Home Home > GIT Browse > SLE12-SP3-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2017-10-06 15:31:05 +0200
committerTakashi Iwai <tiwai@suse.de>2017-10-06 15:31:05 +0200
commita068031920bf7f7bbe83d5d894e71a157f506066 (patch)
tree93d90d244c4dd6207b0b5dbfcf8457b019ebdcea
parent199fa5bc31cb2b78503ebeb8e3993e2124b49963 (diff)
parenta4faa0795424a10382cdb597a6ef8bd5d2b766ec (diff)
Merge branch 'SLE12-SP3' into openSUSE-42.3rpm-4.4.90-28
-rw-r--r--patches.arch/0004-kvm-pkeys-save-restore-pkru-when-guest-host-switches14
-rw-r--r--patches.arch/cxl-Fix-coredump-generation-when-cxl_get_fd-is-used.patch41
-rw-r--r--patches.arch/cxl-Introduce-implementation-specific-API.patch30
-rw-r--r--patches.drivers/RDMA-bnxt_re-Allocate-multiple-notification-queues.patch359
-rw-r--r--patches.drivers/RDMA-bnxt_re-Implement-the-alloc-get_hw_stats-callba.patch246
-rw-r--r--patches.drivers/iw_cxgb4-put-ep-reference-in-pass_accept_req.patch38
-rw-r--r--patches.fixes/0001-KVM-VMX-Do-not-BUG-on-out-of-bounds-guest-IRQ.patch46
-rw-r--r--patches.fixes/kvm-vmx-check-apicv-is-active-before-using-vt-d-posted-interrupt14
-rw-r--r--patches.kernel.org/4.4.90-001-cifs-release-auth_key.response-for-reconnect.patch63
-rw-r--r--patches.kernel.org/4.4.90-002-mac80211-flush-hw_roc_start-work-before-cancel.patch50
-rw-r--r--patches.kernel.org/4.4.90-003-KVM-PPC-Book3S-Fix-race-and-leak-in-kvm_vm_ioc.patch126
-rw-r--r--patches.kernel.org/4.4.90-004-tracing-Fix-trace_pipe-behavior-for-instance-t.patch51
-rw-r--r--patches.kernel.org/4.4.90-005-tracing-Erase-irqsoff-trace-with-empty-write.patch56
-rw-r--r--patches.kernel.org/4.4.90-006-md-raid5-fix-a-race-condition-in-stripe-batch.patch (renamed from patches.fixes/0001-md-raid5-fix-a-race-condition-in-stripe-batch.patch)26
-rw-r--r--patches.kernel.org/4.4.90-007-md-raid5-preserve-STRIPE_ON_UNPLUG_LIST-in-bre.patch54
-rw-r--r--patches.kernel.org/4.4.90-008-scsi-scsi_transport_iscsi-fix-the-issue-that-i.patch (renamed from patches.drivers/scsi-scsi_transport_iscsi-fix-the-issue-that.patch)19
-rw-r--r--patches.kernel.org/4.4.90-009-crypto-talitos-Don-t-provide-setkey-for-non-hm.patch48
-rw-r--r--patches.kernel.org/4.4.90-010-crypto-talitos-fix-sha224.patch44
-rw-r--r--patches.kernel.org/4.4.90-011-KEYS-fix-writing-past-end-of-user-supplied-buf.patch72
-rw-r--r--patches.kernel.org/4.4.90-012-KEYS-prevent-creating-a-different-user-s-keyri.patch164
-rw-r--r--patches.kernel.org/4.4.90-013-KEYS-prevent-KEYCTL_READ-on-negative-key.patch85
-rw-r--r--patches.kernel.org/4.4.90-014-powerpc-pseries-Fix-parent_dn-reference-leak-i.patch45
-rw-r--r--patches.kernel.org/4.4.90-015-Fix-SMB3.1.1-guest-authentication-to-Samba.patch37
-rw-r--r--patches.kernel.org/4.4.90-016-SMB-Validate-negotiate-to-protect-against-down.patch62
-rw-r--r--patches.kernel.org/4.4.90-017-SMB3-Don-t-ignore-O_SYNC-O_DSYNC-and-O_DIRECT-.patch39
-rw-r--r--patches.kernel.org/4.4.90-018-vfs-Return-ENXIO-for-negative-SEEK_HOLE-SEEK_D.patch49
-rw-r--r--patches.kernel.org/4.4.90-019-nl80211-check-for-the-required-netlink-attribu.patch (renamed from patches.fixes/nl80211-check-for-the-required-netlink-attributes-pr.patch)21
-rw-r--r--patches.kernel.org/4.4.90-020-bsg-lib-don-t-free-job-in-bsg_prepare_job.patch36
-rw-r--r--patches.kernel.org/4.4.90-021-seccomp-fix-the-usage-of-get-put_seccomp_filte.patch97
-rw-r--r--patches.kernel.org/4.4.90-022-arm64-Make-sure-SPsel-is-always-set.patch45
-rw-r--r--patches.kernel.org/4.4.90-023-arm64-fault-Route-pte-translation-faults-via-d.patch71
-rw-r--r--patches.kernel.org/4.4.90-024-KVM-VMX-Do-not-BUG-on-out-of-bounds-guest-IRQ.patch62
-rw-r--r--patches.kernel.org/4.4.90-025-kvm-nVMX-Don-t-allow-L2-to-access-the-hardware.patch (renamed from patches.fixes/0001-kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch)19
-rw-r--r--patches.kernel.org/4.4.90-026-PCI-Fix-race-condition-with-driver_override.patch71
-rw-r--r--patches.kernel.org/4.4.90-027-btrfs-fix-NULL-pointer-dereference-from-free_r.patch44
-rw-r--r--patches.kernel.org/4.4.90-028-btrfs-propagate-error-to-btrfs_cmp_data_prepar.patch43
-rw-r--r--patches.kernel.org/4.4.90-029-btrfs-prevent-to-set-invalid-default-subvolid.patch42
-rw-r--r--patches.kernel.org/4.4.90-030-x86-fpu-Don-t-let-userspace-set-bogus-xcomp_bv.patch203
-rw-r--r--patches.kernel.org/4.4.90-031-gfs2-Fix-debugfs-glocks-dump.patch123
-rw-r--r--patches.kernel.org/4.4.90-032-timer-sysclt-Restrict-timer-migration-sysctl-v.patch57
-rw-r--r--patches.kernel.org/4.4.90-033-KVM-VMX-do-not-change-SN-bit-in-vmx_update_pi_.patch (renamed from patches.arch/0004-kvm-vmx-do-not-change-sn-bit-in-vmx_update_pi_irte)18
-rw-r--r--patches.kernel.org/4.4.90-034-KVM-VMX-remove-WARN_ON_ONCE-in-kvm_vcpu_trigge.patch (renamed from patches.arch/0002-kvm-vmx-remove-warn_on_once-in-kvm_vcpu_trigger_posted_interrupt)19
-rw-r--r--patches.kernel.org/4.4.90-035-cxl-Fix-driver-use-count.patch88
-rw-r--r--patches.kernel.org/4.4.90-036-dmaengine-mmp-pdma-add-number-of-requestors.patch37
-rw-r--r--patches.kernel.org/4.4.90-037-ARM-pxa-add-the-number-of-DMA-requestor-lines.patch128
-rw-r--r--patches.kernel.org/4.4.90-038-ARM-pxa-fix-the-number-of-DMA-requestor-lines.patch34
-rw-r--r--patches.kernel.org/4.4.90-039-KVM-VMX-use-cmpxchg64.patch58
-rw-r--r--patches.kernel.org/4.4.90-040-video-fbdev-aty-do-not-leak-uninitialized-padd.patch40
-rw-r--r--patches.kernel.org/4.4.90-041-swiotlb-xen-implement-xen_swiotlb_dma_mmap-cal.patch79
-rw-r--r--patches.kernel.org/4.4.90-042-fix-xen_swiotlb_dma_mmap-prototype.patch55
-rw-r--r--patches.kernel.org/4.4.90-043-Linux-4.4.90.patch27
-rw-r--r--series.conf60
52 files changed, 3296 insertions, 159 deletions
diff --git a/patches.arch/0004-kvm-pkeys-save-restore-pkru-when-guest-host-switches b/patches.arch/0004-kvm-pkeys-save-restore-pkru-when-guest-host-switches
index c9ed4d8810..98a8eca0f5 100644
--- a/patches.arch/0004-kvm-pkeys-save-restore-pkru-when-guest-host-switches
+++ b/patches.arch/0004-kvm-pkeys-save-restore-pkru-when-guest-host-switches
@@ -18,7 +18,7 @@ Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Joerg Roedel <jroedel@suse.de>
---
- arch/x86/kvm/vmx.c | 23 +++++++++++++++++++++++
+ arch/x86/kvm/vmx.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
--- a/arch/x86/kvm/vmx.c
@@ -34,15 +34,15 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
};
enum segment_cache_field {
-@@ -2033,6 +2037,7 @@ static void vmx_vcpu_pi_load(struct kvm_
- } while (cmpxchg(&pi_desc->control, old.control,
- new.control) != old.control);
+@@ -2032,6 +2036,7 @@ static void vmx_vcpu_pi_load(struct kvm_
+ } while (cmpxchg64(&pi_desc->control, old.control,
+ new.control) != old.control);
}
+
/*
* Switches to specified vcpu, until a matching vcpu_put(), but assumes
* vcpu mutex is already taken.
-@@ -2093,6 +2098,7 @@ static void vmx_vcpu_load(struct kvm_vcp
+@@ -2092,6 +2097,7 @@ static void vmx_vcpu_load(struct kvm_vcp
}
vmx_vcpu_pi_load(vcpu, cpu);
@@ -50,7 +50,7 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
}
static void vmx_vcpu_pi_put(struct kvm_vcpu *vcpu)
-@@ -8578,6 +8584,9 @@ static void __noclone vmx_vcpu_run(struc
+@@ -8586,6 +8592,9 @@ static void __noclone vmx_vcpu_run(struc
if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP)
vmx_set_interrupt_shadow(vcpu, 0);
@@ -60,7 +60,7 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
atomic_switch_perf_msrs(vmx);
debugctlmsr = get_debugctlmsr();
-@@ -8718,6 +8727,20 @@ static void __noclone vmx_vcpu_run(struc
+@@ -8726,6 +8735,20 @@ static void __noclone vmx_vcpu_run(struc
vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
/*
diff --git a/patches.arch/cxl-Fix-coredump-generation-when-cxl_get_fd-is-used.patch b/patches.arch/cxl-Fix-coredump-generation-when-cxl_get_fd-is-used.patch
index e73c96c2a2..d4a2f016e2 100644
--- a/patches.arch/cxl-Fix-coredump-generation-when-cxl_get_fd-is-used.patch
+++ b/patches.arch/cxl-Fix-coredump-generation-when-cxl_get_fd-is-used.patch
@@ -55,14 +55,12 @@ Signed-off-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
Reviewed-by: Matthew R. Ochs <mrochs@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
- drivers/misc/cxl/api.c | 137 +++++++++++++++++++++++++++++++++++++--------
- drivers/misc/cxl/context.c | 17 ++++--
- drivers/misc/cxl/cxl.h | 6 +-
- drivers/misc/cxl/file.c | 5 +-
+ drivers/misc/cxl/api.c | 137 +++++++++++++++++++++++++++++++++++++--------
+ drivers/misc/cxl/context.c | 17 +++--
+ drivers/misc/cxl/cxl.h | 6 +
+ drivers/misc/cxl/file.c | 5 +
4 files changed, 135 insertions(+), 30 deletions(-)
-diff --git a/drivers/misc/cxl/api.c b/drivers/misc/cxl/api.c
-index 2107c94..687cb7e 100644
--- a/drivers/misc/cxl/api.c
+++ b/drivers/misc/cxl/api.c
@@ -9,16 +9,118 @@
@@ -186,7 +184,7 @@ index 2107c94..687cb7e 100644
struct cxl_afu *afu;
struct cxl_context *ctx;
int rc;
-@@ -33,28 +135,13 @@ struct cxl_context *cxl_dev_context_init(struct pci_dev *dev)
+@@ -33,28 +135,13 @@ struct cxl_context *cxl_dev_context_init
ctx->kernelapi = true;
@@ -217,7 +215,7 @@ index 2107c94..687cb7e 100644
err_ctx:
kfree(ctx);
err_dev:
-@@ -269,6 +356,11 @@ struct file *cxl_get_fd(struct cxl_context *ctx, struct file_operations *fops,
+@@ -273,6 +360,11 @@ struct file *cxl_get_fd(struct cxl_conte
{
struct file *file;
int rc, flags, fdtmp;
@@ -229,7 +227,7 @@ index 2107c94..687cb7e 100644
flags = O_RDWR | O_CLOEXEC;
-@@ -292,12 +384,13 @@ struct file *cxl_get_fd(struct cxl_context *ctx, struct file_operations *fops,
+@@ -296,12 +388,13 @@ struct file *cxl_get_fd(struct cxl_conte
} else /* use default ops */
fops = (struct file_operations *)&afu_fops;
@@ -246,11 +244,9 @@ index 2107c94..687cb7e 100644
*fd = fdtmp;
return file;
-diff --git a/drivers/misc/cxl/context.c b/drivers/misc/cxl/context.c
-index 7edea9c..256fc09 100644
--- a/drivers/misc/cxl/context.c
+++ b/drivers/misc/cxl/context.c
-@@ -34,8 +34,7 @@ struct cxl_context *cxl_context_alloc(void)
+@@ -34,8 +34,7 @@ struct cxl_context *cxl_context_alloc(vo
/*
* Initialises a CXL context.
*/
@@ -260,7 +256,7 @@ index 7edea9c..256fc09 100644
{
int i;
-@@ -44,7 +43,7 @@ int cxl_context_init(struct cxl_context *ctx, struct cxl_afu *afu, bool master,
+@@ -44,7 +43,7 @@ int cxl_context_init(struct cxl_context
ctx->master = master;
ctx->pid = ctx->glpid = NULL; /* Set in start work ioctl */
mutex_init(&ctx->mapping_lock);
@@ -269,7 +265,7 @@ index 7edea9c..256fc09 100644
/*
* Allocate the segment table before we put it in the IDR so that we
-@@ -111,6 +110,14 @@ int cxl_context_init(struct cxl_context *ctx, struct cxl_afu *afu, bool master,
+@@ -111,6 +110,14 @@ int cxl_context_init(struct cxl_context
return 0;
}
@@ -284,7 +280,7 @@ index 7edea9c..256fc09 100644
static int cxl_mmap_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
{
struct cxl_context *ctx = vma->vm_file->private_data;
-@@ -294,8 +301,6 @@ static void reclaim_ctx(struct rcu_head *rcu)
+@@ -294,8 +301,6 @@ static void reclaim_ctx(struct rcu_head
if (ctx->ff_page)
__free_page(ctx->ff_page);
ctx->sstp = NULL;
@@ -293,7 +289,7 @@ index 7edea9c..256fc09 100644
if (ctx->irq_bitmap)
kfree(ctx->irq_bitmap);
-@@ -308,6 +313,8 @@ static void reclaim_ctx(struct rcu_head *rcu)
+@@ -308,6 +313,8 @@ static void reclaim_ctx(struct rcu_head
void cxl_context_free(struct cxl_context *ctx)
{
@@ -302,11 +298,9 @@ index 7edea9c..256fc09 100644
mutex_lock(&ctx->afu->contexts_lock);
idr_remove(&ctx->afu->contexts_idr, ctx->pe);
mutex_unlock(&ctx->afu->contexts_lock);
-diff --git a/drivers/misc/cxl/cxl.h b/drivers/misc/cxl/cxl.h
-index 139b16f..78f3336 100644
--- a/drivers/misc/cxl/cxl.h
+++ b/drivers/misc/cxl/cxl.h
-@@ -762,8 +762,9 @@ void cxl_dump_debug_buffer(void *addr, size_t size);
+@@ -762,8 +762,9 @@ void cxl_dump_debug_buffer(void *addr, s
void init_cxl_native(void);
struct cxl_context *cxl_context_alloc(void);
@@ -326,11 +320,9 @@ index 139b16f..78f3336 100644
extern struct pci_driver cxl_pci_driver;
extern struct platform_driver cxl_of_driver;
-diff --git a/drivers/misc/cxl/file.c b/drivers/misc/cxl/file.c
-index eec468f..2224bac 100644
--- a/drivers/misc/cxl/file.c
+++ b/drivers/misc/cxl/file.c
-@@ -86,9 +86,12 @@ static int __afu_open(struct inode *inode, struct file *file, bool master)
+@@ -86,9 +86,12 @@ static int __afu_open(struct inode *inod
goto err_put_afu;
}
@@ -343,7 +335,4 @@ index eec468f..2224bac 100644
+
pr_devel("afu_open pe: %i\n", ctx->pe);
file->private_data = ctx;
- cxl_ctx_get();
---
-2.10.2
-
+
diff --git a/patches.arch/cxl-Introduce-implementation-specific-API.patch b/patches.arch/cxl-Introduce-implementation-specific-API.patch
index ddbcdd9ef4..a8dd4e6ba0 100644
--- a/patches.arch/cxl-Introduce-implementation-specific-API.patch
+++ b/patches.arch/cxl-Introduce-implementation-specific-API.patch
@@ -43,8 +43,8 @@ Acked-by: Dinar Valeev <dvaleev@suse.com>
}
EXPORT_SYMBOL_GPL(cxl_free_afu_irqs);
-@@ -176,7 +176,7 @@ int cxl_start_context(struct cxl_context
-
+@@ -180,7 +180,7 @@ int cxl_start_context(struct cxl_context
+ */
cxl_ctx_get();
- if ((rc = cxl_attach_process(ctx, kernel, wed , 0))) {
@@ -52,7 +52,7 @@ Acked-by: Dinar Valeev <dvaleev@suse.com>
put_pid(ctx->pid);
cxl_ctx_put();
goto out;
-@@ -342,11 +342,11 @@ int cxl_afu_reset(struct cxl_context *ct
+@@ -346,11 +346,11 @@ int cxl_afu_reset(struct cxl_context *ct
struct cxl_afu *afu = ctx->afu;
int rc;
@@ -211,7 +211,7 @@ Acked-by: Dinar Valeev <dvaleev@suse.com>
rc = -EIO;
goto err_put_afu;
}
-@@ -210,8 +210,8 @@ static long afu_ioctl_start_work(struct
+@@ -212,8 +212,8 @@ static long afu_ioctl_start_work(struct
trace_cxl_attach(ctx, work.work_element_descriptor, work.num_interrupts, amr);
@@ -220,9 +220,9 @@ Acked-by: Dinar Valeev <dvaleev@suse.com>
+ if ((rc = cxl_ops->attach_process(ctx, false, work.work_element_descriptor,
+ amr))) {
afu_release_irqs(ctx, ctx);
+ cxl_ctx_put();
goto out;
- }
-@@ -222,6 +222,7 @@ out:
+@@ -225,6 +225,7 @@ out:
mutex_unlock(&ctx->status_mutex);
return rc;
}
@@ -230,7 +230,7 @@ Acked-by: Dinar Valeev <dvaleev@suse.com>
static long afu_ioctl_process_element(struct cxl_context *ctx,
int __user *upe)
{
-@@ -259,7 +260,7 @@ long afu_ioctl(struct file *file, unsign
+@@ -262,7 +263,7 @@ long afu_ioctl(struct file *file, unsign
if (ctx->status == CLOSED)
return -EIO;
@@ -239,7 +239,7 @@ Acked-by: Dinar Valeev <dvaleev@suse.com>
return -EIO;
pr_devel("afu_ioctl\n");
-@@ -289,7 +290,7 @@ int afu_mmap(struct file *file, struct v
+@@ -292,7 +293,7 @@ int afu_mmap(struct file *file, struct v
if (ctx->status != STARTED)
return -EIO;
@@ -248,7 +248,7 @@ Acked-by: Dinar Valeev <dvaleev@suse.com>
return -EIO;
return cxl_context_iomap(ctx, vm);
-@@ -336,7 +337,7 @@ ssize_t afu_read(struct file *file, char
+@@ -339,7 +340,7 @@ ssize_t afu_read(struct file *file, char
int rc;
DEFINE_WAIT(wait);
@@ -257,7 +257,7 @@ Acked-by: Dinar Valeev <dvaleev@suse.com>
return -EIO;
if (count < CXL_READ_MIN_SIZE)
-@@ -349,7 +350,7 @@ ssize_t afu_read(struct file *file, char
+@@ -352,7 +353,7 @@ ssize_t afu_read(struct file *file, char
if (ctx_event_pending(ctx))
break;
@@ -297,7 +297,7 @@ Acked-by: Dinar Valeev <dvaleev@suse.com>
pr_devel("hwirq %#lx mapped to virq %u\n", hwirq, virq);
-@@ -195,7 +197,7 @@ int cxl_register_one_irq(struct cxl *ada
+@@ -194,7 +196,7 @@ int cxl_register_one_irq(struct cxl *ada
{
int hwirq, virq;
@@ -306,7 +306,7 @@ Acked-by: Dinar Valeev <dvaleev@suse.com>
return hwirq;
if (!(virq = cxl_map_irq(adapter, hwirq, handler, cookie, name)))
-@@ -207,7 +209,7 @@ int cxl_register_one_irq(struct cxl *ada
+@@ -206,7 +208,7 @@ int cxl_register_one_irq(struct cxl *ada
return 0;
err:
@@ -315,7 +315,7 @@ Acked-by: Dinar Valeev <dvaleev@suse.com>
return -ENOMEM;
}
-@@ -230,7 +232,8 @@ int afu_allocate_irqs(struct cxl_context
+@@ -229,7 +231,8 @@ int afu_allocate_irqs(struct cxl_context
/* Initialize the list head to hold irq names */
INIT_LIST_HEAD(&ctx->irq_names);
@@ -325,7 +325,7 @@ Acked-by: Dinar Valeev <dvaleev@suse.com>
return rc;
/* Multiplexed PSL Interrupt */
-@@ -268,7 +271,7 @@ int afu_allocate_irqs(struct cxl_context
+@@ -267,7 +270,7 @@ int afu_allocate_irqs(struct cxl_context
return 0;
out:
@@ -334,7 +334,7 @@ Acked-by: Dinar Valeev <dvaleev@suse.com>
afu_irq_name_free(ctx);
return -ENOMEM;
}
-@@ -319,7 +322,7 @@ void afu_release_irqs(struct cxl_context
+@@ -318,7 +321,7 @@ void afu_release_irqs(struct cxl_context
}
afu_irq_name_free(ctx);
diff --git a/patches.drivers/RDMA-bnxt_re-Allocate-multiple-notification-queues.patch b/patches.drivers/RDMA-bnxt_re-Allocate-multiple-notification-queues.patch
new file mode 100644
index 0000000000..8783d5301c
--- /dev/null
+++ b/patches.drivers/RDMA-bnxt_re-Allocate-multiple-notification-queues.patch
@@ -0,0 +1,359 @@
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+Date: Wed, 2 Aug 2017 01:46:18 -0700
+Subject: RDMA/bnxt_re: Allocate multiple notification queues
+Patch-mainline: v4.14-rc1
+Git-commit: 6a5df91baf2528e584bf4493c30bbafe2db74c9e
+References: bsc#1037579
+
+Enables multiple Interrupt vectors. Driver is requesting the max
+MSIX vectors based on the number of online cpus and creates upto
+9 MSIx vectors (1 for control path and 8 for data path).
