Home Home > GIT Browse > openSUSE-15.0
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKernel Build Daemon <kbuild@suse.de>2019-05-25 07:09:12 +0200
committerKernel Build Daemon <kbuild@suse.de>2019-05-25 07:09:12 +0200
commitb52494607a36b4ef6fc1c47dbdffdcb71df0eb55 (patch)
treef110e9d4c6db3d20f30f480c38b8656bf85c4030
parentfd0cc385c8741a4db91df1841370da78565db052 (diff)
parent7358223589a24e13b0898003b38d3dc29f13396c (diff)
Merge branch 'SLE15' into openSUSE-15.0
-rw-r--r--patches.drivers/RDMA-hns-Fix-bug-that-caused-srq-creation-to-fail.patch72
-rw-r--r--patches.drivers/bnxt_en-Free-short-FW-command-HWRM-memory-in-error-p.patch30
-rw-r--r--patches.drivers/bpf-Add-missed-newline-in-verifier-verbose-log.patch38
-rw-r--r--patches.drivers/net-ena-fix-return-value-of-ena_com_config_llq_info.patch31
-rw-r--r--patches.drivers/net-hns3-remove-resetting-check-in-hclgevf_reset_tas.patch33
-rw-r--r--patches.drivers/net-mlx5e-Fix-trailing-semicolon.patch29
-rw-r--r--patches.drivers/net-mlx5e-IPoIB-Reset-QP-after-channels-are-closed.patch41
-rw-r--r--patches.drivers/net-sched-don-t-dereference-a-goto_chain-to-read-the.patch34
-rw-r--r--patches.drivers/platform-x86-pmc_atom-Add-Lex-3I380D-industrial-PC-t.patch53
-rw-r--r--patches.drivers/platform-x86-pmc_atom-Add-several-Beckhoff-Automatio.patch60
-rw-r--r--patches.drm/drm-i915-gvt-do-not-let-TRTTE-and-0x4dfc-write-passt.patch64
-rw-r--r--patches.drm/drm-vmwgfx-Don-t-send-drm-sysfs-hotplug-events-on-in.patch44
-rw-r--r--patches.drm/drm-vmwgfx-integer-underflow-in-vmw_cmd_dx_set_shade.patch37
-rw-r--r--patches.fixes/0001-net-make-skb_partial_csum_set-more-robust-against-ov.patch93
-rw-r--r--patches.fixes/0002-ip_gre-fix-parsing-gre-header-in-ipgre_err.patch69
-rw-r--r--patches.fixes/0003-net-ipv4-defensive-cipso-option-parsing.patch67
-rw-r--r--patches.fixes/0004-netfilter-nft_compat-do-not-dump-private-area.patch71
-rw-r--r--patches.fixes/0005-net-don-t-keep-lonely-packets-forever-in-the-gro-has.patch58
-rw-r--r--patches.fixes/0006-ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch57
-rw-r--r--patches.fixes/0007-netfilter-ipset-do-not-call-ipset_nest_end-after-nla.patch39
-rw-r--r--patches.fixes/0008-netfilter-nf_tables-fix-leaking-object-reference-cou.patch56
-rw-r--r--patches.fixes/0009-ipv6-invert-flowlabel-sharing-check-in-process-and-u.patch41
-rw-r--r--patches.fixes/0010-ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch154
-rw-r--r--patches.fixes/0011-netfilter-ebtables-CONFIG_COMPAT-reject-trailing-dat.patch42
-rw-r--r--patches.fixes/arm64-Export-save_stack_trace_tsk.patch35
-rw-r--r--patches.fixes/block-Don-t-revalidate-bdev-of-hidden-gendisk.patch62
-rw-r--r--patches.kabi/kabi-fix-for-check_disk_size_change.patch30
-rw-r--r--patches.suse/nvme-Do-not-remove-namespaces-during-reset.patch42
-rw-r--r--patches.suse/nvme-flush-scan_work-when-resetting-controller.patch61
-rw-r--r--series.conf28
30 files changed, 1556 insertions, 15 deletions
diff --git a/patches.drivers/RDMA-hns-Fix-bug-that-caused-srq-creation-to-fail.patch b/patches.drivers/RDMA-hns-Fix-bug-that-caused-srq-creation-to-fail.patch
new file mode 100644
index 0000000000..827c32749d
--- /dev/null
+++ b/patches.drivers/RDMA-hns-Fix-bug-that-caused-srq-creation-to-fail.patch
@@ -0,0 +1,72 @@
+From: Lijun Ou <oulijun@huawei.com>
+Date: Sun, 7 Apr 2019 13:23:38 +0800
+Subject: RDMA/hns: Fix bug that caused srq creation to fail
+Patch-mainline: v5.1-rc5
+Git-commit: 4772e03d239484f3461e33c79d721c8ea03f7416
+References: bsc#1104427 FATE#326416
+
+Due to the incorrect use of the seg and obj information, the position of
+the mtt is calculated incorrectly, and the free space of the page is not
+enough to store the entire mtt, resulting in access to the next page. This
+patch fixes this problem.
+
+ Unable to handle kernel paging request at virtual address ffff00006e3cd000
+ ...
+ Call trace:
+ hns_roce_write_mtt+0x154/0x2f0 [hns_roce]
+ hns_roce_buf_write_mtt+0xa8/0xd8 [hns_roce]
+ hns_roce_create_srq+0x74c/0x808 [hns_roce]
+ ib_create_srq+0x28/0xc8
+
+Fixes: 0203b14c4f32 ("RDMA/hns: Unify the calculation for hem index in hip08")
+Signed-off-by: chenglang <chenglang@huawei.com>
+Signed-off-by: Lijun Ou <oulijun@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+---
+ drivers/infiniband/hw/hns/hns_roce_hem.c | 6 ++++--
+ drivers/infiniband/hw/hns/hns_roce_mr.c | 4 ++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
+@@ -742,6 +742,8 @@ void *hns_roce_table_find(struct hns_roc
+ idx_offset = (obj & (table->num_obj - 1)) % obj_per_chunk;
+ dma_offset = offset = idx_offset * table->obj_size;
+ } else {
++ u32 seg_size = 64; /* 8 bytes per BA and 8 BA per segment */
++
+ hns_roce_calc_hem_mhop(hr_dev, table, &mhop_obj, &mhop);
+ /* mtt mhop */
+ i = mhop.l0_idx;
+@@ -753,8 +755,8 @@ void *hns_roce_table_find(struct hns_roc
+ hem_idx = i;
+
+ hem = table->hem[hem_idx];
+- dma_offset = offset = (obj & (table->num_obj - 1)) *
+- table->obj_size % mhop.bt_chunk_size;
++ dma_offset = offset = (obj & (table->num_obj - 1)) * seg_size %
++ mhop.bt_chunk_size;
+ if (mhop.hop_num == 2)
+ dma_offset = offset = 0;
+ }
+--- a/drivers/infiniband/hw/hns/hns_roce_mr.c
++++ b/drivers/infiniband/hw/hns/hns_roce_mr.c
+@@ -707,7 +707,6 @@ static int hns_roce_write_mtt_chunk(stru
+ struct hns_roce_hem_table *table;
+ dma_addr_t dma_handle;
+ __le64 *mtts;
+- u32 s = start_index * sizeof(u64);
+ u32 bt_page_size;
+ u32 i;
+
+@@ -730,7 +729,8 @@ static int hns_roce_write_mtt_chunk(stru
+ table = &hr_dev->mr_table.mtt_cqe_table;
+
+ mtts = hns_roce_table_find(hr_dev, table,
+- mtt->first_seg + s / hr_dev->caps.mtt_entry_sz,
++ mtt->first_seg +
++ start_index / HNS_ROCE_MTT_ENTRY_PER_SEG,
+ &dma_handle);
+ if (!mtts)
+ return -ENOMEM;
diff --git a/patches.drivers/bnxt_en-Free-short-FW-command-HWRM-memory-in-error-p.patch b/patches.drivers/bnxt_en-Free-short-FW-command-HWRM-memory-in-error-p.patch
new file mode 100644
index 0000000000..28db564b9e
--- /dev/null
+++ b/patches.drivers/bnxt_en-Free-short-FW-command-HWRM-memory-in-error-p.patch
@@ -0,0 +1,30 @@
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Date: Thu, 25 Apr 2019 22:31:51 -0400
+Subject: bnxt_en: Free short FW command HWRM memory in error path in
+ bnxt_init_one()
+Patch-mainline: v5.1
+Git-commit: f9099d611449836a51a65f40ea7dc9cb5f2f665e
+References: bsc#1050242 FATE#322914
+
+In the bnxt_init_one() error path, short FW command request memory
+is not freed. This patch fixes it.
+
+Fixes: e605db801bde ("bnxt_en: Support for Short Firmware Message")
+Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -8865,6 +8865,7 @@ init_err_cleanup_tc:
+ bnxt_clear_int_mode(bp);
+
+ init_err_pci_clean:
++ bnxt_free_hwrm_short_cmd_req(bp);
+ bnxt_free_hwrm_resources(bp);
+ bnxt_cleanup_pci(bp);
+
diff --git a/patches.drivers/bpf-Add-missed-newline-in-verifier-verbose-log.patch b/patches.drivers/bpf-Add-missed-newline-in-verifier-verbose-log.patch
new file mode 100644
index 0000000000..98b74f750b
--- /dev/null
+++ b/patches.drivers/bpf-Add-missed-newline-in-verifier-verbose-log.patch
@@ -0,0 +1,38 @@
+From: Andrey Ignatov <rdna@fb.com>
+Date: Wed, 3 Apr 2019 23:22:43 -0700
+Subject: bpf: Add missed newline in verifier verbose log
+Patch-mainline: v5.2-rc1
+Git-commit: 1fbd20f8b77b366ea4aeb92ade72daa7f36a7e3b
+References: bsc#1056787
+
+check_stack_access() that prints verbose log is used in
+adjust_ptr_min_max_vals() that prints its own verbose log and now they
+stick together, e.g.:
+
+ variable stack access var_off=(0xfffffffffffffff0; 0x4) off=-16
+ size=1R2 stack pointer arithmetic goes out of range, prohibited for
+ !root
+
+Add missing newline so that log is more readable:
+ variable stack access var_off=(0xfffffffffffffff0; 0x4) off=-16 size=1
+ R2 stack pointer arithmetic goes out of range, prohibited for !root
+
+Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
+Signed-off-by: Andrey Ignatov <rdna@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+---
+ kernel/bpf/verifier.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -831,7 +831,7 @@ static int check_stack_access(struct bpf
+ char tn_buf[48];
+
+ tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
+- verbose(env, "variable stack access var_off=%s off=%d size=%d",
++ verbose(env, "variable stack access var_off=%s off=%d size=%d\n",
+ tn_buf, off, size);
+ return -EACCES;
+ }
diff --git a/patches.drivers/net-ena-fix-return-value-of-ena_com_config_llq_info.patch b/patches.drivers/net-ena-fix-return-value-of-ena_com_config_llq_info.patch
new file mode 100644
index 0000000000..bdfc085781
--- /dev/null
+++ b/patches.drivers/net-ena-fix-return-value-of-ena_com_config_llq_info.patch
@@ -0,0 +1,31 @@
+From: Sameeh Jubran <sameehj@amazon.com>
+Date: Wed, 1 May 2019 16:47:07 +0300
+Subject: net: ena: fix return value of ena_com_config_llq_info()
+Patch-mainline: v5.2-rc1
+Git-commit: 9a27de0c6ba10fe1af74d16d3524425e52c1ba3e
+References: bsc#1111696 bsc#1117561
+
+ena_com_config_llq_info() returns 0 even if ena_com_set_llq() fails.
