Home Home > GIT Browse > SLE15-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPetr Tesarik <ptesarik@suse.cz>2019-06-13 09:00:26 +0200
committerPetr Tesarik <ptesarik@suse.cz>2019-06-13 09:00:26 +0200
commit20f9eaa3c7738c3375712b47136f70f079ff8f54 (patch)
treed296249322db714dbc9cc0b4ee70684997363413
parent96a9a88d2703774d08f574e9677b1bcd1151b502 (diff)
parent71ec0a76159d4b7b1ff9e5af0370b8847c21eb4c (diff)
Merge branch 'SLE15-SP1' into SLE15-SP1_EMBARGO
-rw-r--r--blacklist.conf1
-rw-r--r--patches.arch/KVM-PPC-Book3S-HV-Avoid-lockdep-debugging-in-TCE-rea.patch220
-rw-r--r--patches.arch/KVM-PPC-Book3S-HV-XIVE-Do-not-clear-IRQ-data-of-pass.patch100
-rw-r--r--patches.arch/KVM-PPC-Book3S-Protect-memslots-while-validating-use.patch80
-rw-r--r--patches.arch/KVM-PPC-Release-all-hardware-TCE-tables-attached-to-.patch49
-rw-r--r--patches.arch/KVM-PPC-Remove-redundand-permission-bits-removal.patch171
-rw-r--r--patches.arch/KVM-PPC-Validate-TCEs-against-preregistered-memory-p.patch190
-rw-r--r--patches.arch/KVM-PPC-Validate-all-tces-before-updating-tables.patch75
-rw-r--r--patches.drivers/ALSA-hda-realtek-Set-default-power-save-node-to-0.patch39
-rw-r--r--patches.drivers/ASoC-eukrea-tlv320-fix-a-leaked-reference-by-adding-.patch53
-rw-r--r--patches.drivers/ASoC-fsl_sai-Update-is_slave_mode-with-correct-value.patch49
-rw-r--r--patches.drivers/ASoC-fsl_utils-fix-a-leaked-reference-by-adding-miss.patch49
-rw-r--r--patches.drivers/ASoC-hdmi-codec-unlock-the-device-on-startup-errors.patch43
-rw-r--r--patches.drivers/HID-logitech-hidpp-change-low-battery-level-threshol.patch53
-rw-r--r--patches.drivers/HID-logitech-hidpp-use-RAP-instead-of-FAP-to-get-the.patch73
-rw-r--r--patches.drivers/Staging-vc04_services-Fix-a-couple-error-codes.patch46
-rw-r--r--patches.drivers/USB-Add-LPM-quirk-for-Surface-Dock-GigE-adapter.patch42
-rw-r--r--patches.drivers/USB-Fix-slab-out-of-bounds-write-in-usb_get_bos_desc.patch43
-rw-r--r--patches.drivers/USB-core-Don-t-unbind-interfaces-following-device-re.patch73
-rw-r--r--patches.drivers/USB-rio500-fix-memory-leak-in-close-after-disconnect.patch52
-rw-r--r--patches.drivers/USB-rio500-refuse-more-than-one-device-at-a-time.patch88
-rw-r--r--patches.drivers/USB-sisusbvga-fix-oops-in-error-path-of-sisusb_probe.patch60
-rw-r--r--patches.drivers/brcmfmac-convert-dev_init_lock-mutex-to-completion.patch192
-rw-r--r--patches.drivers/brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch127
-rw-r--r--patches.drivers/brcmfmac-fix-WARNING-during-USB-disconnect-in-case-o.patch133
-rw-r--r--patches.drivers/brcmfmac-fix-missing-checks-for-kmemdup.patch45
-rw-r--r--patches.drivers/brcmfmac-fix-race-during-disconnect-when-USB-complet.patch93
-rw-r--r--patches.drivers/chardev-add-additional-check-for-minor-range-overlap.patch40
-rw-r--r--patches.drivers/extcon-arizona-Disable-mic-detect-if-running-when-dr.patch50
-rw-r--r--patches.drivers/gpio-Remove-obsolete-comment-about-gpiochip_free_hog.patch37
-rw-r--r--patches.drivers/gpio-fix-gpio-adp5588-build-errors.patch56
-rw-r--r--patches.drivers/hwmon-core-add-thermal-sensors-only-if-dev-of_node-i.patch64
-rw-r--r--patches.drivers/hwmon-pmbus-core-Treat-parameters-as-paged-if-on-mul.patch97
-rw-r--r--patches.drivers/hwrng-omap-Set-default-quality.patch44
-rw-r--r--patches.drivers/i2c-dev-fix-potential-memory-leak-in-i2cdev_ioctl_rd.patch30
-rw-r--r--patches.drivers/iio-ad_sigma_delta-Properly-handle-SPI-bus-locking-v.patch124
-rw-r--r--patches.drivers/iio-common-ssp_sensors-Initialize-calculated_time-in.patch50
-rw-r--r--patches.drivers/iio-hmc5843-fix-potential-NULL-pointer-dereferences.patch68
-rw-r--r--patches.drivers/iwlwifi-mvm-check-for-length-correctness-in-iwl_mvm_.patch110
-rw-r--r--patches.drivers/iwlwifi-pcie-don-t-crash-on-invalid-RX-interrupt.patch47
-rw-r--r--patches.drivers/leds-avoid-flush_work-in-atomic-context.patch68
-rw-r--r--patches.drivers/media-au0828-Fix-NULL-pointer-dereference-in-au0828_.patch78
-rw-r--r--patches.drivers/media-au0828-stop-video-streaming-only-when-last-use.patch71
-rw-r--r--patches.drivers/media-coda-clear-error-return-value-before-picture-r.patch39
-rw-r--r--patches.drivers/media-cpia2-Fix-use-after-free-in-cpia2_exit.patch125
-rw-r--r--patches.drivers/media-go7007-avoid-clang-frame-overflow-warning-with.patch47
-rw-r--r--patches.drivers/media-m88ds3103-serialize-reset-messages-in-m88ds310.patch104
-rw-r--r--patches.drivers/media-ov2659-make-S_FMT-succeed-even-if-requested-fo.patch52
-rw-r--r--patches.drivers/media-saa7146-avoid-high-stack-usage-with-clang.patch74
-rw-r--r--patches.drivers/media-smsusb-better-handle-optional-alignment.patch77
-rw-r--r--patches.drivers/media-usb-siano-Fix-false-positive-uninitialized-var.patch38
-rw-r--r--patches.drivers/media-usb-siano-Fix-general-protection-fault-in-smsu.patch90
-rw-r--r--patches.drivers/mfd-da9063-Fix-OTP-control-register-names-to-match-d.patch43
-rw-r--r--patches.drivers/mfd-max77620-Fix-swapped-FPS_PERIOD_MAX_US-values.patch38
-rw-r--r--patches.drivers/mmc-core-Verify-SD-bus-width.patch57
-rw-r--r--patches.drivers/mmc-sdhci-iproc-Set-NO_HISPD-bit-to-fix-HS50-data-ho.patch48
-rw-r--r--patches.drivers/mmc-sdhci-iproc-cygnus-Set-NO_HISPD-bit-to-fix-HS50-.patch50
-rw-r--r--patches.drivers/mmc-sdhci-of-esdhc-add-erratum-A-009204-support.patch44
-rw-r--r--patches.drivers/mmc-sdhci-of-esdhc-add-erratum-eSDHC5-support.patch40
-rw-r--r--patches.drivers/mmc_spi-add-a-status-check-for-spi_sync_locked.patch38
-rw-r--r--patches.drivers/parport-Fix-mem-leak-in-parport_register_dev_model.patch69
-rw-r--r--patches.drivers/rtc-88pm860x-prevent-use-after-free-on-device-remove.patch46
-rw-r--r--patches.drivers/rtc-don-t-reference-bogus-function-pointer-in-kdoc.patch41
-rw-r--r--patches.drivers/rtlwifi-fix-a-potential-NULL-pointer-dereference.patch38
-rw-r--r--patches.drivers/rtlwifi-fix-potential-NULL-pointer-dereference.patch99
-rw-r--r--patches.drivers/scsi-mpt3sas_ctl-fix-double-fetch-bug-in-ctl_ioctl_main45
-rw-r--r--patches.drivers/staging-vc04_services-prevent-integer-overflow-in-cr.patch55
-rw-r--r--patches.drivers/staging-wlan-ng-fix-adapter-initialization-failure.patch57
-rw-r--r--patches.drivers/thunderbolt-Fix-to-check-for-kmemdup-failure.patch84
-rw-r--r--patches.drivers/tty-ipwireless-fix-missing-checks-for-ioremap.patch51
-rw-r--r--patches.drivers/tty-serial-msm_serial-Fix-XON-XOFF.patch58
-rw-r--r--patches.drivers/tty-vt-fix-write-write-race-in-ioctl-KDSKBSENT-handl.patch187
-rw-r--r--patches.drivers/usb-core-Add-PM-runtime-calls-to-usb_hcd_platform_sh.patch40
-rw-r--r--patches.drivers/usbip-usbip_host-fix-BUG-sleeping-function-called-fr.patch247
-rw-r--r--patches.drivers/usbip-usbip_host-fix-stub_dev-lock-context-imbalance.patch159
-rw-r--r--patches.drivers/usbnet-fix-kernel-crash-after-disconnect.patch98
-rw-r--r--patches.drivers/w1-fix-the-resume-command-API.patch53
-rw-r--r--patches.drivers/wil6210-fix-return-code-of-wmi_mgmt_tx-and-wmi_mgmt_.patch73
-rw-r--r--patches.drivers/xhci-Convert-xhci_handshake-to-use-readl_poll_timeou.patch82
-rw-r--r--patches.drivers/xhci-Use-zu-for-printing-size_t-type.patch52
-rw-r--r--patches.drivers/xhci-update-bounce-buffer-with-correct-sg-num.patch87
-rw-r--r--patches.drm/drm-Wake-up-next-in-drm_read-chain-if-we-are-forced-.patch44
-rw-r--r--patches.drm/drm-amdgpu-fix-old-fence-check-in-amdgpu_fence_emit.patch67
-rw-r--r--patches.drm/drm-drv-Hold-ref-on-parent-device-during-drm_device-.patch51
-rw-r--r--patches.drm/drm_dp_cec-add-note-about-good-MegaChips-2900-CEC-su.patch43
-rw-r--r--patches.drm/drm_dp_cec-check-that-aux-has-a-transfer-function.patch78
-rw-r--r--patches.fixes/0001-Documentation-Correct-the-possible-MDS-sysfs-values.patch67
-rw-r--r--patches.fixes/0001-docs-Fix-conf.py-for-Sphinx-2.0.patch29
-rw-r--r--patches.fixes/0001-test_firmware-Use-correct-snprintf-limit.patch72
-rw-r--r--patches.fixes/0001-xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch56
-rw-r--r--patches.fixes/ACPI-property-fix-handling-of-data_nodes-in-acpi_get.patch52
-rw-r--r--patches.fixes/batman-adv-allow-updating-DAT-entry-timeouts-on-inco.patch62
-rw-r--r--patches.fixes/efi-x86-Add-missing-error-handling-to-old_memmap-1-1.patch91
-rw-r--r--patches.fixes/fuse-fallocate-fix-return-with-locked-inode.patch40
-rw-r--r--patches.fixes/fuse-fix-writepages-on-32bit.patch40
-rw-r--r--patches.fixes/fuse-honor-RLIMIT_FSIZE-in-fuse_file_fallocate.patch44
-rw-r--r--patches.fixes/mac80211-Fix-kernel-panic-due-to-use-of-txq-after-fr.patch46
-rw-r--r--patches.fixes/mac80211-cfg80211-update-bss-channel-on-channel-swit.patch70
-rw-r--r--patches.fixes/vxlan-trivial-indenting-fix.patch36
-rw-r--r--patches.fixes/vxlan-use-__be32-type-for-the-param-vni-in-__vxlan_f.patch38
-rw-r--r--patches.fixes/xfs-do-not-set-the-page-uptodate-in-xfs_writepage_ma.patch59
-rw-r--r--patches.fixes/xfs-don-t-clear-imap_valid-for-a-non-uptodate-buffer.patch56
-rw-r--r--patches.fixes/xfs-don-t-look-at-buffer-heads-in-xfs_add_to_ioend.patch166
-rw-r--r--patches.fixes/xfs-don-t-use-XFS_BMAPI_ENTRIRE-in-xfs_get_blocks.patch37
-rw-r--r--patches.fixes/xfs-don-t-use-XFS_BMAPI_IGSTATE-in-xfs_map_blocks.patch58
-rw-r--r--patches.fixes/xfs-eof-trim-writeback-mapping-as-soon-as-it-is-cach.patch64
-rw-r--r--patches.fixes/xfs-fix-s_maxbytes-overflow-problems.patch58
-rw-r--r--patches.fixes/xfs-make-xfs_writepage_map-extent-map-centric.patch261
-rw-r--r--patches.fixes/xfs-minor-cleanup-for-xfs_get_blocks.patch51
-rw-r--r--patches.fixes/xfs-move-all-writeback-buffer_head-manipulation-into.patch77
-rw-r--r--patches.fixes/xfs-refactor-the-tail-of-xfs_writepage_map.patch113
-rw-r--r--patches.fixes/xfs-remove-XFS_IO_INVALID.patch79
-rw-r--r--patches.fixes/xfs-remove-the-imap_valid-flag.patch179
-rw-r--r--patches.fixes/xfs-remove-unused-parameter-from-xfs_writepage_map.patch52
-rw-r--r--patches.fixes/xfs-remove-xfs_map_cow.patch322
-rw-r--r--patches.fixes/xfs-remove-xfs_reflink_find_cow_mapping.patch130
-rw-r--r--patches.fixes/xfs-remove-xfs_reflink_trim_irec_to_next_cow.patch115
-rw-r--r--patches.fixes/xfs-remove-xfs_start_page_writeback.patch102
-rw-r--r--patches.fixes/xfs-rename-the-offset-variable-in-xfs_writepage_map.patch94
-rw-r--r--patches.fixes/xfs-simplify-xfs_map_blocks-by-using-xfs_iext_lookup.patch70
-rw-r--r--patches.fixes/xfs-skip-CoW-writes-past-EOF-when-writeback-races-wi.patch56
-rw-r--r--patches.fixes/xfs-xfs_reflink_convert_cow-memory-allocation-deadlo.patch83
-rw-r--r--series.conf123
123 files changed, 9429 insertions, 0 deletions
diff --git a/blacklist.conf b/blacklist.conf
index 28776848c7..12a6398a84 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1159,3 +1159,4 @@ f627caf55b8e735dcec8fa6538e9668632b55276 # sm712fb driver not enabled: fbdev: sm
2f0799a0ffc033bf3cc82d5032acc3ec633464c2 # this reverts ac5b2c18911f and there is a disagreement over this policy. We want to have ac5b2c18911f applied
406d2b6ae3420f5bb2b3db6986dc6f0b6dbb637b # powerpc/64: Make meltdown reporting Book3S 64 specific - we compile only this arch
ebcd1bfc33c7a90df941df68a6e5d4018c022fba # powerpc/fsl: Add barrier_nospec implementation for NXP PowerPC Book3E
+e40542aff909ac34d2c24712c5c0769c8f77f895 # KVM: PPC: Book3S HV: Fix build failure without IOMMU support - we build with IOMMU
diff --git a/patches.arch/KVM-PPC-Book3S-HV-Avoid-lockdep-debugging-in-TCE-rea.patch b/patches.arch/KVM-PPC-Book3S-HV-Avoid-lockdep-debugging-in-TCE-rea.patch
new file mode 100644
index 0000000000..c4fff7a730
--- /dev/null
+++ b/patches.arch/KVM-PPC-Book3S-HV-Avoid-lockdep-debugging-in-TCE-rea.patch
@@ -0,0 +1,220 @@
+From 2001825efcea75e4209e4956f6cd619fbc246d16 Mon Sep 17 00:00:00 2001
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Date: Fri, 29 Mar 2019 16:42:20 +1100
+Subject: [PATCH] KVM: PPC: Book3S HV: Avoid lockdep debugging in TCE realmode
+ handlers
+
+References: bsc#1061840
+References: bsc#1061840
+Patch-mainline: v5.2-rc1
+Git-commit: 2001825efcea75e4209e4956f6cd619fbc246d16
+
+The kvmppc_tce_to_ua() helper is called from real and virtual modes
+and it works fine as long as CONFIG_DEBUG_LOCKDEP is not enabled.
+However if the lockdep debugging is on, the lockdep will most likely break
+in kvm_memslots() because of srcu_dereference_check() so we need to use
+PPC-own kvm_memslots_raw() which uses realmode safe
+rcu_dereference_raw_notrace().
+
+This creates a realmode copy of kvmppc_tce_to_ua() which replaces
+kvm_memslots() with kvm_memslots_raw().
+
+Since kvmppc_rm_tce_to_ua() becomes static and can only be used inside
+HV KVM, this moves it earlier under CONFIG_KVM_BOOK3S_HV_POSSIBLE.
+
+This moves truly virtual-mode kvmppc_tce_to_ua() to where it belongs and
+drops the prmap parameter which was never used in the virtual mode.
+
+Fixes: d3695aa4f452 ("KVM: PPC: Add support for multiple-TCE hcalls", 2016-02-15)
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/include/asm/kvm_ppc.h | 2 --
+ arch/powerpc/kvm/book3s_64_vio.c | 24 +++++++++++---
+ arch/powerpc/kvm/book3s_64_vio_hv.c | 51 ++++++++++++++---------------
+ 3 files changed, 44 insertions(+), 33 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/kvm_ppc.h b/arch/powerpc/include/asm/kvm_ppc.h
+index df0b173da3e0..02732eb156ae 100644
+--- a/arch/powerpc/include/asm/kvm_ppc.h
++++ b/arch/powerpc/include/asm/kvm_ppc.h
+@@ -197,8 +197,6 @@ extern struct kvmppc_spapr_tce_table *kvmppc_find_table(
+ (iommu_tce_check_ioba((stt)->page_shift, (stt)->offset, \
+ (stt)->size, (ioba), (npages)) ? \
+ H_PARAMETER : H_SUCCESS)
+-extern long kvmppc_tce_to_ua(struct kvm *kvm, unsigned long tce,
+- unsigned long *ua, unsigned long **prmap);
+ extern void kvmppc_tce_put(struct kvmppc_spapr_tce_table *tt,
+ unsigned long idx, unsigned long tce);
+ extern long kvmppc_h_put_tce(struct kvm_vcpu *vcpu, unsigned long liobn,
+diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c
+index f100e331e69b..5e3b62c491f8 100644
+--- a/arch/powerpc/kvm/book3s_64_vio.c
++++ b/arch/powerpc/kvm/book3s_64_vio.c
+@@ -363,6 +363,22 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm *kvm,
+ return ret;
+ }
+
++static long kvmppc_tce_to_ua(struct kvm *kvm, unsigned long tce,
++ unsigned long *ua)
++{
++ unsigned long gfn = tce >> PAGE_SHIFT;
++ struct kvm_memory_slot *memslot;
++
++ memslot = search_memslots(kvm_memslots(kvm), gfn);
++ if (!memslot)
++ return -EINVAL;
++
++ *ua = __gfn_to_hva_memslot(memslot, gfn) |
++ (tce & ~(PAGE_MASK | TCE_PCI_READ | TCE_PCI_WRITE));
++
++ return 0;
++}
++
+ static long kvmppc_tce_validate(struct kvmppc_spapr_tce_table *stt,
+ unsigned long tce)
+ {
+@@ -378,7 +394,7 @@ static long kvmppc_tce_validate(struct kvmppc_spapr_tce_table *stt,
+ if (iommu_tce_check_gpa(stt->page_shift, gpa))
+ return H_TOO_HARD;
+
+- if (kvmppc_tce_to_ua(stt->kvm, tce, &ua, NULL))
++ if (kvmppc_tce_to_ua(stt->kvm, tce, &ua))
+ return H_TOO_HARD;
+
+ list_for_each_entry_rcu(stit, &stt->iommu_tables, next) {
+@@ -551,7 +567,7 @@ long kvmppc_h_put_tce(struct kvm_vcpu *vcpu, unsigned long liobn,
+
+ dir = iommu_tce_direction(tce);
+
+- if ((dir != DMA_NONE) && kvmppc_tce_to_ua(vcpu->kvm, tce, &ua, NULL)) {
++ if ((dir != DMA_NONE) && kvmppc_tce_to_ua(vcpu->kvm, tce, &ua)) {
+ ret = H_PARAMETER;
+ goto unlock_exit;
+ }
+@@ -612,7 +628,7 @@ long kvmppc_h_put_tce_indirect(struct kvm_vcpu *vcpu,
+ return ret;
+
+ idx = srcu_read_lock(&vcpu->kvm->srcu);
+- if (kvmppc_tce_to_ua(vcpu->kvm, tce_list, &ua, NULL)) {
++ if (kvmppc_tce_to_ua(vcpu->kvm, tce_list, &ua)) {
+ ret = H_TOO_HARD;
+ goto unlock_exit;
+ }
+@@ -647,7 +663,7 @@ long kvmppc_h_put_tce_indirect(struct kvm_vcpu *vcpu,
+ }
+ tce = be64_to_cpu(tce);
+
+- if (kvmppc_tce_to_ua(vcpu->kvm, tce, &ua, NULL))
++ if (kvmppc_tce_to_ua(vcpu->kvm, tce, &ua))
+ return H_PARAMETER;
+
+ list_for_each_entry_lockless(stit, &stt->iommu_tables, next) {
+diff --git a/arch/powerpc/kvm/book3s_64_vio_hv.c b/arch/powerpc/kvm/book3s_64_vio_hv.c
+index 2206bc729b9a..31e59748832a 100644
+--- a/arch/powerpc/kvm/book3s_64_vio_hv.c
++++ b/arch/powerpc/kvm/book3s_64_vio_hv.c
+@@ -88,6 +88,25 @@ struct kvmppc_spapr_tce_table *kvmppc_find_table(struct kvm *kvm,
+ EXPORT_SYMBOL_GPL(kvmppc_find_table);
+
+ #ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE
++static long kvmppc_rm_tce_to_ua(struct kvm *kvm, unsigned long tce,
++ unsigned long *ua, unsigned long **prmap)
++{
++ unsigned long gfn = tce >> PAGE_SHIFT;
++ struct kvm_memory_slot *memslot;
++
++ memslot = search_memslots(kvm_memslots_raw(kvm), gfn);
++ if (!memslot)
++ return -EINVAL;
++
++ *ua = __gfn_to_hva_memslot(memslot, gfn) |
++ (tce & ~(PAGE_MASK | TCE_PCI_READ | TCE_PCI_WRITE));
++
++ if (prmap)
++ *prmap = &memslot->arch.rmap[gfn - memslot->base_gfn];
++
++ return 0;
++}
++
+ /*
+ * Validates TCE address.
+ * At the moment flags and page mask are validated.
+@@ -111,7 +130,7 @@ static long kvmppc_rm_tce_validate(struct kvmppc_spapr_tce_table *stt,
+ if (iommu_tce_check_gpa(stt->page_shift, gpa))
+ return H_PARAMETER;
+
+- if (kvmppc_tce_to_ua(stt->kvm, tce, &ua, NULL))
++ if (kvmppc_rm_tce_to_ua(stt->kvm, tce, &ua, NULL))
+ return H_TOO_HARD;
+
+ list_for_each_entry_lockless(stit, &stt->iommu_tables, next) {
+@@ -181,28 +200,6 @@ void kvmppc_tce_put(struct kvmppc_spapr_tce_table *stt,
+ }
+ EXPORT_SYMBOL_GPL(kvmppc_tce_put);
+
+-long kvmppc_tce_to_ua(struct kvm *kvm, unsigned long tce,
+- unsigned long *ua, unsigned long **prmap)
+-{
+- unsigned long gfn = tce >> PAGE_SHIFT;
+- struct kvm_memory_slot *memslot;
+-
+- memslot = search_memslots(kvm_memslots(kvm), gfn);
+- if (!memslot)
+- return -EINVAL;
+-
+- *ua = __gfn_to_hva_memslot(memslot, gfn) |
+- (tce & ~(PAGE_MASK | TCE_PCI_READ | TCE_PCI_WRITE));
+-
+-#ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE
+- if (prmap)
+- *prmap = &memslot->arch.rmap[gfn - memslot->base_gfn];
+-#endif
+-
+- return 0;
+-}
+-EXPORT_SYMBOL_GPL(kvmppc_tce_to_ua);
+-
+ #ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE
+ static long iommu_tce_xchg_rm(struct mm_struct *mm, struct iommu_table *tbl,
+ unsigned long entry, unsigned long *hpa,
+@@ -390,7 +387,7 @@ long kvmppc_rm_h_put_tce(struct kvm_vcpu *vcpu, unsigned long liobn,
+ return ret;
+
+ dir = iommu_tce_direction(tce);
+- if ((dir != DMA_NONE) && kvmppc_tce_to_ua(vcpu->kvm, tce, &ua, NULL))
++ if ((dir != DMA_NONE) && kvmppc_rm_tce_to_ua(vcpu->kvm, tce, &ua, NULL))
+ return H_PARAMETER;
+
+ entry = ioba >> stt->page_shift;
+@@ -492,7 +489,7 @@ long kvmppc_rm_h_put_tce_indirect(struct kvm_vcpu *vcpu,
+ */
+ struct mm_iommu_table_group_mem_t *mem;
+
+- if (kvmppc_tce_to_ua(vcpu->kvm, tce_list, &ua, NULL))
++ if (kvmppc_rm_tce_to_ua(vcpu->kvm, tce_list, &ua, NULL))
+ return H_TOO_HARD;
+
+ mem = mm_iommu_lookup_rm(vcpu->kvm->mm, ua, IOMMU_PAGE_SIZE_4K);
+@@ -508,7 +505,7 @@ long kvmppc_rm_h_put_tce_indirect(struct kvm_vcpu *vcpu,
+ * We do not require memory to be preregistered in this case
+ * so lock rmap and do __find_linux_pte_or_hugepte().
+ */
+- if (kvmppc_tce_to_ua(vcpu->kvm, tce_list, &ua, &rmap))
++ if (kvmppc_rm_tce_to_ua(vcpu->kvm, tce_list, &ua, &rmap))
+ return H_TOO_HARD;
+
+ rmap = (void *) vmalloc_to_phys(rmap);
+@@ -542,7 +539,7 @@ long kvmppc_rm_h_put_tce_indirect(struct kvm_vcpu *vcpu,
+ unsigned long tce = be64_to_cpu(((u64 *)tces)[i]);
+
+ ua = 0;
+- if (kvmppc_tce_to_ua(vcpu->kvm, tce, &ua, NULL))
++ if (kvmppc_rm_tce_to_ua(vcpu->kvm, tce, &ua, NULL))
+ return H_PARAMETER;
+
+ list_for_each_entry_lockless(stit, &stt->iommu_tables, next) {
+--
+2.20.1
+
diff --git a/patches.arch/KVM-PPC-Book3S-HV-XIVE-Do-not-clear-IRQ-data-of-pass.patch b/patches.arch/KVM-PPC-Book3S-HV-XIVE-Do-not-clear-IRQ-data-of-pass.patch
new file mode 100644
index 0000000000..f4a50d1f31
--- /dev/null
+++ b/patches.arch/KVM-PPC-Book3S-HV-XIVE-Do-not-clear-IRQ-data-of-pass.patch
@@ -0,0 +1,100 @@
+From ef9740204051d0e00f5402fe96cf3a43ddd2bbbf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@kaod.org>
+Date: Tue, 28 May 2019 14:17:15 +0200
+Subject: [PATCH] KVM: PPC: Book3S HV: XIVE: Do not clear IRQ data of
+ passthrough interrupts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+References: bsc#1061840
+References: bsc#1061840
+Patch-mainline: v5.2-rc3
+Git-commit: ef9740204051d0e00f5402fe96cf3a43ddd2bbbf
+
+The passthrough interrupts are defined at the host level and their IRQ
+data should not be cleared unless specifically deconfigured (shutdown)
+by the host. They differ from the IPI interrupts which are allocated
+by the XIVE KVM device and reserved to the guest usage only.
+
+This fixes a host crash when destroying a VM in which a PCI adapter
+was passed-through. In this case, the interrupt is cleared and freed
+by the KVM device and then shutdown by vfio at the host level.
+
+[ 1007.360265] BUG: Kernel NULL pointer dereference at 0x00000d00
+[ 1007.360285] Faulting instruction address: 0xc00000000009da34
+[ 1007.360296] Oops: Kernel access of bad area, sig: 7 [#1]
+[ 1007.360303] LE PAGE_SIZE=64K MMU=Radix MMU=Hash SMP NR_CPUS=2048 NUMA PowerNV
+[ 1007.360314] Modules linked in: vhost_net vhost iptable_mangle ipt_MASQUERADE iptable_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv4 ipt_REJECT nf_reject_ipv4 tun bridge stp llc kvm_hv kvm xt_tcpudp iptable_filter squashfs fuse binfmt_misc vmx_crypto ib_iser rdma_cm iw_cm ib_cm libiscsi scsi_transport_iscsi nfsd ip_tables x_tables autofs4 btrfs zstd_decompress zstd_compress lzo_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq multipath mlx5_ib ib_uverbs ib_core crc32c_vpmsum mlx5_core
+[ 1007.360425] CPU: 9 PID: 15576 Comm: CPU 18/KVM Kdump: loaded Not tainted 5.1.0-gad7e7d0ef #4
+[ 1007.360454] NIP: c00000000009da34 LR: c00000000009e50c CTR: c00000000009e5d0
+[ 1007.360482] REGS: c000007f24ccf330 TRAP: 0300 Not tainted (5.1.0-gad7e7d0ef)
+[ 1007.360500] MSR: 900000000280b033 <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 24002484 XER: 00000000
+[ 1007.360532] CFAR: c00000000009da10 DAR: 0000000000000d00 DSISR: 00080000 IRQMASK: 1
+[ 1007.360532] GPR00: c00000000009e62c c000007f24ccf5c0 c000000001510600 c000007fe7f947c0
+[ 1007.360532] GPR04: 0000000000000d00 0000000000000000 0000000000000000 c000005eff02d200
+[ 1007.360532] GPR08: 0000000000400000 0000000000000000 0000000000000000 fffffffffffffffd
+[ 1007.360532] GPR12: c00000000009e5d0 c000007fffff7b00 0000000000000031 000000012c345718
+[ 1007.360532] GPR16: 0000000000000000 0000000000000008 0000000000418004 0000000000040100
+[ 1007.360532] GPR20: 0000000000000000 0000000008430000 00000000003c0000 0000000000000027
+[ 1007.360532] GPR24: 00000000000000ff 0000000000000000 00000000000000ff c000007faa90d98c
+[ 1007.360532] GPR28: c000007faa90da40 00000000000fe040 ffffffffffffffff c000007fe7f947c0
+[ 1007.360689] NIP [c00000000009da34] xive_esb_read+0x34/0x120
+[ 1007.360706] LR [c00000000009e50c] xive_do_source_set_mask.part.0+0x2c/0x50
+[ 1007.360732] Call Trace:
+[ 1007.360738] [c000007f24ccf5c0] [c000000000a6383c] snooze_loop+0x15c/0x270 (unreliable)
+[ 1007.360775] [c000007f24ccf5f0] [c00000000009e62c] xive_irq_shutdown+0x5c/0xe0
+[ 1007.360795] [c000007f24ccf630] [c00000000019e4a0] irq_shutdown+0x60/0xe0
+[ 1007.360813] [c000007f24ccf660] [c000000000198c44] __free_irq+0x3a4/0x420
+[ 1007.360831] [c000007f24ccf700] [c000000000198dc8] free_irq+0x78/0xe0
+[ 1007.360849] [c000007f24ccf730] [c00000000096c5a8] vfio_msi_set_vector_signal+0xa8/0x350
+[ 1007.360878] [c000007f24ccf7f0] [c00000000096c938] vfio_msi_set_block+0xe8/0x1e0
+[ 1007.360899] [c000007f24ccf850] [c00000000096cae0] vfio_msi_disable+0xb0/0x110
+[ 1007.360912] [c000007f24ccf8a0] [c00000000096cd04] vfio_pci_set_msi_trigger+0x1c4/0x3d0
+[ 1007.360922] [c000007f24ccf910] [c00000000096d910] vfio_pci_set_irqs_ioctl+0xa0/0x170
+[ 1007.360941] [c000007f24ccf930] [c00000000096b400] vfio_pci_disable+0x80/0x5e0
+[ 1007.360963] [c000007f24ccfa10] [c00000000096b9bc] vfio_pci_release+0x5c/0x90
+[ 1007.360991] [c000007f24ccfa40] [c000000000963a9c] vfio_device_fops_release+0x3c/0x70
+[ 1007.361012] [c000007f24ccfa70] [c0000000003b5668] __fput+0xc8/0x2b0
+[ 1007.361040] [c000007f24ccfac0] [c0000000001409b0] task_work_run+0x140/0x1b0
+[ 1007.361059] [c000007f24ccfb20] [c000000000118f8c] do_exit+0x3ac/0xd00
+[ 1007.361076] [c000007f24ccfc00] [c0000000001199b0] do_group_exit+0x60/0x100
+[ 1007.361094] [c000007f24ccfc40] [c00000000012b514] get_signal+0x1a4/0x8f0
+[ 1007.361112] [c000007f24ccfd30] [c000000000021cc8] do_notify_resume+0x1a8/0x430
+[ 1007.361141] [c000007f24ccfe20] [c00000000000e444] ret_from_except_lite+0x70/0x74
+[ 1007.361159] Instruction dump:
+[ 1007.361175] 38422c00 e9230000 712a0004 41820010 548a2036 7d442378 78840020 71290020
+[ 1007.361194] 4082004c e9230010 7c892214 7c0004ac <e9240000> 0c090000 4c00012c 792a0022
+
+Cc: stable@vger.kernel.org # v4.12+
+Fixes: 5af50993850a ("KVM: PPC: Book3S HV: Native usage of the XIVE interrupt controller")
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/kvm/book3s_xive.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_xive.c
++++ b/arch/powerpc/kvm/book3s_xive.c
+@@ -1723,7 +1723,6 @@ static void kvmppc_xive_cleanup_irq(u32
+ {
+ xive_vm_esb_load(xd, XIVE_ESB_SET_PQ_01);
+ xive_native_configure_irq(hw_num, 0, MASKED, 0);
+- xive_cleanup_irq_data(xd);
+ }
+
+ static void kvmppc_xive_free_sources(struct kvmppc_xive_src_block *sb)
+@@ -1737,9 +1736,10 @@ static void kvmppc_xive_free_sources(str
+ continue;
+
+ kvmppc_xive_cleanup_irq(state->ipi_number, &state->ipi_data);
++ xive_cleanup_irq_data(&state->ipi_data);
+ xive_native_free_irq(state->ipi_number);
+
+- /* Pass-through, cleanup too */
++ /* Pass-through, cleanup too but keep IRQ hw data */
+ if (state->pt_number)
+ kvmppc_xive_cleanup_irq(state->pt_number, state->pt_data);
+
diff --git a/patches.arch/KVM-PPC-Book3S-Protect-memslots-while-validating-use.patch b/patches.arch/KVM-PPC-Book3S-Protect-memslots-while-validating-use.patch
new file mode 100644
index 0000000000..e8d6e0d76e
--- /dev/null
+++ b/patches.arch/KVM-PPC-Book3S-Protect-memslots-while-validating-use.patch
@@ -0,0 +1,80 @@
+From 345077c8e172c255ea0707214303ccd099e5656b Mon Sep 17 00:00:00 2001
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Date: Fri, 29 Mar 2019 16:41:13 +1100
+Subject: [PATCH] KVM: PPC: Book3S: Protect memslots while validating user
+ address
+
+References: bsc#1061840
+Patch-mainline: v5.1
+Git-commit: 345077c8e172c255ea0707214303ccd099e5656b
+
+Guest physical to user address translation uses KVM memslots and reading
+these requires holding the kvm->srcu lock. However recently introduced
+kvmppc_tce_validate() broke the rule (see the lockdep warning below).
+
+This moves srcu_read_lock(&vcpu->kvm->srcu) earlier to protect
+kvmppc_tce_validate() as well.
+
+=============================
+WARNING: suspicious RCU usage
+5.1.0-rc2-le_nv2_aikATfstn1-p1 #380 Not tainted
+-----------------------------
+include/linux/kvm_host.h:605 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+1 lock held by qemu-system-ppc/8020:
+ #0: 0000000094972fe9 (&vcpu->mutex){+.+.}, at: kvm_vcpu_ioctl+0xdc/0x850 [kvm]
+
+stack backtrace:
+CPU: 44 PID: 8020 Comm: qemu-system-ppc Not tainted 5.1.0-rc2-le_nv2_aikATfstn1-p1 #380
+Call Trace:
+[c000003fece8f740] [c000000000bcc134] dump_stack+0xe8/0x164 (unreliable)
+[c000003fece8f790] [c000000000181be0] lockdep_rcu_suspicious+0x130/0x170
+[c000003fece8f810] [c0000000000d5f50] kvmppc_tce_to_ua+0x280/0x290
+[c000003fece8f870] [c00800001a7e2c78] kvmppc_tce_validate+0x80/0x1b0 [kvm]
+[c000003fece8f8e0] [c00800001a7e3fac] kvmppc_h_put_tce+0x94/0x3e4 [kvm]
+[c000003fece8f9a0] [c00800001a8baac4] kvmppc_pseries_do_hcall+0x30c/0xce0 [kvm_hv]
+[c000003fece8fa10] [c00800001a8bd89c] kvmppc_vcpu_run_hv+0x694/0xec0 [kvm_hv]
+[c000003fece8fae0] [c00800001a7d95dc] kvmppc_vcpu_run+0x34/0x48 [kvm]
+[c000003fece8fb00] [c00800001a7d56bc] kvm_arch_vcpu_ioctl_run+0x2f4/0x400 [kvm]
+[c000003fece8fb90] [c00800001a7c3618] kvm_vcpu_ioctl+0x460/0x850 [kvm]
+[c000003fece8fd00] [c00000000041c4f4] do_vfs_ioctl+0xe4/0x930
+[c000003fece8fdb0] [c00000000041ce04] ksys_ioctl+0xc4/0x110
+[c000003fece8fe00] [c00000000041ce78] sys_ioctl+0x28/0x80
+[c000003fece8fe20] [c00000000000b5a4] system_call+0x5c/0x70
+
+Fixes: 42de7b9e2167 ("KVM: PPC: Validate TCEs against preregistered memory page sizes", 2018-09-10)
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/kvm/book3s_64_vio.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c
+index f02b04973710..f100e331e69b 100644
+--- a/arch/powerpc/kvm/book3s_64_vio.c
++++ b/arch/powerpc/kvm/book3s_64_vio.c
+@@ -543,14 +543,14 @@ long kvmppc_h_put_tce(struct kvm_vcpu *vcpu, unsigned long liobn,
+ if (ret != H_SUCCESS)
+ return ret;
+
++ idx = srcu_read_lock(&vcpu->kvm->srcu);
++
+ ret = kvmppc_tce_validate(stt, tce);
+ if (ret != H_SUCCESS)
+- return ret;
++ goto unlock_exit;
+
+ dir = iommu_tce_direction(tce);
+
+- idx = srcu_read_lock(&vcpu->kvm->srcu);
+-
+ if ((dir != DMA_NONE) && kvmppc_tce_to_ua(vcpu->kvm, tce, &ua, NULL)) {
+ ret = H_PARAMETER;
+ goto unlock_exit;
+--
+2.20.1
+
diff --git a/patches.arch/KVM-PPC-Release-all-hardware-TCE-tables-attached-to-.patch b/patches.arch/KVM-PPC-Release-all-hardware-TCE-tables-attached-to-.patch
new file mode 100644
index 0000000000..114bc9af36
--- /dev/null
+++ b/patches.arch/KVM-PPC-Release-all-hardware-TCE-tables-attached-to-.patch
@@ -0,0 +1,49 @@
+From a67614cc05a5052b265ea48196dab2fce11f5f2e Mon Sep 17 00:00:00 2001
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Date: Tue, 12 Feb 2019 15:37:45 +1100
+Subject: [PATCH] KVM: PPC: Release all hardware TCE tables attached to a group
+
+References: bsc#1061840
+References: bsc#1061840
+Patch-mainline: v5.1-rc1
+Git-commit: a67614cc05a5052b265ea48196dab2fce11f5f2e
+
+The SPAPR TCE KVM device references all hardware IOMMU tables assigned to
+some IOMMU group to ensure that in-kernel KVM acceleration of H_PUT_TCE
+can work. The tables are references when an IOMMU group gets registered
+with the VFIO KVM device by the KVM_DEV_VFIO_GROUP_ADD ioctl;
+KVM_DEV_VFIO_GROUP_DEL calls into the dereferencing code
+in kvm_spapr_tce_release_iommu_group() which walks through the list of
+LIOBNs, finds a matching IOMMU table and calls kref_put() when found.
+
+However that code stops after the very first successful derefencing
+leaving other tables referenced till the SPAPR TCE KVM device is destroyed
+which normally happens on guest reboot or termination so if we do hotplug
+and unplug in a loop, we are leaking IOMMU tables here.
+
+This removes a premature return to let kvm_spapr_tce_release_iommu_group()
+find and dereference all attached tables.
+
+Fixes: 121f80ba68f ("KVM: PPC: VFIO: Add in-kernel acceleration for VFIO")
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/kvm/book3s_64_vio.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c
+index 532ab79734c7..6630dde56668 100644
+--- a/arch/powerpc/kvm/book3s_64_vio.c
++++ b/arch/powerpc/kvm/book3s_64_vio.c
+@@ -133,7 +133,6 @@ extern void kvm_spapr_tce_release_iommu_group(struct kvm *kvm,
+ continue;
+
+ kref_put(&stit->kref, kvm_spapr_tce_liobn_put);
+- return;
+ }
+ }
+ }
+--
+2.20.1
+
diff --git a/patches.arch/KVM-PPC-Remove-redundand-permission-bits-removal.patch b/patches.arch/KVM-PPC-Remove-redundand-permission-bits-removal.patch
new file mode 100644
index 0000000000..70b34eeded
--- /dev/null
+++ b/patches.arch/KVM-PPC-Remove-redundand-permission-bits-removal.patch
@@ -0,0 +1,171 @@
+From a3ac077b75c5a922dcbafd7e689ee09beefae0f6 Mon Sep 17 00:00:00 2001
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Date: Mon, 10 Sep 2018 18:29:12 +1000
+Subject: [PATCH] KVM: PPC: Remove redundand permission bits removal
+
+References: bsc#1061840
+Patch-mainline: v4.20-rc1
+Git-commit: a3ac077b75c5a922dcbafd7e689ee09beefae0f6
+
+The kvmppc_gpa_to_ua() helper itself takes care of the permission
+bits in the TCE and yet every single caller removes them.
+
+This changes semantics of kvmppc_gpa_to_ua() so it takes TCEs
+(which are GPAs + TCE permission bits) to make the callers simpler.
+
+This should cause no behavioural change.
+
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/include/asm/kvm_ppc.h | 2 +-
+ arch/powerpc/kvm/book3s_64_vio.c | 12 ++++--------
+ arch/powerpc/kvm/book3s_64_vio_hv.c | 22 +++++++++-------------
+ 3 files changed, 14 insertions(+), 22 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/kvm_ppc.h b/arch/powerpc/include/asm/kvm_ppc.h
+index 2f5d431e438b..38d03282bb6a 100644
+--- a/arch/powerpc/include/asm/kvm_ppc.h
++++ b/arch/powerpc/include/asm/kvm_ppc.h
+@@ -194,7 +194,7 @@ extern struct kvmppc_spapr_tce_table *kvmppc_find_table(
+ (iommu_tce_check_ioba((stt)->page_shift, (stt)->offset, \
+ (stt)->size, (ioba), (npages)) ? \
+ H_PARAMETER : H_SUCCESS)
+-extern long kvmppc_gpa_to_ua(struct kvm *kvm, unsigned long gpa,
++extern long kvmppc_tce_to_ua(struct kvm *kvm, unsigned long tce,
+ unsigned long *ua, unsigned long **prmap);
+ extern void kvmppc_tce_put(struct kvmppc_spapr_tce_table *tt,
+ unsigned long idx, unsigned long tce);
+diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c
+index 8231b178eac6..c0c64d11cc71 100644
+--- a/arch/powerpc/kvm/book3s_64_vio.c
++++ b/arch/powerpc/kvm/book3s_64_vio.c
+@@ -378,8 +378,7 @@ static long kvmppc_tce_validate(struct kvmppc_spapr_tce_table *stt,
+ if (iommu_tce_check_gpa(stt->page_shift, gpa))
+ return H_TOO_HARD;
+
+- if (kvmppc_gpa_to_ua(stt->kvm, tce & ~(TCE_PCI_READ | TCE_PCI_WRITE),
+- &ua, NULL))
++ if (kvmppc_tce_to_ua(stt->kvm, tce, &ua, NULL))
+ return H_TOO_HARD;
+
+ list_for_each_entry_rcu(stit, &stt->iommu_tables, next) {
+@@ -552,8 +551,7 @@ long kvmppc_h_put_tce(struct kvm_vcpu *vcpu, unsigned long liobn,
+
+ idx = srcu_read_lock(&vcpu->kvm->srcu);
+
+- if ((dir != DMA_NONE) && kvmppc_gpa_to_ua(vcpu->kvm,
+- tce & ~(TCE_PCI_READ | TCE_PCI_WRITE), &ua, NULL)) {
++ if ((dir != DMA_NONE) && kvmppc_tce_to_ua(vcpu->kvm, tce, &ua, NULL)) {
+ ret = H_PARAMETER;
+ goto unlock_exit;
+ }
+@@ -614,7 +612,7 @@ long kvmppc_h_put_tce_indirect(struct kvm_vcpu *vcpu,
+ return ret;
+
+ idx = srcu_read_lock(&vcpu->kvm->srcu);
+- if (kvmppc_gpa_to_ua(vcpu->kvm, tce_list, &ua, NULL)) {
++ if (kvmppc_tce_to_ua(vcpu->kvm, tce_list, &ua, NULL)) {
+ ret = H_TOO_HARD;
+ goto unlock_exit;
+ }
+@@ -649,9 +647,7 @@ long kvmppc_h_put_tce_indirect(struct kvm_vcpu *vcpu,
+ }
+ tce = be64_to_cpu(tce);
+
+- if (kvmppc_gpa_to_ua(vcpu->kvm,
+- tce & ~(TCE_PCI_READ | TCE_PCI_WRITE),
+- &ua, NULL))
++ if (kvmppc_tce_to_ua(vcpu->kvm, tce, &ua, NULL))
+ return H_PARAMETER;
+
+ list_for_each_entry_lockless(stit, &stt->iommu_tables, next) {
+diff --git a/arch/powerpc/kvm/book3s_64_vio_hv.c b/arch/powerpc/kvm/book3s_64_vio_hv.c
+index ae147b5c7571..ec99363fdf54 100644
+--- a/arch/powerpc/kvm/book3s_64_vio_hv.c
++++ b/arch/powerpc/kvm/book3s_64_vio_hv.c
+@@ -111,8 +111,7 @@ static long kvmppc_rm_tce_validate(struct kvmppc_spapr_tce_table *stt,
+ if (iommu_tce_check_gpa(stt->page_shift, gpa))
+ return H_PARAMETER;
+
+- if (kvmppc_gpa_to_ua(stt->kvm, tce & ~(TCE_PCI_READ | TCE_PCI_WRITE),
+- &ua, NULL))
++ if (kvmppc_tce_to_ua(stt->kvm, tce, &ua, NULL))
+ return H_TOO_HARD;
+
+ list_for_each_entry_lockless(stit, &stt->iommu_tables, next) {
+@@ -182,10 +181,10 @@ void kvmppc_tce_put(struct kvmppc_spapr_tce_table *stt,
+ }
+ EXPORT_SYMBOL_GPL(kvmppc_tce_put);
+
+-long kvmppc_gpa_to_ua(struct kvm *kvm, unsigned long gpa,
++long kvmppc_tce_to_ua(struct kvm *kvm, unsigned long tce,
+ unsigned long *ua, unsigned long **prmap)
+ {
+- unsigned long gfn = gpa >> PAGE_SHIFT;
++ unsigned long gfn = tce >> PAGE_SHIFT;
+ struct kvm_memory_slot *memslot;
+
+ memslot = search_memslots(kvm_memslots(kvm), gfn);
+@@ -193,7 +192,7 @@ long kvmppc_gpa_to_ua(struct kvm *kvm, unsigned long gpa,
+ return -EINVAL;
+
+ *ua = __gfn_to_hva_memslot(memslot, gfn) |
+- (gpa & ~(PAGE_MASK | TCE_PCI_READ | TCE_PCI_WRITE));
++ (tce & ~(PAGE_MASK | TCE_PCI_READ | TCE_PCI_WRITE));
+
+ #ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE
+ if (prmap)
+@@ -202,7 +201,7 @@ long kvmppc_gpa_to_ua(struct kvm *kvm, unsigned long gpa,
+
+ return 0;
+ }
+-EXPORT_SYMBOL_GPL(kvmppc_gpa_to_ua);
++EXPORT_SYMBOL_GPL(kvmppc_tce_to_ua);
+
+ #ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE
+ static long iommu_tce_xchg_rm(struct mm_struct *mm, struct iommu_table *tbl,
+@@ -391,8 +390,7 @@ long kvmppc_rm_h_put_tce(struct kvm_vcpu *vcpu, unsigned long liobn,
+ return ret;
+
+ dir = iommu_tce_direction(tce);
+- if ((dir != DMA_NONE) && kvmppc_gpa_to_ua(vcpu->kvm,
+- tce & ~(TCE_PCI_READ | TCE_PCI_WRITE), &ua, NULL))
++ if ((dir != DMA_NONE) && kvmppc_tce_to_ua(vcpu->kvm, tce, &ua, NULL))
+ return H_PARAMETER;
+
+ entry = ioba >> stt->page_shift;
+@@ -494,7 +492,7 @@ long kvmppc_rm_h_put_tce_indirect(struct kvm_vcpu *vcpu,
+ */
+ struct mm_iommu_table_group_mem_t *mem;
+
+- if (kvmppc_gpa_to_ua(vcpu->kvm, tce_list, &ua, NULL))
++ if (kvmppc_tce_to_ua(vcpu->kvm, tce_list, &ua, NULL))
+ return H_TOO_HARD;
+
+ mem = mm_iommu_lookup_rm(vcpu->kvm->mm, ua, IOMMU_PAGE_SIZE_4K);
+@@ -510,7 +508,7 @@ long kvmppc_rm_h_put_tce_indirect(struct kvm_vcpu *vcpu,
+ * We do not require memory to be preregistered in this case
+ * so lock rmap and do __find_linux_pte_or_hugepte().
+ */
+- if (kvmppc_gpa_to_ua(vcpu->kvm, tce_list, &ua, &rmap))
++ if (kvmppc_tce_to_ua(vcpu->kvm, tce_list, &ua, &rmap))
+ return H_TOO_HARD;
+
+ rmap = (void *) vmalloc_to_phys(rmap);
+@@ -544,9 +542,7 @@ long kvmppc_rm_h_put_tce_indirect(struct kvm_vcpu *vcpu,
+ unsigned long tce = be64_to_cpu(((u64 *)tces)[i]);
+
+ ua = 0;
+- if (kvmppc_gpa_to_ua(vcpu->kvm,
+- tce & ~(TCE_PCI_READ | TCE_PCI_WRITE),
+- &ua, NULL))
++ if (kvmppc_tce_to_ua(vcpu->kvm, tce, &ua, NULL))
+ return H_PARAMETER;
+
+ list_for_each_entry_lockless(stit, &stt->iommu_tables, next) {
+--
+2.20.1
+
diff --git a/patches.arch/KVM-PPC-Validate-TCEs-against-preregistered-memory-p.patch b/patches.arch/KVM-PPC-Validate-TCEs-against-preregistered-memory-p.patch
new file mode 100644
index 0000000000..ab3fa03dcc
--- /dev/null
+++ b/patches.arch/KVM-PPC-Validate-TCEs-against-preregistered-memory-p.patch
@@ -0,0 +1,190 @@
+From 42de7b9e216728edbe53e0c4513e06fe3d566c5d Mon Sep 17 00:00:00 2001
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Date: Mon, 10 Sep 2018 18:29:10 +1000
+Subject: [PATCH] KVM: PPC: Validate TCEs against preregistered memory page
+ sizes
+
+References: bsc#1061840
+Patch-mainline: v4.20-rc1
+Git-commit: 42de7b9e216728edbe53e0c4513e06fe3d566c5d
+
+The userspace can request an arbitrary supported page size for a DMA
+window and this works fine as long as the mapped memory is backed with
+the pages of the same or bigger size; if this is not the case,
+mm_iommu_ua_to_hpa{_rm}() fail and tables do not populated with
+dangerously incorrect TCEs.
+
+However since it is quite easy to misconfigure the KVM and we do not do
+reverts to all changes made to TCE tables if an error happens in a middle,
+we better do the acceptable page size validation before we even touch
+the tables.
+
+This enhances kvmppc_tce_validate() to check the hardware IOMMU page sizes
+against the preregistered memory page sizes.
+
+Since the new check uses real/virtual mode helpers, this renames
+kvmppc_tce_validate() to kvmppc_rm_tce_validate() to handle the real mode
+case and mirrors it for the virtual mode under the old name. The real
+mode handler is not used for the virtual mode as:
+1. it uses _lockless() list traversing primitives instead of RCU;
+2. realmode's mm_iommu_ua_to_hpa_rm() uses vmalloc_to_phys() which
+virtual mode does not have to use and since on POWER9+radix only virtual
+mode handlers actually work, we do not want to slow down that path even
+a bit.
+
+This removes EXPORT_SYMBOL_GPL(kvmppc_tce_validate) as the validators
+are static now.
+
+From now on the attempts on mapping IOMMU pages bigger than allowed
+will result in KVM exit.
+
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
+[mpe: Fix KVM_HV=n build]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/include/asm/kvm_ppc.h | 2 --
+ arch/powerpc/kvm/book3s_64_vio.c | 35 +++++++++++++++++++++++++++++
+ arch/powerpc/kvm/book3s_64_vio_hv.c | 32 ++++++++++++++++++++------
+ 3 files changed, 60 insertions(+), 9 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/kvm_ppc.h b/arch/powerpc/include/asm/kvm_ppc.h
+index e991821dd7fa..2f5d431e438b 100644
+--- a/arch/powerpc/include/asm/kvm_ppc.h
++++ b/arch/powerpc/include/asm/kvm_ppc.h
+@@ -194,8 +194,6 @@ extern struct kvmppc_spapr_tce_table *kvmppc_find_table(
+ (iommu_tce_check_ioba((stt)->page_shift, (stt)->offset, \
+ (stt)->size, (ioba), (npages)) ? \
+ H_PARAMETER : H_SUCCESS)
+-extern long kvmppc_tce_validate(struct kvmppc_spapr_tce_table *tt,
+- unsigned long tce);
+ extern long kvmppc_gpa_to_ua(struct kvm *kvm, unsigned long gpa,
+ unsigned long *ua, unsigned long **prmap);
+ extern void kvmppc_tce_put(struct kvmppc_spapr_tce_table *tt,
+diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c
+index 984cec822a98..01e1994daff0 100644
+--- a/arch/powerpc/kvm/book3s_64_vio.c
++++ b/arch/powerpc/kvm/book3s_64_vio.c
+@@ -363,6 +363,41 @@ long kvm_vm_ioctl_create_spapr_tce(struct kvm *kvm,
+ return ret;
+ }
+
++static long kvmppc_tce_validate(struct kvmppc_spapr_tce_table *stt,
++ unsigned long tce)
++{
++ unsigned long gpa = tce & ~(TCE_PCI_READ | TCE_PCI_WRITE);
++ enum dma_data_direction dir = iommu_tce_direction(tce);
++ struct kvmppc_spapr_tce_iommu_table *stit;
++ unsigned long ua = 0;
++
++ /* Allow userspace to poison TCE table */
++ if (dir == DMA_NONE)
++ return H_SUCCESS;
++
++ if (iommu_tce_check_gpa(stt->page_shift, gpa))
++ return H_TOO_HARD;
++
++ if (kvmppc_gpa_to_ua(stt->kvm, tce & ~(TCE_PCI_READ | TCE_PCI_WRITE),
++ &ua, NULL))
++ return H_TOO_HARD;
++
++ list_for_each_entry_rcu(stit, &stt->iommu_tables, next) {
++ unsigned long hpa = 0;
++ struct mm_iommu_table_group_mem_t *mem;
++ long shift = stit->tbl->it_page_shift;
++
++ mem = mm_iommu_lookup(stt->kvm->mm, ua, 1ULL << shift);
++ if (!mem)
++ return H_TOO_HARD;
++
++ if (mm_iommu_ua_to_hpa(mem, ua, shift, &hpa))
++ return H_TOO_HARD;
++ }
++
++ return H_SUCCESS;
++}
++
+ static void kvmppc_clear_tce(struct iommu_table *tbl, unsigned long entry)
+ {
+ unsigned long hpa = 0;
+diff --git a/arch/powerpc/kvm/book3s_64_vio_hv.c b/arch/powerpc/kvm/book3s_64_vio_hv.c
+index 7388b660e648..3c05fc22de07 100644
+--- a/arch/powerpc/kvm/book3s_64_vio_hv.c
++++ b/arch/powerpc/kvm/book3s_64_vio_hv.c
+@@ -87,6 +87,7 @@ struct kvmppc_spapr_tce_table *kvmppc_find_table(struct kvm *kvm,
+ }
+ EXPORT_SYMBOL_GPL(kvmppc_find_table);
+
++#ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE
+ /*
+ * Validates TCE address.
+ * At the moment flags and page mask are validated.
+@@ -94,14 +95,14 @@ EXPORT_SYMBOL_GPL(kvmppc_find_table);
+ * to the table and user space is supposed to process them), we can skip
+ * checking other things (such as TCE is a guest RAM address or the page
+ * was actually allocated).
+- *
+- * WARNING: This will be called in real-mode on HV KVM and virtual
+- * mode on PR KVM
+ */
+-long kvmppc_tce_validate(struct kvmppc_spapr_tce_table *stt, unsigned long tce)
++static long kvmppc_rm_tce_validate(struct kvmppc_spapr_tce_table *stt,
++ unsigned long tce)
+ {
+ unsigned long gpa = tce & ~(TCE_PCI_READ | TCE_PCI_WRITE);
+ enum dma_data_direction dir = iommu_tce_direction(tce);
++ struct kvmppc_spapr_tce_iommu_table *stit;
++ unsigned long ua = 0;
+
+ /* Allow userspace to poison TCE table */
+ if (dir == DMA_NONE)
+@@ -110,9 +111,26 @@ long kvmppc_tce_validate(struct kvmppc_spapr_tce_table *stt, unsigned long tce)
+ if (iommu_tce_check_gpa(stt->page_shift, gpa))
+ return H_PARAMETER;
+
++ if (kvmppc_gpa_to_ua(stt->kvm, tce & ~(TCE_PCI_READ | TCE_PCI_WRITE),
++ &ua, NULL))
++ return H_TOO_HARD;
++
++ list_for_each_entry_lockless(stit, &stt->iommu_tables, next) {
++ unsigned long hpa = 0;
++ struct mm_iommu_table_group_mem_t *mem;
++ long shift = stit->tbl->it_page_shift;
++
++ mem = mm_iommu_lookup_rm(stt->kvm->mm, ua, 1ULL << shift);
++ if (!mem)
++ return H_TOO_HARD;
++
++ if (mm_iommu_ua_to_hpa_rm(mem, ua, shift, &hpa))
++ return H_TOO_HARD;
++ }
++
+ return H_SUCCESS;
+ }
+-EXPORT_SYMBOL_GPL(kvmppc_tce_validate);
++#endif /* CONFIG_KVM_BOOK3S_HV_POSSIBLE */
+
+ /* Note on the use of page_address() in real mode,
+ *
+@@ -368,7 +386,7 @@ long kvmppc_rm_h_put_tce(struct kvm_vcpu *vcpu, unsigned long liobn,
+ if (ret != H_SUCCESS)
+ return ret;
+
+- ret = kvmppc_tce_validate(stt, tce);
++ ret = kvmppc_rm_tce_validate(stt, tce);
+ if (ret != H_SUCCESS)
+ return ret;
+
+@@ -521,7 +539,7 @@ long kvmppc_rm_h_put_tce_indirect(struct kvm_vcpu *vcpu,
+ for (i = 0; i < npages; ++i) {
+ unsigned long tce = be64_to_cpu(((u64 *)tces)[i]);
+
+- ret = kvmppc_tce_validate(stt, tce);
++ ret = kvmppc_rm_tce_validate(stt, tce);
+ if (ret != H_SUCCESS)
+ goto unlock_exit;
+ }
+--
+2.20.1
+
diff --git a/patches.arch/KVM-PPC-Validate-all-tces-before-updating-tables.patch b/patches.arch/KVM-PPC-Validate-all-tces-before-updating-tables.patch
new file mode 100644
index 0000000000..25d89c7425
--- /dev/null
+++ b/patches.arch/KVM-PPC-Validate-all-tces-before-updating-tables.patch
@@ -0,0 +1,75 @@
+From e199ad2bf5cf7a6d15747a97da4ec1084bd6aae1 Mon Sep 17 00:00:00 2001
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Date: Mon, 10 Sep 2018 18:29:08 +1000
+Subject: [PATCH] KVM: PPC: Validate all tces before updating tables
+
+References: bsc#1061840
+Patch-mainline: v4.20-rc1
+Git-commit: e199ad2bf5cf7a6d15747a97da4ec1084bd6aae1
+
+The KVM TCE handlers are written in a way so they fail when either
+something went horribly wrong or the userspace did some obvious mistake
+such as passing a misaligned address.
+
+We are going to enhance the TCE checker to fail on attempts to map bigger
+IOMMU page than the underlying pinned memory so let's valitate TCE
+beforehand.
+
+This should cause no behavioral change.
+
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/kvm/book3s_64_vio.c | 18 ++++++++++++++++++
+ arch/powerpc/kvm/book3s_64_vio_hv.c | 4 ++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c
+index 9a3f2646ecc7..3c17977ffea6 100644
+--- a/arch/powerpc/kvm/book3s_64_vio.c
++++ b/arch/powerpc/kvm/book3s_64_vio.c
+@@ -599,6 +599,24 @@ long kvmppc_h_put_tce_indirect(struct kvm_vcpu *vcpu,
+ ret = kvmppc_tce_validate(stt, tce);
+ if (ret != H_SUCCESS)
+ goto unlock_exit;
++ }
++
++ for (i = 0; i < npages; ++i) {
++ /*
++ * This looks unsafe, because we validate, then regrab
++ * the TCE from userspace which could have been changed by
++ * another thread.
++ *
++ * But it actually is safe, because the relevant checks will be
++ * re-executed in the following code. If userspace tries to
++ * change this dodgily it will result in a messier failure mode
++ * but won't threaten the host.
++ */
++ if (get_user(tce, tces + i)) {
++ ret = H_TOO_HARD;
++ goto unlock_exit;
++ }
++ tce = be64_to_cpu(tce);
+
+ if (kvmppc_gpa_to_ua(vcpu->kvm,
+ tce & ~(TCE_PCI_READ | TCE_PCI_WRITE),
+diff --git a/arch/powerpc/kvm/book3s_64_vio_hv.c b/arch/powerpc/kvm/book3s_64_vio_hv.c
+index 6821ead4b4eb..c2848e0b1b71 100644
+--- a/arch/powerpc/kvm/book3s_64_vio_hv.c
++++ b/arch/powerpc/kvm/book3s_64_vio_hv.c
+@@ -524,6 +524,10 @@ long kvmppc_rm_h_put_tce_indirect(struct kvm_vcpu *vcpu,
+ ret = kvmppc_tce_validate(stt, tce);
+ if (ret != H_SUCCESS)
+ goto unlock_exit;
++ }
++
++ for (i = 0; i < npages; ++i) {
++ unsigned long tce = be64_to_cpu(((u64 *)tces)[i]);
+
+ ua = 0;
+ if (kvmppc_gpa_to_ua(vcpu->kvm,
+--
+2.20.1
+
diff --git a/patches.drivers/ALSA-hda-realtek-Set-default-power-save-node-to-0.patch b/patches.drivers/ALSA-hda-realtek-Set-default-power-save-node-to-0.patch
new file mode 100644
index 0000000000..22d4ffacbb
--- /dev/null
+++ b/patches.drivers/ALSA-hda-realtek-Set-default-power-save-node-to-0.patch
@@ -0,0 +1,39 @@
+From 317d9313925cd8388304286c0d3c8dda7f060a2d Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Thu, 23 May 2019 14:43:04 +0800
+Subject: [PATCH] ALSA: hda/realtek - Set default power save node to 0
+Git-commit: 317d9313925cd8388304286c0d3c8dda7f060a2d
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+I measured power consumption between power_save_node=1 and power_save_node=0.
+It's almost the same.
+Codec will enter to runtime suspend and suspend.
+That pin also will enter to D3. Don't need to enter to D3 by single pin.
+So, Disable power_save_node as default. It will avoid more issues.
+Windows Driver also has not this option at runtime PM.
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index b984bd1d1971..1ca2a83b65cd 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -7711,7 +7711,7 @@ static int patch_alc269(struct hda_codec *codec)
+
+ spec = codec->spec;
+ spec->gen.shared_mic_vref_pin = 0x18;
+- codec->power_save_node = 1;
++ codec->power_save_node = 0;
+
+ #ifdef CONFIG_PM
+ codec->patch_ops.suspend = alc269_suspend;
+--
+2.16.4
+
diff --git a/patches.drivers/ASoC-eukrea-tlv320-fix-a-leaked-reference-by-adding-.patch b/patches.drivers/ASoC-eukrea-tlv320-fix-a-leaked-reference-by-adding-.patch
new file mode 100644
index 0000000000..917e8e58a2
--- /dev/null
+++ b/patches.drivers/ASoC-eukrea-tlv320-fix-a-leaked-reference-by-adding-.patch
@@ -0,0 +1,53 @@
+From b820d52e7eed7b30b2dfef5f4213a2bc3cbea6f3 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Tue, 26 Feb 2019 16:17:51 +0800
+Subject: [PATCH] ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put
+Git-commit: b820d52e7eed7b30b2dfef5f4213a2bc3cbea6f3
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The call to of_parse_phandle returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./sound/soc/fsl/eukrea-tlv320.c:121:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 102, but without a correspo nding object release within this function.
+./sound/soc/fsl/eukrea-tlv320.c:127:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 102, but without a correspo nding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Cc: alsa-devel@alsa-project.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/soc/fsl/eukrea-tlv320.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/fsl/eukrea-tlv320.c b/sound/soc/fsl/eukrea-tlv320.c
+index 191426a6d9ad..30a3d68b5c03 100644
+--- a/sound/soc/fsl/eukrea-tlv320.c
++++ b/sound/soc/fsl/eukrea-tlv320.c
+@@ -118,13 +118,13 @@ static int eukrea_tlv320_probe(struct platform_device *pdev)
+ if (ret) {
+ dev_err(&pdev->dev,
+ "fsl,mux-int-port node missing or invalid.\n");
+- return ret;
++ goto err;
+ }
+ ret = of_property_read_u32(np, "fsl,mux-ext-port", &ext_port);
+ if (ret) {
+ dev_err(&pdev->dev,
+ "fsl,mux-ext-port node missing or invalid.\n");
+- return ret;
++ goto err;
+ }
+
+ /*
+--
+2.16.4
+
diff --git a/patches.drivers/ASoC-fsl_sai-Update-is_slave_mode-with-correct-value.patch b/patches.drivers/ASoC-fsl_sai-Update-is_slave_mode-with-correct-value.patch
new file mode 100644
index 0000000000..9c5280adb8
--- /dev/null
+++ b/patches.drivers/ASoC-fsl_sai-Update-is_slave_mode-with-correct-value.patch
@@ -0,0 +1,49 @@
+From ddb351145a967ee791a0fb0156852ec2fcb746ba Mon Sep 17 00:00:00 2001
+From: Daniel Baluta <daniel.baluta@nxp.com>
+Date: Sun, 21 Apr 2019 19:39:08 +0000
+Subject: [PATCH] ASoC: fsl_sai: Update is_slave_mode with correct value
+Git-commit: ddb351145a967ee791a0fb0156852ec2fcb746ba
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+is_slave_mode defaults to false because sai structure
+that contains it is kzalloc'ed.
+
+Anyhow, if we decide to set the following configuration
+SAI slave -> SAI master, is_slave_mode will remain set on true
+although SAI being master it should be set to false.
+
+Fix this by updating is_slave_mode for each call of
+fsl_sai_set_dai_fmt.
+
+Signed-off-by: Daniel Baluta <daniel.baluta@nxp.com>
+Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/soc/fsl/fsl_sai.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
+index db9e0872f73d..7549b74e464e 100644
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -268,12 +268,14 @@ static int fsl_sai_set_dai_fmt_tr(struct snd_soc_dai *cpu_dai,
+ case SND_SOC_DAIFMT_CBS_CFS:
+ val_cr2 |= FSL_SAI_CR2_BCD_MSTR;
+ val_cr4 |= FSL_SAI_CR4_FSD_MSTR;
++ sai->is_slave_mode = false;
+ break;
+ case SND_SOC_DAIFMT_CBM_CFM:
+ sai->is_slave_mode = true;
+ break;
+ case SND_SOC_DAIFMT_CBS_CFM:
+ val_cr2 |= FSL_SAI_CR2_BCD_MSTR;
++ sai->is_slave_mode = false;
+ break;
+ case SND_SOC_DAIFMT_CBM_CFS:
+ val_cr4 |= FSL_SAI_CR4_FSD_MSTR;
+--
+2.16.4
+
diff --git a/patches.drivers/ASoC-fsl_utils-fix-a-leaked-reference-by-adding-miss.patch b/patches.drivers/ASoC-fsl_utils-fix-a-leaked-reference-by-adding-miss.patch
new file mode 100644
index 0000000000..0c7094812b
--- /dev/null
+++ b/patches.drivers/ASoC-fsl_utils-fix-a-leaked-reference-by-adding-miss.patch
@@ -0,0 +1,49 @@
+From c705247136a523488eac806bd357c3e5d79a7acd Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Tue, 26 Feb 2019 16:17:50 +0800
+Subject: [PATCH] ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put
+Git-commit: c705247136a523488eac806bd357c3e5d79a7acd
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The call to of_parse_phandle returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./sound/soc/fsl/fsl_utils.c:74:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 38, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Timur Tabi <timur@kernel.org>
+Cc: Nicolin Chen <nicoleotsuka@gmail.com>
+Cc: Xiubo Li <Xiubo.Lee@gmail.com>
+Cc: Fabio Estevam <festevam@gmail.com>
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Cc: alsa-devel@alsa-project.org
+Cc: linuxppc-dev@lists.ozlabs.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/soc/fsl/fsl_utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/fsl/fsl_utils.c b/sound/soc/fsl/fsl_utils.c
+index 9981668ab590..040d06b89f00 100644
+--- a/sound/soc/fsl/fsl_utils.c
++++ b/sound/soc/fsl/fsl_utils.c
+@@ -71,6 +71,7 @@ int fsl_asoc_get_dma_channel(struct device_node *ssi_np,
+ iprop = of_get_property(dma_np, "cell-index", NULL);
+ if (!iprop) {
+ of_node_put(dma_np);
++ of_node_put(dma_channel_np);
+ return -EINVAL;
+ }
+ *dma_id = be32_to_cpup(iprop);
+--
+2.16.4
+
diff --git a/patches.drivers/ASoC-hdmi-codec-unlock-the-device-on-startup-errors.patch b/patches.drivers/ASoC-hdmi-codec-unlock-the-device-on-startup-errors.patch
new file mode 100644
index 0000000000..d30ef9a55c
--- /dev/null
+++ b/patches.drivers/ASoC-hdmi-codec-unlock-the-device-on-startup-errors.patch
@@ -0,0 +1,43 @@
+From 30180e8436046344b12813dc954b2e01dfdcd22d Mon Sep 17 00:00:00 2001
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Mon, 29 Apr 2019 15:29:39 +0200
+Subject: [PATCH] ASoC: hdmi-codec: unlock the device on startup errors
+Git-commit: 30180e8436046344b12813dc954b2e01dfdcd22d
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+If the hdmi codec startup fails, it should clear the current_substream
+pointer to free the device. This is properly done for the audio_startup()
+callback but for snd_pcm_hw_constraint_eld().
+
+Make sure the pointer cleared if an error is reported.
+
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/soc/codecs/hdmi-codec.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/hdmi-codec.c b/sound/soc/codecs/hdmi-codec.c
+index 35df73e42cbc..fb2f0ac1f16f 100644
+--- a/sound/soc/codecs/hdmi-codec.c
++++ b/sound/soc/codecs/hdmi-codec.c
+@@ -439,8 +439,12 @@ static int hdmi_codec_startup(struct snd_pcm_substream *substream,
+ if (!ret) {
+ ret = snd_pcm_hw_constraint_eld(substream->runtime,
+ hcp->eld);
+- if (ret)
++ if (ret) {
++ mutex_lock(&hcp->current_stream_lock);
++ hcp->current_stream = NULL;
++ mutex_unlock(&hcp->current_stream_lock);
+ return ret;
++ }
+ }
+ /* Select chmap supported */
+ hdmi_codec_eld_chmap(hcp);
+--
+2.16.4
+
diff --git a/patches.drivers/HID-logitech-hidpp-change-low-battery-level-threshol.patch b/patches.drivers/HID-logitech-hidpp-change-low-battery-level-threshol.patch
new file mode 100644
index 0000000000..8fdf6bb6fa
--- /dev/null
+++ b/patches.drivers/HID-logitech-hidpp-change-low-battery-level-threshol.patch
@@ -0,0 +1,53 @@
+From 1f87b0cd32b3456d7efdfb017fcf74d0bfe3ec29 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 22 Mar 2019 08:41:40 +0100
+Subject: [PATCH] HID: logitech-hidpp: change low battery level threshold from 31 to 30 percent
+Git-commit: 1f87b0cd32b3456d7efdfb017fcf74d0bfe3ec29
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+According to hidpp20_batterylevel_get_battery_info my Logitech K270
+keyboard reports only 2 battery levels. This matches with what I've seen
+after testing with batteries at varying level of fullness, it always
+reports either 5% or 30%.
+
+Windows reports "battery good" for the 30% level. I've captured an USB
+trace of Windows reading the battery and it is getting the same info
+as the Linux hidpp code gets.
+
+Now that Linux handles these devices as hidpp devices, it reports the
+battery as being low as it treats anything under 31% as low, this leads
+to the user constantly getting a "Keyboard battery is low" warning from
+GNOME3, which is very annoying.
+
+This commit fixes this by changing the low threshold to anything under
+30%, which I assume is what Windows does.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hid/hid-logitech-hidpp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
+index cd4b0befc0e8..e5897c292e8c 100644
+--- a/drivers/hid/hid-logitech-hidpp.c
++++ b/drivers/hid/hid-logitech-hidpp.c
+@@ -1004,7 +1004,11 @@ static int hidpp_map_battery_level(int capacity)
+ {
+ if (capacity < 11)
+ return POWER_SUPPLY_CAPACITY_LEVEL_CRITICAL;
+- else if (capacity < 31)
++ /*
++ * The spec says this should be < 31 but some devices report 30
++ * with brand new batteries and Windows reports 30 as "Good".
++ */
++ else if (capacity < 30)
+ return POWER_SUPPLY_CAPACITY_LEVEL_LOW;
+ else if (capacity < 81)
+ return POWER_SUPPLY_CAPACITY_LEVEL_NORMAL;
+--
+2.16.4
+
diff --git a/patches.drivers/HID-logitech-hidpp-use-RAP-instead-of-FAP-to-get-the.patch b/patches.drivers/HID-logitech-hidpp-use-RAP-instead-of-FAP-to-get-the.patch
new file mode 100644
index 0000000000..5a85360aec
--- /dev/null
+++ b/patches.drivers/HID-logitech-hidpp-use-RAP-instead-of-FAP-to-get-the.patch
@@ -0,0 +1,73 @@
+From 096377525cdb8251e4656085efc988bdf733fb4c Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 20 Apr 2019 13:22:10 +0200
+Subject: [PATCH] HID: logitech-hidpp: use RAP instead of FAP to get the protocol version
+Git-commit: 096377525cdb8251e4656085efc988bdf733fb4c
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+According to the logitech_hidpp_2.0_specification_draft_2012-06-04.pdf doc:
+https://lekensteyn.nl/files/logitech/logitech_hidpp_2.0_specification_draft_2012-06-04.pdf
+
+We should use a register-access-protocol request using the short input /
+output report ids. This is necessary because 27MHz HID++ receivers have
+a max-packetsize on their HIP++ endpoint of 8, so they cannot support
+long reports. Using a feature-access-protocol request (which is always
+long or very-long) with these will cause a timeout error, followed by
+the hidpp driver treating the device as not being HID++ capable.
+
+This commit fixes this by switching to using a rap request to get the
+protocol version.
+
+Besides being tested with a (046d:c517) 27MHz receiver with various
+27MHz keyboards and mice, this has also been tested to not cause
+regressions on a non-unifying dual-HID++ nano receiver (046d:c534) with
+k270 and m185 HID++-2.0 devices connected and on a unifying/dj receiver
+(046d:c52b) with a HID++-2.0 Logitech Rechargeable Touchpad T650.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hid/hid-logitech-hidpp.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/hid-logitech-hidpp.c
++++ b/drivers/hid/hid-logitech-hidpp.c
+@@ -725,13 +725,16 @@ static int hidpp_root_get_feature(struct
+
+ static int hidpp_root_get_protocol_version(struct hidpp_device *hidpp)
+ {
++ const u8 ping_byte = 0x5a;
++ u8 ping_data[3] = { 0, 0, ping_byte };
+ struct hidpp_report response;
+ int ret;
+
+- ret = hidpp_send_fap_command_sync(hidpp,
++ ret = hidpp_send_rap_command_sync(hidpp,
++ REPORT_ID_HIDPP_SHORT,
+ HIDPP_PAGE_ROOT_IDX,
+ CMD_ROOT_GET_PROTOCOL_VERSION,
+- NULL, 0, &response);
++ ping_data, sizeof(ping_data), &response);
+
+ if (ret == HIDPP_ERROR_INVALID_SUBID) {
+ hidpp->protocol_major = 1;
+@@ -751,8 +754,14 @@ static int hidpp_root_get_protocol_versi
+ if (ret)
+ return ret;
+
+- hidpp->protocol_major = response.fap.params[0];
+- hidpp->protocol_minor = response.fap.params[1];
++ if (response.rap.params[2] != ping_byte) {
++ hid_err(hidpp->hid_dev, "%s: ping mismatch 0x%02x != 0x%02x\n",
++ __func__, response.rap.params[2], ping_byte);
++ return -EPROTO;
++ }
++
++ hidpp->protocol_major = response.rap.params[0];
++ hidpp->protocol_minor = response.rap.params[1];
+
+ return ret;
+ }
diff --git a/patches.drivers/Staging-vc04_services-Fix-a-couple-error-codes.patch b/patches.drivers/Staging-vc04_services-Fix-a-couple-error-codes.patch
new file mode 100644
index 0000000000..381295d952
--- /dev/null
+++ b/patches.drivers/Staging-vc04_services-Fix-a-couple-error-codes.patch
@@ -0,0 +1,46 @@
+From ca4e4efbefbbdde0a7bb3023ea08d491f4daf9b9 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 13 May 2019 14:07:18 +0300
+Subject: [PATCH] Staging: vc04_services: Fix a couple error codes
+Git-commit: ca4e4efbefbbdde0a7bb3023ea08d491f4daf9b9
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+These are accidentally returning positive EINVAL instead of negative
+-EINVAL. Some of the callers treat positive values as success.
+
+Fixes: 7b3ad5abf027 ("staging: Import the BCM2835 MMAL-based V4L2 camera driver.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/staging/vc04_services/bcm2835-camera/controls.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/controls.c b/drivers/staging/vc04_services/bcm2835-camera/controls.c
+index 9841c30450ce..dade79738a29 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/controls.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/controls.c
+@@ -572,7 +572,7 @@ static int ctrl_set_image_effect(struct bm2835_mmal_dev *dev,
+ dev->colourfx.enable ? "true" : "false",
+ dev->colourfx.u, dev->colourfx.v,
+ ret, (ret == 0 ? 0 : -EINVAL));
+- return (ret == 0 ? 0 : EINVAL);
++ return (ret == 0 ? 0 : -EINVAL);
+ }
+
+ static int ctrl_set_colfx(struct bm2835_mmal_dev *dev,
+@@ -596,7 +596,7 @@ static int ctrl_set_colfx(struct bm2835_mmal_dev *dev,
+ "%s: After: mmal_ctrl:%p ctrl id:0x%x ctrl val:%d ret %d(%d)\n",
+ __func__, mmal_ctrl, ctrl->id, ctrl->val, ret,
+ (ret == 0 ? 0 : -EINVAL));
+- return (ret == 0 ? 0 : EINVAL);
++ return (ret == 0 ? 0 : -EINVAL);
+ }
+
+ static int ctrl_set_bitrate(struct bm2835_mmal_dev *dev,
+--
+2.16.4
+
diff --git a/patches.drivers/USB-Add-LPM-quirk-for-Surface-Dock-GigE-adapter.patch b/patches.drivers/USB-Add-LPM-quirk-for-Surface-Dock-GigE-adapter.patch
new file mode 100644
index 0000000000..26e8a075f2
--- /dev/null
+++ b/patches.drivers/USB-Add-LPM-quirk-for-Surface-Dock-GigE-adapter.patch
@@ -0,0 +1,42 @@
+From ea261113385ac0a71c2838185f39e8452d54b152 Mon Sep 17 00:00:00 2001
+From: Maximilian Luz <luzmaximilian@gmail.com>
+Date: Thu, 16 May 2019 17:08:31 +0200
+Subject: [PATCH] USB: Add LPM quirk for Surface Dock GigE adapter
+Git-commit: ea261113385ac0a71c2838185f39e8452d54b152
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+Without USB_QUIRK_NO_LPM ethernet will not work and rtl8152 will
+complain with
+
+ r8152 <device...>: Stop submitting intr, status -71
+
+Adding the quirk resolves this. As the dock is externally powered, this
+should not have any drawbacks.
+
+Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/core/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
+index 8bc35d53408b..6082b008969b 100644
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -209,6 +209,9 @@ static const struct usb_device_id usb_quirk_list[] = {
+ /* Microsoft LifeCam-VX700 v2.0 */
+ { USB_DEVICE(0x045e, 0x0770), .driver_info = USB_QUIRK_RESET_RESUME },
+
++ /* Microsoft Surface Dock Ethernet (RTL8153 GigE) */
++ { USB_DEVICE(0x045e, 0x07c6), .driver_info = USB_QUIRK_NO_LPM },
++
+ /* Cherry Stream G230 2.0 (G85-231) and 3.0 (G85-232) */
+ { USB_DEVICE(0x046a, 0x0023), .driver_info = USB_QUIRK_RESET_RESUME },
+
+--
+2.16.4
+
diff --git a/patches.drivers/USB-Fix-slab-out-of-bounds-write-in-usb_get_bos_desc.patch b/patches.drivers/USB-Fix-slab-out-of-bounds-write-in-usb_get_bos_desc.patch
new file mode 100644
index 0000000000..0a94b711fa
--- /dev/null
+++ b/patches.drivers/USB-Fix-slab-out-of-bounds-write-in-usb_get_bos_desc.patch
@@ -0,0 +1,43 @@
+From a03ff54460817c76105f81f3aa8ef655759ccc9a Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 13 May 2019 13:14:29 -0400
+Subject: [PATCH] USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor
+Git-commit: a03ff54460817c76105f81f3aa8ef655759ccc9a
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the
+USB core, caused by a failure to check the actual size of a BOS
+descriptor. This patch adds a check to make sure the descriptor is at
+least as large as it is supposed to be, so that the code doesn't
+inadvertently access memory beyond the end of the allocated region
+when assigning to dev->bos->desc->bNumDeviceCaps later on.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/core/config.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
+index 20ff036b4c22..9d6cb709ca7b 100644
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -932,8 +932,8 @@ int usb_get_bos_descriptor(struct usb_device *dev)
+
+ /* Get BOS descriptor */
+ ret = usb_get_descriptor(dev, USB_DT_BOS, 0, bos, USB_DT_BOS_SIZE);
+- if (ret < USB_DT_BOS_SIZE) {
+- dev_err(ddev, "unable to get BOS descriptor\n");
++ if (ret < USB_DT_BOS_SIZE || bos->bLength < USB_DT_BOS_SIZE) {
++ dev_err(ddev, "unable to get BOS descriptor or descriptor too short\n");
+ if (ret >= 0)
+ ret = -ENOMSG;
+ kfree(bos);
+--
+2.16.4
+
diff --git a/patches.drivers/USB-core-Don-t-unbind-interfaces-following-device-re.patch b/patches.drivers/USB-core-Don-t-unbind-interfaces-following-device-re.patch
new file mode 100644
index 0000000000..e48301d226
--- /dev/null
+++ b/patches.drivers/USB-core-Don-t-unbind-interfaces-following-device-re.patch
@@ -0,0 +1,73 @@
+From 381419fa720060ba48b7bbc483be787d5b1dca6f Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 16 Apr 2019 10:50:01 -0400
+Subject: [PATCH] USB: core: Don't unbind interfaces following device reset failure
+Git-commit: 381419fa720060ba48b7bbc483be787d5b1dca6f
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The SCSI core does not like to have devices or hosts unregistered
+while error recovery is in progress. Trying to do so can lead to
+Self-deadlock: Part of the removal code tries to obtain a lock already
+held by the error handler.
+
+This can cause problems for the usb-storage and uas drivers, because
+their error handler routines perform a USB reset, and if the reset
+fails then the USB core automatically goes on to unbind all drivers
+from the device's interfaces -- all while still in the context of the
+SCSI error handler.
+
+As it turns out, practically all the scenarios leading to a USB reset
+failure end up causing a device disconnect (the main error pathway in
+usb_reset_and_verify_device(), at the end of the routine, calls
+hub_port_logical_disconnect() before returning). As a result, the
+hub_wq thread will soon become aware of the problem and will unbind
+all the device's drivers in its own context, not in the
+error-handler's context.
+
+This means that usb_reset_device() does not need to call
+usb_unbind_and_rebind_marked_interfaces() in cases where
+usb_reset_and_verify_device() has returned an error, because hub_wq
+will take care of everything anyway.
+
+This particular problem was observed in somewhat artificial
+circumstances, by using usbfs to tell a hub to power-down a port
+connected to a USB-3 mass storage device using the UAS protocol. With
+the port turned off, the currently executing command timed out and the
+error handler started running. The USB reset naturally failed,
+because the hub port was off, and the error handler deadlocked as
+described above. Not carrying out the call to
+usb_unbind_and_rebind_marked_interfaces() fixes this issue.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Kento Kobayashi <Kento.A.Kobayashi@sony.com>
+Tested-by: Kento Kobayashi <Kento.A.Kobayashi@sony.com>
+Cc: Bart Van Assche <bvanassche@acm.org>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: Jacky Cao <Jacky.Cao@sony.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/core/hub.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 15a2934dc29d..1949134f72e6 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5901,7 +5901,10 @@ int usb_reset_device(struct usb_device *udev)
+ cintf->needs_binding = 1;
+ }
+ }
+- usb_unbind_and_rebind_marked_interfaces(udev);
++
++ /* If the reset failed, hub_wq will unbind drivers later */
++ if (ret == 0)
++ usb_unbind_and_rebind_marked_interfaces(udev);
+ }
+
+ usb_autosuspend_device(udev);
+--
+2.16.4
+
diff --git a/patches.drivers/USB-rio500-fix-memory-leak-in-close-after-disconnect.patch b/patches.drivers/USB-rio500-fix-memory-leak-in-close-after-disconnect.patch
new file mode 100644
index 0000000000..d3744d4d86
--- /dev/null
+++ b/patches.drivers/USB-rio500-fix-memory-leak-in-close-after-disconnect.patch
@@ -0,0 +1,52 @@
+From e0feb73428b69322dd5caae90b0207de369b5575 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 9 May 2019 11:30:59 +0200
+Subject: [PATCH] USB: rio500: fix memory leak in close after disconnect
+Git-commit: e0feb73428b69322dd5caae90b0207de369b5575
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+If a disconnected device is closed, rio_close() must free
+the buffers.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/misc/rio500.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/misc/rio500.c b/drivers/usb/misc/rio500.c
+index 1d397d93d127..a32d61a79ab8 100644
+--- a/drivers/usb/misc/rio500.c
++++ b/drivers/usb/misc/rio500.c
+@@ -86,9 +86,22 @@ static int close_rio(struct inode *inode, struct file *file)
+ {
+ struct rio_usb_data *rio = &rio_instance;
+
+- rio->isopen = 0;
++ /* against disconnect() */
++ mutex_lock(&rio500_mutex);
++ mutex_lock(&(rio->lock));
+
+- dev_info(&rio->rio_dev->dev, "Rio closed.\n");
++ rio->isopen = 0;
++ if (!rio->present) {
++ /* cleanup has been delayed */
++ kfree(rio->ibuf);
++ kfree(rio->obuf);
++ rio->ibuf = NULL;
++ rio->obuf = NULL;
++ } else {
++ dev_info(&rio->rio_dev->dev, "Rio closed.\n");
++ }
++ mutex_unlock(&(rio->lock));
++ mutex_unlock(&rio500_mutex);
+ return 0;
+ }
+
+--
+2.16.4
+
diff --git a/patches.drivers/USB-rio500-refuse-more-than-one-device-at-a-time.patch b/patches.drivers/USB-rio500-refuse-more-than-one-device-at-a-time.patch
new file mode 100644
index 0000000000..ba7264c1a6
--- /dev/null
+++ b/patches.drivers/USB-rio500-refuse-more-than-one-device-at-a-time.patch
@@ -0,0 +1,88 @@
+From 3864d33943b4a76c6e64616280e98d2410b1190f Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 9 May 2019 11:30:58 +0200
+Subject: [PATCH] USB: rio500: refuse more than one device at a time
+Git-commit: 3864d33943b4a76c6e64616280e98d2410b1190f
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+This driver is using a global variable. It cannot handle more than
+one device at a time. The issue has been existing since the dawn
+of the driver.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+35f04d136fc975a70da4@syzkaller.appspotmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/misc/rio500.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/usb/misc/rio500.c b/drivers/usb/misc/rio500.c
+index 7b9adeb3e7aa..1d397d93d127 100644
+--- a/drivers/usb/misc/rio500.c
++++ b/drivers/usb/misc/rio500.c
+@@ -447,15 +447,23 @@ static int probe_rio(struct usb_interface *intf,
+ {
+ struct usb_device *dev = interface_to_usbdev(intf);
+ struct rio_usb_data *rio = &rio_instance;
+- int retval;
++ int retval = 0;
+
+- dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum);
++ mutex_lock(&rio500_mutex);
++ if (rio->present) {
++ dev_info(&intf->dev, "Second USB Rio at address %d refused\n", dev->devnum);
++ retval = -EBUSY;
++ goto bail_out;
++ } else {
++ dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum);
++ }
+
+ retval = usb_register_dev(intf, &usb_rio_class);
+ if (retval) {
+ dev_err(&dev->dev,
+ "Not able to get a minor for this device.\n");
+- return -ENOMEM;
++ retval = -ENOMEM;
++ goto bail_out;
+ }
+
+ rio->rio_dev = dev;
+@@ -464,7 +472,8 @@ static int probe_rio(struct usb_interface *intf,
+ dev_err(&dev->dev,
+ "probe_rio: Not enough memory for the output buffer\n");
+ usb_deregister_dev(intf, &usb_rio_class);
+- return -ENOMEM;
++ retval = -ENOMEM;
++ goto bail_out;
+ }
+ dev_dbg(&intf->dev, "obuf address:%p\n", rio->obuf);
+
+@@ -473,7 +482,8 @@ static int probe_rio(struct usb_interface *intf,
+ "probe_rio: Not enough memory for the input buffer\n");
+ usb_deregister_dev(intf, &usb_rio_class);
+ kfree(rio->obuf);
+- return -ENOMEM;
++ retval = -ENOMEM;
++ goto bail_out;
+ }
+ dev_dbg(&intf->dev, "ibuf address:%p\n", rio->ibuf);
+
+@@ -481,8 +491,10 @@ static int probe_rio(struct usb_interface *intf,
+
+ usb_set_intfdata (intf, rio);
+ rio->present = 1;
++bail_out:
++ mutex_unlock(&rio500_mutex);
+
+- return 0;
++ return retval;
+ }
+
+ static void disconnect_rio(struct usb_interface *intf)
+--
+2.16.4
+
diff --git a/patches.drivers/USB-sisusbvga-fix-oops-in-error-path-of-sisusb_probe.patch b/patches.drivers/USB-sisusbvga-fix-oops-in-error-path-of-sisusb_probe.patch
new file mode 100644
index 0000000000..442fd98e66
--- /dev/null
+++ b/patches.drivers/USB-sisusbvga-fix-oops-in-error-path-of-sisusb_probe.patch
@@ -0,0 +1,60 @@
+From 9a5729f68d3a82786aea110b1bfe610be318f80a Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 9 May 2019 14:41:50 +0200
+Subject: [PATCH] USB: sisusbvga: fix oops in error path of sisusb_probe
+Git-commit: 9a5729f68d3a82786aea110b1bfe610be318f80a
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+The pointer used to log a failure of usb_register_dev() must
+be set before the error is logged.
+
+V2: fix that minor is not available before registration
+
+Signed-off-by: oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+a0cbdbd6d169020c8959@syzkaller.appspotmail.com
+Fixes: 7b5cd5fefbe02 ("USB: SisUSB2VGA: Convert printk to dev_* macros")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/misc/sisusbvga/sisusb.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/usb/misc/sisusbvga/sisusb.c b/drivers/usb/misc/sisusbvga/sisusb.c
+index 9560fde621ee..ea06f1fed6fa 100644
+--- a/drivers/usb/misc/sisusbvga/sisusb.c
++++ b/drivers/usb/misc/sisusbvga/sisusb.c
+@@ -3029,6 +3029,13 @@ static int sisusb_probe(struct usb_interface *intf,
+
+ mutex_init(&(sisusb->lock));
+
++ sisusb->sisusb_dev = dev;
++ sisusb->vrambase = SISUSB_PCI_MEMBASE;
++ sisusb->mmiobase = SISUSB_PCI_MMIOBASE;
++ sisusb->mmiosize = SISUSB_PCI_MMIOSIZE;
++ sisusb->ioportbase = SISUSB_PCI_IOPORTBASE;
++ /* Everything else is zero */
++
+ /* Register device */
+ retval = usb_register_dev(intf, &usb_sisusb_class);
+ if (retval) {
+@@ -3039,13 +3046,7 @@ static int sisusb_probe(struct usb_interface *intf,
+ goto error_1;
+ }
+
+- sisusb->sisusb_dev = dev;
+- sisusb->minor = intf->minor;
+- sisusb->vrambase = SISUSB_PCI_MEMBASE;
+- sisusb->mmiobase = SISUSB_PCI_MMIOBASE;
+- sisusb->mmiosize = SISUSB_PCI_MMIOSIZE;
+- sisusb->ioportbase = SISUSB_PCI_IOPORTBASE;
+- /* Everything else is zero */
++ sisusb->minor = intf->minor;
+
+ /* Allocate buffers */
+ sisusb->ibufsize = SISUSB_IBUF_SIZE;
+--
+2.16.4
+
diff --git a/patches.drivers/brcmfmac-convert-dev_init_lock-mutex-to-completion.patch b/patches.drivers/brcmfmac-convert-dev_init_lock-mutex-to-completion.patch
new file mode 100644
index 0000000000..0658bdacff
--- /dev/null
+++ b/patches.drivers/brcmfmac-convert-dev_init_lock-mutex-to-completion.patch
@@ -0,0 +1,192 @@
+From a9fd0953fa4a62887306be28641b4b0809f3b2fd Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Wed, 13 Mar 2019 09:52:42 +0000
+Subject: [PATCH] brcmfmac: convert dev_init_lock mutex to completion
+Git-commit: a9fd0953fa4a62887306be28641b4b0809f3b2fd
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Leaving dev_init_lock mutex locked in probe causes BUG and a WARNING when
+kernel is compiled with CONFIG_PROVE_LOCKING. Convert mutex to completion
+which silences those warnings and improves code readability.
+
+Fix below errors when connecting the USB WiFi dongle:
+
+Brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43143 for chip BCM43143/2
+Bug: workqueue leaked lock or atomic: kworker/0:2/0x00000000/434 last function: hub_event
+1 lock held by kworker/0:2/434:
+ #0: 18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
+Cpu: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+Workqueue: usb_hub_wq hub_event
+[<8011237c>] (unwind_backtrace) from [<8010d74c>] (show_stack+0x10/0x14)
+[<8010d74c>] (show_stack) from [<809c4324>] (dump_stack+0xa8/0xd4)
+[<809c4324>] (dump_stack) from [<8014195c>] (process_one_work+0x710/0x808)
+[<8014195c>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
+[<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
+[<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+Exception stack(0xed1d9fb0 to 0xed1d9ff8)
+9fa0: 00000000 00000000 00000000 00000000
+9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+
+======================================================
+Warning: possible circular locking dependency detected
+4.19.23-00084-g454a789-dirty #123 Not tainted
+
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+------------------------------------------------------
+kworker/0:2/434 is trying to acquire lock:
+e29cf799 ((wq_completion)"events"){+.+.}, at: process_one_work+0x174/0x808
+
+but task is already holding lock:
+18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #2 (&devinfo->dev_init_lock){+.+.}:
+ mutex_lock_nested+0x1c/0x24
+ brcmf_usb_probe+0x78/0x550 [brcmfmac]
+ usb_probe_interface+0xc0/0x1bc
+ really_probe+0x228/0x2c0
+ __driver_attach+0xe4/0xe8
+ bus_for_each_dev+0x68/0xb4
+ bus_add_driver+0x19c/0x214
+ driver_register+0x78/0x110
+ usb_register_driver+0x84/0x148
+ process_one_work+0x228/0x808
+ worker_thread+0x2c/0x564
+ kthread+0x13c/0x16c
+ ret_from_fork+0x14/0x20
+ (null)
+
+-> #1 (brcmf_driver_work){+.+.}:
+ worker_thread+0x2c/0x564
+ kthread+0x13c/0x16c
+ ret_from_fork+0x14/0x20
+ (null)
+
+-> #0 ((wq_completion)"events"){+.+.}:
+ process_one_work+0x1b8/0x808
+ worker_thread+0x2c/0x564
+ kthread+0x13c/0x16c
+ ret_from_fork+0x14/0x20
+ (null)
+
+other info that might help us debug this:
+
+Chain exists of:
+ (wq_completion)"events" --> brcmf_driver_work --> &devinfo->dev_init_lock
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&devinfo->dev_init_lock);
+ lock(brcmf_driver_work);
+ lock(&devinfo->dev_init_lock);
+ lock((wq_completion)"events");
+
+ *** DEADLOCK ***
+
+1 lock held by kworker/0:2/434:
+ #0: 18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
+
+stack backtrace:
+CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+Workqueue: events request_firmware_work_func
+[<8011237c>] (unwind_backtrace) from [<8010d74c>] (show_stack+0x10/0x14)
+[<8010d74c>] (show_stack) from [<809c4324>] (dump_stack+0xa8/0xd4)
+[<809c4324>] (dump_stack) from [<80172838>] (print_circular_bug+0x210/0x330)
+[<80172838>] (print_circular_bug) from [<80175940>] (__lock_acquire+0x160c/0x1a30)
+[<80175940>] (__lock_acquire) from [<8017671c>] (lock_acquire+0xe0/0x268)
+[<8017671c>] (lock_acquire) from [<80141404>] (process_one_work+0x1b8/0x808)
+[<80141404>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
+[<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
+[<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+Exception stack(0xed1d9fb0 to 0xed1d9ff8)
+9fa0: 00000000 00000000 00000000 00000000
+9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+index c00b9fd8876b..75fcd6752edc 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+@@ -160,7 +160,7 @@ struct brcmf_usbdev_info {
+
+ struct usb_device *usbdev;
+ struct device *dev;
+- struct mutex dev_init_lock;
++ struct completion dev_init_done;
+
+ int ctl_in_pipe, ctl_out_pipe;
+ struct urb *ctl_urb; /* URB for control endpoint */
+@@ -1194,11 +1194,11 @@ static void brcmf_usb_probe_phase2(struct device *dev, int ret,
+ if (ret)
+ goto error;
+
+- mutex_unlock(&devinfo->dev_init_lock);
++ complete(&devinfo->dev_init_done);
+ return;
+ error:
+ brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), ret);
+- mutex_unlock(&devinfo->dev_init_lock);
++ complete(&devinfo->dev_init_done);
+ device_release_driver(dev);
+ }
+
+@@ -1266,7 +1266,7 @@ static int brcmf_usb_probe_cb(struct brcmf_usbdev_info *devinfo)
+ if (ret)
+ goto fail;
+ /* we are done */
+- mutex_unlock(&devinfo->dev_init_lock);
++ complete(&devinfo->dev_init_done);
+ return 0;
+ }
+ bus->chip = bus_pub->devid;
+@@ -1326,11 +1326,10 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
+
+ devinfo->usbdev = usb;
+ devinfo->dev = &usb->dev;
+- /* Take an init lock, to protect for disconnect while still loading.
++ /* Init completion, to protect for disconnect while still loading.
+ * Necessary because of the asynchronous firmware load construction
+ */
+- mutex_init(&devinfo->dev_init_lock);
+- mutex_lock(&devinfo->dev_init_lock);
++ init_completion(&devinfo->dev_init_done);
+
+ usb_set_intfdata(intf, devinfo);
+
+@@ -1408,7 +1407,7 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
+ return 0;
+
+ fail:
+- mutex_unlock(&devinfo->dev_init_lock);
++ complete(&devinfo->dev_init_done);
+ kfree(devinfo);
+ usb_set_intfdata(intf, NULL);
+ return ret;
+@@ -1423,7 +1422,7 @@ brcmf_usb_disconnect(struct usb_interface *intf)
+ devinfo = (struct brcmf_usbdev_info *)usb_get_intfdata(intf);
+
+ if (devinfo) {
+- mutex_lock(&devinfo->dev_init_lock);
++ wait_for_completion(&devinfo->dev_init_done);
+ /* Make sure that devinfo still exists. Firmware probe routines
+ * may have released the device and cleared the intfdata.
+ */
+--
+2.16.4
+
diff --git a/patches.drivers/brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch b/patches.drivers/brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch
new file mode 100644
index 0000000000..5405006fac
--- /dev/null
+++ b/patches.drivers/brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch
@@ -0,0 +1,127 @@
+From 24d413a31afaee9bbbf79226052c386b01780ce2 Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Wed, 13 Mar 2019 09:52:01 +0000
+Subject: [PATCH] brcmfmac: fix Oops when bringing up interface during USB disconnect
+Git-commit: 24d413a31afaee9bbbf79226052c386b01780ce2
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Fix a race which leads to an Oops with NULL pointer dereference. The
+dereference is in brcmf_config_dongle() when cfg_to_ndev() attempts to get
+net_device structure of interface with index 0 via if2bss mapping. This
+shouldn't fail because of check for bus being ready in brcmf_netdev_open(),
+but it's not synchronised with USB disconnect and there is a race: after
+the check the bus can be marked down and the mapping for interface 0 may be
+gone.
+
+Solve this by modifying disconnect handling so that the removal of mapping
+of ifidx to brcmf_if structure happens after netdev removal (which is
+synchronous with brcmf_netdev_open() thanks to rtln being locked in
+devinet_ioctl()). This assures brcmf_netdev_open() returns before the
+mapping is removed during disconnect.
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000008
+pgd = bcae2612
+[00000008] *pgd=8be73831
+Internal error: Oops: 17 [#1] PREEMPT SMP ARM
+Modules linked in: brcmfmac brcmutil nf_log_ipv4 nf_log_common xt_LOG xt_limit
+iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6
+nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis
+u_ether usb_serial_simple usbserial cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc
+usbmisc_imx ulpi 8250_exar 8250_pci 8250 8250_base libcomposite configfs
+udc_core [last unloaded: brcmutil]
+Cpu: 2 PID: 24478 Comm: ifconfig Not tainted 4.19.23-00078-ga62866d-dirty #115
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+PC is at brcmf_cfg80211_up+0x94/0x29c [brcmfmac]
+LR is at brcmf_cfg80211_up+0x8c/0x29c [brcmfmac]
+pc : [<7f26a91c>] lr : [<7f26a914>] psr: a0070013
+sp : eca99d28 ip : 00000000 fp : ee9c6c00
+R10: 00000036 r9 : 00000000 r8 : ece4002c
+r7 : edb5b800 r6 : 00000000 r5 : 80f08448 r4 : edb5b968
+r3 : ffffffff r2 : 00000000 r1 : 00000002 r0 : 00000000
+Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+Control: 10c5387d Table: 7ca0c04a DAC: 00000051
+Process ifconfig (pid: 24478, stack limit = 0xd9e85a0e)
+Stack: (0xeca99d28 to 0xeca9a000)
+9d20: 00000000 80f873b0 0000000d 80f08448 eca99d68 50d45f32
+9d40: 7f27de94 ece40000 80f08448 80f08448 7f27de94 ece4002c 00000000 00000036
+9d60: ee9c6c00 7f27262c 00001002 50d45f32 ece40000 00000000 80f08448 80772008
+9d80: 00000001 00001043 00001002 ece40000 00000000 50d45f32 ece40000 00000001
+9da0: 80f08448 00001043 00001002 807723d0 00000000 50d45f32 80f08448 eca99e58
+9dc0: 80f87113 50d45f32 80f08448 ece40000 ece40138 00001002 80f08448 00000000
+9de0: 00000000 80772434 edbd5380 eca99e58 edbd5380 80f08448 ee9c6c0c 80805f70
+9e00: 00000000 ede08e00 00008914 ece40000 00000014 ee9c6c0c 600c0013 00001043
+9e20: 0208a8c0 ffffffff 00000000 50d45f32 eca98000 80f08448 7ee9fc38 00008914
+9e40: 80f68e40 00000051 eca98000 00000036 00000003 80808b9c 6e616c77 00000030
+9e60: 00000000 00000000 00001043 0208a8c0 ffffffff 00000000 80f08448 00000000
+9e80: 00000000 816d8b20 600c0013 00000001 ede09320 801763d4 00000000 50d45f32
+9ea0: eca98000 80f08448 7ee9fc38 50d45f32 00008914 80f08448 7ee9fc38 80f68e40
+9ec0: ed531540 8074721c 00000800 00000001 00000000 6e616c77 00000030 00000000
+9ee0: 00000000 00001002 0208a8c0 ffffffff 00000000 50d45f32 80f08448 7ee9fc38
+9f00: ed531560 ec8fc900 80285a6c 80285138 edb910c0 00000000 ecd91008 ede08e00
+9f20: 80f08448 00000000 00000000 816d8b20 600c0013 00000001 ede09320 801763d4
+9f40: 00000000 50d45f32 00021000 edb91118 edb910c0 80f08448 01b29000 edb91118
+9f60: eca99f7c 50d45f32 00021000 ec8fc900 00000003 ec8fc900 00008914 7ee9fc38
+9f80: eca98000 00000036 00000003 80285a6c 00086364 7ee9fe1c 000000c3 00000036
+9fa0: 801011c4 80101000 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364
+9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003
+9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc 600c0010 00000003 00000000 00000000
+[<7f26a91c>] (brcmf_cfg80211_up [brcmfmac]) from [<7f27262c>] (brcmf_netdev_open+0x74/0xe8 [brcmfmac])
+[<7f27262c>] (brcmf_netdev_open [brcmfmac]) from [<80772008>] (__dev_open+0xcc/0x150)
+[<80772008>] (__dev_open) from [<807723d0>] (__dev_change_flags+0x168/0x1b4)
+[<807723d0>] (__dev_change_flags) from [<80772434>] (dev_change_flags+0x18/0x48)
+[<80772434>] (dev_change_flags) from [<80805f70>] (devinet_ioctl+0x67c/0x79c)
+[<80805f70>] (devinet_ioctl) from [<80808b9c>] (inet_ioctl+0x210/0x3d4)
+[<80808b9c>] (inet_ioctl) from [<8074721c>] (sock_ioctl+0x350/0x524)
+[<8074721c>] (sock_ioctl) from [<80285138>] (do_vfs_ioctl+0xb0/0x9b0)
+[<80285138>] (do_vfs_ioctl) from [<80285a6c>] (ksys_ioctl+0x34/0x5c)
+[<80285a6c>] (ksys_ioctl) from [<80101000>] (ret_fast_syscall+0x0/0x28)
+Exception stack(0xeca99fa8 to 0xeca99ff0)
+
+9fa0: 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364
+9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc
+Code: e5970328 eb002021 e1a02006 e3a01002 (e5909008)
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---[ end trace 5cbac2333f3ac5df ]---
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -654,17 +654,17 @@ static void brcmf_del_if(struct brcmf_pu
+ bool rtnl_locked)
+ {
+ struct brcmf_if *ifp;
++ int ifidx;
+
+ ifp = drvr->iflist[bsscfgidx];
+- drvr->iflist[bsscfgidx] = NULL;
+ if (!ifp) {
+ brcmf_err("Null interface, bsscfgidx=%d\n", bsscfgidx);
+ return;
+ }
+ brcmf_dbg(TRACE, "Enter, bsscfgidx=%d, ifidx=%d\n", bsscfgidx,
+ ifp->ifidx);
+- if (drvr->if2bss[ifp->ifidx] == bsscfgidx)
+- drvr->if2bss[ifp->ifidx] = BRCMF_BSSIDX_INVALID;
++ ifidx = ifp->ifidx;
++
+ if (ifp->ndev) {
+ if (bsscfgidx == 0) {
+ if (ifp->ndev->netdev_ops == &brcmf_netdev_ops_pri) {
+@@ -692,6 +692,10 @@ static void brcmf_del_if(struct brcmf_pu
+ brcmf_p2p_ifp_removed(ifp, rtnl_locked);
+ kfree(ifp);
+ }
++
++ drvr->iflist[bsscfgidx] = NULL;
++ if (drvr->if2bss[ifidx] == bsscfgidx)
++ drvr->if2bss[ifidx] = BRCMF_BSSIDX_INVALID;
+ }
+
+ void brcmf_remove_interface(struct brcmf_if *ifp, bool rtnl_locked)
diff --git a/patches.drivers/brcmfmac-fix-WARNING-during-USB-disconnect-in-case-o.patch b/patches.drivers/brcmfmac-fix-WARNING-during-USB-disconnect-in-case-o.patch
new file mode 100644
index 0000000000..a902f514fc
--- /dev/null
+++ b/patches.drivers/brcmfmac-fix-WARNING-during-USB-disconnect-in-case-o.patch
@@ -0,0 +1,133 @@
+From c80d26e81ef1802f30364b4ad1955c1443a592b9 Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Mon, 4 Mar 2019 15:42:49 +0000
+Subject: [PATCH] brcmfmac: fix WARNING during USB disconnect in case of unempty psq
+Git-commit: c80d26e81ef1802f30364b4ad1955c1443a592b9
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+brcmu_pkt_buf_free_skb emits WARNING when attempting to free a sk_buff
+which is part of any queue. After USB disconnect this may have happened
+when brcmf_fws_hanger_cleanup() is called as per-interface psq was never
+cleaned when removing the interface.
+Change brcmf_fws_macdesc_cleanup() in a way that it removes the
+corresponding packets from hanger table (to avoid double-free when
+brcmf_fws_hanger_cleanup() is called) and add a call to clean-up the
+interface specific packet queue.
+
+Below is a WARNING during USB disconnect with Raspberry Pi WiFi dongle
+running in AP mode. This was reproducible when the interface was
+transmitting during the disconnect and is fixed with this commit.
+
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 1171 at drivers/net/wireless/broadcom/brcm80211/brcmutil/utils.c:49 brcmu_pkt_buf_free_skb+0x3c/0x40
+Modules linked in: nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis u_ether cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc ulpi usbmisc_imx 8250_exar 8250_pci 8250 8250_base libcomposite configfs udc_core
+CPU: 0 PID: 1171 Comm: kworker/0:0 Not tainted 4.19.23-00075-gde33ed8 #99
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+Workqueue: usb_hub_wq hub_event
+[<8010ff84>] (unwind_backtrace) from [<8010bb64>] (show_stack+0x10/0x14)
+[<8010bb64>] (show_stack) from [<80840278>] (dump_stack+0x88/0x9c)
+[<80840278>] (dump_stack) from [<8011f5ec>] (__warn+0xfc/0x114)
+[<8011f5ec>] (__warn) from [<8011f71c>] (warn_slowpath_null+0x40/0x48)
+[<8011f71c>] (warn_slowpath_null) from [<805a476c>] (brcmu_pkt_buf_free_skb+0x3c/0x40)
+[<805a476c>] (brcmu_pkt_buf_free_skb) from [<805bb6c4>] (brcmf_fws_cleanup+0x1e4/0x22c)
+[<805bb6c4>] (brcmf_fws_cleanup) from [<805bc854>] (brcmf_fws_del_interface+0x58/0x68)
+[<805bc854>] (brcmf_fws_del_interface) from [<805b66ac>] (brcmf_remove_interface+0x40/0x150)
+[<805b66ac>] (brcmf_remove_interface) from [<805b6870>] (brcmf_detach+0x6c/0xb0)
+[<805b6870>] (brcmf_detach) from [<805bdbb8>] (brcmf_usb_disconnect+0x30/0x4c)
+[<805bdbb8>] (brcmf_usb_disconnect) from [<805e5d64>] (usb_unbind_interface+0x5c/0x1e0)
+[<805e5d64>] (usb_unbind_interface) from [<804aab10>] (device_release_driver_internal+0x154/0x1ec)
+[<804aab10>] (device_release_driver_internal) from [<804a97f4>] (bus_remove_device+0xcc/0xf8)
+[<804a97f4>] (bus_remove_device) from [<804a6fc0>] (device_del+0x118/0x308)
+[<804a6fc0>] (device_del) from [<805e488c>] (usb_disable_device+0xa0/0x1c8)
+[<805e488c>] (usb_disable_device) from [<805dcf98>] (usb_disconnect+0x70/0x1d8)
+[<805dcf98>] (usb_disconnect) from [<805ddd84>] (hub_event+0x464/0xf50)
+[<805ddd84>] (hub_event) from [<80135a70>] (process_one_work+0x138/0x3f8)
+[<80135a70>] (process_one_work) from [<80135d5c>] (worker_thread+0x2c/0x554)
+[<80135d5c>] (worker_thread) from [<8013b1a0>] (kthread+0x124/0x154)
+[<8013b1a0>] (kthread) from [<801010e8>] (ret_from_fork+0x14/0x2c)
+Exception stack(0xecf8dfb0 to 0xecf8dff8)
+dfa0: 00000000 00000000 00000000 00000000
+dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
+---[ end trace 38d234018e9e2a90 ]---
+------------[ cut here ]------------
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ .../broadcom/brcm80211/brcmfmac/fwsignal.c | 42 ++++++++++++----------
+ 1 file changed, 24 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+index abeb305492e0..d48b8b2d946f 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+@@ -580,24 +580,6 @@ static bool brcmf_fws_ifidx_match(struct sk_buff *skb, void *arg)
+ return ifidx == *(int *)arg;
+ }
+
+-static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q,
+- int ifidx)
+-{
+- bool (*matchfn)(struct sk_buff *, void *) = NULL;
+- struct sk_buff *skb;
+- int prec;
+-
+- if (ifidx != -1)
+- matchfn = brcmf_fws_ifidx_match;
+- for (prec = 0; prec < q->num_prec; prec++) {
+- skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
+- while (skb) {
+- brcmu_pkt_buf_free_skb(skb);
+- skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
+- }
+- }
+-}
+-
+ static void brcmf_fws_hanger_init(struct brcmf_fws_hanger *hanger)
+ {
+ int i;
+@@ -669,6 +651,28 @@ static inline int brcmf_fws_hanger_poppkt(struct brcmf_fws_hanger *h,
+ return 0;
+ }
+
++static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q,
++ int ifidx)
++{
++ bool (*matchfn)(struct sk_buff *, void *) = NULL;
++ struct sk_buff *skb;
++ int prec;
++ u32 hslot;
++
++ if (ifidx != -1)
++ matchfn = brcmf_fws_ifidx_match;
++ for (prec = 0; prec < q->num_prec; prec++) {
++ skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
++ while (skb) {
++ hslot = brcmf_skb_htod_tag_get_field(skb, HSLOT);
++ brcmf_fws_hanger_poppkt(&fws->hanger, hslot, &skb,
++ true);
++ brcmu_pkt_buf_free_skb(skb);
++ skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
++ }
++ }
++}
++
+ static int brcmf_fws_hanger_mark_suppressed(struct brcmf_fws_hanger *h,
+ u32 slot_id)
+ {
+@@ -2200,6 +2204,8 @@ void brcmf_fws_del_interface(struct brcmf_if *ifp)
+ brcmf_fws_lock(fws);
+ ifp->fws_desc = NULL;
+ brcmf_dbg(TRACE, "deleting %s\n", entry->name);
++ brcmf_fws_macdesc_cleanup(fws, &fws->desc.iface[ifp->ifidx],
++ ifp->ifidx);
+ brcmf_fws_macdesc_deinit(entry);
+ brcmf_fws_cleanup(fws, ifp->ifidx);
+ brcmf_fws_unlock(fws);
+--
+2.16.4
+
diff --git a/patches.drivers/brcmfmac-fix-missing-checks-for-kmemdup.patch b/patches.drivers/brcmfmac-fix-missing-checks-for-kmemdup.patch
new file mode 100644
index 0000000000..3d4d628ff0
--- /dev/null
+++ b/patches.drivers/brcmfmac-fix-missing-checks-for-kmemdup.patch
@@ -0,0 +1,45 @@
+From 46953f97224d56a12ccbe9c6acaa84ca0dab2780 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 15 Mar 2019 12:04:32 -0500
+Subject: [PATCH] brcmfmac: fix missing checks for kmemdup
+Git-commit: 46953f97224d56a12ccbe9c6acaa84ca0dab2780
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+In case kmemdup fails, the fix sets conn_info->req_ie_len and
+conn_info->resp_ie_len to zero to avoid buffer overflows.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index e92f6351bd22..8ee8af4e7ec4 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -5464,6 +5464,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
+ conn_info->req_ie =
+ kmemdup(cfg->extra_buf, conn_info->req_ie_len,
+ GFP_KERNEL);
++ if (!conn_info->req_ie)
++ conn_info->req_ie_len = 0;
+ } else {
+ conn_info->req_ie_len = 0;
+ conn_info->req_ie = NULL;
+@@ -5480,6 +5482,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
+ conn_info->resp_ie =
+ kmemdup(cfg->extra_buf, conn_info->resp_ie_len,
+ GFP_KERNEL);
++ if (!conn_info->resp_ie)
++ conn_info->resp_ie_len = 0;
+ } else {
+ conn_info->resp_ie_len = 0;
+ conn_info->resp_ie = NULL;
+--
+2.16.4
+
diff --git a/patches.drivers/brcmfmac-fix-race-during-disconnect-when-USB-complet.patch b/patches.drivers/brcmfmac-fix-race-during-disconnect-when-USB-complet.patch
new file mode 100644
index 0000000000..67b38de3cb
--- /dev/null
+++ b/patches.drivers/brcmfmac-fix-race-during-disconnect-when-USB-complet.patch
@@ -0,0 +1,93 @@
+From db3b9e2e1d58080d0754bdf9293dabf8c6491b67 Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Fri, 8 Mar 2019 15:25:04 +0000
+Subject: [PATCH] brcmfmac: fix race during disconnect when USB completion is in progress
+Git-commit: db3b9e2e1d58080d0754bdf9293dabf8c6491b67
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+It was observed that rarely during USB disconnect happening shortly after
+connect (before full initialization completes) usb_hub_wq would wait
+forever for the dev_init_lock to be unlocked. dev_init_lock would remain
+locked though because of infinite wait during usb_kill_urb:
+
+[ 2730.656472] kworker/0:2 D 0 260 2 0x00000000
+[ 2730.660700] Workqueue: events request_firmware_work_func
+[ 2730.664807] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac)
+[ 2730.670587] [<809dd164>] (schedule) from [<8069af44>] (usb_kill_urb+0xdc/0x114)
+[ 2730.676815] [<8069af44>] (usb_kill_urb) from [<7f258b50>] (brcmf_usb_free_q+0x34/0xa8 [brcmfmac])
+[ 2730.684833] [<7f258b50>] (brcmf_usb_free_q [brcmfmac]) from [<7f2517d4>] (brcmf_detach+0xa0/0xb8 [brcmfmac])
+[ 2730.693557] [<7f2517d4>] (brcmf_detach [brcmfmac]) from [<7f251a34>] (brcmf_attach+0xac/0x3d8 [brcmfmac])
+[ 2730.702094] [<7f251a34>] (brcmf_attach [brcmfmac]) from [<7f2587ac>] (brcmf_usb_probe_phase2+0x468/0x4a0 [brcmfmac])
+[ 2730.711601] [<7f2587ac>] (brcmf_usb_probe_phase2 [brcmfmac]) from [<7f252888>] (brcmf_fw_request_done+0x194/0x220 [brcmfmac])
+[ 2730.721795] [<7f252888>] (brcmf_fw_request_done [brcmfmac]) from [<805748e4>] (request_firmware_work_func+0x4c/0x88)
+[ 2730.731125] [<805748e4>] (request_firmware_work_func) from [<80141474>] (process_one_work+0x228/0x808)
+[ 2730.739223] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
+[ 2730.746105] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
+[ 2730.752227] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+
+[ 2733.099695] kworker/0:3 D 0 1065 2 0x00000000
+[ 2733.103926] Workqueue: usb_hub_wq hub_event
+[ 2733.106914] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac)
+[ 2733.112693] [<809dd164>] (schedule) from [<809e2a8c>] (schedule_timeout+0x214/0x3e4)
+[ 2733.119621] [<809e2a8c>] (schedule_timeout) from [<809dde2c>] (wait_for_common+0xc4/0x1c0)
+[ 2733.126810] [<809dde2c>] (wait_for_common) from [<7f258d00>] (brcmf_usb_disconnect+0x1c/0x4c [brcmfmac])
+[ 2733.135206] [<7f258d00>] (brcmf_usb_disconnect [brcmfmac]) from [<8069e0c8>] (usb_unbind_interface+0x5c/0x1e4)
+[ 2733.143943] [<8069e0c8>] (usb_unbind_interface) from [<8056d3e8>] (device_release_driver_internal+0x164/0x1fc)
+[ 2733.152769] [<8056d3e8>] (device_release_driver_internal) from [<8056c078>] (bus_remove_device+0xd0/0xfc)
+[ 2733.161138] [<8056c078>] (bus_remove_device) from [<8056977c>] (device_del+0x11c/0x310)
+[ 2733.167939] [<8056977c>] (device_del) from [<8069cba8>] (usb_disable_device+0xa0/0x1cc)
+[ 2733.174743] [<8069cba8>] (usb_disable_device) from [<8069507c>] (usb_disconnect+0x74/0x1dc)
+[ 2733.181823] [<8069507c>] (usb_disconnect) from [<80695e88>] (hub_event+0x478/0xf88)
+[ 2733.188278] [<80695e88>] (hub_event) from [<80141474>] (process_one_work+0x228/0x808)
+[ 2733.194905] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
+[ 2733.201724] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
+[ 2733.207913] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+
+It was traced down to a case where usb_kill_urb would be called on an URB
+structure containing more or less random data, including large number in
+its use_count. During the debugging it appeared that in brcmf_usb_free_q()
+the traversal over URBs' lists is not synchronized with operations on those
+lists in brcmf_usb_rx_complete() leading to handling
+brcmf_usbdev_info structure (holding lists' head) as lists' element and in
+result causing above problem.
+
+Fix it by walking through all URBs during brcmf_cancel_all_urbs using the
+arrays of requests instead of linked lists.
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+index e9cbfd077710..a7754092ef6a 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+@@ -682,12 +682,18 @@ static int brcmf_usb_up(struct device *dev)
+
+ static void brcmf_cancel_all_urbs(struct brcmf_usbdev_info *devinfo)
+ {
++ int i;
++
+ if (devinfo->ctl_urb)
+ usb_kill_urb(devinfo->ctl_urb);
+ if (devinfo->bulk_urb)
+ usb_kill_urb(devinfo->bulk_urb);
+- brcmf_usb_free_q(&devinfo->tx_postq, true);
+- brcmf_usb_free_q(&devinfo->rx_postq, true);
++ if (devinfo->tx_reqs)
++ for (i = 0; i < devinfo->bus_pub.ntxq; i++)
++ usb_kill_urb(devinfo->tx_reqs[i].urb);
++ if (devinfo->rx_reqs)
++ for (i = 0; i < devinfo->bus_pub.nrxq; i++)
++ usb_kill_urb(devinfo->rx_reqs[i].urb);
+ }
+
+ static void brcmf_usb_down(struct device *dev)
+--
+2.16.4
+
diff --git a/patches.drivers/chardev-add-additional-check-for-minor-range-overlap.patch b/patches.drivers/chardev-add-additional-check-for-minor-range-overlap.patch
new file mode 100644
index 0000000000..c15056d2a0
--- /dev/null
+++ b/patches.drivers/chardev-add-additional-check-for-minor-range-overlap.patch
@@ -0,0 +1,40 @@
+From de36e16d1557a0b6eb328bc3516359a12ba5c25c Mon Sep 17 00:00:00 2001
+From: Chengguang Xu <cgxu519@gmx.com>
+Date: Fri, 15 Feb 2019 20:27:11 +0800
+Subject: [PATCH] chardev: add additional check for minor range overlap
+Git-commit: de36e16d1557a0b6eb328bc3516359a12ba5c25c
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Current overlap checking cannot correctly handle
+a case which is baseminor < existing baseminor &&
+baseminor + minorct > existing baseminor + minorct.
+
+Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/char_dev.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/char_dev.c b/fs/char_dev.c
+index a279c58fe360..8a63cfa29005 100644
+--- a/fs/char_dev.c
++++ b/fs/char_dev.c
+@@ -159,6 +159,12 @@ __register_chrdev_region(unsigned int major, unsigned int baseminor,
+ ret = -EBUSY;
+ goto out;
+ }
++
++ if (new_min < old_min && new_max > old_max) {
++ ret = -EBUSY;
++ goto out;
++ }
++
+ }
+
+ cd->next = *cp;
+--
+2.16.4
+
diff --git a/patches.drivers/extcon-arizona-Disable-mic-detect-if-running-when-dr.patch b/patches.drivers/extcon-arizona-Disable-mic-detect-if-running-when-dr.patch
new file mode 100644
index 0000000000..b3a12ecfbd
--- /dev/null
+++ b/patches.drivers/extcon-arizona-Disable-mic-detect-if-running-when-dr.patch
@@ -0,0 +1,50 @@
+From 00053de52231117ddc154042549f2256183ffb86 Mon Sep 17 00:00:00 2001
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+Date: Thu, 4 Apr 2019 17:33:56 +0100
+Subject: [PATCH] extcon: arizona: Disable mic detect if running when driver is removed
+Git-commit: 00053de52231117ddc154042549f2256183ffb86
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Microphone detection provides the button detection features on the
+Arizona CODECs as such it will be running if the jack is currently
+inserted. If the driver is unbound whilst the jack is still inserted
+this will cause warnings from the regulator framework as the MICVDD
+regulator is put but was never disabled.
+
+Correct this by disabling microphone detection on driver removal and if
+the microphone detection was running disable the regulator and put the
+runtime reference that was currently held.
+
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/extcon/extcon-arizona.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/extcon/extcon-arizona.c b/drivers/extcon/extcon-arizona.c
+index da0e9bc4262f..9327479c719c 100644
+--- a/drivers/extcon/extcon-arizona.c
++++ b/drivers/extcon/extcon-arizona.c
+@@ -1726,6 +1726,16 @@ static int arizona_extcon_remove(struct platform_device *pdev)
+ struct arizona_extcon_info *info = platform_get_drvdata(pdev);
+ struct arizona *arizona = info->arizona;
+ int jack_irq_rise, jack_irq_fall;
++ bool change;
++
++ regmap_update_bits_check(arizona->regmap, ARIZONA_MIC_DETECT_1,
++ ARIZONA_MICD_ENA, 0,
++ &change);
++
++ if (change) {
++ regulator_disable(info->micvdd);
++ pm_runtime_put(info->dev);
++ }
+
+ gpiod_put(info->micd_pol_gpio);
+
+--
+2.16.4
+
diff --git a/patches.drivers/gpio-Remove-obsolete-comment-about-gpiochip_free_hog.patch b/patches.drivers/gpio-Remove-obsolete-comment-about-gpiochip_free_hog.patch
new file mode 100644
index 0000000000..0a04ef8b48
--- /dev/null
+++ b/patches.drivers/gpio-Remove-obsolete-comment-about-gpiochip_free_hog.patch
@@ -0,0 +1,37 @@
+From 7e9fa3c9d3e3d4f5f13f66383666cd0f32ef3b81 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Thu, 28 Mar 2019 14:13:49 +0100
+Subject: [PATCH] gpio: Remove obsolete comment about gpiochip_free_hogs() usage
+Git-commit: 7e9fa3c9d3e3d4f5f13f66383666cd0f32ef3b81
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+gpiochip_free_hogs() was always called from gpiochip_remove(), not
+of_gpiochip_remove(). It is now also called from the failure patch in
+gpiochip_add_data_with_key().
+
+Fixes: f625d4601759f1cf ("gpio: add GPIO hogging mechanism")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpio/gpiolib.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index 144af0733581..f41ad889124f 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -4445,8 +4445,6 @@ int gpiod_hog(struct gpio_desc *desc, const char *name,
+ /**
+ * gpiochip_free_hogs - Scan gpio-controller chip and release GPIO hog
+ * @chip: gpio chip to act on
+- *
+- * This is only used by of_gpiochip_remove to free hogged gpios
+ */
+ static void gpiochip_free_hogs(struct gpio_chip *chip)
+ {
+--
+2.16.4
+
diff --git a/patches.drivers/gpio-fix-gpio-adp5588-build-errors.patch b/patches.drivers/gpio-fix-gpio-adp5588-build-errors.patch
new file mode 100644
index 0000000000..7df6569158
--- /dev/null
+++ b/patches.drivers/gpio-fix-gpio-adp5588-build-errors.patch
@@ -0,0 +1,56 @@
+From e9646f0f5bb62b7d43f0968f39d536cfe7123b53 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Thu, 23 May 2019 15:00:41 -0700
+Subject: [PATCH] gpio: fix gpio-adp5588 build errors
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: e9646f0f5bb62b7d43f0968f39d536cfe7123b53
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+The gpio-adp5588 driver uses interfaces that are provided by
+GPIOLIB_IRQCHIP, so select that symbol in its Kconfig entry.
+
+Fixes these build errors:
+
+../drivers/gpio/gpio-adp5588.c: In function ‘adp5588_irq_handler’:
+../drivers/gpio/gpio-adp5588.c:266:26: error: ‘struct gpio_chip’ has no member named ‘irq’
+ dev->gpio_chip.irq.domain, gpio));
+ ^
+../drivers/gpio/gpio-adp5588.c: In function ‘adp5588_irq_setup’:
+../drivers/gpio/gpio-adp5588.c:298:2: error: implicit declaration of function ‘gpiochip_irqchip_add_nested’ [-Werror=implicit-function-declaration]
+ ret = gpiochip_irqchip_add_nested(&dev->gpio_chip,
+ ^
+../drivers/gpio/gpio-adp5588.c:307:2: error: implicit declaration of function ‘gpiochip_set_nested_irqchip’ [-Werror=implicit-function-declaration]
+ gpiochip_set_nested_irqchip(&dev->gpio_chip,
+ ^
+
+Fixes: 459773ae8dbb ("gpio: adp5588-gpio: support interrupt controller")
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: linux-gpio@vger.kernel.org
+Reviewed-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Acked-by: Michael Hennerich <michael.hennerich@analog.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpio/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpio/Kconfig b/drivers/gpio/Kconfig
+index 8023d03ec362..fb9c42461331 100644
+--- a/drivers/gpio/Kconfig
++++ b/drivers/gpio/Kconfig
+@@ -822,6 +822,7 @@ config GPIO_ADP5588
+ config GPIO_ADP5588_IRQ
+ bool "Interrupt controller support for ADP5588"
+ depends on GPIO_ADP5588=y
++ select GPIOLIB_IRQCHIP
+ help
+ Say yes here to enable the adp5588 to be used as an interrupt
+ controller. It requires the driver to be built in the kernel.
+--
+2.16.4
+
diff --git a/patches.drivers/hwmon-core-add-thermal-sensors-only-if-dev-of_node-i.patch b/patches.drivers/hwmon-core-add-thermal-sensors-only-if-dev-of_node-i.patch
new file mode 100644
index 0000000000..ab5076d954
--- /dev/null
+++ b/patches.drivers/hwmon-core-add-thermal-sensors-only-if-dev-of_node-i.patch
@@ -0,0 +1,64 @@
+From c41dd48e21fae3e55b3670ccf2eb562fc1f6a67d Mon Sep 17 00:00:00 2001
+From: Eduardo Valentin <eduval@amazon.com>
+Date: Wed, 29 May 2019 19:56:04 -0700
+Subject: [PATCH] hwmon: (core) add thermal sensors only if dev->of_node is present
+Git-commit: c41dd48e21fae3e55b3670ccf2eb562fc1f6a67d
+Patch-mainline: v5.2-rc4
+References: bsc#1051510
+
+Drivers may register to hwmon and request for also registering
+with the thermal subsystem (HWMON_C_REGISTER_TZ). However,
+some of these driver, e.g. marvell phy, may be probed from
+Device Tree or being dynamically allocated, and in the later
+case, it will not have a dev->of_node entry.
+
+Registering with hwmon without the dev->of_node may result in
+different outcomes depending on the device tree, which may
+be a bit misleading. If the device tree blob has no 'thermal-zones'
+node, the *hwmon_device_register*() family functions are going
+to gracefully succeed, because of-thermal,
+*thermal_zone_of_sensor_register() return -ENODEV in this case,
+and the hwmon error path handles this error code as success to
+cover for the case where CONFIG_THERMAL_OF is not set.
+However, if the device tree blob has the 'thermal-zones'
+entry, the *hwmon_device_register*() will always fail on callers
+with no dev->of_node, propagating -EINVAL.
+
+If dev->of_node is not present, calling of-thermal does not
+make sense. For this reason, this patch checks first if the
+device has a of_node before going over the process of registering
+with the thermal subsystem of-thermal interface. And in this case,
+when a caller of *hwmon_device_register*() with HWMON_C_REGISTER_TZ
+and no dev->of_node will still register with hwmon, but not with
+the thermal subsystem. If all the hwmon part bits are in place,
+the registration will succeed.
+
+Fixes: d560168b5d0f ("hwmon: (core) New hwmon registration API")
+Cc: Jean Delvare <jdelvare@suse.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Cc: linux-hwmon@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Eduardo Valentin <eduval@amazon.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hwmon/hwmon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/hwmon.c b/drivers/hwmon/hwmon.c
+index e694c46ff039..429784edd5ff 100644
+--- a/drivers/hwmon/hwmon.c
++++ b/drivers/hwmon/hwmon.c
+@@ -636,7 +636,7 @@ __hwmon_device_register(struct device *dev, const char *name, void *drvdata,
+ if (err)
+ goto free_hwmon;
+
+- if (dev && chip && chip->ops->read &&
++ if (dev && dev->of_node && chip && chip->ops->read &&
+ chip->info[0]->type == hwmon_chip &&
+ (chip->info[0]->config[0] & HWMON_C_REGISTER_TZ)) {
+ const struct hwmon_channel_info **info = chip->info;
+--
+2.16.4
+
diff --git a/patches.drivers/hwmon-pmbus-core-Treat-parameters-as-paged-if-on-mul.patch b/patches.drivers/hwmon-pmbus-core-Treat-parameters-as-paged-if-on-mul.patch
new file mode 100644
index 0000000000..6880ddb03b
--- /dev/null
+++ b/patches.drivers/hwmon-pmbus-core-Treat-parameters-as-paged-if-on-mul.patch
@@ -0,0 +1,97 @@
+From 4a60570dce658e3f8885bbcf852430b99f65aca5 Mon Sep 17 00:00:00 2001
+From: Robert Hancock <hancock@sedsystems.ca>
+Date: Wed, 5 Jun 2019 13:49:00 -0600
+Subject: [PATCH] hwmon: (pmbus/core) Treat parameters as paged if on multiple pages
+Git-commit: 4a60570dce658e3f8885bbcf852430b99f65aca5
+Patch-mainline: v5.2-rc4
+References: bsc#1051510
+
+Some chips have attributes which exist on more than one page but the
+attribute is not presently marked as paged. This causes the attributes
+to be generated with the same label, which makes it impossible for
+userspace to tell them apart.
+
+Marking all such attributes as paged would result in the page suffix
+being added regardless of whether they were present on more than one
+page or not, which might break existing setups. Therefore, we add a
+second check which treats the attribute as paged, even if not marked as
+such, if it is present on multiple pages.
+
+Fixes: b4ce237b7f7d ("hwmon: (pmbus) Introduce infrastructure to detect sensors and limit registers")
+Signed-off-by: Robert Hancock <hancock@sedsystems.ca>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hwmon/pmbus/pmbus_core.c | 34 ++++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+--- a/drivers/hwmon/pmbus/pmbus_core.c
++++ b/drivers/hwmon/pmbus/pmbus_core.c
+@@ -1025,14 +1025,15 @@ static int pmbus_add_sensor_attrs_one(st
+ const struct pmbus_driver_info *info,
+ const char *name,
+ int index, int page,
+- const struct pmbus_sensor_attr *attr)
++ const struct pmbus_sensor_attr *attr,
++ bool paged)
+ {
+ struct pmbus_sensor *base;
+ int ret;
+
+ if (attr->label) {
+ ret = pmbus_add_label(data, name, index, attr->label,
+- attr->paged ? page + 1 : 0);
++ paged ? page + 1 : 0);
+ if (ret)
+ return ret;
+ }
+@@ -1064,6 +1065,30 @@ static int pmbus_add_sensor_attrs_one(st
+ return 0;
+ }
+
++static bool pmbus_sensor_is_paged(const struct pmbus_driver_info *info,
++ const struct pmbus_sensor_attr *attr)
++{
++ int p;
++
++ if (attr->paged)
++ return true;
++
++ /*
++ * Some attributes may be present on more than one page despite
++ * not being marked with the paged attribute. If that is the case,
++ * then treat the sensor as being paged and add the page suffix to the
++ * attribute name.
++ * We don't just add the paged attribute to all such attributes, in
++ * order to maintain the un-suffixed labels in the case where the
++ * attribute is only on page 0.
++ */
++ for (p = 1; p < info->pages; p++) {
++ if (info->func[p] & attr->func)
++ return true;
++ }
++ return false;
++}
++
+ static int pmbus_add_sensor_attrs(struct i2c_client *client,
+ struct pmbus_data *data,
+ const char *name,
+@@ -1077,14 +1102,15 @@ static int pmbus_add_sensor_attrs(struct
+ index = 1;
+ for (i = 0; i < nattrs; i++) {
+ int page, pages;
++ bool paged = pmbus_sensor_is_paged(info, attrs);
+
+- pages = attrs->paged ? info->pages : 1;
++ pages = paged ? info->pages : 1;
+ for (page = 0; page < pages; page++) {
+ if (!(info->func[page] & attrs->func))
+ continue;
+ ret = pmbus_add_sensor_attrs_one(client, data, info,
+ name, index, page,
+- attrs);
++ attrs, paged);
+ if (ret)
+ return ret;
+ index++;
diff --git a/patches.drivers/hwrng-omap-Set-default-quality.patch b/patches.drivers/hwrng-omap-Set-default-quality.patch
new file mode 100644
index 0000000000..8036bed790
--- /dev/null
+++ b/patches.drivers/hwrng-omap-Set-default-quality.patch
@@ -0,0 +1,44 @@
+From 62f95ae805fa9e1e84d47d3219adddd97b2654b7 Mon Sep 17 00:00:00 2001
+From: Rouven Czerwinski <r.czerwinski@pengutronix.de>
+Date: Mon, 11 Mar 2019 11:58:57 +0100
+Subject: [PATCH] hwrng: omap - Set default quality
+Git-commit: 62f95ae805fa9e1e84d47d3219adddd97b2654b7
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Newer combinations of the glibc, kernel and openssh can result in long initial
+startup times on OMAP devices:
+
+[ 6.671425] systemd-rc-once[102]: Creating ED25519 key; this may take some time ...
+[ 142.652491] systemd-rc-once[102]: Creating ED25519 key; done.
+
+due to the blocking getrandom(2) system call:
+
+[ 142.610335] random: crng init done
+
+Set the quality level for the omap hwrng driver allowing the kernel to use the
+hwrng as an entropy source at boot.
+
+Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/char/hw_random/omap-rng.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/char/hw_random/omap-rng.c b/drivers/char/hw_random/omap-rng.c
+index b65ff6962899..e9b6ac61fb7f 100644
+--- a/drivers/char/hw_random/omap-rng.c
++++ b/drivers/char/hw_random/omap-rng.c
+@@ -443,6 +443,7 @@ static int omap_rng_probe(struct platform_device *pdev)
+ priv->rng.read = omap_rng_do_read;
+ priv->rng.init = omap_rng_init;
+ priv->rng.cleanup = omap_rng_cleanup;
++ priv->rng.quality = 900;
+
+ priv->rng.priv = (unsigned long)priv;
+ platform_set_drvdata(pdev, priv);
+--
+2.16.4
+
diff --git a/patches.drivers/i2c-dev-fix-potential-memory-leak-in-i2cdev_ioctl_rd.patch b/patches.drivers/i2c-dev-fix-potential-memory-leak-in-i2cdev_ioctl_rd.patch
new file mode 100644
index 0000000000..d4a654f328
--- /dev/null
+++ b/patches.drivers/i2c-dev-fix-potential-memory-leak-in-i2cdev_ioctl_rd.patch
@@ -0,0 +1,30 @@
+From a0692f0eef91354b62c2b4c94954536536be5425 Mon Sep 17 00:00:00 2001
+From: Yingjoe Chen <yingjoe.chen@mediatek.com>
+Date: Tue, 7 May 2019 22:20:32 +0800
+Subject: [PATCH] i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr
+Git-commit: a0692f0eef91354b62c2b4c94954536536be5425
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+If I2C_M_RECV_LEN check failed, msgs[i].buf allocated by memdup_user
+will not be freed. Pump index up so it will be freed.
+
+Fixes: 838bfa6049fb ("i2c-dev: Add support for I2C_M_RECV_LEN")
+Signed-off-by: Yingjoe Chen <yingjoe.chen@mediatek.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/i2c/i2c-dev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -297,6 +297,7 @@ static noinline int i2cdev_ioctl_rdwr(st
+ rdwr_pa[i].buf[0] < 1 ||
+ rdwr_pa[i].len < rdwr_pa[i].buf[0] +
+ I2C_SMBUS_BLOCK_MAX) {
++ i++;
+ res = -EINVAL;
+ break;
+ }
diff --git a/patches.drivers/iio-ad_sigma_delta-Properly-handle-SPI-bus-locking-v.patch b/patches.drivers/iio-ad_sigma_delta-Properly-handle-SPI-bus-locking-v.patch
new file mode 100644
index 0000000000..c387598004
--- /dev/null
+++ b/patches.drivers/iio-ad_sigma_delta-Properly-handle-SPI-bus-locking-v.patch
@@ -0,0 +1,124 @@
+From df1d80aee963480c5c2938c64ec0ac3e4a0df2e0 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Tue, 19 Mar 2019 13:37:55 +0200
+Subject: [PATCH] iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion
+Git-commit: df1d80aee963480c5c2938c64ec0ac3e4a0df2e0
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+For devices from the SigmaDelta family we need to keep CS low when doing a
+conversion, since the device will use the MISO line as a interrupt to
+indicate that the conversion is complete.
+
+This is why the driver locks the SPI bus and when the SPI bus is locked
+keeps as long as a conversion is going on. The current implementation gets
+one small detail wrong though. CS is only de-asserted after the SPI bus is
+unlocked. This means it is possible for a different SPI device on the same
+bus to send a message which would be wrongfully be addressed to the
+SigmaDelta device as well. Make sure that the last SPI transfer that is
+done while holding the SPI bus lock de-asserts the CS signal.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Alexandru Ardelean <Alexandru.Ardelean@analog.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/iio/adc/ad_sigma_delta.c | 16 +++++++++++-----
+ include/linux/iio/adc/ad_sigma_delta.h | 1 +
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c
+index ff5f2da2e1b1..af6cbc683214 100644
+--- a/drivers/iio/adc/ad_sigma_delta.c
++++ b/drivers/iio/adc/ad_sigma_delta.c
+@@ -62,7 +62,7 @@ int ad_sd_write_reg(struct ad_sigma_delta *sigma_delta, unsigned int reg,
+ struct spi_transfer t = {
+ .tx_buf = data,
+ .len = size + 1,
+- .cs_change = sigma_delta->bus_locked,
++ .cs_change = sigma_delta->keep_cs_asserted,
+ };
+ struct spi_message m;
+ int ret;
+@@ -217,6 +217,7 @@ static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta,
+
+ spi_bus_lock(sigma_delta->spi->master);
+ sigma_delta->bus_locked = true;
++ sigma_delta->keep_cs_asserted = true;
+ reinit_completion(&sigma_delta->completion);
+
+ ret = ad_sigma_delta_set_mode(sigma_delta, mode);
+@@ -234,9 +235,10 @@ static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta,
+ ret = 0;
+ }
+ out:
++ sigma_delta->keep_cs_asserted = false;
++ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
+ sigma_delta->bus_locked = false;
+ spi_bus_unlock(sigma_delta->spi->master);
+- ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
+
+ return ret;
+ }
+@@ -289,6 +291,7 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
+
+ spi_bus_lock(sigma_delta->spi->master);
+ sigma_delta->bus_locked = true;
++ sigma_delta->keep_cs_asserted = true;
+ reinit_completion(&sigma_delta->completion);
+
+ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_SINGLE);
+@@ -298,9 +301,6 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
+ ret = wait_for_completion_interruptible_timeout(
+ &sigma_delta->completion, HZ);
+
+- sigma_delta->bus_locked = false;
+- spi_bus_unlock(sigma_delta->spi->master);
+-
+ if (ret == 0)
+ ret = -EIO;
+ if (ret < 0)
+@@ -321,7 +321,10 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
+ sigma_delta->irq_dis = true;
+ }
+
++ sigma_delta->keep_cs_asserted = false;
+ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
++ sigma_delta->bus_locked = false;
++ spi_bus_unlock(sigma_delta->spi->master);
+ mutex_unlock(&indio_dev->mlock);
+
+ if (ret)
+@@ -358,6 +361,8 @@ static int ad_sd_buffer_postenable(struct iio_dev *indio_dev)
+
+ spi_bus_lock(sigma_delta->spi->master);
+ sigma_delta->bus_locked = true;
++ sigma_delta->keep_cs_asserted = true;
++
+ ret = ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_CONTINUOUS);
+ if (ret)
+ goto err_unlock;
+@@ -386,6 +391,7 @@ static int ad_sd_buffer_postdisable(struct iio_dev *indio_dev)
+ sigma_delta->irq_dis = true;
+ }
+
++ sigma_delta->keep_cs_asserted = false;
+ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
+
+ sigma_delta->bus_locked = false;
+diff --git a/include/linux/iio/adc/ad_sigma_delta.h b/include/linux/iio/adc/ad_sigma_delta.h
+index 7e84351fa2c0..6e9fb1932dde 100644
+--- a/include/linux/iio/adc/ad_sigma_delta.h
++++ b/include/linux/iio/adc/ad_sigma_delta.h
+@@ -69,6 +69,7 @@ struct ad_sigma_delta {
+ bool irq_dis;
+
+ bool bus_locked;
++ bool keep_cs_asserted;
+
+ uint8_t comm;
+
+--
+2.16.4
+
diff --git a/patches.drivers/iio-common-ssp_sensors-Initialize-calculated_time-in.patch b/patches.drivers/iio-common-ssp_sensors-Initialize-calculated_time-in.patch
new file mode 100644
index 0000000000..c57f5ef2be
--- /dev/null
+++ b/patches.drivers/iio-common-ssp_sensors-Initialize-calculated_time-in.patch
@@ -0,0 +1,50 @@
+From 6f9ca1d3eb74b81f811a87002de2d51640d135b1 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Thu, 7 Mar 2019 14:45:46 -0700
+Subject: [PATCH] iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data
+Git-commit: 6f9ca1d3eb74b81f811a87002de2d51640d135b1
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+When building with -Wsometimes-uninitialized, Clang warns:
+
+drivers/iio/common/ssp_sensors/ssp_iio.c:95:6: warning: variable
+'calculated_time' is used uninitialized whenever 'if' condition is false
+[-Wsometimes-uninitialized]
+
+While it isn't wrong, this will never be a problem because
+iio_push_to_buffers_with_timestamp only uses calculated_time
+on the same condition that it is assigned (when scan_timestamp
+is not zero). While iio_push_to_buffers_with_timestamp is marked
+as inline, Clang does inlining in the optimization stage, which
+happens after the semantic analysis phase (plus inline is merely
+a hint to the compiler).
+
+Fix this by just zero initializing calculated_time.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/394
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/iio/common/ssp_sensors/ssp_iio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/common/ssp_sensors/ssp_iio.c b/drivers/iio/common/ssp_sensors/ssp_iio.c
+index 645f2e3975db..e38f704d88b7 100644
+--- a/drivers/iio/common/ssp_sensors/ssp_iio.c
++++ b/drivers/iio/common/ssp_sensors/ssp_iio.c
+@@ -81,7 +81,7 @@ int ssp_common_process_data(struct iio_dev *indio_dev, void *buf,
+ unsigned int len, int64_t timestamp)
+ {
+ __le32 time;
+- int64_t calculated_time;
++ int64_t calculated_time = 0;
+ struct ssp_sensor_data *spd = iio_priv(indio_dev);
+
+ if (indio_dev->scan_bytes == 0)
+--
+2.16.4
+
diff --git a/patches.drivers/iio-hmc5843-fix-potential-NULL-pointer-dereferences.patch b/patches.drivers/iio-hmc5843-fix-potential-NULL-pointer-dereferences.patch
new file mode 100644
index 0000000000..61879f3e2f
--- /dev/null
+++ b/patches.drivers/iio-hmc5843-fix-potential-NULL-pointer-dereferences.patch
@@ -0,0 +1,68 @@
+From 536cc27deade8f1ec3c1beefa60d5fbe0f6fcb28 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Sat, 16 Mar 2019 17:08:33 -0500
+Subject: [PATCH] iio: hmc5843: fix potential NULL pointer dereferences
+Git-commit: 536cc27deade8f1ec3c1beefa60d5fbe0f6fcb28
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+devm_regmap_init_i2c may fail and return NULL. The fix returns
+the error when it fails.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/iio/magnetometer/hmc5843_i2c.c | 7 ++++++-
+ drivers/iio/magnetometer/hmc5843_spi.c | 7 ++++++-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/magnetometer/hmc5843_i2c.c b/drivers/iio/magnetometer/hmc5843_i2c.c
+index 3de7f4426ac4..86abba5827a2 100644
+--- a/drivers/iio/magnetometer/hmc5843_i2c.c
++++ b/drivers/iio/magnetometer/hmc5843_i2c.c
+@@ -58,8 +58,13 @@ static const struct regmap_config hmc5843_i2c_regmap_config = {
+ static int hmc5843_i2c_probe(struct i2c_client *cli,
+ const struct i2c_device_id *id)
+ {
++ struct regmap *regmap = devm_regmap_init_i2c(cli,
++ &hmc5843_i2c_regmap_config);
++ if (IS_ERR(regmap))
++ return PTR_ERR(regmap);
++
+ return hmc5843_common_probe(&cli->dev,
+- devm_regmap_init_i2c(cli, &hmc5843_i2c_regmap_config),
++ regmap,
+ id->driver_data, id->name);
+ }
+
+diff --git a/drivers/iio/magnetometer/hmc5843_spi.c b/drivers/iio/magnetometer/hmc5843_spi.c
+index 535f03a70d63..79b2b707f90e 100644
+--- a/drivers/iio/magnetometer/hmc5843_spi.c
++++ b/drivers/iio/magnetometer/hmc5843_spi.c
+@@ -58,6 +58,7 @@ static const struct regmap_config hmc5843_spi_regmap_config = {
+ static int hmc5843_spi_probe(struct spi_device *spi)
+ {
+ int ret;
++ struct regmap *regmap;
+ const struct spi_device_id *id = spi_get_device_id(spi);
+
+ spi->mode = SPI_MODE_3;
+@@ -67,8 +68,12 @@ static int hmc5843_spi_probe(struct spi_device *spi)
+ if (ret)
+ return ret;
+
++ regmap = devm_regmap_init_spi(spi, &hmc5843_spi_regmap_config);
++ if (IS_ERR(regmap))
++ return PTR_ERR(regmap);
++
+ return hmc5843_common_probe(&spi->dev,
+- devm_regmap_init_spi(spi, &hmc5843_spi_regmap_config),
++ regmap,
+ id->driver_data, id->name);
+ }
+
+--
+2.16.4
+
diff --git a/patches.drivers/iwlwifi-mvm-check-for-length-correctness-in-iwl_mvm_.patch b/patches.drivers/iwlwifi-mvm-check-for-length-correctness-in-iwl_mvm_.patch
new file mode 100644
index 0000000000..26db4b59b4
--- /dev/null
+++ b/patches.drivers/iwlwifi-mvm-check-for-length-correctness-in-iwl_mvm_.patch
@@ -0,0 +1,110 @@
+From de1887c064b9996ac03120d90d0a909a3f678f98 Mon Sep 17 00:00:00 2001
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Tue, 16 Apr 2019 12:57:21 +0300
+Subject: [PATCH] iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb()
+Git-commit: de1887c064b9996ac03120d90d0a909a3f678f98
+Patch-mainline: v5.1
+References: bsc#1051510
+
+We don't check for the validity of the lengths in the packet received
+from the firmware. If the MPDU length received in the rx descriptor
+is too short to contain the header length and the crypt length
+together, we may end up trying to copy a negative number of bytes
+(headlen - hdrlen < 0) which will underflow and cause us to try to
+copy a huge amount of data. This causes oopses such as this one:
+
+Bug: unable to handle kernel paging request at ffff896be2970000
+PGD 5e201067 P4D 5e201067 PUD 5e205067 PMD 16110d063 PTE 8000000162970161
+Oops: 0003 [#1] PREEMPT SMP NOPTI
+Cpu: 2 PID: 1824 Comm: irq/134-iwlwifi Not tainted 4.19.33-04308-geea41cf4930f #1
+Hardware name: [...]
+Rip: 0010:memcpy_erms+0x6/0x10
+Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
+Rsp: 0018:ffffa4630196fc60 EFLAGS: 00010287
+Rax: ffff896be2924618 RBX: ffff896bc8ecc600 RCX: 00000000fffb4610
+Rdx: 00000000fffffff8 RSI: ffff896a835e2a38 RDI: ffff896be2970000
+Rbp: ffffa4630196fd30 R08: ffff896bc8ecc600 R09: ffff896a83597000
+R10: ffff896bd6998400 R11: 000000000200407f R12: ffff896a83597050
+R13: 00000000fffffff8 R14: 0000000000000010 R15: ffff896a83597038
+Fs: 0000000000000000(0000) GS:ffff896be8280000(0000) knlGS:0000000000000000
+Cs: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+Cr2: ffff896be2970000 CR3: 000000005dc12002 CR4: 00000000003606e0
+Dr0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+Dr3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ iwl_mvm_rx_mpdu_mq+0xb51/0x121b [iwlmvm]
+ iwl_pcie_rx_handle+0x58c/0xa89 [iwlwifi]
+ iwl_pcie_irq_rx_msix_handler+0xd9/0x12a [iwlwifi]
+ irq_thread_fn+0x24/0x49
+ irq_thread+0xb0/0x122
+ kthread+0x138/0x140
+ ret_from_fork+0x1f/0x40
+
+Fix that by checking the lengths for correctness and trigger a warning
+to show that we have received wrong data.
+
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 28 ++++++++++++++++++++++----
+ 1 file changed, 24 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+@@ -141,9 +141,9 @@ static inline int iwl_mvm_check_pn(struc
+ }
+
+ /* iwl_mvm_create_skb Adds the rxb to a new skb */
+-static void iwl_mvm_create_skb(struct sk_buff *skb, struct ieee80211_hdr *hdr,
+- u16 len, u8 crypt_len,
+- struct iwl_rx_cmd_buffer *rxb)
++static int iwl_mvm_create_skb(struct iwl_mvm *mvm, struct sk_buff *skb,
++ struct ieee80211_hdr *hdr, u16 len, u8 crypt_len,
++ struct iwl_rx_cmd_buffer *rxb)
+ {
+ struct iwl_rx_packet *pkt = rxb_addr(rxb);
+ struct iwl_rx_mpdu_desc *desc = (void *)pkt->data;
+@@ -184,6 +184,20 @@ static void iwl_mvm_create_skb(struct sk
+ * present before copying packet data.
+ */
+ hdrlen += crypt_len;
++
++ if (WARN_ONCE(headlen < hdrlen,
++ "invalid packet lengths (hdrlen=%d, len=%d, crypt_len=%d)\n",
++ hdrlen, len, crypt_len)) {
++ /*
++ * We warn and trace because we want to be able to see
++ * it in trace-cmd as well.
++ */
++ IWL_DEBUG_RX(mvm,
++ "invalid packet lengths (hdrlen=%d, len=%d, crypt_len=%d)\n",
++ hdrlen, len, crypt_len);
++ return -EINVAL;
++ }
++
+ skb_put_data(skb, hdr, hdrlen);
+ skb_put_data(skb, (u8 *)hdr + hdrlen + pad_len, headlen - hdrlen);
+
+@@ -196,6 +210,8 @@ static void iwl_mvm_create_skb(struct sk
+ skb_add_rx_frag(skb, 0, rxb_steal_page(rxb), offset,
+ fraglen, rxb->truesize);
+ }
++
++ return 0;
+ }
+
+ /* iwl_mvm_pass_packet_to_mac80211 - passes the packet for mac80211 */
+@@ -1031,7 +1047,11 @@ void iwl_mvm_rx_mpdu_mq(struct iwl_mvm *
+ rx_status->boottime_ns = ktime_get_boot_ns();
+ }
+
+- iwl_mvm_create_skb(skb, hdr, len, crypt_len, rxb);
++ if (iwl_mvm_create_skb(mvm, skb, hdr, len, crypt_len, rxb)) {
++ kfree_skb(skb);
++ goto out;
++ }
++
+ if (!iwl_mvm_reorder(mvm, napi, queue, sta, skb, desc))
+ iwl_mvm_pass_packet_to_mac80211(mvm, napi, skb, queue, sta);
+ out:
diff --git a/patches.drivers/iwlwifi-pcie-don-t-crash-on-invalid-RX-interrupt.patch b/patches.drivers/iwlwifi-pcie-don-t-crash-on-invalid-RX-interrupt.patch
new file mode 100644
index 0000000000..25a71776c3
--- /dev/null
+++ b/patches.drivers/iwlwifi-pcie-don-t-crash-on-invalid-RX-interrupt.patch
@@ -0,0 +1,47 @@
+From 30f24eabab8cd801064c5c37589d803cb4341929 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 5 Mar 2019 10:31:11 +0100
+Subject: [PATCH] iwlwifi: pcie: don't crash on invalid RX interrupt
+Git-commit: 30f24eabab8cd801064c5c37589d803cb4341929
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+If for some reason the device gives us an RX interrupt before we're
+ready for it, perhaps during device power-on with misconfigured IRQ
+causes mapping or so, we can crash trying to access the queues.
+
+Prevent that by checking that we actually have RXQs and that they
+were properly allocated.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/rx.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
+index 69fcfa930791..413937824764 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
+@@ -1429,10 +1429,15 @@ static struct iwl_rx_mem_buffer *iwl_pcie_get_rxb(struct iwl_trans *trans,
+ static void iwl_pcie_rx_handle(struct iwl_trans *trans, int queue)
+ {
+ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+- struct iwl_rxq *rxq = &trans_pcie->rxq[queue];
++ struct iwl_rxq *rxq;
+ u32 r, i, count = 0;
+ bool emergency = false;
+
++ if (WARN_ON_ONCE(!trans_pcie->rxq || !trans_pcie->rxq[queue].bd))
++ return;
++
++ rxq = &trans_pcie->rxq[queue];
++
+ restart:
+ spin_lock(&rxq->lock);
+ /* uCode's read index (stored in shared DRAM) indicates the last Rx
+--
+2.16.4
+
diff --git a/patches.drivers/leds-avoid-flush_work-in-atomic-context.patch b/patches.drivers/leds-avoid-flush_work-in-atomic-context.patch
new file mode 100644
index 0000000000..9b2cbdfb4a
--- /dev/null
+++ b/patches.drivers/leds-avoid-flush_work-in-atomic-context.patch
@@ -0,0 +1,68 @@
+From 8c0f693c6effbc3f42f77a9e81209af9af20910c Mon Sep 17 00:00:00 2001
+From: Pavel Machek <pavel@ucw.cz>
+Date: Sun, 26 May 2019 09:38:55 +0200
+Subject: [PATCH] leds: avoid flush_work in atomic context
+Git-commit: 8c0f693c6effbc3f42f77a9e81209af9af20910c
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+It turns out that various triggers use led_blink_setup() from atomic
+context, so we can't do a flush_work there. Flush is still needed for
+slow LEDs, but we can move it to sysfs code where it is safe.
+
+ WARNING: inconsistent lock state
+ 5.2.0-rc1 #1 Tainted: G W
+ --------------------------------
+ inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
+ swapper/1/0 [HC0[0]:SC1[1]:HE1:SE0] takes:
+ 000000006e30541b
+ ((work_completion)(&led_cdev->set_brightness_work)){+.?.}, at:
+ +__flush_work+0x3b/0x38a
+ {SOFTIRQ-ON-W} state was registered at:
+ lock_acquire+0x146/0x1a1
+ __flush_work+0x5b/0x38a
+ flush_work+0xb/0xd
+ led_blink_setup+0x1e/0xd3
+ led_blink_set+0x3f/0x44
+ tpt_trig_timer+0xdb/0x106
+ ieee80211_mod_tpt_led_trig+0xed/0x112
+
+Fixes: 0db37915d912 ("leds: avoid races with workqueue")
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Tested-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/leds/led-core.c | 5 -----
+ drivers/leds/trigger/ledtrig-timer.c | 5 +++++
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/leds/led-core.c
++++ b/drivers/leds/led-core.c
+@@ -162,11 +162,6 @@ static void led_blink_setup(struct led_c
+ unsigned long *delay_on,
+ unsigned long *delay_off)
+ {
+- /*
+- * If "set brightness to 0" is pending in workqueue, we don't
+- * want that to be reordered after blink_set()
+- */
+- flush_work(&led_cdev->set_brightness_work);
+ if (!test_bit(LED_BLINK_ONESHOT, &led_cdev->work_flags) &&
+ led_cdev->blink_set &&
+ !led_cdev->blink_set(led_cdev, delay_on, delay_off))
+--- a/drivers/leds/trigger/ledtrig-timer.c
++++ b/drivers/leds/trigger/ledtrig-timer.c
+@@ -84,6 +84,11 @@ static void timer_trig_activate(struct l
+ if (rc)
+ goto err_out_delayon;
+
++ /*
++ * If "set brightness to 0" is pending in workqueue, we don't
++ * want that to be reordered after blink_set()
++ */
++ flush_work(&led_cdev->set_brightness_work);
+ led_blink_set(led_cdev, &led_cdev->blink_delay_on,
+ &led_cdev->blink_delay_off);
+ led_cdev->activated = true;
diff --git a/patches.drivers/media-au0828-Fix-NULL-pointer-dereference-in-au0828_.patch b/patches.drivers/media-au0828-Fix-NULL-pointer-dereference-in-au0828_.patch
new file mode 100644
index 0000000000..dc6d2f921e
--- /dev/null
+++ b/patches.drivers/media-au0828-Fix-NULL-pointer-dereference-in-au0828_.patch
@@ -0,0 +1,78 @@
+From 898bc40bfcc26abb6e06e960d6d4754c36c58b50 Mon Sep 17 00:00:00 2001
+From: Shuah Khan <shuah@kernel.org>
+Date: Mon, 1 Apr 2019 20:43:17 -0400
+Subject: [PATCH] media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable()
+Git-commit: 898bc40bfcc26abb6e06e960d6d4754c36c58b50
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Fix au0828_analog_stream_enable() to check if device is in the right
+state first. When unbind happens while bind is in progress, usbdev
+pointer could be invalid in au0828_analog_stream_enable() and a call
+to usb_ifnum_to_if() will result in the null pointer dereference.
+
+This problem is found with the new media_dev_allocator.sh test.
+
+Kernel: [ 590.359623] BUG: unable to handle kernel NULL pointer dereference at 00000000000004e8
+Kernel: [ 590.359627] #PF error: [normal kernel read fault]
+Kernel: [ 590.359629] PGD 0 P4D 0
+Kernel: [ 590.359632] Oops: 0000 [#1] SMP PTI
+Kernel: [ 590.359634] CPU: 3 PID: 1458 Comm: v4l_id Not tainted 5.1.0-rc2+ #30
+Kernel: [ 590.359636] Hardware name: Dell Inc. OptiPlex 7 90/0HY9JP, BIOS A18 09/24/2013
+Kernel: [ 590.359641] RIP: 0010:usb_ifnum_to_if+0x6/0x60
+Kernel: [ 590.359643] Code: 5d 41 5e 41 5f 5d c3 48 83 c4 10 b8 fa ff ff ff 5b 41 5c 41 5d 41 5e 41 5f 5d c3 b8 fa ff ff ff c3 0f 1f 00 6
+6 66 66 66 90 55 <48> 8b 97 e8 04 00 00 48 89 e5 48 85 d2 74 41 0f b6 4a 04 84 c
+9 74
+Kernel: [ 590.359645] RSP: 0018:ffffad3cc3c1fc00 EFLAGS: 00010246
+Kernel: [ 590.359646] RAX: 0000000000000000 RBX: ffff8ded b1f3c000 RCX: 1f377e4500000000
+Kernel: [ 590.359648] RDX: ffff8dedfa3a6b50 RSI: 00000000 00000000 RDI: 0000000000000000
+Kernel: [ 590.359649] RBP: ffffad3cc3c1fc28 R08: 00000000 8574acc2 R09: ffff8dedfa3a6b50
+Kernel: [ 590.359650] R10: 0000000000000001 R11: 00000000 00000000 R12: 0000000000000000
+Kernel: [ 590.359652] R13: ffff8dedb1f3f0f0 R14: ffffffff adcf7ec0 R15: 0000000000000000
+Kernel: [ 590.359654] FS: 00007f7917198540(0000) GS:ffff 8dee258c0000(0000) knlGS:0000000000000000
+Kernel: [ 590.359655] CS: 0010 DS: 0000 ES: 0000 CR0: 00 00000080050033
+Kernel: [ 590.359657] CR2: 00000000000004e8 CR3: 00000001 a388e002 CR4: 00000000000606e0
+Kernel: [ 590.359658] Call Trace:
+Kernel: [ 590.359664] ? au0828_analog_stream_enable+0x2c/0x180
+Kernel: [ 590.359666] au0828_v4l2_open+0xa4/0x110
+Kernel: [ 590.359670] v4l2_open+0x8b/0x120
+Kernel: [ 590.359674] chrdev_open+0xa6/0x1c0
+Kernel: [ 590.359676] ? cdev_put.part.3+0x20/0x20
+Kernel: [ 590.359678] do_dentry_open+0x1f6/0x360
+Kernel: [ 590.359681] vfs_open+0x2f/0x40
+Kernel: [ 590.359684] path_openat+0x299/0xc20
+Kernel: [ 590.359688] do_filp_open+0x9b/0x110
+Kernel: [ 590.359695] ? _raw_spin_unlock+0x27/0x40
+Kernel: [ 590.359697] ? __alloc_fd+0xb2/0x160
+Kernel: [ 590.359700] do_sys_open+0x1ba/0x260
+Kernel: [ 590.359702] ? do_sys_open+0x1ba/0x260
+Kernel: [ 590.359712] __x64_sys_openat+0x20/0x30
+Kernel: [ 590.359715] do_syscall_64+0x5a/0x120
+Kernel: [ 590.359718] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Signed-off-by: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/usb/au0828/au0828-video.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/usb/au0828/au0828-video.c b/drivers/media/usb/au0828/au0828-video.c
+index e17047b94b87..536bd8bbb624 100644
+--- a/drivers/media/usb/au0828/au0828-video.c
++++ b/drivers/media/usb/au0828/au0828-video.c
+@@ -758,6 +758,9 @@ static int au0828_analog_stream_enable(struct au0828_dev *d)
+
+ dprintk(1, "au0828_analog_stream_enable called\n");
+
++ if (test_bit(DEV_DISCONNECTED, &d->dev_state))
++ return -ENODEV;
++
+ iface = usb_ifnum_to_if(d->usbdev, 0);
+ if (iface && iface->cur_altsetting->desc.bAlternateSetting != 5) {
+ dprintk(1, "Changing intf#0 to alt 5\n");
+--
+2.16.4
+
diff --git a/patches.drivers/media-au0828-stop-video-streaming-only-when-last-use.patch b/patches.drivers/media-au0828-stop-video-streaming-only-when-last-use.patch
new file mode 100644
index 0000000000..1c58406fb7
--- /dev/null
+++ b/patches.drivers/media-au0828-stop-video-streaming-only-when-last-use.patch
@@ -0,0 +1,71 @@
+From f604f0f5afb88045944567f604409951b5eb6af8 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Tue, 2 Apr 2019 03:24:15 -0400
+Subject: [PATCH] media: au0828: stop video streaming only when last user stops
+Git-commit: f604f0f5afb88045944567f604409951b5eb6af8
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+If the application was streaming from both videoX and vbiX, and streaming
+from videoX was stopped, then the vbi streaming also stopped.
+
+The cause being that stop_streaming for video stopped the subdevs as well,
+instead of only doing that if dev->streaming_users reached 0.
+
+au0828_stop_vbi_streaming was also wrong since it didn't stop the subdevs
+at all when dev->streaming_users reached 0.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Tested-by: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/usb/au0828/au0828-video.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/usb/au0828/au0828-video.c b/drivers/media/usb/au0828/au0828-video.c
+index 536bd8bbb624..4bde3db83aa2 100644
+--- a/drivers/media/usb/au0828/au0828-video.c
++++ b/drivers/media/usb/au0828/au0828-video.c
+@@ -842,9 +842,9 @@ int au0828_start_analog_streaming(struct vb2_queue *vq, unsigned int count)
+ return rc;
+ }
+
++ v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 1);
++
+ if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) {
+- v4l2_device_call_all(&dev->v4l2_dev, 0, video,
+- s_stream, 1);
+ dev->vid_timeout_running = 1;
+ mod_timer(&dev->vid_timeout, jiffies + (HZ / 10));
+ } else if (vq->type == V4L2_BUF_TYPE_VBI_CAPTURE) {
+@@ -864,10 +864,11 @@ static void au0828_stop_streaming(struct vb2_queue *vq)
+
+ dprintk(1, "au0828_stop_streaming called %d\n", dev->streaming_users);
+
+- if (dev->streaming_users-- == 1)
++ if (dev->streaming_users-- == 1) {
+ au0828_uninit_isoc(dev);
++ v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0);
++ }
+
+- v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0);
+ dev->vid_timeout_running = 0;
+ del_timer_sync(&dev->vid_timeout);
+
+@@ -896,8 +897,10 @@ void au0828_stop_vbi_streaming(struct vb2_queue *vq)
+ dprintk(1, "au0828_stop_vbi_streaming called %d\n",
+ dev->streaming_users);
+
+- if (dev->streaming_users-- == 1)
++ if (dev->streaming_users-- == 1) {
+ au0828_uninit_isoc(dev);
++ v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0);
++ }
+
+ spin_lock_irqsave(&dev->slock, flags);
+ if (dev->isoc_ctl.vbi_buf != NULL) {
+--
+2.16.4
+
diff --git a/patches.drivers/media-coda-clear-error-return-value-before-picture-r.patch b/patches.drivers/media-coda-clear-error-return-value-before-picture-r.patch
new file mode 100644
index 0000000000..2d933a0874
--- /dev/null
+++ b/patches.drivers/media-coda-clear-error-return-value-before-picture-r.patch
@@ -0,0 +1,39 @@
+From bbeefa7357a648afe70e7183914c87c3878d528d Mon Sep 17 00:00:00 2001
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Mon, 8 Apr 2019 08:32:49 -0400
+Subject: [PATCH] media: coda: clear error return value before picture run
+Git-commit: bbeefa7357a648afe70e7183914c87c3878d528d
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The error return value is not written by some firmware codecs, such as
+MPEG-2 decode on CodaHx4. Clear the error return value before starting
+the picture run to avoid misinterpreting unrelated values returned by
+sequence initialization as error return value.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/platform/coda/coda-bit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
+index b4f396c2e72c..eaa86737fa04 100644
+--- a/drivers/media/platform/coda/coda-bit.c
++++ b/drivers/media/platform/coda/coda-bit.c
+@@ -2010,6 +2010,9 @@ static int coda_prepare_decode(struct coda_ctx *ctx)
+ /* Clear decode success flag */
+ coda_write(dev, 0, CODA_RET_DEC_PIC_SUCCESS);
+
++ /* Clear error return value */
++ coda_write(dev, 0, CODA_RET_DEC_PIC_ERR_MB);
++
+ trace_coda_dec_pic_run(ctx, meta);
+
+ coda_command_async(ctx, CODA_COMMAND_PIC_RUN);
+--
+2.16.4
+
diff --git a/patches.drivers/media-cpia2-Fix-use-after-free-in-cpia2_exit.patch b/patches.drivers/media-cpia2-Fix-use-after-free-in-cpia2_exit.patch
new file mode 100644
index 0000000000..e46f309acb
--- /dev/null
+++ b/patches.drivers/media-cpia2-Fix-use-after-free-in-cpia2_exit.patch
@@ -0,0 +1,125 @@
+From dea37a97265588da604c6ba80160a287b72c7bfd Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 6 Mar 2019 07:45:08 -0500
+Subject: [PATCH] media: cpia2: Fix use-after-free in cpia2_exit
+Git-commit: dea37a97265588da604c6ba80160a287b72c7bfd
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Syzkaller report this:
+
+Bug: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
+Read of size 8 at addr ffff8881f59a6b70 by task syz-executor.0/8363
+
+Cpu: 0 PID: 8363 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
+ sysfs_remove_file include/linux/sysfs.h:519 [inline]
+ driver_remove_file+0x40/0x50 drivers/base/driver.c:122
+ usb_remove_newid_files drivers/usb/core/driver.c:212 [inline]
+ usb_deregister+0x12a/0x3b0 drivers/usb/core/driver.c:1005
+ cpia2_exit+0xa/0x16 [cpia2]
+ __do_sys_delete_module kernel/module.c:1018 [inline]
+ __se_sys_delete_module kernel/module.c:961 [inline]
+ __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+Rip: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+Rsp: 002b:00007f86f3754c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
+Rax: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+Rdx: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000300
+Rbp: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f86f37556bc
+R13: 00000000004bcca9 R14: 00000000006f6b48 R15: 00000000ffffffff
+
+Allocated by task 8363:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:495
+ kmalloc include/linux/slab.h:545 [inline]
+ kzalloc include/linux/slab.h:740 [inline]
+ bus_add_driver+0xc0/0x610 drivers/base/bus.c:651
+ driver_register+0x1bb/0x3f0 drivers/base/driver.c:170
+ usb_register_driver+0x267/0x520 drivers/usb/core/driver.c:965
+ 0xffffffffc1b4817c
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 8363:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:457
+ slab_free_hook mm/slub.c:1430 [inline]
+ slab_free_freelist_hook mm/slub.c:1457 [inline]
+ slab_free mm/slub.c:3005 [inline]
+ kfree+0xe1/0x270 mm/slub.c:3957
+ kobject_cleanup lib/kobject.c:662 [inline]
+ kobject_release lib/kobject.c:691 [inline]
+ kref_put include/linux/kref.h:67 [inline]
+ kobject_put+0x146/0x240 lib/kobject.c:708
+ bus_remove_driver+0x10e/0x220 drivers/base/bus.c:732
+ driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
+ usb_register_driver+0x341/0x520 drivers/usb/core/driver.c:980
+ 0xffffffffc1b4817c
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8881f59a6b40
+ which belongs to the cache kmalloc-256 of size 256
+The buggy address is located 48 bytes inside of
+ 256-byte region [ffff8881f59a6b40, ffff8881f59a6c40)
+The buggy address belongs to the page:
+page:ffffea0007d66980 count:1 mapcount:0 mapping:ffff8881f6c02e00 index:0x0
+Flags: 0x2fffc0000000200(slab)
+Raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6c02e00
+Raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881f59a6a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8881f59a6a80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
+>ffff8881f59a6b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff8881f59a6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881f59a6c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+
+cpia2_init does not check return value of cpia2_init, if it failed
+in usb_register_driver, there is already cleanup using driver_unregister.
+No need call cpia2_usb_cleanup on module exit.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/usb/cpia2/cpia2_v4l.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/cpia2/cpia2_v4l.c b/drivers/media/usb/cpia2/cpia2_v4l.c
+index 95c0bd4a19dc..45caf78119c4 100644
+--- a/drivers/media/usb/cpia2/cpia2_v4l.c
++++ b/drivers/media/usb/cpia2/cpia2_v4l.c
+@@ -1240,8 +1240,7 @@ static int __init cpia2_init(void)
+ LOG("%s v%s\n",
+ ABOUT, CPIA_VERSION);
+ check_parameters();
+- cpia2_usb_init();
+- return 0;
++ return cpia2_usb_init();
+ }
+
+
+--
+2.16.4
+
diff --git a/patches.drivers/media-go7007-avoid-clang-frame-overflow-warning-with.patch b/patches.drivers/media-go7007-avoid-clang-frame-overflow-warning-with.patch
new file mode 100644
index 0000000000..41cb4c7d6b
--- /dev/null
+++ b/patches.drivers/media-go7007-avoid-clang-frame-overflow-warning-with.patch
@@ -0,0 +1,47 @@
+From ed713a4a1367aca5c0f2f329579465db00c17995 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 19 Feb 2019 12:01:58 -0500
+Subject: [PATCH] media: go7007: avoid clang frame overflow warning with KASAN
+Git-commit: ed713a4a1367aca5c0f2f329579465db00c17995
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+clang-8 warns about one function here when KASAN is enabled, even
+without the 'asan-stack' option:
+
+drivers/media/usb/go7007/go7007-fw.c:1551:5: warning: stack frame size of 2656 bytes in function
+
+I have reported this issue in the llvm bugzilla, but to make
+it work with the clang-8 release, a small annotation is still
+needed.
+
+Link: https://bugs.llvm.org/show_bug.cgi?id=38809
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil-cisco@xs4all.nl: fix checkpatch warning]
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/usb/go7007/go7007-fw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/go7007/go7007-fw.c b/drivers/media/usb/go7007/go7007-fw.c
+index 24f5b615dc7a..dfa9f899d0c2 100644
+--- a/drivers/media/usb/go7007/go7007-fw.c
++++ b/drivers/media/usb/go7007/go7007-fw.c
+@@ -1499,8 +1499,8 @@ static int modet_to_package(struct go7007 *go, __le16 *code, int space)
+ return cnt;
+ }
+
+-static int do_special(struct go7007 *go, u16 type, __le16 *code, int space,
+- int *framelen)
++static noinline_for_stack int do_special(struct go7007 *go, u16 type,
++ __le16 *code, int space, int *framelen)
+ {
+ switch (type) {
+ case SPECIAL_FRM_HEAD:
+--
+2.16.4
+
diff --git a/patches.drivers/media-m88ds3103-serialize-reset-messages-in-m88ds310.patch b/patches.drivers/media-m88ds3103-serialize-reset-messages-in-m88ds310.patch
new file mode 100644
index 0000000000..acd553e84c
--- /dev/null
+++ b/patches.drivers/media-m88ds3103-serialize-reset-messages-in-m88ds310.patch
@@ -0,0 +1,104 @@
+From 981fbe3da20a6f35f17977453bce7dfc1664d74f Mon Sep 17 00:00:00 2001
+From: James Hutchinson <jahutchinson99@googlemail.com>
+Date: Sun, 13 Jan 2019 16:13:47 -0500
+Subject: [PATCH] media: m88ds3103: serialize reset messages in m88ds3103_set_frontend
+Git-commit: 981fbe3da20a6f35f17977453bce7dfc1664d74f
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Ref: https://bugzilla.kernel.org/show_bug.cgi?id=199323
+
+Users are experiencing problems with the DVBSky S960/S960C USB devices
+since the following commit:
+
+9d659ae: ("locking/mutex: Add lock handoff to avoid starvation")
+
+The device malfunctions after running for an indeterminable period of
+time, and the problem can only be cleared by rebooting the machine.
+
+It is possible to encourage the problem to surface by blocking the
+signal to the LNB.
+
+Further debugging revealed the cause of the problem.
+
+In the following capture:
+- thread #1325 is running m88ds3103_set_frontend
+- thread #42 is running ts2020_stat_work
+
+a> [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 07 80
+ [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 08
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 68 3f
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 08 ff
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 3d
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
+b> [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 07 00
+ [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 21
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 66
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
+ [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
+ [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 60 02 10 0b
+ [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+
+Two i2c messages are sent to perform a reset in m88ds3103_set_frontend:
+
+ a. 0x07, 0x80
+ b. 0x07, 0x00
+
+However, as shown in the capture, the regmap mutex is being handed over
+to another thread (ts2020_stat_work) in between these two messages.
+
+>From here, the device responds to every i2c message with an 07 message,
+and will only return to normal operation following a power cycle.
+
+Use regmap_multi_reg_write to group the two reset messages, ensuring
+both are processed before the regmap mutex is unlocked.
+
+Signed-off-by: James Hutchinson <jahutchinson99@googlemail.com>
+Reviewed-by: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/dvb-frontends/m88ds3103.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/m88ds3103.c b/drivers/media/dvb-frontends/m88ds3103.c
+index 123f2a33738b..403f42806455 100644
+--- a/drivers/media/dvb-frontends/m88ds3103.c
++++ b/drivers/media/dvb-frontends/m88ds3103.c
+@@ -309,6 +309,9 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe)
+ u16 u16tmp;
+ u32 tuner_frequency_khz, target_mclk;
+ s32 s32tmp;
++ static const struct reg_sequence reset_buf[] = {
++ {0x07, 0x80}, {0x07, 0x00}
++ };
+
+ dev_dbg(&client->dev,
+ "delivery_system=%d modulation=%d frequency=%u symbol_rate=%d inversion=%d pilot=%d rolloff=%d\n",
+@@ -321,11 +324,7 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe)
+ }
+
+ /* reset */
+- ret = regmap_write(dev->regmap, 0x07, 0x80);
+- if (ret)
+- goto err;
+-
+- ret = regmap_write(dev->regmap, 0x07, 0x00);
++ ret = regmap_multi_reg_write(dev->regmap, reset_buf, 2);
+ if (ret)
+ goto err;
+
+--
+2.16.4
+
diff --git a/patches.drivers/media-ov2659-make-S_FMT-succeed-even-if-requested-fo.patch b/patches.drivers/media-ov2659-make-S_FMT-succeed-even-if-requested-fo.patch
new file mode 100644
index 0000000000..5cec9550c8
--- /dev/null
+++ b/patches.drivers/media-ov2659-make-S_FMT-succeed-even-if-requested-fo.patch
@@ -0,0 +1,52 @@
+From bccb89cf9cd07a0690d519696a00c00a973b3fe4 Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Sat, 30 Mar 2019 10:01:31 -0400
+Subject: [PATCH] media: ov2659: make S_FMT succeed even if requested format doesn't match
+Git-commit: bccb89cf9cd07a0690d519696a00c00a973b3fe4
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+This driver returns an error if unsupported media bus pixel code is
+requested by VIDIOC_SUBDEV_S_FMT.
+
+But according to Documentation/media/uapi/v4l/vidioc-subdev-g-fmt.rst,
+
+Drivers must not return an error solely because the requested format
+doesn't match the device capabilities. They must instead modify the
+format to match what the hardware can provide.
+
+So select default format code and return success in that case.
+
+This is detected by v4l2-compliance.
+
+Cc: "Lad, Prabhakar" <prabhakar.csengg@gmail.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/i2c/ov2659.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/i2c/ov2659.c b/drivers/media/i2c/ov2659.c
+index 799acce803fe..a1e9a980a445 100644
+--- a/drivers/media/i2c/ov2659.c
++++ b/drivers/media/i2c/ov2659.c
+@@ -1117,8 +1117,10 @@ static int ov2659_set_fmt(struct v4l2_subdev *sd,
+ if (ov2659_formats[index].code == mf->code)
+ break;
+
+- if (index < 0)
+- return -EINVAL;
++ if (index < 0) {
++ index = 0;
++ mf->code = ov2659_formats[index].code;
++ }
+
+ mf->colorspace = V4L2_COLORSPACE_SRGB;
+ mf->field = V4L2_FIELD_NONE;
+--
+2.16.4
+
diff --git a/patches.drivers/media-saa7146-avoid-high-stack-usage-with-clang.patch b/patches.drivers/media-saa7146-avoid-high-stack-usage-with-clang.patch
new file mode 100644
index 0000000000..da11cc611d
--- /dev/null
+++ b/patches.drivers/media-saa7146-avoid-high-stack-usage-with-clang.patch
@@ -0,0 +1,74 @@
+From 03aa4f191a36f33fce015387f84efa0eee94408e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 19 Feb 2019 12:01:56 -0500
+Subject: [PATCH] media: saa7146: avoid high stack usage with clang
+Git-commit: 03aa4f191a36f33fce015387f84efa0eee94408e
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Two saa7146/hexium files contain a construct that causes a warning
+when built with clang:
+
+drivers/media/pci/saa7146/hexium_orion.c:210:12: error: stack frame size of 2272 bytes in function 'hexium_probe'
+ [-Werror,-Wframe-larger-than=]
+static int hexium_probe(struct saa7146_dev *dev)
+ ^
+drivers/media/pci/saa7146/hexium_gemini.c:257:12: error: stack frame size of 2304 bytes in function 'hexium_attach'
+ [-Werror,-Wframe-larger-than=]
+static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
+ ^
+
+This one happens regardless of KASAN, and the problem is that a
+constructor to initialize a dynamically allocated structure leads
+to a copy of that structure on the stack, whereas gcc initializes
+it in place.
+
+Link: https://bugs.llvm.org/show_bug.cgi?id=40776
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil-cisco@xs4all.nl: fix checkpatch warnings]
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/pci/saa7146/hexium_gemini.c | 5 ++---
+ drivers/media/pci/saa7146/hexium_orion.c | 5 ++---
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
+index 5817d9cde4d0..6d8e4afe9673 100644
+--- a/drivers/media/pci/saa7146/hexium_gemini.c
++++ b/drivers/media/pci/saa7146/hexium_gemini.c
+@@ -270,9 +270,8 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
+ /* enable i2c-port pins */
+ saa7146_write(dev, MC1, (MASK_08 | MASK_24 | MASK_10 | MASK_26));
+
+- hexium->i2c_adapter = (struct i2c_adapter) {
+- .name = "hexium gemini",
+- };
++ strscpy(hexium->i2c_adapter.name, "hexium gemini",
++ sizeof(hexium->i2c_adapter.name));
+ saa7146_i2c_adapter_prepare(dev, &hexium->i2c_adapter, SAA7146_I2C_BUS_BIT_RATE_480);
+ if (i2c_add_adapter(&hexium->i2c_adapter) < 0) {
+ DEB_S("cannot register i2c-device. skipping.\n");
+diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c
+index 0a05176c18ab..a794f9e5f990 100644
+--- a/drivers/media/pci/saa7146/hexium_orion.c
++++ b/drivers/media/pci/saa7146/hexium_orion.c
+@@ -231,9 +231,8 @@ static int hexium_probe(struct saa7146_dev *dev)
+ saa7146_write(dev, DD1_STREAM_B, 0x00000000);
+ saa7146_write(dev, MC2, (MASK_09 | MASK_25 | MASK_10 | MASK_26));
+
+- hexium->i2c_adapter = (struct i2c_adapter) {
+- .name = "hexium orion",
+- };
++ strscpy(hexium->i2c_adapter.name, "hexium orion",
++ sizeof(hexium->i2c_adapter.name));
+ saa7146_i2c_adapter_prepare(dev, &hexium->i2c_adapter, SAA7146_I2C_BUS_BIT_RATE_480);
+ if (i2c_add_adapter(&hexium->i2c_adapter) < 0) {
+ DEB_S("cannot register i2c-device. skipping.\n");
+--
+2.16.4
+
diff --git a/patches.drivers/media-smsusb-better-handle-optional-alignment.patch b/patches.drivers/media-smsusb-better-handle-optional-alignment.patch
new file mode 100644
index 0000000000..bcb4bb3359
--- /dev/null
+++ b/patches.drivers/media-smsusb-better-handle-optional-alignment.patch
@@ -0,0 +1,77 @@
+From a47686636d84eaec5c9c6e84bd5f96bed34d526d Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Date: Fri, 24 May 2019 10:59:43 -0400
+Subject: [PATCH] media: smsusb: better handle optional alignment
+Git-commit: a47686636d84eaec5c9c6e84bd5f96bed34d526d
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+Most Siano devices require an alignment for the response.
+
+Changeset f3be52b0056a ("media: usb: siano: Fix general protection fault in smsusb")
+changed the logic with gets such aligment, but it now produces a
+sparce warning:
+
+Drivers/media/usb/siano/smsusb.c: In function 'smsusb_init_device':
+drivers/media/usb/siano/smsusb.c:447:37: warning: 'in_maxp' may be used uninitialized in this function [-Wmaybe-uninitialized]
+ 447 | dev->response_alignment = in_maxp - sizeof(struct sms_msg_hdr);
+ | ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The sparse message itself is bogus, but a broken (or fake) USB
+eeprom could produce a negative value for response_alignment.
+
+So, change the code in order to check if the result is not
+negative.
+
+Fixes: 31e0456de5be ("media: usb: siano: Fix general protection fault in smsusb")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/usb/siano/smsusb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
+index 59b3c124b49d..e39f3f40dfdd 100644
+--- a/drivers/media/usb/siano/smsusb.c
++++ b/drivers/media/usb/siano/smsusb.c
+@@ -400,7 +400,7 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id)
+ struct smsusb_device_t *dev;
+ void *mdev;
+ int i, rc;
+- int in_maxp = 0;
++ int align = 0;
+
+ /* create device object */
+ dev = kzalloc(sizeof(struct smsusb_device_t), GFP_KERNEL);
+@@ -418,14 +418,14 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id)
+
+ if (desc->bEndpointAddress & USB_DIR_IN) {
+ dev->in_ep = desc->bEndpointAddress;
+- in_maxp = usb_endpoint_maxp(desc);
++ align = usb_endpoint_maxp(desc) - sizeof(struct sms_msg_hdr);
+ } else {
+ dev->out_ep = desc->bEndpointAddress;
+ }
+ }
+
+ pr_debug("in_ep = %02x, out_ep = %02x\n", dev->in_ep, dev->out_ep);
+- if (!dev->in_ep || !dev->out_ep) { /* Missing endpoints? */
++ if (!dev->in_ep || !dev->out_ep || align < 0) { /* Missing endpoints? */
+ smsusb_term_device(intf);
+ return -ENODEV;
+ }
+@@ -444,7 +444,7 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id)
+ /* fall-thru */
+ default:
+ dev->buffer_size = USB2_BUFFER_SIZE;
+- dev->response_alignment = in_maxp - sizeof(struct sms_msg_hdr);
++ dev->response_alignment = align;
+
+ params.flags |= SMS_DEVICE_FAMILY2;
+ break;
+--
+2.16.4
+
diff --git a/patches.drivers/media-usb-siano-Fix-false-positive-uninitialized-var.patch b/patches.drivers/media-usb-siano-Fix-false-positive-uninitialized-var.patch
new file mode 100644
index 0000000000..98c147e9dc
--- /dev/null
+++ b/patches.drivers/media-usb-siano-Fix-false-positive-uninitialized-var.patch
@@ -0,0 +1,38 @@
+From 45457c01171fd1488a7000d1751c06ed8560ee38 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 21 May 2019 11:38:07 -0400
+Subject: [PATCH] media: usb: siano: Fix false-positive "uninitialized variable" warning
+Git-commit: 45457c01171fd1488a7000d1751c06ed8560ee38
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+GCC complains about an apparently uninitialized variable recently
+added to smsusb_init_device(). It's a false positive, but to silence
+the warning this patch adds a trivial initialization.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: kbuild test robot <lkp@intel.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/usb/siano/smsusb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
+index 27ad14a3f831..59b3c124b49d 100644
+--- a/drivers/media/usb/siano/smsusb.c
++++ b/drivers/media/usb/siano/smsusb.c
+@@ -400,7 +400,7 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id)
+ struct smsusb_device_t *dev;
+ void *mdev;
+ int i, rc;
+- int in_maxp;
++ int in_maxp = 0;
+
+ /* create device object */
+ dev = kzalloc(sizeof(struct smsusb_device_t), GFP_KERNEL);
+--
+2.16.4
+
diff --git a/patches.drivers/media-usb-siano-Fix-general-protection-fault-in-smsu.patch b/patches.drivers/media-usb-siano-Fix-general-protection-fault-in-smsu.patch
new file mode 100644
index 0000000000..784711a9e7
--- /dev/null
+++ b/patches.drivers/media-usb-siano-Fix-general-protection-fault-in-smsu.patch
@@ -0,0 +1,90 @@
+From 31e0456de5be379b10fea0fa94a681057114a96e Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 7 May 2019 12:39:47 -0400
+Subject: [PATCH] media: usb: siano: Fix general protection fault in smsusb
+Git-commit: 31e0456de5be379b10fea0fa94a681057114a96e
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+The syzkaller USB fuzzer found a general-protection-fault bug in the
+smsusb part of the Siano DVB driver. The fault occurs during probe
+because the driver assumes without checking that the device has both
+IN and OUT endpoints and the IN endpoint is ep1.
+
+By slightly rearranging the driver's initialization code, we can make
+the appropriate checks early on and thus avoid the problem. If the
+expected endpoints aren't present, the new code safely returns -ENODEV
+from the probe routine.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: syzbot+53f029db71c19a47325a@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/usb/siano/smsusb.c | 33 ++++++++++++++++++++-------------
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+--- a/drivers/media/usb/siano/smsusb.c
++++ b/drivers/media/usb/siano/smsusb.c
+@@ -402,6 +402,7 @@ static int smsusb_init_device(struct usb
+ struct smsusb_device_t *dev;
+ void *mdev;
+ int i, rc;
++ int in_maxp;
+
+ /* create device object */
+ dev = kzalloc(sizeof(struct smsusb_device_t), GFP_KERNEL);
+@@ -413,6 +414,24 @@ static int smsusb_init_device(struct usb
+ dev->udev = interface_to_usbdev(intf);
+ dev->state = SMSUSB_DISCONNECTED;
+
++ for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
++ struct usb_endpoint_descriptor *desc =
++ &intf->cur_altsetting->endpoint[i].desc;
++
++ if (desc->bEndpointAddress & USB_DIR_IN) {
++ dev->in_ep = desc->bEndpointAddress;
++ in_maxp = usb_endpoint_maxp(desc);
++ } else {
++ dev->out_ep = desc->bEndpointAddress;
++ }
++ }
++
++ pr_debug("in_ep = %02x, out_ep = %02x\n", dev->in_ep, dev->out_ep);
++ if (!dev->in_ep || !dev->out_ep) { /* Missing endpoints? */
++ smsusb_term_device(intf);
++ return -ENODEV;
++ }
++
+ params.device_type = sms_get_board(board_id)->type;
+
+ switch (params.device_type) {
+@@ -427,24 +446,12 @@ static int smsusb_init_device(struct usb
+ /* fall-thru */
+ default:
+ dev->buffer_size = USB2_BUFFER_SIZE;
+- dev->response_alignment =
+- le16_to_cpu(dev->udev->ep_in[1]->desc.wMaxPacketSize) -
+- sizeof(struct sms_msg_hdr);
++ dev->response_alignment = in_maxp - sizeof(struct sms_msg_hdr);
+
+ params.flags |= SMS_DEVICE_FAMILY2;
+ break;
+ }
+
+- for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
+- if (intf->cur_altsetting->endpoint[i].desc. bEndpointAddress & USB_DIR_IN)
+- dev->in_ep = intf->cur_altsetting->endpoint[i].desc.bEndpointAddress;
+- else
+- dev->out_ep = intf->cur_altsetting->endpoint[i].desc.bEndpointAddress;
+- }
+-
+- pr_debug("in_ep = %02x, out_ep = %02x\n",
+- dev->in_ep, dev->out_ep);
+-
+ params.device = &dev->udev->dev;
+ params.buffer_size = dev->buffer_size;
+ params.num_buffers = MAX_BUFFERS;
diff --git a/patches.drivers/mfd-da9063-Fix-OTP-control-register-names-to-match-d.patch b/patches.drivers/mfd-da9063-Fix-OTP-control-register-names-to-match-d.patch
new file mode 100644
index 0000000000..b2cc19ed98
--- /dev/null
+++ b/patches.drivers/mfd-da9063-Fix-OTP-control-register-names-to-match-d.patch
@@ -0,0 +1,43 @@
+From 6b4814a9451add06d457e198be418bf6a3e6a990 Mon Sep 17 00:00:00 2001
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Fri, 26 Apr 2019 14:33:35 +0100
+Subject: [PATCH] mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L
+Git-commit: 6b4814a9451add06d457e198be418bf6a3e6a990
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Mismatch between what is found in the Datasheets for DA9063 and DA9063L
+provided by Dialog Semiconductor, and the register names provided in the
+MFD registers file. The changes are for the OTP (one-time-programming)
+control registers. The two naming errors are OPT instead of OTP, and
+COUNT instead of CONT (i.e. control).
+
+Cc: Stable <stable@vger.kernel.org>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ include/linux/mfd/da9063/registers.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/mfd/da9063/registers.h b/include/linux/mfd/da9063/registers.h
+index 272f984b766d..ba706b0e28c2 100644
+--- a/include/linux/mfd/da9063/registers.h
++++ b/include/linux/mfd/da9063/registers.h
+@@ -210,9 +210,9 @@
+
+ /* DA9063 Configuration registers */
+ /* OTP */
+-#define DA9063_REG_OPT_COUNT 0x101
+-#define DA9063_REG_OPT_ADDR 0x102
+-#define DA9063_REG_OPT_DATA 0x103
++#define DA9063_REG_OTP_CONT 0x101
++#define DA9063_REG_OTP_ADDR 0x102
++#define DA9063_REG_OTP_DATA 0x103
+
+ /* Customer Trim and Configuration */
+ #define DA9063_REG_T_OFFSET 0x104
+--
+2.16.4
+
diff --git a/patches.drivers/mfd-max77620-Fix-swapped-FPS_PERIOD_MAX_US-values.patch b/patches.drivers/mfd-max77620-Fix-swapped-FPS_PERIOD_MAX_US-values.patch
new file mode 100644
index 0000000000..6b53f98070
--- /dev/null
+++ b/patches.drivers/mfd-max77620-Fix-swapped-FPS_PERIOD_MAX_US-values.patch
@@ -0,0 +1,38 @@
+From ea611d1cc180fbb56982c83cd5142a2b34881f5c Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Sun, 5 May 2019 18:43:22 +0300
+Subject: [PATCH] mfd: max77620: Fix swapped FPS_PERIOD_MAX_US values
+Git-commit: ea611d1cc180fbb56982c83cd5142a2b34881f5c
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The FPS_PERIOD_MAX_US definitions are swapped for MAX20024 and MAX77620,
+fix it.
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ include/linux/mfd/max77620.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/mfd/max77620.h b/include/linux/mfd/max77620.h
+index ad2a9a852aea..b4fd5a7c2aaa 100644
+--- a/include/linux/mfd/max77620.h
++++ b/include/linux/mfd/max77620.h
+@@ -136,8 +136,8 @@
+ #define MAX77620_FPS_PERIOD_MIN_US 40
+ #define MAX20024_FPS_PERIOD_MIN_US 20
+
+-#define MAX77620_FPS_PERIOD_MAX_US 2560
+-#define MAX20024_FPS_PERIOD_MAX_US 5120
++#define MAX20024_FPS_PERIOD_MAX_US 2560
++#define MAX77620_FPS_PERIOD_MAX_US 5120
+
+ #define MAX77620_REG_FPS_GPIO1 0x54
+ #define MAX77620_REG_FPS_GPIO2 0x55
+--
+2.16.4
+
diff --git a/patches.drivers/mmc-core-Verify-SD-bus-width.patch b/patches.drivers/mmc-core-Verify-SD-bus-width.patch
new file mode 100644
index 0000000000..c4ac9bac4d
--- /dev/null
+++ b/patches.drivers/mmc-core-Verify-SD-bus-width.patch
@@ -0,0 +1,57 @@
+From 9e4be8d03f50d1b25c38e2b59e73b194c130df7d Mon Sep 17 00:00:00 2001
+From: Raul E Rangel <rrangel@chromium.org>
+Date: Mon, 29 Apr 2019 11:32:39 -0600
+Subject: [PATCH] mmc: core: Verify SD bus width
+Git-commit: 9e4be8d03f50d1b25c38e2b59e73b194c130df7d
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The SD Physical Layer Spec says the following: Since the SD Memory Card
+shall support at least the two bus modes 1-bit or 4-bit width, then any SD
+Card shall set at least bits 0 and 2 (SD_BUS_WIDTH="0101").
+
+This change verifies the card has specified a bus width.
+
+AMD SDHC Device 7806 can get into a bad state after a card disconnect
+where anything transferred via the DATA lines will always result in a
+zero filled buffer. Currently the driver will continue without error if
+the HC is in this condition. A block device will be created, but reading
+from it will result in a zero buffer. This makes it seem like the SD
+device has been erased, when in actuality the data is never getting
+copied from the DATA lines to the data buffer.
+
+SCR is the first command in the SD initialization sequence that uses the
+DATA lines. By checking that the response was invalid, we can abort
+mounting the card.
+
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Signed-off-by: Raul E Rangel <rrangel@chromium.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/mmc/core/sd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/mmc/core/sd.c b/drivers/mmc/core/sd.c
+index 265e1aeeb9d8..d3d32f9a2cb1 100644
+--- a/drivers/mmc/core/sd.c
++++ b/drivers/mmc/core/sd.c
+@@ -221,6 +221,14 @@ static int mmc_decode_scr(struct mmc_card *card)
+
+ if (scr->sda_spec3)
+ scr->cmds = UNSTUFF_BITS(resp, 32, 2);
++
++ /* SD Spec says: any SD Card shall set at least bits 0 and 2 */
++ if (!(scr->bus_widths & SD_SCR_BUS_WIDTH_1) ||
++ !(scr->bus_widths & SD_SCR_BUS_WIDTH_4)) {
++ pr_err("%s: invalid bus width\n", mmc_hostname(card->host));
++ return -EINVAL;
++ }
++
+ return 0;
+ }
+
+--
+2.16.4
+
diff --git a/patches.drivers/mmc-sdhci-iproc-Set-NO_HISPD-bit-to-fix-HS50-data-ho.patch b/patches.drivers/mmc-sdhci-iproc-Set-NO_HISPD-bit-to-fix-HS50-data-ho.patch
new file mode 100644
index 0000000000..d0f16b250d
--- /dev/null
+++ b/patches.drivers/mmc-sdhci-iproc-Set-NO_HISPD-bit-to-fix-HS50-data-ho.patch
@@ -0,0 +1,48 @@
+From ec0970e0a1b2c807c908d459641a9f9a1be3e130 Mon Sep 17 00:00:00 2001
+From: Trac Hoang <trac.hoang@broadcom.com>
+Date: Thu, 9 May 2019 10:24:27 -0700
+Subject: [PATCH] mmc: sdhci-iproc: Set NO_HISPD bit to fix HS50 data hold time problem
+Git-commit: ec0970e0a1b2c807c908d459641a9f9a1be3e130
+Patch-mainline: v5.2-rc2
+References: bsc#1051510
+
+The iproc host eMMC/SD controller hold time does not meet the
+specification in the HS50 mode. This problem can be mitigated
+by disabling the HISPD bit; thus forcing the controller output
+data to be driven on the falling clock edges rather than the
+rising clock edges.
+
+Stable tag (v4.12+) chosen to assist stable kernel maintainers so that
+the change does not produce merge conflicts backporting to older kernel
+versions. In reality, the timing bug existed since the driver was first
+introduced but there is no need for this driver to be supported in kernel
+versions that old.
+
+Cc: stable@vger.kernel.org # v4.12+
+Signed-off-by: Trac Hoang <trac.hoang@broadcom.com>
+Signed-off-by: Scott Branden <scott.branden@broadcom.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/mmc/host/sdhci-iproc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sdhci-iproc.c b/drivers/mmc/host/sdhci-iproc.c
+index 9d4071c41c94..2feb4ef32035 100644
+--- a/drivers/mmc/host/sdhci-iproc.c
++++ b/drivers/mmc/host/sdhci-iproc.c
+@@ -220,7 +220,8 @@ static const struct sdhci_iproc_data iproc_cygnus_data = {
+
+ static const struct sdhci_pltfm_data sdhci_iproc_pltfm_data = {
+ .quirks = SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK |
+- SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12,
++ SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 |
++ SDHCI_QUIRK_NO_HISPD_BIT,
+ .quirks2 = SDHCI_QUIRK2_ACMD23_BROKEN,
+ .ops = &sdhci_iproc_ops,
+ };
+--
+2.16.4
+
diff --git a/patches.drivers/mmc-sdhci-iproc-cygnus-Set-NO_HISPD-bit-to-fix-HS50-.patch b/patches.drivers/mmc-sdhci-iproc-cygnus-Set-NO_HISPD-bit-to-fix-HS50-.patch
new file mode 100644
index 0000000000..8bc7b297bc
--- /dev/null
+++ b/patches.drivers/mmc-sdhci-iproc-cygnus-Set-NO_HISPD-bit-to-fix-HS50-.patch
@@ -0,0 +1,50 @@
+From b7dfa695afc40d5396ed84b9f25aa3754de23e39 Mon Sep 17 00:00:00 2001
+From: Trac Hoang <trac.hoang@broadcom.com>
+Date: Thu, 9 May 2019 10:24:26 -0700
+Subject: [PATCH] mmc: sdhci-iproc: cygnus: Set NO_HISPD bit to fix HS50 data hold time problem
+Git-commit: b7dfa695afc40d5396ed84b9f25aa3754de23e39
+Patch-mainline: v5.2-rc2
+References: bsc#1051510
+
+The iproc host eMMC/SD controller hold time does not meet the
+specification in the HS50 mode. This problem can be mitigated
+by disabling the HISPD bit; thus forcing the controller output
+data to be driven on the falling clock edges rather than the
+rising clock edges.
+
+This change applies only to the Cygnus platform.
+
+Stable tag (v4.12+) chosen to assist stable kernel maintainers so that
+the change does not produce merge conflicts backporting to older kernel
+versions. In reality, the timing bug existed since the driver was first
+introduced but there is no need for this driver to be supported in kernel
+versions that old.
+
+Cc: stable@vger.kernel.org # v4.12+
+Signed-off-by: Trac Hoang <trac.hoang@broadcom.com>
+Signed-off-by: Scott Branden <scott.branden@broadcom.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/mmc/host/sdhci-iproc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sdhci-iproc.c b/drivers/mmc/host/sdhci-iproc.c
+index 9d12c06c7fd6..9d4071c41c94 100644
+--- a/drivers/mmc/host/sdhci-iproc.c
++++ b/drivers/mmc/host/sdhci-iproc.c
+@@ -196,7 +196,8 @@ static const struct sdhci_ops sdhci_iproc_32only_ops = {
+ };
+
+ static const struct sdhci_pltfm_data sdhci_iproc_cygnus_pltfm_data = {
+- .quirks = SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK,
++ .quirks = SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK |
++ SDHCI_QUIRK_NO_HISPD_BIT,
+ .quirks2 = SDHCI_QUIRK2_ACMD23_BROKEN | SDHCI_QUIRK2_HOST_OFF_CARD_ON,
+ .ops = &sdhci_iproc_32only_ops,
+ };
+--
+2.16.4
+
diff --git a/patches.drivers/mmc-sdhci-of-esdhc-add-erratum-A-009204-support.patch b/patches.drivers/mmc-sdhci-of-esdhc-add-erratum-A-009204-support.patch
new file mode 100644
index 0000000000..c457cf7872
--- /dev/null
+++ b/patches.drivers/mmc-sdhci-of-esdhc-add-erratum-A-009204-support.patch
@@ -0,0 +1,44 @@
+From 5dd195522562542bc6ebe6e7bd47890d8b7ca93c Mon Sep 17 00:00:00 2001
+From: Yinbo Zhu <yinbo.zhu@nxp.com>
+Date: Mon, 11 Mar 2019 02:16:44 +0000
+Subject: [PATCH] mmc: sdhci-of-esdhc: add erratum A-009204 support
+Git-commit: 5dd195522562542bc6ebe6e7bd47890d8b7ca93c
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+In the event of that any data error (like, IRQSTAT[DCE]) occurs
+during an eSDHC data transaction where DMA is used for data
+transfer to/from the system memory, setting the SYSCTL[RSTD]
+register may cause a system hang. If software sets the register
+SYSCTL[RSTD] to 1 for error recovery while DMA transferring is
+not complete, eSDHC may hang the system bus. This happens because
+the software register SYSCTL[RSTD] resets the DMA engine without
+waiting for the completion of pending system transactions. This
+erratum is to fix this issue.
+
+Signed-off-by: Yinbo Zhu <yinbo.zhu@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/mmc/host/sdhci-of-esdhc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c
+index 04d7d95e9bba..57a44896668a 100644
+--- a/drivers/mmc/host/sdhci-of-esdhc.c
++++ b/drivers/mmc/host/sdhci-of-esdhc.c
+@@ -694,6 +694,9 @@ static void esdhc_reset(struct sdhci_host *host, u8 mask)
+ sdhci_writel(host, host->ier, SDHCI_INT_ENABLE);
+ sdhci_writel(host, host->ier, SDHCI_SIGNAL_ENABLE);
+
++ if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc"))
++ mdelay(5);
++
+ if (mask & SDHCI_RESET_ALL) {
+ val = sdhci_readl(host, ESDHC_TBCTL);
+ val &= ~ESDHC_TB_EN;
+--
+2.16.4
+
diff --git a/patches.drivers/mmc-sdhci-of-esdhc-add-erratum-eSDHC5-support.patch b/patches.drivers/mmc-sdhci-of-esdhc-add-erratum-eSDHC5-support.patch
new file mode 100644
index 0000000000..c0f064ff0e
--- /dev/null
+++ b/patches.drivers/mmc-sdhci-of-esdhc-add-erratum-eSDHC5-support.patch
@@ -0,0 +1,40 @@
+From a46e42712596b51874f04c73f1cdf1017f88df52 Mon Sep 17 00:00:00 2001
+From: Yinbo Zhu <yinbo.zhu@nxp.com>
+Date: Mon, 11 Mar 2019 02:16:36 +0000
+Subject: [PATCH] mmc: sdhci-of-esdhc: add erratum eSDHC5 support
+Git-commit: a46e42712596b51874f04c73f1cdf1017f88df52
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Software writing to the Transfer Type configuration register
+(system clock domain) can cause a setup/hold violation in the
+CRC flops (card clock domain), which can cause write accesses
+to be sent with corrupt CRC values. This issue occurs only for
+write preceded by read. this erratum is to fix this issue.
+
+Signed-off-by: Yinbo Zhu <yinbo.zhu@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/mmc/host/sdhci-of-esdhc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c
+index e8cb7a92b9e6..b3310ea90231 100644
+--- a/drivers/mmc/host/sdhci-of-esdhc.c
++++ b/drivers/mmc/host/sdhci-of-esdhc.c
+@@ -1075,6 +1075,9 @@ static int sdhci_esdhc_probe(struct platform_device *pdev)
+ if (esdhc->vendor_ver > VENDOR_V_22)
+ host->quirks &= ~SDHCI_QUIRK_NO_BUSY_IRQ;
+
++ if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc"))
++ host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST;
++
+ if (of_device_is_compatible(np, "fsl,p5040-esdhc") ||
+ of_device_is_compatible(np, "fsl,p5020-esdhc") ||
+ of_device_is_compatible(np, "fsl,p4080-esdhc") ||
+--
+2.16.4
+
diff --git a/patches.drivers/mmc_spi-add-a-status-check-for-spi_sync_locked.patch b/patches.drivers/mmc_spi-add-a-status-check-for-spi_sync_locked.patch
new file mode 100644
index 0000000000..b42bd4b785
--- /dev/null
+++ b/patches.drivers/mmc_spi-add-a-status-check-for-spi_sync_locked.patch
@@ -0,0 +1,38 @@
+From 611025983b7976df0183390a63a2166411d177f1 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Mon, 11 Mar 2019 00:53:33 -0500
+Subject: [PATCH] mmc_spi: add a status check for spi_sync_locked
+Git-commit: 611025983b7976df0183390a63a2166411d177f1
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+In case spi_sync_locked fails, the fix reports the error and
+returns the error code upstream.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/mmc/host/mmc_spi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/mmc/host/mmc_spi.c b/drivers/mmc/host/mmc_spi.c
+index 1b1498805972..a3533935e282 100644
+--- a/drivers/mmc/host/mmc_spi.c
++++ b/drivers/mmc/host/mmc_spi.c
+@@ -819,6 +819,10 @@ mmc_spi_readblock(struct mmc_spi_host *host, struct spi_transfer *t,
+ }
+
+ status = spi_sync_locked(spi, &host->m);
++ if (status < 0) {
++ dev_dbg(&spi->dev, "read error %d\n", status);
++ return status;
++ }
+
+ if (host->dma_dev) {
+ dma_sync_single_for_cpu(host->dma_dev,
+--
+2.16.4
+
diff --git a/patches.drivers/parport-Fix-mem-leak-in-parport_register_dev_model.patch b/patches.drivers/parport-Fix-mem-leak-in-parport_register_dev_model.patch
new file mode 100644
index 0000000000..169ff1567b
--- /dev/null
+++ b/patches.drivers/parport-Fix-mem-leak-in-parport_register_dev_model.patch
@@ -0,0 +1,69 @@
+From 1c7ebeabc9e5ee12e42075a597de40fdb9059530 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 14 May 2019 23:24:37 +0800
+Subject: [PATCH] parport: Fix mem leak in parport_register_dev_model
+Git-commit: 1c7ebeabc9e5ee12e42075a597de40fdb9059530
+Patch-mainline: v5.2-rc4
+References: bsc#1051510
+
+Bug: memory leak
+unreferenced object 0xffff8881df48cda0 (size 16):
+ comm "syz-executor.0", pid 5077, jiffies 4295994670 (age 22.280s)
+ hex dump (first 16 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000d2d0d5fe>] parport_register_dev_model+0x141/0x6e0 [parport]
+ [<00000000782f6dab>] 0xffffffffc15d1196
+ [<00000000d2ca6ae4>] platform_drv_probe+0x7e/0x100
+ [<00000000628c2a94>] really_probe+0x342/0x4d0
+ [<000000006874f5da>] driver_probe_device+0x8c/0x170
+ [<00000000424de37a>] __device_attach_driver+0xda/0x100
+ [<000000002acab09a>] bus_for_each_drv+0xfe/0x170
+ [<000000003d9e5f31>] __device_attach+0x190/0x230
+ [<0000000035d32f80>] bus_probe_device+0x123/0x140
+ [<00000000a05ba627>] device_add+0x7cc/0xce0
+ [<000000003f7560bf>] platform_device_add+0x230/0x3c0
+ [<000000002a0be07d>] 0xffffffffc15d0949
+ [<000000007361d8d2>] port_check+0x3b/0x50 [parport]
+ [<000000004d67200f>] bus_for_each_dev+0x115/0x180
+ [<000000003ccfd11c>] __parport_register_driver+0x1f0/0x210 [parport]
+ [<00000000987f06fc>] 0xffffffffc15d803e
+
+After commit 4e5a74f1db8d ("parport: Revert "parport: fix
+memory leak""), free_pardevice do not free par_dev->state,
+we should free it in error path of parport_register_dev_model
+before return.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 4e5a74f1db8d ("parport: Revert "parport: fix memory leak"")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/parport/share.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/parport/share.c b/drivers/parport/share.c
+index 5dc53d420ca8..7b4ee33c1935 100644
+--- a/drivers/parport/share.c
++++ b/drivers/parport/share.c
+@@ -895,6 +895,7 @@ parport_register_dev_model(struct parport *port, const char *name,
+ par_dev->devmodel = true;
+ ret = device_register(&par_dev->dev);
+ if (ret) {
++ kfree(par_dev->state);
+ put_device(&par_dev->dev);
+ goto err_put_port;
+ }
+@@ -912,6 +913,7 @@ parport_register_dev_model(struct parport *port, const char *name,
+ spin_unlock(&port->physport->pardevice_lock);
+ pr_debug("%s: cannot grant exclusive access for device %s\n",
+ port->name, name);
++ kfree(par_dev->state);
+ device_unregister(&par_dev->dev);
+ goto err_put_port;
+ }
+--
+2.16.4
+
diff --git a/patches.drivers/rtc-88pm860x-prevent-use-after-free-on-device-remove.patch b/patches.drivers/rtc-88pm860x-prevent-use-after-free-on-device-remove.patch
new file mode 100644
index 0000000000..dba06d6e10
--- /dev/null
+++ b/patches.drivers/rtc-88pm860x-prevent-use-after-free-on-device-remove.patch
@@ -0,0 +1,46 @@
+From f22b1ba15ee5785aa028384ebf77dd39e8e47b70 Mon Sep 17 00:00:00 2001
+From: Sven Van Asbroeck <thesven73@gmail.com>
+Date: Fri, 26 Apr 2019 14:36:35 -0400
+Subject: [PATCH] rtc: 88pm860x: prevent use-after-free on device remove
+Git-commit: f22b1ba15ee5785aa028384ebf77dd39e8e47b70
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The device's remove() attempts to shut down the delayed_work scheduled
+on the kernel-global workqueue by calling flush_scheduled_work().
+
+Unfortunately, flush_scheduled_work() does not prevent the delayed_work
+from re-scheduling itself. The delayed_work might run after the device
+has been removed, and touch the already de-allocated info structure.
+This is a potential use-after-free.
+
+Fix by calling cancel_delayed_work_sync() during remove(): this ensures
+that the delayed work is properly cancelled, is no longer running, and
+is not able to re-schedule itself.
+
+This issue was detected with the help of Coccinelle.
+
+Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/rtc/rtc-88pm860x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-88pm860x.c b/drivers/rtc/rtc-88pm860x.c
+index d25282b4a7dd..73697e4b18a9 100644
+--- a/drivers/rtc/rtc-88pm860x.c
++++ b/drivers/rtc/rtc-88pm860x.c
+@@ -421,7 +421,7 @@ static int pm860x_rtc_remove(struct platform_device *pdev)
+ struct pm860x_rtc_info *info = platform_get_drvdata(pdev);
+
+ #ifdef VRTC_CALIBRATION
+- flush_scheduled_work();
++ cancel_delayed_work_sync(&info->calib_work);
+ /* disable measurement */
+ pm860x_set_bits(info->i2c, PM8607_MEAS_EN2, MEAS2_VRTC, 0);
+ #endif /* VRTC_CALIBRATION */
+--
+2.16.4
+
diff --git a/patches.drivers/rtc-don-t-reference-bogus-function-pointer-in-kdoc.patch b/patches.drivers/rtc-don-t-reference-bogus-function-pointer-in-kdoc.patch
new file mode 100644
index 0000000000..e037f98e71
--- /dev/null
+++ b/patches.drivers/rtc-don-t-reference-bogus-function-pointer-in-kdoc.patch
@@ -0,0 +1,41 @@
+From c48cadf5bf4becefcd0751b97995d2350aa9bb57 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Wed, 3 Apr 2019 17:19:52 +0200
+Subject: [PATCH] rtc: don't reference bogus function pointer in kdoc
+Git-commit: c48cadf5bf4becefcd0751b97995d2350aa9bb57
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The mentioned function pointer is long gone since early 2011. Remove the
+reference in the comment and reword it slightly.
+
+Fixes: 51ba60c5bb3b ("RTC: Cleanup rtc_class_ops->update_irq_enable()")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/rtc/interface.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/rtc/interface.c b/drivers/rtc/interface.c
+index ccb7d6b4da3b..56ed0c3a8c85 100644
+--- a/drivers/rtc/interface.c
++++ b/drivers/rtc/interface.c
+@@ -573,10 +573,9 @@ int rtc_update_irq_enable(struct rtc_device *rtc, unsigned int enabled)
+ mutex_unlock(&rtc->ops_lock);
+ #ifdef CONFIG_RTC_INTF_DEV_UIE_EMUL
+ /*
+- * Enable emulation if the driver did not provide
+- * the update_irq_enable function pointer or if returned
+- * -EINVAL to signal that it has been configured without
+- * interrupts or that are not available at the moment.
++ * Enable emulation if the driver returned -EINVAL to signal that it has
++ * been configured without interrupts or they are not available at the
++ * moment.
+ */
+ if (err == -EINVAL)
+ err = rtc_dev_update_irq_enable_emul(rtc, enabled);
+--
+2.16.4
+
diff --git a/patches.drivers/rtlwifi-fix-a-potential-NULL-pointer-dereference.patch b/patches.drivers/rtlwifi-fix-a-potential-NULL-pointer-dereference.patch
new file mode 100644
index 0000000000..dbe77648e3
--- /dev/null
+++ b/patches.drivers/rtlwifi-fix-a-potential-NULL-pointer-dereference.patch
@@ -0,0 +1,38 @@
+From 765976285a8c8db3f0eb7f033829a899d0c2786e Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Tue, 12 Mar 2019 02:56:33 -0500
+Subject: [PATCH] rtlwifi: fix a potential NULL pointer dereference
+Git-commit: 765976285a8c8db3f0eb7f033829a899d0c2786e
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+In case alloc_workqueue fails, the fix reports the error and
+returns to avoid NULL pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/base.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
+index 217d2a7a43c7..ac746c322554 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/base.c
++++ b/drivers/net/wireless/realtek/rtlwifi/base.c
+@@ -448,6 +448,11 @@ static void _rtl_init_deferred_work(struct ieee80211_hw *hw)
+ /* <2> work queue */
+ rtlpriv->works.hw = hw;
+ rtlpriv->works.rtl_wq = alloc_workqueue("%s", 0, 0, rtlpriv->cfg->name);
++ if (unlikely(!rtlpriv->works.rtl_wq)) {
++ pr_err("Failed to allocate work queue\n");
++ return;
++ }
++
+ INIT_DELAYED_WORK(&rtlpriv->works.watchdog_wq,
+ (void *)rtl_watchdog_wq_callback);
+ INIT_DELAYED_WORK(&rtlpriv->works.ips_nic_off_wq,
+--
+2.16.4
+
diff --git a/patches.drivers/rtlwifi-fix-potential-NULL-pointer-dereference.patch b/patches.drivers/rtlwifi-fix-potential-NULL-pointer-dereference.patch
new file mode 100644
index 0000000000..8df57585f7
--- /dev/null
+++ b/patches.drivers/rtlwifi-fix-potential-NULL-pointer-dereference.patch
@@ -0,0 +1,99 @@
+From 60209d482b97743915883d293c8b85226d230c19 Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih <pkshih@realtek.com>
+Date: Tue, 12 Mar 2019 17:06:48 +0800
+Subject: [PATCH] rtlwifi: fix potential NULL pointer dereference
+Git-commit: 60209d482b97743915883d293c8b85226d230c19
+Patch-mainline: v5.2-rc1
+References: bsc#1111666
+
+In case dev_alloc_skb fails, the fix safely returns to avoid
+potential NULL pointer dereference.
+
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8188ee/fw.c | 2 ++
+ drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c | 2 ++
+ drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c | 2 ++
+ drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c | 2 ++
+ drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c | 2 ++
+ drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c | 4 ++++
+ 6 files changed, 14 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/fw.c
+@@ -622,6 +622,8 @@ void rtl88e_set_fw_rsvdpagepkt(struct ie
+ u1rsvdpageloc, 3);
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet, totalpacketlen);
+
+ rtstatus = rtl_cmd_send_packet(hw, skb);
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/fw_common.c
+@@ -647,6 +647,8 @@ void rtl92c_set_fw_rsvdpagepkt(struct ie
+
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet, totalpacketlen);
+
+ if (cmd_send_packet)
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ee/fw.c
+@@ -766,6 +766,8 @@ void rtl92ee_set_fw_rsvdpagepkt(struct i
+ u1rsvdpageloc, 3);
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet, totalpacketlen);
+
+ rtstatus = rtl_cmd_send_packet(hw, skb);
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/fw.c
+@@ -470,6 +470,8 @@ void rtl8723e_set_fw_rsvdpagepkt(struct
+ u1rsvdpageloc, 3);
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet, totalpacketlen);
+
+ rtstatus = rtl_cmd_send_packet(hw, skb);
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/fw.c
+@@ -584,6 +584,8 @@ void rtl8723be_set_fw_rsvdpagepkt(struct
+ u1rsvdpageloc, sizeof(u1rsvdpageloc));
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet, totalpacketlen);
+
+ rtstatus = rtl_cmd_send_packet(hw, skb);
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.c
+@@ -1645,6 +1645,8 @@ out:
+ &reserved_page_packet_8812[0], totalpacketlen);
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet_8812, totalpacketlen);
+
+ rtstatus = rtl_cmd_send_packet(hw, skb);
+@@ -1781,6 +1783,8 @@ out:
+ &reserved_page_packet_8821[0], totalpacketlen);
+
+ skb = dev_alloc_skb(totalpacketlen);
++ if (!skb)
++ return;
+ skb_put_data(skb, &reserved_page_packet_8821, totalpacketlen);
+
+ rtstatus = rtl_cmd_send_packet(hw, skb);
diff --git a/patches.drivers/scsi-mpt3sas_ctl-fix-double-fetch-bug-in-ctl_ioctl_main b/patches.drivers/scsi-mpt3sas_ctl-fix-double-fetch-bug-in-ctl_ioctl_main
new file mode 100644
index 0000000000..3bb9ba6856
--- /dev/null
+++ b/patches.drivers/scsi-mpt3sas_ctl-fix-double-fetch-bug-in-ctl_ioctl_main
@@ -0,0 +1,45 @@
+From: Gen Zhang <blackgod016574@gmail.com>
+Date: Thu, 30 May 2019 09:10:30 +0800
+Subject: scsi: mpt3sas_ctl: fix double-fetch bug in _ctl_ioctl_main()
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git
+Git-commit: 86e5aca7fa2927060839f3e3b40c8bd65a7e8d1e
+Patch-mainline: Queued in subsystem maintainer repo
+References: bsc#1136922 CVE-2019-12456
+
+In _ctl_ioctl_main(), 'ioctl_header' is fetched the first time from
+userspace. 'ioctl_header.ioc_number' is then checked. The legal result is
+saved to 'ioc'. Then, in condition MPT3COMMAND, the whole struct is fetched
+again from the userspace. Then _ctl_do_mpt_command() is called, 'ioc' and
+'karg' as inputs.
+
+However, a malicious user can change the 'ioc_number' between the two
+fetches, which will cause a potential security issues. Moreover, a
+malicious user can provide a valid 'ioc_number' to pass the check in first
+fetch, and then modify it in the second fetch.
+
+To fix this, we need to recheck the 'ioc_number' in the second fetch.
+
+Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
+Acked-by: Suganath Prabu S <suganath-prabu.subramani@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Lee Duncan <lduncan@suse.com>
+---
+ drivers/scsi/mpt3sas/mpt3sas_ctl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+index b2bb47c14d35..5181c03e82a6 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+@@ -2319,6 +2319,10 @@ _ctl_ioctl_main(struct file *file, unsigned int cmd, void __user *arg,
+ break;
+ }
+
++ if (karg.hdr.ioc_number != ioctl_header.ioc_number) {
++ ret = -EINVAL;
++ break;
++ }
+ if (_IOC_SIZE(cmd) == sizeof(struct mpt3_ioctl_command)) {
+ uarg = arg;
+ ret = _ctl_do_mpt_command(ioc, karg, &uarg->mf);
+
diff --git a/patches.drivers/staging-vc04_services-prevent-integer-overflow-in-cr.patch b/patches.drivers/staging-vc04_services-prevent-integer-overflow-in-cr.patch
new file mode 100644
index 0000000000..ead031e53e
--- /dev/null
+++ b/patches.drivers/staging-vc04_services-prevent-integer-overflow-in-cr.patch
@@ -0,0 +1,55 @@
+From ca641bae6da977d638458e78cd1487b6160a2718 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 15 May 2019 12:38:33 +0300
+Subject: [PATCH] staging: vc04_services: prevent integer overflow in create_pagelist()
+Git-commit: ca641bae6da977d638458e78cd1487b6160a2718
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+The create_pagelist() "count" parameter comes from the user in
+vchiq_ioctl() and it could overflow. If you look at how create_page()
+is called in vchiq_prepare_bulk_data(), then the "size" variable is an
+int so it doesn't make sense to allow negatives or larger than INT_MAX.
+
+I don't know this code terribly well, but I believe that typical values
+of "count" are typically quite low and I don't think this check will
+affect normal valid uses at all.
+
+The "pagelist_size" calculation can also overflow on 32 bit systems, but
+not on 64 bit systems. I have added an integer overflow check for that
+as well.
+
+The Raspberry PI doesn't offer the same level of memory protection that
+x86 does so these sorts of bugs are probably not super critical to fix.
+
+Fixes: 71bad7f08641 ("staging: add bcm2708 vchiq driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
+@@ -406,9 +406,18 @@ create_pagelist(char __user *buf, size_t
+ int dma_buffers;
+ dma_addr_t dma_addr;
+
++ if (count >= INT_MAX - PAGE_SIZE)
++ return NULL;
++
+ offset = ((unsigned int)(unsigned long)buf & (PAGE_SIZE - 1));
+ num_pages = DIV_ROUND_UP(count + offset, PAGE_SIZE);
+
++ if (num_pages > (SIZE_MAX - sizeof(PAGELIST_T) -
++ sizeof(struct vchiq_pagelist_info)) /
++ (sizeof(u32) + sizeof(pages[0]) +
++ sizeof(struct scatterlist)))
++ return NULL;
++
+ pagelist_size = sizeof(PAGELIST_T) +
+ (num_pages * sizeof(u32)) +
+ (num_pages * sizeof(pages[0]) +
diff --git a/patches.drivers/staging-wlan-ng-fix-adapter-initialization-failure.patch b/patches.drivers/staging-wlan-ng-fix-adapter-initialization-failure.patch
new file mode 100644
index 0000000000..92e392a36d
--- /dev/null
+++ b/patches.drivers/staging-wlan-ng-fix-adapter-initialization-failure.patch
@@ -0,0 +1,57 @@
+From a67fedd788182764dc8ed59037c604b7e60349f1 Mon Sep 17 00:00:00 2001
+From: Tim Collier <osdevtc@gmail.com>
+Date: Sat, 11 May 2019 18:40:46 +0100
+Subject: [PATCH] staging: wlan-ng: fix adapter initialization failure
+Git-commit: a67fedd788182764dc8ed59037c604b7e60349f1
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+Commit e895f00a8496 ("Staging: wlan-ng: hfa384x_usb.c Fixed too long
+code line warnings.") moved the retrieval of the transfer buffer from
+the URB from the top of function hfa384x_usbin_callback to a point
+after reposting of the URB via a call to submit_rx_urb. The reposting
+of the URB allocates a new transfer buffer so the new buffer is
+retrieved instead of the buffer containing the response passed into
+the callback. This results in failure to initialize the adapter with
+an error reported in the system log (something like "CTLX[1] error:
+state(Request failed)").
+
+This change moves the retrieval to just before the point where the URB
+is reposted so that the correct transfer buffer is retrieved and
+initialization of the device succeeds.
+
+Signed-off-by: Tim Collier <osdevtc@gmail.com>
+Fixes: e895f00a8496 ("Staging: wlan-ng: hfa384x_usb.c Fixed too long code line warnings.")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/staging/wlan-ng/hfa384x_usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c
+index 6fde75d4f064..ab734534093b 100644
+--- a/drivers/staging/wlan-ng/hfa384x_usb.c
++++ b/drivers/staging/wlan-ng/hfa384x_usb.c
+@@ -3119,7 +3119,9 @@ static void hfa384x_usbin_callback(struct urb *urb)
+ break;
+ }
+
++ /* Save values from the RX URB before reposting overwrites it. */
+ urb_status = urb->status;
++ usbin = (union hfa384x_usbin *)urb->transfer_buffer;
+
+ if (action != ABORT) {
+ /* Repost the RX URB */
+@@ -3136,7 +3138,6 @@ static void hfa384x_usbin_callback(struct urb *urb)
+ /* Note: the check of the sw_support field, the type field doesn't
+ * have bit 12 set like the docs suggest.
+ */
+- usbin = (union hfa384x_usbin *)urb->transfer_buffer;
+ type = le16_to_cpu(usbin->type);
+ if (HFA384x_USB_ISRXFRM(type)) {
+ if (action == HANDLE) {
+--
+2.16.4
+
diff --git a/patches.drivers/thunderbolt-Fix-to-check-for-kmemdup-failure.patch b/patches.drivers/thunderbolt-Fix-to-check-for-kmemdup-failure.patch
new file mode 100644
index 0000000000..b886352368
--- /dev/null
+++ b/patches.drivers/thunderbolt-Fix-to-check-for-kmemdup-failure.patch
@@ -0,0 +1,84 @@
+From 2cc12751cf464a722ff57b54d17d30c84553f9c0 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Wed, 20 Mar 2019 10:57:54 -0500
+Subject: [PATCH] thunderbolt: Fix to check for kmemdup failure
+Git-commit: 2cc12751cf464a722ff57b54d17d30c84553f9c0
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Memory allocated via kmemdup might fail and return a NULL pointer.
+This patch adds a check on the return value of kmemdup and passes the
+error upstream.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/thunderbolt/switch.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+--- a/drivers/thunderbolt/switch.c
++++ b/drivers/thunderbolt/switch.c
+@@ -1205,13 +1205,14 @@ int tb_switch_configure(struct tb_switch
+ return tb_plug_events_active(sw, true);
+ }
+
+-static void tb_switch_set_uuid(struct tb_switch *sw)
++static int tb_switch_set_uuid(struct tb_switch *sw)
+ {
+ u32 uuid[4];
+- int cap;
++ int cap, ret;
+
++ ret = 0;
+ if (sw->uuid)
+- return;
++ return ret;
+
+ /*
+ * The newer controllers include fused UUID as part of link
+@@ -1219,7 +1220,9 @@ static void tb_switch_set_uuid(struct tb
+ */
+ cap = tb_switch_find_vse_cap(sw, TB_VSE_CAP_LINK_CONTROLLER);
+ if (cap > 0) {
+- tb_sw_read(sw, uuid, TB_CFG_SWITCH, cap + 3, 4);
++ ret = tb_sw_read(sw, uuid, TB_CFG_SWITCH, cap + 3, 4);
++ if (ret)
++ return ret;
+ } else {
+ /*
+ * ICM generates UUID based on UID and fills the upper
+@@ -1234,6 +1237,9 @@ static void tb_switch_set_uuid(struct tb
+ }
+
+ sw->uuid = kmemdup(uuid, sizeof(uuid), GFP_KERNEL);
++ if (!sw->uuid)
++ ret = -ENOMEM;
++ return ret;
+ }
+
+ static int tb_switch_add_dma_port(struct tb_switch *sw)
+@@ -1279,7 +1285,9 @@ static int tb_switch_add_dma_port(struct
+
+ if (status) {
+ tb_sw_info(sw, "switch flash authentication failed\n");
+- tb_switch_set_uuid(sw);
++ ret = tb_switch_set_uuid(sw);
++ if (ret)
++ return ret;
+ nvm_set_auth_status(sw, status);
+ }
+
+@@ -1329,7 +1337,9 @@ int tb_switch_add(struct tb_switch *sw)
+ }
+ tb_sw_info(sw, "uid: %#llx\n", sw->uid);
+
+- tb_switch_set_uuid(sw);
++ ret = tb_switch_set_uuid(sw);
++ if (ret)
++ return ret;
+
+ for (i = 0; i <= sw->config.max_port_number; i++) {
+ if (sw->ports[i].disabled) {
diff --git a/patches.drivers/tty-ipwireless-fix-missing-checks-for-ioremap.patch b/patches.drivers/tty-ipwireless-fix-missing-checks-for-ioremap.patch
new file mode 100644
index 0000000000..24e48f8209
--- /dev/null
+++ b/patches.drivers/tty-ipwireless-fix-missing-checks-for-ioremap.patch
@@ -0,0 +1,51 @@
+From 1bbb1c318cd8a3a39e8c3e2e83d5e90542d6c3e3 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 15 Mar 2019 02:07:12 -0500
+Subject: [PATCH] tty: ipwireless: fix missing checks for ioremap
+Git-commit: 1bbb1c318cd8a3a39e8c3e2e83d5e90542d6c3e3
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+ipw->attr_memory and ipw->common_memory are assigned with the
+return value of ioremap. ioremap may fail, but no checks
+are enforced. The fix inserts the checks to avoid potential
+NULL pointer dereferences.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/tty/ipwireless/main.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/tty/ipwireless/main.c b/drivers/tty/ipwireless/main.c
+index 3475e841ef5c..4c18bbfe1a92 100644
+--- a/drivers/tty/ipwireless/main.c
++++ b/drivers/tty/ipwireless/main.c
+@@ -114,6 +114,10 @@ static int ipwireless_probe(struct pcmcia_device *p_dev, void *priv_data)
+
+ ipw->common_memory = ioremap(p_dev->resource[2]->start,
+ resource_size(p_dev->resource[2]));
++ if (!ipw->common_memory) {
++ ret = -ENOMEM;
++ goto exit1;
++ }
+ if (!request_mem_region(p_dev->resource[2]->start,
+ resource_size(p_dev->resource[2]),
+ IPWIRELESS_PCCARD_NAME)) {
+@@ -134,6 +138,10 @@ static int ipwireless_probe(struct pcmcia_device *p_dev, void *priv_data)
+
+ ipw->attr_memory = ioremap(p_dev->resource[3]->start,
+ resource_size(p_dev->resource[3]));
++ if (!ipw->attr_memory) {
++ ret = -ENOMEM;
++ goto exit3;
++ }
+ if (!request_mem_region(p_dev->resource[3]->start,
+ resource_size(p_dev->resource[3]),
+ IPWIRELESS_PCCARD_NAME)) {
+--
+2.16.4
+
diff --git a/patches.drivers/tty-serial-msm_serial-Fix-XON-XOFF.patch b/patches.drivers/tty-serial-msm_serial-Fix-XON-XOFF.patch
new file mode 100644
index 0000000000..c98f3a646b
--- /dev/null
+++ b/patches.drivers/tty-serial-msm_serial-Fix-XON-XOFF.patch
@@ -0,0 +1,58 @@
+From 61c0e37950b88bad590056286c1d766b1f167f4e Mon Sep 17 00:00:00 2001
+From: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
+Date: Mon, 20 May 2019 20:38:48 +0200
+Subject: [PATCH] tty: serial: msm_serial: Fix XON/XOFF
+Git-commit: 61c0e37950b88bad590056286c1d766b1f167f4e
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+When the tty layer requests the uart to throttle, the current code
+executing in msm_serial will trigger "Bad mode in Error Handler" and
+generate an invalid stack frame in pstore before rebooting (that is if
+pstore is indeed configured: otherwise the user shall just notice a
+reboot with no further information dumped to the console).
+
+This patch replaces the PIO byte accessor with the word accessor
+already used in PIO mode.
+
+Fixes: 68252424a7c7 ("tty: serial: msm: Support big-endian CPUs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/tty/serial/msm_serial.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c
+index 109096033bb1..23833ad952ba 100644
+--- a/drivers/tty/serial/msm_serial.c
++++ b/drivers/tty/serial/msm_serial.c
+@@ -860,6 +860,7 @@ static void msm_handle_tx(struct uart_port *port)
+ struct circ_buf *xmit = &msm_port->uart.state->xmit;
+ struct msm_dma *dma = &msm_port->tx_dma;
+ unsigned int pio_count, dma_count, dma_min;
++ char buf[4] = { 0 };
+ void __iomem *tf;
+ int err = 0;
+
+@@ -869,10 +870,12 @@ static void msm_handle_tx(struct uart_port *port)
+ else
+ tf = port->membase + UART_TF;
+
++ buf[0] = port->x_char;
++
+ if (msm_port->is_uartdm)
+ msm_reset_dm_count(port, 1);
+
+- iowrite8_rep(tf, &port->x_char, 1);
++ iowrite32_rep(tf, buf, 1);
+ port->icount.tx++;
+ port->x_char = 0;
+ return;
+--
+2.16.4
+
diff --git a/patches.drivers/tty-vt-fix-write-write-race-in-ioctl-KDSKBSENT-handl.patch b/patches.drivers/tty-vt-fix-write-write-race-in-ioctl-KDSKBSENT-handl.patch
new file mode 100644
index 0000000000..fe27b12247
--- /dev/null
+++ b/patches.drivers/tty-vt-fix-write-write-race-in-ioctl-KDSKBSENT-handl.patch
@@ -0,0 +1,187 @@
+From 46ca3f735f345c9d87383dd3a09fa5d43870770e Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <slyfox@gentoo.org>
+Date: Sun, 10 Mar 2019 21:24:15 +0000
+Subject: [PATCH] tty/vt: fix write/write race in ioctl(KDSKBSENT) handler
+Git-commit: 46ca3f735f345c9d87383dd3a09fa5d43870770e
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The bug manifests as an attempt to access deallocated memory:
+
+ BUG: unable to handle kernel paging request at ffff9c8735448000
+ #PF error: [PROT] [WRITE]
+ PGD 288a05067 P4D 288a05067 PUD 288a07067 PMD 7f60c2063 PTE 80000007f5448161
+ Oops: 0003 [#1] PREEMPT SMP
+ CPU: 6 PID: 388 Comm: loadkeys Tainted: G C 5.0.0-rc6-00153-g5ded5871030e #91
+ Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M-D3H, BIOS F12 11/14/2013
+ RIP: 0010:__memmove+0x81/0x1a0
+ Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 <f3> 48 a5 4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49
+ RSP: 0018:ffffa1b9002d7d08 EFLAGS: 00010203
+ RAX: ffff9c873541af43 RBX: ffff9c873541af43 RCX: 00000c6f105cd6bf
+ RDX: 0000637882e986b6 RSI: ffff9c8735447ffb RDI: ffff9c8735447ffb
+ RBP: ffff9c8739cd3800 R08: ffff9c873b802f00 R09: 00000000fffff73b
+ R10: ffffffffb82b35f1 R11: 00505b1b004d5b1b R12: 0000000000000000
+ R13: ffff9c873541af3d R14: 000000000000000b R15: 000000000000000c
+ FS: 00007f450c390580(0000) GS:ffff9c873f180000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffff9c8735448000 CR3: 00000007e213c002 CR4: 00000000000606e0
+ Call Trace:
+ vt_do_kdgkb_ioctl+0x34d/0x440
+ vt_ioctl+0xba3/0x1190
+ ? __bpf_prog_run32+0x39/0x60
+ ? mem_cgroup_commit_charge+0x7b/0x4e0
+ tty_ioctl+0x23f/0x920
+ ? preempt_count_sub+0x98/0xe0
+ ? __seccomp_filter+0x67/0x600
+ do_vfs_ioctl+0xa2/0x6a0
+ ? syscall_trace_enter+0x192/0x2d0
+ ksys_ioctl+0x3a/0x70
+ __x64_sys_ioctl+0x16/0x20
+ do_syscall_64+0x54/0xe0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The bug manifests on systemd systems with multiple vtcon devices:
+ # cat /sys/devices/virtual/vtconsole/vtcon0/name
+ (S) dummy device
+ # cat /sys/devices/virtual/vtconsole/vtcon1/name
+ (M) frame buffer device
+
+There systemd runs 'loadkeys' tool in tapallel for each vtcon
+instance. This causes two parallel ioctl(KDSKBSENT) calls to
+race into adding the same entry into 'func_table' array at:
+
+ drivers/tty/vt/keyboard.c:vt_do_kdgkb_ioctl()
+
+The function has no locking around writes to 'func_table'.
+
+The simplest reproducer is to have initrams with the following
+init on a 8-CPU machine x86_64:
+
+ #!/bin/sh
+
+ loadkeys -q windowkeys ru4 &
+ loadkeys -q windowkeys ru4 &
+ loadkeys -q windowkeys ru4 &
+ loadkeys -q windowkeys ru4 &
+
+ loadkeys -q windowkeys ru4 &
+ loadkeys -q windowkeys ru4 &
+ loadkeys -q windowkeys ru4 &
+ loadkeys -q windowkeys ru4 &
+ wait
+
+The change adds lock on write path only. Reads are still racy.
+
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jiri Slaby <jslaby@suse.com>
+Link: https://lkml.org/lkml/2019/2/17/256
+Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/tty/vt/keyboard.c | 33 +++++++++++++++++++++++++++------
+ 1 file changed, 27 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
+index 88312c6c92cc..0617e87ab343 100644
+--- a/drivers/tty/vt/keyboard.c
++++ b/drivers/tty/vt/keyboard.c
+@@ -123,6 +123,7 @@ static const int NR_TYPES = ARRAY_SIZE(max_vals);
+ static struct input_handler kbd_handler;
+ static DEFINE_SPINLOCK(kbd_event_lock);
+ static DEFINE_SPINLOCK(led_lock);
++static DEFINE_SPINLOCK(func_buf_lock); /* guard 'func_buf' and friends */
+ static unsigned long key_down[BITS_TO_LONGS(KEY_CNT)]; /* keyboard key bitmap */
+ static unsigned char shift_down[NR_SHIFT]; /* shift state counters.. */
+ static bool dead_key_next;
+@@ -1990,11 +1991,12 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
+ char *p;
+ u_char *q;
+ u_char __user *up;
+- int sz;
++ int sz, fnw_sz;
+ int delta;
+ char *first_free, *fj, *fnw;
+ int i, j, k;
+ int ret;
++ unsigned long flags;
+
+ if (!capable(CAP_SYS_TTY_CONFIG))
+ perm = 0;
+@@ -2037,7 +2039,14 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
+ goto reterr;
+ }
+
++ fnw = NULL;
++ fnw_sz = 0;
++ /* race aginst other writers */
++ again:
++ spin_lock_irqsave(&func_buf_lock, flags);
+ q = func_table[i];
++
++ /* fj pointer to next entry after 'q' */
+ first_free = funcbufptr + (funcbufsize - funcbufleft);
+ for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
+ ;
+@@ -2045,10 +2054,12 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
+ fj = func_table[j];
+ else
+ fj = first_free;
+-
++ /* buffer usage increase by new entry */
+ delta = (q ? -strlen(q) : 1) + strlen(kbs->kb_string);
++
+ if (delta <= funcbufleft) { /* it fits in current buf */
+ if (j < MAX_NR_FUNC) {
++ /* make enough space for new entry at 'fj' */
+ memmove(fj + delta, fj, first_free - fj);
+ for (k = j; k < MAX_NR_FUNC; k++)
+ if (func_table[k])
+@@ -2061,20 +2072,28 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
+ sz = 256;
+ while (sz < funcbufsize - funcbufleft + delta)
+ sz <<= 1;
+- fnw = kmalloc(sz, GFP_KERNEL);
+- if(!fnw) {
+- ret = -ENOMEM;
+- goto reterr;
++ if (fnw_sz != sz) {
++ spin_unlock_irqrestore(&func_buf_lock, flags);
++ kfree(fnw);
++ fnw = kmalloc(sz, GFP_KERNEL);
++ fnw_sz = sz;
++ if (!fnw) {
++ ret = -ENOMEM;
++ goto reterr;
++ }
++ goto again;
+ }
+
+ if (!q)
+ func_table[i] = fj;
++ /* copy data before insertion point to new location */
+ if (fj > funcbufptr)
+ memmove(fnw, funcbufptr, fj - funcbufptr);
+ for (k = 0; k < j; k++)
+ if (func_table[k])
+ func_table[k] = fnw + (func_table[k] - funcbufptr);
+
++ /* copy data after insertion point to new location */
+ if (first_free > fj) {
+ memmove(fnw + (fj - funcbufptr) + delta, fj, first_free - fj);
+ for (k = j; k < MAX_NR_FUNC; k++)
+@@ -2087,7 +2106,9 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
+ funcbufleft = funcbufleft - delta + sz - funcbufsize;
+ funcbufsize = sz;
+ }
++ /* finally insert item itself */
+ strcpy(func_table[i], kbs->kb_string);
++ spin_unlock_irqrestore(&func_buf_lock, flags);
+ break;
+ }
+ ret = 0;
+--
+2.16.4
+
diff --git a/patches.drivers/usb-core-Add-PM-runtime-calls-to-usb_hcd_platform_sh.patch b/patches.drivers/usb-core-Add-PM-runtime-calls-to-usb_hcd_platform_sh.patch
new file mode 100644
index 0000000000..4692014048
--- /dev/null
+++ b/patches.drivers/usb-core-Add-PM-runtime-calls-to-usb_hcd_platform_sh.patch
@@ -0,0 +1,40 @@
+From 8ead7e817224d7832fe51a19783cb8fcadc79467 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Fri, 22 Mar 2019 14:54:05 -0700
+Subject: [PATCH] usb: core: Add PM runtime calls to usb_hcd_platform_shutdown
+Git-commit: 8ead7e817224d7832fe51a19783cb8fcadc79467
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+If ohci-platform is runtime suspended, we can currently get an "imprecise
+external abort" on reboot with ohci-platform loaded when PM runtime
+is implemented for the SoC.
+
+Let's fix this by adding PM runtime support to usb_hcd_platform_shutdown.
+
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/core/hcd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
+index 3189181bb628..b227a2651e7c 100644
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -3017,6 +3017,9 @@ usb_hcd_platform_shutdown(struct platform_device *dev)
+ {
+ struct usb_hcd *hcd = platform_get_drvdata(dev);
+
++ /* No need for pm_runtime_put(), we're shutting down */
++ pm_runtime_get_sync(&dev->dev);
++
+ if (hcd->driver->shutdown)
+ hcd->driver->shutdown(hcd);
+ }
+--
+2.16.4
+
diff --git a/patches.drivers/usbip-usbip_host-fix-BUG-sleeping-function-called-fr.patch b/patches.drivers/usbip-usbip_host-fix-BUG-sleeping-function-called-fr.patch
new file mode 100644
index 0000000000..5d624c1745
--- /dev/null
+++ b/patches.drivers/usbip-usbip_host-fix-BUG-sleeping-function-called-fr.patch
@@ -0,0 +1,247 @@
+From 0c9e8b3cad654bfc499c10b652fbf8f0b890af8f Mon Sep 17 00:00:00 2001
+From: Shuah Khan <skhan@linuxfoundation.org>
+Date: Thu, 2 May 2019 13:47:02 -0600
+Subject: [PATCH] usbip: usbip_host: fix BUG: sleeping function called from invalid context
+Git-commit: 0c9e8b3cad654bfc499c10b652fbf8f0b890af8f
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+stub_probe() and stub_disconnect() call functions which could call
+sleeping function in invalid context whil holding busid_lock.
+
+Fix the problem by refining the lock holds to short critical sections
+to change the busid_priv fields. This fix restructures the code to
+limit the lock holds in stub_probe() and stub_disconnect().
+
+Stub_probe():
+
+[15217.927028] BUG: sleeping function called from invalid context at mm/slab.h:418
+[15217.927038] in_atomic(): 1, irqs_disabled(): 0, pid: 29087, name: usbip
+[15217.927044] 5 locks held by usbip/29087:
+[15217.927047] #0: 0000000091647f28 (sb_writers#6){....}, at: vfs_write+0x191/0x1c0
+[15217.927062] #1: 000000008f9ba75b (&of->mutex){....}, at: kernfs_fop_write+0xf7/0x1b0
+[15217.927072] #2: 00000000872e5b4b (&dev->mutex){....}, at: __device_driver_lock+0x3b/0x50
+[15217.927082] #3: 00000000e74ececc (&dev->mutex){....}, at: __device_driver_lock+0x46/0x50
+[15217.927090] #4: 00000000b20abbe0 (&(&busid_table[i].busid_lock)->rlock){....}, at: get_busid_priv+0x48/0x60 [usbip_host]
+[15217.927103] CPU: 3 PID: 29087 Comm: usbip Tainted: G W 5.1.0-rc6+ #40
+[15217.927106] Hardware name: Dell Inc. OptiPlex 790/0HY9JP, BIOS A18 09/24/2013
+[15217.927109] Call Trace:
+[15217.927118] dump_stack+0x63/0x85
+[15217.927127] ___might_sleep+0xff/0x120
+[15217.927133] __might_sleep+0x4a/0x80
+[15217.927143] kmem_cache_alloc_trace+0x1aa/0x210
+[15217.927156] stub_probe+0xe8/0x440 [usbip_host]
+[15217.927171] usb_probe_device+0x34/0x70
+
+Stub_disconnect():
+
+[15279.182478] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908
+[15279.182487] in_atomic(): 1, irqs_disabled(): 0, pid: 29114, name: usbip
+[15279.182492] 5 locks held by usbip/29114:
+[15279.182494] #0: 0000000091647f28 (sb_writers#6){....}, at: vfs_write+0x191/0x1c0
+[15279.182506] #1: 00000000702cf0f3 (&of->mutex){....}, at: kernfs_fop_write+0xf7/0x1b0
+[15279.182514] #2: 00000000872e5b4b (&dev->mutex){....}, at: __device_driver_lock+0x3b/0x50
+[15279.182522] #3: 00000000e74ececc (&dev->mutex){....}, at: __device_driver_lock+0x46/0x50
+[15279.182529] #4: 00000000b20abbe0 (&(&busid_table[i].busid_lock)->rlock){....}, at: get_busid_priv+0x48/0x60 [usbip_host]
+[15279.182541] CPU: 0 PID: 29114 Comm: usbip Tainted: G W 5.1.0-rc6+ #40
+[15279.182543] Hardware name: Dell Inc. OptiPlex 790/0HY9JP, BIOS A18 09/24/2013
+[15279.182546] Call Trace:
+[15279.182554] dump_stack+0x63/0x85
+[15279.182561] ___might_sleep+0xff/0x120
+[15279.182566] __might_sleep+0x4a/0x80
+[15279.182574] __mutex_lock+0x55/0x950
+[15279.182582] ? get_busid_priv+0x48/0x60 [usbip_host]
+[15279.182587] ? reacquire_held_locks+0xec/0x1a0
+[15279.182591] ? get_busid_priv+0x48/0x60 [usbip_host]
+[15279.182597] ? find_held_lock+0x94/0xa0
+[15279.182609] mutex_lock_nested+0x1b/0x20
+[15279.182614] ? mutex_lock_nested+0x1b/0x20
+[15279.182618] kernfs_remove_by_name_ns+0x2a/0x90
+[15279.182625] sysfs_remove_file_ns+0x15/0x20
+[15279.182629] device_remove_file+0x19/0x20
+[15279.182634] stub_disconnect+0x6d/0x180 [usbip_host]
+[15279.182643] usb_unbind_device+0x27/0x60
+
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/usbip/stub_dev.c | 65 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 43 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c
+index c0d6ff1baa72..d094c96643d2 100644
+--- a/drivers/usb/usbip/stub_dev.c
++++ b/drivers/usb/usbip/stub_dev.c
+@@ -301,9 +301,17 @@ static int stub_probe(struct usb_device *udev)
+ const char *udev_busid = dev_name(&udev->dev);
+ struct bus_id_priv *busid_priv;
+ int rc = 0;
++ char save_status;
+
+ dev_dbg(&udev->dev, "Enter probe\n");
+
++ /* Not sure if this is our device. Allocate here to avoid
++ * calling alloc while holding busid_table lock.
++ */
++ sdev = stub_device_alloc(udev);
++ if (!sdev)
++ return -ENOMEM;
++
+ /* check we should claim or not by busid_table */
+ busid_priv = get_busid_priv(udev_busid);
+ if (!busid_priv || (busid_priv->status == STUB_BUSID_REMOV) ||
+@@ -318,14 +326,14 @@ static int stub_probe(struct usb_device *udev)
+ * See driver_probe_device() in driver/base/dd.c
+ */
+ rc = -ENODEV;
+- goto call_put_busid_priv;
++ goto sdev_free;
+ }
+
+ if (udev->descriptor.bDeviceClass == USB_CLASS_HUB) {
+ dev_dbg(&udev->dev, "%s is a usb hub device... skip!\n",
+ udev_busid);
+ rc = -ENODEV;
+- goto call_put_busid_priv;
++ goto sdev_free;
+ }
+
+ if (!strcmp(udev->bus->bus_name, "vhci_hcd")) {
+@@ -334,15 +342,9 @@ static int stub_probe(struct usb_device *udev)
+ udev_busid);
+
+ rc = -ENODEV;
+- goto call_put_busid_priv;
++ goto sdev_free;
+ }
+
+- /* ok, this is my device */
+- sdev = stub_device_alloc(udev);
+- if (!sdev) {
+- rc = -ENOMEM;
+- goto call_put_busid_priv;
+- }
+
+ dev_info(&udev->dev,
+ "usbip-host: register new device (bus %u dev %u)\n",
+@@ -352,9 +354,13 @@ static int stub_probe(struct usb_device *udev)
+
+ /* set private data to usb_device */
+ dev_set_drvdata(&udev->dev, sdev);
++
+ busid_priv->sdev = sdev;
+ busid_priv->udev = udev;
+
++ save_status = busid_priv->status;
++ busid_priv->status = STUB_BUSID_ALLOC;
++
+ /*
+ * Claim this hub port.
+ * It doesn't matter what value we pass as owner
+@@ -367,15 +373,16 @@ static int stub_probe(struct usb_device *udev)
+ goto err_port;
+ }
+
++ /* release the busid_lock */
++ put_busid_priv(busid_priv);
++
+ rc = stub_add_files(&udev->dev);
+ if (rc) {
+ dev_err(&udev->dev, "stub_add_files for %s\n", udev_busid);
+ goto err_files;
+ }
+- busid_priv->status = STUB_BUSID_ALLOC;
+
+- rc = 0;
+- goto call_put_busid_priv;
++ return 0;
+
+ err_files:
+ usb_hub_release_port(udev->parent, udev->portnum,
+@@ -384,23 +391,24 @@ static int stub_probe(struct usb_device *udev)
+ dev_set_drvdata(&udev->dev, NULL);
+ usb_put_dev(udev);
+
++ /* we already have busid_priv, just lock busid_lock */
++ spin_lock(&busid_priv->busid_lock);
+ busid_priv->sdev = NULL;
++ busid_priv->status = save_status;
++sdev_free:
+ stub_device_free(sdev);
+-
+-call_put_busid_priv:
++ /* release the busid_lock */
+ put_busid_priv(busid_priv);
++
+ return rc;
+ }
+
+ static void shutdown_busid(struct bus_id_priv *busid_priv)
+ {
+- if (busid_priv->sdev && !busid_priv->shutdown_busid) {
+- busid_priv->shutdown_busid = 1;
+- usbip_event_add(&busid_priv->sdev->ud, SDEV_EVENT_REMOVED);
++ usbip_event_add(&busid_priv->sdev->ud, SDEV_EVENT_REMOVED);
+
+- /* wait for the stop of the event handler */
+- usbip_stop_eh(&busid_priv->sdev->ud);
+- }
++ /* wait for the stop of the event handler */
++ usbip_stop_eh(&busid_priv->sdev->ud);
+ }
+
+ /*
+@@ -432,6 +440,9 @@ static void stub_disconnect(struct usb_device *udev)
+
+ dev_set_drvdata(&udev->dev, NULL);
+
++ /* release busid_lock before call to remove device files */
++ put_busid_priv(busid_priv);
++
+ /*
+ * NOTE: rx/tx threads are invoked for each usb_device.
+ */
+@@ -442,18 +453,27 @@ static void stub_disconnect(struct usb_device *udev)
+ (struct usb_dev_state *) udev);
+ if (rc) {
+ dev_dbg(&udev->dev, "unable to release port\n");
+- goto call_put_busid_priv;
++ return;
+ }
+
+ /* If usb reset is called from event handler */
+ if (usbip_in_eh(current))
+- goto call_put_busid_priv;
++ return;
++
++ /* we already have busid_priv, just lock busid_lock */
++ spin_lock(&busid_priv->busid_lock);
++ if (!busid_priv->shutdown_busid)
++ busid_priv->shutdown_busid = 1;
++ /* release busid_lock */
++ put_busid_priv(busid_priv);
+
+ /* shutdown the current connection */
+ shutdown_busid(busid_priv);
+
+ usb_put_dev(sdev->udev);
+
++ /* we already have busid_priv, just lock busid_lock */
++ spin_lock(&busid_priv->busid_lock);
+ /* free sdev */
+ busid_priv->sdev = NULL;
+ stub_device_free(sdev);
+@@ -462,6 +482,7 @@ static void stub_disconnect(struct usb_device *udev)
+ busid_priv->status = STUB_BUSID_ADDED;
+
+ call_put_busid_priv:
++ /* release busid_lock */
+ put_busid_priv(busid_priv);
+ }
+
+--
+2.16.4
+
diff --git a/patches.drivers/usbip-usbip_host-fix-stub_dev-lock-context-imbalance.patch b/patches.drivers/usbip-usbip_host-fix-stub_dev-lock-context-imbalance.patch
new file mode 100644
index 0000000000..89a3ca770d
--- /dev/null
+++ b/patches.drivers/usbip-usbip_host-fix-stub_dev-lock-context-imbalance.patch
@@ -0,0 +1,159 @@
+From 3ea3091f1bd8586125848c62be295910e9802af0 Mon Sep 17 00:00:00 2001
+From: Shuah Khan <skhan@linuxfoundation.org>
+Date: Wed, 29 May 2019 13:46:15 -0600
+Subject: [PATCH] usbip: usbip_host: fix stub_dev lock context imbalance regression
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 3ea3091f1bd8586125848c62be295910e9802af0
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+Fix the following sparse context imbalance regression introduced in
+a patch that fixed sleeping function called from invalid context bug.
+
+kbuild test robot reported on:
+
+Tree/branch: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-linus
+
+Regressions in current branch:
+
+drivers/usb/usbip/stub_dev.c:399:9: sparse: sparse: context imbalance in 'stub_probe' - different lock contexts for basic block
+drivers/usb/usbip/stub_dev.c:418:13: sparse: sparse: context imbalance in 'stub_disconnect' - different lock contexts for basic block
+drivers/usb/usbip/stub_dev.c:464:1-10: second lock on line 476
+
+Error ids grouped by kconfigs:
+
+recent_errors
+├── i386-allmodconfig
+│ └── drivers-usb-usbip-stub_dev.c:second-lock-on-line
+├── x86_64-allmodconfig
+│ ├── drivers-usb-usbip-stub_dev.c:sparse:sparse:context-imbalance-in-stub_disconnect-different-lock-contexts-for-basic-block
+│ └── drivers-usb-usbip-stub_dev.c:sparse:sparse:context-imbalance-in-stub_probe-different-lock-contexts-for-basic-block
+└── x86_64-allyesconfig
+ └── drivers-usb-usbip-stub_dev.c:second-lock-on-line
+
+This is a real problem in an error leg where spin_lock() is called on an
+already held lock.
+
+Fix the imbalance in stub_probe() and stub_disconnect().
+
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Fixes: 0c9e8b3cad65 ("usbip: usbip_host: fix BUG: sleeping function called from invalid context")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/usbip/stub_dev.c | 36 +++++++++++++++++++++++-------------
+ 1 file changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c
+index d094c96643d2..7931e6cecc70 100644
+--- a/drivers/usb/usbip/stub_dev.c
++++ b/drivers/usb/usbip/stub_dev.c
+@@ -326,14 +326,17 @@ static int stub_probe(struct usb_device *udev)
+ * See driver_probe_device() in driver/base/dd.c
+ */
+ rc = -ENODEV;
+- goto sdev_free;
++ if (!busid_priv)
++ goto sdev_free;
++
++ goto call_put_busid_priv;
+ }
+
+ if (udev->descriptor.bDeviceClass == USB_CLASS_HUB) {
+ dev_dbg(&udev->dev, "%s is a usb hub device... skip!\n",
+ udev_busid);
+ rc = -ENODEV;
+- goto sdev_free;
++ goto call_put_busid_priv;
+ }
+
+ if (!strcmp(udev->bus->bus_name, "vhci_hcd")) {
+@@ -342,7 +345,7 @@ static int stub_probe(struct usb_device *udev)
+ udev_busid);
+
+ rc = -ENODEV;
+- goto sdev_free;
++ goto call_put_busid_priv;
+ }
+
+
+@@ -361,6 +364,9 @@ static int stub_probe(struct usb_device *udev)
+ save_status = busid_priv->status;
+ busid_priv->status = STUB_BUSID_ALLOC;
+
++ /* release the busid_lock */
++ put_busid_priv(busid_priv);
++
+ /*
+ * Claim this hub port.
+ * It doesn't matter what value we pass as owner
+@@ -373,9 +379,6 @@ static int stub_probe(struct usb_device *udev)
+ goto err_port;
+ }
+
+- /* release the busid_lock */
+- put_busid_priv(busid_priv);
+-
+ rc = stub_add_files(&udev->dev);
+ if (rc) {
+ dev_err(&udev->dev, "stub_add_files for %s\n", udev_busid);
+@@ -395,11 +398,17 @@ static int stub_probe(struct usb_device *udev)
+ spin_lock(&busid_priv->busid_lock);
+ busid_priv->sdev = NULL;
+ busid_priv->status = save_status;
+-sdev_free:
+- stub_device_free(sdev);
++ spin_unlock(&busid_priv->busid_lock);
++ /* lock is released - go to free */
++ goto sdev_free;
++
++call_put_busid_priv:
+ /* release the busid_lock */
+ put_busid_priv(busid_priv);
+
++sdev_free:
++ stub_device_free(sdev);
++
+ return rc;
+ }
+
+@@ -435,7 +444,9 @@ static void stub_disconnect(struct usb_device *udev)
+ /* get stub_device */
+ if (!sdev) {
+ dev_err(&udev->dev, "could not get device");
+- goto call_put_busid_priv;
++ /* release busid_lock */
++ put_busid_priv(busid_priv);
++ return;
+ }
+
+ dev_set_drvdata(&udev->dev, NULL);
+@@ -465,7 +476,7 @@ static void stub_disconnect(struct usb_device *udev)
+ if (!busid_priv->shutdown_busid)
+ busid_priv->shutdown_busid = 1;
+ /* release busid_lock */
+- put_busid_priv(busid_priv);
++ spin_unlock(&busid_priv->busid_lock);
+
+ /* shutdown the current connection */
+ shutdown_busid(busid_priv);
+@@ -480,10 +491,9 @@ static void stub_disconnect(struct usb_device *udev)
+
+ if (busid_priv->status == STUB_BUSID_ALLOC)
+ busid_priv->status = STUB_BUSID_ADDED;
+-
+-call_put_busid_priv:
+ /* release busid_lock */
+- put_busid_priv(busid_priv);
++ spin_unlock(&busid_priv->busid_lock);
++ return;
+ }
+
+ #ifdef CONFIG_PM
+--
+2.16.4
+
diff --git a/patches.drivers/usbnet-fix-kernel-crash-after-disconnect.patch b/patches.drivers/usbnet-fix-kernel-crash-after-disconnect.patch
new file mode 100644
index 0000000000..50921f8451
--- /dev/null
+++ b/patches.drivers/usbnet-fix-kernel-crash-after-disconnect.patch
@@ -0,0 +1,98 @@
+From ad70411a978d1e6e97b1e341a7bde9a79af0c93d Mon Sep 17 00:00:00 2001
+From: Kloetzke Jan <Jan.Kloetzke@preh.de>
+Date: Tue, 21 May 2019 13:18:40 +0000
+Subject: [PATCH] usbnet: fix kernel crash after disconnect
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: ad70411a978d1e6e97b1e341a7bde9a79af0c93d
+Patch-mainline: v5.2-rc2
+References: bsc#1051510
+
+When disconnecting cdc_ncm the kernel sporadically crashes shortly
+after the disconnect:
+
+ [ 57.868812] Unable to handle kernel NULL pointer dereference at virtual address 00000000
+ ...
+ [ 58.006653] PC is at 0x0
+ [ 58.009202] LR is at call_timer_fn+0xec/0x1b4
+ [ 58.013567] pc : [<0000000000000000>] lr : [<ffffff80080f5130>] pstate: 00000145
+ [ 58.020976] sp : ffffff8008003da0
+ [ 58.024295] x29: ffffff8008003da0 x28: 0000000000000001
+ [ 58.029618] x27: 000000000000000a x26: 0000000000000100
+ [ 58.034941] x25: 0000000000000000 x24: ffffff8008003e68
+ [ 58.040263] x23: 0000000000000000 x22: 0000000000000000
+ [ 58.045587] x21: 0000000000000000 x20: ffffffc68fac1808
+ [ 58.050910] x19: 0000000000000100 x18: 0000000000000000
+ [ 58.056232] x17: 0000007f885aff8c x16: 0000007f883a9f10
+ [ 58.061556] x15: 0000000000000001 x14: 000000000000006e
+ [ 58.066878] x13: 0000000000000000 x12: 00000000000000ba
+ [ 58.072201] x11: ffffffc69ff1db30 x10: 0000000000000020
+ [ 58.077524] x9 : 8000100008001000 x8 : 0000000000000001
+ [ 58.082847] x7 : 0000000000000800 x6 : ffffff8008003e70
+ [ 58.088169] x5 : ffffffc69ff17a28 x4 : 00000000ffff138b
+ [ 58.093492] x3 : 0000000000000000 x2 : 0000000000000000
+ [ 58.098814] x1 : 0000000000000000 x0 : 0000000000000000
+ ...
+ [ 58.205800] [< (null)>] (null)
+ [ 58.210521] [<ffffff80080f5298>] expire_timers+0xa0/0x14c
+ [ 58.215937] [<ffffff80080f542c>] run_timer_softirq+0xe8/0x128
+ [ 58.221702] [<ffffff8008081120>] __do_softirq+0x298/0x348
+ [ 58.227118] [<ffffff80080a6304>] irq_exit+0x74/0xbc
+ [ 58.232009] [<ffffff80080e17dc>] __handle_domain_irq+0x78/0xac
+ [ 58.237857] [<ffffff8008080cf4>] gic_handle_irq+0x80/0xac
+ ...
+
+The crash happens roughly 125..130ms after the disconnect. This
+correlates with the 'delay' timer that is started on certain USB tx/rx
+errors in the URB completion handler.
+
+The problem is a race of usbnet_stop() with usbnet_start_xmit(). In
+usbnet_stop() we call usbnet_terminate_urbs() to cancel all URBs in
+flight. This only makes sense if no new URBs are submitted
+concurrently, though. But the usbnet_start_xmit() can run at the same
+time on another CPU which almost unconditionally submits an URB. The
+error callback of the new URB will then schedule the timer after it was
+already stopped.
+
+The fix adds a check if the tx queue is stopped after the tx list lock
+has been taken. This should reliably prevent the submission of new URBs
+while usbnet_terminate_urbs() does its job. The same thing is done on
+the rx side even though it might be safe due to other flags that are
+checked there.
+
+Signed-off-by: Jan Klötzke <Jan.Kloetzke@preh.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/usb/usbnet.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 504282af27e5..921cc0571bd0 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -506,6 +506,7 @@ static int rx_submit (struct usbnet *dev, struct urb *urb, gfp_t flags)
+
+ if (netif_running (dev->net) &&
+ netif_device_present (dev->net) &&
++ test_bit(EVENT_DEV_OPEN, &dev->flags) &&
+ !test_bit (EVENT_RX_HALT, &dev->flags) &&
+ !test_bit (EVENT_DEV_ASLEEP, &dev->flags)) {
+ switch (retval = usb_submit_urb (urb, GFP_ATOMIC)) {
+@@ -1431,6 +1432,11 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb,
+ spin_unlock_irqrestore(&dev->txq.lock, flags);
+ goto drop;
+ }
++ if (netif_queue_stopped(net)) {
++ usb_autopm_put_interface_async(dev->intf);
++ spin_unlock_irqrestore(&dev->txq.lock, flags);
++ goto drop;
++ }
+
+ #ifdef CONFIG_PM
+ /* if this triggers the device is still a sleep */
+--
+2.16.4
+
diff --git a/patches.drivers/w1-fix-the-resume-command-API.patch b/patches.drivers/w1-fix-the-resume-command-API.patch
new file mode 100644
index 0000000000..c8173be815
--- /dev/null
+++ b/patches.drivers/w1-fix-the-resume-command-API.patch
@@ -0,0 +1,53 @@
+From 62909da8aca048ecf9fbd7e484e5100608f40a63 Mon Sep 17 00:00:00 2001
+From: Mariusz Bialonczyk <manio@skyboo.net>
+Date: Thu, 21 Mar 2019 11:52:55 +0100
+Subject: [PATCH] w1: fix the resume command API
+Git-commit: 62909da8aca048ecf9fbd7e484e5100608f40a63
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+>From the DS2408 datasheet [1]:
+"Resume Command function checks the status of the RC flag and, if it is set,
+ directly transfers control to the control functions, similar to a Skip ROM
+ command. The only way to set the RC flag is through successfully executing
+ the Match ROM, Search ROM, Conditional Search ROM, or Overdrive-Match ROM
+ command"
+
+The function currently works perfectly fine in a multidrop bus, but when we
+have only a single slave connected, then only a Skip ROM is used and Match
+ROM is not called at all. This is leading to problems e.g. with single one
+DS2408 connected, as the Resume Command is not working properly and the
+device is responding with failing results after the Resume Command.
+
+This commit is fixing this by using a Skip ROM instead in those cases.
+The bandwidth / performance advantage is exactly the same.
+
+Refs:
+[1] https://datasheets.maximintegrated.com/en/ds/DS2408.pdf
+
+Signed-off-by: Mariusz Bialonczyk <manio@skyboo.net>
+Reviewed-by: Jean-Francois Dagenais <jeff.dagenais@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/w1/w1_io.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/w1/w1_io.c b/drivers/w1/w1_io.c
+index 0364d3329c52..3516ce6718d9 100644
+--- a/drivers/w1/w1_io.c
++++ b/drivers/w1/w1_io.c
+@@ -432,8 +432,7 @@ int w1_reset_resume_command(struct w1_master *dev)
+ if (w1_reset_bus(dev))
+ return -1;
+
+- /* This will make only the last matched slave perform a skip ROM. */
+- w1_write_8(dev, W1_RESUME_CMD);
++ w1_write_8(dev, dev->slave_count > 1 ? W1_RESUME_CMD : W1_SKIP_ROM);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(w1_reset_resume_command);
+--
+2.16.4
+
diff --git a/patches.drivers/wil6210-fix-return-code-of-wmi_mgmt_tx-and-wmi_mgmt_.patch b/patches.drivers/wil6210-fix-return-code-of-wmi_mgmt_tx-and-wmi_mgmt_.patch
new file mode 100644
index 0000000000..4cbc97510d
--- /dev/null
+++ b/patches.drivers/wil6210-fix-return-code-of-wmi_mgmt_tx-and-wmi_mgmt_.patch
@@ -0,0 +1,73 @@
+From 49122ec42634f73babb1dc96f170023e5228d080 Mon Sep 17 00:00:00 2001
+From: Lior David <liord@codeaurora.org>
+Date: Thu, 28 Feb 2019 11:35:01 +0200
+Subject: [PATCH] wil6210: fix return code of wmi_mgmt_tx and wmi_mgmt_tx_ext
+Git-commit: 49122ec42634f73babb1dc96f170023e5228d080
+Patch-mainline: v5.2-rc1
+References: bsc#1111666
+
+The functions that send management TX frame have 3 possible
+Results: success and other side acknowledged receive (ACK=1),
+success and other side did not acknowledge receive(ACK=0) and
+failure to send the frame. The current implementation
+incorrectly reports the ACK=0 case as failure.
+
+Signed-off-by: Lior David <liord@codeaurora.org>
+Signed-off-by: Maya Erez <merez@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/wireless/ath/wil6210/cfg80211.c | 5 +++++
+ drivers/net/wireless/ath/wil6210/wmi.c | 11 ++++++-----
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wil6210/cfg80211.c b/drivers/net/wireless/ath/wil6210/cfg80211.c
+index e8d65ddb1b0a..218296e319b9 100644
+--- a/drivers/net/wireless/ath/wil6210/cfg80211.c
++++ b/drivers/net/wireless/ath/wil6210/cfg80211.c
+@@ -1274,7 +1274,12 @@ int wil_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
+ params->wait);
+
+ out:
++ /* when the sent packet was not acked by receiver(ACK=0), rc will
++ * be -EAGAIN. In this case this function needs to return success,
++ * the ACK=0 will be reflected in tx_status.
++ */
+ tx_status = (rc == 0);
++ rc = (rc == -EAGAIN) ? 0 : rc;
+ cfg80211_mgmt_tx_status(wdev, cookie ? *cookie : 0, buf, len,
+ tx_status, GFP_KERNEL);
+
+diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c
+index c5bcb8da07c1..d89cd41e78ac 100644
+--- a/drivers/net/wireless/ath/wil6210/wmi.c
++++ b/drivers/net/wireless/ath/wil6210/wmi.c
+@@ -3511,8 +3511,9 @@ int wmi_mgmt_tx(struct wil6210_vif *vif, const u8 *buf, size_t len)
+ rc = wmi_call(wil, WMI_SW_TX_REQ_CMDID, vif->mid, cmd, total,
+ WMI_SW_TX_COMPLETE_EVENTID, &evt, sizeof(evt), 2000);
+ if (!rc && evt.evt.status != WMI_FW_STATUS_SUCCESS) {
+- wil_err(wil, "mgmt_tx failed with status %d\n", evt.evt.status);
+- rc = -EINVAL;
++ wil_dbg_wmi(wil, "mgmt_tx failed with status %d\n",
++ evt.evt.status);
++ rc = -EAGAIN;
+ }
+
+ kfree(cmd);
+@@ -3564,9 +3565,9 @@ int wmi_mgmt_tx_ext(struct wil6210_vif *vif, const u8 *buf, size_t len,
+ rc = wmi_call(wil, WMI_SW_TX_REQ_EXT_CMDID, vif->mid, cmd, total,
+ WMI_SW_TX_COMPLETE_EVENTID, &evt, sizeof(evt), 2000);
+ if (!rc && evt.evt.status != WMI_FW_STATUS_SUCCESS) {
+- wil_err(wil, "mgmt_tx_ext failed with status %d\n",
+- evt.evt.status);
+- rc = -EINVAL;
++ wil_dbg_wmi(wil, "mgmt_tx_ext failed with status %d\n",
++ evt.evt.status);
++ rc = -EAGAIN;
+ }
+
+ kfree(cmd);
+--
+2.16.4
+
diff --git a/patches.drivers/xhci-Convert-xhci_handshake-to-use-readl_poll_timeou.patch b/patches.drivers/xhci-Convert-xhci_handshake-to-use-readl_poll_timeou.patch
new file mode 100644
index 0000000000..afeb32b877
--- /dev/null
+++ b/patches.drivers/xhci-Convert-xhci_handshake-to-use-readl_poll_timeou.patch
@@ -0,0 +1,82 @@
+From f7fac17ca925faa03fc5eb854c081a24075f8bad Mon Sep 17 00:00:00 2001
+From: Andrey Smirnov <andrew.smirnov@gmail.com>
+Date: Wed, 22 May 2019 14:34:01 +0300
+Subject: [PATCH] xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()
+Git-commit: f7fac17ca925faa03fc5eb854c081a24075f8bad
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+Xhci_handshake() implements the algorithm already captured by
+readl_poll_timeout_atomic(). Convert the former to use the latter to
+avoid repetition.
+
+Turned out this patch also fixes a bug on the AMD Stoneyridge platform
+where usleep(1) sometimes takes over 10ms.
+This means a 5 second timeout can easily take over 15 seconds which will
+trigger the watchdog and reboot the system.
+
+[Add info about patch fixing a bug to commit message -Mathias]
+
+Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
+Tested-by: Raul E Rangel <rrangel@chromium.org>
+Reviewed-by: Raul E Rangel <rrangel@chromium.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/host/xhci.c | 22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index 048a675bbc52..20db378a6012 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -9,6 +9,7 @@
+ */
+
+ #include <linux/pci.h>
++#include <linux/iopoll.h>
+ #include <linux/irq.h>
+ #include <linux/log2.h>
+ #include <linux/module.h>
+@@ -52,7 +53,6 @@ static bool td_on_ring(struct xhci_td *td, struct xhci_ring *ring)
+ return false;
+ }
+
+-/* TODO: copied from ehci-hcd.c - can this be refactored? */
+ /*
+ * xhci_handshake - spin reading hc until handshake completes or fails
+ * @ptr: address of hc register to be read
+@@ -69,18 +69,16 @@ static bool td_on_ring(struct xhci_td *td, struct xhci_ring *ring)
+ int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, int usec)
+ {
+ u32 result;
++ int ret;
+
+- do {
+- result = readl(ptr);
+- if (result == ~(u32)0) /* card removed */
+- return -ENODEV;
+- result &= mask;
+- if (result == done)
+- return 0;
+- udelay(1);
+- usec--;
+- } while (usec > 0);
+- return -ETIMEDOUT;
++ ret = readl_poll_timeout_atomic(ptr, result,
++ (result & mask) == done ||
++ result == U32_MAX,
++ 1, usec);
++ if (result == U32_MAX) /* card removed */
++ return -ENODEV;
++
++ return ret;
+ }
+
+ /*
+--
+2.16.4
+
diff --git a/patches.drivers/xhci-Use-zu-for-printing-size_t-type.patch b/patches.drivers/xhci-Use-zu-for-printing-size_t-type.patch
new file mode 100644
index 0000000000..509e833b9b
--- /dev/null
+++ b/patches.drivers/xhci-Use-zu-for-printing-size_t-type.patch
@@ -0,0 +1,52 @@
+From c1a145a3ed9a40f3b6145feb97789e8eb49c5566 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Wed, 22 May 2019 10:35:29 -0300
+Subject: [PATCH] xhci: Use %zu for printing size_t type
+Git-commit: c1a145a3ed9a40f3b6145feb97789e8eb49c5566
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+Commit 597c56e372da ("xhci: update bounce buffer with correct sg num")
+caused the following build warnings:
+
+drivers/usb/host/xhci-ring.c:676:19: warning: format '%ld' expects argument of type 'long int', but argument 3 has type 'size_t {aka unsigned int}' [-Wformat=]
+
+Use %zu for printing size_t type in order to fix the warnings.
+
+Fixes: 597c56e372da ("xhci: update bounce buffer with correct sg num")
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/host/xhci-ring.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index 88392aa65722..feffceb31e8a 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -673,7 +673,7 @@ static void xhci_unmap_td_bounce_buffer(struct xhci_hcd *xhci,
+ len = sg_pcopy_from_buffer(urb->sg, urb->num_sgs, seg->bounce_buf,
+ seg->bounce_len, seg->bounce_offs);
+ if (len != seg->bounce_len)
+- xhci_warn(xhci, "WARN Wrong bounce buffer read length: %ld != %d\n",
++ xhci_warn(xhci, "WARN Wrong bounce buffer read length: %zu != %d\n",
+ len, seg->bounce_len);
+ seg->bounce_len = 0;
+ seg->bounce_offs = 0;
+@@ -3166,7 +3166,7 @@ static int xhci_align_td(struct xhci_hcd *xhci, struct urb *urb, u32 enqd_len,
+ seg->bounce_buf, new_buff_len, enqd_len);
+ if (len != seg->bounce_len)
+ xhci_warn(xhci,
+- "WARN Wrong bounce buffer write length: %ld != %d\n",
++ "WARN Wrong bounce buffer write length: %zu != %d\n",
+ len, seg->bounce_len);
+ seg->bounce_dma = dma_map_single(dev, seg->bounce_buf,
+ max_pkt, DMA_TO_DEVICE);
+--
+2.16.4
+
diff --git a/patches.drivers/xhci-update-bounce-buffer-with-correct-sg-num.patch b/patches.drivers/xhci-update-bounce-buffer-with-correct-sg-num.patch
new file mode 100644
index 0000000000..9b14f7fa4d
--- /dev/null
+++ b/patches.drivers/xhci-update-bounce-buffer-with-correct-sg-num.patch
@@ -0,0 +1,87 @@
+From 597c56e372dab2c7f79b8d700aad3a5deebf9d1b Mon Sep 17 00:00:00 2001
+From: Henry Lin <henryl@nvidia.com>
+Date: Wed, 22 May 2019 14:33:57 +0300
+Subject: [PATCH] xhci: update bounce buffer with correct sg num
+Git-commit: 597c56e372dab2c7f79b8d700aad3a5deebf9d1b
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+This change fixes a data corruption issue occurred on USB hard disk for
+the case that bounce buffer is used during transferring data.
+
+While updating data between sg list and bounce buffer, current
+implementation passes mapped sg number (urb->num_mapped_sgs) to
+sg_pcopy_from_buffer() and sg_pcopy_to_buffer(). This causes data
+not get copied if target buffer is located in the elements after
+mapped sg elements. This change passes sg number for full list to
+fix issue.
+
+Besides, for copying data from bounce buffer, calling dma_unmap_single()
+on the bounce buffer before copying data to sg list can avoid cache issue.
+
+Fixes: f9c589e142d0 ("xhci: TD-fragment, align the unsplittable case with a bounce buffer")
+Cc: <stable@vger.kernel.org> # v4.8+
+Signed-off-by: Henry Lin <henryl@nvidia.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/host/xhci-ring.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index fed3385aeac0..ef7c8698772e 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -656,6 +656,7 @@ static void xhci_unmap_td_bounce_buffer(struct xhci_hcd *xhci,
+ struct device *dev = xhci_to_hcd(xhci)->self.controller;
+ struct xhci_segment *seg = td->bounce_seg;
+ struct urb *urb = td->urb;
++ size_t len;
+
+ if (!ring || !seg || !urb)
+ return;
+@@ -666,11 +667,14 @@ static void xhci_unmap_td_bounce_buffer(struct xhci_hcd *xhci,
+ return;
+ }
+
+- /* for in tranfers we need to copy the data from bounce to sg */
+- sg_pcopy_from_buffer(urb->sg, urb->num_mapped_sgs, seg->bounce_buf,
+- seg->bounce_len, seg->bounce_offs);
+ dma_unmap_single(dev, seg->bounce_dma, ring->bounce_buf_len,
+ DMA_FROM_DEVICE);
++ /* for in tranfers we need to copy the data from bounce to sg */
++ len = sg_pcopy_from_buffer(urb->sg, urb->num_sgs, seg->bounce_buf,
++ seg->bounce_len, seg->bounce_offs);
++ if (len != seg->bounce_len)
++ xhci_warn(xhci, "WARN Wrong bounce buffer read length: %ld != %d\n",
++ len, seg->bounce_len);
+ seg->bounce_len = 0;
+ seg->bounce_offs = 0;
+ }
+@@ -3127,6 +3131,7 @@ static int xhci_align_td(struct xhci_hcd *xhci, struct urb *urb, u32 enqd_len,
+ unsigned int unalign;
+ unsigned int max_pkt;
+ u32 new_buff_len;
++ size_t len;
+
+ max_pkt = usb_endpoint_maxp(&urb->ep->desc);
+ unalign = (enqd_len + *trb_buff_len) % max_pkt;
+@@ -3157,8 +3162,12 @@ static int xhci_align_td(struct xhci_hcd *xhci, struct urb *urb, u32 enqd_len,
+
+ /* create a max max_pkt sized bounce buffer pointed to by last trb */
+ if (usb_urb_dir_out(urb)) {
+- sg_pcopy_to_buffer(urb->sg, urb->num_mapped_sgs,
++ len = sg_pcopy_to_buffer(urb->sg, urb->num_sgs,
+ seg->bounce_buf, new_buff_len, enqd_len);
++ if (len != seg->bounce_len)
++ xhci_warn(xhci,
++ "WARN Wrong bounce buffer write length: %ld != %d\n",
++ len, seg->bounce_len);
+ seg->bounce_dma = dma_map_single(dev, seg->bounce_buf,
+ max_pkt, DMA_TO_DEVICE);
+ } else {
+--
+2.16.4
+
diff --git a/patches.drm/drm-Wake-up-next-in-drm_read-chain-if-we-are-forced-.patch b/patches.drm/drm-Wake-up-next-in-drm_read-chain-if-we-are-forced-.patch
new file mode 100644
index 0000000000..b657942157
--- /dev/null
+++ b/patches.drm/drm-Wake-up-next-in-drm_read-chain-if-we-are-forced-.patch
@@ -0,0 +1,44 @@
+From 60b801999c48b6c1dd04e653a38e2e613664264e Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Fri, 4 Aug 2017 09:23:28 +0100
+Subject: [PATCH] drm: Wake up next in drm_read() chain if we are forced to putback the event
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 60b801999c48b6c1dd04e653a38e2e613664264e
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+After an event is sent, we try to copy it into the user buffer of the
+first waiter in drm_read() and if the user buffer doesn't have enough
+room we put it back onto the list. However, we didn't wake up any
+subsequent waiter, so that event may sit on the list until either a new
+vblank event is sent or a new waiter appears. Rare, but in the worst
+case may lead to a stuck process.
+
+Testcase: igt/drm_read/short-buffer-wakeup
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20170804082328.17173-1-chris@chris-wilson.co.uk
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/drm_file.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c
+index ee4df8f8a62d..f782d3103d29 100644
+--- a/drivers/gpu/drm/drm_file.c
++++ b/drivers/gpu/drm/drm_file.c
+@@ -567,6 +567,7 @@ ssize_t drm_read(struct file *filp, char __user *buffer,
+ file_priv->event_space -= length;
+ list_add(&e->link, &file_priv->event_list);
+ spin_unlock_irq(&dev->event_lock);
++ wake_up_interruptible(&file_priv->event_wait);
+ break;
+ }
+
+--
+2.16.4
+
diff --git a/patches.drm/drm-amdgpu-fix-old-fence-check-in-amdgpu_fence_emit.patch b/patches.drm/drm-amdgpu-fix-old-fence-check-in-amdgpu_fence_emit.patch
new file mode 100644
index 0000000000..fab447c7a3
--- /dev/null
+++ b/patches.drm/drm-amdgpu-fix-old-fence-check-in-amdgpu_fence_emit.patch
@@ -0,0 +1,67 @@
+From 3d2aca8c8620346abdba96c6300d2c0b90a1d0cc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
+Date: Fri, 29 Mar 2019 19:30:23 +0100
+Subject: [PATCH] drm/amdgpu: fix old fence check in amdgpu_fence_emit
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 3d2aca8c8620346abdba96c6300d2c0b90a1d0cc
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+We don't hold a reference to the old fence, so it can go away
+any time we are waiting for it to signal.
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Chunming Zhou <david1.zhou@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
+@@ -135,8 +135,9 @@ int amdgpu_fence_emit(struct amdgpu_ring
+ {
+ struct amdgpu_device *adev = ring->adev;
+ struct amdgpu_fence *fence;
+- struct dma_fence *old, **ptr;
++ struct dma_fence __rcu **ptr;
+ uint32_t seq;
++ int r;
+
+ fence = kmem_cache_alloc(amdgpu_fence_slab, GFP_KERNEL);
+ if (fence == NULL)
+@@ -152,15 +153,24 @@ int amdgpu_fence_emit(struct amdgpu_ring
+ seq, flags | AMDGPU_FENCE_FLAG_INT);
+
+ ptr = &ring->fence_drv.fences[seq & ring->fence_drv.num_fences_mask];
++ if (unlikely(rcu_dereference_protected(*ptr, 1))) {
++ struct dma_fence *old;
++
++ rcu_read_lock();
++ old = dma_fence_get_rcu_safe(ptr);
++ rcu_read_unlock();
++
++ if (old) {
++ r = dma_fence_wait(old, false);
++ dma_fence_put(old);
++ if (r)
++ return r;
++ }
++ }
++
+ /* This function can't be called concurrently anyway, otherwise
+ * emitting the fence would mess up the hardware ring buffer.
+ */
+- old = rcu_dereference_protected(*ptr, 1);
+- if (old && !dma_fence_is_signaled(old)) {
+- DRM_INFO("rcu slot is busy\n");
+- dma_fence_wait(old, false);
+- }
+-
+ rcu_assign_pointer(*ptr, dma_fence_get(&fence->base));
+
+ *f = &fence->base;
diff --git a/patches.drm/drm-drv-Hold-ref-on-parent-device-during-drm_device-.patch b/patches.drm/drm-drv-Hold-ref-on-parent-device-during-drm_device-.patch
new file mode 100644
index 0000000000..0f437ca801
--- /dev/null
+++ b/patches.drm/drm-drv-Hold-ref-on-parent-device-during-drm_device-.patch
@@ -0,0 +1,51 @@
+From 56be6503aab2bc3a30beae408071b9be5e1bae51 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= <noralf@tronnes.org>
+Date: Mon, 25 Feb 2019 15:42:26 +0100
+Subject: [PATCH] drm/drv: Hold ref on parent device during drm_device lifetime
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 56be6503aab2bc3a30beae408071b9be5e1bae51
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+This makes it safe to access drm_device->dev after the parent device has
+been removed/unplugged.
+
+Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
+Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190225144232.20761-2-noralf@tronnes.org
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/drm_drv.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_drv.c
++++ b/drivers/gpu/drm/drm_drv.c
+@@ -503,7 +503,7 @@ int drm_dev_init(struct drm_device *dev,
+ }
+
+ kref_init(&dev->ref);
+- dev->dev = parent;
++ dev->dev = get_device(parent);
+ dev->driver = driver;
+
+ INIT_LIST_HEAD(&dev->filelist);
+@@ -572,6 +572,7 @@ err_minors:
+ drm_minor_free(dev, DRM_MINOR_RENDER);
+ drm_fs_inode_free(dev->anon_inode);
+ err_free:
++ put_device(dev->dev);
+ mutex_destroy(&dev->master_mutex);
+ mutex_destroy(&dev->ctxlist_mutex);
+ mutex_destroy(&dev->clientlist_mutex);
+@@ -607,6 +608,8 @@ void drm_dev_fini(struct drm_device *dev
+ drm_minor_free(dev, DRM_MINOR_PRIMARY);
+ drm_minor_free(dev, DRM_MINOR_RENDER);
+
++ put_device(dev->dev);
++
+ mutex_destroy(&dev->master_mutex);
+ mutex_destroy(&dev->ctxlist_mutex);
+ mutex_destroy(&dev->clientlist_mutex);
diff --git a/patches.drm/drm_dp_cec-add-note-about-good-MegaChips-2900-CEC-su.patch b/patches.drm/drm_dp_cec-add-note-about-good-MegaChips-2900-CEC-su.patch
new file mode 100644
index 0000000000..a4d1019c8f
--- /dev/null
+++ b/patches.drm/drm_dp_cec-add-note-about-good-MegaChips-2900-CEC-su.patch
@@ -0,0 +1,43 @@
+From 9bcf6d9868ae95fc7e5eda3dae5200f234ea5623 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hans.verkuil@cisco.com>
+Date: Mon, 27 Aug 2018 09:58:17 +0200
+Subject: [PATCH] drm_dp_cec: add note about good MegaChips 2900 CEC support
+Git-commit: 9bcf6d9868ae95fc7e5eda3dae5200f234ea5623
+Patch-mainline: v4.20-rc1
+References: bsc#1136978
+
+A big problem with DP CEC-Tunneling-over-AUX is that it is tricky
+to find adapters with a chipset that supports this AND where the
+manufacturer actually connected the HDMI CEC line to the chipset.
+
+Add a mention of the MegaChips 2900 chipset which seems to support
+this feature well.
+
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180827075820.41109-3-hverkuil@xs4all.nl
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/drm_dp_cec.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_dp_cec.c b/drivers/gpu/drm/drm_dp_cec.c
+index 1407b13a8d5d..8a718f85079a 100644
+--- a/drivers/gpu/drm/drm_dp_cec.c
++++ b/drivers/gpu/drm/drm_dp_cec.c
+@@ -16,7 +16,9 @@
+ * here. Quite a few active (mini-)DP-to-HDMI or USB-C-to-HDMI adapters
+ * have a converter chip that supports CEC-Tunneling-over-AUX (usually the
+ * Parade PS176), but they do not wire up the CEC pin, thus making CEC
+- * useless.
++ * useless. Note that MegaChips 2900-based adapters appear to have good
++ * support for CEC tunneling. Those adapters that I have tested using
++ * this chipset all have the CEC line connected.
+ *
+ * Sadly there is no way for this driver to know this. What happens is
+ * that a /dev/cecX device is created that is isolated and unable to see
+--
+2.16.4
+
diff --git a/patches.drm/drm_dp_cec-check-that-aux-has-a-transfer-function.patch b/patches.drm/drm_dp_cec-check-that-aux-has-a-transfer-function.patch
new file mode 100644
index 0000000000..4231d8b5d3
--- /dev/null
+++ b/patches.drm/drm_dp_cec-check-that-aux-has-a-transfer-function.patch
@@ -0,0 +1,78 @@
+From 5ce70c799ac22c142061c71aaeae518f04283472 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hans.verkuil@cisco.com>
+Date: Mon, 27 Aug 2018 09:58:16 +0200
+Subject: [PATCH] drm_dp_cec: check that aux has a transfer function
+Git-commit: 5ce70c799ac22c142061c71aaeae518f04283472
+Patch-mainline: v4.20-rc1
+References: bsc#1136978
+
+If aux->transfer == NULL, then just return without doing
+anything. In that case the function is likely called for
+a non-(e)DP connector.
+
+This never happened for the i915 driver, but the nouveau and amdgpu
+drivers need this check.
+
+The alternative would be to add this check in those drivers before
+every drm_dp_cec call, but it makes sense to check it in the
+drm_dp_cec functions to prevent a kernel oops.
+
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180827075820.41109-2-hverkuil@xs4all.nl
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/drm_dp_cec.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_dp_cec.c b/drivers/gpu/drm/drm_dp_cec.c
+index 988513346e9c..1407b13a8d5d 100644
+--- a/drivers/gpu/drm/drm_dp_cec.c
++++ b/drivers/gpu/drm/drm_dp_cec.c
+@@ -238,6 +238,10 @@ void drm_dp_cec_irq(struct drm_dp_aux *aux)
+ u8 cec_irq;
+ int ret;
+
++ /* No transfer function was set, so not a DP connector */
++ if (!aux->transfer)
++ return;
++
+ mutex_lock(&aux->cec.lock);
+ if (!aux->cec.adap)
+ goto unlock;
+@@ -293,6 +297,10 @@ void drm_dp_cec_set_edid(struct drm_dp_aux *aux, const struct edid *edid)
+ unsigned int num_las = 1;
+ u8 cap;
+
++ /* No transfer function was set, so not a DP connector */
++ if (!aux->transfer)
++ return;
++
+ #ifndef CONFIG_MEDIA_CEC_RC
+ /*
+ * CEC_CAP_RC is part of CEC_CAP_DEFAULTS, but it is stripped by
+@@ -361,6 +369,10 @@ EXPORT_SYMBOL(drm_dp_cec_set_edid);
+ */
+ void drm_dp_cec_unset_edid(struct drm_dp_aux *aux)
+ {
++ /* No transfer function was set, so not a DP connector */
++ if (!aux->transfer)
++ return;
++
+ cancel_delayed_work_sync(&aux->cec.unregister_work);
+
+ mutex_lock(&aux->cec.lock);
+@@ -404,6 +416,8 @@ void drm_dp_cec_register_connector(struct drm_dp_aux *aux, const char *name,
+ struct device *parent)
+ {
+ WARN_ON(aux->cec.adap);
++ if (WARN_ON(!aux->transfer))
++ return;
+ aux->cec.name = name;
+ aux->cec.parent = parent;
+ INIT_DELAYED_WORK(&aux->cec.unregister_work,
+--
+2.16.4
+
diff --git a/patches.fixes/0001-Documentation-Correct-the-possible-MDS-sysfs-values.patch b/patches.fixes/0001-Documentation-Correct-the-possible-MDS-sysfs-values.patch
new file mode 100644
index 0000000000..651b1923a9
--- /dev/null
+++ b/patches.fixes/0001-Documentation-Correct-the-possible-MDS-sysfs-values.patch
@@ -0,0 +1,67 @@
+From ea01668f9f43021b28b3f4d5ffad50106a1e1301 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon, 6 May 2019 23:52:58 +0000
+Subject: [PATCH] Documentation: Correct the possible MDS sysfs values
+Git-commit: ea01668f9f43021b28b3f4d5ffad50106a1e1301
+Patch-mainline: v5.2-rc1
+References: bsc#1135642
+
+Adjust the last two rows in the table that display possible values when
+MDS mitigation is enabled. They both were slightly innacurate.
+
+In addition, convert the table of possible values and their descriptions
+to a list-table. The simple table format uses the top border of equals
+signs to determine cell width which resulted in the first column being
+far too wide in comparison to the second column that contained the
+majority of the text.
+
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Fabian Baumanis <fabian.baumanis@suse.com>
+---
+ Documentation/admin-guide/hw-vuln/mds.rst | 29 +++++++++++++----------------
+ 1 file changed, 13 insertions(+), 16 deletions(-)
+
+diff --git a/Documentation/admin-guide/hw-vuln/mds.rst b/Documentation/admin-guide/hw-vuln/mds.rst
+index e0dccf414eca..e3a796c0d3a2 100644
+--- a/Documentation/admin-guide/hw-vuln/mds.rst
++++ b/Documentation/admin-guide/hw-vuln/mds.rst
+@@ -95,22 +95,19 @@ mitigations are active. The relevant sysfs file is:
+
+ The possible values in this file are:
+
+- ========================================= =================================
+- 'Not affected' The processor is not vulnerable
+-
+- 'Vulnerable' The processor is vulnerable,
+- but no mitigation enabled
+-
+- 'Vulnerable: Clear CPU buffers attempted' The processor is vulnerable but
+- microcode is not updated.
+- The mitigation is enabled on a
+- best effort basis.
+- See :ref:`vmwerv`
+-
+- 'Mitigation: CPU buffer clear' The processor is vulnerable and the
+- CPU buffer clearing mitigation is
+- enabled.
+- ========================================= =================================
++ .. list-table::
++
++ * - 'Not affected'
++ - The processor is not vulnerable
++ * - 'Vulnerable'
++ - The processor is vulnerable, but no mitigation enabled
++ * - 'Vulnerable: Clear CPU buffers attempted, no microcode'
++ - The processor is vulnerable but microcode is not updated.
++
++ The mitigation is enabled on a best effort basis. See :ref:`vmwerv`
++ * - 'Mitigation: Clear CPU buffers'
++ - The processor is vulnerable and the CPU buffer clearing mitigation is
++ enabled.
+
+ If the processor is vulnerable then the following information is appended
+ to the above information:
+--
+2.16.4
+
diff --git a/patches.fixes/0001-docs-Fix-conf.py-for-Sphinx-2.0.patch b/patches.fixes/0001-docs-Fix-conf.py-for-Sphinx-2.0.patch
new file mode 100644
index 0000000000..6e5f94cbf2
--- /dev/null
+++ b/patches.fixes/0001-docs-Fix-conf.py-for-Sphinx-2.0.patch
@@ -0,0 +1,29 @@
+From 3bc8088464712fdcb078eefb68837ccfcc413c88 Mon Sep 17 00:00:00 2001
+From: Jonathan Corbet <corbet@lwn.net>
+Date: Wed, 22 May 2019 14:30:45 -0600
+Subject: [PATCH] docs: Fix conf.py for Sphinx 2.0
+Git-commit: 3bc8088464712fdcb078eefb68837ccfcc413c88
+Patch-mainline: v5.2-rc3
+References: bsc#
+Our version check in Documentation/conf.py never envisioned a world where
+Sphinx moved beyond 1.x. Now that the unthinkable has happened, fix our
+version check to handle higher version numbers correctly.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Reviewed-by: Fabian Baumanis <fabian.baumanis@suse.com>
+---
+ Documentation/conf.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/conf.py
++++ b/Documentation/conf.py
+@@ -37,7 +37,7 @@ needs_sphinx = '1.2'
+ extensions = ['kerneldoc', 'rstFlatTable', 'kernel_include', 'cdomain', 'kfigure']
+
+ # The name of the math extension changed on Sphinx 1.4
+-if major == 1 and minor > 3:
++if (major == 1 and minor > 3) or (major > 1):
+ extensions.append("sphinx.ext.imgmath")
+ else:
+ extensions.append("sphinx.ext.pngmath")
diff --git a/patches.fixes/0001-test_firmware-Use-correct-snprintf-limit.patch b/patches.fixes/0001-test_firmware-Use-correct-snprintf-limit.patch
new file mode 100644
index 0000000000..e7d62c3438
--- /dev/null
+++ b/patches.fixes/0001-test_firmware-Use-correct-snprintf-limit.patch
@@ -0,0 +1,72 @@
+From bd17cc5a20ae9aaa3ed775f360b75ff93cd66a1d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 15 May 2019 12:33:22 +0300
+Subject: [PATCH] test_firmware: Use correct snprintf() limit
+Git-commit: bd17cc5a20ae9aaa3ed775f360b75ff93cd66a1d
+Patch-mainline: v5.2-rc4
+References: bsc#1135642
+
+The limit here is supposed to be how much of the page is left, but it's
+just using PAGE_SIZE as the limit.
+
+The other thing to remember is that snprintf() returns the number of
+bytes which would have been copied if we had had enough room. So that
+means that if we run out of space then this code would end up passing a
+negative value as the limit and the kernel would print an error message.
+I have change the code to use scnprintf() which returns the number of
+bytes that were successfully printed (not counting the NUL terminator).
+
+Fixes: c92316bf8e94 ("test_firmware: add batched firmware tests")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Fabian Baumanis <fabian.baumanis@suse.com>
+---
+ lib/test_firmware.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/lib/test_firmware.c b/lib/test_firmware.c
+index 7222093ee00b..b5487ed829d7 100644
+--- a/lib/test_firmware.c
++++ b/lib/test_firmware.c
+@@ -223,30 +223,30 @@ static ssize_t config_show(struct device *dev,
+
+ mutex_lock(&test_fw_mutex);
+
+- len += snprintf(buf, PAGE_SIZE,
++ len += scnprintf(buf, PAGE_SIZE - len,
+ "Custom trigger configuration for: %s\n",
+ dev_name(dev));
+
+ if (test_fw_config->name)
+- len += snprintf(buf+len, PAGE_SIZE,
++ len += scnprintf(buf+len, PAGE_SIZE - len,
+ "name:\t%s\n",
+ test_fw_config->name);
+ else
+- len += snprintf(buf+len, PAGE_SIZE,
++ len += scnprintf(buf+len, PAGE_SIZE - len,
+ "name:\tEMTPY\n");
+
+- len += snprintf(buf+len, PAGE_SIZE,
++ len += scnprintf(buf+len, PAGE_SIZE - len,
+ "num_requests:\t%u\n", test_fw_config->num_requests);
+
+- len += snprintf(buf+len, PAGE_SIZE,
++ len += scnprintf(buf+len, PAGE_SIZE - len,
+ "send_uevent:\t\t%s\n",
+ test_fw_config->send_uevent ?
+ "FW_ACTION_HOTPLUG" :
+ "FW_ACTION_NOHOTPLUG");
+- len += snprintf(buf+len, PAGE_SIZE,
++ len += scnprintf(buf+len, PAGE_SIZE - len,
+ "sync_direct:\t\t%s\n",
+ test_fw_config->sync_direct ? "true" : "false");
+- len += snprintf(buf+len, PAGE_SIZE,
++ len += scnprintf(buf+len, PAGE_SIZE - len,
+ "read_fw_idx:\t%u\n", test_fw_config->read_fw_idx);
+
+ mutex_unlock(&test_fw_mutex);
+--
+2.16.4
+
diff --git a/patches.fixes/0001-xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch b/patches.fixes/0001-xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
new file mode 100644
index 0000000000..6cc95d17f1
--- /dev/null
+++ b/patches.fixes/0001-xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
@@ -0,0 +1,56 @@
+Patch-mainline: v5.1-rc1
+Git-commit: 7681f31ec9cdacab4fd10570be924f2cef6669ba
+References: bsc#1065600
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Wed, 13 Feb 2019 18:21:31 -0500
+Subject: [PATCH] xen/pciback: Don't disable PCI_COMMAND on PCI device reset.
+
+There is no need for this at all. Worst it means that if
+the guest tries to write to BARs it could lead (on certain
+platforms) to PCI SERR errors.
+
+Please note that with af6fc858a35b90e89ea7a7ee58e66628c55c776b
+"xen-pciback: limit guest control of command register"
+a guest is still allowed to enable those control bits (safely), but
+is not allowed to disable them and that therefore a well behaved
+frontend which enables things before using them will still
+function correctly.
+
+This is done via an write to the configuration register 0x4 which
+triggers on the backend side:
+command_write
+ \- pci_enable_device
+ \- pci_enable_device_flags
+ \- do_pci_enable_device
+ \- pcibios_enable_device
+ \-pci_enable_resourcess
+ [which enables the PCI_COMMAND_MEMORY|PCI_COMMAND_IO]
+
+However guests (and drivers) which don't do this could cause
+problems, including the security issues which XSA-120 sought
+to address.
+
+Reported-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Prarit Bhargava <prarit@redhat.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+---
+ drivers/xen/xen-pciback/pciback_ops.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c
+index ea4a08b83fa0..787966f44589 100644
+--- a/drivers/xen/xen-pciback/pciback_ops.c
++++ b/drivers/xen/xen-pciback/pciback_ops.c
+@@ -127,8 +127,6 @@ void xen_pcibk_reset_device(struct pci_dev *dev)
+ if (pci_is_enabled(dev))
+ pci_disable_device(dev);
+
+- pci_write_config_word(dev, PCI_COMMAND, 0);
+-
+ dev->is_busmaster = 0;
+ } else {
+ pci_read_config_word(dev, PCI_COMMAND, &cmd);
+--
+2.16.4
+
diff --git a/patches.fixes/ACPI-property-fix-handling-of-data_nodes-in-acpi_get.patch b/patches.fixes/ACPI-property-fix-handling-of-data_nodes-in-acpi_get.patch
new file mode 100644
index 0000000000..8f3152a090
--- /dev/null
+++ b/patches.fixes/ACPI-property-fix-handling-of-data_nodes-in-acpi_get.patch
@@ -0,0 +1,52 @@
+From 23583f7795025e3c783b680d906509366b0906ad Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Date: Tue, 30 Apr 2019 10:52:29 -0500
+Subject: [PATCH] ACPI / property: fix handling of data_nodes in acpi_get_next_subnode()
+Git-commit: 23583f7795025e3c783b680d906509366b0906ad
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+When the DSDT tables expose devices with subdevices and a set of
+hierarchical _DSD properties, the data returned by
+acpi_get_next_subnode() is incorrect, with the results suggesting a bad
+pointer assignment. The parser works fine with device_nodes or
+data_nodes, but not with a combination of the two.
+
+The problem is traced to an invalid pointer used when jumping from
+handling device_nodes to data nodes. The existing code looks for data
+nodes below the last subdevice found instead of the common root. Fix
+by forcing the acpi_device pointer to be derived from the same fwnode
+for the two types of subnodes.
+
+This same problem of handling device and data nodes was already fixed
+in a similar way by 'commit bf4703fdd166 ("ACPI / property: fix data
+node parsing in acpi_get_next_subnode()")' but broken later by 'commit
+34055190b19 ("ACPI / property: Add fwnode_get_next_child_node()")', so
+this should probably go to linux-stable all the way to 4.12
+
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/property.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/acpi/property.c
++++ b/drivers/acpi/property.c
+@@ -930,6 +930,14 @@ struct fwnode_handle *acpi_get_next_subn
+ const struct acpi_data_node *data = to_acpi_data_node(fwnode);
+ struct acpi_data_node *dn;
+
++ /*
++ * We can have a combination of device and data nodes, e.g. with
++ * hierarchical _DSD properties. Make sure the adev pointer is
++ * restored before going through data nodes, otherwise we will
++ * be looking for data_nodes below the last device found instead
++ * of the common fwnode shared by device_nodes and data_nodes.
++ */
++ adev = to_acpi_device_node(fwnode);
+ if (adev)
+ head = &adev->data.subnodes;
+ else if (data)
diff --git a/patches.fixes/batman-adv-allow-updating-DAT-entry-timeouts-on-inco.patch b/patches.fixes/batman-adv-allow-updating-DAT-entry-timeouts-on-inco.patch
new file mode 100644
index 0000000000..6c3201f671
--- /dev/null
+++ b/patches.fixes/batman-adv-allow-updating-DAT-entry-timeouts-on-inco.patch
@@ -0,0 +1,62 @@
+From 099e6cc1582dc2903fecb898bbeae8f7cf4262c7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@c0d3.blue>
+Date: Thu, 14 Feb 2019 16:52:43 +0100
+Subject: [PATCH] batman-adv: allow updating DAT entry timeouts on incoming ARP Replies
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 099e6cc1582dc2903fecb898bbeae8f7cf4262c7
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Currently incoming ARP Replies, for example via a DHT-PUT message, do
+not update the timeout for an already existing DAT entry. These ARP
+Replies are dropped instead.
+
+This however defeats the purpose of the DHCPACK snooping, for instance.
+Right now, a DAT entry in the DHT will be purged every five minutes,
+likely leading to a mesh-wide ARP Request broadcast after this timeout.
+Which then recreates the entry. The idea of the DHCPACK snooping is to
+be able to update an entry before a timeout happens, to avoid ARP Request
+flooding.
+
+This patch fixes this issue by updating a DAT entry on incoming
+ARP Replies even if a matching DAT entry already exists. While still
+filtering the ARP Reply towards the soft-interface, to avoid duplicate
+messages on the client device side.
+
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/batman-adv/distributed-arp-table.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
+index 81fc63fc1936..b0af3a11d406 100644
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -1434,7 +1434,6 @@ bool batadv_dat_snoop_incoming_arp_reply(struct batadv_priv *bat_priv,
+ hw_src, &ip_src, hw_dst, &ip_dst,
+ dat_entry->mac_addr, &dat_entry->ip);
+ dropped = true;
+- goto out;
+ }
+
+ /* Update our internal cache with both the IP addresses the node got
+@@ -1443,6 +1442,9 @@ bool batadv_dat_snoop_incoming_arp_reply(struct batadv_priv *bat_priv,
+ batadv_dat_entry_add(bat_priv, ip_src, hw_src, vid);
+ batadv_dat_entry_add(bat_priv, ip_dst, hw_dst, vid);
+
++ if (dropped)
++ goto out;
++
+ /* If BLA is enabled, only forward ARP replies if we have claimed the
+ * source of the ARP reply or if no one else of the same backbone has
+ * already claimed that client. This prevents that different gateways
+--
+2.16.4
+
diff --git a/patches.fixes/efi-x86-Add-missing-error-handling-to-old_memmap-1-1.patch b/patches.fixes/efi-x86-Add-missing-error-handling-to-old_memmap-1-1.patch
new file mode 100644
index 0000000000..ed9eea5716
--- /dev/null
+++ b/patches.fixes/efi-x86-Add-missing-error-handling-to-old_memmap-1-1.patch
@@ -0,0 +1,91 @@
+From 4e78921ba4dd0aca1cc89168f45039add4183f8e Mon Sep 17 00:00:00 2001
+From: Gen Zhang <blackgod016574@gmail.com>
+Date: Sat, 25 May 2019 13:25:58 +0200
+Subject: [PATCH] efi/x86/Add missing error handling to old_memmap 1:1 mapping code
+Git-commit: 4e78921ba4dd0aca1cc89168f45039add4183f8e
+Patch-mainline: v5.2-rc3
+References: CVE-2019-12380,bsc#1136598
+
+The old_memmap flow in efi_call_phys_prolog() performs numerous memory
+allocations, and either does not check for failure at all, or it does
+but fails to propagate it back to the caller, which may end up calling
+into the firmware with an incomplete 1:1 mapping.
+
+So let's fix this by returning NULL from efi_call_phys_prolog() on
+memory allocation failures only, and by handling this condition in the
+caller. Also, clean up any half baked sets of page tables that we may
+have created before returning with a NULL return value.
+
+Note that any failure at this level will trigger a panic() two levels
+up, so none of this makes a huge difference, but it is a nice cleanup
+nonetheless.
+
+[ardb: update commit log, add efi_call_phys_epilog() call on error path]
+
+Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Rob Bradford <robert.bradford@intel.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20190525112559.7917-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/x86/platform/efi/efi.c | 2 ++
+ arch/x86/platform/efi/efi_64.c | 10 ++++++++--
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/platform/efi/efi.c
++++ b/arch/x86/platform/efi/efi.c
+@@ -85,6 +85,8 @@ static efi_status_t __init phys_efi_set_
+ pgd_t *save_pgd;
+
+ save_pgd = efi_call_phys_prolog();
++ if (!save_pgd)
++ return EFI_ABORTED;
+
+ /* Disable interrupts around EFI calls: */
+ local_irq_save(flags);
+--- a/arch/x86/platform/efi/efi_64.c
++++ b/arch/x86/platform/efi/efi_64.c
+@@ -90,6 +90,8 @@ pgd_t * __init efi_call_phys_prolog(void
+
+ n_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT), PGDIR_SIZE);
+ save_pgd = kmalloc_array(n_pgds, sizeof(*save_pgd), GFP_KERNEL);
++ if (!save_pgd)
++ return NULL;
+
+ /*
+ * Build 1:1 identity mapping for efi=old_map usage. Note that
+@@ -108,7 +110,7 @@ pgd_t * __init efi_call_phys_prolog(void
+ p4d = p4d_alloc(&init_mm, pgd_efi, addr_pgd);
+ if (!p4d) {
+ pr_err("Failed to allocate p4d table!\n");
+- goto out;
++ goto error;
+ }
+
+ for (i = 0; i < PTRS_PER_P4D; i++) {
+@@ -118,7 +120,7 @@ pgd_t * __init efi_call_phys_prolog(void
+ pud = pud_alloc(&init_mm, p4d_efi, addr_p4d);
+ if (!pud) {
+ pr_err("Failed to allocate pud table!\n");
+- goto out;
++ goto error;
+ }
+
+ for (j = 0; j < PTRS_PER_PUD; j++) {
+@@ -141,6 +143,10 @@ out:
+ __flush_tlb_all();
+
+ return save_pgd;
++
++error:
++ efi_call_phys_epilog(save_pgd);
++ return NULL;
+ }
+
+ void __init efi_call_phys_epilog(pgd_t *save_pgd)
diff --git a/patches.fixes/fuse-fallocate-fix-return-with-locked-inode.patch b/patches.fixes/fuse-fallocate-fix-return-with-locked-inode.patch
new file mode 100644
index 0000000000..0e2daa117b
--- /dev/null
+++ b/patches.fixes/fuse-fallocate-fix-return-with-locked-inode.patch
@@ -0,0 +1,40 @@
+From 35d6fcbb7c3e296a52136347346a698a35af3fda Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Mon, 27 May 2019 11:42:07 +0200
+Subject: [PATCH] fuse: fallocate: fix return with locked inode
+Git-commit: 35d6fcbb7c3e296a52136347346a698a35af3fda
+Patch-mainline: v5.2-rc4
+References: bsc#1051510
+
+Do the proper cleanup in case the size check fails.
+
+Tested with xfstests:generic/228
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: 0cbade024ba5 ("fuse: honor RLIMIT_FSIZE in fuse_file_fallocate")
+Cc: Liu Bo <bo.liu@linux.alibaba.com>
+Cc: <stable@vger.kernel.org> # v3.5
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/fuse/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index 3959f08279e6..143c54f93f2d 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -3055,7 +3055,7 @@ static long fuse_file_fallocate(struct file *file, int mode, loff_t offset,
+ offset + length > i_size_read(inode)) {
+ err = inode_newsize_ok(inode, offset + length);
+ if (err)
+- return err;
++ goto out;
+ }
+
+ if (!(mode & FALLOC_FL_KEEP_SIZE))
+--
+2.16.4
+
diff --git a/patches.fixes/fuse-fix-writepages-on-32bit.patch b/patches.fixes/fuse-fix-writepages-on-32bit.patch
new file mode 100644
index 0000000000..de716fc19f
--- /dev/null
+++ b/patches.fixes/fuse-fix-writepages-on-32bit.patch
@@ -0,0 +1,40 @@
+From 9de5be06d0a89ca97b5ab902694d42dfd2bb77d2 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 24 Apr 2019 17:05:06 +0200
+Subject: [PATCH] fuse: fix writepages on 32bit
+Git-commit: 9de5be06d0a89ca97b5ab902694d42dfd2bb77d2
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Writepage requests were cropped to i_size & 0xffffffff, which meant that
+mmaped writes to any file larger than 4G might be silently discarded.
+
+Fix by storing the file size in a properly sized variable (loff_t instead
+of size_t).
+
+Reported-by: Antonio SJ Musumeci <trapexit@spawn.link>
+Fixes: 6eaf4782eb09 ("fuse: writepages: crop secondary requests")
+Cc: <stable@vger.kernel.org> # v3.13
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/fuse/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index 06096b60f1df..5428c81879b2 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1586,7 +1586,7 @@ __acquires(fi->lock)
+ {
+ struct fuse_conn *fc = get_fuse_conn(inode);
+ struct fuse_inode *fi = get_fuse_inode(inode);
+- size_t crop = i_size_read(inode);
++ loff_t crop = i_size_read(inode);
+ struct fuse_req *req;
+
+ while (fi->writectr >= 0 && !list_empty(&fi->queued_writes)) {
+--
+2.16.4
+
diff --git a/patches.fixes/fuse-honor-RLIMIT_FSIZE-in-fuse_file_fallocate.patch b/patches.fixes/fuse-honor-RLIMIT_FSIZE-in-fuse_file_fallocate.patch
new file mode 100644
index 0000000000..8f81fae30e
--- /dev/null
+++ b/patches.fixes/fuse-honor-RLIMIT_FSIZE-in-fuse_file_fallocate.patch
@@ -0,0 +1,44 @@
+From 0cbade024ba501313da3b7e5dd2a188a6bc491b5 Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.liu@linux.alibaba.com>
+Date: Thu, 18 Apr 2019 04:04:41 +0800
+Subject: [PATCH] fuse: honor RLIMIT_FSIZE in fuse_file_fallocate
+Git-commit: 0cbade024ba501313da3b7e5dd2a188a6bc491b5
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+fstests generic/228 reported this failure that fuse fallocate does not
+honor what 'ulimit -f' has set.
+
+This adds the necessary inode_newsize_ok() check.
+
+Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com>
+Fixes: 05ba1f082300 ("fuse: add FALLOCATE operation")
+Cc: <stable@vger.kernel.org> # v3.5
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/fuse/file.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index 5428c81879b2..f811af4f6507 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -3044,6 +3044,13 @@ static long fuse_file_fallocate(struct file *file, int mode, loff_t offset,
+ }
+ }
+
++ if (!(mode & FALLOC_FL_KEEP_SIZE) &&
++ offset + length > i_size_read(inode)) {
++ err = inode_newsize_ok(inode, offset + length);
++ if (err)
++ return err;
++ }
++
+ if (!(mode & FALLOC_FL_KEEP_SIZE))
+ set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
+
+--
+2.16.4
+
diff --git a/patches.fixes/mac80211-Fix-kernel-panic-due-to-use-of-txq-after-fr.patch b/patches.fixes/mac80211-Fix-kernel-panic-due-to-use-of-txq-after-fr.patch
new file mode 100644
index 0000000000..81589ebe43
--- /dev/null
+++ b/patches.fixes/mac80211-Fix-kernel-panic-due-to-use-of-txq-after-fr.patch
@@ -0,0 +1,46 @@
+From f1267cf3c01b12e0f843fb6a7450a7f0b2efab8a Mon Sep 17 00:00:00 2001
+From: Bhagavathi Perumal S <bperumal@codeaurora.org>
+Date: Tue, 16 Apr 2019 12:54:40 +0530
+Subject: [PATCH] mac80211: Fix kernel panic due to use of txq after free
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: f1267cf3c01b12e0f843fb6a7450a7f0b2efab8a
+Patch-mainline: v5.1
+References: bsc#1051510
+
+The txq of vif is added to active_txqs list for ATF TXQ scheduling
+in the function ieee80211_queue_skb(), but it was not properly removed
+before freeing the txq object. It was causing use after free of the txq
+objects from the active_txqs list, result was kernel panic
+due to invalid memory access.
+
+Fix kernel invalid memory access by properly removing txq object
+from active_txqs list before free the object.
+
+Signed-off-by: Bhagavathi Perumal S <bperumal@codeaurora.org>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/mac80211/iface.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
+index 4a6ff1482a9f..02d2e6f11e93 100644
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1908,6 +1908,9 @@ void ieee80211_if_remove(struct ieee80211_sub_if_data *sdata)
+ list_del_rcu(&sdata->list);
+ mutex_unlock(&sdata->local->iflist_mtx);
+
++ if (sdata->vif.txq)
++ ieee80211_txq_purge(sdata->local, to_txq_info(sdata->vif.txq));
++
+ synchronize_rcu();
+
+ if (sdata->dev) {
+--
+2.16.4
+
diff --git a/patches.fixes/mac80211-cfg80211-update-bss-channel-on-channel-swit.patch b/patches.fixes/mac80211-cfg80211-update-bss-channel-on-channel-swit.patch
new file mode 100644
index 0000000000..5d37dfe840
--- /dev/null
+++ b/patches.fixes/mac80211-cfg80211-update-bss-channel-on-channel-swit.patch
@@ -0,0 +1,70 @@
+From 5dc8cdce1d722c733f8c7af14c5fb595cfedbfa8 Mon Sep 17 00:00:00 2001
+From: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
+Date: Tue, 26 Mar 2019 09:27:37 +0000
+Subject: [PATCH] mac80211/cfg80211: update bss channel on channel switch
+Git-commit: 5dc8cdce1d722c733f8c7af14c5fb595cfedbfa8
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+FullMAC STAs have no way to update bss channel after CSA channel switch
+completion. As a result, user-space tools may provide inconsistent
+channel info. For instance, consider the following two commands:
+$ sudo iw dev wlan0 link
+$ sudo iw dev wlan0 info
+The latter command gets channel info from the hardware, so most probably
+its output will be correct. However the former command gets channel info
+from scan cache, so its output will contain outdated channel info.
+In fact, current bss channel info will not be updated until the
+next [re-]connect.
+
+Note that mac80211 STAs have a workaround for this, but it requires
+access to internal cfg80211 data, see ieee80211_chswitch_work:
+
+ /* XXX: shouldn't really modify cfg80211-owned data! */
+ ifmgd->associated->channel = sdata->csa_chandef.chan;
+
+This patch suggests to convert mac80211 workaround into cfg80211 behavior
+and to update current bss channel in cfg80211_ch_switch_notify.
+
+Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/mac80211/mlme.c | 3 ---
+ net/wireless/nl80211.c | 5 +++++
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 2dbcf5d5512e..b7a9fe3d5fcb 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1188,9 +1188,6 @@ static void ieee80211_chswitch_work(struct work_struct *work)
+ goto out;
+ }
+
+- /* XXX: shouldn't really modify cfg80211-owned data! */
+- ifmgd->associated->channel = sdata->csa_chandef.chan;
+-
+ ifmgd->csa_waiting_bcn = true;
+
+ ieee80211_sta_reset_beacon_monitor(sdata);
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index ab9b095f6094..e7984f025bc7 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -15731,6 +15731,11 @@ void cfg80211_ch_switch_notify(struct net_device *dev,
+
+ wdev->chandef = *chandef;
+ wdev->preset_chandef = *chandef;
++
++ if (wdev->iftype == NL80211_IFTYPE_STATION &&
++ !WARN_ON(!wdev->current_bss))
++ wdev->current_bss->pub.channel = chandef->chan;
++
+ nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
+ NL80211_CMD_CH_SWITCH_NOTIFY, 0);
+ }
+--
+2.16.4
+
diff --git a/patches.fixes/vxlan-trivial-indenting-fix.patch b/patches.fixes/vxlan-trivial-indenting-fix.patch
new file mode 100644
index 0000000000..08dac623b6
--- /dev/null
+++ b/patches.fixes/vxlan-trivial-indenting-fix.patch
@@ -0,0 +1,36 @@
+From f1c8d3720f2e6c8c2b209120678236debd0360e5 Mon Sep 17 00:00:00 2001
+From: William Tu <u9012063@gmail.com>
+Date: Tue, 2 Jan 2018 14:05:19 -0800
+Subject: [PATCH] vxlan: trivial indenting fix.
+Git-commit: f1c8d3720f2e6c8c2b209120678236debd0360e5
+Patch-mainline: v4.15-rc8
+References: bsc#1051510
+
+Fix indentation of reserved_flags2 field in vxlanhdr_gpe.
+
+Fixes: e1e5314de08b ("vxlan: implement GPE")
+Signed-off-by: William Tu <u9012063@gmail.com>
+Acked-by: Stephen Hemminger <stephen@networkplumber.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ include/net/vxlan.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/vxlan.h b/include/net/vxlan.h
+index 13223396dc64..f96391e84a8a 100644
+--- a/include/net/vxlan.h
++++ b/include/net/vxlan.h
+@@ -146,7 +146,7 @@ struct vxlanhdr_gpe {
+ np_applied:1,
+ instance_applied:1,
+ version:2,
+-reserved_flags2:2;
++ reserved_flags2:2;
+ #elif defined(__BIG_ENDIAN_BITFIELD)
+ u8 reserved_flags2:2,
+ version:2,
+--
+2.16.4
+
diff --git a/patches.fixes/vxlan-use-__be32-type-for-the-param-vni-in-__vxlan_f.patch b/patches.fixes/vxlan-use-__be32-type-for-the-param-vni-in-__vxlan_f.patch
new file mode 100644
index 0000000000..0b946cefa5
--- /dev/null
+++ b/patches.fixes/vxlan-use-__be32-type-for-the-param-vni-in-__vxlan_f.patch
@@ -0,0 +1,38 @@
+From fc39c38bdc46c49e1e9166afbeb686634e63cbaf Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 26 Nov 2017 21:19:05 +0800
+Subject: [PATCH] vxlan: use __be32 type for the param vni in __vxlan_fdb_delete
+Git-commit: fc39c38bdc46c49e1e9166afbeb686634e63cbaf
+Patch-mainline: v4.15-rc2
+References: bsc#1051510
+
+All callers of __vxlan_fdb_delete pass vni with __be32 type, and
+this param should be declared as __be32 type.
+
+Fixes: 3ad7a4b141eb ("vxlan: support fdb and learning in COLLECT_METADATA mode")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/vxlan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
+index 7ac487031b4b..19b9cc51079e 100644
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -874,8 +874,8 @@ static int vxlan_fdb_add(struct ndmsg *ndm, struct nlattr *tb[],
+
+ static int __vxlan_fdb_delete(struct vxlan_dev *vxlan,
+ const unsigned char *addr, union vxlan_addr ip,
+- __be16 port, __be32 src_vni, u32 vni, u32 ifindex,
+- u16 vid)
++ __be16 port, __be32 src_vni, __be32 vni,
++ u32 ifindex, u16 vid)
+ {
+ struct vxlan_fdb *f;
+ struct vxlan_rdst *rd = NULL;
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-do-not-set-the-page-uptodate-in-xfs_writepage_ma.patch b/patches.fixes/xfs-do-not-set-the-page-uptodate-in-xfs_writepage_ma.patch
new file mode 100644
index 0000000000..737d04da7f
--- /dev/null
+++ b/patches.fixes/xfs-do-not-set-the-page-uptodate-in-xfs_writepage_ma.patch
@@ -0,0 +1,59 @@
+From 91cdfd1761659f338e673aca72af3d0d50b88847 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 11 Jul 2018 22:25:58 -0700
+Subject: [PATCH] xfs: do not set the page uptodate in xfs_writepage_map
+Git-commit: 91cdfd1761659f338e673aca72af3d0d50b88847
+Patch-mainline: v4.19-rc1
+References: bsc#1138003
+
+We already track the page uptodate status based on the buffer uptodate
+status, which is updated whenever reading or zeroing blocks.
+
+This code has been there since commit a ptool commit in 2002, which
+claims to:
+
+ "merge" the 2.4 fsx fix for block size < page size to 2.5. This needed
+ major changes to actually fit.
+
+and isn't present in other writepage implementations.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -928,7 +928,6 @@
+ uint64_t offset;
+ int error = 0;
+ int count = 0;
+- int uptodate = 1;
+ unsigned int new_type;
+
+ bh = head = page_buffers(page);
+@@ -936,8 +935,6 @@
+ do {
+ if (offset >= end_offset)
+ break;
+- if (!buffer_uptodate(bh))
+- uptodate = 0;
+
+ /*
+ * set_page_dirty dirties all buffers in a page, independent
+@@ -1001,9 +998,6 @@
+
+ } while (offset += len, ((bh = bh->b_this_page) != head));
+
+- if (uptodate && bh == head)
+- SetPageUptodate(page);
+-
+ ASSERT(wpc->ioend || list_empty(&submit_list));
+
+ out:
+
diff --git a/patches.fixes/xfs-don-t-clear-imap_valid-for-a-non-uptodate-buffer.patch b/patches.fixes/xfs-don-t-clear-imap_valid-for-a-non-uptodate-buffer.patch
new file mode 100644
index 0000000000..5078956a9b
--- /dev/null
+++ b/patches.fixes/xfs-don-t-clear-imap_valid-for-a-non-uptodate-buffer.patch
@@ -0,0 +1,56 @@
+From c57371a16d074bb4eafe6b73f29360085ecb2064 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 11 Jul 2018 22:25:58 -0700
+Subject: [PATCH] xfs: don't clear imap_valid for a non-uptodate buffers
+Git-commit: c57371a16d074bb4eafe6b73f29360085ecb2064
+Patch-mainline: v4.19-rc1
+References: bsc#1138018
+
+Finding a buffer that isn't uptodate doesn't invalidate the mapping for
+any given block. The last_sector check will already take care of starting
+another ioend as soon as we find any non-update buffer, and if the current
+mapping doesn't include the next uptodate buffer the xfs_imap_valid check
+will take care of it.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index df80a383ccd8..1d1cb917cc6e 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -863,10 +863,8 @@ xfs_writepage_map(
+ * meaningless for holes (!mapped && uptodate), so skip
+ * buffers covering holes here.
+ */
+- if (!buffer_mapped(bh) && buffer_uptodate(bh)) {
+- wpc->imap_valid = false;
++ if (!buffer_mapped(bh) && buffer_uptodate(bh))
+ continue;
+- }
+
+ if (buffer_unwritten(bh))
+ new_type = XFS_IO_UNWRITTEN;
+@@ -879,11 +877,8 @@ xfs_writepage_map(
+ ASSERT(buffer_mapped(bh));
+ /*
+ * This buffer is not uptodate and will not be
+- * written to disk. Ensure that we will put any
+- * subsequent writeable buffers into a new
+- * ioend.
++ * written to disk.
+ */
+- wpc->imap_valid = false;
+ continue;
+ }
+
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-don-t-look-at-buffer-heads-in-xfs_add_to_ioend.patch b/patches.fixes/xfs-don-t-look-at-buffer-heads-in-xfs_add_to_ioend.patch
new file mode 100644
index 0000000000..5c28e7b2ba
--- /dev/null
+++ b/patches.fixes/xfs-don-t-look-at-buffer-heads-in-xfs_add_to_ioend.patch
@@ -0,0 +1,166 @@
+From 3faed667644d787c3cf6f977f80bac7a013eb045 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 11 Jul 2018 22:26:02 -0700
+Subject: [PATCH] xfs: don't look at buffer heads in xfs_add_to_ioend
+Git-commit: 3faed667644d787c3cf6f977f80bac7a013eb045
+Patch-mainline: v4.19-rc1
+References: bsc#1138013
+
+Calculate all information for the bio based on the passed in information
+without requiring a buffer_head structure.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 68 +++++++++++++++++++++++++-----------------------------
+ 1 file changed, 32 insertions(+), 36 deletions(-)
+
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -44,7 +44,6 @@
+ struct xfs_bmbt_irec imap;
+ unsigned int io_type;
+ struct xfs_ioend *ioend;
+- sector_t last_block;
+ };
+
+ void
+@@ -546,11 +545,6 @@
+ unlock_page(page);
+ }
+
+-static inline int xfs_bio_add_buffer(struct bio *bio, struct buffer_head *bh)
+-{
+- return bio_add_page(bio, bh->b_page, bh->b_size, bh_offset(bh));
+-}
+-
+ /*
+ * Submit the bio for an ioend. We are passed an ioend with a bio attached to
+ * it, and we submit that bio. The ioend may be used for multiple bio
+@@ -615,27 +609,20 @@
+ return 0;
+ }
+
+-static void
+-xfs_init_bio_from_bh(
+- struct bio *bio,
+- struct buffer_head *bh)
+-{
+- bio->bi_iter.bi_sector = bh->b_blocknr * (bh->b_size >> 9);
+- bio_set_dev(bio, bh->b_bdev);
+-}
+-
+ static struct xfs_ioend *
+ xfs_alloc_ioend(
+ struct inode *inode,
+ unsigned int type,
+ xfs_off_t offset,
+- struct buffer_head *bh)
++ struct block_device *bdev,
++ sector_t sector)
+ {
+ struct xfs_ioend *ioend;
+ struct bio *bio;
+
+ bio = bio_alloc_bioset(GFP_NOFS, BIO_MAX_PAGES, xfs_ioend_bioset);
+- xfs_init_bio_from_bh(bio, bh);
++ bio_set_dev(bio, bdev);
++ bio->bi_iter.bi_sector = sector;
+
+ ioend = container_of(bio, struct xfs_ioend, io_inline_bio);
+ INIT_LIST_HEAD(&ioend->io_list);
+@@ -660,13 +647,14 @@
+ xfs_chain_bio(
+ struct xfs_ioend *ioend,
+ struct writeback_control *wbc,
+- struct buffer_head *bh)
++ struct block_device *bdev,
++ sector_t sector)
+ {
+ struct bio *new;
+
+ new = bio_alloc(GFP_NOFS, BIO_MAX_PAGES);
+- xfs_init_bio_from_bh(new, bh);
+-
++ bio_set_dev(new, bdev);
++ new->bi_iter.bi_sector = sector;
+ bio_chain(ioend->io_bio, new);
+ bio_get(ioend->io_bio); /* for xfs_destroy_ioend */
+ ioend->io_bio->bi_opf = REQ_OP_WRITE | wbc_to_write_flags(wbc);
+@@ -675,39 +663,45 @@
+ }
+
+ /*
+- * Test to see if we've been building up a completion structure for
+- * earlier buffers -- if so, we try to append to this ioend if we
+- * can, otherwise we finish off any current ioend and start another.
+- * Return the ioend we finished off so that the caller can submit it
+- * once it has finished processing the dirty page.
++ * Test to see if we have an existing ioend structure that we could append to
++ * first, otherwise finish off the current ioend and start another.
+ */
+ STATIC void
+ xfs_add_to_ioend(
+ struct inode *inode,
+- struct buffer_head *bh,
+ xfs_off_t offset,
++ struct page *page,
+ struct xfs_writepage_ctx *wpc,
+ struct writeback_control *wbc,
+ struct list_head *iolist)
+ {
++ struct xfs_inode *ip = XFS_I(inode);
++ struct xfs_mount *mp = ip->i_mount;
++ struct block_device *bdev = xfs_find_bdev_for_inode(inode);
++ unsigned len = i_blocksize(inode);
++ unsigned poff = offset & (PAGE_SIZE - 1);
++ sector_t sector;
++
++ sector = xfs_fsb_to_db(ip, wpc->imap.br_startblock) +
++ ((offset - XFS_FSB_TO_B(mp, wpc->imap.br_startoff)) >> 9);
++
+ if (!wpc->ioend || wpc->io_type != wpc->ioend->io_type ||
+- bh->b_blocknr != wpc->last_block + 1 ||
++ sector != bio_end_sector(wpc->ioend->io_bio) ||
+ offset != wpc->ioend->io_offset + wpc->ioend->io_size) {
+ if (wpc->ioend)
+ list_add(&wpc->ioend->io_list, iolist);
+- wpc->ioend = xfs_alloc_ioend(inode, wpc->io_type, offset, bh);
++ wpc->ioend = xfs_alloc_ioend(inode, wpc->io_type, offset,
++ bdev, sector);
+ }
+
+ /*
+- * If the buffer doesn't fit into the bio we need to allocate a new
+- * one. This shouldn't happen more than once for a given buffer.
++ * If the block doesn't fit into the bio we need to allocate a new
++ * one. This shouldn't happen more than once for a given block.
+ */
+- while (xfs_bio_add_buffer(wpc->ioend->io_bio, bh) != bh->b_size)
+- xfs_chain_bio(wpc->ioend, wbc, bh);
++ while (bio_add_page(wpc->ioend->io_bio, page, len, poff) != len)
++ xfs_chain_bio(wpc->ioend, wbc, bdev, sector);
+
+- wpc->ioend->io_size += bh->b_size;
+- wpc->last_block = bh->b_blocknr;
+- xfs_start_buffer_writeback(bh);
++ wpc->ioend->io_size += len;
+ }
+
+ STATIC void
+@@ -948,7 +942,9 @@
+
+ lock_buffer(bh);
+ xfs_map_at_offset(inode, bh, &wpc->imap, file_offset);
+- xfs_add_to_ioend(inode, bh, file_offset, wpc, wbc, &submit_list);
++ xfs_add_to_ioend(inode, file_offset, page, wpc, wbc,
++ &submit_list);
++ xfs_start_buffer_writeback(bh);
+ count++;
+ }
+
+
diff --git a/patches.fixes/xfs-don-t-use-XFS_BMAPI_ENTRIRE-in-xfs_get_blocks.patch b/patches.fixes/xfs-don-t-use-XFS_BMAPI_ENTRIRE-in-xfs_get_blocks.patch
new file mode 100644
index 0000000000..6f22f5db8b
--- /dev/null
+++ b/patches.fixes/xfs-don-t-use-XFS_BMAPI_ENTRIRE-in-xfs_get_blocks.patch
@@ -0,0 +1,37 @@
+From 7d9df3c1631b0cb7eb4e59c934271adf0ead2f55 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Tue, 13 Mar 2018 23:15:31 -0700
+Subject: [PATCH] xfs: don't use XFS_BMAPI_ENTRIRE in xfs_get_blocks
+Git-commit: 7d9df3c1631b0cb7eb4e59c934271adf0ead2f55
+Patch-mainline: v4.17-rc1
+References: bsc#1137999
+
+There is no reason to get a mapping bigger than what we were asked for.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index a0afb6411417..c79a3ca20ef8 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -1331,8 +1331,8 @@ xfs_get_blocks(
+ end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + size);
+ offset_fsb = XFS_B_TO_FSBT(mp, offset);
+
+- error = xfs_bmapi_read(ip, offset_fsb, end_fsb - offset_fsb,
+- &imap, &nimaps, XFS_BMAPI_ENTIRE);
++ error = xfs_bmapi_read(ip, offset_fsb, end_fsb - offset_fsb, &imap,
++ &nimaps, 0);
+ if (error)
+ goto out_unlock;
+
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-don-t-use-XFS_BMAPI_IGSTATE-in-xfs_map_blocks.patch b/patches.fixes/xfs-don-t-use-XFS_BMAPI_IGSTATE-in-xfs_map_blocks.patch
new file mode 100644
index 0000000000..820f964236
--- /dev/null
+++ b/patches.fixes/xfs-don-t-use-XFS_BMAPI_IGSTATE-in-xfs_map_blocks.patch
@@ -0,0 +1,58 @@
+From a7b28f72ab90fe7a2f438360df5f6fda4237afdc Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 11 Jul 2018 22:25:59 -0700
+Subject: [PATCH] xfs: don't use XFS_BMAPI_IGSTATE in xfs_map_blocks
+Git-commit: a7b28f72ab90fe7a2f438360df5f6fda4237afdc
+Patch-mainline: v4.19-rc1
+References: bsc#1138005
+
+We want to be able to use the extent state as a reliably indicator for
+the type of I/O, and stop using the buffer head state. For this we
+need to stop using the XFS_BMAPI_IGSTATE so that we don't see merged
+extents of different types.
+
+Based on a patch from Dave Chinner.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index 1d1cb917cc6e..6b6150683343 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -373,7 +373,6 @@ xfs_map_blocks(
+ ssize_t count = i_blocksize(inode);
+ xfs_fileoff_t offset_fsb, end_fsb;
+ int error = 0;
+- int bmapi_flags = XFS_BMAPI_ENTIRE;
+ int nimaps = 1;
+
+ if (XFS_FORCED_SHUTDOWN(mp))
+@@ -393,8 +392,6 @@ xfs_map_blocks(
+ return 0;
+
+ ASSERT(type != XFS_IO_COW);
+- if (type == XFS_IO_UNWRITTEN)
+- bmapi_flags |= XFS_BMAPI_IGSTATE;
+
+ xfs_ilock(ip, XFS_ILOCK_SHARED);
+ ASSERT(ip->i_d.di_format != XFS_DINODE_FMT_BTREE ||
+@@ -406,7 +403,7 @@ xfs_map_blocks(
+ end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + count);
+ offset_fsb = XFS_B_TO_FSBT(mp, offset);
+ error = xfs_bmapi_read(ip, offset_fsb, end_fsb - offset_fsb,
+- imap, &nimaps, bmapi_flags);
++ imap, &nimaps, XFS_BMAPI_ENTIRE);
+ /*
+ * Truncate an overwrite extent if there's a pending CoW
+ * reservation before the end of this extent. This forces us
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-eof-trim-writeback-mapping-as-soon-as-it-is-cach.patch b/patches.fixes/xfs-eof-trim-writeback-mapping-as-soon-as-it-is-cach.patch
new file mode 100644
index 0000000000..00e34e863c
--- /dev/null
+++ b/patches.fixes/xfs-eof-trim-writeback-mapping-as-soon-as-it-is-cach.patch
@@ -0,0 +1,64 @@
+From aa6ee4ab69293969867ab09b57546d226ace3d7a Mon Sep 17 00:00:00 2001
+From: Brian Foster <bfoster@redhat.com>
+Date: Fri, 1 Feb 2019 09:36:36 -0800
+Subject: [PATCH] xfs: eof trim writeback mapping as soon as it is cached
+Git-commit: aa6ee4ab69293969867ab09b57546d226ace3d7a
+Patch-mainline: v5.0-rc6
+References: bsc#1138019
+
+The cached writeback mapping is EOF trimmed to try and avoid races
+between post-eof block management and writeback that result in
+sending cached data to a stale location. The cached mapping is
+currently trimmed on the validation check, which leaves a race
+window between the time the mapping is cached and when it is trimmed
+against the current inode size.
+
+For example, if a new mapping is cached by delalloc conversion on a
+blocksize == page size fs, we could cycle various locks, perform
+memory allocations, etc. in the writeback codepath before the
+associated mapping is eventually trimmed to i_size. This leaves
+enough time for a post-eof truncate and file append before the
+cached mapping is trimmed. The former event essentially invalidates
+a range of the cached mapping and the latter bumps the inode size
+such the trim on the next writepage event won't trim all of the
+invalid blocks. fstest generic/464 reproduces this scenario
+occasionally and causes a lost writeback and stale delalloc blocks
+warning on inode inactivation.
+
+To work around this problem, trim the cached writeback mapping as
+soon as it is cached in addition to on subsequent validation checks.
+This is a minor tweak to tighten the race window as much as possible
+until a proper invalidation mechanism is available.
+
+Fixes: 40214d128e07 ("xfs: trim writepage mapping to within eof")
+Cc: <stable@vger.kernel.org> # v4.14+
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Allison Henderson <allison.henderson@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -495,6 +495,7 @@
+ }
+
+ wpc->imap = imap;
++ xfs_trim_extent_eof(&wpc->imap, ip);
+ trace_xfs_map_blocks_found(ip, offset, count, wpc->io_type, &imap);
+ return 0;
+ allocate_blocks:
+@@ -502,6 +503,7 @@
+ if (error)
+ return error;
+ wpc->imap = imap;
++ xfs_trim_extent_eof(&wpc->imap, ip);
+ trace_xfs_map_blocks_alloc(ip, offset, count, wpc->io_type, &imap);
+ return 0;
+ }
+
diff --git a/patches.fixes/xfs-fix-s_maxbytes-overflow-problems.patch b/patches.fixes/xfs-fix-s_maxbytes-overflow-problems.patch
new file mode 100644
index 0000000000..8fb4a0282c
--- /dev/null
+++ b/patches.fixes/xfs-fix-s_maxbytes-overflow-problems.patch
@@ -0,0 +1,58 @@
+From b4d8ad7fd3a18e6d92d4ebe858185c704604a57d Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Fri, 22 Dec 2017 13:14:34 -0800
+Subject: [PATCH] xfs: fix s_maxbytes overflow problems
+Git-commit: b4d8ad7fd3a18e6d92d4ebe858185c704604a57d
+Patch-mainline: v4.15-rc7
+References: bsc#1137996
+
+Fix some integer overflow problems if offset + count happen to be large
+enough to cause an integer overflow.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 4 ++--
+ fs/xfs/xfs_iomap.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index 21e2d70884e1..4fc526a27a94 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -399,7 +399,7 @@ xfs_map_blocks(
+ (ip->i_df.if_flags & XFS_IFEXTENTS));
+ ASSERT(offset <= mp->m_super->s_maxbytes);
+
+- if ((xfs_ufsize_t)offset + count > mp->m_super->s_maxbytes)
++ if (offset > mp->m_super->s_maxbytes - count)
+ count = mp->m_super->s_maxbytes - offset;
+ end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + count);
+ offset_fsb = XFS_B_TO_FSBT(mp, offset);
+@@ -1312,7 +1312,7 @@ xfs_get_blocks(
+ lockmode = xfs_ilock_data_map_shared(ip);
+
+ ASSERT(offset <= mp->m_super->s_maxbytes);
+- if ((xfs_ufsize_t)offset + size > mp->m_super->s_maxbytes)
++ if (offset > mp->m_super->s_maxbytes - size)
+ size = mp->m_super->s_maxbytes - offset;
+ end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + size);
+ offset_fsb = XFS_B_TO_FSBT(mp, offset);
+diff --git a/fs/xfs/xfs_iomap.c b/fs/xfs/xfs_iomap.c
+index 7ab52a8bc0a9..66e1edbfb2b2 100644
+--- a/fs/xfs/xfs_iomap.c
++++ b/fs/xfs/xfs_iomap.c
+@@ -1006,7 +1006,7 @@ xfs_file_iomap_begin(
+ }
+
+ ASSERT(offset <= mp->m_super->s_maxbytes);
+- if ((xfs_fsize_t)offset + length > mp->m_super->s_maxbytes)
++ if (offset > mp->m_super->s_maxbytes - length)
+ length = mp->m_super->s_maxbytes - offset;
+ offset_fsb = XFS_B_TO_FSBT(mp, offset);
+ end_fsb = XFS_B_TO_FSB(mp, offset + length);
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-make-xfs_writepage_map-extent-map-centric.patch b/patches.fixes/xfs-make-xfs_writepage_map-extent-map-centric.patch
new file mode 100644
index 0000000000..a3005e1a61
--- /dev/null
+++ b/patches.fixes/xfs-make-xfs_writepage_map-extent-map-centric.patch
@@ -0,0 +1,261 @@
+From e2f6ad4624dfbde3a6c42c0cfbfc5553d93c3cae Mon Sep 17 00:00:00 2001
+From: Dave Chinner <dchinner@redhat.com>
+Date: Wed, 11 Jul 2018 22:26:00 -0700
+Subject: [PATCH] xfs: make xfs_writepage_map extent map centric
+Git-commit: e2f6ad4624dfbde3a6c42c0cfbfc5553d93c3cae
+Patch-mainline: v4.19-rc1
+References: bsc#1138009
+
+xfs_writepage_map() iterates over the bufferheads on a page to decide
+what sort of IO to do and what actions to take. However, when it comes
+to reflink and deciding when it needs to execute a COW operation, we no
+longer look at the bufferhead state but instead we ignore than and look
+up internal state held in the COW fork extent list.
+
+This means xfs_writepage_map() is somewhat confused. It does stuff, then
+ignores it, then tries to handle the impedence mismatch by shovelling the
+results inside the existing mapping code. It works, but it's a bit of a
+mess and it makes it hard to fix the cached map bug that the writepage
+code currently has.
+
+To unify the two different mechanisms, we first have to choose a direction.
+That's already been set - we're de-emphasising bufferheads so they are no
+longer a control structure as we need to do taht to allow for eventual
+removal. Hence we need to move away from looking at bufferhead state to
+determine what operations we need to perform.
+
+We can't completely get rid of bufferheads yet - they do contain some
+state that is absolutely necessary, such as whether that part of the page
+contains valid data or not (buffer_uptodate()). Other state in the
+bufferhead is redundant:
+
+ BH_dirty - the page is dirty, so we can ignore this and just
+ write it
+ BH_delay - we have delalloc extent info in the DATA fork extent
+ tree
+ BH_unwritten - same as BH_delay
+ BH_mapped - indicates we've already used it once for IO and it is
+ mapped to a disk address. Needs to be ignored for COW
+ blocks.
+
+The BH_mapped flag is an interesting case - it's supposed to indicate that
+it's already mapped to disk and so we can just use it "as is". In theory,
+we don't even have to do an extent lookup to find where to write it too,
+but we have to do that anyway to determine we are actually writing over a
+valid extent. Hence it's not even serving the purpose of avoiding a an
+extent lookup during writeback, and so we can pretty much ignore it.
+Especially as we have to ignore it for COW operations...
+
+Therefore, use the extent map as the source of information to tell us
+what actions we need to take and what sort of IO we should perform. The
+first step is to have xfs_map_blocks() set the io type according to what
+it looks up. This means it can easily handle both normal overwrite and
+COW cases. The only thing we also need to add is the ability to return
+hole mappings.
+
+We need to return and cache hole mappings now for the case of multiple
+blocks per page. We no longer use the BH_mapped to indicate a block over
+a hole, so we have to get that info from xfs_map_blocks(). We cache it so
+that holes that span two pages don't need separate lookups. This allows us
+to avoid ever doing write IO over a hole, too.
+
+Now that we have xfs_map_blocks() returning both a cached map and the type
+of IO we need to perform, we can rewrite xfs_writepage_map() to drop all
+the bufferhead control. It's also much simplified because it doesn't need
+to explicitly handle COW operations. Instead of iterating bufferheads, it
+iterates blocks within the page and then looks up what per-block state is
+required from the appropriate bufferhead. It then validates the cached
+map, and if it's not valid, we get a new map. If we don't get a valid map
+or it's over a hole, we skip the block.
+
+At this point, we have to remap the bufferhead via xfs_map_at_offset().
+As previously noted, we had to do this even if the buffer was already
+mapped as the mapping would be stale for XFS_IO_DELALLOC, XFS_IO_UNWRITTEN
+and XFS_IO_COW IO types. With xfs_map_blocks() now controlling the type,
+even XFS_IO_OVERWRITE types need remapping, as converted-but-not-yet-
+written delalloc extents beyond EOF can be reported at XFS_IO_OVERWRITE.
+Bufferheads that span such regions still need their BH_Delay flags cleared
+and their block numbers calculated, so we now unconditionally map each
+bufferhead before submission.
+
+But wait! There's more - remember the old "treat unwritten extents as
+holes on read" hack? Yeah, that means we can have a dirty page with
+unmapped, unwritten bufferheads that contain data! What makes these so
+special is that the unwritten "hole" bufferheads do not have a valid block
+device pointer, so if we attempt to write them xfs_add_to_ioend() blows
+up. So we make xfs_map_at_offset() do the "realtime or data device"
+lookup from the inode and ignore what was or wasn't put into the
+bufferhead when the buffer was instantiated.
+
+The astute reader will have realised by now that this code treats
+unwritten extents in multiple-blocks-per-page situations differently.
+If we get any combination of unwritten blocks on a dirty page that contain
+valid data in the page, we're going to convert them to real extents. This
+can actually be a win, because it means that pages with interleaving
+unwritten and written blocks will get converted to a single written extent
+with zeros replacing the interspersed unwritten blocks. This is actually
+good for reducing extent list and conversion overhead, and it means we
+issue a contiguous IO instead of lots of little ones. The downside is
+that we use up a little extra IO bandwidth. Neither of these seem like a
+bad thing given that spinning disks are seek sensitive, and SSDs/pmem have
+bandwidth to burn and the lower Io latency/CPU overhead of fewer, larger
+IOs will result in better performance on them...
+
+As a result of all this, the only state we actually care about from the
+bufferhead is a single flag - BH_Uptodate. We still use the bufferhead to
+pass some information to the bio via xfs_add_to_ioend(), but that is
+trivial to separate and pass explicitly. This means we really only need
+1 bit of state per block per page from the buffered write path in the
+writeback path. Everything else we do with the bufferhead is purely to
+make the buffered IO front end continue to work correctly. i.e we've
+pretty much marginalised bufferheads in the writeback path completely.
+
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+[hch: forward port, refactor and split off bits into other commits]
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 88 ++++++++++++++++++++++--------------------------------
+ 1 file changed, 36 insertions(+), 52 deletions(-)
+
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -454,19 +454,19 @@
+ } else if (imap.br_startblock == HOLESTARTBLOCK) {
+ /* landed in a hole */
+ wpc->io_type = XFS_IO_HOLE;
+- }
++ } else {
++ if (isnullstartblock(imap.br_startblock)) {
++ /* got a delalloc extent */
++ wpc->io_type = XFS_IO_DELALLOC;
++ goto allocate_blocks;
++ }
+
+- if (wpc->io_type == XFS_IO_DELALLOC &&
+- (!nimaps || isnullstartblock(imap.br_startblock)))
+- goto allocate_blocks;
+-
+-#ifdef DEBUG
+- if (wpc->io_type == XFS_IO_UNWRITTEN) {
+- ASSERT(nimaps);
+- ASSERT(imap.br_startblock != HOLESTARTBLOCK);
+- ASSERT(imap.br_startblock != DELAYSTARTBLOCK);
++ if (imap.br_state == XFS_EXT_UNWRITTEN)
++ wpc->io_type = XFS_IO_UNWRITTEN;
++ else
++ wpc->io_type = XFS_IO_OVERWRITE;
+ }
+-#endif
++
+ wpc->imap = imap;
+ trace_xfs_map_blocks_found(ip, offset, count, wpc->io_type, &imap);
+ return 0;
+@@ -745,6 +745,14 @@
+ set_buffer_mapped(bh);
+ clear_buffer_delay(bh);
+ clear_buffer_unwritten(bh);
++
++ /*
++ * If this is a realtime file, data may be on a different device.
++ * to that pointed to from the buffer_head b_bdev currently. We can't
++ * trust that the bufferhead has a already been mapped correctly, so
++ * set the bdev now.
++ */
++ bh->b_bdev = xfs_find_bdev_for_inode(inode);
+ }
+
+ /*
+@@ -900,58 +908,35 @@
+ {
+ LIST_HEAD(submit_list);
+ struct xfs_ioend *ioend, *next;
+- struct buffer_head *bh, *head;
++ struct buffer_head *bh;
+ ssize_t len = i_blocksize(inode);
+ uint64_t file_offset; /* file offset of page */
++ unsigned poffset; /* offset into page */
+ int error = 0;
+ int count = 0;
+- unsigned int new_type;
+
+- bh = head = page_buffers(page);
++ /*
++ * Walk the blocks on the page, and if we run off the end of the current
++ * map or find the current map invalid, grab a new one. We only use
++ * bufferheads here to check per-block state - they no longer control
++ * the iteration through the page. This allows us to replace the
++ * bufferhead with some other state tracking mechanism in future.
++ */
+ file_offset = page_offset(page);
+- do {
++ bh = page_buffers(page);
++ for (poffset = 0;
++ poffset < PAGE_SIZE;
++ poffset += len, file_offset += len, bh = bh->b_this_page) {
++ /* past the range we are writing, so nothing more to write. */
+ if (file_offset >= end_offset)
+ break;
+
+- /*
+- * set_page_dirty dirties all buffers in a page, independent
+- * of their state. The dirty state however is entirely
+- * meaningless for holes (!mapped && uptodate), so skip
+- * buffers covering holes here.
+- */
+- if (!buffer_mapped(bh) && buffer_uptodate(bh))
+- continue;
+-
+- if (buffer_unwritten(bh))
+- new_type = XFS_IO_UNWRITTEN;
+- else if (buffer_delay(bh))
+- new_type = XFS_IO_DELALLOC;
+- else if (buffer_uptodate(bh))
+- new_type = XFS_IO_OVERWRITE;
+- else {
++ if (!buffer_uptodate(bh)) {
+ if (PageUptodate(page))
+ ASSERT(buffer_mapped(bh));
+- /*
+- * This buffer is not uptodate and will not be
+- * written to disk.
+- */
+ continue;
+ }
+
+- /*
+- * If we already have a valid COW mapping keep using it.
+- */
+- if (wpc->io_type == XFS_IO_COW &&
+- xfs_imap_valid(inode, &wpc->imap, file_offset)) {
+- wpc->imap_valid = true;
+- new_type = XFS_IO_COW;
+- }
+-
+- if (wpc->io_type != new_type) {
+- wpc->io_type = new_type;
+- wpc->imap_valid = false;
+- }
+-
+ if (wpc->imap_valid)
+ wpc->imap_valid = xfs_imap_valid(inode, &wpc->imap,
+ file_offset);
+@@ -976,11 +961,10 @@
+ continue;
+
+ lock_buffer(bh);
+- if (wpc->io_type != XFS_IO_OVERWRITE)
+- xfs_map_at_offset(inode, bh, &wpc->imap, file_offset);
++ xfs_map_at_offset(inode, bh, &wpc->imap, file_offset);
+ xfs_add_to_ioend(inode, bh, file_offset, wpc, wbc, &submit_list);
+ count++;
+- } while (file_offset += len, ((bh = bh->b_this_page) != head));
++ }
+
+ ASSERT(wpc->ioend || list_empty(&submit_list));
+
+
diff --git a/patches.fixes/xfs-minor-cleanup-for-xfs_get_blocks.patch b/patches.fixes/xfs-minor-cleanup-for-xfs_get_blocks.patch
new file mode 100644
index 0000000000..5e5bc4e7f8
--- /dev/null
+++ b/patches.fixes/xfs-minor-cleanup-for-xfs_get_blocks.patch
@@ -0,0 +1,51 @@
+From 1d4352de511f4c9b6f4466c8fd4cfc25b14869b7 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Tue, 13 Mar 2018 23:15:32 -0700
+Subject: [PATCH] xfs: minor cleanup for xfs_get_blocks
+Git-commit: 1d4352de511f4c9b6f4466c8fd4cfc25b14869b7
+Patch-mainline: v4.17-rc1
+References: bsc#1138000
+
+Simplify the control flow a bit in preparation for O_ATOMIC-related
+changes.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index c79a3ca20ef8..19eadc807056 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -1335,17 +1335,16 @@ xfs_get_blocks(
+ &nimaps, 0);
+ if (error)
+ goto out_unlock;
+-
+- if (nimaps) {
+- trace_xfs_get_blocks_found(ip, offset, size,
+- imap.br_state == XFS_EXT_UNWRITTEN ?
+- XFS_IO_UNWRITTEN : XFS_IO_OVERWRITE, &imap);
+- xfs_iunlock(ip, lockmode);
+- } else {
++ if (!nimaps) {
+ trace_xfs_get_blocks_notfound(ip, offset, size);
+ goto out_unlock;
+ }
+
++ trace_xfs_get_blocks_found(ip, offset, size,
++ imap.br_state == XFS_EXT_UNWRITTEN ?
++ XFS_IO_UNWRITTEN : XFS_IO_OVERWRITE, &imap);
++ xfs_iunlock(ip, lockmode);
++
+ /* trim mapping down to size requested */
+ xfs_map_trim_size(inode, iblock, bh_result, &imap, offset, size);
+
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-move-all-writeback-buffer_head-manipulation-into.patch b/patches.fixes/xfs-move-all-writeback-buffer_head-manipulation-into.patch
new file mode 100644
index 0000000000..6eaa73f074
--- /dev/null
+++ b/patches.fixes/xfs-move-all-writeback-buffer_head-manipulation-into.patch
@@ -0,0 +1,77 @@
+From 6d465e895343225e3ad35fe10d7b3e9f2f18faec Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 11 Jul 2018 22:26:03 -0700
+Subject: [PATCH] xfs: move all writeback buffer_head manipulation into
+ xfs_map_at_offset
+Git-commit: 6d465e895343225e3ad35fe10d7b3e9f2f18faec
+Patch-mainline: v4.19-rc1
+References: bsc#1138014
+
+This keeps it in a single place so it can be made otional more easily.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 22 +++++-----------------
+ 1 file changed, 5 insertions(+), 17 deletions(-)
+
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -507,21 +507,6 @@
+ }
+
+ STATIC void
+-xfs_start_buffer_writeback(
+- struct buffer_head *bh)
+-{
+- ASSERT(buffer_mapped(bh));
+- ASSERT(buffer_locked(bh));
+- ASSERT(!buffer_delay(bh));
+- ASSERT(!buffer_unwritten(bh));
+-
+- bh->b_end_io = NULL;
+- set_buffer_async_write(bh);
+- set_buffer_uptodate(bh);
+- clear_buffer_dirty(bh);
+-}
+-
+-STATIC void
+ xfs_start_page_writeback(
+ struct page *page,
+ int clear_dirty)
+@@ -738,6 +723,7 @@
+ ASSERT(imap->br_startblock != HOLESTARTBLOCK);
+ ASSERT(imap->br_startblock != DELAYSTARTBLOCK);
+
++ lock_buffer(bh);
+ xfs_map_buffer(inode, bh, imap, offset);
+ set_buffer_mapped(bh);
+ clear_buffer_delay(bh);
+@@ -750,6 +736,10 @@
+ * set the bdev now.
+ */
+ bh->b_bdev = xfs_find_bdev_for_inode(inode);
++ bh->b_end_io = NULL;
++ set_buffer_async_write(bh);
++ set_buffer_uptodate(bh);
++ clear_buffer_dirty(bh);
+ }
+
+ /*
+@@ -940,11 +930,9 @@
+ if (wpc->io_type == XFS_IO_HOLE)
+ continue;
+
+- lock_buffer(bh);
+ xfs_map_at_offset(inode, bh, &wpc->imap, file_offset);
+ xfs_add_to_ioend(inode, file_offset, page, wpc, wbc,
+ &submit_list);
+- xfs_start_buffer_writeback(bh);
+ count++;
+ }
+
+
diff --git a/patches.fixes/xfs-refactor-the-tail-of-xfs_writepage_map.patch b/patches.fixes/xfs-refactor-the-tail-of-xfs_writepage_map.patch
new file mode 100644
index 0000000000..ed1b2f742b
--- /dev/null
+++ b/patches.fixes/xfs-refactor-the-tail-of-xfs_writepage_map.patch
@@ -0,0 +1,113 @@
+From 8e1f065bea1b1c128c92ef7e386779a23cd5d342 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 11 Jul 2018 22:26:04 -0700
+Subject: [PATCH] xfs: refactor the tail of xfs_writepage_map
+Git-commit: 8e1f065bea1b1c128c92ef7e386779a23cd5d342
+Patch-mainline: v4.19-rc1
+References: bsc#1138016
+
+Rejuggle how we deal with the different error vs non-error and have
+ioends vs not have ioend cases to keep the fast path streamlined, and
+the duplicate code at a minimum.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 65 +++++++++++++++++++++++++++----------------------------
+ 1 file changed, 32 insertions(+), 33 deletions(-)
+
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index af9224ea4ebf..c8e0d3055153 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -854,7 +854,14 @@ xfs_writepage_map(
+ * submission of outstanding ioends on the writepage context so they are
+ * treated correctly on error.
+ */
+- if (count) {
++ if (unlikely(error)) {
++ if (!count) {
++ xfs_aops_discard_page(page);
++ ClearPageUptodate(page);
++ unlock_page(page);
++ goto done;
++ }
++
+ /*
+ * If the page was not fully cleaned, we need to ensure that the
+ * higher layers come back to it correctly. That means we need
+@@ -863,43 +870,35 @@ xfs_writepage_map(
+ * so another attempt to write this page in this writeback sweep
+ * will be made.
+ */
+- if (error) {
+- set_page_writeback_keepwrite(page);
+- } else {
+- clear_page_dirty_for_io(page);
+- set_page_writeback(page);
+- }
+- unlock_page(page);
+-
+- /*
+- * Preserve the original error if there was one, otherwise catch
+- * submission errors here and propagate into subsequent ioend
+- * submissions.
+- */
+- list_for_each_entry_safe(ioend, next, &submit_list, io_list) {
+- int error2;
+-
+- list_del_init(&ioend->io_list);
+- error2 = xfs_submit_ioend(wbc, ioend, error);
+- if (error2 && !error)
+- error = error2;
+- }
+- } else if (error) {
+- xfs_aops_discard_page(page);
+- ClearPageUptodate(page);
+- unlock_page(page);
++ set_page_writeback_keepwrite(page);
+ } else {
+- /*
+- * We can end up here with no error and nothing to write if we
+- * race with a partial page truncate on a sub-page block sized
+- * filesystem. In that case we need to mark the page clean.
+- */
+ clear_page_dirty_for_io(page);
+ set_page_writeback(page);
+- unlock_page(page);
+- end_page_writeback(page);
+ }
+
++ unlock_page(page);
++
++ /*
++ * Preserve the original error if there was one, otherwise catch
++ * submission errors here and propagate into subsequent ioend
++ * submissions.
++ */
++ list_for_each_entry_safe(ioend, next, &submit_list, io_list) {
++ int error2;
++
++ list_del_init(&ioend->io_list);
++ error2 = xfs_submit_ioend(wbc, ioend, error);
++ if (error2 && !error)
++ error = error2;
++ }
++
++ /*
++ * We can end up here with no error and nothing to write if we race with
++ * a partial page truncate on a sub-page block sized filesystem.
++ */
++ if (!count)
++ end_page_writeback(page);
++done:
+ mapping_set_error(page->mapping, error);
+ return error;
+ }
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-remove-XFS_IO_INVALID.patch b/patches.fixes/xfs-remove-XFS_IO_INVALID.patch
new file mode 100644
index 0000000000..9c99f252b0
--- /dev/null
+++ b/patches.fixes/xfs-remove-XFS_IO_INVALID.patch
@@ -0,0 +1,79 @@
+From 97e5a6e6dc44b9ea660f85de084f6e38cb5cf39c Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Thu, 18 Oct 2018 17:17:50 +1100
+Subject: [PATCH] xfs: remove XFS_IO_INVALID
+Git-commit: 97e5a6e6dc44b9ea660f85de084f6e38cb5cf39c
+Patch-mainline: v4.20-rc1
+References: bsc#1138017
+
+The invalid state isn't any different from a hole, so merge the two
+states. Use the more descriptive hole name, but keep it as the first
+value of the enum to catch uninitialized fields.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 4 ++--
+ fs/xfs/xfs_aops.h | 14 ++++++--------
+ 2 files changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index 49f5f5896a43..338b9d9984e0 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -917,7 +917,7 @@ xfs_vm_writepage(
+ struct writeback_control *wbc)
+ {
+ struct xfs_writepage_ctx wpc = {
+- .io_type = XFS_IO_INVALID,
++ .io_type = XFS_IO_HOLE,
+ };
+ int ret;
+
+@@ -933,7 +933,7 @@ xfs_vm_writepages(
+ struct writeback_control *wbc)
+ {
+ struct xfs_writepage_ctx wpc = {
+- .io_type = XFS_IO_INVALID,
++ .io_type = XFS_IO_HOLE,
+ };
+ int ret;
+
+diff --git a/fs/xfs/xfs_aops.h b/fs/xfs/xfs_aops.h
+index 9af867951a10..494b4338446e 100644
+--- a/fs/xfs/xfs_aops.h
++++ b/fs/xfs/xfs_aops.h
+@@ -12,21 +12,19 @@ extern struct bio_set xfs_ioend_bioset;
+ * Types of I/O for bmap clustering and I/O completion tracking.
+ */
+ enum {
+- XFS_IO_INVALID, /* initial state */
++ XFS_IO_HOLE, /* covers region without any block allocation */
+ XFS_IO_DELALLOC, /* covers delalloc region */
+ XFS_IO_UNWRITTEN, /* covers allocated but uninitialized data */
+ XFS_IO_OVERWRITE, /* covers already allocated extent */
+ XFS_IO_COW, /* covers copy-on-write extent */
+- XFS_IO_HOLE, /* covers region without any block allocation */
+ };
+
+ #define XFS_IO_TYPES \
+- { XFS_IO_INVALID, "invalid" }, \
+- { XFS_IO_DELALLOC, "delalloc" }, \
+- { XFS_IO_UNWRITTEN, "unwritten" }, \
+- { XFS_IO_OVERWRITE, "overwrite" }, \
+- { XFS_IO_COW, "CoW" }, \
+- { XFS_IO_HOLE, "hole" }
++ { XFS_IO_HOLE, "hole" }, \
++ { XFS_IO_DELALLOC, "delalloc" }, \
++ { XFS_IO_UNWRITTEN, "unwritten" }, \
++ { XFS_IO_OVERWRITE, "overwrite" }, \
++ { XFS_IO_COW, "CoW" }
+
+ /*
+ * Structure for buffered I/O completions.
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-remove-the-imap_valid-flag.patch b/patches.fixes/xfs-remove-the-imap_valid-flag.patch
new file mode 100644
index 0000000000..41d88d2a53
--- /dev/null
+++ b/patches.fixes/xfs-remove-the-imap_valid-flag.patch
@@ -0,0 +1,179 @@
+From 889c65b3f60af4c840896478fc6151363ffa279f Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 11 Jul 2018 22:26:02 -0700
+Subject: [PATCH] xfs: remove the imap_valid flag
+Git-commit: 889c65b3f60af4c840896478fc6151363ffa279f
+Patch-mainline: v4.19-rc1
+References: bsc#1138012
+
+Simplify the way we check for a valid imap - we know we have a valid
+mapping after xfs_map_blocks returned successfully, and we know we can
+call xfs_imap_valid on any imap, as it will always fail on a
+zero-initialized map.
+
+We can also remove the xfs_imap_valid function and fold it into
+xfs_map_blocks now.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 89 ++++++++++++++++++++++++-------------------------------
+ 1 file changed, 38 insertions(+), 51 deletions(-)
+
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index 0bfcc2d06658..09092f10cff3 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -30,7 +30,6 @@
+ */
+ struct xfs_writepage_ctx {
+ struct xfs_bmbt_irec imap;
+- bool imap_valid;
+ unsigned int io_type;
+ struct xfs_ioend *ioend;
+ sector_t last_block;
+@@ -370,15 +369,47 @@ xfs_map_blocks(
+ struct xfs_inode *ip = XFS_I(inode);
+ struct xfs_mount *mp = ip->i_mount;
+ ssize_t count = i_blocksize(inode);
+- xfs_fileoff_t offset_fsb, end_fsb;
++ xfs_fileoff_t offset_fsb = XFS_B_TO_FSBT(mp, offset), end_fsb;
+ struct xfs_bmbt_irec imap;
+ int whichfork = XFS_DATA_FORK;
+ struct xfs_iext_cursor icur;
++ bool imap_valid;
+ int error = 0;
+
++ /*
++ * We have to make sure the cached mapping is within EOF to protect
++ * against eofblocks trimming on file release leaving us with a stale
++ * mapping. Otherwise, a page for a subsequent file extending buffered
++ * write could get picked up by this writeback cycle and written to the
++ * wrong blocks.
++ *
++ * Note that what we really want here is a generic mapping invalidation
++ * mechanism to protect us from arbitrary extent modifying contexts, not
++ * just eofblocks.
++ */
++ xfs_trim_extent_eof(&wpc->imap, ip);
++
++ /*
++ * COW fork blocks can overlap data fork blocks even if the blocks
++ * aren't shared. COW I/O always takes precedent, so we must always
++ * check for overlap on reflink inodes unless the mapping is already a
++ * COW one.
++ */
++ imap_valid = offset_fsb >= wpc->imap.br_startoff &&
++ offset_fsb < wpc->imap.br_startoff + wpc->imap.br_blockcount;
++ if (imap_valid &&
++ (!xfs_is_reflink_inode(ip) || wpc->io_type == XFS_IO_COW))
++ return 0;
++
+ if (XFS_FORCED_SHUTDOWN(mp))
+ return -EIO;
+
++ /*
++ * If we don't have a valid map, now it's time to get a new one for this
++ * offset. This will convert delayed allocations (including COW ones)
++ * into real extents. If we return without a valid map, it means we
++ * landed in a hole and we skip the block.
++ */
+ xfs_ilock(ip, XFS_ILOCK_SHARED);
+ ASSERT(ip->i_d.di_format != XFS_DINODE_FMT_BTREE ||
+ (ip->i_df.if_flags & XFS_IFEXTENTS));
+@@ -387,7 +418,6 @@ xfs_map_blocks(
+ if (offset > mp->m_super->s_maxbytes - count)
+ count = mp->m_super->s_maxbytes - offset;
+ end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + count);
+- offset_fsb = XFS_B_TO_FSBT(mp, offset);
+
+ /*
+ * Check if this is offset is covered by a COW extents, and if yes use
+@@ -420,7 +450,7 @@ xfs_map_blocks(
+ /*
+ * Map valid and no COW extent in the way? We're done.
+ */
+- if (wpc->imap_valid) {
++ if (imap_valid) {
+ xfs_iunlock(ip, XFS_ILOCK_SHARED);
+ return 0;
+ }
+@@ -465,31 +495,6 @@ xfs_map_blocks(
+ return 0;
+ }
+
+-STATIC bool
+-xfs_imap_valid(
+- struct inode *inode,
+- struct xfs_bmbt_irec *imap,
+- xfs_off_t offset)
+-{
+- offset >>= inode->i_blkbits;
+-
+- /*
+- * We have to make sure the cached mapping is within EOF to protect
+- * against eofblocks trimming on file release leaving us with a stale
+- * mapping. Otherwise, a page for a subsequent file extending buffered
+- * write could get picked up by this writeback cycle and written to the
+- * wrong blocks.
+- *
+- * Note that what we really want here is a generic mapping invalidation
+- * mechanism to protect us from arbitrary extent modifying contexts, not
+- * just eofblocks.
+- */
+- xfs_trim_extent_eof(imap, XFS_I(inode));
+-
+- return offset >= imap->br_startoff &&
+- offset < imap->br_startoff + imap->br_blockcount;
+-}
+-
+ STATIC void
+ xfs_start_buffer_writeback(
+ struct buffer_head *bh)
+@@ -856,27 +861,10 @@ xfs_writepage_map(
+ continue;
+ }
+
+- if (wpc->imap_valid)
+- wpc->imap_valid = xfs_imap_valid(inode, &wpc->imap,
+- file_offset);
+-
+- /*
+- * COW fork blocks can overlap data fork blocks even if the
+- * blocks aren't shared. COW I/O always takes precedent, so we
+- * must always check for overlap on reflink inodes unless the
+- * mapping is already a COW one.
+- */
+- if (!wpc->imap_valid ||
+- (xfs_is_reflink_inode(XFS_I(inode)) &&
+- wpc->io_type != XFS_IO_COW)) {
+- error = xfs_map_blocks(wpc, inode, file_offset);
+- if (error)
+- goto out;
+- wpc->imap_valid = xfs_imap_valid(inode, &wpc->imap,
+- file_offset);
+- }
+-
+- if (!wpc->imap_valid || wpc->io_type == XFS_IO_HOLE)
++ error = xfs_map_blocks(wpc, inode, file_offset);
++ if (error)
++ break;
++ if (wpc->io_type == XFS_IO_HOLE)
+ continue;
+
+ lock_buffer(bh);
+@@ -887,7 +875,6 @@ xfs_writepage_map(
+
+ ASSERT(wpc->ioend || list_empty(&submit_list));
+
+-out:
+ /*
+ * On error, we have to fail the ioend here because we have locked
+ * buffers in the ioend. If we don't do this, we'll deadlock
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-remove-unused-parameter-from-xfs_writepage_map.patch b/patches.fixes/xfs-remove-unused-parameter-from-xfs_writepage_map.patch
new file mode 100644
index 0000000000..f557a94f8c
--- /dev/null
+++ b/patches.fixes/xfs-remove-unused-parameter-from-xfs_writepage_map.patch
@@ -0,0 +1,52 @@
+From 2d5f4b5bebccfe983715ebc9255151e611234643 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Mon, 27 Nov 2017 09:50:22 -0800
+Subject: [PATCH] xfs: remove unused parameter from xfs_writepage_map
+Git-commit: 2d5f4b5bebccfe983715ebc9255151e611234643
+Patch-mainline: v4.15-rc2
+References: bsc#1137995
+
+The first thing that xfs_writepage_map does is clobber the offset
+parameter. Since we never use the passed-in value, turn the parameter
+into a local variable. This gets rid of an UBSAN warning in generic/466.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index b0cccf8a81a8..21e2d70884e1 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -896,13 +896,13 @@ xfs_writepage_map(
+ struct writeback_control *wbc,
+ struct inode *inode,
+ struct page *page,
+- loff_t offset,
+- uint64_t end_offset)
++ uint64_t end_offset)
+ {
+ LIST_HEAD(submit_list);
+ struct xfs_ioend *ioend, *next;
+ struct buffer_head *bh, *head;
+ ssize_t len = i_blocksize(inode);
++ uint64_t offset;
+ int error = 0;
+ int count = 0;
+ int uptodate = 1;
+@@ -1146,7 +1146,7 @@ xfs_do_writepage(
+ end_offset = offset;
+ }
+
+- return xfs_writepage_map(wpc, wbc, inode, page, offset, end_offset);
++ return xfs_writepage_map(wpc, wbc, inode, page, end_offset);
+
+ redirty:
+ redirty_page_for_writepage(wbc, page);
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-remove-xfs_map_cow.patch b/patches.fixes/xfs-remove-xfs_map_cow.patch
new file mode 100644
index 0000000000..0d9b9e0a2e
--- /dev/null
+++ b/patches.fixes/xfs-remove-xfs_map_cow.patch
@@ -0,0 +1,322 @@
+From 5c665e5b5af6b8ad3e38ee73cb495ec695bcf589 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 11 Jul 2018 22:25:59 -0700
+Subject: [PATCH] xfs: remove xfs_map_cow
+Git-commit: 5c665e5b5af6b8ad3e38ee73cb495ec695bcf589
+Patch-mainline: v4.19-rc1
+References: bsc#1138007
+
+We can handle the existing cow mapping case as a special case directly
+in xfs_writepage_map, and share code for allocating delalloc blocks
+with regular I/O in xfs_map_blocks. This means we need to always
+call xfs_map_blocks for reflink inodes, but we can still skip most of
+the work if it turns out that there is no COW mapping overlapping the
+current block.
+
+As a subtle detail we need to start caching holes in the wpc to deal
+with the case of COW reservations between EOF. But we'll need that
+infrastructure later anyway, so this is no big deal.
+
+Based on a patch from Dave Chinner.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 195 ++++++++++++++++++++++++++----------------------------
+ fs/xfs/xfs_aops.h | 4 -
+ 2 files changed, 100 insertions(+), 99 deletions(-)
+
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -375,70 +375,107 @@
+
+ STATIC int
+ xfs_map_blocks(
++ struct xfs_writepage_ctx *wpc,
+ struct inode *inode,
+- loff_t offset,
+- struct xfs_bmbt_irec *imap,
+- int type)
++ loff_t offset)
+ {
+ struct xfs_inode *ip = XFS_I(inode);
+ struct xfs_mount *mp = ip->i_mount;
+ ssize_t count = i_blocksize(inode);
+- xfs_fileoff_t offset_fsb, end_fsb;
++ xfs_fileoff_t offset_fsb = XFS_B_TO_FSBT(mp, offset), end_fsb;
++ struct xfs_bmbt_irec imap;
++ int whichfork = XFS_DATA_FORK;
+ int error = 0;
+ int nimaps = 1;
+
+ if (XFS_FORCED_SHUTDOWN(mp))
+ return -EIO;
+
+- /*
+- * Truncate can race with writeback since writeback doesn't take the
+- * iolock and truncate decreases the file size before it starts
+- * truncating the pages between new_size and old_size. Therefore, we
+- * can end up in the situation where writeback gets a CoW fork mapping
+- * but the truncate makes the mapping invalid and we end up in here
+- * trying to get a new mapping. Bail out here so that we simply never
+- * get a valid mapping and so we drop the write altogether. The page
+- * truncation will kill the contents anyway.
+- */
+- if (type == XFS_IO_COW && offset > i_size_read(inode))
+- return 0;
+-
+- ASSERT(type != XFS_IO_COW);
+-
+ xfs_ilock(ip, XFS_ILOCK_SHARED);
+ ASSERT(ip->i_d.di_format != XFS_DINODE_FMT_BTREE ||
+ (ip->i_df.if_flags & XFS_IFEXTENTS));
+ ASSERT(offset <= mp->m_super->s_maxbytes);
+
++ if (xfs_is_reflink_inode(ip) &&
++ xfs_reflink_find_cow_mapping(ip, offset, &imap)) {
++ xfs_iunlock(ip, XFS_ILOCK_SHARED);
++ /*
++ * Truncate can race with writeback since writeback doesn't
++ * take the iolock and truncate decreases the file size before
++ * it starts truncating the pages between new_size and old_size.
++ * Therefore, we can end up in the situation where writeback
++ * gets a CoW fork mapping but the truncate makes the mapping
++ * invalid and we end up in here trying to get a new mapping.
++ * bail out here so that we simply never get a valid mapping
++ * and so we drop the write altogether. The page truncation
++ * will kill the contents anyway.
++ */
++ if (offset > i_size_read(inode)) {
++ wpc->io_type = XFS_IO_HOLE;
++ return 0;
++ }
++ whichfork = XFS_COW_FORK;
++ wpc->io_type = XFS_IO_COW;
++ goto allocate_blocks;
++ }
++
++ /*
++ * Map valid and no COW extent in the way? We're done.
++ */
++ if (wpc->imap_valid) {
++ xfs_iunlock(ip, XFS_ILOCK_SHARED);
++ return 0;
++ }
++
++ /*
++ * If we don't have a valid map, now it's time to get a new one for this
++ * offset. This will convert delayed allocations (including COW ones)
++ * into real extents.
++ */
+ if (offset > mp->m_super->s_maxbytes - count)
+ count = mp->m_super->s_maxbytes - offset;
+ end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + count);
+ offset_fsb = XFS_B_TO_FSBT(mp, offset);
+ error = xfs_bmapi_read(ip, offset_fsb, end_fsb - offset_fsb,
+- imap, &nimaps, XFS_BMAPI_ENTIRE);
++ &imap, &nimaps, XFS_BMAPI_ENTIRE);
+ xfs_iunlock(ip, XFS_ILOCK_SHARED);
+-
+ if (error)
+ return error;
+
+- if (type == XFS_IO_DELALLOC &&
+- (!nimaps || isnullstartblock(imap->br_startblock))) {
+- error = xfs_iomap_write_allocate(ip, XFS_DATA_FORK, offset,
+- imap);
+- if (!error)
+- trace_xfs_map_blocks_alloc(ip, offset, count, type, imap);
+- return error;
++ if (!nimaps) {
++ /*
++ * Lookup returns no match? Beyond eof? regardless,
++ * return it as a hole so we don't write it
++ */
++ imap.br_startoff = offset_fsb;
++ imap.br_blockcount = end_fsb - offset_fsb;
++ imap.br_startblock = HOLESTARTBLOCK;
++ wpc->io_type = XFS_IO_HOLE;
++ } else if (imap.br_startblock == HOLESTARTBLOCK) {
++ /* landed in a hole */
++ wpc->io_type = XFS_IO_HOLE;
+ }
+
++ if (wpc->io_type == XFS_IO_DELALLOC &&
++ (!nimaps || isnullstartblock(imap.br_startblock)))
++ goto allocate_blocks;
++
+ #ifdef DEBUG
+- if (type == XFS_IO_UNWRITTEN) {
++ if (wpc->io_type == XFS_IO_UNWRITTEN) {
+ ASSERT(nimaps);
+- ASSERT(imap->br_startblock != HOLESTARTBLOCK);
+- ASSERT(imap->br_startblock != DELAYSTARTBLOCK);
++ ASSERT(imap.br_startblock != HOLESTARTBLOCK);
++ ASSERT(imap.br_startblock != DELAYSTARTBLOCK);
+ }
+ #endif
+- if (nimaps)
+- trace_xfs_map_blocks_found(ip, offset, count, type, imap);
++ wpc->imap = imap;
++ trace_xfs_map_blocks_found(ip, offset, count, wpc->io_type, &imap);
++ return 0;
++allocate_blocks:
++ error = xfs_iomap_write_allocate(ip, whichfork, offset, &imap);
++ if (error)
++ return error;
++ wpc->imap = imap;
++ trace_xfs_map_blocks_alloc(ip, offset, count, wpc->io_type, &imap);
+ return 0;
+ }
+
+@@ -837,56 +874,6 @@
+ return;
+ }
+
+-static int
+-xfs_map_cow(
+- struct xfs_writepage_ctx *wpc,
+- struct inode *inode,
+- loff_t offset,
+- unsigned int *new_type)
+-{
+- struct xfs_inode *ip = XFS_I(inode);
+- struct xfs_bmbt_irec imap;
+- bool is_cow = false;
+- int error;
+-
+- /*
+- * If we already have a valid COW mapping keep using it.
+- */
+- if (wpc->io_type == XFS_IO_COW) {
+- wpc->imap_valid = xfs_imap_valid(inode, &wpc->imap, offset);
+- if (wpc->imap_valid) {
+- *new_type = XFS_IO_COW;
+- return 0;
+- }
+- }
+-
+- /*
+- * Else we need to check if there is a COW mapping at this offset.
+- */
+- xfs_ilock(ip, XFS_ILOCK_SHARED);
+- is_cow = xfs_reflink_find_cow_mapping(ip, offset, &imap);
+- xfs_iunlock(ip, XFS_ILOCK_SHARED);
+-
+- if (!is_cow)
+- return 0;
+-
+- /*
+- * And if the COW mapping has a delayed extent here we need to
+- * allocate real space for it now.
+- */
+- if (isnullstartblock(imap.br_startblock)) {
+- error = xfs_iomap_write_allocate(ip, XFS_COW_FORK, offset,
+- &imap);
+- if (error)
+- return error;
+- }
+-
+- wpc->io_type = *new_type = XFS_IO_COW;
+- wpc->imap_valid = true;
+- wpc->imap = imap;
+- return 0;
+-}
+-
+ /*
+ * We implement an immediate ioend submission policy here to avoid needing to
+ * chain multiple ioends and hence nest mempool allocations which can violate
+@@ -915,7 +902,7 @@
+ struct xfs_ioend *ioend, *next;
+ struct buffer_head *bh, *head;
+ ssize_t len = i_blocksize(inode);
+- uint64_t offset;
++ uint64_t offset; /* file offset of page */
+ int error = 0;
+ int count = 0;
+ unsigned int new_type;
+@@ -951,10 +938,13 @@
+ continue;
+ }
+
+- if (xfs_is_reflink_inode(XFS_I(inode))) {
+- error = xfs_map_cow(wpc, inode, offset, &new_type);
+- if (error)
+- goto out;
++ /*
++ * If we already have a valid COW mapping keep using it.
++ */
++ if (wpc->io_type == XFS_IO_COW &&
++ xfs_imap_valid(inode, &wpc->imap, offset)) {
++ wpc->imap_valid = true;
++ new_type = XFS_IO_COW;
+ }
+
+ if (wpc->io_type != new_type) {
+@@ -965,22 +955,31 @@
+ if (wpc->imap_valid)
+ wpc->imap_valid = xfs_imap_valid(inode, &wpc->imap,
+ offset);
+- if (!wpc->imap_valid) {
+- error = xfs_map_blocks(inode, offset, &wpc->imap,
+- wpc->io_type);
++
++ /*
++ * COW fork blocks can overlap data fork blocks even if the
++ * blocks aren't shared. COW I/O always takes precedent, so we
++ * must always check for overlap on reflink inodes unless the
++ * mapping is already a COW one.
++ */
++ if (!wpc->imap_valid ||
++ (xfs_is_reflink_inode(XFS_I(inode)) &&
++ wpc->io_type != XFS_IO_COW)) {
++ error = xfs_map_blocks(wpc, inode, offset);
+ if (error)
+ goto out;
+ wpc->imap_valid = xfs_imap_valid(inode, &wpc->imap,
+ offset);
+ }
+- if (wpc->imap_valid) {
+- lock_buffer(bh);
+- if (wpc->io_type != XFS_IO_OVERWRITE)
+- xfs_map_at_offset(inode, bh, &wpc->imap, offset);
+- xfs_add_to_ioend(inode, bh, offset, wpc, wbc, &submit_list);
+- count++;
+- }
+
++ if (!wpc->imap_valid || wpc->io_type == XFS_IO_HOLE)
++ continue;
++
++ lock_buffer(bh);
++ if (wpc->io_type != XFS_IO_OVERWRITE)
++ xfs_map_at_offset(inode, bh, &wpc->imap, offset);
++ xfs_add_to_ioend(inode, bh, offset, wpc, wbc, &submit_list);
++ count++;
+ } while (offset += len, ((bh = bh->b_this_page) != head));
+
+ ASSERT(wpc->ioend || list_empty(&submit_list));
+--- a/fs/xfs/xfs_aops.h
++++ b/fs/xfs/xfs_aops.h
+@@ -29,6 +29,7 @@
+ XFS_IO_UNWRITTEN, /* covers allocated but uninitialized data */
+ XFS_IO_OVERWRITE, /* covers already allocated extent */
+ XFS_IO_COW, /* covers copy-on-write extent */
++ XFS_IO_HOLE, /* covers region without any block allocation */
+ };
+
+ #define XFS_IO_TYPES \
+@@ -36,7 +37,8 @@
+ { XFS_IO_DELALLOC, "delalloc" }, \
+ { XFS_IO_UNWRITTEN, "unwritten" }, \
+ { XFS_IO_OVERWRITE, "overwrite" }, \
+- { XFS_IO_COW, "CoW" }
++ { XFS_IO_COW, "CoW" }, \
++ { XFS_IO_HOLE, "hole" }
+
+ /*
+ * Structure for buffered I/O completions.
+
diff --git a/patches.fixes/xfs-remove-xfs_reflink_find_cow_mapping.patch b/patches.fixes/xfs-remove-xfs_reflink_find_cow_mapping.patch
new file mode 100644
index 0000000000..7b9971abc8
--- /dev/null
+++ b/patches.fixes/xfs-remove-xfs_reflink_find_cow_mapping.patch
@@ -0,0 +1,130 @@
+From 060d4eaa0bf30a8fc2d189e4d4922f6e9027857b Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 11 Jul 2018 22:26:01 -0700
+Subject: [PATCH] xfs: remove xfs_reflink_find_cow_mapping
+Git-commit: 060d4eaa0bf30a8fc2d189e4d4922f6e9027857b
+Patch-mainline: v4.19-rc1
+References: bsc#1138010
+
+We only have one caller left, and open coding the simple extent list
+lookup in it allows us to make the code both more understandable and
+reuse calculations and variables already present.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 19 +++++++++++++------
+ fs/xfs/xfs_reflink.c | 29 -----------------------------
+ fs/xfs/xfs_reflink.h | 2 --
+ fs/xfs/xfs_trace.h | 1 -
+ 4 files changed, 13 insertions(+), 38 deletions(-)
+
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -382,9 +382,10 @@
+ struct xfs_inode *ip = XFS_I(inode);
+ struct xfs_mount *mp = ip->i_mount;
+ ssize_t count = i_blocksize(inode);
+- xfs_fileoff_t offset_fsb = XFS_B_TO_FSBT(mp, offset), end_fsb;
++ xfs_fileoff_t offset_fsb, end_fsb;
+ struct xfs_bmbt_irec imap;
+ int whichfork = XFS_DATA_FORK;
++ struct xfs_iext_cursor icur;
+ int error = 0;
+ int nimaps = 1;
+
+@@ -396,8 +397,18 @@
+ (ip->i_df.if_flags & XFS_IFEXTENTS));
+ ASSERT(offset <= mp->m_super->s_maxbytes);
+
++ if (offset > mp->m_super->s_maxbytes - count)
++ count = mp->m_super->s_maxbytes - offset;
++ end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + count);
++ offset_fsb = XFS_B_TO_FSBT(mp, offset);
++
++ /*
++ * Check if this is offset is covered by a COW extents, and if yes use
++ * it directly instead of looking up anything in the data fork.
++ */
+ if (xfs_is_reflink_inode(ip) &&
+- xfs_reflink_find_cow_mapping(ip, offset, &imap)) {
++ xfs_iext_lookup_extent(ip, ip->i_cowfp, offset_fsb, &icur, &imap) &&
++ imap.br_startoff <= offset_fsb) {
+ xfs_iunlock(ip, XFS_ILOCK_SHARED);
+ /*
+ * Truncate can race with writeback since writeback doesn't
+@@ -432,10 +443,6 @@
+ * offset. This will convert delayed allocations (including COW ones)
+ * into real extents.
+ */
+- if (offset > mp->m_super->s_maxbytes - count)
+- count = mp->m_super->s_maxbytes - offset;
+- end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + count);
+- offset_fsb = XFS_B_TO_FSBT(mp, offset);
+ error = xfs_bmapi_read(ip, offset_fsb, end_fsb - offset_fsb,
+ &imap, &nimaps, XFS_BMAPI_ENTIRE);
+ xfs_iunlock(ip, XFS_ILOCK_SHARED);
+--- a/fs/xfs/xfs_reflink.c
++++ b/fs/xfs/xfs_reflink.c
+@@ -476,35 +476,6 @@
+ }
+
+ /*
+- * Find the CoW reservation for a given byte offset of a file.
+- */
+-bool
+-xfs_reflink_find_cow_mapping(
+- struct xfs_inode *ip,
+- xfs_off_t offset,
+- struct xfs_bmbt_irec *imap)
+-{
+- struct xfs_ifork *ifp = XFS_IFORK_PTR(ip, XFS_COW_FORK);
+- xfs_fileoff_t offset_fsb;
+- struct xfs_bmbt_irec got;
+- struct xfs_iext_cursor icur;
+-
+- ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL | XFS_ILOCK_SHARED));
+- ASSERT(xfs_is_reflink_inode(ip));
+-
+- offset_fsb = XFS_B_TO_FSBT(ip->i_mount, offset);
+- if (!xfs_iext_lookup_extent(ip, ifp, offset_fsb, &icur, &got))
+- return false;
+- if (got.br_startoff > offset_fsb)
+- return false;
+-
+- trace_xfs_reflink_find_cow_mapping(ip, offset, 1, XFS_IO_OVERWRITE,
+- &got);
+- *imap = got;
+- return true;
+-}
+-
+-/*
+ * Cancel CoW reservations for some block range of an inode.
+ *
+ * If cancel_real is true this function cancels all COW fork extents for the
+--- a/fs/xfs/xfs_reflink.h
++++ b/fs/xfs/xfs_reflink.h
+@@ -32,8 +32,6 @@
+ struct xfs_bmbt_irec *imap, bool *shared, uint *lockmode);
+ extern int xfs_reflink_convert_cow(struct xfs_inode *ip, xfs_off_t offset,
+ xfs_off_t count);
+-extern bool xfs_reflink_find_cow_mapping(struct xfs_inode *ip, xfs_off_t offset,
+- struct xfs_bmbt_irec *imap);
+
+ extern int xfs_reflink_cancel_cow_blocks(struct xfs_inode *ip,
+ struct xfs_trans **tpp, xfs_fileoff_t offset_fsb,
+--- a/fs/xfs/xfs_trace.h
++++ b/fs/xfs/xfs_trace.h
+@@ -3220,7 +3220,6 @@
+ DEFINE_RW_EVENT(xfs_reflink_reserve_cow);
+
+ DEFINE_SIMPLE_IO_EVENT(xfs_reflink_bounce_dio_write);
+-DEFINE_IOMAP_EVENT(xfs_reflink_find_cow_mapping);
+
+ DEFINE_SIMPLE_IO_EVENT(xfs_reflink_cancel_cow_range);
+ DEFINE_SIMPLE_IO_EVENT(xfs_reflink_end_cow);
+
diff --git a/patches.fixes/xfs-remove-xfs_reflink_trim_irec_to_next_cow.patch b/patches.fixes/xfs-remove-xfs_reflink_trim_irec_to_next_cow.patch
new file mode 100644
index 0000000000..8b714f220c
--- /dev/null
+++ b/patches.fixes/xfs-remove-xfs_reflink_trim_irec_to_next_cow.patch
@@ -0,0 +1,115 @@
+From fca8c805425c0d9435097a6c780e95332e54613a Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 11 Jul 2018 22:25:59 -0700
+Subject: [PATCH] xfs: remove xfs_reflink_trim_irec_to_next_cow
+Git-commit: fca8c805425c0d9435097a6c780e95332e54613a
+Patch-mainline: v4.19-rc1
+References: bsc#1138006
+
+We already have to check for overlapping COW extents everytime we
+come back to a page in xfs_writepage_map / xfs_map_cow, so this
+additional trim is not required.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 7 -------
+ fs/xfs/xfs_reflink.c | 33 ---------------------------------
+ fs/xfs/xfs_reflink.h | 2 --
+ fs/xfs/xfs_trace.h | 1 -
+ 4 files changed, 43 deletions(-)
+
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index 6b6150683343..08605432c497 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -404,13 +404,6 @@ xfs_map_blocks(
+ offset_fsb = XFS_B_TO_FSBT(mp, offset);
+ error = xfs_bmapi_read(ip, offset_fsb, end_fsb - offset_fsb,
+ imap, &nimaps, XFS_BMAPI_ENTIRE);
+- /*
+- * Truncate an overwrite extent if there's a pending CoW
+- * reservation before the end of this extent. This forces us
+- * to come back to writepage to take care of the CoW.
+- */
+- if (nimaps && type == XFS_IO_OVERWRITE)
+- xfs_reflink_trim_irec_to_next_cow(ip, offset_fsb, imap);
+ xfs_iunlock(ip, XFS_ILOCK_SHARED);
+
+ if (error)
+diff --git a/fs/xfs/xfs_reflink.c b/fs/xfs/xfs_reflink.c
+index 592fb2071a03..22c11b98ab26 100644
+--- a/fs/xfs/xfs_reflink.c
++++ b/fs/xfs/xfs_reflink.c
+@@ -500,39 +500,6 @@ xfs_reflink_find_cow_mapping(
+ return true;
+ }
+
+-/*
+- * Trim an extent to end at the next CoW reservation past offset_fsb.
+- */
+-void
+-xfs_reflink_trim_irec_to_next_cow(
+- struct xfs_inode *ip,
+- xfs_fileoff_t offset_fsb,
+- struct xfs_bmbt_irec *imap)
+-{
+- struct xfs_ifork *ifp = XFS_IFORK_PTR(ip, XFS_COW_FORK);
+- struct xfs_bmbt_irec got;
+- struct xfs_iext_cursor icur;
+-
+- if (!xfs_is_reflink_inode(ip))
+- return;
+-
+- /* Find the extent in the CoW fork. */
+- if (!xfs_iext_lookup_extent(ip, ifp, offset_fsb, &icur, &got))
+- return;
+-
+- /* This is the extent before; try sliding up one. */
+- if (got.br_startoff < offset_fsb) {
+- if (!xfs_iext_next_extent(ifp, &icur, &got))
+- return;
+- }
+-
+- if (got.br_startoff >= imap->br_startoff + imap->br_blockcount)
+- return;
+-
+- imap->br_blockcount = got.br_startoff - imap->br_startoff;
+- trace_xfs_reflink_trim_irec(ip, imap);
+-}
+-
+ /*
+ * Cancel CoW reservations for some block range of an inode.
+ *
+diff --git a/fs/xfs/xfs_reflink.h b/fs/xfs/xfs_reflink.h
+index 1532827ba911..6f9f98894abc 100644
+--- a/fs/xfs/xfs_reflink.h
++++ b/fs/xfs/xfs_reflink.h
+@@ -20,8 +20,6 @@ extern int xfs_reflink_convert_cow(struct xfs_inode *ip, xfs_off_t offset,
+ xfs_off_t count);
+ extern bool xfs_reflink_find_cow_mapping(struct xfs_inode *ip, xfs_off_t offset,
+ struct xfs_bmbt_irec *imap);
+-extern void xfs_reflink_trim_irec_to_next_cow(struct xfs_inode *ip,
+- xfs_fileoff_t offset_fsb, struct xfs_bmbt_irec *imap);
+
+ extern int xfs_reflink_cancel_cow_blocks(struct xfs_inode *ip,
+ struct xfs_trans **tpp, xfs_fileoff_t offset_fsb,
+diff --git a/fs/xfs/xfs_trace.h b/fs/xfs/xfs_trace.h
+index 972d45d28097..a5b01529ecf6 100644
+--- a/fs/xfs/xfs_trace.h
++++ b/fs/xfs/xfs_trace.h
+@@ -3216,7 +3216,6 @@ DEFINE_RW_EVENT(xfs_reflink_reserve_cow);
+
+ DEFINE_SIMPLE_IO_EVENT(xfs_reflink_bounce_dio_write);
+ DEFINE_IOMAP_EVENT(xfs_reflink_find_cow_mapping);
+-DEFINE_INODE_IREC_EVENT(xfs_reflink_trim_irec);
+
+ DEFINE_SIMPLE_IO_EVENT(xfs_reflink_cancel_cow_range);
+ DEFINE_SIMPLE_IO_EVENT(xfs_reflink_end_cow);
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-remove-xfs_start_page_writeback.patch b/patches.fixes/xfs-remove-xfs_start_page_writeback.patch
new file mode 100644
index 0000000000..096c185e0f
--- /dev/null
+++ b/patches.fixes/xfs-remove-xfs_start_page_writeback.patch
@@ -0,0 +1,102 @@
+From 1b65d3dd2d5e938b035b2ad73d0b47f35b5ef9a0 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 11 Jul 2018 22:26:03 -0700
+Subject: [PATCH] xfs: remove xfs_start_page_writeback
+Git-commit: 1b65d3dd2d5e938b035b2ad73d0b47f35b5ef9a0
+Patch-mainline: v4.19-rc1
+References: bsc#1138015
+
+This helper only has two callers, one of them with a constant error
+argument. Remove it to make pending changes to the code a little easier.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 46 ++++++++++++++++++++--------------------------
+ 1 file changed, 20 insertions(+), 26 deletions(-)
+
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index 71b4ca60ff40..af9224ea4ebf 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -494,30 +494,6 @@ xfs_map_blocks(
+ return 0;
+ }
+
+-STATIC void
+-xfs_start_page_writeback(
+- struct page *page,
+- int clear_dirty)
+-{
+- ASSERT(PageLocked(page));
+- ASSERT(!PageWriteback(page));
+-
+- /*
+- * if the page was not fully cleaned, we need to ensure that the higher
+- * layers come back to it correctly. That means we need to keep the page
+- * dirty, and for WB_SYNC_ALL writeback we need to ensure the
+- * PAGECACHE_TAG_TOWRITE index mark is not removed so another attempt to
+- * write this page in this writeback sweep will be made.
+- */
+- if (clear_dirty) {
+- clear_page_dirty_for_io(page);
+- set_page_writeback(page);
+- } else
+- set_page_writeback_keepwrite(page);
+-
+- unlock_page(page);
+-}
+-
+ /*
+ * Submit the bio for an ioend. We are passed an ioend with a bio attached to
+ * it, and we submit that bio. The ioend may be used for multiple bio
+@@ -858,6 +834,8 @@ xfs_writepage_map(
+ }
+
+ ASSERT(wpc->ioend || list_empty(&submit_list));
++ ASSERT(PageLocked(page));
++ ASSERT(!PageWriteback(page));
+
+ /*
+ * On error, we have to fail the ioend here because we have locked
+@@ -877,7 +855,21 @@ xfs_writepage_map(
+ * treated correctly on error.
+ */
+ if (count) {
+- xfs_start_page_writeback(page, !error);
++ /*
++ * If the page was not fully cleaned, we need to ensure that the
++ * higher layers come back to it correctly. That means we need
++ * to keep the page dirty, and for WB_SYNC_ALL writeback we need
++ * to ensure the PAGECACHE_TAG_TOWRITE index mark is not removed
++ * so another attempt to write this page in this writeback sweep
++ * will be made.
++ */
++ if (error) {
++ set_page_writeback_keepwrite(page);
++ } else {
++ clear_page_dirty_for_io(page);
++ set_page_writeback(page);
++ }
++ unlock_page(page);
+
+ /*
+ * Preserve the original error if there was one, otherwise catch
+@@ -902,7 +894,9 @@ xfs_writepage_map(
+ * race with a partial page truncate on a sub-page block sized
+ * filesystem. In that case we need to mark the page clean.
+ */
+- xfs_start_page_writeback(page, 1);
++ clear_page_dirty_for_io(page);
++ set_page_writeback(page);
++ unlock_page(page);
+ end_page_writeback(page);
+ }
+
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-rename-the-offset-variable-in-xfs_writepage_map.patch b/patches.fixes/xfs-rename-the-offset-variable-in-xfs_writepage_map.patch
new file mode 100644
index 0000000000..13a5b9a42d
--- /dev/null
+++ b/patches.fixes/xfs-rename-the-offset-variable-in-xfs_writepage_map.patch
@@ -0,0 +1,94 @@
+From 6a4c95013608120b2d88be67c6871cb6b86aa5d6 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 11 Jul 2018 22:26:00 -0700
+Subject: [PATCH] xfs: rename the offset variable in xfs_writepage_map
+Git-commit: 6a4c95013608120b2d88be67c6871cb6b86aa5d6
+Patch-mainline: v4.19-rc1
+References: bsc#1138008
+
+Calling it file_offset makes the usage more clear, especially with
+a new poffset variable that will be added soon for the offset inside
+the page.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index 65454a4f4d93..4dc5fcff226e 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -823,15 +823,15 @@ xfs_writepage_map(
+ struct xfs_ioend *ioend, *next;
+ struct buffer_head *bh, *head;
+ ssize_t len = i_blocksize(inode);
+- uint64_t offset; /* file offset of page */
++ uint64_t file_offset; /* file offset of page */
+ int error = 0;
+ int count = 0;
+ unsigned int new_type;
+
+ bh = head = page_buffers(page);
+- offset = page_offset(page);
++ file_offset = page_offset(page);
+ do {
+- if (offset >= end_offset)
++ if (file_offset >= end_offset)
+ break;
+
+ /*
+@@ -863,7 +863,7 @@ xfs_writepage_map(
+ * If we already have a valid COW mapping keep using it.
+ */
+ if (wpc->io_type == XFS_IO_COW &&
+- xfs_imap_valid(inode, &wpc->imap, offset)) {
++ xfs_imap_valid(inode, &wpc->imap, file_offset)) {
+ wpc->imap_valid = true;
+ new_type = XFS_IO_COW;
+ }
+@@ -875,7 +875,7 @@ xfs_writepage_map(
+
+ if (wpc->imap_valid)
+ wpc->imap_valid = xfs_imap_valid(inode, &wpc->imap,
+- offset);
++ file_offset);
+
+ /*
+ * COW fork blocks can overlap data fork blocks even if the
+@@ -886,11 +886,11 @@ xfs_writepage_map(
+ if (!wpc->imap_valid ||
+ (xfs_is_reflink_inode(XFS_I(inode)) &&
+ wpc->io_type != XFS_IO_COW)) {
+- error = xfs_map_blocks(wpc, inode, offset);
++ error = xfs_map_blocks(wpc, inode, file_offset);
+ if (error)
+ goto out;
+ wpc->imap_valid = xfs_imap_valid(inode, &wpc->imap,
+- offset);
++ file_offset);
+ }
+
+ if (!wpc->imap_valid || wpc->io_type == XFS_IO_HOLE)
+@@ -898,10 +898,10 @@ xfs_writepage_map(
+
+ lock_buffer(bh);
+ if (wpc->io_type != XFS_IO_OVERWRITE)
+- xfs_map_at_offset(inode, bh, &wpc->imap, offset);
+- xfs_add_to_ioend(inode, bh, offset, wpc, wbc, &submit_list);
++ xfs_map_at_offset(inode, bh, &wpc->imap, file_offset);
++ xfs_add_to_ioend(inode, bh, file_offset, wpc, wbc, &submit_list);
+ count++;
+- } while (offset += len, ((bh = bh->b_this_page) != head));
++ } while (file_offset += len, ((bh = bh->b_this_page) != head));
+
+ ASSERT(wpc->ioend || list_empty(&submit_list));
+
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-simplify-xfs_map_blocks-by-using-xfs_iext_lookup.patch b/patches.fixes/xfs-simplify-xfs_map_blocks-by-using-xfs_iext_lookup.patch
new file mode 100644
index 0000000000..45baedf91b
--- /dev/null
+++ b/patches.fixes/xfs-simplify-xfs_map_blocks-by-using-xfs_iext_lookup.patch
@@ -0,0 +1,70 @@
+From 3345746ef38bb794ae9d4d0762adf151e452663e Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 11 Jul 2018 22:26:02 -0700
+Subject: [PATCH] xfs: simplify xfs_map_blocks by using xfs_iext_lookup_extent
+ directly
+Git-commit: 3345746ef38bb794ae9d4d0762adf151e452663e
+Patch-mainline: v4.19-rc1
+References: bsc#1138011
+
+xfs_bmapi_read adds zero value in xfs_map_blocks. Replace it with a
+direct call to the low-level extent lookup function.
+
+Note that we now always pass a 0 length to the trace points as we ask
+for an unspecified len.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 19 +++++--------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index 5c5d8c832dcc..0bfcc2d06658 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -375,7 +375,6 @@ xfs_map_blocks(
+ int whichfork = XFS_DATA_FORK;
+ struct xfs_iext_cursor icur;
+ int error = 0;
+- int nimaps = 1;
+
+ if (XFS_FORCED_SHUTDOWN(mp))
+ return -EIO;
+@@ -431,24 +430,16 @@ xfs_map_blocks(
+ * offset. This will convert delayed allocations (including COW ones)
+ * into real extents.
+ */
+- error = xfs_bmapi_read(ip, offset_fsb, end_fsb - offset_fsb,
+- &imap, &nimaps, XFS_BMAPI_ENTIRE);
++ if (!xfs_iext_lookup_extent(ip, &ip->i_df, offset_fsb, &icur, &imap))
++ imap.br_startoff = end_fsb; /* fake a hole past EOF */
+ xfs_iunlock(ip, XFS_ILOCK_SHARED);
+- if (error)
+- return error;
+
+- if (!nimaps) {
+- /*
+- * Lookup returns no match? Beyond eof? regardless,
+- * return it as a hole so we don't write it
+- */
++ if (imap.br_startoff > offset_fsb) {
++ /* landed in a hole or beyond EOF */
++ imap.br_blockcount = imap.br_startoff - offset_fsb;
+ imap.br_startoff = offset_fsb;
+- imap.br_blockcount = end_fsb - offset_fsb;
+ imap.br_startblock = HOLESTARTBLOCK;
+ wpc->io_type = XFS_IO_HOLE;
+- } else if (imap.br_startblock == HOLESTARTBLOCK) {
+- /* landed in a hole */
+- wpc->io_type = XFS_IO_HOLE;
+ } else {
+ if (isnullstartblock(imap.br_startblock)) {
+ /* got a delalloc extent */
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-skip-CoW-writes-past-EOF-when-writeback-races-wi.patch b/patches.fixes/xfs-skip-CoW-writes-past-EOF-when-writeback-races-wi.patch
new file mode 100644
index 0000000000..10b8c85e0c
--- /dev/null
+++ b/patches.fixes/xfs-skip-CoW-writes-past-EOF-when-writeback-races-wi.patch
@@ -0,0 +1,56 @@
+From 70c57dcd606f218b507372a05e633b23351258f0 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Wed, 24 Jan 2018 20:48:53 -0800
+Subject: [PATCH] xfs: skip CoW writes past EOF when writeback races with
+ truncate
+Git-commit: 70c57dcd606f218b507372a05e633b23351258f0
+Patch-mainline: v4.16-rc1
+References: bsc#1137998
+
+Every so often we blow the ASSERT(type != XFS_IO_COW) in xfs_map_blocks
+when running fsstress, as we do in generic/269. The cause of this is
+writeback racing with truncate -- writeback doesn't take the iolock, so
+truncate can sneak in to decrease i_size and truncate page cache while
+writeback is gathering buffer heads to schedule writeout.
+
+If we hit this race on a block that has a CoW mapping, we'll get a valid
+imap from the CoW fork but the reduced i_size trims the mapping to zero
+length (which makes it invalid), so we call xfs_map_blocks to try again.
+This doesn't do much anyway, since any mapping we get out of that will
+also be invalid, so we might as well skip the assert and just stop.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index 2e094c76bd45..9c6a830da0ee 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -390,6 +390,19 @@ xfs_map_blocks(
+ if (XFS_FORCED_SHUTDOWN(mp))
+ return -EIO;
+
++ /*
++ * Truncate can race with writeback since writeback doesn't take the
++ * iolock and truncate decreases the file size before it starts
++ * truncating the pages between new_size and old_size. Therefore, we
++ * can end up in the situation where writeback gets a CoW fork mapping
++ * but the truncate makes the mapping invalid and we end up in here
++ * trying to get a new mapping. Bail out here so that we simply never
++ * get a valid mapping and so we drop the write altogether. The page
++ * truncation will kill the contents anyway.
++ */
++ if (type == XFS_IO_COW && offset > i_size_read(inode))
++ return 0;
++
+ ASSERT(type != XFS_IO_COW);
+ if (type == XFS_IO_UNWRITTEN)
+ bmapi_flags |= XFS_BMAPI_IGSTATE;
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-xfs_reflink_convert_cow-memory-allocation-deadlo.patch b/patches.fixes/xfs-xfs_reflink_convert_cow-memory-allocation-deadlo.patch
new file mode 100644
index 0000000000..256404f7f2
--- /dev/null
+++ b/patches.fixes/xfs-xfs_reflink_convert_cow-memory-allocation-deadlo.patch
@@ -0,0 +1,83 @@
+From 4a2d01b076d231afebbea04647373644e767b453 Mon Sep 17 00:00:00 2001
+From: Dave Chinner <dchinner@redhat.com>
+Date: Thu, 7 Jun 2018 07:46:42 -0700
+Subject: [PATCH] xfs: xfs_reflink_convert_cow() memory allocation deadlock
+Git-commit: 4a2d01b076d231afebbea04647373644e767b453
+Patch-mainline: v4.18-rc1
+References: bsc#1138002
+
+xfs_reflink_convert_cow() manipulates the incore extent list
+in GFP_KERNEL context in the IO submission path whilst holding
+locked pages under writeback. This is a memory reclaim deadlock
+vector. This code is not in a transaction, so any memory allocations
+it makes aren't protected via the memalloc_nofs_save() context that
+transactions carry.
+
+Hence we need to run this call under memalloc_nofs_save() context to
+prevent potential memory allocations from being run as GFP_KERNEL
+and deadlocking.
+
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Allison Henderson <allison.henderson@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_aops.c | 11 +++++++++++
+ fs/xfs/xfs_buf.c | 1 -
+ fs/xfs/xfs_linux.h | 1 +
+ 3 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index 767d53222f31..1eb625fdcb1e 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -531,8 +531,19 @@ xfs_submit_ioend(
+ {
+ /* Convert CoW extents to regular */
+ if (!status && ioend->io_type == XFS_IO_COW) {
++ /*
++ * Yuk. This can do memory allocation, but is not a
++ * transactional operation so everything is done in GFP_KERNEL
++ * context. That can deadlock, because we hold pages in
++ * writeback state and GFP_KERNEL allocations can block on them.
++ * Hence we must operate in nofs conditions here.
++ */
++ unsigned nofs_flag;
++
++ nofs_flag = memalloc_nofs_save();
+ status = xfs_reflink_convert_cow(XFS_I(ioend->io_inode),
+ ioend->io_offset, ioend->io_size);
++ memalloc_nofs_restore(nofs_flag);
+ }
+
+ /* Reserve log space if we might write beyond the on-disk inode size. */
+diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
+index 980bc48979e9..e9c058e3761c 100644
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -21,7 +21,6 @@
+ #include <linux/migrate.h>
+ #include <linux/backing-dev.h>
+ #include <linux/freezer.h>
+-#include <linux/sched/mm.h>
+
+ #include "xfs_format.h"
+ #include "xfs_log_format.h"
+diff --git a/fs/xfs/xfs_linux.h b/fs/xfs/xfs_linux.h
+index ae1e66fa3f61..1631cf4546f2 100644
+--- a/fs/xfs/xfs_linux.h
++++ b/fs/xfs/xfs_linux.h
+@@ -26,6 +26,7 @@ typedef __u32 xfs_nlink_t;
+
+ #include <linux/semaphore.h>
+ #include <linux/mm.h>
++#include <linux/sched/mm.h>
+ #include <linux/kernel.h>
+ #include <linux/blkdev.h>
+ #include <linux/slab.h>
+--
+2.16.4
+
diff --git a/series.conf b/series.conf
index b79d331683..75cf755ffb 100644
--- a/series.conf
+++ b/series.conf
@@ -17905,6 +17905,7 @@
patches.fixes/net-packet-fix-a-race-in-packet_bind-and-packet_noti.patch
patches.drivers/cls_bpf-don-t-decrement-net-s-refcount-when-offload-.patch
patches.suse/sctp-use-right-member-as-the-param-of-list_for_each_.patch
+ patches.fixes/vxlan-use-__be32-type-for-the-param-vni-in-__vxlan_f.patch
patches.drivers/net-sched-cbq-create-block-for-q-link.block.patch
patches.suse/btrfs-move-definition-of-the-function-btrfs_find_new.patch
patches.suse/btrfs-fix-reported-number-of-inode-blocks-after-buff.patch
@@ -18095,6 +18096,7 @@
patches.arch/0007-arm64-context-Fix-comments-and-remove-pointless-smp_.patch
patches.fixes/xfs-fortify-xfs_alloc_buftarg-error-handling.patch
patches.fixes/xfs-ubsan-fixes.patch
+ patches.fixes/xfs-remove-unused-parameter-from-xfs_writepage_map.patch
patches.fixes/xfs-Properly-retry-failed-dquot-items-in-case-of-err.patch
patches.fixes/SUNRPC-Allow-connect-to-return-EHOSTUNREACH.patch
patches.drivers/hwmon-pmbus-Use-64bit-math-for-DIRECT-format-values.patch
@@ -18863,6 +18865,7 @@
patches.arch/10-x86-pti-rename-bug_cpu_insecure-to-bug_cpu_meltdown.patch
patches.fixes/xfs-quota-fix-missed-destroy-of-qi_tree_lock.patch
patches.fixes/xfs-quota-check-result-of-register_shrinker.patch
+ patches.fixes/xfs-fix-s_maxbytes-overflow-problems.patch
patches.drivers/iommu-arm-smmu-v3-don-t-free-page-table-ops-twice
patches.suse/0001-iommu-arm-smmu-v3-Cope-with-duplicated-Stream-IDs.patch
patches.drivers/Input-elantech-add-new-icbody-type-15
@@ -18896,6 +18899,7 @@
patches.fixes/RDS-Heap-OOB-write-in-rds_message_alloc_sgs.patch
patches.drivers/e1000-fix-disabling-already-disabled-warning.patch
patches.suse/e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
+ patches.fixes/vxlan-trivial-indenting-fix.patch
patches.suse/net-fec-restore-dev_id-in-the-cases-of-probe-error.patch
patches.suse/net-fec-defer-probe-if-regulator-is-not-ready.patch
patches.drivers/cxgb4-Fix-FW-flash-errors.patch
@@ -19783,6 +19787,7 @@
patches.fixes/0004-iomap-report-collisions-between-directio-and-buffere.patch
patches.fixes/xfs-call-xfs_qm_dqattach-before-performing-reflink-o.patch
patches.fixes/xfs-preserve-i_rdev-when-recycling-a-reclaimable-inode.patch
+ patches.fixes/xfs-skip-CoW-writes-past-EOF-when-writeback-races-wi.patch
patches.fixes/xfs-reflink-should-break-pnfs-leases-before-sharing-.patch
patches.fixes/xfs-allow-xfs_lock_two_inodes-to-take-different-EXCL.patch
patches.fixes/xfs-only-grab-shared-inode-locks-for-source-file-dur.patch
@@ -27803,7 +27808,9 @@
patches.fixes/xfs-Remove-dead-code-from-inode-recover-function.patch
patches.fixes/xfs-fix-transaction-allocation-deadlock-in-IO-path.patch
patches.fixes/xfs-convert-XFS_AGFL_SIZE-to-a-helper-function.patch
+ patches.fixes/xfs-don-t-use-XFS_BMAPI_ENTRIRE-in-xfs_get_blocks.patch
patches.fixes/xfs-remove-xfs_zero_range.patch
+ patches.fixes/xfs-minor-cleanup-for-xfs_get_blocks.patch
patches.fixes/xfs-detect-agfl-count-corruption-and-reset-agfl.patch
patches.fixes/xfs-sanity-check-the-unused-space-before-trying-to-u.patch
patches.fixes/xfs-catch-inode-allocation-state-mismatch-corruption.patch
@@ -34043,6 +34050,7 @@
patches.suse/0001-vfio-platform-Fix-reset-module-leak-in-error-path.patch
patches.drivers/thermal-exynos-fix-setting-rising_threshold-for-Exyn
patches.drivers/PCI-AER-Move-pcie_aer_get_firmware_first-to-portdrv..patch
+ patches.fixes/xfs-xfs_reflink_convert_cow-memory-allocation-deadlo.patch
patches.suse/xfs-don-t-call-xfs_da_shrink_inode-with-NULL-bp.patch
patches.suse/0078-dm-report-which-conflicting-type-caused-error-during.patch
patches.suse/0079-dm-adjust-structure-members-to-improve-alignment.patch
@@ -35202,6 +35210,20 @@
patches.fixes/ext4-reset-error-code-in-ext4_find_entry-in-fallback.patch
patches.fixes/ext4-check-for-NUL-characters-in-extended-attribute-.patch
patches.fixes/ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch
+ patches.fixes/xfs-do-not-set-the-page-uptodate-in-xfs_writepage_ma.patch
+ patches.fixes/xfs-don-t-clear-imap_valid-for-a-non-uptodate-buffer.patch
+ patches.fixes/xfs-don-t-use-XFS_BMAPI_IGSTATE-in-xfs_map_blocks.patch
+ patches.fixes/xfs-remove-xfs_reflink_trim_irec_to_next_cow.patch
+ patches.fixes/xfs-remove-xfs_map_cow.patch
+ patches.fixes/xfs-rename-the-offset-variable-in-xfs_writepage_map.patch
+ patches.fixes/xfs-make-xfs_writepage_map-extent-map-centric.patch
+ patches.fixes/xfs-remove-xfs_reflink_find_cow_mapping.patch
+ patches.fixes/xfs-simplify-xfs_map_blocks-by-using-xfs_iext_lookup.patch
+ patches.fixes/xfs-remove-the-imap_valid-flag.patch
+ patches.fixes/xfs-don-t-look-at-buffer-heads-in-xfs_add_to_ioend.patch
+ patches.fixes/xfs-move-all-writeback-buffer_head-manipulation-into.patch
+ patches.fixes/xfs-remove-xfs_start_page_writeback.patch
+ patches.fixes/xfs-refactor-the-tail-of-xfs_writepage_map.patch
patches.fixes/xfs-remove-unused-iolock-arg-from-xfs_break_dax_layo.patch
patches.fixes/xfs-detect-and-fix-bad-summary-counts-at-mount.patch
patches.fixes/xfs-refactor-unmount-record-write.patch
@@ -41226,6 +41248,7 @@
patches.suse/btrfs-fix-wrong-dentries-after-fsync-of-file-that-go.patch
patches.fixes/gfs2_meta-mount-can-get-NULL-dev_name.patch
patches.fixes/gfs2-Don-t-leave-s_fs_info-pointing-to-freed-memory-.patch
+ patches.fixes/xfs-remove-XFS_IO_INVALID.patch
patches.fixes/xfs-Fix-xqmstats-offsets-in-proc-fs-xfs-xqmstat.patch
patches.fixes/ext4-fix-EXT4_IOC_SWAP_BOOT.patch
patches.fixes/ext4-initialize-retries-variable-in-ext4_da_write_in.patch
@@ -41548,6 +41571,9 @@
patches.arch/s390-sles15sp1-00-07-24-KVM-s390-device-attrs-to-enable-disable-AP-interpret.patch
patches.arch/s390-sles15sp1-00-07-25-KVM-s390-CPU-model-support-for-AP-virtualization.patch
patches.arch/s390-sles15sp1-00-07-26-s390-doc-detailed-specifications-for-AP-virtualizati.patch
+ patches.arch/KVM-PPC-Validate-all-tces-before-updating-tables.patch
+ patches.arch/KVM-PPC-Validate-TCEs-against-preregistered-memory-p.patch
+ patches.arch/KVM-PPC-Remove-redundand-permission-bits-removal.patch
patches.arch/kvm-s390-fix-locking-for-crypto-setting-error-path.patch
patches.arch/kvm-nvmx-clear-reserved-bits-of-db-exit-qualification
patches.arch/kvm-nvmx-restore-host-state-in-nested_vmx_vmexit-for-vmfail
@@ -41974,6 +42000,8 @@
patches.drm/0033-drm-panel-Fix-sphinx-warning.patch
patches.drm/drm-nouveau-Remove-unecessary-dma_fence_ops.patch
patches.drm/0001-drm-virtio-fix-bounds-check-in-virtio_gpu_cmd_get_ca.patch
+ patches.drm/drm_dp_cec-check-that-aux-has-a-transfer-function.patch
+ patches.drm/drm_dp_cec-add-note-about-good-MegaChips-2900-CEC-su.patch
patches.drm/drm-nouveau-add-DisplayPort-CEC-Tunneling-over-AUX-s.patch
patches.drm/drm-rockchip-Allow-driver-to-be-shutdown-on-reboot-k.patch
patches.drm/0004-drm-i915-icl-compute-the-TBT-PLL-registers.patch
@@ -44666,6 +44694,7 @@
patches.drm/drm-i915-always-return-something-on-DDI-clock-select.patch
patches.drm/drm-modes-Prevent-division-by-zero-htotal.patch
patches.drm/drm-sun4i-tcon-Prepare-and-enable-TCON-channel-0-clo.patch
+ patches.fixes/xfs-eof-trim-writeback-mapping-as-soon-as-it-is-cach.patch
patches.drivers/usb-gadget-musb-fix-short-isoc-packets-with-inventra.patch
patches.drivers/usb-dwc3-gadget-Handle-0-xfer-length-for-OUT-EP.patch
patches.drivers/usb-gadget-udc-net2272-Fix-bitwise-and-boolean-opera.patch
@@ -45649,6 +45678,7 @@
patches.drivers/pinctrl-sh-pfc-sh73a0-Fix-fsic_spdif-pin-groups.patch
patches.suse/tracing-do-not-free-iter-trace-in-fail-path-of-tracing_open_pipe.patch
patches.suse/tracing-use-strncpy-instead-of-memcpy-for-string-keys-in-hist-triggers.patch
+ patches.fixes/0001-xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch
patches.fixes/0001-xen-remove-pre-xen3-fallback-handlers.patch
patches.fixes/0001-xen-cpu_hotplug-Prevent-an-out-of-bounds-access.patch
patches.fixes/0001-xen-fix-dom0-boot-on-huge-systems.patch
@@ -45770,6 +45800,7 @@
patches.arch/kvm-call-kvm_arch_memslots_updated-before-updating-memslots
patches.arch/kvm-x86-mmu-detect-mmio-generation-wrap-in-any-address-space
patches.arch/kvm-x86-mmu-do-not-cache-mmio-accesses-while-memslots-are-in-flux
+ patches.arch/KVM-PPC-Release-all-hardware-TCE-tables-attached-to-.patch
patches.fixes/CIFS-fix-POSIX-lock-leak-and-invalid-ptr-deref.patch
patches.fixes/It-s-wrong-to-add-len-to-sector_nr-in-raid10-reshape.patch
patches.fixes/md-Fix-failed-allocation-of-md_register_thread.patch
@@ -46175,11 +46206,13 @@
patches.drivers/bnxt_en-Pass-correct-extended-TX-port-statistics-siz.patch
patches.drivers/bnxt_en-Fix-statistics-context-reservation-logic.patch
patches.drivers/bnxt_en-Fix-uninitialized-variable-usage-in-bnxt_rx_.patch
+ patches.fixes/mac80211-Fix-kernel-panic-due-to-use-of-txq-after-fr.patch
patches.fixes/mac80211-don-t-attempt-to-rename-ERR_PTR-debugfs-dir.patch
patches.fixes/0009-ipv6-invert-flowlabel-sharing-check-in-process-and-u.patch
patches.fixes/0010-ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch
patches.suse/net-dsa-bcm_sf2-fix-buffer-overflow-doing-set_rxnfc.patch
patches.drivers/mwifiex-Make-resume-actually-do-something-useful-aga.patch
+ patches.drivers/iwlwifi-mvm-check-for-length-correctness-in-iwl_mvm_.patch
patches.drivers/iwlwifi-fix-driver-operation-for-5350.patch
patches.suse/sctp-avoid-running-the-sctp-state-machine-recursivel.patch
patches.suse/packet-validate-msg_namelen-in-send-directly.patch
@@ -46190,6 +46223,7 @@
patches.drivers/ALSA-hda-realtek-Apply-the-fixup-for-ASUS-Q325UAR.patch
patches.drivers/i2c-imx-correct-the-method-of-getting-private-data-i.patch
patches.drivers/i2c-synquacer-fix-enumeration-of-slave-devices.patch
+ patches.arch/KVM-PPC-Book3S-Protect-memslots-while-validating-use.patch
patches.fixes/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-UFS-.patch
patches.arch/perf-x86-amd-update-generic-hardware-cache-events-for-family-17h.patch
patches.arch/cpu-speculation-add-mitigations-cmdline-option.patch
@@ -46199,6 +46233,7 @@
patches.arch/x86-cpu-hygon-fix-phys_proc_id-calculation-logic-for-multi-die-processors.patch
patches.fixes/ACPI-button-reinitialize-button-state-upon-resume.patch
patches.fixes/ACPI-property-restore-_DSD-data-subnodes-GUID-commen.patch
+ patches.fixes/ACPI-property-fix-handling-of-data_nodes-in-acpi_get.patch
patches.arch/x86-mce-handle-varying-mca-bank-counts.patch
patches.drivers/hwmon-f71805f-Use-request_muxed_region-for-Super-IO-.patch
patches.drivers/hwmon-pc87427-Use-request_muxed_region-for-Super-IO-.patch
@@ -46206,6 +46241,7 @@
patches.drivers/hwmon-smsc47m1-Use-request_muxed_region-for-Super-IO.patch
patches.drivers/hwmon-w83627hf-Use-request_muxed_region-for-Super-IO.patch
patches.drivers/hwmon-vt1211-Use-request_muxed_region-for-Super-IO-a.patch
+ patches.drivers/hwrng-omap-Set-default-quality.patch
patches.fixes/crypto-vmx-fix-copy-paste-error-in-CTR-mode.patch
patches.fixes/crypto-fips-Grammar-s-options-option-s-to-the.patch
patches.fixes/crypto-crct10dif-generic-fix-use-via-crypto_shash_di.patch
@@ -46229,6 +46265,8 @@
patches.drivers/spi-mem-fix-kernel-doc-for-spi_mem_dirmap_-read-writ.patch
patches.fixes/0001-keys-safe-concurrent-user-session-uid-_keyring-acces.patch
patches.drivers/hid-core-move-usage-page-concatenation-to-main-item.patch
+ patches.drivers/HID-logitech-hidpp-change-low-battery-level-threshol.patch
+ patches.drivers/HID-logitech-hidpp-use-RAP-instead-of-FAP-to-get-the.patch
patches.suse/livepatch-convert-error-about-unsupported-reliable-stacktrace-into-a-warning.patch
patches.suse/livepatch-remove-custom-kobject-state-handling.patch
patches.suse/livepatch-remove-duplicated-code-for-early-initialization.patch
@@ -46244,11 +46282,22 @@
patches.suse/0009-btrfs-qgroup-Don-t-scan-leaf-if-we-re-modifying-relo.patch
patches.suse/btrfs-send-flush-dellaloc-in-order-to-avoid-data-los.patch
patches.suse/btrfs-improve-performance-on-fsync-of-files-with-mul.patch
+ patches.drivers/mmc-sdhci-of-esdhc-add-erratum-eSDHC5-support.patch
+ patches.drivers/mmc-sdhci-of-esdhc-add-erratum-A-009204-support.patch
+ patches.drivers/mmc_spi-add-a-status-check-for-spi_sync_locked.patch
patches.drivers/mmc-core-fix-possible-use-after-free-of-host.patch
+ patches.drivers/mmc-core-Verify-SD-bus-width.patch
patches.drivers/mmc-core-Fix-tag-set-memory-leak.patch
+ patches.drivers/iio-common-ssp_sensors-Initialize-calculated_time-in.patch
+ patches.drivers/iio-hmc5843-fix-potential-NULL-pointer-dereferences.patch
+ patches.drivers/iio-ad_sigma_delta-Properly-handle-SPI-bus-locking-v.patch
patches.drivers/phy-sun4i-usb-Make-sure-to-disable-PHY0-passby-for-p.patch
patches.drivers/stm-class-Fix-channel-free-in-stm-output-free-path.patch
patches.drivers/intel_th-pci-Add-Comet-Lake-support.patch
+ patches.drivers/chardev-add-additional-check-for-minor-range-overlap.patch
+ patches.drivers/extcon-arizona-Disable-mic-detect-if-running-when-dr.patch
+ patches.drivers/w1-fix-the-resume-command-API.patch
+ patches.drivers/thunderbolt-Fix-to-check-for-kmemdup-failure.patch
patches.drivers/intel_th-msu-Fix-single-mode-with-IOMMU.patch
patches.drivers/ALSA-line6-Avoid-polluting-led_-namespace.patch
patches.drivers/leds-avoid-races-with-workqueue.patch
@@ -46338,6 +46387,7 @@
patches.drivers/ice-Update-comment-regarding-the-ITR_GRAN_S.patch
patches.drivers/ice-Remove-2-BITS-comment.patch
patches.drivers/bnx2x-Utilize-FW-7.13.11.0.patch
+ patches.fixes/batman-adv-allow-updating-DAT-entry-timeouts-on-inco.patch
patches.drivers/cxgb4-Update-1.23.3.0-as-the-latest-firmware-support.patch
patches.drivers/cxgb4-cxgb4vf-Display-advertised-FEC-in-ethtool.patch
patches.drivers/net-hns3-check-1000M-half-for-hns3_ethtool_ops.set_l.patch
@@ -46403,8 +46453,15 @@
patches.drivers/i40e-Report-advertised-link-modes-on-40GBASE_SR4.patch
patches.drivers/i40e-Able-to-add-up-to-16-MAC-filters-on-an-untruste.patch
patches.drivers/i40e-Fix-misleading-error-message.patch
+ patches.drivers/brcmfmac-fix-WARNING-during-USB-disconnect-in-case-o.patch
+ patches.drivers/brcmfmac-fix-race-during-disconnect-when-USB-complet.patch
+ patches.drivers/brcmfmac-fix-Oops-when-bringing-up-interface-during-.patch
+ patches.drivers/brcmfmac-convert-dev_init_lock-mutex-to-completion.patch
+ patches.drivers/brcmfmac-fix-missing-checks-for-kmemdup.patch
patches.drivers/b43-shut-up-clang-Wuninitialized-variable-warning.patch
patches.drivers/mwifiex-Fix-mem-leak-in-mwifiex_tm_cmd.patch
+ patches.drivers/rtlwifi-fix-a-potential-NULL-pointer-dereference.patch
+ patches.drivers/rtlwifi-fix-potential-NULL-pointer-dereference.patch
patches.drivers/brcmfmac-fix-leak-of-mypkt-on-error-return-path.patch
patches.drivers/ice-Fix-typos-in-code-comments.patch
patches.drivers/ice-Fix-incorrect-use-of-abbreviations.patch
@@ -46448,6 +46505,7 @@
patches.drivers/net-hns3-extend-the-loopback-state-acquisition-time.patch
patches.drivers/net-hns3-prevent-double-free-in-hns3_put_ring_config.patch
patches.drivers/net-hns3-remove-reset-after-command-send-failed.patch
+ patches.fixes/mac80211-cfg80211-update-bss-channel-on-channel-swit.patch
patches.drivers/ibmvnic-Add-device-identification-to-requested-IRQs.patch
patches.drivers/cxgb4-Delete-all-hash-and-TCAM-filters-before-resour.patch
patches.drivers/i40e-Fix-for-allowing-too-many-MDD-events-on-VF.patch
@@ -46476,12 +46534,14 @@
patches.drivers/ice-Add-missing-PHY-type-to-link-settings.patch
patches.drivers/ice-Refactor-link-event-flow.patch
patches.drivers/ice-Use-dev_err-when-ice_cfg_vsi_lan-fails.patch
+ patches.drivers/wil6210-fix-return-code-of-wmi_mgmt_tx-and-wmi_mgmt_.patch
patches.drivers/ssb-Fix-possible-NULL-pointer-dereference-in-ssb_hos.patch
patches.drivers/mwifiex-prevent-an-array-overflow.patch
patches.drivers/at76c50x-usb-Don-t-register-led_trigger-if-usb_regis.patch
patches.drivers/mwl8k-Fix-rate_idx-underflow.patch
patches.drivers/rtlwifi-rtl8723ae-Fix-missing-break-in-switch-statem.patch
patches.fixes/0001-p54-drop-device-reference-count-if-fails-to-enable-d.patch
+ patches.drivers/iwlwifi-pcie-don-t-crash-on-invalid-RX-interrupt.patch
patches.drivers/brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch
patches.drivers/i40e-VF-s-promiscuous-attribute-is-not-kept.patch
patches.drivers/i40e-add-new-pci-id-for-X710-XXV710-N3000-cards.patch
@@ -46528,13 +46588,17 @@
patches.suse/ipv4-Define-__ipv4_neigh_lookup_noref-when-CONFIG_IN.patch
patches.fixes/0001-dt-bindings-net-Fix-a-typo-in-the-phy-mode-list-for-.patch
patches.drivers/cxgb4-Fix-error-path-in-cxgb4_init_module.patch
+ patches.drivers/usb-core-Add-PM-runtime-calls-to-usb_hcd_platform_sh.patch
patches.drivers/usb-storage-Set-virt_boundary_mask-to-avoid-SG-overf.patch
+ patches.drivers/USB-core-Don-t-unbind-interfaces-following-device-re.patch
patches.drivers/USB-cdc-acm-fix-unthrottle-races.patch
patches.fixes/0001-UAS-fix-alignment-of-scatter-gather-segments.patch
patches.drivers/USB-serial-fix-unthrottle-races.patch
patches.drivers/USB-serial-f81232-fix-interrupt-worker-not-stop.patch
patches.drivers/dwc2-gadget-Fix-completed-transfer-size-calculation-.patch
patches.drivers/usb-dwc3-Fix-default-lpm_nyet_threshold-value.patch
+ patches.drivers/tty-ipwireless-fix-missing-checks-for-ioremap.patch
+ patches.drivers/tty-vt-fix-write-write-race-in-ioctl-KDSKBSENT-handl.patch
patches.drivers/tty-vt.c-Fix-TIOCL_BLANKSCREEN-console-blanking-if-b.patch
patches.drivers/tty-pty-Fix-race-condition-between-release_one_tty-a.patch
patches.drivers/Revert-tty-pty-Fix-race-condition-between-release_on.patch
@@ -46580,19 +46644,29 @@
patches.drivers/scsi-libsas-print-expander-phy-indexes-in-decimal
patches.drivers/scsi-qla2xxx-Fix-read-offset-in-qla24xx_load_risc_fl.patch
patches.drivers/ipmi-ssif-compare-block-number-correctly-for-multi-p.patch
+ patches.drivers/media-cpia2-Fix-use-after-free-in-cpia2_exit.patch
+ patches.drivers/media-saa7146-avoid-high-stack-usage-with-clang.patch
+ patches.drivers/media-go7007-avoid-clang-frame-overflow-warning-with.patch
patches.drivers/media-ivtv-update-pos-correctly-in-ivtv_read_pos.patch
patches.drivers/media-cx18-update-pos-correctly-in-cx18_read_pos.patch
patches.drivers/media-wl128x-Fix-an-error-code-in-fm_download_firmwa.patch
+ patches.drivers/media-m88ds3103-serialize-reset-messages-in-m88ds310.patch
patches.drivers/media-cx23885-check-allocation-return.patch
patches.drivers/media-serial_ir-Fix-use-after-free-in-serial_ir_init.patch
patches.drivers/media-davinci-isif-avoid-uninitialized-variable-use.patch
patches.drivers/media-tw5864-Fix-possible-NULL-pointer-dereference-i.patch
patches.drivers/media-wl128x-prevent-two-potential-buffer-overflows.patch
+ patches.drivers/media-au0828-Fix-NULL-pointer-dereference-in-au0828_.patch
+ patches.drivers/media-au0828-stop-video-streaming-only-when-last-use.patch
+ patches.drivers/media-ov2659-make-S_FMT-succeed-even-if-requested-fo.patch
patches.drivers/media-ov2659-fix-unbalanced-mutex_lock-unlock.patch
patches.drivers/media-vivid-use-vfree-instead-of-kfree-for-dev-bitma.patch
patches.fixes/0001-media-pvrusb2-Prevent-a-buffer-overflow.patch
+ patches.drivers/media-coda-clear-error-return-value-before-picture-r.patch
patches.fixes/scripts-override-locale-from-environment-when-runnin.patch
patches.drm/drm-rcar-du-Fix-rcar_du_crtc-structure-documentation.patch
+ patches.drm/drm-Wake-up-next-in-drm_read-chain-if-we-are-forced-.patch
+ patches.drm/drm-drv-Hold-ref-on-parent-device-during-drm_device-.patch
patches.drm/drm-i915-Fix-I915_EXEC_RING_MASK.patch
patches.drm/drm-doc-Drop-content-type-from-the-legacy-kms-proper.patch
patches.drm/drm-fb-helper-dpms_legacy-Only-set-on-connectors-in-.patch
@@ -46602,6 +46676,7 @@
patches.drm/0004-drm-i915-gvt-Fix-incorrect-mask-of-mmio-0x22028-in-g.patch
patches.drm/0005-drm-meson-add-size-and-alignment-requirements-for-du.patch
patches.drm/drm-tegra-gem-Fix-CPU-cache-maintenance-for-BO-s-all.patch
+ patches.drm/drm-amdgpu-fix-old-fence-check-in-amdgpu_fence_emit.patch
patches.drm/0001-drm-nouveau-i2c-Disable-i2c-bus-access-after-fini.patch
patches.drm/drm-i915-icl-Whitelist-GEN9_SLICE_COMMON_ECO_CHICKEN.patch
patches.drm/drm-rockchip-shutdown-drm-subsystem-on-shutdown.patch
@@ -46628,7 +46703,11 @@
patches.drivers/ALSA-usb-audio-Fix-a-memory-leak-bug.patch
patches.drivers/ALSA-usx2y-fix-a-double-free-bug.patch
patches.drivers/ALSA-hda-Register-irq-handler-after-the-chip-initial.patch
+ patches.drivers/ASoC-hdmi-codec-unlock-the-device-on-startup-errors.patch
patches.drivers/ASoC-fix-valid-stream-condition.patch
+ patches.drivers/ASoC-fsl_utils-fix-a-leaked-reference-by-adding-miss.patch
+ patches.drivers/ASoC-eukrea-tlv320-fix-a-leaked-reference-by-adding-.patch
+ patches.drivers/ASoC-fsl_sai-Update-is_slave_mode-with-correct-value.patch
patches.drivers/ASoC-fsl_esai-Fix-missing-break-in-switch-statement.patch
patches.drivers/ASoC-Intel-avoid-Oops-if-DMA-setup-fails.patch
patches.drivers/ALSA-hda-hdmi-Read-the-pin-sense-from-register-when-.patch
@@ -46664,6 +46743,8 @@
patches.drivers/IB-hfi1-Add-selected-Rcv-counters.patch
patches.fixes/RDMA-rxe-Consider-skb-reserve-space-based-on-netdev-.patch
patches.drivers/IB-hfi1-Fix-WQ_MEM_RECLAIM-warning.patch
+ patches.drivers/rtc-don-t-reference-bogus-function-pointer-in-kdoc.patch
+ patches.drivers/rtc-88pm860x-prevent-use-after-free-on-device-remove.patch
patches.drivers/clk-rockchip-fix-wrong-clock-definitions-for-rk3328.patch
patches.drivers/clk-rockchip-Fix-video-codec-clocks-on-rk3288.patch
patches.drivers/net-hns3-remove-redundant-assignment-of-l2_hdr-to-it.patch
@@ -46688,6 +46769,7 @@
patches.drivers/platform-x86-sony-laptop-Fix-unintentional-fall-thro.patch
patches.fixes/vfio-mdev-Avoid-release-parent-reference-during-erro.patch
patches.fixes/vfio-mdev-Fix-aborting-mdev-child-device-removal-if-.patch
+ patches.drivers/gpio-Remove-obsolete-comment-about-gpiochip_free_hog.patch
patches.drivers/mtd-nand-omap-Fix-comment-in-platform-data-using-wro.patch
patches.fixes/0001-mtd-spi-nor-intel-spi-Avoid-crossing-4K-address-boun.patch
patches.drivers/mtd-part-fix-incorrect-format-specifier-for-an-unsig.patch
@@ -46716,7 +46798,10 @@
patches.arch/x86-speculation-mds-add-smt-warning-message.patch
patches.arch/x86-speculation-mds-print-smt-vulnerable-on-msbds-with-mitigations-off.patch
patches.arch/x86-speculation-mds-add-mitigations-support-for-mds.patch
+ patches.fixes/0001-Documentation-Correct-the-possible-MDS-sysfs-values.patch
patches.fixes/0001-x86-speculation-mds-Fix-documentation-typo.patch
+ patches.fixes/fuse-fix-writepages-on-32bit.patch
+ patches.fixes/fuse-honor-RLIMIT_FSIZE-in-fuse_file_fallocate.patch
patches.fixes/mm-huge_memory-fix-vmf_insert_pfn_-pmd-pud-crash-han.patch
patches.suse/kernel-sys.c-prctl-fix-false-positive-in-validate_pr.patch
patches.fixes/ocfs2-fix-ocfs2-read-inode-data-panic-in-ocfs2_iget.patch
@@ -46727,6 +46812,8 @@
patches.suse/switchtec-Fix-unintended-mask-of-MRPC-event.patch
patches.drivers/PCI-Mark-AMD-Stoney-Radeon-R7-GPU-ATS-as-broken.patch
patches.drivers/PCI-Mark-Atheros-AR9462-to-avoid-bus-reset.patch
+ patches.drivers/mfd-max77620-Fix-swapped-FPS_PERIOD_MAX_US-values.patch
+ patches.drivers/mfd-da9063-Fix-OTP-control-register-names-to-match-d.patch
patches.drivers/backlight-lm3630a-Return-0-on-success-in-update_stat.patch
patches.suse/userfaultfd-use-RCU-to-free-the-task-struct-when-for.patch
patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch
@@ -46753,6 +46840,7 @@
patches.drivers/media-davinci-vpbe-array-underflow-in-vpbe_enum_outp.patch
patches.fixes/nvme-fc-use-separate-work-queue-to-avoid-warning.patch
patches.fixes/nvme-multipath-avoid-crash-on-invalid-subsystem-cntl.patch
+ patches.arch/KVM-PPC-Book3S-HV-Avoid-lockdep-debugging-in-TCE-rea.patch
patches.drivers/ALSA-hda-realtek-Fixup-headphone-noise-via-runtime-s.patch
patches.drivers/ALSA-hda-realtek-Avoid-superfluous-COEF-EAPD-setups.patch
patches.drivers/ALSA-hda-realtek-Corrected-fixup-for-System76-Gazell.patch
@@ -46771,6 +46859,7 @@
patches.suse/btrfs-tree-checker-detect-file-extent-items-with-ove.patch
patches.fixes/crypto-vmx-CTR-always-increment-IV-as-quadword.patch
patches.arch/crypto-vmx-ghash-do-nosimd-fallback-manually.patch
+ patches.drivers/usbnet-fix-kernel-crash-after-disconnect.patch
patches.drm/drm-vmwgfx-Don-t-send-drm-sysfs-hotplug-events-on-in.patch
patches.drm/0001-drm-vmwgfx-NULL-pointer-dereference-from-vmw_cmd_dx_.patch
patches.drm/drm-vmwgfx-integer-underflow-in-vmw_cmd_dx_set_shade.patch
@@ -46779,9 +46868,14 @@
patches.drm/0002-drm-i915-gvt-Tiled-Resources-mmios-are-in-context-mm.patch
patches.drm/0003-drm-i915-gvt-add-0x4dfc-to-gen9-save-restore-list.patch
patches.drm/drm-i915-gvt-do-not-let-TRTTE-and-0x4dfc-write-passt.patch
+ patches.drivers/mmc-sdhci-iproc-cygnus-Set-NO_HISPD-bit-to-fix-HS50-.patch
+ patches.drivers/mmc-sdhci-iproc-Set-NO_HISPD-bit-to-fix-HS50-data-ho.patch
patches.drivers/platform-x86-pmc_atom-Add-Lex-3I380D-industrial-PC-t.patch
patches.drivers/platform-x86-pmc_atom-Add-several-Beckhoff-Automatio.patch
patches.fixes/ext4-wait-for-outstanding-dio-during-truncate-in-noj.patch
+ patches.drivers/gpio-fix-gpio-adp5588-build-errors.patch
+ patches.fixes/0001-docs-Fix-conf.py-for-Sphinx-2.0.patch
+ patches.drivers/ALSA-hda-realtek-Set-default-power-save-node-to-0.patch
patches.drivers/ALSA-hda-realtek-Enable-micmute-LED-for-Huawei-lapto.patch
patches.drivers/ALSA-hda-realtek-Improve-the-headset-mic-for-Acer-As.patch
patches.fixes/configfs-Fix-use-after-free-when-accessing-sd-s_dent.patch
@@ -46797,11 +46891,37 @@
patches.drivers/cxgb4-Revert-cxgb4-Remove-SGE_HOST_PAGE_SIZE-depende.patch
patches.suse/net-dsa-mv88e6xxx-fix-handling-of-upper-half-of-STAT.patch
patches.drm/0004-drm-etnaviv-lock-MMU-while-dumping-core.patch
+ patches.drivers/USB-Fix-slab-out-of-bounds-write-in-usb_get_bos_desc.patch
+ patches.drivers/media-usb-siano-Fix-general-protection-fault-in-smsu.patch
+ patches.drivers/USB-Add-LPM-quirk-for-Surface-Dock-GigE-adapter.patch
+ patches.drivers/USB-sisusbvga-fix-oops-in-error-path-of-sisusb_probe.patch
+ patches.drivers/usbip-usbip_host-fix-BUG-sleeping-function-called-fr.patch
+ patches.drivers/USB-rio500-refuse-more-than-one-device-at-a-time.patch
+ patches.drivers/USB-rio500-fix-memory-leak-in-close-after-disconnect.patch
+ patches.drivers/media-usb-siano-Fix-false-positive-uninitialized-var.patch
+ patches.drivers/xhci-update-bounce-buffer-with-correct-sg-num.patch
+ patches.drivers/xhci-Convert-xhci_handshake-to-use-readl_poll_timeou.patch
+ patches.drivers/xhci-Use-zu-for-printing-size_t-type.patch
+ patches.drivers/media-smsusb-better-handle-optional-alignment.patch
+ patches.drivers/usbip-usbip_host-fix-stub_dev-lock-context-imbalance.patch
+ patches.drivers/tty-serial-msm_serial-Fix-XON-XOFF.patch
+ patches.drivers/staging-wlan-ng-fix-adapter-initialization-failure.patch
+ patches.drivers/Staging-vc04_services-Fix-a-couple-error-codes.patch
+ patches.drivers/staging-vc04_services-prevent-integer-overflow-in-cr.patch
patches.suse/memcg-make-it-work-on-sparse-non-0-node-systems.patch
patches.suse/kernel-signal.c-trace_signal_deliver-when-signal_gro.patch
+ patches.drivers/leds-avoid-flush_work-in-atomic-context.patch
+ patches.drivers/i2c-dev-fix-potential-memory-leak-in-i2cdev_ioctl_rd.patch
+ patches.arch/KVM-PPC-Book3S-HV-XIVE-Do-not-clear-IRQ-data-of-pass.patch
patches.arch/powerpc-perf-Fix-MMCRA-corruption-by-bhrb_filter.patch
+ patches.fixes/efi-x86-Add-missing-error-handling-to-old_memmap-1-1.patch
+ patches.fixes/fuse-fallocate-fix-return-with-locked-inode.patch
+ patches.drivers/hwmon-core-add-thermal-sensors-only-if-dev-of_node-i.patch
+ patches.drivers/hwmon-pmbus-core-Treat-parameters-as-paged-if-on-mul.patch
patches.drm/0002-drm-i915-gvt-refine-ggtt-range-validation.patch
patches.drm/0003-drm-i915-gvt-Fix-cmd-length-of-VEB_DI_IECP.patch
+ patches.drivers/parport-Fix-mem-leak-in-parport_register_dev_model.patch
+ patches.fixes/0001-test_firmware-Use-correct-snprintf-limit.patch
# davem/net
patches.drivers/ibmvnic-Do-not-close-unopened-driver-during-reset.patch
@@ -46831,6 +46951,9 @@
patches.drivers/RDMA-hns-Remove-jiffies-operation-in-disable-interru.patch
patches.drivers/RDMA-hns-Bugfix-for-posting-multiple-srq-work-reques.patch
+ # jejb/scsi for-next
+ patches.drivers/scsi-mpt3sas_ctl-fix-double-fetch-bug-in-ctl_ioctl_main
+
# dhowells/linux-fs keys-uefi
patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
patches.suse/0002-efi-Add-EFI-signature-data-types.patch