Author: Christoffer Dall <c.dall@virtualopensystems.com>
@@ -6069,6 +6070,12 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
+ vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data);
+ }
+
++ /*
++ * The MMIO instruction is emulated and should not be re-executed
++ * in the guest.
++ */
++ kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu));
++
+ return 0;
+}
+
@@ -6096,11 +6103,6 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
+ vcpu->arch.mmio_decode.sign_extend = sign_extend;
+ vcpu->arch.mmio_decode.rt = rt;
+
-+ /*
-+ * The MMIO instruction is emulated and should not be re-executed
-+ * in the guest.
-+ */
-+ kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu));
+ return 0;
+}
+
diff --git a/patches.drivers/0088-fs-have-submit_bh-users-pass-in-op-and-flags-separat.patch b/patches.drivers/0088-fs-have-submit_bh-users-pass-in-op-and-flags-separat.patch
index 0c60fab6e3..a34c92475e 100644
--- a/patches.drivers/0088-fs-have-submit_bh-users-pass-in-op-and-flags-separat.patch
+++ b/patches.drivers/0088-fs-have-submit_bh-users-pass-in-op-and-flags-separat.patch
@@ -15,43 +15,41 @@ Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Acked-by: Hannes Reinecke <hare@suse.de>
---
- drivers/md/bitmap.c | 4 ++--
- fs/btrfs/check-integrity.c | 24 ++++++++++----------
- fs/btrfs/check-integrity.h | 2 +-
- fs/btrfs/disk-io.c | 4 ++--
- fs/buffer.c | 53 +++++++++++++++++++++++----------------------
- fs/ext4/balloc.c | 2 +-
- fs/ext4/ialloc.c | 2 +-
- fs/ext4/inode.c | 2 +-
- fs/ext4/mmp.c | 4 ++--
- fs/fat/misc.c | 2 +-
- fs/gfs2/bmap.c | 2 +-
- fs/gfs2/dir.c | 2 +-
- fs/gfs2/meta_io.c | 8 +++----
- fs/jbd2/commit.c | 6 ++---
- fs/jbd2/journal.c | 8 +++----
- fs/nilfs2/btnode.c | 6 ++---
- fs/nilfs2/btnode.h | 2 +-
- fs/nilfs2/btree.c | 6 +++--
- fs/nilfs2/gcinode.c | 5 +++--
- fs/nilfs2/mdt.c | 11 +++++-----
- fs/ntfs/aops.c | 6 ++---
- fs/ntfs/compress.c | 2 +-
- fs/ntfs/file.c | 2 +-
- fs/ntfs/logfile.c | 2 +-
- fs/ntfs/mft.c | 4 ++--
- fs/ocfs2/buffer_head_io.c | 8 +++----
- fs/reiserfs/inode.c | 4 ++--
- fs/reiserfs/journal.c | 6 ++---
- fs/ufs/util.c | 2 +-
- include/linux/buffer_head.h | 9 ++++----
+ drivers/md/bitmap.c | 4 +--
+ fs/btrfs/check-integrity.c | 24 +++++++++----------
+ fs/btrfs/check-integrity.h | 2 -
+ fs/btrfs/disk-io.c | 4 +--
+ fs/buffer.c | 53 ++++++++++++++++++++++----------------------
+ fs/ext4/balloc.c | 2 -
+ fs/ext4/ialloc.c | 2 -
+ fs/ext4/inode.c | 2 -
+ fs/ext4/mmp.c | 4 +--
+ fs/fat/misc.c | 2 -
+ fs/gfs2/bmap.c | 2 -
+ fs/gfs2/dir.c | 2 -
+ fs/gfs2/meta_io.c | 8 +++---
+ fs/jbd2/commit.c | 6 ++--
+ fs/jbd2/journal.c | 8 +++---
+ fs/nilfs2/btnode.c | 6 ++--
+ fs/nilfs2/btnode.h | 2 -
+ fs/nilfs2/btree.c | 6 +++-
+ fs/nilfs2/gcinode.c | 5 ++--
+ fs/nilfs2/mdt.c | 11 ++++-----
+ fs/ntfs/aops.c | 6 ++--
+ fs/ntfs/compress.c | 2 -
+ fs/ntfs/file.c | 2 -
+ fs/ntfs/logfile.c | 2 -
+ fs/ntfs/mft.c | 4 +--
+ fs/ocfs2/buffer_head_io.c | 8 +++---
+ fs/reiserfs/inode.c | 4 +--
+ fs/reiserfs/journal.c | 6 ++--
+ fs/ufs/util.c | 2 -
+ include/linux/buffer_head.h | 9 ++++---
30 files changed, 103 insertions(+), 97 deletions(-)
-diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c
-index c160055..4829e1c 100644
--- a/drivers/md/bitmap.c
+++ b/drivers/md/bitmap.c
-@@ -297,7 +297,7 @@ static void write_page(struct bitmap *bitmap, struct page *page, int wait)
+@@ -297,7 +297,7 @@ static void write_page(struct bitmap *bi
atomic_inc(&bitmap->pending_writes);
set_buffer_locked(bh);
set_buffer_mapped(bh);
@@ -60,7 +58,7 @@ index c160055..4829e1c 100644
bh = bh->b_this_page;
}
-@@ -392,7 +392,7 @@ static int read_page(struct file *file, unsigned long index,
+@@ -392,7 +392,7 @@ static int read_page(struct file *file,
atomic_inc(&bitmap->pending_writes);
set_buffer_locked(bh);
set_buffer_mapped(bh);
@@ -69,11 +67,9 @@ index c160055..4829e1c 100644
}
block++;
bh = bh->b_this_page;
-diff --git a/fs/btrfs/check-integrity.c b/fs/btrfs/check-integrity.c
-index dff4ab4..036598f 100644
--- a/fs/btrfs/check-integrity.c
+++ b/fs/btrfs/check-integrity.c
-@@ -2898,12 +2898,12 @@ static struct btrfsic_dev_state *btrfsic_dev_state_lookup(
+@@ -2898,12 +2898,12 @@ static struct btrfsic_dev_state *btrfsic
return ds;
}
@@ -88,7 +84,7 @@ index dff4ab4..036598f 100644
mutex_lock(&btrfsic_mutex);
/* since btrfsic_submit_bh() might also be called before
-@@ -2912,26 +2912,26 @@ int btrfsic_submit_bh(int rw, struct buffer_head *bh)
+@@ -2912,26 +2912,26 @@ int btrfsic_submit_bh(int rw, struct buf
/* Only called to write the superblock (incl. FLUSH/FUA) */
if (NULL != dev_state &&
@@ -123,7 +119,7 @@ index dff4ab4..036598f 100644
if (!dev_state->dummy_block_for_bio_bh_flush.is_iodone) {
if ((dev_state->state->print_mask &
(BTRFSIC_PRINT_MASK_SUBMIT_BIO_BH |
-@@ -2949,7 +2949,7 @@ int btrfsic_submit_bh(int rw, struct buffer_head *bh)
+@@ -2949,7 +2949,7 @@ int btrfsic_submit_bh(int rw, struct buf
block->never_written = 0;
block->iodone_w_error = 0;
block->flush_gen = dev_state->last_flush_gen + 1;
@@ -132,7 +128,7 @@ index dff4ab4..036598f 100644
block->orig_bio_bh_private = bh->b_private;
block->orig_bio_bh_end_io.bh = bh->b_end_io;
block->next_in_same_bio = NULL;
-@@ -2958,7 +2958,7 @@ int btrfsic_submit_bh(int rw, struct buffer_head *bh)
+@@ -2958,7 +2958,7 @@ int btrfsic_submit_bh(int rw, struct buf
}
}
mutex_unlock(&btrfsic_mutex);
@@ -141,8 +137,6 @@ index dff4ab4..036598f 100644
}
static void __btrfsic_submit_bio(struct bio *bio)
-diff --git a/fs/btrfs/check-integrity.h b/fs/btrfs/check-integrity.h
-index c04e249..f78dff1 100644
--- a/fs/btrfs/check-integrity.h
+++ b/fs/btrfs/check-integrity.h
@@ -20,7 +20,7 @@
@@ -154,11 +148,9 @@ index c04e249..f78dff1 100644
void btrfsic_submit_bio(struct bio *bio);
int btrfsic_submit_bio_wait(struct bio *bio);
#else
-diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
-index 3f41f08..ced8279 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
-@@ -3369,9 +3369,9 @@ static int write_dev_supers(struct btrfs_device *device,
+@@ -3304,9 +3304,9 @@ static int write_dev_supers(struct btrfs
* to go down lazy.
*/
if (i == 0)
@@ -170,8 +162,6 @@ index 3f41f08..ced8279 100644
if (ret)
errors++;
}
-diff --git a/fs/buffer.c b/fs/buffer.c
-index ffef54d..bc13eeb 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -45,7 +45,7 @@
@@ -183,7 +173,7 @@ index ffef54d..bc13eeb 100644
unsigned long bio_flags,
struct writeback_control *wbc);
-@@ -1236,7 +1236,7 @@ static struct buffer_head *__bread_slow(struct buffer_head *bh)
+@@ -1236,7 +1236,7 @@ static struct buffer_head *__bread_slow(
} else {
get_bh(bh);
bh->b_end_io = end_buffer_read_sync;
@@ -192,7 +182,7 @@ index ffef54d..bc13eeb 100644
wait_on_buffer(bh);
if (buffer_uptodate(bh))
return bh;
-@@ -1708,7 +1708,7 @@ static int __block_write_full_page(struct inode *inode, struct page *page,
+@@ -1708,7 +1708,7 @@ static int __block_write_full_page(struc
struct buffer_head *bh, *head;
unsigned int blocksize, bbits;
int nr_underway = 0;
@@ -201,7 +191,7 @@ index ffef54d..bc13eeb 100644
head = create_page_buffers(page, inode,
(1 << BH_Dirty)|(1 << BH_Uptodate));
-@@ -1797,7 +1797,7 @@ static int __block_write_full_page(struct inode *inode, struct page *page,
+@@ -1797,7 +1797,7 @@ static int __block_write_full_page(struc
do {
struct buffer_head *next = bh->b_this_page;
if (buffer_async_write(bh)) {
@@ -219,7 +209,7 @@ index ffef54d..bc13eeb 100644
nr_underway++;
}
bh = next;
-@@ -2259,7 +2259,7 @@ int block_read_full_page(struct page *page, get_block_t *get_block)
+@@ -2259,7 +2259,7 @@ int block_read_full_page(struct page *pa
if (buffer_uptodate(bh))
end_buffer_async_read(bh, 1);
else
@@ -228,7 +218,7 @@ index ffef54d..bc13eeb 100644
}
return 0;
}
-@@ -2593,7 +2593,7 @@ int nobh_write_begin(struct address_space *mapping,
+@@ -2593,7 +2593,7 @@ int nobh_write_begin(struct address_spac
if (block_start < from || block_end > to) {
lock_buffer(bh);
bh->b_end_io = end_buffer_read_nobh;
@@ -237,7 +227,7 @@ index ffef54d..bc13eeb 100644
nr_reads++;
}
}
-@@ -2960,7 +2960,7 @@ static void end_bio_bh_io_sync(struct bio *bio)
+@@ -2960,7 +2960,7 @@ static void end_bio_bh_io_sync(struct bi
* errors, this only handles the "we need to be able to
* do IO at the final sector" case.
*/
@@ -246,7 +236,7 @@ index ffef54d..bc13eeb 100644
{
sector_t maxsector;
struct bio_vec *bvec = &bio->bi_io_vec[bio->bi_vcnt - 1];
-@@ -2990,13 +2990,13 @@ void guard_bio_eod(int rw, struct bio *bio)
+@@ -2990,13 +2990,13 @@ void guard_bio_eod(int rw, struct bio *b
bvec->bv_len -= truncated_bytes;
/* ..and clear the end of the buffer for reads */
@@ -262,7 +252,7 @@ index ffef54d..bc13eeb 100644
unsigned long bio_flags, struct writeback_control *wbc)
{
struct bio *bio;
-@@ -3010,7 +3010,7 @@ static int submit_bh_wbc(int rw, struct buffer_head *bh,
+@@ -3010,7 +3010,7 @@ static int submit_bh_wbc(int rw, struct
/*
* Only clear out a write error when rewriting
*/
@@ -271,7 +261,7 @@ index ffef54d..bc13eeb 100644
clear_buffer_write_io_error(bh);
/*
-@@ -3035,27 +3035,28 @@ static int submit_bh_wbc(int rw, struct buffer_head *bh,
+@@ -3035,27 +3035,28 @@ static int submit_bh_wbc(int rw, struct
bio->bi_flags |= bio_flags;
/* Take care of bh's that straddle the end of the device */
@@ -308,7 +298,7 @@ index ffef54d..bc13eeb 100644
}
EXPORT_SYMBOL(submit_bh);
-@@ -3097,14 +3098,14 @@ void ll_rw_block(int rw, int nr, struct buffer_head *bhs[])
+@@ -3097,14 +3098,14 @@ void ll_rw_block(int rw, int nr, struct
if (test_clear_buffer_dirty(bh)) {
bh->b_end_io = end_buffer_write_sync;
get_bh(bh);
@@ -325,7 +315,7 @@ index ffef54d..bc13eeb 100644
continue;
}
}
-@@ -3113,7 +3114,7 @@ void ll_rw_block(int rw, int nr, struct buffer_head *bhs[])
+@@ -3113,7 +3114,7 @@ void ll_rw_block(int rw, int nr, struct
}
EXPORT_SYMBOL(ll_rw_block);
@@ -334,7 +324,7 @@ index ffef54d..bc13eeb 100644
{
lock_buffer(bh);
if (!test_clear_buffer_dirty(bh)) {
-@@ -3122,7 +3123,7 @@ void write_dirty_buffer(struct buffer_head *bh, int rw)
+@@ -3122,7 +3123,7 @@ void write_dirty_buffer(struct buffer_he
}
bh->b_end_io = end_buffer_write_sync;
get_bh(bh);
@@ -352,7 +342,7 @@ index ffef54d..bc13eeb 100644
{
int ret = 0;
-@@ -3140,7 +3141,7 @@ int __sync_dirty_buffer(struct buffer_head *bh, int rw)
+@@ -3140,7 +3141,7 @@ int __sync_dirty_buffer(struct buffer_he
if (test_clear_buffer_dirty(bh)) {
get_bh(bh);
bh->b_end_io = end_buffer_write_sync;
@@ -361,7 +351,7 @@ index ffef54d..bc13eeb 100644
wait_on_buffer(bh);
if (!ret && !buffer_uptodate(bh))
ret = -EIO;
-@@ -3403,7 +3404,7 @@ int bh_submit_read(struct buffer_head *bh)
+@@ -3403,7 +3404,7 @@ int bh_submit_read(struct buffer_head *b
get_bh(bh);
bh->b_end_io = end_buffer_read_sync;
@@ -370,11 +360,9 @@ index ffef54d..bc13eeb 100644
wait_on_buffer(bh);
if (buffer_uptodate(bh))
return 0;
-diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
-index 1ea5054..2dacc9c0 100644
--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
-@@ -473,7 +473,7 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
+@@ -493,7 +493,7 @@ ext4_read_block_bitmap_nowait(struct sup
trace_ext4_read_block_bitmap_load(sb, block_group);
bh->b_end_io = ext4_end_bitmap_read;
get_bh(bh);
@@ -383,11 +371,9 @@ index 1ea5054..2dacc9c0 100644
return bh;
verify:
err = ext4_validate_block_bitmap(sb, desc, block_group, bh);
-diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
-index 5388207..1348763 100644
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
-@@ -214,7 +214,7 @@ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
+@@ -192,7 +192,7 @@ ext4_read_inode_bitmap(struct super_bloc
trace_ext4_load_inode_bitmap(sb, block_group);
bh->b_end_io = ext4_end_bitmap_read;
get_bh(bh);
@@ -396,11 +382,9 @@ index 5388207..1348763 100644
wait_on_buffer(bh);
if (!buffer_uptodate(bh)) {
put_bh(bh);
-diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
-index f18b96905..8e0d5c4 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
-@@ -4303,7 +4303,7 @@ make_io:
+@@ -4340,7 +4340,7 @@ make_io:
trace_ext4_load_inode(inode);
get_bh(bh);
bh->b_end_io = end_buffer_read_sync;
@@ -409,11 +393,9 @@ index f18b96905..8e0d5c4 100644
wait_on_buffer(bh);
if (!buffer_uptodate(bh)) {
EXT4_ERROR_INODE_BLOCK(inode, block,
-diff --git a/fs/ext4/mmp.c b/fs/ext4/mmp.c
-index ec67ce3..517d902 100644
--- a/fs/ext4/mmp.c
+++ b/fs/ext4/mmp.c
-@@ -52,7 +52,7 @@ static int write_mmp_block(struct super_block *sb, struct buffer_head *bh)
+@@ -51,7 +51,7 @@ static int write_mmp_block(struct super_
lock_buffer(bh);
bh->b_end_io = end_buffer_write_sync;
get_bh(bh);
@@ -422,7 +404,7 @@ index ec67ce3..517d902 100644
wait_on_buffer(bh);
sb_end_write(sb);
if (unlikely(!buffer_uptodate(bh)))
-@@ -88,7 +88,7 @@ static int read_mmp_block(struct super_block *sb, struct buffer_head **bh,
+@@ -87,7 +87,7 @@ static int read_mmp_block(struct super_b
get_bh(*bh);
lock_buffer(*bh);
(*bh)->b_end_io = end_buffer_read_sync;
@@ -431,11 +413,9 @@ index ec67ce3..517d902 100644
wait_on_buffer(*bh);
if (!buffer_uptodate(*bh)) {
brelse(*bh);
-diff --git a/fs/fat/misc.c b/fs/fat/misc.c
-index c4589e9..8a86981 100644
--- a/fs/fat/misc.c
+++ b/fs/fat/misc.c
-@@ -267,7 +267,7 @@ int fat_sync_bhs(struct buffer_head **bhs, int nr_bhs)
+@@ -267,7 +267,7 @@ int fat_sync_bhs(struct buffer_head **bh
int i, err = 0;
for (i = 0; i < nr_bhs; i++)
@@ -444,11 +424,9 @@ index c4589e9..8a86981 100644
for (i = 0; i < nr_bhs; i++) {
wait_on_buffer(bhs[i]);
-diff --git a/fs/gfs2/bmap.c b/fs/gfs2/bmap.c
-index 61296ec..967154c 100644
--- a/fs/gfs2/bmap.c
+++ b/fs/gfs2/bmap.c
-@@ -285,7 +285,7 @@ static void gfs2_metapath_ra(struct gfs2_glock *gl,
+@@ -285,7 +285,7 @@ static void gfs2_metapath_ra(struct gfs2
if (trylock_buffer(rabh)) {
if (!buffer_uptodate(rabh)) {
rabh->b_end_io = end_buffer_read_sync;
@@ -457,11 +435,9 @@ index 61296ec..967154c 100644
continue;
}
unlock_buffer(rabh);
-diff --git a/fs/gfs2/dir.c b/fs/gfs2/dir.c
-index ad8a5b7..d16f556 100644
--- a/fs/gfs2/dir.c
+++ b/fs/gfs2/dir.c
-@@ -1423,7 +1423,7 @@ static void gfs2_dir_readahead(struct inode *inode, unsigned hsize, u32 index,
+@@ -1423,7 +1423,7 @@ static void gfs2_dir_readahead(struct in
continue;
}
bh->b_end_io = end_buffer_read_sync;
@@ -470,11 +446,9 @@ index ad8a5b7..d16f556 100644
continue;
}
brelse(bh);
-diff --git a/fs/gfs2/meta_io.c b/fs/gfs2/meta_io.c
-index 0e1d4be..ff483bc 100644
--- a/fs/gfs2/meta_io.c
+++ b/fs/gfs2/meta_io.c
-@@ -37,8 +37,8 @@ static int gfs2_aspace_writepage(struct page *page, struct writeback_control *wb
+@@ -37,8 +37,8 @@ static int gfs2_aspace_writepage(struct
{
struct buffer_head *bh, *head;
int nr_underway = 0;
@@ -485,7 +459,7 @@ index 0e1d4be..ff483bc 100644
BUG_ON(!PageLocked(page));
BUG_ON(!page_has_buffers(page));
-@@ -79,7 +79,7 @@ static int gfs2_aspace_writepage(struct page *page, struct writeback_control *wb
+@@ -79,7 +79,7 @@ static int gfs2_aspace_writepage(struct
do {
struct buffer_head *next = bh->b_this_page;
if (buffer_async_write(bh)) {
@@ -494,7 +468,7 @@ index 0e1d4be..ff483bc 100644
nr_underway++;
}
bh = next;
-@@ -217,7 +217,7 @@ int gfs2_meta_read(struct gfs2_glock *gl, u64 blkno, int flags,
+@@ -217,7 +217,7 @@ int gfs2_meta_read(struct gfs2_glock *gl
}
bh->b_end_io = end_buffer_read_sync;
get_bh(bh);
@@ -503,11 +477,9 @@ index 0e1d4be..ff483bc 100644
if (!(flags & DIO_WAIT))
return 0;
-diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
-index 2d964ce..71cdc16 100644
--- a/fs/jbd2/commit.c
+++ b/fs/jbd2/commit.c
-@@ -157,9 +157,9 @@ static int journal_submit_commit_record(journal_t *journal,
+@@ -157,9 +157,9 @@ static int journal_submit_commit_record(
if (journal->j_flags & JBD2_BARRIER &&
!jbd2_has_feature_async_commit(journal))
@@ -528,11 +500,9 @@ index 2d964ce..71cdc16 100644
}
cond_resched();
stats.run.rs_blocks_logged += bufs;
-diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
-index f1c8cdc..babfb6a 100644
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
-@@ -1325,15 +1325,15 @@ static int journal_reset(journal_t *journal)
+@@ -1323,15 +1323,15 @@ static int journal_reset(journal_t *jour
return jbd2_journal_start_thread(journal);
}
@@ -551,7 +521,7 @@ index f1c8cdc..babfb6a 100644
lock_buffer(bh);
if (buffer_write_io_error(bh)) {
/*
-@@ -1353,7 +1353,7 @@ static int jbd2_write_superblock(journal_t *journal, int write_op)
+@@ -1351,7 +1351,7 @@ static int jbd2_write_superblock(journal
jbd2_superblock_csum_set(journal, sb);
get_bh(bh);
bh->b_end_io = end_buffer_write_sync;
@@ -560,11 +530,9 @@ index f1c8cdc..babfb6a 100644
wait_on_buffer(bh);
if (buffer_write_io_error(bh)) {
clear_buffer_write_io_error(bh);
-diff --git a/fs/nilfs2/btnode.c b/fs/nilfs2/btnode.c
-index a35ae35..07fe874 100644
--- a/fs/nilfs2/btnode.c
+++ b/fs/nilfs2/btnode.c
-@@ -67,7 +67,7 @@ nilfs_btnode_create_block(struct address_space *btnc, __u64 blocknr)
+@@ -67,7 +67,7 @@ nilfs_btnode_create_block(struct address
}
int nilfs_btnode_submit_block(struct address_space *btnc, __u64 blocknr,
@@ -573,7 +541,7 @@ index a35ae35..07fe874 100644
struct buffer_head **pbh, sector_t *submit_ptr)
{
struct buffer_head *bh;
-@@ -100,7 +100,7 @@ int nilfs_btnode_submit_block(struct address_space *btnc, __u64 blocknr,
+@@ -100,7 +100,7 @@ int nilfs_btnode_submit_block(struct add
}
}
@@ -582,7 +550,7 @@ index a35ae35..07fe874 100644
if (pblocknr != *submit_ptr + 1 || !trylock_buffer(bh)) {
err = -EBUSY; /* internal code */
brelse(bh);
-@@ -119,7 +119,7 @@ int nilfs_btnode_submit_block(struct address_space *btnc, __u64 blocknr,
+@@ -119,7 +119,7 @@ int nilfs_btnode_submit_block(struct add
bh->b_blocknr = pblocknr; /* set block address for read */
bh->b_end_io = end_buffer_read_sync;
get_bh(bh);
@@ -591,11 +559,9 @@ index a35ae35..07fe874 100644
bh->b_blocknr = blocknr; /* set back to the given block address */
*submit_ptr = pblocknr;
err = 0;
-diff --git a/fs/nilfs2/btnode.h b/fs/nilfs2/btnode.h
-index d876b56..3f93197 100644
--- a/fs/nilfs2/btnode.h
+++ b/fs/nilfs2/btnode.h
-@@ -47,7 +47,7 @@ void nilfs_btnode_cache_clear(struct address_space *);
+@@ -47,7 +47,7 @@ void nilfs_btnode_cache_clear(struct add
struct buffer_head *nilfs_btnode_create_block(struct address_space *btnc,
__u64 blocknr);
int nilfs_btnode_submit_block(struct address_space *, __u64, sector_t, int,
@@ -604,11 +570,9 @@ index d876b56..3f93197 100644
void nilfs_btnode_delete(struct buffer_head *);
int nilfs_btnode_prepare_change_key(struct address_space *,
struct nilfs_btnode_chkey_ctxt *);
-diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
-index 3a3821b..5d6a2c6 100644
--- a/fs/nilfs2/btree.c
+++ b/fs/nilfs2/btree.c
-@@ -480,7 +480,8 @@ static int __nilfs_btree_get_block(const struct nilfs_bmap *btree, __u64 ptr,
+@@ -480,7 +480,8 @@ static int __nilfs_btree_get_block(const
sector_t submit_ptr = 0;
int ret;
@@ -618,7 +582,7 @@ index 3a3821b..5d6a2c6 100644
if (ret) {
if (ret != -EEXIST)
return ret;
-@@ -496,7 +497,8 @@ static int __nilfs_btree_get_block(const struct nilfs_bmap *btree, __u64 ptr,
+@@ -496,7 +497,8 @@ static int __nilfs_btree_get_block(const
n > 0 && i < ra->ncmax; n--, i++) {
ptr2 = nilfs_btree_node_get_ptr(ra->node, i, ra->ncmax);
@@ -628,11 +592,9 @@ index 3a3821b..5d6a2c6 100644
&ra_bh, &submit_ptr);
if (likely(!ret || ret == -EEXIST))
brelse(ra_bh);
-diff --git a/fs/nilfs2/gcinode.c b/fs/nilfs2/gcinode.c
-index 748ca23..1f18ffc 100644
--- a/fs/nilfs2/gcinode.c
+++ b/fs/nilfs2/gcinode.c
-@@ -106,7 +106,7 @@ int nilfs_gccache_submit_read_data(struct inode *inode, sector_t blkoff,
+@@ -106,7 +106,7 @@ int nilfs_gccache_submit_read_data(struc
bh->b_blocknr = pbn;
bh->b_end_io = end_buffer_read_sync;
get_bh(bh);
@@ -641,7 +603,7 @@ index 748ca23..1f18ffc 100644
if (vbn)
bh->b_blocknr = vbn;
out:
-@@ -143,7 +143,8 @@ int nilfs_gccache_submit_read_node(struct inode *inode, sector_t pbn,
+@@ -143,7 +143,8 @@ int nilfs_gccache_submit_read_node(struc
int ret;
ret = nilfs_btnode_submit_block(&NILFS_I(inode)->i_btnode_cache,
@@ -651,11 +613,9 @@ index 748ca23..1f18ffc 100644
if (ret == -EEXIST) /* internal code (cache hit) */
ret = 0;
return ret;
-diff --git a/fs/nilfs2/mdt.c b/fs/nilfs2/mdt.c
-index 1125f40..92e627d 100644
--- a/fs/nilfs2/mdt.c
+++ b/fs/nilfs2/mdt.c
-@@ -124,7 +124,7 @@ static int nilfs_mdt_create_block(struct inode *inode, unsigned long block,
+@@ -124,7 +124,7 @@ static int nilfs_mdt_create_block(struct
static int
nilfs_mdt_submit_block(struct inode *inode, unsigned long blkoff,
@@ -664,7 +624,7 @@ index 1125f40..92e627d 100644
{
struct buffer_head *bh;
__u64 blknum = 0;
-@@ -138,7 +138,7 @@ nilfs_mdt_submit_block(struct inode *inode, unsigned long blkoff,
+@@ -138,7 +138,7 @@ nilfs_mdt_submit_block(struct inode *ino
if (buffer_uptodate(bh))
goto out;
@@ -673,7 +633,7 @@ index 1125f40..92e627d 100644
if (!trylock_buffer(bh)) {
ret = -EBUSY;
goto failed_bh;
-@@ -160,7 +160,7 @@ nilfs_mdt_submit_block(struct inode *inode, unsigned long blkoff,
+@@ -160,7 +160,7 @@ nilfs_mdt_submit_block(struct inode *ino
bh->b_end_io = end_buffer_read_sync;
get_bh(bh);
@@ -682,7 +642,7 @@ index 1125f40..92e627d 100644
ret = 0;
trace_nilfs2_mdt_submit_block(inode, inode->i_ino, blkoff, mode);
-@@ -184,7 +184,7 @@ static int nilfs_mdt_read_block(struct inode *inode, unsigned long block,
+@@ -184,7 +184,7 @@ static int nilfs_mdt_read_block(struct i
int i, nr_ra_blocks = NILFS_MDT_MAX_RA_BLOCKS;
int err;
@@ -691,7 +651,7 @@ index 1125f40..92e627d 100644
if (err == -EEXIST) /* internal code */
goto out;
-@@ -194,7 +194,8 @@ static int nilfs_mdt_read_block(struct inode *inode, unsigned long block,
+@@ -194,7 +194,8 @@ static int nilfs_mdt_read_block(struct i
if (readahead) {
blkoff = block + 1;
for (i = 0; i < nr_ra_blocks; i++, blkoff++) {
@@ -701,8 +661,6 @@ index 1125f40..92e627d 100644
if (likely(!err || err == -EEXIST))
brelse(bh);
else if (err != -EBUSY)
-diff --git a/fs/ntfs/aops.c b/fs/ntfs/aops.c
-index 7521e11..57c64bd 100644
--- a/fs/ntfs/aops.c
+++ b/fs/ntfs/aops.c
@@ -362,7 +362,7 @@ handle_zblock:
@@ -732,8 +690,6 @@ index 7521e11..57c64bd 100644
}
/* Synchronize the mft mirror now if not @sync. */
if (is_mft && !sync)
-diff --git a/fs/ntfs/compress.c b/fs/ntfs/compress.c
-index f82498c..1fd482c 100644
--- a/fs/ntfs/compress.c
+++ b/fs/ntfs/compress.c
@@ -674,7 +674,7 @@ lock_retry_remap:
@@ -745,11 +701,9 @@ index f82498c..1fd482c 100644
}
/* Wait for io completion on all buffer heads. */
-diff --git a/fs/ntfs/file.c b/fs/ntfs/file.c
-index 9d383e5..03a1a32 100644
--- a/fs/ntfs/file.c
+++ b/fs/ntfs/file.c
-@@ -553,7 +553,7 @@ static inline int ntfs_submit_bh_for_read(struct buffer_head *bh)
+@@ -553,7 +553,7 @@ static inline int ntfs_submit_bh_for_rea
lock_buffer(bh);
get_bh(bh);
bh->b_end_io = end_buffer_read_sync;
@@ -758,8 +712,6 @@ index 9d383e5..03a1a32 100644
}
/**
-diff --git a/fs/ntfs/logfile.c b/fs/ntfs/logfile.c
-index c71de29..1c95c41 100644
--- a/fs/ntfs/logfile.c
+++ b/fs/ntfs/logfile.c
@@ -821,7 +821,7 @@ map_vcn:
@@ -771,11 +723,9 @@ index c71de29..1c95c41 100644
if (should_wait) {
should_wait = false;
wait_on_buffer(bh);
-diff --git a/fs/ntfs/mft.c b/fs/ntfs/mft.c
-index 3014a36..38c6f7a 100644
--- a/fs/ntfs/mft.c
+++ b/fs/ntfs/mft.c
-@@ -592,7 +592,7 @@ int ntfs_sync_mft_mirror(ntfs_volume *vol, const unsigned long mft_no,
+@@ -592,7 +592,7 @@ int ntfs_sync_mft_mirror(ntfs_volume *vo
clear_buffer_dirty(tbh);
get_bh(tbh);
tbh->b_end_io = end_buffer_write_sync;
@@ -784,7 +734,7 @@ index 3014a36..38c6f7a 100644
}
/* Wait on i/o completion of buffers. */
for (i_bhs = 0; i_bhs < nr_bhs; i_bhs++) {
-@@ -785,7 +785,7 @@ int write_mft_record_nolock(ntfs_inode *ni, MFT_RECORD *m, int sync)
+@@ -785,7 +785,7 @@ int write_mft_record_nolock(ntfs_inode *
clear_buffer_dirty(tbh);
get_bh(tbh);
tbh->b_end_io = end_buffer_write_sync;
@@ -793,11 +743,9 @@ index 3014a36..38c6f7a 100644
}
/* Synchronize the mft mirror now if not @sync. */
if (!sync && ni->mft_no < vol->mftmirr_size)
-diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c
-index fe50ded..fb775c9 100644
--- a/fs/ocfs2/buffer_head_io.c
+++ b/fs/ocfs2/buffer_head_io.c
-@@ -79,7 +79,7 @@ int ocfs2_write_block(struct ocfs2_super *osb, struct buffer_head *bh,
+@@ -79,7 +79,7 @@ int ocfs2_write_block(struct ocfs2_super
get_bh(bh); /* for end_buffer_write_sync() */
bh->b_end_io = end_buffer_write_sync;
@@ -806,8 +754,8 @@ index fe50ded..fb775c9 100644
wait_on_buffer(bh);
-@@ -149,7 +149,7 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
- clear_buffer_uptodate(bh);
+@@ -148,7 +148,7 @@ int ocfs2_read_blocks_sync(struct ocfs2_
+
get_bh(bh); /* for end_buffer_read_sync() */
bh->b_end_io = end_buffer_read_sync;
- submit_bh(READ, bh);
@@ -815,7 +763,7 @@ index fe50ded..fb775c9 100644
}
for (i = nr; i > 0; i--) {
-@@ -305,7 +305,7 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
+@@ -303,7 +303,7 @@ int ocfs2_read_blocks(struct ocfs2_cachi
if (validate)
set_buffer_needs_validate(bh);
bh->b_end_io = end_buffer_read_sync;
@@ -824,7 +772,7 @@ index fe50ded..fb775c9 100644
continue;
}
}
-@@ -419,7 +419,7 @@ int ocfs2_write_super_or_backup(struct ocfs2_super *osb,
+@@ -418,7 +418,7 @@ int ocfs2_write_super_or_backup(struct o
get_bh(bh); /* for end_buffer_write_sync() */
bh->b_end_io = end_buffer_write_sync;
ocfs2_compute_meta_ecc(osb->sb, bh->b_data, &di->i_check);
@@ -833,11 +781,9 @@ index fe50ded..fb775c9 100644
wait_on_buffer(bh);
-diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c
-index c0db7f3..5822c06 100644
--- a/fs/reiserfs/inode.c
+++ b/fs/reiserfs/inode.c
-@@ -2667,7 +2667,7 @@ static int reiserfs_write_full_page(struct page *page,
+@@ -2667,7 +2667,7 @@ static int reiserfs_write_full_page(stru
do {
struct buffer_head *next = bh->b_this_page;
if (buffer_async_write(bh)) {
@@ -855,11 +801,9 @@ index c0db7f3..5822c06 100644
nr++;
}
put_bh(bh);
-diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c
-index 9d6486d..9e63bc2 100644
--- a/fs/reiserfs/journal.c
+++ b/fs/reiserfs/journal.c
-@@ -654,7 +654,7 @@ static void submit_logged_buffer(struct buffer_head *bh)
+@@ -654,7 +654,7 @@ static void submit_logged_buffer(struct
BUG();
if (!buffer_uptodate(bh))
BUG();
@@ -868,7 +812,7 @@ index 9d6486d..9e63bc2 100644
}
static void submit_ordered_buffer(struct buffer_head *bh)
-@@ -664,7 +664,7 @@ static void submit_ordered_buffer(struct buffer_head *bh)
+@@ -664,7 +664,7 @@ static void submit_ordered_buffer(struct
clear_buffer_dirty(bh);
if (!buffer_uptodate(bh))
BUG();
@@ -886,11 +830,9 @@ index 9d6486d..9e63bc2 100644
}
for (i = 0; i < get_desc_trans_len(desc); i++) {
wait_on_buffer(real_blocks[i]);
-diff --git a/fs/ufs/util.c b/fs/ufs/util.c
-index b6c2f94..5f68b1a 100644
--- a/fs/ufs/util.c
+++ b/fs/ufs/util.c
-@@ -118,7 +118,7 @@ void ubh_sync_block(struct ufs_buffer_head *ubh)
+@@ -118,7 +118,7 @@ void ubh_sync_block(struct ufs_buffer_he
unsigned i;
for (i = 0; i < ubh->count; i++)
@@ -899,11 +841,9 @@ index b6c2f94..5f68b1a 100644
for (i = 0; i < ubh->count; i++)
wait_on_buffer(ubh->bh[i]);
-diff --git a/include/linux/buffer_head.h b/include/linux/buffer_head.h
-index 89d9aa9e..f7cc163 100644
--- a/include/linux/buffer_head.h
+++ b/include/linux/buffer_head.h
-@@ -189,10 +189,11 @@ void unlock_buffer(struct buffer_head *bh);
+@@ -189,10 +189,11 @@ void unlock_buffer(struct buffer_head *b
void __lock_buffer(struct buffer_head *bh);
void ll_rw_block(int, int, struct buffer_head * bh[]);
int sync_dirty_buffer(struct buffer_head *bh);
@@ -919,6 +859,3 @@ index 89d9aa9e..f7cc163 100644
void write_boundary_block(struct block_device *bdev,
sector_t bblock, unsigned blocksize);
int bh_uptodate_or_lock(struct buffer_head *bh);
---
-1.8.5.6
-
diff --git a/patches.drivers/RDMA-bnxt_re-Synchronize-destroy_qp-with-poll_cq.patch b/patches.drivers/RDMA-bnxt_re-Synchronize-destroy_qp-with-poll_cq.patch
deleted file mode 100644
index 5e921636f4..0000000000
--- a/patches.drivers/RDMA-bnxt_re-Synchronize-destroy_qp-with-poll_cq.patch
+++ /dev/null
@@ -1,190 +0,0 @@
-From: Selvin Xavier <selvin.xavier@broadcom.com>
-Date: Thu, 15 Feb 2018 21:20:11 -0800
-Subject: RDMA/bnxt_re: Synchronize destroy_qp with poll_cq
-Patch-mainline: v4.16-rc3
-Git-commit: 3b921e3bc4c20af58a663ed238ad57e87493dde2
-References: bsc#1125446
-
-Avoid system crash when destroy_qp is invoked while
-the driver is processing the poll_cq. Synchronize these
-functions using the cq_lock.
-
-Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
-Signed-off-by: Doug Ledford <dledford@redhat.com>
-Acked-by: Denis Kirjanov <dkirjanov@suse.com>
----
- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 39 +++++++++++++++++++++++++++++---
- drivers/infiniband/hw/bnxt_re/ib_verbs.h | 2 ++
- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 21 +++++------------
- drivers/infiniband/hw/bnxt_re/qplib_fp.h | 4 +++-
- 4 files changed, 47 insertions(+), 19 deletions(-)
---- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
-+++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
-@@ -803,19 +803,50 @@ int bnxt_re_query_ah(struct ib_ah *ib_ah
- return 0;
- }
-
-+static unsigned long bnxt_re_lock_cqs(struct bnxt_re_qp *qp)
-+ __acquires(&qp->scq->cq_lock) __acquires(&qp->rcq->cq_lock)
-+{
-+ unsigned long flags;
-+
-+ spin_lock_irqsave(&qp->scq->cq_lock, flags);
-+ if (qp->rcq != qp->scq)
-+ spin_lock(&qp->rcq->cq_lock);
-+ else
-+ __acquire(&qp->rcq->cq_lock);
-+
-+ return flags;
-+}
-+
-+static void bnxt_re_unlock_cqs(struct bnxt_re_qp *qp,
-+ unsigned long flags)
-+ __releases(&qp->scq->cq_lock) __releases(&qp->rcq->cq_lock)
-+{
-+ if (qp->rcq != qp->scq)
-+ spin_unlock(&qp->rcq->cq_lock);
-+ else
-+ __release(&qp->rcq->cq_lock);
-+ spin_unlock_irqrestore(&qp->scq->cq_lock, flags);
-+}
-+
- /* Queue Pairs */
- int bnxt_re_destroy_qp(struct ib_qp *ib_qp)
- {
- struct bnxt_re_qp *qp = container_of(ib_qp, struct bnxt_re_qp, ib_qp);
- struct bnxt_re_dev *rdev = qp->rdev;
- int rc;
-+ unsigned int flags;
-
-- bnxt_qplib_del_flush_qp(&qp->qplib_qp);
- rc = bnxt_qplib_destroy_qp(&rdev->qplib_res, &qp->qplib_qp);
- if (rc) {
- dev_err(rdev_to_dev(rdev), "Failed to destroy HW QP");
- return rc;
- }
-+
-+ flags = bnxt_re_lock_cqs(qp);
-+ bnxt_qplib_clean_qp(&qp->qplib_qp);
-+ bnxt_re_unlock_cqs(qp, flags);
-+ bnxt_qplib_free_qp_res(&rdev->qplib_res, &qp->qplib_qp);
-+
- if (ib_qp->qp_type == IB_QPT_GSI && rdev->qp1_sqp) {
- rc = bnxt_qplib_destroy_ah(&rdev->qplib_res,
- &rdev->sqp_ah->qplib_ah);
-@@ -825,7 +856,7 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_
- return rc;
- }
-
-- bnxt_qplib_del_flush_qp(&qp->qplib_qp);
-+ bnxt_qplib_clean_qp(&qp->qplib_qp);
- rc = bnxt_qplib_destroy_qp(&rdev->qplib_res,
- &rdev->qp1_sqp->qplib_qp);
- if (rc) {
-@@ -1085,6 +1116,7 @@ struct ib_qp *bnxt_re_create_qp(struct i
- goto fail;
- }
- qp->qplib_qp.scq = &cq->qplib_cq;
-+ qp->scq = cq;
- }
-
- if (qp_init_attr->recv_cq) {
-@@ -1096,6 +1128,7 @@ struct ib_qp *bnxt_re_create_qp(struct i
- goto fail;
- }
- qp->qplib_qp.rcq = &cq->qplib_cq;
-+ qp->rcq = cq;
- }
-
- if (qp_init_attr->srq) {
-@@ -1385,7 +1418,7 @@ int bnxt_re_modify_qp(struct ib_qp *ib_q
- dev_dbg(rdev_to_dev(rdev),
- "Move QP = %p out of flush list\n",
- qp);
-- bnxt_qplib_del_flush_qp(&qp->qplib_qp);
-+ bnxt_qplib_clean_qp(&qp->qplib_qp);
- }
- }
- if (qp_attr_mask & IB_QP_EN_SQD_ASYNC_NOTIFY) {
---- a/drivers/infiniband/hw/bnxt_re/ib_verbs.h
-+++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.h
-@@ -80,6 +80,8 @@ struct bnxt_re_qp {
- /* QP1 */
- u32 send_psn;
- struct ib_ud_header qp1_hdr;
-+ struct bnxt_re_cq *scq;
-+ struct bnxt_re_cq *rcq;
- };
-
- struct bnxt_re_cq {
---- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
-+++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
-@@ -115,7 +115,7 @@ void bnxt_qplib_add_flush_qp(struct bnxt
- }
- }
-
--void bnxt_qplib_del_flush_qp(struct bnxt_qplib_qp *qp)
-+void bnxt_qplib_clean_qp(struct bnxt_qplib_qp *qp)
- {
- struct bnxt_qplib_cq *scq, *rcq;
- unsigned long flags;
-@@ -1096,7 +1096,6 @@ int bnxt_qplib_destroy_qp(struct bnxt_qp
- struct bnxt_qplib_rcfw *rcfw = res->rcfw;
- struct cmdq_destroy_qp req;
- struct creq_destroy_qp_resp resp;
-- unsigned long flags;
- u16 cmd_flags = 0;
- int rc;
-
-@@ -1114,18 +1113,13 @@ int bnxt_qplib_destroy_qp(struct bnxt_qp
- return rc;
- }
-
-- /* Must walk the associated CQs to nullified the QP ptr */
-- spin_lock_irqsave(&qp->scq->hwq.lock, flags);
-+ return 0;
-+}
-
-- __clean_cq(qp->scq, (u64)(unsigned long)qp);
-
-- if (qp->rcq && qp->rcq != qp->scq) {
-- spin_lock(&qp->rcq->hwq.lock);
-- __clean_cq(qp->rcq, (u64)(unsigned long)qp);
-- spin_unlock(&qp->rcq->hwq.lock);
-- }
--
-- spin_unlock_irqrestore(&qp->scq->hwq.lock, flags);
-+void bnxt_qplib_free_qp_res(struct bnxt_qplib_res *res,
-+ struct bnxt_qplib_qp *qp)
-+{
-
- bnxt_qplib_free_qp_hdr_buf(res, qp);
- bnxt_qplib_free_hwq(res->pdev, &qp->sq.hwq);
-@@ -1139,7 +1133,6 @@ int bnxt_qplib_destroy_qp(struct bnxt_qp
- if (qp->orrq.max_elements)
- bnxt_qplib_free_hwq(res->pdev, &qp->orrq);
-
-- return 0;
- }
-
- void *bnxt_qplib_get_qp1_sq_buf(struct bnxt_qplib_qp *qp,
---- a/drivers/infiniband/hw/bnxt_re/qplib_fp.h
-+++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.h
-@@ -449,6 +449,9 @@ int bnxt_qplib_create_qp(struct bnxt_qpl
- int bnxt_qplib_modify_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp);
- int bnxt_qplib_query_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp);
- int bnxt_qplib_destroy_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp);
-+void bnxt_qplib_clean_qp(struct bnxt_qplib_qp *qp);
-+void bnxt_qplib_free_qp_res(struct bnxt_qplib_res *res,
-+ struct bnxt_qplib_qp *qp);
- void *bnxt_qplib_get_qp1_sq_buf(struct bnxt_qplib_qp *qp,
- struct bnxt_qplib_sge *sge);
- void *bnxt_qplib_get_qp1_rq_buf(struct bnxt_qplib_qp *qp,
-@@ -470,7 +473,6 @@ void bnxt_qplib_req_notify_cq(struct bnx
- void bnxt_qplib_free_nq(struct bnxt_qplib_nq *nq);
- int bnxt_qplib_alloc_nq(struct pci_dev *pdev, struct bnxt_qplib_nq *nq);
- void bnxt_qplib_add_flush_qp(struct bnxt_qplib_qp *qp);
--void bnxt_qplib_del_flush_qp(struct bnxt_qplib_qp *qp);
- int bnxt_qplib_process_flush_list(struct bnxt_qplib_cq *cq,
- struct bnxt_qplib_cqe *cqe,
- int num_cqes);
diff --git a/patches.drivers/bnxt_re-Fix-couple-of-memory-leaks-that-could-lead-t.patch b/patches.drivers/bnxt_re-Fix-couple-of-memory-leaks-that-could-lead-t.patch
deleted file mode 100644
index c247b20a9c..0000000000
--- a/patches.drivers/bnxt_re-Fix-couple-of-memory-leaks-that-could-lead-t.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From: Somnath Kotur <somnath.kotur@broadcom.com>
-Date: Wed, 5 Sep 2018 13:20:34 +0530
-Subject: bnxt_re: Fix couple of memory leaks that could lead to IOMMU call
- traces
-Patch-mainline: v4.19-rc4
-Git-commit: f40f299bbe806a2e2c8b0d7cdda822fa3bdd171b
-References: bsc#1020413, FATE#321905
-
-1. DMA-able memory allocated for Shadow QP was not being freed.
-2. bnxt_qplib_alloc_qp_hdr_buf() had a bug wherein the SQ pointer was
- erroneously pointing to the RQ. But since the corresponding
- free_qp_hdr_buf() was correct, memory being free was less than what was
- allocated.
-
-Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
-Signed-off-by: Somnath Kotur <somnath.kotur@broadcom.com>
-Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
-Acked-by: Denis Kirjanov <dkirjanov@suse.com>
----
- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 ++
- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 +-
- 2 files changed, 3 insertions(+), 1 deletion(-)
---- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
-+++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
-@@ -864,6 +864,8 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_
- "Failed to destroy Shadow QP");
- return rc;
- }
-+ bnxt_qplib_free_qp_res(&rdev->qplib_res,
-+ &rdev->qp1_sqp->qplib_qp);
- mutex_lock(&rdev->qp_lock);
- list_del(&rdev->qp1_sqp->list);
- atomic_dec(&rdev->qp_count);
---- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
-+++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
-@@ -186,7 +186,7 @@ static int bnxt_qplib_alloc_qp_hdr_buf(s
- struct bnxt_qplib_qp *qp)
- {
- struct bnxt_qplib_q *rq = &qp->rq;
-- struct bnxt_qplib_q *sq = &qp->rq;
-+ struct bnxt_qplib_q *sq = &qp->sq;
- int rc = 0;
-
- if (qp->sq_hdr_buf_size && sq->hwq.max_elements) {
diff --git a/patches.drivers/dm-thin-fix-a-race-condition-between-discarding-and-.patch b/patches.drivers/dm-thin-fix-a-race-condition-between-discarding-and-.patch
index b637ef06b9..f7f9cfc366 100644
--- a/patches.drivers/dm-thin-fix-a-race-condition-between-discarding-and-.patch
+++ b/patches.drivers/dm-thin-fix-a-race-condition-between-discarding-and-.patch
@@ -28,16 +28,14 @@ Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Acked-by: Hannes Reinecke <hare@suse.de>
---
- drivers/md/dm-thin-metadata.c | 30 +++++++++++++
- drivers/md/dm-thin-metadata.h | 3 ++
- drivers/md/dm-thin.c | 102 +++++++++++++++++++++++++++++++++++++-----
+ drivers/md/dm-thin-metadata.c | 30 ++++++++++++
+ drivers/md/dm-thin-metadata.h | 3 +
+ drivers/md/dm-thin.c | 102 +++++++++++++++++++++++++++++++++++++-----
3 files changed, 124 insertions(+), 11 deletions(-)
-diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c
-index 43824d7..a15091a 100644
--- a/drivers/md/dm-thin-metadata.c
+++ b/drivers/md/dm-thin-metadata.c
-@@ -1677,6 +1677,36 @@ int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *resu
+@@ -1703,6 +1703,36 @@ int dm_pool_block_is_used(struct dm_pool
return r;
}
@@ -74,11 +72,9 @@ index 43824d7..a15091a 100644
bool dm_thin_changed_this_transaction(struct dm_thin_device *td)
{
int r;
-diff --git a/drivers/md/dm-thin-metadata.h b/drivers/md/dm-thin-metadata.h
-index a938bab..35e954e 100644
--- a/drivers/md/dm-thin-metadata.h
+++ b/drivers/md/dm-thin-metadata.h
-@@ -197,6 +197,9 @@ int dm_pool_get_data_dev_size(struct dm_pool_metadata *pmd, dm_block_t *result);
+@@ -197,6 +197,9 @@ int dm_pool_get_data_dev_size(struct dm_
int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *result);
@@ -88,19 +84,17 @@ index a938bab..35e954e 100644
/*
* Returns -ENOSPC if the new size is too small and already allocated
* blocks would be lost.
-diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c
-index 5f9e3d7..197ea20 100644
--- a/drivers/md/dm-thin.c
+++ b/drivers/md/dm-thin.c
-@@ -253,6 +253,7 @@ struct pool {
- struct bio_list deferred_flush_bios;
+@@ -260,6 +260,7 @@ struct pool {
+ struct bio_list deferred_flush_completions;
struct list_head prepared_mappings;
struct list_head prepared_discards;
+ struct list_head prepared_discards_pt2;
struct list_head active_thins;
struct dm_deferred_set *shared_read_ds;
-@@ -269,6 +270,7 @@ struct pool {
+@@ -276,6 +277,7 @@ struct pool {
process_mapping_fn process_prepared_mapping;
process_mapping_fn process_prepared_discard;
@@ -108,7 +102,7 @@ index 5f9e3d7..197ea20 100644
struct dm_bio_prison_cell **cell_sort_array;
};
-@@ -1001,7 +1003,8 @@ static void process_prepared_discard_no_passdown(struct dm_thin_new_mapping *m)
+@@ -1041,7 +1043,8 @@ static void process_prepared_discard_no_
/*----------------------------------------------------------------*/
@@ -118,7 +112,7 @@ index 5f9e3d7..197ea20 100644
{
/*
* We've already unmapped this range of blocks, but before we
-@@ -1014,7 +1017,7 @@ static void passdown_double_checking_shared_status(struct dm_thin_new_mapping *m
+@@ -1054,7 +1057,7 @@ static void passdown_double_checking_sha
dm_block_t b = m->data_block, e, end = m->data_block + m->virt_end - m->virt_begin;
struct discard_op op;
@@ -127,7 +121,7 @@ index 5f9e3d7..197ea20 100644
while (b != end) {
/* find start of unmapped run */
for (; b < end; b++) {
-@@ -1049,28 +1052,101 @@ out:
+@@ -1089,28 +1092,101 @@ out:
end_discard(&op, r);
}
@@ -237,7 +231,7 @@ index 5f9e3d7..197ea20 100644
cell_defer_no_holder(tc, m->cell);
mempool_free(m, pool->mapping_pool);
}
-@@ -2215,6 +2291,8 @@ static void do_worker(struct work_struct *ws)
+@@ -2316,6 +2392,8 @@ static void do_worker(struct work_struct
throttle_work_update(&pool->throttle);
process_prepared(pool, &pool->prepared_discards, &pool->process_prepared_discard);
throttle_work_update(&pool->throttle);
@@ -246,7 +240,7 @@ index 5f9e3d7..197ea20 100644
process_deferred_bios(pool);
throttle_work_complete(&pool->throttle);
}
-@@ -2343,7 +2421,8 @@ static void set_discard_callbacks(struct pool *pool)
+@@ -2444,7 +2522,8 @@ static void set_discard_callbacks(struct
if (passdown_enabled(pt)) {
pool->process_discard_cell = process_discard_cell_passdown;
@@ -256,14 +250,11 @@ index 5f9e3d7..197ea20 100644
} else {
pool->process_discard_cell = process_discard_cell_no_passdown;
pool->process_prepared_discard = process_prepared_discard_no_passdown;
-@@ -2830,6 +2909,7 @@ static struct pool *pool_create(struct mapped_device *pool_md,
- bio_list_init(&pool->deferred_flush_bios);
+@@ -2933,6 +3012,7 @@ static struct pool *pool_create(struct m
+ bio_list_init(&pool->deferred_flush_completions);
INIT_LIST_HEAD(&pool->prepared_mappings);
INIT_LIST_HEAD(&pool->prepared_discards);
+ INIT_LIST_HEAD(&pool->prepared_discards_pt2);
INIT_LIST_HEAD(&pool->active_thins);
pool->low_water_triggered = false;
pool->suspended = true;
---
-1.8.5.6
-
diff --git a/patches.drivers/treewide-replace-dev-trans_start-update-with-helper.patch b/patches.drivers/treewide-replace-dev-trans_start-update-with-helper.patch
index 064e8a80c6..bd0a058849 100644
--- a/patches.drivers/treewide-replace-dev-trans_start-update-with-helper.patch
+++ b/patches.drivers/treewide-replace-dev-trans_start-update-with-helper.patch
@@ -284,7 +284,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
if (++priv->tx_outstanding == ipoib_sendq_size) {
--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
-@@ -633,7 +633,7 @@ void ipoib_send(struct net_device *dev,
+@@ -635,7 +635,7 @@ void ipoib_send(struct net_device *dev,
if (netif_queue_stopped(dev))
netif_wake_queue(dev);
} else {
@@ -379,7 +379,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
if (!test_bit(F_TX_WAIT_ALL, &priv->flags))
--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
-@@ -523,7 +523,7 @@ static void ems_usb_write_bulk_callback(
+@@ -525,7 +525,7 @@ static void ems_usb_write_bulk_callback(
if (urb->status)
netdev_info(netdev, "Tx URB aborted (%d)\n", urb->status);
@@ -388,7 +388,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
/* transmission complete interrupt */
netdev->stats.tx_packets++;
-@@ -837,7 +837,7 @@ static netdev_tx_t ems_usb_start_xmit(st
+@@ -839,7 +839,7 @@ static netdev_tx_t ems_usb_start_xmit(st
stats->tx_dropped++;
}
} else {
@@ -399,7 +399,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
if (atomic_read(&dev->active_tx_urbs) >= MAX_TX_URBS ||
--- a/drivers/net/can/usb/esd_usb2.c
+++ b/drivers/net/can/usb/esd_usb2.c
-@@ -480,7 +480,7 @@ static void esd_usb2_write_bulk_callback
+@@ -482,7 +482,7 @@ static void esd_usb2_write_bulk_callback
if (urb->status)
netdev_info(netdev, "Tx URB aborted (%d)\n", urb->status);
@@ -408,7 +408,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
}
static ssize_t show_firmware(struct device *d,
-@@ -820,7 +820,7 @@ static netdev_tx_t esd_usb2_start_xmit(s
+@@ -822,7 +822,7 @@ static netdev_tx_t esd_usb2_start_xmit(s
goto releasebuf;
}
@@ -773,7 +773,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
netif_tx_disable(alx->dev);
--- a/drivers/net/ethernet/broadcom/bcmsysport.c
+++ b/drivers/net/ethernet/broadcom/bcmsysport.c
-@@ -1128,7 +1128,7 @@ static void bcm_sysport_tx_timeout(struc
+@@ -1116,7 +1116,7 @@ static void bcm_sysport_tx_timeout(struc
{
netdev_warn(dev, "transmit timeout!\n");
@@ -784,7 +784,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
netif_tx_wake_all_queues(dev);
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
-@@ -3032,7 +3032,7 @@ static void bcmgenet_timeout(struct net_
+@@ -3083,7 +3083,7 @@ static void bcmgenet_timeout(struct net_
bcmgenet_intrl2_0_writel(priv, int0_enable, INTRL2_CPU_MASK_CLEAR);
bcmgenet_intrl2_1_writel(priv, int1_enable, INTRL2_CPU_MASK_CLEAR);
@@ -826,7 +826,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
stats->tx_done++;
stats->tx_tot_bytes += skb->len;
-@@ -2930,7 +2930,7 @@ static void liquidio_tx_timeout(struct n
+@@ -2931,7 +2931,7 @@ static void liquidio_tx_timeout(struct n
netif_info(lio, tx_err, lio->netdev,
"Transmit timeout tx_dropped:%ld, waking up queues now!!\n",
netdev->stats.tx_dropped);
@@ -1032,7 +1032,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
}
--- a/drivers/net/ethernet/freescale/gianfar.c
+++ b/drivers/net/ethernet/freescale/gianfar.c
-@@ -2077,7 +2077,7 @@ void gfar_start(struct gfar_private *pri
+@@ -2079,7 +2079,7 @@ void gfar_start(struct gfar_private *pri
gfar_ints_enable(priv);
@@ -1094,7 +1094,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
hns_nic_net_reinit(priv->netdev);
--- a/drivers/net/ethernet/hp/hp100.c
+++ b/drivers/net/ethernet/hp/hp100.c
-@@ -1106,7 +1106,7 @@ static int hp100_open(struct net_device
+@@ -1102,7 +1102,7 @@ static int hp100_open(struct net_device
return -EAGAIN;
}
@@ -1156,7 +1156,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
mal_poll_disable(dev->mal, &dev->commac);
netif_tx_disable(dev->ndev);
}
-@@ -1377,7 +1377,7 @@ static inline int emac_xmit_finish(struc
+@@ -1395,7 +1395,7 @@ static inline int emac_xmit_finish(struc
DBG2(dev, "stopped TX queue" NL);
}
@@ -1397,7 +1397,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
--- a/drivers/net/ethernet/qualcomm/qca_spi.c
+++ b/drivers/net/ethernet/qualcomm/qca_spi.c
-@@ -719,7 +719,7 @@ qcaspi_netdev_xmit(struct sk_buff *skb,
+@@ -720,7 +720,7 @@ qcaspi_netdev_xmit(struct sk_buff *skb,
qca->stats.ring_full++;
}
@@ -1570,7 +1570,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
--- a/drivers/net/ethernet/sun/niu.c
+++ b/drivers/net/ethernet/sun/niu.c
-@@ -6431,7 +6431,7 @@ static int niu_ioctl(struct net_device *
+@@ -6430,7 +6430,7 @@ static int niu_ioctl(struct net_device *
static void niu_netif_stop(struct niu *np)
{
@@ -1581,7 +1581,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
--- a/drivers/net/ethernet/sun/sungem.c
+++ b/drivers/net/ethernet/sun/sungem.c
-@@ -227,7 +227,7 @@ static void gem_put_cell(struct gem *gp)
+@@ -226,7 +226,7 @@ static void gem_put_cell(struct gem *gp)
static inline void gem_netif_stop(struct gem *gp)
{
@@ -1623,7 +1623,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
ndev->stats.tx_bytes += skb->len;
--- a/drivers/net/ethernet/ti/cpsw.c
+++ b/drivers/net/ethernet/ti/cpsw.c
-@@ -1389,7 +1389,7 @@ static netdev_tx_t cpsw_ndo_start_xmit(s
+@@ -1414,7 +1414,7 @@ static netdev_tx_t cpsw_ndo_start_xmit(s
struct cpsw_priv *priv = netdev_priv(ndev);
int ret;
@@ -1742,7 +1742,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
/**
--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c
+++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c
-@@ -531,7 +531,7 @@ static void xemaclite_tx_timeout(struct
+@@ -543,7 +543,7 @@ static void xemaclite_tx_timeout(struct
}
/* To exclude tx timeout */
@@ -1751,7 +1751,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
/* We're all ready to go. Start the queue */
netif_wake_queue(dev);
-@@ -563,7 +563,7 @@ static void xemaclite_tx_handler(struct
+@@ -575,7 +575,7 @@ static void xemaclite_tx_handler(struct
dev->stats.tx_bytes += lp->deferred_skb->len;
dev_kfree_skb_irq(lp->deferred_skb);
lp->deferred_skb = NULL;
@@ -1773,7 +1773,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
--- a/drivers/net/fjes/fjes_main.c
+++ b/drivers/net/fjes/fjes_main.c
-@@ -702,7 +702,7 @@ fjes_xmit_frame(struct sk_buff *skb, str
+@@ -705,7 +705,7 @@ fjes_xmit_frame(struct sk_buff *skb, str
ret = NETDEV_TX_OK;
} else {
@@ -2015,7 +2015,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
netif_wake_queue(catc->netdev);
--- a/drivers/net/usb/kaweth.c
+++ b/drivers/net/usb/kaweth.c
-@@ -938,7 +938,7 @@ static void kaweth_tx_timeout(struct net
+@@ -932,7 +932,7 @@ static void kaweth_tx_timeout(struct net
dev_warn(&net->dev, "%s: Tx timed out. Resetting.\n", net->name);
kaweth->stats.tx_errors++;
@@ -2026,7 +2026,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
}
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
-@@ -2661,7 +2661,7 @@ gso_skb:
+@@ -2651,7 +2651,7 @@ gso_skb:
ret = usb_submit_urb(urb, GFP_ATOMIC);
switch (ret) {
case 0:
@@ -2035,7 +2035,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
lan78xx_queue_skb(&dev->txq, skb, tx_start);
if (skb_queue_len(&dev->txq) >= dev->tx_qlen)
netif_stop_queue(dev->net);
-@@ -3303,7 +3303,7 @@ int lan78xx_resume(struct usb_interface
+@@ -3293,7 +3293,7 @@ int lan78xx_resume(struct usb_interface
usb_free_urb(res);
usb_autopm_put_interface_async(dev->intf);
} else {
@@ -2046,7 +2046,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
}
--- a/drivers/net/usb/pegasus.c
+++ b/drivers/net/usb/pegasus.c
-@@ -615,7 +615,7 @@ static void write_bulk_callback(struct u
+@@ -636,7 +636,7 @@ static void write_bulk_callback(struct u
break;
}
@@ -2057,7 +2057,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
-@@ -451,7 +451,7 @@ static void write_bulk_callback(struct u
+@@ -471,7 +471,7 @@ static void write_bulk_callback(struct u
if (status)
dev_info(&urb->dev->dev, "%s: Tx status %d\n",
dev->netdev->name, status);
@@ -2066,7 +2066,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
netif_wake_queue(dev->netdev);
}
-@@ -694,7 +694,7 @@ static netdev_tx_t rtl8150_start_xmit(st
+@@ -714,7 +714,7 @@ static netdev_tx_t rtl8150_start_xmit(st
} else {
netdev->stats.tx_packets++;
netdev->stats.tx_bytes += skb->len;
@@ -2077,7 +2077,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
return NETDEV_TX_OK;
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
-@@ -1412,7 +1412,7 @@ netdev_tx_t usbnet_start_xmit (struct sk
+@@ -1413,7 +1413,7 @@ netdev_tx_t usbnet_start_xmit (struct sk
"tx: submit urb err %d\n", retval);
break;
case 0:
@@ -2086,7 +2086,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
__usbnet_queue_skb(&dev->txq, skb, tx_start);
if (dev->txq.qlen >= TX_QLEN (dev))
netif_stop_queue (net);
-@@ -1841,7 +1841,7 @@ int usbnet_resume (struct usb_interface
+@@ -1842,7 +1842,7 @@ int usbnet_resume (struct usb_interface
usb_free_urb(res);
usb_autopm_put_interface_async(dev->intf);
} else {
@@ -2215,7 +2215,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
priv->fids[fid] &= 0xffff;
--- a/drivers/net/wireless/hostap/hostap_hw.c
+++ b/drivers/net/wireless/hostap/hostap_hw.c
-@@ -1789,7 +1789,7 @@ static int prism2_transmit(struct net_de
+@@ -1794,7 +1794,7 @@ static int prism2_transmit(struct net_de
netif_wake_queue(dev);
return -1;
}
@@ -2454,7 +2454,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
/* count only the packet payload */
--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
-@@ -2679,7 +2679,7 @@ static int gsm_mux_net_start_xmit(struct
+@@ -2700,7 +2700,7 @@ static int gsm_mux_net_start_xmit(struct
STATS(net).tx_bytes += skb->len;
gsm_dlci_data_kick(dlci);
/* And tell the kernel when the last transmit started. */
@@ -2525,7 +2525,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
/* inform generic HDLC layer of current DCD status */
--- a/drivers/usb/gadget/function/u_ether.c
+++ b/drivers/usb/gadget/function/u_ether.c
-@@ -600,7 +600,7 @@ static netdev_tx_t eth_start_xmit(struct
+@@ -590,7 +590,7 @@ static netdev_tx_t eth_start_xmit(struct
DBG(dev, "tx queue err %d\n", retval);
break;
case 0:
@@ -2536,7 +2536,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
-@@ -194,7 +194,7 @@ lec_send(struct atm_vcc *vcc, struct sk_
+@@ -197,7 +197,7 @@ lec_send(struct atm_vcc *vcc, struct sk_
static void lec_tx_timeout(struct net_device *dev)
{
pr_info("%s\n", dev->name);
@@ -2545,7 +2545,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
netif_wake_queue(dev);
}
-@@ -324,7 +324,7 @@ static netdev_tx_t lec_start_xmit(struct
+@@ -327,7 +327,7 @@ static netdev_tx_t lec_start_xmit(struct
out:
if (entry)
lec_arp_put(entry);
@@ -2563,8 +2563,8 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com>
- soft_iface->trans_start = jiffies;
+ netif_trans_update(soft_iface);
vid = batadv_get_vid(skb, 0);
- ethhdr = eth_hdr(skb);
+ skb_reset_mac_header(skb);
--- a/net/bluetooth/bnep/netdev.c
+++ b/net/bluetooth/bnep/netdev.c
@@ -188,7 +188,7 @@ static netdev_tx_t bnep_net_xmit(struct
diff --git a/patches.fixes/0001-KVM-VMX-Fix-x2apic-check-in-vmx_msr_bitmap_mode.patch b/patches.fixes/0001-KVM-VMX-Fix-x2apic-check-in-vmx_msr_bitmap_mode.patch
new file mode 100644
index 0000000000..2b2234c853
--- /dev/null
+++ b/patches.fixes/0001-KVM-VMX-Fix-x2apic-check-in-vmx_msr_bitmap_mode.patch
@@ -0,0 +1,51 @@
+From 4265b6f6e5f5e2bba956e36f74aeb1411c3bffb4 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Thu, 21 Feb 2019 13:43:19 +0100
+Subject: [PATCH] KVM: VMX: Fix x2apic check in vmx_msr_bitmap_mode()
+Patch-mainline: No, submitted for inclusion to stable-4.4.y
+References: bsc#1124166
+
+The stable backport of upstream commit
+
+ 904e14fb7cb96 KVM: VMX: make MSR bitmaps per-VCPU
+
+has a bug in vmx_msr_bitmap_mode(). It enables the x2apic
+MSR-bitmap when the kernel emulates x2apic for the guest in
+software. The upstream version of the commit checkes whether
+the hardware has virtualization enabled for x2apic
+emulation.
