Home Home > GIT Browse > SLE12-SP4
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohannes Thumshirn <jthumshirn@suse.de>2019-05-21 10:11:53 +0200
committerJohannes Thumshirn <jthumshirn@suse.de>2019-05-21 10:11:53 +0200
commit171f45d297aa60767333144d7ad8b463cbe3c5a3 (patch)
tree8f791e104d2a08884f2afa5c90ba98ba7bdb7f18
parent57e9c31f0c46a9738cddb800d4e7a26aa506c361 (diff)
parent06931d795ab1ba9aff9738e1c08b71f21e0a2d61 (diff)
Merge remote-tracking branch 'origin/SLE15' into SLE12-SP4SLE12-SP4
Conflicts: blacklist.conf
-rw-r--r--blacklist.conf10
-rw-r--r--patches.drivers/serial-fix-race-between-flush_to_ldisc-and-tty_open.patch4
-rw-r--r--patches.drivers/soc-fsl-qe-Fix-an-error-code-in-qe_pin_request.patch38
-rw-r--r--patches.fixes/block-do-not-leak-memory-in-bio_copy_user_iov.patch46
-rw-r--r--patches.fixes/block-fix-the-return-errno-for-direct-IO.patch59
-rw-r--r--patches.fixes/block-fix-use-after-free-on-gendisk.patch135
-rw-r--r--patches.fixes/ext4-actually-request-zeroing-of-inode-table-after-g.patch41
-rw-r--r--patches.fixes/ext4-fix-ext4_show_options-for-file-systems-w-o-jour.patch39
-rw-r--r--patches.fixes/ext4-fix-use-after-free-race-with-debug_want_extra_i.patch105
-rw-r--r--patches.fixes/mm-huge_memory-fix-vmf_insert_pfn_-pmd-pud-crash-han.patch79
-rw-r--r--patches.fixes/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-UFS-.patch38
-rw-r--r--patches.fixes/vsock-virtio-Initialize-core-virtio-vsock-before-reg.patch113
-rw-r--r--patches.suse/TTY-serial_core-add-install.patch128
-rw-r--r--patches.suse/tun-allow-positive-return-values-on-dev_get_valid_na.patch2
-rw-r--r--patches.suse/tun-call-dev_get_valid_name-before-register_netdevic.patch2
-rw-r--r--series.conf11
16 files changed, 846 insertions, 4 deletions
diff --git a/blacklist.conf b/blacklist.conf
index 3d39a0ce08..af8faa524c 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1114,6 +1114,16 @@ f58213637206e190453e3bd91f98f535566290a3 # regulator: missing regulator_lock() A
f7a621728a6a23bfd2c6ac4d3e42e1303aefde0f # regulator: missing regulator_lock() API in SLE15
8be64b6d87bd47d81753b60ddafe70102ebfd76b # regulator: missing regulator_lock() API in SLE15
401e7e88d4ef80188ffa07095ac00456f901b8c4 # base patch missing in SLE12-SP4
+b01531db6cec2aa330dbc91bfbfaaef4a0d387a4 # ext4 encryption not supported and this is rare race with mostly benign consequences
+a5fdd713d256887b5f012608701149fa939e5645 # Just a cleanup
+0bf3d5c1604ecbbd4e49e9f5b3c79152b87adb0d # fscrypt not supported
+71921ef85928e95e3d942c747c9d40443a5ff775 # GFS2 not supported, just a performance optimization
+7959cf3a7506d4a2100d5d6f37f605c2f54af488 # ubifs not supported, no CC to stable
+988bec41318f3fa897e2f8af271bd456936d6caf # ubifs not supported, no CC to stable
+9ca2d732644484488db31123ecd3bf122b551566 # ubifs not supported, no CC to stable
98fdaaca9537b997062f1abc0aa87c61b50ce40a # Duplicate of fc89a38d99d4b1b33ca5b0e2329f5ddea02ecfb5: drm/i915/opregion: fix version check
a0f52c3d357af218a9c1f7cd906ab70426176a1a # Duplicate of 16eb0f34cdf4cf04cd92762c7a79f98aa51e053f: drm/i915/opregion: rvda is relative from opregion base in opregion 2.1+
ed180abba7f1fc3cf04ffa27767b1bcc8e8c842a # sound/hda: breaks kABI
+e2771deb5dece1acde9a406538e4f7ef9262d5cd # recently dropped: drm/sun4i: rgb: Change the pixel clock validation check
+75fdb811d93c8aa4a9f73b63db032b1e6a8668ef # Duplicate of 1e8b15a1988ed3c7429402017d589422628cdf47: drm/i915/gvt: Add in context mmio 0x20D8 to gen9 mmio list
+6fcc44d1d77fea3c7230e4d109b37f6977aa675a # Duplicate of 2c88e3c7ec32d7a40cc7c9b4a487cf90e4671bdd: block: fix use-after-free on gendisk
diff --git a/patches.drivers/serial-fix-race-between-flush_to_ldisc-and-tty_open.patch b/patches.drivers/serial-fix-race-between-flush_to_ldisc-and-tty_open.patch
index 8730ce5efd..d8580a7a50 100644
--- a/patches.drivers/serial-fix-race-between-flush_to_ldisc-and-tty_open.patch
+++ b/patches.drivers/serial-fix-race-between-flush_to_ldisc-and-tty_open.patch
@@ -73,9 +73,9 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
port = uart_port_lock(state, flags);
__uart_start(tty);
uart_port_unlock(port, flags);
-@@ -2403,6 +2406,9 @@ static void uart_poll_put_char(struct tt
- struct uart_state *state = drv->state + line;
+@@ -719,6 +722,9 @@ static void uart_unthrottle(struct tty_s
struct uart_port *port;
+ upstat_t mask = 0;
+ if (!state)
+ return;
diff --git a/patches.drivers/soc-fsl-qe-Fix-an-error-code-in-qe_pin_request.patch b/patches.drivers/soc-fsl-qe-Fix-an-error-code-in-qe_pin_request.patch
new file mode 100644
index 0000000000..386aed57b4
--- /dev/null
+++ b/patches.drivers/soc-fsl-qe-Fix-an-error-code-in-qe_pin_request.patch
@@ -0,0 +1,38 @@
+From 5674a92ca4b7e5a6a19231edd10298d30324cd27 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 28 Mar 2019 17:18:41 +0300
+Subject: [PATCH] soc/fsl/qe: Fix an error code in qe_pin_request()
+Git-commit: 5674a92ca4b7e5a6a19231edd10298d30324cd27
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+We forgot to set "err" on this error path.
