authorKernel Build Daemon <kbuild@suse.de>2019-05-21 07:01:35 +0200
committerKernel Build Daemon <kbuild@suse.de>2019-05-21 07:01:35 +0200
commitf48ec14f1192ad3a8729a34279aa761b7f084c62 (patch)
tree63ffc1e941a438c5047eb93738b3c945be2ea69f
parent80b7d22f73a1132068733689a5a55f8aee3a3bd6 (diff)
parent294aea5a85cb48ef8d7672d49d9df88f61c24bc1 (diff)
Merge branch 'SLE15' into openSUSE-15.0
-rw-r--r--blacklist.conf10
-rw-r--r--patches.fixes/block-do-not-leak-memory-in-bio_copy_user_iov.patch46
-rw-r--r--patches.fixes/block-fix-the-return-errno-for-direct-IO.patch59
-rw-r--r--patches.fixes/block-fix-use-after-free-on-gendisk.patch135
-rw-r--r--patches.fixes/ext4-actually-request-zeroing-of-inode-table-after-g.patch41
-rw-r--r--patches.fixes/ext4-fix-ext4_show_options-for-file-systems-w-o-jour.patch39
-rw-r--r--patches.fixes/ext4-fix-use-after-free-race-with-debug_want_extra_i.patch105
-rw-r--r--patches.fixes/mm-huge_memory-fix-vmf_insert_pfn_-pmd-pud-crash-han.patch79
-rw-r--r--patches.fixes/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-UFS-.patch38
-rw-r--r--patches.suse/tun-allow-positive-return-values-on-dev_get_valid_na.patch2
-rw-r--r--patches.suse/tun-call-dev_get_valid_name-before-register_netdevic.patch2
-rw-r--r--series.conf8
12 files changed, 562 insertions, 2 deletions
diff --git a/blacklist.conf b/blacklist.conf
index a4ced472c4..5173cce52b 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1109,7 +1109,17 @@ f132da2534ec6599c78c4adcef15340cff2e9dd9 # regulator: missing regulator_lock() A
f58213637206e190453e3bd91f98f535566290a3 # regulator: missing regulator_lock() API in SLE15
f7a621728a6a23bfd2c6ac4d3e42e1303aefde0f # regulator: missing regulator_lock() API in SLE15
8be64b6d87bd47d81753b60ddafe70102ebfd76b # regulator: missing regulator_lock() API in SLE15
+b01531db6cec2aa330dbc91bfbfaaef4a0d387a4 # ext4 encryption not supported and this is rare race with mostly benign consequences
+a5fdd713d256887b5f012608701149fa939e5645 # Just a cleanup
+0bf3d5c1604ecbbd4e49e9f5b3c79152b87adb0d # fscrypt not supported
+71921ef85928e95e3d942c747c9d40443a5ff775 # GFS2 not supported, just a performance optimization
+7959cf3a7506d4a2100d5d6f37f605c2f54af488 # ubifs not supported, no CC to stable
+988bec41318f3fa897e2f8af271bd456936d6caf # ubifs not supported, no CC to stable
+9ca2d732644484488db31123ecd3bf122b551566 # ubifs not supported, no CC to stable
98fdaaca9537b997062f1abc0aa87c61b50ce40a # Duplicate of fc89a38d99d4b1b33ca5b0e2329f5ddea02ecfb5: drm/i915/opregion: fix version check
a0f52c3d357af218a9c1f7cd906ab70426176a1a # Duplicate of 16eb0f34cdf4cf04cd92762c7a79f98aa51e053f: drm/i915/opregion: rvda is relative from opregion base in opregion 2.1+
ed180abba7f1fc3cf04ffa27767b1bcc8e8c842a # sound/hda: breaks kABI
+e2771deb5dece1acde9a406538e4f7ef9262d5cd # recently dropped: drm/sun4i: rgb: Change the pixel clock validation check
+75fdb811d93c8aa4a9f73b63db032b1e6a8668ef # Duplicate of 1e8b15a1988ed3c7429402017d589422628cdf47: drm/i915/gvt: Add in context mmio 0x20D8 to gen9 mmio list
+6fcc44d1d77fea3c7230e4d109b37f6977aa675a # Duplicate of 2c88e3c7ec32d7a40cc7c9b4a487cf90e4671bdd: block: fix use-after-free on gendisk
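Review bot: The entries added for b01531db6cec, 0bf3d5c1604e and the three ubifs commits justify skipping a fix only with "not supported", which holds just as long as the feature stays disabled in every kernel config built from this branch. Naming the governing config option in the comment would let a later reviewer re-check the exclusion when configs change, for example `# ubifs not built (CONFIG_<OPTION> unset), no CC to stable`, where the option name is a placeholder to fill in. The b01531db6cec entry also calls the race "mostly benign" without saying what the non-benign outcome is; one more clause stating it would make the risk acceptance auditable.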
diff --git a/patches.fixes/block-do-not-leak-memory-in-bio_copy_user_iov.patch b/patches.fixes/block-do-not-leak-memory-in-bio_copy_user_iov.patch
new file mode 100644
index 0000000000..c54c2fda61
--- /dev/null
+++ b/patches.fixes/block-do-not-leak-memory-in-bio_copy_user_iov.patch
@@ -0,0 +1,46 @@
+From a3761c3c91209b58b6f33bf69dd8bb8ec0c9d925 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Glisse?= <jglisse@redhat.com>
+Date: Wed, 10 Apr 2019 16:27:51 -0400
+Subject: [PATCH] block: do not leak memory in bio_copy_user_iov()
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: a3761c3c91209b58b6f33bf69dd8bb8ec0c9d925
+Patch-mainline: v5.1-rc5
+References: bsc#1135309
+
+When bio_add_pc_page() fails in bio_copy_user_iov() we should free
+the page we just allocated otherwise we are leaking it.
+
+Cc: linux-block@vger.kernel.org
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: stable@vger.kernel.org
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Jérôme Glisse <jglisse@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ block/bio.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/block/bio.c b/block/bio.c
+index b64cedc7f87c..716510ecd7ff 100644
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -1298,8 +1298,11 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
+ }
+ }
+
+- if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes)
++ if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes) {
++ if (!map_data)
++ __free_page(page);
+ break;
++ }
+
+ len -= bytes;
+ offset = 0;
+--
+2.16.4
+
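Review bot: The new `if (!map_data) __free_page(page);` in the embedded block/bio.c hunk depends on where `page` came from, and that assignment is outside the hunk, so the ownership rule is not visible at the point of the free. Presumably the page is allocated locally only when `map_data` is NULL and otherwise belongs to the caller's `map_data`. If so, a comment such as `/* page was allocated above only when !map_data; map_data pages stay owned by the caller */` would keep a later edit from freeing caller-owned pages or reintroducing the leak. bio_copy_user_iov() starts and ends outside the hunk.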
diff --git a/patches.fixes/block-fix-the-return-errno-for-direct-IO.patch b/patches.fixes/block-fix-the-return-errno-for-direct-IO.patch
new file mode 100644
index 0000000000..4b4b6f3a05
--- /dev/null
+++ b/patches.fixes/block-fix-the-return-errno-for-direct-IO.patch
@@ -0,0 +1,59 @@
+From a89afe58f1a74aac768a5eb77af95ef4ee15beaa Mon Sep 17 00:00:00 2001
+From: Jason Yan <yanaijie@huawei.com>
+Date: Fri, 12 Apr 2019 10:09:16 +0800
+Subject: [PATCH] block: fix the return errno for direct IO
+Git-commit: a89afe58f1a74aac768a5eb77af95ef4ee15beaa
+Patch-mainline: v5.1-rc5
+References: bsc#1135320
+
+If the last bio returned is not dio->bio, the status of the bio will
+not assigned to dio->bio if it is error. This will cause the whole IO
+status wrong.
+
+ ksoftirqd/21-117 [021] ..s. 4017.966090: 8,0 C N 4883648 [0]
+ <idle>-0 [018] ..s. 4017.970888: 8,0 C WS 4924800 + 1024 [0]
+ <idle>-0 [018] ..s. 4017.970909: 8,0 D WS 4935424 + 1024 [<idle>]
+ <idle>-0 [018] ..s. 4017.970924: 8,0 D WS 4936448 + 321 [<idle>]
+ ksoftirqd/21-117 [021] ..s. 4017.995033: 8,0 C R 4883648 + 336 [65475]
+ ksoftirqd/21-117 [021] d.s. 4018.001988: myprobe1: (blkdev_bio_end_io+0x0/0x168) bi_status=7
+ ksoftirqd/21-117 [021] d.s. 4018.001992: myprobe: (aio_complete_rw+0x0/0x148) x0=0xffff802f2595ad80 res=0x12a000 res2=0x0
+
+We always have to assign bio->bi_status to dio->bio.bi_status because we
+will only check dio->bio.bi_status when we return the whole IO to
+the upper layer.
+
+Fixes: 542ff7bf18c6 ("block: new direct I/O implementation")
+Cc: stable@vger.kernel.org
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Jens Axboe <axboe@kernel.dk>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/block_dev.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/block_dev.c b/fs/block_dev.c
+index 78d3257435c0..24615c76c1d0 100644
+--- a/fs/block_dev.c
++++ b/fs/block_dev.c
+@@ -307,10 +307,10 @@ static void blkdev_bio_end_io(struct bio *bio)
+ struct blkdev_dio *dio = bio->bi_private;
+ bool should_dirty = dio->should_dirty;
+
+- if (dio->multi_bio && !atomic_dec_and_test(&dio->ref)) {
+- if (bio->bi_status && !dio->bio.bi_status)
+- dio->bio.bi_status = bio->bi_status;
+- } else {
++ if (bio->bi_status && !dio->bio.bi_status)
++ dio->bio.bi_status = bio->bi_status;
++
++ if (!dio->multi_bio || atomic_dec_and_test(&dio->ref)) {
+ if (!dio->is_sync) {
+ struct kiocb *iocb = dio->iocb;
+ ssize_t ret;
+--
+2.16.4
+
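Review bot: The now-unconditional `if (bio->bi_status && !dio->bio.bi_status)` store in blkdev_bio_end_io() is a check-then-write on a field shared by every bio of a multi-bio dio, and nothing at the site says why that is safe. As far as the hunk shows, it works because any non-zero status is acceptable to the caller and because the store now precedes `atomic_dec_and_test(&dio->ref)`, so the completion that drops the last reference reads it afterwards. A comment such as `/* record the error before dropping our ref: the last completer reads dio->bio.bi_status */` would document that the ordering is load-bearing. The function continues past the end of the hunk.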
diff --git a/patches.fixes/block-fix-use-after-free-on-gendisk.patch b/patches.fixes/block-fix-use-after-free-on-gendisk.patch
new file mode 100644
index 0000000000..a2a239138c
--- /dev/null
+++ b/patches.fixes/block-fix-use-after-free-on-gendisk.patch
@@ -0,0 +1,135 @@
+From 2c88e3c7ec32d7a40cc7c9b4a487cf90e4671bdd Mon Sep 17 00:00:00 2001
+From: Yufen Yu <yuyufen@huawei.com>
+Date: Tue, 2 Apr 2019 20:06:34 +0800
+Subject: [PATCH] block: fix use-after-free on gendisk
+Git-commit: 2c88e3c7ec32d7a40cc7c9b4a487cf90e4671bdd
+Patch-mainline: v5.2-rc1
+References: bsc#1135312
+
+commit 2da78092dda "block: Fix dev_t minor allocation lifetime"
+specifically moved blk_free_devt(dev->devt) call to part_release()
+to avoid reallocating device number before the device is fully
+shutdown.
+
+However, it can cause use-after-free on gendisk in get_gendisk().
+We use md device as example to show the race scenes:
+
+Process1 Worker Process2
+md_free
+ blkdev_open
+del_gendisk
+ add delete_partition_work_fn() to wq
+ __blkdev_get
+ get_gendisk
+put_disk
+ disk_release
+ kfree(disk)
+ find part from ext_devt_idr
+ get_disk_and_module(disk)
+ cause use after free
+
+ delete_partition_work_fn
+ put_device(part)
+ part_release
+ remove part from ext_devt_idr
+
+Before <devt, hd_struct pointer> is removed from ext_devt_idr by
+delete_partition_work_fn(), we can find the devt and then access
+gendisk by hd_struct pointer. But, if we access the gendisk after
+it have been freed, it can cause in use-after-freeon gendisk in
+get_gendisk().
+
+We fix this by adding a new helper blk_invalidate_devt() in
+delete_partition() and del_gendisk(). It replaces hd_struct
+pointer in idr with value 'NULL', and deletes the entry from
+idr in part_release() as we do now.
+
+Thanks to Jan Kara for providing the solution and more clear comments
+for the code.
+
+Fixes: 2da78092dda1 ("block: Fix dev_t minor allocation lifetime")
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ block/genhd.c | 19 +++++++++++++++++++
+ block/partition-generic.c | 7 +++++++
+ include/linux/genhd.h | 1 +
+ 3 files changed, 27 insertions(+)
+
+diff --git a/block/genhd.c b/block/genhd.c
+index 1d0d25f7b0fe..83f5c33d1e80 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -531,6 +531,18 @@ void blk_free_devt(dev_t devt)
+ }
+ }
+
++/**
++ * We invalidate devt by assigning NULL pointer for devt in idr.
++ */
++void blk_invalidate_devt(dev_t devt)
++{
++ if (MAJOR(devt) == BLOCK_EXT_MAJOR) {
++ spin_lock_bh(&ext_devt_lock);
++ idr_replace(&ext_devt_idr, NULL, blk_mangle_minor(MINOR(devt)));
++ spin_unlock_bh(&ext_devt_lock);
++ }
++}
++
+ static char *bdevt_str(dev_t devt, char *buf)
+ {
+ if (MAJOR(devt) <= 0xff && MINOR(devt) <= 0xff) {
+@@ -793,6 +805,13 @@ void del_gendisk(struct gendisk *disk)
+
+ if (!(disk->flags & GENHD_FL_HIDDEN))
+ blk_unregister_region(disk_devt(disk), disk->minors);
++ /*
++ * Remove gendisk pointer from idr so that it cannot be looked up
++ * while RCU period before freeing gendisk is running to prevent
++ * use-after-free issues. Note that the device number stays
++ * "in-use" until we really free the gendisk.
++ */
++ blk_invalidate_devt(disk_devt(disk));
+
+ kobject_put(disk->part0.holder_dir);
+ kobject_put(disk->slave_dir);
+diff --git a/block/partition-generic.c b/block/partition-generic.c
+index 8e596a8dff32..aee643ce13d1 100644
+--- a/block/partition-generic.c
++++ b/block/partition-generic.c
+@@ -285,6 +285,13 @@ void delete_partition(struct gendisk *disk, int partno)
+ kobject_put(part->holder_dir);
+ device_del(part_to_dev(part));
+
++ /*
++ * Remove gendisk pointer from idr so that it cannot be looked up
++ * while RCU period before freeing gendisk is running to prevent
++ * use-after-free issues. Note that the device number stays
++ * "in-use" until we really free the gendisk.
++ */
++ blk_invalidate_devt(part_devt(part));
+ hd_struct_kill(part);
+ }
+
+diff --git a/include/linux/genhd.h b/include/linux/genhd.h
+index 6547c9256d5c..8b5330dd5ac0 100644
+--- a/include/linux/genhd.h
++++ b/include/linux/genhd.h
+@@ -617,6 +617,7 @@ struct unixware_disklabel {
+
+ extern int blk_alloc_devt(struct hd_struct *part, dev_t *devt);
+ extern void blk_free_devt(dev_t devt);
++extern void blk_invalidate_devt(dev_t devt);
+ extern dev_t blk_lookup_devt(const char *name, int partno);
+ extern char *disk_name (struct gendisk *hd, int partno, char *buf);
+
+--
+2.16.4
+
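Review bot: The comment above blk_invalidate_devt() opens with `/**` but is not in kernel-doc form (no `blk_invalidate_devt - ...` summary line, no @devt description), so it should either become a plain `/* ... */` comment or be completed, e.g. ` * blk_invalidate_devt - make @devt unresolvable in ext_devt_idr without releasing the number`. The two call-site comments in del_gendisk() and delete_partition() say "Remove gendisk pointer from idr", while the patch description says the idr maps a devt to an hd_struct pointer and the helper replaces the entry with NULL rather than removing it; wording them as `Invalidate the hd_struct pointer in the idr` would match the code. Every reader of ext_devt_idr must now tolerate a NULL entry; those lookups are outside the hunks shown, so this is worth confirming against the SLE15 base. The return value of idr_replace() is ignored, which looks deliberate but is not stated.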
diff --git a/patches.fixes/ext4-actually-request-zeroing-of-inode-table-after-g.patch b/patches.fixes/ext4-actually-request-zeroing-of-inode-table-after-g.patch
new file mode 100644
index 0000000000..79dc98bdc3
--- /dev/null
+++ b/patches.fixes/ext4-actually-request-zeroing-of-inode-table-after-g.patch
@@ -0,0 +1,41 @@
+From 310a997fd74de778b9a4848a64be9cda9f18764a Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+Date: Thu, 25 Apr 2019 13:06:18 -0400
+Subject: [PATCH] ext4: actually request zeroing of inode table after grow
+Git-commit: 310a997fd74de778b9a4848a64be9cda9f18764a
+Patch-mainline: v5.2-rc1
+References: bsc#1135315
+
+It is never possible, that number of block groups decreases,
+since only online grow is supported.
+
+But after a growing occured, we have to zero inode tables
+for just created new block groups.
+
+Fixes: 19c5246d2516 ("ext4: add new online resize interface")
+Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
+index bab3da4f1e0d..20faa6a69238 100644
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -978,7 +978,7 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+ if (err == 0)
+ err = err2;
+ mnt_drop_write_file(filp);
+- if (!err && (o_group > EXT4_SB(sb)->s_groups_count) &&
++ if (!err && (o_group < EXT4_SB(sb)->s_groups_count) &&
+ ext4_has_group_desc_csum(sb) &&
+ test_opt(sb, INIT_INODE_TABLE))
+ err = ext4_register_li_request(sb, o_group);
+--
+2.16.4
+
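Review bot: The corrected test `o_group < EXT4_SB(sb)->s_groups_count` in ext4_ioctl() only reads correctly if one knows that `o_group` holds the group count sampled before the resize, and that assignment lies outside the hunk. A comment on the condition, such as `/* o_group is the pre-resize group count: new groups exist only if the count grew */`, would make the direction of the comparison self-evident and guard against the inversion this patch fixes. Presumably `ext4_register_li_request(sb, o_group)` then starts lazy initialisation at the first new group; that is inferred from the argument, not shown here.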
diff --git a/patches.fixes/ext4-fix-ext4_show_options-for-file-systems-w-o-jour.patch b/patches.fixes/ext4-fix-ext4_show_options-for-file-systems-w-o-jour.patch
new file mode 100644
index 0000000000..32e7d064c0
--- /dev/null
+++ b/patches.fixes/ext4-fix-ext4_show_options-for-file-systems-w-o-jour.patch
@@ -0,0 +1,39 @@
+From 50b29d8f033a7c88c5bc011abc2068b1691ab755 Mon Sep 17 00:00:00 2001
+From: Debabrata Banerjee <dbanerje@akamai.com>
+Date: Tue, 30 Apr 2019 23:08:15 -0400
+Subject: [PATCH] ext4: fix ext4_show_options for file systems w/o journal
+Git-commit: 50b29d8f033a7c88c5bc011abc2068b1691ab755
+Patch-mainline: v5.2-rc1
+References: bsc#1135316
+
+Instead of removing EXT4_MOUNT_JOURNAL_CHECKSUM from s_def_mount_opt as
+I assume was intended, all other options were blown away leading to
+_ext4_show_options() output being incorrect.
+
+Fixes: 1e381f60dad9 ("ext4: do not allow journal_opts for fs w/o journal")
+Signed-off-by: Debabrata Banerjee <dbanerje@akamai.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index aeb6d22ea0ad..fc6fa2c93e77 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -4349,7 +4349,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
+ "data=, fs mounted w/o journal");
+ goto failed_mount_wq;
+ }
+- sbi->s_def_mount_opt &= EXT4_MOUNT_JOURNAL_CHECKSUM;
++ sbi->s_def_mount_opt &= ~EXT4_MOUNT_JOURNAL_CHECKSUM;
+ clear_opt(sb, JOURNAL_CHECKSUM);
+ clear_opt(sb, DATA_FLAGS);
+ sbi->s_journal = NULL;
+--
+2.16.4
+
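Review bot: Nothing at the changed line `sbi->s_def_mount_opt &= ~EXT4_MOUNT_JOURNAL_CHECKSUM;` says why the default-option mask is edited separately from the `clear_opt(sb, JOURNAL_CHECKSUM)` call on the next line, which is how the original slip went unnoticed. A short comment, for example `/* drop only this bit: s_def_mount_opt is what _ext4_show_options() compares against */`, would tie the line to the symptom the description reports. ext4_fill_super() starts and ends outside the hunk.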
diff --git a/patches.fixes/ext4-fix-use-after-free-race-with-debug_want_extra_i.patch b/patches.fixes/ext4-fix-use-after-free-race-with-debug_want_extra_i.patch
new file mode 100644
index 0000000000..a7215eb4ba
--- /dev/null
+++ b/patches.fixes/ext4-fix-use-after-free-race-with-debug_want_extra_i.patch
@@ -0,0 +1,105 @@
+From 7bc04c5c2cc467c5b40f2b03ba08da174a0d5fa7 Mon Sep 17 00:00:00 2001
+From: Barret Rhoden <brho@google.com>
+Date: Thu, 25 Apr 2019 11:55:50 -0400
+Subject: [PATCH] ext4: fix use-after-free race with debug_want_extra_isize
+Git-commit: 7bc04c5c2cc467c5b40f2b03ba08da174a0d5fa7
+Patch-mainline: v5.2-rc1
+References: bsc#1135314
+
+When remounting with debug_want_extra_isize, we were not performing the
+same checks that we do during a normal mount. That allowed us to set a
+value for s_want_extra_isize that reached outside the s_inode_size.
+
+Fixes: e2b911c53584 ("ext4: clean up feature test macros with predicate functions")
+Reported-by: syzbot+f584efa0ac7213c226b7@syzkaller.appspotmail.com
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Barret Rhoden <brho@google.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/super.c | 58 ++++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 34 insertions(+), 24 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3425,6 +3425,37 @@ int ext4_calculate_overhead(struct super
+ return 0;
+ }
+
++static void ext4_clamp_want_extra_isize(struct super_block *sb)
++{
++ struct ext4_sb_info *sbi = EXT4_SB(sb);
++ struct ext4_super_block *es = sbi->s_es;
++
++ /* determine the minimum size of new large inodes, if present */
++ if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE &&
++ sbi->s_want_extra_isize == 0) {
++ sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
++ EXT4_GOOD_OLD_INODE_SIZE;
++ if (ext4_has_feature_extra_isize(sb)) {
++ if (sbi->s_want_extra_isize <
++ le16_to_cpu(es->s_want_extra_isize))
++ sbi->s_want_extra_isize =
++ le16_to_cpu(es->s_want_extra_isize);
++ if (sbi->s_want_extra_isize <
++ le16_to_cpu(es->s_min_extra_isize))
++ sbi->s_want_extra_isize =
++ le16_to_cpu(es->s_min_extra_isize);
++ }
++ }
++ /* Check if enough inode space is available */
++ if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
++ sbi->s_inode_size) {
++ sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
++ EXT4_GOOD_OLD_INODE_SIZE;
++ ext4_msg(sb, KERN_INFO,
++ "required extra inode space not available");
++ }
++}
++
+ static void ext4_set_resv_clusters(struct super_block *sb)
+ {
+ ext4_fsblk_t resv_clusters;
+@@ -4259,30 +4290,7 @@ no_journal:
+ if (ext4_setup_super(sb, es, sb->s_flags & MS_RDONLY))
+ sb->s_flags |= MS_RDONLY;
+
+- /* determine the minimum size of new large inodes, if present */
+- if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE &&
+- sbi->s_want_extra_isize == 0) {
+- sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
+- EXT4_GOOD_OLD_INODE_SIZE;
+- if (ext4_has_feature_extra_isize(sb)) {
+- if (sbi->s_want_extra_isize <
+- le16_to_cpu(es->s_want_extra_isize))
+- sbi->s_want_extra_isize =
+- le16_to_cpu(es->s_want_extra_isize);
+- if (sbi->s_want_extra_isize <
+- le16_to_cpu(es->s_min_extra_isize))
+- sbi->s_want_extra_isize =
+- le16_to_cpu(es->s_min_extra_isize);
+- }
+- }
+- /* Check if enough inode space is available */
+- if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
+- sbi->s_inode_size) {
+- sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
+- EXT4_GOOD_OLD_INODE_SIZE;
+- ext4_msg(sb, KERN_INFO, "required extra inode space not"
+- "available");
+- }
++ ext4_clamp_want_extra_isize(sb);
+
+ ext4_set_resv_clusters(sb);
+
+@@ -5064,6 +5072,8 @@ static int ext4_remount(struct super_blo
+ goto restore_opts;
+ }
+
++ ext4_clamp_want_extra_isize(sb);
++
+ if ((old_opts.s_mount_opt & EXT4_MOUNT_JOURNAL_CHECKSUM) ^
+ test_opt(sb, JOURNAL_CHECKSUM)) {
+ ext4_msg(sb, KERN_ERR, "changing journal_checksum "
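Review bot: ext4_clamp_want_extra_isize() can still leave `s_want_extra_isize` larger than the inode allows when `s_inode_size` equals EXT4_GOOD_OLD_INODE_SIZE. The "enough inode space" branch falls back to `sizeof(struct ext4_inode) - EXT4_GOOD_OLD_INODE_SIZE`, which, assuming struct ext4_inode is larger than the good-old size, again exceeds the space available. The logic is moved unchanged from ext4_fill_super(), but the added call in ext4_remount() means a value set through debug_want_extra_isize at remount now passes through it, so the fallback has to be safe on its own. An early return that forces the value to zero for good-old-size inodes closes the gap. The helper also lacks a comment stating its postcondition, namely that on return EXT4_GOOD_OLD_INODE_SIZE + s_want_extra_isize does not exceed s_inode_size.

```c
static void ext4_clamp_want_extra_isize(struct super_block *sb)
{
	/* … unchanged: sbi and es declarations … */

	/* Inodes of the good-old size have no extra-field area at all. */
	if (sbi->s_inode_size == EXT4_GOOD_OLD_INODE_SIZE) {
		sbi->s_want_extra_isize = 0;
		return;
	}

	/* … unchanged: minimum-size selection and "enough inode space" check … */
}
```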
diff --git a/patches.fixes/mm-huge_memory-fix-vmf_insert_pfn_-pmd-pud-crash-han.patch b/patches.fixes/mm-huge_memory-fix-vmf_insert_pfn_-pmd-pud-crash-han.patch
new file mode 100644
index 0000000000..4529e50b35
--- /dev/null
+++ b/patches.fixes/mm-huge_memory-fix-vmf_insert_pfn_-pmd-pud-crash-han.patch
@@ -0,0 +1,79 @@
+From fce86ff5802bac3a7b19db171aa1949ef9caac31 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Mon, 13 May 2019 17:15:33 -0700
+Subject: [PATCH] mm/huge_memory: fix vmf_insert_pfn_{pmd, pud}() crash, handle
+ unaligned addresses
+Git-commit: fce86ff5802bac3a7b19db171aa1949ef9caac31
+Patch-mainline: v5.2-rc1
+References: bsc#1135330
+
+Starting with c6f3c5ee40c1 ("mm/huge_memory.c: fix modifying of page
+protection by insert_pfn_pmd()") vmf_insert_pfn_pmd() internally calls
+pmdp_set_access_flags(). That helper enforces a pmd aligned @address
+argument via VM_BUG_ON() assertion.
+
+Update the implementation to take a 'struct vm_fault' argument directly
+and apply the address alignment fixup internally to fix crash signatures
+Like:
+
+ kernel BUG at arch/x86/mm/pgtable.c:515!
+ invalid opcode: 0000 [#1] SMP NOPTI
+ CPU: 51 PID: 43713 Comm: java Tainted: G OE 4.19.35 #1
+ [..]
+ RIP: 0010:pmdp_set_access_flags+0x48/0x50
+ [..]
+ Call Trace:
+ vmf_insert_pfn_pmd+0x198/0x350
+ dax_iomap_fault+0xe82/0x1190
+ ext4_dax_huge_fault+0x103/0x1f0
+ ? __switch_to_asm+0x40/0x70
+ __handle_mm_fault+0x3f6/0x1370
+ ? __switch_to_asm+0x34/0x70
+ ? __switch_to_asm+0x40/0x70
+ handle_mm_fault+0xda/0x200
+ __do_page_fault+0x249/0x4f0
+ do_page_fault+0x32/0x110
+ ? page_fault+0x8/0x30
+ page_fault+0x1e/0x30
+
+Link: http://lkml.kernel.org/r/155741946350.372037.11148198430068238140.stgit@dwillia2-desk3.amr.corp.intel.com
+Fixes: c6f3c5ee40c1 ("mm/huge_memory.c: fix modifying of page protection by insert_pfn_pmd()")
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Reported-by: Piotr Balcer <piotr.balcer@intel.com>
+Tested-by: Yan Ma <yan.ma@intel.com>
+Tested-by: Pankaj Gupta <pagupta@redhat.com>
+Reviewed-by: Matthew Wilcox <willy@infradead.org>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Cc: Chandan Rajendra <chandan@linux.ibm.com>
+Cc: Souptick Joarder <jrdr.linux@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Jan Kara <jack@suse.cz>
+[JK: Removed changes in vmf_insert_pfn_pmd/pud() prototypes to maintain kABI]
+
+---
+ mm/huge_memory.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -780,6 +780,8 @@ int vmf_insert_pfn_pmd(struct vm_area_st
+ {
+ pgprot_t pgprot = vma->vm_page_prot;
+ pgtable_t pgtable = NULL;
++
++ addr &= PMD_MASK;
+ /*
+ * If we had pmd_special, we could avoid all these restrictions,
+ * but we need to be consistent with PTEs and architectures that
+@@ -855,6 +857,8 @@ int vmf_insert_pfn_pud(struct vm_area_st
+ pud_t *pud, pfn_t pfn, bool write)
+ {
+ pgprot_t pgprot = vma->vm_page_prot;
++
++ addr &= PUD_MASK;
+ /*
+ * If we had pud_special, we could avoid all these restrictions,
+ * but we need to be consistent with PTEs and architectures that
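Review bot: The added `addr &= PMD_MASK;` and `addr &= PUD_MASK;` rewrite a parameter in place with no comment, and the reason lives only in the patch description. A comment such as `/* callers may pass the raw fault address; pmdp_set_access_flags() asserts PMD alignment */` at the first site, with the PUD equivalent at the second, would explain it. Noting that this differs from mainline because the prototypes were kept for kABI would help the next backporter. Any comparison of `addr` against the VMA bounds later in these functions now sees the rounded-down address; those lines are outside the hunks, so it is worth confirming they behave as intended for a VMA that does not start on a PMD or PUD boundary.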
diff --git a/patches.fixes/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-UFS-.patch b/patches.fixes/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-UFS-.patch
new file mode 100644
index 0000000000..24e5cafecf
--- /dev/null
+++ b/patches.fixes/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-UFS-.patch
@@ -0,0 +1,38 @@
+From 4e9036042fedaffcd868d7f7aa948756c48c637d Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 1 May 2019 22:46:11 -0400
+Subject: [PATCH] ufs: fix braino in ufs_get_inode_gid() for solaris UFS
+ flavour
+Git-commit: 4e9036042fedaffcd868d7f7aa948756c48c637d
+Patch-mainline: v5.1
+References: bsc#1135323
+
+To choose whether to pick the GID from the old (16bit) or new (32bit)
+field, we should check if the old gid field is set to 0xffff. Mainline
+checks the old *UID* field instead - cut'n'paste from the corresponding
+code in ufs_get_inode_uid().
+
+Fixes: 252e211e90ce
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ufs/util.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ufs/util.h b/fs/ufs/util.h
+index 1fd3011ea623..7fd4802222b8 100644
+--- a/fs/ufs/util.h
++++ b/fs/ufs/util.h
+@@ -229,7 +229,7 @@ ufs_get_inode_gid(struct super_block *sb, struct ufs_inode *inode)
+ case UFS_UID_44BSD:
+ return fs32_to_cpu(sb, inode->ui_u3.ui_44.ui_gid);
+ case UFS_UID_EFT:
+- if (inode->ui_u1.oldids.ui_suid == 0xFFFF)
++ if (inode->ui_u1.oldids.ui_sgid == 0xFFFF)
+ return fs32_to_cpu(sb, inode->ui_u3.ui_sun.ui_gid);
+ /* Fall through */
+ default:
+--
+2.16.4
+
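Review bot: The corrected test `inode->ui_u1.oldids.ui_sgid == 0xFFFF` compares the on-disk field without a byte-order conversion, unlike the `fs32_to_cpu()` reads around it, and nothing says why that is acceptable. It is safe only because the sentinel 0xFFFF has the same representation in either byte order, given the 16-bit field the description mentions. A short comment such as `/* 0xFFFF is byte-order invariant, no fs16_to_cpu() needed */` would stop a later change of the sentinel from introducing an endianness bug. ufs_get_inode_gid() starts and ends outside the hunk.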
diff --git a/patches.suse/tun-allow-positive-return-values-on-dev_get_valid_na.patch b/patches.suse/tun-allow-positive-return-values-on-dev_get_valid_na.patch
index f5a9202739..1213f3350c 100644
--- a/patches.suse/tun-allow-positive-return-values-on-dev_get_valid_na.patch
+++ b/patches.suse/tun-allow-positive-return-values-on-dev_get_valid_na.patch
@@ -3,7 +3,7 @@ Date: Wed, 25 Oct 2017 11:50:50 -0700
Subject: tun: allow positive return values on dev_get_valid_name() call
Git-commit: 5c25f65fd1e42685f7ccd80e0621829c105785d9
Patch-mainline: v4.14-rc7
-References: networking-stable-17_11_14
+References: networking-stable-17_11_14, CVE-2018-7191, bsc#1135603
If the name argument of dev_get_valid_name() contains "%d", it will try
to assign it a unit number in __dev__alloc_name() and return either the
diff --git a/patches.suse/tun-call-dev_get_valid_name-before-register_netdevic.patch b/patches.suse/tun-call-dev_get_valid_name-before-register_netdevic.patch
index 776b56d4d7..a92f442870 100644
--- a/patches.suse/tun-call-dev_get_valid_name-before-register_netdevic.patch
+++ b/patches.suse/tun-call-dev_get_valid_name-before-register_netdevic.patch
@@ -3,7 +3,7 @@ Date: Fri, 13 Oct 2017 11:58:53 -0700
Subject: tun: call dev_get_valid_name() before register_netdevice()
Git-commit: 0ad646c81b2182f7fa67ec0c8c825e0ee165696d
Patch-mainline: v4.14-rc6
-References: networking-stable-17_11_14
+References: networking-stable-17_11_14, CVE-2018-7191, bsc#1135603
register_netdevice() could fail early when we have an invalid
dev name, in which case ->ndo_uninit() is not called. For tun
diff --git a/series.conf b/series.conf
index abc5ee0fb3..baae52c2ed 100644
--- a/series.conf
+++ b/series.conf
@@ -21788,6 +21788,8 @@
patches.fixes/clk-x86-Add-system-specific-quirk-to-mark-clocks-as-.patch
patches.drivers/platform-x86-pmc_atom-Drop-__initconst-on-dmi-table.patch
patches.fixes/virtio-blk-limit-number-of-hw-queues-by-nr_cpu_ids.patch
+ patches.fixes/block-do-not-leak-memory-in-bio_copy_user_iov.patch
+ patches.fixes/block-fix-the-return-errno-for-direct-IO.patch
patches.arch/svm-avic-fix-invalidate-logical-apic-id-entry
patches.arch/kvm-x86-svm-make-sure-nmi-is-injected-after-nmi_singlestep
patches.arch/kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu
@@ -21862,6 +21864,7 @@
patches.drivers/ALSA-hda-realtek-Fixed-Dell-AIO-speaker-noise.patch
patches.drivers/ALSA-line6-use-dynamic-buffers.patch
patches.drivers/ALSA-hda-realtek-Apply-the-fixup-for-ASUS-Q325UAR.patch
+ patches.fixes/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-UFS-.patch
patches.arch/cpu-speculation-add-mitigations-cmdline-option.patch
patches.arch/x86-speculation-support-mitigations-cmdline-option.patch
patches.arch/powerpc-speculation-support-mitigations-cmdline-option.patch
@@ -21912,8 +21915,12 @@
patches.fixes/Revert-ide-unexport-DISK_EVENT_MEDIA_CHANGE-for-ide-.patch
patches.suse/Revert-block-unexport-DISK_EVENT_MEDIA_CHANGE-for.patch
patches.suse/block-check_events-don-t-bother-with-events-if-un.patch
+ patches.fixes/block-fix-use-after-free-on-gendisk.patch
patches.fixes/nvme-multipath-split-bios-with-the-ns_head-bio_set-b.patch
patches.fixes/audit-fix-a-memleak-caused-by-auditing-load-module.patch
+ patches.fixes/ext4-fix-use-after-free-race-with-debug_want_extra_i.patch
+ patches.fixes/ext4-actually-request-zeroing-of-inode-table-after-g.patch
+ patches.fixes/ext4-fix-ext4_show_options-for-file-systems-w-o-jour.patch
patches.drivers/ibmvnic-Report-actual-backing-device-speed-and-duple.patch
patches.fixes/openvswitch-add-seqadj-extension-when-NAT-is-used.patch
patches.drivers/b43-shut-up-clang-Wuninitialized-variable-warning.patch
@@ -22032,6 +22039,7 @@
patches.arch/x86-speculation-mds-add-smt-warning-message.patch
patches.arch/x86-speculation-mds-print-smt-vulnerable-on-msbds-with-mitigations-off.patch
patches.arch/x86-speculation-mds-add-mitigations-support-for-mds.patch
+ patches.fixes/mm-huge_memory-fix-vmf_insert_pfn_-pmd-pud-crash-han.patch
patches.drivers/PCI-Mark-AMD-Stoney-Radeon-R7-GPU-ATS-as-broken.patch
patches.drivers/PCI-Mark-Atheros-AR9462-to-avoid-bus-reset.patch
patches.drivers/backlight-lm3630a-Return-0-on-success-in-update_stat.patch