authorKernel Build Daemon <kbuild@suse.de>2019-08-18 07:06:05 +0200
committerKernel Build Daemon <kbuild@suse.de>2019-08-18 07:06:05 +0200
commita7be81d27f58bb997c161841732943fc810790c8 (patch)
tree12cf7013387541027cc5e0ea24fe9ffcb9ff40be
parent666ccef91ea3d3e35c024e3a82b0d6d3db46adea (diff)
parentcaa1588856e42ff92ecf46ae45979546521684c3 (diff)
Merge branch 'SLE15' into openSUSE-15.0
-rw-r--r--patches.arch/cpu-speculation-warn-on-unsupported-mitigations-parameter.patch48
-rw-r--r--patches.arch/x86-boot-fix-memory-leak-in-default_get_smp_config.patch60
-rw-r--r--patches.arch/x86-speculation-allow-guests-to-use-ssbd-even-if-host-does-not.patch71
-rw-r--r--patches.arch/x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch42
-rw-r--r--patches.drivers/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-ch.patch101
-rw-r--r--patches.drivers/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_u.patch52
-rw-r--r--patches.fixes/0001-xfrm-Fix-NULL-pointer-dereference-when-skb_dst_force.patch61
-rw-r--r--patches.fixes/0002-xfrm-Fix-error-return-code-in-xfrm_output_one.patch37
-rw-r--r--patches.fixes/0003-xfrm-Fix-NULL-pointer-dereference-in-xfrm_input-when.patch61
-rw-r--r--patches.fixes/0004-xfrm-Fix-bucket-count-reported-to-userspace.patch36
-rw-r--r--patches.suse/btrfs-add-missing-inode-version-ctime-and-mtime-upda.patch44
-rw-r--r--patches.suse/btrfs-fix-data-loss-after-inode-eviction-renaming-it.patch112
-rw-r--r--patches.suse/btrfs-fix-fsync-not-persisting-dentry-deletions-due-.patch135
-rw-r--r--patches.suse/btrfs-fix-incremental-send-failure-after-deduplicati.patch181
-rw-r--r--patches.suse/btrfs-fix-race-leading-to-fs-corruption-after-transa.patch144
-rw-r--r--series.conf15
16 files changed, 1200 insertions, 0 deletions
diff --git a/patches.arch/cpu-speculation-warn-on-unsupported-mitigations-parameter.patch b/patches.arch/cpu-speculation-warn-on-unsupported-mitigations-parameter.patch
new file mode 100644
index 0000000000..f0fa424a0e
--- /dev/null
+++ b/patches.arch/cpu-speculation-warn-on-unsupported-mitigations-parameter.patch
@@ -0,0 +1,48 @@
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Thu, 16 May 2019 09:09:35 +0200
+Subject: cpu/speculation: Warn on unsupported mitigations= parameter
+Git-commit: 1bf72720281770162c87990697eae1ba2f1d917a
+Patch-mainline: v5.2-rc7
+References: bsc#1114279
+
+Currently, if the user specifies an unsupported mitigation strategy on the
+kernel command line, it will be ignored silently. The code will fall back
+to the default strategy, possibly leaving the system more vulnerable than
+expected.
+
+This may happen due to e.g. a simple typo, or, for a stable kernel release,
+because not all mitigation strategies have been backported.
+
+Inform the user by printing a message.
+
+Fixes: 98af8452945c5565 ("cpu/speculation: Add 'mitigations=' cmdline option")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Jiri Kosina <jkosina@suse.cz>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190516070935.22546-1-geert@linux-m68k.org
+
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ kernel/cpu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/cpu.c b/kernel/cpu.c
+index 077fde6fb953..551db494f153 100644
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -2339,6 +2339,9 @@ static int __init mitigations_parse_cmdline(char *arg)
+ cpu_mitigations = CPU_MITIGATIONS_AUTO;
+ else if (!strcmp(arg, "auto,nosmt"))
+ cpu_mitigations = CPU_MITIGATIONS_AUTO_NOSMT;
++ else
++ pr_crit("Unsupported mitigations=%s, system may still be vulnerable\n",
++ arg);
+
+ return 0;
+ }
+
diff --git a/patches.arch/x86-boot-fix-memory-leak-in-default_get_smp_config.patch b/patches.arch/x86-boot-fix-memory-leak-in-default_get_smp_config.patch
new file mode 100644
index 0000000000..c2700d86e5
--- /dev/null
+++ b/patches.arch/x86-boot-fix-memory-leak-in-default_get_smp_config.patch
@@ -0,0 +1,60 @@
+From: David Rientjes <rientjes@google.com>
+Date: Tue, 9 Jul 2019 19:44:03 -0700
+Subject: x86/boot: Fix memory leak in default_get_smp_config()
+Git-commit: e74bd96989dd42a51a73eddb4a5510a6f5e42ac3
+Patch-mainline: v5.3-rc1
+References: bsc#1114279
+
+When default_get_smp_config() is called with early == 1 and mpf->feature1
+is non-zero, mpf is leaked because the return path does not do
+early_memunmap().
+
+Fix this and share a common exit routine.
+
+Fixes: 5997efb96756 ("x86/boot: Use memremap() to map the MPF and MPC data")
+Reported-by: Cfir Cohen <cfir@google.com>
+Signed-off-by: David Rientjes <rientjes@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1907091942570.28240@chino.kir.corp.google.com
+
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/kernel/mpparse.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/kernel/mpparse.c b/arch/x86/kernel/mpparse.c
+index 1bfe5c6e6cfe..afac7ccce72f 100644
+--- a/arch/x86/kernel/mpparse.c
++++ b/arch/x86/kernel/mpparse.c
+@@ -546,17 +546,15 @@ void __init default_get_smp_config(unsigned int early)
+ * local APIC has default address
+ */
+ mp_lapic_addr = APIC_DEFAULT_PHYS_BASE;
+- return;
++ goto out;
+ }
+
+ pr_info("Default MP configuration #%d\n", mpf->feature1);
+ construct_default_ISA_mptable(mpf->feature1);
+
+ } else if (mpf->physptr) {
+- if (check_physptr(mpf, early)) {
+- early_memunmap(mpf, sizeof(*mpf));
+- return;
+- }
++ if (check_physptr(mpf, early))
++ goto out;
+ } else
+ BUG();
+
+@@ -565,7 +563,7 @@ void __init default_get_smp_config(unsigned int early)
+ /*
+ * Only use the first configuration found.
+ */
+-
++out:
+ early_memunmap(mpf, sizeof(*mpf));
+ }
+
+
diff --git a/patches.arch/x86-speculation-allow-guests-to-use-ssbd-even-if-host-does-not.patch b/patches.arch/x86-speculation-allow-guests-to-use-ssbd-even-if-host-does-not.patch
new file mode 100644
index 0000000000..eba44ed109
--- /dev/null
+++ b/patches.arch/x86-speculation-allow-guests-to-use-ssbd-even-if-host-does-not.patch
@@ -0,0 +1,71 @@
+From: Alejandro Jimenez <alejandro.j.jimenez@oracle.com>
+Date: Mon, 10 Jun 2019 13:20:10 -0400
+Subject: x86/speculation: Allow guests to use SSBD even if host does not
+Git-commit: c1f7fec1eb6a2c86d01bc22afce772c743451d88
+Patch-mainline: v5.2-rc7
+References: bsc#1114279
+
+The bits set in x86_spec_ctrl_mask are used to calculate the guest's value
+of SPEC_CTRL that is written to the MSR before VMENTRY, and control which
+mitigations the guest can enable. In the case of SSBD, unless the host has
+enabled SSBD always on mode (by passing "spec_store_bypass_disable=on" in
+the kernel parameters), the SSBD bit is not set in the mask and the guest
+can not properly enable the SSBD always on mitigation mode.
+
+This has been confirmed by running the SSBD PoC on a guest using the SSBD
+always on mitigation mode (booted with kernel parameter
+"spec_store_bypass_disable=on"), and verifying that the guest is vulnerable
+unless the host is also using SSBD always on mode. In addition, the guest
+OS incorrectly reports the SSB vulnerability as mitigated.
+
+Always set the SSBD bit in x86_spec_ctrl_mask when the host CPU supports
+it, allowing the guest to use SSBD whether or not the host has chosen to
+enable the mitigation in any of its modes.
+
+Fixes: be6fcb5478e9 ("x86/bugs: Rework spec_ctrl base and mask logic")
+Signed-off-by: Alejandro Jimenez <alejandro.j.jimenez@oracle.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
+Reviewed-by: Mark Kanda <mark.kanda@oracle.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: bp@alien8.de
+Cc: rkrcmar@redhat.com
+Cc: kvm@vger.kernel.org
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1560187210-11054-1-git-send-email-alejandro.j.jimenez@oracle.com
+
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/kernel/cpu/bugs.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 03b4cc0ec3a7..66ca906aa790 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -835,6 +835,16 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void)
+ break;
+ }
+
++ /*
++ * If SSBD is controlled by the SPEC_CTRL MSR, then set the proper
++ * bit in the mask to allow guests to use the mitigation even in the
++ * case where the host does not enable it.
++ */
++ if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) ||
++ static_cpu_has(X86_FEATURE_AMD_SSBD)) {
++ x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
++ }
++
+ /*
+ * We have three CPU feature flags that are in play here:
+ * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible.
+@@ -852,7 +862,6 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void)
+ x86_amd_ssb_disable();
+ } else {
+ x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
+- x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
+ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
+ }
+ }
+
diff --git a/patches.arch/x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch b/patches.arch/x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch
new file mode 100644
index 0000000000..05bc51dfe5
--- /dev/null
+++ b/patches.arch/x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch
@@ -0,0 +1,42 @@
+From: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+Date: Thu, 25 Jul 2019 10:39:09 +0800
+Subject: x86/speculation/mds: Apply more accurate check on hypervisor platform
+Git-commit: 517c3ba00916383af6411aec99442c307c23f684
+Patch-mainline: v5.3-rc2
+References: bsc#1114279
+
+X86_HYPER_NATIVE isn't accurate for checking if running on native platform,
+e.g. CONFIG_HYPERVISOR_GUEST isn't set or "nopv" is enabled.
+
+Checking the CPU feature bit X86_FEATURE_HYPERVISOR to determine if it's
+running on native platform is more accurate.
+
+This still doesn't cover the platforms on which X86_FEATURE_HYPERVISOR is
+unsupported, e.g. VMware, but there is nothing which can be done about this
+scenario.
+
+Fixes: 8a4b06d391b0 ("x86/speculation/mds: Add sysfs reporting for MDS")
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1564022349-17338-1-git-send-email-zhenzhong.duan@oracle.com
+
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/kernel/cpu/bugs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 66ca906aa790..801ecd1c3fd5 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1226,7 +1226,7 @@ static ssize_t l1tf_show_state(char *buf)
+
+ static ssize_t mds_show_state(char *buf)
+ {
+- if (!hypervisor_is_type(X86_HYPER_NATIVE)) {
++ if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
+ return sprintf(buf, "%s; SMT Host state unknown\n",
+ mds_strings[mds_mitigation]);
+ }
+
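Review bot: The new `boot_cpu_has(X86_FEATURE_HYPERVISOR)` test in `mds_show_state()` has a blind spot that the patch description states but the code does not: a guest whose hypervisor does not advertise the feature bit is treated as native, so the "SMT Host state unknown" qualifier is not printed there. A comment above the condition would keep that visible, for example `/* Guests whose hypervisor hides X86_FEATURE_HYPERVISOR are reported as native here. */`. Separately, the context line writes into the sysfs buffer with an unbounded `sprintf()`; the strings look like short table entries, so this is a style point rather than an overflow, but `scnprintf(buf, PAGE_SIZE, ...)` would make the bound self-evident. The body of `mds_show_state()` continues past the end of the hunk.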
diff --git a/patches.drivers/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-ch.patch b/patches.drivers/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-ch.patch
new file mode 100644
index 0000000000..f804c5e04c
--- /dev/null
+++ b/patches.drivers/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-ch.patch
@@ -0,0 +1,101 @@
+From 19bce474c45be69a284ecee660aa12d8f1e88f18 Mon Sep 17 00:00:00 2001
+From: Hui Peng <benquike@gmail.com>
+Date: Thu, 15 Aug 2019 00:31:34 -0400
+Subject: [PATCH] ALSA: usb-audio: Fix a stack buffer overflow bug in
+ check_input_term
+References: CVE-2019-15118,bsc#1145922
+Git-commit: 19bce474c45be69a284ecee660aa12d8f1e88f18
+Patch-mainline: v5.3-rc5
+
+`check_input_term` recursively calls itself with input from
+device side (e.g., uac_input_terminal_descriptor.bCSourceID)
+as argument (id). In `check_input_term`, if `check_input_term`
+is called with the same `id` argument as the caller, it triggers
+endless recursive call, resulting kernel space stack overflow.
+
+This patch fixes the bug by adding a bitmap to `struct mixer_build`
+to keep track of the checked ids and stop the execution if some id
+has been checked (similar to how parse_audio_unit handles unitid
+argument).
+
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Signed-off-by: Hui Peng <benquike@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/usb/mixer.c | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -82,6 +82,7 @@ struct mixer_build {
+ unsigned char *buffer;
+ unsigned int buflen;
+ DECLARE_BITMAP(unitbitmap, MAX_ID_ELEMS);
++ DECLARE_BITMAP(termbitmap, MAX_ID_ELEMS);
+ struct usb_audio_term oterm;
+ const struct usbmix_name_map *map;
+ const struct usbmix_selector_map *selector_map;
+@@ -710,15 +711,24 @@ static int get_term_name(struct mixer_bu
+ * parse the source unit recursively until it reaches to a terminal
+ * or a branched unit.
+ */
+-static int check_input_term(struct mixer_build *state, int id,
++static int __check_input_term(struct mixer_build *state, int id,
+ struct usb_audio_term *term)
+ {
+ int err;
+ void *p1;
++ unsigned char *hdr;
+
+ memset(term, 0, sizeof(*term));
+- while ((p1 = find_audio_control_unit(state, id)) != NULL) {
+- unsigned char *hdr = p1;
++ for (;;) {
++ /* a loop in the terminal chain? */
++ if (test_and_set_bit(id, state->termbitmap))
++ return -EINVAL;
++
++ p1 = find_audio_control_unit(state, id);
++ if (!p1)
++ break;
++
++ hdr = p1;
+ term->id = id;
+ switch (hdr[2]) {
+ case UAC_INPUT_TERMINAL:
+@@ -733,7 +743,7 @@ static int check_input_term(struct mixer
+
+ /* call recursively to verify that the
+ * referenced clock entity is valid */
+- err = check_input_term(state, d->bCSourceID, term);
++ err = __check_input_term(state, d->bCSourceID, term);
+ if (err < 0)
+ return err;
+
+@@ -765,7 +775,7 @@ static int check_input_term(struct mixer
+ case UAC2_CLOCK_SELECTOR: {
+ struct uac_selector_unit_descriptor *d = p1;
+ /* call recursively to retrieve the channel info */
+- err = check_input_term(state, d->baSourceID[0], term);
++ err = __check_input_term(state, d->baSourceID[0], term);
+ if (err < 0)
+ return err;
+ term->type = d->bDescriptorSubtype << 16; /* virtual type */
+@@ -812,6 +822,14 @@ static int check_input_term(struct mixer
+ return -ENODEV;
+ }
+
++static int check_input_term(struct mixer_build *state, int id,
++ struct usb_audio_term *term)
++{
++ memset(term, 0, sizeof(*term));
++ memset(state->termbitmap, 0, sizeof(state->termbitmap));
++ return __check_input_term(state, id, term);
++}
++
+ /*
+ * Feature Unit
+ */
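Review bot: `test_and_set_bit(id, state->termbitmap)` in `__check_input_term()` indexes a bitmap of `MAX_ID_ELEMS` bits with an `int id`, and no range check appears in the visible lines. The recursive calls pass `d->bCSourceID` and `d->baSourceID[0]`, presumably single-byte descriptor fields, so the value is likely bounded already, but `check_input_term()` accepts any `int`. A guard such as `if (id < 0 || id >= MAX_ID_ELEMS) return -EINVAL;` before the bit operation would make the bound explicit. The wrapper also clears `term` and `__check_input_term()` clears it again on entry, so one of the two `memset(term, 0, sizeof(*term))` calls is redundant. Recursion is now limited by the number of distinct ids rather than by a depth counter, which is worth stating in the comment above the function.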
diff --git a/patches.drivers/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_u.patch b/patches.drivers/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_u.patch
new file mode 100644
index 0000000000..fb104d5736
--- /dev/null
+++ b/patches.drivers/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_u.patch
@@ -0,0 +1,52 @@
+From daac07156b330b18eb5071aec4b3ddca1c377f2c Mon Sep 17 00:00:00 2001
+From: Hui Peng <benquike@gmail.com>
+Date: Tue, 13 Aug 2019 22:34:04 -0400
+Subject: [PATCH] ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit
+References: CVE-2019-15117,bsc#1145920
+Git-commit: daac07156b330b18eb5071aec4b3ddca1c377f2c
+Patch-mainline: v5.3-rc5
+
+The `uac_mixer_unit_descriptor` shown as below is read from the
+device side. In `parse_audio_mixer_unit`, `baSourceID` field is
+accessed from index 0 to `bNrInPins` - 1, the current implementation
+assumes that descriptor is always valid (the length of descriptor
+is no shorter than 5 + `bNrInPins`). If a descriptor read from
+the device side is invalid, it may trigger out-of-bound memory
+access.
+
+```
+struct uac_mixer_unit_descriptor {
+ __u8 bLength;
+ __u8 bDescriptorType;
+ __u8 bDescriptorSubtype;
+ __u8 bUnitID;
+ __u8 bNrInPins;
+ __u8 baSourceID[];
+}
+```
+
+This patch fixes the bug by add a sanity check on the length of
+the descriptor.
+
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Hui Peng <benquike@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/usb/mixer.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1701,6 +1701,9 @@ static int parse_audio_mixer_unit(struct
+ return -EINVAL;
+ }
+
++ if (desc->bLength < sizeof(*desc) + desc->bNrInPins)
++ return -EINVAL;
++
+ num_ins = 0;
+ ich = 0;
+ for (pin = 0; pin < input_pins; pin++) {
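Review bot: The added check `desc->bLength < sizeof(*desc) + desc->bNrInPins` only proves that the `baSourceID` array fits inside the descriptor, and it sits after an earlier validation block of which only the closing `return -EINVAL; }` is visible. If that earlier block, or code later in `parse_audio_mixer_unit()`, reads bytes that follow `baSourceID` (the struct in the description ends at the flexible array, so anything after it is reached by offset), those reads are not covered by this bound. In that case the length test would have to run first and include the trailing bytes. The loop is bounded by `input_pins` while the check uses `desc->bNrInPins`; presumably these hold the same value, and comparing against `input_pins` would make that obvious.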
diff --git a/patches.fixes/0001-xfrm-Fix-NULL-pointer-dereference-when-skb_dst_force.patch b/patches.fixes/0001-xfrm-Fix-NULL-pointer-dereference-when-skb_dst_force.patch
new file mode 100644
index 0000000000..175210aec6
--- /dev/null
+++ b/patches.fixes/0001-xfrm-Fix-NULL-pointer-dereference-when-skb_dst_force.patch
@@ -0,0 +1,61 @@
+From bb8bb584c2948558b39451338b862136327e564f Mon Sep 17 00:00:00 2001
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Tue, 11 Sep 2018 10:31:15 +0200
+Subject: [PATCH 1/4] xfrm: Fix NULL pointer dereference when skb_dst_force
+ clears the dst_entry.
+
+Patch-mainline: v4.19-rc7
+Git-commit: 9e1437937807b0122e8da1ca8765be2adca9aee6
+References: bsc#1143300
+
+Since commit 222d7dbd258d ("net: prevent dst uses after free")
+skb_dst_force() might clear the dst_entry attached to the skb.
+The xfrm code don't expect this to happen, so we crash with
+a NULL pointer dereference in this case. Fix it by checking
+skb_dst(skb) for NULL after skb_dst_force() and drop the packet
+in cast the dst_entry was cleared.
+
+Fixes: 222d7dbd258d ("net: prevent dst uses after free")
+Reported-by: Tobias Hommel <netdev-list@genoetigt.de>
+Reported-by: Kristian Evensen <kristian.evensen@gmail.com>
+Reported-by: Wolfgang Walter <linux@stwm.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Firo Yang <firo.yang@suse.com>
+---
+ net/xfrm/xfrm_output.c | 4 ++++
+ net/xfrm/xfrm_policy.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
+index 7e7b6c6004f1..f576b05c4f72 100644
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -98,6 +98,10 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
+ spin_unlock_bh(&x->lock);
+
+ skb_dst_force(skb);
++ if (!skb_dst(skb)) {
++ XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
++ goto error_nolock;
++ }
+
+ if (xfrm_offload(skb)) {
+ x->type_offload->encap(x, skb);
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index c82c695fa3fd..89bbe40736f9 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -2625,6 +2625,10 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
+ }
+
+ skb_dst_force(skb);
++ if (!skb_dst(skb)) {
++ XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
++ return 0;
++ }
+
+ dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, XFRM_LOOKUP_QUEUE);
+ if (IS_ERR(dst)) {
+--
+2.16.4
+
diff --git a/patches.fixes/0002-xfrm-Fix-error-return-code-in-xfrm_output_one.patch b/patches.fixes/0002-xfrm-Fix-error-return-code-in-xfrm_output_one.patch
new file mode 100644
index 0000000000..28e29ebff3
--- /dev/null
+++ b/patches.fixes/0002-xfrm-Fix-error-return-code-in-xfrm_output_one.patch
@@ -0,0 +1,37 @@
+From 615887d455094dfdb598ca6df7093c6f0626005b Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Sat, 27 Oct 2018 06:12:06 +0000
+Subject: [PATCH 2/4] xfrm: Fix error return code in xfrm_output_one()
+
+Patch-mainline: v4.20
+Git-commit: 533555e5cbb6aa2d77598917871ae5b579fe724b
+References: bsc#1143300
+
+xfrm_output_one() does not return a error code when there is
+no dst_entry attached to the skb, it is still possible crash
+with a NULL pointer dereference in xfrm_output_resume(). Fix
+it by return error code -EHOSTUNREACH.
+
+Fixes: 9e1437937807 ("xfrm: Fix NULL pointer dereference when skb_dst_force clears the dst_entry.")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Firo Yang <firo.yang@suse.com>
+---
+ net/xfrm/xfrm_output.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
+index f576b05c4f72..58aaa0aefc5d 100644
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -100,6 +100,7 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
+ skb_dst_force(skb);
+ if (!skb_dst(skb)) {
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
++ err = -EHOSTUNREACH;
+ goto error_nolock;
+ }
+
+--
+2.16.4
+
diff --git a/patches.fixes/0003-xfrm-Fix-NULL-pointer-dereference-in-xfrm_input-when.patch b/patches.fixes/0003-xfrm-Fix-NULL-pointer-dereference-in-xfrm_input-when.patch
new file mode 100644
index 0000000000..d871a18294
--- /dev/null
+++ b/patches.fixes/0003-xfrm-Fix-NULL-pointer-dereference-in-xfrm_input-when.patch
@@ -0,0 +1,61 @@
+From 567cfbae0919ca98efaeaed21a1b4304fdca2ebf Mon Sep 17 00:00:00 2001
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Thu, 22 Nov 2018 07:26:24 +0100
+Subject: [PATCH 3/4] xfrm: Fix NULL pointer dereference in xfrm_input when
+ skb_dst_force clears the dst_entry.
+
+Patch-mainline: v4.20
+Git-commit: 0152eee6fc3b84298bb6a79961961734e8afa5b8
+References: bsc#1143300
+
+Since commit 222d7dbd258d ("net: prevent dst uses after free")
+skb_dst_force() might clear the dst_entry attached to the skb.
+The xfrm code doesn't expect this to happen, so we crash with
+a NULL pointer dereference in this case.
+
+Fix it by checking skb_dst(skb) for NULL after skb_dst_force()
+and drop the packet in case the dst_entry was cleared. We also
+move the skb_dst_force() to a codepath that is not used when
+the transformation was offloaded, because in this case we
+don't have a dst_entry attached to the skb.
+
+The output and forwarding path was already fixed by
+commit 9e1437937807 ("xfrm: Fix NULL pointer dereference when
+skb_dst_force clears the dst_entry.")
+
+Fixes: 222d7dbd258d ("net: prevent dst uses after free")
+Reported-by: Jean-Philippe Menil <jpmenil@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Firo Yang <firo.yang@suse.com>
+---
+ net/xfrm/xfrm_input.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
+index a18b0e37b8eb..1399907235a2 100644
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -334,6 +334,12 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
+
+ skb->sp->xvec[skb->sp->len++] = x;
+
++ skb_dst_force(skb);
++ if (!skb_dst(skb)) {
++ XFRM_INC_STATS(net, LINUX_MIB_XFRMINERROR);
++ goto drop;
++ }
++
+ lock:
+ spin_lock(&x->lock);
+
+@@ -373,7 +379,6 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
+ XFRM_SKB_CB(skb)->seq.input.low = seq;
+ XFRM_SKB_CB(skb)->seq.input.hi = seq_hi;
+
+- skb_dst_force(skb);
+ dev_hold(skb->dev);
+
+ if (crypto_done)
+--
+2.16.4
+
diff --git a/patches.fixes/0004-xfrm-Fix-bucket-count-reported-to-userspace.patch b/patches.fixes/0004-xfrm-Fix-bucket-count-reported-to-userspace.patch
new file mode 100644
index 0000000000..50c43bd9a3
--- /dev/null
+++ b/patches.fixes/0004-xfrm-Fix-bucket-count-reported-to-userspace.patch
@@ -0,0 +1,36 @@
+From 6d4e563fdf41bad51e26bc8a1d8b61901053c311 Mon Sep 17 00:00:00 2001
+From: Benjamin Poirier <bpoirier@suse.com>
+Date: Mon, 5 Nov 2018 17:00:53 +0900
+Subject: [PATCH 4/4] xfrm: Fix bucket count reported to userspace
+
+Git-commit: ca92e173ab34a4f7fc4128bd372bd96f1af6f507
+Patch-mainline: v4.20
+References: bsc#1143300
+
+sadhcnt is reported by `ip -s xfrm state count` as "buckets count", not the
+hash mask.
+
+Fixes: 28d8909bc790 ("[XFRM]: Export SAD info.")
+Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Firo Yang <firo.yang@suse.com>
+---
+ net/xfrm/xfrm_state.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 609f7fdb9fb4..d4b49a2f698b 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -788,7 +788,7 @@ void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si)
+ {
+ spin_lock_bh(&net->xfrm.xfrm_state_lock);
+ si->sadcnt = net->xfrm.state_num;
+- si->sadhcnt = net->xfrm.state_hmask;
++ si->sadhcnt = net->xfrm.state_hmask + 1;
+ si->sadhmcnt = xfrm_state_hashmax;
+ spin_unlock_bh(&net->xfrm.xfrm_state_lock);
+ }
+--
+2.16.4
+
diff --git a/patches.suse/btrfs-add-missing-inode-version-ctime-and-mtime-upda.patch b/patches.suse/btrfs-add-missing-inode-version-ctime-and-mtime-upda.patch
new file mode 100644
index 0000000000..1b679dd9cf
--- /dev/null
+++ b/patches.suse/btrfs-add-missing-inode-version-ctime-and-mtime-upda.patch
@@ -0,0 +1,44 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 19 Jun 2019 13:05:50 +0100
+Git-commit: 179006688a7e888cbff39577189f2e034786d06a
+Patch-mainline: 5.3-rc1
+References: bsc#1140487
+Subject: [PATCH] Btrfs: add missing inode version, ctime and mtime updates
+ when punching hole
+
+If the range for which we are punching a hole covers only part of a page,
+we end up updating the inode item but we skip the update of the inode's
+iversion, mtime and ctime. Fix that by ensuring we update those properties
+of the inode.
+
+A patch for fstests test case generic/059 that tests this as been sent
+along with this fix.
+
+Fixes: 2aaa66558172b0 ("Btrfs: add hole punching")
+Fixes: e8c1c76e804b18 ("Btrfs: add missing inode update when punching hole")
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/file.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
+index e4137008e12b..320b01580f2e 100644
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -2783,6 +2783,11 @@ static int btrfs_punch_hole(struct inode *inode, loff_t offset, loff_t len)
+ * for detecting, at fsync time, if the inode isn't yet in the
+ * log tree or it's there but not up to date.
+ */
++ struct timespec now = current_time(inode);
++
++ inode_inc_iversion(inode);
++ inode->i_mtime = now;
++ inode->i_ctime = now;
+ trans = btrfs_start_transaction(root, 1);
+ if (IS_ERR(trans)) {
+ err = PTR_ERR(trans);
+--
+2.16.4
+
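Review bot: `inode_inc_iversion(inode)` and the `i_mtime`/`i_ctime` assignments run before `btrfs_start_transaction(root, 1)`, so when the `IS_ERR(trans)` branch is taken the in-memory inode already has a new version and new timestamps that were not written to the inode item. Moving the three updates into the success path, after the transaction has been started, would keep the in-memory and on-disk state consistent on failure. Whether the current order is deliberate cannot be told from the hunk, because the else branch of `btrfs_punch_hole()` lies outside it.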
diff --git a/patches.suse/btrfs-fix-data-loss-after-inode-eviction-renaming-it.patch b/patches.suse/btrfs-fix-data-loss-after-inode-eviction-renaming-it.patch
new file mode 100644
index 0000000000..eff82aba31
--- /dev/null
+++ b/patches.suse/btrfs-fix-data-loss-after-inode-eviction-renaming-it.patch
@@ -0,0 +1,112 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 7 Jun 2019 11:25:24 +0100
+Git-commit: d1d832a0b51dd9570429bb4b81b2a6c1759e681a
+Patch-mainline: 5.3-rc1
+Subject: [PATCH] Btrfs: fix data loss after inode eviction, renaming it, and
+ fsync it
+References: bsc#1145941
+
+When we log an inode, regardless of logging it completely or only that it
+exists, we always update it as logged (logged_trans and last_log_commit
+fields of the inode are updated). This is generally fine and avoids future
+attempts to log it from having to do repeated work that brings no value.
+
+However, if we write data to a file, then evict its inode after all the
+dealloc was flushed (and ordered extents completed), rename the file and
+fsync it, we end up not logging the new extents, since the rename may
+result in logging that the inode exists in case the parent directory was
+logged before. The following reproducer shows and explains how this can
+happen:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount /dev/sdb /mnt
+
+ $ mkdir /mnt/dir
+ $ touch /mnt/dir/foo
+ $ touch /mnt/dir/bar
+
+ # Do a direct IO write instead of a buffered write because with a
+ # buffered write we would need to make sure dealloc gets flushed and
+ # complete before we do the inode eviction later, and we can not do that
+ # from user space with call to things such as sync(2) since that results
+ # in a transaction commit as well.
+ $ xfs_io -d -c "pwrite -S 0xd3 0 4K" /mnt/dir/bar
+
+ # Keep the directory dir in use while we evict inodes. We want our file
+ # bar's inode to be evicted but we don't want our directory's inode to
+ # be evicted (if it were evicted too, we would not be able to reproduce
+ # the issue since the first fsync below, of file foo, would result in a
+ # transaction commit.
+ $ ( cd /mnt/dir; while true; do :; done ) &
+ $ pid=$!
+
+ # Wait a bit to give time for the background process to chdir.
+ $ sleep 0.1
+
+ # Evict all inodes, except the inode for the directory dir because it is
+ # currently in use by our background process.
+ $ echo 2 > /proc/sys/vm/drop_caches
+
+ # fsync file foo, which ends up persisting information about the parent
+ # directory because it is a new inode.
+ $ xfs_io -c fsync /mnt/dir/foo
+
+ # Rename bar, this results in logging that this inode exists (inode item,
+ # names, xattrs) because the parent directory is in the log.
+ $ mv /mnt/dir/bar /mnt/dir/baz
+
+ # Now fsync baz, which ends up doing absolutely nothing because of the
+ # rename operation which logged that the inode exists only.
+ $ xfs_io -c fsync /mnt/dir/baz
+
+ <power failure>
+
+ $ mount /dev/sdb /mnt
+ $ od -t x1 -A d /mnt/dir/baz
+ 0000000
+
+ --> Empty file, data we wrote is missing.
+
+Fix this by not updating last_sub_trans of an inode when we are logging
+only that it exists and the inode was not yet logged since it was loaded
+from disk (full_sync bit set), this is enough to make btrfs_inode_in_log()
+return false for this scenario and make us log the inode. The logged_trans
+of the inode is still always setsince that alone is used to track if names
+need to be deleted as part of unlink operations.
+
+Fixes: 257c62e1bce03e ("Btrfs: avoid tree log commit when there are no changes")
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/tree-log.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 46ba55a225ff..de05078bc634 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -5591,9 +5591,19 @@ static int btrfs_log_inode(struct btrfs_trans_handle *trans,
+ }
+ }
+
++ /*
++ * Don't update last_log_commit if we logged that an inode exists after
++ * it was loaded to memory (full_sync bit set).
++ * This is to prevent data loss when we do a write to the inode, then
++ * the inode gets evicted after all delalloc was flushed, then we log
++ * it exists (due to a rename for example) and then fsync it. This last
++ * fsync would do nothing (not logging the extents previously written).
++ */
+ spin_lock(&inode->lock);
+ inode->logged_trans = trans->transid;
+- inode->last_log_commit = inode->last_sub_trans;
++ if (inode_only != LOG_INODE_EXISTS ||
++ !test_bit(BTRFS_INODE_NEEDS_FULL_SYNC, &inode->runtime_flags))
++ inode->last_log_commit = inode->last_sub_trans;
+ spin_unlock(&inode->lock);
+ out_unlock:
+ if (unlikely(err))
+--
+2.16.4
+
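Review bot: The patch description says the fix avoids updating `last_sub_trans`, but the code never writes `inode->last_sub_trans`; what becomes conditional is the assignment to `inode->last_log_commit`, and the in-code comment names that field correctly. The description should say `last_log_commit` so that the text, the comment and the condition agree. The condition is also easier to audit with a short trailing remark stating that the assignment is skipped only when `inode_only == LOG_INODE_EXISTS` and `BTRFS_INODE_NEEDS_FULL_SYNC` is set. `btrfs_log_inode()` begins and ends outside the hunk.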
diff --git a/patches.suse/btrfs-fix-fsync-not-persisting-dentry-deletions-due-.patch b/patches.suse/btrfs-fix-fsync-not-persisting-dentry-deletions-due-.patch
new file mode 100644
index 0000000000..9c5d4f3d3b
--- /dev/null
+++ b/patches.suse/btrfs-fix-fsync-not-persisting-dentry-deletions-due-.patch
@@ -0,0 +1,135 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 19 Jun 2019 13:05:39 +0100
+Git-commit: 803f0f64d17769071d7287d9e3e3b79a3e1ae937
+Patch-mainline: 5.3-rc1
+Subject: [PATCH] Btrfs: fix fsync not persisting dentry deletions due to inode
+ evictions
+References: bsc#1145942
+
+In order to avoid searches on a log tree when unlinking an inode, we check
+if the inode being unlinked was logged in the current transaction, as well
+as the inode of its parent directory. When any of the inodes are logged,
+we proceed to delete directory items and inode reference items from the
+log, to ensure that if a subsequent fsync of only the inode being unlinked
+or only of the parent directory when the other is not fsync'ed as well,
+does not result in the entry still existing after a power failure.
+
+That check however is not reliable when one of the inodes involved (the
+one being unlinked or its parent directory's inode) is evicted, since the
+logged_trans field is transient, that is, it is not stored on disk, so it
+is lost when the inode is evicted and loaded into memory again (which is
+set to zero on load). As a consequence the checks currently being done by
+btrfs_del_dir_entries_in_log() and btrfs_del_inode_ref_in_log() always
+return true if the inode was evicted before, regardless of the inode
+having been logged or not before (and in the current transaction), this
+results in the dentry being unlinked still existing after a log replay
+if after the unlink operation only one of the inodes involved is fsync'ed.
+
+Example:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount /dev/sdb /mnt
+
+ $ mkdir /mnt/dir
+ $ touch /mnt/dir/foo
+ $ xfs_io -c fsync /mnt/dir/foo
+
+ # Keep an open file descriptor on our directory while we evict inodes.
+ # We just want to evict the file's inode, the directory's inode must not
+ # be evicted.
+ $ ( cd /mnt/dir; while true; do :; done ) &
+ $ pid=$!
+
+ # Wait a bit to give time to background process to chdir to our test
+ # directory.
+ $ sleep 0.5
+
+ # Trigger eviction of the file's inode.
+ $ echo 2 > /proc/sys/vm/drop_caches
+
+ # Unlink our file and fsync the parent directory. After a power failure
+ # we don't expect to see the file anymore, since we fsync'ed the parent
+ # directory.
+ $ rm -f $SCRATCH_MNT/dir/foo
+ $ xfs_io -c fsync /mnt/dir
+
+ <power failure>
+
+ $ mount /dev/sdb /mnt
+ $ ls /mnt/dir
+ foo
+ $
+ --> file still there, unlink not persisted despite explicit fsync on dir
+
+Fix this by checking if the inode has the full_sync bit set in its runtime
+flags as well, since that bit is set everytime an inode is loaded from
+disk, or for other less common cases such as after a shrinking truncate
+or failure to allocate extent maps for holes, and gets cleared after the
+first fsync. Also consider the inode as possibly logged only if it was
+last modified in the current transaction (besides having the full_fsync
+flag set).
+
+Fixes: 3a5f1d458ad161 ("Btrfs: Optimize btree walking while logging inodes")
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/tree-log.c | 28 ++++++++++++++++++++++++++--
+ 1 file changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index de05078bc634..cc91cba8ca3e 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -3377,6 +3377,30 @@ int btrfs_free_log_root_tree(struct btrfs_trans_handle *trans,
+ return 0;
+ }
+
++/*
++ * Check if an inode was logged in the current transaction. We can't always rely
++ * on an inode's logged_trans value, because it's an in-memory only field and
++ * therefore not persisted. This means that its value is lost if the inode gets
++ * evicted and loaded again from disk (in which case it has a value of 0, and
++ * certainly it is smaller then any possible transaction ID), when that happens
++ * the full_sync flag is set in the inode's runtime flags, so on that case we
++ * assume eviction happened and ignore the logged_trans value, assuming the
++ * worst case, that the inode was logged before in the current transaction.
++ */
++static bool inode_logged(struct btrfs_trans_handle *trans,
++ struct btrfs_inode *inode)
++{
++ if (inode->logged_trans == trans->transid)
++ return true;
++
++ if (inode->last_trans == trans->transid &&
++ test_bit(BTRFS_INODE_NEEDS_FULL_SYNC, &inode->runtime_flags) &&
++ !test_bit(BTRFS_FS_LOG_RECOVERING, &trans->fs_info->flags))
++ return true;
++
++ return false;
++}
++
+ /*
+ * If both a file and directory are logged, and unlinks or renames are
+ * mixed in, we have a few interesting corners:
+@@ -3411,7 +3435,7 @@ int btrfs_del_dir_entries_in_log(struct btrfs_trans_handle *trans,
+ int bytes_del = 0;
+ u64 dir_ino = btrfs_ino(dir);
+
+- if (dir->logged_trans < trans->transid)
++ if (!inode_logged(trans, dir))
+ return 0;
+
+ ret = join_running_log_trans(root);
+@@ -3516,7 +3540,7 @@ int btrfs_del_inode_ref_in_log(struct btrfs_trans_handle *trans,
+ u64 index;
+ int ret;
+
+- if (inode->logged_trans < trans->transid)
++ if (!inode_logged(trans, inode))
+ return 0;
+
+ ret = join_running_log_trans(root);
+--
+2.16.4
+
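Review bot: The comment above inode_logged() explains the full_sync fallback but not the other two conditions in the second test, `inode->last_trans == trans->transid` and `!test_bit(BTRFS_FS_LOG_RECOVERING, &trans->fs_info->flags)`. The commit message covers the first, so the comment could gain a line such as `* The fallback applies only if the inode was last modified in the current transaction (last_trans).` The log-replay exclusion is not explained anywhere in the patch, and the author should add a sentence on why it is needed. The same comment has "smaller then" for "smaller than", and the reproducer in the description uses `$SCRATCH_MNT/dir/foo` where every other step uses `/mnt`. The bodies of btrfs_del_dir_entries_in_log() and btrfs_del_inode_ref_in_log() continue outside the inner hunks.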
diff --git a/patches.suse/btrfs-fix-incremental-send-failure-after-deduplicati.patch b/patches.suse/btrfs-fix-incremental-send-failure-after-deduplicati.patch
new file mode 100644
index 0000000000..9cd2be6ead
--- /dev/null
+++ b/patches.suse/btrfs-fix-incremental-send-failure-after-deduplicati.patch
@@ -0,0 +1,181 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 17 Jul 2019 13:23:39 +0100
+Git-commit: b4f9a1a87a48c255bb90d8a6c3d555a1abb88130
+Patch-mainline: 5.3-rc3
+Subject: [PATCH] Btrfs: fix incremental send failure after deduplication
+References: bsc#1145940
+
+When doing an incremental send operation we can fail if we previously did
+deduplication operations against a file that exists in both snapshots. In
+that case we will fail the send operation with -EIO and print a message
+to dmesg/syslog like the following:
+
+ BTRFS error (device sdc): Send: inconsistent snapshot, found updated \
+ extent for inode 257 without updated inode item, send root is 258, \
+ parent root is 257
+
+This requires that we deduplicate to the same file in both snapshots for
+the same amount of times on each snapshot. The issue happens because a
+deduplication only updates the iversion of an inode and does not update
+any other field of the inode, therefore if we deduplicate the file on
+each snapshot for the same amount of time, the inode will have the same
+iversion value (stored as the "sequence" field on the inode item) on both
+snapshots, therefore it will be seen as unchanged between in the send
+snapshot while there are new/updated/deleted extent items when comparing
+to the parent snapshot. This makes the send operation return -EIO and
+print an error message.
+
+Example reproducer:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount /dev/sdb /mnt
+
+ # Create our first file. The first half of the file has several 64Kb
+ # extents while the second half as a single 512Kb extent.
+ $ xfs_io -f -s -c "pwrite -S 0xb8 -b 64K 0 512K" /mnt/foo
+ $ xfs_io -c "pwrite -S 0xb8 512K 512K" /mnt/foo
+
+ # Create the base snapshot and the parent send stream from it.
+ $ btrfs subvolume snapshot -r /mnt /mnt/mysnap1
+ $ btrfs send -f /tmp/1.snap /mnt/mysnap1
+
+ # Create our second file, that has exactly the same data as the first
+ # file.
+ $ xfs_io -f -c "pwrite -S 0xb8 0 1M" /mnt/bar
+
+ # Create the second snapshot, used for the incremental send, before
+ # doing the file deduplication.
+ $ btrfs subvolume snapshot -r /mnt /mnt/mysnap2
+
+ # Now before creating the incremental send stream:
+ #
+ # 1) Deduplicate into a subrange of file foo in snapshot mysnap1. This
+ # will drop several extent items and add a new one, also updating
+ # the inode's iversion (sequence field in inode item) by 1, but not
+ # any other field of the inode;
+ #
+ # 2) Deduplicate into a different subrange of file foo in snapshot
+ # mysnap2. This will replace an extent item with a new one, also
+ # updating the inode's iversion by 1 but not any other field of the
+ # inode.
+ #
+ # After these two deduplication operations, the inode items, for file
+ # foo, are identical in both snapshots, but we have different extent
+ # items for this inode in both snapshots. We want to check this doesn't
+ # cause send to fail with an error or produce an incorrect stream.
+
+ $ xfs_io -r -c "dedupe /mnt/bar 0 0 512K" /mnt/mysnap1/foo
+ $ xfs_io -r -c "dedupe /mnt/bar 512K 512K 512K" /mnt/mysnap2/foo
+
+ # Create the incremental send stream.
+ $ btrfs send -p /mnt/mysnap1 -f /tmp/2.snap /mnt/mysnap2
+ ERROR: send ioctl failed with -5: Input/output error
+
+This issue started happening back in 2015 when deduplication was updated
+to not update the inode's ctime and mtime and update only the iversion.
+Back then we would hit a BUG_ON() in send, but later in 2016 send was
+updated to return -EIO and print the error message instead of doing the
+BUG_ON().
+
+A test case for fstests follows soon.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203933
+Fixes: 1c919a5e13702c ("btrfs: don't update mtime/ctime on deduped inodes")
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/send.c | 77 +++++++++++----------------------------------------------
+ 1 file changed, 15 insertions(+), 62 deletions(-)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index bb1861ca7ddf..a3dd934ad293 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -6250,68 +6250,21 @@ static int changed_extent(struct send_ctx *sctx,
+ {
+ int ret = 0;
+
+- if (sctx->cur_ino != sctx->cmp_key->objectid) {
+-
+- if (result == BTRFS_COMPARE_TREE_CHANGED) {
+- struct extent_buffer *leaf_l;
+- struct extent_buffer *leaf_r;
+- struct btrfs_file_extent_item *ei_l;
+- struct btrfs_file_extent_item *ei_r;
+-
+- leaf_l = sctx->left_path->nodes[0];
+- leaf_r = sctx->right_path->nodes[0];
+- ei_l = btrfs_item_ptr(leaf_l,
+- sctx->left_path->slots[0],
+- struct btrfs_file_extent_item);
+- ei_r = btrfs_item_ptr(leaf_r,
+- sctx->right_path->slots[0],
+- struct btrfs_file_extent_item);
+-
+- /*
+- * We may have found an extent item that has changed
+- * only its disk_bytenr field and the corresponding
+- * inode item was not updated. This case happens due to
+- * very specific timings during relocation when a leaf
+- * that contains file extent items is COWed while
+- * relocation is ongoing and its in the stage where it
+- * updates data pointers. So when this happens we can
+- * safely ignore it since we know it's the same extent,
+- * but just at different logical and physical locations
+- * (when an extent is fully replaced with a new one, we
+- * know the generation number must have changed too,
+- * since snapshot creation implies committing the current
+- * transaction, and the inode item must have been updated
+- * as well).
+- * This replacement of the disk_bytenr happens at
+- * relocation.c:replace_file_extents() through
+- * relocation.c:btrfs_reloc_cow_block().
+- */
+- if (btrfs_file_extent_generation(leaf_l, ei_l) ==
+- btrfs_file_extent_generation(leaf_r, ei_r) &&
+- btrfs_file_extent_ram_bytes(leaf_l, ei_l) ==
+- btrfs_file_extent_ram_bytes(leaf_r, ei_r) &&
+- btrfs_file_extent_compression(leaf_l, ei_l) ==
+- btrfs_file_extent_compression(leaf_r, ei_r) &&
+- btrfs_file_extent_encryption(leaf_l, ei_l) ==
+- btrfs_file_extent_encryption(leaf_r, ei_r) &&
+- btrfs_file_extent_other_encoding(leaf_l, ei_l) ==
+- btrfs_file_extent_other_encoding(leaf_r, ei_r) &&
+- btrfs_file_extent_type(leaf_l, ei_l) ==
+- btrfs_file_extent_type(leaf_r, ei_r) &&
+- btrfs_file_extent_disk_bytenr(leaf_l, ei_l) !=
+- btrfs_file_extent_disk_bytenr(leaf_r, ei_r) &&
+- btrfs_file_extent_disk_num_bytes(leaf_l, ei_l) ==
+- btrfs_file_extent_disk_num_bytes(leaf_r, ei_r) &&
+- btrfs_file_extent_offset(leaf_l, ei_l) ==
+- btrfs_file_extent_offset(leaf_r, ei_r) &&
+- btrfs_file_extent_num_bytes(leaf_l, ei_l) ==
+- btrfs_file_extent_num_bytes(leaf_r, ei_r))
+- return 0;
+- }
+-
+- inconsistent_snapshot_error(sctx, result, "extent");
+- return -EIO;
+- }
++ /*
++ * We have found an extent item that changed without the inode item
++ * having changed. This can happen either after relocation (where the
++ * disk_bytenr of an extent item is replaced at
++ * relocation.c:replace_file_extents()) or after deduplication into a
++ * file in both the parent and send snapshots (where an extent item can
++ * get modified or replaced with a new one). Note that deduplication
++ * updates the inode item, but it only changes the iversion (sequence
++ * field in the inode item) of the inode, so if a file is deduplicated
++ * the same amount of times in both the parent and send snapshots, its
++ * iversion becames the same in both snapshots, whence the inode item is
++ * the same on both snapshots.
++ */
++ if (sctx->cur_ino != sctx->cmp_key->objectid)
++ return 0;
+
+ if (!sctx->cur_inode_new_gen && !sctx->cur_inode_deleted) {
+ if (result != BTRFS_COMPARE_TREE_DELETED)
+--
+2.16.4
+
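Review bot: The new early return in changed_extent() accepts every extent-item change whose inode item is unchanged, so the removed `inconsistent_snapshot_error(sctx, result, "extent")` / `-EIO` path no longer flags any mismatch here, including one caused by something other than relocation or deduplication. The comment names those two cases but does not say why skipping is safe; stating the assumption would help, for example `/* In both cases the file data is unchanged, so there is nothing to send for this extent. */`. If other causes are possible (not determinable from this hunk), a debug-level message before `return 0` would keep them diagnosable instead of silently ignored. The comment also has a typo, "becames". changed_extent() continues past the end of the inner hunk.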
diff --git a/patches.suse/btrfs-fix-race-leading-to-fs-corruption-after-transa.patch b/patches.suse/btrfs-fix-race-leading-to-fs-corruption-after-transa.patch
new file mode 100644
index 0000000000..dd70a59ff8
--- /dev/null
+++ b/patches.suse/btrfs-fix-race-leading-to-fs-corruption-after-transa.patch
@@ -0,0 +1,144 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Thu, 25 Jul 2019 11:27:04 +0100
+Git-commit: cb2d3daddbfb6318d170e79aac1f7d5e4d49f0d7
+Patch-mainline: 5.3-rc3
+Subject: [PATCH] Btrfs: fix race leading to fs corruption after transaction
+ abort
+References: bsc#1145937
+
+When one transaction is finishing its commit, it is possible for another
+transaction to start and enter its initial commit phase as well. If the
+first ends up getting aborted, we have a small time window where the second
+transaction commit does not notice that the previous transaction aborted
+and ends up committing, writing a superblock that points to btrees that
+reference extent buffers (nodes and leafs) that were not persisted to disk.
+The consequence is that after mounting the filesystem again, we will be
+unable to load some btree nodes/leafs, either because the content on disk
+is either garbage (or just zeroes) or corresponds to the old content of a
+previouly COWed or deleted node/leaf, resulting in the well known error
+messages "parent transid verify failed on ...".
+The following sequence diagram illustrates how this can happen.
+
+ CPU 1 CPU 2
+
+ <at transaction N>
+
+ btrfs_commit_transaction()
+ (...)
+ --> sets transaction state to
+ TRANS_STATE_UNBLOCKED
+ --> sets fs_info->running_transaction
+ to NULL
+
+ (...)
+ btrfs_start_transaction()
+ start_transaction()
+ wait_current_trans()
+ --> returns immediately
+ because
+ fs_info->running_transaction
+ is NULL
+ join_transaction()
+ --> creates transaction N + 1
+ --> sets
+ fs_info->running_transaction
+ to transaction N + 1
+ --> adds transaction N + 1 to
+ the fs_info->trans_list list
+ --> returns transaction handle
+ pointing to the new
+ transaction N + 1
+ (...)
+
+ btrfs_sync_file()
+ btrfs_start_transaction()
+ --> returns handle to
+ transaction N + 1
+ (...)
+
+ btrfs_write_and_wait_transaction()
+ --> writeback of some extent
+ buffer fails, returns an
+ error
+ btrfs_handle_fs_error()
+ --> sets BTRFS_FS_STATE_ERROR in
+ fs_info->fs_state
+ --> jumps to label "scrub_continue"
+ cleanup_transaction()
+ btrfs_abort_transaction(N)
+ --> sets BTRFS_FS_STATE_TRANS_ABORTED
+ flag in fs_info->fs_state
+ --> sets aborted field in the
+ transaction and transaction
+ handle structures, for
+ transaction N only
+ --> removes transaction from the
+ list fs_info->trans_list
+ btrfs_commit_transaction(N + 1)
+ --> transaction N + 1 was not
+ aborted, so it proceeds
+ (...)
+ --> sets the transaction's state
+ to TRANS_STATE_COMMIT_START
+ --> does not find the previous
+ transaction (N) in the
+ fs_info->trans_list, so it
+ doesn't know that transaction
+ was aborted, and the commit
+ of transaction N + 1 proceeds
+ (...)
+ --> sets transaction N + 1 state
+ to TRANS_STATE_UNBLOCKED
+ btrfs_write_and_wait_transaction()
+ --> succeeds writing all extent
+ buffers created in the
+ transaction N + 1
+ write_all_supers()
+ --> succeeds
+ --> we now have a superblock on
+ disk that points to trees
+ that refer to at least one
+ extent buffer that was
+ never persisted
+
+So fix this by updating the transaction commit path to check if the flag
+BTRFS_FS_STATE_TRANS_ABORTED is set on fs_info->fs_state if after setting
+the transaction to the TRANS_STATE_COMMIT_START we do not find any previous
+transaction in the fs_info->trans_list. If the flag is set, just fail the
+transaction commit with -EROFS, as we do in other places. The exact error
+code for the previous transaction abort was already logged and reported.
+
+Fixes: 49b25e0540904b ("btrfs: enhance transaction abort infrastructure")
+CC: stable@vger.kernel.org # 4.4+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/transaction.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
+index 5ce9180030e6..0d0f5b4b819f 100644
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -2064,6 +2064,16 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+ }
+ } else {
+ spin_unlock(&fs_info->trans_lock);
++ /*
++ * The previous transaction was aborted and was already removed
++ * from the list of transactions at fs_info->trans_list. So we
++ * abort to prevent writing a new superblock that reflects a
++ * corrupt state (pointing to trees with unwritten nodes/leafs).
++ */
++ if (test_bit(BTRFS_FS_STATE_TRANS_ABORTED, &fs_info->fs_state)) {
++ ret = -EROFS;
++ goto cleanup_transaction;
++ }
+ }
+
+ extwriter_counter_dec(cur_trans, trans->type);
+--
+2.16.4
+
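Review bot: The comment added in the else branch of btrfs_commit_transaction() reads as an unconditional statement, but per the commit message this branch is taken whenever no previous transaction is found on fs_info->trans_list, which presumably includes the ordinary case where none was aborted. Only the `test_bit()` below distinguishes the two, so I would word it conditionally, e.g. `/* A previous transaction may have been aborted and already removed from fs_info->trans_list; the fs_state flag is then the only trace of it. */`. The check also relies on BTRFS_FS_STATE_TRANS_ABORTED being set before the aborted transaction leaves the list, which the diagram in the description shows but the code comment does not mention. The function body begins and ends outside the inner hunk.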
diff --git a/series.conf b/series.conf
index d25899960b..f32a9e934b 100644
--- a/series.conf
+++ b/series.conf
@@ -19480,6 +19480,7 @@
patches.fixes/0019-xfrm6-call-kfree_skb-when-skb-is-toobig.patch
patches.fixes/0020-xfrm-reset-transport-header-back-to-network-header-a.patch
patches.fixes/0021-xfrm-reset-crypto_done-when-iterating-over-multiple-.patch
+ patches.fixes/0001-xfrm-Fix-NULL-pointer-dereference-when-skb_dst_force.patch
patches.fixes/Bluetooth-SMP-fix-crash-in-unpairing.patch
patches.fixes/Revert-openvswitch-Fix-template-leak-in-error-cases.patch
patches.drivers/declance-Fix-continuation-with-the-adapter-identific.patch
@@ -20693,6 +20694,9 @@
patches.suse/ip6mr-Fix-potential-Spectre-v1-vulnerability.patch
patches.suse/qmi_wwan-Added-support-for-Fibocom-NL668-series.patch
patches.suse/qmi_wwan-Added-support-for-Telit-LN940-series.patch
+ patches.fixes/0002-xfrm-Fix-error-return-code-in-xfrm_output_one.patch
+ patches.fixes/0004-xfrm-Fix-bucket-count-reported-to-userspace.patch
+ patches.fixes/0003-xfrm-Fix-NULL-pointer-dereference-in-xfrm_input-when.patch
patches.suse/VSOCK-Send-reset-control-packet-when-socket-is-parti.patch
patches.drivers/qed-Fix-an-error-code-qed_ll2_start_xmit.patch
patches.suse/net-macb-restart-tx-after-tx-used-bit-read.patch
@@ -22998,6 +23002,8 @@
patches.fixes/scsi-vmw_pscsi-Fix-use-after-free-in-pvscsi_queue_lc.patch
patches.fixes/efi-bgrt-Drop-BGRT-status-field-reserved-bits-check.patch
patches.arch/x86-microcode-fix-the-microcode-load-on-cpu-hotplug-for-real.patch
+ patches.arch/x86-speculation-allow-guests-to-use-ssbd-even-if-host-does-not.patch
+ patches.arch/cpu-speculation-warn-on-unsupported-mitigations-parameter.patch
patches.fixes/Bluetooth-Fix-faulty-expression-for-minimum-encrypti.patch
patches.suse/ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch
patches.suse/tracing-snapshot-resize-spare-buffer-if-size-changed.patch
@@ -23265,7 +23271,10 @@
patches.suse/msft-hv-1895-PCI-hv-Fix-a-use-after-free-bug-in-hv_eject_device_w.patch
patches.fixes/0001-PCI-qcom-Ensure-that-PERST-is-asserted-for-at-least-.patch
patches.fixes/0001-PCI-xilinx-nwl-Fix-Multi-MSI-data-programming.patch
+ patches.suse/btrfs-fix-data-loss-after-inode-eviction-renaming-it.patch
patches.suse/Btrfs-prevent-send-failures-and-crashes-due-to-concu.patch
+ patches.suse/btrfs-fix-fsync-not-persisting-dentry-deletions-due-.patch
+ patches.suse/btrfs-add-missing-inode-version-ctime-and-mtime-upda.patch
patches.drivers/0022-drivers-rapidio-devices-rio_mport_cdev.c-NUL-termina.patch
patches.drivers/dmaengine-hsu-Revert-set-HSU_CH_MTSR-to-memory-width.patch
patches.drivers/0008-dmaengine-rcar-dmac-Reject-zero-length-slave-DMA-req.patch
@@ -23295,6 +23304,7 @@
patches.arch/kvm-svm-fix-detection-of-amd-errata-1096
patches.arch/kvm-x86-vpmu-refine-kvm_pmu-err-msg-when-event-creation-failed
patches.arch/kvm-nvmx-do-not-use-dangling-shadow-vmcs-after-guest-reset
+ patches.arch/x86-boot-fix-memory-leak-in-default_get_smp_config.patch
patches.drivers/Input-synaptics-whitelist-Lenovo-T580-SMBus-intertou.patch
patches.drivers/Input-gtco-bounds-check-collection-indent-level.patch
patches.drivers/Input-alps-don-t-handle-ALPS-cs19-trackpoint-only-de.patch
@@ -23326,6 +23336,7 @@
patches.arch/x86-mm-check-for-pfn-instead-of-page-in-vmalloc_sync_one
patches.arch/x86-mm-sync-also-unmappings-in-vmalloc_sync_all
patches.arch/mm-vmalloc-sync-unmappings-in-_purge_vmap_area_lazy
+ patches.arch/x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch
patches.drivers/usb-pci-quirks-Correct-AMD-PLL-quirk-detection.patch
patches.drivers/usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch
patches.fixes/hpet-Fix-division-by-zero-in-hpet_time_div.patch
@@ -23338,6 +23349,8 @@
patches.drivers/ALSA-pcm-fix-lost-wakeup-event-scenarios-in-snd_pcm_.patch
patches.drivers/ALSA-usb-audio-Fix-gpf-in-snd_usb_pipe_sanity_check.patch
patches.drivers/ACPI-PM-Fix-regression-in-acpi_device_set_power.patch
+ patches.suse/btrfs-fix-incremental-send-failure-after-deduplicati.patch
+ patches.suse/btrfs-fix-race-leading-to-fs-corruption-after-transa.patch
patches.drivers/IB-mlx5-Fix-MR-registration-flow-to-use-UMR-properly.patch
patches.drivers/libata-zpodd-Fix-small-read-overflow-in-zpodd_get_me.patch
patches.drivers/ata-libahci-do-not-complain-in-case-of-deferred-prob.patch
@@ -23374,6 +23387,8 @@
patches.drivers/usb-yurex-Fix-use-after-free-in-yurex_delete.patch
patches.drivers/usb-iowarrior-fix-deadlock-on-disconnect.patch
patches.fixes/driver_core-Fix_use-after-free_and_double_free_on_glue.patch
+ patches.drivers/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_u.patch
+ patches.drivers/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-ch.patch
# dhowells/linux-fs keys-uefi
patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch