Home Home > GIT Browse > SLE12-SP4-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohannes Thumshirn <jthumshirn@suse.de>2019-02-20 12:57:50 +0100
committerJohannes Thumshirn <jthumshirn@suse.de>2019-02-20 12:57:50 +0100
commit2056933076eabef7607b53073bc8e6b47fcf2155 (patch)
treeaa1fa848449228807c8d3033a2e92bea70e2d7f0
parent0f2687b3e0a70b49d678effec3069bf305e8a24b (diff)
parente503a7e91989c9d7445ad987dbc5facc3a7b3bca (diff)
Merge remote-tracking branch 'origin/SLE15' into SLE12-SP4
Conflicts: patches.kabi/nvme-kABI-fix-for-scan_lock.patch series.conf
-rw-r--r--patches.fixes/acpi-nfit-Block-function-zero-DSMs.patch2
-rw-r--r--patches.fixes/acpi-nfit-Fix-command-supported-detection.patch2
-rw-r--r--patches.fixes/bpf-enable-access-to-ax-register-also-from-verifier-.patch70
-rw-r--r--patches.fixes/bpf-fix-check_map_access-smin_value-test-when-pointe.patch2
-rw-r--r--patches.fixes/bpf-move-prev_-insn_idx-into-verifier-env.patch2
-rw-r--r--patches.fixes/bpf-move-tmp-variable-into-ax-register-in-interprete.patch144
-rw-r--r--patches.fixes/bpf-prevent-out-of-bounds-speculation-on-pointer-ari.patch2
-rw-r--r--patches.fixes/bpf-restrict-map-value-pointer-arithmetic-for-unpriv.patch2
-rw-r--r--patches.fixes/bpf-restrict-stack-pointer-arithmetic-for-unprivileg.patch2
-rw-r--r--patches.fixes/bpf-restrict-unknown-scalars-of-mixed-signed-bounds-.patch2
-rw-r--r--patches.fixes/nvme-lock-NS-list-changes-while-handling-command-eff.patch96
-rw-r--r--patches.kabi/nvme-kABI-fix-for-scan_lock.patch32
-rw-r--r--series.conf7
13 files changed, 356 insertions, 9 deletions
diff --git a/patches.fixes/acpi-nfit-Block-function-zero-DSMs.patch b/patches.fixes/acpi-nfit-Block-function-zero-DSMs.patch
index f5bd065fd9..b063d69b57 100644
--- a/patches.fixes/acpi-nfit-Block-function-zero-DSMs.patch
+++ b/patches.fixes/acpi-nfit-Block-function-zero-DSMs.patch
@@ -4,7 +4,7 @@ Date: Mon, 14 Jan 2019 14:07:19 -0800
Subject: [PATCH] acpi/nfit: Block function zero DSMs
Git-commit: 5e9e38d0db1d29efed1dd4cf9a70115d33521be7
Patch-mainline: v5.0-rc4
-References: bsc#1051510
+References: bsc#1051510, bsc#1121789
In preparation for using function number 0 as an error value, prevent it
from being considered a valid function value by acpi_nfit_ctl().
diff --git a/patches.fixes/acpi-nfit-Fix-command-supported-detection.patch b/patches.fixes/acpi-nfit-Fix-command-supported-detection.patch
index c4c1c3bb2a..442ae7ed8e 100644
--- a/patches.fixes/acpi-nfit-Fix-command-supported-detection.patch
+++ b/patches.fixes/acpi-nfit-Fix-command-supported-detection.patch
@@ -4,7 +4,7 @@ Date: Sat, 19 Jan 2019 10:55:04 -0800
Subject: [PATCH] acpi/nfit: Fix command-supported detection
Git-commit: 11189c1089da413aa4b5fd6be4c4d47c78968819
Patch-mainline: v5.0-rc4
-References: bsc#1051510
+References: bsc#1051510, bsc#1121789
The _DSM function number validation only happens to succeed when the
generic Linux command number translation corresponds with a
diff --git a/patches.fixes/bpf-enable-access-to-ax-register-also-from-verifier-.patch b/patches.fixes/bpf-enable-access-to-ax-register-also-from-verifier-.patch
new file mode 100644
index 0000000000..3cce51bc75
--- /dev/null
+++ b/patches.fixes/bpf-enable-access-to-ax-register-also-from-verifier-.patch
@@ -0,0 +1,70 @@
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Thu, 3 Jan 2019 00:58:29 +0100
+Subject: bpf: enable access to ax register also from verifier rewrite
+Patch-mainline: v5.0-rc1
+Git-commit: 9b73bfdd08e73231d6a90ae6db4b46b3fbf56c30
+References: bsc#1124055 CVE-2019-7308
+
+Right now we are using BPF ax register in JIT for constant blinding as
+well as in interpreter as temporary variable. Verifier will not be able
+to use it simply because its use will get overridden from the former in
+bpf_jit_blind_insn(). However, it can be made to work in that blinding
+will be skipped if there is prior use in either source or destination
+register on the instruction. Taking constraints of ax into account, the
+verifier is then open to use it in rewrites under some constraints. Note,
+ax register already has mappings in every eBPF JIT.
