Home Home > GIT Browse > SLE12-SP5
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKernel Build Daemon <kbuild@suse.de>2019-07-19 07:01:15 +0200
committerKernel Build Daemon <kbuild@suse.de>2019-07-19 07:01:15 +0200
commitdfd082ce39b049e1e6e76e672ede26f7bc64b82f (patch)
tree05007e50ee8b2f51258ae1e2bf58ef614f70b206
parentd71cd3e4579c566eeb35afc320126c7b897a6e73 (diff)
parenta8aa0aac4c92ecd178f88c84453883467e8589e8 (diff)
Merge branch 'SLE15' into SLE12-SP4
-rw-r--r--patches.suse/Fix-memory-leak-in-sctp_process_init.patch123
-rw-r--r--patches.suse/ethtool-fix-potential-userspace-buffer-overflow.patch52
-rw-r--r--patches.suse/ipv6-fix-EFAULT-on-sendto-with-icmpv6-and-hdrincl.patch55
-rw-r--r--patches.suse/ipv6-use-READ_ONCE-for-inet-hdrincl-as-in-ipv4.patch62
-rw-r--r--patches.suse/mm-migrate-Fix-reference-check-race-between-__find_get_block-and-migration.patch77
-rw-r--r--patches.suse/net-mlx4_en-ethtool-Remove-unsupported-SFP-EEPROM-hi.patch58
-rw-r--r--patches.suse/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch88
-rw-r--r--series.conf9
8 files changed, 524 insertions, 0 deletions
diff --git a/patches.suse/Fix-memory-leak-in-sctp_process_init.patch b/patches.suse/Fix-memory-leak-in-sctp_process_init.patch
new file mode 100644
index 0000000000..1199e00203
--- /dev/null
+++ b/patches.suse/Fix-memory-leak-in-sctp_process_init.patch
@@ -0,0 +1,123 @@
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Mon, 3 Jun 2019 16:32:59 -0400
+Subject: Fix memory leak in sctp_process_init
+Git-commit: 0a8dd9f67cd0da7dc284f48b032ce00db1a68791
+Patch-mainline: 5.2-rc4
+References: networking-stable-19_06_09
+
+syzbot found the following leak in sctp_process_init
+BUG: memory leak
+unreferenced object 0xffff88810ef68400 (size 1024):
+ comm "syz-executor273", pid 7046, jiffies 4294945598 (age 28.770s)
+ hex dump (first 32 bytes):
+ 1d de 28 8d de 0b 1b e3 b5 c2 f9 68 fd 1a 97 25 ..(........h...%
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000a02cebbd>] kmemleak_alloc_recursive include/linux/kmemleak.h:55
+[inline]
+ [<00000000a02cebbd>] slab_post_alloc_hook mm/slab.h:439 [inline]
+ [<00000000a02cebbd>] slab_alloc mm/slab.c:3326 [inline]
+ [<00000000a02cebbd>] __do_kmalloc mm/slab.c:3658 [inline]
+ [<00000000a02cebbd>] __kmalloc_track_caller+0x15d/0x2c0 mm/slab.c:3675
+ [<000000009e6245e6>] kmemdup+0x27/0x60 mm/util.c:119
+ [<00000000dfdc5d2d>] kmemdup include/linux/string.h:432 [inline]
+ [<00000000dfdc5d2d>] sctp_process_init+0xa7e/0xc20
+net/sctp/sm_make_chunk.c:2437
+ [<00000000b58b62f8>] sctp_cmd_process_init net/sctp/sm_sideeffect.c:682
+[inline]
+ [<00000000b58b62f8>] sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1384
+[inline]
+ [<00000000b58b62f8>] sctp_side_effects net/sctp/sm_sideeffect.c:1194
+[inline]
+ [<00000000b58b62f8>] sctp_do_sm+0xbdc/0x1d60 net/sctp/sm_sideeffect.c:1165