+Return the failure code of ena_com_set_llq() in case it fails.
+
+fixes: 689b2bdaaa14 ("net: ena: add functions for handling Low Latency Queues in ena_com")
+
+Signed-off-by: Arthur Kiyanovski <akiyano@amazon.com>
+Signed-off-by: Sameeh Jubran <sameehj@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+---
+ drivers/net/ethernet/amazon/ena/ena_com.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_com.c
++++ b/drivers/net/ethernet/amazon/ena/ena_com.c
+@@ -731,7 +731,7 @@ static int ena_com_config_llq_info(struc
+ if (rc)
+ pr_err("Cannot set LLQ configuration: %d\n", rc);
+
+- return 0;
++ return rc;
+ }
+
+ static int ena_com_wait_and_process_admin_cq_interrupts(struct ena_comp_ctx *comp_ctx,
diff --git a/patches.drivers/net-hns3-remove-resetting-check-in-hclgevf_reset_tas.patch b/patches.drivers/net-hns3-remove-resetting-check-in-hclgevf_reset_tas.patch
new file mode 100644
index 0000000000..17baaca021
--- /dev/null
+++ b/patches.drivers/net-hns3-remove-resetting-check-in-hclgevf_reset_tas.patch
@@ -0,0 +1,33 @@
+From: Huazhong Tan <tanhuazhong@huawei.com>
+Date: Sat, 6 Apr 2019 15:43:35 +0800
+Subject: net: hns3: remove resetting check in hclgevf_reset_task_schedule
+Patch-mainline: v5.2-rc1
+Git-commit: 7d60070668e4bf53571f43c6cf30838ca5dccffd
+References: bsc#1104353 FATE#326415 bsc#1135056
+
+The checking of HCLGEVF_STATE_RST_HANDLING flag in the
+hclgevf_reset_task_schedule() will make some scheduling of
+reset pending fail. This flag will be checked in the
+hclgevf_reset_service_task(), it is unnecessary to check it
+in the hclgevf_reset_task_schedule(). So this patch removes it.
+
+Fixes: 35a1e50343bd ("net: hns3: Add VF Reset Service Task to support event handling")
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -1139,8 +1139,7 @@ static void hclgevf_get_misc_vector(stru
+
+ void hclgevf_reset_task_schedule(struct hclgevf_dev *hdev)
+ {
+- if (!test_bit(HCLGEVF_STATE_RST_SERVICE_SCHED, &hdev->state) &&
+- !test_bit(HCLGEVF_STATE_RST_HANDLING, &hdev->state)) {
++ if (!test_bit(HCLGEVF_STATE_RST_SERVICE_SCHED, &hdev->state)) {
+ set_bit(HCLGEVF_STATE_RST_SERVICE_SCHED, &hdev->state);
+ schedule_work(&hdev->rst_service_task);
+ }
diff --git a/patches.drivers/net-mlx5e-Fix-trailing-semicolon.patch b/patches.drivers/net-mlx5e-Fix-trailing-semicolon.patch
new file mode 100644
index 0000000000..a2e39662f4
--- /dev/null
+++ b/patches.drivers/net-mlx5e-Fix-trailing-semicolon.patch
@@ -0,0 +1,29 @@
+From: Luis de Bethencourt <luisbg@kernel.org>
+Date: Wed, 17 Jan 2018 12:09:15 +0000
+Subject: net/mlx5e: Fix trailing semicolon
+Patch-mainline: v4.16-rc1
+Git-commit: 4c5386bae994e0cf683c973ea8adc23e0d2ca3d3
+References: bsc#1075020
+
+The trailing semicolon is an empty statement that does no operation.
+Removing it since it doesn't do anything.
+
+Signed-off-by: Luis de Bethencourt <luisbg@kernel.org>
+Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
+@@ -476,7 +476,7 @@ static int mlx5i_close(struct net_device
+ mlx5_fs_remove_rx_underlay_qpn(mdev, ipriv->qp.qpn);
+ mlx5i_uninit_underlay_qp(epriv);
+ mlx5e_deactivate_priv_channels(epriv);
+- mlx5e_close_channels(&epriv->channels);;
++ mlx5e_close_channels(&epriv->channels);
+ unlock:
+ mutex_unlock(&epriv->state_lock);
+ return 0;
diff --git a/patches.drivers/net-mlx5e-IPoIB-Reset-QP-after-channels-are-closed.patch b/patches.drivers/net-mlx5e-IPoIB-Reset-QP-after-channels-are-closed.patch
new file mode 100644
index 0000000000..6d9de3bf1d
--- /dev/null
+++ b/patches.drivers/net-mlx5e-IPoIB-Reset-QP-after-channels-are-closed.patch
@@ -0,0 +1,41 @@
+From: Denis Drozdov <denisd@mellanox.com>
+Date: Thu, 27 Sep 2018 14:17:54 +0300
+Subject: net/mlx5e: IPoIB, Reset QP after channels are closed
+Patch-mainline: v4.20-rc4
+Git-commit: acf3766b36d8e59ecbc307894c6d05703ee48014
+References: bsc#1075020
+
+The mlx5e channels should be closed before mlx5i_uninit_underlay_qp
+puts the QP into RST (reset) state during mlx5i_close. Currently QP
+state incorrectly set to RST before channels got deactivated and closed,
+since mlx5_post_send request expects QP in RTS (Ready To Send) state.
+
+The fix is to keep QP in RTS state until mlx5e channels get closed
+and to reset QP afterwards.
+
+Also this fix is simply correct in order to keep the open/close flow
+symmetric, i.e mlx5i_init_underlay_qp() is called first thing at open,
+the correct thing to do is to call mlx5i_uninit_underlay_qp() last thing
+at close, which is exactly what this patch is doing.
+
+Fixes: dae37456c8ac ("net/mlx5: Support for attaching multiple underlay QPs to root flow table")
+Signed-off-by: Denis Drozdov <denisd@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
+@@ -475,9 +475,9 @@ static int mlx5i_close(struct net_device
+
+ netif_carrier_off(epriv->netdev);
+ mlx5_fs_remove_rx_underlay_qpn(mdev, ipriv->qp.qpn);
+- mlx5i_uninit_underlay_qp(epriv);
+ mlx5e_deactivate_priv_channels(epriv);
+ mlx5e_close_channels(&epriv->channels);
++ mlx5i_uninit_underlay_qp(epriv);
+ unlock:
+ mutex_unlock(&epriv->state_lock);
+ return 0;
diff --git a/patches.drivers/net-sched-don-t-dereference-a-goto_chain-to-read-the.patch b/patches.drivers/net-sched-don-t-dereference-a-goto_chain-to-read-the.patch
new file mode 100644
index 0000000000..4a685655e9
--- /dev/null
+++ b/patches.drivers/net-sched-don-t-dereference-a-goto_chain-to-read-the.patch
@@ -0,0 +1,34 @@
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Wed, 20 Mar 2019 15:00:15 +0100
+Subject: net/sched: don't dereference a->goto_chain to read the chain index
+Patch-mainline: v5.1-rc3
+Git-commit: fe384e2fa36ca084a456fd30558cccc75b4b3fbd
+References: bsc#1064802 bsc#1066129
+
+callers of tcf_gact_goto_chain_index() can potentially read an old value
+of the chain index, or even dereference a NULL 'goto_chain' pointer,
+because 'goto_chain' and 'tcfa_action' are read in the traffic path
+without caring of concurrent write in the control path. The most recent
+value of chain index can be read also from a->tcfa_action (it's encoded
+there together with TC_ACT_GOTO_CHAIN bits), so we don't really need to
+dereference 'goto_chain': just read the chain id from the control action.
+
+Fixes: e457d86ada27 ("net: sched: add couple of goto_chain helpers")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+---
+ include/net/tc_act/tc_gact.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/tc_act/tc_gact.h
++++ b/include/net/tc_act/tc_gact.h
+@@ -55,7 +55,7 @@ static inline bool is_tcf_gact_goto_chai
+
+ static inline u32 tcf_gact_goto_chain_index(const struct tc_action *a)
+ {
+- return a->goto_chain->index;
++ return READ_ONCE(a->tcfa_action) & TC_ACT_EXT_VAL_MASK;
+ }
+
+ #endif /* __NET_TC_GACT_H */
diff --git a/patches.drivers/platform-x86-pmc_atom-Add-Lex-3I380D-industrial-PC-t.patch b/patches.drivers/platform-x86-pmc_atom-Add-Lex-3I380D-industrial-PC-t.patch
new file mode 100644
index 0000000000..4078806e38
--- /dev/null
+++ b/patches.drivers/platform-x86-pmc_atom-Add-Lex-3I380D-industrial-PC-t.patch
@@ -0,0 +1,53 @@
+From 3d0818f5eba80fbe4c0addbfe6ddb2d19dc82cd4 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 29 Apr 2019 17:01:35 +0200
+Subject: [PATCH] platform/x86: pmc_atom: Add Lex 3I380D industrial PC to critclk_systems DMI table
+Git-commit: 3d0818f5eba80fbe4c0addbfe6ddb2d19dc82cd4
+Patch-mainline: v5.2-rc2
+References: bsc#1051510
+
+The Lex 3I380D industrial PC has 4 ethernet controllers on board
+which need pmc_plt_clk0 - 3 to function, add it to the critclk_systems
+DMI table, so that drivers/clk/x86/clk-pmc-atom.c will mark the clocks
+as CLK_CRITICAL and they will not get turned off.
+
+Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL")
+Reported-and-tested-by: Semyon Verchenko <semverchenko@factor-ts.ru>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/platform/x86/pmc_atom.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c
+index c7039f52ad51..a311f48ce7c9 100644
+--- a/drivers/platform/x86/pmc_atom.c
++++ b/drivers/platform/x86/pmc_atom.c
+@@ -398,12 +398,21 @@ static int pmc_dbgfs_register(struct pmc_dev *pmc)
+ */
+ static const struct dmi_system_id critclk_systems[] = {
+ {
++ /* pmc_plt_clk0 is used for an external HSIC USB HUB */
+ .ident = "MPL CEC1x",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "MPL AG"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "CEC10 Family"),
+ },
+ },
++ {
++ /* pmc_plt_clk0 - 3 are used for the 4 ethernet controllers */
++ .ident = "Lex 3I380D",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Lex BayTrail"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "3I380D"),
++ },
++ },
+ { /*sentinel*/ }
+ };
+
+--
+2.16.4
+
diff --git a/patches.drivers/platform-x86-pmc_atom-Add-several-Beckhoff-Automatio.patch b/patches.drivers/platform-x86-pmc_atom-Add-several-Beckhoff-Automatio.patch
new file mode 100644
index 0000000000..f0f73037b1
--- /dev/null
+++ b/patches.drivers/platform-x86-pmc_atom-Add-several-Beckhoff-Automatio.patch
@@ -0,0 +1,60 @@
+From d6423bd03031c020121da26c41a26bd5cc6d0da3 Mon Sep 17 00:00:00 2001
+From: Steffen Dirkwinkel <s.dirkwinkel@beckhoff.com>
+Date: Thu, 2 May 2019 15:03:51 +0200
+Subject: [PATCH] platform/x86: pmc_atom: Add several Beckhoff Automation boards to critclk_systems DMI table
+Git-commit: d6423bd03031c020121da26c41a26bd5cc6d0da3
+Patch-mainline: v5.2-rc2
+References: bsc#1051510
+
+There are several Beckhoff Automation industrial PC boards which use
+pmc_plt_clk* clocks for ethernet controllers. This adds affected boards
+to critclk_systems DMI table so the clocks are marked as CLK_CRITICAL and
+not turned off.
+
+Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL")
+Signed-off-by: Steffen Dirkwinkel <s.dirkwinkel@beckhoff.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/platform/x86/pmc_atom.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c
+index a311f48ce7c9..b1d804376237 100644
+--- a/drivers/platform/x86/pmc_atom.c
++++ b/drivers/platform/x86/pmc_atom.c
+@@ -413,6 +413,30 @@ static const struct dmi_system_id critclk_systems[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "3I380D"),
+ },
+ },
++ {
++ /* pmc_plt_clk* - are used for ethernet controllers */
++ .ident = "Beckhoff CB3163",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"),
++ DMI_MATCH(DMI_BOARD_NAME, "CB3163"),
++ },
++ },
++ {
++ /* pmc_plt_clk* - are used for ethernet controllers */
++ .ident = "Beckhoff CB6263",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"),
++ DMI_MATCH(DMI_BOARD_NAME, "CB6263"),
++ },
++ },
++ {
++ /* pmc_plt_clk* - are used for ethernet controllers */
++ .ident = "Beckhoff CB6363",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Beckhoff Automation"),
++ DMI_MATCH(DMI_BOARD_NAME, "CB6363"),
++ },
++ },
+ { /*sentinel*/ }
+ };
+
+--
+2.16.4
+
diff --git a/patches.drm/drm-i915-gvt-do-not-let-TRTTE-and-0x4dfc-write-passt.patch b/patches.drm/drm-i915-gvt-do-not-let-TRTTE-and-0x4dfc-write-passt.patch
new file mode 100644
index 0000000000..c9e2e8cf08
--- /dev/null
+++ b/patches.drm/drm-i915-gvt-do-not-let-TRTTE-and-0x4dfc-write-passt.patch
@@ -0,0 +1,64 @@
+From e175a2520c7788a323ae93f04013b8fdaa552c69 Mon Sep 17 00:00:00 2001
+From: Yan Zhao <yan.y.zhao@intel.com>
+Date: Tue, 7 May 2019 22:16:44 -0400
+Subject: [PATCH] drm/i915/gvt: do not let TRTTE and 0x4dfc write passthrough to hardware
+Git-commit: e175a2520c7788a323ae93f04013b8fdaa552c69
+Patch-mainline: v5.2-rc2
+References: bsc#1051510
+
+the vGPU write on TRTTE and 0x4dfc is now write to vreg first. their
+values all be restored hardware when context switching.
+
+Fixes: e39c5add3221 ("drm/i915/gvt: vGPU MMIO virtualization")
+Acked-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Yan Zhao <yan.y.zhao@intel.com>
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/i915/gvt/handlers.c | 15 ---------------
+ 1 file changed, 15 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gvt/handlers.c b/drivers/gpu/drm/i915/gvt/handlers.c
+index 90673fca792f..e09bd6e0cc4d 100644
+--- a/drivers/gpu/drm/i915/gvt/handlers.c
++++ b/drivers/gpu/drm/i915/gvt/handlers.c
+@@ -1364,7 +1364,6 @@ static int dma_ctrl_write(struct intel_vgpu *vgpu, unsigned int offset,
+ static int gen9_trtte_write(struct intel_vgpu *vgpu, unsigned int offset,
+ void *p_data, unsigned int bytes)
+ {
+- struct drm_i915_private *dev_priv = vgpu->gvt->dev_priv;
+ u32 trtte = *(u32 *)p_data;
+
+ if ((trtte & 1) && (trtte & (1 << 1)) == 0) {
+@@ -1373,11 +1372,6 @@ static int gen9_trtte_write(struct intel_vgpu *vgpu, unsigned int offset,
+ return -EINVAL;
+ }
+ write_vreg(vgpu, offset, p_data, bytes);
+- /* TRTTE is not per-context */
+-
+- mmio_hw_access_pre(dev_priv);
+- I915_WRITE(_MMIO(offset), vgpu_vreg(vgpu, offset));
+- mmio_hw_access_post(dev_priv);
+
+ return 0;
+ }
+@@ -1385,15 +1379,6 @@ static int gen9_trtte_write(struct intel_vgpu *vgpu, unsigned int offset,
+ static int gen9_trtt_chicken_write(struct intel_vgpu *vgpu, unsigned int offset,
+ void *p_data, unsigned int bytes)
+ {
+- struct drm_i915_private *dev_priv = vgpu->gvt->dev_priv;
+- u32 val = *(u32 *)p_data;
+-
+- if (val & 1) {
+- /* unblock hw logic */
+- mmio_hw_access_pre(dev_priv);
+- I915_WRITE(_MMIO(offset), val);
+- mmio_hw_access_post(dev_priv);
+- }
+ write_vreg(vgpu, offset, p_data, bytes);
+ return 0;
+ }
+--
+2.16.4
+
diff --git a/patches.drm/drm-vmwgfx-Don-t-send-drm-sysfs-hotplug-events-on-in.patch b/patches.drm/drm-vmwgfx-Don-t-send-drm-sysfs-hotplug-events-on-in.patch
new file mode 100644
index 0000000000..5f3fff57c0
--- /dev/null
+++ b/patches.drm/drm-vmwgfx-Don-t-send-drm-sysfs-hotplug-events-on-in.patch
@@ -0,0 +1,44 @@
+From 63cb44441826e842b7285575b96db631cc9f2505 Mon Sep 17 00:00:00 2001
+From: Thomas Hellstrom <thellstrom@vmware.com>
+Date: Tue, 7 May 2019 11:07:53 +0200
+Subject: [PATCH] drm/vmwgfx: Don't send drm sysfs hotplug events on initial master set
+Git-commit: 63cb44441826e842b7285575b96db631cc9f2505
+Patch-mainline: v5.2-rc2
+References: bsc#1051510
+
+This may confuse user-space clients like plymouth that opens a drm
+file descriptor as a result of a hotplug event and then generates a
+new event...
+
+Cc: <stable@vger.kernel.org>
+Fixes: 5ea1734827bb ("drm/vmwgfx: Send a hotplug event at master_set")
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Reviewed-by: Deepak Rawat <drawat@vmware.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+index bf6c3500d363..4ff11a0077e1 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+@@ -1239,7 +1239,13 @@ static int vmw_master_set(struct drm_device *dev,
+ }
+
+ dev_priv->active_master = vmaster;
+- drm_sysfs_hotplug_event(dev);
++
++ /*
++ * Inform a new master that the layout may have changed while
++ * it was gone.
++ */
++ if (!from_open)
++ drm_sysfs_hotplug_event(dev);
+
+ return 0;
+ }
+--
+2.16.4
+
diff --git a/patches.drm/drm-vmwgfx-integer-underflow-in-vmw_cmd_dx_set_shade.patch b/patches.drm/drm-vmwgfx-integer-underflow-in-vmw_cmd_dx_set_shade.patch
new file mode 100644
index 0000000000..c9fb4f3659
--- /dev/null
+++ b/patches.drm/drm-vmwgfx-integer-underflow-in-vmw_cmd_dx_set_shade.patch
@@ -0,0 +1,37 @@
+From 5ed7f4b5eca11c3c69e7c8b53e4321812bc1ee1e Mon Sep 17 00:00:00 2001
+From: Murray McAllister <murray.mcallister@gmail.com>
+Date: Mon, 20 May 2019 21:57:34 +1200
+Subject: [PATCH] drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read
+Git-commit: 5ed7f4b5eca11c3c69e7c8b53e4321812bc1ee1e
+Patch-mainline: v5.2-rc2
+References: bsc#1051510
+
+If SVGA_3D_CMD_DX_SET_SHADER is called with a shader ID
+of SVGA3D_INVALID_ID, and a shader type of
+SVGA3D_SHADERTYPE_INVALID, the calculated binding.shader_slot
+will be 4294967295, leading to an out-of-bounds read in vmw_binding_loc()
+when the offset is calculated.
+
+Cc: <stable@vger.kernel.org>
+Fixes: d80efd5cb3de ("drm/vmwgfx: Initial DX support")
+Signed-off-by: Murray McAllister <murray.mcallister@gmail.com>
+Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+@@ -2493,7 +2493,8 @@ static int vmw_cmd_dx_set_shader(struct
+
+ cmd = container_of(header, typeof(*cmd), header);
+
+- if (cmd->body.type >= SVGA3D_SHADERTYPE_DX10_MAX) {
++ if (cmd->body.type >= SVGA3D_SHADERTYPE_DX10_MAX ||
++ cmd->body.type < SVGA3D_SHADERTYPE_MIN) {
+ DRM_ERROR("Illegal shader type %u.\n",
+ (unsigned) cmd->body.type);
+ return -EINVAL;
diff --git a/patches.fixes/0001-net-make-skb_partial_csum_set-more-robust-against-ov.patch b/patches.fixes/0001-net-make-skb_partial_csum_set-more-robust-against-ov.patch
new file mode 100644
index 0000000000..e5d9aa2124
--- /dev/null
+++ b/patches.fixes/0001-net-make-skb_partial_csum_set-more-robust-against-ov.patch
@@ -0,0 +1,93 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: net: make skb_partial_csum_set() more robust against
+ overflows
+Patch-mainline: v4.19-rc8
+Git-commit: 52b5d6f5dcf0e5201392f7d417148ccb537dbf6f
+References: git-fixes
+
+
+syzbot managed to crash in skb_checksum_help() [1] :
+
+ BUG_ON(offset + sizeof(__sum16) > skb_headlen(skb));
+
+Root cause is the following check in skb_partial_csum_set()
+
+ if (unlikely(start > skb_headlen(skb)) ||
+ unlikely((int)start + off > skb_headlen(skb) - 2))
+ return false;
+
+If skb_headlen(skb) is 1, then (skb_headlen(skb) - 2) becomes 0xffffffff
+and the check fails to detect that ((int)start + off) is off the limit,
+since the compare is unsigned.