+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Gary Lin <glin@suse.com>
+---
+ include/linux/filter.h | 7 +------
+ kernel/bpf/core.c | 20 ++++++++++++++++++++
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -48,12 +48,7 @@ struct bpf_prog_aux;
+ #define BPF_REG_X BPF_REG_7
+ #define BPF_REG_TMP BPF_REG_8
+
+-/* Kernel hidden auxiliary/helper register for hardening step.
+- * Only used by eBPF JITs. It's nothing more than a temporary
+- * register that JITs use internally, only that here it's part
+- * of eBPF instructions that have been rewritten for blinding
+- * constants. See JIT pre-step in bpf_jit_blind_constants().
+- */
++/* Kernel hidden auxiliary/helper register. */
+ #define BPF_REG_AX MAX_BPF_REG
+ #define MAX_BPF_EXT_REG (MAX_BPF_REG + 1)
+ #define MAX_BPF_JIT_REG MAX_BPF_EXT_REG
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -557,6 +557,26 @@ static int bpf_jit_blind_insn(const stru
+ BUILD_BUG_ON(BPF_REG_AX + 1 != MAX_BPF_JIT_REG);
+ BUILD_BUG_ON(MAX_BPF_REG + 1 != MAX_BPF_JIT_REG);
+
++ /* Constraints on AX register:
++ *
++ * AX register is inaccessible from user space. It is mapped in
++ * all JITs, and used here for constant blinding rewrites. It is
++ * typically "stateless" meaning its contents are only valid within
++ * the executed instruction, but not across several instructions.
++ * There are a few exceptions however which are further detailed
++ * below.
++ *
++ * Constant blinding is only used by JITs, not in the interpreter.
++ * The interpreter uses AX in some occasions as a local temporary
++ * register e.g. in DIV or MOD instructions.
++ *
++ * In restricted circumstances, the verifier can also use the AX
++ * register for rewrites as long as they do not interfere with
++ * the above cases!