+A tasklet is created for each of these vectors. NQs are assigned
+to CQs in round robin fashion.
+This patch also adds IRQ affinity hint for the MSIX vector of each NQ.
+
+Signed-off-by: Ray Jui <ray.jui@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/infiniband/hw/bnxt_re/bnxt_re.h | 5 -
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 17 +++-
+ drivers/infiniband/hw/bnxt_re/main.c | 108 +++++++++++++++++++------------
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 21 +++++-
+ drivers/infiniband/hw/bnxt_re/qplib_fp.h | 4 -
+ 5 files changed, 105 insertions(+), 50 deletions(-)
+
+--- a/drivers/infiniband/hw/bnxt_re/bnxt_re.h
++++ b/drivers/infiniband/hw/bnxt_re/bnxt_re.h
+@@ -78,7 +78,7 @@ struct bnxt_re_sqp_entries {
+ };
+
+ #define BNXT_RE_MIN_MSIX 2
+-#define BNXT_RE_MAX_MSIX 16
++#define BNXT_RE_MAX_MSIX 9
+ #define BNXT_RE_AEQ_IDX 0
+ #define BNXT_RE_NQ_IDX 1
+
+@@ -111,7 +111,7 @@ struct bnxt_re_dev {
+ struct bnxt_qplib_rcfw rcfw;
+
+ /* NQ */
+- struct bnxt_qplib_nq nq;
++ struct bnxt_qplib_nq nq[BNXT_RE_MAX_MSIX];
+
+ /* Device Resources */
+ struct bnxt_qplib_dev_attr dev_attr;
+@@ -136,6 +136,7 @@ struct bnxt_re_dev {
+ struct bnxt_re_ah *sqp_ah;
+ struct bnxt_re_sqp_entries sqp_tbl[1024];
+ u32 espeed;
++ atomic_t nq_alloc_cnt;
+ };
+
+ #define to_bnxt_re_dev(ptr, member) \
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -2331,6 +2331,7 @@ int bnxt_re_destroy_cq(struct ib_cq *ib_
+ struct bnxt_re_cq *cq = container_of(ib_cq, struct bnxt_re_cq, ib_cq);
+ struct bnxt_re_dev *rdev = cq->rdev;
+ int rc;
++ struct bnxt_qplib_nq *nq = cq->qplib_cq.nq;
+
+ rc = bnxt_qplib_destroy_cq(&rdev->qplib_res, &cq->qplib_cq);
+ if (rc) {
+@@ -2345,7 +2346,7 @@ int bnxt_re_destroy_cq(struct ib_cq *ib_
+ kfree(cq);
+ }
+ atomic_dec(&rdev->cq_count);
+- rdev->nq.budget--;
++ nq->budget--;
+ return 0;
+ }
+
+@@ -2359,6 +2360,8 @@ struct ib_cq *bnxt_re_create_cq(struct i
+ struct bnxt_re_cq *cq = NULL;
+ int rc, entries;
+ int cqe = attr->cqe;
++ struct bnxt_qplib_nq *nq = NULL;
++ unsigned int nq_alloc_cnt;
+
+ /* Validate CQ fields */
+ if (cqe < 1 || cqe > dev_attr->max_cq_wqes) {
+@@ -2410,9 +2413,15 @@ struct ib_cq *bnxt_re_create_cq(struct i
+ cq->qplib_cq.sghead = NULL;
+ cq->qplib_cq.nmap = 0;
+ }
++ /*
++ * Allocating the NQ in a round robin fashion. nq_alloc_cnt is a
++ * used for getting the NQ index.
++ */
++ nq_alloc_cnt = atomic_inc_return(&rdev->nq_alloc_cnt);
++ nq = &rdev->nq[nq_alloc_cnt % (rdev->num_msix - 1)];
+ cq->qplib_cq.max_wqe = entries;
+- cq->qplib_cq.cnq_hw_ring_id = rdev->nq.ring_id;
+- cq->qplib_cq.nq = &rdev->nq;
++ cq->qplib_cq.cnq_hw_ring_id = nq->ring_id;
++ cq->qplib_cq.nq = nq;
+
+ rc = bnxt_qplib_create_cq(&rdev->qplib_res, &cq->qplib_cq);
+ if (rc) {
+@@ -2422,7 +2431,7 @@ struct ib_cq *bnxt_re_create_cq(struct i
+
+ cq->ib_cq.cqe = entries;
+ cq->cq_period = cq->qplib_cq.period;
+- rdev->nq.budget++;
++ nq->budget++;
+
+ atomic_inc(&rdev->cq_count);
+
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -166,7 +166,7 @@ static int bnxt_re_free_msix(struct bnxt
+
+ static int bnxt_re_request_msix(struct bnxt_re_dev *rdev)
+ {
+- int rc = 0, num_msix_want = BNXT_RE_MIN_MSIX, num_msix_got;
++ int rc = 0, num_msix_want = BNXT_RE_MAX_MSIX, num_msix_got;
+ struct bnxt_en_dev *en_dev;
+
+ if (!rdev)
+@@ -174,6 +174,8 @@ static int bnxt_re_request_msix(struct b
+
+ en_dev = rdev->en_dev;
+
++ num_msix_want = min_t(u32, BNXT_RE_MAX_MSIX, num_online_cpus());
++
+ rtnl_lock();
+ num_msix_got = en_dev->en_ops->bnxt_request_msix(en_dev, BNXT_ROCE_ULP,
+ rdev->msix_entries,
+@@ -659,8 +661,12 @@ static int bnxt_re_cqn_handler(struct bn
+
+ static void bnxt_re_cleanup_res(struct bnxt_re_dev *rdev)
+ {
+- if (rdev->nq.hwq.max_elements)
+- bnxt_qplib_disable_nq(&rdev->nq);
++ int i;
++
++ if (rdev->nq[0].hwq.max_elements) {
++ for (i = 1; i < rdev->num_msix; i++)
++ bnxt_qplib_disable_nq(&rdev->nq[i - 1]);
++ }
+
+ if (rdev->qplib_res.rcfw)
+ bnxt_qplib_cleanup_res(&rdev->qplib_res);
+@@ -668,31 +674,41 @@ static void bnxt_re_cleanup_res(struct b
+
+ static int bnxt_re_init_res(struct bnxt_re_dev *rdev)
+ {
+- int rc = 0;
++ int rc = 0, i;
+
+ bnxt_qplib_init_res(&rdev->qplib_res);
+
+- if (rdev->msix_entries[BNXT_RE_NQ_IDX].vector <= 0)
+- return -EINVAL;
+-
+- rc = bnxt_qplib_enable_nq(rdev->en_dev->pdev, &rdev->nq,
+- rdev->msix_entries[BNXT_RE_NQ_IDX].vector,
+- rdev->msix_entries[BNXT_RE_NQ_IDX].db_offset,
+- &bnxt_re_cqn_handler,
+- NULL);
++ for (i = 1; i < rdev->num_msix ; i++) {
++ rc = bnxt_qplib_enable_nq(rdev->en_dev->pdev, &rdev->nq[i - 1],
++ i - 1, rdev->msix_entries[i].vector,
++ rdev->msix_entries[i].db_offset,
++ &bnxt_re_cqn_handler, NULL);
++
++ if (rc) {
++ dev_err(rdev_to_dev(rdev),
++ "Failed to enable NQ with rc = 0x%x", rc);
++ goto fail;
++ }
++ }
++ return 0;
++fail:
++ return rc;
++}
+
+- if (rc)
+- dev_err(rdev_to_dev(rdev), "Failed to enable NQ: %#x", rc);
++static void bnxt_re_free_nq_res(struct bnxt_re_dev *rdev, bool lock_wait)
++{
++ int i;
+
+- return rc;
++ for (i = 0; i < rdev->num_msix - 1; i++) {
++ bnxt_re_net_ring_free(rdev, rdev->nq[i].ring_id, lock_wait);
++ bnxt_qplib_free_nq(&rdev->nq[i]);
++ }
+ }
+
+ static void bnxt_re_free_res(struct bnxt_re_dev *rdev, bool lock_wait)
+ {
+- if (rdev->nq.hwq.max_elements) {
+- bnxt_re_net_ring_free(rdev, rdev->nq.ring_id, lock_wait);
+- bnxt_qplib_free_nq(&rdev->nq);
+- }
++ bnxt_re_free_nq_res(rdev, lock_wait);
++
+ if (rdev->qplib_res.dpi_tbl.max) {
+ bnxt_qplib_dealloc_dpi(&rdev->qplib_res,
+ &rdev->qplib_res.dpi_tbl,
+@@ -706,7 +722,7 @@ static void bnxt_re_free_res(struct bnxt
+
+ static int bnxt_re_alloc_res(struct bnxt_re_dev *rdev)
+ {
+- int rc = 0;
++ int rc = 0, i;
+
+ /* Configure and allocate resources for qplib */
+ rdev->qplib_res.rcfw = &rdev->rcfw;
+@@ -723,30 +739,42 @@ static int bnxt_re_alloc_res(struct bnxt
+ &rdev->dpi_privileged,
+ rdev);
+ if (rc)
+- goto fail;
++ goto dealloc_res;
+
+- rdev->nq.hwq.max_elements = BNXT_RE_MAX_CQ_COUNT +
+- BNXT_RE_MAX_SRQC_COUNT + 2;
+- rc = bnxt_qplib_alloc_nq(rdev->en_dev->pdev, &rdev->nq);
+- if (rc) {
+- dev_err(rdev_to_dev(rdev),
+- "Failed to allocate NQ memory: %#x", rc);
+- goto fail;
+- }
+- rc = bnxt_re_net_ring_alloc
+- (rdev, rdev->nq.hwq.pbl[PBL_LVL_0].pg_map_arr,
+- rdev->nq.hwq.pbl[rdev->nq.hwq.level].pg_count,
+- HWRM_RING_ALLOC_CMPL, BNXT_QPLIB_NQE_MAX_CNT - 1,
+- rdev->msix_entries[BNXT_RE_NQ_IDX].ring_idx,
+- &rdev->nq.ring_id);
+- if (rc) {
+- dev_err(rdev_to_dev(rdev),
+- "Failed to allocate NQ ring: %#x", rc);
+- goto free_nq;
++ for (i = 0; i < rdev->num_msix - 1; i++) {
++ rdev->nq[i].hwq.max_elements = BNXT_RE_MAX_CQ_COUNT +
++ BNXT_RE_MAX_SRQC_COUNT + 2;
++ rc = bnxt_qplib_alloc_nq(rdev->en_dev->pdev, &rdev->nq[i]);
++ if (rc) {
++ dev_err(rdev_to_dev(rdev), "Alloc Failed NQ%d rc:%#x",
++ i, rc);
++ goto dealloc_dpi;
++ }
++ rc = bnxt_re_net_ring_alloc
++ (rdev, rdev->nq[i].hwq.pbl[PBL_LVL_0].pg_map_arr,
++ rdev->nq[i].hwq.pbl[rdev->nq[i].hwq.level].pg_count,
++ HWRM_RING_ALLOC_CMPL,
++ BNXT_QPLIB_NQE_MAX_CNT - 1,
++ rdev->msix_entries[i + 1].ring_idx,
++ &rdev->nq[i].ring_id);
++ if (rc) {
++ dev_err(rdev_to_dev(rdev),
++ "Failed to allocate NQ fw id with rc = 0x%x",
++ rc);
++ goto free_nq;
++ }
+ }
+ return 0;
+ free_nq:
+- bnxt_qplib_free_nq(&rdev->nq);
++ for (i = 0; i < rdev->num_msix - 1; i++)
++ bnxt_qplib_free_nq(&rdev->nq[i]);
++dealloc_dpi:
++ bnxt_qplib_dealloc_dpi(&rdev->qplib_res,
++ &rdev->qplib_res.dpi_tbl,
++ &rdev->dpi_privileged);
++dealloc_res:
++ bnxt_qplib_free_res(&rdev->qplib_res);
++
+ fail:
+ rdev->qplib_res.rcfw = NULL;
+ return rc;
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -311,6 +311,7 @@ void bnxt_qplib_disable_nq(struct bnxt_q
+ tasklet_kill(&nq->worker);
+
+ if (nq->requested) {
++ irq_set_affinity_hint(nq->vector, NULL);
+ free_irq(nq->vector, nq);
+ nq->requested = false;
+ }
+@@ -324,7 +325,7 @@ void bnxt_qplib_disable_nq(struct bnxt_q
+ }
+
+ int bnxt_qplib_enable_nq(struct pci_dev *pdev, struct bnxt_qplib_nq *nq,
+- int msix_vector, int bar_reg_offset,
++ int nq_idx, int msix_vector, int bar_reg_offset,
+ int (*cqn_handler)(struct bnxt_qplib_nq *nq,
+ struct bnxt_qplib_cq *),
+ int (*srqn_handler)(struct bnxt_qplib_nq *nq,
+@@ -348,13 +349,25 @@ int bnxt_qplib_enable_nq(struct pci_dev
+ goto fail;
+
+ nq->requested = false;
+- rc = request_irq(nq->vector, bnxt_qplib_nq_irq, 0, "bnxt_qplib_nq", nq);
++ memset(nq->name, 0, 32);
++ sprintf(nq->name, "bnxt_qplib_nq-%d", nq_idx);
++ rc = request_irq(nq->vector, bnxt_qplib_nq_irq, 0, nq->name, nq);
+ if (rc) {
+ dev_err(&nq->pdev->dev,
+ "Failed to request IRQ for NQ: %#x", rc);
+ bnxt_qplib_disable_nq(nq);
+ goto fail;
+ }
++
++ cpumask_clear(&nq->mask);
++ cpumask_set_cpu(nq_idx, &nq->mask);
++ rc = irq_set_affinity_hint(nq->vector, &nq->mask);
++ if (rc) {
++ dev_warn(&nq->pdev->dev,
++ "QPLIB: set affinity failed; vector: %d nq_idx: %d\n",
++ nq->vector, nq_idx);
++ }
++
+ nq->requested = true;
+ nq->bar_reg = NQ_CONS_PCI_BAR_REGION;
+ nq->bar_reg_off = bar_reg_offset;
+@@ -378,8 +391,10 @@ fail:
+
+ void bnxt_qplib_free_nq(struct bnxt_qplib_nq *nq)
+ {
+- if (nq->hwq.max_elements)
++ if (nq->hwq.max_elements) {
+ bnxt_qplib_free_hwq(nq->pdev, &nq->hwq);
++ nq->hwq.max_elements = 0;
++ }
+ }
+
+ int bnxt_qplib_alloc_nq(struct pci_dev *pdev, struct bnxt_qplib_nq *nq)
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.h
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.h
+@@ -408,6 +408,7 @@ struct bnxt_qplib_nq {
+ struct pci_dev *pdev;
+
+ int vector;
++ cpumask_t mask;
+ int budget;
+ bool requested;
+ struct tasklet_struct worker;
+@@ -426,6 +427,7 @@ struct bnxt_qplib_nq {
+ void *srq,
+ u8 event);
+ struct workqueue_struct *cqn_wq;
++ char name[32];
+ };
+
+ struct bnxt_qplib_nq_work {
+@@ -436,7 +438,7 @@ struct bnxt_qplib_nq_work {
+
+ void bnxt_qplib_disable_nq(struct bnxt_qplib_nq *nq);
+ int bnxt_qplib_enable_nq(struct pci_dev *pdev, struct bnxt_qplib_nq *nq,
+- int msix_vector, int bar_reg_offset,
++ int nq_idx, int msix_vector, int bar_reg_offset,
+ int (*cqn_handler)(struct bnxt_qplib_nq *nq,
+ struct bnxt_qplib_cq *cq),
+ int (*srqn_handler)(struct bnxt_qplib_nq *nq,
diff --git a/patches.drivers/RDMA-bnxt_re-Implement-the-alloc-get_hw_stats-callba.patch b/patches.drivers/RDMA-bnxt_re-Implement-the-alloc-get_hw_stats-callba.patch
new file mode 100644
index 0000000000..072e9b7a79
--- /dev/null
+++ b/patches.drivers/RDMA-bnxt_re-Implement-the-alloc-get_hw_stats-callba.patch
@@ -0,0 +1,246 @@
+From: Somnath Kotur <somnath.kotur@broadcom.com>
+Date: Wed, 2 Aug 2017 01:46:19 -0700
+Subject: RDMA/bnxt_re: Implement the alloc/get_hw_stats callback
+Patch-mainline: v4.14-rc1
+Git-commit: 225937d6ccff3ba49b7065672ce35f21465aaeb9
+References: bsc#1037579
+
+Expose HW counters using the get_hw_stats callback
+
+Signed-off-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/infiniband/hw/bnxt_re/Makefile | 2 +-
+ drivers/infiniband/hw/bnxt_re/hw_counters.c | 114 ++++++++++++++++++++++++++++
+ drivers/infiniband/hw/bnxt_re/hw_counters.h | 62 +++++++++++++++
+ drivers/infiniband/hw/bnxt_re/main.c | 4 +
+ 4 files changed, 181 insertions(+), 1 deletion(-)
+ create mode 100644 drivers/infiniband/hw/bnxt_re/hw_counters.c
+ create mode 100644 drivers/infiniband/hw/bnxt_re/hw_counters.h
+
+diff --git a/drivers/infiniband/hw/bnxt_re/Makefile b/drivers/infiniband/hw/bnxt_re/Makefile
+index 036f84efbc73..afbaa0e20670 100644
+--- a/drivers/infiniband/hw/bnxt_re/Makefile
++++ b/drivers/infiniband/hw/bnxt_re/Makefile
+@@ -3,4 +3,4 @@ ccflags-y := -Idrivers/net/ethernet/broadcom/bnxt
+ obj-$(CONFIG_INFINIBAND_BNXT_RE) += bnxt_re.o
+ bnxt_re-y := main.o ib_verbs.o \
+ qplib_res.o qplib_rcfw.o \
+- qplib_sp.o qplib_fp.o
++ qplib_sp.o qplib_fp.o hw_counters.o
+diff --git a/drivers/infiniband/hw/bnxt_re/hw_counters.c b/drivers/infiniband/hw/bnxt_re/hw_counters.c
+new file mode 100644
+index 000000000000..7b28219eba46
+--- /dev/null
++++ b/drivers/infiniband/hw/bnxt_re/hw_counters.c
+@@ -0,0 +1,114 @@
++/*
++ * Broadcom NetXtreme-E RoCE driver.
++ *
++ * Copyright (c) 2016 - 2017, Broadcom. All rights reserved. The term
++ * Broadcom refers to Broadcom Limited and/or its subsidiaries.
++ *
++ * This software is available to you under a choice of one of two
++ * licenses. You may choose to be licensed under the terms of the GNU
++ * General Public License (GPL) Version 2, available from the file
++ * COPYING in the main directory of this source tree, or the
++ * BSD license below:
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
++ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
++ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
++ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
++ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
++ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
++ * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ * Description: Statistics
++ *
++ */
++
++#include <linux/interrupt.h>
++#include <linux/types.h>
++#include <linux/spinlock.h>
++#include <linux/sched.h>
++#include <linux/slab.h>
++#include <linux/pci.h>
++#include <linux/prefetch.h>
++#include <linux/delay.h>
++
++#include <rdma/ib_addr.h>
++
++#include "bnxt_ulp.h"
++#include "roce_hsi.h"
++#include "qplib_res.h"
++#include "qplib_sp.h"
++#include "qplib_fp.h"
++#include "qplib_rcfw.h"
++#include "bnxt_re.h"
++#include "hw_counters.h"
++
++static const char * const bnxt_re_stat_name[] = {
++ [BNXT_RE_ACTIVE_QP] = "active_qps",
++ [BNXT_RE_ACTIVE_SRQ] = "active_srqs",
++ [BNXT_RE_ACTIVE_CQ] = "active_cqs",
++ [BNXT_RE_ACTIVE_MR] = "active_mrs",
++ [BNXT_RE_ACTIVE_MW] = "active_mws",
++ [BNXT_RE_RX_PKTS] = "rx_pkts",
++ [BNXT_RE_RX_BYTES] = "rx_bytes",
++ [BNXT_RE_TX_PKTS] = "tx_pkts",
++ [BNXT_RE_TX_BYTES] = "tx_bytes",
++ [BNXT_RE_RECOVERABLE_ERRORS] = "recoverable_errors"
++};
++
++int bnxt_re_ib_get_hw_stats(struct ib_device *ibdev,
++ struct rdma_hw_stats *stats,
++ u8 port, int index)
++{
++ struct bnxt_re_dev *rdev = to_bnxt_re_dev(ibdev, ibdev);
++ struct ctx_hw_stats *bnxt_re_stats = rdev->qplib_ctx.stats.dma;
++
++ if (!port || !stats)
++ return -EINVAL;
++
++ stats->value[BNXT_RE_ACTIVE_QP] = atomic_read(&rdev->qp_count);
++ stats->value[BNXT_RE_ACTIVE_SRQ] = atomic_read(&rdev->srq_count);
++ stats->value[BNXT_RE_ACTIVE_CQ] = atomic_read(&rdev->cq_count);
++ stats->value[BNXT_RE_ACTIVE_MR] = atomic_read(&rdev->mr_count);
++ stats->value[BNXT_RE_ACTIVE_MW] = atomic_read(&rdev->mw_count);
++ if (bnxt_re_stats) {
++ stats->value[BNXT_RE_RECOVERABLE_ERRORS] =
++ le64_to_cpu(bnxt_re_stats->tx_bcast_pkts);
++ stats->value[BNXT_RE_RX_PKTS] =
++ le64_to_cpu(bnxt_re_stats->rx_ucast_pkts);
++ stats->value[BNXT_RE_RX_BYTES] =
++ le64_to_cpu(bnxt_re_stats->rx_ucast_bytes);
++ stats->value[BNXT_RE_TX_PKTS] =
++ le64_to_cpu(bnxt_re_stats->tx_ucast_pkts);
++ stats->value[BNXT_RE_TX_BYTES] =
++ le64_to_cpu(bnxt_re_stats->tx_ucast_bytes);
++ }
++ return ARRAY_SIZE(bnxt_re_stat_name);
++}
++
++struct rdma_hw_stats *bnxt_re_ib_alloc_hw_stats(struct ib_device *ibdev,
++ u8 port_num)
++{
++ BUILD_BUG_ON(ARRAY_SIZE(bnxt_re_stat_name) != BNXT_RE_NUM_COUNTERS);
++ /* We support only per port stats */
++ if (!port_num)
++ return NULL;
++
++ return rdma_alloc_hw_stats_struct(bnxt_re_stat_name,
++ ARRAY_SIZE(bnxt_re_stat_name),
++ RDMA_HW_STATS_DEFAULT_LIFESPAN);
++}
+diff --git a/drivers/infiniband/hw/bnxt_re/hw_counters.h b/drivers/infiniband/hw/bnxt_re/hw_counters.h
+new file mode 100644
+index 000000000000..be0dc0093b58
+--- /dev/null
++++ b/drivers/infiniband/hw/bnxt_re/hw_counters.h
+@@ -0,0 +1,62 @@
++/*
++ * Broadcom NetXtreme-E RoCE driver.