+
+Fixes: 1a2d397a6eb5 ("gpio/powerpc: Eliminate duplication of of_get_named_gpio_flags()")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Li Yang <leoyang.li@nxp.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/soc/fsl/qe/gpio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soc/fsl/qe/gpio.c b/drivers/soc/fsl/qe/gpio.c
+index 819bed0f5667..51b3a47b5a55 100644
+--- a/drivers/soc/fsl/qe/gpio.c
++++ b/drivers/soc/fsl/qe/gpio.c
+@@ -179,8 +179,10 @@ struct qe_pin *qe_pin_request(struct device_node *np, int index)
+ if (err < 0)
+ goto err0;
+ gc = gpio_to_chip(err);
+- if (WARN_ON(!gc))
++ if (WARN_ON(!gc)) {
++ err = -ENODEV;
+ goto err0;
++ }
+
+ if (!of_device_is_compatible(gc->of_node, "fsl,mpc8323-qe-pario-bank")) {
+ pr_debug("%s: tried to get a non-qe pin\n", __func__);
+--
+2.16.4
+
diff --git a/patches.fixes/block-do-not-leak-memory-in-bio_copy_user_iov.patch b/patches.fixes/block-do-not-leak-memory-in-bio_copy_user_iov.patch
new file mode 100644
index 0000000000..c54c2fda61
--- /dev/null
+++ b/patches.fixes/block-do-not-leak-memory-in-bio_copy_user_iov.patch
@@ -0,0 +1,46 @@
+From a3761c3c91209b58b6f33bf69dd8bb8ec0c9d925 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Glisse?= <jglisse@redhat.com>
+Date: Wed, 10 Apr 2019 16:27:51 -0400
+Subject: [PATCH] block: do not leak memory in bio_copy_user_iov()
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: a3761c3c91209b58b6f33bf69dd8bb8ec0c9d925
+Patch-mainline: v5.1-rc5
+References: bsc#1135309
+
+When bio_add_pc_page() fails in bio_copy_user_iov() we should free
+the page we just allocated otherwise we are leaking it.
+
+Cc: linux-block@vger.kernel.org
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: stable@vger.kernel.org
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Jérôme Glisse <jglisse@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ block/bio.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/block/bio.c b/block/bio.c
+index b64cedc7f87c..716510ecd7ff 100644
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -1298,8 +1298,11 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
+ }
+ }
+
+- if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes)
++ if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes) {
++ if (!map_data)
++ __free_page(page);
+ break;
++ }
+
+ len -= bytes;
+ offset = 0;
+--
+2.16.4
+
diff --git a/patches.fixes/block-fix-the-return-errno-for-direct-IO.patch b/patches.fixes/block-fix-the-return-errno-for-direct-IO.patch
new file mode 100644
index 0000000000..4b4b6f3a05
--- /dev/null
+++ b/patches.fixes/block-fix-the-return-errno-for-direct-IO.patch
@@ -0,0 +1,59 @@
+From a89afe58f1a74aac768a5eb77af95ef4ee15beaa Mon Sep 17 00:00:00 2001
+From: Jason Yan <yanaijie@huawei.com>
+Date: Fri, 12 Apr 2019 10:09:16 +0800
+Subject: [PATCH] block: fix the return errno for direct IO
+Git-commit: a89afe58f1a74aac768a5eb77af95ef4ee15beaa
+Patch-mainline: v5.1-rc5
+References: bsc#1135320
+
+If the last bio returned is not dio->bio, the status of the bio will
+not assigned to dio->bio if it is error. This will cause the whole IO
+status wrong.
+
+ ksoftirqd/21-117 [021] ..s. 4017.966090: 8,0 C N 4883648 [0]
+ <idle>-0 [018] ..s. 4017.970888: 8,0 C WS 4924800 + 1024 [0]
+ <idle>-0 [018] ..s. 4017.970909: 8,0 D WS 4935424 + 1024 [<idle>]
+ <idle>-0 [018] ..s. 4017.970924: 8,0 D WS 4936448 + 321 [<idle>]
+ ksoftirqd/21-117 [021] ..s. 4017.995033: 8,0 C R 4883648 + 336 [65475]
+ ksoftirqd/21-117 [021] d.s. 4018.001988: myprobe1: (blkdev_bio_end_io+0x0/0x168) bi_status=7
+ ksoftirqd/21-117 [021] d.s. 4018.001992: myprobe: (aio_complete_rw+0x0/0x148) x0=0xffff802f2595ad80 res=0x12a000 res2=0x0
+
+We always have to assign bio->bi_status to dio->bio.bi_status because we
+will only check dio->bio.bi_status when we return the whole IO to
+the upper layer.
+
+Fixes: 542ff7bf18c6 ("block: new direct I/O implementation")
+Cc: stable@vger.kernel.org
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Jens Axboe <axboe@kernel.dk>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/block_dev.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/block_dev.c b/fs/block_dev.c
+index 78d3257435c0..24615c76c1d0 100644
+--- a/fs/block_dev.c
++++ b/fs/block_dev.c
+@@ -307,10 +307,10 @@ static void blkdev_bio_end_io(struct bio *bio)
+ struct blkdev_dio *dio = bio->bi_private;
+ bool should_dirty = dio->should_dirty;
+
+- if (dio->multi_bio && !atomic_dec_and_test(&dio->ref)) {
+- if (bio->bi_status && !dio->bio.bi_status)
+- dio->bio.bi_status = bio->bi_status;
+- } else {
++ if (bio->bi_status && !dio->bio.bi_status)
++ dio->bio.bi_status = bio->bi_status;
++
++ if (!dio->multi_bio || atomic_dec_and_test(&dio->ref)) {
+ if (!dio->is_sync) {
+ struct kiocb *iocb = dio->iocb;
+ ssize_t ret;
+--
+2.16.4
+
diff --git a/patches.fixes/block-fix-use-after-free-on-gendisk.patch b/patches.fixes/block-fix-use-after-free-on-gendisk.patch
new file mode 100644
index 0000000000..a2a239138c
--- /dev/null
+++ b/patches.fixes/block-fix-use-after-free-on-gendisk.patch
@@ -0,0 +1,135 @@
+From 2c88e3c7ec32d7a40cc7c9b4a487cf90e4671bdd Mon Sep 17 00:00:00 2001
+From: Yufen Yu <yuyufen@huawei.com>
+Date: Tue, 2 Apr 2019 20:06:34 +0800
+Subject: [PATCH] block: fix use-after-free on gendisk
+Git-commit: 2c88e3c7ec32d7a40cc7c9b4a487cf90e4671bdd
+Patch-mainline: v5.2-rc1
+References: bsc#1135312
+
+commit 2da78092dda "block: Fix dev_t minor allocation lifetime"
+specifically moved blk_free_devt(dev->devt) call to part_release()
+to avoid reallocating device number before the device is fully
+shutdown.
+
+However, it can cause use-after-free on gendisk in get_gendisk().
+We use md device as example to show the race scenes:
+
+Process1 Worker Process2
+md_free
+ blkdev_open
+del_gendisk
+ add delete_partition_work_fn() to wq
+ __blkdev_get
+ get_gendisk
+put_disk
+ disk_release
+ kfree(disk)
+ find part from ext_devt_idr
+ get_disk_and_module(disk)
+ cause use after free
+
+ delete_partition_work_fn
+ put_device(part)
+ part_release
+ remove part from ext_devt_idr
+
+Before <devt, hd_struct pointer> is removed from ext_devt_idr by
+delete_partition_work_fn(), we can find the devt and then access
+gendisk by hd_struct pointer. But, if we access the gendisk after
+it have been freed, it can cause in use-after-freeon gendisk in
+get_gendisk().
+
+We fix this by adding a new helper blk_invalidate_devt() in
+delete_partition() and del_gendisk(). It replaces hd_struct
+pointer in idr with value 'NULL', and deletes the entry from
+idr in part_release() as we do now.
+
+Thanks to Jan Kara for providing the solution and more clear comments
+for the code.
+
+Fixes: 2da78092dda1 ("block: Fix dev_t minor allocation lifetime")
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ block/genhd.c | 19 +++++++++++++++++++
+ block/partition-generic.c | 7 +++++++
+ include/linux/genhd.h | 1 +
+ 3 files changed, 27 insertions(+)
+
+diff --git a/block/genhd.c b/block/genhd.c
+index 1d0d25f7b0fe..83f5c33d1e80 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -531,6 +531,18 @@ void blk_free_devt(dev_t devt)
+ }
+ }
+
++/**
++ * We invalidate devt by assigning NULL pointer for devt in idr.
++ */
++void blk_invalidate_devt(dev_t devt)
++{
++ if (MAJOR(devt) == BLOCK_EXT_MAJOR) {
++ spin_lock_bh(&ext_devt_lock);
++ idr_replace(&ext_devt_idr, NULL, blk_mangle_minor(MINOR(devt)));
++ spin_unlock_bh(&ext_devt_lock);
++ }
++}
++
+ static char *bdevt_str(dev_t devt, char *buf)
+ {
+ if (MAJOR(devt) <= 0xff && MINOR(devt) <= 0xff) {
+@@ -793,6 +805,13 @@ void del_gendisk(struct gendisk *disk)
+
+ if (!(disk->flags & GENHD_FL_HIDDEN))
+ blk_unregister_region(disk_devt(disk), disk->minors);
++ /*
++ * Remove gendisk pointer from idr so that it cannot be looked up
++ * while RCU period before freeing gendisk is running to prevent
++ * use-after-free issues. Note that the device number stays
++ * "in-use" until we really free the gendisk.
++ */
++ blk_invalidate_devt(disk_devt(disk));
+
+ kobject_put(disk->part0.holder_dir);
+ kobject_put(disk->slave_dir);
+diff --git a/block/partition-generic.c b/block/partition-generic.c
+index 8e596a8dff32..aee643ce13d1 100644
+--- a/block/partition-generic.c
++++ b/block/partition-generic.c
+@@ -285,6 +285,13 @@ void delete_partition(struct gendisk *disk, int partno)
+ kobject_put(part->holder_dir);
+ device_del(part_to_dev(part));
+
++ /*
++ * Remove gendisk pointer from idr so that it cannot be looked up
++ * while RCU period before freeing gendisk is running to prevent
++ * use-after-free issues. Note that the device number stays
++ * "in-use" until we really free the gendisk.
++ */
++ blk_invalidate_devt(part_devt(part));
+ hd_struct_kill(part);
+ }
+
+diff --git a/include/linux/genhd.h b/include/linux/genhd.h
+index 6547c9256d5c..8b5330dd5ac0 100644
+--- a/include/linux/genhd.h
++++ b/include/linux/genhd.h
+@@ -617,6 +617,7 @@ struct unixware_disklabel {
+
+ extern int blk_alloc_devt(struct hd_struct *part, dev_t *devt);
+ extern void blk_free_devt(dev_t devt);
++extern void blk_invalidate_devt(dev_t devt);
+ extern dev_t blk_lookup_devt(const char *name, int partno);
+ extern char *disk_name (struct gendisk *hd, int partno, char *buf);
+
+--
+2.16.4
+
diff --git a/patches.fixes/ext4-actually-request-zeroing-of-inode-table-after-g.patch b/patches.fixes/ext4-actually-request-zeroing-of-inode-table-after-g.patch
new file mode 100644
index 0000000000..79dc98bdc3
--- /dev/null
+++ b/patches.fixes/ext4-actually-request-zeroing-of-inode-table-after-g.patch
@@ -0,0 +1,41 @@
+From 310a997fd74de778b9a4848a64be9cda9f18764a Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+Date: Thu, 25 Apr 2019 13:06:18 -0400
+Subject: [PATCH] ext4: actually request zeroing of inode table after grow
+Git-commit: 310a997fd74de778b9a4848a64be9cda9f18764a
+Patch-mainline: v5.2-rc1
+References: bsc#1135315
+
+It is never possible, that number of block groups decreases,
+since only online grow is supported.
+
+But after a growing occured, we have to zero inode tables
+for just created new block groups.
+
+Fixes: 19c5246d2516 ("ext4: add new online resize interface")
+Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
+index bab3da4f1e0d..20faa6a69238 100644
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -978,7 +978,7 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+ if (err == 0)
+ err = err2;
+ mnt_drop_write_file(filp);
+- if (!err && (o_group > EXT4_SB(sb)->s_groups_count) &&
++ if (!err && (o_group < EXT4_SB(sb)->s_groups_count) &&
+ ext4_has_group_desc_csum(sb) &&
+ test_opt(sb, INIT_INODE_TABLE))
+ err = ext4_register_li_request(sb, o_group);
+--
+2.16.4
+
diff --git a/patches.fixes/ext4-fix-ext4_show_options-for-file-systems-w-o-jour.patch b/patches.fixes/ext4-fix-ext4_show_options-for-file-systems-w-o-jour.patch
new file mode 100644
index 0000000000..32e7d064c0
--- /dev/null
+++ b/patches.fixes/ext4-fix-ext4_show_options-for-file-systems-w-o-jour.patch
@@ -0,0 +1,39 @@
+From 50b29d8f033a7c88c5bc011abc2068b1691ab755 Mon Sep 17 00:00:00 2001
+From: Debabrata Banerjee <dbanerje@akamai.com>
+Date: Tue, 30 Apr 2019 23:08:15 -0400
+Subject: [PATCH] ext4: fix ext4_show_options for file systems w/o journal
+Git-commit: 50b29d8f033a7c88c5bc011abc2068b1691ab755
+Patch-mainline: v5.2-rc1
+References: bsc#1135316
+
+Instead of removing EXT4_MOUNT_JOURNAL_CHECKSUM from s_def_mount_opt as
+I assume was intended, all other options were blown away leading to
+_ext4_show_options() output being incorrect.
+
+Fixes: 1e381f60dad9 ("ext4: do not allow journal_opts for fs w/o journal")
+Signed-off-by: Debabrata Banerjee <dbanerje@akamai.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index aeb6d22ea0ad..fc6fa2c93e77 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -4349,7 +4349,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
+ "data=, fs mounted w/o journal");
+ goto failed_mount_wq;
+ }
+- sbi->s_def_mount_opt &= EXT4_MOUNT_JOURNAL_CHECKSUM;
++ sbi->s_def_mount_opt &= ~EXT4_MOUNT_JOURNAL_CHECKSUM;
+ clear_opt(sb, JOURNAL_CHECKSUM);
+ clear_opt(sb, DATA_FLAGS);
+ sbi->s_journal = NULL;
+--
+2.16.4
+
diff --git a/patches.fixes/ext4-fix-use-after-free-race-with-debug_want_extra_i.patch b/patches.fixes/ext4-fix-use-after-free-race-with-debug_want_extra_i.patch
new file mode 100644
index 0000000000..a7215eb4ba
--- /dev/null
+++ b/patches.fixes/ext4-fix-use-after-free-race-with-debug_want_extra_i.patch
@@ -0,0 +1,105 @@
+From 7bc04c5c2cc467c5b40f2b03ba08da174a0d5fa7 Mon Sep 17 00:00:00 2001
+From: Barret Rhoden <brho@google.com>
+Date: Thu, 25 Apr 2019 11:55:50 -0400
+Subject: [PATCH] ext4: fix use-after-free race with debug_want_extra_isize
+Git-commit: 7bc04c5c2cc467c5b40f2b03ba08da174a0d5fa7
+Patch-mainline: v5.2-rc1
+References: bsc#1135314
+
+When remounting with debug_want_extra_isize, we were not performing the
+same checks that we do during a normal mount. That allowed us to set a
+value for s_want_extra_isize that reached outside the s_inode_size.
+
+Fixes: e2b911c53584 ("ext4: clean up feature test macros with predicate functions")
+Reported-by: syzbot+f584efa0ac7213c226b7@syzkaller.appspotmail.com
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Barret Rhoden <brho@google.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/super.c | 58 ++++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 34 insertions(+), 24 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3425,6 +3425,37 @@ int ext4_calculate_overhead(struct super
+ return 0;
+ }
+
++static void ext4_clamp_want_extra_isize(struct super_block *sb)
++{
++ struct ext4_sb_info *sbi = EXT4_SB(sb);
++ struct ext4_super_block *es = sbi->s_es;
++
++ /* determine the minimum size of new large inodes, if present */
++ if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE &&
++ sbi->s_want_extra_isize == 0) {
++ sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
++ EXT4_GOOD_OLD_INODE_SIZE;
++ if (ext4_has_feature_extra_isize(sb)) {
++ if (sbi->s_want_extra_isize <
++ le16_to_cpu(es->s_want_extra_isize))
++ sbi->s_want_extra_isize =
++ le16_to_cpu(es->s_want_extra_isize);
++ if (sbi->s_want_extra_isize <
++ le16_to_cpu(es->s_min_extra_isize))
++ sbi->s_want_extra_isize =
++ le16_to_cpu(es->s_min_extra_isize);
++ }
++ }
++ /* Check if enough inode space is available */
++ if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
++ sbi->s_inode_size) {
++ sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
++ EXT4_GOOD_OLD_INODE_SIZE;
++ ext4_msg(sb, KERN_INFO,
++ "required extra inode space not available");
++ }
++}
++
+ static void ext4_set_resv_clusters(struct super_block *sb)
+ {
+ ext4_fsblk_t resv_clusters;
+@@ -4259,30 +4290,7 @@ no_journal:
+ if (ext4_setup_super(sb, es, sb->s_flags & MS_RDONLY))
+ sb->s_flags |= MS_RDONLY;
+
+- /* determine the minimum size of new large inodes, if present */
+- if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE &&
+- sbi->s_want_extra_isize == 0) {
+- sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
+- EXT4_GOOD_OLD_INODE_SIZE;
+- if (ext4_has_feature_extra_isize(sb)) {
+- if (sbi->s_want_extra_isize <
+- le16_to_cpu(es->s_want_extra_isize))
+- sbi->s_want_extra_isize =
+- le16_to_cpu(es->s_want_extra_isize);
+- if (sbi->s_want_extra_isize <
+- le16_to_cpu(es->s_min_extra_isize))
+- sbi->s_want_extra_isize =
+- le16_to_cpu(es->s_min_extra_isize);
+- }
+- }
+- /* Check if enough inode space is available */
+- if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
+- sbi->s_inode_size) {
+- sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
+- EXT4_GOOD_OLD_INODE_SIZE;
+- ext4_msg(sb, KERN_INFO, "required extra inode space not"
+- "available");
+- }
++ ext4_clamp_want_extra_isize(sb);
+
+ ext4_set_resv_clusters(sb);
+
+@@ -5064,6 +5072,8 @@ static int ext4_remount(struct super_blo
+ goto restore_opts;
+ }
+
++ ext4_clamp_want_extra_isize(sb);
++
+ if ((old_opts.s_mount_opt & EXT4_MOUNT_JOURNAL_CHECKSUM) ^
+ test_opt(sb, JOURNAL_CHECKSUM)) {
+ ext4_msg(sb, KERN_ERR, "changing journal_checksum "
diff --git a/patches.fixes/mm-huge_memory-fix-vmf_insert_pfn_-pmd-pud-crash-han.patch b/patches.fixes/mm-huge_memory-fix-vmf_insert_pfn_-pmd-pud-crash-han.patch
new file mode 100644
index 0000000000..4529e50b35
--- /dev/null
+++ b/patches.fixes/mm-huge_memory-fix-vmf_insert_pfn_-pmd-pud-crash-han.patch
@@ -0,0 +1,79 @@
+From fce86ff5802bac3a7b19db171aa1949ef9caac31 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Mon, 13 May 2019 17:15:33 -0700
+Subject: [PATCH] mm/huge_memory: fix vmf_insert_pfn_{pmd, pud}() crash, handle
+ unaligned addresses
+Git-commit: fce86ff5802bac3a7b19db171aa1949ef9caac31
+Patch-mainline: v5.2-rc1
+References: bsc#1135330
+
+Starting with c6f3c5ee40c1 ("mm/huge_memory.c: fix modifying of page
+protection by insert_pfn_pmd()") vmf_insert_pfn_pmd() internally calls
+pmdp_set_access_flags(). That helper enforces a pmd aligned @address
+argument via VM_BUG_ON() assertion.
+
+Update the implementation to take a 'struct vm_fault' argument directly
+and apply the address alignment fixup internally to fix crash signatures
+Like:
+
+ kernel BUG at arch/x86/mm/pgtable.c:515!
+ invalid opcode: 0000 [#1] SMP NOPTI
+ CPU: 51 PID: 43713 Comm: java Tainted: G OE 4.19.35 #1
+ [..]
+ RIP: 0010:pmdp_set_access_flags+0x48/0x50
+ [..]
+ Call Trace:
+ vmf_insert_pfn_pmd+0x198/0x350
+ dax_iomap_fault+0xe82/0x1190
+ ext4_dax_huge_fault+0x103/0x1f0
+ ? __switch_to_asm+0x40/0x70
+ __handle_mm_fault+0x3f6/0x1370
+ ? __switch_to_asm+0x34/0x70
+ ? __switch_to_asm+0x40/0x70
+ handle_mm_fault+0xda/0x200
+ __do_page_fault+0x249/0x4f0
+ do_page_fault+0x32/0x110
+ ? page_fault+0x8/0x30
+ page_fault+0x1e/0x30
+
+Link: http://lkml.kernel.org/r/155741946350.372037.11148198430068238140.stgit@dwillia2-desk3.amr.corp.intel.com
+Fixes: c6f3c5ee40c1 ("mm/huge_memory.c: fix modifying of page protection by insert_pfn_pmd()")
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Reported-by: Piotr Balcer <piotr.balcer@intel.com>
+Tested-by: Yan Ma <yan.ma@intel.com>
+Tested-by: Pankaj Gupta <pagupta@redhat.com>
+Reviewed-by: Matthew Wilcox <willy@infradead.org>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Cc: Chandan Rajendra <chandan@linux.ibm.com>
+Cc: Souptick Joarder <jrdr.linux@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Jan Kara <jack@suse.cz>
+[JK: Removed changes in vmf_insert_pfn_pmd/pud() prototypes to maintain kABI]
+
+---
+ mm/huge_memory.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -780,6 +780,8 @@ int vmf_insert_pfn_pmd(struct vm_area_st
+ {
+ pgprot_t pgprot = vma->vm_page_prot;
+ pgtable_t pgtable = NULL;
++
++ addr &= PMD_MASK;
+ /*
+ * If we had pmd_special, we could avoid all these restrictions,
+ * but we need to be consistent with PTEs and architectures that
+@@ -855,6 +857,8 @@ int vmf_insert_pfn_pud(struct vm_area_st
+ pud_t *pud, pfn_t pfn, bool write)
+ {
+ pgprot_t pgprot = vma->vm_page_prot;
++
++ addr &= PUD_MASK;
+ /*
+ * If we had pud_special, we could avoid all these restrictions,
+ * but we need to be consistent with PTEs and architectures that
diff --git a/patches.fixes/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-UFS-.patch b/patches.fixes/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-UFS-.patch
new file mode 100644
index 0000000000..24e5cafecf
--- /dev/null
+++ b/patches.fixes/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-UFS-.patch
@@ -0,0 +1,38 @@
+From 4e9036042fedaffcd868d7f7aa948756c48c637d Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 1 May 2019 22:46:11 -0400
+Subject: [PATCH] ufs: fix braino in ufs_get_inode_gid() for solaris UFS
+ flavour
+Git-commit: 4e9036042fedaffcd868d7f7aa948756c48c637d
+Patch-mainline: v5.1
+References: bsc#1135323
+
+To choose whether to pick the GID from the old (16bit) or new (32bit)
+field, we should check if the old gid field is set to 0xffff. Mainline
+checks the old *UID* field instead - cut'n'paste from the corresponding
+code in ufs_get_inode_uid().