+
+When we fix that, then the first condition (start > skb_headlen(skb))
+becomes obsolete.
+
+Then we should also check that (skb_headroom(skb) + start) wont
+overflow 16bit field.
+
+[1]
+kernel BUG at net/core/dev.c:2880!
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 7330 Comm: syz-executor4 Not tainted 4.19.0-rc6+ #253
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:skb_checksum_help+0x9e3/0xbb0 net/core/dev.c:2880
+Code: 85 00 ff ff ff 48 c1 e8 03 42 80 3c 28 00 0f 84 09 fb ff ff 48 8b bd 00 ff ff ff e8 97 a8 b9 fb e9 f8 fa ff ff e8 2d 09 76 fb <0f> 0b 48 8b bd 28 ff ff ff e8 1f a8 b9 fb e9 b1 f6 ff ff 48 89 cf
+RSP: 0018:ffff8801d83a6f60 EFLAGS: 00010293
+RAX: ffff8801b9834380 RBX: ffff8801b9f8d8c0 RCX: ffffffff8608c6d7
+RDX: 0000000000000000 RSI: ffffffff8608cc63 RDI: 0000000000000006
+RBP: ffff8801d83a7068 R08: ffff8801b9834380 R09: 0000000000000000
+R10: ffff8801d83a76d8 R11: 0000000000000000 R12: 0000000000000001
+R13: 0000000000010001 R14: 000000000000ffff R15: 00000000000000a8
+FS: 00007f1a66db5700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f7d77f091b0 CR3: 00000001ba252000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ skb_csum_hwoffload_help+0x8f/0xe0 net/core/dev.c:3269
+ validate_xmit_skb+0xa2a/0xf30 net/core/dev.c:3312
+ __dev_queue_xmit+0xc2f/0x3950 net/core/dev.c:3797
+ dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
+ packet_snd net/packet/af_packet.c:2928 [inline]
+ packet_sendmsg+0x422d/0x64c0 net/packet/af_packet.c:2953
+
+Fixes: 5ff8dda3035d ("net: Ensure partial checksum offset is inside the skb head")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/core/skbuff.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index bc663ccf6ba3..51906f8a8272 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3994,14 +3994,16 @@ EXPORT_SYMBOL_GPL(skb_complete_wifi_ack);
+ */
+ bool skb_partial_csum_set(struct sk_buff *skb, u16 start, u16 off)
+ {
+- if (unlikely(start > skb_headlen(skb)) ||
+- unlikely((int)start + off > skb_headlen(skb) - 2)) {
+- net_warn_ratelimited("bad partial csum: csum=%u/%u len=%u\n",
+- start, off, skb_headlen(skb));
++ u32 csum_end = (u32)start + (u32)off + sizeof(__sum16);
++ u32 csum_start = skb_headroom(skb) + (u32)start;
++
++ if (unlikely(csum_start > U16_MAX || csum_end > skb_headlen(skb))) {
++ net_warn_ratelimited("bad partial csum: csum=%u/%u headroom=%u headlen=%u\n",
++ start, off, skb_headroom(skb), skb_headlen(skb));
+ return false;
+ }
+ skb->ip_summed = CHECKSUM_PARTIAL;
+- skb->csum_start = skb_headroom(skb) + start;
++ skb->csum_start = csum_start;
+ skb->csum_offset = off;
+ skb_set_transport_header(skb, start);
+ return true;
+--
+2.12.3
+
diff --git a/patches.fixes/0002-ip_gre-fix-parsing-gre-header-in-ipgre_err.patch b/patches.fixes/0002-ip_gre-fix-parsing-gre-header-in-ipgre_err.patch
new file mode 100644
index 0000000000..6ec5c0a762
--- /dev/null
+++ b/patches.fixes/0002-ip_gre-fix-parsing-gre-header-in-ipgre_err.patch
@@ -0,0 +1,69 @@
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Subject: ip_gre: fix parsing gre header in ipgre_err
+Patch-mainline: v4.20-rc1
+Git-commit: b0350d51f001e6edc13ee4f253b98b50b05dd401
+References: git-fixes
+
+gre_parse_header stops parsing when csum_err is encountered, which means
+tpi->key is undefined and ip_tunnel_lookup will return NULL improperly.
+
+This patch introduce a NULL pointer as csum_err parameter. Even when
+csum_err is encountered, it won't return error and continue parsing gre
+header as expected.
+
+Fixes: 9f57c67c379d ("gre: Remove support for sharing GRE protocol hook.")
+Reported-by: Jiri Benc <jbenc@redhat.com>
+Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/gre_demux.c | 7 ++++---
+ net/ipv4/ip_gre.c | 9 +++------
+ 2 files changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/net/ipv4/gre_demux.c b/net/ipv4/gre_demux.c
+index b798862b6be5..7efe740c06eb 100644
+--- a/net/ipv4/gre_demux.c
++++ b/net/ipv4/gre_demux.c
+@@ -86,13 +86,14 @@ int gre_parse_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
+
+ options = (__be32 *)(greh + 1);
+ if (greh->flags & GRE_CSUM) {
+- if (skb_checksum_simple_validate(skb)) {
++ if (!skb_checksum_simple_validate(skb)) {
++ skb_checksum_try_convert(skb, IPPROTO_GRE, 0,
++ null_compute_pseudo);
++ } else if (csum_err) {
+ *csum_err = true;
+ return -EINVAL;
+ }
+
+- skb_checksum_try_convert(skb, IPPROTO_GRE, 0,
+- null_compute_pseudo);
+ options++;
+ }
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 4bbf248761ac..9a5a31bd71a1 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -224,13 +224,10 @@ static void gre_err(struct sk_buff *skb, u32 info)
+ const int type = icmp_hdr(skb)->type;
+ const int code = icmp_hdr(skb)->code;
+ struct tnl_ptk_info tpi;
+- bool csum_err = false;
+
+- if (gre_parse_header(skb, &tpi, &csum_err, htons(ETH_P_IP),
+- iph->ihl * 4) < 0) {
+- if (!csum_err) /* ignore csum errors. */
+- return;
+- }
++ if (gre_parse_header(skb, &tpi, NULL, htons(ETH_P_IP),
++ iph->ihl * 4) < 0)
++ return;
+
+ if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
+ ipv4_update_pmtu(skb, dev_net(skb->dev), info,
+--
+2.12.3
+
diff --git a/patches.fixes/0003-net-ipv4-defensive-cipso-option-parsing.patch b/patches.fixes/0003-net-ipv4-defensive-cipso-option-parsing.patch
new file mode 100644
index 0000000000..da8900d4b9
--- /dev/null
+++ b/patches.fixes/0003-net-ipv4-defensive-cipso-option-parsing.patch
@@ -0,0 +1,67 @@
+From: Stefan Nuernberger <snu@amazon.com>
+Subject: net/ipv4: defensive cipso option parsing
+Patch-mainline: v4.20-rc1
+Git-commit: 076ed3da0c9b2f88d9157dbe7044a45641ae369e
+References: git-fixes
+
+commit 40413955ee26 ("Cipso: cipso_v4_optptr enter infinite loop") fixed
+a possible infinite loop in the IP option parsing of CIPSO. The fix
+assumes that ip_options_compile filtered out all zero length options and
+that no other one-byte options beside IPOPT_END and IPOPT_NOOP exist.
+While this assumption currently holds true, add explicit checks for zero
+length and invalid length options to be safe for the future. Even though
+ip_options_compile should have validated the options, the introduction of
+new one-byte options can still confuse this code without the additional
+checks.
+
+Signed-off-by: Stefan Nuernberger <snu@amazon.com>
+Cc: David Woodhouse <dwmw@amazon.co.uk>
+Cc: Simon Veith <sveith@amazon.de>
+Cc: stable@vger.kernel.org
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/cipso_ipv4.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
+index dcfaf9db1378..71bcab94c5c7 100644
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1513,7 +1513,7 @@ static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def,
+ *
+ * Description:
+ * Parse the packet's IP header looking for a CIPSO option. Returns a pointer
+- * to the start of the CIPSO option on success, NULL if one if not found.
++ * to the start of the CIPSO option on success, NULL if one is not found.
+ *
+ */
+ unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
+@@ -1523,10 +1523,8 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
+ int optlen;
+ int taglen;
+
+- for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
++ for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 1; ) {
+ switch (optptr[0]) {
+- case IPOPT_CIPSO:
+- return optptr;
+ case IPOPT_END:
+ return NULL;
+ case IPOPT_NOOP:
+@@ -1535,6 +1533,11 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
+ default:
+ taglen = optptr[1];
+ }
++ if (!taglen || taglen > optlen)
++ return NULL;
++ if (optptr[0] == IPOPT_CIPSO)
++ return optptr;
++
+ optlen -= taglen;
+ optptr += taglen;
+ }
+--
+2.12.3
+
diff --git a/patches.fixes/0004-netfilter-nft_compat-do-not-dump-private-area.patch b/patches.fixes/0004-netfilter-nft_compat-do-not-dump-private-area.patch
new file mode 100644
index 0000000000..5695da740a
--- /dev/null
+++ b/patches.fixes/0004-netfilter-nft_compat-do-not-dump-private-area.patch
@@ -0,0 +1,71 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Subject: netfilter: nft_compat: do not dump private area
+Patch-mainline: v4.20-rc1
+Git-commit: d701d8117200399d85e63a737d2e4e897932f3b6
+References: git-fixes
+
+
+Zero pad private area, otherwise we expose private kernel pointer to
+userspace. This patch also zeroes the tail area after the ->matchsize
+and ->targetsize that results from XT_ALIGN().
+
+Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
+Reported-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nft_compat.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
+index d80aabe8287c..1a107a93427c 100644
+--- a/net/netfilter/nft_compat.c
++++ b/net/netfilter/nft_compat.c
+@@ -290,6 +290,24 @@ nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
+ module_put(target->me);
+ }
+
++static int nft_extension_dump_info(struct sk_buff *skb, int attr,
++ const void *info,
++ unsigned int size, unsigned int user_size)
++{
++ unsigned int info_size, aligned_size = XT_ALIGN(size);
++ struct nlattr *nla;
++
++ nla = nla_reserve(skb, attr, aligned_size);
++ if (!nla)
++ return -1;
++
++ info_size = user_size ? : size;
++ memcpy(nla_data(nla), info, info_size);
++ memset(nla_data(nla) + info_size, 0, aligned_size - info_size);
++
++ return 0;
++}
++
+ static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr)
+ {
+ const struct xt_target *target = expr->ops->data;
+@@ -297,7 +315,8 @@ static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr)
+
+ if (nla_put_string(skb, NFTA_TARGET_NAME, target->name) ||
+ nla_put_be32(skb, NFTA_TARGET_REV, htonl(target->revision)) ||
+- nla_put(skb, NFTA_TARGET_INFO, XT_ALIGN(target->targetsize), info))
++ nft_extension_dump_info(skb, NFTA_TARGET_INFO, info,
++ target->targetsize, target->usersize))
+ goto nla_put_failure;
+
+ return 0;
+@@ -532,7 +551,8 @@ static int __nft_match_dump(struct sk_buff *skb, const struct nft_expr *expr,
+
+ if (nla_put_string(skb, NFTA_MATCH_NAME, match->name) ||
+ nla_put_be32(skb, NFTA_MATCH_REV, htonl(match->revision)) ||
+- nla_put(skb, NFTA_MATCH_INFO, XT_ALIGN(match->matchsize), info))
++ nft_extension_dump_info(skb, NFTA_MATCH_INFO, info,
++ match->matchsize, match->usersize))
+ goto nla_put_failure;
+
+ return 0;
+--
+2.12.3
+
diff --git a/patches.fixes/0005-net-don-t-keep-lonely-packets-forever-in-the-gro-has.patch b/patches.fixes/0005-net-don-t-keep-lonely-packets-forever-in-the-gro-has.patch
new file mode 100644
index 0000000000..106f37e1d8
--- /dev/null
+++ b/patches.fixes/0005-net-don-t-keep-lonely-packets-forever-in-the-gro-has.patch
@@ -0,0 +1,58 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Subject: net: don't keep lonely packets forever in the gro hash
+Patch-mainline: v4.20-rc4
+Git-commit: 605108acfe6233b72e2f803aa1cb59a2af3001ca
+References: git-fixes
+
+
+Eric noted that with UDP GRO and NAPI timeout, we could keep a single
+UDP packet inside the GRO hash forever, if the related NAPI instance
+calls napi_gro_complete() at an higher frequency than the NAPI timeout.
+Willem noted that even TCP packets could be trapped there, till the
+next retransmission.
+This patch tries to address the issue, flushing the old packets -
+those with a NAPI_GRO_CB age before the current jiffy - before scheduling
+the NAPI timeout. The rationale is that such a timeout should be
+well below a jiffy and we are not flushing packets eligible for sane GRO.
+
+v1 -> v2:
+ - clarified the commit message and comment
+
+RFC -> v1:
+ - added 'Fixes tags', cleaned-up the wording.
+
+Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
+Fixes: 3b47d30396ba ("net: gro: add a per device gro flush timer")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/core/dev.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index f259eb1b21b8..f2d613200be4 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -5262,11 +5262,14 @@ bool napi_complete_done(struct napi_struct *n, int work_done)
+ if (work_done)
+ timeout = n->dev->gro_flush_timeout;
+
++ /* When the NAPI instance uses a timeout and keeps postponing
++ * it, we need to bound somehow the time packets are kept in
++ * the GRO layer
++ */
++ napi_gro_flush(n, !!timeout);
+ if (timeout)
+ hrtimer_start(&n->timer, ns_to_ktime(timeout),
+ HRTIMER_MODE_REL_PINNED);
+- else
+- napi_gro_flush(n, false);
+ }
+ if (unlikely(!list_empty(&n->poll_list))) {
+ /* If n->poll_list is not empty, we need to mask irqs */
+--
+2.12.3
+
diff --git a/patches.fixes/0006-ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch b/patches.fixes/0006-ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch
new file mode 100644
index 0000000000..fbe7dfa828
--- /dev/null
+++ b/patches.fixes/0006-ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch
@@ -0,0 +1,57 @@
+From: Xin Long <lucien.xin@gmail.com>
+Subject: ipvs: call ip_vs_dst_notifier earlier than
+ ipv6_dev_notf
+Patch-mainline: v4.20-rc5
+Git-commit: 2a31e4bd9ad255ee40809b5c798c4b1c2b09703b
+References: git-fixes
+
+ip_vs_dst_event is supposed to clean up all dst used in ipvs'
+destinations when a net dev is going down. But it works only
+when the dst's dev is the same as the dev from the event.
+
+Now with the same priority but late registration,
+ip_vs_dst_notifier is always called later than ipv6_dev_notf
+where the dst's dev is set to lo for NETDEV_DOWN event.
+
+As the dst's dev lo is not the same as the dev from the event
+in ip_vs_dst_event, ip_vs_dst_notifier doesn't actually work.
+Also as these dst have to wait for dest_trash_timer to clean
+them up. It would cause some non-permanent kernel warnings:
+
+ unregister_netdevice: waiting for br0 to become free. Usage count = 3
+
+To fix it, call ip_vs_dst_notifier earlier than ipv6_dev_notf
+by increasing its priority to ADDRCONF_NOTIFY_PRIORITY + 5.
+
+Note that for ipv4 route fib_netdev_notifier doesn't set dst's
+dev to lo in NETDEV_DOWN event, so this fix is only needed when
+IP_VS_IPV6 is defined.
+
+Fixes: 7a4f0761fce3 ("IPVS: init and cleanup restructuring")
+Reported-by: Li Shuang <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index da439e2dadc1..208fb8132439 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -4023,6 +4023,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct netns_ipvs *ipvs)
+
+ static struct notifier_block ip_vs_dst_notifier = {
+ .notifier_call = ip_vs_dst_event,
++#ifdef CONFIG_IP_VS_IPV6
++ .priority = ADDRCONF_NOTIFY_PRIORITY + 5,
++#endif
+ };
+
+ int __net_init ip_vs_control_net_init(struct netns_ipvs *ipvs)
+--
+2.12.3
+
diff --git a/patches.fixes/0007-netfilter-ipset-do-not-call-ipset_nest_end-after-nla.patch b/patches.fixes/0007-netfilter-ipset-do-not-call-ipset_nest_end-after-nla.patch
new file mode 100644
index 0000000000..8b14a6670b
--- /dev/null
+++ b/patches.fixes/0007-netfilter-ipset-do-not-call-ipset_nest_end-after-nla.patch
@@ -0,0 +1,39 @@
+From: Pan Bian <bianpan2016@163.com>
+Subject: netfilter: ipset: do not call ipset_nest_end after
+ nla_nest_cancel
+Patch-mainline: v4.20
+Git-commit: 708abf74dd87f8640871b814faa195fb5970b0e3
+References: git-fixes
+
+
+In the error handling block, nla_nest_cancel(skb, atd) is called to
+cancel the nest operation. But then, ipset_nest_end(skb, atd) is
+unexpected called to end the nest operation. This patch calls the
+ipset_nest_end only on the branch that nla_nest_cancel is not called.
+
+Fixes: 45040978c899 ("netfilter: ipset: Fix set:list type crash when flush/dump set in parallel")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipset/ip_set_list_set.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
+index 178d4eba013b..ca168ca3f238 100644
+--- a/net/netfilter/ipset/ip_set_list_set.c
++++ b/net/netfilter/ipset/ip_set_list_set.c
+@@ -537,8 +537,8 @@ list_set_list(const struct ip_set *set,
+ ret = -EMSGSIZE;
+ } else {
+ cb->args[IPSET_CB_ARG0] = i;
++ ipset_nest_end(skb, atd);
+ }
+- ipset_nest_end(skb, atd);
+ out:
+ rcu_read_unlock();
+ return ret;
+--
+2.12.3
+
diff --git a/patches.fixes/0008-netfilter-nf_tables-fix-leaking-object-reference-cou.patch b/patches.fixes/0008-netfilter-nf_tables-fix-leaking-object-reference-cou.patch
new file mode 100644
index 0000000000..4bb5b4ac71
--- /dev/null
+++ b/patches.fixes/0008-netfilter-nf_tables-fix-leaking-object-reference-cou.patch
@@ -0,0 +1,56 @@
+From: Taehee Yoo <ap420073@gmail.com>
+Subject: netfilter: nf_tables: fix leaking object reference
+ count
+Patch-mainline: v5.0-rc3
+Git-commit: b91d9036883793122cf6575ca4dfbfbdd201a83d
+References: git-fixes
+
+There is no code that decreases the reference count of stateful objects
+in error path of the nft_add_set_elem(). this causes a leak of reference
+count of stateful objects.
+
+Test commands:
+ $nft add table ip filter
+ $nft add counter ip filter c1
+ $nft add map ip filter m1 { type ipv4_addr : counter \;}
+ $nft add element ip filter m1 { 1 : c1 }
+ $nft add element ip filter m1 { 1 : c1 }
+ $nft delete element ip filter m1 { 1 }
+ $nft delete counter ip filter c1
+
+Result:
+ Error: Could not process rule: Device or resource busy
+ delete counter ip filter c1
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+At the second 'nft add element ip filter m1 { 1 : c1 }', the reference
+count of the 'c1' is increased then it tries to insert into the 'm1'. but
+the 'm1' already has same element so it returns -EEXIST.
+But it doesn't decrease the reference count of the 'c1' in the error path.
+Due to a leak of the reference count of the 'c1', the 'c1' can't be
+removed by 'nft delete counter ip filter c1'.
+
+Fixes: 8aeff920dcc9 ("netfilter: nf_tables: add stateful object reference to set elements")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nf_tables_api.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 4d424069b5d8..defe11c00aaa 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3869,6 +3869,8 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ err5:
+ kfree(trans);
+ err4:
++ if (obj)
++ obj->use--;
+ kfree(elem.priv);
+ err3:
+ if (nla[NFTA_SET_ELEM_DATA] != NULL)
+--
+2.12.3
+
diff --git a/patches.fixes/0009-ipv6-invert-flowlabel-sharing-check-in-process-and-u.patch b/patches.fixes/0009-ipv6-invert-flowlabel-sharing-check-in-process-and-u.patch
new file mode 100644
index 0000000000..531e8430b6
--- /dev/null
+++ b/patches.fixes/0009-ipv6-invert-flowlabel-sharing-check-in-process-and-u.patch
@@ -0,0 +1,41 @@
+From: Willem de Bruijn <willemb@google.com>
+Subject: ipv6: invert flowlabel sharing check in process and
+ user mode
+Patch-mainline: v5.1
+Git-commit: 95c169251bf734aa555a1e8043e4d88ec97a04ec
+References: git-fixes
+
+
+A request for a flowlabel fails in process or user exclusive mode must
+fail if the caller pid or uid does not match. Invert the test.
+
+Previously, the test was unsafe wrt PID recycling, but indeed tested
+for inequality: fl1->owner != fl->owner
+
+Fixes: 4f82f45730c68 ("net ip6 flowlabel: Make owner a union of struct pid* and kuid_t")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/ip6_flowlabel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
+index 15535ee327c5..d8cb9acfe1a5 100644
+--- a/net/ipv6/ip6_flowlabel.c
++++ b/net/ipv6/ip6_flowlabel.c
+@@ -634,9 +634,9 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
+ if (fl1->share == IPV6_FL_S_EXCL ||
+ fl1->share != fl->share ||
+ ((fl1->share == IPV6_FL_S_PROCESS) &&
+- (fl1->owner.pid == fl->owner.pid)) ||
++ (fl1->owner.pid != fl->owner.pid)) ||
+ ((fl1->share == IPV6_FL_S_USER) &&
+- uid_eq(fl1->owner.uid, fl->owner.uid)))
++ !uid_eq(fl1->owner.uid, fl->owner.uid)))
+ goto release;
+
+ err = -ENOMEM;
+--
+2.12.3
+
diff --git a/patches.fixes/0010-ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch b/patches.fixes/0010-ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch
new file mode 100644
index 0000000000..9452245e32
--- /dev/null
+++ b/patches.fixes/0010-ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch
@@ -0,0 +1,154 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: ipv6/flowlabel: wait rcu grace period before put_pid()
+Patch-mainline: v5.1
+Git-commit: 6c0afef5fb0c27758f4d52b2210c61b6bd8b4470
+References: git-fixes
+
+
+syzbot was able to catch a use-after-free read in pid_nr_ns() [1]
+
+ip6fl_seq_show() seems to use RCU protection, dereferencing fl->owner.pid
+but fl_free() releases fl->owner.pid before rcu grace period is started.
+
+[1]
+
+BUG: KASAN: use-after-free in pid_nr_ns+0x128/0x140 kernel/pid.c:407
+Read of size 4 at addr ffff888094012a04 by task syz-executor.0/18087
+
+CPU: 0 PID: 18087 Comm: syz-executor.0 Not tainted 5.1.0-rc6+ #89
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
+ kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
+ __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
+ pid_nr_ns+0x128/0x140 kernel/pid.c:407
+ ip6fl_seq_show+0x2f8/0x4f0 net/ipv6/ip6_flowlabel.c:794
+ seq_read+0xad3/0x1130 fs/seq_file.c:268
+ proc_reg_read+0x1fe/0x2c0 fs/proc/inode.c:227
+ do_loop_readv_writev fs/read_write.c:701 [inline]
+ do_loop_readv_writev fs/read_write.c:688 [inline]
+ do_iter_read+0x4a9/0x660 fs/read_write.c:922
+ vfs_readv+0xf0/0x160 fs/read_write.c:984
+ kernel_readv fs/splice.c:358 [inline]
+ default_file_splice_read+0x475/0x890 fs/splice.c:413
+ do_splice_to+0x12a/0x190 fs/splice.c:876
+ splice_direct_to_actor+0x2d2/0x970 fs/splice.c:953
+ do_splice_direct+0x1da/0x2a0 fs/splice.c:1062
+ do_sendfile+0x597/0xd00 fs/read_write.c:1443
+ __do_sys_sendfile64 fs/read_write.c:1498 [inline]
+ __se_sys_sendfile64 fs/read_write.c:1490 [inline]
+ __x64_sys_sendfile64+0x15a/0x220 fs/read_write.c:1490
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x458da9
+Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f300d24bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
+RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000458da9
+RDX: 00000000200000c0 RSI: 0000000000000008 RDI: 0000000000000007
+RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
+R10: 000000000000005a R11: 0000000000000246 R12: 00007f300d24c6d4
+R13: 00000000004c5fa3 R14: 00000000004da748 R15: 00000000ffffffff
+
+Allocated by task 17543:
+ save_stack+0x45/0xd0 mm/kasan/common.c:75
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_kmalloc mm/kasan/common.c:497 [inline]
+ __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
+ kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:505
+ slab_post_alloc_hook mm/slab.h:437 [inline]
+ slab_alloc mm/slab.c:3393 [inline]
+ kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3555
+ alloc_pid+0x55/0x8f0 kernel/pid.c:168
+ copy_process.part.0+0x3b08/0x7980 kernel/fork.c:1932
+ copy_process kernel/fork.c:1709 [inline]
+ _do_fork+0x257/0xfd0 kernel/fork.c:2226
+ __do_sys_clone kernel/fork.c:2333 [inline]
+ __se_sys_clone kernel/fork.c:2327 [inline]
+ __x64_sys_clone+0xbf/0x150 kernel/fork.c:2327
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 7789:
+ save_stack+0x45/0xd0 mm/kasan/common.c:75
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
+ kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
+ __cache_free mm/slab.c:3499 [inline]
+ kmem_cache_free+0x86/0x260 mm/slab.c:3765
+ put_pid.part.0+0x111/0x150 kernel/pid.c:111
+ put_pid+0x20/0x30 kernel/pid.c:105
+ fl_free+0xbe/0xe0 net/ipv6/ip6_flowlabel.c:102
+ ip6_fl_gc+0x295/0x3e0 net/ipv6/ip6_flowlabel.c:152
+ call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
+ expire_timers kernel/time/timer.c:1362 [inline]
+ __run_timers kernel/time/timer.c:1681 [inline]
+ __run_timers kernel/time/timer.c:1649 [inline]
+ run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
+ __do_softirq+0x266/0x95a kernel/softirq.c:293
+
+The buggy address belongs to the object at ffff888094012a00
+ which belongs to the cache pid_2 of size 88
+The buggy address is located 4 bytes inside of
+ 88-byte region [ffff888094012a00, ffff888094012a58)
+The buggy address belongs to the page:
+page:ffffea0002500480 count:1 mapcount:0 mapping:ffff88809a483080 index:0xffff888094012980
+flags: 0x1fffc0000000200(slab)
+raw: 01fffc0000000200 ffffea00018a3508 ffffea0002524a88 ffff88809a483080
+raw: ffff888094012980 ffff888094012000 000000010000001b 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888094012900: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
+ ffff888094012980: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
+>ffff888094012a00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
+ ^
+ ffff888094012a80: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
+ ffff888094012b00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
+
+Fixes: 4f82f45730c6 ("net ip6 flowlabel: Make owner a union of struct pid * and kuid_t")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/ip6_flowlabel.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
+index d8cb9acfe1a5..6fa2bc236d9e 100644
+--- a/net/ipv6/ip6_flowlabel.c
++++ b/net/ipv6/ip6_flowlabel.c
+@@ -94,15 +94,21 @@ static struct ip6_flowlabel *fl_lookup(struct net *net, __be32 label)
+ return fl;
+ }
+
++static void fl_free_rcu(struct rcu_head *head)
++{
++ struct ip6_flowlabel *fl = container_of(head, struct ip6_flowlabel, rcu);
++
++ if (fl->share == IPV6_FL_S_PROCESS)
++ put_pid(fl->owner.pid);
++ kfree(fl->opt);
++ kfree(fl);
++}
++
+
+ static void fl_free(struct ip6_flowlabel *fl)
+ {
+- if (fl) {
+- if (fl->share == IPV6_FL_S_PROCESS)
+- put_pid(fl->owner.pid);
+- kfree(fl->opt);
+- kfree_rcu(fl, rcu);
+- }
++ if (fl)
++ call_rcu(&fl->rcu, fl_free_rcu);
+ }
+
+ static void fl_release(struct ip6_flowlabel *fl)
+--
+2.12.3
+
diff --git a/patches.fixes/0011-netfilter-ebtables-CONFIG_COMPAT-reject-trailing-dat.patch b/patches.fixes/0011-netfilter-ebtables-CONFIG_COMPAT-reject-trailing-dat.patch
new file mode 100644
index 0000000000..a73be7f839
--- /dev/null
+++ b/patches.fixes/0011-netfilter-ebtables-CONFIG_COMPAT-reject-trailing-dat.patch
@@ -0,0 +1,42 @@
+From: Florian Westphal <fw@strlen.de>
+Subject: netfilter: ebtables: CONFIG_COMPAT: reject trailing
+ data after last rule
+Patch-mainline: v5.2
+Git-commit: 680f6af5337c98d116e4f127cea7845339dba8da
+References: git-fixes
+
+
+If userspace provides a rule blob with trailing data after last target,
+we trigger a splat, then convert ruleset to 64bit format (with trailing
+data), then pass that to do_replace_finish() which then returns -EINVAL.
+
+Erroring out right away avoids the splat plus unneeded translation and
+error unwind.
+
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/bridge/netfilter/ebtables.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index d7418e1d70e8..8c66d0eb5f65 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -2203,7 +2203,9 @@ static int compat_copy_entries(unsigned char *data, unsigned int size_user,
+ if (ret < 0)
+ return ret;
+
+- WARN_ON(size_remaining);
++ if (size_remaining)
++ return -EINVAL;
++
+ return state->buf_kern_offset;
+ }
+
+--
+2.12.3
+
diff --git a/patches.fixes/arm64-Export-save_stack_trace_tsk.patch b/patches.fixes/arm64-Export-save_stack_trace_tsk.patch
new file mode 100644
index 0000000000..ee7d0279e0
--- /dev/null
+++ b/patches.fixes/arm64-Export-save_stack_trace_tsk.patch
@@ -0,0 +1,35 @@
+From: Dustin Brown <dustinb@codeaurora.org>
+Date: Tue, 13 Jun 2017 11:40:56 -0700
+Subject: [PATCH] arm64: Export save_stack_trace_tsk()
+Git-commit: e27c7fa015d61c8be6a2c32b2144aad2ae6ec975
+Patch-mainline: v4.13
+References: jsc#SLE-4214
+
+The kernel watchdog is a great debugging tool for finding tasks that
+consume a disproportionate amount of CPU time in contiguous chunks. One
+can imagine building a similar watchdog for arbitrary driver threads
+using save_stack_trace_tsk() and print_stack_trace(). However, this is
+not viable for dynamically loaded driver modules on ARM platforms
+because save_stack_trace_tsk() is not exported for those architectures.
+Export save_stack_trace_tsk() for the ARM64 architecture to align with
+x86 and support various debugging use cases such as arbitrary driver
+thread watchdog timers.
+
+Signed-off-by: Dustin Brown <dustinb@codeaurora.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ arch/arm64/kernel/stacktrace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/kernel/stacktrace.c
++++ b/arch/arm64/kernel/stacktrace.c
+@@ -175,6 +175,7 @@ void save_stack_trace_tsk(struct task_st
+
+ put_task_stack(tsk);
+ }
++EXPORT_SYMBOL_GPL(save_stack_trace_tsk);
+
+ void save_stack_trace(struct stack_trace *trace)
+ {
diff --git a/patches.fixes/block-Don-t-revalidate-bdev-of-hidden-gendisk.patch b/patches.fixes/block-Don-t-revalidate-bdev-of-hidden-gendisk.patch
new file mode 100644
index 0000000000..ddb6b65b7f
--- /dev/null
+++ b/patches.fixes/block-Don-t-revalidate-bdev-of-hidden-gendisk.patch
@@ -0,0 +1,62 @@
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 15 May 2019 08:57:40 +0200
+Subject: [PATCH] block: Don't revalidate bdev of hidden gendisk
+References: bsc#1120091
+Patch-Mainline: submitted linux-block 2019/05/15
+
+When hidden gendisk is revalidated, there's no point in revalidating
+associated block device as there's none. We would thus just create new
+bdev inode, report "detected capacity change from 0 to XXX" message and
+evict the bdev inode again. Avoid this pointless dance and confusing
+message in the kernel log.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+---
+ fs/block_dev.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/fs/block_dev.c b/fs/block_dev.c
+index 53463e801387..bed1bb569409 100644
+--- a/fs/block_dev.c
++++ b/fs/block_dev.c
+@@ -1361,20 +1361,27 @@ EXPORT_SYMBOL(check_disk_size_change);
+ */
+ int revalidate_disk(struct gendisk *disk)
+ {
+- struct block_device *bdev;
+ int ret = 0;
+
+ if (disk->fops->revalidate_disk)
+ ret = disk->fops->revalidate_disk(disk);
+- bdev = bdget_disk(disk, 0);
+- if (!bdev)
+- return ret;
+
+- mutex_lock(&bdev->bd_mutex);
+- check_disk_size_change(disk, bdev, ret == 0);
+- bdev->bd_invalidated = 0;
+- mutex_unlock(&bdev->bd_mutex);
+- bdput(bdev);
++ /*
++ * Hidden disks don't have associated bdev so there's no point in
++ * revalidating it.
++ */
++ if (!(disk->flags & GENHD_FL_HIDDEN)) {
++ struct block_device *bdev = bdget_disk(disk, 0);
++
++ if (!bdev)
++ return ret;
++
++ mutex_lock(&bdev->bd_mutex);
++ check_disk_size_change(disk, bdev, ret == 0);
++ bdev->bd_invalidated = 0;
++ mutex_unlock(&bdev->bd_mutex);
++ bdput(bdev);
++ }
+ return ret;
+ }
+ EXPORT_SYMBOL(revalidate_disk);
+--
+2.16.4
+
diff --git a/patches.kabi/kabi-fix-for-check_disk_size_change.patch b/patches.kabi/kabi-fix-for-check_disk_size_change.patch
index df9d279bbf..eafa0a5195 100644
--- a/patches.kabi/kabi-fix-for-check_disk_size_change.patch
+++ b/patches.kabi/kabi-fix-for-check_disk_size_change.patch
@@ -36,10 +36,10 @@ index f59308cd6c43..bb77c2a5c8c7 100644
/* tell userspace that the media / partition table may have changed */
kobject_uevent(&disk_to_dev(disk)->kobj, KOBJ_CHANGE);
diff --git a/fs/block_dev.c b/fs/block_dev.c
-index ec6cc370fdf4..ce1e25f1a947 100644
+index bed1bb569409..b0cc36737815 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
-@@ -1313,30 +1313,39 @@ static void flush_disk(struct block_device *bdev, bool kill_dirty)
+@@ -1327,30 +1327,39 @@ static void flush_disk(struct block_device *bdev, bool kill_dirty)
* check_disk_size_change - checks for disk size change and adjusts bdev size.
* @disk: struct gendisk to check
* @bdev: struct bdev to adjust.
@@ -87,23 +87,23 @@ index ec6cc370fdf4..ce1e25f1a947 100644
/**
* revalidate_disk - wrapper for lower-level driver's revalidate_disk call-back
* @disk: struct gendisk to be revalidated
-@@ -1357,7 +1366,10 @@ int revalidate_disk(struct gendisk *disk)
- return ret;
+@@ -1377,7 +1386,10 @@ int revalidate_disk(struct gendisk *disk)
+ return ret;
- mutex_lock(&bdev->bd_mutex);
-- check_disk_size_change(disk, bdev, ret == 0);
-+ if (ret == 0)
-+ check_disk_size_change(disk, bdev);
-+ else
-+ __check_disk_size_change(disk, bdev);
- bdev->bd_invalidated = 0;
- mutex_unlock(&bdev->bd_mutex);
- bdput(bdev);
+ mutex_lock(&bdev->bd_mutex);
+- check_disk_size_change(disk, bdev, ret == 0);
++ if (ret == 0)
++ check_disk_size_change(disk, bdev);
++ else
++ __check_disk_size_change(disk, bdev);
+ bdev->bd_invalidated = 0;
+ mutex_unlock(&bdev->bd_mutex);
+ bdput(bdev);
diff --git a/include/linux/fs.h b/include/linux/fs.h
-index 25d80f3e281d..7a0f3758c381 100644
+index 668388425f86..5007579512b3 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
-@@ -2532,7 +2532,9 @@ extern bool is_bad_inode(struct inode *);
+@@ -2554,7 +2554,9 @@ extern bool is_bad_inode(struct inode *);
#ifdef CONFIG_BLOCK
extern void check_disk_size_change(struct gendisk *disk,
diff --git a/patches.suse/nvme-Do-not-remove-namespaces-during-reset.patch b/patches.suse/nvme-Do-not-remove-namespaces-during-reset.patch
new file mode 100644
index 0000000000..5e95bed1e6
--- /dev/null
+++ b/patches.suse/nvme-Do-not-remove-namespaces-during-reset.patch
@@ -0,0 +1,42 @@
+From: Hannes Reinecke <hare@suse.de>
+Date: Thu, 2 May 2019 12:39:12 +0200
+Subject: [PATCH] nvme: Do not remove namespaces during reset
+Patch-Mainline: never, solved differently upstream
+References: bsc#1131673
+
+When a controller is resetting or reconnecting there is no way
+how we could establish the validity of any given namespace.
+So do not call nvme_ns_remove() during resetting or reconnecting
+and rely on the call to nvme_scan_queue() after reset to fixup
+things.
+
+Signed-off-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/nvme/host/core.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 0d5865189013..e536f48ea4dd 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3141,6 +3141,17 @@ static void nvme_alloc_ns(struct nvme_ctrl *ctrl, unsigned nsid)
+
+ static void nvme_ns_remove(struct nvme_ns *ns)
+ {
++ /*
++ * We cannot make any assumptions about namespaces during
++ * reset; in particular we shouldn't attempt to remove them
++ * as I/O might still be queued to them.
++ * So ignore this call during reset and rely on the
++ * rescan after reset to clean up things again.
++ */
++ if (ns->ctrl->state == NVME_CTRL_RESETTING ||
++ ns->ctrl->state == NVME_CTRL_CONNECTING)
++ return;
++
+ if (test_and_set_bit(NVME_NS_REMOVING, &ns->flags))
+ return;
+
+--
+2.16.4
+
diff --git a/patches.suse/nvme-flush-scan_work-when-resetting-controller.patch b/patches.suse/nvme-flush-scan_work-when-resetting-controller.patch
new file mode 100644
index 0000000000..6c000278ca
--- /dev/null
+++ b/patches.suse/nvme-flush-scan_work-when-resetting-controller.patch
@@ -0,0 +1,61 @@
+From: Hannes Reinecke <hare@suse.de>
+Date: Thu, 16 May 2019 09:39:01 +0200
+Subject: [PATCH] nvme: flush scan_work when resetting controller
+Patch-Mainline: never, solved differently upstream
+References: bsc#1131673
+
+When resetting the controller there is no point whatsoever to
+have a scan run in parallel; we cannot access the controller and
+we cannot tell which devices are present and which not.
+Additionally we'll run a scan after reset anyway.
+So flush existing scans, ensuring to short-circuit the scan workqueue
+function if the controller state isn't live to avoit lockups.
+
+Signed-off-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/nvme/host/core.c | 3 +++
+ drivers/nvme/host/fc.c | 1 +
+ drivers/nvme/host/rdma.c | 1 +
+ 3 files changed, 5 insertions(+)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index a4ecb44476ef..e3b89df96fbe 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1538,6 +1538,9 @@ static int nvme_revalidate_disk(struct gendisk *disk)
+ struct nvme_ns_ids ids;
+ int ret = 0;
+
++ if (ctrl->state != NVME_CTRL_LIVE)
++ return 0;
++
+ if (test_bit(NVME_NS_DEAD, &ns->flags)) {
+ set_capacity(disk, 0);
+ return -ENODEV;
+diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c
+index 5b6b74e4462b..73c238fd8c70 100644
+--- a/drivers/nvme/host/fc.c
++++ b/drivers/nvme/host/fc.c
+@@ -2936,6 +2936,7 @@ nvme_fc_reset_ctrl_work(struct work_struct *work)
+
+ __nvme_fc_terminate_io(ctrl);
+
++ flush_work(&ctrl->ctrl.scan_work);
+ nvme_stop_ctrl(&ctrl->ctrl);
+
+ if (ctrl->rport->remoteport.port_state == FC_OBJSTATE_ONLINE)
+diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
+index d42bada25b54..da3b48fbad9e 100644
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -1763,6 +1763,7 @@ static void nvme_rdma_reset_ctrl_work(struct work_struct *work)
+
+ nvme_stop_ctrl(&ctrl->ctrl);
+ nvme_rdma_shutdown_ctrl(ctrl, false);
++ flush_work(&ctrl->ctrl.scan_work);
+
+ if (!nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_CONNECTING)) {
+ /* state change failure should never happen */
+--
+2.16.4
+
diff --git a/series.conf b/series.conf
index 35d152dca4..817607d786 100644
--- a/series.conf
+++ b/series.conf
@@ -2360,6 +2360,7 @@
patches.drivers/0001-ARM64-PCI-Set-root-bus-NUMA-node-on-ACPI-systems.patch
patches.suse/arm64-kernel-restrict-dev-mem-read-calls-to-linear-r.patch
patches.drivers/0001-ACPI-IORT-Remove-iort_node_match.patch
+ patches.fixes/arm64-Export-save_stack_trace_tsk.patch
patches.arch/arm64-drivers-char-kmem-disable-on-arm64.patch
patches.suse/0001-fs-proc-kcore-use-kcore_list-type-to-check-for-vmall.patch
patches.suse/0002-arm64-mm-select-CONFIG_ARCH_PROC_KCORE_TEXT.patch
@@ -12530,6 +12531,7 @@
patches.drivers/bnxt_en-export-a-common-switchdev-PARENT_ID-for-all-.patch
patches.drivers/cxgb4-restructure-VF-mgmt-code.patch
patches.fixes/vxlan-Fix-trailing-semicolon.patch
+ patches.drivers/net-mlx5e-Fix-trailing-semicolon.patch
patches.drivers/ath9k-add-MSI-support
patches.drivers/cxgb4-update-dump-collection-logic-to-use-compressio.patch
patches.drivers/cxgb4-use-zlib-deflate-to-compress-firmware-dump.patch
@@ -19361,6 +19363,7 @@
patches.drivers/net-ena-fix-rare-bug-when-failed-restart-resume-is-f.patch
patches.drivers/net-ena-fix-NULL-dereference-due-to-untimely-napi-in.patch
patches.drivers/net-ena-fix-auto-casting-to-boolean.patch
+ patches.fixes/0001-net-make-skb_partial_csum_set-more-robust-against-ov.patch
patches.suse/net-ipv4-don-t-let-PMTU-updates-increase-route-MTU.patch
patches.drivers/qmi_wwan-Added-support-for-Gemalto-s-Cinterion-ALASx.patch
patches.suse/net-dsa-bcm_sf2-Fix-unbind-ordering.patch
@@ -19490,7 +19493,9 @@
patches.drivers/cxgb4-remove-redundant-assignment-to-vlan_cmd.dropno.patch
patches.fixes/0001-cxgb4-add-per-rx-queue-counter-for-packet-errors.patch
patches.drivers/cxgb4-update-supported-DCB-version.patch
+ patches.fixes/0002-ip_gre-fix-parsing-gre-header-in-ipgre_err.patch
patches.arch/s390-sles15sp1-00-16-12-s390-qeth-invoke-softirqs-after-napi_schedule.patch
+ patches.fixes/0003-net-ipv4-defensive-cipso-option-parsing.patch
patches.drivers/net-ibm-fix-return-type-of-ndo_start_xmit-function.patch
patches.drivers/net-hns3-Add-support-for-hns3_nic_netdev_ops.ndo_do_.patch
patches.drivers/net-hns3-Set-STATE_DOWN-bit-of-hdev-state-when-stopp.patch
@@ -19562,6 +19567,7 @@
patches.drivers/Bluetooth-btsdio-Do-not-bind-to-non-removable-BCM43430.patch
patches.drivers/net-ena-fix-compilation-error-in-xtensa-architecture.patch
patches.fixes/llc-do-not-use-sk_eat_skb.patch
+ patches.fixes/0004-netfilter-nft_compat-do-not-dump-private-area.patch
patches.arch/signal-properly-deliver-sigsegv-from-x86-uprobes
patches.suse/signal-Always-deliver-the-kernel-s-SIGKILL-and-SIGST.patch
patches.fixes/selinux-Add-__GFP_NOWARN-to-allocation-at-str_read.patch
@@ -20113,6 +20119,7 @@
patches.drivers/qed-Fix-bitmap_weight-check.patch
patches.drivers/qed-Fix-QM-getters-to-always-return-a-valid-pq.patch
patches.drivers/net-ibmnvic-Fix-deadlock-problem-in-reset.patch
+ patches.drivers/net-mlx5e-IPoIB-Reset-QP-after-channels-are-closed.patch
patches.suse/net-mlx5e-Fix-selftest-for-small-MTUs.patch
patches.suse/tg3-Add-PHY-reset-for-5717-5719-5720-in-change-ring-.patch
patches.drivers/net-skb_scrub_packet-Scrub-offload_fwd_mark.patch
@@ -20125,6 +20132,7 @@
patches.drivers/net-thunderx-set-xdp_prog-to-NULL-if-bpf_prog_add-fa.patch
patches.drivers/ibmvnic-Fix-RX-queue-buffer-cleanup.patch
patches.drivers/ibmvnic-Update-driver-queues-after-change-in-ring-si.patch
+ patches.fixes/0005-net-don-t-keep-lonely-packets-forever-in-the-gro-has.patch
patches.drivers/virtio-net-fail-XDP-set-if-guest-csum-is-negotiated.patch
patches.fixes/team-no-need-to-do-team_notify_peers-or-team_mcast_r.patch
patches.drivers/net-thunderx-set-tso_hdrs-pointer-to-NULL-in-nicvf_f.patch
@@ -20148,6 +20156,7 @@
patches.suse/usbnet-ipheth-fix-potential-recvmsg-bug-and-recvmsg-.patch
patches.fixes/0001-net-thunderx-fix-NULL-pointer-dereference-in-nic_rem.patch
patches.suse/rapidio-rionet-do-not-free-skb-before-reading-its-le.patch
+ patches.fixes/0006-ipvs-call-ip_vs_dst_notifier-earlier-than-ipv6_dev_n.patch
patches.arch/s390-sles15-17-03-s390-qeth-fix-length-check-in-SNMP-processing.patch
patches.fixes/ixgbe-recognize-1000BaseLX-SFP-modules-as-1Gbps.patch
patches.fixes/udf-Allow-mounting-volumes-with-incorrect-identifica.patch
@@ -20399,6 +20408,7 @@
patches.drivers/bnx2x-Clear-fip-MAC-when-fcoe-offload-support-is-dis.patch
patches.drivers/bnx2x-Remove-configured-vlans-as-part-of-unload-sequ.patch
patches.drivers/bnx2x-Send-update-svid-ramrod-with-retry-poll-flags-.patch
+ patches.fixes/0007-netfilter-ipset-do-not-call-ipset_nest_end-after-nla.patch
patches.drivers/i40e-fix-mac-filter-delete-when-setting-mac-address.patch
patches.suse/vhost-make-sure-used-idx-is-seen-before-log-in-vhost.patch
patches.drivers/qed-Fix-command-number-mismatch-between-driver-and-t.patch
@@ -20905,6 +20915,7 @@
patches.fixes/blockdev-Fix-livelocks-on-loop-device.patch
patches.drivers/scsi-qedi-add-ep_state-for-login-completion-on-un-reachable-targets
patches.fixes/acpi-nfit-fix-race-accessing-memdev-in-nfit_get_smbios_id.patch
+ patches.fixes/0008-netfilter-nf_tables-fix-leaking-object-reference-cou.patch
patches.suse/net-ipv4-Fix-memory-leak-in-network-namespace-disman.patch
patches.fixes/tipc-fix-uninit-value-in-tipc_nl_compat_link_reset_s.patch
patches.fixes/tipc-fix-uninit-value-in-tipc_nl_compat_bearer_enabl.patch
@@ -21698,6 +21709,7 @@
patches.suse/net-packet-Set-__GFP_NOWARN-upon-allocation-in-alloc.patch
patches.suse/genetlink-Fix-a-memory-leak-on-error-path.patch
patches.fixes/0001-netfilter-bridge-set-skb-transport_header-before-ent.patch
+ patches.drivers/net-sched-don-t-dereference-a-goto_chain-to-read-the.patch
patches.fixes/rhashtable-Still-do-rehash-when-we-get-EEXIST.patch
patches.fixes/bpf-do-not-restore-dst_reg-when-cur_state-is-freed.patch
patches.arch/ARM-imx6q-cpuidle-fix-bug-that-CPU-might-not-wake-up.patch
@@ -21808,6 +21820,7 @@
patches.drivers/Bluetooth-btusb-request-wake-pin-with-NOAUTOEN.patch
patches.fixes/virtio_pci-fix-a-NULL-pointer-reference-in-vp_del_vq.patch
patches.fixes/virtio-Honour-may_reduce_num-in-vring_create_virtque.patch
+ patches.drivers/RDMA-hns-Fix-bug-that-caused-srq-creation-to-fail.patch
patches.suse/btrfs-do-not-allow-trimming-when-a-fs-is-mounted-wit.patch
patches.drm/0001-drm-udl-add-a-release-method-and-delay-modeset-teard.patch
patches.drm/0003-drm-mediatek-Fix-an-error-code-in-mtk_hdmi_dt_parse_.patch
@@ -21908,6 +21921,9 @@
patches.drivers/usb-usbip-fix-isoc-packet-num-validation-in-get_pipe.patch
patches.drivers/USB-yurex-Fix-protection-fault-after-device-removal.patch
patches.drivers/USB-w1-ds2490-Fix-bug-caused-by-improper-use-of-alts.patch
+ patches.drivers/bnxt_en-Free-short-FW-command-HWRM-memory-in-error-p.patch
+ patches.fixes/0009-ipv6-invert-flowlabel-sharing-check-in-process-and-u.patch
+ patches.fixes/0010-ipv6-flowlabel-wait-rcu-grace-period-before-put_pid.patch
patches.suse/packet-validate-msg_namelen-in-send-directly.patch
patches.drivers/ALSA-hda-realtek-Add-new-Dell-platform-for-headset-m.patch
patches.drivers/ALSA-hda-realtek-Fixed-Dell-AIO-speaker-noise.patch
@@ -21974,6 +21990,8 @@
patches.fixes/ext4-fix-ext4_show_options-for-file-systems-w-o-jour.patch
patches.drivers/ibmvnic-Report-actual-backing-device-speed-and-duple.patch
patches.fixes/openvswitch-add-seqadj-extension-when-NAT-is-used.patch
+ patches.drivers/net-hns3-remove-resetting-check-in-hclgevf_reset_tas.patch
+ patches.drivers/bpf-Add-missed-newline-in-verifier-verbose-log.patch
patches.drivers/b43-shut-up-clang-Wuninitialized-variable-warning.patch
patches.drivers/mwifiex-Fix-mem-leak-in-mwifiex_tm_cmd.patch
patches.drivers/Bluetooth-hidp-fix-buffer-overflow.patch
@@ -21984,6 +22002,7 @@
patches.drivers/mwl8k-Fix-rate_idx-underflow.patch
patches.drivers/rtlwifi-rtl8723ae-Fix-missing-break-in-switch-statem.patch
patches.drivers/brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch
+ patches.drivers/net-ena-fix-return-value-of-ena_com_config_llq_info.patch
patches.fixes/0001-dt-bindings-net-Fix-a-typo-in-the-phy-mode-list-for-.patch
patches.drivers/usb-storage-Set-virt_boundary_mask-to-avoid-SG-overf.patch
patches.drivers/USB-cdc-acm-fix-unthrottle-races.patch
@@ -22074,6 +22093,7 @@
patches.drivers/iommu-vt-d-make-kernel-parameter-igfx_off-work-with-viommu
patches.drivers/net-ibmvnic-Update-MAC-address-settings-after-adapte.patch
patches.drivers/net-ibmvnic-Update-carrier-state-after-link-state-ch.patch
+ patches.fixes/0011-netfilter-ebtables-CONFIG_COMPAT-reject-trailing-dat.patch
patches.arch/x86-msr-index-cleanup-bit-defines.patch
patches.arch/x86-speculation-consolidate-cpu-whitelists.patch
patches.arch/x86-speculation-mds-add-basic-bug-infrastructure-for-mds.patch
@@ -22115,6 +22135,11 @@
patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
patches.fixes/vsock-virtio-Initialize-core-virtio-vsock-before-reg.patch
patches.fixes/crypto-vmx-CTR-always-increment-IV-as-quadword.patch
+ patches.drm/drm-vmwgfx-Don-t-send-drm-sysfs-hotplug-events-on-in.patch
+ patches.drm/drm-vmwgfx-integer-underflow-in-vmw_cmd_dx_set_shade.patch
+ patches.drm/drm-i915-gvt-do-not-let-TRTTE-and-0x4dfc-write-passt.patch
+ patches.drivers/platform-x86-pmc_atom-Add-Lex-3I380D-industrial-PC-t.patch
+ patches.drivers/platform-x86-pmc_atom-Add-several-Beckhoff-Automatio.patch
# dhowells/linux-fs keys-uefi
patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
@@ -22137,6 +22162,9 @@
patches.suse/lpfc-validate-command-in-lpfc_sli4_scmd_to_wqidx_dis.patch
patches.suse/0001-drm-ttm-Remove-warning-about-inconsistent-mapping-in.patch
patches.suse/0001-btrfs-extent-tree-Fix-a-bug-that-btrfs-is-unable-to-.patch
+ patches.fixes/block-Don-t-revalidate-bdev-of-hidden-gendisk.patch
+ patches.suse/nvme-Do-not-remove-namespaces-during-reset.patch
+ patches.suse/nvme-flush-scan_work-when-resetting-controller.patch
########################################################
# end of sorted patches