++ *
++ * Copyright (c) 2016 - 2017, Broadcom. All rights reserved. The term
++ * Broadcom refers to Broadcom Limited and/or its subsidiaries.
++ *
++ * This software is available to you under a choice of one of two
++ * licenses. You may choose to be licensed under the terms of the GNU
++ * General Public License (GPL) Version 2, available from the file
++ * COPYING in the main directory of this source tree, or the
++ * BSD license below:
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
++ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
++ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
++ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
++ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
++ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
++ * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ * Description: Statistics (header)
++ *
++ */
++
++#ifndef __BNXT_RE_HW_STATS_H__
++#define __BNXT_RE_HW_STATS_H__
++
++enum bnxt_re_hw_stats {
++ BNXT_RE_ACTIVE_QP,
++ BNXT_RE_ACTIVE_SRQ,
++ BNXT_RE_ACTIVE_CQ,
++ BNXT_RE_ACTIVE_MR,
++ BNXT_RE_ACTIVE_MW,
++ BNXT_RE_RX_PKTS,
++ BNXT_RE_RX_BYTES,
++ BNXT_RE_TX_PKTS,
++ BNXT_RE_TX_BYTES,
++ BNXT_RE_RECOVERABLE_ERRORS,
++ BNXT_RE_NUM_COUNTERS
++};
++
++struct rdma_hw_stats *bnxt_re_ib_alloc_hw_stats(struct ib_device *ibdev,
++ u8 port_num);
++int bnxt_re_ib_get_hw_stats(struct ib_device *ibdev,
++ struct rdma_hw_stats *stats,
++ u8 port, int index);
++#endif /* __BNXT_RE_HW_STATS_H__ */
+diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
+index 5b78d8fc28dc..82d1cbc27aee 100644
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -64,6 +64,8 @@
+ #include "ib_verbs.h"
+ #include <rdma/bnxt_re-abi.h>
+ #include "bnxt.h"
++#include "hw_counters.h"
++
+ static char version[] =
+ BNXT_RE_DESC " v" ROCE_DRV_MODULE_VERSION "\n";
+
+@@ -513,6 +515,8 @@ static int bnxt_re_register_ib(struct bnxt_re_dev *rdev)
+ ibdev->alloc_ucontext = bnxt_re_alloc_ucontext;
+ ibdev->dealloc_ucontext = bnxt_re_dealloc_ucontext;
+ ibdev->mmap = bnxt_re_mmap;
++ ibdev->get_hw_stats = bnxt_re_ib_get_hw_stats;
++ ibdev->alloc_hw_stats = bnxt_re_ib_alloc_hw_stats;
+
+ return ib_register_device(ibdev, NULL);
+ }
+--
+2.12.3
+
diff --git a/patches.drivers/iw_cxgb4-put-ep-reference-in-pass_accept_req.patch b/patches.drivers/iw_cxgb4-put-ep-reference-in-pass_accept_req.patch
new file mode 100644
index 0000000000..7e06021ec4
--- /dev/null
+++ b/patches.drivers/iw_cxgb4-put-ep-reference-in-pass_accept_req.patch
@@ -0,0 +1,38 @@
+From: Steve Wise <swise@opengridcomputing.com>
+Date: Wed, 13 Sep 2017 09:52:32 -0700
+Subject: iw_cxgb4: put ep reference in pass_accept_req()
+Patch-mainline: v4.14-rc2
+Git-commit: 3d318605f5e32ff44fb290d9b67573b34213c4c8
+References: bsc#321658 FATE#1005778 bsc#321660 FATE#1005780 bsc#321661 FATE#1005781
+
+The listening endpoint should always be dereferenced at the end of
+pass_accept_req().
+
+Fixes: f86fac79afec ("RDMA/iw_cxgb4: atomic find and reference for listening endpoints")
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index ceaa2fa54d32..83322dbc4711 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -2594,9 +2594,9 @@ fail:
+ c4iw_put_ep(&child_ep->com);
+ reject:
+ reject_cr(dev, hwtid, skb);
++out:
+ if (parent_ep)
+ c4iw_put_ep(&parent_ep->com);
+-out:
+ return 0;
+ }
+
+--
+2.12.3
+
diff --git a/patches.fixes/0001-KVM-VMX-Do-not-BUG-on-out-of-bounds-guest-IRQ.patch b/patches.fixes/0001-KVM-VMX-Do-not-BUG-on-out-of-bounds-guest-IRQ.patch
deleted file mode 100644
index bce4a16070..0000000000
--- a/patches.fixes/0001-KVM-VMX-Do-not-BUG-on-out-of-bounds-guest-IRQ.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From: jschoenh@amazon.de
-Date: Thu, 7 Sep 2017 19:02:30 +0100
-Subject: [PATCH 1/2] KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
-Git-commit: 3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb
-Patch-mainline: v4.14-rc1
-References: bsc#1058038, CVE-2017-1000252
-
-The value of the guest_irq argument to vmx_update_pi_irte() is
-ultimately coming from a KVM_IRQFD API call. Do not BUG() in
-vmx_update_pi_irte() if the value is out-of bounds. (Especially,
-since KVM as a whole seems to hang after that.)
-
-Instead, WARN_ONCE() if we find that we don't have a route for a
-certain IRQ (which can be out-of-bounds or within the array).
-
-Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
-Acked-by: Joerg Roedel <jroedel@suse.de>
----
- arch/x86/kvm/vmx.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -10798,7 +10798,7 @@ static int vmx_update_pi_irte(struct kvm
- struct kvm_lapic_irq irq;
- struct kvm_vcpu *vcpu;
- struct vcpu_data vcpu_info;
-- int idx, ret = -EINVAL;
-+ int idx, ret = 0;
-
- if (!kvm_arch_has_assigned_device(kvm) ||
- !irq_remapping_cap(IRQ_POSTING_CAP) ||
-@@ -10807,7 +10807,12 @@ static int vmx_update_pi_irte(struct kvm
-
- idx = srcu_read_lock(&kvm->irq_srcu);
- irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
-- BUG_ON(guest_irq >= irq_rt->nr_rt_entries);
-+ if (guest_irq >= irq_rt->nr_rt_entries ||
-+ hlist_empty(&irq_rt->map[guest_irq])) {
-+ WARN_ONCE(1, "no route for guest_irq %u/%u (broken user space?)\n",
-+ guest_irq, irq_rt->nr_rt_entries);
-+ goto out;
-+ }
-
- hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) {
- if (e->type != KVM_IRQ_ROUTING_MSI)
diff --git a/patches.fixes/kvm-vmx-check-apicv-is-active-before-using-vt-d-posted-interrupt b/patches.fixes/kvm-vmx-check-apicv-is-active-before-using-vt-d-posted-interrupt
index d538a623b1..6923ee3a94 100644
--- a/patches.fixes/kvm-vmx-check-apicv-is-active-before-using-vt-d-posted-interrupt
+++ b/patches.fixes/kvm-vmx-check-apicv-is-active-before-using-vt-d-posted-interrupt
@@ -16,12 +16,12 @@ Signed-off-by: Shengge Ding <shengge.dsg@alibaba-inc.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Joerg Roedel <jroedel@suse.de>
---
- arch/x86/kvm/vmx.c | 15 ++++++++++-----
+ arch/x86/kvm/vmx.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
-@@ -1997,7 +1997,8 @@ static void vmx_vcpu_pi_load(struct kvm_
+@@ -1996,7 +1996,8 @@ static void vmx_vcpu_pi_load(struct kvm_
unsigned int dest;
if (!kvm_arch_has_assigned_device(vcpu->kvm) ||
@@ -31,7 +31,7 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
return;
do {
-@@ -2105,7 +2106,8 @@ static void vmx_vcpu_pi_put(struct kvm_v
+@@ -2104,7 +2105,8 @@ static void vmx_vcpu_pi_put(struct kvm_v
struct pi_desc *pi_desc = vcpu_to_pi_desc(vcpu);
if (!kvm_arch_has_assigned_device(vcpu->kvm) ||
@@ -41,7 +41,7 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
return;
/* Set SN when the vCPU is preempted */
-@@ -10649,7 +10651,8 @@ static int vmx_pre_block(struct kvm_vcpu
+@@ -10677,7 +10679,8 @@ static int vmx_pre_block(struct kvm_vcpu
struct pi_desc *pi_desc = vcpu_to_pi_desc(vcpu);
if (!kvm_arch_has_assigned_device(vcpu->kvm) ||
@@ -51,7 +51,7 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
return 0;
vcpu->pre_pcpu = vcpu->cpu;
-@@ -10715,7 +10718,8 @@ static void vmx_post_block(struct kvm_vc
+@@ -10743,7 +10746,8 @@ static void vmx_post_block(struct kvm_vc
unsigned long flags;
if (!kvm_arch_has_assigned_device(vcpu->kvm) ||
@@ -61,8 +61,8 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
return;
do {
-@@ -10768,7 +10772,8 @@ static int vmx_update_pi_irte(struct kvm
- int idx, ret = -EINVAL;
+@@ -10796,7 +10800,8 @@ static int vmx_update_pi_irte(struct kvm
+ int idx, ret = 0;
if (!kvm_arch_has_assigned_device(kvm) ||
- !irq_remapping_cap(IRQ_POSTING_CAP))
diff --git a/patches.kernel.org/4.4.90-001-cifs-release-auth_key.response-for-reconnect.patch b/patches.kernel.org/4.4.90-001-cifs-release-auth_key.response-for-reconnect.patch
new file mode 100644
index 0000000000..e531e0ba9b
--- /dev/null
+++ b/patches.kernel.org/4.4.90-001-cifs-release-auth_key.response-for-reconnect.patch
@@ -0,0 +1,63 @@
+From: Shu Wang <shuwang@redhat.com>
+Date: Fri, 8 Sep 2017 18:48:33 +0800
+Subject: [PATCH] cifs: release auth_key.response for reconnect.
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: f5c4ba816315d3b813af16f5571f86c8d4e897bd
+
+commit f5c4ba816315d3b813af16f5571f86c8d4e897bd upstream.
+
+There is a race that cause cifs reconnect in cifs_mount,
+- cifs_mount
+ - cifs_get_tcp_session
+ - [ start thread cifs_demultiplex_thread
+ - cifs_read_from_socket: -ECONNABORTED
+ - DELAY_WORK smb2_reconnect_server ]
+ - cifs_setup_session
+ - [ smb2_reconnect_server ]
+
+auth_key.response was allocated in cifs_setup_session, and
+will release when the session destoried. So when session re-
+connect, auth_key.response should be check and released.
+
+Tested with my system:
+CIFS VFS: Free previous auth_key.response = ffff8800320bbf80
+
+A simple auth_key.response allocation call trace:
+- cifs_setup_session
+- SMB2_sess_setup
+- SMB2_sess_auth_rawntlmssp_authenticate
+- build_ntlmssp_auth_blob
+- setup_ntlmv2_rsp
+
+Signed-off-by: Shu Wang <shuwang@redhat.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/cifs/connect.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index 53a827c6d8b1..b377aa8f266f 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -4060,6 +4060,14 @@ cifs_setup_session(const unsigned int xid, struct cifs_ses *ses,
+ cifs_dbg(FYI, "Security Mode: 0x%x Capabilities: 0x%x TimeAdjust: %d\n",
+ server->sec_mode, server->capabilities, server->timeAdj);
+
++ if (ses->auth_key.response) {
++ cifs_dbg(VFS, "Free previous auth_key.response = %p\n",
++ ses->auth_key.response);
++ kfree(ses->auth_key.response);
++ ses->auth_key.response = NULL;
++ ses->auth_key.len = 0;
++ }
++
+ if (server->ops->sess_setup)
+ rc = server->ops->sess_setup(xid, ses, nls_info);
+
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-002-mac80211-flush-hw_roc_start-work-before-cancel.patch b/patches.kernel.org/4.4.90-002-mac80211-flush-hw_roc_start-work-before-cancel.patch
new file mode 100644
index 0000000000..07d720fcc7
--- /dev/null
+++ b/patches.kernel.org/4.4.90-002-mac80211-flush-hw_roc_start-work-before-cancel.patch
@@ -0,0 +1,50 @@
+From: Avraham Stern <avraham.stern@intel.com>
+Date: Fri, 18 Aug 2017 15:33:57 +0300
+Subject: [PATCH] mac80211: flush hw_roc_start work before cancelling the ROC
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 6e46d8ce894374fc135c96a8d1057c6af1fef237
+
+commit 6e46d8ce894374fc135c96a8d1057c6af1fef237 upstream.
+
+When HW ROC is supported it is possible that after the HW notified
+that the ROC has started, the ROC was cancelled and another ROC was
+added while the hw_roc_start worker is waiting on the mutex (since
+cancelling the ROC and adding another one also holds the same mutex).
+As a result, the hw_roc_start worker will continue to run after the
+new ROC is added but before it is actually started by the HW.
+This may result in notifying userspace that the ROC has started before
+it actually does, or in case of management tx ROC, in an attempt to
+tx while not on the right channel.
+
+In addition, when the driver will notify mac80211 that the second ROC
+has started, mac80211 will warn that this ROC has already been
+notified.
+
+Fix this by flushing the hw_roc_start work before cancelling an ROC.
+
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/mac80211/offchannel.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
+index 04401037140e..b6be51940ead 100644
+--- a/net/mac80211/offchannel.c
++++ b/net/mac80211/offchannel.c
+@@ -469,6 +469,8 @@ void ieee80211_roc_purge(struct ieee80211_local *local,
+ struct ieee80211_roc_work *roc, *tmp;
+ LIST_HEAD(tmp_list);
+
++ flush_work(&local->hw_roc_start);
++
+ mutex_lock(&local->mtx);
+ list_for_each_entry_safe(roc, tmp, &local->roc_list, list) {
+ if (sdata && roc->sdata != sdata)
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-003-KVM-PPC-Book3S-Fix-race-and-leak-in-kvm_vm_ioc.patch b/patches.kernel.org/4.4.90-003-KVM-PPC-Book3S-Fix-race-and-leak-in-kvm_vm_ioc.patch
new file mode 100644
index 0000000000..2f30a1bd70
--- /dev/null
+++ b/patches.kernel.org/4.4.90-003-KVM-PPC-Book3S-Fix-race-and-leak-in-kvm_vm_ioc.patch
@@ -0,0 +1,126 @@
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Tue, 12 Sep 2017 15:54:14 +1000
+Subject: [PATCH] KVM: PPC: Book3S: Fix race and leak in
+ kvm_vm_ioctl_create_spapr_tce()
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: f75c0042f120179aedf005de1da461296cda0308
+
+commit 47c5310a8dbe7c2cb9f0083daa43ceed76c257fa upstream, with part
+of commit edd03602d97236e8fea13cd76886c576186aa307 folded in.
+
+Nixiaoming pointed out that there is a memory leak in
+kvm_vm_ioctl_create_spapr_tce() if the call to anon_inode_getfd()
+fails; the memory allocated for the kvmppc_spapr_tce_table struct
+is not freed, and nor are the pages allocated for the iommu
+tables.
+
+David Hildenbrand pointed out that there is a race in that the
+function checks early on that there is not already an entry in the
+stt->iommu_tables list with the same LIOBN, but an entry with the
+same LIOBN could get added between then and when the new entry is
+added to the list.
+
+This fixes both problems. To simplify things, we now call
+anon_inode_getfd() before placing the new entry in the list. The
+check for an existing entry is done while holding the kvm->lock
+mutex, immediately before adding the new entry to the list.
+
+[paulus@ozlabs.org - folded in that part of edd03602d972 ("KVM:
+ PPC: Book3S HV: Protect updates to spapr_tce_tables list", 2017-08-28)
+ which restructured the code that 47c5310a8dbe modified, to avoid
+ a build failure caused by the absence of put_unused_fd().
+ Also removed the locked memory accounting, since it doesn't exist
+ in this version, and adjusted the commit message.]
+
+Fixes: 54738c097163 ("KVM: PPC: Accelerate H_PUT_TCE by implementing it in real mode")
+Reported-by: Nixiaoming <nixiaoming@huawei.com>
+Reported-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/powerpc/kvm/book3s_64_vio.c | 46 +++++++++++++++++++++++-----------------
+ 1 file changed, 27 insertions(+), 19 deletions(-)
+
+diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c
+index 54cf9bc94dad..3a095670b0c4 100644
+--- a/arch/powerpc/kvm/book3s_64_vio.c
++++ b/arch/powerpc/kvm/book3s_64_vio.c
+@@ -101,22 +101,17 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm *kvm,
+ struct kvm_create_spapr_tce *args)
+ {
+ struct kvmppc_spapr_tce_table *stt = NULL;
++ struct kvmppc_spapr_tce_table *siter;
+ long npages;
+ int ret = -ENOMEM;
+ int i;
+
+- /* Check this LIOBN hasn't been previously allocated */
+- list_for_each_entry(stt, &kvm->arch.spapr_tce_tables, list) {
+- if (stt->liobn == args->liobn)
+- return -EBUSY;
+- }
+-
+ npages = kvmppc_stt_npages(args->window_size);
+
+ stt = kzalloc(sizeof(*stt) + npages * sizeof(struct page *),
+ GFP_KERNEL);
+ if (!stt)
+- goto fail;
++ return ret;
+
+ stt->liobn = args->liobn;
+ stt->window_size = args->window_size;
+@@ -128,23 +123,36 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm *kvm,
+ goto fail;
+ }
+
+- kvm_get_kvm(kvm);
+-
+ mutex_lock(&kvm->lock);
+- list_add(&stt->list, &kvm->arch.spapr_tce_tables);
++
++ /* Check this LIOBN hasn't been previously allocated */
++ ret = 0;
++ list_for_each_entry(siter, &kvm->arch.spapr_tce_tables, list) {
++ if (siter->liobn == args->liobn) {
++ ret = -EBUSY;
++ break;
++ }
++ }
++
++ if (!ret)
++ ret = anon_inode_getfd("kvm-spapr-tce", &kvm_spapr_tce_fops,
++ stt, O_RDWR | O_CLOEXEC);
++
++ if (ret >= 0) {
++ list_add(&stt->list, &kvm->arch.spapr_tce_tables);
++ kvm_get_kvm(kvm);
++ }
+
+ mutex_unlock(&kvm->lock);
+
+- return anon_inode_getfd("kvm-spapr-tce", &kvm_spapr_tce_fops,
+- stt, O_RDWR | O_CLOEXEC);
++ if (ret >= 0)
++ return ret;
+
+-fail:
+- if (stt) {
+- for (i = 0; i < npages; i++)
+- if (stt->pages[i])
+- __free_page(stt->pages[i]);
++ fail:
++ for (i = 0; i < npages; i++)
++ if (stt->pages[i])
++ __free_page(stt->pages[i]);
+
+- kfree(stt);
+- }
++ kfree(stt);
+ return ret;
+ }
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-004-tracing-Fix-trace_pipe-behavior-for-instance-t.patch b/patches.kernel.org/4.4.90-004-tracing-Fix-trace_pipe-behavior-for-instance-t.patch
new file mode 100644
index 0000000000..79a5df92af
--- /dev/null
+++ b/patches.kernel.org/4.4.90-004-tracing-Fix-trace_pipe-behavior-for-instance-t.patch
@@ -0,0 +1,51 @@
+From: Tahsin Erdogan <tahsin@google.com>
+Date: Sun, 17 Sep 2017 03:23:48 -0700
+Subject: [PATCH] tracing: Fix trace_pipe behavior for instance traces
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 75df6e688ccd517e339a7c422ef7ad73045b18a2
+
+commit 75df6e688ccd517e339a7c422ef7ad73045b18a2 upstream.
+
+When reading data from trace_pipe, tracing_wait_pipe() performs a
+check to see if tracing has been turned off after some data was read.
+Currently, this check always looks at global trace state, but it
+should be checking the trace instance where trace_pipe is located at.
+
+Because of this bug, cat instances/i1/trace_pipe in the following
+script will immediately exit instead of waiting for data:
+
+cd /sys/kernel/debug/tracing
+echo 0 > tracing_on
+mkdir -p instances/i1
+echo 1 > instances/i1/tracing_on
+echo 1 > instances/i1/events/sched/sched_process_exec/enable
+cat instances/i1/trace_pipe
+
+Link: http://lkml.kernel.org/r/20170917102348.1615-1-tahsin@google.com
+
+Fixes: 10246fa35d4f ("tracing: give easy way to clear trace buffer")
+Signed-off-by: Tahsin Erdogan <tahsin@google.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/trace/trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index 4743066010c4..6baf340fa172 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -4701,7 +4701,7 @@ static int tracing_wait_pipe(struct file *filp)
+ *
+ * iter->pos will be 0 if we haven't read anything.
+ */
+- if (!tracing_is_on() && iter->pos)
++ if (!tracer_tracing_is_on(iter->tr) && iter->pos)
+ break;
+
+ mutex_unlock(&iter->mutex);
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-005-tracing-Erase-irqsoff-trace-with-empty-write.patch b/patches.kernel.org/4.4.90-005-tracing-Erase-irqsoff-trace-with-empty-write.patch
new file mode 100644
index 0000000000..0f6d33bdd4
--- /dev/null
+++ b/patches.kernel.org/4.4.90-005-tracing-Erase-irqsoff-trace-with-empty-write.patch
@@ -0,0 +1,56 @@
+From: Bo Yan <byan@nvidia.com>
+Date: Mon, 18 Sep 2017 10:03:35 -0700
+Subject: [PATCH] tracing: Erase irqsoff trace with empty write
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 8dd33bcb7050dd6f8c1432732f930932c9d3a33e
+
+commit 8dd33bcb7050dd6f8c1432732f930932c9d3a33e upstream.
+
+One convenient way to erase trace is "echo > trace". However, this
+is currently broken if the current tracer is irqsoff tracer. This
+is because irqsoff tracer use max_buffer as the default trace
+buffer.
+
+Set the max_buffer as the one to be cleared when it's the trace
+buffer currently in use.
+
+Link: http://lkml.kernel.org/r/1505754215-29411-1-git-send-email-byan@nvidia.com
+
+Cc: <mingo@redhat.com>
+Fixes: 4acd4d00f ("tracing: give easy way to clear trace buffer")
+Signed-off-by: Bo Yan <byan@nvidia.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/trace/trace.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index 6baf340fa172..b64f35afee4e 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -3226,11 +3226,17 @@ static int tracing_open(struct inode *inode, struct file *file)
+ /* If this file was open for write, then erase contents */
+ if ((file->f_mode & FMODE_WRITE) && (file->f_flags & O_TRUNC)) {
+ int cpu = tracing_get_cpu(inode);
++ struct trace_buffer *trace_buf = &tr->trace_buffer;
++
++#ifdef CONFIG_TRACER_MAX_TRACE
++ if (tr->current_trace->print_max)
++ trace_buf = &tr->max_buffer;
++#endif
+
+ if (cpu == RING_BUFFER_ALL_CPUS)
+- tracing_reset_online_cpus(&tr->trace_buffer);
++ tracing_reset_online_cpus(trace_buf);
+ else
+- tracing_reset(&tr->trace_buffer, cpu);
++ tracing_reset(trace_buf, cpu);
+ }
+
+ if (file->f_mode & FMODE_READ) {
+--
+2.14.2
+
diff --git a/patches.fixes/0001-md-raid5-fix-a-race-condition-in-stripe-batch.patch b/patches.kernel.org/4.4.90-006-md-raid5-fix-a-race-condition-in-stripe-batch.patch
index b5b549dd4c..de906fe776 100644
--- a/patches.fixes/0001-md-raid5-fix-a-race-condition-in-stripe-batch.patch
+++ b/patches.kernel.org/4.4.90-006-md-raid5-fix-a-race-condition-in-stripe-batch.patch
@@ -1,10 +1,11 @@
From: Shaohua Li <shli@fb.com>
Date: Fri, 25 Aug 2017 10:40:02 -0700
Subject: [PATCH] md/raid5: fix a race condition in stripe batch
+References: bnc#1012382
+Patch-mainline: 4.4.90
Git-commit: 3664847d95e60a9a943858b7800f8484669740fc
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/shli/md.git
-Patch-mainline: Queued in subsystem maintainer repository
-References: linux-stable
+
+commit 3664847d95e60a9a943858b7800f8484669740fc upstream.
We have a race condition in below scenario, say have 3 continuous stripes, sh1,
sh2 and sh3, sh1 is the stripe_head of sh2 and sh3:
@@ -22,10 +23,6 @@ handle_stripe(sh3)
-> unlock(sh1) and batch_lock(sh1)
->clear_batch_ready(sh3)
-->test_and_clear_bit(STRIPE_BATCH_READY, sh3)
-
-Acked-by: NeilBrown <neilb@suse.com>
-Signed-off-by: Neil Brown <neilb@suse.com>
-
--->return 0 as sh->batch == NULL
-> sh3->batch_head = sh1
-> unlock (sh2, sh3)
@@ -37,15 +34,19 @@ impossible to clear STRIPE_BATCH_READY before batch_head is set.
Thanks Stephane for helping debug this tricky issue.
Reported-and-tested-by: Stephane Thiell <sthiell@stanford.edu>
-Cc: stable@vger.kernel.org (v4.1+)
Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
- drivers/md/raid5.c | 10 ++++++++--
+ drivers/md/raid5.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index 5eac08ffc697..dfd07cc1d167 100644
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
-@@ -816,6 +816,14 @@ static void stripe_add_to_batch_list(str
+@@ -818,6 +818,14 @@ static void stripe_add_to_batch_list(struct r5conf *conf, struct stripe_head *sh
spin_unlock(&head->batch_head->batch_lock);
goto unlock_out;
}
@@ -60,7 +61,7 @@ Signed-off-by: Shaohua Li <shli@fb.com>
/*
* at this point, head's BATCH_READY could be cleared, but we
-@@ -823,8 +831,6 @@ static void stripe_add_to_batch_list(str
+@@ -825,8 +833,6 @@ static void stripe_add_to_batch_list(struct r5conf *conf, struct stripe_head *sh
*/
list_add(&sh->batch_list, &head->batch_list);
spin_unlock(&head->batch_head->batch_lock);
@@ -69,3 +70,6 @@ Signed-off-by: Shaohua Li <shli@fb.com>
} else {
head->batch_head = head;
sh->batch_head = head->batch_head;
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-007-md-raid5-preserve-STRIPE_ON_UNPLUG_LIST-in-bre.patch b/patches.kernel.org/4.4.90-007-md-raid5-preserve-STRIPE_ON_UNPLUG_LIST-in-bre.patch
new file mode 100644
index 0000000000..6ecdeb0aa9
--- /dev/null
+++ b/patches.kernel.org/4.4.90-007-md-raid5-preserve-STRIPE_ON_UNPLUG_LIST-in-bre.patch
@@ -0,0 +1,54 @@
+From: Dennis Yang <dennisyang@qnap.com>
+Date: Wed, 6 Sep 2017 11:02:35 +0800
+Subject: [PATCH] md/raid5: preserve STRIPE_ON_UNPLUG_LIST in
+ break_stripe_batch_list
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 184a09eb9a2fe425e49c9538f1604b05ed33cfef
+
+commit 184a09eb9a2fe425e49c9538f1604b05ed33cfef upstream.
+
+In release_stripe_plug(), if a stripe_head has its STRIPE_ON_UNPLUG_LIST
+set, it indicates that this stripe_head is already in the raid5_plug_cb
+list and release_stripe() would be called instead to drop a reference
+count. Otherwise, the STRIPE_ON_UNPLUG_LIST bit would be set for this
+stripe_head and it will get queued into the raid5_plug_cb list.
+
+Since break_stripe_batch_list() did not preserve STRIPE_ON_UNPLUG_LIST,
+A stripe could be re-added to plug list while it is still on that list
+in the following situation. If stripe_head A is added to another
+stripe_head B's batch list, in this case A will have its
+batch_head != NULL and be added into the plug list. After that,
+stripe_head B gets handled and called break_stripe_batch_list() to
+reset all the batched stripe_head(including A which is still on
+the plug list)'s state and reset their batch_head to NULL.
+Before the plug list gets processed, if there is another write request
+comes in and get stripe_head A, A will have its batch_head == NULL
+(cleared by calling break_stripe_batch_list() on B) and be added to
+plug list once again.
+
+Signed-off-by: Dennis Yang <dennisyang@qnap.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/md/raid5.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index dfd07cc1d167..d55bf85b76ce 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -4264,7 +4264,8 @@ static void break_stripe_batch_list(struct stripe_head *head_sh,
+
+ set_mask_bits(&sh->state, ~(STRIPE_EXPAND_SYNC_FLAGS |
+ (1 << STRIPE_PREREAD_ACTIVE) |
+- (1 << STRIPE_DEGRADED)),
++ (1 << STRIPE_DEGRADED) |
++ (1 << STRIPE_ON_UNPLUG_LIST)),
+ head_sh->state & (1 << STRIPE_INSYNC));
+
+ sh->check_state = head_sh->check_state;
+--
+2.14.2
+
diff --git a/patches.drivers/scsi-scsi_transport_iscsi-fix-the-issue-that.patch b/patches.kernel.org/4.4.90-008-scsi-scsi_transport_iscsi-fix-the-issue-that-i.patch
index 6341511b5f..69fdc1b49c 100644
--- a/patches.drivers/scsi-scsi_transport_iscsi-fix-the-issue-that.patch
+++ b/patches.kernel.org/4.4.90-008-scsi-scsi_transport_iscsi-fix-the-issue-that-i.patch
@@ -1,12 +1,13 @@
From: Xin Long <lucien.xin@gmail.com>
Date: Sun, 27 Aug 2017 20:25:26 +0800
Subject: [PATCH] scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx
- doesn't parse nlmsg properly
-Patch-mainline: Queued in subsystem maintainer repository
-References: bsc#1059051 CVE-2017-14489
-Git-repo: git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git branch 4.14/scsi-fixes
+ doesn't parse nlmsg properly
+Patch-mainline: 4.4.90
+References: CVE-2017-14489 bnc#1012382 bsc#1059051
Git-commit: c88f0e6b06f4092995688211a631bb436125d77b
+commit c88f0e6b06f4092995688211a631bb436125d77b upstream.
+
ChunYu found a kernel crash by syzkaller:
[ 651.617875] kasan: CONFIG_KASAN_INLINE enabled
@@ -42,16 +43,17 @@ Reported-by: ChunYu Wang <chunwang@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Chris Leech <cleech@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Acked-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
drivers/scsi/scsi_transport_iscsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
-index 8934f19bce8e..0190aeff5f7f 100644
+index e4b3d8f4fd85..bb4ed7b1f5df 100644
--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
-@@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb)
+@@ -3697,7 +3697,7 @@ iscsi_if_rx(struct sk_buff *skb)
uint32_t group;
nlh = nlmsg_hdr(skb);
@@ -61,6 +63,5 @@ index 8934f19bce8e..0190aeff5f7f 100644
break;
}
--
-2.12.3
-
+2.14.2
diff --git a/patches.kernel.org/4.4.90-009-crypto-talitos-Don-t-provide-setkey-for-non-hm.patch b/patches.kernel.org/4.4.90-009-crypto-talitos-Don-t-provide-setkey-for-non-hm.patch
new file mode 100644
index 0000000000..15df6dcc02
--- /dev/null
+++ b/patches.kernel.org/4.4.90-009-crypto-talitos-Don-t-provide-setkey-for-non-hm.patch
@@ -0,0 +1,48 @@
+From: LEROY Christophe <christophe.leroy@c-s.fr>
+Date: Tue, 12 Sep 2017 11:03:39 +0200
+Subject: [PATCH] crypto: talitos - Don't provide setkey for non hmac hashing
+ algs.
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 56136631573baa537a15e0012055ffe8cfec1a33
+
+commit 56136631573baa537a15e0012055ffe8cfec1a33 upstream.
+
+Today, md5sum fails with error -ENOKEY because a setkey
+function is set for non hmac hashing algs, see strace output below:
+
+mmap(NULL, 378880, PROT_READ, MAP_SHARED, 6, 0) = 0x77f50000
+accept(3, 0, NULL) = 7
+vmsplice(5, [{"bin/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 378880}], 1, SPLICE_F_MORE|SPLICE_F_GIFT) = 262144
+splice(4, NULL, 7, NULL, 262144, SPLICE_F_MORE) = -1 ENOKEY (Required key not available)
+write(2, "Generation of hash for file kcap"..., 50) = 50
+munmap(0x77f50000, 378880) = 0
+
+This patch ensures that setkey() function is set only
+for hmac hashing.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/crypto/talitos.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index 6a60936b46e0..00772faa5306 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -2770,7 +2770,8 @@ static struct talitos_crypto_alg *talitos_alg_alloc(struct device *dev,
+ t_alg->algt.alg.hash.final = ahash_final;
+ t_alg->algt.alg.hash.finup = ahash_finup;
+ t_alg->algt.alg.hash.digest = ahash_digest;
+- t_alg->algt.alg.hash.setkey = ahash_setkey;
++ if (!strncmp(alg->cra_name, "hmac", 4))
++ t_alg->algt.alg.hash.setkey = ahash_setkey;
+ t_alg->algt.alg.hash.import = ahash_import;
+ t_alg->algt.alg.hash.export = ahash_export;
+
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-010-crypto-talitos-fix-sha224.patch b/patches.kernel.org/4.4.90-010-crypto-talitos-fix-sha224.patch
new file mode 100644
index 0000000000..0f6a986c11
--- /dev/null
+++ b/patches.kernel.org/4.4.90-010-crypto-talitos-fix-sha224.patch
@@ -0,0 +1,44 @@
+From: LEROY Christophe <christophe.leroy@c-s.fr>
+Date: Wed, 13 Sep 2017 12:44:51 +0200
+Subject: [PATCH] crypto: talitos - fix sha224
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: afd62fa26343be6445479e75de9f07092a061459
+
+commit afd62fa26343be6445479e75de9f07092a061459 upstream.
+
+Kernel crypto tests report the following error at startup
+
+[ 2.752626] alg: hash: Test 4 failed for sha224-talitos
+[ 2.757907] 00000000: 30 e2 86 e2 e7 8a dd 0d d7 eb 9f d5 83 fe f1 b0
+00000010: 2d 5a 6c a5 f9 55 ea fd 0e 72 05 22
+
+This patch fixes it
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/crypto/talitos.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index 00772faa5306..62ce93568e11 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -1749,9 +1749,9 @@ static int common_nonsnoop_hash(struct talitos_edesc *edesc,
+ req_ctx->swinit = 0;
+ } else {
+ desc->ptr[1] = zero_entry;
+- /* Indicate next op is not the first. */
+- req_ctx->first = 0;
+ }
++ /* Indicate next op is not the first. */
++ req_ctx->first = 0;
+
+ /* HMAC key */
+ if (ctx->keylen)
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-011-KEYS-fix-writing-past-end-of-user-supplied-buf.patch b/patches.kernel.org/4.4.90-011-KEYS-fix-writing-past-end-of-user-supplied-buf.patch
new file mode 100644
index 0000000000..9f28b96f0d
--- /dev/null
+++ b/patches.kernel.org/4.4.90-011-KEYS-fix-writing-past-end-of-user-supplied-buf.patch
@@ -0,0 +1,72 @@
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 18 Sep 2017 11:36:45 -0700
+Subject: [PATCH] KEYS: fix writing past end of user-supplied buffer in
+ keyring_read()
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: e645016abc803dafc75e4b8f6e4118f088900ffb
+
+commit e645016abc803dafc75e4b8f6e4118f088900ffb upstream.
+
+Userspace can call keyctl_read() on a keyring to get the list of IDs of
+keys in the keyring. But if the user-supplied buffer is too small, the
+kernel would write the full list anyway --- which will corrupt whatever
+userspace memory happened to be past the end of the buffer. Fix it by
+only filling the space that is available.
+
+Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ security/keys/keyring.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+index f931ccfeefb0..262ed2a6b360 100644
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -416,7 +416,7 @@ static void keyring_describe(const struct key *keyring, struct seq_file *m)
+ }
+
+ struct keyring_read_iterator_context {
+- size_t qty;
++ size_t buflen;
+ size_t count;
+ key_serial_t __user *buffer;
+ };
+@@ -428,9 +428,9 @@ static int keyring_read_iterator(const void *object, void *data)
+ int ret;
+
+ kenter("{%s,%d},,{%zu/%zu}",
+- key->type->name, key->serial, ctx->count, ctx->qty);
++ key->type->name, key->serial, ctx->count, ctx->buflen);
+
+- if (ctx->count >= ctx->qty)
++ if (ctx->count >= ctx->buflen)
+ return 1;
+
+ ret = put_user(key->serial, ctx->buffer);
+@@ -465,16 +465,12 @@ static long keyring_read(const struct key *keyring,
+ return 0;
+
+ /* Calculate how much data we could return */
+- ctx.qty = nr_keys * sizeof(key_serial_t);
+-
+ if (!buffer || !buflen)
+- return ctx.qty;
+-
+- if (buflen > ctx.qty)
+- ctx.qty = buflen;
++ return nr_keys * sizeof(key_serial_t);
+
+ /* Copy the IDs of the subscribed keys into the buffer */
+ ctx.buffer = (key_serial_t __user *)buffer;
++ ctx.buflen = buflen;
+ ctx.count = 0;
+ ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx);
+ if (ret < 0) {
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-012-KEYS-prevent-creating-a-different-user-s-keyri.patch b/patches.kernel.org/4.4.90-012-KEYS-prevent-creating-a-different-user-s-keyri.patch
new file mode 100644
index 0000000000..65e53e71dd
--- /dev/null
+++ b/patches.kernel.org/4.4.90-012-KEYS-prevent-creating-a-different-user-s-keyri.patch
@@ -0,0 +1,164 @@
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 18 Sep 2017 11:37:03 -0700
+Subject: [PATCH] KEYS: prevent creating a different user's keyrings
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 237bbd29f7a049d310d907f4b2716a7feef9abf3
+
+commit 237bbd29f7a049d310d907f4b2716a7feef9abf3 upstream.
+
+It was possible for an unprivileged user to create the user and user
+session keyrings for another user. For example:
+
+ sudo -u '#3000' sh -c 'keyctl add keyring _uid.4000 "" @u
+ keyctl add keyring _uid_ses.4000 "" @u
+ sleep 15' &
+ sleep 1
+ sudo -u '#4000' keyctl describe @u
+ sudo -u '#4000' keyctl describe @us
+
+This is problematic because these "fake" keyrings won't have the right
+permissions. In particular, the user who created them first will own
+them and will have full access to them via the possessor permissions,
+which can be used to compromise the security of a user's keys:
+
+ -4: alswrv-----v------------ 3000 0 keyring: _uid.4000
+ -5: alswrv-----v------------ 3000 0 keyring: _uid_ses.4000
+
+Fix it by marking user and user session keyrings with a flag
+KEY_FLAG_UID_KEYRING. Then, when searching for a user or user session
+keyring by name, skip all keyrings that don't have the flag set.
+
+Fixes: 69664cf16af4 ("keys: don't generate user and user session keyrings unless they're accessed")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/linux/key.h | 2 ++
+ security/keys/internal.h | 2 +-
+ security/keys/key.c | 2 ++
+ security/keys/keyring.c | 23 ++++++++++++++---------
+ security/keys/process_keys.c | 8 ++++++--
+ 5 files changed, 25 insertions(+), 12 deletions(-)
+
+diff --git a/include/linux/key.h b/include/linux/key.h
+index 66f705243985..dcc115e8dd03 100644
+--- a/include/linux/key.h
++++ b/include/linux/key.h
+@@ -177,6 +177,7 @@ struct key {
+ #define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */
+ #define KEY_FLAG_BUILTIN 10 /* set if key is builtin */
+ #define KEY_FLAG_ROOT_CAN_INVAL 11 /* set if key can be invalidated by root without permission */
++#define KEY_FLAG_UID_KEYRING 12 /* set if key is a user or user session keyring */
+
+ /* the key type and key description string
+ * - the desc is used to match a key against search criteria
+@@ -218,6 +219,7 @@ extern struct key *key_alloc(struct key_type *type,
+ #define KEY_ALLOC_QUOTA_OVERRUN 0x0001 /* add to quota, permit even if overrun */
+ #define KEY_ALLOC_NOT_IN_QUOTA 0x0002 /* not in quota */
+ #define KEY_ALLOC_TRUSTED 0x0004 /* Key should be flagged as trusted */
++#define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */
+
+ extern void key_revoke(struct key *key);
+ extern void key_invalidate(struct key *key);
+diff --git a/security/keys/internal.h b/security/keys/internal.h
+index 5105c2c2da75..51ffb9cde073 100644
+--- a/security/keys/internal.h
++++ b/security/keys/internal.h
+@@ -136,7 +136,7 @@ extern key_ref_t keyring_search_aux(key_ref_t keyring_ref,
+ extern key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx);
+ extern key_ref_t search_process_keyrings(struct keyring_search_context *ctx);
+
+-extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check);
++extern struct key *find_keyring_by_name(const char *name, bool uid_keyring);
+
+ extern int install_user_keyrings(void);
+ extern int install_thread_keyring_to_cred(struct cred *);
+diff --git a/security/keys/key.c b/security/keys/key.c
+index 09c10b181881..51d23c623424 100644
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -296,6 +296,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
+ key->flags |= 1 << KEY_FLAG_IN_QUOTA;
+ if (flags & KEY_ALLOC_TRUSTED)
+ key->flags |= 1 << KEY_FLAG_TRUSTED;
++ if (flags & KEY_ALLOC_UID_KEYRING)
++ key->flags |= 1 << KEY_FLAG_UID_KEYRING;
+
+ #ifdef KEY_DEBUGGING
+ key->magic = KEY_DEBUG_MAGIC;
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+index 262ed2a6b360..0c8dd4fbe130 100644
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -961,15 +961,15 @@ key_ref_t find_key_to_update(key_ref_t keyring_ref,
+ /*
+ * Find a keyring with the specified name.
+ *
+- * All named keyrings in the current user namespace are searched, provided they
+- * grant Search permission directly to the caller (unless this check is
+- * skipped). Keyrings whose usage points have reached zero or who have been
+- * revoked are skipped.
++ * Only keyrings that have nonzero refcount, are not revoked, and are owned by a
++ * user in the current user namespace are considered. If @uid_keyring is %true,
++ * the keyring additionally must have been allocated as a user or user session
++ * keyring; otherwise, it must grant Search permission directly to the caller.
+ *
+ * Returns a pointer to the keyring with the keyring's refcount having being
+ * incremented on success. -ENOKEY is returned if a key could not be found.
+ */
+-struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
++struct key *find_keyring_by_name(const char *name, bool uid_keyring)
+ {
+ struct key *keyring;
+ int bucket;
+@@ -997,10 +997,15 @@ struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
+ if (strcmp(keyring->description, name) != 0)
+ continue;
+
+- if (!skip_perm_check &&
+- key_permission(make_key_ref(keyring, 0),
+- KEY_NEED_SEARCH) < 0)
+- continue;
++ if (uid_keyring) {
++ if (!test_bit(KEY_FLAG_UID_KEYRING,
++ &keyring->flags))
++ continue;
++ } else {
++ if (key_permission(make_key_ref(keyring, 0),
++ KEY_NEED_SEARCH) < 0)
++ continue;
++ }
+
+ /* we've got a match but we might end up racing with
+ * key_cleanup() if the keyring is currently 'dead'
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index 4ed909142956..7dd050f24261 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -76,7 +76,9 @@ int install_user_keyrings(void)
+ if (IS_ERR(uid_keyring)) {
+ uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID,
+ cred, user_keyring_perm,
+- KEY_ALLOC_IN_QUOTA, NULL);
++ KEY_ALLOC_UID_KEYRING |
++ KEY_ALLOC_IN_QUOTA,
++ NULL);
+ if (IS_ERR(uid_keyring)) {
+ ret = PTR_ERR(uid_keyring);
+ goto error;
+@@ -92,7 +94,9 @@ int install_user_keyrings(void)
+ session_keyring =
+ keyring_alloc(buf, user->uid, INVALID_GID,
+ cred, user_keyring_perm,
+- KEY_ALLOC_IN_QUOTA, NULL);
++ KEY_ALLOC_UID_KEYRING |
++ KEY_ALLOC_IN_QUOTA,
++ NULL);
+ if (IS_ERR(session_keyring)) {
+ ret = PTR_ERR(session_keyring);
+ goto error_release;
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-013-KEYS-prevent-KEYCTL_READ-on-negative-key.patch b/patches.kernel.org/4.4.90-013-KEYS-prevent-KEYCTL_READ-on-negative-key.patch
new file mode 100644
index 0000000000..7a3a9cdbc1
--- /dev/null
+++ b/patches.kernel.org/4.4.90-013-KEYS-prevent-KEYCTL_READ-on-negative-key.patch
@@ -0,0 +1,85 @@
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 18 Sep 2017 11:37:23 -0700
+Subject: [PATCH] KEYS: prevent KEYCTL_READ on negative key
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 37863c43b2c6464f252862bf2e9768264e961678
+
+commit 37863c43b2c6464f252862bf2e9768264e961678 upstream.
+
+Because keyctl_read_key() looks up the key with no permissions
+requested, it may find a negatively instantiated key. If the key is
+also possessed, we went ahead and called ->read() on the key. But the
+key payload will actually contain the ->reject_error rather than the
+normal payload. Thus, the kernel oopses trying to read the
+user_key_payload from memory address (int)-ENOKEY = 0x00000000ffffff82.
+
+Fortunately the payload data is stored inline, so it shouldn't be
+possible to abuse this as an arbitrary memory read primitive...