++ */
++ if (from->dst_reg == BPF_REG_AX || from->src_reg == BPF_REG_AX)
++ goto out;
++
+ if (from->imm == 0 &&
+ (from->code == (BPF_ALU | BPF_MOV | BPF_K) ||
+ from->code == (BPF_ALU64 | BPF_MOV | BPF_K))) {
diff --git a/patches.fixes/bpf-fix-check_map_access-smin_value-test-when-pointe.patch b/patches.fixes/bpf-fix-check_map_access-smin_value-test-when-pointe.patch
index 8d11645171..f23eeb2658 100644
--- a/patches.fixes/bpf-fix-check_map_access-smin_value-test-when-pointe.patch
+++ b/patches.fixes/bpf-fix-check_map_access-smin_value-test-when-pointe.patch
@@ -4,7 +4,7 @@ Subject: bpf: fix check_map_access smin_value test when pointer contains
offset
Patch-mainline: v5.0-rc1
Git-commit: b7137c4eab85c1cf3d46acdde90ce1163b28c873
-References: bsc#1068032 CVE-2017-5753
+References: bsc#1068032 CVE-2017-5753 bsc#1124055 CVE-2019-7308
In check_map_access() we probe actual bounds through __check_map_access()
with offset of reg->smin_value + off for lower bound and offset of
diff --git a/patches.fixes/bpf-move-prev_-insn_idx-into-verifier-env.patch b/patches.fixes/bpf-move-prev_-insn_idx-into-verifier-env.patch
index cba26cdae2..e15ba62757 100644
--- a/patches.fixes/bpf-move-prev_-insn_idx-into-verifier-env.patch
+++ b/patches.fixes/bpf-move-prev_-insn_idx-into-verifier-env.patch
@@ -3,7 +3,7 @@ Date: Thu, 3 Jan 2019 00:58:27 +0100
Subject: bpf: move {prev_,}insn_idx into verifier env
Patch-mainline: v5.0-rc1
Git-commit: c08435ec7f2bc8f4109401f696fd55159b4b40cb
-References: bsc#1068032 CVE-2017-5753
+References: bsc#1068032 CVE-2017-5753 bsc#1124055 CVE-2019-7308
Move prev_insn_idx and insn_idx from the do_check() function into
the verifier environment, so they can be read inside the various
diff --git a/patches.fixes/bpf-move-tmp-variable-into-ax-register-in-interprete.patch b/patches.fixes/bpf-move-tmp-variable-into-ax-register-in-interprete.patch
new file mode 100644
index 0000000000..51961e7db9
--- /dev/null
+++ b/patches.fixes/bpf-move-tmp-variable-into-ax-register-in-interprete.patch
@@ -0,0 +1,144 @@
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Thu, 3 Jan 2019 00:58:28 +0100
+Subject: bpf: move tmp variable into ax register in interpreter
+Patch-mainline: v5.0-rc1
+Git-commit: 144cd91c4c2bced6eb8a7e25e590f6618a11e854
+References: bsc#1124055 CVE-2019-7308
+
+This change moves the on-stack 64 bit tmp variable in ___bpf_prog_run()
+into the hidden ax register. The latter is currently only used in JITs
+for constant blinding as a temporary scratch register, meaning the BPF
+interpreter will never see the use of ax. Therefore it is safe to use
+it for the cases where tmp has been used earlier. This is needed to later
+on allow restricted hidden use of ax in both interpreter and JITs.
+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Gary Lin <glin@suse.com>
+---
+ include/linux/filter.h | 3 ++-
+ kernel/bpf/core.c | 38 +++++++++++++++++++-------------------
+ 2 files changed, 21 insertions(+), 20 deletions(-)
+
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -55,7 +55,8 @@ struct bpf_prog_aux;
+ * constants. See JIT pre-step in bpf_jit_blind_constants().
+ */
+ #define BPF_REG_AX MAX_BPF_REG
+-#define MAX_BPF_JIT_REG (MAX_BPF_REG + 1)
++#define MAX_BPF_EXT_REG (MAX_BPF_REG + 1)
++#define MAX_BPF_JIT_REG MAX_BPF_EXT_REG
+
+ /* unused opcode to mark special call to bpf_tail_call() helper */
+ #define BPF_TAIL_CALL 0xf0
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -51,6 +51,7 @@
+ #define DST regs[insn->dst_reg]
+ #define SRC regs[insn->src_reg]
+ #define FP regs[BPF_REG_FP]
++#define AX regs[BPF_REG_AX]
+ #define ARG1 regs[BPF_REG_ARG1]
+ #define CTX regs[BPF_REG_CTX]
+ #define IMM insn->imm
+@@ -771,7 +772,6 @@ EXPORT_SYMBOL_GPL(__bpf_call_base);
+ static unsigned int ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn,
+ u64 *stack)
+ {
+- u64 tmp;
+ static const void *jumptable[256] = {
+ [0 ... 255] = &&default_label,
+ /* Now overwrite non-defaults ... */
+@@ -945,22 +945,22 @@ select_insn:
+ ALU64_MOD_X:
+ if (unlikely(SRC == 0))
+ return 0;
+- div64_u64_rem(DST, SRC, &tmp);
+- DST = tmp;
++ div64_u64_rem(DST, SRC, &AX);
++ DST = AX;
+ CONT;
+ ALU_MOD_X:
+ if (unlikely((u32)SRC == 0))
+ return 0;
+- tmp = (u32) DST;
+- DST = do_div(tmp, (u32) SRC);
++ AX = (u32) DST;
++ DST = do_div(AX, (u32) SRC);
+ CONT;
+ ALU64_MOD_K:
+- div64_u64_rem(DST, IMM, &tmp);
+- DST = tmp;
++ div64_u64_rem(DST, IMM, &AX);
++ DST = AX;
+ CONT;
+ ALU_MOD_K:
+- tmp = (u32) DST;
+- DST = do_div(tmp, (u32) IMM);
++ AX = (u32) DST;
++ DST = do_div(AX, (u32) IMM);
+ CONT;
+ ALU64_DIV_X:
+ if (unlikely(SRC == 0))
+@@ -970,17 +970,17 @@ select_insn:
+ ALU_DIV_X:
+ if (unlikely((u32)SRC == 0))
+ return 0;
+- tmp = (u32) DST;
+- do_div(tmp, (u32) SRC);
+- DST = (u32) tmp;
++ AX = (u32) DST;
++ do_div(AX, (u32) SRC);
++ DST = (u32) AX;
+ CONT;
+ ALU64_DIV_K:
+ DST = div64_u64(DST, IMM);
+ CONT;
+ ALU_DIV_K:
+- tmp = (u32) DST;
+- do_div(tmp, (u32) IMM);
+- DST = (u32) tmp;
++ AX = (u32) DST;
++ do_div(AX, (u32) IMM);
++ DST = (u32) AX;
+ CONT;
+ ALU_END_TO_BE:
+ switch (IMM) {
+@@ -1235,7 +1235,7 @@ load_word:
+ * BPF_R0 - 8/16/32-bit skb data converted to cpu endianness
+ */
+
+- ptr = bpf_load_pointer((struct sk_buff *) (unsigned long) CTX, off, 4, &tmp);
++ ptr = bpf_load_pointer((struct sk_buff *) (unsigned long) CTX, off, 4, &AX);
+ if (likely(ptr != NULL)) {
+ BPF_R0 = get_unaligned_be32(ptr);
+ CONT;
+@@ -1245,7 +1245,7 @@ load_word:
+ LD_ABS_H: /* BPF_R0 = ntohs(*(u16 *) (skb->data + imm32)) */
+ off = IMM;
+ load_half:
+- ptr = bpf_load_pointer((struct sk_buff *) (unsigned long) CTX, off, 2, &tmp);
++ ptr = bpf_load_pointer((struct sk_buff *) (unsigned long) CTX, off, 2, &AX);
+ if (likely(ptr != NULL)) {
+ BPF_R0 = get_unaligned_be16(ptr);
+ CONT;
+@@ -1255,7 +1255,7 @@ load_half:
+ LD_ABS_B: /* BPF_R0 = *(u8 *) (skb->data + imm32) */
+ off = IMM;
+ load_byte:
+- ptr = bpf_load_pointer((struct sk_buff *) (unsigned long) CTX, off, 1, &tmp);
++ ptr = bpf_load_pointer((struct sk_buff *) (unsigned long) CTX, off, 1, &AX);
+ if (likely(ptr != NULL)) {
+ BPF_R0 = *(u8 *)ptr;
+ CONT;
+@@ -1284,7 +1284,7 @@ STACK_FRAME_NON_STANDARD(___bpf_prog_run
+ static unsigned int PROG_NAME(stack_size)(const void *ctx, const struct bpf_insn *insn) \
+ { \
+ u64 stack[stack_size / sizeof(u64)]; \
+- u64 regs[MAX_BPF_REG]; \
++ u64 regs[MAX_BPF_EXT_REG]; \
+ \
+ FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \
+ ARG1 = (u64) (unsigned long) ctx; \
diff --git a/patches.fixes/bpf-prevent-out-of-bounds-speculation-on-pointer-ari.patch b/patches.fixes/bpf-prevent-out-of-bounds-speculation-on-pointer-ari.patch
index 41f10f4181..16ac5ed040 100644
--- a/patches.fixes/bpf-prevent-out-of-bounds-speculation-on-pointer-ari.patch
+++ b/patches.fixes/bpf-prevent-out-of-bounds-speculation-on-pointer-ari.patch
@@ -3,7 +3,7 @@ Date: Thu, 3 Jan 2019 00:58:34 +0100
Subject: bpf: prevent out of bounds speculation on pointer arithmetic
Patch-mainline: v5.0-rc1
Git-commit: 979d63d50c0c0f7bc537bf821e056cc9fe5abd38
-References: bsc#1068032 CVE-2017-5753
+References: bsc#1068032 CVE-2017-5753 bsc#1124055 CVE-2019-7308
Jann reported that the original commit back in b2157399cc98
("bpf: prevent out-of-bounds speculation") was not sufficient
diff --git a/patches.fixes/bpf-restrict-map-value-pointer-arithmetic-for-unpriv.patch b/patches.fixes/bpf-restrict-map-value-pointer-arithmetic-for-unpriv.patch
index ae75cd0be1..5abfbda004 100644
--- a/patches.fixes/bpf-restrict-map-value-pointer-arithmetic-for-unpriv.patch
+++ b/patches.fixes/bpf-restrict-map-value-pointer-arithmetic-for-unpriv.patch
@@ -3,7 +3,7 @@ Date: Thu, 3 Jan 2019 00:58:30 +0100
Subject: bpf: restrict map value pointer arithmetic for unprivileged
Patch-mainline: v5.0-rc1
Git-commit: 0d6303db7970e6f56ae700fa07e11eb510cda125
-References: bsc#1068032 CVE-2017-5753
+References: bsc#1068032 CVE-2017-5753 bsc#1124055 CVE-2019-7308
Restrict map value pointer arithmetic for unprivileged users in that
arithmetic itself must not go out of bounds as opposed to the actual
diff --git a/patches.fixes/bpf-restrict-stack-pointer-arithmetic-for-unprivileg.patch b/patches.fixes/bpf-restrict-stack-pointer-arithmetic-for-unprivileg.patch
index a7cec82f8d..64348a467e 100644
--- a/patches.fixes/bpf-restrict-stack-pointer-arithmetic-for-unprivileg.patch
+++ b/patches.fixes/bpf-restrict-stack-pointer-arithmetic-for-unprivileg.patch
@@ -3,7 +3,7 @@ Date: Thu, 3 Jan 2019 00:58:31 +0100
Subject: bpf: restrict stack pointer arithmetic for unprivileged
Patch-mainline: v5.0-rc1
Git-commit: e4298d25830a866cc0f427d4bccb858e76715859
-References: bsc#1068032 CVE-2017-5753
+References: bsc#1068032 CVE-2017-5753 bsc#1124055 CVE-2019-7308
Restrict stack pointer arithmetic for unprivileged users in that
arithmetic itself must not go out of bounds as opposed to the actual
diff --git a/patches.fixes/bpf-restrict-unknown-scalars-of-mixed-signed-bounds-.patch b/patches.fixes/bpf-restrict-unknown-scalars-of-mixed-signed-bounds-.patch
index 21985c592a..c5a462e273 100644
--- a/patches.fixes/bpf-restrict-unknown-scalars-of-mixed-signed-bounds-.patch
+++ b/patches.fixes/bpf-restrict-unknown-scalars-of-mixed-signed-bounds-.patch
@@ -3,7 +3,7 @@ Date: Thu, 3 Jan 2019 00:58:32 +0100
Subject: bpf: restrict unknown scalars of mixed signed bounds for unprivileged
Patch-mainline: v5.0-rc1
Git-commit: 9d7eceede769f90b66cfa06ad5b357140d5141ed
-References: bsc#1068032 CVE-2017-5753
+References: bsc#1068032 CVE-2017-5753 bsc#1124055 CVE-2019-7308
For unknown scalars of mixed signed bounds, meaning their smin_value is
negative and their smax_value is positive, we need to reject arithmetic
diff --git a/patches.fixes/nvme-lock-NS-list-changes-while-handling-command-eff.patch b/patches.fixes/nvme-lock-NS-list-changes-while-handling-command-eff.patch
new file mode 100644
index 0000000000..cef94e9e1a
--- /dev/null
+++ b/patches.fixes/nvme-lock-NS-list-changes-while-handling-command-eff.patch
@@ -0,0 +1,96 @@
+From: Keith Busch <keith.busch@intel.com>
+Date: Mon, 28 Jan 2019 09:46:07 -0700
+Subject: [PATCH] nvme: lock NS list changes while handling command effects
+Git-commit: e7ad43c3eda6a1690c4c3c341f95dc1c6898da83
+Patch-Mainline: v5.0-rc6
+References: bsc#1123882
+
+If a controller supports the NS Change Notification, the namespace
+scan_work is automatically triggered after attaching a new namespace.
+
+Occasionally the namespace scan_work may append the new namespace to the
+list before the admin command effects handling is completed. The effects
+handling unfreezes namespaces, but if it unfreezes the newly attached
+namespace, its request_queue freeze depth will be off and we'll hit the
+warning in blk_mq_unfreeze_queue().
+
+On the next namespace add, we will fail to freeze that queue due to the
+previous bad accounting and deadlock waiting for frozen.
+
+Fix that by preventing scan work from altering the namespace list while
+command effects handling needs to pair freeze with unfreeze.
+
+Reported-by: Wen Xiong <wenxiong@us.ibm.com>
+Tested-by: Wen Xiong <wenxiong@us.ibm.com>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/nvme/host/core.c | 8 +++++++-
+ drivers/nvme/host/nvme.h | 1 +
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 4d5e81c80cc6..e9bc23326cc1 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1169,6 +1169,7 @@ static u32 nvme_passthru_start(struct nvme_ctrl *ctrl, struct nvme_ns *ns,
+ * effects say only one namespace is affected.
+ */
+ if (effects & (NVME_CMD_EFFECTS_LBCC | NVME_CMD_EFFECTS_CSE_MASK)) {
++ mutex_lock(&ctrl->scan_lock);
+ nvme_start_freeze(ctrl);
+ nvme_wait_freeze(ctrl);
+ }
+@@ -1197,8 +1198,10 @@ static void nvme_passthru_end(struct nvme_ctrl *ctrl, u32 effects)
+ */
+ if (effects & NVME_CMD_EFFECTS_LBCC)
+ nvme_update_formats(ctrl);
+- if (effects & (NVME_CMD_EFFECTS_LBCC | NVME_CMD_EFFECTS_CSE_MASK))
++ if (effects & (NVME_CMD_EFFECTS_LBCC | NVME_CMD_EFFECTS_CSE_MASK)) {
+ nvme_unfreeze(ctrl);
++ mutex_unlock(&ctrl->scan_lock);
++ }
+ if (effects & NVME_CMD_EFFECTS_CCC)
+ nvme_init_identify(ctrl);
+ if (effects & (NVME_CMD_EFFECTS_NIC | NVME_CMD_EFFECTS_NCC))
+@@ -3270,6 +3273,7 @@ static void nvme_scan_work(struct work_struct *work)
+ if (nvme_identify_ctrl(ctrl, &id))
+ return;
+
++ mutex_lock(&ctrl->scan_lock);
+ nn = le32_to_cpu(id->nn);
+ if (ctrl->vs >= NVME_VS(1, 1, 0) &&
+ !(ctrl->quirks & NVME_QUIRK_IDENTIFY_CNS)) {
+@@ -3278,6 +3282,7 @@ static void nvme_scan_work(struct work_struct *work)
+ }
+ nvme_scan_ns_sequential(ctrl, nn);
+ out_free_id:
++ mutex_unlock(&ctrl->scan_lock);
+ kfree(id);
+ mutex_lock(&ctrl->namespaces_mutex);
+ list_sort(NULL, &ctrl->namespaces, ns_cmp);
+@@ -3504,6 +3509,7 @@ int nvme_init_ctrl(struct nvme_ctrl *ctrl, struct device *dev,
+
+ ctrl->state = NVME_CTRL_NEW;
+ spin_lock_init(&ctrl->lock);
++ mutex_init(&ctrl->scan_lock);
+ INIT_LIST_HEAD(&ctrl->namespaces);
+ mutex_init(&ctrl->namespaces_mutex);
+ ctrl->dev = dev;
+diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
+index ce5d75b11cc7..cf12f579ea2e 100644
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -146,6 +146,7 @@ struct nvme_ctrl {
+ enum nvme_ctrl_state state;
+ bool identified;
+ spinlock_t lock;
++ struct mutex scan_lock;
+ const struct nvme_ctrl_ops *ops;
+ struct request_queue *admin_q;
+ struct request_queue *connect_q;
+--
+2.16.4
+
diff --git a/patches.kabi/nvme-kABI-fix-for-scan_lock.patch b/patches.kabi/nvme-kABI-fix-for-scan_lock.patch
new file mode 100644
index 0000000000..6ca8063342
--- /dev/null
+++ b/patches.kabi/nvme-kABI-fix-for-scan_lock.patch
@@ -0,0 +1,32 @@
+From: Hannes Reinecke <hare@suse.de>
+Date: Tue, 19 Feb 2019 13:43:50 +0100
+Subject: [PATCH] nvme: kABI fix for scan_lock
+Patch-Mainline: never, SLE15 specific kABI fix
+References: bsc#1123882
+
+Signed-off-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/nvme/host/nvme.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -146,7 +146,6 @@ struct nvme_ctrl {
+ enum nvme_ctrl_state state;
+ bool identified;
+ spinlock_t lock;
+- struct mutex scan_lock;
+ const struct nvme_ctrl_ops *ops;
+ struct request_queue *admin_q;
+ struct request_queue *connect_q;
+@@ -235,6 +234,10 @@ struct nvme_ctrl {
+ u16 maxcmd;
+ int nr_reconnects;
+ struct nvmf_ctrl_options *opts;
++
++#ifndef __GENKSYMS__
++ struct mutex scan_lock;
++#endif
+ };
+
+ #ifdef CONFIG_NVME_MULTIPATH
diff --git a/series.conf b/series.conf
index 85bea6eee4..7e3ffa8999 100644
--- a/series.conf
+++ b/series.conf
@@ -20413,6 +20413,8 @@
patches.suse/net-hamradio-6pack-use-mod_timer-to-rearm-timers.patch
patches.drivers/isdn-fix-kernel-infoleak-in-capi_unlocked_ioctl.patch
patches.fixes/bpf-move-prev_-insn_idx-into-verifier-env.patch
+ patches.fixes/bpf-move-tmp-variable-into-ax-register-in-interprete.patch
+ patches.fixes/bpf-enable-access-to-ax-register-also-from-verifier-.patch
patches.fixes/bpf-restrict-map-value-pointer-arithmetic-for-unpriv.patch
patches.fixes/bpf-restrict-stack-pointer-arithmetic-for-unprivileg.patch
patches.fixes/bpf-restrict-unknown-scalars-of-mixed-signed-bounds-.patch
@@ -20568,6 +20570,7 @@
patches.fixes/scsi-target-make-the-pi_prot_format-ConfigFS-path-re.patch
patches.fixes/ARM-iop32x-n2100-fix-PCI-IRQ-mapping.patch
patches.fixes/ARM-tango-Improve-ARCH_MULTIPLATFORM-compatibility.patch
+ patches.fixes/nvme-lock-NS-list-changes-while-handling-command-eff.patch
patches.fixes/irqchip-gic-v3-its-Fix-ITT_entry_size-accessor.patch
patches.arch/x86-mce-initialize-mce-bank-in-the-case-of-a-fatal-error-in-mce_no_way_out.patch
patches.drivers/dmaengine-at_xdmac-Fix-wrongfull-report-of-a-channel.patch
@@ -21227,7 +21230,9 @@
patches.suse/prepare-arm64-kgraft
patches.suse/powerpc-KABI-add-aux_ptr-to-hole-in-paca_struct-to-e.patch
-
+
+ patches.kabi/nvme-kABI-fix-for-scan_lock.patch
+
patches.kabi/KABI-move-mce_data_buf-into-paca_aux.patch
patches.kabi/KABI-move-the-new-handler-to-end-of-machdep_calls-an.patch
patches.kabi/KABI-powerpc-export-__find_linux_pte-as-__find_linux.patch