+
+Fixes: 252e211e90ce
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ufs/util.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ufs/util.h b/fs/ufs/util.h
+index 1fd3011ea623..7fd4802222b8 100644
+--- a/fs/ufs/util.h
++++ b/fs/ufs/util.h
+@@ -229,7 +229,7 @@ ufs_get_inode_gid(struct super_block *sb, struct ufs_inode *inode)
+ case UFS_UID_44BSD:
+ return fs32_to_cpu(sb, inode->ui_u3.ui_44.ui_gid);
+ case UFS_UID_EFT:
+- if (inode->ui_u1.oldids.ui_suid == 0xFFFF)
++ if (inode->ui_u1.oldids.ui_sgid == 0xFFFF)
+ return fs32_to_cpu(sb, inode->ui_u3.ui_sun.ui_gid);
+ /* Fall through */
+ default:
+--
+2.16.4
+
diff --git a/patches.fixes/vsock-virtio-Initialize-core-virtio-vsock-before-reg.patch b/patches.fixes/vsock-virtio-Initialize-core-virtio-vsock-before-reg.patch
new file mode 100644
index 0000000000..da0d0c5f09
--- /dev/null
+++ b/patches.fixes/vsock-virtio-Initialize-core-virtio-vsock-before-reg.patch
@@ -0,0 +1,113 @@
+From ba95e5dfd36647622d8897a2a0470dde60e59ffd Mon Sep 17 00:00:00 2001
+From: "Jorge E. Moreira" <jemoreira@google.com>
+Date: Thu, 16 May 2019 13:51:07 -0700
+Subject: [PATCH] vsock/virtio: Initialize core virtio vsock before registering the driver
+Git-commit: ba95e5dfd36647622d8897a2a0470dde60e59ffd
+Patch-mainline: v5.2-rc2
+References: bsc#1051510
+
+Avoid a race in which static variables in net/vmw_vsock/af_vsock.c are
+accessed (while handling interrupts) before they are initialized.
+
+[ 4.201410] BUG: unable to handle kernel paging request at ffffffffffffffe8
+[ 4.207829] IP: vsock_addr_equals_addr+0x3/0x20
+[ 4.211379] PGD 28210067 P4D 28210067 PUD 28212067 PMD 0
+[ 4.211379] Oops: 0000 [#1] PREEMPT SMP PTI
+[ 4.211379] Modules linked in:
+[ 4.211379] CPU: 1 PID: 30 Comm: kworker/1:1 Not tainted 4.14.106-419297-gd7e28cc1f241 #1
+[ 4.211379] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+[ 4.211379] Workqueue: virtio_vsock virtio_transport_rx_work
+[ 4.211379] task: ffffa3273d175280 task.stack: ffffaea1800e8000
+[ 4.211379] RIP: 0010:vsock_addr_equals_addr+0x3/0x20
+[ 4.211379] RSP: 0000:ffffaea1800ebd28 EFLAGS: 00010286
+[ 4.211379] RAX: 0000000000000002 RBX: 0000000000000000 RCX: ffffffffb94e42f0
+[ 4.211379] RDX: 0000000000000400 RSI: ffffffffffffffe0 RDI: ffffaea1800ebdd0
+[ 4.211379] RBP: ffffaea1800ebd58 R08: 0000000000000001 R09: 0000000000000001
+[ 4.211379] R10: 0000000000000000 R11: ffffffffb89d5d60 R12: ffffaea1800ebdd0
+[ 4.211379] R13: 00000000828cbfbf R14: 0000000000000000 R15: ffffaea1800ebdc0
+[ 4.211379] FS: 0000000000000000(0000) GS:ffffa3273fd00000(0000) knlGS:0000000000000000
+[ 4.211379] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 4.211379] CR2: ffffffffffffffe8 CR3: 000000002820e001 CR4: 00000000001606e0
+[ 4.211379] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 4.211379] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 4.211379] Call Trace:
+[ 4.211379] ? vsock_find_connected_socket+0x6c/0xe0
+[ 4.211379] virtio_transport_recv_pkt+0x15f/0x740
+[ 4.211379] ? detach_buf+0x1b5/0x210
+[ 4.211379] virtio_transport_rx_work+0xb7/0x140
+[ 4.211379] process_one_work+0x1ef/0x480
+[ 4.211379] worker_thread+0x312/0x460
+[ 4.211379] kthread+0x132/0x140
+[ 4.211379] ? process_one_work+0x480/0x480
+[ 4.211379] ? kthread_destroy_worker+0xd0/0xd0
+[ 4.211379] ret_from_fork+0x35/0x40
+[ 4.211379] Code: c7 47 08 00 00 00 00 66 c7 07 28 00 c7 47 08 ff ff ff ff c7 47 04 ff ff ff ff c3 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 8b 47 08 <3b> 46 08 75 0a 8b 47 04 3b 46 04 0f 94 c0 c3 31 c0 c3 90 66 2e
+[ 4.211379] RIP: vsock_addr_equals_addr+0x3/0x20 RSP: ffffaea1800ebd28
+[ 4.211379] CR2: ffffffffffffffe8
+[ 4.211379] ---[ end trace f31cc4a2e6df3689 ]---
+[ 4.211379] Kernel panic - not syncing: Fatal exception in interrupt
+[ 4.211379] Kernel Offset: 0x37000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+[ 4.211379] Rebooting in 5 seconds..
+
+Fixes: 22b5c0b63f32 ("vsock/virtio: fix kernel panic after device hot-unplug")
+Cc: Stefan Hajnoczi <stefanha@redhat.com>
+Cc: Stefano Garzarella <sgarzare@redhat.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: kvm@vger.kernel.org
+Cc: virtualization@lists.linux-foundation.org
+Cc: netdev@vger.kernel.org
+Cc: kernel-team@android.com
+Cc: stable@vger.kernel.org [4.9+]
+Signed-off-by: Jorge E. Moreira <jemoreira@google.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/vmw_vsock/virtio_transport.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c
+index 15eb5d3d4750..96ab344f17bb 100644
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -702,28 +702,27 @@ static int __init virtio_vsock_init(void)
+ if (!virtio_vsock_workqueue)
+ return -ENOMEM;
+
+- ret = register_virtio_driver(&virtio_vsock_driver);
++ ret = vsock_core_init(&virtio_transport.transport);
+ if (ret)
+ goto out_wq;
+
+- ret = vsock_core_init(&virtio_transport.transport);
++ ret = register_virtio_driver(&virtio_vsock_driver);
+ if (ret)
+- goto out_vdr;
++ goto out_vci;
+
+ return 0;
+
+-out_vdr:
+- unregister_virtio_driver(&virtio_vsock_driver);
++out_vci:
++ vsock_core_exit();
+ out_wq:
+ destroy_workqueue(virtio_vsock_workqueue);
+ return ret;
+-
+ }
+
+ static void __exit virtio_vsock_exit(void)
+ {
+- vsock_core_exit();
+ unregister_virtio_driver(&virtio_vsock_driver);
++ vsock_core_exit();
+ destroy_workqueue(virtio_vsock_workqueue);
+ }
+
+--
+2.16.4
+
diff --git a/patches.suse/TTY-serial_core-add-install.patch b/patches.suse/TTY-serial_core-add-install.patch
new file mode 100644
index 0000000000..c70ad23c1a
--- /dev/null
+++ b/patches.suse/TTY-serial_core-add-install.patch
@@ -0,0 +1,128 @@
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Wed, 17 Apr 2019 10:58:53 +0200
+Subject: TTY: serial_core, add ->install
+Git-commit: 4cdd17ba1dff20ffc99fdbd2e6f0201fc7fe67df
+Patch-mainline: v5.2-rc1
+References: bnc#1129693
+
+We need to compute the uart state only on the first open. This is
+usually what is done in the ->install hook. serial_core used to do this
+in ->open on every open. So move it to ->install.
+
+As a side effect, it ensures the state is set properly in the window
+after tty_init_dev is called, but before uart_open. This fixes a bunch
+of races between tty_open and flush_to_ldisc we were dealing with
+recently.
+
+One of such bugs was attempted to fix in commit fedb5760648a (serial:
+fix race between flush_to_ldisc and tty_open), but it only took care of
+a couple of functions (uart_start and uart_unthrottle). I was able to
+reproduce the crash on a SLE system, but in uart_write_room which is
+also called from flush_to_ldisc via process_echoes. I was *unable* to
+reproduce the bug locally. It is due to having this patch in my queue
+since 2012!
+
+ general protection fault: 0000 [#1] SMP KASAN PTI
+ CPU: 1 PID: 5 Comm: kworker/u4:0 Tainted: G L 4.12.14-396-default #1 SLE15-SP1 (unreleased)
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c89-prebuilt.qemu.org 04/01/2014
+ Workqueue: events_unbound flush_to_ldisc
+ task: ffff8800427d8040 task.stack: ffff8800427f0000
+ RIP: 0010:uart_write_room+0xc4/0x590
+ RSP: 0018:ffff8800427f7088 EFLAGS: 00010202
+ RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
+ RDX: 000000000000002f RSI: 00000000000000ee RDI: ffff88003888bd90
+ RBP: ffffffffb9545850 R08: 0000000000000001 R09: 0000000000000400
+ R10: ffff8800427d825c R11: 000000000000006e R12: 1ffff100084fee12
+ R13: ffffc900004c5000 R14: ffff88003888bb28 R15: 0000000000000178
+ FS: 0000000000000000(0000) GS:ffff880043300000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000561da0794148 CR3: 000000000ebf4000 CR4: 00000000000006e0
+ Call Trace:
+ tty_write_room+0x6d/0xc0
+ __process_echoes+0x55/0x870
+ n_tty_receive_buf_common+0x105e/0x26d0
+ tty_ldisc_receive_buf+0xb7/0x1c0
+ tty_port_default_receive_buf+0x107/0x180
+ flush_to_ldisc+0x35d/0x5c0
+...
+
+0 in rbx means tty->driver_data is NULL in uart_write_room. 0x178 is
+tried to be dereferenced (0x178 >> 3 is 0x2f in rdx) at
+uart_write_room+0xc4. 0x178 is exactly (struct uart_state *)NULL->refcount
+used in uart_port_lock from uart_write_room.
+
+So revert the upstream commit here as my local patch should fix the
+whole family.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: Li RongQing <lirongqing@baidu.com>
+Cc: Wang Li <wangli39@baidu.com>
+Cc: Zhang Yu <zhangyu31@baidu.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/serial_core.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -143,9 +143,6 @@ static void uart_start(struct tty_struct
+ struct uart_port *port;
+ unsigned long flags;
+
+- if (!state)
+- return;
+-
+ port = uart_port_lock(state, flags);
+ __uart_start(tty);
+ uart_port_unlock(port, flags);
+@@ -722,9 +719,6 @@ static void uart_unthrottle(struct tty_s
+ struct uart_port *port;
+ upstat_t mask = 0;
+
+- if (!state)
+- return;
+-
+ port = uart_port_ref(state);
+ if (!port)
+ return;
+@@ -1707,6 +1701,16 @@ static void uart_dtr_rts(struct tty_port
+ uart_port_deref(uport);
+ }
+
++static int uart_install(struct tty_driver *driver, struct tty_struct *tty)
++{
++ struct uart_driver *drv = driver->driver_state;
++ struct uart_state *state = drv->state + tty->index;
++
++ tty->driver_data = state;
++
++ return tty_standard_install(driver, tty);
++}
++
+ /*
+ * Calls to uart_open are serialised by the tty_lock in
+ * drivers/tty/tty_io.c:tty_open()
+@@ -1719,11 +1723,8 @@ static void uart_dtr_rts(struct tty_port
+ */
+ static int uart_open(struct tty_struct *tty, struct file *filp)
+ {
+- struct uart_driver *drv = tty->driver->driver_state;
+- int retval, line = tty->index;
+- struct uart_state *state = drv->state + line;
+-
+- tty->driver_data = state;
++ struct uart_state *state = tty->driver_data;
++ int retval;
+
+ retval = tty_port_open(&state->port, tty, filp);
+ if (retval > 0)
+@@ -2421,6 +2422,7 @@ static void uart_poll_put_char(struct tt
+ #endif
+
+ static const struct tty_operations uart_ops = {
++ .install = uart_install,
+ .open = uart_open,
+ .close = uart_close,
+ .write = uart_write,
diff --git a/patches.suse/tun-allow-positive-return-values-on-dev_get_valid_na.patch b/patches.suse/tun-allow-positive-return-values-on-dev_get_valid_na.patch
index f5a9202739..1213f3350c 100644
--- a/patches.suse/tun-allow-positive-return-values-on-dev_get_valid_na.patch
+++ b/patches.suse/tun-allow-positive-return-values-on-dev_get_valid_na.patch
@@ -3,7 +3,7 @@ Date: Wed, 25 Oct 2017 11:50:50 -0700
Subject: tun: allow positive return values on dev_get_valid_name() call
Git-commit: 5c25f65fd1e42685f7ccd80e0621829c105785d9
Patch-mainline: v4.14-rc7
-References: networking-stable-17_11_14
+References: networking-stable-17_11_14, CVE-2018-7191, bsc#1135603
If the name argument of dev_get_valid_name() contains "%d", it will try
to assign it a unit number in __dev__alloc_name() and return either the
diff --git a/patches.suse/tun-call-dev_get_valid_name-before-register_netdevic.patch b/patches.suse/tun-call-dev_get_valid_name-before-register_netdevic.patch
index 776b56d4d7..a92f442870 100644
--- a/patches.suse/tun-call-dev_get_valid_name-before-register_netdevic.patch
+++ b/patches.suse/tun-call-dev_get_valid_name-before-register_netdevic.patch
@@ -3,7 +3,7 @@ Date: Fri, 13 Oct 2017 11:58:53 -0700
Subject: tun: call dev_get_valid_name() before register_netdevice()
Git-commit: 0ad646c81b2182f7fa67ec0c8c825e0ee165696d
Patch-mainline: v4.14-rc6
-References: networking-stable-17_11_14
+References: networking-stable-17_11_14, CVE-2018-7191, bsc#1135603
register_netdevice() could fail early when we have an invalid
dev name, in which case ->ndo_uninit() is not called. For tun
diff --git a/series.conf b/series.conf
index 3606ed74ae..59f535c536 100644
--- a/series.conf
+++ b/series.conf
@@ -22055,6 +22055,8 @@
patches.fixes/clk-x86-Add-system-specific-quirk-to-mark-clocks-as-.patch
patches.drivers/platform-x86-pmc_atom-Drop-__initconst-on-dmi-table.patch
patches.fixes/virtio-blk-limit-number-of-hw-queues-by-nr_cpu_ids.patch
+ patches.fixes/block-do-not-leak-memory-in-bio_copy_user_iov.patch
+ patches.fixes/block-fix-the-return-errno-for-direct-IO.patch
patches.arch/svm-avic-fix-invalidate-logical-apic-id-entry
patches.arch/kvm-x86-svm-make-sure-nmi-is-injected-after-nmi_singlestep
patches.arch/kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu
@@ -22129,6 +22131,7 @@
patches.drivers/ALSA-hda-realtek-Fixed-Dell-AIO-speaker-noise.patch
patches.drivers/ALSA-line6-use-dynamic-buffers.patch
patches.drivers/ALSA-hda-realtek-Apply-the-fixup-for-ASUS-Q325UAR.patch
+ patches.fixes/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-UFS-.patch
patches.arch/cpu-speculation-add-mitigations-cmdline-option.patch
patches.arch/x86-speculation-support-mitigations-cmdline-option.patch
patches.arch/powerpc-speculation-support-mitigations-cmdline-option.patch
@@ -22179,8 +22182,12 @@
patches.fixes/Revert-ide-unexport-DISK_EVENT_MEDIA_CHANGE-for-ide-.patch
patches.suse/Revert-block-unexport-DISK_EVENT_MEDIA_CHANGE-for.patch
patches.suse/block-check_events-don-t-bother-with-events-if-un.patch
+ patches.fixes/block-fix-use-after-free-on-gendisk.patch
patches.fixes/nvme-multipath-split-bios-with-the-ns_head-bio_set-b.patch
patches.fixes/audit-fix-a-memleak-caused-by-auditing-load-module.patch
+ patches.fixes/ext4-fix-use-after-free-race-with-debug_want_extra_i.patch
+ patches.fixes/ext4-actually-request-zeroing-of-inode-table-after-g.patch
+ patches.fixes/ext4-fix-ext4_show_options-for-file-systems-w-o-jour.patch
patches.drivers/ibmvnic-Report-actual-backing-device-speed-and-duple.patch
patches.fixes/openvswitch-add-seqadj-extension-when-NAT-is-used.patch
patches.drivers/b43-shut-up-clang-Wuninitialized-variable-warning.patch
@@ -22204,6 +22211,7 @@
patches.drivers/tty-vt.c-Fix-TIOCL_BLANKSCREEN-console-blanking-if-b.patch
patches.drivers/tty-pty-Fix-race-condition-between-release_one_tty-a.patch
patches.drivers/Revert-tty-pty-Fix-race-condition-between-release_on.patch
+ patches.suse/TTY-serial_core-add-install.patch
patches.drivers/ipmi-ssif-compare-block-number-correctly-for-multi-p.patch
patches.drivers/media-ivtv-update-pos-correctly-in-ivtv_read_pos.patch
patches.drivers/media-cx18-update-pos-correctly-in-cx18_read_pos.patch
@@ -22299,6 +22307,7 @@
patches.arch/x86-speculation-mds-add-smt-warning-message.patch
patches.arch/x86-speculation-mds-print-smt-vulnerable-on-msbds-with-mitigations-off.patch
patches.arch/x86-speculation-mds-add-mitigations-support-for-mds.patch
+ patches.fixes/mm-huge_memory-fix-vmf_insert_pfn_-pmd-pud-crash-han.patch
patches.drivers/PCI-Mark-AMD-Stoney-Radeon-R7-GPU-ATS-as-broken.patch
patches.drivers/PCI-Mark-Atheros-AR9462-to-avoid-bus-reset.patch
patches.drivers/backlight-lm3630a-Return-0-on-success-in-update_stat.patch
@@ -22316,6 +22325,8 @@
patches.drivers/ALSA-hda-realtek-Avoid-superfluous-COEF-EAPD-setups.patch
patches.drivers/ALSA-hda-realtek-Corrected-fixup-for-System76-Gazell.patch
patches.drivers/ALSA-hda-realtek-Fix-for-Lenovo-B50-70-inverted-inte.patch
+ patches.drivers/soc-fsl-qe-Fix-an-error-code-in-qe_pin_request.patch
+ patches.fixes/vsock-virtio-Initialize-core-virtio-vsock-before-reg.patch
# dhowells/linux-fs keys-uefi
patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch