Home Home > GIT Browse > SLE12-SP4-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOlaf Hering <ohering@suse.de>2019-06-11 09:02:34 +0200
committerOlaf Hering <ohering@suse.de>2019-06-11 09:02:34 +0200
commit6fbea8977c94a372d0999c241250bfe28e1e1616 (patch)
tree1132ea1d311b5858c46ed89700e1416453dd4596
parent21481fcef51d1be602351e629270bb920ba5b7ab (diff)
parent1e103a3add7b1382daa7fd2460be0db9d4e18f0c (diff)
Merge remote-tracking branch 'kerncvs/SLE12-SP4' into SLE12-SP4-AZURE
-rw-r--r--blacklist.conf115
-rw-r--r--config/arm64/default1
-rw-r--r--config/x86_64/default1
-rw-r--r--patches.arch/ARM-iop-don-t-use-using-64-bit-DMA-masks.patch154
-rw-r--r--patches.arch/ARM-orion-don-t-use-using-64-bit-DMA-masks.patch53
-rw-r--r--patches.arch/crypto-vmx-ghash-do-nosimd-fallback-manually.patch312
-rw-r--r--patches.arch/crypto-vmx-return-correct-error-code-on-failed-setke.patch112
-rw-r--r--patches.arch/efi-arm-Don-t-mark-ACPI-reclaim-memory-as-MEMBLOCK_N.patch66
-rw-r--r--patches.arch/powerpc-perf-Fix-MMCRA-corruption-by-bhrb_filter.patch114
-rw-r--r--patches.arch/s390-smp-fix-cpu-hotplug-deadlock-with-cpu-rescan27
-rw-r--r--patches.drivers/0001-efi-add-API-to-reserve-memory-persistently-across-ke.patch76
-rw-r--r--patches.drivers/0001-efi-arm-libstub-add-a-root-memreserve-config-table.patch66
-rw-r--r--patches.drivers/0001-efi-honour-memory-reservations-passed-via-a-linux-sp.patch103
-rw-r--r--patches.drivers/ACPI-fix-menuconfig-presentation-of-ACPI-submenu.patch51
-rw-r--r--patches.drivers/ALSA-hda-realtek-Improve-the-headset-mic-for-Acer-As.patch72
-rw-r--r--patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072119
-rw-r--r--patches.drivers/ASoC-Intel-add-support-for-CX2072x-machine-driver36
-rw-r--r--patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC72
-rw-r--r--patches.drivers/ASoC-cx2072x-Add-DT-bingings-documentation-for-CX20757
-rw-r--r--patches.drivers/ASoC-intel-Add-headset-jack-support-to-cht-cx2072x111
-rw-r--r--patches.drivers/arm64-acpi-fix-alignment-fault-in-accessing-ACPI.patch173
-rw-r--r--patches.drivers/arm64-fix-ACPI-dependencies.patch91
-rw-r--r--patches.drivers/arm64-mm-efi-Account-for-GICv3-LPI-tables-in-static-.patch133
-rw-r--r--patches.drivers/drivers-acpi-add-dependency-of-EFI-for-arm64.patch42
-rw-r--r--patches.drivers/efi-Permit-calling-efi_mem_reserve_persistent-from-a.patch90
-rw-r--r--patches.drivers/efi-Permit-multiple-entries-in-persistent-memreserve.patch148
-rw-r--r--patches.drivers/efi-Prevent-GICv3-WARN-by-mapping-the-memreserve-tab.patch97
-rw-r--r--patches.drivers/efi-Reduce-the-amount-of-memblock-reservations-for-p.patch112
-rw-r--r--patches.drivers/efi-arm-Defer-persistent-reservations-until-after-pa.patch101
-rw-r--r--patches.drivers/efi-arm-Revert-Defer-persistent-reservations-until-a.patch102
-rw-r--r--patches.drivers/efi-arm-Revert-deferred-unmap-of-early-memmap-mappin.patch81
-rw-r--r--patches.drivers/efi-arm-map-UEFI-memory-map-even-w-o-runtime-service.patch64
-rw-r--r--patches.drivers/efi-arm-preserve-early-mapping-of-UEFI-memory-map-lo.patch62
-rw-r--r--patches.drivers/ibmvnic-Add-device-identification-to-requested-IRQs.patch92
-rw-r--r--patches.drivers/ibmvnic-remove-set-but-not-used-variable-netdev.patch46
-rw-r--r--patches.drivers/iommu-arm-smmu-v3-Abort-all-transactions-if-SMMU-is-.patch79
-rw-r--r--patches.drivers/iommu-arm-smmu-v3-Don-t-disable-SMMU-in-kdump-kernel.patch59
-rw-r--r--patches.drivers/mmc-block-Delete-gendisk-before-cleaning-up-the-requ.patch93
-rw-r--r--patches.drivers/net-ibmvnic-Remove-tests-of-member-address.patch56
-rw-r--r--patches.drivers/rtc-da9063-set-uie_unsupported-when-relevant.patch44
-rw-r--r--patches.drivers/rtc-sh-Fix-invalid-alarm-warning-for-non-enabled-ala.patch48
-rw-r--r--patches.drivers/scsi-qedf-fixup-bit-operations.patch77
-rw-r--r--patches.drivers/scsi-qedf-fixup-locking-in-qedf_restart_rport.patch42
-rw-r--r--patches.drivers/scsi-qedf-missing-kref_put-in-qedf_xmit.patch37
-rw-r--r--patches.drivers/scsi-qla2xxx-Declare-local-functions-static.patch45
-rw-r--r--patches.drivers/scsi-qla2xxx-Fix-function-argument-descriptions.patch947
-rw-r--r--patches.drivers/scsi-qla2xxx-Fix-small-memory-leak-in-qla2x00_probe_.patch2
-rw-r--r--patches.drivers/scsi-qla2xxx-Improve-several-kernel-doc-headers.patch179
-rw-r--r--patches.drivers/scsi-qla2xxx-Introduce-a-switch-case-statement-in-ql.patch54
-rw-r--r--patches.drivers/scsi-qla2xxx-Make-qla2x00_sysfs_write_nvram-easier-t.patch36
-rw-r--r--patches.drivers/scsi-qla2xxx-Make-sure-that-qlafx00_ioctl_iosb_entry.patch37
-rw-r--r--patches.drivers/scsi-qla2xxx-NULL-check-before-some-freeing-function.patch88
-rw-r--r--patches.drivers/scsi-qla2xxx-Remove-a-set-but-not-used-variable.patch45
-rw-r--r--patches.drivers/scsi-qla2xxx-Remove-two-arguments-from-qlafx00_error.patch66
-rw-r--r--patches.drivers/scsi-qla2xxx-Remove-unused-symbols.patch36
-rw-r--r--patches.drivers/scsi-qla2xxx-Split-the-__qla2x00_abort_all_cmds-func.patch128
-rw-r--r--patches.drivers/scsi-qla2xxx-Timeouts-occur-on-surprise-removal-of-Q.patch26
-rw-r--r--patches.drivers/scsi-qla2xxx-Use-p-for-printing-pointers.patch36
-rw-r--r--patches.drivers/scsi-qla2xxx-fully-convert-to-the-generic-DMA-API.patch72
-rw-r--r--patches.drivers/scsi-qla2xxx-use-lower_32_bits-and-upper_32_bits-ins.patch70
-rw-r--r--patches.drivers/treewide-Use-DEVICE_ATTR_WO.patch125
-rw-r--r--patches.drm/0001-drm-vmwgfx-NULL-pointer-dereference-from-vmw_cmd_dx_.patch36
-rw-r--r--patches.drm/0001-fbdev-fix-WARNING-in-__alloc_pages_nodemask-bug.patch54
-rw-r--r--patches.drm/0001-fbdev-fix-divide-error-in-fb_var_to_videomode.patch84
-rw-r--r--patches.drm/0002-drm-i915-gvt-Tiled-Resources-mmios-are-in-context-mm.patch41
-rw-r--r--patches.drm/0003-drm-i915-gvt-add-0x4dfc-to-gen9-save-restore-list.patch30
-rw-r--r--patches.drm/0004-drm-etnaviv-lock-MMU-while-dumping-core.patch51
-rw-r--r--patches.drm/drm-edid-Fix-a-missing-check-bug-in-drm_load_edid_firmware.patch38
-rw-r--r--patches.fixes/0001-Documentation-Add-MDS-vulnerability-documentation.patch353
-rw-r--r--patches.fixes/0001-dt-bindings-clock-r8a7795-Remove-CSIREF-clock.patch38
-rw-r--r--patches.fixes/0001-dt-bindings-clock-r8a7796-Remove-CSIREF-clock.patch38
-rw-r--r--patches.fixes/0001-dt-bindings-net-Add-binding-for-the-external-clock-f.patch48
-rw-r--r--patches.fixes/0001-dt-bindings-rtc-sun6i-rtc-Fix-register-range-in-exam.patch30
-rw-r--r--patches.fixes/0001-keys-safe-concurrent-user-session-uid-_keyring-acces.patch165
-rw-r--r--patches.fixes/0001-mm-hwpoison-fix-thp-split-handing-in-soft_offline_in.patch76
-rw-r--r--patches.fixes/0001-mwifiex-Abort-at-too-short-BSS-descriptor-element.patch89
-rw-r--r--patches.fixes/0001-mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch115
-rw-r--r--patches.fixes/0001-mwifiex-Fix-possible-buffer-overflows-at-parsing-bss.patch50
-rw-r--r--patches.fixes/0001-of-fix-clang-Wunsequenced-for-be32_to_cpu.patch59
-rw-r--r--patches.fixes/0001-p54-drop-device-reference-count-if-fails-to-enable-d.patch45
-rw-r--r--patches.fixes/0001-xenbus-drop-useless-LIST_HEAD-in-xenbus_write_watch-.patch45
-rw-r--r--patches.fixes/0002-btrfs-qgroup-Check-bg-while-resuming-relocation-to-a.patch93
-rw-r--r--patches.fixes/KVM-s390-fix-memory-overwrites-when-not-using-SCA-en.patch40
-rw-r--r--patches.fixes/KVM-s390-provide-io-interrupt-kvm_stat.patch29
-rw-r--r--patches.fixes/KVM-s390-use-created_vcpus-in-more-places.patch44
-rw-r--r--patches.fixes/KVM-s390-vsie-fix-8k-check-for-the-itdba.patch41
-rw-r--r--patches.fixes/RDMA-rxe-Consider-skb-reserve-space-based-on-netdev-.patch32
-rw-r--r--patches.fixes/bpf-add-map_lookup_elem_sys_only-for-lookups-from-sy.patch51
-rw-r--r--patches.fixes/bpf-lru-avoid-messing-with-eviction-heuristics-upon-.patch104
-rw-r--r--patches.fixes/configfs-Fix-use-after-free-when-accessing-sd-s_dent.patch60
-rw-r--r--patches.fixes/ext4-avoid-panic-during-forced-reboot-due-to-aborted.patch39
-rw-r--r--patches.fixes/ext4-fix-data-corruption-caused-by-overlapping-unali.patch54
-rw-r--r--patches.fixes/ext4-make-sanity-check-in-mballoc-more-strict.patch39
-rw-r--r--patches.fixes/ext4-wait-for-outstanding-dio-during-truncate-in-noj.patch62
-rw-r--r--patches.fixes/fs-prevent-page-refcount-overflow-in-pipe_buf_get.patch161
-rw-r--r--patches.fixes/fs-sync.c-sync_file_range-2-may-use-WB_SYNC_ALL-writ.patch87
-rw-r--r--patches.fixes/fs-writeback.c-use-rcu_barrier-to-wait-for-inflight-.patch75
-rw-r--r--patches.fixes/indirect-call-wrappers-helpers-to-speed-up-indirect-.patch85
-rw-r--r--patches.fixes/jbd2-check-superblock-mapped-prior-to-committing.patch53
-rw-r--r--patches.fixes/mm-Fix-modifying-of-page-protection-by-insert_pfn.patch14
-rw-r--r--patches.fixes/mm-add-try_get_page-helper-function.patch53
-rw-r--r--patches.fixes/mm-fix-__gup_device_huge-vs-unmap.patch6
-rw-r--r--patches.fixes/mm-gup-ensure-real-head-page-is-ref-counted-when-using-hugepages.patch101
-rw-r--r--patches.fixes/mm-gup-remove-broken-vm_bug_on_page-compound-check-for-hugepages.patch67
-rw-r--r--patches.fixes/mm-make-page-ref-count-overflow-check-tighter-and-more-explicit.patch49
-rw-r--r--patches.fixes/mm-prevent-get_user_pages-from-overflowing-page-refcount.patch234
-rw-r--r--patches.fixes/mount-copy-the-port-field-into-the-cloned-nfs_server.patch31
-rw-r--r--patches.fixes/net-unbreak-CONFIG_RETPOLINE-n-builds.patch37
-rw-r--r--patches.fixes/net-use-indirect-call-wrappers-at-GRO-network-layer.patch111
-rw-r--r--patches.fixes/net-use-indirect-call-wrappers-at-GRO-transport-laye.patch275
-rw-r--r--patches.fixes/nvme-rdma-fix-possible-free-of-a-non-allocated-async-event-buffer.patch87
-rw-r--r--patches.fixes/ocfs2-fix-ocfs2-read-inode-data-panic-in-ocfs2_iget.patch184
-rw-r--r--patches.fixes/scsi-qla2xxx-Fix-memory-corruption-during-hba-reset-.patch41
-rw-r--r--patches.fixes/scsi-qla2xxx-fix-driver-unload-by-shutting-down-chip.patch83
-rw-r--r--patches.fixes/scsi-qla2xxx-fix-error-message-on-qla2400.patch72
-rw-r--r--patches.fixes/scsi-qla2xxx-fix-spelling-mistake-existant-existent.patch32
-rw-r--r--patches.fixes/scsi-qla2xxx-fx00-copypaste-typo.patch36
-rw-r--r--patches.fixes/scsi-qla2xxx-remove-the-unused-tcm_qla2xxx_cmd_wq.patch55
-rw-r--r--patches.fixes/udp-use-indirect-call-wrappers-for-GRO-socket-lookup.patch52
-rw-r--r--patches.fixes/xfs-serialize-unaligned-dio-writes-against-all-other.patch94
-rw-r--r--patches.kabi/arch-arm64-acpi-KABI-ignore-includes.patch28
-rw-r--r--patches.kabi/bpf-add-map_lookup_elem_sys_only-for-lookups-from-sy.patch94
-rw-r--r--patches.kabi/firmware-efi-KABI-memreserve.patch82
-rw-r--r--patches.kabi/fs-prevent-page-refcount-overflow-in-pipe_buf_get-kabi.patch58
-rw-r--r--patches.kabi/kabi-protect-dma-mapping-h-include.patch26
-rw-r--r--patches.kabi/kabi-protect-struct-pci_dev.patch29
-rw-r--r--patches.kabi/memcg-make-it-work-on-sparse-non-0-node-systems-kabi.patch46
-rw-r--r--patches.kernel.org/4.4.164-131-mm-thp-relax-__GFP_THISNODE-for-MADV_HUGEPAGE.patch233
-rw-r--r--patches.suse/0001-btrfs-extent-tree-Fix-a-bug-that-btrfs-is-unable-to-.patch86
-rw-r--r--patches.suse/0002-MODSIGN-print-appropriate-status-message-when-gettin.patch6
-rw-r--r--patches.suse/PCI-Factor-out-pcie_retrain_link-function.patch85
-rw-r--r--patches.suse/PCI-Work-around-Pericom-PCIe-to-PCI-bridge-Retrain-L.patch100
-rw-r--r--patches.suse/PCI-endpoint-Use-EPC-s-device-in-dma_alloc_coherent-.patch82
-rw-r--r--patches.suse/bnxt_en-Improve-multicast-address-setup-logic.patch41
-rw-r--r--patches.suse/bonding-fix-event-handling-for-stacked-bonds.patch45
-rw-r--r--patches.suse/btrfs-don-t-double-unlock-on-error-in-btrfs_punch_ho.patch42
-rw-r--r--patches.suse/btrfs-fix-fsync-not-persisting-changed-attributes-of.patch99
-rw-r--r--patches.suse/btrfs-fix-race-between-ranged-fsync-and-writeback-of.patch245
-rw-r--r--patches.suse/btrfs-fix-race-updating-log-root-item-during-fsync.patch126
-rw-r--r--patches.suse/btrfs-fix-wrong-ctime-and-mtime-of-a-directory-after.patch85
-rw-r--r--patches.suse/btrfs-reloc-also-queue-orphan-reloc-tree-for-cleanup-to-avoid-bug_on.patch137
-rw-r--r--patches.suse/btrfs-tree-checker-detect-file-extent-items-with-ove.patch114
-rw-r--r--patches.suse/ftrace-x86_64-emulate-call-function-while-updating-in-breakpoint-handler.patch150
-rw-r--r--patches.suse/ipv4-Define-__ipv4_neigh_lookup_noref-when-CONFIG_IN.patch42
-rw-r--r--patches.suse/ipv4-add-sanity-checks-in-ipv4_link_failure.patch152
-rw-r--r--patches.suse/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch86
-rw-r--r--patches.suse/ipv4-ip_do_fragment-Preserve-skb_iif-during-fragment.patch40
-rw-r--r--patches.suse/ipv4-recompile-ip-options-in-ipv4_link_failure.patch40
-rw-r--r--patches.suse/ipv4-set-the-tcp_min_rtt_wlen-range-from-0-to-one-da.patch88
-rw-r--r--patches.suse/kernel-signal.c-trace_signal_deliver-when-signal_gro.patch47
-rw-r--r--patches.suse/kernel-sys.c-prctl-fix-false-positive-in-validate_pr.patch49
-rw-r--r--patches.suse/livepatch-convert-error-about-unsupported-reliable-stacktrace-into-a-warning.patch47
-rw-r--r--patches.suse/livepatch-remove-custom-kobject-state-handling.patch215
-rw-r--r--patches.suse/livepatch-remove-duplicated-code-for-early-initialization.patch127
-rw-r--r--patches.suse/memcg-make-it-work-on-sparse-non-0-node-systems.patch93
-rw-r--r--patches.suse/mlxsw-spectrum-Fix-autoneg-status-in-ethtool.patch42
-rw-r--r--patches.suse/neighbor-Call-__ipv4_neigh_lookup_noref-in-neigh_xmi.patch55
-rw-r--r--patches.suse/net-atm-Fix-potential-Spectre-v1-vulnerabilities.patch51
-rw-r--r--patches.suse/net-dsa-bcm_sf2-fix-buffer-overflow-doing-set_rxnfc.patch41
-rw-r--r--patches.suse/net-dsa-mv88e6xxx-fix-handling-of-upper-half-of-STAT.patch31
-rw-r--r--patches.suse/net-fou-do-not-use-guehdr-after-iptunnel_pull_offloa.patch47
-rw-r--r--patches.suse/net-mlx5e-ethtool-Remove-unsupported-SFP-EEPROM-high.patch47
-rw-r--r--patches.suse/net-phy-marvell-Fix-buffer-overrun-with-stats-counte.patch49
-rw-r--r--patches.suse/net-rds-exchange-of-8K-and-1M-pool.patch78
-rw-r--r--patches.suse/net-rose-fix-unbound-loop-in-rose_loopback_timer.patch161
-rw-r--r--patches.suse/net-stmmac-move-stmmac_check_ether_addr-to-driver-pr.patch44
-rw-r--r--patches.suse/net-thunderx-don-t-allow-jumbo-frames-with-XDP.patch39
-rw-r--r--patches.suse/net-thunderx-raise-XDP-MTU-to-1508.patch53
-rw-r--r--patches.suse/nvme-flush-scan_work-when-resetting-controller.patch38
-rw-r--r--patches.suse/objtool-fix-function-fallthrough-detection.patch59
-rw-r--r--patches.suse/ptrace-take-into-account-saved_sigmask-in-PTRACE-GET.patch127
-rw-r--r--patches.suse/sctp-avoid-running-the-sctp-state-machine-recursivel.patch163
-rw-r--r--patches.suse/signal-Always-notice-exiting-tasks.patch62
-rw-r--r--patches.suse/signal-Better-detection-of-synchronous-signals.patch115
-rw-r--r--patches.suse/signal-Restore-the-stop-PTRACE_EVENT_EXIT.patch55
-rw-r--r--patches.suse/stmmac-pci-Adjust-IOT2000-matching.patch50
-rw-r--r--patches.suse/switchtec-Fix-unintended-mask-of-MRPC-event.patch43
-rw-r--r--patches.suse/tcp-tcp_grow_window-needs-to-respect-tcp_space.patch61
-rw-r--r--patches.suse/team-fix-possible-recursive-locking-when-add-slaves.patch52
-rw-r--r--patches.suse/tipc-fix-hanging-clients-using-poll-with-EPOLLOUT-fl.patch52
-rw-r--r--patches.suse/tipc-missing-entries-in-name-table-of-publications.patch41
-rw-r--r--patches.suse/tracing-fix-buffer_ref-pipe-ops.patch27
-rw-r--r--patches.suse/tracing-fix-partial-reading-of-trace-event-s-id-file.patch77
-rw-r--r--patches.suse/userfaultfd-use-RCU-to-free-the-task-struct-when-for.patch132
-rw-r--r--patches.suse/vhost-reject-zero-size-iova-range.patch36
-rw-r--r--patches.suse/x86_64-add-gap-to-int3-to-allow-for-call-emulation.patch73
-rw-r--r--patches.suse/x86_64-allow-breakpoints-to-emulate-call-instructions.patch91
-rwxr-xr-xscripts/git_sort/git_sort.py5
-rw-r--r--series.conf177
189 files changed, 14985 insertions, 381 deletions
diff --git a/blacklist.conf b/blacklist.conf
index 538e08fc3b..5219e9d975 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -49,6 +49,103 @@ arch/unicore32
arch/xtensa
arch/x86/kernel/devicetree.c # we don't support devicetree on x86
arch/x86/um # UML not supported
+# we support only 64bit POWER8+ pSeries and powernv on ppc
+arch/powerpc/platforms/40x
+arch/powerpc/platforms/44x
+arch/powerpc/platforms/512x
+arch/powerpc/platforms/52xx
+arch/powerpc/platforms/82xx
+arch/powerpc/platforms/83xx
+arch/powerpc/platforms/85xx
+arch/powerpc/platforms/86xx
+arch/powerpc/platforms/8xx
+arch/powerpc/platforms/amigaone
+arch/powerpc/platforms/cell
+arch/powerpc/platforms/chrp
+arch/powerpc/platforms/embedded6xx
+arch/powerpc/platforms/maple
+arch/powerpc/platforms/pasemi
+arch/powerpc/platforms/powermac
+arch/powerpc/platforms/ps3
+arch/powerpc/include/asm/8xx_immap.h
+arch/powerpc/include/asm/fsl_85xx_cache_sram.h
+arch/powerpc/include/asm/fsl_gtm.h
+arch/powerpc/include/asm/fsl_hcalls.h
+arch/powerpc/include/asm/fsl_lbc.h
+arch/powerpc/include/asm/fsl_pamu_stash.h
+arch/powerpc/include/asm/fsl_pm.h
+arch/powerpc/include/asm/kvm_book3s_32.h
+arch/powerpc/include/asm/kvm_booke.h
+arch/powerpc/include/asm/kvm_booke_hv_asm.h
+arch/powerpc/include/asm/mmu-40x.h
+arch/powerpc/include/asm/mmu-44x.h
+arch/powerpc/include/asm/mmu-8xx.h
+arch/powerpc/include/asm/mmu-book3e.h
+arch/powerpc/include/asm/mpc5121.h
+arch/powerpc/include/asm/mpc52xx.h
+arch/powerpc/include/asm/mpc52xx_psc.h
+arch/powerpc/include/asm/mpc5xxx.h
+arch/powerpc/include/asm/mpc8260.h
+arch/powerpc/include/asm/mpc85xx.h
+arch/powerpc/include/asm/page_32.h
+arch/powerpc/include/asm/pasemi_dma.h
+arch/powerpc/include/asm/perf_event_fsl_emb.h
+arch/powerpc/include/asm/reg_8xx.h
+arch/powerpc/include/asm/reg_booke.h
+arch/powerpc/include/asm/reg_fsl_emb.h
+arch/powerpc/kernel/cpu_setup_44x.S
+arch/powerpc/kernel/cpu_setup_6xx.S
+arch/powerpc/kernel/cpu_setup_fsl_booke.S
+arch/powerpc/kernel/entry_32.S
+arch/powerpc/kernel/exceptions-64e.S
+arch/powerpc/kernel/fsl_booke_entry_mapping.S
+arch/powerpc/kernel/head_32.S
+arch/powerpc/kernel/head_40x.S
+arch/powerpc/kernel/head_44x.S
+arch/powerpc/kernel/head_booke.h
+arch/powerpc/kernel/head_fsl_booke.S
+arch/powerpc/kernel/idle_6xx.S
+arch/powerpc/kernel/idle_e500.S
+arch/powerpc/kernel/l2cr_6xx.S
+arch/powerpc/kernel/machine_kexec_32.c
+arch/powerpc/kernel/misc_32.S
+arch/powerpc/kernel/module_32.c
+arch/powerpc/kernel/pci_32.c
+arch/powerpc/kernel/reloc_32.S
+arch/powerpc/kernel/setup_32.c
+arch/powerpc/kernel/swsusp_32.S
+arch/powerpc/kernel/swsusp_booke.S
+arch/powerpc/kernel/tau_6xx.c
+arch/powerpc/kvm/book3s_32_mmu.c
+arch/powerpc/kvm/book3s_32_mmu_host.c
+arch/powerpc/kvm/book3s_32_sr.S
+arch/powerpc/kvm/booke.c
+arch/powerpc/kvm/booke_emulate.c
+arch/powerpc/kvm/booke.h
+arch/powerpc/kvm/bookehv_interrupts.S
+arch/powerpc/kvm/booke_interrupts.S
+arch/powerpc/kvm/e500.c
+arch/powerpc/kvm/e500_emulate.c
+arch/powerpc/kvm/e500.h
+arch/powerpc/kvm/e500mc.c
+arch/powerpc/kvm/e500_mmu.c
+arch/powerpc/kvm/e500_mmu_host.c
+arch/powerpc/kvm/e500_mmu_host.h
+arch/powerpc/kvm/mpic.c
+arch/powerpc/kvm/trace_booke.h
+arch/powerpc/mm/40x_mmu.c
+arch/powerpc/mm/44x_mmu.c
+arch/powerpc/mm/8xx_mmu.c
+arch/powerpc/mm/fsl_booke_mmu.c
+arch/powerpc/mm/hash_low_32.S
+arch/powerpc/mm/hugetlbpage-book3e.c
+arch/powerpc/mm/init_32.c
+arch/powerpc/mm/mmu_context_hash32.c
+arch/powerpc/mm/pgtable_32.c
+arch/powerpc/mm/pgtable-book3e.c
+arch/powerpc/mm/ppc_mmu_32.c
+arch/powerpc/mm/tlb_hash32.c
+
drivers/bus/brcmstb_gisb.c # driver for an internal bus on a settop box
drivers/staging/lustre # not shipped
@@ -1132,3 +1229,21 @@ c8ea3663f7a8e6996d44500ee818c9330ac4fd88 # virt/fsl: no supported platform
6a024330650e24556b8a18cc654ad00cfecf6c6c # virt/fsl: no supported platform
92ff42645028fa6f9b8aa767718457b9264316b4 # ipvlan: reverted in below
918150cbd6103199fe326e8b1462a7f0d81475e4 # ipvlan: reverting the above
+2100e3ca3676e894fa48b8f6f01d01733387fe81 # Kconfig only and our kernels compile
+e5d01196c0428a206f307e9ee5f6842964098ff0 # bug requires e50e5129f384 "ext4: xattr-in-inode support"
+08fc98a4d6424af66eb3ac4e2cedd2fc927ed436 # bug requires e08ac99fa2a2 "ext4: add largedir feature"
+8ea58f1e8b11cca3087b294779bf5959bf89cc10 # not needed. We can happily use just AR.
+0294e6f4a0006856e1f36b8cd8fa088d9e499e98 # kbuild: not a bugfix
+954b4b752a4c4e963b017ed8cef4c453c5ed308d # ARCH_RENESAS = n
+be20bbcb0a8cb5597cc62b3e28d275919f3431df # ARCH_RENESAS = n
+b80a2bfce85e1051056d98d04ecb2d0b55cbbc1c # fixes 2610e8894663 which we don't have
+43a0541e312f7136e081e6bf58f6c8a2e9672688 # We don't build the tegra-smmu driver
+8069053880e0ee3a75fd6d7e0a30293265fe3de4 # sm712fb driver not enabled: fbdev: sm712fb: fix white screen of death on reboot, don't set CR3B-CR3F
+5481115e25e42b9215f2619452aa99c95f08492f # sm712fb driver not enabled: fbdev: sm712fb: fix brightness control on reboot, don't set SR30
+dcf9070595e100942c539e229dde4770aaeaa4e9 # sm712fb driver not enabled: fbdev: sm712fb: fix VRAM detection, don't set SR70/71/74/75
+ec1587d5073f29820e358f3a383850d61601d981 # sm712fb driver not enabled: fbdev: sm712fb: fix boot screen glitch when sm712fb replaces VGA
+9e0e59993df0601cddb95c4f6c61aa3d5e753c00 # sm712fb driver not enabled: fbdev: sm712fb: fix crashes during framebuffer writes by correctly mapping VRAM
+f627caf55b8e735dcec8fa6538e9668632b55276 # sm712fb driver not enabled: fbdev: sm712fb: fix crashes and garbled display during DPMS modesetting
+6053d3a4793e5bde6299ac5388e76a3bf679ff65 # sm712fb driver not enabled: fbdev: sm712fb: fix support for 1024x768-16 mode
+4ed7d2ccb7684510ec5f7a8f7ef534bc6a3d55b2 # sm712fb driver not enabled: fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display
+2f0799a0ffc033bf3cc82d5032acc3ec633464c2 # this reverts ac5b2c18911f and there is a disagreement over this policy. We want to have ac5b2c18911f applied
diff --git a/config/arm64/default b/config/arm64/default
index 44801203c3..ee9bbf66bb 100644
--- a/config/arm64/default
+++ b/config/arm64/default
@@ -6941,6 +6941,7 @@ CONFIG_MESON_SM=y
#
CONFIG_TEGRA_IVC=y
CONFIG_TEGRA_BPMP=y
+CONFIG_ARCH_SUPPORTS_ACPI=y
CONFIG_ACPI=y
CONFIG_ACPI_GENERIC_GSI=y
CONFIG_ACPI_CCA_REQUIRED=y
diff --git a/config/x86_64/default b/config/x86_64/default
index bf17d506f7..68f0f5bf57 100644
--- a/config/x86_64/default
+++ b/config/x86_64/default
@@ -722,6 +722,7 @@ CONFIG_PM_CLK=y
CONFIG_PM_GENERIC_DOMAINS=y
# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
CONFIG_PM_GENERIC_DOMAINS_SLEEP=y
+CONFIG_ARCH_SUPPORTS_ACPI=y
CONFIG_ACPI=y
CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y
CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
diff --git a/patches.arch/ARM-iop-don-t-use-using-64-bit-DMA-masks.patch b/patches.arch/ARM-iop-don-t-use-using-64-bit-DMA-masks.patch
new file mode 100644
index 0000000000..c20b3b865b
--- /dev/null
+++ b/patches.arch/ARM-iop-don-t-use-using-64-bit-DMA-masks.patch
@@ -0,0 +1,154 @@
+From 2125801ccce19249708ca3245d48998e70569ab8 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 25 Mar 2019 16:50:43 +0100
+Subject: [PATCH] ARM: iop: don't use using 64-bit DMA masks
+Git-commit: 2125801ccce19249708ca3245d48998e70569ab8
+Patch-mainline: v5.1-rc4
+References: bsc#1051510
+
+clang warns about statically defined DMA masks from the DMA_BIT_MASK
+macro with length 64:
+
+ arch/arm/mach-iop13xx/setup.c:303:35: error: shift count >= width of type [-Werror,-Wshift-count-overflow]
+ static u64 iop13xx_adma_dmamask = DMA_BIT_MASK(64);
+ ^~~~~~~~~~~~~~~~
+ include/linux/dma-mapping.h:141:54: note: expanded from macro 'DMA_BIT_MASK'
+ #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
+ ^ ~~~
+
+The ones in iop shouldn't really be 64 bit masks, so changing them
+to what the driver can support avoids the warning.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/mach-iop13xx/setup.c | 8 ++++----
+ arch/arm/mach-iop13xx/tpmi.c | 10 +++++-----
+ arch/arm/plat-iop/adma.c | 6 +++---
+ 3 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/arch/arm/mach-iop13xx/setup.c b/arch/arm/mach-iop13xx/setup.c
+index 53c316f7301e..fe4932fda01d 100644
+--- a/arch/arm/mach-iop13xx/setup.c
++++ b/arch/arm/mach-iop13xx/setup.c
+@@ -300,7 +300,7 @@ static struct resource iop13xx_adma_2_resources[] = {
+ }
+ };
+
+-static u64 iop13xx_adma_dmamask = DMA_BIT_MASK(64);
++static u64 iop13xx_adma_dmamask = DMA_BIT_MASK(32);
+ static struct iop_adma_platform_data iop13xx_adma_0_data = {
+ .hw_id = 0,
+ .pool_size = PAGE_SIZE,
+@@ -324,7 +324,7 @@ static struct platform_device iop13xx_adma_0_channel = {
+ .resource = iop13xx_adma_0_resources,
+ .dev = {
+ .dma_mask = &iop13xx_adma_dmamask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ .platform_data = (void *) &iop13xx_adma_0_data,
+ },
+ };
+@@ -336,7 +336,7 @@ static struct platform_device iop13xx_adma_1_channel = {
+ .resource = iop13xx_adma_1_resources,
+ .dev = {
+ .dma_mask = &iop13xx_adma_dmamask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ .platform_data = (void *) &iop13xx_adma_1_data,
+ },
+ };
+@@ -348,7 +348,7 @@ static struct platform_device iop13xx_adma_2_channel = {
+ .resource = iop13xx_adma_2_resources,
+ .dev = {
+ .dma_mask = &iop13xx_adma_dmamask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ .platform_data = (void *) &iop13xx_adma_2_data,
+ },
+ };
+diff --git a/arch/arm/mach-iop13xx/tpmi.c b/arch/arm/mach-iop13xx/tpmi.c
+index db511ec2b1df..116feb6b261e 100644
+--- a/arch/arm/mach-iop13xx/tpmi.c
++++ b/arch/arm/mach-iop13xx/tpmi.c
+@@ -152,7 +152,7 @@ static struct resource iop13xx_tpmi_3_resources[] = {
+ }
+ };
+
+-u64 iop13xx_tpmi_mask = DMA_BIT_MASK(64);
++u64 iop13xx_tpmi_mask = DMA_BIT_MASK(32);
+ static struct platform_device iop13xx_tpmi_0_device = {
+ .name = "iop-tpmi",
+ .id = 0,
+@@ -160,7 +160,7 @@ static struct platform_device iop13xx_tpmi_0_device = {
+ .resource = iop13xx_tpmi_0_resources,
+ .dev = {
+ .dma_mask = &iop13xx_tpmi_mask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ },
+ };
+
+@@ -171,7 +171,7 @@ static struct platform_device iop13xx_tpmi_1_device = {
+ .resource = iop13xx_tpmi_1_resources,
+ .dev = {
+ .dma_mask = &iop13xx_tpmi_mask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ },
+ };
+
+@@ -182,7 +182,7 @@ static struct platform_device iop13xx_tpmi_2_device = {
+ .resource = iop13xx_tpmi_2_resources,
+ .dev = {
+ .dma_mask = &iop13xx_tpmi_mask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ },
+ };
+
+@@ -193,7 +193,7 @@ static struct platform_device iop13xx_tpmi_3_device = {
+ .resource = iop13xx_tpmi_3_resources,
+ .dev = {
+ .dma_mask = &iop13xx_tpmi_mask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ },
+ };
+
+diff --git a/arch/arm/plat-iop/adma.c b/arch/arm/plat-iop/adma.c
+index a4d1f8de3b5b..d9612221e484 100644
+--- a/arch/arm/plat-iop/adma.c
++++ b/arch/arm/plat-iop/adma.c
+@@ -143,7 +143,7 @@ struct platform_device iop3xx_dma_0_channel = {
+ .resource = iop3xx_dma_0_resources,
+ .dev = {
+ .dma_mask = &iop3xx_adma_dmamask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ .platform_data = (void *) &iop3xx_dma_0_data,
+ },
+ };
+@@ -155,7 +155,7 @@ struct platform_device iop3xx_dma_1_channel = {
+ .resource = iop3xx_dma_1_resources,
+ .dev = {
+ .dma_mask = &iop3xx_adma_dmamask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ .platform_data = (void *) &iop3xx_dma_1_data,
+ },
+ };
+@@ -167,7 +167,7 @@ struct platform_device iop3xx_aau_channel = {
+ .resource = iop3xx_aau_resources,
+ .dev = {
+ .dma_mask = &iop3xx_adma_dmamask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ .platform_data = (void *) &iop3xx_aau_data,
+ },
+ };
+--
+2.16.4
+
diff --git a/patches.arch/ARM-orion-don-t-use-using-64-bit-DMA-masks.patch b/patches.arch/ARM-orion-don-t-use-using-64-bit-DMA-masks.patch
new file mode 100644
index 0000000000..68460d2c69
--- /dev/null
+++ b/patches.arch/ARM-orion-don-t-use-using-64-bit-DMA-masks.patch
@@ -0,0 +1,53 @@
+From cd92d74d67c811dc22544430b9ac3029f5bd64c5 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 25 Mar 2019 16:50:42 +0100
+Subject: [PATCH] ARM: orion: don't use using 64-bit DMA masks
+Git-commit: cd92d74d67c811dc22544430b9ac3029f5bd64c5
+Patch-mainline: v5.1-rc4
+References: bsc#1051510
+
+clang warns about statically defined DMA masks from the DMA_BIT_MASK
+macro with length 64:
+
+arch/arm/plat-orion/common.c:625:29: error: shift count >= width of type [-Werror,-Wshift-count-overflow]
+ .coherent_dma_mask = DMA_BIT_MASK(64),
+ ^~~~~~~~~~~~~~~~
+include/linux/dma-mapping.h:141:54: note: expanded from macro 'DMA_BIT_MASK'
+ #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
+
+The ones in orion shouldn't really be 64 bit masks, so changing them
+to what the driver can support avoids the warning.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/plat-orion/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/plat-orion/common.c b/arch/arm/plat-orion/common.c
+index a6c81ce00f52..8647cb80a93b 100644
+--- a/arch/arm/plat-orion/common.c
++++ b/arch/arm/plat-orion/common.c
+@@ -622,7 +622,7 @@ static struct platform_device orion_xor0_shared = {
+ .resource = orion_xor0_shared_resources,
+ .dev = {
+ .dma_mask = &orion_xor_dmamask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ .platform_data = &orion_xor0_pdata,
+ },
+ };
+@@ -683,7 +683,7 @@ static struct platform_device orion_xor1_shared = {
+ .resource = orion_xor1_shared_resources,
+ .dev = {
+ .dma_mask = &orion_xor_dmamask,
+- .coherent_dma_mask = DMA_BIT_MASK(64),
++ .coherent_dma_mask = DMA_BIT_MASK(32),
+ .platform_data = &orion_xor1_pdata,
+ },
+ };
+--
+2.16.4
+
diff --git a/patches.arch/crypto-vmx-ghash-do-nosimd-fallback-manually.patch b/patches.arch/crypto-vmx-ghash-do-nosimd-fallback-manually.patch
new file mode 100644
index 0000000000..026e011e2b
--- /dev/null
+++ b/patches.arch/crypto-vmx-ghash-do-nosimd-fallback-manually.patch
@@ -0,0 +1,312 @@
+From 357d065a44cdd77ed5ff35155a989f2a763e96ef Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 17 May 2019 01:40:02 +1000
+Subject: [PATCH] crypto: vmx - ghash: do nosimd fallback manually
+
+References: bsc#1135661, bsc#1137162
+Patch-mainline: v5.2-rc2
+Git-commit: 357d065a44cdd77ed5ff35155a989f2a763e96ef
+
+VMX ghash was using a fallback that did not support interleaving simd
+and nosimd operations, leading to failures in the extended test suite.
+
+If I understood correctly, Eric's suggestion was to use the same
+data format that the generic code uses, allowing us to call into it
+with the same contexts. I wasn't able to get that to work - I think
+there's a very different key structure and data layout being used.
+
+So instead steal the arm64 approach and perform the fallback
+operations directly if required.
+
+Fixes: cc333cd68dfa ("crypto: vmx - Adding GHASH routines for VMX module")
+Cc: stable@vger.kernel.org # v4.1+
+Reported-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Tested-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ drivers/crypto/vmx/ghash.c | 211 +++++++++++++++----------------------
+ 1 file changed, 86 insertions(+), 125 deletions(-)
+
+--- a/drivers/crypto/vmx/ghash.c
++++ b/drivers/crypto/vmx/ghash.c
+@@ -1,22 +1,14 @@
++// SPDX-License-Identifier: GPL-2.0
+ /**
+ * GHASH routines supporting VMX instructions on the Power 8
+ *
+- * Copyright (C) 2015 International Business Machines Inc.
+- *
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; version 2 only.
+- *
+- * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- * GNU General Public License for more details.
+- *
+- * You should have received a copy of the GNU General Public License
+- * along with this program; if not, write to the Free Software
+- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
++ * Copyright (C) 2015, 2019 International Business Machines Inc.
+ *
+ * Author: Marcelo Henrique Cerri <mhcerri@br.ibm.com>
++ *
++ * Extended by Daniel Axtens <dja@axtens.net> to replace the fallback
++ * mechanism. The new approach is based on arm64 code, which is:
++ * Copyright (C) 2014 - 2018 Linaro Ltd. <ard.biesheuvel@linaro.org>
+ */
+
+ #include <linux/types.h>
+@@ -39,71 +31,25 @@ void gcm_ghash_p8(u64 Xi[2], const u128
+ const u8 *in, size_t len);
+
+ struct p8_ghash_ctx {
++ /* key used by vector asm */
+ u128 htable[16];
+- struct crypto_shash *fallback;
++ /* key used by software fallback */
++ be128 key;
+ };
+
+ struct p8_ghash_desc_ctx {
+ u64 shash[2];
+ u8 buffer[GHASH_DIGEST_SIZE];
+ int bytes;
+- struct shash_desc fallback_desc;
+ };
+
+-static int p8_ghash_init_tfm(struct crypto_tfm *tfm)
+-{
+- const char *alg = "ghash-generic";
+- struct crypto_shash *fallback;
+- struct crypto_shash *shash_tfm = __crypto_shash_cast(tfm);
+- struct p8_ghash_ctx *ctx = crypto_tfm_ctx(tfm);
+-
+- fallback = crypto_alloc_shash(alg, 0, CRYPTO_ALG_NEED_FALLBACK);
+- if (IS_ERR(fallback)) {
+- printk(KERN_ERR
+- "Failed to allocate transformation for '%s': %ld\n",
+- alg, PTR_ERR(fallback));
+- return PTR_ERR(fallback);
+- }
+-
+- crypto_shash_set_flags(fallback,
+- crypto_shash_get_flags((struct crypto_shash
+- *) tfm));
+-
+- /* Check if the descsize defined in the algorithm is still enough. */
+- if (shash_tfm->descsize < sizeof(struct p8_ghash_desc_ctx)
+- + crypto_shash_descsize(fallback)) {
+- printk(KERN_ERR
+- "Desc size of the fallback implementation (%s) does not match the expected value: %lu vs %u\n",
+- alg,
+- shash_tfm->descsize - sizeof(struct p8_ghash_desc_ctx),
+- crypto_shash_descsize(fallback));
+- return -EINVAL;
+- }
+- ctx->fallback = fallback;
+-
+- return 0;
+-}
+-
+-static void p8_ghash_exit_tfm(struct crypto_tfm *tfm)
+-{
+- struct p8_ghash_ctx *ctx = crypto_tfm_ctx(tfm);
+-
+- if (ctx->fallback) {
+- crypto_free_shash(ctx->fallback);
+- ctx->fallback = NULL;
+- }
+-}
+-
+ static int p8_ghash_init(struct shash_desc *desc)
+ {
+- struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm));
+ struct p8_ghash_desc_ctx *dctx = shash_desc_ctx(desc);
+
+ dctx->bytes = 0;
+ memset(dctx->shash, 0, GHASH_DIGEST_SIZE);
+- dctx->fallback_desc.tfm = ctx->fallback;
+- dctx->fallback_desc.flags = desc->flags;
+- return crypto_shash_init(&dctx->fallback_desc);
++ return 0;
+ }
+
+ static int p8_ghash_setkey(struct crypto_shash *tfm, const u8 *key,
+@@ -121,7 +67,51 @@ static int p8_ghash_setkey(struct crypto
+ disable_kernel_vsx();
+ pagefault_enable();
+ preempt_enable();
+- return crypto_shash_setkey(ctx->fallback, key, keylen);
++
++ memcpy(&ctx->key, key, GHASH_BLOCK_SIZE);
++
++ return 0;
++}
++
++static inline void __ghash_block(struct p8_ghash_ctx *ctx,
++ struct p8_ghash_desc_ctx *dctx)
++{
++ if (!IN_INTERRUPT) {
++ preempt_disable();
++ pagefault_disable();
++ enable_kernel_vsx();
++ gcm_ghash_p8(dctx->shash, ctx->htable,
++ dctx->buffer, GHASH_DIGEST_SIZE);
++ disable_kernel_vsx();
++ pagefault_enable();
++ preempt_enable();
++ } else {
++ crypto_xor((u8 *)dctx->shash, dctx->buffer, GHASH_BLOCK_SIZE);
++ gf128mul_lle((be128 *)dctx->shash, &ctx->key);
++ }
++}
++
++static inline void __ghash_blocks(struct p8_ghash_ctx *ctx,
++ struct p8_ghash_desc_ctx *dctx,
++ const u8 *src, unsigned int srclen)
++{
++ if (!IN_INTERRUPT) {
++ preempt_disable();
++ pagefault_disable();
++ enable_kernel_vsx();
++ gcm_ghash_p8(dctx->shash, ctx->htable,
++ src, srclen);
++ disable_kernel_vsx();
++ pagefault_enable();
++ preempt_enable();
++ } else {
++ while (srclen >= GHASH_BLOCK_SIZE) {
++ crypto_xor((u8 *)dctx->shash, src, GHASH_BLOCK_SIZE);
++ gf128mul_lle((be128 *)dctx->shash, &ctx->key);
++ srclen -= GHASH_BLOCK_SIZE;
++ src += GHASH_BLOCK_SIZE;
++ }
++ }
+ }
+
+ static int p8_ghash_update(struct shash_desc *desc,
+@@ -131,49 +121,33 @@ static int p8_ghash_update(struct shash_
+ struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm));
+ struct p8_ghash_desc_ctx *dctx = shash_desc_ctx(desc);
+
+- if (IN_INTERRUPT) {
+- return crypto_shash_update(&dctx->fallback_desc, src,
+- srclen);
+- } else {
+- if (dctx->bytes) {
+- if (dctx->bytes + srclen < GHASH_DIGEST_SIZE) {
+- memcpy(dctx->buffer + dctx->bytes, src,
+- srclen);
+- dctx->bytes += srclen;
+- return 0;
+- }
++ if (dctx->bytes) {
++ if (dctx->bytes + srclen < GHASH_DIGEST_SIZE) {
+ memcpy(dctx->buffer + dctx->bytes, src,
+- GHASH_DIGEST_SIZE - dctx->bytes);
+- preempt_disable();
+- pagefault_disable();
+- enable_kernel_vsx();
+- gcm_ghash_p8(dctx->shash, ctx->htable,
+- dctx->buffer, GHASH_DIGEST_SIZE);
+- disable_kernel_vsx();
+- pagefault_enable();
+- preempt_enable();
+- src += GHASH_DIGEST_SIZE - dctx->bytes;
+- srclen -= GHASH_DIGEST_SIZE - dctx->bytes;
+- dctx->bytes = 0;
++ srclen);
++ dctx->bytes += srclen;
++ return 0;
+ }
+- len = srclen & ~(GHASH_DIGEST_SIZE - 1);
+- if (len) {
+- preempt_disable();
+- pagefault_disable();
+- enable_kernel_vsx();
+- gcm_ghash_p8(dctx->shash, ctx->htable, src, len);
+- disable_kernel_vsx();
+- pagefault_enable();
+- preempt_enable();
+- src += len;
+- srclen -= len;
+- }
+- if (srclen) {
+- memcpy(dctx->buffer, src, srclen);
+- dctx->bytes = srclen;
+- }
+- return 0;
++ memcpy(dctx->buffer + dctx->bytes, src,
++ GHASH_DIGEST_SIZE - dctx->bytes);
++
++ __ghash_block(ctx, dctx);
++
++ src += GHASH_DIGEST_SIZE - dctx->bytes;
++ srclen -= GHASH_DIGEST_SIZE - dctx->bytes;
++ dctx->bytes = 0;
++ }
++ len = srclen & ~(GHASH_DIGEST_SIZE - 1);
++ if (len) {
++ __ghash_blocks(ctx, dctx, src, len);
++ src += len;
++ srclen -= len;
+ }
++ if (srclen) {
++ memcpy(dctx->buffer, src, srclen);
++ dctx->bytes = srclen;
++ }
++ return 0;
+ }
+
+ static int p8_ghash_final(struct shash_desc *desc, u8 *out)
+@@ -182,25 +156,14 @@ static int p8_ghash_final(struct shash_d
+ struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm));
+ struct p8_ghash_desc_ctx *dctx = shash_desc_ctx(desc);
+
+- if (IN_INTERRUPT) {
+- return crypto_shash_final(&dctx->fallback_desc, out);
+- } else {
+- if (dctx->bytes) {
+- for (i = dctx->bytes; i < GHASH_DIGEST_SIZE; i++)
+- dctx->buffer[i] = 0;
+- preempt_disable();
+- pagefault_disable();
+- enable_kernel_vsx();
+- gcm_ghash_p8(dctx->shash, ctx->htable,
+- dctx->buffer, GHASH_DIGEST_SIZE);
+- disable_kernel_vsx();
+- pagefault_enable();
+- preempt_enable();
+- dctx->bytes = 0;
+- }
+- memcpy(out, dctx->shash, GHASH_DIGEST_SIZE);
+- return 0;
++ if (dctx->bytes) {
++ for (i = dctx->bytes; i < GHASH_DIGEST_SIZE; i++)
++ dctx->buffer[i] = 0;
++ __ghash_block(ctx, dctx);
++ dctx->bytes = 0;
+ }
++ memcpy(out, dctx->shash, GHASH_DIGEST_SIZE);
++ return 0;
+ }
+
+ struct shash_alg p8_ghash_alg = {
+@@ -215,11 +178,9 @@ struct shash_alg p8_ghash_alg = {
+ .cra_name = "ghash",
+ .cra_driver_name = "p8_ghash",
+ .cra_priority = 1000,
+- .cra_flags = CRYPTO_ALG_TYPE_SHASH | CRYPTO_ALG_NEED_FALLBACK,
++ .cra_flags = CRYPTO_ALG_TYPE_SHASH,
+ .cra_blocksize = GHASH_BLOCK_SIZE,
+ .cra_ctxsize = sizeof(struct p8_ghash_ctx),
+ .cra_module = THIS_MODULE,
+- .cra_init = p8_ghash_init_tfm,
+- .cra_exit = p8_ghash_exit_tfm,
+ },
+ };
diff --git a/patches.arch/crypto-vmx-return-correct-error-code-on-failed-setke.patch b/patches.arch/crypto-vmx-return-correct-error-code-on-failed-setke.patch
new file mode 100644
index 0000000000..8ea5c7af21
--- /dev/null
+++ b/patches.arch/crypto-vmx-return-correct-error-code-on-failed-setke.patch
@@ -0,0 +1,112 @@
+From 5749f687b62ea74a42aaf0723da49a18247649db Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 9 Apr 2019 23:46:35 -0700
+Subject: [PATCH] crypto: vmx - return correct error code on failed setkey
+
+References: bsc#1135661, bsc#1137162
+Patch-mainline: v5.2-rc1
+Git-commit: 694e0db6600c12f8172efb51cd4b4bbade958562
+
+In the VMX implementations of AES and AES modes, return -EINVAL when an
+invalid key length is provided, rather than some unusual error code
+determined via a series of additions. This makes the behavior match the
+other AES implementations in the kernel's crypto API.
+
+Cc: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ drivers/crypto/vmx/aes.c | 7 ++++---
+ drivers/crypto/vmx/aes_cbc.c | 7 ++++---
+ drivers/crypto/vmx/aes_ctr.c | 5 +++--
+ drivers/crypto/vmx/aes_xts.c | 9 +++++----
+ 4 files changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/crypto/vmx/aes.c b/drivers/crypto/vmx/aes.c
+index b0cd5aff3822..5e85dfca8242 100644
+--- a/drivers/crypto/vmx/aes.c
++++ b/drivers/crypto/vmx/aes.c
+@@ -83,13 +83,14 @@ static int p8_aes_setkey(struct crypto_tfm *tfm, const u8 *key,
+ pagefault_disable();
+ enable_kernel_vsx();
+ ret = aes_p8_set_encrypt_key(key, keylen * 8, &ctx->enc_key);
+- ret += aes_p8_set_decrypt_key(key, keylen * 8, &ctx->dec_key);
++ ret |= aes_p8_set_decrypt_key(key, keylen * 8, &ctx->dec_key);
+ disable_kernel_vsx();
+ pagefault_enable();
+ preempt_enable();
+
+- ret += crypto_cipher_setkey(ctx->fallback, key, keylen);
+- return ret;
++ ret |= crypto_cipher_setkey(ctx->fallback, key, keylen);
++
++ return ret ? -EINVAL : 0;
+ }
+
+ static void p8_aes_encrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src)
+diff --git a/drivers/crypto/vmx/aes_cbc.c b/drivers/crypto/vmx/aes_cbc.c
+index 668e285f1a64..bb01e62700af 100644
+--- a/drivers/crypto/vmx/aes_cbc.c
++++ b/drivers/crypto/vmx/aes_cbc.c
+@@ -86,13 +86,14 @@ static int p8_aes_cbc_setkey(struct crypto_tfm *tfm, const u8 *key,
+ pagefault_disable();
+ enable_kernel_vsx();
+ ret = aes_p8_set_encrypt_key(key, keylen * 8, &ctx->enc_key);
+- ret += aes_p8_set_decrypt_key(key, keylen * 8, &ctx->dec_key);
++ ret |= aes_p8_set_decrypt_key(key, keylen * 8, &ctx->dec_key);
+ disable_kernel_vsx();
+ pagefault_enable();
+ preempt_enable();
+
+- ret += crypto_skcipher_setkey(ctx->fallback, key, keylen);
+- return ret;
++ ret |= crypto_skcipher_setkey(ctx->fallback, key, keylen);
++
++ return ret ? -EINVAL : 0;
+ }
+
+ static int p8_aes_cbc_encrypt(struct blkcipher_desc *desc,
+diff --git a/drivers/crypto/vmx/aes_ctr.c b/drivers/crypto/vmx/aes_ctr.c
+index 386943e65a20..a9bac01ba2fb 100644
+--- a/drivers/crypto/vmx/aes_ctr.c
++++ b/drivers/crypto/vmx/aes_ctr.c
+@@ -88,8 +88,9 @@ static int p8_aes_ctr_setkey(struct crypto_tfm *tfm, const u8 *key,
+ pagefault_enable();
+ preempt_enable();
+
+- ret += crypto_skcipher_setkey(ctx->fallback, key, keylen);
+- return ret;
++ ret |= crypto_skcipher_setkey(ctx->fallback, key, keylen);
++
++ return ret ? -EINVAL : 0;
+ }
+
+ static void p8_aes_ctr_final(struct p8_aes_ctr_ctx *ctx,
+diff --git a/drivers/crypto/vmx/aes_xts.c b/drivers/crypto/vmx/aes_xts.c
+index 16f6c0cef4ac..f9c224192802 100644
+--- a/drivers/crypto/vmx/aes_xts.c
++++ b/drivers/crypto/vmx/aes_xts.c
+@@ -91,14 +91,15 @@ static int p8_aes_xts_setkey(struct crypto_tfm *tfm, const u8 *key,
+ pagefault_disable();
+ enable_kernel_vsx();
+ ret = aes_p8_set_encrypt_key(key + keylen/2, (keylen/2) * 8, &ctx->tweak_key);
+- ret += aes_p8_set_encrypt_key(key, (keylen/2) * 8, &ctx->enc_key);
+- ret += aes_p8_set_decrypt_key(key, (keylen/2) * 8, &ctx->dec_key);
++ ret |= aes_p8_set_encrypt_key(key, (keylen/2) * 8, &ctx->enc_key);
++ ret |= aes_p8_set_decrypt_key(key, (keylen/2) * 8, &ctx->dec_key);
+ disable_kernel_vsx();
+ pagefault_enable();
+ preempt_enable();
+
+- ret += crypto_skcipher_setkey(ctx->fallback, key, keylen);
+- return ret;
++ ret |= crypto_skcipher_setkey(ctx->fallback, key, keylen);
++
++ return ret ? -EINVAL : 0;
+ }
+
+ static int p8_aes_xts_crypt(struct blkcipher_desc *desc,
+--
+2.20.1
+
diff --git a/patches.arch/efi-arm-Don-t-mark-ACPI-reclaim-memory-as-MEMBLOCK_N.patch b/patches.arch/efi-arm-Don-t-mark-ACPI-reclaim-memory-as-MEMBLOCK_N.patch
new file mode 100644
index 0000000000..d3270c0524
--- /dev/null
+++ b/patches.arch/efi-arm-Don-t-mark-ACPI-reclaim-memory-as-MEMBLOCK_N.patch
@@ -0,0 +1,66 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Fri, 18 Aug 2017 20:49:34 +0100
+Subject: efi/arm: Don't mark ACPI reclaim memory as MEMBLOCK_NOMAP
+Git-commit: f56ab9a5b73ca2aee777ccdf2d355ae2dd31db5a
+Patch-mainline: v4.14-rc1
+References: bsc#1117158 bsc#1115688 bsc#1134671
+
+On ARM, regions of memory that are described by UEFI as having special
+significance to the firmware itself are omitted from the linear mapping.
+This is necessary since we cannot guarantee that alternate mappings of
+the same physical region will use attributes that are compatible with
+the ones we use for the linear mapping, and aliases with mismatched
+attributes are prohibited by the architecture.
+
+The above does not apply to ACPI reclaim regions: such regions have no
+special significance to the firmware, and it is up to the OS to decide
+whether or not to preserve them after it has consumed their contents,
+and for how long, after which time the OS can use the memory in any way
+it likes. In the Linux case, such regions are preserved indefinitely,
+and are simply treated the same way as other 'reserved' memory types.
+
+Punching holes into the linear mapping causes page table fragmentation,
+which increases TLB pressure, and so we should avoid doing so if we can.
+So add a special case for regions of type EFI_ACPI_RECLAIM_MEMORY, and
+memblock_reserve() them instead of marking them MEMBLOCK_NOMAP.
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20170818194947.19347-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ drivers/firmware/efi/arm-init.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/firmware/efi/arm-init.c b/drivers/firmware/efi/arm-init.c
+index 1027d7b44358..0aa4ce7b4fbb 100644
+--- a/drivers/firmware/efi/arm-init.c
++++ b/drivers/firmware/efi/arm-init.c
+@@ -159,6 +159,7 @@ static __init int is_usable_memory(efi_memory_desc_t *md)
+ switch (md->type) {
+ case EFI_LOADER_CODE:
+ case EFI_LOADER_DATA:
++ case EFI_ACPI_RECLAIM_MEMORY:
+ case EFI_BOOT_SERVICES_CODE:
+ case EFI_BOOT_SERVICES_DATA:
+ case EFI_CONVENTIONAL_MEMORY:
+@@ -211,6 +212,10 @@ static __init void reserve_regions(void)
+
+ if (!is_usable_memory(md))
+ memblock_mark_nomap(paddr, size);
++
++ /* keep ACPI reclaim memory intact for kexec etc. */
++ if (md->type == EFI_ACPI_RECLAIM_MEMORY)
++ memblock_reserve(paddr, size);
+ }
+ }
+ }
+--
+2.20.1
+
diff --git a/patches.arch/powerpc-perf-Fix-MMCRA-corruption-by-bhrb_filter.patch b/patches.arch/powerpc-perf-Fix-MMCRA-corruption-by-bhrb_filter.patch
new file mode 100644
index 0000000000..68a8a2b5cf
--- /dev/null
+++ b/patches.arch/powerpc-perf-Fix-MMCRA-corruption-by-bhrb_filter.patch
@@ -0,0 +1,114 @@
+From 3202e35ec1c8fc19cea24253ff83edf702a60a02 Mon Sep 17 00:00:00 2001
+From: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Date: Sat, 11 May 2019 08:12:17 +0530
+Subject: [PATCH] powerpc/perf: Fix MMCRA corruption by bhrb_filter
+
+References: bsc#1053043
+Patch-mainline: v5.2-rc3
+Git-commit: 3202e35ec1c8fc19cea24253ff83edf702a60a02
+
+Consider a scenario where user creates two events:
+
+ 1st event:
+ attr.sample_type |= PERF_SAMPLE_BRANCH_STACK;
+ attr.branch_sample_type = PERF_SAMPLE_BRANCH_ANY;
+ fd = perf_event_open(attr, 0, 1, -1, 0);
+
+ This sets cpuhw->bhrb_filter to 0 and returns valid fd.
+
+ 2nd event:
+ attr.sample_type |= PERF_SAMPLE_BRANCH_STACK;
+ attr.branch_sample_type = PERF_SAMPLE_BRANCH_CALL;
+ fd = perf_event_open(attr, 0, 1, -1, 0);
+
+ It overrides cpuhw->bhrb_filter to -1 and returns with error.
+
+Now if power_pmu_enable() gets called by any path other than
+power_pmu_add(), ppmu->config_bhrb(-1) will set MMCRA to -1.
+
+Fixes: 3925f46bb590 ("powerpc/perf: Enable branch stack sampling framework")
+Cc: stable@vger.kernel.org # v3.10+
+Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Reviewed-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/perf/core-book3s.c | 6 ++++--
+ arch/powerpc/perf/power8-pmu.c | 3 +++
+ arch/powerpc/perf/power9-pmu.c | 3 +++
+ 3 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c
+index a66fb9c01c9e..2c21ff896e2c 100644
+--- a/arch/powerpc/perf/core-book3s.c
++++ b/arch/powerpc/perf/core-book3s.c
+@@ -1850,6 +1850,7 @@ static int power_pmu_event_init(struct perf_event *event)
+ int n;
+ int err;
+ struct cpu_hw_events *cpuhw;
++ u64 bhrb_filter;
+
+ if (!ppmu)
+ return -ENOENT;
+@@ -1955,13 +1956,14 @@ static int power_pmu_event_init(struct perf_event *event)
+ err = power_check_constraints(cpuhw, events, cflags, n + 1);
+
+ if (has_branch_stack(event)) {
+- cpuhw->bhrb_filter = ppmu->bhrb_filter_map(
++ bhrb_filter = ppmu->bhrb_filter_map(
+ event->attr.branch_sample_type);
+
+- if (cpuhw->bhrb_filter == -1) {
++ if (bhrb_filter == -1) {
+ put_cpu_var(cpu_hw_events);
+ return -EOPNOTSUPP;
+ }
++ cpuhw->bhrb_filter = bhrb_filter;
+ }
+
+ put_cpu_var(cpu_hw_events);
+diff --git a/arch/powerpc/perf/power8-pmu.c b/arch/powerpc/perf/power8-pmu.c
+index bcc3409a06de..c0eb3e2329f0 100644
+--- a/arch/powerpc/perf/power8-pmu.c
++++ b/arch/powerpc/perf/power8-pmu.c
+@@ -29,6 +29,7 @@ enum {
+ #define POWER8_MMCRA_IFM1 0x0000000040000000UL
+ #define POWER8_MMCRA_IFM2 0x0000000080000000UL
+ #define POWER8_MMCRA_IFM3 0x00000000C0000000UL
++#define POWER8_MMCRA_BHRB_MASK 0x00000000C0000000UL
+
+ /*
+ * Raw event encoding for PowerISA v2.07 (Power8):
+@@ -243,6 +244,8 @@ static u64 power8_bhrb_filter_map(u64 branch_sample_type)
+
+ static void power8_config_bhrb(u64 pmu_bhrb_filter)
+ {
++ pmu_bhrb_filter &= POWER8_MMCRA_BHRB_MASK;
++
+ /* Enable BHRB filter in PMU */
+ mtspr(SPRN_MMCRA, (mfspr(SPRN_MMCRA) | pmu_bhrb_filter));
+ }
+diff --git a/arch/powerpc/perf/power9-pmu.c b/arch/powerpc/perf/power9-pmu.c
+index 3a31ac6f4805..e19c492bd6ec 100644
+--- a/arch/powerpc/perf/power9-pmu.c
++++ b/arch/powerpc/perf/power9-pmu.c
+@@ -92,6 +92,7 @@ enum {
+ #define POWER9_MMCRA_IFM1 0x0000000040000000UL
+ #define POWER9_MMCRA_IFM2 0x0000000080000000UL
+ #define POWER9_MMCRA_IFM3 0x00000000C0000000UL
++#define POWER9_MMCRA_BHRB_MASK 0x00000000C0000000UL
+
+ /* Nasty Power9 specific hack */
+ #define PVR_POWER9_CUMULUS 0x00002000
+@@ -300,6 +301,8 @@ static u64 power9_bhrb_filter_map(u64 branch_sample_type)
+
+ static void power9_config_bhrb(u64 pmu_bhrb_filter)
+ {
++ pmu_bhrb_filter &= POWER9_MMCRA_BHRB_MASK;
++
+ /* Enable BHRB filter in PMU */
+ mtspr(SPRN_MMCRA, (mfspr(SPRN_MMCRA) | pmu_bhrb_filter));
+ }
+--
+2.20.1
+
diff --git a/patches.arch/s390-smp-fix-cpu-hotplug-deadlock-with-cpu-rescan b/patches.arch/s390-smp-fix-cpu-hotplug-deadlock-with-cpu-rescan
index 47f559027e..9e3308d697 100644
--- a/patches.arch/s390-smp-fix-cpu-hotplug-deadlock-with-cpu-rescan
+++ b/patches.arch/s390-smp-fix-cpu-hotplug-deadlock-with-cpu-rescan
@@ -1,9 +1,11 @@
+From b7cb707c373094ce4008d4a6ac9b6b366ec52da5 Mon Sep 17 00:00:00 2001
From: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Date: Wed, 9 Jan 2019 13:00:03 +0100
-Subject: s390/smp: fix CPU hotplug deadlock with CPU rescan
-Git-commit: b7cb707c373094ce4008d4a6ac9b6b366ec52da5
-Patch-mainline: v5.0 or v5.0-rc3 (next release)
+Subject: [PATCH] s390/smp: fix CPU hotplug deadlock with CPU rescan
+
References: git-fixes
+Patch-mainline: v5.0-rc4
+Git-commit: b7cb707c373094ce4008d4a6ac9b6b366ec52da5
smp_rescan_cpus() is called without the device_hotplug_lock, which can lead
to a dedlock when a new CPU is found and immediately set online by a udev
@@ -47,17 +49,17 @@ Fix this by taking the device_hotplug_lock in the CPU rescan path.
Cc: <stable@vger.kernel.org>
Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-[ ptesarik: Context adjusted, because SLE15 does not contain upstream
- commit 6cbaefb4bf2ce6746e49c972289702133b347ffa. ]
Acked-by: Petr Tesarik <ptesarik@suse.com>
---
- arch/s390/kernel/smp.c | 4 ++++
- drivers/s390/char/sclp_config.c | 2 ++
+ arch/s390/kernel/smp.c | 4 ++++
+ drivers/s390/char/sclp_config.c | 2 ++
2 files changed, 6 insertions(+)
+diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c
+index f82b3d3c36e2..307a1c86ea21 100644
--- a/arch/s390/kernel/smp.c
+++ b/arch/s390/kernel/smp.c
-@@ -1163,7 +1163,11 @@ static ssize_t __ref rescan_store(struct
+@@ -1166,7 +1166,11 @@ static ssize_t __ref rescan_store(struct device *dev,
{
int rc;
@@ -68,10 +70,12 @@ Acked-by: Petr Tesarik <ptesarik@suse.com>
+ unlock_device_hotplug();
return rc ? rc : count;
}
- static DEVICE_ATTR(rescan, 0200, NULL, rescan_store);
+ static DEVICE_ATTR_WO(rescan);
+diff --git a/drivers/s390/char/sclp_config.c b/drivers/s390/char/sclp_config.c
+index 194ffd5c8580..039b2074db7e 100644
--- a/drivers/s390/char/sclp_config.c
+++ b/drivers/s390/char/sclp_config.c
-@@ -59,7 +59,9 @@ static void sclp_cpu_capability_notify(s
+@@ -60,7 +60,9 @@ static void sclp_cpu_capability_notify(struct work_struct *work)
static void __ref sclp_cpu_change_notify(struct work_struct *work)
{
@@ -81,3 +85,6 @@ Acked-by: Petr Tesarik <ptesarik@suse.com>
}
static void sclp_conf_receiver_fn(struct evbuf_header *evbuf)
+--
+2.20.1
+
diff --git a/patches.drivers/0001-efi-add-API-to-reserve-memory-persistently-across-ke.patch b/patches.drivers/0001-efi-add-API-to-reserve-memory-persistently-across-ke.patch
new file mode 100644
index 0000000000..24ee2b7c1c
--- /dev/null
+++ b/patches.drivers/0001-efi-add-API-to-reserve-memory-persistently-across-ke.patch
@@ -0,0 +1,76 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Fri, 21 Sep 2018 09:32:46 -0700
+Subject: efi: add API to reserve memory persistently across kexec reboot
+Git-commit: a23d3bb05ccbd815c79293d2207fedede0b3515d
+Patch-mainline: v4.20-rc1
+References: bsc#1117158 bsc#1134671
+
+Add kernel plumbing to reserve memory regions persistently on a EFI
+system by adding entries to the MEMRESERVE linked list.
+
+Tested-by: Jeremy Linton <jeremy.linton@arm.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ drivers/firmware/efi/efi.c | 32 ++++++++++++++++++++++++++++++++
+ include/linux/efi.h | 1 +
+ 2 files changed, 33 insertions(+)
+
+diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
+index 688132ac8a0a..249eb70691b0 100644
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -962,6 +962,38 @@ bool efi_is_table_address(unsigned long phys_addr)
+ return false;
+ }
+
++static DEFINE_SPINLOCK(efi_mem_reserve_persistent_lock);
++
++int efi_mem_reserve_persistent(phys_addr_t addr, u64 size)
++{
++ struct linux_efi_memreserve *rsv, *parent;
++
++ if (efi.mem_reserve == EFI_INVALID_TABLE_ADDR)
++ return -ENODEV;
++
++ rsv = kmalloc(sizeof(*rsv), GFP_KERNEL);
++ if (!rsv)
++ return -ENOMEM;
++
++ parent = memremap(efi.mem_reserve, sizeof(*rsv), MEMREMAP_WB);
++ if (!parent) {
++ kfree(rsv);
++ return -ENOMEM;
++ }
++
++ rsv->base = addr;
++ rsv->size = size;
++
++ spin_lock(&efi_mem_reserve_persistent_lock);
++ rsv->next = parent->next;
++ parent->next = __pa(rsv);
++ spin_unlock(&efi_mem_reserve_persistent_lock);
++
++ memunmap(parent);
++
++ return 0;
++}
++
+ #ifdef CONFIG_KEXEC
+ static int update_efi_random_seed(struct notifier_block *nb,
+ unsigned long code, void *unused)
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index a5cb580472c5..22e4de9d3700 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -1043,6 +1043,7 @@ extern int __init efi_uart_console_only (void);
+ extern u64 efi_mem_desc_end(efi_memory_desc_t *md);
+ extern int efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md);
+ extern void efi_mem_reserve(phys_addr_t addr, u64 size);
++extern int efi_mem_reserve_persistent(phys_addr_t addr, u64 size);
+ extern void efi_initialize_iomem_resources(struct resource *code_resource,
+ struct resource *data_resource, struct resource *bss_resource);
+ extern void efi_reserve_boot_services(void);
+--
+2.16.4
+
diff --git a/patches.drivers/0001-efi-arm-libstub-add-a-root-memreserve-config-table.patch b/patches.drivers/0001-efi-arm-libstub-add-a-root-memreserve-config-table.patch
new file mode 100644
index 0000000000..62ec8e3c76
--- /dev/null
+++ b/patches.drivers/0001-efi-arm-libstub-add-a-root-memreserve-config-table.patch
@@ -0,0 +1,66 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Fri, 21 Sep 2018 09:32:45 -0700
+Subject: efi/arm: libstub: add a root memreserve config table
+Git-commit: b844470f22061e8cd646cb355e85d2f518b2c913
+Patch-mainline: v4.20-rc1
+References: bsc#1117158 bsc#1134671
+
+Installing UEFI configuration tables can only be done before calling
+ExitBootServices(), so if we want to use the new MEMRESRVE config table
+from the kernel proper, we need to install a dummy entry from the stub.
+
+Tested-by: Jeremy Linton <jeremy.linton@arm.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ drivers/firmware/efi/libstub/arm-stub.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c
+index 6920033de6d4..30ac0c975f8a 100644
+--- a/drivers/firmware/efi/libstub/arm-stub.c
++++ b/drivers/firmware/efi/libstub/arm-stub.c
+@@ -69,6 +69,31 @@ static struct screen_info *setup_graphics(efi_system_table_t *sys_table_arg)
+ return si;
+ }
+
++void install_memreserve_table(efi_system_table_t *sys_table_arg)
++{
++ struct linux_efi_memreserve *rsv;
++ efi_guid_t memreserve_table_guid = LINUX_EFI_MEMRESERVE_TABLE_GUID;
++ efi_status_t status;
++
++ status = efi_call_early(allocate_pool, EFI_LOADER_DATA, sizeof(*rsv),
++ (void **)&rsv);
++ if (status != EFI_SUCCESS) {
++ pr_efi_err(sys_table_arg, "Failed to allocate memreserve entry!\n");
++ return;
++ }
++
++ rsv->next = 0;
++ rsv->base = 0;
++ rsv->size = 0;
++
++ status = efi_call_early(install_configuration_table,
++ &memreserve_table_guid,
++ rsv);
++ if (status != EFI_SUCCESS)
++ pr_efi_err(sys_table_arg, "Failed to install memreserve config table!\n");
++}
++
++
+ /*
+ * This function handles the architcture specific differences between arm and
+ * arm64 regarding where the kernel image must be loaded and any memory that
+@@ -235,6 +260,8 @@ unsigned long efi_entry(void *handle, efi_system_table_t *sys_table,
+ }
+ }
+
++ install_memreserve_table(sys_table);
++
+ new_fdt_addr = fdt_addr;
+ status = allocate_new_fdt_and_exit_boot(sys_table, handle,
+ &new_fdt_addr, efi_get_max_fdt_addr(dram_base),
+--
+2.16.4
+
diff --git a/patches.drivers/0001-efi-honour-memory-reservations-passed-via-a-linux-sp.patch b/patches.drivers/0001-efi-honour-memory-reservations-passed-via-a-linux-sp.patch
new file mode 100644
index 0000000000..1d47930622
--- /dev/null
+++ b/patches.drivers/0001-efi-honour-memory-reservations-passed-via-a-linux-sp.patch
@@ -0,0 +1,103 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Fri, 21 Sep 2018 09:32:44 -0700
+Subject: efi: honour memory reservations passed via a linux specific config
+ table
+Git-commit: 71e0940d52e107748b270213a01d3b1546657d74
+Patch-mainline: v4.20-rc1
+References: bsc#1117158 bsc#1134671
+
+In order to allow the OS to reserve memory persistently across a
+kexec, introduce a Linux-specific UEFI configuration table that
+points to the head of a linked list in memory, allowing each kernel
+to add list items describing memory regions that the next kernel
+should treat as reserved.
+
+This is useful, e.g., for GICv3 based ARM systems that cannot disable
+DMA access to the LPI tables, forcing them to reuse the same memory
+region again after a kexec reboot.
+
+Tested-by: Jeremy Linton <jeremy.linton@arm.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ drivers/firmware/efi/efi.c | 25 +++++++++++++++++++++++++
+ include/linux/efi.h | 8 ++++++++
+ 2 files changed, 33 insertions(+)
+
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -52,6 +52,7 @@ struct efi __read_mostly efi = {
+ .properties_table = EFI_INVALID_TABLE_ADDR,
+ .mem_attr_table = EFI_INVALID_TABLE_ADDR,
+ .rng_seed = EFI_INVALID_TABLE_ADDR,
++ .mem_reserve = EFI_INVALID_TABLE_ADDR,
+ };
+ EXPORT_SYMBOL(efi);
+
+@@ -462,6 +463,7 @@ static __initdata efi_config_table_type_
+ {EFI_PROPERTIES_TABLE_GUID, "PROP", &efi.properties_table},
+ {EFI_MEMORY_ATTRIBUTES_TABLE_GUID, "MEMATTR", &efi.mem_attr_table},
+ {LINUX_EFI_RANDOM_SEED_TABLE_GUID, "RNG", &efi.rng_seed},
++ {LINUX_EFI_MEMRESERVE_TABLE_GUID, "MEMRESERVE", &efi.mem_reserve},
+ {NULL_GUID, NULL, NULL},
+ };
+
+@@ -566,6 +568,29 @@ int __init efi_config_parse_tables(void
+ early_memunmap(tbl, sizeof(*tbl));
+ }
+
++ if (efi.mem_reserve != EFI_INVALID_TABLE_ADDR) {
++ unsigned long prsv = efi.mem_reserve;
++
++ while (prsv) {
++ struct linux_efi_memreserve *rsv;
++
++ /* reserve the entry itself */
++ memblock_reserve(prsv, sizeof(*rsv));
++
++ rsv = early_memremap(prsv, sizeof(*rsv));
++ if (rsv == NULL) {
++ pr_err("Could not map UEFI memreserve entry!\n");
++ return -ENOMEM;
++ }
++
++ if (rsv->size)
++ memblock_reserve(rsv->base, rsv->size);
++
++ prsv = rsv->next;
++ early_memunmap(rsv, sizeof(*rsv));
++ }
++ }
++
+ return 0;
+ }
+
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -622,6 +622,7 @@ void efi_native_runtime_setup(void);
+ #define LINUX_EFI_ARM_SCREEN_INFO_TABLE_GUID EFI_GUID(0xe03fc20a, 0x85dc, 0x406e, 0xb9, 0x0e, 0x4a, 0xb5, 0x02, 0x37, 0x1d, 0x95)
+ #define LINUX_EFI_LOADER_ENTRY_GUID EFI_GUID(0x4a67b082, 0x0a4c, 0x41cf, 0xb6, 0xc7, 0x44, 0x0b, 0x29, 0xbb, 0x8c, 0x4f)
+ #define LINUX_EFI_RANDOM_SEED_TABLE_GUID EFI_GUID(0x1ce1e5bc, 0x7ceb, 0x42f2, 0x81, 0xe5, 0x8a, 0xad, 0xf1, 0x80, 0xf5, 0x7b)
++#define LINUX_EFI_MEMRESERVE_TABLE_GUID EFI_GUID(0x888eb0c6, 0x8ede, 0x4ff5, 0xa8, 0xf0, 0x9a, 0xee, 0x5c, 0xb9, 0x77, 0xc2)
+
+ typedef struct {
+ efi_guid_t guid;
+@@ -896,6 +897,7 @@ extern struct efi {
+ unsigned long properties_table; /* properties table */
+ unsigned long mem_attr_table; /* memory attributes table */
+ unsigned long rng_seed; /* UEFI firmware random seed */
++ unsigned long mem_reserve; /* Linux EFI memreserve table */
+ efi_get_time_t *get_time;
+ efi_set_time_t *set_time;
+ efi_get_wakeup_time_t *get_wakeup_time;
+@@ -1579,4 +1581,10 @@ struct linux_efi_random_seed {
+ u8 bits[];
+ };
+
++struct linux_efi_memreserve {
++ phys_addr_t next;
++ phys_addr_t base;
++ phys_addr_t size;
++};
++
+ #endif /* _LINUX_EFI_H */
diff --git a/patches.drivers/ACPI-fix-menuconfig-presentation-of-ACPI-submenu.patch b/patches.drivers/ACPI-fix-menuconfig-presentation-of-ACPI-submenu.patch
new file mode 100644
index 0000000000..40a12351c1
--- /dev/null
+++ b/patches.drivers/ACPI-fix-menuconfig-presentation-of-ACPI-submenu.patch
@@ -0,0 +1,51 @@
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 21 Aug 2018 22:37:33 +0200
+Subject: ACPI: fix menuconfig presentation of ACPI submenu
+Git-commit: f5d707ede37a962bc3cb9b3f8531a870dae29e46
+Patch-mainline: v4.19-rc1
+References: bsc#1117158 bsc#1134671
+
+My fix for a recursive Kconfig dependency caused another issue where the
+ACPI specific options end up in the top-level menu in 'menuconfig'. This
+was an unintended side-effect of having a silent option between
+'menuconfig ACPI' and 'if ACPI'.
+
+Moving the ARCH_SUPPORTS_ACPI symbol ahead of the ACPI menu solves that
+problem and restores the previous presentation.
+
+Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Fixes: 2c870e61132c (arm64: fix ACPI dependencies)
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ drivers/acpi/Kconfig | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/acpi/Kconfig b/drivers/acpi/Kconfig
+index 4a46344bf0e3..dd1eea90f67f 100644
+--- a/drivers/acpi/Kconfig
++++ b/drivers/acpi/Kconfig
+@@ -3,6 +3,9 @@
+ # ACPI Configuration
+ #
+
++config ARCH_SUPPORTS_ACPI
++ bool
++
+ menuconfig ACPI
+ bool "ACPI (Advanced Configuration and Power Interface) Support"
+ depends on ARCH_SUPPORTS_ACPI
+@@ -40,9 +43,6 @@ menuconfig ACPI
+ <http://www.acpi.info>
+ <http://www.uefi.org/acpi/specs>
+
+-config ARCH_SUPPORTS_ACPI
+- bool
+-
+ if ACPI
+
+ config ACPI_LEGACY_TABLES_LOOKUP
+--
+2.21.0
+
diff --git a/patches.drivers/ALSA-hda-realtek-Improve-the-headset-mic-for-Acer-As.patch b/patches.drivers/ALSA-hda-realtek-Improve-the-headset-mic-for-Acer-As.patch
new file mode 100644
index 0000000000..8ccf8c2537
--- /dev/null
+++ b/patches.drivers/ALSA-hda-realtek-Improve-the-headset-mic-for-Acer-As.patch
@@ -0,0 +1,72 @@
+From 9cb40eb184c4220d244a532bd940c6345ad9dbd9 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Wed, 29 May 2019 12:41:38 +0800
+Subject: [PATCH] ALSA: hda/realtek - Improve the headset mic for Acer Aspire laptops
+Git-commit: 9cb40eb184c4220d244a532bd940c6345ad9dbd9
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+We met another Acer Aspire laptop which has the problem on the
+headset-mic, the Pin 0x19 is not set the corret configuration for a
+mic and the pin presence can't be detected too after plugging a
+headset. Kailang suggested that we should set the coeff to enable the
+mic and apply the ALC269_FIXUP_LIFEBOOK_EXTMIC. After doing that,
+both headset-mic presence and headset-mic work well.
+
+The existing ALC255_FIXUP_ACER_MIC_NO_PRESENCE set the headset-mic
+jack to be a phantom jack. Now since the jack can support presence
+unsol event, let us imporve it to set the jack to be a normal jack.
+
+https://bugs.launchpad.net/bugs/1821269
+
+Fixes: 5824ce8de7b1c ("ALSA: hda/realtek - Add support for Acer Aspire E5-475 headset mic")
+Cc: Chris Chiu <chiu@endlessm.com>
+Cc: Daniel Drake <drake@endlessm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/patch_realtek.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index f1bac03e954b..18cb48054e54 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6223,13 +6223,15 @@ static const struct hda_fixup alc269_fixups[] = {
+ .chain_id = ALC269_FIXUP_THINKPAD_ACPI,
+ },
+ [ALC255_FIXUP_ACER_MIC_NO_PRESENCE] = {
+- .type = HDA_FIXUP_PINS,
+- .v.pins = (const struct hda_pintbl[]) {
+- { 0x19, 0x01a1913c }, /* use as headset mic, without its own jack detect */
+- { }
++ .type = HDA_FIXUP_VERBS,
++ .v.verbs = (const struct hda_verb[]) {
++ /* Enable the Mic */
++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x45 },
++ { 0x20, AC_VERB_SET_PROC_COEF, 0x5089 },
++ {}
+ },
+ .chained = true,
+- .chain_id = ALC255_FIXUP_HEADSET_MODE
++ .chain_id = ALC269_FIXUP_LIFEBOOK_EXTMIC
+ },
+ [ALC255_FIXUP_ASUS_MIC_NO_PRESENCE] = {
+ .type = HDA_FIXUP_PINS,
+@@ -7273,6 +7275,10 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
+ {0x18, 0x02a11030},
+ {0x19, 0x0181303F},
+ {0x21, 0x0221102f}),
++ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1025, "Acer", ALC255_FIXUP_ACER_MIC_NO_PRESENCE,
++ {0x12, 0x90a60140},
++ {0x14, 0x90170120},
++ {0x21, 0x02211030}),
+ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1025, "Acer", ALC255_FIXUP_ACER_MIC_NO_PRESENCE,
+ {0x12, 0x90a601c0},
+ {0x14, 0x90171120},
+--
+2.16.4
+
diff --git a/patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072 b/patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072
index 35b4c452b4..2ca1565c25 100644
--- a/patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072
+++ b/patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072
@@ -1,23 +1,34 @@
-From 5a62f24d17554da9cf1c292aa31329237bd982f1 Mon Sep 17 00:00:00 2001
-From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
-Date: Fri, 9 Dec 2016 07:49:28 -0600
-Subject: [PATCH] ASoC: Intel: Add machine driver for Cherrytrail-CX2072X
+From 3917da94f787e6c907e440653ead0c666a71379e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 21 May 2019 08:26:53 +0200
+Subject: [PATCH] ASoC: Intel: Add machine driver for CX2072X on BYT/CHT
+ platforms
+Git-commit: 3917da94f787e6c907e440653ead0c666a71379e
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
+Patch-mainline: Queued in subsystem maintainer repository
References: bsc#1068546
-Patch-mainline: Submitted, alsa-devel ML
-Machine driver needed for Conexant CX2072X codec.
+This is an implementation of a machine driver needed for Conexant
+CX2072X codec on Intel Baytrail and Cherrytrail platforms. The
+current patch is based on the initial work by Pierre-Louis Bossart and
+the other Intel machine drivers.
-A couple of fixmes related to PLL
-Jack detection needs to be re-added
+The jack detection support (driven via the standard GPIO) was added on
+top of the original work.
-Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Tested with ASUS E200HA laptop.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=115531
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
---
sound/soc/intel/Kconfig | 13 +
+ sound/soc/intel/atom/sst/sst_acpi.c | 4
sound/soc/intel/boards/Makefile | 2
- sound/soc/intel/boards/cht_cx2072x.c | 273 +++++++++++++++++++++++++++++++++++
- 3 files changed, 288 insertions(+)
+ sound/soc/intel/boards/cht_cx2072x.c | 337 +++++++++++++++++++++++++++++++++++
+ 4 files changed, 356 insertions(+)
create mode 100644 sound/soc/intel/boards/cht_cx2072x.c
--- a/sound/soc/intel/Kconfig
@@ -62,7 +73,7 @@ Signed-off-by: Takashi Iwai <tiwai@suse.de>
obj-$(CONFIG_SND_SOC_INTEL_CHT_BSW_MAX98090_TI_MACH) += snd-soc-sst-cht-bsw-max98090_ti.o
--- /dev/null
+++ b/sound/soc/intel/boards/cht_cx2072x.c
-@@ -0,0 +1,273 @@
+@@ -0,0 +1,337 @@
+/*
+ * cht_cx207x.c - ASoc DPCM Machine driver for CherryTrail w/ CX2072x
+ *
@@ -135,10 +146,49 @@ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+ return 0;
+}
+
++static struct snd_soc_jack cht_cx_headset;
++
++/* Headset jack detection DAPM pins */
++static struct snd_soc_jack_pin cht_cx_headset_pins[] = {
++ {
++ .pin = "Headset Mic",
++ .mask = SND_JACK_MICROPHONE,
++ },
++ {
++ .pin = "Headphone",
++ .mask = SND_JACK_HEADPHONE,
++ },
++};
++
++static const struct acpi_gpio_params headset_gpios = { 0, 0, false };
++
++static const struct acpi_gpio_mapping acpi_cht_cx2072x_gpios[] = {
++ { "headset-gpios", &headset_gpios, 1 },
++ {},
++};
++
++static int cht_cx_jack_status_check(void *data)
++{
++ return cx2072x_get_jack_state(data);
++}
++
++static struct snd_soc_jack_gpio cht_cx_gpio = {
++ .name = "headset",
++ .report = SND_JACK_HEADSET | SND_JACK_BTN_0,
++ .debounce_time = 150,
++ .wake = true,
++ .jack_status_check = cht_cx_jack_status_check,
++};
++
+static int cht_codec_init(struct snd_soc_pcm_runtime *rtd)
+{
+ int ret;
+ struct snd_soc_card *card = rtd->card;
++ struct snd_soc_codec *codec = rtd->codec;
++
++ if (devm_acpi_dev_add_driver_gpios(codec->dev,
++ acpi_cht_cx2072x_gpios))
++ dev_warn(rtd->dev, "Unable to add GPIO mapping table\n");
+
+ card->dapm.idle_bias_off = true;
+
@@ -150,6 +200,24 @@ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+ return ret;
+ }
+
++ ret = snd_soc_card_jack_new(card, "Headset",
++ SND_JACK_HEADSET | SND_JACK_BTN_0,
++ &cht_cx_headset,
++ cht_cx_headset_pins,
++ ARRAY_SIZE(cht_cx_headset_pins));
++ if (ret)
++ return ret;
++
++ cht_cx_gpio.gpiod_dev = codec->dev;
++ cht_cx_gpio.data = codec;
++ ret = snd_soc_jack_add_gpios(&cht_cx_headset, 1, &cht_cx_gpio);
++ if (ret) {
++ dev_err(rtd->dev, "Adding jack GPIO failed\n");
++ return ret;
++ }
++
++ cx2072x_enable_detect(codec);
++
+ return ret;
+}
+
@@ -324,11 +392,18 @@ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+ return devm_snd_soc_register_card(&pdev->dev, &chtcx2072x_card);
+}
+
++static int snd_cht_mc_remove(struct platform_device *pdev)
++{
++ snd_soc_jack_free_gpios(&cht_cx_headset, 1, &cht_cx_gpio);
++ return 0;
++}
++
+static struct platform_driver snd_cht_mc_driver = {
+ .driver = {
+ .name = "cht-cx2072x",
+ },
+ .probe = snd_cht_mc_probe,
++ .remove = snd_cht_mc_remove,
+};
+module_platform_driver(snd_cht_mc_driver);
+
@@ -336,3 +411,23 @@ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+MODULE_AUTHOR("Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>");
+MODULE_LICENSE("GPL v2");
+MODULE_ALIAS("platform:cht-cx2072x");
+--- a/sound/soc/intel/atom/sst/sst_acpi.c
++++ b/sound/soc/intel/atom/sst/sst_acpi.c
+@@ -503,6 +503,8 @@ static struct sst_acpi_mach sst_acpi_byt
+ &byt_rvp_platform_data },
+ {"10EC5648", "cht-bsw-rt5645", "intel/fw_sst_0f28.bin", "cht-bsw", NULL,
+ &byt_rvp_platform_data },
++ {"14F10720", "cht-cx2072x", "intel/fw_sst_0f28.bin", "cht-bsw", NULL,
++ &byt_rvp_platform_data },
+ #if IS_ENABLED(CONFIG_SND_SOC_INTEL_BYT_CHT_NOCODEC_MACH)
+ /*
+ * This is always last in the table so that it is selected only when
+@@ -541,6 +543,8 @@ static struct sst_acpi_mach sst_acpi_chv
+ /* some CHT-T platforms rely on RT5651, use Baytrail machine driver */
+ {"10EC5651", "bytcr_rt5651", "intel/fw_sst_22a8.bin", "bytcr_rt5651", NULL,
+ &chv_platform_data },
++ {"14F10720", "cht-cx2072x", "intel/fw_sst_22a8.bin", "cht-bsw", NULL,
++ &chv_platform_data },
+ #if IS_ENABLED(CONFIG_SND_SOC_INTEL_BYT_CHT_NOCODEC_MACH)
+ /*
+ * This is always last in the table so that it is selected only when
diff --git a/patches.drivers/ASoC-Intel-add-support-for-CX2072x-machine-driver b/patches.drivers/ASoC-Intel-add-support-for-CX2072x-machine-driver
deleted file mode 100644
index 0b5c9c493e..0000000000
--- a/patches.drivers/ASoC-Intel-add-support-for-CX2072x-machine-driver
+++ /dev/null
@@ -1,36 +0,0 @@
-From f6737dd82168f5a378fd035882b8ec67b3f7dba8 Mon Sep 17 00:00:00 2001
-From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
-Date: Fri, 9 Dec 2016 09:10:39 -0600
-Subject: [PATCH] ASoC: Intel: add support for CX2072x machine driver
-References: bsc#1068546
-Patch-mainline: Submitted, alsa-devel ML
-
-Add ACPI reference to load machine driver
-
-Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
----
- sound/soc/intel/atom/sst/sst_acpi.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/sound/soc/intel/atom/sst/sst_acpi.c
-+++ b/sound/soc/intel/atom/sst/sst_acpi.c
-@@ -503,6 +503,8 @@ static struct sst_acpi_mach sst_acpi_byt
- &byt_rvp_platform_data },
- {"10EC5648", "cht-bsw-rt5645", "intel/fw_sst_0f28.bin", "cht-bsw", NULL,
- &byt_rvp_platform_data },
-+ {"14F10720", "cht-cx2072x", "intel/fw_sst_0f28.bin", "cht-bsw", NULL,
-+ &byt_rvp_platform_data },
- #if IS_ENABLED(CONFIG_SND_SOC_INTEL_BYT_CHT_NOCODEC_MACH)
- /*
- * This is always last in the table so that it is selected only when
-@@ -541,6 +543,8 @@ static struct sst_acpi_mach sst_acpi_chv
- /* some CHT-T platforms rely on RT5651, use Baytrail machine driver */
- {"10EC5651", "bytcr_rt5651", "intel/fw_sst_22a8.bin", "bytcr_rt5651", NULL,
- &chv_platform_data },
-+ {"14F10720", "cht-cx2072x", "intel/fw_sst_22a8.bin", "cht-bsw", NULL,
-+ &chv_platform_data },
- #if IS_ENABLED(CONFIG_SND_SOC_INTEL_BYT_CHT_NOCODEC_MACH)
- /*
- * This is always last in the table so that it is selected only when
diff --git a/patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC b/patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC
index 4908964b43..84a7521746 100644
--- a/patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC
+++ b/patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC
@@ -1,9 +1,11 @@
-From e376dc97ffd2dbbc40174b08818cec8d6b6b30aa Mon Sep 17 00:00:00 2001
+From a497a4363706b3eb208c64e66e5b485bb3b186ac Mon Sep 17 00:00:00 2001
From: Simon Ho <simon.ho@conexant.com>
-Date: Wed, 5 Apr 2017 17:07:14 +0800
-Subject: [PATCH] ASoC: add support for Conexant CX2072X CODEC
+Date: Tue, 21 May 2019 08:26:52 +0200
+Subject: [PATCH] ASoC: Add support for Conexant CX2072X CODEC
+Git-commit: a497a4363706b3eb208c64e66e5b485bb3b186ac
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git
+Patch-mainline: Queued in subsystem maintainer repository
References: bsc#1068546
-Patch-mainline: Submitted, alsa-devel ML
Initial commit of the Conexant CX2072X CODEC driver. Some features are
not present.
@@ -29,21 +31,55 @@ Featues of CX2072X codec:
-TDM stream supports up to 4 channels.
* AEC loopback support.
-[Fixed by tiwai:
- * missing declarations of jack detection helpers
- * missing DAPM entry definitions
- * missing power hooks
- * Workaround for the jack detection during cache-only]
+Further fixes by tiwai:
+ * Rebase to 5.2+
+ * Missing DAPM entry definitions
+ * Missing power hooks
+ * Fix uninitialized variable warning
+ * Rewrite jack detection stuff to use set_jack callback
+ * Plumbing jack detection code for Intel ASoC
+ * Move clk management into runtime PM
+ * Drop incorrect regcache usages
+ * Drop untested stuff: OF table, EQ/DRC handling
+ * Lots of code cleanups and minor refactoring
+The OF code was dropped due to the lack of testability.
+It should be easy to re-add once if someone can test it.
+
+v1->v2: No change
+v2->v3: Move register tables to appropriate place
+ Remove some confusing codes
+ Set snd_ctl_boolean_* helpers directly
+ Fix EQ put callback
+ Rename to "DAC1 Switch" from "DAC1 Mute Switch"
+ Drop superfluous regmap calls at shutdown
+ Avoid regmap_register_patch()
+ Add missing register definitions
+ Fix register access on big-endian machine
+ Remove regcache messes
+v3->v4: Fix the wrong endianess conversion in reg write
+ Minor code cleanups
+v4->v5: Move clk management to runtime PM
+ Sparse warning fixes
+ Some more code simplification
+ Drop tricky regcache fiddling
+ Apply mutex locks around possible racy sequences
+ Move exported jack detection stuff into set_jack callback
+v5->v6: Drop buggy&untested EQ and DRC codes
+ Lots of code reduction/cleanup
+ Add more comments about platform-specific stuff
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=115531
Signed-off-by: Simon Ho <simon.ho@conexant.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
---
sound/soc/codecs/Kconfig | 5
sound/soc/codecs/Makefile | 2
- sound/soc/codecs/cx2072x.c | 2266 +++++++++++++++++++++++++++++++++++++++++++++
+ sound/soc/codecs/cx2072x.c | 2254 +++++++++++++++++++++++++++++++++++++++++++++
sound/soc/codecs/cx2072x.h | 320 ++++++
- 4 files changed, 2593 insertions(+)
+ 4 files changed, 2581 insertions(+)
create mode 100644 sound/soc/codecs/cx2072x.c
create mode 100644 sound/soc/codecs/cx2072x.h
@@ -88,7 +124,7 @@ Signed-off-by: Takashi Iwai <tiwai@suse.de>
obj-$(CONFIG_SND_SOC_DA7218) += snd-soc-da7218.o
--- /dev/null
+++ b/sound/soc/codecs/cx2072x.c
-@@ -0,0 +1,2266 @@
+@@ -0,0 +1,2254 @@
+/*
+ * ALSA SoC CX20721/CX20723 codec driver
+ *
@@ -108,13 +144,10 @@ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+#include <linux/delay.h>
+#include <linux/pm.h>
+#include <linux/platform_device.h>
-+#include <linux/of_gpio.h>
+#include <linux/gpio.h>
+#include <linux/slab.h>
+#include <linux/i2c.h>
-+#include <linux/firmware.h>
+#include <linux/regmap.h>
-+#include <linux/proc_fs.h>
+#include <linux/interrupt.h>
+#include <linux/irq.h>
+#include <linux/clk.h>
@@ -2323,14 +2356,6 @@ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+};
+MODULE_DEVICE_TABLE(i2c, cx2072x_i2c_id);
+
-+static const struct of_device_id cx2072x_of_match[] = {
-+ { .compatible = "cnxt,cx20721", },
-+ { .compatible = "cnxt,cx20723", },
-+ { .compatible = "cnxt,cx7601", },
-+ {}
-+};
-+MODULE_DEVICE_TABLE(of, cx2072x_of_match);
-+
+#ifdef CONFIG_ACPI
+static struct acpi_device_id cx2072x_acpi_match[] = {
+ { "14F10720", 0 },
@@ -2345,7 +2370,6 @@ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+ .id_table = cx2072x_i2c_id,
+ .driver = {
+ .name = "cx2072x",
-+ .of_match_table = cx2072x_of_match,
+ .acpi_match_table = ACPI_PTR(cx2072x_acpi_match),
+ },
+};
diff --git a/patches.drivers/ASoC-cx2072x-Add-DT-bingings-documentation-for-CX207 b/patches.drivers/ASoC-cx2072x-Add-DT-bingings-documentation-for-CX207
deleted file mode 100644
index ca10c65ae4..0000000000
--- a/patches.drivers/ASoC-cx2072x-Add-DT-bingings-documentation-for-CX207
+++ /dev/null
@@ -1,57 +0,0 @@
-From a1cf13479084b988fa9ef536b8256d9908fc6e30 Mon Sep 17 00:00:00 2001
-From: Simon Ho <simon.ho@conexant.com>
-Date: Wed, 5 Apr 2017 17:07:13 +0800
-Subject: [PATCH] ASoC: cx2072x: Add DT bingings documentation for CX2072X
- CODEC
-References: bsc#1068546
-Patch-mainline: Submitted, alsa-devel ML
-
-Initial version of CX2072X device tree bindings document.
-
-Signed-off-by: Simon Ho <simon.ho@conexant.com>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
----
- Documentation/devicetree/bindings/sound/cx2072x.txt | 36 ++++++++++++++++++++
- 1 file changed, 36 insertions(+)
- create mode 100644 Documentation/devicetree/bindings/sound/cx2072x.txt
-
---- /dev/null
-+++ b/Documentation/devicetree/bindings/sound/cx2072x.txt
-@@ -0,0 +1,36 @@
-+Conexant CX20721/CX20723/CX7601 audio CODEC
-+
-+The devices support I2C only.
-+
-+Required properties:
-+
-+ - compatible : One of "cnxt,cx20721", "cnxt,cx20723", "cnxt,cx7601".
-+
-+ - reg : the I2C address of the device for I2C, it should be <0x33>
-+
-+Optional properties:
-+
-+ - clocks : phandle and clock specifier for codec MCLK.
-+ - clock-names : Clock name string for 'clocks' attribute, should be "mclk".
-+
-+CODEC output pins:
-+ "PORTA" - Headphone
-+ "PORTG" - Class-D output
-+ "PORTE" - Line out
-+
-+CODEC output pins for Conexant DSP chip:
-+ "AEC REF" - AEC reference signal
-+
-+CODEC input pins:
-+ "PORTB" - Analog mic
-+ "PORTC" - Digital mic
-+ "PORTD" - Headset mic
-+
-+Example:
-+
-+codec: cx20721@33 {
-+ compatible = "cnxt,cx20721";
-+ reg = <0x33>;
-+ clocks = <&sco>;
-+ clock-names = "mclk";
-+};
diff --git a/patches.drivers/ASoC-intel-Add-headset-jack-support-to-cht-cx2072x b/patches.drivers/ASoC-intel-Add-headset-jack-support-to-cht-cx2072x
deleted file mode 100644
index a35989a676..0000000000
--- a/patches.drivers/ASoC-intel-Add-headset-jack-support-to-cht-cx2072x
+++ /dev/null
@@ -1,111 +0,0 @@
-From 8f5df7e07f68efe5ee5da4b95f6596138e3ff736 Mon Sep 17 00:00:00 2001
-From: Takashi Iwai <tiwai@suse.de>
-Date: Tue, 11 Apr 2017 15:51:02 +0200
-Subject: [PATCH] ASoC: intel: Add headset jack support to cht-cx2072x
-References: bsc#1068546
-Patch-mainline: Submitted, alsa-devel ML
-
-This patch adds plumbing up the jack detection via the standard gpio.
-
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
----
- sound/soc/intel/boards/cht_cx2072x.c | 64 +++++++++++++++++++++++++++++++++++
- 1 file changed, 64 insertions(+)
-
---- a/sound/soc/intel/boards/cht_cx2072x.c
-+++ b/sound/soc/intel/boards/cht_cx2072x.c
-@@ -70,10 +70,49 @@ static int cht_aif1_hw_params(struct snd
- return 0;
- }
-
-+static struct snd_soc_jack cht_cx_headset;
-+
-+/* Headset jack detection DAPM pins */
-+static struct snd_soc_jack_pin cht_cx_headset_pins[] = {
-+ {
-+ .pin = "Headset Mic",
-+ .mask = SND_JACK_MICROPHONE,
-+ },
-+ {
-+ .pin = "Headphone",
-+ .mask = SND_JACK_HEADPHONE,
-+ },
-+};
-+
-+static const struct acpi_gpio_params headset_gpios = { 0, 0, false };
-+
-+static const struct acpi_gpio_mapping acpi_cht_cx2072x_gpios[] = {
-+ { "headset-gpios", &headset_gpios, 1 },
-+ {},
-+};
-+
-+static int cht_cx_jack_status_check(void *data)
-+{
-+ return cx2072x_get_jack_state(data);
-+}
-+
-+static struct snd_soc_jack_gpio cht_cx_gpio = {
-+ .name = "headset",
-+ .report = SND_JACK_HEADSET | SND_JACK_BTN_0,
-+ .debounce_time = 150,
-+ .wake = true,
-+ .jack_status_check = cht_cx_jack_status_check,
-+};
-+
- static int cht_codec_init(struct snd_soc_pcm_runtime *rtd)
- {
- int ret;
- struct snd_soc_card *card = rtd->card;
-+ struct snd_soc_codec *codec = rtd->codec;
-+
-+ if (devm_acpi_dev_add_driver_gpios(codec->dev,
-+ acpi_cht_cx2072x_gpios))
-+ dev_warn(rtd->dev, "Unable to add GPIO mapping table\n");
-
- card->dapm.idle_bias_off = true;
-
-@@ -85,6 +124,24 @@ static int cht_codec_init(struct snd_soc
- return ret;
- }
-
-+ ret = snd_soc_card_jack_new(card, "Headset",
-+ SND_JACK_HEADSET | SND_JACK_BTN_0,
-+ &cht_cx_headset,
-+ cht_cx_headset_pins,
-+ ARRAY_SIZE(cht_cx_headset_pins));
-+ if (ret)
-+ return ret;
-+
-+ cht_cx_gpio.gpiod_dev = codec->dev;
-+ cht_cx_gpio.data = codec;
-+ ret = snd_soc_jack_add_gpios(&cht_cx_headset, 1, &cht_cx_gpio);
-+ if (ret) {
-+ dev_err(rtd->dev, "Adding jack GPIO failed\n");
-+ return ret;
-+ }
-+
-+ cx2072x_enable_detect(codec);
-+
- return ret;
- }
-
-@@ -259,11 +316,18 @@ static int snd_cht_mc_probe(struct platf
- return devm_snd_soc_register_card(&pdev->dev, &chtcx2072x_card);
- }
-
-+static int snd_cht_mc_remove(struct platform_device *pdev)
-+{
-+ snd_soc_jack_free_gpios(&cht_cx_headset, 1, &cht_cx_gpio);
-+ return 0;
-+}
-+
- static struct platform_driver snd_cht_mc_driver = {
- .driver = {
- .name = "cht-cx2072x",
- },
- .probe = snd_cht_mc_probe,
-+ .remove = snd_cht_mc_remove,
- };
- module_platform_driver(snd_cht_mc_driver);
-
diff --git a/patches.drivers/arm64-acpi-fix-alignment-fault-in-accessing-ACPI.patch b/patches.drivers/arm64-acpi-fix-alignment-fault-in-accessing-ACPI.patch
new file mode 100644
index 0000000000..357a3cd3f9
--- /dev/null
+++ b/patches.drivers/arm64-acpi-fix-alignment-fault-in-accessing-ACPI.patch
@@ -0,0 +1,173 @@
+From: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Date: Mon, 23 Jul 2018 10:57:32 +0900
+Subject: arm64: acpi: fix alignment fault in accessing ACPI
+Git-commit: 09ffcb0d718a0b100f0bed029b830987ecf53fab
+Patch-mainline: v4.19-rc1
+References: bsc#1117158 bsc#1134671
+
+This is a fix against the issue that crash dump kernel may hang up
+during booting, which can happen on any ACPI-based system with "ACPI
+Reclaim Memory."
+
+(kernel messages after panic kicked off kdump)
+ (snip...)
+ Bye!
+ (snip...)
+ ACPI: Core revision 20170728
+ pud=000000002e7d0003, *pmd=000000002e7c0003, *pte=00e8000039710707
+ Internal error: Oops: 96000021 [#1] SMP
+ Modules linked in:
+ CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.14.0-rc6 #1
+ task: ffff000008d05180 task.stack: ffff000008cc0000
+ PC is at acpi_ns_lookup+0x25c/0x3c0
+ LR is at acpi_ds_load1_begin_op+0xa4/0x294
+ (snip...)
+ Process swapper/0 (pid: 0, stack limit = 0xffff000008cc0000)
+ Call trace:
+ (snip...)
+ [<ffff0000084a6764>] acpi_ns_lookup+0x25c/0x3c0
+ [<ffff00000849b4f8>] acpi_ds_load1_begin_op+0xa4/0x294
+ [<ffff0000084ad4ac>] acpi_ps_build_named_op+0xc4/0x198
+ [<ffff0000084ad6cc>] acpi_ps_create_op+0x14c/0x270
+ [<ffff0000084acfa8>] acpi_ps_parse_loop+0x188/0x5c8
+ [<ffff0000084ae048>] acpi_ps_parse_aml+0xb0/0x2b8
+ [<ffff0000084a8e10>] acpi_ns_one_complete_parse+0x144/0x184
+ [<ffff0000084a8e98>] acpi_ns_parse_table+0x48/0x68
+ [<ffff0000084a82cc>] acpi_ns_load_table+0x4c/0xdc
+ [<ffff0000084b32f8>] acpi_tb_load_namespace+0xe4/0x264
+ [<ffff000008baf9b4>] acpi_load_tables+0x48/0xc0
+ [<ffff000008badc20>] acpi_early_init+0x9c/0xd0
+ [<ffff000008b70d50>] start_kernel+0x3b4/0x43c
+ Code: b9008fb9 2a000318 36380054 32190318 (b94002c0)
+ ---[ end trace c46ed37f9651c58e ]---
+ Kernel panic - not syncing: Fatal exception
+ Rebooting in 10 seconds..
+
+(diagnosis)
+* This fault is a data abort, alignment fault (ESR=0x96000021)
+ during reading out ACPI table.
+* Initial ACPI tables are normally stored in system ram and marked as
+ "ACPI Reclaim memory" by the firmware.
+* After the commit f56ab9a5b73c ("efi/arm: Don't mark ACPI reclaim
+ memory as MEMBLOCK_NOMAP"), those regions are differently handled
+ as they are "memblock-reserved", without NOMAP bit.
+* So they are now excluded from device tree's "usable-memory-range"
+ which kexec-tools determines based on a current view of /proc/iomem.
+* When crash dump kernel boots up, it tries to accesses ACPI tables by
+ mapping them with ioremap(), not ioremap_cache(), in acpi_os_ioremap()
+ since they are no longer part of mapped system ram.
+* Given that ACPI accessor/helper functions are compiled in without
+ unaligned access support (ACPI_MISALIGNMENT_NOT_SUPPORTED),
+ any unaligned access to ACPI tables can cause a fatal panic.
+
+With this patch, acpi_os_ioremap() always honors memory attribute
+information provided by the firmware (EFI) and retaining cacheability
+allows the kernel safe access to ACPI tables.
+
+Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Reviewed-by: James Morse <james.morse@arm.com>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reported-by and Tested-by: Bhupesh Sharma <bhsharma@redhat.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ arch/arm64/include/asm/acpi.h | 23 ++++++++++++++++-------
+ arch/arm64/kernel/acpi.c | 11 +++--------
+ 2 files changed, 19 insertions(+), 15 deletions(-)
+
+--- a/arch/arm64/include/asm/acpi.h
++++ b/arch/arm64/include/asm/acpi.h
+@@ -12,10 +12,12 @@
+ #ifndef _ASM_ACPI_H
+ #define _ASM_ACPI_H
+
++#include <linux/efi.h>
+ #include <linux/memblock.h>
+ #include <linux/psci.h>
+
+ #include <asm/cputype.h>
++#include <asm/io.h>
+ #include <asm/smp_plat.h>
+ #include <asm/tlbflush.h>
+
+@@ -29,18 +31,22 @@
+
+ /* Basic configuration for ACPI */
+ #ifdef CONFIG_ACPI
++pgprot_t __acpi_get_mem_attribute(phys_addr_t addr);
++
+ /* ACPI table mapping after acpi_permanent_mmap is set */
+ static inline void __iomem *acpi_os_ioremap(acpi_physical_address phys,
+ acpi_size size)
+ {
++ /* For normal memory we already have a cacheable mapping. */
++ if (memblock_is_map_memory(phys))
++ return (void __iomem *)__phys_to_virt(phys);
++
+ /*
+- * EFI's reserve_regions() call adds memory with the WB attribute
+- * to memblock via early_init_dt_add_memory_arch().
++ * We should still honor the memory's attribute here because
++ * crash dump kernel possibly excludes some ACPI (reclaim)
++ * regions from memblock list.
+ */
+- if (!memblock_is_memory(phys))
+- return ioremap(phys, size);
+-
+- return ioremap_cache(phys, size);
++ return __ioremap(phys, size, __acpi_get_mem_attribute(phys));
+ }
+ #define acpi_os_ioremap acpi_os_ioremap
+
+@@ -129,7 +135,10 @@ static inline const char *acpi_get_enabl
+ * for compatibility.
+ */
+ #define acpi_disable_cmcff 1
+-pgprot_t arch_apei_get_mem_attribute(phys_addr_t addr);
++static inline pgprot_t arch_apei_get_mem_attribute(phys_addr_t addr)
++{
++ return __acpi_get_mem_attribute(addr);
++}
+
+ /*
+ * Despite its name, this function must still broadcast the TLB
+--- a/arch/arm64/kernel/acpi.c
++++ b/arch/arm64/kernel/acpi.c
+@@ -18,6 +18,7 @@
+ #include <linux/acpi.h>
+ #include <linux/bootmem.h>
+ #include <linux/cpumask.h>
++#include <linux/efi.h>
+ #include <linux/efi-bgrt.h>
+ #include <linux/init.h>
+ #include <linux/irq.h>
+@@ -29,13 +30,9 @@
+
+ #include <asm/cputype.h>
+ #include <asm/cpu_ops.h>
++#include <asm/pgtable.h>
+ #include <asm/smp_plat.h>
+
+-#ifdef CONFIG_ACPI_APEI
+-# include <linux/efi.h>
+-# include <asm/pgtable.h>
+-#endif
+-
+ int acpi_noirq = 1; /* skip ACPI IRQ initialization */
+ int acpi_disabled = 1;
+ EXPORT_SYMBOL(acpi_disabled);
+@@ -239,8 +236,7 @@ done:
+ }
+ }
+
+-#ifdef CONFIG_ACPI_APEI
+-pgprot_t arch_apei_get_mem_attribute(phys_addr_t addr)
++pgprot_t __acpi_get_mem_attribute(phys_addr_t addr)
+ {
+ /*
+ * According to "Table 8 Map: EFI memory types to AArch64 memory
+@@ -261,4 +257,3 @@ pgprot_t arch_apei_get_mem_attribute(phy
+ return __pgprot(PROT_NORMAL_NC);
+ return __pgprot(PROT_DEVICE_nGnRnE);
+ }
+-#endif
diff --git a/patches.drivers/arm64-fix-ACPI-dependencies.patch b/patches.drivers/arm64-fix-ACPI-dependencies.patch
new file mode 100644
index 0000000000..0a32f6c4b0
--- /dev/null
+++ b/patches.drivers/arm64-fix-ACPI-dependencies.patch
@@ -0,0 +1,91 @@
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 24 Jul 2018 11:48:45 +0200
+Subject: arm64: fix ACPI dependencies
+Git-commit: 2c870e61132c082a03769d2ac0a2849ba33c10e3
+Patch-mainline: v4.19-rc1
+References: bsc#1117158 bsc#1134671
+
+Kconfig reports a warning on x86 builds after the ARM64 dependency
+was added.
+
+drivers/acpi/Kconfig:6:error: recursive dependency detected!
+drivers/acpi/Kconfig:6: symbol ACPI depends on EFI
+
+This rephrases the dependency to keep the ARM64 details out of the
+shared Kconfig file, so Kconfig no longer gets confused by it.
+
+For consistency, all three architectures that support ACPI now
+select ARCH_SUPPORTS_ACPI in exactly the configuration in which
+they allow it. We still need the 'default x86', as each one
+wants a different default: default-y on x86, default-n on arm64,
+and always-y on ia64.
+
+Fixes: 5bcd44083a08 ("drivers: acpi: add dependency of EFI for arm64")
+Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ arch/arm64/Kconfig | 1 +
+ arch/ia64/Kconfig | 1 +
+ arch/x86/Kconfig | 1 +
+ drivers/acpi/Kconfig | 8 +++++---
+ 4 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1151,6 +1151,7 @@ config EFI_STUB
+ config EFI
+ bool "UEFI runtime support"
+ depends on OF && !CPU_BIG_ENDIAN
++ select ARCH_SUPPORTS_ACPI
+ select LIBFDT
+ select UCS2_STRING
+ select EFI_PARAMS_FROM_FDT
+--- a/arch/ia64/Kconfig
++++ b/arch/ia64/Kconfig
+@@ -15,6 +15,7 @@ config IA64
+ select ARCH_MIGHT_HAVE_PC_SERIO
+ select PCI if (!IA64_HP_SIM)
+ select ACPI if (!IA64_HP_SIM)
++ select ARCH_SUPPORTS_ACPI if (!IA64_HP_SIM)
+ select ACPI_SYSTEM_POWER_STATES_SUPPORT if ACPI
+ select ARCH_MIGHT_HAVE_ACPI_PDC if ACPI
+ select HAVE_UNSTABLE_SCHED_CLOCK
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -64,6 +64,7 @@ config X86
+ select ARCH_MIGHT_HAVE_ACPI_PDC if ACPI
+ select ARCH_MIGHT_HAVE_PC_PARPORT
+ select ARCH_MIGHT_HAVE_PC_SERIO
++ select ARCH_SUPPORTS_ACPI
+ select ARCH_SUPPORTS_ATOMIC_RMW
+ select ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT
+ select ARCH_SUPPORTS_NUMA_BALANCING if X86_64
+--- a/drivers/acpi/Kconfig
++++ b/drivers/acpi/Kconfig
+@@ -4,11 +4,10 @@
+
+ menuconfig ACPI
+ bool "ACPI (Advanced Configuration and Power Interface) Support"
+- depends on !IA64_HP_SIM
+- depends on IA64 || X86 || (ARM64 && EFI)
++ depends on ARCH_SUPPORTS_ACPI
+ depends on PCI
+ select PNP
+- default y if (IA64 || X86)
++ default y if X86
+ help
+ Advanced Configuration and Power Interface (ACPI) support for
+ Linux requires an ACPI-compliant platform (hardware/firmware),
+@@ -40,6 +39,9 @@ menuconfig ACPI
+ <http://www.acpi.info>
+ <http://www.uefi.org/acpi/specs>
+
++config ARCH_SUPPORTS_ACPI
++ bool
++
+ if ACPI
+
+ config ACPI_LEGACY_TABLES_LOOKUP
diff --git a/patches.drivers/arm64-mm-efi-Account-for-GICv3-LPI-tables-in-static-.patch b/patches.drivers/arm64-mm-efi-Account-for-GICv3-LPI-tables-in-static-.patch
new file mode 100644
index 0000000000..2c0e1262ea
--- /dev/null
+++ b/patches.drivers/arm64-mm-efi-Account-for-GICv3-LPI-tables-in-static-.patch
@@ -0,0 +1,133 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Fri, 15 Feb 2019 13:33:32 +0100
+Subject: arm64, mm, efi: Account for GICv3 LPI tables in static memblock
+ reserve table
+Git-commit: 8a5b403d71affa098009cc3dff1b2c45113021ad
+Patch-mainline: v5.0-rc7
+References: bsc#1117158 bsc#1134671
+
+In the irqchip and EFI code, we have what basically amounts to a quirk
+to work around a peculiarity in the GICv3 architecture, which permits
+the system memory address of LPI tables to be programmable only once
+after a CPU reset. This means kexec kernels must use the same memory
+as the first kernel, and thus ensure that this memory has not been
+given out for other purposes by the time the ITS init code runs, which
+is not very early for secondary CPUs.
+
+On systems with many CPUs, these reservations could overflow the
+memblock reservation table, and this was addressed in commit:
+
+ eff896288872 ("efi/arm: Defer persistent reservations until after paging_init()")
+
+However, this turns out to have made things worse, since the allocation
+of page tables and heap space for the resized memblock reservation table
+itself may overwrite the regions we are attempting to reserve, which may
+cause all kinds of corruption, also considering that the ITS will still
+be poking bits into that memory in response to incoming MSIs.
+
+So instead, let's grow the static memblock reservation table on such
+systems so it can accommodate these reservations at an earlier time.
+This will permit us to revert the above commit in a subsequent patch.
+
+[ mingo: Minor cleanups. ]
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Acked-by: Mike Rapoport <rppt@linux.ibm.com>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20190215123333.21209-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ arch/arm64/include/asm/memory.h | 11 +++++++++++
+ drivers/firmware/efi/efi.c | 11 ++++++++++-
+ include/linux/memblock.h | 3 ---
+ mm/memblock.c | 11 +++++++++--
+ 4 files changed, 30 insertions(+), 6 deletions(-)
+
+--- a/arch/arm64/include/asm/memory.h
++++ b/arch/arm64/include/asm/memory.h
+@@ -300,6 +300,17 @@ static inline void *phys_to_virt(phys_ad
+ #define virt_addr_valid(kaddr) (_virt_addr_is_linear(kaddr) && \
+ _virt_addr_valid(kaddr))
+
++/*
++ * Given that the GIC architecture permits ITS implementations that can only be
++ * configured with a LPI table address once, GICv3 systems with many CPUs may
++ * end up reserving a lot of different regions after a kexec for their LPI
++ * tables (one per CPU), as we are forced to reuse the same memory after kexec
++ * (and thus reserve it persistently with EFI beforehand)
++ */
++#if defined(CONFIG_EFI) && defined(CONFIG_ARM_GIC_V3_ITS)
++# define INIT_MEMBLOCK_RESERVED_REGIONS (INIT_MEMBLOCK_REGIONS + NR_CPUS + 1)
++#endif
++
+ #include <asm-generic/memory_model.h>
+
+ #endif
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -962,7 +962,16 @@ int __ref efi_mem_reserve_persistent(phy
+ /* first try to find a slot in an existing linked list entry */
+ for (prsv = efi_memreserve_root->next; prsv; prsv = rsv->next) {
+ rsv = __va(prsv);
+- index = atomic_fetch_add_unless(&rsv->count, 1, rsv->size);
++ /* implement atomic_fetch_add_unless for
++ * index = atomic_fetch_add_unless(&rsv->count, 1, rsv->size);
++ */
++ index = atomic_read(&rsv->count);
++
++ do {
++ if (unlikely(index == rsv->size))
++ break;
++ } while (!atomic_try_cmpxchg(&rsv->count, &index, index + 1));
++
+ if (index < rsv->size) {
+ rsv->entry[index].base = addr;
+ rsv->entry[index].size = size;
+--- a/include/linux/memblock.h
++++ b/include/linux/memblock.h
+@@ -17,9 +17,6 @@
+ #include <linux/init.h>
+ #include <linux/mm.h>
+
+-#define INIT_MEMBLOCK_REGIONS 128
+-#define INIT_PHYSMEM_REGIONS 4
+-
+ /* Definition of memblock flags. */
+ enum {
+ MEMBLOCK_NONE = 0x0, /* No special request */
+--- a/mm/memblock.c
++++ b/mm/memblock.c
+@@ -25,8 +25,15 @@
+
+ #include "internal.h"
+
++#define INIT_MEMBLOCK_REGIONS 128
++#define INIT_PHYSMEM_REGIONS 4
++
++#ifndef INIT_MEMBLOCK_RESERVED_REGIONS
++# define INIT_MEMBLOCK_RESERVED_REGIONS INIT_MEMBLOCK_REGIONS
++#endif
++
+ static struct memblock_region memblock_memory_init_regions[INIT_MEMBLOCK_REGIONS] __initdata_memblock;
+-static struct memblock_region memblock_reserved_init_regions[INIT_MEMBLOCK_REGIONS] __initdata_memblock;
++static struct memblock_region memblock_reserved_init_regions[INIT_MEMBLOCK_RESERVED_REGIONS] __initdata_memblock;
+ #ifdef CONFIG_HAVE_MEMBLOCK_PHYS_MAP
+ static struct memblock_region memblock_physmem_init_regions[INIT_PHYSMEM_REGIONS] __initdata_memblock;
+ #endif
+@@ -39,7 +46,7 @@ struct memblock memblock __initdata_memb
+
+ .reserved.regions = memblock_reserved_init_regions,
+ .reserved.cnt = 1, /* empty dummy entry */
+- .reserved.max = INIT_MEMBLOCK_REGIONS,
++ .reserved.max = INIT_MEMBLOCK_RESERVED_REGIONS,
+ .reserved.name = "reserved",
+
+ #ifdef CONFIG_HAVE_MEMBLOCK_PHYS_MAP
diff --git a/patches.drivers/drivers-acpi-add-dependency-of-EFI-for-arm64.patch b/patches.drivers/drivers-acpi-add-dependency-of-EFI-for-arm64.patch
new file mode 100644
index 0000000000..0c804504a6
--- /dev/null
+++ b/patches.drivers/drivers-acpi-add-dependency-of-EFI-for-arm64.patch
@@ -0,0 +1,42 @@
+From: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Date: Mon, 23 Jul 2018 10:57:29 +0900
+Subject: drivers: acpi: add dependency of EFI for arm64
+Git-commit: 5bcd44083a082f314032969cd6db1eb8275ac77a
+Patch-mainline: v4.19-rc1
+References: bsc#1117158 bsc#1134671
+
+As Ard suggested, CONFIG_ACPI && !CONFIG_EFI doesn't make sense on arm64,
+while CONFIG_ACPI and CONFIG_CPU_BIG_ENDIAN doesn't make sense either.
+
+As CONFIG_EFI already has a dependency of !CONFIG_CPU_BIG_ENDIAN, it is
+good enough to add a dependency of CONFIG_EFI to avoid any useless
+combination of configuration.
+
+This bug, reported by Will, will be revealed when my patch series,
+"arm64: kexec,kdump: fix boot failures on acpi-only system," is applied
+and the kernel is built under allmodconfig.
+
+Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ drivers/acpi/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/Kconfig b/drivers/acpi/Kconfig
+index b533eeb6139d..15ab1daaa808 100644
+--- a/drivers/acpi/Kconfig
++++ b/drivers/acpi/Kconfig
+@@ -6,7 +6,7 @@
+ menuconfig ACPI
+ bool "ACPI (Advanced Configuration and Power Interface) Support"
+ depends on !IA64_HP_SIM
+- depends on IA64 || X86 || ARM64
++ depends on IA64 || X86 || (ARM64 && EFI)
+ depends on PCI
+ select PNP
+ default y if (IA64 || X86)
+--
+2.20.1
+
diff --git a/patches.drivers/efi-Permit-calling-efi_mem_reserve_persistent-from-a.patch b/patches.drivers/efi-Permit-calling-efi_mem_reserve_persistent-from-a.patch
new file mode 100644
index 0000000000..d795a34720
--- /dev/null
+++ b/patches.drivers/efi-Permit-calling-efi_mem_reserve_persistent-from-a.patch
@@ -0,0 +1,90 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 14 Nov 2018 09:55:44 -0800
+Subject: efi: Permit calling efi_mem_reserve_persistent() from atomic context
+Git-commit: 63eb322d89c8505af9b4a3d703e85e42281ebaa0
+Patch-mainline: v4.20-rc3
+References: bsc#1117158 bsc#1134671
+
+Currently, efi_mem_reserve_persistent() may not be called from atomic
+context, since both the kmalloc() call and the memremap() call may
+sleep.
+
+The kmalloc() call is easy enough to fix, but the memremap() call
+needs to be moved into an init hook since we cannot control the
+memory allocation behavior of memremap() at the call site.
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20181114175544.12860-6-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ drivers/firmware/efi/efi.c | 31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
+index 72a4da76d274..fad7c62cfc0e 100644
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -967,36 +967,43 @@ bool efi_is_table_address(unsigned long phys_addr)
+ }
+
+ static DEFINE_SPINLOCK(efi_mem_reserve_persistent_lock);
++static struct linux_efi_memreserve *efi_memreserve_root __ro_after_init;
+
+ int efi_mem_reserve_persistent(phys_addr_t addr, u64 size)
+ {
+- struct linux_efi_memreserve *rsv, *parent;
++ struct linux_efi_memreserve *rsv;
+
+- if (efi.mem_reserve == EFI_INVALID_TABLE_ADDR)
++ if (!efi_memreserve_root)
+ return -ENODEV;
+
+- rsv = kmalloc(sizeof(*rsv), GFP_KERNEL);
++ rsv = kmalloc(sizeof(*rsv), GFP_ATOMIC);
+ if (!rsv)
+ return -ENOMEM;
+
+- parent = memremap(efi.mem_reserve, sizeof(*rsv), MEMREMAP_WB);
+- if (!parent) {
+- kfree(rsv);
+- return -ENOMEM;
+- }
+-
+ rsv->base = addr;
+ rsv->size = size;
+
+ spin_lock(&efi_mem_reserve_persistent_lock);
+- rsv->next = parent->next;
+- parent->next = __pa(rsv);
++ rsv->next = efi_memreserve_root->next;
++ efi_memreserve_root->next = __pa(rsv);
+ spin_unlock(&efi_mem_reserve_persistent_lock);
+
+- memunmap(parent);
++ return 0;
++}
+
++static int __init efi_memreserve_root_init(void)
++{
++ if (efi.mem_reserve == EFI_INVALID_TABLE_ADDR)
++ return -ENODEV;
++
++ efi_memreserve_root = memremap(efi.mem_reserve,
++ sizeof(*efi_memreserve_root),
++ MEMREMAP_WB);
++ if (!efi_memreserve_root)
++ return -ENOMEM;
+ return 0;
+ }
++early_initcall(efi_memreserve_root_init);
+
+ #ifdef CONFIG_KEXEC
+ static int update_efi_random_seed(struct notifier_block *nb,
+--
+2.21.0
+
diff --git a/patches.drivers/efi-Permit-multiple-entries-in-persistent-memreserve.patch b/patches.drivers/efi-Permit-multiple-entries-in-persistent-memreserve.patch
new file mode 100644
index 0000000000..7c1fa1dd9c
--- /dev/null
+++ b/patches.drivers/efi-Permit-multiple-entries-in-persistent-memreserve.patch
@@ -0,0 +1,148 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Thu, 29 Nov 2018 18:12:28 +0100
+Subject: efi: Permit multiple entries in persistent memreserve data structure
+Git-commit: 5f0b0ecf043a5319e729c11a53bc8294df12dab3
+Patch-mainline: v5.0-rc1
+References: bsc#1117158 bsc#1134671
+
+In preparation of updating efi_mem_reserve_persistent() to cause less
+fragmentation when dealing with many persistent reservations, update
+the struct definition and the code that handles it currently so it
+can describe an arbitrary number of reservations using a single linked
+list entry. The actual optimization will be implemented in a subsequent
+patch.
+
+Tested-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Arend van Spriel <arend.vanspriel@broadcom.com>
+Cc: Bhupesh Sharma <bhsharma@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Eric Snowberg <eric.snowberg@oracle.com>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Cc: Joe Perches <joe@perches.com>
+Cc: Jon Hunter <jonathanh@nvidia.com>
+Cc: Julien Thierry <julien.thierry@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Nathan Chancellor <natechancellor@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+Cc: Sedat Dilek <sedat.dilek@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: YiFei Zhu <zhuyifei1999@gmail.com>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20181129171230.18699-10-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ drivers/firmware/efi/efi.c | 37 ++++++++++++++++++++++----------
+ drivers/firmware/efi/libstub/arm-stub.c | 2 -
+ include/linux/efi.h | 13 ++++++++---
+ 3 files changed, 37 insertions(+), 15 deletions(-)
+
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -577,21 +577,33 @@ int __init efi_apply_persistent_mem_rese
+
+ while (prsv) {
+ struct linux_efi_memreserve *rsv;
++ u8 *p;
++ int i;
+
+- /* reserve the entry itself */
+- memblock_reserve(prsv, sizeof(*rsv));
+-
+- rsv = early_memremap(prsv, sizeof(*rsv));
+- if (rsv == NULL) {
++ /*
++ * Just map a full page: that is what we will get
++ * anyway, and it permits us to map the entire entry
++ * before knowing its size.
++ */
++ p = early_memremap(ALIGN_DOWN(prsv, PAGE_SIZE),
++ PAGE_SIZE);
++ if (p == NULL) {
+ pr_err("Could not map UEFI memreserve entry!\n");
+ return -ENOMEM;
+ }
+
+- if (rsv->size)
+- memblock_reserve(rsv->base, rsv->size);
++ rsv = (void *)(p + prsv % PAGE_SIZE);
++
++ /* reserve the entry itself */
++ memblock_reserve(prsv, EFI_MEMRESERVE_SIZE(rsv->size));
++
++ for (i = 0; i < atomic_read(&rsv->count); i++) {
++ memblock_reserve(rsv->entry[i].base,
++ rsv->entry[i].size);
++ }
+
+ prsv = rsv->next;
+- early_memunmap(rsv, sizeof(*rsv));
++ early_memunmap(p, PAGE_SIZE);
+ }
+ }
+
+@@ -935,6 +947,7 @@ static int __init efi_memreserve_map_roo
+ int __ref efi_mem_reserve_persistent(phys_addr_t addr, u64 size)
+ {
+ struct linux_efi_memreserve *rsv;
++ int rsvsize = EFI_MEMRESERVE_SIZE(1);
+ int rc;
+
+ if (efi_memreserve_root == (void *)ULONG_MAX)
+@@ -946,12 +959,14 @@ int __ref efi_mem_reserve_persistent(phy
+ return rc;
+ }
+
+- rsv = kmalloc(sizeof(*rsv), GFP_ATOMIC);
++ rsv = kmalloc(rsvsize, GFP_ATOMIC);
+ if (!rsv)
+ return -ENOMEM;
+
+- rsv->base = addr;
+- rsv->size = size;
++ rsv->size = 1;
++ atomic_set(&rsv->count, 1);
++ rsv->entry[0].base = addr;
++ rsv->entry[0].size = size;
+
+ spin_lock(&efi_mem_reserve_persistent_lock);
+ rsv->next = efi_memreserve_root->next;
+--- a/drivers/firmware/efi/libstub/arm-stub.c
++++ b/drivers/firmware/efi/libstub/arm-stub.c
+@@ -111,8 +111,8 @@ void install_memreserve_table(efi_system
+ }
+
+ rsv->next = 0;
+- rsv->base = 0;
+ rsv->size = 0;
++ atomic_set(&rsv->count, 0);
+
+ status = efi_call_early(install_configuration_table,
+ &memreserve_table_guid,
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -1590,9 +1590,16 @@ struct linux_efi_random_seed {
+ };
+
+ struct linux_efi_memreserve {
+- phys_addr_t next;
+- phys_addr_t base;
+- phys_addr_t size;
++ int size; // allocated size of the array
++ atomic_t count; // number of entries used
++ phys_addr_t next; // pa of next struct instance
++ struct {
++ phys_addr_t base;
++ phys_addr_t size;
++ } entry[0];
+ };
+
++#define EFI_MEMRESERVE_SIZE(count) (sizeof(struct linux_efi_memreserve) + \
++ (count) * sizeof(((struct linux_efi_memreserve *)0)->entry[0]))
++
+ #endif /* _LINUX_EFI_H */
diff --git a/patches.drivers/efi-Prevent-GICv3-WARN-by-mapping-the-memreserve-tab.patch b/patches.drivers/efi-Prevent-GICv3-WARN-by-mapping-the-memreserve-tab.patch
new file mode 100644
index 0000000000..d03cea0c63
--- /dev/null
+++ b/patches.drivers/efi-Prevent-GICv3-WARN-by-mapping-the-memreserve-tab.patch
@@ -0,0 +1,97 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Fri, 23 Nov 2018 22:51:32 +0100
+Subject: efi: Prevent GICv3 WARN() by mapping the memreserve table before
+ first use
+Git-commit: 976b489120cdab2b1b3a41ffa14661db43d58190
+Patch-mainline: v4.20-rc5
+References: bsc#1117158 bsc#1134671
+
+Mapping the MEMRESERVE EFI configuration table from an early initcall
+is too late: the GICv3 ITS code that creates persistent reservations
+for the boot CPU's LPI tables is invoked from init_IRQ(), which runs
+much earlier than the handling of the initcalls. This results in a
+WARN() splat because the LPI tables cannot be reserved persistently,
+which will result in silent memory corruption after a kexec reboot.
+
+So instead, invoke the initialization performed by the initcall from
+efi_mem_reserve_persistent() itself as well, but keep the initcall so
+that the init is guaranteed to have been called before SMP boot.
+
+Tested-by: Marc Zyngier <marc.zyngier@arm.com>
+Tested-by: Jan Glauber <jglauber@cavium.com>
+Tested-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Fixes: 63eb322d89c8 ("efi: Permit calling efi_mem_reserve_persistent() ...")
+Link: http://lkml.kernel.org/r/20181123215132.7951-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ drivers/firmware/efi/efi.c | 36 ++++++++++++++++++++++++++----------
+ 1 file changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
+index fad7c62cfc0e..415849bab233 100644
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -969,13 +969,33 @@ bool efi_is_table_address(unsigned long phys_addr)
+ static DEFINE_SPINLOCK(efi_mem_reserve_persistent_lock);
+ static struct linux_efi_memreserve *efi_memreserve_root __ro_after_init;
+
+-int efi_mem_reserve_persistent(phys_addr_t addr, u64 size)
++static int __init efi_memreserve_map_root(void)
++{
++ if (efi.mem_reserve == EFI_INVALID_TABLE_ADDR)
++ return -ENODEV;
++
++ efi_memreserve_root = memremap(efi.mem_reserve,
++ sizeof(*efi_memreserve_root),
++ MEMREMAP_WB);
++ if (WARN_ON_ONCE(!efi_memreserve_root))
++ return -ENOMEM;
++ return 0;
++}
++
++int __ref efi_mem_reserve_persistent(phys_addr_t addr, u64 size)
+ {
+ struct linux_efi_memreserve *rsv;
++ int rc;
+
+- if (!efi_memreserve_root)
++ if (efi_memreserve_root == (void *)ULONG_MAX)
+ return -ENODEV;
+
++ if (!efi_memreserve_root) {
++ rc = efi_memreserve_map_root();
++ if (rc)
++ return rc;
++ }
++
+ rsv = kmalloc(sizeof(*rsv), GFP_ATOMIC);
+ if (!rsv)
+ return -ENOMEM;
+@@ -993,14 +1013,10 @@ int efi_mem_reserve_persistent(phys_addr_t addr, u64 size)
+
+ static int __init efi_memreserve_root_init(void)
+ {
+- if (efi.mem_reserve == EFI_INVALID_TABLE_ADDR)
+- return -ENODEV;
+-
+- efi_memreserve_root = memremap(efi.mem_reserve,
+- sizeof(*efi_memreserve_root),
+- MEMREMAP_WB);
+- if (!efi_memreserve_root)
+- return -ENOMEM;
++ if (efi_memreserve_root)
++ return 0;
++ if (efi_memreserve_map_root())
++ efi_memreserve_root = (void *)ULONG_MAX;
+ return 0;
+ }
+ early_initcall(efi_memreserve_root_init);
+--
+2.21.0
+
diff --git a/patches.drivers/efi-Reduce-the-amount-of-memblock-reservations-for-p.patch b/patches.drivers/efi-Reduce-the-amount-of-memblock-reservations-for-p.patch
new file mode 100644
index 0000000000..b046e77ac6
--- /dev/null
+++ b/patches.drivers/efi-Reduce-the-amount-of-memblock-reservations-for-p.patch
@@ -0,0 +1,112 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Thu, 29 Nov 2018 18:12:29 +0100
+Subject: efi: Reduce the amount of memblock reservations for persistent
+ allocations
+Git-commit: 80424b02d42bb22f8ff8839cb93a84ade53b39c0
+Patch-mainline: v5.0-rc1
+References: bsc#1117158 bsc#1134671
+
+The current implementation of efi_mem_reserve_persistent() is rather
+naive, in the sense that for each invocation, it creates a separate
+linked list entry to describe the reservation. Since the linked list
+entries themselves need to persist across subsequent kexec reboots,
+every reservation created this way results in two memblock_reserve()
+calls at the next boot.
+
+On arm64 systems with 100s of CPUs, this may result in a excessive
+number of memblock reservations, and needless fragmentation.
+
+So instead, make use of the newly updated struct linux_efi_memreserve
+layout to put multiple reservations into a single linked list entry.
+This should get rid of the numerous tiny memblock reservations, and
+effectively cut the total number of reservations in half on arm64
+systems with many CPUs.
+
+ [ mingo: build warning fix. ]
+
+Tested-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Arend van Spriel <arend.vanspriel@broadcom.com>
+Cc: Bhupesh Sharma <bhsharma@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Eric Snowberg <eric.snowberg@oracle.com>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Cc: Joe Perches <joe@perches.com>
+Cc: Jon Hunter <jonathanh@nvidia.com>
+Cc: Julien Thierry <julien.thierry@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Nathan Chancellor <natechancellor@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+Cc: Sedat Dilek <sedat.dilek@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: YiFei Zhu <zhuyifei1999@gmail.com>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20181129171230.18699-11-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ drivers/firmware/efi/efi.c | 21 +++++++++++++++++----
+ include/linux/efi.h | 3 +++
+ 2 files changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
+index 80b11521627a..4c46ff6f2242 100644
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -997,8 +997,8 @@ static int __init efi_memreserve_map_root(void)
+ int __ref efi_mem_reserve_persistent(phys_addr_t addr, u64 size)
+ {
+ struct linux_efi_memreserve *rsv;
+- int rsvsize = EFI_MEMRESERVE_SIZE(1);
+- int rc;
++ unsigned long prsv;
++ int rc, index;
+
+ if (efi_memreserve_root == (void *)ULONG_MAX)
+ return -ENODEV;
+@@ -1009,11 +1009,24 @@ int __ref efi_mem_reserve_persistent(phys_addr_t addr, u64 size)
+ return rc;
+ }
+
+- rsv = kmalloc(rsvsize, GFP_ATOMIC);
++ /* first try to find a slot in an existing linked list entry */
++ for (prsv = efi_memreserve_root->next; prsv; prsv = rsv->next) {
++ rsv = __va(prsv);
++ index = atomic_fetch_add_unless(&rsv->count, 1, rsv->size);
++ if (index < rsv->size) {
++ rsv->entry[index].base = addr;
++ rsv->entry[index].size = size;
++
++ return 0;
++ }
++ }
++
++ /* no slot found - allocate a new linked list entry */
++ rsv = (struct linux_efi_memreserve *)__get_free_page(GFP_ATOMIC);
+ if (!rsv)
+ return -ENOMEM;
+
+- rsv->size = 1;
++ rsv->size = EFI_MEMRESERVE_COUNT(PAGE_SIZE);
+ atomic_set(&rsv->count, 1);
+ rsv->entry[0].base = addr;
+ rsv->entry[0].size = size;
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 4f27640fdcdc..becd5d76a207 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -1724,4 +1724,7 @@ struct linux_efi_memreserve {
+ #define EFI_MEMRESERVE_SIZE(count) (sizeof(struct linux_efi_memreserve) + \
+ (count) * sizeof(((struct linux_efi_memreserve *)0)->entry[0]))
+
++#define EFI_MEMRESERVE_COUNT(size) (((size) - sizeof(struct linux_efi_memreserve)) \
++ / sizeof(((struct linux_efi_memreserve *)0)->entry[0]))
++
+ #endif /* _LINUX_EFI_H */
+--
+2.21.0
+
diff --git a/patches.drivers/efi-arm-Defer-persistent-reservations-until-after-pa.patch b/patches.drivers/efi-arm-Defer-persistent-reservations-until-after-pa.patch
new file mode 100644
index 0000000000..a75515d9d4
--- /dev/null
+++ b/patches.drivers/efi-arm-Defer-persistent-reservations-until-after-pa.patch
@@ -0,0 +1,101 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 14 Nov 2018 09:55:43 -0800
+Subject: efi/arm: Defer persistent reservations until after paging_init()
+Git-commit: eff896288872d687d9662000ec9ae11b6d61766f
+Patch-mainline: v4.20-rc3
+References: bsc#1117158 bsc#1134671
+
+The new memory EFI reservation feature we introduced to allow memory
+reservations to persist across kexec may trigger an unbounded number
+of calls to memblock_reserve(). The memblock subsystem can deal with
+this fine, but not before memblock resizing is enabled, which we can
+only do after paging_init(), when the memory we reallocate the array
+into is actually mapped.
+
+So break out the memreserve table processing into a separate routine
+and call it after paging_init() on arm64. On ARM, because of limited
+reviewing bandwidth of the maintainer, we cannot currently fix this,
+so instead, disable the EFI persistent memreserve entirely on ARM so
+we can fix it later.
+
+Tested-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20181114175544.12860-5-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ arch/arm64/kernel/setup.c | 1 +
+ drivers/firmware/efi/efi.c | 4 ++++
+ drivers/firmware/efi/libstub/arm-stub.c | 3 +++
+ include/linux/efi.h | 7 +++++++
+ 4 files changed, 15 insertions(+)
+
+--- a/arch/arm64/kernel/setup.c
++++ b/arch/arm64/kernel/setup.c
+@@ -313,6 +313,7 @@ void __init setup_arch(char **cmdline_p)
+ arm64_memblock_init();
+
+ paging_init();
++ efi_apply_persistent_mem_reservations();
+
+ acpi_table_upgrade();
+
+diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
+index 249eb70691b0..72a4da76d274 100644
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -592,7 +592,11 @@ int __init efi_config_parse_tables(void *config_tables, int count, int sz,
+
+ early_memunmap(tbl, sizeof(*tbl));
+ }
++ return 0;
++}
+
++int __init efi_apply_persistent_mem_reservations(void)
++{
+ if (efi.mem_reserve != EFI_INVALID_TABLE_ADDR) {
+ unsigned long prsv = efi.mem_reserve;
+
+diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c
+index 30ac0c975f8a..3d36142cf812 100644
+--- a/drivers/firmware/efi/libstub/arm-stub.c
++++ b/drivers/firmware/efi/libstub/arm-stub.c
+@@ -75,6 +75,9 @@ void install_memreserve_table(efi_system_table_t *sys_table_arg)
+ efi_guid_t memreserve_table_guid = LINUX_EFI_MEMRESERVE_TABLE_GUID;
+ efi_status_t status;
+
++ if (IS_ENABLED(CONFIG_ARM))
++ return;
++
+ status = efi_call_early(allocate_pool, EFI_LOADER_DATA, sizeof(*rsv),
+ (void **)&rsv);
+ if (status != EFI_SUCCESS) {
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 845174e113ce..100ce4a4aff6 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -1103,6 +1103,8 @@ static inline bool efi_enabled(int featu
+ extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused);
+
+ extern bool efi_is_table_address(unsigned long phys_addr);
++
++extern int efi_apply_persistent_mem_reservations(void);
+ #else
+ static inline bool efi_enabled(int feature)
+ {
+@@ -1121,6 +1123,11 @@ static inline bool efi_is_table_address(
+ {
+ return false;
+ }
++
++static inline int efi_apply_persistent_mem_reservations(void)
++{
++ return 0;
++}
+ #endif
+
+ extern int efi_status_to_err(efi_status_t status);
diff --git a/patches.drivers/efi-arm-Revert-Defer-persistent-reservations-until-a.patch b/patches.drivers/efi-arm-Revert-Defer-persistent-reservations-until-a.patch
new file mode 100644
index 0000000000..f91ec00123
--- /dev/null
+++ b/patches.drivers/efi-arm-Revert-Defer-persistent-reservations-until-a.patch
@@ -0,0 +1,102 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Fri, 15 Feb 2019 13:33:33 +0100
+Subject: efi/arm: Revert "Defer persistent reservations until after
+ paging_init()"
+Git-commit: 582a32e708823e5957fd73ccd78dc4a9e49d21ea
+Patch-mainline: v5.0-rc7
+References: bsc#1117158 bsc#1134671
+
+This reverts commit eff896288872d687d9662000ec9ae11b6d61766f, which
+deferred the processing of persistent memory reservations to a point
+where the memory may have already been allocated and overwritten,
+defeating the purpose.
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20190215123333.21209-3-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ arch/arm64/kernel/setup.c | 1 -
+ drivers/firmware/efi/efi.c | 4 ----
+ drivers/firmware/efi/libstub/arm-stub.c | 3 ---
+ include/linux/efi.h | 7 -------
+ 4 files changed, 15 deletions(-)
+
+diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c
+index 4b0e1231625c..d09ec76f08cf 100644
+--- a/arch/arm64/kernel/setup.c
++++ b/arch/arm64/kernel/setup.c
+@@ -313,7 +313,6 @@ void __init setup_arch(char **cmdline_p)
+ arm64_memblock_init();
+
+ paging_init();
+- efi_apply_persistent_mem_reservations();
+
+ acpi_table_upgrade();
+
+diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
+index 4c46ff6f2242..55b77c576c42 100644
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -592,11 +592,7 @@ int __init efi_config_parse_tables(void *config_tables, int count, int sz,
+
+ early_memunmap(tbl, sizeof(*tbl));
+ }
+- return 0;
+-}
+
+-int __init efi_apply_persistent_mem_reservations(void)
+-{
+ if (efi.mem_reserve != EFI_INVALID_TABLE_ADDR) {
+ unsigned long prsv = efi.mem_reserve;
+
+diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c
+index eee42d5e25ee..c037c6c5d0b7 100644
+--- a/drivers/firmware/efi/libstub/arm-stub.c
++++ b/drivers/firmware/efi/libstub/arm-stub.c
+@@ -75,9 +75,6 @@ void install_memreserve_table(efi_system_table_t *sys_table_arg)
+ efi_guid_t memreserve_table_guid = LINUX_EFI_MEMRESERVE_TABLE_GUID;
+ efi_status_t status;
+
+- if (IS_ENABLED(CONFIG_ARM))
+- return;
+-
+ status = efi_call_early(allocate_pool, EFI_LOADER_DATA, sizeof(*rsv),
+ (void **)&rsv);
+ if (status != EFI_SUCCESS) {
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 45ff763fba76..28604a8d0aa9 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -1198,8 +1198,6 @@ static inline bool efi_enabled(int feature)
+ extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused);
+
+ extern bool efi_is_table_address(unsigned long phys_addr);
+-
+-extern int efi_apply_persistent_mem_reservations(void);
+ #else
+ static inline bool efi_enabled(int feature)
+ {
+@@ -1218,11 +1216,6 @@ static inline bool efi_is_table_address(unsigned long phys_addr)
+ {
+ return false;
+ }
+-
+-static inline int efi_apply_persistent_mem_reservations(void)
+-{
+- return 0;
+-}
+ #endif
+
+ extern int efi_status_to_err(efi_status_t status);
+--
+2.21.0
+
diff --git a/patches.drivers/efi-arm-Revert-deferred-unmap-of-early-memmap-mappin.patch b/patches.drivers/efi-arm-Revert-deferred-unmap-of-early-memmap-mappin.patch
new file mode 100644
index 0000000000..843b740bd9
--- /dev/null
+++ b/patches.drivers/efi-arm-Revert-deferred-unmap-of-early-memmap-mappin.patch
@@ -0,0 +1,81 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 14 Nov 2018 09:55:41 -0800
+Subject: efi/arm: Revert deferred unmap of early memmap mapping
+Git-commit: 33412b8673135b18ea42beb7f5117ed0091798b6
+Patch-mainline: v4.20-rc3
+References: bsc#1117158 bsc#1134671
+
+Commit:
+
+ 3ea86495aef2 ("efi/arm: preserve early mapping of UEFI memory map longer for BGRT")
+
+deferred the unmap of the early mapping of the UEFI memory map to
+accommodate the ACPI BGRT code, which looks up the memory type that
+backs the BGRT table to validate it against the requirements of the UEFI spec.
+
+Unfortunately, this causes problems on ARM, which does not permit
+early mappings to persist after paging_init() is called, resulting
+in a WARN() splat. Since we don't support the BGRT table on ARM anway,
+let's revert ARM to the old behaviour, which is to take down the
+early mapping at the end of efi_init().
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Fixes: 3ea86495aef2 ("efi/arm: preserve early mapping of UEFI memory ...")
+Link: http://lkml.kernel.org/r/20181114175544.12860-3-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ drivers/firmware/efi/arm-init.c | 4 ++++
+ drivers/firmware/efi/arm-runtime.c | 2 +-
+ drivers/firmware/efi/memmap.c | 3 +++
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/arm-init.c b/drivers/firmware/efi/arm-init.c
+index 388a929baf95..1a6a77df8a5e 100644
+--- a/drivers/firmware/efi/arm-init.c
++++ b/drivers/firmware/efi/arm-init.c
+@@ -265,6 +265,10 @@ void __init efi_init(void)
+ (params.mmap & ~PAGE_MASK)));
+
+ init_screen_info();
++
++ /* ARM does not permit early mappings to persist across paging_init() */
++ if (IS_ENABLED(CONFIG_ARM))
++ efi_memmap_unmap();
+ }
+
+ static int __init register_gop_device(void)
+diff --git a/drivers/firmware/efi/arm-runtime.c b/drivers/firmware/efi/arm-runtime.c
+index 922cfb813109..a00934d263c5 100644
+--- a/drivers/firmware/efi/arm-runtime.c
++++ b/drivers/firmware/efi/arm-runtime.c
+@@ -110,7 +110,7 @@ static int __init arm_enable_runtime_services(void)
+ {
+ u64 mapsize;
+
+- if (!efi_enabled(EFI_BOOT) || !efi_enabled(EFI_MEMMAP)) {
++ if (!efi_enabled(EFI_BOOT)) {
+ pr_info("EFI services will not be available.\n");
+ return 0;
+ }
+diff --git a/drivers/firmware/efi/memmap.c b/drivers/firmware/efi/memmap.c
+index fa2904fb841f..38b686c67b17 100644
+--- a/drivers/firmware/efi/memmap.c
++++ b/drivers/firmware/efi/memmap.c
+@@ -118,6 +118,9 @@ int __init efi_memmap_init_early(struct efi_memory_map_data *data)
+
+ void __init efi_memmap_unmap(void)
+ {
++ if (!efi_enabled(EFI_MEMMAP))
++ return;
++
+ if (!efi.memmap.late) {
+ unsigned long size;
+
+--
+2.21.0
+
diff --git a/patches.drivers/efi-arm-map-UEFI-memory-map-even-w-o-runtime-service.patch b/patches.drivers/efi-arm-map-UEFI-memory-map-even-w-o-runtime-service.patch
new file mode 100644
index 0000000000..f9f283da11
--- /dev/null
+++ b/patches.drivers/efi-arm-map-UEFI-memory-map-even-w-o-runtime-service.patch
@@ -0,0 +1,64 @@
+From: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Date: Mon, 23 Jul 2018 10:57:31 +0900
+Subject: efi/arm: map UEFI memory map even w/o runtime services enabled
+Git-commit: 20d12cf990618845e76d3f24daaebd15d65a5e46
+Patch-mainline: v4.19-rc1
+References: bsc#1117158 bsc#1134671
+
+Under the current implementation, UEFI memory map will be mapped and made
+available in virtual mappings only if runtime services are enabled.
+But in a later patch, we want to use UEFI memory map in acpi_os_ioremap()
+to create mappings of ACPI tables using memory attributes described in
+UEFI memory map.
+See the following commit:
+ arm64: acpi: fix alignment fault in accessing ACPI tables
+
+So, as a first step, arm_enter_runtime_services() is modified, alongside
+Ard's patch[1], so that UEFI memory map will not be freed even if
+efi=noruntime.
+
+[1] https://marc.info/?l=linux-efi&m=152930773507524&w=2
+
+Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ drivers/firmware/efi/arm-runtime.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/firmware/efi/arm-runtime.c b/drivers/firmware/efi/arm-runtime.c
+index 4712445c3213..922cfb813109 100644
+--- a/drivers/firmware/efi/arm-runtime.c
++++ b/drivers/firmware/efi/arm-runtime.c
+@@ -117,6 +117,13 @@ static int __init arm_enable_runtime_services(void)
+
+ efi_memmap_unmap();
+
++ mapsize = efi.memmap.desc_size * efi.memmap.nr_map;
++
++ if (efi_memmap_init_late(efi.memmap.phys_map, mapsize)) {
++ pr_err("Failed to remap EFI memory map\n");
++ return 0;
++ }
++
+ if (efi_runtime_disabled()) {
+ pr_info("EFI runtime services will be disabled.\n");
+ return 0;
+@@ -129,13 +136,6 @@ static int __init arm_enable_runtime_services(void)
+
+ pr_info("Remapping and enabling EFI services.\n");
+
+- mapsize = efi.memmap.desc_size * efi.memmap.nr_map;
+-
+- if (efi_memmap_init_late(efi.memmap.phys_map, mapsize)) {
+- pr_err("Failed to remap EFI memory map\n");
+- return -ENOMEM;
+- }
+-
+ if (!efi_virtmap_init()) {
+ pr_err("UEFI virtual mapping missing or invalid -- runtime services will not be available\n");
+ return -ENOMEM;
+--
+2.20.1
+
diff --git a/patches.drivers/efi-arm-preserve-early-mapping-of-UEFI-memory-map-lo.patch b/patches.drivers/efi-arm-preserve-early-mapping-of-UEFI-memory-map-lo.patch
new file mode 100644
index 0000000000..967400444e
--- /dev/null
+++ b/patches.drivers/efi-arm-preserve-early-mapping-of-UEFI-memory-map-lo.patch
@@ -0,0 +1,62 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Mon, 23 Jul 2018 10:57:30 +0900
+Subject: efi/arm: preserve early mapping of UEFI memory map longer for BGRT
+Git-commit: 3ea86495aef2f6de26b7cb1599ba350dd6a0c521
+Patch-mainline: v4.19-rc1
+References: bsc#1117158 bsc#1134671
+
+The BGRT code validates the contents of the table against the UEFI
+memory map, and so it expects it to be mapped when the code runs.
+
+On ARM, this is currently not the case, since we tear down the early
+mapping after efi_init() completes, and only create the permanent
+mapping in arm_enable_runtime_services(), which executes as an early
+initcall, but still leaves a window where the UEFI memory map is not
+mapped.
+
+So move the call to efi_memmap_unmap() from efi_init() to
+arm_enable_runtime_services().
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+[will: fold in EFI_MEMMAP attribute check from Ard]
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ drivers/firmware/efi/arm-init.c | 1 -
+ drivers/firmware/efi/arm-runtime.c | 4 +++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/efi/arm-init.c b/drivers/firmware/efi/arm-init.c
+index b5214c143fee..388a929baf95 100644
+--- a/drivers/firmware/efi/arm-init.c
++++ b/drivers/firmware/efi/arm-init.c
+@@ -259,7 +259,6 @@ void __init efi_init(void)
+
+ reserve_regions();
+ efi_esrt_init();
+- efi_memmap_unmap();
+
+ memblock_reserve(params.mmap & PAGE_MASK,
+ PAGE_ALIGN(params.mmap_size +
+diff --git a/drivers/firmware/efi/arm-runtime.c b/drivers/firmware/efi/arm-runtime.c
+index 5889cbea60b8..4712445c3213 100644
+--- a/drivers/firmware/efi/arm-runtime.c
++++ b/drivers/firmware/efi/arm-runtime.c
+@@ -110,11 +110,13 @@ static int __init arm_enable_runtime_services(void)
+ {
+ u64 mapsize;
+
+- if (!efi_enabled(EFI_BOOT)) {
++ if (!efi_enabled(EFI_BOOT) || !efi_enabled(EFI_MEMMAP)) {
+ pr_info("EFI services will not be available.\n");
+ return 0;
+ }
+
++ efi_memmap_unmap();
++
+ if (efi_runtime_disabled()) {
+ pr_info("EFI runtime services will be disabled.\n");
+ return 0;
+--
+2.20.1
+
diff --git a/patches.drivers/ibmvnic-Add-device-identification-to-requested-IRQs.patch b/patches.drivers/ibmvnic-Add-device-identification-to-requested-IRQs.patch
new file mode 100644
index 0000000000..0010244495
--- /dev/null
+++ b/patches.drivers/ibmvnic-Add-device-identification-to-requested-IRQs.patch
@@ -0,0 +1,92 @@
+From e56e2515669af9f2444228db39699d02c5a4989a Mon Sep 17 00:00:00 2001
+From: Murilo Fossa Vicentini <muvic@linux.ibm.com>
+Date: Thu, 25 Apr 2019 11:02:33 -0300
+Subject: [PATCH] ibmvnic: Add device identification to requested IRQs
+
+References: bsc#1137739
+Patch-mainline: v5.2-rc1
+Git-commit: e56e2515669af9f2444228db39699d02c5a4989a
+
+The ibmvnic driver currently uses the same fixed name when using
+request_irq, this makes it hard to parse when multiple VNIC devices are
+available at the same time. This patch adds the unit_address as the device
+identification along with an id for each queue.
+
+The original idea was to use the interface name as an identifier, but it
+is not feasible given these requests happen at adapter probe, and at this
+point netdev is not yet registered so it doesn't have the proper name
+assigned to it.
+
+Signed-off-by: Murilo Fossa Vicentini <muvic@linux.ibm.com>
+Reviewed-by: Mauro S. M. Rodrigues <maurosr@linux.vnet.ibm.com>
+Reviewed-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 13 +++++++++----
+ drivers/net/ethernet/ibm/ibmvnic.h | 2 ++
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index 5e3cdb0b46d5..b398d6c94dbd 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -2919,8 +2919,10 @@ static int init_sub_crq_irqs(struct ibmvnic_adapter *adapter)
+ goto req_tx_irq_failed;
+ }
+
++ snprintf(scrq->name, sizeof(scrq->name), "ibmvnic-%x-tx%d",
++ adapter->vdev->unit_address, i);
+ rc = request_irq(scrq->irq, ibmvnic_interrupt_tx,
+- 0, "ibmvnic_tx", scrq);
++ 0, scrq->name, scrq);
+
+ if (rc) {
+ dev_err(dev, "Couldn't register tx irq 0x%x. rc=%d\n",
+@@ -2940,8 +2942,10 @@ static int init_sub_crq_irqs(struct ibmvnic_adapter *adapter)
+ dev_err(dev, "Error mapping irq\n");
+ goto req_rx_irq_failed;
+ }
++ snprintf(scrq->name, sizeof(scrq->name), "ibmvnic-%x-rx%d",
++ adapter->vdev->unit_address, i);
+ rc = request_irq(scrq->irq, ibmvnic_interrupt_rx,
+- 0, "ibmvnic_rx", scrq);
++ 0, scrq->name, scrq);
+ if (rc) {
+ dev_err(dev, "Couldn't register rx irq 0x%x. rc=%d\n",
+ scrq->irq, rc);
+@@ -4667,8 +4671,9 @@ static int init_crq_queue(struct ibmvnic_adapter *adapter)
+ (unsigned long)adapter);
+
+ netdev_dbg(adapter->netdev, "registering irq 0x%x\n", vdev->irq);
+- rc = request_irq(vdev->irq, ibmvnic_interrupt, 0, IBMVNIC_NAME,
+- adapter);
++ snprintf(crq->name, sizeof(crq->name), "ibmvnic-%x",
++ adapter->vdev->unit_address);
++ rc = request_irq(vdev->irq, ibmvnic_interrupt, 0, crq->name, adapter);
+ if (rc) {
+ dev_err(dev, "Couldn't register irq 0x%x. rc=%d\n",
+ vdev->irq, rc);
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.h b/drivers/net/ethernet/ibm/ibmvnic.h
+index d5260a206708..cffdac372a33 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.h
++++ b/drivers/net/ethernet/ibm/ibmvnic.h
+@@ -855,6 +855,7 @@ struct ibmvnic_crq_queue {
+ dma_addr_t msg_token;
+ spinlock_t lock;
+ bool active;
++ char name[32];
+ };
+
+ union sub_crq {
+@@ -881,6 +882,7 @@ struct ibmvnic_sub_crq_queue {
+ struct sk_buff *rx_skb_top;
+ struct ibmvnic_adapter *adapter;
+ atomic_t used;
++ char name[32];
+ };
+
+ struct ibmvnic_long_term_buff {
+--
+2.20.1
+
diff --git a/patches.drivers/ibmvnic-remove-set-but-not-used-variable-netdev.patch b/patches.drivers/ibmvnic-remove-set-but-not-used-variable-netdev.patch
new file mode 100644
index 0000000000..adf15e3f8f
--- /dev/null
+++ b/patches.drivers/ibmvnic-remove-set-but-not-used-variable-netdev.patch
@@ -0,0 +1,46 @@
+From 53a6b206e36f160dbaa5727e68f8418de0b10bbf Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 3 Apr 2019 15:54:09 +0800
+Subject: [PATCH] ibmvnic: remove set but not used variable 'netdev'
+
+References: bsc#1137739
+Patch-mainline: v5.2-rc1
+Git-commit: 53a6b206e36f160dbaa5727e68f8418de0b10bbf
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+drivers/net/ethernet/ibm/ibmvnic.c: In function '__ibmvnic_reset':
+drivers/net/ethernet/ibm/ibmvnic.c:1971:21: warning: variable 'netdev' set but not used [-Wunused-but-set-variable]
+
+It's never used since introduction in
+commit ed651a10875f ("ibmvnic: Updated reset handling")
+
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index 25b8e04ef11a..20c4e0835ba8 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1968,13 +1968,11 @@ static void __ibmvnic_reset(struct work_struct *work)
+ {
+ struct ibmvnic_rwi *rwi;
+ struct ibmvnic_adapter *adapter;
+- struct net_device *netdev;
+ bool we_lock_rtnl = false;
+ u32 reset_state;
+ int rc = 0;
+
+ adapter = container_of(work, struct ibmvnic_adapter, ibmvnic_reset);
+- netdev = adapter->netdev;
+
+ /* netif_set_real_num_xx_queues needs to take rtnl lock here
+ * unless wait_for_reset is set, in which case the rtnl lock
+--
+2.20.1
+
diff --git a/patches.drivers/iommu-arm-smmu-v3-Abort-all-transactions-if-SMMU-is-.patch b/patches.drivers/iommu-arm-smmu-v3-Abort-all-transactions-if-SMMU-is-.patch
new file mode 100644
index 0000000000..4a46f67e0a
--- /dev/null
+++ b/patches.drivers/iommu-arm-smmu-v3-Abort-all-transactions-if-SMMU-is-.patch
@@ -0,0 +1,79 @@
+From: Will Deacon <will.deacon@arm.com>
+Date: Wed, 25 Jul 2018 15:58:43 +0100
+Subject: iommu/arm-smmu-v3: Abort all transactions if SMMU is enabled in kdump
+ kernel
+Git-commit: b63b3439b85609338e4faabd5d2588dbda137e5c
+Patch-mainline: v4.19-rc1
+References: bsc#1117158 bsc#1134671
+
+If we find that the SMMU is enabled during probe, we reset it by
+re-initialising its registers and either enabling translation or placing
+it into bypass based on the disable_bypass commandline option.
+
+In the case of a kdump kernel, the SMMU won't have been shutdown cleanly
+by the previous kernel and there may be concurrent DMA through the SMMU.
+Rather than reset the SMMU to bypass, which would likely lead to rampant
+data corruption, we can instead configure the SMMU to abort all incoming
+transactions when we find that it is enabled from within a kdump kernel.
+
+Reported-by: Sameer Goel <sgoel@codeaurora.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ drivers/iommu/arm-smmu-v3.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+--- a/drivers/iommu/arm-smmu-v3.c
++++ b/drivers/iommu/arm-smmu-v3.c
+@@ -22,6 +22,7 @@
+
+ #include <linux/acpi.h>
+ #include <linux/acpi_iort.h>
++#include <linux/crash_dump.h>
+ #include <linux/delay.h>
+ #include <linux/dma-iommu.h>
+ #include <linux/err.h>
+@@ -2187,8 +2188,12 @@ static int arm_smmu_update_gbpa(struct a
+ reg &= ~clr;
+ reg |= set;
+ writel_relaxed(reg | GBPA_UPDATE, gbpa);
+- return readl_relaxed_poll_timeout(gbpa, reg, !(reg & GBPA_UPDATE),
+- 1, ARM_SMMU_POLL_TIMEOUT_US);
++ ret = readl_relaxed_poll_timeout(gbpa, reg, !(reg & GBPA_UPDATE),
++ 1, ARM_SMMU_POLL_TIMEOUT_US);
++
++ if (ret)
++ dev_err(smmu->dev, "GBPA not responding to update\n");
++ return ret;
+ }
+
+ static void arm_smmu_free_msis(void *data)
+@@ -2366,8 +2371,15 @@ static int arm_smmu_device_reset(struct
+
+ /* Clear CR0 and sync (disables SMMU and queue processing) */
+ reg = readl_relaxed(smmu->base + ARM_SMMU_CR0);
+- if (reg & CR0_SMMUEN)
++ if (reg & CR0_SMMUEN) {
++ if (is_kdump_kernel()) {
++ arm_smmu_update_gbpa(smmu, GBPA_ABORT, 0);
++ arm_smmu_device_disable(smmu);
++ return -EBUSY;
++ }
++
+ dev_warn(smmu->dev, "SMMU currently enabled! Resetting...\n");
++ }
+
+ ret = arm_smmu_device_disable(smmu);
+ if (ret)
+@@ -2467,10 +2479,8 @@ static int arm_smmu_device_reset(struct
+ enables |= CR0_SMMUEN;
+ } else {
+ ret = arm_smmu_update_gbpa(smmu, 0, GBPA_ABORT);
+- if (ret) {
+- dev_err(smmu->dev, "GBPA not responding to update\n");
++ if (ret)
+ return ret;
+- }
+ }
+ ret = arm_smmu_write_reg_sync(smmu, enables, ARM_SMMU_CR0,
+ ARM_SMMU_CR0ACK);
diff --git a/patches.drivers/iommu-arm-smmu-v3-Don-t-disable-SMMU-in-kdump-kernel.patch b/patches.drivers/iommu-arm-smmu-v3-Don-t-disable-SMMU-in-kdump-kernel.patch
new file mode 100644
index 0000000000..1faa75dd55
--- /dev/null
+++ b/patches.drivers/iommu-arm-smmu-v3-Don-t-disable-SMMU-in-kdump-kernel.patch
@@ -0,0 +1,59 @@
+From: Will Deacon <will.deacon@arm.com>
+Date: Tue, 23 Apr 2019 11:59:36 +0100
+Subject: iommu/arm-smmu-v3: Don't disable SMMU in kdump kernel
+Git-commit: 3f54c447df34ff9efac7809a4a80fd3208efc619
+Patch-mainline: v5.2-rc1
+References: bsc#1117158 bsc#1134671
+
+Disabling the SMMU when probing from within a kdump kernel so that all
+incoming transactions are terminated can prevent the core of the crashed
+kernel from being transferred off the machine if all I/O devices are
+behind the SMMU.
+
+Instead, continue to probe the SMMU after it is disabled so that we can
+reinitialise it entirely and re-attach the DMA masters as they are reset.
+Since the kdump kernel may not have drivers for all of the active DMA
+masters, we suppress fault reporting to avoid spamming the console and
+swamping the IRQ threads.
+
+Reported-by: "Leizhen (ThunderTown)" <thunder.leizhen@huawei.com>
+Tested-by: "Leizhen (ThunderTown)" <thunder.leizhen@huawei.com>
+Tested-by: Bhupesh Sharma <bhsharma@redhat.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ drivers/iommu/arm-smmu-v3.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c
+index 99b83fda11e4..4d5a694f02c2 100644
+--- a/drivers/iommu/arm-smmu-v3.c
++++ b/drivers/iommu/arm-smmu-v3.c
+@@ -2649,13 +2649,9 @@ static int arm_smmu_device_reset(struct arm_smmu_device *smmu, bool bypass)
+ /* Clear CR0 and sync (disables SMMU and queue processing) */
+ reg = readl_relaxed(smmu->base + ARM_SMMU_CR0);
+ if (reg & CR0_SMMUEN) {
+- if (is_kdump_kernel()) {
+- arm_smmu_update_gbpa(smmu, GBPA_ABORT, 0);
+- arm_smmu_device_disable(smmu);
+- return -EBUSY;
+- }
+-
+ dev_warn(smmu->dev, "SMMU currently enabled! Resetting...\n");
++ WARN_ON(is_kdump_kernel() && !disable_bypass);
++ arm_smmu_update_gbpa(smmu, GBPA_ABORT, 0);
+ }
+
+ ret = arm_smmu_device_disable(smmu);
+@@ -2758,6 +2754,8 @@ static int arm_smmu_device_reset(struct arm_smmu_device *smmu, bool bypass)
+ return ret;
+ }
+
++ if (is_kdump_kernel())
++ enables &= ~(CR0_EVTQEN | CR0_PRIQEN);
+
+ /* Enable the SMMU interface, or ensure bypass */
+ if (!bypass || disable_bypass) {
+--
+2.21.0
+
diff --git a/patches.drivers/mmc-block-Delete-gendisk-before-cleaning-up-the-requ.patch b/patches.drivers/mmc-block-Delete-gendisk-before-cleaning-up-the-requ.patch
new file mode 100644
index 0000000000..32f38f4a4e
--- /dev/null
+++ b/patches.drivers/mmc-block-Delete-gendisk-before-cleaning-up-the-requ.patch
@@ -0,0 +1,93 @@
+From 57678e5a3d5145e5f08aa1d307ba219b27b1765a Mon Sep 17 00:00:00 2001
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Thu, 22 Mar 2018 18:56:16 +0800
+Subject: [PATCH] mmc: block: Delete gendisk before cleaning up the request queue
+Git-commit: 57678e5a3d5145e5f08aa1d307ba219b27b1765a
+Patch-mainline: v4.17-rc1
+References: bsc#1127616
+
+dd if=/dev/urandom of=/dev/mmcblk1 bs=4k count=10000
+with a SD card hotplug during transfer reports a warning below
+introduced by commit a063057d7c73 ("block: Fix a race between
+request queue removal and the block cgroup controller"). So we
+should now remove the disk, partition and bdi sysfs attributes
+before cleaning up the request queue associated with the disk.
+
+[ 410.331226] mmc1: card 59b4 removed
+[ 410.348583] WARNING: CPU: 0 PID: 5 at block/blk-core.c:785
+blk_cleanup_queue+0x138/0x140
+[ 410.349294] Modules linked in:
+[ 410.349570] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted
+4.16.0-rc6-next-20180321-00004-gc2ad6a7 #263
+[ 410.350363] Hardware name: Excavator-RK3399 Board (DT)
+[ 410.350819] Workqueue: events_freezable mmc_rescan
+[ 410.351242] pstate: 60000005 (nZCv daif -PAN -UAO)
+[ 410.351663] pc : blk_cleanup_queue+0x138/0x140
+[ 410.352054] lr : blk_cleanup_queue+0xac/0x140
+[ 410.352436] sp : ffff0000092cbb90
+[ 410.352727] x29: ffff0000092cbb90 x28: 0000000000000000
+[ 410.353195] x27: ffff8000f6f23030 x26: ffff00000904e610
+[ 410.353662] x25: ffff8000f17cc808 x24: ffff8000f1038200
+[ 410.354128] x23: 0000000000000060 x22: 0000000000000000
+[ 410.354595] x21: ffff8000f11748d8 x20: ffff8000f1038200
+[ 410.355061] x19: ffff8000f1174200 x18: 0000ffff936347d8
+[ 410.355528] x17: 0000ffff935b93c0 x16: ffff0000081263f8
+[ 410.355994] x15: 0000000000000000 x14: 0000000000000400
+[ 410.356461] x13: 0000000000000001 x12: 0000000000000001
+[ 410.356927] x11: 0000000000000040 x10: ffff8000f2400028
+[ 410.357393] x9 : ffff8000f2400040 x8 : 0000000000000000
+[ 410.357860] x7 : ffff8000f6f3a340 x6 : ffff8000f6f3a340
+[ 410.358326] x5 : ffff8000f2400000 x4 : ffff8000f6f3a340
+[ 410.358792] x3 : 0000000000000000 x2 : 39c1333e45670800
+[ 410.359259] x1 : 0000000000000000 x0 : 0000000000000003
+[ 410.359726] Call trace:
+[ 410.359943] blk_cleanup_queue+0x138/0x140
+[ 410.360305] mmc_cleanup_queue+0x2c/0x48
+[ 410.360652] mmc_blk_remove_req+0x1c/0x98
+[ 410.361005] mmc_blk_remove+0x180/0x1c0
+[ 410.361343] mmc_bus_remove+0x1c/0x28
+[ 410.361670] device_release_driver_internal+0x154/0x1f0
+[ 410.362128] device_release_driver+0x14/0x20
+[ 410.362504] bus_remove_device+0xc8/0x108
+[ 410.362858] device_del+0x120/0x350
+[ 410.363167] mmc_remove_card+0x5c/0xb8
+[ 410.363498] mmc_sd_detect+0x40/0x78
+[ 410.363813] mmc_rescan+0x19c/0x368
+[ 410.364123] process_one_work+0x1ac/0x318
+[ 410.364477] worker_thread+0x50/0x450
+[ 410.364801] kthread+0xf8/0x128
+[ 410.365081] ret_from_fork+0x10/0x18
+[ 410.365395] ---[ end trace 268e87a46c28968c ]---
+
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/mmc/core/block.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
+index 20135a5de748..c895bb0d5569 100644
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -2647,7 +2647,6 @@ static void mmc_blk_remove_req(struct mmc_blk_data *md)
+ * from being accepted.
+ */
+ card = md->queue.card;
+- mmc_cleanup_queue(&md->queue);
+ if (md->disk->flags & GENHD_FL_UP) {
+ device_remove_file(disk_to_dev(md->disk), &md->force_ro);
+ if ((md->area_type & MMC_BLK_DATA_AREA_BOOT) &&
+@@ -2657,6 +2656,7 @@ static void mmc_blk_remove_req(struct mmc_blk_data *md)
+
+ del_gendisk(md->disk);
+ }
++ mmc_cleanup_queue(&md->queue);
+ mmc_blk_put(md);
+ }
+ }
+--
+2.16.4
+
diff --git a/patches.drivers/net-ibmvnic-Remove-tests-of-member-address.patch b/patches.drivers/net-ibmvnic-Remove-tests-of-member-address.patch
new file mode 100644
index 0000000000..1cf3320ee8
--- /dev/null
+++ b/patches.drivers/net-ibmvnic-Remove-tests-of-member-address.patch
@@ -0,0 +1,56 @@
+From 390de1940441a72625283098dd0d9303d0ceb8fb Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Tue, 11 Dec 2018 12:20:46 +0800
+Subject: [PATCH] net/ibmvnic: Remove tests of member address
+
+References: bsc#1137739
+Patch-mainline: v5.0-rc1
+Git-commit: 390de1940441a72625283098dd0d9303d0ceb8fb
+
+The driver was checking for non-NULL address.
+- adapter->napi[i]
+
+This is pointless as these will be always non-NULL, since the
+'dapter->napi' is allocated in init_napi().
+It is safe to get rid of useless checks for addresses to fix the
+coccinelle warning:
+>>drivers/net/ethernet/ibm/ibmvnic.c: test of a variable/field address
+Since such statements always return true, they are redundant.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+CC: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+CC: Paul Mackerras <paulus@samba.org>
+CC: Michael Ellerman <mpe@ellerman.id.au>
+CC: Thomas Falcon <tlfalcon@linux.ibm.com>
+CC: John Allen <jallen@linux.ibm.com>
+CC: "David S. Miller" <davem@davemloft.net>
+CC: linuxppc-dev@lists.ozlabs.org
+CC: netdev@vger.kernel.org
+CC: linux-kernel@vger.kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index ed50b8dee44f..14d00985f087 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -773,11 +773,8 @@ static void release_napi(struct ibmvnic_adapter *adapter)
+ return;
+
+ for (i = 0; i < adapter->num_active_rx_napi; i++) {
+- if (&adapter->napi[i]) {
+- netdev_dbg(adapter->netdev,
+- "Releasing napi[%d]\n", i);
+- netif_napi_del(&adapter->napi[i]);
+- }
++ netdev_dbg(adapter->netdev, "Releasing napi[%d]\n", i);
++ netif_napi_del(&adapter->napi[i]);
+ }
+
+ kfree(adapter->napi);
+--
+2.20.1
+
diff --git a/patches.drivers/rtc-da9063-set-uie_unsupported-when-relevant.patch b/patches.drivers/rtc-da9063-set-uie_unsupported-when-relevant.patch
new file mode 100644
index 0000000000..7b1ce11b62
--- /dev/null
+++ b/patches.drivers/rtc-da9063-set-uie_unsupported-when-relevant.patch
@@ -0,0 +1,44 @@
+From 882c5e552ffd06856de42261460f46e18319d259 Mon Sep 17 00:00:00 2001
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Tue, 2 Apr 2019 12:26:36 +0200
+Subject: [PATCH] rtc: da9063: set uie_unsupported when relevant
+Git-commit: 882c5e552ffd06856de42261460f46e18319d259
+Patch-mainline: v5.1-rc4
+References: bsc#1051510
+
+The DA9063AD doesn't support alarms on any seconds and its granularity is
+the minute. Set uie_unsupported in that case.
+
+Reported-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Acked-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/rtc/rtc-da9063.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/rtc/rtc-da9063.c b/drivers/rtc/rtc-da9063.c
+index b4e054c64bad..69b54e5556c0 100644
+--- a/drivers/rtc/rtc-da9063.c
++++ b/drivers/rtc/rtc-da9063.c
+@@ -480,6 +480,13 @@ static int da9063_rtc_probe(struct platform_device *pdev)
+ da9063_data_to_tm(data, &rtc->alarm_time, rtc);
+ rtc->rtc_sync = false;
+
++ /*
++ * TODO: some models have alarms on a minute boundary but still support
++ * real hardware interrupts. Add this once the core supports it.
++ */
++ if (config->rtc_data_start != RTC_SEC)
++ rtc->rtc_dev->uie_unsupported = 1;
++
+ irq_alarm = platform_get_irq_byname(pdev, "ALARM");
+ ret = devm_request_threaded_irq(&pdev->dev, irq_alarm, NULL,
+ da9063_alarm_event,
+--
+2.16.4
+
diff --git a/patches.drivers/rtc-sh-Fix-invalid-alarm-warning-for-non-enabled-ala.patch b/patches.drivers/rtc-sh-Fix-invalid-alarm-warning-for-non-enabled-ala.patch
new file mode 100644
index 0000000000..c436ec1c7e
--- /dev/null
+++ b/patches.drivers/rtc-sh-Fix-invalid-alarm-warning-for-non-enabled-ala.patch
@@ -0,0 +1,48 @@
+From 15d82d22498784966df8e4696174a16b02cc1052 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 20 Mar 2019 11:32:14 +0100
+Subject: [PATCH] rtc: sh: Fix invalid alarm warning for non-enabled alarm
+Git-commit: 15d82d22498784966df8e4696174a16b02cc1052
+Patch-mainline: v5.1-rc4
+References: bsc#1051510
+
+When no alarm has been programmed on RSK-RZA1, an error message is
+printed during boot:
+
+ rtc rtc0: invalid alarm value: 2019-03-14T255:255:255
+
+sh_rtc_read_alarm_value() returns 0xff when querying a hardware alarm
+field that is not enabled. __rtc_read_alarm() validates the received
+alarm values, and fills in missing fields when needed.
+While 0xff is handled fine for the year, month, and day fields, and
+corrected as considered being out-of-range, this is not the case for the
+hour, minute, and second fields, where -1 is expected for missing
+fields.
+
+Fix this by returning -1 instead, as this value is handled fine for all
+fields.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/rtc/rtc-sh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-sh.c b/drivers/rtc/rtc-sh.c
+index d417b203cbc5..1d3de2a3d1a4 100644
+--- a/drivers/rtc/rtc-sh.c
++++ b/drivers/rtc/rtc-sh.c
+@@ -374,7 +374,7 @@ static int sh_rtc_set_time(struct device *dev, struct rtc_time *tm)
+ static inline int sh_rtc_read_alarm_value(struct sh_rtc *rtc, int reg_off)
+ {
+ unsigned int byte;
+- int value = 0xff; /* return 0xff for ignored values */
++ int value = -1; /* return -1 for ignored values */
+
+ byte = readb(rtc->regbase + reg_off);
+ if (byte & AR_ENB) {
+--
+2.16.4
+
diff --git a/patches.drivers/scsi-qedf-fixup-bit-operations.patch b/patches.drivers/scsi-qedf-fixup-bit-operations.patch
new file mode 100644
index 0000000000..d51b9b9183
--- /dev/null
+++ b/patches.drivers/scsi-qedf-fixup-bit-operations.patch
@@ -0,0 +1,77 @@
+From: Hannes Reinecke <hare@suse.com>
+Date: Tue, 26 Mar 2019 00:38:45 -0700
+Subject: [PATCH] scsi: qedf: fixup bit operations
+Git-commit: 78a8ab3cc0f95a66c8fb2429030289103de173e7
+Patch-Mainline: v5.2
+References: bsc#1135542
+
+test_bit() is atomic, test_bit() || test_bit() is not. So protect
+consecutive bit tests with a lock to avoid races.
+
+Signed-off-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+---
+ drivers/scsi/qedf/qedf_els.c | 4 ++++
+ drivers/scsi/qedf/qedf_main.c | 5 ++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qedf/qedf_els.c b/drivers/scsi/qedf/qedf_els.c
+index aad1f7c464fd..f1f576375de4 100644
+--- a/drivers/scsi/qedf/qedf_els.c
++++ b/drivers/scsi/qedf/qedf_els.c
+@@ -358,20 +358,24 @@ void qedf_restart_rport(struct qedf_rport *fcport)
+ struct fc_lport *lport;
+ struct fc_rport_priv *rdata;
+ u32 port_id;
++ unsigned long flags;
+
+ if (!fcport)
+ return;
+
++ spin_lock_irqsave(&fcport->rport_lock, flags);
+ if (test_bit(QEDF_RPORT_IN_RESET, &fcport->flags) ||
+ !test_bit(QEDF_RPORT_SESSION_READY, &fcport->flags) ||
+ test_bit(QEDF_RPORT_UPLOADING_CONNECTION, &fcport->flags)) {
+ QEDF_ERR(&(fcport->qedf->dbg_ctx), "fcport %p already in reset or not offloaded.\n",
+ fcport);
++ spin_unlock_irqrestore(&fcport->rport_lock, flags);
+ return;
+ }
+
+ /* Set that we are now in reset */
+ set_bit(QEDF_RPORT_IN_RESET, &fcport->flags);
++ spin_unlock_irqrestore(&fcport->rport_lock, flags);
+
+ rdata = fcport->rdata;
+ if (rdata) {
+diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
+index b216a0f757a1..bc787ce0b526 100644
+--- a/drivers/scsi/qedf/qedf_main.c
++++ b/drivers/scsi/qedf/qedf_main.c
+@@ -1435,9 +1435,11 @@ static void qedf_rport_event_handler(struct fc_lport *lport,
+ */
+ fcport = (struct qedf_rport *)&rp[1];
+
++ spin_lock_irqsave(&fcport->rport_lock, flags);
+ /* Only free this fcport if it is offloaded already */
+ if (test_bit(QEDF_RPORT_SESSION_READY, &fcport->flags)) {
+ set_bit(QEDF_RPORT_UPLOADING_CONNECTION, &fcport->flags);
++ spin_unlock_irqrestore(&fcport->rport_lock, flags);
+ qedf_cleanup_fcport(qedf, fcport);
+
+ /*
+@@ -1453,8 +1455,9 @@ static void qedf_rport_event_handler(struct fc_lport *lport,
+ clear_bit(QEDF_RPORT_UPLOADING_CONNECTION,
+ &fcport->flags);
+ atomic_dec(&qedf->num_offloads);
++ } else {
++ spin_unlock_irqrestore(&fcport->rport_lock, flags);
+ }
+-
+ break;
+
+ case RPORT_EV_NONE:
+--
+2.16.4
+
diff --git a/patches.drivers/scsi-qedf-fixup-locking-in-qedf_restart_rport.patch b/patches.drivers/scsi-qedf-fixup-locking-in-qedf_restart_rport.patch
new file mode 100644
index 0000000000..559fb137dd
--- /dev/null
+++ b/patches.drivers/scsi-qedf-fixup-locking-in-qedf_restart_rport.patch
@@ -0,0 +1,42 @@
+From: Hannes Reinecke <hare@suse.com>
+Date: Tue, 26 Mar 2019 00:38:44 -0700
+Subject: [PATCH] scsi: qedf: fixup locking in qedf_restart_rport()
+Git-commit: 6d1368e8f987dd4bb1be6506d5416cb90b4ecf7a
+Patch-Mainline: v5.2
+References: bsc#1135542
+
+fc_rport_create() needs to be called with disc_mutex held. And we should
+re-assign the 'rdata' pointer in case it got changed.
+
+Signed-off-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+---
+ drivers/scsi/qedf/qedf_els.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qedf/qedf_els.c b/drivers/scsi/qedf/qedf_els.c
+index ac2bfc26bcdb..aad1f7c464fd 100644
+--- a/drivers/scsi/qedf/qedf_els.c
++++ b/drivers/scsi/qedf/qedf_els.c
+@@ -380,10 +380,16 @@ void qedf_restart_rport(struct qedf_rport *fcport)
+ QEDF_ERR(&(fcport->qedf->dbg_ctx),
+ "LOGO port_id=%x.\n", port_id);
+ fc_rport_logoff(rdata);
++ mutex_lock(&lport->disc.disc_mutex);
+ /* Recreate the rport and log back in */
+ rdata = fc_rport_create(lport, port_id);
+- if (rdata)
++ if (rdata) {
++ mutex_unlock(&lport->disc.disc_mutex);
+ fc_rport_login(rdata);
++ fcport->rdata = rdata;
++ } else {
++ mutex_unlock(&lport->disc.disc_mutex);
++ }
+ }
+ clear_bit(QEDF_RPORT_IN_RESET, &fcport->flags);
+ }
+--
+2.16.4
+
diff --git a/patches.drivers/scsi-qedf-missing-kref_put-in-qedf_xmit.patch b/patches.drivers/scsi-qedf-missing-kref_put-in-qedf_xmit.patch
new file mode 100644
index 0000000000..c9d8858994
--- /dev/null
+++ b/patches.drivers/scsi-qedf-missing-kref_put-in-qedf_xmit.patch
@@ -0,0 +1,37 @@
+From: Hannes Reinecke <hare@suse.com>
+Date: Tue, 26 Mar 2019 00:38:43 -0700
+Subject: [PATCH] scsi: qedf: missing kref_put in qedf_xmit()
+Git-commit: 4262d35c32c652344b6784cad51ec5a0e2e5258b
+Patch-Mainline: v5.2
+References: bsc#1135542
+
+qedf_xmit() calls fc_rport_lookup(), but discards the returned rdata
+structure almost immediately without decreasing the refcount. This leads
+to a refcount leak and the rdata never to be freed.
+
+Signed-off-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+---
+ drivers/scsi/qedf/qedf_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
+index 9e186d762d63..b216a0f757a1 100644
+--- a/drivers/scsi/qedf/qedf_main.c
++++ b/drivers/scsi/qedf/qedf_main.c
+@@ -971,8 +971,10 @@ static int qedf_xmit(struct fc_lport *lport, struct fc_frame *fp)
+ "Dropping FCoE frame to %06x.\n", ntoh24(fh->fh_d_id));
+ kfree_skb(skb);
+ rdata = fc_rport_lookup(lport, ntoh24(fh->fh_d_id));
+- if (rdata)
++ if (rdata) {
+ rdata->retries = lport->max_rport_retry_count;
++ kref_put(&rdata->kref, fc_rport_destroy);
++ }
+ return -EINVAL;
+ }
+ /* End NPIV filtering */
+--
+2.16.4
+
diff --git a/patches.drivers/scsi-qla2xxx-Declare-local-functions-static.patch b/patches.drivers/scsi-qla2xxx-Declare-local-functions-static.patch
new file mode 100644
index 0000000000..04af915d8c
--- /dev/null
+++ b/patches.drivers/scsi-qla2xxx-Declare-local-functions-static.patch
@@ -0,0 +1,45 @@
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Thu, 18 Oct 2018 15:45:42 -0700
+Subject: [PATCH] scsi: qla2xxx: Declare local functions 'static'
+Git-commit: 8f9a214823c9806386760b9f8624a376bbcd5232
+Patch-mainline: v4.20-rc1
+References: bsc#1137444
+
+This patch avoids that the compiler complains about missing declarations
+when building with W=1.
+
+Cc: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_init.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index 2ccf9f190c68..6fe20c27acc1 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -425,7 +425,7 @@ void qla24xx_handle_adisc_event(scsi_qla_host_t *vha, struct event_arg *ea)
+ __qla24xx_handle_gpdb_event(vha, ea);
+ }
+
+-int qla_post_els_plogi_work(struct scsi_qla_host *vha, fc_port_t *fcport)
++static int qla_post_els_plogi_work(struct scsi_qla_host *vha, fc_port_t *fcport)
+ {
+ struct qla_work_evt *e;
+
+@@ -1551,7 +1551,8 @@ void qla24xx_handle_relogin_event(scsi_qla_host_t *vha,
+ }
+
+
+-void qla_handle_els_plogi_done(scsi_qla_host_t *vha, struct event_arg *ea)
++static void qla_handle_els_plogi_done(scsi_qla_host_t *vha,
++ struct event_arg *ea)
+ {
+ ql_dbg(ql_dbg_disc, vha, 0x2118,
+ "%s %d %8phC post PRLI\n",
+--
+2.16.4
+
diff --git a/patches.drivers/scsi-qla2xxx-Fix-function-argument-descriptions.patch b/patches.drivers/scsi-qla2xxx-Fix-function-argument-descriptions.patch
new file mode 100644
index 0000000000..a0b437dc67
--- /dev/null
+++ b/patches.drivers/scsi-qla2xxx-Fix-function-argument-descriptions.patch
@@ -0,0 +1,947 @@
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Tue, 23 Jan 2018 16:33:51 -0800
+Subject: [PATCH] scsi: qla2xxx: Fix function argument descriptions
+Git-commit: 2db6228d9cd13bc3bb83bf3436998ea82b0d56ae
+Patch-mainline: v4.17-rc1
+References: bsc#1118139
+
+Bring the kernel-doc headers in sync with the function argument lists.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Himanshu Madhani <himanshu.madhani@cavium.com>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_dbg.c | 4 +-
+ drivers/scsi/qla2xxx/qla_gs.c | 78 +++++++++++++++++++--------------------
+ drivers/scsi/qla2xxx/qla_init.c | 33 +++++++++--------
+ drivers/scsi/qla2xxx/qla_inline.h | 1 +
+ drivers/scsi/qla2xxx/qla_iocb.c | 15 ++++++--
+ drivers/scsi/qla2xxx/qla_isr.c | 23 +++++++-----
+ drivers/scsi/qla2xxx/qla_mbx.c | 5 ++-
+ drivers/scsi/qla2xxx/qla_mr.c | 36 ++++++++++--------
+ drivers/scsi/qla2xxx/qla_nx.c | 7 ++--
+ drivers/scsi/qla2xxx/qla_nx2.c | 19 +++++-----
+ drivers/scsi/qla2xxx/qla_sup.c | 1 +
+ drivers/scsi/qla2xxx/qla_target.c | 7 ++--
+ 12 files changed, 125 insertions(+), 104 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_dbg.c b/drivers/scsi/qla2xxx/qla_dbg.c
+index 3e9dc54b89a3..7e9d8f08b9d5 100644
+--- a/drivers/scsi/qla2xxx/qla_dbg.c
++++ b/drivers/scsi/qla2xxx/qla_dbg.c
+@@ -717,7 +717,7 @@ qla2xxx_dump_post_process(scsi_qla_host_t *vha, int rval)
+
+ /**
+ * qla2300_fw_dump() - Dumps binary data from the 2300 firmware.
+- * @ha: HA context
++ * @vha: HA context
+ * @hardware_locked: Called with the hardware_lock
+ */
+ void
+@@ -887,7 +887,7 @@ qla2300_fw_dump(scsi_qla_host_t *vha, int hardware_locked)
+
+ /**
+ * qla2100_fw_dump() - Dumps binary data from the 2100/2200 firmware.
+- * @ha: HA context
++ * @vha: HA context
+ * @hardware_locked: Called with the hardware_lock
+ */
+ void
+diff --git a/drivers/scsi/qla2xxx/qla_gs.c b/drivers/scsi/qla2xxx/qla_gs.c
+index 5bf9a59432f6..e4d404c24506 100644
+--- a/drivers/scsi/qla2xxx/qla_gs.c
++++ b/drivers/scsi/qla2xxx/qla_gs.c
+@@ -21,11 +21,10 @@ static int qla_async_rsnn_nn(scsi_qla_host_t *);
+
+ /**
+ * qla2x00_prep_ms_iocb() - Prepare common MS/CT IOCB fields for SNS CT query.
+- * @ha: HA context
+- * @req_size: request size in bytes
+- * @rsp_size: response size in bytes
++ * @vha: HA context
++ * @arg: CT arguments
+ *
+- * Returns a pointer to the @ha's ms_iocb.
++ * Returns a pointer to the @vha's ms_iocb.
+ */
+ void *
+ qla2x00_prep_ms_iocb(scsi_qla_host_t *vha, struct ct_arg *arg)
+@@ -61,9 +60,8 @@ qla2x00_prep_ms_iocb(scsi_qla_host_t *vha, struct ct_arg *arg)
+
+ /**
+ * qla24xx_prep_ms_iocb() - Prepare common CT IOCB fields for SNS CT query.
+- * @ha: HA context
+- * @req_size: request size in bytes
+- * @rsp_size: response size in bytes
++ * @vha: HA context
++ * @arg: CT arguments
+ *
+ * Returns a pointer to the @ha's ms_iocb.
+ */
+@@ -101,7 +99,7 @@ qla24xx_prep_ms_iocb(scsi_qla_host_t *vha, struct ct_arg *arg)
+
+ /**
+ * qla2x00_prep_ct_req() - Prepare common CT request fields for SNS query.
+- * @ct_req: CT request buffer
++ * @p: CT request buffer
+ * @cmd: GS command
+ * @rsp_size: response size in bytes
+ *
+@@ -196,7 +194,7 @@ qla2x00_chk_ms_status(scsi_qla_host_t *vha, ms_iocb_entry_t *ms_pkt,
+
+ /**
+ * qla2x00_ga_nxt() - SNS scan for fabric devices via GA_NXT command.
+- * @ha: HA context
++ * @vha: HA context
+ * @fcport: fcport entry to updated
+ *
+ * Returns 0 on success.
+@@ -283,7 +281,7 @@ qla2x00_gid_pt_rsp_size(scsi_qla_host_t *vha)
+
+ /**
+ * qla2x00_gid_pt() - SNS scan for fabric devices via GID_PT command.
+- * @ha: HA context
++ * @vha: HA context
+ * @list: switch info entries to populate
+ *
+ * NOTE: Non-Nx_Ports are not requested.
+@@ -371,7 +369,7 @@ qla2x00_gid_pt(scsi_qla_host_t *vha, sw_info_t *list)
+
+ /**
+ * qla2x00_gpn_id() - SNS Get Port Name (GPN_ID) query.
+- * @ha: HA context
++ * @vha: HA context
+ * @list: switch info entries to populate
+ *
+ * Returns 0 on success.
+@@ -441,7 +439,7 @@ qla2x00_gpn_id(scsi_qla_host_t *vha, sw_info_t *list)
+
+ /**
+ * qla2x00_gnn_id() - SNS Get Node Name (GNN_ID) query.
+- * @ha: HA context
++ * @vha: HA context
+ * @list: switch info entries to populate
+ *
+ * Returns 0 on success.
+@@ -583,7 +581,7 @@ static void qla2x00_async_sns_sp_done(void *s, int rc)
+
+ /**
+ * qla2x00_rft_id() - SNS Register FC-4 TYPEs (RFT_ID) supported by the HBA.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -675,7 +673,8 @@ static int qla_async_rftid(scsi_qla_host_t *vha, port_id_t *d_id)
+
+ /**
+ * qla2x00_rff_id() - SNS Register FC-4 Features (RFF_ID) supported by the HBA.
+- * @ha: HA context
++ * @vha: HA context
++ * @type: not used
+ *
+ * Returns 0 on success.
+ */
+@@ -769,7 +768,7 @@ static int qla_async_rffid(scsi_qla_host_t *vha, port_id_t *d_id,
+
+ /**
+ * qla2x00_rnn_id() - SNS Register Node Name (RNN_ID) of the HBA.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -874,7 +873,7 @@ qla2x00_get_sym_node_name(scsi_qla_host_t *vha, uint8_t *snn, size_t size)
+
+ /**
+ * qla2x00_rsnn_nn() - SNS Register Symbolic Node Name (RSNN_NN) of the HBA.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -970,7 +969,7 @@ static int qla_async_rsnn_nn(scsi_qla_host_t *vha)
+
+ /**
+ * qla2x00_prep_sns_cmd() - Prepare common SNS command request fields for query.
+- * @ha: HA context
++ * @vha: HA context
+ * @cmd: GS command
+ * @scmd_len: Subcommand length
+ * @data_size: response size in bytes
+@@ -1003,7 +1002,7 @@ qla2x00_prep_sns_cmd(scsi_qla_host_t *vha, uint16_t cmd, uint16_t scmd_len,
+
+ /**
+ * qla2x00_sns_ga_nxt() - SNS scan for fabric devices via GA_NXT command.
+- * @ha: HA context
++ * @vha: HA context
+ * @fcport: fcport entry to updated
+ *
+ * This command uses the old Exectute SNS Command mailbox routine.
+@@ -1067,7 +1066,7 @@ qla2x00_sns_ga_nxt(scsi_qla_host_t *vha, fc_port_t *fcport)
+
+ /**
+ * qla2x00_sns_gid_pt() - SNS scan for fabric devices via GID_PT command.
+- * @ha: HA context
++ * @vha: HA context
+ * @list: switch info entries to populate
+ *
+ * This command uses the old Exectute SNS Command mailbox routine.
+@@ -1140,7 +1139,7 @@ qla2x00_sns_gid_pt(scsi_qla_host_t *vha, sw_info_t *list)
+
+ /**
+ * qla2x00_sns_gpn_id() - SNS Get Port Name (GPN_ID) query.
+- * @ha: HA context
++ * @vha: HA context
+ * @list: switch info entries to populate
+ *
+ * This command uses the old Exectute SNS Command mailbox routine.
+@@ -1196,7 +1195,7 @@ qla2x00_sns_gpn_id(scsi_qla_host_t *vha, sw_info_t *list)
+
+ /**
+ * qla2x00_sns_gnn_id() - SNS Get Node Name (GNN_ID) query.
+- * @ha: HA context
++ * @vha: HA context
+ * @list: switch info entries to populate
+ *
+ * This command uses the old Exectute SNS Command mailbox routine.
+@@ -1259,7 +1258,7 @@ qla2x00_sns_gnn_id(scsi_qla_host_t *vha, sw_info_t *list)
+
+ /**
+ * qla2x00_snd_rft_id() - SNS Register FC-4 TYPEs (RFT_ID) supported by the HBA.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * This command uses the old Exectute SNS Command mailbox routine.
+ *
+@@ -1308,8 +1307,7 @@ qla2x00_sns_rft_id(scsi_qla_host_t *vha)
+
+ /**
+ * qla2x00_sns_rnn_id() - SNS Register Node Name (RNN_ID) of the HBA.
+- * HBA.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * This command uses the old Exectute SNS Command mailbox routine.
+ *
+@@ -1365,7 +1363,7 @@ qla2x00_sns_rnn_id(scsi_qla_host_t *vha)
+
+ /**
+ * qla2x00_mgmt_svr_login() - Login to fabric Management Service.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -1401,7 +1399,7 @@ qla2x00_mgmt_svr_login(scsi_qla_host_t *vha)
+
+ /**
+ * qla2x00_prep_ms_fdmi_iocb() - Prepare common MS IOCB fields for FDMI query.
+- * @ha: HA context
++ * @vha: HA context
+ * @req_size: request size in bytes
+ * @rsp_size: response size in bytes
+ *
+@@ -1439,7 +1437,7 @@ qla2x00_prep_ms_fdmi_iocb(scsi_qla_host_t *vha, uint32_t req_size,
+
+ /**
+ * qla24xx_prep_ms_fdmi_iocb() - Prepare common MS IOCB fields for FDMI query.
+- * @ha: HA context
++ * @vha: HA context
+ * @req_size: request size in bytes
+ * @rsp_size: response size in bytes
+ *
+@@ -1496,7 +1494,7 @@ qla2x00_update_ms_fdmi_iocb(scsi_qla_host_t *vha, uint32_t req_size)
+
+ /**
+ * qla2x00_prep_ct_req() - Prepare common CT request fields for SNS query.
+- * @ct_req: CT request buffer
++ * @p: CT request buffer
+ * @cmd: GS command
+ * @rsp_size: response size in bytes
+ *
+@@ -1518,8 +1516,8 @@ qla2x00_prep_ct_fdmi_req(struct ct_sns_pkt *p, uint16_t cmd,
+ }
+
+ /**
+- * qla2x00_fdmi_rhba() -
+- * @ha: HA context
++ * qla2x00_fdmi_rhba() - perform RHBA FDMI registration
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -1728,8 +1726,8 @@ qla2x00_fdmi_rhba(scsi_qla_host_t *vha)
+ }
+
+ /**
+- * qla2x00_fdmi_rpa() -
+- * @ha: HA context
++ * qla2x00_fdmi_rpa() - perform RPA registration
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -1940,8 +1938,8 @@ qla2x00_fdmi_rpa(scsi_qla_host_t *vha)
+ }
+
+ /**
+- * qla2x00_fdmiv2_rhba() -
+- * @ha: HA context
++ * qla2x00_fdmiv2_rhba() - perform RHBA FDMI v2 registration
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -2257,7 +2255,7 @@ qla2x00_fdmiv2_rhba(scsi_qla_host_t *vha)
+
+ /**
+ * qla2x00_fdmi_dhba() -
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -2305,7 +2303,7 @@ qla2x00_fdmi_dhba(scsi_qla_host_t *vha)
+
+ /**
+ * qla2x00_fdmiv2_rpa() -
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -2635,7 +2633,7 @@ qla2x00_fdmiv2_rpa(scsi_qla_host_t *vha)
+
+ /**
+ * qla2x00_fdmi_register() -
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -2693,7 +2691,7 @@ qla2x00_fdmi_register(scsi_qla_host_t *vha)
+
+ /**
+ * qla2x00_gfpn_id() - SNS Get Fabric Port Name (GFPN_ID) query.
+- * @ha: HA context
++ * @vha: HA context
+ * @list: switch info entries to populate
+ *
+ * Returns 0 on success.
+@@ -2778,7 +2776,7 @@ qla24xx_prep_ct_fm_req(struct ct_sns_pkt *p, uint16_t cmd,
+
+ /**
+ * qla2x00_gpsc() - FCS Get Port Speed Capabilities (GPSC) query.
+- * @ha: HA context
++ * @vha: HA context
+ * @list: switch info entries to populate
+ *
+ * Returns 0 on success.
+@@ -2892,7 +2890,7 @@ qla2x00_gpsc(scsi_qla_host_t *vha, sw_info_t *list)
+ /**
+ * qla2x00_gff_id() - SNS Get FC-4 Features (GFF_ID) query.
+ *
+- * @ha: HA context
++ * @vha: HA context
+ * @list: switch info entries to populate
+ *
+ */
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index 995579ea0f7f..590aa904fdef 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -2046,7 +2046,7 @@ qla2x00_initialize_adapter(scsi_qla_host_t *vha)
+
+ /**
+ * qla2100_pci_config() - Setup ISP21xx PCI configuration registers.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -2077,7 +2077,7 @@ qla2100_pci_config(scsi_qla_host_t *vha)
+
+ /**
+ * qla2300_pci_config() - Setup ISP23xx PCI configuration registers.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -2159,7 +2159,7 @@ qla2300_pci_config(scsi_qla_host_t *vha)
+
+ /**
+ * qla24xx_pci_config() - Setup ISP24xx PCI configuration registers.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -2203,7 +2203,7 @@ qla24xx_pci_config(scsi_qla_host_t *vha)
+
+ /**
+ * qla25xx_pci_config() - Setup ISP25xx PCI configuration registers.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -2234,7 +2234,7 @@ qla25xx_pci_config(scsi_qla_host_t *vha)
+
+ /**
+ * qla2x00_isp_firmware() - Choose firmware image.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -2270,7 +2270,7 @@ qla2x00_isp_firmware(scsi_qla_host_t *vha)
+
+ /**
+ * qla2x00_reset_chip() - Reset ISP chip.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -2414,6 +2414,7 @@ qla2x00_reset_chip(scsi_qla_host_t *vha)
+
+ /**
+ * qla81xx_reset_mpi() - Reset's MPI FW via Write MPI Register MBC.
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -2430,7 +2431,7 @@ qla81xx_reset_mpi(scsi_qla_host_t *vha)
+
+ /**
+ * qla24xx_reset_risc() - Perform full reset of ISP24xx RISC.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -2645,7 +2646,7 @@ qla25xx_manipulate_risc_semaphore(scsi_qla_host_t *vha)
+
+ /**
+ * qla24xx_reset_chip() - Reset ISP24xx chip.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -2669,7 +2670,7 @@ qla24xx_reset_chip(scsi_qla_host_t *vha)
+
+ /**
+ * qla2x00_chip_diag() - Test chip for proper operation.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -2793,7 +2794,7 @@ qla2x00_chip_diag(scsi_qla_host_t *vha)
+
+ /**
+ * qla24xx_chip_diag() - Test ISP24xx for proper operation.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -3261,7 +3262,7 @@ qla24xx_detect_sfp(scsi_qla_host_t *vha)
+
+ /**
+ * qla2x00_setup_chip() - Load and start RISC firmware.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -3416,7 +3417,7 @@ qla2x00_setup_chip(scsi_qla_host_t *vha)
+
+ /**
+ * qla2x00_init_response_q_entries() - Initializes response queue entries.
+- * @ha: HA context
++ * @rsp: response queue
+ *
+ * Beginning of request ring has initialization control block already built
+ * by nvram config routine.
+@@ -3441,7 +3442,7 @@ qla2x00_init_response_q_entries(struct rsp_que *rsp)
+
+ /**
+ * qla2x00_update_fw_options() - Read and process firmware options.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -3704,7 +3705,7 @@ qla24xx_config_rings(struct scsi_qla_host *vha)
+
+ /**
+ * qla2x00_init_rings() - Initializes firmware.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Beginning of request ring has initialization control block already built
+ * by nvram config routine.
+@@ -3812,7 +3813,7 @@ qla2x00_init_rings(scsi_qla_host_t *vha)
+
+ /**
+ * qla2x00_fw_ready() - Waits for firmware ready.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -4480,7 +4481,7 @@ qla2x00_rport_del(void *data)
+
+ /**
+ * qla2x00_alloc_fcport() - Allocate a generic fcport.
+- * @ha: HA context
++ * @vha: HA context
+ * @flags: allocation flags
+ *
+ * Returns a pointer to the allocated fcport, or NULL, if none available.
+diff --git a/drivers/scsi/qla2xxx/qla_inline.h b/drivers/scsi/qla2xxx/qla_inline.h
+index 4d32426393c7..b7a05aebf065 100644
+--- a/drivers/scsi/qla2xxx/qla_inline.h
++++ b/drivers/scsi/qla2xxx/qla_inline.h
+@@ -10,6 +10,7 @@
+ * qla24xx_calc_iocbs() - Determine number of Command Type 3 and
+ * Continuation Type 1 IOCBs to allocate.
+ *
++ * @vha: HA context
+ * @dsds: number of data segment decriptors needed
+ *
+ * Returns the number of IOCB entries needed to store @dsds.
+diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c
+index 1b62e943ec49..e62ccd931853 100644
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -14,7 +14,7 @@
+
+ /**
+ * qla2x00_get_cmd_direction() - Determine control_flag data direction.
+- * @cmd: SCSI command
++ * @sp: SCSI command
+ *
+ * Returns the proper CF_* direction based on CDB.
+ */
+@@ -86,7 +86,7 @@ qla2x00_calc_iocbs_64(uint16_t dsds)
+
+ /**
+ * qla2x00_prep_cont_type0_iocb() - Initialize a Continuation Type 0 IOCB.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns a pointer to the Continuation Type 0 IOCB packet.
+ */
+@@ -114,7 +114,8 @@ qla2x00_prep_cont_type0_iocb(struct scsi_qla_host *vha)
+
+ /**
+ * qla2x00_prep_cont_type1_iocb() - Initialize a Continuation Type 1 IOCB.
+- * @ha: HA context
++ * @vha: HA context
++ * @req: request queue
+ *
+ * Returns a pointer to the continuation type 1 IOCB packet.
+ */
+@@ -445,6 +446,8 @@ qla2x00_start_scsi(srb_t *sp)
+
+ /**
+ * qla2x00_start_iocbs() - Execute the IOCB command
++ * @vha: HA context
++ * @req: request queue
+ */
+ void
+ qla2x00_start_iocbs(struct scsi_qla_host *vha, struct req_que *req)
+@@ -486,7 +489,9 @@ qla2x00_start_iocbs(struct scsi_qla_host *vha, struct req_que *req)
+
+ /**
+ * qla2x00_marker() - Send a marker IOCB to the firmware.
+- * @ha: HA context
++ * @vha: HA context
++ * @req: request queue
++ * @rsp: response queue
+ * @loop_id: loop ID
+ * @lun: LUN
+ * @type: marker modifier
+@@ -1190,6 +1195,8 @@ qla24xx_walk_and_build_prot_sglist(struct qla_hw_data *ha, srb_t *sp,
+ * @sp: SRB command to process
+ * @cmd_pkt: Command type 3 IOCB
+ * @tot_dsds: Total number of segments to transfer
++ * @tot_prot_dsds:
++ * @fw_prot_opts:
+ */
+ inline int
+ qla24xx_build_scsi_crc_2_iocbs(srb_t *sp, struct cmd_type_crc_2 *cmd_pkt,
+diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
+index 14109d86c3f6..16c43bd9bb83 100644
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -259,7 +259,7 @@ qla2300_intr_handler(int irq, void *dev_id)
+
+ /**
+ * qla2x00_mbx_completion() - Process mailbox command completions.
+- * @ha: SCSI driver HA context
++ * @vha: SCSI driver HA context
+ * @mb0: Mailbox0 register
+ */
+ static void
+@@ -612,7 +612,8 @@ qla2x00_find_fcport_by_nportid(scsi_qla_host_t *vha, port_id_t *id,
+
+ /**
+ * qla2x00_async_event() - Process aynchronous events.
+- * @ha: SCSI driver HA context
++ * @vha: SCSI driver HA context
++ * @rsp: response queue
+ * @mb: Mailbox registers (0 - 3)
+ */
+ void
+@@ -1255,7 +1256,8 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb)
+
+ /**
+ * qla2x00_process_completed_request() - Process a Fast Post response.
+- * @ha: SCSI driver HA context
++ * @vha: SCSI driver HA context
++ * @req: request queue
+ * @index: SRB index
+ */
+ void
+@@ -1969,7 +1971,7 @@ static void qla_ctrlvp_completed(scsi_qla_host_t *vha, struct req_que *req,
+
+ /**
+ * qla2x00_process_response_queue() - Process response queue entries.
+- * @ha: SCSI driver HA context
++ * @rsp: response queue
+ */
+ void
+ qla2x00_process_response_queue(struct rsp_que *rsp)
+@@ -2373,7 +2375,8 @@ qla25xx_process_bidir_status_iocb(scsi_qla_host_t *vha, void *pkt,
+
+ /**
+ * qla2x00_status_entry() - Process a Status IOCB entry.
+- * @ha: SCSI driver HA context
++ * @vha: SCSI driver HA context
++ * @rsp: response queue
+ * @pkt: Entry pointer
+ */
+ static void
+@@ -2750,7 +2753,7 @@ qla2x00_status_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, void *pkt)
+
+ /**
+ * qla2x00_status_cont_entry() - Process a Status Continuations entry.
+- * @ha: SCSI driver HA context
++ * @rsp: response queue
+ * @pkt: Entry pointer
+ *
+ * Extended sense data.
+@@ -2808,7 +2811,8 @@ qla2x00_status_cont_entry(struct rsp_que *rsp, sts_cont_entry_t *pkt)
+
+ /**
+ * qla2x00_error_entry() - Process an error entry.
+- * @ha: SCSI driver HA context
++ * @vha: SCSI driver HA context
++ * @rsp: response queue
+ * @pkt: Entry pointer
+ * return : 1=allow further error analysis. 0=no additional error analysis.
+ */
+@@ -2867,7 +2871,7 @@ qla2x00_error_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, sts_entry_t *pkt)
+
+ /**
+ * qla24xx_mbx_completion() - Process mailbox command completions.
+- * @ha: SCSI driver HA context
++ * @vha: SCSI driver HA context
+ * @mb0: Mailbox0 register
+ */
+ static void
+@@ -2935,7 +2939,8 @@ void qla24xx_nvme_ls4_iocb(struct scsi_qla_host *vha,
+
+ /**
+ * qla24xx_process_response_queue() - Process response queue entries.
+- * @ha: SCSI driver HA context
++ * @vha: SCSI driver HA context
++ * @rsp: response queue
+ */
+ void qla24xx_process_response_queue(struct scsi_qla_host *vha,
+ struct rsp_que *rsp)
+diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
+index 7397aeddd96c..41b0ee47c6a1 100644
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -3385,7 +3385,10 @@ qla8044_read_serdes_word(scsi_qla_host_t *vha, uint32_t addr, uint32_t *data)
+
+ /**
+ * qla2x00_set_serdes_params() -
+- * @ha: HA context
++ * @vha: HA context
++ * @sw_em_1g:
++ * @sw_em_2g:
++ * @sw_em_4g:
+ *
+ * Returns
+ */
+diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c
+index d5da3981cefe..7113acf42ff3 100644
+--- a/drivers/scsi/qla2xxx/qla_mr.c
++++ b/drivers/scsi/qla2xxx/qla_mr.c
+@@ -490,7 +490,7 @@ qlafx00_mbx_reg_test(scsi_qla_host_t *vha)
+
+ /**
+ * qlafx00_pci_config() - Setup ISPFx00 PCI configuration registers.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -519,9 +519,9 @@ qlafx00_pci_config(scsi_qla_host_t *vha)
+
+ /**
+ * qlafx00_warm_reset() - Perform warm reset of iSA(CPUs being reset on SOC).
+- * @ha: HA context
++ * @vha: HA context
+ *
+- */
++ */
+ static inline void
+ qlafx00_soc_cpu_reset(scsi_qla_host_t *vha)
+ {
+@@ -625,7 +625,7 @@ qlafx00_soc_cpu_reset(scsi_qla_host_t *vha)
+
+ /**
+ * qlafx00_soft_reset() - Soft Reset ISPFx00.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -644,7 +644,7 @@ qlafx00_soft_reset(scsi_qla_host_t *vha)
+
+ /**
+ * qlafx00_chip_diag() - Test ISPFx00 for proper operation.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -1408,7 +1408,7 @@ qlafx00_abort_isp_cleanup(scsi_qla_host_t *vha, bool critemp)
+
+ /**
+ * qlafx00_init_response_q_entries() - Initializes response queue entries.
+- * @ha: HA context
++ * @rsp: response queue
+ *
+ * Beginning of request ring has initialization control block already built
+ * by nvram config routine.
+@@ -2269,7 +2269,8 @@ qlafx00_ioctl_iosb_entry(scsi_qla_host_t *vha, struct req_que *req,
+
+ /**
+ * qlafx00_status_entry() - Process a Status IOCB entry.
+- * @ha: SCSI driver HA context
++ * @vha: SCSI driver HA context
++ * @rsp: response queue
+ * @pkt: Entry pointer
+ */
+ static void
+@@ -2542,7 +2543,7 @@ qlafx00_status_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, void *pkt)
+
+ /**
+ * qlafx00_status_cont_entry() - Process a Status Continuations entry.
+- * @ha: SCSI driver HA context
++ * @rsp: response queue
+ * @pkt: Entry pointer
+ *
+ * Extended sense data.
+@@ -2620,7 +2621,9 @@ qlafx00_status_cont_entry(struct rsp_que *rsp, sts_cont_entry_t *pkt)
+
+ /**
+ * qlafx00_multistatus_entry() - Process Multi response queue entries.
+- * @ha: SCSI driver HA context
++ * @vha: SCSI driver HA context
++ * @rsp: response queue
++ * @pkt:
+ */
+ static void
+ qlafx00_multistatus_entry(struct scsi_qla_host *vha,
+@@ -2674,8 +2677,11 @@ qlafx00_multistatus_entry(struct scsi_qla_host *vha,
+
+ /**
+ * qlafx00_error_entry() - Process an error entry.
+- * @ha: SCSI driver HA context
++ * @vha: SCSI driver HA context
++ * @rsp: response queue
+ * @pkt: Entry pointer
++ * @estatus:
++ * @etype:
+ */
+ static void
+ qlafx00_error_entry(scsi_qla_host_t *vha, struct rsp_que *rsp,
+@@ -2705,7 +2711,8 @@ qlafx00_error_entry(scsi_qla_host_t *vha, struct rsp_que *rsp,
+
+ /**
+ * qlafx00_process_response_queue() - Process response queue entries.
+- * @ha: SCSI driver HA context
++ * @vha: SCSI driver HA context
++ * @rsp: response queue
+ */
+ static void
+ qlafx00_process_response_queue(struct scsi_qla_host *vha,
+@@ -2781,7 +2788,7 @@ qlafx00_process_response_queue(struct scsi_qla_host *vha,
+
+ /**
+ * qlafx00_async_event() - Process aynchronous events.
+- * @ha: SCSI driver HA context
++ * @vha: SCSI driver HA context
+ */
+ static void
+ qlafx00_async_event(scsi_qla_host_t *vha)
+@@ -2857,10 +2864,9 @@ qlafx00_async_event(scsi_qla_host_t *vha)
+ }
+
+ /**
+- *
+ * qlafx00x_mbx_completion() - Process mailbox command completions.
+- * @ha: SCSI driver HA context
+- * @mb16: Mailbox16 register
++ * @vha: SCSI driver HA context
++ * @mb0:
+ */
+ static void
+ qlafx00_mbx_completion(scsi_qla_host_t *vha, uint32_t mb0)
+diff --git a/drivers/scsi/qla2xxx/qla_nx.c b/drivers/scsi/qla2xxx/qla_nx.c
+index a77c33987703..872d66dd79cd 100644
+--- a/drivers/scsi/qla2xxx/qla_nx.c
++++ b/drivers/scsi/qla2xxx/qla_nx.c
+@@ -1732,7 +1732,7 @@ qla82xx_iospace_config(struct qla_hw_data *ha)
+
+ /**
+ * qla82xx_pci_config() - Setup ISP82xx PCI configuration registers.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -1753,7 +1753,7 @@ qla82xx_pci_config(scsi_qla_host_t *vha)
+
+ /**
+ * qla82xx_reset_chip() - Setup ISP82xx PCI configuration registers.
+- * @ha: HA context
++ * @vha: HA context
+ *
+ * Returns 0 on success.
+ */
+@@ -2008,11 +2008,10 @@ qla82xx_mbx_completion(scsi_qla_host_t *vha, uint16_t mb0)
+ "MBX pointer ERROR.\n");
+ }
+
+-/*
++/**
+ * qla82xx_intr_handler() - Process interrupts for the ISP23xx and ISP63xx.
+ * @irq:
+ * @dev_id: SCSI driver HA context
+- * @regs:
+ *
+ * Called by system whenever the host adapter generates an interrupt.
+ *
+diff --git a/drivers/scsi/qla2xxx/qla_nx2.c b/drivers/scsi/qla2xxx/qla_nx2.c
+index 525ac35a757b..3a2b0282df14 100644
+--- a/drivers/scsi/qla2xxx/qla_nx2.c
++++ b/drivers/scsi/qla2xxx/qla_nx2.c
+@@ -280,9 +280,8 @@ qla8044_clear_qsnt_ready(struct scsi_qla_host *vha)
+ }
+
+ /**
+- *
+ * qla8044_lock_recovery - Recovers the idc_lock.
+- * @ha : Pointer to adapter structure
++ * @vha : Pointer to adapter structure
+ *
+ * Lock Recovery Register
+ * 5-2 Lock recovery owner: Function ID of driver doing lock recovery,
+@@ -1639,10 +1638,10 @@ qla8044_set_rst_ready(struct scsi_qla_host *vha)
+
+ /**
+ * qla8044_need_reset_handler - Code to start reset sequence
+- * @ha: pointer to adapter structure
++ * @vha: pointer to adapter structure
+ *
+ * Note: IDC lock must be held upon entry
+- **/
++ */
+ static void
+ qla8044_need_reset_handler(struct scsi_qla_host *vha)
+ {
+@@ -1859,8 +1858,8 @@ qla8044_update_idc_reg(struct scsi_qla_host *vha)
+
+ /**
+ * qla8044_need_qsnt_handler - Code to start qsnt
+- * @ha: pointer to adapter structure
+- **/
++ * @vha: pointer to adapter structure
++ */
+ static void
+ qla8044_need_qsnt_handler(struct scsi_qla_host *vha)
+ {
+@@ -2031,10 +2030,10 @@ qla8044_device_state_handler(struct scsi_qla_host *vha)
+
+ /**
+ * qla4_8xxx_check_temp - Check the ISP82XX temperature.
+- * @ha: adapter block pointer.
++ * @vha: adapter block pointer.
+ *
+ * Note: The caller should not hold the idc lock.
+- **/
++ */
+ static int
+ qla8044_check_temp(struct scsi_qla_host *vha)
+ {
+@@ -2071,10 +2070,10 @@ int qla8044_read_temperature(scsi_qla_host_t *vha)
+
+ /**
+ * qla8044_check_fw_alive - Check firmware health
+- * @ha: Pointer to host adapter structure.
++ * @vha: Pointer to host adapter structure.
+ *
+ * Context: Interrupt
+- **/
++ */
+ int
+ qla8044_check_fw_alive(struct scsi_qla_host *vha)
+ {
+diff --git a/drivers/scsi/qla2xxx/qla_sup.c b/drivers/scsi/qla2xxx/qla_sup.c
+index d2db86ea06b2..04458eb19d38 100644
+--- a/drivers/scsi/qla2xxx/qla_sup.c
++++ b/drivers/scsi/qla2xxx/qla_sup.c
+@@ -2226,6 +2226,7 @@ qla2x00_erase_flash_sector(struct qla_hw_data *ha, uint32_t addr,
+
+ /**
+ * qla2x00_get_flash_manufacturer() - Read manufacturer ID from flash chip.
++ * @ha:
+ * @man_id: Flash manufacturer ID
+ * @flash_id: Flash ID
+ */
+diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
+index fc89af8fe256..3735ebd83012 100644
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -6299,10 +6299,11 @@ static void qlt_lport_dump(struct scsi_qla_host *vha, u64 wwpn,
+ /**
+ * qla_tgt_lport_register - register lport with external module
+ *
+- * @qla_tgt_ops: Pointer for tcm_qla2xxx qla_tgt_ops
+- * @wwpn: Passwd FC target WWPN
+- * @callback: lport initialization callback for tcm_qla2xxx code
+ * @target_lport_ptr: pointer for tcm_qla2xxx specific lport data
++ * @phys_wwpn:
++ * @npiv_wwpn:
++ * @npiv_wwnn:
++ * @callback: lport initialization callback for tcm_qla2xxx code
+ */
+ int qlt_lport_register(void *target_lport_ptr, u64 phys_wwpn,
+ u64 npiv_wwpn, u64 npiv_wwnn,
+--
+2.12.3
+
diff --git a/patches.drivers/scsi-qla2xxx-Fix-small-memory-leak-in-qla2x00_probe_.patch b/patches.drivers/scsi-qla2xxx-Fix-small-memory-leak-in-qla2x00_probe_.patch
index 22bc78f1b0..c6a1f6acd7 100644
--- a/patches.drivers/scsi-qla2xxx-Fix-small-memory-leak-in-qla2x00_probe_.patch
+++ b/patches.drivers/scsi-qla2xxx-Fix-small-memory-leak-in-qla2x00_probe_.patch
@@ -151,7 +151,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
- return;
-
if (IS_QLAFX00(ha)) {
- if (rsp && rsp->ring)
+ if (rsp && rsp->ring_fx00)
dma_free_coherent(&ha->pdev->dev,
@@ -507,8 +501,7 @@ static void qla2x00_free_rsp_que(struct
(rsp->length + 1) * sizeof(response_t),
diff --git a/patches.drivers/scsi-qla2xxx-Improve-several-kernel-doc-headers.patch b/patches.drivers/scsi-qla2xxx-Improve-several-kernel-doc-headers.patch
new file mode 100644
index 0000000000..ce1ced2add
--- /dev/null
+++ b/patches.drivers/scsi-qla2xxx-Improve-several-kernel-doc-headers.patch
@@ -0,0 +1,179 @@
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Thu, 18 Oct 2018 15:45:41 -0700
+Subject: [PATCH] scsi: qla2xxx: Improve several kernel-doc headers
+Git-commit: 807eb90703e78c0fb853d8e5b90c9947d7a95cba
+Patch-mainline: v4.20-rc1
+References: bsc#1137444
+
+This patch avoids that complaints about kernel-doc headers are reported
+when building with W=1.
+
+Cc: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_iocb.c | 4 ++--
+ drivers/scsi/qla2xxx/qla_isr.c | 6 +++---
+ drivers/scsi/qla2xxx/qla_mbx.c | 6 +++---
+ drivers/scsi/qla2xxx/qla_mr.c | 6 +++---
+ drivers/scsi/qla2xxx/qla_nx.c | 2 +-
+ drivers/scsi/qla2xxx/qla_nx2.c | 2 +-
+ drivers/scsi/qla2xxx/qla_sup.c | 2 +-
+ drivers/scsi/qla2xxx/qla_target.c | 6 +++---
+ 8 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c
+index 86fb8b21aa71..032635321ad6 100644
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -1195,8 +1195,8 @@ qla24xx_walk_and_build_prot_sglist(struct qla_hw_data *ha, srb_t *sp,
+ * @sp: SRB command to process
+ * @cmd_pkt: Command type 3 IOCB
+ * @tot_dsds: Total number of segments to transfer
+- * @tot_prot_dsds:
+- * @fw_prot_opts:
++ * @tot_prot_dsds: Total number of segments with protection information
++ * @fw_prot_opts: Protection options to be passed to firmware
+ */
+ inline int
+ qla24xx_build_scsi_crc_2_iocbs(srb_t *sp, struct cmd_type_crc_2 *cmd_pkt,
+diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
+index d73b04e40590..30d3090842f8 100644
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -25,7 +25,7 @@ static int qla2x00_error_entry(scsi_qla_host_t *, struct rsp_que *,
+
+ /**
+ * qla2100_intr_handler() - Process interrupts for the ISP2100 and ISP2200.
+- * @irq:
++ * @irq: interrupt number
+ * @dev_id: SCSI driver HA context
+ *
+ * Called by system whenever the host adapter generates an interrupt.
+@@ -144,7 +144,7 @@ qla2x00_check_reg16_for_disconnect(scsi_qla_host_t *vha, uint16_t reg)
+
+ /**
+ * qla2300_intr_handler() - Process interrupts for the ISP23xx and ISP63xx.
+- * @irq:
++ * @irq: interrupt number
+ * @dev_id: SCSI driver HA context
+ *
+ * Called by system whenever the host adapter generates an interrupt.
+@@ -3109,7 +3109,7 @@ qla2xxx_check_risc_status(scsi_qla_host_t *vha)
+
+ /**
+ * qla24xx_intr_handler() - Process interrupts for the ISP23xx and ISP24xx.
+- * @irq:
++ * @irq: interrupt number
+ * @dev_id: SCSI driver HA context
+ *
+ * Called by system whenever the host adapter generates an interrupt.
+diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
+index 2f3e5075ae76..191b6b7c8747 100644
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -3478,9 +3478,9 @@ qla8044_read_serdes_word(scsi_qla_host_t *vha, uint32_t addr, uint32_t *data)
+ /**
+ * qla2x00_set_serdes_params() -
+ * @vha: HA context
+- * @sw_em_1g:
+- * @sw_em_2g:
+- * @sw_em_4g:
++ * @sw_em_1g: serial link options
++ * @sw_em_2g: serial link options
++ * @sw_em_4g: serial link options
+ *
+ * Returns
+ */
+diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c
+index 521a51370554..2d96f3b7e3e3 100644
+--- a/drivers/scsi/qla2xxx/qla_mr.c
++++ b/drivers/scsi/qla2xxx/qla_mr.c
+@@ -2624,7 +2624,7 @@ qlafx00_status_cont_entry(struct rsp_que *rsp, sts_cont_entry_t *pkt)
+ * qlafx00_multistatus_entry() - Process Multi response queue entries.
+ * @vha: SCSI driver HA context
+ * @rsp: response queue
+- * @pkt:
++ * @pkt: received packet
+ */
+ static void
+ qlafx00_multistatus_entry(struct scsi_qla_host *vha,
+@@ -2867,7 +2867,7 @@ qlafx00_async_event(scsi_qla_host_t *vha)
+ /**
+ * qlafx00x_mbx_completion() - Process mailbox command completions.
+ * @vha: SCSI driver HA context
+- * @mb0:
++ * @mb0: value to be written into mailbox register 0
+ */
+ static void
+ qlafx00_mbx_completion(scsi_qla_host_t *vha, uint32_t mb0)
+@@ -2893,7 +2893,7 @@ qlafx00_mbx_completion(scsi_qla_host_t *vha, uint32_t mb0)
+
+ /**
+ * qlafx00_intr_handler() - Process interrupts for the ISPFX00.
+- * @irq:
++ * @irq: interrupt number
+ * @dev_id: SCSI driver HA context
+ *
+ * Called by system whenever the host adapter generates an interrupt.
+diff --git a/drivers/scsi/qla2xxx/qla_nx.c b/drivers/scsi/qla2xxx/qla_nx.c
+index 121e18b3b9f8..f2f54806f4da 100644
+--- a/drivers/scsi/qla2xxx/qla_nx.c
++++ b/drivers/scsi/qla2xxx/qla_nx.c
+@@ -2010,7 +2010,7 @@ qla82xx_mbx_completion(scsi_qla_host_t *vha, uint16_t mb0)
+
+ /**
+ * qla82xx_intr_handler() - Process interrupts for the ISP23xx and ISP63xx.
+- * @irq:
++ * @irq: interrupt number
+ * @dev_id: SCSI driver HA context
+ *
+ * Called by system whenever the host adapter generates an interrupt.
+diff --git a/drivers/scsi/qla2xxx/qla_nx2.c b/drivers/scsi/qla2xxx/qla_nx2.c
+index 3a2b0282df14..fe856b602e03 100644
+--- a/drivers/scsi/qla2xxx/qla_nx2.c
++++ b/drivers/scsi/qla2xxx/qla_nx2.c
+@@ -3878,7 +3878,7 @@ qla8044_write_optrom_data(struct scsi_qla_host *vha, uint8_t *buf,
+ #define PF_BITS_MASK (0xF << 16)
+ /**
+ * qla8044_intr_handler() - Process interrupts for the ISP8044
+- * @irq:
++ * @irq: interrupt number
+ * @dev_id: SCSI driver HA context
+ *
+ * Called by system whenever the host adapter generates an interrupt.
+diff --git a/drivers/scsi/qla2xxx/qla_sup.c b/drivers/scsi/qla2xxx/qla_sup.c
+index 4499c787165f..2a3055c799fb 100644
+--- a/drivers/scsi/qla2xxx/qla_sup.c
++++ b/drivers/scsi/qla2xxx/qla_sup.c
+@@ -2229,7 +2229,7 @@ qla2x00_erase_flash_sector(struct qla_hw_data *ha, uint32_t addr,
+
+ /**
+ * qla2x00_get_flash_manufacturer() - Read manufacturer ID from flash chip.
+- * @ha:
++ * @ha: host adapter
+ * @man_id: Flash manufacturer ID
+ * @flash_id: Flash ID
+ */
+diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
+index 78dfece2e89d..c4504740f0e2 100644
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -6598,9 +6598,9 @@ static void qlt_lport_dump(struct scsi_qla_host *vha, u64 wwpn,
+ * qla_tgt_lport_register - register lport with external module
+ *
+ * @target_lport_ptr: pointer for tcm_qla2xxx specific lport data
+- * @phys_wwpn:
+- * @npiv_wwpn:
+- * @npiv_wwnn:
++ * @phys_wwpn: physical port WWPN
++ * @npiv_wwpn: NPIV WWPN
++ * @npiv_wwnn: NPIV WWNN
+ * @callback: lport initialization callback for tcm_qla2xxx code
+ */
+ int qlt_lport_register(void *target_lport_ptr, u64 phys_wwpn,
+--
+2.16.4
+
diff --git a/patches.drivers/scsi-qla2xxx-Introduce-a-switch-case-statement-in-ql.patch b/patches.drivers/scsi-qla2xxx-Introduce-a-switch-case-statement-in-ql.patch
new file mode 100644
index 0000000000..5e555b21c2
--- /dev/null
+++ b/patches.drivers/scsi-qla2xxx-Introduce-a-switch-case-statement-in-ql.patch
@@ -0,0 +1,54 @@
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Tue, 27 Nov 2018 15:04:54 -0800
+Subject: [PATCH] scsi: qla2xxx: Introduce a switch/case statement in
+ qlt_xmit_tm_rsp()
+Git-commit: 8837aa8bc093b29bd52ba55f98ad206d5418d240
+Patch-mainline: v5.0-rc1
+References: bsc#1137444
+
+This patch improves code readability but does not change any functionality.
+
+Cc: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_target.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
+index bceb8e882e7f..510337eac106 100644
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -2379,20 +2379,20 @@ void qlt_xmit_tm_rsp(struct qla_tgt_mgmt_cmd *mcmd)
+ }
+
+ if (mcmd->flags == QLA24XX_MGMT_SEND_NACK) {
+- if (mcmd->orig_iocb.imm_ntfy.u.isp24.status_subcode ==
+- ELS_LOGO ||
+- mcmd->orig_iocb.imm_ntfy.u.isp24.status_subcode ==
+- ELS_PRLO ||
+- mcmd->orig_iocb.imm_ntfy.u.isp24.status_subcode ==
+- ELS_TPRLO) {
++ switch (mcmd->orig_iocb.imm_ntfy.u.isp24.status_subcode) {
++ case ELS_LOGO:
++ case ELS_PRLO:
++ case ELS_TPRLO:
+ ql_dbg(ql_dbg_disc, vha, 0x2106,
+ "TM response logo %phC status %#x state %#x",
+ mcmd->sess->port_name, mcmd->fc_tm_rsp,
+ mcmd->flags);
+ qlt_schedule_sess_for_deletion(mcmd->sess);
+- } else {
++ break;
++ default:
+ qlt_send_notify_ack(vha->hw->base_qpair,
+ &mcmd->orig_iocb.imm_ntfy, 0, 0, 0, 0, 0, 0);
++ break;
+ }
+ } else {
+ if (mcmd->orig_iocb.atio.u.raw.entry_type == ABTS_RECV_24XX) {
+--
+2.16.4
+
diff --git a/patches.drivers/scsi-qla2xxx-Make-qla2x00_sysfs_write_nvram-easier-t.patch b/patches.drivers/scsi-qla2xxx-Make-qla2x00_sysfs_write_nvram-easier-t.patch
new file mode 100644
index 0000000000..f177f76606
--- /dev/null
+++ b/patches.drivers/scsi-qla2xxx-Make-qla2x00_sysfs_write_nvram-easier-t.patch
@@ -0,0 +1,36 @@
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Thu, 18 Oct 2018 15:45:43 -0700
+Subject: [PATCH] scsi: qla2xxx: Make qla2x00_sysfs_write_nvram() easier to
+ analyze
+Git-commit: 109a5987d9ead316523647d6310d609dc95bdaa2
+Patch-mainline: v4.20-rc1
+References: bsc#1137444
+
+Modify the unlock statement such that it becomes easier for static
+analyzers to analyze it. This patch does not change any functionality.
+
+Cc: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
+index b28f159fdaee..0bb9ac6ece92 100644
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -218,7 +218,7 @@ qla2x00_sysfs_write_nvram(struct file *filp, struct kobject *kobj,
+
+ mutex_lock(&ha->optrom_mutex);
+ if (qla2x00_chip_is_down(vha)) {
+- mutex_unlock(&vha->hw->optrom_mutex);
++ mutex_unlock(&ha->optrom_mutex);
+ return -EAGAIN;
+ }
+
+--
+2.16.4
+
diff --git a/patches.drivers/scsi-qla2xxx-Make-sure-that-qlafx00_ioctl_iosb_entry.patch b/patches.drivers/scsi-qla2xxx-Make-sure-that-qlafx00_ioctl_iosb_entry.patch
new file mode 100644
index 0000000000..7ed6986903
--- /dev/null
+++ b/patches.drivers/scsi-qla2xxx-Make-sure-that-qlafx00_ioctl_iosb_entry.patch
@@ -0,0 +1,37 @@
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Thu, 18 Oct 2018 15:45:45 -0700
+Subject: [PATCH] scsi: qla2xxx: Make sure that qlafx00_ioctl_iosb_entry()
+ initializes 'res'
+Git-commit: 5b0af4777b1bf397787f03336f0db34f185ca565
+Patch-mainline: v4.20-rc1
+References: bsc#1137444
+
+Only one of the two code paths in qlafx00_ioctl_iosb_entry() initializes
+the variable 'res'. Make sure that 'res' is initialized before
+sp->done(sp, res) is called.
+
+Cc: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_mr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c
+index 2d96f3b7e3e3..b8f967e61891 100644
+--- a/drivers/scsi/qla2xxx/qla_mr.c
++++ b/drivers/scsi/qla2xxx/qla_mr.c
+@@ -2212,7 +2212,7 @@ qlafx00_ioctl_iosb_entry(scsi_qla_host_t *vha, struct req_que *req,
+ struct bsg_job *bsg_job;
+ struct fc_bsg_reply *bsg_reply;
+ struct srb_iocb *iocb_job;
+- int res;
++ int res = 0;
+ struct qla_mt_iocb_rsp_fx00 fstatus;
+ uint8_t *fw_sts_ptr;
+
+--
+2.16.4
+
diff --git a/patches.drivers/scsi-qla2xxx-NULL-check-before-some-freeing-function.patch b/patches.drivers/scsi-qla2xxx-NULL-check-before-some-freeing-function.patch
new file mode 100644
index 0000000000..9faa6b6b1b
--- /dev/null
+++ b/patches.drivers/scsi-qla2xxx-NULL-check-before-some-freeing-function.patch
@@ -0,0 +1,88 @@
+From: Thomas Meyer <thomas@m3y3r.de>
+Date: Sun, 2 Dec 2018 21:52:11 +0100
+Subject: [PATCH] scsi: qla2xxx: NULL check before some freeing functions is
+ not needed
+Git-commit: 75c1d48a338bdf3ce850166be527598017e0ebca
+Patch-mainline: v5.0-rc1
+References: bsc#1137444
+
+NULL check before some freeing functions is not needed.
+
+Signed-off-by: Thomas Meyer <thomas@m3y3r.de>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 24 ++++++++----------------
+ 1 file changed, 8 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index 4a75e0572121..643cd7c0efc1 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -4183,12 +4183,10 @@ qla2x00_mem_alloc(struct qla_hw_data *ha, uint16_t req_len, uint16_t rsp_len,
+ kfree(ha->nvram);
+ ha->nvram = NULL;
+ fail_free_ctx_mempool:
+- if (ha->ctx_mempool)
+- mempool_destroy(ha->ctx_mempool);
++ mempool_destroy(ha->ctx_mempool);
+ ha->ctx_mempool = NULL;
+ fail_free_srb_mempool:
+- if (ha->srb_mempool)
+- mempool_destroy(ha->srb_mempool);
++ mempool_destroy(ha->srb_mempool);
+ ha->srb_mempool = NULL;
+ fail_free_gid_list:
+ dma_free_coherent(&ha->pdev->dev, qla2x00_gid_list_size(ha),
+@@ -4490,8 +4488,7 @@ qla2x00_mem_free(struct qla_hw_data *ha)
+ dma_free_coherent(&ha->pdev->dev, MCTP_DUMP_SIZE, ha->mctp_dump,
+ ha->mctp_dump_dma);
+
+- if (ha->srb_mempool)
+- mempool_destroy(ha->srb_mempool);
++ mempool_destroy(ha->srb_mempool);
+
+ if (ha->dcbx_tlv)
+ dma_free_coherent(&ha->pdev->dev, DCBX_TLV_DATA_SIZE,
+@@ -4523,8 +4520,7 @@ qla2x00_mem_free(struct qla_hw_data *ha)
+ if (ha->async_pd)
+ dma_pool_free(ha->s_dma_pool, ha->async_pd, ha->async_pd_dma);
+
+- if (ha->s_dma_pool)
+- dma_pool_destroy(ha->s_dma_pool);
++ dma_pool_destroy(ha->s_dma_pool);
+
+ if (ha->gid_list)
+ dma_free_coherent(&ha->pdev->dev, qla2x00_gid_list_size(ha),
+@@ -4545,14 +4541,11 @@ qla2x00_mem_free(struct qla_hw_data *ha)
+ }
+ }
+
+- if (ha->dl_dma_pool)
+- dma_pool_destroy(ha->dl_dma_pool);
++ dma_pool_destroy(ha->dl_dma_pool);
+
+- if (ha->fcp_cmnd_dma_pool)
+- dma_pool_destroy(ha->fcp_cmnd_dma_pool);
++ dma_pool_destroy(ha->fcp_cmnd_dma_pool);
+
+- if (ha->ctx_mempool)
+- mempool_destroy(ha->ctx_mempool);
++ mempool_destroy(ha->ctx_mempool);
+
+ qlt_mem_free(ha);
+
+@@ -7098,8 +7091,7 @@ qla2x00_module_exit(void)
+ qla2x00_release_firmware();
+ kmem_cache_destroy(srb_cachep);
+ qlt_exit();
+- if (ctx_cachep)
+- kmem_cache_destroy(ctx_cachep);
++ kmem_cache_destroy(ctx_cachep);
+ fc_release_transport(qla2xxx_transport_template);
+ fc_release_transport(qla2xxx_transport_vport_template);
+ }
+--
+2.16.4
+
diff --git a/patches.drivers/scsi-qla2xxx-Remove-a-set-but-not-used-variable.patch b/patches.drivers/scsi-qla2xxx-Remove-a-set-but-not-used-variable.patch
new file mode 100644
index 0000000000..b01af0c612
--- /dev/null
+++ b/patches.drivers/scsi-qla2xxx-Remove-a-set-but-not-used-variable.patch
@@ -0,0 +1,45 @@
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Thu, 18 Oct 2018 15:45:44 -0700
+Subject: [PATCH] scsi: qla2xxx: Remove a set-but-not-used variable
+Git-commit: eb023220f4eac1703e22e48ed62310a6565b3a1f
+Patch-mainline: v4.20-rc1
+References: bsc#1137444
+
+This patch does not change any functionality.
+
+Cc: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index dba672f87cb2..01607d2f2c34 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -1749,7 +1749,7 @@ qla2x00_loop_reset(scsi_qla_host_t *vha)
+ static void
+ __qla2x00_abort_all_cmds(struct qla_qpair *qp, int res)
+ {
+- int cnt, status;
++ int cnt;
+ unsigned long flags;
+ srb_t *sp;
+ scsi_qla_host_t *vha = qp->vha;
+@@ -1799,8 +1799,8 @@ __qla2x00_abort_all_cmds(struct qla_qpair *qp, int res)
+ if (!sp_get(sp)) {
+ spin_unlock_irqrestore
+ (qp->qp_lock_ptr, flags);
+- status = qla2xxx_eh_abort(
+- GET_CMD_SP(sp));
++ qla2xxx_eh_abort(
++ GET_CMD_SP(sp));
+ spin_lock_irqsave
+ (qp->qp_lock_ptr, flags);
+ }
+--
+2.16.4
+
diff --git a/patches.drivers/scsi-qla2xxx-Remove-two-arguments-from-qlafx00_error.patch b/patches.drivers/scsi-qla2xxx-Remove-two-arguments-from-qlafx00_error.patch
new file mode 100644
index 0000000000..9b8d879774
--- /dev/null
+++ b/patches.drivers/scsi-qla2xxx-Remove-two-arguments-from-qlafx00_error.patch
@@ -0,0 +1,66 @@
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Thu, 18 Oct 2018 15:45:46 -0700
+Subject: [PATCH] scsi: qla2xxx: Remove two arguments from
+ qlafx00_error_entry()
+Git-commit: 2c309aeed62c25661eb2c7d4e4510613a1c7ffc2
+Patch-mainline: v4.20-rc1
+References: bsc#1137444
+
+Move a debug statement from qlafx00_error_entry() into its caller. Remove
+one unused argument from that function. This patch does not change the
+behavior of the qla2xxx driver.
+
+Cc: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_mr.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c
+index b8f967e61891..60f964c53c01 100644
+--- a/drivers/scsi/qla2xxx/qla_mr.c
++++ b/drivers/scsi/qla2xxx/qla_mr.c
+@@ -2681,12 +2681,10 @@ qlafx00_multistatus_entry(struct scsi_qla_host *vha,
+ * @vha: SCSI driver HA context
+ * @rsp: response queue
+ * @pkt: Entry pointer
+- * @estatus:
+- * @etype:
+ */
+ static void
+ qlafx00_error_entry(scsi_qla_host_t *vha, struct rsp_que *rsp,
+- struct sts_entry_fx00 *pkt, uint8_t estatus, uint8_t etype)
++ struct sts_entry_fx00 *pkt)
+ {
+ srb_t *sp;
+ struct qla_hw_data *ha = vha->hw;
+@@ -2695,9 +2693,6 @@ qlafx00_error_entry(scsi_qla_host_t *vha, struct rsp_que *rsp,
+ struct req_que *req = NULL;
+ int res = DID_ERROR << 16;
+
+- ql_dbg(ql_dbg_async, vha, 0x507f,
+- "type of error status in response: 0x%x\n", estatus);
+-
+ req = ha->req_q_map[que];
+
+ sp = qla2x00_get_sp_from_handle(vha, func, req, pkt);
+@@ -2745,9 +2740,11 @@ qlafx00_process_response_queue(struct scsi_qla_host *vha,
+
+ if (pkt->entry_status != 0 &&
+ pkt->entry_type != IOCTL_IOSB_TYPE_FX00) {
++ ql_dbg(ql_dbg_async, vha, 0x507f,
++ "type of error status in response: 0x%x\n",
++ pkt->entry_status);
+ qlafx00_error_entry(vha, rsp,
+- (struct sts_entry_fx00 *)pkt, pkt->entry_status,
+- pkt->entry_type);
++ (struct sts_entry_fx00 *)pkt);
+ continue;
+ }
+
+--
+2.16.4
+
diff --git a/patches.drivers/scsi-qla2xxx-Remove-unused-symbols.patch b/patches.drivers/scsi-qla2xxx-Remove-unused-symbols.patch
new file mode 100644
index 0000000000..78b58eb045
--- /dev/null
+++ b/patches.drivers/scsi-qla2xxx-Remove-unused-symbols.patch
@@ -0,0 +1,36 @@
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Tue, 23 Jan 2018 16:33:48 -0800
+Subject: [PATCH] scsi: qla2xxx: Remove unused symbols
+Git-commit: 7843327a236c4cf103a8b1d5da2b27e7bace0260
+Patch-mainline: v4.17-rc1
+References: bsc#1118139
+
+Remove a few preprocessor macros that are not used anywhere.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Himanshu Madhani <himanshu.madhani@cavium.com>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_nx2.h | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_nx2.h b/drivers/scsi/qla2xxx/qla_nx2.h
+index 83c1b7e17c80..8ba7c1db07c3 100644
+--- a/drivers/scsi/qla2xxx/qla_nx2.h
++++ b/drivers/scsi/qla2xxx/qla_nx2.h
+@@ -23,10 +23,6 @@
+ #define MD_MIU_TEST_AGT_WRDATA_HI 0x410000A4
+ #define MD_MIU_TEST_AGT_WRDATA_ULO 0x410000B0
+ #define MD_MIU_TEST_AGT_WRDATA_UHI 0x410000B4
+-#define MD_MIU_TEST_AGT_RDDATA_LO 0x410000A8
+-#define MD_MIU_TEST_AGT_RDDATA_HI 0x410000AC
+-#define MD_MIU_TEST_AGT_RDDATA_ULO 0x410000B8
+-#define MD_MIU_TEST_AGT_RDDATA_UHI 0x410000BC
+
+ /* MIU_TEST_AGT_CTRL flags. work for SIU as well */
+ #define MIU_TA_CTL_WRITE_ENABLE (MIU_TA_CTL_WRITE | MIU_TA_CTL_ENABLE)
+--
+2.12.3
+
diff --git a/patches.drivers/scsi-qla2xxx-Split-the-__qla2x00_abort_all_cmds-func.patch b/patches.drivers/scsi-qla2xxx-Split-the-__qla2x00_abort_all_cmds-func.patch
new file mode 100644
index 0000000000..c7855fe074
--- /dev/null
+++ b/patches.drivers/scsi-qla2xxx-Split-the-__qla2x00_abort_all_cmds-func.patch
@@ -0,0 +1,128 @@
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Thu, 29 Nov 2018 10:25:11 -0800
+Subject: [PATCH] scsi: qla2xxx: Split the __qla2x00_abort_all_cmds() function
+Git-commit: c4e521b654e15e372a6429e269e7e907b4698224
+Patch-mainline: v5.0-rc1
+References: bsc#1137444
+
+Nesting in __qla2x00_abort_all_cmds() is way too deep. Reduce the nesting
+level by introducing a helper function. This patch does not change any
+functionality.
+
+[hare: resolved merge conflict manually]
+
+Reviewed-by: Laurence Oberman <loberman@redhat.com>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 82 +++++++++++++++++++------------------------
+ 1 file changed, 37 insertions(+), 45 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index b658b9a5eb1e..5f78f14e84db 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -1746,10 +1746,45 @@ qla2x00_loop_reset(scsi_qla_host_t *vha)
+ return QLA_SUCCESS;
+ }
+
++static void qla2x00_abort_srb(struct qla_qpair *qp, srb_t *sp, const int res,
++ unsigned long *flags)
++ __releases(qp->qp_lock_ptr)
++ __acquires(qp->qp_lock_ptr)
++{
++ scsi_qla_host_t *vha = qp->vha;
++ struct qla_hw_data *ha = vha->hw;
++
++ if (sp->type == SRB_NVME_CMD || sp->type == SRB_NVME_LS) {
++ if (!sp_get(sp)) {
++ /* got sp */
++ spin_unlock_irqrestore(qp->qp_lock_ptr, *flags);
++ qla_nvme_abort(ha, sp, res);
++ spin_lock_irqsave(qp->qp_lock_ptr, *flags);
++ }
++ } else if (GET_CMD_SP(sp) && !ha->flags.eeh_busy &&
++ !test_bit(ABORT_ISP_ACTIVE, &vha->dpc_flags) &&
++ !qla2x00_isp_reg_stat(ha) && sp->type == SRB_SCSI_CMD) {
++ /*
++ * Don't abort commands in adapter during EEH recovery as it's
++ * not accessible/responding.
++ *
++ * Get a reference to the sp and drop the lock. The reference
++ * ensures this sp->done() call and not the call in
++ * qla2xxx_eh_abort() ends the SCSI cmd (with result 'res').
++ */
++ if (!sp_get(sp)) {
++ spin_unlock_irqrestore(qp->qp_lock_ptr, *flags);
++ qla2xxx_eh_abort(GET_CMD_SP(sp));
++ spin_lock_irqsave(qp->qp_lock_ptr, *flags);
++ }
++ }
++ sp->done(sp, res);
++}
++
+ static void
+ __qla2x00_abort_all_cmds(struct qla_qpair *qp, int res)
+ {
+- int cnt, status;
++ int cnt;
+ unsigned long flags;
+ srb_t *sp;
+ scsi_qla_host_t *vha = qp->vha;
+@@ -1768,50 +1803,7 @@ __qla2x00_abort_all_cmds(struct qla_qpair *qp, int res)
+ req->outstanding_cmds[cnt] = NULL;
+ switch (sp->cmd_type) {
+ case TYPE_SRB:
+- if (sp->type == SRB_NVME_CMD ||
+- sp->type == SRB_NVME_LS) {
+- if (!sp_get(sp)) {
+- /* got sp */
+- spin_unlock_irqrestore
+- (qp->qp_lock_ptr,
+- flags);
+- qla_nvme_abort(ha, sp, res);
+- spin_lock_irqsave
+- (qp->qp_lock_ptr, flags);
+- }
+- } else if (GET_CMD_SP(sp) &&
+- !ha->flags.eeh_busy &&
+- (!test_bit(ABORT_ISP_ACTIVE,
+- &vha->dpc_flags)) &&
+- !qla2x00_isp_reg_stat(ha) &&
+- (sp->type == SRB_SCSI_CMD)) {
+- /*
+- * Don't abort commands in adapter
+- * during EEH recovery as it's not
+- * accessible/responding.
+- *
+- * Get a reference to the sp and drop
+- * the lock. The reference ensures this
+- * sp->done() call and not the call in
+- * qla2xxx_eh_abort() ends the SCSI cmd
+- * (with result 'res').
+- */
+- if (!sp_get(sp)) {
+- spin_unlock_irqrestore
+- (qp->qp_lock_ptr, flags);
+- status = qla2xxx_eh_abort(
+- GET_CMD_SP(sp));
+- spin_lock_irqsave
+- (qp->qp_lock_ptr, flags);
+- /*
+- * Get rid of extra reference caused
+- * by early exit from qla2xxx_eh_abort
+- */
+- if (status == FAST_IO_FAIL)
+- atomic_dec(&sp->ref_count);
+- }
+- }
+- sp->done(sp, res);
++ qla2x00_abort_srb(qp, sp, res, &flags);
+ break;
+ case TYPE_TGT_CMD:
+ if (!vha->hw->tgt.tgt_ops || !tgt ||
+--
+2.16.4
+
diff --git a/patches.drivers/scsi-qla2xxx-Timeouts-occur-on-surprise-removal-of-Q.patch b/patches.drivers/scsi-qla2xxx-Timeouts-occur-on-surprise-removal-of-Q.patch
index 0a3aca96bd..3ccedfc9b0 100644
--- a/patches.drivers/scsi-qla2xxx-Timeouts-occur-on-surprise-removal-of-Q.patch
+++ b/patches.drivers/scsi-qla2xxx-Timeouts-occur-on-surprise-removal-of-Q.patch
@@ -17,13 +17,29 @@ Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
---
- drivers/scsi/qla2xxx/qla_os.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
+ drivers/scsi/qla2xxx/qla_os.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index 20c85eed1a75..b658b9a5eb1e 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
-@@ -1805,6 +1805,12 @@ __qla2x00_abort_all_cmds(struct qla_qpai
- GET_CMD_SP(sp));
+@@ -1749,7 +1749,7 @@ qla2x00_loop_reset(scsi_qla_host_t *vha)
+ static void
+ __qla2x00_abort_all_cmds(struct qla_qpair *qp, int res)
+ {
+- int cnt;
++ int cnt, status;
+ unsigned long flags;
+ srb_t *sp;
+ scsi_qla_host_t *vha = qp->vha;
+@@ -1799,10 +1799,16 @@ __qla2x00_abort_all_cmds(struct qla_qpair *qp, int res)
+ if (!sp_get(sp)) {
+ spin_unlock_irqrestore
+ (qp->qp_lock_ptr, flags);
+- qla2xxx_eh_abort(
++ status = qla2xxx_eh_abort(
+ GET_CMD_SP(sp));
spin_lock_irqsave
(qp->qp_lock_ptr, flags);
+ /*
@@ -35,4 +51,6 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
}
}
sp->done(sp, res);
+--
+2.16.4
diff --git a/patches.drivers/scsi-qla2xxx-Use-p-for-printing-pointers.patch b/patches.drivers/scsi-qla2xxx-Use-p-for-printing-pointers.patch
new file mode 100644
index 0000000000..dae8264c5c
--- /dev/null
+++ b/patches.drivers/scsi-qla2xxx-Use-p-for-printing-pointers.patch
@@ -0,0 +1,36 @@
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Tue, 23 Jan 2018 16:33:47 -0800
+Subject: [PATCH] scsi: qla2xxx: Use %p for printing pointers
+Git-commit: da4704d941766ef61f125d57162eee4ba7f2deda
+Patch-mainline: v4.17-rc1
+References: bsc#1118139
+
+Using %p instead of %lx to print a pointer allows to remove a cast.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Himanshu Madhani <himanshu.madhani@cavium.com>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_init.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index aececf664654..995579ea0f7f 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -2688,8 +2688,8 @@ qla2x00_chip_diag(scsi_qla_host_t *vha)
+ /* Assume a failed state */
+ rval = QLA_FUNCTION_FAILED;
+
+- ql_dbg(ql_dbg_init, vha, 0x007b,
+- "Testing device at %lx.\n", (u_long)&reg->flash_address);
++ ql_dbg(ql_dbg_init, vha, 0x007b, "Testing device at %p.\n",
++ &reg->flash_address);
+
+ spin_lock_irqsave(&ha->hardware_lock, flags);
+
+--
+2.12.3
+
diff --git a/patches.drivers/scsi-qla2xxx-fully-convert-to-the-generic-DMA-API.patch b/patches.drivers/scsi-qla2xxx-fully-convert-to-the-generic-DMA-API.patch
new file mode 100644
index 0000000000..24149a9f3e
--- /dev/null
+++ b/patches.drivers/scsi-qla2xxx-fully-convert-to-the-generic-DMA-API.patch
@@ -0,0 +1,72 @@
+From: Christoph Hellwig <hch@lst.de>
+Date: Thu, 11 Oct 2018 09:42:07 +0200
+Subject: [PATCH] scsi: qla2xxx: fully convert to the generic DMA API
+Git-commit: e7d0bb774699be4542ec09e903a9cce38cea33d4
+Patch-mainline: v4.20-rc1
+References: bsc#1137444
+
+The driver is currently using an odd mix of legacy PCI DMA API and
+generic DMA API calls, switch it over to the generic API entirely.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_target.c | 8 ++++----
+ drivers/scsi/qla2xxx/tcm_qla2xxx.c | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
+index 3015f1bbcf1a..39828207bc1d 100644
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -2425,7 +2425,7 @@ static int qlt_pci_map_calc_cnt(struct qla_tgt_prm *prm)
+ BUG_ON(cmd->sg_cnt == 0);
+
+ prm->sg = (struct scatterlist *)cmd->sg;
+- prm->seg_cnt = pci_map_sg(cmd->qpair->pdev, cmd->sg,
++ prm->seg_cnt = dma_map_sg(&cmd->qpair->pdev->dev, cmd->sg,
+ cmd->sg_cnt, cmd->dma_data_direction);
+ if (unlikely(prm->seg_cnt == 0))
+ goto out_err;
+@@ -2452,7 +2452,7 @@ static int qlt_pci_map_calc_cnt(struct qla_tgt_prm *prm)
+
+ if (cmd->prot_sg_cnt) {
+ prm->prot_sg = cmd->prot_sg;
+- prm->prot_seg_cnt = pci_map_sg(cmd->qpair->pdev,
++ prm->prot_seg_cnt = dma_map_sg(&cmd->qpair->pdev->dev,
+ cmd->prot_sg, cmd->prot_sg_cnt,
+ cmd->dma_data_direction);
+ if (unlikely(prm->prot_seg_cnt == 0))
+@@ -2487,12 +2487,12 @@ static void qlt_unmap_sg(struct scsi_qla_host *vha, struct qla_tgt_cmd *cmd)
+
+ qpair = cmd->qpair;
+
+- pci_unmap_sg(qpair->pdev, cmd->sg, cmd->sg_cnt,
++ dma_unmap_sg(&qpair->pdev->dev, cmd->sg, cmd->sg_cnt,
+ cmd->dma_data_direction);
+ cmd->sg_mapped = 0;
+
+ if (cmd->prot_sg_cnt)
+- pci_unmap_sg(qpair->pdev, cmd->prot_sg, cmd->prot_sg_cnt,
++ dma_unmap_sg(&qpair->pdev->dev, cmd->prot_sg, cmd->prot_sg_cnt,
+ cmd->dma_data_direction);
+
+ if (!cmd->ctx)
+diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+index 731a094d2386..65053c066680 100644
+--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+@@ -424,7 +424,7 @@ static int tcm_qla2xxx_write_pending(struct se_cmd *se_cmd)
+ se_cmd->pi_err = 0;
+
+ /*
+- * qla_target.c:qlt_rdy_to_xfer() will call pci_map_sg() to setup
++ * qla_target.c:qlt_rdy_to_xfer() will call dma_map_sg() to setup
+ * the SGL mappings into PCIe memory for incoming FCP WRITE data.
+ */
+ return qlt_rdy_to_xfer(cmd);
+--
+2.16.4
+
diff --git a/patches.drivers/scsi-qla2xxx-use-lower_32_bits-and-upper_32_bits-ins.patch b/patches.drivers/scsi-qla2xxx-use-lower_32_bits-and-upper_32_bits-ins.patch
new file mode 100644
index 0000000000..3abc19b803
--- /dev/null
+++ b/patches.drivers/scsi-qla2xxx-use-lower_32_bits-and-upper_32_bits-ins.patch
@@ -0,0 +1,70 @@
+From: Christoph Hellwig <hch@lst.de>
+Date: Thu, 18 Oct 2018 15:03:37 +0200
+Subject: [PATCH] scsi: qla2xxx: use lower_32_bits and upper_32_bits instead of
+ reinventing them
+Git-commit: 3d5ca1e6fdfeb4bc9d0b2eb4e35717198af03d78
+Patch-mainline: v5.0-rc1
+References: bsc#1137444
+
+This also moves the optimization for builds with 32-bit dma_addr_t to
+the compiler (where it belongs) instead of opencoding it based on
+incorrect assumptions.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_target.c | 8 ++++----
+ drivers/scsi/qla2xxx/qla_target.h | 8 --------
+ 2 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
+index c4504740f0e2..bceb8e882e7f 100644
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -2660,9 +2660,9 @@ static void qlt_load_cont_data_segments(struct qla_tgt_prm *prm)
+ cnt < QLA_TGT_DATASEGS_PER_CONT_24XX && prm->seg_cnt;
+ cnt++, prm->seg_cnt--) {
+ *dword_ptr++ =
+- cpu_to_le32(pci_dma_lo32
++ cpu_to_le32(lower_32_bits
+ (sg_dma_address(prm->sg)));
+- *dword_ptr++ = cpu_to_le32(pci_dma_hi32
++ *dword_ptr++ = cpu_to_le32(upper_32_bits
+ (sg_dma_address(prm->sg)));
+ *dword_ptr++ = cpu_to_le32(sg_dma_len(prm->sg));
+
+@@ -2704,9 +2704,9 @@ static void qlt_load_data_segments(struct qla_tgt_prm *prm)
+ (cnt < QLA_TGT_DATASEGS_PER_CMD_24XX) && prm->seg_cnt;
+ cnt++, prm->seg_cnt--) {
+ *dword_ptr++ =
+- cpu_to_le32(pci_dma_lo32(sg_dma_address(prm->sg)));
++ cpu_to_le32(lower_32_bits(sg_dma_address(prm->sg)));
+
+- *dword_ptr++ = cpu_to_le32(pci_dma_hi32(
++ *dword_ptr++ = cpu_to_le32(upper_32_bits(
+ sg_dma_address(prm->sg)));
+
+ *dword_ptr++ = cpu_to_le32(sg_dma_len(prm->sg));
+diff --git a/drivers/scsi/qla2xxx/qla_target.h b/drivers/scsi/qla2xxx/qla_target.h
+index 721da593b1bc..577e1786a3f1 100644
+--- a/drivers/scsi/qla2xxx/qla_target.h
++++ b/drivers/scsi/qla2xxx/qla_target.h
+@@ -771,14 +771,6 @@ int qla2x00_wait_for_hba_online(struct scsi_qla_host *);
+ #define FC_TM_REJECT 4
+ #define FC_TM_FAILED 5
+
+-#if (BITS_PER_LONG > 32) || defined(CONFIG_HIGHMEM64G)
+-#define pci_dma_lo32(a) (a & 0xffffffff)
+-#define pci_dma_hi32(a) ((((a) >> 16)>>16) & 0xffffffff)
+-#else
+-#define pci_dma_lo32(a) (a & 0xffffffff)
+-#define pci_dma_hi32(a) 0
+-#endif
+-
+ #define QLA_TGT_SENSE_VALID(sense) ((sense != NULL) && \
+ (((const uint8_t *)(sense))[0] & 0x70) == 0x70)
+
+--
+2.16.4
+
diff --git a/patches.drivers/treewide-Use-DEVICE_ATTR_WO.patch b/patches.drivers/treewide-Use-DEVICE_ATTR_WO.patch
new file mode 100644
index 0000000000..ba6a7cc995
--- /dev/null
+++ b/patches.drivers/treewide-Use-DEVICE_ATTR_WO.patch
@@ -0,0 +1,125 @@
+From 6cbaefb4bf2ce6746e49c972289702133b347ffa Mon Sep 17 00:00:00 2001
+From: Joe Perches <joe@perches.com>
+Date: Tue, 19 Dec 2017 10:15:09 -0800
+Subject: [PATCH] treewide: Use DEVICE_ATTR_WO
+
+References: bsc#1137739
+Patch-mainline: v4.16-rc1
+Git-commit: 6cbaefb4bf2ce6746e49c972289702133b347ffa
+
+Convert DEVICE_ATTR uses to DEVICE_ATTR_WO where possible.
+
+Done with perl script:
+
+$ git grep -w --name-only DEVICE_ATTR | \
+ xargs perl -i -e 'local $/; while (<>) { s/\bDEVICE_ATTR\s*\(\s*(\w+)\s*,\s*\(?(?:\s*S_IWUSR\s*|\s*0200\s*)\)?\s*,\s*NULL\s*,\s*\s_store\s*\)/DEVICE_ATTR_WO(\1)/g; print;}'
+
+Signed-off-by: Joe Perches <joe@perches.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/s390/kernel/smp.c | 2 +-
+ arch/x86/kernel/cpu/microcode/core.c | 2 +-
+ drivers/input/touchscreen/elants_i2c.c | 2 +-
+ drivers/net/ethernet/ibm/ibmvnic.c | 2 +-
+ drivers/net/wimax/i2400m/sysfs.c | 3 +--
+ drivers/scsi/lpfc/lpfc_attr.c | 3 +--
+ drivers/thermal/thermal_sysfs.c | 2 +-
+ 7 files changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c
+index b8c1a85bcf2d..a919b2f0141d 100644
+--- a/arch/s390/kernel/smp.c
++++ b/arch/s390/kernel/smp.c
+@@ -1151,7 +1151,7 @@ static ssize_t __ref rescan_store(struct device *dev,
+ rc = smp_rescan_cpus();
+ return rc ? rc : count;
+ }
+-static DEVICE_ATTR(rescan, 0200, NULL, rescan_store);
++static DEVICE_ATTR_WO(rescan);
+ #endif /* CONFIG_HOTPLUG_CPU */
+
+ static int __init s390_smp_init(void)
+diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
+index c4fa4a85d4cb..09c74b0560dd 100644
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -560,7 +560,7 @@ static ssize_t pf_show(struct device *dev,
+ return sprintf(buf, "0x%x\n", uci->cpu_sig.pf);
+ }
+
+-static DEVICE_ATTR(reload, 0200, NULL, reload_store);
++static DEVICE_ATTR_WO(reload);
+ static DEVICE_ATTR(version, 0400, version_show, NULL);
+ static DEVICE_ATTR(processor_flags, 0400, pf_show, NULL);
+
+diff --git a/drivers/input/touchscreen/elants_i2c.c b/drivers/input/touchscreen/elants_i2c.c
+index e102d7764bc2..98613910d756 100644
+--- a/drivers/input/touchscreen/elants_i2c.c
++++ b/drivers/input/touchscreen/elants_i2c.c
+@@ -999,7 +999,7 @@ static ssize_t show_iap_mode(struct device *dev,
+ "Normal" : "Recovery");
+ }
+
+-static DEVICE_ATTR(calibrate, S_IWUSR, NULL, calibrate_store);
++static DEVICE_ATTR_WO(calibrate);
+ static DEVICE_ATTR(iap_mode, S_IRUGO, show_iap_mode, NULL);
+ static DEVICE_ATTR(update_fw, S_IWUSR, NULL, write_update_fw);
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index 1dc4aef37d3a..42b96e1a1b13 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -4411,7 +4411,7 @@ static ssize_t failover_store(struct device *dev, struct device_attribute *attr,
+ return count;
+ }
+
+-static DEVICE_ATTR(failover, 0200, NULL, failover_store);
++static DEVICE_ATTR_WO(failover);
+
+ static unsigned long ibmvnic_get_desired_dma(struct vio_dev *vdev)
+ {
+diff --git a/drivers/net/wimax/i2400m/sysfs.c b/drivers/net/wimax/i2400m/sysfs.c
+index 1237109f251a..8c67df11105c 100644
+--- a/drivers/net/wimax/i2400m/sysfs.c
++++ b/drivers/net/wimax/i2400m/sysfs.c
+@@ -65,8 +65,7 @@ error_bad_value:
+ }
+
+ static
+-DEVICE_ATTR(i2400m_idle_timeout, S_IWUSR,
+- NULL, i2400m_idle_timeout_store);
++DEVICE_ATTR_WO(i2400m_idle_timeout);
+
+ static
+ struct attribute *i2400m_dev_attrs[] = {
+diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c
+index ea8d382bc2eb..a28618c3eb63 100644
+--- a/drivers/scsi/lpfc/lpfc_attr.c
++++ b/drivers/scsi/lpfc/lpfc_attr.c
+@@ -2384,8 +2384,7 @@ lpfc_soft_wwn_enable_store(struct device *dev, struct device_attribute *attr,
+
+ return count;
+ }
+-static DEVICE_ATTR(lpfc_soft_wwn_enable, S_IWUSR, NULL,
+- lpfc_soft_wwn_enable_store);
++static DEVICE_ATTR_WO(lpfc_soft_wwn_enable);
+
+ /**
+ * lpfc_soft_wwpn_show - Return the cfg soft ww port name of the adapter
+diff --git a/drivers/thermal/thermal_sysfs.c b/drivers/thermal/thermal_sysfs.c
+index 2bc964392924..ba81c9080f6e 100644
+--- a/drivers/thermal/thermal_sysfs.c
++++ b/drivers/thermal/thermal_sysfs.c
+@@ -317,7 +317,7 @@ emul_temp_store(struct device *dev, struct device_attribute *attr,
+
+ return ret ? ret : count;
+ }
+-static DEVICE_ATTR(emul_temp, S_IWUSR, NULL, emul_temp_store);
++static DEVICE_ATTR_WO(emul_temp);
+ #endif
+
+ static ssize_t
+--
+2.20.1
+
diff --git a/patches.drm/0001-drm-vmwgfx-NULL-pointer-dereference-from-vmw_cmd_dx_.patch b/patches.drm/0001-drm-vmwgfx-NULL-pointer-dereference-from-vmw_cmd_dx_.patch
new file mode 100644
index 0000000000..3791b40dbc
--- /dev/null
+++ b/patches.drm/0001-drm-vmwgfx-NULL-pointer-dereference-from-vmw_cmd_dx_.patch
@@ -0,0 +1,36 @@
+From bcd6aa7b6cbfd6f985f606c6f76046d782905820 Mon Sep 17 00:00:00 2001
+From: Murray McAllister <murray.mcallister@gmail.com>
+Date: Sat, 11 May 2019 18:01:37 +1200
+Subject: drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define()
+Git-commit: bcd6aa7b6cbfd6f985f606c6f76046d782905820
+Patch-mainline: v5.2-rc2
+References: bsc#1113722
+
+If SVGA_3D_CMD_DX_DEFINE_RENDERTARGET_VIEW is called with a surface
+ID of SVGA3D_INVALID_ID, the srf struct will remain NULL after
+vmw_cmd_res_check(), leading to a null pointer dereference in
+vmw_view_add().
+
+Cc: <stable@vger.kernel.org>
+Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support")
+Signed-off-by: Murray McAllister <murray.mcallister@gmail.com>
+Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+@@ -2732,6 +2732,10 @@ static int vmw_cmd_dx_view_define(struct
+ if (view_type == vmw_view_max)
+ return -EINVAL;
+ cmd = container_of(header, typeof(*cmd), header);
++ if (unlikely(cmd->sid == SVGA3D_INVALID_ID)) {
++ DRM_ERROR("Invalid surface id.\n");
++ return -EINVAL;
++ }
+ ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface,
+ user_surface_converter,
+ &cmd->sid, &srf_node);
diff --git a/patches.drm/0001-fbdev-fix-WARNING-in-__alloc_pages_nodemask-bug.patch b/patches.drm/0001-fbdev-fix-WARNING-in-__alloc_pages_nodemask-bug.patch
new file mode 100644
index 0000000000..efe9e15d1b
--- /dev/null
+++ b/patches.drm/0001-fbdev-fix-WARNING-in-__alloc_pages_nodemask-bug.patch
@@ -0,0 +1,54 @@
+From 8c40292be9169a9cbe19aadd1a6fc60cbd1af82f Mon Sep 17 00:00:00 2001
+From: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Date: Thu, 11 Apr 2019 19:25:12 +0200
+Subject: fbdev: fix WARNING in __alloc_pages_nodemask bug
+Git-commit: 8c40292be9169a9cbe19aadd1a6fc60cbd1af82f
+Patch-mainline: v5.2-rc1
+References: bsc#1113722
+
+Syzkaller hit 'WARNING in __alloc_pages_nodemask' bug.
+
+WARNING: CPU: 1 PID: 1473 at mm/page_alloc.c:4377
+__alloc_pages_nodemask+0x4da/0x2130
+Kernel panic - not syncing: panic_on_warn set ...
+
+Call Trace:
+ alloc_pages_current+0xb1/0x1e0
+ kmalloc_order+0x1f/0x60
+ kmalloc_order_trace+0x1d/0x120
+ fb_alloc_cmap_gfp+0x85/0x2b0
+ fb_set_user_cmap+0xff/0x370
+ do_fb_ioctl+0x949/0xa20
+ fb_ioctl+0xdd/0x120
+ do_vfs_ioctl+0x186/0x1070
+ ksys_ioctl+0x89/0xa0
+ __x64_sys_ioctl+0x74/0xb0
+ do_syscall_64+0xc8/0x550
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+This is a warning about order >= MAX_ORDER and the order is from
+userspace ioctl. Add flag __NOWARN to silence this warning.
+
+Signed-off-by: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+---
+ drivers/video/fbdev/core/fbcmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/video/fbdev/core/fbcmap.c b/drivers/video/fbdev/core/fbcmap.c
+index 68a113594808..2811c4afde01 100644
+--- a/drivers/video/fbdev/core/fbcmap.c
++++ b/drivers/video/fbdev/core/fbcmap.c
+@@ -94,6 +94,8 @@ int fb_alloc_cmap_gfp(struct fb_cmap *cmap, int len, int transp, gfp_t flags)
+ int size = len * sizeof(u16);
+ int ret = -ENOMEM;
+
++ flags |= __GFP_NOWARN;
++
+ if (cmap->len != len) {
+ fb_dealloc_cmap(cmap);
+ if (!len)
+--
+2.21.0
+
diff --git a/patches.drm/0001-fbdev-fix-divide-error-in-fb_var_to_videomode.patch b/patches.drm/0001-fbdev-fix-divide-error-in-fb_var_to_videomode.patch
new file mode 100644
index 0000000000..6d81f9d088
--- /dev/null
+++ b/patches.drm/0001-fbdev-fix-divide-error-in-fb_var_to_videomode.patch
@@ -0,0 +1,84 @@
+From cf84807f6dd0be5214378e66460cfc9187f532f9 Mon Sep 17 00:00:00 2001
+From: Shile Zhang <shile.zhang@linux.alibaba.com>
+Date: Mon, 1 Apr 2019 17:47:00 +0200
+Subject: fbdev: fix divide error in fb_var_to_videomode
+Git-commit: cf84807f6dd0be5214378e66460cfc9187f532f9
+Patch-mainline: v5.2-rc1
+References: bsc#1113722
+
+To fix following divide-by-zero error found by Syzkaller:
+
+ divide error: 0000 [#1] SMP PTI
+ CPU: 7 PID: 8447 Comm: test Kdump: loaded Not tainted 4.19.24-8.al7.x86_64 #1
+ Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:fb_var_to_videomode+0xae/0xc0
+ Code: 04 44 03 46 78 03 4e 7c 44 03 46 68 03 4e 70 89 ce d1 ee 69 c0 e8 03 00 00 f6 c2 01 0f 45 ce 83 e2 02 8d 34 09 0f 45 ce 31 d2 <41> f7 f0 31 d2 f7 f1 89 47 08 f3 c3 66 0f 1f 44 00 00 0f 1f 44 00
+ RSP: 0018:ffffb7e189347bf0 EFLAGS: 00010246
+ RAX: 00000000e1692410 RBX: ffffb7e189347d60 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb7e189347c10
+ RBP: ffff99972a091c00 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000100
+ R13: 0000000000010000 R14: 00007ffd66baf6d0 R15: 0000000000000000
+ FS: 00007f2054d11740(0000) GS:ffff99972fbc0000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f205481fd20 CR3: 00000004288a0001 CR4: 00000000001606a0
+ Call Trace:
+ fb_set_var+0x257/0x390
+ ? lookup_fast+0xbb/0x2b0
+ ? fb_open+0xc0/0x140
+ ? chrdev_open+0xa6/0x1a0
+ do_fb_ioctl+0x445/0x5a0
+ do_vfs_ioctl+0x92/0x5f0
+ ? __alloc_fd+0x3d/0x160
+ ksys_ioctl+0x60/0x90
+ __x64_sys_ioctl+0x16/0x20
+ do_syscall_64+0x5b/0x190
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ RIP: 0033:0x7f20548258d7
+ Code: 44 00 00 48 8b 05 b9 15 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 89 15 2d 00 f7 d8 64 89 01 48
+
+It can be triggered easily with following test code:
+
+ #include <linux/fb.h>
+ #include <fcntl.h>
+ #include <sys/ioctl.h>
+ int main(void)
+ {
+ struct fb_var_screeninfo var = {.activate = 0x100, .pixclock = 60};
+ int fd = open("/dev/fb0", O_RDWR);
+ if (fd < 0)
+ return 1;
+
+ if (ioctl(fd, FBIOPUT_VSCREENINFO, &var))
+ return 1;
+
+ return 0;
+ }
+
+Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
+Cc: Fredrik Noring <noring@nocrew.org>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+---
+ drivers/video/fbdev/core/modedb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/core/modedb.c b/drivers/video/fbdev/core/modedb.c
+index 283d9307df21..ac049871704d 100644
+--- a/drivers/video/fbdev/core/modedb.c
++++ b/drivers/video/fbdev/core/modedb.c
+@@ -935,6 +935,9 @@ void fb_var_to_videomode(struct fb_videomode *mode,
+ if (var->vmode & FB_VMODE_DOUBLE)
+ vtotal *= 2;
+
++ if (!htotal || !vtotal)
++ return;
++
+ hfreq = pixclock/htotal;
+ mode->refresh = hfreq/vtotal;
+ }
+--
+2.21.0
+
diff --git a/patches.drm/0002-drm-i915-gvt-Tiled-Resources-mmios-are-in-context-mm.patch b/patches.drm/0002-drm-i915-gvt-Tiled-Resources-mmios-are-in-context-mm.patch
new file mode 100644
index 0000000000..08103e9554
--- /dev/null
+++ b/patches.drm/0002-drm-i915-gvt-Tiled-Resources-mmios-are-in-context-mm.patch
@@ -0,0 +1,41 @@
+From 39947afc6c063940cbd80824e75eb0cf84591c3c Mon Sep 17 00:00:00 2001
+From: Yan Zhao <yan.y.zhao@intel.com>
+Date: Tue, 7 May 2019 22:15:00 -0400
+Subject: drm/i915/gvt: Tiled Resources mmios are in-context mmios for gen9+
+Git-commit: 39947afc6c063940cbd80824e75eb0cf84591c3c
+Patch-mainline: v5.2-rc2
+References: bsc#1113722
+
+TRVATTL3PTRDW(0x4de0-0x4de4), TRNULLDETCT(0x4de8), TRINVTILEDETCT(0x4dec),
+TRTTE(0x4df0), TRVADR(0x4df4) are in-context mmios for gen9+
+
+Fixes: 178657139307 ("drm/i915/gvt: vGPU context switch")
+Acked-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Yan Zhao <yan.y.zhao@intel.com>
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+---
+ drivers/gpu/drm/i915/gvt/mmio_context.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gvt/mmio_context.c
++++ b/drivers/gpu/drm/i915/gvt/mmio_context.c
+@@ -119,12 +119,12 @@ static struct engine_mmio gen9_engine_mm
+ {RCS, GEN9_HALF_SLICE_CHICKEN5, 0xffff, true}, /* 0xe188 */
+ {RCS, GEN9_HALF_SLICE_CHICKEN7, 0xffff, true}, /* 0xe194 */
+ {RCS, GEN8_ROW_CHICKEN, 0xffff, true}, /* 0xe4f0 */
+- {RCS, TRVATTL3PTRDW(0), 0, false}, /* 0x4de0 */
+- {RCS, TRVATTL3PTRDW(1), 0, false}, /* 0x4de4 */
+- {RCS, TRNULLDETCT, 0, false}, /* 0x4de8 */
+- {RCS, TRINVTILEDETCT, 0, false}, /* 0x4dec */
+- {RCS, TRVADR, 0, false}, /* 0x4df0 */
+- {RCS, TRTTE, 0, false}, /* 0x4df4 */
++ {RCS, TRVATTL3PTRDW(0), 0, true}, /* 0x4de0 */
++ {RCS, TRVATTL3PTRDW(1), 0, true}, /* 0x4de4 */
++ {RCS, TRNULLDETCT, 0, true}, /* 0x4de8 */
++ {RCS, TRINVTILEDETCT, 0, true}, /* 0x4dec */
++ {RCS, TRVADR, 0, true}, /* 0x4df0 */
++ {RCS, TRTTE, 0, true}, /* 0x4df4 */
+
+ {BCS, RING_GFX_MODE(BLT_RING_BASE), 0xffff, false}, /* 0x2229c */
+ {BCS, RING_MI_MODE(BLT_RING_BASE), 0xffff, false}, /* 0x2209c */
diff --git a/patches.drm/0003-drm-i915-gvt-add-0x4dfc-to-gen9-save-restore-list.patch b/patches.drm/0003-drm-i915-gvt-add-0x4dfc-to-gen9-save-restore-list.patch
new file mode 100644
index 0000000000..c015829096
--- /dev/null
+++ b/patches.drm/0003-drm-i915-gvt-add-0x4dfc-to-gen9-save-restore-list.patch
@@ -0,0 +1,30 @@
+From b6241002039118d6bea78f50f8f19195b41ab602 Mon Sep 17 00:00:00 2001
+From: Yan Zhao <yan.y.zhao@intel.com>
+Date: Tue, 7 May 2019 22:16:33 -0400
+Subject: drm/i915/gvt: add 0x4dfc to gen9 save-restore list
+Git-commit: b6241002039118d6bea78f50f8f19195b41ab602
+Patch-mainline: v5.2-rc2
+References: bsc#1113722
+
+0x4dfc is in-context mmio for gen9+, but each vm have different settings
+need to add it to save-restore list along with other trtt registers
+
+Fixes: 178657139307 ("drm/i915/gvt: vGPU context switch")
+Acked-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Yan Zhao <yan.y.zhao@intel.com>
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+---
+ drivers/gpu/drm/i915/gvt/mmio_context.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/i915/gvt/mmio_context.c
++++ b/drivers/gpu/drm/i915/gvt/mmio_context.c
+@@ -125,6 +125,7 @@ static struct engine_mmio gen9_engine_mm
+ {RCS, TRINVTILEDETCT, 0, true}, /* 0x4dec */
+ {RCS, TRVADR, 0, true}, /* 0x4df0 */
+ {RCS, TRTTE, 0, true}, /* 0x4df4 */
++ {RCS, _MMIO(0x4dfc), 0, true},
+
+ {BCS, RING_GFX_MODE(BLT_RING_BASE), 0xffff, false}, /* 0x2229c */
+ {BCS, RING_MI_MODE(BLT_RING_BASE), 0xffff, false}, /* 0x2209c */
diff --git a/patches.drm/0004-drm-etnaviv-lock-MMU-while-dumping-core.patch b/patches.drm/0004-drm-etnaviv-lock-MMU-while-dumping-core.patch
new file mode 100644
index 0000000000..6358aaea1d
--- /dev/null
+++ b/patches.drm/0004-drm-etnaviv-lock-MMU-while-dumping-core.patch
@@ -0,0 +1,51 @@
+From 1396500d673bd027683a0609ff84dca7eb6ea2e7 Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Tue, 21 May 2019 14:53:40 +0200
+Subject: drm/etnaviv: lock MMU while dumping core
+Git-commit: 1396500d673bd027683a0609ff84dca7eb6ea2e7
+Patch-mainline: v5.2-rc3
+References: bsc#1113722
+
+The devcoredump needs to operate on a stable state of the MMU while
+it is writing the MMU state to the coredump. The missing lock
+allowed both the userspace submit, as well as the GPU job finish
+paths to mutate the MMU state while a coredump is under way.
+
+Fixes: a8c21a5451d8 (drm/etnaviv: add initial etnaviv DRM driver)
+Reported-by: David Jander <david@protonic.nl>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Tested-by: David Jander <david@protonic.nl>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_dump.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/etnaviv/etnaviv_dump.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_dump.c
+@@ -125,6 +125,8 @@ void etnaviv_core_dump(struct etnaviv_gp
+ size_t file_size, mmu_size;
+ __le64 *bomap, *bomap_start;
+
++ mutex_lock(&gpu->mmu->lock);
++
+ mmu_size = etnaviv_iommu_dump_size(gpu->mmu);
+
+ /* We always dump registers, mmu, ring and end marker */
+@@ -164,6 +166,7 @@ void etnaviv_core_dump(struct etnaviv_gp
+ iter.start = __vmalloc(file_size, GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY,
+ PAGE_KERNEL);
+ if (!iter.start) {
++ mutex_unlock(&gpu->mmu->lock);
+ dev_warn(gpu->dev, "failed to allocate devcoredump file\n");
+ return;
+ }
+@@ -226,6 +229,8 @@ void etnaviv_core_dump(struct etnaviv_gp
+ obj->base.size);
+ }
+
++ mutex_unlock(&gpu->mmu->lock);
++
+ etnaviv_core_dump_header(&iter, ETDUMP_BUF_END, iter.data);
+
+ dev_coredumpv(gpu->dev, iter.start, iter.data - iter.start, GFP_KERNEL);
diff --git a/patches.drm/drm-edid-Fix-a-missing-check-bug-in-drm_load_edid_firmware.patch b/patches.drm/drm-edid-Fix-a-missing-check-bug-in-drm_load_edid_firmware.patch
new file mode 100644
index 0000000000..14f8f41d9a
--- /dev/null
+++ b/patches.drm/drm-edid-Fix-a-missing-check-bug-in-drm_load_edid_firmware.patch
@@ -0,0 +1,38 @@
+From 9f1f1a2dab38d4ce87a13565cf4dc1b73bef3a5f Mon Sep 17 00:00:00 2001
+From: Gen Zhang <blackgod016574@gmail.com>
+Date: Fri, 24 May 2019 10:32:22 +0800
+Subject: drm/edid: Fix a missing-check bug in drm_load_edid_firmware()
+Git-commit: 9f1f1a2dab38d4ce87a13565cf4dc1b73bef3a5f
+Git-repo: git://anongit.freedesktop.org/drm/drm-misc
+Patch-mainline: Queued in subsystem maintainer repository
+References: CVE-2019-12382, bsc#1136586
+
+In drm_load_edid_firmware(), fwstr is allocated by kstrdup(). And fwstr
+is dereferenced in the following codes. However, memory allocation
+functions such as kstrdup() may fail and returns NULL. Dereferencing
+this null pointer may cause the kernel go wrong. Thus we should check
+this kstrdup() operation.
+Further, if kstrdup() returns NULL, we should return ERR_PTR(-ENOMEM) to
+the caller site.
+
+Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190524023222.GA5302@zhanggen-UX430UQ
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/drm_edid_load.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/drm_edid_load.c
++++ b/drivers/gpu/drm/drm_edid_load.c
+@@ -274,6 +274,8 @@ struct edid *drm_load_edid_firmware(stru
+ * the last one found one as a fallback.
+ */
+ fwstr = kstrdup(edid_firmware, GFP_KERNEL);
++ if (!fwstr)
++ return ERR_PTR(-ENOMEM);
+ edidstr = fwstr;
+
+ while ((edidname = strsep(&edidstr, ","))) {
diff --git a/patches.fixes/0001-Documentation-Add-MDS-vulnerability-documentation.patch b/patches.fixes/0001-Documentation-Add-MDS-vulnerability-documentation.patch
new file mode 100644
index 0000000000..5c09813556
--- /dev/null
+++ b/patches.fixes/0001-Documentation-Add-MDS-vulnerability-documentation.patch
@@ -0,0 +1,353 @@
+From 5999bbe7a6ea3c62029532ec84dc06003a1fa258 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue, 19 Feb 2019 00:02:31 +0100
+Subject: [PATCH] Documentation: Add MDS vulnerability documentation
+Git-commit: 5999bbe7a6ea3c62029532ec84dc06003a1fa258
+Patch-mainline: v5.2-rc1
+References: bsc#1135642
+
+Add the initial MDS vulnerability documentation.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Jon Masters <jcm@redhat.com>
+Reviewed-by: Fabian Baumanis <fabian.baumanis@suse.com>
+---
+ Documentation/ABI/testing/sysfs-devices-system-cpu | 3
+ Documentation/admin-guide/hw-vuln/mds.rst | 307 +++++++++++++++++++++
+ Documentation/admin-guide/kernel-parameters.txt | 2
+ 3 files changed, 310 insertions(+), 2 deletions(-)
+ create mode 100644 Documentation/admin-guide/hw-vuln/mds.rst
+
+--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
++++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
+@@ -393,8 +393,7 @@ Description: Information about CPU vulne
+ "Vulnerable" CPU is affected and no mitigation in effect
+ "Mitigation: $M" CPU is affected and mitigation $M is in effect
+
+- Details about the l1tf file can be found in
+- Documentation/admin-guide/l1tf.rst
++ See also: Documentation/admin-guide/hw-vuln/index.rst
+
+ What: /sys/devices/system/cpu/smt
+ /sys/devices/system/cpu/smt/active
+--- /dev/null
++++ b/Documentation/admin-guide/hw-vuln/mds.rst
+@@ -0,0 +1,307 @@
++MDS - Microarchitectural Data Sampling
++======================================
++
++Microarchitectural Data Sampling is a hardware vulnerability which allows
++unprivileged speculative access to data which is available in various CPU
++internal buffers.
++
++Affected processors
++-------------------
++
++This vulnerability affects a wide range of Intel processors. The
++vulnerability is not present on:
++
++ - Processors from AMD, Centaur and other non Intel vendors
++
++ - Older processor models, where the CPU family is < 6
++
++ - Some Atoms (Bonnell, Saltwell, Goldmont, GoldmontPlus)
++
++ - Intel processors which have the ARCH_CAP_MDS_NO bit set in the
++ IA32_ARCH_CAPABILITIES MSR.
++
++Whether a processor is affected or not can be read out from the MDS
++vulnerability file in sysfs. See :ref:`mds_sys_info`.
++
++Not all processors are affected by all variants of MDS, but the mitigation
++is identical for all of them so the kernel treats them as a single
++vulnerability.
++
++Related CVEs
++------------
++
++The following CVE entries are related to the MDS vulnerability:
++
++ ============== ===== ==============================================
++ CVE-2018-12126 MSBDS Microarchitectural Store Buffer Data Sampling
++ CVE-2018-12130 MFBDS Microarchitectural Fill Buffer Data Sampling
++ CVE-2018-12127 MLPDS Microarchitectural Load Port Data Sampling
++ ============== ===== ==============================================
++
++Problem
++-------
++
++When performing store, load, L1 refill operations, processors write data
++into temporary microarchitectural structures (buffers). The data in the
++buffer can be forwarded to load operations as an optimization.
++
++Under certain conditions, usually a fault/assist caused by a load
++operation, data unrelated to the load memory address can be speculatively
++forwarded from the buffers. Because the load operation causes a fault or
++assist and its result will be discarded, the forwarded data will not cause
++incorrect program execution or state changes. But a malicious operation
++may be able to forward this speculative data to a disclosure gadget which
++allows in turn to infer the value via a cache side channel attack.
++
++Because the buffers are potentially shared between Hyper-Threads cross
++Hyper-Thread attacks are possible.
++
++Deeper technical information is available in the MDS specific x86
++architecture section: :ref:`Documentation/x86/mds.rst <mds>`.
++
++
++Attack scenarios
++----------------
++
++Attacks against the MDS vulnerabilities can be mounted from malicious non
++priviledged user space applications running on hosts or guest. Malicious
++guest OSes can obviously mount attacks as well.
++
++Contrary to other speculation based vulnerabilities the MDS vulnerability
++does not allow the attacker to control the memory target address. As a
++consequence the attacks are purely sampling based, but as demonstrated with
++the TLBleed attack samples can be postprocessed successfully.
++
++Web-Browsers
++^^^^^^^^^^^^
++
++ It's unclear whether attacks through Web-Browsers are possible at
++ all. The exploitation through Java-Script is considered very unlikely,
++ but other widely used web technologies like Webassembly could possibly be
++ abused.
++
++
++.. _mds_sys_info:
++
++MDS system information
++-----------------------
++
++The Linux kernel provides a sysfs interface to enumerate the current MDS
++status of the system: whether the system is vulnerable, and which
++mitigations are active. The relevant sysfs file is:
++
++/sys/devices/system/cpu/vulnerabilities/mds
++
++The possible values in this file are:
++
++ ========================================= =================================
++ 'Not affected' The processor is not vulnerable
++
++ 'Vulnerable' The processor is vulnerable,
++ but no mitigation enabled
++
++ 'Vulnerable: Clear CPU buffers attempted' The processor is vulnerable but
++ microcode is not updated.
++ The mitigation is enabled on a
++ best effort basis.
++ See :ref:`vmwerv`
++
++ 'Mitigation: CPU buffer clear' The processor is vulnerable and the
++ CPU buffer clearing mitigation is
++ enabled.
++ ========================================= =================================
++
++If the processor is vulnerable then the following information is appended
++to the above information:
++
++ ======================== ============================================
++ 'SMT vulnerable' SMT is enabled
++ 'SMT mitigated' SMT is enabled and mitigated
++ 'SMT disabled' SMT is disabled
++ 'SMT Host state unknown' Kernel runs in a VM, Host SMT state unknown
++ ======================== ============================================
++
++.. _vmwerv:
++
++Best effort mitigation mode
++^^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++ If the processor is vulnerable, but the availability of the microcode based
++ mitigation mechanism is not advertised via CPUID the kernel selects a best
++ effort mitigation mode. This mode invokes the mitigation instructions
++ without a guarantee that they clear the CPU buffers.
++
++ This is done to address virtualization scenarios where the host has the
++ microcode update applied, but the hypervisor is not yet updated to expose
++ the CPUID to the guest. If the host has updated microcode the protection
++ takes effect otherwise a few cpu cycles are wasted pointlessly.
++
++ The state in the mds sysfs file reflects this situation accordingly.
++
++
++Mitigation mechanism
++-------------------------
++
++The kernel detects the affected CPUs and the presence of the microcode
++which is required.
++
++If a CPU is affected and the microcode is available, then the kernel
++enables the mitigation by default. The mitigation can be controlled at boot
++time via a kernel command line option. See
++:ref:`mds_mitigation_control_command_line`.
++
++.. _cpu_buffer_clear:
++
++CPU buffer clearing
++^^^^^^^^^^^^^^^^^^^
++
++ The mitigation for MDS clears the affected CPU buffers on return to user
++ space and when entering a guest.
++
++ If SMT is enabled it also clears the buffers on idle entry when the CPU
++ is only affected by MSBDS and not any other MDS variant, because the
++ other variants cannot be protected against cross Hyper-Thread attacks.
++
++ For CPUs which are only affected by MSBDS the user space, guest and idle
++ transition mitigations are sufficient and SMT is not affected.
++
++.. _virt_mechanism:
++
++Virtualization mitigation
++^^^^^^^^^^^^^^^^^^^^^^^^^
++
++ The protection for host to guest transition depends on the L1TF
++ vulnerability of the CPU:
++
++ - CPU is affected by L1TF:
++
++ If the L1D flush mitigation is enabled and up to date microcode is
++ available, the L1D flush mitigation is automatically protecting the
++ guest transition.
++
++ If the L1D flush mitigation is disabled then the MDS mitigation is
++ invoked explicit when the host MDS mitigation is enabled.
++
++ For details on L1TF and virtualization see:
++ :ref:`Documentation/admin-guide/hw-vuln//l1tf.rst <mitigation_control_kvm>`.
++
++ - CPU is not affected by L1TF:
++
++ CPU buffers are flushed before entering the guest when the host MDS
++ mitigation is enabled.
++
++ The resulting MDS protection matrix for the host to guest transition:
++
++ ============ ===== ============= ============ =================
++ L1TF MDS VMX-L1FLUSH Host MDS MDS-State
++
++ Don't care No Don't care N/A Not affected
++
++ Yes Yes Disabled Off Vulnerable
++
++ Yes Yes Disabled Full Mitigated
++
++ Yes Yes Enabled Don't care Mitigated
++
++ No Yes N/A Off Vulnerable
++
++ No Yes N/A Full Mitigated
++ ============ ===== ============= ============ =================
++
++ This only covers the host to guest transition, i.e. prevents leakage from
++ host to guest, but does not protect the guest internally. Guests need to
++ have their own protections.
++
++.. _xeon_phi:
++
++XEON PHI specific considerations
++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++ The XEON PHI processor family is affected by MSBDS which can be exploited
++ cross Hyper-Threads when entering idle states. Some XEON PHI variants allow
++ to use MWAIT in user space (Ring 3) which opens an potential attack vector
++ for malicious user space. The exposure can be disabled on the kernel
++ command line with the 'ring3mwait=disable' command line option.
++
++ XEON PHI is not affected by the other MDS variants and MSBDS is mitigated
++ before the CPU enters a idle state. As XEON PHI is not affected by L1TF
++ either disabling SMT is not required for full protection.
++
++.. _mds_smt_control:
++
++SMT control
++^^^^^^^^^^^
++
++ All MDS variants except MSBDS can be attacked cross Hyper-Threads. That
++ means on CPUs which are affected by MFBDS or MLPDS it is necessary to
++ disable SMT for full protection. These are most of the affected CPUs; the
++ exception is XEON PHI, see :ref:`xeon_phi`.
++
++ Disabling SMT can have a significant performance impact, but the impact
++ depends on the type of workloads.
++
++ See the relevant chapter in the L1TF mitigation documentation for details:
++ :ref:`Documentation/admin-guide/hw-vuln/l1tf.rst <smt_control>`.
++
++
++.. _mds_mitigation_control_command_line:
++
++Mitigation control on the kernel command line
++---------------------------------------------
++
++The kernel command line allows to control the MDS mitigations at boot
++time with the option "mds=". The valid arguments for this option are:
++
++ ============ =============================================================
++ full If the CPU is vulnerable, enable all available mitigations
++ for the MDS vulnerability, CPU buffer clearing on exit to
++ userspace and when entering a VM. Idle transitions are
++ protected as well if SMT is enabled.
++
++ It does not automatically disable SMT.
++
++ off Disables MDS mitigations completely.
++
++ ============ =============================================================
++
++Not specifying this option is equivalent to "mds=full".
++
++
++Mitigation selection guide
++--------------------------
++
++1. Trusted userspace
++^^^^^^^^^^^^^^^^^^^^
++
++ If all userspace applications are from a trusted source and do not
++ execute untrusted code which is supplied externally, then the mitigation
++ can be disabled.
++
++
++2. Virtualization with trusted guests
++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++ The same considerations as above versus trusted user space apply.
++
++3. Virtualization with untrusted guests
++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++ The protection depends on the state of the L1TF mitigations.
++ See :ref:`virt_mechanism`.
++
++ If the MDS mitigation is enabled and SMT is disabled, guest to host and
++ guest to guest attacks are prevented.
++
++.. _mds_default_mitigations:
++
++Default mitigations
++-------------------
++
++ The kernel default mitigations for vulnerable processors are:
++
++ - Enable CPU buffer clearing
++
++ The kernel does not by default enforce the disabling of SMT, which leaves
++ SMT systems vulnerable when running untrusted code. The same rationale as
++ for L1TF applies.
++ See :ref:`Documentation/admin-guide/hw-vuln//l1tf.rst <default_mitigations>`.
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -2227,6 +2227,8 @@
+ Not specifying this option is equivalent to
+ mds=full.
+
++ For details see: Documentation/admin-guide/hw-vuln/mds.rst
++
+ mem=nn[KMG] [KNL,BOOT] Force usage of a specific amount of memory
+ Amount of memory to be used when the kernel is not able
+ to see the whole system memory or for test.
diff --git a/patches.fixes/0001-dt-bindings-clock-r8a7795-Remove-CSIREF-clock.patch b/patches.fixes/0001-dt-bindings-clock-r8a7795-Remove-CSIREF-clock.patch
new file mode 100644
index 0000000000..77ad13fead
--- /dev/null
+++ b/patches.fixes/0001-dt-bindings-clock-r8a7795-Remove-CSIREF-clock.patch
@@ -0,0 +1,38 @@
+From 4102a9edf90112cefec1ab208ea8a75871d63d41 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 20 Nov 2018 16:34:47 +0100
+Subject: [PATCH] dt-bindings: clock: r8a7795: Remove CSIREF clock
+Git-commit: 4102a9edf90112cefec1ab208ea8a75871d63d41
+Patch-mainline: v5.0
+References: bsc#1120902
+
+The R-Car Gen3 HardWare Manual Errata for Rev. 0.52 (Nov 30, 2016)
+removed the CSI reference clock on R-Car H3.
+
+As this definition was never used, it can just be removed.
+The freed slot in the DT bindings header must not be reused, though.
+
+Fixes: 9d0c3c682033d3f1 ("clk: shmobile: Add r8a7795 CPG Core Clock Definitions")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Stephen Boyd <sboyd@kernel.org>
+Reviewed-by: Fabian Baumanis <fabian.baumanis@suse.com>
+---
+ include/dt-bindings/clock/r8a7795-cpg-mssr.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/dt-bindings/clock/r8a7795-cpg-mssr.h b/include/dt-bindings/clock/r8a7795-cpg-mssr.h
+index 948389641565..92b3e2a95179 100644
+--- a/include/dt-bindings/clock/r8a7795-cpg-mssr.h
++++ b/include/dt-bindings/clock/r8a7795-cpg-mssr.h
+@@ -50,7 +50,7 @@
+ #define R8A7795_CLK_CANFD 39
+ #define R8A7795_CLK_HDMI 40
+ #define R8A7795_CLK_CSI0 41
+-#define R8A7795_CLK_CSIREF 42
++/* CLK_CSIREF was removed */
+ #define R8A7795_CLK_CP 43
+ #define R8A7795_CLK_CPEX 44
+ #define R8A7795_CLK_R 45
+--
+2.16.4
+
diff --git a/patches.fixes/0001-dt-bindings-clock-r8a7796-Remove-CSIREF-clock.patch b/patches.fixes/0001-dt-bindings-clock-r8a7796-Remove-CSIREF-clock.patch
new file mode 100644
index 0000000000..fc26871dd7
--- /dev/null
+++ b/patches.fixes/0001-dt-bindings-clock-r8a7796-Remove-CSIREF-clock.patch
@@ -0,0 +1,38 @@
+From 4584738e139ce51c3c89ff5491bf6bc65fb0db69 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 20 Nov 2018 16:34:47 +0100
+Subject: [PATCH] dt-bindings: clock: r8a7796: Remove CSIREF clock
+Git-commit: 4584738e139ce51c3c89ff5491bf6bc65fb0db69
+Patch-mainline: v5.0
+References: bsc#1120902
+
+The R-Car Gen3 HardWare Manual Errata for Rev. 0.52 (Nov 30, 2016)
+removed the CSI reference clock on R-Car M3-W.
+
+As this definition was never used, it can just be removed.
+The freed slot in the DT bindings header must not be reused, though.
+
+Fixes: 972610fb23b08dd5 ("clk: renesas: Add r8a7796 CPG Core Clock Definitions")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Stephen Boyd <sboyd@kernel.org>
+Reviewed-by: Fabian Baumanis <fabian.baumanis@suse.com>
+---
+ include/dt-bindings/clock/r8a7796-cpg-mssr.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/dt-bindings/clock/r8a7796-cpg-mssr.h b/include/dt-bindings/clock/r8a7796-cpg-mssr.h
+index e6087f2f7e3a..c0957cf45840 100644
+--- a/include/dt-bindings/clock/r8a7796-cpg-mssr.h
++++ b/include/dt-bindings/clock/r8a7796-cpg-mssr.h
+@@ -56,7 +56,7 @@
+ #define R8A7796_CLK_CANFD 45
+ #define R8A7796_CLK_HDMI 46
+ #define R8A7796_CLK_CSI0 47
+-#define R8A7796_CLK_CSIREF 48
++/* CLK_CSIREF was removed */
+ #define R8A7796_CLK_CP 49
+ #define R8A7796_CLK_CPEX 50
+ #define R8A7796_CLK_R 51
+--
+2.16.4
+
diff --git a/patches.fixes/0001-dt-bindings-net-Add-binding-for-the-external-clock-f.patch b/patches.fixes/0001-dt-bindings-net-Add-binding-for-the-external-clock-f.patch
new file mode 100644
index 0000000000..85aab365a9
--- /dev/null
+++ b/patches.fixes/0001-dt-bindings-net-Add-binding-for-the-external-clock-f.patch
@@ -0,0 +1,48 @@
+From 3c8e42a7935f720c403612abf896d962a7aa1495 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Wed, 7 Jun 2017 11:08:20 +0200
+Subject: [PATCH] dt-bindings: net: Add binding for the external clock for TI
+ WiLink
+Git-commit: 3c8e42a7935f720c403612abf896d962a7aa1495
+Patch-mainline: v4.13
+References: bsc#1085535
+
+The external clock is provided to the TI WiLink combo chip and it's needed
+for any of the transport interfaces. However let's make it optional to
+avoid breaking existing platforms that yet doesn't specify the clock.
+
+Fixes: ea452678734e ("arm64: dts: hikey: Fix WiFi support")
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Tested-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Reviewed-by: Fabian Baumanis <fabian.baumanis@suse.com>
+---
+ Documentation/devicetree/bindings/net/ti,wilink-st.txt | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/Documentation/devicetree/bindings/net/ti,wilink-st.txt b/Documentation/devicetree/bindings/net/ti,wilink-st.txt
+index b1a421e2fde3..1649c1f66b07 100644
+--- a/Documentation/devicetree/bindings/net/ti,wilink-st.txt
++++ b/Documentation/devicetree/bindings/net/ti,wilink-st.txt
+@@ -28,6 +28,10 @@ Optional properties:
+ - enable-gpios : GPIO signal controlling enabling of BT. Active high.
+ - vio-supply : Vio input supply (1.8V)
+ - vbat-supply : Vbat input supply (2.9-4.8V)
++ - clocks : Must contain an entry, for each entry in clock-names.
++ See ../clocks/clock-bindings.txt for details.
++ - clock-names : Must include the following entry:
++ "ext_clock" (External clock provided to the TI combo chip).
+
+ Example:
+
+@@ -37,5 +41,7 @@ Example:
+ bluetooth {
+ compatible = "ti,wl1835-st";
+ enable-gpios = <&gpio1 7 GPIO_ACTIVE_HIGH>;
++ clocks = <&clk32k_wl18xx>;
++ clock-names = "ext_clock";
+ };
+ };
+--
+2.16.4
+
diff --git a/patches.fixes/0001-dt-bindings-rtc-sun6i-rtc-Fix-register-range-in-exam.patch b/patches.fixes/0001-dt-bindings-rtc-sun6i-rtc-Fix-register-range-in-exam.patch
new file mode 100644
index 0000000000..4fcdaa61ac
--- /dev/null
+++ b/patches.fixes/0001-dt-bindings-rtc-sun6i-rtc-Fix-register-range-in-exam.patch
@@ -0,0 +1,30 @@
+From 8c4cf161a8b42749e986a3503f6cd4f3b5682fe3 Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Fri, 7 Dec 2018 16:47:19 +0800
+Subject: [PATCH] dt-bindings: rtc: sun6i-rtc: Fix register range in example
+Git-commit: 8c4cf161a8b42749e986a3503f6cd4f3b5682fe3
+Patch-mainline: v5.0
+References: bsc#1120902
+
+The register range for the RTC extends beyond 0x54.
+Use the size from the user manual's memory map instead.
+
+Fixes: 9765d2d94309 ("rtc: sun6i: Add sun6i RTC driver")
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Reviewed-by: Fabian Baumanis <fabian.baumanis@suse.com>
+---
+ Documentation/devicetree/bindings/rtc/sun6i-rtc.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/rtc/sun6i-rtc.txt
++++ b/Documentation/devicetree/bindings/rtc/sun6i-rtc.txt
+@@ -19,7 +19,7 @@ Example:
+
+ rtc: rtc@01f00000 {
+ compatible = "allwinner,sun6i-a31-rtc";
+- reg = <0x01f00000 0x54>;
++ reg = <0x01f00000 0x400>;
+ interrupts = <0 40 4>, <0 41 4>;
+ clock-output-names = "osc32k";
+ clocks = <&ext_osc32k>;
diff --git a/patches.fixes/0001-keys-safe-concurrent-user-session-uid-_keyring-acces.patch b/patches.fixes/0001-keys-safe-concurrent-user-session-uid-_keyring-acces.patch
new file mode 100644
index 0000000000..eba974131e
--- /dev/null
+++ b/patches.fixes/0001-keys-safe-concurrent-user-session-uid-_keyring-acces.patch
@@ -0,0 +1,165 @@
+From 0b9dc6c9f01c4a726558b82a3b6082a89d264eb5 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 27 Mar 2019 16:55:08 +0100
+Subject: [PATCH] keys: safe concurrent user->{session,uid}_keyring access
+Git-commit: 0b9dc6c9f01c4a726558b82a3b6082a89d264eb5
+Patch-mainline: v5.2-rc1
+References: bsc#1135642
+
+The current code can perform concurrent updates and reads on
+user->session_keyring and user->uid_keyring. Add a comment to
+struct user_struct to document the nontrivial locking semantics, and use
+READ_ONCE() for unlocked readers and smp_store_release() for writers to
+prevent memory ordering issues.
+
+Fixes: 69664cf16af4 ("keys: don't generate user and user session keyrings unless they're accessed")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ include/linux/sched/user.h | 7 +++++++
+ security/keys/process_keys.c | 31 +++++++++++++++++--------------
+ security/keys/request_key.c | 5 +++--
+ 3 files changed, 27 insertions(+), 16 deletions(-)
+
+--- a/include/linux/sched/user.h
++++ b/include/linux/sched/user.h
+@@ -28,6 +28,13 @@ struct user_struct {
+ atomic_long_t pipe_bufs; /* how many pages are allocated in pipe buffers */
+
+ #ifdef CONFIG_KEYS
++ /*
++ * These pointers can only change from NULL to a non-NULL value once.
++ * Writes are protected by key_user_keyring_mutex.
++ * Unlocked readers should use READ_ONCE() unless they know that
++ * install_user_keyrings() has been called successfully (which sets
++ * these members to non-NULL values, preventing further modifications).
++ */
+ struct key *uid_keyring; /* UID specific keyring */
+ struct key *session_keyring; /* UID's default session keyring */
+ #endif
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -58,7 +58,7 @@ int install_user_keyrings(void)
+
+ kenter("%p{%u}", user, uid);
+
+- if (user->uid_keyring && user->session_keyring) {
++ if (READ_ONCE(user->uid_keyring) && READ_ONCE(user->session_keyring)) {
+ kleave(" = 0 [exist]");
+ return 0;
+ }
+@@ -111,8 +111,10 @@ int install_user_keyrings(void)
+ }
+
+ /* install the keyrings */
+- user->uid_keyring = uid_keyring;
+- user->session_keyring = session_keyring;
++ /* paired with READ_ONCE() */
++ smp_store_release(&user->uid_keyring, uid_keyring);
++ /* paired with READ_ONCE() */
++ smp_store_release(&user->session_keyring, session_keyring);
+ }
+
+ mutex_unlock(&key_user_keyring_mutex);
+@@ -339,6 +341,7 @@ void key_fsgid_changed(struct task_struc
+ key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx)
+ {
+ key_ref_t key_ref, ret, err;
++ const struct cred *cred = ctx->cred;
+
+ /* we want to return -EAGAIN or -ENOKEY if any of the keyrings were
+ * searchable, but we failed to find a key or we found a negative key;
+@@ -352,9 +355,9 @@ key_ref_t search_my_process_keyrings(str
+ err = ERR_PTR(-EAGAIN);
+
+ /* search the thread keyring first */
+- if (ctx->cred->thread_keyring) {
++ if (cred->thread_keyring) {
+ key_ref = keyring_search_aux(
+- make_key_ref(ctx->cred->thread_keyring, 1), ctx);
++ make_key_ref(cred->thread_keyring, 1), ctx);
+ if (!IS_ERR(key_ref))
+ goto found;
+
+@@ -370,9 +373,9 @@ key_ref_t search_my_process_keyrings(str
+ }
+
+ /* search the process keyring second */
+- if (ctx->cred->process_keyring) {
++ if (cred->process_keyring) {
+ key_ref = keyring_search_aux(
+- make_key_ref(ctx->cred->process_keyring, 1), ctx);
++ make_key_ref(cred->process_keyring, 1), ctx);
+ if (!IS_ERR(key_ref))
+ goto found;
+
+@@ -390,10 +393,10 @@ key_ref_t search_my_process_keyrings(str
+ }
+
+ /* search the session keyring */
+- if (ctx->cred->session_keyring) {
++ if (cred->session_keyring) {
+ rcu_read_lock();
+ key_ref = keyring_search_aux(
+- make_key_ref(rcu_dereference(ctx->cred->session_keyring), 1),
++ make_key_ref(rcu_dereference(cred->session_keyring), 1),
+ ctx);
+ rcu_read_unlock();
+
+@@ -413,9 +416,9 @@ key_ref_t search_my_process_keyrings(str
+ }
+ }
+ /* or search the user-session keyring */
+- else if (ctx->cred->user->session_keyring) {
++ else if (READ_ONCE(cred->user->session_keyring)) {
+ key_ref = keyring_search_aux(
+- make_key_ref(ctx->cred->user->session_keyring, 1),
++ make_key_ref(READ_ONCE(cred->user->session_keyring), 1),
+ ctx);
+ if (!IS_ERR(key_ref))
+ goto found;
+@@ -601,7 +604,7 @@ try_again:
+ goto error;
+ goto reget_creds;
+ } else if (ctx.cred->session_keyring ==
+- ctx.cred->user->session_keyring &&
++ READ_ONCE(ctx.cred->user->session_keyring) &&
+ lflags & KEY_LOOKUP_CREATE) {
+ ret = join_session_keyring(NULL);
+ if (ret < 0)
+@@ -617,7 +620,7 @@ try_again:
+ break;
+
+ case KEY_SPEC_USER_KEYRING:
+- if (!ctx.cred->user->uid_keyring) {
++ if (!READ_ONCE(ctx.cred->user->uid_keyring)) {
+ ret = install_user_keyrings();
+ if (ret < 0)
+ goto error;
+@@ -629,7 +632,7 @@ try_again:
+ break;
+
+ case KEY_SPEC_USER_SESSION_KEYRING:
+- if (!ctx.cred->user->session_keyring) {
++ if (!READ_ONCE(ctx.cred->user->session_keyring)) {
+ ret = install_user_keyrings();
+ if (ret < 0)
+ goto error;
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -308,11 +308,12 @@ static int construct_get_dest_keyring(st
+
+ case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
+ dest_keyring =
+- key_get(cred->user->session_keyring);
++ key_get(READ_ONCE(cred->user->session_keyring));
+ break;
+
+ case KEY_REQKEY_DEFL_USER_KEYRING:
+- dest_keyring = key_get(cred->user->uid_keyring);
++ dest_keyring =
++ key_get(READ_ONCE(cred->user->uid_keyring));
+ break;
+
+ case KEY_REQKEY_DEFL_GROUP_KEYRING:
diff --git a/patches.fixes/0001-mm-hwpoison-fix-thp-split-handing-in-soft_offline_in.patch b/patches.fixes/0001-mm-hwpoison-fix-thp-split-handing-in-soft_offline_in.patch
new file mode 100644
index 0000000000..3d03f6be35
--- /dev/null
+++ b/patches.fixes/0001-mm-hwpoison-fix-thp-split-handing-in-soft_offline_in.patch
@@ -0,0 +1,76 @@
+From 46612b751c4941c5c0472ddf04027e877ae5990f Mon Sep 17 00:00:00 2001
+From: zhongjiang <zhongjiang@huawei.com>
+Date: Tue, 5 Mar 2019 15:41:16 -0800
+Subject: [PATCH] mm: hwpoison: fix thp split handing in
+ soft_offline_in_use_page()
+Git-commit: 46612b751c4941c5c0472ddf04027e877ae5990f
+Patch-mainline: v5.1-rc1
+References: bsc#1130699, CVE-2019-10124
+
+When soft_offline_in_use_page() runs on a thp tail page after pmd is
+split, we trigger the following VM_BUG_ON_PAGE():
+
+ Memory failure: 0x3755ff: non anonymous thp
+ __get_any_page: 0x3755ff: unknown zero refcount page type 2fffff80000000
+ Soft offlining pfn 0x34d805 at process virtual address 0x20fff000
+ page:ffffea000d360140 count:0 mapcount:0 mapping:0000000000000000 index:0x1
+ flags: 0x2fffff80000000()
+ raw: 002fffff80000000 ffffea000d360108 ffffea000d360188 0000000000000000
+ raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
+ page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
+ ------------[ cut here ]------------
+ kernel BUG at ./include/linux/mm.h:519!
+
+soft_offline_in_use_page() passed refcount and page lock from tail page
+to head page, which is not needed because we can pass any subpage to
+split_huge_page().
+
+Naoya had fixed a similar issue in c3901e722b29 ("mm: hwpoison: fix thp
+split handling in memory_failure()"). But he missed fixing soft
+offline.
+
+Link: http://lkml.kernel.org/r/1551452476-24000-1-git-send-email-zhongjiang@huawei.com
+Fixes: 61f5d698cc97 ("mm: re-enable THP")
+Signed-off-by: zhongjiang <zhongjiang@huawei.com>
+Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Kirill A. Shutemov <kirill@shutemov.name>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: <stable@vger.kernel.org> [4.5+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+
+---
+ mm/memory-failure.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -1826,19 +1826,17 @@ static int soft_offline_in_use_page(stru
+ struct page *hpage = compound_head(page);
+
+ if (!PageHuge(page) && PageTransHuge(hpage)) {
+- lock_page(hpage);
+- if (!PageAnon(hpage) || unlikely(split_huge_page(hpage))) {
+- unlock_page(hpage);
+- if (!PageAnon(hpage))
++ lock_page(page);
++ if (!PageAnon(page) || unlikely(split_huge_page(page))) {
++ unlock_page(page);
++ if (!PageAnon(page))
+ pr_info("soft offline: %#lx: non anonymous thp\n", page_to_pfn(page));
+ else
+ pr_info("soft offline: %#lx: thp split failed\n", page_to_pfn(page));
+- put_hwpoison_page(hpage);
++ put_hwpoison_page(page);
+ return -EBUSY;
+ }
+- unlock_page(hpage);
+- get_hwpoison_page(page);
+- put_hwpoison_page(hpage);
++ unlock_page(page);
+ }
+
+ if (PageHuge(page))
diff --git a/patches.fixes/0001-mwifiex-Abort-at-too-short-BSS-descriptor-element.patch b/patches.fixes/0001-mwifiex-Abort-at-too-short-BSS-descriptor-element.patch
new file mode 100644
index 0000000000..62221e8979
--- /dev/null
+++ b/patches.fixes/0001-mwifiex-Abort-at-too-short-BSS-descriptor-element.patch
@@ -0,0 +1,89 @@
+From 685c9b7750bfacd6fc1db50d86579980593b7869 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 29 May 2019 14:52:20 +0200
+Subject: [PATCH] mwifiex: Abort at too short BSS descriptor element
+Patch-mainline: Submitted, https://lore.kernel.org/linux-wireless/20190529125220.17066-3-tiwai@suse.de/
+References: bsc#1136424 CVE-2019-3846
+
+Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that
+the source descriptor entries contain the enough size for each type
+and performs copying without checking the source size. This may lead
+to read over boundary.
+
+Fix this by putting the source size check in appropriate places.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/net/wireless/marvell/mwifiex/scan.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
+index 64ab6fe78c0d..c269a0de9413 100644
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -1269,6 +1269,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_FH_PARAMS:
++ if (element_len + 2 < sizeof(*fh_param_set))
++ return -EINVAL;
+ fh_param_set =
+ (struct ieee_types_fh_param_set *) current_ptr;
+ memcpy(&bss_entry->phy_param_set.fh_param_set,
+@@ -1277,6 +1279,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_DS_PARAMS:
++ if (element_len + 2 < sizeof(*ds_param_set))
++ return -EINVAL;
+ ds_param_set =
+ (struct ieee_types_ds_param_set *) current_ptr;
+
+@@ -1288,6 +1292,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_CF_PARAMS:
++ if (element_len + 2 < sizeof(*cf_param_set))
++ return -EINVAL;
+ cf_param_set =
+ (struct ieee_types_cf_param_set *) current_ptr;
+ memcpy(&bss_entry->ss_param_set.cf_param_set,
+@@ -1296,6 +1302,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_IBSS_PARAMS:
++ if (element_len + 2 < sizeof(*ibss_param_set))
++ return -EINVAL;
+ ibss_param_set =
+ (struct ieee_types_ibss_param_set *)
+ current_ptr;
+@@ -1305,10 +1313,14 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_ERP_INFO:
++ if (!element_len)
++ return -EINVAL;
+ bss_entry->erp_flags = *(current_ptr + 2);
+ break;
+
+ case WLAN_EID_PWR_CONSTRAINT:
++ if (!element_len)
++ return -EINVAL;
+ bss_entry->local_constraint = *(current_ptr + 2);
+ bss_entry->sensed_11h = true;
+ break;
+@@ -1349,6 +1361,9 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_VENDOR_SPECIFIC:
++ if (element_len + 2 < sizeof(vendor_ie->vend_hdr))
++ return -EINVAL;
++
+ vendor_ie = (struct ieee_types_vendor_specific *)
+ current_ptr;
+
+--
+2.16.4
+
diff --git a/patches.fixes/0001-mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch b/patches.fixes/0001-mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch
new file mode 100644
index 0000000000..17e460814d
--- /dev/null
+++ b/patches.fixes/0001-mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch
@@ -0,0 +1,115 @@
+From 69ae4f6aac1578575126319d3f55550e7e440449 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 31 May 2019 15:18:41 +0200
+Subject: [PATCH] mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
+Patch-mainline: Submitted, https://www.spinics.net/lists/linux-wireless/msg186667.html
+References: bsc#1136935
+
+A few places in mwifiex_uap_parse_tail_ies() perform memcpy()
+unconditionally, which may lead to either buffer overflow or read over
+boundary.
+
+This patch addresses the issues by checking the read size and the
+destination size at each place more properly. Along with the fixes,
+the patch cleans up the code slightly by introducing a temporary
+variable for the token size, and unifies the error path with the
+standard goto statement.
+
+Reported-by: huangwen <huangwen@venustech.com.cn>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/net/wireless/marvell/mwifiex/ie.c | 45 ++++++++++++++++++++----------
+ 1 file changed, 30 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/ie.c
++++ b/drivers/net/wireless/marvell/mwifiex/ie.c
+@@ -329,6 +329,8 @@ static int mwifiex_uap_parse_tail_ies(st
+ struct ieee80211_vendor_ie *vendorhdr;
+ u16 gen_idx = MWIFIEX_AUTO_IDX_MASK, ie_len = 0;
+ int left_len, parsed_len = 0;
++ unsigned int token_len;
++ int err = 0;
+
+ if (!info->tail || !info->tail_len)
+ return 0;
+@@ -344,6 +346,12 @@ static int mwifiex_uap_parse_tail_ies(st
+ */
+ while (left_len > sizeof(struct ieee_types_header)) {
+ hdr = (void *)(info->tail + parsed_len);
++ token_len = hdr->len + sizeof(struct ieee_types_header);
++ if (token_len > left_len) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ switch (hdr->element_id) {
+ case WLAN_EID_SSID:
+ case WLAN_EID_SUPP_RATES:
+@@ -357,13 +365,16 @@ static int mwifiex_uap_parse_tail_ies(st
+ case WLAN_EID_VENDOR_SPECIFIC:
+ break;
+ default:
+- memcpy(gen_ie->ie_buffer + ie_len, hdr,
+- hdr->len + sizeof(struct ieee_types_header));
+- ie_len += hdr->len + sizeof(struct ieee_types_header);
++ if (ie_len + token_len > IEEE_MAX_IE_SIZE) {
++ err = -EINVAL;
++ goto out;
++ }
++ memcpy(gen_ie->ie_buffer + ie_len, hdr, token_len);
++ ie_len += token_len;
+ break;
+ }
+- left_len -= hdr->len + sizeof(struct ieee_types_header);
+- parsed_len += hdr->len + sizeof(struct ieee_types_header);
++ left_len -= token_len;
++ parsed_len += token_len;
+ }
+
+ /* parse only WPA vendor IE from tail, WMM IE is configured by
+@@ -373,15 +384,17 @@ static int mwifiex_uap_parse_tail_ies(st
+ WLAN_OUI_TYPE_MICROSOFT_WPA,
+ info->tail, info->tail_len);
+ if (vendorhdr) {
+- memcpy(gen_ie->ie_buffer + ie_len, vendorhdr,
+- vendorhdr->len + sizeof(struct ieee_types_header));
+- ie_len += vendorhdr->len + sizeof(struct ieee_types_header);
++ token_len = vendorhdr->len + sizeof(struct ieee_types_header);
++ if (ie_len + token_len > IEEE_MAX_IE_SIZE) {
++ err = -EINVAL;
++ goto out;
++ }
++ memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, token_len);
++ ie_len += token_len;
+ }
+
+- if (!ie_len) {
+- kfree(gen_ie);
+- return 0;
+- }
++ if (!ie_len)
++ goto out;
+
+ gen_ie->ie_index = cpu_to_le16(gen_idx);
+ gen_ie->mgmt_subtype_mask = cpu_to_le16(MGMT_MASK_BEACON |
+@@ -391,13 +404,15 @@ static int mwifiex_uap_parse_tail_ies(st
+
+ if (mwifiex_update_uap_custom_ie(priv, gen_ie, &gen_idx, NULL, NULL,
+ NULL, NULL)) {
+- kfree(gen_ie);
+- return -1;
++ err = -EINVAL;
++ goto out;
+ }
+
+ priv->gen_idx = gen_idx;
++
++ out:
+ kfree(gen_ie);
+- return 0;
++ return err;
+ }
+
+ /* This function parses different IEs-head & tail IEs, beacon IEs,
diff --git a/patches.fixes/0001-mwifiex-Fix-possible-buffer-overflows-at-parsing-bss.patch b/patches.fixes/0001-mwifiex-Fix-possible-buffer-overflows-at-parsing-bss.patch
new file mode 100644
index 0000000000..0bbe3b355d
--- /dev/null
+++ b/patches.fixes/0001-mwifiex-Fix-possible-buffer-overflows-at-parsing-bss.patch
@@ -0,0 +1,50 @@
+From 13ec7f10b87f5fc04c4ccbd491c94c7980236a74 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 29 May 2019 14:52:19 +0200
+Subject: [PATCH] mwifiex: Fix possible buffer overflows at parsing bss
+ descriptor
+Patch-mainline: Submitted, https://lore.kernel.org/linux-wireless/20190529125220.17066-1-tiwai@suse.de/
+References: bsc#1136424 CVE-2019-3846
+
+mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
+a couple places without checking the destination size. Since the
+source is given from user-space, this may trigger a heap buffer
+overflow.
+
+Fix it by putting the length check before performing memcpy().
+
+This fix addresses CVE-2019-3846.
+
+Reported-by: huangwen <huangwen@venustech.com.cn>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/net/wireless/marvell/mwifiex/scan.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
+index 935778ec9a1b..64ab6fe78c0d 100644
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -1247,6 +1247,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ }
+ switch (element_id) {
+ case WLAN_EID_SSID:
++ if (element_len > IEEE80211_MAX_SSID_LEN)
++ return -EINVAL;
+ bss_entry->ssid.ssid_len = element_len;
+ memcpy(bss_entry->ssid.ssid, (current_ptr + 2),
+ element_len);
+@@ -1256,6 +1258,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_SUPP_RATES:
++ if (element_len > MWIFIEX_SUPPORTED_RATES)
++ return -EINVAL;
+ memcpy(bss_entry->data_rates, current_ptr + 2,
+ element_len);
+ memcpy(bss_entry->supported_rates, current_ptr + 2,
+--
+2.16.4
+
diff --git a/patches.fixes/0001-of-fix-clang-Wunsequenced-for-be32_to_cpu.patch b/patches.fixes/0001-of-fix-clang-Wunsequenced-for-be32_to_cpu.patch
new file mode 100644
index 0000000000..504c50247a
--- /dev/null
+++ b/patches.fixes/0001-of-fix-clang-Wunsequenced-for-be32_to_cpu.patch
@@ -0,0 +1,59 @@
+From 440868661f36071886ed360d91de83bd67c73b4f Mon Sep 17 00:00:00 2001
+From: Phong Tran <tranmanphong@gmail.com>
+Date: Tue, 30 Apr 2019 21:56:24 +0700
+Subject: [PATCH] of: fix clang -Wunsequenced for be32_to_cpu()
+Git-commit: 440868661f36071886ed360d91de83bd67c73b4f
+Patch-mainline: v5.2-rc1
+References: bsc#1135642
+
+Now, make the loop explicit to avoid clang warning.
+
+./include/linux/of.h:238:37: warning: multiple unsequenced modifications
+to 'cell' [-Wunsequenced]
+ r = (r << 32) | be32_to_cpu(*(cell++));
+ ^~
+./include/linux/byteorder/generic.h:95:21: note: expanded from macro
+'be32_to_cpu'
+ ^
+./include/uapi/linux/byteorder/little_endian.h:40:59: note: expanded
+from macro '__be32_to_cpu'
+ ^
+./include/uapi/linux/swab.h:118:21: note: expanded from macro '__swab32'
+ ___constant_swab32(x) : \
+ ^
+./include/uapi/linux/swab.h:18:12: note: expanded from macro
+'___constant_swab32'
+ (((__u32)(x) & (__u32)0x000000ffUL) << 24) | \
+ ^
+
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Reported-by: Nick Desaulniers <ndesaulniers@google.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/460
+Suggested-by: David Laight <David.Laight@ACULAB.COM>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Cc: stable@vger.kernel.org
+[robh: fix up whitespace]
+Signed-off-by: Rob Herring <robh@kernel.org>
+Reviewed-by: Fabian Baumanis <fabian.baumanis@suse.com>
+---
+ include/linux/of.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/of.h b/include/linux/of.h
+index 28797e1a9982..0cf857012f11 100644
+--- a/include/linux/of.h
++++ b/include/linux/of.h
+@@ -234,8 +234,8 @@ extern struct device_node *of_find_all_nodes(struct device_node *prev);
+ static inline u64 of_read_number(const __be32 *cell, int size)
+ {
+ u64 r = 0;
+- while (size--)
+- r = (r << 32) | be32_to_cpu(*(cell++));
++ for (; size--; cell++)
++ r = (r << 32) | be32_to_cpu(*cell);
+ return r;
+ }
+
+--
+2.16.4
+
diff --git a/patches.fixes/0001-p54-drop-device-reference-count-if-fails-to-enable-d.patch b/patches.fixes/0001-p54-drop-device-reference-count-if-fails-to-enable-d.patch
new file mode 100644
index 0000000000..a6d6ec0bef
--- /dev/null
+++ b/patches.fixes/0001-p54-drop-device-reference-count-if-fails-to-enable-d.patch
@@ -0,0 +1,45 @@
+From 8149069db81853570a665f5e5648c0e526dc0e43 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Wed, 17 Apr 2019 17:41:23 +0800
+Subject: [PATCH] p54: drop device reference count if fails to enable device
+Git-commit: 8149069db81853570a665f5e5648c0e526dc0e43
+Patch-mainline: v5.2-rc1
+References: bsc#1135642
+
+The function p54p_probe takes an extra reference count of the PCI
+device. However, the extra reference count is not dropped when it fails
+to enable the PCI device. This patch fixes the bug.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Acked-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/net/wireless/intersil/p54/p54pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intersil/p54/p54pci.c b/drivers/net/wireless/intersil/p54/p54pci.c
+index 27a49068d32d..57ad56435dda 100644
+--- a/drivers/net/wireless/intersil/p54/p54pci.c
++++ b/drivers/net/wireless/intersil/p54/p54pci.c
+@@ -554,7 +554,7 @@ static int p54p_probe(struct pci_dev *pdev,
+ err = pci_enable_device(pdev);
+ if (err) {
+ dev_err(&pdev->dev, "Cannot enable new PCI device\n");
+- return err;
++ goto err_put;
+ }
+
+ mem_addr = pci_resource_start(pdev, 0);
+@@ -639,6 +639,7 @@ static int p54p_probe(struct pci_dev *pdev,
+ pci_release_regions(pdev);
+ err_disable_dev:
+ pci_disable_device(pdev);
++err_put:
+ pci_dev_put(pdev);
+ return err;
+ }
+--
+2.16.4
+
diff --git a/patches.fixes/0001-xenbus-drop-useless-LIST_HEAD-in-xenbus_write_watch-.patch b/patches.fixes/0001-xenbus-drop-useless-LIST_HEAD-in-xenbus_write_watch-.patch
new file mode 100644
index 0000000000..04d046ecb5
--- /dev/null
+++ b/patches.fixes/0001-xenbus-drop-useless-LIST_HEAD-in-xenbus_write_watch-.patch
@@ -0,0 +1,45 @@
+Patch-mainline: v5.2-rc1
+Git-commit: 51cf07a7b6cd99d9b910932e2af4e7282782e3fe
+References: bsc#1065600
+From: Mao Wenan <maowenan@huawei.com>
+Date: Tue, 16 Apr 2019 12:06:51 +0800
+Subject: [PATCH] xenbus: drop useless LIST_HEAD in xenbus_write_watch() and
+ xenbus_file_write()
+
+Drop LIST_HEAD where the variable it declares is never used.
+
+The declarations were introduced with the file, but the declared
+variables were not used.
+
+Fixes: 1107ba885e469 ("xen: add xenfs to allow usermode <-> Xen interaction")
+Signed-off-by: Mao Wenan <maowenan@huawei.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+---
+ drivers/xen/xenbus/xenbus_dev_frontend.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c
+index 0782ff3c2273..faf452d0edf0 100644
+--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
+@@ -465,7 +465,6 @@ static int xenbus_write_watch(unsigned msg_type, struct xenbus_file_priv *u)
+ struct watch_adapter *watch;
+ char *path, *token;
+ int err, rc;
+- LIST_HEAD(staging_q);
+
+ path = u->u.buffer + sizeof(u->u.msg);
+ token = memchr(path, 0, u->u.msg.len);
+@@ -523,7 +522,6 @@ static ssize_t xenbus_file_write(struct file *filp,
+ uint32_t msg_type;
+ int rc = len;
+ int ret;
+- LIST_HEAD(staging_q);
+
+ /*
+ * We're expecting usermode to be writing properly formed
+--
+2.16.4
+
diff --git a/patches.fixes/0002-btrfs-qgroup-Check-bg-while-resuming-relocation-to-a.patch b/patches.fixes/0002-btrfs-qgroup-Check-bg-while-resuming-relocation-to-a.patch
new file mode 100644
index 0000000000..95dd770c40
--- /dev/null
+++ b/patches.fixes/0002-btrfs-qgroup-Check-bg-while-resuming-relocation-to-a.patch
@@ -0,0 +1,93 @@
+From 57949d033a09c57d77be218b5bec07af6878ab32 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Tue, 21 May 2019 19:28:08 +0800
+Git-commit: 57949d033a09c57d77be218b5bec07af6878ab32
+Patch-mainline: v5.2-rc3
+References: bsc#1134806
+Subject: [PATCH 2/2] btrfs: qgroup: Check bg while resuming relocation to
+ avoid NULL pointer dereference
+
+[BUG]
+When mounting a fs with reloc tree and has qgroup enabled, it can cause
+NULL pointer dereference at mount time:
+
+ BUG: kernel NULL pointer dereference, address: 00000000000000a8
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ RIP: 0010:btrfs_qgroup_add_swapped_blocks+0x186/0x300 [btrfs]
+ Call Trace:
+ replace_path.isra.23+0x685/0x900 [btrfs]
+ merge_reloc_root+0x26e/0x5f0 [btrfs]
+ merge_reloc_roots+0x10a/0x1a0 [btrfs]
+ btrfs_recover_relocation+0x3cd/0x420 [btrfs]
+ open_ctree+0x1bc8/0x1ed0 [btrfs]
+ btrfs_mount_root+0x544/0x680 [btrfs]
+ legacy_get_tree+0x34/0x60
+ vfs_get_tree+0x2d/0xf0
+ fc_mount+0x12/0x40
+ vfs_kern_mount.part.12+0x61/0xa0
+ vfs_kern_mount+0x13/0x20
+ btrfs_mount+0x16f/0x860 [btrfs]
+ legacy_get_tree+0x34/0x60
+ vfs_get_tree+0x2d/0xf0
+ do_mount+0x81f/0xac0
+ ksys_mount+0xbf/0xe0
+ __x64_sys_mount+0x25/0x30
+ do_syscall_64+0x65/0x240
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+[CAUSE]
+In btrfs_recover_relocation(), we don't have enough info to determine
+which block group we're relocating, but only to merge existing reloc
+trees.
+
+Thus in btrfs_recover_relocation(), rc->block_group is NULL.
+btrfs_qgroup_add_swapped_blocks() hasn't taken this into consideration,
+and causes a NULL pointer dereference.
+
+The bug is introduced by commit 3d0174f78e72 ("btrfs: qgroup: Only trace
+data extents in leaves if we're relocating data block group"), and
+later qgroup refactoring still keeps this optimization.
+
+[FIX]
+Thankfully in the context of btrfs_recover_relocation(), there is no
+other progress can modify tree blocks, thus those swapped tree blocks
+pair will never affect qgroup numbers, no matter whatever we set for
+block->trace_leaf.
+
+So we only need to check if @bg is NULL before accessing @bg->flags.
+
+Reported-by: Juan Erbes <jerbes@gmail.com>
+Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1134806
+Fixes: 3d0174f78e72 ("btrfs: qgroup: Only trace data extents in leaves if we're relocating data block group")
+CC: stable@vger.kernel.org # 4.20+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/qgroup.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index 2f708f2c4e67..3e6ffbbd8b0a 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -3830,7 +3830,13 @@ int btrfs_qgroup_add_swapped_blocks(struct btrfs_trans_handle *trans,
+ subvol_slot);
+ block->last_snapshot = last_snapshot;
+ block->level = level;
+- if (bg->flags & BTRFS_BLOCK_GROUP_DATA)
++
++ /*
++ * If we have bg == NULL, we're called from btrfs_recover_relocation(),
++ * no one else can modify tree blocks thus we qgroup will not change
++ * no matter the value of trace_leaf.
++ */
++ if (bg && bg->flags & BTRFS_BLOCK_GROUP_DATA)
+ block->trace_leaf = true;
+ else
+ block->trace_leaf = false;
+--
+2.21.0
+
diff --git a/patches.fixes/KVM-s390-fix-memory-overwrites-when-not-using-SCA-en.patch b/patches.fixes/KVM-s390-fix-memory-overwrites-when-not-using-SCA-en.patch
new file mode 100644
index 0000000000..448a939978
--- /dev/null
+++ b/patches.fixes/KVM-s390-fix-memory-overwrites-when-not-using-SCA-en.patch
@@ -0,0 +1,40 @@
+From: David Hildenbrand <david@redhat.com>
+Date: Tue, 6 Mar 2018 14:27:58 +0100
+Subject: KVM: s390: fix memory overwrites when not using SCA entries
+Patch-mainline: v4.16-rc5
+Git-commit: f07afa0462b76a5b9c4f3a43d5ac24fdb86a90c2
+References: bsc#1136206
+
+Even if we don't have extended SCA support, we can have more than 64 CPUs
+if we don't enable any HW features that might use the SCA entries.
+
+Now, this works just fine, but we missed a return, which is why we
+would actually store the SCA entries. If we have more than 64 CPUs, this
+means writing outside of the basic SCA - bad.
+
+Let's fix this. This allows > 64 CPUs when running nested (under vSIE)
+without random crashes.
+
+Fixes: a6940674c384 ("KVM: s390: allow 255 VCPUs when sca entries aren't used")
+Reported-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Message-Id: <20180306132758.21034-1-david@redhat.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ arch/s390/kvm/kvm-s390.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -2132,6 +2132,7 @@ static void sca_add_vcpu(struct kvm_vcpu
+ /* we still need the basic sca for the ipte control */
+ vcpu->arch.sie_block->scaoh = (__u32)(((__u64)sca) >> 32);
+ vcpu->arch.sie_block->scaol = (__u32)(__u64)sca;
++ return;
+ }
+ read_lock(&vcpu->kvm->arch.sca_lock);
+ if (vcpu->kvm->arch.use_esca) {
diff --git a/patches.fixes/KVM-s390-provide-io-interrupt-kvm_stat.patch b/patches.fixes/KVM-s390-provide-io-interrupt-kvm_stat.patch
new file mode 100644
index 0000000000..ece8c102df
--- /dev/null
+++ b/patches.fixes/KVM-s390-provide-io-interrupt-kvm_stat.patch
@@ -0,0 +1,29 @@
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Wed, 28 Feb 2018 18:44:34 +0000
+Subject: KVM: s390: provide io interrupt kvm_stat
+Patch-mainline: v4.16-rc5
+Git-commit: 09a0fb67536a49af19f2bfc632100e9de91fe526
+References: bsc#1136206
+
+We already count io interrupts, but we forgot to print them.
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Fixes: d8346b7d9b ("KVM: s390: Support for I/O interrupts.")
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ arch/s390/kvm/kvm-s390.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -86,6 +86,7 @@ struct kvm_stats_debugfs_item debugfs_en
+ { "deliver_prefix_signal", VCPU_STAT(deliver_prefix_signal) },
+ { "deliver_restart_signal", VCPU_STAT(deliver_restart_signal) },
+ { "deliver_program_interruption", VCPU_STAT(deliver_program_int) },
++ { "deliver_io_interrupt", VCPU_STAT(deliver_io_int) },
+ { "exit_wait_state", VCPU_STAT(exit_wait_state) },
+ { "instruction_epsw", VCPU_STAT(instruction_epsw) },
+ { "instruction_gs", VCPU_STAT(instruction_gs) },
diff --git a/patches.fixes/KVM-s390-use-created_vcpus-in-more-places.patch b/patches.fixes/KVM-s390-use-created_vcpus-in-more-places.patch
new file mode 100644
index 0000000000..3d8b7f57f4
--- /dev/null
+++ b/patches.fixes/KVM-s390-use-created_vcpus-in-more-places.patch
@@ -0,0 +1,44 @@
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Thu, 16 Nov 2017 15:12:52 +0100
+Subject: KVM: s390: use created_vcpus in more places
+Patch-mainline: v4.16-rc1
+Git-commit: 241e3ec0faf5ab1a0d9b1f6c43eefa919fb9c112
+References: bsc#1136206
+
+commit a03825bbd0c3 ("KVM: s390: use kvm->created_vcpus") introduced
+kvm->created_vcpus to avoid races with the existing kvm->online_vcpus
+scheme. One place was "forgotten" and one new place was "added".
+Let's fix those.
+
+Reported-by: Halil Pasic <pasic@linux.vnet.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Halil Pasic <pasic@linux.vnet.ibm.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Fixes: 4e0b1ab72b8a ("KVM: s390: gs support for kvm guests")
+Fixes: a03825bbd0c3 ("KVM: s390: use kvm->created_vcpus")
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ arch/s390/kvm/kvm-s390.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -576,7 +576,7 @@ static int kvm_vm_ioctl_enable_cap(struc
+ case KVM_CAP_S390_GS:
+ r = -EINVAL;
+ mutex_lock(&kvm->lock);
+- if (atomic_read(&kvm->online_vcpus)) {
++ if (kvm->created_vcpus) {
+ r = -EBUSY;
+ } else if (test_facility(133)) {
+ set_kvm_facility(kvm->arch.model.fac_mask, 133);
+@@ -1098,7 +1098,7 @@ static int kvm_s390_set_processor_feat(s
+ return -EINVAL;
+
+ mutex_lock(&kvm->lock);
+- if (!atomic_read(&kvm->online_vcpus)) {
++ if (!kvm->created_vcpus) {
+ bitmap_copy(kvm->arch.cpu_feat, (unsigned long *) data.feat,
+ KVM_S390_VM_CPU_FEAT_NR_BITS);
+ ret = 0;
diff --git a/patches.fixes/KVM-s390-vsie-fix-8k-check-for-the-itdba.patch b/patches.fixes/KVM-s390-vsie-fix-8k-check-for-the-itdba.patch
new file mode 100644
index 0000000000..c5ab435c5f
--- /dev/null
+++ b/patches.fixes/KVM-s390-vsie-fix-8k-check-for-the-itdba.patch
@@ -0,0 +1,41 @@
+From: David Hildenbrand <david@redhat.com>
+Date: Wed, 9 May 2018 16:12:17 +0200
+Subject: KVM: s390: vsie: fix < 8k check for the itdba
+Patch-mainline: v4.17-rc7
+Git-commit: f4a551b72358facbbe5714248dff78404272feee
+References: bsc#1136206
+
+By missing an "L", we might detect some addresses to be <8k,
+although they are not.
+
+e.g. for itdba = 100001fff
+!(gpa & ~0x1fffU) -> 1
+!(gpa & ~0x1fffUL) -> 0
+
+So we would report a SIE validity intercept although everything is fine.
+
+Fixes: 166ecb3 ("KVM: s390: vsie: support transactional execution")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+Cc: stable@vger.kernel.org # v4.8+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ arch/s390/kvm/vsie.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/vsie.c
++++ b/arch/s390/kvm/vsie.c
+@@ -563,7 +563,7 @@ static int pin_blocks(struct kvm_vcpu *v
+
+ gpa = scb_o->itdba & ~0xffUL;
+ if (gpa && (scb_s->ecb & ECB_TE)) {
+- if (!(gpa & ~0x1fffU)) {
++ if (!(gpa & ~0x1fffUL)) {
+ rc = set_validity_icpt(scb_s, 0x0080U);
+ goto unpin;
+ }
diff --git a/patches.fixes/RDMA-rxe-Consider-skb-reserve-space-based-on-netdev-.patch b/patches.fixes/RDMA-rxe-Consider-skb-reserve-space-based-on-netdev-.patch
new file mode 100644
index 0000000000..4b3d5128f5
--- /dev/null
+++ b/patches.fixes/RDMA-rxe-Consider-skb-reserve-space-based-on-netdev-.patch
@@ -0,0 +1,32 @@
+From: Parav Pandit <parav@mellanox.com>
+Date: Thu, 2 May 2019 10:48:01 +0300
+Subject: RDMA/rxe: Consider skb reserve space based on netdev of GID
+Patch-mainline: v5.2-rc1
+Git-commit: 3bf3e2b881c1412d0329ce9376dfe1518489b8fc
+References: bsc#1082387, bsc#1103992, FATE#326009
+
+Always consider the skb reserve space based on netdevice of the GID
+attribute, regardless of vlan or non vlan netdevice.
+
+Fixes: 43c9fc509fa5 ("rdma_rxe: make rxe work over 802.1q VLAN devices")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Acked-by: Martin Wilck <mwilck@suse.com>
+---
+ drivers/infiniband/sw/rxe/rxe_net.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_net.c
++++ b/drivers/infiniband/sw/rxe/rxe_net.c
+@@ -558,8 +558,9 @@ struct sk_buff *rxe_init_packet(struct r
+ return NULL;
+ }
+
+- skb_reserve(skb, hdr_len + LL_RESERVED_SPACE(rxe->ndev));
++ skb_reserve(skb, hdr_len + LL_RESERVED_SPACE(ndev));
+
++ /* FIXME: hold reference to this netdev until life of this skb. */
+ skb->dev = ndev;
+ if (av->network_type == RDMA_NETWORK_IPV4)
+ skb->protocol = htons(ETH_P_IP);
diff --git a/patches.fixes/bpf-add-map_lookup_elem_sys_only-for-lookups-from-sy.patch b/patches.fixes/bpf-add-map_lookup_elem_sys_only-for-lookups-from-sy.patch
new file mode 100644
index 0000000000..b0e4a1492a
--- /dev/null
+++ b/patches.fixes/bpf-add-map_lookup_elem_sys_only-for-lookups-from-sy.patch
@@ -0,0 +1,51 @@
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Tue, 14 May 2019 01:18:55 +0200
+Subject: bpf: add map_lookup_elem_sys_only for lookups from syscall side
+Patch-mainline: Queued in subsystem maintainer repository
+Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
+Git-commit: c6110222c6f49ea68169f353565eb865488a8619
+References: bsc#1083647
+
+Add a callback map_lookup_elem_sys_only() that map implementations
+could use over map_lookup_elem() from system call side in case the
+map implementation needs to handle the latter differently than from
+the BPF data path. If map_lookup_elem_sys_only() is set, this will
+be preferred pick for map lookups out of user space. This hook is
+used in a follow-up fix for LRU map, but once development window
+opens, we can convert other map types from map_lookup_elem() (here,
+the one called upon BPF_MAP_LOOKUP_ELEM cmd is meant) over to use
+the callback to simplify and clean up the latter.
+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Gary Lin <glin@suse.com>
+---
+ include/linux/bpf.h | 1 +
+ kernel/bpf/syscall.c | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -25,6 +25,7 @@ struct bpf_map_ops {
+ void (*map_release)(struct bpf_map *map, struct file *map_file);
+ void (*map_free)(struct bpf_map *map);
+ int (*map_get_next_key)(struct bpf_map *map, void *key, void *next_key);
++ void *(*map_lookup_elem_sys_only)(struct bpf_map *map, void *key);
+
+ /* funcs callable from userspace and from eBPF programs */
+ void *(*map_lookup_elem)(struct bpf_map *map, void *key);
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -488,7 +488,10 @@ static int map_lookup_elem(union bpf_att
+ err = bpf_fd_htab_map_lookup_elem(map, key, value);
+ } else {
+ rcu_read_lock();
+- ptr = map->ops->map_lookup_elem(map, key);
++ if (map->ops->map_lookup_elem_sys_only)
++ ptr = map->ops->map_lookup_elem_sys_only(map, key);
++ else
++ ptr = map->ops->map_lookup_elem(map, key);
+ if (ptr)
+ memcpy(value, ptr, value_size);
+ rcu_read_unlock();
diff --git a/patches.fixes/bpf-lru-avoid-messing-with-eviction-heuristics-upon-.patch b/patches.fixes/bpf-lru-avoid-messing-with-eviction-heuristics-upon-.patch
new file mode 100644
index 0000000000..aab4ca02cb
--- /dev/null
+++ b/patches.fixes/bpf-lru-avoid-messing-with-eviction-heuristics-upon-.patch
@@ -0,0 +1,104 @@
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Tue, 14 May 2019 01:18:56 +0200
+Subject: bpf, lru: avoid messing with eviction heuristics upon syscall lookup
+Patch-mainline: Queued in subsystem maintainer repository
+Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
+Git-commit: 50b045a8c0ccf44f76640ac3eea8d80ca53979a3
+References: bsc#1083647
+
+One of the biggest issues we face right now with picking LRU map over
+regular hash table is that a map walk out of user space, for example,
+to just dump the existing entries or to remove certain ones, will
+completely mess up LRU eviction heuristics and wrong entries such
+as just created ones will get evicted instead. The reason for this
+is that we mark an entry as "in use" via bpf_lru_node_set_ref() from
+system call lookup side as well. Thus upon walk, all entries are
+being marked, so information of actual least recently used ones
+are "lost".
+
+In case of Cilium where it can be used (besides others) as a BPF
+based connection tracker, this current behavior causes disruption
+upon control plane changes that need to walk the map from user space
+to evict certain entries. Discussion result from bpfconf [0] was that
+we should simply just remove marking from system call side as no
+good use case could be found where it's actually needed there.
+Therefore this patch removes marking for regular LRU and per-CPU
+flavor. If there ever should be a need in future, the behavior could
+be selected via map creation flag, but due to mentioned reason we
+avoid this here.
+
+ [0] http://vger.kernel.org/bpfconf.html
+
+Fixes: 29ba732acbee ("bpf: Add BPF_MAP_TYPE_LRU_HASH")
+Fixes: 8f8449384ec3 ("bpf: Add BPF_MAP_TYPE_LRU_PERCPU_HASH")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Gary Lin <glin@suse.com>
+---
+ kernel/bpf/hashtab.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+--- a/kernel/bpf/hashtab.c
++++ b/kernel/bpf/hashtab.c
+@@ -493,18 +493,30 @@ static u32 htab_map_gen_lookup(struct bp
+ return insn - insn_buf;
+ }
+
+-static void *htab_lru_map_lookup_elem(struct bpf_map *map, void *key)
++static __always_inline void *__htab_lru_map_lookup_elem(struct bpf_map *map,
++ void *key, const bool mark)
+ {
+ struct htab_elem *l = __htab_map_lookup_elem(map, key);
+
+ if (l) {
+- bpf_lru_node_set_ref(&l->lru_node);
++ if (mark)
++ bpf_lru_node_set_ref(&l->lru_node);
+ return l->key + round_up(map->key_size, 8);
+ }
+
+ return NULL;
+ }
+
++static void *htab_lru_map_lookup_elem(struct bpf_map *map, void *key)
++{
++ return __htab_lru_map_lookup_elem(map, key, true);
++}
++
++static void *htab_lru_map_lookup_elem_sys(struct bpf_map *map, void *key)
++{
++ return __htab_lru_map_lookup_elem(map, key, false);
++}
++
+ static u32 htab_lru_map_gen_lookup(struct bpf_map *map,
+ struct bpf_insn *insn_buf)
+ {
+@@ -1154,6 +1166,7 @@ const struct bpf_map_ops htab_lru_map_op
+ .map_free = htab_map_free,
+ .map_get_next_key = htab_map_get_next_key,
+ .map_lookup_elem = htab_lru_map_lookup_elem,
++ .map_lookup_elem_sys_only = htab_lru_map_lookup_elem_sys,
+ .map_update_elem = htab_lru_map_update_elem,
+ .map_delete_elem = htab_lru_map_delete_elem,
+ .map_gen_lookup = htab_lru_map_gen_lookup,
+@@ -1184,7 +1197,6 @@ static void *htab_lru_percpu_map_lookup_
+
+ int bpf_percpu_hash_copy(struct bpf_map *map, void *key, void *value)
+ {
+- struct bpf_htab *htab = container_of(map, struct bpf_htab, map);
+ struct htab_elem *l;
+ void __percpu *pptr;
+ int ret = -ENOENT;
+@@ -1200,8 +1212,9 @@ int bpf_percpu_hash_copy(struct bpf_map
+ l = __htab_map_lookup_elem(map, key);
+ if (!l)
+ goto out;
+- if (htab_is_lru(htab))
+- bpf_lru_node_set_ref(&l->lru_node);
++ /* We do not mark LRU map element here in order to not mess up
++ * eviction heuristics when user space does a map walk.
++ */
+ pptr = htab_elem_get_ptr(l, map->key_size);
+ for_each_possible_cpu(cpu) {
+ bpf_long_memcpy(value + off,
diff --git a/patches.fixes/configfs-Fix-use-after-free-when-accessing-sd-s_dent.patch b/patches.fixes/configfs-Fix-use-after-free-when-accessing-sd-s_dent.patch
new file mode 100644
index 0000000000..fe82bfef12
--- /dev/null
+++ b/patches.fixes/configfs-Fix-use-after-free-when-accessing-sd-s_dent.patch
@@ -0,0 +1,60 @@
+From f6122ed2a4f9c9c1c073ddf6308d1b2ac10e0781 Mon Sep 17 00:00:00 2001
+From: Sahitya Tummala <stummala@codeaurora.org>
+Date: Thu, 3 Jan 2019 16:48:15 +0530
+Subject: [PATCH] configfs: Fix use-after-free when accessing sd->s_dentry
+Git-commit: f6122ed2a4f9c9c1c073ddf6308d1b2ac10e0781
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+In the vfs_statx() context, during path lookup, the dentry gets
+added to sd->s_dentry via configfs_attach_attr(). In the end,
+vfs_statx() kills the dentry by calling path_put(), which invokes
+configfs_d_iput(). Ideally, this dentry must be removed from
+sd->s_dentry but it doesn't if the sd->s_count >= 3. As a result,
+sd->s_dentry is holding reference to a stale dentry pointer whose
+memory is already freed up. This results in use-after-free issue,
+when this stale sd->s_dentry is accessed later in
+configfs_readdir() path.
+
+This issue can be easily reproduced, by running the LTP test case -
+sh fs_racer_file_list.sh /config
+(https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/fs/racer/fs_racer_file_list.sh)
+
+Fixes: 76ae281f6307 ('configfs: fix race between dentry put and lookup')
+Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/configfs/dir.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
+index 5e7932d668ab..22203a3423a3 100644
+--- a/fs/configfs/dir.c
++++ b/fs/configfs/dir.c
+@@ -58,15 +58,13 @@ static void configfs_d_iput(struct dentry * dentry,
+ if (sd) {
+ /* Coordinate with configfs_readdir */
+ spin_lock(&configfs_dirent_lock);
+- /* Coordinate with configfs_attach_attr where will increase
+- * sd->s_count and update sd->s_dentry to new allocated one.
+- * Only set sd->dentry to null when this dentry is the only
+- * sd owner.
+- * If not do so, configfs_d_iput may run just after
+- * configfs_attach_attr and set sd->s_dentry to null
+- * even it's still in use.
++ /*
++ * Set sd->s_dentry to null only when this dentry is the one
++ * that is going to be killed. Otherwise configfs_d_iput may
++ * run just after configfs_attach_attr and set sd->s_dentry to
++ * NULL even it's still in use.
+ */
+- if (atomic_read(&sd->s_count) <= 2)
++ if (sd->s_dentry == dentry)
+ sd->s_dentry = NULL;
+
+ spin_unlock(&configfs_dirent_lock);
+--
+2.16.4
+
diff --git a/patches.fixes/ext4-avoid-panic-during-forced-reboot-due-to-aborted.patch b/patches.fixes/ext4-avoid-panic-during-forced-reboot-due-to-aborted.patch
new file mode 100644
index 0000000000..a21a2a6898
--- /dev/null
+++ b/patches.fixes/ext4-avoid-panic-during-forced-reboot-due-to-aborted.patch
@@ -0,0 +1,39 @@
+From 2c1d0e3631e5732dba98ef49ac0bec1388776793 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 17 May 2019 17:37:18 -0400
+Subject: [PATCH] ext4: avoid panic during forced reboot due to aborted journal
+Git-commit: 2c1d0e3631e5732dba98ef49ac0bec1388776793
+Patch-mainline: v5.2-rc1
+References: bsc#1126356
+
+Handling of aborted journal is a special code path different from
+standard ext4_error() one and it can call panic() as well. Commit
+1dc1097ff60e ("ext4: avoid panic during forced reboot") forgot to update
+this path so fix that omission.
+
+Fixes: 1dc1097ff60e ("ext4: avoid panic during forced reboot")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 5.1
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 5013d04b41fd..272e1881b5f8 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -699,7 +699,7 @@ void __ext4_abort(struct super_block *sb, const char *function,
+ jbd2_journal_abort(EXT4_SB(sb)->s_journal, -EIO);
+ save_error_info(sb, function, line);
+ }
+- if (test_opt(sb, ERRORS_PANIC)) {
++ if (test_opt(sb, ERRORS_PANIC) && !system_going_down()) {
+ if (EXT4_SB(sb)->s_journal &&
+ !(EXT4_SB(sb)->s_journal->j_flags & JBD2_REC_ERR))
+ return;
+--
+2.16.4
+
diff --git a/patches.fixes/ext4-fix-data-corruption-caused-by-overlapping-unali.patch b/patches.fixes/ext4-fix-data-corruption-caused-by-overlapping-unali.patch
new file mode 100644
index 0000000000..574caef212
--- /dev/null
+++ b/patches.fixes/ext4-fix-data-corruption-caused-by-overlapping-unali.patch
@@ -0,0 +1,54 @@
+From 57a0da28ced8707cb9f79f071a016b9d005caf5a Mon Sep 17 00:00:00 2001
+From: Lukas Czerner <lczerner@redhat.com>
+Date: Fri, 10 May 2019 21:45:33 -0400
+Subject: [PATCH] ext4: fix data corruption caused by overlapping unaligned and
+ aligned IO
+Git-commit: 57a0da28ced8707cb9f79f071a016b9d005caf5a
+Patch-mainline: v5.2-rc1
+References: bsc#1136428
+
+Unaligned AIO must be serialized because the zeroing of partial blocks
+of unaligned AIO can result in data corruption in case it's overlapping
+another in flight IO.
+
+Currently we wait for all unwritten extents before we submit unaligned
+AIO which protects data in case of unaligned AIO is following overlapping
+IO. However if a unaligned AIO is followed by overlapping aligned AIO we
+can still end up corrupting data.
+
+To fix this, we must make sure that the unaligned AIO is the only IO in
+flight by waiting for unwritten extents conversion not just before the
+IO submission, but right after it as well.
+
+This problem can be reproduced by xfstest generic/538
+
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/file.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/ext4/file.c b/fs/ext4/file.c
+index 98ec11f69cd4..2c5baa5e8291 100644
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -264,6 +264,13 @@ ext4_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
+ }
+
+ ret = __generic_file_write_iter(iocb, from);
++ /*
++ * Unaligned direct AIO must be the only IO in flight. Otherwise
++ * overlapping aligned IO after unaligned might result in data
++ * corruption.
++ */
++ if (ret == -EIOCBQUEUED && unaligned_aio)
++ ext4_unwritten_wait(inode);
+ inode_unlock(inode);
+
+ if (ret > 0)
+--
+2.16.4
+
diff --git a/patches.fixes/ext4-make-sanity-check-in-mballoc-more-strict.patch b/patches.fixes/ext4-make-sanity-check-in-mballoc-more-strict.patch
new file mode 100644
index 0000000000..6680eb8d01
--- /dev/null
+++ b/patches.fixes/ext4-make-sanity-check-in-mballoc-more-strict.patch
@@ -0,0 +1,39 @@
+From 31562b954b60f02acb91b7349dc6432d3f8c3c5f Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Sat, 6 Apr 2019 18:33:06 -0400
+Subject: [PATCH] ext4: make sanity check in mballoc more strict
+Git-commit: 31562b954b60f02acb91b7349dc6432d3f8c3c5f
+Patch-mainline: v5.2-rc1
+References: bsc#1136439
+
+The sanity check in mb_find_extent() only checked that returned extent
+does not extend past blocksize * 8, however it should not extend past
+EXT4_CLUSTERS_PER_GROUP(sb). This can happen when clusters_per_group <
+blocksize * 8 and the tail of the bitmap is not properly filled by 1s
+which happened e.g. when ancient kernels have grown the filesystem.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/mballoc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index 6fb76d408093..8ef5f12bbee2 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -1539,7 +1539,7 @@ static int mb_find_extent(struct ext4_buddy *e4b, int block,
+ ex->fe_len += 1 << order;
+ }
+
+- if (ex->fe_start + ex->fe_len > (1 << (e4b->bd_blkbits + 3))) {
++ if (ex->fe_start + ex->fe_len > EXT4_CLUSTERS_PER_GROUP(e4b->bd_sb)) {
+ /* Should never happen! (but apparently sometimes does?!?) */
+ WARN_ON(1);
+ ext4_error(e4b->bd_sb, "corruption or bug in mb_find_extent "
+--
+2.16.4
+
diff --git a/patches.fixes/ext4-wait-for-outstanding-dio-during-truncate-in-noj.patch b/patches.fixes/ext4-wait-for-outstanding-dio-during-truncate-in-noj.patch
new file mode 100644
index 0000000000..7c7da6313c
--- /dev/null
+++ b/patches.fixes/ext4-wait-for-outstanding-dio-during-truncate-in-noj.patch
@@ -0,0 +1,62 @@
+From 82a25b027ca48d7ef197295846b352345853dfa8 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 23 May 2019 23:07:08 -0400
+Subject: [PATCH] ext4: wait for outstanding dio during truncate in nojournal
+ mode
+Git-commit: 82a25b027ca48d7ef197295846b352345853dfa8
+Patch-mainline: v5.2-rc2
+References: bsc#1136438
+
+We didn't wait for outstanding direct IO during truncate in nojournal
+mode (as we skip orphan handling in that case). This can lead to fs
+corruption or stale data exposure if truncate ends up freeing blocks
+and these get reallocated before direct IO finishes. Fix the condition
+determining whether the wait is necessary.
+
+Cc: stable@vger.kernel.org
+Fixes: 1c9114f9c0f1 ("ext4: serialize unlocked dio reads with truncate")
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/inode.c | 25 +++++++++++--------------
+ 1 file changed, 11 insertions(+), 14 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -5476,22 +5476,19 @@ int ext4_setattr(struct dentry *dentry,
+ goto err_out;
+ }
+ }
+- if (!shrink)
++ if (!shrink) {
+ pagecache_isize_extended(inode, oldsize, inode->i_size);
+-
+- /*
+- * Blocks are going to be removed from the inode. Wait
+- * for dio in flight. Temporarily disable
+- * dioread_nolock to prevent livelock.
+- */
+- if (orphan) {
+- if (!ext4_should_journal_data(inode)) {
+- ext4_inode_block_unlocked_dio(inode);
+- inode_dio_wait(inode);
+- ext4_inode_resume_unlocked_dio(inode);
+- } else
+- ext4_wait_for_tail_page_commit(inode);
++ } else {
++ /*
++ * Blocks are going to be removed from the inode. Wait
++ * for dio in flight.
++ */
++ ext4_inode_block_unlocked_dio(inode);
++ inode_dio_wait(inode);
++ ext4_inode_resume_unlocked_dio(inode);
+ }
++ if (orphan && ext4_should_journal_data(inode))
++ ext4_wait_for_tail_page_commit(inode);
+ down_write(&EXT4_I(inode)->i_mmap_sem);
+
+ rc = ext4_break_layouts(inode);
diff --git a/patches.fixes/fs-prevent-page-refcount-overflow-in-pipe_buf_get.patch b/patches.fixes/fs-prevent-page-refcount-overflow-in-pipe_buf_get.patch
new file mode 100644
index 0000000000..4829d84955
--- /dev/null
+++ b/patches.fixes/fs-prevent-page-refcount-overflow-in-pipe_buf_get.patch
@@ -0,0 +1,161 @@
+From: Matthew Wilcox <willy@infradead.org>
+Date: Fri, 5 Apr 2019 14:02:10 -0700
+Subject: fs: prevent page refcount overflow in pipe_buf_get
+Git-commit: 15fab63e1e57be9fdb5eec1bbc5916e9825e9acb
+Patch-mainline: v5.1-rc5
+References: CVE-2019-11487, bsc#1133190
+
+Change pipe_buf_get() to return a bool indicating whether it succeeded
+in raising the refcount of the page (if the thing in the pipe is a page).
+This removes another mechanism for overflowing the page refcount. All
+callers converted to handle a failure.
+
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Matthew Wilcox <willy@infradead.org>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+---
+ fs/fuse/dev.c | 12 ++++++------
+ fs/pipe.c | 4 ++--
+ fs/splice.c | 12 ++++++++++--
+ include/linux/pipe_fs_i.h | 10 ++++++----
+ kernel/trace/trace.c | 6 +++++-
+ 5 files changed, 29 insertions(+), 15 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1979,10 +1979,8 @@ static ssize_t fuse_dev_splice_write(str
+ rem += pipe->bufs[(pipe->curbuf + idx) & (pipe->buffers - 1)].len;
+
+ ret = -EINVAL;
+- if (rem < len) {
+- pipe_unlock(pipe);
+- goto out;
+- }
++ if (rem < len)
++ goto out_free;
+
+ rem = len;
+ while (rem) {
+@@ -2000,7 +1998,9 @@ static ssize_t fuse_dev_splice_write(str
+ pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
+ pipe->nrbufs--;
+ } else {
+- pipe_buf_get(pipe, ibuf);
++ if (!pipe_buf_get(pipe, ibuf))
++ goto out_free;
++
+ *obuf = *ibuf;
+ obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
+ obuf->len = rem;
+@@ -2023,11 +2023,11 @@ static ssize_t fuse_dev_splice_write(str
+ ret = fuse_dev_do_write(fud, &cs, len);
+
+ pipe_lock(pipe);
++out_free:
+ for (idx = 0; idx < nbuf; idx++)
+ pipe_buf_release(pipe, &bufs[idx]);
+ pipe_unlock(pipe);
+
+-out:
+ kfree(bufs);
+ return ret;
+ }
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -193,9 +193,9 @@ EXPORT_SYMBOL(generic_pipe_buf_steal);
+ * in the tee() system call, when we duplicate the buffers in one
+ * pipe into another.
+ */
+-void generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
++bool generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
+ {
+- get_page(buf->page);
++ return try_get_page(buf->page);
+ }
+ EXPORT_SYMBOL(generic_pipe_buf_get);
+
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1592,7 +1592,11 @@ retry:
+ * Get a reference to this pipe buffer,
+ * so we can copy the contents over.
+ */
+- pipe_buf_get(ipipe, ibuf);
++ if (!pipe_buf_get(ipipe, ibuf)) {
++ if (ret == 0)
++ ret = -EFAULT;
++ break;
++ }
+ *obuf = *ibuf;
+
+ /*
+@@ -1666,7 +1670,11 @@ static int link_pipe(struct pipe_inode_i
+ * Get a reference to this pipe buffer,
+ * so we can copy the contents over.
+ */
+- pipe_buf_get(ipipe, ibuf);
++ if (!pipe_buf_get(ipipe, ibuf)) {
++ if (ret == 0)
++ ret = -EFAULT;
++ break;
++ }
+
+ obuf = opipe->bufs + nbuf;
+ *obuf = *ibuf;
+--- a/include/linux/pipe_fs_i.h
++++ b/include/linux/pipe_fs_i.h
+@@ -107,18 +107,20 @@ struct pipe_buf_operations {
+ /*
+ * Get a reference to the pipe buffer.
+ */
+- void (*get)(struct pipe_inode_info *, struct pipe_buffer *);
++ bool (*get)(struct pipe_inode_info *, struct pipe_buffer *);
+ };
+
+ /**
+ * pipe_buf_get - get a reference to a pipe_buffer
+ * @pipe: the pipe that the buffer belongs to
+ * @buf: the buffer to get a reference to
++ *
++ * Return: %true if the reference was successfully obtained.
+ */
+-static inline void pipe_buf_get(struct pipe_inode_info *pipe,
++static inline __must_check bool pipe_buf_get(struct pipe_inode_info *pipe,
+ struct pipe_buffer *buf)
+ {
+- buf->ops->get(pipe, buf);
++ return buf->ops->get(pipe, buf);
+ }
+
+ /**
+@@ -178,7 +180,7 @@ struct pipe_inode_info *alloc_pipe_info(
+ void free_pipe_info(struct pipe_inode_info *);
+
+ /* Generic pipe buffer ops functions */
+-void generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *);
++bool generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *);
+ int generic_pipe_buf_confirm(struct pipe_inode_info *, struct pipe_buffer *);
+ int generic_pipe_buf_steal(struct pipe_inode_info *, struct pipe_buffer *);
+ void generic_pipe_buf_release(struct pipe_inode_info *, struct pipe_buffer *);
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -6529,12 +6529,16 @@ static void buffer_pipe_buf_release(stru
+ buf->private = 0;
+ }
+
+-static void buffer_pipe_buf_get(struct pipe_inode_info *pipe,
++static bool buffer_pipe_buf_get(struct pipe_inode_info *pipe,
+ struct pipe_buffer *buf)
+ {
+ struct buffer_ref *ref = (struct buffer_ref *)buf->private;
+
++ if (ref->ref > INT_MAX/2)
++ return false;
++
+ ref->ref++;
++ return true;
+ }
+
+ /* Pipe buffer operations for a buffer. */
diff --git a/patches.fixes/fs-sync.c-sync_file_range-2-may-use-WB_SYNC_ALL-writ.patch b/patches.fixes/fs-sync.c-sync_file_range-2-may-use-WB_SYNC_ALL-writ.patch
new file mode 100644
index 0000000000..458390453e
--- /dev/null
+++ b/patches.fixes/fs-sync.c-sync_file_range-2-may-use-WB_SYNC_ALL-writ.patch
@@ -0,0 +1,87 @@
+From c553ea4fdf2701d64b9e9cca4497a8a2512bb025 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Mon, 13 May 2019 17:22:30 -0700
+Subject: [PATCH] fs/sync.c: sync_file_range(2) may use WB_SYNC_ALL writeback
+Git-commit: c553ea4fdf2701d64b9e9cca4497a8a2512bb025
+Patch-mainline: v5.2-rc1
+References: bsc#1136432
+
+23d0127096cb ("fs/sync.c: make sync_file_range(2) use WB_SYNC_NONE
+writeback") claims that sync_file_range(2) syscall was "created for
+userspace to be able to issue background writeout and so waiting for
+in-flight IO is undesirable there" and changes the writeback (back) to
+WB_SYNC_NONE.
+
+This claim is only partially true. It is true for users that use the flag
+SYNC_FILE_RANGE_WRITE by itself, as does PostgreSQL, the user that was the
+reason for changing to WB_SYNC_NONE writeback.
+
+However, that claim is not true for users that use that flag combination
+SYNC_FILE_RANGE_{WAIT_BEFORE|WRITE|_WAIT_AFTER}. Those users explicitly
+requested to wait for in-flight IO as well as to writeback of dirty pages.
+
+Re-brand that flag combination as SYNC_FILE_RANGE_WRITE_AND_WAIT and use
+WB_SYNC_ALL writeback to perform the full range sync request.
+
+Link: http://lkml.kernel.org/r/20190409114922.30095-1-amir73il@gmail.com
+Link: http://lkml.kernel.org/r/20190419072938.31320-1-amir73il@gmail.com
+Fixes: 23d0127096cb ("fs/sync.c: make sync_file_range(2) use WB_SYNC_NONE")
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Acked-by: Jan Kara <jack@suse.com>
+Cc: Dave Chinner <david@fromorbit.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/sync.c | 15 ++++++++++++---
+ include/uapi/linux/fs.h | 3 +++
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/fs/sync.c
++++ b/fs/sync.c
+@@ -264,10 +264,13 @@ SYSCALL_DEFINE1(fdatasync, unsigned int,
+ * earlier SYNC_FILE_RANGE_WAIT_BEFORE|SYNC_FILE_RANGE_WRITE operation to wait
+ * for that operation to complete and to return the result.
+ *
+- * SYNC_FILE_RANGE_WAIT_BEFORE|SYNC_FILE_RANGE_WRITE|SYNC_FILE_RANGE_WAIT_AFTER:
++ * SYNC_FILE_RANGE_WAIT_BEFORE|SYNC_FILE_RANGE_WRITE|SYNC_FILE_RANGE_WAIT_AFTER
++ * (a.k.a. SYNC_FILE_RANGE_WRITE_AND_WAIT):
+ * a traditional sync() operation. This is a write-for-data-integrity operation
+ * which will ensure that all pages in the range which were dirty on entry to
+- * sys_sync_file_range() are committed to disk.
++ * sys_sync_file_range() are written to disk. It should be noted that disk
++ * caches are not flushed by this call, so there are no guarantees here that the
++ * data will be available on disk after a crash.
+ *
+ *
+ * SYNC_FILE_RANGE_WAIT_BEFORE and SYNC_FILE_RANGE_WAIT_AFTER will detect any
+@@ -348,8 +351,14 @@ SYSCALL_DEFINE4(sync_file_range, int, fd
+ }
+
+ if (flags & SYNC_FILE_RANGE_WRITE) {
++ int sync_mode = WB_SYNC_NONE;
++
++ if ((flags & SYNC_FILE_RANGE_WRITE_AND_WAIT) ==
++ SYNC_FILE_RANGE_WRITE_AND_WAIT)
++ sync_mode = WB_SYNC_ALL;
++
+ ret = __filemap_fdatawrite_range(mapping, offset, endbyte,
+- WB_SYNC_NONE);
++ sync_mode);
+ if (ret < 0)
+ goto out_put;
+ }
+--- a/include/uapi/linux/fs.h
++++ b/include/uapi/linux/fs.h
+@@ -355,6 +355,9 @@ struct fscrypt_key {
+ #define SYNC_FILE_RANGE_WAIT_BEFORE 1
+ #define SYNC_FILE_RANGE_WRITE 2
+ #define SYNC_FILE_RANGE_WAIT_AFTER 4
++#define SYNC_FILE_RANGE_WRITE_AND_WAIT (SYNC_FILE_RANGE_WRITE | \
++ SYNC_FILE_RANGE_WAIT_BEFORE | \
++ SYNC_FILE_RANGE_WAIT_AFTER)
+
+ /* flags for preadv2/pwritev2: */
+ #define RWF_HIPRI 0x00000001 /* high priority request, poll if possible */
diff --git a/patches.fixes/fs-writeback.c-use-rcu_barrier-to-wait-for-inflight-.patch b/patches.fixes/fs-writeback.c-use-rcu_barrier-to-wait-for-inflight-.patch
new file mode 100644
index 0000000000..7b8b11ed98
--- /dev/null
+++ b/patches.fixes/fs-writeback.c-use-rcu_barrier-to-wait-for-inflight-.patch
@@ -0,0 +1,75 @@
+From ec084de929e419e51bcdafaafe567d9e7d0273b7 Mon Sep 17 00:00:00 2001
+From: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Date: Fri, 17 May 2019 14:31:44 -0700
+Subject: [PATCH] fs/writeback.c: use rcu_barrier() to wait for inflight wb
+ switches going into workqueue when umount
+Git-commit: ec084de929e419e51bcdafaafe567d9e7d0273b7
+Patch-mainline: v5.2-rc1
+References: bsc#1136435
+
+synchronize_rcu() didn't wait for call_rcu() callbacks, so inode wb
+switch may not go to the workqueue after synchronize_rcu(). Thus
+previous scheduled switches was not finished even flushing the
+workqueue, which will cause a NULL pointer dereferenced followed below.
+
+ VFS: Busy inodes after unmount of vdd. Self-destruct in 5 seconds. Have a nice day...
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000278
+ evict+0xb3/0x180
+ iput+0x1b0/0x230
+ inode_switch_wbs_work_fn+0x3c0/0x6a0
+ worker_thread+0x4e/0x490
+ ? process_one_work+0x410/0x410
+ kthread+0xe6/0x100
+ ret_from_fork+0x39/0x50
+
+Replace the synchronize_rcu() call with a rcu_barrier() to wait for all
+pending callbacks to finish. And inc isw_nr_in_flight after call_rcu()
+in inode_switch_wbs() to make more sense.
+
+Link: http://lkml.kernel.org/r/20190429024108.54150-1-jiufei.xue@linux.alibaba.com
+Signed-off-by: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Suggested-by: Tejun Heo <tj@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/fs-writeback.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -502,8 +502,6 @@ static void inode_switch_wbs(struct inod
+
+ isw->inode = inode;
+
+- atomic_inc(&isw_nr_in_flight);
+-
+ /*
+ * In addition to synchronizing among switchers, I_WB_SWITCH tells
+ * the RCU protected stat update paths to grab the mapping's
+@@ -511,6 +509,9 @@ static void inode_switch_wbs(struct inod
+ * Let's continue after I_WB_SWITCH is guaranteed to be visible.
+ */
+ call_rcu(&isw->rcu_head, inode_switch_wbs_rcu_fn);
++
++ atomic_inc(&isw_nr_in_flight);
++
+ return;
+
+ out_free:
+@@ -877,7 +878,11 @@ restart:
+ void cgroup_writeback_umount(void)
+ {
+ if (atomic_read(&isw_nr_in_flight)) {
+- synchronize_rcu();
++ /*
++ * Use rcu_barrier() to wait for all pending callbacks to
++ * ensure that all in-flight wb switches are in the workqueue.
++ */
++ rcu_barrier();
+ flush_workqueue(isw_wq);
+ }
+ }
diff --git a/patches.fixes/indirect-call-wrappers-helpers-to-speed-up-indirect-.patch b/patches.fixes/indirect-call-wrappers-helpers-to-speed-up-indirect-.patch
new file mode 100644
index 0000000000..a152ebecc1
--- /dev/null
+++ b/patches.fixes/indirect-call-wrappers-helpers-to-speed-up-indirect-.patch
@@ -0,0 +1,85 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Fri, 14 Dec 2018 11:51:57 +0100
+Subject: indirect call wrappers: helpers to speed-up indirect calls of builtin
+Patch-mainline: v5.0-rc1
+Git-commit: 283c16a2dfd332bf5610c874f7b9f9c8b601ce53
+References: bsc#1124503
+
+This header define a bunch of helpers that allow avoiding the
+retpoline overhead when calling builtin functions via function pointers.
+It boils down to explicitly comparing the function pointers to
+known builtin functions and eventually invoke directly the latter.
+
+The macros defined here implement the boilerplate for the above schema
+and will be used by the next patches.
+
+rfc -> v1:
+ - use branch prediction hint, as suggested by Eric
+v1 -> v2:
+ - list explicitly the builtin function names in INDIRECT_CALL_*(),
+ as suggested by Ed Cree
+
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ include/linux/indirect_call_wrapper.h | 51 +++++++++++++++++++++++++++
+ 1 file changed, 51 insertions(+)
+ create mode 100644 include/linux/indirect_call_wrapper.h
+
+--- /dev/null
++++ b/include/linux/indirect_call_wrapper.h
+@@ -0,0 +1,51 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++#ifndef _LINUX_INDIRECT_CALL_WRAPPER_H
++#define _LINUX_INDIRECT_CALL_WRAPPER_H
++
++#ifdef CONFIG_RETPOLINE
++
++/*
++ * INDIRECT_CALL_$NR - wrapper for indirect calls with $NR known builtin
++ * @f: function pointer
++ * @f$NR: builtin functions names, up to $NR of them
++ * @__VA_ARGS__: arguments for @f
++ *
++ * Avoid retpoline overhead for known builtin, checking @f vs each of them and
++ * eventually invoking directly the builtin function. The functions are check
++ * in the given order. Fallback to the indirect call.
++ */
++#define INDIRECT_CALL_1(f, f1, ...) \
++ ({ \
++ likely(f == f1) ? f1(__VA_ARGS__) : f(__VA_ARGS__); \
++ })
++#define INDIRECT_CALL_2(f, f2, f1, ...) \
++ ({ \
++ likely(f == f2) ? f2(__VA_ARGS__) : \
++ INDIRECT_CALL_1(f, f1, __VA_ARGS__); \
++ })
++
++#define INDIRECT_CALLABLE_DECLARE(f) f
++#define INDIRECT_CALLABLE_SCOPE
++
++#else
++#define INDIRECT_CALL_1(f, name, ...) f(__VA_ARGS__)
++#define INDIRECT_CALL_2(f, name, ...) f(__VA_ARGS__)
++#define INDIRECT_CALLABLE_DECLARE(f)
++#define INDIRECT_CALLABLE_SCOPE static
++#endif
++
++/*
++ * We can use INDIRECT_CALL_$NR for ipv6 related functions only if ipv6 is
++ * builtin, this macro simplify dealing with indirect calls with only ipv4/ipv6
++ * alternatives
++ */
++#if IS_BUILTIN(CONFIG_IPV6)
++#define INDIRECT_CALL_INET(f, f2, f1, ...) \
++ INDIRECT_CALL_2(f, f2, f1, __VA_ARGS__)
++#elif IS_ENABLED(CONFIG_INET)
++#define INDIRECT_CALL_INET(f, f2, f1, ...) INDIRECT_CALL_1(f, f1, __VA_ARGS__)
++#else
++#define INDIRECT_CALL_INET(f, f2, f1, ...) f(__VA_ARGS__)
++#endif
++
++#endif
diff --git a/patches.fixes/jbd2-check-superblock-mapped-prior-to-committing.patch b/patches.fixes/jbd2-check-superblock-mapped-prior-to-committing.patch
new file mode 100644
index 0000000000..41714b3471
--- /dev/null
+++ b/patches.fixes/jbd2-check-superblock-mapped-prior-to-committing.patch
@@ -0,0 +1,53 @@
+From 742b06b5628f2cd23cb51a034cb54dc33c6162c5 Mon Sep 17 00:00:00 2001
+From: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Date: Sat, 6 Apr 2019 18:57:40 -0400
+Subject: [PATCH] jbd2: check superblock mapped prior to committing
+Git-commit: 742b06b5628f2cd23cb51a034cb54dc33c6162c5
+Patch-mainline: v5.2-rc1
+References: bsc#1136430
+
+We hit a BUG at fs/buffer.c:3057 if we detached the nbd device
+before unmounting ext4 filesystem.
+
+The typical chain of events leading to the BUG:
+jbd2_write_superblock
+ submit_bh
+ submit_bh_wbc
+ BUG_ON(!buffer_mapped(bh));
+
+The block device is removed and all the pages are invalidated. JBD2
+was trying to write journal superblock to the block device which is
+no longer present.
+
+Fix this by checking the journal superblock's buffer head prior to
+submitting.
+
+Reported-by: Eric Ren <renzhen@linux.alibaba.com>
+Signed-off-by: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/jbd2/journal.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
+index 382c030cc78b..37e16d969925 100644
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -1350,6 +1350,10 @@ static int jbd2_write_superblock(journal_t *journal, int write_flags)
+ journal_superblock_t *sb = journal->j_superblock;
+ int ret;
+
++ /* Buffer got discarded which means block device got invalidated */
++ if (!buffer_mapped(bh))
++ return -EIO;
++
+ trace_jbd2_write_superblock(journal, write_flags);
+ if (!(journal->j_flags & JBD2_BARRIER))
+ write_flags &= ~(REQ_FUA | REQ_PREFLUSH);
+--
+2.16.4
+
diff --git a/patches.fixes/mm-Fix-modifying-of-page-protection-by-insert_pfn.patch b/patches.fixes/mm-Fix-modifying-of-page-protection-by-insert_pfn.patch
index 9bfd6bf5db..389d11cee6 100644
--- a/patches.fixes/mm-Fix-modifying-of-page-protection-by-insert_pfn.patch
+++ b/patches.fixes/mm-Fix-modifying-of-page-protection-by-insert_pfn.patch
@@ -37,14 +37,12 @@ Reported-by: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Acked-by: Jan Kara <jack@suse.cz>
---
- mm/memory.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
+ mm/memory.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
-diff --git a/mm/memory.c b/mm/memory.c
-index 47fe250307c7..ab650c21bccd 100644
--- a/mm/memory.c
+++ b/mm/memory.c
-@@ -1549,10 +1549,12 @@ static vm_fault_t insert_pfn(struct vm_area_struct *vma, unsigned long addr,
+@@ -1799,10 +1799,13 @@ static int insert_pfn(struct vm_area_str
WARN_ON_ONCE(!is_zero_pfn(pte_pfn(*pte)));
goto out_unlock;
}
@@ -56,12 +54,13 @@ index 47fe250307c7..ab650c21bccd 100644
+ entry = maybe_mkwrite(pte_mkdirty(entry), vma);
+ if (ptep_set_access_flags(vma, addr, pte, entry, 1))
+ update_mmu_cache(vma, addr, pte);
++ retval = 0;
+ }
+ goto out_unlock;
}
/* Ok, finally just insert the thing.. */
-@@ -1561,7 +1563,6 @@ static vm_fault_t insert_pfn(struct vm_area_struct *vma, unsigned long addr,
+@@ -1811,7 +1814,6 @@ static int insert_pfn(struct vm_area_str
else
entry = pte_mkspecial(pfn_t_pte(pfn, prot));
@@ -69,6 +68,3 @@ index 47fe250307c7..ab650c21bccd 100644
if (mkwrite) {
entry = pte_mkyoung(entry);
entry = maybe_mkwrite(pte_mkdirty(entry), vma);
---
-2.16.4
-
diff --git a/patches.fixes/mm-add-try_get_page-helper-function.patch b/patches.fixes/mm-add-try_get_page-helper-function.patch
new file mode 100644
index 0000000000..0356c5deff
--- /dev/null
+++ b/patches.fixes/mm-add-try_get_page-helper-function.patch
@@ -0,0 +1,53 @@
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 11 Apr 2019 10:14:59 -0700
+Subject: mm: add 'try_get_page()' helper function
+Git-commit: 88b1a17dfc3ed7728316478fae0f5ad508f50397
+Patch-mainline: v5.1-rc5
+References: CVE-2019-11487, bsc#1133190
+
+This is the same as the traditional 'get_page()' function, but instead
+of unconditionally incrementing the reference count of the page, it only
+does so if the count was "safe". It returns whether the reference count
+was incremented (and is marked __must_check, since the caller obviously
+has to be aware of it).
+
+Also like 'get_page()', you can't use this function unless you already
+had a reference to the page. The intent is that you can use this
+exactly like get_page(), but in situations where you want to limit the
+maximum reference count.
+
+The code currently does an unconditional WARN_ON_ONCE() if we ever hit
+the reference count issues (either zero or negative), as a notification
+that the conditional non-increment actually happened.
+
+NOTE! The count access for the "safety" check is inherently racy, but
+that doesn't matter since the buffer we use is basically half the range
+of the reference count (ie we look at the sign of the count).
+
+Acked-by: Matthew Wilcox <willy@infradead.org>
+Cc: Jann Horn <jannh@google.com>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+---
+ include/linux/mm.h | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -845,6 +845,15 @@ static inline void get_page(struct page
+ page_ref_inc(page);
+ }
+
++static inline __must_check bool try_get_page(struct page *page)
++{
++ page = compound_head(page);
++ if (WARN_ON_ONCE(page_ref_count(page) <= 0))
++ return false;
++ page_ref_inc(page);
++ return true;
++}
++
+ static inline void put_page(struct page *page)
+ {
+ page = compound_head(page);
diff --git a/patches.fixes/mm-fix-__gup_device_huge-vs-unmap.patch b/patches.fixes/mm-fix-__gup_device_huge-vs-unmap.patch
index 448e86a6a8..6632c4f839 100644
--- a/patches.fixes/mm-fix-__gup_device_huge-vs-unmap.patch
+++ b/patches.fixes/mm-fix-__gup_device_huge-vs-unmap.patch
@@ -89,8 +89,8 @@ Acked-by: Jan Kara <jack@suse.cz>
+ return __gup_device_huge_pmd(orig, pmdp, addr, end, pages, nr);
refs = 0;
- head = pmd_page(orig);
-@@ -1459,7 +1475,7 @@ static int gup_huge_pud(pud_t orig, pud_
+ page = pmd_page(orig) + ((addr & ~PMD_MASK) >> PAGE_SHIFT);
+@@ -1458,7 +1474,7 @@ static int gup_huge_pud(pud_t orig, pud_
return 0;
if (pud_devmap(orig))
@@ -98,4 +98,4 @@ Acked-by: Jan Kara <jack@suse.cz>
+ return __gup_device_huge_pud(orig, pudp, addr, end, pages, nr);
refs = 0;
- head = pud_page(orig);
+ page = pud_page(orig) + ((addr & ~PUD_MASK) >> PAGE_SHIFT);
diff --git a/patches.fixes/mm-gup-ensure-real-head-page-is-ref-counted-when-using-hugepages.patch b/patches.fixes/mm-gup-ensure-real-head-page-is-ref-counted-when-using-hugepages.patch
new file mode 100644
index 0000000000..942fb3fbac
--- /dev/null
+++ b/patches.fixes/mm-gup-ensure-real-head-page-is-ref-counted-when-using-hugepages.patch
@@ -0,0 +1,101 @@
+From: Punit Agrawal <punit.agrawal@arm.com>
+Date: Thu, 6 Jul 2017 15:39:39 -0700
+Subject: mm, gup: ensure real head page is ref-counted when using hugepages
+Git-commit: d63206ee32b6e64b0e12d46e5d6004afd9913713
+Patch-mainline: v4.13-rc1
+References: CVE-2019-11487, bsc#1133190, prerequisity
+
+When speculatively taking references to a hugepage using
+page_cache_add_speculative() in gup_huge_pmd(), it is assumed that the
+page returned by pmd_page() is the head page. Although normally true,
+this assumption doesn't hold when the hugepage comprises of successive
+page table entries such as when using contiguous bit on arm64 at PTE or
+PMD levels.
+
+This can be addressed by ensuring that the page passed to
+page_cache_add_speculative() is the real head or by de-referencing the
+head page within the function.
+
+We take the first approach to keep the usage pattern aligned with
+page_cache_get_speculative() where users already pass the appropriate
+page, i.e., the de-referenced head.
+
+Apply the same logic to fix gup_huge_[pud|pgd]() as well.
+
+[punit.agrawal@arm.com: fix arm64 ltp failure]
+ Link: http://lkml.kernel.org/r/20170619170145.25577-5-punit.agrawal@arm.com
+Link: http://lkml.kernel.org/r/20170522133604.11392-3-punit.agrawal@arm.com
+Signed-off-by: Punit Agrawal <punit.agrawal@arm.com>
+Acked-by: Steve Capper <steve.capper@arm.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+---
+ mm/gup.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -1349,8 +1349,7 @@ static int gup_huge_pmd(pmd_t orig, pmd_
+ return __gup_device_huge_pmd(orig, addr, end, pages, nr);
+
+ refs = 0;
+- head = pmd_page(orig);
+- page = head + ((addr & ~PMD_MASK) >> PAGE_SHIFT);
++ page = pmd_page(orig) + ((addr & ~PMD_MASK) >> PAGE_SHIFT);
+ do {
+ pages[*nr] = page;
+ (*nr)++;
+@@ -1358,6 +1357,7 @@ static int gup_huge_pmd(pmd_t orig, pmd_
+ refs++;
+ } while (addr += PAGE_SIZE, addr != end);
+
++ head = compound_head(pmd_page(orig));
+ if (!page_cache_add_speculative(head, refs)) {
+ *nr -= refs;
+ return 0;
+@@ -1387,8 +1387,7 @@ static int gup_huge_pud(pud_t orig, pud_
+ return __gup_device_huge_pud(orig, addr, end, pages, nr);
+
+ refs = 0;
+- head = pud_page(orig);
+- page = head + ((addr & ~PUD_MASK) >> PAGE_SHIFT);
++ page = pud_page(orig) + ((addr & ~PUD_MASK) >> PAGE_SHIFT);
+ do {
+ pages[*nr] = page;
+ (*nr)++;
+@@ -1396,6 +1395,7 @@ static int gup_huge_pud(pud_t orig, pud_
+ refs++;
+ } while (addr += PAGE_SIZE, addr != end);
+
++ head = compound_head(pud_page(orig));
+ if (!page_cache_add_speculative(head, refs)) {
+ *nr -= refs;
+ return 0;
+@@ -1424,8 +1424,7 @@ static int gup_huge_pgd(pgd_t orig, pgd_
+
+ BUILD_BUG_ON(pgd_devmap(orig));
+ refs = 0;
+- head = pgd_page(orig);
+- page = head + ((addr & ~PGDIR_MASK) >> PAGE_SHIFT);
++ page = pgd_page(orig) + ((addr & ~PGDIR_MASK) >> PAGE_SHIFT);
+ do {
+ pages[*nr] = page;
+ (*nr)++;
+@@ -1433,6 +1432,7 @@ static int gup_huge_pgd(pgd_t orig, pgd_
+ refs++;
+ } while (addr += PAGE_SIZE, addr != end);
+
++ head = compound_head(pgd_page(orig));
+ if (!page_cache_add_speculative(head, refs)) {
+ *nr -= refs;
+ return 0;
diff --git a/patches.fixes/mm-gup-remove-broken-vm_bug_on_page-compound-check-for-hugepages.patch b/patches.fixes/mm-gup-remove-broken-vm_bug_on_page-compound-check-for-hugepages.patch
new file mode 100644
index 0000000000..6ad01644be
--- /dev/null
+++ b/patches.fixes/mm-gup-remove-broken-vm_bug_on_page-compound-check-for-hugepages.patch
@@ -0,0 +1,67 @@
+From: Will Deacon <will.deacon@arm.com>
+Date: Thu, 6 Jul 2017 15:39:36 -0700
+Subject: mm, gup: remove broken VM_BUG_ON_PAGE compound check for hugepages
+Git-commit: a3e328556d41bb61c55f9dfcc62d6a826ea97b85
+Patch-mainline: v4.13-rc1
+References: CVE-2019-11487, bsc#1133190, prerequisity
+
+When operating on hugepages with DEBUG_VM enabled, the GUP code checks
+the compound head for each tail page prior to calling
+page_cache_add_speculative. This is broken, because on the fast-GUP
+path (where we don't hold any page table locks) we can be racing with a
+concurrent invocation of split_huge_page_to_list.
+
+split_huge_page_to_list deals with this race by using page_ref_freeze to
+freeze the page and force concurrent GUPs to fail whilst the component
+pages are modified. This modification includes clearing the
+compound_head field for the tail pages, so checking this prior to a
+successful call to page_cache_add_speculative can lead to false
+positives: In fact, page_cache_add_speculative *already* has this check
+once the page refcount has been successfully updated, so we can simply
+remove the broken calls to VM_BUG_ON_PAGE.
+
+Link: http://lkml.kernel.org/r/20170522133604.11392-2-punit.agrawal@arm.com
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Punit Agrawal <punit.agrawal@arm.com>
+Acked-by: Steve Capper <steve.capper@arm.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+---
+ mm/gup.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -1352,7 +1352,6 @@ static int gup_huge_pmd(pmd_t orig, pmd_
+ head = pmd_page(orig);
+ page = head + ((addr & ~PMD_MASK) >> PAGE_SHIFT);
+ do {
+- VM_BUG_ON_PAGE(compound_head(page) != head, page);
+ pages[*nr] = page;
+ (*nr)++;
+ page++;
+@@ -1391,7 +1390,6 @@ static int gup_huge_pud(pud_t orig, pud_
+ head = pud_page(orig);
+ page = head + ((addr & ~PUD_MASK) >> PAGE_SHIFT);
+ do {
+- VM_BUG_ON_PAGE(compound_head(page) != head, page);
+ pages[*nr] = page;
+ (*nr)++;
+ page++;
+@@ -1429,7 +1427,6 @@ static int gup_huge_pgd(pgd_t orig, pgd_
+ head = pgd_page(orig);
+ page = head + ((addr & ~PGDIR_MASK) >> PAGE_SHIFT);
+ do {
+- VM_BUG_ON_PAGE(compound_head(page) != head, page);
+ pages[*nr] = page;
+ (*nr)++;
+ page++;
diff --git a/patches.fixes/mm-make-page-ref-count-overflow-check-tighter-and-more-explicit.patch b/patches.fixes/mm-make-page-ref-count-overflow-check-tighter-and-more-explicit.patch
new file mode 100644
index 0000000000..3b9db1ee15
--- /dev/null
+++ b/patches.fixes/mm-make-page-ref-count-overflow-check-tighter-and-more-explicit.patch
@@ -0,0 +1,49 @@
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 11 Apr 2019 10:06:20 -0700
+Subject: mm: make page ref count overflow check tighter and more explicit
+Git-commit: f958d7b528b1b40c44cfda5eabe2d82760d868c3
+Patch-mainline: v5.1-rc5
+References: CVE-2019-11487, bsc#1133190
+
+We have a VM_BUG_ON() to check that the page reference count doesn't
+underflow (or get close to overflow) by checking the sign of the count.
+
+That's all fine, but we actually want to allow people to use a "get page
+ref unless it's already very high" helper function, and we want that one
+to use the sign of the page ref (without triggering this VM_BUG_ON).
+
+Change the VM_BUG_ON to only check for small underflows (or _very_ close
+to overflowing), and ignore overflows which have strayed into negative
+territory.
+
+Acked-by: Matthew Wilcox <willy@infradead.org>
+Cc: Jann Horn <jannh@google.com>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+---
+ include/linux/mm.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -869,6 +869,10 @@ static inline bool is_device_public_page
+ }
+ #endif /* CONFIG_DEV_PAGEMAP_OPS */
+
++/* 127: arbitrary random number, small enough to assemble well */
++#define page_ref_zero_or_close_to_overflow(page) \
++ ((unsigned int) page_ref_count(page) + 127u <= 127u)
++
+ static inline void get_page(struct page *page)
+ {
+ page = compound_head(page);
+@@ -876,7 +880,7 @@ static inline void get_page(struct page
+ * Getting a normal page or the head of a compound page
+ * requires to already have an elevated page->_refcount.
+ */
+- VM_BUG_ON_PAGE(page_ref_count(page) <= 0, page);
++ VM_BUG_ON_PAGE(page_ref_zero_or_close_to_overflow(page), page);
+ page_ref_inc(page);
+ }
+
diff --git a/patches.fixes/mm-prevent-get_user_pages-from-overflowing-page-refcount.patch b/patches.fixes/mm-prevent-get_user_pages-from-overflowing-page-refcount.patch
new file mode 100644
index 0000000000..456da3e810
--- /dev/null
+++ b/patches.fixes/mm-prevent-get_user_pages-from-overflowing-page-refcount.patch
@@ -0,0 +1,234 @@
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 11 Apr 2019 10:49:19 -0700
+Subject: mm: prevent get_user_pages() from overflowing page refcount
+Git-commit: 8fde12ca79aff9b5ba951fce1a2641901b8d8e64
+Patch-mainline: v5.1-rc5
+References: CVE-2019-11487, bsc#1133190
+
+[ 4.12 backport notes: also adjust arch-specific gup.c for x86 and s390,
+ ignore sparc/sh/mips that we don't build ]
+
+If the page refcount wraps around past zero, it will be freed while
+there are still four billion references to it. One of the possible
+avenues for an attacker to try to make this happen is by doing direct IO
+on a page multiple times. This patch makes get_user_pages() refuse to
+take a new page reference if there are already more than two billion
+references to the page.
+
+Reported-by: Jann Horn <jannh@google.com>
+Acked-by: Matthew Wilcox <willy@infradead.org>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+---
+ arch/s390/mm/gup.c | 9 ++++++---
+ arch/x86/mm/gup.c | 14 ++++++++++++--
+ mm/gup.c | 46 +++++++++++++++++++++++++++++++++++-----------
+ mm/hugetlb.c | 13 +++++++++++++
+ 4 files changed, 66 insertions(+), 16 deletions(-)
+
+--- a/arch/s390/mm/gup.c
++++ b/arch/s390/mm/gup.c
+@@ -38,7 +38,8 @@ static inline int gup_pte_range(pmd_t *p
+ VM_BUG_ON(!pfn_valid(pte_pfn(pte)));
+ page = pte_page(pte);
+ head = compound_head(page);
+- if (!page_cache_get_speculative(head))
++ if (unlikely(WARN_ON_ONCE(page_ref_count(head) < 0)
++ || !page_cache_get_speculative(head)))
+ return 0;
+ if (unlikely(pte_val(pte) != pte_val(*ptep))) {
+ put_page(head);
+@@ -76,7 +77,8 @@ static inline int gup_huge_pmd(pmd_t *pm
+ refs++;
+ } while (addr += PAGE_SIZE, addr != end);
+
+- if (!page_cache_add_speculative(head, refs)) {
++ if (unlikely(WARN_ON_ONCE(page_ref_count(head) < 0)
++ || !page_cache_add_speculative(head, refs))) {
+ *nr -= refs;
+ return 0;
+ }
+@@ -150,7 +152,8 @@ static int gup_huge_pud(pud_t *pudp, pud
+ refs++;
+ } while (addr += PAGE_SIZE, addr != end);
+
+- if (!page_cache_add_speculative(head, refs)) {
++ if (unlikely(WARN_ON_ONCE(page_ref_count(head) < 0)
++ || !page_cache_add_speculative(head, refs))) {
+ *nr -= refs;
+ return 0;
+ }
+--- a/arch/x86/mm/gup.c
++++ b/arch/x86/mm/gup.c
+@@ -137,7 +137,10 @@ static noinline int gup_pte_range(pmd_t
+
+ VM_BUG_ON(!pfn_valid(pte_pfn(pte)));
+ page = pte_page(pte);
+- get_page(page);
++ if (unlikely(!try_get_page(page))) {
++ put_dev_pagemap(pgmap);
++ break;
++ }
+ put_dev_pagemap(pgmap);
+ SetPageReferenced(page);
+ pages[*nr] = page;
+@@ -173,9 +176,12 @@ static int __gup_device_huge(unsigned lo
+ undo_dev_pagemap(nr, nr_start, pages);
+ return 0;
+ }
++ if (unlikely(!try_get_page(page))) {
++ put_dev_pagemap(pgmap);
++ return 0;
++ }
+ SetPageReferenced(page);
+ pages[*nr] = page;
+- get_page(page);
+ put_dev_pagemap(pgmap);
+ (*nr)++;
+ pfn++;
+@@ -219,6 +225,8 @@ static noinline int gup_huge_pmd(pmd_t p
+
+ refs = 0;
+ head = pmd_page(pmd);
++ if (WARN_ON_ONCE(page_ref_count(head) <= 0))
++ return 0;
+ page = head + ((addr & ~PMD_MASK) >> PAGE_SHIFT);
+ do {
+ VM_BUG_ON_PAGE(compound_head(page) != head, page);
+@@ -282,6 +290,8 @@ static noinline int gup_huge_pud(pud_t p
+
+ refs = 0;
+ head = pud_page(pud);
++ if (WARN_ON_ONCE(page_ref_count(head) <= 0))
++ return 0;
+ page = head + ((addr & ~PUD_MASK) >> PAGE_SHIFT);
+ do {
+ VM_BUG_ON_PAGE(compound_head(page) != head, page);
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -153,7 +153,11 @@ retry:
+ }
+
+ if (flags & FOLL_GET) {
+- get_page(page);
++ if (unlikely(!try_get_page(page))) {
++ page = ERR_PTR(-ENOMEM);
++ put_dev_pagemap(pgmap);
++ goto out;
++ }
+
+ /* drop the pgmap reference now that we hold the page */
+ if (pgmap) {
+@@ -306,7 +310,10 @@ struct page *follow_page_mask(struct vm_
+ if (pmd_trans_unstable(pmd))
+ ret = -EBUSY;
+ } else {
+- get_page(page);
++ if (unlikely(!try_get_page(page))) {
++ spin_unlock(ptl);
++ return ERR_PTR(-ENOMEM);
++ }
+ spin_unlock(ptl);
+ lock_page(page);
+ ret = split_huge_page(page);
+@@ -372,7 +379,10 @@ static int get_gate_page(struct mm_struc
+ if (is_device_public_page(*page))
+ goto unmap;
+ }
+- get_page(*page);
++ if (unlikely(!try_get_page(*page))) {
++ ret = -ENOMEM;
++ goto unmap;
++ }
+ out:
+ ret = 0;
+ unmap:
+@@ -1275,6 +1285,20 @@ static void undo_dev_pagemap(int *nr, in
+ }
+ }
+
++/*
++ * Return the compund head page with ref appropriately incremented,
++ * or NULL if that failed.
++ */
++static inline struct page *try_get_compound_head(struct page *page, int refs)
++{
++ struct page *head = compound_head(page);
++ if (WARN_ON_ONCE(page_ref_count(head) < 0))
++ return NULL;
++ if (unlikely(!page_cache_add_speculative(head, refs)))
++ return NULL;
++ return head;
++}
++
+ #ifdef __HAVE_ARCH_PTE_SPECIAL
+ static int gup_pte_range(pmd_t pmd, unsigned long addr, unsigned long end,
+ int write, struct page **pages, int *nr)
+@@ -1309,9 +1333,9 @@ static int gup_pte_range(pmd_t pmd, unsi
+
+ VM_BUG_ON(!pfn_valid(pte_pfn(pte)));
+ page = pte_page(pte);
+- head = compound_head(page);
+
+- if (!page_cache_get_speculative(head))
++ head = try_get_compound_head(page, 1);
++ if (!head)
+ goto pte_unmap;
+
+ if (unlikely(pte_val(pte) != pte_val(*ptep))) {
+@@ -1447,8 +1471,8 @@ static int gup_huge_pmd(pmd_t orig, pmd_
+ refs++;
+ } while (addr += PAGE_SIZE, addr != end);
+
+- head = compound_head(pmd_page(orig));
+- if (!page_cache_add_speculative(head, refs)) {
++ head = try_get_compound_head(pmd_page(orig), refs);
++ if (!head) {
+ *nr -= refs;
+ return 0;
+ }
+@@ -1485,8 +1509,8 @@ static int gup_huge_pud(pud_t orig, pud_
+ refs++;
+ } while (addr += PAGE_SIZE, addr != end);
+
+- head = compound_head(pud_page(orig));
+- if (!page_cache_add_speculative(head, refs)) {
++ head = try_get_compound_head(pud_page(orig), refs);
++ if (!head) {
+ *nr -= refs;
+ return 0;
+ }
+@@ -1522,8 +1546,8 @@ static int gup_huge_pgd(pgd_t orig, pgd_
+ refs++;
+ } while (addr += PAGE_SIZE, addr != end);
+
+- head = compound_head(pgd_page(orig));
+- if (!page_cache_add_speculative(head, refs)) {
++ head = try_get_compound_head(pgd_page(orig), refs);
++ if (!head) {
+ *nr -= refs;
+ return 0;
+ }
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -4263,6 +4263,19 @@ long follow_hugetlb_page(struct mm_struc
+
+ pfn_offset = (vaddr & ~huge_page_mask(h)) >> PAGE_SHIFT;
+ page = pte_page(huge_ptep_get(pte));
++
++ /*
++ * Instead of doing 'try_get_page()' below in the same_page
++ * loop, just check the count once here.
++ */
++ if (unlikely(page_count(page) <= 0)) {
++ if (pages) {
++ spin_unlock(ptl);
++ remainder = 0;
++ err = -ENOMEM;
++ break;
++ }
++ }
+ same_page:
+ if (pages) {
+ pages[i] = mem_map_offset(page, pfn_offset);
diff --git a/patches.fixes/mount-copy-the-port-field-into-the-cloned-nfs_server.patch b/patches.fixes/mount-copy-the-port-field-into-the-cloned-nfs_server.patch
new file mode 100644
index 0000000000..dc48f5d776
--- /dev/null
+++ b/patches.fixes/mount-copy-the-port-field-into-the-cloned-nfs_server.patch
@@ -0,0 +1,31 @@
+From: Steve Dickson <steved@redhat.com>
+Date: Thu, 29 Jun 2017 11:48:26 -0400
+Subject: [PATCH] mount: copy the port field into the cloned nfs_server
+ structure.
+Git-commit: 89a6814d9b665b196aa3a102f96b6dc7e8cb669e
+Patch-mainline: v4.13
+References: bsc#1136990
+
+Doing this copy eliminates the "port=0" entry in
+the /proc/mounts entries
+
+Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=69241
+
+Signed-off-by: Steve Dickson <steved@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ fs/nfs/client.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -835,6 +835,7 @@ void nfs_server_copy_userdata(struct nfs
+ target->caps = source->caps;
+ target->options = source->options;
+ target->auth_info = source->auth_info;
++ target->port = source->port;
+ }
+ EXPORT_SYMBOL_GPL(nfs_server_copy_userdata);
+
diff --git a/patches.fixes/net-unbreak-CONFIG_RETPOLINE-n-builds.patch b/patches.fixes/net-unbreak-CONFIG_RETPOLINE-n-builds.patch
new file mode 100644
index 0000000000..7e1646f316
--- /dev/null
+++ b/patches.fixes/net-unbreak-CONFIG_RETPOLINE-n-builds.patch
@@ -0,0 +1,37 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Mon, 17 Dec 2018 12:39:02 +0100
+Subject: net: unbreak CONFIG_RETPOLINE=n builds
+Patch-mainline: v5.0-rc1
+Git-commit: c03b0358ab60504151b35587c88205c7b7fe22be
+References: bsc#1124503
+
+The kbuild bot reported a build breakage with CONFIG_RETPOLINE=n
+due to commit aaa5d90b395a ("net: use indirect call wrappers at
+GRO network layer").
+I screwed the wrapper implementation for such config.
+Fix the issue properly ignoring the builtin symbols arguments,
+when retpoline is not enabled.
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Fixes: aaa5d90b395a ("net: use indirect call wrappers at GRO network layer")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ include/linux/indirect_call_wrapper.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/indirect_call_wrapper.h
++++ b/include/linux/indirect_call_wrapper.h
+@@ -28,8 +28,8 @@
+ #define INDIRECT_CALLABLE_SCOPE
+
+ #else
+-#define INDIRECT_CALL_1(f, name, ...) f(__VA_ARGS__)
+-#define INDIRECT_CALL_2(f, name, ...) f(__VA_ARGS__)
++#define INDIRECT_CALL_1(f, f1, ...) f(__VA_ARGS__)
++#define INDIRECT_CALL_2(f, f2, f1, ...) f(__VA_ARGS__)
+ #define INDIRECT_CALLABLE_DECLARE(f)
+ #define INDIRECT_CALLABLE_SCOPE static
+ #endif
diff --git a/patches.fixes/net-use-indirect-call-wrappers-at-GRO-network-layer.patch b/patches.fixes/net-use-indirect-call-wrappers-at-GRO-network-layer.patch
new file mode 100644
index 0000000000..a6fefb0c16
--- /dev/null
+++ b/patches.fixes/net-use-indirect-call-wrappers-at-GRO-network-layer.patch
@@ -0,0 +1,111 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Fri, 14 Dec 2018 11:51:58 +0100
+Subject: net: use indirect call wrappers at GRO network layer
+Patch-mainline: v5.0-rc1
+Git-commit: aaa5d90b395a72faff797b00d815165ee0e664c0
+References: bsc#1124503
+
+This avoids an indirect calls for L3 GRO receive path, both
+for ipv4 and ipv6, if the latter is not compiled as a module.
+
+Note that when IPv6 is compiled as builtin, it will be checked first,
+so we have a single additional compare for the more common path.
+
+v1 -> v2:
+ - adapted to INDIRECT_CALL_ changes
+
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ include/net/inet_common.h | 2 ++
+ net/core/dev.c | 15 +++++++++++++--
+ net/ipv6/ip6_offload.c | 6 +++---
+ 3 files changed, 18 insertions(+), 5 deletions(-)
+
+--- a/include/net/inet_common.h
++++ b/include/net/inet_common.h
+@@ -1,6 +1,8 @@
+ #ifndef _INET_COMMON_H
+ #define _INET_COMMON_H
+
++#include <linux/indirect_call_wrapper.h>
++
+ extern const struct proto_ops inet_stream_ops;
+ extern const struct proto_ops inet_dgram_ops;
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -144,6 +144,7 @@
+ #include <linux/netfilter_ingress.h>
+ #include <linux/crash_dump.h>
+ #include <linux/sctp.h>
++#include <linux/indirect_call_wrapper.h>
+
+ #include "net-sysfs.h"
+
+@@ -4616,6 +4617,8 @@ static void flush_all_backlogs(void)
+ put_online_cpus();
+ }
+
++INDIRECT_CALLABLE_DECLARE(int inet_gro_complete(struct sk_buff *, int));
++INDIRECT_CALLABLE_DECLARE(int ipv6_gro_complete(struct sk_buff *, int));
+ static int napi_gro_complete(struct sk_buff *skb)
+ {
+ struct packet_offload *ptype;
+@@ -4635,7 +4638,9 @@ static int napi_gro_complete(struct sk_buff *skb)
+ if (ptype->type != type || !ptype->callbacks.gro_complete)
+ continue;
+
+- err = ptype->callbacks.gro_complete(skb, 0);
++ err = INDIRECT_CALL_INET(ptype->callbacks.gro_complete,
++ ipv6_gro_complete, inet_gro_complete,
++ skb, 0);
+ break;
+ }
+ rcu_read_unlock();
+@@ -4749,6 +4754,10 @@ static void gro_pull_from_frag0(struct sk_buff *skb, int grow)
+ }
+ }
+
++INDIRECT_CALLABLE_DECLARE(struct sk_buff **inet_gro_receive(struct sk_buff **,
++ struct sk_buff *));
++INDIRECT_CALLABLE_DECLARE(struct sk_buff **ipv6_gro_receive(struct sk_buff **,
++ struct sk_buff *));
+ static enum gro_result dev_gro_receive(struct napi_struct *napi, struct sk_buff *skb)
+ {
+ struct sk_buff **pp = NULL;
+@@ -4796,7 +4805,9 @@ static enum gro_result dev_gro_receive(struct napi_struct *napi, struct sk_buff
+ NAPI_GRO_CB(skb)->csum_valid = 0;
+ }
+
+- pp = ptype->callbacks.gro_receive(&napi->gro_list, skb);
++ pp = INDIRECT_CALL_INET(ptype->callbacks.gro_receive,
++ ipv6_gro_receive, inet_gro_receive,
++ &napi->gro_list, skb);
+ break;
+ }
+ rcu_read_unlock();
+--- a/net/ipv6/ip6_offload.c
++++ b/net/ipv6/ip6_offload.c
+@@ -162,8 +162,8 @@ static int ipv6_exthdrs_len(struct ipv6hdr *iph,
+ return len;
+ }
+
+-static struct sk_buff **ipv6_gro_receive(struct sk_buff **head,
+- struct sk_buff *skb)
++INDIRECT_CALLABLE_SCOPE
++struct sk_buff **ipv6_gro_receive(struct sk_buff **head, struct sk_buff *skb)
+ {
+ const struct net_offload *ops;
+ struct sk_buff **pp = NULL;
+@@ -292,7 +292,7 @@ static struct sk_buff **ip4ip6_gro_receive(struct sk_buff **head,
+ return inet_gro_receive(head, skb);
+ }
+
+-static int ipv6_gro_complete(struct sk_buff *skb, int nhoff)
++INDIRECT_CALLABLE_SCOPE int ipv6_gro_complete(struct sk_buff *skb, int nhoff)
+ {
+ const struct net_offload *ops;
+ struct ipv6hdr *iph = (struct ipv6hdr *)(skb->data + nhoff);
diff --git a/patches.fixes/net-use-indirect-call-wrappers-at-GRO-transport-laye.patch b/patches.fixes/net-use-indirect-call-wrappers-at-GRO-transport-laye.patch
new file mode 100644
index 0000000000..e3b3a0833e
--- /dev/null
+++ b/patches.fixes/net-use-indirect-call-wrappers-at-GRO-transport-laye.patch
@@ -0,0 +1,275 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Fri, 14 Dec 2018 11:51:59 +0100
+Subject: net: use indirect call wrappers at GRO transport layer
+Patch-mainline: v5.0-rc1
+Git-commit: 028e0a4766844e7eeb31b93479ea6dd40cfc2895
+References: bsc#1124503
+
+This avoids an indirect call in the receive path for TCP and UDP
+packets. TCP takes precedence on UDP, so that we have a single
+additional conditional in the common case.
+
+When IPV6 is build as module, all gro symbols except UDPv6 are
+builtin, while the latter belong to the ipv6 module, so we
+need some special care.
+
+v1 -> v2:
+ - adapted to INDIRECT_CALL_ changes
+v2 -> v3:
+ - fix build issue with CONFIG_IPV6=m
+
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ include/net/inet_common.h | 7 +++++++
+ net/ipv4/af_inet.c | 13 +++++++++++--
+ net/ipv4/tcp_offload.c | 6 ++++--
+ net/ipv4/udp_offload.c | 7 ++++---
+ net/ipv6/ip6_offload.c | 29 +++++++++++++++++++++++++++--
+ net/ipv6/tcpv6_offload.c | 7 ++++---
+ net/ipv6/udp_offload.c | 7 ++++---
+ 7 files changed, 61 insertions(+), 15 deletions(-)
+
+--- a/include/net/inet_common.h
++++ b/include/net/inet_common.h
+@@ -53,4 +53,11 @@ static inline void inet_ctl_sock_destroy(struct sock *sk)
+ sock_release(sk->sk_socket);
+ }
+
++#define indirect_call_gro_receive(f2, f1, cb, head, skb) \
++({ \
++ unlikely(gro_recursion_inc_test(skb)) ? \
++ NAPI_GRO_CB(skb)->flush |= 1, NULL : \
++ INDIRECT_CALL_2(cb, f2, f1, head, skb); \
++})
++
+ #endif
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -1313,6 +1313,10 @@ struct sk_buff *inet_gso_segment(struct sk_buff *skb,
+ }
+ EXPORT_SYMBOL(inet_gso_segment);
+
++INDIRECT_CALLABLE_DECLARE(struct sk_buff **tcp4_gro_receive(struct sk_buff **,
++ struct sk_buff *));
++INDIRECT_CALLABLE_DECLARE(struct sk_buff **udp4_gro_receive(struct sk_buff **,
++ struct sk_buff *));
+ struct sk_buff **inet_gro_receive(struct sk_buff **head, struct sk_buff *skb)
+ {
+ const struct net_offload *ops;
+@@ -1422,7 +1426,8 @@ struct sk_buff **inet_gro_receive(struct sk_buff **head, struct sk_buff *skb)
+ skb_gro_pull(skb, sizeof(*iph));
+ skb_set_transport_header(skb, skb_gro_offset(skb));
+
+- pp = call_gro_receive(ops->callbacks.gro_receive, head, skb);
++ pp = indirect_call_gro_receive(tcp4_gro_receive, udp4_gro_receive,
++ ops->callbacks.gro_receive, head, skb);
+
+ out_unlock:
+ rcu_read_unlock();
+@@ -1484,6 +1489,8 @@ int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+ return -EINVAL;
+ }
+
++INDIRECT_CALLABLE_DECLARE(int tcp4_gro_complete(struct sk_buff *, int));
++INDIRECT_CALLABLE_DECLARE(int udp4_gro_complete(struct sk_buff *, int));
+ int inet_gro_complete(struct sk_buff *skb, int nhoff)
+ {
+ __be16 newlen = htons(skb->len - nhoff);
+@@ -1509,7 +1516,9 @@ int inet_gro_complete(struct sk_buff *skb, int nhoff)
+ * because any hdr with option will have been flushed in
+ * inet_gro_receive().
+ */
+- err = ops->callbacks.gro_complete(skb, nhoff + sizeof(*iph));
++ err = INDIRECT_CALL_2(ops->callbacks.gro_complete,
++ tcp4_gro_complete, udp4_gro_complete,
++ skb, nhoff + sizeof(*iph));
+
+ out_unlock:
+ rcu_read_unlock();
+--- a/net/ipv4/tcp_offload.c
++++ b/net/ipv4/tcp_offload.c
+@@ -10,6 +10,7 @@
+ * TCPv4 GSO/GRO support
+ */
+
++#include <linux/indirect_call_wrapper.h>
+ #include <linux/skbuff.h>
+ #include <net/tcp.h>
+ #include <net/protocol.h>
+@@ -296,7 +297,8 @@ int tcp_gro_complete(struct sk_buff *skb)
+ }
+ EXPORT_SYMBOL(tcp_gro_complete);
+
+-static struct sk_buff **tcp4_gro_receive(struct sk_buff **head, struct sk_buff *skb)
++INDIRECT_CALLABLE_SCOPE
++struct sk_buff **tcp4_gro_receive(struct sk_buff **head, struct sk_buff *skb)
+ {
+ /* Don't bother verifying checksum if we're going to flush anyway. */
+ if (!NAPI_GRO_CB(skb)->flush &&
+@@ -309,7 +311,7 @@ static struct sk_buff **tcp4_gro_receive(struct sk_buff **head, struct sk_buff *
+ return tcp_gro_receive(head, skb);
+ }
+
+-static int tcp4_gro_complete(struct sk_buff *skb, int thoff)
++INDIRECT_CALLABLE_SCOPE int tcp4_gro_complete(struct sk_buff *skb, int thoff)
+ {
+ const struct iphdr *iph = ip_hdr(skb);
+ struct tcphdr *th = tcp_hdr(skb);
+--- a/net/ipv4/udp_offload.c
++++ b/net/ipv4/udp_offload.c
+@@ -13,6 +13,7 @@
+ #include <linux/skbuff.h>
+ #include <net/udp.h>
+ #include <net/protocol.h>
++#include <net/inet_common.h>
+
+ static struct sk_buff *__skb_udp_tunnel_segment(struct sk_buff *skb,
+ netdev_features_t features,
+@@ -300,8 +301,8 @@ struct sk_buff **udp_gro_receive(struct sk_buff **head, struct sk_buff *skb,
+ }
+ EXPORT_SYMBOL(udp_gro_receive);
+
+-static struct sk_buff **udp4_gro_receive(struct sk_buff **head,
+- struct sk_buff *skb)
++INDIRECT_CALLABLE_SCOPE
++struct sk_buff **udp4_gro_receive(struct sk_buff **head, struct sk_buff *skb)
+ {
+ struct udphdr *uh = udp_gro_udphdr(skb);
+
+@@ -356,7 +357,7 @@ int udp_gro_complete(struct sk_buff *skb, int nhoff,
+ }
+ EXPORT_SYMBOL(udp_gro_complete);
+
+-static int udp4_gro_complete(struct sk_buff *skb, int nhoff)
++INDIRECT_CALLABLE_SCOPE int udp4_gro_complete(struct sk_buff *skb, int nhoff)
+ {
+ const struct iphdr *iph = ip_hdr(skb);
+ struct udphdr *uh = (struct udphdr *)(skb->data + nhoff);
+--- a/net/ipv6/ip6_offload.c
++++ b/net/ipv6/ip6_offload.c
+@@ -20,6 +20,23 @@
+
+ #include "ip6_offload.h"
+
++/* All GRO functions are always builtin, except UDP over ipv6, which lays in
++ * ipv6 module, as it depends on UDPv6 lookup function, so we need special care
++ * when ipv6 is built as a module
++ */
++#if IS_BUILTIN(CONFIG_IPV6)
++#define INDIRECT_CALL_L4(f, f2, f1, ...) INDIRECT_CALL_2(f, f2, f1, __VA_ARGS__)
++#else
++#define INDIRECT_CALL_L4(f, f2, f1, ...) INDIRECT_CALL_1(f, f2, __VA_ARGS__)
++#endif
++
++#define indirect_call_gro_receive_l4(f2, f1, cb, head, skb) \
++({ \
++ unlikely(gro_recursion_inc_test(skb)) ? \
++ NAPI_GRO_CB(skb)->flush |= 1, NULL : \
++ INDIRECT_CALL_L4(cb, f2, f1, head, skb); \
++})
++
+ static int ipv6_gso_pull_exthdrs(struct sk_buff *skb, int proto)
+ {
+ const struct net_offload *ops = NULL;
+@@ -162,6 +179,10 @@ static int ipv6_exthdrs_len(struct ipv6hdr *iph,
+ return len;
+ }
+
++INDIRECT_CALLABLE_DECLARE(struct sk_buff **tcp6_gro_receive(struct sk_buff **,
++ struct sk_buff *));
++INDIRECT_CALLABLE_DECLARE(struct sk_buff **udp6_gro_receive(struct sk_buff **,
++ struct sk_buff *));
+ INDIRECT_CALLABLE_SCOPE
+ struct sk_buff **ipv6_gro_receive(struct sk_buff **head, struct sk_buff *skb)
+ {
+@@ -251,7 +272,8 @@ struct sk_buff **ipv6_gro_receive(struct sk_buff **head, struct sk_buff *skb)
+
+ skb_gro_postpull_rcsum(skb, iph, nlen);
+
+- pp = call_gro_receive(ops->callbacks.gro_receive, head, skb);
++ pp = indirect_call_gro_receive_l4(tcp6_gro_receive, udp6_gro_receive,
++ ops->callbacks.gro_receive, head, skb);
+
+ out_unlock:
+ rcu_read_unlock();
+@@ -292,6 +314,8 @@ static struct sk_buff **ip4ip6_gro_receive(struct sk_buff **head,
+ return inet_gro_receive(head, skb);
+ }
+
++INDIRECT_CALLABLE_DECLARE(int tcp6_gro_complete(struct sk_buff *, int));
++INDIRECT_CALLABLE_DECLARE(int udp6_gro_complete(struct sk_buff *, int));
+ INDIRECT_CALLABLE_SCOPE int ipv6_gro_complete(struct sk_buff *skb, int nhoff)
+ {
+ const struct net_offload *ops;
+@@ -311,7 +335,8 @@ INDIRECT_CALLABLE_SCOPE int ipv6_gro_complete(struct sk_buff *skb, int nhoff)
+ if (WARN_ON(!ops || !ops->callbacks.gro_complete))
+ goto out_unlock;
+
+- err = ops->callbacks.gro_complete(skb, nhoff);
++ err = INDIRECT_CALL_L4(ops->callbacks.gro_complete, tcp6_gro_complete,
++ udp6_gro_complete, skb, nhoff);
+
+ out_unlock:
+ rcu_read_unlock();
+--- a/net/ipv6/tcpv6_offload.c
++++ b/net/ipv6/tcpv6_offload.c
+@@ -9,14 +9,15 @@
+ *
+ * TCPv6 GSO/GRO support
+ */
++#include <linux/indirect_call_wrapper.h>
+ #include <linux/skbuff.h>
+ #include <net/protocol.h>
+ #include <net/tcp.h>
+ #include <net/ip6_checksum.h>
+ #include "ip6_offload.h"
+
+-static struct sk_buff **tcp6_gro_receive(struct sk_buff **head,
+- struct sk_buff *skb)
++INDIRECT_CALLABLE_SCOPE
++struct sk_buff **tcp6_gro_receive(struct sk_buff **head, struct sk_buff *skb)
+ {
+ /* Don't bother verifying checksum if we're going to flush anyway. */
+ if (!NAPI_GRO_CB(skb)->flush &&
+@@ -29,7 +30,7 @@ static struct sk_buff **tcp6_gro_receive(struct sk_buff **head,
+ return tcp_gro_receive(head, skb);
+ }
+
+-static int tcp6_gro_complete(struct sk_buff *skb, int thoff)
++INDIRECT_CALLABLE_SCOPE int tcp6_gro_complete(struct sk_buff *skb, int thoff)
+ {
+ const struct ipv6hdr *iph = ipv6_hdr(skb);
+ struct tcphdr *th = tcp_hdr(skb);
+--- a/net/ipv6/udp_offload.c
++++ b/net/ipv6/udp_offload.c
+@@ -11,6 +11,7 @@
+ */
+ #include <linux/skbuff.h>
+ #include <linux/netdevice.h>
++#include <linux/indirect_call_wrapper.h>
+ #include <net/protocol.h>
+ #include <net/ipv6.h>
+ #include <net/udp.h>
+@@ -111,8 +112,8 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
+ return segs;
+ }
+
+-static struct sk_buff **udp6_gro_receive(struct sk_buff **head,
+- struct sk_buff *skb)
++INDIRECT_CALLABLE_SCOPE
++struct sk_buff **udp6_gro_receive(struct sk_buff **head, struct sk_buff *skb)
+ {
+ struct udphdr *uh = udp_gro_udphdr(skb);
+
+@@ -139,7 +140,7 @@ static struct sk_buff **udp6_gro_receive(struct sk_buff **head,
+ return NULL;
+ }
+
+-static int udp6_gro_complete(struct sk_buff *skb, int nhoff)
++INDIRECT_CALLABLE_SCOPE int udp6_gro_complete(struct sk_buff *skb, int nhoff)
+ {
+ const struct ipv6hdr *ipv6h = ipv6_hdr(skb);
+ struct udphdr *uh = (struct udphdr *)(skb->data + nhoff);
diff --git a/patches.fixes/nvme-rdma-fix-possible-free-of-a-non-allocated-async-event-buffer.patch b/patches.fixes/nvme-rdma-fix-possible-free-of-a-non-allocated-async-event-buffer.patch
new file mode 100644
index 0000000000..b4d1658c50
--- /dev/null
+++ b/patches.fixes/nvme-rdma-fix-possible-free-of-a-non-allocated-async-event-buffer.patch
@@ -0,0 +1,87 @@
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Tue, 19 Jun 2018 15:34:10 +0300
+Subject: nvme-rdma: fix possible free of a non-allocated async event buffer
+Git-commit: 94e42213cc1ae41c57819539c0130f8dfc69d718
+Patch-mainline: v4.18-rc2
+References: bsc#1120423
+
+If nvme_rdma_configure_admin_queue fails before we allocated
+the async event buffer, we will falsly free it because
+nvme_rdma_free_queue is freeing it. Fix it by allocating the buffer right
+after nvme_rdma_alloc_queue and free it right before nvme_rdma_queue_free
+to maintain orderly reverse cleanup sequence.
+
+Reported-by: Israel Rukshin <israelr@mellanox.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/nvme/host/rdma.c | 24 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -560,12 +560,6 @@ static void nvme_rdma_free_queue(struct
+ if (!test_and_clear_bit(NVME_RDMA_Q_ALLOCATED, &queue->flags))
+ return;
+
+- if (nvme_rdma_queue_idx(queue) == 0) {
+- nvme_rdma_free_qe(queue->device->dev,
+- &queue->ctrl->async_event_sqe,
+- sizeof(struct nvme_command), DMA_TO_DEVICE);
+- }
+-
+ nvme_rdma_destroy_queue_ib(queue);
+ rdma_destroy_id(queue->cm_id);
+ }
+@@ -739,6 +733,8 @@ static void nvme_rdma_destroy_admin_queu
+ blk_cleanup_queue(ctrl->ctrl.admin_q);
+ nvme_rdma_free_tagset(&ctrl->ctrl, ctrl->ctrl.admin_tagset);
+ }
++ nvme_rdma_free_qe(ctrl->device->dev, &ctrl->async_event_sqe,
++ sizeof(struct nvme_command), DMA_TO_DEVICE);
+ nvme_rdma_free_queue(&ctrl->queues[0]);
+ }
+
+@@ -755,11 +751,16 @@ static int nvme_rdma_configure_admin_que
+
+ ctrl->max_fr_pages = nvme_rdma_get_max_fr_pages(ctrl->device->dev);
+
++ error = nvme_rdma_alloc_qe(ctrl->device->dev, &ctrl->async_event_sqe,
++ sizeof(struct nvme_command), DMA_TO_DEVICE);
++ if (error)
++ goto out_free_queue;
++
+ if (new) {
+ ctrl->ctrl.admin_tagset = nvme_rdma_alloc_tagset(&ctrl->ctrl, true);
+ if (IS_ERR(ctrl->ctrl.admin_tagset)) {
+ error = PTR_ERR(ctrl->ctrl.admin_tagset);
+- goto out_free_queue;
++ goto out_free_async_qe;
+ }
+
+ ctrl->ctrl.admin_q = blk_mq_init_queue(&ctrl->admin_tag_set);
+@@ -795,12 +796,6 @@ static int nvme_rdma_configure_admin_que
+ if (error)
+ goto out_cleanup_queue;
+
+- error = nvme_rdma_alloc_qe(ctrl->queues[0].device->dev,
+- &ctrl->async_event_sqe, sizeof(struct nvme_command),
+- DMA_TO_DEVICE);
+- if (error)
+- goto out_cleanup_queue;
+-
+ return 0;
+
+ out_cleanup_queue:
+@@ -809,6 +804,9 @@ out_cleanup_queue:
+ out_free_tagset:
+ if (new)
+ nvme_rdma_free_tagset(&ctrl->ctrl, ctrl->ctrl.admin_tagset);
++out_free_async_qe:
++ nvme_rdma_free_qe(ctrl->device->dev, &ctrl->async_event_sqe,
++ sizeof(struct nvme_command), DMA_TO_DEVICE);
+ out_free_queue:
+ nvme_rdma_free_queue(&ctrl->queues[0]);
+ return error;
diff --git a/patches.fixes/ocfs2-fix-ocfs2-read-inode-data-panic-in-ocfs2_iget.patch b/patches.fixes/ocfs2-fix-ocfs2-read-inode-data-panic-in-ocfs2_iget.patch
new file mode 100644
index 0000000000..756b757e47
--- /dev/null
+++ b/patches.fixes/ocfs2-fix-ocfs2-read-inode-data-panic-in-ocfs2_iget.patch
@@ -0,0 +1,184 @@
+From e091eab028f9253eac5c04f9141bbc9d170acab3 Mon Sep 17 00:00:00 2001
+From: Shuning Zhang <sunny.s.zhang@oracle.com>
+Date: Mon, 13 May 2019 17:15:56 -0700
+Subject: [PATCH] ocfs2: fix ocfs2 read inode data panic in ocfs2_iget
+Git-commit: e091eab028f9253eac5c04f9141bbc9d170acab3
+Patch-mainline: v5.2-rc1
+References: bsc#1136434
+
+In some cases, ocfs2_iget() reads the data of inode, which has been
+deleted for some reason. That will make the system panic. So We should
+judge whether this inode has been deleted, and tell the caller that the
+inode is a bad inode.
+
+For example, the ocfs2 is used as the backed of nfs, and the client is
+nfsv3. This issue can be reproduced by the following steps.
+
+on the nfs server side,
+..../patha/pathb
+
+Step 1: The process A was scheduled before calling the function fh_verify.
+
+Step 2: The process B is removing the 'pathb', and just completed the call
+to function dput. Then the dentry of 'pathb' has been deleted from the
+dcache, and all ancestors have been deleted also. The relationship of
+dentry and inode was deleted through the function hlist_del_init. The
+following is the call stack.
+dentry_iput->hlist_del_init(&dentry->d_u.d_alias)
+
+At this time, the inode is still in the dcache.
+
+Step 3: The process A call the function ocfs2_get_dentry, which get the
+inode from dcache. Then the refcount of inode is 1. The following is the
+call stack.
+nfsd3_proc_getacl->fh_verify->exportfs_decode_fh->fh_to_dentry(ocfs2_get_dentry)
+
+Step 4: Dirty pages are flushed by bdi threads. So the inode of 'patha'
+is evicted, and this directory was deleted. But the inode of 'pathb'
+can't be evicted, because the refcount of the inode was 1.
+
+Step 5: The process A keep running, and call the function
+reconnect_path(in exportfs_decode_fh), which call function
+ocfs2_get_parent of ocfs2. Get the block number of parent
+directory(patha) by the name of ... Then read the data from disk by the
+block number. But this inode has been deleted, so the system panic.
+
+Process A Process B
+1. in nfsd3_proc_getacl |
+2. | dput
+3. fh_to_dentry(ocfs2_get_dentry) |
+4. bdi flush dirty cache |
+5. ocfs2_iget |
+
+[283465.542049] OCFS2: ERROR (device sdp): ocfs2_validate_inode_block:
+Invalid dinode #580640: OCFS2_VALID_FL not set
+
+[283465.545490] Kernel panic - not syncing: OCFS2: (device sdp): panic forced
+after error
+
+[283465.546889] CPU: 5 PID: 12416 Comm: nfsd Tainted: G W
+4.1.12-124.18.6.el6uek.bug28762940v3.x86_64 #2
+[283465.548382] Hardware name: VMware, Inc. VMware Virtual Platform/440BX
+Desktop Reference Platform, BIOS 6.00 09/21/2015
+[283465.549657] 0000000000000000 ffff8800a56fb7b8 ffffffff816e839c
+ffffffffa0514758
+[283465.550392] 000000000008dc20 ffff8800a56fb838 ffffffff816e62d3
+0000000000000008
+[283465.551056] ffff880000000010 ffff8800a56fb848 ffff8800a56fb7e8
+ffff88005df9f000
+[283465.551710] Call Trace:
+[283465.552516] [<ffffffff816e839c>] dump_stack+0x63/0x81
+[283465.553291] [<ffffffff816e62d3>] panic+0xcb/0x21b
+[283465.554037] [<ffffffffa04e66b0>] ocfs2_handle_error+0xf0/0xf0 [ocfs2]
+[283465.554882] [<ffffffffa04e7737>] __ocfs2_error+0x67/0x70 [ocfs2]
+[283465.555768] [<ffffffffa049c0f9>] ocfs2_validate_inode_block+0x229/0x230
+[ocfs2]
+[283465.556683] [<ffffffffa047bcbc>] ocfs2_read_blocks+0x46c/0x7b0 [ocfs2]
+[283465.557408] [<ffffffffa049bed0>] ? ocfs2_inode_cache_io_unlock+0x20/0x20
+[ocfs2]
+[283465.557973] [<ffffffffa049f0eb>] ocfs2_read_inode_block_full+0x3b/0x60
+[ocfs2]
+[283465.558525] [<ffffffffa049f5ba>] ocfs2_iget+0x4aa/0x880 [ocfs2]
+[283465.559082] [<ffffffffa049146e>] ocfs2_get_parent+0x9e/0x220 [ocfs2]
+[283465.559622] [<ffffffff81297c05>] reconnect_path+0xb5/0x300
+[283465.560156] [<ffffffff81297f46>] exportfs_decode_fh+0xf6/0x2b0
+[283465.560708] [<ffffffffa062faf0>] ? nfsd_proc_getattr+0xa0/0xa0 [nfsd]
+[283465.561262] [<ffffffff810a8196>] ? prepare_creds+0x26/0x110
+[283465.561932] [<ffffffffa0630860>] fh_verify+0x350/0x660 [nfsd]
+[283465.562862] [<ffffffffa0637804>] ? nfsd_cache_lookup+0x44/0x630 [nfsd]
+[283465.563697] [<ffffffffa063a8b9>] nfsd3_proc_getattr+0x69/0xf0 [nfsd]
+[283465.564510] [<ffffffffa062cf60>] nfsd_dispatch+0xe0/0x290 [nfsd]
+[283465.565358] [<ffffffffa05eb892>] ? svc_tcp_adjust_wspace+0x12/0x30
+[sunrpc]
+[283465.566272] [<ffffffffa05ea652>] svc_process_common+0x412/0x6a0 [sunrpc]
+[283465.567155] [<ffffffffa05eaa03>] svc_process+0x123/0x210 [sunrpc]
+[283465.568020] [<ffffffffa062c90f>] nfsd+0xff/0x170 [nfsd]
+[283465.568962] [<ffffffffa062c810>] ? nfsd_destroy+0x80/0x80 [nfsd]
+[283465.570112] [<ffffffff810a622b>] kthread+0xcb/0xf0
+[283465.571099] [<ffffffff810a6160>] ? kthread_create_on_node+0x180/0x180
+[283465.572114] [<ffffffff816f11b8>] ret_from_fork+0x58/0x90
+[283465.573156] [<ffffffff810a6160>] ? kthread_create_on_node+0x180/0x180
+
+Link: http://lkml.kernel.org/r/1554185919-3010-1-git-send-email-sunny.s.zhang@oracle.com
+Signed-off-by: Shuning Zhang <sunny.s.zhang@oracle.com>
+Reviewed-by: Joseph Qi <jiangqi903@gmail.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: piaojun <piaojun@huawei.com>
+Cc: "Gang He" <ghe@suse.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ocfs2/export.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/export.c b/fs/ocfs2/export.c
+index 4bf8d5854b27..af2888d23de3 100644
+--- a/fs/ocfs2/export.c
++++ b/fs/ocfs2/export.c
+@@ -148,16 +148,24 @@ static struct dentry *ocfs2_get_parent(struct dentry *child)
+ u64 blkno;
+ struct dentry *parent;
+ struct inode *dir = d_inode(child);
++ int set;
+
+ trace_ocfs2_get_parent(child, child->d_name.len, child->d_name.name,
+ (unsigned long long)OCFS2_I(dir)->ip_blkno);
+
++ status = ocfs2_nfs_sync_lock(OCFS2_SB(dir->i_sb), 1);
++ if (status < 0) {
++ mlog(ML_ERROR, "getting nfs sync lock(EX) failed %d\n", status);
++ parent = ERR_PTR(status);
++ goto bail;
++ }
++
+ status = ocfs2_inode_lock(dir, NULL, 0);
+ if (status < 0) {
+ if (status != -ENOENT)
+ mlog_errno(status);
+ parent = ERR_PTR(status);
+- goto bail;
++ goto unlock_nfs_sync;
+ }
+
+ status = ocfs2_lookup_ino_from_name(dir, "..", 2, &blkno);
+@@ -166,11 +174,31 @@ static struct dentry *ocfs2_get_parent(struct dentry *child)
+ goto bail_unlock;
+ }
+
++ status = ocfs2_test_inode_bit(OCFS2_SB(dir->i_sb), blkno, &set);
++ if (status < 0) {
++ if (status == -EINVAL) {
++ status = -ESTALE;
++ } else
++ mlog(ML_ERROR, "test inode bit failed %d\n", status);
++ parent = ERR_PTR(status);
++ goto bail_unlock;
++ }
++
++ trace_ocfs2_get_dentry_test_bit(status, set);
++ if (!set) {
++ status = -ESTALE;
++ parent = ERR_PTR(status);
++ goto bail_unlock;
++ }
++
+ parent = d_obtain_alias(ocfs2_iget(OCFS2_SB(dir->i_sb), blkno, 0, 0));
+
+ bail_unlock:
+ ocfs2_inode_unlock(dir, 0);
+
++unlock_nfs_sync:
++ ocfs2_nfs_sync_unlock(OCFS2_SB(dir->i_sb), 1);
++
+ bail:
+ trace_ocfs2_get_parent_end(parent);
+
+--
+2.16.4
+
diff --git a/patches.fixes/scsi-qla2xxx-Fix-memory-corruption-during-hba-reset-.patch b/patches.fixes/scsi-qla2xxx-Fix-memory-corruption-during-hba-reset-.patch
new file mode 100644
index 0000000000..2b94971d10
--- /dev/null
+++ b/patches.fixes/scsi-qla2xxx-Fix-memory-corruption-during-hba-reset-.patch
@@ -0,0 +1,41 @@
+From: Quinn Tran <quinn.tran@cavium.com>
+Date: Tue, 23 Jan 2018 11:05:21 -0800
+Subject: [PATCH] scsi: qla2xxx: Fix memory corruption during hba reset test
+Git-commit: 2ce87cc5b269510de9ca1185ca8a6e10ec78c069
+Patch-mainline: v4.16-rc3
+References: bsc#1118139
+
+This patch fixes memory corrpution while performing HBA Reset test.
+
+Following stack trace is seen:
+
+[ 466.397219] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
+[ 466.433669] IP: [<ffffffffc06f5dd0>] qlt_free_session_done+0x260/0x5f0 [qla2xxx]
+[ 466.467731] PGD 0
+[ 466.476718] Oops: 0000 [#1] SMP
+
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index 12ee6e02d146..afcb5567998a 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -3625,6 +3625,8 @@ qla2x00_remove_one(struct pci_dev *pdev)
+ }
+ qla2x00_wait_for_hba_ready(base_vha);
+
++ qla2x00_wait_for_sess_deletion(base_vha);
++
+ /*
+ * if UNLOAD flag is already set, then continue unload,
+ * where it was set first.
+--
+2.12.3
+
diff --git a/patches.fixes/scsi-qla2xxx-fix-driver-unload-by-shutting-down-chip.patch b/patches.fixes/scsi-qla2xxx-fix-driver-unload-by-shutting-down-chip.patch
index 6a896e2f57..511843e975 100644
--- a/patches.fixes/scsi-qla2xxx-fix-driver-unload-by-shutting-down-chip.patch
+++ b/patches.fixes/scsi-qla2xxx-fix-driver-unload-by-shutting-down-chip.patch
@@ -16,16 +16,18 @@ Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
---
- drivers/scsi/qla2xxx/qla_isr.c | 3 ++
- drivers/scsi/qla2xxx/qla_mbx.c | 6 +++++
- drivers/scsi/qla2xxx/qla_mid.c | 6 +++--
- drivers/scsi/qla2xxx/qla_os.c | 43 +++++++++++++++++------------------------
- drivers/scsi/qla2xxx/qla_sup.c | 3 ++
+ drivers/scsi/qla2xxx/qla_isr.c | 3 +++
+ drivers/scsi/qla2xxx/qla_mbx.c | 6 ++++++
+ drivers/scsi/qla2xxx/qla_mid.c | 6 ++++--
+ drivers/scsi/qla2xxx/qla_os.c | 43 ++++++++++++++++++------------------------
+ drivers/scsi/qla2xxx/qla_sup.c | 3 +++
5 files changed, 34 insertions(+), 27 deletions(-)
+diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
+index 91f235d109db..d5f896812a2b 100644
--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
-@@ -630,6 +630,9 @@ qla2x00_async_event(scsi_qla_host_t *vha
+@@ -630,6 +630,9 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb)
unsigned long flags;
fc_port_t *fcport = NULL;
@@ -35,9 +37,11 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
/* Setup to process RIO completion. */
handle_cnt = 0;
if (IS_CNA_CAPABLE(ha))
+diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
+index d9515e734cb9..2b4e7a3ff7c2 100644
--- a/drivers/scsi/qla2xxx/qla_mbx.c
+++ b/drivers/scsi/qla2xxx/qla_mbx.c
-@@ -4201,6 +4201,9 @@ qla25xx_init_req_que(struct scsi_qla_hos
+@@ -4201,6 +4201,9 @@ qla25xx_init_req_que(struct scsi_qla_host *vha, struct req_que *req)
mbx_cmd_t *mcp = &mc;
struct qla_hw_data *ha = vha->hw;
@@ -47,7 +51,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
ql_dbg(ql_dbg_mbx + ql_dbg_verbose, vha, 0x10d3,
"Entered %s.\n", __func__);
-@@ -4270,6 +4273,9 @@ qla25xx_init_rsp_que(struct scsi_qla_hos
+@@ -4270,6 +4273,9 @@ qla25xx_init_rsp_que(struct scsi_qla_host *vha, struct rsp_que *rsp)
mbx_cmd_t *mcp = &mc;
struct qla_hw_data *ha = vha->hw;
@@ -57,6 +61,8 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
ql_dbg(ql_dbg_mbx + ql_dbg_verbose, vha, 0x10d6,
"Entered %s.\n", __func__);
+diff --git a/drivers/scsi/qla2xxx/qla_mid.c b/drivers/scsi/qla2xxx/qla_mid.c
+index a55c91b6c8c7..bbbbaf470b6a 100644
--- a/drivers/scsi/qla2xxx/qla_mid.c
+++ b/drivers/scsi/qla2xxx/qla_mid.c
@@ -152,10 +152,12 @@ int
@@ -74,9 +80,11 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
atomic_set(&vha->loop_state, LOOP_DOWN);
atomic_set(&vha->loop_down_timer, LOOP_DOWN_TIME);
list_for_each_entry(fcport, &vha->vp_fcports, list)
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index eb246be7cda1..99e287b11b0b 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
-@@ -303,6 +303,7 @@ static void qla2x00_free_device(scsi_qla
+@@ -299,6 +299,7 @@ static void qla2x00_free_device(scsi_qla_host_t *);
static int qla2xxx_map_queues(struct Scsi_Host *shost);
static void qla2x00_destroy_deferred_work(struct qla_hw_data *);
@@ -84,7 +92,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
struct scsi_host_template qla2xxx_driver_template = {
.module = THIS_MODULE,
.name = QLA2XXX_DRIVER_NAME,
-@@ -3605,6 +3606,8 @@ qla2x00_remove_one(struct pci_dev *pdev)
+@@ -3601,6 +3602,8 @@ qla2x00_remove_one(struct pci_dev *pdev)
base_vha = pci_get_drvdata(pdev);
ha = base_vha->hw;
@@ -93,7 +101,29 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
/* Indicate device removal to prevent future board_disable and wait
* until any pending board_disable has completed. */
-@@ -3648,14 +3651,6 @@ qla2x00_remove_one(struct pci_dev *pdev)
+@@ -3625,6 +3628,21 @@ qla2x00_remove_one(struct pci_dev *pdev)
+
+ qla2x00_wait_for_sess_deletion(base_vha);
+
++ if (IS_QLA25XX(ha) || IS_QLA2031(ha) || IS_QLA27XX(ha)) {
++ if (ha->flags.fw_started)
++ qla2x00_abort_isp_cleanup(base_vha);
++ } else if (!IS_QLAFX00(ha)) {
++ if (IS_QLA8031(ha)) {
++ ql_dbg(ql_dbg_p3p, base_vha, 0xb07e,
++ "Clearing fcoe driver presence.\n");
++ if (qla83xx_clear_drv_presence(base_vha) != QLA_SUCCESS)
++ ql_dbg(ql_dbg_p3p, base_vha, 0xb079,
++ "Error while clearing DRV-Presence.\n");
++ }
++
++ qla2x00_try_to_stop_firmware(base_vha);
++ }
++
+ /*
+ * if UNLOAD flag is already set, then continue unload,
+ * where it was set first.
+@@ -3646,14 +3664,6 @@ qla2x00_remove_one(struct pci_dev *pdev)
qla2x00_delete_all_vps(ha, base_vha);
@@ -108,7 +138,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
qla2x00_abort_all_cmds(base_vha, DID_NO_CONNECT << 16);
qla2x00_dfs_remove(base_vha);
-@@ -3716,23 +3711,6 @@ qla2x00_free_device(scsi_qla_host_t *vha
+@@ -3714,23 +3724,6 @@ qla2x00_free_device(scsi_qla_host_t *vha)
qla25xx_delete_queues(vha);
@@ -132,31 +162,11 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
vha->flags.online = 0;
/* turn-off interrupts on the card */
-@@ -5819,6 +5797,21 @@ qla2x00_disable_board_on_pci_error(struc
- return;
- }
-
-+ if (IS_QLA25XX(ha) || IS_QLA2031(ha) || IS_QLA27XX(ha)) {
-+ if (ha->flags.fw_started)
-+ qla2x00_abort_isp_cleanup(base_vha);
-+ } else if (!IS_QLAFX00(ha)) {
-+ if (IS_QLA8031(ha)) {
-+ ql_dbg(ql_dbg_p3p, base_vha, 0xb07e,
-+ "Clearing fcoe driver presence.\n");
-+ if (qla83xx_clear_drv_presence(base_vha) != QLA_SUCCESS)
-+ ql_dbg(ql_dbg_p3p, base_vha, 0xb079,
-+ "Error while clearing DRV-Presence.\n");
-+ }
-+
-+ qla2x00_try_to_stop_firmware(base_vha);
-+ }
-+
- qla2x00_wait_for_sess_deletion(base_vha);
-
- set_bit(UNLOADING, &base_vha->dpc_flags);
+diff --git a/drivers/scsi/qla2xxx/qla_sup.c b/drivers/scsi/qla2xxx/qla_sup.c
+index d2db86ea06b2..d9649b3afc51 100644
--- a/drivers/scsi/qla2xxx/qla_sup.c
+++ b/drivers/scsi/qla2xxx/qla_sup.c
-@@ -1880,6 +1880,9 @@ qla24xx_beacon_off(struct scsi_qla_host
+@@ -1880,6 +1880,9 @@ qla24xx_beacon_off(struct scsi_qla_host *vha)
if (IS_P3P_TYPE(ha))
return QLA_SUCCESS;
@@ -166,3 +176,6 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
ha->beacon_blink_led = 0;
if (IS_QLA2031(ha) || IS_QLA27XX(ha))
+--
+2.16.4
+
diff --git a/patches.fixes/scsi-qla2xxx-fix-error-message-on-qla2400.patch b/patches.fixes/scsi-qla2xxx-fix-error-message-on-qla2400.patch
new file mode 100644
index 0000000000..f26259962d
--- /dev/null
+++ b/patches.fixes/scsi-qla2xxx-fix-error-message-on-qla2400.patch
@@ -0,0 +1,72 @@
+From: Meelis Roos <mroos@linux.ee>
+Date: Thu, 8 Mar 2018 15:44:07 +0200
+Subject: [PATCH] scsi: qla2xxx: fix error message on <qla2400
+Git-commit: f7e59e994fc69ace89f828686d82d528529ea025
+Patch-mainline: v4.17-rc1
+References: bsc#1118139
+
+This patch fixes IO traps caught by hardware when mailbox command fails
+on qla2200. The error handler assumes newer firmware that is available
+on 2400 and newer HBA-s.
+
+This causes ugly crashes on sparc64.
+
+Fix it with separate debug prints on different firmware generations like
+most other places do.
+
+[mkp: updated based on feedback from Himanshu]
+
+Signed-off-by: Meelis Roos <mroos@linux.ee>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_dbg.c | 2 +-
+ drivers/scsi/qla2xxx/qla_mbx.c | 18 +++++++++++++-----
+ 2 files changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_dbg.c b/drivers/scsi/qla2xxx/qla_dbg.c
+index 3e9dc54b89a3..d52ee990707d 100644
+--- a/drivers/scsi/qla2xxx/qla_dbg.c
++++ b/drivers/scsi/qla2xxx/qla_dbg.c
+@@ -14,7 +14,7 @@
+ * | Module Init and Probe | 0x0193 | 0x0146 |
+ * | | | 0x015b-0x0160 |
+ * | | | 0x016e |
+- * | Mailbox commands | 0x1205 | 0x11a2-0x11ff |
++ * | Mailbox commands | 0x1206 | 0x11a2-0x11ff |
+ * | Device Discovery | 0x2134 | 0x210e-0x2116 |
+ * | | | 0x211a |
+ * | | | 0x211c-0x2128 |
+diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
+index 7397aeddd96c..9a97f2ceffba 100644
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -503,11 +503,19 @@ qla2x00_mailbox_command(scsi_qla_host_t *vha, mbx_cmd_t *mcp)
+ }
+ pr_warn(" cmd=%x ****\n", command);
+ }
+- ql_dbg(ql_dbg_mbx, vha, 0x1198,
+- "host_status=%#x intr_ctrl=%#x intr_status=%#x\n",
+- RD_REG_DWORD(&reg->isp24.host_status),
+- RD_REG_DWORD(&reg->isp24.ictrl),
+- RD_REG_DWORD(&reg->isp24.istatus));
++ if (IS_FWI2_CAPABLE(ha) && !(IS_P3P_TYPE(ha))) {
++ ql_dbg(ql_dbg_mbx, vha, 0x1198,
++ "host_status=%#x intr_ctrl=%#x intr_status=%#x\n",
++ RD_REG_DWORD(&reg->isp24.host_status),
++ RD_REG_DWORD(&reg->isp24.ictrl),
++ RD_REG_DWORD(&reg->isp24.istatus));
++ } else {
++ ql_dbg(ql_dbg_mbx, vha, 0x1206,
++ "ctrl_status=%#x ictrl=%#x istatus=%#x\n",
++ RD_REG_WORD(&reg->isp.ctrl_status),
++ RD_REG_WORD(&reg->isp.ictrl),
++ RD_REG_WORD(&reg->isp.istatus));
++ }
+ } else {
+ ql_dbg(ql_dbg_mbx, base_vha, 0x1021, "Done %s.\n", __func__);
+ }
+--
+2.12.3
+
diff --git a/patches.fixes/scsi-qla2xxx-fix-spelling-mistake-existant-existent.patch b/patches.fixes/scsi-qla2xxx-fix-spelling-mistake-existant-existent.patch
new file mode 100644
index 0000000000..20def1021a
--- /dev/null
+++ b/patches.fixes/scsi-qla2xxx-fix-spelling-mistake-existant-existent.patch
@@ -0,0 +1,32 @@
+From: Colin Ian King <colin.king@canonical.com>
+Date: Mon, 19 Mar 2018 10:53:41 +0000
+Subject: [PATCH] scsi: qla2xxx: fix spelling mistake: "existant" -> "existent"
+Git-commit: 03fea736c0d0f102b604ba410e45c76e7616a077
+Patch-mainline: v4.17-rc1
+References: bsc#1118139
+
+Trivial fix to spelling mistake in debug message text
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_target.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
+index 755d7a2a3eea..41863a056c9a 100644
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -2028,7 +2028,7 @@ static void qlt_24xx_handle_abts(struct scsi_qla_host *vha,
+ sess = ha->tgt.tgt_ops->find_sess_by_s_id(vha, s_id);
+ if (!sess) {
+ ql_dbg(ql_dbg_tgt_mgt, vha, 0xf012,
+- "qla_target(%d): task abort for non-existant session\n",
++ "qla_target(%d): task abort for non-existent session\n",
+ vha->vp_idx);
+ spin_unlock_irqrestore(&ha->tgt.sess_lock, flags);
+
+--
+2.12.3
+
diff --git a/patches.fixes/scsi-qla2xxx-fx00-copypaste-typo.patch b/patches.fixes/scsi-qla2xxx-fx00-copypaste-typo.patch
new file mode 100644
index 0000000000..d39e7e95b5
--- /dev/null
+++ b/patches.fixes/scsi-qla2xxx-fx00-copypaste-typo.patch
@@ -0,0 +1,36 @@
+From: Meelis Roos <mroos@linux.ee>
+Date: Thu, 8 Mar 2018 15:44:37 +0200
+Subject: [PATCH] scsi: qla2xxx: fx00 copypaste typo
+Git-commit: 3f6c9be27ae1932410d0af044b074fd2c27945c4
+Patch-mainline: v4.17-rc1
+References: bsc#1118139
+
+Fix an obvious copy-paste error in freeing QLAFX00 response queue - the
+code checked for rsp->ring but freed rsp->ring_fx00.
+
+[mkp: applied by hand]
+
+Signed-off-by: Meelis Roos <mroos@linux.ee>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index 5c5dcca4d1da..b12fea6367b5 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -496,7 +496,7 @@ static void qla2x00_free_rsp_que(struct qla_hw_data *ha, struct rsp_que *rsp)
+ return;
+
+ if (IS_QLAFX00(ha)) {
+- if (rsp && rsp->ring)
++ if (rsp && rsp->ring_fx00)
+ dma_free_coherent(&ha->pdev->dev,
+ (rsp->length_fx00 + 1) * sizeof(request_t),
+ rsp->ring_fx00, rsp->dma_fx00);
+--
+2.12.3
+
diff --git a/patches.fixes/scsi-qla2xxx-remove-the-unused-tcm_qla2xxx_cmd_wq.patch b/patches.fixes/scsi-qla2xxx-remove-the-unused-tcm_qla2xxx_cmd_wq.patch
new file mode 100644
index 0000000000..7951642be8
--- /dev/null
+++ b/patches.fixes/scsi-qla2xxx-remove-the-unused-tcm_qla2xxx_cmd_wq.patch
@@ -0,0 +1,55 @@
+From: Andrei Vagin <avagin@openvz.org>
+Date: Wed, 2 May 2018 13:31:13 -0700
+Subject: [PATCH] scsi: qla2xxx: remove the unused tcm_qla2xxx_cmd_wq
+Git-commit: 4b83cb8b06bc1faf70573a18b080976aa9aed0fb
+Patch-mainline: v4.18-rc1
+References: bsc#1118139
+
+Signed-off-by: Andrei Vagin <avagin@openvz.org>
+Reviewed-by: Laurence Oberman <loberman@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/qla2xxx/tcm_qla2xxx.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+index 34ea4a8f98d2..0c2e82af9c0a 100644
+--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+@@ -48,7 +48,6 @@
+ #include "tcm_qla2xxx.h"
+
+ static struct workqueue_struct *tcm_qla2xxx_free_wq;
+-static struct workqueue_struct *tcm_qla2xxx_cmd_wq;
+
+ /*
+ * Parse WWN.
+@@ -2003,16 +2002,8 @@ static int tcm_qla2xxx_register_configfs(void)
+ goto out_fabric_npiv;
+ }
+
+- tcm_qla2xxx_cmd_wq = alloc_workqueue("tcm_qla2xxx_cmd", 0, 0);
+- if (!tcm_qla2xxx_cmd_wq) {
+- ret = -ENOMEM;
+- goto out_free_wq;
+- }
+-
+ return 0;
+
+-out_free_wq:
+- destroy_workqueue(tcm_qla2xxx_free_wq);
+ out_fabric_npiv:
+ target_unregister_template(&tcm_qla2xxx_npiv_ops);
+ out_fabric:
+@@ -2022,7 +2013,6 @@ static int tcm_qla2xxx_register_configfs(void)
+
+ static void tcm_qla2xxx_deregister_configfs(void)
+ {
+- destroy_workqueue(tcm_qla2xxx_cmd_wq);
+ destroy_workqueue(tcm_qla2xxx_free_wq);
+
+ target_unregister_template(&tcm_qla2xxx_ops);
+--
+2.12.3
+
diff --git a/patches.fixes/udp-use-indirect-call-wrappers-for-GRO-socket-lookup.patch b/patches.fixes/udp-use-indirect-call-wrappers-for-GRO-socket-lookup.patch
new file mode 100644
index 0000000000..9d0dd3e1f2
--- /dev/null
+++ b/patches.fixes/udp-use-indirect-call-wrappers-for-GRO-socket-lookup.patch
@@ -0,0 +1,52 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Fri, 14 Dec 2018 11:52:00 +0100
+Subject: udp: use indirect call wrappers for GRO socket lookup
+Patch-mainline: v5.0-rc1
+Git-commit: 4f24ed77dec9b067d08f7958a287cbf48665f35e
+References: bsc#1124503
+
+This avoids another indirect call for UDP GRO. Again, the test
+for the IPv6 variant is performed first.
+
+v1 -> v2:
+ - adapted to INDIRECT_CALL_ changes
+
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/ipv4/udp_offload.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/udp_offload.c
++++ b/net/ipv4/udp_offload.c
+@@ -245,6 +245,8 @@ static struct sk_buff *udp4_ufo_fragment(struct sk_buff *skb,
+ return segs;
+ }
+
++INDIRECT_CALLABLE_DECLARE(struct sock *udp6_lib_lookup_skb(struct sk_buff *skb,
++ __be16 sport, __be16 dport));
+ struct sk_buff **udp_gro_receive(struct sk_buff **head, struct sk_buff *skb,
+ struct udphdr *uh, udp_lookup_t lookup)
+ {
+@@ -264,7 +266,8 @@ struct sk_buff **udp_gro_receive(struct sk_buff **head, struct sk_buff *skb,
+ NAPI_GRO_CB(skb)->encap_mark = 1;
+
+ rcu_read_lock();
+- sk = (*lookup)(skb, uh->source, uh->dest);
++ sk = INDIRECT_CALL_INET(lookup, udp6_lib_lookup_skb,
++ udp4_lib_lookup_skb, skb, uh->source, uh->dest);
+
+ if (sk && udp_sk(sk)->gro_receive)
+ goto unflush;
+@@ -344,7 +347,8 @@ int udp_gro_complete(struct sk_buff *skb, int nhoff,
+ skb->encapsulation = 1;
+
+ rcu_read_lock();
+- sk = (*lookup)(skb, uh->source, uh->dest);
++ sk = INDIRECT_CALL_INET(lookup, udp6_lib_lookup_skb,
++ udp4_lib_lookup_skb, skb, uh->source, uh->dest);
+ if (sk && udp_sk(sk)->gro_complete)
+ err = udp_sk(sk)->gro_complete(sk, skb,
+ nhoff + sizeof(struct udphdr));
diff --git a/patches.fixes/xfs-serialize-unaligned-dio-writes-against-all-other.patch b/patches.fixes/xfs-serialize-unaligned-dio-writes-against-all-other.patch
new file mode 100644
index 0000000000..3c99ca3c98
--- /dev/null
+++ b/patches.fixes/xfs-serialize-unaligned-dio-writes-against-all-other.patch
@@ -0,0 +1,94 @@
+From 2032a8a27b5cc0f578d37fa16fa2494b80a0d00a Mon Sep 17 00:00:00 2001
+From: Brian Foster <bfoster@redhat.com>
+Date: Mon, 25 Mar 2019 17:01:45 -0700
+Subject: [PATCH] xfs: serialize unaligned dio writes against all other dio
+ writes
+Git-commit: 2032a8a27b5cc0f578d37fa16fa2494b80a0d00a
+Patch-mainline: v5.1-rc3
+References: bsc#1134936
+
+XFS applies more strict serialization constraints to unaligned
+direct writes to accommodate things like direct I/O layer zeroing,
+unwritten extent conversion, etc. Unaligned submissions acquire the
+exclusive iolock and wait for in-flight dio to complete to ensure
+multiple submissions do not race on the same block and cause data
+corruption.
+
+This generally works in the case of an aligned dio followed by an
+unaligned dio, but the serialization is lost if I/Os occur in the
+opposite order. If an unaligned write is submitted first and
+immediately followed by an overlapping, aligned write, the latter
+submits without the typical unaligned serialization barriers because
+there is no indication of an unaligned dio still in-flight. This can
+lead to unpredictable results.
+
+To provide proper unaligned dio serialization, require that such
+direct writes are always the only dio allowed in-flight at one time
+for a particular inode. We already acquire the exclusive iolock and
+drain pending dio before submitting the unaligned dio. Wait once
+more after the dio submission to hold the iolock across the I/O and
+prevent further submissions until the unaligned I/O completes. This
+is heavy handed, but consistent with the current pre-submission
+serialization for unaligned direct writes.
+
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Allison Henderson <allison.henderson@oracle.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_file.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
+index 1f2e2845eb76..a7ceae90110e 100644
+--- a/fs/xfs/xfs_file.c
++++ b/fs/xfs/xfs_file.c
+@@ -529,18 +529,17 @@ xfs_file_dio_aio_write(
+ count = iov_iter_count(from);
+
+ /*
+- * If we are doing unaligned IO, wait for all other IO to drain,
+- * otherwise demote the lock if we had to take the exclusive lock
+- * for other reasons in xfs_file_aio_write_checks.
++ * If we are doing unaligned IO, we can't allow any other overlapping IO
++ * in-flight at the same time or we risk data corruption. Wait for all
++ * other IO to drain before we submit. If the IO is aligned, demote the
++ * iolock if we had to take the exclusive lock in
++ * xfs_file_aio_write_checks() for other reasons.
+ */
+ if (unaligned_io) {
+- /* If we are going to wait for other DIO to finish, bail */
+- if (iocb->ki_flags & IOCB_NOWAIT) {
+- if (atomic_read(&inode->i_dio_count))
+- return -EAGAIN;
+- } else {
+- inode_dio_wait(inode);
+- }
++ /* unaligned dio always waits, bail */
++ if (iocb->ki_flags & IOCB_NOWAIT)
++ return -EAGAIN;
++ inode_dio_wait(inode);
+ } else if (iolock == XFS_IOLOCK_EXCL) {
+ xfs_ilock_demote(ip, XFS_IOLOCK_EXCL);
+ iolock = XFS_IOLOCK_SHARED;
+@@ -548,6 +547,14 @@ xfs_file_dio_aio_write(
+
+ trace_xfs_file_direct_write(ip, count, iocb->ki_pos);
+ ret = iomap_dio_rw(iocb, from, &xfs_iomap_ops, xfs_dio_write_end_io);
++
++ /*
++ * If unaligned, this is the only IO in-flight. If it has not yet
++ * completed, wait on it before we release the iolock to prevent
++ * subsequent overlapping IO.
++ */
++ if (ret == -EIOCBQUEUED && unaligned_io)
++ inode_dio_wait(inode);
+ out:
+ xfs_iunlock(ip, iolock);
+
+--
+2.16.4
+
diff --git a/patches.kabi/arch-arm64-acpi-KABI-ignore-includes.patch b/patches.kabi/arch-arm64-acpi-KABI-ignore-includes.patch
new file mode 100644
index 0000000000..a3fe5f5974
--- /dev/null
+++ b/patches.kabi/arch-arm64-acpi-KABI-ignore-includes.patch
@@ -0,0 +1,28 @@
+From: Matthias Brugger <mbrugger@suse.com>
+Subject: arch: arm64: acpi: KABI ginore includes
+Patch-mainline: never, kabi
+References: bsc#1117158 bsc#1134671
+
+Upstream commit
+09ffcb0d718a ("arm64: acpi: fix alignment fault in accessing ACPI")
+adds new header file inclusions which trigger kABI checker to fail.
+Mark the include statements as not needed for kABI checker to fix that.
+
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ arch/arm64/include/asm/acpi.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm64/include/asm/acpi.h
++++ b/arch/arm64/include/asm/acpi.h
+@@ -12,7 +12,10 @@
+ #ifndef _ASM_ACPI_H
+ #define _ASM_ACPI_H
+
++#ifndef __GENKSYMS__
+ #include <linux/efi.h>
++#endif
++
+ #include <linux/memblock.h>
+ #include <linux/psci.h>
+
diff --git a/patches.kabi/bpf-add-map_lookup_elem_sys_only-for-lookups-from-sy.patch b/patches.kabi/bpf-add-map_lookup_elem_sys_only-for-lookups-from-sy.patch
new file mode 100644
index 0000000000..0eee0f868f
--- /dev/null
+++ b/patches.kabi/bpf-add-map_lookup_elem_sys_only-for-lookups-from-sy.patch
@@ -0,0 +1,94 @@
+From: Gary Lin <glin@suse.com>
+Subject: kabi: implement map_lookup_elem_sys_only in another way
+Patch-mainline: never, KABI fix
+References: bsc#1083647
+
+The upstream fix(*) introduces a new member, map_lookup_elem_sys_only,
+to 'struct bpf_map_ops' and breaks KABI.
+
+Since the only user of map_lookup_elem_sys_only is lru hash, this patch
+renames htab_lru_map_lookup_elem_sys() and makes it public for
+kernel/bpf/syscall.c.
+
+(*) c6110222c6f49ea68169f353565eb865488a8619
+ patches.fixes/bpf-add-map_lookup_elem_sys_only-for-lookups-from-sy.patch
+
+Signed-off-by: Gary Lin <glin@suse.com>
+
+---
+ include/linux/bpf.h | 1 -
+ kernel/bpf/hashtab.c | 3 +--
+ kernel/bpf/hashtab.h | 16 ++++++++++++++++
+ kernel/bpf/syscall.c | 6 ++++--
+ 4 files changed, 21 insertions(+), 5 deletions(-)
+
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -25,7 +25,6 @@ struct bpf_map_ops {
+ void (*map_release)(struct bpf_map *map, struct file *map_file);
+ void (*map_free)(struct bpf_map *map);
+ int (*map_get_next_key)(struct bpf_map *map, void *key, void *next_key);
+- void *(*map_lookup_elem_sys_only)(struct bpf_map *map, void *key);
+
+ /* funcs callable from userspace and from eBPF programs */
+ void *(*map_lookup_elem)(struct bpf_map *map, void *key);
+--- a/kernel/bpf/hashtab.c
++++ b/kernel/bpf/hashtab.c
+@@ -512,7 +512,7 @@ static void *htab_lru_map_lookup_elem(st
+ return __htab_lru_map_lookup_elem(map, key, true);
+ }
+
+-static void *htab_lru_map_lookup_elem_sys(struct bpf_map *map, void *key)
++void *suse_htab_lru_map_lookup_elem_sys(struct bpf_map *map, void *key)
+ {
+ return __htab_lru_map_lookup_elem(map, key, false);
+ }
+@@ -1166,7 +1166,6 @@ const struct bpf_map_ops htab_lru_map_op
+ .map_free = htab_map_free,
+ .map_get_next_key = htab_map_get_next_key,
+ .map_lookup_elem = htab_lru_map_lookup_elem,
+- .map_lookup_elem_sys_only = htab_lru_map_lookup_elem_sys,
+ .map_update_elem = htab_lru_map_update_elem,
+ .map_delete_elem = htab_lru_map_delete_elem,
+ .map_gen_lookup = htab_lru_map_gen_lookup,
+--- /dev/null
++++ b/kernel/bpf/hashtab.h
+@@ -0,0 +1,16 @@
++/* Copyright (c) 2019 SUSE, https://www.suse.com/
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of version 2 of the GNU General Public
++ * License as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ */
++
++#include <linux/bpf.h>
++
++/* Add this function to avoid adding an extra member to bpf_map_ops */
++void *suse_htab_lru_map_lookup_elem_sys(struct bpf_map *map, void *key);
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -24,6 +24,8 @@
+ #include <linux/kernel.h>
+ #include <linux/idr.h>
+
++#include "hashtab.h"
++
+ #define IS_FD_ARRAY(map) ((map)->map_type == BPF_MAP_TYPE_PROG_ARRAY || \
+ (map)->map_type == BPF_MAP_TYPE_PERF_EVENT_ARRAY || \
+ (map)->map_type == BPF_MAP_TYPE_CGROUP_ARRAY || \
+@@ -488,8 +490,8 @@ static int map_lookup_elem(union bpf_att
+ err = bpf_fd_htab_map_lookup_elem(map, key, value);
+ } else {
+ rcu_read_lock();
+- if (map->ops->map_lookup_elem_sys_only)
+- ptr = map->ops->map_lookup_elem_sys_only(map, key);
++ if (map->map_type == BPF_MAP_TYPE_LRU_HASH)
++ ptr = suse_htab_lru_map_lookup_elem_sys(map, key);
+ else
+ ptr = map->ops->map_lookup_elem(map, key);
+ if (ptr)
diff --git a/patches.kabi/firmware-efi-KABI-memreserve.patch b/patches.kabi/firmware-efi-KABI-memreserve.patch
new file mode 100644
index 0000000000..5f8ba907e5
--- /dev/null
+++ b/patches.kabi/firmware-efi-KABI-memreserve.patch
@@ -0,0 +1,82 @@
+From: Matthias Brugger <mbrugger@suse.com>
+Subject: firmware: efi: factor out mem_reserve
+Patch-mainline: never, kabi
+References: bsc#1117158 bsc#1134671
+
+Upstream commit
+976b489120cd ("efi: Prevent GICv3 WARN() by mapping the memreserve table before first use")
+63eb322d89c8 ("efi: Permit calling efi_mem_reserve_persistent() from atomic context")
+a23d3bb05ccb ("efi: add API to reserve memory persistently across kexec reboot")
+and
+71e0940d52e1 ("efi: honour memory reservations passed via a linux specific config table")
+use and introduce the new member mem_reserve of struct efi.
+This breaks KABI. As the only user of struct efi is the efi code itself, we change it
+to a global variable, which should do the trick.
+
+Signed-off-by: Matthias Brugger <mbrugger@suse.com>
+---
+ drivers/firmware/efi/efi.c | 16 ++++++++++------
+ include/linux/efi.h | 1 -
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -52,10 +52,14 @@ struct efi __read_mostly efi = {
+ .properties_table = EFI_INVALID_TABLE_ADDR,
+ .mem_attr_table = EFI_INVALID_TABLE_ADDR,
+ .rng_seed = EFI_INVALID_TABLE_ADDR,
+- .mem_reserve = EFI_INVALID_TABLE_ADDR,
+ };
+ EXPORT_SYMBOL(efi);
+
++ /* Linux EFI memreserve table
++ * Declared as global variable for not breaking KABI
++ */
++unsigned long mem_reserve = EFI_INVALID_TABLE_ADDR;
++
+ static unsigned long *efi_tables[] = {
+ &efi.mps,
+ &efi.acpi,
+@@ -467,7 +471,7 @@ static __initdata efi_config_table_type_
+ {EFI_PROPERTIES_TABLE_GUID, "PROP", &efi.properties_table},
+ {EFI_MEMORY_ATTRIBUTES_TABLE_GUID, "MEMATTR", &efi.mem_attr_table},
+ {LINUX_EFI_RANDOM_SEED_TABLE_GUID, "RNG", &efi.rng_seed},
+- {LINUX_EFI_MEMRESERVE_TABLE_GUID, "MEMRESERVE", &efi.mem_reserve},
++ {LINUX_EFI_MEMRESERVE_TABLE_GUID, "MEMRESERVE", &mem_reserve},
+ {NULL_GUID, NULL, NULL},
+ };
+
+@@ -572,8 +576,8 @@ int __init efi_config_parse_tables(void
+ early_memunmap(tbl, sizeof(*tbl));
+ }
+
+- if (efi.mem_reserve != EFI_INVALID_TABLE_ADDR) {
+- unsigned long prsv = efi.mem_reserve;
++ if (mem_reserve != EFI_INVALID_TABLE_ADDR) {
++ unsigned long prsv = mem_reserve;
+
+ while (prsv) {
+ struct linux_efi_memreserve *rsv;
+@@ -933,10 +937,10 @@ static struct linux_efi_memreserve *efi_
+
+ static int __init efi_memreserve_map_root(void)
+ {
+- if (efi.mem_reserve == EFI_INVALID_TABLE_ADDR)
++ if (mem_reserve == EFI_INVALID_TABLE_ADDR)
+ return -ENODEV;
+
+- efi_memreserve_root = memremap(efi.mem_reserve,
++ efi_memreserve_root = memremap(mem_reserve,
+ sizeof(*efi_memreserve_root),
+ MEMREMAP_WB);
+ if (WARN_ON_ONCE(!efi_memreserve_root))
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -922,7 +922,6 @@ extern struct efi {
+ unsigned long properties_table; /* properties table */
+ unsigned long mem_attr_table; /* memory attributes table */
+ unsigned long rng_seed; /* UEFI firmware random seed */
+- unsigned long mem_reserve; /* Linux EFI memreserve table */
+ efi_get_time_t *get_time;
+ efi_set_time_t *set_time;
+ efi_get_wakeup_time_t *get_wakeup_time;
diff --git a/patches.kabi/fs-prevent-page-refcount-overflow-in-pipe_buf_get-kabi.patch b/patches.kabi/fs-prevent-page-refcount-overflow-in-pipe_buf_get-kabi.patch
new file mode 100644
index 0000000000..5e6a2d6860
--- /dev/null
+++ b/patches.kabi/fs-prevent-page-refcount-overflow-in-pipe_buf_get-kabi.patch
@@ -0,0 +1,58 @@
+From: Vlastimil Babka <vbabka@suse.cz>
+Subject: fs: prevent page refcount overflow in pipe_buf_get - KABI fix
+References: CVE-2019-11487, bsc#1133190, KABI
+Patch-mainline: Never, kABI
+
+Hide return value change from void to bool, current callers can keep
+ignoring it.
+
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+---
+ fs/pipe.c | 7 ++++++-
+ include/linux/pipe_fs_i.h | 11 ++++++++++-
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -193,7 +193,12 @@ EXPORT_SYMBOL(generic_pipe_buf_steal);
+ * in the tee() system call, when we duplicate the buffers in one
+ * pipe into another.
+ */
+-bool generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
++#ifndef __GENKSYMS__
++bool
++#else
++void
++#endif
++generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
+ {
+ return try_get_page(buf->page);
+ }
+--- a/include/linux/pipe_fs_i.h
++++ b/include/linux/pipe_fs_i.h
+@@ -107,7 +107,11 @@ struct pipe_buf_operations {
+ /*
+ * Get a reference to the pipe buffer.
+ */
++#ifndef __GENKSYMS__
+ bool (*get)(struct pipe_inode_info *, struct pipe_buffer *);
++#else
++ void (*get)(struct pipe_inode_info *, struct pipe_buffer *);
++#endif
+ };
+
+ /**
+@@ -180,7 +184,12 @@ struct pipe_inode_info *alloc_pipe_info(
+ void free_pipe_info(struct pipe_inode_info *);
+
+ /* Generic pipe buffer ops functions */
+-bool generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *);
++#ifndef __GENKSYMS__
++bool
++#else
++void
++#endif
++generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *);
+ int generic_pipe_buf_confirm(struct pipe_inode_info *, struct pipe_buffer *);
+ int generic_pipe_buf_steal(struct pipe_inode_info *, struct pipe_buffer *);
+ int generic_pipe_buf_nosteal(struct pipe_inode_info *, struct pipe_buffer *);
diff --git a/patches.kabi/kabi-protect-dma-mapping-h-include.patch b/patches.kabi/kabi-protect-dma-mapping-h-include.patch
new file mode 100644
index 0000000000..e782d8914b
--- /dev/null
+++ b/patches.kabi/kabi-protect-dma-mapping-h-include.patch
@@ -0,0 +1,26 @@
+From: Jiri Slaby <jslaby@suse.cz>
+Subject: kABI: protect dma-mapping.h include
+Patch-mainline: never, kabi
+References: kabi
+
+Upstream commit b330104fa76df3eae6e199a23791fed5d35f06b4 (PCI: endpoint:
+Use EPC's device in dma_alloc_coherent()/dma_free_coherent()) removed an
+#include from pci-epc-core.c. It made the kABI checker to complain.
+
+Just add the include back to make the kABI checker happy.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/pci/endpoint/pci-epc-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pci/endpoint/pci-epc-core.c
++++ b/drivers/pci/endpoint/pci-epc-core.c
+@@ -18,6 +18,7 @@
+ */
+
+ #include <linux/device.h>
++#include <linux/dma-mapping.h>
+ #include <linux/slab.h>
+ #include <linux/module.h>
+
diff --git a/patches.kabi/kabi-protect-struct-pci_dev.patch b/patches.kabi/kabi-protect-struct-pci_dev.patch
new file mode 100644
index 0000000000..e91a2ac305
--- /dev/null
+++ b/patches.kabi/kabi-protect-struct-pci_dev.patch
@@ -0,0 +1,29 @@
+From: Jiri Slaby <jslaby@suse.cz>
+Subject: kABI: protect struct pci_dev
+Patch-mainline: never, kabi
+References: kabi
+
+Upstream commit 4ec73791a64bab25cabf16a6067ee478692e506d (PCI: Work
+around Pericom PCIe-to-PCI bridge Retrain Link erratum) added a bit to
+struct pci_dev. It made the kABI checker to complain.
+
+Given the bit uses a hole, hide the change from the kABI checker.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/linux/pci.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -328,8 +328,10 @@ struct pci_dev {
+ unsigned int hotplug_user_indicators:1; /* SlotCtl indicators
+ controlled exclusively by
+ user sysfs */
++#ifndef __GENKSYMS__
+ unsigned int clear_retrain_link:1; /* Need to clear Retrain Link
+ bit manually */
++#endif
+ unsigned int d3_delay; /* D3->D0 transition time in ms */
+ unsigned int d3cold_delay; /* D3cold->D0 transition time in ms */
+
diff --git a/patches.kabi/memcg-make-it-work-on-sparse-non-0-node-systems-kabi.patch b/patches.kabi/memcg-make-it-work-on-sparse-non-0-node-systems-kabi.patch
new file mode 100644
index 0000000000..60038fc923
--- /dev/null
+++ b/patches.kabi/memcg-make-it-work-on-sparse-non-0-node-systems-kabi.patch
@@ -0,0 +1,46 @@
+From: Jiri Slaby <jslaby@suse.cz>
+Subject: memcg: make it work on sparse non-0-node systems kabi
+Patch-mainline: never, kabi
+References: bnc#1133616
+
+The orignal fix is in commit 3e8589963773a5c23e2f1fe4bcad0e9a90b7f471.
+But the commit adds a bool to struct list_lru and it breaks kABI as
+list_lru is embedded in struct super_block. Instead of this new flag,
+use first_online_node here.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/linux/list_lru.h | 1 -
+ mm/list_lru.c | 4 +---
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+--- a/include/linux/list_lru.h
++++ b/include/linux/list_lru.h
+@@ -51,7 +51,6 @@ struct list_lru {
+ struct list_lru_node *node;
+ #if defined(CONFIG_MEMCG) && !defined(CONFIG_SLOB)
+ struct list_head list;
+- bool memcg_aware;
+ #endif
+ };
+
+--- a/mm/list_lru.c
++++ b/mm/list_lru.c
+@@ -42,7 +42,7 @@ static void list_lru_unregister(struct l
+ #if defined(CONFIG_MEMCG) && !defined(CONFIG_SLOB)
+ static inline bool list_lru_memcg_aware(struct list_lru *lru)
+ {
+- return lru->memcg_aware;
++ return !!lru->node[first_online_node].memcg_lrus;
+ }
+
+ static inline struct list_lru_one *
+@@ -385,8 +385,6 @@ static int memcg_init_list_lru(struct li
+ {
+ int i;
+
+- lru->memcg_aware = memcg_aware;
+-
+ if (!memcg_aware)
+ return 0;
+
diff --git a/patches.kernel.org/4.4.164-131-mm-thp-relax-__GFP_THISNODE-for-MADV_HUGEPAGE.patch b/patches.kernel.org/4.4.164-131-mm-thp-relax-__GFP_THISNODE-for-MADV_HUGEPAGE.patch
new file mode 100644
index 0000000000..6565d723e5
--- /dev/null
+++ b/patches.kernel.org/4.4.164-131-mm-thp-relax-__GFP_THISNODE-for-MADV_HUGEPAGE.patch
@@ -0,0 +1,233 @@
+From: Andrea Arcangeli <aarcange@redhat.com>
+Date: Fri, 2 Nov 2018 15:47:59 -0700
+Subject: [PATCH] mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings
+References: bnc#1012382
+Patch-mainline: 4.4.164
+Git-commit: ac5b2c18911ffe95c08d69273917f90212cf5659
+
+commit ac5b2c18911ffe95c08d69273917f90212cf5659 upstream.
+
+THP allocation might be really disruptive when allocated on NUMA system
+with the local node full or hard to reclaim. Stefan has posted an
+allocation stall report on 4.12 based SLES kernel which suggests the
+same issue:
+
+ kvm: page allocation stalls for 194572ms, order:9, mode:0x4740ca(__GFP_HIGHMEM|__GFP_IO|__GFP_FS|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_THISNODE|__GFP_MOVABLE|__GFP_DIRECT_RECLAIM), nodemask=(null)
+ kvm cpuset=/ mems_allowed=0-1
+ CPU: 10 PID: 84752 Comm: kvm Tainted: G W 4.12.0+98-ph <a href="/view.php?id=1" title="[geschlossen] Integration Ramdisk" class="resolved">0000001</a> SLE15 (unreleased)
+ Hardware name: Supermicro SYS-1029P-WTRT/X11DDW-NT, BIOS 2.0 12/05/2017
+ Call Trace:
+ dump_stack+0x5c/0x84
+ warn_alloc+0xe0/0x180
+ __alloc_pages_slowpath+0x820/0xc90
+ __alloc_pages_nodemask+0x1cc/0x210
+ alloc_pages_vma+0x1e5/0x280
+ do_huge_pmd_wp_page+0x83f/0xf00
+ __handle_mm_fault+0x93d/0x1060
+ handle_mm_fault+0xc6/0x1b0
+ __do_page_fault+0x230/0x430
+ do_page_fault+0x2a/0x70
+ page_fault+0x7b/0x80
+ [...]
+ Mem-Info:
+ active_anon:126315487 inactive_anon:1612476 isolated_anon:5
+ active_file:60183 inactive_file:245285 isolated_file:0
+ unevictable:15657 dirty:286 writeback:1 unstable:0
+ slab_reclaimable:75543 slab_unreclaimable:2509111
+ mapped:81814 shmem:31764 pagetables:370616 bounce:0
+ free:32294031 free_pcp:6233 free_cma:0
+ Node 0 active_anon:254680388kB inactive_anon:1112760kB active_file:240648kB inactive_file:981168kB unevictable:13368kB isolated(anon):0kB isolated(file):0kB mapped:280240kB dirty:1144kB writeback:0kB shmem:95832kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 81225728kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
+ Node 1 active_anon:250583072kB inactive_anon:5337144kB active_file:84kB inactive_file:0kB unevictable:49260kB isolated(anon):20kB isolated(file):0kB mapped:47016kB dirty:0kB writeback:4kB shmem:31224kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 31897600kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
+
+The defrag mode is "madvise" and from the above report it is clear that
+the THP has been allocated for MADV_HUGEPAGA vma.
+
+Andrea has identified that the main source of the problem is
+__GFP_THISNODE usage:
+
+: The problem is that direct compaction combined with the NUMA
+: __GFP_THISNODE logic in mempolicy.c is telling reclaim to swap very
+: hard the local node, instead of failing the allocation if there's no
+: THP available in the local node.
+:
+: Such logic was ok until __GFP_THISNODE was added to the THP allocation
+: path even with MPOL_DEFAULT.
+:
+: The idea behind the __GFP_THISNODE addition, is that it is better to
+: provide local memory in PAGE_SIZE units than to use remote NUMA THP
+: backed memory. That largely depends on the remote latency though, on
+: threadrippers for example the overhead is relatively low in my
+: experience.
+:
+: The combination of __GFP_THISNODE and __GFP_DIRECT_RECLAIM results in
+: extremely slow qemu startup with vfio, if the VM is larger than the
+: size of one host NUMA node. This is because it will try very hard to
+: unsuccessfully swapout get_user_pages pinned pages as result of the
+: __GFP_THISNODE being set, instead of falling back to PAGE_SIZE
+: allocations and instead of trying to allocate THP on other nodes (it
+: would be even worse without vfio type1 GUP pins of course, except it'd
+: be swapping heavily instead).
+
+Fix this by removing __GFP_THISNODE for THP requests which are
+requesting the direct reclaim. This effectivelly reverts 5265047ac301
+on the grounds that the zone/node reclaim was known to be disruptive due
+to premature reclaim when there was memory free. While it made sense at
+the time for HPC workloads without NUMA awareness on rare machines, it
+was ultimately harmful in the majority of cases. The existing behaviour
+is similar, if not as widespare as it applies to a corner case but
+crucially, it cannot be tuned around like zone_reclaim_mode can. The
+default behaviour should always be to cause the least harm for the
+common case.
+
+If there are specialised use cases out there that want zone_reclaim_mode
+in specific cases, then it can be built on top. Longterm we should
+consider a memory policy which allows for the node reclaim like behavior
+for the specific memory ranges which would allow a
+
+[1] http://lkml.kernel.org/r/20180820032204.9591-1-aarcange@redhat.com
+
+Mel said:
+
+: Both patches look correct to me but I'm responding to this one because
+: it's the fix. The change makes sense and moves further away from the
+: severe stalling behaviour we used to see with both THP and zone reclaim
+: mode.
+:
+: I put together a basic experiment with usemem configured to reference a
+: buffer multiple times that is 80% the size of main memory on a 2-socket
+: box with symmetric node sizes and defrag set to "always". The defrag
+: setting is not the default but it would be functionally similar to
+: accessing a buffer with madvise(MADV_HUGEPAGE). Usemem is configured to
+: reference the buffer multiple times and while it's not an interesting
+: workload, it would be expected to complete reasonably quickly as it fits
+: within memory. The results were;
+:
+: usemem
+: vanilla noreclaim-v1
+: Amean Elapsd-1 42.78 ( 0.00%) 26.87 ( 37.18%)
+: Amean Elapsd-3 27.55 ( 0.00%) 7.44 ( 73.00%)
+: Amean Elapsd-4 5.72 ( 0.00%) 5.69 ( 0.45%)
+:
+: This shows the elapsed time in seconds for 1 thread, 3 threads and 4
+: threads referencing buffers 80% the size of memory. With the patches
+: applied, it's 37.18% faster for the single thread and 73% faster with two
+: threads. Note that 4 threads showing little difference does not indicate
+: the problem is related to thread counts. It's simply the case that 4
+: threads gets spread so their workload mostly fits in one node.
+:
+: The overall view from /proc/vmstats is more startling
+:
+: 4.19.0-rc1 4.19.0-rc1
+: vanillanoreclaim-v1r1
+: Minor Faults 35593425 708164
+: Major Faults 484088 36
+: Swap Ins 3772837 0
+: Swap Outs 3932295 0
+:
+: Massive amounts of swap in/out without the patch
+:
+: Direct pages scanned 6013214 0
+: Kswapd pages scanned 0 0
+: Kswapd pages reclaimed 0 0
+: Direct pages reclaimed 4033009 0
+:
+: Lots of reclaim activity without the patch
+:
+: Kswapd efficiency 100% 100%
+: Kswapd velocity 0.000 0.000
+: Direct efficiency 67% 100%
+: Direct velocity 11191.956 0.000
+:
+: Mostly from direct reclaim context as you'd expect without the patch.
+:
+: Page writes by reclaim 3932314.000 0.000
+: Page writes file 19 0
+: Page writes anon 3932295 0
+: Page reclaim immediate 42336 0
+:
+: Writes from reclaim context is never good but the patch eliminates it.
+:
+: We should never have default behaviour to thrash the system for such a
+: basic workload. If zone reclaim mode behaviour is ever desired but on a
+: single task instead of a global basis then the sensible option is to build
+: a mempolicy that enforces that behaviour.
+
+This was a severe regression compared to previous kernels that made
+important workloads unusable and it starts when __GFP_THISNODE was
+added to THP allocations under MADV_HUGEPAGE. It is not a significant
+risk to go to the previous behavior before __GFP_THISNODE was added, it
+worked like that for years.
+
+This was simply an optimization to some lucky workloads that can fit in
+a single node, but it ended up breaking the VM for others that can't
+possibly fit in a single node, so going back is safe.
+
+[mhocko@suse.com: rewrote the changelog based on the one from Andrea]
+Link: http://lkml.kernel.org/r/20180925120326.24392-2-mhocko@kernel.org
+Fixes: 5265047ac301 ("mm, thp: really limit transparent hugepage allocation to local node")
+Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Reported-by: Stefan Priebe <s.priebe@profihost.ag>
+Debugged-by: Andrea Arcangeli <aarcange@redhat.com>
+Reported-by: Alex Williamson <alex.williamson@redhat.com>
+Reviewed-by: Mel Gorman <mgorman@techsingularity.net>
+Tested-by: Mel Gorman <mgorman@techsingularity.net>
+Cc: Zi Yan <zi.yan@cs.rutgers.edu>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: David Rientjes <rientjes@google.com>
+Cc: "Kirill A. Shutemov" <kirill@shutemov.name>
+Cc: <stable@vger.kernel.org> [4.1+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ mm/mempolicy.c | 32 ++++++++++++++++++++++++++++++--
+ 1 file changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/mm/mempolicy.c b/mm/mempolicy.c
+index b777590c3e13..be9840bf11d1 100644
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2010,8 +2010,36 @@ alloc_pages_vma(gfp_t gfp, int order, struct vm_area_struct *vma,
+ nmask = policy_nodemask(gfp, pol);
+ if (!nmask || node_isset(hpage_node, *nmask)) {
+ mpol_cond_put(pol);
+- page = __alloc_pages_node(hpage_node,
+- gfp | __GFP_THISNODE, order);
++ /*
++ * We cannot invoke reclaim if __GFP_THISNODE
++ * is set. Invoking reclaim with
++ * __GFP_THISNODE set, would cause THP
++ * allocations to trigger heavy swapping
++ * despite there may be tons of free memory
++ * (including potentially plenty of THP
++ * already available in the buddy) on all the
++ * other NUMA nodes.
++ *
++ * At most we could invoke compaction when
++ * __GFP_THISNODE is set (but we would need to
++ * refrain from invoking reclaim even if
++ * compaction returned COMPACT_SKIPPED because
++ * there wasn't not enough memory to succeed
++ * compaction). For now just avoid
++ * __GFP_THISNODE instead of limiting the
++ * allocation path to a strict and single
++ * compaction invocation.
++ *
++ * Supposedly if direct reclaim was enabled by
++ * the caller, the app prefers THP regardless
++ * of the node it comes from so this would be
++ * more desiderable behavior than only
++ * providing THP originated from the local
++ * node in such case.
++ */
++ if (!(gfp & __GFP_DIRECT_RECLAIM))
++ gfp |= __GFP_THISNODE;
++ page = __alloc_pages_node(hpage_node, gfp, order);
+ goto out;
+ }
+ }
+--
+2.19.1
+
diff --git a/patches.suse/0001-btrfs-extent-tree-Fix-a-bug-that-btrfs-is-unable-to-.patch b/patches.suse/0001-btrfs-extent-tree-Fix-a-bug-that-btrfs-is-unable-to-.patch
index 6eac1cfa99..a922feed75 100644
--- a/patches.suse/0001-btrfs-extent-tree-Fix-a-bug-that-btrfs-is-unable-to-.patch
+++ b/patches.suse/0001-btrfs-extent-tree-Fix-a-bug-that-btrfs-is-unable-to-.patch
@@ -1,7 +1,8 @@
-From 965fe8a6e29ede784cb38b97bb894aac1e8337a6 Mon Sep 17 00:00:00 2001
+From 14ae4ec1ee1466b701e0518f9acbb0bbd8ab0684 Mon Sep 17 00:00:00 2001
From: Qu Wenruo <wqu@suse.com>
Date: Fri, 10 May 2019 12:45:05 +0800
-Patch-mainline: Submitted, 10 May 2019
+Git-commit: 14ae4ec1ee1466b701e0518f9acbb0bbd8ab0684
+Patch-mainline: v5.2-rc2
References: bsc#1063638 bsc#1128052 bsc#1108838
Subject: [PATCH] btrfs: extent-tree: Fix a bug that btrfs is unable to add
pinned bytes
@@ -14,74 +15,59 @@ of subtracting.
That refactor misses those two caller, causing incorrect pinned bytes
calculation and resulting unexpected ENOSPC error.
-Fix it by refactoring add_pinned_bytes() to add_pinned_bytes() and
-sub_pinned_bytes() to explicitly show what we're doing.
+Fix it by adding a new parameter @sign to restore the original behavior.
Reported-by: kernel test robot <rong.a.chen@intel.com>
Fixes: ddf30cf03fb5 ("btrfs: extent-tree: Use btrfs_ref to refactor add_pinned_bytes()")
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
---
- fs/btrfs/extent-tree.c | 36 ++++++++++++++++++++++++------------
- 1 file changed, 24 insertions(+), 12 deletions(-)
+ fs/btrfs/extent-tree.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
-@@ -767,25 +767,37 @@ static struct btrfs_space_info *__find_s
- return NULL;
+@@ -768,12 +768,14 @@ static struct btrfs_space_info *__find_s
}
-+static u64 generic_ref_to_space_flags(struct btrfs_ref *ref)
-+{
-+ if (ref->type == BTRFS_REF_METADATA) {
-+ if (ref->tree_ref.root == BTRFS_CHUNK_TREE_OBJECTID)
-+ return BTRFS_BLOCK_GROUP_SYSTEM;
-+ else
-+ return BTRFS_BLOCK_GROUP_METADATA;
-+ }
-+ return BTRFS_BLOCK_GROUP_DATA;
-+}
-+
static void add_pinned_bytes(struct btrfs_fs_info *fs_info,
- struct btrfs_ref *ref)
+- struct btrfs_ref *ref)
++ struct btrfs_ref *ref, int sign)
{
struct btrfs_space_info *space_info;
- s64 num_bytes = -ref->len;
-- u64 flags;
-+ u64 flags = generic_ref_to_space_flags(ref);
++ s64 num_bytes;
+ u64 flags;
-- if (ref->type == BTRFS_REF_METADATA) {
-- if (ref->tree_ref.root == BTRFS_CHUNK_TREE_OBJECTID)
-- flags = BTRFS_BLOCK_GROUP_SYSTEM;
-- else
-- flags = BTRFS_BLOCK_GROUP_METADATA;
-- } else {
-- flags = BTRFS_BLOCK_GROUP_DATA;
-- }
-+ space_info = __find_space_info(fs_info, flags);
-+ ASSERT(space_info);
-+ percpu_counter_add(&space_info->total_bytes_pinned, ref->len);
-+}
-+
-+static void sub_pinned_bytes(struct btrfs_fs_info *fs_info,
-+ struct btrfs_ref *ref)
-+{
-+ struct btrfs_space_info *space_info;
-+ u64 flags = generic_ref_to_space_flags(ref);
-
- space_info = __find_space_info(fs_info, flags);
- ASSERT(space_info);
-- percpu_counter_add(&space_info->total_bytes_pinned, num_bytes);
-+ percpu_counter_add(&space_info->total_bytes_pinned, -ref->len);
- }
-
- /*
-@@ -2129,7 +2141,7 @@ int btrfs_inc_extent_ref(struct btrfs_tr
++ ASSERT(sign == 1 || sign == -1);
++ num_bytes = sign * ref->len;
+ if (ref->type == BTRFS_REF_METADATA) {
+ if (ref->tree_ref.root == BTRFS_CHUNK_TREE_OBJECTID)
+ flags = BTRFS_BLOCK_GROUP_SYSTEM;
+@@ -2129,7 +2131,7 @@ int btrfs_inc_extent_ref(struct btrfs_tr
&old_ref_mod, &new_ref_mod);
if (ret == 0 && old_ref_mod < 0 && new_ref_mod >= 0)
- add_pinned_bytes(fs_info, generic_ref);
-+ sub_pinned_bytes(fs_info, generic_ref);
++ add_pinned_bytes(fs_info, generic_ref, -1);
+
+ return ret;
+ }
+@@ -7176,7 +7178,7 @@ void btrfs_free_tree_block(struct btrfs_
+ }
+ out:
+ if (pin)
+- add_pinned_bytes(fs_info, &generic_ref);
++ add_pinned_bytes(fs_info, &generic_ref, 1);
+
+ if (last_ref) {
+ /*
+@@ -7219,7 +7221,7 @@ int btrfs_free_extent(struct btrfs_trans
+ }
+
+ if (ret == 0 && old_ref_mod >= 0 && new_ref_mod < 0)
+- add_pinned_bytes(fs_info, ref);
++ add_pinned_bytes(fs_info, ref, 1);
return ret;
}
diff --git a/patches.suse/0002-MODSIGN-print-appropriate-status-message-when-gettin.patch b/patches.suse/0002-MODSIGN-print-appropriate-status-message-when-gettin.patch
index d64136f152..6810e07a30 100644
--- a/patches.suse/0002-MODSIGN-print-appropriate-status-message-when-gettin.patch
+++ b/patches.suse/0002-MODSIGN-print-appropriate-status-message-when-gettin.patch
@@ -126,9 +126,9 @@ Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
if (rc)
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
-@@ -1592,4 +1592,29 @@ struct linux_efi_random_seed {
- u8 bits[];
- };
+@@ -1640,4 +1640,29 @@ struct linux_efi_memreserve {
+ #define EFI_MEMRESERVE_COUNT(size) (((size) - sizeof(struct linux_efi_memreserve)) \
+ / sizeof(((struct linux_efi_memreserve *)0)->entry[0]))
+#define EFI_STATUS_STR(_status) \
+ case EFI_##_status: \
diff --git a/patches.suse/PCI-Factor-out-pcie_retrain_link-function.patch b/patches.suse/PCI-Factor-out-pcie_retrain_link-function.patch
new file mode 100644
index 0000000000..8a196d34b0
--- /dev/null
+++ b/patches.suse/PCI-Factor-out-pcie_retrain_link-function.patch
@@ -0,0 +1,85 @@
+From: =?UTF-8?q?Stefan=20M=C3=A4tje?= <stefan.maetje@esd.eu>
+Date: Fri, 29 Mar 2019 18:07:34 +0100
+Subject: PCI: Factor out pcie_retrain_link() function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: 86fa6a344209d9414ea962b1f1ac6ade9dd7563a
+Patch-mainline: v5.2-rc1
+References: git-fixes
+
+Factor out pcie_retrain_link() to use for Pericom Retrain Link quirk. No
+functional change intended.
+
+Signed-off-by: Stefan Mätje <stefan.maetje@esd.eu>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/pci/pcie/aspm.c | 40 ++++++++++++++++++++++++----------------
+ 1 file changed, 24 insertions(+), 16 deletions(-)
+
+--- a/drivers/pci/pcie/aspm.c
++++ b/drivers/pci/pcie/aspm.c
+@@ -198,6 +198,29 @@ static void pcie_clkpm_cap_init(struct p
+ link->clkpm_capable = (blacklist) ? 0 : capable;
+ }
+
++static bool pcie_retrain_link(struct pcie_link_state *link)
++{
++ struct pci_dev *parent = link->pdev;
++ unsigned long start_jiffies;
++ u16 reg16;
++
++ pcie_capability_read_word(parent, PCI_EXP_LNKCTL, &reg16);
++ reg16 |= PCI_EXP_LNKCTL_RL;
++ pcie_capability_write_word(parent, PCI_EXP_LNKCTL, reg16);
++
++ /* Wait for link training end. Break out after waiting for timeout */
++ start_jiffies = jiffies;
++ for (;;) {
++ pcie_capability_read_word(parent, PCI_EXP_LNKSTA, &reg16);
++ if (!(reg16 & PCI_EXP_LNKSTA_LT))
++ break;
++ if (time_after(jiffies, start_jiffies + LINK_RETRAIN_TIMEOUT))
++ break;
++ msleep(1);
++ }
++ return !(reg16 & PCI_EXP_LNKSTA_LT);
++}
++
+ /*
+ * pcie_aspm_configure_common_clock: check if the 2 ends of a link
+ * could use common clock. If they are, configure them to use the
+@@ -207,7 +230,6 @@ static void pcie_aspm_configure_common_c
+ {
+ int same_clock = 1;
+ u16 reg16, parent_reg, child_reg[8];
+- unsigned long start_jiffies;
+ struct pci_dev *child, *parent = link->pdev;
+ struct pci_bus *linkbus = parent->subordinate;
+ /*
+@@ -247,21 +269,7 @@ static void pcie_aspm_configure_common_c
+ reg16 &= ~PCI_EXP_LNKCTL_CCC;
+ pcie_capability_write_word(parent, PCI_EXP_LNKCTL, reg16);
+
+- /* Retrain link */
+- reg16 |= PCI_EXP_LNKCTL_RL;
+- pcie_capability_write_word(parent, PCI_EXP_LNKCTL, reg16);
+-
+- /* Wait for link training end. Break out after waiting for timeout */
+- start_jiffies = jiffies;
+- for (;;) {
+- pcie_capability_read_word(parent, PCI_EXP_LNKSTA, &reg16);
+- if (!(reg16 & PCI_EXP_LNKSTA_LT))
+- break;
+- if (time_after(jiffies, start_jiffies + LINK_RETRAIN_TIMEOUT))
+- break;
+- msleep(1);
+- }
+- if (!(reg16 & PCI_EXP_LNKSTA_LT))
++ if (pcie_retrain_link(link))
+ return;
+
+ /* Training failed. Restore common clock configurations */
diff --git a/patches.suse/PCI-Work-around-Pericom-PCIe-to-PCI-bridge-Retrain-L.patch b/patches.suse/PCI-Work-around-Pericom-PCIe-to-PCI-bridge-Retrain-L.patch
new file mode 100644
index 0000000000..e279088fc0
--- /dev/null
+++ b/patches.suse/PCI-Work-around-Pericom-PCIe-to-PCI-bridge-Retrain-L.patch
@@ -0,0 +1,100 @@
+From: =?UTF-8?q?Stefan=20M=C3=A4tje?= <stefan.maetje@esd.eu>
+Date: Fri, 29 Mar 2019 18:07:35 +0100
+Subject: PCI: Work around Pericom PCIe-to-PCI bridge Retrain Link erratum
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: 4ec73791a64bab25cabf16a6067ee478692e506d
+Patch-mainline: v5.2-rc1
+References: git-fixes
+
+Due to an erratum in some Pericom PCIe-to-PCI bridges in reverse mode
+(conventional PCI on primary side, PCIe on downstream side), the Retrain
+Link bit needs to be cleared manually to allow the link training to
+complete successfully.
+
+If it is not cleared manually, the link training is continuously restarted
+and no devices below the PCI-to-PCIe bridge can be accessed. That means
+drivers for devices below the bridge will be loaded but won't work and may
+even crash because the driver is only reading 0xffff.
+
+See the Pericom Errata Sheet PI7C9X111SLB_errata_rev1.2_102711.pdf for
+details. Devices known as affected so far are: PI7C9X110, PI7C9X111SL,
+PI7C9X130.
+
+Add a new flag, clear_retrain_link, in struct pci_dev. Quirks for affected
+devices set this bit.
+
+Note that pcie_retrain_link() lives in aspm.c because that's currently the
+only place we use it, but this erratum is not specific to ASPM, and we may
+retrain links for other reasons in the future.
+
+[js] no pci_info in 4.12 yet.
+
+Signed-off-by: Stefan Mätje <stefan.maetje@esd.eu>
+[bhelgaas: apply regardless of CONFIG_PCIEASPM]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/pci/pcie/aspm.c | 9 +++++++++
+ drivers/pci/quirks.c | 17 +++++++++++++++++
+ include/linux/pci.h | 2 ++
+ 3 files changed, 28 insertions(+)
+
+--- a/drivers/pci/pcie/aspm.c
++++ b/drivers/pci/pcie/aspm.c
+@@ -207,6 +207,15 @@ static bool pcie_retrain_link(struct pci
+ pcie_capability_read_word(parent, PCI_EXP_LNKCTL, &reg16);
+ reg16 |= PCI_EXP_LNKCTL_RL;
+ pcie_capability_write_word(parent, PCI_EXP_LNKCTL, reg16);
++ if (parent->clear_retrain_link) {
++ /*
++ * Due to an erratum in some devices the Retrain Link bit
++ * needs to be cleared again manually to allow the link
++ * training to succeed.
++ */
++ reg16 &= ~PCI_EXP_LNKCTL_RL;
++ pcie_capability_write_word(parent, PCI_EXP_LNKCTL, reg16);
++ }
+
+ /* Wait for link training end. Break out after waiting for timeout */
+ start_jiffies = jiffies;
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -2085,6 +2085,23 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_IN
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x10f4, quirk_disable_aspm_l0s);
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x1508, quirk_disable_aspm_l0s);
+
++/*
++ * Some Pericom PCIe-to-PCI bridges in reverse mode need the PCIe Retrain
++ * Link bit cleared after starting the link retrain process to allow this
++ * process to finish.
++ *
++ * Affected devices: PI7C9X110, PI7C9X111SL, PI7C9X130. See also the
++ * Pericom Errata Sheet PI7C9X111SLB_errata_rev1.2_102711.pdf.
++ */
++static void quirk_enable_clear_retrain_link(struct pci_dev *dev)
++{
++ dev->clear_retrain_link = 1;
++ dev_info(&dev->dev, "Enable PCIe Retrain Link quirk\n");
++}
++DECLARE_PCI_FIXUP_HEADER(0x12d8, 0xe110, quirk_enable_clear_retrain_link);
++DECLARE_PCI_FIXUP_HEADER(0x12d8, 0xe111, quirk_enable_clear_retrain_link);
++DECLARE_PCI_FIXUP_HEADER(0x12d8, 0xe130, quirk_enable_clear_retrain_link);
++
+ static void fixup_rev1_53c810(struct pci_dev *dev)
+ {
+ u32 class = dev->class;
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -328,6 +328,8 @@ struct pci_dev {
+ unsigned int hotplug_user_indicators:1; /* SlotCtl indicators
+ controlled exclusively by
+ user sysfs */
++ unsigned int clear_retrain_link:1; /* Need to clear Retrain Link
++ bit manually */
+ unsigned int d3_delay; /* D3->D0 transition time in ms */
+ unsigned int d3cold_delay; /* D3cold->D0 transition time in ms */
+
diff --git a/patches.suse/PCI-endpoint-Use-EPC-s-device-in-dma_alloc_coherent-.patch b/patches.suse/PCI-endpoint-Use-EPC-s-device-in-dma_alloc_coherent-.patch
new file mode 100644
index 0000000000..df34526bfc
--- /dev/null
+++ b/patches.suse/PCI-endpoint-Use-EPC-s-device-in-dma_alloc_coherent-.patch
@@ -0,0 +1,82 @@
+From: Kishon Vijay Abraham I <kishon@ti.com>
+Date: Thu, 11 Jan 2018 14:00:57 +0530
+Subject: PCI: endpoint: Use EPC's device in
+ dma_alloc_coherent()/dma_free_coherent()
+Git-commit: b330104fa76df3eae6e199a23791fed5d35f06b4
+Patch-mainline: v4.16-rc1
+References: git-fixes
+
+After commit 723288836628 ("of: restrict DMA configuration"),
+of_dma_configure() doesn't configure the coherent_dma_mask/dma_mask
+of endpoint function device (since it doesn't have a DT node associated
+with and hence no dma-ranges property), resulting in
+dma_alloc_coherent() (used in pci_epf_alloc_space()) to fail.
+
+Fix it by making dma_alloc_coherent() use EPC's device for allocating
+memory address.
+
+Link: http://lkml.kernel.org/r/64d63468-d28f-8fcd-a6f3-cf2a6401c8cb@ti.com
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+[lorenzo.pieralisi@arm.com: tweaked commit log]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Cc: Rob Herring <robh@kernel.org>
+Cc: Christoph Hellwig <hch@lst.de>
+Tested-by: Cyrille Pitchen <cyrille.pitchen@free-electrons.com>
+Tested-by: Niklas Cassel <niklas.cassel@axis.com>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/pci/endpoint/pci-epc-core.c | 5 -----
+ drivers/pci/endpoint/pci-epf-core.c | 4 ++--
+ 2 files changed, 2 insertions(+), 7 deletions(-)
+
+--- a/drivers/pci/endpoint/pci-epc-core.c
++++ b/drivers/pci/endpoint/pci-epc-core.c
+@@ -18,7 +18,6 @@
+ */
+
+ #include <linux/device.h>
+-#include <linux/dma-mapping.h>
+ #include <linux/slab.h>
+ #include <linux/module.h>
+
+@@ -381,8 +380,6 @@ int pci_epc_add_epf(struct pci_epc *epc,
+ return -EINVAL;
+
+ epf->epc = epc;
+- dma_set_coherent_mask(&epf->dev, epc->dev.coherent_dma_mask);
+- epf->dev.dma_mask = epc->dev.dma_mask;
+
+ spin_lock_irqsave(&epc->lock, flags);
+ list_add_tail(&epf->list, &epc->pci_epf);
+@@ -497,9 +494,7 @@ __pci_epc_create(struct device *dev, con
+ INIT_LIST_HEAD(&epc->pci_epf);
+
+ device_initialize(&epc->dev);
+- dma_set_coherent_mask(&epc->dev, dev->coherent_dma_mask);
+ epc->dev.class = pci_epc_class;
+- epc->dev.dma_mask = dev->dma_mask;
+ epc->ops = ops;
+
+ ret = dev_set_name(&epc->dev, "%s", dev_name(dev));
+--- a/drivers/pci/endpoint/pci-epf-core.c
++++ b/drivers/pci/endpoint/pci-epf-core.c
+@@ -99,7 +99,7 @@ EXPORT_SYMBOL_GPL(pci_epf_bind);
+ */
+ void pci_epf_free_space(struct pci_epf *epf, void *addr, enum pci_barno bar)
+ {
+- struct device *dev = &epf->dev;
++ struct device *dev = epf->epc->dev.parent;
+
+ if (!addr)
+ return;
+@@ -122,7 +122,7 @@ EXPORT_SYMBOL_GPL(pci_epf_free_space);
+ void *pci_epf_alloc_space(struct pci_epf *epf, size_t size, enum pci_barno bar)
+ {
+ void *space;
+- struct device *dev = &epf->dev;
++ struct device *dev = epf->epc->dev.parent;
+ dma_addr_t phys_addr;
+
+ if (size < 128)
diff --git a/patches.suse/bnxt_en-Improve-multicast-address-setup-logic.patch b/patches.suse/bnxt_en-Improve-multicast-address-setup-logic.patch
new file mode 100644
index 0000000000..28aea619db
--- /dev/null
+++ b/patches.suse/bnxt_en-Improve-multicast-address-setup-logic.patch
@@ -0,0 +1,41 @@
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Thu, 25 Apr 2019 22:31:50 -0400
+Subject: bnxt_en: Improve multicast address setup logic.
+Git-commit: b4e30e8e7ea1d1e35ffd64ca46f7d9a7f227b4bf
+Patch-mainline: v5.1
+References: networking-stable-19_05_04
+
+The driver builds a list of multicast addresses and sends it to the
+firmware when the driver's ndo_set_rx_mode() is called. In rare
+cases, the firmware can fail this call if internal resources to
+add multicast addresses are exhausted. In that case, we should
+try the call again by setting the ALL_MCAST flag which is more
+guaranteed to succeed.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -7246,8 +7246,15 @@ static int bnxt_cfg_rx_mode(struct bnxt
+
+ skip_uc:
+ rc = bnxt_hwrm_cfa_l2_set_rx_mask(bp, 0);
++ if (rc && vnic->mc_list_count) {
++ netdev_info(bp->dev, "Failed setting MC filters rc: %d, turning on ALL_MCAST mode\n",
++ rc);
++ vnic->rx_mask |= CFA_L2_SET_RX_MASK_REQ_MASK_ALL_MCAST;
++ vnic->mc_list_count = 0;
++ rc = bnxt_hwrm_cfa_l2_set_rx_mask(bp, 0);
++ }
+ if (rc)
+- netdev_err(bp->dev, "HWRM cfa l2 rx mask failure rc: %x\n",
++ netdev_err(bp->dev, "HWRM cfa l2 rx mask failure rc: %d\n",
+ rc);
+
+ return rc;
diff --git a/patches.suse/bonding-fix-event-handling-for-stacked-bonds.patch b/patches.suse/bonding-fix-event-handling-for-stacked-bonds.patch
new file mode 100644
index 0000000000..0298437791
--- /dev/null
+++ b/patches.suse/bonding-fix-event-handling-for-stacked-bonds.patch
@@ -0,0 +1,45 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Fri, 12 Apr 2019 15:04:10 +0200
+Subject: bonding: fix event handling for stacked bonds
+Git-commit: 92480b3977fd3884649d404cbbaf839b70035699
+Patch-mainline: v5.1-rc6
+References: networking-stable-19_04_19
+
+When a bond is enslaved to another bond, bond_netdev_event() only
+handles the event as if the bond is a master, and skips treating the
+bond as a slave.
+
+This leads to a refcount leak on the slave, since we don't remove the
+adjacency to its master and the master holds a reference on the slave.
+
+Reproducer:
+ ip link add bondL type bond
+ ip link add bondU type bond
+ ip link set bondL master bondU
+ ip link del bondL
+
+No "Fixes:" tag, this code is older than git history.
+
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/bonding/bond_main.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3161,8 +3161,12 @@ static int bond_netdev_event(struct noti
+ return NOTIFY_DONE;
+
+ if (event_dev->flags & IFF_MASTER) {
++ int ret;
++
+ netdev_dbg(event_dev, "IFF_MASTER\n");
+- return bond_master_netdev_event(event, event_dev);
++ ret = bond_master_netdev_event(event, event_dev);
++ if (ret != NOTIFY_DONE)
++ return ret;
+ }
+
+ if (event_dev->flags & IFF_SLAVE) {
diff --git a/patches.suse/btrfs-don-t-double-unlock-on-error-in-btrfs_punch_ho.patch b/patches.suse/btrfs-don-t-double-unlock-on-error-in-btrfs_punch_ho.patch
new file mode 100644
index 0000000000..9d2af900ac
--- /dev/null
+++ b/patches.suse/btrfs-don-t-double-unlock-on-error-in-btrfs_punch_ho.patch
@@ -0,0 +1,42 @@
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Fri, 3 May 2019 11:10:06 -0400
+Git-commit: 8fca955057b9c58467d1b231e43f19c4cf26ae8c
+Patch-mainline: 5.2-rc2
+Subject: [PATCH] btrfs: don't double unlock on error in btrfs_punch_hole
+References: bsc#1136881
+
+If we have an error writing out a delalloc range in
+btrfs_punch_hole_lock_range we'll unlock the inode and then goto
+out_only_mutex, where we will again unlock the inode. This is bad,
+don't do this.
+
+Fixes: f27451f22996 ("Btrfs: add support for fallocate's zero range operation")
+CC: stable@vger.kernel.org # 4.19+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+---
+ fs/btrfs/file.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
+index 39897e087ab0..e4137008e12b 100644
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -2628,10 +2628,8 @@ static int btrfs_punch_hole(struct inode *inode, loff_t offset, loff_t len)
+
+ ret = btrfs_punch_hole_lock_range(inode, lockstart, lockend,
+ &cached_state);
+- if (ret) {
+- inode_unlock(inode);
++ if (ret)
+ goto out_only_mutex;
+- }
+
+ path = btrfs_alloc_path();
+ if (!path) {
+--
+2.19.0
+
diff --git a/patches.suse/btrfs-fix-fsync-not-persisting-changed-attributes-of.patch b/patches.suse/btrfs-fix-fsync-not-persisting-changed-attributes-of.patch
new file mode 100644
index 0000000000..0e5a10b454
--- /dev/null
+++ b/patches.suse/btrfs-fix-fsync-not-persisting-changed-attributes-of.patch
@@ -0,0 +1,99 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Thu, 16 May 2019 15:48:55 +0100
+Git-commit: 60d9f50308e5df19bc18c2fefab0eba4a843900a
+Patch-mainline: 5.2-rc3
+Subject: [PATCH] Btrfs: fix fsync not persisting changed attributes of a
+ directory
+References: bsc#1137151
+
+While logging an inode we follow its ancestors and for each one we mark
+it as logged in the current transaction, even if we have not logged it.
+As a consequence if we change an attribute of an ancestor, such as the
+UID or GID for example, and then explicitly fsync it, we end up not
+logging the inode at all despite returning success to user space, which
+results in the attribute being lost if a power failure happens after
+the fsync.
+
+Sample reproducer:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount /dev/sdb /mnt
+
+ $ mkdir /mnt/dir
+ $ chown 6007:6007 /mnt/dir
+
+ $ sync
+
+ $ chown 9003:9003 /mnt/dir
+ $ touch /mnt/dir/file
+ $ xfs_io -c fsync /mnt/dir/file
+
+ # fsync our directory after fsync'ing the new file, should persist the
+ # new values for the uid and gid.
+ $ xfs_io -c fsync /mnt/dir
+
+ <power failure>
+
+ $ mount /dev/sdb /mnt
+ $ stat -c %u:%g /mnt/dir
+ 6007:6007
+
+ --> should be 9003:9003, the uid and gid were not persisted, despite
+ the explicit fsync on the directory prior to the power failure
+
+Fix this by not updating the logged_trans field of ancestor inodes when
+logging an inode, since we have not logged them. Let only future calls to
+btrfs_log_inode() to mark inodes as logged.
+
+This could be triggered by my recent fsync fuzz tester for fstests, for
+which an fstests patch exists titled "fstests: generic, fsync fuzz tester
+with fsstress".
+
+Fixes: 12fcfd22fe5b ("Btrfs: tree logging unlink/rename fixes")
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/tree-log.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 5c0fd8b848ec..4e82284f3db4 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -5653,7 +5653,6 @@ static noinline int check_parent_dirs_for_sync(struct btrfs_trans_handle *trans,
+ {
+ int ret = 0;
+ struct dentry *old_parent = NULL;
+- struct btrfs_inode *orig_inode = inode;
+
+ /*
+ * for regular files, if its inode is already on disk, we don't
+@@ -5673,16 +5672,6 @@ static noinline int check_parent_dirs_for_sync(struct btrfs_trans_handle *trans,
+ }
+
+ while (1) {
+- /*
+- * If we are logging a directory then we start with our inode,
+- * not our parent's inode, so we need to skip setting the
+- * logged_trans so that further down in the log code we don't
+- * think this inode has already been logged.
+- */
+- if (inode != orig_inode)
+- inode->logged_trans = trans->transid;
+- smp_mb();
+-
+ if (btrfs_must_commit_transaction(trans, inode)) {
+ ret = 1;
+ break;
+@@ -6560,7 +6549,6 @@ void btrfs_record_unlink_dir(struct btrfs_trans_handle *trans,
+ * if this directory was already logged any new
+ * names for this file/dir will get recorded
+ */
+- smp_mb();
+ if (dir->logged_trans == trans->transid)
+ return;
+
+--
+2.19.0
+
diff --git a/patches.suse/btrfs-fix-race-between-ranged-fsync-and-writeback-of.patch b/patches.suse/btrfs-fix-race-between-ranged-fsync-and-writeback-of.patch
new file mode 100644
index 0000000000..84493400bf
--- /dev/null
+++ b/patches.suse/btrfs-fix-race-between-ranged-fsync-and-writeback-of.patch
@@ -0,0 +1,245 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Mon, 6 May 2019 16:44:02 +0100
+Git-commit: 0c713cbab6200b0ab6473b50435e450a6e1de85d
+Patch-mainline: 5.2-rc2
+Subject: [PATCH] Btrfs: fix race between ranged fsync and writeback of
+ adjacent ranges
+References: bsc#1136477
+
+When we do a full fsync (the bit BTRFS_INODE_NEEDS_FULL_SYNC is set in the
+inode) that happens to be ranged, which happens during a msync() or writes
+for files opened with O_SYNC for example, we can end up with a corrupt log,
+due to different file extent items representing ranges that overlap with
+each other, or hit some assertion failures.
+
+When doing a ranged fsync we only flush delalloc and wait for ordered
+exents within that range. If while we are logging items from our inode
+ordered extents for adjacent ranges complete, we end up in a race that can
+make us insert the file extent items that overlap with others we logged
+previously and the assertion failures.
+
+For example, if tree-log.c:copy_items() receives a leaf that has the
+following file extents items, all with a length of 4K and therefore there
+is an implicit hole in the range 68K to 72K - 1:
+
+ (257 EXTENT_ITEM 64K), (257 EXTENT_ITEM 72K), (257 EXTENT_ITEM 76K), ...
+
+It copies them to the log tree. However due to the need to detect implicit
+holes, it may release the path, in order to look at the previous leaf to
+detect an implicit hole, and then later it will search again in the tree
+for the first file extent item key, with the goal of locking again the
+leaf (which might have changed due to concurrent changes to other inodes).
+
+However when it locks again the leaf containing the first key, the key
+corresponding to the extent at offset 72K may not be there anymore since
+there is an ordered extent for that range that is finishing (that is,
+somewhere in the middle of btrfs_finish_ordered_io()), and it just
+removed the file extent item but has not yet replaced it with a new file
+extent item, so the part of copy_items() that does hole detection will
+decide that there is a hole in the range starting from 68K to 76K - 1,
+and therefore insert a file extent item to represent that hole, having
+a key offset of 68K. After that we now have a log tree with 2 different
+extent items that have overlapping ranges:
+
+ 1) The file extent item copied before copy_items() released the path,
+ which has a key offset of 72K and a length of 4K, representing the
+ file range 72K to 76K - 1.
+
+ 2) And a file extent item representing a hole that has a key offset of
+ 68K and a length of 8K, representing the range 68K to 76K - 1. This
+ item was inserted after releasing the path, and overlaps with the
+ extent item inserted before.
+
+The overlapping extent items can cause all sorts of unpredictable and
+incorrect behaviour, either when replayed or if a fast (non full) fsync
+happens later, which can trigger a BUG_ON() when calling
+btrfs_set_item_key_safe() through __btrfs_drop_extents(), producing a
+trace like the following:
+
+ [61666.783269] ------------[ cut here ]------------
+ [61666.783943] kernel BUG at fs/btrfs/ctree.c:3182!
+ [61666.784644] invalid opcode: 0000 [#1] PREEMPT SMP
+ (...)
+ [61666.786253] task: ffff880117b88c40 task.stack: ffffc90008168000
+ [61666.786253] RIP: 0010:btrfs_set_item_key_safe+0x7c/0xd2 [btrfs]
+ [61666.786253] RSP: 0018:ffffc9000816b958 EFLAGS: 00010246
+ [61666.786253] RAX: 0000000000000000 RBX: 000000000000000f RCX: 0000000000030000
+ [61666.786253] RDX: 0000000000000000 RSI: ffffc9000816ba4f RDI: ffffc9000816b937
+ [61666.786253] RBP: ffffc9000816b998 R08: ffff88011dae2428 R09: 0000000000001000
+ [61666.786253] R10: 0000160000000000 R11: 6db6db6db6db6db7 R12: ffff88011dae2418
+ [61666.786253] R13: ffffc9000816ba4f R14: ffff8801e10c4118 R15: ffff8801e715c000
+ [61666.786253] FS: 00007f6060a18700(0000) GS:ffff88023f5c0000(0000) knlGS:0000000000000000
+ [61666.786253] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [61666.786253] CR2: 00007f6060a28000 CR3: 0000000213e69000 CR4: 00000000000006e0
+ [61666.786253] Call Trace:
+ [61666.786253] __btrfs_drop_extents+0x5e3/0xaad [btrfs]
+ [61666.786253] ? time_hardirqs_on+0x9/0x14
+ [61666.786253] btrfs_log_changed_extents+0x294/0x4e0 [btrfs]
+ [61666.786253] ? release_extent_buffer+0x38/0xb4 [btrfs]
+ [61666.786253] btrfs_log_inode+0xb6e/0xcdc [btrfs]
+ [61666.786253] ? lock_acquire+0x131/0x1c5
+ [61666.786253] ? btrfs_log_inode_parent+0xee/0x659 [btrfs]
+ [61666.786253] ? arch_local_irq_save+0x9/0xc
+ [61666.786253] ? btrfs_log_inode_parent+0x1f5/0x659 [btrfs]
+ [61666.786253] btrfs_log_inode_parent+0x223/0x659 [btrfs]
+ [61666.786253] ? arch_local_irq_save+0x9/0xc
+ [61666.786253] ? lockref_get_not_zero+0x2c/0x34
+ [61666.786253] ? rcu_read_unlock+0x3e/0x5d
+ [61666.786253] btrfs_log_dentry_safe+0x60/0x7b [btrfs]
+ [61666.786253] btrfs_sync_file+0x317/0x42c [btrfs]
+ [61666.786253] vfs_fsync_range+0x8c/0x9e
+ [61666.786253] SyS_msync+0x13c/0x1c9
+ [61666.786253] entry_SYSCALL_64_fastpath+0x18/0xad
+
+A sample of a corrupt log tree leaf with overlapping extents I got from
+running btrfs/072:
+
+ item 14 key (295 108 200704) itemoff 2599 itemsize 53
+ extent data disk bytenr 0 nr 0
+ extent data offset 0 nr 458752 ram 458752
+ item 15 key (295 108 659456) itemoff 2546 itemsize 53
+ extent data disk bytenr 4343541760 nr 770048
+ extent data offset 606208 nr 163840 ram 770048
+ item 16 key (295 108 663552) itemoff 2493 itemsize 53
+ extent data disk bytenr 4343541760 nr 770048
+ extent data offset 610304 nr 155648 ram 770048
+ item 17 key (295 108 819200) itemoff 2440 itemsize 53
+ extent data disk bytenr 4334788608 nr 4096
+ extent data offset 0 nr 4096 ram 4096
+
+The file extent item at offset 659456 (item 15) ends at offset 823296
+(659456 + 163840) while the next file extent item (item 16) starts at
+offset 663552.
+
+Another different problem that the race can trigger is a failure in the
+assertions at tree-log.c:copy_items(), which expect that the first file
+extent item key we found before releasing the path exists after we have
+released path and that the last key we found before releasing the path
+also exists after releasing the path:
+
+ $ cat -n fs/btrfs/tree-log.c
+ 4080 if (need_find_last_extent) {
+ 4081 /* btrfs_prev_leaf could return 1 without releasing the path */
+ 4082 btrfs_release_path(src_path);
+ 4083 ret = btrfs_search_slot(NULL, inode->root, &first_key,
+ 4084 src_path, 0, 0);
+ 4085 if (ret < 0)
+ 4086 return ret;
+ 4087 ASSERT(ret == 0);
+ (...)
+ 4103 if (i >= btrfs_header_nritems(src_path->nodes[0])) {
+ 4104 ret = btrfs_next_leaf(inode->root, src_path);
+ 4105 if (ret < 0)
+ 4106 return ret;
+ 4107 ASSERT(ret == 0);
+ 4108 src = src_path->nodes[0];
+ 4109 i = 0;
+ 4110 need_find_last_extent = true;
+ 4111 }
+ (...)
+
+The second assertion implicitly expects that the last key before the path
+release still exists, because the surrounding while loop only stops after
+we have found that key. When this assertion fails it produces a stack like
+this:
+
+ [139590.037075] assertion failed: ret == 0, file: fs/btrfs/tree-log.c, line: 4107
+ [139590.037406] ------------[ cut here ]------------
+ [139590.037707] kernel BUG at fs/btrfs/ctree.h:3546!
+ [139590.038034] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
+ [139590.038340] CPU: 1 PID: 31841 Comm: fsstress Tainted: G W 5.0.0-btrfs-next-46 #1
+ (...)
+ [139590.039354] RIP: 0010:assfail.constprop.24+0x18/0x1a [btrfs]
+ (...)
+ [139590.040397] RSP: 0018:ffffa27f48f2b9b0 EFLAGS: 00010282
+ [139590.040730] RAX: 0000000000000041 RBX: ffff897c635d92c8 RCX: 0000000000000000
+ [139590.041105] RDX: 0000000000000000 RSI: ffff897d36a96868 RDI: ffff897d36a96868
+ [139590.041470] RBP: ffff897d1b9a0708 R08: 0000000000000000 R09: 0000000000000000
+ [139590.041815] R10: 0000000000000008 R11: 0000000000000000 R12: 0000000000000013
+ [139590.042159] R13: 0000000000000227 R14: ffff897cffcbba88 R15: 0000000000000001
+ [139590.042501] FS: 00007f2efc8dee80(0000) GS:ffff897d36a80000(0000) knlGS:0000000000000000
+ [139590.042847] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [139590.043199] CR2: 00007f8c064935e0 CR3: 0000000232252002 CR4: 00000000003606e0
+ [139590.043547] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [139590.043899] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [139590.044250] Call Trace:
+ [139590.044631] copy_items+0xa3f/0x1000 [btrfs]
+ [139590.045009] ? generic_bin_search.constprop.32+0x61/0x200 [btrfs]
+ [139590.045396] btrfs_log_inode+0x7b3/0xd70 [btrfs]
+ [139590.045773] btrfs_log_inode_parent+0x2b3/0xce0 [btrfs]
+ [139590.046143] ? do_raw_spin_unlock+0x49/0xc0
+ [139590.046510] btrfs_log_dentry_safe+0x4a/0x70 [btrfs]
+ [139590.046872] btrfs_sync_file+0x3b6/0x440 [btrfs]
+ [139590.047243] btrfs_file_write_iter+0x45b/0x5c0 [btrfs]
+ [139590.047592] __vfs_write+0x129/0x1c0
+ [139590.047932] vfs_write+0xc2/0x1b0
+ [139590.048270] ksys_write+0x55/0xc0
+ [139590.048608] do_syscall_64+0x60/0x1b0
+ [139590.048946] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [139590.049287] RIP: 0033:0x7f2efc4be190
+ (...)
+ [139590.050342] RSP: 002b:00007ffe743243a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+ [139590.050701] RAX: ffffffffffffffda RBX: 0000000000008d58 RCX: 00007f2efc4be190
+ [139590.051067] RDX: 0000000000008d58 RSI: 00005567eca0f370 RDI: 0000000000000003
+ [139590.051459] RBP: 0000000000000024 R08: 0000000000000003 R09: 0000000000008d60
+ [139590.051863] R10: 0000000000000078 R11: 0000000000000246 R12: 0000000000000003
+ [139590.052252] R13: 00000000003d3507 R14: 00005567eca0f370 R15: 0000000000000000
+ (...)
+ [139590.055128] ---[ end trace 193f35d0215cdeeb ]---
+
+So fix this race between a full ranged fsync and writeback of adjacent
+ranges by flushing all delalloc and waiting for all ordered extents to
+complete before logging the inode. This is the simplest way to solve the
+problem because currently the full fsync path does not deal with ranges
+at all (it assumes a full range from 0 to LLONG_MAX) and it always needs
+to look at adjacent ranges for hole detection. For use cases of ranged
+fsyncs this can make a few fsyncs slower but on the other hand it can
+make some following fsyncs to other ranges do less work or no need to do
+anything at all. A full fsync is rare anyway and happens only once after
+loading/creating an inode and once after less common operations such as a
+shrinking truncate.
+
+This is an issue that exists for a long time, and was often triggered by
+generic/127, because it does mmap'ed writes and msync (which triggers a
+ranged fsync). Adding support for the tree checker to detect overlapping
+extents (next patch in the series) and trigger a WARN() when such cases
+are found, and then calling btrfs_check_leaf_full() at the end of
+btrfs_insert_file_extent() made the issue much easier to detect. Running
+btrfs/072 with that change to the tree checker and making fsstress open
+files always with O_SYNC made it much easier to trigger the issue (as
+triggering it with generic/127 is very rare).
+
+CC: stable@vger.kernel.org # 3.16+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/file.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
+index 3ca7189c3902..39897e087ab0 100644
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -2059,6 +2059,18 @@ int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync)
+ bool full_sync = 0;
+ u64 len;
+
++ /*
++ * If the inode needs a full sync, make sure we use a full range to
++ * avoid log tree corruption, due to hole detection racing with ordered
++ * extent completion for adjacent ranges, and assertion failures during
++ * hole detection.
++ */
++ if (test_bit(BTRFS_INODE_NEEDS_FULL_SYNC,
++ &BTRFS_I(inode)->runtime_flags)) {
++ start = 0;
++ end = LLONG_MAX;
++ }
++
+ /*
+ * The range length can be represented by u64, we have to do the typecasts
+ * to avoid signed overflow if it's [0, LLONG_MAX] eg. from fsync()
+--
+2.19.0
+
diff --git a/patches.suse/btrfs-fix-race-updating-log-root-item-during-fsync.patch b/patches.suse/btrfs-fix-race-updating-log-root-item-during-fsync.patch
new file mode 100644
index 0000000000..a5290532ac
--- /dev/null
+++ b/patches.suse/btrfs-fix-race-updating-log-root-item-during-fsync.patch
@@ -0,0 +1,126 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 15 May 2019 16:03:17 +0100
+Git-commit: 06989c799f04810f6876900d4760c0edda369cf7
+Patch-mainline: 5.2-rc3
+Subject: [PATCH] Btrfs: fix race updating log root item during fsync
+References: bsc#1137153, bsc#1112063
+
+When syncing the log, the final phase of a fsync operation, we need to
+either create a log root's item or update the existing item in the log
+tree of log roots, and that depends on the current value of the log
+root's log_transid - if it's 1 we need to create the log root item,
+otherwise it must exist already and we update it. Since there is no
+synchronization between updating the log_transid and checking it for
+deciding whether the log root's item needs to be created or updated, we
+end up with a tiny race window that results in attempts to update the
+item to fail because the item was not yet created:
+
+ CPU 1 CPU 2
+
+ btrfs_sync_log()
+
+ lock root->log_mutex
+
+ set log root's log_transid to 1
+
+ unlock root->log_mutex
+
+ btrfs_sync_log()
+
+ lock root->log_mutex
+
+ sets log root's
+ log_transid to 2
+
+ unlock root->log_mutex
+
+ update_log_root()
+
+ sees log root's log_transid
+ with a value of 2
+
+ calls btrfs_update_root(),
+ which fails with -EUCLEAN
+ and causes transaction abort
+
+Until recently the race lead to a BUG_ON at btrfs_update_root(), but after
+the recent commit 7ac1e464c4d47 ("btrfs: Don't panic when we can't find a
+root key") we just abort the current transaction.
+
+A sample trace of the BUG_ON() on a SLE12 kernel:
+
+ ------------[ cut here ]------------
+ kernel BUG at ../fs/btrfs/root-tree.c:157!
+ Oops: Exception in kernel mode, sig: 5 [#1]
+ SMP NR_CPUS=2048 NUMA pSeries
+ (...)
+ Supported: Yes, External
+ CPU: 78 PID: 76303 Comm: rtas_errd Tainted: G X 4.4.156-94.57-default #1
+ task: c00000ffa906d010 ti: c00000ff42b08000 task.ti: c00000ff42b08000
+ NIP: d000000036ae5cdc LR: d000000036ae5cd8 CTR: 0000000000000000
+ REGS: c00000ff42b0b860 TRAP: 0700 Tainted: G X (4.4.156-94.57-default)
+ MSR: 8000000002029033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 22444484 XER: 20000000
+ CFAR: d000000036aba66c SOFTE: 1
+ GPR00: d000000036ae5cd8 c00000ff42b0bae0 d000000036bda220 0000000000000054
+ GPR04: 0000000000000001 0000000000000000 c00007ffff8d37c8 0000000000000000
+ GPR08: c000000000e19c00 0000000000000000 0000000000000000 3736343438312079
+ GPR12: 3930373337303434 c000000007a3a800 00000000007fffff 0000000000000023
+ GPR16: c00000ffa9d26028 c00000ffa9d261f8 0000000000000010 c00000ffa9d2ab28
+ GPR20: c00000ff42b0bc48 0000000000000001 c00000ff9f0d9888 0000000000000001
+ GPR24: c00000ffa9d26000 c00000ffa9d261e8 c00000ffa9d2a800 c00000ff9f0d9888
+ GPR28: c00000ffa9d26028 c00000ffa9d2aa98 0000000000000001 c00000ffa98f5b20
+ NIP [d000000036ae5cdc] btrfs_update_root+0x25c/0x4e0 [btrfs]
+ LR [d000000036ae5cd8] btrfs_update_root+0x258/0x4e0 [btrfs]
+ Call Trace:
+ [c00000ff42b0bae0] [d000000036ae5cd8] btrfs_update_root+0x258/0x4e0 [btrfs] (unreliable)
+ [c00000ff42b0bba0] [d000000036b53610] btrfs_sync_log+0x2d0/0xc60 [btrfs]
+ [c00000ff42b0bce0] [d000000036b1785c] btrfs_sync_file+0x44c/0x4e0 [btrfs]
+ [c00000ff42b0bd80] [c00000000032e300] vfs_fsync_range+0x70/0x120
+ [c00000ff42b0bdd0] [c00000000032e44c] do_fsync+0x5c/0xb0
+ [c00000ff42b0be10] [c00000000032e8dc] SyS_fdatasync+0x2c/0x40
+ [c00000ff42b0be30] [c000000000009488] system_call+0x3c/0x100
+ Instruction dump:
+ 7f43d378 4bffebb9 60000000 88d90008 3d220000 e8b90000 3b390009 e87a01f0
+ e8898e08 e8f90000 4bfd48e5 60000000 <0fe00000> e95b0060 39200004 394a0ea0
+ ---[ end trace 8f2dc8f919cabab8 ]---
+
+So fix this by doing the check of log_transid and updating or creating the
+log root's item while holding the root's log_mutex.
+
+Fixes: 7237f1833601d ("Btrfs: fix tree logs parallel sync")
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/tree-log.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 4e82284f3db4..46ba55a225ff 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -3137,6 +3137,12 @@ int btrfs_sync_log(struct btrfs_trans_handle *trans,
+ root->log_transid++;
+ log->log_transid = root->log_transid;
+ root->log_start_pid = 0;
++ /*
++ * Update or create log root item under the root's log_mutex to prevent
++ * races with concurrent log syncs that can lead to failure to update
++ * log root item because it was not created yet.
++ */
++ ret = update_log_root(trans, log);
+ /*
+ * IO has been started, blocks of the log tree have WRITTEN flag set
+ * in their headers. new modifications of the log will be written to
+@@ -3156,8 +3162,6 @@ int btrfs_sync_log(struct btrfs_trans_handle *trans,
+
+ mutex_unlock(&log_root_tree->log_mutex);
+
+- ret = update_log_root(trans, log);
+-
+ mutex_lock(&log_root_tree->log_mutex);
+ if (atomic_dec_and_test(&log_root_tree->log_writers)) {
+ /*
+--
+2.19.0
+
diff --git a/patches.suse/btrfs-fix-wrong-ctime-and-mtime-of-a-directory-after.patch b/patches.suse/btrfs-fix-wrong-ctime-and-mtime-of-a-directory-after.patch
new file mode 100644
index 0000000000..d06ce56dfc
--- /dev/null
+++ b/patches.suse/btrfs-fix-wrong-ctime-and-mtime-of-a-directory-after.patch
@@ -0,0 +1,85 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 15 May 2019 16:02:47 +0100
+Git-commit: 5338e43abbab13791144d37fd8846847062351c6
+Patch-mainline: 5.2-rc3
+Subject: [PATCH] Btrfs: fix wrong ctime and mtime of a directory after log
+ replay
+References: bsc#1137152
+
+When replaying a log that contains a new file or directory name that needs
+to be added to its parent directory, we end up updating the mtime and the
+ctime of the parent directory to the current time after we have set their
+values to the correct ones (set at fsync time), efectivelly losing them.
+
+Sample reproducer:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount /dev/sdb /mnt
+
+ $ mkdir /mnt/dir
+ $ touch /mnt/dir/file
+
+ # fsync of the directory is optional, not needed
+ $ xfs_io -c fsync /mnt/dir
+ $ xfs_io -c fsync /mnt/dir/file
+
+ $ stat -c %Y /mnt/dir
+ 1557856079
+
+ <power failure>
+
+ $ sleep 3
+ $ mount /dev/sdb /mnt
+ $ stat -c %Y /mnt/dir
+ 1557856082
+
+ --> should have been 1557856079, the mtime is updated to the current
+ time when replaying the log
+
+Fix this by not updating the mtime and ctime to the current time at
+btrfs_add_link() when we are replaying a log tree.
+
+This could be triggered by my recent fsync fuzz tester for fstests, for
+which an fstests patch exists titled "fstests: generic, fsync fuzz tester
+with fsstress".
+
+Fixes: e02119d5a7b43 ("Btrfs: Add a write ahead tree log to optimize synchronous operations")
+CC: stable@vger.kernel.org # 4.4+
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ ptesarik: inode->i_mtime and inode->i_ctime are still struct timespec
+ in 4.12. The change is needed for 32-bit builds. ]
+Signed-off-by: Petr Tesarik <ptesarik@suse.com>
+---
+ fs/btrfs/inode.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index b3e279e68eaa..941ddeb6cd45 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -6231,8 +6231,18 @@ int btrfs_add_link(struct btrfs_trans_handle *trans,
+ btrfs_i_size_write(parent_inode, parent_inode->vfs_inode.i_size +
+ name_len * 2);
+ inode_inc_iversion(&parent_inode->vfs_inode);
+- parent_inode->vfs_inode.i_mtime = parent_inode->vfs_inode.i_ctime =
+- current_time(&parent_inode->vfs_inode);
++ /*
++ * If we are replaying a log tree, we do not want to update the mtime
++ * and ctime of the parent directory with the current time, since the
++ * log replay procedure is responsible for setting them to their correct
++ * values (the ones it had when the fsync was done).
++ */
++ if (!test_bit(BTRFS_FS_LOG_RECOVERING, &root->fs_info->flags)) {
++ struct timespec now = current_time(&parent_inode->vfs_inode);
++
++ parent_inode->vfs_inode.i_mtime = now;
++ parent_inode->vfs_inode.i_ctime = now;
++ }
+ ret = btrfs_update_inode(trans, root, &parent_inode->vfs_inode);
+ if (ret)
+ btrfs_abort_transaction(trans, ret);
+--
+2.19.0
+
diff --git a/patches.suse/btrfs-reloc-also-queue-orphan-reloc-tree-for-cleanup-to-avoid-bug_on.patch b/patches.suse/btrfs-reloc-also-queue-orphan-reloc-tree-for-cleanup-to-avoid-bug_on.patch
new file mode 100644
index 0000000000..b21d57e8e3
--- /dev/null
+++ b/patches.suse/btrfs-reloc-also-queue-orphan-reloc-tree-for-cleanup-to-avoid-bug_on.patch
@@ -0,0 +1,137 @@
+From: Qu Wenruo <wqu@suse.com>
+Date: Wed, 22 May 2019 16:33:11 +0800
+Subject: btrfs: reloc: Also queue orphan reloc tree for cleanup to avoid
+ BUG_ON()
+Git-commit: 30d40577e322b670551ad7e2faa9570b6e23eb2b
+Patch-mainline: v5.2-rc3
+References: bsc#1133612
+
+[BUG]
+When a fs has orphan reloc tree along with unfinished balance:
+ ...
+ item 16 key (TREE_RELOC ROOT_ITEM FS_TREE) itemoff 12090 itemsize 439
+ generation 12 root_dirid 256 bytenr 300400640 level 1 refs 0 <<<
+ lastsnap 8 byte_limit 0 bytes_used 1359872 flags 0x0(none)
+ uuid 7c48d938-33a3-4aae-ab19-6e5c9d406e46
+ item 17 key (BALANCE TEMPORARY_ITEM 0) itemoff 11642 itemsize 448
+ temporary item objectid BALANCE offset 0
+ balance status flags 14
+
+Then at mount time, we can hit the following kernel BUG_ON():
+ BTRFS info (device dm-3): relocating block group 298844160 flags metadata|dup
+ ------------[ cut here ]------------
+ kernel BUG at fs/btrfs/relocation.c:1413!
+ invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 1 PID: 897 Comm: btrfs-balance Tainted: G O 5.2.0-rc1-custom #15
+ RIP: 0010:create_reloc_root+0x1eb/0x200 [btrfs]
+ Call Trace:
+ btrfs_init_reloc_root+0x96/0xb0 [btrfs]
+ record_root_in_trans+0xb2/0xe0 [btrfs]
+ btrfs_record_root_in_trans+0x55/0x70 [btrfs]
+ select_reloc_root+0x7e/0x230 [btrfs]
+ do_relocation+0xc4/0x620 [btrfs]
+ relocate_tree_blocks+0x592/0x6a0 [btrfs]
+ relocate_block_group+0x47b/0x5d0 [btrfs]
+ btrfs_relocate_block_group+0x183/0x2f0 [btrfs]
+ btrfs_relocate_chunk+0x4e/0xe0 [btrfs]
+ btrfs_balance+0x864/0xfa0 [btrfs]
+ balance_kthread+0x3b/0x50 [btrfs]
+ kthread+0x123/0x140
+ ret_from_fork+0x27/0x50
+
+[CAUSE]
+In btrfs, reloc trees are used to record swapped tree blocks during
+balance.
+Reloc tree either get merged (replace old tree blocks of its parent
+subvolume) in next transaction if its ref is 1 (fresh).
+Or is already merged and will be cleaned up if its ref is 0 (orphan).
+
+After commit d2311e698578 ("btrfs: relocation: Delay reloc tree deletion
+after merge_reloc_roots"), reloc tree cleanup is delayed until one block
+group is balanced.
+
+Since fresh reloc roots are recorded during merge, as long as there
+is no power loss, those orphan reloc roots converted from fresh ones are
+handled without problem.
+
+However when power loss happens, orphan reloc roots can be recorded
+on-disk, thus at next mount time, we will have orphan reloc roots from
+on-disk data directly, and ignored by clean_dirty_subvols() routine.
+
+Then when background balance starts to balance another block group, and
+needs to create new reloc root for the same root, btrfs_insert_item()
+returns -EEXIST, and trigger that BUG_ON().
+
+[FIX]
+For orphan reloc roots, also queue them to rc->dirty_subvol_roots, so
+all reloc roots no matter orphan or not, can be cleaned up properly and
+avoid above BUG_ON().
+
+And to cooperate with above change, clean_dirty_subvols() will check if
+the queued root is a reloc root or a subvol root.
+For a subvol root, do the old work, and for a orphan reloc root, clean it
+up.
+
+Fixes: d2311e698578 ("btrfs: relocation: Delay reloc tree deletion after merge_reloc_roots")
+CC: stable@vger.kernel.org # 5.1
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Nikolay Borisov <nborisov@suse.com>
+---
+ fs/btrfs/relocation.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index a459ecddcce4..22a3c69864fa 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -2177,22 +2177,30 @@ static int clean_dirty_subvols(struct reloc_control *rc)
+ struct btrfs_root *root;
+ struct btrfs_root *next;
+ int ret = 0;
++ int ret2;
+
+ list_for_each_entry_safe(root, next, &rc->dirty_subvol_roots,
+ reloc_dirty_list) {
+- struct btrfs_root *reloc_root = root->reloc_root;
++ if (root->root_key.objectid != BTRFS_TREE_RELOC_OBJECTID) {
++ /* Merged subvolume, cleanup its reloc root */
++ struct btrfs_root *reloc_root = root->reloc_root;
+
+- clear_bit(BTRFS_ROOT_DEAD_RELOC_TREE, &root->state);
+- list_del_init(&root->reloc_dirty_list);
+- root->reloc_root = NULL;
+- if (reloc_root) {
+- int ret2;
++ clear_bit(BTRFS_ROOT_DEAD_RELOC_TREE, &root->state);
++ list_del_init(&root->reloc_dirty_list);
++ root->reloc_root = NULL;
++ if (reloc_root) {
+
+- ret2 = btrfs_drop_snapshot(reloc_root, NULL, 0, 1);
++ ret2 = btrfs_drop_snapshot(reloc_root, NULL, 0, 1);
++ if (ret2 < 0 && !ret)
++ ret = ret2;
++ }
++ btrfs_put_fs_root(root);
++ } else {
++ /* Orphan reloc tree, just clean it up */
++ ret2 = btrfs_drop_snapshot(root, NULL, 0, 1);
+ if (ret2 < 0 && !ret)
+ ret = ret2;
+ }
+- btrfs_put_fs_root(root);
+ }
+ return ret;
+ }
+@@ -2480,6 +2488,9 @@ void merge_reloc_roots(struct reloc_control *rc)
+ }
+ } else {
+ list_del_init(&reloc_root->root_list);
++ /* Don't forget to queue this reloc root for cleanup */
++ list_add_tail(&reloc_root->reloc_dirty_list,
++ &rc->dirty_subvol_roots);
+ }
+ }
+
+
diff --git a/patches.suse/btrfs-tree-checker-detect-file-extent-items-with-ove.patch b/patches.suse/btrfs-tree-checker-detect-file-extent-items-with-ove.patch
new file mode 100644
index 0000000000..7d0e1d231e
--- /dev/null
+++ b/patches.suse/btrfs-tree-checker-detect-file-extent-items-with-ove.patch
@@ -0,0 +1,114 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Mon, 6 May 2019 16:44:12 +0100
+Git-commit: 4e9845eff5a8027b5181d5bff56a02991fe46d48
+Patch-mainline: 5.2-rc2
+Subject: [PATCH] Btrfs: tree-checker: detect file extent items with
+ overlapping ranges
+References: bsc#1136478
+
+Having file extent items with ranges that overlap each other is a
+serious issue that leads to all sorts of corruptions and crashes (like a
+BUG_ON() during the course of __btrfs_drop_extents() when it traims file
+extent items). Therefore teach the tree checker to detect such cases.
+This is motivated by a recently fixed bug (race between ranged full
+fsync and writeback or adjacent ranges).
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/tree-checker.c | 49 +++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 45 insertions(+), 4 deletions(-)
+
+diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
+index 60a70af16b06..b6caebc636c3 100644
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -114,9 +114,27 @@ static void file_extent_err(const struct btrfs_fs_info *fs_info,
+ (!IS_ALIGNED(btrfs_file_extent_##name((leaf), (fi)), (alignment))); \
+ })
+
++static u64 file_extent_end(struct extent_buffer *leaf,
++ struct btrfs_key *key,
++ struct btrfs_file_extent_item *extent)
++{
++ u64 end;
++ u64 len;
++
++ if (btrfs_file_extent_type(leaf, extent) == BTRFS_FILE_EXTENT_INLINE) {
++ len = btrfs_file_extent_ram_bytes(leaf, extent);
++ end = ALIGN(key->offset + len, leaf->fs_info->sectorsize);
++ } else {
++ len = btrfs_file_extent_num_bytes(leaf, extent);
++ end = key->offset + len;
++ }
++ return end;
++}
++
+ static int check_extent_data_item(struct btrfs_fs_info *fs_info,
+ struct extent_buffer *leaf,
+- struct btrfs_key *key, int slot)
++ struct btrfs_key *key, int slot,
++ struct btrfs_key *prev_key)
+ {
+ struct btrfs_file_extent_item *fi;
+ u32 sectorsize = fs_info->sectorsize;
+@@ -195,6 +213,28 @@ static int check_extent_data_item(struct btrfs_fs_info *fs_info,
+ CHECK_FE_ALIGNED(fs_info, leaf, slot, fi, offset, sectorsize) ||
+ CHECK_FE_ALIGNED(fs_info, leaf, slot, fi, num_bytes, sectorsize))
+ return -EUCLEAN;
++
++ /*
++ * Check that no two consecutive file extent items, in the same leaf,
++ * present ranges that overlap each other.
++ */
++ if (slot > 0 &&
++ prev_key->objectid == key->objectid &&
++ prev_key->type == BTRFS_EXTENT_DATA_KEY) {
++ struct btrfs_file_extent_item *prev_fi;
++ u64 prev_end;
++
++ prev_fi = btrfs_item_ptr(leaf, slot - 1,
++ struct btrfs_file_extent_item);
++ prev_end = file_extent_end(leaf, prev_key, prev_fi);
++ if (prev_end > key->offset) {
++ file_extent_err(fs_info, leaf, slot - 1,
++"file extent end range (%llu) goes beyond start offset (%llu) of the next file extent",
++ prev_end, key->offset);
++ return -EUCLEAN;
++ }
++ }
++
+ return 0;
+ }
+
+@@ -461,13 +501,14 @@ static int check_block_group_item(struct btrfs_fs_info *fs_info,
+ */
+ static int check_leaf_item(struct btrfs_fs_info *fs_info,
+ struct extent_buffer *leaf,
+- struct btrfs_key *key, int slot)
++ struct btrfs_key *key, int slot,
++ struct btrfs_key *prev_key)
+ {
+ int ret = 0;
+
+ switch (key->type) {
+ case BTRFS_EXTENT_DATA_KEY:
+- ret = check_extent_data_item(fs_info, leaf, key, slot);
++ ret = check_extent_data_item(fs_info, leaf, key, slot, prev_key);
+ break;
+ case BTRFS_EXTENT_CSUM_KEY:
+ ret = check_csum_item(fs_info, leaf, key, slot);
+@@ -621,7 +662,7 @@ static int check_leaf(struct btrfs_fs_info *fs_info, struct extent_buffer *leaf,
+ * Check if the item size and content meet other
+ * criteria
+ */
+- ret = check_leaf_item(fs_info, leaf, &key, slot);
++ ret = check_leaf_item(fs_info, leaf, &key, slot, &prev_key);
+ if (ret < 0)
+ return ret;
+ }
+--
+2.19.0
+
diff --git a/patches.suse/ftrace-x86_64-emulate-call-function-while-updating-in-breakpoint-handler.patch b/patches.suse/ftrace-x86_64-emulate-call-function-while-updating-in-breakpoint-handler.patch
new file mode 100644
index 0000000000..e8460c6263
--- /dev/null
+++ b/patches.suse/ftrace-x86_64-emulate-call-function-while-updating-in-breakpoint-handler.patch
@@ -0,0 +1,150 @@
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 1 May 2019 15:11:17 +0200
+Subject: ftrace/x86_64: Emulate call function while updating in breakpoint
+ handler
+Git-commit: 9e298e8604088a600d8100a111a532a9d342af09
+Patch-mainline: v5.2-rc1
+References: bsc#1099658
+
+Nicolai Stange discovered[1] that if live kernel patching is enabled, and the
+function tracer started tracing the same function that was patched, the
+conversion of the fentry call site during the translation of going from
+calling the live kernel patch trampoline to the iterator trampoline, would
+have as slight window where it didn't call anything.
+
+As live kernel patching depends on ftrace to always call its code (to
+prevent the function being traced from being called, as it will redirect
+it). This small window would allow the old buggy function to be called, and
+this can cause undesirable results.
+
+Nicolai submitted new patches[2] but these were controversial. As this is
+similar to the static call emulation issues that came up a while ago[3].
+But after some debate[4][5] adding a gap in the stack when entering the
+breakpoint handler allows for pushing the return address onto the stack to
+easily emulate a call.
+
+[1] http://lkml.kernel.org/r/20180726104029.7736-1-nstange@suse.de
+[2] http://lkml.kernel.org/r/20190427100639.15074-1-nstange@suse.de
+[3] http://lkml.kernel.org/r/3cf04e113d71c9f8e4be95fb84a510f085aa4afa.1541711457.git.jpoimboe@redhat.com
+[4] http://lkml.kernel.org/r/CAHk-=wh5OpheSU8Em_Q3Hg8qw_JtoijxOdPtHru6d+5K8TWM=A@mail.gmail.com
+[5] http://lkml.kernel.org/r/CAHk-=wjvQxY4DvPrJ6haPgAa6b906h=MwZXO6G8OtiTGe=N7_w@mail.gmail.com
+
+[
+ Live kernel patching is not implemented on x86_32, thus the emulate
+ calls are only for x86_64.
+]
+
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Nicolai Stange <nstange@suse.de>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: the arch/x86 maintainers <x86@kernel.org>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Jiri Kosina <jikos@kernel.org>
+Cc: Miroslav Benes <mbenes@suse.cz>
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Joe Lawrence <joe.lawrence@redhat.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Cc: Tim Chen <tim.c.chen@linux.intel.com>
+Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Cc: Mimi Zohar <zohar@linux.ibm.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Nayna Jain <nayna@linux.ibm.com>
+Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
+Cc: Joerg Roedel <jroedel@suse.de>
+Cc: "open list:KERNEL SELFTEST FRAMEWORK" <linux-kselftest@vger.kernel.org>
+Cc: stable@vger.kernel.org
+Fixes: b700e7f03df5 ("livepatch: kernel: add support for live patching")
+Tested-by: Nicolai Stange <nstange@suse.de>
+Reviewed-by: Nicolai Stange <nstange@suse.de>
+Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+[ Changed to only implement emulated calls for x86_64 ]
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Acked-by: Miroslav Benes <mbenes@suse.cz>
+---
+ arch/x86/kernel/ftrace.c | 32 +++++++++++++++++++++++++++-----
+ 1 file changed, 27 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kernel/ftrace.c
++++ b/arch/x86/kernel/ftrace.c
+@@ -28,6 +28,7 @@
+ #include <asm/kprobes.h>
+ #include <asm/ftrace.h>
+ #include <asm/nops.h>
++#include <asm/text-patching.h>
+
+ #ifdef CONFIG_DYNAMIC_FTRACE
+
+@@ -227,6 +228,7 @@ int ftrace_modify_call(struct dyn_ftrace
+ }
+
+ static unsigned long ftrace_update_func;
++static unsigned long ftrace_update_func_call;
+
+ static int update_ftrace_func(unsigned long ip, void *new)
+ {
+@@ -255,6 +257,8 @@ int ftrace_update_ftrace_func(ftrace_fun
+ unsigned char *new;
+ int ret;
+
++ ftrace_update_func_call = (unsigned long)func;
++
+ new = ftrace_call_replace(ip, (unsigned long)func);
+ ret = update_ftrace_func(ip, new);
+
+@@ -290,13 +294,28 @@ int ftrace_int3_handler(struct pt_regs *
+ if (WARN_ON_ONCE(!regs))
+ return 0;
+
+- ip = regs->ip - 1;
+- if (!ftrace_location(ip) && !is_ftrace_caller(ip))
+- return 0;
++ ip = regs->ip - INT3_INSN_SIZE;
+
+- regs->ip += MCOUNT_INSN_SIZE - 1;
++#ifdef CONFIG_X86_64
++ if (ftrace_location(ip)) {
++ int3_emulate_call(regs, (unsigned long)ftrace_regs_caller);
++ return 1;
++ } else if (is_ftrace_caller(ip)) {
++ if (!ftrace_update_func_call) {
++ int3_emulate_jmp(regs, ip + CALL_INSN_SIZE);
++ return 1;
++ }
++ int3_emulate_call(regs, ftrace_update_func_call);
++ return 1;
++ }
++#else
++ if (ftrace_location(ip) || is_ftrace_caller(ip)) {
++ int3_emulate_jmp(regs, ip + CALL_INSN_SIZE);
++ return 1;
++ }
++#endif
+
+- return 1;
++ return 0;
+ }
+
+ static int ftrace_write(unsigned long ip, const char *val, int size)
+@@ -867,6 +886,8 @@ void arch_ftrace_update_trampoline(struc
+
+ func = ftrace_ops_get_func(ops);
+
++ ftrace_update_func_call = (unsigned long)func;
++
+ /* Do a safe modify in case the trampoline is executing */
+ new = ftrace_call_replace(ip, (unsigned long)func);
+ ret = update_ftrace_func(ip, new);
+@@ -963,6 +984,7 @@ static int ftrace_mod_jmp(unsigned long
+ {
+ unsigned char *new;
+
++ ftrace_update_func_call = 0UL;
+ new = ftrace_jmp_replace(ip, (unsigned long)func);
+
+ return update_ftrace_func(ip, new);
diff --git a/patches.suse/ipv4-Define-__ipv4_neigh_lookup_noref-when-CONFIG_IN.patch b/patches.suse/ipv4-Define-__ipv4_neigh_lookup_noref-when-CONFIG_IN.patch
new file mode 100644
index 0000000000..179ff0392e
--- /dev/null
+++ b/patches.suse/ipv4-Define-__ipv4_neigh_lookup_noref-when-CONFIG_IN.patch
@@ -0,0 +1,42 @@
+From: David Ahern <dsahern@gmail.com>
+Date: Sun, 5 May 2019 11:16:20 -0700
+Subject: ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled
+Git-commit: 9b3040a6aafd7898ece7fc7efcbca71e42aa8069
+Patch-mainline: v5.2-rc1
+References: git-fixes
+
+Define __ipv4_neigh_lookup_noref to return NULL when CONFIG_INET is disabled.
+
+Fixes: 4b2a2bfeb3f0 ("neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit")
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/net/arp.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/include/net/arp.h
++++ b/include/net/arp.h
+@@ -17,6 +17,7 @@ static inline u32 arp_hashfn(const void
+ return val * hash_rnd[0];
+ }
+
++#ifdef CONFIG_INET
+ static inline struct neighbour *__ipv4_neigh_lookup_noref(struct net_device *dev, u32 key)
+ {
+ if (dev->flags & (IFF_LOOPBACK | IFF_POINTOPOINT))
+@@ -24,6 +25,13 @@ static inline struct neighbour *__ipv4_n
+
+ return ___neigh_lookup_noref(&arp_tbl, neigh_key_eq32, arp_hashfn, &key, dev);
+ }
++#else
++static inline
++struct neighbour *__ipv4_neigh_lookup_noref(struct net_device *dev, u32 key)
++{
++ return NULL;
++}
++#endif
+
+ static inline struct neighbour *__ipv4_neigh_lookup(struct net_device *dev, u32 key)
+ {
diff --git a/patches.suse/ipv4-add-sanity-checks-in-ipv4_link_failure.patch b/patches.suse/ipv4-add-sanity-checks-in-ipv4_link_failure.patch
new file mode 100644
index 0000000000..46a6400528
--- /dev/null
+++ b/patches.suse/ipv4-add-sanity-checks-in-ipv4_link_failure.patch
@@ -0,0 +1,152 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 24 Apr 2019 08:04:05 -0700
+Subject: ipv4: add sanity checks in ipv4_link_failure()
+Git-commit: 20ff83f10f113c88d0bb74589389b05250994c16
+Patch-mainline: v5.1-rc7
+References: git-fixes
+
+Before calling __ip_options_compile(), we need to ensure the network
+header is a an IPv4 one, and that it is already pulled in skb->head.
+
+RAW sockets going through a tunnel can end up calling ipv4_link_failure()
+with total garbage in the skb, or arbitrary lengthes.
+
+syzbot report :
+
+BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:355 [inline]
+BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0x294/0x1120 net/ipv4/ip_options.c:123
+Write of size 69 at addr ffff888096abf068 by task syz-executor.4/9204
+
+CPU: 0 PID: 9204 Comm: syz-executor.4 Not tainted 5.1.0-rc5+ #77
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
+ kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
+ check_memory_region_inline mm/kasan/generic.c:185 [inline]
+ check_memory_region+0x123/0x190 mm/kasan/generic.c:191
+ memcpy+0x38/0x50 mm/kasan/common.c:133
+ memcpy include/linux/string.h:355 [inline]
+ __ip_options_echo+0x294/0x1120 net/ipv4/ip_options.c:123
+ __icmp_send+0x725/0x1400 net/ipv4/icmp.c:695
+ ipv4_link_failure+0x29f/0x550 net/ipv4/route.c:1204
+ dst_link_failure include/net/dst.h:427 [inline]
+ vti6_xmit net/ipv6/ip6_vti.c:514 [inline]
+ vti6_tnl_xmit+0x10d4/0x1c0c net/ipv6/ip6_vti.c:553
+ __netdev_start_xmit include/linux/netdevice.h:4414 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4423 [inline]
+ xmit_one net/core/dev.c:3292 [inline]
+ dev_hard_start_xmit+0x1b2/0x980 net/core/dev.c:3308
+ __dev_queue_xmit+0x271d/0x3060 net/core/dev.c:3878
+ dev_queue_xmit+0x18/0x20 net/core/dev.c:3911
+ neigh_direct_output+0x16/0x20 net/core/neighbour.c:1527
+ neigh_output include/net/neighbour.h:508 [inline]
+ ip_finish_output2+0x949/0x1740 net/ipv4/ip_output.c:229
+ ip_finish_output+0x73c/0xd50 net/ipv4/ip_output.c:317
+ NF_HOOK_COND include/linux/netfilter.h:278 [inline]
+ ip_output+0x21f/0x670 net/ipv4/ip_output.c:405
+ dst_output include/net/dst.h:444 [inline]
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ raw_send_hdrinc net/ipv4/raw.c:432 [inline]
+ raw_sendmsg+0x1d2b/0x2f20 net/ipv4/raw.c:663
+ inet_sendmsg+0x147/0x5d0 net/ipv4/af_inet.c:798
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ sock_sendmsg+0xdd/0x130 net/socket.c:661
+ sock_write_iter+0x27c/0x3e0 net/socket.c:988
+ call_write_iter include/linux/fs.h:1866 [inline]
+ new_sync_write+0x4c7/0x760 fs/read_write.c:474
+ __vfs_write+0xe4/0x110 fs/read_write.c:487
+ vfs_write+0x20c/0x580 fs/read_write.c:549
+ ksys_write+0x14f/0x2d0 fs/read_write.c:599
+ __do_sys_write fs/read_write.c:611 [inline]
+ __se_sys_write fs/read_write.c:608 [inline]
+ __x64_sys_write+0x73/0xb0 fs/read_write.c:608
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x458c29
+Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f293b44bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458c29
+RDX: 0000000000000014 RSI: 00000000200002c0 RDI: 0000000000000003
+RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f293b44c6d4
+R13: 00000000004c8623 R14: 00000000004ded68 R15: 00000000ffffffff
+
+The buggy address belongs to the page:
+page:ffffea00025aafc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0x1fffc0000000000()
+raw: 01fffc0000000000 0000000000000000 ffffffff025a0101 0000000000000000
+raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888096abef80: 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2
+ ffff888096abf000: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff888096abf080: 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
+ ^
+ ffff888096abf100: 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3 00 00 00 00
+ ffff888096abf180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/route.c | 34 ++++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1186,25 +1186,39 @@ static struct dst_entry *ipv4_dst_check(
+ return dst;
+ }
+
+-static void ipv4_link_failure(struct sk_buff *skb)
++static void ipv4_send_dest_unreach(struct sk_buff *skb)
+ {
+ struct ip_options opt;
+- struct rtable *rt;
+ int res;
+
+ /* Recompile ip options since IPCB may not be valid anymore.
++ * Also check we have a reasonable ipv4 header.
+ */
+- memset(&opt, 0, sizeof(opt));
+- opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
+-
+- rcu_read_lock();
+- res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
+- rcu_read_unlock();
+-
+- if (res)
++ if (!pskb_network_may_pull(skb, sizeof(struct iphdr)) ||
++ ip_hdr(skb)->version != 4 || ip_hdr(skb)->ihl < 5)
+ return;
+
++ memset(&opt, 0, sizeof(opt));
++ if (ip_hdr(skb)->ihl > 5) {
++ if (!pskb_network_may_pull(skb, ip_hdr(skb)->ihl * 4))
++ return;
++ opt.optlen = ip_hdr(skb)->ihl * 4 - sizeof(struct iphdr);
++
++ rcu_read_lock();
++ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
++ rcu_read_unlock();
++
++ if (res)
++ return;
++ }
+ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt);
++}
++
++static void ipv4_link_failure(struct sk_buff *skb)
++{
++ struct rtable *rt;
++
++ ipv4_send_dest_unreach(skb);
+
+ rt = skb_rtable(skb);
+ if (rt)
diff --git a/patches.suse/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch b/patches.suse/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch
new file mode 100644
index 0000000000..dbf65bc2ae
--- /dev/null
+++ b/patches.suse/ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch
@@ -0,0 +1,86 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 13 Apr 2019 17:32:21 -0700
+Subject: ipv4: ensure rcu_read_lock() in ipv4_link_failure()
+Git-commit: c543cb4a5f07e09237ec0fc2c60c9f131b2c79ad
+Patch-mainline: v5.1-rc6
+References: networking-stable-19_04_19
+
+fib_compute_spec_dst() needs to be called under rcu protection.
+
+syzbot reported :
+
+WARNING: suspicious RCU usage
+5.1.0-rc4+ #165 Not tainted
+include/linux/inetdevice.h:220 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+1 lock held by swapper/0/0:
+ #0: 0000000051b67925 ((&n->timer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:170 [inline]
+ #0: 0000000051b67925 ((&n->timer)){+.-.}, at: call_timer_fn+0xda/0x720 kernel/time/timer.c:1315
+
+stack backtrace:
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.1.0-rc4+ #165
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5162
+ __in_dev_get_rcu include/linux/inetdevice.h:220 [inline]
+ fib_compute_spec_dst+0xbbd/0x1030 net/ipv4/fib_frontend.c:294
+ spec_dst_fill net/ipv4/ip_options.c:245 [inline]
+ __ip_options_compile+0x15a7/0x1a10 net/ipv4/ip_options.c:343
+ ipv4_link_failure+0x172/0x400 net/ipv4/route.c:1195
+ dst_link_failure include/net/dst.h:427 [inline]
+ arp_error_report+0xd1/0x1c0 net/ipv4/arp.c:297
+ neigh_invalidate+0x24b/0x570 net/core/neighbour.c:995
+ neigh_timer_handler+0xc35/0xf30 net/core/neighbour.c:1081
+ call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
+ expire_timers kernel/time/timer.c:1362 [inline]
+ __run_timers kernel/time/timer.c:1681 [inline]
+ __run_timers kernel/time/timer.c:1649 [inline]
+ run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
+ __do_softirq+0x266/0x95a kernel/softirq.c:293
+ invoke_softirq kernel/softirq.c:374 [inline]
+ irq_exit+0x180/0x1d0 kernel/softirq.c:414
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
+
+Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/route.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1188,14 +1188,20 @@ static struct dst_entry *ipv4_dst_check(
+
+ static void ipv4_link_failure(struct sk_buff *skb)
+ {
+- struct rtable *rt;
+ struct ip_options opt;
++ struct rtable *rt;
++ int res;
+
+ /* Recompile ip options since IPCB may not be valid anymore.
+ */
+ memset(&opt, 0, sizeof(opt));
+ opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
+- if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL))
++
++ rcu_read_lock();
++ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
++ rcu_read_unlock();
++
++ if (res)
+ return;
+
+ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt);
diff --git a/patches.suse/ipv4-ip_do_fragment-Preserve-skb_iif-during-fragment.patch b/patches.suse/ipv4-ip_do_fragment-Preserve-skb_iif-during-fragment.patch
new file mode 100644
index 0000000000..9308b53fbe
--- /dev/null
+++ b/patches.suse/ipv4-ip_do_fragment-Preserve-skb_iif-during-fragment.patch
@@ -0,0 +1,40 @@
+From: Shmulik Ladkani <shmulik@metanetworks.com>
+Date: Mon, 29 Apr 2019 16:39:30 +0300
+Subject: ipv4: ip_do_fragment: Preserve skb_iif during fragmentation
+Git-commit: d2f0c961148f65bc73eda72b9fa3a4e80973cb49
+Patch-mainline: v5.1
+References: networking-stable-19_05_04
+
+Previously, during fragmentation after forwarding, skb->skb_iif isn't
+preserved, i.e. 'ip_copy_metadata' does not copy skb_iif from given
+'from' skb.
+
+As a result, ip_do_fragment's creates fragments with zero skb_iif,
+leading to inconsistent behavior.
+
+Assume for example an eBPF program attached at tc egress (post
+forwarding) that examines __sk_buff->ingress_ifindex:
+ - the correct iif is observed if forwarding path does not involve
+ fragmentation/refragmentation
+ - a bogus iif is observed if forwarding path involves
+ fragmentation/refragmentatiom
+
+Fix, by preserving skb_iif during 'ip_copy_metadata'.
+
+Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/ip_output.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -518,6 +518,7 @@ static void ip_copy_metadata(struct sk_b
+ to->pkt_type = from->pkt_type;
+ to->priority = from->priority;
+ to->protocol = from->protocol;
++ to->skb_iif = from->skb_iif;
+ skb_dst_drop(to);
+ skb_dst_copy(to, from);
+ to->dev = from->dev;
diff --git a/patches.suse/ipv4-recompile-ip-options-in-ipv4_link_failure.patch b/patches.suse/ipv4-recompile-ip-options-in-ipv4_link_failure.patch
new file mode 100644
index 0000000000..e2091000b3
--- /dev/null
+++ b/patches.suse/ipv4-recompile-ip-options-in-ipv4_link_failure.patch
@@ -0,0 +1,40 @@
+From: Stephen Suryaputra <ssuryaextr@gmail.com>
+Date: Fri, 12 Apr 2019 16:19:27 -0400
+Subject: ipv4: recompile ip options in ipv4_link_failure
+Git-commit: ed0de45a1008991fdaa27a0152befcb74d126a8b
+Patch-mainline: v5.1-rc6
+References: networking-stable-19_04_19
+
+Recompile IP options since IPCB may not be valid anymore when
+ipv4_link_failure is called from arp_error_report.
+
+Refer to the commit 3da1ed7ac398 ("net: avoid use IPCB in cipso_v4_error")
+and the commit before that (9ef6b42ad6fd) for a similar issue.
+
+Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/route.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1189,8 +1189,16 @@ static struct dst_entry *ipv4_dst_check(
+ static void ipv4_link_failure(struct sk_buff *skb)
+ {
+ struct rtable *rt;
++ struct ip_options opt;
+
+- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
++ /* Recompile ip options since IPCB may not be valid anymore.
++ */
++ memset(&opt, 0, sizeof(opt));
++ opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
++ if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL))
++ return;
++
++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt);
+
+ rt = skb_rtable(skb);
+ if (rt)
diff --git a/patches.suse/ipv4-set-the-tcp_min_rtt_wlen-range-from-0-to-one-da.patch b/patches.suse/ipv4-set-the-tcp_min_rtt_wlen-range-from-0-to-one-da.patch
new file mode 100644
index 0000000000..8a241ad25a
--- /dev/null
+++ b/patches.suse/ipv4-set-the-tcp_min_rtt_wlen-range-from-0-to-one-da.patch
@@ -0,0 +1,88 @@
+From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Date: Tue, 16 Apr 2019 09:47:24 +0800
+Subject: ipv4: set the tcp_min_rtt_wlen range from 0 to one day
+Git-commit: 19fad20d15a6494f47f85d869f00b11343ee5c78
+Patch-mainline: v5.1-rc7
+References: networking-stable-19_04_30
+
+There is a UBSAN report as below:
+UBSAN: Undefined behaviour in net/ipv4/tcp_input.c:2877:56
+signed integer overflow:
+2147483647 * 1000 cannot be represented in type 'int'
+CPU: 3 PID: 0 Comm: swapper/3 Not tainted 5.1.0-rc4-00058-g582549e #1
+Call Trace:
+ <IRQ>
+ dump_stack+0x8c/0xba
+ ubsan_epilogue+0x11/0x60
+ handle_overflow+0x12d/0x170
+ ? ttwu_do_wakeup+0x21/0x320
+ __ubsan_handle_mul_overflow+0x12/0x20
+ tcp_ack_update_rtt+0x76c/0x780
+ tcp_clean_rtx_queue+0x499/0x14d0
+ tcp_ack+0x69e/0x1240
+ ? __wake_up_sync_key+0x2c/0x50
+ ? update_group_capacity+0x50/0x680
+ tcp_rcv_established+0x4e2/0xe10
+ tcp_v4_do_rcv+0x22b/0x420
+ tcp_v4_rcv+0xfe8/0x1190
+ ip_protocol_deliver_rcu+0x36/0x180
+ ip_local_deliver+0x15b/0x1a0
+ ip_rcv+0xac/0xd0
+ __netif_receive_skb_one_core+0x7f/0xb0
+ __netif_receive_skb+0x33/0xc0
+ netif_receive_skb_internal+0x84/0x1c0
+ napi_gro_receive+0x2a0/0x300
+ receive_buf+0x3d4/0x2350
+ ? detach_buf_split+0x159/0x390
+ virtnet_poll+0x198/0x840
+ ? reweight_entity+0x243/0x4b0
+ net_rx_action+0x25c/0x770
+ __do_softirq+0x19b/0x66d
+ irq_exit+0x1eb/0x230
+ do_IRQ+0x7a/0x150
+ common_interrupt+0xf/0xf
+ </IRQ>
+
+It can be reproduced by:
+ echo 2147483647 > /proc/sys/net/ipv4/tcp_min_rtt_wlen
+
+Fixes: f672258391b42 ("tcp: track min RTT using windowed min-filter")
+Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ Documentation/networking/ip-sysctl.txt | 1 +
+ net/ipv4/sysctl_net_ipv4.c | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/Documentation/networking/ip-sysctl.txt
++++ b/Documentation/networking/ip-sysctl.txt
+@@ -402,6 +402,7 @@ tcp_min_rtt_wlen - INTEGER
+ minimum RTT when it is moved to a longer path (e.g., due to traffic
+ engineering). A longer window makes the filter more resistant to RTT
+ inflations such as transient congestion. The unit is seconds.
++ Possible values: 0 - 86400 (1 day)
+ Default: 300
+
+ tcp_moderate_rcvbuf - BOOLEAN
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -44,6 +44,7 @@ static int tcp_syn_retries_min = 1;
+ static int tcp_syn_retries_max = MAX_TCP_SYNCNT;
+ static int ip_ping_group_range_min[] = { 0, 0 };
+ static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX };
++static int one_day_secs = 24 * 3600;
+
+ /* obsolete */
+ static int sysctl_tcp_low_latency __read_mostly;
+@@ -553,7 +554,9 @@ static struct ctl_table ipv4_table[] = {
+ .data = &sysctl_tcp_min_rtt_wlen,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dointvec_minmax,
++ .extra1 = &zero,
++ .extra2 = &one_day_secs
+ },
+ {
+ .procname = "tcp_low_latency",
diff --git a/patches.suse/kernel-signal.c-trace_signal_deliver-when-signal_gro.patch b/patches.suse/kernel-signal.c-trace_signal_deliver-when-signal_gro.patch
new file mode 100644
index 0000000000..8fb312e9c8
--- /dev/null
+++ b/patches.suse/kernel-signal.c-trace_signal_deliver-when-signal_gro.patch
@@ -0,0 +1,47 @@
+From: Zhenliang Wei <weizhenliang@huawei.com>
+Date: Fri, 31 May 2019 22:30:52 -0700
+Subject: kernel/signal.c: trace_signal_deliver when signal_group_exit
+Git-commit: 98af37d624ed8c83f1953b1b6b2f6866011fc064
+Patch-mainline: v5.2-rc3
+References: git-fixes
+
+In the fixes commit, removing SIGKILL from each thread signal mask and
+executing "goto fatal" directly will skip the call to
+"trace_signal_deliver". At this point, the delivery tracking of the
+SIGKILL signal will be inaccurate.
+
+Therefore, we need to add trace_signal_deliver before "goto fatal" after
+executing sigdelset.
+
+Note: SEND_SIG_NOINFO matches the fact that SIGKILL doesn't have any info.
+
+Link: http://lkml.kernel.org/r/20190425025812.91424-1-weizhenliang@huawei.com
+Fixes: cf43a757fd4944 ("signal: Restore the stop PTRACE_EVENT_EXIT")
+Signed-off-by: Zhenliang Wei <weizhenliang@huawei.com>
+Reviewed-by: Christian Brauner <christian@brauner.io>
+Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Ivan Delalande <colona@arista.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Deepa Dinamani <deepa.kernel@gmail.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/signal.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2257,6 +2257,8 @@ relock:
+ if (signal_group_exit(signal)) {
+ ksig->info.si_signo = signr = SIGKILL;
+ sigdelset(&current->pending.signal, SIGKILL);
++ trace_signal_deliver(SIGKILL, SEND_SIG_NOINFO,
++ &sighand->action[SIGKILL - 1]);
+ recalc_sigpending();
+ goto fatal;
+ }
diff --git a/patches.suse/kernel-sys.c-prctl-fix-false-positive-in-validate_pr.patch b/patches.suse/kernel-sys.c-prctl-fix-false-positive-in-validate_pr.patch
new file mode 100644
index 0000000000..28d1fddfea
--- /dev/null
+++ b/patches.suse/kernel-sys.c-prctl-fix-false-positive-in-validate_pr.patch
@@ -0,0 +1,49 @@
+From: Cyrill Gorcunov <gorcunov@gmail.com>
+Date: Mon, 13 May 2019 17:15:40 -0700
+Subject: kernel/sys.c: prctl: fix false positive in validate_prctl_map()
+Git-commit: a9e73998f9d705c94a8dca9687633adc0f24a19a
+Patch-mainline: v5.2-rc1
+References: git-fixes
+
+While validating new map we require the @start_data to be strictly less
+than @end_data, which is fine for regular applications (this is why this
+nit didn't trigger for that long). These members are set from executable
+loaders such as elf handers, still it is pretty valid to have a loadable
+data section with zero size in file, in such case the start_data is equal
+to end_data once kernel loader finishes.
+
+As a result when we're trying to restore such programs the procedure fails
+and the kernel returns -EINVAL. From the image dump of a program:
+
+ | "mm_start_code": "0x400000",
+ | "mm_end_code": "0x8f5fb4",
+ | "mm_start_data": "0xf1bfb0",
+ | "mm_end_data": "0xf1bfb0",
+
+Thus we need to change validate_prctl_map from strictly less to less or
+equal operator use.
+
+Link: http://lkml.kernel.org/r/20190408143554.GY1421@uranus.lan
+Fixes: f606b77f1a9e3 ("prctl: PR_SET_MM -- introduce PR_SET_MM_MAP operation")
+Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
+Cc: Andrey Vagin <avagin@gmail.com>
+Cc: Dmitry Safonov <0x7f454c46@gmail.com>
+Cc: Pavel Emelyanov <xemul@virtuozzo.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/sys.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1768,7 +1768,7 @@ static int validate_prctl_map(struct prc
+ ((unsigned long)prctl_map->__m1 __op \
+ (unsigned long)prctl_map->__m2) ? 0 : -EINVAL
+ error = __prctl_check_order(start_code, <, end_code);
+- error |= __prctl_check_order(start_data, <, end_data);
++ error |= __prctl_check_order(start_data,<=, end_data);
+ error |= __prctl_check_order(start_brk, <=, brk);
+ error |= __prctl_check_order(arg_start, <=, arg_end);
+ error |= __prctl_check_order(env_start, <=, env_end);
diff --git a/patches.suse/livepatch-convert-error-about-unsupported-reliable-stacktrace-into-a-warning.patch b/patches.suse/livepatch-convert-error-about-unsupported-reliable-stacktrace-into-a-warning.patch
new file mode 100644
index 0000000000..5d3bf35732
--- /dev/null
+++ b/patches.suse/livepatch-convert-error-about-unsupported-reliable-stacktrace-into-a-warning.patch
@@ -0,0 +1,47 @@
+From: Petr Mladek <pmladek@suse.com>
+Date: Wed, 24 Apr 2019 10:55:48 +0200
+Subject: livepatch: Convert error about unsupported reliable stacktrace into a
+ warning
+Git-commit: 31adf2308f33dcae59009019675224be0978bc70
+Patch-mainline: v5.2-rc1
+References: bsc#1071995
+
+The commit d0807da78e11d46f ("livepatch: Remove immediate feature") caused
+that any livepatch was refused when reliable stacktraces were not supported
+on the given architecture.
+
+The limitation is too strong. User space processes are safely migrated
+even when entering or leaving the kernel. Kthreads transition would
+need to get forced. But it is safe when:
+
+ + The livepatch does not change the semantic of the code.
+ + Callbacks do not depend on a safely finished transition.
+
+Suggested-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Acked-by: Miroslav Benes <mbenes@suse.cz>
+Reviewed-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+---
+ kernel/livepatch/core.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
+index eb0ee10a1981..14f33ab6c583 100644
+--- a/kernel/livepatch/core.c
++++ b/kernel/livepatch/core.c
+@@ -1003,11 +1003,10 @@ int klp_enable_patch(struct klp_patch *patch)
+ return -ENODEV;
+
+ if (!klp_have_reliable_stack()) {
+- pr_err("This architecture doesn't have support for the livepatch consistency model.\n");
+- return -EOPNOTSUPP;
++ pr_warn("This architecture doesn't have support for the livepatch consistency model.\n");
++ pr_warn("The livepatch transition may never complete.\n");
+ }
+
+-
+ mutex_lock(&klp_mutex);
+
+ ret = klp_init_patch_early(patch);
+
diff --git a/patches.suse/livepatch-remove-custom-kobject-state-handling.patch b/patches.suse/livepatch-remove-custom-kobject-state-handling.patch
new file mode 100644
index 0000000000..d668f386c3
--- /dev/null
+++ b/patches.suse/livepatch-remove-custom-kobject-state-handling.patch
@@ -0,0 +1,215 @@
+From: Petr Mladek <pmladek@suse.com>
+Date: Fri, 3 May 2019 15:26:24 +0200
+Subject: livepatch: Remove custom kobject state handling
+Git-commit: 4d141ab3416d90f87775f5dee725efdf40110a8f
+Patch-mainline: v5.2-rc1
+References: bsc#1071995
+
+kobject_init() always succeeds and sets the reference count to 1.
+It allows to always free the structures via kobject_put() and
+the related release callback.
+
+Note that the custom kobject state handling was used only
+because we did not know that kobject_put() can and actually
+should get called even when kobject_init_and_add() fails.
+
+The patch should not change the existing behavior.
+
+Suggested-by: "Tobin C. Harding" <tobin@kernel.org>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Reviewed-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
+Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Acked-by: Miroslav Benes <mbenes@suse.cz>
+---
+ include/linux/livepatch.h | 3 ---
+ kernel/livepatch/core.c | 56 ++++++++++++++---------------------------------
+ 2 files changed, 17 insertions(+), 42 deletions(-)
+
+diff --git a/include/linux/livepatch.h b/include/linux/livepatch.h
+index 53551f470722..a14bab1a0a3e 100644
+--- a/include/linux/livepatch.h
++++ b/include/linux/livepatch.h
+@@ -86,7 +86,6 @@ struct klp_func {
+ struct list_head node;
+ struct list_head stack_node;
+ unsigned long old_size, new_size;
+- bool kobj_added;
+ bool nop;
+ bool patched;
+ bool transition;
+@@ -141,7 +140,6 @@ struct klp_object {
+ struct list_head func_list;
+ struct list_head node;
+ struct module *mod;
+- bool kobj_added;
+ bool dynamic;
+ bool patched;
+ };
+@@ -170,7 +168,6 @@ struct klp_patch {
+ struct list_head list;
+ struct kobject kobj;
+ struct list_head obj_list;
+- bool kobj_added;
+ bool enabled;
+ bool forced;
+ struct work_struct free_work;
+diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
+index 14f33ab6c583..42385f23252a 100644
+--- a/kernel/livepatch/core.c
++++ b/kernel/livepatch/core.c
+@@ -426,6 +426,9 @@ static void klp_free_object_dynamic(struct klp_object *obj)
+ kfree(obj);
+ }
+
++static struct kobj_type klp_ktype_object;
++static struct kobj_type klp_ktype_func;
++
+ static struct klp_object *klp_alloc_object_dynamic(const char *name)
+ {
+ struct klp_object *obj;
+@@ -443,6 +446,7 @@ static struct klp_object *klp_alloc_object_dynamic(const char *name)
+ }
+
+ INIT_LIST_HEAD(&obj->func_list);
++ kobject_init(&obj->kobj, &klp_ktype_object);
+ obj->dynamic = true;
+
+ return obj;
+@@ -471,6 +475,7 @@ static struct klp_func *klp_alloc_func_nop(struct klp_func *old_func,
+ }
+ }
+
++ kobject_init(&func->kobj, &klp_ktype_func);
+ /*
+ * func->new_func is same as func->old_func. These addresses are
+ * set when the object is loaded, see klp_init_object_loaded().
+@@ -588,13 +593,7 @@ static void __klp_free_funcs(struct klp_object *obj, bool nops_only)
+ continue;
+
+ list_del(&func->node);
+-
+- /* Might be called from klp_init_patch() error path. */
+- if (func->kobj_added) {
+- kobject_put(&func->kobj);
+- } else if (func->nop) {
+- klp_free_func_nop(func);
+- }
++ kobject_put(&func->kobj);
+ }
+ }
+
+@@ -624,13 +623,7 @@ static void __klp_free_objects(struct klp_patch *patch, bool nops_only)
+ continue;
+
+ list_del(&obj->node);
+-
+- /* Might be called from klp_init_patch() error path. */
+- if (obj->kobj_added) {
+- kobject_put(&obj->kobj);
+- } else if (obj->dynamic) {
+- klp_free_object_dynamic(obj);
+- }
++ kobject_put(&obj->kobj);
+ }
+ }
+
+@@ -675,10 +668,8 @@ static void klp_free_patch_finish(struct klp_patch *patch)
+ * this is called when the patch gets disabled and it
+ * cannot get enabled again.
+ */
+- if (patch->kobj_added) {
+- kobject_put(&patch->kobj);
+- wait_for_completion(&patch->finish);
+- }
++ kobject_put(&patch->kobj);
++ wait_for_completion(&patch->finish);
+
+ /* Put the module after the last access to struct klp_patch. */
+ if (!patch->forced)
+@@ -700,8 +691,6 @@ static void klp_free_patch_work_fn(struct work_struct *work)
+
+ static int klp_init_func(struct klp_object *obj, struct klp_func *func)
+ {
+- int ret;
+-
+ if (!func->old_name)
+ return -EINVAL;
+
+@@ -724,13 +713,9 @@ static int klp_init_func(struct klp_object *obj, struct klp_func *func)
+ * object. If the user selects 0 for old_sympos, then 1 will be used
+ * since a unique symbol will be the first occurrence.
+ */
+- ret = kobject_init_and_add(&func->kobj, &klp_ktype_func,
+- &obj->kobj, "%s,%lu", func->old_name,
+- func->old_sympos ? func->old_sympos : 1);
+- if (!ret)
+- func->kobj_added = true;
+-
+- return ret;
++ return kobject_add(&func->kobj, &obj->kobj, "%s,%lu",
++ func->old_name,
++ func->old_sympos ? func->old_sympos : 1);
+ }
+
+ /* Arches may override this to finish any remaining arch-specific tasks */
+@@ -801,11 +786,9 @@ static int klp_init_object(struct klp_patch *patch, struct klp_object *obj)
+ klp_find_object_module(obj);
+
+ name = klp_is_module(obj) ? obj->name : "vmlinux";
+- ret = kobject_init_and_add(&obj->kobj, &klp_ktype_object,
+- &patch->kobj, "%s", name);
++ ret = kobject_add(&obj->kobj, &patch->kobj, "%s", name);
+ if (ret)
+ return ret;
+- obj->kobj_added = true;
+
+ klp_for_each_func(obj, func) {
+ ret = klp_init_func(obj, func);
+@@ -829,7 +812,7 @@ static int klp_init_patch_early(struct klp_patch *patch)
+
+ INIT_LIST_HEAD(&patch->list);
+ INIT_LIST_HEAD(&patch->obj_list);
+- patch->kobj_added = false;
++ kobject_init(&patch->kobj, &klp_ktype_patch);
+ patch->enabled = false;
+ patch->forced = false;
+ INIT_WORK(&patch->free_work, klp_free_patch_work_fn);
+@@ -840,11 +823,11 @@ static int klp_init_patch_early(struct klp_patch *patch)
+ return -EINVAL;
+
+ INIT_LIST_HEAD(&obj->func_list);
+- obj->kobj_added = false;
++ kobject_init(&obj->kobj, &klp_ktype_object);
+ list_add_tail(&obj->node, &patch->obj_list);
+
+ klp_for_each_func_static(obj, func) {
+- func->kobj_added = false;
++ kobject_init(&func->kobj, &klp_ktype_func);
+ list_add_tail(&func->node, &obj->func_list);
+ }
+ }
+@@ -860,11 +843,9 @@ static int klp_init_patch(struct klp_patch *patch)
+ struct klp_object *obj;
+ int ret;
+
+- ret = kobject_init_and_add(&patch->kobj, &klp_ktype_patch,
+- klp_root_kobj, "%s", patch->mod->name);
++ ret = kobject_add(&patch->kobj, klp_root_kobj, "%s", patch->mod->name);
+ if (ret)
+ return ret;
+- patch->kobj_added = true;
+
+ if (patch->replace) {
+ ret = klp_add_nops(patch);
+@@ -926,9 +907,6 @@ static int __klp_enable_patch(struct klp_patch *patch)
+ if (WARN_ON(patch->enabled))
+ return -EINVAL;
+
+- if (!patch->kobj_added)
+- return -EINVAL;
+-
+ pr_notice("enabling patch '%s'\n", patch->mod->name);
+
+ klp_init_transition(patch, KLP_PATCHED);
+
diff --git a/patches.suse/livepatch-remove-duplicated-code-for-early-initialization.patch b/patches.suse/livepatch-remove-duplicated-code-for-early-initialization.patch
new file mode 100644
index 0000000000..7ded42e916
--- /dev/null
+++ b/patches.suse/livepatch-remove-duplicated-code-for-early-initialization.patch
@@ -0,0 +1,127 @@
+From: Petr Mladek <pmladek@suse.com>
+Date: Fri, 3 May 2019 15:26:25 +0200
+Subject: livepatch: Remove duplicated code for early initialization
+Git-commit: f68d67cf2f83dc82675969724b59ca7c6da43fa9
+Patch-mainline: v5.2-rc1
+References: bsc#1071995
+
+kobject_init() call added one more operation that has to be
+done when doing the early initialization of both static and
+dynamic livepatch structures.
+
+It would have been easier when the early initialization code
+was not duplicated. Let's deduplicate it for future generations
+of livepatching hackers.
+
+The patch does not change the existing behavior.
+
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Reviewed-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
+Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Acked-by: Miroslav Benes <mbenes@suse.cz>
+---
+ kernel/livepatch/core.c | 42 ++++++++++++++++++++++++++----------------
+ 1 file changed, 26 insertions(+), 16 deletions(-)
+
+diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
+index 42385f23252a..f12c0eabd843 100644
+--- a/kernel/livepatch/core.c
++++ b/kernel/livepatch/core.c
+@@ -426,10 +426,13 @@ static void klp_free_object_dynamic(struct klp_object *obj)
+ kfree(obj);
+ }
+
+-static struct kobj_type klp_ktype_object;
+-static struct kobj_type klp_ktype_func;
++static void klp_init_func_early(struct klp_object *obj,
++ struct klp_func *func);
++static void klp_init_object_early(struct klp_patch *patch,
++ struct klp_object *obj);
+
+-static struct klp_object *klp_alloc_object_dynamic(const char *name)
++static struct klp_object *klp_alloc_object_dynamic(const char *name,
++ struct klp_patch *patch)
+ {
+ struct klp_object *obj;
+
+@@ -445,8 +448,7 @@ static struct klp_object *klp_alloc_object_dynamic(const char *name)
+ }
+ }
+
+- INIT_LIST_HEAD(&obj->func_list);
+- kobject_init(&obj->kobj, &klp_ktype_object);
++ klp_init_object_early(patch, obj);
+ obj->dynamic = true;
+
+ return obj;
+@@ -475,7 +477,7 @@ static struct klp_func *klp_alloc_func_nop(struct klp_func *old_func,
+ }
+ }
+
+- kobject_init(&func->kobj, &klp_ktype_func);
++ klp_init_func_early(obj, func);
+ /*
+ * func->new_func is same as func->old_func. These addresses are
+ * set when the object is loaded, see klp_init_object_loaded().
+@@ -495,11 +497,9 @@ static int klp_add_object_nops(struct klp_patch *patch,
+ obj = klp_find_object(patch, old_obj);
+
+ if (!obj) {
+- obj = klp_alloc_object_dynamic(old_obj->name);
++ obj = klp_alloc_object_dynamic(old_obj->name, patch);
+ if (!obj)
+ return -ENOMEM;
+-
+- list_add_tail(&obj->node, &patch->obj_list);
+ }
+
+ klp_for_each_func(old_obj, old_func) {
+@@ -510,8 +510,6 @@ static int klp_add_object_nops(struct klp_patch *patch,
+ func = klp_alloc_func_nop(old_func, obj);
+ if (!func)
+ return -ENOMEM;
+-
+- list_add_tail(&func->node, &obj->func_list);
+ }
+
+ return 0;
+@@ -802,6 +800,21 @@ static int klp_init_object(struct klp_patch *patch, struct klp_object *obj)
+ return ret;
+ }
+
++static void klp_init_func_early(struct klp_object *obj,
++ struct klp_func *func)
++{
++ kobject_init(&func->kobj, &klp_ktype_func);
++ list_add_tail(&func->node, &obj->func_list);
++}
++
++static void klp_init_object_early(struct klp_patch *patch,
++ struct klp_object *obj)
++{
++ INIT_LIST_HEAD(&obj->func_list);
++ kobject_init(&obj->kobj, &klp_ktype_object);
++ list_add_tail(&obj->node, &patch->obj_list);
++}
++
+ static int klp_init_patch_early(struct klp_patch *patch)
+ {
+ struct klp_object *obj;
+@@ -822,13 +835,10 @@ static int klp_init_patch_early(struct klp_patch *patch)
+ if (!obj->funcs)
+ return -EINVAL;
+
+- INIT_LIST_HEAD(&obj->func_list);
+- kobject_init(&obj->kobj, &klp_ktype_object);
+- list_add_tail(&obj->node, &patch->obj_list);
++ klp_init_object_early(patch, obj);
+
+ klp_for_each_func_static(obj, func) {
+- kobject_init(&func->kobj, &klp_ktype_func);
+- list_add_tail(&func->node, &obj->func_list);
++ klp_init_func_early(obj, func);
+ }
+ }
+
+
diff --git a/patches.suse/memcg-make-it-work-on-sparse-non-0-node-systems.patch b/patches.suse/memcg-make-it-work-on-sparse-non-0-node-systems.patch
new file mode 100644
index 0000000000..3eece221cf
--- /dev/null
+++ b/patches.suse/memcg-make-it-work-on-sparse-non-0-node-systems.patch
@@ -0,0 +1,93 @@
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Fri, 31 May 2019 22:30:26 -0700
+Subject: memcg: make it work on sparse non-0-node systems
+Git-commit: 3e8589963773a5c23e2f1fe4bcad0e9a90b7f471
+Patch-mainline: v5.2-rc3
+References: bnc#1133616
+
+We have a single node system with node 0 disabled:
+ Scanning NUMA topology in Northbridge 24
+ Number of physical nodes 2
+ Skipping disabled node 0
+ Node 1 MemBase 0000000000000000 Limit 00000000fbff0000
+ NODE_DATA(1) allocated [mem 0xfbfda000-0xfbfeffff]
+
+This causes crashes in memcg when system boots:
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+ #PF error: [normal kernel read fault]
+...
+ RIP: 0010:list_lru_add+0x94/0x170
+...
+ Call Trace:
+ d_lru_add+0x44/0x50
+ dput.part.34+0xfc/0x110
+ __fput+0x108/0x230
+ task_work_run+0x9f/0xc0
+ exit_to_usermode_loop+0xf5/0x100
+
+It is reproducible as far as 4.12. I did not try older kernels. You have
+to have a new enough systemd, e.g. 241 (the reason is unknown -- was not
+investigated). Cannot be reproduced with systemd 234.
+
+The system crashes because the size of lru array is never updated in
+memcg_update_all_list_lrus and the reads are past the zero-sized array,
+causing dereferences of random memory.
+
+The root cause are list_lru_memcg_aware checks in the list_lru code. The
+test in list_lru_memcg_aware is broken: it assumes node 0 is always
+present, but it is not true on some systems as can be seen above.
+
+So fix this by avoiding checks on node 0. Remember the memcg-awareness by
+a bool flag in struct list_lru.
+
+Link: http://lkml.kernel.org/r/20190522091940.3615-1-jslaby@suse.cz
+Fixes: 60d3fd32a7a9 ("list_lru: introduce per-memcg lists")
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Suggested-by: Vladimir Davydov <vdavydov.dev@gmail.com>
+Acked-by: Vladimir Davydov <vdavydov.dev@gmail.com>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Raghavendra K T <raghavendra.kt@linux.vnet.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ include/linux/list_lru.h | 1 +
+ mm/list_lru.c | 8 +++-----
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+--- a/include/linux/list_lru.h
++++ b/include/linux/list_lru.h
+@@ -51,6 +51,7 @@ struct list_lru {
+ struct list_lru_node *node;
+ #if defined(CONFIG_MEMCG) && !defined(CONFIG_SLOB)
+ struct list_head list;
++ bool memcg_aware;
+ #endif
+ };
+
+--- a/mm/list_lru.c
++++ b/mm/list_lru.c
+@@ -42,11 +42,7 @@ static void list_lru_unregister(struct l
+ #if defined(CONFIG_MEMCG) && !defined(CONFIG_SLOB)
+ static inline bool list_lru_memcg_aware(struct list_lru *lru)
+ {
+- /*
+- * This needs node 0 to be always present, even
+- * in the systems supporting sparse numa ids.
+- */
+- return !!lru->node[0].memcg_lrus;
++ return lru->memcg_aware;
+ }
+
+ static inline struct list_lru_one *
+@@ -389,6 +385,8 @@ static int memcg_init_list_lru(struct li
+ {
+ int i;
+
++ lru->memcg_aware = memcg_aware;
++
+ if (!memcg_aware)
+ return 0;
+
diff --git a/patches.suse/mlxsw-spectrum-Fix-autoneg-status-in-ethtool.patch b/patches.suse/mlxsw-spectrum-Fix-autoneg-status-in-ethtool.patch
new file mode 100644
index 0000000000..adbfb169d4
--- /dev/null
+++ b/patches.suse/mlxsw-spectrum-Fix-autoneg-status-in-ethtool.patch
@@ -0,0 +1,42 @@
+From: Amit Cohen <amitc@mellanox.com>
+Date: Thu, 18 Apr 2019 07:14:16 +0000
+Subject: mlxsw: spectrum: Fix autoneg status in ethtool
+Git-commit: 151f0dddbbfe4c35c9c5b64873115aafd436af9d
+Patch-mainline: v5.1-rc7
+References: networking-stable-19_04_30
+
+If link is down and autoneg is set to on/off, the status in ethtool does
+not change.
+
+The reason is when the link is down the function returns with zero
+before changing autoneg value.
+
+Move the checking of link state (up/down) to be performed after setting
+autoneg value, in order to be sure that autoneg will change in any case.
+
+Fixes: 56ade8fe3fe1 ("mlxsw: spectrum: Add initial support for Spectrum ASIC")
+Signed-off-by: Amit Cohen <amitc@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+@@ -2289,11 +2289,11 @@ mlxsw_sp_port_set_link_ksettings(struct
+ if (err)
+ return err;
+
++ mlxsw_sp_port->link.autoneg = autoneg;
++
+ if (!netif_running(dev))
+ return 0;
+
+- mlxsw_sp_port->link.autoneg = autoneg;
+-
+ mlxsw_sp_port_admin_status_set(mlxsw_sp_port, false);
+ mlxsw_sp_port_admin_status_set(mlxsw_sp_port, true);
+
diff --git a/patches.suse/neighbor-Call-__ipv4_neigh_lookup_noref-in-neigh_xmi.patch b/patches.suse/neighbor-Call-__ipv4_neigh_lookup_noref-in-neigh_xmi.patch
new file mode 100644
index 0000000000..28dd9d912f
--- /dev/null
+++ b/patches.suse/neighbor-Call-__ipv4_neigh_lookup_noref-in-neigh_xmi.patch
@@ -0,0 +1,55 @@
+From: David Ahern <dsahern@gmail.com>
+Date: Wed, 1 May 2019 18:18:42 -0700
+Subject: neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit
+Git-commit: 4b2a2bfeb3f056461a90bd621e8bd7d03fa47f60
+Patch-mainline: v5.2-rc1
+References: git-fixes
+
+Commit cd9ff4de0107 changed the key for IFF_POINTOPOINT devices to
+INADDR_ANY but neigh_xmit which is used for MPLS encapsulations was not
+updated to use the altered key. The result is that every packet Tx does
+a lookup on the gateway address which does not find an entry, a new one
+is created only to find the existing one in the table right before the
+insert since arp_constructor was updated to reset the primary key. This
+is seen in the allocs and destroys counters:
+ ip -s -4 ntable show | head -10 | grep alloc
+
+which increase for each packet showing the unnecessary overhread.
+
+Fix by having neigh_xmit use __ipv4_neigh_lookup_noref for NEIGH_ARP_TABLE.
+
+Fixes: cd9ff4de0107 ("ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY")
+Reported-by: Alan Maguire <alan.maguire@oracle.com>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Tested-by: Alan Maguire <alan.maguire@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/core/neighbour.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -30,6 +30,7 @@
+ #include <linux/times.h>
+ #include <net/net_namespace.h>
+ #include <net/neighbour.h>
++#include <net/arp.h>
+ #include <net/dst.h>
+ #include <net/sock.h>
+ #include <net/netevent.h>
+@@ -2529,7 +2530,13 @@ int neigh_xmit(int index, struct net_dev
+ if (!tbl)
+ goto out;
+ rcu_read_lock_bh();
+- neigh = __neigh_lookup_noref(tbl, addr, dev);
++ if (index == NEIGH_ARP_TABLE) {
++ u32 key = *((u32 *)addr);
++
++ neigh = __ipv4_neigh_lookup_noref(dev, key);
++ } else {
++ neigh = __neigh_lookup_noref(tbl, addr, dev);
++ }
+ if (!neigh)
+ neigh = __neigh_create(tbl, addr, dev, false);
+ err = PTR_ERR(neigh);
diff --git a/patches.suse/net-atm-Fix-potential-Spectre-v1-vulnerabilities.patch b/patches.suse/net-atm-Fix-potential-Spectre-v1-vulnerabilities.patch
new file mode 100644
index 0000000000..9cff3f2e39
--- /dev/null
+++ b/patches.suse/net-atm-Fix-potential-Spectre-v1-vulnerabilities.patch
@@ -0,0 +1,51 @@
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 15 Apr 2019 15:57:23 -0500
+Subject: net: atm: Fix potential Spectre v1 vulnerabilities
+Git-commit: 899537b73557aafbdd11050b501cf54b4f5c45af
+Patch-mainline: v5.1-rc6
+References: networking-stable-19_04_19
+
+arg is controlled by user-space, hence leading to a potential
+exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+net/atm/lec.c:715 lec_mcast_attach() warn: potential spectre issue 'dev_lec' [r] (local cap)
+
+Fix this by sanitizing arg before using it to index dev_lec.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/atm/lec.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/atm/lec.c
++++ b/net/atm/lec.c
+@@ -710,7 +710,10 @@ static int lec_vcc_attach(struct atm_vcc
+
+ static int lec_mcast_attach(struct atm_vcc *vcc, int arg)
+ {
+- if (arg < 0 || arg >= MAX_LEC_ITF || !dev_lec[arg])
++ if (arg < 0 || arg >= MAX_LEC_ITF)
++ return -EINVAL;
++ arg = array_index_nospec(arg, MAX_LEC_ITF);
++ if (!dev_lec[arg])
+ return -EINVAL;
+ vcc->proto_data = dev_lec[arg];
+ return lec_mcast_make(netdev_priv(dev_lec[arg]), vcc);
+@@ -728,6 +731,7 @@ static int lecd_attach(struct atm_vcc *v
+ i = arg;
+ if (arg >= MAX_LEC_ITF)
+ return -EINVAL;
++ i = array_index_nospec(arg, MAX_LEC_ITF);
+ if (!dev_lec[i]) {
+ int size;
+
diff --git a/patches.suse/net-dsa-bcm_sf2-fix-buffer-overflow-doing-set_rxnfc.patch b/patches.suse/net-dsa-bcm_sf2-fix-buffer-overflow-doing-set_rxnfc.patch
new file mode 100644
index 0000000000..4d2db1c7ff
--- /dev/null
+++ b/patches.suse/net-dsa-bcm_sf2-fix-buffer-overflow-doing-set_rxnfc.patch
@@ -0,0 +1,41 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 30 Apr 2019 13:44:19 +0300
+Subject: net: dsa: bcm_sf2: fix buffer overflow doing set_rxnfc
+Git-commit: f949a12fd697479f68d99dc65e9bbab68ee49043
+Patch-mainline: v5.1
+References: networking-stable-19_05_04
+
+The "fs->location" is a u32 that comes from the user in ethtool_set_rxnfc().
+We can't pass unclamped values to test_bit() or it results in an out of
+bounds access beyond the end of the bitmap.
+
+Fixes: 7318166cacad ("net: dsa: bcm_sf2: Add support for ethtool::rxnfc")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/dsa/bcm_sf2_cfp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/dsa/bcm_sf2_cfp.c
++++ b/drivers/net/dsa/bcm_sf2_cfp.c
+@@ -130,6 +130,9 @@ static int bcm_sf2_cfp_rule_set(struct d
+ (fs->m_ext.vlan_etype || fs->m_ext.data[1]))
+ return -EINVAL;
+
++ if (fs->location != RX_CLS_LOC_ANY && fs->location >= CFP_NUM_RULES)
++ return -EINVAL;
++
+ if (fs->location != RX_CLS_LOC_ANY &&
+ test_bit(fs->location, priv->cfp.used))
+ return -EBUSY;
+@@ -330,6 +333,9 @@ static int bcm_sf2_cfp_rule_del(struct b
+ int ret;
+ u32 reg;
+
++ if (loc >= CFP_NUM_RULES)
++ return -EINVAL;
++
+ /* Refuse deletion of unused rules, and the default reserved rule */
+ if (!test_bit(loc, priv->cfp.used) || loc == 0)
+ return -EINVAL;
diff --git a/patches.suse/net-dsa-mv88e6xxx-fix-handling-of-upper-half-of-STAT.patch b/patches.suse/net-dsa-mv88e6xxx-fix-handling-of-upper-half-of-STAT.patch
new file mode 100644
index 0000000000..cd4395ff40
--- /dev/null
+++ b/patches.suse/net-dsa-mv88e6xxx-fix-handling-of-upper-half-of-STAT.patch
@@ -0,0 +1,31 @@
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Date: Wed, 29 May 2019 07:02:11 +0000
+Subject: net: dsa: mv88e6xxx: fix handling of upper half of STATS_TYPE_PORT
+Git-commit: 84b3fd1fc9592d431e23b077e692fa4e3fd0f086
+Patch-mainline: 5.2-rc3
+References: git-fixes
+
+Currently, the upper half of a 4-byte STATS_TYPE_PORT statistic ends
+up in bits 47:32 of the return value, instead of bits 31:16 as they
+should.
+
+Fixes: 6e46e2d821bb ("net: dsa: mv88e6xxx: Fix u64 statistics")
+Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -854,7 +854,7 @@ static uint64_t _mv88e6xxx_get_ethtool_s
+ err = mv88e6xxx_port_read(chip, port, s->reg + 1, &reg);
+ if (err)
+ return UINT64_MAX;
+- high = reg;
++ low |= ((u32)reg) << 16;
+ }
+ break;
+ case STATS_TYPE_BANK1:
diff --git a/patches.suse/net-fou-do-not-use-guehdr-after-iptunnel_pull_offloa.patch b/patches.suse/net-fou-do-not-use-guehdr-after-iptunnel_pull_offloa.patch
new file mode 100644
index 0000000000..bd3f1e0a68
--- /dev/null
+++ b/patches.suse/net-fou-do-not-use-guehdr-after-iptunnel_pull_offloa.patch
@@ -0,0 +1,47 @@
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Tue, 9 Apr 2019 11:47:20 +0200
+Subject: net: fou: do not use guehdr after iptunnel_pull_offloads in
+ gue_udp_recv
+Git-commit: 988dc4a9a3b66be75b30405a5494faf0dc7cffb6
+Patch-mainline: v5.1-rc6
+References: networking-stable-19_04_19
+
+gue tunnels run iptunnel_pull_offloads on received skbs. This can
+determine a possible use-after-free accessing guehdr pointer since
+the packet will be 'uncloned' running pskb_expand_head if it is a
+cloned gso skb (e.g if the packet has been sent though a veth device)
+
+Fixes: a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/fou.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/fou.c
++++ b/net/ipv4/fou.c
+@@ -119,6 +119,7 @@ static int gue_udp_recv(struct sock *sk,
+ struct guehdr *guehdr;
+ void *data;
+ u16 doffset = 0;
++ u8 proto_ctype;
+
+ if (!fou)
+ return 1;
+@@ -210,13 +211,14 @@ static int gue_udp_recv(struct sock *sk,
+ if (unlikely(guehdr->control))
+ return gue_control_message(skb, guehdr);
+
++ proto_ctype = guehdr->proto_ctype;
+ __skb_pull(skb, sizeof(struct udphdr) + hdrlen);
+ skb_reset_transport_header(skb);
+
+ if (iptunnel_pull_offloads(skb))
+ goto drop;
+
+- return -guehdr->proto_ctype;
++ return -proto_ctype;
+
+ drop:
+ kfree_skb(skb);
diff --git a/patches.suse/net-mlx5e-ethtool-Remove-unsupported-SFP-EEPROM-high.patch b/patches.suse/net-mlx5e-ethtool-Remove-unsupported-SFP-EEPROM-high.patch
new file mode 100644
index 0000000000..4dccbc3dc3
--- /dev/null
+++ b/patches.suse/net-mlx5e-ethtool-Remove-unsupported-SFP-EEPROM-high.patch
@@ -0,0 +1,47 @@
+From: Erez Alfasi <ereza@mellanox.com>
+Date: Thu, 11 Apr 2019 10:41:03 +0300
+Subject: net/mlx5e: ethtool, Remove unsupported SFP EEPROM high pages query
+Git-commit: ace329f4ab3ba434be2adf618073c752d083b524
+Patch-mainline: v5.1-rc7
+References: networking-stable-19_04_30
+
+Querying EEPROM high pages data for SFP module is currently
+not supported by our driver and yet queried, resulting in
+invalid FW queries.
+
+Set the EEPROM ethtool data length to 256 for SFP module will
+limit the reading for page 0 only and prevent invalid FW queries.
+
+Fixes: bb64143eee8c ("net/mlx5e: Add ethtool support for dump module EEPROM")
+Signed-off-by: Erez Alfasi <ereza@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 2 +-
+ drivers/net/ethernet/mellanox/mlx5/core/port.c | 4 ----
+ 2 files changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -1633,7 +1633,7 @@ static int mlx5e_get_module_info(struct
+ break;
+ case MLX5_MODULE_ID_SFP:
+ modinfo->type = ETH_MODULE_SFF_8472;
+- modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN;
++ modinfo->eeprom_len = MLX5_EEPROM_PAGE_LENGTH;
+ break;
+ default:
+ netdev_err(priv->netdev, "%s: cable type not recognized:0x%x\n",
+--- a/drivers/net/ethernet/mellanox/mlx5/core/port.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/port.c
+@@ -392,10 +392,6 @@ int mlx5_query_module_eeprom(struct mlx5
+ size -= offset + size - MLX5_EEPROM_PAGE_LENGTH;
+
+ i2c_addr = MLX5_I2C_ADDR_LOW;
+- if (offset >= MLX5_EEPROM_PAGE_LENGTH) {
+- i2c_addr = MLX5_I2C_ADDR_HIGH;
+- offset -= MLX5_EEPROM_PAGE_LENGTH;
+- }
+
+ MLX5_SET(mcia_reg, in, l, 0);
+ MLX5_SET(mcia_reg, in, module, module_num);
diff --git a/patches.suse/net-phy-marvell-Fix-buffer-overrun-with-stats-counte.patch b/patches.suse/net-phy-marvell-Fix-buffer-overrun-with-stats-counte.patch
new file mode 100644
index 0000000000..160fb7e6b9
--- /dev/null
+++ b/patches.suse/net-phy-marvell-Fix-buffer-overrun-with-stats-counte.patch
@@ -0,0 +1,49 @@
+From: Andrew Lunn <andrew@lunn.ch>
+Date: Thu, 25 Apr 2019 00:33:00 +0200
+Subject: net: phy: marvell: Fix buffer overrun with stats counters
+Git-commit: fdfdf86720a34527f777cbe0d8599bf0528fa146
+Patch-mainline: v5.1
+References: networking-stable-19_05_04
+
+marvell_get_sset_count() returns how many statistics counters there
+are. If the PHY supports fibre, there are 3, otherwise two.
+
+marvell_get_strings() does not make this distinction, and always
+returns 3 strings. This then often results in writing past the end
+of the buffer for the strings.
+
+Fixes: 2170fef78a40 ("Marvell phy: add field to get errors from fiber link.")
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/phy/marvell.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/phy/marvell.c
++++ b/drivers/net/phy/marvell.c
+@@ -1482,9 +1482,10 @@ static int marvell_get_sset_count(struct
+
+ static void marvell_get_strings(struct phy_device *phydev, u8 *data)
+ {
++ int count = marvell_get_sset_count(phydev);
+ int i;
+
+- for (i = 0; i < ARRAY_SIZE(marvell_hw_stats); i++) {
++ for (i = 0; i < count; i++) {
+ memcpy(data + i * ETH_GSTRING_LEN,
+ marvell_hw_stats[i].string, ETH_GSTRING_LEN);
+ }
+@@ -1523,9 +1524,10 @@ static u64 marvell_get_stat(struct phy_d
+ static void marvell_get_stats(struct phy_device *phydev,
+ struct ethtool_stats *stats, u64 *data)
+ {
++ int count = marvell_get_sset_count(phydev);
+ int i;
+
+- for (i = 0; i < ARRAY_SIZE(marvell_hw_stats); i++)
++ for (i = 0; i < count; i++)
+ data[i] = marvell_get_stat(phydev, i);
+ }
+
diff --git a/patches.suse/net-rds-exchange-of-8K-and-1M-pool.patch b/patches.suse/net-rds-exchange-of-8K-and-1M-pool.patch
new file mode 100644
index 0000000000..7e081e0939
--- /dev/null
+++ b/patches.suse/net-rds-exchange-of-8K-and-1M-pool.patch
@@ -0,0 +1,78 @@
+From: Zhu Yanjun <yanjun.zhu@oracle.com>
+Date: Wed, 24 Apr 2019 02:56:42 -0400
+Subject: net: rds: exchange of 8K and 1M pool
+Git-commit: 4b9fc7146249a6e0e3175d0acc033fdcd2bfcb17
+Patch-mainline: v5.1-rc7
+References: networking-stable-19_04_30
+
+Before the commit 490ea5967b0d ("RDS: IB: move FMR code to its own file"),
+when the dirty_count is greater than 9/10 of max_items of 8K pool,
+1M pool is used, Vice versa. After the commit 490ea5967b0d ("RDS: IB: move
+FMR code to its own file"), the above is removed. When we make the
+following tests.
+
+Server:
+ rds-stress -r 1.1.1.16 -D 1M
+
+Client:
+ rds-stress -r 1.1.1.14 -s 1.1.1.16 -D 1M
+
+The following will appear.
+"
+connecting to 1.1.1.16:4000
+negotiated options, tasks will start in 2 seconds
+Starting up..header from 1.1.1.166:4001 to id 4001 bogus
+..
+tsks tx/s rx/s tx+rx K/s mbi K/s mbo K/s tx us/c rtt us
+cpu %
+ 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
+ 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
+ 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
+ 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
+ 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
+...
+"
+So this exchange between 8K and 1M pool is added back.
+
+Fixes: commit 490ea5967b0d ("RDS: IB: move FMR code to its own file")
+Signed-off-by: Zhu Yanjun <yanjun.zhu@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/rds/ib_fmr.c | 11 +++++++++++
+ net/rds/ib_rdma.c | 3 ---
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+--- a/net/rds/ib_fmr.c
++++ b/net/rds/ib_fmr.c
+@@ -44,6 +44,17 @@ struct rds_ib_mr *rds_ib_alloc_fmr(struc
+ else
+ pool = rds_ibdev->mr_1m_pool;
+
++ if (atomic_read(&pool->dirty_count) >= pool->max_items / 10)
++ queue_delayed_work(rds_ib_mr_wq, &pool->flush_worker, 10);
++
++ /* Switch pools if one of the pool is reaching upper limit */
++ if (atomic_read(&pool->dirty_count) >= pool->max_items * 9 / 10) {
++ if (pool->pool_type == RDS_IB_MR_8K_POOL)
++ pool = rds_ibdev->mr_1m_pool;
++ else
++ pool = rds_ibdev->mr_8k_pool;
++ }
++
+ ibmr = rds_ib_try_reuse_ibmr(pool);
+ if (ibmr)
+ return ibmr;
+--- a/net/rds/ib_rdma.c
++++ b/net/rds/ib_rdma.c
+@@ -442,9 +442,6 @@ struct rds_ib_mr *rds_ib_try_reuse_ibmr(
+ struct rds_ib_mr *ibmr = NULL;
+ int iter = 0;
+
+- if (atomic_read(&pool->dirty_count) >= pool->max_items_soft / 10)
+- queue_delayed_work(rds_ib_mr_wq, &pool->flush_worker, 10);
+-
+ while (1) {
+ ibmr = rds_ib_reuse_mr(pool);
+ if (ibmr)
diff --git a/patches.suse/net-rose-fix-unbound-loop-in-rose_loopback_timer.patch b/patches.suse/net-rose-fix-unbound-loop-in-rose_loopback_timer.patch
new file mode 100644
index 0000000000..a410a254d2
--- /dev/null
+++ b/patches.suse/net-rose-fix-unbound-loop-in-rose_loopback_timer.patch
@@ -0,0 +1,161 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 24 Apr 2019 05:35:00 -0700
+Subject: net/rose: fix unbound loop in rose_loopback_timer()
+Git-commit: 0453c682459583910d611a96de928f4442205493
+Patch-mainline: v5.1-rc7
+References: networking-stable-19_04_30
+
+This patch adds a limit on the number of skbs that fuzzers can queue
+into loopback_queue. 1000 packets for rose loopback seems more than enough.
+
+Then, since we now have multiple cpus in most linux hosts,
+we also need to limit the number of skbs rose_loopback_timer()
+can dequeue at each round.
+
+rose_loopback_queue() can be drop-monitor friendly, calling
+consume_skb() or kfree_skb() appropriately.
+
+Finally, use mod_timer() instead of del_timer() + add_timer()
+
+syzbot report was :
+
+rcu: INFO: rcu_preempt self-detected stall on CPU
+rcu: 0-...!: (10499 ticks this GP) idle=536/1/0x4000000000000002 softirq=103291/103291 fqs=34
+rcu: (t=10500 jiffies g=140321 q=323)
+rcu: rcu_preempt kthread starved for 10426 jiffies! g140321 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402 ->cpu=1
+rcu: RCU grace-period kthread stack dump:
+rcu_preempt I29168 10 2 0x80000000
+Call Trace:
+ context_switch kernel/sched/core.c:2877 [inline]
+ __schedule+0x813/0x1cc0 kernel/sched/core.c:3518
+ schedule+0x92/0x180 kernel/sched/core.c:3562
+ schedule_timeout+0x4db/0xfd0 kernel/time/timer.c:1803
+ rcu_gp_fqs_loop kernel/rcu/tree.c:1971 [inline]
+ rcu_gp_kthread+0x962/0x17b0 kernel/rcu/tree.c:2128
+ kthread+0x357/0x430 kernel/kthread.c:253
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
+NMI backtrace for cpu 0
+CPU: 0 PID: 7632 Comm: kworker/0:4 Not tainted 5.1.0-rc5+ #172
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: events iterate_cleanup_work
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ nmi_cpu_backtrace.cold+0x63/0xa4 lib/nmi_backtrace.c:101
+ nmi_trigger_cpumask_backtrace+0x1be/0x236 lib/nmi_backtrace.c:62
+ arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
+ trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]
+ rcu_dump_cpu_stacks+0x183/0x1cf kernel/rcu/tree.c:1223
+ print_cpu_stall kernel/rcu/tree.c:1360 [inline]
+ check_cpu_stall kernel/rcu/tree.c:1434 [inline]
+ rcu_pending kernel/rcu/tree.c:3103 [inline]
+ rcu_sched_clock_irq.cold+0x500/0xa4a kernel/rcu/tree.c:2544
+ update_process_times+0x32/0x80 kernel/time/timer.c:1635
+ tick_sched_handle+0xa2/0x190 kernel/time/tick-sched.c:161
+ tick_sched_timer+0x47/0x130 kernel/time/tick-sched.c:1271
+ __run_hrtimer kernel/time/hrtimer.c:1389 [inline]
+ __hrtimer_run_queues+0x33e/0xde0 kernel/time/hrtimer.c:1451
+ hrtimer_interrupt+0x314/0x770 kernel/time/hrtimer.c:1509
+ local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
+ smp_apic_timer_interrupt+0x120/0x570 arch/x86/kernel/apic/apic.c:1060
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
+RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x50 kernel/kcov.c:95
+Code: 89 25 b4 6e ec 08 41 bc f4 ff ff ff e8 cd 5d ea ff 48 c7 05 9e 6e ec 08 00 00 00 00 e9 a4 e9 ff ff 90 90 90 90 90 90 90 90 90 <55> 48 89 e5 48 8b 75 08 65 48 8b 04 25 00 ee 01 00 65 8b 15 c8 60
+RSP: 0018:ffff8880ae807ce0 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
+RAX: ffff88806fd40640 RBX: dffffc0000000000 RCX: ffffffff863fbc56
+RDX: 0000000000000100 RSI: ffffffff863fbc1d RDI: ffff88808cf94228
+RBP: ffff8880ae807d10 R08: ffff88806fd40640 R09: ffffed1015d00f8b
+R10: ffffed1015d00f8a R11: 0000000000000003 R12: ffff88808cf941c0
+R13: 00000000fffff034 R14: ffff8882166cd840 R15: 0000000000000000
+ rose_loopback_timer+0x30d/0x3f0 net/rose/rose_loopback.c:91
+ call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
+ expire_timers kernel/time/timer.c:1362 [inline]
+ __run_timers kernel/time/timer.c:1681 [inline]
+ __run_timers kernel/time/timer.c:1649 [inline]
+ run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
+ __do_softirq+0x266/0x95a kernel/softirq.c:293
+ do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1027
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/rose/rose_loopback.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+--- a/net/rose/rose_loopback.c
++++ b/net/rose/rose_loopback.c
+@@ -16,6 +16,7 @@
+ #include <linux/init.h>
+
+ static struct sk_buff_head loopback_queue;
++#define ROSE_LOOPBACK_LIMIT 1000
+ static struct timer_list loopback_timer;
+
+ static void rose_set_loopback_timer(void);
+@@ -34,17 +35,19 @@ static int rose_loopback_running(void)
+
+ int rose_loopback_queue(struct sk_buff *skb, struct rose_neigh *neigh)
+ {
+- struct sk_buff *skbn;
++ struct sk_buff *skbn = NULL;
+
+- skbn = skb_clone(skb, GFP_ATOMIC);
++ if (skb_queue_len(&loopback_queue) < ROSE_LOOPBACK_LIMIT)
++ skbn = skb_clone(skb, GFP_ATOMIC);
+
+- kfree_skb(skb);
+-
+- if (skbn != NULL) {
++ if (skbn) {
++ consume_skb(skb);
+ skb_queue_tail(&loopback_queue, skbn);
+
+ if (!rose_loopback_running())
+ rose_set_loopback_timer();
++ } else {
++ kfree_skb(skb);
+ }
+
+ return 1;
+@@ -54,13 +57,10 @@ static void rose_loopback_timer(unsigned
+
+ static void rose_set_loopback_timer(void)
+ {
+- del_timer(&loopback_timer);
+-
+ loopback_timer.data = 0;
+ loopback_timer.function = &rose_loopback_timer;
+- loopback_timer.expires = jiffies + 10;
+
+- add_timer(&loopback_timer);
++ mod_timer(&loopback_timer, jiffies + 10);
+ }
+
+ static void rose_loopback_timer(unsigned long param)
+@@ -71,8 +71,12 @@ static void rose_loopback_timer(unsigned
+ struct sock *sk;
+ unsigned short frametype;
+ unsigned int lci_i, lci_o;
++ int count;
+
+- while ((skb = skb_dequeue(&loopback_queue)) != NULL) {
++ for (count = 0; count < ROSE_LOOPBACK_LIMIT; count++) {
++ skb = skb_dequeue(&loopback_queue);
++ if (!skb)
++ return;
+ if (skb->len < ROSE_MIN_LEN) {
+ kfree_skb(skb);
+ continue;
+@@ -109,6 +113,8 @@ static void rose_loopback_timer(unsigned
+ kfree_skb(skb);
+ }
+ }
++ if (!skb_queue_empty(&loopback_queue))
++ mod_timer(&loopback_timer, jiffies + 1);
+ }
+
+ void __exit rose_loopback_clear(void)
diff --git a/patches.suse/net-stmmac-move-stmmac_check_ether_addr-to-driver-pr.patch b/patches.suse/net-stmmac-move-stmmac_check_ether_addr-to-driver-pr.patch
new file mode 100644
index 0000000000..922abddca5
--- /dev/null
+++ b/patches.suse/net-stmmac-move-stmmac_check_ether_addr-to-driver-pr.patch
@@ -0,0 +1,44 @@
+From: Vinod Koul <vkoul@kernel.org>
+Date: Mon, 22 Apr 2019 15:15:32 +0530
+Subject: net: stmmac: move stmmac_check_ether_addr() to driver probe
+Git-commit: b561af36b1841088552464cdc3f6371d92f17710
+Patch-mainline: v5.1-rc7
+References: networking-stable-19_04_30
+
+stmmac_check_ether_addr() checks the MAC address and assigns one in
+driver open(). In many cases when we create slave netdevice, the dev
+addr is inherited from master but the master dev addr maybe NULL at
+that time, so move this call to driver probe so that address is
+always valid.
+
+Signed-off-by: Xiaofei Shen <xiaofeis@codeaurora.org>
+Tested-by: Xiaofei Shen <xiaofeis@codeaurora.org>
+Signed-off-by: Sneh Shah <snehshah@codeaurora.org>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2597,8 +2597,6 @@ static int stmmac_open(struct net_device
+ struct stmmac_priv *priv = netdev_priv(dev);
+ int ret;
+
+- stmmac_check_ether_addr(priv);
+-
+ if (priv->hw->pcs != STMMAC_PCS_RGMII &&
+ priv->hw->pcs != STMMAC_PCS_TBI &&
+ priv->hw->pcs != STMMAC_PCS_RTBI) {
+@@ -4178,6 +4176,8 @@ int stmmac_dvr_probe(struct device *devi
+ if (ret)
+ goto error_hw_init;
+
++ stmmac_check_ether_addr(priv);
++
+ /* Configure real RX and TX queues */
+ netif_set_real_num_rx_queues(ndev, priv->plat->rx_queues_to_use);
+ netif_set_real_num_tx_queues(ndev, priv->plat->tx_queues_to_use);
diff --git a/patches.suse/net-thunderx-don-t-allow-jumbo-frames-with-XDP.patch b/patches.suse/net-thunderx-don-t-allow-jumbo-frames-with-XDP.patch
new file mode 100644
index 0000000000..4f2d0f70dd
--- /dev/null
+++ b/patches.suse/net-thunderx-don-t-allow-jumbo-frames-with-XDP.patch
@@ -0,0 +1,39 @@
+From: Matteo Croce <mcroce@redhat.com>
+Date: Thu, 11 Apr 2019 12:26:33 +0200
+Subject: net: thunderx: don't allow jumbo frames with XDP
+Git-commit: 1f227d16083b2e280b7dde4ca78883d75593f2fd
+Patch-mainline: v5.1-rc6
+References: networking-stable-19_04_19
+
+The thunderx driver forbids to load an eBPF program if the MTU is too high,
+but this can be circumvented by loading the eBPF, then raising the MTU.
+
+Fix this by limiting the MTU if an eBPF program is already loaded.
+
+Fixes: 05c773f52b96e ("net: thunderx: Add basic XDP support")
+Signed-off-by: Matteo Croce <mcroce@redhat.com>
+Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/cavium/thunder/nicvf_main.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
+@@ -1546,6 +1546,15 @@ static int nicvf_change_mtu(struct net_d
+ struct nicvf *nic = netdev_priv(netdev);
+ int orig_mtu = netdev->mtu;
+
++ /* For now just support only the usual MTU sized frames,
++ * plus some headroom for VLAN, QinQ.
++ */
++ if (nic->xdp_prog && new_mtu > MAX_XDP_MTU) {
++ netdev_warn(netdev, "Jumbo frames not yet supported with XDP, current MTU %d.\n",
++ netdev->mtu);
++ return -EINVAL;
++ }
++
+ netdev->mtu = new_mtu;
+
+ if (!netif_running(netdev))
diff --git a/patches.suse/net-thunderx-raise-XDP-MTU-to-1508.patch b/patches.suse/net-thunderx-raise-XDP-MTU-to-1508.patch
new file mode 100644
index 0000000000..3b7bb1ff99
--- /dev/null
+++ b/patches.suse/net-thunderx-raise-XDP-MTU-to-1508.patch
@@ -0,0 +1,53 @@
+From: Matteo Croce <mcroce@redhat.com>
+Date: Thu, 11 Apr 2019 12:26:32 +0200
+Subject: net: thunderx: raise XDP MTU to 1508
+Git-commit: 5ee15c101f29e0093ffb5448773ccbc786eb313b
+Patch-mainline: v5.1-rc6
+References: networking-stable-19_04_19
+
+The thunderx driver splits frames bigger than 1530 bytes to multiple
+pages, making impossible to run an eBPF program on it.
+This leads to a maximum MTU of 1508 if QinQ is in use.
+
+The thunderx driver forbids to load an eBPF program if the MTU is higher
+than 1500 bytes. Raise the limit to 1508 so it is possible to use L2
+protocols which need some more headroom.
+
+Fixes: 05c773f52b96e ("net: thunderx: Add basic XDP support")
+Signed-off-by: Matteo Croce <mcroce@redhat.com>
+Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/cavium/thunder/nicvf_main.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
+@@ -32,6 +32,13 @@
+ #define DRV_NAME "nicvf"
+ #define DRV_VERSION "1.0"
+
++/* NOTE: Packets bigger than 1530 are split across multiple pages and XDP needs
++ * the buffer to be contiguous. Allow XDP to be set up only if we don't exceed
++ * this value, keeping headroom for the 14 byte Ethernet header and two
++ * VLAN tags (for QinQ)
++ */
++#define MAX_XDP_MTU (1530 - ETH_HLEN - VLAN_HLEN * 2)
++
+ /* Supported devices */
+ static const struct pci_device_id nicvf_id_table[] = {
+ { PCI_DEVICE_SUB(PCI_VENDOR_ID_CAVIUM,
+@@ -1789,8 +1796,10 @@ static int nicvf_xdp_setup(struct nicvf
+ bool bpf_attached = false;
+ int ret = 0;
+
+- /* For now just support only the usual MTU sized frames */
+- if (prog && (dev->mtu > 1500)) {
++ /* For now just support only the usual MTU sized frames,
++ * plus some headroom for VLAN, QinQ.
++ */
++ if (prog && dev->mtu > MAX_XDP_MTU) {
+ netdev_warn(dev, "Jumbo frames not yet supported with XDP, current MTU %d.\n",
+ dev->mtu);
+ return -EOPNOTSUPP;
diff --git a/patches.suse/nvme-flush-scan_work-when-resetting-controller.patch b/patches.suse/nvme-flush-scan_work-when-resetting-controller.patch
index 6c000278ca..bef2513461 100644
--- a/patches.suse/nvme-flush-scan_work-when-resetting-controller.patch
+++ b/patches.suse/nvme-flush-scan_work-when-resetting-controller.patch
@@ -13,30 +13,48 @@ function if the controller state isn't live to avoit lockups.
Signed-off-by: Hannes Reinecke <hare@suse.com>
---
- drivers/nvme/host/core.c | 3 +++
+ drivers/nvme/host/core.c | 7 +++++++
drivers/nvme/host/fc.c | 1 +
drivers/nvme/host/rdma.c | 1 +
- 3 files changed, 5 insertions(+)
+ 3 files changed, 9 insertions(+)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
-index a4ecb44476ef..e3b89df96fbe 100644
+index e536f48ea4dd..1cd8cfe42f60 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
-@@ -1538,6 +1538,9 @@ static int nvme_revalidate_disk(struct gendisk *disk)
- struct nvme_ns_ids ids;
- int ret = 0;
+@@ -1536,6 +1536,9 @@ static int nvme_revalidate_disk(struct gendisk *disk)
+ return -ENODEV;
+ }
+ if (ctrl->state != NVME_CTRL_LIVE)
+ return 0;
+
- if (test_bit(NVME_NS_DEAD, &ns->flags)) {
- set_capacity(disk, 0);
+ id = nvme_identify_ns(ctrl, ns->head->ns_id);
+ if (!id)
return -ENODEV;
+@@ -3221,6 +3224,8 @@ static int nvme_scan_ns_list(struct nvme_ctrl *ctrl, unsigned nn)
+ return -ENOMEM;
+
+ for (i = 0; i < num_lists; i++) {
++ if (ctrl->state != NVME_CTRL_LIVE)
++ goto free;
+ ret = nvme_identify_ns_list(ctrl, prev, ns_list);
+ if (ret)
+ goto free;
+@@ -3299,6 +3304,8 @@ static void nvme_scan_work(struct work_struct *work)
+ if (test_and_clear_bit(NVME_AER_NOTICE_NS_CHANGED, &ctrl->events)) {
+ dev_info(ctrl->device, "rescanning namespaces.\n");
+ nvme_clear_changed_ns_log(ctrl);
++ if (ctrl->state != NVME_CTRL_LIVE)
++ return;
+ }
+
+ if (nvme_identify_ctrl(ctrl, &id))
diff --git a/drivers/nvme/host/fc.