+
+Reproducer:
+ keyctl new_session
+ keyctl request2 user desc '' @s
+ keyctl read $(keyctl show | awk '/user: desc/ {print $1}')
+
+It causes a crash like the following:
+ BUG: unable to handle kernel paging request at 00000000ffffff92
+ IP: user_read+0x33/0xa0
+ PGD 36a54067 P4D 36a54067 PUD 0
+ Oops: 0000 [#1] SMP
+ CPU: 0 PID: 211 Comm: keyctl Not tainted 4.14.0-rc1 #337
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
+ task: ffff90aa3b74c3c0 task.stack: ffff9878c0478000
+ RIP: 0010:user_read+0x33/0xa0
+ RSP: 0018:ffff9878c047bee8 EFLAGS: 00010246
+ RAX: 0000000000000001 RBX: ffff90aa3d7da340 RCX: 0000000000000017
+ RDX: 0000000000000000 RSI: 00000000ffffff82 RDI: ffff90aa3d7da340
+ RBP: ffff9878c047bf00 R08: 00000024f95da94f R09: 0000000000000000
+ R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
+ R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ FS: 00007f58ece69740(0000) GS:ffff90aa3e200000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00000000ffffff92 CR3: 0000000036adc001 CR4: 00000000003606f0
+ Call Trace:
+ keyctl_read_key+0xac/0xe0
+ SyS_keyctl+0x99/0x120
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+ RIP: 0033:0x7f58ec787bb9
+ RSP: 002b:00007ffc8d401678 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
+ RAX: ffffffffffffffda RBX: 00007ffc8d402800 RCX: 00007f58ec787bb9
+ RDX: 0000000000000000 RSI: 00000000174a63ac RDI: 000000000000000b
+ RBP: 0000000000000004 R08: 00007ffc8d402809 R09: 0000000000000020
+ R10: 0000000000000000 R11: 0000000000000206 R12: 00007ffc8d402800
+ R13: 00007ffc8d4016e0 R14: 0000000000000000 R15: 0000000000000000
+ Code: e5 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb e8 a4 b4 ad ff 85 c0 74 09 80 3d b9 4c 96 00 00 74 43 48 8b b3 20 01 00 00 4d 85 ed <0f> b7 5e 10 74 29 4d 85 e4 74 24 4c 39 e3 4c 89 e2 4c 89 ef 48
+ RIP: user_read+0x33/0xa0 RSP: ffff9878c047bee8
+ CR2: 00000000ffffff92
+
+Fixes: 61ea0c0ba904 ("KEYS: Skip key state checks when checking for possession")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ security/keys/keyctl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
+index 671709d8610d..a009dc66eb8f 100644
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -738,6 +738,11 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
+
+ key = key_ref_to_ptr(key_ref);
+
++ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
++ ret = -ENOKEY;
++ goto error2;
++ }
++
+ /* see if we can read it directly */
+ ret = key_permission(key_ref, KEY_NEED_READ);
+ if (ret == 0)
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-014-powerpc-pseries-Fix-parent_dn-reference-leak-i.patch b/patches.kernel.org/4.4.90-014-powerpc-pseries-Fix-parent_dn-reference-leak-i.patch
new file mode 100644
index 0000000000..58fb4f8229
--- /dev/null
+++ b/patches.kernel.org/4.4.90-014-powerpc-pseries-Fix-parent_dn-reference-leak-i.patch
@@ -0,0 +1,45 @@
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Date: Wed, 20 Sep 2017 17:02:52 -0400
+Subject: [PATCH] powerpc/pseries: Fix parent_dn reference leak in
+ add_dt_node()
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: b537ca6fede69a281dc524983e5e633d79a10a08
+
+commit b537ca6fede69a281dc524983e5e633d79a10a08 upstream.
+
+A reference to the parent device node is held by add_dt_node() for the
+node to be added. If the call to dlpar_configure_connector() fails
+add_dt_node() returns ENOENT and that reference is not freed.
+
+Add a call to of_node_put(parent_dn) prior to bailing out after a
+failed dlpar_configure_connector() call.
+
+Fixes: 8d5ff320766f ("powerpc/pseries: Make dlpar_configure_connector parent node aware")
+Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/powerpc/platforms/pseries/mobility.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/pseries/mobility.c
+index ceb18d349459..8dd0c8edefd6 100644
+--- a/arch/powerpc/platforms/pseries/mobility.c
++++ b/arch/powerpc/platforms/pseries/mobility.c
+@@ -225,8 +225,10 @@ static int add_dt_node(__be32 parent_phandle, __be32 drc_index)
+ return -ENOENT;
+
+ dn = dlpar_configure_connector(drc_index, parent_dn);
+- if (!dn)
++ if (!dn) {
++ of_node_put(parent_dn);
+ return -ENOENT;
++ }
+
+ rc = dlpar_attach_node(dn);
+ if (rc)
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-015-Fix-SMB3.1.1-guest-authentication-to-Samba.patch b/patches.kernel.org/4.4.90-015-Fix-SMB3.1.1-guest-authentication-to-Samba.patch
new file mode 100644
index 0000000000..4d4e368996
--- /dev/null
+++ b/patches.kernel.org/4.4.90-015-Fix-SMB3.1.1-guest-authentication-to-Samba.patch
@@ -0,0 +1,37 @@
+From: Steve French <smfrench@gmail.com>
+Date: Mon, 18 Sep 2017 18:18:45 -0500
+Subject: [PATCH] Fix SMB3.1.1 guest authentication to Samba
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 23586b66d84ba3184b8820277f3fc42761640f87
+
+commit 23586b66d84ba3184b8820277f3fc42761640f87 upstream.
+
+Samba rejects SMB3.1.1 dialect (vers=3.1.1) negotiate requests from
+the kernel client due to the two byte pad at the end of the negotiate
+contexts.
+
+Signed-off-by: Steve French <smfrench@gmail.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/cifs/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index 6c484ddf26a9..7123289787d8 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -361,7 +361,7 @@ assemble_neg_contexts(struct smb2_negotiate_req *req)
+ build_encrypt_ctxt((struct smb2_encryption_neg_context *)pneg_ctxt);
+ req->NegotiateContextOffset = cpu_to_le32(OFFSET_OF_NEG_CONTEXT);
+ req->NegotiateContextCount = cpu_to_le16(2);
+- inc_rfc1001_len(req, 4 + sizeof(struct smb2_preauth_neg_context) + 2
++ inc_rfc1001_len(req, 4 + sizeof(struct smb2_preauth_neg_context)
+ + sizeof(struct smb2_encryption_neg_context)); /* calculate hash */
+ }
+ #else
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-016-SMB-Validate-negotiate-to-protect-against-down.patch b/patches.kernel.org/4.4.90-016-SMB-Validate-negotiate-to-protect-against-down.patch
new file mode 100644
index 0000000000..01c4186871
--- /dev/null
+++ b/patches.kernel.org/4.4.90-016-SMB-Validate-negotiate-to-protect-against-down.patch
@@ -0,0 +1,62 @@
+From: Steve French <smfrench@gmail.com>
+Date: Wed, 20 Sep 2017 19:57:18 -0500
+Subject: [PATCH] SMB: Validate negotiate (to protect against downgrade) even
+ if signing off
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 0603c96f3af50e2f9299fa410c224ab1d465e0f9
+
+commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9 upstream.
+
+As long as signing is supported (ie not a guest user connection) and
+connection is SMB3 or SMB3.02, then validate negotiate (protect
+against man in the middle downgrade attacks). We had been doing this
+only when signing was required, not when signing was just enabled,
+but this more closely matches recommended SMB3 behavior and is
+better security. Suggested by Metze.
+
+Signed-off-by: Steve French <smfrench@gmail.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Acked-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/cifs/smb2pdu.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index 7123289787d8..f2ff60e58ec8 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -526,15 +526,22 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
+
+ /*
+ * validation ioctl must be signed, so no point sending this if we
+- * can not sign it. We could eventually change this to selectively
++ * can not sign it (ie are not known user). Even if signing is not
++ * required (enabled but not negotiated), in those cases we selectively
+ * sign just this, the first and only signed request on a connection.
+- * This is good enough for now since a user who wants better security
+- * would also enable signing on the mount. Having validation of
+- * negotiate info for signed connections helps reduce attack vectors
++ * Having validation of negotiate info helps reduce attack vectors.
+ */
+- if (tcon->ses->server->sign == false)
++ if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_GUEST)
+ return 0; /* validation requires signing */
+
++ if (tcon->ses->user_name == NULL) {
++ cifs_dbg(FYI, "Can't validate negotiate: null user mount\n");
++ return 0; /* validation requires signing */
++ }
++
++ if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL)
++ cifs_dbg(VFS, "Unexpected null user (anonymous) auth flag sent by server\n");
++
+ vneg_inbuf.Capabilities =
+ cpu_to_le32(tcon->ses->server->vals->req_capabilities);
+ memcpy(vneg_inbuf.Guid, tcon->ses->server->client_guid,
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-017-SMB3-Don-t-ignore-O_SYNC-O_DSYNC-and-O_DIRECT-.patch b/patches.kernel.org/4.4.90-017-SMB3-Don-t-ignore-O_SYNC-O_DSYNC-and-O_DIRECT-.patch
new file mode 100644
index 0000000000..07e54e6cce
--- /dev/null
+++ b/patches.kernel.org/4.4.90-017-SMB3-Don-t-ignore-O_SYNC-O_DSYNC-and-O_DIRECT-.patch
@@ -0,0 +1,39 @@
+From: Steve French <smfrench@gmail.com>
+Date: Fri, 22 Sep 2017 01:40:27 -0500
+Subject: [PATCH] SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 1013e760d10e614dc10b5624ce9fc41563ba2e65
+
+commit 1013e760d10e614dc10b5624ce9fc41563ba2e65 upstream.
+
+Signed-off-by: Steve French <smfrench@gmail.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/cifs/file.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/cifs/file.c b/fs/cifs/file.c
+index a0c0a49b6620..ec2d07bb9beb 100644
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -224,6 +224,13 @@ cifs_nt_open(char *full_path, struct inode *inode, struct cifs_sb_info *cifs_sb,
+ if (backup_cred(cifs_sb))
+ create_options |= CREATE_OPEN_BACKUP_INTENT;
+
++ /* O_SYNC also has bit for O_DSYNC so following check picks up either */
++ if (f_flags & O_SYNC)
++ create_options |= CREATE_WRITE_THROUGH;
++
++ if (f_flags & O_DIRECT)
++ create_options |= CREATE_NO_BUFFER;
++
+ oparms.tcon = tcon;
+ oparms.cifs_sb = cifs_sb;
+ oparms.desired_access = desired_access;
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-018-vfs-Return-ENXIO-for-negative-SEEK_HOLE-SEEK_D.patch b/patches.kernel.org/4.4.90-018-vfs-Return-ENXIO-for-negative-SEEK_HOLE-SEEK_D.patch
new file mode 100644
index 0000000000..53631254a2
--- /dev/null
+++ b/patches.kernel.org/4.4.90-018-vfs-Return-ENXIO-for-negative-SEEK_HOLE-SEEK_D.patch
@@ -0,0 +1,49 @@
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Mon, 25 Sep 2017 12:23:03 +0200
+Subject: [PATCH] vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: fc46820b27a2d9a46f7e90c9ceb4a64a1bc5fab8
+
+commit fc46820b27a2d9a46f7e90c9ceb4a64a1bc5fab8 upstream.
+
+In generic_file_llseek_size, return -ENXIO for negative offsets as well
+as offsets beyond EOF. This affects filesystems which don't implement
+SEEK_HOLE / SEEK_DATA internally, possibly because they don't support
+holes.
+
+Fixes xfstest generic/448.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/read_write.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/read_write.c b/fs/read_write.c
+index 819ef3faf1bb..bfd1a5dddf6e 100644
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -112,7 +112,7 @@ generic_file_llseek_size(struct file *file, loff_t offset, int whence,
+ * In the generic case the entire file is data, so as long as
+ * offset isn't at the end of the file then the offset is data.
+ */
+- if (offset >= eof)
++ if ((unsigned long long)offset >= eof)
+ return -ENXIO;
+ break;
+ case SEEK_HOLE:
+@@ -120,7 +120,7 @@ generic_file_llseek_size(struct file *file, loff_t offset, int whence,
+ * There is a virtual hole at the end of the file, so as long as
+ * offset isn't i_size or larger, return i_size.
+ */
+- if (offset >= eof)
++ if ((unsigned long long)offset >= eof)
+ return -ENXIO;
+ offset = eof;
+ break;
+--
+2.14.2
+
diff --git a/patches.fixes/nl80211-check-for-the-required-netlink-attributes-pr.patch b/patches.kernel.org/4.4.90-019-nl80211-check-for-the-required-netlink-attribu.patch
index 2a2eaaf0f7..defa0382f1 100644
--- a/patches.fixes/nl80211-check-for-the-required-netlink-attributes-pr.patch
+++ b/patches.kernel.org/4.4.90-019-nl80211-check-for-the-required-netlink-attribu.patch
@@ -1,11 +1,11 @@
-From 18fcba9922c4fd90c3798d3d62e798d62aeeec74 Mon Sep 17 00:00:00 2001
From: Vladis Dronov <vdronov@redhat.com>
-Date: Sat, 16 Sep 2017 02:35:10 -0700
+Date: Wed, 13 Sep 2017 00:21:21 +0200
Subject: [PATCH] nl80211: check for the required netlink attributes presence
-References: bsc#1058410 CVE-2017-12153
-Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
+Patch-mainline: 4.4.90
+References: CVE-2017-12153 bnc#1012382 bsc#1058410
Git-commit: e785fa0a164aa11001cba931367c7f94ffaff888
-Patch-mainline: Queued in subsystem maintainer repo
+
+commit e785fa0a164aa11001cba931367c7f94ffaff888 upstream.
nl80211_set_rekey_data() does not check if the required attributes
NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
@@ -18,19 +18,20 @@ This fixes CVE-2017-12153.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
-Cc: <stable@vger.kernel.org> # v3.1-rc1
Reported-by: bo Zhang <zhangbo5891001@gmail.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
-Signed-off-by: Luis R. Rodriguez <mcgrof@suse.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
net/wireless/nl80211.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
-index 626dc3b5fd8d..2aec75b86b48 100644
+index de10e3c0e2a4..8ece212aa3d2 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
-@@ -8483,6 +8483,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
+@@ -9786,6 +9786,9 @@ static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
if (err)
return err;
@@ -41,5 +42,5 @@ index 626dc3b5fd8d..2aec75b86b48 100644
return -ERANGE;
if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
--
-2.14.0
+2.14.2
diff --git a/patches.kernel.org/4.4.90-020-bsg-lib-don-t-free-job-in-bsg_prepare_job.patch b/patches.kernel.org/4.4.90-020-bsg-lib-don-t-free-job-in-bsg_prepare_job.patch
new file mode 100644
index 0000000000..02303adad6
--- /dev/null
+++ b/patches.kernel.org/4.4.90-020-bsg-lib-don-t-free-job-in-bsg_prepare_job.patch
@@ -0,0 +1,36 @@
+From: Christoph Hellwig <hch@lst.de>
+Date: Thu, 7 Sep 2017 13:54:35 +0200
+Subject: [PATCH] bsg-lib: don't free job in bsg_prepare_job
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: f507b54dccfd8000c517d740bc45f20c74532d18
+
+commit f507b54dccfd8000c517d740bc45f20c74532d18 upstream.
+
+The job structure is allocated as part of the request, so we should not
+free it in the error path of bsg_prepare_job.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ block/bsg-lib.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/block/bsg-lib.c b/block/bsg-lib.c
+index 650f427d915b..341b8d858e67 100644
+--- a/block/bsg-lib.c
++++ b/block/bsg-lib.c
+@@ -147,7 +147,6 @@ static int bsg_create_job(struct device *dev, struct request *req)
+ failjob_rls_rqst_payload:
+ kfree(job->request_payload.sg_list);
+ failjob_rls_job:
+- kfree(job);
+ return -ENOMEM;
+ }
+
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-021-seccomp-fix-the-usage-of-get-put_seccomp_filte.patch b/patches.kernel.org/4.4.90-021-seccomp-fix-the-usage-of-get-put_seccomp_filte.patch
new file mode 100644
index 0000000000..32c4c32420
--- /dev/null
+++ b/patches.kernel.org/4.4.90-021-seccomp-fix-the-usage-of-get-put_seccomp_filte.patch
@@ -0,0 +1,97 @@
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Wed, 27 Sep 2017 09:25:30 -0600
+Subject: [PATCH] seccomp: fix the usage of get/put_seccomp_filter() in
+ seccomp_get_filter()
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 66a733ea6b611aecf0119514d2dddab5f9d6c01e
+
+commit 66a733ea6b611aecf0119514d2dddab5f9d6c01e upstream.
+
+As Chris explains, get_seccomp_filter() and put_seccomp_filter() can end
+up using different filters. Once we drop ->siglock it is possible for
+task->seccomp.filter to have been replaced by SECCOMP_FILTER_FLAG_TSYNC.
+
+Fixes: f8e529ed941b ("seccomp, ptrace: add support for dumping seccomp filters")
+Reported-by: Chris Salls <chrissalls5@gmail.com>
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+[tycho: add __get_seccomp_filter vs. open coding refcount_inc()]
+Signed-off-by: Tycho Andersen <tycho@docker.com>
+[kees: tweak commit log]
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/seccomp.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/kernel/seccomp.c b/kernel/seccomp.c
+index 15a1795bbba1..efd384f3f852 100644
+--- a/kernel/seccomp.c
++++ b/kernel/seccomp.c
+@@ -457,14 +457,19 @@ static long seccomp_attach_filter(unsigned int flags,
+ return 0;
+ }
+
++void __get_seccomp_filter(struct seccomp_filter *filter)
++{
++ /* Reference count is bounded by the number of total processes. */
++ atomic_inc(&filter->usage);
++}
++
+ /* get_seccomp_filter - increments the reference count of the filter on @tsk */
+ void get_seccomp_filter(struct task_struct *tsk)
+ {
+ struct seccomp_filter *orig = tsk->seccomp.filter;
+ if (!orig)
+ return;
+- /* Reference count is bounded by the number of total processes. */
+- atomic_inc(&orig->usage);
++ __get_seccomp_filter(orig);
+ }
+
+ static inline void seccomp_filter_free(struct seccomp_filter *filter)
+@@ -475,10 +480,8 @@ static inline void seccomp_filter_free(struct seccomp_filter *filter)
+ }
+ }
+
+-/* put_seccomp_filter - decrements the ref count of tsk->seccomp.filter */
+-void put_seccomp_filter(struct task_struct *tsk)
++static void __put_seccomp_filter(struct seccomp_filter *orig)
+ {
+- struct seccomp_filter *orig = tsk->seccomp.filter;
+ /* Clean up single-reference branches iteratively. */
+ while (orig && atomic_dec_and_test(&orig->usage)) {
+ struct seccomp_filter *freeme = orig;
+@@ -487,6 +490,12 @@ void put_seccomp_filter(struct task_struct *tsk)
+ }
+ }
+
++/* put_seccomp_filter - decrements the ref count of tsk->seccomp.filter */
++void put_seccomp_filter(struct task_struct *tsk)
++{
++ __put_seccomp_filter(tsk->seccomp.filter);
++}
++
+ /**
+ * seccomp_send_sigsys - signals the task to allow in-process syscall emulation
+ * @syscall: syscall number to send to userland
+@@ -927,13 +936,13 @@ long seccomp_get_filter(struct task_struct *task, unsigned long filter_off,
+ if (!data)
+ goto out;
+
+- get_seccomp_filter(task);
++ __get_seccomp_filter(filter);
+ spin_unlock_irq(&task->sighand->siglock);
+
+ if (copy_to_user(data, fprog->filter, bpf_classic_proglen(fprog)))
+ ret = -EFAULT;
+
+- put_seccomp_filter(task);
++ __put_seccomp_filter(filter);
+ return ret;
+
+ out:
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-022-arm64-Make-sure-SPsel-is-always-set.patch b/patches.kernel.org/4.4.90-022-arm64-Make-sure-SPsel-is-always-set.patch
new file mode 100644
index 0000000000..2edf9d3739
--- /dev/null
+++ b/patches.kernel.org/4.4.90-022-arm64-Make-sure-SPsel-is-always-set.patch
@@ -0,0 +1,45 @@
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Tue, 26 Sep 2017 15:57:16 +0100
+Subject: [PATCH] arm64: Make sure SPsel is always set
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 5371513fb338fb9989c569dc071326d369d6ade8
+
+commit 5371513fb338fb9989c569dc071326d369d6ade8 upstream.
+
+When the kernel is entered at EL2 on an ARMv8.0 system, we construct
+the EL1 pstate and make sure this uses the the EL1 stack pointer
+(we perform an exception return to EL1h).
+
+But if the kernel is either entered at EL1 or stays at EL2 (because
+we're on a VHE-capable system), we fail to set SPsel, and use whatever
+stack selection the higher exception level has choosen for us.
+
+Let's not take any chance, and make sure that SPsel is set to one
+before we decide the mode we're going to run in.
+
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm64/kernel/head.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
+index 20ceb5edf7b8..d019c3a58cc2 100644
+--- a/arch/arm64/kernel/head.S
++++ b/arch/arm64/kernel/head.S
+@@ -446,6 +446,7 @@ ENDPROC(__mmap_switched)
+ * booted in EL1 or EL2 respectively.
+ */
+ ENTRY(el2_setup)
++ msr SPsel, #1 // We want to use SP_EL{1,2}
+ mrs x0, CurrentEL
+ cmp x0, #CurrentEL_EL2
+ b.ne 1f
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-023-arm64-fault-Route-pte-translation-faults-via-d.patch b/patches.kernel.org/4.4.90-023-arm64-fault-Route-pte-translation-faults-via-d.patch
new file mode 100644
index 0000000000..7c82dffc01
--- /dev/null
+++ b/patches.kernel.org/4.4.90-023-arm64-fault-Route-pte-translation-faults-via-d.patch
@@ -0,0 +1,71 @@
+From: Will Deacon <will.deacon@arm.com>
+Date: Fri, 29 Sep 2017 12:27:41 +0100
+Subject: [PATCH] arm64: fault: Route pte translation faults via
+ do_translation_fault
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 760bfb47c36a07741a089bf6a28e854ffbee7dc9
+
+commit 760bfb47c36a07741a089bf6a28e854ffbee7dc9 upstream.
+
+We currently route pte translation faults via do_page_fault, which elides
+the address check against TASK_SIZE before invoking the mm fault handling
+code. However, this can cause issues with the path walking code in
+conjunction with our word-at-a-time implementation because
+load_unaligned_zeropad can end up faulting in kernel space if it reads
+across a page boundary and runs into a page fault (e.g. by attempting to
+read from a guard region).
+
+In the case of such a fault, load_unaligned_zeropad has registered a
+fixup to shift the valid data and pad with zeroes, however the abort is
+reported as a level 3 translation fault and we dispatch it straight to
+do_page_fault, despite it being a kernel address. This results in calling
+a sleeping function from atomic context:
+
+ BUG: sleeping function called from invalid context at arch/arm64/mm/fault.c:313
+ in_atomic(): 0, irqs_disabled(): 0, pid: 10290
+ Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+ [...]
+ [<ffffff8e016cd0cc>] ___might_sleep+0x134/0x144
+ [<ffffff8e016cd158>] __might_sleep+0x7c/0x8c
+ [<ffffff8e016977f0>] do_page_fault+0x140/0x330
+ [<ffffff8e01681328>] do_mem_abort+0x54/0xb0
+ Exception stack(0xfffffffb20247a70 to 0xfffffffb20247ba0)
+ [...]
