authorOlaf Hering <ohering@suse.de>2019-05-24 10:42:59 +0200
committerOlaf Hering <ohering@suse.de>2019-05-24 10:42:59 +0200
commit0d6a5d96712f74de0ebf1fe7b998d0d82169392b (patch)
tree4450aacb8b5140ea91e319f4727233dd49acbf89
parent10c0a4c2a5088f1fb8da2508297967054b56cfa1 (diff)
parent24645bb2af71194288712f13f6e10747cde1bc4d (diff)
Merge remote-tracking branch 'kerncvs/SLE12-SP4' into SLE12-SP4-AZURESLE12-SP4-AZURE
-rw-r--r--blacklist.conf16
-rw-r--r--config/ppc64le/debug2
-rw-r--r--config/x86_64/debug2
-rw-r--r--patches.arch/ARM-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch158
-rw-r--r--patches.arch/ARM-8833-1-Ensure-that-NEON-code-always-compiles-wit.patch113
-rw-r--r--patches.arch/ARM-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch69
-rw-r--r--patches.arch/ARM-8840-1-use-a-raw_spinlock_t-in-unwind.patch94
-rw-r--r--patches.arch/ARM-OMAP2-Variable-reg-in-function-omap4_dsi_mux_pad.patch49
-rw-r--r--patches.arch/ARM-OMAP2-fix-lack-of-timer-interrupts-on-CPU1-after.patch81
-rw-r--r--patches.arch/ARM-avoid-Cortex-A9-livelock-on-tight-dmb-loops.patch194
-rw-r--r--patches.arch/ARM-imx6q-cpuidle-fix-bug-that-CPU-might-not-wake-up.patch80
-rw-r--r--patches.arch/ARM-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch46
-rw-r--r--patches.arch/ARM-s3c24xx-Fix-boolean-expressions-in-osiris_dvs_no.patch52
-rw-r--r--patches.arch/ARM-samsung-Limit-SAMSUNG_PM_CHECK-config-option-to-.patch60
-rw-r--r--patches.arch/kvm-x86-report-stibp-on-get_supported_cpuid.patch2
-rw-r--r--patches.arch/locking-atomics-asm-generic-move-some-macros-from-linux-bitops-h-to-a-new-linux-bits-h-file.patch2
-rw-r--r--patches.arch/powerpc-numa-document-topology_updates_enabled-disab.patch3
-rw-r--r--patches.arch/powerpc-numa-improve-control-of-topology-updates.patch3
-rw-r--r--patches.arch/s390-qdio-clear-intparm-during-shutdown44
-rw-r--r--patches.arch/x86-cpu-sanitize-fam6_atom-naming.patch2
-rw-r--r--patches.arch/x86-kvm-expose-x86_feature_md_clear-to-guests.patch4
-rw-r--r--patches.arch/x86-kvm-vmx-add-mds-protection-when-l1d-flush-is-not-active.patch4
-rw-r--r--patches.arch/x86-msr-index-cleanup-bit-defines.patch4
-rw-r--r--patches.arch/x86-speculation-consolidate-cpu-whitelists.patch4
-rw-r--r--patches.arch/x86-speculation-mds-add-basic-bug-infrastructure-for-mds.patch4
-rw-r--r--patches.arch/x86-speculation-mds-add-bug_msbds_only.patch4
-rw-r--r--patches.arch/x86-speculation-mds-add-mds-full-nosmt-cmdline-option.patch5
-rw-r--r--patches.arch/x86-speculation-mds-add-mds_clear_cpu_buffers.patch4
-rw-r--r--patches.arch/x86-speculation-mds-add-mitigation-control-for-mds.patch4
-rw-r--r--patches.arch/x86-speculation-mds-add-mitigation-mode-vmwerv.patch4
-rw-r--r--patches.arch/x86-speculation-mds-add-mitigations-support-for-mds.patch5
-rw-r--r--patches.arch/x86-speculation-mds-add-smt-warning-message.patch5
-rw-r--r--patches.arch/x86-speculation-mds-add-sysfs-reporting-for-mds.patch4
-rw-r--r--patches.arch/x86-speculation-mds-clear-cpu-buffers-on-exit-to-user.patch4
-rw-r--r--patches.arch/x86-speculation-mds-conditionally-clear-cpu-buffers-on-idle-entry.patch4
-rw-r--r--patches.arch/x86-speculation-mds-print-smt-vulnerable-on-msbds-with-mitigations-off.patch5
-rw-r--r--patches.arch/x86-speculation-move-arch_smt_update-call-to-after-mitigation-decisions.patch5
-rw-r--r--patches.arch/x86-speculation-simplify-the-cpu-bug-detection-logic.patch2
-rw-r--r--patches.drivers/ALSA-hda-Use-a-macro-for-snd_array-iteration-loops.patch422
-rw-r--r--patches.drivers/ALSA-hda-realtek-Avoid-superfluous-COEF-EAPD-setups.patch143
-rw-r--r--patches.drivers/ALSA-hda-realtek-Corrected-fixup-for-System76-Gazell.patch43
-rw-r--r--patches.drivers/ALSA-hda-realtek-Fix-for-Lenovo-B50-70-inverted-inte.patch44
-rw-r--r--patches.drivers/ALSA-hda-realtek-Fixup-headphone-noise-via-runtime-s.patch113
-rw-r--r--patches.drivers/HID-input-add-mapping-for-Expose-Overview-key.patch39
-rw-r--r--patches.drivers/HID-input-add-mapping-for-Toggle-Display-key.patch41
-rw-r--r--patches.drivers/HID-input-add-mapping-for-keyboard-Brightness-Up-Dow.patch36
-rw-r--r--patches.drivers/Input-elan_i2c-add-hardware-ID-for-multiple-Lenovo-l.patch70
-rw-r--r--patches.drivers/Input-synaptics-rmi4-fix-possible-double-free.patch47
-rw-r--r--patches.drivers/PCI-Mark-AMD-Stoney-Radeon-R7-GPU-ATS-as-broken.patch43
-rw-r--r--patches.drivers/PCI-Mark-Atheros-AR9462-to-avoid-bus-reset.patch38
-rw-r--r--patches.drivers/backlight-lm3630a-Return-0-on-success-in-update_stat.patch50
-rw-r--r--patches.drivers/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch35
-rw-r--r--patches.drivers/ipmi-ssif-compare-block-number-correctly-for-multi-p.patch2
-rw-r--r--patches.drivers/iw_cxgb4-only-allow-1-flush-on-user-qps.patch60
-rw-r--r--patches.drivers/leds-pwm-silently-error-out-on-EPROBE_DEFER.patch38
-rw-r--r--patches.drivers/mac8390-Fix-mmio-access-size-probe.patch74
-rw-r--r--patches.drivers/media-atmel-atmel-isc-fix-INIT_WORK-misplacement.patch46
-rw-r--r--patches.drivers/media-davinci-vpbe-array-underflow-in-vpbe_enum_outp.patch54
-rw-r--r--patches.drivers/media-omap_vout-potential-buffer-overflow-in-vidioc_.patch68
-rw-r--r--patches.drivers/power-supply-axp20x_usb_power-Fix-typo-in-VBUS-curre.patch66
-rw-r--r--patches.drivers/power-supply-axp288_charger-Fix-unchecked-return-val.patch46
-rw-r--r--patches.drivers/serial-fix-race-between-flush_to_ldisc-and-tty_open.patch4
-rw-r--r--patches.drivers/soc-fsl-qe-Fix-an-error-code-in-qe_pin_request.patch38
-rw-r--r--patches.drivers/spi-Micrel-eth-switch-declare-missing-of-table.patch65
-rw-r--r--patches.drivers/spi-ST-ST95HF-NFC-declare-missing-of-table.patch57
-rw-r--r--patches.drivers/thermal-cpu_cooling-Actually-trace-CPU-load-in-therm.patch58
-rw-r--r--patches.drm/0001-drm-i915-gvt-Fix-mmap-range-check.patch2
-rw-r--r--patches.drm/drm-bridge-adv7511-Fix-low-refresh-rate-selection.patch51
-rw-r--r--patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch140
-rw-r--r--patches.drm/drm-i915-Downgrade-Gen9-Plane-WM-latency-error.patch41
-rw-r--r--patches.drm/drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch55
-rw-r--r--patches.drm/drm-imx-don-t-skip-DP-channel-disable-for-background.patch34
-rw-r--r--patches.drm/drm-rockchip-fix-for-mailbox-read-validation.patch39
-rw-r--r--patches.drm/gpu-ipu-v3-dp-fix-CSC-handling.patch71
-rw-r--r--patches.fixes/0001-netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dost.patch37
-rw-r--r--patches.fixes/0001-netlink-fix-uninit-value-in-netlink_sendmsg.patch36
-rw-r--r--patches.fixes/0001-packet-fix-reserve-calculation.patch49
-rw-r--r--patches.fixes/0001-tools-lib-traceevent-Fix-missing-equality-check-for-.patch60
-rw-r--r--patches.fixes/0001-x86-speculation-mds-Fix-documentation-typo.patch34
-rw-r--r--patches.fixes/0002-net-fix-rtnh_ok.patch40
-rw-r--r--patches.fixes/0002-netfilter-nf_log-don-t-hold-nf_log_mutex-during-user.patch52
-rw-r--r--patches.fixes/0002-packet-reset-network-header-if-packet-shorter-than-l.patch37
-rw-r--r--patches.fixes/0003-l2tp-fix-missing-refcount-drop-in-pppol2tp_tunnel_io.patch48
-rw-r--r--patches.fixes/0003-net-initialize-skb-peeked-when-cloning.patch35
-rw-r--r--patches.fixes/0003-xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch116
-rw-r--r--patches.fixes/0004-net-fix-uninit-value-in-__hw_addr_add_ex.patch57
-rw-r--r--patches.fixes/0004-rxrpc-Fix-transport-sockopts-to-get-IPv4-errors-on-a.patch82
-rw-r--r--patches.fixes/0004-xfrm-fix-missing-dst_release-after-policy-blocking-l.patch70
-rw-r--r--patches.fixes/0005-inetpeer-fix-uninit-value-in-inet_getpeer.patch119
-rw-r--r--patches.fixes/0005-net-socket-fix-potential-spectre-v1-gadget-in-socket.patch47
-rw-r--r--patches.fixes/0006-ipvs-fix-rtnl_lock-lockups-caused-by-start_sync_thre.patch641
-rw-r--r--patches.fixes/0006-packet-refine-ring-v3-block-size-test-to-hold-one-fr.patch68
-rw-r--r--patches.fixes/0007-net-ipv6-fix-addrconf_sysctl_addr_gen_mode.patch99
-rw-r--r--patches.fixes/0007-netfilter-nf_tables-can-t-fail-after-linking-rule-in.patch112
-rw-r--r--patches.fixes/0008-net-ipv6-don-t-reinitialize-ndev-cnf.addr_gen_mode-o.patch36
-rw-r--r--patches.fixes/0008-rxrpc-Fix-error-reception-on-AF_INET6-sockets.patch95
-rw-r--r--patches.fixes/0009-net-ipv6-reserve-room-for-IFLA_INET6_ADDR_GEN_MODE.patch38
-rw-r--r--patches.fixes/0009-packet-in-packet_snd-start-writing-at-link-layer-all.patch59
-rw-r--r--patches.fixes/0010-ipvs-fix-stats-update-from-local-clients.patch124
-rw-r--r--patches.fixes/0010-net-ipv6-propagate-net.ipv6.conf.all.addr_gen_mode-t.patch45
-rw-r--r--patches.fixes/0011-tcp-purge-write-queue-in-tcp_connect_init.patch90
-rw-r--r--patches.fixes/0011-xfrm-fix-passing-zero-to-ERR_PTR-warning.patch41
-rw-r--r--patches.fixes/0012-ip6_tunnel-collect_md-xmit-Use-ip_tunnel_key-s-provi.patch62
-rw-r--r--patches.fixes/0012-net-test-tailroom-before-appending-to-linear-skb.patch58
-rw-r--r--patches.fixes/0013-ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch65
-rw-r--r--patches.fixes/0013-net-Fix-a-bug-in-removing-queues-from-XPS-map.patch35
-rw-r--r--patches.fixes/0014-ipv6-fix-cleanup-ordering-for-pingv6-registration.patch58
-rw-r--r--patches.fixes/0014-netfilter-nf_tables-fix-NULL-pointer-dereference-on-.patch164
-rw-r--r--patches.fixes/0015-igmp-fix-incorrect-unsolicit-report-count-when-join-.patch39
-rw-r--r--patches.fixes/0015-netfilter-ebtables-handle-string-from-userspace-with.patch102
-rw-r--r--patches.fixes/0016-ipvs-fix-buffer-overflow-with-sync-daemon-and-servic.patch147
-rw-r--r--patches.fixes/0016-netfilter-nf_tables-release-chain-in-flushing-set.patch79
-rw-r--r--patches.fixes/0017-netfilter-bridge-Don-t-sabotage-nf_hook-calls-from-a.patch56
-rw-r--r--patches.fixes/0017-xfrm6-avoid-potential-infinite-loop-in-_decode_sessi.patch100
-rw-r--r--patches.fixes/0018-sctp-fix-identification-of-new-acks-for-SFR-CACC.patch120
-rw-r--r--patches.fixes/0018-xfrm-Validate-address-prefix-lengths-in-the-xfrm-sel.patch64
-rw-r--r--patches.fixes/0019-ip_tunnel-Fix-name-string-concatenate-in-__ip_tunnel.patch39
-rw-r--r--patches.fixes/0019-xfrm6-call-kfree_skb-when-skb-is-toobig.patch46
-rw-r--r--patches.fixes/0020-netfilter-nf_tables-check-msg_type-before-nft_trans_.patch145
-rw-r--r--patches.fixes/0020-xfrm-reset-transport-header-back-to-network-header-a.patch99
-rw-r--r--patches.fixes/0021-xfrm-reset-crypto_done-when-iterating-over-multiple-.patch37
-rw-r--r--patches.fixes/0022-ipvs-fix-check-on-xmit-to-non-local-addresses.patch42
-rw-r--r--patches.fixes/0023-netfilter-ebtables-reject-non-bridge-targets.patch66
-rw-r--r--patches.fixes/0024-netfilter-x_tables-initialise-match-target-check-par.patch77
-rw-r--r--patches.fixes/0025-l2tp-only-accept-PPP-sessions-in-pppol2tp_connect.patch40
-rw-r--r--patches.fixes/0026-l2tp-prevent-pppol2tp_connect-from-creating-kernel-s.patch49
-rw-r--r--patches.fixes/0027-l2tp-filter-out-non-PPP-sessions-in-pppol2tp_tunnel_.patch41
-rw-r--r--patches.fixes/0028-ipv6-mcast-fix-unsolicited-report-interval-after-rec.patch60
-rw-r--r--patches.fixes/0038-xfs-split-xfs_bmap_shift_extents.patch32
-rw-r--r--patches.fixes/9p-locks-add-mount-option-for-lock-retry-interval.patch123
-rw-r--r--patches.fixes/9p-locks-fix-glock.client_id-leak-in-do_lock.patch12
-rw-r--r--patches.fixes/ACPI-button-reinitialize-button-state-upon-resume.patch46
-rw-r--r--patches.fixes/ACPI-utils-Drop-reference-in-test-for-device-presenc.patch35
-rw-r--r--patches.fixes/ACPICA-AML-interpreter-add-region-addresses-in-globa.patch49
-rw-r--r--patches.fixes/ACPICA-Namespace-remove-address-node-from-global-lis.patch66
-rw-r--r--patches.fixes/CIFS-keep-FileInfo-handle-live-during-oplock-break.patch186
-rw-r--r--patches.fixes/MD-fix-invalid-stored-role-for-a-disk.patch47
-rw-r--r--patches.fixes/appletalk-Fix-compile-regression.patch71
-rw-r--r--patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch204
-rw-r--r--patches.fixes/arm64-Export-save_stack_trace_tsk.patch35
-rw-r--r--patches.fixes/block-do-not-leak-memory-in-bio_copy_user_iov.patch46
-rw-r--r--patches.fixes/block-fix-the-return-errno-for-direct-IO.patch59
-rw-r--r--patches.fixes/block-fix-use-after-free-on-gendisk.patch135
-rw-r--r--patches.fixes/configfs-fix-possible-use-after-free-in-configfs_reg.patch134
-rw-r--r--patches.fixes/crypto-caam-fix-caam_dump_sg-that-iterates-through-s.patch40
-rw-r--r--patches.fixes/crypto-vmx-CTR-always-increment-IV-as-quadword.patch61
-rw-r--r--patches.fixes/dccp-Fix-memleak-in-__feat_register_sp.patch43
-rw-r--r--patches.fixes/debugfs-fix-use-after-free-on-symlink-traversal.patch51
-rw-r--r--patches.fixes/devres-Align-data-to-ARCH_KMALLOC_MINALIGN.patch62
-rw-r--r--patches.fixes/ext4-actually-request-zeroing-of-inode-table-after-g.patch41
-rw-r--r--patches.fixes/ext4-fix-ext4_show_options-for-file-systems-w-o-jour.patch39
-rw-r--r--patches.fixes/ext4-fix-use-after-free-race-with-debug_want_extra_i.patch105
-rw-r--r--patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch87
-rw-r--r--patches.fixes/ipconfig-Correctly-initialise-ic_nameservers.patch85
-rw-r--r--patches.fixes/ipvlan-Add-the-skb-mark-as-flow4-s-member-to-lookup-.patch34
-rw-r--r--patches.fixes/ipvlan-fix-ipv6-outbound-device.patch36
-rw-r--r--patches.fixes/ipvlan-use-ETH_MAX_MTU-as-max-mtu.patch35
-rw-r--r--patches.fixes/ipvs-Fix-signed-integer-overflow-when-setsockopt-tim.patch93
-rw-r--r--patches.fixes/ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_d.patch87
-rw-r--r--patches.fixes/l2tp-cleanup-l2tp_tunnel_delete-calls.patch58
-rw-r--r--patches.fixes/l2tp-revert-l2tp-fix-missing-print-session-offset-in.patch35
-rw-r--r--patches.fixes/mISDN-Check-address-length-before-reading-address-fa.patch39
-rw-r--r--patches.fixes/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch49
-rw-r--r--patches.fixes/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch35
-rw-r--r--patches.fixes/mm-huge_memory-fix-vmf_insert_pfn_-pmd-pud-crash-han.patch79
-rw-r--r--patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch91
-rw-r--r--patches.fixes/net-smc-check-for-ip-prefix-and-subnet76
-rw-r--r--patches.fixes/net-smc-cleanup-of-get-vlan-id74
-rw-r--r--patches.fixes/net-smc-code-cleanup-smc_listen_work118
-rw-r--r--patches.fixes/net-smc-consolidate-function-parameters750
-rw-r--r--patches.fixes/net-smc-fallback-to-tcp-after-connect-problems36
-rw-r--r--patches.fixes/net-smc-fix-a-null-pointer-dereference32
-rw-r--r--patches.fixes/net-smc-fix-return-code-from-flush-command37
-rw-r--r--patches.fixes/net-smc-improve-smc_conn_create-reason-codes375
-rw-r--r--patches.fixes/net-smc-improve-smc_listen_work-reason-codes201
-rw-r--r--patches.fixes/net-smc-move-unhash-before-release-of-clcsock66
-rw-r--r--patches.fixes/net-smc-nonblocking-connect-rework218
-rw-r--r--patches.fixes/net-smc-propagate-file-from-smc-to-tcp-socket115
-rw-r--r--patches.fixes/net-smc-wait-for-pending-work-before-clcsock-release_sock127
-rw-r--r--patches.fixes/nl80211-Add-NL80211_FLAG_CLEAR_SKB-flag-for-other-NL.patch85
-rw-r--r--patches.fixes/nvme-multipath-split-bios-with-the-ns_head-bio_set-b.patch3
-rw-r--r--patches.fixes/team-set-slave-to-promisc-if-team-is-already-in-prom.patch78
-rw-r--r--patches.fixes/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-UFS-.patch38
-rw-r--r--patches.fixes/vsock-virtio-Initialize-core-virtio-vsock-before-reg.patch113
-rw-r--r--patches.fixes/vt-always-call-notifier-with-the-console-lock-held.patch32
-rw-r--r--patches.fixes/xfs-add-log-item-pinning-error-injection-tag.patch120
-rw-r--r--patches.fixes/xfs-buffer-lru-reference-count-error-injection-tag.patch137
-rw-r--r--patches.fixes/xfs-check-_btree_check_block-value.patch49
-rw-r--r--patches.fixes/xfs-convert-drop_writes-to-use-the-errortag-mechanis.patch194
-rw-r--r--patches.fixes/xfs-create-block-pointer-check-functions.patch137
-rw-r--r--patches.fixes/xfs-create-inode-pointer-verifiers.patch212
-rw-r--r--patches.fixes/xfs-export-_inobt_btrec_to_irec-and-_ialloc_cluster_.patch111
-rw-r--r--patches.fixes/xfs-export-various-function-for-the-online-scrubber.patch277
-rw-r--r--patches.fixes/xfs-expose-errortag-knobs-via-sysfs.patch244
-rw-r--r--patches.fixes/xfs-fix-unused-variable-warning-in-xfs_buf_set_ref.patch45
-rw-r--r--patches.fixes/xfs-force-summary-counter-recalc-at-next-mount.patch131
-rw-r--r--patches.fixes/xfs-make-errortag-a-per-mountpoint-structure.patch336
-rw-r--r--patches.fixes/xfs-move-error-injection-tags-into-their-own-file.patch425
-rw-r--r--patches.fixes/xfs-refactor-btree-block-header-checking-functions.patch279
-rw-r--r--patches.fixes/xfs-refactor-btree-pointer-checks.patch162
-rw-r--r--patches.fixes/xfs-refactor-unmount-record-write.patch203
-rw-r--r--patches.fixes/xfs-remove-unneeded-parameter-from-XFS_TEST_ERROR.patch306
-rw-r--r--patches.fixes/xfs-rename-MAXPATHLEN-to-XFS_SYMLINK_MAXLEN.patch138
-rw-r--r--patches.fixes/xfs-replace-log_badcrc_factor-knob-with-error-inject.patch158
-rw-r--r--patches.fixes/xfs-sanity-check-the-unused-space-before-trying-to-u.patch321
-rw-r--r--patches.kabi/kabi-protect-ip_options_rcv_srr.patch66
-rw-r--r--patches.kabi/kabi-protect-struct-mlx5_td.patch30
-rw-r--r--patches.kabi/s390-net-smc-add-infrastructure-to-send-delete-rkey-messa.patch2
-rw-r--r--patches.suse/0001-btrfs-extent-tree-Fix-a-bug-that-btrfs-is-unable-to-.patch87
-rw-r--r--patches.suse/0003-btrfs-delayed-ref-Use-btrfs_ref-to-refactor-btrfs_ad.patch213
-rw-r--r--patches.suse/0004-btrfs-delayed-ref-Use-btrfs_ref-to-refactor-btrfs_ad.patch124
-rw-r--r--patches.suse/0006-btrfs-extent-tree-Use-btrfs_ref-to-refactor-add_pinn.patch70
-rw-r--r--patches.suse/0007-btrfs-extent-tree-Use-btrfs_ref-to-refactor-btrfs_in.patch370
-rw-r--r--patches.suse/0008-btrfs-extent-tree-Use-btrfs_ref-to-refactor-btrfs_fr.patch257
-rw-r--r--patches.suse/0009-btrfs-qgroup-Don-t-scan-leaf-if-we-re-modifying-relo.patch68
-rw-r--r--patches.suse/TTY-serial_core-add-install.patch128
-rw-r--r--patches.suse/bnxt_en-Improve-RX-consumer-index-validity-check.patch54
-rw-r--r--patches.suse/bnxt_en-Reset-device-on-RX-buffer-errors.patch39
-rw-r--r--patches.suse/btrfs-do-not-allow-trimming-when-a-fs-is-mounted-wit.patch55
-rw-r--r--patches.suse/btrfs-improve-performance-on-fsync-of-files-with-mul.patch362
-rw-r--r--patches.suse/btrfs-send-flush-dellaloc-in-order-to-avoid-data-los.patch136
-rw-r--r--patches.suse/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch37
-rw-r--r--patches.suse/genetlink-Fix-a-memory-leak-on-error-path.patch45
-rw-r--r--patches.suse/ip6_tunnel-Match-to-ARPHRD_TUNNEL6-for-dev-type.patch48
-rw-r--r--patches.suse/net-aquantia-fix-rx-checksum-offload-for-UDP-TCP-ove.patch39
-rw-r--r--patches.suse/net-ethtool-not-call-vzalloc-for-zero-sized-memory-r.patch94
-rw-r--r--patches.suse/net-gro-Fix-GRO-flush-when-receiving-a-GSO-packet.patch37
-rw-r--r--patches.suse/net-mlx5-Decrease-default-mr-cache-size.patch55
-rw-r--r--patches.suse/net-mlx5e-Add-a-lock-on-tir-list.patch78
-rw-r--r--patches.suse/net-mlx5e-Fix-error-handling-when-refreshing-TIRs.patch43
-rw-r--r--patches.suse/net-rose-fix-a-possible-stack-overflow.patch129
-rw-r--r--patches.suse/net-sched-act_sample-fix-divide-by-zero-in-the-traff.patch96
-rw-r--r--patches.suse/net-sched-fix-get-helper-of-the-matchall-cls.patch54
-rw-r--r--patches.suse/net-stmmac-fix-memory-corruption-with-large-MTUs.patch62
-rw-r--r--patches.suse/packets-Always-register-packet-sk-in-the-same-order.patch69
-rw-r--r--patches.suse/revert-btrfs-qgroup-move-half-of-the-qgroup-accounting-time-out-of-commit-trans.patch24
-rw-r--r--patches.suse/sched-do-not-re-read-h_load_next-during-hierarchical-load-calculation.patch11
-rw-r--r--patches.suse/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch38
-rw-r--r--patches.suse/sctp-initialize-_pad-of-sockaddr_in-before-copying-t.patch53
-rw-r--r--patches.suse/tcp-Ensure-DCTCP-reacts-to-losses.patch140
-rw-r--r--patches.suse/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch43
-rw-r--r--patches.suse/thunderx-eliminate-extra-calls-to-put_page-for-pages.patch62
-rw-r--r--patches.suse/thunderx-enable-page-recycling-for-non-XDP-case.patch62
-rw-r--r--patches.suse/tun-add-a-missing-rcu_read_unlock-in-error-path.patch29
-rw-r--r--patches.suse/tun-allow-positive-return-values-on-dev_get_valid_na.patch2
-rw-r--r--patches.suse/tun-call-dev_get_valid_name-before-register_netdevic.patch2
-rw-r--r--patches.suse/tun-properly-test-for-IFF_UP.patch80
-rw-r--r--patches.suse/vrf-check-accept_source_route-on-the-original-netdev.patch89
-rw-r--r--patches.suse/vxlan-Don-t-call-gro_cells_destroy-before-device-is-.patch45
-rw-r--r--series.conf261
250 files changed, 20563 insertions, 126 deletions
diff --git a/blacklist.conf b/blacklist.conf
index f3540b02d0..538e08fc3b 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -64,6 +64,7 @@ drivers/ide # IDE not shipped since SLE12
# -----------------------
CVE-2018-16880 # bsc#1122767, needed only for SLE15-SP1+
CVE-2019-9003 # bsc#1126704, needed only for SLE15-SP1+
+CVE-2019-11811 # bsc#1134397, needed only for SLE15-SP1+
# Blacklisted Commits
# -------------------
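Review bot: The new `CVE-2019-11811` entry records the bug number and "needed only for SLE15-SP1+" but not what makes this branch unaffected, so a later audit of CVE exemptions cannot re-check the decision from this file alone. It follows the format of the two entries above it, so this is a wording suggestion rather than a defect. Naming the commit that introduced the affected code would close the gap, for example `CVE-2019-11811 # bsc#1134397, needed only for SLE15-SP1+ (affected code added by <introducing-commit-id>, not in this branch)`. The placeholder stands for a value this page does not show.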
@@ -1114,5 +1115,20 @@ f58213637206e190453e3bd91f98f535566290a3 # regulator: missing regulator_lock() A
f7a621728a6a23bfd2c6ac4d3e42e1303aefde0f # regulator: missing regulator_lock() API in SLE15
8be64b6d87bd47d81753b60ddafe70102ebfd76b # regulator: missing regulator_lock() API in SLE15
401e7e88d4ef80188ffa07095ac00456f901b8c4 # base patch missing in SLE12-SP4
+b01531db6cec2aa330dbc91bfbfaaef4a0d387a4 # ext4 encryption not supported and this is rare race with mostly benign consequences
+a5fdd713d256887b5f012608701149fa939e5645 # Just a cleanup
+0bf3d5c1604ecbbd4e49e9f5b3c79152b87adb0d # fscrypt not supported
+71921ef85928e95e3d942c747c9d40443a5ff775 # GFS2 not supported, just a performance optimization
+7959cf3a7506d4a2100d5d6f37f605c2f54af488 # ubifs not supported, no CC to stable
+988bec41318f3fa897e2f8af271bd456936d6caf # ubifs not supported, no CC to stable
+9ca2d732644484488db31123ecd3bf122b551566 # ubifs not supported, no CC to stable
98fdaaca9537b997062f1abc0aa87c61b50ce40a # Duplicate of fc89a38d99d4b1b33ca5b0e2329f5ddea02ecfb5: drm/i915/opregion: fix version check
a0f52c3d357af218a9c1f7cd906ab70426176a1a # Duplicate of 16eb0f34cdf4cf04cd92762c7a79f98aa51e053f: drm/i915/opregion: rvda is relative from opregion base in opregion 2.1+
+ed180abba7f1fc3cf04ffa27767b1bcc8e8c842a # sound/hda: breaks kABI
+e2771deb5dece1acde9a406538e4f7ef9262d5cd # recently dropped: drm/sun4i: rgb: Change the pixel clock validation check
+75fdb811d93c8aa4a9f73b63db032b1e6a8668ef # Duplicate of 1e8b15a1988ed3c7429402017d589422628cdf47: drm/i915/gvt: Add in context mmio 0x20D8 to gen9 mmio list
+6fcc44d1d77fea3c7230e4d109b37f6977aa675a # Duplicate of 2c88e3c7ec32d7a40cc7c9b4a487cf90e4671bdd: block: fix use-after-free on gendisk
+c8ea3663f7a8e6996d44500ee818c9330ac4fd88 # virt/fsl: no supported platform
+6a024330650e24556b8a18cc654ad00cfecf6c6c # virt/fsl: no supported platform
+92ff42645028fa6f9b8aa767718457b9264316b4 # ipvlan: reverted in below
+918150cbd6103199fe326e8b1462a7f0d81475e4 # ipvlan: reverting the above
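Review bot: The two ipvlan entries at the end of this hunk explain themselves by position (`reverted in below`, `reverting the above`), which stops being true as soon as a line is inserted between them or the list is re-sorted. Naming the counterpart keeps each line self-contained: `92ff42645028fa6f9b8aa767718457b9264316b4 # ipvlan: reverted by 918150cbd6103199fe326e8b1462a7f0d81475e4` and `918150cbd6103199fe326e8b1462a7f0d81475e4 # ipvlan: revert of 92ff42645028fa6f9b8aa767718457b9264316b4`. Separately, the `b01531db6cec2aa330dbc91bfbfaaef4a0d387a4` entry skips a race fix on the grounds of "mostly benign consequences"; a bug reference pointing to where that assessment was made would make the exemption reviewable.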
diff --git a/config/ppc64le/debug b/config/ppc64le/debug
index cabd222ac1..9f873a8747 100644
--- a/config/ppc64le/debug
+++ b/config/ppc64le/debug
@@ -51,9 +51,9 @@ CONFIG_REISERFS_PROC_INFO=y
CONFIG_RT2X00_DEBUG=y
CONFIG_RT2X00_LIB_DEBUGFS=y
CONFIG_SCSI_LPFC_DEBUG_FS=y
+# CONFIG_SUSE_KERNEL_SUPPORTED is not set
CONFIG_TCM_QLA2XXX_DEBUG=y
CONFIG_TTY_PRINTK=y
CONFIG_UNINLINE_SPIN_UNLOCK=y
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
-CONFIG_SUSE_KERNEL_SUPPORTED=y
diff --git a/config/x86_64/debug b/config/x86_64/debug
index cb6c71aa63..e32a88d4e9 100644
--- a/config/x86_64/debug
+++ b/config/x86_64/debug
@@ -70,6 +70,7 @@ CONFIG_RT2X00_LIB_DEBUGFS=y
CONFIG_RTC_DRV_TEST=m
CONFIG_SND_DEBUG_VERBOSE=y
CONFIG_SSB_DEBUG=y
+# CONFIG_SUSE_KERNEL_SUPPORTED is not set
CONFIG_TCM_QLA2XXX_DEBUG=y
CONFIG_THINKPAD_ACPI_DEBUG=y
CONFIG_THINKPAD_ACPI_DEBUGFACILITIES=y
@@ -82,5 +83,4 @@ CONFIG_VIDEO_PVRUSB2_DEBUGIFC=y
CONFIG_XFS_DEBUG=y
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
-CONFIG_SUSE_KERNEL_SUPPORTED=y
CONFIG_EFI_STUB=y
diff --git a/patches.arch/ARM-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch b/patches.arch/ARM-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch
new file mode 100644
index 0000000000..04477fa20f
--- /dev/null
+++ b/patches.arch/ARM-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch
@@ -0,0 +1,158 @@
+From 1b5ba350784242eb1f899bcffd95d2c7cff61e84 Mon Sep 17 00:00:00 2001
+From: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Date: Mon, 21 Jan 2019 14:42:42 +0100
+Subject: [PATCH] ARM: 8824/1: fix a migrating irq bug when hotplug cpu
+Git-commit: 1b5ba350784242eb1f899bcffd95d2c7cff61e84
+Patch-mainline: v5.0-rc8
+References: bsc#1051510
+
+Arm TC2 fails cpu hotplug stress test.
+
+This issue was tracked down to a missing copy of the new affinity
+cpumask for the vexpress-spc interrupt into struct
+irq_common_data.affinity when the interrupt is migrated in
+migrate_one_irq().
+
+Fix it by replacing the arm specific hotplug cpu migration with the
+generic irq code.
+
+This is the counterpart implementation to commit 217d453d473c ("arm64:
+fix a migrating irq bug when hotplug cpu").
+
+Tested with cpu hotplug stress test on Arm TC2 (multi_v7_defconfig plus
+CONFIG_ARM_BIG_LITTLE_CPUFREQ=y and CONFIG_ARM_VEXPRESS_SPC_CPUFREQ=y).
+The vexpress-spc interrupt (irq=22) on this board is affine to CPU0.
+Its affinity cpumask now changes correctly e.g. from 0 to 1-4 when
+CPU0 is hotplugged out.
+
+Suggested-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/Kconfig | 1 +
+ arch/arm/include/asm/irq.h | 1 -
+ arch/arm/kernel/irq.c | 62 ----------------------------------------------
+ arch/arm/kernel/smp.c | 2 +-
+ 4 files changed, 2 insertions(+), 64 deletions(-)
+
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index 664e918e2624..26524b75970a 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1400,6 +1400,7 @@ config NR_CPUS
+ config HOTPLUG_CPU
+ bool "Support for hot-pluggable CPUs"
+ depends on SMP
++ select GENERIC_IRQ_MIGRATION
+ help
+ Say Y here to experiment with turning CPUs off and on. CPUs
+ can be controlled through /sys/devices/system/cpu.
+diff --git a/arch/arm/include/asm/irq.h b/arch/arm/include/asm/irq.h
+index c883fcbe93b6..46d41140df27 100644
+--- a/arch/arm/include/asm/irq.h
++++ b/arch/arm/include/asm/irq.h
+@@ -25,7 +25,6 @@
+ #ifndef __ASSEMBLY__
+ struct irqaction;
+ struct pt_regs;
+-extern void migrate_irqs(void);
+
+ extern void asm_do_IRQ(unsigned int, struct pt_regs *);
+ void handle_IRQ(unsigned int, struct pt_regs *);
+diff --git a/arch/arm/kernel/irq.c b/arch/arm/kernel/irq.c
+index 9908dacf9229..844861368cd5 100644
+--- a/arch/arm/kernel/irq.c
++++ b/arch/arm/kernel/irq.c
+@@ -31,7 +31,6 @@
+ #include <linux/smp.h>
+ #include <linux/init.h>
+ #include <linux/seq_file.h>
+-#include <linux/ratelimit.h>
+ #include <linux/errno.h>
+ #include <linux/list.h>
+ #include <linux/kallsyms.h>
+@@ -109,64 +108,3 @@ int __init arch_probe_nr_irqs(void)
+ return nr_irqs;
+ }
+ #endif
+-
+-#ifdef CONFIG_HOTPLUG_CPU
+-static bool migrate_one_irq(struct irq_desc *desc)
+-{
+- struct irq_data *d = irq_desc_get_irq_data(desc);
+- const struct cpumask *affinity = irq_data_get_affinity_mask(d);
+- struct irq_chip *c;
+- bool ret = false;
+-
+- /*
+- * If this is a per-CPU interrupt, or the affinity does not
+- * include this CPU, then we have nothing to do.
+- */
+- if (irqd_is_per_cpu(d) || !cpumask_test_cpu(smp_processor_id(), affinity))
+- return false;
+-
+- if (cpumask_any_and(affinity, cpu_online_mask) >= nr_cpu_ids) {
+- affinity = cpu_online_mask;
+- ret = true;
+- }
+-
+- c = irq_data_get_irq_chip(d);
+- if (!c->irq_set_affinity)
+- pr_debug("IRQ%u: unable to set affinity\n", d->irq);
+- else if (c->irq_set_affinity(d, affinity, false) == IRQ_SET_MASK_OK && ret)
+- cpumask_copy(irq_data_get_affinity_mask(d), affinity);
+-
+- return ret;
+-}
+-
+-/*
+- * The current CPU has been marked offline. Migrate IRQs off this CPU.
+- * If the affinity settings do not allow other CPUs, force them onto any
+- * available CPU.
+- *
+- * Note: we must iterate over all IRQs, whether they have an attached
+- * action structure or not, as we need to get chained interrupts too.
+- */
+-void migrate_irqs(void)
+-{
+- unsigned int i;
+- struct irq_desc *desc;
+- unsigned long flags;
+-
+- local_irq_save(flags);
+-
+- for_each_irq_desc(i, desc) {
+- bool affinity_broken;
+-
+- raw_spin_lock(&desc->lock);
+- affinity_broken = migrate_one_irq(desc);
+- raw_spin_unlock(&desc->lock);
+-
+- if (affinity_broken)
+- pr_warn_ratelimited("IRQ%u no longer affine to CPU%u\n",
+- i, smp_processor_id());
+- }
+-
+- local_irq_restore(flags);
+-}
+-#endif /* CONFIG_HOTPLUG_CPU */
+diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
+index 3bf82232b1be..1d6f5ea522f4 100644
+--- a/arch/arm/kernel/smp.c
++++ b/arch/arm/kernel/smp.c
+@@ -254,7 +254,7 @@ int __cpu_disable(void)
+ /*
+ * OK - migrate IRQs away from this CPU
+ */
+- migrate_irqs();
++ irq_migrate_all_off_this_cpu();
+
+ /*
+ * Flush user cache and TLB mappings, and then remove this CPU
+--
+2.16.4
+
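Review bot: The fix in this backport lives entirely in the generic `irq_migrate_all_off_this_cpu()` that `__cpu_disable()` now calls, and that code is not part of the patch, so nothing here shows that this branch's generic IRQ migration code updates `irq_common_data.affinity` when an interrupt is moved. The patch was written for mainline (`Patch-mainline: v5.0-rc8`). The removed ARM `migrate_one_irq()` copied the mask only when `ret` was true, and the generic helper in an older base may not behave as the v5.0 one does. It is worth confirming against the tree and recording in the patch header, e.g. `[backport note: generic irq migration in this base verified to update the affinity mask]` (wording constructed for illustration). The smp.c hunk also adds no include for the new call, so it presumably relies on an existing `<linux/irq.h>` include outside the hunk.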
diff --git a/patches.arch/ARM-8833-1-Ensure-that-NEON-code-always-compiles-wit.patch b/patches.arch/ARM-8833-1-Ensure-that-NEON-code-always-compiles-wit.patch
new file mode 100644
index 0000000000..be2709021a
--- /dev/null
+++ b/patches.arch/ARM-8833-1-Ensure-that-NEON-code-always-compiles-wit.patch
@@ -0,0 +1,113 @@
+From de9c0d49d85dc563549972edc5589d195cd5e859 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Sat, 2 Feb 2019 03:34:36 +0100
+Subject: [PATCH] ARM: 8833/1: Ensure that NEON code always compiles with Clang
+Git-commit: de9c0d49d85dc563549972edc5589d195cd5e859
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+While building arm32 allyesconfig, I ran into the following errors:
+
+ arch/arm/lib/xor-neon.c:17:2: error: You should compile this file with
+ '-mfloat-abi=softfp -mfpu=neon'
+
+ In file included from lib/raid6/neon1.c:27:
+ /home/nathan/cbl/prebuilt/lib/clang/8.0.0/include/arm_neon.h:28:2:
+ error: "NEON support not enabled"
+
+Building V=1 showed NEON_FLAGS getting passed along to Clang but
+__ARM_NEON__ was not getting defined. Ultimately, it boils down to Clang
+only defining __ARM_NEON__ when targeting armv7, rather than armv6k,
+which is the '-march' value for allyesconfig.
+
+>From lib/Basic/Targets/ARM.cpp in the Clang source:
+
+ // This only gets set when Neon instructions are actually available, unlike
+ // the VFP define, hence the soft float and arch check. This is subtly
+ // different from gcc, we follow the intent which was that it should be set
+ // when Neon instructions are actually available.
+ if ((FPU & NeonFPU) && !SoftFloat && ArchVersion >= 7) {
+ Builder.defineMacro("__ARM_NEON", "1");
+ Builder.defineMacro("__ARM_NEON__");
+ // current AArch32 NEON implementations do not support double-precision
+ // floating-point even when it is present in VFP.
+ Builder.defineMacro("__ARM_NEON_FP",
+ "0x" + Twine::utohexstr(HW_FP & ~HW_FP_DP));
+ }
+
+Ard Biesheuvel recommended explicitly adding '-march=armv7-a' at the
+beginning of the NEON_FLAGS definitions so that __ARM_NEON__ always gets
+definined by Clang. This doesn't functionally change anything because
+that code will only run where NEON is supported, which is implicitly
+armv7.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/287
+
+Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Acked-by: Nicolas Pitre <nico@linaro.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Reviewed-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ Documentation/arm/kernel_mode_neon.txt | 4 ++--
+ arch/arm/lib/Makefile | 2 +-
+ arch/arm/lib/xor-neon.c | 2 +-
+ lib/raid6/Makefile | 2 +-
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/Documentation/arm/kernel_mode_neon.txt
++++ b/Documentation/arm/kernel_mode_neon.txt
+@@ -6,7 +6,7 @@ TL;DR summary
+ * Use only NEON instructions, or VFP instructions that don't rely on support
+ code
+ * Isolate your NEON code in a separate compilation unit, and compile it with
+- '-mfpu=neon -mfloat-abi=softfp'
++ '-march=armv7-a -mfpu=neon -mfloat-abi=softfp'
+ * Put kernel_neon_begin() and kernel_neon_end() calls around the calls into your
+ NEON code
+ * Don't sleep in your NEON code, and be aware that it will be executed with
+@@ -87,7 +87,7 @@ instructions appearing in unexpected pla
+ Therefore, the recommended and only supported way of using NEON/VFP in the
+ kernel is by adhering to the following rules:
+ * isolate the NEON code in a separate compilation unit and compile it with
+- '-mfpu=neon -mfloat-abi=softfp';
++ '-march=armv7-a -mfpu=neon -mfloat-abi=softfp';
+ * issue the calls to kernel_neon_begin(), kernel_neon_end() as well as the calls
+ into the unit containing the NEON code from a compilation unit which is *not*
+ built with the GCC flag '-mfpu=neon' set.
+--- a/arch/arm/lib/Makefile
++++ b/arch/arm/lib/Makefile
+@@ -38,7 +38,7 @@ $(obj)/csumpartialcopy.o: $(obj)/csumpar
+ $(obj)/csumpartialcopyuser.o: $(obj)/csumpartialcopygeneric.S
+
+ ifeq ($(CONFIG_KERNEL_MODE_NEON),y)
+- NEON_FLAGS := -mfloat-abi=softfp -mfpu=neon
++ NEON_FLAGS := -march=armv7-a -mfloat-abi=softfp -mfpu=neon
+ CFLAGS_xor-neon.o += $(NEON_FLAGS)
+ obj-$(CONFIG_XOR_BLOCKS) += xor-neon.o
+ endif
+--- a/arch/arm/lib/xor-neon.c
++++ b/arch/arm/lib/xor-neon.c
+@@ -14,7 +14,7 @@
+ MODULE_LICENSE("GPL");
+
+ #ifndef __ARM_NEON__
+-#error You should compile this file with '-mfloat-abi=softfp -mfpu=neon'
++#error You should compile this file with '-march=armv7-a -mfloat-abi=softfp -mfpu=neon'
+ #endif
+
+ /*
+--- a/lib/raid6/Makefile
++++ b/lib/raid6/Makefile
+@@ -23,7 +23,7 @@ endif
+ ifeq ($(CONFIG_KERNEL_MODE_NEON),y)
+ NEON_FLAGS := -ffreestanding
+ ifeq ($(ARCH),arm)
+-NEON_FLAGS += -mfloat-abi=softfp -mfpu=neon
++NEON_FLAGS += -march=armv7-a -mfloat-abi=softfp -mfpu=neon
+ endif
+ ifeq ($(ARCH),arm64)
+ CFLAGS_REMOVE_neon1.o += -mgeneral-regs-only
diff --git a/patches.arch/ARM-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch b/patches.arch/ARM-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch
new file mode 100644
index 0000000000..202e544be1
--- /dev/null
+++ b/patches.arch/ARM-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch
@@ -0,0 +1,69 @@
+From 143c2a89e0e5fda6c6fd08d7bc1126438c19ae90 Mon Sep 17 00:00:00 2001
+From: Yang Shi <yang.shi@linaro.org>
+Date: Wed, 13 Feb 2019 17:14:23 +0100
+Subject: [PATCH] ARM: 8839/1: kprobe: make patch_lock a raw_spinlock_t
+Git-commit: 143c2a89e0e5fda6c6fd08d7bc1126438c19ae90
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+When running kprobe on -rt kernel, the below bug is caught:
+
+|bug: sleeping function called from invalid context at kernel/locking/rtmutex.c:931
+|in_atomic(): 1, irqs_disabled(): 128, pid: 14, name: migration/0
+|Preemption disabled at:[<802f2b98>] cpu_stopper_thread+0xc0/0x140
+|cpu: 0 PID: 14 Comm: migration/0 Tainted: G O 4.8.3-rt2 #1
+|Hardware name: Freescale LS1021A
+|[<8025a43c>] (___might_sleep)
+|[<80b5b324>] (rt_spin_lock)
+|[<80b5c31c>] (__patch_text_real)
+|[<80b5c3ac>] (patch_text_stop_machine)
+|[<802f2920>] (multi_cpu_stop)
+
+Since patch_text_stop_machine() is called in stop_machine() which
+disables IRQ, sleepable lock should be not used in this atomic context,
+ so replace patch_lock to raw lock.
+
+Signed-off-by: Yang Shi <yang.shi@linaro.org>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/kernel/patch.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c
+index a50dc00d79a2..d0a05a3bdb96 100644
+--- a/arch/arm/kernel/patch.c
++++ b/arch/arm/kernel/patch.c
+@@ -16,7 +16,7 @@ struct patch {
+ unsigned int insn;
+ };
+
+-static DEFINE_SPINLOCK(patch_lock);
++static DEFINE_RAW_SPINLOCK(patch_lock);
+
+ static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags)
+ __acquires(&patch_lock)
+@@ -33,7 +33,7 @@ static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags)
+ return addr;
+
+ if (flags)
+- spin_lock_irqsave(&patch_lock, *flags);
++ raw_spin_lock_irqsave(&patch_lock, *flags);
+ else
+ __acquire(&patch_lock);
+
+@@ -48,7 +48,7 @@ static void __kprobes patch_unmap(int fixmap, unsigned long *flags)
+ clear_fixmap(fixmap);
+
+ if (flags)
+- spin_unlock_irqrestore(&patch_lock, *flags);
++ raw_spin_unlock_irqrestore(&patch_lock, *flags);
+ else
+ __release(&patch_lock);
+ }
+--
+2.16.4
+
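Review bot: `patch_lock` becomes a raw spinlock with no comment at its definition saying why, and the same is true of `unwind_lock` in the ARM 8840/1 patch that follows. A raw lock is a deliberate exception on PREEMPT_RT, so the reason belongs next to the declaration, e.g. `/* raw: taken from stop_machine() context with IRQs off, must not sleep on -rt */` above `static DEFINE_RAW_SPINLOCK(patch_lock);`. Everything between patch_map() and patch_unmap() now runs non-preemptibly on -rt as well, so it is worth confirming that nothing in that window can sleep. Only clear_fixmap() is visible in these hunks, since both function bodies extend outside them.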
diff --git a/patches.arch/ARM-8840-1-use-a-raw_spinlock_t-in-unwind.patch b/patches.arch/ARM-8840-1-use-a-raw_spinlock_t-in-unwind.patch
new file mode 100644
index 0000000000..7becf9ba4b
--- /dev/null
+++ b/patches.arch/ARM-8840-1-use-a-raw_spinlock_t-in-unwind.patch
@@ -0,0 +1,94 @@
+From 74ffe79ae538283bbf7c155e62339f1e5c87b55a Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Wed, 13 Feb 2019 17:14:42 +0100
+Subject: [PATCH] ARM: 8840/1: use a raw_spinlock_t in unwind
+Git-commit: 74ffe79ae538283bbf7c155e62339f1e5c87b55a
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+Mostly unwind is done with irqs enabled however SLUB may call it with
+irqs disabled while creating a new SLUB cache.
+
+I had system freeze while loading a module which called
+kmem_cache_create() on init. That means SLUB's __slab_alloc() disabled
+interrupts and then
+
+->new_slab_objects()
+ ->new_slab()
+ ->setup_object()
+ ->setup_object_debug()
+ ->init_tracking()
+ ->set_track()
+ ->save_stack_trace()
+ ->save_stack_trace_tsk()
+ ->walk_stackframe()
+ ->unwind_frame()
+ ->unwind_find_idx()
+ =>spin_lock_irqsave(&unwind_lock);
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/kernel/unwind.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm/kernel/unwind.c b/arch/arm/kernel/unwind.c
+index 0bee233fef9a..314cfb232a63 100644
+--- a/arch/arm/kernel/unwind.c
++++ b/arch/arm/kernel/unwind.c
+@@ -93,7 +93,7 @@ extern const struct unwind_idx __start_unwind_idx[];
+ static const struct unwind_idx *__origin_unwind_idx;
+ extern const struct unwind_idx __stop_unwind_idx[];
+
+-static DEFINE_SPINLOCK(unwind_lock);
++static DEFINE_RAW_SPINLOCK(unwind_lock);
+ static LIST_HEAD(unwind_tables);
+
+ /* Convert a prel31 symbol to an absolute address */
+@@ -201,7 +201,7 @@ static const struct unwind_idx *unwind_find_idx(unsigned long addr)
+ /* module unwind tables */
+ struct unwind_table *table;
+
+- spin_lock_irqsave(&unwind_lock, flags);
++ raw_spin_lock_irqsave(&unwind_lock, flags);
+ list_for_each_entry(table, &unwind_tables, list) {
+ if (addr >= table->begin_addr &&
+ addr < table->end_addr) {
+@@ -213,7 +213,7 @@ static const struct unwind_idx *unwind_find_idx(unsigned long addr)
+ break;
+ }
+ }
+- spin_unlock_irqrestore(&unwind_lock, flags);
++ raw_spin_unlock_irqrestore(&unwind_lock, flags);
+ }
+
+ pr_debug("%s: idx = %p\n", __func__, idx);
+@@ -529,9 +529,9 @@ struct unwind_table *unwind_table_add(unsigned long start, unsigned long size,
+ tab->begin_addr = text_addr;
+ tab->end_addr = text_addr + text_size;
+
+- spin_lock_irqsave(&unwind_lock, flags);
++ raw_spin_lock_irqsave(&unwind_lock, flags);
+ list_add_tail(&tab->list, &unwind_tables);
+- spin_unlock_irqrestore(&unwind_lock, flags);
++ raw_spin_unlock_irqrestore(&unwind_lock, flags);
+
+ return tab;
+ }
+@@ -543,9 +543,9 @@ void unwind_table_del(struct unwind_table *tab)
+ if (!tab)
+ return;
+
+- spin_lock_irqsave(&unwind_lock, flags);
++ raw_spin_lock_irqsave(&unwind_lock, flags);
+ list_del(&tab->list);
+- spin_unlock_irqrestore(&unwind_lock, flags);
++ raw_spin_unlock_irqrestore(&unwind_lock, flags);
+
+ kfree(tab);
+ }
+--
+2.16.4
+
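Review bot: In unwind_find_idx() the `list_for_each_entry()` walk over `unwind_tables` now runs under a raw lock with interrupts off, so on PREEMPT_RT it becomes a non-preemptible section whose length grows with the number of registered tables. The context comment suggests these are module unwind tables, so the bound is presumably the number of loaded modules. A comment at the loop would record that this was considered, e.g. `/* raw lock held: walk is bounded by the number of module unwind tables */`. The function starts and ends outside the hunk, so whatever else runs between lock and unlock is not visible here.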
diff --git a/patches.arch/ARM-OMAP2-Variable-reg-in-function-omap4_dsi_mux_pad.patch b/patches.arch/ARM-OMAP2-Variable-reg-in-function-omap4_dsi_mux_pad.patch
new file mode 100644
index 0000000000..9471c70785
--- /dev/null
+++ b/patches.arch/ARM-OMAP2-Variable-reg-in-function-omap4_dsi_mux_pad.patch
@@ -0,0 +1,49 @@
+From dc30e70391376ba3987aeb856ae6d9c0706534f1 Mon Sep 17 00:00:00 2001
+From: Yizhuo <yzhai003@ucr.edu>
+Date: Fri, 25 Jan 2019 22:32:20 -0800
+Subject: [PATCH] ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be uninitialized
+Git-commit: dc30e70391376ba3987aeb856ae6d9c0706534f1
+Patch-mainline: v5.0-rc7
+References: bsc#1051510
+
+In function omap4_dsi_mux_pads(), local variable "reg" could
+be uninitialized if function regmap_read() returns -EINVAL.
+However, it will be used directly in the later context, which
+is potentially unsafe.
+
+Signed-off-by: Yizhuo <yzhai003@ucr.edu>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/mach-omap2/display.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-omap2/display.c b/arch/arm/mach-omap2/display.c
+index f86b72d1d59e..1444b4b4bd9f 100644
+--- a/arch/arm/mach-omap2/display.c
++++ b/arch/arm/mach-omap2/display.c
+@@ -83,6 +83,7 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes)
+ u32 enable_mask, enable_shift;
+ u32 pipd_mask, pipd_shift;
+ u32 reg;
++ int ret;
+
+ if (dsi_id == 0) {
+ enable_mask = OMAP4_DSI1_LANEENABLE_MASK;
+@@ -98,7 +99,11 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes)
+ return -ENODEV;
+ }
+
+- regmap_read(omap4_dsi_mux_syscon, OMAP4_DSIPHY_SYSCON_OFFSET, &reg);
++ ret = regmap_read(omap4_dsi_mux_syscon,
++ OMAP4_DSIPHY_SYSCON_OFFSET,
++ &reg);
++ if (ret)
++ return ret;
+
+ reg &= ~enable_mask;
+ reg &= ~pipd_mask;
+--
+2.16.4
+
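Review bot: The new `if (ret) return ret;` fails silently, so a failed syscon read shows up only as omap4_dsi_mux_pads() returning an error code with no trace of which access failed. A one-line diagnostic inside the `if (ret)` block would make it traceable: `pr_err("%s: DSIPHY syscon read failed: %d\n", __func__, ret);`. The rest of the function is outside the hunk; if `reg` is written back through the regmap there, that return value probably deserves the same check.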
diff --git a/patches.arch/ARM-OMAP2-fix-lack-of-timer-interrupts-on-CPU1-after.patch b/patches.arch/ARM-OMAP2-fix-lack-of-timer-interrupts-on-CPU1-after.patch
new file mode 100644
index 0000000000..019c5ac314
--- /dev/null
+++ b/patches.arch/ARM-OMAP2-fix-lack-of-timer-interrupts-on-CPU1-after.patch
@@ -0,0 +1,81 @@
+From 50d6b3cf9403879911e06d69c7ef41e43f8f7b4b Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Wed, 12 Dec 2018 11:49:47 +0000
+Subject: [PATCH] ARM: OMAP2+: fix lack of timer interrupts on CPU1 after hotplug
+Git-commit: 50d6b3cf9403879911e06d69c7ef41e43f8f7b4b
+Patch-mainline: v5.0-rc7
+References: bsc#1051510
+
+If we have a kernel configured for periodic timer interrupts, and we
+have cpuidle enabled, then we end up with CPU1 losing timer interupts
+after a hotplug.
+
+This can manifest itself in RCU stall warnings, or userspace becoming
+unresponsive.
+
+The problem is that the kernel initially wants to use the TWD timer
+for interrupts, but the TWD loses context when we enter the C3 cpuidle
+state. Nothing reprograms the TWD after idle.
+
+We have solved this in the past by switching to broadcast timer ticks,
+and cpuidle44xx switches to that mode at boot time. However, there is
+nothing to switch from periodic mode local timers after a hotplug
+operation.
+
+We call tick_broadcast_enter() in omap_enter_idle_coupled(), which one
+would expect would take care of the issue, but internally this only
+deals with one-shot local timers - tick_broadcast_enable() on the other
+hand only deals with periodic local timers. So, we need to call both.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+[tony@atomide.com: just standardized the subject line]
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/mach-omap2/cpuidle44xx.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/arch/arm/mach-omap2/cpuidle44xx.c b/arch/arm/mach-omap2/cpuidle44xx.c
+index a8b291f00109..dae514c8276a 100644
+--- a/arch/arm/mach-omap2/cpuidle44xx.c
++++ b/arch/arm/mach-omap2/cpuidle44xx.c
+@@ -152,6 +152,10 @@ static int omap_enter_idle_coupled(struct cpuidle_device *dev,
+ mpuss_can_lose_context = (cx->mpu_state == PWRDM_POWER_RET) &&
+ (cx->mpu_logic_state == PWRDM_POWER_OFF);
+
++ /* Enter broadcast mode for periodic timers */
++ tick_broadcast_enable();
++
++ /* Enter broadcast mode for one-shot timers */
+ tick_broadcast_enter();
+
+ /*
+@@ -218,15 +222,6 @@ static int omap_enter_idle_coupled(struct cpuidle_device *dev,
+ return index;
+ }
+
+-/*
+- * For each cpu, setup the broadcast timer because local timers
+- * stops for the states above C1.
+- */
+-static void omap_setup_broadcast_timer(void *arg)
+-{
+- tick_broadcast_enable();
+-}
+-
+ static struct cpuidle_driver omap4_idle_driver = {
+ .name = "omap4_idle",
+ .owner = THIS_MODULE,
+@@ -319,8 +314,5 @@ int __init omap4_idle_init(void)
+ if (!cpu_clkdm[0] || !cpu_clkdm[1])
+ return -ENODEV;
+
+- /* Configure the broadcast timer on each cpu */
+- on_each_cpu(omap_setup_broadcast_timer, NULL, 1);
+-
+ return cpuidle_register(idle_driver, cpu_online_mask);
+ }
+--
+2.16.4
+
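Review bot: tick_broadcast_enable() moves from a one-time per-CPU call at init into omap_enter_idle_coupled(), so it now runs on every entry to a coupled idle state, and the added comment does not say why. The reason is only in the commit message and should be in the code, e.g. `/* Repeated on every entry rather than once at init: a CPU returning from hotplug starts with a periodic local timer again */`. If the call is not a cheap no-op once broadcast mode is already enabled, that cost is now paid on the idle path each time, which is worth confirming. The body of omap_enter_idle_coupled() extends outside the hunk.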
diff --git a/patches.arch/ARM-avoid-Cortex-A9-livelock-on-tight-dmb-loops.patch b/patches.arch/ARM-avoid-Cortex-A9-livelock-on-tight-dmb-loops.patch
new file mode 100644
index 0000000000..900fb560ff
--- /dev/null
+++ b/patches.arch/ARM-avoid-Cortex-A9-livelock-on-tight-dmb-loops.patch
@@ -0,0 +1,194 @@
+From 5388a5b82199facacd3d7ac0d05aca6e8f902fed Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Tue, 10 Apr 2018 11:35:36 +0100
+Subject: [PATCH] ARM: avoid Cortex-A9 livelock on tight dmb loops
+Git-commit: 5388a5b82199facacd3d7ac0d05aca6e8f902fed
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+machine_crash_nonpanic_core() does this:
+
+ while (1)
+ cpu_relax();
+
+because the kernel has crashed, and we have no known safe way to deal
+with the CPU. So, we place the CPU into an infinite loop which we
+expect it to never exit - at least not until the system as a whole is
+reset by some method.
+
+In the absence of erratum 754327, this code assembles to:
+
+ b .
+
+In other words, an infinite loop. When erratum 754327 is enabled,
+this becomes:
+
+1: dmb b 1b
+
+It has been observed that on some systems (eg, OMAP4) where, if a
+crash is triggered, the system tries to kexec into the panic kernel,
+but fails after taking the secondary CPU down - placing it into one
+of these loops. This causes the system to livelock, and the most
+noticable effect is the system stops after issuing:
+
+ Loading crashdump kernel...
+
+to the system console.
+
+The tested as working solution I came up with was to add wfe() to
+these infinite loops thusly:
+
+ while (1) {
+ cpu_relax();
+ wfe();
+ }
+
+which, without 754327 builds to:
+
+1: wfe b 1b
+
+or with 754327 is enabled:
+
+1: dmb wfe b 1b
+
+Adding "wfe" does two things depending on the environment we're running
+Under:
+- where we're running on bare metal, and the processor implements
+ "wfe", it stops us spinning endlessly in a loop where we're never
+ going to do any useful work.
+- if we're running in a VM, it allows the CPU to be given back to the
+ hypervisor and rescheduled for other purposes (maybe a different VM)
+ rather than wasting CPU cycles inside a crashed VM.
+
+However, in light of erratum 794072, Will Deacon wanted to see 10 nops
+as well - which is reasonable to cover the case where we have erratum
+754327 enabled _and_ we have a processor that doesn't implement the
+wfe hint.
+
+So, we now end up with:
+
+1: wfe b 1b
+
+when erratum 754327 is disabled, or:
+
+1: dmb nop nop nop nop nop nop nop nop nop nop wfe b 1b
+
+when erratum 754327 is enabled. We also get the dmb + 10 nop
+sequence elsewhere in the kernel, in terminating loops.
+
+This is reasonable - it means we get the workaround for erratum
+794072 when erratum 754327 is enabled, but still relinquish the dead
+processor - either by placing it in a lower power mode when wfe is
+implemented as such or by returning it to the hypervisior, or in the
+case where wfe is a no-op, we use the workaround specified in erratum
+794072 to avoid the problem.
+
+These as two entirely orthogonal problems - the 10 nops addresses
+erratum 794072, and the wfe is an optimisation that makes the system
+more efficient when crashed either in terms of power consumption or
+by allowing the host/other VMs to make use of the CPU.
+
+I don't see any reason not to use kexec() inside a VM - it has the
+potential to provide automated recovery from a failure of the VMs
+kernel with the opportunity for saving a crashdump of the failure.
+A panic() with a reboot timeout won't do that, and reading the
+libvirt documentation, setting on_reboot to "preserve" won't either
+(the documentation states "The preserve action for an on_reboot event
+is treated as a destroy".) Surely it has to be a good thing to
+avoiding having CPUs spinning inside a VM that is doing no useful
+work.
+
+Acked-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/include/asm/barrier.h | 2 ++
+ arch/arm/include/asm/processor.h | 6 +++++-
+ arch/arm/kernel/machine_kexec.c | 5 ++++-
+ arch/arm/kernel/smp.c | 4 +++-
+ arch/arm/mach-omap2/prm_common.c | 4 +++-
+ 5 files changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/include/asm/barrier.h b/arch/arm/include/asm/barrier.h
+index 69772e742a0a..83ae97c049d9 100644
+--- a/arch/arm/include/asm/barrier.h
++++ b/arch/arm/include/asm/barrier.h
+@@ -11,6 +11,8 @@
+ #define sev() __asm__ __volatile__ ("sev" : : : "memory")
+ #define wfe() __asm__ __volatile__ ("wfe" : : : "memory")
+ #define wfi() __asm__ __volatile__ ("wfi" : : : "memory")
++#else
++#define wfe() do { } while (0)
+ #endif
+
+ #if __LINUX_ARM_ARCH__ >= 7
+diff --git a/arch/arm/include/asm/processor.h b/arch/arm/include/asm/processor.h
+index 120f4c9bbfde..57fe73ea0f72 100644
+--- a/arch/arm/include/asm/processor.h
++++ b/arch/arm/include/asm/processor.h
+@@ -89,7 +89,11 @@ extern void release_thread(struct task_struct *);
+ unsigned long get_wchan(struct task_struct *p);
+
+ #if __LINUX_ARM_ARCH__ == 6 || defined(CONFIG_ARM_ERRATA_754327)
+-#define cpu_relax() smp_mb()
++#define cpu_relax() \
++ do { \
++ smp_mb(); \
++ __asm__ __volatile__("nop; nop; nop; nop; nop; nop; nop; nop; nop; nop;"); \
++ } while (0)
+ #else
+ #define cpu_relax() barrier()
+ #endif
+diff --git a/arch/arm/kernel/machine_kexec.c b/arch/arm/kernel/machine_kexec.c
+index dd2eb5f76b9f..76300f3813e8 100644
+--- a/arch/arm/kernel/machine_kexec.c
++++ b/arch/arm/kernel/machine_kexec.c
+@@ -91,8 +91,11 @@ void machine_crash_nonpanic_core(void *unused)
+
+ set_cpu_online(smp_processor_id(), false);
+ atomic_dec(&waiting_for_crash_ipi);
+- while (1)
++
++ while (1) {
+ cpu_relax();
++ wfe();
++ }
+ }
+
+ void crash_smp_send_stop(void)
+diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
+index 3bf82232b1be..7f0b99e1fff3 100644
+--- a/arch/arm/kernel/smp.c
++++ b/arch/arm/kernel/smp.c
+@@ -604,8 +604,10 @@ static void ipi_cpu_stop(unsigned int cpu)
+ local_fiq_disable();
+ local_irq_disable();
+
+- while (1)
++ while (1) {
+ cpu_relax();
++ wfe();
++ }
+ }
+
+ static DEFINE_PER_CPU(struct completion *, cpu_completion);
+diff --git a/arch/arm/mach-omap2/prm_common.c b/arch/arm/mach-omap2/prm_common.c
+index 058a37e6d11c..fd6e0671f957 100644
+--- a/arch/arm/mach-omap2/prm_common.c
++++ b/arch/arm/mach-omap2/prm_common.c
+@@ -523,8 +523,10 @@ void omap_prm_reset_system(void)
+
+ prm_ll_data->reset_system();
+
+- while (1)
++ while (1) {
+ cpu_relax();
++ wfe();
++ }
+ }
+
+ /**
+--
+2.16.4
+
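Review bot: The ten `nop`s added to cpu_relax() in asm/processor.h are unexplained in the code; the link to erratum 794072 exists only in the commit message. A comment above the macro would keep that knowledge with the code, e.g. `/* dmb followed by 10 nops: Cortex-A9 erratum 794072 workaround for tight dmb loops */`. The surrounding `#if` also matches `__LINUX_ARM_ARCH__ == 6`, so ARMv6 builds pick up the nops in every cpu_relax() spin as well, which the message does not discuss. In asm/barrier.h the new `#else` stub defines only wfe(), leaving sev() and wfi() undefined on configurations that take that branch; a short comment saying that is intentional would help.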
diff --git a/patches.arch/ARM-imx6q-cpuidle-fix-bug-that-CPU-might-not-wake-up.patch b/patches.arch/ARM-imx6q-cpuidle-fix-bug-that-CPU-might-not-wake-up.patch
new file mode 100644
index 0000000000..7bf87e1631
--- /dev/null
+++ b/patches.arch/ARM-imx6q-cpuidle-fix-bug-that-CPU-might-not-wake-up.patch
@@ -0,0 +1,80 @@
+From 91740fc8242b4f260cfa4d4536d8551804777fae Mon Sep 17 00:00:00 2001
+From: Kohji Okuno <okuno.kohji@jp.panasonic.com>
+Date: Tue, 26 Feb 2019 11:34:13 +0900
+Subject: [PATCH] ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected time
+Git-commit: 91740fc8242b4f260cfa4d4536d8551804777fae
+Patch-mainline: v5.1-rc3
+References: bsc#1051510
+
+In the current cpuidle implementation for i.MX6q, the CPU that sets
+'WAIT_UNCLOCKED' and the CPU that returns to 'WAIT_CLOCKED' are always
+the same. While the CPU that sets 'WAIT_UNCLOCKED' is in IDLE state of
+"WAIT", if the other CPU wakes up and enters IDLE state of "WFI"
+istead of "WAIT", this CPU can not wake up at expired time.
+ Because, in the case of "WFI", the CPU must be waked up by the local
+timer interrupt. But, while 'WAIT_UNCLOCKED' is set, the local timer
+is stopped, when all CPUs execute "wfi" instruction. As a result, the
+local timer interrupt is not fired.
+ In this situation, this CPU will wake up by IRQ different from local
+timer. (e.g. broacast timer)
+
+So, this fix changes CPU to return to 'WAIT_CLOCKED'.
+
+Signed-off-by: Kohji Okuno <okuno.kohji@jp.panasonic.com>
+Fixes: e5f9dec8ff5f ("ARM: imx6q: support WAIT mode using cpuidle")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/mach-imx/cpuidle-imx6q.c | 27 ++++++++++-----------------
+ 1 file changed, 10 insertions(+), 17 deletions(-)
+
+diff --git a/arch/arm/mach-imx/cpuidle-imx6q.c b/arch/arm/mach-imx/cpuidle-imx6q.c
+index bfeb25aaf9a2..326e870d7123 100644
+--- a/arch/arm/mach-imx/cpuidle-imx6q.c
++++ b/arch/arm/mach-imx/cpuidle-imx6q.c
+@@ -16,30 +16,23 @@
+ #include "cpuidle.h"
+ #include "hardware.h"
+
+-static atomic_t master = ATOMIC_INIT(0);
+-static DEFINE_SPINLOCK(master_lock);
++static int num_idle_cpus = 0;
++static DEFINE_SPINLOCK(cpuidle_lock);
+
+ static int imx6q_enter_wait(struct cpuidle_device *dev,
+ struct cpuidle_driver *drv, int index)
+ {
+- if (atomic_inc_return(&master) == num_online_cpus()) {
+- /*
+- * With this lock, we prevent other cpu to exit and enter
+- * this function again and become the master.
+- */
+- if (!spin_trylock(&master_lock))
+- goto idle;
++ spin_lock(&cpuidle_lock);
++ if (++num_idle_cpus == num_online_cpus())
+ imx6_set_lpm(WAIT_UNCLOCKED);
+- cpu_do_idle();
+- imx6_set_lpm(WAIT_CLOCKED);
+- spin_unlock(&master_lock);
+- goto done;
+- }
++ spin_unlock(&cpuidle_lock);
+
+-idle:
+ cpu_do_idle();
+-done:
+- atomic_dec(&master);
++
++ spin_lock(&cpuidle_lock);
++ if (num_idle_cpus-- == num_online_cpus())
++ imx6_set_lpm(WAIT_CLOCKED);
++ spin_unlock(&cpuidle_lock);
+
+ return index;
+ }
+--
+2.16.4
+
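Review bot: `cpuidle_lock` is a plain spinlock taken in the cpuidle enter path, which normally runs with interrupts disabled; on PREEMPT_RT a `spinlock_t` is a sleeping lock, the same class of problem the ARM 8839/1 and 8840/1 patches in this merge fix for patch_lock and unwind_lock. Declaring it as `static DEFINE_RAW_SPINLOCK(cpuidle_lock);` and switching the four calls to `raw_spin_lock()`/`raw_spin_unlock()` would avoid that. Both tests compare against num_online_cpus() at the time of the call, so returning to WAIT_CLOCKED relies on the online count not changing between a CPU's entry and exit; a comment stating that assumption next to `num_idle_cpus` would help. The explicit `= 0` on the static is redundant by kernel style.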
diff --git a/patches.arch/ARM-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch b/patches.arch/ARM-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch
new file mode 100644
index 0000000000..6dd365306a
--- /dev/null
+++ b/patches.arch/ARM-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch
@@ -0,0 +1,46 @@
+From ba16adeb346387eb2d1ada69003588be96f098fa Mon Sep 17 00:00:00 2001
+From: Peng Hao <peng.hao2@zte.com.cn>
+Date: Sat, 29 Dec 2018 13:10:06 +0800
+Subject: [PATCH] ARM: pxa: ssp: unneeded to free devm_ allocated data
+Git-commit: ba16adeb346387eb2d1ada69003588be96f098fa
+Patch-mainline: v5.0-rc6
+References: bsc#1051510
+
+devm_ allocated data will be automatically freed. The free
+of devm_ allocated data is invalid.
+
+Fixes: 1c459de1e645 ("ARM: pxa: ssp: use devm_ functions")
+Signed-off-by: Peng Hao <peng.hao2@zte.com.cn>
+[title's prefix changed]
+
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/plat-pxa/ssp.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/arm/plat-pxa/ssp.c b/arch/arm/plat-pxa/ssp.c
+index ed36dcab80f1..f51919974183 100644
+--- a/arch/arm/plat-pxa/ssp.c
++++ b/arch/arm/plat-pxa/ssp.c
+@@ -190,8 +190,6 @@ static int pxa_ssp_remove(struct platform_device *pdev)
+ if (ssp == NULL)
+ return -ENODEV;
+
+- iounmap(ssp->mmio_base);
+-
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ release_mem_region(res->start, resource_size(res));
+
+@@ -201,7 +199,6 @@ static int pxa_ssp_remove(struct platform_device *pdev)
+ list_del(&ssp->node);
+ mutex_unlock(&ssp_lock);
+
+- kfree(ssp);
+ return 0;
+ }
+
+--
+2.16.4
+
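Review bot: After this change pxa_ssp_remove() still calls `release_mem_region(res->start, resource_size(res));` on the result of platform_get_resource() without checking `res` for NULL. If probe requests the region with a devm_ helper (the probe path is not in the hunk), this release is redundant in the same way as the removed iounmap() and kfree() and should be dropped with them. If it is not devm-managed, guard it with `if (res)` so that a missing resource cannot be dereferenced on the remove path.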
diff --git a/patches.arch/ARM-s3c24xx-Fix-boolean-expressions-in-osiris_dvs_no.patch b/patches.arch/ARM-s3c24xx-Fix-boolean-expressions-in-osiris_dvs_no.patch
new file mode 100644
index 0000000000..64795704fa
--- /dev/null
+++ b/patches.arch/ARM-s3c24xx-Fix-boolean-expressions-in-osiris_dvs_no.patch
@@ -0,0 +1,52 @@
+From e2477233145f2156434afb799583bccd878f3e9f Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Thu, 3 Jan 2019 14:14:08 -0600
+Subject: [PATCH] ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify
+Git-commit: e2477233145f2156434afb799583bccd878f3e9f
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+Fix boolean expressions by using logical AND operator '&&' instead of
+bitwise operator '&'.
+
+This issue was detected with the help of Coccinelle.
+
+Fixes: 4fa084af28ca ("ARM: OSIRIS: DVS (Dynamic Voltage Scaling) supoort.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+[krzk: Fix -Wparentheses warning]
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/mach-s3c24xx/mach-osiris-dvs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/mach-s3c24xx/mach-osiris-dvs.c b/arch/arm/mach-s3c24xx/mach-osiris-dvs.c
+index 058ce73137e8..5d819b6ea428 100644
+--- a/arch/arm/mach-s3c24xx/mach-osiris-dvs.c
++++ b/arch/arm/mach-s3c24xx/mach-osiris-dvs.c
+@@ -65,16 +65,16 @@ static int osiris_dvs_notify(struct notifier_block *nb,
+
+ switch (val) {
+ case CPUFREQ_PRECHANGE:
+- if (old_dvs & !new_dvs ||
+- cur_dvs & !new_dvs) {
++ if ((old_dvs && !new_dvs) ||
++ (cur_dvs && !new_dvs)) {
+ pr_debug("%s: exiting dvs\n", __func__);
+ cur_dvs = false;
+ gpio_set_value(OSIRIS_GPIO_DVS, 1);
+ }
+ break;
+ case CPUFREQ_POSTCHANGE:
+- if (!old_dvs & new_dvs ||
+- !cur_dvs & new_dvs) {
++ if ((!old_dvs && new_dvs) ||
++ (!cur_dvs && new_dvs)) {
+ pr_debug("entering dvs\n");
+ cur_dvs = true;
+ gpio_set_value(OSIRIS_GPIO_DVS, 0);
+--
+2.16.4
+
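Review bot: Both corrected conditions repeat the `new_dvs` test in each arm; they read more directly as `if (!new_dvs && (old_dvs || cur_dvs))` and `if (new_dvs && (!old_dvs || !cur_dvs))`, which are logically equivalent. The two pr_debug() calls are also inconsistent: the PRECHANGE branch prefixes `__func__` and the POSTCHANGE branch does not, so `pr_debug("%s: entering dvs\n", __func__);` would match. The switch statement continues outside the hunk.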
diff --git a/patches.arch/ARM-samsung-Limit-SAMSUNG_PM_CHECK-config-option-to-.patch b/patches.arch/ARM-samsung-Limit-SAMSUNG_PM_CHECK-config-option-to-.patch
new file mode 100644
index 0000000000..5329980ef9
--- /dev/null
+++ b/patches.arch/ARM-samsung-Limit-SAMSUNG_PM_CHECK-config-option-to-.patch
@@ -0,0 +1,60 @@
+From 6862fdf2201ab67cd962dbf0643d37db909f4860 Mon Sep 17 00:00:00 2001
+From: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Date: Fri, 28 Sep 2018 15:32:46 +0200
+Subject: [PATCH] ARM: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos platforms
+Git-commit: 6862fdf2201ab67cd962dbf0643d37db909f4860
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+"S3C2410 PM Suspend Memory CRC" feature (controlled by
+SAMSUNG_PM_CHECK config option) is incompatible with highmem
+(uses phys_to_virt() instead of proper mapping) which is used by
+the majority of Exynos boards. The issue manifests itself in OOPS
+on affected boards, i.e. on Odroid-U3 I got the following one:
+
+Unable to handle kernel paging request at virtual address f0000000
+pgd = 1c0f9bb4
+[f0000000] *pgd=00000000
+Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+[<c0458034>] (crc32_le) from [<c0121f8c>] (s3c_pm_makecheck+0x34/0x54)
+[<c0121f8c>] (s3c_pm_makecheck) from [<c0121efc>] (s3c_pm_run_res+0x74/0x8c)
+[<c0121efc>] (s3c_pm_run_res) from [<c0121ecc>] (s3c_pm_run_res+0x44/0x8c)
+[<c0121ecc>] (s3c_pm_run_res) from [<c01210b8>] (exynos_suspend_enter+0x64/0x148)
+[<c01210b8>] (exynos_suspend_enter) from [<c018893c>] (suspend_devices_and_enter+0x9ec/0xe74)
+[<c018893c>] (suspend_devices_and_enter) from [<c0189534>] (pm_suspend+0x770/0xc04)
+[<c0189534>] (pm_suspend) from [<c0186ce8>] (state_store+0x6c/0xcc)
+[<c0186ce8>] (state_store) from [<c09db434>] (kobj_attr_store+0x14/0x20)
+[<c09db434>] (kobj_attr_store) from [<c02fa63c>] (sysfs_kf_write+0x4c/0x50)
+[<c02fa63c>] (sysfs_kf_write) from [<c02f97a4>] (kernfs_fop_write+0xfc/0x1e4)
+[<c02f97a4>] (kernfs_fop_write) from [<c027b198>] (__vfs_write+0x2c/0x140)
+[<c027b198>] (__vfs_write) from [<c027b418>] (vfs_write+0xa4/0x160)
+[<c027b418>] (vfs_write) from [<c027b5d8>] (ksys_write+0x40/0x8c)
+[<c027b5d8>] (ksys_write) from [<c0101000>] (ret_fast_syscall+0x0/0x28)
+
+Add PLAT_S3C24XX, ARCH_S3C64XX and ARCH_S5PV210 dependencies to
+SAMSUNG_PM_CHECK config option to hide it on Exynos platforms.
+
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/plat-samsung/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/plat-samsung/Kconfig b/arch/arm/plat-samsung/Kconfig
+index b600e38364eb..377ff9cda667 100644
+--- a/arch/arm/plat-samsung/Kconfig
++++ b/arch/arm/plat-samsung/Kconfig
+@@ -256,7 +256,7 @@ config S3C_PM_DEBUG_LED_SMDK
+
+ config SAMSUNG_PM_CHECK
+ bool "S3C2410 PM Suspend Memory CRC"
+- depends on PM
++ depends on PM && (PLAT_S3C24XX || ARCH_S3C64XX || ARCH_S5PV210)
+ select CRC32
+ help
+ Enable the PM code's memory area checksum over sleep. This option
+--
+2.16.4
+
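Review bot: The new dependency selects by platform rather than by the feature that breaks. If a configuration can enable ARCH_S5PV210 together with Exynos (not visible here), SAMSUNG_PM_CHECK would still be offered and would reach the same phys_to_virt() path on a highmem board. The message names highmem as the incompatibility, so it could be expressed directly, e.g. `depends on PM && !HIGHMEM && (PLAT_S3C24XX || ARCH_S3C64XX || ARCH_S5PV210)`. Failing that, the help text, which continues outside the hunk, should say the check is unsafe with highmem.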
diff --git a/patches.arch/kvm-x86-report-stibp-on-get_supported_cpuid.patch b/patches.arch/kvm-x86-report-stibp-on-get_supported_cpuid.patch
index bec39883f1..cf5063beee 100644
--- a/patches.arch/kvm-x86-report-stibp-on-get_supported_cpuid.patch
+++ b/patches.arch/kvm-x86-report-stibp-on-get_supported_cpuid.patch
@@ -3,7 +3,7 @@ Date: Wed, 5 Dec 2018 17:19:56 -0200
Subject: kvm: x86: Report STIBP on GET_SUPPORTED_CPUID
Git-commit: d7b09c827a6cf291f66637a36f46928dd1423184
Patch-mainline: v5.0-rc1
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
Months ago, we have added code to allow direct access to MSR_IA32_SPEC_CTRL
to the guest, which makes STIBP available to guests. This was implemented
diff --git a/patches.arch/locking-atomics-asm-generic-move-some-macros-from-linux-bitops-h-to-a-new-linux-bits-h-file.patch b/patches.arch/locking-atomics-asm-generic-move-some-macros-from-linux-bitops-h-to-a-new-linux-bits-h-file.patch
index e431bdf60d..cec803db31 100644
--- a/patches.arch/locking-atomics-asm-generic-move-some-macros-from-linux-bitops-h-to-a-new-linux-bits-h-file.patch
+++ b/patches.arch/locking-atomics-asm-generic-move-some-macros-from-linux-bitops-h-to-a-new-linux-bits-h-file.patch
@@ -4,7 +4,7 @@ Subject: locking/atomics, asm-generic: Move some macros from <linux/bitops.h>
to a new <linux/bits.h> file
Git-commit: 8bd9cb51daac89337295b6f037b0486911e1b408
Patch-mainline: v4.19-rc1
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
In preparation for implementing the asm-generic atomic bitops in terms
of atomic_long_*(), we need to prevent <asm/atomic.h> implementations from
diff --git a/patches.arch/powerpc-numa-document-topology_updates_enabled-disab.patch b/patches.arch/powerpc-numa-document-topology_updates_enabled-disab.patch
index ce83ac8841..9f5a29a14b 100644
--- a/patches.arch/powerpc-numa-document-topology_updates_enabled-disab.patch
+++ b/patches.arch/powerpc-numa-document-topology_updates_enabled-disab.patch
@@ -5,8 +5,7 @@ Subject: [PATCH] powerpc/numa: document topology_updates_enabled, disable by
default
References: bsc#1133584
-Patch-mainline: queued
-Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git
+Patch-mainline: v5.2-rc1
Git-commit: 558f86493df09f68f79fe056d9028d317a3ce8ab
Changing the NUMA associations for CPUs and memory at runtime is
diff --git a/patches.arch/powerpc-numa-improve-control-of-topology-updates.patch b/patches.arch/powerpc-numa-improve-control-of-topology-updates.patch
index f62c6c2bae..3a04a469dd 100644
--- a/patches.arch/powerpc-numa-improve-control-of-topology-updates.patch
+++ b/patches.arch/powerpc-numa-improve-control-of-topology-updates.patch
@@ -4,8 +4,7 @@ Date: Thu, 18 Apr 2019 13:56:57 -0500
Subject: [PATCH] powerpc/numa: improve control of topology updates
References: bsc#1133584
-Patch-mainline: queued
-Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git
+Patch-mainline: v5.2-rc1
Git-commit: 2d4d9b308f8f8dec68f6dbbff18c68ec7c6bd26f
When booted with "topology_updates=no", or when "off" is written to
diff --git a/patches.arch/s390-qdio-clear-intparm-during-shutdown b/patches.arch/s390-qdio-clear-intparm-during-shutdown
new file mode 100644
index 0000000000..771cba3836
--- /dev/null
+++ b/patches.arch/s390-qdio-clear-intparm-during-shutdown
@@ -0,0 +1,44 @@
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Wed, 21 Mar 2018 17:14:00 +0100
+Subject: s390/qdio: clear intparm during shutdown
+Git-commit: 89286320a236d245834075fa13adb0bdd827ecaa
+Patch-mainline: v4.17-rc1
+References: bsc#1134591 bsc#1134597 LTC#177515 LTC#177516
+
+During shutdown, qdio returns its ccw device back to control by the
+upper-layer driver. But there is a remote chance that by the time where the
+IRQ handler gets switched back, the interrupt for the preceding
+ccw_device_{clear,halt} hasn't been presented yet.
+Upper-layer drivers would then need to handle this IRQ - and since the IO
+is issued with an intparm, it could very well be confused with whatever
+intparm mechanism the driver uses itself (eg intparm == request address).
+
+So when switching over the IRQ handler, also clear the intparm and have
+upper-layer drivers deal with any such delayed interrupt as if it was
+unsolicited.
+
+Suggested-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ drivers/s390/cio/qdio_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c
+index a337281337a7..f4ca72dd862f 100644
+--- a/drivers/s390/cio/qdio_main.c
++++ b/drivers/s390/cio/qdio_main.c
+@@ -1207,8 +1207,10 @@ int qdio_shutdown(struct ccw_device *cdev, int how)
+ qdio_shutdown_thinint(irq_ptr);
+
+ /* restore interrupt handler */
+- if ((void *)cdev->handler == (void *)qdio_int_handler)
++ if ((void *)cdev->handler == (void *)qdio_int_handler) {
+ cdev->handler = irq_ptr->orig_handler;
++ cdev->private->intparm = 0;
++ }
+ spin_unlock_irq(get_ccwdev_lock(cdev));
+
+ qdio_set_state(irq_ptr, QDIO_IRQ_STATE_INACTIVE);
+
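Review bot: The added `cdev->private->intparm = 0;` in the qdio_main.c hunk sits under a comment that still reads `/* restore interrupt handler */`, so the reason for clearing intparm is recorded only in the patch description. I would extend the comment to `/* restore interrupt handler; clear intparm so a late clear/halt interrupt reaches the upper-layer driver as unsolicited */`. Both stores happen before `spin_unlock_irq(get_ccwdev_lock(cdev))`, which presumably is what keeps the handler switch and the intparm reset consistent for the interrupt path; the comment could say so, since the fix depends on it. The description notes that a driver may use intparm as a request address, so it is worth confirming that the upper-layer handlers treat a zero intparm as unsolicited and never dereference it. The body of qdio_shutdown starts and ends outside the hunk.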
diff --git a/patches.arch/x86-cpu-sanitize-fam6_atom-naming.patch b/patches.arch/x86-cpu-sanitize-fam6_atom-naming.patch
index 5cdecdb444..70223a4371 100644
--- a/patches.arch/x86-cpu-sanitize-fam6_atom-naming.patch
+++ b/patches.arch/x86-cpu-sanitize-fam6_atom-naming.patch
@@ -3,7 +3,7 @@ Date: Tue, 7 Aug 2018 10:17:27 -0700
Subject: x86/cpu: Sanitize FAM6_ATOM naming
Git-commit: f2c4db1bd80720cd8cb2a5aa220d9bc9f374f04e
Patch-mainline: v5.1-rc1
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
commit f2c4db1bd80720cd8cb2a5aa220d9bc9f374f04e upstream
diff --git a/patches.arch/x86-kvm-expose-x86_feature_md_clear-to-guests.patch b/patches.arch/x86-kvm-expose-x86_feature_md_clear-to-guests.patch
index ef439ddf46..81e943fc30 100644
--- a/patches.arch/x86-kvm-expose-x86_feature_md_clear-to-guests.patch
+++ b/patches.arch/x86-kvm-expose-x86_feature_md_clear-to-guests.patch
@@ -2,8 +2,8 @@ From: Andi Kleen <ak@linux.intel.com>
Date: Fri, 18 Jan 2019 16:50:23 -0800
Subject: x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests
Git-commit: 6c4dbbd14730c43f4ed808a9c42ca41625925c22
-Patch-mainline: v5.1-rc1
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+Patch-mainline: v5.2-rc1
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
X86_FEATURE_MD_CLEAR is a new CPUID bit which is set when microcode
provides the mechanism to invoke a flush of various exploitable CPU buffers
diff --git a/patches.arch/x86-kvm-vmx-add-mds-protection-when-l1d-flush-is-not-active.patch b/patches.arch/x86-kvm-vmx-add-mds-protection-when-l1d-flush-is-not-active.patch
index 72dc41269e..bd2e7c97e7 100644
--- a/patches.arch/x86-kvm-vmx-add-mds-protection-when-l1d-flush-is-not-active.patch
+++ b/patches.arch/x86-kvm-vmx-add-mds-protection-when-l1d-flush-is-not-active.patch
@@ -2,8 +2,8 @@ From: Thomas Gleixner <tglx@linutronix.de>
Date: Wed, 27 Feb 2019 12:48:14 +0100
Subject: x86/kvm/vmx: Add MDS protection when L1D Flush is not active
Git-commit: 650b68a0622f933444a6d66936abb3103029413b
-Patch-mainline: v5.1-rc1
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+Patch-mainline: v5.2-rc1
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
CPUs which are affected by L1TF and MDS mitigate MDS with the L1D Flush on
VMENTER when updated microcode is installed.
diff --git a/patches.arch/x86-msr-index-cleanup-bit-defines.patch b/patches.arch/x86-msr-index-cleanup-bit-defines.patch
index 4fed2b84e7..8552aa7dfe 100644
--- a/patches.arch/x86-msr-index-cleanup-bit-defines.patch
+++ b/patches.arch/x86-msr-index-cleanup-bit-defines.patch
@@ -2,8 +2,8 @@ From: Thomas Gleixner <tglx@linutronix.de>
Date: Thu, 21 Feb 2019 12:36:50 +0100
Subject: x86/msr-index: Cleanup bit defines
Git-commit: d8eabc37310a92df40d07c5a8afc53cebf996716
-Patch-mainline: v5.1-rc1
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+Patch-mainline: v5.2-rc1
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
Greg pointed out that speculation related bit defines are using (1 << N)
format instead of BIT(N). Aside of that (1 << N) is wrong as it should use
diff --git a/patches.arch/x86-speculation-consolidate-cpu-whitelists.patch b/patches.arch/x86-speculation-consolidate-cpu-whitelists.patch
index a8953a02a2..9662a8077a 100644
--- a/patches.arch/x86-speculation-consolidate-cpu-whitelists.patch
+++ b/patches.arch/x86-speculation-consolidate-cpu-whitelists.patch
@@ -2,8 +2,8 @@ From: Thomas Gleixner <tglx@linutronix.de>
Date: Wed, 27 Feb 2019 10:10:23 +0100
Subject: x86/speculation: Consolidate CPU whitelists
Git-commit: 36ad35131adacc29b328b9c8b6277a8bf0d6fd5d
-Patch-mainline: v5.1-rc1
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+Patch-mainline: v5.2-rc1
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
The CPU vulnerability whitelists have some overlap and there are more
whitelists coming along.
diff --git a/patches.arch/x86-speculation-mds-add-basic-bug-infrastructure-for-mds.patch b/patches.arch/x86-speculation-mds-add-basic-bug-infrastructure-for-mds.patch
index 3b673bacec..736111e827 100644
--- a/patches.arch/x86-speculation-mds-add-basic-bug-infrastructure-for-mds.patch
+++ b/patches.arch/x86-speculation-mds-add-basic-bug-infrastructure-for-mds.patch
@@ -2,8 +2,8 @@ From: Andi Kleen <ak@linux.intel.com>
Date: Fri, 18 Jan 2019 16:50:16 -0800
Subject: x86/speculation/mds: Add basic bug infrastructure for MDS
Git-commit: ed5194c2732c8084af9fd159c146ea92bf137128
-Patch-mainline: v5.1-rc1
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+Patch-mainline: v5.2-rc1
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
Microarchitectural Data Sampling (MDS), is a class of side channel attacks
on internal buffers in Intel CPUs. The variants are:
diff --git a/patches.arch/x86-speculation-mds-add-bug_msbds_only.patch b/patches.arch/x86-speculation-mds-add-bug_msbds_only.patch
index b6ebab3b9e..7dd8ba527c 100644
--- a/patches.arch/x86-speculation-mds-add-bug_msbds_only.patch
+++ b/patches.arch/x86-speculation-mds-add-bug_msbds_only.patch
@@ -2,8 +2,8 @@ From: Thomas Gleixner <tglx@linutronix.de>
Date: Fri, 1 Mar 2019 20:21:08 +0100
Subject: x86/speculation/mds: Add BUG_MSBDS_ONLY
Git-commit: e261f209c3666e842fd645a1e31f001c3a26def9
-Patch-mainline: v5.1-rc1
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+Patch-mainline: v5.2-rc1
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
This bug bit is set on CPUs which are only affected by Microarchitectural
Store Buffer Data Sampling (MSBDS) and not by any other MDS variant.
diff --git a/patches.arch/x86-speculation-mds-add-mds-full-nosmt-cmdline-option.patch b/patches.arch/x86-speculation-mds-add-mds-full-nosmt-cmdline-option.patch
index d3303c9f25..5c918bf56f 100644
--- a/patches.arch/x86-speculation-mds-add-mds-full-nosmt-cmdline-option.patch
+++ b/patches.arch/x86-speculation-mds-add-mds-full-nosmt-cmdline-option.patch
@@ -1,10 +1,9 @@
From: Josh Poimboeuf <jpoimboe@redhat.com>
Date: Tue, 2 Apr 2019 09:59:33 -0500
Subject: x86/speculation/mds: Add mds=full,nosmt cmdline option
-Git-repo: tip/tip
Git-commit: d71eb0ce109a124b0fa714832823b9452f2762cf
-Patch-mainline: Queued in a subsystem tree
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+Patch-mainline: v5.2-rc1
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
Add the mds=full,nosmt cmdline option. This is like mds=full, but with
SMT disabled if the CPU is vulnerable.
diff --git a/patches.arch/x86-speculation-mds-add-mds_clear_cpu_buffers.patch b/patches.arch/x86-speculation-mds-add-mds_clear_cpu_buffers.patch
index 3d563bb801..acb480422a 100644
--- a/patches.arch/x86-speculation-mds-add-mds_clear_cpu_buffers.patch
+++ b/patches.arch/x86-speculation-mds-add-mds_clear_cpu_buffers.patch
@@ -2,8 +2,8 @@ From: Thomas Gleixner <tglx@linutronix.de>
Date: Mon, 18 Feb 2019 23:13:06 +0100
Subject: x86/speculation/mds: Add mds_clear_cpu_buffers()
Git-commit: 6a9e529272517755904b7afa639f6db59ddb793e
-Patch-mainline: v5.1-rc1
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+Patch-mainline: v5.2-rc1
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
The Microarchitectural Data Sampling (MDS) vulernabilities are mitigated by
clearing the affected CPU buffers. The mechanism for clearing the buffers
diff --git a/patches.arch/x86-speculation-mds-add-mitigation-control-for-mds.patch b/patches.arch/x86-speculation-mds-add-mitigation-control-for-mds.patch
index 0cc8bfbf56..dff5a6ac26 100644
--- a/patches.arch/x86-speculation-mds-add-mitigation-control-for-mds.patch
+++ b/patches.arch/x86-speculation-mds-add-mitigation-control-for-mds.patch
@@ -2,8 +2,8 @@ From: Thomas Gleixner <tglx@linutronix.de>
Date: Mon, 18 Feb 2019 22:04:08 +0100
Subject: x86/speculation/mds: Add mitigation control for MDS
Git-commit: bc1241700acd82ec69fde98c5763ce51086269f8
-Patch-mainline: v5.1-rc1
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+Patch-mainline: v5.2-rc1
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
Now that the mitigations are in place, add a command line parameter to
control the mitigation, a mitigation selector function and a SMT update
diff --git a/patches.arch/x86-speculation-mds-add-mitigation-mode-vmwerv.patch b/patches.arch/x86-speculation-mds-add-mitigation-mode-vmwerv.patch
index 4f0e1f0f07..1e3397de1c 100644
--- a/patches.arch/x86-speculation-mds-add-mitigation-mode-vmwerv.patch
+++ b/patches.arch/x86-speculation-mds-add-mitigation-mode-vmwerv.patch
@@ -2,8 +2,8 @@ From: Thomas Gleixner <tglx@linutronix.de>
Date: Wed, 20 Feb 2019 09:40:40 +0100
Subject: x86/speculation/mds: Add mitigation mode VMWERV
Git-commit: 22dd8365088b6403630b82423cf906491859b65e
-Patch-mainline: v5.1-rc1
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+Patch-mainline: v5.2-rc1
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
In virtualized environments it can happen that the host has the microcode
update which utilizes the VERW instruction to clear CPU buffers, but the
diff --git a/patches.arch/x86-speculation-mds-add-mitigations-support-for-mds.patch b/patches.arch/x86-speculation-mds-add-mitigations-support-for-mds.patch
index 4405b7c895..abb38f06fe 100644
--- a/patches.arch/x86-speculation-mds-add-mitigations-support-for-mds.patch
+++ b/patches.arch/x86-speculation-mds-add-mitigations-support-for-mds.patch
@@ -1,10 +1,9 @@
From: Josh Poimboeuf <jpoimboe@redhat.com>
Date: Wed, 17 Apr 2019 16:39:02 -0500
Subject: x86/speculation/mds: Add 'mitigations=' support for MDS
-Git-repo: tip/tip
Git-commit: 5c14068f87d04adc73ba3f41c2a303d3c3d1fa12
-Patch-mainline: Queued in a subsystem tree
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+Patch-mainline: v5.2-rc1
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
Add MDS to the new 'mitigations=' cmdline option.
diff --git a/patches.arch/x86-speculation-mds-add-smt-warning-message.patch b/patches.arch/x86-speculation-mds-add-smt-warning-message.patch
index 0ba3c2f544..fd6806f607 100644
--- a/patches.arch/x86-speculation-mds-add-smt-warning-message.patch
+++ b/patches.arch/x86-speculation-mds-add-smt-warning-message.patch
@@ -2,9 +2,8 @@ From: Josh Poimboeuf <jpoimboe@redhat.com>
Date: Tue, 2 Apr 2019 10:00:51 -0500
Subject: x86/speculation/mds: Add SMT warning message
Git-commit: 39226ef02bfb43248b7db12a4fdccb39d95318e3
-Git-repo: tip/tip
-Patch-mainline: Queued in a subsystem tree
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+Patch-mainline: v5.2-rc1
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
MDS is vulnerable with SMT. Make that clear with a one-time printk
whenever SMT first gets enabled.
diff --git a/patches.arch/x86-speculation-mds-add-sysfs-reporting-for-mds.patch b/patches.arch/x86-speculation-mds-add-sysfs-reporting-for-mds.patch
index 2a1c7ad669..163d8311e7 100644
--- a/patches.arch/x86-speculation-mds-add-sysfs-reporting-for-mds.patch
+++ b/patches.arch/x86-speculation-mds-add-sysfs-reporting-for-mds.patch
@@ -2,8 +2,8 @@ From: Thomas Gleixner <tglx@linutronix.de>
Date: Mon, 18 Feb 2019 22:51:43 +0100
Subject: x86/speculation/mds: Add sysfs reporting for MDS
Git-commit: 8a4b06d391b0a42a373808979b5028f5c84d9c6a
-Patch-mainline: v5.1-rc1
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+Patch-mainline: v5.2-rc1
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
Add the sysfs reporting file for MDS. It exposes the vulnerability and
mitigation state similar to the existing files for the other speculative
diff --git a/patches.arch/x86-speculation-mds-clear-cpu-buffers-on-exit-to-user.patch b/patches.arch/x86-speculation-mds-clear-cpu-buffers-on-exit-to-user.patch
index 8501ae91ae..5ee1d96733 100644
--- a/patches.arch/x86-speculation-mds-clear-cpu-buffers-on-exit-to-user.patch
+++ b/patches.arch/x86-speculation-mds-clear-cpu-buffers-on-exit-to-user.patch
@@ -2,8 +2,8 @@ From: Thomas Gleixner <tglx@linutronix.de>
Date: Mon, 18 Feb 2019 23:42:51 +0100
Subject: x86/speculation/mds: Clear CPU buffers on exit to user
Git-commit: 04dcbdb8057827b043b3c71aa397c4c63e67d086
-Patch-mainline: v5.1-rc1
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+Patch-mainline: v5.2-rc1
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
Add a static key which controls the invocation of the CPU buffer clear
mechanism on exit to user space and add the call into
diff --git a/patches.arch/x86-speculation-mds-conditionally-clear-cpu-buffers-on-idle-entry.patch b/patches.arch/x86-speculation-mds-conditionally-clear-cpu-buffers-on-idle-entry.patch
index e55065d925..09385844b6 100644
--- a/patches.arch/x86-speculation-mds-conditionally-clear-cpu-buffers-on-idle-entry.patch
+++ b/patches.arch/x86-speculation-mds-conditionally-clear-cpu-buffers-on-idle-entry.patch
@@ -2,8 +2,8 @@ From: Thomas Gleixner <tglx@linutronix.de>
Date: Mon, 18 Feb 2019 23:04:01 +0100
Subject: x86/speculation/mds: Conditionally clear CPU buffers on idle entry
Git-commit: 07f07f55a29cb705e221eda7894dd67ab81ef343
-Patch-mainline: v5.1-rc1
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+Patch-mainline: v5.2-rc1
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
Add a static key which controls the invocation of the CPU buffer clear
mechanism on idle entry. This is independent of other MDS mitigations
diff --git a/patches.arch/x86-speculation-mds-print-smt-vulnerable-on-msbds-with-mitigations-off.patch b/patches.arch/x86-speculation-mds-print-smt-vulnerable-on-msbds-with-mitigations-off.patch
index c9762dddd2..080d53e2d0 100644
--- a/patches.arch/x86-speculation-mds-print-smt-vulnerable-on-msbds-with-mitigations-off.patch
+++ b/patches.arch/x86-speculation-mds-print-smt-vulnerable-on-msbds-with-mitigations-off.patch
@@ -1,10 +1,9 @@
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date: Fri, 12 Apr 2019 17:50:58 -0400
Subject: x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off
-Git-repo: tip/tip
Git-commit: e2c3c94788b08891dcf3dbe608f9880523ecd71b
-Patch-mainline: Queued in a subsystem tree
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+Patch-mainline: v5.2-rc1
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
This code is only for CPUs which are affected by MSBDS, but are *not*
affected by the other two MDS issues.
diff --git a/patches.arch/x86-speculation-move-arch_smt_update-call-to-after-mitigation-decisions.patch b/patches.arch/x86-speculation-move-arch_smt_update-call-to-after-mitigation-decisions.patch
index cfcda3d0e4..a0516bdfdc 100644
--- a/patches.arch/x86-speculation-move-arch_smt_update-call-to-after-mitigation-decisions.patch
+++ b/patches.arch/x86-speculation-move-arch_smt_update-call-to-after-mitigation-decisions.patch
@@ -1,10 +1,9 @@
From: Josh Poimboeuf <jpoimboe@redhat.com>
Date: Tue, 2 Apr 2019 10:00:14 -0500
Subject: x86/speculation: Move arch_smt_update() call to after mitigation decisions
-Git-repo: tip/tip
Git-commit: 7c3658b20194a5b3209a143f63bc9c643c6a3ae2
-Patch-mainline: Queued in a subsystem tree
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+Patch-mainline: v5.2-rc1
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
arch_smt_update() now has a dependency on both Spectre v2 and MDS
mitigations. Move its initial call to after all the mitigation decisions
diff --git a/patches.arch/x86-speculation-simplify-the-cpu-bug-detection-logic.patch b/patches.arch/x86-speculation-simplify-the-cpu-bug-detection-logic.patch
index 2ca003db81..1182e16ed4 100644
--- a/patches.arch/x86-speculation-simplify-the-cpu-bug-detection-logic.patch
+++ b/patches.arch/x86-speculation-simplify-the-cpu-bug-detection-logic.patch
@@ -3,7 +3,7 @@ Date: Tue, 22 May 2018 11:05:39 +0200
Subject: x86/speculation: Simplify the CPU bug detection logic
Git-commit: 8ecc4979b1bd9c94168e6fc92960033b7a951336
Patch-mainline: v4.17-rc7
-References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
+References: bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
Only CPUs which speculate can speculate. Therefore, it seems prudent
to test for cpu_no_speculation first and only then determine whether
diff --git a/patches.drivers/ALSA-hda-Use-a-macro-for-snd_array-iteration-loops.patch b/patches.drivers/ALSA-hda-Use-a-macro-for-snd_array-iteration-loops.patch
new file mode 100644
index 0000000000..8a80fee511
--- /dev/null
+++ b/patches.drivers/ALSA-hda-Use-a-macro-for-snd_array-iteration-loops.patch
@@ -0,0 +1,422 @@
+From a9c2dfc8527318a27db045cd7ea51e8ecab8c884 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 23 Apr 2018 17:24:56 +0200
+Subject: [PATCH] ALSA: hda - Use a macro for snd_array iteration loops
+Git-commit: a9c2dfc8527318a27db045cd7ea51e8ecab8c884
+Patch-mainline: v4.18-rc1
+References: bsc#1051510
+
+Introduce a new helper macro, snd_array_for_each(), to iterate for
+each snd_array element. It slightly improves the readability than
+lengthy open codes at each place.
+
+Along with it, add const prefix to some obvious places.
+
+There should be no functional changes by this.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ include/sound/hdaudio.h | 5 +++++
+ sound/hda/hdac_regmap.c | 4 ++--
+ sound/pci/hda/hda_auto_parser.c | 10 +++++-----
+ sound/pci/hda/hda_codec.c | 36 ++++++++++++++++++------------------
+ sound/pci/hda/hda_generic.c | 27 +++++++++++++--------------
+ sound/pci/hda/hda_sysfs.c | 20 ++++++++++----------
+ sound/pci/hda/patch_conexant.c | 5 ++---
+ sound/pci/hda/patch_realtek.c | 4 ++--
+ 8 files changed, 57 insertions(+), 54 deletions(-)
+
+diff --git a/include/sound/hdaudio.h b/include/sound/hdaudio.h
+index 06536e01ed94..c052afc27547 100644
+--- a/include/sound/hdaudio.h
++++ b/include/sound/hdaudio.h
+@@ -571,4 +571,9 @@ static inline unsigned int snd_array_index(struct snd_array *array, void *ptr)
+ return (unsigned long)(ptr - array->list) / array->elem_size;
+ }
+
++/* a helper macro to iterate for each snd_array element */
++#define snd_array_for_each(array, idx, ptr) \
++ for ((idx) = 0, (ptr) = (array)->list; (idx) < (array)->used; \
++ (ptr) = snd_array_elem(array, ++(idx)))
++
+ #endif /* __SOUND_HDAUDIO_H */
+diff --git a/sound/hda/hdac_regmap.c b/sound/hda/hdac_regmap.c
+index 47a358fab132..419e285e0226 100644
+--- a/sound/hda/hdac_regmap.c
++++ b/sound/hda/hdac_regmap.c
+@@ -65,10 +65,10 @@ static bool hda_writeable_reg(struct device *dev, unsigned int reg)
+ {
+ struct hdac_device *codec = dev_to_hdac_dev(dev);
+ unsigned int verb = get_verb(reg);
++ const unsigned int *v;
+ int i;
+
+- for (i = 0; i < codec->vendor_verbs.used; i++) {
+- unsigned int *v = snd_array_elem(&codec->vendor_verbs, i);
++ snd_array_for_each(&codec->vendor_verbs, i, v) {
+ if (verb == *v)
+ return true;
+ }
+diff --git a/sound/pci/hda/hda_auto_parser.c b/sound/pci/hda/hda_auto_parser.c
+index d3ea73171a3d..b9a6b66aeb0e 100644
+--- a/sound/pci/hda/hda_auto_parser.c
++++ b/sound/pci/hda/hda_auto_parser.c
+@@ -793,11 +793,11 @@ EXPORT_SYMBOL_GPL(snd_hda_add_verbs);
+ */
+ void snd_hda_apply_verbs(struct hda_codec *codec)
+ {
++ const struct hda_verb **v;
+ int i;
+- for (i = 0; i < codec->verbs.used; i++) {
+- struct hda_verb **v = snd_array_elem(&codec->verbs, i);
++
++ snd_array_for_each(&codec->verbs, i, v)
+ snd_hda_sequence_write(codec, *v);
+- }
+ }
+ EXPORT_SYMBOL_GPL(snd_hda_apply_verbs);
+
+@@ -890,10 +890,10 @@ EXPORT_SYMBOL_GPL(snd_hda_apply_fixup);
+ static bool pin_config_match(struct hda_codec *codec,
+ const struct hda_pintbl *pins)
+ {
++ const struct hda_pincfg *pin;
+ int i;
+
+- for (i = 0; i < codec->init_pins.used; i++) {
+- struct hda_pincfg *pin = snd_array_elem(&codec->init_pins, i);
++ snd_array_for_each(&codec->init_pins, i, pin) {
+ hda_nid_t nid = pin->nid;
+ u32 cfg = pin->cfg;
+ const struct hda_pintbl *t_pins;
+diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
+index 5bc3a7468e17..0aa923d129f5 100644
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -481,9 +481,10 @@ static struct hda_pincfg *look_up_pincfg(struct hda_codec *codec,
+ struct snd_array *array,
+ hda_nid_t nid)
+ {
++ struct hda_pincfg *pin;
+ int i;
+- for (i = 0; i < array->used; i++) {
+- struct hda_pincfg *pin = snd_array_elem(array, i);
++
++ snd_array_for_each(array, i, pin) {
+ if (pin->nid == nid)
+ return pin;
+ }
+@@ -618,14 +619,15 @@ EXPORT_SYMBOL_GPL(snd_hda_codec_get_pin_target);
+ */
+ void snd_hda_shutup_pins(struct hda_codec *codec)
+ {
++ const struct hda_pincfg *pin;
+ int i;
++
+ /* don't shut up pins when unloading the driver; otherwise it breaks
+ * the default pin setup at the next load of the driver
+ */
+ if (codec->bus->shutdown)
+ return;
+- for (i = 0; i < codec->init_pins.used; i++) {
+- struct hda_pincfg *pin = snd_array_elem(&codec->init_pins, i);
++ snd_array_for_each(&codec->init_pins, i, pin) {
+ /* use read here for syncing after issuing each verb */
+ snd_hda_codec_read(codec, pin->nid, 0,
+ AC_VERB_SET_PIN_WIDGET_CONTROL, 0);
+@@ -638,13 +640,14 @@ EXPORT_SYMBOL_GPL(snd_hda_shutup_pins);
+ /* Restore the pin controls cleared previously via snd_hda_shutup_pins() */
+ static void restore_shutup_pins(struct hda_codec *codec)
+ {
++ const struct hda_pincfg *pin;
+ int i;
++
+ if (!codec->pins_shutup)
+ return;
+ if (codec->bus->shutdown)
+ return;
+- for (i = 0; i < codec->init_pins.used; i++) {
+- struct hda_pincfg *pin = snd_array_elem(&codec->init_pins, i);
++ snd_array_for_each(&codec->init_pins, i, pin) {
+ snd_hda_codec_write(codec, pin->nid, 0,
+ AC_VERB_SET_PIN_WIDGET_CONTROL,
+ pin->ctrl);
+@@ -697,8 +700,7 @@ get_hda_cvt_setup(struct hda_codec *codec, hda_nid_t nid)
+ struct hda_cvt_setup *p;
+ int i;
+
+- for (i = 0; i < codec->cvt_setups.used; i++) {
+- p = snd_array_elem(&codec->cvt_setups, i);
++ snd_array_for_each(&codec->cvt_setups, i, p) {
+ if (p->nid == nid)
+ return p;
+ }
+@@ -1076,8 +1078,7 @@ void snd_hda_codec_setup_stream(struct hda_codec *codec, hda_nid_t nid,
+ /* make other inactive cvts with the same stream-tag dirty */
+ type = get_wcaps_type(get_wcaps(codec, nid));
+ list_for_each_codec(c, codec->bus) {
+- for (i = 0; i < c->cvt_setups.used; i++) {
+- p = snd_array_elem(&c->cvt_setups, i);
++ snd_array_for_each(&c->cvt_setups, i, p) {
+ if (!p->active && p->stream_tag == stream_tag &&
+ get_wcaps_type(get_wcaps(c, p->nid)) == type)
+ p->dirty = 1;
+@@ -1140,12 +1141,11 @@ static void really_cleanup_stream(struct hda_codec *codec,
+ static void purify_inactive_streams(struct hda_codec *codec)
+ {
+ struct hda_codec *c;
++ struct hda_cvt_setup *p;
+ int i;
+
+ list_for_each_codec(c, codec->bus) {
+- for (i = 0; i < c->cvt_setups.used; i++) {
+- struct hda_cvt_setup *p;
+- p = snd_array_elem(&c->cvt_setups, i);
++ snd_array_for_each(&c->cvt_setups, i, p) {
+ if (p->dirty)
+ really_cleanup_stream(c, p);
+ }
+@@ -1156,10 +1156,10 @@ static void purify_inactive_streams(struct hda_codec *codec)
+ /* clean up all streams; called from suspend */
+ static void hda_cleanup_all_streams(struct hda_codec *codec)
+ {
++ struct hda_cvt_setup *p;
+ int i;
+
+- for (i = 0; i < codec->cvt_setups.used; i++) {
+- struct hda_cvt_setup *p = snd_array_elem(&codec->cvt_setups, i);
++ snd_array_for_each(&codec->cvt_setups, i, p) {
+ if (p->stream_tag)
+ really_cleanup_stream(codec, p);
+ }
+@@ -2461,10 +2461,10 @@ EXPORT_SYMBOL_GPL(snd_hda_create_dig_out_ctls);
+ struct hda_spdif_out *snd_hda_spdif_out_of_nid(struct hda_codec *codec,
+ hda_nid_t nid)
+ {
++ struct hda_spdif_out *spdif;
+ int i;
+- for (i = 0; i < codec->spdif_out.used; i++) {
+- struct hda_spdif_out *spdif =
+- snd_array_elem(&codec->spdif_out, i);
++
++ snd_array_for_each(&codec->spdif_out, i, spdif) {
+ if (spdif->nid == nid)
+ return spdif;
+ }
+diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c
+index 5cc65093d941..51030f040745 100644
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -264,10 +264,10 @@ static struct nid_path *get_nid_path(struct hda_codec *codec,
+ int anchor_nid)
+ {
+ struct hda_gen_spec *spec = codec->spec;
++ struct nid_path *path;
+ int i;
+
+- for (i = 0; i < spec->paths.used; i++) {
+- struct nid_path *path = snd_array_elem(&spec->paths, i);
++ snd_array_for_each(&spec->paths, i, path) {
+ if (path->depth <= 0)
+ continue;
+ if ((!from_nid || path->path[0] == from_nid) &&
+@@ -325,10 +325,10 @@ EXPORT_SYMBOL_GPL(snd_hda_get_path_from_idx);
+ static bool is_dac_already_used(struct hda_codec *codec, hda_nid_t nid)
+ {
+ struct hda_gen_spec *spec = codec->spec;
++ const struct nid_path *path;
+ int i;
+
+- for (i = 0; i < spec->paths.used; i++) {
+- struct nid_path *path = snd_array_elem(&spec->paths, i);
++ snd_array_for_each(&spec->paths, i, path) {
+ if (path->path[0] == nid)
+ return true;
+ }
+@@ -351,11 +351,11 @@ static bool is_reachable_path(struct hda_codec *codec,
+ static bool is_ctl_used(struct hda_codec *codec, unsigned int val, int type)
+ {
+ struct hda_gen_spec *spec = codec->spec;
++ const struct nid_path *path;
+ int i;
+
+ val &= AMP_VAL_COMPARE_MASK;
+- for (i = 0; i < spec->paths.used; i++) {
+- struct nid_path *path = snd_array_elem(&spec->paths, i);
++ snd_array_for_each(&spec->paths, i, path) {
+ if ((path->ctls[type] & AMP_VAL_COMPARE_MASK) == val)
+ return true;
+ }
+@@ -638,13 +638,13 @@ static bool is_active_nid(struct hda_codec *codec, hda_nid_t nid,
+ {
+ struct hda_gen_spec *spec = codec->spec;
+ int type = get_wcaps_type(get_wcaps(codec, nid));
++ const struct nid_path *path;
+ int i, n;
+
+ if (nid == codec->core.afg)
+ return true;
+
+- for (n = 0; n < spec->paths.used; n++) {
+- struct nid_path *path = snd_array_elem(&spec->paths, n);
++ snd_array_for_each(&spec->paths, n, path) {
+ if (!path->active)
+ continue;
+ if (codec->power_save_node) {
+@@ -2696,10 +2696,10 @@ static const struct snd_kcontrol_new out_jack_mode_enum = {
+ static bool find_kctl_name(struct hda_codec *codec, const char *name, int idx)
+ {
+ struct hda_gen_spec *spec = codec->spec;
++ const struct snd_kcontrol_new *kctl;
+ int i;
+
+- for (i = 0; i < spec->kctls.used; i++) {
+- struct snd_kcontrol_new *kctl = snd_array_elem(&spec->kctls, i);
++ snd_array_for_each(&spec->kctls, i, kctl) {
+ if (!strcmp(kctl->name, name) && kctl->index == idx)
+ return true;
+ }
+@@ -4021,8 +4021,7 @@ static hda_nid_t set_path_power(struct hda_codec *codec, hda_nid_t nid,
+ struct nid_path *path;
+ int n;
+
+- for (n = 0; n < spec->paths.used; n++) {
+- path = snd_array_elem(&spec->paths, n);
++ snd_array_for_each(&spec->paths, n, path) {
+ if (!path->depth)
+ continue;
+ if (path->path[0] == nid ||
+@@ -5831,10 +5830,10 @@ static void init_digital(struct hda_codec *codec)
+ */
+ static void clear_unsol_on_unused_pins(struct hda_codec *codec)
+ {
++ const struct hda_pincfg *pin;
+ int i;
+
+- for (i = 0; i < codec->init_pins.used; i++) {
+- struct hda_pincfg *pin = snd_array_elem(&codec->init_pins, i);
++ snd_array_for_each(&codec->init_pins, i, pin) {
+ hda_nid_t nid = pin->nid;
+ if (is_jack_detectable(codec, nid) &&
+ !snd_hda_jack_tbl_get(codec, nid))
+diff --git a/sound/pci/hda/hda_sysfs.c b/sound/pci/hda/hda_sysfs.c
+index 9b7efece4484..6ec79c58d48d 100644
+--- a/sound/pci/hda/hda_sysfs.c
++++ b/sound/pci/hda/hda_sysfs.c
+@@ -80,10 +80,10 @@ static ssize_t pin_configs_show(struct hda_codec *codec,
+ struct snd_array *list,
+ char *buf)
+ {
++ const struct hda_pincfg *pin;
+ int i, len = 0;
+ mutex_lock(&codec->user_mutex);
+- for (i = 0; i < list->used; i++) {
+- struct hda_pincfg *pin = snd_array_elem(list, i);
++ snd_array_for_each(list, i, pin) {
+ len += sprintf(buf + len, "0x%02x 0x%08x\n",
+ pin->nid, pin->cfg);
+ }
+@@ -217,10 +217,10 @@ static ssize_t init_verbs_show(struct device *dev,
+ char *buf)
+ {
+ struct hda_codec *codec = dev_get_drvdata(dev);
++ const struct hda_verb *v;
+ int i, len = 0;
+ mutex_lock(&codec->user_mutex);
+- for (i = 0; i < codec->init_verbs.used; i++) {
+- struct hda_verb *v = snd_array_elem(&codec->init_verbs, i);
++ snd_array_for_each(&codec->init_verbs, i, v) {
+ len += snprintf(buf + len, PAGE_SIZE - len,
+ "0x%02x 0x%03x 0x%04x\n",
+ v->nid, v->verb, v->param);
+@@ -267,10 +267,10 @@ static ssize_t hints_show(struct device *dev,
+ char *buf)
+ {
+ struct hda_codec *codec = dev_get_drvdata(dev);
++ const struct hda_hint *hint;
+ int i, len = 0;
+ mutex_lock(&codec->user_mutex);
+- for (i = 0; i < codec->hints.used; i++) {
+- struct hda_hint *hint = snd_array_elem(&codec->hints, i);
++ snd_array_for_each(&codec->hints, i, hint) {
+ len += snprintf(buf + len, PAGE_SIZE - len,
+ "%s = %s\n", hint->key, hint->val);
+ }
+@@ -280,10 +280,10 @@ static ssize_t hints_show(struct device *dev,
+
+ static struct hda_hint *get_hint(struct hda_codec *codec, const char *key)
+ {
++ struct hda_hint *hint;
+ int i;
+
+- for (i = 0; i < codec->hints.used; i++) {
+- struct hda_hint *hint = snd_array_elem(&codec->hints, i);
++ snd_array_for_each(&codec->hints, i, hint) {
+ if (!strcmp(hint->key, key))
+ return hint;
+ }
+@@ -783,13 +783,13 @@ void snd_hda_sysfs_init(struct hda_codec *codec)
+ void snd_hda_sysfs_clear(struct hda_codec *codec)
+ {
+ #ifdef CONFIG_SND_HDA_RECONFIG
++ struct hda_hint *hint;
+ int i;
+
+ /* clear init verbs */
+ snd_array_free(&codec->init_verbs);
+ /* clear hints */
+- for (i = 0; i < codec->hints.used; i++) {
+- struct hda_hint *hint = snd_array_elem(&codec->hints, i);
++ snd_array_for_each(&codec->hints, i, hint) {
+ kfree(hint->key); /* we don't need to free hint->val */
+ }
+ snd_array_free(&codec->hints);
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index 5b4dbcec6de8..093d2a9ece85 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -588,6 +588,7 @@ static void cxt_fixup_olpc_xo(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+ {
+ struct conexant_spec *spec = codec->spec;
++ struct snd_kcontrol_new *kctl;
+ int i;
+
+ if (action != HDA_FIXUP_ACT_PROBE)
+@@ -606,9 +607,7 @@ static void cxt_fixup_olpc_xo(struct hda_codec *codec,
+ snd_hda_codec_set_pin_target(codec, 0x1a, PIN_VREF50);
+
+ /* override mic boost control */
+- for (i = 0; i < spec->gen.kctls.used; i++) {
+- struct snd_kcontrol_new *kctl =
+- snd_array_elem(&spec->gen.kctls, i);
++ snd_array_for_each(&spec->gen.kctls, i, kctl) {
+ if (!strcmp(kctl->name, "Mic Boost Volume")) {
+ kctl->put = olpc_xo_mic_boost_put;
+ break;
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index aef1f52db7d9..7f2d5b157b75 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -2828,6 +2828,7 @@ static int find_ext_mic_pin(struct hda_codec *codec);
+
+ static void alc286_shutup(struct hda_codec *codec)
+ {
++ const struct hda_pincfg *pin;
+ int i;
+ int mic_pin = find_ext_mic_pin(codec);
+ /* don't shut up pins when unloading the driver; otherwise it breaks
+@@ -2835,8 +2836,7 @@ static void alc286_shutup(struct hda_codec *codec)
+ */
+ if (codec->bus->shutdown)
+ return;
+- for (i = 0; i < codec->init_pins.used; i++) {
+- struct hda_pincfg *pin = snd_array_elem(&codec->init_pins, i);
++ snd_array_for_each(&codec->init_pins, i, pin) {
+ /* use read here for syncing after issuing each verb */
+ if (pin->nid != mic_pin)
+ snd_hda_codec_read(codec, pin->nid, 0,
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-hda-realtek-Avoid-superfluous-COEF-EAPD-setups.patch b/patches.drivers/ALSA-hda-realtek-Avoid-superfluous-COEF-EAPD-setups.patch
new file mode 100644
index 0000000000..5644dd7536
--- /dev/null
+++ b/patches.drivers/ALSA-hda-realtek-Avoid-superfluous-COEF-EAPD-setups.patch
@@ -0,0 +1,143 @@
+From c9af753f26bdf80291eb2c2279b9de1989fbc591 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 10 May 2019 11:01:43 +0200
+Subject: [PATCH] ALSA: hda/realtek - Avoid superfluous COEF EAPD setups
+Git-commit: c9af753f26bdf80291eb2c2279b9de1989fbc591
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Realtek codec driver applied the COEF setups to change the EAPD
+control to the default mode (i.e. control by EPAD verbs) at the init
+callback. It works, but this is too excessive at the same time, since
+it's called at each runtime PM resume. That is, the initialization
+should be done only once after the probe. One may think that moving
+this to the probe should be OK, but no -- there is a catch; when a
+system resumes from S4 (hibernation), we need to re-initialize this
+again manually, because it's out of regcache restoration.
+
+This patch addresses the issue by introducing alc_pre_init() function
+that performs such a task. This is called from each codec probe
+function, and it's called from the resume callback conditionally only
+from S4 resume.
+
+Reported-and-tested-by: Kailang Yang <kailang@realtek.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/patch_realtek.c | 31 ++++++++++++++++++++++++++++++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -509,7 +509,6 @@ static void alc_eapd_shutup(struct hda_c
+ /* generic EAPD initialization */
+ static void alc_auto_init_amp(struct hda_codec *codec, int type)
+ {
+- alc_fill_eapd_coef(codec);
+ alc_auto_setup_eapd(codec, true);
+ alc_write_gpio(codec);
+ switch (type) {
+@@ -837,10 +836,22 @@ static int alc_build_controls(struct hda
+ * Common callbacks
+ */
+
++static void alc_pre_init(struct hda_codec *codec)
++{
++ alc_fill_eapd_coef(codec);
++}
++
++#define is_s4_resume(codec) \
++ ((codec)->core.dev.power.power_state.event == PM_EVENT_RESTORE)
++
+ static int alc_init(struct hda_codec *codec)
+ {
+ struct alc_spec *spec = codec->spec;
+
++ /* hibernation resume needs the full chip initialization */
++ if (is_s4_resume(codec))
++ alc_pre_init(codec);
++
+ if (spec->init_hook)
+ spec->init_hook(codec);
+
+@@ -1556,6 +1567,8 @@ static int patch_alc880(struct hda_codec
+
+ codec->patch_ops.unsol_event = alc880_unsol_event;
+
++ alc_pre_init(codec);
++
+ snd_hda_pick_fixup(codec, alc880_fixup_models, alc880_fixup_tbl,
+ alc880_fixups);
+ snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_PRE_PROBE);
+@@ -1804,6 +1817,8 @@ static int patch_alc260(struct hda_codec
+
+ spec->shutup = alc_eapd_shutup;
+
++ alc_pre_init(codec);
++
+ snd_hda_pick_fixup(codec, alc260_fixup_models, alc260_fixup_tbl,
+ alc260_fixups);
+ snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_PRE_PROBE);
+@@ -2512,6 +2527,8 @@ static int patch_alc882(struct hda_codec
+ break;
+ }
+
++ alc_pre_init(codec);
++
+ snd_hda_pick_fixup(codec, alc882_fixup_models, alc882_fixup_tbl,
+ alc882_fixups);
+ snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_PRE_PROBE);
+@@ -2675,6 +2692,8 @@ static int patch_alc262(struct hda_codec
+ #endif
+ alc_fix_pll_init(codec, 0x20, 0x0a, 10);
+
++ alc_pre_init(codec);
++
+ snd_hda_pick_fixup(codec, alc262_fixup_models, alc262_fixup_tbl,
+ alc262_fixups);
+ snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_PRE_PROBE);
+@@ -2816,6 +2835,8 @@ static int patch_alc268(struct hda_codec
+
+ spec->shutup = alc_eapd_shutup;
+
++ alc_pre_init(codec);
++
+ snd_hda_pick_fixup(codec, alc268_fixup_models, alc268_fixup_tbl, alc268_fixups);
+ snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_PRE_PROBE);
+
+@@ -7518,6 +7539,8 @@ static int patch_alc269(struct hda_codec
+ spec->shutup = alc_default_shutup;
+ spec->init_hook = alc_default_init;
+
++ alc_pre_init(codec);
++
+ snd_hda_pick_fixup(codec, alc269_fixup_models,
+ alc269_fixup_tbl, alc269_fixups);
+ snd_hda_pick_pin_fixup(codec, alc269_pin_fixup_tbl, alc269_fixups);
+@@ -7782,6 +7805,8 @@ static int patch_alc861(struct hda_codec
+ spec->power_hook = alc_power_eapd;
+ #endif
+
++ alc_pre_init(codec);
++
+ snd_hda_pick_fixup(codec, NULL, alc861_fixup_tbl, alc861_fixups);
+ snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_PRE_PROBE);
+
+@@ -7871,6 +7896,8 @@ static int patch_alc861vd(struct hda_cod
+
+ spec->shutup = alc_eapd_shutup;
+
++ alc_pre_init(codec);
++
+ snd_hda_pick_fixup(codec, NULL, alc861vd_fixup_tbl, alc861vd_fixups);
+ snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_PRE_PROBE);
+
+@@ -8592,6 +8619,8 @@ static int patch_alc662(struct hda_codec
+ break;
+ }
+
++ alc_pre_init(codec);
++
+ snd_hda_pick_fixup(codec, alc662_fixup_models,
+ alc662_fixup_tbl, alc662_fixups);
+ snd_hda_pick_pin_fixup(codec, alc662_pin_fixup_tbl, alc662_fixups);
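Review bot: Removing `alc_fill_eapd_coef(codec)` from `alc_auto_init_amp()` means every probe path must now call `alc_pre_init()` itself, and the embedded patch adds that call to nine `patch_alc*` functions only. A Realtek probe function not touched here would silently lose the COEF EAPD setup; none is visible in this hunk, so this needs checking against the full file. A short comment above `alc_pre_init()` would make the contract explicit, e.g. `/* one-time chip setup: call from every patch_alc*() probe and again on S4 resume */`. Separately, `is_s4_resume` could be written as `static inline bool is_s4_resume(struct hda_codec *codec)` rather than a function-like macro, so the argument is type-checked. The probe functions' bodies start and end outside the embedded hunks.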
diff --git a/patches.drivers/ALSA-hda-realtek-Corrected-fixup-for-System76-Gazell.patch b/patches.drivers/ALSA-hda-realtek-Corrected-fixup-for-System76-Gazell.patch
new file mode 100644
index 0000000000..1814966393
--- /dev/null
+++ b/patches.drivers/ALSA-hda-realtek-Corrected-fixup-for-System76-Gazell.patch
@@ -0,0 +1,43 @@
+From 891afcf2462d2cc4ef7caf94215358ca61fa32cb Mon Sep 17 00:00:00 2001
+From: Jeremy Soller <jeremy@system76.com>
+Date: Fri, 10 May 2019 10:15:07 -0400
+Subject: [PATCH] ALSA: hda/realtek - Corrected fixup for System76 Gazelle (gaze14)
+Git-commit: 891afcf2462d2cc4ef7caf94215358ca61fa32cb
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+A mistake was made in the identification of the four variants of the
+System76 Gazelle (gaze14). This patch corrects the PCI ID of the
+17-inch, GTX 1660 Ti variant from 0x8560 to 0x8551. This patch also
+adds the correct fixups for the 15-inch and 17-inch GTX 1650 variants
+with PCI IDs 0x8560 and 0x8561.
+
+Tests were done on all four variants ensuring full audio capability.
+
+Fixes: 80a5052db751 ("ALSA: hdea/realtek - Headset fixup for System76 Gazelle (gaze14)")
+Signed-off-by: Jeremy Soller <jeremy@system76.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/patch_realtek.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 2a50e580aa56..3511ea91eae8 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6997,7 +6997,9 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1462, 0xb171, "Cubi N 8GL (MS-B171)", ALC283_FIXUP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1558, 0x1325, "System76 Darter Pro (darp5)", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x8550, "System76 Gazelle (gaze14)", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+- SND_PCI_QUIRK(0x1558, 0x8560, "System76 Gazelle (gaze14)", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0x1558, 0x8551, "System76 Gazelle (gaze14)", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0x1558, 0x8560, "System76 Gazelle (gaze14)", ALC269_FIXUP_HEADSET_MIC),
++ SND_PCI_QUIRK(0x1558, 0x8561, "System76 Gazelle (gaze14)", ALC269_FIXUP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x17aa, 0x1036, "Lenovo P520", ALC233_FIXUP_LENOVO_MULTI_CODECS),
+ SND_PCI_QUIRK(0x17aa, 0x20f2, "Thinkpad SL410/510", ALC269_FIXUP_SKU_IGNORE),
+ SND_PCI_QUIRK(0x17aa, 0x215e, "Thinkpad L512", ALC269_FIXUP_SKU_IGNORE),
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-hda-realtek-Fix-for-Lenovo-B50-70-inverted-inte.patch b/patches.drivers/ALSA-hda-realtek-Fix-for-Lenovo-B50-70-inverted-inte.patch
new file mode 100644
index 0000000000..8d98d5c0bb
--- /dev/null
+++ b/patches.drivers/ALSA-hda-realtek-Fix-for-Lenovo-B50-70-inverted-inte.patch
@@ -0,0 +1,44 @@
+From 56df90b631fc027fe28b70d41352d820797239bb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Wadowski?= <wadosm@gmail.com>
+Date: Tue, 14 May 2019 16:58:00 +0200
+Subject: [PATCH] ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 56df90b631fc027fe28b70d41352d820797239bb
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Add patch for realtek codec in Lenovo B50-70 that fixes inverted
+internal microphone channel.
+Device IdeaPad Y410P has the same PCI SSID as Lenovo B50-70,
+but first one is about fix the noise and it didn't seem help in a
+later kernel version.
+So I replaced IdeaPad Y410P device description with B50-70 and apply
+inverted microphone fix.
+
+Bugzilla: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1524215
+Signed-off-by: Michał Wadowski <wadosm@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 3511ea91eae8..f83f21d64dd4 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -7042,7 +7042,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x313c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+ SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
+- SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP),
++ SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ SND_PCI_QUIRK(0x17aa, 0x5013, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x17aa, 0x501a, "Thinkpad", ALC283_FIXUP_INT_MIC),
+ SND_PCI_QUIRK(0x17aa, 0x501e, "Thinkpad L440", ALC292_FIXUP_TPT440_DOCK),
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-hda-realtek-Fixup-headphone-noise-via-runtime-s.patch b/patches.drivers/ALSA-hda-realtek-Fixup-headphone-noise-via-runtime-s.patch
new file mode 100644
index 0000000000..8bb6f289b5
--- /dev/null
+++ b/patches.drivers/ALSA-hda-realtek-Fixup-headphone-noise-via-runtime-s.patch
@@ -0,0 +1,113 @@
+From dad3197da7a3817f27bb24f7fd3c135ffa707202 Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Fri, 10 May 2019 16:28:57 +0800
+Subject: [PATCH] ALSA: hda/realtek - Fixup headphone noise via runtime suspend
+Git-commit: dad3197da7a3817f27bb24f7fd3c135ffa707202
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Dell platform with ALC298.
+system enter to runtime suspend. Headphone had noise.
+Let Headset Mic not shutup will solve this issue.
+
+[ Fixed minor coding style issues by tiwai ]
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/patch_realtek.c | 59 +++++++++++++++++++++++++------------------
+ 1 file changed, 35 insertions(+), 24 deletions(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index c53ca589c930..c39f48e02ee9 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -478,12 +478,45 @@ static void alc_auto_setup_eapd(struct hda_codec *codec, bool on)
+ set_eapd(codec, *p, on);
+ }
+
++static int find_ext_mic_pin(struct hda_codec *codec);
++
++static void alc_headset_mic_no_shutup(struct hda_codec *codec)
++{
++ const struct hda_pincfg *pin;
++ int mic_pin = find_ext_mic_pin(codec);
++ int i;
++
++ /* don't shut up pins when unloading the driver; otherwise it breaks
++ * the default pin setup at the next load of the driver
++ */
++ if (codec->bus->shutdown)
++ return;
++
++ snd_array_for_each(&codec->init_pins, i, pin) {
++ /* use read here for syncing after issuing each verb */
++ if (pin->nid != mic_pin)
++ snd_hda_codec_read(codec, pin->nid, 0,
++ AC_VERB_SET_PIN_WIDGET_CONTROL, 0);
++ }
++
++ codec->pins_shutup = 1;
++}
++
+ static void alc_shutup_pins(struct hda_codec *codec)
+ {
+ struct alc_spec *spec = codec->spec;
+
+- if (!spec->no_shutup_pins)
+- snd_hda_shutup_pins(codec);
++ switch (codec->core.vendor_id) {
++ case 0x10ec0286:
++ case 0x10ec0288:
++ case 0x10ec0298:
++ alc_headset_mic_no_shutup(codec);
++ break;
++ default:
++ if (!spec->no_shutup_pins)
++ snd_hda_shutup_pins(codec);
++ break;
++ }
+ }
+
+ /* generic shutup callback;
+@@ -2924,27 +2957,6 @@ static int alc269_parse_auto_config(struct hda_codec *codec)
+ return alc_parse_auto_config(codec, alc269_ignore, ssids);
+ }
+
+-static int find_ext_mic_pin(struct hda_codec *codec);
+-
+-static void alc286_shutup(struct hda_codec *codec)
+-{
+- const struct hda_pincfg *pin;
+- int i;
+- int mic_pin = find_ext_mic_pin(codec);
+- /* don't shut up pins when unloading the driver; otherwise it breaks
+- * the default pin setup at the next load of the driver
+- */
+- if (codec->bus->shutdown)
+- return;
+- snd_array_for_each(&codec->init_pins, i, pin) {
+- /* use read here for syncing after issuing each verb */
+- if (pin->nid != mic_pin)
+- snd_hda_codec_read(codec, pin->nid, 0,
+- AC_VERB_SET_PIN_WIDGET_CONTROL, 0);
+- }
+- codec->pins_shutup = 1;
+-}
+-
+ static void alc269vb_toggle_power_output(struct hda_codec *codec, int power_up)
+ {
+ alc_update_coef_idx(codec, 0x04, 1 << 11, power_up ? (1 << 11) : 0);
+@@ -7736,7 +7748,6 @@ static int patch_alc269(struct hda_codec *codec)
+ case 0x10ec0286:
+ case 0x10ec0288:
+ spec->codec_variant = ALC269_TYPE_ALC286;
+- spec->shutup = alc286_shutup;
+ break;
+ case 0x10ec0298:
+ spec->codec_variant = ALC269_TYPE_ALC298;
+--
+2.16.4
+
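Review bot: In the rewritten `alc_shutup_pins()`, the `0x10ec0286`/`0x10ec0288`/`0x10ec0298` cases call `alc_headset_mic_no_shutup()` without consulting `spec->no_shutup_pins`; only the `default:` branch still tests that flag. The removed lines show a dedicated `alc286_shutup` callback for 0286/0288 but none for `0x10ec0298`, so that codec presumably went through the flag test before. A fixup that sets `no_shutup_pins` on such a machine would now have its pins shut up anyway; whether such a fixup exists is not visible here. If the flag is meant to keep working, guard the call: `if (!spec->no_shutup_pins) alc_headset_mic_no_shutup(codec);`.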
diff --git a/patches.drivers/HID-input-add-mapping-for-Expose-Overview-key.patch b/patches.drivers/HID-input-add-mapping-for-Expose-Overview-key.patch
new file mode 100644
index 0000000000..f7893ce1ca
--- /dev/null
+++ b/patches.drivers/HID-input-add-mapping-for-Expose-Overview-key.patch
@@ -0,0 +1,39 @@
+From 96dd86871e1fffbc39e4fa61c9c75ec54ee9af0f Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 18 Jan 2019 13:59:08 -0800
+Subject: [PATCH] HID: input: add mapping for Expose/Overview key
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 96dd86871e1fffbc39e4fa61c9c75ec54ee9af0f
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+According to HUTRR77 usage 0x29f from the consumer page is reserved for
+the Desktop application to present all running user’s application windows.
+Linux defines KEY_SCALE to request Compiz Scale (Expose) mode, so let's
+add the mapping.
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hid/hid-input.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index def58c6aa835..5f800e7b04f2 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -1030,6 +1030,8 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
+ case 0x2cb: map_key_clear(KEY_KBDINPUTASSIST_ACCEPT); break;
+ case 0x2cc: map_key_clear(KEY_KBDINPUTASSIST_CANCEL); break;
+
++ case 0x29f: map_key_clear(KEY_SCALE); break;
++
+ default: map_key_clear(KEY_UNKNOWN);
+ }
+ break;
+--
+2.16.4
+
diff --git a/patches.drivers/HID-input-add-mapping-for-Toggle-Display-key.patch b/patches.drivers/HID-input-add-mapping-for-Toggle-Display-key.patch
new file mode 100644
index 0000000000..106c5c7a36
--- /dev/null
+++ b/patches.drivers/HID-input-add-mapping-for-Toggle-Display-key.patch
@@ -0,0 +1,41 @@
+From c01908a14bf735b871170092807c618bb9dae654 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 18 Jan 2019 14:35:45 -0800
+Subject: [PATCH] HID: input: add mapping for "Toggle Display" key
+Git-commit: c01908a14bf735b871170092807c618bb9dae654
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+According to HUT 1.12 usage 0xb5 from the generic desktop page is reserved
+for switching between external and internal display, so let's add the
+mapping.
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hid/hid-input.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index ecb1b6f26853..da76358cde06 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -677,6 +677,14 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
+ break;
+ }
+
++ if ((usage->hid & 0xf0) == 0xb0) { /* SC - Display */
++ switch (usage->hid & 0xf) {
++ case 0x05: map_key_clear(KEY_SWITCHVIDEOMODE); break;
++ default: goto ignore;
++ }
++ break;
++ }
++
+ /*
+ * Some lazy vendors declare 255 usages for System Control,
+ * leading to the creation of ABS_X|Y axis and too many others.
+--
+2.16.4
+
diff --git a/patches.drivers/HID-input-add-mapping-for-keyboard-Brightness-Up-Dow.patch b/patches.drivers/HID-input-add-mapping-for-keyboard-Brightness-Up-Dow.patch
new file mode 100644
index 0000000000..4c91542c96
--- /dev/null
+++ b/patches.drivers/HID-input-add-mapping-for-keyboard-Brightness-Up-Dow.patch
@@ -0,0 +1,36 @@
+From 7975a1d6a7afeb3eb61c971a153d24dd8fa032f3 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 18 Jan 2019 14:05:52 -0800
+Subject: [PATCH] HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys
+Git-commit: 7975a1d6a7afeb3eb61c971a153d24dd8fa032f3
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+According to HUTRR73 usages 0x79, 0x7a and 0x7c from the consumer page
+correspond to Brightness Up/Down/Toggle keys, so let's add the mappings.
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hid/hid-input.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index 5f800e7b04f2..cebe8a8cce2e 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -900,6 +900,10 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
+ case 0x074: map_key_clear(KEY_BRIGHTNESS_MAX); break;
+ case 0x075: map_key_clear(KEY_BRIGHTNESS_AUTO); break;
+
++ case 0x079: map_key_clear(KEY_KBDILLUMUP); break;
++ case 0x07a: map_key_clear(KEY_KBDILLUMDOWN); break;
++ case 0x07c: map_key_clear(KEY_KBDILLUMTOGGLE); break;
++
+ case 0x082: map_key_clear(KEY_VIDEO_NEXT); break;
+ case 0x083: map_key_clear(KEY_LAST); break;
+ case 0x084: map_key_clear(KEY_ENTER); break;
+--
+2.16.4
+
diff --git a/patches.drivers/Input-elan_i2c-add-hardware-ID-for-multiple-Lenovo-l.patch b/patches.drivers/Input-elan_i2c-add-hardware-ID-for-multiple-Lenovo-l.patch
new file mode 100644
index 0000000000..daab894a07
--- /dev/null
+++ b/patches.drivers/Input-elan_i2c-add-hardware-ID-for-multiple-Lenovo-l.patch
@@ -0,0 +1,70 @@
+From 738c06d0e4562e0acf9f2c7438a22b2d5afc67aa Mon Sep 17 00:00:00 2001
+From: KT Liao <kt.liao@emc.com.tw>
+Date: Tue, 26 Mar 2019 17:28:32 -0700
+Subject: [PATCH] Input: elan_i2c - add hardware ID for multiple Lenovo laptops
+Git-commit: 738c06d0e4562e0acf9f2c7438a22b2d5afc67aa
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+There are many Lenovo laptops which need elan_i2c support, this patch adds
+relevant IDs to the Elan driver so that touchpads are recognized.
+
+Signed-off-by: KT Liao <kt.liao@emc.com.tw>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1225,22 +1225,47 @@ static const struct acpi_device_id elan_
+ { "ELAN0600", 0 },
+ { "ELAN0601", 0 },
+ { "ELAN0602", 0 },
++ { "ELAN0603", 0 },
++ { "ELAN0604", 0 },
+ { "ELAN0605", 0 },
++ { "ELAN0606", 0 },
++ { "ELAN0607", 0 },
+ { "ELAN0608", 0 },
+ { "ELAN0605", 0 },
+ { "ELAN0609", 0 },
+ { "ELAN060B", 0 },
+ { "ELAN060C", 0 },
++ { "ELAN060F", 0 },
++ { "ELAN0610", 0 },
+ { "ELAN0611", 0 },
+ { "ELAN0612", 0 },
++ { "ELAN0615", 0 },
++ { "ELAN0616", 0 },
+ { "ELAN0617", 0 },
+ { "ELAN0618", 0 },
++ { "ELAN0619", 0 },
++ { "ELAN061A", 0 },
++ { "ELAN061B", 0 },
+ { "ELAN061C", 0 },
+ { "ELAN061D", 0 },
+ { "ELAN061E", 0 },
++ { "ELAN061F", 0 },
+ { "ELAN0620", 0 },
+ { "ELAN0621", 0 },
+ { "ELAN0622", 0 },
++ { "ELAN0623", 0 },
++ { "ELAN0624", 0 },
++ { "ELAN0625", 0 },
++ { "ELAN0626", 0 },
++ { "ELAN0627", 0 },
++ { "ELAN0628", 0 },
++ { "ELAN0629", 0 },
++ { "ELAN062A", 0 },
++ { "ELAN062B", 0 },
++ { "ELAN062C", 0 },
++ { "ELAN062D", 0 },
++ { "ELAN0631", 0 },
++ { "ELAN0632", 0 },
+ { "ELAN1000", 0 },
+ { }
+ };
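Review bot: The ACPI ID table on the new side lists `{ "ELAN0605", 0 }` twice, once after the added `ELAN0604` and again after `ELAN0608`. The second occurrence is an unchanged context line and presumably harmless for matching, but this change rewrites the surrounding block and is the natural place to drop it. The added entries are otherwise in ascending order, so removing the stray `{ "ELAN0605", 0 },` after `ELAN0608` leaves the table sorted and free of duplicates. The start of the table is outside the hunk.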
diff --git a/patches.drivers/Input-synaptics-rmi4-fix-possible-double-free.patch b/patches.drivers/Input-synaptics-rmi4-fix-possible-double-free.patch
new file mode 100644
index 0000000000..53b55e4051
--- /dev/null
+++ b/patches.drivers/Input-synaptics-rmi4-fix-possible-double-free.patch
@@ -0,0 +1,47 @@
+From bce1a78423961fce676ac65540a31b6ffd179e6d Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Fri, 19 Apr 2019 07:39:00 +0000
+Subject: [PATCH] Input: synaptics-rmi4 - fix possible double free
+Git-commit: bce1a78423961fce676ac65540a31b6ffd179e6d
+Patch-mainline: v5.1-rc7
+References: bsc#1051510
+
+The RMI4 function structure has been released in rmi_register_function
+if error occurs. However, it will be released again in the function
+rmi_create_function, which may result in a double-free bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/input/rmi4/rmi_driver.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c
+index fc3ab93b7aea..7fb358f96195 100644
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -860,7 +860,7 @@ static int rmi_create_function(struct rmi_device *rmi_dev,
+
+ error = rmi_register_function(fn);
+ if (error)
+- goto err_put_fn;
++ return error;
+
+ if (pdt->function_number == 0x01)
+ data->f01_container = fn;
+@@ -870,10 +870,6 @@ static int rmi_create_function(struct rmi_device *rmi_dev,
+ list_add_tail(&fn->node, &data->function_list);
+
+ return RMI_SCAN_CONTINUE;
+-
+-err_put_fn:
+- put_device(&fn->dev);
+- return error;
+ }
+
+ void rmi_enable_irq(struct rmi_device *rmi_dev, bool clear_wake)
+--
+2.16.4
+
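Review bot: The new `return error;` after a failed `rmi_register_function(fn)` is only correct because, per the commit description, `rmi_register_function()` already releases the structure on failure; nothing at the call site records that ownership rule. A comment on that line would keep a later cleanup from re-adding the `put_device()` and reintroducing the double free, e.g. `/* rmi_register_function() releases fn on failure; do not put_device() here */`. `rmi_register_function()` itself is not shown, so the release-on-failure behaviour should be confirmed there. The rest of `rmi_create_function()` lies outside the hunk.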
diff --git a/patches.drivers/PCI-Mark-AMD-Stoney-Radeon-R7-GPU-ATS-as-broken.patch b/patches.drivers/PCI-Mark-AMD-Stoney-Radeon-R7-GPU-ATS-as-broken.patch
new file mode 100644
index 0000000000..1cf26f86de
--- /dev/null
+++ b/patches.drivers/PCI-Mark-AMD-Stoney-Radeon-R7-GPU-ATS-as-broken.patch
@@ -0,0 +1,43 @@
+From d28ca864c493637f3c957f4ed9348a94fca6de60 Mon Sep 17 00:00:00 2001
+From: Nikolai Kostrigin <nickel@altlinux.org>
+Date: Mon, 8 Apr 2019 13:37:25 +0300
+Subject: [PATCH] PCI: Mark AMD Stoney Radeon R7 GPU ATS as broken
+Git-commit: d28ca864c493637f3c957f4ed9348a94fca6de60
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+ATS is broken on the Radeon R7 GPU (at least for Stoney Ridge based laptop)
+and causes IOMMU stalls and system failure. Disable ATS on these devices
+to make them usable again with IOMMU enabled.
+
+Thanks to Joerg Roedel <jroedel@suse.de> for help.
+
+[bhelgaas: In the email thread mentioned below, Alex suspects the real
+problem is in sbios or iommu, so it may affect only certain systems, and it
+may affect other devices in those systems as well. However, per Joerg we
+lack the ability to debug further, so this quirk is the best we can do for
+now.]
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=194521
+Link: https://lore.kernel.org/lkml/20190408103725.30426-1-nickel@altlinux.org
+Fixes: 9b44b0b09dec ("PCI: Mark AMD Stoney GPU ATS as broken")
+Signed-off-by: Nikolai Kostrigin <nickel@altlinux.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+Cc: stable@vger.kernel.org
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/pci/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4983,6 +4983,7 @@ static void quirk_no_ats(struct pci_dev
+
+ /* AMD Stoney platform GPU */
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x98e4, quirk_no_ats);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x6900, quirk_no_ats);
+ #endif /* CONFIG_PCI_ATS */
+
+ static void quirk_no_ext_tags(struct pci_dev *pdev)
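Review bot: The added `DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x6900, quirk_no_ats);` sits under the existing `/* AMD Stoney platform GPU */` comment, with nothing identifying device `0x6900` or why ATS is disabled for it. The commit description notes that the fault may lie in the system BIOS or IOMMU and affect only some systems, yet the quirk turns ATS off for every device with this ID. A comment recording that would help whoever revisits the entry, e.g. `/* Radeon R7 on Stoney Ridge: ATS causes IOMMU stalls; root cause unconfirmed */`.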
diff --git a/patches.drivers/PCI-Mark-Atheros-AR9462-to-avoid-bus-reset.patch b/patches.drivers/PCI-Mark-Atheros-AR9462-to-avoid-bus-reset.patch
new file mode 100644
index 0000000000..39d5025202
--- /dev/null
+++ b/patches.drivers/PCI-Mark-Atheros-AR9462-to-avoid-bus-reset.patch
@@ -0,0 +1,38 @@
+From 6afb7e26978da5e86e57e540fdce65c8b04f398a Mon Sep 17 00:00:00 2001
+From: James Prestwood <james.prestwood@linux.intel.com>
+Date: Mon, 7 Jan 2019 13:32:48 -0800
+Subject: [PATCH] PCI: Mark Atheros AR9462 to avoid bus reset
+Git-commit: 6afb7e26978da5e86e57e540fdce65c8b04f398a
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+When using PCI passthrough with this device, the host machine locks up
+completely when starting the VM, requiring a hard reboot. Add a quirk to
+avoid bus resets on this device.
+
+Fixes: c3e59ee4e766 ("PCI: Mark Atheros AR93xx to avoid bus reset")
+Link: https://lore.kernel.org/linux-pci/20190107213248.3034-1-james.prestwood@linux.intel.com
+Signed-off-by: James Prestwood <james.prestwood@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # v3.14+
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/pci/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index 68bee35fcafa..9b9e28854a58 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -3408,6 +3408,7 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0030, quirk_no_bus_reset);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0032, quirk_no_bus_reset);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003c, quirk_no_bus_reset);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0033, quirk_no_bus_reset);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0034, quirk_no_bus_reset);
+
+ /*
+ * Root port on some Cavium CN8xxx chips do not successfully complete a bus
+--
+2.16.4
+
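Review bot: The new `0x0034` line for `quirk_no_bus_reset` carries no comment naming the device or the reason, although the commit description gives both: the AR9462 locks up the host when reset during PCI passthrough. With bus reset ruled out, passthrough setups depend on some other reset method to clear device state between assignments; whether the AR9462 offers one is not visible here. A note next to the entry would record this, e.g. `/* AR9462: bus reset hangs the host under passthrough */`.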
diff --git a/patches.drivers/backlight-lm3630a-Return-0-on-success-in-update_stat.patch b/patches.drivers/backlight-lm3630a-Return-0-on-success-in-update_stat.patch
new file mode 100644
index 0000000000..9ad535a87b
--- /dev/null
+++ b/patches.drivers/backlight-lm3630a-Return-0-on-success-in-update_stat.patch
@@ -0,0 +1,50 @@
+From d3f48ec0954c6aac736ab21c34a35d7554409112 Mon Sep 17 00:00:00 2001
+From: Brian Masney <masneyb@onstation.org>
+Date: Wed, 24 Apr 2019 05:25:03 -0400
+Subject: [PATCH] backlight: lm3630a: Return 0 on success in update_status functions
+Git-commit: d3f48ec0954c6aac736ab21c34a35d7554409112
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+lm3630a_bank_a_update_status() and lm3630a_bank_b_update_status()
+both return the brightness value if the brightness was successfully
+updated. Writing to these attributes via sysfs would cause a 'Bad
+address' error to be returned. These functions should return 0 on
+success, so let's change it to correct that error.
+
+Fixes: 28e64a68a2ef ("backlight: lm3630: apply chip revision")
+Signed-off-by: Brian Masney <masneyb@onstation.org>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/video/backlight/lm3630a_bl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/backlight/lm3630a_bl.c b/drivers/video/backlight/lm3630a_bl.c
+index 2030a6b77a09..ef2553f452ca 100644
+--- a/drivers/video/backlight/lm3630a_bl.c
++++ b/drivers/video/backlight/lm3630a_bl.c
+@@ -201,7 +201,7 @@ static int lm3630a_bank_a_update_status(struct backlight_device *bl)
+ LM3630A_LEDA_ENABLE, LM3630A_LEDA_ENABLE);
+ if (ret < 0)
+ goto out_i2c_err;
+- return bl->props.brightness;
++ return 0;
+
+ out_i2c_err:
+ dev_err(pchip->dev, "i2c failed to access\n");
+@@ -278,7 +278,7 @@ static int lm3630a_bank_b_update_status(struct backlight_device *bl)
+ LM3630A_LEDB_ENABLE, LM3630A_LEDB_ENABLE);
+ if (ret < 0)
+ goto out_i2c_err;
+- return bl->props.brightness;
++ return 0;
+
+ out_i2c_err:
+ dev_err(pchip->dev, "i2c failed to access REG_CTRL\n");
+--
+2.16.4
+
diff --git a/patches.drivers/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch b/patches.drivers/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch
new file mode 100644
index 0000000000..94befeb519
--- /dev/null
+++ b/patches.drivers/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch
@@ -0,0 +1,35 @@
+From 62039b6aef63380ba7a37c113bbaeee8a55c5342 Mon Sep 17 00:00:00 2001
+From: Sven Van Asbroeck <thesven73@gmail.com>
+Date: Sun, 10 Mar 2019 14:58:24 -0400
+Subject: [PATCH] iio: adc: xilinx: fix potential use-after-free on remove
+Git-commit: 62039b6aef63380ba7a37c113bbaeee8a55c5342
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+When cancel_delayed_work() returns, the delayed work may still
+be running. This means that the core could potentially free
+the private structure (struct xadc) while the delayed work
+is still using it. This is a potential use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which waits for
+any residual work to finish before returning.
+
+Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/iio/adc/xilinx-xadc-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/xilinx-xadc-core.c
++++ b/drivers/iio/adc/xilinx-xadc-core.c
+@@ -1299,7 +1299,7 @@ static int xadc_remove(struct platform_d
+ }
+ free_irq(irq, indio_dev);
+ clk_disable_unprepare(xadc->clk);
+- cancel_delayed_work(&xadc->zynq_unmask_work);
++ cancel_delayed_work_sync(&xadc->zynq_unmask_work);
+ kfree(xadc->data);
+ kfree(indio_dev->channels);
+
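Review bot: `cancel_delayed_work_sync()` sits after both `free_irq()` and `clk_disable_unprepare()` in xadc_remove(), so a pending run of zynq_unmask_work can presumably still execute once the clock is already off. If that work touches device registers (its body is not in the hunk), the cancel should move up to directly after `free_irq(irq, indio_dev);` and before `clk_disable_unprepare(xadc->clk);`. Keeping it after `free_irq()` is right if the interrupt handler is what schedules the work, since nothing can then re-queue it. xadc_remove() starts and ends outside the hunk.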
diff --git a/patches.drivers/ipmi-ssif-compare-block-number-correctly-for-multi-p.patch b/patches.drivers/ipmi-ssif-compare-block-number-correctly-for-multi-p.patch
index 60159f93ca..db21f5422c 100644
--- a/patches.drivers/ipmi-ssif-compare-block-number-correctly-for-multi-p.patch
+++ b/patches.drivers/ipmi-ssif-compare-block-number-correctly-for-multi-p.patch
@@ -4,7 +4,7 @@ Date: Wed, 24 Apr 2019 11:50:43 +0000
Subject: [PATCH] ipmi:ssif: compare block number correctly for multi-part return messages
Git-commit: 55be8658c7e2feb11a5b5b33ee031791dbd23a69
Patch-mainline: v5.2-rc1
-References: bsc#1051510
+References: bsc#1051510, bsc#1135120
According to ipmi spec, block number is a number that is incremented,
starting with 0, for each new block of message data returned using the
diff --git a/patches.drivers/iw_cxgb4-only-allow-1-flush-on-user-qps.patch b/patches.drivers/iw_cxgb4-only-allow-1-flush-on-user-qps.patch
new file mode 100644
index 0000000000..615a0f40a3
--- /dev/null
+++ b/patches.drivers/iw_cxgb4-only-allow-1-flush-on-user-qps.patch
@@ -0,0 +1,60 @@
+From 308aa2b8f7b7db3332a7d41099fd37851fb793b2 Mon Sep 17 00:00:00 2001
+From: Steve Wise <swise@opengridcomputing.com>
+Date: Fri, 31 Aug 2018 07:15:56 -0700
+Subject: [PATCH] iw_cxgb4: only allow 1 flush on user qps
+Git-commit: 308aa2b8f7b7db3332a7d41099fd37851fb793b2
+Patch-mainline: v4.19-rc4
+References: bsc#1051510
+
+Once the qp has been flushed, it cannot be flushed again. The user qp
+flush logic wasn't enforcing it however. The bug can cause
+touch-after-free crashes like:
+
+Unable to handle kernel paging request for data at address 0x000001ec
+Faulting instruction address: 0xc008000016069100
+Oops: Kernel access of bad area, sig: 11 [#1]
+...
+NIP [c008000016069100] flush_qp+0x80/0x480 [iw_cxgb4]
+LR [c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
+Call Trace:
+[c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
+[c00800001606e868] c4iw_ib_modify_qp+0x118/0x200 [iw_cxgb4]
+[c0080000119eae80] ib_security_modify_qp+0xd0/0x3d0 [ib_core]
+[c0080000119c4e24] ib_modify_qp+0xc4/0x2c0 [ib_core]
+[c008000011df0284] iwcm_modify_qp_err+0x44/0x70 [iw_cm]
+[c008000011df0fec] destroy_cm_id+0xcc/0x370 [iw_cm]
+[c008000011ed4358] rdma_destroy_id+0x3c8/0x520 [rdma_cm]
+[c0080000134b0540] ucma_close+0x90/0x1b0 [rdma_ucm]
+[c000000000444da4] __fput+0xe4/0x2f0
+
+So fix flush_qp() to only flush the wq once.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/infiniband/hw/cxgb4/qp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c
+index b3203afa3b1d..347fe18b1a41 100644
+--- a/drivers/infiniband/hw/cxgb4/qp.c
++++ b/drivers/infiniband/hw/cxgb4/qp.c
+@@ -1685,6 +1685,12 @@ static void flush_qp(struct c4iw_qp *qhp)
+ schp = to_c4iw_cq(qhp->ibqp.send_cq);
+
+ if (qhp->ibqp.uobject) {
++
++ /* for user qps, qhp->wq.flushed is protected by qhp->mutex */
++ if (qhp->wq.flushed)
++ return;
++
++ qhp->wq.flushed = 1;
+ t4_set_wq_in_error(&qhp->wq, 0);
+ t4_set_cq_in_error(&rchp->cq);
+ spin_lock_irqsave(&rchp->comp_handler_lock, flag);
+--
+2.16.4
+
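Review bot: The new early return in flush_qp() is only safe if every caller holds qhp->mutex, which the added comment states but nothing in the code checks. Adding `lockdep_assert_held(&qhp->mutex);` at the top of the `if (qhp->ibqp.uobject)` branch would let a debug kernel verify that assumption. The blank line directly after the opening brace goes against kernel coding style and can be dropped. flush_qp() continues outside the hunk, so whether the kernel-QP path has an equivalent single-flush guard cannot be judged from here.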
diff --git a/patches.drivers/leds-pwm-silently-error-out-on-EPROBE_DEFER.patch b/patches.drivers/leds-pwm-silently-error-out-on-EPROBE_DEFER.patch
new file mode 100644
index 0000000000..f690b8f16b
--- /dev/null
+++ b/patches.drivers/leds-pwm-silently-error-out-on-EPROBE_DEFER.patch
@@ -0,0 +1,38 @@
+From 9aec30371fb095a0c9415f3f0146ae269c3713d8 Mon Sep 17 00:00:00 2001
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Thu, 6 Sep 2018 15:59:04 +0200
+Subject: [PATCH] leds: pwm: silently error out on EPROBE_DEFER
+Git-commit: 9aec30371fb095a0c9415f3f0146ae269c3713d8
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+When probing, if we fail to get the pwm due to probe deferal, we shouldn't
+print an error message. Just be silent in this case.
+
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/leds/leds-pwm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/leds/leds-pwm.c b/drivers/leds/leds-pwm.c
+index df80c89ebe7f..5d3faae51d59 100644
+--- a/drivers/leds/leds-pwm.c
++++ b/drivers/leds/leds-pwm.c
+@@ -100,8 +100,9 @@ static int led_pwm_add(struct device *dev, struct led_pwm_priv *priv,
+ led_data->pwm = devm_pwm_get(dev, led->name);
+ if (IS_ERR(led_data->pwm)) {
+ ret = PTR_ERR(led_data->pwm);
+- dev_err(dev, "unable to request PWM for %s: %d\n",
+- led->name, ret);
++ if (ret != -EPROBE_DEFER)
++ dev_err(dev, "unable to request PWM for %s: %d\n",
++ led->name, ret);
+ return ret;
+ }
+
+--
+2.16.4
+
diff --git a/patches.drivers/mac8390-Fix-mmio-access-size-probe.patch b/patches.drivers/mac8390-Fix-mmio-access-size-probe.patch
new file mode 100644
index 0000000000..47b238ce12
--- /dev/null
+++ b/patches.drivers/mac8390-Fix-mmio-access-size-probe.patch
@@ -0,0 +1,74 @@
+From bb9e5c5bcd76f4474eac3baf643d7a39f7bac7bb Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Sat, 16 Mar 2019 14:21:19 +1100
+Subject: [PATCH] mac8390: Fix mmio access size probe
+Git-commit: bb9e5c5bcd76f4474eac3baf643d7a39f7bac7bb
+Patch-mainline: v5.1-rc3
+References: bsc#1051510
+
+The bug that Stan reported is as follows. After a restart, a 16-bit NIC
+may be incorrectly identified as a 32-bit NIC and stop working.
+
+mac8390 slot.E: Memory length resource not found, probing
+mac8390 slot.E: Farallon EtherMac II-C (type farallon)
+mac8390 slot.E: MAC 00:00:c5:30:c2:99, IRQ 61, 32 KB shared memory at 0xfeed0000, 32-bit access.
+
+The bug never arises after a cold start and only intermittently after a
+warm start. (I didn't investigate why the bug is intermittent.)
+
+It turns out that memcpy_toio() is deprecated and memcmp_withio() also
+has issues. Replacing these calls with mmio accessors fixes the problem.
+
+Reported-and-tested-by: Stan Johnson <userm57@yahoo.com>
+Fixes: 2964db0f5904 ("m68k: Mac DP8390 update")
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/ethernet/8390/mac8390.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/8390/mac8390.c
++++ b/drivers/net/ethernet/8390/mac8390.c
+@@ -156,8 +156,6 @@ static void dayna_block_output(struct ne
+ #define memcpy_fromio(a, b, c) memcpy((a), (void *)(b), (c))
+ #define memcpy_toio(a, b, c) memcpy((void *)(a), (b), (c))
+
+-#define memcmp_withio(a, b, c) memcmp((a), (void *)(b), (c))
+-
+ /* Slow Sane (16-bit chunk memory read/write) Cabletron uses this */
+ static void slow_sane_get_8390_hdr(struct net_device *dev,
+ struct e8390_pkt_hdr *hdr, int ring_page);
+@@ -237,19 +235,26 @@ static enum mac8390_type __init mac8390_
+
+ static enum mac8390_access __init mac8390_testio(volatile unsigned long membase)
+ {
+- unsigned long outdata = 0xA5A0B5B0;
+- unsigned long indata = 0x00000000;
++ u32 outdata = 0xA5A0B5B0;
++ u32 indata = 0;
++
+ /* Try writing 32 bits */
+- memcpy_toio(membase, &outdata, 4);
+- /* Now compare them */
+- if (memcmp_withio(&outdata, membase, 4) == 0)
++ nubus_writel(outdata, membase);
++ /* Now read it back */
++ indata = nubus_readl(membase);
++ if (outdata == indata)
+ return ACCESS_32;
++
++ outdata = 0xC5C0D5D0;
++ indata = 0;
++
+ /* Write 16 bit output */
+ word_memcpy_tocard(membase, &outdata, 4);
+ /* Now read it back */
+ word_memcpy_fromcard(&indata, membase, 4);
+ if (outdata == indata)
+ return ACCESS_16;
++
+ return ACCESS_UNKNOWN;
+ }
+
diff --git a/patches.drivers/media-atmel-atmel-isc-fix-INIT_WORK-misplacement.patch b/patches.drivers/media-atmel-atmel-isc-fix-INIT_WORK-misplacement.patch
new file mode 100644
index 0000000000..91b7299f76
--- /dev/null
+++ b/patches.drivers/media-atmel-atmel-isc-fix-INIT_WORK-misplacement.patch
@@ -0,0 +1,46 @@
+From 79199002db5c571e335131856b3ff057ffd9f3c0 Mon Sep 17 00:00:00 2001
+From: Eugen Hristev <eugen.hristev@microchip.com>
+Date: Fri, 12 Apr 2019 06:19:46 -0400
+Subject: [PATCH] media: atmel: atmel-isc: fix INIT_WORK misplacement
+Git-commit: 79199002db5c571e335131856b3ff057ffd9f3c0
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+In case the completion function failes, unbind will be called
+which will call cancel_work for awb_work.
+This will trigger a WARN message from the workqueue.
+To avoid this, move the INIT_WORK call at the start of the completion
+function. This way the work is always initialized, which corresponds
+to the 'always canceled' unbind code.
+
+Fixes: 93d4a26c3d ("[media] atmel-isc: add the isc pipeline function")
+
+Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/platform/atmel/atmel-isc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/platform/atmel/atmel-isc.c
++++ b/drivers/media/platform/atmel/atmel-isc.c
+@@ -1553,6 +1553,8 @@ static int isc_async_complete(struct v4l
+ struct vb2_queue *q = &isc->vb2_vidq;
+ int ret;
+
++ INIT_WORK(&isc->awb_work, isc_awb_work);
++
+ ret = v4l2_device_register_subdev_nodes(&isc->v4l2_dev);
+ if (ret < 0) {
+ v4l2_err(&isc->v4l2_dev, "Failed to register subdev nodes\n");
+@@ -1612,8 +1614,6 @@ static int isc_async_complete(struct v4l
+ return ret;
+ }
+
+- INIT_WORK(&isc->awb_work, isc_awb_work);
+-
+ /* Register video device */
+ strlcpy(vdev->name, ATMEL_ISC_NAME, sizeof(vdev->name));
+ vdev->release = video_device_release_empty;
diff --git a/patches.drivers/media-davinci-vpbe-array-underflow-in-vpbe_enum_outp.patch b/patches.drivers/media-davinci-vpbe-array-underflow-in-vpbe_enum_outp.patch
new file mode 100644
index 0000000000..94c1d793fa
--- /dev/null
+++ b/patches.drivers/media-davinci-vpbe-array-underflow-in-vpbe_enum_outp.patch
@@ -0,0 +1,54 @@
+From b72845ee5577b227131b1fef23f9d9a296621d7b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 24 Apr 2019 05:46:27 -0400
+Subject: [PATCH] media: davinci/vpbe: array underflow in vpbe_enum_outputs()
+Git-commit: b72845ee5577b227131b1fef23f9d9a296621d7b
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+In vpbe_enum_outputs() we check if (temp_index >= cfg->num_outputs) but
+the problem is that "temp_index" can be negative. This patch changes
+the types to unsigned to address this array underflow bug.
+
+Fixes: 66715cdc3224 ("[media] davinci vpbe: VPBE display driver")
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: "Lad, Prabhakar" <prabhakar.csengg@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/platform/davinci/vpbe.c | 2 +-
+ include/media/davinci/vpbe.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/davinci/vpbe.c b/drivers/media/platform/davinci/vpbe.c
+index 8339163a5231..4e24f5d781f4 100644
+--- a/drivers/media/platform/davinci/vpbe.c
++++ b/drivers/media/platform/davinci/vpbe.c
+@@ -104,7 +104,7 @@ static int vpbe_enum_outputs(struct vpbe_device *vpbe_dev,
+ struct v4l2_output *output)
+ {
+ struct vpbe_config *cfg = vpbe_dev->cfg;
+- int temp_index = output->index;
++ unsigned int temp_index = output->index;
+
+ if (temp_index >= cfg->num_outputs)
+ return -EINVAL;
+diff --git a/include/media/davinci/vpbe.h b/include/media/davinci/vpbe.h
+index 5c31a7682492..f76d2f25a824 100644
+--- a/include/media/davinci/vpbe.h
++++ b/include/media/davinci/vpbe.h
+@@ -92,7 +92,7 @@ struct vpbe_config {
+ struct encoder_config_info *ext_encoders;
+ /* amplifier information goes here */
+ struct amp_config_info *amp;
+- int num_outputs;
++ unsigned int num_outputs;
+ /* Order is venc outputs followed by LCD and then external encoders */
+ struct vpbe_output *outputs;
+ };
+--
+2.16.4
+
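Review bot: The `num_outputs` type change in include/media/davinci/vpbe.h reaches beyond vpbe_enum_outputs(), because every other comparison against `cfg->num_outputs` now also happens in unsigned arithmetic. Those sites are not in this hunk and should be checked for signed loop counters or `< 0` tests. For this function alone, making `temp_index` unsigned already suffices, since the usual arithmetic conversions make the comparison unsigned. A short comment on the check would record why it is enough, for example `/* index is unsigned: a "negative" value from the caller fails this test */`.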
diff --git a/patches.drivers/media-omap_vout-potential-buffer-overflow-in-vidioc_.patch b/patches.drivers/media-omap_vout-potential-buffer-overflow-in-vidioc_.patch
new file mode 100644
index 0000000000..04f40a3fb0
--- /dev/null
+++ b/patches.drivers/media-omap_vout-potential-buffer-overflow-in-vidioc_.patch
@@ -0,0 +1,68 @@
+From dd6e2a981bfe83aa4a493143fd8cf1edcda6c091 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 11 Apr 2019 05:01:57 -0400
+Subject: [PATCH] media: omap_vout: potential buffer overflow in vidioc_dqbuf()
+Git-commit: dd6e2a981bfe83aa4a493143fd8cf1edcda6c091
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The "b->index" is a u32 the comes from the user in the ioctl. It hasn't
+been checked. We aren't supposed to use it but we're instead supposed
+to use the value that gets written to it when we call videobuf_dqbuf().
+
+The videobuf_dqbuf() first memsets it to zero and then re-initializes it
+inside the videobuf_status() function. It's this final value which we
+want.
+
+Hans Verkuil pointed out that we need to check the return from
+videobuf_dqbuf(). I ended up doing a little cleanup related to that as
+well.
+
+Fixes: 72915e851da9 ("[media] V4L2: OMAP: VOUT: dma map and unmap v4l2 buffers in qbuf and dqbuf")
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/platform/omap/omap_vout.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/media/platform/omap/omap_vout.c b/drivers/media/platform/omap/omap_vout.c
+index 37f0d7146dfa..cb6a9e3946b6 100644
+--- a/drivers/media/platform/omap/omap_vout.c
++++ b/drivers/media/platform/omap/omap_vout.c
+@@ -1527,23 +1527,20 @@ static int vidioc_dqbuf(struct file *file, void *fh, struct v4l2_buffer *b)
+ unsigned long size;
+ struct videobuf_buffer *vb;
+
+- vb = q->bufs[b->index];
+-
+ if (!vout->streaming)
+ return -EINVAL;
+
+- if (file->f_flags & O_NONBLOCK)
+- /* Call videobuf_dqbuf for non blocking mode */
+- ret = videobuf_dqbuf(q, (struct v4l2_buffer *)b, 1);
+- else
+- /* Call videobuf_dqbuf for blocking mode */
+- ret = videobuf_dqbuf(q, (struct v4l2_buffer *)b, 0);
++ ret = videobuf_dqbuf(q, b, !!(file->f_flags & O_NONBLOCK));
++ if (ret)
++ return ret;
++
++ vb = q->bufs[b->index];
+
+ addr = (unsigned long) vout->buf_phy_addr[vb->i];
+ size = (unsigned long) vb->size;
+ dma_unmap_single(vout->vid_dev->v4l2_dev.dev, addr,
+ size, DMA_TO_DEVICE);
+- return ret;
++ return 0;
+ }
+
+ static int vidioc_streamon(struct file *file, void *fh, enum v4l2_buf_type i)
+--
+2.16.4
+
diff --git a/patches.drivers/power-supply-axp20x_usb_power-Fix-typo-in-VBUS-curre.patch b/patches.drivers/power-supply-axp20x_usb_power-Fix-typo-in-VBUS-curre.patch
new file mode 100644
index 0000000000..f842e339af
--- /dev/null
+++ b/patches.drivers/power-supply-axp20x_usb_power-Fix-typo-in-VBUS-curre.patch
@@ -0,0 +1,66 @@
+From c11f0b8f226a411915f8d7467bd554a8c9ceec42 Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Tue, 16 Apr 2019 14:40:19 +0800
+Subject: [PATCH] power: supply: axp20x_usb_power: Fix typo in VBUS current limit macros
+Git-commit: c11f0b8f226a411915f8d7467bd554a8c9ceec42
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The VBUS current limit value macros have VBUS typed as VBUC, while
+the bitmask macro is named correctly. Fix it.
+
+Fixes: 69fb4dcada77 ("power: Add an axp20x-usb-power driver")
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/power/supply/axp20x_usb_power.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/power/supply/axp20x_usb_power.c b/drivers/power/supply/axp20x_usb_power.c
+index f52fe77edb6f..cd9b90d79839 100644
+--- a/drivers/power/supply/axp20x_usb_power.c
++++ b/drivers/power/supply/axp20x_usb_power.c
+@@ -36,10 +36,10 @@
+ #define AXP20X_VBUS_VHOLD_MASK GENMASK(5, 3)
+ #define AXP20X_VBUS_VHOLD_OFFSET 3
+ #define AXP20X_VBUS_CLIMIT_MASK 3
+-#define AXP20X_VBUC_CLIMIT_900mA 0
+-#define AXP20X_VBUC_CLIMIT_500mA 1
+-#define AXP20X_VBUC_CLIMIT_100mA 2
+-#define AXP20X_VBUC_CLIMIT_NONE 3
++#define AXP20X_VBUS_CLIMIT_900mA 0
++#define AXP20X_VBUS_CLIMIT_500mA 1
++#define AXP20X_VBUS_CLIMIT_100mA 2
++#define AXP20X_VBUS_CLIMIT_NONE 3
+
+ #define AXP20X_ADC_EN1_VBUS_CURR BIT(2)
+ #define AXP20X_ADC_EN1_VBUS_VOLT BIT(3)
+@@ -107,19 +107,19 @@ static int axp20x_usb_power_get_property(struct power_supply *psy,
+ return ret;
+
+ switch (v & AXP20X_VBUS_CLIMIT_MASK) {
+- case AXP20X_VBUC_CLIMIT_100mA:
++ case AXP20X_VBUS_CLIMIT_100mA:
+ if (power->axp20x_id == AXP221_ID)
+ val->intval = -1; /* No 100mA limit */
+ else
+ val->intval = 100000;
+ break;
+- case AXP20X_VBUC_CLIMIT_500mA:
++ case AXP20X_VBUS_CLIMIT_500mA:
+ val->intval = 500000;
+ break;
+- case AXP20X_VBUC_CLIMIT_900mA:
++ case AXP20X_VBUS_CLIMIT_900mA:
+ val->intval = 900000;
+ break;
+- case AXP20X_VBUC_CLIMIT_NONE:
++ case AXP20X_VBUS_CLIMIT_NONE:
+ val->intval = -1;
+ break;
+ }
+--
+2.16.4
+
diff --git a/patches.drivers/power-supply-axp288_charger-Fix-unchecked-return-val.patch b/patches.drivers/power-supply-axp288_charger-Fix-unchecked-return-val.patch
new file mode 100644
index 0000000000..115d9f2bb3
--- /dev/null
+++ b/patches.drivers/power-supply-axp288_charger-Fix-unchecked-return-val.patch
@@ -0,0 +1,46 @@
+From c3422ad5f84a66739ec6a37251ca27638c85b6be Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 18 Mar 2019 11:14:39 -0500
+Subject: [PATCH] power: supply: axp288_charger: Fix unchecked return value
+Git-commit: c3422ad5f84a66739ec6a37251ca27638c85b6be
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Currently there is no check on platform_get_irq() return value
+in case it fails, hence never actually reporting any errors and
+causing unexpected behavior when using such value as argument
+for function regmap_irq_get_virq().
+
+Fix this by adding a proper check, a message reporting any errors
+and returning *pirq*
+
+Addresses-coverity-id: 1443940 ("Improper use of negative value")
+Fixes: 843735b788a4 ("power: axp288_charger: axp288 charger driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/power/supply/axp288_charger.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/power/supply/axp288_charger.c b/drivers/power/supply/axp288_charger.c
+index f8c6da9277b3..00b961890a38 100644
+--- a/drivers/power/supply/axp288_charger.c
++++ b/drivers/power/supply/axp288_charger.c
+@@ -833,6 +833,10 @@ static int axp288_charger_probe(struct platform_device *pdev)
+ /* Register charger interrupts */
+ for (i = 0; i < CHRG_INTR_END; i++) {
+ pirq = platform_get_irq(info->pdev, i);
++ if (pirq < 0) {
++ dev_err(&pdev->dev, "Failed to get IRQ: %d\n", pirq);
++ return pirq;
++ }
+ info->irq[i] = regmap_irq_get_virq(info->regmap_irqc, pirq);
+ if (info->irq[i] < 0) {
+ dev_warn(&info->pdev->dev,
+--
+2.16.4
+
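Review bot: The added `dev_err()` also fires when platform_get_irq() returns -EPROBE_DEFER, which signals a retry rather than a failure. Guarding it with `if (pirq != -EPROBE_DEFER)` would keep the log clean, and printing the index, `"Failed to get IRQ %d: %d\n", i, pirq`, would say which interrupt was missing. The new line uses `&pdev->dev` while the neighbouring `dev_warn()` uses `&info->pdev->dev`; one form should be used throughout. axp288_charger_probe() extends beyond the hunk, so whether the early return leaves anything to unwind is not visible here.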
diff --git a/patches.drivers/serial-fix-race-between-flush_to_ldisc-and-tty_open.patch b/patches.drivers/serial-fix-race-between-flush_to_ldisc-and-tty_open.patch
index 8730ce5efd..d8580a7a50 100644
--- a/patches.drivers/serial-fix-race-between-flush_to_ldisc-and-tty_open.patch
+++ b/patches.drivers/serial-fix-race-between-flush_to_ldisc-and-tty_open.patch
@@ -73,9 +73,9 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
port = uart_port_lock(state, flags);
__uart_start(tty);
uart_port_unlock(port, flags);
-@@ -2403,6 +2406,9 @@ static void uart_poll_put_char(struct tt
- struct uart_state *state = drv->state + line;
+@@ -719,6 +722,9 @@ static void uart_unthrottle(struct tty_s
struct uart_port *port;
+ upstat_t mask = 0;
+ if (!state)
+ return;
diff --git a/patches.drivers/soc-fsl-qe-Fix-an-error-code-in-qe_pin_request.patch b/patches.drivers/soc-fsl-qe-Fix-an-error-code-in-qe_pin_request.patch
new file mode 100644
index 0000000000..386aed57b4
--- /dev/null
+++ b/patches.drivers/soc-fsl-qe-Fix-an-error-code-in-qe_pin_request.patch
@@ -0,0 +1,38 @@
+From 5674a92ca4b7e5a6a19231edd10298d30324cd27 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 28 Mar 2019 17:18:41 +0300
+Subject: [PATCH] soc/fsl/qe: Fix an error code in qe_pin_request()
+Git-commit: 5674a92ca4b7e5a6a19231edd10298d30324cd27
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+We forgot to set "err" on this error path.
+
+Fixes: 1a2d397a6eb5 ("gpio/powerpc: Eliminate duplication of of_get_named_gpio_flags()")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Li Yang <leoyang.li@nxp.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/soc/fsl/qe/gpio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soc/fsl/qe/gpio.c b/drivers/soc/fsl/qe/gpio.c
+index 819bed0f5667..51b3a47b5a55 100644
+--- a/drivers/soc/fsl/qe/gpio.c
++++ b/drivers/soc/fsl/qe/gpio.c
+@@ -179,8 +179,10 @@ struct qe_pin *qe_pin_request(struct device_node *np, int index)
+ if (err < 0)
+ goto err0;
+ gc = gpio_to_chip(err);
+- if (WARN_ON(!gc))
++ if (WARN_ON(!gc)) {
++ err = -ENODEV;
+ goto err0;
++ }
+
+ if (!of_device_is_compatible(gc->of_node, "fsl,mpc8323-qe-pario-bank")) {
+ pr_debug("%s: tried to get a non-qe pin\n", __func__);
+--
+2.16.4
+
diff --git a/patches.drivers/spi-Micrel-eth-switch-declare-missing-of-table.patch b/patches.drivers/spi-Micrel-eth-switch-declare-missing-of-table.patch
new file mode 100644
index 0000000000..2a1715bd58
--- /dev/null
+++ b/patches.drivers/spi-Micrel-eth-switch-declare-missing-of-table.patch
@@ -0,0 +1,65 @@
+From 2f23a2a768bee7ad2ff1e9527c3f7e279e794a46 Mon Sep 17 00:00:00 2001
+From: Daniel Gomez <dagmcr@gmail.com>
+Date: Mon, 22 Apr 2019 21:08:03 +0200
+Subject: [PATCH] spi: Micrel eth switch: declare missing of table
+Git-commit: 2f23a2a768bee7ad2ff1e9527c3f7e279e794a46
+Patch-mainline: v5.1-rc7
+References: bsc#1051510
+
+Add missing <of_device_id> table for SPI driver relying on SPI
+device match since compatible is in a DT binding or in a DTS.
+
+Before this patch:
+modinfo drivers/net/phy/spi_ks8995.ko | grep alias
+Alias: spi:ksz8795
+Alias: spi:ksz8864
+Alias: spi:ks8995
+
+After this patch:
+modinfo drivers/net/phy/spi_ks8995.ko | grep alias
+Alias: of:N*T*Cmicrel,ksz8795C*
+Alias: of:N*T*Cmicrel,ksz8795
+Alias: of:N*T*Cmicrel,ksz8864C*
+Alias: of:N*T*Cmicrel,ksz8864
+Alias: of:N*T*Cmicrel,ks8995C*
+Alias: of:N*T*Cmicrel,ks8995
+
+Reported-by: Javier Martinez Canillas <javier@dowhile0.org>
+Signed-off-by: Daniel Gomez <dagmcr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/phy/spi_ks8995.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/phy/spi_ks8995.c b/drivers/net/phy/spi_ks8995.c
+index 92b64e254b44..7475cef17cf7 100644
+--- a/drivers/net/phy/spi_ks8995.c
++++ b/drivers/net/phy/spi_ks8995.c
+@@ -159,6 +159,14 @@ static const struct spi_device_id ks8995_id[] = {
+ };
+ MODULE_DEVICE_TABLE(spi, ks8995_id);
+
++static const struct of_device_id ks8895_spi_of_match[] = {
++ { .compatible = "micrel,ks8995" },
++ { .compatible = "micrel,ksz8864" },
++ { .compatible = "micrel,ksz8795" },
++ { },
++ };
++MODULE_DEVICE_TABLE(of, ks8895_spi_of_match);
++
+ static inline u8 get_chip_id(u8 val)
+ {
+ return (val >> ID1_CHIPID_S) & ID1_CHIPID_M;
+@@ -526,6 +534,7 @@ static int ks8995_remove(struct spi_device *spi)
+ static struct spi_driver ks8995_driver = {
+ .driver = {
+ .name = "spi-ks8995",
++ .of_match_table = of_match_ptr(ks8895_spi_of_match),
+ },
+ .probe = ks8995_probe,
+ .remove = ks8995_remove,
+--
+2.16.4
+
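Review bot: The new table is named `ks8895_spi_of_match`, while every other identifier in the hunk is `ks8995_*` (`ks8995_id`, `ks8995_probe`, `ks8995_driver`). This looks like a digit transposition and should be `ks8995_spi_of_match` in the definition, in `MODULE_DEVICE_TABLE(of, ks8995_spi_of_match);` and in `.of_match_table = of_match_ptr(ks8995_spi_of_match),`. The closing `};` of the table also appears to carry stray leading whitespace.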
diff --git a/patches.drivers/spi-ST-ST95HF-NFC-declare-missing-of-table.patch b/patches.drivers/spi-ST-ST95HF-NFC-declare-missing-of-table.patch
new file mode 100644
index 0000000000..2cc18f34ea
--- /dev/null
+++ b/patches.drivers/spi-ST-ST95HF-NFC-declare-missing-of-table.patch
@@ -0,0 +1,57 @@
+From d04830531d0c4a99c897a44038e5da3d23331d2f Mon Sep 17 00:00:00 2001
+From: Daniel Gomez <dagmcr@gmail.com>
+Date: Mon, 22 Apr 2019 21:08:04 +0200
+Subject: [PATCH] spi: ST ST95HF NFC: declare missing of table
+Git-commit: d04830531d0c4a99c897a44038e5da3d23331d2f
+Patch-mainline: v5.1-rc7
+References: bsc#1051510
+
+Add missing <of_device_id> table for SPI driver relying on SPI
+device match since compatible is in a DT binding or in a DTS.
+
+Before this patch:
+modinfo drivers/nfc/st95hf/st95hf.ko | grep alias
+Alias: spi:st95hf
+
+After this patch:
+modinfo drivers/nfc/st95hf/st95hf.ko | grep alias
+Alias: of:N*T*Cst,st95hfC*
+Alias: of:N*T*Cst,st95hf
+
+Reported-by: Javier Martinez Canillas <javier@dowhile0.org>
+Signed-off-by: Daniel Gomez <dagmcr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/nfc/st95hf/core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/nfc/st95hf/core.c b/drivers/nfc/st95hf/core.c
+index 2b26f762fbc3..01acb6e53365 100644
+--- a/drivers/nfc/st95hf/core.c
++++ b/drivers/nfc/st95hf/core.c
+@@ -1074,6 +1074,12 @@ static const struct spi_device_id st95hf_id[] = {
+ };
+ MODULE_DEVICE_TABLE(spi, st95hf_id);
+
++static const struct of_device_id st95hf_spi_of_match[] = {
++ { .compatible = "st,st95hf" },
++ { },
++};
++MODULE_DEVICE_TABLE(of, st95hf_spi_of_match);
++
+ static int st95hf_probe(struct spi_device *nfc_spi_dev)
+ {
+ int ret;
+@@ -1260,6 +1266,7 @@ static struct spi_driver st95hf_driver = {
+ .driver = {
+ .name = "st95hf",
+ .owner = THIS_MODULE,
++ .of_match_table = of_match_ptr(st95hf_spi_of_match),
+ },
+ .id_table = st95hf_id,
+ .probe = st95hf_probe,
+--
+2.16.4
+
diff --git a/patches.drivers/thermal-cpu_cooling-Actually-trace-CPU-load-in-therm.patch b/patches.drivers/thermal-cpu_cooling-Actually-trace-CPU-load-in-therm.patch
new file mode 100644
index 0000000000..2f43967f7e
--- /dev/null
+++ b/patches.drivers/thermal-cpu_cooling-Actually-trace-CPU-load-in-therm.patch
@@ -0,0 +1,58 @@
+From bf45ac18b78038e43af3c1a273cae4ab5704d2ce Mon Sep 17 00:00:00 2001
+From: Matthias Kaehlcke <mka@chromium.org>
+Date: Thu, 2 May 2019 11:32:38 -0700
+Subject: [PATCH] thermal: cpu_cooling: Actually trace CPU load in thermal_power_cpu_get_power
+Git-commit: bf45ac18b78038e43af3c1a273cae4ab5704d2ce
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The CPU load values passed to the thermal_power_cpu_get_power
+tracepoint are zero for all CPUs, unless, unless the
+thermal_power_cpu_limit tracepoint is enabled too:
+
+ irq/41-rockchip-98 [000] .... 290.972410: thermal_power_cpu_get_power:
+ cpus=0000000f freq=1800000 load={{0x0,0x0,0x0,0x0}} dynamic_power=4815
+
+vs
+
+ irq/41-rockchip-96 [000] .... 95.773585: thermal_power_cpu_get_power:
+ cpus=0000000f freq=1800000 load={{0x56,0x64,0x64,0x5e}} dynamic_power=4959
+ irq/41-rockchip-96 [000] .... 95.773596: thermal_power_cpu_limit:
+ cpus=0000000f freq=408000 cdev_state=10 power=416
+
+There seems to be no good reason for omitting the CPU load information
+depending on another tracepoint. My guess is that the intention was to
+check whether thermal_power_cpu_get_power is (still) enabled, however
+'load_cpu != NULL' already indicates that it was at least enabled when
+cpufreq_get_requested_power() was entered, there seems little gain
+from omitting the assignment if the tracepoint was just disabled, so
+just remove the check.
+
+Fixes: 6828a4711f99 ("thermal: add trace events to the power allocator governor")
+Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Acked-by: Javi Merino <javi.merino@kernel.org>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/thermal/cpu_cooling.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/cpu_cooling.c b/drivers/thermal/cpu_cooling.c
+index 9b014d0e8e70..4c5db59a619b 100644
+--- a/drivers/thermal/cpu_cooling.c
++++ b/drivers/thermal/cpu_cooling.c
+@@ -444,7 +444,7 @@ static int cpufreq_get_requested_power(struct thermal_cooling_device *cdev,
+ load = 0;
+
+ total_load += load;
+- if (trace_thermal_power_cpu_limit_enabled() && load_cpu)
++ if (load_cpu)
+ load_cpu[i] = load;
+
+ i++;
+--
+2.16.4
+
diff --git a/patches.drm/0001-drm-i915-gvt-Fix-mmap-range-check.patch b/patches.drm/0001-drm-i915-gvt-Fix-mmap-range-check.patch
index b92d55bb53..643bb857f6 100644
--- a/patches.drm/0001-drm-i915-gvt-Fix-mmap-range-check.patch
+++ b/patches.drm/0001-drm-i915-gvt-Fix-mmap-range-check.patch
@@ -4,7 +4,7 @@ Date: Fri, 11 Jan 2019 13:58:53 +0800
Subject: drm/i915/gvt: Fix mmap range check
Git-commit: 51b00d8509dc69c98740da2ad07308b630d3eb7d
Patch-mainline: v5.0-rc3
-References: bsc#1120902
+References: bsc#1120902, CVE-2019-11085, bsc#1135278
This is to fix missed mmap range check on vGPU bar2 region
and only allow to map vGPU allocated GMADDR range, which means
diff --git a/patches.drm/drm-bridge-adv7511-Fix-low-refresh-rate-selection.patch b/patches.drm/drm-bridge-adv7511-Fix-low-refresh-rate-selection.patch
new file mode 100644
index 0000000000..e105b76f1c
--- /dev/null
+++ b/patches.drm/drm-bridge-adv7511-Fix-low-refresh-rate-selection.patch
@@ -0,0 +1,51 @@
+From 67793bd3b3948dc8c8384b6430e036a30a0ecb43 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@thinci.com>
+Date: Wed, 24 Apr 2019 13:22:27 +0000
+Subject: [PATCH] drm/bridge: adv7511: Fix low refresh rate selection
+Git-commit: 67793bd3b3948dc8c8384b6430e036a30a0ecb43
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The driver currently sets register 0xfb (Low Refresh Rate) based on the
+value of mode->vrefresh. Firstly, this field is specified to be in Hz,
+but the magic numbers used by the code are Hz * 1000. This essentially
+leads to the low refresh rate always being set to 0x01, since the
+vrefresh value will always be less than 24000. Fix the magic numbers to
+be in Hz.
+Secondly, according to the comment in drm_modes.h, the field is not
+supposed to be used in a functional way anyway. Instead, use the helper
+function drm_mode_vrefresh().
+
+Fixes: 9c8af882bf12 ("drm: Add adv7511 encoder driver")
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Matt Redfearn <matt.redfearn@thinci.com>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190424132210.26338-1-matt.redfearn@thinci.com
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+index ec2ca71e1323..c532e9c9e491 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+@@ -748,11 +748,11 @@ static void adv7511_mode_set(struct adv7511 *adv7511,
+ vsync_polarity = 1;
+ }
+
+- if (mode->vrefresh <= 24000)
++ if (drm_mode_vrefresh(mode) <= 24)
+ low_refresh_rate = ADV7511_LOW_REFRESH_RATE_24HZ;
+- else if (mode->vrefresh <= 25000)
++ else if (drm_mode_vrefresh(mode) <= 25)
+ low_refresh_rate = ADV7511_LOW_REFRESH_RATE_25HZ;
+- else if (mode->vrefresh <= 30000)
++ else if (drm_mode_vrefresh(mode) <= 30)
+ low_refresh_rate = ADV7511_LOW_REFRESH_RATE_30HZ;
+ else
+ low_refresh_rate = ADV7511_LOW_REFRESH_RATE_NONE;
+--
+2.16.4
+
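Review bot: In adv7511_mode_set the new if/else chain calls `drm_mode_vrefresh(mode)` up to three times for the same mode; reading it once into a local, `int vrefresh = drm_mode_vrefresh(mode);`, and comparing `vrefresh <= 24`, `<= 25` and `<= 30` would keep the three thresholds tied to one value. The thresholds are now whole Hz, so a short comment saying how fractional refresh rates are rounded before the comparison would help; the helper's rounding is not visible here and should be confirmed. adv7511_mode_set starts and ends outside the hunk.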
diff --git a/patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch b/patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch
new file mode 100644
index 0000000000..583c8df452
--- /dev/null
+++ b/patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch
@@ -0,0 +1,140 @@
+From 03981c6ebec4fc7056b9b45f847393aeac90d060 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Wed, 14 Nov 2018 19:34:40 +0200
+Subject: [PATCH] drm/i915: Disable LP3 watermarks on all SNB machines
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 03981c6ebec4fc7056b9b45f847393aeac90d060
+No-fix: 21556350ade3cb5d7afecc8b3544e56431d21695
+Patch-mainline: v5.0-rc1
+References: bsc#1051510
+
+I have a Thinkpad X220 Tablet in my hands that is losing vblank
+interrupts whenever LP3 watermarks are used.
+
+If I nudge the latency value written to the WM3 register just
+by one in either direction the problem disappears. That to me
+suggests that the punit will not enter the corrsponding
+powersave mode (MPLL shutdown IIRC) unless the latency value
+in the register matches exactly what we read from SSKPD. Ie.
+it's not really a latency value but rather just a cookie
+by which the punit can identify the desired power saving state.
+On HSW/BDW this was changed such that we actually just write
+the WM level number into those bits, which makes much more
+sense given the observed behaviour.
+
+We could try to handle this by disallowing LP3 watermarks
+only when vblank interrupts are enabled but we'd first have
+to prove that only vblank interrupts are affected, which
+seems unlikely. Also we can't grab the wm mutex from the
+vblank enable/disable hooks because those are called with
+various spinlocks held. Thus we'd have to redesigne the
+watermark locking. So to play it safe and keep the code
+simple we simply disable LP3 watermarks on all SNB machines.
+
+To do that we simply zero out the latency values for
+watermark level 3, and we adjust the watermark computation
+to check for that. The behaviour now matches that of the
+g4x/vlv/skl wm code in the presence of a zeroed latency
+value.
+
+V2: s/USHRT_MAX/U32_MAX/ for consistency with the types (Chris)
+
+Cc: stable@vger.kernel.org
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Acked-by: Chris Wilson <chris@chris-wilson.co.uk>
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101269
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103713
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181114173440.6730-1-ville.syrjala@linux.intel.com
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/i915/intel_pm.c | 41 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c
+index 27498ded4949..897a791662c5 100644
+--- a/drivers/gpu/drm/i915/intel_pm.c
++++ b/drivers/gpu/drm/i915/intel_pm.c
+@@ -2493,6 +2493,9 @@ static uint32_t ilk_compute_pri_wm(const struct intel_crtc_state *cstate,
+ uint32_t method1, method2;
+ int cpp;
+
++ if (mem_value == 0)
++ return U32_MAX;
++
+ if (!intel_wm_plane_visible(cstate, pstate))
+ return 0;
+
+@@ -2522,6 +2525,9 @@ static uint32_t ilk_compute_spr_wm(const struct intel_crtc_state *cstate,
+ uint32_t method1, method2;
+ int cpp;
+
++ if (mem_value == 0)
++ return U32_MAX;
++
+ if (!intel_wm_plane_visible(cstate, pstate))
+ return 0;
+
+@@ -2545,6 +2551,9 @@ static uint32_t ilk_compute_cur_wm(const struct intel_crtc_state *cstate,
+ {
+ int cpp;
+
++ if (mem_value == 0)
++ return U32_MAX;
++
+ if (!intel_wm_plane_visible(cstate, pstate))
+ return 0;
+
+@@ -3008,6 +3017,34 @@ static void snb_wm_latency_quirk(struct drm_i915_private *dev_priv)
+ intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency);
+ }
+
++static void snb_wm_lp3_irq_quirk(struct drm_i915_private *dev_priv)
++{
++ /*
++ * On some SNB machines (Thinkpad X220 Tablet at least)
++ * LP3 usage can cause vblank interrupts to be lost.
++ * The DEIIR bit will go high but it looks like the CPU
++ * never gets interrupted.
++ *
++ * It's not clear whether other interrupt source could
++ * be affected or if this is somehow limited to vblank
++ * interrupts only. To play it safe we disable LP3
++ * watermarks entirely.
++ */
++ if (dev_priv->wm.pri_latency[3] == 0 &&
++ dev_priv->wm.spr_latency[3] == 0 &&
++ dev_priv->wm.cur_latency[3] == 0)
++ return;
++
++ dev_priv->wm.pri_latency[3] = 0;
++ dev_priv->wm.spr_latency[3] = 0;
++ dev_priv->wm.cur_latency[3] = 0;
++
++ DRM_DEBUG_KMS("LP3 watermarks disabled due to potential for lost interrupts\n");
++ intel_print_wm_latency(dev_priv, "Primary", dev_priv->wm.pri_latency);
++ intel_print_wm_latency(dev_priv, "Sprite", dev_priv->wm.spr_latency);
++ intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency);
++}
++
+ static void ilk_setup_wm_latency(struct drm_i915_private *dev_priv)
+ {
+ intel_read_wm_latency(dev_priv, dev_priv->wm.pri_latency);
+@@ -3024,8 +3061,10 @@ static void ilk_setup_wm_latency(struct drm_i915_private *dev_priv)
+ intel_print_wm_latency(dev_priv, "Sprite", dev_priv->wm.spr_latency);
+ intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency);
+
+- if (IS_GEN6(dev_priv))
++ if (IS_GEN6(dev_priv)) {
+ snb_wm_latency_quirk(dev_priv);
++ snb_wm_lp3_irq_quirk(dev_priv);
++ }
+ }
+
+ static void skl_setup_wm_latency(struct drm_i915_private *dev_priv)
+--
+2.16.4
+
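Review bot: The three `if (mem_value == 0) return U32_MAX;` guards added to ilk_compute_pri_wm, ilk_compute_spr_wm and ilk_compute_cur_wm carry no comment, so U32_MAX reads like an ordinary watermark value to anyone who has not seen the commit message. A one-line comment above each guard, `/* zero latency means this WM level is disabled; U32_MAX makes the level fail validation */`, would record the contract next to the code. That the callers reject a level on U32_MAX is inferred from the description and is not visible in these hunks; all three function bodies continue outside them.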
diff --git a/patches.drm/drm-i915-Downgrade-Gen9-Plane-WM-latency-error.patch b/patches.drm/drm-i915-Downgrade-Gen9-Plane-WM-latency-error.patch
new file mode 100644
index 0000000000..0fc56eddf2
--- /dev/null
+++ b/patches.drm/drm-i915-Downgrade-Gen9-Plane-WM-latency-error.patch
@@ -0,0 +1,41 @@
+From 86c1c87d0e6241cbe35bd52badfc84b154e1b959 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Thu, 26 Jul 2018 17:15:27 +0100
+Subject: [PATCH] drm/i915: Downgrade Gen9 Plane WM latency error
+Git-commit: 86c1c87d0e6241cbe35bd52badfc84b154e1b959
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+According to intel_read_wm_latency() it is perfectly legal for one WM
+and all subsequent levels to be 0 (and the deeper powersaving states
+disabled), so don't shout *ERROR*, over and over again.
+
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Ville Syrjala <ville.syrjala@linux.intel.com>
+Acked-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180726161527.10516-1-chris@chris-wilson.co.uk
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/i915/intel_pm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c
+index f175923939ae..8a4152244571 100644
+--- a/drivers/gpu/drm/i915/intel_pm.c
++++ b/drivers/gpu/drm/i915/intel_pm.c
+@@ -2942,8 +2942,8 @@ static void intel_print_wm_latency(struct drm_i915_private *dev_priv,
+ unsigned int latency = wm[level];
+
+ if (latency == 0) {
+- DRM_ERROR("%s WM%d latency not provided\n",
+- name, level);
++ DRM_DEBUG_KMS("%s WM%d latency not provided\n",
++ name, level);
+ continue;
+ }
+
+--
+2.16.4
+
diff --git a/patches.drm/drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch b/patches.drm/drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch
new file mode 100644
index 0000000000..e222d5d735
--- /dev/null
+++ b/patches.drm/drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch
@@ -0,0 +1,55 @@
+From 396dd8143bdd94bd1c358a228a631c8c895a1126 Mon Sep 17 00:00:00 2001
+From: Daniel Drake <drake@endlessm.com>
+Date: Tue, 23 Apr 2019 17:28:10 +0800
+Subject: [PATCH] drm/i915/fbc: disable framebuffer compression on GeminiLake
+Git-commit: 396dd8143bdd94bd1c358a228a631c8c895a1126
+Patch-mainline: v5.2-rc1
+No-fix: 1d25724b41fad7eeb2c3058a5c8190d6ece73e08
+References: bsc#1051510
+
+On many (all?) the Gemini Lake systems we work with, there is frequent
+momentary graphical corruption at the top of the screen, and it seems
+that disabling framebuffer compression can avoid this.
+
+The ticket was reported 6 months ago and has already affected a
+multitude of users, without any real progress being made. So, lets
+disable framebuffer compression on GeminiLake until a solution is found.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108085
+Fixes: fd7d6c5c8f3e ("drm/i915: enable FBC on gen9+ too")
+Cc: Paulo Zanoni <paulo.r.zanoni@intel.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Cc: <stable@vger.kernel.org> # v4.11+
+Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
+Signed-off-by: Daniel Drake <drake@endlessm.com>
+Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190423092810.28359-1-jian-hong@endlessm.com
+(cherry picked from commit 1d25724b41fad7eeb2c3058a5c8190d6ece73e08)
+
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/i915/intel_fbc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/i915/intel_fbc.c b/drivers/gpu/drm/i915/intel_fbc.c
+index c805a0966395..5679f2fffb7c 100644
+--- a/drivers/gpu/drm/i915/intel_fbc.c
++++ b/drivers/gpu/drm/i915/intel_fbc.c
+@@ -1280,6 +1280,10 @@ static int intel_sanitize_fbc_option(struct drm_i915_private *dev_priv)
+ if (!HAS_FBC(dev_priv))
+ return 0;
+
++ /* https://bugs.freedesktop.org/show_bug.cgi?id=108085 */
++ if (IS_GEMINILAKE(dev_priv))
++ return 0;
++
+ if (IS_BROADWELL(dev_priv) || INTEL_GEN(dev_priv) >= 9)
+ return 1;
+
+--
+2.16.4
+
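Review bot: The comment above the new `IS_GEMINILAKE` early return in intel_sanitize_fbc_option is only a bug URL, so the reason for the exclusion is lost if the tracker moves. Naming the symptom keeps it with the code, for example `/* GLK: momentary corruption at the top of the screen with FBC, see https://bugs.freedesktop.org/show_bug.cgi?id=108085 */`. The start of the function is outside the hunk, so whether an explicit user setting is still honoured ahead of this check cannot be confirmed from here.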
diff --git a/patches.drm/drm-imx-don-t-skip-DP-channel-disable-for-background.patch b/patches.drm/drm-imx-don-t-skip-DP-channel-disable-for-background.patch
new file mode 100644
index 0000000000..e27805258f
--- /dev/null
+++ b/patches.drm/drm-imx-don-t-skip-DP-channel-disable-for-background.patch
@@ -0,0 +1,34 @@
+From 7bcde275eb1d0ac8793c77c7e666a886eb16633d Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Fri, 12 Apr 2019 17:59:41 +0200
+Subject: [PATCH] drm/imx: don't skip DP channel disable for background plane
+Git-commit: 7bcde275eb1d0ac8793c77c7e666a886eb16633d
+Patch-mainline: v5.1-rc7
+References: bsc#1051510
+
+In order to make sure that the plane color space gets reset correctly.
+
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/imx/ipuv3-crtc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/imx/ipuv3-crtc.c b/drivers/gpu/drm/imx/ipuv3-crtc.c
+index ec3602ebbc1c..54011df8c2e8 100644
+--- a/drivers/gpu/drm/imx/ipuv3-crtc.c
++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c
+@@ -71,7 +71,7 @@ static void ipu_crtc_disable_planes(struct ipu_crtc *ipu_crtc,
+ if (disable_partial)
+ ipu_plane_disable(ipu_crtc->plane[1], true);
+ if (disable_full)
+- ipu_plane_disable(ipu_crtc->plane[0], false);
++ ipu_plane_disable(ipu_crtc->plane[0], true);
+ }
+
+ static void ipu_crtc_atomic_disable(struct drm_crtc *crtc,
+--
+2.16.4
+
diff --git a/patches.drm/drm-rockchip-fix-for-mailbox-read-validation.patch b/patches.drm/drm-rockchip-fix-for-mailbox-read-validation.patch
new file mode 100644
index 0000000000..73e6a37375
--- /dev/null
+++ b/patches.drm/drm-rockchip-fix-for-mailbox-read-validation.patch
@@ -0,0 +1,39 @@
+From e4056bbb6719fe713bfc4030ac78e8e97ddf7574 Mon Sep 17 00:00:00 2001
+From: Damian Kos <dkos@cadence.com>
+Date: Mon, 19 Nov 2018 15:14:14 +0000
+Subject: [PATCH] drm/rockchip: fix for mailbox read validation.
+Git-commit: e4056bbb6719fe713bfc4030ac78e8e97ddf7574
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+This is basically the same fix as in
+commit fa68d4f8476b ("drm/rockchip: fix for mailbox read size")
+but for cdn_dp_mailbox_validate_receive function.
+
+See patchwork.kernel.org/patch/10671981/ for details.
+
+Signed-off-by: Damian Kos <dkos@cadence.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/1542640463-18332-1-git-send-email-dkos@cadence.com
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/rockchip/cdn-dp-reg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/rockchip/cdn-dp-reg.c b/drivers/gpu/drm/rockchip/cdn-dp-reg.c
+index 5a485489a1e2..6c8b14fb1d2f 100644
+--- a/drivers/gpu/drm/rockchip/cdn-dp-reg.c
++++ b/drivers/gpu/drm/rockchip/cdn-dp-reg.c
+@@ -113,7 +113,7 @@ static int cdp_dp_mailbox_write(struct cdn_dp_device *dp, u8 val)
+
+ static int cdn_dp_mailbox_validate_receive(struct cdn_dp_device *dp,
+ u8 module_id, u8 opcode,
+- u8 req_size)
++ u16 req_size)
+ {
+ u32 mbox_size, i;
+ u8 header[4];
+--
+2.16.4
+
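Review bot: Widening `req_size` to `u16` in cdn_dp_mailbox_validate_receive removes the silent truncation of the expected length at the call, but nothing at the signature records what width the callers rely on, so a later narrowing would again go unnoticed. A short comment on the function, e.g. `/* req_size: expected payload length in bytes, 16 bits wide to match the mailbox header */`, would document it. The callers and the comparison against `mbox_size` are outside the hunk, so the widths used there should be confirmed before the wording is settled.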
diff --git a/patches.drm/gpu-ipu-v3-dp-fix-CSC-handling.patch b/patches.drm/gpu-ipu-v3-dp-fix-CSC-handling.patch
new file mode 100644
index 0000000000..088bcd1145
--- /dev/null
+++ b/patches.drm/gpu-ipu-v3-dp-fix-CSC-handling.patch
@@ -0,0 +1,71 @@
+From d4fad0a426c6e26f48c9a7cdd21a7fe9c198d645 Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Fri, 12 Apr 2019 17:59:40 +0200
+Subject: [PATCH] gpu: ipu-v3: dp: fix CSC handling
+Git-commit: d4fad0a426c6e26f48c9a7cdd21a7fe9c198d645
+Patch-mainline: v5.1-rc7
+References: bsc#1051510
+
+Initialize the flow input colorspaces to unknown and reset to that value
+when the channel gets disabled. This avoids the state getting mixed up
+with a previous mode.
+
+Also keep the CSC settings for the background flow intact when disabling
+the foreground flow.
+
+Root-caused-by: Jonathan Marek <jonathan@marek.ca>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/ipu-v3/ipu-dp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/ipu-v3/ipu-dp.c b/drivers/gpu/ipu-v3/ipu-dp.c
+index 9b2b3fa479c4..5e44ff1f2085 100644
+--- a/drivers/gpu/ipu-v3/ipu-dp.c
++++ b/drivers/gpu/ipu-v3/ipu-dp.c
+@@ -195,7 +195,8 @@ int ipu_dp_setup_channel(struct ipu_dp *dp,
+ ipu_dp_csc_init(flow, flow->foreground.in_cs, flow->out_cs,
+ DP_COM_CONF_CSC_DEF_BOTH);
+ } else {
+- if (flow->foreground.in_cs == flow->out_cs)
++ if (flow->foreground.in_cs == IPUV3_COLORSPACE_UNKNOWN ||
++ flow->foreground.in_cs == flow->out_cs)
+ /*
+ * foreground identical to output, apply color
+ * conversion on background
+@@ -261,6 +262,8 @@ void ipu_dp_disable_channel(struct ipu_dp *dp, bool sync)
+ struct ipu_dp_priv *priv = flow->priv;
+ u32 reg, csc;
+
++ dp->in_cs = IPUV3_COLORSPACE_UNKNOWN;
++
+ if (!dp->foreground)
+ return;
+
+@@ -268,8 +271,9 @@ void ipu_dp_disable_channel(struct ipu_dp *dp, bool sync)
+
+ reg = readl(flow->base + DP_COM_CONF);
+ csc = reg & DP_COM_CONF_CSC_DEF_MASK;
+- if (csc == DP_COM_CONF_CSC_DEF_FG)
+- reg &= ~DP_COM_CONF_CSC_DEF_MASK;
++ reg &= ~DP_COM_CONF_CSC_DEF_MASK;
++ if (csc == DP_COM_CONF_CSC_DEF_BOTH || csc == DP_COM_CONF_CSC_DEF_BG)
++ reg |= DP_COM_CONF_CSC_DEF_BG;
+
+ reg &= ~DP_COM_CONF_FG_EN;
+ writel(reg, flow->base + DP_COM_CONF);
+@@ -347,6 +351,8 @@ int ipu_dp_init(struct ipu_soc *ipu, struct device *dev, unsigned long base)
+ mutex_init(&priv->mutex);
+
+ for (i = 0; i < IPUV3_NUM_FLOWS; i++) {
++ priv->flow[i].background.in_cs = IPUV3_COLORSPACE_UNKNOWN;
++ priv->flow[i].foreground.in_cs = IPUV3_COLORSPACE_UNKNOWN;
+ priv->flow[i].foreground.foreground = true;
+ priv->flow[i].base = priv->base + ipu_dp_flow_base[i];
+ priv->flow[i].priv = priv;
+--
+2.16.4
+
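Review bot: In ipu_dp_disable_channel the added `dp->in_cs = IPUV3_COLORSPACE_UNKNOWN;` sits ahead of the `if (!dp->foreground) return;` check, and no lock is taken in the lines visible before it, although ipu_dp_init shows that a `priv->mutex` exists. If ipu_dp_setup_channel reads `in_cs` under that mutex (not visible here), the reset should be made under it too, or a comment should say why an unlocked store is safe. The lines between the second and third inner hunk are not shown, so the lock placement needs checking against the full function.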
diff --git a/patches.fixes/0001-netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dost.patch b/patches.fixes/0001-netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dost.patch
new file mode 100644
index 0000000000..047cf3ba05
--- /dev/null
+++ b/patches.fixes/0001-netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dost.patch
@@ -0,0 +1,37 @@
+From: Jann Horn <jannh@google.com>
+Subject: netfilter: nf_log: fix uninit read in
+ nf_log_proc_dostring
+Patch-mainline: v4.18-rc4
+Git-commit: dffd22aed2aa1e804bccf19b30a421e89ee2ae61
+References: git-fixes
+
+When proc_dostring() is called with a non-zero offset in strict mode, it
+doesn't just write to the ->data buffer, it also reads. Make sure it
+doesn't read uninitialized data.
+
+Fixes: c6ac37d8d884 ("netfilter: nf_log: fix error on write NONE to [...]")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nf_log.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
+index 8bb152a7cca4..91dad1afab05 100644
+--- a/net/netfilter/nf_log.c
++++ b/net/netfilter/nf_log.c
+@@ -440,6 +440,10 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write,
+ if (write) {
+ struct ctl_table tmp = *table;
+
++ /* proc_dostring() can append to existing strings, so we need to
++ * initialize it as an empty string.
++ */
++ buf[0] = '\0';
+ tmp.data = buf;
+ r = proc_dostring(&tmp, write, buffer, lenp, ppos);
+ if (r)
+--
+2.12.3
+
diff --git a/patches.fixes/0001-netlink-fix-uninit-value-in-netlink_sendmsg.patch b/patches.fixes/0001-netlink-fix-uninit-value-in-netlink_sendmsg.patch
new file mode 100644
index 0000000000..b46b050f49
--- /dev/null
+++ b/patches.fixes/0001-netlink-fix-uninit-value-in-netlink_sendmsg.patch
@@ -0,0 +1,36 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: netlink: fix uninit-value in netlink_sendmsg
+Patch-mainline: v4.17-rc1
+Git-commit: 6091f09c2f79730d895149bcfe3d66140288cd0e
+References: git-fixes
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in ffs arch/x86/include/asm/bitops.h:432 [inline]
+BUG: KMSAN: uninit-value in netlink_sendmsg+0xb26/0x1310 net/netlink/af_netlink.c:1851
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netlink/af_netlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 3e012d578ccd..70cf781ececb 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1812,6 +1812,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+
+ if (msg->msg_namelen) {
+ err = -EINVAL;
++ if (msg->msg_namelen < sizeof(struct sockaddr_nl))
++ goto out;
+ if (addr->nl_family != AF_NETLINK)
+ goto out;
+ dst_portid = addr->nl_pid;
+--
+2.12.3
+
diff --git a/patches.fixes/0001-packet-fix-reserve-calculation.patch b/patches.fixes/0001-packet-fix-reserve-calculation.patch
new file mode 100644
index 0000000000..4031fe8608
--- /dev/null
+++ b/patches.fixes/0001-packet-fix-reserve-calculation.patch
@@ -0,0 +1,49 @@
+From: Willem de Bruijn <willemb@google.com>
+Subject: packet: fix reserve calculation
+Patch-mainline: v4.17-rc7
+Git-commit: 9aad13b087ab0a588cd68259de618f100053360e
+References: git-fixes
+
+
+Commit b84bbaf7a6c8 ("packet: in packet_snd start writing at link
+layer allocation") ensures that packet_snd always starts writing
+the link layer header in reserved headroom allocated for this
+purpose.
+
+This is needed because packets may be shorter than hard_header_len,
+in which case the space up to hard_header_len may be zeroed. But
+that necessary padding is not accounted for in skb->len.
+
+The fix, however, is buggy. It calls skb_push, which grows skb->len
+when moving skb->data back. But in this case packet length should not
+change.
+
+Instead, call skb_reserve, which moves both skb->data and skb->tail
+back, without changing length.
+
+Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation")
+Reported-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/packet/af_packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 901618eb2725..9689622eaef7 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2933,7 +2933,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+ if (unlikely(offset < 0))
+ goto out_free;
+ } else if (reserve) {
+- skb_push(skb, reserve);
++ skb_reserve(skb, -reserve);
+ }
+
+ /* Returns -EFAULT on error */
+--
+2.12.3
+
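Review bot: `skb_reserve(skb, -reserve);` in packet_snd passes a negative length to a helper that a reader expects to add headroom, and the line has no comment saying this is deliberate. A comment above the call, `/* move data and tail back into the ll headroom; skb->len must not change */`, would keep the reasoning from the commit message with the code. The declaration of `reserve` is outside the hunk; the negation only means what is intended if it is a signed type, which should be confirmed.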
diff --git a/patches.fixes/0001-tools-lib-traceevent-Fix-missing-equality-check-for-.patch b/patches.fixes/0001-tools-lib-traceevent-Fix-missing-equality-check-for-.patch
new file mode 100644
index 0000000000..9cbd9afd6c
--- /dev/null
+++ b/patches.fixes/0001-tools-lib-traceevent-Fix-missing-equality-check-for-.patch
@@ -0,0 +1,60 @@
+From f32c2877bcb068a718bb70094cd59ccc29d4d082 Mon Sep 17 00:00:00 2001
+From: Rikard Falkeborn <rikard.falkeborn@gmail.com>
+Date: Tue, 9 Apr 2019 11:15:29 +0200
+Subject: [PATCH] tools lib traceevent: Fix missing equality check for strcmp
+Git-commit: f32c2877bcb068a718bb70094cd59ccc29d4d082
+Patch-mainline: v5.1
+References: bsc#1129770
+
+There was a missing comparison with 0 when checking if type is "s64" or
+"u64". Therefore, the body of the if-statement was entered if "type" was
+"u64" or not "s64", which made the first strcmp() redundant since if
+type is "u64", it's not "s64".
+
+If type is "s64", the body of the if-statement is not entered but since
+the remainder of the function consists of if-statements which will not
+be entered if type is "s64", we will just return "val", which is
+correct, albeit at the cost of a few more calls to strcmp(), i.e., it
+will behave just as if the if-statement was entered.
+
+If type is neither "s64" or "u64", the body of the if-statement will be
+entered incorrectly and "val" returned. This means that any type that is
+checked after "s64" and "u64" is handled the same way as "s64" and
+"u64", i.e., the limiting of "val" to fit in for example "s8" is never
+reached.
+
+This was introduced in the kernel tree when the sources were copied from
+trace-cmd in commit f7d82350e597 ("tools/events: Add files to create
+libtraceevent.a"), and in the trace-cmd repo in 1cdbae6035cei
+("Implement typecasting in parser") when the function was introduced,
+i.e., it has always behaved the wrong way.
+
+Detected by cppcheck.
+
+Signed-off-by: Rikard Falkeborn <rikard.falkeborn@gmail.com>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: Tzvetomir Stoyanov <tstoyanov@vmware.com>
+Fixes: f7d82350e597 ("tools/events: Add files to create libtraceevent.a")
+Link: http://lkml.kernel.org/r/20190409091529.2686-1-rikard.falkeborn@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Reviewed-by: Fabian Baumanis <fabian.baumanis@suse.com>
+---
+ tools/lib/traceevent/event-parse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
+index 87494c7c619d..981c6ce2da2c 100644
+--- a/tools/lib/traceevent/event-parse.c
++++ b/tools/lib/traceevent/event-parse.c
+@@ -2233,7 +2233,7 @@ eval_type_str(unsigned long long val, const char *type, int pointer)
+ return val & 0xffffffff;
+
+ if (strcmp(type, "u64") == 0 ||
+- strcmp(type, "s64"))
++ strcmp(type, "s64") == 0)
+ return val;
+
+ if (strcmp(type, "s8") == 0)
+--
+2.16.4
+
diff --git a/patches.fixes/0001-x86-speculation-mds-Fix-documentation-typo.patch b/patches.fixes/0001-x86-speculation-mds-Fix-documentation-typo.patch
new file mode 100644
index 0000000000..ad682831da
--- /dev/null
+++ b/patches.fixes/0001-x86-speculation-mds-Fix-documentation-typo.patch
@@ -0,0 +1,34 @@
+From 95310e348a321b45fb746c176961d4da72344282 Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Tue, 7 May 2019 15:05:22 -0500
+Subject: [PATCH] x86/speculation/mds: Fix documentation typo
+Git-commit: 95310e348a321b45fb746c176961d4da72344282
+Patch-mainline: v5.2-rc1
+References: bsc#1135642
+
+Fix a minor typo in the MDS documentation: "eanbled" -> "enabled".
+
+Reported-by: Jeff Bastian <jbastian@redhat.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Fabian Baumanis <fabian.baumanis@suse.com>
+---
+ Documentation/x86/mds.rst | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst
+index 979945be257a..534e9baa4e1d 100644
+--- a/Documentation/x86/mds.rst
++++ b/Documentation/x86/mds.rst
+@@ -116,7 +116,7 @@ Kernel internal mitigation modes
+ off Mitigation is disabled. Either the CPU is not affected or
+ mds=off is supplied on the kernel command line
+
+- full Mitigation is eanbled. CPU is affected and MD_CLEAR is
++ full Mitigation is enabled. CPU is affected and MD_CLEAR is
+ advertised in CPUID.
+
+ vmwerv Mitigation is enabled. CPU is affected and MD_CLEAR is not
+--
+2.16.4
+
diff --git a/patches.fixes/0002-net-fix-rtnh_ok.patch b/patches.fixes/0002-net-fix-rtnh_ok.patch
new file mode 100644
index 0000000000..ff95b40996
--- /dev/null
+++ b/patches.fixes/0002-net-fix-rtnh_ok.patch
@@ -0,0 +1,40 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: fix rtnh_ok()
+Patch-mainline: v4.17-rc1
+Git-commit: b1993a2de12c9e75c35729e2ffbc3a92d50c0d31
+References: git-fixes
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in rtnh_ok include/net/nexthop.h:11 [inline]
+BUG: KMSAN: uninit-value in fib_count_nexthops net/ipv4/fib_semantics.c:469 [inline]
+BUG: KMSAN: uninit-value in fib_create_info+0x554/0x8d20 net/ipv4/fib_semantics.c:1091
+
+@remaining is an integer, coming from user space.
+If it is negative we want rtnh_ok() to return false.
+
+Fixes: 4e902c57417c ("[IPv4]: FIB configuration using struct fib_config")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ include/net/nexthop.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/nexthop.h b/include/net/nexthop.h
+index 3334dbfa5aa4..7fc78663ec9d 100644
+--- a/include/net/nexthop.h
++++ b/include/net/nexthop.h
+@@ -6,7 +6,7 @@
+
+ static inline int rtnh_ok(const struct rtnexthop *rtnh, int remaining)
+ {
+- return remaining >= sizeof(*rtnh) &&
++ return remaining >= (int)sizeof(*rtnh) &&
+ rtnh->rtnh_len >= sizeof(*rtnh) &&
+ rtnh->rtnh_len <= remaining;
+ }
+--
+2.12.3
+
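Review bot: The `(int)` cast in the first comparison of rtnh_ok is what stops a negative `remaining` from being converted to an unsigned value, but the line does not say so and the cast looks removable to a later cleanup. A comment such as `/* remaining comes from user space and may be negative; compare as int */` would protect it. The two reads of `rtnh->rtnh_len` that follow rely on this first test having already rejected a too-small `remaining` through short-circuit evaluation, which is worth stating in the same comment.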
diff --git a/patches.fixes/0002-netfilter-nf_log-don-t-hold-nf_log_mutex-during-user.patch b/patches.fixes/0002-netfilter-nf_log-don-t-hold-nf_log_mutex-during-user.patch
new file mode 100644
index 0000000000..7a3835aa28
--- /dev/null
+++ b/patches.fixes/0002-netfilter-nf_log-don-t-hold-nf_log_mutex-during-user.patch
@@ -0,0 +1,52 @@
+From: Jann Horn <jannh@google.com>
+Subject: netfilter: nf_log: don't hold nf_log_mutex during user
+ access
+Patch-mainline: v4.18-rc4
+Git-commit: ce00bf07cc95a57cd20b208e02b3c2604e532ae8
+References: git-fixes
+
+
+The old code would indefinitely block other users of nf_log_mutex if
+a userspace access in proc_dostring() blocked e.g. due to a userfaultfd
+region. Fix it by moving proc_dostring() out of the locked region.
+
+This is a followup to commit 266d07cb1c9a ("netfilter: nf_log: fix
+sleeping function called from invalid context"), which changed this code
+from using rcu_read_lock() to taking nf_log_mutex.
+
+Fixes: 266d07cb1c9a ("netfilter: nf_log: fix sleeping function calle[...]")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nf_log.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
+index 91dad1afab05..cdc744aa5889 100644
+--- a/net/netfilter/nf_log.c
++++ b/net/netfilter/nf_log.c
+@@ -462,14 +462,17 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write,
+ rcu_assign_pointer(net->nf.nf_loggers[tindex], logger);
+ mutex_unlock(&nf_log_mutex);
+ } else {
++ struct ctl_table tmp = *table;
++
++ tmp.data = buf;
+ mutex_lock(&nf_log_mutex);
+ logger = nft_log_dereference(net->nf.nf_loggers[tindex]);
+ if (!logger)
+- table->data = "NONE";
++ strlcpy(buf, "NONE", sizeof(buf));
+ else
+- table->data = logger->name;
+- r = proc_dostring(table, write, buffer, lenp, ppos);
++ strlcpy(buf, logger->name, sizeof(buf));
+ mutex_unlock(&nf_log_mutex);
++ r = proc_dostring(&tmp, write, buffer, lenp, ppos);
+ }
+
+ return r;
+--
+2.12.3
+
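Review bot: In the read branch of nf_log_proc_dostring, `tmp` is copied from `*table` and only `tmp.data` is redirected to `buf`, so proc_dostring() still works with the table's `maxlen`, and the hunk does not show that this equals `sizeof(buf)`. Setting `tmp.maxlen = sizeof(buf);` next to `tmp.data = buf;`, or a comment stating that the two sizes match, would make the bound local to the function. `strlcpy(buf, logger->name, sizeof(buf))` also truncates without notice if a logger name is longer than `buf`; the declaration of `buf` is outside the hunk.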
diff --git a/patches.fixes/0002-packet-reset-network-header-if-packet-shorter-than-l.patch b/patches.fixes/0002-packet-reset-network-header-if-packet-shorter-than-l.patch
new file mode 100644
index 0000000000..a826f3d726
--- /dev/null
+++ b/patches.fixes/0002-packet-reset-network-header-if-packet-shorter-than-l.patch
@@ -0,0 +1,37 @@
+From: Willem de Bruijn <willemb@google.com>
+Subject: packet: reset network header if packet shorter than ll
+ reserved space
+Patch-mainline: v4.18-rc6
+Git-commit: 993675a3100b16a4c80dfd70cbcde8ea7127b31d
+References: git-fixes
+
+If variable length link layer headers result in a packet shorter
+than dev->hard_header_len, reset the network header offset. Else
+skb->mac_len may exceed skb->len after skb_mac_reset_len.
+
+packet_sendmsg_spkt already has similar logic.
+
+Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 9689622eaef7..cf7652bb2218 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2934,6 +2934,8 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+ goto out_free;
+ } else if (reserve) {
+ skb_reserve(skb, -reserve);
++ if (len < reserve)
++ skb_reset_network_header(skb);
+ }
+
+ /* Returns -EFAULT on error */
+--
+2.12.3
+
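Review bot: The added `if (len < reserve)` check in packet_snd() carries no comment, and its reason (a variable-length link-layer header can leave the packet shorter than the reserved space, so skb->mac_len could exceed skb->len) exists only in the commit message. I would put it next to the code, e.g. `/* short frame: reset so mac_len cannot exceed skb->len */`. The comparison also mixes `size_t len` with `reserve`, whose declaration is outside the hunk; if it is a signed int the compare is done unsigned, which is only safe because this branch presumably runs with a positive reserve, so that is worth confirming. packet_snd() starts and ends outside the hunk.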
diff --git a/patches.fixes/0003-l2tp-fix-missing-refcount-drop-in-pppol2tp_tunnel_io.patch b/patches.fixes/0003-l2tp-fix-missing-refcount-drop-in-pppol2tp_tunnel_io.patch
new file mode 100644
index 0000000000..fbe8993bb3
--- /dev/null
+++ b/patches.fixes/0003-l2tp-fix-missing-refcount-drop-in-pppol2tp_tunnel_io.patch
@@ -0,0 +1,48 @@
+From: Guillaume Nault <g.nault@alphalink.fr>
+Subject: l2tp: fix missing refcount drop in
+ pppol2tp_tunnel_ioctl()
+Patch-mainline: v4.18-rc8
+Git-commit: f664e37dcc525768280cb94321424a09beb1c992
+References: git-fixes
+
+If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to
+drop the reference taken by l2tp_session_get().
+
+Fixes: ecd012e45ab5 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/l2tp/l2tp_ppp.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 3cd4cce8338c..93d4c72e4ee5 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -1214,13 +1214,18 @@ static int pppol2tp_tunnel_ioctl(struct l2tp_tunnel *tunnel,
+ l2tp_session_get(sock_net(sk), tunnel,
+ stats.session_id);
+
+- if (session && session->pwtype == L2TP_PWTYPE_PPP) {
+- err = pppol2tp_session_ioctl(session, cmd,
+- arg);
++ if (!session) {
++ err = -EBADR;
++ break;
++ }
++ if (session->pwtype != L2TP_PWTYPE_PPP) {
+ l2tp_session_dec_refcount(session);
+- } else {
+ err = -EBADR;
++ break;
+ }
++
++ err = pppol2tp_session_ioctl(session, cmd, arg);
++ l2tp_session_dec_refcount(session);
+ break;
+ }
+ #ifdef CONFIG_XFRM
+--
+2.12.3
+
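Review bot: In pppol2tp_tunnel_ioctl() the reference taken by l2tp_session_get() is now dropped in two separate places, once in the wrong-pwtype branch and once after pppol2tp_session_ioctl(), which is the same shape that produced the leak this patch fixes. After the NULL check a single release point would be harder to break: `err = session->pwtype == L2TP_PWTYPE_PPP ? pppol2tp_session_ioctl(session, cmd, arg) : -EBADR;` followed by one `l2tp_session_dec_refcount(session);`. The enclosing switch case and function continue outside the hunk.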
diff --git a/patches.fixes/0003-net-initialize-skb-peeked-when-cloning.patch b/patches.fixes/0003-net-initialize-skb-peeked-when-cloning.patch
new file mode 100644
index 0000000000..9f11b92b6c
--- /dev/null
+++ b/patches.fixes/0003-net-initialize-skb-peeked-when-cloning.patch
@@ -0,0 +1,35 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: net: initialize skb->peeked when cloning
+Patch-mainline: v4.17-rc1
+Git-commit: b13dda9f9aa7caceeee61c080c2e544d5f5d85e5
+References: git-fixes
+
+syzbot reported __skb_try_recv_from_queue() was using skb->peeked
+while it was potentially unitialized.
+
+We need to clear it in __skb_clone()
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/core/skbuff.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 4fd1eec0b79f..c160048283bc 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -896,6 +896,7 @@ static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb)
+ n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len;
+ n->cloned = 1;
+ n->nohdr = 0;
++ n->peeked = 0;
+ n->destructor = NULL;
+ C(tail);
+ C(end);
+--
+2.12.3
+
diff --git a/patches.fixes/0003-xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch b/patches.fixes/0003-xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
new file mode 100644
index 0000000000..b84a27b9a0
--- /dev/null
+++ b/patches.fixes/0003-xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
@@ -0,0 +1,116 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: xfrm_user: prevent leaking 2 bytes of kernel memory
+Patch-mainline: v4.18-rc8
+Git-commit: 45c180bc29babbedd6b8c01b975780ef44d9d09c
+References: git-fixes
+
+struct xfrm_userpolicy_type has two holes, so we should not
+use C99 style initializer.
+
+KMSAN report:
+
+BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
+BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
+CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
+ kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
+ kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
+ copyout lib/iov_iter.c:140 [inline]
+ _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
+ copy_to_iter include/linux/uio.h:106 [inline]
+ skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
+ skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
+ netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
+ sock_recvmsg_nosec net/socket.c:802 [inline]
+ sock_recvmsg+0x1d6/0x230 net/socket.c:809
+ ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
+ __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
+ do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
+ __do_sys_recvmmsg net/socket.c:2485 [inline]
+ __se_sys_recvmmsg net/socket.c:2481 [inline]
+ __x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
+ do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x446ce9
+RSP: 002b:00007fc307918db8 EFLAGS: 00000293 ORIG_RAX: 000000000000012b
+RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446ce9
+RDX: 000000000000000a RSI: 0000000020005040 RDI: 0000000000000003
+RBP: 00000000006dbc20 R08: 0000000020004e40 R09: 0000000000000000
+R10: 0000000040000000 R11: 0000000000000293 R12: 0000000000000000
+R13: 00007ffc8d2df32f R14: 00007fc3079199c0 R15: 0000000000000001
+
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
+ kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
+ __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
+ __nla_put lib/nlattr.c:569 [inline]
+ nla_put+0x276/0x340 lib/nlattr.c:627
+ copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
+ dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
+ xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
+ xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
+ netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
+ __netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
+ netlink_dump_start include/linux/netlink.h:214 [inline]
+ xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
+ netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
+ xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+Local variable description: ----upt.i@dump_one_policy
+Variable was created at:
+ dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
+ xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
+
+Byte 130 of 137 is uninitialized
+Memory access starts at ffff88019550407f
+
+Fixes: c0144beaeca42 ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_user.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index e2287bc70691..5e8f4f3fbe6b 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1642,9 +1642,11 @@ static inline size_t userpolicy_type_attrsize(void)
+ #ifdef CONFIG_XFRM_SUB_POLICY
+ static int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
+ {
+- struct xfrm_userpolicy_type upt = {
+- .type = type,
+- };
++ struct xfrm_userpolicy_type upt;
++
++ /* Sadly there are two holes in struct xfrm_userpolicy_type */
++ memset(&upt, 0, sizeof(upt));
++ upt.type = type;
+
+ return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
+ }
+--
+2.12.3
+
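Review bot: The new comment in copy_to_user_policy_type() says the struct has two holes but not why that matters here: all of `upt`, padding included, is copied into the netlink message by `nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt)` and from there reaches userspace. A designated initializer is not guaranteed to clear padding bytes, which is why memset() is needed. I would say so in the comment, e.g. `/* memset, not an initializer: padding is copied out by nla_put() and must be zero */`, so that a later cleanup does not restore the initializer. Other structs in this file passed to nla_put() by address may deserve the same check; they are outside this hunk.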
diff --git a/patches.fixes/0004-net-fix-uninit-value-in-__hw_addr_add_ex.patch b/patches.fixes/0004-net-fix-uninit-value-in-__hw_addr_add_ex.patch
new file mode 100644
index 0000000000..61ccd449bc
--- /dev/null
+++ b/patches.fixes/0004-net-fix-uninit-value-in-__hw_addr_add_ex.patch
@@ -0,0 +1,57 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: net: fix uninit-value in __hw_addr_add_ex()
+Patch-mainline: v4.17-rc1
+Git-commit: 77d36398d99f2565c0a8d43a86fd520a82e64bb8
+References: git-fixes
+
+syzbot complained :
+
+BUG: KMSAN: uninit-value in memcmp+0x119/0x180 lib/string.c:861
+CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: ipv6_addrconf addrconf_dad_work
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ memcmp+0x119/0x180 lib/string.c:861
+ __hw_addr_add_ex net/core/dev_addr_lists.c:60 [inline]
+ __dev_mc_add+0x1c2/0x8e0 net/core/dev_addr_lists.c:670
+ dev_mc_add+0x6d/0x80 net/core/dev_addr_lists.c:687
+ igmp6_group_added+0x2db/0xa00 net/ipv6/mcast.c:662
+ ipv6_dev_mc_inc+0xe9e/0x1130 net/ipv6/mcast.c:914
+ addrconf_join_solict net/ipv6/addrconf.c:2078 [inline]
+ addrconf_dad_begin net/ipv6/addrconf.c:3828 [inline]
+ addrconf_dad_work+0x427/0x2150 net/ipv6/addrconf.c:3954
+ process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
+ worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
+ kthread+0x539/0x720 kernel/kthread.c:239
+
+Fixes: f001fde5eadd ("net: introduce a list of device addresses dev_addr_list (v6)")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/core/dev_addr_lists.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c
+index c0548d268e1a..e3e6a3e2ca22 100644
+--- a/net/core/dev_addr_lists.c
++++ b/net/core/dev_addr_lists.c
+@@ -57,8 +57,8 @@ static int __hw_addr_add_ex(struct netdev_hw_addr_list *list,
+ return -EINVAL;
+
+ list_for_each_entry(ha, &list->list, list) {
+- if (!memcmp(ha->addr, addr, addr_len) &&
+- ha->type == addr_type) {
++ if (ha->type == addr_type &&
++ !memcmp(ha->addr, addr, addr_len)) {
+ if (global) {
+ /* check if addr is already used as global */
+ if (ha->global_use)
+--
+2.12.3
+
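Review bot: The order of the two conditions in the `if` inside __hw_addr_add_ex() is now what keeps memcmp() from running on entries of a different type, yet nothing in the code says the order matters. The commit message gives only the KMSAN trace, so the source of the uninitialised bytes is not stated; presumably entries of another type can hold fewer initialised bytes than addr_len. A short comment such as `/* check type first: memcmp() only on entries of the same type */` would keep the conditions from being swapped back during a cleanup. The function body continues outside the hunk.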
diff --git a/patches.fixes/0004-rxrpc-Fix-transport-sockopts-to-get-IPv4-errors-on-a.patch b/patches.fixes/0004-rxrpc-Fix-transport-sockopts-to-get-IPv4-errors-on-a.patch
new file mode 100644
index 0000000000..b3b9fdbd1c
--- /dev/null
+++ b/patches.fixes/0004-rxrpc-Fix-transport-sockopts-to-get-IPv4-errors-on-a.patch
@@ -0,0 +1,82 @@
+From: David Howells <dhowells@redhat.com>
+Subject: rxrpc: Fix transport sockopts to get IPv4 errors on an
+ IPv6 socket
+Patch-mainline: v4.19-rc7
+Git-commit: 37a675e768d7606fe8a53e0c459c9b53e121ac20
+References: git-fixes
+
+It seems that enabling IPV6_RECVERR on an IPv6 socket doesn't also turn on
+IP_RECVERR, so neither local errors nor ICMP-transported remote errors from
+IPv4 peer addresses are returned to the AF_RXRPC protocol.
+
+Make the sockopt setting code in rxrpc_open_socket() fall through from the
+AF_INET6 case to the AF_INET case to turn on all the AF_INET options too in
+the AF_INET6 case.
+
+Fixes: f2aeed3a591f ("rxrpc: Fix error reception on AF_INET6 sockets")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/rxrpc/local_object.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c
+index adc49d8285bf..852a036c775e 100644
+--- a/net/rxrpc/local_object.c
++++ b/net/rxrpc/local_object.c
+@@ -134,10 +134,10 @@ static int rxrpc_open_socket(struct rxrpc_local *local)
+ }
+
+ switch (local->srx.transport.family) {
+- case AF_INET:
+- /* we want to receive ICMP errors */
++ case AF_INET6:
++ /* we want to receive ICMPv6 errors */
+ opt = 1;
+- ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_RECVERR,
+ (char *) &opt, sizeof(opt));
+ if (ret < 0) {
+ _debug("setsockopt failed");
+@@ -145,19 +145,22 @@ static int rxrpc_open_socket(struct rxrpc_local *local)
+ }
+
+ /* we want to set the don't fragment bit */
+- opt = IP_PMTUDISC_DO;
+- ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
++ opt = IPV6_PMTUDISC_DO;
++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_MTU_DISCOVER,
+ (char *) &opt, sizeof(opt));
+ if (ret < 0) {
+ _debug("setsockopt failed");
+ goto error;
+ }
+- break;
+
+- case AF_INET6:
++ /* Fall through and set IPv4 options too otherwise we don't get
++ * errors from IPv4 packets sent through the IPv6 socket.
++ */
++
++ case AF_INET:
+ /* we want to receive ICMP errors */
+ opt = 1;
+- ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_RECVERR,
++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
+ (char *) &opt, sizeof(opt));
+ if (ret < 0) {
+ _debug("setsockopt failed");
+@@ -165,8 +168,8 @@ static int rxrpc_open_socket(struct rxrpc_local *local)
+ }
+
+ /* we want to set the don't fragment bit */
+- opt = IPV6_PMTUDISC_DO;
+- ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_MTU_DISCOVER,
++ opt = IP_PMTUDISC_DO;
++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
+ (char *) &opt, sizeof(opt));
+ if (ret < 0) {
+ _debug("setsockopt failed");
+--
+2.12.3
+
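Review bot: After this change an AF_INET6 transport runs four kernel_setsockopt() calls in rxrpc_open_socket(), and every failure path logs the same `_debug("setsockopt failed")`, so a failure no longer shows which level or option was rejected. Naming the option in each message, e.g. `_debug("setsockopt IP_RECVERR failed")`, would make a rejected IPv4 option on an IPv6 socket diagnosable. The fall-through comment also carries explanatory text after the marker words; a plain `/* Fall through */` directly above `case AF_INET:`, with the explanation in a separate comment, is the form that implicit-fallthrough checks recognise most reliably. The function starts and ends outside the hunks.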
diff --git a/patches.fixes/0004-xfrm-fix-missing-dst_release-after-policy-blocking-l.patch b/patches.fixes/0004-xfrm-fix-missing-dst_release-after-policy-blocking-l.patch
new file mode 100644
index 0000000000..1b96095957
--- /dev/null
+++ b/patches.fixes/0004-xfrm-fix-missing-dst_release-after-policy-blocking-l.patch
@@ -0,0 +1,70 @@
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+Subject: xfrm: fix missing dst_release() after policy blocking
+ lbcast and multicast
+Patch-mainline: v4.18-rc8
+Git-commit: 8cc88773855f988d6a3bbf102bbd9dd9c828eb81
+References: git-fixes
+
+
+Fix missing dst_release() when local broadcast or multicast traffic is
+xfrm policy blocked.
+
+For IPv4 this results to dst leak: ip_route_output_flow() allocates
+dst_entry via __ip_route_output_key() and passes it to
+xfrm_lookup_route(). xfrm_lookup returns ERR_PTR(-EPERM) that is
+propagated. The dst that was allocated is never released.
+
+IPv4 local broadcast testcase:
+ ping -b 192.168.1.255 &
+ sleep 1
+ ip xfrm policy add src 0.0.0.0/0 dst 192.168.1.255/32 dir out action block
+
+IPv4 multicast testcase:
+ ping 224.0.0.1 &
+ sleep 1
+ ip xfrm policy add src 0.0.0.0/0 dst 224.0.0.1/32 dir out action block
+
+For IPv6 the missing dst_release() causes trouble e.g. when used in netns:
+ ip netns add TEST
+ ip netns exec TEST ip link set lo up
+ ip link add dummy0 type dummy
+ ip link set dev dummy0 netns TEST
+ ip netns exec TEST ip addr add fd00::1111 dev dummy0
+ ip netns exec TEST ip link set dummy0 up
+ ip netns exec TEST ping -6 -c 5 ff02::1%dummy0 &
+ sleep 1
+ ip netns exec TEST ip xfrm policy add src ::/0 dst ff02::1 dir out action block
+ wait
+ ip netns del TEST
+
+After netns deletion we see:
+[ 258.239097] unregister_netdevice: waiting for lo to become free. Usage count = 2
+[ 268.279061] unregister_netdevice: waiting for lo to become free. Usage count = 2
+[ 278.367018] unregister_netdevice: waiting for lo to become free. Usage count = 2
+[ 288.375259] unregister_netdevice: waiting for lo to become free. Usage count = 2
+
+Fixes: ac37e2515c1a ("xfrm: release dst_orig in case of error in xfrm_lookup()")
+Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_policy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 736bddd6bf0d..e86a65292879 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -2350,6 +2350,9 @@ struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig,
+ if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)
+ return make_blackhole(net, dst_orig->ops->family, dst_orig);
+
++ if (IS_ERR(dst))
++ dst_release(dst_orig);
++
+ return dst;
+ }
+ EXPORT_SYMBOL(xfrm_lookup_route);
+--
+2.12.3
+
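Review bot: With the added `if (IS_ERR(dst)) dst_release(dst_orig);` xfrm_lookup_route() consumes the caller's reference on dst_orig on every error return, and that ownership rule is not written down anywhere in the hunk. A caller that still releases dst_orig after an error would now drop the reference twice, so the contract belongs in a comment at the check or above the function, e.g. `/* on error the reference on dst_orig is released here; callers must not release it again */`. The callers are outside this hunk, so whether any of them does so cannot be confirmed from here.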
diff --git a/patches.fixes/0005-inetpeer-fix-uninit-value-in-inet_getpeer.patch b/patches.fixes/0005-inetpeer-fix-uninit-value-in-inet_getpeer.patch
new file mode 100644
index 0000000000..1a25b0ee0f
--- /dev/null
+++ b/patches.fixes/0005-inetpeer-fix-uninit-value-in-inet_getpeer.patch
@@ -0,0 +1,119 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: inetpeer: fix uninit-value in inet_getpeer
+Patch-mainline: v4.17-rc1
+Git-commit: b6a37e5e25414df4b8e9140a5c6f5ee0ec6f3b90
+References: git-fixes
+
+syzbot/KMSAN reported that p->dtime was read while it was
+not yet initialized in :
+
+ delta = (__u32)jiffies - p->dtime;
+ if (delta < ttl || !refcount_dec_if_one(&p->refcnt))
+ gc_stack[i] = NULL;
+
+This is a false positive, because the inetpeer wont be erased
+from rb-tree if the refcount_dec_if_one(&p->refcnt) does not
+succeed. And this wont happen before first inet_putpeer() call
+for this inetpeer has been done, and ->dtime field is written
+exactly before the refcount_dec_and_test(&p->refcnt).
+
+The KMSAN report was :
+
+BUG: KMSAN: uninit-value in inet_peer_gc net/ipv4/inetpeer.c:163 [inline]
+BUG: KMSAN: uninit-value in inet_getpeer+0x1567/0x1e70 net/ipv4/inetpeer.c:228
+CPU: 0 PID: 9494 Comm: syz-executor5 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ inet_peer_gc net/ipv4/inetpeer.c:163 [inline]
+ inet_getpeer+0x1567/0x1e70 net/ipv4/inetpeer.c:228
+ inet_getpeer_v4 include/net/inetpeer.h:110 [inline]
+ icmpv4_xrlim_allow net/ipv4/icmp.c:330 [inline]
+ icmp_send+0x2b44/0x3050 net/ipv4/icmp.c:725
+ ip_options_compile+0x237c/0x29f0 net/ipv4/ip_options.c:472
+ ip_rcv_options net/ipv4/ip_input.c:284 [inline]
+ ip_rcv_finish+0xda8/0x16d0 net/ipv4/ip_input.c:365
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
+ __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
+ __netif_receive_skb net/core/dev.c:4627 [inline]
+ netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701
+ netif_receive_skb+0x230/0x240 net/core/dev.c:4725
+ tun_rx_batched drivers/net/tun.c:1555 [inline]
+ tun_get_user+0x6d88/0x7580 drivers/net/tun.c:1962
+ tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
+ do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
+ do_iter_write+0x30d/0xd40 fs/read_write.c:932
+ vfs_writev fs/read_write.c:977 [inline]
+ do_writev+0x3c9/0x830 fs/read_write.c:1012
+ SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
+ SyS_writev+0x56/0x80 fs/read_write.c:1082
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x455111
+RSP: 002b:00007fae0365cba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
+RAX: ffffffffffffffda RBX: 000000000000002e RCX: 0000000000455111
+RDX: 0000000000000001 RSI: 00007fae0365cbf0 RDI: 00000000000000fc
+RBP: 0000000020000040 R08: 00000000000000fc R09: 0000000000000000
+R10: 000000000000002e R11: 0000000000000293 R12: 00000000ffffffff
+R13: 0000000000000658 R14: 00000000006fc8e0 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
+ inet_getpeer+0xed8/0x1e70 net/ipv4/inetpeer.c:210
+ inet_getpeer_v4 include/net/inetpeer.h:110 [inline]
+ ip4_frag_init+0x4d1/0x740 net/ipv4/ip_fragment.c:153
+ inet_frag_alloc net/ipv4/inet_fragment.c:369 [inline]
+ inet_frag_create net/ipv4/inet_fragment.c:385 [inline]
+ inet_frag_find+0x7da/0x1610 net/ipv4/inet_fragment.c:418
+ ip_find net/ipv4/ip_fragment.c:275 [inline]
+ ip_defrag+0x448/0x67a0 net/ipv4/ip_fragment.c:676
+ ip_check_defrag+0x775/0xda0 net/ipv4/ip_fragment.c:724
+ packet_rcv_fanout+0x2a8/0x8d0 net/packet/af_packet.c:1447
+ deliver_skb net/core/dev.c:1897 [inline]
+ deliver_ptype_list_skb net/core/dev.c:1912 [inline]
+ __netif_receive_skb_core+0x314a/0x4a80 net/core/dev.c:4545
+ __netif_receive_skb net/core/dev.c:4627 [inline]
+ netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701
+ netif_receive_skb+0x230/0x240 net/core/dev.c:4725
+ tun_rx_batched drivers/net/tun.c:1555 [inline]
+ tun_get_user+0x6d88/0x7580 drivers/net/tun.c:1962
+ tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
+ do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
+ do_iter_write+0x30d/0xd40 fs/read_write.c:932
+ vfs_writev fs/read_write.c:977 [inline]
+ do_writev+0x3c9/0x830 fs/read_write.c:1012
+ SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
+ SyS_writev+0x56/0x80 fs/read_write.c:1082
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/inetpeer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
+index b20c8ac64081..64007ce87273 100644
+--- a/net/ipv4/inetpeer.c
++++ b/net/ipv4/inetpeer.c
+@@ -210,6 +210,7 @@ struct inet_peer *inet_getpeer(struct inet_peer_base *base,
+ p = kmem_cache_alloc(peer_cachep, GFP_ATOMIC);
+ if (p) {
+ p->daddr = *daddr;
++ p->dtime = (__u32)jiffies;
+ refcount_set(&p->refcnt, 2);
+ atomic_set(&p->rid, 0);
+ p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
+--
+2.12.3
+
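Review bot: The new `p->dtime = (__u32)jiffies;` in inet_getpeer() reads like required initialisation, while the commit message explains that the KMSAN report was a false positive and the field is rewritten before the entry can actually be reclaimed. Without a comment a reader will assume the garbage collector depends on this store. I would add `/* not needed for correctness; gives inet_peer_gc() a defined value to read (KMSAN) */` above it. The function continues outside the hunk.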
diff --git a/patches.fixes/0005-net-socket-fix-potential-spectre-v1-gadget-in-socket.patch b/patches.fixes/0005-net-socket-fix-potential-spectre-v1-gadget-in-socket.patch
new file mode 100644
index 0000000000..1e08c72521
--- /dev/null
+++ b/patches.fixes/0005-net-socket-fix-potential-spectre-v1-gadget-in-socket.patch
@@ -0,0 +1,47 @@
+From: Jeremy Cline <jcline@redhat.com>
+Subject: net: socket: fix potential spectre v1 gadget in
+ socketcall
+Patch-mainline: v4.18-rc8
+Git-commit: c8e8cd579bb4265651df8223730105341e61a2d1
+References: git-fixes
+
+'call' is a user-controlled value, so sanitize the array index after the
+bounds check to avoid speculating past the bounds of the 'nargs' array.
+
+Found with the help of Smatch:
+
+net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
+'nargs' [r] (local cap)
+
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/socket.c b/net/socket.c
+index 24bb6684bdda..6a0427b79727 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -89,6 +89,7 @@
+ #include <linux/magic.h>
+ #include <linux/slab.h>
+ #include <linux/xattr.h>
++#include <linux/nospec.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/unistd.h>
+@@ -2433,6 +2434,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
+
+ if (call < 1 || call > SYS_SENDMMSG)
+ return -EINVAL;
++ call = array_index_nospec(call, SYS_SENDMMSG + 1);
+
+ len = nargs[call];
+ if (len > sizeof(a))
+--
+2.12.3
+
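Review bot: The clamp `array_index_nospec(call, SYS_SENDMMSG + 1)` restates the size of `nargs` as a constant instead of taking it from the array, so the speculative bound and the array can drift apart if the table ever changes. `nargs` is declared outside the hunk; assuming it is a plain array with SYS_SENDMMSG + 1 entries, `call = array_index_nospec(call, ARRAY_SIZE(nargs));` would tie the two together. A one-line comment that `call` is user-controlled and indexes `nargs[]` just below would also explain why a clamp follows a bounds check that already returned -EINVAL. The syscall body continues outside the hunk.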
diff --git a/patches.fixes/0006-ipvs-fix-rtnl_lock-lockups-caused-by-start_sync_thre.patch b/patches.fixes/0006-ipvs-fix-rtnl_lock-lockups-caused-by-start_sync_thre.patch
new file mode 100644
index 0000000000..a3796b4c6b
--- /dev/null
+++ b/patches.fixes/0006-ipvs-fix-rtnl_lock-lockups-caused-by-start_sync_thre.patch
@@ -0,0 +1,641 @@
+From: Julian Anastasov <ja@ssi.bg>
+Subject: ipvs: fix rtnl_lock lockups caused by start_sync_thread
+Patch-mainline: v4.17-rc3
+Git-commit: 5c64576a77894a50be80be0024bed27171b55989
+References: git-fixes
+
+syzkaller reports for wrong rtnl_lock usage in sync code [1] and [2]
+
+We have 2 problems in start_sync_thread if error path is
+taken, eg. on memory allocation error or failure to configure
+sockets for mcast group or addr/port binding:
+
+1. recursive locking: holding rtnl_lock while calling sock_release
+which in turn calls again rtnl_lock in ip_mc_drop_socket to leave
+the mcast group, as noticed by Florian Westphal. Additionally,
+sock_release can not be called while holding sync_mutex (ABBA
+deadlock).
+
+2. task hung: holding rtnl_lock while calling kthread_stop to
+stop the running kthreads. As the kthreads do the same to leave
+the mcast group (sock_release -> ip_mc_drop_socket -> rtnl_lock)
+they hang.
+
+Fix the problems by calling rtnl_unlock early in the error path,
+now sock_release is called after unlocking both mutexes.
+
+Problem 3 (task hung reported by syzkaller [2]) is variant of
+problem 2: use _trylock to prevent one user to call rtnl_lock and
+then while waiting for sync_mutex to block kthreads that execute
+sock_release when they are stopped by stop_sync_thread.
+
+[1]
+IPVS: stopping backup sync thread 4500 ...
+WARNING: possible recursive locking detected
+4.16.0-rc7+ #3 Not tainted
+--------------------------------------------
+syzkaller688027/4497 is trying to acquire lock:
+ (rtnl_mutex){+.+.}, at: [<00000000bb14d7fb>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+
+but task is already holding lock:
+IPVS: stopping backup sync thread 4495 ...
+ (rtnl_mutex){+.+.}, at: [<00000000bb14d7fb>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(rtnl_mutex);
+ lock(rtnl_mutex);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+2 locks held by syzkaller688027/4497:
+ #0: (rtnl_mutex){+.+.}, at: [<00000000bb14d7fb>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+ #1: (ipvs->sync_mutex){+.+.}, at: [<00000000703f78e3>]
+do_ip_vs_set_ctl+0x10f8/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2388
+
+stack backtrace:
+CPU: 1 PID: 4497 Comm: syzkaller688027 Not tainted 4.16.0-rc7+ #3
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x194/0x24d lib/dump_stack.c:53
+ print_deadlock_bug kernel/locking/lockdep.c:1761 [inline]
+ check_deadlock kernel/locking/lockdep.c:1805 [inline]
+ validate_chain kernel/locking/lockdep.c:2401 [inline]
+ __lock_acquire+0xe8f/0x3e00 kernel/locking/lockdep.c:3431
+ lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
+ __mutex_lock_common kernel/locking/mutex.c:756 [inline]
+ __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
+ mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
+ rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
+ ip_mc_drop_socket+0x88/0x230 net/ipv4/igmp.c:2643
+ inet_release+0x4e/0x1c0 net/ipv4/af_inet.c:413
+ sock_release+0x8d/0x1e0 net/socket.c:595
+ start_sync_thread+0x2213/0x2b70 net/netfilter/ipvs/ip_vs_sync.c:1924
+ do_ip_vs_set_ctl+0x1139/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2389
+ nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
+ nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
+ ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1261
+ udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2406
+ sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
+ SYSC_setsockopt net/socket.c:1849 [inline]
+ SyS_setsockopt+0x189/0x360 net/socket.c:1828
+ do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x446a69
+RSP: 002b:00007fa1c3a64da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000446a69
+RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 00000000006e29fc R08: 0000000000000018 R09: 0000000000000000
+R10: 00000000200000c0 R11: 0000000000000246 R12: 00000000006e29f8
+R13: 00676e697279656b R14: 00007fa1c3a659c0 R15: 00000000006e2b60
+
+[2]
+IPVS: sync thread started: state = BACKUP, mcast_ifn = syz_tun, syncid = 4,
+id = 0
+IPVS: stopping backup sync thread 25415 ...
+INFO: task syz-executor7:25421 blocked for more than 120 seconds.
+ Not tainted 4.16.0-rc6+ #284
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+syz-executor7 D23688 25421 4408 0x00000004
+Call Trace:
+ context_switch kernel/sched/core.c:2862 [inline]
+ __schedule+0x8fb/0x1ec0 kernel/sched/core.c:3440
+ schedule+0xf5/0x430 kernel/sched/core.c:3499
+ schedule_timeout+0x1a3/0x230 kernel/time/timer.c:1777
+ do_wait_for_common kernel/sched/completion.c:86 [inline]
+ __wait_for_common kernel/sched/completion.c:107 [inline]
+ wait_for_common kernel/sched/completion.c:118 [inline]
+ wait_for_completion+0x415/0x770 kernel/sched/completion.c:139
+ kthread_stop+0x14a/0x7a0 kernel/kthread.c:530
+ stop_sync_thread+0x3d9/0x740 net/netfilter/ipvs/ip_vs_sync.c:1996
+ do_ip_vs_set_ctl+0x2b1/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2394
+ nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
+ nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
+ ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1253
+ sctp_setsockopt+0x2ca/0x63e0 net/sctp/socket.c:4154
+ sock_common_setsockopt+0x95/0xd0 net/core/sock.c:3039
+ SYSC_setsockopt net/socket.c:1850 [inline]
+ SyS_setsockopt+0x189/0x360 net/socket.c:1829
+ do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x454889
+RSP: 002b:00007fc927626c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 00007fc9276276d4 RCX: 0000000000454889
+RDX: 000000000000048c RSI: 0000000000000000 RDI: 0000000000000017
+RBP: 000000000072bf58 R08: 0000000000000018 R09: 0000000000000000
+R10: 0000000020000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 000000000000051c R14: 00000000006f9b40 R15: 0000000000000001
+
+Showing all locks held in the system:
+2 locks held by khungtaskd/868:
+ #0: (rcu_read_lock){....}, at: [<00000000a1a8f002>]
+check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
+ #0: (rcu_read_lock){....}, at: [<00000000a1a8f002>] watchdog+0x1c5/0xd60
+kernel/hung_task.c:249
+ #1: (tasklist_lock){.+.+}, at: [<0000000037c2f8f9>]
+debug_show_all_locks+0xd3/0x3d0 kernel/locking/lockdep.c:4470
+1 lock held by rsyslogd/4247:
+ #0: (&f->f_pos_lock){+.+.}, at: [<000000000d8d6983>]
+__fdget_pos+0x12b/0x190 fs/file.c:765
+2 locks held by getty/4338:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+2 locks held by getty/4339:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+2 locks held by getty/4340:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+2 locks held by getty/4341:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+2 locks held by getty/4342:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+2 locks held by getty/4343:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+2 locks held by getty/4344:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+3 locks held by kworker/0:5/6494:
+ #0: ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
+[<00000000a062b18e>] work_static include/linux/workqueue.h:198 [inline]
+ #0: ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
+[<00000000a062b18e>] set_work_data kernel/workqueue.c:619 [inline]
+ #0: ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
+[<00000000a062b18e>] set_work_pool_and_clear_pending kernel/workqueue.c:646
+[inline]
+ #0: ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
+[<00000000a062b18e>] process_one_work+0xb12/0x1bb0 kernel/workqueue.c:2084
+ #1: ((addr_chk_work).work){+.+.}, at: [<00000000278427d5>]
+process_one_work+0xb89/0x1bb0 kernel/workqueue.c:2088
+ #2: (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+1 lock held by syz-executor7/25421:
+ #0: (ipvs->sync_mutex){+.+.}, at: [<00000000d414a689>]
+do_ip_vs_set_ctl+0x277/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2393
+2 locks held by syz-executor7/25427:
+ #0: (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+ #1: (ipvs->sync_mutex){+.+.}, at: [<00000000e6d48489>]
+do_ip_vs_set_ctl+0x10f8/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2388
+1 lock held by syz-executor7/25435:
+ #0: (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+1 lock held by ipvs-b:2:0/25415:
+ #0: (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+
+Reported-and-tested-by: syzbot+a46d6abf9d56b1365a72@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+5fe074c01b2032ce9618@syzkaller.appspotmail.com
+Fixes: e0b26cc997d5 ("ipvs: call rtnl_lock early")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 8 ---
+ net/netfilter/ipvs/ip_vs_sync.c | 155 +++++++++++++++++++++-------------------
+ 2 files changed, 80 insertions(+), 83 deletions(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 1fa3c2307b6e..ce51ba12c605 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2386,11 +2386,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ strlcpy(cfg.mcast_ifn, dm->mcast_ifn,
+ sizeof(cfg.mcast_ifn));
+ cfg.syncid = dm->syncid;
+- rtnl_lock();
+- mutex_lock(&ipvs->sync_mutex);
+ ret = start_sync_thread(ipvs, &cfg, dm->state);
+- mutex_unlock(&ipvs->sync_mutex);
+- rtnl_unlock();
+ } else {
+ mutex_lock(&ipvs->sync_mutex);
+ ret = stop_sync_thread(ipvs, dm->state);
+@@ -3483,12 +3479,8 @@ static int ip_vs_genl_new_daemon(struct netns_ipvs *ipvs, struct nlattr **attrs)
+ if (ipvs->mixed_address_family_dests > 0)
+ return -EINVAL;
+
+- rtnl_lock();
+- mutex_lock(&ipvs->sync_mutex);
+ ret = start_sync_thread(ipvs, &c,
+ nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]));
+- mutex_unlock(&ipvs->sync_mutex);
+- rtnl_unlock();
+ return ret;
+ }
+
+diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
+index 0e5b64a75da0..9f1aa78e837d 100644
+--- a/net/netfilter/ipvs/ip_vs_sync.c
++++ b/net/netfilter/ipvs/ip_vs_sync.c
+@@ -48,6 +48,7 @@
+ #include <linux/kthread.h>
+ #include <linux/wait.h>
+ #include <linux/kernel.h>
++#include <linux/sched/signal.h>
+
+ #include <asm/unaligned.h> /* Used for ntoh_seq and hton_seq */
+
+@@ -1359,15 +1360,9 @@ static void set_mcast_pmtudisc(struct sock *sk, int val)
+ /*
+ * Specifiy default interface for outgoing multicasts
+ */
+-static int set_mcast_if(struct sock *sk, char *ifname)
++static int set_mcast_if(struct sock *sk, struct net_device *dev)
+ {
+- struct net_device *dev;
+ struct inet_sock *inet = inet_sk(sk);
+- struct net *net = sock_net(sk);
+-
+- dev = __dev_get_by_name(net, ifname);
+- if (!dev)
+- return -ENODEV;
+
+ if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if)
+ return -EINVAL;
+@@ -1395,19 +1390,14 @@ static int set_mcast_if(struct sock *sk, char *ifname)
+ * in the in_addr structure passed in as a parameter.
+ */
+ static int
+-join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname)
++join_mcast_group(struct sock *sk, struct in_addr *addr, struct net_device *dev)
+ {
+- struct net *net = sock_net(sk);
+ struct ip_mreqn mreq;
+- struct net_device *dev;
+ int ret;
+
+ memset(&mreq, 0, sizeof(mreq));
+ memcpy(&mreq.imr_multiaddr, addr, sizeof(struct in_addr));
+
+- dev = __dev_get_by_name(net, ifname);
+- if (!dev)
+- return -ENODEV;
+ if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if)
+ return -EINVAL;
+
+@@ -1422,15 +1412,10 @@ join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname)
+
+ #ifdef CONFIG_IP_VS_IPV6
+ static int join_mcast_group6(struct sock *sk, struct in6_addr *addr,
+- char *ifname)
++ struct net_device *dev)
+ {
+- struct net *net = sock_net(sk);
+- struct net_device *dev;
+ int ret;
+
+- dev = __dev_get_by_name(net, ifname);
+- if (!dev)
+- return -ENODEV;
+ if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if)
+ return -EINVAL;
+
+@@ -1442,24 +1427,18 @@ static int join_mcast_group6(struct sock *sk, struct in6_addr *addr,
+ }
+ #endif
+
+-static int bind_mcastif_addr(struct socket *sock, char *ifname)
++static int bind_mcastif_addr(struct socket *sock, struct net_device *dev)
+ {
+- struct net *net = sock_net(sock->sk);
+- struct net_device *dev;
+ __be32 addr;
+ struct sockaddr_in sin;
+
+- dev = __dev_get_by_name(net, ifname);
+- if (!dev)
+- return -ENODEV;
+-
+ addr = inet_select_addr(dev, 0, RT_SCOPE_UNIVERSE);
+ if (!addr)
+ pr_err("You probably need to specify IP address on "
+ "multicast interface.\n");
+
+ IP_VS_DBG(7, "binding socket with (%s) %pI4\n",
+- ifname, &addr);
++ dev->name, &addr);
+
+ /* Now bind the socket with the address of multicast interface */
+ sin.sin_family = AF_INET;
+@@ -1492,7 +1471,8 @@ static void get_mcast_sockaddr(union ipvs_sockaddr *sa, int *salen,
+ /*
+ * Set up sending multicast socket over UDP
+ */
+-static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id)
++static int make_send_sock(struct netns_ipvs *ipvs, int id,
++ struct net_device *dev, struct socket **sock_ret)
+ {
+ /* multicast addr */
+ union ipvs_sockaddr mcast_addr;
+@@ -1504,9 +1484,10 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id)
+ IPPROTO_UDP, &sock);
+ if (result < 0) {
+ pr_err("Error during creation of socket; terminating\n");
+- return ERR_PTR(result);
++ goto error;
+ }
+- result = set_mcast_if(sock->sk, ipvs->mcfg.mcast_ifn);
++ *sock_ret = sock;
++ result = set_mcast_if(sock->sk, dev);
+ if (result < 0) {
+ pr_err("Error setting outbound mcast interface\n");
+ goto error;
+@@ -1521,7 +1502,7 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id)
+ set_sock_size(sock->sk, 1, result);
+
+ if (AF_INET == ipvs->mcfg.mcast_af)
+- result = bind_mcastif_addr(sock, ipvs->mcfg.mcast_ifn);
++ result = bind_mcastif_addr(sock, dev);
+ else
+ result = 0;
+ if (result < 0) {
+@@ -1537,19 +1518,18 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id)
+ goto error;
+ }
+
+- return sock;
++ return 0;
+
+ error:
+- sock_release(sock);
+- return ERR_PTR(result);
++ return result;
+ }
+
+
+ /*
+ * Set up receiving multicast socket over UDP
+ */
+-static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id,
+- int ifindex)
++static int make_receive_sock(struct netns_ipvs *ipvs, int id,
++ struct net_device *dev, struct socket **sock_ret)
+ {
+ /* multicast addr */
+ union ipvs_sockaddr mcast_addr;
+@@ -1561,8 +1541,9 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id,
+ IPPROTO_UDP, &sock);
+ if (result < 0) {
+ pr_err("Error during creation of socket; terminating\n");
+- return ERR_PTR(result);
++ goto error;
+ }
++ *sock_ret = sock;
+ /* it is equivalent to the REUSEADDR option in user-space */
+ sock->sk->sk_reuse = SK_CAN_REUSE;
+ result = sysctl_sync_sock_size(ipvs);
+@@ -1570,7 +1551,7 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id,
+ set_sock_size(sock->sk, 0, result);
+
+ get_mcast_sockaddr(&mcast_addr, &salen, &ipvs->bcfg, id);
+- sock->sk->sk_bound_dev_if = ifindex;
++ sock->sk->sk_bound_dev_if = dev->ifindex;
+ result = sock->ops->bind(sock, (struct sockaddr *)&mcast_addr, salen);
+ if (result < 0) {
+ pr_err("Error binding to the multicast addr\n");
+@@ -1581,21 +1562,20 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id,
+ #ifdef CONFIG_IP_VS_IPV6
+ if (ipvs->bcfg.mcast_af == AF_INET6)
+ result = join_mcast_group6(sock->sk, &mcast_addr.in6.sin6_addr,
+- ipvs->bcfg.mcast_ifn);
++ dev);
+ else
+ #endif
+ result = join_mcast_group(sock->sk, &mcast_addr.in.sin_addr,
+- ipvs->bcfg.mcast_ifn);
++ dev);
+ if (result < 0) {
+ pr_err("Error joining to the multicast group\n");
+ goto error;
+ }
+
+- return sock;
++ return 0;
+
+ error:
+- sock_release(sock);
+- return ERR_PTR(result);
++ return result;
+ }
+
+
+@@ -1780,13 +1760,12 @@ static int sync_thread_backup(void *data)
+ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ int state)
+ {
+- struct ip_vs_sync_thread_data *tinfo;
++ struct ip_vs_sync_thread_data *tinfo = NULL;
+ struct task_struct **array = NULL, *task;
+- struct socket *sock;
+ struct net_device *dev;
+ char *name;
+ int (*threadfn)(void *data);
+- int id, count, hlen;
++ int id = 0, count, hlen;
+ int result = -ENOMEM;
+ u16 mtu, min_mtu;
+
+@@ -1794,6 +1773,18 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ IP_VS_DBG(7, "Each ip_vs_sync_conn entry needs %zd bytes\n",
+ sizeof(struct ip_vs_sync_conn_v0));
+
++ /* Do not hold one mutex and then to block on another */
++ for (;;) {
++ rtnl_lock();
++ if (mutex_trylock(&ipvs->sync_mutex))
++ break;
++ rtnl_unlock();
++ mutex_lock(&ipvs->sync_mutex);
++ if (rtnl_trylock())
++ break;
++ mutex_unlock(&ipvs->sync_mutex);
++ }
++
+ if (!ipvs->sync_state) {
+ count = clamp(sysctl_sync_ports(ipvs), 1, IPVS_SYNC_PORTS_MAX);
+ ipvs->threads_mask = count - 1;
+@@ -1812,7 +1803,8 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ dev = __dev_get_by_name(ipvs->net, c->mcast_ifn);
+ if (!dev) {
+ pr_err("Unknown mcast interface: %s\n", c->mcast_ifn);
+- return -ENODEV;
++ result = -ENODEV;
++ goto out_early;
+ }
+ hlen = (AF_INET6 == c->mcast_af) ?
+ sizeof(struct ipv6hdr) + sizeof(struct udphdr) :
+@@ -1829,26 +1821,30 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ c->sync_maxlen = mtu - hlen;
+
+ if (state == IP_VS_STATE_MASTER) {
++ result = -EEXIST;
+ if (ipvs->ms)
+- return -EEXIST;
++ goto out_early;
+
+ ipvs->mcfg = *c;
+ name = "ipvs-m:%d:%d";
+ threadfn = sync_thread_master;
+ } else if (state == IP_VS_STATE_BACKUP) {
++ result = -EEXIST;
+ if (ipvs->backup_threads)
+- return -EEXIST;
++ goto out_early;
+
+ ipvs->bcfg = *c;
+ name = "ipvs-b:%d:%d";
+ threadfn = sync_thread_backup;
+ } else {
+- return -EINVAL;
++ result = -EINVAL;
++ goto out_early;
+ }
+
+ if (state == IP_VS_STATE_MASTER) {
+ struct ipvs_master_sync_state *ms;
+
++ result = -ENOMEM;
+ ipvs->ms = kcalloc(count, sizeof(ipvs->ms[0]), GFP_KERNEL);
+ if (!ipvs->ms)
+ goto out;
+@@ -1864,39 +1860,38 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ } else {
+ array = kcalloc(count, sizeof(struct task_struct *),
+ GFP_KERNEL);
++ result = -ENOMEM;
+ if (!array)
+ goto out;
+ }
+
+- tinfo = NULL;
+ for (id = 0; id < count; id++) {
+- if (state == IP_VS_STATE_MASTER)
+- sock = make_send_sock(ipvs, id);
+- else
+- sock = make_receive_sock(ipvs, id, dev->ifindex);
+- if (IS_ERR(sock)) {
+- result = PTR_ERR(sock);
+- goto outtinfo;
+- }
++ result = -ENOMEM;
+ tinfo = kmalloc(sizeof(*tinfo), GFP_KERNEL);
+ if (!tinfo)
+- goto outsocket;
++ goto out;
+ tinfo->ipvs = ipvs;
+- tinfo->sock = sock;
++ tinfo->sock = NULL;
+ if (state == IP_VS_STATE_BACKUP) {
+ tinfo->buf = kmalloc(ipvs->bcfg.sync_maxlen,
+ GFP_KERNEL);
+ if (!tinfo->buf)
+- goto outtinfo;
++ goto out;
+ } else {
+ tinfo->buf = NULL;
+ }
+ tinfo->id = id;
++ if (state == IP_VS_STATE_MASTER)
++ result = make_send_sock(ipvs, id, dev, &tinfo->sock);
++ else
++ result = make_receive_sock(ipvs, id, dev, &tinfo->sock);
++ if (result < 0)
++ goto out;
+
+ task = kthread_run(threadfn, tinfo, name, ipvs->gen, id);
+ if (IS_ERR(task)) {
+ result = PTR_ERR(task);
+- goto outtinfo;
++ goto out;
+ }
+ tinfo = NULL;
+ if (state == IP_VS_STATE_MASTER)
+@@ -1913,20 +1908,20 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ ipvs->sync_state |= state;
+ spin_unlock_bh(&ipvs->sync_buff_lock);
+
++ mutex_unlock(&ipvs->sync_mutex);
++ rtnl_unlock();
++
+ /* increase the module use count */
+ ip_vs_use_count_inc();
+
+ return 0;
+
+-outsocket:
+- sock_release(sock);
+-
+-outtinfo:
+- if (tinfo) {
+- sock_release(tinfo->sock);
+- kfree(tinfo->buf);
+- kfree(tinfo);
+- }
++out:
++ /* We do not need RTNL lock anymore, release it here so that
++ * sock_release below and in the kthreads can use rtnl_lock
++ * to leave the mcast group.
++ */
++ rtnl_unlock();
+ count = id;
+ while (count-- > 0) {
+ if (state == IP_VS_STATE_MASTER)
+@@ -1934,13 +1929,23 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ else
+ kthread_stop(array[count]);
+ }
+- kfree(array);
+-
+-out:
+ if (!(ipvs->sync_state & IP_VS_STATE_MASTER)) {
+ kfree(ipvs->ms);
+ ipvs->ms = NULL;
+ }
++ mutex_unlock(&ipvs->sync_mutex);
++ if (tinfo) {
++ if (tinfo->sock)
++ sock_release(tinfo->sock);
++ kfree(tinfo->buf);
++ kfree(tinfo);
++ }
++ kfree(array);
++ return result;
++
++out_early:
++ mutex_unlock(&ipvs->sync_mutex);
++ rtnl_unlock();
+ return result;
+ }
+
+--
+2.12.3
+
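Review bot: The locking contract of `start_sync_thread()` changes here without being documented. The function now takes `rtnl_lock` and `ipvs->sync_mutex` itself and releases them on every exit (`out`, `out_early` and the success path), and both callers in ip_vs_ctl.c drop their own locking. `stop_sync_thread()` in the same `else` branch is still called with `sync_mutex` held by the caller, so the two entry points now differ. A header comment on `start_sync_thread()` should say that callers must hold neither lock and that both are released on return. The comment on the acquisition loop would also read better as `/* Take rtnl_lock and sync_mutex without ever sleeping on one while holding the other */`. Separately, none of the added lines visible in these hunks appears to use anything from `<linux/sched/signal.h>`; the file is only partly shown, so confirm the new include is needed.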
diff --git a/patches.fixes/0006-packet-refine-ring-v3-block-size-test-to-hold-one-fr.patch b/patches.fixes/0006-packet-refine-ring-v3-block-size-test-to-hold-one-fr.patch
new file mode 100644
index 0000000000..7e241b76d4
--- /dev/null
+++ b/patches.fixes/0006-packet-refine-ring-v3-block-size-test-to-hold-one-fr.patch
@@ -0,0 +1,68 @@
+From: Willem de Bruijn <willemb@google.com>
+Subject: packet: refine ring v3 block size test to hold one
+ frame
+Patch-mainline: v4.18
+Git-commit: 4576cd469d980317c4edd9173f8b694aa71ea3a3
+References: git-fixes
+
+TPACKET_V3 stores variable length frames in fixed length blocks.
+Blocks must be able to store a block header, optional private space
+and at least one minimum sized frame.
+
+Frames, even for a zero snaplen packet, store metadata headers and
+optional reserved space.
+
+In the block size bounds check, ensure that the frame of the
+chosen configuration fits. This includes sockaddr_ll and optional
+tp_reserve.
+
+Syzbot was able to construct a ring with insuffient room for the
+sockaddr_ll in the header of a zero-length frame, triggering an
+out-of-bounds write in dev_parse_header.
+
+Convert the comparison to less than, as zero is a valid snap len.
+This matches the test for minimum tp_frame_size immediately below.
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Fixes: eb73190f4fbe ("net/packet: refine check for priv area size")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/packet/af_packet.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index cf7652bb2218..aefda8127760 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4285,6 +4285,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ }
+
+ if (req->tp_block_nr) {
++ unsigned int min_frame_size;
++
+ /* Sanity tests and some calculations */
+ err = -EBUSY;
+ if (unlikely(rb->pg_vec))
+@@ -4307,12 +4309,12 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ goto out;
+ if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
+ goto out;
++ min_frame_size = po->tp_hdrlen + po->tp_reserve;
+ if (po->tp_version >= TPACKET_V3 &&
+- req->tp_block_size <=
+- BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr))
++ req->tp_block_size <
++ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + min_frame_size)
+ goto out;
+- if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+- po->tp_reserve))
++ if (unlikely(req->tp_frame_size < min_frame_size))
+ goto out;
+ if (unlikely(req->tp_frame_size & (TPACKET_ALIGNMENT - 1)))
+ goto out;
+--
+2.12.3
+
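Review bot: `min_frame_size = po->tp_hdrlen + po->tp_reserve;` is computed in `unsigned int`, so both tests that now share it depend on `tp_reserve` being bounded where it is set. That bound is outside this hunk. If it is not enforced, the sum could wrap and let an undersized block or frame pass; please confirm the limit exists in this tree. The change from `<=` to `<` is explained only in the commit message, so I would add a comment at the assignment, such as `/* headers + reserve of a zero-snaplen frame; '<' because that frame is valid */`. `packet_set_ring()` starts and ends outside the hunk.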
diff --git a/patches.fixes/0007-net-ipv6-fix-addrconf_sysctl_addr_gen_mode.patch b/patches.fixes/0007-net-ipv6-fix-addrconf_sysctl_addr_gen_mode.patch
new file mode 100644
index 0000000000..c8eb608238
--- /dev/null
+++ b/patches.fixes/0007-net-ipv6-fix-addrconf_sysctl_addr_gen_mode.patch
@@ -0,0 +1,99 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Subject: net/ipv6: fix addrconf_sysctl_addr_gen_mode
+Patch-mainline: v4.19-rc1
+Git-commit: c6dbf7aaa48289d2eeacbef06785c069869ed0c0
+References: git-fixes
+
+
+addrconf_sysctl_addr_gen_mode() has multiple problems. First, it ignores
+the errors returned by proc_dointvec().
+
+addrconf_sysctl_addr_gen_mode() calls proc_dointvec() directly, which
+writes the value to memory, and then checks if it's valid and may return
+EINVAL. If a bad value is given, the value displayed when reading
+net.ipv6.conf.foo.addr_gen_mode next time will be invalid. In case the
+value provided by the user was valid, addrconf_dev_config() won't be
+called since idev->cnf.addr_gen_mode has already been updated.
+
+Fix this in the usual way we deal with values that need to be checked
+after the proc_do*() helper has returned: define a local ctl_table and
+storage, call proc_dointvec() on that temporary area, then check and
+store.
+
+addrconf_sysctl_addr_gen_mode() also writes the new value to the global
+ipv6_devconf_dflt, when we're writing to some netns's default, so that
+new netns will inherit the value that was set by the change occuring in
+any netns. That doesn't make any sense, so let's drop this assignment.
+
+Finally, since addr_gen_mode is a __u32, switch to proc_douintvec().
+
+Fixes: d35a00b8e33d ("net/ipv6: allow sysctl to change link-local address generation mode")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/addrconf.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 4a21afaacc59..1e72d02dd061 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -5790,32 +5790,31 @@ static int addrconf_sysctl_addr_gen_mode(struct ctl_table *ctl, int write,
+ loff_t *ppos)
+ {
+ int ret = 0;
+- int new_val;
++ u32 new_val;
+ struct inet6_dev *idev = (struct inet6_dev *)ctl->extra1;
+ struct net *net = (struct net *)ctl->extra2;
++ struct ctl_table tmp = {
++ .data = &new_val,
++ .maxlen = sizeof(new_val),
++ .mode = ctl->mode,
++ };
+
+ if (!rtnl_trylock())
+ return restart_syscall();
+
+- ret = proc_dointvec(ctl, write, buffer, lenp, ppos);
++ new_val = *((u32 *)ctl->data);
+
+- if (write) {
+- new_val = *((int *)ctl->data);
++ ret = proc_douintvec(&tmp, write, buffer, lenp, ppos);
++ if (ret != 0)
++ goto out;
+
++ if (write) {
+ if (check_addr_gen_mode(new_val) < 0) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+- /* request for default */
+- if (&net->ipv6.devconf_dflt->addr_gen_mode == ctl->data) {
+- ipv6_devconf_dflt.addr_gen_mode = new_val;
+-
+- /* request for individual net device */
+- } else {
+- if (!idev)
+- goto out;
+-
++ if (idev) {
+ if (check_stable_privacy(idev, net, new_val) < 0) {
+ ret = -EINVAL;
+ goto out;
+@@ -5826,6 +5825,8 @@ static int addrconf_sysctl_addr_gen_mode(struct ctl_table *ctl, int write,
+ addrconf_dev_config(idev->dev);
+ }
+ }
++
++ *((u32 *)ctl->data) = new_val;
+ }
+
+ out:
+--
+2.12.3
+
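Review bot: The temporary `struct ctl_table tmp` in `addrconf_sysctl_addr_gen_mode()` has no comment explaining why parsing goes through a local copy. The final `*((u32 *)ctl->data) = new_val;` is only safe because every rejection path jumps to `out` before reaching it. I would add a comment above the `tmp` initializer, such as `/* parse into a local so an invalid or rejected value never reaches ctl->data */`. `new_val` is now `u32` but is still passed to `check_addr_gen_mode()` and `check_stable_privacy()`, whose prototypes are outside this hunk. If they take `int`, values above INT_MAX arrive as negative numbers, so confirm they reject anything that is not a known mode. The function body continues past the second hunk.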
diff --git a/patches.fixes/0007-netfilter-nf_tables-can-t-fail-after-linking-rule-in.patch b/patches.fixes/0007-netfilter-nf_tables-can-t-fail-after-linking-rule-in.patch
new file mode 100644
index 0000000000..36254a92b1
--- /dev/null
+++ b/patches.fixes/0007-netfilter-nf_tables-can-t-fail-after-linking-rule-in.patch
@@ -0,0 +1,112 @@
+From: Florian Westphal <fw@strlen.de>
+Subject: netfilter: nf_tables: can't fail after linking rule
+ into active rule list
+Patch-mainline: v4.17-rc3
+Git-commit: 569ccae68b38654f04b6842b034aa33857f605fe
+References: git-fixes
+
+rules in nftables a free'd using kfree, but protected by rcu, i.e. we
+must wait for a grace period to elapse.
+
+Normal removal patch does this, but nf_tables_newrule() doesn't obey
+this rule during error handling.
+
+It calls nft_trans_rule_add() *after* linking rule, and, if that
+fails to allocate memory, it unlinks the rule and then kfree() it --
+this is unsafe.
+
+Switch order -- first add rule to transaction list, THEN link it
+to public list.
+
+Note: nft_trans_rule_add() uses GFP_KERNEL; it will not fail so this
+is not a problem in practice (spotted only during code review).
+
+Fixes: 0628b123c96d12 ("netfilter: nfnetlink: add batch support and use it from nf_tables")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nf_tables_api.c | 59 +++++++++++++++++++++++--------------------
+ 1 file changed, 32 insertions(+), 27 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 595004098410..d627a479e332 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2251,41 +2251,46 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
+ }
+
+ if (nlh->nlmsg_flags & NLM_F_REPLACE) {
+- if (nft_is_active_next(net, old_rule)) {
+- trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
+- old_rule);
+- if (trans == NULL) {
+- err = -ENOMEM;
+- goto err2;
+- }
+- nft_deactivate_next(net, old_rule);
+- chain->use--;
+- list_add_tail_rcu(&rule->list, &old_rule->list);
+- } else {
++ if (!nft_is_active_next(net, old_rule)) {
+ err = -ENOENT;
+ goto err2;
+ }
+- } else if (nlh->nlmsg_flags & NLM_F_APPEND)
+- if (old_rule)
+- list_add_rcu(&rule->list, &old_rule->list);
+- else
+- list_add_tail_rcu(&rule->list, &chain->rules);
+- else {
+- if (old_rule)
+- list_add_tail_rcu(&rule->list, &old_rule->list);
+- else
+- list_add_rcu(&rule->list, &chain->rules);
+- }
++ trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
++ old_rule);
++ if (trans == NULL) {
++ err = -ENOMEM;
++ goto err2;
++ }
++ nft_deactivate_next(net, old_rule);
++ chain->use--;
+
+- if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
+- err = -ENOMEM;
+- goto err3;
++ if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
++ err = -ENOMEM;
++ goto err2;
++ }
++
++ list_add_tail_rcu(&rule->list, &old_rule->list);
++ } else {
++ if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
++ err = -ENOMEM;
++ goto err2;
++ }
++
++ if (nlh->nlmsg_flags & NLM_F_APPEND) {
++ if (old_rule)
++ list_add_rcu(&rule->list, &old_rule->list);
++ else
++ list_add_tail_rcu(&rule->list, &chain->rules);
++ } else {
++ if (old_rule)
++ list_add_tail_rcu(&rule->list, &old_rule->list);
++ else
++ list_add_rcu(&rule->list, &chain->rules);
++ }
+ }
+ chain->use++;
+ return 0;
+
+-err3:
+- list_del_rcu(&rule->list);
+ err2:
+ nf_tables_rule_destroy(&ctx, rule);
+ err1:
+--
+2.12.3
+
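Review bot: In the `NLM_F_REPLACE` branch of `nf_tables_newrule()`, `nft_deactivate_next(net, old_rule)` and `chain->use--` run before the second `nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule)`. If that allocation fails, `goto err2` destroys only the new rule. The old rule stays deactivated, the use count stays decremented and the DELRULE transaction stays queued. Presumably the batch abort path, which is outside this hunk, undoes the DELRULE transaction when the error is returned. That dependency should be stated at the failure site, for example `/* old_rule is restored by the transaction abort path */`. The commit message notes that the allocation does not fail in practice, so this is a documentation point rather than an observed bug.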
diff --git a/patches.fixes/0008-net-ipv6-don-t-reinitialize-ndev-cnf.addr_gen_mode-o.patch b/patches.fixes/0008-net-ipv6-don-t-reinitialize-ndev-cnf.addr_gen_mode-o.patch
new file mode 100644
index 0000000000..6ccd45d7b5
--- /dev/null
+++ b/patches.fixes/0008-net-ipv6-don-t-reinitialize-ndev-cnf.addr_gen_mode-o.patch
@@ -0,0 +1,36 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Subject: net/ipv6: don't reinitialize ndev->cnf.addr_gen_mode on
+ new inet6_dev
+Patch-mainline: v4.19-rc1
+Git-commit: 70c30d76e580fe4aefe6facdf0f1edb1aa9a0e7a
+References: git-fixes
+
+
+The value has already been copied from this netns's devconf_dflt, it
+shouldn't be reset to the global kernel default.
+
+Fixes: d35a00b8e33d ("net/ipv6: allow sysctl to change link-local address generation mode")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/addrconf.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 1e72d02dd061..8a8bb3eb9b1e 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -395,8 +395,6 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev)
+
+ if (ndev->cnf.stable_secret.initialized)
+ ndev->cnf.addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
+- else
+- ndev->cnf.addr_gen_mode = ipv6_devconf_dflt.addr_gen_mode;
+
+ ndev->cnf.mtu6 = dev->mtu;
+ ndev->nd_parms = neigh_parms_alloc(dev, &nd_tbl);
+--
+2.12.3
+
diff --git a/patches.fixes/0008-rxrpc-Fix-error-reception-on-AF_INET6-sockets.patch b/patches.fixes/0008-rxrpc-Fix-error-reception-on-AF_INET6-sockets.patch
new file mode 100644
index 0000000000..995ee8bf73
--- /dev/null
+++ b/patches.fixes/0008-rxrpc-Fix-error-reception-on-AF_INET6-sockets.patch
@@ -0,0 +1,95 @@
+From: David Howells <dhowells@redhat.com>
+Subject: rxrpc: Fix error reception on AF_INET6 sockets
+Patch-mainline: v4.17-rc5
+Git-commit: f2aeed3a591ff29a82495eeaa92ac4780bad7487
+References: git-fixes
+
+AF_RXRPC tries to turn on IP_RECVERR and IP_MTU_DISCOVER on the UDP socket
+it just opened for communications with the outside world, regardless of the
+type of socket. Unfortunately, this doesn't work with an AF_INET6 socket.
+
+Fix this by turning on IPV6_RECVERR and IPV6_MTU_DISCOVER instead if the
+socket is of the AF_INET6 family.
+
+Without this, kAFS server and address rotation doesn't work correctly
+because the algorithm doesn't detect received network errors.
+
+Fixes: 75b54cb57ca3 ("rxrpc: Add IPv6 support")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/rxrpc/local_object.c | 57 +++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 42 insertions(+), 15 deletions(-)
+
+diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c
+index ff4864d550b8..adc49d8285bf 100644
+--- a/net/rxrpc/local_object.c
++++ b/net/rxrpc/local_object.c
+@@ -133,22 +133,49 @@ static int rxrpc_open_socket(struct rxrpc_local *local)
+ }
+ }
+
+- /* we want to receive ICMP errors */
+- opt = 1;
+- ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
+- (char *) &opt, sizeof(opt));
+- if (ret < 0) {
+- _debug("setsockopt failed");
+- goto error;
+- }
++ switch (local->srx.transport.family) {
++ case AF_INET:
++ /* we want to receive ICMP errors */
++ opt = 1;
++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
+
+- /* we want to set the don't fragment bit */
+- opt = IP_PMTUDISC_DO;
+- ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
+- (char *) &opt, sizeof(opt));
+- if (ret < 0) {
+- _debug("setsockopt failed");
+- goto error;
++ /* we want to set the don't fragment bit */
++ opt = IP_PMTUDISC_DO;
++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
++ break;
++
++ case AF_INET6:
++ /* we want to receive ICMP errors */
++ opt = 1;
++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_RECVERR,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
++
++ /* we want to set the don't fragment bit */
++ opt = IPV6_PMTUDISC_DO;
++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_MTU_DISCOVER,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
++ break;
++
++ default:
++ BUG();
+ }
+
+ /* set the socket up */
+--
+2.12.3
+
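Review bot: The `default: BUG();` arm added to the family switch in rxrpc_open_socket() turns an unexpected `local->srx.transport.family` into a kernel crash, while every other failure in this block leaves through `goto error`. Returning an error keeps the failure local to the socket being opened: `default: ret = -EAFNOSUPPORT; goto error;`. Both case arms also log the same `_debug("setsockopt failed")` for four different options, so each message should name the option that failed. The function starts and ends outside the hunk, so whether the family is validated before this point cannot be seen here.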
diff --git a/patches.fixes/0009-net-ipv6-reserve-room-for-IFLA_INET6_ADDR_GEN_MODE.patch b/patches.fixes/0009-net-ipv6-reserve-room-for-IFLA_INET6_ADDR_GEN_MODE.patch
new file mode 100644
index 0000000000..9fd786f94f
--- /dev/null
+++ b/patches.fixes/0009-net-ipv6-reserve-room-for-IFLA_INET6_ADDR_GEN_MODE.patch
@@ -0,0 +1,38 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Subject: net/ipv6: reserve room for IFLA_INET6_ADDR_GEN_MODE
+Patch-mainline: v4.19-rc1
+Git-commit: bdd72f41333d9f61a22e4c4494e95782e9731fdb
+References: git-fixes
+
+
+inet6_ifla6_size() is called to check how much space is needed by
+inet6_fill_link_af() and inet6_fill_ifinfo(), both of which include
+the IFLA_INET6_ADDR_GEN_MODE attribute. Reserve some room for it.
+
+Fixes: bc91b0f07ada ("ipv6: addrconf: implement address generation modes")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/addrconf.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 8a8bb3eb9b1e..bbe616f991e9 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -5107,7 +5107,9 @@ static inline size_t inet6_ifla6_size(void)
+ + nla_total_size(DEVCONF_MAX * 4) /* IFLA_INET6_CONF */
+ + nla_total_size(IPSTATS_MIB_MAX * 8) /* IFLA_INET6_STATS */
+ + nla_total_size(ICMP6_MIB_MAX * 8) /* IFLA_INET6_ICMP6STATS */
+- + nla_total_size(sizeof(struct in6_addr)); /* IFLA_INET6_TOKEN */
++ + nla_total_size(sizeof(struct in6_addr)) /* IFLA_INET6_TOKEN */
++ + nla_total_size(1) /* IFLA_INET6_ADDR_GEN_MODE */
++ + 0;
+ }
+
+ static inline size_t inet6_if_nlmsg_size(void)
+--
+2.12.3
+
diff --git a/patches.fixes/0009-packet-in-packet_snd-start-writing-at-link-layer-all.patch b/patches.fixes/0009-packet-in-packet_snd-start-writing-at-link-layer-all.patch
new file mode 100644
index 0000000000..98f7330676
--- /dev/null
+++ b/patches.fixes/0009-packet-in-packet_snd-start-writing-at-link-layer-all.patch
@@ -0,0 +1,59 @@
+From: Willem de Bruijn <willemb@google.com>
+Subject: packet: in packet_snd start writing at link layer
+ allocation
+Patch-mainline: v4.17-rc7
+Git-commit: b84bbaf7a6c8cca24f8acf25a2c8e46913a947ba
+References: git-fixes
+
+Packet sockets allow construction of packets shorter than
+dev->hard_header_len to accommodate protocols with variable length
+link layer headers. These packets are padded to dev->hard_header_len,
+because some device drivers interpret that as a minimum packet size.
+
+packet_snd reserves dev->hard_header_len bytes on allocation.
+SOCK_DGRAM sockets call skb_push in dev_hard_header() to ensure that
+link layer headers are stored in the reserved range. SOCK_RAW sockets
+do the same in tpacket_snd, but not in packet_snd.
+
+Syzbot was able to send a zero byte packet to a device with massive
+116B link layer header, causing padding to cross over into skb_shinfo.
+Fix this by writing from the start of the llheader reserved range also
+in the case of packet_snd/SOCK_RAW.
+
+Update skb_set_network_header to the new offset. This also corrects
+it for SOCK_DGRAM, where it incorrectly double counted reserve due to
+the skb_push in dev_hard_header.
+
+Fixes: 9ed988cd5915 ("packet: validate variable length ll headers")
+Reported-by: syzbot+71d74a5406d02057d559@syzkaller.appspotmail.com
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/packet/af_packet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index c6c4d9be2276..901618eb2725 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2925,13 +2925,15 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+ if (skb == NULL)
+ goto out_unlock;
+
+- skb_set_network_header(skb, reserve);
++ skb_reset_network_header(skb);
+
+ err = -EINVAL;
+ if (sock->type == SOCK_DGRAM) {
+ offset = dev_hard_header(skb, dev, ntohs(proto), addr, NULL, len);
+ if (unlikely(offset < 0))
+ goto out_free;
++ } else if (reserve) {
++ skb_push(skb, reserve);
+ }
+
+ /* Returns -EFAULT on error */
+--
+2.12.3
+
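Review bot: `skb_reset_network_header(skb)` runs before the new `skb_push(skb, reserve)` in packet_snd(), so on the SOCK_RAW path the network header ends up `reserve` bytes past `skb->data` even when the caller supplied fewer than `reserve` bytes, which the description says is permitted for variable-length link-layer headers. For such short packets the network header would point beyond the copied payload; the rest of the function is outside the hunk, so it is not visible whether a later step corrects this. I would reset the network header again for the short-packet case after the copy, and record the layout next to the push with `/* SOCK_RAW: write from the start of the reserved ll range; network header stays at +reserve */`.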
diff --git a/patches.fixes/0010-ipvs-fix-stats-update-from-local-clients.patch b/patches.fixes/0010-ipvs-fix-stats-update-from-local-clients.patch
new file mode 100644
index 0000000000..f77c884071
--- /dev/null
+++ b/patches.fixes/0010-ipvs-fix-stats-update-from-local-clients.patch
@@ -0,0 +1,124 @@
+From: Julian Anastasov <ja@ssi.bg>
+Subject: ipvs: fix stats update from local clients
+Patch-mainline: v4.17-rc7
+Git-commit: d5e032fc5697b6c0d6b4958bcacb981a08f8174e
+References: git-fixes
+
+
+Local clients are not properly synchronized on 32-bit CPUs when
+updating stats (3.10+). Now it is possible estimation_timer (timer),
+a stats reader, to interrupt the local client in the middle of
+write_seqcount_{begin,end} sequence leading to loop (DEADLOCK).
+The same interrupt can happen from received packet (SoftIRQ)
+which updates the same per-CPU stats.
+
+Fix it by disabling BH while updating stats.
+
+Found with debug:
+
+WARNING: inconsistent lock state
+4.17.0-rc2-00105-g35cb6d7-dirty #2 Not tainted
+--------------------------------
+inconsistent {IN-SOFTIRQ-R} -> {SOFTIRQ-ON-W} usage.
+ftp/2545 [HC0[0]:SC0[0]:HE1:SE1] takes:
+86845479 (&syncp->seq#6){+.+-}, at: ip_vs_schedule+0x1c5/0x59e [ip_vs]
+{IN-SOFTIRQ-R} state was registered at:
+ lock_acquire+0x44/0x5b
+ estimation_timer+0x1b3/0x341 [ip_vs]
+ call_timer_fn+0x54/0xcd
+ run_timer_softirq+0x10c/0x12b
+ __do_softirq+0xc1/0x1a9
+ do_softirq_own_stack+0x1d/0x23
+ irq_exit+0x4a/0x64
+ smp_apic_timer_interrupt+0x63/0x71
+ apic_timer_interrupt+0x3a/0x40
+ default_idle+0xa/0xc
+ arch_cpu_idle+0x9/0xb
+ default_idle_call+0x21/0x23
+ do_idle+0xa0/0x167
+ cpu_startup_entry+0x19/0x1b
+ start_secondary+0x133/0x182
+ startup_32_smp+0x164/0x168
+irq event stamp: 42213
+
+other info that might help us debug this:
+Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&syncp->seq#6);
+ <Interrupt>
+ lock(&syncp->seq#6);
+
+*** DEADLOCK ***
+
+Fixes: ac69269a45e8 ("ipvs: do not disable bh for long time")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipvs/ip_vs_core.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index ad99c1ceea6f..62ed310e2397 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -119,6 +119,8 @@ ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
+ struct ip_vs_cpu_stats *s;
+ struct ip_vs_service *svc;
+
++ local_bh_disable();
++
+ s = this_cpu_ptr(dest->stats.cpustats);
+ u64_stats_update_begin(&s->syncp);
+ s->cnt.inpkts++;
+@@ -139,6 +141,8 @@ ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
+ s->cnt.inpkts++;
+ s->cnt.inbytes += skb->len;
+ u64_stats_update_end(&s->syncp);
++
++ local_bh_enable();
+ }
+ }
+
+@@ -153,6 +157,8 @@ ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
+ struct ip_vs_cpu_stats *s;
+ struct ip_vs_service *svc;
+
++ local_bh_disable();
++
+ s = this_cpu_ptr(dest->stats.cpustats);
+ u64_stats_update_begin(&s->syncp);
+ s->cnt.outpkts++;
+@@ -173,6 +179,8 @@ ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
+ s->cnt.outpkts++;
+ s->cnt.outbytes += skb->len;
+ u64_stats_update_end(&s->syncp);
++
++ local_bh_enable();
+ }
+ }
+
+@@ -183,6 +191,8 @@ ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
+ struct netns_ipvs *ipvs = svc->ipvs;
+ struct ip_vs_cpu_stats *s;
+
++ local_bh_disable();
++
+ s = this_cpu_ptr(cp->dest->stats.cpustats);
+ u64_stats_update_begin(&s->syncp);
+ s->cnt.conns++;
+@@ -197,6 +207,8 @@ ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
+ u64_stats_update_begin(&s->syncp);
+ s->cnt.conns++;
+ u64_stats_update_end(&s->syncp);
++
++ local_bh_enable();
+ }
+
+
+--
+2.12.3
+
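Review bot: None of the three `local_bh_disable()` calls added to ip_vs_in_stats(), ip_vs_out_stats() and ip_vs_conn_stats() explains why bottom halves must be off, and the reason (a softirq reader or writer interrupting the `u64_stats_update_begin()`/`u64_stats_update_end()` section on the same CPU) is only in the commit message. I would put `/* BH off: estimation_timer and softirq RX touch the same per-CPU syncp */` above each call. The middle of each function lies between hunks, so it cannot be confirmed from here that no path leaves the function between the disable and its matching `local_bh_enable()`; that pairing is worth checking on the full file.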
diff --git a/patches.fixes/0010-net-ipv6-propagate-net.ipv6.conf.all.addr_gen_mode-t.patch b/patches.fixes/0010-net-ipv6-propagate-net.ipv6.conf.all.addr_gen_mode-t.patch
new file mode 100644
index 0000000000..0ace619829
--- /dev/null
+++ b/patches.fixes/0010-net-ipv6-propagate-net.ipv6.conf.all.addr_gen_mode-t.patch
@@ -0,0 +1,45 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Subject: net/ipv6: propagate net.ipv6.conf.all.addr_gen_mode to
+ devices
+Patch-mainline: v4.19-rc1
+Git-commit: f24c5987dddd28b23443e7b21b55d47549207755
+References: git-fixes
+
+This aligns the addr_gen_mode sysctl with the expected behavior of the
+"all" variant.
+
+Fixes: d35a00b8e33d ("net/ipv6: allow sysctl to change link-local address generation mode")
+Suggested-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/addrconf.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index bbe616f991e9..106da7d7052b 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -5824,6 +5824,18 @@ static int addrconf_sysctl_addr_gen_mode(struct ctl_table *ctl, int write,
+ idev->cnf.addr_gen_mode = new_val;
+ addrconf_dev_config(idev->dev);
+ }
++ } else if (&net->ipv6.devconf_all->addr_gen_mode == ctl->data) {
++ struct net_device *dev;
++
++ net->ipv6.devconf_dflt->addr_gen_mode = new_val;
++ for_each_netdev(net, dev) {
++ idev = __in6_dev_get(dev);
++ if (idev &&
++ idev->cnf.addr_gen_mode != new_val) {
++ idev->cnf.addr_gen_mode = new_val;
++ addrconf_dev_config(idev->dev);
++ }
++ }
+ }
+
+ *((u32 *)ctl->data) = new_val;
+--
+2.12.3
+
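Review bot: The new `devconf_all` branch in addrconf_sysctl_addr_gen_mode() writes `new_val` into every device's `idev->cnf.addr_gen_mode` and reconfigures the device, and no per-device validation is visible in the hunk. If the single-device path above rejects a mode that the device cannot support (for instance a stable-privacy mode without a configured secret; this is an assumption, the validation code is outside the hunk), the loop should apply the same test and skip devices that fail it rather than force the mode on them. The hunk also does not show which lock protects the `for_each_netdev()` walk and `__in6_dev_get()`; a short comment naming it at the top of the branch would make that dependency explicit.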
diff --git a/patches.fixes/0011-tcp-purge-write-queue-in-tcp_connect_init.patch b/patches.fixes/0011-tcp-purge-write-queue-in-tcp_connect_init.patch
new file mode 100644
index 0000000000..fa8a24755f
--- /dev/null
+++ b/patches.fixes/0011-tcp-purge-write-queue-in-tcp_connect_init.patch
@@ -0,0 +1,90 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: tcp: purge write queue in tcp_connect_init()
+Patch-mainline: v4.17-rc7
+Git-commit: 7f582b248d0a86bae5788c548d7bb5bca6f7691a
+References: git-fixes
+
+syzkaller found a reliable way to crash the host, hitting a BUG()
+in __tcp_retransmit_skb()
+
+Malicous MSG_FASTOPEN is the root cause. We need to purge write queue
+in tcp_connect_init() at the point we init snd_una/write_seq.
+
+This patch also replaces the BUG() by a less intrusive WARN_ON_ONCE()
+
+kernel BUG at net/ipv4/tcp_output.c:2837!
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 0 PID: 5276 Comm: syz-executor0 Not tainted 4.17.0-rc3+ #51
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:__tcp_retransmit_skb+0x2992/0x2eb0 net/ipv4/tcp_output.c:2837
+RSP: 0000:ffff8801dae06ff8 EFLAGS: 00010206
+RAX: ffff8801b9fe61c0 RBX: 00000000ffc18a16 RCX: ffffffff864e1a49
+RDX: 0000000000000100 RSI: ffffffff864e2e12 RDI: 0000000000000005
+RBP: ffff8801dae073a0 R08: ffff8801b9fe61c0 R09: ffffed0039c40dd2
+R10: ffffed0039c40dd2 R11: ffff8801ce206e93 R12: 00000000421eeaad
+R13: ffff8801ce206d4e R14: ffff8801ce206cc0 R15: ffff8801cd4f4a80
+FS: 0000000000000000(0000) GS:ffff8801dae00000(0063) knlGS:00000000096bc900
+CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
+CR2: 0000000020000000 CR3: 00000001c47b6000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <IRQ>
+ tcp_retransmit_skb+0x2e/0x250 net/ipv4/tcp_output.c:2923
+ tcp_retransmit_timer+0xc50/0x3060 net/ipv4/tcp_timer.c:488
+ tcp_write_timer_handler+0x339/0x960 net/ipv4/tcp_timer.c:573
+ tcp_write_timer+0x111/0x1d0 net/ipv4/tcp_timer.c:593
+ call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
+ expire_timers kernel/time/timer.c:1363 [inline]
+ __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
+ run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
+ __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
+ invoke_softirq kernel/softirq.c:365 [inline]
+ irq_exit+0x1d1/0x200 kernel/softirq.c:405
+ exiting_irq arch/x86/include/asm/apic.h:525 [inline]
+ smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
+
+Fixes: cf60af03ca4e ("net-tcp: Fast Open client - sendmsg(MSG_FASTOPEN)")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/tcp_output.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 2d139697bcd8..beda69aad37d 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2842,8 +2842,10 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs)
+ return -EBUSY;
+
+ if (before(TCP_SKB_CB(skb)->seq, tp->snd_una)) {
+- if (before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))
+- BUG();
++ if (unlikely(before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))) {
++ WARN_ON_ONCE(1);
++ return -EINVAL;
++ }
+ if (tcp_trim_head(sk, skb, tp->snd_una - TCP_SKB_CB(skb)->seq))
+ return -ENOMEM;
+ }
+@@ -3332,6 +3334,7 @@ static void tcp_connect_init(struct sock *sk)
+ sock_reset_flag(sk, SOCK_DONE);
+ tp->snd_wnd = 0;
+ tcp_init_wl(tp, 0);
++ tcp_write_queue_purge(sk);
+ tp->snd_una = tp->write_seq;
+ tp->snd_sml = tp->write_seq;
+ tp->snd_up = tp->write_seq;
+--
+2.12.3
+
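Review bot: In __tcp_retransmit_skb() the new branch wraps a bare `WARN_ON_ONCE(1)` in `if (unlikely(...))`, although the macro already evaluates its argument as unlikely and returns it. The usual form is shorter and keeps the tested condition in one place: `if (WARN_ON_ONCE(before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))) return -EINVAL;`. The description says this state was reached through a crafted MSG_FASTOPEN send, so the `tcp_write_queue_purge(sk)` added in tcp_connect_init() is the actual fix and should carry a comment such as `/* write queue must be empty before snd_una/write_seq are re-initialised */`. Both functions continue outside their hunks.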
diff --git a/patches.fixes/0011-xfrm-fix-passing-zero-to-ERR_PTR-warning.patch b/patches.fixes/0011-xfrm-fix-passing-zero-to-ERR_PTR-warning.patch
new file mode 100644
index 0000000000..a0cca58803
--- /dev/null
+++ b/patches.fixes/0011-xfrm-fix-passing-zero-to-ERR_PTR-warning.patch
@@ -0,0 +1,41 @@
+From: YueHaibing <yuehaibing@huawei.com>
+Subject: xfrm: fix 'passing zero to ERR_PTR()' warning
+Patch-mainline: v4.19-rc1
+Git-commit: 934ffce1343f22ed5e2d0bd6da4440f4848074de
+References: git-fixes
+
+
+Fix a static code checker warning:
+
+ net/xfrm/xfrm_policy.c:1836 xfrm_resolve_and_create_bundle() warn: passing zero to 'ERR_PTR'
+
+xfrm_tmpl_resolve return 0 just means no xdst found, return NULL
+instead of passing zero to ERR_PTR.
+
+Fixes: d809ec895505 ("xfrm: do not assume that template resolving always returns xfrms")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_policy.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index e86a65292879..c82c695fa3fd 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1864,7 +1864,10 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
+ /* Try to instantiate a bundle */
+ err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family);
+ if (err <= 0) {
+- if (err != 0 && err != -EAGAIN)
++ if (err == 0)
++ return NULL;
++
++ if (err != -EAGAIN)
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
+ return ERR_PTR(err);
+ }
+--
+2.12.3
+
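Review bot: The new `return NULL;` in xfrm_resolve_and_create_bundle() makes explicit that the function has three kinds of result (a bundle, an ERR_PTR value, and NULL when `xfrm_tmpl_resolve()` returns 0), but nothing in the code says so. Behaviour is unchanged, since `ERR_PTR(0)` was already a NULL pointer, yet a caller that tests only `IS_ERR()` would take NULL for a valid bundle, and the callers are outside the hunk. I would add `/* nothing resolved: not an error, callers must handle NULL */` above the `if (err == 0)` line and mention the NULL return in the function's header comment.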
diff --git a/patches.fixes/0012-ip6_tunnel-collect_md-xmit-Use-ip_tunnel_key-s-provi.patch b/patches.fixes/0012-ip6_tunnel-collect_md-xmit-Use-ip_tunnel_key-s-provi.patch
new file mode 100644
index 0000000000..0fb0103115
--- /dev/null
+++ b/patches.fixes/0012-ip6_tunnel-collect_md-xmit-Use-ip_tunnel_key-s-provi.patch
@@ -0,0 +1,62 @@
+From: Shmulik Ladkani <shmulik@metanetworks.com>
+Subject: ip6_tunnel: collect_md xmit: Use ip_tunnel_key's
+ provided src address
+Patch-mainline: v4.19-rc1
+Git-commit: 3789cabaab1a939eb56edd76bbde2c2e49f081da
+References: git-fixes
+
+
+calculation purposes (flowi6 construction) and for assigning the
+packet's final ipv6h->saddr.
+
+This makes it impossible specifying a desired ipv6 local address in the
+encapsulating header (for example, when using tc action tunnel_key).
+
+This is also not aligned with behavior of ipip (ipv4) in collect_md
+mode, where the key->u.ipv4.src gets used.
+
+Fix, by assigning fl6.saddr with given key->u.ipv6.src.
+In case ipv6.src is not specified, ip6_tnl_xmit uses existing saddr
+selection code.
+
+Fixes: 8d79266bc48c ("ip6_tunnel: add collect_md mode to IPv6 tunnels")
+Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
+Reviewed-by: Eyal Birger <eyal.birger@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/ip6_tunnel.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
+index f626d3e5c8dc..92a0ff707023 100644
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1115,7 +1115,7 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield,
+ dst = NULL;
+ goto tx_err_link_failure;
+ }
+- if (t->parms.collect_md &&
++ if (t->parms.collect_md && ipv6_addr_any(&fl6->saddr) &&
+ ipv6_dev_get_saddr(net, ip6_dst_idev(dst)->dev,
+ &fl6->daddr, 0, &fl6->saddr))
+ goto tx_err_link_failure;
+@@ -1253,6 +1253,7 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
+ key = &tun_info->key;
+ memset(&fl6, 0, sizeof(fl6));
+ fl6.flowi6_proto = IPPROTO_IPIP;
++ fl6.saddr = key->u.ipv6.src;
+ fl6.daddr = key->u.ipv6.dst;
+ fl6.flowlabel = key->label;
+ dsfield = key->tos;
+@@ -1325,6 +1326,7 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
+ key = &tun_info->key;
+ memset(&fl6, 0, sizeof(fl6));
+ fl6.flowi6_proto = IPPROTO_IPV6;
++ fl6.saddr = key->u.ipv6.src;
+ fl6.daddr = key->u.ipv6.dst;
+ fl6.flowlabel = key->label;
+ dsfield = key->tos;
+--
+2.12.3
+
diff --git a/patches.fixes/0012-net-test-tailroom-before-appending-to-linear-skb.patch b/patches.fixes/0012-net-test-tailroom-before-appending-to-linear-skb.patch
new file mode 100644
index 0000000000..705d0dab79
--- /dev/null
+++ b/patches.fixes/0012-net-test-tailroom-before-appending-to-linear-skb.patch
@@ -0,0 +1,58 @@
+From: Willem de Bruijn <willemb@google.com>
+Subject: net: test tailroom before appending to linear skb
+Patch-mainline: v4.17-rc7
+Git-commit: 113f99c3358564a0647d444c2ae34e8b1abfd5b9
+References: git-fixes
+
+Device features may change during transmission. In particular with
+corking, a device may toggle scatter-gather in between allocating
+and writing to an skb.
+
+Do not unconditionally assume that !NETIF_F_SG at write time implies
+that the same held at alloc time and thus the skb has sufficient
+tailroom.
+
+This issue predates git history.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/ip_output.c | 3 ++-
+ net/ipv6/ip6_output.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index 41c5d8bdc768..c81916930652 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1042,7 +1042,8 @@ static int __ip_append_data(struct sock *sk,
+ if (copy > length)
+ copy = length;
+
+- if (!(rt->dst.dev->features&NETIF_F_SG)) {
++ if (!(rt->dst.dev->features&NETIF_F_SG) &&
++ skb_tailroom(skb) >= copy) {
+ unsigned int off;
+
+ off = skb->len;
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 42a97e490737..04729272dfb3 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1484,7 +1484,8 @@ static int __ip6_append_data(struct sock *sk,
+ if (copy > length)
+ copy = length;
+
+- if (!(rt->dst.dev->features&NETIF_F_SG)) {
++ if (!(rt->dst.dev->features&NETIF_F_SG) &&
++ skb_tailroom(skb) >= copy) {
+ unsigned int off;
+
+ off = skb->len;
+--
+2.12.3
+
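Review bot: The added `skb_tailroom(skb) >= copy` test in __ip_append_data(), and the identical one in __ip6_append_data(), now sends a device without NETIF_F_SG down the `else` path whenever the linear area is too small, and neither hunk says why that can happen. The reason given in the description (device features toggling between allocation and write, e.g. while corked) belongs next to the condition: `/* features may have changed since this skb was allocated; append linearly only if it really fits */`. The `else` branch is outside both hunks, so whether it is safe for an skb headed to a non-scatter-gather device cannot be confirmed from here and should be checked on the full function.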
diff --git a/patches.fixes/0013-ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch b/patches.fixes/0013-ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch
new file mode 100644
index 0000000000..5afd71b135
--- /dev/null
+++ b/patches.fixes/0013-ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch
@@ -0,0 +1,65 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Subject: ipv6: fix cleanup ordering for ip6_mr failure
+Patch-mainline: v4.19-rc3
+Git-commit: afe49de44c27a89e8e9631c44b5ffadf6ace65e2
+References: git-fixes
+
+
+Commit 15e668070a64 ("ipv6: reorder icmpv6_init() and ip6_mr_init()")
+moved the cleanup label for ipmr_fail, but should have changed the
+contents of the cleanup labels as well. Now we can end up cleaning up
+icmpv6 even though it hasn't been initialized (jump to icmp_fail or
+ipmr_fail).
+
+Simply undo things in the reverse order of their initialization.
+
+Example of panic (triggered by faking a failure of icmpv6_init):
+
+ kasan: GPF could be caused by NULL-ptr deref or user memory access
+ general protection fault: 0000 [#1] PREEMPT SMP KASAN PTI
+ [...]
+ RIP: 0010:__list_del_entry_valid+0x79/0x160
+ [...]
+ Call Trace:
+ ? lock_release+0x8a0/0x8a0
+ unregister_pernet_operations+0xd4/0x560
+ ? ops_free_list+0x480/0x480
+ ? down_write+0x91/0x130
+ ? unregister_pernet_subsys+0x15/0x30
+ ? down_read+0x1b0/0x1b0
+ ? up_read+0x110/0x110
+ ? kmem_cache_create_usercopy+0x1b4/0x240
+ unregister_pernet_subsys+0x1d/0x30
+ icmpv6_cleanup+0x1d/0x30
+ inet6_init+0x1b5/0x23f
+
+Fixes: 15e668070a64 ("ipv6: reorder icmpv6_init() and ip6_mr_init()")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/af_inet6.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 94b0cf2c2829..45873b1025d4 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -1085,11 +1085,11 @@ static int __init inet6_init(void)
+ igmp_fail:
+ ndisc_cleanup();
+ ndisc_fail:
+- ip6_mr_cleanup();
++ icmpv6_cleanup();
+ icmp_fail:
+- unregister_pernet_subsys(&inet6_net_ops);
++ ip6_mr_cleanup();
+ ipmr_fail:
+- icmpv6_cleanup();
++ unregister_pernet_subsys(&inet6_net_ops);
+ register_pernet_fail:
+ sock_unregister(PF_INET6);
+ rtnl_unregister_all(PF_INET6);
+--
+2.12.3
+
diff --git a/patches.fixes/0013-net-Fix-a-bug-in-removing-queues-from-XPS-map.patch b/patches.fixes/0013-net-Fix-a-bug-in-removing-queues-from-XPS-map.patch
new file mode 100644
index 0000000000..c833d893d3
--- /dev/null
+++ b/patches.fixes/0013-net-Fix-a-bug-in-removing-queues-from-XPS-map.patch
@@ -0,0 +1,35 @@
+From: Amritha Nambiar <amritha.nambiar@intel.com>
+Subject: net: Fix a bug in removing queues from XPS map
+Patch-mainline: v4.17-rc7
+Git-commit: 6358d49ac23995fdfe157cc8747ab0f274d3954b
+References: git-fixes
+
+While removing queues from the XPS map, the individual CPU ID
+alone was used to index the CPUs map, this should be changed to also
+factor in the traffic class mapping for the CPU-to-queue lookup.
+
+Fixes: 184c449f91fe ("net: Add support for XPS with QoS via traffic classes")
+Signed-off-by: Amritha Nambiar <amritha.nambiar@intel.com>
+Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 15880ba084a9..f259eb1b21b8 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2078,7 +2078,7 @@ static bool remove_xps_queue_cpu(struct net_device *dev,
+ int i, j;
+
+ for (i = count, j = offset; i--; j++) {
+- if (!remove_xps_queue(dev_maps, cpu, j))
++ if (!remove_xps_queue(dev_maps, tci, j))
+ break;
+ }
+
+--
+2.12.3
+
diff --git a/patches.fixes/0014-ipv6-fix-cleanup-ordering-for-pingv6-registration.patch b/patches.fixes/0014-ipv6-fix-cleanup-ordering-for-pingv6-registration.patch
new file mode 100644
index 0000000000..af792c0fe8
--- /dev/null
+++ b/patches.fixes/0014-ipv6-fix-cleanup-ordering-for-pingv6-registration.patch
@@ -0,0 +1,58 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Subject: ipv6: fix cleanup ordering for pingv6 registration
+Patch-mainline: v4.19-rc3
+Git-commit: a03dc36bdca6b614651fedfcd8559cf914d2d21d
+References: git-fixes
+
+
+Commit 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
+contains an error in the cleanup path of inet6_init(): when
+proto_register(&pingv6_prot, 1) fails, we try to unregister
+&pingv6_prot. When rawv6_init() fails, we skip unregistering
+&pingv6_prot.
+
+Example of panic (triggered by faking a failure of
+ proto_register(&pingv6_prot, 1)):
+
+ general protection fault: 0000 [#1] PREEMPT SMP KASAN PTI
+ [...]
+ RIP: 0010:__list_del_entry_valid+0x79/0x160
+ [...]
+ Call Trace:
+ proto_unregister+0xbb/0x550
+ ? trace_preempt_on+0x6f0/0x6f0
+ ? sock_no_shutdown+0x10/0x10
+ inet6_init+0x153/0x1b8
+
+Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/af_inet6.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 45873b1025d4..7f6e15e03ef5 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -911,14 +911,14 @@ static int __init inet6_init(void)
+
+ err = proto_register(&pingv6_prot, 1);
+ if (err)
+- goto out_unregister_ping_proto;
++ goto out_unregister_raw_proto;
+
+ /* We MUST register RAW sockets before we create the ICMP6,
+ * IGMP6, or NDISC control sockets.
+ */
+ err = rawv6_init();
+ if (err)
+- goto out_unregister_raw_proto;
++ goto out_unregister_ping_proto;
+
+ /* Register the family here so that the init calls below will
+ * be able to create sockets. (?? is this dangerous ??)
+--
+2.12.3
+
diff --git a/patches.fixes/0014-netfilter-nf_tables-fix-NULL-pointer-dereference-on-.patch b/patches.fixes/0014-netfilter-nf_tables-fix-NULL-pointer-dereference-on-.patch
new file mode 100644
index 0000000000..59aff0b412
--- /dev/null
+++ b/patches.fixes/0014-netfilter-nf_tables-fix-NULL-pointer-dereference-on-.patch
@@ -0,0 +1,164 @@
+From: Taehee Yoo <ap420073@gmail.com>
+Subject: netfilter: nf_tables: fix NULL pointer dereference on
+ nft_ct_helper_obj_dump()
+Patch-mainline: v4.17
+Git-commit: b71534583f22d08c3e3563bf5100aeb5f5c9fbe5
+References: git-fixes
+
+
+In the nft_ct_helper_obj_dump(), always priv->helper4 is dereferenced.
+But if family is ipv6, priv->helper6 should be dereferenced.
+
+Steps to reproduces:
+
+ #test.nft
+ table ip6 filter {
+ ct helper ftp {
+ type "ftp" protocol tcp
+ }
+ chain input {
+ type filter hook input priority 4;
+ ct helper set "ftp"
+ }
+ }
+
+ %nft -f test.nft
+ %nft list ruleset
+
+we can see the below messages:
+
+[ 916.286233] kasan: GPF could be caused by NULL-ptr deref or user memory access
+[ 916.294777] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
+[ 916.302613] Modules linked in: nft_objref nf_conntrack_sip nf_conntrack_snmp nf_conntrack_broadcast nf_conntrack_ftp nft_ct nf_conntrack nf_tables nfnetlink [last unloaded: nfnetlink]
+[ 916.318758] CPU: 1 PID: 2093 Comm: nft Not tainted 4.17.0-rc4+ #181
+[ 916.326772] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
+[ 916.338773] RIP: 0010:strlen+0x1a/0x90
+[ 916.342781] RSP: 0018:ffff88010ff0f2f8 EFLAGS: 00010292
+[ 916.346773] RAX: dffffc0000000000 RBX: ffff880119b26ee8 RCX: ffff88010c150038
+[ 916.354777] RDX: 0000000000000002 RSI: ffff880119b26ee8 RDI: 0000000000000010
+[ 916.362773] RBP: 0000000000000010 R08: 0000000000007e88 R09: ffff88010c15003c
+[ 916.370773] R10: ffff88010c150037 R11: ffffed002182a007 R12: ffff88010ff04040
+[ 916.378779] R13: 0000000000000010 R14: ffff880119b26f30 R15: ffff88010ff04110
+[ 916.387265] FS: 00007f57a1997700(0000) GS:ffff88011b800000(0000) knlGS:0000000000000000
+[ 916.394785] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 916.402778] CR2: 00007f57a0ac80f0 CR3: 000000010ff02000 CR4: 00000000001006e0
+[ 916.410772] Call Trace:
+[ 916.414787] nft_ct_helper_obj_dump+0x94/0x200 [nft_ct]
+[ 916.418779] ? nft_ct_set_eval+0x560/0x560 [nft_ct]
+[ 916.426771] ? memset+0x1f/0x40
+[ 916.426771] ? __nla_reserve+0x92/0xb0
+[ 916.434774] ? memcpy+0x34/0x50
+[ 916.434774] nf_tables_fill_obj_info+0x484/0x860 [nf_tables]
+[ 916.442773] ? __nft_release_basechain+0x600/0x600 [nf_tables]
+[ 916.450779] ? lock_acquire+0x193/0x380
+[ 916.454771] ? lock_acquire+0x193/0x380
+[ 916.458789] ? nf_tables_dump_obj+0x148/0xcb0 [nf_tables]
+[ 916.462777] nf_tables_dump_obj+0x5f0/0xcb0 [nf_tables]
+[ 916.470769] ? __alloc_skb+0x30b/0x500
+[ 916.474779] netlink_dump+0x752/0xb50
+[ 916.478775] __netlink_dump_start+0x4d3/0x750
+[ 916.482784] nf_tables_getobj+0x27a/0x930 [nf_tables]
+[ 916.490774] ? nft_obj_notify+0x100/0x100 [nf_tables]
+[ 916.494772] ? nf_tables_getobj+0x930/0x930 [nf_tables]
+[ 916.502579] ? nf_tables_dump_flowtable_done+0x70/0x70 [nf_tables]
+[ 916.506774] ? nft_obj_notify+0x100/0x100 [nf_tables]
+[ 916.514808] nfnetlink_rcv_msg+0x8ab/0xa86 [nfnetlink]
+[ 916.518771] ? nfnetlink_rcv_msg+0x550/0xa86 [nfnetlink]
+[ 916.526782] netlink_rcv_skb+0x23e/0x360
+[ 916.530773] ? nfnetlink_bind+0x200/0x200 [nfnetlink]
+[ 916.534778] ? debug_check_no_locks_freed+0x280/0x280
+[ 916.542770] ? netlink_ack+0x870/0x870
+[ 916.546786] ? ns_capable_common+0xf4/0x130
+[ 916.550765] nfnetlink_rcv+0x172/0x16c0 [nfnetlink]
+[ 916.554771] ? sched_clock_local+0xe2/0x150
+[ 916.558774] ? sched_clock_cpu+0x144/0x180
+[ 916.566575] ? lock_acquire+0x380/0x380
+[ 916.570775] ? sched_clock_local+0xe2/0x150
+[ 916.574765] ? nfnetlink_net_init+0x130/0x130 [nfnetlink]
+[ 916.578763] ? sched_clock_cpu+0x144/0x180
+[ 916.582770] ? lock_acquire+0x193/0x380
+[ 916.590771] ? lock_acquire+0x193/0x380
+[ 916.594766] ? lock_acquire+0x380/0x380
+[ 916.598760] ? netlink_deliver_tap+0x262/0xa60
+[ 916.602766] ? lock_acquire+0x193/0x380
+[ 916.606766] netlink_unicast+0x3ef/0x5a0
+[ 916.610771] ? netlink_attachskb+0x630/0x630
+[ 916.614763] netlink_sendmsg+0x72a/0xb00
+[ 916.618769] ? netlink_unicast+0x5a0/0x5a0
+[ 916.626766] ? _copy_from_user+0x92/0xc0
+[ 916.630773] __sys_sendto+0x202/0x300
+[ 916.634772] ? __ia32_sys_getpeername+0xb0/0xb0
+[ 916.638759] ? lock_acquire+0x380/0x380
+[ 916.642769] ? lock_acquire+0x193/0x380
+[ 916.646761] ? finish_task_switch+0xf4/0x560
+[ 916.650763] ? __schedule+0x582/0x19a0
+[ 916.655301] ? __sched_text_start+0x8/0x8
+[ 916.655301] ? up_read+0x1c/0x110
+[ 916.655301] ? __do_page_fault+0x48b/0xaa0
+[ 916.655301] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
+[ 916.655301] __x64_sys_sendto+0xdd/0x1b0
+[ 916.655301] do_syscall_64+0x96/0x3d0
+[ 916.655301] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 916.655301] RIP: 0033:0x7f57a0ff5e03
+[ 916.655301] RSP: 002b:00007fff6367e0a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+[ 916.655301] RAX: ffffffffffffffda RBX: 00007fff6367f1e0 RCX: 00007f57a0ff5e03
+[ 916.655301] RDX: 0000000000000020 RSI: 00007fff6367e110 RDI: 0000000000000003
+[ 916.655301] RBP: 00007fff6367e100 R08: 00007f57a0ce9160 R09: 000000000000000c
+[ 916.655301] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff6367e110
+[ 916.655301] R13: 0000000000000020 R14: 00007f57a153c610 R15: 0000562417258de0
+[ 916.655301] Code: ff ff ff 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 fa 53 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df 48 89 fd 48 83 ec 08 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f
+[ 916.655301] RIP: strlen+0x1a/0x90 RSP: ffff88010ff0f2f8
+[ 916.771929] ---[ end trace 1065e048e72479fe ]---
+[ 916.777204] Kernel panic - not syncing: Fatal exception
+[ 916.778158] Kernel Offset: 0x14000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nft_ct.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index 1678e9e75e8e..2cded8ee6d30 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -875,22 +875,26 @@ static int nft_ct_helper_obj_dump(struct sk_buff *skb,
+ struct nft_object *obj, bool reset)
+ {
+ const struct nft_ct_helper_obj *priv = nft_obj_data(obj);
+- const struct nf_conntrack_helper *helper = priv->helper4;
++ const struct nf_conntrack_helper *helper;
+ u16 family;
+
++ if (priv->helper4 && priv->helper6) {
++ family = NFPROTO_INET;
++ helper = priv->helper4;
++ } else if (priv->helper6) {
++ family = NFPROTO_IPV6;
++ helper = priv->helper6;
++ } else {
++ family = NFPROTO_IPV4;
++ helper = priv->helper4;
++ }
++
+ if (nla_put_string(skb, NFTA_CT_HELPER_NAME, helper->name))
+ return -1;
+
+ if (nla_put_u8(skb, NFTA_CT_HELPER_L4PROTO, priv->l4proto))
+ return -1;
+
+- if (priv->helper4 && priv->helper6)
+- family = NFPROTO_INET;
+- else if (priv->helper6)
+- family = NFPROTO_IPV6;
+- else
+- family = NFPROTO_IPV4;
+-
+ if (nla_put_be16(skb, NFTA_CT_HELPER_L3PROTO, htons(family)))
+ return -1;
+
+--
+2.12.3
+
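Review bot: The final `else` branch in nft_ct_helper_obj_dump() still takes `priv->helper4` unchecked, so the `helper->name` access right after it is only safe if an object can never exist with both helper4 and helper6 unset. That guarantee would have to come from the object's init path, which is not part of this hunk. If it holds, a one-line comment above the selection would record it, e.g. `/* init guarantees at least one of helper4/helper6 is set */`; if it does not, `if (!helper) return -1;` before the nla_put_string() call would cover that case. The function body continues past the end of the hunk.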
diff --git a/patches.fixes/0015-igmp-fix-incorrect-unsolicit-report-count-when-join-.patch b/patches.fixes/0015-igmp-fix-incorrect-unsolicit-report-count-when-join-.patch
new file mode 100644
index 0000000000..64f8a446a1
--- /dev/null
+++ b/patches.fixes/0015-igmp-fix-incorrect-unsolicit-report-count-when-join-.patch
@@ -0,0 +1,39 @@
+From: Hangbin Liu <liuhangbin@gmail.com>
+Subject: igmp: fix incorrect unsolicit report count when join
+ group
+Patch-mainline: v4.19-rc3
+Git-commit: 4fb7253e4f9a8f06a986a3b317e2f79d9b43d552
+References: git-fixes
+
+We should not start timer if im->unsolicit_count equal to 0 after decrease.
+Or we will send one more unsolicit report message. i.e. 3 instead of 2 by
+default.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/igmp.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index eaec888f3b6c..6afb20af0f93 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -820,10 +820,9 @@ static void igmp_timer_expire(unsigned long data)
+ spin_lock(&im->lock);
+ im->tm_running = 0;
+
+- if (im->unsolicit_count) {
+- im->unsolicit_count--;
++ if (im->unsolicit_count && --im->unsolicit_count)
+ igmp_start_timer(im, unsolicited_report_interval(in_dev));
+- }
++
+ im->reporter = 1;
+ spin_unlock(&im->lock);
+
+--
+2.12.3
+
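Review bot: The new condition `if (im->unsolicit_count && --im->unsolicit_count)` in igmp_timer_expire() hides the decrement inside the test, and it is only correct because of short-circuit evaluation order. A comment such as `/* decrement first: re-arm only if reports remain after this one */` would keep a later cleanup from splitting the expression and bringing back the extra report. The function starts and ends outside the hunk.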
diff --git a/patches.fixes/0015-netfilter-ebtables-handle-string-from-userspace-with.patch b/patches.fixes/0015-netfilter-ebtables-handle-string-from-userspace-with.patch
new file mode 100644
index 0000000000..f97ecde4f7
--- /dev/null
+++ b/patches.fixes/0015-netfilter-ebtables-handle-string-from-userspace-with.patch
@@ -0,0 +1,102 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Subject: netfilter: ebtables: handle string from userspace with
+ care
+Patch-mainline: v4.17
+Git-commit: 94c752f99954797da583a84c4907ff19e92550a4
+References: git-fixes
+
+strlcpy() can't be safely used on a user-space provided string,
+as it can try to read beyond the buffer's end, if the latter is
+not NULL terminated.
+
+Leveraging the above, syzbot has been able to trigger the following
+splat:
+
+BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300
+[inline]
+BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user
+net/bridge/netfilter/ebtables.c:1957 [inline]
+BUG: KASAN: stack-out-of-bounds in ebt_size_mwt
+net/bridge/netfilter/ebtables.c:2059 [inline]
+BUG: KASAN: stack-out-of-bounds in size_entry_mwt
+net/bridge/netfilter/ebtables.c:2155 [inline]
+BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0
+net/bridge/netfilter/ebtables.c:2194
+Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504
+
+CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ memcpy+0x37/0x50 mm/kasan/kasan.c:303
+ strlcpy include/linux/string.h:300 [inline]
+ compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
+ ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
+ size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
+ compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
+ compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285
+ compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367
+ compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
+ compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
+ compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279
+ inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041
+ compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901
+ compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050
+ __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403
+ __do_compat_sys_setsockopt net/compat.c:416 [inline]
+ __se_compat_sys_setsockopt net/compat.c:413 [inline]
+ __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413
+ do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
+ do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
+ entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7fb3cb9
+RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
+RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+The buggy address belongs to the page:
+page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0x2fffc0000000000()
+raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
+raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000
+page dumped because: kasan: bad access detected
+
+Fix the issue replacing the unsafe function with strscpy() and
+taking care of possible errors.
+
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/bridge/netfilter/ebtables.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 9b11e61c4b7e..546c20cf632e 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1950,7 +1950,8 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
+ int off, pad = 0;
+ unsigned int size_kern, match_size = mwt->match_size;
+
+- strlcpy(name, mwt->u.name, sizeof(name));
++ if (strscpy(name, mwt->u.name, sizeof(name)) < 0)
++ return -EINVAL;
+
+ if (state->buf_kern_start)
+ dst = state->buf_kern_start + state->buf_kern_offset;
+--
+2.12.3
+
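Review bot: The `strscpy(name, mwt->u.name, sizeof(name))` call in compat_mtw_from_user() bounds the read by the destination size, so it stays inside the source field only if `name` is no larger than `mwt->u.name`. The declaration of `name` is above the hunk, so that cannot be checked here. A compile-time guard next to the call, `BUILD_BUG_ON(sizeof(name) > sizeof(mwt->u.name));`, would pin the assumption. The `< 0` test also lets an empty name through, where the ipvs fix on this page rejects it with `<= 0`; that is probably intended, but a comment should say so.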
diff --git a/patches.fixes/0016-ipvs-fix-buffer-overflow-with-sync-daemon-and-servic.patch b/patches.fixes/0016-ipvs-fix-buffer-overflow-with-sync-daemon-and-servic.patch
new file mode 100644
index 0000000000..08f73e30d6
--- /dev/null
+++ b/patches.fixes/0016-ipvs-fix-buffer-overflow-with-sync-daemon-and-servic.patch
@@ -0,0 +1,147 @@
+From: Julian Anastasov <ja@ssi.bg>
+Subject: ipvs: fix buffer overflow with sync daemon and service
+Patch-mainline: v4.17
+Git-commit: 52f96757905bbf0edef47f3ee6c7c784e7f8ff8a
+References: git-fixes
+
+syzkaller reports for buffer overflow for interface name
+when starting sync daemons [1]
+
+What we do is that we copy user structure into larger stack
+buffer but later we search NUL past the stack buffer.
+The same happens for sched_name when adding/editing virtual server.
+
+We are restricted by IP_VS_SCHEDNAME_MAXLEN and IP_VS_IFNAME_MAXLEN
+being used as size in include/uapi/linux/ip_vs.h, so they
+include the space for NUL.
+
+As using strlcpy is wrong for unsafe source, replace it with
+strscpy and add checks to return EINVAL if source string is not
+NUL-terminated. The incomplete strlcpy fix comes from 2.6.13.
+
+For the netlink interface reduce the len parameter for
+IPVS_DAEMON_ATTR_MCAST_IFN and IPVS_SVC_ATTR_SCHED_NAME,
+so that we get proper EINVAL.
+
+[1]
+kernel BUG at lib/string.c:1052!
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
+RSP: 0018:ffff8801c976f800 EFLAGS: 00010282
+RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000
+RDX: 0000000000000022 RSI: ffffffff8160f6f1 RDI: ffffed00392edef6
+RBP: ffff8801c976f800 R08: ffff8801cf4c62c0 R09: ffffed003b5e4fb0
+R10: ffffed003b5e4fb0 R11: ffff8801daf27d87 R12: ffff8801c976fa20
+R13: ffff8801c976fae4 R14: ffff8801c976fae0 R15: 000000000000048b
+FS: 00007fd99f75e700(0000) GS:ffff8801daf00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000200001c0 CR3: 00000001d6843000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ strlen include/linux/string.h:270 [inline]
+ strlcpy include/linux/string.h:293 [inline]
+ do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388
+ nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
+ nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
+ ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
+ udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487
+ ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
+ tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057
+ sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046
+ __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
+ __do_sys_setsockopt net/socket.c:1914 [inline]
+ __se_sys_setsockopt net/socket.c:1911 [inline]
+ __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
+ do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x447369
+RSP: 002b:00007fd99f75dda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 00000000006e39e4 RCX: 0000000000447369
+RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000018 R09: 0000000000000000
+R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000006e39e0
+R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0000000000000001
+Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb
+de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90
+90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
+RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801c976f800
+
+Reported-and-tested-by: syzbot+aac887f77319868646df@syzkaller.appspotmail.com
+Fixes: e4ff67513096 ("ipvs: add sync_maxlen parameter for the sync daemon")
+Fixes: 4da62fc70d7c ("[IPVS]: Fix for overflows")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index ce51ba12c605..90dc25c5d938 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2383,8 +2383,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ struct ipvs_sync_daemon_cfg cfg;
+
+ memset(&cfg, 0, sizeof(cfg));
+- strlcpy(cfg.mcast_ifn, dm->mcast_ifn,
+- sizeof(cfg.mcast_ifn));
++ ret = -EINVAL;
++ if (strscpy(cfg.mcast_ifn, dm->mcast_ifn,
++ sizeof(cfg.mcast_ifn)) <= 0)
++ goto out_dec;
+ cfg.syncid = dm->syncid;
+ ret = start_sync_thread(ipvs, &cfg, dm->state);
+ } else {
+@@ -2422,12 +2424,19 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ }
+ }
+
++ if ((cmd == IP_VS_SO_SET_ADD || cmd == IP_VS_SO_SET_EDIT) &&
++ strnlen(usvc.sched_name, IP_VS_SCHEDNAME_MAXLEN) ==
++ IP_VS_SCHEDNAME_MAXLEN) {
++ ret = -EINVAL;
++ goto out_unlock;
++ }
++
+ /* Check for valid protocol: TCP or UDP or SCTP, even for fwmark!=0 */
+ if (usvc.protocol != IPPROTO_TCP && usvc.protocol != IPPROTO_UDP &&
+ usvc.protocol != IPPROTO_SCTP) {
+- pr_err("set_ctl: invalid protocol: %d %pI4:%d %s\n",
++ pr_err("set_ctl: invalid protocol: %d %pI4:%d\n",
+ usvc.protocol, &usvc.addr.ip,
+- ntohs(usvc.port), usvc.sched_name);
++ ntohs(usvc.port));
+ ret = -EFAULT;
+ goto out_unlock;
+ }
+@@ -2849,7 +2858,7 @@ static const struct nla_policy ip_vs_cmd_policy[IPVS_CMD_ATTR_MAX + 1] = {
+ static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = {
+ [IPVS_DAEMON_ATTR_STATE] = { .type = NLA_U32 },
+ [IPVS_DAEMON_ATTR_MCAST_IFN] = { .type = NLA_NUL_STRING,
+- .len = IP_VS_IFNAME_MAXLEN },
++ .len = IP_VS_IFNAME_MAXLEN - 1 },
+ [IPVS_DAEMON_ATTR_SYNC_ID] = { .type = NLA_U32 },
+ [IPVS_DAEMON_ATTR_SYNC_MAXLEN] = { .type = NLA_U16 },
+ [IPVS_DAEMON_ATTR_MCAST_GROUP] = { .type = NLA_U32 },
+@@ -2867,7 +2876,7 @@ static const struct nla_policy ip_vs_svc_policy[IPVS_SVC_ATTR_MAX + 1] = {
+ [IPVS_SVC_ATTR_PORT] = { .type = NLA_U16 },
+ [IPVS_SVC_ATTR_FWMARK] = { .type = NLA_U32 },
+ [IPVS_SVC_ATTR_SCHED_NAME] = { .type = NLA_NUL_STRING,
+- .len = IP_VS_SCHEDNAME_MAXLEN },
++ .len = IP_VS_SCHEDNAME_MAXLEN - 1 },
+ [IPVS_SVC_ATTR_PE_NAME] = { .type = NLA_NUL_STRING,
+ .len = IP_VS_PENAME_MAXLEN },
+ [IPVS_SVC_ATTR_FLAGS] = { .type = NLA_BINARY,
+--
+2.12.3
+
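Review bot: In ip_vs_svc_policy the `IPVS_SVC_ATTR_PE_NAME` entry keeps `.len = IP_VS_PENAME_MAXLEN` while the two other NLA_NUL_STRING attributes touched here are reduced to `MAXLEN - 1`. Whether the PE name is later copied into a fixed-size buffer the same way is not visible in these hunks, so this may be fine. The asymmetry still deserves either the same `- 1` or a comment saying why this attribute is exempt. Separately, the new sockopt checks return -EINVAL for an unterminated name, while the protocol check just below them still returns -EFAULT for bad input; that is existing behaviour, noted only for consistency. do_ip_vs_set_ctl() starts and ends outside the hunks.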
diff --git a/patches.fixes/0016-netfilter-nf_tables-release-chain-in-flushing-set.patch b/patches.fixes/0016-netfilter-nf_tables-release-chain-in-flushing-set.patch
new file mode 100644
index 0000000000..5e4f5e883a
--- /dev/null
+++ b/patches.fixes/0016-netfilter-nf_tables-release-chain-in-flushing-set.patch
@@ -0,0 +1,79 @@
+From: Taehee Yoo <ap420073@gmail.com>
+Subject: netfilter: nf_tables: release chain in flushing set
+Patch-mainline: v4.19-rc4
+Git-commit: 7acfda539c0b9636a58bfee56abfb3aeee806d96
+References: git-fixes
+
+When element of verdict map is deleted, the delete routine should
+release chain. however, flush element of verdict map routine doesn't
+release chain.
+
+test commands:
+ %nft add table ip filter
+ %nft add chain ip filter c1
+ %nft add map ip filter map1 { type ipv4_addr : verdict \; }
+ %nft add element ip filter map1 { 1 : jump c1 }
+ %nft flush map ip filter map1
+ %nft flush ruleset
+
+splat looks like:
+[ 4895.170899] kernel BUG at net/netfilter/nf_tables_api.c:1415!
+[ 4895.178114] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
+[ 4895.178880] CPU: 0 PID: 1670 Comm: nft Not tainted 4.18.0+ #55
+[ 4895.178880] RIP: 0010:nf_tables_chain_destroy.isra.28+0x39/0x220 [nf_tables]
+[ 4895.178880] Code: fc ff df 53 48 89 fb 48 83 c7 50 48 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 09 3c 03 7f 05 e8 3e 4c 25 e1 8b 43 50 85 c0 74 02 <0f> 0b 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02
+[ 4895.228342] RSP: 0018:ffff88010b98f4c0 EFLAGS: 00010202
+[ 4895.234841] RAX: 0000000000000001 RBX: ffff8801131c6968 RCX: ffff8801146585b0
+[ 4895.234841] RDX: 1ffff10022638d37 RSI: ffff8801191a9348 RDI: ffff8801131c69b8
+[ 4895.234841] RBP: ffff8801146585a8 R08: 1ffff1002323526a R09: 0000000000000000
+[ 4895.234841] R10: 0000000000000000 R11: 0000000000000000 R12: dead000000000200
+[ 4895.234841] R13: dead000000000100 R14: ffffffffa3638af8 R15: dffffc0000000000
+[ 4895.234841] FS: 00007f6d188e6700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000
+[ 4895.234841] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 4895.234841] CR2: 00007ffe72b8df88 CR3: 000000010e2d4000 CR4: 00000000001006f0
+[ 4895.234841] Call Trace:
+[ 4895.234841] nf_tables_commit+0x2704/0x2c70 [nf_tables]
+[ 4895.234841] ? nfnetlink_rcv_batch+0xa4f/0x11b0 [nfnetlink]
+[ 4895.234841] ? nf_tables_setelem_notify.constprop.48+0x1a0/0x1a0 [nf_tables]
+[ 4895.323824] ? __lock_is_held+0x9d/0x130
+[ 4895.323824] ? kasan_unpoison_shadow+0x30/0x40
+[ 4895.333299] ? kasan_kmalloc+0xa9/0xc0
+[ 4895.333299] ? kmem_cache_alloc_trace+0x2c0/0x310
+[ 4895.333299] ? nfnetlink_rcv_batch+0xa4f/0x11b0 [nfnetlink]
+[ 4895.333299] nfnetlink_rcv_batch+0xdb9/0x11b0 [nfnetlink]
+[ 4895.333299] ? debug_show_all_locks+0x290/0x290
+[ 4895.333299] ? nfnetlink_net_init+0x150/0x150 [nfnetlink]
+[ 4895.333299] ? sched_clock_cpu+0xe5/0x170
+[ 4895.333299] ? sched_clock_local+0xff/0x130
+[ 4895.333299] ? sched_clock_cpu+0xe5/0x170
+[ 4895.333299] ? find_held_lock+0x39/0x1b0
+[ 4895.333299] ? sched_clock_local+0xff/0x130
+[ 4895.333299] ? memset+0x1f/0x40
+[ 4895.333299] ? nla_parse+0x33/0x260
+[ 4895.333299] ? ns_capable_common+0x6e/0x110
+[ 4895.333299] nfnetlink_rcv+0x2c0/0x310 [nfnetlink]
+[ ... ]
+
+Fixes: 591054469b3e ("netfilter: nf_tables: revisit chain/object refcounting from elements")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nf_tables_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 02b79bde519f..4d424069b5d8 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4066,6 +4066,7 @@ static int nft_flush_set(const struct nft_ctx *ctx,
+ }
+ set->ndeact++;
+
++ nft_set_elem_deactivate(ctx->net, set, elem);
+ nft_trans_elem_set(trans) = set;
+ nft_trans_elem(trans) = *elem;
+ list_add_tail(&trans->list, &ctx->net->nft.commit_list);
+--
+2.12.3
+
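Review bot: The added `nft_set_elem_deactivate(ctx->net, set, elem);` in nft_flush_set() changes element state before the transaction is queued, and nothing in the hunk shows how that is undone if the batch aborts. The abort handling is outside this hunk, so it should be confirmed that elements queued by a flush are re-activated there; otherwise the chain use count could drift the other way. A comment on the new line, `/* release chain/object references held by the element, as the delete path does */`, would also explain why the call is needed. nft_flush_set() starts and ends outside the hunk.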
diff --git a/patches.fixes/0017-netfilter-bridge-Don-t-sabotage-nf_hook-calls-from-a.patch b/patches.fixes/0017-netfilter-bridge-Don-t-sabotage-nf_hook-calls-from-a.patch
new file mode 100644
index 0000000000..08807b67fd
--- /dev/null
+++ b/patches.fixes/0017-netfilter-bridge-Don-t-sabotage-nf_hook-calls-from-a.patch
@@ -0,0 +1,56 @@
+From: David Ahern <dsahern@gmail.com>
+Subject: netfilter: bridge: Don't sabotage nf_hook calls from an
+ l3mdev
+Patch-mainline: v4.19-rc7
+Git-commit: a173f066c7cfc031acb8f541708041e009fc9812
+References: git-fixes
+
+
+For starters, the bridge netfilter code registers operations that
+are invoked any time nh_hook is called. Specifically, ip_sabotage_in
+watches for nested calls for NF_INET_PRE_ROUTING when a bridge is in
+the stack.
+
+Packet wise, the bridge netfilter hook runs first. br_nf_pre_routing
+allocates nf_bridge, sets in_prerouting to 1 and calls NF_HOOK for
+NF_INET_PRE_ROUTING. It's finish function, br_nf_pre_routing_finish,
+then resets in_prerouting flag to 0 and the packet continues up the
+stack. The packet eventually makes it to the VRF driver and it invokes
+nf_hook for NF_INET_PRE_ROUTING in case any rules have been added against
+the vrf device.
+
+Because of the registered operations the call to nf_hook causes
+ip_sabotage_in to be invoked. That function sees the nf_bridge on the
+skb and that in_prerouting is not set. Thinking it is an invalid nested
+call it steals (drops) the packet.
+
+Update ip_sabotage_in to recognize that the bridge or one of its upper
+devices (e.g., vlan) can be enslaved to a VRF (L3 master device) and
+allow the packet to go through the nf_hook a second time.
+
+Fixes: 73e20b761acf ("net: vrf: Add support for PREROUTING rules on vrf device")
+Reported-by: D'Souza, Nelson <ndsouza@ciena.com>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/bridge/br_netfilter_hooks.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index e13952d3c0b1..0a2771c13276 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -833,7 +833,8 @@ static unsigned int ip_sabotage_in(void *priv,
+ struct sk_buff *skb,
+ const struct nf_hook_state *state)
+ {
+- if (skb->nf_bridge && !skb->nf_bridge->in_prerouting) {
++ if (skb->nf_bridge && !skb->nf_bridge->in_prerouting &&
++ !netif_is_l3_master(skb->dev)) {
+ state->okfn(state->net, state->sk, skb);
+ return NF_STOLEN;
+ }
+--
+2.12.3
+
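Review bot: The extra `!netif_is_l3_master(skb->dev)` test in ip_sabotage_in() has no comment, and without the commit message it reads as an arbitrary exemption from the nested-call check. Suggest `/* a VRF (l3mdev) re-runs PRE_ROUTING after the bridge cleared in_prerouting; that is not a nested call */` above the condition. The exemption applies to every packet whose skb->dev is an L3 master, so such packets now traverse the PRE_ROUTING hooks a second time. That matches the description, but rule sets written for the bridge pass alone should be rechecked against it.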
diff --git a/patches.fixes/0017-xfrm6-avoid-potential-infinite-loop-in-_decode_sessi.patch b/patches.fixes/0017-xfrm6-avoid-potential-infinite-loop-in-_decode_sessi.patch
new file mode 100644
index 0000000000..445826bdfa
--- /dev/null
+++ b/patches.fixes/0017-xfrm6-avoid-potential-infinite-loop-in-_decode_sessi.patch
@@ -0,0 +1,100 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: xfrm6: avoid potential infinite loop in
+ _decode_session6()
+Patch-mainline: v4.17
+Git-commit: d9f92772e8ec388d070752ee8f187ef8fa18621f
+References: git-fixes
+
+
+syzbot found a way to trigger an infinitie loop by overflowing
+@offset variable that has been forced to use u16 for some very
+obscure reason in the past.
+
+We probably want to look at NEXTHDR_FRAGMENT handling which looks
+wrong, in a separate patch.
+
+In net-next, we shall try to use skb_header_pointer() instead of
+pskb_may_pull().
+
+watchdog: BUG: soft lockup - CPU#1 stuck for 134s! [syz-executor738:4553]
+Modules linked in:
+irq event stamp: 13885653
+hardirqs last enabled at (13885652): [<ffffffff878009d5>] restore_regs_and_return_to_kernel+0x0/0x2b
+hardirqs last disabled at (13885653): [<ffffffff87800905>] interrupt_entry+0xb5/0xf0 arch/x86/entry/entry_64.S:625
+softirqs last enabled at (13614028): [<ffffffff84df0809>] tun_napi_alloc_frags drivers/net/tun.c:1478 [inline]
+softirqs last enabled at (13614028): [<ffffffff84df0809>] tun_get_user+0x1dd9/0x4290 drivers/net/tun.c:1825
+softirqs last disabled at (13614032): [<ffffffff84df1b6f>] tun_get_user+0x313f/0x4290 drivers/net/tun.c:1942
+CPU: 1 PID: 4553 Comm: syz-executor738 Not tainted 4.17.0-rc3+ #40
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:check_kcov_mode kernel/kcov.c:67 [inline]
+RIP: 0010:__sanitizer_cov_trace_pc+0x20/0x50 kernel/kcov.c:101
+RSP: 0018:ffff8801d8cfe250 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
+RAX: ffff8801d88a8080 RBX: ffff8801d7389e40 RCX: 0000000000000006
+RDX: 0000000000000000 RSI: ffffffff868da4ad RDI: ffff8801c8a53277
+RBP: ffff8801d8cfe250 R08: ffff8801d88a8080 R09: ffff8801d8cfe3e8
+R10: ffffed003b19fc87 R11: ffff8801d8cfe43f R12: ffff8801c8a5327f
+R13: 0000000000000000 R14: ffff8801c8a4e5fe R15: ffff8801d8cfe3e8
+FS: 0000000000d88940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffff600400 CR3: 00000001acab3000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ _decode_session6+0xc1d/0x14f0 net/ipv6/xfrm6_policy.c:150
+ __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2368
+ xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline]
+ icmpv6_route_lookup+0x395/0x6e0 net/ipv6/icmp.c:372
+ icmp6_send+0x1982/0x2da0 net/ipv6/icmp.c:551
+ icmpv6_send+0x17a/0x300 net/ipv6/ip6_icmp.c:43
+ ip6_input_finish+0x14e1/0x1a30 net/ipv6/ip6_input.c:305
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip6_input+0xe1/0x5e0 net/ipv6/ip6_input.c:327
+ dst_input include/net/dst.h:450 [inline]
+ ip6_rcv_finish+0x29c/0xa10 net/ipv6/ip6_input.c:71
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ipv6_rcv+0xeb8/0x2040 net/ipv6/ip6_input.c:208
+ __netif_receive_skb_core+0x2468/0x3650 net/core/dev.c:4646
+ __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4711
+ netif_receive_skb_internal+0x126/0x7b0 net/core/dev.c:4785
+ napi_frags_finish net/core/dev.c:5226 [inline]
+ napi_gro_frags+0x631/0xc40 net/core/dev.c:5299
+ tun_get_user+0x3168/0x4290 drivers/net/tun.c:1951
+ tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:1996
+ call_write_iter include/linux/fs.h:1784 [inline]
+ do_iter_readv_writev+0x859/0xa50 fs/read_write.c:680
+ do_iter_write+0x185/0x5f0 fs/read_write.c:959
+ vfs_writev+0x1c7/0x330 fs/read_write.c:1004
+ do_writev+0x112/0x2f0 fs/read_write.c:1039
+ __do_sys_writev fs/read_write.c:1112 [inline]
+ __se_sys_writev fs/read_write.c:1109 [inline]
+ __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109
+ do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Reported-by: syzbot+0053c8...@syzkaller.appspotmail.com
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/xfrm6_policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
+index 79651bc71bf0..7d89acf2fdd6 100644
+--- a/net/ipv6/xfrm6_policy.c
++++ b/net/ipv6/xfrm6_policy.c
+@@ -119,7 +119,7 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
+ struct flowi6 *fl6 = &fl->u.ip6;
+ int onlyproto = 0;
+ const struct ipv6hdr *hdr = ipv6_hdr(skb);
+- u16 offset = sizeof(*hdr);
++ u32 offset = sizeof(*hdr);
+ struct ipv6_opt_hdr *exthdr;
+ const unsigned char *nh = skb_network_header(skb);
+ u16 nhoff = IP6CB(skb)->nhoff;
+--
+2.12.3
+
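Review bot: Widening `offset` to u32 in _decode_session6() removes the 16-bit wrap, but the declaration carries no comment, and the commit message itself calls the old u16 choice obscure. A short note such as `/* u32: extension-header lengths accumulate here and must not wrap */` would stop someone from narrowing it again to match the u16 `nhoff` declared a few lines below. The loop that advances `offset` is outside the hunk, so whether it has an explicit upper bound besides the pskb_may_pull() check cannot be confirmed here.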
diff --git a/patches.fixes/0018-sctp-fix-identification-of-new-acks-for-SFR-CACC.patch b/patches.fixes/0018-sctp-fix-identification-of-new-acks-for-SFR-CACC.patch
new file mode 100644
index 0000000000..4c76abe212
--- /dev/null
+++ b/patches.fixes/0018-sctp-fix-identification-of-new-acks-for-SFR-CACC.patch
@@ -0,0 +1,120 @@
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Subject: sctp: fix identification of new acks for SFR-CACC
+Patch-mainline: v4.18-rc1
+Git-commit: 51446780fc33e45cb790c05a7fa2c5bf7e8bc53b
+References: git-fixes
+
+
+It's currently written as:
+
+if (!tchunk->tsn_gap_acked) { [1]
+ tchunk->tsn_gap_acked = 1;
+ ...
+}
+
+if (TSN_lte(tsn, sack_ctsn)) {
+ if (!tchunk->tsn_gap_acked) {
+ /* SFR-CACC processing */
+ ...
+ }
+}
+
+Which causes the SFR-CACC processing on ack reception to never process,
+as tchunk->tsn_gap_acked is always true by then. Block [1] was
+moved to that position by the commit marked below.
+
+This patch fixes it by doing SFR-CACC processing earlier, before
+tsn_gap_acked is set to true.
+
+Fixes: 31b02e154940 ("sctp: Failover transmitted list on transport delete")
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/sctp/outqueue.c | 48 +++++++++++++++++++++++-------------------------
+ 1 file changed, 23 insertions(+), 25 deletions(-)
+
+diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
+index 05be058255ea..b3f44daf3af6 100644
+--- a/net/sctp/outqueue.c
++++ b/net/sctp/outqueue.c
+@@ -1447,7 +1447,7 @@ static void sctp_check_transmitted(struct sctp_outq *q,
+ * the outstanding bytes for this chunk, so only
+ * count bytes associated with a transport.
+ */
+- if (transport) {
++ if (transport && !tchunk->tsn_gap_acked) {
+ /* If this chunk is being used for RTT
+ * measurement, calculate the RTT and update
+ * the RTO using this value.
+@@ -1459,14 +1459,34 @@ static void sctp_check_transmitted(struct sctp_outq *q,
+ * first instance of the packet or a later
+ * instance).
+ */
+- if (!tchunk->tsn_gap_acked &&
+- !sctp_chunk_retransmitted(tchunk) &&
++ if (!sctp_chunk_retransmitted(tchunk) &&
+ tchunk->rtt_in_progress) {
+ tchunk->rtt_in_progress = 0;
+ rtt = jiffies - tchunk->sent_at;
+ sctp_transport_update_rto(transport,
+ rtt);
+ }
++
++ if (TSN_lte(tsn, sack_ctsn)) {
++ /*
++ * SFR-CACC algorithm:
++ * 2) If the SACK contains gap acks
++ * and the flag CHANGEOVER_ACTIVE is
++ * set the receiver of the SACK MUST
++ * take the following action:
++ *
++ * B) For each TSN t being acked that
++ * has not been acked in any SACK so
++ * far, set cacc_saw_newack to 1 for
++ * the destination that the TSN was
++ * sent to.
++ */
++ if (sack->num_gap_ack_blocks &&
++ q->asoc->peer.primary_path->cacc.
++ changeover_active)
++ transport->cacc.cacc_saw_newack
++ = 1;
++ }
+ }
+
+ /* If the chunk hasn't been marked as ACKED,
+@@ -1498,28 +1518,6 @@ static void sctp_check_transmitted(struct sctp_outq *q,
+ restart_timer = 1;
+ forward_progress = true;
+
+- if (!tchunk->tsn_gap_acked) {
+- /*
+- * SFR-CACC algorithm:
+- * 2) If the SACK contains gap acks
+- * and the flag CHANGEOVER_ACTIVE is
+- * set the receiver of the SACK MUST
+- * take the following action:
+- *
+- * B) For each TSN t being acked that
+- * has not been acked in any SACK so
+- * far, set cacc_saw_newack to 1 for
+- * the destination that the TSN was
+- * sent to.
+- */
+- if (transport &&
+- sack->num_gap_ack_blocks &&
+- q->asoc->peer.primary_path->cacc.
+- changeover_active)
+- transport->cacc.cacc_saw_newack
+- = 1;
+- }
+-
+ list_add_tail(&tchunk->transmitted_list,
+ &q->sacked);
+ } else {
+--
+2.12.3
+
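Review bot: The "has not been acked in any SACK so far" condition from the SFR-CACC comment is now carried by the outer guard `if (transport && !tchunk->tsn_gap_acked)`, well above the block it protects, and nothing at that line says both the RTT sample and the SFR-CACC step depend on it. The comment still visible above the guard only talks about counting bytes for a transport. I would add a line there such as `/* first ack of this TSN: RTT sampling and SFR-CACC below must run before tsn_gap_acked is set */`, so a later reorder does not bring back the bug this patch fixes. sctp_check_transmitted() starts and ends outside the hunks, so where `tsn_gap_acked` is set is not visible here.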
diff --git a/patches.fixes/0018-xfrm-Validate-address-prefix-lengths-in-the-xfrm-sel.patch b/patches.fixes/0018-xfrm-Validate-address-prefix-lengths-in-the-xfrm-sel.patch
new file mode 100644
index 0000000000..ff30ba6ee7
--- /dev/null
+++ b/patches.fixes/0018-xfrm-Validate-address-prefix-lengths-in-the-xfrm-sel.patch
@@ -0,0 +1,64 @@
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Subject: xfrm: Validate address prefix lengths in the xfrm
+ selector
+Patch-mainline: v4.19-rc7
+Git-commit: 07bf7908950a8b14e81aa1807e3c667eab39287a
+References: git-fixes
+
+
+We don't validate the address prefix lengths in the xfrm
+selector we got from userspace. This can lead to undefined
+behaviour in the address matching functions if the prefix
+is too big for the given address family. Fix this by checking
+the prefixes and refuse SA/policy insertation when a prefix
+is invalid.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Air Icy <icytxw@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_user.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 5e8f4f3fbe6b..aff0fce28555 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -156,10 +156,16 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+ err = -EINVAL;
+ switch (p->family) {
+ case AF_INET:
++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
++ goto out;
++
+ break;
+
+ case AF_INET6:
+ #if IS_ENABLED(CONFIG_IPV6)
++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
++ goto out;
++
+ break;
+ #else
+ err = -EAFNOSUPPORT;
+@@ -1352,10 +1358,16 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
+
+ switch (p->sel.family) {
+ case AF_INET:
++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
++ return -EINVAL;
++
+ break;
+
+ case AF_INET6:
+ #if IS_ENABLED(CONFIG_IPV6)
++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
++ return -EINVAL;
++
+ break;
+ #else
+ return -EAFNOSUPPORT;
+--
+2.12.3
+
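Review bot: In verify_newsa_info() the new prefix bounds are chosen by the existing `switch (p->family)`, which is the SA's address family, while the lengths being checked belong to the selector, which has its own family field (the verify_newpolicy_info() hunk switches on `p->sel.family`). If the two can differ, as they appear to for inter-family configurations, an IPv4 selector on an AF_INET6 SA would still pass with a prefix length up to 128. That leaves the undefined behaviour in the address matching functions that the description sets out to close. I would key the SA-side check on the selector as well, with a separate `switch (p->sel.family)` for the two prefix tests, and confirm which family applies when `sel.family` is unset. Both function bodies continue outside the hunks.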
diff --git a/patches.fixes/0019-ip_tunnel-Fix-name-string-concatenate-in-__ip_tunnel.patch b/patches.fixes/0019-ip_tunnel-Fix-name-string-concatenate-in-__ip_tunnel.patch
new file mode 100644
index 0000000000..e06411857d
--- /dev/null
+++ b/patches.fixes/0019-ip_tunnel-Fix-name-string-concatenate-in-__ip_tunnel.patch
@@ -0,0 +1,39 @@
+From: Sultan Alsawaf <sultanxda@gmail.com>
+Subject: ip_tunnel: Fix name string concatenate in
+ __ip_tunnel_create()
+Patch-mainline: v4.18-rc1
+Git-commit: 000ade8016400d93b4d7c89970d96b8c14773d45
+References: git-fixes
+
+
+By passing a limit of 2 bytes to strncat, strncat is limited to writing
+fewer bytes than what it's supposed to append to the name here.
+
+Since the bounds are checked on the line above this, just remove the string
+bounds checks entirely since they're unneeded.
+
+Signed-off-by: Sultan Alsawaf <sultanxda@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/ip_tunnel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
+index 440a289ebd68..9b5d313f445c 100644
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -261,8 +261,8 @@ static struct net_device *__ip_tunnel_create(struct net *net,
+ } else {
+ if (strlen(ops->kind) > (IFNAMSIZ - 3))
+ goto failed;
+- strlcpy(name, ops->kind, IFNAMSIZ);
+- strncat(name, "%d", 2);
++ strcpy(name, ops->kind);
++ strcat(name, "%d");
+ }
+
+ ASSERT_RTNL();
+--
+2.12.3
+
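Review bot: After this change the only thing keeping `strcpy(name, ops->kind)` and `strcat(name, "%d")` inside the buffer is the `strlen(ops->kind) > (IFNAMSIZ - 3)` test two lines above, and the code does not say so. Anyone who moves or relaxes that test turns these into unbounded writes. I would either add `/* length checked above: kind + "%d" + NUL fits in IFNAMSIZ */` before the copy, or keep bounded calls with the correct limit, `strlcpy(name, ops->kind, IFNAMSIZ);` followed by `strlcat(name, "%d", IFNAMSIZ);`. The declaration of `name` is outside the hunk, so its size being IFNAMSIZ is assumed here.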
diff --git a/patches.fixes/0019-xfrm6-call-kfree_skb-when-skb-is-toobig.patch b/patches.fixes/0019-xfrm6-call-kfree_skb-when-skb-is-toobig.patch
new file mode 100644
index 0000000000..0e43e4edac
--- /dev/null
+++ b/patches.fixes/0019-xfrm6-call-kfree_skb-when-skb-is-toobig.patch
@@ -0,0 +1,46 @@
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Subject: xfrm6: call kfree_skb when skb is toobig
+Patch-mainline: v4.19-rc7
+Git-commit: 215ab0f021c9fea3c18b75e7d522400ee6a49990
+References: git-fixes
+
+
+After commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ("vti6: fix PMTU caching
+and reporting on xmit"), some too big skbs might be potentially passed down to
+__xfrm6_output, causing it to fail to transmit but not free the skb, causing a
+leak of skb, and consequentially a leak of dst references.
+
+After running pmtu.sh, that shows as failure to unregister devices in a namespace:
+
+[ 311.397671] unregister_netdevice: waiting for veth_b to become free. Usage count = 1
+
+The fix is to call kfree_skb in case of transmit failures.
+
+Fixes: dd767856a36e ("xfrm6: Don't call icmpv6_send on local error")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/xfrm6_output.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
+index 8ae87d4ec5ff..29dae7f2ff14 100644
+--- a/net/ipv6/xfrm6_output.c
++++ b/net/ipv6/xfrm6_output.c
+@@ -170,9 +170,11 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+
+ if (toobig && xfrm6_local_dontfrag(skb)) {
+ xfrm6_local_rxpmtu(skb, mtu);
++ kfree_skb(skb);
+ return -EMSGSIZE;
+ } else if (!skb->ignore_df && toobig && skb->sk) {
+ xfrm_local_error(skb, mtu);
++ kfree_skb(skb);
+ return -EMSGSIZE;
+ }
+
+--
+2.12.3
+
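Review bot: With the two added `kfree_skb(skb)` calls, __xfrm6_output() now consumes the skb when it returns -EMSGSIZE, but nothing at the return sites records that ownership rule. A caller that also frees the skb on error would turn the leak being fixed into a double free. The callers are outside the hunk, so this needs confirming rather than assuming. I would add `/* skb is consumed here; callers must not free it on -EMSGSIZE */` above the first call. The two branches now end in the same two statements and could share one exit path.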
diff --git a/patches.fixes/0020-netfilter-nf_tables-check-msg_type-before-nft_trans_.patch b/patches.fixes/0020-netfilter-nf_tables-check-msg_type-before-nft_trans_.patch
new file mode 100644
index 0000000000..a1ededb25d
--- /dev/null
+++ b/patches.fixes/0020-netfilter-nf_tables-check-msg_type-before-nft_trans_.patch
@@ -0,0 +1,145 @@
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Subject: netfilter: nf_tables: check msg_type before
+ nft_trans_set(trans)
+Patch-mainline: v4.18-rc1
+Git-commit: 9c7f96fd77b0dbe1fe7ed1f9c462c45dc48a1076
+References: git-fixes
+
+
+The patch moves the "trans->msg_type == NFT_MSG_NEWSET" check before
+using nft_trans_set(trans). Otherwise we can get out of bounds read.
+
+For example, KASAN reported the one when running 0001_cache_handling_0 nft
+test. In this case "trans->msg_type" was NFT_MSG_NEWTABLE:
+
+[75517.177808] BUG: KASAN: slab-out-of-bounds in nft_set_lookup_global+0x22f/0x270 [nf_tables]
+[75517.279094] Read of size 8 at addr ffff881bdb643fc8 by task nft/7356
+...
+[75517.375605] CPU: 26 PID: 7356 Comm: nft Tainted: G E 4.17.0-rc7.1.x86_64 #1
+[75517.489587] Hardware name: Oracle Corporation SUN SERVER X4-2
+[75517.618129] Call Trace:
+[75517.648821] dump_stack+0xd1/0x13b
+[75517.691040] ? show_regs_print_info+0x5/0x5
+[75517.742519] ? kmsg_dump_rewind_nolock+0xf5/0xf5
+[75517.799300] ? lock_acquire+0x143/0x310
+[75517.846738] print_address_description+0x85/0x3a0
+[75517.904547] kasan_report+0x18d/0x4b0
+[75517.949892] ? nft_set_lookup_global+0x22f/0x270 [nf_tables]
+[75518.019153] ? nft_set_lookup_global+0x22f/0x270 [nf_tables]
+[75518.088420] ? nft_set_lookup_global+0x22f/0x270 [nf_tables]
+[75518.157689] nft_set_lookup_global+0x22f/0x270 [nf_tables]
+[75518.224869] nf_tables_newsetelem+0x1a5/0x5d0 [nf_tables]
+[75518.291024] ? nft_add_set_elem+0x2280/0x2280 [nf_tables]
+[75518.357154] ? nla_parse+0x1a5/0x300
+[75518.401455] ? kasan_kmalloc+0xa6/0xd0
+[75518.447842] nfnetlink_rcv+0xc43/0x1bdf [nfnetlink]
+[75518.507743] ? nfnetlink_rcv+0x7a5/0x1bdf [nfnetlink]
+[75518.569745] ? nfnl_err_reset+0x3c0/0x3c0 [nfnetlink]
+[75518.631711] ? lock_acquire+0x143/0x310
+[75518.679133] ? netlink_deliver_tap+0x9b/0x1070
+[75518.733840] ? kasan_unpoison_shadow+0x31/0x40
+[75518.788542] netlink_unicast+0x45d/0x680
+[75518.837111] ? __isolate_free_page+0x890/0x890
+[75518.891913] ? netlink_attachskb+0x6b0/0x6b0
+[75518.944542] netlink_sendmsg+0x6fa/0xd30
+[75518.993107] ? netlink_unicast+0x680/0x680
+[75519.043758] ? netlink_unicast+0x680/0x680
+[75519.094402] sock_sendmsg+0xd9/0x160
+[75519.138810] ___sys_sendmsg+0x64d/0x980
+[75519.186234] ? copy_msghdr_from_user+0x350/0x350
+[75519.243118] ? lock_downgrade+0x650/0x650
+[75519.292738] ? do_raw_spin_unlock+0x5d/0x250
+[75519.345456] ? _raw_spin_unlock+0x24/0x30
+[75519.395065] ? __handle_mm_fault+0xbde/0x3410
+[75519.448830] ? sock_setsockopt+0x3d2/0x1940
+[75519.500516] ? __lock_acquire.isra.25+0xdc/0x19d0
+[75519.558448] ? lock_downgrade+0x650/0x650
+[75519.608057] ? __audit_syscall_entry+0x317/0x720
+[75519.664960] ? __fget_light+0x58/0x250
+[75519.711325] ? __sys_sendmsg+0xde/0x170
+[75519.758850] __sys_sendmsg+0xde/0x170
+[75519.804193] ? __ia32_sys_shutdown+0x90/0x90
+[75519.856725] ? syscall_trace_enter+0x897/0x10e0
+[75519.912354] ? trace_event_raw_event_sys_enter+0x920/0x920
+[75519.979432] ? __audit_syscall_entry+0x720/0x720
+[75520.036118] do_syscall_64+0xa3/0x3d0
+[75520.081248] ? prepare_exit_to_usermode+0x47/0x1d0
+[75520.139904] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[75520.201680] RIP: 0033:0x7fc153320ba0
+[75520.245772] RSP: 002b:00007ffe294c3638 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+[75520.337708] RAX: ffffffffffffffda RBX: 00007ffe294c4820 RCX: 00007fc153320ba0
+[75520.424547] RDX: 0000000000000000 RSI: 00007ffe294c46b0 RDI: 0000000000000003
+[75520.511386] RBP: 00007ffe294c47b0 R08: 0000000000000004 R09: 0000000002114090
+[75520.598225] R10: 00007ffe294c30a0 R11: 0000000000000246 R12: 00007ffe294c3660
+[75520.684961] R13: 0000000000000001 R14: 00007ffe294c3650 R15: 0000000000000001
+
+[75520.790946] Allocated by task 7356:
+[75520.833994] kasan_kmalloc+0xa6/0xd0
+[75520.878088] __kmalloc+0x189/0x450
+[75520.920107] nft_trans_alloc_gfp+0x20/0x190 [nf_tables]
+[75520.983961] nf_tables_newtable+0xcd0/0x1bd0 [nf_tables]
+[75521.048857] nfnetlink_rcv+0xc43/0x1bdf [nfnetlink]
+[75521.108655] netlink_unicast+0x45d/0x680
+[75521.157013] netlink_sendmsg+0x6fa/0xd30
+[75521.205271] sock_sendmsg+0xd9/0x160
+[75521.249365] ___sys_sendmsg+0x64d/0x980
+[75521.296686] __sys_sendmsg+0xde/0x170
+[75521.341822] do_syscall_64+0xa3/0x3d0
+[75521.386957] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+[75521.467867] Freed by task 23454:
+[75521.507804] __kasan_slab_free+0x132/0x180
+[75521.558137] kfree+0x14d/0x4d0
+[75521.596005] free_rt_sched_group+0x153/0x280
+[75521.648410] sched_autogroup_create_attach+0x19a/0x520
+[75521.711330] ksys_setsid+0x2ba/0x400
+[75521.755529] __ia32_sys_setsid+0xa/0x10
+[75521.802850] do_syscall_64+0xa3/0x3d0
+[75521.848090] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+[75521.929000] The buggy address belongs to the object at ffff881bdb643f80
+ which belongs to the cache kmalloc-96 of size 96
+[75522.079797] The buggy address is located 72 bytes inside of
+ 96-byte region [ffff881bdb643f80, ffff881bdb643fe0)
+[75522.221234] The buggy address belongs to the page:
+[75522.280100] page:ffffea006f6d90c0 count:1 mapcount:0 mapping:0000000000000000 index:0x0
+[75522.377443] flags: 0x2fffff80000100(slab)
+[75522.426956] raw: 002fffff80000100 0000000000000000 0000000000000000 0000000180200020
+[75522.521275] raw: ffffea006e6fafc0 0000000c0000000c ffff881bf180f400 0000000000000000
+[75522.615601] page dumped because: kasan: bad access detected
+
+Fixes: 37a9cc525525 ("netfilter: nf_tables: add generation mask to sets")
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nf_tables_api.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index d627a479e332..02b79bde519f 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2564,12 +2564,13 @@ static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
+ u32 id = ntohl(nla_get_be32(nla));
+
+ list_for_each_entry(trans, &net->nft.commit_list, list) {
+- struct nft_set *set = nft_trans_set(trans);
++ if (trans->msg_type == NFT_MSG_NEWSET) {
++ struct nft_set *set = nft_trans_set(trans);
+
+- if (trans->msg_type == NFT_MSG_NEWSET &&
+- id == nft_trans_set_id(trans) &&
+- nft_active_genmask(set, genmask))
+- return set;
++ if (id == nft_trans_set_id(trans) &&
++ nft_active_genmask(set, genmask))
++ return set;
++ }
+ }
+ return ERR_PTR(-ENOENT);
+ }
+--
+2.12.3
+
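Review bot: The reason `trans->msg_type == NFT_MSG_NEWSET` has to be tested before `nft_trans_set(trans)` is given only in the commit message, so a later cleanup could fold the test back into one condition and reintroduce the out-of-bounds read. I would add a comment above the check, `/* trans data is a set transaction only for NFT_MSG_NEWSET; check before nft_trans_set() */`. An early `if (trans->msg_type != NFT_MSG_NEWSET) continue;` would express the same ordering with one level less nesting. Whether other walkers of `commit_list` in this file need the same ordering cannot be seen from this hunk.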
diff --git a/patches.fixes/0020-xfrm-reset-transport-header-back-to-network-header-a.patch b/patches.fixes/0020-xfrm-reset-transport-header-back-to-network-header-a.patch
new file mode 100644
index 0000000000..44631019c5
--- /dev/null
+++ b/patches.fixes/0020-xfrm-reset-transport-header-back-to-network-header-a.patch
@@ -0,0 +1,99 @@
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Subject: xfrm: reset transport header back to network header
+ after all input transforms ahave been applied
+Patch-mainline: v4.19-rc7
+Git-commit: bfc0698bebcb16d19ecfc89574ad4d696955e5d3
+References: git-fixes
+
+A policy may have been set up with multiple transforms (e.g., ESP
+and ipcomp). In this situation, the ingress IPsec processing
+iterates in xfrm_input() and applies each transform in turn,
+processing the nexthdr to find any additional xfrm that may apply.
+
+This patch resets the transport header back to network header
+only after the last transformation so that subsequent xfrms
+can find the correct transport header.
+
+Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
+Suggested-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/xfrm4_input.c | 1 +
+ net/ipv4/xfrm4_mode_transport.c | 4 +---
+ net/ipv6/xfrm6_input.c | 1 +
+ net/ipv6/xfrm6_mode_transport.c | 4 +---
+ 4 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
+index c794a9aa15f5..38018229b9d1 100644
+--- a/net/ipv4/xfrm4_input.c
++++ b/net/ipv4/xfrm4_input.c
+@@ -66,6 +66,7 @@ int xfrm4_transport_finish(struct sk_buff *skb, int async)
+
+ if (xo && (xo->flags & XFRM_GRO)) {
+ skb_mac_header_rebuild(skb);
++ skb_reset_transport_header(skb);
+ return 0;
+ }
+
+diff --git a/net/ipv4/xfrm4_mode_transport.c b/net/ipv4/xfrm4_mode_transport.c
+index 3d36644890bb..1ad2c2c4e250 100644
+--- a/net/ipv4/xfrm4_mode_transport.c
++++ b/net/ipv4/xfrm4_mode_transport.c
+@@ -46,7 +46,6 @@ static int xfrm4_transport_output(struct xfrm_state *x, struct sk_buff *skb)
+ static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ int ihl = skb->data - skb_transport_header(skb);
+- struct xfrm_offload *xo = xfrm_offload(skb);
+
+ if (skb->transport_header != skb->network_header) {
+ memmove(skb_transport_header(skb),
+@@ -54,8 +53,7 @@ static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ skb->network_header = skb->transport_header;
+ }
+ ip_hdr(skb)->tot_len = htons(skb->len + ihl);
+- if (!xo || !(xo->flags & XFRM_GRO))
+- skb_reset_transport_header(skb);
++ skb_reset_transport_header(skb);
+ return 0;
+ }
+
+diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
+index 7c5e582b1af8..520e9592d402 100644
+--- a/net/ipv6/xfrm6_input.c
++++ b/net/ipv6/xfrm6_input.c
+@@ -56,6 +56,7 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async)
+
+ if (xo && (xo->flags & XFRM_GRO)) {
+ skb_mac_header_rebuild(skb);
++ skb_reset_transport_header(skb);
+ return -1;
+ }
+
+diff --git a/net/ipv6/xfrm6_mode_transport.c b/net/ipv6/xfrm6_mode_transport.c
+index 9ad07a91708e..3c29da5defe6 100644
+--- a/net/ipv6/xfrm6_mode_transport.c
++++ b/net/ipv6/xfrm6_mode_transport.c
+@@ -51,7 +51,6 @@ static int xfrm6_transport_output(struct xfrm_state *x, struct sk_buff *skb)
+ static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ int ihl = skb->data - skb_transport_header(skb);
+- struct xfrm_offload *xo = xfrm_offload(skb);
+
+ if (skb->transport_header != skb->network_header) {
+ memmove(skb_transport_header(skb),
+@@ -60,8 +59,7 @@ static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ }
+ ipv6_hdr(skb)->payload_len = htons(skb->len + ihl -
+ sizeof(struct ipv6hdr));
+- if (!xo || !(xo->flags & XFRM_GRO))
+- skb_reset_transport_header(skb);
++ skb_reset_transport_header(skb);
+ return 0;
+ }
+
+--
+2.12.3
+
diff --git a/patches.fixes/0021-xfrm-reset-crypto_done-when-iterating-over-multiple-.patch b/patches.fixes/0021-xfrm-reset-crypto_done-when-iterating-over-multiple-.patch
new file mode 100644
index 0000000000..4f976d99f7
--- /dev/null
+++ b/patches.fixes/0021-xfrm-reset-crypto_done-when-iterating-over-multiple-.patch
@@ -0,0 +1,37 @@
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Subject: xfrm: reset crypto_done when iterating over multiple
+ input xfrms
+Patch-mainline: v4.19-rc7
+Git-commit: 782710e333a526780d65918d669cb96646983ba2
+References: git-fixes
+
+
+We only support one offloaded xfrm (we do not have devices that
+can handle more than one offload), so reset crypto_done in
+xfrm_input() when iterating over multiple transforms in xfrm_input,
+so that we can invoke the appropriate x->type->input for the
+non-offloaded transforms
+
+Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
+Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_input.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
+index 2ad91eb793fc..d212a0308f33 100644
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -441,6 +441,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
+ goto drop;
+ }
++ crypto_done = false;
+ } while (!err);
+
+ err = xfrm_rcv_cb(skb, family, x->type->proto, 0);
+--
+2.12.3
+
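Review bot: The added `crypto_done = false;` at the bottom of the loop body has no comment, and its purpose cannot be read from the surrounding lines. The commit message gives the reason: only one transform can be offloaded, and later ones must go through `x->type->input`. I would put that next to the assignment, `/* only the first xfrm may have been offloaded; later ones need x->type->input */`. xfrm_input() begins and continues outside the hunk, so the places where `crypto_done` is set and read are not visible here.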
diff --git a/patches.fixes/0022-ipvs-fix-check-on-xmit-to-non-local-addresses.patch b/patches.fixes/0022-ipvs-fix-check-on-xmit-to-non-local-addresses.patch
new file mode 100644
index 0000000000..ecf4e516f3
--- /dev/null
+++ b/patches.fixes/0022-ipvs-fix-check-on-xmit-to-non-local-addresses.patch
@@ -0,0 +1,42 @@
+From: Julian Anastasov <ja@ssi.bg>
+Subject: ipvs: fix check on xmit to non-local addresses
+Patch-mainline: v4.18-rc1
+Git-commit: 6fcc02e3c2bddeaf628fde3c6a5ab3216d45691a
+References: git-fixes
+
+There is mistake in the rt_mode_allow_non_local assignment.
+It should be used to check if sending to non-local addresses is
+allowed, now it checks if local addresses are allowed.
+
+As local addresses are allowed for most of the cases, the only
+places that are affected are for traffic to transparent cache
+servers:
+
+- bypass connections when cache server is not available
+- related ICMP in FORWARD hook when sent to cache server
+
+Fixes: 4a4739d56b00 ("ipvs: Pull out crosses_local_route_boundary logic")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipvs/ip_vs_xmit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
+index 2eab1e0400f4..6edbd8db80af 100644
+--- a/net/netfilter/ipvs/ip_vs_xmit.c
++++ b/net/netfilter/ipvs/ip_vs_xmit.c
+@@ -168,7 +168,7 @@ static inline bool crosses_local_route_boundary(int skb_af, struct sk_buff *skb,
+ bool new_rt_is_local)
+ {
+ bool rt_mode_allow_local = !!(rt_mode & IP_VS_RT_MODE_LOCAL);
+- bool rt_mode_allow_non_local = !!(rt_mode & IP_VS_RT_MODE_LOCAL);
++ bool rt_mode_allow_non_local = !!(rt_mode & IP_VS_RT_MODE_NON_LOCAL);
+ bool rt_mode_allow_redirect = !!(rt_mode & IP_VS_RT_MODE_RDR);
+ bool source_is_loopback;
+ bool old_rt_is_local;
+--
+2.12.3
+
diff --git a/patches.fixes/0023-netfilter-ebtables-reject-non-bridge-targets.patch b/patches.fixes/0023-netfilter-ebtables-reject-non-bridge-targets.patch
new file mode 100644
index 0000000000..d24b7de86e
--- /dev/null
+++ b/patches.fixes/0023-netfilter-ebtables-reject-non-bridge-targets.patch
@@ -0,0 +1,66 @@
+From: Florian Westphal <fw@strlen.de>
+Subject: netfilter: ebtables: reject non-bridge targets
+Patch-mainline: v4.18-rc1
+Git-commit: 11ff7288beb2b7da889a014aff0a7b80bf8efcf3
+References: git-fixes
+
+
+the ebtables evaluation loop expects targets to return
+positive values (jumps), or negative values (absolute verdicts).
+
+This is completely different from what xtables does.
+In xtables, targets are expected to return the standard netfilter
+verdicts, i.e. NF_DROP, NF_ACCEPT, etc.
+
+ebtables will consider these as jumps.
+
+Therefore reject any target found due to unspec fallback.
+v2: also reject watchers. ebtables ignores their return value, so
+a target that assumes skb ownership (and returns NF_STOLEN) causes
+use-after-free.
+
+The only watchers in the 'ebtables' front-end are log and nflog;
+both have AF_BRIDGE specific wrappers on kernel side.
+
+Reported-by: syzbot+2b43f681169a2a0d306a@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/bridge/netfilter/ebtables.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 546c20cf632e..a97cd8c3f1a7 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -402,6 +402,12 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
+ watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
+ if (IS_ERR(watcher))
+ return PTR_ERR(watcher);
++
++ if (watcher->family != NFPROTO_BRIDGE) {
++ module_put(watcher->me);
++ return -ENOENT;
++ }
++
+ w->u.watcher = watcher;
+
+ par->target = watcher;
+@@ -721,6 +727,13 @@ ebt_check_entry(struct ebt_entry *e, struct net *net,
+ goto cleanup_watchers;
+ }
+
++ /* Reject UNSPEC, xtables verdicts/return values are incompatible */
++ if (target->family != NFPROTO_BRIDGE) {
++ module_put(target->me);
++ ret = -ENOENT;
++ goto cleanup_watchers;
++ }
++
+ t->u.target = target;
+ if (t->u.target == &ebt_standard_target) {
+ if (gap < sizeof(struct ebt_standard_target)) {
+--
+2.12.3
+
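Review bot: The new family check in ebt_check_watcher() has no comment, while the matching check in ebt_check_entry() does, and the watcher case is the one with the memory-safety consequence described in the commit message. I would add `/* Reject UNSPEC: watcher return values are ignored, so a target that takes skb ownership would cause a use-after-free */` above `if (watcher->family != NFPROTO_BRIDGE)`. Both paths call `module_put()` before returning -ENOENT, which keeps them consistent. Both function bodies extend beyond the hunks.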
diff --git a/patches.fixes/0024-netfilter-x_tables-initialise-match-target-check-par.patch b/patches.fixes/0024-netfilter-x_tables-initialise-match-target-check-par.patch
new file mode 100644
index 0000000000..24704aa03b
--- /dev/null
+++ b/patches.fixes/0024-netfilter-x_tables-initialise-match-target-check-par.patch
@@ -0,0 +1,77 @@
+From: Florian Westphal <fw@strlen.de>
+Subject: netfilter: x_tables: initialise match/target check
+ parameter struct
+Patch-mainline: 4.18-rc1
+Git-commit: c568503ef02030f169c9e19204def610a3510918
+References: git-fixes
+
+
+syzbot reports following splat:
+
+BUG: KMSAN: uninit-value in ebt_stp_mt_check+0x24b/0x450
+ net/bridge/netfilter/ebt_stp.c:162
+ ebt_stp_mt_check+0x24b/0x450 net/bridge/netfilter/ebt_stp.c:162
+ xt_check_match+0x1438/0x1650 net/netfilter/x_tables.c:506
+ ebt_check_match net/bridge/netfilter/ebtables.c:372 [inline]
+ ebt_check_entry net/bridge/netfilter/ebtables.c:702 [inline]
+
+The uninitialised access is
+ xt_mtchk_param->nft_compat
+
+... which should be set to 0.
+Fix it by zeroing the struct beforehand, same for tgchk.
+
+ip(6)tables targetinfo uses c99-style initialiser, so no change
+needed there.
+
+Reported-by: syzbot+da4494182233c23a5fcf@syzkaller.appspotmail.com
+Fixes: 55917a21d0cc0 ("netfilter: x_tables: add context to know if extension runs from nft_compat")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/bridge/netfilter/ebtables.c | 2 ++
+ net/ipv4/netfilter/ip_tables.c | 1 +
+ net/ipv6/netfilter/ip6_tables.c | 1 +
+ 3 files changed, 4 insertions(+)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index a97cd8c3f1a7..d7418e1d70e8 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -706,6 +706,8 @@ ebt_check_entry(struct ebt_entry *e, struct net *net,
+ }
+ i = 0;
+
++ memset(&mtpar, 0, sizeof(mtpar));
++ memset(&tgpar, 0, sizeof(tgpar));
+ mtpar.net = tgpar.net = net;
+ mtpar.table = tgpar.table = name;
+ mtpar.entryinfo = tgpar.entryinfo = e;
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index b3b49c07b7af..7bf9d034112f 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -546,6 +546,7 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
+ return -ENOMEM;
+
+ j = 0;
++ memset(&mtpar, 0, sizeof(mtpar));
+ mtpar.net = net;
+ mtpar.table = name;
+ mtpar.entryinfo = &e->ip;
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index 7d2228be6fa5..f2b3b5879536 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -567,6 +567,7 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
+ return -ENOMEM;
+
+ j = 0;
++ memset(&mtpar, 0, sizeof(mtpar));
+ mtpar.net = net;
+ mtpar.table = name;
+ mtpar.entryinfo = &e->ipv6;
+--
+2.12.3
+
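Review bot: In the ip_tables.c and ip6_tables.c hunks only `mtpar` is zeroed, whereas the ebtables.c hunk zeroes both `mtpar` and `tgpar`, and the code does not say why the target side is left alone. The commit message explains that the ip(6)tables target parameters use a C99-style initialiser. That reason belongs next to the call, e.g. `/* target check params use a designated initialiser; only mtpar needs zeroing here */`. Because each `memset` is followed by field-by-field assignment, a field added to the struct later stays initialised only as long as the memset remains first. The declarations of `mtpar` and `tgpar` are outside the hunks.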
diff --git a/patches.fixes/0025-l2tp-only-accept-PPP-sessions-in-pppol2tp_connect.patch b/patches.fixes/0025-l2tp-only-accept-PPP-sessions-in-pppol2tp_connect.patch
new file mode 100644
index 0000000000..504fa0cd1e
--- /dev/null
+++ b/patches.fixes/0025-l2tp-only-accept-PPP-sessions-in-pppol2tp_connect.patch
@@ -0,0 +1,40 @@
+From: Guillaume Nault <g.nault@alphalink.fr>
+Subject: l2tp: only accept PPP sessions in pppol2tp_connect()
+Patch-mainline: v4.18-rc1
+Git-commit: 7ac6ab1f8a38ba7f8d97f95475bb6a2575db4658
+References: git-fixes
+
+l2tp_session_priv() returns a struct pppol2tp_session pointer only for
+PPPoL2TP sessions. In particular, if the session is an L2TP_PWTYPE_ETH
+pseudo-wire, l2tp_session_priv() returns a pointer to an l2tp_eth_sess
+structure, which is much smaller than struct pppol2tp_session. This
+leads to invalid memory dereference when trying to lock ps->sk_lock.
+
+Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/l2tp/l2tp_ppp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 6541e8103187..4718916e9bdc 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -746,6 +746,12 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
+ session = l2tp_session_get(sock_net(sk), tunnel, session_id);
+ if (session) {
+ drop_refcnt = true;
++
++ if (session->pwtype != L2TP_PWTYPE_PPP) {
++ error = -EPROTOTYPE;
++ goto end;
++ }
++
+ ps = l2tp_session_priv(session);
+
+ /* Using a pre-existing session is fine as long as it hasn't
+--
+2.12.3
+
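Review bot: The new `session->pwtype != L2TP_PWTYPE_PPP` test is what makes the following `ps = l2tp_session_priv(session)` safe to treat as a PPP session, and the code does not say so. I would add `/* l2tp_session_priv() is a struct pppol2tp_session only for PPP pseudo-wires */` above the check, so the ordering is not lost in a later refactor. The early `goto end` runs after `drop_refcnt = true`, so the reference taken by l2tp_session_get() is presumably released at `end`. That label is outside the hunk and should be checked. Any other place in this file that uses the l2tp_session_priv() result as a PPP session would need the same guard.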
diff --git a/patches.fixes/0026-l2tp-prevent-pppol2tp_connect-from-creating-kernel-s.patch b/patches.fixes/0026-l2tp-prevent-pppol2tp_connect-from-creating-kernel-s.patch
new file mode 100644
index 0000000000..025c5cdc0b
--- /dev/null
+++ b/patches.fixes/0026-l2tp-prevent-pppol2tp_connect-from-creating-kernel-s.patch
@@ -0,0 +1,49 @@
+From: Guillaume Nault <g.nault@alphalink.fr>
+Subject: l2tp: prevent pppol2tp_connect() from creating kernel
+ sockets
+Patch-mainline: v4.18-rc1
+Git-commit: 3e1bc8bf974e2d4e7beb842a4c801c2542eff3bd
+References: git-fixes
+
+
+If 'fd' is negative, l2tp_tunnel_create() creates a tunnel socket using
+the configuration passed in 'tcfg'. Currently, pppol2tp_connect() sets
+the relevant fields to zero, tricking l2tp_tunnel_create() into setting
+up an unusable kernel socket.
+
+We can't set 'tcfg' with the required fields because there's no way to
+get them from the current connect() parameters. So let's restrict
+kernel sockets creation to the netlink API, which is the original use
+case.
+
+Fixes: 789a4a2c61d8 ("l2tp: Add support for static unmanaged L2TPv3 tunnels")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/l2tp/l2tp_ppp.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 4718916e9bdc..a28829c2eb41 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -722,6 +722,15 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
+ .encap = L2TP_ENCAPTYPE_UDP,
+ .debug = 0,
+ };
++
++ /* Prevent l2tp_tunnel_register() from trying to set up
++ * a kernel socket.
++ */
++ if (fd < 0) {
++ error = -EBADF;
++ goto end;
++ }
++
+ error = l2tp_tunnel_create(sock_net(sk), fd, ver, tunnel_id, peer_tunnel_id, &tcfg, &tunnel);
+ if (error < 0)
+ goto end;
+--
+2.12.3
+
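Review bot: The added comment names l2tp_tunnel_register(), but the call that receives `fd` in this hunk is l2tp_tunnel_create(), which is also the function the commit message says creates the kernel socket. For this tree the comment would read better as `/* Prevent l2tp_tunnel_create() from trying to set up a kernel socket. */`. The guard itself is placed before the call and rejects a negative descriptor with -EBADF. pppol2tp_connect() continues outside the hunk.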
diff --git a/patches.fixes/0027-l2tp-filter-out-non-PPP-sessions-in-pppol2tp_tunnel_.patch b/patches.fixes/0027-l2tp-filter-out-non-PPP-sessions-in-pppol2tp_tunnel_.patch
new file mode 100644
index 0000000000..6505086df6
--- /dev/null
+++ b/patches.fixes/0027-l2tp-filter-out-non-PPP-sessions-in-pppol2tp_tunnel_.patch
@@ -0,0 +1,41 @@
+From: Guillaume Nault <g.nault@alphalink.fr>
+Subject: l2tp: filter out non-PPP sessions in
+ pppol2tp_tunnel_ioctl()
+Patch-mainline: v4.18-rc1
+Git-commit: ecd012e45ab5fd76ed57546865897ce35920f56b
+References: git-fixes
+
+
+pppol2tp_tunnel_ioctl() can act on an L2TPv3 tunnel, in which case
+'session' may be an Ethernet pseudo-wire.
+
+However, pppol2tp_session_ioctl() expects a PPP pseudo-wire, as it
+assumes l2tp_session_priv() points to a pppol2tp_session structure. For
+an Ethernet pseudo-wire l2tp_session_priv() points to an l2tp_eth_sess
+structure instead, making pppol2tp_session_ioctl() access invalid
+memory.
+
+Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/l2tp/l2tp_ppp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index a28829c2eb41..3cd4cce8338c 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -1214,7 +1214,7 @@ static int pppol2tp_tunnel_ioctl(struct l2tp_tunnel *tunnel,
+ l2tp_session_get(sock_net(sk), tunnel,
+ stats.session_id);
+
+- if (session) {
++ if (session && session->pwtype == L2TP_PWTYPE_PPP) {
+ err = pppol2tp_session_ioctl(session, cmd,
+ arg);
+ l2tp_session_dec_refcount(session);
+--
+2.12.3
+
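Review bot: With the new condition `session && session->pwtype == L2TP_PWTYPE_PPP` in pppol2tp_tunnel_ioctl(), a session that is found but is not a PPP pseudo-wire skips the block that holds `l2tp_session_dec_refcount(session)`, so the reference taken by l2tp_session_get() looks to be leaked on that path. Unless the branch that follows (outside the hunk) drops it, the non-PPP case should release the session before falling through, for example `if (session && session->pwtype != L2TP_PWTYPE_PPP) { l2tp_session_dec_refcount(session); session = NULL; }` ahead of the existing test. If mainline has a follow-up for this, it should be queued together with this patch.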
diff --git a/patches.fixes/0028-ipv6-mcast-fix-unsolicited-report-interval-after-rec.patch b/patches.fixes/0028-ipv6-mcast-fix-unsolicited-report-interval-after-rec.patch
new file mode 100644
index 0000000000..91b46dde8e
--- /dev/null
+++ b/patches.fixes/0028-ipv6-mcast-fix-unsolicited-report-interval-after-rec.patch
@@ -0,0 +1,60 @@
+From: Hangbin Liu <liuhangbin@gmail.com>
+Subject: ipv6: mcast: fix unsolicited report interval after
+ receiving querys
+Patch-mainline: v4.18-rc3
+Git-commit: 6c6da92808442908287fae8ebb0ca041a52469f4
+References: git-fixes
+
+After recieving MLD querys, we update idev->mc_maxdelay with max_delay
+from query header. This make the later unsolicited reports have the same
+interval with mc_maxdelay, which means we may send unsolicited reports with
+long interval time instead of default configured interval time.
+
+Also as we will not call ipv6_mc_reset() after device up. This issue will
+be there even after leave the group and join other groups.
+
+Fixes: fc4eba58b4c14 ("ipv6: make unsolicited report intervals configurable for mld")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/mcast.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
+index 0642884bb08f..3c6479b32b97 100644
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -2084,7 +2084,8 @@ void ipv6_mc_dad_complete(struct inet6_dev *idev)
+ mld_send_initial_cr(idev);
+ idev->mc_dad_count--;
+ if (idev->mc_dad_count)
+- mld_dad_start_timer(idev, idev->mc_maxdelay);
++ mld_dad_start_timer(idev,
++ unsolicited_report_interval(idev));
+ }
+ }
+
+@@ -2096,7 +2097,8 @@ static void mld_dad_timer_expire(unsigned long data)
+ if (idev->mc_dad_count) {
+ idev->mc_dad_count--;
+ if (idev->mc_dad_count)
+- mld_dad_start_timer(idev, idev->mc_maxdelay);
++ mld_dad_start_timer(idev,
++ unsolicited_report_interval(idev));
+ }
+ in6_dev_put(idev);
+ }
+@@ -2454,7 +2456,8 @@ static void mld_ifc_timer_expire(unsigned long data)
+ if (idev->mc_ifc_count) {
+ idev->mc_ifc_count--;
+ if (idev->mc_ifc_count)
+- mld_ifc_start_timer(idev, idev->mc_maxdelay);
++ mld_ifc_start_timer(idev,
++ unsolicited_report_interval(idev));
+ }
+ in6_dev_put(idev);
+ }
+--
+2.12.3
+
diff --git a/patches.fixes/0038-xfs-split-xfs_bmap_shift_extents.patch b/patches.fixes/0038-xfs-split-xfs_bmap_shift_extents.patch
index 38b5598818..960381715b 100644
--- a/patches.fixes/0038-xfs-split-xfs_bmap_shift_extents.patch
+++ b/patches.fixes/0038-xfs-split-xfs_bmap_shift_extents.patch
@@ -23,10 +23,10 @@ Acked-by: Nikolay Borisov <nborisov@suse.com>
3 files changed, 148 insertions(+), 73 deletions(-)
diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
-index 4062ec298497..186f4719a582 100644
+index d0118a2e51d3..47fb51774fcc 100644
--- a/fs/xfs/libxfs/xfs_bmap.c
+++ b/fs/xfs/libxfs/xfs_bmap.c
-@@ -5687,57 +5687,151 @@ xfs_bmse_shift_one(
+@@ -5700,57 +5700,151 @@ xfs_bmse_shift_one(
return xfs_rmap_map_extent(mp, dfops, ip, whichfork, &new);
}
@@ -78,10 +78,10 @@ index 4062ec298497..186f4719a582 100644
if (unlikely(XFS_TEST_ERROR(
(XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_EXTENTS &&
XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_BTREE),
- mp, XFS_ERRTAG_BMAPIFORMAT, XFS_RANDOM_BMAPIFORMAT))) {
+ mp, XFS_ERRTAG_BMAPIFORMAT))) {
- XFS_ERROR_REPORT("xfs_bmap_shift_extents",
- XFS_ERRLEVEL_LOW, mp);
-+ XFS_ERROR_REPORT("__func__", XFS_ERRLEVEL_LOW, mp);
++ XFS_ERROR_REPORT(__func__, XFS_ERRLEVEL_LOW, mp);
return -EFSCORRUPTED;
}
@@ -192,7 +192,7 @@ index 4062ec298497..186f4719a582 100644
+ if (unlikely(XFS_TEST_ERROR(
+ (XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_EXTENTS &&
+ XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_BTREE),
-+ mp, XFS_ERRTAG_BMAPIFORMAT, XFS_RANDOM_BMAPIFORMAT))) {
++ mp, XFS_ERRTAG_BMAPIFORMAT))) {
+ XFS_ERROR_REPORT(__func__, XFS_ERRLEVEL_LOW, mp);
+ return -EFSCORRUPTED;
+ }
@@ -208,7 +208,7 @@ index 4062ec298497..186f4719a582 100644
error = xfs_iread_extents(tp, ip, whichfork);
if (error)
return error;
-@@ -5757,7 +5851,7 @@ xfs_bmap_shift_extents(
+@@ -5770,7 +5864,7 @@ xfs_bmap_shift_extents(
*/
total_extents = xfs_iext_count(ifp);
if (total_extents == 0) {
@@ -217,7 +217,7 @@ index 4062ec298497..186f4719a582 100644
goto del_cursor;
}
-@@ -5765,12 +5859,10 @@ xfs_bmap_shift_extents(
+@@ -5778,12 +5872,10 @@ xfs_bmap_shift_extents(
* In case of first right shift, we need to initialize next_fsb
*/
if (*next_fsb == NULLFSBLOCK) {
@@ -231,7 +231,7 @@ index 4062ec298497..186f4719a582 100644
goto del_cursor;
}
*next_fsb = got.br_startoff;
-@@ -5785,46 +5877,27 @@ xfs_bmap_shift_extents(
+@@ -5798,46 +5890,27 @@ xfs_bmap_shift_extents(
*/
if (!xfs_iext_lookup_extent(ip, ifp, *next_fsb, &current_ext,
&got)) {
@@ -288,7 +288,7 @@ index 4062ec298497..186f4719a582 100644
}
xfs_iext_get_extent(ifp, current_ext, &got);
diff --git a/fs/xfs/libxfs/xfs_bmap.h b/fs/xfs/libxfs/xfs_bmap.h
-index 7eb1cf199138..cee680f01d87 100644
+index ba5a4835bb13..ca37030f4cfb 100644
--- a/fs/xfs/libxfs/xfs_bmap.h
+++ b/fs/xfs/libxfs/xfs_bmap.h
@@ -228,10 +228,14 @@ int xfs_bmap_del_extent_delay(struct xfs_inode *ip, int whichfork,
@@ -310,10 +310,10 @@ index 7eb1cf199138..cee680f01d87 100644
int xfs_bmapi_reserve_delalloc(struct xfs_inode *ip, int whichfork,
xfs_fileoff_t off, xfs_filblks_t len, xfs_filblks_t prealloc,
diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
-index 29b999e86571..09e21f704444 100644
+index 3273f083c496..034f3429ca8c 100644
--- a/fs/xfs/xfs_bmap_util.c
+++ b/fs/xfs/xfs_bmap_util.c
-@@ -1303,7 +1303,6 @@ xfs_collapse_file_space(
+@@ -1322,7 +1322,6 @@ xfs_collapse_file_space(
xfs_off_t offset,
xfs_off_t len)
{
@@ -321,7 +321,7 @@ index 29b999e86571..09e21f704444 100644
struct xfs_mount *mp = ip->i_mount;
struct xfs_trans *tp;
int error;
-@@ -1313,6 +1312,7 @@ xfs_collapse_file_space(
+@@ -1332,6 +1331,7 @@ xfs_collapse_file_space(
xfs_fileoff_t next_fsb = XFS_B_TO_FSB(mp, offset + len);
xfs_fileoff_t shift_fsb = XFS_B_TO_FSB(mp, len);
uint resblks = XFS_DIOSTRAT_SPACE_RES(mp, 0);
@@ -329,7 +329,7 @@ index 29b999e86571..09e21f704444 100644
ASSERT(xfs_isilocked(ip, XFS_IOLOCK_EXCL));
trace_xfs_collapse_file_space(ip);
-@@ -1340,9 +1340,8 @@ xfs_collapse_file_space(
+@@ -1359,9 +1359,8 @@ xfs_collapse_file_space(
xfs_trans_ijoin(tp, ip, XFS_ILOCK_EXCL);
xfs_defer_init(&dfops, &first_block);
@@ -341,7 +341,7 @@ index 29b999e86571..09e21f704444 100644
if (error)
goto out_bmap_cancel;
-@@ -1387,7 +1386,7 @@ xfs_insert_file_space(
+@@ -1406,7 +1405,7 @@ xfs_insert_file_space(
xfs_fileoff_t stop_fsb = XFS_B_TO_FSB(mp, offset);
xfs_fileoff_t next_fsb = NULLFSBLOCK;
xfs_fileoff_t shift_fsb = XFS_B_TO_FSB(mp, len);
@@ -350,7 +350,7 @@ index 29b999e86571..09e21f704444 100644
ASSERT(xfs_isilocked(ip, XFS_IOLOCK_EXCL));
trace_xfs_insert_file_space(ip);
-@@ -1414,9 +1413,8 @@ xfs_insert_file_space(
+@@ -1433,9 +1432,8 @@ xfs_insert_file_space(
xfs_ilock(ip, XFS_ILOCK_EXCL);
xfs_trans_ijoin(tp, ip, XFS_ILOCK_EXCL);
xfs_defer_init(&dfops, &first_block);
@@ -363,5 +363,5 @@ index 29b999e86571..09e21f704444 100644
goto out_bmap_cancel;
--
-2.7.4
+2.16.4
diff --git a/patches.fixes/9p-locks-add-mount-option-for-lock-retry-interval.patch b/patches.fixes/9p-locks-add-mount-option-for-lock-retry-interval.patch
new file mode 100644
index 0000000000..b16e7d6bcb
--- /dev/null
+++ b/patches.fixes/9p-locks-add-mount-option-for-lock-retry-interval.patch
@@ -0,0 +1,123 @@
+From 5e172f75e51e3de1b4274146d9b990f803cb5c2a Mon Sep 17 00:00:00 2001
+From: Dinu-Razvan Chis-Serban <justcsdr@gmail.com>
+Date: Wed, 5 Sep 2018 16:44:12 +0900
+Subject: [PATCH] 9p locks: add mount option for lock retry interval
+Git-commit: 5e172f75e51e3de1b4274146d9b990f803cb5c2a
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+The default P9_LOCK_TIMEOUT can be too long for some users exporting
+a local file system to a guest VM (30s), make this configurable at
+mount time.
+
+Link: http://lkml.kernel.org/r/1536295827-3181-1-git-send-email-asmadeus@codewreck.org
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195727
+Signed-off-by: Dinu-Razvan Chis-Serban <justcsdr@gmail.com>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/9p/v9fs.c | 21 +++++++++++++++++++++
+ fs/9p/v9fs.h | 1 +
+ fs/9p/vfs_file.c | 6 +++++-
+ 3 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c
+index 89bac3d2f05b..619128b55837 100644
+--- a/fs/9p/v9fs.c
++++ b/fs/9p/v9fs.c
+@@ -61,6 +61,8 @@ enum {
+ Opt_cache_loose, Opt_fscache, Opt_mmap,
+ /* Access options */
+ Opt_access, Opt_posixacl,
++ /* Lock timeout option */
++ Opt_locktimeout,
+ /* Error token */
+ Opt_err
+ };
+@@ -80,6 +82,7 @@ static const match_table_t tokens = {
+ {Opt_cachetag, "cachetag=%s"},
+ {Opt_access, "access=%s"},
+ {Opt_posixacl, "posixacl"},
++ {Opt_locktimeout, "locktimeout=%u"},
+ {Opt_err, NULL}
+ };
+
+@@ -187,6 +190,7 @@ static int v9fs_parse_options(struct v9fs_session_info *v9ses, char *opts)
+ #ifdef CONFIG_9P_FSCACHE
+ v9ses->cachetag = NULL;
+ #endif
++ v9ses->session_lock_timeout = P9_LOCK_TIMEOUT;
+
+ if (!opts)
+ return 0;
+@@ -359,6 +363,23 @@ static int v9fs_parse_options(struct v9fs_session_info *v9ses, char *opts)
+ #endif
+ break;
+
++ case Opt_locktimeout:
++ r = match_int(&args[0], &option);
++ if (r < 0) {
++ p9_debug(P9_DEBUG_ERROR,
++ "integer field, but no integer?\n");
++ ret = r;
++ continue;
++ }
++ if (option < 1) {
++ p9_debug(P9_DEBUG_ERROR,
++ "locktimeout must be a greater than zero integer.\n");
++ ret = -EINVAL;
++ continue;
++ }
++ v9ses->session_lock_timeout = (long)option * HZ;
++ break;
++
+ default:
+ continue;
+ }
+diff --git a/fs/9p/v9fs.h b/fs/9p/v9fs.h
+index 982e017acadb..129e5243a6bf 100644
+--- a/fs/9p/v9fs.h
++++ b/fs/9p/v9fs.h
+@@ -116,6 +116,7 @@ struct v9fs_session_info {
+ struct p9_client *clnt; /* 9p client */
+ struct list_head slist; /* list of sessions registered with v9fs */
+ struct rw_semaphore rename_sem;
++ long session_lock_timeout; /* retry interval for blocking locks */
+ };
+
+ /* cache_validity flags */
+diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
+index 374bc1c72048..73857ebaedfb 100644
+--- a/fs/9p/vfs_file.c
++++ b/fs/9p/vfs_file.c
+@@ -154,6 +154,7 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl)
+ uint8_t status = P9_LOCK_ERROR;
+ int res = 0;
+ unsigned char fl_type;
++ struct v9fs_session_info *v9ses;
+
+ fid = filp->private_data;
+ BUG_ON(fid == NULL);
+@@ -189,6 +190,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl)
+ if (IS_SETLKW(cmd))
+ flock.flags = P9_LOCK_FLAGS_BLOCK;
+
++ v9ses = v9fs_inode2v9ses(file_inode(filp));
++
+ /*
+ * if its a blocked request and we get P9_LOCK_BLOCKED as the status
+ * for lock request, keep on trying
+@@ -202,7 +205,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl)
+ break;
+ if (status == P9_LOCK_BLOCKED && !IS_SETLKW(cmd))
+ break;
+- if (schedule_timeout_interruptible(P9_LOCK_TIMEOUT) != 0)
++ if (schedule_timeout_interruptible(v9ses->session_lock_timeout)
++ != 0)
+ break;
+ }
+
+--
+2.16.4
+
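Review bot: The `Opt_locktimeout` case in v9fs_parse_options() checks only `option < 1`, so `(long)option * HZ` has no upper bound and can overflow where `long` is 32 bits. A wrapped value would then be handed to schedule_timeout_interruptible() in v9fs_file_do_lock(), and the retry loop may stop sleeping between attempts. I would also reject large values, e.g. `if (option > LONG_MAX / HZ) { ret = -EINVAL; continue; }`. Separately, the new field stores jiffies rather than the seconds given at mount time, which the v9fs.h comment could state: `/* retry interval for blocking locks, in jiffies */`.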
diff --git a/patches.fixes/9p-locks-fix-glock.client_id-leak-in-do_lock.patch b/patches.fixes/9p-locks-fix-glock.client_id-leak-in-do_lock.patch
index cc0d63583c..f55828c93d 100644
--- a/patches.fixes/9p-locks-fix-glock.client_id-leak-in-do_lock.patch
+++ b/patches.fixes/9p-locks-fix-glock.client_id-leak-in-do_lock.patch
@@ -27,9 +27,9 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
-@@ -204,6 +204,14 @@ static int v9fs_file_do_lock(struct file
- break;
- if (schedule_timeout_interruptible(P9_LOCK_TIMEOUT) != 0)
+@@ -208,6 +208,14 @@ static int v9fs_file_do_lock(struct file
+ if (schedule_timeout_interruptible(v9ses->session_lock_timeout)
+ != 0)
break;
+ /*
+ * p9_client_lock_dotl overwrites flock.client_id with the
@@ -42,7 +42,7 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
}
/* map 9p status to VFS status */
-@@ -235,6 +243,8 @@ out_unlock:
+@@ -239,6 +247,8 @@ out_unlock:
locks_lock_file_wait(filp, fl);
fl->fl_type = fl_type;
}
@@ -51,7 +51,7 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
out:
return res;
}
-@@ -269,7 +279,7 @@ static int v9fs_file_getlock(struct file
+@@ -273,7 +283,7 @@ static int v9fs_file_getlock(struct file
res = p9_client_getlock_dotl(fid, &glock);
if (res < 0)
@@ -60,7 +60,7 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
/* map 9p lock type to os lock type */
switch (glock.type) {
case P9_LOCK_TYPE_RDLCK:
-@@ -290,7 +300,9 @@ static int v9fs_file_getlock(struct file
+@@ -294,7 +304,9 @@ static int v9fs_file_getlock(struct file
fl->fl_end = glock.start + glock.length - 1;
fl->fl_pid = glock.proc_id;
}
diff --git a/patches.fixes/ACPI-button-reinitialize-button-state-upon-resume.patch b/patches.fixes/ACPI-button-reinitialize-button-state-upon-resume.patch
new file mode 100644
index 0000000000..d9752fa0cd
--- /dev/null
+++ b/patches.fixes/ACPI-button-reinitialize-button-state-upon-resume.patch
@@ -0,0 +1,46 @@
+From 13e962140be671f31a011543f11477af67a6c33e Mon Sep 17 00:00:00 2001
+From: Zhang Rui <rui.zhang@intel.com>
+Date: Tue, 2 Apr 2019 21:38:32 +0800
+Subject: [PATCH] ACPI: button: reinitialize button state upon resume
+Git-commit: 13e962140be671f31a011543f11477af67a6c33e
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+With commit dfa46c50f65b ("ACPI / button: Fix an issue in
+button.lid_init_state=ignore mode"), the lid device is considered to be
+not compliant to SW_LID if the Lid state is unchanged when updating it.
+
+This is not wrong, but we overlooked the resume case, where Lid state is
+updated unconditionally in the button driver .resume() callback. And this
+results in warning message "ACPI: button: The lid device is not compliant
+to SW_LID." after resume, if the machine is suspended with Lid opened and
+then resumed with Lid opened.
+
+Fix this by flushing the cached lid state before updating the Lid device
+in .resume() callback.
+
+Fixes: dfa46c50f65b ("ACPI / button: Fix an issue in button.lid_init_state=ignore mode")
+Reported-and-tested-by: Zhao Lijian <lijian.zhao@intel.com>
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/button.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/button.c
++++ b/drivers/acpi/button.c
+@@ -442,8 +442,11 @@ static int acpi_button_resume(struct dev
+ struct acpi_button *button = acpi_driver_data(device);
+
+ button->suspended = false;
+- if (button->type == ACPI_BUTTON_TYPE_LID)
++ if (button->type == ACPI_BUTTON_TYPE_LID) {
++ button->last_state = !!acpi_lid_evaluate_state(device);
++ button->last_time = ktime_get();
+ acpi_lid_initialize_state(device);
++ }
+ return 0;
+ }
+ #endif
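Review bot: `button->last_state = !!acpi_lid_evaluate_state(device);` in acpi_button_resume() folds every non-zero return into 1, so if acpi_lid_evaluate_state() can return a negative error (its definition is outside the hunk), a failed evaluation is cached as "lid open". Keeping the raw value and updating the cache only on success would avoid that: `int state = acpi_lid_evaluate_state(device);` followed by `if (state >= 0) button->last_state = !!state;`. The `last_time` refresh and the acpi_lid_initialize_state() call can stay as they are.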
diff --git a/patches.fixes/ACPI-utils-Drop-reference-in-test-for-device-presenc.patch b/patches.fixes/ACPI-utils-Drop-reference-in-test-for-device-presenc.patch
new file mode 100644
index 0000000000..6e27ead003
--- /dev/null
+++ b/patches.fixes/ACPI-utils-Drop-reference-in-test-for-device-presenc.patch
@@ -0,0 +1,35 @@
+From 54e3aca84e571559915998aa6cc05e5ac37c043b Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Mon, 18 Mar 2019 21:47:09 +0300
+Subject: [PATCH] ACPI / utils: Drop reference in test for device presence
+Git-commit: 54e3aca84e571559915998aa6cc05e5ac37c043b
+Patch-mainline: v5.1-rc2
+References: bsc#1051510
+
+When commit 8661423eea1a ("ACPI / utils: Add new acpi_dev_present
+helper") introduced acpi_dev_present(), it missed the fact that
+bus_find_device() took a reference on the device found by it and
+the callers of acpi_dev_present() don't drop that reference.
+
+Drop the reference on the device in acpi_dev_present().
+
+Fixes: 8661423eea1a ("ACPI / utils: Add new acpi_dev_present helper")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/acpi/utils.c
++++ b/drivers/acpi/utils.c
+@@ -798,6 +798,7 @@ bool acpi_dev_present(const char *hid, c
+ dev = bus_find_device(&acpi_bus_type, NULL, &match,
+ acpi_dev_present_cb);
+
++ put_device(dev);
+ return !!dev;
+ }
+ EXPORT_SYMBOL(acpi_dev_present);
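Review bot: In acpi_dev_present(), `put_device(dev)` is called without a NULL check and `dev` is read again on the next line, which looks like a use-after-put to a reader who does not know the helper. It is fine only because put_device() accepts NULL and `!!dev` compares the pointer without dereferencing it. A one-line comment would make that explicit: `/* put_device() accepts NULL; dev is only tested, never dereferenced, below */`.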
diff --git a/patches.fixes/ACPICA-AML-interpreter-add-region-addresses-in-globa.patch b/patches.fixes/ACPICA-AML-interpreter-add-region-addresses-in-globa.patch
new file mode 100644
index 0000000000..87b2a9052c
--- /dev/null
+++ b/patches.fixes/ACPICA-AML-interpreter-add-region-addresses-in-globa.patch
@@ -0,0 +1,49 @@
+From 4abb951b73ff0a8a979113ef185651aa3c8da19b Mon Sep 17 00:00:00 2001
+From: Erik Schmauss <erik.schmauss@intel.com>
+Date: Wed, 17 Oct 2018 14:09:35 -0700
+Subject: [PATCH] ACPICA: AML interpreter: add region addresses in global list during initialization
+Git-commit: 4abb951b73ff0a8a979113ef185651aa3c8da19b
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+The table load process omitted adding the operation region address
+range to the global list. This omission is problematic because the OS
+queries the global list to check for address range conflicts before
+deciding which drivers to load. This commit may result in warning
+messages that look like the following:
+
+[ 7.871761] ACPI Warning: system_IO range 0x00000428-0x0000042F conflicts with op_region 0x00000400-0x0000047F (\PMIO) (20180531/utaddress-213)
+[ 7.871769] ACPI: If an ACPI driver is available for this device, you should use it instead of the native driver
+
+However, these messages do not signify regressions. It is a result of
+properly adding address ranges within the global address list.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=200011
+Tested-by: Jean-Marc Lenoir <archlinux@jihemel.com>
+Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/acpica/dsopcode.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/acpi/acpica/dsopcode.c b/drivers/acpi/acpica/dsopcode.c
+index e9fb0bf3c8d2..78f9de260d5f 100644
+--- a/drivers/acpi/acpica/dsopcode.c
++++ b/drivers/acpi/acpica/dsopcode.c
+@@ -417,6 +417,10 @@ acpi_ds_eval_region_operands(struct acpi_walk_state *walk_state,
+ ACPI_FORMAT_UINT64(obj_desc->region.address),
+ obj_desc->region.length));
+
++ status = acpi_ut_add_address_range(obj_desc->region.space_id,
++ obj_desc->region.address,
++ obj_desc->region.length, node);
++
+ /* Now the address and length are valid for this opregion */
+
+ obj_desc->region.flags |= AOPOBJ_DATA_VALID;
+--
+2.16.4
+
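Review bot: The result of acpi_ut_add_address_range() is stored in `status`, but nothing in the hunk checks it before `AOPOBJ_DATA_VALID` is set. A failed insertion would therefore leave the region marked valid while missing from the global address list that the commit message says the OS consults for conflicts. Consider `if (ACPI_FAILURE(status)) return_ACPI_STATUS(status);` right after the call, or a comment saying the failure is deliberately tolerated. Whether `status` is returned at the end of acpi_ds_eval_region_operands() is outside the hunk.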
diff --git a/patches.fixes/ACPICA-Namespace-remove-address-node-from-global-lis.patch b/patches.fixes/ACPICA-Namespace-remove-address-node-from-global-lis.patch
new file mode 100644
index 0000000000..a60359796c
--- /dev/null
+++ b/patches.fixes/ACPICA-Namespace-remove-address-node-from-global-lis.patch
@@ -0,0 +1,66 @@
+From c5781ffbbd4f742a58263458145fe7f0ac01d9e0 Mon Sep 17 00:00:00 2001
+From: Erik Schmauss <erik.schmauss@intel.com>
+Date: Mon, 8 Apr 2019 13:42:26 -0700
+Subject: [PATCH] ACPICA: Namespace: remove address node from global list after method termination
+Git-commit: c5781ffbbd4f742a58263458145fe7f0ac01d9e0
+Patch-mainline: v5.1-rc5
+References: bsc#1051510
+
+ACPICA commit b233720031a480abd438f2e9c643080929d144c3
+
+ASL operation_regions declare a range of addresses that it uses. In a
+perfect world, the range of addresses should be used exclusively by
+the AML interpreter. The OS can use this information to decide which
+drivers to load so that the AML interpreter and device drivers use
+different regions of memory.
+
+During table load, the address information is added to a global
+address range list. Each node in this list contains an address range
+as well as a namespace node of the operation_region. This list is
+deleted at ACPI shutdown.
+
+Unfortunately, ASL operation_regions can be declared inside of control
+methods. Although this is not recommended, modern firmware contains
+such code. New module level code changes unintentionally removed the
+functionality of adding and removing nodes to the global address
+range list.
+
+A few months ago, support for adding addresses has been re-
+implemented. However, the removal of the address range list was
+missed and resulted in some systems to crash due to the address list
+containing bogus namespace nodes from operation_regions declared in
+control methods. In order to fix the crash, this change removes
+dynamic operation_regions after control method termination.
+
+Link: https://github.com/acpica/acpica/commit/b2337200
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=202475
+Fixes: 4abb951b73ff ("ACPICA: AML interpreter: add region addresses in global list during initialization")
+Reported-by: Michael J Gruber <mjg@fedoraproject.org>
+Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Cc: 4.20+ <stable@vger.kernel.org> # 4.20+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/acpica/nsobject.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/acpi/acpica/nsobject.c b/drivers/acpi/acpica/nsobject.c
+index 8638f43cfc3d..79d86da1c892 100644
+--- a/drivers/acpi/acpica/nsobject.c
++++ b/drivers/acpi/acpica/nsobject.c
+@@ -186,6 +186,10 @@ void acpi_ns_detach_object(struct acpi_namespace_node *node)
+ }
+ }
+
++ if (obj_desc->common.type == ACPI_TYPE_REGION) {
++ acpi_ut_remove_address_range(obj_desc->region.space_id, node);
++ }
++
+ /* Clear the Node entry in all cases */
+
+ node->object = NULL;
+--
+2.16.4
+
diff --git a/patches.fixes/CIFS-keep-FileInfo-handle-live-during-oplock-break.patch b/patches.fixes/CIFS-keep-FileInfo-handle-live-during-oplock-break.patch
new file mode 100644
index 0000000000..39873058a0
--- /dev/null
+++ b/patches.fixes/CIFS-keep-FileInfo-handle-live-during-oplock-break.patch
@@ -0,0 +1,186 @@
+From: Aurelien Aptel <aaptel@suse.com>
+Date: Fri, 29 Mar 2019 10:49:12 +0100
+Subject: [PATCH] CIFS: keep FileInfo handle live during oplock break
+Git-commit: b98749cac4a695f084a5ff076f4510b23e353ecd
+References: bsc#1106284, bsc#1131565
+Patch-mainline: v5.1-rc6
+
+In the oplock break handler, writing pending changes from pages puts
+the FileInfo handle. If the refcount reaches zero it closes the handle
+and waits for any oplock break handler to return, thus causing a deadlock.
+
+To prevent this situation:
+
+* We add a wait flag to cifsFileInfo_put() to decide whether we should
+ wait for running/pending oplock break handlers
+
+* We keep an additionnal reference of the SMB FileInfo handle so that
+ for the rest of the handler putting the handle won't close it.
+ - The ref is bumped everytime we queue the handler via the
+ cifs_queue_oplock_break() helper.
+ - The ref is decremented at the end of the handler
+
+This bug was triggered by xfstest 464.
+
+Also important fix to address the various reports of
+oops in smb2_push_mandatory_locks
+
+Signed-off-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+---
+ fs/cifs/cifsglob.h | 2 ++
+ fs/cifs/file.c | 30 +++++++++++++++++++++++++-----
+ fs/cifs/misc.c | 25 +++++++++++++++++++++++--
+ fs/cifs/smb2misc.c | 6 +++---
+ 4 files changed, 53 insertions(+), 10 deletions(-)
+
+diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
+index 5b18d4585740..585ad3207cb1 100644
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -1333,6 +1333,7 @@ cifsFileInfo_get_locked(struct cifsFileInfo *cifs_file)
+ }
+
+ struct cifsFileInfo *cifsFileInfo_get(struct cifsFileInfo *cifs_file);
++void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_hdlr);
+ void cifsFileInfo_put(struct cifsFileInfo *cifs_file);
+
+ #define CIFS_CACHE_READ_FLG 1
+@@ -1855,6 +1856,7 @@ GLOBAL_EXTERN spinlock_t gidsidlock;
+ #endif /* CONFIG_CIFS_ACL */
+
+ void cifs_oplock_break(struct work_struct *work);
++void cifs_queue_oplock_break(struct cifsFileInfo *cfile);
+
+ extern const struct slow_work_ops cifs_oplock_break_ops;
+ extern struct workqueue_struct *cifsiod_wq;
+diff --git a/fs/cifs/file.c b/fs/cifs/file.c
+index 89006e044973..9c0ccc06d172 100644
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -360,12 +360,30 @@ cifsFileInfo_get(struct cifsFileInfo *cifs_file)
+ return cifs_file;
+ }
+
+-/*
+- * Release a reference on the file private data. This may involve closing
+- * the filehandle out on the server. Must be called without holding
+- * tcon->open_file_lock and cifs_file->file_info_lock.
++/**
++ * cifsFileInfo_put - release a reference of file priv data
++ *
++ * Always potentially wait for oplock handler. See _cifsFileInfo_put().
+ */
+ void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
++{
++ _cifsFileInfo_put(cifs_file, true);
++}
++
++/**
++ * _cifsFileInfo_put - release a reference of file priv data
++ *
++ * This may involve closing the filehandle @cifs_file out on the
++ * server. Must be called without holding tcon->open_file_lock and
++ * cifs_file->file_info_lock.
++ *
++ * If @wait_for_oplock_handler is true and we are releasing the last
++ * reference, wait for any running oplock break handler of the file
++ * and cancel any pending one. If calling this function from the
++ * oplock break handler, you need to pass false.
++ *
++ */
++void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_handler)
+ {
+ struct inode *inode = d_inode(cifs_file->dentry);
+ struct cifs_tcon *tcon = tlink_tcon(cifs_file->tlink);
+@@ -414,7 +432,8 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
+
+ spin_unlock(&tcon->open_file_lock);
+
+- oplock_break_cancelled = cancel_work_sync(&cifs_file->oplock_break);
++ oplock_break_cancelled = wait_oplock_handler ?
++ cancel_work_sync(&cifs_file->oplock_break) : false;
+
+ if (!tcon->need_reconnect && !cifs_file->invalidHandle) {
+ struct TCP_Server_Info *server = tcon->ses->server;
+@@ -4603,6 +4622,7 @@ void cifs_oplock_break(struct work_struct *work)
+ cinode);
+ cifs_dbg(FYI, "Oplock release rc = %d\n", rc);
+ }
++ _cifsFileInfo_put(cfile, false /* do not wait for ourself */);
+ cifs_done_oplock_break(cinode);
+ }
+
+diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
+index bee203055b30..1e1626a2cfc3 100644
+--- a/fs/cifs/misc.c
++++ b/fs/cifs/misc.c
+@@ -501,8 +501,7 @@ is_valid_oplock_break(char *buffer, struct TCP_Server_Info *srv)
+ CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
+ &pCifsInode->flags);
+
+- queue_work(cifsoplockd_wq,
+- &netfile->oplock_break);
++ cifs_queue_oplock_break(netfile);
+ netfile->oplock_break_cancelled = false;
+
+ spin_unlock(&tcon->open_file_lock);
+@@ -607,6 +606,28 @@ void cifs_put_writer(struct cifsInodeInfo *cinode)
+ spin_unlock(&cinode->writers_lock);
+ }
+
++/**
++ * cifs_queue_oplock_break - queue the oplock break handler for cfile
++ *
++ * This function is called from the demultiplex thread when it
++ * receives an oplock break for @cfile.
++ *
++ * Assumes the tcon->open_file_lock is held.
++ * Assumes cfile->file_info_lock is NOT held.
++ */
++void cifs_queue_oplock_break(struct cifsFileInfo *cfile)
++{
++ /*
++ * Bump the handle refcount now while we hold the
++ * open_file_lock to enforce the validity of it for the oplock
++ * break handler. The matching put is done at the end of the
++ * handler.
++ */
++ cifsFileInfo_get(cfile);
++
++ queue_work(cifsoplockd_wq, &cfile->oplock_break);
++}
++
+ void cifs_done_oplock_break(struct cifsInodeInfo *cinode)
+ {
+ clear_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags);
+diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
+index 0e3570e40ff8..e311f58dc1c8 100644
+--- a/fs/cifs/smb2misc.c
++++ b/fs/cifs/smb2misc.c
+@@ -555,7 +555,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp,
+ clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
+ &cinode->flags);
+
+- queue_work(cifsoplockd_wq, &cfile->oplock_break);
++ cifs_queue_oplock_break(cfile);
+ kfree(lw);
+ return true;
+ }
+@@ -712,8 +712,8 @@ smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server)
+ CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
+ &cinode->flags);
+ spin_unlock(&cfile->file_info_lock);
+- queue_work(cifsoplockd_wq,
+- &cfile->oplock_break);
++
++ cifs_queue_oplock_break(cfile);
+
+ spin_unlock(&tcon->open_file_lock);
+ spin_unlock(&cifs_tcp_ses_lock);
+--
+2.16.4
+
+
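Review bot: The kernel-doc for _cifsFileInfo_put() in fs/cifs/file.c documents `@wait_for_oplock_handler`, but the definition names the parameter `wait_oplock_handler` and the prototype in cifsglob.h uses `wait_oplock_hdlr`. The three should agree, and both kernel-doc blocks lack a `@cifs_file:` line. I would use `wait_oplock_handler` in the header and change the doc text to `* @wait_oplock_handler: wait for a running oplock break handler and cancel a pending one when the last reference is dropped; must be false when called from the handler itself`. The same applies to the cifs_queue_oplock_break() comment in misc.c, which has no `@cfile:` entry.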
diff --git a/patches.fixes/MD-fix-invalid-stored-role-for-a-disk.patch b/patches.fixes/MD-fix-invalid-stored-role-for-a-disk.patch
new file mode 100644
index 0000000000..bf361ee1c2
--- /dev/null
+++ b/patches.fixes/MD-fix-invalid-stored-role-for-a-disk.patch
@@ -0,0 +1,47 @@
+From d595567dc4f0c1d90685ec1e2e296e2cad2643ac Mon Sep 17 00:00:00 2001
+From: Shaohua Li <shli@fb.com>
+Date: Mon, 1 Oct 2018 18:36:36 -0700
+Subject: [PATCH] MD: fix invalid stored role for a disk
+Git-commit: d595567dc4f0c1d90685ec1e2e296e2cad2643ac
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+If we change the number of array's device after device is removed from array,
+then add the device back to array, we can see that device is added as active
+role instead of spare which we expected.
+
+Please see the below link for details:
+https://marc.info/?l=linux-raid&m=153736982015076&w=2
+
+This is caused by that we prefer to use device's previous role which is
+recorded by saved_raid_disk, but we should respect the new number of
+conf->raid_disks since it could be changed after device is removed.
+
+Reported-by: Gioh Kim <gi-oh.kim@profitbricks.com>
+Tested-by: Gioh Kim <gi-oh.kim@profitbricks.com>
+Acked-by: Guoqing Jiang <gqjiang@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/md/md.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 63ceabb4e020..a25ebf81b266 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -1774,6 +1774,10 @@ static int super_1_validate(struct mddev *mddev, struct md_rdev *rdev)
+ } else
+ set_bit(In_sync, &rdev->flags);
+ rdev->raid_disk = role;
++ if (role >= mddev->raid_disks) {
++ rdev->saved_raid_disk = -1;
++ rdev->raid_disk = -1;
++ }
+ break;
+ }
+ if (sb->devflags & WriteMostly1)
+--
+2.16.4
+
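Review bot: The new `if (role >= mddev->raid_disks)` block in the drivers/md/md.c hunk has no comment explaining why the stored role is discarded. I would add `/* a role saved before the array was resized may exceed raid_disks; re-add the device as a spare */` above it, which matches the patch description. The `set_bit(In_sync, &rdev->flags)` on the context line above is not undone when the role is reset to -1, so it is worth confirming that a device demoted this way is meant to keep In_sync. super_1_validate starts and ends outside the hunk.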
diff --git a/patches.fixes/appletalk-Fix-compile-regression.patch b/patches.fixes/appletalk-Fix-compile-regression.patch
new file mode 100644
index 0000000000..bb0bdee640
--- /dev/null
+++ b/patches.fixes/appletalk-Fix-compile-regression.patch
@@ -0,0 +1,71 @@
+From 27da0d2ef998e222a876c0cec72aa7829a626266 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 6 Mar 2019 11:52:36 +0100
+Subject: [PATCH] appletalk: Fix compile regression
+Git-commit: 27da0d2ef998e222a876c0cec72aa7829a626266
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+A bugfix just broke compilation of appletalk when CONFIG_SYSCTL
+is disabled:
+
+In file included from net/appletalk/ddp.c:65:
+Net/appletalk/ddp.c: In function 'atalk_init':
+include/linux/atalk.h:164:34: error: expected expression before 'do'
+ #define atalk_register_sysctl() do { } while(0)
+ ^~
+net/appletalk/ddp.c:1934:7: note: in expansion of macro 'atalk_register_sysctl'
+ rc = atalk_register_sysctl();
+
+This is easier to avoid by using conventional inline functions
+as stubs rather than macros. The header already has inline
+functions for other purposes, so I'm changing over all the
+macros for consistency.
+
+Fixes: 6377f787aeb9 ("appletalk: Fix use-after-free in atalk_proc_exit")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ include/linux/atalk.h | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/atalk.h b/include/linux/atalk.h
+index 5a90f28d5ff2..d5cfc0b15b76 100644
+--- a/include/linux/atalk.h
++++ b/include/linux/atalk.h
+@@ -161,16 +161,26 @@ extern int sysctl_aarp_resolve_time;
+ extern int atalk_register_sysctl(void);
+ extern void atalk_unregister_sysctl(void);
+ #else
+-#define atalk_register_sysctl() do { } while(0)
+-#define atalk_unregister_sysctl() do { } while(0)
++static inline int atalk_register_sysctl(void)
++{
++ return 0;
++}
++static inline void atalk_unregister_sysctl(void)
++{
++}
+ #endif
+
+ #ifdef CONFIG_PROC_FS
+ extern int atalk_proc_init(void);
+ extern void atalk_proc_exit(void);
+ #else
+-#define atalk_proc_init() ({ 0; })
+-#define atalk_proc_exit() do { } while(0)
++static inline int atalk_proc_init(void)
++{
++ return 0;
++}
++static inline void atalk_proc_exit(void)
++{
++}
+ #endif /* CONFIG_PROC_FS */
+
+ #endif /* __LINUX_ATALK_H__ */
+--
+2.16.4
+
diff --git a/patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch b/patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch
new file mode 100644
index 0000000000..8bb642942b
--- /dev/null
+++ b/patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch
@@ -0,0 +1,204 @@
+From 6377f787aeb945cae7abbb6474798de129e1f3ac Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Fri, 1 Mar 2019 10:57:57 +0800
+Subject: [PATCH] appletalk: Fix use-after-free in atalk_proc_exit
+Git-commit: 6377f787aeb945cae7abbb6474798de129e1f3ac
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+KASAN report this:
+
+Bug: KASAN: use-after-free in pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71
+Read of size 8 at addr ffff8881f41fe5b0 by task syz-executor.0/2806
+
+Cpu: 0 PID: 2806 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71
+ remove_proc_entry+0xe8/0x420 fs/proc/generic.c:667
+ atalk_proc_exit+0x18/0x820 [appletalk]
+ atalk_exit+0xf/0x5a [appletalk]
+ __do_sys_delete_module kernel/module.c:1018 [inline]
+ __se_sys_delete_module kernel/module.c:961 [inline]
+ __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+Rip: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+Rsp: 002b:00007fb2de6b9c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
+Rax: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+Rdx: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200001c0
+Rbp: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb2de6ba6bc
+R13: 00000000004bccaa R14: 00000000006f6bc8 R15: 00000000ffffffff
+
+Allocated by task 2806:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
+ slab_post_alloc_hook mm/slab.h:444 [inline]
+ slab_alloc_node mm/slub.c:2739 [inline]
+ slab_alloc mm/slub.c:2747 [inline]
+ kmem_cache_alloc+0xcf/0x250 mm/slub.c:2752
+ kmem_cache_zalloc include/linux/slab.h:730 [inline]
+ __proc_create+0x30f/0xa20 fs/proc/generic.c:408
+ proc_mkdir_data+0x47/0x190 fs/proc/generic.c:469
+ 0xffffffffc10c01bb
+ 0xffffffffc10c0166
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 2806:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
+ slab_free_hook mm/slub.c:1409 [inline]
+ slab_free_freelist_hook mm/slub.c:1436 [inline]
+ slab_free mm/slub.c:2986 [inline]
+ kmem_cache_free+0xa6/0x2a0 mm/slub.c:3002
+ pde_put+0x6e/0x80 fs/proc/generic.c:647
+ remove_proc_entry+0x1d3/0x420 fs/proc/generic.c:684
+ 0xffffffffc10c031c
+ 0xffffffffc10c0166
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8881f41fe500
+ which belongs to the cache proc_dir_entry of size 256
+The buggy address is located 176 bytes inside of
+ 256-byte region [ffff8881f41fe500, ffff8881f41fe600)
+The buggy address belongs to the page:
+page:ffffea0007d07f80 count:1 mapcount:0 mapping:ffff8881f6e69a00 index:0x0
+Flags: 0x2fffc0000000200(slab)
+Raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6e69a00
+Raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881f41fe480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff8881f41fe500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff8881f41fe580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881f41fe600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8881f41fe680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+It should check the return value of atalk_proc_init fails,
+otherwise atalk_exit will trgger use-after-free in pde_subdir_find
+while unload the module.This patch fix error cleanup path of atalk_init
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ include/linux/atalk.h | 2 +-
+ net/appletalk/atalk_proc.c | 2 +-
+ net/appletalk/ddp.c | 37 +++++++++++++++++++++++++++++++------
+ net/appletalk/sysctl_net_atalk.c | 5 ++++-
+ 4 files changed, 37 insertions(+), 9 deletions(-)
+
+--- a/include/linux/atalk.h
++++ b/include/linux/atalk.h
+@@ -150,7 +150,7 @@ extern int sysctl_aarp_retransmit_limit;
+ extern int sysctl_aarp_resolve_time;
+
+ #ifdef CONFIG_SYSCTL
+-extern void atalk_register_sysctl(void);
++extern int atalk_register_sysctl(void);
+ extern void atalk_unregister_sysctl(void);
+ #else
+ #define atalk_register_sysctl() do { } while(0)
+--- a/net/appletalk/atalk_proc.c
++++ b/net/appletalk/atalk_proc.c
+@@ -293,7 +293,7 @@ out_interface:
+ goto out;
+ }
+
+-void __exit atalk_proc_exit(void)
++void atalk_proc_exit(void)
+ {
+ remove_proc_entry("interface", atalk_proc_dir);
+ remove_proc_entry("route", atalk_proc_dir);
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1912,12 +1912,16 @@ static const char atalk_err_snap[] __ini
+ /* Called by proto.c on kernel start up */
+ static int __init atalk_init(void)
+ {
+- int rc = proto_register(&ddp_proto, 0);
++ int rc;
+
+- if (rc != 0)
++ rc = proto_register(&ddp_proto, 0);
++ if (rc)
+ goto out;
+
+- (void)sock_register(&atalk_family_ops);
++ rc = sock_register(&atalk_family_ops);
++ if (rc)
++ goto out_proto;
++
+ ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
+ if (!ddp_dl)
+ printk(atalk_err_snap);
+@@ -1925,12 +1929,33 @@ static int __init atalk_init(void)
+ dev_add_pack(&ltalk_packet_type);
+ dev_add_pack(&ppptalk_packet_type);
+
+- register_netdevice_notifier(&ddp_notifier);
++ rc = register_netdevice_notifier(&ddp_notifier);
++ if (rc)
++ goto out_sock;
++
+ aarp_proto_init();
+- atalk_proc_init();
+- atalk_register_sysctl();
++ rc = atalk_proc_init();
++ if (rc)
++ goto out_aarp;
++
++ rc = atalk_register_sysctl();
++ if (rc)
++ goto out_proc;
+ out:
+ return rc;
++out_proc:
++ atalk_proc_exit();
++out_aarp:
++ aarp_cleanup_module();
++ unregister_netdevice_notifier(&ddp_notifier);
++out_sock:
++ dev_remove_pack(&ppptalk_packet_type);
++ dev_remove_pack(&ltalk_packet_type);
++ unregister_snap_client(ddp_dl);
++ sock_unregister(PF_APPLETALK);
++out_proto:
++ proto_unregister(&ddp_proto);
++ goto out;
+ }
+ module_init(atalk_init);
+
+--- a/net/appletalk/sysctl_net_atalk.c
++++ b/net/appletalk/sysctl_net_atalk.c
+@@ -44,9 +44,12 @@ static struct ctl_table atalk_table[] =
+
+ static struct ctl_table_header *atalk_table_header;
+
+-void atalk_register_sysctl(void)
++int __init atalk_register_sysctl(void)
+ {
+ atalk_table_header = register_net_sysctl(&init_net, "net/appletalk", atalk_table);
++ if (!atalk_table_header)
++ return -ENOMEM;
++ return 0;
+ }
+
+ void atalk_unregister_sysctl(void)
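Review bot: The new `out_sock:` unwind in atalk_init() calls `unregister_snap_client(ddp_dl)` unconditionally, but the context lines above show that a failed `register_snap_client()` only prints a message and leaves `ddp_dl` NULL. If unregister_snap_client() does not accept NULL (its body is not in this patch), a later failure in the init path would dereference a null pointer during cleanup. Guarding the call, `if (ddp_dl) unregister_snap_client(ddp_dl);`, or failing init when the registration returns NULL, would close that path. atalk_init is split across two hunks here.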
diff --git a/patches.fixes/arm64-Export-save_stack_trace_tsk.patch b/patches.fixes/arm64-Export-save_stack_trace_tsk.patch
new file mode 100644
index 0000000000..ee7d0279e0
--- /dev/null
+++ b/patches.fixes/arm64-Export-save_stack_trace_tsk.patch
@@ -0,0 +1,35 @@
+From: Dustin Brown <dustinb@codeaurora.org>
+Date: Tue, 13 Jun 2017 11:40:56 -0700
+Subject: [PATCH] arm64: Export save_stack_trace_tsk()
+Git-commit: e27c7fa015d61c8be6a2c32b2144aad2ae6ec975
+Patch-mainline: v4.13
+References: jsc#SLE-4214
+
+The kernel watchdog is a great debugging tool for finding tasks that
+consume a disproportionate amount of CPU time in contiguous chunks. One
+can imagine building a similar watchdog for arbitrary driver threads
+using save_stack_trace_tsk() and print_stack_trace(). However, this is
+not viable for dynamically loaded driver modules on ARM platforms
+because save_stack_trace_tsk() is not exported for those architectures.
+Export save_stack_trace_tsk() for the ARM64 architecture to align with
+x86 and support various debugging use cases such as arbitrary driver
+thread watchdog timers.
+
+Signed-off-by: Dustin Brown <dustinb@codeaurora.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ arch/arm64/kernel/stacktrace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/kernel/stacktrace.c
++++ b/arch/arm64/kernel/stacktrace.c
+@@ -175,6 +175,7 @@ void save_stack_trace_tsk(struct task_st
+
+ put_task_stack(tsk);
+ }
++EXPORT_SYMBOL_GPL(save_stack_trace_tsk);
+
+ void save_stack_trace(struct stack_trace *trace)
+ {
diff --git a/patches.fixes/block-do-not-leak-memory-in-bio_copy_user_iov.patch b/patches.fixes/block-do-not-leak-memory-in-bio_copy_user_iov.patch
new file mode 100644
index 0000000000..c54c2fda61
--- /dev/null
+++ b/patches.fixes/block-do-not-leak-memory-in-bio_copy_user_iov.patch
@@ -0,0 +1,46 @@
+From a3761c3c91209b58b6f33bf69dd8bb8ec0c9d925 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Glisse?= <jglisse@redhat.com>
+Date: Wed, 10 Apr 2019 16:27:51 -0400
+Subject: [PATCH] block: do not leak memory in bio_copy_user_iov()
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: a3761c3c91209b58b6f33bf69dd8bb8ec0c9d925
+Patch-mainline: v5.1-rc5
+References: bsc#1135309
+
+When bio_add_pc_page() fails in bio_copy_user_iov() we should free
+the page we just allocated otherwise we are leaking it.
+
+Cc: linux-block@vger.kernel.org
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: stable@vger.kernel.org
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Jérôme Glisse <jglisse@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ block/bio.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/block/bio.c b/block/bio.c
+index b64cedc7f87c..716510ecd7ff 100644
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -1298,8 +1298,11 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
+ }
+ }
+
+- if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes)
++ if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes) {
++ if (!map_data)
++ __free_page(page);
+ break;
++ }
+
+ len -= bytes;
+ offset = 0;
+--
+2.16.4
+
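Review bot: The added `if (!map_data) __free_page(page);` in bio_copy_user_iov() has no comment saying why the page is released only in that case. The allocation is outside the hunk; presumably the page comes from the caller's map_data when that is set and must not be freed here. A one-line comment such as `/* pages taken from map_data belong to the caller */` would record the ownership rule. The function starts and ends outside the hunk.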
diff --git a/patches.fixes/block-fix-the-return-errno-for-direct-IO.patch b/patches.fixes/block-fix-the-return-errno-for-direct-IO.patch
new file mode 100644
index 0000000000..4b4b6f3a05
--- /dev/null
+++ b/patches.fixes/block-fix-the-return-errno-for-direct-IO.patch
@@ -0,0 +1,59 @@
+From a89afe58f1a74aac768a5eb77af95ef4ee15beaa Mon Sep 17 00:00:00 2001
+From: Jason Yan <yanaijie@huawei.com>
+Date: Fri, 12 Apr 2019 10:09:16 +0800
+Subject: [PATCH] block: fix the return errno for direct IO
+Git-commit: a89afe58f1a74aac768a5eb77af95ef4ee15beaa
+Patch-mainline: v5.1-rc5
+References: bsc#1135320
+
+If the last bio returned is not dio->bio, the status of the bio will
+not assigned to dio->bio if it is error. This will cause the whole IO
+status wrong.
+
+ ksoftirqd/21-117 [021] ..s. 4017.966090: 8,0 C N 4883648 [0]
+ <idle>-0 [018] ..s. 4017.970888: 8,0 C WS 4924800 + 1024 [0]
+ <idle>-0 [018] ..s. 4017.970909: 8,0 D WS 4935424 + 1024 [<idle>]
+ <idle>-0 [018] ..s. 4017.970924: 8,0 D WS 4936448 + 321 [<idle>]
+ ksoftirqd/21-117 [021] ..s. 4017.995033: 8,0 C R 4883648 + 336 [65475]
+ ksoftirqd/21-117 [021] d.s. 4018.001988: myprobe1: (blkdev_bio_end_io+0x0/0x168) bi_status=7
+ ksoftirqd/21-117 [021] d.s. 4018.001992: myprobe: (aio_complete_rw+0x0/0x148) x0=0xffff802f2595ad80 res=0x12a000 res2=0x0
+
+We always have to assign bio->bi_status to dio->bio.bi_status because we
+will only check dio->bio.bi_status when we return the whole IO to
+the upper layer.
+
+Fixes: 542ff7bf18c6 ("block: new direct I/O implementation")
+Cc: stable@vger.kernel.org
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Jens Axboe <axboe@kernel.dk>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/block_dev.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/block_dev.c b/fs/block_dev.c
+index 78d3257435c0..24615c76c1d0 100644
+--- a/fs/block_dev.c
++++ b/fs/block_dev.c
+@@ -307,10 +307,10 @@ static void blkdev_bio_end_io(struct bio *bio)
+ struct blkdev_dio *dio = bio->bi_private;
+ bool should_dirty = dio->should_dirty;
+
+- if (dio->multi_bio && !atomic_dec_and_test(&dio->ref)) {
+- if (bio->bi_status && !dio->bio.bi_status)
+- dio->bio.bi_status = bio->bi_status;
+- } else {
++ if (bio->bi_status && !dio->bio.bi_status)
++ dio->bio.bi_status = bio->bi_status;
++
++ if (!dio->multi_bio || atomic_dec_and_test(&dio->ref)) {
+ if (!dio->is_sync) {
+ struct kiocb *iocb = dio->iocb;
+ ssize_t ret;
+--
+2.16.4
+
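Review bot: In blkdev_bio_end_io() the status copy now has to stay ahead of `atomic_dec_and_test(&dio->ref)`, and nothing in the code says so. A comment such as `/* record the error before dropping our reference so the final completion sees it */` above the moved `if (bio->bi_status && !dio->bio.bi_status)` would keep a later cleanup from reordering the two. The check-then-set on `dio->bio.bi_status` can presumably run from several completions at once; that looks harmless because any non-zero status is acceptable, but it is worth stating in the same comment. The function continues past the end of the hunk.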
diff --git a/patches.fixes/block-fix-use-after-free-on-gendisk.patch b/patches.fixes/block-fix-use-after-free-on-gendisk.patch
new file mode 100644
index 0000000000..a2a239138c
--- /dev/null
+++ b/patches.fixes/block-fix-use-after-free-on-gendisk.patch
@@ -0,0 +1,135 @@
+From 2c88e3c7ec32d7a40cc7c9b4a487cf90e4671bdd Mon Sep 17 00:00:00 2001
+From: Yufen Yu <yuyufen@huawei.com>
+Date: Tue, 2 Apr 2019 20:06:34 +0800
+Subject: [PATCH] block: fix use-after-free on gendisk
+Git-commit: 2c88e3c7ec32d7a40cc7c9b4a487cf90e4671bdd
+Patch-mainline: v5.2-rc1
+References: bsc#1135312
+
+commit 2da78092dda "block: Fix dev_t minor allocation lifetime"
+specifically moved blk_free_devt(dev->devt) call to part_release()
+to avoid reallocating device number before the device is fully
+shutdown.
+
+However, it can cause use-after-free on gendisk in get_gendisk().
+We use md device as example to show the race scenes:
+
+Process1 Worker Process2
+md_free
+ blkdev_open
+del_gendisk
+ add delete_partition_work_fn() to wq
+ __blkdev_get
+ get_gendisk
+put_disk
+ disk_release
+ kfree(disk)
+ find part from ext_devt_idr
+ get_disk_and_module(disk)
+ cause use after free
+
+ delete_partition_work_fn
+ put_device(part)
+ part_release
+ remove part from ext_devt_idr
+
+Before <devt, hd_struct pointer> is removed from ext_devt_idr by
+delete_partition_work_fn(), we can find the devt and then access
+gendisk by hd_struct pointer. But, if we access the gendisk after
+it have been freed, it can cause in use-after-freeon gendisk in
+get_gendisk().
+
+We fix this by adding a new helper blk_invalidate_devt() in
+delete_partition() and del_gendisk(). It replaces hd_struct
+pointer in idr with value 'NULL', and deletes the entry from
+idr in part_release() as we do now.
+
+Thanks to Jan Kara for providing the solution and more clear comments
+for the code.
+
+Fixes: 2da78092dda1 ("block: Fix dev_t minor allocation lifetime")
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ block/genhd.c | 19 +++++++++++++++++++
+ block/partition-generic.c | 7 +++++++
+ include/linux/genhd.h | 1 +
+ 3 files changed, 27 insertions(+)
+
+diff --git a/block/genhd.c b/block/genhd.c
+index 1d0d25f7b0fe..83f5c33d1e80 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -531,6 +531,18 @@ void blk_free_devt(dev_t devt)
+ }
+ }
+
++/**
++ * We invalidate devt by assigning NULL pointer for devt in idr.
++ */
++void blk_invalidate_devt(dev_t devt)
++{
++ if (MAJOR(devt) == BLOCK_EXT_MAJOR) {
++ spin_lock_bh(&ext_devt_lock);
++ idr_replace(&ext_devt_idr, NULL, blk_mangle_minor(MINOR(devt)));
++ spin_unlock_bh(&ext_devt_lock);
++ }
++}
++
+ static char *bdevt_str(dev_t devt, char *buf)
+ {
+ if (MAJOR(devt) <= 0xff && MINOR(devt) <= 0xff) {
+@@ -793,6 +805,13 @@ void del_gendisk(struct gendisk *disk)
+
+ if (!(disk->flags & GENHD_FL_HIDDEN))
+ blk_unregister_region(disk_devt(disk), disk->minors);
++ /*
++ * Remove gendisk pointer from idr so that it cannot be looked up
++ * while RCU period before freeing gendisk is running to prevent
++ * use-after-free issues. Note that the device number stays
++ * "in-use" until we really free the gendisk.
++ */
++ blk_invalidate_devt(disk_devt(disk));
+
+ kobject_put(disk->part0.holder_dir);
+ kobject_put(disk->slave_dir);
+diff --git a/block/partition-generic.c b/block/partition-generic.c
+index 8e596a8dff32..aee643ce13d1 100644
+--- a/block/partition-generic.c
++++ b/block/partition-generic.c
+@@ -285,6 +285,13 @@ void delete_partition(struct gendisk *disk, int partno)
+ kobject_put(part->holder_dir);
+ device_del(part_to_dev(part));
+
++ /*
++ * Remove gendisk pointer from idr so that it cannot be looked up
++ * while RCU period before freeing gendisk is running to prevent
++ * use-after-free issues. Note that the device number stays
++ * "in-use" until we really free the gendisk.
++ */
++ blk_invalidate_devt(part_devt(part));
+ hd_struct_kill(part);
+ }
+
+diff --git a/include/linux/genhd.h b/include/linux/genhd.h
+index 6547c9256d5c..8b5330dd5ac0 100644
+--- a/include/linux/genhd.h
++++ b/include/linux/genhd.h
+@@ -617,6 +617,7 @@ struct unixware_disklabel {
+
+ extern int blk_alloc_devt(struct hd_struct *part, dev_t *devt);
+ extern void blk_free_devt(dev_t devt);
++extern void blk_invalidate_devt(dev_t devt);
+ extern dev_t blk_lookup_devt(const char *name, int partno);
+ extern char *disk_name (struct gendisk *hd, int partno, char *buf);
+
+--
+2.16.4
+
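Review bot: blk_invalidate_devt() leaves a NULL entry in ext_devt_idr, so every lookup on that idr has to treat NULL as not found. The lookup in get_gendisk() that the description refers to is not part of this patch, so it should be checked in the tree this backport is applied to. The comment above the new helper opens with `/**` but is not in kernel-doc form; either open it with `/*` or start it with `blk_invalidate_devt - invalidate devt by storing NULL in ext_devt_idr`. The comment added in delete_partition() says "gendisk pointer", while the description says the idr holds the hd_struct pointer.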
diff --git a/patches.fixes/configfs-fix-possible-use-after-free-in-configfs_reg.patch b/patches.fixes/configfs-fix-possible-use-after-free-in-configfs_reg.patch
new file mode 100644
index 0000000000..d1317a9a1e
--- /dev/null
+++ b/patches.fixes/configfs-fix-possible-use-after-free-in-configfs_reg.patch
@@ -0,0 +1,134 @@
+From 35399f87e271f7cf3048eab00a421a6519ac8441 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Sun, 5 May 2019 11:03:12 +0800
+Subject: [PATCH] configfs: fix possible use-after-free in configfs_register_group
+Git-commit: 35399f87e271f7cf3048eab00a421a6519ac8441
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+In configfs_register_group(), if create_default_group() failed, we
+forget to unlink the group. It will left a invalid item in the parent list,
+which may trigger the use-after-free issue seen below:
+
+Bug: KASAN: use-after-free in __list_add_valid+0xd4/0xe0 lib/list_debug.c:26
+Read of size 8 at addr ffff8881ef61ae20 by task syz-executor.0/5996
+
+Cpu: 1 PID: 5996 Comm: syz-executor.0 Tainted: G C 5.0.0+ #5
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xa9/0x10e lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ __list_add_valid+0xd4/0xe0 lib/list_debug.c:26
+ __list_add include/linux/list.h:60 [inline]
+ list_add_tail include/linux/list.h:93 [inline]
+ link_obj+0xb0/0x190 fs/configfs/dir.c:759
+ link_group+0x1c/0x130 fs/configfs/dir.c:784
+ configfs_register_group+0x56/0x1e0 fs/configfs/dir.c:1751
+ configfs_register_default_group+0x72/0xc0 fs/configfs/dir.c:1834
+ ? 0xffffffffc1be0000
+ iio_sw_trigger_init+0x23/0x1000 [industrialio_sw_trigger]
+ do_one_initcall+0xbc/0x47d init/main.c:887
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+Rip: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+Rsp: 002b:00007f494ecbcc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+Rax: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+Rdx: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
+Rbp: 00007f494ecbcc70 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f494ecbd6bc
+R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
+
+Allocated by task 5987:
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:497
+ kmalloc include/linux/slab.h:545 [inline]
+ kzalloc include/linux/slab.h:740 [inline]
+ configfs_register_default_group+0x4c/0xc0 fs/configfs/dir.c:1829
+ 0xffffffffc1bd0023
+ do_one_initcall+0xbc/0x47d init/main.c:887
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 5987:
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
+ slab_free_hook mm/slub.c:1429 [inline]
+ slab_free_freelist_hook mm/slub.c:1456 [inline]
+ slab_free mm/slub.c:3003 [inline]
+ kfree+0xe1/0x270 mm/slub.c:3955
+ configfs_register_default_group+0x9a/0xc0 fs/configfs/dir.c:1836
+ 0xffffffffc1bd0023
+ do_one_initcall+0xbc/0x47d init/main.c:887
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8881ef61ae00
+ which belongs to the cache kmalloc-192 of size 192
+The buggy address is located 32 bytes inside of
+ 192-byte region [ffff8881ef61ae00, ffff8881ef61aec0)
+The buggy address belongs to the page:
+page:ffffea0007bd8680 count:1 mapcount:0 mapping:ffff8881f6c03000 index:0xffff8881ef61a700
+Flags: 0x2fffc0000000200(slab)
+Raw: 02fffc0000000200 ffffea0007ca4740 0000000500000005 ffff8881f6c03000
+Raw: ffff8881ef61a700 000000008010000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881ef61ad00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8881ef61ad80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
+>ffff8881ef61ae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881ef61ae80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8881ef61af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: 5cf6a51e6062 ("configfs: allow dynamic group creation")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/configfs/dir.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
+index 39843fa7e11b..920d350df37b 100644
+--- a/fs/configfs/dir.c
++++ b/fs/configfs/dir.c
+@@ -1755,12 +1755,19 @@ int configfs_register_group(struct config_group *parent_group,
+
+ inode_lock_nested(d_inode(parent), I_MUTEX_PARENT);
+ ret = create_default_group(parent_group, group);
+- if (!ret) {
+- spin_lock(&configfs_dirent_lock);
+- configfs_dir_set_ready(group->cg_item.ci_dentry->d_fsdata);
+- spin_unlock(&configfs_dirent_lock);
+- }
++ if (ret)
++ goto err_out;
++
++ spin_lock(&configfs_dirent_lock);
++ configfs_dir_set_ready(group->cg_item.ci_dentry->d_fsdata);
++ spin_unlock(&configfs_dirent_lock);
++ inode_unlock(d_inode(parent));
++ return 0;
++err_out:
+ inode_unlock(d_inode(parent));
++ mutex_lock(&subsys->su_mutex);
++ unlink_group(group);
++ mutex_unlock(&subsys->su_mutex);
+ return ret;
+ }
+ EXPORT_SYMBOL(configfs_register_group);
+--
+2.16.4
+
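Review bot: The new `err_out:` path in configfs_register_group() would benefit from a comment saying what it undoes, because the matching link step is outside the hunk. Something like `/* drop the group from the parent's list again so the caller can free it */` above `mutex_lock(&subsys->su_mutex)` matches the patch description. `subsys` and the earlier linking are not visible here, so the lock pairing should be checked against the start of the function.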
diff --git a/patches.fixes/crypto-caam-fix-caam_dump_sg-that-iterates-through-s.patch b/patches.fixes/crypto-caam-fix-caam_dump_sg-that-iterates-through-s.patch
new file mode 100644
index 0000000000..9eb3e1cf24
--- /dev/null
+++ b/patches.fixes/crypto-caam-fix-caam_dump_sg-that-iterates-through-s.patch
@@ -0,0 +1,40 @@
+From 8c65d35435e8cbfdf953cafe5ebe3648ee9276a2 Mon Sep 17 00:00:00 2001
+From: Iuliana Prodan <iuliana.prodan@nxp.com>
+Date: Tue, 7 May 2019 16:37:03 +0300
+Subject: [PATCH] crypto: caam - fix caam_dump_sg that iterates through scatterlist
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 8c65d35435e8cbfdf953cafe5ebe3648ee9276a2
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Fix caam_dump_sg by correctly determining the next scatterlist
+entry in the list.
+
+Fixes: 5ecf8ef9103c ("crypto: caam - fix sg dump")
+Signed-off-by: Iuliana Prodan <iuliana.prodan@nxp.com>
+Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/crypto/caam/error.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/caam/error.c b/drivers/crypto/caam/error.c
+index a4129a35a330..4da844e4b61d 100644
+--- a/drivers/crypto/caam/error.c
++++ b/drivers/crypto/caam/error.c
+@@ -22,7 +22,7 @@ void caam_dump_sg(const char *level, const char *prefix_str, int prefix_type,
+ size_t len;
+ void *buf;
+
+- for (it = sg; it && tlen > 0 ; it = sg_next(sg)) {
++ for (it = sg; it && tlen > 0 ; it = sg_next(it)) {
+ /*
+ * make sure the scatterlist's page
+ * has a valid virtual memory mapping
+--
+2.16.4
+
diff --git a/patches.fixes/crypto-vmx-CTR-always-increment-IV-as-quadword.patch b/patches.fixes/crypto-vmx-CTR-always-increment-IV-as-quadword.patch
new file mode 100644
index 0000000000..a51ff9617e
--- /dev/null
+++ b/patches.fixes/crypto-vmx-CTR-always-increment-IV-as-quadword.patch
@@ -0,0 +1,61 @@
+From 009b30ac7444c17fae34c4f435ebce8e8e2b3250 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Wed, 15 May 2019 20:24:50 +1000
+Subject: [PATCH] crypto: vmx - CTR: always increment IV as quadword
+Git-commit: 009b30ac7444c17fae34c4f435ebce8e8e2b3250
+Patch-mainline: v5.2-rc2
+References: bsc#1051510
+
+The kernel self-tests picked up an issue with CTR mode:
+Alg: skcipher: p8_aes_ctr encryption test failed (wrong result) on test vector 3, cfg="uneven misaligned splits, may sleep"
+
+Test vector 3 has an IV of FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD, so
+after 3 increments it should wrap around to 0.
+
+In the aesp8-ppc code from OpenSSL, there are two paths that
+increment IVs: the bulk (8 at a time) path, and the individual
+path which is used when there are fewer than 8 AES blocks to
+process.
+
+In the bulk path, the IV is incremented with vadduqm: "Vector
+Add Unsigned Quadword Modulo", which does 128-bit addition.
+
+In the individual path, however, the IV is incremented with
+Vadduwm: "Vector Add Unsigned Word Modulo", which instead
+does 4 32-bit additions. Thus the IV would instead become
+FFFFFFFFFFFFFFFFFFFFFFFF00000000, throwing off the result.
+
+Use vadduqm.
+
+This was probably a typo originally, what with q and w being
+adjacent. It is a pretty narrow edge case: I am really
+impressed by the quality of the kernel self-tests!
+
+Fixes: 5c380d623ed3 ("crypto: vmx - Add support for VMS instructions by ASM")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Acked-by: Nayna Jain <nayna@linux.ibm.com>
+Tested-by: Nayna Jain <nayna@linux.ibm.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/crypto/vmx/aesp8-ppc.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/vmx/aesp8-ppc.pl b/drivers/crypto/vmx/aesp8-ppc.pl
+index de78282b8f44..9c6b5c1d6a1a 100644
+--- a/drivers/crypto/vmx/aesp8-ppc.pl
++++ b/drivers/crypto/vmx/aesp8-ppc.pl
+@@ -1357,7 +1357,7 @@ Loop_ctr32_enc:
+ addi $idx,$idx,16
+ bdnz Loop_ctr32_enc
+
+- vadduwm $ivec,$ivec,$one
++ vadduqm $ivec,$ivec,$one
+ vmr $dat,$inptail
+ lvx $inptail,0,$inp
+ addi $inp,$inp,16
+--
+2.16.4
+
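Review bot: The single-block path after `Loop_ctr32_enc` now uses `vadduqm`, but nothing on that line records that the counter increment has to be a full 128-bit add, and the description itself calls the original a probable one-letter typo. A comment at the instruction would guard against the same slip, for example `# 128-bit counter increment: the carry must propagate across words, as in the 8x path`. In CTR mode a counter that fails to carry diverges from every other implementation at the wrap point, so an IV near all-ones should stay in the self-tests for both the bulk and the single-block path. The hunk does not show which vectors exist beyond the "test vector 3" named in the description, and the routine continues outside the hunk.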
diff --git a/patches.fixes/dccp-Fix-memleak-in-__feat_register_sp.patch b/patches.fixes/dccp-Fix-memleak-in-__feat_register_sp.patch
new file mode 100644
index 0000000000..741eaaeb8c
--- /dev/null
+++ b/patches.fixes/dccp-Fix-memleak-in-__feat_register_sp.patch
@@ -0,0 +1,43 @@
+From 1d3ff0950e2b40dc861b1739029649d03f591820 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Mon, 1 Apr 2019 09:35:54 +0800
+Subject: [PATCH] dccp: Fix memleak in __feat_register_sp
+Git-commit: 1d3ff0950e2b40dc861b1739029649d03f591820
+Patch-mainline: v5.1-rc4
+References: bsc#1051510
+
+If dccp_feat_push_change fails, we forget free the mem
+which is alloced by kmemdup in dccp_feat_clone_sp_val.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: e8ef967a54f4 ("dccp: Registration routines for changing feature values")
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/dccp/feat.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/dccp/feat.c b/net/dccp/feat.c
+index f227f002c73d..db87d9f58019 100644
+--- a/net/dccp/feat.c
++++ b/net/dccp/feat.c
+@@ -738,7 +738,12 @@ static int __feat_register_sp(struct list_head *fn, u8 feat, u8 is_local,
+ if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len))
+ return -ENOMEM;
+
+- return dccp_feat_push_change(fn, feat, is_local, mandatory, &fval);
++ if (dccp_feat_push_change(fn, feat, is_local, mandatory, &fval)) {
++ kfree(fval.sp.vec);
++ return -ENOMEM;
++ }
++
++ return 0;
+ }
+
+ /**
+--
+2.16.4
+
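Review bot: The new error branch in `__feat_register_sp()` discards whatever `dccp_feat_push_change()` returned and hard-codes `-ENOMEM`, so any other failure code the callee produces, now or after a later change, is misreported to the caller. Keeping the callee's value costs nothing: `int rc = dccp_feat_push_change(fn, feat, is_local, mandatory, &fval);` followed by `if (rc) kfree(fval.sp.vec);` and `return rc;`. `dccp_feat_push_change()` is not visible here, so whether it can currently fail with anything other than `-ENOMEM` should be confirmed. The function starts outside the inner hunk.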
diff --git a/patches.fixes/debugfs-fix-use-after-free-on-symlink-traversal.patch b/patches.fixes/debugfs-fix-use-after-free-on-symlink-traversal.patch
new file mode 100644
index 0000000000..ca58a3562e
--- /dev/null
+++ b/patches.fixes/debugfs-fix-use-after-free-on-symlink-traversal.patch
@@ -0,0 +1,51 @@
+From 93b919da64c15b90953f96a536e5e61df896ca57 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue, 26 Mar 2019 01:43:37 +0000
+Subject: [PATCH] debugfs: fix use-after-free on symlink traversal
+Git-commit: 93b919da64c15b90953f96a536e5e61df896ca57
+Patch-mainline: v5.1-rc4
+References: bsc#1051510
+
+symlink body shouldn't be freed without an RCU delay. Switch debugfs to
+->destroy_inode() and use of call_rcu(); free both the inode and symlink
+body in the callback. Similar to solution for bpf, only here it's even
+more obvious that ->evict_inode() can be dropped.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/debugfs/inode.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/debugfs/inode.c
++++ b/fs/debugfs/inode.c
+@@ -170,19 +170,24 @@ static int debugfs_show_options(struct s
+ return 0;
+ }
+
+-static void debugfs_evict_inode(struct inode *inode)
++static void debugfs_i_callback(struct rcu_head *head)
+ {
+- truncate_inode_pages_final(&inode->i_data);
+- clear_inode(inode);
++ struct inode *inode = container_of(head, struct inode, i_rcu);
+ if (S_ISLNK(inode->i_mode))
+ kfree(inode->i_link);
++ free_inode_nonrcu(inode);
++}
++
++static void debugfs_destroy_inode(struct inode *inode)
++{
++ call_rcu(&inode->i_rcu, debugfs_i_callback);
+ }
+
+ static const struct super_operations debugfs_super_operations = {
+ .statfs = simple_statfs,
+ .remount_fs = debugfs_remount,
+ .show_options = debugfs_show_options,
+- .evict_inode = debugfs_evict_inode,
++ .destroy_inode = debugfs_destroy_inode,
+ };
+
+ static struct vfsmount *debugfs_automount(struct path *path)
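Review bot: `debugfs_i_callback()` and `debugfs_destroy_inode()` carry no comment saying why the symlink body is freed from an RCU callback instead of directly, and that ordering is the entire fix. A short comment above the callback would keep a later cleanup from moving the `kfree()` back into a synchronous path, for example `/* i_link may still be read by a lockless path walk; free it and the inode only after a grace period */`. The lockless reader is inferred from the description's "symlink traversal" and "RCU delay" wording, not from lines in this hunk.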
diff --git a/patches.fixes/devres-Align-data-to-ARCH_KMALLOC_MINALIGN.patch b/patches.fixes/devres-Align-data-to-ARCH_KMALLOC_MINALIGN.patch
new file mode 100644
index 0000000000..97316dd307
--- /dev/null
+++ b/patches.fixes/devres-Align-data-to-ARCH_KMALLOC_MINALIGN.patch
@@ -0,0 +1,62 @@
+From a66d972465d15b1d89281258805eb8b47d66bd36 Mon Sep 17 00:00:00 2001
+From: Alexey Brodkin <alexey.brodkin@synopsys.com>
+Date: Wed, 31 Oct 2018 18:25:47 +0300
+Subject: [PATCH] devres: Align data[] to ARCH_KMALLOC_MINALIGN
+Git-commit: a66d972465d15b1d89281258805eb8b47d66bd36
+Patch-mainline: v4.20-rc5
+References: bsc#1051510
+
+Initially we bumped into problem with 32-bit aligned atomic64_t
+on ARC, see [1]. And then during quite lengthly discussion Peter Z.
+mentioned ARCH_KMALLOC_MINALIGN which IMHO makes perfect sense.
+If allocation is done by plain kmalloc() obtained buffer will be
+ARCH_KMALLOC_MINALIGN aligned and then why buffer obtained via
+devm_kmalloc() should have any other alignment?
+
+This way we at least get the same behavior for both types of
+allocation.
+
+[1] http://lists.infradead.org/pipermail/linux-snps-arc/2018-July/004009.html
+[2] http://lists.infradead.org/pipermail/linux-snps-arc/2018-July/004036.html
+
+Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: David Laight <David.Laight@ACULAB.COM>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vineet Gupta <vgupta@synopsys.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Greg KH <greg@kroah.com>
+Cc: <stable@vger.kernel.org> # 4.8+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/base/devres.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/base/devres.c b/drivers/base/devres.c
+index 4aaf00d2098b..e038e2b3b7ea 100644
+--- a/drivers/base/devres.c
++++ b/drivers/base/devres.c
+@@ -26,8 +26,14 @@ struct devres_node {
+
+ struct devres {
+ struct devres_node node;
+- /* -- 3 pointers */
+- unsigned long long data[]; /* guarantee ull alignment */
++ /*
++ * Some archs want to perform DMA into kmalloc caches
++ * and need a guaranteed alignment larger than
++ * the alignment of a 64-bit integer.
++ * Thus we use ARCH_KMALLOC_MINALIGN here and get exactly the same
++ * buffer alignment as if it was allocated by plain kmalloc().
++ */
++ u8 __aligned(ARCH_KMALLOC_MINALIGN) data[];
+ };
+
+ struct devres_group {
+--
+2.16.4
+
diff --git a/patches.fixes/ext4-actually-request-zeroing-of-inode-table-after-g.patch b/patches.fixes/ext4-actually-request-zeroing-of-inode-table-after-g.patch
new file mode 100644
index 0000000000..79dc98bdc3
--- /dev/null
+++ b/patches.fixes/ext4-actually-request-zeroing-of-inode-table-after-g.patch
@@ -0,0 +1,41 @@
+From 310a997fd74de778b9a4848a64be9cda9f18764a Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+Date: Thu, 25 Apr 2019 13:06:18 -0400
+Subject: [PATCH] ext4: actually request zeroing of inode table after grow
+Git-commit: 310a997fd74de778b9a4848a64be9cda9f18764a
+Patch-mainline: v5.2-rc1
+References: bsc#1135315
+
+It is never possible, that number of block groups decreases,
+since only online grow is supported.
+
+But after a growing occured, we have to zero inode tables
+for just created new block groups.
+
+Fixes: 19c5246d2516 ("ext4: add new online resize interface")
+Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
+index bab3da4f1e0d..20faa6a69238 100644
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -978,7 +978,7 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+ if (err == 0)
+ err = err2;
+ mnt_drop_write_file(filp);
+- if (!err && (o_group > EXT4_SB(sb)->s_groups_count) &&
++ if (!err && (o_group < EXT4_SB(sb)->s_groups_count) &&
+ ext4_has_group_desc_csum(sb) &&
+ test_opt(sb, INIT_INODE_TABLE))
+ err = ext4_register_li_request(sb, o_group);
+--
+2.16.4
+
diff --git a/patches.fixes/ext4-fix-ext4_show_options-for-file-systems-w-o-jour.patch b/patches.fixes/ext4-fix-ext4_show_options-for-file-systems-w-o-jour.patch
new file mode 100644
index 0000000000..32e7d064c0
--- /dev/null
+++ b/patches.fixes/ext4-fix-ext4_show_options-for-file-systems-w-o-jour.patch
@@ -0,0 +1,39 @@
+From 50b29d8f033a7c88c5bc011abc2068b1691ab755 Mon Sep 17 00:00:00 2001
+From: Debabrata Banerjee <dbanerje@akamai.com>
+Date: Tue, 30 Apr 2019 23:08:15 -0400
+Subject: [PATCH] ext4: fix ext4_show_options for file systems w/o journal
+Git-commit: 50b29d8f033a7c88c5bc011abc2068b1691ab755
+Patch-mainline: v5.2-rc1
+References: bsc#1135316
+
+Instead of removing EXT4_MOUNT_JOURNAL_CHECKSUM from s_def_mount_opt as
+I assume was intended, all other options were blown away leading to
+_ext4_show_options() output being incorrect.
+
+Fixes: 1e381f60dad9 ("ext4: do not allow journal_opts for fs w/o journal")
+Signed-off-by: Debabrata Banerjee <dbanerje@akamai.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index aeb6d22ea0ad..fc6fa2c93e77 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -4349,7 +4349,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
+ "data=, fs mounted w/o journal");
+ goto failed_mount_wq;
+ }
+- sbi->s_def_mount_opt &= EXT4_MOUNT_JOURNAL_CHECKSUM;
++ sbi->s_def_mount_opt &= ~EXT4_MOUNT_JOURNAL_CHECKSUM;
+ clear_opt(sb, JOURNAL_CHECKSUM);
+ clear_opt(sb, DATA_FLAGS);
+ sbi->s_journal = NULL;
+--
+2.16.4
+
diff --git a/patches.fixes/ext4-fix-use-after-free-race-with-debug_want_extra_i.patch b/patches.fixes/ext4-fix-use-after-free-race-with-debug_want_extra_i.patch
new file mode 100644
index 0000000000..a7215eb4ba
--- /dev/null
+++ b/patches.fixes/ext4-fix-use-after-free-race-with-debug_want_extra_i.patch
@@ -0,0 +1,105 @@
+From 7bc04c5c2cc467c5b40f2b03ba08da174a0d5fa7 Mon Sep 17 00:00:00 2001
+From: Barret Rhoden <brho@google.com>
+Date: Thu, 25 Apr 2019 11:55:50 -0400
+Subject: [PATCH] ext4: fix use-after-free race with debug_want_extra_isize
+Git-commit: 7bc04c5c2cc467c5b40f2b03ba08da174a0d5fa7
+Patch-mainline: v5.2-rc1
+References: bsc#1135314
+
+When remounting with debug_want_extra_isize, we were not performing the
+same checks that we do during a normal mount. That allowed us to set a
+value for s_want_extra_isize that reached outside the s_inode_size.
+
+Fixes: e2b911c53584 ("ext4: clean up feature test macros with predicate functions")
+Reported-by: syzbot+f584efa0ac7213c226b7@syzkaller.appspotmail.com
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Barret Rhoden <brho@google.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/super.c | 58 ++++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 34 insertions(+), 24 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3425,6 +3425,37 @@ int ext4_calculate_overhead(struct super
+ return 0;
+ }
+
++static void ext4_clamp_want_extra_isize(struct super_block *sb)
++{
++ struct ext4_sb_info *sbi = EXT4_SB(sb);
++ struct ext4_super_block *es = sbi->s_es;
++
++ /* determine the minimum size of new large inodes, if present */
++ if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE &&
++ sbi->s_want_extra_isize == 0) {
++ sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
++ EXT4_GOOD_OLD_INODE_SIZE;
++ if (ext4_has_feature_extra_isize(sb)) {
++ if (sbi->s_want_extra_isize <
++ le16_to_cpu(es->s_want_extra_isize))
++ sbi->s_want_extra_isize =
++ le16_to_cpu(es->s_want_extra_isize);
++ if (sbi->s_want_extra_isize <
++ le16_to_cpu(es->s_min_extra_isize))
++ sbi->s_want_extra_isize =
++ le16_to_cpu(es->s_min_extra_isize);
++ }
++ }
++ /* Check if enough inode space is available */
++ if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
++ sbi->s_inode_size) {
++ sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
++ EXT4_GOOD_OLD_INODE_SIZE;
++ ext4_msg(sb, KERN_INFO,
++ "required extra inode space not available");
++ }
++}
++
+ static void ext4_set_resv_clusters(struct super_block *sb)
+ {
+ ext4_fsblk_t resv_clusters;
+@@ -4259,30 +4290,7 @@ no_journal:
+ if (ext4_setup_super(sb, es, sb->s_flags & MS_RDONLY))
+ sb->s_flags |= MS_RDONLY;
+
+- /* determine the minimum size of new large inodes, if present */
+- if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE &&
+- sbi->s_want_extra_isize == 0) {
+- sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
+- EXT4_GOOD_OLD_INODE_SIZE;
+- if (ext4_has_feature_extra_isize(sb)) {
+- if (sbi->s_want_extra_isize <
+- le16_to_cpu(es->s_want_extra_isize))
+- sbi->s_want_extra_isize =
+- le16_to_cpu(es->s_want_extra_isize);
+- if (sbi->s_want_extra_isize <
+- le16_to_cpu(es->s_min_extra_isize))
+- sbi->s_want_extra_isize =
+- le16_to_cpu(es->s_min_extra_isize);
+- }
+- }
+- /* Check if enough inode space is available */
+- if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
+- sbi->s_inode_size) {
+- sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
+- EXT4_GOOD_OLD_INODE_SIZE;
+- ext4_msg(sb, KERN_INFO, "required extra inode space not"
+- "available");
+- }
++ ext4_clamp_want_extra_isize(sb);
+
+ ext4_set_resv_clusters(sb);
+
+@@ -5064,6 +5072,8 @@ static int ext4_remount(struct super_blo
+ goto restore_opts;
+ }
+
++ ext4_clamp_want_extra_isize(sb);
++
+ if ((old_opts.s_mount_opt & EXT4_MOUNT_JOURNAL_CHECKSUM) ^
+ test_opt(sb, JOURNAL_CHECKSUM)) {
+ ext4_msg(sb, KERN_ERR, "changing journal_checksum "
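Review bot: In `ext4_clamp_want_extra_isize()`, the fallback assigned when the "enough inode space" check fails is `sizeof(struct ext4_inode) - EXT4_GOOD_OLD_INODE_SIZE`, and that value is never itself compared with `sbi->s_inode_size`. If `s_inode_size` equals `EXT4_GOOD_OLD_INODE_SIZE`, the clamped value still reaches past the inode (assuming `struct ext4_inode` is larger than the old size, as the first branch implies), which is the out-of-bounds condition this helper is meant to close on remount. An early guard at the top of the helper would cover that case: `if (sbi->s_inode_size == EXT4_GOOD_OLD_INODE_SIZE) { sbi->s_want_extra_isize = 0; return; }`. Whether such a filesystem can reach `ext4_remount()` with `debug_want_extra_isize` set is not visible in these hunks and should be confirmed.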
diff --git a/patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch b/patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
new file mode 100644
index 0000000000..cfdb379450
--- /dev/null
+++ b/patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
@@ -0,0 +1,87 @@
+From 592acbf16821288ecdc4192c47e3774a4c48bb64 Mon Sep 17 00:00:00 2001
+From: Sriram Rajagopalan <sriramr@arista.com>
+Date: Fri, 10 May 2019 19:28:06 -0400
+Subject: [PATCH] ext4: zero out the unused memory region in the extent tree
+ block
+Git-commit: 592acbf16821288ecdc4192c47e3774a4c48bb64
+Patch-mainline: v5.2-rc1
+References: bsc#1135281 CVE-2019-11833
+
+This commit zeroes out the unused memory region in the buffer_head
+corresponding to the extent metablock after writing the extent header
+and the corresponding extent node entries.
+
+This is done to prevent random uninitialized data from getting into
+the filesystem when the extent block is synced.
+
+This fixes CVE-2019-11833.
+
+Signed-off-by: Sriram Rajagopalan <sriramr@arista.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/extents.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 0f89f5190cd7..f2c62e2a0c98 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -1035,6 +1035,7 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode,
+ __le32 border;
+ ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */
+ int err = 0;
++ size_t ext_size = 0;
+
+ /* make decision: where to split? */
+ /* FIXME: now decision is simplest: at current extent */
+@@ -1126,6 +1127,10 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode,
+ le16_add_cpu(&neh->eh_entries, m);
+ }
+
++ /* zero out unused area in the extent block */
++ ext_size = sizeof(struct ext4_extent_header) +
++ sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries);
++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
+ ext4_extent_block_csum_set(inode, neh);
+ set_buffer_uptodate(bh);
+ unlock_buffer(bh);
+@@ -1205,6 +1210,11 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode,
+ sizeof(struct ext4_extent_idx) * m);
+ le16_add_cpu(&neh->eh_entries, m);
+ }
++ /* zero out unused area in the extent block */
++ ext_size = sizeof(struct ext4_extent_header) +
++ (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries));
++ memset(bh->b_data + ext_size, 0,
++ inode->i_sb->s_blocksize - ext_size);
+ ext4_extent_block_csum_set(inode, neh);
+ set_buffer_uptodate(bh);
+ unlock_buffer(bh);
+@@ -1270,6 +1280,7 @@ static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode,
+ ext4_fsblk_t newblock, goal = 0;
+ struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es;
+ int err = 0;
++ size_t ext_size = 0;
+
+ /* Try to prepend new index to old one */
+ if (ext_depth(inode))
+@@ -1295,9 +1306,11 @@ static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode,
+ goto out;
+ }
+
++ ext_size = sizeof(EXT4_I(inode)->i_data);
+ /* move top-level index/leaf into new block */
+- memmove(bh->b_data, EXT4_I(inode)->i_data,
+- sizeof(EXT4_I(inode)->i_data));
++ memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size);
++ /* zero out unused area in the extent block */
++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
+
+ /* set size of new block */
+ neh = ext_block_hdr(bh);
+--
+2.16.4
+
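Review bot: In the second `ext4_ext_split()` hunk (the index-block path) `ext_size` is computed with `sizeof(struct ext4_extent)`, although the entries moved just above it are `struct ext4_extent_idx`. The memset start is only right if the two structures have the same size; writing `sizeof(struct ext4_extent_idx) * le16_to_cpu(neh->eh_entries)` there states the intent and stays correct if either layout changes. None of the three sites checks that `ext_size` does not exceed `inode->i_sb->s_blocksize` before the subtraction, so an oversized entry count would turn the length into a huge `size_t`. A one-line comment saying why the count is bounded at that point would make the zeroing reviewable on its own. Both functions extend beyond the hunks shown.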
diff --git a/patches.fixes/ipconfig-Correctly-initialise-ic_nameservers.patch b/patches.fixes/ipconfig-Correctly-initialise-ic_nameservers.patch
new file mode 100644
index 0000000000..583e980b7c
--- /dev/null
+++ b/patches.fixes/ipconfig-Correctly-initialise-ic_nameservers.patch
@@ -0,0 +1,85 @@
+From 300eec7c0a2495f771709c7642aa15f7cc148b83 Mon Sep 17 00:00:00 2001
+From: Chris Novakovic <chris@chrisn.me.uk>
+Date: Tue, 24 Apr 2018 03:56:37 +0100
+Subject: [PATCH] ipconfig: Correctly initialise ic_nameservers
+Git-commit: 300eec7c0a2495f771709c7642aa15f7cc148b83
+Patch-mainline: v4.18-rc1
+References: bsc#1051510
+
+ic_nameservers, which stores the list of name servers discovered by
+ipconfig, is initialised (i.e. has all of its elements set to NONE, or
+0xffffffff) by ic_nameservers_predef() in the following scenarios:
+
+ - before the "ip=" and "nfsaddrs=" kernel command line parameters are
+ parsed (in ip_auto_config_setup());
+ - before autoconfiguring via DHCP or BOOTP (in ic_bootp_init()), in
+ order to clear any values that may have been set after parsing "ip="
+ or "nfsaddrs=" and are no longer needed.
+
+This means that ic_nameservers_predef() is not called when neither "ip="
+nor "nfsaddrs=" is specified on the kernel command line. In this
+scenario, every element in ic_nameservers remains set to 0x00000000,
+which is indistinguishable from ANY and causes pnp_seq_show() to write
+the following (bogus) information to /proc/net/pnp:
+
+ #MANUAL
+ nameserver 0.0.0.0
+ nameserver 0.0.0.0
+ nameserver 0.0.0.0
+
+This is potentially problematic for systems that blindly link
+/etc/resolv.conf to /proc/net/pnp.
+
+Ensure that ic_nameservers is also initialised when neither "ip=" nor
+"nfsaddrs=" are specified by calling ic_nameservers_predef() in
+ip_auto_config(), but only when ip_auto_config_setup() was not called
+earlier. This causes the following to be written to /proc/net/pnp, and
+is consistent with what gets written when ipconfig is configured
+manually but no name servers are specified on the kernel command line:
+
+ #MANUAL
+
+Signed-off-by: Chris Novakovic <chris@chrisn.me.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/ipv4/ipconfig.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/net/ipv4/ipconfig.c
++++ b/net/ipv4/ipconfig.c
+@@ -780,6 +780,11 @@ static void __init ic_bootp_init_ext(u8
+ */
+ static inline void __init ic_bootp_init(void)
+ {
++ /* Re-initialise all name servers to NONE, in case any were set via the
++ * "ip=" or "nfsaddrs=" kernel command line parameters: any IP addresses
++ * specified there will already have been decoded but are no longer
++ * needed
++ */
+ ic_nameservers_predef();
+
+ dev_add_pack(&bootp_packet_type);
+@@ -1401,6 +1406,13 @@ static int __init ip_auto_config(void)
+ int err;
+ unsigned int i;
+
++ /* Initialise all name servers to NONE (but only if the "ip=" or
++ * "nfsaddrs=" kernel command line parameters weren't decoded, otherwise
++ * we'll overwrite the IP addresses specified there)
++ */
++ if (ic_set_manually == 0)
++ ic_nameservers_predef();
++
+ #ifdef CONFIG_PROC_FS
+ proc_create("pnp", S_IRUGO, init_net.proc_net, &pnp_seq_fops);
+ #endif /* CONFIG_PROC_FS */
+@@ -1621,6 +1633,7 @@ static int __init ip_auto_config_setup(c
+ return 1;
+ }
+
++ /* Initialise all name servers to NONE */
+ ic_nameservers_predef();
+
+ /* Parse string for static IP assignment. */
diff --git a/patches.fixes/ipvlan-Add-the-skb-mark-as-flow4-s-member-to-lookup-.patch b/patches.fixes/ipvlan-Add-the-skb-mark-as-flow4-s-member-to-lookup-.patch
new file mode 100644
index 0000000000..34590bb5fc
--- /dev/null
+++ b/patches.fixes/ipvlan-Add-the-skb-mark-as-flow4-s-member-to-lookup-.patch
@@ -0,0 +1,34 @@
+From a98a4ebc8c61d20f0150d6be66e0e65223a347af Mon Sep 17 00:00:00 2001
+From: Gao Feng <gfree.wind@vip.163.com>
+Date: Fri, 1 Dec 2017 09:58:42 +0800
+Subject: [PATCH] ipvlan: Add the skb->mark as flow4's member to lookup route
+Git-commit: a98a4ebc8c61d20f0150d6be66e0e65223a347af
+Patch-mainline: v4.15-rc3
+References: bsc#1051510
+
+Current codes don't use skb->mark to assign flowi4_mark, it would
+make the policy route rule with fwmark doesn't work as expected.
+
+Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/ipvlan/ipvlan_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
+index 11c1e7950fe5..77cc4fbaeace 100644
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -393,6 +393,7 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb)
+ .flowi4_oif = dev->ifindex,
+ .flowi4_tos = RT_TOS(ip4h->tos),
+ .flowi4_flags = FLOWI_FLAG_ANYSRC,
++ .flowi4_mark = skb->mark,
+ .daddr = ip4h->daddr,
+ .saddr = ip4h->saddr,
+ };
+--
+2.16.4
+
diff --git a/patches.fixes/ipvlan-fix-ipv6-outbound-device.patch b/patches.fixes/ipvlan-fix-ipv6-outbound-device.patch
new file mode 100644
index 0000000000..d8545b8e1e
--- /dev/null
+++ b/patches.fixes/ipvlan-fix-ipv6-outbound-device.patch
@@ -0,0 +1,36 @@
+From ca29fd7cce5a6444d57fb86517589a1a31c759e1 Mon Sep 17 00:00:00 2001
+From: Keefe Liu <liuqifa@huawei.com>
+Date: Thu, 9 Nov 2017 20:09:31 +0800
+Subject: [PATCH] ipvlan: fix ipv6 outbound device
+Git-commit: ca29fd7cce5a6444d57fb86517589a1a31c759e1
+Patch-mainline: v4.15-rc1
+References: bsc#1051510
+
+When process the outbound packet of ipv6, we should assign the master
+device to output device other than input device.
+
+Signed-off-by: Keefe Liu <liuqifa@huawei.com>
+Acked-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/ipvlan/ipvlan_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
+index 034ae4c57196..f2a7e929316e 100644
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -409,7 +409,7 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb)
+ struct dst_entry *dst;
+ int err, ret = NET_XMIT_DROP;
+ struct flowi6 fl6 = {
+- .flowi6_iif = dev->ifindex,
++ .flowi6_oif = dev->ifindex,
+ .daddr = ip6h->daddr,
+ .saddr = ip6h->saddr,
+ .flowi6_flags = FLOWI_FLAG_ANYSRC,
+--
+2.16.4
+
diff --git a/patches.fixes/ipvlan-use-ETH_MAX_MTU-as-max-mtu.patch b/patches.fixes/ipvlan-use-ETH_MAX_MTU-as-max-mtu.patch
new file mode 100644
index 0000000000..c23b3eca8a
--- /dev/null
+++ b/patches.fixes/ipvlan-use-ETH_MAX_MTU-as-max-mtu.patch
@@ -0,0 +1,35 @@
+From 548feb33c598dfaf9f8e066b842441ac49b84a8a Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 18 Jun 2018 16:15:57 +0800
+Subject: [PATCH] ipvlan: use ETH_MAX_MTU as max mtu
+Git-commit: 548feb33c598dfaf9f8e066b842441ac49b84a8a
+Patch-mainline: v4.18-rc2
+References: bsc#1051510
+
+Similar to the fixes on team and bonding, this restores the ability
+to set an ipvlan device's mtu to anything higher than 1500.
+
+Fixes: 91572088e3fd ("net: use core MTU range checking in core net infra")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/ipvlan/ipvlan_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c
+index 4377c26f714d..d02f0a7c534e 100644
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -693,6 +693,7 @@ void ipvlan_link_setup(struct net_device *dev)
+ {
+ ether_setup(dev);
+
++ dev->max_mtu = ETH_MAX_MTU;
+ dev->priv_flags &= ~(IFF_XMIT_DST_RELEASE | IFF_TX_SKB_SHARING);
+ dev->priv_flags |= IFF_UNICAST_FLT | IFF_NO_QUEUE;
+ dev->netdev_ops = &ipvlan_netdev_ops;
+--
+2.16.4
+
diff --git a/patches.fixes/ipvs-Fix-signed-integer-overflow-when-setsockopt-tim.patch b/patches.fixes/ipvs-Fix-signed-integer-overflow-when-setsockopt-tim.patch
new file mode 100644
index 0000000000..b197288a02
--- /dev/null
+++ b/patches.fixes/ipvs-Fix-signed-integer-overflow-when-setsockopt-tim.patch
@@ -0,0 +1,93 @@
+From 53ab60baa1ac4f20b080a22c13b77b6373922fd7 Mon Sep 17 00:00:00 2001
+From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Date: Thu, 10 Jan 2019 16:39:06 +0800
+Subject: [PATCH] ipvs: Fix signed integer overflow when setsockopt timeout
+Git-commit: 53ab60baa1ac4f20b080a22c13b77b6373922fd7
+Patch-mainline: v5.0-rc5
+References: bsc#1051510
+
+There is a UBSAN bug report as below:
+Ubsan: Undefined behaviour in net/netfilter/ipvs/ip_vs_ctl.c:2227:21
+signed integer overflow:
+-2147483647 * 1000 cannot be represented in type 'int'
+
+Reproduce program:
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <sys/socket.h>
+
+ #define IPPROTO_IP 0
+ #define IPPROTO_RAW 255
+
+ #define IP_VS_BASE_CTL (64+1024+64)
+ #define IP_VS_SO_SET_TIMEOUT (IP_VS_BASE_CTL+10)
+
+ /* The argument to IP_VS_SO_GET_TIMEOUT */
+ struct ipvs_timeout_t {
+ int tcp_timeout;
+ int tcp_fin_timeout;
+ int udp_timeout;
+ };
+
+ int main() {
+ int ret = -1;
+ int sockfd = -1;
+ struct ipvs_timeout_t to;
+
+ sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+ if (sockfd == -1) {
+ printf("socket init error\n");
+ return -1;
+ }
+
+ to.tcp_timeout = -2147483647;
+ to.tcp_fin_timeout = -2147483647;
+ to.udp_timeout = -2147483647;
+
+ ret = setsockopt(sockfd,
+ IPPROTO_IP,
+ IP_VS_SO_SET_TIMEOUT,
+ (char *)(&to),
+ sizeof(to));
+
+ printf("setsockopt return %d\n", ret);
+ return ret;
+ }
+
+Return -EINVAL if the timeout value is negative or max than 'INT_MAX / HZ'.
+
+Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 432141f04af3..7d6318664eb2 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2220,6 +2220,18 @@ static int ip_vs_set_timeout(struct netns_ipvs *ipvs, struct ip_vs_timeout_user
+ u->tcp_fin_timeout,
+ u->udp_timeout);
+
++#ifdef CONFIG_IP_VS_PROTO_TCP
++ if (u->tcp_timeout < 0 || u->tcp_timeout > (INT_MAX / HZ) ||
++ u->tcp_fin_timeout < 0 || u->tcp_fin_timeout > (INT_MAX / HZ)) {
++ return -EINVAL;
++ }
++#endif
++
++#ifdef CONFIG_IP_VS_PROTO_UDP
++ if (u->udp_timeout < 0 || u->udp_timeout > (INT_MAX / HZ))
++ return -EINVAL;
++#endif
++
+ #ifdef CONFIG_IP_VS_PROTO_TCP
+ if (u->tcp_timeout) {
+ pd = ip_vs_proto_data_get(ipvs, IPPROTO_TCP);
+--
+2.16.4
+
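Review bot: The range checks added to `ip_vs_set_timeout()` have no comment tying the `INT_MAX / HZ` bound to the multiplication it protects, and that multiplication lies outside the hunk (it is only visible through the UBSAN report in the description). A line above the first check such as `/* timeouts are scaled by HZ below; reject values whose product would not fit in an int */` would let the bound be audited without reading the rest of the function. The TCP check also wraps a single `return -EINVAL;` in braces while the UDP check does not; kernel style drops them. The new `#ifdef CONFIG_IP_VS_PROTO_TCP` block sits directly before an existing one, separated only by the UDP check, so moving the UDP check first would allow the two TCP blocks to be merged.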
diff --git a/patches.fixes/ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_d.patch b/patches.fixes/ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_d.patch
new file mode 100644
index 0000000000..83547a5100
--- /dev/null
+++ b/patches.fixes/ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_d.patch
@@ -0,0 +1,87 @@
+From a53b42c11815d2357e31a9403ae3950517525894 Mon Sep 17 00:00:00 2001
+From: Tan Hu <tan.hu@zte.com.cn>
+Date: Wed, 25 Jul 2018 15:23:07 +0800
+Subject: [PATCH] ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest()
+Git-commit: a53b42c11815d2357e31a9403ae3950517525894
+Patch-mainline: v4.19-rc1
+References: bsc#1051510
+
+We came across infinite loop in ipvs when using ipvs in docker
+env.
+
+When ipvs receives new packets and cannot find an ipvs connection,
+it will create a new connection, then if the dest is unavailable
+(i.e. IP_VS_DEST_F_AVAILABLE), the packet will be dropped sliently.
+
+But if the dropped packet is the first packet of this connection,
+the connection control timer never has a chance to start and the
+ipvs connection cannot be released. This will lead to memory leak, or
+infinite loop in cleanup_net() when net namespace is released like
+This:
+
+ ip_vs_conn_net_cleanup at ffffffffa0a9f31a [ip_vs]
+ __ip_vs_cleanup at ffffffffa0a9f60a [ip_vs]
+ ops_exit_list at ffffffff81567a49
+ cleanup_net at ffffffff81568b40
+ process_one_work at ffffffff810a851b
+ worker_thread at ffffffff810a9356
+ kthread at ffffffff810b0b6f
+ ret_from_fork at ffffffff81697a18
+
+race condition:
+ CPU1 CPU2
+ ip_vs_in()
+ ip_vs_conn_new()
+ ip_vs_del_dest()
+ __ip_vs_unlink_dest()
+ ~IP_VS_DEST_F_AVAILABLE
+ cp->dest && !IP_VS_DEST_F_AVAILABLE
+ __ip_vs_conn_put
+ ...
+ cleanup_net ---> infinite looping
+
+Fix this by checking whether the timer already started.
+
+Signed-off-by: Tan Hu <tan.hu@zte.com.cn>
+Reviewed-by: Jiang Biao <jiang.biao2@zte.com.cn>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/netfilter/ipvs/ip_vs_core.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index 0679dd101e72..7ca926a03b81 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -1972,13 +1972,20 @@ ip_vs_in(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int
+ if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
+ /* the destination server is not available */
+
+- if (sysctl_expire_nodest_conn(ipvs)) {
++ __u32 flags = cp->flags;
++
++ /* when timer already started, silently drop the packet.*/
++ if (timer_pending(&cp->timer))
++ __ip_vs_conn_put(cp);
++ else
++ ip_vs_conn_put(cp);
++
++ if (sysctl_expire_nodest_conn(ipvs) &&
++ !(flags & IP_VS_CONN_F_ONE_PACKET)) {
+ /* try to expire the connection immediately */
+ ip_vs_conn_expire_now(cp);
+ }
+- /* don't restart its timer, and silently
+- drop the packet. */
+- __ip_vs_conn_put(cp);
++
+ return NF_DROP;
+ }
+
+--
+2.16.4
+
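Review bot: In the `ip_vs_in()` hunk, `ip_vs_conn_expire_now(cp)` now runs after the reference on `cp` has been dropped by `__ip_vs_conn_put(cp)` or `ip_vs_conn_put(cp)`, and the code does not say why that is safe. The copy `__u32 flags = cp->flags;` and the added `!(flags & IP_VS_CONN_F_ONE_PACKET)` test suggest that a one-packet connection may already be released when the put returns, but that is only implied. I would add a comment above the copy, for example `/* the put below may release a one-packet conn; read flags before it */`, and state what keeps `cp` valid for the expire call in the remaining case. The kept comment `/* when timer already started, silently drop the packet.*/` covers only the first branch, so the `else` branch needs a word too. `ip_vs_in()` starts and ends outside the hunk.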
diff --git a/patches.fixes/l2tp-cleanup-l2tp_tunnel_delete-calls.patch b/patches.fixes/l2tp-cleanup-l2tp_tunnel_delete-calls.patch
new file mode 100644
index 0000000000..6b5c8e4b05
--- /dev/null
+++ b/patches.fixes/l2tp-cleanup-l2tp_tunnel_delete-calls.patch
@@ -0,0 +1,58 @@
+From 4dc12ffeaeac939097a3f55c881d3dc3523dff0c Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Wed, 25 Oct 2017 15:57:55 +0200
+Subject: [PATCH] l2tp: cleanup l2tp_tunnel_delete calls
+Git-commit: 4dc12ffeaeac939097a3f55c881d3dc3523dff0c
+Patch-mainline: v4.15-rc1
+References: bsc#1051510
+
+l2tp_tunnel_delete does not return anything since commit 62b982eeb458
+("l2tp: fix race condition in l2tp_tunnel_delete"). But call sites of
+l2tp_tunnel_delete still do casts to void to avoid unused return value
+warnings.
+
+Kill these now useless casts.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: Sabrina Dubroca <sd@queasysnail.net>
+Cc: Guillaume Nault <g.nault@alphalink.fr>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: netdev@vger.kernel.org
+Acked-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/l2tp/l2tp_core.c | 2 +-
+ net/l2tp/l2tp_netlink.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index 02d61101b108..af22aa8ae35b 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1891,7 +1891,7 @@ static __net_exit void l2tp_exit_net(struct net *net)
+
+ rcu_read_lock_bh();
+ list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
+- (void)l2tp_tunnel_delete(tunnel);
++ l2tp_tunnel_delete(tunnel);
+ }
+ rcu_read_unlock_bh();
+
+diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
+index f5179424eaf1..f04fb347d251 100644
+--- a/net/l2tp/l2tp_netlink.c
++++ b/net/l2tp/l2tp_netlink.c
+@@ -282,7 +282,7 @@ static int l2tp_nl_cmd_tunnel_delete(struct sk_buff *skb, struct genl_info *info
+ l2tp_tunnel_notify(&l2tp_nl_family, info,
+ tunnel, L2TP_CMD_TUNNEL_DELETE);
+
+- (void) l2tp_tunnel_delete(tunnel);
++ l2tp_tunnel_delete(tunnel);
+
+ l2tp_tunnel_dec_refcount(tunnel);
+
+--
+2.16.4
+
diff --git a/patches.fixes/l2tp-revert-l2tp-fix-missing-print-session-offset-in.patch b/patches.fixes/l2tp-revert-l2tp-fix-missing-print-session-offset-in.patch
new file mode 100644
index 0000000000..31f822167d
--- /dev/null
+++ b/patches.fixes/l2tp-revert-l2tp-fix-missing-print-session-offset-in.patch
@@ -0,0 +1,35 @@
+From de3b58bc359a861d5132300f53f95e83f71954b3 Mon Sep 17 00:00:00 2001
+From: James Chapman <jchapman@katalix.com>
+Date: Wed, 3 Jan 2018 22:48:05 +0000
+Subject: [PATCH] l2tp: revert "l2tp: fix missing print session offset info"
+Git-commit: de3b58bc359a861d5132300f53f95e83f71954b3
+Patch-mainline: v4.16-rc1
+References: bsc#1051510
+
+Revert commit 820da5357572 ("l2tp: fix missing print session offset
+info"). The peer_offset parameter is removed.
+
+Signed-off-by: James Chapman <jchapman@katalix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/l2tp/l2tp_netlink.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
+index 7e9c50125556..a1f24fb2be98 100644
+--- a/net/l2tp/l2tp_netlink.c
++++ b/net/l2tp/l2tp_netlink.c
+@@ -761,8 +761,6 @@ static int l2tp_nl_session_send(struct sk_buff *skb, u32 portid, u32 seq, int fl
+
+ if ((session->ifname[0] &&
+ nla_put_string(skb, L2TP_ATTR_IFNAME, session->ifname)) ||
+- (session->offset &&
+- nla_put_u16(skb, L2TP_ATTR_OFFSET, session->offset)) ||
+ (session->cookie_len &&
+ nla_put(skb, L2TP_ATTR_COOKIE, session->cookie_len,
+ &session->cookie[0])) ||
+--
+2.16.4
+
diff --git a/patches.fixes/mISDN-Check-address-length-before-reading-address-fa.patch b/patches.fixes/mISDN-Check-address-length-before-reading-address-fa.patch
new file mode 100644
index 0000000000..81d467cd9f
--- /dev/null
+++ b/patches.fixes/mISDN-Check-address-length-before-reading-address-fa.patch
@@ -0,0 +1,39 @@
+From 238ffdc49ef98b15819cfd5e3fb23194e3ea3d39 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 12 Apr 2019 19:52:36 +0900
+Subject: [PATCH] mISDN: Check address length before reading address family
+Git-commit: 238ffdc49ef98b15819cfd5e3fb23194e3ea3d39
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+KMSAN will complain if valid address length passed to bind() is shorter
+than sizeof("struct sockaddr_mISDN"->family) bytes.
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/isdn/mISDN/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c
+index 4ab8b1b6608f..a14e35d40538 100644
+--- a/drivers/isdn/mISDN/socket.c
++++ b/drivers/isdn/mISDN/socket.c
+@@ -710,10 +710,10 @@ base_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
+ struct sock *sk = sock->sk;
+ int err = 0;
+
+- if (!maddr || maddr->family != AF_ISDN)
++ if (addr_len < sizeof(struct sockaddr_mISDN))
+ return -EINVAL;
+
+- if (addr_len < sizeof(struct sockaddr_mISDN))
++ if (!maddr || maddr->family != AF_ISDN)
+ return -EINVAL;
+
+ lock_sock(sk);
+--
+2.16.4
+
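Review bot: The length check moved to the top of `base_sock_bind()` compares the signed `int addr_len` with a `sizeof` result, so the comparison is unsigned and a negative `addr_len` would pass this line. The generic bind path presumably rejects negative lengths before the protocol handler runs, but that is not visible here; `if (addr_len < 0 || (size_t)addr_len < sizeof(struct sockaddr_mISDN))` makes the guard hold on its own. The description speaks of lengths shorter than the `family` field while the check requires the whole `struct sockaddr_mISDN`, so a one-line comment saying the stricter bound is intended would help. The function body continues outside the hunk.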
diff --git a/patches.fixes/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch b/patches.fixes/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch
new file mode 100644
index 0000000000..cf21e90f94
--- /dev/null
+++ b/patches.fixes/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch
@@ -0,0 +1,49 @@
+From eb9b64e3a9f8483e6e54f4e03b2ae14ae5db2690 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Sat, 16 Mar 2019 18:06:31 +0100
+Subject: [PATCH] mac80211: fix memory accounting with A-MSDU aggregation
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: eb9b64e3a9f8483e6e54f4e03b2ae14ae5db2690
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+skb->truesize can change due to memory reallocation or when adding extra
+fragments. Adjust fq->memory_usage accordingly
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/mac80211/tx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3118,6 +3118,7 @@ static bool ieee80211_amsdu_aggregate(st
+ u8 max_subframes = sta->sta.max_amsdu_subframes;
+ int max_frags = local->hw.max_tx_fragments;
+ int max_amsdu_len = sta->sta.max_amsdu_len;
++ int orig_truesize;
+ __be16 len;
+ void *data;
+ bool ret = false;
+@@ -3151,6 +3152,7 @@ static bool ieee80211_amsdu_aggregate(st
+ if (!head)
+ goto out;
+
++ orig_truesize = head->truesize;
+ orig_len = head->len;
+
+ if (skb->len + head->len > max_amsdu_len)
+@@ -3205,6 +3207,7 @@ static bool ieee80211_amsdu_aggregate(st
+ *frag_tail = skb;
+
+ out_recalc:
++ fq->memory_usage += head->truesize - orig_truesize;
+ if (head->len != orig_len) {
+ flow->backlog += head->len - orig_len;
+ tin->backlog_bytes += head->len - orig_len;
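Review bot: `orig_truesize` is declared `int` in `ieee80211_amsdu_aggregate()` but holds `head->truesize` and is subtracted from it at `out_recalc`; declaring it with the type of the field, `unsigned int orig_truesize;`, avoids the mixed signed/unsigned expression in `fq->memory_usage += head->truesize - orig_truesize;`. The variable is also left uninitialized until after the `if (!head) goto out;` check. Whether every jump to `out_recalc` happens after that assignment cannot be seen from these hunks, since most of the function lies outside them. A short comment at the assignment, such as `/* truesize may grow below when head is reallocated or gets fragments */`, would record why the snapshot is taken there.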
diff --git a/patches.fixes/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch b/patches.fixes/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch
new file mode 100644
index 0000000000..24494157bd
--- /dev/null
+++ b/patches.fixes/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch
@@ -0,0 +1,35 @@
+From 40586e3fc400c00c11151804dcdc93f8c831c808 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Wed, 13 Mar 2019 18:54:27 +0100
+Subject: [PATCH] mac80211: fix unaligned access in mesh table hash function
+Git-commit: 40586e3fc400c00c11151804dcdc93f8c831c808
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+The pointer to the last four bytes of the address is not guaranteed to be
+aligned, so we need to use __get_unaligned_cpu32 here
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/mac80211/mesh_pathtbl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
+index 95eb5064fa91..b76a2aefa9ec 100644
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -23,7 +23,7 @@ static void mesh_path_free_rcu(struct mesh_table *tbl, struct mesh_path *mpath);
+ static u32 mesh_table_hash(const void *addr, u32 len, u32 seed)
+ {
+ /* Use last four bytes of hw addr as hash index */
+- return jhash_1word(*(u32 *)(addr+2), seed);
++ return jhash_1word(__get_unaligned_cpu32((u8 *)addr + 2), seed);
+ }
+
+ static const struct rhashtable_params mesh_rht_params = {
+--
+2.16.4
+
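Review bot: The new cast `(u8 *)addr` in `mesh_table_hash()` drops the `const` qualifier of the `const void *addr` parameter; `__get_unaligned_cpu32((const u8 *)addr + 2)` keeps it. The function reads four bytes at offset 2 without looking at `len`, so it presumably relies on every key being a 6-byte hardware address. The existing comment could state that assumption: `/* addr is a 6-byte hw address, possibly unaligned; hash its last four bytes */`.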
diff --git a/patches.fixes/mm-huge_memory-fix-vmf_insert_pfn_-pmd-pud-crash-han.patch b/patches.fixes/mm-huge_memory-fix-vmf_insert_pfn_-pmd-pud-crash-han.patch
new file mode 100644
index 0000000000..4529e50b35
--- /dev/null
+++ b/patches.fixes/mm-huge_memory-fix-vmf_insert_pfn_-pmd-pud-crash-han.patch
@@ -0,0 +1,79 @@
+From fce86ff5802bac3a7b19db171aa1949ef9caac31 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Mon, 13 May 2019 17:15:33 -0700
+Subject: [PATCH] mm/huge_memory: fix vmf_insert_pfn_{pmd, pud}() crash, handle
+ unaligned addresses
+Git-commit: fce86ff5802bac3a7b19db171aa1949ef9caac31
+Patch-mainline: v5.2-rc1
+References: bsc#1135330
+
+Starting with c6f3c5ee40c1 ("mm/huge_memory.c: fix modifying of page
+protection by insert_pfn_pmd()") vmf_insert_pfn_pmd() internally calls
+pmdp_set_access_flags(). That helper enforces a pmd aligned @address
+argument via VM_BUG_ON() assertion.
+
+Update the implementation to take a 'struct vm_fault' argument directly
+and apply the address alignment fixup internally to fix crash signatures
+Like:
+
+ kernel BUG at arch/x86/mm/pgtable.c:515!
+ invalid opcode: 0000 [#1] SMP NOPTI
+ CPU: 51 PID: 43713 Comm: java Tainted: G OE 4.19.35 #1
+ [..]
+ RIP: 0010:pmdp_set_access_flags+0x48/0x50
+ [..]
+ Call Trace:
+ vmf_insert_pfn_pmd+0x198/0x350
+ dax_iomap_fault+0xe82/0x1190
+ ext4_dax_huge_fault+0x103/0x1f0
+ ? __switch_to_asm+0x40/0x70
+ __handle_mm_fault+0x3f6/0x1370
+ ? __switch_to_asm+0x34/0x70
+ ? __switch_to_asm+0x40/0x70
+ handle_mm_fault+0xda/0x200
+ __do_page_fault+0x249/0x4f0
+ do_page_fault+0x32/0x110
+ ? page_fault+0x8/0x30
+ page_fault+0x1e/0x30
+
+Link: http://lkml.kernel.org/r/155741946350.372037.11148198430068238140.stgit@dwillia2-desk3.amr.corp.intel.com
+Fixes: c6f3c5ee40c1 ("mm/huge_memory.c: fix modifying of page protection by insert_pfn_pmd()")
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Reported-by: Piotr Balcer <piotr.balcer@intel.com>
+Tested-by: Yan Ma <yan.ma@intel.com>
+Tested-by: Pankaj Gupta <pagupta@redhat.com>
+Reviewed-by: Matthew Wilcox <willy@infradead.org>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Cc: Chandan Rajendra <chandan@linux.ibm.com>
+Cc: Souptick Joarder <jrdr.linux@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Jan Kara <jack@suse.cz>
+[JK: Removed changes in vmf_insert_pfn_pmd/pud() prototypes to maintain kABI]
+
+---
+ mm/huge_memory.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -780,6 +780,8 @@ int vmf_insert_pfn_pmd(struct vm_area_st
+ {
+ pgprot_t pgprot = vma->vm_page_prot;
+ pgtable_t pgtable = NULL;
++
++ addr &= PMD_MASK;
+ /*
+ * If we had pmd_special, we could avoid all these restrictions,
+ * but we need to be consistent with PTEs and architectures that
+@@ -855,6 +857,8 @@ int vmf_insert_pfn_pud(struct vm_area_st
+ pud_t *pud, pfn_t pfn, bool write)
+ {
+ pgprot_t pgprot = vma->vm_page_prot;
++
++ addr &= PUD_MASK;
+ /*
+ * If we had pud_special, we could avoid all these restrictions,
+ * but we need to be consistent with PTEs and architectures that
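Review bot: The added `addr &= PMD_MASK;` and `addr &= PUD_MASK;` lines have no comment, and the block comment that follows each one is about `pmd_special`/`pud_special`, not alignment. This backport keeps the old prototypes (see the `[JK: ...]` note), so the description's statement that the functions take a `struct vm_fault` does not match the code here. The reason for the masking should therefore sit next to it, for example `/* callers may pass an unaligned fault address; pmdp_set_access_flags() asserts PMD alignment */`. An equivalent line is needed for the PUD case if the same assertion applies there. Both function bodies continue outside the hunks.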
diff --git a/patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch b/patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch
new file mode 100644
index 0000000000..071d84b737
--- /dev/null
+++ b/patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch
@@ -0,0 +1,91 @@
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Tue, 14 May 2019 15:41:38 -0700
+Subject: mm/mincore.c: make mincore() more conservative
+Git-commit: 134fca9063ad4851de767d1768180e5dede9a881
+Patch-mainline: v5.2-rc1
+References: CVE-2019-5489, bsc#1120843
+
+The semantics of what mincore() considers to be resident is not
+completely clear, but Linux has always (since 2.3.52, which is when
+mincore() was initially done) treated it as "page is available in page
+cache".
+
+That's potentially a problem, as that [in]directly exposes
+meta-information about pagecache / memory mapping state even about
+memory not strictly belonging to the process executing the syscall,
+opening possibilities for sidechannel attacks.
+
+Change the semantics of mincore() so that it only reveals pagecache
+information for non-anonymous mappings that belog to files that the
+calling process could (if it tried to) successfully open for writing;
+otherwise we'd be including shared non-exclusive mappings, which
+
+ - is the sidechannel
+
+ - is not the usecase for mincore(), as that's primarily used for data,
+ not (shared) text
+
+[jkosina@suse.cz: v2]
+ Link: http://lkml.kernel.org/r/20190312141708.6652-2-vbabka@suse.cz
+[mhocko@suse.com: restructure can_do_mincore() conditions]
+Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1903062342020.19912@cbobk.fhfr.pm
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: Josh Snyder <joshs@netflix.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Originally-by: Linus Torvalds <torvalds@linux-foundation.org>
+Originally-by: Dominique Martinet <asmadeus@codewreck.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Dave Chinner <david@fromorbit.com>
+Cc: Kevin Easton <kevin@guarana.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Cyril Hrubis <chrubis@suse.cz>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Kirill A. Shutemov <kirill@shutemov.name>
+Cc: Daniel Gruss <daniel@gruss.cc>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ mm/mincore.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/mm/mincore.c
++++ b/mm/mincore.c
+@@ -168,6 +168,22 @@ out:
+ return 0;
+ }
+
++static inline bool can_do_mincore(struct vm_area_struct *vma)
++{
++ if (vma_is_anonymous(vma))
++ return true;
++ if (!vma->vm_file)
++ return false;
++ /*
++ * Reveal pagecache information only for non-anonymous mappings that
++ * correspond to the files the calling process could (if tried) open
++ * for writing; otherwise we'd be including shared non-exclusive
++ * mappings, which opens a side channel.
++ */
++ return inode_owner_or_capable(file_inode(vma->vm_file)) ||
++ inode_permission(file_inode(vma->vm_file), MAY_WRITE) == 0;
++}
++
+ /*
+ * Do a chunk of "sys_mincore()". We've already checked
+ * all the arguments, we hold the mmap semaphore: we should
+@@ -188,8 +204,13 @@ static long do_mincore(unsigned long add
+ vma = find_vma(current->mm, addr);
+ if (!vma || addr < vma->vm_start)
+ return -ENOMEM;
+- mincore_walk.mm = vma->vm_mm;
+ end = min(vma->vm_end, addr + (pages << PAGE_SHIFT));
++ if (!can_do_mincore(vma)) {
++ unsigned long pages = DIV_ROUND_UP(end - addr, PAGE_SIZE);
++ memset(vec, 1, pages);
++ return pages;
++ }
++ mincore_walk.mm = vma->vm_mm;
+ err = walk_page_range(addr, end, &mincore_walk);
+ if (err < 0)
+ return err;
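Review bot: In the `do_mincore()` hunk the new block declares `unsigned long pages`, which shadows the `pages` used one line earlier in `addr + (pages << PAGE_SHIFT)` (presumably the function parameter). Renaming the local removes the ambiguity: `unsigned long nr = DIV_ROUND_UP(end - addr, PAGE_SIZE);` followed by `memset(vec, 1, nr);` and `return nr;`, with a blank line after the declaration. The block also deserves a comment that the denied case deliberately marks every page as resident, e.g. `/* report all pages resident rather than reveal page cache state */`. As written, the reason is given only in `can_do_mincore()`. `do_mincore()` starts and ends outside the hunk.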
diff --git a/patches.fixes/net-smc-check-for-ip-prefix-and-subnet b/patches.fixes/net-smc-check-for-ip-prefix-and-subnet
new file mode 100644
index 0000000000..dcbff65849
--- /dev/null
+++ b/patches.fixes/net-smc-check-for-ip-prefix-and-subnet
@@ -0,0 +1,76 @@
+From: Karsten Graul <kgraul@linux.ibm.com>
+Date: Fri, 12 Apr 2019 12:57:25 +0200
+Subject: net/smc: check for ip prefix and subnet
+Git-commit: 598866974c94eecb842291253780274f96b3d919
+Patch-mainline: v5.2-rc1
+References: bsc#1134607 LTC#177518
+
+The check for a matching ip prefix and subnet was only done for SMC-R
+in smc_listen_rdma_check() but not when an SMC-D connection was
+possible. Rename the function into smc_listen_prfx_check() and move its
+call to a place where it is called for both SMC variants.
+And add a new CLC DECLINE reason for the case when the IP prefix or
+subnet check fails so the reason for the failing SMC connection can be
+found out more easily.
+
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ net/smc/af_smc.c | 12 +++++++++---
+ net/smc/smc_clc.h | 1 +
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1121,7 +1121,7 @@ static void smc_listen_decline(struct sm
+ }
+
+ /* listen worker: check prefixes */
+-static int smc_listen_rdma_check(struct smc_sock *new_smc,
++static int smc_listen_prfx_check(struct smc_sock *new_smc,
+ struct smc_clc_msg_proposal *pclc)
+ {
+ struct smc_clc_msg_proposal_prefix *pclc_prfx;
+@@ -1129,7 +1129,7 @@ static int smc_listen_rdma_check(struct
+
+ pclc_prfx = smc_clc_proposal_get_prefix(pclc);
+ if (smc_clc_prfx_match(newclcsock, pclc_prfx))
+- return SMC_CLC_DECL_CNFERR;
++ return SMC_CLC_DECL_DIFFPREFIX;
+
+ return 0;
+ }
+@@ -1292,6 +1292,13 @@ static void smc_listen_work(struct work_
+ return;
+ }
+
++ /* check for matching IP prefix and subnet length */
++ rc = smc_listen_prfx_check(new_smc, pclc);
++ if (rc) {
++ smc_listen_decline(new_smc, rc, 0);
++ return;
++ }
++
+ mutex_lock(&smc_server_lgr_pending);
+ smc_close_init(new_smc);
+ smc_rx_init(new_smc);
+@@ -1309,7 +1316,6 @@ static void smc_listen_work(struct work_
+ ((pclc->hdr.path != SMC_TYPE_R && pclc->hdr.path != SMC_TYPE_B) ||
+ smc_vlan_by_tcpsk(new_smc->clcsock, &vlan) ||
+ smc_check_rdma(new_smc, &ibdev, &ibport, vlan, NULL) ||
+- smc_listen_rdma_check(new_smc, pclc) ||
+ smc_listen_rdma_init(new_smc, pclc, ibdev, ibport,
+ &local_contact) ||
+ smc_listen_rdma_reg(new_smc, local_contact))) {
+--- a/net/smc/smc_clc.h
++++ b/net/smc/smc_clc.h
+@@ -37,6 +37,7 @@
+ #define SMC_CLC_DECL_MODEUNSUPP 0x03040000 /* smc modes do not match (R or D)*/
+ #define SMC_CLC_DECL_RMBE_EC 0x03050000 /* peer has eyecatcher in RMBE */
+ #define SMC_CLC_DECL_OPTUNSUPP 0x03060000 /* fastopen sockopt not supported */
++#define SMC_CLC_DECL_DIFFPREFIX 0x03070000 /* IP prefix / subnet mismatch */
+ #define SMC_CLC_DECL_SYNCERR 0x04000000 /* synchronization error */
+ #define SMC_CLC_DECL_PEERDECL 0x05000000 /* peer declined during handshake */
+ #define SMC_CLC_DECL_INTERR 0x09990000 /* internal error */
diff --git a/patches.fixes/net-smc-cleanup-of-get-vlan-id b/patches.fixes/net-smc-cleanup-of-get-vlan-id
new file mode 100644
index 0000000000..3795b1f732
--- /dev/null
+++ b/patches.fixes/net-smc-cleanup-of-get-vlan-id
@@ -0,0 +1,74 @@
+From: Karsten Graul <kgraul@linux.ibm.com>
+Date: Fri, 12 Apr 2019 12:57:27 +0200
+Subject: net/smc: cleanup of get vlan id
+Git-commit: fba7e8ef513ce7309d62eb4999b640100b6db06f
+Patch-mainline: v5.2-rc1
+References: bsc#1134607 LTC#177518
+
+The vlan_id of the underlying CLC socket was retrieved two times
+during processing of the listen handshaking. Change this to get the
+vlan id one time in connect and in listen processing, and reuse the id.
+And add a new CLC DECLINE return code for the case when the retrieval
+of the vlan id failed.
+
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ net/smc/af_smc.c | 11 +++++++++--
+ net/smc/smc_clc.h | 1 +
+ net/smc/smc_core.c | 4 ----
+ 3 files changed, 10 insertions(+), 6 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -707,9 +707,10 @@ static int __smc_connect(struct smc_sock
+ if (using_ipsec(smc))
+ return smc_connect_decline_fallback(smc, SMC_CLC_DECL_IPSEC);
+
+- /* check for VLAN ID */
++ /* get vlan id from IP device */
+ if (smc_vlan_by_tcpsk(smc->clcsock, &ini))
+- return smc_connect_decline_fallback(smc, SMC_CLC_DECL_CNFERR);
++ return smc_connect_decline_fallback(smc,
++ SMC_CLC_DECL_GETVLANERR);
+
+ /* check if there is an ism device available */
+ if (!smc_check_ism(smc, &ini) &&
+@@ -1287,6 +1288,12 @@ static void smc_listen_work(struct work_
+ return;
+ }
+
++ /* get vlan id from IP device */
++ if (smc_vlan_by_tcpsk(new_smc->clcsock, &ini)) {
++ smc_listen_decline(new_smc, SMC_CLC_DECL_GETVLANERR, 0);
++ return;
++ }
++
+ mutex_lock(&smc_server_lgr_pending);
+ smc_close_init(new_smc);
+ smc_rx_init(new_smc);
+--- a/net/smc/smc_clc.h
++++ b/net/smc/smc_clc.h
+@@ -38,6 +38,7 @@
+ #define SMC_CLC_DECL_RMBE_EC 0x03050000 /* peer has eyecatcher in RMBE */
+ #define SMC_CLC_DECL_OPTUNSUPP 0x03060000 /* fastopen sockopt not supported */
+ #define SMC_CLC_DECL_DIFFPREFIX 0x03070000 /* IP prefix / subnet mismatch */
++#define SMC_CLC_DECL_GETVLANERR 0x03080000 /* err to get vlan id of ip device*/
+ #define SMC_CLC_DECL_SYNCERR 0x04000000 /* synchronization error */
+ #define SMC_CLC_DECL_PEERDECL 0x05000000 /* peer declined during handshake */
+ #define SMC_CLC_DECL_INTERR 0x09990000 /* internal error */
+--- a/net/smc/smc_core.c
++++ b/net/smc/smc_core.c
+@@ -604,10 +604,6 @@ int smc_conn_create(struct smc_sock *smc
+ int rc = 0;
+
+ role = smc->listen_smc ? SMC_SERV : SMC_CLNT;
+- rc = smc_vlan_by_tcpsk(smc->clcsock, ini);
+- if (rc)
+- return rc;
+-
+ if (role == SMC_CLNT && ini->srv_first_contact)
+ /* create new link group as well */
+ goto create;
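Review bot: The listen path still appears to fetch the vlan id twice after this patch, although the description says it is retrieved once per connect and once per listen. The hunks add a call to `smc_vlan_by_tcpsk(new_smc->clcsock, &ini)` near the top of `smc_listen_work()` and remove the one in `smc_conn_create()`. The RDMA condition in `smc_listen_work()` is not touched, and the context of the following patch (net-smc-code-cleanup-smc_listen_work) still shows `smc_vlan_by_tcpsk(new_smc->clcsock, &ini) ||` there. If the series is applied in commit-date order, that second call is redundant and its failure is reported under a different decline reason than `SMC_CLC_DECL_GETVLANERR`. I would drop it from the condition, or add a comment saying why it stays.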
diff --git a/patches.fixes/net-smc-code-cleanup-smc_listen_work b/patches.fixes/net-smc-code-cleanup-smc_listen_work
new file mode 100644
index 0000000000..64964737df
--- /dev/null
+++ b/patches.fixes/net-smc-code-cleanup-smc_listen_work
@@ -0,0 +1,118 @@
+From: Karsten Graul <kgraul@linux.ibm.com>
+Date: Fri, 12 Apr 2019 12:57:28 +0200
+Subject: net/smc: code cleanup smc_listen_work
+Git-commit: 228bae05be328045e6dfb4d3bf2600e6547c1d13
+Patch-mainline: v5.2-rc1
+References: bsc#1134607 LTC#177518
+
+In smc_listen_work() the variables rc and reason_code are defined which
+have the same meaning. Eliminate reason_code in favor of the shorter
+name rc. No functional changes.
+Rename the functions smc_check_ism() and smc_check_rdma() into
+smc_find_ism_device() and smc_find_rdma_device() to make there purpose
+more clear. No functional changes.
+
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ net/smc/af_smc.c | 29 ++++++++++++++---------------
+ 1 file changed, 14 insertions(+), 15 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -504,7 +504,7 @@ static int smc_connect_abort(struct smc_
+
+ /* check if there is a rdma device available for this connection. */
+ /* called for connect and listen */
+-static int smc_check_rdma(struct smc_sock *smc, struct smc_init_info *ini)
++static int smc_find_rdma_device(struct smc_sock *smc, struct smc_init_info *ini)
+ {
+ /* PNET table look up: search active ib_device and port
+ * within same PNETID that also contains the ethernet device
+@@ -518,7 +518,7 @@ static int smc_check_rdma(struct smc_soc
+
+ /* check if there is an ISM device available for this connection. */
+ /* called for connect and listen */
+-static int smc_check_ism(struct smc_sock *smc, struct smc_init_info *ini)
++static int smc_find_ism_device(struct smc_sock *smc, struct smc_init_info *ini)
+ {
+ /* Find ISM device with same PNETID as connecting interface */
+ smc_pnet_find_ism_resource(smc->clcsock->sk, ini);
+@@ -713,7 +713,7 @@ static int __smc_connect(struct smc_sock
+ SMC_CLC_DECL_GETVLANERR);
+
+ /* check if there is an ism device available */
+- if (!smc_check_ism(smc, &ini) &&
++ if (!smc_find_ism_device(smc, &ini) &&
+ !smc_connect_ism_vlan_setup(smc, &ini)) {
+ /* ISM is supported for this connection */
+ ism_supported = true;
+@@ -721,7 +721,7 @@ static int __smc_connect(struct smc_sock
+ }
+
+ /* check if there is a rdma device available */
+- if (!smc_check_rdma(smc, &ini)) {
++ if (!smc_find_rdma_device(smc, &ini)) {
+ /* RDMA is supported for this connection */
+ rdma_supported = true;
+ if (ism_supported)
+@@ -1245,7 +1245,6 @@ static void smc_listen_work(struct work_
+ bool ism_supported = false;
+ u8 buf[SMC_CLC_MAX_LEN];
+ int local_contact = 0;
+- int reason_code = 0;
+ int rc = 0;
+
+ if (new_smc->listen_smc->sk.sk_state != SMC_LISTEN)
+@@ -1268,10 +1267,10 @@ static void smc_listen_work(struct work_
+ * wait for and receive SMC Proposal CLC message
+ */
+ pclc = (struct smc_clc_msg_proposal *)&buf;
+- reason_code = smc_clc_wait_msg(new_smc, pclc, SMC_CLC_MAX_LEN,
+- SMC_CLC_PROPOSAL, CLC_WAIT_TIME);
+- if (reason_code) {
+- smc_listen_decline(new_smc, reason_code, 0);
++ rc = smc_clc_wait_msg(new_smc, pclc, SMC_CLC_MAX_LEN,
++ SMC_CLC_PROPOSAL, CLC_WAIT_TIME);
++ if (rc) {
++ smc_listen_decline(new_smc, rc, 0);
+ return;
+ }
+
+@@ -1303,7 +1302,7 @@ static void smc_listen_work(struct work_
+ ini.is_smcd = true;
+ /* check if ISM is available */
+ if ((pclc->hdr.path == SMC_TYPE_D || pclc->hdr.path == SMC_TYPE_B) &&
+- !smc_check_ism(new_smc, &ini) &&
++ !smc_find_ism_device(new_smc, &ini) &&
+ !smc_listen_ism_init(new_smc, pclc, &ini, &local_contact)) {
+ ism_supported = true;
+ } else {
+@@ -1317,7 +1316,7 @@ static void smc_listen_work(struct work_
+ if (!ism_supported &&
+ ((pclc->hdr.path != SMC_TYPE_R && pclc->hdr.path != SMC_TYPE_B) ||
+ smc_vlan_by_tcpsk(new_smc->clcsock, &ini) ||
+- smc_check_rdma(new_smc, &ini) ||
++ smc_find_rdma_device(new_smc, &ini) ||
+ smc_listen_rdma_init(new_smc, &ini, &local_contact) ||
+ smc_listen_rdma_reg(new_smc, local_contact))) {
+ /* SMC not supported, decline */
+@@ -1340,12 +1339,12 @@ static void smc_listen_work(struct work_
+ mutex_unlock(&smc_server_lgr_pending);
+
+ /* receive SMC Confirm CLC message */
+- reason_code = smc_clc_wait_msg(new_smc, &cclc, sizeof(cclc),
+- SMC_CLC_CONFIRM, CLC_WAIT_TIME);
+- if (reason_code) {
++ rc = smc_clc_wait_msg(new_smc, &cclc, sizeof(cclc),
++ SMC_CLC_CONFIRM, CLC_WAIT_TIME);
++ if (rc) {
+ if (!ism_supported)
+ mutex_unlock(&smc_server_lgr_pending);
+- smc_listen_decline(new_smc, reason_code, local_contact);
++ smc_listen_decline(new_smc, rc, local_contact);
+ return;
+ }
+
diff --git a/patches.fixes/net-smc-consolidate-function-parameters b/patches.fixes/net-smc-consolidate-function-parameters
new file mode 100644
index 0000000000..2eada918e3
--- /dev/null
+++ b/patches.fixes/net-smc-consolidate-function-parameters
@@ -0,0 +1,750 @@
+From: Karsten Graul <kgraul@linux.ibm.com>
+Date: Fri, 12 Apr 2019 12:57:26 +0200
+Subject: net/smc: consolidate function parameters
+Git-commit: bc36d2fc93eb2eaef3ab7fbe40d9fc1c5e8bf969
+Patch-mainline: v5.2-rc1
+References: bsc#1134607 LTC#177518
+
+During initialization of an SMC socket a lot of function parameters need
+to get passed down the function call path. Consolidate the parameters
+in a helper struct so there are less enough parameters to get all passed
+by register.
+
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ net/smc/af_smc.c | 118 +++++++++++++++++++++++++----------------------------
+ net/smc/smc_clc.c | 10 ++--
+ net/smc/smc_clc.h | 4 -
+ net/smc/smc_core.c | 70 ++++++++++++++-----------------
+ net/smc/smc_core.h | 24 ++++++++--
+ net/smc/smc_pnet.c | 47 +++++++++------------
+ net/smc/smc_pnet.h | 7 +--
+ 7 files changed, 139 insertions(+), 141 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -504,40 +504,34 @@ static int smc_connect_abort(struct smc_
+
+ /* check if there is a rdma device available for this connection. */
+ /* called for connect and listen */
+-static int smc_check_rdma(struct smc_sock *smc, struct smc_ib_device **ibdev,
+- u8 *ibport, unsigned short vlan_id, u8 gid[])
++static int smc_check_rdma(struct smc_sock *smc, struct smc_init_info *ini)
+ {
+- int reason_code = 0;
+-
+ /* PNET table look up: search active ib_device and port
+ * within same PNETID that also contains the ethernet device
+ * used for the internal TCP socket
+ */
+- smc_pnet_find_roce_resource(smc->clcsock->sk, ibdev, ibport, vlan_id,
+- gid);
+- if (!(*ibdev))
+- reason_code = SMC_CLC_DECL_CNFERR; /* configuration error */
+-
+- return reason_code;
++ smc_pnet_find_roce_resource(smc->clcsock->sk, ini);
++ if (!(ini->ib_dev))
++ return SMC_CLC_DECL_CNFERR; /* configuration error */
++ return 0;
+ }
+
+ /* check if there is an ISM device available for this connection. */
+ /* called for connect and listen */
+-static int smc_check_ism(struct smc_sock *smc, struct smcd_dev **ismdev)
++static int smc_check_ism(struct smc_sock *smc, struct smc_init_info *ini)
+ {
+ /* Find ISM device with same PNETID as connecting interface */
+- smc_pnet_find_ism_resource(smc->clcsock->sk, ismdev);
+- if (!(*ismdev))
++ smc_pnet_find_ism_resource(smc->clcsock->sk, ini);
++ if (!ini->ism_dev)
+ return SMC_CLC_DECL_CNFERR; /* configuration error */
+ return 0;
+ }
+
+ /* Check for VLAN ID and register it on ISM device just for CLC handshake */
+ static int smc_connect_ism_vlan_setup(struct smc_sock *smc,
+- struct smcd_dev *ismdev,
+- unsigned short vlan_id)
++ struct smc_init_info *ini)
+ {
+- if (vlan_id && smc_ism_get_vlan(ismdev, vlan_id))
++ if (ini->vlan_id && smc_ism_get_vlan(ini->ism_dev, ini->vlan_id))
+ return SMC_CLC_DECL_CNFERR;
+ return 0;
+ }
+@@ -546,12 +540,11 @@ static int smc_connect_ism_vlan_setup(st
+ * used, the VLAN ID will be registered again during the connection setup.
+ */
+ static int smc_connect_ism_vlan_cleanup(struct smc_sock *smc, bool is_smcd,
+- struct smcd_dev *ismdev,
+- unsigned short vlan_id)
++ struct smc_init_info *ini)
+ {
+ if (!is_smcd)
+ return 0;
+- if (vlan_id && smc_ism_put_vlan(ismdev, vlan_id))
++ if (ini->vlan_id && smc_ism_put_vlan(ini->ism_dev, ini->vlan_id))
+ return SMC_CLC_DECL_CNFERR;
+ return 0;
+ }
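Review bot: smc_connect_ism_vlan_cleanup() still takes a `bool is_smcd` argument alongside an `ini` that now has its own `is_smcd` field, and the two are not the same thing. The callers in __smc_connect() pass `ism_supported`, while smc_connect_rdma() sets `ini->is_smcd = false` even when ISM was found and its VLAN registered for the handshake. A comment on the parameter would prevent a later "simplification" to `ini->is_smcd`, e.g. `/* is_smcd: an ISM VLAN was registered for the CLC handshake; not the same as ini->is_smcd */`. Renaming the parameter would also work, but that goes beyond this refactoring.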
+@@ -559,13 +552,12 @@ static int smc_connect_ism_vlan_cleanup(
+ /* CLC handshake during connect */
+ static int smc_connect_clc(struct smc_sock *smc, int smc_type,
+ struct smc_clc_msg_accept_confirm *aclc,
+- struct smc_ib_device *ibdev, u8 ibport,
+- u8 gid[], struct smcd_dev *ismdev)
++ struct smc_init_info *ini)
+ {
+ int rc = 0;
+
+ /* do inband token exchange */
+- rc = smc_clc_send_proposal(smc, smc_type, ibdev, ibport, gid, ismdev);
++ rc = smc_clc_send_proposal(smc, smc_type, ini);
+ if (rc)
+ return rc;
+ /* receive SMC Accept CLC message */
+@@ -576,16 +568,19 @@ static int smc_connect_clc(struct smc_so
+ /* setup for RDMA connection of client */
+ static int smc_connect_rdma(struct smc_sock *smc,
+ struct smc_clc_msg_accept_confirm *aclc,
+- struct smc_ib_device *ibdev, u8 ibport)
++ struct smc_init_info *ini)
+ {
+ int local_contact = SMC_FIRST_CONTACT;
+ struct smc_link *link;
+ int reason_code = 0;
+
++ ini->is_smcd = false;
++ ini->ib_lcl = &aclc->lcl;
++ ini->ib_clcqpn = ntoh24(aclc->qpn);
++ ini->srv_first_contact = aclc->hdr.flag;
++
+ mutex_lock(&smc_client_lgr_pending);
+- local_contact = smc_conn_create(smc, false, aclc->hdr.flag, ibdev,
+- ibport, ntoh24(aclc->qpn), &aclc->lcl,
+- NULL, 0);
++ local_contact = smc_conn_create(smc, ini);
+ if (local_contact < 0) {
+ if (local_contact == -ENOMEM)
+ reason_code = SMC_CLC_DECL_MEM;/* insufficient memory*/
+@@ -651,15 +646,18 @@ static int smc_connect_rdma(struct smc_s
+ /* setup for ISM connection of client */
+ static int smc_connect_ism(struct smc_sock *smc,
+ struct smc_clc_msg_accept_confirm *aclc,
+- struct smcd_dev *ismdev)
++ struct smc_init_info *ini)
+ {
+ int local_contact = SMC_FIRST_CONTACT;
+ int rc = 0;
+
++ ini->is_smcd = true;
++ ini->ism_gid = aclc->gid;
++ ini->srv_first_contact = aclc->hdr.flag;
++
+ /* there is only one lgr role for SMC-D; use server lock */
+ mutex_lock(&smc_server_lgr_pending);
+- local_contact = smc_conn_create(smc, true, aclc->hdr.flag, NULL, 0, 0,
+- NULL, ismdev, aclc->gid);
++ local_contact = smc_conn_create(smc, ini);
+ if (local_contact < 0) {
+ mutex_unlock(&smc_server_lgr_pending);
+ return SMC_CLC_DECL_MEM;
+@@ -692,13 +690,9 @@ static int __smc_connect(struct smc_sock
+ {
+ bool ism_supported = false, rdma_supported = false;
+ struct smc_clc_msg_accept_confirm aclc;
+- struct smc_ib_device *ibdev;
+- struct smcd_dev *ismdev;
+- u8 gid[SMC_GID_SIZE];
+- unsigned short vlan;
++ struct smc_init_info ini = {0};
+ int smc_type;
+ int rc = 0;
+- u8 ibport;
+
+ sock_hold(&smc->sk); /* sock put in passive closing */
+
+@@ -714,19 +708,19 @@ static int __smc_connect(struct smc_sock
+ return smc_connect_decline_fallback(smc, SMC_CLC_DECL_IPSEC);
+
+ /* check for VLAN ID */
+- if (smc_vlan_by_tcpsk(smc->clcsock, &vlan))
++ if (smc_vlan_by_tcpsk(smc->clcsock, &ini))
+ return smc_connect_decline_fallback(smc, SMC_CLC_DECL_CNFERR);
+
+ /* check if there is an ism device available */
+- if (!smc_check_ism(smc, &ismdev) &&
+- !smc_connect_ism_vlan_setup(smc, ismdev, vlan)) {
++ if (!smc_check_ism(smc, &ini) &&
++ !smc_connect_ism_vlan_setup(smc, &ini)) {
+ /* ISM is supported for this connection */
+ ism_supported = true;
+ smc_type = SMC_TYPE_D;
+ }
+
+ /* check if there is a rdma device available */
+- if (!smc_check_rdma(smc, &ibdev, &ibport, vlan, gid)) {
++ if (!smc_check_rdma(smc, &ini)) {
+ /* RDMA is supported for this connection */
+ rdma_supported = true;
+ if (ism_supported)
+@@ -740,25 +734,25 @@ static int __smc_connect(struct smc_sock
+ return smc_connect_decline_fallback(smc, SMC_CLC_DECL_NOSMCDEV);
+
+ /* perform CLC handshake */
+- rc = smc_connect_clc(smc, smc_type, &aclc, ibdev, ibport, gid, ismdev);
++ rc = smc_connect_clc(smc, smc_type, &aclc, &ini);
+ if (rc) {
+- smc_connect_ism_vlan_cleanup(smc, ism_supported, ismdev, vlan);
++ smc_connect_ism_vlan_cleanup(smc, ism_supported, &ini);
+ return smc_connect_decline_fallback(smc, rc);
+ }
+
+ /* depending on previous steps, connect using rdma or ism */
+ if (rdma_supported && aclc.hdr.path == SMC_TYPE_R)
+- rc = smc_connect_rdma(smc, &aclc, ibdev, ibport);
++ rc = smc_connect_rdma(smc, &aclc, &ini);
+ else if (ism_supported && aclc.hdr.path == SMC_TYPE_D)
+- rc = smc_connect_ism(smc, &aclc, ismdev);
++ rc = smc_connect_ism(smc, &aclc, &ini);
+ else
+ rc = SMC_CLC_DECL_MODEUNSUPP;
+ if (rc) {
+- smc_connect_ism_vlan_cleanup(smc, ism_supported, ismdev, vlan);
++ smc_connect_ism_vlan_cleanup(smc, ism_supported, &ini);
+ return smc_connect_decline_fallback(smc, rc);
+ }
+
+- smc_connect_ism_vlan_cleanup(smc, ism_supported, ismdev, vlan);
++ smc_connect_ism_vlan_cleanup(smc, ism_supported, &ini);
+ return 0;
+ }
+
+@@ -1136,13 +1130,10 @@ static int smc_listen_prfx_check(struct
+
+ /* listen worker: initialize connection and buffers */
+ static int smc_listen_rdma_init(struct smc_sock *new_smc,
+- struct smc_clc_msg_proposal *pclc,
+- struct smc_ib_device *ibdev, u8 ibport,
+- int *local_contact)
++ struct smc_init_info *ini, int *local_contact)
+ {
+ /* allocate connection / link group */
+- *local_contact = smc_conn_create(new_smc, false, 0, ibdev, ibport, 0,
+- &pclc->lcl, NULL, 0);
++ *local_contact = smc_conn_create(new_smc, ini);
+ if (*local_contact < 0) {
+ if (*local_contact == -ENOMEM)
+ return SMC_CLC_DECL_MEM;/* insufficient memory*/
+@@ -1159,14 +1150,14 @@ static int smc_listen_rdma_init(struct s
+ /* listen worker: initialize connection and buffers for SMC-D */
+ static int smc_listen_ism_init(struct smc_sock *new_smc,
+ struct smc_clc_msg_proposal *pclc,
+- struct smcd_dev *ismdev,
++ struct smc_init_info *ini,
+ int *local_contact)
+ {
+ struct smc_clc_msg_smcd *pclc_smcd;
+
+ pclc_smcd = smc_get_clc_msg_smcd(pclc);
+- *local_contact = smc_conn_create(new_smc, true, 0, NULL, 0, 0, NULL,
+- ismdev, pclc_smcd->gid);
++ ini->ism_gid = pclc_smcd->gid;
++ *local_contact = smc_conn_create(new_smc, ini);
+ if (*local_contact < 0) {
+ if (*local_contact == -ENOMEM)
+ return SMC_CLC_DECL_MEM;/* insufficient memory*/
+@@ -1249,15 +1240,12 @@ static void smc_listen_work(struct work_
+ struct socket *newclcsock = new_smc->clcsock;
+ struct smc_clc_msg_accept_confirm cclc;
+ struct smc_clc_msg_proposal *pclc;
+- struct smc_ib_device *ibdev;
++ struct smc_init_info ini = {0};
+ bool ism_supported = false;
+- struct smcd_dev *ismdev;
+ u8 buf[SMC_CLC_MAX_LEN];
+ int local_contact = 0;
+- unsigned short vlan;
+ int reason_code = 0;
+ int rc = 0;
+- u8 ibport;
+
+ if (new_smc->listen_smc->sk.sk_state != SMC_LISTEN)
+ return smc_listen_out_err(new_smc);
+@@ -1304,20 +1292,26 @@ static void smc_listen_work(struct work_
+ smc_rx_init(new_smc);
+ smc_tx_init(new_smc);
+
++ /* prepare ISM check */
++ ini.is_smcd = true;
+ /* check if ISM is available */
+ if ((pclc->hdr.path == SMC_TYPE_D || pclc->hdr.path == SMC_TYPE_B) &&
+- !smc_check_ism(new_smc, &ismdev) &&
+- !smc_listen_ism_init(new_smc, pclc, ismdev, &local_contact)) {
++ !smc_check_ism(new_smc, &ini) &&
++ !smc_listen_ism_init(new_smc, pclc, &ini, &local_contact)) {
+ ism_supported = true;
++ } else {
++ /* prepare RDMA check */
++ memset(&ini, 0, sizeof(ini));
++ ini.is_smcd = false;
++ ini.ib_lcl = &pclc->lcl;
+ }
+
+ /* check if RDMA is available */
+ if (!ism_supported &&
+ ((pclc->hdr.path != SMC_TYPE_R && pclc->hdr.path != SMC_TYPE_B) ||
+- smc_vlan_by_tcpsk(new_smc->clcsock, &vlan) ||
+- smc_check_rdma(new_smc, &ibdev, &ibport, vlan, NULL) ||
+- smc_listen_rdma_init(new_smc, pclc, ibdev, ibport,
+- &local_contact) ||
++ smc_vlan_by_tcpsk(new_smc->clcsock, &ini) ||
++ smc_check_rdma(new_smc, &ini) ||
++ smc_listen_rdma_init(new_smc, &ini, &local_contact) ||
+ smc_listen_rdma_reg(new_smc, local_contact))) {
+ /* SMC not supported, decline */
+ mutex_unlock(&smc_server_lgr_pending);
+--- a/net/smc/smc_clc.c
++++ b/net/smc/smc_clc.c
+@@ -385,8 +385,7 @@ int smc_clc_send_decline(struct smc_sock
+
+ /* send CLC PROPOSAL message across internal TCP socket */
+ int smc_clc_send_proposal(struct smc_sock *smc, int smc_type,
+- struct smc_ib_device *ibdev, u8 ibport, u8 gid[],
+- struct smcd_dev *ismdev)
++ struct smc_init_info *ini)
+ {
+ struct smc_clc_ipv6_prefix ipv6_prfx[SMC_CLC_MAX_V6_PREFIX];
+ struct smc_clc_msg_proposal_prefix pclc_prfx;
+@@ -416,8 +415,9 @@ int smc_clc_send_proposal(struct smc_soc
+ /* add SMC-R specifics */
+ memcpy(pclc.lcl.id_for_peer, local_systemid,
+ sizeof(local_systemid));
+- memcpy(&pclc.lcl.gid, gid, SMC_GID_SIZE);
+- memcpy(&pclc.lcl.mac, &ibdev->mac[ibport - 1], ETH_ALEN);
++ memcpy(&pclc.lcl.gid, ini->ib_gid, SMC_GID_SIZE);
++ memcpy(&pclc.lcl.mac, &ini->ib_dev->mac[ini->ib_port - 1],
++ ETH_ALEN);
+ pclc.iparea_offset = htons(0);
+ }
+ if (smc_type == SMC_TYPE_D || smc_type == SMC_TYPE_B) {
+@@ -425,7 +425,7 @@ int smc_clc_send_proposal(struct smc_soc
+ memset(&pclc_smcd, 0, sizeof(pclc_smcd));
+ plen += sizeof(pclc_smcd);
+ pclc.iparea_offset = htons(SMC_CLC_PROPOSAL_MAX_OFFSET);
+- pclc_smcd.gid = ismdev->local_gid;
++ pclc_smcd.gid = ini->ism_dev->local_gid;
+ }
+ pclc.hdr.length = htons(plen);
+
+--- a/net/smc/smc_clc.h
++++ b/net/smc/smc_clc.h
+@@ -179,6 +179,7 @@ smc_get_clc_msg_smcd(struct smc_clc_msg_
+ }
+
+ struct smcd_dev;
++struct smc_init_info;
+
+ int smc_clc_prfx_match(struct socket *clcsock,
+ struct smc_clc_msg_proposal_prefix *prop);
+@@ -186,8 +187,7 @@ int smc_clc_wait_msg(struct smc_sock *sm
+ u8 expected_type, unsigned long timeout);
+ int smc_clc_send_decline(struct smc_sock *smc, u32 peer_diag_info);
+ int smc_clc_send_proposal(struct smc_sock *smc, int smc_type,
+- struct smc_ib_device *smcibdev, u8 ibport, u8 gid[],
+- struct smcd_dev *ismdev);
++ struct smc_init_info *ini);
+ int smc_clc_send_confirm(struct smc_sock *smc);
+ int smc_clc_send_accept(struct smc_sock *smc, int srv_first_contact);
+
+--- a/net/smc/smc_core.c
++++ b/net/smc/smc_core.c
+@@ -194,10 +194,7 @@ static void smc_lgr_free_work(struct wor
+ }
+
+ /* create a new SMC link group */
+-static int smc_lgr_create(struct smc_sock *smc, bool is_smcd,
+- struct smc_ib_device *smcibdev, u8 ibport,
+- char *peer_systemid, unsigned short vlan_id,
+- struct smcd_dev *smcismdev, u64 peer_gid)
++static int smc_lgr_create(struct smc_sock *smc, struct smc_init_info *ini)
+ {
+ struct smc_link_group *lgr;
+ struct smc_link *lnk;
+@@ -205,8 +202,8 @@ static int smc_lgr_create(struct smc_soc
+ int rc = 0;
+ int i;
+
+- if (is_smcd && vlan_id) {
+- rc = smc_ism_get_vlan(smcismdev, vlan_id);
++ if (ini->is_smcd && ini->vlan_id) {
++ rc = smc_ism_get_vlan(ini->ism_dev, ini->vlan_id);
+ if (rc)
+ goto out;
+ }
+@@ -216,9 +213,9 @@ static int smc_lgr_create(struct smc_soc
+ rc = -ENOMEM;
+ goto out;
+ }
+- lgr->is_smcd = is_smcd;
++ lgr->is_smcd = ini->is_smcd;
+ lgr->sync_err = 0;
+- lgr->vlan_id = vlan_id;
++ lgr->vlan_id = ini->vlan_id;
+ rwlock_init(&lgr->sndbufs_lock);
+ rwlock_init(&lgr->rmbs_lock);
+ rwlock_init(&lgr->conns_lock);
+@@ -231,29 +228,32 @@ static int smc_lgr_create(struct smc_soc
+ INIT_DELAYED_WORK(&lgr->free_work, smc_lgr_free_work);
+ lgr->conns_all = RB_ROOT;
+
+- if (is_smcd) {
++ if (ini->is_smcd) {
+ /* SMC-D specific settings */
+- lgr->peer_gid = peer_gid;
+- lgr->smcd = smcismdev;
++ lgr->peer_gid = ini->ism_gid;
++ lgr->smcd = ini->ism_dev;
+ } else {
+ /* SMC-R specific settings */
+ lgr->role = smc->listen_smc ? SMC_SERV : SMC_CLNT;
+- memcpy(lgr->peer_systemid, peer_systemid, SMC_SYSTEMID_LEN);
++ memcpy(lgr->peer_systemid, ini->ib_lcl->id_for_peer,
++ SMC_SYSTEMID_LEN);
+
+ lnk = &lgr->lnk[SMC_SINGLE_LINK];
+ /* initialize link */
+ lnk->state = SMC_LNK_ACTIVATING;
+ lnk->link_id = SMC_SINGLE_LINK;
+- lnk->smcibdev = smcibdev;
+- lnk->ibport = ibport;
+- lnk->path_mtu = smcibdev->pattr[ibport - 1].active_mtu;
+- if (!smcibdev->initialized)
+- smc_ib_setup_per_ibdev(smcibdev);
++ lnk->smcibdev = ini->ib_dev;
++ lnk->ibport = ini->ib_port;
++ lnk->path_mtu =
++ ini->ib_dev->pattr[ini->ib_port - 1].active_mtu;
++ if (!ini->ib_dev->initialized)
++ smc_ib_setup_per_ibdev(ini->ib_dev);
+ get_random_bytes(rndvec, sizeof(rndvec));
+ lnk->psn_initial = rndvec[0] + (rndvec[1] << 8) +
+ (rndvec[2] << 16);
+ rc = smc_ib_determine_gid(lnk->smcibdev, lnk->ibport,
+- vlan_id, lnk->gid, &lnk->sgid_index);
++ ini->vlan_id, lnk->gid,
++ &lnk->sgid_index);
+ if (rc)
+ goto free_lgr;
+ rc = smc_llc_link_init(lnk);
+@@ -529,13 +529,13 @@ void smc_smcd_terminate(struct smcd_dev
+ /* Determine vlan of internal TCP socket.
+ * @vlan_id: address to store the determined vlan id into
+ */
+-int smc_vlan_by_tcpsk(struct socket *clcsock, unsigned short *vlan_id)
++int smc_vlan_by_tcpsk(struct socket *clcsock, struct smc_init_info *ini)
+ {
+ struct dst_entry *dst = sk_dst_get(clcsock->sk);
+ struct net_device *ndev;
+ int i, nest_lvl, rc = 0;
+
+- *vlan_id = 0;
++ ini->vlan_id = 0;
+ if (!dst) {
+ rc = -ENOTCONN;
+ goto out;
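Review bot: The kernel-doc line `@vlan_id: address to store the determined vlan id into` above smc_vlan_by_tcpsk() is left stale by this hunk, because the function no longer has a `vlan_id` parameter and writes the result to `ini->vlan_id`. I would replace it with `@ini: init info; the determined vlan id is stored in ini->vlan_id (0 if none found)`. The 0 default follows from the `ini->vlan_id = 0;` assignment at the top of the body. The rest of the function body lies outside this hunk.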
+@@ -547,7 +547,7 @@ int smc_vlan_by_tcpsk(struct socket *clc
+
+ ndev = dst->dev;
+ if (is_vlan_dev(ndev)) {
+- *vlan_id = vlan_dev_vlan_id(ndev);
++ ini->vlan_id = vlan_dev_vlan_id(ndev);
+ goto out_rel;
+ }
+
+@@ -561,7 +561,7 @@ int smc_vlan_by_tcpsk(struct socket *clc
+ lower = lower->next;
+ ndev = (struct net_device *)netdev_lower_get_next(ndev, &lower);
+ if (is_vlan_dev(ndev)) {
+- *vlan_id = vlan_dev_vlan_id(ndev);
++ ini->vlan_id = vlan_dev_vlan_id(ndev);
+ break;
+ }
+ }
+@@ -595,24 +595,20 @@ static bool smcd_lgr_match(struct smc_li
+ }
+
+ /* create a new SMC connection (and a new link group if necessary) */
+-int smc_conn_create(struct smc_sock *smc, bool is_smcd, int srv_first_contact,
+- struct smc_ib_device *smcibdev, u8 ibport, u32 clcqpn,
+- struct smc_clc_msg_local *lcl, struct smcd_dev *smcd,
+- u64 peer_gid)
++int smc_conn_create(struct smc_sock *smc, struct smc_init_info *ini)
+ {
+ struct smc_connection *conn = &smc->conn;
+ int local_contact = SMC_FIRST_CONTACT;
+ struct smc_link_group *lgr;
+- unsigned short vlan_id;
+ enum smc_lgr_role role;
+ int rc = 0;
+
+ role = smc->listen_smc ? SMC_SERV : SMC_CLNT;
+- rc = smc_vlan_by_tcpsk(smc->clcsock, &vlan_id);
++ rc = smc_vlan_by_tcpsk(smc->clcsock, ini);
+ if (rc)
+ return rc;
+
+- if ((role == SMC_CLNT) && srv_first_contact)
++ if (role == SMC_CLNT && ini->srv_first_contact)
+ /* create new link group as well */
+ goto create;
+
+@@ -620,10 +616,11 @@ int smc_conn_create(struct smc_sock *smc
+ spin_lock_bh(&smc_lgr_list.lock);
+ list_for_each_entry(lgr, &smc_lgr_list.list, list) {
+ write_lock_bh(&lgr->conns_lock);
+- if ((is_smcd ? smcd_lgr_match(lgr, smcd, peer_gid) :
+- smcr_lgr_match(lgr, lcl, role, clcqpn)) &&
++ if ((ini->is_smcd ?
++ smcd_lgr_match(lgr, ini->ism_dev, ini->ism_gid) :
++ smcr_lgr_match(lgr, ini->ib_lcl, role, ini->ib_clcqpn)) &&
+ !lgr->sync_err &&
+- lgr->vlan_id == vlan_id &&
++ lgr->vlan_id == ini->vlan_id &&
+ (role == SMC_CLNT ||
+ lgr->conns_num < SMC_RMBS_PER_LGR_MAX)) {
+ /* link group found */
+@@ -639,8 +636,8 @@ int smc_conn_create(struct smc_sock *smc
+ }
+ spin_unlock_bh(&smc_lgr_list.lock);
+
+- if (role == SMC_CLNT && !srv_first_contact &&
+- (local_contact == SMC_FIRST_CONTACT)) {
++ if (role == SMC_CLNT && !ini->srv_first_contact &&
++ local_contact == SMC_FIRST_CONTACT) {
+ /* Server reuses a link group, but Client wants to start
+ * a new one
+ * send out_of_sync decline, reason synchr. error
+@@ -650,8 +647,7 @@ int smc_conn_create(struct smc_sock *smc
+
+ create:
+ if (local_contact == SMC_FIRST_CONTACT) {
+- rc = smc_lgr_create(smc, is_smcd, smcibdev, ibport,
+- lcl->id_for_peer, vlan_id, smcd, peer_gid);
++ rc = smc_lgr_create(smc, ini);
+ if (rc)
+ goto out;
+ smc_lgr_register_conn(conn); /* add smc conn to lgr */
+@@ -659,7 +655,7 @@ create:
+ conn->local_tx_ctrl.common.type = SMC_CDC_MSG_TYPE;
+ conn->local_tx_ctrl.len = SMC_WR_TX_SIZE;
+ conn->urg_state = SMC_URG_READ;
+- if (is_smcd) {
++ if (ini->is_smcd) {
+ conn->rx_off = sizeof(struct smcd_cdc_msg);
+ smcd_cdc_rx_init(conn); /* init tasklet for this conn */
+ }
+--- a/net/smc/smc_core.h
++++ b/net/smc/smc_core.h
+@@ -228,6 +228,23 @@ struct smc_link_group {
+ };
+ };
+
++struct smc_clc_msg_local;
++
++struct smc_init_info {
++ u8 is_smcd;
++ unsigned short vlan_id;
++ int srv_first_contact;
++ /* SMC-R */
++ struct smc_clc_msg_local *ib_lcl;
++ struct smc_ib_device *ib_dev;
++ u8 ib_gid[SMC_GID_SIZE];
++ u8 ib_port;
++ u32 ib_clcqpn;
++ /* SMC-D */
++ u64 ism_gid;
++ struct smcd_dev *ism_dev;
++};
++
+ /* Find the connection associated with the given alert token in the link group.
+ * To use rbtrees we have to implement our own search core.
+ * Requires @conns_lock
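Review bot: struct smc_init_info is added without any comment on which fields callers fill in, which ones the lookup helpers write, and how long `ib_lcl` has to stay valid. In this patch `ib_lcl` is set to `&aclc->lcl` and `&pclc->lcl`, both inside a CLC message owned by the caller, so a note such as `/* ib_lcl borrows the caller's CLC message; valid only during connection setup */` would make the lifetime explicit. It would also help to state that `ib_port` is 1-based with 0 meaning "no device found", since smc_pnet_find_roce_resource() resets it to 0 and both smc_clc_send_proposal() and smc_lgr_create() index with `ini->ib_port - 1`. As a style point, `is_smcd` is only ever assigned `true`/`false`, so `bool is_smcd;` would match its use better than `u8`.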
+@@ -280,13 +297,10 @@ void smc_sndbuf_sync_sg_for_cpu(struct s
+ void smc_sndbuf_sync_sg_for_device(struct smc_connection *conn);
+ void smc_rmb_sync_sg_for_cpu(struct smc_connection *conn);
+ void smc_rmb_sync_sg_for_device(struct smc_connection *conn);
+-int smc_vlan_by_tcpsk(struct socket *clcsock, unsigned short *vlan_id);
++int smc_vlan_by_tcpsk(struct socket *clcsock, struct smc_init_info *ini);
+
+ void smc_conn_free(struct smc_connection *conn);
+-int smc_conn_create(struct smc_sock *smc, bool is_smcd, int srv_first_contact,
+- struct smc_ib_device *smcibdev, u8 ibport, u32 clcqpn,
+- struct smc_clc_msg_local *lcl, struct smcd_dev *smcd,
+- u64 peer_gid);
++int smc_conn_create(struct smc_sock *smc, struct smc_init_info *ini);
+ void smcd_conn_free(struct smc_connection *conn);
+ void smc_lgr_schedule_free_work_fast(struct smc_link_group *lgr);
+ void smc_core_exit(void);
+--- a/net/smc/smc_pnet.c
++++ b/net/smc/smc_pnet.c
+@@ -25,6 +25,7 @@
+ #include "smc_pnet.h"
+ #include "smc_ib.h"
+ #include "smc_ism.h"
++#include "smc_core.h"
+
+ #define SMC_ASCII_BLANK 32
+
+@@ -758,8 +759,7 @@ static int smc_pnet_find_ndev_pnetid_by_
+ * IB device and port
+ */
+ static void smc_pnet_find_rdma_dev(struct net_device *netdev,
+- struct smc_ib_device **smcibdev,
+- u8 *ibport, unsigned short vlan_id, u8 gid[])
++ struct smc_init_info *ini)
+ {
+ struct smc_ib_device *ibdev;
+
+@@ -779,10 +779,10 @@ static void smc_pnet_find_rdma_dev(struc
+ dev_put(ndev);
+ if (netdev == ndev &&
+ smc_ib_port_active(ibdev, i) &&
+- !smc_ib_determine_gid(ibdev, i, vlan_id, gid,
+- NULL)) {
+- *smcibdev = ibdev;
+- *ibport = i;
++ !smc_ib_determine_gid(ibdev, i, ini->vlan_id,
++ ini->ib_gid, NULL)) {
++ ini->ib_dev = ibdev;
++ ini->ib_port = i;
+ break;
+ }
+ }
+@@ -797,9 +797,7 @@ static void smc_pnet_find_rdma_dev(struc
+ * If nothing found, try to use handshake device
+ */
+ static void smc_pnet_find_roce_by_pnetid(struct net_device *ndev,
+- struct smc_ib_device **smcibdev,
+- u8 *ibport, unsigned short vlan_id,
+- u8 gid[])
++ struct smc_init_info *ini)
+ {
+ u8 ndev_pnetid[SMC_MAX_PNETID_LEN];
+ struct smc_ib_device *ibdev;
+@@ -809,7 +807,7 @@ static void smc_pnet_find_roce_by_pnetid
+ if (smc_pnetid_by_dev_port(ndev->dev.parent, ndev->dev_port,
+ ndev_pnetid) &&
+ smc_pnet_find_ndev_pnetid_by_table(ndev, ndev_pnetid)) {
+- smc_pnet_find_rdma_dev(ndev, smcibdev, ibport, vlan_id, gid);
++ smc_pnet_find_rdma_dev(ndev, ini);
+ return; /* pnetid could not be determined */
+ }
+
+@@ -820,10 +818,10 @@ static void smc_pnet_find_roce_by_pnetid
+ continue;
+ if (smc_pnet_match(ibdev->pnetid[i - 1], ndev_pnetid) &&
+ smc_ib_port_active(ibdev, i) &&
+- !smc_ib_determine_gid(ibdev, i, vlan_id, gid,
+- NULL)) {
+- *smcibdev = ibdev;
+- *ibport = i;
++ !smc_ib_determine_gid(ibdev, i, ini->vlan_id,
++ ini->ib_gid, NULL)) {
++ ini->ib_dev = ibdev;
++ ini->ib_port = i;
+ goto out;
+ }
+ }
+@@ -833,7 +831,7 @@ out:
+ }
+
+ static void smc_pnet_find_ism_by_pnetid(struct net_device *ndev,
+- struct smcd_dev **smcismdev)
++ struct smc_init_info *ini)
+ {
+ u8 ndev_pnetid[SMC_MAX_PNETID_LEN];
+ struct smcd_dev *ismdev;
+@@ -847,7 +845,7 @@ static void smc_pnet_find_ism_by_pnetid(
+ spin_lock(&smcd_dev_list.lock);
+ list_for_each_entry(ismdev, &smcd_dev_list.list, list) {
+ if (smc_pnet_match(ismdev->pnetid, ndev_pnetid)) {
+- *smcismdev = ismdev;
++ ini->ism_dev = ismdev;
+ break;
+ }
+ }
+@@ -858,21 +856,18 @@ static void smc_pnet_find_ism_by_pnetid(
+ * determine ib_device and port belonging to used internal TCP socket
+ * ethernet interface.
+ */
+-void smc_pnet_find_roce_resource(struct sock *sk,
+- struct smc_ib_device **smcibdev, u8 *ibport,
+- unsigned short vlan_id, u8 gid[])
++void smc_pnet_find_roce_resource(struct sock *sk, struct smc_init_info *ini)
+ {
+ struct dst_entry *dst = sk_dst_get(sk);
+
+- *smcibdev = NULL;
+- *ibport = 0;
+-
++ ini->ib_dev = NULL;
++ ini->ib_port = 0;
+ if (!dst)
+ goto out;
+ if (!dst->dev)
+ goto out_rel;
+
+- smc_pnet_find_roce_by_pnetid(dst->dev, smcibdev, ibport, vlan_id, gid);
++ smc_pnet_find_roce_by_pnetid(dst->dev, ini);
+
+ out_rel:
+ dst_release(dst);
+@@ -880,17 +875,17 @@ out:
+ return;
+ }
+
+-void smc_pnet_find_ism_resource(struct sock *sk, struct smcd_dev **smcismdev)
++void smc_pnet_find_ism_resource(struct sock *sk, struct smc_init_info *ini)
+ {
+ struct dst_entry *dst = sk_dst_get(sk);
+
+- *smcismdev = NULL;
++ ini->ism_dev = NULL;
+ if (!dst)
+ goto out;
+ if (!dst->dev)
+ goto out_rel;
+
+- smc_pnet_find_ism_by_pnetid(dst->dev, smcismdev);
++ smc_pnet_find_ism_by_pnetid(dst->dev, ini);
+
+ out_rel:
+ dst_release(dst);
+--- a/net/smc/smc_pnet.h
++++ b/net/smc/smc_pnet.h
+@@ -17,6 +17,7 @@
+
+ struct smc_ib_device;
+ struct smcd_dev;
++struct smc_init_info;
+
+ /**
+ * struct smc_pnettable - SMC PNET table anchor
+@@ -42,9 +43,7 @@ int smc_pnet_init(void) __init;
+ int smc_pnet_net_init(struct net *net);
+ void smc_pnet_exit(void);
+ void smc_pnet_net_exit(struct net *net);
+-void smc_pnet_find_roce_resource(struct sock *sk,
+- struct smc_ib_device **smcibdev, u8 *ibport,
+- unsigned short vlan_id, u8 gid[]);
+-void smc_pnet_find_ism_resource(struct sock *sk, struct smcd_dev **smcismdev);
++void smc_pnet_find_roce_resource(struct sock *sk, struct smc_init_info *ini);
++void smc_pnet_find_ism_resource(struct sock *sk, struct smc_init_info *ini);
+
+ #endif
diff --git a/patches.fixes/net-smc-fallback-to-tcp-after-connect-problems b/patches.fixes/net-smc-fallback-to-tcp-after-connect-problems
new file mode 100644
index 0000000000..ab41114849
--- /dev/null
+++ b/patches.fixes/net-smc-fallback-to-tcp-after-connect-problems
@@ -0,0 +1,36 @@
+From: Karsten Graul <kgraul@linux.ibm.com>
+Date: Fri, 12 Apr 2019 12:57:24 +0200
+Subject: net/smc: fallback to TCP after connect problems
+Git-commit: 4ada81fddfbbda360bb692aa469d472ebb06b37d
+Patch-mainline: v5.2-rc1
+References: bsc#1134607 LTC#177518
+
+Correct the CLC decline reason codes for internal problems to not have
+the sign bit set, negative reason codes are interpreted as not eligible
+for TCP fallback.
+
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ net/smc/smc_clc.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/smc/smc_clc.h
++++ b/net/smc/smc_clc.h
+@@ -39,10 +39,10 @@
+ #define SMC_CLC_DECL_OPTUNSUPP 0x03060000 /* fastopen sockopt not supported */
+ #define SMC_CLC_DECL_SYNCERR 0x04000000 /* synchronization error */
+ #define SMC_CLC_DECL_PEERDECL 0x05000000 /* peer declined during handshake */
+-#define SMC_CLC_DECL_INTERR 0x99990000 /* internal error */
+-#define SMC_CLC_DECL_ERR_RTOK 0x99990001 /* rtoken handling failed */
+-#define SMC_CLC_DECL_ERR_RDYLNK 0x99990002 /* ib ready link failed */
+-#define SMC_CLC_DECL_ERR_REGRMB 0x99990003 /* reg rmb failed */
++#define SMC_CLC_DECL_INTERR 0x09990000 /* internal error */
++#define SMC_CLC_DECL_ERR_RTOK 0x09990001 /* rtoken handling failed */
++#define SMC_CLC_DECL_ERR_RDYLNK 0x09990002 /* ib ready link failed */
++#define SMC_CLC_DECL_ERR_REGRMB 0x09990003 /* reg rmb failed */
+
+ struct smc_clc_msg_hdr { /* header1 of clc messages */
+ u8 eyecatcher[4]; /* eye catcher */
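Review bot: The rule this change depends on is not recorded next to the defines: a decline reason code must keep bit 31 clear, because negative codes are treated as not eligible for TCP fallback. Without that, a future `0x8…` or `0x9…` code would silently bring the problem back. I would add a comment above the block, e.g. `/* reason codes must stay below 0x80000000: a negative code disables TCP fallback */`. These values also appear to travel to the peer as `peer_diag_info` via smc_clc_send_decline(), so it is worth confirming how a peer still sending the old 0x9999xxxx codes is handled.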
diff --git a/patches.fixes/net-smc-fix-a-null-pointer-dereference b/patches.fixes/net-smc-fix-a-null-pointer-dereference
new file mode 100644
index 0000000000..26980fd6e3
--- /dev/null
+++ b/patches.fixes/net-smc-fix-a-null-pointer-dereference
@@ -0,0 +1,32 @@
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Thu, 11 Apr 2019 11:17:31 +0200
+Subject: net/smc: fix a NULL pointer dereference
+Git-commit: e183d4e414b64711baf7a04e214b61969ca08dfa
+Patch-mainline: v5.1-rc6
+References: bsc#1134607 LTC#177518
+
+In case alloc_ordered_workqueue fails, the fix returns NULL
+to avoid NULL pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ net/smc/smc_ism.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/smc/smc_ism.c
++++ b/net/smc/smc_ism.c
+@@ -290,6 +290,11 @@ struct smcd_dev *smcd_alloc_dev(struct d
+ INIT_LIST_HEAD(&smcd->vlan);
+ smcd->event_wq = alloc_ordered_workqueue("ism_evt_wq-%s)",
+ WQ_MEM_RECLAIM, name);
++ if (!smcd->event_wq) {
++ kfree(smcd->conn);
++ kfree(smcd);
++ return NULL;
++ }
+ return smcd;
+ }
+ EXPORT_SYMBOL_GPL(smcd_alloc_dev);
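Review bot: The new error path releases `smcd->conn` and `smcd` with kfree(), which is only correct if nothing earlier in smcd_alloc_dev() has already initialised the embedded struct device. The start of the function is outside this hunk, so this needs checking against the full body. If device_initialize() or dev_set_name() has already run by this point, the two kfree() calls bypass the release callback and leak the device name. The usual cleanup is then `put_device(&smcd->dev);`, assuming the release callback frees `conn` and the structure. Separately, the workqueue name in the context line, `"ism_evt_wq-%s)"`, ends in an unmatched `)` that looks like a typo.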
diff --git a/patches.fixes/net-smc-fix-return-code-from-flush-command b/patches.fixes/net-smc-fix-return-code-from-flush-command
new file mode 100644
index 0000000000..b40980f153
--- /dev/null
+++ b/patches.fixes/net-smc-fix-return-code-from-flush-command
@@ -0,0 +1,37 @@
+From: Karsten Graul <kgraul@linux.ibm.com>
+Date: Thu, 11 Apr 2019 11:17:33 +0200
+Subject: net/smc: fix return code from FLUSH command
+Git-commit: 8ef659f1a840c953a59442ff1400ec73baf3b601
+Patch-mainline: v5.1-rc6
+References: bsc#1134607 LTC#177518
+
+The FLUSH command is used to empty the pnet table. No return code is
+expected from the command. Commit a9d8b0b1e3d6 added namespace support
+for the pnet table and changed the FLUSH command processing to call
+smc_pnet_remove_by_pnetid() to remove the pnet entries. This function
+returns -ENOENT when no entry was deleted, which is now the return code
+of the FLUSH command. As a result the FLUSH command will return an error
+when the pnet table is already empty.
+Restore the expected behavior and let FLUSH always return 0.
+
+Fixes: a9d8b0b1e3d6 ("net/smc: add pnet table namespace support")
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ net/smc/smc_pnet.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/smc/smc_pnet.c
++++ b/net/smc/smc_pnet.c
+@@ -602,7 +602,8 @@ static int smc_pnet_flush(struct sk_buff
+ {
+ struct net *net = genl_info_net(info);
+
+- return smc_pnet_remove_by_pnetid(net, NULL);
++ smc_pnet_remove_by_pnetid(net, NULL);
++ return 0;
+ }
+
+ /* SMC_PNETID generic netlink operation definition */
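Review bot: Discarding the result of smc_pnet_remove_by_pnetid() in smc_pnet_flush() hides every failure, not only the -ENOENT that the description is about. The helper's body is not in this hunk, so if it can return anything else, mapping only that one case keeps real errors visible to the netlink caller: `int rc = smc_pnet_remove_by_pnetid(net, NULL);` followed by `return rc == -ENOENT ? 0 : rc;`. If -ENOENT is the only possible error, a short comment on the call such as `/* flushing an empty table is not an error */` would explain why the result is ignored.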
diff --git a/patches.fixes/net-smc-improve-smc_conn_create-reason-codes b/patches.fixes/net-smc-improve-smc_conn_create-reason-codes
new file mode 100644
index 0000000000..28bf8e49f6
--- /dev/null
+++ b/patches.fixes/net-smc-improve-smc_conn_create-reason-codes
@@ -0,0 +1,375 @@
+From: Karsten Graul <kgraul@linux.ibm.com>
+Date: Fri, 12 Apr 2019 12:57:30 +0200
+Subject: net/smc: improve smc_conn_create reason codes
+Git-commit: 7a62725a50e0282ed90185074c769ce2ecb16e59
+Patch-mainline: v5.2-rc1
+References: bsc#1134607 LTC#177518
+
+Rework smc_conn_create() to always return a valid DECLINE reason code.
+This removes the need to translate the return codes on 4 different
+places and allows to easily add more detailed return codes by changing
+smc_conn_create() only.
+
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ net/smc/af_smc.c | 90 +++++++++++++++++++++++------------------------------
+ net/smc/smc_clc.h | 1
+ net/smc/smc_core.c | 25 +++++++++-----
+ net/smc/smc_core.h | 1
+ 4 files changed, 58 insertions(+), 59 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -532,7 +532,7 @@ static int smc_connect_ism_vlan_setup(st
+ struct smc_init_info *ini)
+ {
+ if (ini->vlan_id && smc_ism_get_vlan(ini->ism_dev, ini->vlan_id))
+- return SMC_CLC_DECL_CNFERR;
++ return SMC_CLC_DECL_ISMVLANERR;
+ return 0;
+ }
+
+@@ -570,7 +570,6 @@ static int smc_connect_rdma(struct smc_s
+ struct smc_clc_msg_accept_confirm *aclc,
+ struct smc_init_info *ini)
+ {
+- int local_contact = SMC_FIRST_CONTACT;
+ struct smc_link *link;
+ int reason_code = 0;
+
+@@ -580,14 +579,8 @@ static int smc_connect_rdma(struct smc_s
+ ini->srv_first_contact = aclc->hdr.flag;
+
+ mutex_lock(&smc_client_lgr_pending);
+- local_contact = smc_conn_create(smc, ini);
+- if (local_contact < 0) {
+- if (local_contact == -ENOMEM)
+- reason_code = SMC_CLC_DECL_MEM;/* insufficient memory*/
+- else if (local_contact == -ENOLINK)
+- reason_code = SMC_CLC_DECL_SYNCERR; /* synchr. error */
+- else
+- reason_code = SMC_CLC_DECL_INTERR; /* other error */
++ reason_code = smc_conn_create(smc, ini);
++ if (reason_code) {
+ mutex_unlock(&smc_client_lgr_pending);
+ return reason_code;
+ }
+@@ -597,41 +590,43 @@ static int smc_connect_rdma(struct smc_s
+
+ /* create send buffer and rmb */
+ if (smc_buf_create(smc, false))
+- return smc_connect_abort(smc, SMC_CLC_DECL_MEM, local_contact);
++ return smc_connect_abort(smc, SMC_CLC_DECL_MEM,
++ ini->cln_first_contact);
+
+- if (local_contact == SMC_FIRST_CONTACT)
++ if (ini->cln_first_contact == SMC_FIRST_CONTACT)
+ smc_link_save_peer_info(link, aclc);
+
+ if (smc_rmb_rtoken_handling(&smc->conn, aclc))
+ return smc_connect_abort(smc, SMC_CLC_DECL_ERR_RTOK,
+- local_contact);
++ ini->cln_first_contact);
+
+ smc_close_init(smc);
+ smc_rx_init(smc);
+
+- if (local_contact == SMC_FIRST_CONTACT) {
++ if (ini->cln_first_contact == SMC_FIRST_CONTACT) {
+ if (smc_ib_ready_link(link))
+ return smc_connect_abort(smc, SMC_CLC_DECL_ERR_RDYLNK,
+- local_contact);
++ ini->cln_first_contact);
+ } else {
+ if (smc_reg_rmb(link, smc->conn.rmb_desc, true))
+ return smc_connect_abort(smc, SMC_CLC_DECL_ERR_REGRMB,
+- local_contact);
++ ini->cln_first_contact);
+ }
+ smc_rmb_sync_sg_for_device(&smc->conn);
+
+ reason_code = smc_clc_send_confirm(smc);
+ if (reason_code)
+- return smc_connect_abort(smc, reason_code, local_contact);
++ return smc_connect_abort(smc, reason_code,
++ ini->cln_first_contact);
+
+ smc_tx_init(smc);
+
+- if (local_contact == SMC_FIRST_CONTACT) {
++ if (ini->cln_first_contact == SMC_FIRST_CONTACT) {
+ /* QP confirmation over RoCE fabric */
+ reason_code = smc_clnt_conf_first_link(smc);
+ if (reason_code)
+ return smc_connect_abort(smc, reason_code,
+- local_contact);
++ ini->cln_first_contact);
+ }
+ mutex_unlock(&smc_client_lgr_pending);
+
+@@ -648,7 +643,6 @@ static int smc_connect_ism(struct smc_so
+ struct smc_clc_msg_accept_confirm *aclc,
+ struct smc_init_info *ini)
+ {
+- int local_contact = SMC_FIRST_CONTACT;
+ int rc = 0;
+
+ ini->is_smcd = true;
+@@ -657,15 +651,16 @@ static int smc_connect_ism(struct smc_so
+
+ /* there is only one lgr role for SMC-D; use server lock */
+ mutex_lock(&smc_server_lgr_pending);
+- local_contact = smc_conn_create(smc, ini);
+- if (local_contact < 0) {
++ rc = smc_conn_create(smc, ini);
++ if (rc) {
+ mutex_unlock(&smc_server_lgr_pending);
+- return SMC_CLC_DECL_MEM;
++ return rc;
+ }
+
+ /* Create send and receive buffers */
+ if (smc_buf_create(smc, true))
+- return smc_connect_abort(smc, SMC_CLC_DECL_MEM, local_contact);
++ return smc_connect_abort(smc, SMC_CLC_DECL_MEM,
++ ini->cln_first_contact);
+
+ smc_conn_save_peer_info(smc, aclc);
+ smc_close_init(smc);
+@@ -674,7 +669,7 @@ static int smc_connect_ism(struct smc_so
+
+ rc = smc_clc_send_confirm(smc);
+ if (rc)
+- return smc_connect_abort(smc, rc, local_contact);
++ return smc_connect_abort(smc, rc, ini->cln_first_contact);
+ mutex_unlock(&smc_server_lgr_pending);
+
+ smc_copy_sock_settings_to_clc(smc);
+@@ -1131,15 +1126,14 @@ static int smc_listen_prfx_check(struct
+
+ /* listen worker: initialize connection and buffers */
+ static int smc_listen_rdma_init(struct smc_sock *new_smc,
+- struct smc_init_info *ini, int *local_contact)
++ struct smc_init_info *ini)
+ {
++ int rc;
++
+ /* allocate connection / link group */
+- *local_contact = smc_conn_create(new_smc, ini);
+- if (*local_contact < 0) {
+- if (*local_contact == -ENOMEM)
+- return SMC_CLC_DECL_MEM;/* insufficient memory*/
+- return SMC_CLC_DECL_INTERR; /* other error */
+- }
++ rc = smc_conn_create(new_smc, ini);
++ if (rc)
++ return rc;
+
+ /* create send buffer and rmb */
+ if (smc_buf_create(new_smc, false))
+@@ -1151,25 +1145,22 @@ static int smc_listen_rdma_init(struct s
+ /* listen worker: initialize connection and buffers for SMC-D */
+ static int smc_listen_ism_init(struct smc_sock *new_smc,
+ struct smc_clc_msg_proposal *pclc,
+- struct smc_init_info *ini,
+- int *local_contact)
++ struct smc_init_info *ini)
+ {
+ struct smc_clc_msg_smcd *pclc_smcd;
++ int rc;
+
+ pclc_smcd = smc_get_clc_msg_smcd(pclc);
+ ini->ism_gid = pclc_smcd->gid;
+- *local_contact = smc_conn_create(new_smc, ini);
+- if (*local_contact < 0) {
+- if (*local_contact == -ENOMEM)
+- return SMC_CLC_DECL_MEM;/* insufficient memory*/
+- return SMC_CLC_DECL_INTERR; /* other error */
+- }
++ rc = smc_conn_create(new_smc, ini);
++ if (rc)
++ return rc;
+
+ /* Check if peer can be reached via ISM device */
+ if (smc_ism_cantalk(new_smc->conn.lgr->peer_gid,
+ new_smc->conn.lgr->vlan_id,
+ new_smc->conn.lgr->smcd)) {
+- if (*local_contact == SMC_FIRST_CONTACT)
++ if (ini->cln_first_contact == SMC_FIRST_CONTACT)
+ smc_lgr_forget(new_smc->conn.lgr);
+ smc_conn_free(&new_smc->conn);
+ return SMC_CLC_DECL_SMCDNOTALK;
+@@ -1177,7 +1168,7 @@ static int smc_listen_ism_init(struct sm
+
+ /* Create send and receive buffers */
+ if (smc_buf_create(new_smc, true)) {
+- if (*local_contact == SMC_FIRST_CONTACT)
++ if (ini->cln_first_contact == SMC_FIRST_CONTACT)
+ smc_lgr_forget(new_smc->conn.lgr);
+ smc_conn_free(&new_smc->conn);
+ return SMC_CLC_DECL_MEM;
+@@ -1244,7 +1235,6 @@ static void smc_listen_work(struct work_
+ struct smc_init_info ini = {0};
+ bool ism_supported = false;
+ u8 buf[SMC_CLC_MAX_LEN];
+- int local_contact = 0;
+ int rc = 0;
+
+ if (new_smc->listen_smc->sk.sk_state != SMC_LISTEN)
+@@ -1299,8 +1289,7 @@ static void smc_listen_work(struct work_
+ ini.is_smcd = true; /* prepare ISM check */
+ rc = smc_find_ism_device(new_smc, &ini);
+ if (!rc)
+- rc = smc_listen_ism_init(new_smc, pclc, &ini,
+- &local_contact);
++ rc = smc_listen_ism_init(new_smc, pclc, &ini);
+ if (!rc)
+ ism_supported = true;
+ else if (pclc->hdr.path == SMC_TYPE_D)
+@@ -1321,16 +1310,16 @@ static void smc_listen_work(struct work_
+ rc = SMC_CLC_DECL_NOSMCDEV;
+ goto out_unlock;
+ }
+- rc = smc_listen_rdma_init(new_smc, &ini, &local_contact);
++ rc = smc_listen_rdma_init(new_smc, &ini);
+ if (rc)
+ goto out_unlock;
+- rc = smc_listen_rdma_reg(new_smc, local_contact);
++ rc = smc_listen_rdma_reg(new_smc, ini.cln_first_contact);
+ if (rc)
+ goto out_unlock;
+ }
+
+ /* send SMC Accept CLC message */
+- rc = smc_clc_send_accept(new_smc, local_contact);
++ rc = smc_clc_send_accept(new_smc, ini.cln_first_contact);
+ if (rc)
+ goto out_unlock;
+
+@@ -1349,7 +1338,8 @@ static void smc_listen_work(struct work_
+
+ /* finish worker */
+ if (!ism_supported) {
+- rc = smc_listen_rdma_finish(new_smc, &cclc, local_contact);
++ rc = smc_listen_rdma_finish(new_smc, &cclc,
++ ini.cln_first_contact);
+ mutex_unlock(&smc_server_lgr_pending);
+ if (rc)
+ return;
+@@ -1361,7 +1351,7 @@ static void smc_listen_work(struct work_
+ out_unlock:
+ mutex_unlock(&smc_server_lgr_pending);
+ out_decl:
+- smc_listen_decline(new_smc, rc, local_contact);
++ smc_listen_decline(new_smc, rc, ini.cln_first_contact);
+ }
+
+ static void smc_tcp_listen_work(struct work_struct *work)
+--- a/net/smc/smc_clc.h
++++ b/net/smc/smc_clc.h
+@@ -42,6 +42,7 @@
+ #define SMC_CLC_DECL_OPTUNSUPP 0x03060000 /* fastopen sockopt not supported */
+ #define SMC_CLC_DECL_DIFFPREFIX 0x03070000 /* IP prefix / subnet mismatch */
+ #define SMC_CLC_DECL_GETVLANERR 0x03080000 /* err to get vlan id of ip device*/
++#define SMC_CLC_DECL_ISMVLANERR 0x03090000 /* err to reg vlan id on ism dev */
+ #define SMC_CLC_DECL_SYNCERR 0x04000000 /* synchronization error */
+ #define SMC_CLC_DECL_PEERDECL 0x05000000 /* peer declined during handshake */
+ #define SMC_CLC_DECL_INTERR 0x09990000 /* internal error */
+--- a/net/smc/smc_core.c
++++ b/net/smc/smc_core.c
+@@ -203,14 +203,15 @@ static int smc_lgr_create(struct smc_soc
+ int i;
+
+ if (ini->is_smcd && ini->vlan_id) {
+- rc = smc_ism_get_vlan(ini->ism_dev, ini->vlan_id);
+- if (rc)
++ if (smc_ism_get_vlan(ini->ism_dev, ini->vlan_id)) {
++ rc = SMC_CLC_DECL_ISMVLANERR;
+ goto out;
++ }
+ }
+
+ lgr = kzalloc(sizeof(*lgr), GFP_KERNEL);
+ if (!lgr) {
+- rc = -ENOMEM;
++ rc = SMC_CLC_DECL_MEM;
+ goto out;
+ }
+ lgr->is_smcd = ini->is_smcd;
+@@ -290,6 +291,12 @@ clear_llc_lnk:
+ free_lgr:
+ kfree(lgr);
+ out:
++ if (rc < 0) {
++ if (rc == -ENOMEM)
++ rc = SMC_CLC_DECL_MEM;
++ else
++ rc = SMC_CLC_DECL_INTERR;
++ }
+ return rc;
+ }
+
+@@ -598,11 +605,11 @@ static bool smcd_lgr_match(struct smc_li
+ int smc_conn_create(struct smc_sock *smc, struct smc_init_info *ini)
+ {
+ struct smc_connection *conn = &smc->conn;
+- int local_contact = SMC_FIRST_CONTACT;
+ struct smc_link_group *lgr;
+ enum smc_lgr_role role;
+ int rc = 0;
+
++ ini->cln_first_contact = SMC_FIRST_CONTACT;
+ role = smc->listen_smc ? SMC_SERV : SMC_CLNT;
+ if (role == SMC_CLNT && ini->srv_first_contact)
+ /* create new link group as well */
+@@ -620,7 +627,7 @@ int smc_conn_create(struct smc_sock *smc
+ (role == SMC_CLNT ||
+ lgr->conns_num < SMC_RMBS_PER_LGR_MAX)) {
+ /* link group found */
+- local_contact = SMC_REUSE_CONTACT;
++ ini->cln_first_contact = SMC_REUSE_CONTACT;
+ conn->lgr = lgr;
+ smc_lgr_register_conn(conn); /* add smc conn to lgr */
+ if (delayed_work_pending(&lgr->free_work))
+@@ -633,16 +640,16 @@ int smc_conn_create(struct smc_sock *smc
+ spin_unlock_bh(&smc_lgr_list.lock);
+
+ if (role == SMC_CLNT && !ini->srv_first_contact &&
+- local_contact == SMC_FIRST_CONTACT) {
++ ini->cln_first_contact == SMC_FIRST_CONTACT) {
+ /* Server reuses a link group, but Client wants to start
+ * a new one
+ * send out_of_sync decline, reason synchr. error
+ */
+- return -ENOLINK;
++ return SMC_CLC_DECL_SYNCERR;
+ }
+
+ create:
+- if (local_contact == SMC_FIRST_CONTACT) {
++ if (ini->cln_first_contact == SMC_FIRST_CONTACT) {
+ rc = smc_lgr_create(smc, ini);
+ if (rc)
+ goto out;
+@@ -660,7 +667,7 @@ create:
+ #endif
+
+ out:
+- return rc ? rc : local_contact;
++ return rc;
+ }
+
+ /* convert the RMB size into the compressed notation - minimum 16K.
+--- a/net/smc/smc_core.h
++++ b/net/smc/smc_core.h
+@@ -234,6 +234,7 @@ struct smc_init_info {
+ u8 is_smcd;
+ unsigned short vlan_id;
+ int srv_first_contact;
++ int cln_first_contact;
+ /* SMC-R */
+ struct smc_clc_msg_local *ib_lcl;
+ struct smc_ib_device *ib_dev;
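Review bot: smc_conn_create() and smc_lgr_create() now carry two value spaces in one `rc`, and the new contract is not documented anywhere in the hunks. The `out:` translation in smc_lgr_create() (`if (rc < 0)`) only works while every SMC_CLC_DECL_* code is positive as an `int`, and callers now test plain `if (rc)` and send the value to the peer as a decline reason. I would state this above smc_conn_create(), e.g. `/* returns 0 or a positive SMC_CLC_DECL_* reason code; the contact type is reported in ini->cln_first_contact */`. The field `cln_first_contact` is also read on the listen side (smc_listen_work, smc_listen_ism_init), so a short comment in struct smc_init_info that it holds the local contact state for both roles would prevent misreading. The function bodies continue outside the hunks shown.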
diff --git a/patches.fixes/net-smc-improve-smc_listen_work-reason-codes b/patches.fixes/net-smc-improve-smc_listen_work-reason-codes
new file mode 100644
index 0000000000..56db3392f6
--- /dev/null
+++ b/patches.fixes/net-smc-improve-smc_listen_work-reason-codes
@@ -0,0 +1,201 @@
+From: Karsten Graul <kgraul@linux.ibm.com>
+Date: Fri, 12 Apr 2019 12:57:29 +0200
+Subject: net/smc: improve smc_listen_work reason codes
+Git-commit: 9aa68d298c80d11a987691258ff92fd67e224af3
+Patch-mainline: v5.2-rc1
+References: bsc#1134607 LTC#177518
+
+Rework smc_listen_work() to provide improved reason codes when an
+SMC connection is declined. This allows better debugging on user side.
+This also adds 3 more detailed reason codes in smc_clc.h to indicate
+what type of device was not found (ism or rdma or both), or if ism
+cannot talk to the peer.
+
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ net/smc/af_smc.c | 95 ++++++++++++++++++++++++++++--------------------------
+ net/smc/smc_clc.h | 5 ++
+ 2 files changed, 54 insertions(+), 46 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -511,8 +511,8 @@ static int smc_find_rdma_device(struct s
+ * used for the internal TCP socket
+ */
+ smc_pnet_find_roce_resource(smc->clcsock->sk, ini);
+- if (!(ini->ib_dev))
+- return SMC_CLC_DECL_CNFERR; /* configuration error */
++ if (!ini->ib_dev)
++ return SMC_CLC_DECL_NOSMCRDEV;
+ return 0;
+ }
+
+@@ -523,7 +523,7 @@ static int smc_find_ism_device(struct sm
+ /* Find ISM device with same PNETID as connecting interface */
+ smc_pnet_find_ism_resource(smc->clcsock->sk, ini);
+ if (!ini->ism_dev)
+- return SMC_CLC_DECL_CNFERR; /* configuration error */
++ return SMC_CLC_DECL_NOSMCDDEV;
+ return 0;
+ }
+
+@@ -1172,7 +1172,7 @@ static int smc_listen_ism_init(struct sm
+ if (*local_contact == SMC_FIRST_CONTACT)
+ smc_lgr_forget(new_smc->conn.lgr);
+ smc_conn_free(&new_smc->conn);
+- return SMC_CLC_DECL_CNFERR;
++ return SMC_CLC_DECL_SMCDNOTALK;
+ }
+
+ /* Create send and receive buffers */
+@@ -1269,28 +1269,24 @@ static void smc_listen_work(struct work_
+ pclc = (struct smc_clc_msg_proposal *)&buf;
+ rc = smc_clc_wait_msg(new_smc, pclc, SMC_CLC_MAX_LEN,
+ SMC_CLC_PROPOSAL, CLC_WAIT_TIME);
+- if (rc) {
+- smc_listen_decline(new_smc, rc, 0);
+- return;
+- }
++ if (rc)
++ goto out_decl;
+
+ /* IPSec connections opt out of SMC-R optimizations */
+ if (using_ipsec(new_smc)) {
+- smc_listen_decline(new_smc, SMC_CLC_DECL_IPSEC, 0);
+- return;
++ rc = SMC_CLC_DECL_IPSEC;
++ goto out_decl;
+ }
+
+ /* check for matching IP prefix and subnet length */
+ rc = smc_listen_prfx_check(new_smc, pclc);
+- if (rc) {
+- smc_listen_decline(new_smc, rc, 0);
+- return;
+- }
++ if (rc)
++ goto out_decl;
+
+ /* get vlan id from IP device */
+ if (smc_vlan_by_tcpsk(new_smc->clcsock, &ini)) {
+- smc_listen_decline(new_smc, SMC_CLC_DECL_GETVLANERR, 0);
+- return;
++ rc = SMC_CLC_DECL_GETVLANERR;
++ goto out_decl;
+ }
+
+ mutex_lock(&smc_server_lgr_pending);
+@@ -1298,41 +1294,45 @@ static void smc_listen_work(struct work_
+ smc_rx_init(new_smc);
+ smc_tx_init(new_smc);
+
+- /* prepare ISM check */
+- ini.is_smcd = true;
+ /* check if ISM is available */
+- if ((pclc->hdr.path == SMC_TYPE_D || pclc->hdr.path == SMC_TYPE_B) &&
+- !smc_find_ism_device(new_smc, &ini) &&
+- !smc_listen_ism_init(new_smc, pclc, &ini, &local_contact)) {
+- ism_supported = true;
+- } else {
++ if (pclc->hdr.path == SMC_TYPE_D || pclc->hdr.path == SMC_TYPE_B) {
++ ini.is_smcd = true; /* prepare ISM check */
++ rc = smc_find_ism_device(new_smc, &ini);
++ if (!rc)
++ rc = smc_listen_ism_init(new_smc, pclc, &ini,
++ &local_contact);
++ if (!rc)
++ ism_supported = true;
++ else if (pclc->hdr.path == SMC_TYPE_D)
++ goto out_unlock; /* skip RDMA and decline */
++ }
++
++ /* check if RDMA is available */
++ if (!ism_supported) { /* SMC_TYPE_R or SMC_TYPE_B */
+ /* prepare RDMA check */
+ memset(&ini, 0, sizeof(ini));
+ ini.is_smcd = false;
+ ini.ib_lcl = &pclc->lcl;
+- }
+-
+- /* check if RDMA is available */
+- if (!ism_supported &&
+- ((pclc->hdr.path != SMC_TYPE_R && pclc->hdr.path != SMC_TYPE_B) ||
+- smc_vlan_by_tcpsk(new_smc->clcsock, &ini) ||
+- smc_find_rdma_device(new_smc, &ini) ||
+- smc_listen_rdma_init(new_smc, &ini, &local_contact) ||
+- smc_listen_rdma_reg(new_smc, local_contact))) {
+- /* SMC not supported, decline */
+- mutex_unlock(&smc_server_lgr_pending);
+- smc_listen_decline(new_smc, SMC_CLC_DECL_MODEUNSUPP,
+- local_contact);
+- return;
++ rc = smc_find_rdma_device(new_smc, &ini);
++ if (rc) {
++ /* no RDMA device found */
++ if (pclc->hdr.path == SMC_TYPE_B)
++ /* neither ISM nor RDMA device found */
++ rc = SMC_CLC_DECL_NOSMCDEV;
++ goto out_unlock;
++ }
++ rc = smc_listen_rdma_init(new_smc, &ini, &local_contact);
++ if (rc)
++ goto out_unlock;
++ rc = smc_listen_rdma_reg(new_smc, local_contact);
++ if (rc)
++ goto out_unlock;
+ }
+
+ /* send SMC Accept CLC message */
+ rc = smc_clc_send_accept(new_smc, local_contact);
+- if (rc) {
+- mutex_unlock(&smc_server_lgr_pending);
+- smc_listen_decline(new_smc, rc, local_contact);
+- return;
+- }
++ if (rc)
++ goto out_unlock;
+
+ /* SMC-D does not need this lock any more */
+ if (ism_supported)
+@@ -1343,9 +1343,8 @@ static void smc_listen_work(struct work_
+ SMC_CLC_CONFIRM, CLC_WAIT_TIME);
+ if (rc) {
+ if (!ism_supported)
+- mutex_unlock(&smc_server_lgr_pending);
+- smc_listen_decline(new_smc, rc, local_contact);
+- return;
++ goto out_unlock;
++ goto out_decl;
+ }
+
+ /* finish worker */
+@@ -1357,6 +1356,12 @@ static void smc_listen_work(struct work_
+ }
+ smc_conn_save_peer_info(new_smc, &cclc);
+ smc_listen_out_connected(new_smc);
++ return;
++
++out_unlock:
++ mutex_unlock(&smc_server_lgr_pending);
++out_decl:
++ smc_listen_decline(new_smc, rc, local_contact);
+ }
+
+ static void smc_tcp_listen_work(struct work_struct *work)
+--- a/net/smc/smc_clc.h
++++ b/net/smc/smc_clc.h
+@@ -33,7 +33,10 @@
+ #define SMC_CLC_DECL_CNFERR 0x03000000 /* configuration error */
+ #define SMC_CLC_DECL_PEERNOSMC 0x03010000 /* peer did not indicate SMC */
+ #define SMC_CLC_DECL_IPSEC 0x03020000 /* IPsec usage */
+-#define SMC_CLC_DECL_NOSMCDEV 0x03030000 /* no SMC device found */
++#define SMC_CLC_DECL_NOSMCDEV 0x03030000 /* no SMC device found (R or D) */
++#define SMC_CLC_DECL_NOSMCDDEV 0x03030001 /* no SMC-D device found */
++#define SMC_CLC_DECL_NOSMCRDEV 0x03030002 /* no SMC-R device found */
++#define SMC_CLC_DECL_SMCDNOTALK 0x03030003 /* SMC-D dev can't talk to peer */
+ #define SMC_CLC_DECL_MODEUNSUPP 0x03040000 /* smc modes do not match (R or D)*/
+ #define SMC_CLC_DECL_RMBE_EC 0x03050000 /* peer has eyecatcher in RMBE */
+ #define SMC_CLC_DECL_OPTUNSUPP 0x03060000 /* fastopen sockopt not supported */
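Review bot: In the reworked RDMA branch of smc_listen_work(), `memset(&ini, 0, sizeof(ini))` clears the `ini.vlan_id` filled in earlier by `smc_vlan_by_tcpsk(new_smc->clcsock, &ini)`. The second `smc_vlan_by_tcpsk()` call, which repopulated it in the old condition chain, is removed by this patch. If the SMC-R setup that follows (smc_find_rdma_device() and smc_listen_rdma_init(), whose bodies are outside this hunk) reads `ini.vlan_id`, a connection on a VLAN would be set up with id 0. I would keep the value across the reset with `unsigned short vlan_id = ini.vlan_id;` before the memset and `ini.vlan_id = vlan_id;` after it. smc_listen_work() begins and ends outside the hunks shown.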
diff --git a/patches.fixes/net-smc-move-unhash-before-release-of-clcsock b/patches.fixes/net-smc-move-unhash-before-release-of-clcsock
new file mode 100644
index 0000000000..3b7828e634
--- /dev/null
+++ b/patches.fixes/net-smc-move-unhash-before-release-of-clcsock
@@ -0,0 +1,66 @@
+From: Ursula Braun <ubraun@linux.ibm.com>
+Date: Thu, 11 Apr 2019 11:17:34 +0200
+Subject: net/smc: move unhash before release of clcsock
+Git-commit: f61bca58f6c36e666c2b807697f25e5e98708162
+Patch-mainline: v5.1-rc6
+References: bsc#1134607 LTC#177518
+
+Commit <26d92e951fe0>
+("net/smc: move unhash as early as possible in smc_release()")
+fixes one occurrence in the smc code, but the same pattern exists
+in other places. This patch covers the remaining occurrences and
+makes sure, the unhash operation is done before the smc->clcsock is
+released. This avoids a potential use-after-free in smc_diag_dump().
+
+Reviewed-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ net/smc/af_smc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -884,11 +884,11 @@ static int smc_clcsock_accept(struct smc
+ if (rc < 0)
+ lsk->sk_err = -rc;
+ if (rc < 0 || lsk->sk_state == SMC_CLOSED) {
++ new_sk->sk_prot->unhash(new_sk);
+ if (new_clcsock)
+ sock_release(new_clcsock);
+ new_sk->sk_state = SMC_CLOSED;
+ sock_set_flag(new_sk, SOCK_DEAD);
+- new_sk->sk_prot->unhash(new_sk);
+ sock_put(new_sk); /* final */
+ *new_smc = NULL;
+ goto out;
+@@ -939,11 +939,11 @@ struct sock *smc_accept_dequeue(struct s
+
+ smc_accept_unlink(new_sk);
+ if (new_sk->sk_state == SMC_CLOSED) {
++ new_sk->sk_prot->unhash(new_sk);
+ if (isk->clcsock) {
+ sock_release(isk->clcsock);
+ isk->clcsock = NULL;
+ }
+- new_sk->sk_prot->unhash(new_sk);
+ sock_put(new_sk); /* final */
+ continue;
+ }
+@@ -973,6 +973,7 @@ void smc_close_non_accepted(struct sock
+ sock_set_flag(sk, SOCK_DEAD);
+ sk->sk_shutdown |= SHUTDOWN_MASK;
+ }
++ sk->sk_prot->unhash(sk);
+ if (smc->clcsock) {
+ struct socket *tcp;
+
+@@ -988,7 +989,6 @@ void smc_close_non_accepted(struct sock
+ smc_conn_free(&smc->conn);
+ }
+ release_sock(sk);
+- sk->sk_prot->unhash(sk);
+ sock_put(sk); /* final sock_put */
+ }
+
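Review bot: All three moved `unhash()` calls rely purely on statement order to keep smc_diag_dump() away from a released clcsock, and none of them carries a comment saying so. This is the same pattern the commit message says had to be fixed once before, so I would annotate each site, e.g. `/* unhash first: smc_diag_dump() must not find this sock once clcsock is released */`. Unhashing also only stops new lookups; whether a dump that already holds the sock can still reach `smc->clcsock` depends on locking in the diag code, which is not visible here and is worth confirming. In smc_close_non_accepted() the call now runs before `release_sock(sk)` rather than after it, which is a change in locking context as well as in order. The function bodies extend outside these hunks.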
diff --git a/patches.fixes/net-smc-nonblocking-connect-rework b/patches.fixes/net-smc-nonblocking-connect-rework
new file mode 100644
index 0000000000..980a470ecd
--- /dev/null
+++ b/patches.fixes/net-smc-nonblocking-connect-rework
@@ -0,0 +1,218 @@
+From: Ursula Braun <ubraun@linux.ibm.com>
+Date: Fri, 12 Apr 2019 12:57:23 +0200
+Subject: net/smc: nonblocking connect rework
+Git-commit: 50717a37db032ce783f50685a73bb2ac68471a5a
+Patch-mainline: v5.2-rc1
+References: bsc#1134607 LTC#177518
+
+For nonblocking sockets move the kernel_connect() from the connect
+worker into the initial smc_connect part to return kernel_connect()
+errors other than -EINPROGRESS to user space.
+
+Reviewed-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ net/smc/af_smc.c | 76 ++++++++++++++++++++++++++++++-------------------------
+ net/smc/smc.h | 11 ++-----
+ 2 files changed, 46 insertions(+), 41 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -134,11 +134,9 @@ static int smc_release(struct socket *so
+ smc = smc_sk(sk);
+
+ /* cleanup for a dangling non-blocking connect */
+- if (smc->connect_info && sk->sk_state == SMC_INIT)
++ if (smc->connect_nonblock && sk->sk_state == SMC_INIT)
+ tcp_abort(smc->clcsock->sk, ECONNABORTED);
+ flush_work(&smc->connect_work);
+- kfree(smc->connect_info);
+- smc->connect_info = NULL;
+
+ if (sk->sk_state == SMC_LISTEN)
+ /* smc_close_non_accepted() is called and acquires
+@@ -460,6 +458,7 @@ static int smc_connect_fallback(struct s
+ smc_switch_to_fallback(smc);
+ smc->fallback_rsn = reason_code;
+ smc_copy_sock_settings_to_clc(smc);
++ smc->connect_nonblock = 0;
+ if (smc->sk.sk_state == SMC_INIT)
+ smc->sk.sk_state = SMC_ACTIVE;
+ return 0;
+@@ -499,6 +498,7 @@ static int smc_connect_abort(struct smc_
+ mutex_unlock(&smc_client_lgr_pending);
+
+ smc_conn_free(&smc->conn);
++ smc->connect_nonblock = 0;
+ return reason_code;
+ }
+
+@@ -641,6 +641,7 @@ static int smc_connect_rdma(struct smc_s
+ mutex_unlock(&smc_client_lgr_pending);
+
+ smc_copy_sock_settings_to_clc(smc);
++ smc->connect_nonblock = 0;
+ if (smc->sk.sk_state == SMC_INIT)
+ smc->sk.sk_state = SMC_ACTIVE;
+
+@@ -679,6 +680,7 @@ static int smc_connect_ism(struct smc_so
+ mutex_unlock(&smc_server_lgr_pending);
+
+ smc_copy_sock_settings_to_clc(smc);
++ smc->connect_nonblock = 0;
+ if (smc->sk.sk_state == SMC_INIT)
+ smc->sk.sk_state = SMC_ACTIVE;
+
+@@ -764,17 +766,30 @@ static void smc_connect_work(struct work
+ {
+ struct smc_sock *smc = container_of(work, struct smc_sock,
+ connect_work);
+- int rc;
++ long timeo = smc->sk.sk_sndtimeo;
++ int rc = 0;
+
+- lock_sock(&smc->sk);
+- rc = kernel_connect(smc->clcsock, &smc->connect_info->addr,
+- smc->connect_info->alen, smc->connect_info->flags);
++ if (!timeo)
++ timeo = MAX_SCHEDULE_TIMEOUT;
++ lock_sock(smc->clcsock->sk);
+ if (smc->clcsock->sk->sk_err) {
+ smc->sk.sk_err = smc->clcsock->sk->sk_err;
+- goto out;
++ } else if ((1 << smc->clcsock->sk->sk_state) &
++ (TCPF_SYN_SENT | TCP_SYN_RECV)) {
++ rc = sk_stream_wait_connect(smc->clcsock->sk, &timeo);
++ if ((rc == -EPIPE) &&
++ ((1 << smc->clcsock->sk->sk_state) &
++ (TCPF_ESTABLISHED | TCPF_CLOSE_WAIT)))
++ rc = 0;
+ }
+- if (rc < 0) {
+- smc->sk.sk_err = -rc;
++ release_sock(smc->clcsock->sk);
++ lock_sock(&smc->sk);
++ if (rc != 0 || smc->sk.sk_err) {
++ smc->sk.sk_state = SMC_CLOSED;
++ if (rc == -EPIPE || rc == -EAGAIN)
++ smc->sk.sk_err = EPIPE;
++ else if (signal_pending(current))
++ smc->sk.sk_err = -sock_intr_errno(timeo);
+ goto out;
+ }
+
+@@ -791,8 +806,6 @@ out:
+ smc->sk.sk_write_space(&smc->sk);
+ }
+ }
+- kfree(smc->connect_info);
+- smc->connect_info = NULL;
+ release_sock(&smc->sk);
+ }
+
+@@ -825,26 +838,18 @@ static int smc_connect(struct socket *so
+
+ smc_copy_sock_settings_to_clc(smc);
+ tcp_sk(smc->clcsock->sk)->syn_smc = 1;
++ if (smc->connect_nonblock) {
++ rc = -EALREADY;
++ goto out;
++ }
++ rc = kernel_connect(smc->clcsock, addr, alen, flags);
++ if (rc && rc != -EINPROGRESS)
++ goto out;
+ if (flags & O_NONBLOCK) {
+- if (smc->connect_info) {
+- rc = -EALREADY;
+- goto out;
+- }
+- smc->connect_info = kzalloc(alen + 2 * sizeof(int), GFP_KERNEL);
+- if (!smc->connect_info) {
+- rc = -ENOMEM;
+- goto out;
+- }
+- smc->connect_info->alen = alen;
+- smc->connect_info->flags = flags ^ O_NONBLOCK;
+- memcpy(&smc->connect_info->addr, addr, alen);
+- schedule_work(&smc->connect_work);
++ if (schedule_work(&smc->connect_work))
++ smc->connect_nonblock = 1;
+ rc = -EINPROGRESS;
+ } else {
+- rc = kernel_connect(smc->clcsock, addr, alen, flags);
+- if (rc)
+- goto out;
+-
+ rc = __smc_connect(smc);
+ if (rc < 0)
+ goto out;
+@@ -1591,8 +1596,8 @@ static unsigned int smc_poll(struct file
+ poll_table *wait)
+ {
+ struct sock *sk = sock->sk;
+- unsigned int mask = 0;
+ struct smc_sock *smc;
++ unsigned int mask = 0;
+
+ if (!sk)
+ return POLLNVAL;
+@@ -1602,8 +1607,6 @@ static unsigned int smc_poll(struct file
+ /* delegate to CLC child sock */
+ mask = smc->clcsock->ops->poll(file, smc->clcsock, wait);
+ sk->sk_err = smc->clcsock->sk->sk_err;
+- if (sk->sk_err)
+- mask |= POLLERR;
+ } else {
+ if (sk->sk_state != SMC_CLOSED)
+ sock_poll_wait(file, sk_sleep(sk), wait);
+@@ -1614,9 +1617,14 @@ static unsigned int smc_poll(struct file
+ mask |= POLLHUP;
+ if (sk->sk_state == SMC_LISTEN) {
+ /* woken up by sk_data_ready in smc_listen_work() */
+- mask = smc_accept_poll(sk);
++ mask |= smc_accept_poll(sk);
++ } else if (smc->use_fallback) { /* as result of connect_work()*/
++ mask |= smc->clcsock->ops->poll(file, smc->clcsock,
++ wait);
++ sk->sk_err = smc->clcsock->sk->sk_err;
+ } else {
+- if (atomic_read(&smc->conn.sndbuf_space) ||
++ if ((sk->sk_state != SMC_INIT &&
++ atomic_read(&smc->conn.sndbuf_space)) ||
+ sk->sk_shutdown & SEND_SHUTDOWN) {
+ mask |= POLLOUT | POLLWRNORM;
+ } else {
+--- a/net/smc/smc.h
++++ b/net/smc/smc.h
+@@ -189,18 +189,11 @@ struct smc_connection {
+ u64 peer_token; /* SMC-D token of peer */
+ };
+
+-struct smc_connect_info {
+- int flags;
+- int alen;
+- struct sockaddr addr;
+-};
+-
+ struct smc_sock { /* smc sock container */
+ struct sock sk;
+ struct socket *clcsock; /* internal tcp socket */
+ struct smc_connection conn; /* smc connection */
+ struct smc_sock *listen_smc; /* listen parent */
+- struct smc_connect_info *connect_info; /* connect address & flags */
+ struct work_struct connect_work; /* handle non-blocking connect*/
+ struct work_struct tcp_listen_work;/* handle tcp socket accepts */
+ struct work_struct smc_listen_work;/* prepare new accept socket */
+@@ -218,6 +211,10 @@ struct smc_sock { /* smc sock contain
+ * started, waiting for unsent
+ * data to be sent
+ */
++ u8 connect_nonblock : 1;
++ /* non-blocking connect in
++ * flight
++ */
+ struct mutex clcsock_release_lock;
+ /* protects clcsock of a listen
+ * socket
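Review bot: The state mask added in smc_connect_work() mixes a flag with a state number: `(TCPF_SYN_SENT | TCP_SYN_RECV)` ORs the TCPF_ bit for SYN_SENT with the plain enum value of SYN_RECV. As a result `(1 << sk_state) & mask` does not test for SYN_RECV and sets bits belonging to other states, so `sk_stream_wait_connect()` can be entered or skipped for the wrong clcsock states. The operand should be the flag form, `(TCPF_SYN_SENT | TCPF_SYN_RECV)`, consistent with the `TCPF_ESTABLISHED | TCPF_CLOSE_WAIT` mask a few lines below. smc_connect_work() continues outside the hunk.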
diff --git a/patches.fixes/net-smc-propagate-file-from-smc-to-tcp-socket b/patches.fixes/net-smc-propagate-file-from-smc-to-tcp-socket
new file mode 100644
index 0000000000..ee5116ac79
--- /dev/null
+++ b/patches.fixes/net-smc-propagate-file-from-smc-to-tcp-socket
@@ -0,0 +1,115 @@
+From: Ursula Braun <ubraun@linux.ibm.com>
+Date: Thu, 11 Apr 2019 11:17:32 +0200
+Subject: net/smc: propagate file from SMC to TCP socket
+Git-commit: 07603b230895a74ebb1e2a1231ac45c29c2a8cd3
+Patch-mainline: v5.1-rc6
+References: bsc#1134607 LTC#177518
+
+fcntl(fd, F_SETOWN, getpid()) selects the recipient of SIGURG signals
+that are delivered when out-of-band data arrives on socket fd.
+If an SMC socket program makes use of such an fcntl() call, it fails
+in case of fallback to TCP-mode. In case of fallback the traffic is
+processed with the internal TCP socket. Propagating field "file" from the
+SMC socket to the internal TCP socket fixes the issue.
+
+Reviewed-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ net/smc/af_smc.c | 38 ++++++++++++++++++++++++++++----------
+ 1 file changed, 28 insertions(+), 10 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -445,10 +445,19 @@ static void smc_link_save_peer_info(stru
+ link->peer_mtu = clc->qp_mtu;
+ }
+
++static void smc_switch_to_fallback(struct smc_sock *smc)
++{
++ smc->use_fallback = true;
++ if (smc->sk.sk_socket && smc->sk.sk_socket->file) {
++ smc->clcsock->file = smc->sk.sk_socket->file;
++ smc->clcsock->file->private_data = smc->clcsock;
++ }
++}
++
+ /* fall back during connect */
+ static int smc_connect_fallback(struct smc_sock *smc, int reason_code)
+ {
+- smc->use_fallback = true;
++ smc_switch_to_fallback(smc);
+ smc->fallback_rsn = reason_code;
+ smc_copy_sock_settings_to_clc(smc);
+ if (smc->sk.sk_state == SMC_INIT)
+@@ -774,10 +783,14 @@ static void smc_connect_work(struct work
+ smc->sk.sk_err = -rc;
+
+ out:
+- if (smc->sk.sk_err)
+- smc->sk.sk_state_change(&smc->sk);
+- else
+- smc->sk.sk_write_space(&smc->sk);
++ if (!sock_flag(&smc->sk, SOCK_DEAD)) {
++ if (smc->sk.sk_err) {
++ smc->sk.sk_state_change(&smc->sk);
++ } else { /* allow polling before and after fallback decision */
++ smc->clcsock->sk->sk_write_space(smc->clcsock->sk);
++ smc->sk.sk_write_space(&smc->sk);
++ }
++ }
+ kfree(smc->connect_info);
+ smc->connect_info = NULL;
+ release_sock(&smc->sk);
+@@ -934,8 +947,13 @@ struct sock *smc_accept_dequeue(struct s
+ sock_put(new_sk); /* final */
+ continue;
+ }
+- if (new_sock)
++ if (new_sock) {
+ sock_graft(new_sk, new_sock);
++ if (isk->use_fallback) {
++ smc_sk(new_sk)->clcsock->file = new_sock->file;
++ isk->clcsock->file->private_data = isk->clcsock;
++ }
++ }
+ return new_sk;
+ }
+ return NULL;
+@@ -1086,7 +1104,7 @@ static void smc_listen_decline(struct sm
+ return;
+ }
+ smc_conn_free(&new_smc->conn);
+- new_smc->use_fallback = true;
++ smc_switch_to_fallback(new_smc);
+ new_smc->fallback_rsn = reason_code;
+ if (reason_code && reason_code != SMC_CLC_DECL_PEERDECL) {
+ if (smc_clc_send_decline(new_smc, reason_code) < 0) {
+@@ -1246,7 +1264,7 @@ static void smc_listen_work(struct work_
+
+ /* check if peer is smc capable */
+ if (!tcp_sk(newclcsock->sk)->syn_smc) {
+- new_smc->use_fallback = true;
++ smc_switch_to_fallback(new_smc);
+ new_smc->fallback_rsn = SMC_CLC_DECL_PEERNOSMC;
+ smc_listen_out_connected(new_smc);
+ return;
+@@ -1503,7 +1521,7 @@ static int smc_sendmsg(struct socket *so
+
+ if (msg->msg_flags & MSG_FASTOPEN) {
+ if (sk->sk_state == SMC_INIT) {
+- smc->use_fallback = true;
++ smc_switch_to_fallback(smc);
+ smc->fallback_rsn = SMC_CLC_DECL_OPTUNSUPP;
+ } else {
+ rc = -EINVAL;
+@@ -1702,7 +1720,7 @@ static int smc_setsockopt(struct socket
+ case TCP_FASTOPEN_CONNECT:
+ /* option not supported by SMC */
+ if (sk->sk_state == SMC_INIT) {
+- smc->use_fallback = true;
++ smc_switch_to_fallback(smc);
+ smc->fallback_rsn = SMC_CLC_DECL_OPTUNSUPP;
+ } else {
+ if (!smc->use_fallback)
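Review bot: smc_switch_to_fallback() makes the SMC socket and its internal clcsock share one `struct file` and repoints `file->private_data` at the clcsock, but nothing in these hunks shows where that aliasing is undone. The file can outlive the clcsock, so please confirm that the release paths (outside this hunk) clear `clcsock->file` or restore `private_data` before the clcsock is released; otherwise a later file operation would dereference a freed socket. A comment on the helper stating that rule would help, e.g. `/* clcsock borrows the SMC socket's file; clcsock must not be freed while file->private_data points at it */`. In smc_accept_dequeue() the two added lines refer to what appears to be the same socket as `smc_sk(new_sk)->clcsock` and `isk->clcsock`, and using one spelling for both would make the pairing easier to audit.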
diff --git a/patches.fixes/net-smc-wait-for-pending-work-before-clcsock-release_sock b/patches.fixes/net-smc-wait-for-pending-work-before-clcsock-release_sock
new file mode 100644
index 0000000000..ff56432b42
--- /dev/null
+++ b/patches.fixes/net-smc-wait-for-pending-work-before-clcsock-release_sock
@@ -0,0 +1,127 @@
+From: Karsten Graul <kgraul@linux.ibm.com>
+Date: Thu, 11 Apr 2019 11:17:30 +0200
+Subject: net/smc: wait for pending work before clcsock release_sock
+Git-commit: fd57770dd198f5b2ddd5b9e6bf282cf98d63adb9
+Patch-mainline: v5.1-rc6
+References: bsc#1134607 LTC#177518
+
+When the clcsock is already released using sock_release() and a pending
+smc_listen_work accesses the clcsock than that will fail. Solve this
+by canceling and waiting for the work to complete first. Because the
+work holds the sock_lock it must make sure that the lock is not hold
+before the new helper smc_clcsock_release() is invoked. And before the
+smc_listen_work starts working check if the parent listen socket is
+still valid, otherwise stop the work early.
+
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ net/smc/af_smc.c | 14 ++++++++------
+ net/smc/smc_close.c | 25 +++++++++++++++++++++----
+ net/smc/smc_close.h | 1 +
+ 3 files changed, 30 insertions(+), 10 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -167,10 +167,9 @@ static int smc_release(struct socket *so
+
+ if (sk->sk_state == SMC_CLOSED) {
+ if (smc->clcsock) {
+- mutex_lock(&smc->clcsock_release_lock);
+- sock_release(smc->clcsock);
+- smc->clcsock = NULL;
+- mutex_unlock(&smc->clcsock_release_lock);
++ release_sock(sk);
++ smc_clcsock_release(smc);
++ lock_sock(sk);
+ }
+ if (!smc->use_fallback)
+ smc_conn_free(&smc->conn);
+@@ -1037,13 +1036,13 @@ static void smc_listen_out(struct smc_so
+ struct smc_sock *lsmc = new_smc->listen_smc;
+ struct sock *newsmcsk = &new_smc->sk;
+
+- lock_sock_nested(&lsmc->sk, SINGLE_DEPTH_NESTING);
+ if (lsmc->sk.sk_state == SMC_LISTEN) {
++ lock_sock_nested(&lsmc->sk, SINGLE_DEPTH_NESTING);
+ smc_accept_enqueue(&lsmc->sk, newsmcsk);
++ release_sock(&lsmc->sk);
+ } else { /* no longer listening */
+ smc_close_non_accepted(newsmcsk);
+ }
+- release_sock(&lsmc->sk);
+
+ /* Wake up accept */
+ lsmc->sk.sk_data_ready(&lsmc->sk);
+@@ -1237,6 +1236,9 @@ static void smc_listen_work(struct work_
+ int rc = 0;
+ u8 ibport;
+
++ if (new_smc->listen_smc->sk.sk_state != SMC_LISTEN)
++ return smc_listen_out_err(new_smc);
++
+ if (new_smc->use_fallback) {
+ smc_listen_out_connected(new_smc);
+ return;
+--- a/net/smc/smc_close.c
++++ b/net/smc/smc_close.c
+@@ -20,6 +20,22 @@
+
+ #define SMC_CLOSE_WAIT_LISTEN_CLCSOCK_TIME (5 * HZ)
+
++/* release the clcsock that is assigned to the smc_sock */
++void smc_clcsock_release(struct smc_sock *smc)
++{
++ struct socket *tcp;
++
++ if (smc->listen_smc && current_work() != &smc->smc_listen_work)
++ cancel_work_sync(&smc->smc_listen_work);
++ mutex_lock(&smc->clcsock_release_lock);
++ if (smc->clcsock) {
++ tcp = smc->clcsock;
++ smc->clcsock = NULL;
++ sock_release(tcp);
++ }
++ mutex_unlock(&smc->clcsock_release_lock);
++}
++
+ static void smc_close_cleanup_listen(struct sock *parent)
+ {
+ struct sock *sk;
+@@ -320,6 +336,7 @@ static void smc_close_passive_work(struc
+ close_work);
+ struct smc_sock *smc = container_of(conn, struct smc_sock, conn);
+ struct smc_cdc_conn_state_flags *rxflags;
++ bool release_clcsock = false;
+ struct sock *sk = &smc->sk;
+ int old_state;
+
+@@ -399,13 +416,13 @@ wakeup:
+ if ((sk->sk_state == SMC_CLOSED) &&
+ (sock_flag(sk, SOCK_DEAD) || !sk->sk_socket)) {
+ smc_conn_free(conn);
+- if (smc->clcsock) {
+- sock_release(smc->clcsock);
+- smc->clcsock = NULL;
+- }
++ if (smc->clcsock)
++ release_clcsock = true;
+ }
+ }
+ release_sock(sk);
++ if (release_clcsock)
++ smc_clcsock_release(smc);
+ sock_put(sk); /* sock_hold done by schedulers of close_work */
+ }
+
+--- a/net/smc/smc_close.h
++++ b/net/smc/smc_close.h
+@@ -22,5 +22,6 @@ void smc_close_wake_tx_prepared(struct s
+ int smc_close_active(struct smc_sock *smc);
+ int smc_close_shutdown_write(struct smc_sock *smc);
+ void smc_close_init(struct smc_sock *smc);
++void smc_clcsock_release(struct smc_sock *smc);
+
+ #endif /* SMC_CLOSE_H */
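Review bot: In the smc_listen_out() hunk the `lsmc->sk.sk_state == SMC_LISTEN` test now runs before `lock_sock_nested()`, so the listen socket can leave SMC_LISTEN between the test and `smc_accept_enqueue()`. Whether a socket enqueued that late is still reaped depends on the listener's close path, which is outside these hunks. Once that is confirmed, the unlocked read deserves a comment such as `/* sk_state read unlocked; a late enqueue is drained by the listener's close path */`, or else a second state check under the lock. The comment on smc_clcsock_release() could also state that the caller must not hold the sock lock, since `cancel_work_sync()` waits for smc_listen_work, which per the commit text holds that lock. smc_listen_out() and smc_release() continue outside their hunks.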
diff --git a/patches.fixes/nl80211-Add-NL80211_FLAG_CLEAR_SKB-flag-for-other-NL.patch b/patches.fixes/nl80211-Add-NL80211_FLAG_CLEAR_SKB-flag-for-other-NL.patch
new file mode 100644
index 0000000000..bff32a3c7b
--- /dev/null
+++ b/patches.fixes/nl80211-Add-NL80211_FLAG_CLEAR_SKB-flag-for-other-NL.patch
@@ -0,0 +1,85 @@
+From d6db02a88a4aaa1cd7105137c67ddec7f3bdbc05 Mon Sep 17 00:00:00 2001
+From: Sunil Dutt <usdutt@codeaurora.org>
+Date: Mon, 25 Feb 2019 15:37:20 +0530
+Subject: [PATCH] nl80211: Add NL80211_FLAG_CLEAR_SKB flag for other NL commands
+Git-commit: d6db02a88a4aaa1cd7105137c67ddec7f3bdbc05
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+This commit adds NL80211_FLAG_CLEAR_SKB flag to other NL commands
+that carry key data to ensure they do not stick around on heap
+after the SKB is freed.
+
+Also introduced this flag for NL80211_CMD_VENDOR as there are sub
+commands which configure the keys.
+
+Signed-off-by: Sunil Dutt <usdutt@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/wireless/nl80211.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -12682,7 +12682,8 @@ static const struct genl_ops nl80211_ops
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_DEAUTHENTICATE,
+@@ -12733,7 +12734,8 @@ static const struct genl_ops nl80211_ops
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
+@@ -12741,7 +12743,8 @@ static const struct genl_ops nl80211_ops
+ .policy = nl80211_policy,
+ .flags = GENL_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_DISCONNECT,
+@@ -12770,7 +12773,8 @@ static const struct genl_ops nl80211_ops
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_DEL_PMKSA,
+@@ -13122,7 +13126,8 @@ static const struct genl_ops nl80211_ops
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_WIPHY |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_SET_QOS_MAP,
+@@ -13162,7 +13167,8 @@ static const struct genl_ops nl80211_ops
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
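Review bot: None of the six `nl80211_ops` entries that gain `NL80211_FLAG_CLEAR_SKB` says why, and each hunk starts below the entry's `.cmd` line, so the table does not show which commands are treated as key-carrying. Because the flag is set per entry, a command that later starts carrying key material is covered only if someone remembers to add it. A one-line comment on each flagged entry would make the intent reviewable, e.g. `/* carries key material: must not linger on the heap after the skb is freed */`. The ops array continues outside every hunk.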
diff --git a/patches.fixes/nvme-multipath-split-bios-with-the-ns_head-bio_set-b.patch b/patches.fixes/nvme-multipath-split-bios-with-the-ns_head-bio_set-b.patch
index 3ee8d3269c..da6a698744 100644
--- a/patches.fixes/nvme-multipath-split-bios-with-the-ns_head-bio_set-b.patch
+++ b/patches.fixes/nvme-multipath-split-bios-with-the-ns_head-bio_set-b.patch
@@ -3,8 +3,7 @@ Date: Tue, 30 Apr 2019 18:57:09 +0200
Subject: [PATCH] nvme-multipath: split bios with the ns_head bio_set before
submitting
Git-commit: 525aa5a705d86e193726ee465d1a975265fabf19
-Git-repo: git://git.kernel.dk/linux-block.git
-Patch-Mainline: queued in subsystem maintainer tree
+Patch-Mainline: v5.2-rc1
References: bsc#1103259, bsc#1131673
If the bio is moved to a different queue via blk_steal_bios() and
diff --git a/patches.fixes/team-set-slave-to-promisc-if-team-is-already-in-prom.patch b/patches.fixes/team-set-slave-to-promisc-if-team-is-already-in-prom.patch
new file mode 100644
index 0000000000..78382650bd
--- /dev/null
+++ b/patches.fixes/team-set-slave-to-promisc-if-team-is-already-in-prom.patch
@@ -0,0 +1,78 @@
+From 43c2adb9df7ddd6560fd3546d925b42cef92daa0 Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Mon, 8 Apr 2019 16:45:17 +0800
+Subject: [PATCH] team: set slave to promisc if team is already in promisc mode
+Git-commit: 43c2adb9df7ddd6560fd3546d925b42cef92daa0
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+After adding a team interface to bridge, the team interface will enter
+promisc mode. Then if we add a new slave to team0, the slave will keep
+promisc off. Fix it by setting slave to promisc on if team master is
+already in promisc mode, also do the same for allmulti.
+
+V2: add promisc and allmulti checking when delete ports
+
+Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/team/team.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index 6ed96fdfd96d..9ce61b019aad 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1246,6 +1246,23 @@ static int team_port_add(struct team *team, struct net_device *port_dev,
+ goto err_option_port_add;
+ }
+
++ /* set promiscuity level to new slave */
++ if (dev->flags & IFF_PROMISC) {
++ err = dev_set_promiscuity(port_dev, 1);
++ if (err)
++ goto err_set_slave_promisc;
++ }
++
++ /* set allmulti level to new slave */
++ if (dev->flags & IFF_ALLMULTI) {
++ err = dev_set_allmulti(port_dev, 1);
++ if (err) {
++ if (dev->flags & IFF_PROMISC)
++ dev_set_promiscuity(port_dev, -1);
++ goto err_set_slave_promisc;
++ }
++ }
++
+ netif_addr_lock_bh(dev);
+ dev_uc_sync_multiple(port_dev, dev);
+ dev_mc_sync_multiple(port_dev, dev);
+@@ -1262,6 +1279,9 @@ static int team_port_add(struct team *team, struct net_device *port_dev,
+
+ return 0;
+
++err_set_slave_promisc:
++ __team_option_inst_del_port(team, port);
++
+ err_option_port_add:
+ team_upper_dev_unlink(team, port);
+
+@@ -1307,6 +1327,12 @@ static int team_port_del(struct team *team, struct net_device *port_dev)
+
+ team_port_disable(team, port);
+ list_del_rcu(&port->list);
++
++ if (dev->flags & IFF_PROMISC)
++ dev_set_promiscuity(port_dev, -1);
++ if (dev->flags & IFF_ALLMULTI)
++ dev_set_allmulti(port_dev, -1);
++
+ team_upper_dev_unlink(team, port);
+ netdev_rx_handler_unregister(port_dev);
+ team_port_disable_netpoll(port);
+--
+2.16.4
+
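Review bot: The decrements added to team_port_del() are keyed on the team device's flags at removal time, not on whether this port was actually incremented in team_port_add(). The counts stay balanced only if every promisc/allmulti change on the team device between add and delete is mirrored to the ports, and that propagation is not part of this patch. A comment at the new block would record the pairing, e.g. `/* undo the increments from team_port_add(); assumes rx-flag changes on the team device are mirrored to every port */`. Both functions continue outside their hunks.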
diff --git a/patches.fixes/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-UFS-.patch b/patches.fixes/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-UFS-.patch
new file mode 100644
index 0000000000..24e5cafecf
--- /dev/null
+++ b/patches.fixes/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-UFS-.patch
@@ -0,0 +1,38 @@
+From 4e9036042fedaffcd868d7f7aa948756c48c637d Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 1 May 2019 22:46:11 -0400
+Subject: [PATCH] ufs: fix braino in ufs_get_inode_gid() for solaris UFS
+ flavour
+Git-commit: 4e9036042fedaffcd868d7f7aa948756c48c637d
+Patch-mainline: v5.1
+References: bsc#1135323
+
+To choose whether to pick the GID from the old (16bit) or new (32bit)
+field, we should check if the old gid field is set to 0xffff. Mainline
+checks the old *UID* field instead - cut'n'paste from the corresponding
+code in ufs_get_inode_uid().
+
+Fixes: 252e211e90ce
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ufs/util.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ufs/util.h b/fs/ufs/util.h
+index 1fd3011ea623..7fd4802222b8 100644
+--- a/fs/ufs/util.h
++++ b/fs/ufs/util.h
+@@ -229,7 +229,7 @@ ufs_get_inode_gid(struct super_block *sb, struct ufs_inode *inode)
+ case UFS_UID_44BSD:
+ return fs32_to_cpu(sb, inode->ui_u3.ui_44.ui_gid);
+ case UFS_UID_EFT:
+- if (inode->ui_u1.oldids.ui_suid == 0xFFFF)
++ if (inode->ui_u1.oldids.ui_sgid == 0xFFFF)
+ return fs32_to_cpu(sb, inode->ui_u3.ui_sun.ui_gid);
+ /* Fall through */
+ default:
+--
+2.16.4
+
diff --git a/patches.fixes/vsock-virtio-Initialize-core-virtio-vsock-before-reg.patch b/patches.fixes/vsock-virtio-Initialize-core-virtio-vsock-before-reg.patch
new file mode 100644
index 0000000000..da0d0c5f09
--- /dev/null
+++ b/patches.fixes/vsock-virtio-Initialize-core-virtio-vsock-before-reg.patch
@@ -0,0 +1,113 @@
+From ba95e5dfd36647622d8897a2a0470dde60e59ffd Mon Sep 17 00:00:00 2001
+From: "Jorge E. Moreira" <jemoreira@google.com>
+Date: Thu, 16 May 2019 13:51:07 -0700
+Subject: [PATCH] vsock/virtio: Initialize core virtio vsock before registering the driver
+Git-commit: ba95e5dfd36647622d8897a2a0470dde60e59ffd
+Patch-mainline: v5.2-rc2
+References: bsc#1051510
+
+Avoid a race in which static variables in net/vmw_vsock/af_vsock.c are
+accessed (while handling interrupts) before they are initialized.
+
+[ 4.201410] BUG: unable to handle kernel paging request at ffffffffffffffe8
+[ 4.207829] IP: vsock_addr_equals_addr+0x3/0x20
+[ 4.211379] PGD 28210067 P4D 28210067 PUD 28212067 PMD 0
+[ 4.211379] Oops: 0000 [#1] PREEMPT SMP PTI
+[ 4.211379] Modules linked in:
+[ 4.211379] CPU: 1 PID: 30 Comm: kworker/1:1 Not tainted 4.14.106-419297-gd7e28cc1f241 #1
+[ 4.211379] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+[ 4.211379] Workqueue: virtio_vsock virtio_transport_rx_work
+[ 4.211379] task: ffffa3273d175280 task.stack: ffffaea1800e8000
+[ 4.211379] RIP: 0010:vsock_addr_equals_addr+0x3/0x20
+[ 4.211379] RSP: 0000:ffffaea1800ebd28 EFLAGS: 00010286
+[ 4.211379] RAX: 0000000000000002 RBX: 0000000000000000 RCX: ffffffffb94e42f0
+[ 4.211379] RDX: 0000000000000400 RSI: ffffffffffffffe0 RDI: ffffaea1800ebdd0
+[ 4.211379] RBP: ffffaea1800ebd58 R08: 0000000000000001 R09: 0000000000000001
+[ 4.211379] R10: 0000000000000000 R11: ffffffffb89d5d60 R12: ffffaea1800ebdd0
+[ 4.211379] R13: 00000000828cbfbf R14: 0000000000000000 R15: ffffaea1800ebdc0
+[ 4.211379] FS: 0000000000000000(0000) GS:ffffa3273fd00000(0000) knlGS:0000000000000000
+[ 4.211379] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 4.211379] CR2: ffffffffffffffe8 CR3: 000000002820e001 CR4: 00000000001606e0
+[ 4.211379] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 4.211379] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 4.211379] Call Trace:
+[ 4.211379] ? vsock_find_connected_socket+0x6c/0xe0
+[ 4.211379] virtio_transport_recv_pkt+0x15f/0x740
+[ 4.211379] ? detach_buf+0x1b5/0x210
+[ 4.211379] virtio_transport_rx_work+0xb7/0x140
+[ 4.211379] process_one_work+0x1ef/0x480
+[ 4.211379] worker_thread+0x312/0x460
+[ 4.211379] kthread+0x132/0x140
+[ 4.211379] ? process_one_work+0x480/0x480
+[ 4.211379] ? kthread_destroy_worker+0xd0/0xd0
+[ 4.211379] ret_from_fork+0x35/0x40
+[ 4.211379] Code: c7 47 08 00 00 00 00 66 c7 07 28 00 c7 47 08 ff ff ff ff c7 47 04 ff ff ff ff c3 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 8b 47 08 <3b> 46 08 75 0a 8b 47 04 3b 46 04 0f 94 c0 c3 31 c0 c3 90 66 2e
+[ 4.211379] RIP: vsock_addr_equals_addr+0x3/0x20 RSP: ffffaea1800ebd28
+[ 4.211379] CR2: ffffffffffffffe8
+[ 4.211379] ---[ end trace f31cc4a2e6df3689 ]---
+[ 4.211379] Kernel panic - not syncing: Fatal exception in interrupt
+[ 4.211379] Kernel Offset: 0x37000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+[ 4.211379] Rebooting in 5 seconds..
+
+Fixes: 22b5c0b63f32 ("vsock/virtio: fix kernel panic after device hot-unplug")
+Cc: Stefan Hajnoczi <stefanha@redhat.com>
+Cc: Stefano Garzarella <sgarzare@redhat.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: kvm@vger.kernel.org
+Cc: virtualization@lists.linux-foundation.org
+Cc: netdev@vger.kernel.org
+Cc: kernel-team@android.com
+Cc: stable@vger.kernel.org [4.9+]
+Signed-off-by: Jorge E. Moreira <jemoreira@google.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/vmw_vsock/virtio_transport.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c
+index 15eb5d3d4750..96ab344f17bb 100644
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -702,28 +702,27 @@ static int __init virtio_vsock_init(void)
+ if (!virtio_vsock_workqueue)
+ return -ENOMEM;
+
+- ret = register_virtio_driver(&virtio_vsock_driver);
++ ret = vsock_core_init(&virtio_transport.transport);
+ if (ret)
+ goto out_wq;
+
+- ret = vsock_core_init(&virtio_transport.transport);
++ ret = register_virtio_driver(&virtio_vsock_driver);
+ if (ret)
+- goto out_vdr;
++ goto out_vci;
+
+ return 0;
+
+-out_vdr:
+- unregister_virtio_driver(&virtio_vsock_driver);
++out_vci:
++ vsock_core_exit();
+ out_wq:
+ destroy_workqueue(virtio_vsock_workqueue);
+ return ret;
+-
+ }
+
+ static void __exit virtio_vsock_exit(void)
+ {
+- vsock_core_exit();
+ unregister_virtio_driver(&virtio_vsock_driver);
++ vsock_core_exit();
+ destroy_workqueue(virtio_vsock_workqueue);
+ }
+
+--
+2.16.4
+
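Review bot: With `vsock_core_init()` now ahead of `register_virtio_driver()`, the transport is registered with the vsock core during a window in which no virtio device has been probed, and on exit the driver is gone before `vsock_core_exit()` runs. The transport callbacks therefore have to tolerate a missing device in both windows; the hunk does not show whether they do. If they already check for it, a comment at the reordered calls would keep the order from being flipped back, e.g. `/* core first: rx work can run as soon as the driver is registered */`.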
diff --git a/patches.fixes/vt-always-call-notifier-with-the-console-lock-held.patch b/patches.fixes/vt-always-call-notifier-with-the-console-lock-held.patch
new file mode 100644
index 0000000000..59e2139795
--- /dev/null
+++ b/patches.fixes/vt-always-call-notifier-with-the-console-lock-held.patch
@@ -0,0 +1,32 @@
+From 7e1d226345f89ad5d0216a9092c81386c89b4983 Mon Sep 17 00:00:00 2001
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+Date: Tue, 8 Jan 2019 22:55:00 -0500
+Subject: [PATCH] vt: always call notifier with the console lock held
+Git-commit: 7e1d226345f89ad5d0216a9092c81386c89b4983
+Patch-mainline: v5.0-rc4
+References: bsc#1051510
+
+Every invocation of notify_write() and notify_update() is performed
+under the console lock, except for one case. Let's fix that.
+
+Signed-off-by: Nicolas Pitre <nico@linaro.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/tty/vt/vt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -2435,8 +2435,8 @@ rescan_last_byte:
+ }
+ con_flush(vc, draw_from, draw_to, &draw_x);
+ console_conditional_schedule();
+- console_unlock();
+ notify_update(vc);
++ console_unlock();
+ return n;
+ }
+
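Review bot: The rule that notify_update() runs under the console lock is still only a convention after this change; nothing in the hunk enforces it, and the call site fixed here shows how easily it is missed. If notify_update() and notify_write() do not already assert it (their bodies are outside the hunk), adding `WARN_CONSOLE_UNLOCKED();` at the top of each would catch the next unlocked caller. The enclosing function starts outside the hunk.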
diff --git a/patches.fixes/xfs-add-log-item-pinning-error-injection-tag.patch b/patches.fixes/xfs-add-log-item-pinning-error-injection-tag.patch
new file mode 100644
index 0000000000..47768954c7
--- /dev/null
+++ b/patches.fixes/xfs-add-log-item-pinning-error-injection-tag.patch
@@ -0,0 +1,120 @@
+From 7f4d01f36a3ac16f539f0fd3839de5d58fa4940f Mon Sep 17 00:00:00 2001
+From: Brian Foster <bfoster@redhat.com>
+Date: Tue, 8 Aug 2017 18:21:52 -0700
+Subject: [PATCH] xfs: add log item pinning error injection tag
+Git-commit: 7f4d01f36a3ac16f539f0fd3839de5d58fa4940f
+Patch-mainline: v4.14-rc1
+References: bsc#1114427
+
+Add an error injection tag to force log items in the AIL to the
+pinned state. This option can be used by test infrastructure to
+induce head behind tail conditions. Specifically, this is intended
+to be used by xfstests to reproduce log recovery problems after
+failed/corrupted log writes overwrite the last good tail LSN in the
+log.
+
+When enabled, AIL push attempts see log items in the AIL in the
+pinned state. This stalls metadata writeback and thus prevents the
+current tail of the log from moving forward. When disabled,
+subsequent AIL pushes observe the log items in their appropriate
+state and filesystem operation continues as normal.
+
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_error.c | 3 +++
+ fs/xfs/xfs_error.h | 4 +++-
+ fs/xfs/xfs_trans_ail.c | 17 ++++++++++++++++-
+ 3 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/fs/xfs/xfs_error.c b/fs/xfs/xfs_error.c
+index 2f4feb959bfb..bd786a9ac2c3 100644
+--- a/fs/xfs/xfs_error.c
++++ b/fs/xfs/xfs_error.c
+@@ -57,6 +57,7 @@ static unsigned int xfs_errortag_random_default[] = {
+ XFS_RANDOM_AG_RESV_CRITICAL,
+ XFS_RANDOM_DROP_WRITES,
+ XFS_RANDOM_LOG_BAD_CRC,
++ XFS_RANDOM_LOG_ITEM_PIN,
+ };
+
+ struct xfs_errortag_attr {
+@@ -161,6 +162,7 @@ XFS_ERRORTAG_ATTR_RW(bmap_finish_one, XFS_ERRTAG_BMAP_FINISH_ONE);
+ XFS_ERRORTAG_ATTR_RW(ag_resv_critical, XFS_ERRTAG_AG_RESV_CRITICAL);
+ XFS_ERRORTAG_ATTR_RW(drop_writes, XFS_ERRTAG_DROP_WRITES);
+ XFS_ERRORTAG_ATTR_RW(log_bad_crc, XFS_ERRTAG_LOG_BAD_CRC);
++XFS_ERRORTAG_ATTR_RW(log_item_pin, XFS_ERRTAG_LOG_ITEM_PIN);
+
+ static struct attribute *xfs_errortag_attrs[] = {
+ XFS_ERRORTAG_ATTR_LIST(noerror),
+@@ -193,6 +195,7 @@ static struct attribute *xfs_errortag_attrs[] = {
+ XFS_ERRORTAG_ATTR_LIST(ag_resv_critical),
+ XFS_ERRORTAG_ATTR_LIST(drop_writes),
+ XFS_ERRORTAG_ATTR_LIST(log_bad_crc),
++ XFS_ERRORTAG_ATTR_LIST(log_item_pin),
+ NULL,
+ };
+
+diff --git a/fs/xfs/xfs_error.h b/fs/xfs/xfs_error.h
+index 7577be5f09bc..7c4bef3bddb7 100644
+--- a/fs/xfs/xfs_error.h
++++ b/fs/xfs/xfs_error.h
+@@ -106,7 +106,8 @@ extern void xfs_verifier_error(struct xfs_buf *bp);
+ */
+ #define XFS_ERRTAG_DROP_WRITES 28
+ #define XFS_ERRTAG_LOG_BAD_CRC 29
+-#define XFS_ERRTAG_MAX 30
++#define XFS_ERRTAG_LOG_ITEM_PIN 30
++#define XFS_ERRTAG_MAX 31
+
+ /*
+ * Random factors for above tags, 1 means always, 2 means 1/2 time, etc.
+@@ -141,6 +142,7 @@ extern void xfs_verifier_error(struct xfs_buf *bp);
+ #define XFS_RANDOM_AG_RESV_CRITICAL 4
+ #define XFS_RANDOM_DROP_WRITES 1
+ #define XFS_RANDOM_LOG_BAD_CRC 1
++#define XFS_RANDOM_LOG_ITEM_PIN 1
+
+ #ifdef DEBUG
+ extern int xfs_errortag_init(struct xfs_mount *mp);
+diff --git a/fs/xfs/xfs_trans_ail.c b/fs/xfs/xfs_trans_ail.c
+index 70f5ab017323..354368a906e5 100644
+--- a/fs/xfs/xfs_trans_ail.c
++++ b/fs/xfs/xfs_trans_ail.c
+@@ -325,6 +325,21 @@ xfs_ail_delete(
+ xfs_trans_ail_cursor_clear(ailp, lip);
+ }
+
++static inline uint
++xfsaild_push_item(
++ struct xfs_ail *ailp,
++ struct xfs_log_item *lip)
++{
++ /*
++ * If log item pinning is enabled, skip the push and track the item as
++ * pinned. This can help induce head-behind-tail conditions.
++ */
++ if (XFS_TEST_ERROR(false, ailp->xa_mount, XFS_ERRTAG_LOG_ITEM_PIN))
++ return XFS_ITEM_PINNED;
++
++ return lip->li_ops->iop_push(lip, &ailp->xa_buf_list);
++}
++
+ static long
+ xfsaild_push(
+ struct xfs_ail *ailp)
+@@ -382,7 +397,7 @@ xfsaild_push(
+ * rely on the AIL cursor implementation to be able to deal with
+ * the dropped lock.
+ */
+- lock_result = lip->li_ops->iop_push(lip, &ailp->xa_buf_list);
++ lock_result = xfsaild_push_item(ailp, lip);
+ switch (lock_result) {
+ case XFS_ITEM_SUCCESS:
+ XFS_STATS_INC(mp, xs_push_ail_success);
+--
+2.16.4
+
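Review bot: Adding a tag takes four edits that must stay aligned: the `XFS_ERRTAG_*` number, `XFS_ERRTAG_MAX`, the position of the `XFS_RANDOM_*` entry in `xfs_errortag_random_default[]`, and the attribute list. Nothing visible ties the array length to `XFS_ERRTAG_MAX`. A missed or misplaced array entry would presumably give a tag the wrong default frequency or index past the array. Unless xfs_errortag_init() already checks this (its body is not in the hunks), `BUILD_BUG_ON(ARRAY_SIZE(xfs_errortag_random_default) != XFS_ERRTAG_MAX);` there would catch it at compile time. The same applies to the XFS_ERRTAG_BUF_LRU_REF patch that follows.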
diff --git a/patches.fixes/xfs-buffer-lru-reference-count-error-injection-tag.patch b/patches.fixes/xfs-buffer-lru-reference-count-error-injection-tag.patch
new file mode 100644
index 0000000000..8f22bc056d
--- /dev/null
+++ b/patches.fixes/xfs-buffer-lru-reference-count-error-injection-tag.patch
@@ -0,0 +1,137 @@
+From 7561d27e90fa0df0aac2a1d6b49c2a28eaae7026 Mon Sep 17 00:00:00 2001
+From: Brian Foster <bfoster@redhat.com>
+Date: Tue, 17 Oct 2017 14:16:29 -0700
+Subject: [PATCH] xfs: buffer lru reference count error injection tag
+Git-commit: 7561d27e90fa0df0aac2a1d6b49c2a28eaae7026
+Patch-mainline: v4.15-rc1
+References: bsc#1114427
+
+XFS uses a fixed reference count for certain types of buffers in the
+internal LRU cache. These reference counts dictate how aggressively
+certain buffers are reclaimed vs. others. While the reference counts
+implements priority across different buffer types, all buffers
+(other than uncached buffers) are typically cached for at least one
+reclaim cycle.
+
+We've had at least one bug recently that has been hidden by a
+released buffer sitting around in the LRU. Users hitting the problem
+were able to reproduce under enough memory pressure to cause
+aggressive reclaim in a particular window of time.
+
+To support future xfstests cases, add an error injection tag to
+hardcode the buffer reference count to zero. When enabled, this
+bypasses caching of associated buffers and facilitates test cases
+that depend on this behavior.
+
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_buf.c | 16 ++++++++++++++++
+ fs/xfs/xfs_buf.h | 5 +----
+ fs/xfs/xfs_error.c | 3 +++
+ fs/xfs/xfs_error.h | 4 +++-
+ 4 files changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
+index 2f97c12ca75e..d481dd2b29a6 100644
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -42,6 +42,7 @@
+ #include "xfs_mount.h"
+ #include "xfs_trace.h"
+ #include "xfs_log.h"
++#include "xfs_error.h"
+
+ static kmem_zone_t *xfs_buf_zone;
+
+@@ -2129,3 +2130,18 @@ xfs_buf_terminate(void)
+ {
+ kmem_zone_destroy(xfs_buf_zone);
+ }
++
++void xfs_buf_set_ref(struct xfs_buf *bp, int lru_ref)
++{
++ struct xfs_mount *mp = bp->b_target->bt_mount;
++
++ /*
++ * Set the lru reference count to 0 based on the error injection tag.
++ * This allows userspace to disrupt buffer caching for debug/testing
++ * purposes.
++ */
++ if (XFS_TEST_ERROR(false, mp, XFS_ERRTAG_BUF_LRU_REF))
++ lru_ref = 0;
++
++ atomic_set(&bp->b_lru_ref, lru_ref);
++}
+diff --git a/fs/xfs/xfs_buf.h b/fs/xfs/xfs_buf.h
+index bf71507ddb16..f873bb786824 100644
+--- a/fs/xfs/xfs_buf.h
++++ b/fs/xfs/xfs_buf.h
+@@ -352,10 +352,7 @@ extern void xfs_buf_terminate(void);
+ #define XFS_BUF_ADDR(bp) ((bp)->b_maps[0].bm_bn)
+ #define XFS_BUF_SET_ADDR(bp, bno) ((bp)->b_maps[0].bm_bn = (xfs_daddr_t)(bno))
+
+-static inline void xfs_buf_set_ref(struct xfs_buf *bp, int lru_ref)
+-{
+- atomic_set(&bp->b_lru_ref, lru_ref);
+-}
++void xfs_buf_set_ref(struct xfs_buf *bp, int lru_ref);
+
+ static inline int xfs_buf_ispinned(struct xfs_buf *bp)
+ {
+diff --git a/fs/xfs/xfs_error.c b/fs/xfs/xfs_error.c
+index eaf86f55b7f2..6732b0a0d826 100644
+--- a/fs/xfs/xfs_error.c
++++ b/fs/xfs/xfs_error.c
+@@ -58,6 +58,7 @@ static unsigned int xfs_errortag_random_default[] = {
+ XFS_RANDOM_DROP_WRITES,
+ XFS_RANDOM_LOG_BAD_CRC,
+ XFS_RANDOM_LOG_ITEM_PIN,
++ XFS_RANDOM_BUF_LRU_REF,
+ };
+
+ struct xfs_errortag_attr {
+@@ -163,6 +164,7 @@ XFS_ERRORTAG_ATTR_RW(ag_resv_critical, XFS_ERRTAG_AG_RESV_CRITICAL);
+ XFS_ERRORTAG_ATTR_RW(drop_writes, XFS_ERRTAG_DROP_WRITES);
+ XFS_ERRORTAG_ATTR_RW(log_bad_crc, XFS_ERRTAG_LOG_BAD_CRC);
+ XFS_ERRORTAG_ATTR_RW(log_item_pin, XFS_ERRTAG_LOG_ITEM_PIN);
++XFS_ERRORTAG_ATTR_RW(buf_lru_ref, XFS_ERRTAG_BUF_LRU_REF);
+
+ static struct attribute *xfs_errortag_attrs[] = {
+ XFS_ERRORTAG_ATTR_LIST(noerror),
+@@ -196,6 +198,7 @@ static struct attribute *xfs_errortag_attrs[] = {
+ XFS_ERRORTAG_ATTR_LIST(drop_writes),
+ XFS_ERRORTAG_ATTR_LIST(log_bad_crc),
+ XFS_ERRORTAG_ATTR_LIST(log_item_pin),
++ XFS_ERRORTAG_ATTR_LIST(buf_lru_ref),
+ NULL,
+ };
+
+diff --git a/fs/xfs/xfs_error.h b/fs/xfs/xfs_error.h
+index 7c4bef3bddb7..78a7f43f8d01 100644
+--- a/fs/xfs/xfs_error.h
++++ b/fs/xfs/xfs_error.h
+@@ -107,7 +107,8 @@ extern void xfs_verifier_error(struct xfs_buf *bp);
+ #define XFS_ERRTAG_DROP_WRITES 28
+ #define XFS_ERRTAG_LOG_BAD_CRC 29
+ #define XFS_ERRTAG_LOG_ITEM_PIN 30
+-#define XFS_ERRTAG_MAX 31
++#define XFS_ERRTAG_BUF_LRU_REF 31
++#define XFS_ERRTAG_MAX 32
+
+ /*
+ * Random factors for above tags, 1 means always, 2 means 1/2 time, etc.
+@@ -143,6 +144,7 @@ extern void xfs_verifier_error(struct xfs_buf *bp);
+ #define XFS_RANDOM_DROP_WRITES 1
+ #define XFS_RANDOM_LOG_BAD_CRC 1
+ #define XFS_RANDOM_LOG_ITEM_PIN 1
++#define XFS_RANDOM_BUF_LRU_REF 2
+
+ #ifdef DEBUG
+ extern int xfs_errortag_init(struct xfs_mount *mp);
+--
+2.16.4
+
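Review bot: The comment in xfs_buf_set_ref() reads as if an enabled tag always zeroes the count, but `XFS_RANDOM_BUF_LRU_REF` is 2, which the header's own comment defines as firing half the time. A test that depends on buffers never being cached would have to set the frequency to 1 explicitly. Suggest wording the comment as `/* When the error tag fires (default frequency 1/2), force the LRU reference count to 0 so the buffer is not cached. */`.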
diff --git a/patches.fixes/xfs-check-_btree_check_block-value.patch b/patches.fixes/xfs-check-_btree_check_block-value.patch
new file mode 100644
index 0000000000..a5d0edf4c8
--- /dev/null
+++ b/patches.fixes/xfs-check-_btree_check_block-value.patch
@@ -0,0 +1,49 @@
+From 1e86eabe73b73c82e1110c746ed3ec6d5e1c0a0d Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Mon, 17 Jul 2017 14:30:45 -0700
+Subject: [PATCH] xfs: check _btree_check_block value
+Git-commit: 1e86eabe73b73c82e1110c746ed3ec6d5e1c0a0d
+Patch-mainline: v4.13-rc3
+References: bsc#1123663
+
+Check the _btree_check_block return value for the firstrec and lastrec
+functions, since we have the ability to signal that the repositioning
+did not succeed.
+
+Fixes-coverity-id: 114067
+Fixes-coverity-id: 114068
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_btree.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_btree.c b/fs/xfs/libxfs/xfs_btree.c
+index 4da85fff69ad..e0bcc4a59efd 100644
+--- a/fs/xfs/libxfs/xfs_btree.c
++++ b/fs/xfs/libxfs/xfs_btree.c
+@@ -728,7 +728,8 @@ xfs_btree_firstrec(
+ * Get the block pointer for this level.
+ */
+ block = xfs_btree_get_block(cur, level, &bp);
+- xfs_btree_check_block(cur, block, level, bp);
++ if (xfs_btree_check_block(cur, block, level, bp))
++ return 0;
+ /*
+ * It's empty, there is no such record.
+ */
+@@ -757,7 +758,8 @@ xfs_btree_lastrec(
+ * Get the block pointer for this level.
+ */
+ block = xfs_btree_get_block(cur, level, &bp);
+- xfs_btree_check_block(cur, block, level, bp);
++ if (xfs_btree_check_block(cur, block, level, bp))
++ return 0;
+ /*
+ * It's empty, there is no such record.
+ */
+--
+2.16.4
+
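Review bot: The two early `return 0;` paths fold a failed block check into the same result as the empty-block case handled just below, so a caller of xfs_btree_firstrec() or xfs_btree_lastrec() cannot tell corruption from "no record". If that is intended, say so at each site, e.g. `/* block failed verification: report no record instead of walking it */`. Both functions start and end outside their hunks.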
diff --git a/patches.fixes/xfs-convert-drop_writes-to-use-the-errortag-mechanis.patch b/patches.fixes/xfs-convert-drop_writes-to-use-the-errortag-mechanis.patch
new file mode 100644
index 0000000000..6381bef09e
--- /dev/null
+++ b/patches.fixes/xfs-convert-drop_writes-to-use-the-errortag-mechanis.patch
@@ -0,0 +1,194 @@
+From f8c47250ba46eb221d1ac537266ac65bcf2866d5 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 20 Jun 2017 17:54:48 -0700
+Subject: [PATCH] xfs: convert drop_writes to use the errortag mechanism
+Git-commit: f8c47250ba46eb221d1ac537266ac65bcf2866d5
+Patch-mainline: v4.13-rc1
+References: bsc#1114427
+
+We now have enhanced error injection that can control the frequency
+with which errors happen, so convert drop_writes to use this.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_error.c | 3 +++
+ fs/xfs/xfs_error.h | 12 +++++++++++-
+ fs/xfs/xfs_iomap.c | 2 +-
+ fs/xfs/xfs_mount.h | 24 ------------------------
+ fs/xfs/xfs_sysfs.c | 42 ------------------------------------------
+ 5 files changed, 15 insertions(+), 68 deletions(-)
+
+diff --git a/fs/xfs/xfs_error.c b/fs/xfs/xfs_error.c
+index e2278af6aed1..a2f23d2bab16 100644
+--- a/fs/xfs/xfs_error.c
++++ b/fs/xfs/xfs_error.c
+@@ -55,6 +55,7 @@ static unsigned int xfs_errortag_random_default[] = {
+ XFS_RANDOM_REFCOUNT_FINISH_ONE,
+ XFS_RANDOM_BMAP_FINISH_ONE,
+ XFS_RANDOM_AG_RESV_CRITICAL,
++ XFS_RANDOM_DROP_WRITES,
+ };
+
+ struct xfs_errortag_attr {
+@@ -157,6 +158,7 @@ XFS_ERRORTAG_ATTR_RW(refcount_continue_update, XFS_ERRTAG_REFCOUNT_CONTINUE_UPDA
+ XFS_ERRORTAG_ATTR_RW(refcount_finish_one, XFS_ERRTAG_REFCOUNT_FINISH_ONE);
+ XFS_ERRORTAG_ATTR_RW(bmap_finish_one, XFS_ERRTAG_BMAP_FINISH_ONE);
+ XFS_ERRORTAG_ATTR_RW(ag_resv_critical, XFS_ERRTAG_AG_RESV_CRITICAL);
++XFS_ERRORTAG_ATTR_RW(drop_writes, XFS_ERRTAG_DROP_WRITES);
+
+ static struct attribute *xfs_errortag_attrs[] = {
+ XFS_ERRORTAG_ATTR_LIST(noerror),
+@@ -187,6 +189,7 @@ static struct attribute *xfs_errortag_attrs[] = {
+ XFS_ERRORTAG_ATTR_LIST(refcount_finish_one),
+ XFS_ERRORTAG_ATTR_LIST(bmap_finish_one),
+ XFS_ERRORTAG_ATTR_LIST(ag_resv_critical),
++ XFS_ERRORTAG_ATTR_LIST(drop_writes),
+ NULL,
+ };
+
+diff --git a/fs/xfs/xfs_error.h b/fs/xfs/xfs_error.h
+index ae8935b90a93..e0e4cf776fac 100644
+--- a/fs/xfs/xfs_error.h
++++ b/fs/xfs/xfs_error.h
+@@ -96,7 +96,16 @@ extern void xfs_verifier_error(struct xfs_buf *bp);
+ #define XFS_ERRTAG_REFCOUNT_FINISH_ONE 25
+ #define XFS_ERRTAG_BMAP_FINISH_ONE 26
+ #define XFS_ERRTAG_AG_RESV_CRITICAL 27
+-#define XFS_ERRTAG_MAX 28
++/*
++ * DEBUG mode instrumentation to test and/or trigger delayed allocation
++ * block killing in the event of failed writes. When enabled, all
++ * buffered writes are silenty dropped and handled as if they failed.
++ * All delalloc blocks in the range of the write (including pre-existing
++ * delalloc blocks!) are tossed as part of the write failure error
++ * handling sequence.
++ */
++#define XFS_ERRTAG_DROP_WRITES 28
++#define XFS_ERRTAG_MAX 29
+
+ /*
+ * Random factors for above tags, 1 means always, 2 means 1/2 time, etc.
+@@ -129,6 +138,7 @@ extern void xfs_verifier_error(struct xfs_buf *bp);
+ #define XFS_RANDOM_REFCOUNT_FINISH_ONE 1
+ #define XFS_RANDOM_BMAP_FINISH_ONE 1
+ #define XFS_RANDOM_AG_RESV_CRITICAL 4
++#define XFS_RANDOM_DROP_WRITES 1
+
+ #ifdef DEBUG
+ extern int xfs_errortag_init(struct xfs_mount *mp);
+diff --git a/fs/xfs/xfs_iomap.c b/fs/xfs/xfs_iomap.c
+index 304b79d681e4..86f1a9fa46d2 100644
+--- a/fs/xfs/xfs_iomap.c
++++ b/fs/xfs/xfs_iomap.c
+@@ -1097,7 +1097,7 @@ xfs_file_iomap_end_delalloc(
+ * Behave