+
+Since KVM emulates x2apic for guests even when the host does
+not support x2apic in hardware, this causes the intercept of
+at least the X2APIC_TASKPRI MSR to be disabled on machines
+not supporting that MSR. The result is undefined behavior,
+on some machines (Intel Westmere based) it causes a crash of
+the guest kernel when it tries to access that MSR.
+
+Change the check in vmx_msr_bitmap_mode() to match the upstream
+code. This fixes the guest crashes observed with stable
+kernels starting with v4.4.168 through v4.4.175.
+
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/vmx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index aee2886a387c..14553f6c03a6 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -4628,7 +4628,9 @@ static u8 vmx_msr_bitmap_mode(struct kvm_vcpu *vcpu)
+ {
+ u8 mode = 0;
+
+- if (irqchip_in_kernel(vcpu->kvm) && apic_x2apic_mode(vcpu->arch.apic)) {
++ if (cpu_has_secondary_exec_ctrls() &&
++ (vmcs_read32(SECONDARY_VM_EXEC_CONTROL) &
++ SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE)) {
+ mode |= MSR_BITMAP_MODE_X2APIC;
+ if (enable_apicv)
+ mode |= MSR_BITMAP_MODE_X2APIC_APICV;
+--
+2.16.3
+
diff --git a/patches.fixes/0001-KVM-VMX-Missing-part-of-upstream-commit-904e14fb7cb9.patch b/patches.fixes/0001-KVM-VMX-Missing-part-of-upstream-commit-904e14fb7cb9.patch
new file mode 100644
index 0000000000..3a0c97175f
--- /dev/null
+++ b/patches.fixes/0001-KVM-VMX-Missing-part-of-upstream-commit-904e14fb7cb9.patch
@@ -0,0 +1,36 @@
+From c2c190f127d51fe1067687aa7bb1cd26613ba914 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Thu, 21 Feb 2019 14:49:58 +0100
+Subject: [PATCH] KVM: VMX: Missing part of upstream commit 904e14fb7cb9
+Git-commit: 904e14fb7cb96401a7dc803ca2863fd5ba32ffe6
+Patch-mainline: v4.16-rc1
+References: bsc#1124166
+
+Stable backport of upstream commit removed the check added
+here because stable-4.4.y does not have support for per-vcpu
+apicv disabling.
+
+SLE12-SP3 adds support for this so we need to add the check
+too.
+
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 14553f6c03a6..e28b67e33300 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -4632,7 +4632,7 @@ static u8 vmx_msr_bitmap_mode(struct kvm_vcpu *vcpu)
+ (vmcs_read32(SECONDARY_VM_EXEC_CONTROL) &
+ SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE)) {
+ mode |= MSR_BITMAP_MODE_X2APIC;
+- if (enable_apicv)
++ if (enable_apicv && kvm_vcpu_apicv_active(vcpu))
+ mode |= MSR_BITMAP_MODE_X2APIC_APICV;
+ }
+
+--
+2.16.3
+
diff --git a/patches.kabi/kabi-protect-kfifo-include-in-hid-debug.patch b/patches.kabi/kabi-protect-kfifo-include-in-hid-debug.patch
new file mode 100644
index 0000000000..b489dad6f2
--- /dev/null
+++ b/patches.kabi/kabi-protect-kfifo-include-in-hid-debug.patch
@@ -0,0 +1,42 @@
+From: Jiri Slaby <jslaby@suse.cz>
+Subject: kABI: protect linux/kfifo.h include in hid-debug
+Patch-mainline: never, kabi
+References: kabi
+
+In 4.4.175, commit b661fff5f8a0f19824df91cc3905ba2c5b54dc87 (HID:
+debug: fix the ring buffer implementation), upstream commit
+13054abbaa4f1fd4e6f3b4b63439ec033b4c8035 added linux/kfifo.h include
+to hid-debug.c and it made some of the symbols defined.
+
+Protect the include by __GENKSYMS__ to satisfy the kABI checker.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/hid/hid-debug.c | 2 ++
+ include/linux/hid-debug.h | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/hid/hid-debug.c
++++ b/drivers/hid/hid-debug.c
+@@ -30,7 +30,9 @@
+
+ #include <linux/debugfs.h>
+ #include <linux/seq_file.h>
++#ifndef __GENKSYMS__
+ #include <linux/kfifo.h>
++#endif
+ #include <linux/sched.h>
+ #include <linux/export.h>
+ #include <linux/slab.h>
+--- a/include/linux/hid-debug.h
++++ b/include/linux/hid-debug.h
+@@ -24,7 +24,9 @@
+
+ #ifdef CONFIG_DEBUG_FS
+
++#ifndef __GENKSYMS__
+ #include <linux/kfifo.h>
++#endif
+
+ #define HID_DEBUG_BUFSIZE 512
+ #define HID_DEBUG_FIFOSIZE 512
diff --git a/patches.kabi/kabi-protect-struct-hda_bus.patch b/patches.kabi/kabi-protect-struct-hda_bus.patch
new file mode 100644
index 0000000000..b2ee7f97e5
--- /dev/null
+++ b/patches.kabi/kabi-protect-struct-hda_bus.patch
@@ -0,0 +1,30 @@
+From: Jiri Slaby <jslaby@suse.cz>
+Subject: kABI: protect struct hda_bus
+Patch-mainline: never, kabi
+References: kabi
+
+In 4.4.175, commit 71ce2e8957ff6eed31953f54a02fc3bd083f0d26 (ALSA: hda
+- Serialize codec registrations), upstream commit
+305a0ade180981686eec1f92aa6252a7c6ebb1cf added a bit to struct
+hda_bus. It made the kABI checker to complain.
+
+Given this is only an HDA's internal header, just hide the change from
+the kABI checker.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/pci/hda/hda_codec.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/hda_codec.h
++++ b/sound/pci/hda/hda_codec.h
+@@ -68,7 +68,9 @@ struct hda_bus {
+ unsigned int response_reset:1; /* controller was reset */
+ unsigned int in_reset:1; /* during reset operation */
+ unsigned int no_response_fallback:1; /* don't fallback at RIRB error */
++#ifndef __GENKSYMS__
+ unsigned int bus_probing :1; /* during probing process */
++#endif
+
+ int primary_dig_out_type; /* primary digital out PCM type */
+ unsigned int mixer_assigned; /* codec addr for mixer name */
diff --git a/patches.kabi/revert-most-of-4.4.174.patch b/patches.kabi/revert-most-of-4.4.174.patch
index 4e28ab44df..f2de9d895d 100644
--- a/patches.kabi/revert-most-of-4.4.174.patch
+++ b/patches.kabi/revert-most-of-4.4.174.patch
@@ -43,29 +43,30 @@ ca26893f05e8 (rhashtable: Add rhashtable_lookup())
093ba72914b6 (inet: frags: add a pointer to struct netns_frags)
5eb2471ef43e (inet: frags: change inet_frags_init_net() return value)
+And this 4.4.175 commit:
+29c84aa9f2a2 (Documentation/network: reword kernel version reference)
+
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
- Documentation/networking/ip-sysctl.txt | 13 +-
- include/linux/rhashtable.h | 143 ++----
- include/linux/skbuff.h | 16 +-
- include/net/inet_frag.h | 133 +++---
- include/net/ip.h | 1 +
- include/net/ipv6.h | 26 +-
- include/uapi/linux/snmp.h | 1 -
- lib/rhashtable.c | 15 +-
- net/core/skbuff.c | 21 +-
- net/ieee802154/6lowpan/6lowpan_i.h | 26 +-
- net/ieee802154/6lowpan/reassembly.c | 148 +++---
- net/ipv4/inet_fragment.c | 389 ++++++++++++----
- net/ipv4/ip_fragment.c | 571 +++++++++++-------------
- net/ipv4/proc.c | 7 +-
- net/ipv6/netfilter/nf_conntrack_reasm.c | 100 +++--
- net/ipv6/proc.c | 5 +-
- net/ipv6/reassembly.c | 209 +++++----
- 17 files changed, 959 insertions(+), 865 deletions(-)
+ Documentation/networking/ip-sysctl.txt | 11
+ include/linux/rhashtable.h | 143 +-------
+ include/linux/skbuff.h | 16
+ include/net/inet_frag.h | 133 +++----
+ include/net/ip.h | 1
+ include/net/ipv6.h | 26 +
+ include/uapi/linux/snmp.h | 1
+ lib/rhashtable.c | 15
+ net/core/skbuff.c | 21 -
+ net/ieee802154/6lowpan/6lowpan_i.h | 26 +
+ net/ieee802154/6lowpan/reassembly.c | 150 ++++----
+ net/ipv4/inet_fragment.c | 387 ++++++++++++++++-----
+ net/ipv4/ip_fragment.c | 571 ++++++++++++++------------------
+ net/ipv4/proc.c | 7
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 96 +++--
+ net/ipv6/proc.c | 5
+ net/ipv6/reassembly.c | 211 +++++------
+ 17 files changed, 957 insertions(+), 863 deletions(-)
-diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
-index 7c229f59016f..2ea4c45cf1c8 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -112,11 +112,14 @@ min_adv_mss - INTEGER
@@ -74,22 +75,19 @@ index 7c229f59016f..2ea4c45cf1c8 100644
-ipfrag_high_thresh - LONG INTEGER
- Maximum memory used to reassemble IP fragments.
--
--ipfrag_low_thresh - LONG INTEGER
-- (Obsolete since linux-4.17)
+ipfrag_high_thresh - INTEGER
+ Maximum memory used to reassemble IP fragments. When
+ ipfrag_high_thresh bytes of memory is allocated for this purpose,
+ the fragment handler will toss packets until ipfrag_low_thresh
+ is reached. This also serves as a maximum limit to namespaces
+ different from the initial one.
-+
+
+-ipfrag_low_thresh - LONG INTEGER
+- (Obsolete since linux-4.4.174, backported from linux-4.17)
+ipfrag_low_thresh - INTEGER
Maximum memory used to reassemble IP fragments before the kernel
begins to remove incomplete fragment queues to free up resources.
The kernel still accepts new fragments for defragmentation.
-diff --git a/include/linux/rhashtable.h b/include/linux/rhashtable.h
-index e97cdfd6cba9..e50b31d18462 100644
--- a/include/linux/rhashtable.h
+++ b/include/linux/rhashtable.h
@@ -133,23 +133,23 @@ struct rhashtable_params {
@@ -118,7 +116,7 @@ index e97cdfd6cba9..e50b31d18462 100644
};
/**
-@@ -343,8 +343,7 @@ int rhashtable_init(struct rhashtable *ht,
+@@ -343,8 +343,7 @@ int rhashtable_init(struct rhashtable *h
struct bucket_table *rhashtable_insert_slow(struct rhashtable *ht,
const void *key,
struct rhash_head *obj,
@@ -128,7 +126,7 @@ index e97cdfd6cba9..e50b31d18462 100644
int rhashtable_insert_rehash(struct rhashtable *ht, struct bucket_table *tbl);
int rhashtable_walk_init(struct rhashtable *ht, struct rhashtable_iter *iter);
-@@ -515,8 +514,18 @@ static inline int rhashtable_compare(struct rhashtable_compare_arg *arg,
+@@ -515,8 +514,18 @@ static inline int rhashtable_compare(str
return memcmp(ptr + ht->p.key_offset, arg->key, ht->p.key_len);
}
@@ -149,7 +147,7 @@ index e97cdfd6cba9..e50b31d18462 100644
struct rhashtable *ht, const void *key,
const struct rhashtable_params params)
{
-@@ -528,6 +537,8 @@ static inline struct rhash_head *__rhashtable_lookup(
+@@ -528,6 +537,8 @@ static inline struct rhash_head *__rhash
struct rhash_head *he;
unsigned int hash;
@@ -236,7 +234,7 @@ index e97cdfd6cba9..e50b31d18462 100644
struct rhashtable *ht, const void *key, struct rhash_head *obj,
const struct rhashtable_params params)
{
-@@ -615,7 +576,6 @@ static inline void *__rhashtable_insert_fast(
+@@ -615,7 +576,6 @@ static inline void *__rhashtable_insert_
spinlock_t *lock;
unsigned int elasticity;
unsigned int hash;
@@ -300,7 +298,7 @@ index e97cdfd6cba9..e50b31d18462 100644
}
/**
-@@ -717,13 +674,7 @@ static inline int rhashtable_insert_fast(
+@@ -717,13 +674,7 @@ static inline int rhashtable_insert_fast
struct rhashtable *ht, struct rhash_head *obj,
const struct rhashtable_params params)
{
@@ -315,7 +313,7 @@ index e97cdfd6cba9..e50b31d18462 100644
}
/**
-@@ -752,15 +703,11 @@ static inline int rhashtable_lookup_insert_fast(
+@@ -752,15 +703,11 @@ static inline int rhashtable_lookup_inse
const struct rhashtable_params params)
{
const char *key = rht_obj(ht, obj);
@@ -333,11 +331,10 @@ index e97cdfd6cba9..e50b31d18462 100644
}
/**
-@@ -788,32 +735,6 @@ static inline int rhashtable_lookup_insert_fast(
- static inline int rhashtable_lookup_insert_key(
+@@ -789,32 +736,6 @@ static inline int rhashtable_lookup_inse
struct rhashtable *ht, const void *key, struct rhash_head *obj,
const struct rhashtable_params params)
--{
+ {
- void *ret;
-
- BUG_ON(!ht->p.obj_hashfn || !key);
@@ -363,11 +360,10 @@ index e97cdfd6cba9..e50b31d18462 100644
-static inline void *rhashtable_lookup_get_insert_key(
- struct rhashtable *ht, const void *key, struct rhash_head *obj,
- const struct rhashtable_params params)
- {
+-{
BUG_ON(!ht->p.obj_hashfn || !key);
-diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
-index 502787c29ce9..6d39d81d3c38 100644
+ return __rhashtable_insert_fast(ht, key, obj, params);
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -556,14 +556,9 @@ struct sk_buff {
@@ -387,7 +383,7 @@ index 502787c29ce9..6d39d81d3c38 100644
struct net_device *dev;
/*
-@@ -2278,7 +2273,7 @@ static inline void __skb_queue_purge(struct sk_buff_head *list)
+@@ -2278,7 +2273,7 @@ static inline void __skb_queue_purge(str
kfree_skb(skb);
}
@@ -396,7 +392,7 @@ index 502787c29ce9..6d39d81d3c38 100644
void *netdev_alloc_frag(unsigned int fragsz);
-@@ -2796,7 +2791,6 @@ static inline unsigned char *skb_push_rcsum(struct sk_buff *skb,
+@@ -2796,7 +2791,6 @@ static inline unsigned char *skb_push_rc
return skb->data;
}
@@ -404,7 +400,7 @@ index 502787c29ce9..6d39d81d3c38 100644
/**
* pskb_trim_rcsum - trim received skb and update checksum
* @skb: buffer to trim
-@@ -2811,7 +2805,9 @@ static inline int pskb_trim_rcsum(struct sk_buff *skb, unsigned int len)
+@@ -2811,7 +2805,9 @@ static inline int pskb_trim_rcsum(struct
{
if (likely(len >= skb->len))
return 0;
@@ -415,8 +411,6 @@ index 502787c29ce9..6d39d81d3c38 100644
}
#define rb_to_skb(rb) rb_entry_safe(rb, struct sk_buff, rbnode)
-diff --git a/include/net/inet_frag.h b/include/net/inet_frag.h
-index 6260ec146142..c26a6e4dc306 100644
--- a/include/net/inet_frag.h
+++ b/include/net/inet_frag.h
@@ -1,19 +1,13 @@
@@ -627,11 +621,9 @@ index 6260ec146142..c26a6e4dc306 100644
}
/* RFC 3168 support :
-diff --git a/include/net/ip.h b/include/net/ip.h
-index 7b968927477d..0530bcdbc212 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
-@@ -524,6 +524,7 @@ static inline struct sk_buff *ip_check_defrag(struct net *net, struct sk_buff *s
+@@ -524,6 +524,7 @@ static inline struct sk_buff *ip_check_d
return skb;
}
#endif
@@ -639,11 +631,9 @@ index 7b968927477d..0530bcdbc212 100644
/*
* Functions provided by ip_forward.c
-diff --git a/include/net/ipv6.h b/include/net/ipv6.h
-index c07cf9596b6f..0e01d570fa22 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
-@@ -320,6 +320,13 @@ static inline bool ipv6_accept_ra(struct inet6_dev *idev)
+@@ -320,6 +320,13 @@ static inline bool ipv6_accept_ra(struct
idev->cnf.accept_ra;
}
@@ -676,7 +666,7 @@ index c07cf9596b6f..0e01d570fa22 100644
/*
* Equivalent of ipv4 struct ip
-@@ -507,13 +523,19 @@ extern const struct rhashtable_params ip6_rhash_params;
+@@ -507,13 +523,19 @@ extern const struct rhashtable_params ip
struct frag_queue {
struct inet_frag_queue q;
@@ -697,8 +687,6 @@ index c07cf9596b6f..0e01d570fa22 100644
static inline bool ipv6_addr_any(const struct in6_addr *a)
{
-diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h
-index 9de808ebce05..25a9ad8bcef1 100644
--- a/include/uapi/linux/snmp.h
+++ b/include/uapi/linux/snmp.h
@@ -55,7 +55,6 @@ enum
@@ -709,11 +697,9 @@ index 9de808ebce05..25a9ad8bcef1 100644
__IPSTATS_MIB_MAX
};
-diff --git a/lib/rhashtable.c b/lib/rhashtable.c
-index 7bb8649429bf..37ea94b636a3 100644
--- a/lib/rhashtable.c
+++ b/lib/rhashtable.c
-@@ -250,10 +250,8 @@ static int rhashtable_rehash_table(struct rhashtable *ht)
+@@ -250,10 +250,8 @@ static int rhashtable_rehash_table(struc
if (!new_tbl)
return 0;
@@ -725,7 +711,7 @@ index 7bb8649429bf..37ea94b636a3 100644
/* Publish the new table pointer. */
rcu_assign_pointer(ht->tbl, new_tbl);
-@@ -443,8 +441,7 @@ EXPORT_SYMBOL_GPL(rhashtable_insert_rehash);
+@@ -443,8 +441,7 @@ EXPORT_SYMBOL_GPL(rhashtable_insert_reha
struct bucket_table *rhashtable_insert_slow(struct rhashtable *ht,
const void *key,
struct rhash_head *obj,
@@ -735,7 +721,7 @@ index 7bb8649429bf..37ea94b636a3 100644
{
struct rhash_head *head;
unsigned int hash;
-@@ -455,11 +452,8 @@ struct bucket_table *rhashtable_insert_slow(struct rhashtable *ht,
+@@ -455,11 +452,8 @@ struct bucket_table *rhashtable_insert_s
spin_lock_nested(rht_bucket_lock(tbl, hash), SINGLE_DEPTH_NESTING);
err = -EEXIST;
@@ -749,7 +735,7 @@ index 7bb8649429bf..37ea94b636a3 100644
err = -E2BIG;
if (unlikely(rht_grow_above_max(ht, tbl)))
-@@ -844,7 +838,6 @@ void rhashtable_free_and_destroy(struct rhashtable *ht,
+@@ -844,7 +838,6 @@ void rhashtable_free_and_destroy(struct
for (i = 0; i < tbl->size; i++) {
struct rhash_head *pos, *next;
@@ -757,8 +743,6 @@ index 7bb8649429bf..37ea94b636a3 100644
for (pos = rht_dereference(tbl->buckets[i], ht),
next = !rht_is_a_nulls(pos) ?
rht_dereference(pos->next, ht) : NULL;
-diff --git a/net/core/skbuff.c b/net/core/skbuff.c
-index fea7c24e99d0..8a57bbaf7452 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1502,21 +1502,6 @@ done:
@@ -812,11 +796,9 @@ index fea7c24e99d0..8a57bbaf7452 100644
}
/**
-diff --git a/net/ieee802154/6lowpan/6lowpan_i.h b/net/ieee802154/6lowpan/6lowpan_i.h
-index fdbebe51446f..b4e17a7c0df0 100644
--- a/net/ieee802154/6lowpan/6lowpan_i.h
+++ b/net/ieee802154/6lowpan/6lowpan_i.h
-@@ -16,19 +16,37 @@ typedef unsigned __bitwise__ lowpan_rx_result;
+@@ -16,19 +16,37 @@ typedef unsigned __bitwise__ lowpan_rx_r
#define LOWPAN_DISPATCH_FRAG1 0xc0
#define LOWPAN_DISPATCH_FRAGN 0xe0
@@ -858,8 +840,6 @@ index fdbebe51446f..b4e17a7c0df0 100644
/* private device info */
struct lowpan_dev_info {
struct net_device *wdev; /* wpan device ptr */
-diff --git a/net/ieee802154/6lowpan/reassembly.c b/net/ieee802154/6lowpan/reassembly.c
-index 6183730d38db..12e8cf4bda9f 100644
--- a/net/ieee802154/6lowpan/reassembly.c
+++ b/net/ieee802154/6lowpan/reassembly.c
@@ -37,15 +37,47 @@ static struct inet_frags lowpan_frags;
@@ -913,7 +893,7 @@ index 6183730d38db..12e8cf4bda9f 100644
}
static void lowpan_frag_expire(unsigned long data)
-@@ -61,10 +93,10 @@ static void lowpan_frag_expire(unsigned long data)
+@@ -61,10 +93,10 @@ static void lowpan_frag_expire(unsigned
if (fq->q.flags & INET_FRAG_COMPLETE)
goto out;
@@ -926,7 +906,7 @@ index 6183730d38db..12e8cf4bda9f 100644
}
static inline struct lowpan_frag_queue *
-@@ -72,20 +104,25 @@ fq_find(struct net *net, const struct lowpan_802154_cb *cb,
+@@ -72,20 +104,25 @@ fq_find(struct net *net, const struct lo
const struct ieee802154_addr *src,
const struct ieee802154_addr *dst)
{
@@ -942,26 +922,27 @@ index 6183730d38db..12e8cf4bda9f 100644
- key.d_size = cb->d_size;
- key.src = *src;
- key.dst = *dst;
+-
+- q = inet_frag_find(&ieee802154_lowpan->frags, &key);
+- if (!q)
+ arg.tag = cb->d_tag;
+ arg.d_size = cb->d_size;
+ arg.src = src;
+ arg.dst = dst;
-
-- q = inet_frag_find(&ieee802154_lowpan->frags, &key);
-- if (!q)
-- return NULL;
++
+ hash = lowpan_hash_frag(cb->d_tag, cb->d_size, src, dst);
-
++
+ q = inet_frag_find(&ieee802154_lowpan->frags,
+ &lowpan_frags, &arg, hash);
+ if (IS_ERR_OR_NULL(q)) {
+ inet_frag_maybe_warn_overflow(q, pr_fmt());
-+ return NULL;
+ return NULL;
+-
+ }
return container_of(q, struct lowpan_frag_queue, q);
}
-@@ -192,7 +229,7 @@ static int lowpan_frag_reasm(struct lowpan_frag_queue *fq, struct sk_buff *prev,
+@@ -192,7 +229,7 @@ static int lowpan_frag_reasm(struct lowp
struct sk_buff *fp, *head = fq->q.fragments;
int sum_truesize;
@@ -970,7 +951,7 @@ index 6183730d38db..12e8cf4bda9f 100644
/* Make the one we just received the head. */
if (prev) {
-@@ -371,7 +408,7 @@ int lowpan_frag_rcv(struct sk_buff *skb, u8 frag_type)
+@@ -371,7 +408,7 @@ int lowpan_frag_rcv(struct sk_buff *skb,
struct lowpan_frag_queue *fq;
struct net *net = dev_net(skb->dev);
struct lowpan_802154_cb *cb = lowpan_802154_cb(skb);
@@ -979,7 +960,7 @@ index 6183730d38db..12e8cf4bda9f 100644
int err;
if (ieee802154_hdr_peek_addrs(skb, &hdr) < 0)
-@@ -400,7 +437,7 @@ int lowpan_frag_rcv(struct sk_buff *skb, u8 frag_type)
+@@ -400,7 +437,7 @@ int lowpan_frag_rcv(struct sk_buff *skb,
ret = lowpan_frag_queue(fq, skb, frag_type);
spin_unlock(&fq->q.lock);
@@ -1017,7 +998,7 @@ index 6183730d38db..12e8cf4bda9f 100644
.extra2 = &init_net.ieee802154_lowpan.frags.high_thresh
},
{
-@@ -541,20 +580,14 @@ static int __net_init lowpan_frags_init_net(struct net *net)
+@@ -541,20 +580,14 @@ static int __net_init lowpan_frags_init_
{
struct netns_ieee802154_lowpan *ieee802154_lowpan =
net_ieee802154_lowpan(net);
@@ -1041,7 +1022,7 @@ index 6183730d38db..12e8cf4bda9f 100644
}
static void __net_exit lowpan_frags_exit_net(struct net *net)
-@@ -563,7 +596,7 @@ static void __net_exit lowpan_frags_exit_net(struct net *net)
+@@ -563,7 +596,7 @@ static void __net_exit lowpan_frags_exit
net_ieee802154_lowpan(net);
lowpan_frags_ns_sysctl_unregister(net);
@@ -1050,7 +1031,7 @@ index 6183730d38db..12e8cf4bda9f 100644
}
static struct pernet_operations lowpan_frags_ops = {
-@@ -571,64 +604,33 @@ static struct pernet_operations lowpan_frags_ops = {
+@@ -571,64 +604,33 @@ static struct pernet_operations lowpan_f
.exit = lowpan_frags_exit_net,
};
@@ -1106,7 +1087,7 @@ index 6183730d38db..12e8cf4bda9f 100644
lowpan_frags.frags_cache_name = lowpan_frags_cache_name;
- lowpan_frags.rhash_params = lowpan_rhash_params;
ret = inet_frags_init(&lowpan_frags);
-- if (ret)
+ if (ret)
- goto out;
-
- ret = lowpan_frags_sysctl_register();
@@ -1114,7 +1095,7 @@ index 6183730d38db..12e8cf4bda9f 100644
- goto err_sysctl;
-
- ret = register_pernet_subsys(&lowpan_frags_ops);
- if (ret)
+- if (ret)
goto err_pernet;
-out:
+
@@ -1126,8 +1107,6 @@ index 6183730d38db..12e8cf4bda9f 100644
return ret;
}
-diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
-index c03e5f5859e1..b2001b20e029 100644
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -25,6 +25,12 @@
@@ -1402,7 +1381,7 @@ index c03e5f5859e1..b2001b20e029 100644
atomic_dec(&fq->refcnt);
}
}
-@@ -119,23 +294,11 @@ static inline void frag_kfree_skb(struct netns_frags *nf, struct inet_frags *f,
+@@ -119,23 +294,11 @@ static inline void frag_kfree_skb(struct
kfree_skb(skb);
}
@@ -1427,7 +1406,7 @@ index c03e5f5859e1..b2001b20e029 100644
WARN_ON(!(q->flags & INET_FRAG_COMPLETE));
WARN_ON(del_timer(&q->timer) != 0);
-@@ -143,35 +306,64 @@ void inet_frag_destroy(struct inet_frag_queue *q)
+@@ -143,35 +306,64 @@ void inet_frag_destroy(struct inet_frag_
/* Release all fragment data. */
fp = q->fragments;
nf = q->net;
@@ -1507,7 +1486,7 @@ index c03e5f5859e1..b2001b20e029 100644
q = kmem_cache_zalloc(f->frags_cachep, GFP_ATOMIC);
if (!q)
return NULL;
-@@ -182,52 +374,75 @@ static struct inet_frag_queue *inet_frag_alloc(struct netns_frags *nf,
+@@ -182,52 +374,75 @@ static struct inet_frag_queue *inet_frag
setup_timer(&q->timer, f->frag_expire, (unsigned long)q);
spin_lock_init(&q->lock);
@@ -1529,21 +1508,20 @@ index c03e5f5859e1..b2001b20e029 100644
q = inet_frag_alloc(nf, f, arg);
- if (!q) {
- *prev = ERR_PTR(-ENOMEM);
-- return NULL;
++ if (!q)
+ return NULL;
- }
- mod_timer(&q->timer, jiffies + nf->timeout);
--
+
- *prev = rhashtable_lookup_get_insert_key(&nf->rhashtable, &q->key,
- &q->node, f->rhash_params);
- if (*prev) {
- q->flags |= INET_FRAG_COMPLETE;
- inet_frag_kill(q);
- inet_frag_destroy(q);
-+ if (!q)
- return NULL;
+- return NULL;
- }
- return q;
-+
+ return inet_frag_intern(nf, q, f, arg);
}
-EXPORT_SYMBOL(inet_frag_create);
@@ -1558,11 +1536,21 @@ index c03e5f5859e1..b2001b20e029 100644
+ struct inet_frag_bucket *hb;
+ struct inet_frag_queue *q;
+ int depth = 0;
-+
+
+- rcu_read_lock();
+- prev = rhashtable_lookup(&nf->rhashtable, key, nf->f->rhash_params);
+- if (!prev)
+- fq = inet_frag_create(nf, key, &prev);
+- if (prev && !IS_ERR(prev)) {
+- fq = prev;
+- if (!atomic_inc_not_zero(&fq->refcnt))
+- fq = NULL;
+ if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
+ inet_frag_schedule_worker(f);
+ return NULL;
-+ }
+ }
+- rcu_read_unlock();
+- return fq;
+
+ if (frag_mem_limit(nf) > nf->low_thresh)
+ inet_frag_schedule_worker(f);
@@ -1583,22 +1571,12 @@ index c03e5f5859e1..b2001b20e029 100644
+
+ if (depth <= INETFRAGS_MAXDEPTH)
+ return inet_frag_create(nf, f, key);
-
-- rcu_read_lock();
-- prev = rhashtable_lookup(&nf->rhashtable, key, nf->f->rhash_params);
-- if (!prev)
-- fq = inet_frag_create(nf, key, &prev);
-- if (prev && !IS_ERR(prev)) {
-- fq = prev;
-- if (!atomic_inc_not_zero(&fq->refcnt))
-- fq = NULL;
++
+ if (inet_frag_may_rebuild(f)) {
+ if (!f->rebuild)
+ f->rebuild = true;
+ inet_frag_schedule_worker(f);
- }
-- rcu_read_unlock();
-- return fq;
++ }
+
+ return ERR_PTR(-ENOBUFS);
}
@@ -1615,8 +1593,6 @@ index c03e5f5859e1..b2001b20e029 100644
+ net_dbg_ratelimited("%s%s", prefix, msg);
+}
+EXPORT_SYMBOL(inet_frag_maybe_warn_overflow);
-diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
-index 9b09a9b5a4fe..72915658a6b1 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -58,64 +58,27 @@
@@ -1713,7 +1689,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
+ u32 user;
+ int vif;
+};
-
++
+static unsigned int ipqhashfn(__be16 id, __be32 saddr, __be32 daddr, u8 prot)
+{
+ net_get_random_once(&ip4_frags.rnd, sizeof(ip4_frags.rnd));
@@ -1734,7 +1710,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
+{
+ const struct ipq *qp;
+ const struct ip4_create_arg *arg = a;
-+
+
+ qp = container_of(q, struct ipq, q);
+ return qp->id == arg->iph->id &&
+ qp->saddr == arg->iph->saddr &&
@@ -1746,7 +1722,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
static void ip4_frag_init(struct inet_frag_queue *q, const void *a)
{
-@@ -138,12 +141,17 @@ static void ip4_frag_init(struct inet_frag_queue *q, const void *a)
+@@ -138,12 +141,17 @@ static void ip4_frag_init(struct inet_fr
frags);
struct net *net = container_of(ipv4, struct net, ipv4);
@@ -1768,7 +1744,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
NULL;
}
-@@ -161,7 +169,7 @@ static void ip4_frag_free(struct inet_frag_queue *q)
+@@ -161,7 +169,7 @@ static void ip4_frag_free(struct inet_fr
static void ipq_put(struct ipq *ipq)
{
@@ -1786,7 +1762,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
}
static bool frag_expire_skip_icmp(u32 user)
-@@ -186,11 +194,8 @@ static bool frag_expire_skip_icmp(u32 user)
+@@ -186,11 +194,8 @@ static bool frag_expire_skip_icmp(u32 us
*/
static void ip_expire(unsigned long arg)
{
@@ -1914,22 +1890,22 @@ index 9b09a9b5a4fe..72915658a6b1 100644
- q = inet_frag_find(&net->ipv4.frags, &key);
- if (!q)
-- return NULL;
+ arg.iph = iph;
+ arg.user = user;
+ arg.vif = vif;
+
+ hash = ipqhashfn(iph->id, iph->saddr, iph->daddr, iph->protocol);
-
++
+ q = inet_frag_find(&net->ipv4.frags, &ip4_frags, &arg, hash);
+ if (IS_ERR_OR_NULL(q)) {
+ inet_frag_maybe_warn_overflow(q, pr_fmt());
-+ return NULL;
+ return NULL;
+-
+ }
return container_of(q, struct ipq, q);
}
-@@ -304,7 +296,7 @@ static int ip_frag_too_far(struct ipq *qp)
+@@ -304,7 +296,7 @@ static int ip_frag_too_far(struct ipq *q
end = atomic_inc_return(&peer->rid);
qp->rid = end;
@@ -1938,7 +1914,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
if (rc) {
struct net *net;
-@@ -318,6 +310,7 @@ static int ip_frag_too_far(struct ipq *qp)
+@@ -318,6 +310,7 @@ static int ip_frag_too_far(struct ipq *q
static int ip_frag_reinit(struct ipq *qp)
{
@@ -1946,7 +1922,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
unsigned int sum_truesize = 0;
if (!mod_timer(&qp->q.timer, jiffies + qp->q.net->timeout)) {
-@@ -325,16 +318,21 @@ static int ip_frag_reinit(struct ipq *qp)
+@@ -325,16 +318,21 @@ static int ip_frag_reinit(struct ipq *qp
return -ETIMEDOUT;
}
@@ -1971,7 +1947,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
qp->iif = 0;
qp->ecn = 0;
-@@ -344,13 +342,11 @@ static int ip_frag_reinit(struct ipq *qp)
+@@ -344,13 +342,11 @@ static int ip_frag_reinit(struct ipq *qp
/* Add new segment to existing queue. */
static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
{
@@ -1987,7 +1963,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
int err = -ENOENT;
u8 ecn;
-@@ -409,68 +405,94 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
+@@ -409,68 +405,94 @@ static int ip_frag_queue(struct ipq *qp,
if (err)
goto err;
@@ -2008,7 +1984,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
+ /* Find out which fragments are in front and at the back of us
+ * in the chain of fragments so far. We must know where to put
+ * this fragment, right?
- */
++ */
+ prev = qp->q.fragments_tail;
+ if (!prev || FRAG_CB(prev)->offset < offset) {
+ next = NULL;
@@ -2020,6 +1996,14 @@ index 9b09a9b5a4fe..72915658a6b1 100644
+ break; /* bingo! */
+ prev = next;
+ }
++
++found:
++ /* We found where to put this one. Check for overlap with
++ * preceding fragment, and, if needed, align things so that
++ * any overlaps are eliminated.
+ */
++ if (prev) {
++ int i = (FRAG_CB(prev)->offset + prev->len) - offset;
- err = -EINVAL;
- /* Find out where to put this fragment. */
@@ -2052,14 +2036,6 @@ index 9b09a9b5a4fe..72915658a6b1 100644
- else if (offset >= skb1->ip_defrag_offset &&
- end <= skb1_run_end)
- goto err; /* No new data, potential duplicate */
-+found:
-+ /* We found where to put this one. Check for overlap with
-+ * preceding fragment, and, if needed, align things so that
-+ * any overlaps are eliminated.
-+ */
-+ if (prev) {
-+ int i = (FRAG_CB(prev)->offset + prev->len) - offset;
-+
+ if (i > 0) {
+ offset += i;
+ err = -EINVAL;
@@ -2138,7 +2114,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
qp->q.stamp = skb->tstamp;
qp->q.meat += skb->len;
qp->ecn |= ecn;
-@@ -492,7 +514,7 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
+@@ -492,7 +514,7 @@ static int ip_frag_queue(struct ipq *qp,
unsigned long orefdst = skb->_skb_refdst;
skb->_skb_refdst = 0UL;
@@ -2147,7 +2123,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
skb->_skb_refdst = orefdst;
return err;
}
-@@ -500,23 +522,20 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
+@@ -500,23 +522,20 @@ static int ip_frag_queue(struct ipq *qp,
skb_dst_drop(skb);
return -EINPROGRESS;
@@ -2176,7 +2152,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
int len;
int ihlen;
int err;
-@@ -530,27 +549,26 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb,
+@@ -530,27 +549,26 @@ static int ip_frag_reasm(struct ipq *qp,
goto out_fail;
}
/* Make the one we just received the head. */
@@ -2219,7 +2195,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
/* Allocate a new buffer for the datagram. */
ihlen = ip_hdrlen(head);
-@@ -574,61 +592,35 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb,
+@@ -574,61 +592,35 @@ static int ip_frag_reasm(struct ipq *qp,
clone = alloc_skb(0, GFP_ATOMIC);
if (!clone)
goto out_nomem;
@@ -2294,7 +2270,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
head->dev = dev;
head->tstamp = qp->q.stamp;
IPCB(head)->frag_max_size = max(qp->max_df_size, qp->q.max_size);
-@@ -656,9 +648,7 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb,
+@@ -656,9 +648,7 @@ static int ip_frag_reasm(struct ipq *qp,
IP_INC_STATS_BH(net, IPSTATS_MIB_REASMOKS);
qp->q.fragments = NULL;
@@ -2313,7 +2289,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
out_fail:
IP_INC_STATS_BH(net, IPSTATS_MIB_REASMFAILS);
return err;
-@@ -744,46 +734,25 @@ struct sk_buff *ip_check_defrag(struct net *net, struct sk_buff *skb, u32 user)
+@@ -744,46 +734,25 @@ struct sk_buff *ip_check_defrag(struct n
}
EXPORT_SYMBOL(ip_check_defrag);
@@ -2366,7 +2342,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
.extra2 = &init_net.ipv4.frags.high_thresh
},
{
-@@ -812,7 +781,7 @@ static struct ctl_table ip4_frags_ctl_table[] = {
+@@ -812,7 +781,7 @@ static struct ctl_table ip4_frags_ctl_ta
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
@@ -2375,7 +2351,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
},
{ }
};
-@@ -884,8 +853,6 @@ static void __init ip4_frags_ctl_register(void)
+@@ -884,8 +853,6 @@ static void __init ip4_frags_ctl_registe
static int __net_init ipv4_frags_init_net(struct net *net)
{
@@ -2384,7 +2360,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
/* Fragment cache limits.
*
* The fragment memory accounting code, (tries to) account for
-@@ -909,21 +876,15 @@ static int __net_init ipv4_frags_init_net(struct net *net)
+@@ -909,21 +876,15 @@ static int __net_init ipv4_frags_init_ne
*/
net->ipv4.frags.timeout = IP_FRAG_TIME;
@@ -2409,7 +2385,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644
}
static struct pernet_operations ip4_frags_ops = {
-@@ -931,50 +892,18 @@ static struct pernet_operations ip4_frags_ops = {
+@@ -931,50 +892,18 @@ static struct pernet_operations ip4_frag
.exit = ipv4_frags_exit_net,
};
@@ -2464,8 +2440,6 @@ index 9b09a9b5a4fe..72915658a6b1 100644
- ip4_frags_ctl_register();
- register_pernet_subsys(&ip4_frags_ops);
}
-diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
-index b001ad668108..3abd9d7a3adf 100644
--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -52,6 +52,7 @@
@@ -2476,7 +2450,7 @@ index b001ad668108..3abd9d7a3adf 100644
int orphans, sockets;
local_bh_disable();
-@@ -71,9 +72,8 @@ static int sockstat_seq_show(struct seq_file *seq, void *v)
+@@ -71,9 +72,8 @@ static int sockstat_seq_show(struct seq_
sock_prot_inuse_get(net, &udplite_prot));
seq_printf(seq, "RAW: inuse %d\n",
sock_prot_inuse_get(net, &raw_prot));
@@ -2488,7 +2462,7 @@ index b001ad668108..3abd9d7a3adf 100644
return 0;
}
-@@ -132,7 +132,6 @@ static const struct snmp_mib snmp4_ipextstats_list[] = {
+@@ -132,7 +132,6 @@ static const struct snmp_mib snmp4_ipext
SNMP_MIB_ITEM("InECT1Pkts", IPSTATS_MIB_ECT1PKTS),
SNMP_MIB_ITEM("InECT0Pkts", IPSTATS_MIB_ECT0PKTS),
SNMP_MIB_ITEM("InCEPkts", IPSTATS_MIB_CEPKTS),
@@ -2496,8 +2470,6 @@ index b001ad668108..3abd9d7a3adf 100644
SNMP_MIB_SENTINEL
};
-diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
-index 664c84e47bab..5a9ae56e7868 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -64,6 +64,7 @@ struct nf_ct_frag6_skb_cb
@@ -2508,7 +2480,7 @@ index 664c84e47bab..5a9ae56e7868 100644
static struct ctl_table nf_ct_frag6_sysctl_table[] = {
{
-@@ -76,17 +77,18 @@ static struct ctl_table nf_ct_frag6_sysctl_table[] = {
+@@ -76,17 +77,18 @@ static struct ctl_table nf_ct_frag6_sysc
{
.procname = "nf_conntrack_frag6_low_thresh",
.data = &init_net.nf_frag.frags.low_thresh,
@@ -2531,7 +2503,7 @@ index 664c84e47bab..5a9ae56e7868 100644
.extra1 = &init_net.nf_frag.frags.low_thresh
},
{ }
-@@ -151,6 +153,23 @@ static inline u8 ip6_frag_ecn(const struct ipv6hdr *ipv6h)
+@@ -151,6 +153,23 @@ static inline u8 ip6_frag_ecn(const stru
return 1 << (ipv6_get_dsfield(ipv6h) & INET_ECN_MASK);
}
@@ -2555,7 +2527,7 @@ index 664c84e47bab..5a9ae56e7868 100644
static void nf_skb_free(struct sk_buff *skb)
{
if (NFCT_FRAG6_CB(skb)->orig)
-@@ -165,26 +184,34 @@ static void nf_ct_frag6_expire(unsigned long data)
+@@ -165,26 +184,34 @@ static void nf_ct_frag6_expire(unsigned
fq = container_of((struct inet_frag_queue *)data, struct frag_queue, q);
net = container_of(fq->q.net, struct net, nf_frag.frags);
@@ -2578,12 +2550,11 @@ index 664c84e47bab..5a9ae56e7868 100644
- .iif = iif,
- };
struct inet_frag_queue *q;
--
-- q = inet_frag_find(&net->nf_frag.frags, &key);
-- if (!q)
+ struct ip6_create_arg arg;
+ unsigned int hash;
-+
+
+- q = inet_frag_find(&net->nf_frag.frags, &key);
+- if (!q)
+ arg.id = id;
+ arg.user = user;
+ arg.src = src;
@@ -2613,7 +2584,7 @@ index 664c84e47bab..5a9ae56e7868 100644
err:
return -1;
}
-@@ -356,7 +383,7 @@ nf_ct_frag6_reasm(struct frag_queue *fq, struct net_device *dev)
+@@ -356,7 +383,7 @@ nf_ct_frag6_reasm(struct frag_queue *fq,
int payload_len;
u8 ecn;
@@ -2622,7 +2593,7 @@ index 664c84e47bab..5a9ae56e7868 100644
WARN_ON(head == NULL);
WARN_ON(NFCT_FRAG6_CB(head)->offset != 0);
-@@ -427,7 +454,6 @@ nf_ct_frag6_reasm(struct frag_queue *fq, struct net_device *dev)
+@@ -427,7 +454,6 @@ nf_ct_frag6_reasm(struct frag_queue *fq,
else if (head->ip_summed == CHECKSUM_COMPLETE)
head->csum = csum_add(head->csum, fp->csum);
head->truesize += fp->truesize;
@@ -2630,7 +2601,7 @@ index 664c84e47bab..5a9ae56e7868 100644
}
sub_frag_mem_limit(fq->q.net, head->truesize);
-@@ -446,7 +472,6 @@ nf_ct_frag6_reasm(struct frag_queue *fq, struct net_device *dev)
+@@ -446,7 +472,6 @@ nf_ct_frag6_reasm(struct frag_queue *fq,
head->csum);
fq->q.fragments = NULL;
@@ -2638,7 +2609,7 @@ index 664c84e47bab..5a9ae56e7868 100644
fq->q.fragments_tail = NULL;
/* all original skbs are linked into the NFCT_FRAG6_CB(head).orig */
-@@ -576,13 +601,9 @@ struct sk_buff *nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 use
+@@ -576,13 +601,9 @@ struct sk_buff *nf_ct_frag6_gather(struc
hdr = ipv6_hdr(clone);
fhdr = (struct frag_hdr *)skb_transport_header(clone);
@@ -2654,7 +2625,7 @@ index 664c84e47bab..5a9ae56e7868 100644
if (fq == NULL) {
pr_debug("Can't find and can't create new queue\n");
goto ret_orig;
-@@ -593,7 +614,7 @@ struct sk_buff *nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 use
+@@ -593,7 +614,7 @@ struct sk_buff *nf_ct_frag6_gather(struc
if (nf_ct_frag6_queue(fq, clone, fhdr, nhoff) < 0) {
spin_unlock_bh(&fq->q.lock);
pr_debug("Can't insert skb to queue\n");
@@ -2663,7 +2634,7 @@ index 664c84e47bab..5a9ae56e7868 100644
goto ret_orig;
}
-@@ -605,7 +626,7 @@ struct sk_buff *nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 use
+@@ -605,7 +626,7 @@ struct sk_buff *nf_ct_frag6_gather(struc
}
spin_unlock_bh(&fq->q.lock);
@@ -2672,7 +2643,7 @@ index 664c84e47bab..5a9ae56e7868 100644
return ret_skb;
ret_orig:
-@@ -629,26 +650,18 @@ EXPORT_SYMBOL_GPL(nf_ct_frag6_consume_orig);
+@@ -629,26 +650,18 @@ EXPORT_SYMBOL_GPL(nf_ct_frag6_consume_or
static int nf_ct_net_init(struct net *net)
{
@@ -2682,7 +2653,8 @@ index 664c84e47bab..5a9ae56e7868 100644
net->nf_frag.frags.low_thresh = IPV6_FRAG_LOW_THRESH;
net->nf_frag.frags.timeout = IPV6_FRAG_TIMEOUT;
- net->nf_frag.frags.f = &nf_frags;
--
++ inet_frags_init_net(&net->nf_frag.frags);
+
- res = inet_frags_init_net(&net->nf_frag.frags);
- if (res < 0)
- return res;
@@ -2690,8 +2662,6 @@ index 664c84e47bab..5a9ae56e7868 100644
- if (res < 0)
- inet_frags_exit_net(&net->nf_frag.frags);
- return res;
-+ inet_frags_init_net(&net->nf_frag.frags);
-+
+ return nf_ct_frag6_sysctl_register(net);
}
@@ -2719,8 +2689,6 @@ index 664c84e47bab..5a9ae56e7868 100644
ret = inet_frags_init(&nf_frags);
if (ret)
goto out;
-diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
-index 73e766e7bc37..679253d0af84 100644
--- a/net/ipv6/proc.c
+++ b/net/ipv6/proc.c
@@ -33,6 +33,7 @@
@@ -2731,7 +2699,7 @@ index 73e766e7bc37..679253d0af84 100644
seq_printf(seq, "TCP6: inuse %d\n",
sock_prot_inuse_get(net, &tcpv6_prot));
-@@ -42,9 +43,7 @@ static int sockstat6_seq_show(struct seq_file *seq, void *v)
+@@ -42,9 +43,7 @@ static int sockstat6_seq_show(struct seq
sock_prot_inuse_get(net, &udplitev6_prot));
seq_printf(seq, "RAW6: inuse %d\n",
sock_prot_inuse_get(net, &rawv6_prot));
@@ -2742,8 +2710,6 @@ index 73e766e7bc37..679253d0af84 100644
return 0;
}
-diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
-index ec917f58d105..58f2139ebb5e 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -79,58 +79,94 @@ static struct inet_frags ip6_frags;
@@ -2863,7 +2829,7 @@ index ec917f58d105..58f2139ebb5e 100644
}
EXPORT_SYMBOL(ip6_expire_frag_queue);
-@@ -142,29 +178,31 @@ static void ip6_frag_expire(unsigned long data)
+@@ -142,29 +178,31 @@ static void ip6_frag_expire(unsigned lon
fq = container_of((struct inet_frag_queue *)data, struct frag_queue, q);
net = container_of(fq->q.net, struct net, ipv6.frags);
@@ -2890,22 +2856,23 @@ index ec917f58d105..58f2139ebb5e 100644
- if (!(ipv6_addr_type(&hdr->daddr) & (IPV6_ADDR_MULTICAST |
- IPV6_ADDR_LINKLOCAL)))
- key.iif = 0;
+-
+- q = inet_frag_find(&net->ipv6.frags, &key);
+- if (!q)
+ arg.id = id;
+ arg.user = IP6_DEFRAG_LOCAL_DELIVER;
+ arg.src = src;
+ arg.dst = dst;
+ arg.iif = iif;
+ arg.ecn = ecn;
-
-- q = inet_frag_find(&net->ipv6.frags, &key);
-- if (!q)
-- return NULL;
++
+ hash = inet6_hash_frag(id, src, dst);
-
++
+ q = inet_frag_find(&net->ipv6.frags, &ip6_frags, &arg, hash);
+ if (IS_ERR_OR_NULL(q)) {
+ inet_frag_maybe_warn_overflow(q, pr_fmt());
-+ return NULL;
+ return NULL;
+-
+ }
return container_of(q, struct frag_queue, q);
}
@@ -2919,7 +2886,7 @@ index ec917f58d105..58f2139ebb5e 100644
err:
IP6_INC_STATS_BH(net, ip6_dst_idev(skb_dst(skb)),
IPSTATS_MIB_REASMFAILS);
-@@ -348,7 +386,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
+@@ -348,7 +386,7 @@ static int ip6_frag_reasm(struct frag_qu
int sum_truesize;
u8 ecn;
@@ -2928,7 +2895,7 @@ index ec917f58d105..58f2139ebb5e 100644
ecn = ip_frag_ecn_table[fq->ecn];
if (unlikely(ecn == 0xff))
-@@ -465,7 +503,6 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
+@@ -465,7 +503,6 @@ static int ip6_frag_reasm(struct frag_qu
IP6_INC_STATS_BH(net, __in6_dev_get(dev), IPSTATS_MIB_REASMOKS);
rcu_read_unlock();
fq->q.fragments = NULL;
@@ -2936,7 +2903,7 @@ index ec917f58d105..58f2139ebb5e 100644
fq->q.fragments_tail = NULL;
return 1;
-@@ -487,7 +524,6 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
+@@ -487,7 +524,6 @@ static int ipv6_frag_rcv(struct sk_buff
struct frag_queue *fq;
const struct ipv6hdr *hdr = ipv6_hdr(skb);
struct net *net = dev_net(skb_dst(skb)->dev);
@@ -2944,7 +2911,7 @@ index ec917f58d105..58f2139ebb5e 100644
if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED)
goto fail_hdr;
-@@ -516,22 +552,17 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
+@@ -516,22 +552,17 @@ static int ipv6_frag_rcv(struct sk_buff
return 1;
}
@@ -2970,7 +2937,7 @@ index ec917f58d105..58f2139ebb5e 100644
return ret;
}
-@@ -552,22 +583,24 @@ static const struct inet6_protocol frag_protocol = {
+@@ -552,22 +583,24 @@ static const struct inet6_protocol frag_
};
#ifdef CONFIG_SYSCTL
@@ -2999,7 +2966,7 @@ index ec917f58d105..58f2139ebb5e 100644
.extra2 = &init_net.ipv6.frags.high_thresh
},
{
-@@ -675,27 +708,19 @@ static void ip6_frags_sysctl_unregister(void)
+@@ -675,27 +708,19 @@ static void ip6_frags_sysctl_unregister(
static int __net_init ipv6_frags_init_net(struct net *net)
{
@@ -3030,7 +2997,7 @@ index ec917f58d105..58f2139ebb5e 100644
}
static struct pernet_operations ip6_frags_ops = {
-@@ -703,54 +728,13 @@ static struct pernet_operations ip6_frags_ops = {
+@@ -703,54 +728,13 @@ static struct pernet_operations ip6_frag
.exit = ipv6_frags_exit_net,
};
@@ -3113,6 +3080,3 @@ index ec917f58d105..58f2139ebb5e 100644
goto out;
}
---
-2.20.1
-
diff --git a/patches.kernel.org/4.4.175-001-drm-bufs-Fix-Spectre-v1-vulnerability.patch b/patches.kernel.org/4.4.175-001-drm-bufs-Fix-Spectre-v1-vulnerability.patch
new file mode 100644
index 0000000000..ff9e0b49bd
--- /dev/null
+++ b/patches.kernel.org/4.4.175-001-drm-bufs-Fix-Spectre-v1-vulnerability.patch
@@ -0,0 +1,58 @@
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 16 Oct 2018 11:55:49 +0200
+Subject: [PATCH] drm/bufs: Fix Spectre v1 vulnerability
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: a37805098900a6e73a55b3a43b7d3bcd987bb3f4
+
+[ Upstream commit a37805098900a6e73a55b3a43b7d3bcd987bb3f4 ]
+
+idx can be indirectly controlled by user-space, hence leading to a
+potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/gpu/drm/drm_bufs.c:1420 drm_legacy_freebufs() warn: potential
+spectre issue 'dma->buflist' [r] (local cap)
+
+Fix this by sanitizing idx before using it to index dma->buflist
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181016095549.GA23586@embeddedor.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/gpu/drm/drm_bufs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
+index f1a204d253cc..ac22b8d86249 100644
+--- a/drivers/gpu/drm/drm_bufs.c
++++ b/drivers/gpu/drm/drm_bufs.c
+@@ -36,6 +36,8 @@
+ #include <drm/drmP.h>
+ #include "drm_legacy.h"
+
++#include <linux/nospec.h>
++
+ static struct drm_map_list *drm_find_matching_map(struct drm_device *dev,
+ struct drm_local_map *map)
+ {
+@@ -1332,6 +1334,7 @@ int drm_legacy_freebufs(struct drm_device *dev, void *data,
+ idx, dma->buf_count - 1);
+ return -EINVAL;
+ }
++ idx = array_index_nospec(idx, dma->buf_count);
+ buf = dma->buflist[idx];
+ if (buf->file_priv != file_priv) {
+ DRM_ERROR("Process %d freeing buffer not owned\n",
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-002-staging-iio-adc-ad7280a-handle-error-from-__a.patch b/patches.kernel.org/4.4.175-002-staging-iio-adc-ad7280a-handle-error-from-__a.patch
new file mode 100644
index 0000000000..1913ac25cd
--- /dev/null
+++ b/patches.kernel.org/4.4.175-002-staging-iio-adc-ad7280a-handle-error-from-__a.patch
@@ -0,0 +1,74 @@
+From: Slawomir Stepien <sst@poczta.fm>
+Date: Sat, 20 Oct 2018 23:04:11 +0200
+Subject: [PATCH] staging: iio: adc: ad7280a: handle error from
+ __ad7280_read32()
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 0559ef7fde67bc6c83c6eb6329dbd6649528263e
+
+[ Upstream commit 0559ef7fde67bc6c83c6eb6329dbd6649528263e ]
+
+Inside __ad7280_read32(), the spi_sync_transfer() can fail with negative
+error code. This change will ensure that this error is being passed up
+in the call stack, so it can be handled.
+
+Signed-off-by: Slawomir Stepien <sst@poczta.fm>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/staging/iio/adc/ad7280a.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/iio/adc/ad7280a.c b/drivers/staging/iio/adc/ad7280a.c
+index 35acb1a4669b..db8390022732 100644
+--- a/drivers/staging/iio/adc/ad7280a.c
++++ b/drivers/staging/iio/adc/ad7280a.c
+@@ -250,7 +250,9 @@ static int ad7280_read(struct ad7280_state *st, unsigned devaddr,
+ if (ret)
+ return ret;
+
+- __ad7280_read32(st, &tmp);
++ ret = __ad7280_read32(st, &tmp);
++ if (ret)
++ return ret;
+
+ if (ad7280_check_crc(st, tmp))
+ return -EIO;
+@@ -288,7 +290,9 @@ static int ad7280_read_channel(struct ad7280_state *st, unsigned devaddr,
+
+ ad7280_delay(st);
+
+- __ad7280_read32(st, &tmp);
++ ret = __ad7280_read32(st, &tmp);
++ if (ret)
++ return ret;
+
+ if (ad7280_check_crc(st, tmp))
+ return -EIO;
+@@ -321,7 +325,9 @@ static int ad7280_read_all_channels(struct ad7280_state *st, unsigned cnt,
+ ad7280_delay(st);
+
+ for (i = 0; i < cnt; i++) {
+- __ad7280_read32(st, &tmp);
++ ret = __ad7280_read32(st, &tmp);
++ if (ret)
++ return ret;
+
+ if (ad7280_check_crc(st, tmp))
+ return -EIO;
+@@ -364,7 +370,10 @@ static int ad7280_chain_setup(struct ad7280_state *st)
+ return ret;
+
+ for (n = 0; n <= AD7280A_MAX_CHAIN; n++) {
+- __ad7280_read32(st, &val);
++ ret = __ad7280_read32(st, &val);
++ if (ret)
++ return ret;
++
+ if (val == 0)
+ return n - 1;
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-003-ASoC-Intel-mrfld-fix-uninitialized-variable-a.patch b/patches.kernel.org/4.4.175-003-ASoC-Intel-mrfld-fix-uninitialized-variable-a.patch
new file mode 100644
index 0000000000..e2bc8481e7
--- /dev/null
+++ b/patches.kernel.org/4.4.175-003-ASoC-Intel-mrfld-fix-uninitialized-variable-a.patch
@@ -0,0 +1,57 @@
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Sat, 3 Nov 2018 22:21:22 +0100
+Subject: [PATCH] ASoC: Intel: mrfld: fix uninitialized variable access
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 1539c7f23f256120f89f8b9ec53160790bce9ed2
+
+[ Upstream commit 1539c7f23f256120f89f8b9ec53160790bce9ed2 ]
+
+Randconfig testing revealed a very old bug, with gcc-8:
+
+sound/soc/intel/atom/sst/sst_loader.c: In function 'sst_load_fw':
+sound/soc/intel/atom/sst/sst_loader.c:357:5: error: 'fw' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+ if (fw == NULL) {
+ ^
+sound/soc/intel/atom/sst/sst_loader.c:354:25: note: 'fw' was declared here
+ const struct firmware *fw;
+
+We must check the return code of request_firmware() before we look at the
+pointer result that may be uninitialized when the function fails.
+
+Fixes: 9012c9544eea ("ASoC: Intel: mrfld - Add DSP load and management")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/soc/intel/atom/sst/sst_loader.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/intel/atom/sst/sst_loader.c b/sound/soc/intel/atom/sst/sst_loader.c
+index 33917146d9c4..054b1d514e8a 100644
+--- a/sound/soc/intel/atom/sst/sst_loader.c
++++ b/sound/soc/intel/atom/sst/sst_loader.c
+@@ -354,14 +354,14 @@ static int sst_request_fw(struct intel_sst_drv *sst)
+ const struct firmware *fw;
+
+ retval = request_firmware(&fw, sst->firmware_name, sst->dev);
+- if (fw == NULL) {
+- dev_err(sst->dev, "fw is returning as null\n");
+- return -EINVAL;
+- }
+ if (retval) {
+ dev_err(sst->dev, "request fw failed %d\n", retval);
+ return retval;
+ }
++ if (fw == NULL) {
++ dev_err(sst->dev, "fw is returning as null\n");
++ return -EINVAL;
++ }
+ mutex_lock(&sst->sst_lock);
+ retval = sst_cache_and_parse_fw(sst, fw);
+ mutex_unlock(&sst->sst_lock);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-004-scsi-lpfc-Correct-LCB-RJT-handling.patch b/patches.kernel.org/4.4.175-004-scsi-lpfc-Correct-LCB-RJT-handling.patch
new file mode 100644
index 0000000000..fdd62310cf
--- /dev/null
+++ b/patches.kernel.org/4.4.175-004-scsi-lpfc-Correct-LCB-RJT-handling.patch
@@ -0,0 +1,40 @@
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 23 Oct 2018 13:41:07 -0700
+Subject: [PATCH] scsi: lpfc: Correct LCB RJT handling
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: b114d9009d386276bfc3352289fc235781ae3353
+
+[ Upstream commit b114d9009d386276bfc3352289fc235781ae3353 ]
+
+When LCB's are rejected, if beaconing was already in progress, the
+Reason Code Explanation was not being set. Should have been set to
+command in progress.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/scsi/lpfc/lpfc_els.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
+index fd8fe1202dbe..398c9a0a5ade 100644
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -5105,6 +5105,9 @@ lpfc_els_lcb_rsp(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb)
+ stat = (struct ls_rjt *)(pcmd + sizeof(uint32_t));
+ stat->un.b.lsRjtRsnCode = LSRJT_UNABLE_TPC;
+
++ if (shdr_add_status == ADD_STATUS_OPERATION_ALREADY_ACTIVE)
++ stat->un.b.lsRjtRsnCodeExp = LSEXP_CMD_IN_PROGRESS;
++
+ elsiocb->iocb_cmpl = lpfc_cmpl_els_rsp;
+ phba->fc_stat.elsXmitLSRJT++;
+ rc = lpfc_sli_issue_iocb(phba, LPFC_ELS_RING, elsiocb, 0);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-005-ARM-8808-1-kexec-offline-panic_smp_self_stop-.patch b/patches.kernel.org/4.4.175-005-ARM-8808-1-kexec-offline-panic_smp_self_stop-.patch
new file mode 100644
index 0000000000..9eadf281de
--- /dev/null
+++ b/patches.kernel.org/4.4.175-005-ARM-8808-1-kexec-offline-panic_smp_self_stop-.patch
@@ -0,0 +1,66 @@
+From: Yufen Wang <wangyufen@huawei.com>
+Date: Fri, 2 Nov 2018 11:51:31 +0100
+Subject: [PATCH] ARM: 8808/1: kexec:offline panic_smp_self_stop CPU
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 82c08c3e7f171aa7f579b231d0abbc1d62e91974
+
+[ Upstream commit 82c08c3e7f171aa7f579b231d0abbc1d62e91974 ]
+
+In case panic() and panic() called at the same time on different CPUS.
+For example:
+CPU 0:
+ panic()
+ __crash_kexec
+ machine_crash_shutdown
+ crash_smp_send_stop
+ machine_kexec
+ BUG_ON(num_online_cpus() > 1);
+
+CPU 1:
+ panic()
+ local_irq_disable
+ panic_smp_self_stop
+
+If CPU 1 calls panic_smp_self_stop() before crash_smp_send_stop(), kdump
+fails. CPU1 can't receive the ipi irq, CPU1 will be always online.
+To fix this problem, this patch split out the panic_smp_self_stop()
+and add set_cpu_online(smp_processor_id(), false).
+
+Signed-off-by: Yufen Wang <wangyufen@huawei.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/kernel/smp.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
+index b26361355dae..e42be5800f37 100644
+--- a/arch/arm/kernel/smp.c
++++ b/arch/arm/kernel/smp.c
+@@ -687,6 +687,21 @@ void smp_send_stop(void)
+ pr_warn("SMP: failed to stop secondary CPUs\n");
+ }
+
++/* In case panic() and panic() called at the same time on CPU1 and CPU2,
++ * and CPU 1 calls panic_smp_self_stop() before crash_smp_send_stop()
++ * CPU1 can't receive the ipi irqs from CPU2, CPU1 will be always online,
++ * kdump fails. So split out the panic_smp_self_stop() and add
++ * set_cpu_online(smp_processor_id(), false).
++ */
++void panic_smp_self_stop(void)
++{
++ pr_debug("CPU %u will stop doing anything useful since another CPU has paniced\n",
++ smp_processor_id());
++ set_cpu_online(smp_processor_id(), false);
++ while (1)
++ cpu_relax();
++}
++
+ /*
+ * not supported here
+ */
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-006-dlm-Don-t-swamp-the-CPU-with-callbacks-queued.patch b/patches.kernel.org/4.4.175-006-dlm-Don-t-swamp-the-CPU-with-callbacks-queued.patch
new file mode 100644
index 0000000000..8bd706eb8c
--- /dev/null
+++ b/patches.kernel.org/4.4.175-006-dlm-Don-t-swamp-the-CPU-with-callbacks-queued.patch
@@ -0,0 +1,64 @@
+From: Bob Peterson <rpeterso@redhat.com>
+Date: Thu, 8 Nov 2018 14:04:50 -0500
+Subject: [PATCH] dlm: Don't swamp the CPU with callbacks queued during
+ recovery
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 216f0efd19b9cc32207934fd1b87a45f2c4c593e
+
+[ Upstream commit 216f0efd19b9cc32207934fd1b87a45f2c4c593e ]
+
+Before this patch, recovery would cause all callbacks to be delayed,
+put on a queue, and afterward they were all queued to the callback
+work queue. This patch does the same thing, but occasionally takes
+a break after 25 of them so it won't swamp the CPU at the expense
+of other RT processes like corosync.
+
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/dlm/ast.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/dlm/ast.c b/fs/dlm/ast.c
+index dcea1e37a1b7..f18619bc2e09 100644
+--- a/fs/dlm/ast.c
++++ b/fs/dlm/ast.c
+@@ -290,6 +290,8 @@ void dlm_callback_suspend(struct dlm_ls *ls)
+ flush_workqueue(ls->ls_callback_wq);
+ }
+
++#define MAX_CB_QUEUE 25
++
+ void dlm_callback_resume(struct dlm_ls *ls)
+ {
+ struct dlm_lkb *lkb, *safe;
+@@ -300,15 +302,23 @@ void dlm_callback_resume(struct dlm_ls *ls)
+ if (!ls->ls_callback_wq)
+ return;
+
++more:
+ mutex_lock(&ls->ls_cb_mutex);
+ list_for_each_entry_safe(lkb, safe, &ls->ls_cb_delay, lkb_cb_list) {
+ list_del_init(&lkb->lkb_cb_list);
+ queue_work(ls->ls_callback_wq, &lkb->lkb_cb_work);
+ count++;
++ if (count == MAX_CB_QUEUE)
++ break;
+ }
+ mutex_unlock(&ls->ls_cb_mutex);
+
+ if (count)
+ log_rinfo(ls, "dlm_callback_resume %d", count);
++ if (count == MAX_CB_QUEUE) {
++ count = 0;
++ cond_resched();
++ goto more;
++ }
+ }
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-007-x86-PCI-Fix-Broadcom-CNB20LE-unintended-sign-.patch b/patches.kernel.org/4.4.175-007-x86-PCI-Fix-Broadcom-CNB20LE-unintended-sign-.patch
new file mode 100644
index 0000000000..8809dd61da
--- /dev/null
+++ b/patches.kernel.org/4.4.175-007-x86-PCI-Fix-Broadcom-CNB20LE-unintended-sign-.patch
@@ -0,0 +1,46 @@
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 25 Oct 2018 14:52:31 +0100
+Subject: [PATCH] x86/PCI: Fix Broadcom CNB20LE unintended sign extension
+ (redux)
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 53bb565fc5439f2c8c57a786feea5946804aa3e9
+
+[ Upstream commit 53bb565fc5439f2c8c57a786feea5946804aa3e9 ]
+
+In the expression "word1 << 16", word1 starts as u16, but is promoted to a
+signed int, then sign-extended to resource_size_t, which is probably not
+what was intended. Cast to resource_size_t to avoid the sign extension.
+
+This fixes an identical issue as fixed by commit 0b2d70764bb3 ("x86/PCI:
+Fix Broadcom CNB20LE unintended sign extension") back in 2014.
+
+Detected by CoverityScan, CID#138749, 138750 ("Unintended sign extension")
+
+Fixes: 3f6ea84a3035 ("PCI: read memory ranges out of Broadcom CNB20LE host bridge")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Bjorn Helgaas <helgaas@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/pci/broadcom_bus.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/pci/broadcom_bus.c b/arch/x86/pci/broadcom_bus.c
+index 526536c81ddc..ca1e8e6dccc8 100644
+--- a/arch/x86/pci/broadcom_bus.c
++++ b/arch/x86/pci/broadcom_bus.c
+@@ -50,8 +50,8 @@ static void __init cnb20le_res(u8 bus, u8 slot, u8 func)
+ word1 = read_pci_config_16(bus, slot, func, 0xc0);
+ word2 = read_pci_config_16(bus, slot, func, 0xc2);
+ if (word1 != word2) {
+- res.start = (word1 << 16) | 0x0000;
+- res.end = (word2 << 16) | 0xffff;
++ res.start = ((resource_size_t) word1 << 16) | 0x0000;
++ res.end = ((resource_size_t) word2 << 16) | 0xffff;
+ res.flags = IORESOURCE_MEM;
+ update_res(info, res.start, res.end, res.flags, 0);
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-008-powerpc-pseries-add-of_node_put-in-dlpar_deta.patch b/patches.kernel.org/4.4.175-008-powerpc-pseries-add-of_node_put-in-dlpar_deta.patch
new file mode 100644
index 0000000000..0fc79a2aff
--- /dev/null
+++ b/patches.kernel.org/4.4.175-008-powerpc-pseries-add-of_node_put-in-dlpar_deta.patch
@@ -0,0 +1,48 @@
+From: Frank Rowand <frank.rowand@sony.com>
+Date: Thu, 4 Oct 2018 20:27:16 -0700
+Subject: [PATCH] powerpc/pseries: add of_node_put() in dlpar_detach_node()
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 5b3f5c408d8cc59b87e47f1ab9803dbd006e4a91
+
+[ Upstream commit 5b3f5c408d8cc59b87e47f1ab9803dbd006e4a91 ]
+
+The previous commit, "of: overlay: add missing of_node_get() in
+__of_attach_node_sysfs" added a missing of_node_get() to
+__of_attach_node_sysfs(). This results in a refcount imbalance
+for nodes attached with dlpar_attach_node(). The calling sequence
+from dlpar_attach_node() to __of_attach_node_sysfs() is:
+
+ dlpar_attach_node()
+ of_attach_node()
+ __of_attach_node_sysfs()
+
+For more detailed description of the node refcount, see
+commit 68baf692c435 ("powerpc/pseries: Fix of_node_put() underflow
+during DLPAR remove").
+
+Tested-by: Alan Tull <atull@kernel.org>
+Acked-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Frank Rowand <frank.rowand@sony.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/powerpc/platforms/pseries/dlpar.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/platforms/pseries/dlpar.c b/arch/powerpc/platforms/pseries/dlpar.c
+index 96536c969c9c..a8efed3b4691 100644
+--- a/arch/powerpc/platforms/pseries/dlpar.c
++++ b/arch/powerpc/platforms/pseries/dlpar.c
+@@ -280,6 +280,8 @@ int dlpar_detach_node(struct device_node *dn)
+ if (rc)
+ return rc;
+
++ of_node_put(dn);
++
+ return 0;
+ }
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-009-serial-fsl_lpuart-clear-parity-enable-bit-whe.patch b/patches.kernel.org/4.4.175-009-serial-fsl_lpuart-clear-parity-enable-bit-whe.patch
new file mode 100644
index 0000000000..a2da0823f9
--- /dev/null
+++ b/patches.kernel.org/4.4.175-009-serial-fsl_lpuart-clear-parity-enable-bit-whe.patch
@@ -0,0 +1,53 @@
+From: Andy Duan <fugang.duan@nxp.com>
+Date: Tue, 16 Oct 2018 07:32:22 +0000
+Subject: [PATCH] serial: fsl_lpuart: clear parity enable bit when disable
+ parity
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 397bd9211fe014b347ca8f95a8f4e1017bac1aeb
+
+[ Upstream commit 397bd9211fe014b347ca8f95a8f4e1017bac1aeb ]
+
+Current driver only enable parity enable bit and never clear it
+when user set the termios. The fix clear the parity enable bit when
+PARENB flag is not set in termios->c_cflag.
+
+Cc: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Andy Duan <fugang.duan@nxp.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/tty/serial/fsl_lpuart.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
+index 01e2274b23f2..8b5ec9386f0f 100644
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -1267,6 +1267,8 @@ lpuart_set_termios(struct uart_port *port, struct ktermios *termios,
+ else
+ cr1 &= ~UARTCR1_PT;
+ }
++ } else {
++ cr1 &= ~UARTCR1_PE;
+ }
+
+ /* ask the core to calculate the divisor */
+@@ -1402,6 +1404,8 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios,
+ else
+ ctrl &= ~UARTCTRL_PT;
+ }
++ } else {
++ ctrl &= ~UARTCTRL_PE;
+ }
+
+ /* ask the core to calculate the divisor */
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-010-ptp-check-gettime64-return-code-in-PTP_SYS_OF.patch b/patches.kernel.org/4.4.175-010-ptp-check-gettime64-return-code-in-PTP_SYS_OF.patch
new file mode 100644
index 0000000000..14a80fe5cc
--- /dev/null
+++ b/patches.kernel.org/4.4.175-010-ptp-check-gettime64-return-code-in-PTP_SYS_OF.patch
@@ -0,0 +1,48 @@
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Fri, 9 Nov 2018 11:14:43 +0100
+Subject: [PATCH] ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 83d0bdc7390b890905634186baaa294475cd6a06
+
+[ Upstream commit 83d0bdc7390b890905634186baaa294475cd6a06 ]
+
+If a gettime64 call fails, return the error and avoid copying data back
+to user.
+
+Cc: Richard Cochran <richardcochran@gmail.com>
+Cc: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/ptp/ptp_chardev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
+index 4eb254a273f8..4861cfddcdd3 100644
+--- a/drivers/ptp/ptp_chardev.c
++++ b/drivers/ptp/ptp_chardev.c
+@@ -204,7 +204,9 @@ long ptp_ioctl(struct posix_clock *pc, unsigned int cmd, unsigned long arg)
+ pct->sec = ts.tv_sec;
+ pct->nsec = ts.tv_nsec;
+ pct++;
+- ptp->info->gettime64(ptp->info, &ts);
++ err = ptp->info->gettime64(ptp->info, &ts);
++ if (err)
++ goto out;
+ pct->sec = ts.tv_sec;
+ pct->nsec = ts.tv_nsec;
+ pct++;
+@@ -257,6 +259,7 @@ long ptp_ioctl(struct posix_clock *pc, unsigned int cmd, unsigned long arg)
+ break;
+ }
+
++out:
+ kfree(sysoff);
+ return err;
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-011-staging-iio-ad2s90-Make-probe-handle-spi_setu.patch b/patches.kernel.org/4.4.175-011-staging-iio-ad2s90-Make-probe-handle-spi_setu.patch
new file mode 100644
index 0000000000..963db3d59f
--- /dev/null
+++ b/patches.kernel.org/4.4.175-011-staging-iio-ad2s90-Make-probe-handle-spi_setu.patch
@@ -0,0 +1,49 @@
+From: Matheus Tavares <matheus.bernardino@usp.br>
+Date: Sat, 3 Nov 2018 19:49:44 -0300
+Subject: [PATCH] staging:iio:ad2s90: Make probe handle spi_setup failure
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: b3a3eafeef769c6982e15f83631dcbf8d1794efb
+
+[ Upstream commit b3a3eafeef769c6982e15f83631dcbf8d1794efb ]
+
+Previously, ad2s90_probe ignored the return code from spi_setup, not
+handling its possible failure. This patch makes ad2s90_probe check if
+the code is an error code and, if so, do the following:
+
+- Call dev_err with an appropriate error message.
+- Return the spi_setup's error code.
+
+Note: The 'return ret' statement could be out of the 'if' block, but
+this whole block will be moved up in the function in the patch:
+'staging:iio:ad2s90: Move device registration to the end of probe'.
+
+Signed-off-by: Matheus Tavares <matheus.bernardino@usp.br>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/staging/iio/resolver/ad2s90.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/iio/resolver/ad2s90.c b/drivers/staging/iio/resolver/ad2s90.c
+index 5b1c0db33e7f..b44253eb62ec 100644
+--- a/drivers/staging/iio/resolver/ad2s90.c
++++ b/drivers/staging/iio/resolver/ad2s90.c
+@@ -86,7 +86,12 @@ static int ad2s90_probe(struct spi_device *spi)
+ /* need 600ns between CS and the first falling edge of SCLK */
+ spi->max_speed_hz = 830000;
+ spi->mode = SPI_MODE_3;
+- spi_setup(spi);
++ ret = spi_setup(spi);
++
++ if (ret < 0) {
++ dev_err(&spi->dev, "spi_setup failed!\n");
++ return ret;
++ }
+
+ return 0;
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-012-staging-iio-ad7780-update-voltage-on-read.patch b/patches.kernel.org/4.4.175-012-staging-iio-ad7780-update-voltage-on-read.patch
new file mode 100644
index 0000000000..4a03668502
--- /dev/null
+++ b/patches.kernel.org/4.4.175-012-staging-iio-ad7780-update-voltage-on-read.patch
@@ -0,0 +1,47 @@
+From: Renato Lui Geh <renatogeh@gmail.com>
+Date: Mon, 5 Nov 2018 17:14:58 -0200
+Subject: [PATCH] staging: iio: ad7780: update voltage on read
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 336650c785b62c3bea7c8cf6061c933a90241f67
+
+[ Upstream commit 336650c785b62c3bea7c8cf6061c933a90241f67 ]
+
+The ad7780 driver previously did not read the correct device output, as
+it read an outdated value set at initialization. It now updates its
+voltage on read.
+
+Signed-off-by: Renato Lui Geh <renatogeh@gmail.com>
+Acked-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/staging/iio/adc/ad7780.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/iio/adc/ad7780.c b/drivers/staging/iio/adc/ad7780.c
+index 3abc7789237f..531338ea5eb4 100644
+--- a/drivers/staging/iio/adc/ad7780.c
++++ b/drivers/staging/iio/adc/ad7780.c
+@@ -90,12 +90,16 @@ static int ad7780_read_raw(struct iio_dev *indio_dev,
+ long m)
+ {
+ struct ad7780_state *st = iio_priv(indio_dev);
++ int voltage_uv;
+
+ switch (m) {
+ case IIO_CHAN_INFO_RAW:
+ return ad_sigma_delta_single_conversion(indio_dev, chan, val);
+ case IIO_CHAN_INFO_SCALE:
+- *val = st->int_vref_mv * st->gain;
++ voltage_uv = regulator_get_voltage(st->reg);
++ if (voltage_uv < 0)
++ return voltage_uv;
++ *val = (voltage_uv / 1000) * st->gain;
+ *val2 = chan->scan_type.realbits - 1;
+ return IIO_VAL_FRACTIONAL_LOG2;
+ case IIO_CHAN_INFO_OFFSET:
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-013-ARM-OMAP2-hwmod-Fix-some-section-annotations.patch b/patches.kernel.org/4.4.175-013-ARM-OMAP2-hwmod-Fix-some-section-annotations.patch
new file mode 100644
index 0000000000..f03dd0878b
--- /dev/null
+++ b/patches.kernel.org/4.4.175-013-ARM-OMAP2-hwmod-Fix-some-section-annotations.patch
@@ -0,0 +1,79 @@
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Wed, 17 Oct 2018 17:52:07 -0700
+Subject: [PATCH] ARM: OMAP2+: hwmod: Fix some section annotations
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: c10b26abeb53cabc1e6271a167d3f3d396ce0218
+
+[ Upstream commit c10b26abeb53cabc1e6271a167d3f3d396ce0218 ]
+
+When building the kernel with Clang, the following section mismatch
+warnings appears:
+
+WARNING: vmlinux.o(.text+0x2d398): Section mismatch in reference from
+the function _setup() to the function .init.text:_setup_iclk_autoidle()
+The function _setup() references
+the function __init _setup_iclk_autoidle().
+This is often because _setup lacks a __init
+annotation or the annotation of _setup_iclk_autoidle is wrong.
+
+WARNING: vmlinux.o(.text+0x2d3a0): Section mismatch in reference from
+the function _setup() to the function .init.text:_setup_reset()
+The function _setup() references
+the function __init _setup_reset().
+This is often because _setup lacks a __init
+annotation or the annotation of _setup_reset is wrong.
+
+WARNING: vmlinux.o(.text+0x2d408): Section mismatch in reference from
+the function _setup() to the function .init.text:_setup_postsetup()
+The function _setup() references
+the function __init _setup_postsetup().
+This is often because _setup lacks a __init
+annotation or the annotation of _setup_postsetup is wrong.
+
+_setup is used in omap_hwmod_allocate_module, which isn't marked __init
+and looks like it shouldn't be, meaning to fix these warnings, those
+functions must be moved out of the init section, which this patch does.
+
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/mach-omap2/omap_hwmod.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
+index 147c90e70b2e..36706d32d656 100644
+--- a/arch/arm/mach-omap2/omap_hwmod.c
++++ b/arch/arm/mach-omap2/omap_hwmod.c
+@@ -2526,7 +2526,7 @@ static int __init _init(struct omap_hwmod *oh, void *data)
+ * a stub; implementing this properly requires iclk autoidle usecounting in
+ * the clock code. No return value.
+ */
+-static void __init _setup_iclk_autoidle(struct omap_hwmod *oh)
++static void _setup_iclk_autoidle(struct omap_hwmod *oh)
+ {
+ struct omap_hwmod_ocp_if *os;
+ struct list_head *p;
+@@ -2561,7 +2561,7 @@ static void __init _setup_iclk_autoidle(struct omap_hwmod *oh)
+ * reset. Returns 0 upon success or a negative error code upon
+ * failure.
+ */
+-static int __init _setup_reset(struct omap_hwmod *oh)
++static int _setup_reset(struct omap_hwmod *oh)
+ {
+ int r;
+
+@@ -2622,7 +2622,7 @@ static int __init _setup_reset(struct omap_hwmod *oh)
+ *
+ * No return value.
+ */
+-static void __init _setup_postsetup(struct omap_hwmod *oh)
++static void _setup_postsetup(struct omap_hwmod *oh)
+ {
+ u8 postsetup_state;
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-014-modpost-validate-symbol-names-also-in-find_el.patch b/patches.kernel.org/4.4.175-014-modpost-validate-symbol-names-also-in-find_el.patch
new file mode 100644
index 0000000000..963deb77fd
--- /dev/null
+++ b/patches.kernel.org/4.4.175-014-modpost-validate-symbol-names-also-in-find_el.patch
@@ -0,0 +1,105 @@
+From: Sami Tolvanen <samitolvanen@google.com>
+Date: Tue, 23 Oct 2018 15:15:35 -0700
+Subject: [PATCH] modpost: validate symbol names also in find_elf_symbol
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 5818c683a619c534c113e1f66d24f636defc29bc
+
+[ Upstream commit 5818c683a619c534c113e1f66d24f636defc29bc ]
+
+If an ARM mapping symbol shares an address with a valid symbol,
+find_elf_symbol can currently return the mapping symbol instead, as the
+symbol is not validated. This can result in confusing warnings:
+
+ WARNING: vmlinux.o(.text+0x18f4028): Section mismatch in reference
+ from the function set_reset_devices() to the variable .init.text:$x.0
+
+This change adds a call to is_valid_name to find_elf_symbol, similarly
+to how it's already used in find_elf_symbol2.
+
+Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ scripts/mod/modpost.c | 50 ++++++++++++++++++++++---------------------
+ 1 file changed, 26 insertions(+), 24 deletions(-)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index 064fbfbbb22c..81b1c02a76fa 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -1197,6 +1197,30 @@ static int secref_whitelist(const struct sectioncheck *mismatch,
+ return 1;
+ }
+
++static inline int is_arm_mapping_symbol(const char *str)
++{
++ return str[0] == '$' && strchr("axtd", str[1])
++ && (str[2] == '\0' || str[2] == '.');
++}
++
++/*
++ * If there's no name there, ignore it; likewise, ignore it if it's
++ * one of the magic symbols emitted used by current ARM tools.
++ *
++ * Otherwise if find_symbols_between() returns those symbols, they'll
++ * fail the whitelist tests and cause lots of false alarms ... fixable
++ * only by merging __exit and __init sections into __text, bloating
++ * the kernel (which is especially evil on embedded platforms).
++ */
++static inline int is_valid_name(struct elf_info *elf, Elf_Sym *sym)
++{
++ const char *name = elf->strtab + sym->st_name;
++
++ if (!name || !strlen(name))
++ return 0;
++ return !is_arm_mapping_symbol(name);
++}
++
+ /**
+ * Find symbol based on relocation record info.
+ * In some cases the symbol supplied is a valid symbol so
+@@ -1222,6 +1246,8 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr,
+ continue;
+ if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
+ continue;
++ if (!is_valid_name(elf, sym))
++ continue;
+ if (sym->st_value == addr)
+ return sym;
+ /* Find a symbol nearby - addr are maybe negative */
+@@ -1240,30 +1266,6 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr,
+ return NULL;
+ }
+
+-static inline int is_arm_mapping_symbol(const char *str)
+-{
+- return str[0] == '$' && strchr("axtd", str[1])
+- && (str[2] == '\0' || str[2] == '.');
+-}
+-
+-/*
+- * If there's no name there, ignore it; likewise, ignore it if it's
+- * one of the magic symbols emitted used by current ARM tools.
+- *
+- * Otherwise if find_symbols_between() returns those symbols, they'll
+- * fail the whitelist tests and cause lots of false alarms ... fixable
+- * only by merging __exit and __init sections into __text, bloating
+- * the kernel (which is especially evil on embedded platforms).
+- */
+-static inline int is_valid_name(struct elf_info *elf, Elf_Sym *sym)
+-{
+- const char *name = elf->strtab + sym->st_name;
+-
+- if (!name || !strlen(name))
+- return 0;
+- return !is_arm_mapping_symbol(name);
+-}
+-
+ /*
+ * Find symbols before or equal addr and after addr - in the section sec.
+ * If we find two symbols with equal offset prefer one with a valid name.
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-015-perf-tools-Add-Hygon-Dhyana-support.patch b/patches.kernel.org/4.4.175-015-perf-tools-Add-Hygon-Dhyana-support.patch
new file mode 100644
index 0000000000..cf7feed785
--- /dev/null
+++ b/patches.kernel.org/4.4.175-015-perf-tools-Add-Hygon-Dhyana-support.patch
@@ -0,0 +1,45 @@
+From: Pu Wen <puwen@hygon.cn>
+Date: Mon, 12 Nov 2018 15:40:51 +0800
+Subject: [PATCH] perf tools: Add Hygon Dhyana support
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 4787eff3fa88f62fede6ed7afa06477ae6bf984d
+
+[ Upstream commit 4787eff3fa88f62fede6ed7afa06477ae6bf984d ]
+
+The tool perf is useful for the performance analysis on the Hygon Dhyana
+platform. But right now there is no Hygon support for it to analyze the
+KVM guest os data. So add Hygon Dhyana support to it by checking vendor
+string to share the code path of AMD.
+
+Signed-off-by: Pu Wen <puwen@hygon.cn>
+Acked-by: Borislav Petkov <bp@suse.de>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/1542008451-31735-1-git-send-email-puwen@hygon.cn
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/perf/arch/x86/util/kvm-stat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/arch/x86/util/kvm-stat.c b/tools/perf/arch/x86/util/kvm-stat.c
+index 14e4e668fad7..f97696a418cc 100644
+--- a/tools/perf/arch/x86/util/kvm-stat.c
++++ b/tools/perf/arch/x86/util/kvm-stat.c
+@@ -146,7 +146,7 @@ int cpu_isa_init(struct perf_kvm_stat *kvm, const char *cpuid)
+ if (strstr(cpuid, "Intel")) {
+ kvm->exit_reasons = vmx_exit_reasons;
+ kvm->exit_reasons_isa = "VMX";
+- } else if (strstr(cpuid, "AMD")) {
++ } else if (strstr(cpuid, "AMD") || strstr(cpuid, "Hygon")) {
+ kvm->exit_reasons = svm_exit_reasons;
+ kvm->exit_reasons_isa = "SVM";
+ } else
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-016-soc-tegra-Don-t-leak-device-tree-node-referen.patch b/patches.kernel.org/4.4.175-016-soc-tegra-Don-t-leak-device-tree-node-referen.patch
new file mode 100644
index 0000000000..ee07df7115
--- /dev/null
+++ b/patches.kernel.org/4.4.175-016-soc-tegra-Don-t-leak-device-tree-node-referen.patch
@@ -0,0 +1,47 @@
+From: Yangtao Li <tiny.windzz@gmail.com>
+Date: Wed, 21 Nov 2018 07:49:12 -0500
+Subject: [PATCH] soc/tegra: Don't leak device tree node reference
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 9eb40fa2cd2d1f6829e7b49bb22692f754b9cfe0
+
+[ Upstream commit 9eb40fa2cd2d1f6829e7b49bb22692f754b9cfe0 ]
+
+of_find_node_by_path() acquires a reference to the node returned by it
+and that reference needs to be dropped by its caller. soc_is_tegra()
+doesn't do that, so fix it.
+
+Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
+Acked-by: Jon Hunter <jonathanh@nvidia.com>
+[treding: slightly rewrite to avoid inline comparison]
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/soc/tegra/common.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soc/tegra/common.c b/drivers/soc/tegra/common.c
+index cd8f41351add..7bfb154d6fa5 100644
+--- a/drivers/soc/tegra/common.c
++++ b/drivers/soc/tegra/common.c
+@@ -22,11 +22,15 @@ static const struct of_device_id tegra_machine_match[] = {
+
+ bool soc_is_tegra(void)
+ {
++ const struct of_device_id *match;
+ struct device_node *root;
+
+ root = of_find_node_by_path("/");
+ if (!root)
+ return false;
+
+- return of_match_node(tegra_machine_match, root) != NULL;
++ match = of_match_node(tegra_machine_match, root);
++ of_node_put(root);
++
++ return match != NULL;
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-017-f2fs-move-dir-data-flush-to-write-checkpoint-.patch b/patches.kernel.org/4.4.175-017-f2fs-move-dir-data-flush-to-write-checkpoint-.patch
new file mode 100644
index 0000000000..87d1bb67de
--- /dev/null
+++ b/patches.kernel.org/4.4.175-017-f2fs-move-dir-data-flush-to-write-checkpoint-.patch
@@ -0,0 +1,51 @@
+From: Yunlei He <heyunlei@huawei.com>
+Date: Tue, 6 Nov 2018 10:25:29 +0800
+Subject: [PATCH] f2fs: move dir data flush to write checkpoint process
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: b61ac5b720146c619c7cdf17eff2551b934399e5
+
+[ Upstream commit b61ac5b720146c619c7cdf17eff2551b934399e5 ]
+
+This patch move dir data flush to write checkpoint process, by
+doing this, it may reduce some time for dir fsync.
+
+pre:
+ -f2fs_do_sync_file enter
+ -file_write_and_wait_range <- flush & wait
+ -write_checkpoint
+ -do_checkpoint <- wait all
+ -f2fs_do_sync_file exit
+
+now:
+ -f2fs_do_sync_file enter
+ -write_checkpoint
+ -block_operations <- flush dir & no wait
+ -do_checkpoint <- wait all
+ -f2fs_do_sync_file exit
+
+Signed-off-by: Yunlei He <heyunlei@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/f2fs/file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 96bfd9f0ea02..bee3bc7a16ac 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -200,6 +200,9 @@ int f2fs_sync_file(struct file *file, loff_t start, loff_t end, int datasync)
+
+ trace_f2fs_sync_file_enter(inode);
+
++ if (S_ISDIR(inode->i_mode))
++ goto go_write;
++
+ /* if fdatasync is triggered, let's do in-place-update */
+ if (get_dirty_pages(inode) <= SM_I(sbi)->min_fsync_blocks)
+ set_inode_flag(fi, FI_NEED_IPU);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-018-f2fs-fix-wrong-return-value-of-f2fs_acl_creat.patch b/patches.kernel.org/4.4.175-018-f2fs-fix-wrong-return-value-of-f2fs_acl_creat.patch
new file mode 100644
index 0000000000..3d0b1fe1c5
--- /dev/null
+++ b/patches.kernel.org/4.4.175-018-f2fs-fix-wrong-return-value-of-f2fs_acl_creat.patch
@@ -0,0 +1,64 @@
+From: Tiezhu Yang <kernelpatch@126.com>
+Date: Wed, 21 Nov 2018 07:21:38 +0800
+Subject: [PATCH] f2fs: fix wrong return value of f2fs_acl_create
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: f6176473a0c7472380eef72ebeb330cf9485bf0a
+
+[ Upstream commit f6176473a0c7472380eef72ebeb330cf9485bf0a ]
+
+When call f2fs_acl_create_masq() failed, the caller f2fs_acl_create()
+should return -EIO instead of -ENOMEM, this patch makes it consistent
+with posix_acl_create() which has been fixed in commit beaf226b863a
+("posix_acl: don't ignore return value of posix_acl_create_masq()").
+
+Fixes: 83dfe53c185e ("f2fs: fix reference leaks in f2fs_acl_create")
+Signed-off-by: Tiezhu Yang <kernelpatch@126.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/f2fs/acl.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
+index 83dcf7bfd7b8..f0ea91925343 100644
+--- a/fs/f2fs/acl.c
++++ b/fs/f2fs/acl.c
+@@ -350,12 +350,14 @@ static int f2fs_acl_create(struct inode *dir, umode_t *mode,
+ return PTR_ERR(p);
+
+ clone = f2fs_acl_clone(p, GFP_NOFS);
+- if (!clone)
+- goto no_mem;
++ if (!clone) {
++ ret = -ENOMEM;
++ goto release_acl;
++ }
+
+ ret = f2fs_acl_create_masq(clone, mode);
+ if (ret < 0)
+- goto no_mem_clone;
++ goto release_clone;
+
+ if (ret == 0)
+ posix_acl_release(clone);
+@@ -369,11 +371,11 @@ static int f2fs_acl_create(struct inode *dir, umode_t *mode,
+
+ return 0;
+
+-no_mem_clone:
++release_clone:
+ posix_acl_release(clone);
+-no_mem:
++release_acl:
+ posix_acl_release(p);
+- return -ENOMEM;
++ return ret;
+ }
+
+ int f2fs_init_acl(struct inode *inode, struct inode *dir, struct page *ipage,
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-019-sunvdc-Do-not-spin-in-an-infinite-loop-when-v.patch b/patches.kernel.org/4.4.175-019-sunvdc-Do-not-spin-in-an-infinite-loop-when-v.patch
new file mode 100644
index 0000000000..1f043b1165
--- /dev/null
+++ b/patches.kernel.org/4.4.175-019-sunvdc-Do-not-spin-in-an-infinite-loop-when-v.patch
@@ -0,0 +1,57 @@
+From: Young Xiao <YangX92@hotmail.com>
+Date: Wed, 28 Nov 2018 12:36:39 +0000
+Subject: [PATCH] sunvdc: Do not spin in an infinite loop when vio_ldc_send()
+ returns EAGAIN
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: a11f6ca9aef989b56cd31ff4ee2af4fb31a172ec
+
+[ Upstream commit a11f6ca9aef989b56cd31ff4ee2af4fb31a172ec ]
+
+__vdc_tx_trigger should only loop on EAGAIN a finite
+number of times.
+
+See commit adddc32d6fde ("sunvnet: Do not spin in an
+infinite loop when vio_ldc_send() returns EAGAIN") for detail.
+
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/block/sunvdc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c
+index 4b911ed96ea3..31219fb9e7f4 100644
+--- a/drivers/block/sunvdc.c
++++ b/drivers/block/sunvdc.c
+@@ -40,6 +40,8 @@ MODULE_VERSION(DRV_MODULE_VERSION);
+ #define WAITING_FOR_GEN_CMD 0x04
+ #define WAITING_FOR_ANY -1
+
++#define VDC_MAX_RETRIES 10
++
+ static struct workqueue_struct *sunvdc_wq;
+
+ struct vdc_req_entry {
+@@ -419,6 +421,7 @@ static int __vdc_tx_trigger(struct vdc_port *port)
+ .end_idx = dr->prod,
+ };
+ int err, delay;
++ int retries = 0;
+
+ hdr.seq = dr->snd_nxt;
+ delay = 1;
+@@ -431,6 +434,8 @@ static int __vdc_tx_trigger(struct vdc_port *port)
+ udelay(delay);
+ if ((delay <<= 1) > 128)
+ delay = 128;
++ if (retries++ > VDC_MAX_RETRIES)
++ break;
+ } while (err == -EAGAIN);
+
+ if (err == -ENOTCONN)
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-020-nfsd4-fix-crash-on-writing-v4_end_grace-befor.patch b/patches.kernel.org/4.4.175-020-nfsd4-fix-crash-on-writing-v4_end_grace-befor.patch
new file mode 100644
index 0000000000..25e39ee28c
--- /dev/null
+++ b/patches.kernel.org/4.4.175-020-nfsd4-fix-crash-on-writing-v4_end_grace-befor.patch
@@ -0,0 +1,43 @@
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Tue, 27 Nov 2018 15:54:17 -0500
+Subject: [PATCH] nfsd4: fix crash on writing v4_end_grace before nfsd startup
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 62a063b8e7d1db684db3f207261a466fa3194e72
+
+[ Upstream commit 62a063b8e7d1db684db3f207261a466fa3194e72 ]
+
+Anatoly Trosinenko reports that this:
+
+1) Checkout fresh master Linux branch (tested with commit e195ca6cb)
+2) Copy x84_64-config-4.14 to .config, then enable NFS server v4 and build
+3) From `kvm-xfstests shell`:
+
+results in NULL dereference in locks_end_grace.
+
+Check that nfsd has been started before trying to end the grace period.
+
+Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/nfsd/nfsctl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
+index 9690cb4dd588..03c7a4e7b6ba 100644
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1106,6 +1106,8 @@ static ssize_t write_v4_end_grace(struct file *file, char *buf, size_t size)
+ case 'Y':
+ case 'y':
+ case '1':
++ if (nn->nfsd_serv)
++ return -EBUSY;
+ nfsd4_end_grace(nn);
+ break;
+ default:
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-021-arm64-ftrace-don-t-adjust-the-LR-value.patch b/patches.kernel.org/4.4.175-021-arm64-ftrace-don-t-adjust-the-LR-value.patch
new file mode 100644
index 0000000000..26fdc5797c
--- /dev/null
+++ b/patches.kernel.org/4.4.175-021-arm64-ftrace-don-t-adjust-the-LR-value.patch
@@ -0,0 +1,56 @@
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Thu, 15 Nov 2018 22:42:01 +0000
+Subject: [PATCH] arm64: ftrace: don't adjust the LR value
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 6e803e2e6e367db9a0d6ecae1bd24bb5752011bd
+
+[ Upstream commit 6e803e2e6e367db9a0d6ecae1bd24bb5752011bd ]
+
+The core ftrace code requires that when it is handed the PC of an
+instrumented function, this PC is the address of the instrumented
+instruction. This is necessary so that the core ftrace code can identify
+the specific instrumentation site. Since the instrumented function will
+be a BL, the address of the instrumented function is LR - 4 at entry to
+the ftrace code.
+
+This fixup is applied in the mcount_get_pc and mcount_get_pc0 helpers,
+which acquire the PC of the instrumented function.
+
+The mcount_get_lr helper is used to acquire the LR of the instrumented
+function, whose value does not require this adjustment, and cannot be
+adjusted to anything meaningful. No adjustment of this value is made on
+other architectures, including arm. However, arm64 adjusts this value by
+4.
+
+This patch brings arm64 in line with other architectures and removes the
+adjustment of the LR value.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Torsten Duwe <duwe@suse.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm64/kernel/entry-ftrace.S | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/entry-ftrace.S b/arch/arm64/kernel/entry-ftrace.S
+index 0f03a8fe2314..d18d15810d19 100644
+--- a/arch/arm64/kernel/entry-ftrace.S
++++ b/arch/arm64/kernel/entry-ftrace.S
+@@ -78,7 +78,6 @@
+ .macro mcount_get_lr reg
+ ldr \reg, [x29]
+ ldr \reg, [\reg, #8]
+- mcount_adjust_addr \reg, \reg
+ .endm
+
+ .macro mcount_get_lr_addr reg
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-022-ARM-dts-mmp2-fix-TWSI2.patch b/patches.kernel.org/4.4.175-022-ARM-dts-mmp2-fix-TWSI2.patch
new file mode 100644
index 0000000000..742c2bc0b8
--- /dev/null
+++ b/patches.kernel.org/4.4.175-022-ARM-dts-mmp2-fix-TWSI2.patch
@@ -0,0 +1,59 @@
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Wed, 28 Nov 2018 18:53:10 +0100
+Subject: [PATCH] ARM: dts: mmp2: fix TWSI2
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 1147e05ac9fc2ef86a3691e7ca5c2db7602d81dd
+
+[ Upstream commit 1147e05ac9fc2ef86a3691e7ca5c2db7602d81dd ]
+
+Marvell keeps their MMP2 datasheet secret, but there are good clues
+that TWSI2 is not on 0xd4025000 on that platform, not does it use
+IRQ 58. In fact, the IRQ 58 on MMP2 seems to be a signal processor:
+
+ arch/arm/mach-mmp/irqs.h:#define IRQ_MMP2_MSP 58
+
+I'm taking a somewhat educated guess that is probably a copy & paste
+error from PXA168 or PXA910 and that the real controller in fact hides
+at address 0xd4031000 and uses an interrupt line multiplexed via IRQ 17.
+
+I'm also copying some properties from TWSI1 that were missing or
+incorrect.
+
+Tested on a OLPC XO 1.75 machine, where the RTC is on TWSI2.
+
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Tested-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/boot/dts/mmp2.dtsi | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/mmp2.dtsi b/arch/arm/boot/dts/mmp2.dtsi
+index 766bbb8495b6..47e5b63339d1 100644
+--- a/arch/arm/boot/dts/mmp2.dtsi
++++ b/arch/arm/boot/dts/mmp2.dtsi
+@@ -220,12 +220,15 @@
+ status = "disabled";
+ };
+
+- twsi2: i2c@d4025000 {
++ twsi2: i2c@d4031000 {
+ compatible = "mrvl,mmp-twsi";
+- reg = <0xd4025000 0x1000>;
+- interrupts = <58>;
++ reg = <0xd4031000 0x1000>;
++ interrupt-parent = <&intcmux17>;
++ interrupts = <0>;
+ clocks = <&soc_clocks MMP2_CLK_TWSI1>;
+ resets = <&soc_clocks MMP2_CLK_TWSI1>;
++ #address-cells = <1>;
++ #size-cells = <0>;
+ status = "disabled";
+ };
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-023-x86-fpu-Add-might_fault-to-user_insn.patch b/patches.kernel.org/4.4.175-023-x86-fpu-Add-might_fault-to-user_insn.patch
new file mode 100644
index 0000000000..4be371ea6f
--- /dev/null
+++ b/patches.kernel.org/4.4.175-023-x86-fpu-Add-might_fault-to-user_insn.patch
@@ -0,0 +1,57 @@
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Wed, 28 Nov 2018 23:20:11 +0100
+Subject: [PATCH] x86/fpu: Add might_fault() to user_insn()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 6637401c35b2f327a35d27f44bda05e327f2f017
+
+[ Upstream commit 6637401c35b2f327a35d27f44bda05e327f2f017 ]
+
+Every user of user_insn() passes an user memory pointer to this macro.
+
+Add might_fault() to user_insn() so we can spot users which are using
+this macro in sections where page faulting is not allowed.
+
+ [ bp: Space it out to make it more visible. ]
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Rik van Riel <riel@surriel.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: kvm ML <kvm@vger.kernel.org>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20181128222035.2996-6-bigeasy@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/include/asm/fpu/internal.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h
+index 16825dda18dc..66a5e60f60c4 100644
+--- a/arch/x86/include/asm/fpu/internal.h
++++ b/arch/x86/include/asm/fpu/internal.h
+@@ -94,6 +94,9 @@ extern void fpstate_sanitize_xstate(struct fpu *fpu);
+ #define user_insn(insn, output, input...) \
+ ({ \
+ int err; \
++ \
++ might_fault(); \
++ \
+ asm volatile(ASM_STAC "\n" \
+ "1:" #insn "\n\t" \
+ "2: " ASM_CLAC "\n" \
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-024-media-DaVinci-VPBE-fix-error-handling-in-vpbe.patch b/patches.kernel.org/4.4.175-024-media-DaVinci-VPBE-fix-error-handling-in-vpbe.patch
new file mode 100644
index 0000000000..c1b5cca8a7
--- /dev/null
+++ b/patches.kernel.org/4.4.175-024-media-DaVinci-VPBE-fix-error-handling-in-vpbe.patch
@@ -0,0 +1,58 @@
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Fri, 23 Nov 2018 16:56:26 -0500
+Subject: [PATCH] media: DaVinci-VPBE: fix error handling in vpbe_initialize()
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: aa35dc3c71950e3fec3e230c06c27c0fbd0067f8
+
+[ Upstream commit aa35dc3c71950e3fec3e230c06c27c0fbd0067f8 ]
+
+If vpbe_set_default_output() or vpbe_set_default_mode() fails,
+vpbe_initialize() returns error code without releasing resources.
+
+The patch adds error handling for that case.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/media/platform/davinci/vpbe.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/davinci/vpbe.c b/drivers/media/platform/davinci/vpbe.c
+index 9a6c2cc38acb..abce9c4a1a8e 100644
+--- a/drivers/media/platform/davinci/vpbe.c
++++ b/drivers/media/platform/davinci/vpbe.c
+@@ -753,7 +753,7 @@ static int vpbe_initialize(struct device *dev, struct vpbe_device *vpbe_dev)
+ if (ret) {
+ v4l2_err(&vpbe_dev->v4l2_dev, "Failed to set default output %s",
+ def_output);
+- return ret;
++ goto fail_kfree_amp;
+ }
+
+ printk(KERN_NOTICE "Setting default mode to %s\n", def_mode);
+@@ -761,12 +761,15 @@ static int vpbe_initialize(struct device *dev, struct vpbe_device *vpbe_dev)
+ if (ret) {
+ v4l2_err(&vpbe_dev->v4l2_dev, "Failed to set default mode %s",
+ def_mode);
+- return ret;
++ goto fail_kfree_amp;
+ }
+ vpbe_dev->initialized = 1;
+ /* TBD handling of bootargs for default output and mode */
+ return 0;
+
++fail_kfree_amp:
++ mutex_lock(&vpbe_dev->lock);
++ kfree(vpbe_dev->amp);
+ fail_kfree_encoders:
+ kfree(vpbe_dev->encoders);
+ fail_dev_unregister:
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-025-smack-fix-access-permissions-for-keyring.patch b/patches.kernel.org/4.4.175-025-smack-fix-access-permissions-for-keyring.patch
new file mode 100644
index 0000000000..924fd9d4c3
--- /dev/null
+++ b/patches.kernel.org/4.4.175-025-smack-fix-access-permissions-for-keyring.patch
@@ -0,0 +1,69 @@
+From: Zoran Markovic <zmarkovic@sierrawireless.com>
+Date: Wed, 17 Oct 2018 16:25:44 -0700
+Subject: [PATCH] smack: fix access permissions for keyring
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 5b841bfab695e3b8ae793172a9ff7990f99cc3e2
+
+[ Upstream commit 5b841bfab695e3b8ae793172a9ff7990f99cc3e2 ]
+
+Function smack_key_permission() only issues smack requests for the
+following operations:
+ - KEY_NEED_READ (issues MAY_READ)
+ - KEY_NEED_WRITE (issues MAY_WRITE)
+ - KEY_NEED_LINK (issues MAY_WRITE)
+ - KEY_NEED_SETATTR (issues MAY_WRITE)
+A blank smack request is issued in all other cases, resulting in
+smack access being granted if there is any rule defined between
+subject and object, or denied with -EACCES otherwise.
+
+Request MAY_READ access for KEY_NEED_SEARCH and KEY_NEED_VIEW.
+Fix the logic in the unlikely case when both MAY_READ and
+MAY_WRITE are needed. Validate access permission field for valid
+contents.
+
+Signed-off-by: Zoran Markovic <zmarkovic@sierrawireless.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Cc: Casey Schaufler <casey@schaufler-ca.com>
+Cc: James Morris <jmorris@namei.org>
+Cc: "Serge E. Hallyn" <serge@hallyn.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ security/smack/smack_lsm.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index c73361859d11..9db7c80a74aa 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -4311,6 +4311,12 @@ static int smack_key_permission(key_ref_t key_ref,
+ int request = 0;
+ int rc;
+
++ /*
++ * Validate requested permissions
++ */
++ if (perm & ~KEY_NEED_ALL)
++ return -EINVAL;
++
+ keyp = key_ref_to_ptr(key_ref);
+ if (keyp == NULL)
+ return -EINVAL;
+@@ -4330,10 +4336,10 @@ static int smack_key_permission(key_ref_t key_ref,
+ ad.a.u.key_struct.key = keyp->serial;
+ ad.a.u.key_struct.key_desc = keyp->description;
+ #endif
+- if (perm & KEY_NEED_READ)
+- request = MAY_READ;
++ if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW))
++ request |= MAY_READ;
+ if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
+- request = MAY_WRITE;
++ request |= MAY_WRITE;
+ rc = smk_access(tkp, keyp->security, request, &ad);
+ rc = smk_bu_note("key access", tkp, keyp->security, request, rc);
+ return rc;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-026-usb-hub-delay-hub-autosuspend-if-USB3-port-is.patch b/patches.kernel.org/4.4.175-026-usb-hub-delay-hub-autosuspend-if-USB3-port-is.patch
new file mode 100644
index 0000000000..2ea9da481e
--- /dev/null
+++ b/patches.kernel.org/4.4.175-026-usb-hub-delay-hub-autosuspend-if-USB3-port-is.patch
@@ -0,0 +1,53 @@
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Wed, 28 Nov 2018 15:55:21 +0200
+Subject: [PATCH] usb: hub: delay hub autosuspend if USB3 port is still link
+ training
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: e86108940e541febf35813402ff29fa6f4a9ac0b
+
+[ Upstream commit e86108940e541febf35813402ff29fa6f4a9ac0b ]
+
+When initializing a hub we want to give a USB3 port in link training
+the same debounce delay time before autosuspening the hub as already
+trained, connected enabled ports.
+
+USB3 ports won't reach the enabled state with "current connect status" and
+"connect status change" bits set until the USB3 link training finishes.
+
+Catching the port in link training (polling) and adding the debounce delay
+prevents unnecessary failed attempts to autosuspend the hub.
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/core/hub.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index be63db142d3f..3a6978458d95 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -1092,6 +1092,16 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ USB_PORT_FEAT_ENABLE);
+ }
+
++ /*
++ * Add debounce if USB3 link is in polling/link training state.
++ * Link will automatically transition to Enabled state after
++ * link training completes.
++ */
++ if (hub_is_superspeed(hdev) &&
++ ((portstatus & USB_PORT_STAT_LINK_STATE) ==
++ USB_SS_PORT_LS_POLLING))
++ need_debounce_delay = true;
++
+ /* Clear status-change flags; we'll debounce later */
+ if (portchange & USB_PORT_STAT_C_CONNECTION) {
+ need_debounce_delay = true;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-027-timekeeping-Use-proper-seqcount-initializer.patch b/patches.kernel.org/4.4.175-027-timekeeping-Use-proper-seqcount-initializer.patch
new file mode 100644
index 0000000000..cb1b866028
--- /dev/null
+++ b/patches.kernel.org/4.4.175-027-timekeeping-Use-proper-seqcount-initializer.patch
@@ -0,0 +1,48 @@
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 28 Nov 2018 15:43:09 -0800
+Subject: [PATCH] timekeeping: Use proper seqcount initializer
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: ce10a5b3954f2514af726beb78ed8d7350c5e41c
+
+[ Upstream commit ce10a5b3954f2514af726beb78ed8d7350c5e41c ]
+
+tk_core.seq is initialized open coded, but that misses to initialize the
+lockdep map when lockdep is enabled. Lockdep splats involving tk_core seq
+consequently lack a name and are hard to read.
+
+Use the proper initializer which takes care of the lockdep map
+initialization.
+
+[ tglx: Massaged changelog ]
+
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: peterz@infradead.org
+Cc: tj@kernel.org
+Cc: johannes.berg@intel.com
+Link: https://lkml.kernel.org/r/20181128234325.110011-12-bvanassche@acm.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/time/timekeeping.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
+index fed86b2dfc89..d9837d25dfe0 100644
+--- a/kernel/time/timekeeping.c
++++ b/kernel/time/timekeeping.c
+@@ -39,7 +39,9 @@
+ static struct {
+ seqcount_t seq;
+ struct timekeeper timekeeper;
+-} tk_core ____cacheline_aligned;
++} tk_core ____cacheline_aligned = {
++ .seq = SEQCNT_ZERO(tk_core.seq),
++};
+
+ static DEFINE_RAW_SPINLOCK(timekeeper_lock);
+ static struct timekeeper shadow_timekeeper;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-028-ARM-dts-Fix-OMAP4430-SDP-Ethernet-startup.patch b/patches.kernel.org/4.4.175-028-ARM-dts-Fix-OMAP4430-SDP-Ethernet-startup.patch
new file mode 100644
index 0000000000..f62f9742a3
--- /dev/null
+++ b/patches.kernel.org/4.4.175-028-ARM-dts-Fix-OMAP4430-SDP-Ethernet-startup.patch
@@ -0,0 +1,68 @@
+From: Russell King - ARM Linux <linux@armlinux.org.uk>
+Date: Fri, 7 Dec 2018 09:17:07 -0800
+Subject: [PATCH] ARM: dts: Fix OMAP4430 SDP Ethernet startup
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 84fb6c7feb1494ebb7d1ec8b95cfb7ada0264465
+
+[ Upstream commit 84fb6c7feb1494ebb7d1ec8b95cfb7ada0264465 ]
+
+It was noticed that unbinding and rebinding the KSZ8851 ethernet
+resulted in the driver reporting "failed to read device ID" at probe.
+Probing the reset line with a 'scope while repeatedly attempting to
+bind the driver in a shell loop revealed that the KSZ8851 RSTN pin is
+constantly held at zero, meaning the device is held in reset, and
+does not respond on the SPI bus.
+
+Experimentation with the startup delay on the regulator set to 50ms
+shows that the reset is positively released after 20ms.
+
+Schematics for this board are not available, and the traces are buried
+in the inner layers of the board which makes tracing where the RSTN pin
+extremely difficult. We can only guess that the RSTN pin is wired to a
+reset generator chip driven off the ethernet supply, which fits the
+observed behaviour.
+
+Include this delay in the regulator startup delay - effectively
+treating the reset as a "supply stable" indicator.
+
+This can not be modelled as a delay in the KSZ8851 driver since the
+reset generation is board specific - if the RSTN pin had been wired to
+a GPIO, reset could be released earlier via the already provided support
+in the KSZ8851 driver.
+
+This also got confirmed by Peter Ujfalusi <peter.ujfalusi@ti.com> based
+on Blaze schematics that should be very close to SDP4430:
+
+TPS22902YFPR is used as the regulator switch (gpio48 controlled):
+Convert arm boot_lock to raw The VOUT is routed to TPS3808G01DBV.
+(SCH Note: Threshold set at 90%. Vsense: 0.405V).
+
+According to the TPS3808 data sheet the RESET delay time when Ct is
+open (this is the case in the schema): MIN/TYP/MAX: 12/20/28 ms.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+[tony@atomide.com: updated with notes from schematics from Peter]
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/boot/dts/omap4-sdp.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/omap4-sdp.dts b/arch/arm/boot/dts/omap4-sdp.dts
+index f0bdc41f8eff..235d1493f8aa 100644
+--- a/arch/arm/boot/dts/omap4-sdp.dts
++++ b/arch/arm/boot/dts/omap4-sdp.dts
+@@ -33,6 +33,7 @@
+ gpio = <&gpio2 16 GPIO_ACTIVE_HIGH>; /* gpio line 48 */
+ enable-active-high;
+ regulator-boot-on;
++ startup-delay-us = <25000>;
+ };
+
+ vbat: fixedregulator-vbat {
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-029-mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch b/patches.kernel.org/4.4.175-029-mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch
new file mode 100644
index 0000000000..092ea0da54
--- /dev/null
+++ b/patches.kernel.org/4.4.175-029-mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch
@@ -0,0 +1,50 @@
+From: Jiong Wang <jiong.wang@netronome.com>
+Date: Mon, 3 Dec 2018 17:27:54 -0500
+Subject: [PATCH] mips: bpf: fix encoding bug for mm_srlv32_op
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 17f6c83fb5ebf7db4fcc94a5be4c22d5a7bfe428
+
+[ Upstream commit 17f6c83fb5ebf7db4fcc94a5be4c22d5a7bfe428 ]
+
+For micro-mips, srlv inside POOL32A encoding space should use 0x50
+sub-opcode, NOT 0x90.
+
+Some early version ISA doc describes the encoding as 0x90 for both srlv and
+srav, this looks to me was a typo. I checked Binutils libopcode
+implementation which is using 0x50 for srlv and 0x90 for srav.
+
+v1->v2:
+ - Keep mm_srlv32_op sorted by value.
+
+Fixes: f31318fdf324 ("MIPS: uasm: Add srlv uasm instruction")
+Cc: Markos Chandras <markos.chandras@imgtec.com>
+Cc: Paul Burton <paul.burton@mips.com>
+Cc: linux-mips@vger.kernel.org
+Acked-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Acked-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Jiong Wang <jiong.wang@netronome.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/mips/include/uapi/asm/inst.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/uapi/asm/inst.h b/arch/mips/include/uapi/asm/inst.h
+index 1b6f2f219298..9db764b51ffe 100644
+--- a/arch/mips/include/uapi/asm/inst.h
++++ b/arch/mips/include/uapi/asm/inst.h
+@@ -290,8 +290,8 @@ enum mm_32a_minor_op {
+ mm_ext_op = 0x02c,
+ mm_pool32axf_op = 0x03c,
+ mm_srl32_op = 0x040,
++ mm_srlv32_op = 0x050,
+ mm_sra_op = 0x080,
+- mm_srlv32_op = 0x090,
+ mm_rotr_op = 0x0c0,
+ mm_lwxs_op = 0x118,
+ mm_addu32_op = 0x150,
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-030-iommu-arm-smmu-v3-Use-explicit-mb-when-moving.patch b/patches.kernel.org/4.4.175-030-iommu-arm-smmu-v3-Use-explicit-mb-when-moving.patch
new file mode 100644
index 0000000000..6b59de47da
--- /dev/null
+++ b/patches.kernel.org/4.4.175-030-iommu-arm-smmu-v3-Use-explicit-mb-when-moving.patch
@@ -0,0 +1,51 @@
+From: Will Deacon <will.deacon@arm.com>
+Date: Wed, 7 Nov 2018 22:58:24 +0000
+Subject: [PATCH] iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: a868e8530441286342f90c1fd9c5f24de3aa2880
+
+[ Upstream commit a868e8530441286342f90c1fd9c5f24de3aa2880 ]
+
+After removing an entry from a queue (e.g. reading an event in
+arm_smmu_evtq_thread()) it is necessary to advance the MMIO consumer
+pointer to free the queue slot back to the SMMU. A memory barrier is
+required here so that all reads targetting the queue entry have
+completed before the consumer pointer is updated.
+
+The implementation of queue_inc_cons() relies on a writel() to complete
+the previous reads, but this is incorrect because writel() is only
+guaranteed to complete prior writes. This patch replaces the call to
+writel() with an mb(); writel_relaxed() sequence, which gives us the
+read->write ordering which we require.
+
+Cc: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/iommu/arm-smmu-v3.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c
+index fc6eb752ab35..eb9937225d64 100644
+--- a/drivers/iommu/arm-smmu-v3.c
++++ b/drivers/iommu/arm-smmu-v3.c
+@@ -683,7 +683,13 @@ static void queue_inc_cons(struct arm_smmu_queue *q)
+ u32 cons = (Q_WRP(q, q->cons) | Q_IDX(q, q->cons)) + 1;
+
+ q->cons = Q_OVF(q, q->cons) | Q_WRP(q, cons) | Q_IDX(q, cons);
+- writel(q->cons, q->cons_reg);
++
++ /*
++ * Ensure that all CPU accesses (reads and writes) to the queue
++ * are complete before we update the cons pointer.
++ */
++ mb();
++ writel_relaxed(q->cons, q->cons_reg);
+ }
+
+ static int queue_sync_prod(struct arm_smmu_queue *q)
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-031-sata_rcar-fix-deferred-probing.patch b/patches.kernel.org/4.4.175-031-sata_rcar-fix-deferred-probing.patch
new file mode 100644
index 0000000000..e6ccd10a99
--- /dev/null
+++ b/patches.kernel.org/4.4.175-031-sata_rcar-fix-deferred-probing.patch
@@ -0,0 +1,44 @@
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Sat, 24 Nov 2018 21:14:16 +0300
+Subject: [PATCH] sata_rcar: fix deferred probing
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 9f83cfdb1ace3ef268ecc6fda50058d2ec37d603
+
+[ Upstream commit 9f83cfdb1ace3ef268ecc6fda50058d2ec37d603 ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-EINVAL, so if it returns -EPROBE_DEFER, the driver would fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error code upstream, still checking/overriding IRQ0 as libata regards it
+as "no IRQ" (thus polling) anyway...
+
+Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/ata/sata_rcar.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ata/sata_rcar.c b/drivers/ata/sata_rcar.c
+index 8804127b108c..21b80f5ee092 100644
+--- a/drivers/ata/sata_rcar.c
++++ b/drivers/ata/sata_rcar.c
+@@ -875,7 +875,9 @@ static int sata_rcar_probe(struct platform_device *pdev)
+ int ret = 0;
+
+ irq = platform_get_irq(pdev, 0);
+- if (irq <= 0)
++ if (irq < 0)
++ return irq;
++ if (!irq)
+ return -EINVAL;
+
+ priv = devm_kzalloc(&pdev->dev, sizeof(struct sata_rcar_priv),
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-032-clk-imx6sl-ensure-MMDC-CH0-handshake-is-bypas.patch b/patches.kernel.org/4.4.175-032-clk-imx6sl-ensure-MMDC-CH0-handshake-is-bypas.patch
new file mode 100644
index 0000000000..869bd34071
--- /dev/null
+++ b/patches.kernel.org/4.4.175-032-clk-imx6sl-ensure-MMDC-CH0-handshake-is-bypas.patch
@@ -0,0 +1,49 @@
+From: Anson Huang <anson.huang@nxp.com>
+Date: Fri, 30 Nov 2018 07:23:47 +0000
+Subject: [PATCH] clk: imx6sl: ensure MMDC CH0 handshake is bypassed
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 0efcc2c0fd2001a83240a8c3d71f67770484917e
+
+[ Upstream commit 0efcc2c0fd2001a83240a8c3d71f67770484917e ]
+
+Same as other i.MX6 SoCs, ensure unused MMDC channel's
+handshake is bypassed, this is to make sure no request
+signal will be generated when periphe_clk_sel is changed
+or SRC warm reset is triggered.
+
+Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/clk/imx/clk-imx6sl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/clk/imx/clk-imx6sl.c b/drivers/clk/imx/clk-imx6sl.c
+index 1be6230a07af..8b6306dc5fc6 100644
+--- a/drivers/clk/imx/clk-imx6sl.c
++++ b/drivers/clk/imx/clk-imx6sl.c
+@@ -17,6 +17,8 @@
+
+ #include "clk.h"
+
++#define CCDR 0x4
++#define BM_CCM_CCDR_MMDC_CH0_MASK (1 << 17)
+ #define CCSR 0xc
+ #define BM_CCSR_PLL1_SW_CLK_SEL (1 << 2)
+ #define CACRR 0x10
+@@ -414,6 +416,10 @@ static void __init imx6sl_clocks_init(struct device_node *ccm_node)
+ clks[IMX6SL_CLK_USDHC3] = imx_clk_gate2("usdhc3", "usdhc3_podf", base + 0x80, 6);
+ clks[IMX6SL_CLK_USDHC4] = imx_clk_gate2("usdhc4", "usdhc4_podf", base + 0x80, 8);
+
++ /* Ensure the MMDC CH0 handshake is bypassed */
++ writel_relaxed(readl_relaxed(base + CCDR) |
++ BM_CCM_CCDR_MMDC_CH0_MASK, base + CCDR);
++
+ imx_check_clocks(clks, ARRAY_SIZE(clks));
+
+ clk_data.clks = clks;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-033-cpuidle-big.LITTLE-fix-refcount-leak.patch b/patches.kernel.org/4.4.175-033-cpuidle-big.LITTLE-fix-refcount-leak.patch
new file mode 100644
index 0000000000..fbeeae32e3
--- /dev/null
+++ b/patches.kernel.org/4.4.175-033-cpuidle-big.LITTLE-fix-refcount-leak.patch
@@ -0,0 +1,50 @@
+From: Yangtao Li <tiny.windzz@gmail.com>
+Date: Mon, 10 Dec 2018 11:26:41 -0500
+Subject: [PATCH] cpuidle: big.LITTLE: fix refcount leak
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 9456823c842f346c74265fcd98d008d87a7eb6f5
+
+[ Upstream commit 9456823c842f346c74265fcd98d008d87a7eb6f5 ]
+
+of_find_node_by_path() acquires a reference to the node
+returned by it and that reference needs to be dropped by its caller.
+bl_idle_init() doesn't do that, so fix it.
+
+Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
+Acked-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/cpuidle/cpuidle-big_little.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cpuidle/cpuidle-big_little.c b/drivers/cpuidle/cpuidle-big_little.c
+index db2ede565f1a..b44476a1b7ad 100644
+--- a/drivers/cpuidle/cpuidle-big_little.c
++++ b/drivers/cpuidle/cpuidle-big_little.c
+@@ -167,6 +167,7 @@ static int __init bl_idle_init(void)
+ {
+ int ret;
+ struct device_node *root = of_find_node_by_path("/");
++ const struct of_device_id *match_id;
+
+ if (!root)
+ return -ENODEV;
+@@ -174,7 +175,11 @@ static int __init bl_idle_init(void)
+ /*
+ * Initialize the driver just for a compliant set of machines
+ */
+- if (!of_match_node(compatible_machine_match, root))
++ match_id = of_match_node(compatible_machine_match, root);
++
++ of_node_put(root);
++
++ if (!match_id)
+ return -ENODEV;
+
+ if (!mcpm_is_available())
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-034-i2c-axxia-check-for-error-conditions-first.patch b/patches.kernel.org/4.4.175-034-i2c-axxia-check-for-error-conditions-first.patch
new file mode 100644
index 0000000000..59e9d03053
--- /dev/null
+++ b/patches.kernel.org/4.4.175-034-i2c-axxia-check-for-error-conditions-first.patch
@@ -0,0 +1,88 @@
+From: "Adamski, Krzysztof (Nokia - PL/Wroclaw)" <krzysztof.adamski@nokia.com>
+Date: Mon, 10 Dec 2018 15:01:27 +0000
+Subject: [PATCH] i2c-axxia: check for error conditions first
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 4f5c85fe3a60ace555d09898166af372547f97fc
+
+[ Upstream commit 4f5c85fe3a60ace555d09898166af372547f97fc ]
+
+It was observed that when using seqentional mode contrary to the
+documentation, the SS bit (which is supposed to only be set if
+automatic/sequence command completed normally), is sometimes set
+together with NA (NAK in address phase) causing transfer to falsely be
+considered successful.
+
+My assumption is that this does not happen during manual mode since the
+controller is stopping its work the moment it sets NA/ND bit in status
+register. This is not the case in Automatic/Sequentional mode where it
+is still working to send STOP condition and the actual status we get
+depends on the time when the ISR is run.
+
+This patch changes the order of checking status bits in ISR - error
+conditions are checked first and only if none of them occurred, the
+transfer may be considered successful. This is required to introduce
+using of sequentional mode in next patch.
+
+Signed-off-by: Krzysztof Adamski <krzysztof.adamski@nokia.com>
+Reviewed-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/i2c/busses/i2c-axxia.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-axxia.c b/drivers/i2c/busses/i2c-axxia.c
+index 9c9fd2e87a4b..1c68b05c8649 100644
+--- a/drivers/i2c/busses/i2c-axxia.c
++++ b/drivers/i2c/busses/i2c-axxia.c
+@@ -296,22 +296,7 @@ static irqreturn_t axxia_i2c_isr(int irq, void *_dev)
+ i2c_int_disable(idev, MST_STATUS_TFL);
+ }
+
+- if (status & MST_STATUS_SCC) {
+- /* Stop completed */
+- i2c_int_disable(idev, ~MST_STATUS_TSS);
+- complete(&idev->msg_complete);
+- } else if (status & MST_STATUS_SNS) {
+- /* Transfer done */
+- i2c_int_disable(idev, ~MST_STATUS_TSS);
+- if (i2c_m_rd(idev->msg) && idev->msg_xfrd < idev->msg->len)
+- axxia_i2c_empty_rx_fifo(idev);
+- complete(&idev->msg_complete);
+- } else if (status & MST_STATUS_TSS) {
+- /* Transfer timeout */
+- idev->msg_err = -ETIMEDOUT;
+- i2c_int_disable(idev, ~MST_STATUS_TSS);
+- complete(&idev->msg_complete);
+- } else if (unlikely(status & MST_STATUS_ERR)) {
++ if (unlikely(status & MST_STATUS_ERR)) {
+ /* Transfer error */
+ i2c_int_disable(idev, ~0);
+ if (status & MST_STATUS_AL)
+@@ -328,6 +313,21 @@ static irqreturn_t axxia_i2c_isr(int irq, void *_dev)
+ readl(idev->base + MST_TX_BYTES_XFRD),
+ readl(idev->base + MST_TX_XFER));
+ complete(&idev->msg_complete);
++ } else if (status & MST_STATUS_SCC) {
++ /* Stop completed */
++ i2c_int_disable(idev, ~MST_STATUS_TSS);
++ complete(&idev->msg_complete);
++ } else if (status & MST_STATUS_SNS) {
++ /* Transfer done */
++ i2c_int_disable(idev, ~MST_STATUS_TSS);
++ if (i2c_m_rd(idev->msg) && idev->msg_xfrd < idev->msg->len)
++ axxia_i2c_empty_rx_fifo(idev);
++ complete(&idev->msg_complete);
++ } else if (status & MST_STATUS_TSS) {
++ /* Transfer timeout */
++ idev->msg_err = -ETIMEDOUT;
++ i2c_int_disable(idev, ~MST_STATUS_TSS);
++ complete(&idev->msg_complete);
+ }
+
+ out:
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-035-udf-Fix-BUG-on-corrupted-inode.patch b/patches.kernel.org/4.4.175-035-udf-Fix-BUG-on-corrupted-inode.patch
new file mode 100644
index 0000000000..356e9a96d0
--- /dev/null
+++ b/patches.kernel.org/4.4.175-035-udf-Fix-BUG-on-corrupted-inode.patch
@@ -0,0 +1,41 @@
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 12 Dec 2018 14:29:20 +0100
+Subject: [PATCH] udf: Fix BUG on corrupted inode
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: d288d95842f1503414b7eebce3773bac3390457e
+
+[ Upstream commit d288d95842f1503414b7eebce3773bac3390457e ]
+
+When inode is corrupted so that extent type is invalid, some functions
+(such as udf_truncate_extents()) will just BUG. Check that extent type
+is valid when loading the inode to memory.
+
+Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/udf/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index 0e659d9c69a1..613193c6bb42 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1364,6 +1364,12 @@ static int udf_read_inode(struct inode *inode, bool hidden_inode)
+
+ iinfo->i_alloc_type = le16_to_cpu(fe->icbTag.flags) &
+ ICBTAG_FLAG_AD_MASK;
++ if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_SHORT &&
++ iinfo->i_alloc_type != ICBTAG_FLAG_AD_LONG &&
++ iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB) {
++ ret = -EIO;
++ goto out;
++ }
+ iinfo->i_unique = 0;
+ iinfo->i_lenEAttr = 0;
+ iinfo->i_lenExtents = 0;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-036-ARM-pxa-avoid-section-mismatch-warning.patch b/patches.kernel.org/4.4.175-036-ARM-pxa-avoid-section-mismatch-warning.patch
new file mode 100644
index 0000000000..6bd866b5a0
--- /dev/null
+++ b/patches.kernel.org/4.4.175-036-ARM-pxa-avoid-section-mismatch-warning.patch
@@ -0,0 +1,79 @@
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 10 Dec 2018 22:58:39 +0100
+Subject: [PATCH] ARM: pxa: avoid section mismatch warning
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 88af3209aa0881aa5ffd99664b6080a4be5f24e5
+
+[ Upstream commit 88af3209aa0881aa5ffd99664b6080a4be5f24e5 ]
+
+WARNING: vmlinux.o(.text+0x19f90): Section mismatch in reference from the function littleton_init_lcd() to the function .init.text:pxa_set_fb_info()
+The function littleton_init_lcd() references
+the function __init pxa_set_fb_info().
+This is often because littleton_init_lcd lacks a __init
+annotation or the annotation of pxa_set_fb_info is wrong.
+
+WARNING: vmlinux.o(.text+0xf824): Section mismatch in reference from the function zeus_register_ohci() to the function .init.text:pxa_set_ohci_info()
+The function zeus_register_ohci() references
+the function __init pxa_set_ohci_info().
+This is often because zeus_register_ohci lacks a __init
+annotation or the annotation of pxa_set_ohci_info is wrong.
+
+WARNING: vmlinux.o(.text+0xf95c): Section mismatch in reference from the function cm_x300_init_u2d() to the function .init.text:pxa3xx_set_u2d_info()
+The function cm_x300_init_u2d() references
+the function __init pxa3xx_set_u2d_info().
+This is often because cm_x300_init_u2d lacks a __init
+annotation or the annotation of pxa3xx_set_u2d_info is wrong.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/mach-pxa/cm-x300.c | 2 +-
+ arch/arm/mach-pxa/littleton.c | 2 +-
+ arch/arm/mach-pxa/zeus.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/mach-pxa/cm-x300.c b/arch/arm/mach-pxa/cm-x300.c
+index a7dae60810e8..307fc18edede 100644
+--- a/arch/arm/mach-pxa/cm-x300.c
++++ b/arch/arm/mach-pxa/cm-x300.c
+@@ -547,7 +547,7 @@ static struct pxa3xx_u2d_platform_data cm_x300_u2d_platform_data = {
+ .exit = cm_x300_u2d_exit,
+ };
+
+-static void cm_x300_init_u2d(void)
++static void __init cm_x300_init_u2d(void)
+ {
+ pxa3xx_set_u2d_info(&cm_x300_u2d_platform_data);
+ }
+diff --git a/arch/arm/mach-pxa/littleton.c b/arch/arm/mach-pxa/littleton.c
+index 5d665588c7eb..05aa7071efd6 100644
+--- a/arch/arm/mach-pxa/littleton.c
++++ b/arch/arm/mach-pxa/littleton.c
+@@ -183,7 +183,7 @@ static struct pxafb_mach_info littleton_lcd_info = {
+ .lcd_conn = LCD_COLOR_TFT_16BPP,
+ };
+
+-static void littleton_init_lcd(void)
++static void __init littleton_init_lcd(void)
+ {
+ pxa_set_fb_info(NULL, &littleton_lcd_info);
+ }
+diff --git a/arch/arm/mach-pxa/zeus.c b/arch/arm/mach-pxa/zeus.c
+index d757cfb5f8a6..4da2458d7f32 100644
+--- a/arch/arm/mach-pxa/zeus.c
++++ b/arch/arm/mach-pxa/zeus.c
+@@ -558,7 +558,7 @@ static struct pxaohci_platform_data zeus_ohci_platform_data = {
+ .flags = ENABLE_PORT_ALL | POWER_SENSE_LOW,
+ };
+
+-static void zeus_register_ohci(void)
++static void __init zeus_register_ohci(void)
+ {
+ /* Port 2 is shared between host and client interface. */
+ UP2OCR = UP2OCR_HXOE | UP2OCR_HXS | UP2OCR_DMPDE | UP2OCR_DPPDE;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-037-ASoC-fsl-Fix-SND_SOC_EUKREA_TLV320-build-erro.patch b/patches.kernel.org/4.4.175-037-ASoC-fsl-Fix-SND_SOC_EUKREA_TLV320-build-erro.patch
new file mode 100644
index 0000000000..85e27b4612
--- /dev/null
+++ b/patches.kernel.org/4.4.175-037-ASoC-fsl-Fix-SND_SOC_EUKREA_TLV320-build-erro.patch
@@ -0,0 +1,48 @@
+From: Fabio Estevam <festevam@gmail.com>
+Date: Thu, 13 Dec 2018 00:08:38 -0200
+Subject: [PATCH] ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: add6883619a9e3bf9658eaff1a547354131bbcd9
+
+[ Upstream commit add6883619a9e3bf9658eaff1a547354131bbcd9 ]
+
+eukrea-tlv320.c machine driver runs on non-DT platforms
+and include <asm/mach-types.h> header file in order to be able
+to use some machine_is_eukrea_xxx() macros.
+
+Building it for ARM64 causes the following build error:
+
+sound/soc/fsl/eukrea-tlv320.c:28:10: fatal error: asm/mach-types.h: No such file or directory
+
+Avoid this error by not allowing to build the SND_SOC_EUKREA_TLV320
+driver when ARM64 is selected.
+
+This is needed in preparation for the i.MX8M support.
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Acked-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/soc/fsl/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/fsl/Kconfig b/sound/soc/fsl/Kconfig
+index 14dfdee05fd5..3066e068aae5 100644
+--- a/sound/soc/fsl/Kconfig
++++ b/sound/soc/fsl/Kconfig
+@@ -219,7 +219,7 @@ config SND_SOC_PHYCORE_AC97
+
+ config SND_SOC_EUKREA_TLV320
+ tristate "Eukrea TLV320"
+- depends on ARCH_MXC && I2C
++ depends on ARCH_MXC && !ARM64 && I2C
+ select SND_SOC_TLV320AIC23_I2C
+ select SND_SOC_IMX_AUDMUX
+ select SND_SOC_IMX_SSI
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-038-memstick-Prevent-memstick-host-from-getting-r.patch b/patches.kernel.org/4.4.175-038-memstick-Prevent-memstick-host-from-getting-r.patch
new file mode 100644
index 0000000000..285696461b
--- /dev/null
+++ b/patches.kernel.org/4.4.175-038-memstick-Prevent-memstick-host-from-getting-r.patch
@@ -0,0 +1,60 @@
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Mon, 5 Nov 2018 16:45:04 +0800
+Subject: [PATCH] memstick: Prevent memstick host from getting runtime
+ suspended during card detection
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: e03e303edf1c63e6dd455ccd568c74e93ef3ba8c
+
+[ Upstream commit e03e303edf1c63e6dd455ccd568c74e93ef3ba8c ]
+
+We can use MEMSTICK_POWER_{ON,OFF} along with pm_runtime_{get,put}
+helpers to let memstick host support runtime pm.
+
+The rpm count may go down to zero before the memstick host powers on, so
+the host can be runtime suspended.
+
+So before doing card detection, increment the rpm count to avoid the
+host gets runtime suspended. Balance the rpm count after card detection
+is done.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/memstick/core/memstick.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/memstick/core/memstick.c b/drivers/memstick/core/memstick.c
+index a0547dbf9806..4d673a626db4 100644
+--- a/drivers/memstick/core/memstick.c
++++ b/drivers/memstick/core/memstick.c
+@@ -18,6 +18,7 @@
+ #include <linux/delay.h>
+ #include <linux/slab.h>
+ #include <linux/module.h>
++#include <linux/pm_runtime.h>
+
+ #define DRIVER_NAME "memstick"
+
+@@ -436,6 +437,7 @@ static void memstick_check(struct work_struct *work)
+ struct memstick_dev *card;
+
+ dev_dbg(&host->dev, "memstick_check started\n");
++ pm_runtime_get_noresume(host->dev.parent);
+ mutex_lock(&host->lock);
+ if (!host->card) {
+ if (memstick_power_on(host))
+@@ -479,6 +481,7 @@ static void memstick_check(struct work_struct *work)
+ host->set_param(host, MEMSTICK_POWER, MEMSTICK_POWER_OFF);
+
+ mutex_unlock(&host->lock);
++ pm_runtime_put(host->dev.parent);
+ dev_dbg(&host->dev, "memstick_check finished\n");
+ }
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-039-tty-serial-samsung-Properly-set-flags-in-auto.patch b/patches.kernel.org/4.4.175-039-tty-serial-samsung-Properly-set-flags-in-auto.patch
new file mode 100644
index 0000000000..7fbfb5a707
--- /dev/null
+++ b/patches.kernel.org/4.4.175-039-tty-serial-samsung-Properly-set-flags-in-auto.patch
@@ -0,0 +1,48 @@
+From: Beomho Seo <beomho.seo@samsung.com>
+Date: Fri, 14 Dec 2018 12:34:08 +0100
+Subject: [PATCH] tty: serial: samsung: Properly set flags in autoCTS mode
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 31e933645742ee6719d37573a27cce0761dcf92b
+
+[ Upstream commit 31e933645742ee6719d37573a27cce0761dcf92b ]
+
+Commit 391f93f2ec9f ("serial: core: Rework hw-assited flow control support")
+has changed the way the autoCTS mode is handled.
+
+According to that change, serial drivers which enable H/W autoCTS mode must
+set UPSTAT_AUTOCTS to prevent the serial core from inadvertently disabling
+TX. This patch adds proper handling of UPSTAT_AUTOCTS flag.
+
+Signed-off-by: Beomho Seo <beomho.seo@samsung.com>
+[mszyprow: rephrased commit message]
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/tty/serial/samsung.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
+index 4d532a085db9..12bac2cbae4b 100644
+--- a/drivers/tty/serial/samsung.c
++++ b/drivers/tty/serial/samsung.c
+@@ -1329,11 +1329,14 @@ static void s3c24xx_serial_set_termios(struct uart_port *port,
+ wr_regl(port, S3C2410_ULCON, ulcon);
+ wr_regl(port, S3C2410_UBRDIV, quot);
+
++ port->status &= ~UPSTAT_AUTOCTS;
++
+ umcon = rd_regl(port, S3C2410_UMCON);
+ if (termios->c_cflag & CRTSCTS) {
+ umcon |= S3C2410_UMCOM_AFC;
+ /* Disable RTS when RX FIFO contains 63 bytes */
+ umcon &= ~S3C2412_UMCON_AFC_8;
++ port->status = UPSTAT_AUTOCTS;
+ } else {
+ umcon &= ~S3C2410_UMCOM_AFC;
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-040-arm64-KVM-Skip-MMIO-insn-after-emulation.patch b/patches.kernel.org/4.4.175-040-arm64-KVM-Skip-MMIO-insn-after-emulation.patch
new file mode 100644
index 0000000000..8129d12477
--- /dev/null
+++ b/patches.kernel.org/4.4.175-040-arm64-KVM-Skip-MMIO-insn-after-emulation.patch
@@ -0,0 +1,66 @@
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Fri, 9 Nov 2018 15:07:10 +0000
+Subject: [PATCH] arm64: KVM: Skip MMIO insn after emulation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 0d640732dbebed0f10f18526de21652931f0b2f2
+
+[ Upstream commit 0d640732dbebed0f10f18526de21652931f0b2f2 ]
+
+When we emulate an MMIO instruction, we advance the CPU state within
+decode_hsr(), before emulating the instruction effects.
+
+Having this logic in decode_hsr() is opaque, and advancing the state
+before emulation is problematic. It gets in the way of applying
+consistent single-step logic, and it prevents us from being able to fail
+an MMIO instruction with a synchronous exception.
+
+Clean this up by only advancing the CPU state *after* the effects of the
+instruction are emulated.
+
+Cc: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/kvm/mmio.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm/kvm/mmio.c b/arch/arm/kvm/mmio.c
+index 387ee2a11e36..885cd0e0015b 100644
+--- a/arch/arm/kvm/mmio.c
++++ b/arch/arm/kvm/mmio.c
+@@ -118,6 +118,12 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run)
+ vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data);
+ }
+
++ /*
++ * The MMIO instruction is emulated and should not be re-executed
++ * in the guest.
++ */
++ kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu));
++
+ return 0;
+ }
+
+@@ -151,11 +157,6 @@ static int decode_hsr(struct kvm_vcpu *vcpu, bool *is_write, int *len)
+ vcpu->arch.mmio_decode.sign_extend = sign_extend;
+ vcpu->arch.mmio_decode.rt = rt;
+
+- /*
+- * The MMIO instruction is emulated and should not be re-executed
+- * in the guest.
+- */
+- kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu));
+ return 0;
+ }
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-041-powerpc-uaccess-fix-warning-error-with-access.patch b/patches.kernel.org/4.4.175-041-powerpc-uaccess-fix-warning-error-with-access.patch
new file mode 100644
index 0000000000..7e3320da29
--- /dev/null
+++ b/patches.kernel.org/4.4.175-041-powerpc-uaccess-fix-warning-error-with-access.patch
@@ -0,0 +1,48 @@
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Mon, 10 Dec 2018 06:50:09 +0000
+Subject: [PATCH] powerpc/uaccess: fix warning/error with access_ok()
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 05a4ab823983d9136a460b7b5e0d49ee709a6f86
+
+[ Upstream commit 05a4ab823983d9136a460b7b5e0d49ee709a6f86 ]
+
+With the following piece of code, the following compilation warning
+is encountered:
+
+ if (_IOC_DIR(ioc) != _IOC_NONE) {
+ int verify = _IOC_DIR(ioc) & _IOC_READ ? VERIFY_WRITE : VERIFY_READ;
+
+ if (!access_ok(verify, ioarg, _IOC_SIZE(ioc))) {
+
+drivers/platform/test/dev.c: In function 'my_ioctl':
+drivers/platform/test/dev.c:219:7: warning: unused variable 'verify' [-Wunused-variable]
+ int verify = _IOC_DIR(ioc) & _IOC_READ ? VERIFY_WRITE : VERIFY_READ;
+
+This patch fixes it by referencing 'type' in the macro allthough
+doing nothing with it.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/powerpc/include/asm/uaccess.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
+index a5ffe0207c16..05f1389228d2 100644
+--- a/arch/powerpc/include/asm/uaccess.h
++++ b/arch/powerpc/include/asm/uaccess.h
+@@ -59,7 +59,7 @@
+ #endif
+
+ #define access_ok(type, addr, size) \
+- (__chk_user_ptr(addr), \
++ (__chk_user_ptr(addr), (void)(type), \
+ __access_ok((__force unsigned long)(addr), (size), get_fs()))
+
+ /*
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-042-mac80211-fix-radiotap-vendor-presence-bitmap-.patch b/patches.kernel.org/4.4.175-042-mac80211-fix-radiotap-vendor-presence-bitmap-.patch
new file mode 100644
index 0000000000..8eab171ffa
--- /dev/null
+++ b/patches.kernel.org/4.4.175-042-mac80211-fix-radiotap-vendor-presence-bitmap-.patch
@@ -0,0 +1,53 @@
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Sat, 15 Dec 2018 11:03:12 +0200
+Subject: [PATCH] mac80211: fix radiotap vendor presence bitmap handling
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: efc38dd7d5fa5c8cdd0c917c5d00947aa0539443
+
+[ Upstream commit efc38dd7d5fa5c8cdd0c917c5d00947aa0539443 ]
+
+Due to the alignment handling, it actually matters where in the code
+we add the 4 bytes for the presence bitmap to the length; the first
+field is the timestamp with 8 byte alignment so we need to add the
+space for the extra vendor namespace presence bitmap *before* we do
+any alignment for the fields.
+
+Move the presence bitmap length accounting to the right place to fix
+the alignment for the data properly.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/mac80211/rx.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 64f76f88f819..acacceec8cd8 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -149,6 +149,9 @@ ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
+ /* allocate extra bitmaps */
+ if (status->chains)
+ len += 4 * hweight8(status->chains);
++ /* vendor presence bitmap */
++ if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA)
++ len += 4;
+
+ if (ieee80211_have_rx_timestamp(status)) {
+ len = ALIGN(len, 8);
+@@ -185,8 +188,6 @@ ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
+ if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
+ struct ieee80211_vendor_radiotap *rtap = (void *)skb->data;
+
+- /* vendor presence bitmap */
+- len += 4;
+ /* alignment for fixed 6-byte vendor data header */
+ len = ALIGN(len, 2);
+ /* vendor data header */
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-043-xfrm6_tunnel-Fix-spi-check-in-__xfrm6_tunnel_.patch b/patches.kernel.org/4.4.175-043-xfrm6_tunnel-Fix-spi-check-in-__xfrm6_tunnel_.patch
new file mode 100644
index 0000000000..bab4254408
--- /dev/null
+++ b/patches.kernel.org/4.4.175-043-xfrm6_tunnel-Fix-spi-check-in-__xfrm6_tunnel_.patch
@@ -0,0 +1,42 @@
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 19 Dec 2018 14:45:09 +0800
+Subject: [PATCH] xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: fa89a4593b927b3f59c3b69379f31d3b22272e4e
+
+[ Upstream commit fa89a4593b927b3f59c3b69379f31d3b22272e4e ]
+
+gcc warn this:
+
+net/ipv6/xfrm6_tunnel.c:143 __xfrm6_tunnel_alloc_spi() warn:
+ always true condition '(spi <= 4294967295) => (0-u32max <= u32max)'
+
+'spi' is u32, which always not greater than XFRM6_TUNNEL_SPI_MAX
+because of wrap around. So the second forloop will never reach.
+
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/xfrm6_tunnel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
+index 5743044cd660..56b72cada346 100644
+--- a/net/ipv6/xfrm6_tunnel.c
++++ b/net/ipv6/xfrm6_tunnel.c
+@@ -144,6 +144,9 @@ static u32 __xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr)
+ index = __xfrm6_tunnel_spi_check(net, spi);
+ if (index >= 0)
+ goto alloc_spi;
++
++ if (spi == XFRM6_TUNNEL_SPI_MAX)
++ break;
+ }
+ for (spi = XFRM6_TUNNEL_SPI_MIN; spi < xfrm6_tn->spi; spi++) {
+ index = __xfrm6_tunnel_spi_check(net, spi);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-044-Bluetooth-Fix-unnecessary-error-message-for-H.patch b/patches.kernel.org/4.4.175-044-Bluetooth-Fix-unnecessary-error-message-for-H.patch
new file mode 100644
index 0000000000..cee96f3462
--- /dev/null
+++ b/patches.kernel.org/4.4.175-044-Bluetooth-Fix-unnecessary-error-message-for-H.patch
@@ -0,0 +1,47 @@
+From: Johan Hedberg <johan.hedberg@intel.com>
+Date: Tue, 27 Nov 2018 11:37:46 +0200
+Subject: [PATCH] Bluetooth: Fix unnecessary error message for HCI request
+ completion
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 1629db9c75342325868243d6bca5853017d91cf8
+
+[ Upstream commit 1629db9c75342325868243d6bca5853017d91cf8 ]
+
+In case a command which completes in Command Status was sent using the
+hci_cmd_send-family of APIs there would be a misleading error in the
+hci_get_cmd_complete function, since the code would be trying to fetch
+the Command Complete parameters when there are none.
+
+Avoid the misleading error and silently bail out from the function in
+case the received event is a command status.
+
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Acked-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/bluetooth/hci_event.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index d40d32a2c12d..37fe2b158c2a 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5185,6 +5185,12 @@ static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode,
+ return true;
+ }
+
++ /* Check if request ended in Command Status - no way to retreive
++ * any extra parameters in this case.
++ */
++ if (hdr->evt == HCI_EV_CMD_STATUS)
++ return false;
++
+ if (hdr->evt != HCI_EV_CMD_COMPLETE) {
+ BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt);
+ return false;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-045-cw1200-Fix-concurrency-use-after-free-bugs-in.patch b/patches.kernel.org/4.4.175-045-cw1200-Fix-concurrency-use-after-free-bugs-in.patch
new file mode 100644
index 0000000000..7d322be0d5
--- /dev/null
+++ b/patches.kernel.org/4.4.175-045-cw1200-Fix-concurrency-use-after-free-bugs-in.patch
@@ -0,0 +1,85 @@
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Fri, 14 Dec 2018 11:55:21 +0800
+Subject: [PATCH] cw1200: Fix concurrency use-after-free bugs in
+ cw1200_hw_scan()
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 4f68ef64cd7feb1220232bd8f501d8aad340a099
+
+[ Upstream commit 4f68ef64cd7feb1220232bd8f501d8aad340a099 ]
+
+The function cw1200_bss_info_changed() and cw1200_hw_scan() can be
+concurrently executed.
+The two functions both access a possible shared variable "frame.skb".
+
+This shared variable is freed by dev_kfree_skb() in cw1200_upload_beacon(),
+which is called by cw1200_bss_info_changed(). The free operation is
+protected by a mutex lock "priv->conf_mutex" in cw1200_bss_info_changed().
+
+In cw1200_hw_scan(), this shared variable is accessed without the
+protection of the mutex lock "priv->conf_mutex".
+Thus, concurrency use-after-free bugs may occur.
+
+To fix these bugs, the original calls to mutex_lock(&priv->conf_mutex) and
+mutex_unlock(&priv->conf_mutex) are moved to the places, which can
+protect the accesses to the shared variable.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/wireless/cw1200/scan.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/cw1200/scan.c b/drivers/net/wireless/cw1200/scan.c
+index bff81b8d4164..9f1037e7e55c 100644
+--- a/drivers/net/wireless/cw1200/scan.c
++++ b/drivers/net/wireless/cw1200/scan.c
+@@ -78,6 +78,10 @@ int cw1200_hw_scan(struct ieee80211_hw *hw,
+ if (req->n_ssids > WSM_SCAN_MAX_NUM_OF_SSIDS)
+ return -EINVAL;
+
++ /* will be unlocked in cw1200_scan_work() */
++ down(&priv->scan.lock);
++ mutex_lock(&priv->conf_mutex);
++
+ frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
+ req->ie_len);
+ if (!frame.skb)
+@@ -86,19 +90,15 @@ int cw1200_hw_scan(struct ieee80211_hw *hw,
+ if (req->ie_len)
+ memcpy(skb_put(frame.skb, req->ie_len), req->ie, req->ie_len);
+
+- /* will be unlocked in cw1200_scan_work() */
+- down(&priv->scan.lock);
+- mutex_lock(&priv->conf_mutex);
+-
+ ret = wsm_set_template_frame(priv, &frame);
+ if (!ret) {
+ /* Host want to be the probe responder. */
+ ret = wsm_set_probe_responder(priv, true);
+ }
+ if (ret) {
++ dev_kfree_skb(frame.skb);
+ mutex_unlock(&priv->conf_mutex);
+ up(&priv->scan.lock);
+- dev_kfree_skb(frame.skb);
+ return ret;
+ }
+
+@@ -120,10 +120,9 @@ int cw1200_hw_scan(struct ieee80211_hw *hw,
+ ++priv->scan.n_ssids;
+ }
+
+- mutex_unlock(&priv->conf_mutex);
+-
+ if (frame.skb)
+ dev_kfree_skb(frame.skb);
++ mutex_unlock(&priv->conf_mutex);
+ queue_work(priv->workqueue, &priv->scan.work);
+ return 0;
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-046-drbd-narrow-rcu_read_lock-in-drbd_sync_handsh.patch b/patches.kernel.org/4.4.175-046-drbd-narrow-rcu_read_lock-in-drbd_sync_handsh.patch
new file mode 100644
index 0000000000..39ac038a09
--- /dev/null
+++ b/patches.kernel.org/4.4.175-046-drbd-narrow-rcu_read_lock-in-drbd_sync_handsh.patch
@@ -0,0 +1,85 @@
+From: Roland Kammerer <roland.kammerer@linbit.com>
+Date: Thu, 20 Dec 2018 17:23:28 +0100
+Subject: [PATCH] drbd: narrow rcu_read_lock in drbd_sync_handshake
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: d29e89e34952a9ad02c77109c71a80043544296e
+
+[ Upstream commit d29e89e34952a9ad02c77109c71a80043544296e ]
+
+So far there was the possibility that we called
+genlmsg_new(GFP_NOIO)/mutex_lock() while holding an rcu_read_lock().
+
+This included cases like:
+
+drbd_sync_handshake (acquire the RCU lock)
+ drbd_asb_recover_1p
+ drbd_khelper
+ drbd_bcast_event
+ genlmsg_new(GFP_NOIO) --> may sleep
+
+drbd_sync_handshake (acquire the RCU lock)
+ drbd_asb_recover_1p
+ drbd_khelper
+ notify_helper
+ genlmsg_new(GFP_NOIO) --> may sleep
+
+drbd_sync_handshake (acquire the RCU lock)
+ drbd_asb_recover_1p
+ drbd_khelper
+ notify_helper
+ mutex_lock --> may sleep
+
+While using GFP_ATOMIC whould have been possible in the first two cases,
+the real fix is to narrow the rcu_read_lock.
+
+Reported-by: Jia-Ju Bai <baijiaju1990@163.com>
+Reviewed-by: Lars Ellenberg <lars.ellenberg@linbit.com>
+Signed-off-by: Roland Kammerer <roland.kammerer@linbit.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/block/drbd/drbd_receiver.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
+index b4b5680ac6ad..2fedab9349f6 100644
+--- a/drivers/block/drbd/drbd_receiver.c
++++ b/drivers/block/drbd/drbd_receiver.c
+@@ -3126,7 +3126,7 @@ static enum drbd_conns drbd_sync_handshake(struct drbd_peer_device *peer_device,
+ enum drbd_conns rv = C_MASK;
+ enum drbd_disk_state mydisk;
+ struct net_conf *nc;
+- int hg, rule_nr, rr_conflict, tentative;
++ int hg, rule_nr, rr_conflict, tentative, always_asbp;
+
+ mydisk = device->state.disk;
+ if (mydisk == D_NEGOTIATING)
+@@ -3168,8 +3168,12 @@ static enum drbd_conns drbd_sync_handshake(struct drbd_peer_device *peer_device,
+
+ rcu_read_lock();
+ nc = rcu_dereference(peer_device->connection->net_conf);
++ always_asbp = nc->always_asbp;
++ rr_conflict = nc->rr_conflict;
++ tentative = nc->tentative;
++ rcu_read_unlock();
+
+- if (hg == 100 || (hg == -100 && nc->always_asbp)) {
++ if (hg == 100 || (hg == -100 && always_asbp)) {
+ int pcount = (device->state.role == R_PRIMARY)
+ + (peer_role == R_PRIMARY);
+ int forced = (hg == -100);
+@@ -3208,9 +3212,6 @@ static enum drbd_conns drbd_sync_handshake(struct drbd_peer_device *peer_device,
+ "Sync from %s node\n",
+ (hg < 0) ? "peer" : "this");
+ }
+- rr_conflict = nc->rr_conflict;
+- tentative = nc->tentative;
+- rcu_read_unlock();
+
+ if (hg == -100) {
+ /* FIXME this log message is not correct if we end up here
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-047-drbd-disconnect-if-the-wrong-UUIDs-are-attach.patch b/patches.kernel.org/4.4.175-047-drbd-disconnect-if-the-wrong-UUIDs-are-attach.patch
new file mode 100644
index 0000000000..a1610943a3
--- /dev/null
+++ b/patches.kernel.org/4.4.175-047-drbd-disconnect-if-the-wrong-UUIDs-are-attach.patch
@@ -0,0 +1,50 @@
+From: Lars Ellenberg <lars.ellenberg@linbit.com>
+Date: Thu, 20 Dec 2018 17:23:32 +0100
+Subject: [PATCH] drbd: disconnect, if the wrong UUIDs are attached on a
+ connected peer
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: b17b59602b6dcf8f97a7dc7bc489a48388d7063a
+
+[ Upstream commit b17b59602b6dcf8f97a7dc7bc489a48388d7063a ]
+
+With "on-no-data-accessible suspend-io", DRBD requires the next attach
+or connect to be to the very same data generation uuid tag it lost last.
+
+If we first lost connection to the peer,
+then later lost connection to our own disk,
+we would usually refuse to re-connect to the peer,
+because it presents the wrong data set.
+
+However, if the peer first connects without a disk,
+and then attached its disk, we accepted that same wrong data set,
+which would be "unexpected" by any user of that DRBD
+and cause "undefined results" (read: very likely data corruption).
+
+The fix is to forcefully disconnect as soon as we notice that the peer
+attached to the "wrong" dataset.
+
+Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/block/drbd/drbd_receiver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
+index 2fedab9349f6..b1ee358edd3b 100644
+--- a/drivers/block/drbd/drbd_receiver.c
++++ b/drivers/block/drbd/drbd_receiver.c
+@@ -3890,7 +3890,7 @@ static int receive_uuids(struct drbd_connection *connection, struct packet_info
+ kfree(device->p_uuid);
+ device->p_uuid = p_uuid;
+
+- if (device->state.conn < C_CONNECTED &&
++ if ((device->state.conn < C_CONNECTED || device->state.pdsk == D_DISKLESS) &&
+ device->state.disk < D_INCONSISTENT &&
+ device->state.role == R_PRIMARY &&
+ (device->ed_uuid & ~((u64)1)) != (p_uuid[UI_CURRENT] & ~((u64)1))) {
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-048-drbd-skip-spurious-timeout-ping-timeo-when-fa.patch b/patches.kernel.org/4.4.175-048-drbd-skip-spurious-timeout-ping-timeo-when-fa.patch
new file mode 100644
index 0000000000..58204f2c6d
--- /dev/null
+++ b/patches.kernel.org/4.4.175-048-drbd-skip-spurious-timeout-ping-timeo-when-fa.patch
@@ -0,0 +1,63 @@
+From: Lars Ellenberg <lars.ellenberg@linbit.com>
+Date: Thu, 20 Dec 2018 17:23:41 +0100
+Subject: [PATCH] drbd: skip spurious timeout (ping-timeo) when failing promote
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 9848b6ddd8c92305252f94592c5e278574e7a6ac
+
+[ Upstream commit 9848b6ddd8c92305252f94592c5e278574e7a6ac ]
+
+If you try to promote a Secondary while connected to a Primary
+and allow-two-primaries is NOT set, we will wait for "ping-timeout"
+to give this node a chance to detect a dead primary,
+in case the cluster manager noticed faster than we did.
+
+But if we then are *still* connected to a Primary,
+we fail (after an additional timeout of ping-timout).
+
+This change skips the spurious second timeout.
+
+Most people won't notice really,
+since "ping-timeout" by default is half a second.
+
+But in some installations, ping-timeout may be 10 or 20 seconds or more,
+and spuriously delaying the error return becomes annoying.
+
+Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/block/drbd/drbd_nl.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
+index e80cbefbc2b5..27e1abcf5710 100644
+--- a/drivers/block/drbd/drbd_nl.c
++++ b/drivers/block/drbd/drbd_nl.c
+@@ -632,14 +632,15 @@ drbd_set_role(struct drbd_device *const device, enum drbd_role new_role, int for
+ if (rv == SS_TWO_PRIMARIES) {
+ /* Maybe the peer is detected as dead very soon...
+ retry at most once more in this case. */
+- int timeo;
+- rcu_read_lock();
+- nc = rcu_dereference(connection->net_conf);
+- timeo = nc ? (nc->ping_timeo + 1) * HZ / 10 : 1;
+- rcu_read_unlock();
+- schedule_timeout_interruptible(timeo);
+- if (try < max_tries)
++ if (try < max_tries) {
++ int timeo;
+ try = max_tries - 1;
++ rcu_read_lock();
++ nc = rcu_dereference(connection->net_conf);
++ timeo = nc ? (nc->ping_timeo + 1) * HZ / 10 : 1;
++ rcu_read_unlock();
++ schedule_timeout_interruptible(timeo);
++ }
+ continue;
+ }
+ if (rv < SS_SUCCESS) {
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-049-drbd-Avoid-Clang-warning-about-pointless-swit.patch b/patches.kernel.org/4.4.175-049-drbd-Avoid-Clang-warning-about-pointless-swit.patch
new file mode 100644
index 0000000000..52ce1eb0fe
--- /dev/null
+++ b/patches.kernel.org/4.4.175-049-drbd-Avoid-Clang-warning-about-pointless-swit.patch
@@ -0,0 +1,75 @@
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Thu, 20 Dec 2018 17:23:43 +0100
+Subject: [PATCH] drbd: Avoid Clang warning about pointless switch statment
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: a52c5a16cf19d8a85831bb1b915a221dd4ffae3c
+
+[ Upstream commit a52c5a16cf19d8a85831bb1b915a221dd4ffae3c ]
+
+There are several warnings from Clang about no case statement matching
+the constant 0:
+
+In file included from drivers/block/drbd/drbd_receiver.c:48:
+In file included from drivers/block/drbd/drbd_int.h:48:
+In file included from ./include/linux/drbd_genl_api.h:54:
+In file included from ./include/linux/genl_magic_struct.h:236:
+./include/linux/drbd_genl.h:321:1: warning: no case matching constant
+switch condition '0'
+GENL_struct(DRBD_NLA_HELPER, 24, drbd_helper_info,
+^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+./include/linux/genl_magic_struct.h:220:10: note: expanded from macro
+'GENL_struct'
+ switch (0) {
+ ^
+
+Silence this warning by adding a 'case 0:' statement. Additionally,
+adjust the alignment of the statements in the ct_assert_unique macro to
+avoid a checkpatch warning.
+
+This solution was originally sent by Arnd Bergmann with a default case
+statement: https://lore.kernel.org/patchwork/patch/756723/
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/43
+Suggested-by: Lars Ellenberg <lars.ellenberg@linbit.com>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/linux/genl_magic_struct.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/genl_magic_struct.h b/include/linux/genl_magic_struct.h
+index eecd19b37001..250e9be65e74 100644
+--- a/include/linux/genl_magic_struct.h
++++ b/include/linux/genl_magic_struct.h
+@@ -185,6 +185,7 @@ static inline void ct_assert_unique_operations(void)
+ {
+ switch (0) {
+ #include GENL_MAGIC_INCLUDE_FILE
++ case 0:
+ ;
+ }
+ }
+@@ -203,6 +204,7 @@ static inline void ct_assert_unique_top_level_attributes(void)
+ {
+ switch (0) {
+ #include GENL_MAGIC_INCLUDE_FILE
++ case 0:
+ ;
+ }
+ }
+@@ -212,7 +214,8 @@ static inline void ct_assert_unique_top_level_attributes(void)
+ static inline void ct_assert_unique_ ## s_name ## _attributes(void) \
+ { \
+ switch (0) { \
+- s_fields \
++ s_fields \
++ case 0: \
+ ; \
+ } \
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-050-video-clps711x-fb-release-disp-device-node-in.patch b/patches.kernel.org/4.4.175-050-video-clps711x-fb-release-disp-device-node-in.patch
new file mode 100644
index 0000000000..f179c5600c
--- /dev/null
+++ b/patches.kernel.org/4.4.175-050-video-clps711x-fb-release-disp-device-node-in.patch
@@ -0,0 +1,50 @@
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Thu, 20 Dec 2018 19:13:07 +0100
+Subject: [PATCH] video: clps711x-fb: release disp device node in probe()
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: fdac751355cd76e049f628afe6acb8ff4b1399f7
+
+[ Upstream commit fdac751355cd76e049f628afe6acb8ff4b1399f7 ]
+
+clps711x_fb_probe() increments refcnt of disp device node by
+of_parse_phandle() and leaves it undecremented on both
+successful and error paths.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Cc: Alexander Shiyan <shc_work@mail.ru>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/video/fbdev/clps711x-fb.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/clps711x-fb.c b/drivers/video/fbdev/clps711x-fb.c
+index 649b32f78c08..c55109524fd5 100644
+--- a/drivers/video/fbdev/clps711x-fb.c
++++ b/drivers/video/fbdev/clps711x-fb.c
+@@ -287,14 +287,17 @@ static int clps711x_fb_probe(struct platform_device *pdev)
+ }
+
+ ret = of_get_fb_videomode(disp, &cfb->mode, OF_USE_NATIVE_MODE);
+- if (ret)
++ if (ret) {
++ of_node_put(disp);
+ goto out_fb_release;
++ }
+
+ of_property_read_u32(disp, "ac-prescale", &cfb->ac_prescale);
+ cfb->cmap_invert = of_property_read_bool(disp, "cmap-invert");
+
+ ret = of_property_read_u32(disp, "bits-per-pixel",
+ &info->var.bits_per_pixel);
++ of_node_put(disp);
+ if (ret)
+ goto out_fb_release;
+
+--
+2.20.1
+
diff --git a/patches.fixes/0001-fbdev-fbmem-behave-better-with-small-rotated-display.patch b/patches.kernel.org/4.4.175-051-fbdev-fbmem-behave-better-with-small-rotated-.patch
index 29fdfd8d35..dc7bb8f13d 100644
--- a/patches.fixes/0001-fbdev-fbmem-behave-better-with-small-rotated-display.patch
+++ b/patches.kernel.org/4.4.175-051-fbdev-fbmem-behave-better-with-small-rotated-.patch
@@ -1,10 +1,12 @@
-From f75df8d4b4fabfad7e3cba2debfad12741c6fde7 Mon Sep 17 00:00:00 2001
From: Peter Rosin <peda@axentia.se>
Date: Thu, 20 Dec 2018 19:13:07 +0100
-Subject: fbdev: fbmem: behave better with small rotated displays and many CPUs
+Subject: [PATCH] fbdev: fbmem: behave better with small rotated displays and
+ many CPUs
+Patch-mainline: 4.4.175
+References: bnc#1012382 bsc#1106929
Git-commit: f75df8d4b4fabfad7e3cba2debfad12741c6fde7
-Patch-mainline: v5.0-rc1
-References: bsc#1106929
+
+[ Upstream commit f75df8d4b4fabfad7e3cba2debfad12741c6fde7 ]
Blitting an image with "negative" offsets is not working since there
is no clipping. It hopefully just crashes. For the bootup logo, there
@@ -27,16 +29,17 @@ Cc: Geert Uytterhoeven <geert+renesas@glider.be>
cc: Geoff Levand <geoff@infradead.org>
Cc: James Simmons <jsimmons@users.sf.net>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
-Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
drivers/video/fbdev/core/fbmem.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
-index 861bf8081619..7dd6924feaa8 100644
+index 8a29ec5992fd..ea2bd6208a2f 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
-@@ -436,7 +436,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image,
+@@ -433,7 +433,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image,
image->dx += image->width + 8;
}
} else if (rotate == FB_ROTATE_UD) {
@@ -47,7 +50,7 @@ index 861bf8081619..7dd6924feaa8 100644
info->fbops->fb_imageblit(info, image);
image->dx -= image->width + 8;
}
-@@ -448,7 +450,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image,
+@@ -445,7 +447,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image,
image->dy += image->height + 8;
}
} else if (rotate == FB_ROTATE_CCW) {
diff --git a/patches.kernel.org/4.4.175-052-igb-Fix-an-issue-that-PME-is-not-enabled-duri.patch b/patches.kernel.org/4.4.175-052-igb-Fix-an-issue-that-PME-is-not-enabled-duri.patch
new file mode 100644
index 0000000000..5bd9660314
--- /dev/null
+++ b/patches.kernel.org/4.4.175-052-igb-Fix-an-issue-that-PME-is-not-enabled-duri.patch
@@ -0,0 +1,52 @@
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Mon, 3 Dec 2018 13:54:38 +0800
+Subject: [PATCH] igb: Fix an issue that PME is not enabled during runtime
+ suspend
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 1fb3a7a75e2efcc83ef21f2434069cddd6fae6f5
+
+[ Upstream commit 1fb3a7a75e2efcc83ef21f2434069cddd6fae6f5 ]
+
+I210 ethernet card doesn't wakeup when a cable gets plugged. It's
+because its PME is not set.
+
+Since commit 42eca2302146 ("PCI: Don't touch card regs after runtime
+suspend D3"), if the PCI state is saved, pci_pm_runtime_suspend() stops
+calling pci_finish_runtime_suspend(), which enables the PCI PME.
+
+To fix the issue, let's not to save PCI states when it's runtime
+suspend, to let the PCI subsystem enables PME.
+
+Fixes: 42eca2302146 ("PCI: Don't touch card regs after runtime suspend D3")
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 02b23f6277fb..c1796aa2dde5 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -7339,9 +7339,11 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake,
+ rtnl_unlock();
+
+ #ifdef CONFIG_PM
+- retval = pci_save_state(pdev);
+- if (retval)
+- return retval;
++ if (!runtime) {
++ retval = pci_save_state(pdev);
++ if (retval)
++ return retval;
++ }
+ #endif
+
+ status = rd32(E1000_STATUS);
+--
+2.20.1
+
diff --git a/patches.fixes/0001-fbdev-fbcon-Fix-unregister-crash-when-more-than-one-.patch b/patches.kernel.org/4.4.175-053-fbdev-fbcon-Fix-unregister-crash-when-more-th.patch
index aadbe3083d..b40fdaa941 100644
--- a/patches.fixes/0001-fbdev-fbcon-Fix-unregister-crash-when-more-than-one-.patch
+++ b/patches.kernel.org/4.4.175-053-fbdev-fbcon-Fix-unregister-crash-when-more-th.patch
@@ -1,13 +1,15 @@
-From 2122b40580dd9d0620398739c773d07a7b7939d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= <noralf@tronnes.org>
Date: Thu, 20 Dec 2018 19:13:09 +0100
-Subject: fbdev: fbcon: Fix unregister crash when more than one framebuffer
+Subject: [PATCH] fbdev: fbcon: Fix unregister crash when more than one
+ framebuffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
+Patch-mainline: 4.4.175
+References: bnc#1012382 bsc#1106929
Git-commit: 2122b40580dd9d0620398739c773d07a7b7939d0
-Patch-mainline: v5.0-rc1
-References: bsc#1106929
+
+[ Upstream commit 2122b40580dd9d0620398739c773d07a7b7939d0 ]
When unregistering fbdev using unregister_framebuffer(), any bound
console will unbind automatically. This is working fine if this is the
@@ -62,11 +64,14 @@ Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
-Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
- drivers/video/console/fbcon.c | 2 +-
+ drivers/video/console/fbcon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c
+index 4e3c78d88832..c03c5b9602bb 100644
--- a/drivers/video/console/fbcon.c
+++ b/drivers/video/console/fbcon.c
@@ -3032,7 +3032,7 @@ static int fbcon_fb_unbind(int idx)
@@ -78,3 +83,6 @@ Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
break;
}
}
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-054-KVM-x86-svm-report-MSR_IA32_MCG_EXT_CTL-as-un.patch b/patches.kernel.org/4.4.175-054-KVM-x86-svm-report-MSR_IA32_MCG_EXT_CTL-as-un.patch
new file mode 100644
index 0000000000..fb5504e30e
--- /dev/null
+++ b/patches.kernel.org/4.4.175-054-KVM-x86-svm-report-MSR_IA32_MCG_EXT_CTL-as-un.patch
@@ -0,0 +1,48 @@
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Wed, 19 Dec 2018 12:06:13 +0100
+Subject: [PATCH] KVM: x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: e87555e550cef4941579cd879759a7c0dee24e68
+
+[ Upstream commit e87555e550cef4941579cd879759a7c0dee24e68 ]
+
+AMD doesn't seem to implement MSR_IA32_MCG_EXT_CTL and svm code in kvm
+knows nothing about it, however, this MSR is among emulated_msrs and
+thus returned with KVM_GET_MSR_INDEX_LIST. The consequent KVM_GET_MSRS,
+of course, fails.
+
+Report the MSR as unsupported to not confuse userspace.
+
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/kvm/svm.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index ecdf724da371..7ce1a19d9d8b 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -4156,6 +4156,13 @@ static bool svm_cpu_has_accelerated_tpr(void)
+
+ static bool svm_has_emulated_msr(int index)
+ {
++ switch (index) {
++ case MSR_IA32_MCG_EXT_CTL:
++ return false;
++ default:
++ break;
++ }
++
+ return true;
+ }
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-055-NFS-nfs_compare_mount_options-always-compare-.patch b/patches.kernel.org/4.4.175-055-NFS-nfs_compare_mount_options-always-compare-.patch
new file mode 100644
index 0000000000..1b08a1d2df
--- /dev/null
+++ b/patches.kernel.org/4.4.175-055-NFS-nfs_compare_mount_options-always-compare-.patch
@@ -0,0 +1,58 @@
+From: Chris Perl <cperl@janestreet.com>
+Date: Mon, 17 Dec 2018 10:56:38 -0500
+Subject: [PATCH] NFS: nfs_compare_mount_options always compare auth flavors.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 594d1644cd59447f4fceb592448d5cd09eb09b5e
+
+[ Upstream commit 594d1644cd59447f4fceb592448d5cd09eb09b5e ]
+
+This patch removes the check from nfs_compare_mount_options to see if a
+`sec' option was passed for the current mount before comparing auth
+flavors and instead just always compares auth flavors.
+
+Consider the following scenario:
+
+You have a server with the address 192.168.1.1 and two exports /export/a
+and /export/b. The first export supports `sys' and `krb5' security, the
+second just `sys'.
+
+Assume you start with no mounts from the server.
+
+The following results in EIOs being returned as the kernel nfs client
+incorrectly thinks it can share the underlying `struct nfs_server's:
+
+$ mkdir /tmp/{a,b}
+$ sudo mount -t nfs -o vers=3,sec=krb5 192.168.1.1:/export/a /tmp/a
+$ sudo mount -t nfs -o vers=3 192.168.1.1:/export/b /tmp/b
+$ df >/dev/null
+df: ‘/tmp/b’: Input/output error
+
+Signed-off-by: Chris Perl <cperl@janestreet.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/nfs/super.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index 62f358f67764..412fcfbc50e2 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -2376,8 +2376,7 @@ static int nfs_compare_mount_options(const struct super_block *s, const struct n
+ goto Ebusy;
+ if (a->acdirmax != b->acdirmax)
+ goto Ebusy;
+- if (b->auth_info.flavor_len > 0 &&
+- clnt_a->cl_auth->au_flavor != clnt_b->cl_auth->au_flavor)
++ if (clnt_a->cl_auth->au_flavor != clnt_b->cl_auth->au_flavor)
+ goto Ebusy;
+ return 1;
+ Ebusy:
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-056-hwmon-lm80-fix-a-missing-check-of-the-status-.patch b/patches.kernel.org/4.4.175-056-hwmon-lm80-fix-a-missing-check-of-the-status-.patch
new file mode 100644
index 0000000000..49cd80c558
--- /dev/null
+++ b/patches.kernel.org/4.4.175-056-hwmon-lm80-fix-a-missing-check-of-the-status-.patch
@@ -0,0 +1,61 @@
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 21 Dec 2018 13:01:33 -0600
+Subject: [PATCH] hwmon: (lm80) fix a missing check of the status of SMBus read
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: c9c63915519b1def7043b184680f33c24cd49d7b
+
+[ Upstream commit c9c63915519b1def7043b184680f33c24cd49d7b ]
+
+If lm80_read_value() fails, it returns a negative number instead of the
+correct read data. Therefore, we should avoid using the data if it
+fails.
+
+The fix checks if lm80_read_value() fails, and if so, returns with the
+error number.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+[groeck: One variable for return values is enough]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/hwmon/lm80.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/hwmon/lm80.c b/drivers/hwmon/lm80.c
+index 4bcd9b882948..47ddae6b7038 100644
+--- a/drivers/hwmon/lm80.c
++++ b/drivers/hwmon/lm80.c
+@@ -360,9 +360,11 @@ static ssize_t set_fan_div(struct device *dev, struct device_attribute *attr,
+ struct i2c_client *client = data->client;
+ unsigned long min, val;
+ u8 reg;
+- int err = kstrtoul(buf, 10, &val);
+- if (err < 0)
+- return err;
++ int rv;
++
++ rv = kstrtoul(buf, 10, &val);
++ if (rv < 0)
++ return rv;
+
+ /* Save fan_min */
+ mutex_lock(&data->update_lock);
+@@ -390,8 +392,11 @@ static ssize_t set_fan_div(struct device *dev, struct device_attribute *attr,
+ return -EINVAL;
+ }
+
+- reg = (lm80_read_value(client, LM80_REG_FANDIV) &
+- ~(3 << (2 * (nr + 1)))) | (data->fan_div[nr] << (2 * (nr + 1)));
++ rv = lm80_read_value(client, LM80_REG_FANDIV);
++ if (rv < 0)
++ return rv;
++ reg = (rv & ~(3 << (2 * (nr + 1))))
++ | (data->fan_div[nr] << (2 * (nr + 1)));
+ lm80_write_value(client, LM80_REG_FANDIV, reg);
+
+ /* Restore fan_min */
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-057-hwmon-lm80-fix-a-missing-check-of-bus-read-in.patch b/patches.kernel.org/4.4.175-057-hwmon-lm80-fix-a-missing-check-of-bus-read-in.patch
new file mode 100644
index 0000000000..754d47acd4
--- /dev/null
+++ b/patches.kernel.org/4.4.175-057-hwmon-lm80-fix-a-missing-check-of-bus-read-in.patch
@@ -0,0 +1,56 @@
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 21 Dec 2018 13:10:39 -0600
+Subject: [PATCH] hwmon: (lm80) fix a missing check of bus read in lm80 probe
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 9aa3aa15f4c2f74f47afd6c5db4b420fadf3f315
+
+[ Upstream commit 9aa3aa15f4c2f74f47afd6c5db4b420fadf3f315 ]
+
+In lm80_probe(), if lm80_read_value() fails, it returns a negative
+error number which is stored to data->fan[f_min] and will be further
+used. We should avoid using the data if the read fails.
+
+The fix checks if lm80_read_value() fails, and if so, returns with the
+error number.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/hwmon/lm80.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/lm80.c b/drivers/hwmon/lm80.c
+index 47ddae6b7038..cb6606a0470d 100644
+--- a/drivers/hwmon/lm80.c
++++ b/drivers/hwmon/lm80.c
+@@ -628,6 +628,7 @@ static int lm80_probe(struct i2c_client *client,
+ struct device *dev = &client->dev;
+ struct device *hwmon_dev;
+ struct lm80_data *data;
++ int rv;
+
+ data = devm_kzalloc(dev, sizeof(struct lm80_data), GFP_KERNEL);
+ if (!data)
+@@ -640,8 +641,14 @@ static int lm80_probe(struct i2c_client *client,
+ lm80_init_client(client);
+
+ /* A few vars need to be filled upon startup */
+- data->fan[f_min][0] = lm80_read_value(client, LM80_REG_FAN_MIN(1));
+- data->fan[f_min][1] = lm80_read_value(client, LM80_REG_FAN_MIN(2));
++ rv = lm80_read_value(client, LM80_REG_FAN_MIN(1));
++ if (rv < 0)
++ return rv;
++ data->fan[f_min][0] = rv;
++ rv = lm80_read_value(client, LM80_REG_FAN_MIN(2));
++ if (rv < 0)
++ return rv;
++ data->fan[f_min][1] = rv;
+
+ hwmon_dev = devm_hwmon_device_register_with_groups(dev, client->name,
+ data, lm80_groups);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-058-seq_buf-Make-seq_buf_puts-null-terminate-the-.patch b/patches.kernel.org/4.4.175-058-seq_buf-Make-seq_buf_puts-null-terminate-the-.patch
new file mode 100644
index 0000000000..4b8d091eea
--- /dev/null
+++ b/patches.kernel.org/4.4.175-058-seq_buf-Make-seq_buf_puts-null-terminate-the-.patch
@@ -0,0 +1,72 @@
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Fri, 19 Oct 2018 15:21:08 +1100
+Subject: [PATCH] seq_buf: Make seq_buf_puts() null-terminate the buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 0464ed24380905d640030d368cd84a4e4d1e15e2
+
+[ Upstream commit 0464ed24380905d640030d368cd84a4e4d1e15e2 ]
+
+Currently seq_buf_puts() will happily create a non null-terminated
+string for you in the buffer. This is particularly dangerous if the
+buffer is on the stack.
+
+For example:
+
+ char buf[8];
+ char secret = "secret";
+ struct seq_buf s;
+
+ seq_buf_init(&s, buf, sizeof(buf));
+ seq_buf_puts(&s, "foo");
+ printk("Message is %s\n", buf);
+
+Can result in:
+
+ Message is fooªªªªªsecret
+
+We could require all users to memset() their buffer to zero before
+use. But that seems likely to be forgotten and lead to bugs.
+
+Instead we can change seq_buf_puts() to always leave the buffer in a
+null-terminated state.
+
+The only downside is that this makes the buffer 1 character smaller
+for seq_buf_puts(), but that seems like a good trade off.
+
+Link: http://lkml.kernel.org/r/20181019042109.8064-1-mpe@ellerman.id.au
+
+Acked-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ lib/seq_buf.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/seq_buf.c b/lib/seq_buf.c
+index 5c94e1012a91..cbef5ee4c459 100644
+--- a/lib/seq_buf.c
++++ b/lib/seq_buf.c
+@@ -143,9 +143,13 @@ int seq_buf_puts(struct seq_buf *s, const char *str)
+
+ WARN_ON(s->size == 0);
+
++ /* Add 1 to len for the trailing null byte which must be there */
++ len += 1;
++
+ if (seq_buf_can_fit(s, len)) {
+ memcpy(s->buffer + s->len, str, len);
+- s->len += len;
++ /* Don't count the trailing null byte against the capacity */
++ s->len += len - 1;
+ return 0;
+ }
+ seq_buf_set_overflow(s);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-059-crypto-ux500-Use-proper-enum-in-cryp_set_dma_.patch b/patches.kernel.org/4.4.175-059-crypto-ux500-Use-proper-enum-in-cryp_set_dma_.patch
new file mode 100644
index 0000000000..5e79ed55b4
--- /dev/null
+++ b/patches.kernel.org/4.4.175-059-crypto-ux500-Use-proper-enum-in-cryp_set_dma_.patch
@@ -0,0 +1,65 @@
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon, 10 Dec 2018 16:49:29 -0700
+Subject: [PATCH] crypto: ux500 - Use proper enum in cryp_set_dma_transfer
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 9d880c5945c748d8edcac30965f3349a602158c4
+
+[ Upstream commit 9d880c5945c748d8edcac30965f3349a602158c4 ]
+
+Clang warns when one enumerated type is implicitly converted to another:
+
+drivers/crypto/ux500/cryp/cryp_core.c:559:5: warning: implicit
+conversion from enumeration type 'enum dma_data_direction' to different
+enumeration type 'enum dma_transfer_direction' [-Wenum-conversion]
+ direction, DMA_CTRL_ACK);
+ ^~~~~~~~~
+drivers/crypto/ux500/cryp/cryp_core.c:583:5: warning: implicit
+conversion from enumeration type 'enum dma_data_direction' to different
+enumeration type 'enum dma_transfer_direction' [-Wenum-conversion]
+ direction,
+ ^~~~~~~~~
+2 warnings generated.
+
+dmaengine_prep_slave_sg expects an enum from dma_transfer_direction.
+Because we know the value of the dma_data_direction enum from the
+switch statement, we can just use the proper value from
+dma_transfer_direction so there is no more conversion.
+
+DMA_TO_DEVICE = DMA_MEM_TO_DEV = 1
+DMA_FROM_DEVICE = DMA_DEV_TO_MEM = 2
+
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/crypto/ux500/cryp/cryp_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/ux500/cryp/cryp_core.c b/drivers/crypto/ux500/cryp/cryp_core.c
+index 790f7cadc1ed..efebc484e371 100644
+--- a/drivers/crypto/ux500/cryp/cryp_core.c
++++ b/drivers/crypto/ux500/cryp/cryp_core.c
+@@ -555,7 +555,7 @@ static int cryp_set_dma_transfer(struct cryp_ctx *ctx,
+ desc = dmaengine_prep_slave_sg(channel,
+ ctx->device->dma.sg_src,
+ ctx->device->dma.sg_src_len,
+- direction, DMA_CTRL_ACK);
++ DMA_MEM_TO_DEV, DMA_CTRL_ACK);
+ break;
+
+ case DMA_FROM_DEVICE:
+@@ -579,7 +579,7 @@ static int cryp_set_dma_transfer(struct cryp_ctx *ctx,
+ desc = dmaengine_prep_slave_sg(channel,
+ ctx->device->dma.sg_dst,
+ ctx->device->dma.sg_dst_len,
+- direction,
++ DMA_DEV_TO_MEM,
+ DMA_CTRL_ACK |
+ DMA_PREP_INTERRUPT);
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-060-crypto-ux500-Use-proper-enum-in-hash_set_dma_.patch b/patches.kernel.org/4.4.175-060-crypto-ux500-Use-proper-enum-in-hash_set_dma_.patch
new file mode 100644
index 0000000000..1d570a3b7b
--- /dev/null
+++ b/patches.kernel.org/4.4.175-060-crypto-ux500-Use-proper-enum-in-hash_set_dma_.patch
@@ -0,0 +1,50 @@
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Mon, 10 Dec 2018 16:49:54 -0700
+Subject: [PATCH] crypto: ux500 - Use proper enum in hash_set_dma_transfer
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 5ac93f808338f4dd465402e91869702eb87db241
+
+[ Upstream commit 5ac93f808338f4dd465402e91869702eb87db241 ]
+
+Clang warns when one enumerated type is implicitly converted to another:
+
+drivers/crypto/ux500/hash/hash_core.c:169:4: warning: implicit
+conversion from enumeration type 'enum dma_data_direction' to different
+enumeration type 'enum dma_transfer_direction' [-Wenum-conversion]
+ direction, DMA_CTRL_ACK | DMA_PREP_INTERRUPT);
+ ^~~~~~~~~
+1 warning generated.
+
+dmaengine_prep_slave_sg expects an enum from dma_transfer_direction.
+We know that the only direction supported by this function is
+DMA_TO_DEVICE because of the check at the top of this function so we can
+just use the equivalent value from dma_transfer_direction.
+
+DMA_TO_DEVICE = DMA_MEM_TO_DEV = 1
+
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/crypto/ux500/hash/hash_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/ux500/hash/hash_core.c b/drivers/crypto/ux500/hash/hash_core.c
+index cd4398498495..bca6b701c067 100644
+--- a/drivers/crypto/ux500/hash/hash_core.c
++++ b/drivers/crypto/ux500/hash/hash_core.c
+@@ -181,7 +181,7 @@ static int hash_set_dma_transfer(struct hash_ctx *ctx, struct scatterlist *sg,
+ __func__);
+ desc = dmaengine_prep_slave_sg(channel,
+ ctx->device->dma.sg, ctx->device->dma.sg_len,
+- direction, DMA_CTRL_ACK | DMA_PREP_INTERRUPT);
++ DMA_MEM_TO_DEV, DMA_CTRL_ACK | DMA_PREP_INTERRUPT);
+ if (!desc) {
+ dev_err(ctx->device->dev,
+ "%s: dmaengine_prep_slave_sg() failed!\n", __func__);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-061-cifs-check-ntwrk_buf_start-for-NULL-before-de.patch b/patches.kernel.org/4.4.175-061-cifs-check-ntwrk_buf_start-for-NULL-before-de.patch
new file mode 100644
index 0000000000..ee98cc88cd
--- /dev/null
+++ b/patches.kernel.org/4.4.175-061-cifs-check-ntwrk_buf_start-for-NULL-before-de.patch
@@ -0,0 +1,51 @@
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Thu, 13 Dec 2018 08:06:16 +1000
+Subject: [PATCH] cifs: check ntwrk_buf_start for NULL before dereferencing it
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 59a63e479ce36a3f24444c3a36efe82b78e4a8e0
+
+[ Upstream commit 59a63e479ce36a3f24444c3a36efe82b78e4a8e0 ]
+
+RHBZ: 1021460
+
+There is an issue where when multiple threads open/close the same directory
+ntwrk_buf_start might end up being NULL, causing the call to smbCalcSize
+later to oops with a NULL deref.
+
+The real bug is why this happens and why this can become NULL for an
+open cfile, which should not be allowed.
+This patch tries to avoid a oops until the time when we fix the underlying
+issue.
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/cifs/readdir.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
+index 57b039ebfb1f..43fa471c88d7 100644
+--- a/fs/cifs/readdir.c
++++ b/fs/cifs/readdir.c
+@@ -652,7 +652,14 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos,
+ /* scan and find it */
+ int i;
+ char *cur_ent;
+- char *end_of_smb = cfile->srch_inf.ntwrk_buf_start +
++ char *end_of_smb;
++
++ if (cfile->srch_inf.ntwrk_buf_start == NULL) {
++ cifs_dbg(VFS, "ntwrk_buf_start is NULL during readdir\n");
++ return -EIO;
++ }
++
++ end_of_smb = cfile->srch_inf.ntwrk_buf_start +
+ server->ops->calc_smb_size(
+ cfile->srch_inf.ntwrk_buf_start);
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-062-um-Avoid-marking-pages-with-changed-protectio.patch b/patches.kernel.org/4.4.175-062-um-Avoid-marking-pages-with-changed-protectio.patch
new file mode 100644
index 0000000000..a2d45a1962
--- /dev/null
+++ b/patches.kernel.org/4.4.175-062-um-Avoid-marking-pages-with-changed-protectio.patch
@@ -0,0 +1,59 @@
+From: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Date: Wed, 5 Dec 2018 12:37:41 +0000
+Subject: [PATCH] um: Avoid marking pages with "changed protection"
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 8892d8545f2d0342b9c550defbfb165db237044b
+
+[ Upstream commit 8892d8545f2d0342b9c550defbfb165db237044b ]
+
+Changing protection is a very high cost operation in UML
+because in addition to an extra syscall it also interrupts
+mmap merge sequences generated by the tlb.
+
+While the condition is not particularly common it is worth
+avoiding.
+
+Signed-off-by: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/um/include/asm/pgtable.h | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/arch/um/include/asm/pgtable.h b/arch/um/include/asm/pgtable.h
+index 18eb9924dda3..aeb430212947 100644
+--- a/arch/um/include/asm/pgtable.h
++++ b/arch/um/include/asm/pgtable.h
+@@ -197,12 +197,17 @@ static inline pte_t pte_mkold(pte_t pte)
+
+ static inline pte_t pte_wrprotect(pte_t pte)
+ {
+- pte_clear_bits(pte, _PAGE_RW);
++ if (likely(pte_get_bits(pte, _PAGE_RW)))
++ pte_clear_bits(pte, _PAGE_RW);
++ else
++ return pte;
+ return(pte_mknewprot(pte));
+ }
+
+ static inline pte_t pte_mkread(pte_t pte)
+ {
++ if (unlikely(pte_get_bits(pte, _PAGE_USER)))
++ return pte;
+ pte_set_bits(pte, _PAGE_USER);
+ return(pte_mknewprot(pte));
+ }
+@@ -221,6 +226,8 @@ static inline pte_t pte_mkyoung(pte_t pte)
+
+ static inline pte_t pte_mkwrite(pte_t pte)
+ {
++ if (unlikely(pte_get_bits(pte, _PAGE_RW)))
++ return pte;
+ pte_set_bits(pte, _PAGE_RW);
+ return(pte_mknewprot(pte));
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-063-niu-fix-missing-checks-of-niu_pci_eeprom_read.patch b/patches.kernel.org/4.4.175-063-niu-fix-missing-checks-of-niu_pci_eeprom_read.patch
new file mode 100644
index 0000000000..eb5530f63a
--- /dev/null
+++ b/patches.kernel.org/4.4.175-063-niu-fix-missing-checks-of-niu_pci_eeprom_read.patch
@@ -0,0 +1,52 @@
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Tue, 25 Dec 2018 01:56:14 -0600
+Subject: [PATCH] niu: fix missing checks of niu_pci_eeprom_read
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 26fd962bde0b15e54234fe762d86bc0349df1de4
+
+[ Upstream commit 26fd962bde0b15e54234fe762d86bc0349df1de4 ]
+
+niu_pci_eeprom_read() may fail, so we should check its return value
+before using the read data.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Shannon Nelson <shannon.lee.nelson@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/sun/niu.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c
+index ccebf89aa1e4..85f3a2c0d4dd 100644
+--- a/drivers/net/ethernet/sun/niu.c
++++ b/drivers/net/ethernet/sun/niu.c
+@@ -8121,6 +8121,8 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end)
+ start += 3;
+
+ prop_len = niu_pci_eeprom_read(np, start + 4);
++ if (prop_len < 0)
++ return prop_len;
+ err = niu_pci_vpd_get_propname(np, start + 5, namebuf, 64);
+ if (err < 0)
+ return err;
+@@ -8165,8 +8167,12 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end)
+ netif_printk(np, probe, KERN_DEBUG, np->dev,
+ "VPD_SCAN: Reading in property [%s] len[%d]\n",
+ namebuf, prop_len);
+- for (i = 0; i < prop_len; i++)
+- *prop_buf++ = niu_pci_eeprom_read(np, off + i);
++ for (i = 0; i < prop_len; i++) {
++ err = niu_pci_eeprom_read(np, off + i);
++ if (err >= 0)
++ *prop_buf = err;
++ ++prop_buf;
++ }
+ }
+
+ start += len;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-064-scripts-decode_stacktrace-only-strip-base-pat.patch b/patches.kernel.org/4.4.175-064-scripts-decode_stacktrace-only-strip-base-pat.patch
new file mode 100644
index 0000000000..dc0a7bd60c
--- /dev/null
+++ b/patches.kernel.org/4.4.175-064-scripts-decode_stacktrace-only-strip-base-pat.patch
@@ -0,0 +1,51 @@
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Fri, 28 Dec 2018 00:31:25 -0800
+Subject: [PATCH] scripts/decode_stacktrace: only strip base path when a prefix
+ of the path
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 67a28de47faa83585dd644bd4c31e5a1d9346c50
+
+[ Upstream commit 67a28de47faa83585dd644bd4c31e5a1d9346c50 ]
+
+Running something like:
+
+ decodecode vmlinux .
+
+leads to interested results where not only the leading "." gets stripped
+from the displayed paths, but also anywhere in the string, displaying
+something like:
+
+ kvm_vcpu_check_block (arch/arm64/kvm/virt/kvm/kvm_mainc:2141)
+
+which doesn't help further processing.
+
+Fix it by only stripping the base path if it is a prefix of the path.
+
+Link: http://lkml.kernel.org/r/20181210174659.31054-3-marc.zyngier@arm.com
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ scripts/decode_stacktrace.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh
+index 00d6d53c2681..ffc46c7c3afb 100755
+--- a/scripts/decode_stacktrace.sh
++++ b/scripts/decode_stacktrace.sh
+@@ -64,7 +64,7 @@ parse_symbol() {
+ fi
+
+ # Strip out the base of the path
+- code=${code//$basepath/""}
++ code=${code//^$basepath/""}
+
+ # In the case of inlines, move everything to same line
+ code=${code//$'\n'/' '}
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-065-ocfs2-don-t-clear-bh-uptodate-for-block-read.patch b/patches.kernel.org/4.4.175-065-ocfs2-don-t-clear-bh-uptodate-for-block-read.patch
new file mode 100644
index 0000000000..332e2c0b69
--- /dev/null
+++ b/patches.kernel.org/4.4.175-065-ocfs2-don-t-clear-bh-uptodate-for-block-read.patch
@@ -0,0 +1,71 @@
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Fri, 28 Dec 2018 00:32:57 -0800
+Subject: [PATCH] ocfs2: don't clear bh uptodate for block read
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 70306d9dce75abde855cefaf32b3f71eed8602a3
+
+[ Upstream commit 70306d9dce75abde855cefaf32b3f71eed8602a3 ]
+
+For sync io read in ocfs2_read_blocks_sync(), first clear bh uptodate flag
+and submit the io, second wait io done, last check whether bh uptodate, if
+not return io error.
+
+If two sync io for the same bh were issued, it could be the first io done
+and set uptodate flag, but just before check that flag, the second io came
+in and cleared uptodate, then ocfs2_read_blocks_sync() for the first io
+will return IO error.
+
+Indeed it's not necessary to clear uptodate flag, as the io end handler
+end_buffer_read_sync() will set or clear it based on io succeed or failed.
+
+The following message was found from a nfs server but the underlying
+storage returned no error.
+
+[4106438.567376] (nfsd,7146,3):ocfs2_get_suballoc_slot_bit:2780 ERROR: read block 1238823695 failed -5
+[4106438.567569] (nfsd,7146,3):ocfs2_get_suballoc_slot_bit:2812 ERROR: status = -5
+[4106438.567611] (nfsd,7146,3):ocfs2_test_inode_bit:2894 ERROR: get alloc slot and bit failed -5
+[4106438.567643] (nfsd,7146,3):ocfs2_test_inode_bit:2932 ERROR: status = -5
+[4106438.567675] (nfsd,7146,3):ocfs2_get_dentry:94 ERROR: test inode bit failed -5
+
+Same issue in non sync read ocfs2_read_blocks(), fixed it as well.
+
+Link: http://lkml.kernel.org/r/20181121020023.3034-4-junxiao.bi@oracle.com
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Changwei Ge <ge.changwei@h3c.com>
+Reviewed-by: Yiwen Jiang <jiangyiwen@huawei.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Mark Fasheh <mfasheh@versity.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/ocfs2/buffer_head_io.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c
+index 272269f1c310..9ee8bcfbf00f 100644
+--- a/fs/ocfs2/buffer_head_io.c
++++ b/fs/ocfs2/buffer_head_io.c
+@@ -146,7 +146,6 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
+ BUG();
+ }
+
+- clear_buffer_uptodate(bh);
+ get_bh(bh); /* for end_buffer_read_sync() */
+ bh->b_end_io = end_buffer_read_sync;
+ submit_bh(READ, bh);
+@@ -300,7 +299,6 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr,
+ continue;
+ }
+
+- clear_buffer_uptodate(bh);
+ get_bh(bh); /* for end_buffer_read_sync() */
+ if (validate)
+ set_buffer_needs_validate(bh);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-066-isdn-hisax-hfc_pci-Fix-a-possible-concurrency.patch b/patches.kernel.org/4.4.175-066-isdn-hisax-hfc_pci-Fix-a-possible-concurrency.patch
new file mode 100644
index 0000000000..4582c85fb4
--- /dev/null
+++ b/patches.kernel.org/4.4.175-066-isdn-hisax-hfc_pci-Fix-a-possible-concurrency.patch
@@ -0,0 +1,56 @@
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Wed, 26 Dec 2018 22:09:34 +0800
+Subject: [PATCH] isdn: hisax: hfc_pci: Fix a possible concurrency
+ use-after-free bug in HFCPCI_l1hw()
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 7418e6520f22a2e35815122fa5a53d5bbfa2c10f
+
+[ Upstream commit 7418e6520f22a2e35815122fa5a53d5bbfa2c10f ]
+
+In drivers/isdn/hisax/hfc_pci.c, the functions hfcpci_interrupt() and
+HFCPCI_l1hw() may be concurrently executed.
+
+HFCPCI_l1hw()
+ line 1173: if (!cs->tx_skb)
+
+hfcpci_interrupt()
+ line 942: spin_lock_irqsave();
+ line 1066: dev_kfree_skb_irq(cs->tx_skb);
+
+Thus, a possible concurrency use-after-free bug may occur
+in HFCPCI_l1hw().
+
+To fix these bugs, the calls to spin_lock_irqsave() and
+spin_unlock_irqrestore() are added in HFCPCI_l1hw(), to protect the
+access to cs->tx_skb.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/isdn/hisax/hfc_pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/isdn/hisax/hfc_pci.c b/drivers/isdn/hisax/hfc_pci.c
+index 90449e1e91e5..1b1453d62fed 100644
+--- a/drivers/isdn/hisax/hfc_pci.c
++++ b/drivers/isdn/hisax/hfc_pci.c
+@@ -1169,11 +1169,13 @@ HFCPCI_l1hw(struct PStack *st, int pr, void *arg)
+ if (cs->debug & L1_DEB_LAPD)
+ debugl1(cs, "-> PH_REQUEST_PULL");
+ #endif
++ spin_lock_irqsave(&cs->lock, flags);
+ if (!cs->tx_skb) {
+ test_and_clear_bit(FLG_L1_PULL_REQ, &st->l1.Flags);
+ st->l1.l1l2(st, PH_PULL | CONFIRM, NULL);
+ } else
+ test_and_set_bit(FLG_L1_PULL_REQ, &st->l1.Flags);
++ spin_unlock_irqrestore(&cs->lock, flags);
+ break;
+ case (HW_RESET | REQUEST):
+ spin_lock_irqsave(&cs->lock, flags);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-067-gdrom-fix-a-memory-leak-bug.patch b/patches.kernel.org/4.4.175-067-gdrom-fix-a-memory-leak-bug.patch
new file mode 100644
index 0000000000..3f8de6fb02
--- /dev/null
+++ b/patches.kernel.org/4.4.175-067-gdrom-fix-a-memory-leak-bug.patch
@@ -0,0 +1,42 @@
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Wed, 26 Dec 2018 20:15:13 -0600
+Subject: [PATCH] gdrom: fix a memory leak bug
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 093c48213ee37c3c3ff1cf5ac1aa2a9d8bc66017
+
+[ Upstream commit 093c48213ee37c3c3ff1cf5ac1aa2a9d8bc66017 ]
+
+In probe_gdrom(), the buffer pointed by 'gd.cd_info' is allocated through
+kzalloc() and is used to hold the information of the gdrom device. To
+register and unregister the device, the pointer 'gd.cd_info' is passed to
+the functions register_cdrom() and unregister_cdrom(), respectively.
+However, this buffer is not freed after it is used, which can cause a
+memory leak bug.
+
+This patch simply frees the buffer 'gd.cd_info' in exit_gdrom() to fix the
+above issue.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/cdrom/gdrom.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c
+index e2808fefbb78..1852d19d0d7b 100644
+--- a/drivers/cdrom/gdrom.c
++++ b/drivers/cdrom/gdrom.c
+@@ -882,6 +882,7 @@ static void __exit exit_gdrom(void)
+ platform_device_unregister(pd);
+ platform_driver_unregister(&gdrom_driver);
+ kfree(gd.toc);
++ kfree(gd.cd_info);
+ }
+
+ module_init(init_gdrom);
+--
+2.20.1
+
diff --git a/patches.suse/0001-block-swim3-Fix-EBUSY-error-when-re-opening-device-a.patch b/patches.kernel.org/4.4.175-068-block-swim3-Fix-EBUSY-error-when-re-opening-d.patch
index 814542abed..50c1d7821a 100644
--- a/patches.suse/0001-block-swim3-Fix-EBUSY-error-when-re-opening-device-a.patch
+++ b/patches.kernel.org/4.4.175-068-block-swim3-Fix-EBUSY-error-when-re-opening-d.patch
@@ -1,11 +1,12 @@
-From 296dcc40f2f2e402facf7cd26cf3f2c8f4b17d47 Mon Sep 17 00:00:00 2001
From: Finn Thain <fthain@telegraphics.com.au>
Date: Mon, 31 Dec 2018 16:44:09 +1100
Subject: [PATCH] block/swim3: Fix -EBUSY error when re-opening device after
unmount
+Patch-mainline: 4.4.175
+References: Git-fixes bnc#1012382
Git-commit: 296dcc40f2f2e402facf7cd26cf3f2c8f4b17d47
-Patch-mainline: v5.0-rc1
-References: Git-fixes
+
+[ Upstream commit 296dcc40f2f2e402facf7cd26cf3f2c8f4b17d47 ]
When the block device is opened with FMODE_EXCL, ref_count is set to -1.
This value doesn't get reset when the device is closed which means the
@@ -17,16 +18,17 @@ Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
drivers/block/swim3.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/block/swim3.c b/drivers/block/swim3.c
-index ba1190f1276b..87ca8f207c7c 100644
+index c264f2d284a7..2e0a9e2531cb 100644
--- a/drivers/block/swim3.c
+++ b/drivers/block/swim3.c
-@@ -995,7 +995,11 @@ static void floppy_release(struct gendisk *disk, fmode_t mode)
+@@ -1027,7 +1027,11 @@ static void floppy_release(struct gendisk *disk, fmode_t mode)
struct swim3 __iomem *sw = fs->swim3;
mutex_lock(&swim3_mutex);
@@ -40,5 +42,5 @@ index ba1190f1276b..87ca8f207c7c 100644
out_8(&sw->control_bic, 0xff);
swim3_select(fs, RELAX);
--
-2.16.4
+2.20.1
diff --git a/patches.kernel.org/4.4.175-069-HID-lenovo-Add-checks-to-fix-of_led_classdev_.patch b/patches.kernel.org/4.4.175-069-HID-lenovo-Add-checks-to-fix-of_led_classdev_.patch
new file mode 100644
index 0000000000..3fa479be7e
--- /dev/null
+++ b/patches.kernel.org/4.4.175-069-HID-lenovo-Add-checks-to-fix-of_led_classdev_.patch
@@ -0,0 +1,51 @@
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Mon, 24 Dec 2018 15:39:14 -0600
+Subject: [PATCH] HID: lenovo: Add checks to fix of_led_classdev_register
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 6ae16dfb61bce538d48b7fe98160fada446056c5
+
+[ Upstream commit 6ae16dfb61bce538d48b7fe98160fada446056c5 ]
+
+In lenovo_probe_tpkbd(), the function of_led_classdev_register() could
+return an error value that is unchecked. The fix adds these checks.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/hid/hid-lenovo.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-lenovo.c b/drivers/hid/hid-lenovo.c
+index 8979f1fd5208..24a4a23bdc90 100644
+--- a/drivers/hid/hid-lenovo.c
++++ b/drivers/hid/hid-lenovo.c
+@@ -703,7 +703,9 @@ static int lenovo_probe_tpkbd(struct hid_device *hdev)
+ data_pointer->led_mute.brightness_get = lenovo_led_brightness_get_tpkbd;
+ data_pointer->led_mute.brightness_set = lenovo_led_brightness_set_tpkbd;
+ data_pointer->led_mute.dev = dev;
+- led_classdev_register(dev, &data_pointer->led_mute);
++ ret = led_classdev_register(dev, &data_pointer->led_mute);
++ if (ret < 0)
++ goto err;
+
+ data_pointer->led_micmute.name = name_micmute;
+ data_pointer->led_micmute.brightness_get =
+@@ -711,7 +713,11 @@ static int lenovo_probe_tpkbd(struct hid_device *hdev)
+ data_pointer->led_micmute.brightness_set =
+ lenovo_led_brightness_set_tpkbd;
+ data_pointer->led_micmute.dev = dev;
+- led_classdev_register(dev, &data_pointer->led_micmute);
++ ret = led_classdev_register(dev, &data_pointer->led_micmute);
++ if (ret < 0) {
++ led_classdev_unregister(&data_pointer->led_mute);
++ goto err;
++ }
+
+ lenovo_features_set_tpkbd(hdev);
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-070-kernel-hung_task.c-break-RCU-locks-based-on-j.patch b/patches.kernel.org/4.4.175-070-kernel-hung_task.c-break-RCU-locks-based-on-j.patch
new file mode 100644
index 0000000000..5cd96aa72d
--- /dev/null
+++ b/patches.kernel.org/4.4.175-070-kernel-hung_task.c-break-RCU-locks-based-on-j.patch
@@ -0,0 +1,72 @@
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Thu, 3 Jan 2019 15:26:31 -0800
+Subject: [PATCH] kernel/hung_task.c: break RCU locks based on jiffies
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 304ae42739b108305f8d7b3eb3c1aec7c2b643a9
+
+[ Upstream commit 304ae42739b108305f8d7b3eb3c1aec7c2b643a9 ]
+
+check_hung_uninterruptible_tasks() is currently calling rcu_lock_break()
+for every 1024 threads. But check_hung_task() is very slow if printk()
+was called, and is very fast otherwise.
+
+If many threads within some 1024 threads called printk(), the RCU grace
+period might be extended enough to trigger RCU stall warnings.
+Therefore, calling rcu_lock_break() for every some fixed jiffies will be
+safer.
+
+Link: http://lkml.kernel.org/r/1544800658-11423-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Acked-by: Paul E. McKenney <paulmck@linux.ibm.com>
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/hung_task.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/hung_task.c b/kernel/hung_task.c
+index e0f90c2b57aa..cc05b97ba569 100644
+--- a/kernel/hung_task.c
++++ b/kernel/hung_task.c
+@@ -30,7 +30,7 @@ int __read_mostly sysctl_hung_task_check_count = PID_MAX_LIMIT;
+ * is disabled during the critical section. It also controls the size of
+ * the RCU grace period. So it needs to be upper-bound.
+ */
+-#define HUNG_TASK_BATCHING 1024
++#define HUNG_TASK_LOCK_BREAK (HZ / 10)
+
+ /*
+ * Zero means infinite timeout - no checking done:
+@@ -158,7 +158,7 @@ static bool rcu_lock_break(struct task_struct *g, struct task_struct *t)
+ static void check_hung_uninterruptible_tasks(unsigned long timeout)
+ {
+ int max_count = sysctl_hung_task_check_count;
+- int batch_count = HUNG_TASK_BATCHING;
++ unsigned long last_break = jiffies;
+ struct task_struct *g, *t;
+
+ /*
+@@ -172,10 +172,10 @@ static void check_hung_uninterruptible_tasks(unsigned long timeout)
+ for_each_process_thread(g, t) {
+ if (!max_count--)
+ goto unlock;
+- if (!--batch_count) {
+- batch_count = HUNG_TASK_BATCHING;
++ if (time_after(jiffies, last_break + HUNG_TASK_LOCK_BREAK)) {
+ if (!rcu_lock_break(g, t))
+ goto unlock;
++ last_break = jiffies;
+ }
+ /* use "==" to skip the TASK_KILLABLE tasks waiting on NFS */
+ if (t->state == TASK_UNINTERRUPTIBLE)
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-071-fs-epoll-drop-ovflist-branch-prediction.patch b/patches.kernel.org/4.4.175-071-fs-epoll-drop-ovflist-branch-prediction.patch
new file mode 100644
index 0000000000..22fc95f5c1
--- /dev/null
+++ b/patches.kernel.org/4.4.175-071-fs-epoll-drop-ovflist-branch-prediction.patch
@@ -0,0 +1,58 @@
+From: Davidlohr Bueso <dave@stgolabs.net>
+Date: Thu, 3 Jan 2019 15:27:09 -0800
+Subject: [PATCH] fs/epoll: drop ovflist branch prediction
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 76699a67f3041ff4c7af6d6ee9be2bfbf1ffb671
+
+[ Upstream commit 76699a67f3041ff4c7af6d6ee9be2bfbf1ffb671 ]
+
+The ep->ovflist is a secondary ready-list to temporarily store events
+that might occur when doing sproc without holding the ep->wq.lock. This
+accounts for every time we check for ready events and also send events
+back to userspace; both callbacks, particularly the latter because of
+copy_to_user, can account for a non-trivial time.
+
+As such, the unlikely() check to see if the pointer is being used, seems
+both misleading and sub-optimal. In fact, we go to an awful lot of
+trouble to sync both lists, and populating the ovflist is far from an
+uncommon scenario.
+
+For example, profiling a concurrent epoll_wait(2) benchmark, with
+CONFIG_PROFILE_ANNOTATED_BRANCHES shows that for a two threads a 33%
+incorrect rate was seen; and when incrementally increasing the number of
+epoll instances (which is used, for example for multiple queuing load
+balancing models), up to a 90% incorrect rate was seen.
+
+Similarly, by deleting the prediction, 3% throughput boost was seen
+across incremental threads.
+
+Link: http://lkml.kernel.org/r/20181108051006.18751-4-dave@stgolabs.net
+Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Jason Baron <jbaron@akamai.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/eventpoll.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index 1b08556776ce..240d9ceb8d0c 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -1034,7 +1034,7 @@ static int ep_poll_callback(wait_queue_t *wait, unsigned mode, int sync, void *k
+ * semantics). All the events that happen during that period of time are
+ * chained in ep->ovflist and requeued later on.
+ */
+- if (unlikely(ep->ovflist != EP_UNACTIVE_PTR)) {
++ if (ep->ovflist != EP_UNACTIVE_PTR) {
+ if (epi->next == EP_UNACTIVE_PTR) {
+ epi->next = ep->ovflist;
+ ep->ovflist = epi;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-072-exec-load_script-don-t-blindly-truncate-sheba.patch b/patches.kernel.org/4.4.175-072-exec-load_script-don-t-blindly-truncate-sheba.patch
new file mode 100644
index 0000000000..cc39f6b697
--- /dev/null
+++ b/patches.kernel.org/4.4.175-072-exec-load_script-don-t-blindly-truncate-sheba.patch
@@ -0,0 +1,57 @@
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Thu, 3 Jan 2019 15:28:07 -0800
+Subject: [PATCH] exec: load_script: don't blindly truncate shebang string
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 8099b047ecc431518b9bb6bdbba3549bbecdc343
+
+[ Upstream commit 8099b047ecc431518b9bb6bdbba3549bbecdc343 ]
+
+load_script() simply truncates bprm->buf and this is very wrong if the
+length of shebang string exceeds BINPRM_BUF_SIZE-2. This can silently
+truncate i_arg or (worse) we can execute the wrong binary if buf[2:126]
+happens to be the valid executable path.
+
+Change load_script() to return ENOEXEC if it can't find '\n' or zero in
+bprm->buf. Note that '\0' can come from either
+prepare_binprm()->memset() or from kernel_read(), we do not care.
+
+Link: http://lkml.kernel.org/r/20181112160931.GA28463@redhat.com
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Ben Woodard <woodard@redhat.com>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/binfmt_script.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
+index afdf4e3cafc2..634bdbb23851 100644
+--- a/fs/binfmt_script.c
++++ b/fs/binfmt_script.c
+@@ -43,10 +43,14 @@ static int load_script(struct linux_binprm *bprm)
+ fput(bprm->file);
+ bprm->file = NULL;
+
+- bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
+- if ((cp = strchr(bprm->buf, '\n')) == NULL)
+- cp = bprm->buf+BINPRM_BUF_SIZE-1;
++ for (cp = bprm->buf+2;; cp++) {
++ if (cp >= bprm->buf + BINPRM_BUF_SIZE)
++ return -ENOEXEC;
++ if (!*cp || (*cp == '\n'))
++ break;
++ }
+ *cp = '\0';
++
+ while (cp > bprm->buf) {
+ cp--;
+ if ((*cp == ' ') || (*cp == '\t'))
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-073-thermal-hwmon-inline-helpers-when-CONFIG_THER.patch b/patches.kernel.org/4.4.175-073-thermal-hwmon-inline-helpers-when-CONFIG_THER.patch
new file mode 100644
index 0000000000..f27e880a38
--- /dev/null
+++ b/patches.kernel.org/4.4.175-073-thermal-hwmon-inline-helpers-when-CONFIG_THER.patch
@@ -0,0 +1,49 @@
+From: Eduardo Valentin <edubezval@gmail.com>
+Date: Wed, 2 Jan 2019 00:34:03 +0000
+Subject: [PATCH] thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is
+ not set
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 03334ba8b425b2ad275c8f390cf83c7b081c3095
+
+commit 03334ba8b425b2ad275c8f390cf83c7b081c3095 upstream.
+
+Avoid warnings like this:
+thermal_hwmon.h:29:1: warning: ‘thermal_remove_hwmon_sysfs’ defined but not used [-Wunused-function]
+ thermal_remove_hwmon_sysfs(struct thermal_zone_device *tz)
+
+Fixes: 0dd88793aacd ("thermal: hwmon: move hwmon support to single file")
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/thermal/thermal_hwmon.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/thermal/thermal_hwmon.h b/drivers/thermal/thermal_hwmon.h
+index c798fdb2ae43..f97f76691bd0 100644
+--- a/drivers/thermal/thermal_hwmon.h
++++ b/drivers/thermal/thermal_hwmon.h
+@@ -34,13 +34,13 @@
+ int thermal_add_hwmon_sysfs(struct thermal_zone_device *tz);
+ void thermal_remove_hwmon_sysfs(struct thermal_zone_device *tz);
+ #else
+-static int
++static inline int
+ thermal_add_hwmon_sysfs(struct thermal_zone_device *tz)
+ {
+ return 0;
+ }
+
+-static void
++static inline void
+ thermal_remove_hwmon_sysfs(struct thermal_zone_device *tz)
+ {
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-074-test_hexdump-use-memcpy-instead-of-strncpy.patch b/patches.kernel.org/4.4.175-074-test_hexdump-use-memcpy-instead-of-strncpy.patch
new file mode 100644
index 0000000000..49de781da8
--- /dev/null
+++ b/patches.kernel.org/4.4.175-074-test_hexdump-use-memcpy-instead-of-strncpy.patch
@@ -0,0 +1,43 @@
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 30 Nov 2018 12:13:15 -0800
+Subject: [PATCH] test_hexdump: use memcpy instead of strncpy
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: b1286ed7158e9b62787508066283ab0b8850b518
+
+commit b1286ed7158e9b62787508066283ab0b8850b518 upstream.
+
+New versions of gcc reasonably warn about the odd pattern of
+
+ strncpy(p, q, strlen(q));
+
+which really doesn't make sense: the strncpy() ends up being just a slow
+and odd way to write memcpy() in this case.
+
+Apparently there was a patch for this floating around earlier, but it
+got lost.
+
+Acked-again-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ lib/test-hexdump.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/test-hexdump.c b/lib/test-hexdump.c
+index 5241df36eedf..dadcabe50988 100644
+--- a/lib/test-hexdump.c
++++ b/lib/test-hexdump.c
+@@ -81,7 +81,7 @@ static void __init test_hexdump(size_t len, int rowsize, int groupsize,
+ const char *q = *result++;
+ size_t amount = strlen(q);
+
+- strncpy(p, q, amount);
++ memcpy(p, q, amount);
+ p += amount + 1;
+ }
+ if (i)
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-075-tipc-use-destination-length-for-copy-string.patch b/patches.kernel.org/4.4.175-075-tipc-use-destination-length-for-copy-string.patch
new file mode 100644
index 0000000000..eef5836a5c
--- /dev/null
+++ b/patches.kernel.org/4.4.175-075-tipc-use-destination-length-for-copy-string.patch
@@ -0,0 +1,48 @@
+From: Guoqing Jiang <gqjiang@suse.com>
+Date: Fri, 19 Oct 2018 12:08:22 +0800
+Subject: [PATCH] tipc: use destination length for copy string
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 29e270fc32192e7729057963ae7120663856c93e
+
+commit 29e270fc32192e7729057963ae7120663856c93e upstream.
+
+Got below warning with gcc 8.2 compiler.
+
+net/tipc/topsrv.c: In function ‘tipc_topsrv_start’:
+net/tipc/topsrv.c:660:2: warning: ‘strncpy’ specified bound depends on the length of the source argument [-Wstringop-overflow=]
+ strncpy(srv->name, name, strlen(name) + 1);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+net/tipc/topsrv.c:660:27: note: length computed here
+ strncpy(srv->name, name, strlen(name) + 1);
+ ^~~~~~~~~~~~
+So change it to correct length and use strscpy.
+
+Signed-off-by: Guoqing Jiang <gqjiang@suse.com>
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/tipc/subscr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c
+index f9ff73a8d815..500c9e614a06 100644
+--- a/net/tipc/subscr.c
++++ b/net/tipc/subscr.c
+@@ -337,7 +337,7 @@ int tipc_topsrv_start(struct net *net)
+ topsrv->tipc_conn_new = tipc_subscrb_connect_cb;
+ topsrv->tipc_conn_shutdown = tipc_subscrb_shutdown_cb;
+
+- strncpy(topsrv->name, name, strlen(name) + 1);
++ strscpy(topsrv->name, name, sizeof(topsrv->name));
+ tn->topsrv = topsrv;
+ atomic_set(&tn->subscription_count, 0);
+
+--
+2.20.1
+
diff --git a/patches.fixes/string-drop-__must_check-from-strscpy-and-restore-st.patch b/patches.kernel.org/4.4.175-076-string-drop-__must_check-from-strscpy-and-res.patch
index 89c5811b46..d0cb160106 100644
--- a/patches.fixes/string-drop-__must_check-from-strscpy-and-restore-st.patch
+++ b/patches.kernel.org/4.4.175-076-string-drop-__must_check-from-strscpy-and-res.patch
@@ -1,16 +1,15 @@
-From 08a77676f9c5fc69a681ccd2cd8140e65dcb26c7 Mon Sep 17 00:00:00 2001
From: Tejun Heo <tj@kernel.org>
Date: Tue, 9 Jan 2018 07:21:15 -0800
-Subject: [PATCH] string: drop __must_check from strscpy() and restore strscpy() usages in cgroup
-Mime-version: 1.0
-Content-type: text/plain; charset=UTF-8
-Content-transfer-encoding: 8bit
-Git-commit: 08a77676f9c5fc69a681ccd2cd8140e65dcb26c7 (partial)
-Patch-mainline: v4.16-rc1
-References: bsc#1107319
+Subject: [PATCH] string: drop __must_check from strscpy() and restore
+ strscpy() usages in cgroup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Patch-mainline: 4.4.175
+References: bnc#1012382 bsc#1107319
+Git-commit: 08a77676f9c5fc69a681ccd2cd8140e65dcb26c7
-[ backport note: this patch contains *only* the change in string.h.
- cgroup code changes are dropped as not applicable to SLE12-SP3 -- tiwai ]
+commit 08a77676f9c5fc69a681ccd2cd8140e65dcb26c7 upstream.
e7fd37ba1217 ("cgroup: avoid copying strings longer than the buffers")
converted possibly unsafe strncpy() usages in cgroup to strscpy().
@@ -47,15 +46,18 @@ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+[backport only the string.h portion to remove build warnings starting to show up - gregkh]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
- include/linux/string.h | 2 +-
+ include/linux/string.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/include/linux/string.h b/include/linux/string.h
+index 98bb781a2eff..c026b7a19e26 100644
--- a/include/linux/string.h
+++ b/include/linux/string.h
-@@ -27,7 +27,7 @@ extern char * strncpy(char *,const char
+@@ -26,7 +26,7 @@ extern char * strncpy(char *,const char *, __kernel_size_t);
size_t strlcpy(char *, const char *, size_t);
#endif
#ifndef __HAVE_ARCH_STRSCPY
@@ -64,3 +66,6 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
#endif
#ifndef __HAVE_ARCH_STRCAT
extern char * strcat(char *, const char *);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-077-dccp-fool-proof-ccid_hc_-rt-x_parse_options.patch b/patches.kernel.org/4.4.175-077-dccp-fool-proof-ccid_hc_-rt-x_parse_options.patch
new file mode 100644
index 0000000000..5af381252f
--- /dev/null
+++ b/patches.kernel.org/4.4.175-077-dccp-fool-proof-ccid_hc_-rt-x_parse_options.patch
@@ -0,0 +1,112 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 30 Jan 2019 11:39:41 -0800
+Subject: [PATCH] dccp: fool proof ccid_hc_[rt]x_parse_options()
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 9b1f19d810e92d6cdc68455fbc22d9f961a58ce1
+
+[ Upstream commit 9b1f19d810e92d6cdc68455fbc22d9f961a58ce1 ]
+
+Similarly to commit 276bdb82dedb ("dccp: check ccid before dereferencing")
+it is wise to test for a NULL ccid.
+
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.0.0-rc3+ #37
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:ccid_hc_tx_parse_options net/dccp/ccid.h:205 [inline]
+RIP: 0010:dccp_parse_options+0x8d9/0x12b0 net/dccp/options.c:233
+Code: c5 0f b6 75 b3 80 38 00 0f 85 d6 08 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 45 b8 4c 8b b8 f8 07 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 95 08 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
+kobject: 'loop5' (0000000080f78fc1): kobject_uevent_env
+RSP: 0018:ffff8880a94df0b8 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff8880858ac723 RCX: dffffc0000000000
+RDX: 0000000000000100 RSI: 0000000000000007 RDI: 0000000000000001
+RBP: ffff8880a94df140 R08: 0000000000000001 R09: ffff888061b83a80
+R10: ffffed100c370752 R11: ffff888061b83a97 R12: 0000000000000026
+R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
+FS: 0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f0defa33518 CR3: 000000008db5e000 CR4: 00000000001406e0
+kobject: 'loop5' (0000000080f78fc1): fill_kobj_path: path = '/devices/virtual/block/loop5'
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ dccp_rcv_state_process+0x2b6/0x1af6 net/dccp/input.c:654
+ dccp_v4_do_rcv+0x100/0x190 net/dccp/ipv4.c:688
+ sk_backlog_rcv include/net/sock.h:936 [inline]
+ __sk_receive_skb+0x3a9/0xea0 net/core/sock.c:473
+ dccp_v4_rcv+0x10cb/0x1f80 net/dccp/ipv4.c:880
+ ip_protocol_deliver_rcu+0xb6/0xa20 net/ipv4/ip_input.c:208
+ ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ NF_HOOK include/linux/netfilter.h:283 [inline]
+ ip_local_deliver+0x1f0/0x740 net/ipv4/ip_input.c:255
+ dst_input include/net/dst.h:450 [inline]
+ ip_rcv_finish+0x1f4/0x2f0 net/ipv4/ip_input.c:414
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ NF_HOOK include/linux/netfilter.h:283 [inline]
+ ip_rcv+0xed/0x620 net/ipv4/ip_input.c:524
+ __netif_receive_skb_one_core+0x160/0x210 net/core/dev.c:4973
+ __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
+ process_backlog+0x206/0x750 net/core/dev.c:5923
+ napi_poll net/core/dev.c:6346 [inline]
+ net_rx_action+0x76d/0x1930 net/core/dev.c:6412
+ __do_softirq+0x30b/0xb11 kernel/softirq.c:292
+ run_ksoftirqd kernel/softirq.c:654 [inline]
+ run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646
+ smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
+ kthread+0x357/0x430 kernel/kthread.c:246
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
+Modules linked in:
+---[ end trace 58a0ba03bea2c376 ]---
+RIP: 0010:ccid_hc_tx_parse_options net/dccp/ccid.h:205 [inline]
+RIP: 0010:dccp_parse_options+0x8d9/0x12b0 net/dccp/options.c:233
+Code: c5 0f b6 75 b3 80 38 00 0f 85 d6 08 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 45 b8 4c 8b b8 f8 07 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 95 08 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
+RSP: 0018:ffff8880a94df0b8 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff8880858ac723 RCX: dffffc0000000000
+RDX: 0000000000000100 RSI: 0000000000000007 RDI: 0000000000000001
+RBP: ffff8880a94df140 R08: 0000000000000001 R09: ffff888061b83a80
+R10: ffffed100c370752 R11: ffff888061b83a97 R12: 0000000000000026
+R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
+FS: 0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f0defa33518 CR3: 0000000009871000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/dccp/ccid.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h
+index 6eb837a47b5c..baaaeb2b2c42 100644
+--- a/net/dccp/ccid.h
++++ b/net/dccp/ccid.h
+@@ -202,7 +202,7 @@ static inline void ccid_hc_tx_packet_recv(struct ccid *ccid, struct sock *sk,
+ static inline int ccid_hc_tx_parse_options(struct ccid *ccid, struct sock *sk,
+ u8 pkt, u8 opt, u8 *val, u8 len)
+ {
+- if (ccid->ccid_ops->ccid_hc_tx_parse_options == NULL)
++ if (!ccid || !ccid->ccid_ops->ccid_hc_tx_parse_options)
+ return 0;
+ return ccid->ccid_ops->ccid_hc_tx_parse_options(sk, pkt, opt, val, len);
+ }
+@@ -214,7 +214,7 @@ static inline int ccid_hc_tx_parse_options(struct ccid *ccid, struct sock *sk,
+ static inline int ccid_hc_rx_parse_options(struct ccid *ccid, struct sock *sk,
+ u8 pkt, u8 opt, u8 *val, u8 len)
+ {
+- if (ccid->ccid_ops->ccid_hc_rx_parse_options == NULL)
++ if (!ccid || !ccid->ccid_ops->ccid_hc_rx_parse_options)
+ return 0;
+ return ccid->ccid_ops->ccid_hc_rx_parse_options(sk, pkt, opt, val, len);
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-078-enic-fix-checksum-validation-for-IPv6.patch b/patches.kernel.org/4.4.175-078-enic-fix-checksum-validation-for-IPv6.patch
new file mode 100644
index 0000000000..8db63b6937
--- /dev/null
+++ b/patches.kernel.org/4.4.175-078-enic-fix-checksum-validation-for-IPv6.patch
@@ -0,0 +1,36 @@
+From: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Date: Wed, 30 Jan 2019 06:59:00 -0800
+Subject: [PATCH] enic: fix checksum validation for IPv6
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 7596175e99b3d4bce28022193efd954c201a782a
+
+[ Upstream commit 7596175e99b3d4bce28022193efd954c201a782a ]
+
+In case of IPv6 pkts, ipv4_csum_ok is 0. Because of this, driver does
+not set skb->ip_summed. So IPv6 rx checksum is not offloaded.
+
+Signed-off-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
+index 0433fdebda25..9ef4caa4b84d 100644
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -1180,7 +1180,7 @@ static void enic_rq_indicate_buf(struct vnic_rq *rq,
+ * CHECSUM_UNNECESSARY.
+ */
+ if ((netdev->features & NETIF_F_RXCSUM) && tcp_udp_csum_ok &&
+- ipv4_csum_ok)
++ (ipv4_csum_ok || ipv6))
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
+
+ if (vlan_stripped)
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-079-net-dp83640-expire-old-TX-skb.patch b/patches.kernel.org/4.4.175-079-net-dp83640-expire-old-TX-skb.patch
new file mode 100644
index 0000000000..8388bf392c
--- /dev/null
+++ b/patches.kernel.org/4.4.175-079-net-dp83640-expire-old-TX-skb.patch
@@ -0,0 +1,89 @@
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Mon, 4 Feb 2019 11:20:29 +0100
+Subject: [PATCH] net: dp83640: expire old TX-skb
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 53bc8d2af08654659abfadfd3e98eb9922ff787c
+
+[ Upstream commit 53bc8d2af08654659abfadfd3e98eb9922ff787c ]
+
+During sendmsg() a cloned skb is saved via dp83640_txtstamp() in
+->tx_queue. After the NIC sends this packet, the PHY will reply with a
+timestamp for that TX packet. If the cable is pulled at the right time I
+don't see that packet. It might gets flushed as part of queue shutdown
+on NIC's side.
+Once the link is up again then after the next sendmsg() we enqueue
+another skb in dp83640_txtstamp() and have two on the list. Then the PHY
+will send a reply and decode_txts() attaches it to the first skb on the
+list.
+No crash occurs since refcounting works but we are one packet behind.
+linuxptp/ptp4l usually closes the socket and opens a new one (in such a
+timeout case) so those "stale" replies never get there. However it does
+not resume normal operation anymore.
+
+Purge old skbs in decode_txts().
+
+Fixes: cb646e2b02b2 ("ptp: Added a clock driver for the National Semiconductor PHYTER.")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Kurt Kanzenbach <kurt@linutronix.de>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/phy/dp83640.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/phy/dp83640.c b/drivers/net/phy/dp83640.c
+index dc934347ae28..e6f564d50663 100644
+--- a/drivers/net/phy/dp83640.c
++++ b/drivers/net/phy/dp83640.c
+@@ -890,14 +890,14 @@ static void decode_txts(struct dp83640_private *dp83640,
+ struct phy_txts *phy_txts)
+ {
+ struct skb_shared_hwtstamps shhwtstamps;
++ struct dp83640_skb_info *skb_info;
+ struct sk_buff *skb;
+- u64 ns;
+ u8 overflow;
++ u64 ns;
+
+ /* We must already have the skb that triggered this. */
+-
++again:
+ skb = skb_dequeue(&dp83640->tx_queue);
+-
+ if (!skb) {
+ pr_debug("have timestamp but tx_queue empty\n");
+ return;
+@@ -912,6 +912,11 @@ static void decode_txts(struct dp83640_private *dp83640,
+ }
+ return;
+ }
++ skb_info = (struct dp83640_skb_info *)skb->cb;
++ if (time_after(jiffies, skb_info->tmo)) {
++ kfree_skb(skb);
++ goto again;
++ }
+
+ ns = phy2txts(phy_txts);
+ memset(&shhwtstamps, 0, sizeof(shhwtstamps));
+@@ -1461,6 +1466,7 @@ static bool dp83640_rxtstamp(struct phy_device *phydev,
+ static void dp83640_txtstamp(struct phy_device *phydev,
+ struct sk_buff *skb, int type)
+ {
++ struct dp83640_skb_info *skb_info = (struct dp83640_skb_info *)skb->cb;
+ struct dp83640_private *dp83640 = phydev->priv;
+
+ switch (dp83640->hwts_tx_en) {
+@@ -1473,6 +1479,7 @@ static void dp83640_txtstamp(struct phy_device *phydev,
+ /* fall through */
+ case HWTSTAMP_TX_ON:
+ skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
++ skb_info->tmo = jiffies + SKB_TIMESTAMP_TIMEOUT;
+ skb_queue_tail(&dp83640->tx_queue, skb);
+ break;
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-080-skge-potential-memory-corruption-in-skge_get_.patch b/patches.kernel.org/4.4.175-080-skge-potential-memory-corruption-in-skge_get_.patch
new file mode 100644
index 0000000000..a19f1294e2
--- /dev/null
+++ b/patches.kernel.org/4.4.175-080-skge-potential-memory-corruption-in-skge_get_.patch
@@ -0,0 +1,43 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 1 Feb 2019 11:28:16 +0300
+Subject: [PATCH] skge: potential memory corruption in skge_get_regs()
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 294c149a209c6196c2de85f512b52ef50f519949
+
+[ Upstream commit 294c149a209c6196c2de85f512b52ef50f519949 ]
+
+The "p" buffer is 0x4000 bytes long. B3_RI_WTO_R1 is 0x190. The value
+of "regs->len" is in the 1-0x4000 range. The bug here is that
+"regs->len - B3_RI_WTO_R1" can be a negative value which would lead to
+memory corruption and an abrupt crash.
+
+Fixes: c3f8be961808 ("[PATCH] skge: expand ethtool debug register dump")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/marvell/skge.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/skge.c b/drivers/net/ethernet/marvell/skge.c
+index 7173836fe361..c9f4b5412844 100644
+--- a/drivers/net/ethernet/marvell/skge.c
++++ b/drivers/net/ethernet/marvell/skge.c
+@@ -152,8 +152,10 @@ static void skge_get_regs(struct net_device *dev, struct ethtool_regs *regs,
+ memset(p, 0, regs->len);
+ memcpy_fromio(p, io, B3_RAM_ADDR);
+
+- memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
+- regs->len - B3_RI_WTO_R1);
++ if (regs->len > B3_RI_WTO_R1) {
++ memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
++ regs->len - B3_RI_WTO_R1);
++ }
+ }
+
+ /* Wake on Lan only supported on Yukon chips with rev 1 or above */
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-081-net-systemport-Fix-WoL-with-password-after-de.patch b/patches.kernel.org/4.4.175-081-net-systemport-Fix-WoL-with-password-after-de.patch
new file mode 100644
index 0000000000..1fd24602fc
--- /dev/null
+++ b/patches.kernel.org/4.4.175-081-net-systemport-Fix-WoL-with-password-after-de.patch
@@ -0,0 +1,112 @@
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 1 Feb 2019 13:23:38 -0800
+Subject: [PATCH] net: systemport: Fix WoL with password after deep sleep
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 8dfb8d2cceb76b74ad5b58cc65c75994329b4d5e
+
+[ Upstream commit 8dfb8d2cceb76b74ad5b58cc65c75994329b4d5e ]
+
+Broadcom STB chips support a deep sleep mode where all register
+contents are lost. Because we were stashing the MagicPacket password
+into some of these registers a suspend into that deep sleep then a
+resumption would not lead to being able to wake-up from MagicPacket with
+password again.
+
+Fix this by keeping a software copy of the password and program it
+during suspend.
+
+Fixes: 83e82f4c706b ("net: systemport: add Wake-on-LAN support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 25 +++++++++-------------
+ drivers/net/ethernet/broadcom/bcmsysport.h | 2 ++
+ 2 files changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
+index 7a6dd5e5e498..143b9a384af8 100644
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -400,7 +400,6 @@ static void bcm_sysport_get_wol(struct net_device *dev,
+ struct ethtool_wolinfo *wol)
+ {
+ struct bcm_sysport_priv *priv = netdev_priv(dev);
+- u32 reg;
+
+ wol->supported = WAKE_MAGIC | WAKE_MAGICSECURE;
+ wol->wolopts = priv->wolopts;
+@@ -408,11 +407,7 @@ static void bcm_sysport_get_wol(struct net_device *dev,
+ if (!(priv->wolopts & WAKE_MAGICSECURE))
+ return;
+
+- /* Return the programmed SecureOn password */
+- reg = umac_readl(priv, UMAC_PSW_MS);
+- put_unaligned_be16(reg, &wol->sopass[0]);
+- reg = umac_readl(priv, UMAC_PSW_LS);
+- put_unaligned_be32(reg, &wol->sopass[2]);
++ memcpy(wol->sopass, priv->sopass, sizeof(priv->sopass));
+ }
+
+ static int bcm_sysport_set_wol(struct net_device *dev,
+@@ -428,13 +423,8 @@ static int bcm_sysport_set_wol(struct net_device *dev,
+ if (wol->wolopts & ~supported)
+ return -EINVAL;
+
+- /* Program the SecureOn password */
+- if (wol->wolopts & WAKE_MAGICSECURE) {
+- umac_writel(priv, get_unaligned_be16(&wol->sopass[0]),
+- UMAC_PSW_MS);
+- umac_writel(priv, get_unaligned_be32(&wol->sopass[2]),
+- UMAC_PSW_LS);
+- }
++ if (wol->wolopts & WAKE_MAGICSECURE)
++ memcpy(priv->sopass, wol->sopass, sizeof(priv->sopass));
+
+ /* Flag the device and relevant IRQ as wakeup capable */
+ if (wol->wolopts) {
+@@ -1889,12 +1879,17 @@ static int bcm_sysport_suspend_to_wol(struct bcm_sysport_priv *priv)
+ unsigned int timeout = 1000;
+ u32 reg;
+
+- /* Password has already been programmed */
+ reg = umac_readl(priv, UMAC_MPD_CTRL);
+ reg |= MPD_EN;
+ reg &= ~PSW_EN;
+- if (priv->wolopts & WAKE_MAGICSECURE)
++ if (priv->wolopts & WAKE_MAGICSECURE) {
++ /* Program the SecureOn password */
++ umac_writel(priv, get_unaligned_be16(&priv->sopass[0]),
++ UMAC_PSW_MS);
++ umac_writel(priv, get_unaligned_be32(&priv->sopass[2]),
++ UMAC_PSW_LS);
+ reg |= PSW_EN;
++ }
+ umac_writel(priv, reg, UMAC_MPD_CTRL);
+
+ /* Make sure RBUF entered WoL mode as result */
+diff --git a/drivers/net/ethernet/broadcom/bcmsysport.h b/drivers/net/ethernet/broadcom/bcmsysport.h
+index 8ace6ecb5f79..e668b1ce5828 100644
+--- a/drivers/net/ethernet/broadcom/bcmsysport.h
++++ b/drivers/net/ethernet/broadcom/bcmsysport.h
+@@ -11,6 +11,7 @@
+ #ifndef __BCM_SYSPORT_H
+ #define __BCM_SYSPORT_H
+
++#include <linux/ethtool.h>
+ #include <linux/if_vlan.h>
+
+ /* Receive/transmit descriptor format */
+@@ -682,6 +683,7 @@ struct bcm_sysport_priv {
+ unsigned int crc_fwd:1;
+ u16 rev;
+ u32 wolopts;
++ u8 sopass[SOPASS_MAX];
+ unsigned int wol_irq_disabled:1;
+
+ /* MIB related fields */
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-082-net-dsa-slave-Don-t-propagate-flag-changes-on.patch b/patches.kernel.org/4.4.175-082-net-dsa-slave-Don-t-propagate-flag-changes-on.patch
new file mode 100644
index 0000000000..4ad769fcc3
--- /dev/null
+++ b/patches.kernel.org/4.4.175-082-net-dsa-slave-Don-t-propagate-flag-changes-on.patch
@@ -0,0 +1,60 @@
+From: Rundong Ge <rdong.ge@gmail.com>
+Date: Sat, 2 Feb 2019 14:29:35 +0000
+Subject: [PATCH] net: dsa: slave: Don't propagate flag changes on down slave
+ interfaces
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 17ab4f61b8cd6f9c38e9d0b935d86d73b5d0d2b5
+
+[ Upstream commit 17ab4f61b8cd6f9c38e9d0b935d86d73b5d0d2b5 ]
+
+The unbalance of master's promiscuity or allmulti will happen after ifdown
+and ifup a slave interface which is in a bridge.
+
+When we ifdown a slave interface , both the 'dsa_slave_close' and
+'dsa_slave_change_rx_flags' will clear the master's flags. The flags
+of master will be decrease twice.
+In the other hand, if we ifup the slave interface again, since the
+slave's flags were cleared the 'dsa_slave_open' won't set the master's
+flag, only 'dsa_slave_change_rx_flags' that triggered by 'br_add_if'
+will set the master's flags. The flags of master is increase once.
+
+Only propagating flag changes when a slave interface is up makes
+sure this does not happen. The 'vlan_dev_change_rx_flags' had the
+same problem and was fixed, and changes here follows that fix.
+
+Fixes: 91da11f870f0 ("net: Distributed Switch Architecture protocol support")
+Signed-off-by: Rundong Ge <rdong.ge@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/dsa/slave.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/dsa/slave.c b/net/dsa/slave.c
+index 48b28a7ecc7a..4256ac95a141 100644
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -157,10 +157,14 @@ static void dsa_slave_change_rx_flags(struct net_device *dev, int change)
+ struct dsa_slave_priv *p = netdev_priv(dev);
+ struct net_device *master = p->parent->dst->master_netdev;
+
+- if (change & IFF_ALLMULTI)
+- dev_set_allmulti(master, dev->flags & IFF_ALLMULTI ? 1 : -1);
+- if (change & IFF_PROMISC)
+- dev_set_promiscuity(master, dev->flags & IFF_PROMISC ? 1 : -1);
++ if (dev->flags & IFF_UP) {
++ if (change & IFF_ALLMULTI)
++ dev_set_allmulti(master,
++ dev->flags & IFF_ALLMULTI ? 1 : -1);
++ if (change & IFF_PROMISC)
++ dev_set_promiscuity(master,
++ dev->flags & IFF_PROMISC ? 1 : -1);
++ }
+ }
+
+ static void dsa_slave_set_rx_mode(struct net_device *dev)
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-083-ALSA-compress-Fix-stop-handling-on-compressed.patch b/patches.kernel.org/4.4.175-083-ALSA-compress-Fix-stop-handling-on-compressed.patch
new file mode 100644
index 0000000000..31ae93de3e
--- /dev/null
+++ b/patches.kernel.org/4.4.175-083-ALSA-compress-Fix-stop-handling-on-compressed.patch
@@ -0,0 +1,57 @@
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+Date: Tue, 5 Feb 2019 16:29:40 +0000
+Subject: [PATCH] ALSA: compress: Fix stop handling on compressed capture
+ streams
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 4f2ab5e1d13d6aa77c55f4914659784efd776eb4
+
+commit 4f2ab5e1d13d6aa77c55f4914659784efd776eb4 upstream.
+
+It is normal user behaviour to start, stop, then start a stream
+again without closing it. Currently this works for compressed
+playback streams but not capture ones.
+
+The states on a compressed capture stream go directly from OPEN to
+PREPARED, unlike a playback stream which moves to SETUP and waits
+for a write of data before moving to PREPARED. Currently however,
+when a stop is sent the state is set to SETUP for both types of
+streams. This leaves a capture stream in the situation where a new
+start can't be sent as that requires the state to be PREPARED and
+a new set_params can't be sent as that requires the state to be
+OPEN. The only option being to close the stream, and then reopen.
+
+Correct this issues by allowing snd_compr_drain_notify to set the
+state depending on the stream direction, as we already do in
+set_params.
+
+Fixes: 49bb6402f1aa ("ALSA: compress_core: Add support for capture streams")
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/sound/compress_driver.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/include/sound/compress_driver.h b/include/sound/compress_driver.h
+index fa1d05512c09..85ff3181e6f1 100644
+--- a/include/sound/compress_driver.h
++++ b/include/sound/compress_driver.h
+@@ -178,7 +178,11 @@ static inline void snd_compr_drain_notify(struct snd_compr_stream *stream)
+ if (snd_BUG_ON(!stream))
+ return;
+
+- stream->runtime->state = SNDRV_PCM_STATE_SETUP;
++ if (stream->direction == SND_COMPRESS_PLAYBACK)
++ stream->runtime->state = SNDRV_PCM_STATE_SETUP;
++ else
++ stream->runtime->state = SNDRV_PCM_STATE_PREPARED;
++
+ wake_up(&stream->runtime->sleep);
+ }
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-084-ALSA-hda-Serialize-codec-registrations.patch b/patches.kernel.org/4.4.175-084-ALSA-hda-Serialize-codec-registrations.patch
new file mode 100644
index 0000000000..5aea5df72e
--- /dev/null
+++ b/patches.kernel.org/4.4.175-084-ALSA-hda-Serialize-codec-registrations.patch
@@ -0,0 +1,79 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 30 Jan 2019 17:46:03 +0100
+Subject: [PATCH] ALSA: hda - Serialize codec registrations
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 305a0ade180981686eec1f92aa6252a7c6ebb1cf
+
+commit 305a0ade180981686eec1f92aa6252a7c6ebb1cf upstream.
+
+In the current code, the codec registration may happen both at the
+codec bind time and the end of the controller probe time. In a rare
+occasion, they race with each other, leading to Oops due to the still
+uninitialized card device.
+
+This patch introduces a simple flag to prevent the codec registration
+at the codec bind time as long as the controller probe is going on.
+The controller probe invokes snd_card_register() that does the whole
+registration task, and we don't need to register each piece
+beforehand.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/pci/hda/hda_bind.c | 3 ++-
+ sound/pci/hda/hda_codec.h | 1 +
+ sound/pci/hda/hda_intel.c | 2 ++
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/hda_bind.c b/sound/pci/hda/hda_bind.c
+index 6efadbfb3fe3..7ea201c05e5d 100644
+--- a/sound/pci/hda/hda_bind.c
++++ b/sound/pci/hda/hda_bind.c
+@@ -109,7 +109,8 @@ static int hda_codec_driver_probe(struct device *dev)
+ err = snd_hda_codec_build_controls(codec);
+ if (err < 0)
+ goto error_module;
+- if (codec->card->registered) {
++ /* only register after the bus probe finished; otherwise it's racy */
++ if (!codec->bus->bus_probing && codec->card->registered) {
+ err = snd_card_register(codec->card);
+ if (err < 0)
+ goto error_module;
+diff --git a/sound/pci/hda/hda_codec.h b/sound/pci/hda/hda_codec.h
+index 776dffa88aee..171e11be938d 100644
+--- a/sound/pci/hda/hda_codec.h
++++ b/sound/pci/hda/hda_codec.h
+@@ -68,6 +68,7 @@ struct hda_bus {
+ unsigned int response_reset:1; /* controller was reset */
+ unsigned int in_reset:1; /* during reset operation */
+ unsigned int no_response_fallback:1; /* don't fallback at RIRB error */
++ unsigned int bus_probing :1; /* during probing process */
+
+ int primary_dig_out_type; /* primary digital out PCM type */
+ unsigned int mixer_assigned; /* codec addr for mixer name */
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index f964743b104c..74c9600876d6 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2100,6 +2100,7 @@ static int azx_probe_continue(struct azx *chip)
+ int val;
+ int err;
+
++ to_hda_bus(bus)->bus_probing = 1;
+ hda->probe_continued = 1;
+
+ /* Request display power well for the HDA controller or codec. For
+@@ -2200,6 +2201,7 @@ static int azx_probe_continue(struct azx *chip)
+ if (err < 0)
+ hda->init_failed = 1;
+ complete_all(&hda->probe_wait);
++ to_hda_bus(bus)->bus_probing = 0;
+ return err;
+ }
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-085-fuse-call-pipe_buf_release-under-pipe-lock.patch b/patches.kernel.org/4.4.175-085-fuse-call-pipe_buf_release-under-pipe-lock.patch
new file mode 100644
index 0000000000..ca76b3ddff
--- /dev/null
+++ b/patches.kernel.org/4.4.175-085-fuse-call-pipe_buf_release-under-pipe-lock.patch
@@ -0,0 +1,48 @@
+From: Jann Horn <jannh@google.com>
+Date: Sat, 12 Jan 2019 02:39:05 +0100
+Subject: [PATCH] fuse: call pipe_buf_release() under pipe lock
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 9509941e9c534920ccc4771ae70bd6cbbe79df1c
+
+commit 9509941e9c534920ccc4771ae70bd6cbbe79df1c upstream.
+
+Some of the pipe_buf_release() handlers seem to assume that the pipe is
+locked - in particular, anon_pipe_buf_release() accesses pipe->tmp_page
+without taking any extra locks. From a glance through the callers of
+pipe_buf_release(), it looks like FUSE is the only one that calls
+pipe_buf_release() without having the pipe locked.
+
+This bug should only lead to a memory leak, nothing terrible.
+
+Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/fuse/dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
+index e566652ac922..a2cd166a6c69 100644
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -2074,10 +2074,13 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
+
+ ret = fuse_dev_do_write(fud, &cs, len);
+
++ pipe_lock(pipe);
+ for (idx = 0; idx < nbuf; idx++) {
+ struct pipe_buffer *buf = &bufs[idx];
+ buf->ops->release(pipe, buf);
+ }
++ pipe_unlock(pipe);
++
+ out:
+ kfree(bufs);
+ return ret;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-086-fuse-decrement-NR_WRITEBACK_TEMP-on-the-right.patch b/patches.kernel.org/4.4.175-086-fuse-decrement-NR_WRITEBACK_TEMP-on-the-right.patch
new file mode 100644
index 0000000000..d68db753a8
--- /dev/null
+++ b/patches.kernel.org/4.4.175-086-fuse-decrement-NR_WRITEBACK_TEMP-on-the-right.patch
@@ -0,0 +1,37 @@
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 16 Jan 2019 10:27:59 +0100
+Subject: [PATCH] fuse: decrement NR_WRITEBACK_TEMP on the right page
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: a2ebba824106dabe79937a9f29a875f837e1b6d4
+
+commit a2ebba824106dabe79937a9f29a875f837e1b6d4 upstream.
+
+NR_WRITEBACK_TEMP is accounted on the temporary page in the request, not
+the page cache page.
+
+Fixes: 8b284dc47291 ("fuse: writepages: handle same page rewrites")
+Cc: <stable@vger.kernel.org> # v3.13
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/fuse/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index 7014318f6d18..d40c2451487c 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1784,7 +1784,7 @@ static bool fuse_writepage_in_flight(struct fuse_req *new_req,
+ spin_unlock(&fc->lock);
+
+ dec_wb_stat(&bdi->wb, WB_WRITEBACK);
+- dec_zone_page_state(page, NR_WRITEBACK_TEMP);
++ dec_zone_page_state(new_req->pages[0], NR_WRITEBACK_TEMP);
+ wb_writeout_inc(&bdi->wb);
+ fuse_writepage_free(fc, new_req);
+ fuse_request_free(new_req);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-087-fuse-handle-zero-sized-retrieve-correctly.patch b/patches.kernel.org/4.4.175-087-fuse-handle-zero-sized-retrieve-correctly.patch
new file mode 100644
index 0000000000..1a7dc713fd
--- /dev/null
+++ b/patches.kernel.org/4.4.175-087-fuse-handle-zero-sized-retrieve-correctly.patch
@@ -0,0 +1,45 @@
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 16 Jan 2019 10:27:59 +0100
+Subject: [PATCH] fuse: handle zero sized retrieve correctly
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 97e1532ef81acb31c30f9e75bf00306c33a77812
+
+commit 97e1532ef81acb31c30f9e75bf00306c33a77812 upstream.
+
+Dereferencing req->page_descs[0] will Oops if req->max_pages is zero.
+
+Reported-by: syzbot+c1e36d30ee3416289cc0@syzkaller.appspotmail.com
+Tested-by: syzbot+c1e36d30ee3416289cc0@syzkaller.appspotmail.com
+Fixes: b2430d7567a3 ("fuse: add per-page descriptor <offset, length> to fuse_req")
+Cc: <stable@vger.kernel.org> # v3.9
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/fuse/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
+index a2cd166a6c69..341196338e48 100644
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1741,7 +1741,6 @@ static int fuse_retrieve(struct fuse_conn *fc, struct inode *inode,
+ req->in.h.nodeid = outarg->nodeid;
+ req->in.numargs = 2;
+ req->in.argpages = 1;
+- req->page_descs[0].offset = offset;
+ req->end = fuse_retrieve_end;
+
+ index = outarg->offset >> PAGE_CACHE_SHIFT;
+@@ -1756,6 +1755,7 @@ static int fuse_retrieve(struct fuse_conn *fc, struct inode *inode,
+
+ this_num = min_t(unsigned, num, PAGE_CACHE_SIZE - offset);
+ req->pages[req->num_pages] = page;
++ req->page_descs[req->num_pages].offset = offset;
+ req->page_descs[req->num_pages].length = this_num;
+ req->num_pages++;
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-088-dmaengine-imx-dma-fix-wrong-callback-invoke.patch b/patches.kernel.org/4.4.175-088-dmaengine-imx-dma-fix-wrong-callback-invoke.patch
new file mode 100644
index 0000000000..005eb8833d
--- /dev/null
+++ b/patches.kernel.org/4.4.175-088-dmaengine-imx-dma-fix-wrong-callback-invoke.patch
@@ -0,0 +1,69 @@
+From: Leonid Iziumtsev <leonid.iziumtsev@gmail.com>
+Date: Tue, 15 Jan 2019 17:15:23 +0000
+Subject: [PATCH] dmaengine: imx-dma: fix wrong callback invoke
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 341198eda723c8c1cddbb006a89ad9e362502ea2
+
+commit 341198eda723c8c1cddbb006a89ad9e362502ea2 upstream.
+
+Once the "ld_queue" list is not empty, next descriptor will migrate
+into "ld_active" list. The "desc" variable will be overwritten
+during that transition. And later the dmaengine_desc_get_callback_invoke()
+will use it as an argument. As result we invoke wrong callback.
+
+That behaviour was in place since:
+commit fcaaba6c7136 ("dmaengine: imx-dma: fix callback path in tasklet").
+But after commit 4cd13c21b207 ("softirq: Let ksoftirqd do its job")
+things got worse, since possible delay between tasklet_schedule()
+from DMA irq handler and actual tasklet function execution got bigger.
+And that gave more time for new DMA request to be submitted and
+to be put into "ld_queue" list.
+
+It has been noticed that DMA issue is causing problems for "mxc-mmc"
+driver. While stressing the system with heavy network traffic and
+writing/reading to/from sd card simultaneously the timeout may happen:
+
+10013000.sdhci: mxcmci_watchdog: read time out (status = 0x30004900)
+
+That often lead to file system corruption.
+
+Signed-off-by: Leonid Iziumtsev <leonid.iziumtsev@gmail.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/dma/imx-dma.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/dma/imx-dma.c b/drivers/dma/imx-dma.c
+index 48d85f8b95fe..dfa337ae06fc 100644
+--- a/drivers/dma/imx-dma.c
++++ b/drivers/dma/imx-dma.c
+@@ -619,7 +619,7 @@ static void imxdma_tasklet(unsigned long data)
+ {
+ struct imxdma_channel *imxdmac = (void *)data;
+ struct imxdma_engine *imxdma = imxdmac->imxdma;
+- struct imxdma_desc *desc;
++ struct imxdma_desc *desc, *next_desc;
+ unsigned long flags;
+
+ spin_lock_irqsave(&imxdma->lock, flags);
+@@ -649,10 +649,10 @@ static void imxdma_tasklet(unsigned long data)
+ list_move_tail(imxdmac->ld_active.next, &imxdmac->ld_free);
+
+ if (!list_empty(&imxdmac->ld_queue)) {
+- desc = list_first_entry(&imxdmac->ld_queue, struct imxdma_desc,
+- node);
++ next_desc = list_first_entry(&imxdmac->ld_queue,
++ struct imxdma_desc, node);
+ list_move_tail(imxdmac->ld_queue.next, &imxdmac->ld_active);
+- if (imxdma_xfer_desc(desc) < 0)
++ if (imxdma_xfer_desc(next_desc) < 0)
+ dev_warn(imxdma->dev, "%s: channel: %d couldn't xfer desc\n",
+ __func__, imxdmac->channel);
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-089-usb-phy-am335x-fix-race-condition-in-_probe.patch b/patches.kernel.org/4.4.175-089-usb-phy-am335x-fix-race-condition-in-_probe.patch
new file mode 100644
index 0000000000..7e7650c801
--- /dev/null
+++ b/patches.kernel.org/4.4.175-089-usb-phy-am335x-fix-race-condition-in-_probe.patch
@@ -0,0 +1,50 @@
+From: Bin Liu <b-liu@ti.com>
+Date: Wed, 16 Jan 2019 11:54:07 -0600
+Subject: [PATCH] usb: phy: am335x: fix race condition in _probe
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: a53469a68eb886e84dd8b69a1458a623d3591793
+
+commit a53469a68eb886e84dd8b69a1458a623d3591793 upstream.
+
+power off the phy should be done before populate the phy. Otherwise,
+am335x_init() could be called by the phy owner to power on the phy first,
+then am335x_phy_probe() turns off the phy again without the caller knowing
+it.
+
+Fixes: 2fc711d76352 ("usb: phy: am335x: Enable USB remote wakeup using PHY wakeup")
+Cc: stable@vger.kernel.org # v3.18+
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/phy/phy-am335x.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/usb/phy/phy-am335x.c b/drivers/usb/phy/phy-am335x.c
+index 90b67a4ca221..558f33a75fd9 100644
+--- a/drivers/usb/phy/phy-am335x.c
++++ b/drivers/usb/phy/phy-am335x.c
+@@ -56,9 +56,6 @@ static int am335x_phy_probe(struct platform_device *pdev)
+ if (ret)
+ return ret;
+
+- ret = usb_add_phy_dev(&am_phy->usb_phy_gen.phy);
+- if (ret)
+- return ret;
+ am_phy->usb_phy_gen.phy.init = am335x_init;
+ am_phy->usb_phy_gen.phy.shutdown = am335x_shutdown;
+
+@@ -77,7 +74,7 @@ static int am335x_phy_probe(struct platform_device *pdev)
+ device_set_wakeup_enable(dev, false);
+ phy_ctrl_power(am_phy->phy_ctrl, am_phy->id, false);
+
+- return 0;
++ return usb_add_phy_dev(&am_phy->usb_phy_gen.phy);
+ }
+
+ static int am335x_phy_remove(struct platform_device *pdev)
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-090-usb-gadget-udc-net2272-Fix-bitwise-and-boolea.patch b/patches.kernel.org/4.4.175-090-usb-gadget-udc-net2272-Fix-bitwise-and-boolea.patch
new file mode 100644
index 0000000000..b6aa1cf248
--- /dev/null
+++ b/patches.kernel.org/4.4.175-090-usb-gadget-udc-net2272-Fix-bitwise-and-boolea.patch
@@ -0,0 +1,48 @@
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 22 Jan 2019 15:28:08 -0600
+Subject: [PATCH] usb: gadget: udc: net2272: Fix bitwise and boolean operations
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 07c69f1148da7de3978686d3af9263325d9d60bd
+
+commit 07c69f1148da7de3978686d3af9263325d9d60bd upstream.
+
+(!x & y) strikes again.
+
+Fix bitwise and boolean operations by enclosing the expression:
+
+ intcsr & (1 << NET2272_PCI_IRQ)
+
+in parentheses, before applying the boolean operator '!'.
+
+Notice that this code has been there since 2011. So, it would
+be helpful if someone can double-check this.
+
+This issue was detected with the help of Coccinelle.
+
+Fixes: ceb80363b2ec ("USB: net2272: driver for PLX NET2272 USB device controller")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/gadget/udc/net2272.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/net2272.c b/drivers/usb/gadget/udc/net2272.c
+index 18f5ebd447b8..3b6e34fc032b 100644
+--- a/drivers/usb/gadget/udc/net2272.c
++++ b/drivers/usb/gadget/udc/net2272.c
+@@ -2100,7 +2100,7 @@ static irqreturn_t net2272_irq(int irq, void *_dev)
+ #if defined(PLX_PCI_RDK2)
+ /* see if PCI int for us by checking irqstat */
+ intcsr = readl(dev->rdk2.fpga_base_addr + RDK2_IRQSTAT);
+- if (!intcsr & (1 << NET2272_PCI_IRQ)) {
++ if (!(intcsr & (1 << NET2272_PCI_IRQ))) {
+ spin_unlock(&dev->lock);
+ return IRQ_NONE;
+ }
+--
+2.20.1
+
diff --git a/patches.arch/kvm-x86-work-around-leak-of-uninitialized-stack-contents-cve-2019-7222 b/patches.kernel.org/4.4.175-091-KVM-x86-work-around-leak-of-uninitialized-sta.patch
index 61206e844e..d66b06a42f 100644
--- a/patches.arch/kvm-x86-work-around-leak-of-uninitialized-stack-contents-cve-2019-7222
+++ b/patches.kernel.org/4.4.175-091-KVM-x86-work-around-leak-of-uninitialized-sta.patch
@@ -1,10 +1,12 @@
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 29 Jan 2019 18:41:16 +0100
-Subject: KVM: x86: work around leak of uninitialized stack contents
+Subject: [PATCH] KVM: x86: work around leak of uninitialized stack contents
(CVE-2019-7222)
+Patch-mainline: 4.4.175
+References: CVE-2019-7222 bnc#1012382 bsc#1124735
Git-commit: 353c0956a618a07ba4bbe7ad00ff29fe70e8412a
-Patch-mainline: v5.0-rc6
-References: CVE-2019-7222 bsc#1124735
+
+commit 353c0956a618a07ba4bbe7ad00ff29fe70e8412a upstream.
Bugzilla: 1671930
@@ -22,14 +24,17 @@ Embargoed until Feb 7th 2019.
Reported-by: Felix Wilhelm <fwilhelm@google.com>
Cc: stable@kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Acked-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
- arch/x86/kvm/x86.c | 7 +++++++
+ arch/x86/kvm/x86.c | 7 +++++++
1 file changed, 7 insertions(+)
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 758e2b39567d..6bd0538d8ebf 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
-@@ -4315,6 +4315,13 @@ int kvm_read_guest_virt(struct kvm_vcpu
+@@ -4247,6 +4247,13 @@ int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
{
u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
@@ -43,3 +48,6 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
exception);
}
+--
+2.20.1
+
diff --git a/patches.arch/kvm-nvmx-unconditionally-cancel-preemption-timer-in-free_nested-cve-2019-7221 b/patches.kernel.org/4.4.175-092-KVM-nVMX-unconditionally-cancel-preemption-ti.patch
index 1e35bb04dd..344e2cc71c 100644
--- a/patches.arch/kvm-nvmx-unconditionally-cancel-preemption-timer-in-free_nested-cve-2019-7221
+++ b/patches.kernel.org/4.4.175-092-KVM-nVMX-unconditionally-cancel-preemption-ti.patch
@@ -1,10 +1,12 @@
From: Peter Shier <pshier@google.com>
Date: Thu, 11 Oct 2018 11:46:46 -0700
-Subject: KVM: nVMX: unconditionally cancel preemption timer in free_nested
- (CVE-2019-7221)
+Subject: [PATCH] KVM: nVMX: unconditionally cancel preemption timer in
+ free_nested (CVE-2019-7221)
+Patch-mainline: 4.4.175
+References: CVE-2019-7221 bnc#1012382 bsc#1124732
Git-commit: ecec76885bcfe3294685dc363fd1273df0d5d65f
-Patch-mainline: v5.0-rc6
-References: CVE-2019-7221 bsc#1124732
+
+commit ecec76885bcfe3294685dc363fd1273df0d5d65f upstream.
Bugzilla: 1671904
@@ -22,14 +24,17 @@ Reported-by: Felix Wilhelm <fwilhelm@google.com>
Cc: stable@kernel.org
Message-Id: <20181011184646.154065-1-pshier@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Acked-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
- arch/x86/kvm/vmx/nested.c | 1 +
+ arch/x86/kvm/vmx.c | 1 +
1 file changed, 1 insertion(+)
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 3bdb2e747b89..aee2886a387c 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
-@@ -6887,6 +6887,7 @@ static void free_nested(struct vcpu_vmx
+@@ -6965,6 +6965,7 @@ static void free_nested(struct vcpu_vmx *vmx)
if (!vmx->nested.vmxon)
return;
@@ -37,3 +42,6 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
vmx->nested.vmxon = false;
free_vpid(vmx->nested.vpid02);
nested_release_vmcs12(vmx);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-093-perf-x86-intel-uncore-Add-Node-ID-mask.patch b/patches.kernel.org/4.4.175-093-perf-x86-intel-uncore-Add-Node-ID-mask.patch
new file mode 100644
index 0000000000..fbf3977b87
--- /dev/null
+++ b/patches.kernel.org/4.4.175-093-perf-x86-intel-uncore-Add-Node-ID-mask.patch
@@ -0,0 +1,68 @@
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Sun, 27 Jan 2019 06:53:14 -0800
+Subject: [PATCH] perf/x86/intel/uncore: Add Node ID mask
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 9e63a7894fd302082cf3627fe90844421a6cbe7f
+
+commit 9e63a7894fd302082cf3627fe90844421a6cbe7f upstream.
+
+Some PCI uncore PMUs cannot be registered on an 8-socket system (HPE
+Superdome Flex).
+
+To understand which Socket the PCI uncore PMUs belongs to, perf retrieves
+the local Node ID of the uncore device from CPUNODEID(0xC0) of the PCI
+configuration space, and the mapping between Socket ID and Node ID from
+GIDNIDMAP(0xD4). The Socket ID can be calculated accordingly.
+
+The local Node ID is only available at bit 2:0, but current code doesn't
+mask it. If a BIOS doesn't clear the rest of the bits, an incorrect Node ID
+will be fetched.
+
+Filter the Node ID by adding a mask.
+
+Reported-by: Song Liu <songliubraving@fb.com>
+Tested-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: <stable@vger.kernel.org> # v3.7+
+Fixes: 7c94ee2e0917 ("perf/x86: Add Intel Nehalem and Sandy Bridge-EP uncore support")
+Link: https://lkml.kernel.org/r/1548600794-33162-1-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/kernel/cpu/perf_event_intel_uncore_snbep.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore_snbep.c b/arch/x86/kernel/cpu/perf_event_intel_uncore_snbep.c
+index f0f4fcba252e..947579425861 100644
+--- a/arch/x86/kernel/cpu/perf_event_intel_uncore_snbep.c
++++ b/arch/x86/kernel/cpu/perf_event_intel_uncore_snbep.c
+@@ -1081,6 +1081,8 @@ static struct pci_driver snbep_uncore_pci_driver = {
+ .id_table = snbep_uncore_pci_ids,
+ };
+
++#define NODE_ID_MASK 0x7
++
+ /*
+ * build pci bus to socket mapping
+ */
+@@ -1102,7 +1104,7 @@ static int snbep_pci2phy_map_init(int devid)
+ err = pci_read_config_dword(ubox_dev, 0x40, &config);
+ if (err)
+ break;
+- nodeid = config;
++ nodeid = config & NODE_ID_MASK;
+ /* get the Node ID mapping */
+ err = pci_read_config_dword(ubox_dev, 0x54, &config);
+ if (err)
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-094-x86-MCE-Initialize-mce.bank-in-the-case-of-a-.patch b/patches.kernel.org/4.4.175-094-x86-MCE-Initialize-mce.bank-in-the-case-of-a-.patch
new file mode 100644
index 0000000000..2f004a5479
--- /dev/null
+++ b/patches.kernel.org/4.4.175-094-x86-MCE-Initialize-mce.bank-in-the-case-of-a-.patch
@@ -0,0 +1,57 @@
+From: Tony Luck <tony.luck@intel.com>
+Date: Thu, 31 Jan 2019 16:33:41 -0800
+Subject: [PATCH] x86/MCE: Initialize mce.bank in the case of a fatal error in
+ mce_no_way_out()
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: d28af26faa0b1daf3c692603d46bc4687c16f19e
+
+commit d28af26faa0b1daf3c692603d46bc4687c16f19e upstream.
+
+Internal injection testing crashed with a console log that said:
+
+ mce: [Hardware Error]: CPU 7: Machine Check Exception: f Bank 0: bd80000000100134
+
+This caused a lot of head scratching because the MCACOD (bits 15:0) of
+that status is a signature from an L1 data cache error. But Linux says
+that it found it in "Bank 0", which on this model CPU only reports L1
+instruction cache errors.
+
+The answer was that Linux doesn't initialize "m->bank" in the case that
+it finds a fatal error in the mce_no_way_out() pre-scan of banks. If
+this was a local machine check, then this partially initialized struct
+mce is being passed to mce_panic().
+
+Fix is simple: just initialize m->bank in the case of a fatal error.
+
+Fixes: 40c36e2741d7 ("x86/mce: Fix incorrect "Machine check from unknown source" message")
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vishal Verma <vishal.l.verma@intel.com>
+Cc: x86-ml <x86@kernel.org>
+Cc: stable@vger.kernel.org # v4.18 Note pre-v5.0 arch/x86/kernel/cpu/mce/core.c was called arch/x86/kernel/cpu/mcheck/mce.c
+Link: https://lkml.kernel.org/r/20190201003341.10638-1-tony.luck@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/kernel/cpu/mcheck/mce.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
+index 7b8c8c838191..77f7580e22c6 100644
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
++++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -670,6 +670,7 @@ static int mce_no_way_out(struct mce *m, char **msg, unsigned long *validp,
+ }
+
+ if (mce_severity(m, mca_cfg.tolerant, &tmp, true) >= MCE_PANIC_SEVERITY) {
++ m->bank = i;
+ *msg = tmp;
+ ret = 1;
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-095-perf-core-Don-t-WARN-for-impossible-ring-buff.patch b/patches.kernel.org/4.4.175-095-perf-core-Don-t-WARN-for-impossible-ring-buff.patch
new file mode 100644
index 0000000000..d4fa223ae8
--- /dev/null
+++ b/patches.kernel.org/4.4.175-095-perf-core-Don-t-WARN-for-impossible-ring-buff.patch
@@ -0,0 +1,60 @@
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Thu, 10 Jan 2019 14:27:45 +0000
+Subject: [PATCH] perf/core: Don't WARN() for impossible ring-buffer sizes
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 9dff0aa95a324e262ffb03f425d00e4751f3294e
+
+commit 9dff0aa95a324e262ffb03f425d00e4751f3294e upstream.
+
+The perf tool uses /proc/sys/kernel/perf_event_mlock_kb to determine how
+large its ringbuffer mmap should be. This can be configured to arbitrary
+values, which can be larger than the maximum possible allocation from
+kmalloc.
+
+When this is configured to a suitably large value (e.g. thanks to the
+perf fuzzer), attempting to use perf record triggers a WARN_ON_ONCE() in
+__alloc_pages_nodemask():
+
+ WARNING: CPU: 2 PID: 5666 at mm/page_alloc.c:4511 __alloc_pages_nodemask+0x3f8/0xbc8
+
+Let's avoid this by checking that the requested allocation is possible
+before calling kzalloc.
+
+Reported-by: Julien Thierry <julien.thierry@arm.com>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Julien Thierry <julien.thierry@arm.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20190110142745.25495-1-mark.rutland@arm.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/events/ring_buffer.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
+index 58013ef228a1..93bfb61506fa 100644
+--- a/kernel/events/ring_buffer.c
++++ b/kernel/events/ring_buffer.c
+@@ -637,6 +637,9 @@ struct ring_buffer *rb_alloc(int nr_pages, long watermark, int cpu, int flags)
+ size = sizeof(struct ring_buffer);
+ size += nr_pages * sizeof(void *);
+
++ if (order_base_2(size) >= MAX_ORDER)
++ goto fail;
++
+ rb = kzalloc(size, GFP_KERNEL);
+ if (!rb)
+ goto fail;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-096-perf-tests-evsel-tp-sched-Fix-bitwise-operato.patch b/patches.kernel.org/4.4.175-096-perf-tests-evsel-tp-sched-Fix-bitwise-operato.patch
new file mode 100644
index 0000000000..89c43b246c
--- /dev/null
+++ b/patches.kernel.org/4.4.175-096-perf-tests-evsel-tp-sched-Fix-bitwise-operato.patch
@@ -0,0 +1,48 @@
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 22 Jan 2019 17:34:39 -0600
+Subject: [PATCH] perf tests evsel-tp-sched: Fix bitwise operator
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 489338a717a0dfbbd5a3fabccf172b78f0ac9015
+
+commit 489338a717a0dfbbd5a3fabccf172b78f0ac9015 upstream.
+
+Notice that the use of the bitwise OR operator '|' always leads to true
+in this particular case, which seems a bit suspicious due to the context
+in which this expression is being used.
+
+Fix this by using bitwise AND operator '&' instead.
+
+This bug was detected with the help of Coccinelle.
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Fixes: 6a6cd11d4e57 ("perf test: Add test for the sched tracepoint format fields")
+Link: http://lkml.kernel.org/r/20190122233439.GA5868@embeddedor
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/perf/tests/evsel-tp-sched.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/tests/evsel-tp-sched.c b/tools/perf/tests/evsel-tp-sched.c
+index 790e413d9a1f..da474d743b6a 100644
+--- a/tools/perf/tests/evsel-tp-sched.c
++++ b/tools/perf/tests/evsel-tp-sched.c
+@@ -16,7 +16,7 @@ static int perf_evsel__test_field(struct perf_evsel *evsel, const char *name,
+ return -1;
+ }
+
+- is_signed = !!(field->flags | FIELD_IS_SIGNED);
++ is_signed = !!(field->flags & FIELD_IS_SIGNED);
+ if (should_be_signed && !is_signed) {
+ pr_debug("%s: \"%s\" signedness(%d) is wrong, should be %d\n",
+ evsel->name, name, is_signed, should_be_signed);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-097-mtd-rawnand-gpmi-fix-MX28-bus-master-lockup-p.patch b/patches.kernel.org/4.4.175-097-mtd-rawnand-gpmi-fix-MX28-bus-master-lockup-p.patch
new file mode 100644
index 0000000000..a17eba2bba
--- /dev/null
+++ b/patches.kernel.org/4.4.175-097-mtd-rawnand-gpmi-fix-MX28-bus-master-lockup-p.patch
@@ -0,0 +1,91 @@
+From: Martin Kepplinger <martin.kepplinger@ginzinger.com>
+Date: Tue, 5 Feb 2019 16:52:51 +0100
+Subject: [PATCH] mtd: rawnand: gpmi: fix MX28 bus master lockup problem
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: d5d27fd9826b59979b184ec288e4812abac0e988
+
+commit d5d27fd9826b59979b184ec288e4812abac0e988 upstream.
+
+Disable BCH soft reset according to MX23 erratum #2847 ("BCH soft
+reset may cause bus master lock up") for MX28 too. It has the same
+problem.
+
+Observed problem: once per 100,000+ MX28 reboots NAND read failed on
+DMA timeout errors:
+[ 1.770823] UBI: attaching mtd3 to ubi0
+[ 2.768088] gpmi_nand: DMA timeout, last DMA :1
+[ 3.958087] gpmi_nand: BCH timeout, last DMA :1
+[ 4.156033] gpmi_nand: Error in ECC-based read: -110
+[ 4.161136] UBI warning: ubi_io_read: error -110 while reading 64
+bytes from PEB 0:0, read only 0 bytes, retry
+[ 4.171283] step 1 error
+[ 4.173846] gpmi_nand: Chip: 0, Error -1
+
+Without BCH soft reset we successfully executed 1,000,000 MX28 reboots.
+
+I have a quote from NXP regarding this problem, from July 18th 2016:
+
+"As the i.MX23 and i.MX28 are of the same generation, they share many
+characteristics. Unfortunately, also the erratas may be shared.
+In case of the documented erratas and the workarounds, you can also
+apply the workaround solution of one device on the other one. This have
+been reported, but I’m afraid that there are not an estimated date for
+updating the Errata documents.
+Please accept our apologies for any inconveniences this may cause."
+
+Fixes: 6f2a6a52560a ("mtd: nand: gpmi: reset BCH earlier, too, to avoid NAND startup problems")
+Cc: stable@vger.kernel.org
+Signed-off-by: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
+Signed-off-by: Martin Kepplinger <martin.kepplinger@ginzinger.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Acked-by: Han Xu <han.xu@nxp.com>
+Signed-off-by: Boris Brezillon <bbrezillon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/mtd/nand/gpmi-nand/gpmi-lib.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/mtd/nand/gpmi-nand/gpmi-lib.c b/drivers/mtd/nand/gpmi-nand/gpmi-lib.c
+index 43fa16b5f510..672c02e32a39 100644
+--- a/drivers/mtd/nand/gpmi-nand/gpmi-lib.c
++++ b/drivers/mtd/nand/gpmi-nand/gpmi-lib.c
+@@ -168,9 +168,10 @@ int gpmi_init(struct gpmi_nand_data *this)
+
+ /*
+ * Reset BCH here, too. We got failures otherwise :(
+- * See later BCH reset for explanation of MX23 handling
++ * See later BCH reset for explanation of MX23 and MX28 handling
+ */
+- ret = gpmi_reset_block(r->bch_regs, GPMI_IS_MX23(this));
++ ret = gpmi_reset_block(r->bch_regs,
++ GPMI_IS_MX23(this) || GPMI_IS_MX28(this));
+ if (ret)
+ goto err_out;
+
+@@ -274,13 +275,11 @@ int bch_set_geometry(struct gpmi_nand_data *this)
+
+ /*
+ * Due to erratum #2847 of the MX23, the BCH cannot be soft reset on this
+- * chip, otherwise it will lock up. So we skip resetting BCH on the MX23.
+- * On the other hand, the MX28 needs the reset, because one case has been
+- * seen where the BCH produced ECC errors constantly after 10000
+- * consecutive reboots. The latter case has not been seen on the MX23
+- * yet, still we don't know if it could happen there as well.
++ * chip, otherwise it will lock up. So we skip resetting BCH on the MX23
++ * and MX28.
+ */
+- ret = gpmi_reset_block(r->bch_regs, GPMI_IS_MX23(this));
++ ret = gpmi_reset_block(r->bch_regs,
++ GPMI_IS_MX23(this) || GPMI_IS_MX28(this));
+ if (ret)
+ goto err_out;
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-098-signal-Always-notice-exiting-tasks.patch b/patches.kernel.org/4.4.175-098-signal-Always-notice-exiting-tasks.patch
new file mode 100644
index 0000000000..7b8e343f43
--- /dev/null
+++ b/patches.kernel.org/4.4.175-098-signal-Always-notice-exiting-tasks.patch
@@ -0,0 +1,70 @@
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 6 Feb 2019 18:39:40 -0600
+Subject: [PATCH] signal: Always notice exiting tasks
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 35634ffa1751b6efd8cf75010b509dcb0263e29b
+
+commit 35634ffa1751b6efd8cf75010b509dcb0263e29b upstream.
+
+Recently syzkaller was able to create unkillablle processes by
+creating a timer that is delivered as a thread local signal on SIGHUP,
+and receiving SIGHUP SA_NODEFERER. Ultimately causing a loop
+failing to deliver SIGHUP but always trying.
+
+Upon examination it turns out part of the problem is actually most of
+the solution. Since 2.5 signal delivery has found all fatal signals,
+marked the signal group for death, and queued SIGKILL in every threads
+thread queue relying on signal->group_exit_code to preserve the
+information of which was the actual fatal signal.
+
+The conversion of all fatal signals to SIGKILL results in the
+synchronous signal heuristic in next_signal kicking in and preferring
+SIGHUP to SIGKILL. Which is especially problematic as all
+fatal signals have already been transformed into SIGKILL.
+
+Instead of dequeueing signals and depending upon SIGKILL to
+be the first signal dequeued, first test if the signal group
+has already been marked for death. This guarantees that
+nothing in the signal queue can prevent a process that needs
+to exit from exiting.
+
+Cc: stable@vger.kernel.org
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Ref: ebf5ebe31d2c ("[PATCH] signal-fixes-2.5.59-A4")
+History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/signal.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 5b1313309356..f26cabeb705d 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2198,6 +2198,11 @@ int get_signal(struct ksignal *ksig)
+ goto relock;
+ }
+
++ /* Has this task already been marked for death? */
++ ksig->info.si_signo = signr = SIGKILL;
++ if (signal_group_exit(signal))
++ goto fatal;
++
+ for (;;) {
+ struct k_sigaction *ka;
+
+@@ -2293,6 +2298,7 @@ int get_signal(struct ksignal *ksig)
+ continue;
+ }
+
++ fatal:
+ spin_unlock_irq(&sighand->siglock);
+
+ /*
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-099-signal-Better-detection-of-synchronous-signal.patch b/patches.kernel.org/4.4.175-099-signal-Better-detection-of-synchronous-signal.patch
new file mode 100644
index 0000000000..d89f023a8e
--- /dev/null
+++ b/patches.kernel.org/4.4.175-099-signal-Better-detection-of-synchronous-signal.patch
@@ -0,0 +1,121 @@
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 6 Feb 2019 17:51:47 -0600
+Subject: [PATCH] signal: Better detection of synchronous signals
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 7146db3317c67b517258cb5e1b08af387da0618b
+
+commit 7146db3317c67b517258cb5e1b08af387da0618b upstream.
+
+Recently syzkaller was able to create unkillablle processes by
+creating a timer that is delivered as a thread local signal on SIGHUP,
+and receiving SIGHUP SA_NODEFERER. Ultimately causing a loop failing
+to deliver SIGHUP but always trying.
+
+When the stack overflows delivery of SIGHUP fails and force_sigsegv is
+called. Unfortunately because SIGSEGV is numerically higher than
+SIGHUP next_signal tries again to deliver a SIGHUP.
+
+From a quality of implementation standpoint attempting to deliver the
+timer SIGHUP signal is wrong. We should attempt to deliver the
+synchronous SIGSEGV signal we just forced.
+
+We can make that happening in a fairly straight forward manner by
+instead of just looking at the signal number we also look at the
+si_code. In particular for exceptions (aka synchronous signals) the
+si_code is always greater than 0.
+
+That still has the potential to pick up a number of asynchronous
+signals as in a few cases the same si_codes that are used
+for synchronous signals are also used for asynchronous signals,
+and SI_KERNEL is also included in the list of possible si_codes.
+
+Still the heuristic is much better and timer signals are definitely
+excluded. Which is enough to prevent all known ways for someone
+sending a process signals fast enough to cause unexpected and
+arguably incorrect behavior.
+
+Cc: stable@vger.kernel.org
+Fixes: a27341cd5fcb ("Prioritize synchronous signals over 'normal' signals")
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/signal.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 51 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index f26cabeb705d..e464a2ef4ff5 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -696,6 +696,48 @@ static inline bool si_fromuser(const struct siginfo *info)
+ (!is_si_special(info) && SI_FROMUSER(info));
+ }
+
++static int dequeue_synchronous_signal(siginfo_t *info)
++{
++ struct task_struct *tsk = current;
++ struct sigpending *pending = &tsk->pending;
++ struct sigqueue *q, *sync = NULL;
++
++ /*
++ * Might a synchronous signal be in the queue?
++ */
++ if (!((pending->signal.sig[0] & ~tsk->blocked.sig[0]) & SYNCHRONOUS_MASK))
++ return 0;
++
++ /*
++ * Return the first synchronous signal in the queue.
++ */
++ list_for_each_entry(q, &pending->list, list) {
++ /* Synchronous signals have a postive si_code */
++ if ((q->info.si_code > SI_USER) &&
++ (sigmask(q->info.si_signo) & SYNCHRONOUS_MASK)) {
++ sync = q;
++ goto next;
++ }
++ }
++ return 0;
++next:
++ /*
++ * Check if there is another siginfo for the same signal.
++ */
++ list_for_each_entry_continue(q, &pending->list, list) {
++ if (q->info.si_signo == sync->info.si_signo)
++ goto still_pending;
++ }
++
++ sigdelset(&pending->signal, sync->info.si_signo);
++ recalc_sigpending();
++still_pending:
++ list_del_init(&sync->list);
++ copy_siginfo(info, &sync->info);
++ __sigqueue_free(sync);
++ return info->si_signo;
++}
++
+ /*
+ * called with RCU read lock from check_kill_permission()
+ */
+@@ -2216,7 +2258,15 @@ int get_signal(struct ksignal *ksig)
+ goto relock;
+ }
+
+- signr = dequeue_signal(current, &current->blocked, &ksig->info);
++ /*
++ * Signals generated by the execution of an instruction
++ * need to be delivered before any other pending signals
++ * so that the instruction pointer in the signal stack
++ * frame points to the faulting instruction.
++ */
++ signr = dequeue_synchronous_signal(&ksig->info);
++ if (!signr)
++ signr = dequeue_signal(current, &current->blocked, &ksig->info);
+
+ if (!signr)
+ break; /* will return 0 */
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-100-misc-vexpress-Off-by-one-in-vexpress_syscfg_e.patch b/patches.kernel.org/4.4.175-100-misc-vexpress-Off-by-one-in-vexpress_syscfg_e.patch
new file mode 100644
index 0000000000..7f506d1b7d
--- /dev/null
+++ b/patches.kernel.org/4.4.175-100-misc-vexpress-Off-by-one-in-vexpress_syscfg_e.patch
@@ -0,0 +1,40 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 3 Dec 2018 17:52:19 +0300
+Subject: [PATCH] misc: vexpress: Off by one in vexpress_syscfg_exec()
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: f8a70d8b889f180e6860cb1f85fed43d37844c5a
+
+commit f8a70d8b889f180e6860cb1f85fed43d37844c5a upstream.
+
+The > comparison should be >= to prevent reading beyond the end of the
+func->template[] array.
+
+(The func->template array is allocated in vexpress_syscfg_regmap_init()
+and it has func->num_templates elements.)
+
+Fixes: 974cc7b93441 ("mfd: vexpress: Define the device as MFD cells")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/misc/vexpress-syscfg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/misc/vexpress-syscfg.c b/drivers/misc/vexpress-syscfg.c
+index c344483fa7d6..9f257c53e6d4 100644
+--- a/drivers/misc/vexpress-syscfg.c
++++ b/drivers/misc/vexpress-syscfg.c
+@@ -61,7 +61,7 @@ static int vexpress_syscfg_exec(struct vexpress_syscfg_func *func,
+ int tries;
+ long timeout;
+
+- if (WARN_ON(index > func->num_templates))
++ if (WARN_ON(index >= func->num_templates))
+ return -EINVAL;
+
+ command = readl(syscfg->base + SYS_CFGCTRL);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-101-debugfs-fix-debugfs_rename-parameter-checking.patch b/patches.kernel.org/4.4.175-101-debugfs-fix-debugfs_rename-parameter-checking.patch
new file mode 100644
index 0000000000..5d86a142a5
--- /dev/null
+++ b/patches.kernel.org/4.4.175-101-debugfs-fix-debugfs_rename-parameter-checking.patch
@@ -0,0 +1,44 @@
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 23 Jan 2019 11:27:02 +0100
+Subject: [PATCH] debugfs: fix debugfs_rename parameter checking
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: d88c93f090f708c18195553b352b9f205e65418f
+
+commit d88c93f090f708c18195553b352b9f205e65418f upstream.
+
+debugfs_rename() needs to check that the dentries passed into it really
+are valid, as sometimes they are not (i.e. if the return value of
+another debugfs call is passed into this one.) So fix this up by
+properly checking if the two parent directories are errors (they are
+allowed to be NULL), and if the dentry to rename is not NULL or an
+error.
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/debugfs/inode.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
+index e49ba072bd64..22fe11baef2b 100644
+--- a/fs/debugfs/inode.c
++++ b/fs/debugfs/inode.c
+@@ -671,6 +671,13 @@ struct dentry *debugfs_rename(struct dentry *old_dir, struct dentry *old_dentry,
+ struct dentry *dentry = NULL, *trap;
+ struct name_snapshot old_name;
+
++ if (IS_ERR(old_dir))
++ return old_dir;
++ if (IS_ERR(new_dir))
++ return new_dir;
++ if (IS_ERR_OR_NULL(old_dentry))
++ return old_dentry;
++
+ trap = lock_rename(new_dir, old_dir);
+ /* Source or destination directories don't exist? */
+ if (d_really_is_negative(old_dir) || d_really_is_negative(new_dir))
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-102-mips-cm-reprime-error-cause.patch b/patches.kernel.org/4.4.175-102-mips-cm-reprime-error-cause.patch
new file mode 100644
index 0000000000..00950851dc
--- /dev/null
+++ b/patches.kernel.org/4.4.175-102-mips-cm-reprime-error-cause.patch
@@ -0,0 +1,47 @@
+From: Vladimir Kondratiev <vladimir.kondratiev@linux.intel.com>
+Date: Wed, 6 Feb 2019 13:46:17 +0200
+Subject: [PATCH] mips: cm: reprime error cause
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 05dc6001af0630e200ad5ea08707187fe5537e6d
+
+commit 05dc6001af0630e200ad5ea08707187fe5537e6d upstream.
+
+Accordingly to the documentation
+---cut---
+The GCR_ERROR_CAUSE.ERR_TYPE field and the GCR_ERROR_MULT.ERR_TYPE
+fields can be cleared by either a reset or by writing the current
+value of GCR_ERROR_CAUSE.ERR_TYPE to the
+GCR_ERROR_CAUSE.ERR_TYPE register.
+---cut---
+Do exactly this. Original value of cm_error may be safely written back;
+it clears error cause and keeps other bits untouched.
+
+Fixes: 3885c2b463f6 ("MIPS: CM: Add support for reporting CM cache errors")
+Signed-off-by: Vladimir Kondratiev <vladimir.kondratiev@linux.intel.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org # v4.3+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/mips/kernel/mips-cm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/kernel/mips-cm.c b/arch/mips/kernel/mips-cm.c
+index 1448c1f43d4e..76f18c56141c 100644
+--- a/arch/mips/kernel/mips-cm.c
++++ b/arch/mips/kernel/mips-cm.c
+@@ -424,5 +424,5 @@ void mips_cm_error_report(void)
+ }
+
+ /* reprime cause register */
+- write_gcr_error_cause(0);
++ write_gcr_error_cause(cm_error);
+ }
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-103-MIPS-OCTEON-don-t-set-octeon_dma_bar_type-if-.patch b/patches.kernel.org/4.4.175-103-MIPS-OCTEON-don-t-set-octeon_dma_bar_type-if-.patch
new file mode 100644
index 0000000000..8a54bb39b2
--- /dev/null
+++ b/patches.kernel.org/4.4.175-103-MIPS-OCTEON-don-t-set-octeon_dma_bar_type-if-.patch
@@ -0,0 +1,55 @@
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 27 Jan 2019 23:28:33 +0200
+Subject: [PATCH] MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is
+ disabled
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: dcf300a69ac307053dfb35c2e33972e754a98bce
+
+commit dcf300a69ac307053dfb35c2e33972e754a98bce upstream.
+
+Don't set octeon_dma_bar_type if PCI is disabled. This avoids creation
+of the MSI irqchip later on, and saves a bit of memory.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Fixes: a214720cbf50 ("Disable MSI also when pcie-octeon.pcie_disable on")
+Cc: stable@vger.kernel.org # v3.3+
+Cc: linux-mips@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/mips/pci/pci-octeon.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/mips/pci/pci-octeon.c b/arch/mips/pci/pci-octeon.c
+index c258cd406fbb..b36bbda31058 100644
+--- a/arch/mips/pci/pci-octeon.c
++++ b/arch/mips/pci/pci-octeon.c
+@@ -571,6 +571,11 @@ static int __init octeon_pci_setup(void)
+ if (octeon_has_feature(OCTEON_FEATURE_PCIE))
+ return 0;
+
++ if (!octeon_is_pci_host()) {
++ pr_notice("Not in host mode, PCI Controller not initialized\n");
++ return 0;
++ }
++
+ /* Point pcibios_map_irq() to the PCI version of it */
+ octeon_pcibios_map_irq = octeon_pci_pcibios_map_irq;
+
+@@ -582,11 +587,6 @@ static int __init octeon_pci_setup(void)
+ else
+ octeon_dma_bar_type = OCTEON_DMA_BAR_TYPE_BIG;
+
+- if (!octeon_is_pci_host()) {
+- pr_notice("Not in host mode, PCI Controller not initialized\n");
+- return 0;
+- }
+-
+ /* PCI I/O and PCI MEM values */
+ set_io_port_base(OCTEON_PCI_IOSPACE_BASE);
+ ioport_resource.start = 0;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-104-MIPS-VDSO-Include-ccflags-vdso-in-o32-n32-.ld.patch b/patches.kernel.org/4.4.175-104-MIPS-VDSO-Include-ccflags-vdso-in-o32-n32-.ld.patch
new file mode 100644
index 0000000000..7f6d22e949
--- /dev/null
+++ b/patches.kernel.org/4.4.175-104-MIPS-VDSO-Include-ccflags-vdso-in-o32-n32-.ld.patch
@@ -0,0 +1,67 @@
+From: Paul Burton <paul.burton@mips.com>
+Date: Mon, 28 Jan 2019 23:16:22 +0000
+Subject: [PATCH] MIPS: VDSO: Include $(ccflags-vdso) in o32,n32 .lds builds
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 67fc5dc8a541e8f458d7f08bf88ff55933bf9f9d
+
+commit 67fc5dc8a541e8f458d7f08bf88ff55933bf9f9d upstream.
+
+When generating vdso-o32.lds & vdso-n32.lds for use with programs
+running as compat ABIs under 64b kernels, we previously haven't included
+the compiler flags that are supposedly common to all ABIs - ie. those in
+the ccflags-vdso variable.
+
+This is problematic in cases where we need to provide the -m%-float flag
+in order to ensure that we don't attempt to use a floating point ABI
+that's incompatible with the target CPU & ABI. For example a toolchain
+using current gcc trunk configured --with-fp-32=xx fails to build a
+64r6el_defconfig kernel with the following error:
+
+ cc1: error: '-march=mips1' requires '-mfp32'
+ make[2]: *** [arch/mips/vdso/Makefile:135: arch/mips/vdso/vdso-o32.lds] Error 1
+
+Include $(ccflags-vdso) for the compat VDSO .lds builds, just as it is
+included for the native VDSO .lds & when compiling objects for the
+compat VDSOs. This ensures we consistently provide the -msoft-float flag
+amongst others, avoiding the problem by ensuring we're agnostic to the
+toolchain defaults.
+
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO")
+Cc: linux-mips@vger.kernel.org
+Cc: Kevin Hilman <khilman@baylibre.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Cc: Maciej W . Rozycki <macro@linux-mips.org>
+Cc: stable@vger.kernel.org # v4.4+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/mips/vdso/Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/vdso/Makefile b/arch/mips/vdso/Makefile
+index 6c7d78546eee..886005b1e87d 100644
+--- a/arch/mips/vdso/Makefile
++++ b/arch/mips/vdso/Makefile
+@@ -107,7 +107,7 @@ $(obj)/%-o32.o: $(src)/%.c FORCE
+ $(call cmd,force_checksrc)
+ $(call if_changed_rule,cc_o_c)
+
+-$(obj)/vdso-o32.lds: KBUILD_CPPFLAGS := -mabi=32
++$(obj)/vdso-o32.lds: KBUILD_CPPFLAGS := $(ccflags-vdso) -mabi=32
+ $(obj)/vdso-o32.lds: $(src)/vdso.lds.S FORCE
+ $(call if_changed_dep,cpp_lds_S)
+
+@@ -143,7 +143,7 @@ $(obj)/%-n32.o: $(src)/%.c FORCE
+ $(call cmd,force_checksrc)
+ $(call if_changed_rule,cc_o_c)
+
+-$(obj)/vdso-n32.lds: KBUILD_CPPFLAGS := -mabi=n32
++$(obj)/vdso-n32.lds: KBUILD_CPPFLAGS := $(ccflags-vdso) -mabi=n32
+ $(obj)/vdso-n32.lds: $(src)/vdso.lds.S FORCE
+ $(call if_changed_dep,cpp_lds_S)
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-105-ARM-iop32x-n2100-fix-PCI-IRQ-mapping.patch b/patches.kernel.org/4.4.175-105-ARM-iop32x-n2100-fix-PCI-IRQ-mapping.patch
new file mode 100644
index 0000000000..925bd2ffbf
--- /dev/null
+++ b/patches.kernel.org/4.4.175-105-ARM-iop32x-n2100-fix-PCI-IRQ-mapping.patch
@@ -0,0 +1,38 @@
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Fri, 25 Jan 2019 20:10:15 +0000
+Subject: [PATCH] ARM: iop32x/n2100: fix PCI IRQ mapping
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: db4090920ba2d61a5827a23e441447926a02ffee
+
+commit db4090920ba2d61a5827a23e441447926a02ffee upstream.
+
+Booting 4.20 on a TheCUS N2100 results in a kernel oops while probing
+PCI, due to n2100_pci_map_irq() having been discarded during boot.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Cc: stable@vger.kernel.org # 2.6.18+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/mach-iop32x/n2100.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm/mach-iop32x/n2100.c b/arch/arm/mach-iop32x/n2100.c
+index c1cd80ecc219..a904244264ce 100644
+--- a/arch/arm/mach-iop32x/n2100.c
++++ b/arch/arm/mach-iop32x/n2100.c
+@@ -75,8 +75,7 @@ void __init n2100_map_io(void)
+ /*
+ * N2100 PCI.
+ */
+-static int __init
+-n2100_pci_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
++static int n2100_pci_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
+ {
+ int irq;
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-106-mac80211-ensure-that-mgmt-tx-skbs-have-tailro.patch b/patches.kernel.org/4.4.175-106-mac80211-ensure-that-mgmt-tx-skbs-have-tailro.patch
new file mode 100644
index 0000000000..932890c4b0
--- /dev/null
+++ b/patches.kernel.org/4.4.175-106-mac80211-ensure-that-mgmt-tx-skbs-have-tailro.patch
@@ -0,0 +1,63 @@
+From: Felix Fietkau <nbd@nbd.name>
+Date: Tue, 29 Jan 2019 11:10:57 +0100
+Subject: [PATCH] mac80211: ensure that mgmt tx skbs have tailroom for
+ encryption
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 9d0f50b80222dc273e67e4e14410fcfa4130a90c
+
+commit 9d0f50b80222dc273e67e4e14410fcfa4130a90c upstream.
+
+Some drivers use IEEE80211_KEY_FLAG_SW_MGMT_TX to indicate that management
+frames need to be software encrypted. Since normal data packets are still
+encrypted by the hardware, crypto_tx_tailroom_needed_cnt gets decremented
+after key upload to hw. This can lead to passing skbs to ccmp_encrypt_skb,
+which don't have the necessary tailroom for software encryption.
+
+Change the code to add tailroom for encrypted management packets, even if
+crypto_tx_tailroom_needed_cnt is 0.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/mac80211/tx.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index c1c27a516e45..41f3eb565ef3 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1599,9 +1599,16 @@ static int ieee80211_skb_resize(struct ieee80211_sub_if_data *sdata,
+ int head_need, bool may_encrypt)
+ {
+ struct ieee80211_local *local = sdata->local;
++ struct ieee80211_hdr *hdr;
++ bool enc_tailroom;
+ int tail_need = 0;
+
+- if (may_encrypt && sdata->crypto_tx_tailroom_needed_cnt) {
++ hdr = (struct ieee80211_hdr *) skb->data;
++ enc_tailroom = may_encrypt &&
++ (sdata->crypto_tx_tailroom_needed_cnt ||
++ ieee80211_is_mgmt(hdr->frame_control));
++
++ if (enc_tailroom) {
+ tail_need = IEEE80211_ENCRYPT_TAILROOM;
+ tail_need -= skb_tailroom(skb);
+ tail_need = max_t(int, tail_need, 0);
+@@ -1609,8 +1616,7 @@ static int ieee80211_skb_resize(struct ieee80211_sub_if_data *sdata,
+
+ if (skb_cloned(skb) &&
+ (!ieee80211_hw_check(&local->hw, SUPPORTS_CLONED_SKBS) ||
+- !skb_clone_writable(skb, ETH_HLEN) ||
+- (may_encrypt && sdata->crypto_tx_tailroom_needed_cnt)))
++ !skb_clone_writable(skb, ETH_HLEN) || enc_tailroom))
+ I802_DEBUG_INC(local->tx_expand_skb_head_cloned);
+ else if (head_need || tail_need)
+ I802_DEBUG_INC(local->tx_expand_skb_head);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-107-drm-modes-Prevent-division-by-zero-htotal.patch b/patches.kernel.org/4.4.175-107-drm-modes-Prevent-division-by-zero-htotal.patch
new file mode 100644
index 0000000000..972f6709af
--- /dev/null
+++ b/patches.kernel.org/4.4.175-107-drm-modes-Prevent-division-by-zero-htotal.patch
@@ -0,0 +1,107 @@
+From: Tina Zhang <tina.zhang@intel.com>
+Date: Wed, 23 Jan 2019 15:28:59 +0800
+Subject: [PATCH] drm/modes: Prevent division by zero htotal
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: a2fcd5c84f7a7825e028381b10182439067aa90d
+
+commit a2fcd5c84f7a7825e028381b10182439067aa90d upstream.
+
+This patch prevents division by zero htotal.
+
+In a follow-up mail Tina writes:
+
+> > How did you manage to get here with htotal == 0? This needs backtraces (or if
+> > this is just about static checkers, a mention of that).
+> > -Daniel
+>
+> In GVT-g, we are trying to enable a virtual display w/o setting timings for a pipe
+> (a.k.a htotal=0), then we met the following kernel panic:
+>
+> [ 32.832048] divide error: 0000 [#1] SMP PTI
+> [ 32.833614] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.18.0-rc4-sriov+ #33
+> [ 32.834438] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.10.1-0-g8891697-dirty-20180511_165818-tinazhang-linux-1 04/01/2014
+> [ 32.835901] RIP: 0010:drm_mode_hsync+0x1e/0x40
+> [ 32.836004] Code: 31 c0 c3 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 8b 87 d8 00 00 00 85 c0 75 22 8b 4f 68 85 c9 78 1b 69 47 58 e8 03 00 00 99 <f7> f9 b9 d3 4d 62 10 05 f4 01 00 00 f7 e1 89 d0 c1 e8 06 f3 c3 66
+> [ 32.836004] RSP: 0000:ffffc900000ebb90 EFLAGS: 00010206
+> [ 32.836004] RAX: 0000000000000000 RBX: ffff88001c67c8a0 RCX: 0000000000000000
+> [ 32.836004] RDX: 0000000000000000 RSI: ffff88001c67c000 RDI: ffff88001c67c8a0
+> [ 32.836004] RBP: ffff88001c7d03a0 R08: ffff88001c67c8a0 R09: ffff88001c7d0330
+> [ 32.836004] R10: ffffffff822c3a98 R11: 0000000000000001 R12: ffff88001c67c000
+> [ 32.836004] R13: ffff88001c7d0370 R14: ffffffff8207eb78 R15: ffff88001c67c800
+> [ 32.836004] FS: 0000000000000000(0000) GS:ffff88001da00000(0000) knlGS:0000000000000000
+> [ 32.836004] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+> [ 32.836004] CR2: 0000000000000000 CR3: 000000000220a000 CR4: 00000000000006f0
+> [ 32.836004] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+> [ 32.836004] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+> [ 32.836004] Call Trace:
+> [ 32.836004] intel_mode_from_pipe_config+0x72/0x90
+> [ 32.836004] intel_modeset_setup_hw_state+0x569/0xf90
+> [ 32.836004] intel_modeset_init+0x905/0x1db0
+> [ 32.836004] i915_driver_load+0xb8c/0x1120
+> [ 32.836004] i915_pci_probe+0x4d/0xb0
+> [ 32.836004] local_pci_probe+0x44/0xa0
+> [ 32.836004] ? pci_assign_irq+0x27/0x130
+> [ 32.836004] pci_device_probe+0x102/0x1c0
+> [ 32.836004] driver_probe_device+0x2b8/0x480
+> [ 32.836004] __driver_attach+0x109/0x110
+> [ 32.836004] ? driver_probe_device+0x480/0x480
+> [ 32.836004] bus_for_each_dev+0x67/0xc0
+> [ 32.836004] ? klist_add_tail+0x3b/0x70
+> [ 32.836004] bus_add_driver+0x1e8/0x260
+> [ 32.836004] driver_register+0x5b/0xe0
+> [ 32.836004] ? mipi_dsi_bus_init+0x11/0x11
+> [ 32.836004] do_one_initcall+0x4d/0x1eb
+> [ 32.836004] kernel_init_freeable+0x197/0x237
+> [ 32.836004] ? rest_init+0xd0/0xd0
+> [ 32.836004] kernel_init+0xa/0x110
+> [ 32.836004] ret_from_fork+0x35/0x40
+> [ 32.836004] Modules linked in:
+> [ 32.859183] ---[ end trace 525608b0ed0e8665 ]---
+> [ 32.859722] RIP: 0010:drm_mode_hsync+0x1e/0x40
+> [ 32.860287] Code: 31 c0 c3 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 8b 87 d8 00 00 00 85 c0 75 22 8b 4f 68 85 c9 78 1b 69 47 58 e8 03 00 00 99 <f7> f9 b9 d3 4d 62 10 05 f4 01 00 00 f7 e1 89 d0 c1 e8 06 f3 c3 66
+> [ 32.862680] RSP: 0000:ffffc900000ebb90 EFLAGS: 00010206
+> [ 32.863309] RAX: 0000000000000000 RBX: ffff88001c67c8a0 RCX: 0000000000000000
+> [ 32.864182] RDX: 0000000000000000 RSI: ffff88001c67c000 RDI: ffff88001c67c8a0
+> [ 32.865206] RBP: ffff88001c7d03a0 R08: ffff88001c67c8a0 R09: ffff88001c7d0330
+> [ 32.866359] R10: ffffffff822c3a98 R11: 0000000000000001 R12: ffff88001c67c000
+> [ 32.867213] R13: ffff88001c7d0370 R14: ffffffff8207eb78 R15: ffff88001c67c800
+> [ 32.868075] FS: 0000000000000000(0000) GS:ffff88001da00000(0000) knlGS:0000000000000000
+> [ 32.868983] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+> [ 32.869659] CR2: 0000000000000000 CR3: 000000000220a000 CR4: 00000000000006f0
+> [ 32.870599] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+> [ 32.871598] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+> [ 32.872549] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
+>
+> Since drm_mode_hsync() has the logic to check mode->htotal, I just extend it to cover the case htotal==0.
+
+Signed-off-by: Tina Zhang <tina.zhang@intel.com>
+Cc: Adam Jackson <ajax@redhat.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+[danvet: Add additional explanations + cc: stable.]
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/1548228539-3061-1-git-send-email-tina.zhang@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/gpu/drm/drm_modes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
+index 71a10f08522e..a5b052203c2c 100644
+--- a/drivers/gpu/drm/drm_modes.c
++++ b/drivers/gpu/drm/drm_modes.c
+@@ -722,7 +722,7 @@ int drm_mode_hsync(const struct drm_display_mode *mode)
+ if (mode->hsync)
+ return mode->hsync;
+
+- if (mode->htotal < 0)
++ if (mode->htotal <= 0)
+ return 0;
+
+ calc_val = (mode->clock * 1000) / mode->htotal; /* hsync in Hz */
+--
+2.20.1
+
diff --git a/patches.fixes/0001-drm-vmwgfx-Fix-setting-of-dma-masks.patch b/patches.kernel.org/4.4.175-108-drm-vmwgfx-Fix-setting-of-dma-masks.patch
index f096e24b5b..2f6421ebee 100644
--- a/patches.fixes/0001-drm-vmwgfx-Fix-setting-of-dma-masks.patch
+++ b/patches.kernel.org/4.4.175-108-drm-vmwgfx-Fix-setting-of-dma-masks.patch
@@ -1,10 +1,11 @@
-From 4cbfa1e6c09e98450aab3240e5119b0ab2c9795b Mon Sep 17 00:00:00 2001
From: Thomas Hellstrom <thellstrom@vmware.com>
Date: Mon, 28 Jan 2019 10:31:33 +0100
-Subject: drm/vmwgfx: Fix setting of dma masks
+Subject: [PATCH] drm/vmwgfx: Fix setting of dma masks
+Patch-mainline: 4.4.175
+References: bnc#1012382 bsc#1106929
Git-commit: 4cbfa1e6c09e98450aab3240e5119b0ab2c9795b
-Patch-mainline: v5.0-rc6
-References: bsc#1106929
+
+commit 4cbfa1e6c09e98450aab3240e5119b0ab2c9795b upstream.
Previously we set only the dma mask and not the coherent mask. Fix that.
Also, for clarity, make sure both are initially set to 64 bits.
@@ -13,14 +14,17 @@ Cc: <stable@vger.kernel.org>
Fixes: 0d00c488f3de: ("drm/vmwgfx: Fix the driver for large dma addresses")
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Deepak Rawat <drawat@vmware.com>
-Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
- drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 9 ++++++---
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+index be3971b22a02..ed92b9ac01b2 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
-@@ -594,13 +594,16 @@ out_fixup:
+@@ -594,13 +594,16 @@ static int vmw_dma_select_mode(struct vmw_private *dev_priv)
static int vmw_dma_masks(struct vmw_private *dev_priv)
{
struct drm_device *dev = dev_priv->dev;
@@ -40,3 +44,6 @@ Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
}
#else
static int vmw_dma_masks(struct vmw_private *dev_priv)
+--
+2.20.1
+
diff --git a/patches.fixes/0001-drm-vmwgfx-Return-error-code-from-vmw_execbuf_copy_f.patch b/patches.kernel.org/4.4.175-109-drm-vmwgfx-Return-error-code-from-vmw_execbuf.patch
index e7bbade1f0..433e986421 100644
--- a/patches.fixes/0001-drm-vmwgfx-Return-error-code-from-vmw_execbuf_copy_f.patch
+++ b/patches.kernel.org/4.4.175-109-drm-vmwgfx-Return-error-code-from-vmw_execbuf.patch
@@ -1,10 +1,12 @@
-From 728354c005c36eaf44b6e5552372b67e60d17f56 Mon Sep 17 00:00:00 2001
From: Thomas Hellstrom <thellstrom@vmware.com>
Date: Thu, 31 Jan 2019 10:55:37 +0100
-Subject: drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user
+Subject: [PATCH] drm/vmwgfx: Return error code from
+ vmw_execbuf_copy_fence_user
+Patch-mainline: 4.4.175
+References: bnc#1012382 bsc#1106929
Git-commit: 728354c005c36eaf44b6e5552372b67e60d17f56
-Patch-mainline: v5.0-rc6
-References: bsc#1106929
+
+commit 728354c005c36eaf44b6e5552372b67e60d17f56 upstream.
The function was unconditionally returning 0, and a caller would have to
rely on the returned fence pointer being NULL to detect errors. However,
@@ -18,16 +20,17 @@ Cc: <stable@vger.kernel.org>
Fixes: ae2a104058e2: ("vmwgfx: Implement fence objects")
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Deepak Rawat <drawat@vmware.com>
-Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
-index f2d13a72c05d..88b8178d4687 100644
+index fda8e85dd5a2..ad0dd566aded 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
-@@ -3570,7 +3570,7 @@ int vmw_execbuf_fence_commands(struct drm_file *file_priv,
+@@ -3663,7 +3663,7 @@ int vmw_execbuf_fence_commands(struct drm_file *file_priv,
*p_fence = NULL;
}
diff --git a/patches.kernel.org/4.4.175-110-HID-debug-fix-the-ring-buffer-implementation.patch b/patches.kernel.org/4.4.175-110-HID-debug-fix-the-ring-buffer-implementation.patch
new file mode 100644
index 0000000000..36bd8d91aa
--- /dev/null
+++ b/patches.kernel.org/4.4.175-110-HID-debug-fix-the-ring-buffer-implementation.patch
@@ -0,0 +1,281 @@
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Tue, 29 Jan 2019 11:58:35 +0100
+Subject: [PATCH] HID: debug: fix the ring buffer implementation
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035
+
+commit 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035 upstream.
+
+Ring buffer implementation in hid_debug_event() and hid_debug_events_read()
+is strange allowing lost or corrupted data. After commit 717adfdaf147
+("HID: debug: check length before copy_to_user()") it is possible to enter
+an infinite loop in hid_debug_events_read() by providing 0 as count, this
+locks up a system. Fix this by rewriting the ring buffer implementation
+with kfifo and simplify the code.
+
+This fixes CVE-2019-3819.
+
+v2: fix an execution logic and add a comment
+v3: use __set_current_state() instead of set_current_state()
+
+Backport to v4.4: some (tree-wide) patches are missing in v4.4 so
+cherry-pick relevant pieces from:
+ * 6396bb22151 ("treewide: kzalloc() -> kcalloc()")
+ * a9a08845e9ac ("vfs: do bulk POLL* -> EPOLL* replacement")
+ * 92529623d242 ("HID: debug: improve hid_debug_event()")
+ * 174cd4b1e5fb ("sched/headers: Prepare to move signal wakeup & sigpending
+ methods from <linux/sched.h> into <linux/sched/signal.h>")
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1669187
+Cc: stable@vger.kernel.org # v4.18+
+Fixes: cd667ce24796 ("HID: use debugfs for events/reports dumping")
+Fixes: 717adfdaf147 ("HID: debug: check length before copy_to_user()")
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/hid/hid-debug.c | 122 +++++++++++++++-----------------------
+ include/linux/hid-debug.h | 9 ++-
+ 2 files changed, 52 insertions(+), 79 deletions(-)
+
+diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c
+index 6c60f4b63d21..d7179dd3c9ef 100644
+--- a/drivers/hid/hid-debug.c
++++ b/drivers/hid/hid-debug.c
+@@ -30,6 +30,7 @@
+
+ #include <linux/debugfs.h>
+ #include <linux/seq_file.h>
++#include <linux/kfifo.h>
+ #include <linux/sched.h>
+ #include <linux/export.h>
+ #include <linux/slab.h>
+@@ -455,7 +456,7 @@ static char *resolv_usage_page(unsigned page, struct seq_file *f) {
+ char *buf = NULL;
+
+ if (!f) {
+- buf = kzalloc(sizeof(char) * HID_DEBUG_BUFSIZE, GFP_ATOMIC);
++ buf = kzalloc(HID_DEBUG_BUFSIZE, GFP_ATOMIC);
+ if (!buf)
+ return ERR_PTR(-ENOMEM);
+ }
+@@ -659,17 +660,12 @@ EXPORT_SYMBOL_GPL(hid_dump_device);
+ /* enqueue string to 'events' ring buffer */
+ void hid_debug_event(struct hid_device *hdev, char *buf)
+ {
+- int i;
+ struct hid_debug_list *list;
+ unsigned long flags;
+
+ spin_lock_irqsave(&hdev->debug_list_lock, flags);
+- list_for_each_entry(list, &hdev->debug_list, node) {
+- for (i = 0; i < strlen(buf); i++)
+- list->hid_debug_buf[(list->tail + i) % HID_DEBUG_BUFSIZE] =
+- buf[i];
+- list->tail = (list->tail + i) % HID_DEBUG_BUFSIZE;
+- }
++ list_for_each_entry(list, &hdev->debug_list, node)
++ kfifo_in(&list->hid_debug_fifo, buf, strlen(buf));
+ spin_unlock_irqrestore(&hdev->debug_list_lock, flags);
+
+ wake_up_interruptible(&hdev->debug_wait);
+@@ -720,8 +716,7 @@ void hid_dump_input(struct hid_device *hdev, struct hid_usage *usage, __s32 valu
+ hid_debug_event(hdev, buf);
+
+ kfree(buf);
+- wake_up_interruptible(&hdev->debug_wait);
+-
++ wake_up_interruptible(&hdev->debug_wait);
+ }
+ EXPORT_SYMBOL_GPL(hid_dump_input);
+
+@@ -1086,8 +1081,8 @@ static int hid_debug_events_open(struct inode *inode, struct file *file)
+ goto out;
+ }
+
+- if (!(list->hid_debug_buf = kzalloc(sizeof(char) * HID_DEBUG_BUFSIZE, GFP_KERNEL))) {
+- err = -ENOMEM;
++ err = kfifo_alloc(&list->hid_debug_fifo, HID_DEBUG_FIFOSIZE, GFP_KERNEL);
++ if (err) {
+ kfree(list);
+ goto out;
+ }
+@@ -1107,77 +1102,57 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer,
+ size_t count, loff_t *ppos)
+ {
+ struct hid_debug_list *list = file->private_data;
+- int ret = 0, len;
++ int ret = 0, copied;
+ DECLARE_WAITQUEUE(wait, current);
+
+ mutex_lock(&list->read_mutex);
+- while (ret == 0) {
+- if (list->head == list->tail) {
+- add_wait_queue(&list->hdev->debug_wait, &wait);
+- set_current_state(TASK_INTERRUPTIBLE);
+-
+- while (list->head == list->tail) {
+- if (file->f_flags & O_NONBLOCK) {
+- ret = -EAGAIN;
+- break;
+- }
+- if (signal_pending(current)) {
+- ret = -ERESTARTSYS;
+- break;
+- }
++ if (kfifo_is_empty(&list->hid_debug_fifo)) {
++ add_wait_queue(&list->hdev->debug_wait, &wait);
++ set_current_state(TASK_INTERRUPTIBLE);
++
++ while (kfifo_is_empty(&list->hid_debug_fifo)) {
++ if (file->f_flags & O_NONBLOCK) {
++ ret = -EAGAIN;
++ break;
++ }
+
+- if (!list->hdev || !list->hdev->debug) {
+- ret = -EIO;
+- set_current_state(TASK_RUNNING);
+- goto out;
+- }
++ if (signal_pending(current)) {
++ ret = -ERESTARTSYS;
++ break;
++ }
+
+- /* allow O_NONBLOCK from other threads */
+- mutex_unlock(&list->read_mutex);
+- schedule();
+- mutex_lock(&list->read_mutex);
+- set_current_state(TASK_INTERRUPTIBLE);
++ /* if list->hdev is NULL we cannot remove_wait_queue().
++ * if list->hdev->debug is 0 then hid_debug_unregister()
++ * was already called and list->hdev is being destroyed.
++ * if we add remove_wait_queue() here we can hit a race.
++ */
++ if (!list->hdev || !list->hdev->debug) {
++ ret = -EIO;
++ set_current_state(TASK_RUNNING);
++ goto out;
+ }
+
+- set_current_state(TASK_RUNNING);
+- remove_wait_queue(&list->hdev->debug_wait, &wait);
++ /* allow O_NONBLOCK from other threads */
++ mutex_unlock(&list->read_mutex);
++ schedule();
++ mutex_lock(&list->read_mutex);
++ set_current_state(TASK_INTERRUPTIBLE);
+ }
+
+- if (ret)
+- goto out;
++ __set_current_state(TASK_RUNNING);
++ remove_wait_queue(&list->hdev->debug_wait, &wait);
+
+- /* pass the ringbuffer contents to userspace */
+-copy_rest:
+- if (list->tail == list->head)
++ if (ret)
+ goto out;
+- if (list->tail > list->head) {
+- len = list->tail - list->head;
+- if (len > count)
+- len = count;
+-
+- if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) {
+- ret = -EFAULT;
+- goto out;
+- }
+- ret += len;
+- list->head += len;
+- } else {
+- len = HID_DEBUG_BUFSIZE - list->head;
+- if (len > count)
+- len = count;
+-
+- if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) {
+- ret = -EFAULT;
+- goto out;
+- }
+- list->head = 0;
+- ret += len;
+- count -= len;
+- if (count > 0)
+- goto copy_rest;
+- }
+-
+ }
++
++ /* pass the fifo content to userspace, locking is not needed with only
++ * one concurrent reader and one concurrent writer
++ */
++ ret = kfifo_to_user(&list->hid_debug_fifo, buffer, count, &copied);
++ if (ret)
++ goto out;
++ ret = copied;
+ out:
+ mutex_unlock(&list->read_mutex);
+ return ret;
+@@ -1188,7 +1163,7 @@ static unsigned int hid_debug_events_poll(struct file *file, poll_table *wait)
+ struct hid_debug_list *list = file->private_data;
+
+ poll_wait(file, &list->hdev->debug_wait, wait);
+- if (list->head != list->tail)
++ if (!kfifo_is_empty(&list->hid_debug_fifo))
+ return POLLIN | POLLRDNORM;
+ if (!list->hdev->debug)
+ return POLLERR | POLLHUP;
+@@ -1203,7 +1178,7 @@ static int hid_debug_events_release(struct inode *inode, struct file *file)
+ spin_lock_irqsave(&list->hdev->debug_list_lock, flags);
+ list_del(&list->node);
+ spin_unlock_irqrestore(&list->hdev->debug_list_lock, flags);
+- kfree(list->hid_debug_buf);
++ kfifo_free(&list->hid_debug_fifo);
+ kfree(list);
+
+ return 0;
+@@ -1254,4 +1229,3 @@ void hid_debug_exit(void)
+ {
+ debugfs_remove_recursive(hid_debug_root);
+ }
+-
+diff --git a/include/linux/hid-debug.h b/include/linux/hid-debug.h
+index 8663f216c563..2d6100edf204 100644
+--- a/include/linux/hid-debug.h
++++ b/include/linux/hid-debug.h
+@@ -24,7 +24,10 @@
+
+ #ifdef CONFIG_DEBUG_FS
+
++#include <linux/kfifo.h>
++
+ #define HID_DEBUG_BUFSIZE 512
++#define HID_DEBUG_FIFOSIZE 512
+
+ void hid_dump_input(struct hid_device *, struct hid_usage *, __s32);
+ void hid_dump_report(struct hid_device *, int , u8 *, int);
+@@ -37,11 +40,8 @@ void hid_debug_init(void);
+ void hid_debug_exit(void);
+ void hid_debug_event(struct hid_device *, char *);
+
+-
+ struct hid_debug_list {
+- char *hid_debug_buf;
+- int head;
+- int tail;
++ DECLARE_KFIFO_PTR(hid_debug_fifo, char);
+ struct fasync_struct *fasync;
+ struct hid_device *hdev;
+ struct list_head node;
+@@ -64,4 +64,3 @@ struct hid_debug_list {
+ #endif
+
+ #endif
+-
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-111-NFC-nxp-nci-Include-unaligned.h-instead-of-ac.patch b/patches.kernel.org/4.4.175-111-NFC-nxp-nci-Include-unaligned.h-instead-of-ac.patch
new file mode 100644
index 0000000000..3d45c069ef
--- /dev/null
+++ b/patches.kernel.org/4.4.175-111-NFC-nxp-nci-Include-unaligned.h-instead-of-ac.patch
@@ -0,0 +1,68 @@
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sat, 1 Aug 2015 06:59:29 -0700
+Subject: [PATCH] NFC: nxp-nci: Include unaligned.h instead of access_ok.h
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 2eee74b7e2a496dea49847c36fd09320505f45b7
+
+commit 2eee74b7e2a496dea49847c36fd09320505f45b7 upstream.
+
+Directly including access_ok.h can result in the following compile errors
+if an architecture such as ia64 does not support direct unaligned accesses.
+
+include/linux/unaligned/access_ok.h:7:19: error:
+ redefinition of 'get_unaligned_le16'
+include/linux/unaligned/le_struct.h:6:19: note:
+ previous definition of 'get_unaligned_le16' was here
+include/linux/unaligned/access_ok.h:12:19: error:
+ redefinition of 'get_unaligned_le32'
+include/linux/unaligned/le_struct.h:11:19: note:
+ previous definition of 'get_unaligned_le32' was here
+
+Include asm/unaligned.h instead and let the architecture decide which
+access functions to use.
+
+Cc: Clément Perrochaud <clement.perrochaud@effinnov.com>
+Cc: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Cc: Matthias Kaehlcke <mka@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/nfc/nxp-nci/firmware.c | 2 +-
+ drivers/nfc/nxp-nci/i2c.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nfc/nxp-nci/firmware.c b/drivers/nfc/nxp-nci/firmware.c
+index 5291797324ba..553011f58339 100644
+--- a/drivers/nfc/nxp-nci/firmware.c
++++ b/drivers/nfc/nxp-nci/firmware.c
+@@ -24,7 +24,7 @@
+ #include <linux/completion.h>
+ #include <linux/firmware.h>
+ #include <linux/nfc.h>
+-#include <linux/unaligned/access_ok.h>
++#include <asm/unaligned.h>
+
+ #include "nxp-nci.h"
+
+diff --git a/drivers/nfc/nxp-nci/i2c.c b/drivers/nfc/nxp-nci/i2c.c
+index df4333c7ee0f..0b1122cb5d0c 100644
+--- a/drivers/nfc/nxp-nci/i2c.c
++++ b/drivers/nfc/nxp-nci/i2c.c
+@@ -36,7 +36,7 @@
+ #include <linux/of_gpio.h>
+ #include <linux/of_irq.h>
+ #include <linux/platform_data/nxp-nci.h>
+-#include <linux/unaligned/access_ok.h>
++#include <asm/unaligned.h>
+
+ #include <net/nfc/nfc.h>
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-112-Revert-cifs-In-Kconfig-CONFIG_CIFS_POSIX-need.patch b/patches.kernel.org/4.4.175-112-Revert-cifs-In-Kconfig-CONFIG_CIFS_POSIX-need.patch
new file mode 100644
index 0000000000..01a6e0fd75
--- /dev/null
+++ b/patches.kernel.org/4.4.175-112-Revert-cifs-In-Kconfig-CONFIG_CIFS_POSIX-need.patch
@@ -0,0 +1,47 @@
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 13 Feb 2019 16:01:54 +0100
+Subject: [PATCH] Revert "cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on
+ legacy (insecure cifs)"
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 6e785302dad32228819d8066e5376acd15d0e6ba
+
+This reverts commit 60da90b224ba77a934decbb8129dabc861edd526 which is
+commit 6e785302dad32228819d8066e5376acd15d0e6ba upstream.
+
+Yi writes:
+ I notice that 4.4.169 merged 60da90b224ba7 ("cifs: In Kconfig
+ CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs)") add
+ a Kconfig dependency CIFS_ALLOW_INSECURE_LEGACY, which was not
+ defined in 4.4 stable, so after this patch we are not able to
+ enable CIFS_POSIX anymore. Linux 4.4 stable didn't merge the
+ legacy dialects codes, so do we really need this patch for 4.4?
+
+So revert this patch.
+
+Reported-by: "zhangyi (F)" <yi.zhang@huawei.com>
+Cc: Steve French <stfrench@microsoft.com>
+Cc: Pavel Shilovsky <pshilov@microsoft.com>
+Cc: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/cifs/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/Kconfig b/fs/cifs/Kconfig
+index 8bef27b8f85d..e7b478b49985 100644
+--- a/fs/cifs/Kconfig
++++ b/fs/cifs/Kconfig
+@@ -111,7 +111,7 @@ config CIFS_XATTR
+
+ config CIFS_POSIX
+ bool "CIFS POSIX Extensions"
+- depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY && CIFS_XATTR
++ depends on CIFS_XATTR
+ help
+ Enabling this option will cause the cifs client to attempt to
+ negotiate a newer dialect with servers, such as Samba 3.0.5
+--
+2.20.1
+
diff --git a/patches.fixes/libceph-avoid-keepalive_pending-races-in-ceph_con_keepalive.patch b/patches.kernel.org/4.4.175-113-libceph-avoid-KEEPALIVE_PENDING-races-in-ceph.patch
index d0b84ee127..e2b003110d 100644
--- a/patches.fixes/libceph-avoid-keepalive_pending-races-in-ceph_con_keepalive.patch
+++ b/patches.kernel.org/4.4.175-113-libceph-avoid-KEEPALIVE_PENDING-races-in-ceph.patch
@@ -1,9 +1,12 @@
From: Ilya Dryomov <idryomov@gmail.com>
Date: Mon, 14 Jan 2019 21:13:10 +0100
-Subject: libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive()
+Subject: [PATCH] libceph: avoid KEEPALIVE_PENDING races in
+ ceph_con_keepalive()
+Patch-mainline: 4.4.175
+References: bnc#1012382 bsc#1125810
Git-commit: 4aac9228d16458cedcfd90c7fb37211cf3653ac3
-Patch-mainline: v5.0-rc4
-References: bsc#1125810
+
+commit 4aac9228d16458cedcfd90c7fb37211cf3653ac3 upstream.
con_fault() can transition the connection into STANDBY right after
ceph_con_keepalive() clears STANDBY in clear_standby():
@@ -35,14 +38,17 @@ could have been a non-atomic flag.
Reported-by: syzbot+acdeb633f6211ccdf886@syzkaller.appspotmail.com
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Tested-by: Myungho Jung <mhjungk@gmail.com>
-Acked-by: Luis Henriques <lhenriques@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
- net/ceph/messenger.c | 5 +++--
+ net/ceph/messenger.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
+index ad3c9e96a275..3e6897efe1eb 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
-@@ -3208,9 +3208,10 @@ void ceph_con_keepalive(struct ceph_conn
+@@ -3181,9 +3181,10 @@ void ceph_con_keepalive(struct ceph_connection *con)
dout("con_keepalive %p\n", con);
mutex_lock(&con->mutex);
clear_standby(con);
@@ -55,3 +61,6 @@ Acked-by: Luis Henriques <lhenriques@suse.com>
queue_con(con);
}
EXPORT_SYMBOL(ceph_con_keepalive);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-114-xfrm-refine-validation-of-template-and-select.patch b/patches.kernel.org/4.4.175-114-xfrm-refine-validation-of-template-and-select.patch
new file mode 100644
index 0000000000..b883962d21
--- /dev/null
+++ b/patches.kernel.org/4.4.175-114-xfrm-refine-validation-of-template-and-select.patch
@@ -0,0 +1,69 @@
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 9 Jan 2019 14:37:34 +0100
+Subject: [PATCH] xfrm: refine validation of template and selector families
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 35e6103861a3a970de6c84688c6e7a1f65b164ca
+
+commit 35e6103861a3a970de6c84688c6e7a1f65b164ca upstream.
+
+The check assumes that in transport mode, the first templates family
+must match the address family of the policy selector.
+
+Syzkaller managed to build a template using MODE_ROUTEOPTIMIZATION,
+with ipv4-in-ipv6 chain, leading to following splat:
+
+BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1db/0x1854
+Read of size 4 at addr ffff888063e57aa0 by task a.out/2050
+ xfrm_state_find+0x1db/0x1854
+ xfrm_tmpl_resolve+0x100/0x1d0
+ xfrm_resolve_and_create_bundle+0x108/0x1000 [..]
+
+Problem is that addresses point into flowi4 struct, but xfrm_state_find
+treats them as being ipv6 because it uses templ->encap_family is used
+(AF_INET6 in case of reproducer) rather than family (AF_INET).
+
+This patch inverts the logic: Enforce 'template family must match
+selector' EXCEPT for tunnel and BEET mode.
+
+In BEET and Tunnel mode, xfrm_tmpl_resolve_one will have remote/local
+address pointers changed to point at the addresses found in the template,
+rather than the flowi ones, so no oob read will occur.
+
+Reported-by: 3ntr0py1337@gmail.com
+Reported-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/xfrm/xfrm_user.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 476f1fc6d655..177a6c75f136 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1404,10 +1404,15 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
+ if (!ut[i].family)
+ ut[i].family = family;
+
+- if ((ut[i].mode == XFRM_MODE_TRANSPORT) &&
+- (ut[i].family != prev_family))
+- return -EINVAL;
+-
++ switch (ut[i].mode) {
++ case XFRM_MODE_TUNNEL:
++ case XFRM_MODE_BEET:
++ break;
++ default:
++ if (ut[i].family != prev_family)
++ return -EINVAL;
++ break;
++ }
+ if (ut[i].mode >= XFRM_MODE_MAX)
+ return -EINVAL;
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-115-batman-adv-Avoid-WARN-on-net_device-without-p.patch b/patches.kernel.org/4.4.175-115-batman-adv-Avoid-WARN-on-net_device-without-p.patch
new file mode 100644
index 0000000000..26568734ea
--- /dev/null
+++ b/patches.kernel.org/4.4.175-115-batman-adv-Avoid-WARN-on-net_device-without-p.patch
@@ -0,0 +1,57 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 30 Dec 2018 12:46:01 +0100
+Subject: [PATCH] batman-adv: Avoid WARN on net_device without parent in netns
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 955d3411a17f590364238bd0d3329b61f20c1cd2
+
+commit 955d3411a17f590364238bd0d3329b61f20c1cd2 upstream.
+
+It is not allowed to use WARN* helpers on potential incorrect input from
+the user or transient problems because systems configured as panic_on_warn
+will reboot due to such a problem.
+
+A NULL return value of __dev_get_by_index can be caused by various problems
+which can either be related to the system configuration or problems
+(incorrectly returned network namespaces) in other (virtual) net_device
+drivers. batman-adv should not cause a (harmful) WARN in this situation and
+instead only report it via a simple message.
+
+Fixes: b7eddd0b3950 ("batman-adv: prevent using any virtual device created on batman-adv as hard-interface")
+Reported-by: syzbot+c764de0fcfadca9a8595@syzkaller.appspotmail.com
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/batman-adv/hard-interface.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
+index f11345e163d7..3c8d8142e8c6 100644
+--- a/net/batman-adv/hard-interface.c
++++ b/net/batman-adv/hard-interface.c
+@@ -18,7 +18,6 @@
+ #include "hard-interface.h"
+ #include "main.h"
+
+-#include <linux/bug.h>
+ #include <linux/byteorder/generic.h>
+ #include <linux/errno.h>
+ #include <linux/fs.h>
+@@ -104,8 +103,10 @@ static bool batadv_is_on_batman_iface(const struct net_device *net_dev)
+ /* recurse over the parent device */
+ parent_dev = __dev_get_by_index(&init_net, dev_get_iflink(net_dev));
+ /* if we got a NULL parent_dev there is something broken.. */
+- if (WARN(!parent_dev, "Cannot find parent device"))
++ if (!parent_dev) {
++ pr_err("Cannot find parent device\n");
+ return false;
++ }
+
+ ret = batadv_is_on_batman_iface(parent_dev);
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-116-batman-adv-Force-mac-header-to-start-of-data-.patch b/patches.kernel.org/4.4.175-116-batman-adv-Force-mac-header-to-start-of-data-.patch
new file mode 100644
index 0000000000..cf6aeae9c7
--- /dev/null
+++ b/patches.kernel.org/4.4.175-116-batman-adv-Force-mac-header-to-start-of-data-.patch
@@ -0,0 +1,48 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Mon, 31 Dec 2018 22:31:01 +0100
+Subject: [PATCH] batman-adv: Force mac header to start of data on xmit
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 9114daa825fc3f335f9bea3313ce667090187280
+
+commit 9114daa825fc3f335f9bea3313ce667090187280 upstream.
+
+The caller of ndo_start_xmit may not already have called
+skb_reset_mac_header. The returned value of skb_mac_header/eth_hdr
+therefore can be in the wrong position and even outside the current skbuff.
+This for example happens when the user binds to the device using a
+PF_PACKET-SOCK_RAW with enabled qdisc-bypass:
+
+ int opt = 4;
+ setsockopt(sock, SOL_PACKET, PACKET_QDISC_BYPASS, &opt, sizeof(opt));
+
+Since eth_hdr is used all over the codebase, the batadv_interface_tx
+function must always take care of resetting it.
+
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Reported-by: syzbot+9d7405c7faa390e60b4e@syzkaller.appspotmail.com
+Reported-by: syzbot+7d20bc3f1ddddc0f9079@syzkaller.appspotmail.com
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/batman-adv/soft-interface.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
+index 9f1fe6169bef..5aeb585571ed 100644
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -209,6 +209,8 @@ static int batadv_interface_tx(struct sk_buff *skb,
+
+ soft_iface->trans_start = jiffies;
+ vid = batadv_get_vid(skb, 0);
++
++ skb_reset_mac_header(skb);
+ ethhdr = eth_hdr(skb);
+
+ switch (ntohs(ethhdr->h_proto)) {
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-117-Revert-exec-load_script-don-t-blindly-truncat.patch b/patches.kernel.org/4.4.175-117-Revert-exec-load_script-don-t-blindly-truncat.patch
new file mode 100644
index 0000000000..7644151a48
--- /dev/null
+++ b/patches.kernel.org/4.4.175-117-Revert-exec-load_script-don-t-blindly-truncat.patch
@@ -0,0 +1,51 @@
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 14 Feb 2019 15:02:18 -0800
+Subject: [PATCH] Revert "exec: load_script: don't blindly truncate shebang
+ string"
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: cb5b020a8d38f77209d0472a0fea755299a8ec78
+
+commit cb5b020a8d38f77209d0472a0fea755299a8ec78 upstream.
+
+This reverts commit 8099b047ecc431518b9bb6bdbba3549bbecdc343.
+
+It turns out that people do actually depend on the shebang string being
+truncated, and on the fact that an interpreter (like perl) will often
+just re-interpret it entirely to get the full argument list.
+
+Reported-by: Samuel Dionne-Riel <samuel@dionne-riel.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/binfmt_script.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
+index 634bdbb23851..afdf4e3cafc2 100644
+--- a/fs/binfmt_script.c
++++ b/fs/binfmt_script.c
+@@ -43,14 +43,10 @@ static int load_script(struct linux_binprm *bprm)
+ fput(bprm->file);
+ bprm->file = NULL;
+
+- for (cp = bprm->buf+2;; cp++) {
+- if (cp >= bprm->buf + BINPRM_BUF_SIZE)
+- return -ENOEXEC;
+- if (!*cp || (*cp == '\n'))
+- break;
+- }
++ bprm->buf[BINPRM_BUF_SIZE - 1] = '\0';
++ if ((cp = strchr(bprm->buf, '\n')) == NULL)
++ cp = bprm->buf+BINPRM_BUF_SIZE-1;
+ *cp = '\0';
+-
+ while (cp > bprm->buf) {
+ cp--;
+ if ((*cp == ' ') || (*cp == '\t'))
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-118-uapi-if_ether.h-prevent-redefinition-of-struc.patch b/patches.kernel.org/4.4.175-118-uapi-if_ether.h-prevent-redefinition-of-struc.patch
new file mode 100644
index 0000000000..0e50d7a3a5
--- /dev/null
+++ b/patches.kernel.org/4.4.175-118-uapi-if_ether.h-prevent-redefinition-of-struc.patch
@@ -0,0 +1,70 @@
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Thu, 14 Feb 2019 14:18:00 +0100
+Subject: [PATCH] uapi/if_ether.h: prevent redefinition of struct ethhdr
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 6926e041a8920c8ec27e4e155efa760aa01551fd
+
+commit 6926e041a8920c8ec27e4e155efa760aa01551fd upstream.
+
+Musl provides its own ethhdr struct definition. Add a guard to prevent
+its definition of the appropriate musl header has already been included.
+
+glibc does not implement this header, but when glibc will implement this
+they can just define __UAPI_DEF_ETHHDR 0 to make it work with the
+kernel.
+
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/uapi/linux/if_ether.h | 3 +++
+ include/uapi/linux/libc-compat.h | 6 ++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/include/uapi/linux/if_ether.h b/include/uapi/linux/if_ether.h
+index 064d2026ab38..cb490cd9376f 100644
+--- a/include/uapi/linux/if_ether.h
++++ b/include/uapi/linux/if_ether.h
+@@ -22,6 +22,7 @@
+ #define _UAPI_LINUX_IF_ETHER_H
+
+ #include <linux/types.h>
++#include <linux/libc-compat.h>
+
+ /*
+ * IEEE 802.3 Ethernet magic constants. The frame sizes omit the preamble
+@@ -136,11 +137,13 @@
+ * This is an Ethernet frame header.
+ */
+
++#if __UAPI_DEF_ETHHDR
+ struct ethhdr {
+ unsigned char h_dest[ETH_ALEN]; /* destination eth addr */
+ unsigned char h_source[ETH_ALEN]; /* source ether addr */
+ __be16 h_proto; /* packet type ID field */
+ } __attribute__((packed));
++#endif
+
+
+ #endif /* _UAPI_LINUX_IF_ETHER_H */
+diff --git a/include/uapi/linux/libc-compat.h b/include/uapi/linux/libc-compat.h
+index e4f048ee7043..5da44c571cdd 100644
+--- a/include/uapi/linux/libc-compat.h
++++ b/include/uapi/linux/libc-compat.h
+@@ -184,4 +184,10 @@
+
+ #endif /* __GLIBC__ */
+
++/* Definitions for if_ether.h */
++/* allow libcs like musl to deactivate this, glibc does not implement this. */
++#ifndef __UAPI_DEF_ETHHDR
++#define __UAPI_DEF_ETHHDR 1
++#endif
++
+ #endif /* _UAPI_LIBC_COMPAT_H */
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-119-ARM-dts-da850-evm-Correct-the-sound-card-name.patch b/patches.kernel.org/4.4.175-119-ARM-dts-da850-evm-Correct-the-sound-card-name.patch
new file mode 100644
index 0000000000..1dbb329df4
--- /dev/null
+++ b/patches.kernel.org/4.4.175-119-ARM-dts-da850-evm-Correct-the-sound-card-name.patch
@@ -0,0 +1,39 @@
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Wed, 19 Dec 2018 13:47:24 +0200
+Subject: [PATCH] ARM: dts: da850-evm: Correct the sound card name
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 7fca69d4e43fa1ae9cb4f652772c132dc5a659c6
+
+[ Upstream commit 7fca69d4e43fa1ae9cb4f652772c132dc5a659c6 ]
+
+To avoid the following error:
+asoc-simple-card sound: ASoC: Failed to create card debugfs directory
+
+Which is because the card name contains '/' character, which can not be
+used in file or directory names.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/boot/dts/da850-evm.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/da850-evm.dts b/arch/arm/boot/dts/da850-evm.dts
+index 6881757b03e8..67369f284b91 100644
+--- a/arch/arm/boot/dts/da850-evm.dts
++++ b/arch/arm/boot/dts/da850-evm.dts
+@@ -147,7 +147,7 @@
+
+ sound {
+ compatible = "simple-audio-card";
+- simple-audio-card,name = "DA850/OMAP-L138 EVM";
++ simple-audio-card,name = "DA850-OMAPL138 EVM";
+ simple-audio-card,widgets =
+ "Line", "Line In",
+ "Line", "Line Out";
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-120-ARM-dts-kirkwood-Fix-polarity-of-GPIO-fan-lin.patch b/patches.kernel.org/4.4.175-120-ARM-dts-kirkwood-Fix-polarity-of-GPIO-fan-lin.patch
new file mode 100644
index 0000000000..8b7cb14ced
--- /dev/null
+++ b/patches.kernel.org/4.4.175-120-ARM-dts-kirkwood-Fix-polarity-of-GPIO-fan-lin.patch
@@ -0,0 +1,51 @@
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Tue, 8 Jan 2019 00:08:18 +0100
+Subject: [PATCH] ARM: dts: kirkwood: Fix polarity of GPIO fan lines
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: b5f034845e70916fd33e172fad5ad530a29c10ab
+
+[ Upstream commit b5f034845e70916fd33e172fad5ad530a29c10ab ]
+
+These two lines are active high, not active low. The bug was
+found when we changed the kernel to respect the polarity defined
+in the device tree.
+
+Fixes: 1b90e06b1429 ("ARM: kirkwood: Use devicetree to define DNS-32[05] fan")
+Cc: Jamie Lentin <jm@lentin.co.uk>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Andrew Lunn <andrew@lunn.ch>
+Cc: Gregory Clement <gregory.clement@bootlin.com>
+Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+Cc: Julien D'Ascenzio <jdascenzio@posteo.net>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Tested-by: Jamie Lentin <jm@lentin.co.uk>
+Reported-by: Julien D'Ascenzio <jdascenzio@posteo.net>
+Tested-by: Julien D'Ascenzio <jdascenzio@posteo.net>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/boot/dts/kirkwood-dnskw.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/kirkwood-dnskw.dtsi b/arch/arm/boot/dts/kirkwood-dnskw.dtsi
+index 113dcf056dcf..1b2dacfa6132 100644
+--- a/arch/arm/boot/dts/kirkwood-dnskw.dtsi
++++ b/arch/arm/boot/dts/kirkwood-dnskw.dtsi
+@@ -35,8 +35,8 @@
+ compatible = "gpio-fan";
+ pinctrl-0 = <&pmx_fan_high_speed &pmx_fan_low_speed>;
+ pinctrl-names = "default";
+- gpios = <&gpio1 14 GPIO_ACTIVE_LOW
+- &gpio1 13 GPIO_ACTIVE_LOW>;
++ gpios = <&gpio1 14 GPIO_ACTIVE_HIGH
++ &gpio1 13 GPIO_ACTIVE_HIGH>;
+ gpio-fan,speed-map = <0 0
+ 3000 1
+ 6000 2>;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-121-gpio-pl061-handle-failed-allocations.patch b/patches.kernel.org/4.4.175-121-gpio-pl061-handle-failed-allocations.patch
new file mode 100644
index 0000000000..170b60fff5
--- /dev/null
+++ b/patches.kernel.org/4.4.175-121-gpio-pl061-handle-failed-allocations.patch
@@ -0,0 +1,46 @@
+From: Nicholas Mc Guire <hofrat@osadl.org>
+Date: Sat, 1 Dec 2018 12:57:18 +0100
+Subject: [PATCH] gpio: pl061: handle failed allocations
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: df209c43a0e8258e096fb722dfbdae4f0dd13fde
+
+[ Upstream commit df209c43a0e8258e096fb722dfbdae4f0dd13fde ]
+
+devm_kzalloc(), devm_kstrdup() and devm_kasprintf() all can
+fail internal allocation and return NULL. Using any of the assigned
+objects without checking is not safe. As this is early in the boot
+phase and these allocations really should not fail, any failure here
+is probably an indication of a more serious issue so it makes little
+sense to try and rollback the previous allocated resources or try to
+continue; but rather the probe function is simply exited with -ENOMEM.
+
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Fixes: 684284b64aae ("ARM: integrator: add MMCI device to IM-PD1")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/mach-integrator/impd1.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-integrator/impd1.c b/arch/arm/mach-integrator/impd1.c
+index 38b0da300dd5..423a88ff908c 100644
+--- a/arch/arm/mach-integrator/impd1.c
++++ b/arch/arm/mach-integrator/impd1.c
+@@ -394,7 +394,11 @@ static int __init_refok impd1_probe(struct lm_device *dev)
+ sizeof(*lookup) + 3 * sizeof(struct gpiod_lookup),
+ GFP_KERNEL);
+ chipname = devm_kstrdup(&dev->dev, devname, GFP_KERNEL);
+- mmciname = kasprintf(GFP_KERNEL, "lm%x:00700", dev->id);
++ mmciname = devm_kasprintf(&dev->dev, GFP_KERNEL,
++ "lm%x:00700", dev->id);
++ if (!lookup || !chipname || !mmciname)
++ return -ENOMEM;
++
+ lookup->dev_id = mmciname;
+ /*
+ * Offsets on GPIO block 1:
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-122-cifs-Limit-memory-used-by-lock-request-calls-.patch b/patches.kernel.org/4.4.175-122-cifs-Limit-memory-used-by-lock-request-calls-.patch
new file mode 100644
index 0000000000..a795288b8b
--- /dev/null
+++ b/patches.kernel.org/4.4.175-122-cifs-Limit-memory-used-by-lock-request-calls-.patch
@@ -0,0 +1,76 @@
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+Date: Tue, 8 Jan 2019 18:30:56 +0000
+Subject: [PATCH] cifs: Limit memory used by lock request calls to a page
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 92a8109e4d3a34fb6b115c9098b51767dc933444
+
+[ Upstream commit 92a8109e4d3a34fb6b115c9098b51767dc933444 ]
+
+The code tries to allocate a contiguous buffer with a size supplied by
+the server (maxBuf). This could fail if memory is fragmented since it
+results in high order allocations for commonly used server
+implementations. It is also wasteful since there are probably
+few locks in the usual case. Limit the buffer to be no larger than a
+page to avoid memory allocation failures due to fragmentation.
+
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/cifs/file.c | 8 ++++++++
+ fs/cifs/smb2file.c | 4 ++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/fs/cifs/file.c b/fs/cifs/file.c
+index 026b399af215..1062e96ee272 100644
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -1081,6 +1081,10 @@ cifs_push_mandatory_locks(struct cifsFileInfo *cfile)
+ return -EINVAL;
+ }
+
++ BUILD_BUG_ON(sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE) >
++ PAGE_SIZE);
++ max_buf = min_t(unsigned int, max_buf - sizeof(struct smb_hdr),
++ PAGE_SIZE);
+ max_num = (max_buf - sizeof(struct smb_hdr)) /
+ sizeof(LOCKING_ANDX_RANGE);
+ buf = kcalloc(max_num, sizeof(LOCKING_ANDX_RANGE), GFP_KERNEL);
+@@ -1410,6 +1414,10 @@ cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
+ if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE)))
+ return -EINVAL;
+
++ BUILD_BUG_ON(sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE) >
++ PAGE_SIZE);
++ max_buf = min_t(unsigned int, max_buf - sizeof(struct smb_hdr),
++ PAGE_SIZE);
+ max_num = (max_buf - sizeof(struct smb_hdr)) /
+ sizeof(LOCKING_ANDX_RANGE);
+ buf = kcalloc(max_num, sizeof(LOCKING_ANDX_RANGE), GFP_KERNEL);
+diff --git a/fs/cifs/smb2file.c b/fs/cifs/smb2file.c
+index b7885dc0d9bb..dee5250701de 100644
+--- a/fs/cifs/smb2file.c
++++ b/fs/cifs/smb2file.c
+@@ -129,6 +129,8 @@ smb2_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
+ if (max_buf < sizeof(struct smb2_lock_element))
+ return -EINVAL;
+
++ BUILD_BUG_ON(sizeof(struct smb2_lock_element) > PAGE_SIZE);
++ max_buf = min_t(unsigned int, max_buf, PAGE_SIZE);
+ max_num = max_buf / sizeof(struct smb2_lock_element);
+ buf = kcalloc(max_num, sizeof(struct smb2_lock_element), GFP_KERNEL);
+ if (!buf)
+@@ -265,6 +267,8 @@ smb2_push_mandatory_locks(struct cifsFileInfo *cfile)
+ return -EINVAL;
+ }
+
++ BUILD_BUG_ON(sizeof(struct smb2_lock_element) > PAGE_SIZE);
++ max_buf = min_t(unsigned int, max_buf, PAGE_SIZE);
+ max_num = max_buf / sizeof(struct smb2_lock_element);
+ buf = kcalloc(max_num, sizeof(struct smb2_lock_element), GFP_KERNEL);
+ if (!buf) {
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-123-Documentation-network-reword-kernel-version-r.patch b/patches.kernel.org/4.4.175-123-Documentation-network-reword-kernel-version-r.patch
new file mode 100644
index 0000000000..d57e8d6613
--- /dev/null
+++ b/patches.kernel.org/4.4.175-123-Documentation-network-reword-kernel-version-r.patch
@@ -0,0 +1,34 @@
+From: Mark Rustad <mrustad@gmail.com>
+Date: Fri, 15 Feb 2019 08:19:55 -0800
+Subject: [PATCH] Documentation/network: reword kernel version reference
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 29c84aa9f2a2c5215b910685549e798e7514ae6c
+
+It seemed odd to say "since 4.17" in a 4.4 kernel. Consider
+rewording the reference to indicate where in the stable series
+it was introduced as well as where it originated.
+
+Signed-off-by: Mark Rustad <mrustad@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ Documentation/networking/ip-sysctl.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
+index 7c229f59016f..2fb35658d151 100644
+--- a/Documentation/networking/ip-sysctl.txt
++++ b/Documentation/networking/ip-sysctl.txt
+@@ -116,7 +116,7 @@ ipfrag_high_thresh - LONG INTEGER
+ Maximum memory used to reassemble IP fragments.
+
+ ipfrag_low_thresh - LONG INTEGER
+- (Obsolete since linux-4.17)
++ (Obsolete since linux-4.4.174, backported from linux-4.17)
+ Maximum memory used to reassemble IP fragments before the kernel
+ begins to remove incomplete fragment queues to free up resources.
+ The kernel still accepts new fragments for defragmentation.
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-124-Revert-Input-elan_i2c-add-ACPI-ID-for-touchpa.patch b/patches.kernel.org/4.4.175-124-Revert-Input-elan_i2c-add-ACPI-ID-for-touchpa.patch
new file mode 100644
index 0000000000..260c81beeb
--- /dev/null
+++ b/patches.kernel.org/4.4.175-124-Revert-Input-elan_i2c-add-ACPI-ID-for-touchpa.patch
@@ -0,0 +1,40 @@
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 11 Feb 2019 14:32:40 -0800
+Subject: [PATCH] Revert "Input: elan_i2c - add ACPI ID for touchpad in ASUS
+ Aspire F5-573G"
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: f420c54e4b12c1361c6ed313002ee7bd7ac58362
+
+commit f420c54e4b12c1361c6ed313002ee7bd7ac58362 upstream.
+
+This reverts commit 7db54c89f0b30a101584e09d3729144e6170059d as it
+breaks Acer Aspire V-371 and other devices. According to Elan:
+
+"Acer Aspire F5-573G is MS Precision touchpad which should use hid
+ multitouch driver. ELAN0501 should not be added in elan_i2c."
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202503
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/input/mouse/elan_i2c_core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
+index 30adc5745cba..471984ec2db0 100644
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1240,7 +1240,6 @@ MODULE_DEVICE_TABLE(i2c, elan_id);
+ static const struct acpi_device_id elan_acpi_id[] = {
+ { "ELAN0000", 0 },
+ { "ELAN0100", 0 },
+- { "ELAN0501", 0 },
+ { "ELAN0600", 0 },
+ { "ELAN0602", 0 },
+ { "ELAN0605", 0 },
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-125-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-Le.patch b/patches.kernel.org/4.4.175-125-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-Le.patch
new file mode 100644
index 0000000000..a23f75149b
--- /dev/null
+++ b/patches.kernel.org/4.4.175-125-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-Le.patch
@@ -0,0 +1,37 @@
+From: Mauro Ciancio <mauro@acadeu.com>
+Date: Mon, 14 Jan 2019 10:24:53 -0300
+Subject: [PATCH] Input: elan_i2c - add ACPI ID for touchpad in Lenovo
+ V330-15ISK
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 7ad222b3aed350adfc27ee7eec4587ffe55dfdce
+
+commit 7ad222b3aed350adfc27ee7eec4587ffe55dfdce upstream.
+
+This adds ELAN0617 to the ACPI table to support Elan touchpad found in
+Lenovo V330-15ISK.
+
+Signed-off-by: Mauro Ciancio <mauro@acadeu.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/input/mouse/elan_i2c_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
+index 471984ec2db0..25ce9047b682 100644
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1250,6 +1250,7 @@ static const struct acpi_device_id elan_acpi_id[] = {
+ { "ELAN060C", 0 },
+ { "ELAN0611", 0 },
+ { "ELAN0612", 0 },
++ { "ELAN0617", 0 },
+ { "ELAN0618", 0 },
+ { "ELAN061C", 0 },
+ { "ELAN061D", 0 },
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-126-perf-core-Fix-impossible-ring-buffer-sizes-wa.patch b/patches.kernel.org/4.4.175-126-perf-core-Fix-impossible-ring-buffer-sizes-wa.patch
new file mode 100644
index 0000000000..515a50fc08
--- /dev/null
+++ b/patches.kernel.org/4.4.175-126-perf-core-Fix-impossible-ring-buffer-sizes-wa.patch
@@ -0,0 +1,69 @@
+From: Ingo Molnar <mingo@kernel.org>
+Date: Wed, 13 Feb 2019 07:57:02 +0100
+Subject: [PATCH] perf/core: Fix impossible ring-buffer sizes warning
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 528871b456026e6127d95b1b2bd8e3a003dc1614
+
+commit 528871b456026e6127d95b1b2bd8e3a003dc1614 upstream.
+
+The following commit:
+
+ 9dff0aa95a32 ("perf/core: Don't WARN() for impossible ring-buffer sizes")
+
+results in perf recording failures with larger mmap areas:
+
+ root@skl:/tmp# perf record -g -a
+ failed to mmap with 12 (Cannot allocate memory)
+
+The root cause is that the following condition is buggy:
+
+ if (order_base_2(size) >= MAX_ORDER)
+ goto fail;
+
+The problem is that @size is in bytes and MAX_ORDER is in pages,
+so the right test is:
+
+ if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER)
+ goto fail;
+
+Fix it.
+
+Reported-by: "Jin, Yao" <yao.jin@linux.intel.com>
+Bisected-by: Borislav Petkov <bp@alien8.de>
+Analyzed-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Julien Thierry <julien.thierry@arm.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: <stable@vger.kernel.org>
+Fixes: 9dff0aa95a32 ("perf/core: Don't WARN() for impossible ring-buffer sizes")
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/events/ring_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
+index 93bfb61506fa..358bb53c1e74 100644
+--- a/kernel/events/ring_buffer.c
++++ b/kernel/events/ring_buffer.c
+@@ -637,7 +637,7 @@ struct ring_buffer *rb_alloc(int nr_pages, long watermark, int cpu, int flags)
+ size = sizeof(struct ring_buffer);
+ size += nr_pages * sizeof(void *);
+
+- if (order_base_2(size) >= MAX_ORDER)
++ if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER)
+ goto fail;
+
+ rb = kzalloc(size, GFP_KERNEL);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-127-ALSA-hda-Add-quirk-for-HP-EliteBook-840-G5.patch b/patches.kernel.org/4.4.175-127-ALSA-hda-Add-quirk-for-HP-EliteBook-840-G5.patch
new file mode 100644
index 0000000000..7fdf747747
--- /dev/null
+++ b/patches.kernel.org/4.4.175-127-ALSA-hda-Add-quirk-for-HP-EliteBook-840-G5.patch
@@ -0,0 +1,36 @@
+From: Jurica Vukadin <jurica.vukadin@rt-rk.com>
+Date: Thu, 7 Feb 2019 16:29:37 +0100
+Subject: [PATCH] ALSA: hda - Add quirk for HP EliteBook 840 G5
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 4cd3016ce996494f78fdfd87ea35c8ca5d0b413e
+
+commit 4cd3016ce996494f78fdfd87ea35c8ca5d0b413e upstream.
+
+This enables mute LED support and fixes switching jacks when the laptop
+is docked.
+
+Signed-off-by: Jurica Vukadin <jurica.vukadin@rt-rk.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index 536184ac315d..40dd46556452 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -854,6 +854,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
+ SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
++ SND_PCI_QUIRK(0x103c, 0x83b2, "HP EliteBook 840 G5", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-128-ALSA-usb-audio-Fix-implicit-fb-endpoint-setup.patch b/patches.kernel.org/4.4.175-128-ALSA-usb-audio-Fix-implicit-fb-endpoint-setup.patch
new file mode 100644
index 0000000000..e5a0c2f28c
--- /dev/null
+++ b/patches.kernel.org/4.4.175-128-ALSA-usb-audio-Fix-implicit-fb-endpoint-setup.patch
@@ -0,0 +1,63 @@
+From: Manuel Reinhardt <manuel.rhdt@gmail.com>
+Date: Thu, 31 Jan 2019 15:32:35 +0100
+Subject: [PATCH] ALSA: usb-audio: Fix implicit fb endpoint setup by quirk
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 2bc16b9f3223d049b57202ee702fcb5b9b507019
+
+commit 2bc16b9f3223d049b57202ee702fcb5b9b507019 upstream.
+
+The commit a60945fd08e4 ("ALSA: usb-audio: move implicit fb quirks to
+separate function") introduced an error in the handling of quirks for
+implicit feedback endpoints. This commit fixes this.
+
+If a quirk successfully sets up an implicit feedback endpoint, usb-audio
+no longer tries to find the implicit fb endpoint itself.
+
+Fixes: a60945fd08e4 ("ALSA: usb-audio: move implicit fb quirks to separate function")
+Signed-off-by: Manuel Reinhardt <manuel.rhdt@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/usb/pcm.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
+index a9079654107c..1ea1384bc236 100644
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -313,6 +313,9 @@ static int search_roland_implicit_fb(struct usb_device *dev, int ifnum,
+ return 0;
+ }
+
++/* Setup an implicit feedback endpoint from a quirk. Returns 0 if no quirk
++ * applies. Returns 1 if a quirk was found.
++ */
+ static int set_sync_ep_implicit_fb_quirk(struct snd_usb_substream *subs,
+ struct usb_device *dev,
+ struct usb_interface_descriptor *altsd,
+@@ -381,7 +384,7 @@ static int set_sync_ep_implicit_fb_quirk(struct snd_usb_substream *subs,
+
+ subs->data_endpoint->sync_master = subs->sync_endpoint;
+
+- return 0;
++ return 1;
+ }
+
+ static int set_sync_endpoint(struct snd_usb_substream *subs,
+@@ -420,6 +423,10 @@ static int set_sync_endpoint(struct snd_usb_substream *subs,
+ if (err < 0)
+ return err;
+
++ /* endpoint set by quirk */
++ if (err > 0)
++ return 0;
++
+ if (altsd->bNumEndpoints < 2)
+ return 0;
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-129-Input-bma150-register-input-device-after-sett.patch b/patches.kernel.org/4.4.175-129-Input-bma150-register-input-device-after-sett.patch
new file mode 100644
index 0000000000..da973200c4
--- /dev/null
+++ b/patches.kernel.org/4.4.175-129-Input-bma150-register-input-device-after-sett.patch
@@ -0,0 +1,112 @@
+From: Jonathan Bakker <xc-racer2@live.ca>
+Date: Wed, 6 Feb 2019 10:45:37 -0800
+Subject: [PATCH] Input: bma150 - register input device after setting private
+ data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 90cc55f067f6ca0e64e5e52883ece47d8af7b67b
+
+commit 90cc55f067f6ca0e64e5e52883ece47d8af7b67b upstream.
+
+Otherwise we introduce a race condition where userspace can request input
+before we're ready leading to null pointer dereference such as
+
+input: bma150 as /devices/platform/i2c-gpio-2/i2c-5/5-0038/input/input3
+Unable to handle kernel NULL pointer dereference at virtual address 00000018
+pgd = (ptrval)
+[00000018] *pgd=55dac831, *pte=00000000, *ppte=00000000
+Internal error: Oops: 17 [#1] PREEMPT ARM
+Modules linked in: bma150 input_polldev [last unloaded: bma150]
+CPU: 0 PID: 2870 Comm: accelerometer Not tainted 5.0.0-rc3-dirty #46
+Hardware name: Samsung S5PC110/S5PV210-based board
+PC is at input_event+0x8/0x60
+LR is at bma150_report_xyz+0x9c/0xe0 [bma150]
+pc : [<80450f70>] lr : [<7f0a614c>] psr: 800d0013
+sp : a4c1fd78 ip : 00000081 fp : 00020000
+r10: 00000000 r9 : a5e2944c r8 : a7455000
+r7 : 00000016 r6 : 00000101 r5 : a7617940 r4 : 80909048
+r3 : fffffff2 r2 : 00000000 r1 : 00000003 r0 : 00000000
+Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+Control: 10c5387d Table: 54e34019 DAC: 00000051
+Process accelerometer (pid: 2870, stack limit = 0x(ptrval))
+Stackck: (0xa4c1fd78 to 0xa4c20000)
+fd60: fffffff3 fc813f6c
+fd80: 40410581 d7530ce3 a5e2817c a7617f00 a5e29404 a5e2817c 00000000 7f008324
+fda0: a5e28000 8044f59c a5fdd9d0 a5e2945c a46a4a00 a5e29668 a7455000 80454f10
+fdc0: 80909048 a5e29668 a5fdd9d0 a46a4a00 806316d0 00000000 a46a4a00 801df5f0
+fde0: 00000000 d7530ce3 a4c1fec0 a46a4a00 00000000 a5fdd9d0 a46a4a08 801df53c
+fe00: 00000000 801d74bc a4c1fec0 00000000 a4c1ff70 00000000 a7038da8 00000000
+fe20: a46a4a00 801e91fc a411bbe0 801f2e88 00000004 00000000 80909048 00000041
+fe40: 00000000 00020000 00000000 dead4ead a6a88da0 00000000 ffffe000 806fcae8
+fe60: a4c1fec8 00000000 80909048 00000002 a5fdd9d0 a7660110 a411bab0 00000001
+fe80: dead4ead ffffffff ffffffff a4c1fe8c a4c1fe8c d7530ce3 20000013 80909048
+fea0: 80909048 a4c1ff70 00000001 fffff000 a4c1e000 00000005 00026038 801eabd8
+fec0: a7660110 a411bab0 b9394901 00000006 a696201b 76fb3000 00000000 a7039720
+fee0: a5fdd9d0 00000101 00000002 00000096 00000000 00000000 00000000 a4c1ff00
+ff00: a6b310f4 805cb174 a6b310f4 00000010 00000fe0 00000010 a4c1e000 d7530ce3
+ff20: 00000003 a5f41400 a5f41424 00000000 a6962000 00000000 00000003 00000002
+ff40: ffffff9c 000a0000 80909048 d7530ce3 a6962000 00000003 80909048 ffffff9c
+ff60: a6962000 801d890c 00000000 00000000 00020000 a7590000 00000004 00000100
+ff80: 00000001 d7530ce3 000288b8 00026320 000288b8 00000005 80101204 a4c1e000
+ffa0: 00000005 80101000 000288b8 00026320 000288b8 000a0000 00000000 00000000
+ffc0: 000288b8 00026320 000288b8 00000005 7eef3bac 000264e8 00028ad8 00026038
+ffe0: 00000005 7eef3300 76f76e91 76f78546 800d0030 000288b8 00000000 00000000
+[<80450f70>] (input_event) from [<a5e2817c>] (0xa5e2817c)
+Code: e1a08148 eaffffa8 e351001f 812fff1e (e590c018)
+---[ end trace 1c691ee85f2ff243 ]---
+
+Signed-off-by: Jonathan Bakker <xc-racer2@live.ca>
+Signed-off-by: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/input/misc/bma150.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/input/misc/bma150.c b/drivers/input/misc/bma150.c
+index 1d0e61d7c131..b6c1d1d482c1 100644
+--- a/drivers/input/misc/bma150.c
++++ b/drivers/input/misc/bma150.c
+@@ -482,13 +482,14 @@ static int bma150_register_input_device(struct bma150_data *bma150)
+ idev->close = bma150_irq_close;
+ input_set_drvdata(idev, bma150);
+
++ bma150->input = idev;
++
+ error = input_register_device(idev);
+ if (error) {
+ input_free_device(idev);
+ return error;
+ }
+
+- bma150->input = idev;
+ return 0;
+ }
+
+@@ -511,15 +512,15 @@ static int bma150_register_polled_device(struct bma150_data *bma150)
+
+ bma150_init_input_device(bma150, ipoll_dev->input);
+
++ bma150->input_polled = ipoll_dev;
++ bma150->input = ipoll_dev->input;
++
+ error = input_register_polled_device(ipoll_dev);
+ if (error) {
+ input_free_polled_device(ipoll_dev);
+ return error;
+ }
+
+- bma150->input_polled = ipoll_dev;
+- bma150->input = ipoll_dev->input;
+-
+ return 0;
+ }
+
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-130-Input-elantech-enable-3rd-button-support-on-F.patch b/patches.kernel.org/4.4.175-130-Input-elantech-enable-3rd-button-support-on-F.patch
new file mode 100644
index 0000000000..c4a4c04cbf
--- /dev/null
+++ b/patches.kernel.org/4.4.175-130-Input-elantech-enable-3rd-button-support-on-F.patch
@@ -0,0 +1,58 @@
+From: Matti Kurkela <Matti.Kurkela@iki.fi>
+Date: Thu, 7 Feb 2019 23:49:23 -0800
+Subject: [PATCH] Input: elantech - enable 3rd button support on Fujitsu
+ CELSIUS H780
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: e8b22d0a329f0fb5c7ef95406872d268f01ee3b1
+
+commit e8b22d0a329f0fb5c7ef95406872d268f01ee3b1 upstream.
+
+Like Fujitsu CELSIUS H760, the H780 also has a three-button Elantech
+touchpad, but the driver needs to be told so to enable the middle touchpad
+button.
+
+The elantech_dmi_force_crc_enabled quirk was not necessary with the H780.
+
+Also document the fw_version and caps values detected for both H760 and
+H780 models.
+
+Signed-off-by: Matti Kurkela <Matti.Kurkela@iki.fi>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/input/mouse/elantech.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
+index 84aead19622c..4c1e527f14a5 100644
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -1121,6 +1121,8 @@ static int elantech_get_resolution_v4(struct psmouse *psmouse,
+ * Asus UX31 0x361f00 20, 15, 0e clickpad
+ * Asus UX32VD 0x361f02 00, 15, 0e clickpad
+ * Avatar AVIU-145A2 0x361f00 ? clickpad
++ * Fujitsu CELSIUS H760 0x570f02 40, 14, 0c 3 hw buttons (**)
++ * Fujitsu CELSIUS H780 0x5d0f02 41, 16, 0d 3 hw buttons (**)
+ * Fujitsu LIFEBOOK E544 0x470f00 d0, 12, 09 2 hw buttons
+ * Fujitsu LIFEBOOK E546 0x470f00 50, 12, 09 2 hw buttons
+ * Fujitsu LIFEBOOK E547 0x470f00 50, 12, 09 2 hw buttons
+@@ -1173,6 +1175,13 @@ static const struct dmi_system_id elantech_dmi_has_middle_button[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H760"),
+ },
+ },
++ {
++ /* Fujitsu H780 also has a middle button */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H780"),
++ },
++ },
+ #endif
+ { }
+ };
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-131-alpha-fix-page-fault-handling-for-r16-r18-tar.patch b/patches.kernel.org/4.4.175-131-alpha-fix-page-fault-handling-for-r16-r18-tar.patch
new file mode 100644
index 0000000000..e3aa5a176b
--- /dev/null
+++ b/patches.kernel.org/4.4.175-131-alpha-fix-page-fault-handling-for-r16-r18-tar.patch
@@ -0,0 +1,123 @@
+From: Sergei Trofimovich <slyfox@gentoo.org>
+Date: Mon, 31 Dec 2018 11:53:55 +0000
+Subject: [PATCH] alpha: fix page fault handling for r16-r18 targets
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 491af60ffb848b59e82f7c9145833222e0bf27a5
+
+commit 491af60ffb848b59e82f7c9145833222e0bf27a5 upstream.
+
+Fix page fault handling code to fixup r16-r18 registers.
+Before the patch code had off-by-two registers bug.
+This bug caused overwriting of ps,pc,gp registers instead
+of fixing intended r16,r17,r18 (see `struct pt_regs`).
+
+More details:
+
+Initially Dmitry noticed a kernel bug as a failure
+on strace test suite. Test passes unmapped userspace
+pointer to io_submit:
+
+```c
+ #include <err.h>
+ #include <unistd.h>
+ #include <sys/mman.h>
+ #include <asm/unistd.h>
+ int main(void)
+ {
+ unsigned long ctx = 0;
+ if (syscall(__NR_io_setup, 1, &ctx))
+ err(1, "io_setup");
+ const size_t page_size = sysconf(_SC_PAGESIZE);
+ const size_t size = page_size * 2;
+ void *ptr = mmap(NULL, size, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+ if (MAP_FAILED == ptr)
+ err(1, "mmap(%zu)", size);
+ if (munmap(ptr, size))
+ err(1, "munmap");
+ syscall(__NR_io_submit, ctx, 1, ptr + page_size);
+ syscall(__NR_io_destroy, ctx);
+ return 0;
+ }
+```
+
+Running this test causes kernel to crash when handling page fault:
+
+```
+ Unable to handle kernel paging request at virtual address ffffffffffff9468
+ CPU 3
+ aio(26027): Oops 0
+ pc = [<fffffc00004eddf8>] ra = [<fffffc00004edd5c>] ps = 0000 Not tainted
+ pc is at sys_io_submit+0x108/0x200
+ ra is at sys_io_submit+0x6c/0x200
+ v0 = fffffc00c58e6300 t0 = fffffffffffffff2 t1 = 000002000025e000
+ t2 = fffffc01f159fef8 t3 = fffffc0001009640 t4 = fffffc0000e0f6e0
+ t5 = 0000020001002e9e t6 = 4c41564e49452031 t7 = fffffc01f159c000
+ s0 = 0000000000000002 s1 = 000002000025e000 s2 = 0000000000000000
+ s3 = 0000000000000000 s4 = 0000000000000000 s5 = fffffffffffffff2
+ s6 = fffffc00c58e6300
+ a0 = fffffc00c58e6300 a1 = 0000000000000000 a2 = 000002000025e000
+ a3 = 00000200001ac260 a4 = 00000200001ac1e8 a5 = 0000000000000001
+ t8 = 0000000000000008 t9 = 000000011f8bce30 t10= 00000200001ac440
+ t11= 0000000000000000 pv = fffffc00006fd320 at = 0000000000000000
+ gp = 0000000000000000 sp = 00000000265fd174
+ Disabling lock debugging due to kernel taint
+ Trace:
+ [<fffffc0000311404>] entSys+0xa4/0xc0
+```
+
+Here `gp` has invalid value. `gp is s overwritten by a fixup for the
+following page fault handler in `io_submit` syscall handler:
+
+```
+ __se_sys_io_submit
+ ...
+ ldq a1,0(t1)
+ bne t0,4280 <__se_sys_io_submit+0x180>
+```
+
+After a page fault `t0` should contain -EFALUT and `a1` is 0.
+Instead `gp` was overwritten in place of `a1`.
+
+This happens due to a off-by-two bug in `dpf_reg()` for `r16-r18`
+(aka `a0-a2`).
+
+I think the bug went unnoticed for a long time as `gp` is one
+of scratch registers. Any kernel function call would re-calculate `gp`.
+
+Dmitry tracked down the bug origin back to 2.1.32 kernel version
+where trap_a{0,1,2} fields were inserted into struct pt_regs.
+And even before that `dpf_reg()` contained off-by-one error.
+
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Cc: linux-alpha@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Reported-and-reviewed-by: "Dmitry V. Levin" <ldv@altlinux.org>
+Cc: stable@vger.kernel.org # v2.1.32+
+Bug: https://bugs.gentoo.org/672040
+Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
+Signed-off-by: Matt Turner <mattst88@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/alpha/mm/fault.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/alpha/mm/fault.c b/arch/alpha/mm/fault.c
+index 4a905bd667e2..0f68f0de9b5e 100644
+--- a/arch/alpha/mm/fault.c
++++ b/arch/alpha/mm/fault.c
+@@ -77,7 +77,7 @@ __load_new_mm_context(struct mm_struct *next_mm)
+ /* Macro for exception fixup code to access integer registers. */
+ #define dpf_reg(r) \
+ (((unsigned long *)regs)[(r) <= 8 ? (r) : (r) <= 15 ? (r)-16 : \
+- (r) <= 18 ? (r)+8 : (r)-10])
++ (r) <= 18 ? (r)+10 : (r)-10])
+
+ asmlinkage void
+ do_page_fault(unsigned long address, unsigned long mmcsr,
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-132-alpha-Fix-Eiger-NR_IRQS-to-128.patch b/patches.kernel.org/4.4.175-132-alpha-Fix-Eiger-NR_IRQS-to-128.patch
new file mode 100644
index 0000000000..9601c2b1af
--- /dev/null
+++ b/patches.kernel.org/4.4.175-132-alpha-Fix-Eiger-NR_IRQS-to-128.patch
@@ -0,0 +1,56 @@
+From: Meelis Roos <mroos@linux.ee>
+Date: Fri, 12 Oct 2018 12:27:51 +0300
+Subject: [PATCH] alpha: Fix Eiger NR_IRQS to 128
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: bfc913682464f45bc4d6044084e370f9048de9d5
+
+commit bfc913682464f45bc4d6044084e370f9048de9d5 upstream.
+
+Eiger machine vector definition has nr_irqs 128, and working 2.6.26
+boot shows SCSI getting IRQ-s 64 and 65. Current kernel boot fails
+because Symbios SCSI fails to request IRQ-s and does not find the disks.
+It has been broken at least since 3.18 - the earliest I could test with
+my gcc-5.
+
+The headers have moved around and possibly another order of defines has
+worked in the past - but since 128 seems to be correct and used, fix
+arch/alpha/include/asm/irq.h to have NR_IRQS=128 for Eiger.
+
+This fixes 4.19-rc7 boot on my Force Flexor A264 (Eiger subarch).
+
+Cc: stable@vger.kernel.org # v3.18+
+Signed-off-by: Meelis Roos <mroos@linux.ee>
+Signed-off-by: Matt Turner <mattst88@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/alpha/include/asm/irq.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/alpha/include/asm/irq.h b/arch/alpha/include/asm/irq.h
+index 06377400dc09..469642801a68 100644
+--- a/arch/alpha/include/asm/irq.h
++++ b/arch/alpha/include/asm/irq.h
+@@ -55,15 +55,15 @@
+
+ #elif defined(CONFIG_ALPHA_DP264) || \
+ defined(CONFIG_ALPHA_LYNX) || \
+- defined(CONFIG_ALPHA_SHARK) || \
+- defined(CONFIG_ALPHA_EIGER)
++ defined(CONFIG_ALPHA_SHARK)
+ # define NR_IRQS 64
+
+ #elif defined(CONFIG_ALPHA_TITAN)
+ #define NR_IRQS 80
+
+ #elif defined(CONFIG_ALPHA_RAWHIDE) || \
+- defined(CONFIG_ALPHA_TAKARA)
++ defined(CONFIG_ALPHA_TAKARA) || \
++ defined(CONFIG_ALPHA_EIGER)
+ # define NR_IRQS 128
+
+ #elif defined(CONFIG_ALPHA_WILDFIRE)
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-133-tracing-uprobes-Fix-output-for-multiple-strin.patch b/patches.kernel.org/4.4.175-133-tracing-uprobes-Fix-output-for-multiple-strin.patch
new file mode 100644
index 0000000000..08f985862b
--- /dev/null
+++ b/patches.kernel.org/4.4.175-133-tracing-uprobes-Fix-output-for-multiple-strin.patch
@@ -0,0 +1,84 @@
+From: Andreas Ziegler <andreas.ziegler@fau.de>
+Date: Wed, 16 Jan 2019 15:16:29 +0100
+Subject: [PATCH] tracing/uprobes: Fix output for multiple string arguments
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 0722069a5374b904ec1a67f91249f90e1cfae259
+
+commit 0722069a5374b904ec1a67f91249f90e1cfae259 upstream.
+
+When printing multiple uprobe arguments as strings the output for the
+earlier arguments would also include all later string arguments.
+
+This is best explained in an example:
+
+Consider adding a uprobe to a function receiving two strings as
+parameters which is at offset 0xa0 in strlib.so and we want to print
+both parameters when the uprobe is hit (on x86_64):
+
+$ echo 'p:func /lib/strlib.so:0xa0 +0(%di):string +0(%si):string' > \
+ /sys/kernel/debug/tracing/uprobe_events
+
+When the function is called as func("foo", "bar") and we hit the probe,
+the trace file shows a line like the following:
+
+ [...] func: (0x7f7e683706a0) arg1="foobar" arg2="bar"
+
+Note the extra "bar" printed as part of arg1. This behaviour stacks up
+for additional string arguments.
+
+The strings are stored in a dynamically growing part of the uprobe
+buffer by fetch_store_string() after copying them from userspace via
+strncpy_from_user(). The return value of strncpy_from_user() is then
+directly used as the required size for the string. However, this does
+not take the terminating null byte into account as the documentation
+for strncpy_from_user() cleary states that it "[...] returns the
+length of the string (not including the trailing NUL)" even though the
+null byte will be copied to the destination.
+
+Therefore, subsequent calls to fetch_store_string() will overwrite
+the terminating null byte of the most recently fetched string with
+the first character of the current string, leading to the
+"accumulation" of strings in earlier arguments in the output.
+
+Fix this by incrementing the return value of strncpy_from_user() by
+one if we did not hit the maximum buffer size.
+
+Link: http://lkml.kernel.org/r/20190116141629.5752-1-andreas.ziegler@fau.de
+
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes")
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Andreas Ziegler <andreas.ziegler@fau.de>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/trace/trace_uprobe.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
+index 1dc887bab085..518e62a398d2 100644
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -150,7 +150,14 @@ static void FETCH_FUNC_NAME(memory, string)(struct pt_regs *regs,
+
+ ret = strncpy_from_user(dst, src, maxlen);
+ if (ret == maxlen)
+- dst[--ret] = '\0';
++ dst[ret - 1] = '\0';
++ else if (ret >= 0)
++ /*
++ * Include the terminating null byte. In this case it
++ * was copied by strncpy_from_user but not accounted
++ * for in ret.
++ */
++ ret++;
+
+ if (ret < 0) { /* Failed to fetch string */
+ ((u8 *)get_rloc_data(dest))[0] = '\0';
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-134-x86-platform-UV-Use-efi_runtime_lock-to-seria.patch b/patches.kernel.org/4.4.175-134-x86-platform-UV-Use-efi_runtime_lock-to-seria.patch
new file mode 100644
index 0000000000..48f8c836d1
--- /dev/null
+++ b/patches.kernel.org/4.4.175-134-x86-platform-UV-Use-efi_runtime_lock-to-seria.patch
@@ -0,0 +1,135 @@
+From: Hedi Berriche <hedi.berriche@hpe.com>
+Date: Wed, 13 Feb 2019 19:34:13 +0000
+Subject: [PATCH] x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: f331e766c4be33f4338574f3c9f7f77e98ab4571
+
+commit f331e766c4be33f4338574f3c9f7f77e98ab4571 upstream.
+
+Calls into UV firmware must be protected against concurrency, expose the
+efi_runtime_lock to the UV platform, and use it to serialise UV BIOS
+calls.
+
+Signed-off-by: Hedi Berriche <hedi.berriche@hpe.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reviewed-by: Russ Anderson <rja@hpe.com>
+Reviewed-by: Dimitri Sivanich <sivanich@hpe.com>
+Reviewed-by: Mike Travis <mike.travis@hpe.com>
+Cc: Andy Shevchenko <andy@infradead.org>
+Cc: Bhupesh Sharma <bhsharma@redhat.com>
+Cc: Darren Hart <dvhart@infradead.org>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: linux-efi <linux-efi@vger.kernel.org>
+Cc: platform-driver-x86@vger.kernel.org
+Cc: stable@vger.kernel.org # v4.9+
+Cc: Steve Wahl <steve.wahl@hpe.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20190213193413.25560-5-hedi.berriche@hpe.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/include/asm/uv/bios.h | 8 +++++++-
+ arch/x86/platform/uv/bios_uv.c | 23 +++++++++++++++++++++--
+ drivers/firmware/efi/runtime-wrappers.c | 7 +++++++
+ 3 files changed, 35 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/include/asm/uv/bios.h b/arch/x86/include/asm/uv/bios.h
+index 71605c7d5c5c..8b7594f2d48f 100644
+--- a/arch/x86/include/asm/uv/bios.h
++++ b/arch/x86/include/asm/uv/bios.h
+@@ -48,7 +48,8 @@ enum {
+ BIOS_STATUS_SUCCESS = 0,
+ BIOS_STATUS_UNIMPLEMENTED = -ENOSYS,
+ BIOS_STATUS_EINVAL = -EINVAL,
+- BIOS_STATUS_UNAVAIL = -EBUSY
++ BIOS_STATUS_UNAVAIL = -EBUSY,
++ BIOS_STATUS_ABORT = -EINTR,
+ };
+
+ /*
+@@ -111,4 +112,9 @@ extern long system_serial_number;
+
+ extern struct kobject *sgi_uv_kobj; /* /sys/firmware/sgi_uv */
+
++/*
++ * EFI runtime lock; cf. firmware/efi/runtime-wrappers.c for details
++ */
++extern struct semaphore __efi_uv_runtime_lock;
++
+ #endif /* _ASM_X86_UV_BIOS_H */
+diff --git a/arch/x86/platform/uv/bios_uv.c b/arch/x86/platform/uv/bios_uv.c
+index 1584cbed0dce..a45a1c5aabea 100644
+--- a/arch/x86/platform/uv/bios_uv.c
++++ b/arch/x86/platform/uv/bios_uv.c
+@@ -28,7 +28,8 @@
+
+ static struct uv_systab uv_systab;
+
+-s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5)
++static s64 __uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3,
++ u64 a4, u64 a5)
+ {
+ struct uv_systab *tab = &uv_systab;
+ s64 ret;
+@@ -43,6 +44,19 @@ s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5)
+ a1, a2, a3, a4, a5);
+ return ret;
+ }
++
++s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5)
++{
++ s64 ret;
++
++ if (down_interruptible(&__efi_uv_runtime_lock))
++ return BIOS_STATUS_ABORT;
++
++ ret = __uv_bios_call(which, a1, a2, a3, a4, a5);
++ up(&__efi_uv_runtime_lock);
++
++ return ret;
++}
+ EXPORT_SYMBOL_GPL(uv_bios_call);
+
+ s64 uv_bios_call_irqsave(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3,
+@@ -51,10 +65,15 @@ s64 uv_bios_call_irqsave(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3,
+ unsigned long bios_flags;
+ s64 ret;
+
++ if (down_interruptible(&__efi_uv_runtime_lock))
++ return BIOS_STATUS_ABORT;
++
+ local_irq_save(bios_flags);
+- ret = uv_bios_call(which, a1, a2, a3, a4, a5);
++ ret = __uv_bios_call(which, a1, a2, a3, a4, a5);
+ local_irq_restore(bios_flags);
+
++ up(&__efi_uv_runtime_lock);
++
+ return ret;
+ }
+
+diff --git a/drivers/firmware/efi/runtime-wrappers.c b/drivers/firmware/efi/runtime-wrappers.c
+index 228bbf910461..906d0224f50d 100644
+--- a/drivers/firmware/efi/runtime-wrappers.c
++++ b/drivers/firmware/efi/runtime-wrappers.c
+@@ -87,6 +87,13 @@ static DEFINE_SPINLOCK(efi_runtime_lock);
+ * context through efi_pstore_write().
+ */
+
++/*
++ * Expose the EFI runtime lock to the UV platform
++ */
++#ifdef CONFIG_X86_UV
++extern struct semaphore __efi_uv_runtime_lock __alias(efi_runtime_lock);
++#endif
++
+ /*
+ * As per commit ef68c8f87ed1 ("x86: Serialize EFI time accesses on rtc_lock"),
+ * the EFI specification requires that callers of the time related runtime
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-135-signal-Restore-the-stop-PTRACE_EVENT_EXIT.patch b/patches.kernel.org/4.4.175-135-signal-Restore-the-stop-PTRACE_EVENT_EXIT.patch
new file mode 100644
index 0000000000..fe9fbb7806
--- /dev/null
+++ b/patches.kernel.org/4.4.175-135-signal-Restore-the-stop-PTRACE_EVENT_EXIT.patch
@@ -0,0 +1,63 @@
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 11 Feb 2019 23:27:42 -0600
+Subject: [PATCH] signal: Restore the stop PTRACE_EVENT_EXIT
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: cf43a757fd49442bc38f76088b70c2299eed2c2f
+
+commit cf43a757fd49442bc38f76088b70c2299eed2c2f upstream.
+
+In the middle of do_exit() there is there is a call
+"ptrace_event(PTRACE_EVENT_EXIT, code);" That call places the process
+in TACKED_TRACED aka "(TASK_WAKEKILL | __TASK_TRACED)" and waits for
+for the debugger to release the task or SIGKILL to be delivered.
+
+Skipping past dequeue_signal when we know a fatal signal has already
+been delivered resulted in SIGKILL remaining pending and
+TIF_SIGPENDING remaining set. This in turn caused the
+scheduler to not sleep in PTACE_EVENT_EXIT as it figured
+a fatal signal was pending. This also caused ptrace_freeze_traced
+in ptrace_check_attach to fail because it left a per thread
+SIGKILL pending which is what fatal_signal_pending tests for.
+
+This difference in signal state caused strace to report
+strace: Exit of unknown pid NNNNN ignored
+
+Therefore update the signal handling state like dequeue_signal
+would when removing a per thread SIGKILL, by removing SIGKILL
+from the per thread signal mask and clearing TIF_SIGPENDING.
+
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Reported-by: Oleg Nesterov <oleg@redhat.com>
+Reported-by: Ivan Delalande <colona@arista.com>
+Cc: stable@vger.kernel.org
+Fixes: 35634ffa1751 ("signal: Always notice exiting tasks")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/signal.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index e464a2ef4ff5..96e8c3cbfa38 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2241,9 +2241,12 @@ int get_signal(struct ksignal *ksig)
+ }
+
+ /* Has this task already been marked for death? */
+- ksig->info.si_signo = signr = SIGKILL;
+- if (signal_group_exit(signal))
++ if (signal_group_exit(signal)) {
++ ksig->info.si_signo = signr = SIGKILL;
++ sigdelset(&current->pending.signal, SIGKILL);
++ recalc_sigpending();
+ goto fatal;
++ }
+
+ for (;;) {
+ struct k_sigaction *ka;
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-136-x86-a.out-Clear-the-dump-structure-initially.patch b/patches.kernel.org/4.4.175-136-x86-a.out-Clear-the-dump-structure-initially.patch
new file mode 100644
index 0000000000..9611d59a82
--- /dev/null
+++ b/patches.kernel.org/4.4.175-136-x86-a.out-Clear-the-dump-structure-initially.patch
@@ -0,0 +1,64 @@
+From: Borislav Petkov <bp@suse.de>
+Date: Tue, 12 Feb 2019 14:28:03 +0100
+Subject: [PATCH] x86/a.out: Clear the dump structure initially
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 10970e1b4be9c74fce8ab6e3c34a7d718f063f2c
+
+commit 10970e1b4be9c74fce8ab6e3c34a7d718f063f2c upstream.
+
+dump_thread32() in aout_core_dump() does not clear the user32 structure
+allocated on the stack as the first thing on function entry.
+
+As a result, the dump.u_comm, dump.u_ar0 and dump.signal which get
+assigned before the clearing, get overwritten.
+
+Rename that function to fill_dump() to make it clear what it does and
+call it first thing.
+
+This was caught while staring at a patch by Derek Robson
+<robsonde@gmail.com>.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Derek Robson <robsonde@gmail.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michael Matz <matz@suse.de>
+Cc: x86@kernel.org
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20190202005512.3144-1-robsonde@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/ia32/ia32_aout.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c
+index ae6aad1d24f7..b348c4641312 100644
+--- a/arch/x86/ia32/ia32_aout.c
++++ b/arch/x86/ia32/ia32_aout.c
+@@ -50,7 +50,7 @@ static unsigned long get_dr(int n)
+ /*
+ * fill in the user structure for a core dump..
+ */
+-static void dump_thread32(struct pt_regs *regs, struct user32 *dump)
++static void fill_dump(struct pt_regs *regs, struct user32 *dump)
+ {
+ u32 fs, gs;
+ memset(dump, 0, sizeof(*dump));
+@@ -156,10 +156,12 @@ static int aout_core_dump(struct coredump_params *cprm)
+ fs = get_fs();
+ set_fs(KERNEL_DS);
+ has_dumped = 1;
++
++ fill_dump(cprm->regs, &dump);
++
+ strncpy(dump.u_comm, current->comm, sizeof(current->comm));
+ dump.u_ar0 = offsetof(struct user32, regs);
+ dump.signal = cprm->siginfo->si_signo;
+- dump_thread32(cprm->regs, &dump);
+
+ /*
+ * If the size of the dump file exceeds the rlimit, then see
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-137-dm-thin-fix-bug-where-bio-that-overwrites-thi.patch b/patches.kernel.org/4.4.175-137-dm-thin-fix-bug-where-bio-that-overwrites-thi.patch
new file mode 100644
index 0000000000..c8e0d2d0be
--- /dev/null
+++ b/patches.kernel.org/4.4.175-137-dm-thin-fix-bug-where-bio-that-overwrites-thi.patch
@@ -0,0 +1,162 @@
+From: Nikos Tsironis <ntsironis@arrikto.com>
+Date: Thu, 14 Feb 2019 20:38:47 +0200
+Subject: [PATCH] dm thin: fix bug where bio that overwrites thin block ignores
+ FUA
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 4ae280b4ee3463fa57bbe6eede26b97daff8a0f1
+
+commit 4ae280b4ee3463fa57bbe6eede26b97daff8a0f1 upstream.
+
+When provisioning a new data block for a virtual block, either because
+the block was previously unallocated or because we are breaking sharing,
+if the whole block of data is being overwritten the bio that triggered
+the provisioning is issued immediately, skipping copying or zeroing of
+the data block.
+
+When this bio completes the new mapping is inserted in to the pool's
+metadata by process_prepared_mapping(), where the bio completion is
+signaled to the upper layers.
+
+This completion is signaled without first committing the metadata. If
+the bio in question has the REQ_FUA flag set and the system crashes
+right after its completion and before the next metadata commit, then the
+write is lost despite the REQ_FUA flag requiring that I/O completion for
+this request must only be signaled after the data has been committed to
+non-volatile storage.
+
+Fix this by deferring the completion of overwrite bios, with the REQ_FUA
+flag set, until after the metadata has been committed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nikos Tsironis <ntsironis@arrikto.com>
+Acked-by: Joe Thornber <ejt@redhat.com>
+Acked-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/md/dm-thin.c | 55 ++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 50 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c
+index bc4e6825ff62..07eaa9f90712 100644
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -256,6 +256,7 @@ struct pool {
+
+ spinlock_t lock;
+ struct bio_list deferred_flush_bios;
++ struct bio_list deferred_flush_completions;
+ struct list_head prepared_mappings;
+ struct list_head prepared_discards;
+ struct list_head active_thins;
+@@ -920,6 +921,39 @@ static void process_prepared_mapping_fail(struct dm_thin_new_mapping *m)
+ mempool_free(m, m->tc->pool->mapping_pool);
+ }
+
++static void complete_overwrite_bio(struct thin_c *tc, struct bio *bio)
++{
++ struct pool *pool = tc->pool;
++ unsigned long flags;
++
++ /*
++ * If the bio has the REQ_FUA flag set we must commit the metadata
++ * before signaling its completion.
++ */
++ if (!bio_triggers_commit(tc, bio)) {
++ bio_endio(bio);
++ return;
++ }
++
++ /*
++ * Complete bio with an error if earlier I/O caused changes to the
++ * metadata that can't be committed, e.g, due to I/O errors on the
++ * metadata device.
++ */
++ if (dm_thin_aborted_changes(tc->td)) {
++ bio_io_error(bio);
++ return;
++ }
++
++ /*
++ * Batch together any bios that trigger commits and then issue a
++ * single commit for them in process_deferred_bios().
++ */
++ spin_lock_irqsave(&pool->lock, flags);
++ bio_list_add(&pool->deferred_flush_completions, bio);
++ spin_unlock_irqrestore(&pool->lock, flags);
++}
++
+ static void process_prepared_mapping(struct dm_thin_new_mapping *m)
+ {
+ struct thin_c *tc = m->tc;
+@@ -952,7 +986,7 @@ static void process_prepared_mapping(struct dm_thin_new_mapping *m)
+ */
+ if (bio) {
+ inc_remap_and_issue_cell(tc, m->cell, m->data_block);
+- bio_endio(bio);
++ complete_overwrite_bio(tc, bio);
+ } else {
+ inc_all_io_entry(tc->pool, m->cell->holder);
+ remap_and_issue(tc, m->cell->holder, m->data_block);
+@@ -2228,7 +2262,7 @@ static void process_deferred_bios(struct pool *pool)
+ {
+ unsigned long flags;
+ struct bio *bio;
+- struct bio_list bios;
++ struct bio_list bios, bio_completions;
+ struct thin_c *tc;
+
+ tc = get_first_thin(pool);
+@@ -2239,26 +2273,36 @@ static void process_deferred_bios(struct pool *pool)
+ }
+
+ /*
+- * If there are any deferred flush bios, we must commit
+- * the metadata before issuing them.
++ * If there are any deferred flush bios, we must commit the metadata
++ * before issuing them or signaling their completion.
+ */
+ bio_list_init(&bios);
++ bio_list_init(&bio_completions);
++
+ spin_lock_irqsave(&pool->lock, flags);
+ bio_list_merge(&bios, &pool->deferred_flush_bios);
+ bio_list_init(&pool->deferred_flush_bios);
++
++ bio_list_merge(&bio_completions, &pool->deferred_flush_completions);
++ bio_list_init(&pool->deferred_flush_completions);
+ spin_unlock_irqrestore(&pool->lock, flags);
+
+- if (bio_list_empty(&bios) &&
++ if (bio_list_empty(&bios) && bio_list_empty(&bio_completions) &&
+ !(dm_pool_changed_this_transaction(pool->pmd) && need_commit_due_to_time(pool)))
+ return;
+
+ if (commit(pool)) {
++ bio_list_merge(&bios, &bio_completions);
++
+ while ((bio = bio_list_pop(&bios)))
+ bio_io_error(bio);
+ return;
+ }
+ pool->last_commit_jiffies = jiffies;
+
++ while ((bio = bio_list_pop(&bio_completions)))
++ bio_endio(bio);
++
+ while ((bio = bio_list_pop(&bios)))
+ generic_make_request(bio);
+ }
+@@ -2885,6 +2929,7 @@ static struct pool *pool_create(struct mapped_device *pool_md,
+ INIT_DELAYED_WORK(&pool->no_space_timeout, do_no_space_timeout);
+ spin_lock_init(&pool->lock);
+ bio_list_init(&pool->deferred_flush_bios);
++ bio_list_init(&pool->deferred_flush_completions);
+ INIT_LIST_HEAD(&pool->prepared_mappings);
+ INIT_LIST_HEAD(&pool->prepared_discards);
+ INIT_LIST_HEAD(&pool->active_thins);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-138-smsc95xx-Use-skb_cow_head-to-deal-with-cloned.patch b/patches.kernel.org/4.4.175-138-smsc95xx-Use-skb_cow_head-to-deal-with-cloned.patch
new file mode 100644
index 0000000000..16dc7c6194
--- /dev/null
+++ b/patches.kernel.org/4.4.175-138-smsc95xx-Use-skb_cow_head-to-deal-with-cloned.patch
@@ -0,0 +1,52 @@
+From: James Hughes <james.hughes@raspberrypi.org>
+Date: Wed, 19 Apr 2017 11:13:40 +0100
+Subject: [PATCH] smsc95xx: Use skb_cow_head to deal with cloned skbs
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: e9156cd26a495a18706e796f02a81fee41ec14f4
+
+commit e9156cd26a495a18706e796f02a81fee41ec14f4 upstream.
+
+The driver was failing to check that the SKB wasn't cloned
+before adding checksum data.
+Replace existing handling to extend/copy the header buffer
+with skb_cow_head.
+
+Signed-off-by: James Hughes <james.hughes@raspberrypi.org>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Woojung Huh <Woojung.Huh@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/usb/smsc95xx.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index 7cee7777d13f..b6b8aec73b28 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -1838,13 +1838,13 @@ static struct sk_buff *smsc95xx_tx_fixup(struct usbnet *dev,
+ /* We do not advertise SG, so skbs should be already linearized */
+ BUG_ON(skb_shinfo(skb)->nr_frags);
+
+- if (skb_headroom(skb) < overhead) {
+- struct sk_buff *skb2 = skb_copy_expand(skb,
+- overhead, 0, flags);
++ /* Make writable and expand header space by overhead if required */
++ if (skb_cow_head(skb, overhead)) {
++ /* Must deallocate here as returning NULL to indicate error
++ * means the skb won't be deallocated in the caller.
++ */
+ dev_kfree_skb_any(skb);
+- skb = skb2;
+- if (!skb)
+- return NULL;
++ return NULL;
+ }
+
+ if (csum) {
+--
+2.20.1
+
diff --git a/patches.fixes/0001-ch9200-use-skb_cow_head-to-deal-with-cloned-skbs.patch b/patches.kernel.org/4.4.175-139-ch9200-use-skb_cow_head-to-deal-with-cloned-s.patch
index 11ccafd4ae..b2ba19f9f7 100644
--- a/patches.fixes/0001-ch9200-use-skb_cow_head-to-deal-with-cloned-skbs.patch
+++ b/patches.kernel.org/4.4.175-139-ch9200-use-skb_cow_head-to-deal-with-cloned-s.patch
@@ -1,10 +1,11 @@
-From 6bc6895bdd6744e0136eaa4a11fbdb20a7db4e40 Mon Sep 17 00:00:00 2001
From: Eric Dumazet <edumazet@google.com>
Date: Wed, 19 Apr 2017 09:59:25 -0700
Subject: [PATCH] ch9200: use skb_cow_head() to deal with cloned skbs
-References: bsc#1088684
+Patch-mainline: 4.4.175
+References: bnc#1012382 bsc#1088684
Git-commit: 6bc6895bdd6744e0136eaa4a11fbdb20a7db4e40
-Patch-mainline: v4.11
+
+commit 6bc6895bdd6744e0136eaa4a11fbdb20a7db4e40 upstream.
We need to ensure there is enough headroom to push extra header,
but we also need to check if we are allowed to change headers.
@@ -16,16 +17,18 @@ Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: James Hughes <james.hughes@raspberrypi.org>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
drivers/net/usb/ch9200.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/drivers/net/usb/ch9200.c b/drivers/net/usb/ch9200.c
-index 8a40202c0a17..c4f1c363e24b 100644
+index 5e151e6a3e09..3c7715ea40c1 100644
--- a/drivers/net/usb/ch9200.c
+++ b/drivers/net/usb/ch9200.c
-@@ -254,14 +254,9 @@ static struct sk_buff *ch9200_tx_fixup(struct usbnet *dev, struct sk_buff *skb,
+@@ -255,14 +255,9 @@ static struct sk_buff *ch9200_tx_fixup(struct usbnet *dev, struct sk_buff *skb,
tx_overhead = 0x40;
len = skb->len;
@@ -43,5 +46,5 @@ index 8a40202c0a17..c4f1c363e24b 100644
__skb_push(skb, tx_overhead);
--
-2.13.6
+2.20.1
diff --git a/patches.kernel.org/4.4.175-140-kaweth-use-skb_cow_head-to-deal-with-cloned-s.patch b/patches.kernel.org/4.4.175-140-kaweth-use-skb_cow_head-to-deal-with-cloned-s.patch
new file mode 100644
index 0000000000..8094182199
--- /dev/null
+++ b/patches.kernel.org/4.4.175-140-kaweth-use-skb_cow_head-to-deal-with-cloned-s.patch
@@ -0,0 +1,55 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 19 Apr 2017 09:59:26 -0700
+Subject: [PATCH] kaweth: use skb_cow_head() to deal with cloned skbs
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 39fba7835aacda65284a86e611774cbba71dac20
+
+commit 39fba7835aacda65284a86e611774cbba71dac20 upstream.
+
+We can use skb_cow_head() to properly deal with clones,
+especially the ones coming from TCP stack that allow their head being
+modified. This avoids a copy.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Hughes <james.hughes@raspberrypi.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/usb/kaweth.c | 18 ++++++------------
+ 1 file changed, 6 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/usb/kaweth.c b/drivers/net/usb/kaweth.c
+index cd93220c9b45..a628db738b8a 100644
+--- a/drivers/net/usb/kaweth.c
++++ b/drivers/net/usb/kaweth.c
+@@ -812,18 +812,12 @@ static netdev_tx_t kaweth_start_xmit(struct sk_buff *skb,
+ }
+
+ /* We now decide whether we can put our special header into the sk_buff */
+- if (skb_cloned(skb) || skb_headroom(skb) < 2) {
+- /* no such luck - we make our own */
+- struct sk_buff *copied_skb;
+- copied_skb = skb_copy_expand(skb, 2, 0, GFP_ATOMIC);
+- dev_kfree_skb_irq(skb);
+- skb = copied_skb;
+- if (!copied_skb) {
+- kaweth->stats.tx_errors++;
+- netif_start_queue(net);
+- spin_unlock_irq(&kaweth->device_lock);
+- return NETDEV_TX_OK;
+- }
++ if (skb_cow_head(skb, 2)) {
++ kaweth->stats.tx_errors++;
++ netif_start_queue(net);
++ spin_unlock_irq(&kaweth->device_lock);
++ dev_kfree_skb_any(skb);
++ return NETDEV_TX_OK;
+ }
+
+ private_header = (__le16 *)__skb_push(skb, 2);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-141-usb-dwc2-Remove-unnecessary-kfree.patch b/patches.kernel.org/4.4.175-141-usb-dwc2-Remove-unnecessary-kfree.patch
new file mode 100644
index 0000000000..b219700b1b
--- /dev/null
+++ b/patches.kernel.org/4.4.175-141-usb-dwc2-Remove-unnecessary-kfree.patch
@@ -0,0 +1,36 @@
+From: John Youn <johnyoun@synopsys.com>
+Date: Thu, 3 Nov 2016 17:55:45 -0700
+Subject: [PATCH] usb: dwc2: Remove unnecessary kfree
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: cd4b1e34655d46950c065d9284b596cd8d7b28cd
+
+commit cd4b1e34655d46950c065d9284b596cd8d7b28cd upstream.
+
+This shouldn't be freed by the HCD as it is owned by the core and
+allocated with devm_kzalloc.
+
+Signed-off-by: John Youn <johnyoun@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/dwc2/hcd.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
+index 85fb6226770c..98339a850940 100644
+--- a/drivers/usb/dwc2/hcd.c
++++ b/drivers/usb/dwc2/hcd.c
+@@ -3164,7 +3164,6 @@ int dwc2_hcd_init(struct dwc2_hsotg *hsotg, int irq)
+ error2:
+ usb_put_hcd(hcd);
+ error1:
+- kfree(hsotg->core_params);
+
+ #ifdef CONFIG_USB_DWC2_TRACK_MISSED_SOFS
+ kfree(hsotg->last_frame_num_array);
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-142-pinctrl-msm-fix-gpio-hog-related-boot-issues.patch b/patches.kernel.org/4.4.175-142-pinctrl-msm-fix-gpio-hog-related-boot-issues.patch
new file mode 100644
index 0000000000..8e0e84d99d
--- /dev/null
+++ b/patches.kernel.org/4.4.175-142-pinctrl-msm-fix-gpio-hog-related-boot-issues.patch
@@ -0,0 +1,106 @@
+From: Christian Lamparter <chunkeey@gmail.com>
+Date: Mon, 21 May 2018 22:57:37 +0200
+Subject: [PATCH] pinctrl: msm: fix gpio-hog related boot issues
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: a86caa9ba5d70696ceb35d1d39caa20d8b641387
+
+commit a86caa9ba5d70696ceb35d1d39caa20d8b641387 upstream.
+
+Sven Eckelmann reported an issue with the current IPQ4019 pinctrl.
+Setting up any gpio-hog in the device-tree for his device would
+"kill the bootup completely":
+
+| [ 0.477838] msm_serial 78af000.serial: could not find pctldev for node /soc/pinctrl@1000000/serial_pinmux, deferring probe
+| [ 0.499828] spi_qup 78b5000.spi: could not find pctldev for node /soc/pinctrl@1000000/spi_0_pinmux, deferring probe
+| [ 1.298883] requesting hog GPIO enable USB2 power (chip 1000000.pinctrl, offset 58) failed, -517
+| [ 1.299609] gpiochip_add_data: GPIOs 0..99 (1000000.pinctrl) failed to register
+| [ 1.308589] ipq4019-pinctrl 1000000.pinctrl: Failed register gpiochip
+| [ 1.316586] msm_serial 78af000.serial: could not find pctldev for node /soc/pinctrl@1000000/serial_pinmux, deferring probe
+| [ 1.322415] spi_qup 78b5000.spi: could not find pctldev for node /soc/pinctrl@1000000/spi_0_pinmux, deferri
+
+This was also verified on a RT-AC58U (IPQ4018) which would
+no longer boot, if a gpio-hog was specified. (Tried forcing
+the USB LED PIN (GPIO0) to high.).
+
+The problem is that Pinctrl+GPIO registration is currently
+peformed in the following order in pinctrl-msm.c:
+ 1. pinctrl_register()
+ 2. gpiochip_add()
+ 3. gpiochip_add_pin_range()
+
+The actual error code -517 == -EPROBE_DEFER is coming from
+pinctrl_get_device_gpio_range(), which is called through:
+ gpiochip_add
+ of_gpiochip_add
+ of_gpiochip_scan_gpios
+ gpiod_hog
+ gpiochip_request_own_desc
+ __gpiod_request
+ chip->request
+ gpiochip_generic_request
+ pinctrl_gpio_request
+ pinctrl_get_device_gpio_range
+
+pinctrl_get_device_gpio_range() is unable to find any valid
+pin ranges, since nothing has been added to the pinctrldev_list yet.
+so the range can't be found, and the operation fails with -EPROBE_DEFER.
+
+This patch fixes the issue by adding the "gpio-ranges" property to
+the pinctrl device node of all upstream Qcom SoC. The pin ranges are
+then added by the gpio core.
+
+In order to remain compatible with older, existing DTs (and ACPI)
+a check for the "gpio-ranges" property has been added to
+msm_gpio_init(). This prevents the driver of adding the same entry
+to the pinctrldev_list twice.
+
+Reported-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Tested-by: Sven Eckelmann <sven.eckelmann@openmesh.com> [ipq4019]
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/pinctrl/qcom/pinctrl-msm.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pinctrl/qcom/pinctrl-msm.c b/drivers/pinctrl/qcom/pinctrl-msm.c
+index 9736f9be5447..a9d2e8a0aa85 100644
+--- a/drivers/pinctrl/qcom/pinctrl-msm.c
++++ b/drivers/pinctrl/qcom/pinctrl-msm.c
+@@ -806,11 +806,24 @@ static int msm_gpio_init(struct msm_pinctrl *pctrl)
+ return ret;
+ }
+
+- ret = gpiochip_add_pin_range(&pctrl->chip, dev_name(pctrl->dev), 0, 0, chip->ngpio);
+- if (ret) {
+- dev_err(pctrl->dev, "Failed to add pin range\n");
+- gpiochip_remove(&pctrl->chip);
+- return ret;
++ /*
++ * For DeviceTree-supported systems, the gpio core checks the
++ * pinctrl's device node for the "gpio-ranges" property.
++ * If it is present, it takes care of adding the pin ranges
++ * for the driver. In this case the driver can skip ahead.
++ *
++ * In order to remain compatible with older, existing DeviceTree
++ * files which don't set the "gpio-ranges" property or systems that
++ * utilize ACPI the driver has to call gpiochip_add_pin_range().
++ */
++ if (!of_property_read_bool(pctrl->dev->of_node, "gpio-ranges")) {
++ ret = gpiochip_add_pin_range(&pctrl->chip,
++ dev_name(pctrl->dev), 0, 0, chip->ngpio);
++ if (ret) {
++ dev_err(pctrl->dev, "Failed to add pin range\n");
++ gpiochip_remove(&pctrl->chip);
++ return ret;
++ }
+ }
+
+ ret = gpiochip_irqchip_add(chip,
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-143-uapi-if_ether.h-move-__UAPI_DEF_ETHHDR-libc-d.patch b/patches.kernel.org/4.4.175-143-uapi-if_ether.h-move-__UAPI_DEF_ETHHDR-libc-d.patch
new file mode 100644
index 0000000000..df931faf89
--- /dev/null
+++ b/patches.kernel.org/4.4.175-143-uapi-if_ether.h-move-__UAPI_DEF_ETHHDR-libc-d.patch
@@ -0,0 +1,94 @@
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Mon, 12 Feb 2018 23:59:51 +0100
+Subject: [PATCH] uapi/if_ether.h: move __UAPI_DEF_ETHHDR libc define
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: da360299b6734135a5f66d7db458dcc7801c826a
+
+commit da360299b6734135a5f66d7db458dcc7801c826a upstream.
+
+This fixes a compile problem of some user space applications by not
+including linux/libc-compat.h in uapi/if_ether.h.
+
+linux/libc-compat.h checks which "features" the header files, included
+from the libc, provide to make the Linux kernel uapi header files only
+provide no conflicting structures and enums. If a user application mixes
+kernel headers and libc headers it could happen that linux/libc-compat.h
+gets included too early where not all other libc headers are included
+yet. Then the linux/libc-compat.h would not prevent all the
+redefinitions and we run into compile problems.
+This patch removes the include of linux/libc-compat.h from
+uapi/if_ether.h to fix the recently introduced case, but not all as this
+is more or less impossible.
+
+It is no problem to do the check directly in the if_ether.h file and not
+in libc-compat.h as this does not need any fancy glibc header detection
+as glibc never provided struct ethhdr and should define
+__UAPI_DEF_ETHHDR by them self when they will provide this.
+
+The following test program did not compile correctly any more:
+
+#include <linux/if_ether.h>
+#include <netinet/in.h>
+#include <linux/in.h>
+
+int main(void)
+{
+ return 0;
+}
+
+Fixes: 6926e041a892 ("uapi/if_ether.h: prevent redefinition of struct ethhdr")
+Reported-by: Guillaume Nault <g.nault@alphalink.fr>
+Cc: <stable@vger.kernel.org> # 4.15
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/uapi/linux/if_ether.h | 6 +++++-
+ include/uapi/linux/libc-compat.h | 6 ------
+ 2 files changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/include/uapi/linux/if_ether.h b/include/uapi/linux/if_ether.h
+index cb490cd9376f..373afec2ed34 100644
+--- a/include/uapi/linux/if_ether.h
++++ b/include/uapi/linux/if_ether.h
+@@ -22,7 +22,6 @@
+ #define _UAPI_LINUX_IF_ETHER_H
+
+ #include <linux/types.h>
+-#include <linux/libc-compat.h>
+
+ /*
+ * IEEE 802.3 Ethernet magic constants. The frame sizes omit the preamble
+@@ -137,6 +136,11 @@
+ * This is an Ethernet frame header.
+ */
+
++/* allow libcs like musl to deactivate this, glibc does not implement this. */
++#ifndef __UAPI_DEF_ETHHDR
++#define __UAPI_DEF_ETHHDR 1
++#endif
++
+ #if __UAPI_DEF_ETHHDR
+ struct ethhdr {
+ unsigned char h_dest[ETH_ALEN]; /* destination eth addr */
+diff --git a/include/uapi/linux/libc-compat.h b/include/uapi/linux/libc-compat.h
+index 5da44c571cdd..e4f048ee7043 100644
+--- a/include/uapi/linux/libc-compat.h
++++ b/include/uapi/linux/libc-compat.h
+@@ -184,10 +184,4 @@
+
+ #endif /* __GLIBC__ */
+
+-/* Definitions for if_ether.h */
+-/* allow libcs like musl to deactivate this, glibc does not implement this. */
+-#ifndef __UAPI_DEF_ETHHDR
+-#define __UAPI_DEF_ETHHDR 1
+-#endif
+-
+ #endif /* _UAPI_LIBC_COMPAT_H */
+--
+2.20.1
+
diff --git a/patches.kernel.org/4.4.175-144-Linux-4.4.175.patch b/patches.kernel.org/4.4.175-144-Linux-4.4.175.patch
new file mode 100644
index 0000000000..8eea1d8fef
--- /dev/null
+++ b/patches.kernel.org/4.4.175-144-Linux-4.4.175.patch
@@ -0,0 +1,27 @@
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 20 Feb 2019 10:13:24 +0100
+Subject: [PATCH] Linux 4.4.175
+References: bnc#1012382
+Patch-mainline: 4.4.175
+Git-commit: 332deb1f5ce960682d35a2519f1bd50f8ba52820
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 1fa281069379..5f0bdef2af99 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 174
++SUBLEVEL = 175
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+
+--
+2.20.1
+
diff --git a/patches.suse/0020-perf-x86-intel-uncore-remove-hard-coded-implementation-for-node-id-mapping-location.patch b/patches.suse/0020-perf-x86-intel-uncore-remove-hard-coded-implementation-for-node-id-mapping-location.patch
index bd1bbf1fd8..a07b432b44 100644
--- a/patches.suse/0020-perf-x86-intel-uncore-remove-hard-coded-implementation-for-node-id-mapping-location.patch
+++ b/patches.suse/0020-perf-x86-intel-uncore-remove-hard-coded-implementation-for-node-id-mapping-location.patch
@@ -74,7 +74,7 @@ Signed-off-by: Tony Jones <tonyj@suse.de>
+ err = pci_read_config_dword(ubox_dev, nodeid_loc, &config);
if (err)
break;
- nodeid = config;
+ nodeid = config & NODE_ID_MASK;
/* get the Node ID mapping */
- err = pci_read_config_dword(ubox_dev, 0x54, &config);
+ err = pci_read_config_dword(ubox_dev, idmap_loc, &config);
@@ -125,7 +125,7 @@ Signed-off-by: Tony Jones <tonyj@suse.de>
if (ret)
return ret;
uncore_pci_uncores = ivbep_pci_uncores;
-@@ -2901,7 +2914,7 @@ static struct pci_driver hswep_uncore_pc
+@@ -2899,7 +2912,7 @@ static struct pci_driver hswep_uncore_pc
int hswep_uncore_pci_init(void)
{
@@ -134,7 +134,7 @@ Signed-off-by: Tony Jones <tonyj@suse.de>
if (ret)
return ret;
uncore_pci_uncores = hswep_pci_uncores;
-@@ -3205,7 +3218,7 @@ static struct pci_driver bdx_uncore_pci_
+@@ -3188,7 +3201,7 @@ static struct pci_driver bdx_uncore_pci_
int bdx_uncore_pci_init(void)
{
diff --git a/patches.suse/hwmon-lm80-Fix-missing-unlock-on-error-in-set_fan_di.patch b/patches.suse/hwmon-lm80-Fix-missing-unlock-on-error-in-set_fan_di.patch
new file mode 100644
index 0000000000..8297262590
--- /dev/null
+++ b/patches.suse/hwmon-lm80-Fix-missing-unlock-on-error-in-set_fan_di.patch
@@ -0,0 +1,32 @@
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Wed, 26 Dec 2018 11:28:24 +0000
+Subject: hwmon: (lm80) Fix missing unlock on error in set_fan_div()
+Git-commit: 07bd14ccc3049f9c0147a91a4227a571f981601a
+Patch-mainline: v5.0-rc3
+References: git-fixes
+
+Add the missing unlock before return from function set_fan_div()
+in the error handling case.
+
+Fixes: c9c63915519b ("hwmon: (lm80) fix a missing check of the status of SMBus read")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/hwmon/lm80.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/hwmon/lm80.c
++++ b/drivers/hwmon/lm80.c
+@@ -393,8 +393,10 @@ static ssize_t set_fan_div(struct device
+ }
+
+ rv = lm80_read_value(client, LM80_REG_FANDIV);
+- if (rv < 0)
++ if (rv < 0) {
++ mutex_unlock(&data->update_lock);
+ return rv;
++ }
+ reg = (rv & ~(3 << (2 * (nr + 1))))
+ | (data->fan_div[nr] << (2 * (nr + 1)));
+ lm80_write_value(client, LM80_REG_FANDIV, reg);
diff --git a/series.conf b/series.conf
index 03516b2950..0023c3b2bc 100644
--- a/series.conf
+++ b/series.conf
@@ -5498,6 +5498,150 @@
patches.kernel.org/4.4.174-033-net-ipv4-do-not-handle-duplicate-fragments-as.patch
patches.kernel.org/4.4.174-034-rcu-Force-boolean-subscript-for-expedited-sta.patch
patches.kernel.org/4.4.174-035-Linux-4.4.174.patch
+ patches.kernel.org/4.4.175-001-drm-bufs-Fix-Spectre-v1-vulnerability.patch
+ patches.kernel.org/4.4.175-002-staging-iio-adc-ad7280a-handle-error-from-__a.patch
+ patches.kernel.org/4.4.175-003-ASoC-Intel-mrfld-fix-uninitialized-variable-a.patch
+ patches.kernel.org/4.4.175-004-scsi-lpfc-Correct-LCB-RJT-handling.patch
+ patches.kernel.org/4.4.175-005-ARM-8808-1-kexec-offline-panic_smp_self_stop-.patch
+ patches.kernel.org/4.4.175-006-dlm-Don-t-swamp-the-CPU-with-callbacks-queued.patch
+ patches.kernel.org/4.4.175-007-x86-PCI-Fix-Broadcom-CNB20LE-unintended-sign-.patch
+ patches.kernel.org/4.4.175-008-powerpc-pseries-add-of_node_put-in-dlpar_deta.patch
+ patches.kernel.org/4.4.175-009-serial-fsl_lpuart-clear-parity-enable-bit-whe.patch
+ patches.kernel.org/4.4.175-010-ptp-check-gettime64-return-code-in-PTP_SYS_OF.patch
+ patches.kernel.org/4.4.175-011-staging-iio-ad2s90-Make-probe-handle-spi_setu.patch
+ patches.kernel.org/4.4.175-012-staging-iio-ad7780-update-voltage-on-read.patch
+ patches.kernel.org/4.4.175-013-ARM-OMAP2-hwmod-Fix-some-section-annotations.patch
+ patches.kernel.org/4.4.175-014-modpost-validate-symbol-names-also-in-find_el.patch
+ patches.kernel.org/4.4.175-015-perf-tools-Add-Hygon-Dhyana-support.patch
+ patches.kernel.org/4.4.175-016-soc-tegra-Don-t-leak-device-tree-node-referen.patch
+ patches.kernel.org/4.4.175-017-f2fs-move-dir-data-flush-to-write-checkpoint-.patch
+ patches.kernel.org/4.4.175-018-f2fs-fix-wrong-return-value-of-f2fs_acl_creat.patch
+ patches.kernel.org/4.4.175-019-sunvdc-Do-not-spin-in-an-infinite-loop-when-v.patch
+ patches.kernel.org/4.4.175-020-nfsd4-fix-crash-on-writing-v4_end_grace-befor.patch
+ patches.kernel.org/4.4.175-021-arm64-ftrace-don-t-adjust-the-LR-value.patch
+ patches.kernel.org/4.4.175-022-ARM-dts-mmp2-fix-TWSI2.patch
+ patches.kernel.org/4.4.175-023-x86-fpu-Add-might_fault-to-user_insn.patch
+ patches.kernel.org/4.4.175-024-media-DaVinci-VPBE-fix-error-handling-in-vpbe.patch
+ patches.kernel.org/4.4.175-025-smack-fix-access-permissions-for-keyring.patch
+ patches.kernel.org/4.4.175-026-usb-hub-delay-hub-autosuspend-if-USB3-port-is.patch
+ patches.kernel.org/4.4.175-027-timekeeping-Use-proper-seqcount-initializer.patch
+ patches.kernel.org/4.4.175-028-ARM-dts-Fix-OMAP4430-SDP-Ethernet-startup.patch
+ patches.kernel.org/4.4.175-029-mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch
+ patches.kernel.org/4.4.175-030-iommu-arm-smmu-v3-Use-explicit-mb-when-moving.patch
+ patches.kernel.org/4.4.175-031-sata_rcar-fix-deferred-probing.patch
+ patches.kernel.org/4.4.175-032-clk-imx6sl-ensure-MMDC-CH0-handshake-is-bypas.patch
+ patches.kernel.org/4.4.175-033-cpuidle-big.LITTLE-fix-refcount-leak.patch
+ patches.kernel.org/4.4.175-034-i2c-axxia-check-for-error-conditions-first.patch
+ patches.kernel.org/4.4.175-035-udf-Fix-BUG-on-corrupted-inode.patch
+ patches.kernel.org/4.4.175-036-ARM-pxa-avoid-section-mismatch-warning.patch
+ patches.kernel.org/4.4.175-037-ASoC-fsl-Fix-SND_SOC_EUKREA_TLV320-build-erro.patch
+ patches.kernel.org/4.4.175-038-memstick-Prevent-memstick-host-from-getting-r.patch
+ patches.kernel.org/4.4.175-039-tty-serial-samsung-Properly-set-flags-in-auto.patch
+ patches.kernel.org/4.4.175-040-arm64-KVM-Skip-MMIO-insn-after-emulation.patch
+ patches.kernel.org/4.4.175-041-powerpc-uaccess-fix-warning-error-with-access.patch
+ patches.kernel.org/4.4.175-042-mac80211-fix-radiotap-vendor-presence-bitmap-.patch
+ patches.kernel.org/4.4.175-043-xfrm6_tunnel-Fix-spi-check-in-__xfrm6_tunnel_.patch
+ patches.kernel.org/4.4.175-044-Bluetooth-Fix-unnecessary-error-message-for-H.patch
+ patches.kernel.org/4.4.175-045-cw1200-Fix-concurrency-use-after-free-bugs-in.patch
+ patches.kernel.org/4.4.175-046-drbd-narrow-rcu_read_lock-in-drbd_sync_handsh.patch
+ patches.kernel.org/4.4.175-047-drbd-disconnect-if-the-wrong-UUIDs-are-attach.patch
+ patches.kernel.org/4.4.175-048-drbd-skip-spurious-timeout-ping-timeo-when-fa.patch
+ patches.kernel.org/4.4.175-049-drbd-Avoid-Clang-warning-about-pointless-swit.patch
+ patches.kernel.org/4.4.175-050-video-clps711x-fb-release-disp-device-node-in.patch
+ patches.kernel.org/4.4.175-051-fbdev-fbmem-behave-better-with-small-rotated-.patch
+ patches.kernel.org/4.4.175-052-igb-Fix-an-issue-that-PME-is-not-enabled-duri.patch
+ patches.kernel.org/4.4.175-053-fbdev-fbcon-Fix-unregister-crash-when-more-th.patch
+ patches.kernel.org/4.4.175-054-KVM-x86-svm-report-MSR_IA32_MCG_EXT_CTL-as-un.patch
+ patches.kernel.org/4.4.175-055-NFS-nfs_compare_mount_options-always-compare-.patch
+ patches.kernel.org/4.4.175-056-hwmon-lm80-fix-a-missing-check-of-the-status-.patch
+ patches.kernel.org/4.4.175-057-hwmon-lm80-fix-a-missing-check-of-bus-read-in.patch
+ patches.kernel.org/4.4.175-058-seq_buf-Make-seq_buf_puts-null-terminate-the-.patch
+ patches.kernel.org/4.4.175-059-crypto-ux500-Use-proper-enum-in-cryp_set_dma_.patch
+ patches.kernel.org/4.4.175-060-crypto-ux500-Use-proper-enum-in-hash_set_dma_.patch
+ patches.kernel.org/4.4.175-061-cifs-check-ntwrk_buf_start-for-NULL-before-de.patch
+ patches.kernel.org/4.4.175-062-um-Avoid-marking-pages-with-changed-protectio.patch
+ patches.kernel.org/4.4.175-063-niu-fix-missing-checks-of-niu_pci_eeprom_read.patch
+ patches.kernel.org/4.4.175-064-scripts-decode_stacktrace-only-strip-base-pat.patch
+ patches.kernel.org/4.4.175-065-ocfs2-don-t-clear-bh-uptodate-for-block-read.patch
+ patches.kernel.org/4.4.175-066-isdn-hisax-hfc_pci-Fix-a-possible-concurrency.patch
+ patches.kernel.org/4.4.175-067-gdrom-fix-a-memory-leak-bug.patch
+ patches.kernel.org/4.4.175-068-block-swim3-Fix-EBUSY-error-when-re-opening-d.patch
+ patches.kernel.org/4.4.175-069-HID-lenovo-Add-checks-to-fix-of_led_classdev_.patch
+ patches.kernel.org/4.4.175-070-kernel-hung_task.c-break-RCU-locks-based-on-j.patch
+ patches.kernel.org/4.4.175-071-fs-epoll-drop-ovflist-branch-prediction.patch
+ patches.kernel.org/4.4.175-072-exec-load_script-don-t-blindly-truncate-sheba.patch
+ patches.kernel.org/4.4.175-073-thermal-hwmon-inline-helpers-when-CONFIG_THER.patch
+ patches.kernel.org/4.4.175-074-test_hexdump-use-memcpy-instead-of-strncpy.patch
+ patches.kernel.org/4.4.175-075-tipc-use-destination-length-for-copy-string.patch
+ patches.kernel.org/4.4.175-076-string-drop-__must_check-from-strscpy-and-res.patch
+ patches.kernel.org/4.4.175-077-dccp-fool-proof-ccid_hc_-rt-x_parse_options.patch
+ patches.kernel.org/4.4.175-078-enic-fix-checksum-validation-for-IPv6.patch
+ patches.kernel.org/4.4.175-079-net-dp83640-expire-old-TX-skb.patch
+ patches.kernel.org/4.4.175-080-skge-potential-memory-corruption-in-skge_get_.patch
+ patches.kernel.org/4.4.175-081-net-systemport-Fix-WoL-with-password-after-de.patch
+ patches.kernel.org/4.4.175-082-net-dsa-slave-Don-t-propagate-flag-changes-on.patch
+ patches.kernel.org/4.4.175-083-ALSA-compress-Fix-stop-handling-on-compressed.patch
+ patches.kernel.org/4.4.175-084-ALSA-hda-Serialize-codec-registrations.patch
+ patches.kernel.org/4.4.175-085-fuse-call-pipe_buf_release-under-pipe-lock.patch
+ patches.kernel.org/4.4.175-086-fuse-decrement-NR_WRITEBACK_TEMP-on-the-right.patch
+ patches.kernel.org/4.4.175-087-fuse-handle-zero-sized-retrieve-correctly.patch
+ patches.kernel.org/4.4.175-088-dmaengine-imx-dma-fix-wrong-callback-invoke.patch
+ patches.kernel.org/4.4.175-089-usb-phy-am335x-fix-race-condition-in-_probe.patch
+ patches.kernel.org/4.4.175-090-usb-gadget-udc-net2272-Fix-bitwise-and-boolea.patch
+ patches.kernel.org/4.4.175-091-KVM-x86-work-around-leak-of-uninitialized-sta.patch
+ patches.kernel.org/4.4.175-092-KVM-nVMX-unconditionally-cancel-preemption-ti.patch
+ patches.kernel.org/4.4.175-093-perf-x86-intel-uncore-Add-Node-ID-mask.patch
+ patches.kernel.org/4.4.175-094-x86-MCE-Initialize-mce.bank-in-the-case-of-a-.patch
+ patches.kernel.org/4.4.175-095-perf-core-Don-t-WARN-for-impossible-ring-buff.patch
+ patches.kernel.org/4.4.175-096-perf-tests-evsel-tp-sched-Fix-bitwise-operato.patch
+ patches.kernel.org/4.4.175-097-mtd-rawnand-gpmi-fix-MX28-bus-master-lockup-p.patch
+ patches.kernel.org/4.4.175-098-signal-Always-notice-exiting-tasks.patch
+ patches.kernel.org/4.4.175-099-signal-Better-detection-of-synchronous-signal.patch
+ patches.kernel.org/4.4.175-100-misc-vexpress-Off-by-one-in-vexpress_syscfg_e.patch
+ patches.kernel.org/4.4.175-101-debugfs-fix-debugfs_rename-parameter-checking.patch
+ patches.kernel.org/4.4.175-102-mips-cm-reprime-error-cause.patch
+ patches.kernel.org/4.4.175-103-MIPS-OCTEON-don-t-set-octeon_dma_bar_type-if-.patch
+ patches.kernel.org/4.4.175-104-MIPS-VDSO-Include-ccflags-vdso-in-o32-n32-.ld.patch
+ patches.kernel.org/4.4.175-105-ARM-iop32x-n2100-fix-PCI-IRQ-mapping.patch
+ patches.kernel.org/4.4.175-106-mac80211-ensure-that-mgmt-tx-skbs-have-tailro.patch
+ patches.kernel.org/4.4.175-107-drm-modes-Prevent-division-by-zero-htotal.patch
+ patches.kernel.org/4.4.175-108-drm-vmwgfx-Fix-setting-of-dma-masks.patch
+ patches.kernel.org/4.4.175-109-drm-vmwgfx-Return-error-code-from-vmw_execbuf.patch
+ patches.kernel.org/4.4.175-110-HID-debug-fix-the-ring-buffer-implementation.patch
+ patches.kernel.org/4.4.175-111-NFC-nxp-nci-Include-unaligned.h-instead-of-ac.patch
+ patches.kernel.org/4.4.175-112-Revert-cifs-In-Kconfig-CONFIG_CIFS_POSIX-need.patch
+ patches.kernel.org/4.4.175-113-libceph-avoid-KEEPALIVE_PENDING-races-in-ceph.patch
+ patches.kernel.org/4.4.175-114-xfrm-refine-validation-of-template-and-select.patch
+ patches.kernel.org/4.4.175-115-batman-adv-Avoid-WARN-on-net_device-without-p.patch
+ patches.kernel.org/4.4.175-116-batman-adv-Force-mac-header-to-start-of-data-.patch
+ patches.kernel.org/4.4.175-117-Revert-exec-load_script-don-t-blindly-truncat.patch
+ patches.kernel.org/4.4.175-118-uapi-if_ether.h-prevent-redefinition-of-struc.patch
+ patches.kernel.org/4.4.175-119-ARM-dts-da850-evm-Correct-the-sound-card-name.patch
+ patches.kernel.org/4.4.175-120-ARM-dts-kirkwood-Fix-polarity-of-GPIO-fan-lin.patch
+ patches.kernel.org/4.4.175-121-gpio-pl061-handle-failed-allocations.patch
+ patches.kernel.org/4.4.175-122-cifs-Limit-memory-used-by-lock-request-calls-.patch
+ patches.kernel.org/4.4.175-123-Documentation-network-reword-kernel-version-r.patch
+ patches.kernel.org/4.4.175-124-Revert-Input-elan_i2c-add-ACPI-ID-for-touchpa.patch
+ patches.kernel.org/4.4.175-125-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-Le.patch
+ patches.kernel.org/4.4.175-126-perf-core-Fix-impossible-ring-buffer-sizes-wa.patch
+ patches.kernel.org/4.4.175-127-ALSA-hda-Add-quirk-for-HP-EliteBook-840-G5.patch
+ patches.kernel.org/4.4.175-128-ALSA-usb-audio-Fix-implicit-fb-endpoint-setup.patch
+ patches.kernel.org/4.4.175-129-Input-bma150-register-input-device-after-sett.patch
+ patches.kernel.org/4.4.175-130-Input-elantech-enable-3rd-button-support-on-F.patch
+ patches.kernel.org/4.4.175-131-alpha-fix-page-fault-handling-for-r16-r18-tar.patch
+ patches.kernel.org/4.4.175-132-alpha-Fix-Eiger-NR_IRQS-to-128.patch
+ patches.kernel.org/4.4.175-133-tracing-uprobes-Fix-output-for-multiple-strin.patch
+ patches.kernel.org/4.4.175-134-x86-platform-UV-Use-efi_runtime_lock-to-seria.patch
+ patches.kernel.org/4.4.175-135-signal-Restore-the-stop-PTRACE_EVENT_EXIT.patch
+ patches.kernel.org/4.4.175-136-x86-a.out-Clear-the-dump-structure-initially.patch
+ patches.kernel.org/4.4.175-137-dm-thin-fix-bug-where-bio-that-overwrites-thi.patch
+ patches.kernel.org/4.4.175-138-smsc95xx-Use-skb_cow_head-to-deal-with-cloned.patch
+ patches.kernel.org/4.4.175-139-ch9200-use-skb_cow_head-to-deal-with-cloned-s.patch
+ patches.kernel.org/4.4.175-140-kaweth-use-skb_cow_head-to-deal-with-cloned-s.patch
+ patches.kernel.org/4.4.175-141-usb-dwc2-Remove-unnecessary-kfree.patch
+ patches.kernel.org/4.4.175-142-pinctrl-msm-fix-gpio-hog-related-boot-issues.patch
+ patches.kernel.org/4.4.175-143-uapi-if_ether.h-move-__UAPI_DEF_ETHHDR-libc-d.patch
+ patches.kernel.org/4.4.175-144-Linux-4.4.175.patch
########################################################
# Build fixes that apply to the vanilla kernel too.
@@ -20056,7 +20200,6 @@
patches.drivers/qed-sp3-0226-qed-Fix-sending-an-invalid-PFC-error-mask-to-MFW.patch
patches.drivers/qed-sp3-0227-qed-Fix-possible-system-hang-in-the-dcbnl-getdcbx-pa.patch
patches.drivers/qed-sp3-0228-qed-Fix-issue-in-populating-the-PFC-config-paramters.patch
- patches.fixes/0001-ch9200-use-skb_cow_head-to-deal-with-cloned-skbs.patch
patches.arch/x86-mce-make-the-mce-notifier-a-blocking-one.patch
patches.fixes/scsi-return-correct-blkprep-status-code-in-case-scsi.patch
patches.drivers/net-mlx5e-Fix-race-in-mlx5e_sw_stats-and-mlx5e_vport.patch
@@ -23030,7 +23173,6 @@
patches.arch/arm64-Run-enable-method-for-errata-work-arounds-on-l.patch
patches.suse/0027-arm64-Branch-predictor-hardening-for-Cavium-ThunderX.patch
patches.suse/0029-arm64-Turn-on-KPTI-only-on-CPUs-that-need-it.patch
- patches.fixes/string-drop-__must_check-from-strscpy-and-restore-st.patch
patches.fixes/xprtrdma-Fix-backchannel-allocation-of-extra-rpcrdma.patch
patches.drivers/scsi-lpfc-FLOGI-failures-are-reported-when-connected.patch
patches.drivers/scsi-lpfc-Expand-WQE-capability-of-every-NVME-hardwa.patch
@@ -23293,7 +23435,6 @@
patches.drivers/ibmvnic-Clean-RX-pool-buffers-during-device-close.patch
patches.drivers/PCI-cxgb4-Extend-T3-PCI-quirk-to-T4-devices.patch
patches.drivers/RDMA-uverbs-Protect-from-command-mask-overflow.patch
- patches.drivers/RDMA-bnxt_re-Synchronize-destroy_qp-with-poll_cq.patch
patches.drivers/scsi-mpt3sas-fix-an-out-of-bound-write
patches.drivers/scsi-qla2xxx-Fix-a-locking-imbalance-in-qlt_24xx_han.patch
patches.drivers/scsi-qla2xxx-Fix-double-free-bug-after-firmware-time.patch
@@ -24209,7 +24350,6 @@
patches.fixes/cifs-connect-to-servername-instead-of-IP-for-IPC-share.patch
patches.fixes/ceph-avoid-a-use-after-free-in-ceph_destroy_options.patch
patches.arch/0006-kvm-x86-do-not-re-try-execute-after-failed-emulation-in-l2
- patches.drivers/bnxt_re-Fix-couple-of-memory-leaks-that-could-lead-t.patch
patches.arch/s390-sles12sp3-22-01-01-net-af_iucv-drop-inbound-packets-with-invalid-flags.patch
patches.arch/s390-sles12sp3-22-01-02-net-af_iucv-fix-skb-handling-on-HiperTransport-xmit-.patch
patches.drivers/net-ena-fix-surprise-unplug-NULL-dereference-kernel-.patch
@@ -24417,13 +24557,10 @@
patches.suse/tty-ldsem-Decrement-wait_readers-on-timeouted-down_r.patch
patches.drivers/revert-iommu-io-pgtable-arm-check-for-v7s-incapable-systems
patches.drivers/iommu-amd-fix-amd_iommu-force_isolation
- patches.suse/0001-block-swim3-Fix-EBUSY-error-when-re-opening-device-a.patch
- patches.fixes/0001-fbdev-fbmem-behave-better-with-small-rotated-display.patch
- patches.fixes/0001-fbdev-fbcon-Fix-unregister-crash-when-more-than-one-.patch
patches.fixes/rbd-don-t-return-0-on-unmap-if-rbd_dev_flag_removing-is-set.patch
patches.suse/tty-Don-t-hold-ldisc-lock-in-tty_reopen-if-ldisc-pre.patch
+ patches.suse/hwmon-lm80-Fix-missing-unlock-on-error-in-set_fan_di.patch
patches.fixes/ceph-clear-inode-pointer-when-snap-realm-gets-dropped-by-its-inode.patch
- patches.fixes/libceph-avoid-keepalive_pending-races-in-ceph_con_keepalive.patch
patches.drivers/ibmveth-Do-not-process-frames-after-calling-napi_res.patch
patches.fixes/acpi-nfit-block-function-zero-dsms.patch
patches.fixes/acpi-nfit-fix-command-supported-detection.patch
@@ -24437,10 +24574,6 @@
patches.drivers/iommu-vt-d-fix-memory-leak-in-intel_iommu_put_resv_regions
patches.drivers/iommu-amd-fix-iommu-page-flush-when-detach-device-from-a-domain
patches.arch/kvm-fix-kvm_ioctl_create_device-reference-counting-cve-2019-6974
- patches.arch/kvm-x86-work-around-leak-of-uninitialized-stack-contents-cve-2019-7222
- patches.arch/kvm-nvmx-unconditionally-cancel-preemption-timer-in-free_nested-cve-2019-7221
- patches.fixes/0001-drm-vmwgfx-Return-error-code-from-vmw_execbuf_copy_f.patch
- patches.fixes/0001-drm-vmwgfx-Fix-setting-of-dma-masks.patch
patches.fixes/0001-gpu-ipu-v3-Fix-i.MX51-CSI-control-registers-offset.patch
patches.fixes/0002-gpu-ipu-v3-Fix-CSI-offsets-for-imx53.patch
patches.fixes/0003-drm-i915-Block-fbdev-HPD-processing-during-suspend.patch
@@ -25434,6 +25567,9 @@
patches.kabi/kabi-KVM-x86-kABI-workaround-for-PKRU-fixes.patch
+ patches.fixes/0001-KVM-VMX-Fix-x2apic-check-in-vmx_msr_bitmap_mode.patch
+ patches.fixes/0001-KVM-VMX-Missing-part-of-upstream-commit-904e14fb7cb9.patch
+
########################################################
# IOMMU patches
########################################################
@@ -25837,6 +25973,8 @@
patches.kabi/KVM-VMX-Work-around-kABI-breakage-in-enum-vmx_l1d_fl.patch
patches.kabi/bpf-ssbd-removal-workaround.patch
patches.kabi/fix-kvm-kabi.patch
+ patches.kabi/kabi-protect-struct-hda_bus.patch
+ patches.kabi/kabi-protect-kfifo-include-in-hid-debug.patch
# bsc#1114417
patches.suse/hpwdt-calculate-reload-each-use.patch