+ [<ffffff8e016844fc>] el1_da+0x18/0x78
+ [<ffffff8e017f399c>] path_parentat+0x44/0x88
+ [<ffffff8e017f4c9c>] filename_parentat+0x5c/0xd8
+ [<ffffff8e017f5044>] filename_create+0x4c/0x128
+ [<ffffff8e017f59e4>] SyS_mkdirat+0x50/0xc8
+ [<ffffff8e01684e30>] el0_svc_naked+0x24/0x28
+ Code: 36380080 d5384100 f9400800 9402566d (d4210000)
+ ---[ end trace 2d01889f2bca9b9f ]---
+
+Fix this by dispatching all translation faults to do_translation_faults,
+which avoids invoking the page fault logic for faults on kernel addresses.
+
+Reported-by: Ankit Jain <ankijain@codeaurora.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm64/mm/fault.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
+index 7fabf49f2aeb..86485415c5f0 100644
+--- a/arch/arm64/mm/fault.c
++++ b/arch/arm64/mm/fault.c
+@@ -447,7 +447,7 @@ static struct fault_info {
+ { do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 0 translation fault" },
+ { do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 1 translation fault" },
+ { do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 2 translation fault" },
+- { do_page_fault, SIGSEGV, SEGV_MAPERR, "level 3 translation fault" },
++ { do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 3 translation fault" },
+ { do_bad, SIGBUS, 0, "unknown 8" },
+ { do_page_fault, SIGSEGV, SEGV_ACCERR, "level 1 access flag fault" },
+ { do_page_fault, SIGSEGV, SEGV_ACCERR, "level 2 access flag fault" },
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-024-KVM-VMX-Do-not-BUG-on-out-of-bounds-guest-IRQ.patch b/patches.kernel.org/4.4.90-024-KVM-VMX-Do-not-BUG-on-out-of-bounds-guest-IRQ.patch
new file mode 100644
index 0000000000..ef56a85602
--- /dev/null
+++ b/patches.kernel.org/4.4.90-024-KVM-VMX-Do-not-BUG-on-out-of-bounds-guest-IRQ.patch
@@ -0,0 +1,62 @@
+From: =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= <jschoenh@amazon.de>
+Date: Thu, 7 Sep 2017 19:02:30 +0100
+Subject: [PATCH] KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Patch-mainline: 4.4.90
+References: CVE-2017-1000252 bnc#1012382 bsc#1058038
+Git-commit: 3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb
+
+commit 3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb upstream.
+
+The value of the guest_irq argument to vmx_update_pi_irte() is
+ultimately coming from a KVM_IRQFD API call. Do not BUG() in
+vmx_update_pi_irte() if the value is out-of bounds. (Especially,
+since KVM as a whole seems to hang after that.)
+
+Instead, print a message only once if we find that we don't have a
+route for a certain IRQ (which can be out-of-bounds or within the
+array).
+
+This fixes CVE-2017-1000252.
+
+Fixes: efc644048ecde54 ("KVM: x86: Update IRTE for posted-interrupts")
+Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/kvm/vmx.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index b12391119ce8..bd3407a7a9ee 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -10755,7 +10755,7 @@ static int vmx_update_pi_irte(struct kvm *kvm, unsigned int host_irq,
+ struct kvm_lapic_irq irq;
+ struct kvm_vcpu *vcpu;
+ struct vcpu_data vcpu_info;
+- int idx, ret = -EINVAL;
++ int idx, ret = 0;
+
+ if (!kvm_arch_has_assigned_device(kvm) ||
+ !irq_remapping_cap(IRQ_POSTING_CAP))
+@@ -10763,7 +10763,12 @@ static int vmx_update_pi_irte(struct kvm *kvm, unsigned int host_irq,
+
+ idx = srcu_read_lock(&kvm->irq_srcu);
+ irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
+- BUG_ON(guest_irq >= irq_rt->nr_rt_entries);
++ if (guest_irq >= irq_rt->nr_rt_entries ||
++ hlist_empty(&irq_rt->map[guest_irq])) {
++ pr_warn_once("no route for guest_irq %u/%u (broken user space?)\n",
++ guest_irq, irq_rt->nr_rt_entries);
++ goto out;
++ }
+
+ hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) {
+ if (e->type != KVM_IRQ_ROUTING_MSI)
+--
+2.14.2
+
diff --git a/patches.fixes/0001-kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch b/patches.kernel.org/4.4.90-025-kvm-nVMX-Don-t-allow-L2-to-access-the-hardware.patch
index 1ed6a730cb..3d40674925 100644
--- a/patches.fixes/0001-kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch
+++ b/patches.kernel.org/4.4.90-025-kvm-nVMX-Don-t-allow-L2-to-access-the-hardware.patch
@@ -1,8 +1,11 @@
From: Jim Mattson <jmattson@google.com>
Date: Tue, 12 Sep 2017 13:02:54 -0700
Subject: [PATCH] kvm: nVMX: Don't allow L2 to access the hardware CR8
-Patch-mainline: Not yet, CVE fix
-References: bsc#1058507, CVE-2017-12154
+References: bnc#1012382 bsc#1058507 CVE-2017-12154
+Patch-mainline: 4.4.90
+Git-commit: 51aa68e7d57e3217192d88ce90fd5b8ef29ec94f
+
+commit 51aa68e7d57e3217192d88ce90fd5b8ef29ec94f upstream.
If L1 does not specify the "use TPR shadow" VM-execution control in
vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
@@ -12,14 +15,19 @@ the L2 VM unrestricted read/write access to the hardware CR8.
This fixes CVE-2017-12154.
Signed-off-by: Jim Mattson <jmattson@google.com>
-Acked-by: Joerg Roedel <jroedel@suse.de>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
arch/x86/kvm/vmx.c | 5 +++++
1 file changed, 5 insertions(+)
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index bd3407a7a9ee..ee7ae9e937b2 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
-@@ -9661,6 +9661,11 @@ static void prepare_vmcs02(struct kvm_vc
+@@ -9683,6 +9683,11 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
vmcs_write64(VIRTUAL_APIC_PAGE_ADDR,
page_to_phys(vmx->nested.virtual_apic_page));
vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold);
@@ -31,3 +39,6 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
}
if (cpu_has_vmx_msr_bitmap() &&
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-026-PCI-Fix-race-condition-with-driver_override.patch b/patches.kernel.org/4.4.90-026-PCI-Fix-race-condition-with-driver_override.patch
new file mode 100644
index 0000000000..f00756942a
--- /dev/null
+++ b/patches.kernel.org/4.4.90-026-PCI-Fix-race-condition-with-driver_override.patch
@@ -0,0 +1,71 @@
+From: Nicolai Stange <nstange@suse.de>
+Date: Mon, 11 Sep 2017 09:45:40 +0200
+Subject: [PATCH] PCI: Fix race condition with driver_override
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 9561475db680f7144d2223a409dd3d7e322aca03
+
+commit 9561475db680f7144d2223a409dd3d7e322aca03 upstream.
+
+The driver_override implementation is susceptible to a race condition when
+different threads are reading vs. storing a different driver override. Add
+locking to avoid the race condition.
+
+This is in close analogy to commit 6265539776a0 ("driver core: platform:
+fix race condition with driver_override") from Adrian Salido.
+
+Fixes: 782a985d7af2 ("PCI: Introduce new device binding path using pci_dev.driver_override")
+Signed-off-by: Nicolai Stange <nstange@suse.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/pci/pci-sysfs.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
+index f8b2b5987ea9..ec91cd17bf34 100644
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -522,7 +522,7 @@ static ssize_t driver_override_store(struct device *dev,
+ const char *buf, size_t count)
+ {
+ struct pci_dev *pdev = to_pci_dev(dev);
+- char *driver_override, *old = pdev->driver_override, *cp;
++ char *driver_override, *old, *cp;
+
+ /* We need to keep extra room for a newline */
+ if (count >= (PAGE_SIZE - 1))
+@@ -536,12 +536,15 @@ static ssize_t driver_override_store(struct device *dev,
+ if (cp)
+ *cp = '\0';
+
++ device_lock(dev);
++ old = pdev->driver_override;
+ if (strlen(driver_override)) {
+ pdev->driver_override = driver_override;
+ } else {
+ kfree(driver_override);
+ pdev->driver_override = NULL;
+ }
++ device_unlock(dev);
+
+ kfree(old);
+
+@@ -552,8 +555,12 @@ static ssize_t driver_override_show(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
+ struct pci_dev *pdev = to_pci_dev(dev);
++ ssize_t len;
+
+- return snprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override);
++ device_lock(dev);
++ len = snprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override);
++ device_unlock(dev);
++ return len;
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-027-btrfs-fix-NULL-pointer-dereference-from-free_r.patch b/patches.kernel.org/4.4.90-027-btrfs-fix-NULL-pointer-dereference-from-free_r.patch
new file mode 100644
index 0000000000..7b67c96f09
--- /dev/null
+++ b/patches.kernel.org/4.4.90-027-btrfs-fix-NULL-pointer-dereference-from-free_r.patch
@@ -0,0 +1,44 @@
+From: Naohiro Aota <naohiro.aota@wdc.com>
+Date: Fri, 25 Aug 2017 14:15:14 +0900
+Subject: [PATCH] btrfs: fix NULL pointer dereference from free_reloc_roots()
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: bb166d7207432d3c7d10c45dc052f12ba3a2121d
+
+commit bb166d7207432d3c7d10c45dc052f12ba3a2121d upstream.
+
+__del_reloc_root should be called before freeing up reloc_root->node.
+If not, calling __del_reloc_root() dereference reloc_root->node, causing
+the system BUG.
+
+Fixes: 6bdf131fac23 ("Btrfs: don't leak reloc root nodes on error")
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/btrfs/relocation.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index 8ca9aa92972d..9ebe027cc4b7 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -2350,11 +2350,11 @@ void free_reloc_roots(struct list_head *list)
+ while (!list_empty(list)) {
+ reloc_root = list_entry(list->next, struct btrfs_root,
+ root_list);
++ __del_reloc_root(reloc_root);
+ free_extent_buffer(reloc_root->node);
+ free_extent_buffer(reloc_root->commit_root);
+ reloc_root->node = NULL;
+ reloc_root->commit_root = NULL;
+- __del_reloc_root(reloc_root);
+ }
+ }
+
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-028-btrfs-propagate-error-to-btrfs_cmp_data_prepar.patch b/patches.kernel.org/4.4.90-028-btrfs-propagate-error-to-btrfs_cmp_data_prepar.patch
new file mode 100644
index 0000000000..dbd3a2a0c3
--- /dev/null
+++ b/patches.kernel.org/4.4.90-028-btrfs-propagate-error-to-btrfs_cmp_data_prepar.patch
@@ -0,0 +1,43 @@
+From: Naohiro Aota <naohiro.aota@wdc.com>
+Date: Fri, 8 Sep 2017 17:48:55 +0900
+Subject: [PATCH] btrfs: propagate error to btrfs_cmp_data_prepare caller
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 78ad4ce014d025f41b8dde3a81876832ead643cf
+
+commit 78ad4ce014d025f41b8dde3a81876832ead643cf upstream.
+
+btrfs_cmp_data_prepare() (almost) always returns 0 i.e. ignoring errors
+from gather_extent_pages(). While the pages are freed by
+btrfs_cmp_data_free(), cmp->num_pages still has > 0. Then,
+btrfs_extent_same() try to access the already freed pages causing faults
+(or violates PageLocked assertion).
+
+This patch just return the error as is so that the caller stop the process.
+
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Fixes: f441460202cb ("btrfs: fix deadlock with extent-same and readpage")
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/btrfs/ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 317b99acdf4b..be43d1c5b5fb 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -2984,7 +2984,7 @@ static int btrfs_cmp_data_prepare(struct inode *src, u64 loff,
+ out:
+ if (ret)
+ btrfs_cmp_data_free(cmp);
+- return 0;
++ return ret;
+ }
+
+ static int btrfs_cmp_data(struct inode *src, u64 loff, struct inode *dst,
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-029-btrfs-prevent-to-set-invalid-default-subvolid.patch b/patches.kernel.org/4.4.90-029-btrfs-prevent-to-set-invalid-default-subvolid.patch
new file mode 100644
index 0000000000..fb96ecbd95
--- /dev/null
+++ b/patches.kernel.org/4.4.90-029-btrfs-prevent-to-set-invalid-default-subvolid.patch
@@ -0,0 +1,42 @@
+From: satoru takeuchi <satoru.takeuchi@gmail.com>
+Date: Tue, 12 Sep 2017 22:42:52 +0900
+Subject: [PATCH] btrfs: prevent to set invalid default subvolid
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 6d6d282932d1a609e60dc4467677e0e863682f57
+
+commit 6d6d282932d1a609e60dc4467677e0e863682f57 upstream.
+
+`btrfs sub set-default` succeeds to set an ID which isn't corresponding to any
+fs/file tree. If such the bad ID is set to a filesystem, we can't mount this
+filesystem without specifying `subvol` or `subvolid` mount options.
+
+Fixes: 6ef5ed0d386b ("Btrfs: add ioctl and incompat flag to set the default mount subvol")
+Signed-off-by: Satoru Takeuchi <satoru.takeuchi@gmail.com>
+Reviewed-by: Qu Wenruo <quwenruo.btrfs@gmx.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/btrfs/ioctl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index be43d1c5b5fb..9c3b9d07f341 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -4118,6 +4118,10 @@ static long btrfs_ioctl_default_subvol(struct file *file, void __user *argp)
+ ret = PTR_ERR(new_root);
+ goto out;
+ }
++ if (!is_fstree(new_root->objectid)) {
++ ret = -ENOENT;
++ goto out;
++ }
+
+ path = btrfs_alloc_path();
+ if (!path) {
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-030-x86-fpu-Don-t-let-userspace-set-bogus-xcomp_bv.patch b/patches.kernel.org/4.4.90-030-x86-fpu-Don-t-let-userspace-set-bogus-xcomp_bv.patch
new file mode 100644
index 0000000000..9bda3cb347
--- /dev/null
+++ b/patches.kernel.org/4.4.90-030-x86-fpu-Don-t-let-userspace-set-bogus-xcomp_bv.patch
@@ -0,0 +1,203 @@
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 2 Oct 2017 11:04:09 -0700
+Subject: [PATCH] x86/fpu: Don't let userspace set bogus xcomp_bv
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 814fb7bb7db5433757d76f4c4502c96fc53b0b5e
+
+commit 814fb7bb7db5433757d76f4c4502c96fc53b0b5e upstream.
+
+[Please apply to 4.4-stable. Note: the backport includes the
+fpstate_init() call in xstateregs_set(), since fix is useless without
+it. It was added by commit 91c3dba7dbc1 ("x86/fpu/xstate: Fix PTRACE
+frames for XSAVES"), but it doesn't make sense to backport that whole
+commit.]
+
+On x86, userspace can use the ptrace() or rt_sigreturn() system calls to
+set a task's extended state (xstate) or "FPU" registers. ptrace() can
+set them for another task using the PTRACE_SETREGSET request with
+NT_X86_XSTATE, while rt_sigreturn() can set them for the current task.
+In either case, registers can be set to any value, but the kernel
+assumes that the XSAVE area itself remains valid in the sense that the
+CPU can restore it.
+
+However, in the case where the kernel is using the uncompacted xstate
+format (which it does whenever the XSAVES instruction is unavailable),
+it was possible for userspace to set the xcomp_bv field in the
+xstate_header to an arbitrary value. However, all bits in that field
+are reserved in the uncompacted case, so when switching to a task with
+nonzero xcomp_bv, the XRSTOR instruction failed with a #GP fault. This
+caused the WARN_ON_FPU(err) in copy_kernel_to_xregs() to be hit. In
+addition, since the error is otherwise ignored, the FPU registers from
+the task previously executing on the CPU were leaked.
+
+Fix the bug by checking that the user-supplied value of xcomp_bv is 0 in
+the uncompacted case, and returning an error otherwise.
+
+The reason for validating xcomp_bv rather than simply overwriting it
+with 0 is that we want userspace to see an error if it (incorrectly)
+provides an XSAVE area in compacted format rather than in uncompacted
+format.
+
+Note that as before, in case of error we clear the task's FPU state.
+This is perhaps non-ideal, especially for PTRACE_SETREGSET; it might be
+better to return an error before changing anything. But it seems the
+"clear on error" behavior is fine for now, and it's a little tricky to
+do otherwise because it would mean we couldn't simply copy the full
+userspace state into kernel memory in one __copy_from_user().
+
+This bug was found by syzkaller, which hit the above-mentioned
+WARN_ON_FPU():
+
+ WARNING: CPU: 1 PID: 0 at ./arch/x86/include/asm/fpu/internal.h:373 __switch_to+0x5b5/0x5d0
+ CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.13.0 #453
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ task: ffff9ba2bc8e42c0 task.stack: ffffa78cc036c000
+ RIP: 0010:__switch_to+0x5b5/0x5d0
+ RSP: 0000:ffffa78cc08bbb88 EFLAGS: 00010082
+ RAX: 00000000fffffffe RBX: ffff9ba2b8bf2180 RCX: 00000000c0000100
+ RDX: 00000000ffffffff RSI: 000000005cb10700 RDI: ffff9ba2b8bf36c0
+ RBP: ffffa78cc08bbbd0 R08: 00000000929fdf46 R09: 0000000000000001
+ R10: 0000000000000000 R11: 0000000000000000 R12: ffff9ba2bc8e42c0
+ R13: 0000000000000000 R14: ffff9ba2b8bf3680 R15: ffff9ba2bf5d7b40
+ FS: 00007f7e5cb10700(0000) GS:ffff9ba2bf400000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00000000004005cc CR3: 0000000079fd5000 CR4: 00000000001406e0
+ Call Trace:
+ Code: 84 00 00 00 00 00 e9 11 fd ff ff 0f ff 66 0f 1f 84 00 00 00 00 00 e9 e7 fa ff ff 0f ff 66 0f 1f 84 00 00 00 00 00 e9 c2 fa ff ff <0f> ff 66 0f 1f 84 00 00 00 00 00 e9 d4 fc ff ff 66 66 2e 0f 1f
+
+Here is a C reproducer. The expected behavior is that the program spin
+forever with no output. However, on a buggy kernel running on a
+processor with the "xsave" feature but without the "xsaves" feature
+(e.g. Sandy Bridge through Broadwell for Intel), within a second or two
+the program reports that the xmm registers were corrupted, i.e. were not
+restored correctly. With CONFIG_X86_DEBUG_FPU=y it also hits the above
+kernel warning.
+
+ #define _GNU_SOURCE
+ #include <stdbool.h>
+ #include <inttypes.h>
+ #include <linux/elf.h>
+ #include <stdio.h>
+ #include <sys/ptrace.h>
+ #include <sys/uio.h>
+ #include <sys/wait.h>
+ #include <unistd.h>
+
+ int main(void)
+ {
+ int pid = fork();
+ uint64_t xstate[512];
+ struct iovec iov = { .iov_base = xstate, .iov_len = sizeof(xstate) };
+
+ if (pid == 0) {
+ bool tracee = true;
+ for (int i = 0; i < sysconf(_SC_NPROCESSORS_ONLN) && tracee; i++)
+ tracee = (fork() != 0);
+ uint32_t xmm0[4] = { [0 ... 3] = tracee ? 0x00000000 : 0xDEADBEEF };
+ asm volatile(" movdqu %0, %%xmm0\n"
+ " mov %0, %%rbx\n"
+ "1: movdqu %%xmm0, %0\n"
+ " mov %0, %%rax\n"
+ " cmp %%rax, %%rbx\n"
+ " je 1b\n"
+ : "+m" (xmm0) : : "rax", "rbx", "xmm0");
+ printf("BUG: xmm registers corrupted! tracee=%d, xmm0=%08X%08X%08X%08X\n",
+ tracee, xmm0[0], xmm0[1], xmm0[2], xmm0[3]);
+ } else {
+ usleep(100000);
+ ptrace(PTRACE_ATTACH, pid, 0, 0);
+ wait(NULL);
+ ptrace(PTRACE_GETREGSET, pid, NT_X86_XSTATE, &iov);
+ xstate[65] = -1;
+ ptrace(PTRACE_SETREGSET, pid, NT_X86_XSTATE, &iov);
+ ptrace(PTRACE_CONT, pid, 0, 0);
+ wait(NULL);
+ }
+ return 1;
+ }
+
+Note: the program only tests for the bug using the ptrace() system call.
+The bug can also be reproduced using the rt_sigreturn() system call, but
+only when called from a 32-bit program, since for 64-bit programs the
+kernel restores the FPU state from the signal frame by doing XRSTOR
+directly from userspace memory (with proper error checking).
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Rik van Riel <riel@redhat.com>
+Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Eric Biggers <ebiggers3@gmail.com>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Kevin Hao <haokexin@gmail.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michael Halcrow <mhalcrow@google.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Wanpeng Li <wanpeng.li@hotmail.com>
+Cc: Yu-cheng Yu <yu-cheng.yu@intel.com>
+Cc: kernel-hardening@lists.openwall.com
+Fixes: 0b29643a5843 ("x86/xsaves: Change compacted format xsave area header")
+Link: http://lkml.kernel.org/r/20170922174156.16780-2-ebiggers3@gmail.com
+Link: http://lkml.kernel.org/r/20170923130016.21448-25-mingo@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/kernel/fpu/regset.c | 11 +++++++++++
+ arch/x86/kernel/fpu/signal.c | 4 +++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/fpu/regset.c b/arch/x86/kernel/fpu/regset.c
+index 0bc3490420c5..72a483c295f2 100644
+--- a/arch/x86/kernel/fpu/regset.c
++++ b/arch/x86/kernel/fpu/regset.c
+@@ -116,6 +116,11 @@ int xstateregs_set(struct task_struct *target, const struct user_regset *regset,
+ xsave = &fpu->state.xsave;
+
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, xsave, 0, -1);
++
++ /* xcomp_bv must be 0 when using uncompacted format */
++ if (!ret && xsave->header.xcomp_bv)
++ ret = -EINVAL;
++
+ /*
+ * mxcsr reserved bits must be masked to zero for security reasons.
+ */
+@@ -126,6 +131,12 @@ int xstateregs_set(struct task_struct *target, const struct user_regset *regset,
+ */
+ memset(&xsave->header.reserved, 0, 48);
+
++ /*
++ * In case of failure, mark all states as init:
++ */
++ if (ret)
++ fpstate_init(&fpu->state);
++
+ return ret;
+ }
+
+diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
+index 31c6a60505e6..3de077116218 100644
+--- a/arch/x86/kernel/fpu/signal.c
++++ b/arch/x86/kernel/fpu/signal.c
+@@ -309,7 +309,9 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size)
+ fpu__drop(fpu);
+
+ if (__copy_from_user(&fpu->state.xsave, buf_fx, state_size) ||
+- __copy_from_user(&env, buf, sizeof(env))) {
++ __copy_from_user(&env, buf, sizeof(env)) ||
++ (state_size > offsetof(struct xregs_state, header) &&
++ fpu->state.xsave.header.xcomp_bv)) {
+ fpstate_init(&fpu->state);
+ err = -1;
+ } else {
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-031-gfs2-Fix-debugfs-glocks-dump.patch b/patches.kernel.org/4.4.90-031-gfs2-Fix-debugfs-glocks-dump.patch
new file mode 100644
index 0000000000..63dabcb7d7
--- /dev/null
+++ b/patches.kernel.org/4.4.90-031-gfs2-Fix-debugfs-glocks-dump.patch
@@ -0,0 +1,123 @@
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Tue, 19 Sep 2017 07:15:35 -0500
+Subject: [PATCH] gfs2: Fix debugfs glocks dump
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 10201655b085df8e000822e496e5d4016a167a36
+
+commit 10201655b085df8e000822e496e5d4016a167a36 upstream.
+
+The switch to rhashtables (commit 88ffbf3e03) broke the debugfs glock
+dump (/sys/kernel/debug/gfs2/<device>/glocks) for dumps bigger than a
+single buffer: the right function for restarting an rhashtable iteration
+from the beginning of the hash table is rhashtable_walk_enter;
+rhashtable_walk_stop + rhashtable_walk_start will just resume from the
+current position.
+
+The upstream commit doesn't directly apply to 4.4.y because 4.4.y
+doesn't have rhashtable_walk_enter and the following mainline commits:
+
+ 92ecd73a887c4a2b94daf5fc35179d75d1c4ef95
+ gfs2: Deduplicate gfs2_{glocks,glstats}_open
+ cc37a62785a584f4875788689f3fd1fa6e4eb291
+ gfs2: Replace rhashtable_walk_init with rhashtable_walk_enter
+
+Other than rhashtable_walk_enter, rhashtable_walk_init can fail. To
+handle the failure case in gfs2_glock_seq_stop, we check if
+rhashtable_walk_init has initialized iter->walker; if it has not, we
+must not call rhashtable_walk_stop or rhashtable_walk_exit.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/gfs2/glock.c | 21 +++++++++------------
+ 1 file changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
+index 070901e76653..ff36f5475d7e 100644
+--- a/fs/gfs2/glock.c
++++ b/fs/gfs2/glock.c
+@@ -1814,13 +1814,10 @@ static void *gfs2_glock_seq_start(struct seq_file *seq, loff_t *pos)
+ {
+ struct gfs2_glock_iter *gi = seq->private;
+ loff_t n = *pos;
+- int ret;
+-
+- if (gi->last_pos <= *pos)
+- n = (*pos - gi->last_pos);
+
+- ret = rhashtable_walk_start(&gi->hti);
+- if (ret)
++ if (rhashtable_walk_init(&gl_hash_table, &gi->hti) != 0)
++ return NULL;
++ if (rhashtable_walk_start(&gi->hti) != 0)
+ return NULL;
+
+ do {
+@@ -1828,6 +1825,7 @@ static void *gfs2_glock_seq_start(struct seq_file *seq, loff_t *pos)
+ } while (gi->gl && n--);
+
+ gi->last_pos = *pos;
++
+ return gi->gl;
+ }
+
+@@ -1839,6 +1837,7 @@ static void *gfs2_glock_seq_next(struct seq_file *seq, void *iter_ptr,
+ (*pos)++;
+ gi->last_pos = *pos;
+ gfs2_glock_iter_next(gi);
++
+ return gi->gl;
+ }
+
+@@ -1847,7 +1846,10 @@ static void gfs2_glock_seq_stop(struct seq_file *seq, void *iter_ptr)
+ struct gfs2_glock_iter *gi = seq->private;
+
+ gi->gl = NULL;
+- rhashtable_walk_stop(&gi->hti);
++ if (gi->hti.walker) {
++ rhashtable_walk_stop(&gi->hti);
++ rhashtable_walk_exit(&gi->hti);
++ }
+ }
+
+ static int gfs2_glock_seq_show(struct seq_file *seq, void *iter_ptr)
+@@ -1910,12 +1912,10 @@ static int gfs2_glocks_open(struct inode *inode, struct file *file)
+ struct gfs2_glock_iter *gi = seq->private;
+
+ gi->sdp = inode->i_private;
+- gi->last_pos = 0;
+ seq->buf = kmalloc(GFS2_SEQ_GOODSIZE, GFP_KERNEL | __GFP_NOWARN);
+ if (seq->buf)
+ seq->size = GFS2_SEQ_GOODSIZE;
+ gi->gl = NULL;
+- ret = rhashtable_walk_init(&gl_hash_table, &gi->hti);
+ }
+ return ret;
+ }
+@@ -1926,7 +1926,6 @@ static int gfs2_glocks_release(struct inode *inode, struct file *file)
+ struct gfs2_glock_iter *gi = seq->private;
+
+ gi->gl = NULL;
+- rhashtable_walk_exit(&gi->hti);
+ return seq_release_private(inode, file);
+ }
+
+@@ -1938,12 +1937,10 @@ static int gfs2_glstats_open(struct inode *inode, struct file *file)
+ struct seq_file *seq = file->private_data;
+ struct gfs2_glock_iter *gi = seq->private;
+ gi->sdp = inode->i_private;
+- gi->last_pos = 0;
+ seq->buf = kmalloc(GFS2_SEQ_GOODSIZE, GFP_KERNEL | __GFP_NOWARN);
+ if (seq->buf)
+ seq->size = GFS2_SEQ_GOODSIZE;
+ gi->gl = NULL;
+- ret = rhashtable_walk_init(&gl_hash_table, &gi->hti);
+ }
+ return ret;
+ }
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-032-timer-sysclt-Restrict-timer-migration-sysctl-v.patch b/patches.kernel.org/4.4.90-032-timer-sysclt-Restrict-timer-migration-sysctl-v.patch
new file mode 100644
index 0000000000..0357c9834a
--- /dev/null
+++ b/patches.kernel.org/4.4.90-032-timer-sysclt-Restrict-timer-migration-sysctl-v.patch
@@ -0,0 +1,57 @@
+From: Myungho Jung <mhjungk@gmail.com>
+Date: Wed, 19 Apr 2017 15:24:50 -0700
+Subject: [PATCH] timer/sysclt: Restrict timer migration sysctl values to 0 and
+ 1
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: b94bf594cf8ed67cdd0439e70fa939783471597a
+
+commit b94bf594cf8ed67cdd0439e70fa939783471597a upstream.
+
+timer_migration sysctl acts as a boolean switch, so the allowed values
+should be restricted to 0 and 1.
+
+Add the necessary extra fields to the sysctl table entry to enforce that.
+
+[ tglx: Rewrote changelog ]
+
+Signed-off-by: Myungho Jung <mhjungk@gmail.com>
+Link: http://lkml.kernel.org/r/1492640690-3550-1-git-send-email-mhjungk@gmail.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/sysctl.c | 2 ++
+ kernel/time/timer.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 002ec084124b..17c59e78661b 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -1159,6 +1159,8 @@ static struct ctl_table kern_table[] = {
+ .maxlen = sizeof(unsigned int),
+ .mode = 0644,
+ .proc_handler = timer_migration_handler,
++ .extra1 = &zero,
++ .extra2 = &one,
+ },
+ #endif
+ #ifdef CONFIG_BPF_SYSCALL
+diff --git a/kernel/time/timer.c b/kernel/time/timer.c
+index bbc5d1114583..125407144c01 100644
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -127,7 +127,7 @@ int timer_migration_handler(struct ctl_table *table, int write,
+ int ret;
+
+ mutex_lock(&mutex);
+- ret = proc_dointvec(table, write, buffer, lenp, ppos);
++ ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+ if (!ret && write)
+ timers_update_migration(false);
+ mutex_unlock(&mutex);
+--
+2.14.2
+
diff --git a/patches.arch/0004-kvm-vmx-do-not-change-sn-bit-in-vmx_update_pi_irte b/patches.kernel.org/4.4.90-033-KVM-VMX-do-not-change-SN-bit-in-vmx_update_pi_.patch
index 59bd1e88d3..4307a3befd 100644
--- a/patches.arch/0004-kvm-vmx-do-not-change-sn-bit-in-vmx_update_pi_irte
+++ b/patches.kernel.org/4.4.90-033-KVM-VMX-do-not-change-SN-bit-in-vmx_update_pi_.patch
@@ -1,12 +1,14 @@
From: Haozhong Zhang <haozhong.zhang@intel.com>
Date: Mon, 18 Sep 2017 09:56:49 +0800
-Subject: KVM: VMX: do not change SN bit in vmx_update_pi_irte()
+Subject: [PATCH] KVM: VMX: do not change SN bit in vmx_update_pi_irte()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
+Patch-mainline: 4.4.90
+References: bnc#1012382 bsc#1061017
Git-commit: dc91f2eb1a4021eb6705c15e474942f84ab9b211
-Patch-mainline: v4.14-rc2
-References: bsc#1061017
+
+commit dc91f2eb1a4021eb6705c15e474942f84ab9b211 upstream.
In kvm_vcpu_trigger_posted_interrupt() and pi_pre_block(), KVM
assumes that PI notification events should not be suppressed when the
@@ -24,14 +26,17 @@ Reported-by: Dan Williams <dan.j.williams@intel.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Fixes: 28b835d60fcc ("KVM: Update Posted-Interrupts Descriptor when vCPU is preempted")
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-Acked-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
arch/x86/kvm/vmx.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index ee7ae9e937b2..5aeddea1e9d1 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
-@@ -10790,12 +10790,8 @@ static int vmx_update_pi_irte(struct kvm
+@@ -10803,12 +10803,8 @@ static int vmx_update_pi_irte(struct kvm *kvm, unsigned int host_irq,
if (set)
ret = irq_set_vcpu_affinity(host_irq, &vcpu_info);
@@ -45,3 +50,6 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
if (ret < 0) {
printk(KERN_INFO "%s: failed to update PI IRTE\n",
+--
+2.14.2
+
diff --git a/patches.arch/0002-kvm-vmx-remove-warn_on_once-in-kvm_vcpu_trigger_posted_interrupt b/patches.kernel.org/4.4.90-034-KVM-VMX-remove-WARN_ON_ONCE-in-kvm_vcpu_trigge.patch
index 067cb3b3ff..0664ee5dee 100644
--- a/patches.arch/0002-kvm-vmx-remove-warn_on_once-in-kvm_vcpu_trigger_posted_interrupt
+++ b/patches.kernel.org/4.4.90-034-KVM-VMX-remove-WARN_ON_ONCE-in-kvm_vcpu_trigge.patch
@@ -1,12 +1,15 @@
From: Haozhong Zhang <haozhong.zhang@intel.com>
Date: Mon, 18 Sep 2017 09:56:50 +0800
-Subject: KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt
+Subject: [PATCH] KVM: VMX: remove WARN_ON_ONCE in
+ kvm_vcpu_trigger_posted_interrupt
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
+Patch-mainline: 4.4.90
+References: bnc#1012382 bsc#1061017
Git-commit: 5753743fa5108b8f98bd61e40dc63f641b26c768
-Patch-mainline: v4.14-rc2
-References: bsc#1061017
+
+commit 5753743fa5108b8f98bd61e40dc63f641b26c768 upstream.
WARN_ON_ONCE(pi_test_sn(&vmx->pi_desc)) in kvm_vcpu_trigger_posted_interrupt()
intends to detect the violation of invariant that VT-d PI notification
@@ -26,14 +29,17 @@ Reported-by: Dan Williams <dan.j.williams@intel.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Fixes: 28b835d60fcc ("KVM: Update Posted-Interrupts Descriptor when vCPU is preempted")
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-Acked-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
arch/x86/kvm/vmx.c | 33 +++++++++++++++++++++------------
1 file changed, 21 insertions(+), 12 deletions(-)
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 5aeddea1e9d1..67f27cc1d1b6 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
-@@ -4550,21 +4550,30 @@ static inline bool kvm_vcpu_trigger_post
+@@ -4541,21 +4541,30 @@ static inline bool kvm_vcpu_trigger_posted_interrupt(struct kvm_vcpu *vcpu)
{
#ifdef CONFIG_SMP
if (vcpu->mode == IN_GUEST_MODE) {
@@ -76,3 +82,6 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
apic->send_IPI_mask(get_cpu_mask(vcpu->cpu),
POSTED_INTR_VECTOR);
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-035-cxl-Fix-driver-use-count.patch b/patches.kernel.org/4.4.90-035-cxl-Fix-driver-use-count.patch
new file mode 100644
index 0000000000..213ffd2aa2
--- /dev/null
+++ b/patches.kernel.org/4.4.90-035-cxl-Fix-driver-use-count.patch
@@ -0,0 +1,88 @@
+From: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
+Date: Wed, 30 Aug 2017 12:15:49 +0200
+Subject: [PATCH] cxl: Fix driver use count
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 197267d0356004a31c4d6b6336598f5dff3301e1
+
+commit 197267d0356004a31c4d6b6336598f5dff3301e1 upstream.
+
+cxl keeps a driver use count, which is used with the hash memory model
+on p8 to know when to upgrade local TLBIs to global and to trigger
+callbacks to manage the MMU for PSL8.
+
+If a process opens a context and closes without attaching or fails the
+attachment, the driver use count is never decremented. As a
+consequence, TLB invalidations remain global, even if there are no
+active cxl contexts.
+
+We should increment the driver use count when the process is attaching
+to the cxl adapter, and not on open. It's not needed before the
+adapter starts using the context and the use count is decremented on
+the detach path, so it makes more sense.
+
+It affects only the user api. The kernel api is already doing The
+Right Thing.
+
+Signed-off-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
+Fixes: 7bb5d91a4dda ("cxl: Rework context lifetimes")
+Acked-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+[ajd: backport to stable v4.4 tree]
+Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/misc/cxl/api.c | 4 ++++
+ drivers/misc/cxl/file.c | 8 +++++++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/misc/cxl/api.c b/drivers/misc/cxl/api.c
+index ea3eeb7011e1..690eb1a18caf 100644
+--- a/drivers/misc/cxl/api.c
++++ b/drivers/misc/cxl/api.c
+@@ -176,6 +176,10 @@ int cxl_start_context(struct cxl_context *ctx, u64 wed,
+ kernel = false;
+ }
+
++ /*
++ * Increment driver use count. Enables global TLBIs for hash
++ * and callbacks to handle the segment table
++ */
+ cxl_ctx_get();
+
+ if ((rc = cxl_attach_process(ctx, kernel, wed , 0))) {
+diff --git a/drivers/misc/cxl/file.c b/drivers/misc/cxl/file.c
+index 10a02934bfc0..013558f4da4f 100644
+--- a/drivers/misc/cxl/file.c
++++ b/drivers/misc/cxl/file.c
+@@ -94,7 +94,6 @@ static int __afu_open(struct inode *inode, struct file *file, bool master)
+
+ pr_devel("afu_open pe: %i\n", ctx->pe);
+ file->private_data = ctx;
+- cxl_ctx_get();
+
+ /* indicate success */
+ rc = 0;
+@@ -205,11 +204,18 @@ static long afu_ioctl_start_work(struct cxl_context *ctx,
+ ctx->pid = get_task_pid(current, PIDTYPE_PID);
+ ctx->glpid = get_task_pid(current->group_leader, PIDTYPE_PID);
+
++ /*
++ * Increment driver use count. Enables global TLBIs for hash
++ * and callbacks to handle the segment table
++ */
++ cxl_ctx_get();
++
+ trace_cxl_attach(ctx, work.work_element_descriptor, work.num_interrupts, amr);
+
+ if ((rc = cxl_attach_process(ctx, false, work.work_element_descriptor,
+ amr))) {
+ afu_release_irqs(ctx, ctx);
++ cxl_ctx_put();
+ goto out;
+ }
+
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-036-dmaengine-mmp-pdma-add-number-of-requestors.patch b/patches.kernel.org/4.4.90-036-dmaengine-mmp-pdma-add-number-of-requestors.patch
new file mode 100644
index 0000000000..f8d2fd13c7
--- /dev/null
+++ b/patches.kernel.org/4.4.90-036-dmaengine-mmp-pdma-add-number-of-requestors.patch
@@ -0,0 +1,37 @@
+From: Robert Jarzmik <robert.jarzmik@free.fr>
+Date: Mon, 15 Feb 2016 21:57:46 +0100
+Subject: [PATCH] dmaengine: mmp-pdma: add number of requestors
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: c283e41ef32442f41e7180f9bb1c5aedf9255bfe
+
+commit c283e41ef32442f41e7180f9bb1c5aedf9255bfe upstream.
+
+The DMA chip has a fixed number of requestor lines used for flow
+control. This number is platform dependent. The pxa_dma dma driver will
+use this value to activate or not the flow control.
+
+There won't be any impact on mmp_pdma driver.
+
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/linux/platform_data/mmp_dma.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/platform_data/mmp_dma.h b/include/linux/platform_data/mmp_dma.h
+index 2a330ec9e2af..d1397c8ed94e 100644
+--- a/include/linux/platform_data/mmp_dma.h
++++ b/include/linux/platform_data/mmp_dma.h
+@@ -14,6 +14,7 @@
+
+ struct mmp_dma_platdata {
+ int dma_channels;
++ int nb_requestors;
+ };
+
+ #endif /* MMP_DMA_H */
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-037-ARM-pxa-add-the-number-of-DMA-requestor-lines.patch b/patches.kernel.org/4.4.90-037-ARM-pxa-add-the-number-of-DMA-requestor-lines.patch
new file mode 100644
index 0000000000..1d83327f14
--- /dev/null
+++ b/patches.kernel.org/4.4.90-037-ARM-pxa-add-the-number-of-DMA-requestor-lines.patch
@@ -0,0 +1,128 @@
+From: Robert Jarzmik <robert.jarzmik@free.fr>
+Date: Mon, 15 Feb 2016 21:57:47 +0100
+Subject: [PATCH] ARM: pxa: add the number of DMA requestor lines
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 72b195cb716284217e8b270af420bc7e5cf04b3c
+
+commit 72b195cb716284217e8b270af420bc7e5cf04b3c upstream.
+
+Declare the number of DMA requestor lines per platform :
+ - for pxa25x: 40 requestor lines
+ - for pxa27x: 75 requestor lines
+ - for pxa3xx: 100 requestor lines
+
+This information will be used to activate the DMA flow control or not.
+
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/boot/dts/pxa27x.dtsi | 1 +
+ arch/arm/boot/dts/pxa3xx.dtsi | 1 +
+ arch/arm/mach-pxa/devices.c | 3 ++-
+ arch/arm/mach-pxa/pxa25x.c | 2 +-
+ arch/arm/mach-pxa/pxa27x.c | 2 +-
+ arch/arm/mach-pxa/pxa3xx.c | 2 +-
+ arch/arm/plat-pxa/include/plat/dma.h | 2 +-
+ 7 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm/boot/dts/pxa27x.dtsi b/arch/arm/boot/dts/pxa27x.dtsi
+index 7f68a1ee7073..210192c38df3 100644
+--- a/arch/arm/boot/dts/pxa27x.dtsi
++++ b/arch/arm/boot/dts/pxa27x.dtsi
+@@ -13,6 +13,7 @@
+ interrupts = <25>;
+ #dma-channels = <32>;
+ #dma-cells = <2>;
++ #dma-requests = <75>;
+ status = "okay";
+ };
+
+diff --git a/arch/arm/boot/dts/pxa3xx.dtsi b/arch/arm/boot/dts/pxa3xx.dtsi
+index 564341af7e97..fec47bcd8292 100644
+--- a/arch/arm/boot/dts/pxa3xx.dtsi
++++ b/arch/arm/boot/dts/pxa3xx.dtsi
+@@ -12,6 +12,7 @@
+ interrupts = <25>;
+ #dma-channels = <32>;
+ #dma-cells = <2>;
++ #dma-requests = <100>;
+ status = "okay";
+ };
+
+diff --git a/arch/arm/mach-pxa/devices.c b/arch/arm/mach-pxa/devices.c
+index 2a6e0ae2b920..a944797e9d97 100644
+--- a/arch/arm/mach-pxa/devices.c
++++ b/arch/arm/mach-pxa/devices.c
+@@ -1203,6 +1203,7 @@ void __init pxa2xx_set_spi_info(unsigned id, struct pxa2xx_spi_master *info)
+
+ static struct mmp_dma_platdata pxa_dma_pdata = {
+ .dma_channels = 0,
++ .nb_requestors = 0,
+ };
+
+ static struct resource pxa_dma_resource[] = {
+@@ -1231,7 +1232,7 @@ static struct platform_device pxa2xx_pxa_dma = {
+ .resource = pxa_dma_resource,
+ };
+
+-void __init pxa2xx_set_dmac_info(int nb_channels)
++void __init pxa2xx_set_dmac_info(int nb_channels, int nb_requestors)
+ {
+ pxa_dma_pdata.dma_channels = nb_channels;
+ pxa_register_device(&pxa2xx_pxa_dma, &pxa_dma_pdata);
+diff --git a/arch/arm/mach-pxa/pxa25x.c b/arch/arm/mach-pxa/pxa25x.c
+index 1dc85ffc3e20..049b9cc22720 100644
+--- a/arch/arm/mach-pxa/pxa25x.c
++++ b/arch/arm/mach-pxa/pxa25x.c
+@@ -206,7 +206,7 @@ static int __init pxa25x_init(void)
+ register_syscore_ops(&pxa_irq_syscore_ops);
+ register_syscore_ops(&pxa2xx_mfp_syscore_ops);
+
+- pxa2xx_set_dmac_info(16);
++ pxa2xx_set_dmac_info(16, 40);
+ pxa_register_device(&pxa25x_device_gpio, &pxa25x_gpio_info);
+ ret = platform_add_devices(pxa25x_devices,
+ ARRAY_SIZE(pxa25x_devices));
+diff --git a/arch/arm/mach-pxa/pxa27x.c b/arch/arm/mach-pxa/pxa27x.c
+index ffc424028557..2fb6430b7a34 100644
+--- a/arch/arm/mach-pxa/pxa27x.c
++++ b/arch/arm/mach-pxa/pxa27x.c
+@@ -309,7 +309,7 @@ static int __init pxa27x_init(void)
+ if (!of_have_populated_dt()) {
+ pxa_register_device(&pxa27x_device_gpio,
+ &pxa27x_gpio_info);
+- pxa2xx_set_dmac_info(32);
++ pxa2xx_set_dmac_info(32, 75);
+ ret = platform_add_devices(devices,
+ ARRAY_SIZE(devices));
+ }
+diff --git a/arch/arm/mach-pxa/pxa3xx.c b/arch/arm/mach-pxa/pxa3xx.c
+index 20ce2d386f17..ca06f082497c 100644
+--- a/arch/arm/mach-pxa/pxa3xx.c
++++ b/arch/arm/mach-pxa/pxa3xx.c
+@@ -450,7 +450,7 @@ static int __init pxa3xx_init(void)
+ if (of_have_populated_dt())
+ return 0;
+
+- pxa2xx_set_dmac_info(32);
++ pxa2xx_set_dmac_info(32, 100);
+ ret = platform_add_devices(devices, ARRAY_SIZE(devices));
+ if (ret)
+ return ret;
+diff --git a/arch/arm/plat-pxa/include/plat/dma.h b/arch/arm/plat-pxa/include/plat/dma.h
+index 28848b344e2d..ceba3e4184fc 100644
+--- a/arch/arm/plat-pxa/include/plat/dma.h
++++ b/arch/arm/plat-pxa/include/plat/dma.h
+@@ -95,6 +95,6 @@ static inline int pxad_toggle_reserved_channel(int legacy_channel)
+ }
+ #endif
+
+-extern void __init pxa2xx_set_dmac_info(int nb_channels);
++extern void __init pxa2xx_set_dmac_info(int nb_channels, int nb_requestors);
+
+ #endif /* __PLAT_DMA_H */
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-038-ARM-pxa-fix-the-number-of-DMA-requestor-lines.patch b/patches.kernel.org/4.4.90-038-ARM-pxa-fix-the-number-of-DMA-requestor-lines.patch
new file mode 100644
index 0000000000..87ea5f9907
--- /dev/null
+++ b/patches.kernel.org/4.4.90-038-ARM-pxa-fix-the-number-of-DMA-requestor-lines.patch
@@ -0,0 +1,34 @@
+From: Robert Jarzmik <robert.jarzmik@free.fr>
+Date: Wed, 9 Mar 2016 00:46:11 +0100
+Subject: [PATCH] ARM: pxa: fix the number of DMA requestor lines
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 4c35430ad18f5a034302cb90e559ede5a27f93b9
+
+commit 4c35430ad18f5a034302cb90e559ede5a27f93b9 upstream.
+
+The number of requestor lines was clamped to 0 for all pxa architectures
+in the requestor declaration. Fix this by using the value.
+
+Fixes: 72b195cb7162 ("ARM: pxa: add the number of DMA requestor lines")
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/mach-pxa/devices.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/mach-pxa/devices.c b/arch/arm/mach-pxa/devices.c
+index a944797e9d97..614e9d8f0a54 100644
+--- a/arch/arm/mach-pxa/devices.c
++++ b/arch/arm/mach-pxa/devices.c
+@@ -1235,5 +1235,6 @@ static struct platform_device pxa2xx_pxa_dma = {
+ void __init pxa2xx_set_dmac_info(int nb_channels, int nb_requestors)
+ {
+ pxa_dma_pdata.dma_channels = nb_channels;
++ pxa_dma_pdata.nb_requestors = nb_requestors;
+ pxa_register_device(&pxa2xx_pxa_dma, &pxa_dma_pdata);
+ }
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-039-KVM-VMX-use-cmpxchg64.patch b/patches.kernel.org/4.4.90-039-KVM-VMX-use-cmpxchg64.patch
new file mode 100644
index 0000000000..2cb5b30ec2
--- /dev/null
+++ b/patches.kernel.org/4.4.90-039-KVM-VMX-use-cmpxchg64.patch
@@ -0,0 +1,58 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu, 28 Sep 2017 17:58:41 +0200
+Subject: [PATCH] KVM: VMX: use cmpxchg64
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: c0a1666bcb2a33e84187a15eabdcd54056be9a97
+
+commit c0a1666bcb2a33e84187a15eabdcd54056be9a97 upstream.
+
+This fixes a compilation failure on 32-bit systems.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/kvm/vmx.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 67f27cc1d1b6..a018dff00808 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2029,8 +2029,8 @@ static void vmx_vcpu_pi_load(struct kvm_vcpu *vcpu, int cpu)
+
+ /* Allow posting non-urgent interrupts */
+ new.sn = 0;
+- } while (cmpxchg(&pi_desc->control, old.control,
+- new.control) != old.control);
++ } while (cmpxchg64(&pi_desc->control, old.control,
++ new.control) != old.control);
+ }
+ /*
+ * Switches to specified vcpu, until a matching vcpu_put(), but assumes
+@@ -10705,8 +10705,8 @@ static int vmx_pre_block(struct kvm_vcpu *vcpu)
+
+ /* set 'NV' to 'wakeup vector' */
+ new.nv = POSTED_INTR_WAKEUP_VECTOR;
+- } while (cmpxchg(&pi_desc->control, old.control,
+- new.control) != old.control);
++ } while (cmpxchg64(&pi_desc->control, old.control,
++ new.control) != old.control);
+
+ return 0;
+ }
+@@ -10737,8 +10737,8 @@ static void vmx_post_block(struct kvm_vcpu *vcpu)
+
+ /* set 'NV' to 'notification vector' */
+ new.nv = POSTED_INTR_VECTOR;
+- } while (cmpxchg(&pi_desc->control, old.control,
+- new.control) != old.control);
++ } while (cmpxchg64(&pi_desc->control, old.control,
++ new.control) != old.control);
+
+ if(vcpu->pre_pcpu != -1) {
+ spin_lock_irqsave(
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-040-video-fbdev-aty-do-not-leak-uninitialized-padd.patch b/patches.kernel.org/4.4.90-040-video-fbdev-aty-do-not-leak-uninitialized-padd.patch
new file mode 100644
index 0000000000..404cf105e5
--- /dev/null
+++ b/patches.kernel.org/4.4.90-040-video-fbdev-aty-do-not-leak-uninitialized-padd.patch
@@ -0,0 +1,40 @@
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Mon, 4 Sep 2017 16:00:50 +0200
+Subject: [PATCH] video: fbdev: aty: do not leak uninitialized padding in clk
+ to userspace
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 8e75f7a7a00461ef6d91797a60b606367f6e344d
+
+commit 8e75f7a7a00461ef6d91797a60b606367f6e344d upstream.
+
+'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
+field unitialized, leaking data from the stack. Fix this ensuring all of
+'clk' is initialized to zero.
+
+References: https://github.com/torvalds/linux/pull/441
+Reported-by: sohu0106 <sohu0106@126.com>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/video/fbdev/aty/atyfb_base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
+index f34ed47fcaf8..7f658fa4d22a 100644
+--- a/drivers/video/fbdev/aty/atyfb_base.c
++++ b/drivers/video/fbdev/aty/atyfb_base.c
+@@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *info, u_int cmd, u_long arg)
+ #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
+ case ATYIO_CLKR:
+ if (M64_HAS(INTEGRATED)) {
+- struct atyclk clk;
++ struct atyclk clk = { 0 };
+ union aty_pll *pll = &par->pll;
+ u32 dsp_config = pll->ct.dsp_config;
+ u32 dsp_on_off = pll->ct.dsp_on_off;
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-041-swiotlb-xen-implement-xen_swiotlb_dma_mmap-cal.patch b/patches.kernel.org/4.4.90-041-swiotlb-xen-implement-xen_swiotlb_dma_mmap-cal.patch
new file mode 100644
index 0000000000..869b9033b1
--- /dev/null
+++ b/patches.kernel.org/4.4.90-041-swiotlb-xen-implement-xen_swiotlb_dma_mmap-cal.patch
@@ -0,0 +1,79 @@
+From: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+Date: Tue, 7 Feb 2017 19:58:02 +0200
+Subject: [PATCH] swiotlb-xen: implement xen_swiotlb_dma_mmap callback
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 7e91c7df29b5e196de3dc6f086c8937973bd0b88
+
+commit 7e91c7df29b5e196de3dc6f086c8937973bd0b88 upstream.
+
+This function creates userspace mapping for the DMA-coherent memory.
+
+Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+Signed-off-by: Oleksandr Dmytryshyn <oleksandr.dmytryshyn@globallogic.com>
+Signed-off-by: Andrii Anisov <andrii_anisov@epam.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/xen/mm.c | 1 +
+ drivers/xen/swiotlb-xen.c | 19 +++++++++++++++++++
+ include/xen/swiotlb-xen.h | 5 +++++
+ 3 files changed, 25 insertions(+)
+
+diff --git a/arch/arm/xen/mm.c b/arch/arm/xen/mm.c
+index c5f9a9e3d1f3..28d83f536e93 100644
+--- a/arch/arm/xen/mm.c
++++ b/arch/arm/xen/mm.c
+@@ -199,6 +199,7 @@ static struct dma_map_ops xen_swiotlb_dma_ops = {
+ .unmap_page = xen_swiotlb_unmap_page,
+ .dma_supported = xen_swiotlb_dma_supported,
+ .set_dma_mask = xen_swiotlb_set_dma_mask,
++ .mmap = xen_swiotlb_dma_mmap,
+ };
+
+ int __init xen_mm_init(void)
+diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
+index 8a58bbc14de2..622f805fb382 100644
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -680,3 +680,22 @@ xen_swiotlb_set_dma_mask(struct device *dev, u64 dma_mask)
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(xen_swiotlb_set_dma_mask);
++
++/*
++ * Create userspace mapping for the DMA-coherent memory.
++ * This function should be called with the pages from the current domain only,
++ * passing pages mapped from other domains would lead to memory corruption.
++ */
++int
++xen_swiotlb_dma_mmap(struct device *dev, struct vm_area_struct *vma,
++ void *cpu_addr, dma_addr_t dma_addr, size_t size,
++ unsigned long attrs)
++{
++#if defined(CONFIG_ARM) || defined(CONFIG_ARM64)
++ if (__generic_dma_ops(dev)->mmap)
++ return __generic_dma_ops(dev)->mmap(dev, vma, cpu_addr,
++ dma_addr, size, attrs);
++#endif
++ return dma_common_mmap(dev, vma, cpu_addr, dma_addr, size);
++}
++EXPORT_SYMBOL_GPL(xen_swiotlb_dma_mmap);
+diff --git a/include/xen/swiotlb-xen.h b/include/xen/swiotlb-xen.h
+index 8b2eb93ae8ba..fab4fb9c6442 100644
+--- a/include/xen/swiotlb-xen.h
++++ b/include/xen/swiotlb-xen.h
+@@ -58,4 +58,9 @@ xen_swiotlb_dma_supported(struct device *hwdev, u64 mask);
+
+ extern int
+ xen_swiotlb_set_dma_mask(struct device *dev, u64 dma_mask);
++
++extern int
++xen_swiotlb_dma_mmap(struct device *dev, struct vm_area_struct *vma,
++ void *cpu_addr, dma_addr_t dma_addr, size_t size,
++ unsigned long attrs);
+ #endif /* __LINUX_SWIOTLB_XEN_H */
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-042-fix-xen_swiotlb_dma_mmap-prototype.patch b/patches.kernel.org/4.4.90-042-fix-xen_swiotlb_dma_mmap-prototype.patch
new file mode 100644
index 0000000000..8b92aa2335
--- /dev/null
+++ b/patches.kernel.org/4.4.90-042-fix-xen_swiotlb_dma_mmap-prototype.patch
@@ -0,0 +1,55 @@
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 4 Oct 2017 15:51:29 +0200
+Subject: [PATCH] fix xen_swiotlb_dma_mmap prototype
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 228969b4764fe2b0f58ef096f63666196f7b4881
+
+xen_swiotlb_dma_mmap was backported from v4.10, but older
+kernels before commit 00085f1efa38 ("dma-mapping: use unsigned long
+for dma_attrs") use a different signature:
+
+arm/xen/mm.c:202:10: error: initialization from incompatible pointer type [-Werror=incompatible-pointer-types]
+ .mmap = xen_swiotlb_dma_mmap,
+ ^~~~~~~~~~~~~~~~~~~~
+arm/xen/mm.c:202:10: note: (near initialization for 'xen_swiotlb_dma_ops.mmap')
+
+This adapts the patch to the old calling conventions.
+
+Fixes: "swiotlb-xen: implement xen_swiotlb_dma_mmap callback"
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/xen/swiotlb-xen.c | 2 +-
+ include/xen/swiotlb-xen.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
+index 622f805fb382..f7b19c25c3a4 100644
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -689,7 +689,7 @@ EXPORT_SYMBOL_GPL(xen_swiotlb_set_dma_mask);
+ int
+ xen_swiotlb_dma_mmap(struct device *dev, struct vm_area_struct *vma,
+ void *cpu_addr, dma_addr_t dma_addr, size_t size,
+- unsigned long attrs)
++ struct dma_attrs *attrs)
+ {
+ #if defined(CONFIG_ARM) || defined(CONFIG_ARM64)
+ if (__generic_dma_ops(dev)->mmap)
+diff --git a/include/xen/swiotlb-xen.h b/include/xen/swiotlb-xen.h
+index fab4fb9c6442..4d7fdbf20eff 100644
+--- a/include/xen/swiotlb-xen.h
++++ b/include/xen/swiotlb-xen.h
+@@ -62,5 +62,5 @@ xen_swiotlb_set_dma_mask(struct device *dev, u64 dma_mask);
+ extern int
+ xen_swiotlb_dma_mmap(struct device *dev, struct vm_area_struct *vma,
+ void *cpu_addr, dma_addr_t dma_addr, size_t size,
+- unsigned long attrs);
++ struct dma_attrs *attrs);
+ #endif /* __LINUX_SWIOTLB_XEN_H */
+--
+2.14.2
+
diff --git a/patches.kernel.org/4.4.90-043-Linux-4.4.90.patch b/patches.kernel.org/4.4.90-043-Linux-4.4.90.patch
new file mode 100644
index 0000000000..cc68277db3
--- /dev/null
+++ b/patches.kernel.org/4.4.90-043-Linux-4.4.90.patch
@@ -0,0 +1,27 @@
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 5 Oct 2017 09:41:59 +0200
+Subject: [PATCH] Linux 4.4.90
+References: bnc#1012382
+Patch-mainline: 4.4.90
+Git-commit: 37c2d0d3e85014b3e92ea61668c51503965e4c24
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 7e4c46b375b3..ca5aaaf4aef7 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 89
++SUBLEVEL = 90
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+
+--
+2.14.2
+
diff --git a/series.conf b/series.conf
index 389c9c6b7b..246d54e556 100644
--- a/series.conf
+++ b/series.conf
@@ -181,6 +181,49 @@
patches.kernel.org/4.4.89-064-bcache-fix-bch_hprint-crash-and-improve-output.patch
patches.kernel.org/4.4.89-065-ftrace-Fix-memleak-when-unregistering-dynamic-.patch
patches.kernel.org/4.4.89-066-Linux-4.4.89.patch
+ patches.kernel.org/4.4.90-001-cifs-release-auth_key.response-for-reconnect.patch
+ patches.kernel.org/4.4.90-002-mac80211-flush-hw_roc_start-work-before-cancel.patch
+ patches.kernel.org/4.4.90-003-KVM-PPC-Book3S-Fix-race-and-leak-in-kvm_vm_ioc.patch
+ patches.kernel.org/4.4.90-004-tracing-Fix-trace_pipe-behavior-for-instance-t.patch
+ patches.kernel.org/4.4.90-005-tracing-Erase-irqsoff-trace-with-empty-write.patch
+ patches.kernel.org/4.4.90-006-md-raid5-fix-a-race-condition-in-stripe-batch.patch
+ patches.kernel.org/4.4.90-007-md-raid5-preserve-STRIPE_ON_UNPLUG_LIST-in-bre.patch
+ patches.kernel.org/4.4.90-008-scsi-scsi_transport_iscsi-fix-the-issue-that-i.patch
+ patches.kernel.org/4.4.90-009-crypto-talitos-Don-t-provide-setkey-for-non-hm.patch
+ patches.kernel.org/4.4.90-010-crypto-talitos-fix-sha224.patch
+ patches.kernel.org/4.4.90-011-KEYS-fix-writing-past-end-of-user-supplied-buf.patch
+ patches.kernel.org/4.4.90-012-KEYS-prevent-creating-a-different-user-s-keyri.patch
+ patches.kernel.org/4.4.90-013-KEYS-prevent-KEYCTL_READ-on-negative-key.patch
+ patches.kernel.org/4.4.90-014-powerpc-pseries-Fix-parent_dn-reference-leak-i.patch
+ patches.kernel.org/4.4.90-015-Fix-SMB3.1.1-guest-authentication-to-Samba.patch
+ patches.kernel.org/4.4.90-016-SMB-Validate-negotiate-to-protect-against-down.patch
+ patches.kernel.org/4.4.90-017-SMB3-Don-t-ignore-O_SYNC-O_DSYNC-and-O_DIRECT-.patch
+ patches.kernel.org/4.4.90-018-vfs-Return-ENXIO-for-negative-SEEK_HOLE-SEEK_D.patch
+ patches.kernel.org/4.4.90-019-nl80211-check-for-the-required-netlink-attribu.patch
+ patches.kernel.org/4.4.90-020-bsg-lib-don-t-free-job-in-bsg_prepare_job.patch
+ patches.kernel.org/4.4.90-021-seccomp-fix-the-usage-of-get-put_seccomp_filte.patch
+ patches.kernel.org/4.4.90-022-arm64-Make-sure-SPsel-is-always-set.patch
+ patches.kernel.org/4.4.90-023-arm64-fault-Route-pte-translation-faults-via-d.patch
+ patches.kernel.org/4.4.90-024-KVM-VMX-Do-not-BUG-on-out-of-bounds-guest-IRQ.patch
+ patches.kernel.org/4.4.90-025-kvm-nVMX-Don-t-allow-L2-to-access-the-hardware.patch
+ patches.kernel.org/4.4.90-026-PCI-Fix-race-condition-with-driver_override.patch
+ patches.kernel.org/4.4.90-027-btrfs-fix-NULL-pointer-dereference-from-free_r.patch
+ patches.kernel.org/4.4.90-028-btrfs-propagate-error-to-btrfs_cmp_data_prepar.patch
+ patches.kernel.org/4.4.90-029-btrfs-prevent-to-set-invalid-default-subvolid.patch
+ patches.kernel.org/4.4.90-030-x86-fpu-Don-t-let-userspace-set-bogus-xcomp_bv.patch
+ patches.kernel.org/4.4.90-031-gfs2-Fix-debugfs-glocks-dump.patch
+ patches.kernel.org/4.4.90-032-timer-sysclt-Restrict-timer-migration-sysctl-v.patch
+ patches.kernel.org/4.4.90-033-KVM-VMX-do-not-change-SN-bit-in-vmx_update_pi_.patch
+ patches.kernel.org/4.4.90-034-KVM-VMX-remove-WARN_ON_ONCE-in-kvm_vcpu_trigge.patch
+ patches.kernel.org/4.4.90-035-cxl-Fix-driver-use-count.patch
+ patches.kernel.org/4.4.90-036-dmaengine-mmp-pdma-add-number-of-requestors.patch
+ patches.kernel.org/4.4.90-037-ARM-pxa-add-the-number-of-DMA-requestor-lines.patch
+ patches.kernel.org/4.4.90-038-ARM-pxa-fix-the-number-of-DMA-requestor-lines.patch
+ patches.kernel.org/4.4.90-039-KVM-VMX-use-cmpxchg64.patch
+ patches.kernel.org/4.4.90-040-video-fbdev-aty-do-not-leak-uninitialized-padd.patch
+ patches.kernel.org/4.4.90-041-swiotlb-xen-implement-xen_swiotlb_dma_mmap-cal.patch
+ patches.kernel.org/4.4.90-042-fix-xen_swiotlb_dma_mmap-prototype.patch
+ patches.kernel.org/4.4.90-043-Linux-4.4.90.patch
########################################################
# Build fixes that apply to the vanilla kernel too.
@@ -11790,6 +11833,8 @@
patches.drivers/0017-RDMA-bnxt_re-Specify-RDMA-component-when-allocating-.patch
patches.drivers/0018-RDMA-bnxt_re-Update-the-driver-version.patch
patches.drivers/0020-RDMA-bnxt_re-Allow-posting-when-QPs-are-in-error.patch
+ patches.drivers/RDMA-bnxt_re-Implement-the-alloc-get_hw_stats-callba.patch
+ patches.drivers/RDMA-bnxt_re-Allocate-multiple-notification-queues.patch
patches.drivers/i40e-add-private-flag-to-control-source-pruning.patch
patches.drivers/i40e-i40evf-fix-out-of-bounds-read-of-cpumask.patch
@@ -13363,7 +13408,6 @@
patches.fixes/0001-md-use-a-separate-bio_set-for-synchronous-IO.patch
patches.fixes/0001-MD-fix-sleep-in-atomic.patch
- patches.fixes/0001-md-raid5-fix-a-race-condition-in-stripe-batch.patch
# FATE#321488, drivers/md back port upto 4.10, part 1
patches.drivers/0002-md-r5cache-Check-array-size-in-r5l_init_log.patch
@@ -14465,14 +14509,6 @@
patches.drivers/0002-clk-add-clk_unregister_fixed_rate.patch
patches.drivers/0001-clk-fixed-rate-add-clk_hw_unregister_fixed_rate.patch
- # bsc#976705
-
- # bsc#1059051 CVE-2017-14489
- patches.drivers/scsi-scsi_transport_iscsi-fix-the-issue-that.patch
-
- # bsc1058410 - CVE-2017-12153
- patches.fixes/nl80211-check-for-the-required-netlink-attributes-pr.patch
-
#AIO nowait FATE#321994
patches.suse/0001-fs-Separate-out-kiocb-flags-setup-based-on-RWF_-flag.patch
patches.suse/0002-fs-Introduce-filemap_range_has_page.patch
@@ -14803,6 +14839,7 @@
patches.drivers/chelsio-0046-crypto-chcr-Add-ctr-mode-and-process-large-sg-entrie.patch
patches.drivers/chelsio-0047-crypto-chcr-Ensure-Destination-sg-entry-size-less-th.patch
patches.drivers/cxgb4-Fix-stack-out-of-bounds-read-due-to-wrong-size.patch
+ patches.drivers/iw_cxgb4-put-ep-reference-in-pass_accept_req.patch
# bsc#1005779 FATE#321659
patches.drivers/scsi-libcxgbi-fix-skb-use-after-free
@@ -15883,11 +15920,8 @@
patches.fixes/kvm-nvmx-fix-nested-vpid-vmx-exec-control
patches.fixes/kvm-nvmx-fix-nested_vmx_check_msr_bitmap_controls
- # bsc#1058038 - VUL-0: EMBARGOED: CVE-2017-1000252: kernel: KVM denial of service (vmx_update_pi_irte())
- patches.fixes/0001-KVM-VMX-Do-not-BUG-on-out-of-bounds-guest-IRQ.patch
# bsc#1058507 - VUL-0: CVE-2017-12154: kernel-source: kvm: nVMX: L2 guest could access hardware(L0) CR8 register
- patches.fixes/0001-kvm-nVMX-Don-t-allow-L2-to-access-the-hardware-CR8.patch
# bsc#1055935 - Backport KVM pkey fixes from upstream
patches.arch/0001-kvm-x86-simplify-handling-of-pkru
@@ -15897,9 +15931,7 @@
# bsc#1061017 - Evaluate KVM fixes reported by git-fixes on 2017-09-25
patches.arch/0001-kvm-svm-add-a-missing-break-statement
- patches.arch/0002-kvm-vmx-remove-warn_on_once-in-kvm_vcpu_trigger_posted_interrupt
patches.arch/0003-kvm-async_pf-fix-df-due-to-inject-page-not-present-and-page-ready-exceptions-simultaneously
- patches.arch/0004-kvm-vmx-do-not-change-sn-bit-in-vmx_update_pi_irte
########################################################
# IOMMU patches