Home Home > GIT Browse > openSUSE-15.0
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKernel Build Daemon <kbuild@suse.de>2019-05-18 07:13:58 +0200
committerKernel Build Daemon <kbuild@suse.de>2019-05-18 07:13:58 +0200
commit15b7de73f618a937f177ff3f5cba0c384b5fbd3e (patch)
treece27469e82909729ee416f8f70b8fecf121f8802
parentabccfd01e031dc4cd67b44a30882815802394e40 (diff)
parent558f3864413e823b3ca07accd27a35242e927115 (diff)
Merge branch 'SLE15' into openSUSE-15.0openSUSE-15.0
-rw-r--r--patches.drivers/HID-input-add-mapping-for-Expose-Overview-key.patch39
-rw-r--r--patches.drivers/HID-input-add-mapping-for-Toggle-Display-key.patch41
-rw-r--r--patches.drivers/HID-input-add-mapping-for-keyboard-Brightness-Up-Dow.patch36
-rw-r--r--patches.drivers/Input-elan_i2c-add-hardware-ID-for-multiple-Lenovo-l.patch70
-rw-r--r--patches.drivers/Input-synaptics-rmi4-fix-possible-double-free.patch47
-rw-r--r--patches.drivers/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch35
-rw-r--r--patches.drivers/leds-pwm-silently-error-out-on-EPROBE_DEFER.patch38
-rw-r--r--patches.drivers/media-atmel-atmel-isc-fix-INIT_WORK-misplacement.patch46
-rw-r--r--patches.drivers/media-davinci-vpbe-array-underflow-in-vpbe_enum_outp.patch54
-rw-r--r--patches.drivers/media-omap_vout-potential-buffer-overflow-in-vidioc_.patch68
-rw-r--r--patches.drivers/power-supply-axp20x_usb_power-Fix-typo-in-VBUS-curre.patch66
-rw-r--r--patches.drivers/power-supply-axp288_charger-Fix-unchecked-return-val.patch46
-rw-r--r--patches.drivers/spi-Micrel-eth-switch-declare-missing-of-table.patch65
-rw-r--r--patches.drivers/spi-ST-ST95HF-NFC-declare-missing-of-table.patch57
-rw-r--r--patches.drivers/thermal-cpu_cooling-Actually-trace-CPU-load-in-therm.patch58
-rw-r--r--patches.drm/drm-bridge-adv7511-Fix-low-refresh-rate-selection.patch51
-rw-r--r--patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch139
-rw-r--r--patches.drm/drm-i915-Downgrade-Gen9-Plane-WM-latency-error.patch41
-rw-r--r--patches.drm/drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch55
-rw-r--r--patches.drm/drm-imx-don-t-skip-DP-channel-disable-for-background.patch34
-rw-r--r--patches.drm/drm-rockchip-fix-for-mailbox-read-validation.patch39
-rw-r--r--patches.drm/gpu-ipu-v3-dp-fix-CSC-handling.patch71
-rw-r--r--patches.fixes/0001-netlink-fix-uninit-value-in-netlink_sendmsg.patch36
-rw-r--r--patches.fixes/0001-packet-fix-reserve-calculation.patch49
-rw-r--r--patches.fixes/0002-net-fix-rtnh_ok.patch40
-rw-r--r--patches.fixes/0002-packet-reset-network-header-if-packet-shorter-than-l.patch37
-rw-r--r--patches.fixes/0003-l2tp-fix-missing-refcount-drop-in-pppol2tp_tunnel_io.patch48
-rw-r--r--patches.fixes/0003-net-initialize-skb-peeked-when-cloning.patch35
-rw-r--r--patches.fixes/0004-net-fix-uninit-value-in-__hw_addr_add_ex.patch57
-rw-r--r--patches.fixes/0004-rxrpc-Fix-transport-sockopts-to-get-IPv4-errors-on-a.patch82
-rw-r--r--patches.fixes/0005-inetpeer-fix-uninit-value-in-inet_getpeer.patch119
-rw-r--r--patches.fixes/0006-ipvs-fix-rtnl_lock-lockups-caused-by-start_sync_thre.patch641
-rw-r--r--patches.fixes/0007-netfilter-nf_tables-can-t-fail-after-linking-rule-in.patch112
-rw-r--r--patches.fixes/0008-rxrpc-Fix-error-reception-on-AF_INET6-sockets.patch95
-rw-r--r--patches.fixes/0009-packet-in-packet_snd-start-writing-at-link-layer-all.patch59
-rw-r--r--patches.fixes/0010-ipvs-fix-stats-update-from-local-clients.patch124
-rw-r--r--patches.fixes/0011-tcp-purge-write-queue-in-tcp_connect_init.patch90
-rw-r--r--patches.fixes/0012-net-test-tailroom-before-appending-to-linear-skb.patch58
-rw-r--r--patches.fixes/0013-net-Fix-a-bug-in-removing-queues-from-XPS-map.patch35
-rw-r--r--patches.fixes/0014-netfilter-nf_tables-fix-NULL-pointer-dereference-on-.patch164
-rw-r--r--patches.fixes/0015-netfilter-ebtables-handle-string-from-userspace-with.patch102
-rw-r--r--patches.fixes/0016-ipvs-fix-buffer-overflow-with-sync-daemon-and-servic.patch147
-rw-r--r--patches.fixes/0017-xfrm6-avoid-potential-infinite-loop-in-_decode_sessi.patch100
-rw-r--r--patches.fixes/0018-sctp-fix-identification-of-new-acks-for-SFR-CACC.patch120
-rw-r--r--patches.fixes/0019-ip_tunnel-Fix-name-string-concatenate-in-__ip_tunnel.patch39
-rw-r--r--patches.fixes/0020-netfilter-nf_tables-check-msg_type-before-nft_trans_.patch145
-rw-r--r--patches.fixes/0022-ipvs-fix-check-on-xmit-to-non-local-addresses.patch42
-rw-r--r--patches.fixes/0023-netfilter-ebtables-reject-non-bridge-targets.patch66
-rw-r--r--patches.fixes/0024-netfilter-x_tables-initialise-match-target-check-par.patch77
-rw-r--r--patches.fixes/0025-l2tp-only-accept-PPP-sessions-in-pppol2tp_connect.patch40
-rw-r--r--patches.fixes/0026-l2tp-prevent-pppol2tp_connect-from-creating-kernel-s.patch49
-rw-r--r--patches.fixes/0027-l2tp-filter-out-non-PPP-sessions-in-pppol2tp_tunnel_.patch41
-rw-r--r--patches.fixes/0028-ipv6-mcast-fix-unsolicited-report-interval-after-rec.patch60
-rw-r--r--patches.fixes/0038-xfs-split-xfs_bmap_shift_extents.patch32
-rw-r--r--patches.fixes/ACPI-button-reinitialize-button-state-upon-resume.patch46
-rw-r--r--patches.fixes/ACPI-utils-Drop-reference-in-test-for-device-presenc.patch35
-rw-r--r--patches.fixes/ACPICA-AML-interpreter-add-region-addresses-in-globa.patch49
-rw-r--r--patches.fixes/ACPICA-Namespace-remove-address-node-from-global-lis.patch66
-rw-r--r--patches.fixes/appletalk-Fix-compile-regression.patch71
-rw-r--r--patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch204
-rw-r--r--patches.fixes/configfs-fix-possible-use-after-free-in-configfs_reg.patch134
-rw-r--r--patches.fixes/crypto-caam-fix-caam_dump_sg-that-iterates-through-s.patch40
-rw-r--r--patches.fixes/devres-Align-data-to-ARCH_KMALLOC_MINALIGN.patch62
-rw-r--r--patches.fixes/mISDN-Check-address-length-before-reading-address-fa.patch39
-rw-r--r--patches.fixes/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch49
-rw-r--r--patches.fixes/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch35
-rw-r--r--patches.fixes/nl80211-Add-NL80211_FLAG_CLEAR_SKB-flag-for-other-NL.patch85
-rw-r--r--patches.fixes/team-set-slave-to-promisc-if-team-is-already-in-prom.patch78
-rw-r--r--patches.fixes/vt-always-call-notifier-with-the-console-lock-held.patch32
-rw-r--r--patches.fixes/xfs-check-_btree_check_block-value.patch49
-rw-r--r--patches.fixes/xfs-create-block-pointer-check-functions.patch137
-rw-r--r--patches.fixes/xfs-export-various-function-for-the-online-scrubber.patch277
-rw-r--r--patches.fixes/xfs-make-errortag-a-per-mountpoint-structure.patch336
-rw-r--r--patches.fixes/xfs-refactor-btree-block-header-checking-functions.patch279
-rw-r--r--patches.fixes/xfs-refactor-btree-pointer-checks.patch162
-rw-r--r--patches.fixes/xfs-remove-unneeded-parameter-from-XFS_TEST_ERROR.patch306
-rw-r--r--patches.fixes/xfs-rename-MAXPATHLEN-to-XFS_SYMLINK_MAXLEN.patch138
-rw-r--r--patches.fixes/xfs-sanity-check-the-unused-space-before-trying-to-u.patch321
-rw-r--r--patches.kabi/kabi-protect-ip_options_rcv_srr.patch66
-rw-r--r--patches.kabi/kabi-protect-struct-mlx5_td.patch30
-rw-r--r--patches.suse/bnxt_en-Improve-RX-consumer-index-validity-check.patch54
-rw-r--r--patches.suse/bnxt_en-Reset-device-on-RX-buffer-errors.patch39
-rw-r--r--patches.suse/ip6_tunnel-Match-to-ARPHRD_TUNNEL6-for-dev-type.patch48
-rw-r--r--patches.suse/net-ethtool-not-call-vzalloc-for-zero-sized-memory-r.patch94
-rw-r--r--patches.suse/net-gro-Fix-GRO-flush-when-receiving-a-GSO-packet.patch37
-rw-r--r--patches.suse/net-mlx5-Decrease-default-mr-cache-size.patch55
-rw-r--r--patches.suse/net-mlx5e-Add-a-lock-on-tir-list.patch78
-rw-r--r--patches.suse/net-mlx5e-Fix-error-handling-when-refreshing-TIRs.patch43
-rw-r--r--patches.suse/net-sched-act_sample-fix-divide-by-zero-in-the-traff.patch96
-rw-r--r--patches.suse/net-sched-fix-get-helper-of-the-matchall-cls.patch54
-rw-r--r--patches.suse/sched-do-not-re-read-h_load_next-during-hierarchical-load-calculation.patch11
-rw-r--r--patches.suse/sctp-initialize-_pad-of-sockaddr_in-before-copying-t.patch53
-rw-r--r--patches.suse/tcp-Ensure-DCTCP-reacts-to-losses.patch140
-rw-r--r--patches.suse/vrf-check-accept_source_route-on-the-original-netdev.patch89
-rw-r--r--series.conf95
95 files changed, 8225 insertions, 24 deletions
diff --git a/patches.drivers/HID-input-add-mapping-for-Expose-Overview-key.patch b/patches.drivers/HID-input-add-mapping-for-Expose-Overview-key.patch
new file mode 100644
index 0000000000..f7893ce1ca
--- /dev/null
+++ b/patches.drivers/HID-input-add-mapping-for-Expose-Overview-key.patch
@@ -0,0 +1,39 @@
+From 96dd86871e1fffbc39e4fa61c9c75ec54ee9af0f Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 18 Jan 2019 13:59:08 -0800
+Subject: [PATCH] HID: input: add mapping for Expose/Overview key
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 96dd86871e1fffbc39e4fa61c9c75ec54ee9af0f
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+According to HUTRR77 usage 0x29f from the consumer page is reserved for
+the Desktop application to present all running user’s application windows.
+Linux defines KEY_SCALE to request Compiz Scale (Expose) mode, so let's
+add the mapping.
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hid/hid-input.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index def58c6aa835..5f800e7b04f2 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -1030,6 +1030,8 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
+ case 0x2cb: map_key_clear(KEY_KBDINPUTASSIST_ACCEPT); break;
+ case 0x2cc: map_key_clear(KEY_KBDINPUTASSIST_CANCEL); break;
+
++ case 0x29f: map_key_clear(KEY_SCALE); break;
++
+ default: map_key_clear(KEY_UNKNOWN);
+ }
+ break;
+--
+2.16.4
+
diff --git a/patches.drivers/HID-input-add-mapping-for-Toggle-Display-key.patch b/patches.drivers/HID-input-add-mapping-for-Toggle-Display-key.patch
new file mode 100644
index 0000000000..106c5c7a36
--- /dev/null
+++ b/patches.drivers/HID-input-add-mapping-for-Toggle-Display-key.patch
@@ -0,0 +1,41 @@
+From c01908a14bf735b871170092807c618bb9dae654 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 18 Jan 2019 14:35:45 -0800
+Subject: [PATCH] HID: input: add mapping for "Toggle Display" key
+Git-commit: c01908a14bf735b871170092807c618bb9dae654
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+According to HUT 1.12 usage 0xb5 from the generic desktop page is reserved
+for switching between external and internal display, so let's add the
+mapping.
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hid/hid-input.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index ecb1b6f26853..da76358cde06 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -677,6 +677,14 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
+ break;
+ }
+
++ if ((usage->hid & 0xf0) == 0xb0) { /* SC - Display */
++ switch (usage->hid & 0xf) {
++ case 0x05: map_key_clear(KEY_SWITCHVIDEOMODE); break;
++ default: goto ignore;
++ }
++ break;
++ }
++
+ /*
+ * Some lazy vendors declare 255 usages for System Control,
+ * leading to the creation of ABS_X|Y axis and too many others.
+--
+2.16.4
+
diff --git a/patches.drivers/HID-input-add-mapping-for-keyboard-Brightness-Up-Dow.patch b/patches.drivers/HID-input-add-mapping-for-keyboard-Brightness-Up-Dow.patch
new file mode 100644
index 0000000000..4c91542c96
--- /dev/null
+++ b/patches.drivers/HID-input-add-mapping-for-keyboard-Brightness-Up-Dow.patch
@@ -0,0 +1,36 @@
+From 7975a1d6a7afeb3eb61c971a153d24dd8fa032f3 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 18 Jan 2019 14:05:52 -0800
+Subject: [PATCH] HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys
+Git-commit: 7975a1d6a7afeb3eb61c971a153d24dd8fa032f3
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+According to HUTRR73 usages 0x79, 0x7a and 0x7c from the consumer page
+correspond to Brightness Up/Down/Toggle keys, so let's add the mappings.
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hid/hid-input.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index 5f800e7b04f2..cebe8a8cce2e 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -900,6 +900,10 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
+ case 0x074: map_key_clear(KEY_BRIGHTNESS_MAX); break;
+ case 0x075: map_key_clear(KEY_BRIGHTNESS_AUTO); break;
+
++ case 0x079: map_key_clear(KEY_KBDILLUMUP); break;
++ case 0x07a: map_key_clear(KEY_KBDILLUMDOWN); break;
++ case 0x07c: map_key_clear(KEY_KBDILLUMTOGGLE); break;
++
+ case 0x082: map_key_clear(KEY_VIDEO_NEXT); break;
+ case 0x083: map_key_clear(KEY_LAST); break;
+ case 0x084: map_key_clear(KEY_ENTER); break;
+--
+2.16.4
+
diff --git a/patches.drivers/Input-elan_i2c-add-hardware-ID-for-multiple-Lenovo-l.patch b/patches.drivers/Input-elan_i2c-add-hardware-ID-for-multiple-Lenovo-l.patch
new file mode 100644
index 0000000000..daab894a07
--- /dev/null
+++ b/patches.drivers/Input-elan_i2c-add-hardware-ID-for-multiple-Lenovo-l.patch
@@ -0,0 +1,70 @@
+From 738c06d0e4562e0acf9f2c7438a22b2d5afc67aa Mon Sep 17 00:00:00 2001
+From: KT Liao <kt.liao@emc.com.tw>
+Date: Tue, 26 Mar 2019 17:28:32 -0700
+Subject: [PATCH] Input: elan_i2c - add hardware ID for multiple Lenovo laptops
+Git-commit: 738c06d0e4562e0acf9f2c7438a22b2d5afc67aa
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+There are many Lenovo laptops which need elan_i2c support, this patch adds
+relevant IDs to the Elan driver so that touchpads are recognized.
+
+Signed-off-by: KT Liao <kt.liao@emc.com.tw>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1225,22 +1225,47 @@ static const struct acpi_device_id elan_
+ { "ELAN0600", 0 },
+ { "ELAN0601", 0 },
+ { "ELAN0602", 0 },
++ { "ELAN0603", 0 },
++ { "ELAN0604", 0 },
+ { "ELAN0605", 0 },
++ { "ELAN0606", 0 },
++ { "ELAN0607", 0 },
+ { "ELAN0608", 0 },
+ { "ELAN0605", 0 },
+ { "ELAN0609", 0 },
+ { "ELAN060B", 0 },
+ { "ELAN060C", 0 },
++ { "ELAN060F", 0 },
++ { "ELAN0610", 0 },
+ { "ELAN0611", 0 },
+ { "ELAN0612", 0 },
++ { "ELAN0615", 0 },
++ { "ELAN0616", 0 },
+ { "ELAN0617", 0 },
+ { "ELAN0618", 0 },
++ { "ELAN0619", 0 },
++ { "ELAN061A", 0 },
++ { "ELAN061B", 0 },
+ { "ELAN061C", 0 },
+ { "ELAN061D", 0 },
+ { "ELAN061E", 0 },
++ { "ELAN061F", 0 },
+ { "ELAN0620", 0 },
+ { "ELAN0621", 0 },
+ { "ELAN0622", 0 },
++ { "ELAN0623", 0 },
++ { "ELAN0624", 0 },
++ { "ELAN0625", 0 },
++ { "ELAN0626", 0 },
++ { "ELAN0627", 0 },
++ { "ELAN0628", 0 },
++ { "ELAN0629", 0 },
++ { "ELAN062A", 0 },
++ { "ELAN062B", 0 },
++ { "ELAN062C", 0 },
++ { "ELAN062D", 0 },
++ { "ELAN0631", 0 },
++ { "ELAN0632", 0 },
+ { "ELAN1000", 0 },
+ { }
+ };
diff --git a/patches.drivers/Input-synaptics-rmi4-fix-possible-double-free.patch b/patches.drivers/Input-synaptics-rmi4-fix-possible-double-free.patch
new file mode 100644
index 0000000000..53b55e4051
--- /dev/null
+++ b/patches.drivers/Input-synaptics-rmi4-fix-possible-double-free.patch
@@ -0,0 +1,47 @@
+From bce1a78423961fce676ac65540a31b6ffd179e6d Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Fri, 19 Apr 2019 07:39:00 +0000
+Subject: [PATCH] Input: synaptics-rmi4 - fix possible double free
+Git-commit: bce1a78423961fce676ac65540a31b6ffd179e6d
+Patch-mainline: v5.1-rc7
+References: bsc#1051510
+
+The RMI4 function structure has been released in rmi_register_function
+if error occurs. However, it will be released again in the function
+rmi_create_function, which may result in a double-free bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/input/rmi4/rmi_driver.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c
+index fc3ab93b7aea..7fb358f96195 100644
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -860,7 +860,7 @@ static int rmi_create_function(struct rmi_device *rmi_dev,
+
+ error = rmi_register_function(fn);
+ if (error)
+- goto err_put_fn;
++ return error;
+
+ if (pdt->function_number == 0x01)
+ data->f01_container = fn;
+@@ -870,10 +870,6 @@ static int rmi_create_function(struct rmi_device *rmi_dev,
+ list_add_tail(&fn->node, &data->function_list);
+
+ return RMI_SCAN_CONTINUE;
+-
+-err_put_fn:
+- put_device(&fn->dev);
+- return error;
+ }
+
+ void rmi_enable_irq(struct rmi_device *rmi_dev, bool clear_wake)
+--
+2.16.4
+
diff --git a/patches.drivers/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch b/patches.drivers/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch
new file mode 100644
index 0000000000..94befeb519
--- /dev/null
+++ b/patches.drivers/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch
@@ -0,0 +1,35 @@
+From 62039b6aef63380ba7a37c113bbaeee8a55c5342 Mon Sep 17 00:00:00 2001
+From: Sven Van Asbroeck <thesven73@gmail.com>
+Date: Sun, 10 Mar 2019 14:58:24 -0400
+Subject: [PATCH] iio: adc: xilinx: fix potential use-after-free on remove
+Git-commit: 62039b6aef63380ba7a37c113bbaeee8a55c5342
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+When cancel_delayed_work() returns, the delayed work may still
+be running. This means that the core could potentially free
+the private structure (struct xadc) while the delayed work
+is still using it. This is a potential use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which waits for
+any residual work to finish before returning.
+
+Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/iio/adc/xilinx-xadc-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/xilinx-xadc-core.c
++++ b/drivers/iio/adc/xilinx-xadc-core.c
+@@ -1299,7 +1299,7 @@ static int xadc_remove(struct platform_d
+ }
+ free_irq(irq, indio_dev);
+ clk_disable_unprepare(xadc->clk);
+- cancel_delayed_work(&xadc->zynq_unmask_work);
++ cancel_delayed_work_sync(&xadc->zynq_unmask_work);
+ kfree(xadc->data);
+ kfree(indio_dev->channels);
+
diff --git a/patches.drivers/leds-pwm-silently-error-out-on-EPROBE_DEFER.patch b/patches.drivers/leds-pwm-silently-error-out-on-EPROBE_DEFER.patch
new file mode 100644
index 0000000000..f690b8f16b
--- /dev/null
+++ b/patches.drivers/leds-pwm-silently-error-out-on-EPROBE_DEFER.patch
@@ -0,0 +1,38 @@
+From 9aec30371fb095a0c9415f3f0146ae269c3713d8 Mon Sep 17 00:00:00 2001
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Thu, 6 Sep 2018 15:59:04 +0200
+Subject: [PATCH] leds: pwm: silently error out on EPROBE_DEFER
+Git-commit: 9aec30371fb095a0c9415f3f0146ae269c3713d8
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+When probing, if we fail to get the pwm due to probe deferal, we shouldn't
+print an error message. Just be silent in this case.
+
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/leds/leds-pwm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/leds/leds-pwm.c b/drivers/leds/leds-pwm.c
+index df80c89ebe7f..5d3faae51d59 100644
+--- a/drivers/leds/leds-pwm.c
++++ b/drivers/leds/leds-pwm.c
+@@ -100,8 +100,9 @@ static int led_pwm_add(struct device *dev, struct led_pwm_priv *priv,
+ led_data->pwm = devm_pwm_get(dev, led->name);
+ if (IS_ERR(led_data->pwm)) {
+ ret = PTR_ERR(led_data->pwm);
+- dev_err(dev, "unable to request PWM for %s: %d\n",
+- led->name, ret);
++ if (ret != -EPROBE_DEFER)
++ dev_err(dev, "unable to request PWM for %s: %d\n",
++ led->name, ret);
+ return ret;
+ }
+
+--
+2.16.4
+
diff --git a/patches.drivers/media-atmel-atmel-isc-fix-INIT_WORK-misplacement.patch b/patches.drivers/media-atmel-atmel-isc-fix-INIT_WORK-misplacement.patch
new file mode 100644
index 0000000000..91b7299f76
--- /dev/null
+++ b/patches.drivers/media-atmel-atmel-isc-fix-INIT_WORK-misplacement.patch
@@ -0,0 +1,46 @@
+From 79199002db5c571e335131856b3ff057ffd9f3c0 Mon Sep 17 00:00:00 2001
+From: Eugen Hristev <eugen.hristev@microchip.com>
+Date: Fri, 12 Apr 2019 06:19:46 -0400
+Subject: [PATCH] media: atmel: atmel-isc: fix INIT_WORK misplacement
+Git-commit: 79199002db5c571e335131856b3ff057ffd9f3c0
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+In case the completion function failes, unbind will be called
+which will call cancel_work for awb_work.
+This will trigger a WARN message from the workqueue.
+To avoid this, move the INIT_WORK call at the start of the completion
+function. This way the work is always initialized, which corresponds
+to the 'always canceled' unbind code.
+
+Fixes: 93d4a26c3d ("[media] atmel-isc: add the isc pipeline function")
+
+Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/platform/atmel/atmel-isc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/platform/atmel/atmel-isc.c
++++ b/drivers/media/platform/atmel/atmel-isc.c
+@@ -1553,6 +1553,8 @@ static int isc_async_complete(struct v4l
+ struct vb2_queue *q = &isc->vb2_vidq;
+ int ret;
+
++ INIT_WORK(&isc->awb_work, isc_awb_work);
++
+ ret = v4l2_device_register_subdev_nodes(&isc->v4l2_dev);
+ if (ret < 0) {
+ v4l2_err(&isc->v4l2_dev, "Failed to register subdev nodes\n");
+@@ -1612,8 +1614,6 @@ static int isc_async_complete(struct v4l
+ return ret;
+ }
+
+- INIT_WORK(&isc->awb_work, isc_awb_work);
+-
+ /* Register video device */
+ strlcpy(vdev->name, ATMEL_ISC_NAME, sizeof(vdev->name));
+ vdev->release = video_device_release_empty;
diff --git a/patches.drivers/media-davinci-vpbe-array-underflow-in-vpbe_enum_outp.patch b/patches.drivers/media-davinci-vpbe-array-underflow-in-vpbe_enum_outp.patch
new file mode 100644
index 0000000000..94c1d793fa
--- /dev/null
+++ b/patches.drivers/media-davinci-vpbe-array-underflow-in-vpbe_enum_outp.patch
@@ -0,0 +1,54 @@
+From b72845ee5577b227131b1fef23f9d9a296621d7b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 24 Apr 2019 05:46:27 -0400
+Subject: [PATCH] media: davinci/vpbe: array underflow in vpbe_enum_outputs()
+Git-commit: b72845ee5577b227131b1fef23f9d9a296621d7b
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+In vpbe_enum_outputs() we check if (temp_index >= cfg->num_outputs) but
+the problem is that "temp_index" can be negative. This patch changes
+the types to unsigned to address this array underflow bug.
+
+Fixes: 66715cdc3224 ("[media] davinci vpbe: VPBE display driver")
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: "Lad, Prabhakar" <prabhakar.csengg@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/platform/davinci/vpbe.c | 2 +-
+ include/media/davinci/vpbe.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/davinci/vpbe.c b/drivers/media/platform/davinci/vpbe.c
+index 8339163a5231..4e24f5d781f4 100644
+--- a/drivers/media/platform/davinci/vpbe.c
++++ b/drivers/media/platform/davinci/vpbe.c
+@@ -104,7 +104,7 @@ static int vpbe_enum_outputs(struct vpbe_device *vpbe_dev,
+ struct v4l2_output *output)
+ {
+ struct vpbe_config *cfg = vpbe_dev->cfg;
+- int temp_index = output->index;
++ unsigned int temp_index = output->index;
+
+ if (temp_index >= cfg->num_outputs)
+ return -EINVAL;
+diff --git a/include/media/davinci/vpbe.h b/include/media/davinci/vpbe.h
+index 5c31a7682492..f76d2f25a824 100644
+--- a/include/media/davinci/vpbe.h
++++ b/include/media/davinci/vpbe.h
+@@ -92,7 +92,7 @@ struct vpbe_config {
+ struct encoder_config_info *ext_encoders;
+ /* amplifier information goes here */
+ struct amp_config_info *amp;
+- int num_outputs;
++ unsigned int num_outputs;
+ /* Order is venc outputs followed by LCD and then external encoders */
+ struct vpbe_output *outputs;
+ };
+--
+2.16.4
+
diff --git a/patches.drivers/media-omap_vout-potential-buffer-overflow-in-vidioc_.patch b/patches.drivers/media-omap_vout-potential-buffer-overflow-in-vidioc_.patch
new file mode 100644
index 0000000000..04f40a3fb0
--- /dev/null
+++ b/patches.drivers/media-omap_vout-potential-buffer-overflow-in-vidioc_.patch
@@ -0,0 +1,68 @@
+From dd6e2a981bfe83aa4a493143fd8cf1edcda6c091 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 11 Apr 2019 05:01:57 -0400
+Subject: [PATCH] media: omap_vout: potential buffer overflow in vidioc_dqbuf()
+Git-commit: dd6e2a981bfe83aa4a493143fd8cf1edcda6c091
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The "b->index" is a u32 the comes from the user in the ioctl. It hasn't
+been checked. We aren't supposed to use it but we're instead supposed
+to use the value that gets written to it when we call videobuf_dqbuf().
+
+The videobuf_dqbuf() first memsets it to zero and then re-initializes it
+inside the videobuf_status() function. It's this final value which we
+want.
+
+Hans Verkuil pointed out that we need to check the return from
+videobuf_dqbuf(). I ended up doing a little cleanup related to that as
+well.
+
+Fixes: 72915e851da9 ("[media] V4L2: OMAP: VOUT: dma map and unmap v4l2 buffers in qbuf and dqbuf")
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/platform/omap/omap_vout.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/media/platform/omap/omap_vout.c b/drivers/media/platform/omap/omap_vout.c
+index 37f0d7146dfa..cb6a9e3946b6 100644
+--- a/drivers/media/platform/omap/omap_vout.c
++++ b/drivers/media/platform/omap/omap_vout.c
+@@ -1527,23 +1527,20 @@ static int vidioc_dqbuf(struct file *file, void *fh, struct v4l2_buffer *b)
+ unsigned long size;
+ struct videobuf_buffer *vb;
+
+- vb = q->bufs[b->index];
+-
+ if (!vout->streaming)
+ return -EINVAL;
+
+- if (file->f_flags & O_NONBLOCK)
+- /* Call videobuf_dqbuf for non blocking mode */
+- ret = videobuf_dqbuf(q, (struct v4l2_buffer *)b, 1);
+- else
+- /* Call videobuf_dqbuf for blocking mode */
+- ret = videobuf_dqbuf(q, (struct v4l2_buffer *)b, 0);
++ ret = videobuf_dqbuf(q, b, !!(file->f_flags & O_NONBLOCK));
++ if (ret)
++ return ret;
++
++ vb = q->bufs[b->index];
+
+ addr = (unsigned long) vout->buf_phy_addr[vb->i];
+ size = (unsigned long) vb->size;
+ dma_unmap_single(vout->vid_dev->v4l2_dev.dev, addr,
+ size, DMA_TO_DEVICE);
+- return ret;
++ return 0;
+ }
+
+ static int vidioc_streamon(struct file *file, void *fh, enum v4l2_buf_type i)
+--
+2.16.4
+
diff --git a/patches.drivers/power-supply-axp20x_usb_power-Fix-typo-in-VBUS-curre.patch b/patches.drivers/power-supply-axp20x_usb_power-Fix-typo-in-VBUS-curre.patch
new file mode 100644
index 0000000000..f842e339af
--- /dev/null
+++ b/patches.drivers/power-supply-axp20x_usb_power-Fix-typo-in-VBUS-curre.patch
@@ -0,0 +1,66 @@
+From c11f0b8f226a411915f8d7467bd554a8c9ceec42 Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Tue, 16 Apr 2019 14:40:19 +0800
+Subject: [PATCH] power: supply: axp20x_usb_power: Fix typo in VBUS current limit macros
+Git-commit: c11f0b8f226a411915f8d7467bd554a8c9ceec42
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The VBUS current limit value macros have VBUS typed as VBUC, while
+the bitmask macro is named correctly. Fix it.
+
+Fixes: 69fb4dcada77 ("power: Add an axp20x-usb-power driver")
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/power/supply/axp20x_usb_power.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/power/supply/axp20x_usb_power.c b/drivers/power/supply/axp20x_usb_power.c
+index f52fe77edb6f..cd9b90d79839 100644
+--- a/drivers/power/supply/axp20x_usb_power.c
++++ b/drivers/power/supply/axp20x_usb_power.c
+@@ -36,10 +36,10 @@
+ #define AXP20X_VBUS_VHOLD_MASK GENMASK(5, 3)
+ #define AXP20X_VBUS_VHOLD_OFFSET 3
+ #define AXP20X_VBUS_CLIMIT_MASK 3
+-#define AXP20X_VBUC_CLIMIT_900mA 0
+-#define AXP20X_VBUC_CLIMIT_500mA 1
+-#define AXP20X_VBUC_CLIMIT_100mA 2
+-#define AXP20X_VBUC_CLIMIT_NONE 3
++#define AXP20X_VBUS_CLIMIT_900mA 0
++#define AXP20X_VBUS_CLIMIT_500mA 1
++#define AXP20X_VBUS_CLIMIT_100mA 2
++#define AXP20X_VBUS_CLIMIT_NONE 3
+
+ #define AXP20X_ADC_EN1_VBUS_CURR BIT(2)
+ #define AXP20X_ADC_EN1_VBUS_VOLT BIT(3)
+@@ -107,19 +107,19 @@ static int axp20x_usb_power_get_property(struct power_supply *psy,
+ return ret;
+
+ switch (v & AXP20X_VBUS_CLIMIT_MASK) {
+- case AXP20X_VBUC_CLIMIT_100mA:
++ case AXP20X_VBUS_CLIMIT_100mA:
+ if (power->axp20x_id == AXP221_ID)
+ val->intval = -1; /* No 100mA limit */
+ else
+ val->intval = 100000;
+ break;
+- case AXP20X_VBUC_CLIMIT_500mA:
++ case AXP20X_VBUS_CLIMIT_500mA:
+ val->intval = 500000;
+ break;
+- case AXP20X_VBUC_CLIMIT_900mA:
++ case AXP20X_VBUS_CLIMIT_900mA:
+ val->intval = 900000;
+ break;
+- case AXP20X_VBUC_CLIMIT_NONE:
++ case AXP20X_VBUS_CLIMIT_NONE:
+ val->intval = -1;
+ break;
+ }
+--
+2.16.4
+
diff --git a/patches.drivers/power-supply-axp288_charger-Fix-unchecked-return-val.patch b/patches.drivers/power-supply-axp288_charger-Fix-unchecked-return-val.patch
new file mode 100644
index 0000000000..115d9f2bb3
--- /dev/null
+++ b/patches.drivers/power-supply-axp288_charger-Fix-unchecked-return-val.patch
@@ -0,0 +1,46 @@
+From c3422ad5f84a66739ec6a37251ca27638c85b6be Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 18 Mar 2019 11:14:39 -0500
+Subject: [PATCH] power: supply: axp288_charger: Fix unchecked return value
+Git-commit: c3422ad5f84a66739ec6a37251ca27638c85b6be
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Currently there is no check on platform_get_irq() return value
+in case it fails, hence never actually reporting any errors and
+causing unexpected behavior when using such value as argument
+for function regmap_irq_get_virq().
+
+Fix this by adding a proper check, a message reporting any errors
+and returning *pirq*
+
+Addresses-coverity-id: 1443940 ("Improper use of negative value")
+Fixes: 843735b788a4 ("power: axp288_charger: axp288 charger driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/power/supply/axp288_charger.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/power/supply/axp288_charger.c b/drivers/power/supply/axp288_charger.c
+index f8c6da9277b3..00b961890a38 100644
+--- a/drivers/power/supply/axp288_charger.c
++++ b/drivers/power/supply/axp288_charger.c
+@@ -833,6 +833,10 @@ static int axp288_charger_probe(struct platform_device *pdev)
+ /* Register charger interrupts */
+ for (i = 0; i < CHRG_INTR_END; i++) {
+ pirq = platform_get_irq(info->pdev, i);
++ if (pirq < 0) {
++ dev_err(&pdev->dev, "Failed to get IRQ: %d\n", pirq);
++ return pirq;
++ }
+ info->irq[i] = regmap_irq_get_virq(info->regmap_irqc, pirq);
+ if (info->irq[i] < 0) {
+ dev_warn(&info->pdev->dev,
+--
+2.16.4
+
diff --git a/patches.drivers/spi-Micrel-eth-switch-declare-missing-of-table.patch b/patches.drivers/spi-Micrel-eth-switch-declare-missing-of-table.patch
new file mode 100644
index 0000000000..2a1715bd58
--- /dev/null
+++ b/patches.drivers/spi-Micrel-eth-switch-declare-missing-of-table.patch
@@ -0,0 +1,65 @@
+From 2f23a2a768bee7ad2ff1e9527c3f7e279e794a46 Mon Sep 17 00:00:00 2001
+From: Daniel Gomez <dagmcr@gmail.com>
+Date: Mon, 22 Apr 2019 21:08:03 +0200
+Subject: [PATCH] spi: Micrel eth switch: declare missing of table
+Git-commit: 2f23a2a768bee7ad2ff1e9527c3f7e279e794a46
+Patch-mainline: v5.1-rc7
+References: bsc#1051510
+
+Add missing <of_device_id> table for SPI driver relying on SPI
+device match since compatible is in a DT binding or in a DTS.
+
+Before this patch:
+modinfo drivers/net/phy/spi_ks8995.ko | grep alias
+Alias: spi:ksz8795
+Alias: spi:ksz8864
+Alias: spi:ks8995
+
+After this patch:
+modinfo drivers/net/phy/spi_ks8995.ko | grep alias
+Alias: of:N*T*Cmicrel,ksz8795C*
+Alias: of:N*T*Cmicrel,ksz8795
+Alias: of:N*T*Cmicrel,ksz8864C*
+Alias: of:N*T*Cmicrel,ksz8864
+Alias: of:N*T*Cmicrel,ks8995C*
+Alias: of:N*T*Cmicrel,ks8995
+
+Reported-by: Javier Martinez Canillas <javier@dowhile0.org>
+Signed-off-by: Daniel Gomez <dagmcr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/phy/spi_ks8995.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/phy/spi_ks8995.c b/drivers/net/phy/spi_ks8995.c
+index 92b64e254b44..7475cef17cf7 100644
+--- a/drivers/net/phy/spi_ks8995.c
++++ b/drivers/net/phy/spi_ks8995.c
+@@ -159,6 +159,14 @@ static const struct spi_device_id ks8995_id[] = {
+ };
+ MODULE_DEVICE_TABLE(spi, ks8995_id);
+
++static const struct of_device_id ks8895_spi_of_match[] = {
++ { .compatible = "micrel,ks8995" },
++ { .compatible = "micrel,ksz8864" },
++ { .compatible = "micrel,ksz8795" },
++ { },
++ };
++MODULE_DEVICE_TABLE(of, ks8895_spi_of_match);
++
+ static inline u8 get_chip_id(u8 val)
+ {
+ return (val >> ID1_CHIPID_S) & ID1_CHIPID_M;
+@@ -526,6 +534,7 @@ static int ks8995_remove(struct spi_device *spi)
+ static struct spi_driver ks8995_driver = {
+ .driver = {
+ .name = "spi-ks8995",
++ .of_match_table = of_match_ptr(ks8895_spi_of_match),
+ },
+ .probe = ks8995_probe,
+ .remove = ks8995_remove,
+--
+2.16.4
+
diff --git a/patches.drivers/spi-ST-ST95HF-NFC-declare-missing-of-table.patch b/patches.drivers/spi-ST-ST95HF-NFC-declare-missing-of-table.patch
new file mode 100644
index 0000000000..2cc18f34ea
--- /dev/null
+++ b/patches.drivers/spi-ST-ST95HF-NFC-declare-missing-of-table.patch
@@ -0,0 +1,57 @@
+From d04830531d0c4a99c897a44038e5da3d23331d2f Mon Sep 17 00:00:00 2001
+From: Daniel Gomez <dagmcr@gmail.com>
+Date: Mon, 22 Apr 2019 21:08:04 +0200
+Subject: [PATCH] spi: ST ST95HF NFC: declare missing of table
+Git-commit: d04830531d0c4a99c897a44038e5da3d23331d2f
+Patch-mainline: v5.1-rc7
+References: bsc#1051510
+
+Add missing <of_device_id> table for SPI driver relying on SPI
+device match since compatible is in a DT binding or in a DTS.
+
+Before this patch:
+modinfo drivers/nfc/st95hf/st95hf.ko | grep alias
+Alias: spi:st95hf
+
+After this patch:
+modinfo drivers/nfc/st95hf/st95hf.ko | grep alias
+Alias: of:N*T*Cst,st95hfC*
+Alias: of:N*T*Cst,st95hf
+
+Reported-by: Javier Martinez Canillas <javier@dowhile0.org>
+Signed-off-by: Daniel Gomez <dagmcr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/nfc/st95hf/core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/nfc/st95hf/core.c b/drivers/nfc/st95hf/core.c
+index 2b26f762fbc3..01acb6e53365 100644
+--- a/drivers/nfc/st95hf/core.c
++++ b/drivers/nfc/st95hf/core.c
+@@ -1074,6 +1074,12 @@ static const struct spi_device_id st95hf_id[] = {
+ };
+ MODULE_DEVICE_TABLE(spi, st95hf_id);
+
++static const struct of_device_id st95hf_spi_of_match[] = {
++ { .compatible = "st,st95hf" },
++ { },
++};
++MODULE_DEVICE_TABLE(of, st95hf_spi_of_match);
++
+ static int st95hf_probe(struct spi_device *nfc_spi_dev)
+ {
+ int ret;
+@@ -1260,6 +1266,7 @@ static struct spi_driver st95hf_driver = {
+ .driver = {
+ .name = "st95hf",
+ .owner = THIS_MODULE,
++ .of_match_table = of_match_ptr(st95hf_spi_of_match),
+ },
+ .id_table = st95hf_id,
+ .probe = st95hf_probe,
+--
+2.16.4
+
diff --git a/patches.drivers/thermal-cpu_cooling-Actually-trace-CPU-load-in-therm.patch b/patches.drivers/thermal-cpu_cooling-Actually-trace-CPU-load-in-therm.patch
new file mode 100644
index 0000000000..2f43967f7e
--- /dev/null
+++ b/patches.drivers/thermal-cpu_cooling-Actually-trace-CPU-load-in-therm.patch
@@ -0,0 +1,58 @@
+From bf45ac18b78038e43af3c1a273cae4ab5704d2ce Mon Sep 17 00:00:00 2001
+From: Matthias Kaehlcke <mka@chromium.org>
+Date: Thu, 2 May 2019 11:32:38 -0700
+Subject: [PATCH] thermal: cpu_cooling: Actually trace CPU load in thermal_power_cpu_get_power
+Git-commit: bf45ac18b78038e43af3c1a273cae4ab5704d2ce
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The CPU load values passed to the thermal_power_cpu_get_power
+tracepoint are zero for all CPUs, unless, unless the
+thermal_power_cpu_limit tracepoint is enabled too:
+
+ irq/41-rockchip-98 [000] .... 290.972410: thermal_power_cpu_get_power:
+ cpus=0000000f freq=1800000 load={{0x0,0x0,0x0,0x0}} dynamic_power=4815
+
+vs
+
+ irq/41-rockchip-96 [000] .... 95.773585: thermal_power_cpu_get_power:
+ cpus=0000000f freq=1800000 load={{0x56,0x64,0x64,0x5e}} dynamic_power=4959
+ irq/41-rockchip-96 [000] .... 95.773596: thermal_power_cpu_limit:
+ cpus=0000000f freq=408000 cdev_state=10 power=416
+
+There seems to be no good reason for omitting the CPU load information
+depending on another tracepoint. My guess is that the intention was to
+check whether thermal_power_cpu_get_power is (still) enabled, however
+'load_cpu != NULL' already indicates that it was at least enabled when
+cpufreq_get_requested_power() was entered, there seems little gain
+from omitting the assignment if the tracepoint was just disabled, so
+just remove the check.
+
+Fixes: 6828a4711f99 ("thermal: add trace events to the power allocator governor")
+Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Acked-by: Javi Merino <javi.merino@kernel.org>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/thermal/cpu_cooling.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/cpu_cooling.c b/drivers/thermal/cpu_cooling.c
+index 9b014d0e8e70..4c5db59a619b 100644
+--- a/drivers/thermal/cpu_cooling.c
++++ b/drivers/thermal/cpu_cooling.c
+@@ -444,7 +444,7 @@ static int cpufreq_get_requested_power(struct thermal_cooling_device *cdev,
+ load = 0;
+
+ total_load += load;
+- if (trace_thermal_power_cpu_limit_enabled() && load_cpu)
++ if (load_cpu)
+ load_cpu[i] = load;
+
+ i++;
+--
+2.16.4
+
diff --git a/patches.drm/drm-bridge-adv7511-Fix-low-refresh-rate-selection.patch b/patches.drm/drm-bridge-adv7511-Fix-low-refresh-rate-selection.patch
new file mode 100644
index 0000000000..e105b76f1c
--- /dev/null
+++ b/patches.drm/drm-bridge-adv7511-Fix-low-refresh-rate-selection.patch
@@ -0,0 +1,51 @@
+From 67793bd3b3948dc8c8384b6430e036a30a0ecb43 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@thinci.com>
+Date: Wed, 24 Apr 2019 13:22:27 +0000
+Subject: [PATCH] drm/bridge: adv7511: Fix low refresh rate selection
+Git-commit: 67793bd3b3948dc8c8384b6430e036a30a0ecb43
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The driver currently sets register 0xfb (Low Refresh Rate) based on the
+value of mode->vrefresh. Firstly, this field is specified to be in Hz,
+but the magic numbers used by the code are Hz * 1000. This essentially
+leads to the low refresh rate always being set to 0x01, since the
+vrefresh value will always be less than 24000. Fix the magic numbers to
+be in Hz.
+Secondly, according to the comment in drm_modes.h, the field is not
+supposed to be used in a functional way anyway. Instead, use the helper
+function drm_mode_vrefresh().
+
+Fixes: 9c8af882bf12 ("drm: Add adv7511 encoder driver")
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Matt Redfearn <matt.redfearn@thinci.com>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190424132210.26338-1-matt.redfearn@thinci.com
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+index ec2ca71e1323..c532e9c9e491 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+@@ -748,11 +748,11 @@ static void adv7511_mode_set(struct adv7511 *adv7511,
+ vsync_polarity = 1;
+ }
+
+- if (mode->vrefresh <= 24000)
++ if (drm_mode_vrefresh(mode) <= 24)
+ low_refresh_rate = ADV7511_LOW_REFRESH_RATE_24HZ;
+- else if (mode->vrefresh <= 25000)
++ else if (drm_mode_vrefresh(mode) <= 25)
+ low_refresh_rate = ADV7511_LOW_REFRESH_RATE_25HZ;
+- else if (mode->vrefresh <= 30000)
++ else if (drm_mode_vrefresh(mode) <= 30)
+ low_refresh_rate = ADV7511_LOW_REFRESH_RATE_30HZ;
+ else
+ low_refresh_rate = ADV7511_LOW_REFRESH_RATE_NONE;
+--
+2.16.4
+
diff --git a/patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch b/patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch
new file mode 100644
index 0000000000..2bcc793cb0
--- /dev/null
+++ b/patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch
@@ -0,0 +1,139 @@
+From 03981c6ebec4fc7056b9b45f847393aeac90d060 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Wed, 14 Nov 2018 19:34:40 +0200
+Subject: [PATCH] drm/i915: Disable LP3 watermarks on all SNB machines
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 03981c6ebec4fc7056b9b45f847393aeac90d060
+Patch-mainline: v5.0-rc1
+References: bsc#1051510
+
+I have a Thinkpad X220 Tablet in my hands that is losing vblank
+interrupts whenever LP3 watermarks are used.
+
+If I nudge the latency value written to the WM3 register just
+by one in either direction the problem disappears. That to me
+suggests that the punit will not enter the corrsponding
+powersave mode (MPLL shutdown IIRC) unless the latency value
+in the register matches exactly what we read from SSKPD. Ie.
+it's not really a latency value but rather just a cookie
+by which the punit can identify the desired power saving state.
+On HSW/BDW this was changed such that we actually just write
+the WM level number into those bits, which makes much more
+sense given the observed behaviour.
+
+We could try to handle this by disallowing LP3 watermarks
+only when vblank interrupts are enabled but we'd first have
+to prove that only vblank interrupts are affected, which
+seems unlikely. Also we can't grab the wm mutex from the
+vblank enable/disable hooks because those are called with
+various spinlocks held. Thus we'd have to redesigne the
+watermark locking. So to play it safe and keep the code
+simple we simply disable LP3 watermarks on all SNB machines.
+
+To do that we simply zero out the latency values for
+watermark level 3, and we adjust the watermark computation
+to check for that. The behaviour now matches that of the
+g4x/vlv/skl wm code in the presence of a zeroed latency
+value.
+
+V2: s/USHRT_MAX/U32_MAX/ for consistency with the types (Chris)
+
+Cc: stable@vger.kernel.org
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Acked-by: Chris Wilson <chris@chris-wilson.co.uk>
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101269
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103713
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181114173440.6730-1-ville.syrjala@linux.intel.com
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/i915/intel_pm.c | 41 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c
+index 27498ded4949..897a791662c5 100644
+--- a/drivers/gpu/drm/i915/intel_pm.c
++++ b/drivers/gpu/drm/i915/intel_pm.c
+@@ -2493,6 +2493,9 @@ static uint32_t ilk_compute_pri_wm(const struct intel_crtc_state *cstate,
+ uint32_t method1, method2;
+ int cpp;
+
++ if (mem_value == 0)
++ return U32_MAX;
++
+ if (!intel_wm_plane_visible(cstate, pstate))
+ return 0;
+
+@@ -2522,6 +2525,9 @@ static uint32_t ilk_compute_spr_wm(const struct intel_crtc_state *cstate,
+ uint32_t method1, method2;
+ int cpp;
+
++ if (mem_value == 0)
++ return U32_MAX;
++
+ if (!intel_wm_plane_visible(cstate, pstate))
+ return 0;
+
+@@ -2545,6 +2551,9 @@ static uint32_t ilk_compute_cur_wm(const struct intel_crtc_state *cstate,
+ {
+ int cpp;
+
++ if (mem_value == 0)
++ return U32_MAX;
++
+ if (!intel_wm_plane_visible(cstate, pstate))
+ return 0;
+
+@@ -3008,6 +3017,34 @@ static void snb_wm_latency_quirk(struct drm_i915_private *dev_priv)
+ intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency);
+ }
+
++static void snb_wm_lp3_irq_quirk(struct drm_i915_private *dev_priv)
++{
++ /*
++ * On some SNB machines (Thinkpad X220 Tablet at least)
++ * LP3 usage can cause vblank interrupts to be lost.
++ * The DEIIR bit will go high but it looks like the CPU
++ * never gets interrupted.
++ *
++ * It's not clear whether other interrupt source could
++ * be affected or if this is somehow limited to vblank
++ * interrupts only. To play it safe we disable LP3
++ * watermarks entirely.
++ */
++ if (dev_priv->wm.pri_latency[3] == 0 &&
++ dev_priv->wm.spr_latency[3] == 0 &&
++ dev_priv->wm.cur_latency[3] == 0)
++ return;
++
++ dev_priv->wm.pri_latency[3] = 0;
++ dev_priv->wm.spr_latency[3] = 0;
++ dev_priv->wm.cur_latency[3] = 0;
++
++ DRM_DEBUG_KMS("LP3 watermarks disabled due to potential for lost interrupts\n");
++ intel_print_wm_latency(dev_priv, "Primary", dev_priv->wm.pri_latency);
++ intel_print_wm_latency(dev_priv, "Sprite", dev_priv->wm.spr_latency);
++ intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency);
++}
++
+ static void ilk_setup_wm_latency(struct drm_i915_private *dev_priv)
+ {
+ intel_read_wm_latency(dev_priv, dev_priv->wm.pri_latency);
+@@ -3024,8 +3061,10 @@ static void ilk_setup_wm_latency(struct drm_i915_private *dev_priv)
+ intel_print_wm_latency(dev_priv, "Sprite", dev_priv->wm.spr_latency);
+ intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency);
+
+- if (IS_GEN6(dev_priv))
++ if (IS_GEN6(dev_priv)) {
+ snb_wm_latency_quirk(dev_priv);
++ snb_wm_lp3_irq_quirk(dev_priv);
++ }
+ }
+
+ static void skl_setup_wm_latency(struct drm_i915_private *dev_priv)
+--
+2.16.4
+
diff --git a/patches.drm/drm-i915-Downgrade-Gen9-Plane-WM-latency-error.patch b/patches.drm/drm-i915-Downgrade-Gen9-Plane-WM-latency-error.patch
new file mode 100644
index 0000000000..0fc56eddf2
--- /dev/null
+++ b/patches.drm/drm-i915-Downgrade-Gen9-Plane-WM-latency-error.patch
@@ -0,0 +1,41 @@
+From 86c1c87d0e6241cbe35bd52badfc84b154e1b959 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Thu, 26 Jul 2018 17:15:27 +0100
+Subject: [PATCH] drm/i915: Downgrade Gen9 Plane WM latency error
+Git-commit: 86c1c87d0e6241cbe35bd52badfc84b154e1b959
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+According to intel_read_wm_latency() it is perfectly legal for one WM
+and all subsequent levels to be 0 (and the deeper powersaving states
+disabled), so don't shout *ERROR*, over and over again.
+
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Ville Syrjala <ville.syrjala@linux.intel.com>
+Acked-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180726161527.10516-1-chris@chris-wilson.co.uk
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/i915/intel_pm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c
+index f175923939ae..8a4152244571 100644
+--- a/drivers/gpu/drm/i915/intel_pm.c
++++ b/drivers/gpu/drm/i915/intel_pm.c
+@@ -2942,8 +2942,8 @@ static void intel_print_wm_latency(struct drm_i915_private *dev_priv,
+ unsigned int latency = wm[level];
+
+ if (latency == 0) {
+- DRM_ERROR("%s WM%d latency not provided\n",
+- name, level);
++ DRM_DEBUG_KMS("%s WM%d latency not provided\n",
++ name, level);
+ continue;
+ }
+
+--
+2.16.4
+
diff --git a/patches.drm/drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch b/patches.drm/drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch
new file mode 100644
index 0000000000..e222d5d735
--- /dev/null
+++ b/patches.drm/drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch
@@ -0,0 +1,55 @@
+From 396dd8143bdd94bd1c358a228a631c8c895a1126 Mon Sep 17 00:00:00 2001
+From: Daniel Drake <drake@endlessm.com>
+Date: Tue, 23 Apr 2019 17:28:10 +0800
+Subject: [PATCH] drm/i915/fbc: disable framebuffer compression on GeminiLake
+Git-commit: 396dd8143bdd94bd1c358a228a631c8c895a1126
+Patch-mainline: v5.2-rc1
+No-fix: 1d25724b41fad7eeb2c3058a5c8190d6ece73e08
+References: bsc#1051510
+
+On many (all?) the Gemini Lake systems we work with, there is frequent
+momentary graphical corruption at the top of the screen, and it seems
+that disabling framebuffer compression can avoid this.
+
+The ticket was reported 6 months ago and has already affected a
+multitude of users, without any real progress being made. So, lets
+disable framebuffer compression on GeminiLake until a solution is found.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108085
+Fixes: fd7d6c5c8f3e ("drm/i915: enable FBC on gen9+ too")
+Cc: Paulo Zanoni <paulo.r.zanoni@intel.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Cc: <stable@vger.kernel.org> # v4.11+
+Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
+Signed-off-by: Daniel Drake <drake@endlessm.com>
+Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190423092810.28359-1-jian-hong@endlessm.com
+(cherry picked from commit 1d25724b41fad7eeb2c3058a5c8190d6ece73e08)
+
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/i915/intel_fbc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/i915/intel_fbc.c b/drivers/gpu/drm/i915/intel_fbc.c
+index c805a0966395..5679f2fffb7c 100644
+--- a/drivers/gpu/drm/i915/intel_fbc.c
++++ b/drivers/gpu/drm/i915/intel_fbc.c
+@@ -1280,6 +1280,10 @@ static int intel_sanitize_fbc_option(struct drm_i915_private *dev_priv)
+ if (!HAS_FBC(dev_priv))
+ return 0;
+
++ /* https://bugs.freedesktop.org/show_bug.cgi?id=108085 */
++ if (IS_GEMINILAKE(dev_priv))
++ return 0;
++
+ if (IS_BROADWELL(dev_priv) || INTEL_GEN(dev_priv) >= 9)
+ return 1;
+
+--
+2.16.4
+
diff --git a/patches.drm/drm-imx-don-t-skip-DP-channel-disable-for-background.patch b/patches.drm/drm-imx-don-t-skip-DP-channel-disable-for-background.patch
new file mode 100644
index 0000000000..e27805258f
--- /dev/null
+++ b/patches.drm/drm-imx-don-t-skip-DP-channel-disable-for-background.patch
@@ -0,0 +1,34 @@
+From 7bcde275eb1d0ac8793c77c7e666a886eb16633d Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Fri, 12 Apr 2019 17:59:41 +0200
+Subject: [PATCH] drm/imx: don't skip DP channel disable for background plane
+Git-commit: 7bcde275eb1d0ac8793c77c7e666a886eb16633d
+Patch-mainline: v5.1-rc7
+References: bsc#1051510
+
+In order to make sure that the plane color space gets reset correctly.
+
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/imx/ipuv3-crtc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/imx/ipuv3-crtc.c b/drivers/gpu/drm/imx/ipuv3-crtc.c
+index ec3602ebbc1c..54011df8c2e8 100644
+--- a/drivers/gpu/drm/imx/ipuv3-crtc.c
++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c
+@@ -71,7 +71,7 @@ static void ipu_crtc_disable_planes(struct ipu_crtc *ipu_crtc,
+ if (disable_partial)
+ ipu_plane_disable(ipu_crtc->plane[1], true);
+ if (disable_full)
+- ipu_plane_disable(ipu_crtc->plane[0], false);
++ ipu_plane_disable(ipu_crtc->plane[0], true);
+ }
+
+ static void ipu_crtc_atomic_disable(struct drm_crtc *crtc,
+--
+2.16.4
+
diff --git a/patches.drm/drm-rockchip-fix-for-mailbox-read-validation.patch b/patches.drm/drm-rockchip-fix-for-mailbox-read-validation.patch
new file mode 100644
index 0000000000..73e6a37375
--- /dev/null
+++ b/patches.drm/drm-rockchip-fix-for-mailbox-read-validation.patch
@@ -0,0 +1,39 @@
+From e4056bbb6719fe713bfc4030ac78e8e97ddf7574 Mon Sep 17 00:00:00 2001
+From: Damian Kos <dkos@cadence.com>
+Date: Mon, 19 Nov 2018 15:14:14 +0000
+Subject: [PATCH] drm/rockchip: fix for mailbox read validation.
+Git-commit: e4056bbb6719fe713bfc4030ac78e8e97ddf7574
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+This is basically the same fix as in
+commit fa68d4f8476b ("drm/rockchip: fix for mailbox read size")
+but for cdn_dp_mailbox_validate_receive function.
+
+See patchwork.kernel.org/patch/10671981/ for details.
+
+Signed-off-by: Damian Kos <dkos@cadence.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/1542640463-18332-1-git-send-email-dkos@cadence.com
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/rockchip/cdn-dp-reg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/rockchip/cdn-dp-reg.c b/drivers/gpu/drm/rockchip/cdn-dp-reg.c
+index 5a485489a1e2..6c8b14fb1d2f 100644
+--- a/drivers/gpu/drm/rockchip/cdn-dp-reg.c
++++ b/drivers/gpu/drm/rockchip/cdn-dp-reg.c
+@@ -113,7 +113,7 @@ static int cdp_dp_mailbox_write(struct cdn_dp_device *dp, u8 val)
+
+ static int cdn_dp_mailbox_validate_receive(struct cdn_dp_device *dp,
+ u8 module_id, u8 opcode,
+- u8 req_size)
++ u16 req_size)
+ {
+ u32 mbox_size, i;
+ u8 header[4];
+--
+2.16.4
+
diff --git a/patches.drm/gpu-ipu-v3-dp-fix-CSC-handling.patch b/patches.drm/gpu-ipu-v3-dp-fix-CSC-handling.patch
new file mode 100644
index 0000000000..088bcd1145
--- /dev/null
+++ b/patches.drm/gpu-ipu-v3-dp-fix-CSC-handling.patch
@@ -0,0 +1,71 @@
+From d4fad0a426c6e26f48c9a7cdd21a7fe9c198d645 Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Fri, 12 Apr 2019 17:59:40 +0200
+Subject: [PATCH] gpu: ipu-v3: dp: fix CSC handling
+Git-commit: d4fad0a426c6e26f48c9a7cdd21a7fe9c198d645
+Patch-mainline: v5.1-rc7
+References: bsc#1051510
+
+Initialize the flow input colorspaces to unknown and reset to that value
+when the channel gets disabled. This avoids the state getting mixed up
+with a previous mode.
+
+Also keep the CSC settings for the background flow intact when disabling
+the foreground flow.
+
+Root-caused-by: Jonathan Marek <jonathan@marek.ca>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/ipu-v3/ipu-dp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/ipu-v3/ipu-dp.c b/drivers/gpu/ipu-v3/ipu-dp.c
+index 9b2b3fa479c4..5e44ff1f2085 100644
+--- a/drivers/gpu/ipu-v3/ipu-dp.c
++++ b/drivers/gpu/ipu-v3/ipu-dp.c
+@@ -195,7 +195,8 @@ int ipu_dp_setup_channel(struct ipu_dp *dp,
+ ipu_dp_csc_init(flow, flow->foreground.in_cs, flow->out_cs,
+ DP_COM_CONF_CSC_DEF_BOTH);
+ } else {
+- if (flow->foreground.in_cs == flow->out_cs)
++ if (flow->foreground.in_cs == IPUV3_COLORSPACE_UNKNOWN ||
++ flow->foreground.in_cs == flow->out_cs)
+ /*
+ * foreground identical to output, apply color
+ * conversion on background
+@@ -261,6 +262,8 @@ void ipu_dp_disable_channel(struct ipu_dp *dp, bool sync)
+ struct ipu_dp_priv *priv = flow->priv;
+ u32 reg, csc;
+
++ dp->in_cs = IPUV3_COLORSPACE_UNKNOWN;
++
+ if (!dp->foreground)
+ return;
+
+@@ -268,8 +271,9 @@ void ipu_dp_disable_channel(struct ipu_dp *dp, bool sync)
+
+ reg = readl(flow->base + DP_COM_CONF);
+ csc = reg & DP_COM_CONF_CSC_DEF_MASK;
+- if (csc == DP_COM_CONF_CSC_DEF_FG)
+- reg &= ~DP_COM_CONF_CSC_DEF_MASK;
++ reg &= ~DP_COM_CONF_CSC_DEF_MASK;
++ if (csc == DP_COM_CONF_CSC_DEF_BOTH || csc == DP_COM_CONF_CSC_DEF_BG)
++ reg |= DP_COM_CONF_CSC_DEF_BG;
+
+ reg &= ~DP_COM_CONF_FG_EN;
+ writel(reg, flow->base + DP_COM_CONF);
+@@ -347,6 +351,8 @@ int ipu_dp_init(struct ipu_soc *ipu, struct device *dev, unsigned long base)
+ mutex_init(&priv->mutex);
+
+ for (i = 0; i < IPUV3_NUM_FLOWS; i++) {
++ priv->flow[i].background.in_cs = IPUV3_COLORSPACE_UNKNOWN;
++ priv->flow[i].foreground.in_cs = IPUV3_COLORSPACE_UNKNOWN;
+ priv->flow[i].foreground.foreground = true;
+ priv->flow[i].base = priv->base + ipu_dp_flow_base[i];
+ priv->flow[i].priv = priv;
+--
+2.16.4
+
diff --git a/patches.fixes/0001-netlink-fix-uninit-value-in-netlink_sendmsg.patch b/patches.fixes/0001-netlink-fix-uninit-value-in-netlink_sendmsg.patch
new file mode 100644
index 0000000000..b46b050f49
--- /dev/null
+++ b/patches.fixes/0001-netlink-fix-uninit-value-in-netlink_sendmsg.patch
@@ -0,0 +1,36 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: netlink: fix uninit-value in netlink_sendmsg
+Patch-mainline: v4.17-rc1
+Git-commit: 6091f09c2f79730d895149bcfe3d66140288cd0e
+References: git-fixes
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in ffs arch/x86/include/asm/bitops.h:432 [inline]
+BUG: KMSAN: uninit-value in netlink_sendmsg+0xb26/0x1310 net/netlink/af_netlink.c:1851
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netlink/af_netlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 3e012d578ccd..70cf781ececb 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1812,6 +1812,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+
+ if (msg->msg_namelen) {
+ err = -EINVAL;
++ if (msg->msg_namelen < sizeof(struct sockaddr_nl))
++ goto out;
+ if (addr->nl_family != AF_NETLINK)
+ goto out;
+ dst_portid = addr->nl_pid;
+--
+2.12.3
+
diff --git a/patches.fixes/0001-packet-fix-reserve-calculation.patch b/patches.fixes/0001-packet-fix-reserve-calculation.patch
new file mode 100644
index 0000000000..4031fe8608
--- /dev/null
+++ b/patches.fixes/0001-packet-fix-reserve-calculation.patch
@@ -0,0 +1,49 @@
+From: Willem de Bruijn <willemb@google.com>
+Subject: packet: fix reserve calculation
+Patch-mainline: v4.17-rc7
+Git-commit: 9aad13b087ab0a588cd68259de618f100053360e
+References: git-fixes
+
+
+Commit b84bbaf7a6c8 ("packet: in packet_snd start writing at link
+layer allocation") ensures that packet_snd always starts writing
+the link layer header in reserved headroom allocated for this
+purpose.
+
+This is needed because packets may be shorter than hard_header_len,
+in which case the space up to hard_header_len may be zeroed. But
+that necessary padding is not accounted for in skb->len.
+
+The fix, however, is buggy. It calls skb_push, which grows skb->len
+when moving skb->data back. But in this case packet length should not
+change.
+
+Instead, call skb_reserve, which moves both skb->data and skb->tail
+back, without changing length.
+
+Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation")
+Reported-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/packet/af_packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 901618eb2725..9689622eaef7 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2933,7 +2933,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+ if (unlikely(offset < 0))
+ goto out_free;
+ } else if (reserve) {
+- skb_push(skb, reserve);
++ skb_reserve(skb, -reserve);
+ }
+
+ /* Returns -EFAULT on error */
+--
+2.12.3
+
diff --git a/patches.fixes/0002-net-fix-rtnh_ok.patch b/patches.fixes/0002-net-fix-rtnh_ok.patch
new file mode 100644
index 0000000000..ff95b40996
--- /dev/null
+++ b/patches.fixes/0002-net-fix-rtnh_ok.patch
@@ -0,0 +1,40 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: fix rtnh_ok()
+Patch-mainline: v4.17-rc1
+Git-commit: b1993a2de12c9e75c35729e2ffbc3a92d50c0d31
+References: git-fixes
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in rtnh_ok include/net/nexthop.h:11 [inline]
+BUG: KMSAN: uninit-value in fib_count_nexthops net/ipv4/fib_semantics.c:469 [inline]
+BUG: KMSAN: uninit-value in fib_create_info+0x554/0x8d20 net/ipv4/fib_semantics.c:1091
+
+@remaining is an integer, coming from user space.
+If it is negative we want rtnh_ok() to return false.
+
+Fixes: 4e902c57417c ("[IPv4]: FIB configuration using struct fib_config")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ include/net/nexthop.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/nexthop.h b/include/net/nexthop.h
+index 3334dbfa5aa4..7fc78663ec9d 100644
+--- a/include/net/nexthop.h
++++ b/include/net/nexthop.h
+@@ -6,7 +6,7 @@
+
+ static inline int rtnh_ok(const struct rtnexthop *rtnh, int remaining)
+ {
+- return remaining >= sizeof(*rtnh) &&
++ return remaining >= (int)sizeof(*rtnh) &&
+ rtnh->rtnh_len >= sizeof(*rtnh) &&
+ rtnh->rtnh_len <= remaining;
+ }
+--
+2.12.3
+
diff --git a/patches.fixes/0002-packet-reset-network-header-if-packet-shorter-than-l.patch b/patches.fixes/0002-packet-reset-network-header-if-packet-shorter-than-l.patch
new file mode 100644
index 0000000000..a826f3d726
--- /dev/null
+++ b/patches.fixes/0002-packet-reset-network-header-if-packet-shorter-than-l.patch
@@ -0,0 +1,37 @@
+From: Willem de Bruijn <willemb@google.com>
+Subject: packet: reset network header if packet shorter than ll
+ reserved space
+Patch-mainline: v4.18-rc6
+Git-commit: 993675a3100b16a4c80dfd70cbcde8ea7127b31d
+References: git-fixes
+
+If variable length link layer headers result in a packet shorter
+than dev->hard_header_len, reset the network header offset. Else
+skb->mac_len may exceed skb->len after skb_mac_reset_len.
+
+packet_sendmsg_spkt already has similar logic.
+
+Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 9689622eaef7..cf7652bb2218 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2934,6 +2934,8 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+ goto out_free;
+ } else if (reserve) {
+ skb_reserve(skb, -reserve);
++ if (len < reserve)
++ skb_reset_network_header(skb);
+ }
+
+ /* Returns -EFAULT on error */
+--
+2.12.3
+
diff --git a/patches.fixes/0003-l2tp-fix-missing-refcount-drop-in-pppol2tp_tunnel_io.patch b/patches.fixes/0003-l2tp-fix-missing-refcount-drop-in-pppol2tp_tunnel_io.patch
new file mode 100644
index 0000000000..fbe8993bb3
--- /dev/null
+++ b/patches.fixes/0003-l2tp-fix-missing-refcount-drop-in-pppol2tp_tunnel_io.patch
@@ -0,0 +1,48 @@
+From: Guillaume Nault <g.nault@alphalink.fr>
+Subject: l2tp: fix missing refcount drop in
+ pppol2tp_tunnel_ioctl()
+Patch-mainline: v4.18-rc8
+Git-commit: f664e37dcc525768280cb94321424a09beb1c992
+References: git-fixes
+
+If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to
+drop the reference taken by l2tp_session_get().
+
+Fixes: ecd012e45ab5 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/l2tp/l2tp_ppp.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 3cd4cce8338c..93d4c72e4ee5 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -1214,13 +1214,18 @@ static int pppol2tp_tunnel_ioctl(struct l2tp_tunnel *tunnel,
+ l2tp_session_get(sock_net(sk), tunnel,
+ stats.session_id);
+
+- if (session && session->pwtype == L2TP_PWTYPE_PPP) {
+- err = pppol2tp_session_ioctl(session, cmd,
+- arg);
++ if (!session) {
++ err = -EBADR;
++ break;
++ }
++ if (session->pwtype != L2TP_PWTYPE_PPP) {
+ l2tp_session_dec_refcount(session);
+- } else {
+ err = -EBADR;
++ break;
+ }
++
++ err = pppol2tp_session_ioctl(session, cmd, arg);
++ l2tp_session_dec_refcount(session);
+ break;
+ }
+ #ifdef CONFIG_XFRM
+--
+2.12.3
+
diff --git a/patches.fixes/0003-net-initialize-skb-peeked-when-cloning.patch b/patches.fixes/0003-net-initialize-skb-peeked-when-cloning.patch
new file mode 100644
index 0000000000..9f11b92b6c
--- /dev/null
+++ b/patches.fixes/0003-net-initialize-skb-peeked-when-cloning.patch
@@ -0,0 +1,35 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: net: initialize skb->peeked when cloning
+Patch-mainline: v4.17-rc1
+Git-commit: b13dda9f9aa7caceeee61c080c2e544d5f5d85e5
+References: git-fixes
+
+syzbot reported __skb_try_recv_from_queue() was using skb->peeked
+while it was potentially unitialized.
+
+We need to clear it in __skb_clone()
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/core/skbuff.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 4fd1eec0b79f..c160048283bc 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -896,6 +896,7 @@ static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb)
+ n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len;
+ n->cloned = 1;
+ n->nohdr = 0;
++ n->peeked = 0;
+ n->destructor = NULL;
+ C(tail);
+ C(end);
+--
+2.12.3
+
diff --git a/patches.fixes/0004-net-fix-uninit-value-in-__hw_addr_add_ex.patch b/patches.fixes/0004-net-fix-uninit-value-in-__hw_addr_add_ex.patch
new file mode 100644
index 0000000000..61ccd449bc
--- /dev/null
+++ b/patches.fixes/0004-net-fix-uninit-value-in-__hw_addr_add_ex.patch
@@ -0,0 +1,57 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: net: fix uninit-value in __hw_addr_add_ex()
+Patch-mainline: v4.17-rc1
+Git-commit: 77d36398d99f2565c0a8d43a86fd520a82e64bb8
+References: git-fixes
+
+syzbot complained :
+
+BUG: KMSAN: uninit-value in memcmp+0x119/0x180 lib/string.c:861
+CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: ipv6_addrconf addrconf_dad_work
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ memcmp+0x119/0x180 lib/string.c:861
+ __hw_addr_add_ex net/core/dev_addr_lists.c:60 [inline]
+ __dev_mc_add+0x1c2/0x8e0 net/core/dev_addr_lists.c:670
+ dev_mc_add+0x6d/0x80 net/core/dev_addr_lists.c:687
+ igmp6_group_added+0x2db/0xa00 net/ipv6/mcast.c:662
+ ipv6_dev_mc_inc+0xe9e/0x1130 net/ipv6/mcast.c:914
+ addrconf_join_solict net/ipv6/addrconf.c:2078 [inline]
+ addrconf_dad_begin net/ipv6/addrconf.c:3828 [inline]
+ addrconf_dad_work+0x427/0x2150 net/ipv6/addrconf.c:3954
+ process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
+ worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
+ kthread+0x539/0x720 kernel/kthread.c:239
+
+Fixes: f001fde5eadd ("net: introduce a list of device addresses dev_addr_list (v6)")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/core/dev_addr_lists.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c
+index c0548d268e1a..e3e6a3e2ca22 100644
+--- a/net/core/dev_addr_lists.c
++++ b/net/core/dev_addr_lists.c
+@@ -57,8 +57,8 @@ static int __hw_addr_add_ex(struct netdev_hw_addr_list *list,
+ return -EINVAL;
+
+ list_for_each_entry(ha, &list->list, list) {
+- if (!memcmp(ha->addr, addr, addr_len) &&
+- ha->type == addr_type) {
++ if (ha->type == addr_type &&
++ !memcmp(ha->addr, addr, addr_len)) {
+ if (global) {
+ /* check if addr is already used as global */
+ if (ha->global_use)
+--
+2.12.3
+
diff --git a/patches.fixes/0004-rxrpc-Fix-transport-sockopts-to-get-IPv4-errors-on-a.patch b/patches.fixes/0004-rxrpc-Fix-transport-sockopts-to-get-IPv4-errors-on-a.patch
new file mode 100644
index 0000000000..b3b9fdbd1c
--- /dev/null
+++ b/patches.fixes/0004-rxrpc-Fix-transport-sockopts-to-get-IPv4-errors-on-a.patch
@@ -0,0 +1,82 @@
+From: David Howells <dhowells@redhat.com>
+Subject: rxrpc: Fix transport sockopts to get IPv4 errors on an
+ IPv6 socket
+Patch-mainline: v4.19-rc7
+Git-commit: 37a675e768d7606fe8a53e0c459c9b53e121ac20
+References: git-fixes
+
+It seems that enabling IPV6_RECVERR on an IPv6 socket doesn't also turn on
+IP_RECVERR, so neither local errors nor ICMP-transported remote errors from
+IPv4 peer addresses are returned to the AF_RXRPC protocol.
+
+Make the sockopt setting code in rxrpc_open_socket() fall through from the
+AF_INET6 case to the AF_INET case to turn on all the AF_INET options too in
+the AF_INET6 case.
+
+Fixes: f2aeed3a591f ("rxrpc: Fix error reception on AF_INET6 sockets")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/rxrpc/local_object.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c
+index adc49d8285bf..852a036c775e 100644
+--- a/net/rxrpc/local_object.c
++++ b/net/rxrpc/local_object.c
+@@ -134,10 +134,10 @@ static int rxrpc_open_socket(struct rxrpc_local *local)
+ }
+
+ switch (local->srx.transport.family) {
+- case AF_INET:
+- /* we want to receive ICMP errors */
++ case AF_INET6:
++ /* we want to receive ICMPv6 errors */
+ opt = 1;
+- ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_RECVERR,
+ (char *) &opt, sizeof(opt));
+ if (ret < 0) {
+ _debug("setsockopt failed");
+@@ -145,19 +145,22 @@ static int rxrpc_open_socket(struct rxrpc_local *local)
+ }
+
+ /* we want to set the don't fragment bit */
+- opt = IP_PMTUDISC_DO;
+- ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
++ opt = IPV6_PMTUDISC_DO;
++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_MTU_DISCOVER,
+ (char *) &opt, sizeof(opt));
+ if (ret < 0) {
+ _debug("setsockopt failed");
+ goto error;
+ }
+- break;
+
+- case AF_INET6:
++ /* Fall through and set IPv4 options too otherwise we don't get
++ * errors from IPv4 packets sent through the IPv6 socket.
++ */
++
++ case AF_INET:
+ /* we want to receive ICMP errors */
+ opt = 1;
+- ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_RECVERR,
++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
+ (char *) &opt, sizeof(opt));
+ if (ret < 0) {
+ _debug("setsockopt failed");
+@@ -165,8 +168,8 @@ static int rxrpc_open_socket(struct rxrpc_local *local)
+ }
+
+ /* we want to set the don't fragment bit */
+- opt = IPV6_PMTUDISC_DO;
+- ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_MTU_DISCOVER,
++ opt = IP_PMTUDISC_DO;
++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
+ (char *) &opt, sizeof(opt));
+ if (ret < 0) {
+ _debug("setsockopt failed");
+--
+2.12.3
+
diff --git a/patches.fixes/0005-inetpeer-fix-uninit-value-in-inet_getpeer.patch b/patches.fixes/0005-inetpeer-fix-uninit-value-in-inet_getpeer.patch
new file mode 100644
index 0000000000..1a25b0ee0f
--- /dev/null
+++ b/patches.fixes/0005-inetpeer-fix-uninit-value-in-inet_getpeer.patch
@@ -0,0 +1,119 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: inetpeer: fix uninit-value in inet_getpeer
+Patch-mainline: v4.17-rc1
+Git-commit: b6a37e5e25414df4b8e9140a5c6f5ee0ec6f3b90
+References: git-fixes
+
+syzbot/KMSAN reported that p->dtime was read while it was
+not yet initialized in :
+
+ delta = (__u32)jiffies - p->dtime;
+ if (delta < ttl || !refcount_dec_if_one(&p->refcnt))
+ gc_stack[i] = NULL;
+
+This is a false positive, because the inetpeer wont be erased
+from rb-tree if the refcount_dec_if_one(&p->refcnt) does not
+succeed. And this wont happen before first inet_putpeer() call
+for this inetpeer has been done, and ->dtime field is written
+exactly before the refcount_dec_and_test(&p->refcnt).
+
+The KMSAN report was :
+
+BUG: KMSAN: uninit-value in inet_peer_gc net/ipv4/inetpeer.c:163 [inline]
+BUG: KMSAN: uninit-value in inet_getpeer+0x1567/0x1e70 net/ipv4/inetpeer.c:228
+CPU: 0 PID: 9494 Comm: syz-executor5 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ inet_peer_gc net/ipv4/inetpeer.c:163 [inline]
+ inet_getpeer+0x1567/0x1e70 net/ipv4/inetpeer.c:228
+ inet_getpeer_v4 include/net/inetpeer.h:110 [inline]
+ icmpv4_xrlim_allow net/ipv4/icmp.c:330 [inline]
+ icmp_send+0x2b44/0x3050 net/ipv4/icmp.c:725
+ ip_options_compile+0x237c/0x29f0 net/ipv4/ip_options.c:472
+ ip_rcv_options net/ipv4/ip_input.c:284 [inline]
+ ip_rcv_finish+0xda8/0x16d0 net/ipv4/ip_input.c:365
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
+ __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
+ __netif_receive_skb net/core/dev.c:4627 [inline]
+ netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701
+ netif_receive_skb+0x230/0x240 net/core/dev.c:4725
+ tun_rx_batched drivers/net/tun.c:1555 [inline]
+ tun_get_user+0x6d88/0x7580 drivers/net/tun.c:1962
+ tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
+ do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
+ do_iter_write+0x30d/0xd40 fs/read_write.c:932
+ vfs_writev fs/read_write.c:977 [inline]
+ do_writev+0x3c9/0x830 fs/read_write.c:1012
+ SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
+ SyS_writev+0x56/0x80 fs/read_write.c:1082
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x455111
+RSP: 002b:00007fae0365cba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
+RAX: ffffffffffffffda RBX: 000000000000002e RCX: 0000000000455111
+RDX: 0000000000000001 RSI: 00007fae0365cbf0 RDI: 00000000000000fc
+RBP: 0000000020000040 R08: 00000000000000fc R09: 0000000000000000
+R10: 000000000000002e R11: 0000000000000293 R12: 00000000ffffffff
+R13: 0000000000000658 R14: 00000000006fc8e0 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
+ inet_getpeer+0xed8/0x1e70 net/ipv4/inetpeer.c:210
+ inet_getpeer_v4 include/net/inetpeer.h:110 [inline]
+ ip4_frag_init+0x4d1/0x740 net/ipv4/ip_fragment.c:153
+ inet_frag_alloc net/ipv4/inet_fragment.c:369 [inline]
+ inet_frag_create net/ipv4/inet_fragment.c:385 [inline]
+ inet_frag_find+0x7da/0x1610 net/ipv4/inet_fragment.c:418
+ ip_find net/ipv4/ip_fragment.c:275 [inline]
+ ip_defrag+0x448/0x67a0 net/ipv4/ip_fragment.c:676
+ ip_check_defrag+0x775/0xda0 net/ipv4/ip_fragment.c:724
+ packet_rcv_fanout+0x2a8/0x8d0 net/packet/af_packet.c:1447
+ deliver_skb net/core/dev.c:1897 [inline]
+ deliver_ptype_list_skb net/core/dev.c:1912 [inline]
+ __netif_receive_skb_core+0x314a/0x4a80 net/core/dev.c:4545
+ __netif_receive_skb net/core/dev.c:4627 [inline]
+ netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701
+ netif_receive_skb+0x230/0x240 net/core/dev.c:4725
+ tun_rx_batched drivers/net/tun.c:1555 [inline]
+ tun_get_user+0x6d88/0x7580 drivers/net/tun.c:1962
+ tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
+ do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
+ do_iter_write+0x30d/0xd40 fs/read_write.c:932
+ vfs_writev fs/read_write.c:977 [inline]
+ do_writev+0x3c9/0x830 fs/read_write.c:1012
+ SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
+ SyS_writev+0x56/0x80 fs/read_write.c:1082
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/inetpeer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
+index b20c8ac64081..64007ce87273 100644
+--- a/net/ipv4/inetpeer.c
++++ b/net/ipv4/inetpeer.c
+@@ -210,6 +210,7 @@ struct inet_peer *inet_getpeer(struct inet_peer_base *base,
+ p = kmem_cache_alloc(peer_cachep, GFP_ATOMIC);
+ if (p) {
+ p->daddr = *daddr;
++ p->dtime = (__u32)jiffies;
+ refcount_set(&p->refcnt, 2);
+ atomic_set(&p->rid, 0);
+ p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
+--
+2.12.3
+
diff --git a/patches.fixes/0006-ipvs-fix-rtnl_lock-lockups-caused-by-start_sync_thre.patch b/patches.fixes/0006-ipvs-fix-rtnl_lock-lockups-caused-by-start_sync_thre.patch
new file mode 100644
index 0000000000..a3796b4c6b
--- /dev/null
+++ b/patches.fixes/0006-ipvs-fix-rtnl_lock-lockups-caused-by-start_sync_thre.patch
@@ -0,0 +1,641 @@
+From: Julian Anastasov <ja@ssi.bg>
+Subject: ipvs: fix rtnl_lock lockups caused by start_sync_thread
+Patch-mainline: v4.17-rc3
+Git-commit: 5c64576a77894a50be80be0024bed27171b55989
+References: git-fixes
+
+syzkaller reports for wrong rtnl_lock usage in sync code [1] and [2]
+
+We have 2 problems in start_sync_thread if error path is
+taken, eg. on memory allocation error or failure to configure
+sockets for mcast group or addr/port binding:
+
+1. recursive locking: holding rtnl_lock while calling sock_release
+which in turn calls again rtnl_lock in ip_mc_drop_socket to leave
+the mcast group, as noticed by Florian Westphal. Additionally,
+sock_release can not be called while holding sync_mutex (ABBA
+deadlock).
+
+2. task hung: holding rtnl_lock while calling kthread_stop to
+stop the running kthreads. As the kthreads do the same to leave
+the mcast group (sock_release -> ip_mc_drop_socket -> rtnl_lock)
+they hang.
+
+Fix the problems by calling rtnl_unlock early in the error path,
+now sock_release is called after unlocking both mutexes.
+
+Problem 3 (task hung reported by syzkaller [2]) is variant of
+problem 2: use _trylock to prevent one user to call rtnl_lock and
+then while waiting for sync_mutex to block kthreads that execute
+sock_release when they are stopped by stop_sync_thread.
+
+[1]
+IPVS: stopping backup sync thread 4500 ...
+WARNING: possible recursive locking detected
+4.16.0-rc7+ #3 Not tainted
+--------------------------------------------
+syzkaller688027/4497 is trying to acquire lock:
+ (rtnl_mutex){+.+.}, at: [<00000000bb14d7fb>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+
+but task is already holding lock:
+IPVS: stopping backup sync thread 4495 ...
+ (rtnl_mutex){+.+.}, at: [<00000000bb14d7fb>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(rtnl_mutex);
+ lock(rtnl_mutex);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+2 locks held by syzkaller688027/4497:
+ #0: (rtnl_mutex){+.+.}, at: [<00000000bb14d7fb>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+ #1: (ipvs->sync_mutex){+.+.}, at: [<00000000703f78e3>]
+do_ip_vs_set_ctl+0x10f8/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2388
+
+stack backtrace:
+CPU: 1 PID: 4497 Comm: syzkaller688027 Not tainted 4.16.0-rc7+ #3
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x194/0x24d lib/dump_stack.c:53
+ print_deadlock_bug kernel/locking/lockdep.c:1761 [inline]
+ check_deadlock kernel/locking/lockdep.c:1805 [inline]
+ validate_chain kernel/locking/lockdep.c:2401 [inline]
+ __lock_acquire+0xe8f/0x3e00 kernel/locking/lockdep.c:3431
+ lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
+ __mutex_lock_common kernel/locking/mutex.c:756 [inline]
+ __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
+ mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
+ rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
+ ip_mc_drop_socket+0x88/0x230 net/ipv4/igmp.c:2643
+ inet_release+0x4e/0x1c0 net/ipv4/af_inet.c:413
+ sock_release+0x8d/0x1e0 net/socket.c:595
+ start_sync_thread+0x2213/0x2b70 net/netfilter/ipvs/ip_vs_sync.c:1924
+ do_ip_vs_set_ctl+0x1139/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2389
+ nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
+ nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
+ ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1261
+ udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2406
+ sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
+ SYSC_setsockopt net/socket.c:1849 [inline]
+ SyS_setsockopt+0x189/0x360 net/socket.c:1828
+ do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x446a69
+RSP: 002b:00007fa1c3a64da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000446a69
+RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 00000000006e29fc R08: 0000000000000018 R09: 0000000000000000
+R10: 00000000200000c0 R11: 0000000000000246 R12: 00000000006e29f8
+R13: 00676e697279656b R14: 00007fa1c3a659c0 R15: 00000000006e2b60
+
+[2]
+IPVS: sync thread started: state = BACKUP, mcast_ifn = syz_tun, syncid = 4,
+id = 0
+IPVS: stopping backup sync thread 25415 ...
+INFO: task syz-executor7:25421 blocked for more than 120 seconds.
+ Not tainted 4.16.0-rc6+ #284
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+syz-executor7 D23688 25421 4408 0x00000004
+Call Trace:
+ context_switch kernel/sched/core.c:2862 [inline]
+ __schedule+0x8fb/0x1ec0 kernel/sched/core.c:3440
+ schedule+0xf5/0x430 kernel/sched/core.c:3499
+ schedule_timeout+0x1a3/0x230 kernel/time/timer.c:1777
+ do_wait_for_common kernel/sched/completion.c:86 [inline]
+ __wait_for_common kernel/sched/completion.c:107 [inline]
+ wait_for_common kernel/sched/completion.c:118 [inline]
+ wait_for_completion+0x415/0x770 kernel/sched/completion.c:139
+ kthread_stop+0x14a/0x7a0 kernel/kthread.c:530
+ stop_sync_thread+0x3d9/0x740 net/netfilter/ipvs/ip_vs_sync.c:1996
+ do_ip_vs_set_ctl+0x2b1/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2394
+ nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
+ nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
+ ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1253
+ sctp_setsockopt+0x2ca/0x63e0 net/sctp/socket.c:4154
+ sock_common_setsockopt+0x95/0xd0 net/core/sock.c:3039
+ SYSC_setsockopt net/socket.c:1850 [inline]
+ SyS_setsockopt+0x189/0x360 net/socket.c:1829
+ do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x454889
+RSP: 002b:00007fc927626c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 00007fc9276276d4 RCX: 0000000000454889
+RDX: 000000000000048c RSI: 0000000000000000 RDI: 0000000000000017
+RBP: 000000000072bf58 R08: 0000000000000018 R09: 0000000000000000
+R10: 0000000020000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 000000000000051c R14: 00000000006f9b40 R15: 0000000000000001
+
+Showing all locks held in the system:
+2 locks held by khungtaskd/868:
+ #0: (rcu_read_lock){....}, at: [<00000000a1a8f002>]
+check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
+ #0: (rcu_read_lock){....}, at: [<00000000a1a8f002>] watchdog+0x1c5/0xd60
+kernel/hung_task.c:249
+ #1: (tasklist_lock){.+.+}, at: [<0000000037c2f8f9>]
+debug_show_all_locks+0xd3/0x3d0 kernel/locking/lockdep.c:4470
+1 lock held by rsyslogd/4247:
+ #0: (&f->f_pos_lock){+.+.}, at: [<000000000d8d6983>]
+__fdget_pos+0x12b/0x190 fs/file.c:765
+2 locks held by getty/4338:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+2 locks held by getty/4339:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+2 locks held by getty/4340:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+2 locks held by getty/4341:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+2 locks held by getty/4342:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+2 locks held by getty/4343:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+2 locks held by getty/4344:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+3 locks held by kworker/0:5/6494:
+ #0: ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
+[<00000000a062b18e>] work_static include/linux/workqueue.h:198 [inline]
+ #0: ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
+[<00000000a062b18e>] set_work_data kernel/workqueue.c:619 [inline]
+ #0: ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
+[<00000000a062b18e>] set_work_pool_and_clear_pending kernel/workqueue.c:646
+[inline]
+ #0: ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
+[<00000000a062b18e>] process_one_work+0xb12/0x1bb0 kernel/workqueue.c:2084
+ #1: ((addr_chk_work).work){+.+.}, at: [<00000000278427d5>]
+process_one_work+0xb89/0x1bb0 kernel/workqueue.c:2088
+ #2: (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+1 lock held by syz-executor7/25421:
+ #0: (ipvs->sync_mutex){+.+.}, at: [<00000000d414a689>]
+do_ip_vs_set_ctl+0x277/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2393
+2 locks held by syz-executor7/25427:
+ #0: (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+ #1: (ipvs->sync_mutex){+.+.}, at: [<00000000e6d48489>]
+do_ip_vs_set_ctl+0x10f8/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2388
+1 lock held by syz-executor7/25435:
+ #0: (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+1 lock held by ipvs-b:2:0/25415:
+ #0: (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+
+Reported-and-tested-by: syzbot+a46d6abf9d56b1365a72@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+5fe074c01b2032ce9618@syzkaller.appspotmail.com
+Fixes: e0b26cc997d5 ("ipvs: call rtnl_lock early")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 8 ---
+ net/netfilter/ipvs/ip_vs_sync.c | 155 +++++++++++++++++++++-------------------
+ 2 files changed, 80 insertions(+), 83 deletions(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 1fa3c2307b6e..ce51ba12c605 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2386,11 +2386,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ strlcpy(cfg.mcast_ifn, dm->mcast_ifn,
+ sizeof(cfg.mcast_ifn));
+ cfg.syncid = dm->syncid;
+- rtnl_lock();
+- mutex_lock(&ipvs->sync_mutex);
+ ret = start_sync_thread(ipvs, &cfg, dm->state);
+- mutex_unlock(&ipvs->sync_mutex);
+- rtnl_unlock();
+ } else {
+ mutex_lock(&ipvs->sync_mutex);
+ ret = stop_sync_thread(ipvs, dm->state);
+@@ -3483,12 +3479,8 @@ static int ip_vs_genl_new_daemon(struct netns_ipvs *ipvs, struct nlattr **attrs)
+ if (ipvs->mixed_address_family_dests > 0)
+ return -EINVAL;
+
+- rtnl_lock();
+- mutex_lock(&ipvs->sync_mutex);
+ ret = start_sync_thread(ipvs, &c,
+ nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]));
+- mutex_unlock(&ipvs->sync_mutex);
+- rtnl_unlock();
+ return ret;
+ }
+
+diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
+index 0e5b64a75da0..9f1aa78e837d 100644
+--- a/net/netfilter/ipvs/ip_vs_sync.c
++++ b/net/netfilter/ipvs/ip_vs_sync.c
+@@ -48,6 +48,7 @@
+ #include <linux/kthread.h>
+ #include <linux/wait.h>
+ #include <linux/kernel.h>
++#include <linux/sched/signal.h>
+
+ #include <asm/unaligned.h> /* Used for ntoh_seq and hton_seq */
+
+@@ -1359,15 +1360,9 @@ static void set_mcast_pmtudisc(struct sock *sk, int val)
+ /*
+ * Specifiy default interface for outgoing multicasts
+ */
+-static int set_mcast_if(struct sock *sk, char *ifname)
++static int set_mcast_if(struct sock *sk, struct net_device *dev)
+ {
+- struct net_device *dev;
+ struct inet_sock *inet = inet_sk(sk);
+- struct net *net = sock_net(sk);
+-
+- dev = __dev_get_by_name(net, ifname);
+- if (!dev)
+- return -ENODEV;
+
+ if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if)
+ return -EINVAL;
+@@ -1395,19 +1390,14 @@ static int set_mcast_if(struct sock *sk, char *ifname)
+ * in the in_addr structure passed in as a parameter.
+ */
+ static int
+-join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname)
++join_mcast_group(struct sock *sk, struct in_addr *addr, struct net_device *dev)
+ {
+- struct net *net = sock_net(sk);
+ struct ip_mreqn mreq;
+- struct net_device *dev;
+ int ret;
+
+ memset(&mreq, 0, sizeof(mreq));
+ memcpy(&mreq.imr_multiaddr, addr, sizeof(struct in_addr));
+
+- dev = __dev_get_by_name(net, ifname);
+- if (!dev)
+- return -ENODEV;
+ if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if)
+ return -EINVAL;
+
+@@ -1422,15 +1412,10 @@ join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname)
+
+ #ifdef CONFIG_IP_VS_IPV6
+ static int join_mcast_group6(struct sock *sk, struct in6_addr *addr,
+- char *ifname)
++ struct net_device *dev)
+ {
+- struct net *net = sock_net(sk);
+- struct net_device *dev;
+ int ret;
+
+- dev = __dev_get_by_name(net, ifname);
+- if (!dev)
+- return -ENODEV;
+ if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if)
+ return -EINVAL;
+
+@@ -1442,24 +1427,18 @@ static int join_mcast_group6(struct sock *sk, struct in6_addr *addr,
+ }
+ #endif
+
+-static int bind_mcastif_addr(struct socket *sock, char *ifname)
++static int bind_mcastif_addr(struct socket *sock, struct net_device *dev)
+ {
+- struct net *net = sock_net(sock->sk);
+- struct net_device *dev;
+ __be32 addr;
+ struct sockaddr_in sin;
+
+- dev = __dev_get_by_name(net, ifname);
+- if (!dev)
+- return -ENODEV;
+-
+ addr = inet_select_addr(dev, 0, RT_SCOPE_UNIVERSE);
+ if (!addr)
+ pr_err("You probably need to specify IP address on "
+ "multicast interface.\n");
+
+ IP_VS_DBG(7, "binding socket with (%s) %pI4\n",
+- ifname, &addr);
++ dev->name, &addr);
+
+ /* Now bind the socket with the address of multicast interface */
+ sin.sin_family = AF_INET;
+@@ -1492,7 +1471,8 @@ static void get_mcast_sockaddr(union ipvs_sockaddr *sa, int *salen,
+ /*
+ * Set up sending multicast socket over UDP
+ */
+-static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id)
++static int make_send_sock(struct netns_ipvs *ipvs, int id,
++ struct net_device *dev, struct socket **sock_ret)
+ {
+ /* multicast addr */
+ union ipvs_sockaddr mcast_addr;
+@@ -1504,9 +1484,10 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id)
+ IPPROTO_UDP, &sock);
+ if (result < 0) {
+ pr_err("Error during creation of socket; terminating\n");
+- return ERR_PTR(result);
++ goto error;
+ }
+- result = set_mcast_if(sock->sk, ipvs->mcfg.mcast_ifn);
++ *sock_ret = sock;
++ result = set_mcast_if(sock->sk, dev);
+ if (result < 0) {
+ pr_err("Error setting outbound mcast interface\n");
+ goto error;
+@@ -1521,7 +1502,7 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id)
+ set_sock_size(sock->sk, 1, result);
+
+ if (AF_INET == ipvs->mcfg.mcast_af)
+- result = bind_mcastif_addr(sock, ipvs->mcfg.mcast_ifn);
++ result = bind_mcastif_addr(sock, dev);
+ else
+ result = 0;
+ if (result < 0) {
+@@ -1537,19 +1518,18 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id)
+ goto error;
+ }
+
+- return sock;
++ return 0;
+
+ error:
+- sock_release(sock);
+- return ERR_PTR(result);
++ return result;
+ }
+
+
+ /*
+ * Set up receiving multicast socket over UDP
+ */
+-static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id,
+- int ifindex)
++static int make_receive_sock(struct netns_ipvs *ipvs, int id,
++ struct net_device *dev, struct socket **sock_ret)
+ {
+ /* multicast addr */
+ union ipvs_sockaddr mcast_addr;
+@@ -1561,8 +1541,9 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id,
+ IPPROTO_UDP, &sock);
+ if (result < 0) {
+ pr_err("Error during creation of socket; terminating\n");
+- return ERR_PTR(result);
++ goto error;
+ }
++ *sock_ret = sock;
+ /* it is equivalent to the REUSEADDR option in user-space */
+ sock->sk->sk_reuse = SK_CAN_REUSE;
+ result = sysctl_sync_sock_size(ipvs);
+@@ -1570,7 +1551,7 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id,
+ set_sock_size(sock->sk, 0, result);
+
+ get_mcast_sockaddr(&mcast_addr, &salen, &ipvs->bcfg, id);
+- sock->sk->sk_bound_dev_if = ifindex;
++ sock->sk->sk_bound_dev_if = dev->ifindex;
+ result = sock->ops->bind(sock, (struct sockaddr *)&mcast_addr, salen);
+ if (result < 0) {
+ pr_err("Error binding to the multicast addr\n");
+@@ -1581,21 +1562,20 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id,
+ #ifdef CONFIG_IP_VS_IPV6
+ if (ipvs->bcfg.mcast_af == AF_INET6)
+ result = join_mcast_group6(sock->sk, &mcast_addr.in6.sin6_addr,
+- ipvs->bcfg.mcast_ifn);
++ dev);
+ else
+ #endif
+ result = join_mcast_group(sock->sk, &mcast_addr.in.sin_addr,
+- ipvs->bcfg.mcast_ifn);
++ dev);
+ if (result < 0) {
+ pr_err("Error joining to the multicast group\n");
+ goto error;
+ }
+
+- return sock;
++ return 0;
+
+ error:
+- sock_release(sock);
+- return ERR_PTR(result);
++ return result;
+ }
+
+
+@@ -1780,13 +1760,12 @@ static int sync_thread_backup(void *data)
+ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ int state)
+ {
+- struct ip_vs_sync_thread_data *tinfo;
++ struct ip_vs_sync_thread_data *tinfo = NULL;
+ struct task_struct **array = NULL, *task;
+- struct socket *sock;
+ struct net_device *dev;
+ char *name;
+ int (*threadfn)(void *data);
+- int id, count, hlen;
++ int id = 0, count, hlen;
+ int result = -ENOMEM;
+ u16 mtu, min_mtu;
+
+@@ -1794,6 +1773,18 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ IP_VS_DBG(7, "Each ip_vs_sync_conn entry needs %zd bytes\n",
+ sizeof(struct ip_vs_sync_conn_v0));
+
++ /* Do not hold one mutex and then to block on another */
++ for (;;) {
++ rtnl_lock();
++ if (mutex_trylock(&ipvs->sync_mutex))
++ break;
++ rtnl_unlock();
++ mutex_lock(&ipvs->sync_mutex);
++ if (rtnl_trylock())
++ break;
++ mutex_unlock(&ipvs->sync_mutex);
++ }
++
+ if (!ipvs->sync_state) {
+ count = clamp(sysctl_sync_ports(ipvs), 1, IPVS_SYNC_PORTS_MAX);
+ ipvs->threads_mask = count - 1;
+@@ -1812,7 +1803,8 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ dev = __dev_get_by_name(ipvs->net, c->mcast_ifn);
+ if (!dev) {
+ pr_err("Unknown mcast interface: %s\n", c->mcast_ifn);
+- return -ENODEV;
++ result = -ENODEV;
++ goto out_early;
+ }
+ hlen = (AF_INET6 == c->mcast_af) ?
+ sizeof(struct ipv6hdr) + sizeof(struct udphdr) :
+@@ -1829,26 +1821,30 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ c->sync_maxlen = mtu - hlen;
+
+ if (state == IP_VS_STATE_MASTER) {
++ result = -EEXIST;
+ if (ipvs->ms)
+- return -EEXIST;
++ goto out_early;
+
+ ipvs->mcfg = *c;
+ name = "ipvs-m:%d:%d";
+ threadfn = sync_thread_master;
+ } else if (state == IP_VS_STATE_BACKUP) {
++ result = -EEXIST;
+ if (ipvs->backup_threads)
+- return -EEXIST;
++ goto out_early;
+
+ ipvs->bcfg = *c;
+ name = "ipvs-b:%d:%d";
+ threadfn = sync_thread_backup;
+ } else {
+- return -EINVAL;
++ result = -EINVAL;
++ goto out_early;
+ }
+
+ if (state == IP_VS_STATE_MASTER) {
+ struct ipvs_master_sync_state *ms;
+
++ result = -ENOMEM;
+ ipvs->ms = kcalloc(count, sizeof(ipvs->ms[0]), GFP_KERNEL);
+ if (!ipvs->ms)
+ goto out;
+@@ -1864,39 +1860,38 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ } else {
+ array = kcalloc(count, sizeof(struct task_struct *),
+ GFP_KERNEL);
++ result = -ENOMEM;
+ if (!array)
+ goto out;
+ }
+
+- tinfo = NULL;
+ for (id = 0; id < count; id++) {
+- if (state == IP_VS_STATE_MASTER)
+- sock = make_send_sock(ipvs, id);
+- else
+- sock = make_receive_sock(ipvs, id, dev->ifindex);
+- if (IS_ERR(sock)) {
+- result = PTR_ERR(sock);
+- goto outtinfo;
+- }
++ result = -ENOMEM;
+ tinfo = kmalloc(sizeof(*tinfo), GFP_KERNEL);
+ if (!tinfo)
+- goto outsocket;
++ goto out;
+ tinfo->ipvs = ipvs;
+- tinfo->sock = sock;
++ tinfo->sock = NULL;
+ if (state == IP_VS_STATE_BACKUP) {
+ tinfo->buf = kmalloc(ipvs->bcfg.sync_maxlen,
+ GFP_KERNEL);
+ if (!tinfo->buf)
+- goto outtinfo;
++ goto out;
+ } else {
+ tinfo->buf = NULL;
+ }
+ tinfo->id = id;
++ if (state == IP_VS_STATE_MASTER)
++ result = make_send_sock(ipvs, id, dev, &tinfo->sock);
++ else
++ result = make_receive_sock(ipvs, id, dev, &tinfo->sock);
++ if (result < 0)
++ goto out;
+
+ task = kthread_run(threadfn, tinfo, name, ipvs->gen, id);
+ if (IS_ERR(task)) {
+ result = PTR_ERR(task);
+- goto outtinfo;
++ goto out;
+ }
+ tinfo = NULL;
+ if (state == IP_VS_STATE_MASTER)
+@@ -1913,20 +1908,20 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ ipvs->sync_state |= state;
+ spin_unlock_bh(&ipvs->sync_buff_lock);
+
++ mutex_unlock(&ipvs->sync_mutex);
++ rtnl_unlock();
++
+ /* increase the module use count */
+ ip_vs_use_count_inc();
+
+ return 0;
+
+-outsocket:
+- sock_release(sock);
+-
+-outtinfo:
+- if (tinfo) {
+- sock_release(tinfo->sock);
+- kfree(tinfo->buf);
+- kfree(tinfo);
+- }
++out:
++ /* We do not need RTNL lock anymore, release it here so that
++ * sock_release below and in the kthreads can use rtnl_lock
++ * to leave the mcast group.
++ */
++ rtnl_unlock();
+ count = id;
+ while (count-- > 0) {
+ if (state == IP_VS_STATE_MASTER)
+@@ -1934,13 +1929,23 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ else
+ kthread_stop(array[count]);
+ }
+- kfree(array);
+-
+-out:
+ if (!(ipvs->sync_state & IP_VS_STATE_MASTER)) {
+ kfree(ipvs->ms);
+ ipvs->ms = NULL;
+ }
++ mutex_unlock(&ipvs->sync_mutex);
++ if (tinfo) {
++ if (tinfo->sock)
++ sock_release(tinfo->sock);
++ kfree(tinfo->buf);
++ kfree(tinfo);
++ }
++ kfree(array);
++ return result;
++
++out_early:
++ mutex_unlock(&ipvs->sync_mutex);
++ rtnl_unlock();
+ return result;
+ }
+
+--
+2.12.3
+
diff --git a/patches.fixes/0007-netfilter-nf_tables-can-t-fail-after-linking-rule-in.patch b/patches.fixes/0007-netfilter-nf_tables-can-t-fail-after-linking-rule-in.patch
new file mode 100644
index 0000000000..36254a92b1
--- /dev/null
+++ b/patches.fixes/0007-netfilter-nf_tables-can-t-fail-after-linking-rule-in.patch
@@ -0,0 +1,112 @@
+From: Florian Westphal <fw@strlen.de>
+Subject: netfilter: nf_tables: can't fail after linking rule
+ into active rule list
+Patch-mainline: v4.17-rc3
+Git-commit: 569ccae68b38654f04b6842b034aa33857f605fe
+References: git-fixes
+
+rules in nftables a free'd using kfree, but protected by rcu, i.e. we
+must wait for a grace period to elapse.
+
+Normal removal patch does this, but nf_tables_newrule() doesn't obey
+this rule during error handling.
+
+It calls nft_trans_rule_add() *after* linking rule, and, if that
+fails to allocate memory, it unlinks the rule and then kfree() it --
+this is unsafe.
+
+Switch order -- first add rule to transaction list, THEN link it
+to public list.
+
+Note: nft_trans_rule_add() uses GFP_KERNEL; it will not fail so this
+is not a problem in practice (spotted only during code review).
+
+Fixes: 0628b123c96d12 ("netfilter: nfnetlink: add batch support and use it from nf_tables")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nf_tables_api.c | 59 +++++++++++++++++++++++--------------------
+ 1 file changed, 32 insertions(+), 27 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 595004098410..d627a479e332 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2251,41 +2251,46 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
+ }
+
+ if (nlh->nlmsg_flags & NLM_F_REPLACE) {
+- if (nft_is_active_next(net, old_rule)) {
+- trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
+- old_rule);
+- if (trans == NULL) {
+- err = -ENOMEM;
+- goto err2;
+- }
+- nft_deactivate_next(net, old_rule);
+- chain->use--;
+- list_add_tail_rcu(&rule->list, &old_rule->list);
+- } else {
++ if (!nft_is_active_next(net, old_rule)) {
+ err = -ENOENT;
+ goto err2;
+ }
+- } else if (nlh->nlmsg_flags & NLM_F_APPEND)
+- if (old_rule)
+- list_add_rcu(&rule->list, &old_rule->list);
+- else
+- list_add_tail_rcu(&rule->list, &chain->rules);
+- else {
+- if (old_rule)
+- list_add_tail_rcu(&rule->list, &old_rule->list);
+- else
+- list_add_rcu(&rule->list, &chain->rules);
+- }
++ trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
++ old_rule);
++ if (trans == NULL) {
++ err = -ENOMEM;
++ goto err2;
++ }
++ nft_deactivate_next(net, old_rule);
++ chain->use--;
+
+- if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
+- err = -ENOMEM;
+- goto err3;
++ if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
++ err = -ENOMEM;
++ goto err2;
++ }
++
++ list_add_tail_rcu(&rule->list, &old_rule->list);
++ } else {
++ if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
++ err = -ENOMEM;
++ goto err2;
++ }
++
++ if (nlh->nlmsg_flags & NLM_F_APPEND) {
++ if (old_rule)
++ list_add_rcu(&rule->list, &old_rule->list);
++ else
++ list_add_tail_rcu(&rule->list, &chain->rules);
++ } else {
++ if (old_rule)
++ list_add_tail_rcu(&rule->list, &old_rule->list);
++ else
++ list_add_rcu(&rule->list, &chain->rules);
++ }
+ }
+ chain->use++;
+ return 0;
+
+-err3:
+- list_del_rcu(&rule->list);
+ err2:
+ nf_tables_rule_destroy(&ctx, rule);
+ err1:
+--
+2.12.3
+
diff --git a/patches.fixes/0008-rxrpc-Fix-error-reception-on-AF_INET6-sockets.patch b/patches.fixes/0008-rxrpc-Fix-error-reception-on-AF_INET6-sockets.patch
new file mode 100644
index 0000000000..995ee8bf73
--- /dev/null
+++ b/patches.fixes/0008-rxrpc-Fix-error-reception-on-AF_INET6-sockets.patch
@@ -0,0 +1,95 @@
+From: David Howells <dhowells@redhat.com>
+Subject: rxrpc: Fix error reception on AF_INET6 sockets
+Patch-mainline: v4.17-rc5
+Git-commit: f2aeed3a591ff29a82495eeaa92ac4780bad7487
+References: git-fixes
+
+AF_RXRPC tries to turn on IP_RECVERR and IP_MTU_DISCOVER on the UDP socket
+it just opened for communications with the outside world, regardless of the
+type of socket. Unfortunately, this doesn't work with an AF_INET6 socket.
+
+Fix this by turning on IPV6_RECVERR and IPV6_MTU_DISCOVER instead if the
+socket is of the AF_INET6 family.
+
+Without this, kAFS server and address rotation doesn't work correctly
+because the algorithm doesn't detect received network errors.
+
+Fixes: 75b54cb57ca3 ("rxrpc: Add IPv6 support")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/rxrpc/local_object.c | 57 +++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 42 insertions(+), 15 deletions(-)
+
+diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c
+index ff4864d550b8..adc49d8285bf 100644
+--- a/net/rxrpc/local_object.c
++++ b/net/rxrpc/local_object.c
+@@ -133,22 +133,49 @@ static int rxrpc_open_socket(struct rxrpc_local *local)
+ }
+ }
+
+- /* we want to receive ICMP errors */
+- opt = 1;
+- ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
+- (char *) &opt, sizeof(opt));
+- if (ret < 0) {
+- _debug("setsockopt failed");
+- goto error;
+- }
++ switch (local->srx.transport.family) {
++ case AF_INET:
++ /* we want to receive ICMP errors */
++ opt = 1;
++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
+
+- /* we want to set the don't fragment bit */
+- opt = IP_PMTUDISC_DO;
+- ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
+- (char *) &opt, sizeof(opt));
+- if (ret < 0) {
+- _debug("setsockopt failed");
+- goto error;
++ /* we want to set the don't fragment bit */
++ opt = IP_PMTUDISC_DO;
++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
++ break;
++
++ case AF_INET6:
++ /* we want to receive ICMP errors */
++ opt = 1;
++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_RECVERR,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
++
++ /* we want to set the don't fragment bit */
++ opt = IPV6_PMTUDISC_DO;
++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_MTU_DISCOVER,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
++ break;
++
++ default:
++ BUG();
+ }
+
+ /* set the socket up */
+--
+2.12.3
+
diff --git a/patches.fixes/0009-packet-in-packet_snd-start-writing-at-link-layer-all.patch b/patches.fixes/0009-packet-in-packet_snd-start-writing-at-link-layer-all.patch
new file mode 100644
index 0000000000..98f7330676
--- /dev/null
+++ b/patches.fixes/0009-packet-in-packet_snd-start-writing-at-link-layer-all.patch
@@ -0,0 +1,59 @@
+From: Willem de Bruijn <willemb@google.com>
+Subject: packet: in packet_snd start writing at link layer
+ allocation
+Patch-mainline: v4.17-rc7
+Git-commit: b84bbaf7a6c8cca24f8acf25a2c8e46913a947ba
+References: git-fixes
+
+Packet sockets allow construction of packets shorter than
+dev->hard_header_len to accommodate protocols with variable length
+link layer headers. These packets are padded to dev->hard_header_len,
+because some device drivers interpret that as a minimum packet size.
+
+packet_snd reserves dev->hard_header_len bytes on allocation.
+SOCK_DGRAM sockets call skb_push in dev_hard_header() to ensure that
+link layer headers are stored in the reserved range. SOCK_RAW sockets
+do the same in tpacket_snd, but not in packet_snd.
+
+Syzbot was able to send a zero byte packet to a device with massive
+116B link layer header, causing padding to cross over into skb_shinfo.
+Fix this by writing from the start of the llheader reserved range also
+in the case of packet_snd/SOCK_RAW.
+
+Update skb_set_network_header to the new offset. This also corrects
+it for SOCK_DGRAM, where it incorrectly double counted reserve due to
+the skb_push in dev_hard_header.
+
+Fixes: 9ed988cd5915 ("packet: validate variable length ll headers")
+Reported-by: syzbot+71d74a5406d02057d559@syzkaller.appspotmail.com
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/packet/af_packet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index c6c4d9be2276..901618eb2725 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2925,13 +2925,15 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+ if (skb == NULL)
+ goto out_unlock;
+
+- skb_set_network_header(skb, reserve);
++ skb_reset_network_header(skb);
+
+ err = -EINVAL;
+ if (sock->type == SOCK_DGRAM) {
+ offset = dev_hard_header(skb, dev, ntohs(proto), addr, NULL, len);
+ if (unlikely(offset < 0))
+ goto out_free;
++ } else if (reserve) {
++ skb_push(skb, reserve);
+ }
+
+ /* Returns -EFAULT on error */
+--
+2.12.3
+
diff --git a/patches.fixes/0010-ipvs-fix-stats-update-from-local-clients.patch b/patches.fixes/0010-ipvs-fix-stats-update-from-local-clients.patch
new file mode 100644
index 0000000000..f77c884071
--- /dev/null
+++ b/patches.fixes/0010-ipvs-fix-stats-update-from-local-clients.patch
@@ -0,0 +1,124 @@
+From: Julian Anastasov <ja@ssi.bg>
+Subject: ipvs: fix stats update from local clients
+Patch-mainline: v4.17-rc7
+Git-commit: d5e032fc5697b6c0d6b4958bcacb981a08f8174e
+References: git-fixes
+
+
+Local clients are not properly synchronized on 32-bit CPUs when
+updating stats (3.10+). Now it is possible estimation_timer (timer),
+a stats reader, to interrupt the local client in the middle of
+write_seqcount_{begin,end} sequence leading to loop (DEADLOCK).
+The same interrupt can happen from received packet (SoftIRQ)
+which updates the same per-CPU stats.
+
+Fix it by disabling BH while updating stats.
+
+Found with debug:
+
+WARNING: inconsistent lock state
+4.17.0-rc2-00105-g35cb6d7-dirty #2 Not tainted
+--------------------------------
+inconsistent {IN-SOFTIRQ-R} -> {SOFTIRQ-ON-W} usage.
+ftp/2545 [HC0[0]:SC0[0]:HE1:SE1] takes:
+86845479 (&syncp->seq#6){+.+-}, at: ip_vs_schedule+0x1c5/0x59e [ip_vs]
+{IN-SOFTIRQ-R} state was registered at:
+ lock_acquire+0x44/0x5b
+ estimation_timer+0x1b3/0x341 [ip_vs]
+ call_timer_fn+0x54/0xcd
+ run_timer_softirq+0x10c/0x12b
+ __do_softirq+0xc1/0x1a9
+ do_softirq_own_stack+0x1d/0x23
+ irq_exit+0x4a/0x64
+ smp_apic_timer_interrupt+0x63/0x71
+ apic_timer_interrupt+0x3a/0x40
+ default_idle+0xa/0xc
+ arch_cpu_idle+0x9/0xb
+ default_idle_call+0x21/0x23
+ do_idle+0xa0/0x167
+ cpu_startup_entry+0x19/0x1b
+ start_secondary+0x133/0x182
+ startup_32_smp+0x164/0x168
+irq event stamp: 42213
+
+other info that might help us debug this:
+Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&syncp->seq#6);
+ <Interrupt>
+ lock(&syncp->seq#6);
+
+*** DEADLOCK ***
+
+Fixes: ac69269a45e8 ("ipvs: do not disable bh for long time")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipvs/ip_vs_core.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index ad99c1ceea6f..62ed310e2397 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -119,6 +119,8 @@ ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
+ struct ip_vs_cpu_stats *s;
+ struct ip_vs_service *svc;
+
++ local_bh_disable();
++
+ s = this_cpu_ptr(dest->stats.cpustats);
+ u64_stats_update_begin(&s->syncp);
+ s->cnt.inpkts++;
+@@ -139,6 +141,8 @@ ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
+ s->cnt.inpkts++;
+ s->cnt.inbytes += skb->len;
+ u64_stats_update_end(&s->syncp);
++
++ local_bh_enable();
+ }
+ }
+
+@@ -153,6 +157,8 @@ ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
+ struct ip_vs_cpu_stats *s;
+ struct ip_vs_service *svc;
+
++ local_bh_disable();
++
+ s = this_cpu_ptr(dest->stats.cpustats);
+ u64_stats_update_begin(&s->syncp);
+ s->cnt.outpkts++;
+@@ -173,6 +179,8 @@ ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
+ s->cnt.outpkts++;
+ s->cnt.outbytes += skb->len;
+ u64_stats_update_end(&s->syncp);
++
++ local_bh_enable();
+ }
+ }
+
+@@ -183,6 +191,8 @@ ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
+ struct netns_ipvs *ipvs = svc->ipvs;
+ struct ip_vs_cpu_stats *s;
+
++ local_bh_disable();
++
+ s = this_cpu_ptr(cp->dest->stats.cpustats);
+ u64_stats_update_begin(&s->syncp);
+ s->cnt.conns++;
+@@ -197,6 +207,8 @@ ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
+ u64_stats_update_begin(&s->syncp);
+ s->cnt.conns++;
+ u64_stats_update_end(&s->syncp);
++
++ local_bh_enable();
+ }
+
+
+--
+2.12.3
+
diff --git a/patches.fixes/0011-tcp-purge-write-queue-in-tcp_connect_init.patch b/patches.fixes/0011-tcp-purge-write-queue-in-tcp_connect_init.patch
new file mode 100644
index 0000000000..fa8a24755f
--- /dev/null
+++ b/patches.fixes/0011-tcp-purge-write-queue-in-tcp_connect_init.patch
@@ -0,0 +1,90 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: tcp: purge write queue in tcp_connect_init()
+Patch-mainline: v4.17-rc7
+Git-commit: 7f582b248d0a86bae5788c548d7bb5bca6f7691a
+References: git-fixes
+
+syzkaller found a reliable way to crash the host, hitting a BUG()
+in __tcp_retransmit_skb()
+
+Malicous MSG_FASTOPEN is the root cause. We need to purge write queue
+in tcp_connect_init() at the point we init snd_una/write_seq.
+
+This patch also replaces the BUG() by a less intrusive WARN_ON_ONCE()
+
+kernel BUG at net/ipv4/tcp_output.c:2837!
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 0 PID: 5276 Comm: syz-executor0 Not tainted 4.17.0-rc3+ #51
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:__tcp_retransmit_skb+0x2992/0x2eb0 net/ipv4/tcp_output.c:2837
+RSP: 0000:ffff8801dae06ff8 EFLAGS: 00010206
+RAX: ffff8801b9fe61c0 RBX: 00000000ffc18a16 RCX: ffffffff864e1a49
+RDX: 0000000000000100 RSI: ffffffff864e2e12 RDI: 0000000000000005
+RBP: ffff8801dae073a0 R08: ffff8801b9fe61c0 R09: ffffed0039c40dd2
+R10: ffffed0039c40dd2 R11: ffff8801ce206e93 R12: 00000000421eeaad
+R13: ffff8801ce206d4e R14: ffff8801ce206cc0 R15: ffff8801cd4f4a80
+FS: 0000000000000000(0000) GS:ffff8801dae00000(0063) knlGS:00000000096bc900
+CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
+CR2: 0000000020000000 CR3: 00000001c47b6000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <IRQ>
+ tcp_retransmit_skb+0x2e/0x250 net/ipv4/tcp_output.c:2923
+ tcp_retransmit_timer+0xc50/0x3060 net/ipv4/tcp_timer.c:488
+ tcp_write_timer_handler+0x339/0x960 net/ipv4/tcp_timer.c:573
+ tcp_write_timer+0x111/0x1d0 net/ipv4/tcp_timer.c:593
+ call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
+ expire_timers kernel/time/timer.c:1363 [inline]
+ __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
+ run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
+ __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
+ invoke_softirq kernel/softirq.c:365 [inline]
+ irq_exit+0x1d1/0x200 kernel/softirq.c:405
+ exiting_irq arch/x86/include/asm/apic.h:525 [inline]
+ smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
+
+Fixes: cf60af03ca4e ("net-tcp: Fast Open client - sendmsg(MSG_FASTOPEN)")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/tcp_output.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 2d139697bcd8..beda69aad37d 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2842,8 +2842,10 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs)
+ return -EBUSY;
+
+ if (before(TCP_SKB_CB(skb)->seq, tp->snd_una)) {
+- if (before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))
+- BUG();
++ if (unlikely(before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))) {
++ WARN_ON_ONCE(1);
++ return -EINVAL;
++ }
+ if (tcp_trim_head(sk, skb, tp->snd_una - TCP_SKB_CB(skb)->seq))
+ return -ENOMEM;
+ }
+@@ -3332,6 +3334,7 @@ static void tcp_connect_init(struct sock *sk)
+ sock_reset_flag(sk, SOCK_DONE);
+ tp->snd_wnd = 0;
+ tcp_init_wl(tp, 0);
++ tcp_write_queue_purge(sk);
+ tp->snd_una = tp->write_seq;
+ tp->snd_sml = tp->write_seq;
+ tp->snd_up = tp->write_seq;
+--
+2.12.3
+
diff --git a/patches.fixes/0012-net-test-tailroom-before-appending-to-linear-skb.patch b/patches.fixes/0012-net-test-tailroom-before-appending-to-linear-skb.patch
new file mode 100644
index 0000000000..705d0dab79
--- /dev/null
+++ b/patches.fixes/0012-net-test-tailroom-before-appending-to-linear-skb.patch
@@ -0,0 +1,58 @@
+From: Willem de Bruijn <willemb@google.com>
+Subject: net: test tailroom before appending to linear skb
+Patch-mainline: v4.17-rc7
+Git-commit: 113f99c3358564a0647d444c2ae34e8b1abfd5b9
+References: git-fixes
+
+Device features may change during transmission. In particular with
+corking, a device may toggle scatter-gather in between allocating
+and writing to an skb.
+
+Do not unconditionally assume that !NETIF_F_SG at write time implies
+that the same held at alloc time and thus the skb has sufficient
+tailroom.
+
+This issue predates git history.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/ip_output.c | 3 ++-
+ net/ipv6/ip6_output.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index 41c5d8bdc768..c81916930652 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1042,7 +1042,8 @@ static int __ip_append_data(struct sock *sk,
+ if (copy > length)
+ copy = length;
+
+- if (!(rt->dst.dev->features&NETIF_F_SG)) {
++ if (!(rt->dst.dev->features&NETIF_F_SG) &&
++ skb_tailroom(skb) >= copy) {
+ unsigned int off;
+
+ off = skb->len;
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 42a97e490737..04729272dfb3 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1484,7 +1484,8 @@ static int __ip6_append_data(struct sock *sk,
+ if (copy > length)
+ copy = length;
+
+- if (!(rt->dst.dev->features&NETIF_F_SG)) {
++ if (!(rt->dst.dev->features&NETIF_F_SG) &&
++ skb_tailroom(skb) >= copy) {
+ unsigned int off;
+
+ off = skb->len;
+--
+2.12.3
+
diff --git a/patches.fixes/0013-net-Fix-a-bug-in-removing-queues-from-XPS-map.patch b/patches.fixes/0013-net-Fix-a-bug-in-removing-queues-from-XPS-map.patch
new file mode 100644
index 0000000000..c833d893d3
--- /dev/null
+++ b/patches.fixes/0013-net-Fix-a-bug-in-removing-queues-from-XPS-map.patch
@@ -0,0 +1,35 @@
+From: Amritha Nambiar <amritha.nambiar@intel.com>
+Subject: net: Fix a bug in removing queues from XPS map
+Patch-mainline: v4.17-rc7
+Git-commit: 6358d49ac23995fdfe157cc8747ab0f274d3954b
+References: git-fixes
+
+While removing queues from the XPS map, the individual CPU ID
+alone was used to index the CPUs map, this should be changed to also
+factor in the traffic class mapping for the CPU-to-queue lookup.
+
+Fixes: 184c449f91fe ("net: Add support for XPS with QoS via traffic classes")
+Signed-off-by: Amritha Nambiar <amritha.nambiar@intel.com>
+Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 15880ba084a9..f259eb1b21b8 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2078,7 +2078,7 @@ static bool remove_xps_queue_cpu(struct net_device *dev,
+ int i, j;
+
+ for (i = count, j = offset; i--; j++) {
+- if (!remove_xps_queue(dev_maps, cpu, j))
++ if (!remove_xps_queue(dev_maps, tci, j))
+ break;
+ }
+
+--
+2.12.3
+
diff --git a/patches.fixes/0014-netfilter-nf_tables-fix-NULL-pointer-dereference-on-.patch b/patches.fixes/0014-netfilter-nf_tables-fix-NULL-pointer-dereference-on-.patch
new file mode 100644
index 0000000000..59aff0b412
--- /dev/null
+++ b/patches.fixes/0014-netfilter-nf_tables-fix-NULL-pointer-dereference-on-.patch
@@ -0,0 +1,164 @@
+From: Taehee Yoo <ap420073@gmail.com>
+Subject: netfilter: nf_tables: fix NULL pointer dereference on
+ nft_ct_helper_obj_dump()
+Patch-mainline: v4.17
+Git-commit: b71534583f22d08c3e3563bf5100aeb5f5c9fbe5
+References: git-fixes
+
+
+In the nft_ct_helper_obj_dump(), always priv->helper4 is dereferenced.
+But if family is ipv6, priv->helper6 should be dereferenced.
+
+Steps to reproduces:
+
+ #test.nft
+ table ip6 filter {
+ ct helper ftp {
+ type "ftp" protocol tcp
+ }
+ chain input {
+ type filter hook input priority 4;
+ ct helper set "ftp"
+ }
+ }
+
+ %nft -f test.nft
+ %nft list ruleset
+
+we can see the below messages:
+
+[ 916.286233] kasan: GPF could be caused by NULL-ptr deref or user memory access
+[ 916.294777] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
+[ 916.302613] Modules linked in: nft_objref nf_conntrack_sip nf_conntrack_snmp nf_conntrack_broadcast nf_conntrack_ftp nft_ct nf_conntrack nf_tables nfnetlink [last unloaded: nfnetlink]
+[ 916.318758] CPU: 1 PID: 2093 Comm: nft Not tainted 4.17.0-rc4+ #181
+[ 916.326772] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
+[ 916.338773] RIP: 0010:strlen+0x1a/0x90
+[ 916.342781] RSP: 0018:ffff88010ff0f2f8 EFLAGS: 00010292
+[ 916.346773] RAX: dffffc0000000000 RBX: ffff880119b26ee8 RCX: ffff88010c150038
+[ 916.354777] RDX: 0000000000000002 RSI: ffff880119b26ee8 RDI: 0000000000000010
+[ 916.362773] RBP: 0000000000000010 R08: 0000000000007e88 R09: ffff88010c15003c
+[ 916.370773] R10: ffff88010c150037 R11: ffffed002182a007 R12: ffff88010ff04040
+[ 916.378779] R13: 0000000000000010 R14: ffff880119b26f30 R15: ffff88010ff04110
+[ 916.387265] FS: 00007f57a1997700(0000) GS:ffff88011b800000(0000) knlGS:0000000000000000
+[ 916.394785] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 916.402778] CR2: 00007f57a0ac80f0 CR3: 000000010ff02000 CR4: 00000000001006e0
+[ 916.410772] Call Trace:
+[ 916.414787] nft_ct_helper_obj_dump+0x94/0x200 [nft_ct]
+[ 916.418779] ? nft_ct_set_eval+0x560/0x560 [nft_ct]
+[ 916.426771] ? memset+0x1f/0x40
+[ 916.426771] ? __nla_reserve+0x92/0xb0
+[ 916.434774] ? memcpy+0x34/0x50
+[ 916.434774] nf_tables_fill_obj_info+0x484/0x860 [nf_tables]
+[ 916.442773] ? __nft_release_basechain+0x600/0x600 [nf_tables]
+[ 916.450779] ? lock_acquire+0x193/0x380
+[ 916.454771] ? lock_acquire+0x193/0x380
+[ 916.458789] ? nf_tables_dump_obj+0x148/0xcb0 [nf_tables]
+[ 916.462777] nf_tables_dump_obj+0x5f0/0xcb0 [nf_tables]
+[ 916.470769] ? __alloc_skb+0x30b/0x500
+[ 916.474779] netlink_dump+0x752/0xb50
+[ 916.478775] __netlink_dump_start+0x4d3/0x750
+[ 916.482784] nf_tables_getobj+0x27a/0x930 [nf_tables]
+[ 916.490774] ? nft_obj_notify+0x100/0x100 [nf_tables]
+[ 916.494772] ? nf_tables_getobj+0x930/0x930 [nf_tables]
+[ 916.502579] ? nf_tables_dump_flowtable_done+0x70/0x70 [nf_tables]
+[ 916.506774] ? nft_obj_notify+0x100/0x100 [nf_tables]
+[ 916.514808] nfnetlink_rcv_msg+0x8ab/0xa86 [nfnetlink]
+[ 916.518771] ? nfnetlink_rcv_msg+0x550/0xa86 [nfnetlink]
+[ 916.526782] netlink_rcv_skb+0x23e/0x360
+[ 916.530773] ? nfnetlink_bind+0x200/0x200 [nfnetlink]
+[ 916.534778] ? debug_check_no_locks_freed+0x280/0x280
+[ 916.542770] ? netlink_ack+0x870/0x870
+[ 916.546786] ? ns_capable_common+0xf4/0x130
+[ 916.550765] nfnetlink_rcv+0x172/0x16c0 [nfnetlink]
+[ 916.554771] ? sched_clock_local+0xe2/0x150
+[ 916.558774] ? sched_clock_cpu+0x144/0x180
+[ 916.566575] ? lock_acquire+0x380/0x380
+[ 916.570775] ? sched_clock_local+0xe2/0x150
+[ 916.574765] ? nfnetlink_net_init+0x130/0x130 [nfnetlink]
+[ 916.578763] ? sched_clock_cpu+0x144/0x180
+[ 916.582770] ? lock_acquire+0x193/0x380
+[ 916.590771] ? lock_acquire+0x193/0x380
+[ 916.594766] ? lock_acquire+0x380/0x380
+[ 916.598760] ? netlink_deliver_tap+0x262/0xa60
+[ 916.602766] ? lock_acquire+0x193/0x380
+[ 916.606766] netlink_unicast+0x3ef/0x5a0
+[ 916.610771] ? netlink_attachskb+0x630/0x630
+[ 916.614763] netlink_sendmsg+0x72a/0xb00
+[ 916.618769] ? netlink_unicast+0x5a0/0x5a0
+[ 916.626766] ? _copy_from_user+0x92/0xc0
+[ 916.630773] __sys_sendto+0x202/0x300
+[ 916.634772] ? __ia32_sys_getpeername+0xb0/0xb0
+[ 916.638759] ? lock_acquire+0x380/0x380
+[ 916.642769] ? lock_acquire+0x193/0x380
+[ 916.646761] ? finish_task_switch+0xf4/0x560
+[ 916.650763] ? __schedule+0x582/0x19a0
+[ 916.655301] ? __sched_text_start+0x8/0x8
+[ 916.655301] ? up_read+0x1c/0x110
+[ 916.655301] ? __do_page_fault+0x48b/0xaa0
+[ 916.655301] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
+[ 916.655301] __x64_sys_sendto+0xdd/0x1b0
+[ 916.655301] do_syscall_64+0x96/0x3d0
+[ 916.655301] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 916.655301] RIP: 0033:0x7f57a0ff5e03
+[ 916.655301] RSP: 002b:00007fff6367e0a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+[ 916.655301] RAX: ffffffffffffffda RBX: 00007fff6367f1e0 RCX: 00007f57a0ff5e03
+[ 916.655301] RDX: 0000000000000020 RSI: 00007fff6367e110 RDI: 0000000000000003
+[ 916.655301] RBP: 00007fff6367e100 R08: 00007f57a0ce9160 R09: 000000000000000c
+[ 916.655301] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff6367e110
+[ 916.655301] R13: 0000000000000020 R14: 00007f57a153c610 R15: 0000562417258de0
+[ 916.655301] Code: ff ff ff 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 fa 53 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df 48 89 fd 48 83 ec 08 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f
+[ 916.655301] RIP: strlen+0x1a/0x90 RSP: ffff88010ff0f2f8
+[ 916.771929] ---[ end trace 1065e048e72479fe ]---
+[ 916.777204] Kernel panic - not syncing: Fatal exception
+[ 916.778158] Kernel Offset: 0x14000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nft_ct.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index 1678e9e75e8e..2cded8ee6d30 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -875,22 +875,26 @@ static int nft_ct_helper_obj_dump(struct sk_buff *skb,
+ struct nft_object *obj, bool reset)
+ {
+ const struct nft_ct_helper_obj *priv = nft_obj_data(obj);
+- const struct nf_conntrack_helper *helper = priv->helper4;
++ const struct nf_conntrack_helper *helper;
+ u16 family;
+
++ if (priv->helper4 && priv->helper6) {
++ family = NFPROTO_INET;
++ helper = priv->helper4;
++ } else if (priv->helper6) {
++ family = NFPROTO_IPV6;
++ helper = priv->helper6;
++ } else {
++ family = NFPROTO_IPV4;
++ helper = priv->helper4;
++ }
++
+ if (nla_put_string(skb, NFTA_CT_HELPER_NAME, helper->name))
+ return -1;
+
+ if (nla_put_u8(skb, NFTA_CT_HELPER_L4PROTO, priv->l4proto))
+ return -1;
+
+- if (priv->helper4 && priv->helper6)
+- family = NFPROTO_INET;
+- else if (priv->helper6)
+- family = NFPROTO_IPV6;
+- else
+- family = NFPROTO_IPV4;
+-
+ if (nla_put_be16(skb, NFTA_CT_HELPER_L3PROTO, htons(family)))
+ return -1;
+
+--
+2.12.3
+
diff --git a/patches.fixes/0015-netfilter-ebtables-handle-string-from-userspace-with.patch b/patches.fixes/0015-netfilter-ebtables-handle-string-from-userspace-with.patch
new file mode 100644
index 0000000000..f97ecde4f7
--- /dev/null
+++ b/patches.fixes/0015-netfilter-ebtables-handle-string-from-userspace-with.patch
@@ -0,0 +1,102 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Subject: netfilter: ebtables: handle string from userspace with
+ care
+Patch-mainline: v4.17
+Git-commit: 94c752f99954797da583a84c4907ff19e92550a4
+References: git-fixes
+
+strlcpy() can't be safely used on a user-space provided string,
+as it can try to read beyond the buffer's end, if the latter is
+not NULL terminated.
+
+Leveraging the above, syzbot has been able to trigger the following
+splat:
+
+BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300
+[inline]
+BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user
+net/bridge/netfilter/ebtables.c:1957 [inline]
+BUG: KASAN: stack-out-of-bounds in ebt_size_mwt
+net/bridge/netfilter/ebtables.c:2059 [inline]
+BUG: KASAN: stack-out-of-bounds in size_entry_mwt
+net/bridge/netfilter/ebtables.c:2155 [inline]
+BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0
+net/bridge/netfilter/ebtables.c:2194
+Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504
+
+CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ memcpy+0x37/0x50 mm/kasan/kasan.c:303
+ strlcpy include/linux/string.h:300 [inline]
+ compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
+ ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
+ size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
+ compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
+ compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285
+ compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367
+ compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
+ compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
+ compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279
+ inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041
+ compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901
+ compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050
+ __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403
+ __do_compat_sys_setsockopt net/compat.c:416 [inline]
+ __se_compat_sys_setsockopt net/compat.c:413 [inline]
+ __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413
+ do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
+ do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
+ entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7fb3cb9
+RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
+RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+The buggy address belongs to the page:
+page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0x2fffc0000000000()
+raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
+raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000
+page dumped because: kasan: bad access detected
+
+Fix the issue replacing the unsafe function with strscpy() and
+taking care of possible errors.
+
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/bridge/netfilter/ebtables.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 9b11e61c4b7e..546c20cf632e 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1950,7 +1950,8 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
+ int off, pad = 0;
+ unsigned int size_kern, match_size = mwt->match_size;
+
+- strlcpy(name, mwt->u.name, sizeof(name));
++ if (strscpy(name, mwt->u.name, sizeof(name)) < 0)
++ return -EINVAL;
+
+ if (state->buf_kern_start)
+ dst = state->buf_kern_start + state->buf_kern_offset;
+--
+2.12.3
+
diff --git a/patches.fixes/0016-ipvs-fix-buffer-overflow-with-sync-daemon-and-servic.patch b/patches.fixes/0016-ipvs-fix-buffer-overflow-with-sync-daemon-and-servic.patch
new file mode 100644
index 0000000000..08f73e30d6
--- /dev/null
+++ b/patches.fixes/0016-ipvs-fix-buffer-overflow-with-sync-daemon-and-servic.patch
@@ -0,0 +1,147 @@
+From: Julian Anastasov <ja@ssi.bg>
+Subject: ipvs: fix buffer overflow with sync daemon and service
+Patch-mainline: v4.17
+Git-commit: 52f96757905bbf0edef47f3ee6c7c784e7f8ff8a
+References: git-fixes
+
+syzkaller reports for buffer overflow for interface name
+when starting sync daemons [1]
+
+What we do is that we copy user structure into larger stack
+buffer but later we search NUL past the stack buffer.
+The same happens for sched_name when adding/editing virtual server.
+
+We are restricted by IP_VS_SCHEDNAME_MAXLEN and IP_VS_IFNAME_MAXLEN
+being used as size in include/uapi/linux/ip_vs.h, so they
+include the space for NUL.
+
+As using strlcpy is wrong for unsafe source, replace it with
+strscpy and add checks to return EINVAL if source string is not
+NUL-terminated. The incomplete strlcpy fix comes from 2.6.13.
+
+For the netlink interface reduce the len parameter for
+IPVS_DAEMON_ATTR_MCAST_IFN and IPVS_SVC_ATTR_SCHED_NAME,
+so that we get proper EINVAL.
+
+[1]
+kernel BUG at lib/string.c:1052!
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
+RSP: 0018:ffff8801c976f800 EFLAGS: 00010282
+RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000
+RDX: 0000000000000022 RSI: ffffffff8160f6f1 RDI: ffffed00392edef6
+RBP: ffff8801c976f800 R08: ffff8801cf4c62c0 R09: ffffed003b5e4fb0
+R10: ffffed003b5e4fb0 R11: ffff8801daf27d87 R12: ffff8801c976fa20
+R13: ffff8801c976fae4 R14: ffff8801c976fae0 R15: 000000000000048b
+FS: 00007fd99f75e700(0000) GS:ffff8801daf00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000200001c0 CR3: 00000001d6843000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ strlen include/linux/string.h:270 [inline]
+ strlcpy include/linux/string.h:293 [inline]
+ do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388
+ nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
+ nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
+ ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
+ udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487
+ ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
+ tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057
+ sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046
+ __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
+ __do_sys_setsockopt net/socket.c:1914 [inline]
+ __se_sys_setsockopt net/socket.c:1911 [inline]
+ __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
+ do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x447369
+RSP: 002b:00007fd99f75dda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 00000000006e39e4 RCX: 0000000000447369
+RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000018 R09: 0000000000000000
+R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000006e39e0
+R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0000000000000001
+Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb
+de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90
+90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
+RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801c976f800
+
+Reported-and-tested-by: syzbot+aac887f77319868646df@syzkaller.appspotmail.com
+Fixes: e4ff67513096 ("ipvs: add sync_maxlen parameter for the sync daemon")
+Fixes: 4da62fc70d7c ("[IPVS]: Fix for overflows")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index ce51ba12c605..90dc25c5d938 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2383,8 +2383,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ struct ipvs_sync_daemon_cfg cfg;
+
+ memset(&cfg, 0, sizeof(cfg));
+- strlcpy(cfg.mcast_ifn, dm->mcast_ifn,
+- sizeof(cfg.mcast_ifn));
++ ret = -EINVAL;
++ if (strscpy(cfg.mcast_ifn, dm->mcast_ifn,
++ sizeof(cfg.mcast_ifn)) <= 0)
++ goto out_dec;
+ cfg.syncid = dm->syncid;
+ ret = start_sync_thread(ipvs, &cfg, dm->state);
+ } else {
+@@ -2422,12 +2424,19 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ }
+ }
+
++ if ((cmd == IP_VS_SO_SET_ADD || cmd == IP_VS_SO_SET_EDIT) &&
++ strnlen(usvc.sched_name, IP_VS_SCHEDNAME_MAXLEN) ==
++ IP_VS_SCHEDNAME_MAXLEN) {
++ ret = -EINVAL;
++ goto out_unlock;
++ }
++
+ /* Check for valid protocol: TCP or UDP or SCTP, even for fwmark!=0 */
+ if (usvc.protocol != IPPROTO_TCP && usvc.protocol != IPPROTO_UDP &&
+ usvc.protocol != IPPROTO_SCTP) {
+- pr_err("set_ctl: invalid protocol: %d %pI4:%d %s\n",
++ pr_err("set_ctl: invalid protocol: %d %pI4:%d\n",
+ usvc.protocol, &usvc.addr.ip,
+- ntohs(usvc.port), usvc.sched_name);
++ ntohs(usvc.port));
+ ret = -EFAULT;
+ goto out_unlock;
+ }
+@@ -2849,7 +2858,7 @@ static const struct nla_policy ip_vs_cmd_policy[IPVS_CMD_ATTR_MAX + 1] = {
+ static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = {
+ [IPVS_DAEMON_ATTR_STATE] = { .type = NLA_U32 },
+ [IPVS_DAEMON_ATTR_MCAST_IFN] = { .type = NLA_NUL_STRING,
+- .len = IP_VS_IFNAME_MAXLEN },
++ .len = IP_VS_IFNAME_MAXLEN - 1 },
+ [IPVS_DAEMON_ATTR_SYNC_ID] = { .type = NLA_U32 },
+ [IPVS_DAEMON_ATTR_SYNC_MAXLEN] = { .type = NLA_U16 },
+ [IPVS_DAEMON_ATTR_MCAST_GROUP] = { .type = NLA_U32 },
+@@ -2867,7 +2876,7 @@ static const struct nla_policy ip_vs_svc_policy[IPVS_SVC_ATTR_MAX + 1] = {
+ [IPVS_SVC_ATTR_PORT] = { .type = NLA_U16 },
+ [IPVS_SVC_ATTR_FWMARK] = { .type = NLA_U32 },
+ [IPVS_SVC_ATTR_SCHED_NAME] = { .type = NLA_NUL_STRING,
+- .len = IP_VS_SCHEDNAME_MAXLEN },
++ .len = IP_VS_SCHEDNAME_MAXLEN - 1 },
+ [IPVS_SVC_ATTR_PE_NAME] = { .type = NLA_NUL_STRING,
+ .len = IP_VS_PENAME_MAXLEN },
+ [IPVS_SVC_ATTR_FLAGS] = { .type = NLA_BINARY,
+--
+2.12.3
+
diff --git a/patches.fixes/0017-xfrm6-avoid-potential-infinite-loop-in-_decode_sessi.patch b/patches.fixes/0017-xfrm6-avoid-potential-infinite-loop-in-_decode_sessi.patch
new file mode 100644
index 0000000000..445826bdfa
--- /dev/null
+++ b/patches.fixes/0017-xfrm6-avoid-potential-infinite-loop-in-_decode_sessi.patch
@@ -0,0 +1,100 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: xfrm6: avoid potential infinite loop in
+ _decode_session6()
+Patch-mainline: v4.17
+Git-commit: d9f92772e8ec388d070752ee8f187ef8fa18621f
+References: git-fixes
+
+
+syzbot found a way to trigger an infinitie loop by overflowing
+@offset variable that has been forced to use u16 for some very
+obscure reason in the past.
+
+We probably want to look at NEXTHDR_FRAGMENT handling which looks
+wrong, in a separate patch.
+
+In net-next, we shall try to use skb_header_pointer() instead of
+pskb_may_pull().
+
+watchdog: BUG: soft lockup - CPU#1 stuck for 134s! [syz-executor738:4553]
+Modules linked in:
+irq event stamp: 13885653
+hardirqs last enabled at (13885652): [<ffffffff878009d5>] restore_regs_and_return_to_kernel+0x0/0x2b
+hardirqs last disabled at (13885653): [<ffffffff87800905>] interrupt_entry+0xb5/0xf0 arch/x86/entry/entry_64.S:625
+softirqs last enabled at (13614028): [<ffffffff84df0809>] tun_napi_alloc_frags drivers/net/tun.c:1478 [inline]
+softirqs last enabled at (13614028): [<ffffffff84df0809>] tun_get_user+0x1dd9/0x4290 drivers/net/tun.c:1825
+softirqs last disabled at (13614032): [<ffffffff84df1b6f>] tun_get_user+0x313f/0x4290 drivers/net/tun.c:1942
+CPU: 1 PID: 4553 Comm: syz-executor738 Not tainted 4.17.0-rc3+ #40
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:check_kcov_mode kernel/kcov.c:67 [inline]
+RIP: 0010:__sanitizer_cov_trace_pc+0x20/0x50 kernel/kcov.c:101
+RSP: 0018:ffff8801d8cfe250 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
+RAX: ffff8801d88a8080 RBX: ffff8801d7389e40 RCX: 0000000000000006
+RDX: 0000000000000000 RSI: ffffffff868da4ad RDI: ffff8801c8a53277
+RBP: ffff8801d8cfe250 R08: ffff8801d88a8080 R09: ffff8801d8cfe3e8
+R10: ffffed003b19fc87 R11: ffff8801d8cfe43f R12: ffff8801c8a5327f
+R13: 0000000000000000 R14: ffff8801c8a4e5fe R15: ffff8801d8cfe3e8
+FS: 0000000000d88940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffff600400 CR3: 00000001acab3000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ _decode_session6+0xc1d/0x14f0 net/ipv6/xfrm6_policy.c:150
+ __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2368
+ xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline]
+ icmpv6_route_lookup+0x395/0x6e0 net/ipv6/icmp.c:372
+ icmp6_send+0x1982/0x2da0 net/ipv6/icmp.c:551
+ icmpv6_send+0x17a/0x300 net/ipv6/ip6_icmp.c:43
+ ip6_input_finish+0x14e1/0x1a30 net/ipv6/ip6_input.c:305
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip6_input+0xe1/0x5e0 net/ipv6/ip6_input.c:327
+ dst_input include/net/dst.h:450 [inline]
+ ip6_rcv_finish+0x29c/0xa10 net/ipv6/ip6_input.c:71
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ipv6_rcv+0xeb8/0x2040 net/ipv6/ip6_input.c:208
+ __netif_receive_skb_core+0x2468/0x3650 net/core/dev.c:4646
+ __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4711
+ netif_receive_skb_internal+0x126/0x7b0 net/core/dev.c:4785
+ napi_frags_finish net/core/dev.c:5226 [inline]
+ napi_gro_frags+0x631/0xc40 net/core/dev.c:5299
+ tun_get_user+0x3168/0x4290 drivers/net/tun.c:1951
+ tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:1996
+ call_write_iter include/linux/fs.h:1784 [inline]
+ do_iter_readv_writev+0x859/0xa50 fs/read_write.c:680
+ do_iter_write+0x185/0x5f0 fs/read_write.c:959
+ vfs_writev+0x1c7/0x330 fs/read_write.c:1004
+ do_writev+0x112/0x2f0 fs/read_write.c:1039
+ __do_sys_writev fs/read_write.c:1112 [inline]
+ __se_sys_writev fs/read_write.c:1109 [inline]
+ __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109
+ do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Reported-by: syzbot+0053c8...@syzkaller.appspotmail.com
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/xfrm6_policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
+index 79651bc71bf0..7d89acf2fdd6 100644
+--- a/net/ipv6/xfrm6_policy.c
++++ b/net/ipv6/xfrm6_policy.c
+@@ -119,7 +119,7 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
+ struct flowi6 *fl6 = &fl->u.ip6;
+ int onlyproto = 0;
+ const struct ipv6hdr *hdr = ipv6_hdr(skb);
+- u16 offset = sizeof(*hdr);
++ u32 offset = sizeof(*hdr);
+ struct ipv6_opt_hdr *exthdr;
+ const unsigned char *nh = skb_network_header(skb);
+ u16 nhoff = IP6CB(skb)->nhoff;
+--
+2.12.3
+
diff --git a/patches.fixes/0018-sctp-fix-identification-of-new-acks-for-SFR-CACC.patch b/patches.fixes/0018-sctp-fix-identification-of-new-acks-for-SFR-CACC.patch
new file mode 100644
index 0000000000..4c76abe212
--- /dev/null
+++ b/patches.fixes/0018-sctp-fix-identification-of-new-acks-for-SFR-CACC.patch
@@ -0,0 +1,120 @@
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Subject: sctp: fix identification of new acks for SFR-CACC
+Patch-mainline: v4.18-rc1
+Git-commit: 51446780fc33e45cb790c05a7fa2c5bf7e8bc53b
+References: git-fixes
+
+
+It's currently written as:
+
+if (!tchunk->tsn_gap_acked) { [1]
+ tchunk->tsn_gap_acked = 1;
+ ...
+}
+
+if (TSN_lte(tsn, sack_ctsn)) {
+ if (!tchunk->tsn_gap_acked) {
+ /* SFR-CACC processing */
+ ...
+ }
+}
+
+Which causes the SFR-CACC processing on ack reception to never process,
+as tchunk->tsn_gap_acked is always true by then. Block [1] was
+moved to that position by the commit marked below.
+
+This patch fixes it by doing SFR-CACC processing earlier, before
+tsn_gap_acked is set to true.
+
+Fixes: 31b02e154940 ("sctp: Failover transmitted list on transport delete")
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/sctp/outqueue.c | 48 +++++++++++++++++++++++-------------------------
+ 1 file changed, 23 insertions(+), 25 deletions(-)
+
+diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
+index 05be058255ea..b3f44daf3af6 100644
+--- a/net/sctp/outqueue.c
++++ b/net/sctp/outqueue.c
+@@ -1447,7 +1447,7 @@ static void sctp_check_transmitted(struct sctp_outq *q,
+ * the outstanding bytes for this chunk, so only
+ * count bytes associated with a transport.
+ */
+- if (transport) {
++ if (transport && !tchunk->tsn_gap_acked) {
+ /* If this chunk is being used for RTT
+ * measurement, calculate the RTT and update
+ * the RTO using this value.
+@@ -1459,14 +1459,34 @@ static void sctp_check_transmitted(struct sctp_outq *q,
+ * first instance of the packet or a later
+ * instance).
+ */
+- if (!tchunk->tsn_gap_acked &&
+- !sctp_chunk_retransmitted(tchunk) &&
++ if (!sctp_chunk_retransmitted(tchunk) &&
+ tchunk->rtt_in_progress) {
+ tchunk->rtt_in_progress = 0;
+ rtt = jiffies - tchunk->sent_at;
+ sctp_transport_update_rto(transport,
+ rtt);
+ }
++
++ if (TSN_lte(tsn, sack_ctsn)) {
++ /*
++ * SFR-CACC algorithm:
++ * 2) If the SACK contains gap acks
++ * and the flag CHANGEOVER_ACTIVE is
++ * set the receiver of the SACK MUST
++ * take the following action:
++ *
++ * B) For each TSN t being acked that
++ * has not been acked in any SACK so
++ * far, set cacc_saw_newack to 1 for
++ * the destination that the TSN was
++ * sent to.
++ */
++ if (sack->num_gap_ack_blocks &&
++ q->asoc->peer.primary_path->cacc.
++ changeover_active)
++ transport->cacc.cacc_saw_newack
++ = 1;
++ }
+ }
+
+ /* If the chunk hasn't been marked as ACKED,
+@@ -1498,28 +1518,6 @@ static void sctp_check_transmitted(struct sctp_outq *q,
+ restart_timer = 1;
+ forward_progress = true;
+
+- if (!tchunk->tsn_gap_acked) {
+- /*
+- * SFR-CACC algorithm:
+- * 2) If the SACK contains gap acks
+- * and the flag CHANGEOVER_ACTIVE is
+- * set the receiver of the SACK MUST
+- * take the following action:
+- *
+- * B) For each TSN t being acked that
+- * has not been acked in any SACK so
+- * far, set cacc_saw_newack to 1 for
+- * the destination that the TSN was
+- * sent to.
+- */
+- if (transport &&
+- sack->num_gap_ack_blocks &&
+- q->asoc->peer.primary_path->cacc.
+- changeover_active)
+- transport->cacc.cacc_saw_newack
+- = 1;
+- }
+-
+ list_add_tail(&tchunk->transmitted_list,
+ &q->sacked);
+ } else {
+--
+2.12.3
+
diff --git a/patches.fixes/0019-ip_tunnel-Fix-name-string-concatenate-in-__ip_tunnel.patch b/patches.fixes/0019-ip_tunnel-Fix-name-string-concatenate-in-__ip_tunnel.patch
new file mode 100644
index 0000000000..e06411857d
--- /dev/null
+++ b/patches.fixes/0019-ip_tunnel-Fix-name-string-concatenate-in-__ip_tunnel.patch
@@ -0,0 +1,39 @@
+From: Sultan Alsawaf <sultanxda@gmail.com>
+Subject: ip_tunnel: Fix name string concatenate in
+ __ip_tunnel_create()
+Patch-mainline: v4.18-rc1
+Git-commit: 000ade8016400d93b4d7c89970d96b8c14773d45
+References: git-fixes
+
+
+By passing a limit of 2 bytes to strncat, strncat is limited to writing
+fewer bytes than what it's supposed to append to the name here.
+
+Since the bounds are checked on the line above this, just remove the string
+bounds checks entirely since they're unneeded.
+
+Signed-off-by: Sultan Alsawaf <sultanxda@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/ip_tunnel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
+index 440a289ebd68..9b5d313f445c 100644
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -261,8 +261,8 @@ static struct net_device *__ip_tunnel_create(struct net *net,
+ } else {
+ if (strlen(ops->kind) > (IFNAMSIZ - 3))
+ goto failed;
+- strlcpy(name, ops->kind, IFNAMSIZ);
+- strncat(name, "%d", 2);
++ strcpy(name, ops->kind);
++ strcat(name, "%d");
+ }
+
+ ASSERT_RTNL();
+--
+2.12.3
+
diff --git a/patches.fixes/0020-netfilter-nf_tables-check-msg_type-before-nft_trans_.patch b/patches.fixes/0020-netfilter-nf_tables-check-msg_type-before-nft_trans_.patch
new file mode 100644
index 0000000000..a1ededb25d
--- /dev/null
+++ b/patches.fixes/0020-netfilter-nf_tables-check-msg_type-before-nft_trans_.patch
@@ -0,0 +1,145 @@
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Subject: netfilter: nf_tables: check msg_type before
+ nft_trans_set(trans)
+Patch-mainline: v4.18-rc1
+Git-commit: 9c7f96fd77b0dbe1fe7ed1f9c462c45dc48a1076
+References: git-fixes
+
+
+The patch moves the "trans->msg_type == NFT_MSG_NEWSET" check before
+using nft_trans_set(trans). Otherwise we can get out of bounds read.
+
+For example, KASAN reported the one when running 0001_cache_handling_0 nft
+test. In this case "trans->msg_type" was NFT_MSG_NEWTABLE:
+
+[75517.177808] BUG: KASAN: slab-out-of-bounds in nft_set_lookup_global+0x22f/0x270 [nf_tables]
+[75517.279094] Read of size 8 at addr ffff881bdb643fc8 by task nft/7356
+...
+[75517.375605] CPU: 26 PID: 7356 Comm: nft Tainted: G E 4.17.0-rc7.1.x86_64 #1
+[75517.489587] Hardware name: Oracle Corporation SUN SERVER X4-2
+[75517.618129] Call Trace:
+[75517.648821] dump_stack+0xd1/0x13b
+[75517.691040] ? show_regs_print_info+0x5/0x5
+[75517.742519] ? kmsg_dump_rewind_nolock+0xf5/0xf5
+[75517.799300] ? lock_acquire+0x143/0x310
+[75517.846738] print_address_description+0x85/0x3a0
+[75517.904547] kasan_report+0x18d/0x4b0
+[75517.949892] ? nft_set_lookup_global+0x22f/0x270 [nf_tables]
+[75518.019153] ? nft_set_lookup_global+0x22f/0x270 [nf_tables]
+[75518.088420] ? nft_set_lookup_global+0x22f/0x270 [nf_tables]
+[75518.157689] nft_set_lookup_global+0x22f/0x270 [nf_tables]
+[75518.224869] nf_tables_newsetelem+0x1a5/0x5d0 [nf_tables]
+[75518.291024] ? nft_add_set_elem+0x2280/0x2280 [nf_tables]
+[75518.357154] ? nla_parse+0x1a5/0x300
+[75518.401455] ? kasan_kmalloc+0xa6/0xd0
+[75518.447842] nfnetlink_rcv+0xc43/0x1bdf [nfnetlink]
+[75518.507743] ? nfnetlink_rcv+0x7a5/0x1bdf [nfnetlink]
+[75518.569745] ? nfnl_err_reset+0x3c0/0x3c0 [nfnetlink]
+[75518.631711] ? lock_acquire+0x143/0x310
+[75518.679133] ? netlink_deliver_tap+0x9b/0x1070
+[75518.733840] ? kasan_unpoison_shadow+0x31/0x40
+[75518.788542] netlink_unicast+0x45d/0x680
+[75518.837111] ? __isolate_free_page+0x890/0x890
+[75518.891913] ? netlink_attachskb+0x6b0/0x6b0
+[75518.944542] netlink_sendmsg+0x6fa/0xd30
+[75518.993107] ? netlink_unicast+0x680/0x680
+[75519.043758] ? netlink_unicast+0x680/0x680
+[75519.094402] sock_sendmsg+0xd9/0x160
+[75519.138810] ___sys_sendmsg+0x64d/0x980
+[75519.186234] ? copy_msghdr_from_user+0x350/0x350
+[75519.243118] ? lock_downgrade+0x650/0x650
+[75519.292738] ? do_raw_spin_unlock+0x5d/0x250
+[75519.345456] ? _raw_spin_unlock+0x24/0x30
+[75519.395065] ? __handle_mm_fault+0xbde/0x3410
+[75519.448830] ? sock_setsockopt+0x3d2/0x1940
+[75519.500516] ? __lock_acquire.isra.25+0xdc/0x19d0
+[75519.558448] ? lock_downgrade+0x650/0x650
+[75519.608057] ? __audit_syscall_entry+0x317/0x720
+[75519.664960] ? __fget_light+0x58/0x250
+[75519.711325] ? __sys_sendmsg+0xde/0x170
+[75519.758850] __sys_sendmsg+0xde/0x170
+[75519.804193] ? __ia32_sys_shutdown+0x90/0x90
+[75519.856725] ? syscall_trace_enter+0x897/0x10e0
+[75519.912354] ? trace_event_raw_event_sys_enter+0x920/0x920
+[75519.979432] ? __audit_syscall_entry+0x720/0x720
+[75520.036118] do_syscall_64+0xa3/0x3d0
+[75520.081248] ? prepare_exit_to_usermode+0x47/0x1d0
+[75520.139904] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[75520.201680] RIP: 0033:0x7fc153320ba0
+[75520.245772] RSP: 002b:00007ffe294c3638 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+[75520.337708] RAX: ffffffffffffffda RBX: 00007ffe294c4820 RCX: 00007fc153320ba0
+[75520.424547] RDX: 0000000000000000 RSI: 00007ffe294c46b0 RDI: 0000000000000003
+[75520.511386] RBP: 00007ffe294c47b0 R08: 0000000000000004 R09: 0000000002114090
+[75520.598225] R10: 00007ffe294c30a0 R11: 0000000000000246 R12: 00007ffe294c3660
+[75520.684961] R13: 0000000000000001 R14: 00007ffe294c3650 R15: 0000000000000001
+
+[75520.790946] Allocated by task 7356:
+[75520.833994] kasan_kmalloc+0xa6/0xd0
+[75520.878088] __kmalloc+0x189/0x450
+[75520.920107] nft_trans_alloc_gfp+0x20/0x190 [nf_tables]
+[75520.983961] nf_tables_newtable+0xcd0/0x1bd0 [nf_tables]
+[75521.048857] nfnetlink_rcv+0xc43/0x1bdf [nfnetlink]
+[75521.108655] netlink_unicast+0x45d/0x680
+[75521.157013] netlink_sendmsg+0x6fa/0xd30
+[75521.205271] sock_sendmsg+0xd9/0x160
+[75521.249365] ___sys_sendmsg+0x64d/0x980
+[75521.296686] __sys_sendmsg+0xde/0x170
+[75521.341822] do_syscall_64+0xa3/0x3d0
+[75521.386957] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+[75521.467867] Freed by task 23454:
+[75521.507804] __kasan_slab_free+0x132/0x180
+[75521.558137] kfree+0x14d/0x4d0
+[75521.596005] free_rt_sched_group+0x153/0x280
+[75521.648410] sched_autogroup_create_attach+0x19a/0x520
+[75521.711330] ksys_setsid+0x2ba/0x400
+[75521.755529] __ia32_sys_setsid+0xa/0x10
+[75521.802850] do_syscall_64+0xa3/0x3d0
+[75521.848090] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+[75521.929000] The buggy address belongs to the object at ffff881bdb643f80
+ which belongs to the cache kmalloc-96 of size 96
+[75522.079797] The buggy address is located 72 bytes inside of
+ 96-byte region [ffff881bdb643f80, ffff881bdb643fe0)
+[75522.221234] The buggy address belongs to the page:
+[75522.280100] page:ffffea006f6d90c0 count:1 mapcount:0 mapping:0000000000000000 index:0x0
+[75522.377443] flags: 0x2fffff80000100(slab)
+[75522.426956] raw: 002fffff80000100 0000000000000000 0000000000000000 0000000180200020
+[75522.521275] raw: ffffea006e6fafc0 0000000c0000000c ffff881bf180f400 0000000000000000
+[75522.615601] page dumped because: kasan: bad access detected
+
+Fixes: 37a9cc525525 ("netfilter: nf_tables: add generation mask to sets")
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nf_tables_api.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index d627a479e332..02b79bde519f 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2564,12 +2564,13 @@ static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
+ u32 id = ntohl(nla_get_be32(nla));
+
+ list_for_each_entry(trans, &net->nft.commit_list, list) {
+- struct nft_set *set = nft_trans_set(trans);
++ if (trans->msg_type == NFT_MSG_NEWSET) {
++ struct nft_set *set = nft_trans_set(trans);
+
+- if (trans->msg_type == NFT_MSG_NEWSET &&
+- id == nft_trans_set_id(trans) &&
+- nft_active_genmask(set, genmask))
+- return set;
++ if (id == nft_trans_set_id(trans) &&
++ nft_active_genmask(set, genmask))
++ return set;
++ }
+ }
+ return ERR_PTR(-ENOENT);
+ }
+--
+2.12.3
+
diff --git a/patches.fixes/0022-ipvs-fix-check-on-xmit-to-non-local-addresses.patch b/patches.fixes/0022-ipvs-fix-check-on-xmit-to-non-local-addresses.patch
new file mode 100644
index 0000000000..ecf4e516f3
--- /dev/null
+++ b/patches.fixes/0022-ipvs-fix-check-on-xmit-to-non-local-addresses.patch
@@ -0,0 +1,42 @@
+From: Julian Anastasov <ja@ssi.bg>
+Subject: ipvs: fix check on xmit to non-local addresses
+Patch-mainline: v4.18-rc1
+Git-commit: 6fcc02e3c2bddeaf628fde3c6a5ab3216d45691a
+References: git-fixes
+
+There is mistake in the rt_mode_allow_non_local assignment.
+It should be used to check if sending to non-local addresses is
+allowed, now it checks if local addresses are allowed.
+
+As local addresses are allowed for most of the cases, the only
+places that are affected are for traffic to transparent cache
+servers:
+
+- bypass connections when cache server is not available
+- related ICMP in FORWARD hook when sent to cache server
+
+Fixes: 4a4739d56b00 ("ipvs: Pull out crosses_local_route_boundary logic")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipvs/ip_vs_xmit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
+index 2eab1e0400f4..6edbd8db80af 100644
+--- a/net/netfilter/ipvs/ip_vs_xmit.c
++++ b/net/netfilter/ipvs/ip_vs_xmit.c
+@@ -168,7 +168,7 @@ static inline bool crosses_local_route_boundary(int skb_af, struct sk_buff *skb,
+ bool new_rt_is_local)
+ {
+ bool rt_mode_allow_local = !!(rt_mode & IP_VS_RT_MODE_LOCAL);
+- bool rt_mode_allow_non_local = !!(rt_mode & IP_VS_RT_MODE_LOCAL);
++ bool rt_mode_allow_non_local = !!(rt_mode & IP_VS_RT_MODE_NON_LOCAL);
+ bool rt_mode_allow_redirect = !!(rt_mode & IP_VS_RT_MODE_RDR);
+ bool source_is_loopback;
+ bool old_rt_is_local;
+--
+2.12.3
+
diff --git a/patches.fixes/0023-netfilter-ebtables-reject-non-bridge-targets.patch b/patches.fixes/0023-netfilter-ebtables-reject-non-bridge-targets.patch
new file mode 100644
index 0000000000..d24b7de86e
--- /dev/null
+++ b/patches.fixes/0023-netfilter-ebtables-reject-non-bridge-targets.patch
@@ -0,0 +1,66 @@
+From: Florian Westphal <fw@strlen.de>
+Subject: netfilter: ebtables: reject non-bridge targets
+Patch-mainline: v4.18-rc1
+Git-commit: 11ff7288beb2b7da889a014aff0a7b80bf8efcf3
+References: git-fixes
+
+
+the ebtables evaluation loop expects targets to return
+positive values (jumps), or negative values (absolute verdicts).
+
+This is completely different from what xtables does.
+In xtables, targets are expected to return the standard netfilter
+verdicts, i.e. NF_DROP, NF_ACCEPT, etc.
+
+ebtables will consider these as jumps.
+
+Therefore reject any target found due to unspec fallback.
+v2: also reject watchers. ebtables ignores their return value, so
+a target that assumes skb ownership (and returns NF_STOLEN) causes
+use-after-free.
+
+The only watchers in the 'ebtables' front-end are log and nflog;
+both have AF_BRIDGE specific wrappers on kernel side.
+
+Reported-by: syzbot+2b43f681169a2a0d306a@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/bridge/netfilter/ebtables.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 546c20cf632e..a97cd8c3f1a7 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -402,6 +402,12 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
+ watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
+ if (IS_ERR(watcher))
+ return PTR_ERR(watcher);
++
++ if (watcher->family != NFPROTO_BRIDGE) {
++ module_put(watcher->me);
++ return -ENOENT;
++ }
++
+ w->u.watcher = watcher;
+
+ par->target = watcher;
+@@ -721,6 +727,13 @@ ebt_check_entry(struct ebt_entry *e, struct net *net,
+ goto cleanup_watchers;
+ }
+
++ /* Reject UNSPEC, xtables verdicts/return values are incompatible */
++ if (target->family != NFPROTO_BRIDGE) {
++ module_put(target->me);
++ ret = -ENOENT;
++ goto cleanup_watchers;
++ }
++
+ t->u.target = target;
+ if (t->u.target == &ebt_standard_target) {
+ if (gap < sizeof(struct ebt_standard_target)) {
+--
+2.12.3
+
diff --git a/patches.fixes/0024-netfilter-x_tables-initialise-match-target-check-par.patch b/patches.fixes/0024-netfilter-x_tables-initialise-match-target-check-par.patch
new file mode 100644
index 0000000000..24704aa03b
--- /dev/null
+++ b/patches.fixes/0024-netfilter-x_tables-initialise-match-target-check-par.patch
@@ -0,0 +1,77 @@
+From: Florian Westphal <fw@strlen.de>
+Subject: netfilter: x_tables: initialise match/target check
+ parameter struct
+Patch-mainline: 4.18-rc1
+Git-commit: c568503ef02030f169c9e19204def610a3510918
+References: git-fixes
+
+
+syzbot reports following splat:
+
+BUG: KMSAN: uninit-value in ebt_stp_mt_check+0x24b/0x450
+ net/bridge/netfilter/ebt_stp.c:162
+ ebt_stp_mt_check+0x24b/0x450 net/bridge/netfilter/ebt_stp.c:162
+ xt_check_match+0x1438/0x1650 net/netfilter/x_tables.c:506
+ ebt_check_match net/bridge/netfilter/ebtables.c:372 [inline]
+ ebt_check_entry net/bridge/netfilter/ebtables.c:702 [inline]
+
+The uninitialised access is
+ xt_mtchk_param->nft_compat
+
+... which should be set to 0.
+Fix it by zeroing the struct beforehand, same for tgchk.
+
+ip(6)tables targetinfo uses c99-style initialiser, so no change
+needed there.
+
+Reported-by: syzbot+da4494182233c23a5fcf@syzkaller.appspotmail.com
+Fixes: 55917a21d0cc0 ("netfilter: x_tables: add context to know if extension runs from nft_compat")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/bridge/netfilter/ebtables.c | 2 ++
+ net/ipv4/netfilter/ip_tables.c | 1 +
+ net/ipv6/netfilter/ip6_tables.c | 1 +
+ 3 files changed, 4 insertions(+)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index a97cd8c3f1a7..d7418e1d70e8 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -706,6 +706,8 @@ ebt_check_entry(struct ebt_entry *e, struct net *net,
+ }
+ i = 0;
+
++ memset(&mtpar, 0, sizeof(mtpar));
++ memset(&tgpar, 0, sizeof(tgpar));
+ mtpar.net = tgpar.net = net;
+ mtpar.table = tgpar.table = name;
+ mtpar.entryinfo = tgpar.entryinfo = e;
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index b3b49c07b7af..7bf9d034112f 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -546,6 +546,7 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
+ return -ENOMEM;
+
+ j = 0;
++ memset(&mtpar, 0, sizeof(mtpar));
+ mtpar.net = net;
+ mtpar.table = name;
+ mtpar.entryinfo = &e->ip;
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index 7d2228be6fa5..f2b3b5879536 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -567,6 +567,7 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
+ return -ENOMEM;
+
+ j = 0;
++ memset(&mtpar, 0, sizeof(mtpar));
+ mtpar.net = net;
+ mtpar.table = name;
+ mtpar.entryinfo = &e->ipv6;
+--
+2.12.3
+
diff --git a/patches.fixes/0025-l2tp-only-accept-PPP-sessions-in-pppol2tp_connect.patch b/patches.fixes/0025-l2tp-only-accept-PPP-sessions-in-pppol2tp_connect.patch
new file mode 100644
index 0000000000..504fa0cd1e
--- /dev/null
+++ b/patches.fixes/0025-l2tp-only-accept-PPP-sessions-in-pppol2tp_connect.patch
@@ -0,0 +1,40 @@
+From: Guillaume Nault <g.nault@alphalink.fr>
+Subject: l2tp: only accept PPP sessions in pppol2tp_connect()
+Patch-mainline: v4.18-rc1
+Git-commit: 7ac6ab1f8a38ba7f8d97f95475bb6a2575db4658
+References: git-fixes
+
+l2tp_session_priv() returns a struct pppol2tp_session pointer only for
+PPPoL2TP sessions. In particular, if the session is an L2TP_PWTYPE_ETH
+pseudo-wire, l2tp_session_priv() returns a pointer to an l2tp_eth_sess
+structure, which is much smaller than struct pppol2tp_session. This
+leads to invalid memory dereference when trying to lock ps->sk_lock.
+
+Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/l2tp/l2tp_ppp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 6541e8103187..4718916e9bdc 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -746,6 +746,12 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
+ session = l2tp_session_get(sock_net(sk), tunnel, session_id);
+ if (session) {
+ drop_refcnt = true;
++
++ if (session->pwtype != L2TP_PWTYPE_PPP) {
++ error = -EPROTOTYPE;
++ goto end;
++ }
++
+ ps = l2tp_session_priv(session);
+
+ /* Using a pre-existing session is fine as long as it hasn't
+--
+2.12.3
+
diff --git a/patches.fixes/0026-l2tp-prevent-pppol2tp_connect-from-creating-kernel-s.patch b/patches.fixes/0026-l2tp-prevent-pppol2tp_connect-from-creating-kernel-s.patch
new file mode 100644
index 0000000000..025c5cdc0b
--- /dev/null
+++ b/patches.fixes/0026-l2tp-prevent-pppol2tp_connect-from-creating-kernel-s.patch
@@ -0,0 +1,49 @@
+From: Guillaume Nault <g.nault@alphalink.fr>
+Subject: l2tp: prevent pppol2tp_connect() from creating kernel
+ sockets
+Patch-mainline: v4.18-rc1
+Git-commit: 3e1bc8bf974e2d4e7beb842a4c801c2542eff3bd
+References: git-fixes
+
+
+If 'fd' is negative, l2tp_tunnel_create() creates a tunnel socket using
+the configuration passed in 'tcfg'. Currently, pppol2tp_connect() sets
+the relevant fields to zero, tricking l2tp_tunnel_create() into setting
+up an unusable kernel socket.
+
+We can't set 'tcfg' with the required fields because there's no way to
+get them from the current connect() parameters. So let's restrict
+kernel sockets creation to the netlink API, which is the original use
+case.
+
+Fixes: 789a4a2c61d8 ("l2tp: Add support for static unmanaged L2TPv3 tunnels")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/l2tp/l2tp_ppp.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 4718916e9bdc..a28829c2eb41 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -722,6 +722,15 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
+ .encap = L2TP_ENCAPTYPE_UDP,
+ .debug = 0,
+ };
++
++ /* Prevent l2tp_tunnel_register() from trying to set up
++ * a kernel socket.
++ */
++ if (fd < 0) {
++ error = -EBADF;
++ goto end;
++ }
++
+ error = l2tp_tunnel_create(sock_net(sk), fd, ver, tunnel_id, peer_tunnel_id, &tcfg, &tunnel);
+ if (error < 0)
+ goto end;
+--
+2.12.3
+
diff --git a/patches.fixes/0027-l2tp-filter-out-non-PPP-sessions-in-pppol2tp_tunnel_.patch b/patches.fixes/0027-l2tp-filter-out-non-PPP-sessions-in-pppol2tp_tunnel_.patch
new file mode 100644
index 0000000000..6505086df6
--- /dev/null
+++ b/patches.fixes/0027-l2tp-filter-out-non-PPP-sessions-in-pppol2tp_tunnel_.patch
@@ -0,0 +1,41 @@
+From: Guillaume Nault <g.nault@alphalink.fr>
+Subject: l2tp: filter out non-PPP sessions in
+ pppol2tp_tunnel_ioctl()
+Patch-mainline: v4.18-rc1
+Git-commit: ecd012e45ab5fd76ed57546865897ce35920f56b
+References: git-fixes
+
+
+pppol2tp_tunnel_ioctl() can act on an L2TPv3 tunnel, in which case
+'session' may be an Ethernet pseudo-wire.
+
+However, pppol2tp_session_ioctl() expects a PPP pseudo-wire, as it
+assumes l2tp_session_priv() points to a pppol2tp_session structure. For
+an Ethernet pseudo-wire l2tp_session_priv() points to an l2tp_eth_sess
+structure instead, making pppol2tp_session_ioctl() access invalid
+memory.
+
+Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/l2tp/l2tp_ppp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index a28829c2eb41..3cd4cce8338c 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -1214,7 +1214,7 @@ static int pppol2tp_tunnel_ioctl(struct l2tp_tunnel *tunnel,
+ l2tp_session_get(sock_net(sk), tunnel,
+ stats.session_id);
+
+- if (session) {
++ if (session && session->pwtype == L2TP_PWTYPE_PPP) {
+ err = pppol2tp_session_ioctl(session, cmd,
+ arg);
+ l2tp_session_dec_refcount(session);
+--
+2.12.3
+
diff --git a/patches.fixes/0028-ipv6-mcast-fix-unsolicited-report-interval-after-rec.patch b/patches.fixes/0028-ipv6-mcast-fix-unsolicited-report-interval-after-rec.patch
new file mode 100644
index 0000000000..91b46dde8e
--- /dev/null
+++ b/patches.fixes/0028-ipv6-mcast-fix-unsolicited-report-interval-after-rec.patch
@@ -0,0 +1,60 @@
+From: Hangbin Liu <liuhangbin@gmail.com>
+Subject: ipv6: mcast: fix unsolicited report interval after
+ receiving querys
+Patch-mainline: v4.18-rc3
+Git-commit: 6c6da92808442908287fae8ebb0ca041a52469f4
+References: git-fixes
+
+After recieving MLD querys, we update idev->mc_maxdelay with max_delay
+from query header. This make the later unsolicited reports have the same
+interval with mc_maxdelay, which means we may send unsolicited reports with
+long interval time instead of default configured interval time.
+
+Also as we will not call ipv6_mc_reset() after device up. This issue will
+be there even after leave the group and join other groups.
+
+Fixes: fc4eba58b4c14 ("ipv6: make unsolicited report intervals configurable for mld")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/mcast.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
+index 0642884bb08f..3c6479b32b97 100644
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -2084,7 +2084,8 @@ void ipv6_mc_dad_complete(struct inet6_dev *idev)
+ mld_send_initial_cr(idev);
+ idev->mc_dad_count--;
+ if (idev->mc_dad_count)
+- mld_dad_start_timer(idev, idev->mc_maxdelay);
++ mld_dad_start_timer(idev,
++ unsolicited_report_interval(idev));
+ }
+ }
+
+@@ -2096,7 +2097,8 @@ static void mld_dad_timer_expire(unsigned long data)
+ if (idev->mc_dad_count) {
+ idev->mc_dad_count--;
+ if (idev->mc_dad_count)
+- mld_dad_start_timer(idev, idev->mc_maxdelay);
++ mld_dad_start_timer(idev,
++ unsolicited_report_interval(idev));
+ }
+ in6_dev_put(idev);
+ }
+@@ -2454,7 +2456,8 @@ static void mld_ifc_timer_expire(unsigned long data)
+ if (idev->mc_ifc_count) {
+ idev->mc_ifc_count--;
+ if (idev->mc_ifc_count)
+- mld_ifc_start_timer(idev, idev->mc_maxdelay);
++ mld_ifc_start_timer(idev,
++ unsolicited_report_interval(idev));
+ }
+ in6_dev_put(idev);
+ }
+--
+2.12.3
+
diff --git a/patches.fixes/0038-xfs-split-xfs_bmap_shift_extents.patch b/patches.fixes/0038-xfs-split-xfs_bmap_shift_extents.patch
index 38b5598818..960381715b 100644
--- a/patches.fixes/0038-xfs-split-xfs_bmap_shift_extents.patch
+++ b/patches.fixes/0038-xfs-split-xfs_bmap_shift_extents.patch
@@ -23,10 +23,10 @@ Acked-by: Nikolay Borisov <nborisov@suse.com>
3 files changed, 148 insertions(+), 73 deletions(-)
diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
-index 4062ec298497..186f4719a582 100644
+index d0118a2e51d3..47fb51774fcc 100644
--- a/fs/xfs/libxfs/xfs_bmap.c
+++ b/fs/xfs/libxfs/xfs_bmap.c
-@@ -5687,57 +5687,151 @@ xfs_bmse_shift_one(
+@@ -5700,57 +5700,151 @@ xfs_bmse_shift_one(
return xfs_rmap_map_extent(mp, dfops, ip, whichfork, &new);
}
@@ -78,10 +78,10 @@ index 4062ec298497..186f4719a582 100644
if (unlikely(XFS_TEST_ERROR(
(XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_EXTENTS &&
XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_BTREE),
- mp, XFS_ERRTAG_BMAPIFORMAT, XFS_RANDOM_BMAPIFORMAT))) {
+ mp, XFS_ERRTAG_BMAPIFORMAT))) {
- XFS_ERROR_REPORT("xfs_bmap_shift_extents",
- XFS_ERRLEVEL_LOW, mp);
-+ XFS_ERROR_REPORT("__func__", XFS_ERRLEVEL_LOW, mp);
++ XFS_ERROR_REPORT(__func__, XFS_ERRLEVEL_LOW, mp);
return -EFSCORRUPTED;
}
@@ -192,7 +192,7 @@ index 4062ec298497..186f4719a582 100644
+ if (unlikely(XFS_TEST_ERROR(
+ (XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_EXTENTS &&
+ XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_BTREE),
-+ mp, XFS_ERRTAG_BMAPIFORMAT, XFS_RANDOM_BMAPIFORMAT))) {
++ mp, XFS_ERRTAG_BMAPIFORMAT))) {
+ XFS_ERROR_REPORT(__func__, XFS_ERRLEVEL_LOW, mp);
+ return -EFSCORRUPTED;
+ }
@@ -208,7 +208,7 @@ index 4062ec298497..186f4719a582 100644
error = xfs_iread_extents(tp, ip, whichfork);
if (error)
return error;
-@@ -5757,7 +5851,7 @@ xfs_bmap_shift_extents(
+@@ -5770,7 +5864,7 @@ xfs_bmap_shift_extents(
*/
total_extents = xfs_iext_count(ifp);
if (total_extents == 0) {
@@ -217,7 +217,7 @@ index 4062ec298497..186f4719a582 100644
goto del_cursor;
}
-@@ -5765,12 +5859,10 @@ xfs_bmap_shift_extents(
+@@ -5778,12 +5872,10 @@ xfs_bmap_shift_extents(
* In case of first right shift, we need to initialize next_fsb
*/
if (*next_fsb == NULLFSBLOCK) {
@@ -231,7 +231,7 @@ index 4062ec298497..186f4719a582 100644
goto del_cursor;
}
*next_fsb = got.br_startoff;
-@@ -5785,46 +5877,27 @@ xfs_bmap_shift_extents(
+@@ -5798,46 +5890,27 @@ xfs_bmap_shift_extents(
*/
if (!xfs_iext_lookup_extent(ip, ifp, *next_fsb, &current_ext,
&got)) {
@@ -288,7 +288,7 @@ index 4062ec298497..186f4719a582 100644
}
xfs_iext_get_extent(ifp, current_ext, &got);
diff --git a/fs/xfs/libxfs/xfs_bmap.h b/fs/xfs/libxfs/xfs_bmap.h
-index 7eb1cf199138..cee680f01d87 100644
+index ba5a4835bb13..ca37030f4cfb 100644
--- a/fs/xfs/libxfs/xfs_bmap.h
+++ b/fs/xfs/libxfs/xfs_bmap.h
@@ -228,10 +228,14 @@ int xfs_bmap_del_extent_delay(struct xfs_inode *ip, int whichfork,
@@ -310,10 +310,10 @@ index 7eb1cf199138..cee680f01d87 100644
int xfs_bmapi_reserve_delalloc(struct xfs_inode *ip, int whichfork,
xfs_fileoff_t off, xfs_filblks_t len, xfs_filblks_t prealloc,
diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
-index 29b999e86571..09e21f704444 100644
+index 3273f083c496..034f3429ca8c 100644
--- a/fs/xfs/xfs_bmap_util.c
+++ b/fs/xfs/xfs_bmap_util.c
-@@ -1303,7 +1303,6 @@ xfs_collapse_file_space(
+@@ -1322,7 +1322,6 @@ xfs_collapse_file_space(
xfs_off_t offset,
xfs_off_t len)
{
@@ -321,7 +321,7 @@ index 29b999e86571..09e21f704444 100644
struct xfs_mount *mp = ip->i_mount;
struct xfs_trans *tp;
int error;
-@@ -1313,6 +1312,7 @@ xfs_collapse_file_space(
+@@ -1332,6 +1331,7 @@ xfs_collapse_file_space(
xfs_fileoff_t next_fsb = XFS_B_TO_FSB(mp, offset + len);
xfs_fileoff_t shift_fsb = XFS_B_TO_FSB(mp, len);
uint resblks = XFS_DIOSTRAT_SPACE_RES(mp, 0);
@@ -329,7 +329,7 @@ index 29b999e86571..09e21f704444 100644
ASSERT(xfs_isilocked(ip, XFS_IOLOCK_EXCL));
trace_xfs_collapse_file_space(ip);
-@@ -1340,9 +1340,8 @@ xfs_collapse_file_space(
+@@ -1359,9 +1359,8 @@ xfs_collapse_file_space(
xfs_trans_ijoin(tp, ip, XFS_ILOCK_EXCL);
xfs_defer_init(&dfops, &first_block);
@@ -341,7 +341,7 @@ index 29b999e86571..09e21f704444 100644
if (error)
goto out_bmap_cancel;
-@@ -1387,7 +1386,7 @@ xfs_insert_file_space(
+@@ -1406,7 +1405,7 @@ xfs_insert_file_space(
xfs_fileoff_t stop_fsb = XFS_B_TO_FSB(mp, offset);
xfs_fileoff_t next_fsb = NULLFSBLOCK;
xfs_fileoff_t shift_fsb = XFS_B_TO_FSB(mp, len);
@@ -350,7 +350,7 @@ index 29b999e86571..09e21f704444 100644
ASSERT(xfs_isilocked(ip, XFS_IOLOCK_EXCL));
trace_xfs_insert_file_space(ip);
-@@ -1414,9 +1413,8 @@ xfs_insert_file_space(
+@@ -1433,9 +1432,8 @@ xfs_insert_file_space(
xfs_ilock(ip, XFS_ILOCK_EXCL);
xfs_trans_ijoin(tp, ip, XFS_ILOCK_EXCL);
xfs_defer_init(&dfops, &first_block);
@@ -363,5 +363,5 @@ index 29b999e86571..09e21f704444 100644
goto out_bmap_cancel;
--
-2.7.4
+2.16.4
diff --git a/patches.fixes/ACPI-button-reinitialize-button-state-upon-resume.patch b/patches.fixes/ACPI-button-reinitialize-button-state-upon-resume.patch
new file mode 100644
index 0000000000..d9752fa0cd
--- /dev/null
+++ b/patches.fixes/ACPI-button-reinitialize-button-state-upon-resume.patch
@@ -0,0 +1,46 @@
+From 13e962140be671f31a011543f11477af67a6c33e Mon Sep 17 00:00:00 2001
+From: Zhang Rui <rui.zhang@intel.com>
+Date: Tue, 2 Apr 2019 21:38:32 +0800
+Subject: [PATCH] ACPI: button: reinitialize button state upon resume
+Git-commit: 13e962140be671f31a011543f11477af67a6c33e
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+With commit dfa46c50f65b ("ACPI / button: Fix an issue in
+button.lid_init_state=ignore mode"), the lid device is considered to be
+not compliant to SW_LID if the Lid state is unchanged when updating it.
+
+This is not wrong, but we overlooked the resume case, where Lid state is
+updated unconditionally in the button driver .resume() callback. And this
+results in warning message "ACPI: button: The lid device is not compliant
+to SW_LID." after resume, if the machine is suspended with Lid opened and
+then resumed with Lid opened.
+
+Fix this by flushing the cached lid state before updating the Lid device
+in .resume() callback.
+
+Fixes: dfa46c50f65b ("ACPI / button: Fix an issue in button.lid_init_state=ignore mode")
+Reported-and-tested-by: Zhao Lijian <lijian.zhao@intel.com>
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/button.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/button.c
++++ b/drivers/acpi/button.c
+@@ -442,8 +442,11 @@ static int acpi_button_resume(struct dev
+ struct acpi_button *button = acpi_driver_data(device);
+
+ button->suspended = false;
+- if (button->type == ACPI_BUTTON_TYPE_LID)
++ if (button->type == ACPI_BUTTON_TYPE_LID) {
++ button->last_state = !!acpi_lid_evaluate_state(device);
++ button->last_time = ktime_get();
+ acpi_lid_initialize_state(device);
++ }
+ return 0;
+ }
+ #endif
diff --git a/patches.fixes/ACPI-utils-Drop-reference-in-test-for-device-presenc.patch b/patches.fixes/ACPI-utils-Drop-reference-in-test-for-device-presenc.patch
new file mode 100644
index 0000000000..6e27ead003
--- /dev/null
+++ b/patches.fixes/ACPI-utils-Drop-reference-in-test-for-device-presenc.patch
@@ -0,0 +1,35 @@
+From 54e3aca84e571559915998aa6cc05e5ac37c043b Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Mon, 18 Mar 2019 21:47:09 +0300
+Subject: [PATCH] ACPI / utils: Drop reference in test for device presence
+Git-commit: 54e3aca84e571559915998aa6cc05e5ac37c043b
+Patch-mainline: v5.1-rc2
+References: bsc#1051510
+
+When commit 8661423eea1a ("ACPI / utils: Add new acpi_dev_present
+helper") introduced acpi_dev_present(), it missed the fact that
+bus_find_device() took a reference on the device found by it and
+the callers of acpi_dev_present() don't drop that reference.
+
+Drop the reference on the device in acpi_dev_present().
+
+Fixes: 8661423eea1a ("ACPI / utils: Add new acpi_dev_present helper")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/acpi/utils.c
++++ b/drivers/acpi/utils.c
+@@ -798,6 +798,7 @@ bool acpi_dev_present(const char *hid, c
+ dev = bus_find_device(&acpi_bus_type, NULL, &match,
+ acpi_dev_present_cb);
+
++ put_device(dev);
+ return !!dev;
+ }
+ EXPORT_SYMBOL(acpi_dev_present);
diff --git a/patches.fixes/ACPICA-AML-interpreter-add-region-addresses-in-globa.patch b/patches.fixes/ACPICA-AML-interpreter-add-region-addresses-in-globa.patch
new file mode 100644
index 0000000000..87b2a9052c
--- /dev/null
+++ b/patches.fixes/ACPICA-AML-interpreter-add-region-addresses-in-globa.patch
@@ -0,0 +1,49 @@
+From 4abb951b73ff0a8a979113ef185651aa3c8da19b Mon Sep 17 00:00:00 2001
+From: Erik Schmauss <erik.schmauss@intel.com>
+Date: Wed, 17 Oct 2018 14:09:35 -0700
+Subject: [PATCH] ACPICA: AML interpreter: add region addresses in global list during initialization
+Git-commit: 4abb951b73ff0a8a979113ef185651aa3c8da19b
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+The table load process omitted adding the operation region address
+range to the global list. This omission is problematic because the OS
+queries the global list to check for address range conflicts before
+deciding which drivers to load. This commit may result in warning
+messages that look like the following:
+
+[ 7.871761] ACPI Warning: system_IO range 0x00000428-0x0000042F conflicts with op_region 0x00000400-0x0000047F (\PMIO) (20180531/utaddress-213)
+[ 7.871769] ACPI: If an ACPI driver is available for this device, you should use it instead of the native driver
+
+However, these messages do not signify regressions. It is a result of
+properly adding address ranges within the global address list.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=200011
+Tested-by: Jean-Marc Lenoir <archlinux@jihemel.com>
+Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/acpica/dsopcode.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/acpi/acpica/dsopcode.c b/drivers/acpi/acpica/dsopcode.c
+index e9fb0bf3c8d2..78f9de260d5f 100644
+--- a/drivers/acpi/acpica/dsopcode.c
++++ b/drivers/acpi/acpica/dsopcode.c
+@@ -417,6 +417,10 @@ acpi_ds_eval_region_operands(struct acpi_walk_state *walk_state,
+ ACPI_FORMAT_UINT64(obj_desc->region.address),
+ obj_desc->region.length));
+
++ status = acpi_ut_add_address_range(obj_desc->region.space_id,
++ obj_desc->region.address,
++ obj_desc->region.length, node);
++
+ /* Now the address and length are valid for this opregion */
+
+ obj_desc->region.flags |= AOPOBJ_DATA_VALID;
+--
+2.16.4
+
diff --git a/patches.fixes/ACPICA-Namespace-remove-address-node-from-global-lis.patch b/patches.fixes/ACPICA-Namespace-remove-address-node-from-global-lis.patch
new file mode 100644
index 0000000000..a60359796c
--- /dev/null
+++ b/patches.fixes/ACPICA-Namespace-remove-address-node-from-global-lis.patch
@@ -0,0 +1,66 @@
+From c5781ffbbd4f742a58263458145fe7f0ac01d9e0 Mon Sep 17 00:00:00 2001
+From: Erik Schmauss <erik.schmauss@intel.com>
+Date: Mon, 8 Apr 2019 13:42:26 -0700
+Subject: [PATCH] ACPICA: Namespace: remove address node from global list after method termination
+Git-commit: c5781ffbbd4f742a58263458145fe7f0ac01d9e0
+Patch-mainline: v5.1-rc5
+References: bsc#1051510
+
+ACPICA commit b233720031a480abd438f2e9c643080929d144c3
+
+ASL operation_regions declare a range of addresses that it uses. In a
+perfect world, the range of addresses should be used exclusively by
+the AML interpreter. The OS can use this information to decide which
+drivers to load so that the AML interpreter and device drivers use
+different regions of memory.
+
+During table load, the address information is added to a global
+address range list. Each node in this list contains an address range
+as well as a namespace node of the operation_region. This list is
+deleted at ACPI shutdown.
+
+Unfortunately, ASL operation_regions can be declared inside of control
+methods. Although this is not recommended, modern firmware contains
+such code. New module level code changes unintentionally removed the
+functionality of adding and removing nodes to the global address
+range list.
+
+A few months ago, support for adding addresses has been re-
+implemented. However, the removal of the address range list was
+missed and resulted in some systems to crash due to the address list
+containing bogus namespace nodes from operation_regions declared in
+control methods. In order to fix the crash, this change removes
+dynamic operation_regions after control method termination.
+
+Link: https://github.com/acpica/acpica/commit/b2337200
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=202475
+Fixes: 4abb951b73ff ("ACPICA: AML interpreter: add region addresses in global list during initialization")
+Reported-by: Michael J Gruber <mjg@fedoraproject.org>
+Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Cc: 4.20+ <stable@vger.kernel.org> # 4.20+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/acpica/nsobject.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/acpi/acpica/nsobject.c b/drivers/acpi/acpica/nsobject.c
+index 8638f43cfc3d..79d86da1c892 100644
+--- a/drivers/acpi/acpica/nsobject.c
++++ b/drivers/acpi/acpica/nsobject.c
+@@ -186,6 +186,10 @@ void acpi_ns_detach_object(struct acpi_namespace_node *node)
+ }
+ }
+
++ if (obj_desc->common.type == ACPI_TYPE_REGION) {
++ acpi_ut_remove_address_range(obj_desc->region.space_id, node);
++ }
++
+ /* Clear the Node entry in all cases */
+
+ node->object = NULL;
+--
+2.16.4
+
diff --git a/patches.fixes/appletalk-Fix-compile-regression.patch b/patches.fixes/appletalk-Fix-compile-regression.patch
new file mode 100644
index 0000000000..bb0bdee640
--- /dev/null
+++ b/patches.fixes/appletalk-Fix-compile-regression.patch
@@ -0,0 +1,71 @@
+From 27da0d2ef998e222a876c0cec72aa7829a626266 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 6 Mar 2019 11:52:36 +0100
+Subject: [PATCH] appletalk: Fix compile regression
+Git-commit: 27da0d2ef998e222a876c0cec72aa7829a626266
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+A bugfix just broke compilation of appletalk when CONFIG_SYSCTL
+is disabled:
+
+In file included from net/appletalk/ddp.c:65:
+Net/appletalk/ddp.c: In function 'atalk_init':
+include/linux/atalk.h:164:34: error: expected expression before 'do'
+ #define atalk_register_sysctl() do { } while(0)
+ ^~
+net/appletalk/ddp.c:1934:7: note: in expansion of macro 'atalk_register_sysctl'
+ rc = atalk_register_sysctl();
+
+This is easier to avoid by using conventional inline functions
+as stubs rather than macros. The header already has inline
+functions for other purposes, so I'm changing over all the
+macros for consistency.
+
+Fixes: 6377f787aeb9 ("appletalk: Fix use-after-free in atalk_proc_exit")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ include/linux/atalk.h | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/atalk.h b/include/linux/atalk.h
+index 5a90f28d5ff2..d5cfc0b15b76 100644
+--- a/include/linux/atalk.h
++++ b/include/linux/atalk.h
+@@ -161,16 +161,26 @@ extern int sysctl_aarp_resolve_time;
+ extern int atalk_register_sysctl(void);
+ extern void atalk_unregister_sysctl(void);
+ #else
+-#define atalk_register_sysctl() do { } while(0)
+-#define atalk_unregister_sysctl() do { } while(0)
++static inline int atalk_register_sysctl(void)
++{
++ return 0;
++}
++static inline void atalk_unregister_sysctl(void)
++{
++}
+ #endif
+
+ #ifdef CONFIG_PROC_FS
+ extern int atalk_proc_init(void);
+ extern void atalk_proc_exit(void);
+ #else
+-#define atalk_proc_init() ({ 0; })
+-#define atalk_proc_exit() do { } while(0)
++static inline int atalk_proc_init(void)
++{
++ return 0;
++}
++static inline void atalk_proc_exit(void)
++{
++}
+ #endif /* CONFIG_PROC_FS */
+
+ #endif /* __LINUX_ATALK_H__ */
+--
+2.16.4
+
diff --git a/patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch b/patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch
new file mode 100644
index 0000000000..8bb642942b
--- /dev/null
+++ b/patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch
@@ -0,0 +1,204 @@
+From 6377f787aeb945cae7abbb6474798de129e1f3ac Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Fri, 1 Mar 2019 10:57:57 +0800
+Subject: [PATCH] appletalk: Fix use-after-free in atalk_proc_exit
+Git-commit: 6377f787aeb945cae7abbb6474798de129e1f3ac
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+KASAN report this:
+
+Bug: KASAN: use-after-free in pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71
+Read of size 8 at addr ffff8881f41fe5b0 by task syz-executor.0/2806
+
+Cpu: 0 PID: 2806 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71
+ remove_proc_entry+0xe8/0x420 fs/proc/generic.c:667
+ atalk_proc_exit+0x18/0x820 [appletalk]
+ atalk_exit+0xf/0x5a [appletalk]
+ __do_sys_delete_module kernel/module.c:1018 [inline]
+ __se_sys_delete_module kernel/module.c:961 [inline]
+ __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+Rip: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+Rsp: 002b:00007fb2de6b9c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
+Rax: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+Rdx: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200001c0
+Rbp: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb2de6ba6bc
+R13: 00000000004bccaa R14: 00000000006f6bc8 R15: 00000000ffffffff
+
+Allocated by task 2806:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
+ slab_post_alloc_hook mm/slab.h:444 [inline]
+ slab_alloc_node mm/slub.c:2739 [inline]
+ slab_alloc mm/slub.c:2747 [inline]
+ kmem_cache_alloc+0xcf/0x250 mm/slub.c:2752
+ kmem_cache_zalloc include/linux/slab.h:730 [inline]
+ __proc_create+0x30f/0xa20 fs/proc/generic.c:408
+ proc_mkdir_data+0x47/0x190 fs/proc/generic.c:469
+ 0xffffffffc10c01bb
+ 0xffffffffc10c0166
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 2806:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
+ slab_free_hook mm/slub.c:1409 [inline]
+ slab_free_freelist_hook mm/slub.c:1436 [inline]
+ slab_free mm/slub.c:2986 [inline]
+ kmem_cache_free+0xa6/0x2a0 mm/slub.c:3002
+ pde_put+0x6e/0x80 fs/proc/generic.c:647
+ remove_proc_entry+0x1d3/0x420 fs/proc/generic.c:684
+ 0xffffffffc10c031c
+ 0xffffffffc10c0166
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8881f41fe500
+ which belongs to the cache proc_dir_entry of size 256
+The buggy address is located 176 bytes inside of
+ 256-byte region [ffff8881f41fe500, ffff8881f41fe600)
+The buggy address belongs to the page:
+page:ffffea0007d07f80 count:1 mapcount:0 mapping:ffff8881f6e69a00 index:0x0
+Flags: 0x2fffc0000000200(slab)
+Raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6e69a00
+Raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881f41fe480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff8881f41fe500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff8881f41fe580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881f41fe600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8881f41fe680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+It should check the return value of atalk_proc_init fails,
+otherwise atalk_exit will trgger use-after-free in pde_subdir_find
+while unload the module.This patch fix error cleanup path of atalk_init
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ include/linux/atalk.h | 2 +-
+ net/appletalk/atalk_proc.c | 2 +-
+ net/appletalk/ddp.c | 37 +++++++++++++++++++++++++++++++------
+ net/appletalk/sysctl_net_atalk.c | 5 ++++-
+ 4 files changed, 37 insertions(+), 9 deletions(-)
+
+--- a/include/linux/atalk.h
++++ b/include/linux/atalk.h
+@@ -150,7 +150,7 @@ extern int sysctl_aarp_retransmit_limit;
+ extern int sysctl_aarp_resolve_time;
+
+ #ifdef CONFIG_SYSCTL
+-extern void atalk_register_sysctl(void);
++extern int atalk_register_sysctl(void);
+ extern void atalk_unregister_sysctl(void);
+ #else
+ #define atalk_register_sysctl() do { } while(0)
+--- a/net/appletalk/atalk_proc.c
++++ b/net/appletalk/atalk_proc.c
+@@ -293,7 +293,7 @@ out_interface:
+ goto out;
+ }
+
+-void __exit atalk_proc_exit(void)
++void atalk_proc_exit(void)
+ {
+ remove_proc_entry("interface", atalk_proc_dir);
+ remove_proc_entry("route", atalk_proc_dir);
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1912,12 +1912,16 @@ static const char atalk_err_snap[] __ini
+ /* Called by proto.c on kernel start up */
+ static int __init atalk_init(void)
+ {
+- int rc = proto_register(&ddp_proto, 0);
++ int rc;
+
+- if (rc != 0)
++ rc = proto_register(&ddp_proto, 0);
++ if (rc)
+ goto out;
+
+- (void)sock_register(&atalk_family_ops);
++ rc = sock_register(&atalk_family_ops);
++ if (rc)
++ goto out_proto;
++
+ ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
+ if (!ddp_dl)
+ printk(atalk_err_snap);
+@@ -1925,12 +1929,33 @@ static int __init atalk_init(void)
+ dev_add_pack(&ltalk_packet_type);
+ dev_add_pack(&ppptalk_packet_type);
+
+- register_netdevice_notifier(&ddp_notifier);
++ rc = register_netdevice_notifier(&ddp_notifier);
++ if (rc)
++ goto out_sock;
++
+ aarp_proto_init();
+- atalk_proc_init();
+- atalk_register_sysctl();
++ rc = atalk_proc_init();
++ if (rc)
++ goto out_aarp;
++
++ rc = atalk_register_sysctl();
++ if (rc)
++ goto out_proc;
+ out:
+ return rc;
++out_proc:
++ atalk_proc_exit();
++out_aarp:
++ aarp_cleanup_module();
++ unregister_netdevice_notifier(&ddp_notifier);
++out_sock:
++ dev_remove_pack(&ppptalk_packet_type);
++ dev_remove_pack(&ltalk_packet_type);
++ unregister_snap_client(ddp_dl);
++ sock_unregister(PF_APPLETALK);
++out_proto:
++ proto_unregister(&ddp_proto);
++ goto out;
+ }
+ module_init(atalk_init);
+
+--- a/net/appletalk/sysctl_net_atalk.c
++++ b/net/appletalk/sysctl_net_atalk.c
+@@ -44,9 +44,12 @@ static struct ctl_table atalk_table[] =
+
+ static struct ctl_table_header *atalk_table_header;
+
+-void atalk_register_sysctl(void)
++int __init atalk_register_sysctl(void)
+ {
+ atalk_table_header = register_net_sysctl(&init_net, "net/appletalk", atalk_table);
++ if (!atalk_table_header)
++ return -ENOMEM;
++ return 0;
+ }
+
+ void atalk_unregister_sysctl(void)
diff --git a/patches.fixes/configfs-fix-possible-use-after-free-in-configfs_reg.patch b/patches.fixes/configfs-fix-possible-use-after-free-in-configfs_reg.patch
new file mode 100644
index 0000000000..d1317a9a1e
--- /dev/null
+++ b/patches.fixes/configfs-fix-possible-use-after-free-in-configfs_reg.patch
@@ -0,0 +1,134 @@
+From 35399f87e271f7cf3048eab00a421a6519ac8441 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Sun, 5 May 2019 11:03:12 +0800
+Subject: [PATCH] configfs: fix possible use-after-free in configfs_register_group
+Git-commit: 35399f87e271f7cf3048eab00a421a6519ac8441
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+In configfs_register_group(), if create_default_group() failed, we
+forget to unlink the group. It will left a invalid item in the parent list,
+which may trigger the use-after-free issue seen below:
+
+Bug: KASAN: use-after-free in __list_add_valid+0xd4/0xe0 lib/list_debug.c:26
+Read of size 8 at addr ffff8881ef61ae20 by task syz-executor.0/5996
+
+Cpu: 1 PID: 5996 Comm: syz-executor.0 Tainted: G C 5.0.0+ #5
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xa9/0x10e lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ __list_add_valid+0xd4/0xe0 lib/list_debug.c:26
+ __list_add include/linux/list.h:60 [inline]
+ list_add_tail include/linux/list.h:93 [inline]
+ link_obj+0xb0/0x190 fs/configfs/dir.c:759
+ link_group+0x1c/0x130 fs/configfs/dir.c:784
+ configfs_register_group+0x56/0x1e0 fs/configfs/dir.c:1751
+ configfs_register_default_group+0x72/0xc0 fs/configfs/dir.c:1834
+ ? 0xffffffffc1be0000
+ iio_sw_trigger_init+0x23/0x1000 [industrialio_sw_trigger]
+ do_one_initcall+0xbc/0x47d init/main.c:887
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+Rip: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+Rsp: 002b:00007f494ecbcc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+Rax: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+Rdx: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
+Rbp: 00007f494ecbcc70 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f494ecbd6bc
+R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
+
+Allocated by task 5987:
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:497
+ kmalloc include/linux/slab.h:545 [inline]
+ kzalloc include/linux/slab.h:740 [inline]
+ configfs_register_default_group+0x4c/0xc0 fs/configfs/dir.c:1829
+ 0xffffffffc1bd0023
+ do_one_initcall+0xbc/0x47d init/main.c:887
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 5987:
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
+ slab_free_hook mm/slub.c:1429 [inline]
+ slab_free_freelist_hook mm/slub.c:1456 [inline]
+ slab_free mm/slub.c:3003 [inline]
+ kfree+0xe1/0x270 mm/slub.c:3955
+ configfs_register_default_group+0x9a/0xc0 fs/configfs/dir.c:1836
+ 0xffffffffc1bd0023
+ do_one_initcall+0xbc/0x47d init/main.c:887
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8881ef61ae00
+ which belongs to the cache kmalloc-192 of size 192
+The buggy address is located 32 bytes inside of
+ 192-byte region [ffff8881ef61ae00, ffff8881ef61aec0)
+The buggy address belongs to the page:
+page:ffffea0007bd8680 count:1 mapcount:0 mapping:ffff8881f6c03000 index:0xffff8881ef61a700
+Flags: 0x2fffc0000000200(slab)
+Raw: 02fffc0000000200 ffffea0007ca4740 0000000500000005 ffff8881f6c03000
+Raw: ffff8881ef61a700 000000008010000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881ef61ad00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8881ef61ad80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
+>ffff8881ef61ae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881ef61ae80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8881ef61af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: 5cf6a51e6062 ("configfs: allow dynamic group creation")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/configfs/dir.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
+index 39843fa7e11b..920d350df37b 100644
+--- a/fs/configfs/dir.c
++++ b/fs/configfs/dir.c
+@@ -1755,12 +1755,19 @@ int configfs_register_group(struct config_group *parent_group,
+
+ inode_lock_nested(d_inode(parent), I_MUTEX_PARENT);
+ ret = create_default_group(parent_group, group);
+- if (!ret) {
+- spin_lock(&configfs_dirent_lock);
+- configfs_dir_set_ready(group->cg_item.ci_dentry->d_fsdata);
+- spin_unlock(&configfs_dirent_lock);
+- }
++ if (ret)
++ goto err_out;
++
++ spin_lock(&configfs_dirent_lock);
++ configfs_dir_set_ready(group->cg_item.ci_dentry->d_fsdata);
++ spin_unlock(&configfs_dirent_lock);
++ inode_unlock(d_inode(parent));
++ return 0;
++err_out:
+ inode_unlock(d_inode(parent));
++ mutex_lock(&subsys->su_mutex);
++ unlink_group(group);
++ mutex_unlock(&subsys->su_mutex);
+ return ret;
+ }
+ EXPORT_SYMBOL(configfs_register_group);
+--
+2.16.4
+
diff --git a/patches.fixes/crypto-caam-fix-caam_dump_sg-that-iterates-through-s.patch b/patches.fixes/crypto-caam-fix-caam_dump_sg-that-iterates-through-s.patch
new file mode 100644
index 0000000000..9eb3e1cf24
--- /dev/null
+++ b/patches.fixes/crypto-caam-fix-caam_dump_sg-that-iterates-through-s.patch
@@ -0,0 +1,40 @@
+From 8c65d35435e8cbfdf953cafe5ebe3648ee9276a2 Mon Sep 17 00:00:00 2001
+From: Iuliana Prodan <iuliana.prodan@nxp.com>
+Date: Tue, 7 May 2019 16:37:03 +0300
+Subject: [PATCH] crypto: caam - fix caam_dump_sg that iterates through scatterlist
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 8c65d35435e8cbfdf953cafe5ebe3648ee9276a2
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Fix caam_dump_sg by correctly determining the next scatterlist
+entry in the list.
+
+Fixes: 5ecf8ef9103c ("crypto: caam - fix sg dump")
+Signed-off-by: Iuliana Prodan <iuliana.prodan@nxp.com>
+Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/crypto/caam/error.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/caam/error.c b/drivers/crypto/caam/error.c
+index a4129a35a330..4da844e4b61d 100644
+--- a/drivers/crypto/caam/error.c
++++ b/drivers/crypto/caam/error.c
+@@ -22,7 +22,7 @@ void caam_dump_sg(const char *level, const char *prefix_str, int prefix_type,
+ size_t len;
+ void *buf;
+
+- for (it = sg; it && tlen > 0 ; it = sg_next(sg)) {
++ for (it = sg; it && tlen > 0 ; it = sg_next(it)) {
+ /*
+ * make sure the scatterlist's page
+ * has a valid virtual memory mapping
+--
+2.16.4
+
diff --git a/patches.fixes/devres-Align-data-to-ARCH_KMALLOC_MINALIGN.patch b/patches.fixes/devres-Align-data-to-ARCH_KMALLOC_MINALIGN.patch
new file mode 100644
index 0000000000..97316dd307
--- /dev/null
+++ b/patches.fixes/devres-Align-data-to-ARCH_KMALLOC_MINALIGN.patch
@@ -0,0 +1,62 @@
+From a66d972465d15b1d89281258805eb8b47d66bd36 Mon Sep 17 00:00:00 2001
+From: Alexey Brodkin <alexey.brodkin@synopsys.com>
+Date: Wed, 31 Oct 2018 18:25:47 +0300
+Subject: [PATCH] devres: Align data[] to ARCH_KMALLOC_MINALIGN
+Git-commit: a66d972465d15b1d89281258805eb8b47d66bd36
+Patch-mainline: v4.20-rc5
+References: bsc#1051510
+
+Initially we bumped into problem with 32-bit aligned atomic64_t
+on ARC, see [1]. And then during quite lengthly discussion Peter Z.
+mentioned ARCH_KMALLOC_MINALIGN which IMHO makes perfect sense.
+If allocation is done by plain kmalloc() obtained buffer will be
+ARCH_KMALLOC_MINALIGN aligned and then why buffer obtained via
+devm_kmalloc() should have any other alignment?
+
+This way we at least get the same behavior for both types of
+allocation.
+
+[1] http://lists.infradead.org/pipermail/linux-snps-arc/2018-July/004009.html
+[2] http://lists.infradead.org/pipermail/linux-snps-arc/2018-July/004036.html
+
+Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: David Laight <David.Laight@ACULAB.COM>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vineet Gupta <vgupta@synopsys.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Greg KH <greg@kroah.com>
+Cc: <stable@vger.kernel.org> # 4.8+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/base/devres.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/base/devres.c b/drivers/base/devres.c
+index 4aaf00d2098b..e038e2b3b7ea 100644
+--- a/drivers/base/devres.c
++++ b/drivers/base/devres.c
+@@ -26,8 +26,14 @@ struct devres_node {
+
+ struct devres {
+ struct devres_node node;
+- /* -- 3 pointers */
+- unsigned long long data[]; /* guarantee ull alignment */
++ /*
++ * Some archs want to perform DMA into kmalloc caches
++ * and need a guaranteed alignment larger than
++ * the alignment of a 64-bit integer.
++ * Thus we use ARCH_KMALLOC_MINALIGN here and get exactly the same
++ * buffer alignment as if it was allocated by plain kmalloc().
++ */
++ u8 __aligned(ARCH_KMALLOC_MINALIGN) data[];
+ };
+
+ struct devres_group {
+--
+2.16.4
+
diff --git a/patches.fixes/mISDN-Check-address-length-before-reading-address-fa.patch b/patches.fixes/mISDN-Check-address-length-before-reading-address-fa.patch
new file mode 100644
index 0000000000..81d467cd9f
--- /dev/null
+++ b/patches.fixes/mISDN-Check-address-length-before-reading-address-fa.patch
@@ -0,0 +1,39 @@
+From 238ffdc49ef98b15819cfd5e3fb23194e3ea3d39 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 12 Apr 2019 19:52:36 +0900
+Subject: [PATCH] mISDN: Check address length before reading address family
+Git-commit: 238ffdc49ef98b15819cfd5e3fb23194e3ea3d39
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+KMSAN will complain if valid address length passed to bind() is shorter
+than sizeof("struct sockaddr_mISDN"->family) bytes.
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/isdn/mISDN/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c
+index 4ab8b1b6608f..a14e35d40538 100644
+--- a/drivers/isdn/mISDN/socket.c
++++ b/drivers/isdn/mISDN/socket.c
+@@ -710,10 +710,10 @@ base_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
+ struct sock *sk = sock->sk;
+ int err = 0;
+
+- if (!maddr || maddr->family != AF_ISDN)
++ if (addr_len < sizeof(struct sockaddr_mISDN))
+ return -EINVAL;
+
+- if (addr_len < sizeof(struct sockaddr_mISDN))
++ if (!maddr || maddr->family != AF_ISDN)
+ return -EINVAL;
+
+ lock_sock(sk);
+--
+2.16.4
+
diff --git a/patches.fixes/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch b/patches.fixes/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch
new file mode 100644
index 0000000000..cf21e90f94
--- /dev/null
+++ b/patches.fixes/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch
@@ -0,0 +1,49 @@
+From eb9b64e3a9f8483e6e54f4e03b2ae14ae5db2690 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Sat, 16 Mar 2019 18:06:31 +0100
+Subject: [PATCH] mac80211: fix memory accounting with A-MSDU aggregation
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: eb9b64e3a9f8483e6e54f4e03b2ae14ae5db2690
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+skb->truesize can change due to memory reallocation or when adding extra
+fragments. Adjust fq->memory_usage accordingly
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/mac80211/tx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3118,6 +3118,7 @@ static bool ieee80211_amsdu_aggregate(st
+ u8 max_subframes = sta->sta.max_amsdu_subframes;
+ int max_frags = local->hw.max_tx_fragments;
+ int max_amsdu_len = sta->sta.max_amsdu_len;
++ int orig_truesize;
+ __be16 len;
+ void *data;
+ bool ret = false;
+@@ -3151,6 +3152,7 @@ static bool ieee80211_amsdu_aggregate(st
+ if (!head)
+ goto out;
+
++ orig_truesize = head->truesize;
+ orig_len = head->len;
+
+ if (skb->len + head->len > max_amsdu_len)
+@@ -3205,6 +3207,7 @@ static bool ieee80211_amsdu_aggregate(st
+ *frag_tail = skb;
+
+ out_recalc:
++ fq->memory_usage += head->truesize - orig_truesize;
+ if (head->len != orig_len) {
+ flow->backlog += head->len - orig_len;
+ tin->backlog_bytes += head->len - orig_len;
diff --git a/patches.fixes/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch b/patches.fixes/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch
new file mode 100644
index 0000000000..24494157bd
--- /dev/null
+++ b/patches.fixes/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch
@@ -0,0 +1,35 @@
+From 40586e3fc400c00c11151804dcdc93f8c831c808 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Wed, 13 Mar 2019 18:54:27 +0100
+Subject: [PATCH] mac80211: fix unaligned access in mesh table hash function
+Git-commit: 40586e3fc400c00c11151804dcdc93f8c831c808
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+The pointer to the last four bytes of the address is not guaranteed to be
+aligned, so we need to use __get_unaligned_cpu32 here
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/mac80211/mesh_pathtbl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
+index 95eb5064fa91..b76a2aefa9ec 100644
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -23,7 +23,7 @@ static void mesh_path_free_rcu(struct mesh_table *tbl, struct mesh_path *mpath);
+ static u32 mesh_table_hash(const void *addr, u32 len, u32 seed)
+ {
+ /* Use last four bytes of hw addr as hash index */
+- return jhash_1word(*(u32 *)(addr+2), seed);
++ return jhash_1word(__get_unaligned_cpu32((u8 *)addr + 2), seed);
+ }
+
+ static const struct rhashtable_params mesh_rht_params = {
+--
+2.16.4
+
diff --git a/patches.fixes/nl80211-Add-NL80211_FLAG_CLEAR_SKB-flag-for-other-NL.patch b/patches.fixes/nl80211-Add-NL80211_FLAG_CLEAR_SKB-flag-for-other-NL.patch
new file mode 100644
index 0000000000..bff32a3c7b
--- /dev/null
+++ b/patches.fixes/nl80211-Add-NL80211_FLAG_CLEAR_SKB-flag-for-other-NL.patch
@@ -0,0 +1,85 @@
+From d6db02a88a4aaa1cd7105137c67ddec7f3bdbc05 Mon Sep 17 00:00:00 2001
+From: Sunil Dutt <usdutt@codeaurora.org>
+Date: Mon, 25 Feb 2019 15:37:20 +0530
+Subject: [PATCH] nl80211: Add NL80211_FLAG_CLEAR_SKB flag for other NL commands
+Git-commit: d6db02a88a4aaa1cd7105137c67ddec7f3bdbc05
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+This commit adds NL80211_FLAG_CLEAR_SKB flag to other NL commands
+that carry key data to ensure they do not stick around on heap
+after the SKB is freed.
+
+Also introduced this flag for NL80211_CMD_VENDOR as there are sub
+commands which configure the keys.
+
+Signed-off-by: Sunil Dutt <usdutt@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/wireless/nl80211.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -12682,7 +12682,8 @@ static const struct genl_ops nl80211_ops
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_DEAUTHENTICATE,
+@@ -12733,7 +12734,8 @@ static const struct genl_ops nl80211_ops
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
+@@ -12741,7 +12743,8 @@ static const struct genl_ops nl80211_ops
+ .policy = nl80211_policy,
+ .flags = GENL_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_DISCONNECT,
+@@ -12770,7 +12773,8 @@ static const struct genl_ops nl80211_ops
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_DEL_PMKSA,
+@@ -13122,7 +13126,8 @@ static const struct genl_ops nl80211_ops
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_WIPHY |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_SET_QOS_MAP,
+@@ -13162,7 +13167,8 @@ static const struct genl_ops nl80211_ops
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
diff --git a/patches.fixes/team-set-slave-to-promisc-if-team-is-already-in-prom.patch b/patches.fixes/team-set-slave-to-promisc-if-team-is-already-in-prom.patch
new file mode 100644
index 0000000000..78382650bd
--- /dev/null
+++ b/patches.fixes/team-set-slave-to-promisc-if-team-is-already-in-prom.patch
@@ -0,0 +1,78 @@
+From 43c2adb9df7ddd6560fd3546d925b42cef92daa0 Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Mon, 8 Apr 2019 16:45:17 +0800
+Subject: [PATCH] team: set slave to promisc if team is already in promisc mode
+Git-commit: 43c2adb9df7ddd6560fd3546d925b42cef92daa0
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+After adding a team interface to bridge, the team interface will enter
+promisc mode. Then if we add a new slave to team0, the slave will keep
+promisc off. Fix it by setting slave to promisc on if team master is
+already in promisc mode, also do the same for allmulti.
+
+V2: add promisc and allmulti checking when delete ports
+
+Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/team/team.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index 6ed96fdfd96d..9ce61b019aad 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1246,6 +1246,23 @@ static int team_port_add(struct team *team, struct net_device *port_dev,
+ goto err_option_port_add;
+ }
+
++ /* set promiscuity level to new slave */
++ if (dev->flags & IFF_PROMISC) {
++ err = dev_set_promiscuity(port_dev, 1);
++ if (err)
++ goto err_set_slave_promisc;
++ }
++
++ /* set allmulti level to new slave */
++ if (dev->flags & IFF_ALLMULTI) {
++ err = dev_set_allmulti(port_dev, 1);
++ if (err) {
++ if (dev->flags & IFF_PROMISC)
++ dev_set_promiscuity(port_dev, -1);
++ goto err_set_slave_promisc;
++ }
++ }
++
+ netif_addr_lock_bh(dev);
+ dev_uc_sync_multiple(port_dev, dev);
+ dev_mc_sync_multiple(port_dev, dev);
+@@ -1262,6 +1279,9 @@ static int team_port_add(struct team *team, struct net_device *port_dev,
+
+ return 0;
+
++err_set_slave_promisc:
++ __team_option_inst_del_port(team, port);
++
+ err_option_port_add:
+ team_upper_dev_unlink(team, port);
+
+@@ -1307,6 +1327,12 @@ static int team_port_del(struct team *team, struct net_device *port_dev)
+
+ team_port_disable(team, port);
+ list_del_rcu(&port->list);
++
++ if (dev->flags & IFF_PROMISC)
++ dev_set_promiscuity(port_dev, -1);
++ if (dev->flags & IFF_ALLMULTI)
++ dev_set_allmulti(port_dev, -1);
++
+ team_upper_dev_unlink(team, port);
+ netdev_rx_handler_unregister(port_dev);
+ team_port_disable_netpoll(port);
+--
+2.16.4
+
diff --git a/patches.fixes/vt-always-call-notifier-with-the-console-lock-held.patch b/patches.fixes/vt-always-call-notifier-with-the-console-lock-held.patch
new file mode 100644
index 0000000000..59e2139795
--- /dev/null
+++ b/patches.fixes/vt-always-call-notifier-with-the-console-lock-held.patch
@@ -0,0 +1,32 @@
+From 7e1d226345f89ad5d0216a9092c81386c89b4983 Mon Sep 17 00:00:00 2001
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+Date: Tue, 8 Jan 2019 22:55:00 -0500
+Subject: [PATCH] vt: always call notifier with the console lock held
+Git-commit: 7e1d226345f89ad5d0216a9092c81386c89b4983
+Patch-mainline: v5.0-rc4
+References: bsc#1051510
+
+Every invocation of notify_write() and notify_update() is performed
+under the console lock, except for one case. Let's fix that.
+
+Signed-off-by: Nicolas Pitre <nico@linaro.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/tty/vt/vt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -2435,8 +2435,8 @@ rescan_last_byte:
+ }
+ con_flush(vc, draw_from, draw_to, &draw_x);
+ console_conditional_schedule();
+- console_unlock();
+ notify_update(vc);
++ console_unlock();
+ return n;
+ }
+
diff --git a/patches.fixes/xfs-check-_btree_check_block-value.patch b/patches.fixes/xfs-check-_btree_check_block-value.patch
new file mode 100644
index 0000000000..a5d0edf4c8
--- /dev/null
+++ b/patches.fixes/xfs-check-_btree_check_block-value.patch
@@ -0,0 +1,49 @@
+From 1e86eabe73b73c82e1110c746ed3ec6d5e1c0a0d Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Mon, 17 Jul 2017 14:30:45 -0700
+Subject: [PATCH] xfs: check _btree_check_block value
+Git-commit: 1e86eabe73b73c82e1110c746ed3ec6d5e1c0a0d
+Patch-mainline: v4.13-rc3
+References: bsc#1123663
+
+Check the _btree_check_block return value for the firstrec and lastrec
+functions, since we have the ability to signal that the repositioning
+did not succeed.
+
+Fixes-coverity-id: 114067
+Fixes-coverity-id: 114068
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_btree.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_btree.c b/fs/xfs/libxfs/xfs_btree.c
+index 4da85fff69ad..e0bcc4a59efd 100644
+--- a/fs/xfs/libxfs/xfs_btree.c
++++ b/fs/xfs/libxfs/xfs_btree.c
+@@ -728,7 +728,8 @@ xfs_btree_firstrec(
+ * Get the block pointer for this level.
+ */
+ block = xfs_btree_get_block(cur, level, &bp);
+- xfs_btree_check_block(cur, block, level, bp);
++ if (xfs_btree_check_block(cur, block, level, bp))
++ return 0;
+ /*
+ * It's empty, there is no such record.
+ */
+@@ -757,7 +758,8 @@ xfs_btree_lastrec(
+ * Get the block pointer for this level.
+ */
+ block = xfs_btree_get_block(cur, level, &bp);
+- xfs_btree_check_block(cur, block, level, bp);
++ if (xfs_btree_check_block(cur, block, level, bp))
++ return 0;
+ /*
+ * It's empty, there is no such record.
+ */
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-create-block-pointer-check-functions.patch b/patches.fixes/xfs-create-block-pointer-check-functions.patch
new file mode 100644
index 0000000000..c4c84d8308
--- /dev/null
+++ b/patches.fixes/xfs-create-block-pointer-check-functions.patch
@@ -0,0 +1,137 @@
+From 21ec54168b368f1a98097dee00625ec8ec2d47f3 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 17 Oct 2017 21:37:32 -0700
+Subject: [PATCH] xfs: create block pointer check functions
+Git-commit: 21ec54168b368f1a98097dee00625ec8ec2d47f3
+Patch-mainline: v4.15-rc1
+References: bsc#1123663
+
+Create some helper functions to check that a block pointer points
+within the filesystem (or AG) and doesn't point at static metadata.
+We will use this for scrub.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_alloc.c | 49 ++++++++++++++++++++++++++++++++++++++++++++
+ fs/xfs/libxfs/xfs_alloc.h | 4 ++++
+ fs/xfs/libxfs/xfs_rtbitmap.c | 12 +++++++++++
+ fs/xfs/xfs_rtalloc.h | 2 ++
+ 4 files changed, 67 insertions(+)
+
+diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c
+index f965ce832bc0..11c01e2668bf 100644
+--- a/fs/xfs/libxfs/xfs_alloc.c
++++ b/fs/xfs/libxfs/xfs_alloc.c
+@@ -2931,3 +2931,52 @@ xfs_alloc_query_all(
+ query.fn = fn;
+ return xfs_btree_query_all(cur, xfs_alloc_query_range_helper, &query);
+ }
++
++/* Find the size of the AG, in blocks. */
++xfs_agblock_t
++xfs_ag_block_count(
++ struct xfs_mount *mp,
++ xfs_agnumber_t agno)
++{
++ ASSERT(agno < mp->m_sb.sb_agcount);
++
++ if (agno < mp->m_sb.sb_agcount - 1)
++ return mp->m_sb.sb_agblocks;
++ return mp->m_sb.sb_dblocks - (agno * mp->m_sb.sb_agblocks);
++}
++
++/*
++ * Verify that an AG block number pointer neither points outside the AG
++ * nor points at static metadata.
++ */
++bool
++xfs_verify_agbno(
++ struct xfs_mount *mp,
++ xfs_agnumber_t agno,
++ xfs_agblock_t agbno)
++{
++ xfs_agblock_t eoag;
++
++ eoag = xfs_ag_block_count(mp, agno);
++ if (agbno >= eoag)
++ return false;
++ if (agbno <= XFS_AGFL_BLOCK(mp))
++ return false;
++ return true;
++}
++
++/*
++ * Verify that an FS block number pointer neither points outside the
++ * filesystem nor points at static AG metadata.
++ */
++bool
++xfs_verify_fsbno(
++ struct xfs_mount *mp,
++ xfs_fsblock_t fsbno)
++{
++ xfs_agnumber_t agno = XFS_FSB_TO_AGNO(mp, fsbno);
++
++ if (agno >= mp->m_sb.sb_agcount)
++ return false;
++ return xfs_verify_agbno(mp, agno, XFS_FSB_TO_AGBNO(mp, fsbno));
++}
+diff --git a/fs/xfs/libxfs/xfs_alloc.h b/fs/xfs/libxfs/xfs_alloc.h
+index ef26edc2e938..7ba2d129d504 100644
+--- a/fs/xfs/libxfs/xfs_alloc.h
++++ b/fs/xfs/libxfs/xfs_alloc.h
+@@ -232,5 +232,9 @@ int xfs_alloc_query_range(struct xfs_btree_cur *cur,
+ xfs_alloc_query_range_fn fn, void *priv);
+ int xfs_alloc_query_all(struct xfs_btree_cur *cur, xfs_alloc_query_range_fn fn,
+ void *priv);
++xfs_agblock_t xfs_ag_block_count(struct xfs_mount *mp, xfs_agnumber_t agno);
++bool xfs_verify_agbno(struct xfs_mount *mp, xfs_agnumber_t agno,
++ xfs_agblock_t agbno);
++bool xfs_verify_fsbno(struct xfs_mount *mp, xfs_fsblock_t fsbno);
+
+ #endif /* __XFS_ALLOC_H__ */
+diff --git a/fs/xfs/libxfs/xfs_rtbitmap.c b/fs/xfs/libxfs/xfs_rtbitmap.c
+index 5d4e43ef4eea..4523a92d5507 100644
+--- a/fs/xfs/libxfs/xfs_rtbitmap.c
++++ b/fs/xfs/libxfs/xfs_rtbitmap.c
+@@ -1086,3 +1086,15 @@ xfs_rtalloc_query_all(
+
+ return xfs_rtalloc_query_range(tp, &keys[0], &keys[1], fn, priv);
+ }
++
++/*
++ * Verify that an realtime block number pointer doesn't point off the
++ * end of the realtime device.
++ */
++bool
++xfs_verify_rtbno(
++ struct xfs_mount *mp,
++ xfs_rtblock_t rtbno)
++{
++ return rtbno < mp->m_sb.sb_rblocks;
++}
+diff --git a/fs/xfs/xfs_rtalloc.h b/fs/xfs/xfs_rtalloc.h
+index 79defa722bf1..3f30f846d7f2 100644
+--- a/fs/xfs/xfs_rtalloc.h
++++ b/fs/xfs/xfs_rtalloc.h
+@@ -138,6 +138,7 @@ int xfs_rtalloc_query_range(struct xfs_trans *tp,
+ int xfs_rtalloc_query_all(struct xfs_trans *tp,
+ xfs_rtalloc_query_range_fn fn,
+ void *priv);
++bool xfs_verify_rtbno(struct xfs_mount *mp, xfs_rtblock_t rtbno);
+ #else
+ # define xfs_rtallocate_extent(t,b,min,max,l,f,p,rb) (ENOSYS)
+ # define xfs_rtfree_extent(t,b,l) (ENOSYS)
+@@ -146,6 +147,7 @@ int xfs_rtalloc_query_all(struct xfs_trans *tp,
+ # define xfs_rtalloc_query_range(t,l,h,f,p) (ENOSYS)
+ # define xfs_rtalloc_query_all(t,f,p) (ENOSYS)
+ # define xfs_rtbuf_get(m,t,b,i,p) (ENOSYS)
++# define xfs_verify_rtbno(m, r) (false)
+ static inline int /* error */
+ xfs_rtmount_init(
+ xfs_mount_t *mp) /* file system mount structure */
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-export-various-function-for-the-online-scrubber.patch b/patches.fixes/xfs-export-various-function-for-the-online-scrubber.patch
new file mode 100644
index 0000000000..efc78e3892
--- /dev/null
+++ b/patches.fixes/xfs-export-various-function-for-the-online-scrubber.patch
@@ -0,0 +1,277 @@
+From 2678809799e6e37db0800725157f5ebfc03a9df7 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Fri, 16 Jun 2017 11:00:07 -0700
+Subject: [PATCH] xfs: export various function for the online scrubber
+Git-commit: 2678809799e6e37db0800725157f5ebfc03a9df7
+Patch-mainline: v4.13-rc1
+References: bsc#1123663
+
+Export various internal functions so that the online scrubber can use
+them to check the state of metadata.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_alloc.c | 2 +-
+ fs/xfs/libxfs/xfs_alloc.h | 2 ++
+ fs/xfs/libxfs/xfs_btree.c | 12 ++++++------
+ fs/xfs/libxfs/xfs_btree.h | 13 +++++++++++++
+ fs/xfs/libxfs/xfs_dir2_leaf.c | 2 +-
+ fs/xfs/libxfs/xfs_dir2_priv.h | 2 ++
+ fs/xfs/libxfs/xfs_inode_buf.c | 2 +-
+ fs/xfs/libxfs/xfs_inode_buf.h | 3 +++
+ fs/xfs/libxfs/xfs_rmap.c | 3 ++-
+ fs/xfs/libxfs/xfs_rmap.h | 3 +++
+ fs/xfs/libxfs/xfs_rtbitmap.c | 2 +-
+ fs/xfs/xfs_itable.c | 2 +-
+ fs/xfs/xfs_itable.h | 2 ++
+ fs/xfs/xfs_rtalloc.h | 3 +++
+ 14 files changed, 41 insertions(+), 12 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c
+index 7486401ccbd3..fefa8daa1c36 100644
+--- a/fs/xfs/libxfs/xfs_alloc.c
++++ b/fs/xfs/libxfs/xfs_alloc.c
+@@ -606,7 +606,7 @@ const struct xfs_buf_ops xfs_agfl_buf_ops = {
+ /*
+ * Read in the allocation group free block array.
+ */
+-STATIC int /* error */
++int /* error */
+ xfs_alloc_read_agfl(
+ xfs_mount_t *mp, /* mount point structure */
+ xfs_trans_t *tp, /* transaction pointer */
+diff --git a/fs/xfs/libxfs/xfs_alloc.h b/fs/xfs/libxfs/xfs_alloc.h
+index 77d9c27330ab..ef26edc2e938 100644
+--- a/fs/xfs/libxfs/xfs_alloc.h
++++ b/fs/xfs/libxfs/xfs_alloc.h
+@@ -213,6 +213,8 @@ xfs_alloc_get_rec(
+
+ int xfs_read_agf(struct xfs_mount *mp, struct xfs_trans *tp,
+ xfs_agnumber_t agno, int flags, struct xfs_buf **bpp);
++int xfs_alloc_read_agfl(struct xfs_mount *mp, struct xfs_trans *tp,
++ xfs_agnumber_t agno, struct xfs_buf **bpp);
+ int xfs_alloc_fix_freelist(struct xfs_alloc_arg *args, int flags);
+ int xfs_free_extent_fix_freelist(struct xfs_trans *tp, xfs_agnumber_t agno,
+ struct xfs_buf **agbp);
+diff --git a/fs/xfs/libxfs/xfs_btree.c b/fs/xfs/libxfs/xfs_btree.c
+index 2aac3f499d97..2f8075aa8725 100644
+--- a/fs/xfs/libxfs/xfs_btree.c
++++ b/fs/xfs/libxfs/xfs_btree.c
+@@ -568,7 +568,7 @@ xfs_btree_ptr_offset(
+ /*
+ * Return a pointer to the n-th record in the btree block.
+ */
+-STATIC union xfs_btree_rec *
++union xfs_btree_rec *
+ xfs_btree_rec_addr(
+ struct xfs_btree_cur *cur,
+ int n,
+@@ -581,7 +581,7 @@ xfs_btree_rec_addr(
+ /*
+ * Return a pointer to the n-th key in the btree block.
+ */
+-STATIC union xfs_btree_key *
++union xfs_btree_key *
+ xfs_btree_key_addr(
+ struct xfs_btree_cur *cur,
+ int n,
+@@ -594,7 +594,7 @@ xfs_btree_key_addr(
+ /*
+ * Return a pointer to the n-th high key in the btree block.
+ */
+-STATIC union xfs_btree_key *
++union xfs_btree_key *
+ xfs_btree_high_key_addr(
+ struct xfs_btree_cur *cur,
+ int n,
+@@ -607,7 +607,7 @@ xfs_btree_high_key_addr(
+ /*
+ * Return a pointer to the n-th block pointer in the btree block.
+ */
+-STATIC union xfs_btree_ptr *
++union xfs_btree_ptr *
+ xfs_btree_ptr_addr(
+ struct xfs_btree_cur *cur,
+ int n,
+@@ -641,7 +641,7 @@ xfs_btree_get_iroot(
+ * Retrieve the block pointer from the cursor at the given level.
+ * This may be an inode btree root or from a buffer.
+ */
+-STATIC struct xfs_btree_block * /* generic btree block pointer */
++struct xfs_btree_block * /* generic btree block pointer */
+ xfs_btree_get_block(
+ struct xfs_btree_cur *cur, /* btree cursor */
+ int level, /* level in btree */
+@@ -1756,7 +1756,7 @@ xfs_btree_decrement(
+ return error;
+ }
+
+-STATIC int
++int
+ xfs_btree_lookup_get_block(
+ struct xfs_btree_cur *cur, /* btree cursor */
+ int level, /* level in the btree */
+diff --git a/fs/xfs/libxfs/xfs_btree.h b/fs/xfs/libxfs/xfs_btree.h
+index 177a364ce5cf..9c95e965cfe5 100644
+--- a/fs/xfs/libxfs/xfs_btree.h
++++ b/fs/xfs/libxfs/xfs_btree.h
+@@ -504,4 +504,17 @@ int xfs_btree_visit_blocks(struct xfs_btree_cur *cur,
+
+ int xfs_btree_count_blocks(struct xfs_btree_cur *cur, xfs_extlen_t *blocks);
+
++union xfs_btree_rec *xfs_btree_rec_addr(struct xfs_btree_cur *cur, int n,
++ struct xfs_btree_block *block);
++union xfs_btree_key *xfs_btree_key_addr(struct xfs_btree_cur *cur, int n,
++ struct xfs_btree_block *block);
++union xfs_btree_key *xfs_btree_high_key_addr(struct xfs_btree_cur *cur, int n,
++ struct xfs_btree_block *block);
++union xfs_btree_ptr *xfs_btree_ptr_addr(struct xfs_btree_cur *cur, int n,
++ struct xfs_btree_block *block);
++int xfs_btree_lookup_get_block(struct xfs_btree_cur *cur, int level,
++ union xfs_btree_ptr *pp, struct xfs_btree_block **blkp);
++struct xfs_btree_block *xfs_btree_get_block(struct xfs_btree_cur *cur,
++ int level, struct xfs_buf **bpp);
++
+ #endif /* __XFS_BTREE_H__ */
+diff --git a/fs/xfs/libxfs/xfs_dir2_leaf.c b/fs/xfs/libxfs/xfs_dir2_leaf.c
+index 68bf3e860a90..7002024a5d0d 100644
+--- a/fs/xfs/libxfs/xfs_dir2_leaf.c
++++ b/fs/xfs/libxfs/xfs_dir2_leaf.c
+@@ -256,7 +256,7 @@ const struct xfs_buf_ops xfs_dir3_leafn_buf_ops = {
+ .verify_write = xfs_dir3_leafn_write_verify,
+ };
+
+-static int
++int
+ xfs_dir3_leaf_read(
+ struct xfs_trans *tp,
+ struct xfs_inode *dp,
+diff --git a/fs/xfs/libxfs/xfs_dir2_priv.h b/fs/xfs/libxfs/xfs_dir2_priv.h
+index 011df4da6cc2..576f2d267fa7 100644
+--- a/fs/xfs/libxfs/xfs_dir2_priv.h
++++ b/fs/xfs/libxfs/xfs_dir2_priv.h
+@@ -58,6 +58,8 @@ extern int xfs_dir3_data_init(struct xfs_da_args *args, xfs_dir2_db_t blkno,
+ struct xfs_buf **bpp);
+
+ /* xfs_dir2_leaf.c */
++extern int xfs_dir3_leaf_read(struct xfs_trans *tp, struct xfs_inode *dp,
++ xfs_dablk_t fbno, xfs_daddr_t mappedbno, struct xfs_buf **bpp);
+ extern int xfs_dir3_leafn_read(struct xfs_trans *tp, struct xfs_inode *dp,
+ xfs_dablk_t fbno, xfs_daddr_t mappedbno, struct xfs_buf **bpp);
+ extern int xfs_dir2_block_to_leaf(struct xfs_da_args *args,
+diff --git a/fs/xfs/libxfs/xfs_inode_buf.c b/fs/xfs/libxfs/xfs_inode_buf.c
+index d887af940f09..0c970cf7ab63 100644
+--- a/fs/xfs/libxfs/xfs_inode_buf.c
++++ b/fs/xfs/libxfs/xfs_inode_buf.c
+@@ -381,7 +381,7 @@ xfs_log_dinode_to_disk(
+ }
+ }
+
+-static bool
++bool
+ xfs_dinode_verify(
+ struct xfs_mount *mp,
+ xfs_ino_t ino,
+diff --git a/fs/xfs/libxfs/xfs_inode_buf.h b/fs/xfs/libxfs/xfs_inode_buf.h
+index 0827d7def1ce..a9c97a356c30 100644
+--- a/fs/xfs/libxfs/xfs_inode_buf.h
++++ b/fs/xfs/libxfs/xfs_inode_buf.h
+@@ -82,4 +82,7 @@ void xfs_inobp_check(struct xfs_mount *, struct xfs_buf *);
+ #define xfs_inobp_check(mp, bp)
+ #endif /* DEBUG */
+
++bool xfs_dinode_verify(struct xfs_mount *mp, xfs_ino_t ino,
++ struct xfs_dinode *dip);
++
+ #endif /* __XFS_INODE_BUF_H__ */
+diff --git a/fs/xfs/libxfs/xfs_rmap.c b/fs/xfs/libxfs/xfs_rmap.c
+index 1bcb41fe0156..eda275beebe0 100644
+--- a/fs/xfs/libxfs/xfs_rmap.c
++++ b/fs/xfs/libxfs/xfs_rmap.c
+@@ -179,7 +179,8 @@ xfs_rmap_delete(
+ return error;
+ }
+
+-static int
++/* Convert an internal btree record to an rmap record. */
++int
+ xfs_rmap_btrec_to_irec(
+ union xfs_btree_rec *rec,
+ struct xfs_rmap_irec *irec)
+diff --git a/fs/xfs/libxfs/xfs_rmap.h b/fs/xfs/libxfs/xfs_rmap.h
+index 265116d044f4..466ede637080 100644
+--- a/fs/xfs/libxfs/xfs_rmap.h
++++ b/fs/xfs/libxfs/xfs_rmap.h
+@@ -216,5 +216,8 @@ int xfs_rmap_lookup_le_range(struct xfs_btree_cur *cur, xfs_agblock_t bno,
+ struct xfs_rmap_irec *irec, int *stat);
+ int xfs_rmap_compare(const struct xfs_rmap_irec *a,
+ const struct xfs_rmap_irec *b);
++union xfs_btree_rec;
++int xfs_rmap_btrec_to_irec(union xfs_btree_rec *rec,
++ struct xfs_rmap_irec *irec);
+
+ #endif /* __XFS_RMAP_H__ */
+diff --git a/fs/xfs/libxfs/xfs_rtbitmap.c b/fs/xfs/libxfs/xfs_rtbitmap.c
+index 26bba7f90fdf..5d4e43ef4eea 100644
+--- a/fs/xfs/libxfs/xfs_rtbitmap.c
++++ b/fs/xfs/libxfs/xfs_rtbitmap.c
+@@ -70,7 +70,7 @@ const struct xfs_buf_ops xfs_rtbuf_ops = {
+ * Get a buffer for the bitmap or summary file block specified.
+ * The buffer is returned read and locked.
+ */
+-static int
++int
+ xfs_rtbuf_get(
+ xfs_mount_t *mp, /* file system mount structure */
+ xfs_trans_t *tp, /* transaction pointer */
+diff --git a/fs/xfs/xfs_itable.c b/fs/xfs/xfs_itable.c
+index 26d67ce3c18d..c393a2f6d8c3 100644
+--- a/fs/xfs/xfs_itable.c
++++ b/fs/xfs/xfs_itable.c
+@@ -31,7 +31,7 @@
+ #include "xfs_trace.h"
+ #include "xfs_icache.h"
+
+-STATIC int
++int
+ xfs_internal_inum(
+ xfs_mount_t *mp,
+ xfs_ino_t ino)
+diff --git a/fs/xfs/xfs_itable.h b/fs/xfs/xfs_itable.h
+index 6ea8b3912fa4..17e86e0541af 100644
+--- a/fs/xfs/xfs_itable.h
++++ b/fs/xfs/xfs_itable.h
+@@ -96,4 +96,6 @@ xfs_inumbers(
+ void __user *buffer, /* buffer with inode info */
+ inumbers_fmt_pf formatter);
+
++int xfs_internal_inum(struct xfs_mount *mp, xfs_ino_t ino);
++
+ #endif /* __XFS_ITABLE_H__ */
+diff --git a/fs/xfs/xfs_rtalloc.h b/fs/xfs/xfs_rtalloc.h
+index f13133e6f19f..79defa722bf1 100644
+--- a/fs/xfs/xfs_rtalloc.h
++++ b/fs/xfs/xfs_rtalloc.h
+@@ -107,6 +107,8 @@ xfs_growfs_rt(
+ /*
+ * From xfs_rtbitmap.c
+ */
++int xfs_rtbuf_get(struct xfs_mount *mp, struct xfs_trans *tp,
++ xfs_rtblock_t block, int issum, struct xfs_buf **bpp);
+ int xfs_rtcheck_range(struct xfs_mount *mp, struct xfs_trans *tp,
+ xfs_rtblock_t start, xfs_extlen_t len, int val,
+ xfs_rtblock_t *new, int *stat);
+@@ -143,6 +145,7 @@ int xfs_rtalloc_query_all(struct xfs_trans *tp,
+ # define xfs_growfs_rt(mp,in) (ENOSYS)
+ # define xfs_rtalloc_query_range(t,l,h,f,p) (ENOSYS)
+ # define xfs_rtalloc_query_all(t,f,p) (ENOSYS)
++# define xfs_rtbuf_get(m,t,b,i,p) (ENOSYS)
+ static inline int /* error */
+ xfs_rtmount_init(
+ xfs_mount_t *mp) /* file system mount structure */
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-make-errortag-a-per-mountpoint-structure.patch b/patches.fixes/xfs-make-errortag-a-per-mountpoint-structure.patch
new file mode 100644
index 0000000000..fe026452b2
--- /dev/null
+++ b/patches.fixes/xfs-make-errortag-a-per-mountpoint-structure.patch
@@ -0,0 +1,336 @@
+From 31965ef34802f49903bba06dd7c3b96a2e2ed4e4 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 20 Jun 2017 17:54:46 -0700
+Subject: [PATCH] xfs: make errortag a per-mountpoint structure
+Git-commit: 31965ef34802f49903bba06dd7c3b96a2e2ed4e4
+Patch-mainline: v4.13-rc1
+References: bsc#1123663
+
+Remove the xfs_etest structure in favor of a per-mountpoint structure.
+This will give us the flexibility to set as many error injection points
+as we want, and later enable us to set up sysfs knobs to set the trigger
+frequency as we wish. This comes at a cost of higher memory use, but
+unti we hit 1024 injection points (we're at 29) or a lot of mounts this
+shouldn't be a huge issue.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_error.c | 154 ++++++++++++++++++++++++++++-------------------------
+ fs/xfs/xfs_error.h | 25 +++++----
+ fs/xfs/xfs_ioctl.c | 4 +-
+ fs/xfs/xfs_mount.c | 10 +++-
+ fs/xfs/xfs_mount.h | 7 +++
+ 5 files changed, 111 insertions(+), 89 deletions(-)
+
+diff --git a/fs/xfs/xfs_error.c b/fs/xfs/xfs_error.c
+index ed7ee4e8af73..52f75bc1abac 100644
+--- a/fs/xfs/xfs_error.c
++++ b/fs/xfs/xfs_error.c
+@@ -25,100 +25,106 @@
+
+ #ifdef DEBUG
+
+-int xfs_etest[XFS_NUM_INJECT_ERROR];
+-int64_t xfs_etest_fsid[XFS_NUM_INJECT_ERROR];
+-char * xfs_etest_fsname[XFS_NUM_INJECT_ERROR];
+-int xfs_error_test_active;
++static unsigned int xfs_errortag_random_default[] = {
++ XFS_RANDOM_DEFAULT,
++ XFS_RANDOM_IFLUSH_1,
++ XFS_RANDOM_IFLUSH_2,
++ XFS_RANDOM_IFLUSH_3,
++ XFS_RANDOM_IFLUSH_4,
++ XFS_RANDOM_IFLUSH_5,
++ XFS_RANDOM_IFLUSH_6,
++ XFS_RANDOM_DA_READ_BUF,
++ XFS_RANDOM_BTREE_CHECK_LBLOCK,
++ XFS_RANDOM_BTREE_CHECK_SBLOCK,
++ XFS_RANDOM_ALLOC_READ_AGF,
++ XFS_RANDOM_IALLOC_READ_AGI,
++ XFS_RANDOM_ITOBP_INOTOBP,
++ XFS_RANDOM_IUNLINK,
++ XFS_RANDOM_IUNLINK_REMOVE,
++ XFS_RANDOM_DIR_INO_VALIDATE,
++ XFS_RANDOM_BULKSTAT_READ_CHUNK,
++ XFS_RANDOM_IODONE_IOERR,
++ XFS_RANDOM_STRATREAD_IOERR,
++ XFS_RANDOM_STRATCMPL_IOERR,
++ XFS_RANDOM_DIOWRITE_IOERR,
++ XFS_RANDOM_BMAPIFORMAT,
++ XFS_RANDOM_FREE_EXTENT,
++ XFS_RANDOM_RMAP_FINISH_ONE,
++ XFS_RANDOM_REFCOUNT_CONTINUE_UPDATE,
++ XFS_RANDOM_REFCOUNT_FINISH_ONE,
++ XFS_RANDOM_BMAP_FINISH_ONE,
++ XFS_RANDOM_AG_RESV_CRITICAL,
++};
+
+ int
+-xfs_error_test(int error_tag, int *fsidp, char *expression,
+- int line, char *file, unsigned long randfactor)
++xfs_errortag_init(
++ struct xfs_mount *mp)
+ {
+- int i;
+- int64_t fsid;
++ mp->m_errortag = kmem_zalloc(sizeof(unsigned int) * XFS_ERRTAG_MAX,
++ KM_SLEEP | KM_MAYFAIL);
++ if (!mp->m_errortag)
++ return -ENOMEM;
++ return 0;
++}
+
+- if (prandom_u32() % randfactor)
+- return 0;
++void
++xfs_errortag_del(
++ struct xfs_mount *mp)
++{
++ kmem_free(mp->m_errortag);
++}
+
+- memcpy(&fsid, fsidp, sizeof(xfs_fsid_t));
++bool
++xfs_errortag_test(
++ struct xfs_mount *mp,
++ const char *expression,
++ const char *file,
++ int line,
++ unsigned int error_tag)
++{
++ unsigned int randfactor;
+
+- for (i = 0; i < XFS_NUM_INJECT_ERROR; i++) {
+- if (xfs_etest[i] == error_tag && xfs_etest_fsid[i] == fsid) {
+- xfs_warn(NULL,
+- "Injecting error (%s) at file %s, line %d, on filesystem \"%s\"",
+- expression, file, line, xfs_etest_fsname[i]);
+- return 1;
+- }
+- }
++ ASSERT(error_tag < XFS_ERRTAG_MAX);
++ randfactor = mp->m_errortag[error_tag];
++ if (!randfactor || prandom_u32() % randfactor)
++ return false;
+
+- return 0;
++ xfs_warn_ratelimited(mp,
++"Injecting error (%s) at file %s, line %d, on filesystem \"%s\"",
++ expression, file, line, mp->m_fsname);
++ return true;
+ }
+
+ int
+-xfs_errortag_add(unsigned int error_tag, xfs_mount_t *mp)
++xfs_errortag_set(
++ struct xfs_mount *mp,
++ unsigned int error_tag,
++ unsigned int tag_value)
+ {
+- int i;
+- int len;
+- int64_t fsid;
+-
+ if (error_tag >= XFS_ERRTAG_MAX)
+ return -EINVAL;
+
+- memcpy(&fsid, mp->m_fixedfsid, sizeof(xfs_fsid_t));
+-
+- for (i = 0; i < XFS_NUM_INJECT_ERROR; i++) {
+- if (xfs_etest_fsid[i] == fsid && xfs_etest[i] == error_tag) {
+- xfs_warn(mp, "error tag #%d on", error_tag);
+- return 0;
+- }
+- }
+-
+- for (i = 0; i < XFS_NUM_INJECT_ERROR; i++) {
+- if (xfs_etest[i] == 0) {
+- xfs_warn(mp, "Turned on XFS error tag #%d",
+- error_tag);
+- xfs_etest[i] = error_tag;
+- xfs_etest_fsid[i] = fsid;
+- len = strlen(mp->m_fsname);
+- xfs_etest_fsname[i] = kmem_alloc(len + 1, KM_SLEEP);
+- strcpy(xfs_etest_fsname[i], mp->m_fsname);
+- xfs_error_test_active++;
+- return 0;
+- }
+- }
+-
+- xfs_warn(mp, "error tag overflow, too many turned on");
+-
+- return 1;
++ mp->m_errortag[error_tag] = tag_value;
++ return 0;
+ }
+
+ int
+-xfs_errortag_clearall(xfs_mount_t *mp, int loud)
++xfs_errortag_add(
++ struct xfs_mount *mp,
++ unsigned int error_tag)
+ {
+- int64_t fsid;
+- int cleared = 0;
+- int i;
+-
+- memcpy(&fsid, mp->m_fixedfsid, sizeof(xfs_fsid_t));
+-
+-
+- for (i = 0; i < XFS_NUM_INJECT_ERROR; i++) {
+- if ((fsid == 0LL || xfs_etest_fsid[i] == fsid) &&
+- xfs_etest[i] != 0) {
+- cleared = 1;
+- xfs_warn(mp, "Clearing XFS error tag #%d",
+- xfs_etest[i]);
+- xfs_etest[i] = 0;
+- xfs_etest_fsid[i] = 0LL;
+- kmem_free(xfs_etest_fsname[i]);
+- xfs_etest_fsname[i] = NULL;
+- xfs_error_test_active--;
+- }
+- }
++ if (error_tag >= XFS_ERRTAG_MAX)
++ return -EINVAL;
+
+- if (loud || cleared)
+- xfs_warn(mp, "Cleared all XFS error tags for filesystem");
++ return xfs_errortag_set(mp, error_tag,
++ xfs_errortag_random_default[error_tag]);
++}
+
++int
++xfs_errortag_clearall(
++ struct xfs_mount *mp)
++{
++ memset(mp->m_errortag, 0, sizeof(unsigned int) * XFS_ERRTAG_MAX);
+ return 0;
+ }
+ #endif /* DEBUG */
+diff --git a/fs/xfs/xfs_error.h b/fs/xfs/xfs_error.h
+index 05f8666733a0..b4316d39e1ca 100644
+--- a/fs/xfs/xfs_error.h
++++ b/fs/xfs/xfs_error.h
+@@ -131,21 +131,24 @@ extern void xfs_verifier_error(struct xfs_buf *bp);
+ #define XFS_RANDOM_AG_RESV_CRITICAL 4
+
+ #ifdef DEBUG
+-extern int xfs_error_test_active;
+-extern int xfs_error_test(int, int *, char *, int, char *, unsigned long);
+-
+-#define XFS_NUM_INJECT_ERROR 10
++extern int xfs_errortag_init(struct xfs_mount *mp);
++extern void xfs_errortag_del(struct xfs_mount *mp);
++extern bool xfs_errortag_test(struct xfs_mount *mp, const char *expression,
++ const char *file, int line, unsigned int error_tag);
+ #define XFS_TEST_ERROR(expr, mp, tag, rf) \
+- ((expr) || (xfs_error_test_active && \
+- xfs_error_test((tag), (mp)->m_fixedfsid, "expr", __LINE__, __FILE__, \
+- (rf))))
++ ((expr) || xfs_errortag_test((mp), #expr, __FILE__, __LINE__, (tag)))
+
+-extern int xfs_errortag_add(unsigned int error_tag, struct xfs_mount *mp);
+-extern int xfs_errortag_clearall(struct xfs_mount *mp, int loud);
++extern int xfs_errortag_set(struct xfs_mount *mp, unsigned int error_tag,
++ unsigned int tag_value);
++extern int xfs_errortag_add(struct xfs_mount *mp, unsigned int error_tag);
++extern int xfs_errortag_clearall(struct xfs_mount *mp);
+ #else
++#define xfs_errortag_init(mp) (0)
++#define xfs_errortag_del(mp)
+ #define XFS_TEST_ERROR(expr, mp, tag, rf) (expr)
+-#define xfs_errortag_add(tag, mp) (ENOSYS)
+-#define xfs_errortag_clearall(mp, loud) (ENOSYS)
++#define xfs_errortag_set(mp, tag, val) (ENOSYS)
++#define xfs_errortag_add(mp, tag) (ENOSYS)
++#define xfs_errortag_clearall(mp) (ENOSYS)
+ #endif /* DEBUG */
+
+ /*
+diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
+index 8ffe4eac0b48..9c0c7a920304 100644
+--- a/fs/xfs/xfs_ioctl.c
++++ b/fs/xfs/xfs_ioctl.c
+@@ -2037,14 +2037,14 @@ xfs_file_ioctl(
+ if (copy_from_user(&in, arg, sizeof(in)))
+ return -EFAULT;
+
+- return xfs_errortag_add(in.errtag, mp);
++ return xfs_errortag_add(mp, in.errtag);
+ }
+
+ case XFS_IOC_ERROR_CLEARALL:
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
+- return xfs_errortag_clearall(mp, 1);
++ return xfs_errortag_clearall(mp);
+
+ case XFS_IOC_FREE_EOFBLOCKS: {
+ struct xfs_fs_eofblocks eofb;
+diff --git a/fs/xfs/xfs_mount.c b/fs/xfs/xfs_mount.c
+index cc6789d35232..1a98c35e1ccf 100644
+--- a/fs/xfs/xfs_mount.c
++++ b/fs/xfs/xfs_mount.c
+@@ -720,10 +720,13 @@ xfs_mountfs(
+ if (error)
+ goto out_del_stats;
+
++ error = xfs_errortag_init(mp);
++ if (error)
++ goto out_remove_error_sysfs;
+
+ error = xfs_uuid_mount(mp);
+ if (error)
+- goto out_remove_error_sysfs;
++ goto out_remove_errortag;
+
+ /*
+ * Set the minimum read and write sizes
+@@ -1042,6 +1045,8 @@ xfs_mountfs(
+ xfs_da_unmount(mp);
+ out_remove_uuid:
+ xfs_uuid_unmount(mp);
++ out_remove_errortag:
++ xfs_errortag_del(mp);
+ out_remove_error_sysfs:
+ xfs_error_sysfs_del(mp);
+ out_del_stats:
+@@ -1145,10 +1150,11 @@ xfs_unmountfs(
+ xfs_uuid_unmount(mp);
+
+ #if defined(DEBUG)
+- xfs_errortag_clearall(mp, 0);
++ xfs_errortag_clearall(mp);
+ #endif
+ xfs_free_perag(mp);
+
++ xfs_errortag_del(mp);
+ xfs_error_sysfs_del(mp);
+ xfs_sysfs_del(&mp->m_stats.xs_kobj);
+ xfs_sysfs_del(&mp->m_kobj);
+diff --git a/fs/xfs/xfs_mount.h b/fs/xfs/xfs_mount.h
+index 305d95394e2d..e002ac52a4e6 100644
+--- a/fs/xfs/xfs_mount.h
++++ b/fs/xfs/xfs_mount.h
+@@ -198,6 +198,13 @@ typedef struct xfs_mount {
+
+ bool m_fail_unmount;
+ #ifdef DEBUG
++ /*
++ * Frequency with which errors are injected. Replaces xfs_etest; the
++ * value stored in here is the inverse of the frequency with which the
++ * error triggers. 1 = always, 2 = half the time, etc.
++ */
++ unsigned int *m_errortag;
++
+ /*
+ * DEBUG mode instrumentation to test and/or trigger delayed allocation
+ * block killing in the event of failed writes. When enabled, all
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-refactor-btree-block-header-checking-functions.patch b/patches.fixes/xfs-refactor-btree-block-header-checking-functions.patch
new file mode 100644
index 0000000000..0091045f8a
--- /dev/null
+++ b/patches.fixes/xfs-refactor-btree-block-header-checking-functions.patch
@@ -0,0 +1,279 @@
+From 52c732eee78b47ac2eb828b1c7fa611cd37b0090 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 17 Oct 2017 21:37:33 -0700
+Subject: [PATCH] xfs: refactor btree block header checking functions
+Git-commit: 52c732eee78b47ac2eb828b1c7fa611cd37b0090
+Patch-mainline: v4.15-rc1
+References: bsc#1123663
+
+Refactor the btree block header checks to have an internal function that
+returns the address of the failing check without logging errors. The
+scrubber will call the internal function, while the external version
+will maintain the current logging behavior.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_btree.c | 168 +++++++++++++++++++++++++++-------------------
+ fs/xfs/libxfs/xfs_btree.h | 8 +++
+ fs/xfs/libxfs/xfs_types.h | 6 ++
+ fs/xfs/xfs_linux.h | 7 ++
+ 4 files changed, 121 insertions(+), 68 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_btree.c b/fs/xfs/libxfs/xfs_btree.c
+index ae19f242c237..8bb20e1cf57b 100644
+--- a/fs/xfs/libxfs/xfs_btree.c
++++ b/fs/xfs/libxfs/xfs_btree.c
+@@ -63,44 +63,63 @@ xfs_btree_magic(
+ return magic;
+ }
+
+-STATIC int /* error (0 or EFSCORRUPTED) */
+-xfs_btree_check_lblock(
+- struct xfs_btree_cur *cur, /* btree cursor */
+- struct xfs_btree_block *block, /* btree long form block pointer */
+- int level, /* level of the btree block */
+- struct xfs_buf *bp) /* buffer for block, if any */
++/*
++ * Check a long btree block header. Return the address of the failing check,
++ * or NULL if everything is ok.
++ */
++xfs_failaddr_t
++__xfs_btree_check_lblock(
++ struct xfs_btree_cur *cur,
++ struct xfs_btree_block *block,
++ int level,
++ struct xfs_buf *bp)
+ {
+- int lblock_ok = 1; /* block passes checks */
+- struct xfs_mount *mp; /* file system mount point */
++ struct xfs_mount *mp = cur->bc_mp;
+ xfs_btnum_t btnum = cur->bc_btnum;
+- int crc;
+-
+- mp = cur->bc_mp;
+- crc = xfs_sb_version_hascrc(&mp->m_sb);
++ int crc = xfs_sb_version_hascrc(&mp->m_sb);
+
+ if (crc) {
+- lblock_ok = lblock_ok &&
+- uuid_equal(&block->bb_u.l.bb_uuid,
+- &mp->m_sb.sb_meta_uuid) &&
+- block->bb_u.l.bb_blkno == cpu_to_be64(
+- bp ? bp->b_bn : XFS_BUF_DADDR_NULL);
++ if (!uuid_equal(&block->bb_u.l.bb_uuid, &mp->m_sb.sb_meta_uuid))
++ return __this_address;
++ if (block->bb_u.l.bb_blkno !=
++ cpu_to_be64(bp ? bp->b_bn : XFS_BUF_DADDR_NULL))
++ return __this_address;
++ if (block->bb_u.l.bb_pad != cpu_to_be32(0))
++ return __this_address;
+ }
+
+- lblock_ok = lblock_ok &&
+- be32_to_cpu(block->bb_magic) == xfs_btree_magic(crc, btnum) &&
+- be16_to_cpu(block->bb_level) == level &&
+- be16_to_cpu(block->bb_numrecs) <=
+- cur->bc_ops->get_maxrecs(cur, level) &&
+- block->bb_u.l.bb_leftsib &&
+- (block->bb_u.l.bb_leftsib == cpu_to_be64(NULLFSBLOCK) ||
+- XFS_FSB_SANITY_CHECK(mp,
+- be64_to_cpu(block->bb_u.l.bb_leftsib))) &&
+- block->bb_u.l.bb_rightsib &&
+- (block->bb_u.l.bb_rightsib == cpu_to_be64(NULLFSBLOCK) ||
+- XFS_FSB_SANITY_CHECK(mp,
+- be64_to_cpu(block->bb_u.l.bb_rightsib)));
+-
+- if (unlikely(XFS_TEST_ERROR(!lblock_ok, mp,
++ if (be32_to_cpu(block->bb_magic) != xfs_btree_magic(crc, btnum))
++ return __this_address;
++ if (be16_to_cpu(block->bb_level) != level)
++ return __this_address;
++ if (be16_to_cpu(block->bb_numrecs) >
++ cur->bc_ops->get_maxrecs(cur, level))
++ return __this_address;
++ if (block->bb_u.l.bb_leftsib != cpu_to_be64(NULLFSBLOCK) &&
++ !xfs_btree_check_lptr(cur, be64_to_cpu(block->bb_u.l.bb_leftsib),
++ level + 1))
++ return __this_address;
++ if (block->bb_u.l.bb_rightsib != cpu_to_be64(NULLFSBLOCK) &&
++ !xfs_btree_check_lptr(cur, be64_to_cpu(block->bb_u.l.bb_rightsib),
++ level + 1))
++ return __this_address;
++
++ return NULL;
++}
++
++/* Check a long btree block header. */
++int
++xfs_btree_check_lblock(
++ struct xfs_btree_cur *cur,
++ struct xfs_btree_block *block,
++ int level,
++ struct xfs_buf *bp)
++{
++ struct xfs_mount *mp = cur->bc_mp;
++ xfs_failaddr_t fa;
++
++ fa = __xfs_btree_check_lblock(cur, block, level, bp);
++ if (unlikely(XFS_TEST_ERROR(fa != NULL, mp,
+ XFS_ERRTAG_BTREE_CHECK_LBLOCK))) {
+ if (bp)
+ trace_xfs_btree_corrupt(bp, _RET_IP_);
+@@ -110,48 +129,61 @@ xfs_btree_check_lblock(
+ return 0;
+ }
+
+-STATIC int /* error (0 or EFSCORRUPTED) */
+-xfs_btree_check_sblock(
+- struct xfs_btree_cur *cur, /* btree cursor */
+- struct xfs_btree_block *block, /* btree short form block pointer */
+- int level, /* level of the btree block */
+- struct xfs_buf *bp) /* buffer containing block */
++/*
++ * Check a short btree block header. Return the address of the failing check,
++ * or NULL if everything is ok.
++ */
++xfs_failaddr_t
++__xfs_btree_check_sblock(
++ struct xfs_btree_cur *cur,
++ struct xfs_btree_block *block,
++ int level,
++ struct xfs_buf *bp)
+ {
+- struct xfs_mount *mp; /* file system mount point */
+- struct xfs_buf *agbp; /* buffer for ag. freespace struct */
+- struct xfs_agf *agf; /* ag. freespace structure */
+- xfs_agblock_t agflen; /* native ag. freespace length */
+- int sblock_ok = 1; /* block passes checks */
++ struct xfs_mount *mp = cur->bc_mp;
+ xfs_btnum_t btnum = cur->bc_btnum;
+- int crc;
+-
+- mp = cur->bc_mp;
+- crc = xfs_sb_version_hascrc(&mp->m_sb);
+- agbp = cur->bc_private.a.agbp;
+- agf = XFS_BUF_TO_AGF(agbp);
+- agflen = be32_to_cpu(agf->agf_length);
++ int crc = xfs_sb_version_hascrc(&mp->m_sb);
+
+ if (crc) {
+- sblock_ok = sblock_ok &&
+- uuid_equal(&block->bb_u.s.bb_uuid,
+- &mp->m_sb.sb_meta_uuid) &&
+- block->bb_u.s.bb_blkno == cpu_to_be64(
+- bp ? bp->b_bn : XFS_BUF_DADDR_NULL);
++ if (!uuid_equal(&block->bb_u.s.bb_uuid, &mp->m_sb.sb_meta_uuid))
++ return __this_address;
++ if (block->bb_u.s.bb_blkno !=
++ cpu_to_be64(bp ? bp->b_bn : XFS_BUF_DADDR_NULL))
++ return __this_address;
+ }
+
+- sblock_ok = sblock_ok &&
+- be32_to_cpu(block->bb_magic) == xfs_btree_magic(crc, btnum) &&
+- be16_to_cpu(block->bb_level) == level &&
+- be16_to_cpu(block->bb_numrecs) <=
+- cur->bc_ops->get_maxrecs(cur, level) &&
+- (block->bb_u.s.bb_leftsib == cpu_to_be32(NULLAGBLOCK) ||
+- be32_to_cpu(block->bb_u.s.bb_leftsib) < agflen) &&
+- block->bb_u.s.bb_leftsib &&
+- (block->bb_u.s.bb_rightsib == cpu_to_be32(NULLAGBLOCK) ||
+- be32_to_cpu(block->bb_u.s.bb_rightsib) < agflen) &&
+- block->bb_u.s.bb_rightsib;
+-
+- if (unlikely(XFS_TEST_ERROR(!sblock_ok, mp,
++ if (be32_to_cpu(block->bb_magic) != xfs_btree_magic(crc, btnum))
++ return __this_address;
++ if (be16_to_cpu(block->bb_level) != level)
++ return __this_address;
++ if (be16_to_cpu(block->bb_numrecs) >
++ cur->bc_ops->get_maxrecs(cur, level))
++ return __this_address;
++ if (block->bb_u.s.bb_leftsib != cpu_to_be32(NULLAGBLOCK) &&
++ !xfs_btree_check_sptr(cur, be32_to_cpu(block->bb_u.s.bb_leftsib),
++ level + 1))
++ return __this_address;
++ if (block->bb_u.s.bb_rightsib != cpu_to_be32(NULLAGBLOCK) &&
++ !xfs_btree_check_sptr(cur, be32_to_cpu(block->bb_u.s.bb_rightsib),
++ level + 1))
++ return __this_address;
++
++ return NULL;
++}
++
++/* Check a short btree block header. */
++STATIC int
++xfs_btree_check_sblock(
++ struct xfs_btree_cur *cur,
++ struct xfs_btree_block *block,
++ int level,
++ struct xfs_buf *bp)
++{
++ struct xfs_mount *mp = cur->bc_mp;
++ xfs_failaddr_t fa;
++
++ fa = __xfs_btree_check_sblock(cur, block, level, bp);
++ if (unlikely(XFS_TEST_ERROR(fa != NULL, mp,
+ XFS_ERRTAG_BTREE_CHECK_SBLOCK))) {
+ if (bp)
+ trace_xfs_btree_corrupt(bp, _RET_IP_);
+diff --git a/fs/xfs/libxfs/xfs_btree.h b/fs/xfs/libxfs/xfs_btree.h
+index 8f52eda8eb82..3f8001de2493 100644
+--- a/fs/xfs/libxfs/xfs_btree.h
++++ b/fs/xfs/libxfs/xfs_btree.h
+@@ -255,6 +255,14 @@ typedef struct xfs_btree_cur
+ */
+ #define XFS_BUF_TO_BLOCK(bp) ((struct xfs_btree_block *)((bp)->b_addr))
+
++/*
++ * Internal long and short btree block checks. They return NULL if the
++ * block is ok or the address of the failed check otherwise.
++ */
++xfs_failaddr_t __xfs_btree_check_lblock(struct xfs_btree_cur *cur,
++ struct xfs_btree_block *block, int level, struct xfs_buf *bp);
++xfs_failaddr_t __xfs_btree_check_sblock(struct xfs_btree_cur *cur,
++ struct xfs_btree_block *block, int level, struct xfs_buf *bp);
+
+ /*
+ * Check that block header is ok.
+diff --git a/fs/xfs/libxfs/xfs_types.h b/fs/xfs/libxfs/xfs_types.h
+index 0220159bd463..f04dbfb2f50d 100644
+--- a/fs/xfs/libxfs/xfs_types.h
++++ b/fs/xfs/libxfs/xfs_types.h
+@@ -47,6 +47,12 @@ typedef uint64_t xfs_filblks_t; /* number of blocks in a file */
+ typedef int64_t xfs_srtblock_t; /* signed version of xfs_rtblock_t */
+ typedef int64_t xfs_sfiloff_t; /* signed block number in a file */
+
++/*
++ * New verifiers will return the instruction address of the failing check.
++ * NULL means everything is ok.
++ */
++typedef void * xfs_failaddr_t;
++
+ /*
+ * Null values for the types.
+ */
+diff --git a/fs/xfs/xfs_linux.h b/fs/xfs/xfs_linux.h
+index dcd1292664b3..00a5efeec496 100644
+--- a/fs/xfs/xfs_linux.h
++++ b/fs/xfs/xfs_linux.h
+@@ -142,6 +142,13 @@ typedef __u32 xfs_nlink_t;
+ #define SYNCHRONIZE() barrier()
+ #define __return_address __builtin_return_address(0)
+
++/*
++ * Return the address of a label. Use barrier() so that the optimizer
++ * won't reorder code to refactor the error jumpouts into a single
++ * return, which throws off the reported address.
++ */
++#define __this_address ({ __label__ __here; __here: barrier(); &&__here; })
++
+ #define XFS_PROJID_DEFAULT 0
+
+ #define MIN(a,b) (min(a,b))
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-refactor-btree-pointer-checks.patch b/patches.fixes/xfs-refactor-btree-pointer-checks.patch
new file mode 100644
index 0000000000..ceae8b7a6a
--- /dev/null
+++ b/patches.fixes/xfs-refactor-btree-pointer-checks.patch
@@ -0,0 +1,162 @@
+From f135761a73b18877bdfb44018fe993172c7be203 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 17 Oct 2017 21:37:33 -0700
+Subject: [PATCH] xfs: refactor btree pointer checks
+Git-commit: f135761a73b18877bdfb44018fe993172c7be203
+Patch-mainline: v4.15-rc1
+References: bsc#1123663
+
+Refactor the btree pointer checks so that we can call them from the
+scrub code without logging errors to dmesg. Preserve the existing error
+reporting for regular operations.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_bmap.c | 4 +--
+ fs/xfs/libxfs/xfs_btree.c | 70 ++++++++++++++++++++++-------------------------
+ fs/xfs/libxfs/xfs_btree.h | 13 +++++++--
+ 3 files changed, 45 insertions(+), 42 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
+index dd6672b81c26..7eac21a310bf 100644
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -646,8 +646,8 @@ xfs_bmap_btree_to_extents(
+ cbno = be64_to_cpu(*pp);
+ *logflagsp = 0;
+ #ifdef DEBUG
+- if ((error = xfs_btree_check_lptr(cur, cbno, 1)))
+- return error;
++ XFS_WANT_CORRUPTED_RETURN(cur->bc_mp,
++ xfs_btree_check_lptr(cur, cbno, 1));
+ #endif
+ error = xfs_btree_read_bufl(mp, tp, cbno, 0, &cbp, XFS_BMAP_BTREE_REF,
+ &xfs_bmbt_buf_ops);
+diff --git a/fs/xfs/libxfs/xfs_btree.c b/fs/xfs/libxfs/xfs_btree.c
+index 5bfb88261c7e..ae19f242c237 100644
+--- a/fs/xfs/libxfs/xfs_btree.c
++++ b/fs/xfs/libxfs/xfs_btree.c
+@@ -177,59 +177,53 @@ xfs_btree_check_block(
+ return xfs_btree_check_sblock(cur, block, level, bp);
+ }
+
+-/*
+- * Check that (long) pointer is ok.
+- */
+-int /* error (0 or EFSCORRUPTED) */
++/* Check that this long pointer is valid and points within the fs. */
++bool
+ xfs_btree_check_lptr(
+- struct xfs_btree_cur *cur, /* btree cursor */
+- xfs_fsblock_t bno, /* btree block disk address */
+- int level) /* btree block level */
++ struct xfs_btree_cur *cur,
++ xfs_fsblock_t fsbno,
++ int level)
+ {
+- XFS_WANT_CORRUPTED_RETURN(cur->bc_mp,
+- level > 0 &&
+- bno != NULLFSBLOCK &&
+- XFS_FSB_SANITY_CHECK(cur->bc_mp, bno));
+- return 0;
++ if (level <= 0)
++ return false;
++ return xfs_verify_fsbno(cur->bc_mp, fsbno);
+ }
+
+-#ifdef DEBUG
+-/*
+- * Check that (short) pointer is ok.
+- */
+-STATIC int /* error (0 or EFSCORRUPTED) */
++/* Check that this short pointer is valid and points within the AG. */
++bool
+ xfs_btree_check_sptr(
+- struct xfs_btree_cur *cur, /* btree cursor */
+- xfs_agblock_t bno, /* btree block disk address */
+- int level) /* btree block level */
++ struct xfs_btree_cur *cur,
++ xfs_agblock_t agbno,
++ int level)
+ {
+- xfs_agblock_t agblocks = cur->bc_mp->m_sb.sb_agblocks;
+-
+- XFS_WANT_CORRUPTED_RETURN(cur->bc_mp,
+- level > 0 &&
+- bno != NULLAGBLOCK &&
+- bno != 0 &&
+- bno < agblocks);
+- return 0;
++ if (level <= 0)
++ return false;
++ return xfs_verify_agbno(cur->bc_mp, cur->bc_private.a.agno, agbno);
+ }
+
++#ifdef DEBUG
+ /*
+- * Check that block ptr is ok.
++ * Check that a given (indexed) btree pointer at a certain level of a
++ * btree is valid and doesn't point past where it should.
+ */
+-STATIC int /* error (0 or EFSCORRUPTED) */
++int
+ xfs_btree_check_ptr(
+- struct xfs_btree_cur *cur, /* btree cursor */
+- union xfs_btree_ptr *ptr, /* btree block disk address */
+- int index, /* offset from ptr to check */
+- int level) /* btree block level */
++ struct xfs_btree_cur *cur,
++ union xfs_btree_ptr *ptr,
++ int index,
++ int level)
+ {
+ if (cur->bc_flags & XFS_BTREE_LONG_PTRS) {
+- return xfs_btree_check_lptr(cur,
+- be64_to_cpu((&ptr->l)[index]), level);
++ XFS_WANT_CORRUPTED_RETURN(cur->bc_mp,
++ xfs_btree_check_lptr(cur,
++ be64_to_cpu((&ptr->l)[index]), level));
+ } else {
+- return xfs_btree_check_sptr(cur,
+- be32_to_cpu((&ptr->s)[index]), level);
++ XFS_WANT_CORRUPTED_RETURN(cur->bc_mp,
++ xfs_btree_check_sptr(cur,
++ be32_to_cpu((&ptr->s)[index]), level));
+ }
++
++ return 0;
+ }
+ #endif
+
+diff --git a/fs/xfs/libxfs/xfs_btree.h b/fs/xfs/libxfs/xfs_btree.h
+index f2a88c3b1159..8f52eda8eb82 100644
+--- a/fs/xfs/libxfs/xfs_btree.h
++++ b/fs/xfs/libxfs/xfs_btree.h
+@@ -269,10 +269,19 @@ xfs_btree_check_block(
+ /*
+ * Check that (long) pointer is ok.
+ */
+-int /* error (0 or EFSCORRUPTED) */
++bool /* error (0 or EFSCORRUPTED) */
+ xfs_btree_check_lptr(
+ struct xfs_btree_cur *cur, /* btree cursor */
+- xfs_fsblock_t ptr, /* btree block disk address */
++ xfs_fsblock_t fsbno, /* btree block disk address */
++ int level); /* btree block level */
++
++/*
++ * Check that (short) pointer is ok.
++ */
++bool /* error (0 or EFSCORRUPTED) */
++xfs_btree_check_sptr(
++ struct xfs_btree_cur *cur, /* btree cursor */
++ xfs_agblock_t agbno, /* btree block disk address */
+ int level); /* btree block level */
+
+ /*
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-remove-unneeded-parameter-from-XFS_TEST_ERROR.patch b/patches.fixes/xfs-remove-unneeded-parameter-from-XFS_TEST_ERROR.patch
new file mode 100644
index 0000000000..2299b68e7d
--- /dev/null
+++ b/patches.fixes/xfs-remove-unneeded-parameter-from-XFS_TEST_ERROR.patch
@@ -0,0 +1,306 @@
+From 9e24cfd044853e0e46e7149b91b7bb09effb0a79 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 20 Jun 2017 17:54:47 -0700
+Subject: [PATCH] xfs: remove unneeded parameter from XFS_TEST_ERROR
+Git-commit: 9e24cfd044853e0e46e7149b91b7bb09effb0a79
+Patch-mainline: v4.13-rc1
+References: bsc#1123663
+
+Since we moved the injected error frequency controls to the mountpoint,
+we can get rid of the last argument to XFS_TEST_ERROR.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_ag_resv.c | 3 +--
+ fs/xfs/libxfs/xfs_alloc.c | 6 ++----
+ fs/xfs/libxfs/xfs_bmap.c | 13 ++++++-------
+ fs/xfs/libxfs/xfs_btree.c | 6 ++----
+ fs/xfs/libxfs/xfs_dir2.c | 3 +--
+ fs/xfs/libxfs/xfs_ialloc.c | 3 +--
+ fs/xfs/libxfs/xfs_inode_buf.c | 3 +--
+ fs/xfs/libxfs/xfs_refcount.c | 6 ++----
+ fs/xfs/libxfs/xfs_rmap.c | 3 +--
+ fs/xfs/xfs_error.h | 4 ++--
+ fs/xfs/xfs_inode.c | 11 +++++------
+ fs/xfs/xfs_iomap.c | 2 +-
+ fs/xfs/xfs_log.c | 3 +--
+ 13 files changed, 26 insertions(+), 40 deletions(-)
+
+--- a/fs/xfs/libxfs/xfs_ag_resv.c
++++ b/fs/xfs/libxfs/xfs_ag_resv.c
+@@ -111,8 +111,7 @@
+
+ /* Critically low if less than 10% or max btree height remains. */
+ return XFS_TEST_ERROR(avail < orig / 10 || avail < XFS_BTREE_MAXLEVELS,
+- pag->pag_mount, XFS_ERRTAG_AG_RESV_CRITICAL,
+- XFS_RANDOM_AG_RESV_CRITICAL);
++ pag->pag_mount, XFS_ERRTAG_AG_RESV_CRITICAL);
+ }
+
+ /*
+--- a/fs/xfs/libxfs/xfs_alloc.c
++++ b/fs/xfs/libxfs/xfs_alloc.c
+@@ -2454,8 +2454,7 @@
+ !xfs_buf_verify_cksum(bp, XFS_AGF_CRC_OFF))
+ xfs_buf_ioerror(bp, -EFSBADCRC);
+ else if (XFS_TEST_ERROR(!xfs_agf_verify(mp, bp), mp,
+- XFS_ERRTAG_ALLOC_READ_AGF,
+- XFS_RANDOM_ALLOC_READ_AGF))
++ XFS_ERRTAG_ALLOC_READ_AGF))
+ xfs_buf_ioerror(bp, -EFSCORRUPTED);
+
+ if (bp->b_error)
+@@ -2842,8 +2841,7 @@
+ ASSERT(type != XFS_AG_RESV_AGFL);
+
+ if (XFS_TEST_ERROR(false, mp,
+- XFS_ERRTAG_FREE_EXTENT,
+- XFS_RANDOM_FREE_EXTENT))
++ XFS_ERRTAG_FREE_EXTENT))
+ return -EIO;
+
+ error = xfs_free_extent_fix_freelist(tp, agno, &agbp);
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -3992,7 +3992,7 @@
+ if (unlikely(XFS_TEST_ERROR(
+ (XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_EXTENTS &&
+ XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_BTREE),
+- mp, XFS_ERRTAG_BMAPIFORMAT, XFS_RANDOM_BMAPIFORMAT))) {
++ mp, XFS_ERRTAG_BMAPIFORMAT))) {
+ XFS_ERROR_REPORT("xfs_bmapi_read", XFS_ERRLEVEL_LOW, mp);
+ return -EFSCORRUPTED;
+ }
+@@ -4473,7 +4473,7 @@
+ if (unlikely(XFS_TEST_ERROR(
+ (XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_EXTENTS &&
+ XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_BTREE),
+- mp, XFS_ERRTAG_BMAPIFORMAT, XFS_RANDOM_BMAPIFORMAT))) {
++ mp, XFS_ERRTAG_BMAPIFORMAT))) {
+ XFS_ERROR_REPORT("xfs_bmapi_write", XFS_ERRLEVEL_LOW, mp);
+ return -EFSCORRUPTED;
+ }
+@@ -4694,7 +4694,7 @@
+ if (unlikely(XFS_TEST_ERROR(
+ (XFS_IFORK_FORMAT(ip, XFS_DATA_FORK) != XFS_DINODE_FMT_EXTENTS &&
+ XFS_IFORK_FORMAT(ip, XFS_DATA_FORK) != XFS_DINODE_FMT_BTREE),
+- mp, XFS_ERRTAG_BMAPIFORMAT, XFS_RANDOM_BMAPIFORMAT))) {
++ mp, XFS_ERRTAG_BMAPIFORMAT))) {
+ XFS_ERROR_REPORT("xfs_bmapi_remap", XFS_ERRLEVEL_LOW, mp);
+ return -EFSCORRUPTED;
+ }
+@@ -6077,7 +6077,7 @@
+ if (unlikely(XFS_TEST_ERROR(
+ (XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_EXTENTS &&
+ XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_BTREE),
+- mp, XFS_ERRTAG_BMAPIFORMAT, XFS_RANDOM_BMAPIFORMAT))) {
++ mp, XFS_ERRTAG_BMAPIFORMAT))) {
+ XFS_ERROR_REPORT("xfs_bmap_shift_extents",
+ XFS_ERRLEVEL_LOW, mp);
+ return -EFSCORRUPTED;
+@@ -6229,7 +6229,7 @@
+ if (unlikely(XFS_TEST_ERROR(
+ (XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_EXTENTS &&
+ XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_BTREE),
+- mp, XFS_ERRTAG_BMAPIFORMAT, XFS_RANDOM_BMAPIFORMAT))) {
++ mp, XFS_ERRTAG_BMAPIFORMAT))) {
+ XFS_ERROR_REPORT("xfs_bmap_split_extent_at",
+ XFS_ERRLEVEL_LOW, mp);
+ return -EFSCORRUPTED;
+@@ -6486,8 +6486,7 @@
+ return -EFSCORRUPTED;
+
+ if (XFS_TEST_ERROR(false, tp->t_mountp,
+- XFS_ERRTAG_BMAP_FINISH_ONE,
+- XFS_RANDOM_BMAP_FINISH_ONE))
++ XFS_ERRTAG_BMAP_FINISH_ONE))
+ return -EIO;
+
+ switch (type) {
+--- a/fs/xfs/libxfs/xfs_btree.c
++++ b/fs/xfs/libxfs/xfs_btree.c
+@@ -101,8 +101,7 @@
+ be64_to_cpu(block->bb_u.l.bb_rightsib)));
+
+ if (unlikely(XFS_TEST_ERROR(!lblock_ok, mp,
+- XFS_ERRTAG_BTREE_CHECK_LBLOCK,
+- XFS_RANDOM_BTREE_CHECK_LBLOCK))) {
++ XFS_ERRTAG_BTREE_CHECK_LBLOCK))) {
+ if (bp)
+ trace_xfs_btree_corrupt(bp, _RET_IP_);
+ XFS_ERROR_REPORT(__func__, XFS_ERRLEVEL_LOW, mp);
+@@ -153,8 +152,7 @@
+ block->bb_u.s.bb_rightsib;
+
+ if (unlikely(XFS_TEST_ERROR(!sblock_ok, mp,
+- XFS_ERRTAG_BTREE_CHECK_SBLOCK,
+- XFS_RANDOM_BTREE_CHECK_SBLOCK))) {
++ XFS_ERRTAG_BTREE_CHECK_SBLOCK))) {
+ if (bp)
+ trace_xfs_btree_corrupt(bp, _RET_IP_);
+ XFS_ERROR_REPORT(__func__, XFS_ERRLEVEL_LOW, mp);
+--- a/fs/xfs/libxfs/xfs_dir2.c
++++ b/fs/xfs/libxfs/xfs_dir2.c
+@@ -218,8 +218,7 @@
+ agblkno != 0 &&
+ ioff < (1 << mp->m_sb.sb_inopblog) &&
+ XFS_AGINO_TO_INO(mp, agno, agino) == ino;
+- if (unlikely(XFS_TEST_ERROR(!ino_ok, mp, XFS_ERRTAG_DIR_INO_VALIDATE,
+- XFS_RANDOM_DIR_INO_VALIDATE))) {
++ if (unlikely(XFS_TEST_ERROR(!ino_ok, mp, XFS_ERRTAG_DIR_INO_VALIDATE))) {
+ xfs_warn(mp, "Invalid inode number 0x%Lx",
+ (unsigned long long) ino);
+ XFS_ERROR_REPORT("xfs_dir_ino_validate", XFS_ERRLEVEL_LOW, mp);
+--- a/fs/xfs/libxfs/xfs_ialloc.c
++++ b/fs/xfs/libxfs/xfs_ialloc.c
+@@ -2542,8 +2542,7 @@
+ !xfs_buf_verify_cksum(bp, XFS_AGI_CRC_OFF))
+ xfs_buf_ioerror(bp, -EFSBADCRC);
+ else if (XFS_TEST_ERROR(!xfs_agi_verify(bp), mp,
+- XFS_ERRTAG_IALLOC_READ_AGI,
+- XFS_RANDOM_IALLOC_READ_AGI))
++ XFS_ERRTAG_IALLOC_READ_AGI))
+ xfs_buf_ioerror(bp, -EFSCORRUPTED);
+
+ if (bp->b_error)
+--- a/fs/xfs/libxfs/xfs_inode_buf.c
++++ b/fs/xfs/libxfs/xfs_inode_buf.c
+@@ -105,8 +105,7 @@
+ di_ok = dip->di_magic == cpu_to_be16(XFS_DINODE_MAGIC) &&
+ xfs_dinode_good_version(mp, dip->di_version);
+ if (unlikely(XFS_TEST_ERROR(!di_ok, mp,
+- XFS_ERRTAG_ITOBP_INOTOBP,
+- XFS_RANDOM_ITOBP_INOTOBP))) {
++ XFS_ERRTAG_ITOBP_INOTOBP))) {
+ if (readahead) {
+ bp->b_flags &= ~XBF_DONE;
+ xfs_buf_ioerror(bp, -EIO);
+--- a/fs/xfs/libxfs/xfs_refcount.c
++++ b/fs/xfs/libxfs/xfs_refcount.c
+@@ -813,8 +813,7 @@
+ */
+ if (cur->bc_private.a.priv.refc.nr_ops > 2 &&
+ XFS_TEST_ERROR(false, cur->bc_mp,
+- XFS_ERRTAG_REFCOUNT_CONTINUE_UPDATE,
+- XFS_RANDOM_REFCOUNT_CONTINUE_UPDATE))
++ XFS_ERRTAG_REFCOUNT_CONTINUE_UPDATE))
+ return false;
+
+ if (cur->bc_private.a.priv.refc.nr_ops == 0)
+@@ -1076,8 +1075,7 @@
+ blockcount);
+
+ if (XFS_TEST_ERROR(false, mp,
+- XFS_ERRTAG_REFCOUNT_FINISH_ONE,
+- XFS_RANDOM_REFCOUNT_FINISH_ONE))
++ XFS_ERRTAG_REFCOUNT_FINISH_ONE))
+ return -EIO;
+
+ /*
+--- a/fs/xfs/libxfs/xfs_rmap.c
++++ b/fs/xfs/libxfs/xfs_rmap.c
+@@ -2086,8 +2086,7 @@
+ startoff, blockcount, state);
+
+ if (XFS_TEST_ERROR(false, mp,
+- XFS_ERRTAG_RMAP_FINISH_ONE,
+- XFS_RANDOM_RMAP_FINISH_ONE))
++ XFS_ERRTAG_RMAP_FINISH_ONE))
+ return -EIO;
+
+ /*
+--- a/fs/xfs/xfs_error.h
++++ b/fs/xfs/xfs_error.h
+@@ -135,7 +135,7 @@
+ extern void xfs_errortag_del(struct xfs_mount *mp);
+ extern bool xfs_errortag_test(struct xfs_mount *mp, const char *expression,
+ const char *file, int line, unsigned int error_tag);
+-#define XFS_TEST_ERROR(expr, mp, tag, rf) \
++#define XFS_TEST_ERROR(expr, mp, tag) \
+ ((expr) || xfs_errortag_test((mp), #expr, __FILE__, __LINE__, (tag)))
+
+ extern int xfs_errortag_set(struct xfs_mount *mp, unsigned int error_tag,
+@@ -145,7 +145,7 @@
+ #else
+ #define xfs_errortag_init(mp) (0)
+ #define xfs_errortag_del(mp)
+-#define XFS_TEST_ERROR(expr, mp, tag, rf) (expr)
++#define XFS_TEST_ERROR(expr, mp, tag) (expr)
+ #define xfs_errortag_set(mp, tag, val) (ENOSYS)
+ #define xfs_errortag_add(mp, tag) (ENOSYS)
+ #define xfs_errortag_clearall(mp) (ENOSYS)
+--- a/fs/xfs/xfs_inode.c
++++ b/fs/xfs/xfs_inode.c
+@@ -3489,7 +3489,7 @@
+ dip = xfs_buf_offset(bp, ip->i_imap.im_boffset);
+
+ if (XFS_TEST_ERROR(dip->di_magic != cpu_to_be16(XFS_DINODE_MAGIC),
+- mp, XFS_ERRTAG_IFLUSH_1, XFS_RANDOM_IFLUSH_1)) {
++ mp, XFS_ERRTAG_IFLUSH_1)) {
+ xfs_alert_tag(mp, XFS_PTAG_IFLUSH,
+ "%s: Bad inode %Lu magic number 0x%x, ptr 0x%p",
+ __func__, ip->i_ino, be16_to_cpu(dip->di_magic), dip);
+@@ -3499,7 +3499,7 @@
+ if (XFS_TEST_ERROR(
+ (ip->i_d.di_format != XFS_DINODE_FMT_EXTENTS) &&
+ (ip->i_d.di_format != XFS_DINODE_FMT_BTREE),
+- mp, XFS_ERRTAG_IFLUSH_3, XFS_RANDOM_IFLUSH_3)) {
++ mp, XFS_ERRTAG_IFLUSH_3)) {
+ xfs_alert_tag(mp, XFS_PTAG_IFLUSH,
+ "%s: Bad regular inode %Lu, ptr 0x%p",
+ __func__, ip->i_ino, ip);
+@@ -3510,7 +3510,7 @@
+ (ip->i_d.di_format != XFS_DINODE_FMT_EXTENTS) &&
+ (ip->i_d.di_format != XFS_DINODE_FMT_BTREE) &&
+ (ip->i_d.di_format != XFS_DINODE_FMT_LOCAL),
+- mp, XFS_ERRTAG_IFLUSH_4, XFS_RANDOM_IFLUSH_4)) {
++ mp, XFS_ERRTAG_IFLUSH_4)) {
+ xfs_alert_tag(mp, XFS_PTAG_IFLUSH,
+ "%s: Bad directory inode %Lu, ptr 0x%p",
+ __func__, ip->i_ino, ip);
+@@ -3518,8 +3518,7 @@
+ }
+ }
+ if (XFS_TEST_ERROR(ip->i_d.di_nextents + ip->i_d.di_anextents >
+- ip->i_d.di_nblocks, mp, XFS_ERRTAG_IFLUSH_5,
+- XFS_RANDOM_IFLUSH_5)) {
++ ip->i_d.di_nblocks, mp, XFS_ERRTAG_IFLUSH_5)) {
+ xfs_alert_tag(mp, XFS_PTAG_IFLUSH,
+ "%s: detected corrupt incore inode %Lu, "
+ "total extents = %d, nblocks = %Ld, ptr 0x%p",
+@@ -3529,7 +3528,7 @@
+ goto corrupt_out;
+ }
+ if (XFS_TEST_ERROR(ip->i_d.di_forkoff > mp->m_sb.sb_inodesize,
+- mp, XFS_ERRTAG_IFLUSH_6, XFS_RANDOM_IFLUSH_6)) {
++ mp, XFS_ERRTAG_IFLUSH_6)) {
+ xfs_alert_tag(mp, XFS_PTAG_IFLUSH,
+ "%s: bad inode %Lu, forkoff 0x%x, ptr 0x%p",
+ __func__, ip->i_ino, ip->i_d.di_forkoff, ip);
+--- a/fs/xfs/xfs_iomap.c
++++ b/fs/xfs/xfs_iomap.c
+@@ -543,7 +543,7 @@
+ if (unlikely(XFS_TEST_ERROR(
+ (XFS_IFORK_FORMAT(ip, XFS_DATA_FORK) != XFS_DINODE_FMT_EXTENTS &&
+ XFS_IFORK_FORMAT(ip, XFS_DATA_FORK) != XFS_DINODE_FMT_BTREE),
+- mp, XFS_ERRTAG_BMAPIFORMAT, XFS_RANDOM_BMAPIFORMAT))) {
++ mp, XFS_ERRTAG_BMAPIFORMAT))) {
+ XFS_ERROR_REPORT(__func__, XFS_ERRLEVEL_LOW, mp);
+ error = -EFSCORRUPTED;
+ goto out_unlock;
+--- a/fs/xfs/xfs_log.c
++++ b/fs/xfs/xfs_log.c
+@@ -1189,8 +1189,7 @@
+ * IOABORT state. The IOABORT state is only set in DEBUG mode to inject
+ * CRC errors into log recovery.
+ */
+- if (XFS_TEST_ERROR(bp->b_error, l->l_mp, XFS_ERRTAG_IODONE_IOERR,
+- XFS_RANDOM_IODONE_IOERR) ||
++ if (XFS_TEST_ERROR(bp->b_error, l->l_mp, XFS_ERRTAG_IODONE_IOERR) ||
+ iclog->ic_state & XLOG_STATE_IOABORT) {
+ if (iclog->ic_state & XLOG_STATE_IOABORT)
+ iclog->ic_state &= ~XLOG_STATE_IOABORT;
diff --git a/patches.fixes/xfs-rename-MAXPATHLEN-to-XFS_SYMLINK_MAXLEN.patch b/patches.fixes/xfs-rename-MAXPATHLEN-to-XFS_SYMLINK_MAXLEN.patch
new file mode 100644
index 0000000000..19cb718dda
--- /dev/null
+++ b/patches.fixes/xfs-rename-MAXPATHLEN-to-XFS_SYMLINK_MAXLEN.patch
@@ -0,0 +1,138 @@
+From 6eb0b8df9f74f33d1a69100117630a7a87a9cc96 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Fri, 7 Jul 2017 08:37:26 -0700
+Subject: [PATCH] xfs: rename MAXPATHLEN to XFS_SYMLINK_MAXLEN
+Git-commit: 6eb0b8df9f74f33d1a69100117630a7a87a9cc96
+Patch-mainline: v4.13-rc1
+References: bsc#1123663
+
+XFS has a maximum symlink target length of 1024 bytes; this is a
+holdover from the Irix days. Unfortunately, the constant establishing
+this is 'MAXPATHLEN' and is /not/ the same as the Linux MAXPATHLEN,
+which is 4096.
+
+The kernel enforces its 1024 byte MAXPATHLEN on symlink targets, but
+xfsprogs picks up the (Linux) system 4096 byte MAXPATHLEN, which means
+that xfs_repair doesn't complain about oversized symlinks.
+
+Since this is an on-disk format constraint, put the define in the XFS
+namespace and move everything over to use the new name.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_format.h | 1 +
+ fs/xfs/libxfs/xfs_symlink_remote.c | 2 +-
+ fs/xfs/libxfs/xfs_trans_resv.c | 4 ++--
+ fs/xfs/xfs_iops.c | 2 +-
+ fs/xfs/xfs_linux.h | 1 -
+ fs/xfs/xfs_symlink.c | 6 +++---
+ 6 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_format.h b/fs/xfs/libxfs/xfs_format.h
+index e204a942e5bf..23229f0c5b15 100644
+--- a/fs/xfs/libxfs/xfs_format.h
++++ b/fs/xfs/libxfs/xfs_format.h
+@@ -1211,6 +1211,7 @@ struct xfs_dsymlink_hdr {
+
+ #define XFS_SYMLINK_CRC_OFF offsetof(struct xfs_dsymlink_hdr, sl_crc)
+
++#define XFS_SYMLINK_MAXLEN 1024
+ /*
+ * The maximum pathlen is 1024 bytes. Since the minimum file system
+ * blocksize is 512 bytes, we can get a max of 3 extents back from
+diff --git a/fs/xfs/libxfs/xfs_symlink_remote.c b/fs/xfs/libxfs/xfs_symlink_remote.c
+index 2e2c6716b623..c484877129a0 100644
+--- a/fs/xfs/libxfs/xfs_symlink_remote.c
++++ b/fs/xfs/libxfs/xfs_symlink_remote.c
+@@ -114,7 +114,7 @@ xfs_symlink_verify(
+ if (bp->b_bn != be64_to_cpu(dsl->sl_blkno))
+ return false;
+ if (be32_to_cpu(dsl->sl_offset) +
+- be32_to_cpu(dsl->sl_bytes) >= MAXPATHLEN)
++ be32_to_cpu(dsl->sl_bytes) >= XFS_SYMLINK_MAXLEN)
+ return false;
+ if (dsl->sl_owner == 0)
+ return false;
+diff --git a/fs/xfs/libxfs/xfs_trans_resv.c b/fs/xfs/libxfs/xfs_trans_resv.c
+index b456cca1bfb2..6bd916bd35e2 100644
+--- a/fs/xfs/libxfs/xfs_trans_resv.c
++++ b/fs/xfs/libxfs/xfs_trans_resv.c
+@@ -477,14 +477,14 @@ xfs_calc_mkdir_reservation(
+ /*
+ * Making a new symplink is the same as creating a new file, but
+ * with the added blocks for remote symlink data which can be up to 1kB in
+- * length (MAXPATHLEN).
++ * length (XFS_SYMLINK_MAXLEN).
+ */
+ STATIC uint
+ xfs_calc_symlink_reservation(
+ struct xfs_mount *mp)
+ {
+ return xfs_calc_create_reservation(mp) +
+- xfs_calc_buf_res(1, MAXPATHLEN);
++ xfs_calc_buf_res(1, XFS_SYMLINK_MAXLEN);
+ }
+
+ /*
+diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
+index 077e2b2ac773..469c9fa4c178 100644
+--- a/fs/xfs/xfs_iops.c
++++ b/fs/xfs/xfs_iops.c
+@@ -460,7 +460,7 @@ xfs_vn_get_link(
+ if (!dentry)
+ return ERR_PTR(-ECHILD);
+
+- link = kmalloc(MAXPATHLEN+1, GFP_KERNEL);
++ link = kmalloc(XFS_SYMLINK_MAXLEN+1, GFP_KERNEL);
+ if (!link)
+ goto out_err;
+
+diff --git a/fs/xfs/xfs_linux.h b/fs/xfs/xfs_linux.h
+index ecdae42267d3..44abaecd1481 100644
+--- a/fs/xfs/xfs_linux.h
++++ b/fs/xfs/xfs_linux.h
+@@ -143,7 +143,6 @@ typedef __u32 xfs_nlink_t;
+ #define __return_address __builtin_return_address(0)
+
+ #define XFS_PROJID_DEFAULT 0
+-#define MAXPATHLEN 1024
+
+ #define MIN(a,b) (min(a,b))
+ #define MAX(a,b) (max(a,b))
+diff --git a/fs/xfs/xfs_symlink.c b/fs/xfs/xfs_symlink.c
+index 493804857d67..12cd9cf7de41 100644
+--- a/fs/xfs/xfs_symlink.c
++++ b/fs/xfs/xfs_symlink.c
+@@ -143,7 +143,7 @@ xfs_readlink(
+ if (!pathlen)
+ goto out;
+
+- if (pathlen < 0 || pathlen > MAXPATHLEN) {
++ if (pathlen < 0 || pathlen > XFS_SYMLINK_MAXLEN) {
+ xfs_alert(mp, "%s: inode (%llu) bad symlink length (%lld)",
+ __func__, (unsigned long long) ip->i_ino,
+ (long long) pathlen);
+@@ -202,7 +202,7 @@ xfs_symlink(
+ * Check component lengths of the target path name.
+ */
+ pathlen = strlen(target_path);
+- if (pathlen >= MAXPATHLEN) /* total string too long */
++ if (pathlen >= XFS_SYMLINK_MAXLEN) /* total string too long */
+ return -ENAMETOOLONG;
+
+ udqp = gdqp = NULL;
+@@ -559,7 +559,7 @@ xfs_inactive_symlink(
+ return 0;
+ }
+
+- if (pathlen < 0 || pathlen > MAXPATHLEN) {
++ if (pathlen < 0 || pathlen > XFS_SYMLINK_MAXLEN) {
+ xfs_alert(mp, "%s: inode (0x%llx) bad symlink length (%d)",
+ __func__, (unsigned long long)ip->i_ino, pathlen);
+ xfs_iunlock(ip, XFS_ILOCK_EXCL);
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-sanity-check-the-unused-space-before-trying-to-u.patch b/patches.fixes/xfs-sanity-check-the-unused-space-before-trying-to-u.patch
new file mode 100644
index 0000000000..9f1ce38986
--- /dev/null
+++ b/patches.fixes/xfs-sanity-check-the-unused-space-before-trying-to-u.patch
@@ -0,0 +1,321 @@
+From 6915ef35c0350e87a104cb4c4ab2121c81ca7a34 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Fri, 23 Mar 2018 10:06:51 -0700
+Subject: [PATCH] xfs: sanity-check the unused space before trying to use it
+Git-commit: 6915ef35c0350e87a104cb4c4ab2121c81ca7a34
+Patch-mainline: v4.17-rc1
+References: bsc#1123663
+
+In xfs_dir2_data_use_free, we examine on-disk metadata and ASSERT if
+it doesn't make sense. Since a carefully crafted fuzzed image can cause
+the kernel to crash after blowing a bunch of assertions, let's move
+those checks into a validator function and rig everything up to return
+EFSCORRUPTED to userspace. Found by lastbit fuzzing ltail.bestcount via
+xfs/391.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_dir2.h | 2 -
+ fs/xfs/libxfs/xfs_dir2_block.c | 59 ++++++++++++++++++-------------
+ fs/xfs/libxfs/xfs_dir2_data.c | 78 +++++++++++++++++++++++++++++++----------
+ fs/xfs/libxfs/xfs_dir2_leaf.c | 10 +++--
+ fs/xfs/libxfs/xfs_dir2_node.c | 11 ++++-
+ 5 files changed, 111 insertions(+), 49 deletions(-)
+
+--- a/fs/xfs/libxfs/xfs_dir2.h
++++ b/fs/xfs/libxfs/xfs_dir2.h
+@@ -173,7 +173,7 @@
+ extern void xfs_dir2_data_make_free(struct xfs_da_args *args,
+ struct xfs_buf *bp, xfs_dir2_data_aoff_t offset,
+ xfs_dir2_data_aoff_t len, int *needlogp, int *needscanp);
+-extern void xfs_dir2_data_use_free(struct xfs_da_args *args,
++extern int xfs_dir2_data_use_free(struct xfs_da_args *args,
+ struct xfs_buf *bp, struct xfs_dir2_data_unused *dup,
+ xfs_dir2_data_aoff_t offset, xfs_dir2_data_aoff_t len,
+ int *needlogp, int *needscanp);
+--- a/fs/xfs/libxfs/xfs_dir2_block.c
++++ b/fs/xfs/libxfs/xfs_dir2_block.c
+@@ -450,15 +450,19 @@
+ * No stale entries, will use enddup space to hold new leaf.
+ */
+ if (!btp->stale) {
++ xfs_dir2_data_aoff_t aoff;
++
+ /*
+ * Mark the space needed for the new leaf entry, now in use.
+ */
+- xfs_dir2_data_use_free(args, bp, enddup,
+- (xfs_dir2_data_aoff_t)
+- ((char *)enddup - (char *)hdr + be16_to_cpu(enddup->length) -
+- sizeof(*blp)),
+- (xfs_dir2_data_aoff_t)sizeof(*blp),
+- &needlog, &needscan);
++ aoff = (xfs_dir2_data_aoff_t)((char *)enddup - (char *)hdr +
++ be16_to_cpu(enddup->length) - sizeof(*blp));
++ error = xfs_dir2_data_use_free(args, bp, enddup, aoff,
++ (xfs_dir2_data_aoff_t)sizeof(*blp), &needlog,
++ &needscan);
++ if (error)
++ return error;
++
+ /*
+ * Update the tail (entry count).
+ */
+@@ -540,9 +544,11 @@
+ /*
+ * Mark space for the data entry used.
+ */
+- xfs_dir2_data_use_free(args, bp, dup,
+- (xfs_dir2_data_aoff_t)((char *)dup - (char *)hdr),
+- (xfs_dir2_data_aoff_t)len, &needlog, &needscan);
++ error = xfs_dir2_data_use_free(args, bp, dup,
++ (xfs_dir2_data_aoff_t)((char *)dup - (char *)hdr),
++ (xfs_dir2_data_aoff_t)len, &needlog, &needscan);
++ if (error)
++ return error;
+ /*
+ * Create the new data entry.
+ */
+@@ -996,8 +1002,10 @@
+ /*
+ * Use up the space at the end of the block (blp/btp).
+ */
+- xfs_dir2_data_use_free(args, dbp, dup, args->geo->blksize - size, size,
+- &needlog, &needscan);
++ error = xfs_dir2_data_use_free(args, dbp, dup,
++ args->geo->blksize - size, size, &needlog, &needscan);
++ if (error)
++ return error;
+ /*
+ * Initialize the block tail.
+ */
+@@ -1109,18 +1117,14 @@
+ * Add block 0 to the inode.
+ */
+ error = xfs_dir2_grow_inode(args, XFS_DIR2_DATA_SPACE, &blkno);
+- if (error) {
+- kmem_free(sfp);
+- return error;
+- }
++ if (error)
++ goto out_free;
+ /*
+ * Initialize the data block, then convert it to block format.
+ */
+ error = xfs_dir3_data_init(args, blkno, &bp);
+- if (error) {
+- kmem_free(sfp);
+- return error;
+- }
++ if (error)
++ goto out_free;
+ xfs_dir3_block_init(mp, tp, bp, dp);
+ hdr = bp->b_addr;
+
+@@ -1135,8 +1139,10 @@
+ */
+ dup = dp->d_ops->data_unused_p(hdr);
+ needlog = needscan = 0;
+- xfs_dir2_data_use_free(args, bp, dup, args->geo->blksize - i,
+- i, &needlog, &needscan);
++ error = xfs_dir2_data_use_free(args, bp, dup, args->geo->blksize - i,
++ i, &needlog, &needscan);
++ if (error)
++ goto out_free;
+ ASSERT(needscan == 0);
+ /*
+ * Fill in the tail.
+@@ -1149,9 +1155,11 @@
+ /*
+ * Remove the freespace, we'll manage it.
+ */
+- xfs_dir2_data_use_free(args, bp, dup,
+- (xfs_dir2_data_aoff_t)((char *)dup - (char *)hdr),
+- be16_to_cpu(dup->length), &needlog, &needscan);
++ error = xfs_dir2_data_use_free(args, bp, dup,
++ (xfs_dir2_data_aoff_t)((char *)dup - (char *)hdr),
++ be16_to_cpu(dup->length), &needlog, &needscan);
++ if (error)
++ goto out_free;
+ /*
+ * Create entry for .
+ */
+@@ -1255,4 +1263,7 @@
+ xfs_dir2_block_log_tail(tp, bp);
+ xfs_dir3_data_check(dp, bp);
+ return 0;
++out_free:
++ kmem_free(sfp);
++ return error;
+ }
+--- a/fs/xfs/libxfs/xfs_dir2_data.c
++++ b/fs/xfs/libxfs/xfs_dir2_data.c
+@@ -910,10 +910,51 @@
+ *needscanp = needscan;
+ }
+
++/* Check our free data for obvious signs of corruption. */
++static inline xfs_failaddr_t
++xfs_dir2_data_check_free(
++ struct xfs_dir2_data_hdr *hdr,
++ struct xfs_dir2_data_unused *dup,
++ xfs_dir2_data_aoff_t offset,
++ xfs_dir2_data_aoff_t len)
++{
++ if (hdr->magic != cpu_to_be32(XFS_DIR2_DATA_MAGIC) &&
++ hdr->magic != cpu_to_be32(XFS_DIR3_DATA_MAGIC) &&
++ hdr->magic != cpu_to_be32(XFS_DIR2_BLOCK_MAGIC) &&
++ hdr->magic != cpu_to_be32(XFS_DIR3_BLOCK_MAGIC))
++ return __this_address;
++ if (be16_to_cpu(dup->freetag) != XFS_DIR2_DATA_FREE_TAG)
++ return __this_address;
++ if (offset < (char *)dup - (char *)hdr)
++ return __this_address;
++ if (offset + len > (char *)dup + be16_to_cpu(dup->length) - (char *)hdr)
++ return __this_address;
++ if ((char *)dup - (char *)hdr !=
++ be16_to_cpu(*xfs_dir2_data_unused_tag_p(dup)))
++ return __this_address;
++ return NULL;
++}
++
++/* Sanity-check a new bestfree entry. */
++static inline xfs_failaddr_t
++xfs_dir2_data_check_new_free(
++ struct xfs_dir2_data_hdr *hdr,
++ struct xfs_dir2_data_free *dfp,
++ struct xfs_dir2_data_unused *newdup)
++{
++ if (dfp == NULL)
++ return __this_address;
++ if (dfp->length != newdup->length)
++ return __this_address;
++ if (be16_to_cpu(dfp->offset) != (char *)newdup - (char *)hdr)
++ return __this_address;
++ return NULL;
++}
++
+ /*
+ * Take a byte range out of an existing unused space and make it un-free.
+ */
+-void
++int
+ xfs_dir2_data_use_free(
+ struct xfs_da_args *args,
+ struct xfs_buf *bp,
+@@ -925,23 +966,19 @@
+ {
+ xfs_dir2_data_hdr_t *hdr; /* data block header */
+ xfs_dir2_data_free_t *dfp; /* bestfree pointer */
++ xfs_dir2_data_unused_t *newdup; /* new unused entry */
++ xfs_dir2_data_unused_t *newdup2; /* another new unused entry */
++ struct xfs_dir2_data_free *bf;
++ xfs_failaddr_t fa;
+ int matchback; /* matches end of freespace */
+ int matchfront; /* matches start of freespace */
+ int needscan; /* need to regen bestfree */
+- xfs_dir2_data_unused_t *newdup; /* new unused entry */
+- xfs_dir2_data_unused_t *newdup2; /* another new unused entry */
+ int oldlen; /* old unused entry's length */
+- struct xfs_dir2_data_free *bf;
+
+ hdr = bp->b_addr;
+- ASSERT(hdr->magic == cpu_to_be32(XFS_DIR2_DATA_MAGIC) ||
+- hdr->magic == cpu_to_be32(XFS_DIR3_DATA_MAGIC) ||
+- hdr->magic == cpu_to_be32(XFS_DIR2_BLOCK_MAGIC) ||
+- hdr->magic == cpu_to_be32(XFS_DIR3_BLOCK_MAGIC));
+- ASSERT(be16_to_cpu(dup->freetag) == XFS_DIR2_DATA_FREE_TAG);
+- ASSERT(offset >= (char *)dup - (char *)hdr);
+- ASSERT(offset + len <= (char *)dup + be16_to_cpu(dup->length) - (char *)hdr);
+- ASSERT((char *)dup - (char *)hdr == be16_to_cpu(*xfs_dir2_data_unused_tag_p(dup)));
++ fa = xfs_dir2_data_check_free(hdr, dup, offset, len);
++ if (fa)
++ goto corrupt;
+ /*
+ * Look up the entry in the bestfree table.
+ */
+@@ -986,9 +1023,9 @@
+ xfs_dir2_data_freeremove(hdr, bf, dfp, needlogp);
+ dfp = xfs_dir2_data_freeinsert(hdr, bf, newdup,
+ needlogp);
+- ASSERT(dfp != NULL);
+- ASSERT(dfp->length == newdup->length);
+- ASSERT(be16_to_cpu(dfp->offset) == (char *)newdup - (char *)hdr);
++ fa = xfs_dir2_data_check_new_free(hdr, dfp, newdup);
++ if (fa)
++ goto corrupt;
+ /*
+ * If we got inserted at the last slot,
+ * that means we don't know if there was a better
+@@ -1014,9 +1051,9 @@
+ xfs_dir2_data_freeremove(hdr, bf, dfp, needlogp);
+ dfp = xfs_dir2_data_freeinsert(hdr, bf, newdup,
+ needlogp);
+- ASSERT(dfp != NULL);
+- ASSERT(dfp->length == newdup->length);
+- ASSERT(be16_to_cpu(dfp->offset) == (char *)newdup - (char *)hdr);
++ fa = xfs_dir2_data_check_new_free(hdr, dfp, newdup);
++ if (fa)
++ goto corrupt;
+ /*
+ * If we got inserted at the last slot,
+ * that means we don't know if there was a better
+@@ -1062,4 +1099,9 @@
+ }
+ }
+ *needscanp = needscan;
++ return 0;
++corrupt:
++ xfs_corruption_error(__func__, XFS_ERRLEVEL_LOW, args->dp->i_mount,
++ hdr, __FILE__, __LINE__, fa);
++ return -EFSCORRUPTED;
+ }
+--- a/fs/xfs/libxfs/xfs_dir2_leaf.c
++++ b/fs/xfs/libxfs/xfs_dir2_leaf.c
+@@ -850,9 +850,13 @@
+ /*
+ * Mark the initial part of our freespace in use for the new entry.
+ */
+- xfs_dir2_data_use_free(args, dbp, dup,
+- (xfs_dir2_data_aoff_t)((char *)dup - (char *)hdr), length,
+- &needlog, &needscan);
++ error = xfs_dir2_data_use_free(args, dbp, dup,
++ (xfs_dir2_data_aoff_t)((char *)dup - (char *)hdr),
++ length, &needlog, &needscan);
++ if (error) {
++ xfs_trans_brelse(tp, lbp);
++ return error;
++ }
+ /*
+ * Initialize our new entry (at last).
+ */
+--- a/fs/xfs/libxfs/xfs_dir2_node.c
++++ b/fs/xfs/libxfs/xfs_dir2_node.c
+@@ -1713,6 +1713,7 @@
+ __be16 *bests;
+ struct xfs_dir3_icfree_hdr freehdr;
+ struct xfs_dir2_data_free *bf;
++ xfs_dir2_data_aoff_t aoff;
+
+ dp = args->dp;
+ mp = dp->i_mount;
+@@ -2007,9 +2008,13 @@
+ /*
+ * Mark the first part of the unused space, inuse for us.
+ */
+- xfs_dir2_data_use_free(args, dbp, dup,
+- (xfs_dir2_data_aoff_t)((char *)dup - (char *)hdr), length,
+- &needlog, &needscan);
++ aoff = (xfs_dir2_data_aoff_t)((char *)dup - (char *)hdr);
++ error = xfs_dir2_data_use_free(args, dbp, dup, aoff, length,
++ &needlog, &needscan);
++ if (error) {
++ xfs_trans_brelse(tp, dbp);
++ return error;
++ }
+ /*
+ * Fill in the new entry and log it.
+ */
diff --git a/patches.kabi/kabi-protect-ip_options_rcv_srr.patch b/patches.kabi/kabi-protect-ip_options_rcv_srr.patch
new file mode 100644
index 0000000000..a7498c980f
--- /dev/null
+++ b/patches.kabi/kabi-protect-ip_options_rcv_srr.patch
@@ -0,0 +1,66 @@
+From: Jiri Slaby <jslaby@suse.cz>
+Subject: kABI: protect ip_options_rcv_srr
+Patch-mainline: never, kabi
+References: kabi
+
+In networking-stable-19_04_10, commit
+8c83f2df9c6578ea4c5b940d8238ad8a41b87e9e (vrf: check accept_source_route
+on the original netdevice) added a parameter to ip_options_rcv_srr.
+This indeed changed the checksum of this exported function and the kABI
+checker now complains.
+
+Introduce ip_options_rcv_srr2 with the new set of parameters and let
+ip_options_rcv_srr as it was.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/net/ip.h | 3 ++-
+ net/ipv4/ip_input.c | 2 +-
+ net/ipv4/ip_options.c | 8 +++++++-
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -594,7 +594,8 @@ int ip_options_get_from_user(struct net
+ unsigned char __user *data, int optlen);
+ void ip_options_undo(struct ip_options *opt);
+ void ip_forward_options(struct sk_buff *skb);
+-int ip_options_rcv_srr(struct sk_buff *skb, struct net_device *dev);
++int ip_options_rcv_srr(struct sk_buff *skb);
++int ip_options_rcv_srr2(struct sk_buff *skb, struct net_device *dev);
+
+ /*
+ * Functions provided by ip_sockglue.c
+--- a/net/ipv4/ip_input.c
++++ b/net/ipv4/ip_input.c
+@@ -298,7 +298,7 @@ static inline bool ip_rcv_options(struct
+ }
+ }
+
+- if (ip_options_rcv_srr(skb, dev))
++ if (ip_options_rcv_srr2(skb, dev))
+ goto drop;
+ }
+
+--- a/net/ipv4/ip_options.c
++++ b/net/ipv4/ip_options.c
+@@ -614,7 +614,7 @@ void ip_forward_options(struct sk_buff *
+ }
+ }
+
+-int ip_options_rcv_srr(struct sk_buff *skb, struct net_device *dev)
++int ip_options_rcv_srr2(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct ip_options *opt = &(IPCB(skb)->opt);
+ int srrspace, srrptr;
+@@ -670,4 +670,10 @@ int ip_options_rcv_srr(struct sk_buff *s
+ }
+ return 0;
+ }
++EXPORT_SYMBOL(ip_options_rcv_srr2);
++
++int ip_options_rcv_srr(struct sk_buff *skb)
++{
++ return ip_options_rcv_srr2(skb, skb->dev);
++}
+ EXPORT_SYMBOL(ip_options_rcv_srr);
diff --git a/patches.kabi/kabi-protect-struct-mlx5_td.patch b/patches.kabi/kabi-protect-struct-mlx5_td.patch
new file mode 100644
index 0000000000..606bbe4a3d
--- /dev/null
+++ b/patches.kabi/kabi-protect-struct-mlx5_td.patch
@@ -0,0 +1,30 @@
+From: Jiri Slaby <jslaby@suse.cz>
+Subject: kABI: protect struct mlx5_td
+Patch-mainline: never, kabi
+References: kabi
+
+In networking-stable-19_04_10, upstream commit
+80a2a9026b24c6bd34b8d58256973e22270bedec (net/mlx5e: Add a lock on tir
+list) added a list_lock to struct mlx5_td. It made the kABI checker to
+complain.
+
+Given the structure is private to mlx5, hide the change from the kABI
+checker.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/linux/mlx5/driver.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -746,7 +746,9 @@ struct mlx5_pagefault {
+
+ struct mlx5_td {
+ /* protects tirs list changes while tirs refresh */
++#ifndef __GENKSYMS__
+ struct mutex list_lock;
++#endif
+ struct list_head tirs_list;
+ u32 tdn;
+ };
diff --git a/patches.suse/bnxt_en-Improve-RX-consumer-index-validity-check.patch b/patches.suse/bnxt_en-Improve-RX-consumer-index-validity-check.patch
new file mode 100644
index 0000000000..aa55f26c24
--- /dev/null
+++ b/patches.suse/bnxt_en-Improve-RX-consumer-index-validity-check.patch
@@ -0,0 +1,54 @@
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Mon, 8 Apr 2019 17:39:54 -0400
+Subject: bnxt_en: Improve RX consumer index validity check.
+Git-commit: a1b0e4e684e9c300b9e759b46cb7a0147e61ddff
+Patch-mainline: v5.1-rc5
+References: networking-stable-19_04_10
+
+There is logic to check that the RX/TPA consumer index is the expected
+index to work around a hardware problem. However, the potentially bad
+consumer index is first used to index into an array to reference an entry.
+This can potentially crash if the bad consumer index is beyond legal
+range. Improve the logic to use the consumer index for dereferencing
+after the validity check and log an error message.
+
+Fixes: fa7e28127a5a ("bnxt_en: Add workaround to detect bad opaque in rx completion (part 2)")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -1089,6 +1089,8 @@ static void bnxt_tpa_start(struct bnxt *
+ tpa_info = &rxr->rx_tpa[agg_id];
+
+ if (unlikely(cons != rxr->rx_next_cons)) {
++ netdev_warn(bp->dev, "TPA cons %x != expected cons %x\n",
++ cons, rxr->rx_next_cons);
+ bnxt_sched_reset(bp, rxr);
+ return;
+ }
+@@ -1541,15 +1543,17 @@ static int bnxt_rx_pkt(struct bnxt *bp,
+ }
+
+ cons = rxcmp->rx_cmp_opaque;
+- rx_buf = &rxr->rx_buf_ring[cons];
+- data = rx_buf->data;
+- data_ptr = rx_buf->data_ptr;
+ if (unlikely(cons != rxr->rx_next_cons)) {
+ int rc1 = bnxt_discard_rx(bp, bnapi, raw_cons, rxcmp);
+
++ netdev_warn(bp->dev, "RX cons %x != expected cons %x\n",
++ cons, rxr->rx_next_cons);
+ bnxt_sched_reset(bp, rxr);
+ return rc1;
+ }
++ rx_buf = &rxr->rx_buf_ring[cons];
++ data = rx_buf->data;
++ data_ptr = rx_buf->data_ptr;
+ prefetch(data_ptr);
+
+ misc = le32_to_cpu(rxcmp->rx_cmp_misc_v1);
diff --git a/patches.suse/bnxt_en-Reset-device-on-RX-buffer-errors.patch b/patches.suse/bnxt_en-Reset-device-on-RX-buffer-errors.patch
new file mode 100644
index 0000000000..665c611824
--- /dev/null
+++ b/patches.suse/bnxt_en-Reset-device-on-RX-buffer-errors.patch
@@ -0,0 +1,39 @@
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Mon, 8 Apr 2019 17:39:55 -0400
+Subject: bnxt_en: Reset device on RX buffer errors.
+Git-commit: 8e44e96c6c8e8fb80b84a2ca11798a8554f710f2
+Patch-mainline: v5.1-rc5
+References: networking-stable-19_04_10
+
+If the RX completion indicates RX buffers errors, the RX ring will be
+disabled by firmware and no packets will be received on that ring from
+that point on. Recover by resetting the device.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -1570,11 +1570,17 @@ static int bnxt_rx_pkt(struct bnxt *bp,
+
+ rx_buf->data = NULL;
+ if (rxcmp1->rx_cmp_cfa_code_errors_v2 & RX_CMP_L2_ERRORS) {
++ u32 rx_err = le32_to_cpu(rxcmp1->rx_cmp_cfa_code_errors_v2);
++
+ bnxt_reuse_rx_data(rxr, cons, data);
+ if (agg_bufs)
+ bnxt_reuse_rx_agg_bufs(bnapi, cp_cons, agg_bufs);
+
+ rc = -EIO;
++ if (rx_err & RX_CMPL_ERRORS_BUFFER_ERROR_MASK) {
++ netdev_warn(bp->dev, "RX buffer error %x\n", rx_err);
++ bnxt_sched_reset(bp, rxr);
++ }
+ goto next_rx;
+ }
+
diff --git a/patches.suse/ip6_tunnel-Match-to-ARPHRD_TUNNEL6-for-dev-type.patch b/patches.suse/ip6_tunnel-Match-to-ARPHRD_TUNNEL6-for-dev-type.patch
new file mode 100644
index 0000000000..a6a8d99d70
--- /dev/null
+++ b/patches.suse/ip6_tunnel-Match-to-ARPHRD_TUNNEL6-for-dev-type.patch
@@ -0,0 +1,48 @@
+From: Sheena Mira-ato <sheena.mira-ato@alliedtelesis.co.nz>
+Date: Mon, 1 Apr 2019 13:04:42 +1300
+Subject: ip6_tunnel: Match to ARPHRD_TUNNEL6 for dev type
+Git-commit: b2e54b09a3d29c4db883b920274ca8dca4d9f04d
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+The device type for ip6 tunnels is set to
+ARPHRD_TUNNEL6. However, the ip4ip6_err function
+is expecting the device type of the tunnel to be
+ARPHRD_TUNNEL. Since the device types do not
+match, the function exits and the ICMP error
+packet is not sent to the originating host. Note
+that the device type for IPv4 tunnels is set to
+ARPHRD_TUNNEL.
+
+Fix is to expect a tunnel device type of
+ARPHRD_TUNNEL6 instead. Now the tunnel device
+type matches and the ICMP error packet is sent
+to the originating host.
+
+Signed-off-by: Sheena Mira-ato <sheena.mira-ato@alliedtelesis.co.nz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/ip6_tunnel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -633,7 +633,7 @@ ip4ip6_err(struct sk_buff *skb, struct i
+ IPPROTO_IPIP,
+ RT_TOS(eiph->tos), 0);
+ if (IS_ERR(rt) ||
+- rt->dst.dev->type != ARPHRD_TUNNEL) {
++ rt->dst.dev->type != ARPHRD_TUNNEL6) {
+ if (!IS_ERR(rt))
+ ip_rt_put(rt);
+ goto out;
+@@ -643,7 +643,7 @@ ip4ip6_err(struct sk_buff *skb, struct i
+ ip_rt_put(rt);
+ if (ip_route_input(skb2, eiph->daddr, eiph->saddr, eiph->tos,
+ skb2->dev) ||
+- skb_dst(skb2)->dev->type != ARPHRD_TUNNEL)
++ skb_dst(skb2)->dev->type != ARPHRD_TUNNEL6)
+ goto out;
+ }
+
diff --git a/patches.suse/net-ethtool-not-call-vzalloc-for-zero-sized-memory-r.patch b/patches.suse/net-ethtool-not-call-vzalloc-for-zero-sized-memory-r.patch
new file mode 100644
index 0000000000..f721c58362
--- /dev/null
+++ b/patches.suse/net-ethtool-not-call-vzalloc-for-zero-sized-memory-r.patch
@@ -0,0 +1,94 @@
+From: Li RongQing <lirongqing@baidu.com>
+Date: Fri, 29 Mar 2019 09:18:02 +0800
+Subject: net: ethtool: not call vzalloc for zero sized memory request
+Git-commit: 3d8830266ffc28c16032b859e38a0252e014b631
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+NULL or ZERO_SIZE_PTR will be returned for zero sized memory
+request, and derefencing them will lead to a segfault
+
+so it is unnecessory to call vzalloc for zero sized memory
+request and not call functions which maybe derefence the
+NULL allocated memory
+
+this also fixes a possible memory leak if phy_ethtool_get_stats
+returns error, memory should be freed before exit
+
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Reviewed-by: Wang Li <wangli39@baidu.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/core/ethtool.c | 42 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 28 insertions(+), 14 deletions(-)
+
+--- a/net/core/ethtool.c
++++ b/net/core/ethtool.c
+@@ -1832,11 +1832,16 @@ static int ethtool_get_strings(struct ne
+ WARN_ON_ONCE(!ret);
+
+ gstrings.len = ret;
+- data = vzalloc(gstrings.len * ETH_GSTRING_LEN);
+- if (gstrings.len && !data)
+- return -ENOMEM;
+
+- __ethtool_get_strings(dev, gstrings.string_set, data);
++ if (gstrings.len) {
++ data = vzalloc(gstrings.len * ETH_GSTRING_LEN);
++ if (!data)
++ return -ENOMEM;
++
++ __ethtool_get_strings(dev, gstrings.string_set, data);
++ } else {
++ data = NULL;
++ }
+
+ ret = -EFAULT;
+ if (copy_to_user(useraddr, &gstrings, sizeof(gstrings)))
+@@ -1932,11 +1937,15 @@ static int ethtool_get_stats(struct net_
+ return -EFAULT;
+
+ stats.n_stats = n_stats;
+- data = vzalloc(n_stats * sizeof(u64));
+- if (n_stats && !data)
+- return -ENOMEM;
+
+- ops->get_ethtool_stats(dev, &stats, data);
++ if (n_stats) {
++ data = vzalloc(n_stats * sizeof(u64));
++ if (!data)
++ return -ENOMEM;
++ ops->get_ethtool_stats(dev, &stats, data);
++ } else {
++ data = NULL;
++ }
+
+ ret = -EFAULT;
+ if (copy_to_user(useraddr, &stats, sizeof(stats)))
+@@ -1972,13 +1981,18 @@ static int ethtool_get_phy_stats(struct
+ return -EFAULT;
+
+ stats.n_stats = n_stats;
+- data = vzalloc(n_stats * sizeof(u64));
+- if (n_stats && !data)
+- return -ENOMEM;
+
+- mutex_lock(&phydev->lock);
+- phydev->drv->get_stats(phydev, &stats, data);
+- mutex_unlock(&phydev->lock);
++ if (n_stats) {
++ data = vzalloc(n_stats * sizeof(u64));
++ if (!data)
++ return -ENOMEM;
++
++ mutex_lock(&phydev->lock);
++ phydev->drv->get_stats(phydev, &stats, data);
++ mutex_unlock(&phydev->lock);
++ } else {
++ data = NULL;
++ }
+
+ ret = -EFAULT;
+ if (copy_to_user(useraddr, &stats, sizeof(stats)))
diff --git a/patches.suse/net-gro-Fix-GRO-flush-when-receiving-a-GSO-packet.patch b/patches.suse/net-gro-Fix-GRO-flush-when-receiving-a-GSO-packet.patch
new file mode 100644
index 0000000000..3096cf699c
--- /dev/null
+++ b/patches.suse/net-gro-Fix-GRO-flush-when-receiving-a-GSO-packet.patch
@@ -0,0 +1,37 @@
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Tue, 2 Apr 2019 08:16:03 +0200
+Subject: net-gro: Fix GRO flush when receiving a GSO packet.
+Git-commit: 0ab03f353d3613ea49d1f924faf98559003670a8
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+Currently we may merge incorrectly a received GSO packet
+or a packet with frag_list into a packet sitting in the
+gro_hash list. skb_segment() may crash case because
+the assumptions on the skb layout are not met.
+The correct behaviour would be to flush the packet in the
+gro_hash list and send the received GSO packet directly
+afterwards. Commit d61d072e87c8e ("net-gro: avoid reorders")
+sets NAPI_GRO_CB(skb)->flush in this case, but this is not
+checked before merging. This patch makes sure to check this
+flag and to not merge in that case.
+
+Fixes: d61d072e87c8e ("net-gro: avoid reorders")
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/core/skbuff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3389,7 +3389,7 @@ int skb_gro_receive(struct sk_buff **hea
+ struct sk_buff *lp, *p = *head;
+ unsigned int delta_truesize;
+
+- if (unlikely(p->len + len >= 65536))
++ if (unlikely(p->len + len >= 65536 || NAPI_GRO_CB(skb)->flush))
+ return -E2BIG;
+
+ lp = NAPI_GRO_CB(p)->last;
diff --git a/patches.suse/net-mlx5-Decrease-default-mr-cache-size.patch b/patches.suse/net-mlx5-Decrease-default-mr-cache-size.patch
new file mode 100644
index 0000000000..b4de55c3d5
--- /dev/null
+++ b/patches.suse/net-mlx5-Decrease-default-mr-cache-size.patch
@@ -0,0 +1,55 @@
+From: Artemy Kovalyov <artemyko@mellanox.com>
+Date: Tue, 19 Mar 2019 11:24:38 +0200
+Subject: net/mlx5: Decrease default mr cache size
+Git-commit: e8b26b2135dedc0284490bfeac06dfc4418d0105
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+Delete initialization of high order entries in mr cache to decrease initial
+memory footprint. When required, the administrator can populate the
+entries with memory keys via the /sys interface.
+
+This approach is very helpful to significantly reduce the per HW function
+memory footprint in virtualization environments such as SRIOV.
+
+Fixes: 9603b61de1ee ("mlx5: Move pci device handling from mlx5_ib to mlx5_core")
+Signed-off-by: Artemy Kovalyov <artemyko@mellanox.com>
+Signed-off-by: Moni Shoua <monis@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Reported-by: Shalom Toledo <shalomt@mellanox.com>
+Acked-by: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 20 --------------------
+ 1 file changed, 20 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -156,26 +156,6 @@ static struct mlx5_profile profile[] = {
+ .size = 8,
+ .limit = 4
+ },
+- .mr_cache[16] = {
+- .size = 8,
+- .limit = 4
+- },
+- .mr_cache[17] = {
+- .size = 8,
+- .limit = 4
+- },
+- .mr_cache[18] = {
+- .size = 8,
+- .limit = 4
+- },
+- .mr_cache[19] = {
+- .size = 4,
+- .limit = 2
+- },
+- .mr_cache[20] = {
+- .size = 4,
+- .limit = 2
+- },
+ },
+ };
+
diff --git a/patches.suse/net-mlx5e-Add-a-lock-on-tir-list.patch b/patches.suse/net-mlx5e-Add-a-lock-on-tir-list.patch
new file mode 100644
index 0000000000..e72ab4b477
--- /dev/null
+++ b/patches.suse/net-mlx5e-Add-a-lock-on-tir-list.patch
@@ -0,0 +1,78 @@
+From: Yuval Avnery <yuvalav@mellanox.com>
+Date: Mon, 11 Mar 2019 06:18:24 +0200
+Subject: net/mlx5e: Add a lock on tir list
+Git-commit: 80a2a9026b24c6bd34b8d58256973e22270bedec
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+Refresh tirs is looping over a global list of tirs while netdevs are
+adding and removing tirs from that list. That is why a lock is
+required.
+
+Fixes: 724b2aa15126 ("net/mlx5e: TIRs management refactoring")
+Signed-off-by: Yuval Avnery <yuvalav@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_common.c | 7 +++++++
+ include/linux/mlx5/driver.h | 2 ++
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_common.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_common.c
+@@ -45,7 +45,9 @@ int mlx5e_create_tir(struct mlx5_core_de
+ if (err)
+ return err;
+
++ mutex_lock(&mdev->mlx5e_res.td.list_lock);
+ list_add(&tir->list, &mdev->mlx5e_res.td.tirs_list);
++ mutex_unlock(&mdev->mlx5e_res.td.list_lock);
+
+ return 0;
+ }
+@@ -53,8 +55,10 @@ int mlx5e_create_tir(struct mlx5_core_de
+ void mlx5e_destroy_tir(struct mlx5_core_dev *mdev,
+ struct mlx5e_tir *tir)
+ {
++ mutex_lock(&mdev->mlx5e_res.td.list_lock);
+ mlx5_core_destroy_tir(mdev, tir->tirn);
+ list_del(&tir->list);
++ mutex_unlock(&mdev->mlx5e_res.td.list_lock);
+ }
+
+ static int mlx5e_create_mkey(struct mlx5_core_dev *mdev, u32 pdn,
+@@ -114,6 +118,7 @@ int mlx5e_create_mdev_resources(struct m
+ }
+
+ INIT_LIST_HEAD(&mdev->mlx5e_res.td.tirs_list);
++ mutex_init(&mdev->mlx5e_res.td.list_lock);
+
+ return 0;
+
+@@ -159,6 +164,7 @@ int mlx5e_refresh_tirs(struct mlx5e_priv
+
+ MLX5_SET(modify_tir_in, in, bitmask.self_lb_en, 1);
+
++ mutex_lock(&mdev->mlx5e_res.td.list_lock);
+ list_for_each_entry(tir, &mdev->mlx5e_res.td.tirs_list, list) {
+ tirn = tir->tirn;
+ err = mlx5_core_modify_tir(mdev, tirn, in, inlen);
+@@ -170,6 +176,7 @@ out:
+ kvfree(in);
+ if (err)
+ netdev_err(priv->netdev, "refresh tir(0x%x) failed, %d\n", tirn, err);
++ mutex_unlock(&mdev->mlx5e_res.td.list_lock);
+
+ return err;
+ }
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -745,6 +745,8 @@ struct mlx5_pagefault {
+ };
+
+ struct mlx5_td {
++ /* protects tirs list changes while tirs refresh */
++ struct mutex list_lock;
+ struct list_head tirs_list;
+ u32 tdn;
+ };
diff --git a/patches.suse/net-mlx5e-Fix-error-handling-when-refreshing-TIRs.patch b/patches.suse/net-mlx5e-Fix-error-handling-when-refreshing-TIRs.patch
new file mode 100644
index 0000000000..6ee2167308
--- /dev/null
+++ b/patches.suse/net-mlx5e-Fix-error-handling-when-refreshing-TIRs.patch
@@ -0,0 +1,43 @@
+From: Gavi Teitz <gavi@mellanox.com>
+Date: Mon, 11 Mar 2019 11:56:34 +0200
+Subject: net/mlx5e: Fix error handling when refreshing TIRs
+Git-commit: bc87a0036826a37b43489b029af8143bd07c6cca
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+Previously, a false positive would be caught if the TIRs list is
+empty, since the err value was initialized to -ENOMEM, and was only
+updated if a TIR is refreshed. This is resolved by initializing the
+err value to zero.
+
+Fixes: b676f653896a ("net/mlx5e: Refactor refresh TIRs")
+Signed-off-by: Gavi Teitz <gavi@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_common.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_common.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_common.c
+@@ -141,15 +141,17 @@ int mlx5e_refresh_tirs(struct mlx5e_priv
+ {
+ struct mlx5_core_dev *mdev = priv->mdev;
+ struct mlx5e_tir *tir;
+- int err = -ENOMEM;
++ int err = 0;
+ u32 tirn = 0;
+ int inlen;
+ void *in;
+
+ inlen = MLX5_ST_SZ_BYTES(modify_tir_in);
+ in = kvzalloc(inlen, GFP_KERNEL);
+- if (!in)
++ if (!in) {
++ err = -ENOMEM;
+ goto out;
++ }
+
+ if (enable_uc_lb)
+ MLX5_SET(modify_tir_in, in, ctx.self_lb_block,
diff --git a/patches.suse/net-sched-act_sample-fix-divide-by-zero-in-the-traff.patch b/patches.suse/net-sched-act_sample-fix-divide-by-zero-in-the-traff.patch
new file mode 100644
index 0000000000..24920c5770
--- /dev/null
+++ b/patches.suse/net-sched-act_sample-fix-divide-by-zero-in-the-traff.patch
@@ -0,0 +1,96 @@
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Thu, 4 Apr 2019 12:31:35 +0200
+Subject: net/sched: act_sample: fix divide by zero in the traffic path
+Git-commit: fae2708174ae95d98d19f194e03d6e8f688ae195
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+the control path of 'sample' action does not validate the value of 'rate'
+provided by the user, but then it uses it as divisor in the traffic path.
+Validate it in tcf_sample_init(), and return -EINVAL with a proper extack
+message in case that value is zero, to fix a splat with the script below:
+
+ # tc f a dev test0 egress matchall action sample rate 0 group 1 index 2
+ # tc -s a s action sample
+ total acts 1
+
+ action order 0: sample rate 1/0 group 1 pipe
+ index 2 ref 1 bind 1 installed 19 sec used 19 sec
+ Action statistics:
+ Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
+ backlog 0b 0p requeues 0
+ # ping 192.0.2.1 -I test0 -c1 -q
+
+ divide error: 0000 [#1] SMP PTI
+ CPU: 1 PID: 6192 Comm: ping Not tainted 5.1.0-rc2.diag2+ #591
+ Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ RIP: 0010:tcf_sample_act+0x9e/0x1e0 [act_sample]
+ Code: 6a f1 85 c0 74 0d 80 3d 83 1a 00 00 00 0f 84 9c 00 00 00 4d 85 e4 0f 84 85 00 00 00 e8 9b d7 9c f1 44 8b 8b e0 00 00 00 31 d2 <41> f7 f1 85 d2 75 70 f6 85 83 00 00 00 10 48 8b 45 10 8b 88 08 01
+ RSP: 0018:ffffae320190ba30 EFLAGS: 00010246
+ RAX: 00000000b0677d21 RBX: ffff8af1ed9ec000 RCX: 0000000059a9fe49
+ RDX: 0000000000000000 RSI: 000000000c7e33b7 RDI: ffff8af23daa0af0
+ RBP: ffff8af1ee11b200 R08: 0000000074fcaf7e R09: 0000000000000000
+ R10: 0000000000000050 R11: ffffffffb3088680 R12: ffff8af232307f80
+ R13: 0000000000000003 R14: ffff8af1ed9ec000 R15: 0000000000000000
+ FS: 00007fe9c6d2f740(0000) GS:ffff8af23da80000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fff6772f000 CR3: 00000000746a2004 CR4: 00000000001606e0
+ Call Trace:
+ tcf_action_exec+0x7c/0x1c0
+ tcf_classify+0x57/0x160
+ __dev_queue_xmit+0x3dc/0xd10
+ ip_finish_output2+0x257/0x6d0
+ ip_output+0x75/0x280
+ ip_send_skb+0x15/0x40
+ raw_sendmsg+0xae3/0x1410
+ sock_sendmsg+0x36/0x40
+ __sys_sendto+0x10e/0x140
+ __x64_sys_sendto+0x24/0x30
+ do_syscall_64+0x60/0x210
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [...]
+ Kernel panic - not syncing: Fatal exception in interrupt
+
+Add a TDC selftest to document that 'rate' is now being validated.
+
+[js] no selftest in 4.12 yet
+
+Reported-by: Matteo Croce <mcroce@redhat.com>
+Fixes: 5c5670fae430 ("net/sched: Introduce sample tc action")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Acked-by: Yotam Gigi <yotam.gi@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sched/act_sample.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_sample.c
++++ b/net/sched/act_sample.c
+@@ -43,6 +43,7 @@ static int tcf_sample_init(struct net *n
+ struct tc_action_net *tn = net_generic(net, sample_net_id);
+ struct nlattr *tb[TCA_SAMPLE_MAX + 1];
+ struct psample_group *psample_group;
++ u32 rate;
+ struct tc_sample *parm;
+ struct tcf_sample *s;
+ bool exists = false;
+@@ -74,10 +75,17 @@ static int tcf_sample_init(struct net *n
+ if (!ovr)
+ return -EEXIST;
+ }
++
++ rate = nla_get_u32(tb[TCA_SAMPLE_RATE]);
++ if (!rate) {
++ if (ret == ACT_P_CREATED)
++ tcf_hash_release(*a, bind);
++ return -EINVAL;
++ }
+ s = to_sample(*a);
+
+ s->tcf_action = parm->action;
+- s->rate = nla_get_u32(tb[TCA_SAMPLE_RATE]);
++ s->rate = rate;
+ s->psample_group_num = nla_get_u32(tb[TCA_SAMPLE_PSAMPLE_GROUP]);
+ psample_group = psample_group_get(net, s->psample_group_num);
+ if (!psample_group) {
diff --git a/patches.suse/net-sched-fix-get-helper-of-the-matchall-cls.patch b/patches.suse/net-sched-fix-get-helper-of-the-matchall-cls.patch
new file mode 100644
index 0000000000..2972c257b6
--- /dev/null
+++ b/patches.suse/net-sched-fix-get-helper-of-the-matchall-cls.patch
@@ -0,0 +1,54 @@
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Thu, 28 Mar 2019 10:35:06 +0100
+Subject: net/sched: fix ->get helper of the matchall cls
+Git-commit: 0db6f8befc32c68bb13d7ffbb2e563c79e913e13
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+It returned always NULL, thus it was never possible to get the filter.
+
+Example:
+$ ip link add foo type dummy
+$ ip link add bar type dummy
+$ tc qdisc add dev foo clsact
+$ tc filter add dev foo protocol all pref 1 ingress handle 1234 \
+ matchall action mirred ingress mirror dev bar
+
+Before the patch:
+$ tc filter get dev foo protocol all pref 1 ingress handle 1234 matchall
+Error: Specified filter handle not found.
+We have an error talking to the kernel
+
+After:
+$ tc filter get dev foo protocol all pref 1 ingress handle 1234 matchall
+filter ingress protocol all pref 1 matchall chain 0 handle 0x4d2
+ not_in_hw
+ action order 1: mirred (Ingress Mirror to device bar) pipe
+ index 1 ref 1 bind 1
+
+[js] mall_get returns ulong in 4.12 yet
+
+CC: Yotam Gigi <yotamg@mellanox.com>
+CC: Jiri Pirko <jiri@mellanox.com>
+Fixes: fd62d9f5c575 ("net/sched: matchall: Fix configuration race")
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sched/cls_matchall.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/sched/cls_matchall.c
++++ b/net/sched/cls_matchall.c
+@@ -103,6 +103,11 @@ static void mall_destroy(struct tcf_prot
+
+ static unsigned long mall_get(struct tcf_proto *tp, u32 handle)
+ {
++ struct cls_mall_head *head = rtnl_dereference(tp->root);
++
++ if (head && head->handle == handle)
++ return (unsigned long)head;
++
+ return 0UL;
+ }
+
diff --git a/patches.suse/sched-do-not-re-read-h_load_next-during-hierarchical-load-calculation.patch b/patches.suse/sched-do-not-re-read-h_load_next-during-hierarchical-load-calculation.patch
index 0fe5e22a26..256f20bd84 100644
--- a/patches.suse/sched-do-not-re-read-h_load_next-during-hierarchical-load-calculation.patch
+++ b/patches.suse/sched-do-not-re-read-h_load_next-during-hierarchical-load-calculation.patch
@@ -5,7 +5,8 @@ Subject: [PATCH] sched: Do not re-read h_load_next during hierarchical load
calculation
References: bnc#1120909
-Patch-mainline: No, under review, expected in 5.1
+Patch-mainline: v5.1
+Git-commit: 0e9f02450da07fc7b1346c8c32c771555173e397
A NULL pointer dereference bug was reported on a distribution kernel but
the same issue should be present on mainline kernel. It occured on s390
@@ -46,14 +47,12 @@ Reviewed-by: Valentin Schneider <valentin.schneider@arm.com>
Signed-off-by: Mel Gorman <mgorman@suse.com>
Cc: stable@vger.kernel.org
---
- kernel/sched/fair.c | 6 +++---
+ kernel/sched/fair.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
-diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
-index 310d0637fe4b..5e61a1a99e38 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
-@@ -7713,10 +7713,10 @@ static void update_cfs_rq_h_load(struct cfs_rq *cfs_rq)
+@@ -7455,10 +7455,10 @@ static void update_cfs_rq_h_load(struct
if (cfs_rq->last_h_load_update == now)
return;
@@ -66,7 +65,7 @@ index 310d0637fe4b..5e61a1a99e38 100644
if (cfs_rq->last_h_load_update == now)
break;
}
-@@ -7726,7 +7726,7 @@ static void update_cfs_rq_h_load(struct cfs_rq *cfs_rq)
+@@ -7468,7 +7468,7 @@ static void update_cfs_rq_h_load(struct
cfs_rq->last_h_load_update = now;
}
diff --git a/patches.suse/sctp-initialize-_pad-of-sockaddr_in-before-copying-t.patch b/patches.suse/sctp-initialize-_pad-of-sockaddr_in-before-copying-t.patch
new file mode 100644
index 0000000000..38ac04eeb5
--- /dev/null
+++ b/patches.suse/sctp-initialize-_pad-of-sockaddr_in-before-copying-t.patch
@@ -0,0 +1,53 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 31 Mar 2019 16:58:15 +0800
+Subject: sctp: initialize _pad of sockaddr_in before copying to user memory
+Git-commit: 09279e615c81ce55e04835970601ae286e3facbe
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+Syzbot report a kernel-infoleak:
+
+ BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
+ Call Trace:
+ _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
+ copy_to_user include/linux/uaccess.h:174 [inline]
+ sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline]
+ sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562
+ ...
+ Uninit was stored to memory at:
+ sctp_transport_init net/sctp/transport.c:61 [inline]
+ sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115
+ sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637
+ sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
+ sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361
+ ...
+ Bytes 8-15 of 16 are uninitialized
+
+It was caused by that th _pad field (the 8-15 bytes) of a v4 addr (saved in
+struct sockaddr_in) wasn't initialized, but directly copied to user memory
+in sctp_getsockopt_peer_addrs().
+
+So fix it by calling memset(addr->v4.sin_zero, 0, 8) to initialize _pad of
+sockaddr_in before copying it to user memory in sctp_v4_addr_to_user(), as
+sctp_v6_addr_to_user() does.
+
+Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Tested-by: Alexander Potapenko <glider@google.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sctp/protocol.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -606,6 +606,7 @@ out:
+ static int sctp_v4_addr_to_user(struct sctp_sock *sp, union sctp_addr *addr)
+ {
+ /* No address mapping for V4 sockets */
++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
+ return sizeof(struct sockaddr_in);
+ }
+
diff --git a/patches.suse/tcp-Ensure-DCTCP-reacts-to-losses.patch b/patches.suse/tcp-Ensure-DCTCP-reacts-to-losses.patch
new file mode 100644
index 0000000000..ea5f9b6086
--- /dev/null
+++ b/patches.suse/tcp-Ensure-DCTCP-reacts-to-losses.patch
@@ -0,0 +1,140 @@
+From: Koen De Schepper <koen.de_schepper@nokia-bell-labs.com>
+Date: Thu, 4 Apr 2019 12:24:02 +0000
+Subject: tcp: Ensure DCTCP reacts to losses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: aecfde23108b8e637d9f5c5e523b24fb97035dc3
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+RFC8257 §3.5 explicitly states that "A DCTCP sender MUST react to
+loss episodes in the same way as conventional TCP".
+
+Currently, Linux DCTCP performs no cwnd reduction when losses
+are encountered. Optionally, the dctcp_clamp_alpha_on_loss resets
+alpha to its maximal value if a RTO happens. This behavior
+is sub-optimal for at least two reasons: i) it ignores losses
+triggering fast retransmissions; and ii) it causes unnecessary large
+cwnd reduction in the future if the loss was isolated as it resets
+the historical term of DCTCP's alpha EWMA to its maximal value (i.e.,
+denoting a total congestion). The second reason has an especially
+noticeable effect when using DCTCP in high BDP environments, where
+alpha normally stays at low values.
+
+This patch replace the clamping of alpha by setting ssthresh to
+half of cwnd for both fast retransmissions and RTOs, at most once
+per RTT. Consequently, the dctcp_clamp_alpha_on_loss module parameter
+has been removed.
+
+The table below shows experimental results where we measured the
+drop probability of a PIE AQM (not applying ECN marks) at a
+bottleneck in the presence of a single TCP flow with either the
+alpha-clamping option enabled or the cwnd halving proposed by this
+patch. Results using reno or cubic are given for comparison.
+
+ | Link | RTT | Drop
+ TCP CC | speed | base+AQM | probability
+ ==================|=========|==========|============
+ CUBIC | 40Mbps | 7+20ms | 0.21%
+ RENO | | | 0.19%
+ DCTCP-CLAMP-ALPHA | | | 25.80%
+ DCTCP-HALVE-CWND | | | 0.22%
+ ------------------|---------|----------|------------
+ CUBIC | 100Mbps | 7+20ms | 0.03%
+ RENO | | | 0.02%
+ DCTCP-CLAMP-ALPHA | | | 23.30%
+ DCTCP-HALVE-CWND | | | 0.04%
+ ------------------|---------|----------|------------
+ CUBIC | 800Mbps | 1+1ms | 0.04%
+ RENO | | | 0.05%
+ DCTCP-CLAMP-ALPHA | | | 18.70%
+ DCTCP-HALVE-CWND | | | 0.06%
+
+We see that, without halving its cwnd for all source of losses,
+DCTCP drives the AQM to large drop probabilities in order to keep
+the queue length under control (i.e., it repeatedly faces RTOs).
+Instead, if DCTCP reacts to all source of losses, it can then be
+controlled by the AQM using similar drop levels than cubic or reno.
+
+Signed-off-by: Koen De Schepper <koen.de_schepper@nokia-bell-labs.com>
+Signed-off-by: Olivier Tilmans <olivier.tilmans@nokia-bell-labs.com>
+Cc: Bob Briscoe <research@bobbriscoe.net>
+Cc: Lawrence Brakmo <brakmo@fb.com>
+Cc: Florian Westphal <fw@strlen.de>
+Cc: Daniel Borkmann <borkmann@iogearbox.net>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Andrew Shewmaker <agshew@gmail.com>
+Cc: Glenn Judd <glenn.judd@morganstanley.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/tcp_dctcp.c | 36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+--- a/net/ipv4/tcp_dctcp.c
++++ b/net/ipv4/tcp_dctcp.c
+@@ -67,11 +67,6 @@ static unsigned int dctcp_alpha_on_init
+ module_param(dctcp_alpha_on_init, uint, 0644);
+ MODULE_PARM_DESC(dctcp_alpha_on_init, "parameter for initial alpha value");
+
+-static unsigned int dctcp_clamp_alpha_on_loss __read_mostly;
+-module_param(dctcp_clamp_alpha_on_loss, uint, 0644);
+-MODULE_PARM_DESC(dctcp_clamp_alpha_on_loss,
+- "parameter for clamping alpha on loss");
+-
+ static struct tcp_congestion_ops dctcp_reno;
+
+ static void dctcp_reset(const struct tcp_sock *tp, struct dctcp *ca)
+@@ -213,21 +208,23 @@ static void dctcp_update_alpha(struct so
+ }
+ }
+
+-static void dctcp_state(struct sock *sk, u8 new_state)
++static void dctcp_react_to_loss(struct sock *sk)
+ {
+- if (dctcp_clamp_alpha_on_loss && new_state == TCP_CA_Loss) {
+- struct dctcp *ca = inet_csk_ca(sk);
++ struct dctcp *ca = inet_csk_ca(sk);
++ struct tcp_sock *tp = tcp_sk(sk);
+
+- /* If this extension is enabled, we clamp dctcp_alpha to
+- * max on packet loss; the motivation is that dctcp_alpha
+- * is an indicator to the extend of congestion and packet
+- * loss is an indicator of extreme congestion; setting
+- * this in practice turned out to be beneficial, and
+- * effectively assumes total congestion which reduces the
+- * window by half.
+- */
+- ca->dctcp_alpha = DCTCP_MAX_ALPHA;
+- }
++ ca->loss_cwnd = tp->snd_cwnd;
++ tp->snd_ssthresh = max(tp->snd_cwnd >> 1U, 2U);
++}
++
++static void dctcp_state(struct sock *sk, u8 new_state)
++{
++ if (new_state == TCP_CA_Recovery &&
++ new_state != inet_csk(sk)->icsk_ca_state)
++ dctcp_react_to_loss(sk);
++ /* We handle RTO in dctcp_cwnd_event to ensure that we perform only
++ * one loss-adjustment per RTT.
++ */
+ }
+
+ static void dctcp_update_ack_reserved(struct sock *sk, enum tcp_ca_event ev)
+@@ -258,6 +255,9 @@ static void dctcp_cwnd_event(struct sock
+ case CA_EVENT_ECN_NO_CE:
+ dctcp_ce_state_1_to_0(sk);
+ break;
++ case CA_EVENT_LOSS:
++ dctcp_react_to_loss(sk);
++ break;
+ case CA_EVENT_DELAYED_ACK:
+ case CA_EVENT_NON_DELAYED_ACK:
+ dctcp_update_ack_reserved(sk, ev);
diff --git a/patches.suse/vrf-check-accept_source_route-on-the-original-netdev.patch b/patches.suse/vrf-check-accept_source_route-on-the-original-netdev.patch
new file mode 100644
index 0000000000..b05e22363f
--- /dev/null
+++ b/patches.suse/vrf-check-accept_source_route-on-the-original-netdev.patch
@@ -0,0 +1,89 @@
+From: Stephen Suryaputra <ssuryaextr@gmail.com>
+Date: Mon, 1 Apr 2019 09:17:32 -0400
+Subject: vrf: check accept_source_route on the original netdevice
+Git-commit: 8c83f2df9c6578ea4c5b940d8238ad8a41b87e9e
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+Configuration check to accept source route IP options should be made on
+the incoming netdevice when the skb->dev is an l3mdev master. The route
+lookup for the source route next hop also needs the incoming netdev.
+
+v2->v3:
+- Simplify by passing the original netdevice down the stack (per David
+ Ahern).
+
+Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/net/ip.h | 2 +-
+ net/ipv4/ip_input.c | 7 +++----
+ net/ipv4/ip_options.c | 4 ++--
+ 3 files changed, 6 insertions(+), 7 deletions(-)
+
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -594,7 +594,7 @@ int ip_options_get_from_user(struct net
+ unsigned char __user *data, int optlen);
+ void ip_options_undo(struct ip_options *opt);
+ void ip_forward_options(struct sk_buff *skb);
+-int ip_options_rcv_srr(struct sk_buff *skb);
++int ip_options_rcv_srr(struct sk_buff *skb, struct net_device *dev);
+
+ /*
+ * Functions provided by ip_sockglue.c
+--- a/net/ipv4/ip_input.c
++++ b/net/ipv4/ip_input.c
+@@ -259,11 +259,10 @@ int ip_local_deliver(struct sk_buff *skb
+ ip_local_deliver_finish);
+ }
+
+-static inline bool ip_rcv_options(struct sk_buff *skb)
++static inline bool ip_rcv_options(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct ip_options *opt;
+ const struct iphdr *iph;
+- struct net_device *dev = skb->dev;
+
+ /* It looks as overkill, because not all
+ IP options require packet mangling.
+@@ -299,7 +298,7 @@ static inline bool ip_rcv_options(struct
+ }
+ }
+
+- if (ip_options_rcv_srr(skb))
++ if (ip_options_rcv_srr(skb, dev))
+ goto drop;
+ }
+
+@@ -362,7 +361,7 @@ static int ip_rcv_finish(struct net *net
+ }
+ #endif
+
+- if (iph->ihl > 5 && ip_rcv_options(skb))
++ if (iph->ihl > 5 && ip_rcv_options(skb, dev))
+ goto drop;
+
+ rt = skb_rtable(skb);
+--- a/net/ipv4/ip_options.c
++++ b/net/ipv4/ip_options.c
+@@ -614,7 +614,7 @@ void ip_forward_options(struct sk_buff *
+ }
+ }
+
+-int ip_options_rcv_srr(struct sk_buff *skb)
++int ip_options_rcv_srr(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct ip_options *opt = &(IPCB(skb)->opt);
+ int srrspace, srrptr;
+@@ -649,7 +649,7 @@ int ip_options_rcv_srr(struct sk_buff *s
+
+ orefdst = skb->_skb_refdst;
+ skb_dst_set(skb, NULL);
+- err = ip_route_input(skb, nexthop, iph->saddr, iph->tos, skb->dev);
++ err = ip_route_input(skb, nexthop, iph->saddr, iph->tos, dev);
+ rt2 = skb_rtable(skb);
+ if (err || (rt2->rt_type != RTN_UNICAST && rt2->rt_type != RTN_LOCAL)) {
+ skb_dst_drop(skb);
diff --git a/series.conf b/series.conf
index 10d41d0587..83eb1a9793 100644
--- a/series.conf
+++ b/series.conf
@@ -3561,13 +3561,17 @@
patches.fixes/xfs-release-bli-from-transaction-properly-on-fs-shut.patch
patches.fixes/xfs-remove-bli-from-AIL-before-release-on-transactio.patch
patches.fixes/xfs-remove-double-underscore-integer-types.patch
+ patches.fixes/xfs-export-various-function-for-the-online-scrubber.patch
patches.fixes/xfs-check-if-an-inode-is-cached-and-allocated.patch
patches.fixes/xfs-reflink-find-shared-should-take-a-transaction.patch
+ patches.fixes/xfs-make-errortag-a-per-mountpoint-structure.patch
+ patches.fixes/xfs-remove-unneeded-parameter-from-XFS_TEST_ERROR.patch
patches.fixes/xfs-rewrite-xfs_dq_get_next_id-using-xfs_iext_lookup.patch
patches.fixes/vfs-Add-page_cache_seek_hole_data-helper.patch
patches.fixes/vfs-Add-iomap_seek_hole-and-iomap_seek_data-helpers.patch
patches.fixes/xfs-Switch-to-iomap-for-SEEK_HOLE-SEEK_DATA.patch
patches.fixes/xfs-fix-contiguous-dquot-chunk-iteration-livelock.patch
+ patches.fixes/xfs-rename-MAXPATHLEN-to-XFS_SYMLINK_MAXLEN.patch
patches.drivers/ipmi_ssif-unlock-on-allocation-failure
patches.drivers/0007-ipmi_ssif-remove-redundant-null-check-on-array-clien.patch
patches.drivers/0008-ipmi-Use-the-proper-default-value-for-register-size-.patch
@@ -4133,6 +4137,7 @@
patches.suse/KVM-nVMX-Fix-loss-of-L2-s-NMI-blocking-state.patch
patches.suse/KVM-s390-take-srcu-lock-when-getting-setting-storage.patch
patches.suse/KVM-LAPIC-Fix-reentrancy-issues-with-preempt-notifie.patch
+ patches.fixes/xfs-check-_btree_check_block-value.patch
patches.fixes/xfs-fix-quotacheck-dquot-id-overflow-infinite-loop.patch
patches.fixes/0001-NFS-Optimize-fallocate-by-refreshing-mapping-when-ne.patch
patches.fixes/perf-x86-intel-uncore-fix-skylake-upi-pmu-event-masks.patch
@@ -8232,6 +8237,9 @@
patches.fixes/0027-xfs-remove-all-xfs_bmbt_set_-helpers-except-for-xfs_.patch
patches.fixes/0028-xfs-remove-xfs_bmbt_get_state.patch
patches.fixes/xfs-return-a-distinct-error-code-value-for-IGET_INCO.patch
+ patches.fixes/xfs-create-block-pointer-check-functions.patch
+ patches.fixes/xfs-refactor-btree-pointer-checks.patch
+ patches.fixes/xfs-refactor-btree-block-header-checking-functions.patch
patches.fixes/0029-xfs-add-a-xfs_bmap_fork_to_state-helper.patch
patches.fixes/0030-xfs-make-better-use-of-the-state-variable-in-xfs_bma.patch
patches.fixes/0031-xfs-remove-post-bmap-tracing-in-xfs_bmap_local_to_ex.patch
@@ -14903,6 +14911,7 @@
patches.fixes/xfs-convert-XFS_AGFL_SIZE-to-a-helper-function.patch
patches.fixes/xfs-remove-xfs_zero_range.patch
patches.fixes/xfs-detect-agfl-count-corruption-and-reset-agfl.patch
+ patches.fixes/xfs-sanity-check-the-unused-space-before-trying-to-u.patch
patches.fixes/xfs-catch-inode-allocation-state-mismatch-corruption.patch
patches.suse/btrfs-do-not-check-inode-s-runtime-flags-under-root-orphan_lock.patch
patches.suse/0014-btrfs-tree-checker-Replace-root-parameter-with-fs_in.patch
@@ -15455,6 +15464,10 @@
patches.suse/net-ipv6-Increment-OUTxxx-counters-after-netfilter-h.patch
patches.drivers/net-sched-fix-NULL-dereference-in-the-error-path-of--3239534a.patch
patches.drivers/crypto-af_alg-fix-possible-uninit-value-in-alg_bind
+ patches.fixes/0001-netlink-fix-uninit-value-in-netlink_sendmsg.patch
+ patches.fixes/0002-net-fix-rtnh_ok.patch
+ patches.fixes/0003-net-initialize-skb-peeked-when-cloning.patch
+ patches.fixes/0004-net-fix-uninit-value-in-__hw_addr_add_ex.patch
patches.fixes/soreuseport-initialise-timewait-reuseport-field.patch
patches.suse/sctp-do-not-leak-kernel-memory-to-user-space.patch
patches.suse/sctp-sctp_sockaddr_af-must-check-minimal-addr-length.patch
@@ -15464,6 +15477,7 @@
patches.drivers/ibmvnic-Fix-failover-case-for-non-redundant-configur.patch
patches.drivers/ibmvnic-Do-not-reset-CRQ-for-Mobility-driver-resets.patch
patches.drivers/dp83640-Ensure-against-premature-access-to-PHY-regis
+ patches.fixes/0005-inetpeer-fix-uninit-value-in-inet_getpeer.patch
patches.drivers/net-thunderx-rework-mac-addresses-list-to-u64-array.patch
patches.drivers/hwmon-pmbus-max8688-Accept-negative-page-register-va
patches.drivers/hwmon-pmbus-adm1275-Accept-negative-page-register-va
@@ -15755,6 +15769,8 @@
patches.suse/tcp-don-t-read-out-of-bounds-opsize.patch
patches.suse/bonding-do-not-set-slave_dev-npinfo-before-slave_ena.patch
patches.suse/ipv6-add-RTA_TABLE-and-RTA_PREFSRC-to-rtm_ipv6_polic.patch
+ patches.fixes/0006-ipvs-fix-rtnl_lock-lockups-caused-by-start_sync_thre.patch
+ patches.fixes/0007-netfilter-nf_tables-can-t-fail-after-linking-rule-in.patch
patches.suse/l2tp-check-sockaddr-length-in-pppol2tp_connect.patch
patches.suse/pppoe-check-sockaddr-length-in-pppoe_connect.patch
patches.suse/amd-xgbe-Add-pre-post-auto-negotiation-phy-hooks.patch
@@ -16054,6 +16070,7 @@
patches.drivers/net-mlx5-Free-IRQs-in-shutdown-path.patch
patches.suse/net-mlx5-E-Switch-Include-VF-RDMA-stats-in-vport-sta.patch
patches.suse/net-mlx5e-Err-if-asked-to-offload-TC-match-on-frag-b.patch
+ patches.fixes/0008-rxrpc-Fix-error-reception-on-AF_INET6-sockets.patch
patches.drivers/ixgbe-return-error-on-unsupported-SFP-module-when-re.patch
patches.drivers/ixgbevf-fix-ixgbevf_xmit_frame-s-return-type.patch
patches.suse/net-sched-fix-error-path-in-tcf_proto_create-when-mo.patch
@@ -16169,8 +16186,10 @@
patches.suse/btrfs-fix-xattr-loss-after-power-failure.patch
patches.suse/btrfs-fix-duplicate-extents-after-fsync-of-file-with.patch
patches.suse/0002-btrfs-fix-reading-stale-metadata-blocks-after-degrad.patch
+ patches.fixes/0009-packet-in-packet_snd-start-writing-at-link-layer-all.patch
patches.drivers/qede-Fix-ref-cnt-usage-count.patch
patches.suse/netfilter-nf_tables-nft_compat-fix-refcount-leak-on-.patch
+ patches.fixes/0010-ipvs-fix-stats-update-from-local-clients.patch
patches.suse/netfilter-nf_tables-don-t-assume-chain-stats-are-set.patch
patches.suse/netfilter-nft_compat-prepare-for-indirect-info-stora.patch
patches.suse/netfilter-nft_compat-fix-handling-of-large-matchinfo.patch
@@ -16180,10 +16199,13 @@
patches.drivers/vmxnet3-set-the-DMA-mask-before-the-first-DMA-map-op.patch
patches.drivers/vmxnet3-use-DMA-memory-barriers-where-required.patch
patches.drivers/net-mlx5-Fix-build-break-when-CONFIG_SMP-n.patch
+ patches.fixes/0011-tcp-purge-write-queue-in-tcp_connect_init.patch
patches.drivers/qed-LL2-flush-isles-when-connection-is-closed.patch
patches.drivers/ibmvnic-Free-coherent-DMA-memory-if-FW-map-failed.patch
patches.drivers/ibmvnic-Fix-non-fatal-firmware-error-reset.patch
patches.drivers/ibmvnic-Fix-statistics-buffers-memory-leak.patch
+ patches.fixes/0012-net-test-tailroom-before-appending-to-linear-skb.patch
+ patches.fixes/0013-net-Fix-a-bug-in-removing-queues-from-XPS-map.patch
patches.fixes/sock_diag-fix-use-after-free-read-in-__sk_free.patch
patches.drivers/net-sched-red-avoid-hashing-NULL-child.patch
patches.drivers/cxgb4-fix-offset-in-collecting-TX-rate-limit-info.patch
@@ -16295,6 +16317,7 @@
patches.suse/net-phy-broadcom-Fix-auxiliary-control-register-read.patch
patches.suse/net-phy-broadcom-Fix-bcm_write_exp.patch
patches.suse/net-mlx4-Fix-irq-unsafe-spinlock-usage.patch
+ patches.fixes/0001-packet-fix-reserve-calculation.patch
patches.suse/net-mlx5e-When-RXFCS-is-set-add-FCS-data-into-checks.patch
patches.drivers/net-mlx5-IPSec-Fix-a-race-between-concurrent-sandbox.patch
patches.suse/vhost-synchronize-IOTLB-message-with-dev-cleanup.patch
@@ -16346,7 +16369,10 @@
patches.drm/drm-i915-lvds-Move-acpi-lid-notification-registratio
patches.drm/drm-psr-Fix-missed-entry-in-PSR-setup-time-table
patches.fixes/scsi-scsi_transport_srp-fix-shost-to-rport-translation
+ patches.fixes/0014-netfilter-nf_tables-fix-NULL-pointer-dereference-on-.patch
+ patches.fixes/0015-netfilter-ebtables-handle-string-from-userspace-with.patch
patches.suse/netfilter-nft_meta-fix-wrong-value-dereference-in-nf.patch
+ patches.fixes/0016-ipvs-fix-buffer-overflow-with-sync-daemon-and-servic.patch
patches.suse/netfilter-nf_tables-disable-preemption-in-nft_update.patch
patches.suse/ipv6-sr-fix-memory-OOB-access-in-seg6_do_srh_encap-i.patch
patches.fixes/atm-zatm-fix-memcmp-casting.patch
@@ -16358,6 +16384,7 @@
patches.suse/net-ethernet-davinci_emac-fix-error-handling-in-prob.patch
patches.suse/net-sysfs-Fix-memory-leak-in-XPS-configuration.patch
patches.suse/kcm-Fix-use-after-free-caused-by-clonned-sockets.patch
+ patches.fixes/0017-xfrm6-avoid-potential-infinite-loop-in-_decode_sessi.patch
patches.suse/ip6_tunnel-remove-magic-mtu-value-0xFFF8.patch
patches.suse/net-usb-cdc_mbim-add-flag-FLAG_SEND_ZLP.patch
patches.fixes/fix-io_destroy-aio_complete-race.patch
@@ -16642,6 +16669,7 @@
patches.drivers/qed-Delete-unused-parameter-p_ptt-from-mcp-APIs.patch
patches.drivers/qed-Add-configuration-information-to-register-dump-a.patch
patches.drivers/qed-Fix-copying-2-strings.patch
+ patches.fixes/0018-sctp-fix-identification-of-new-acks-for-SFR-CACC.patch
patches.drivers/ixgbe-Drop-support-for-macvlan-specific-unicast-list.patch
patches.drivers/igb-Fix-not-adding-filter-elements-to-the-list.patch
patches.drivers/igb-Fix-queue-selection-on-MAC-filters-on-i210.patch
@@ -17268,6 +17296,7 @@
patches.drivers/rtc-pxa-fix-probe-function
patches.suse/net-in-virtio_net_hdr-only-add-VLAN_HLEN-to-csum_sta.patch
patches.suse/msft-hv-1704-hv_netvsc-Fix-a-network-regression-after-ifdown-ifup.patch
+ patches.fixes/0019-ip_tunnel-Fix-name-string-concatenate-in-__ip_tunnel.patch
patches.suse/bonding-re-evaluate-force_primary-when-the-primary-s.patch
patches.suse/net-sched-act_simple-fix-parsing-of-TCA_DEF_DATA.patch
patches.suse/cdc_ncm-avoid-padding-beyond-end-of-skb.patch
@@ -17388,12 +17417,19 @@
patches.arch/KVM-PPC-Book3S-PR-Add-guest-MSR-parameter-for-kvmppc.patch
patches.suse/ipv6-allow-PMTU-exceptions-to-local-routes.patch
patches.suse/net-dsa-add-error-handling-for-pskb_trim_rcsum.patch
+ patches.fixes/0020-netfilter-nf_tables-check-msg_type-before-nft_trans_.patch
+ patches.fixes/0022-ipvs-fix-check-on-xmit-to-non-local-addresses.patch
+ patches.fixes/0023-netfilter-ebtables-reject-non-bridge-targets.patch
+ patches.fixes/0024-netfilter-x_tables-initialise-match-target-check-par.patch
patches.drivers/ixgbe-Fix-setting-of-TC-configuration-for-macvlan-ca.patch
patches.drivers/net-thunderx-prevent-concurrent-data-re-writing-by-n.patch
patches.fixes/xen-netfront-raise-max-number-of-slots-in-xennet_get_responses.patch
patches.suse/netfilter-nf_tables-use-WARN_ON_ONCE-instead-of-BUG_.patch
patches.suse/tcp-verify-the-checksum-of-the-first-data-segment-in.patch
+ patches.fixes/0025-l2tp-only-accept-PPP-sessions-in-pppol2tp_connect.patch
+ patches.fixes/0026-l2tp-prevent-pppol2tp_connect-from-creating-kernel-s.patch
patches.drivers/cfg80211-initialize-sinfo-in-cfg80211_get_station
+ patches.fixes/0027-l2tp-filter-out-non-PPP-sessions-in-pppol2tp_tunnel_.patch
patches.drivers/0001-video-omap-add-module-license-tags.patch
patches.suse/0001-arch-Kconfig-fix-documentation-for-NMI-watchdog.patch
patches.suse/0001-blk-mq-reinit-q-tag_set_list-entry-only-after-grace-.patch
@@ -17468,6 +17504,7 @@
patches.suse/net-packet-fix-use-after-free.patch
patches.suse/VSOCK-fix-loopback-on-big-endian-systems.patch
patches.suse/vhost_net-validate-sock-before-trying-to-put-its-fd.patch
+ patches.fixes/0028-ipv6-mcast-fix-unsolicited-report-interval-after-rec.patch
patches.suse/net-mvneta-fix-the-Rx-desc-DMA-address-in-the-Rx-pat.patch
patches.suse/net-dccp-avoid-crash-in-ccid3_hc_rx_send_feedback.patch
patches.suse/net-dccp-switch-rx_tstamp_last_feedback-to-monotonic.patch
@@ -17707,6 +17744,7 @@
patches.fixes/ieee802154-fakelb-switch-from-BUG_ON-to-WARN_ON-on-p.patch
patches.fixes/ixgbe-Be-more-careful-when-modifying-MAC-filters.patch
patches.suse/net-systemport-Fix-CRC-forwarding-check-for-SYSTEMPO.patch
+ patches.fixes/0002-packet-reset-network-header-if-packet-shorter-than-l.patch
patches.drivers/qlogic-check-kstrtoul-for-errors.patch
patches.suse/tcp-fix-dctcp-delayed-ACK-schedule.patch
patches.fixes/KEYS-DNS-fix-parsing-multiple-options.patch
@@ -17911,6 +17949,7 @@
patches.arch/kvm-x86-vmx-fix-vpid-leak
patches.suse/0084-Partially-revert-block-fail-op_is_write-requests-to-.patch
patches.drivers/mlxsw-core_acl_flex_actions-Return-error-for-conflic.patch
+ patches.fixes/0003-l2tp-fix-missing-refcount-drop-in-pppol2tp_tunnel_io.patch
patches.suse/netlink-Don-t-shift-on-64-for-ngroups.patch
patches.fixes/genirq-Make-force-irq-threading-setup-more-robust.patch
patches.fixes/nohz-Fix-local_timer_softirq_pending.patch
@@ -19184,6 +19223,7 @@
patches.fixes/nl80211-Fix-possible-Spectre-v1-for-CQM-RSSI-thresho.patch
patches.drivers/net-ena-remove-ndo_poll_controller.patch
patches.drivers/ibmvnic-remove-ndo_poll_controller.patch
+ patches.fixes/0004-rxrpc-Fix-transport-sockopts-to-get-IPv4-errors-on-a.patch
patches.drivers/asix-Check-for-supported-Wake-on-LAN-modes.patch
patches.drivers/ax88179_178a-Check-for-supported-Wake-on-LAN-modes.patch
patches.drivers/lan78xx-Check-for-supported-Wake-on-LAN-modes.patch
@@ -19368,12 +19408,14 @@
patches.drivers/pinctrl-at91-pio4-fix-has_config-check-in-atmel_pctl.patch
patches.drivers/pinctrl-qcom-spmi-mpp-Fix-err-handling-of-pmic_mpp_s.patch
patches.drivers/gpio-davinci-remove-unused-member-of-davinci_gpio_controller.patch
+ patches.drivers/leds-pwm-silently-error-out-on-EPROBE_DEFER.patch
patches.drivers/0001-ipmi-ssif-Add-support-for-multi-part-transmit-messag.patch
patches.drivers/ipmi-Fix-timer-race-with-module-unload.patch
patches.drivers/pcmcia-Implement-CLKRUN-protocol-disabling-for-Ricoh.patch
patches.fixes/cpufreq-conservative-Take-limits-changes-into-accoun.patch
patches.arch/x86-hibernate-fix-nosave_regions-setup-for-hibernation
patches.fixes/cpupower-remove-stringop-truncation-waring.patch
+ patches.fixes/ACPICA-AML-interpreter-add-region-addresses-in-globa.patch
patches.drivers/ACPI-LPSS-Add-alternative-ACPI-HIDs-for-Cherry-Trail.patch
patches.drivers/ACPI-processor-Fix-the-return-value-of-acpi_processo.patch
patches.drivers/mailbox-PCC-handle-parse-error.patch
@@ -19734,6 +19776,7 @@
patches.drm/0001-drm-cirrus-Use-drm_framebuffer_put-to-avoid-kernel-o.patch
patches.drm/0001-drm-virtio-fix-bounds-check-in-virtio_gpu_cmd_get_ca.patch
patches.drm/drm-rockchip-Allow-driver-to-be-shutdown-on-reboot-k.patch
+ patches.drm/drm-i915-Downgrade-Gen9-Plane-WM-latency-error.patch
patches.drm/drm-i915-cfl-Add-a-new-CFL-PCI-ID
patches.drm/8855-drm-i915-audio-hook-up-component-bindings-even-if-displays-are-disabled
patches.drm/drm-amdgpu-add-missing-CHIP_HAINAN-in-amdgpu_ucode_g.patch
@@ -20116,6 +20159,7 @@
patches.drivers/staging-rtl8723bs-Add-missing-return-for-cfg80211_rt.patch
patches.drivers/staging-vchiq_arm-fix-compat-VCHIQ_IOC_AWAIT_COMPLET.patch
patches.drivers/iio-st_magn-Fix-enable-device-after-trigger.patch
+ patches.fixes/devres-Align-data-to-ARCH_KMALLOC_MINALIGN.patch
patches.drivers/misc-mic-scif-fix-copy-paste-error-in-scif_create_re.patch
patches.fixes/unifdef-use-memcpy-instead-of-strncpy.patch
patches.fixes/fscache-Fix-race-in-fscache_op_complete-due-to-split.patch
@@ -20376,6 +20420,7 @@
patches.drm/drm-rockchip-fix-for-mailbox-read-size.patch
patches.drm/0003-drm-i915-Redefine-some-Whiskey-Lake-SKUs.patch
patches.drivers/ALSA-x86-Fix-runtime-PM-for-hdmi-lpe-audio.patch
+ patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch
patches.drm/0001-drm-rcar-du-Fix-vblank-initialization.patch
patches.drm/0001-drm-rcar-du-Fix-external-clock-error-checks.patch
patches.drm/0004-drm-atomic-helper-Complete-fake_commit-flip_done-pot.patch
@@ -20861,6 +20906,7 @@
patches.drivers/USB-serial-pl2303-add-new-PID-to-support-PL2303TB.patch
patches.drivers/uart-Fix-crash-in-uart_write-and-uart_put_char.patch
patches.drivers/tty-n_hdlc-fix-__might_sleep-warning.patch
+ patches.fixes/vt-always-call-notifier-with-the-console-lock-held.patch
patches.drivers/vt-invoke-notifier-on-screen-size-change.patch
patches.drivers/tty-Handle-problem-if-line-discipline-does-not-have-.patch
patches.drivers/serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch
@@ -21182,6 +21228,7 @@
patches.fixes/0001-ip6mr-Do-not-call-__IP6_INC_STATS-from-preemptible-c.patch
patches.drivers/team-Free-BPF-filter-when-unregistering-netdev.patch
patches.drivers/sky2-Disable-MSI-on-Dell-Inspiron-1545-and-Gateway-P.patch
+ patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch
patches.fixes/0001-net-dsa-mv88e6xxx-handle-unknown-duplex-modes-gracef.patch
patches.fixes/0001-net-sysfs-Fix-mem-leak-in-netdev_register_kobject.patch
patches.suse/qmi_wwan-Add-support-for-Quectel-EG12-EM12.patch
@@ -21297,6 +21344,7 @@
patches.drm/drm-nouveau-Stop-using-drm_crtc_force_disable.patch
patches.drm/drm-Auto-set-allow_fb_modifiers-when-given-modifiers.patch
patches.drm/0003-drm-shmob-Fix-return-value-check-in-shmob_drm_probe.patch
+ patches.drm/drm-rockchip-fix-for-mailbox-read-validation.patch
patches.drm/drm-disable-uncached-DMA-optimization-for-ARM-and-ar.patch
patches.drm/drm-nouveau-volt-gf117-fix-speedo-readout-register.patch
patches.drm/0001-drm-nouveau-bios-ramcfg-fix-missing-parentheses-when.patch
@@ -21407,6 +21455,7 @@
patches.drivers/tpm-Fix-some-name-collisions-with-drivers-char-tpm.h.patch
patches.fixes/tipc-fix-RDM-DGRAM-connect-regression.patch
patches.fixes/0001-ipv4-route-fail-early-when-inet-dev-is-missing.patch
+ patches.fixes/appletalk-Fix-compile-regression.patch
patches.suse/net-hsr-fix-memory-leak-in-hsr_dev_finalize.patch
patches.suse/ravb-Decrease-TxFIFO-depth-of-Q3-and-Q2-to-one.patch
patches.drivers/enic-fix-build-warning-without-CONFIG_CPUMASK_OFFSTA.patch
@@ -21542,6 +21591,7 @@
patches.drm/0001-drm-vmwgfx-Don-t-double-free-the-mode-stored-in-par-.patch
patches.drivers/mmc-pxamci-fix-enum-type-confusion.patch
patches.drivers/mmc-davinci-remove-extraneous-__init-annotation.patch
+ patches.fixes/ACPI-utils-Drop-reference-in-test-for-device-presenc.patch
patches.drivers/ALSA-echoaudio-add-a-check-for-ioremap_nocache.patch
patches.drivers/ALSA-sb8-add-a-check-for-request_region.patch
patches.drivers/ALSA-firewire-motu-use-version-field-of-unit-directo.patch
@@ -21668,9 +21718,20 @@
patches.drivers/qmi_wwan-add-Olicard-600.patch
patches.fixes/openvswitch-fix-flow-actions-reallocation.patch
patches.fixes/net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch
+ patches.suse/net-ethtool-not-call-vzalloc-for-zero-sized-memory-r.patch
+ patches.suse/net-mlx5-Decrease-default-mr-cache-size.patch
+ patches.suse/net-mlx5e-Fix-error-handling-when-refreshing-TIRs.patch
+ patches.suse/net-mlx5e-Add-a-lock-on-tir-list.patch
patches.fixes/bpf-fix-use-after-free-in-bpf_evict_inode.patch
+ patches.suse/vrf-check-accept_source_route-on-the-original-netdev.patch
+ patches.suse/net-sched-fix-get-helper-of-the-matchall-cls.patch
patches.suse/kcm-switch-order-of-device-registration-to-fix-a-cra.patch
+ patches.suse/sctp-initialize-_pad-of-sockaddr_in-before-copying-t.patch
+ patches.suse/ip6_tunnel-Match-to-ARPHRD_TUNNEL6-for-dev-type.patch
+ patches.suse/net-gro-Fix-GRO-flush-when-receiving-a-GSO-packet.patch
patches.fixes/0001-ipv6-Fix-dangling-pointer-when-ipv6-fragment.patch
+ patches.suse/net-sched-act_sample-fix-divide-by-zero-in-the-traff.patch
+ patches.suse/tcp-Ensure-DCTCP-reacts-to-losses.patch
patches.fixes/0001-ipv6-sit-reset-ip-header-pointer-in-ipip6_rcv.patch
patches.drivers/ibmvnic-Fix-completion-structure-initialization.patch
patches.drm/drm-i915-gvt-do-not-deliver-a-workload-if-its-creati.patch
@@ -21683,6 +21744,8 @@
patches.fixes/0001-xen-Prevent-buffer-overflow-in-privcmd-ioctl.patch
patches.drivers/tpm-Fix-the-type-of-the-return-value-in-calc_tpm2_ev.patch
patches.drivers/NFC-nci-Add-some-bounds-checking-in-nci_hci_cmd_rece.patch
+ patches.suse/bnxt_en-Improve-RX-consumer-index-validity-check.patch
+ patches.suse/bnxt_en-Reset-device-on-RX-buffer-errors.patch
patches.drivers/Bluetooth-btusb-request-wake-pin-with-NOAUTOEN.patch
patches.fixes/virtio_pci-fix-a-NULL-pointer-reference-in-vp_del_vq.patch
patches.fixes/virtio-Honour-may_reduce_num-in-vring_create_virtque.patch
@@ -21690,6 +21753,7 @@
patches.drm/0003-drm-mediatek-Fix-an-error-code-in-mtk_hdmi_dt_parse_.patch
patches.drm/drm-mediatek-fix-possible-object-reference-leak.patch
patches.drm/drm-i915-gvt-Annotate-iomem-usage.patch
+ patches.fixes/ACPICA-Namespace-remove-address-node-from-global-lis.patch
patches.drivers/ALSA-hda-realtek-Add-quirk-for-Tuxedo-XC-1509.patch
patches.drivers/ALSA-seq-Fix-OOB-reads-from-strlcpy.patch
patches.drivers/ALSA-hda-Add-two-more-machines-to-the-power_save_bla.patch
@@ -21705,6 +21769,7 @@
patches.drivers/ASoC-stm32-fix-sai-driver-name-initialisation.patch
patches.drivers/iommu-amd-set-exclusion-range-correctly
patches.fixes/linux-kernel.h-Use-parentheses-around-argument-in-u6.patch
+ patches.suse/sched-do-not-re-read-h_load_next-during-hierarchical-load-calculation.patch
patches.arch/powerpc-vdso32-fix-CLOCK_MONOTONIC-on-PPC64.patch
patches.drivers/PCI-Add-function-1-DMA-alias-quirk-for-Marvell-9170-.patch
patches.fixes/0001-PCI-pciehp-Ignore-Link-State-Changes-after-powering-.patch
@@ -21715,14 +21780,23 @@
patches.arch/kvm-x86-svm-make-sure-nmi-is-injected-after-nmi_singlestep
patches.arch/kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu
patches.arch/kvm-x86-always-use-32-bit-smram-save-state-for-32-bit-kernels
+ patches.fixes/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch
+ patches.fixes/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch
patches.fixes/mac80211-do-not-call-driver-wake_tx_queue-op-during-.patch
+ patches.fixes/nl80211-Add-NL80211_FLAG_CLEAR_SKB-flag-for-other-NL.patch
patches.drivers/ibmvnic-Enable-GRO.patch
patches.drivers/ibmvnic-Fix-netdev-feature-clobbering-during-a-reset.patch
+ patches.fixes/team-set-slave-to-promisc-if-team-is-already-in-prom.patch
patches.fixes/0001-net-bridge-multicast-use-rcu-to-access-port-list-fro.patch
+ patches.fixes/mISDN-Check-address-length-before-reading-address-fa.patch
patches.drivers/rt2x00-do-not-increment-sequence-number-while-re-tra.patch
patches.fixes/0001-net-bridge-fix-per-port-af_packet-sockets.patch
patches.fixes/CIFS-keep-FileInfo-handle-live-during-oplock-break.patch
patches.fixes/crypto-x86-poly1305-fix-overflow-during-partial-redu.patch
+ patches.drivers/Input-elan_i2c-add-hardware-ID-for-multiple-Lenovo-l.patch
+ patches.drivers/HID-input-add-mapping-for-Expose-Overview-key.patch
+ patches.drivers/HID-input-add-mapping-for-keyboard-Brightness-Up-Dow.patch
+ patches.drivers/HID-input-add-mapping-for-Toggle-Display-key.patch
patches.drivers/Input-snvs_pwrkey-initialize-necessary-driver-data-b.patch
patches.drivers/iio-gyro-bmg160-Use-millidegrees-for-temperature-sca.patch
patches.drivers/staging-iio-ad7192-Fix-ad7193-channel-address.patch
@@ -21731,6 +21805,7 @@
patches.drivers/iio-adc-at91-disable-adc-channel-interrupt-in-timeou.patch
patches.drivers/io-accel-kxcjk1013-restore-the-range-after-resume.patch
patches.drivers/iio-dac-mcp4725-add-missing-powerdown-bits-in-store-.patch
+ patches.drivers/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch
patches.drivers/iio-cros_ec-Fix-the-maths-for-gyro-scale-calculation.patch
patches.drivers/iio-ad_sigma_delta-select-channel-when-reading-regis.patch
patches.drivers/iio-core-fix-a-possible-circular-locking-dependency.patch
@@ -21746,6 +21821,8 @@
patches.drivers/ALSA-info-Fix-racy-addition-deletion-of-nodes.patch
patches.drivers/ALSA-core-Fix-card-races-between-register-and-discon.patch
patches.drivers/ALSA-hda-realtek-add-two-more-pin-configuration-sets.patch
+ patches.drivers/spi-Micrel-eth-switch-declare-missing-of-table.patch
+ patches.drivers/spi-ST-ST95HF-NFC-declare-missing-of-table.patch
patches.fixes/ceph-only-use-d_name-directly-when-parent-is-locked.patch
patches.fixes/ceph-ensure-d_name-stability-in-ceph_dentry_hash.patch
patches.fixes/ceph-fix-ci-i_head_snapc-leak.patch
@@ -21755,8 +21832,11 @@
patches.drm/0004-drm-sun4i-Fix-component-unbinding-and-component-mast.patch
patches.drm/0005-drm-vc4-Fix-memory-leak-during-gpu-reset.patch
patches.drm/0001-drm-sun4i-Unbind-components-before-releasing-DRM-and.patch
+ patches.drm/gpu-ipu-v3-dp-fix-CSC-handling.patch
+ patches.drm/drm-imx-don-t-skip-DP-channel-disable-for-background.patch
patches.suse/tracing-fix-buffer_ref-pipe-ops.patch
patches.suse/tracing-fix-a-memory-leak-by-early-error-exit-in-trace_pid_write.patch
+ patches.drivers/Input-synaptics-rmi4-fix-possible-double-free.patch
patches.drivers/Input-synaptics-rmi4-write-config-register-values-to.patch
patches.drivers/dmaengine-sh-rcar-dmac-With-cyclic-DMA-residue-0-is-.patch
patches.fixes/selinux-use-kernel-linux-socket.h-for-genheaders-and-mdp
@@ -21774,6 +21854,7 @@
patches.arch/x86-speculation-support-mitigations-cmdline-option.patch
patches.arch/powerpc-speculation-support-mitigations-cmdline-option.patch
patches.arch/s390-speculation-support-mitigations-cmdline-option.patch
+ patches.fixes/ACPI-button-reinitialize-button-state-upon-resume.patch
patches.arch/x86-mce-handle-varying-mca-bank-counts.patch
patches.drivers/hwmon-f71805f-Use-request_muxed_region-for-Super-IO-.patch
patches.drivers/hwmon-pc87427-Use-request_muxed_region-for-Super-IO-.patch
@@ -21942,6 +22023,16 @@
patches.drivers/PCI-Mark-AMD-Stoney-Radeon-R7-GPU-ATS-as-broken.patch
patches.drivers/PCI-Mark-Atheros-AR9462-to-avoid-bus-reset.patch
patches.drivers/backlight-lm3630a-Return-0-on-success-in-update_stat.patch
+ patches.fixes/crypto-caam-fix-caam_dump_sg-that-iterates-through-s.patch
+ patches.drivers/power-supply-axp288_charger-Fix-unchecked-return-val.patch
+ patches.drivers/power-supply-axp20x_usb_power-Fix-typo-in-VBUS-curre.patch
+ patches.drm/drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch
+ patches.drm/drm-bridge-adv7511-Fix-low-refresh-rate-selection.patch
+ patches.drivers/thermal-cpu_cooling-Actually-trace-CPU-load-in-therm.patch
+ patches.fixes/configfs-fix-possible-use-after-free-in-configfs_reg.patch
+ patches.drivers/media-atmel-atmel-isc-fix-INIT_WORK-misplacement.patch
+ patches.drivers/media-omap_vout-potential-buffer-overflow-in-vidioc_.patch
+ patches.drivers/media-davinci-vpbe-array-underflow-in-vpbe_enum_outp.patch
# dhowells/linux-fs keys-uefi
patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
@@ -22045,8 +22136,6 @@
patches.kabi/posix-timers-overrun-change-kABI-fix.patch
- patches.suse/sched-do-not-re-read-h_load_next-during-hierarchical-load-calculation.patch
-
########################################################
# locking/core
########################################################
@@ -22698,6 +22787,8 @@
patches.kabi/hid-debug-kfifo-kabi-workaround.patch
patches.kabi/kabi-protect-vhost_log_write.patch
patches.kabi/kabi-restore-icmp_send.patch
+ patches.kabi/kabi-protect-struct-mlx5_td.patch
+ patches.kabi/kabi-protect-ip_options_rcv_srr.patch
patches.kabi/md-batch-flush-requests-kabi.patch