+ [<0000000044e11f96>] sctp_assoc_bh_rcv+0x13c/0x200
+net/sctp/associola.c:1074
+ [<00000000ec43804d>] sctp_inq_push+0x7f/0xb0 net/sctp/inqueue.c:95
+ [<00000000726aa954>] sctp_backlog_rcv+0x5e/0x2a0 net/sctp/input.c:354
+ [<00000000d9e249a8>] sk_backlog_rcv include/net/sock.h:950 [inline]
+ [<00000000d9e249a8>] __release_sock+0xab/0x110 net/core/sock.c:2418
+ [<00000000acae44fa>] release_sock+0x37/0xd0 net/core/sock.c:2934
+ [<00000000963cc9ae>] sctp_sendmsg+0x2c0/0x990 net/sctp/socket.c:2122
+ [<00000000a7fc7565>] inet_sendmsg+0x64/0x120 net/ipv4/af_inet.c:802
+ [<00000000b732cbd3>] sock_sendmsg_nosec net/socket.c:652 [inline]
+ [<00000000b732cbd3>] sock_sendmsg+0x54/0x70 net/socket.c:671
+ [<00000000274c57ab>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2292
+ [<000000008252aedb>] __sys_sendmsg+0x80/0xf0 net/socket.c:2330
+ [<00000000f7bf23d1>] __do_sys_sendmsg net/socket.c:2339 [inline]
+ [<00000000f7bf23d1>] __se_sys_sendmsg net/socket.c:2337 [inline]
+ [<00000000f7bf23d1>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2337
+ [<00000000a8b4131f>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:3
+
+The problem was that the peer.cookie value points to an skb allocated
+area on the first pass through this function, at which point it is
+overwritten with a heap allocated value, but in certain cases, where a
+COOKIE_ECHO chunk is included in the packet, a second pass through
+sctp_process_init is made, where the cookie value is re-allocated,
+leaking the first allocation.
+
+Fix is to always allocate the cookie value, and free it when we are done
+using it.
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
+CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+CC: "David S. Miller" <davem@davemloft.net>
+CC: netdev@vger.kernel.org
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sctp/sm_make_chunk.c | 13 +++----------
+ net/sctp/sm_sideeffect.c | 5 +++++
+ 2 files changed, 8 insertions(+), 10 deletions(-)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -2321,7 +2321,6 @@ int sctp_process_init(struct sctp_associ
+ struct list_head *pos, *temp;
+ struct sctp_af *af;
+ union sctp_addr addr;
+- char *cookie;
+ int src_match = 0;
+
+ /* We must include the address that the INIT packet came from.
+@@ -2426,14 +2425,6 @@ int sctp_process_init(struct sctp_associ
+ /* Peer Rwnd : Current calculated value of the peer's rwnd. */
+ asoc->peer.rwnd = asoc->peer.i.a_rwnd;
+
+- /* Copy cookie in case we need to resend COOKIE-ECHO. */
+- cookie = asoc->peer.cookie;
+- if (cookie) {
+- asoc->peer.cookie = kmemdup(cookie, asoc->peer.cookie_len, gfp);
+- if (!asoc->peer.cookie)
+- goto clean_up;
+- }
+-
+ /* RFC 2960 7.2.1 The initial value of ssthresh MAY be arbitrarily
+ * high (for example, implementations MAY use the size of the receiver
+ * advertised window).
+@@ -2599,7 +2590,9 @@ do_addr_param:
+ case SCTP_PARAM_STATE_COOKIE:
+ asoc->peer.cookie_len =
+ ntohs(param.p->length) - sizeof(sctp_paramhdr_t);
+- asoc->peer.cookie = param.cookie->body;
++ asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
++ if (!asoc->peer.cookie)
++ retval = 0;
+ break;
+
+ case SCTP_PARAM_HEARTBEAT_INFO:
+--- a/net/sctp/sm_sideeffect.c
++++ b/net/sctp/sm_sideeffect.c
+@@ -854,6 +854,11 @@ static void sctp_cmd_new_state(sctp_cmd_
+ asoc->rto_initial;
+ }
+
++ if (sctp_state(asoc, ESTABLISHED)) {
++ kfree(asoc->peer.cookie);
++ asoc->peer.cookie = NULL;
++ }
++
+ if (sctp_state(asoc, ESTABLISHED) ||
+ sctp_state(asoc, CLOSED) ||
+ sctp_state(asoc, SHUTDOWN_RECEIVED)) {
diff --git a/patches.suse/ethtool-fix-potential-userspace-buffer-overflow.patch b/patches.suse/ethtool-fix-potential-userspace-buffer-overflow.patch
new file mode 100644
index 0000000000..d67ec9a7cb
--- /dev/null
+++ b/patches.suse/ethtool-fix-potential-userspace-buffer-overflow.patch
@@ -0,0 +1,52 @@
+From: Vivien Didelot <vivien.didelot@gmail.com>
+Date: Mon, 3 Jun 2019 16:57:13 -0400
+Subject: ethtool: fix potential userspace buffer overflow
+Git-commit: 0ee4e76937d69128a6a66861ba393ebdc2ffc8a2
+Patch-mainline: 5.2-rc4
+References: networking-stable-19_06_09
+
+ethtool_get_regs() allocates a buffer of size ops->get_regs_len(),
+and pass it to the kernel driver via ops->get_regs() for filling.
+
+There is no restriction about what the kernel drivers can or cannot do
+with the open ethtool_regs structure. They usually set regs->version
+and ignore regs->len or set it to the same size as ops->get_regs_len().
+
+But if userspace allocates a smaller buffer for the registers dump,
+we would cause a userspace buffer overflow in the final copy_to_user()
+call, which uses the regs.len value potentially reset by the driver.
+
+To fix this, make this case obvious and store regs.len before calling
+ops->get_regs(), to only copy as much data as requested by userspace,
+up to the value returned by ops->get_regs_len().
+
+While at it, remove the redundant check for non-null regbuf.
+
+Signed-off-by: Vivien Didelot <vivien.didelot@gmail.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/core/ethtool.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/core/ethtool.c
++++ b/net/core/ethtool.c
+@@ -1427,13 +1427,16 @@ static int ethtool_get_regs(struct net_d
+ return -ENOMEM;
+ }
+
++ if (regs.len < reglen)
++ reglen = regs.len;
++
+ ops->get_regs(dev, &regs, regbuf);
+
+ ret = -EFAULT;
+ if (copy_to_user(useraddr, &regs, sizeof(regs)))
+ goto out;
+ useraddr += offsetof(struct ethtool_regs, data);
+- if (regbuf && copy_to_user(useraddr, regbuf, regs.len))
++ if (copy_to_user(useraddr, regbuf, reglen))
+ goto out;
+ ret = 0;
+
diff --git a/patches.suse/ipv6-fix-EFAULT-on-sendto-with-icmpv6-and-hdrincl.patch b/patches.suse/ipv6-fix-EFAULT-on-sendto-with-icmpv6-and-hdrincl.patch
new file mode 100644
index 0000000000..2e53d7e02a
--- /dev/null
+++ b/patches.suse/ipv6-fix-EFAULT-on-sendto-with-icmpv6-and-hdrincl.patch
@@ -0,0 +1,55 @@
+From: Olivier Matz <olivier.matz@6wind.com>
+Date: Thu, 6 Jun 2019 09:15:19 +0200
+Subject: ipv6: fix EFAULT on sendto with icmpv6 and hdrincl
+Git-commit: b9aa52c4cb457e7416cc0c95f475e72ef4a61336
+Patch-mainline: 5.2-rc4
+References: networking-stable-19_06_09
+
+The following code returns EFAULT (Bad address):
+
+ s = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
+ setsockopt(s, SOL_IPV6, IPV6_HDRINCL, 1);
+ sendto(ipv6_icmp6_packet, addr); /* returns -1, errno = EFAULT */
+
+The IPv4 equivalent code works. A workaround is to use IPPROTO_RAW
+instead of IPPROTO_ICMPV6.
+
+The failure happens because 2 bytes are eaten from the msghdr by
+rawv6_probe_proto_opt() starting from commit 19e3c66b52ca ("ipv6
+equivalent of "ipv4: Avoid reading user iov twice after
+raw_probe_proto_opt""), but at that time it was not a problem because
+IPV6_HDRINCL was not yet introduced.
+
+Only eat these 2 bytes if hdrincl == 0.
+
+Fixes: 715f504b1189 ("ipv6: add IPV6_HDRINCL option for raw sockets")
+Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/raw.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -894,11 +894,14 @@ static int rawv6_sendmsg(struct sock *sk
+ opt = ipv6_fixup_options(&opt_space, opt);
+
+ fl6.flowi6_proto = proto;
+- rfv.msg = msg;
+- rfv.hlen = 0;
+- err = rawv6_probe_proto_opt(&rfv, &fl6);
+- if (err)
+- goto out;
++
++ if (!hdrincl) {
++ rfv.msg = msg;
++ rfv.hlen = 0;
++ err = rawv6_probe_proto_opt(&rfv, &fl6);
++ if (err)
++ goto out;
++ }
+
+ if (!ipv6_addr_any(daddr))
+ fl6.daddr = *daddr;
diff --git a/patches.suse/ipv6-use-READ_ONCE-for-inet-hdrincl-as-in-ipv4.patch b/patches.suse/ipv6-use-READ_ONCE-for-inet-hdrincl-as-in-ipv4.patch
new file mode 100644
index 0000000000..a398ac32dc
--- /dev/null
+++ b/patches.suse/ipv6-use-READ_ONCE-for-inet-hdrincl-as-in-ipv4.patch
@@ -0,0 +1,62 @@
+From: Olivier Matz <olivier.matz@6wind.com>
+Date: Thu, 6 Jun 2019 09:15:18 +0200
+Subject: ipv6: use READ_ONCE() for inet->hdrincl as in ipv4
+Git-commit: 59e3e4b52663a9d97efbce7307f62e4bc5c9ce91
+Patch-mainline: 5.2-rc4
+References: networking-stable-19_06_09
+
+As it was done in commit 8f659a03a0ba ("net: ipv4: fix for a race
+condition in raw_sendmsg") and commit 20b50d79974e ("net: ipv4: emulate
+READ_ONCE() on ->hdrincl bit-field in raw_sendmsg()") for ipv4, copy the
+value of inet->hdrincl in a local variable, to avoid introducing a race
+condition in the next commit.
+
+Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/raw.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -779,6 +779,7 @@ static int rawv6_sendmsg(struct sock *sk
+ struct sockcm_cookie sockc;
+ struct ipcm6_cookie ipc6;
+ int addr_len = msg->msg_namelen;
++ int hdrincl;
+ u16 proto;
+ int err;
+
+@@ -792,6 +793,13 @@ static int rawv6_sendmsg(struct sock *sk
+ if (msg->msg_flags & MSG_OOB)
+ return -EOPNOTSUPP;
+
++ /* hdrincl should be READ_ONCE(inet->hdrincl)
++ * but READ_ONCE() doesn't work with bit fields.
++ * Doing this indirectly yields the same result.
++ */
++ hdrincl = inet->hdrincl;
++ hdrincl = READ_ONCE(hdrincl);
++
+ /*
+ * Get and verify the address.
+ */
+@@ -907,7 +915,7 @@ static int rawv6_sendmsg(struct sock *sk
+ fl6.flowi6_oif = np->ucast_oif;
+ security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
+
+- if (inet->hdrincl)
++ if (hdrincl)
+ fl6.flowi6_flags |= FLOWI_FLAG_KNOWN_NH;
+
+ if (ipc6.tclass < 0)
+@@ -930,7 +938,7 @@ static int rawv6_sendmsg(struct sock *sk
+ goto do_confirm;
+
+ back_from_confirm:
+- if (inet->hdrincl)
++ if (hdrincl)
+ err = rawv6_send_hdrinc(sk, msg, len, &fl6, &dst, msg->msg_flags);
+ else {
+ ipc6.opt = opt;
diff --git a/patches.suse/mm-migrate-Fix-reference-check-race-between-__find_get_block-and-migration.patch b/patches.suse/mm-migrate-Fix-reference-check-race-between-__find_get_block-and-migration.patch
new file mode 100644
index 0000000000..d7084c1f60
--- /dev/null
+++ b/patches.suse/mm-migrate-Fix-reference-check-race-between-__find_get_block-and-migration.patch
@@ -0,0 +1,77 @@
+From 17b4ecf88713135dd439f72c5c6150d6dc84da3e Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 10 Jul 2019 11:31:01 +0200
+Subject: [PATCH] mm: migrate: Fix reference check race between
+ __find_get_block() and migration
+
+References: bnc#1137609
+Patch-mainline: No, under review, expected in 5.3
+
+buffer_migrate_page_norefs() can race with bh users in the following way:
+
+CPU1 CPU2
+buffer_migrate_page_norefs()
+ buffer_migrate_lock_buffers()
+ checks bh refs
+ spin_unlock(&mapping->private_lock)
+ __find_get_block()
+ spin_lock(&mapping->private_lock)
+ grab bh ref
+ spin_unlock(&mapping->private_lock)
+ move page do bh work
+
+This can result in various issues like lost updates to buffers (i.e.
+metadata corruption) or use after free issues for the old page.
+
+This patch closes the race by holding mapping->private_lock while the
+mapping is being moved to a new page. Ordinarily, a reference can be taken
+outside of the private_lock using the per-cpu BH LRU but the references
+are checked and the LRU invalidated if necessary. The private_lock is held
+once the references are known so the buffer lookup slow path will spin
+on the private_lock. Between the page lock and private_lock, it should
+be impossible for other references to be acquired and updates to happen
+during the migration.
+
+A user had reported data corruption issues on a distribution kernel with
+a similar page migration implementation as mainline. The data corruption
+could not be reproduced with this patch applied after 44 hours of testing
+(fastest time to produce the problem reported as 5 hours). A small number
+of migration-intensive tests were run and no performance problems were
+noted.
+
+[mgorman@techsingularity.net: Changelog, removed tracing]
+Fixes: 89cb0888ca14 "mm: migrate: provide buffer_migrate_page_norefs()"
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Mel Gorman <mgorman@suse.de>
+---
+ mm/migrate.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/mm/migrate.c b/mm/migrate.c
+index e9594bc0d406..a59e4aed6d2e 100644
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -771,12 +771,12 @@ static int __buffer_migrate_page(struct address_space *mapping,
+ }
+ bh = bh->b_this_page;
+ } while (bh != head);
+- spin_unlock(&mapping->private_lock);
+ if (busy) {
+ if (invalidated) {
+ rc = -EAGAIN;
+ goto unlock_buffers;
+ }
++ spin_unlock(&mapping->private_lock);
+ invalidate_bh_lrus();
+ invalidated = true;
+ goto recheck_buffers;
+@@ -809,6 +809,8 @@ static int __buffer_migrate_page(struct address_space *mapping,
+
+ rc = MIGRATEPAGE_SUCCESS;
+ unlock_buffers:
++ if (check_refs)
++ spin_unlock(&mapping->private_lock);
+ bh = head;
+ do {
+ unlock_buffer(bh);
diff --git a/patches.suse/net-mlx4_en-ethtool-Remove-unsupported-SFP-EEPROM-hi.patch b/patches.suse/net-mlx4_en-ethtool-Remove-unsupported-SFP-EEPROM-hi.patch
new file mode 100644
index 0000000000..0df24c5c40
--- /dev/null
+++ b/patches.suse/net-mlx4_en-ethtool-Remove-unsupported-SFP-EEPROM-hi.patch
@@ -0,0 +1,58 @@
+From: Erez Alfasi <ereza@mellanox.com>
+Date: Mon, 20 May 2019 17:42:52 +0300
+Subject: net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query
+Git-commit: 135dd9594f127c8a82d141c3c8430e9e2143216a
+Patch-mainline: 5.2-rc2
+References: networking-stable-19_06_09
+
+Querying EEPROM high pages data for SFP module is currently
+not supported by our driver but is still tried, resulting in
+invalid FW queries.
+
+Set the EEPROM ethtool data length to 256 for SFP module to
+limit the reading for page 0 only and prevent invalid FW queries.
+
+Fixes: 7202da8b7f71 ("ethtool, net/mlx4_en: Cable info, get_module_info/eeprom ethtool support")
+Signed-off-by: Erez Alfasi <ereza@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 4 +++-
+ drivers/net/ethernet/mellanox/mlx4/port.c | 5 -----
+ 2 files changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+@@ -1982,6 +1982,8 @@ static int mlx4_en_set_tunable(struct ne
+ return ret;
+ }
+
++#define MLX4_EEPROM_PAGE_LEN 256
++
+ static int mlx4_en_get_module_info(struct net_device *dev,
+ struct ethtool_modinfo *modinfo)
+ {
+@@ -2016,7 +2018,7 @@ static int mlx4_en_get_module_info(struc
+ break;
+ case MLX4_MODULE_ID_SFP:
+ modinfo->type = ETH_MODULE_SFF_8472;
+- modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN;
++ modinfo->eeprom_len = MLX4_EEPROM_PAGE_LEN;
+ break;
+ default:
+ return -EINVAL;
+--- a/drivers/net/ethernet/mellanox/mlx4/port.c
++++ b/drivers/net/ethernet/mellanox/mlx4/port.c
+@@ -2077,11 +2077,6 @@ int mlx4_get_module_info(struct mlx4_dev
+ size -= offset + size - I2C_PAGE_SIZE;
+
+ i2c_addr = I2C_ADDR_LOW;
+- if (offset >= I2C_PAGE_SIZE) {
+- /* Reset offset to high page */
+- i2c_addr = I2C_ADDR_HIGH;
+- offset -= I2C_PAGE_SIZE;
+- }
+
+ cable_info = (struct mlx4_cable_info *)inmad->data;
+ cable_info->dev_mem_address = cpu_to_be16(offset);
diff --git a/patches.suse/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch b/patches.suse/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch
new file mode 100644
index 0000000000..be69d22ad8
--- /dev/null
+++ b/patches.suse/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch
@@ -0,0 +1,88 @@
+From: Zhu Yanjun <yanjun.zhu@oracle.com>
+Date: Thu, 6 Jun 2019 04:00:03 -0400
+Subject: net: rds: fix memory leak in rds_ib_flush_mr_pool
+Git-commit: 85cb928787eab6a2f4ca9d2a798b6f3bed53ced1
+Patch-mainline: 5.2-rc4
+References: networking-stable-19_06_09
+
+When the following tests last for several hours, the problem will occur.
+
+Server:
+ rds-stress -r 1.1.1.16 -D 1M
+Client:
+ rds-stress -r 1.1.1.14 -s 1.1.1.16 -D 1M -T 30
+
+The following will occur.
+
+"
+Starting up....
+tsks tx/s rx/s tx+rx K/s mbi K/s mbo K/s tx us/c rtt us cpu
+%
+ 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
+ 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
+ 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
+ 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
+"
+>From vmcore, we can find that clean_list is NULL.
+
+>From the source code, rds_mr_flushd calls rds_ib_mr_pool_flush_worker.
+Then rds_ib_mr_pool_flush_worker calls
+"
+ rds_ib_flush_mr_pool(pool, 0, NULL);
+"
+Then in function
+"
+int rds_ib_flush_mr_pool(struct rds_ib_mr_pool *pool,
+ int free_all, struct rds_ib_mr **ibmr_ret)
+"
+ibmr_ret is NULL.
+
+In the source code,
+"
+...
+list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail);
+if (ibmr_ret)
+ *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode);
+
+/* more than one entry in llist nodes */
+if (clean_nodes->next)
+ llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list);
+...
+"
+When ibmr_ret is NULL, llist_entry is not executed. clean_nodes->next
+instead of clean_nodes is added in clean_list.
+So clean_nodes is discarded. It can not be used again.
+The workqueue is executed periodically. So more and more clean_nodes are
+discarded. Finally the clean_list is NULL.
+Then this problem will occur.
+
+Fixes: 1bc144b62524 ("net, rds, Replace xlist in net/rds/xlist.h with llist")
+Signed-off-by: Zhu Yanjun <yanjun.zhu@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/rds/ib_rdma.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/rds/ib_rdma.c
++++ b/net/rds/ib_rdma.c
+@@ -416,12 +416,14 @@ int rds_ib_flush_mr_pool(struct rds_ib_m
+ wait_clean_list_grace();
+
+ list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail);
+- if (ibmr_ret)
++ if (ibmr_ret) {
+ *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode);
+-
++ clean_nodes = clean_nodes->next;
++ }
+ /* more than one entry in llist nodes */
+- if (clean_nodes->next)
+- llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list);
++ if (clean_nodes)
++ llist_add_batch(clean_nodes, clean_tail,
++ &pool->clean_list);
+
+ }
+
diff --git a/series.conf b/series.conf
index 7e8a5776b3..0e621c2140 100644
--- a/series.conf
+++ b/series.conf
@@ -22904,6 +22904,7 @@
patches.suse/btrfs-tree-checker-detect-file-extent-items-with-ove.patch
patches.fixes/crypto-vmx-CTR-always-increment-IV-as-quadword.patch
patches.arch/crypto-vmx-ghash-do-nosimd-fallback-manually.patch
+ patches.suse/net-mlx4_en-ethtool-Remove-unsupported-SFP-EEPROM-hi.patch
patches.drivers/usbnet-ipheth-fix-racing-condition.patch
patches.suse/ipv6-Consider-sk_bound_dev_if-when-binding-a-raw-soc.patch
patches.drivers/usbnet-fix-kernel-crash-after-disconnect.patch
@@ -22988,6 +22989,11 @@
patches.arch/x86-cpu-amd-don-t-force-the-cpb-cap-when-running-under-a-hypervisor.patch
patches.fixes/fuse-fallocate-fix-return-with-locked-inode.patch
patches.fixes/s390-qeth-fix-vlan-attribute-in-bridge_hostnotify-udev-event
+ patches.suse/Fix-memory-leak-in-sctp_process_init.patch
+ patches.suse/ethtool-fix-potential-userspace-buffer-overflow.patch
+ patches.suse/ipv6-use-READ_ONCE-for-inet-hdrincl-as-in-ipv4.patch
+ patches.suse/ipv6-fix-EFAULT-on-sendto-with-icmpv6-and-hdrincl.patch
+ patches.suse/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch
patches.drivers/net-mvpp2-Use-strscpy-to-handle-stat-strings.patch
patches.fixes/pktgen-do-not-sleep-with-the-thread-lock-held.patch
patches.drivers/hwmon-core-add-thermal-sensors-only-if-dev-of_node-i.patch
@@ -23435,6 +23441,9 @@
patches.fixes/fs-dax-deposit-pagetable-even-when-installing-zero-page.patch
+ # bnc#1137609
+ patches.suse/mm-migrate-Fix-reference-check-race-between-__find_get_block-and-migration.patch
+
########################################################
# misc small fixes
########################################################