authorKernel Build Daemon <kbuild@suse.de>2019-12-05 07:12:01 +0100
committerKernel Build Daemon <kbuild@suse.de>2019-12-05 07:12:01 +0100
commitbe9646a98f6872fbb501a14ddd161dad7d7735df (patch)
tree6967da7aac8ac532f3a9756e852ecbc8037e96cb
parent69aefd55f62e38b724ac0914ecb66278f42a0b24 (diff)
parenta188d6f56ed82993a9d18c9e4496866d17a168b1 (diff)
Merge branch 'SLE15' into SLE15-AZURErpm-4.12.14-5.47--sle15-updatesrpm-4.12.14-5.47
-rw-r--r--patches.kabi/kabi-handle-addition-of-ip6addrlbl_table-into-struct.patch7
-rw-r--r--patches.kabi/kabi-handle-addition-of-net-hash_mix.patch5
-rw-r--r--patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch5
-rw-r--r--patches.kabi/kabi-handle-addition-of-uevent_sock-into-struct-net.patch9
-rw-r--r--patches.kabi/kabi-move-sysctl_tcp_min_snd_mss-to-preserve-struct-.patch21
-rw-r--r--patches.suse/0001-usb-cdc-acm-make-sure-a-refcount-is-taken-early-enou.patch2
-rw-r--r--patches.suse/0006-can-peak_usb-pcan_usb_pro-Fix-info-leaks-to-USB-devi.patch2
-rw-r--r--patches.suse/CIFS-Fix-SMB2-oplock-break-processing.patch3
-rw-r--r--patches.suse/Input-ff-memless-kill-timer-in-destroy.patch2
-rw-r--r--patches.suse/PCI-Apply-Cavium-ACS-quirk-to-ThunderX2-and-ThunderX.patch60
-rw-r--r--patches.suse/PCI-Fix-Intel-ACS-quirk-UPDCR-register-address.patch51
-rw-r--r--patches.suse/PCI-MSI-Fix-incorrect-MSI-X-masking-on-resume.patch62
-rw-r--r--patches.suse/PCI-PTM-Remove-spurious-d-from-granularity-message.patch41
-rw-r--r--patches.suse/PCI-dwc-Fix-find_next_bit-usage.patch56
-rw-r--r--patches.suse/PCI-rcar-Fix-missing-MACCTLR-register-setting-in-ini.patch67
-rw-r--r--patches.suse/USB-iowarrior-fix-use-after-free-on-disconnect.patch2
-rw-r--r--patches.suse/USB-misc-appledisplay-fix-backlight-update_status-re.patch50
-rw-r--r--patches.suse/can-mcba_usb-fix-use-after-free-on-disconnect.patch2
-rw-r--r--patches.suse/can-peak_usb-fix-slab-info-leak.patch2
-rw-r--r--patches.suse/cifs-move-cifsFileInfo_put-logic-into-a-work-queue.patch3
-rw-r--r--patches.suse/compat_ioctl-handle-SIOCOUTQNSD.patch38
-rw-r--r--patches.suse/ftrace-introduce-permanent-ftrace_ops-flag.patch134
-rw-r--r--patches.suse/ieee802154-atusb-fix-use-after-free-at-disconnect.patch2
-rw-r--r--patches.suse/ipv6-defrag-drop-non-last-frags-smaller-than-min-mtu.patch92
-rw-r--r--patches.suse/media-serial_ir-Fix-use-after-free-in-serial_ir_init.patch2
-rw-r--r--patches.suse/mlx5-add-parameter-to-disable-enhanced-IPoIB.patch47
-rw-r--r--patches.suse/sctp-change-sctp_prot-.no_autobind-with-true.patch27
-rw-r--r--patches.suse/synclink_gt-fix-compat_ioctl.patch62
-rw-r--r--patches.suse/tcp_nv-fix-potential-integer-overflow-in-tcpnv_acked.patch46
-rw-r--r--patches.suse/tipc-Avoid-copying-bytes-beyond-the-supplied-data.patch74
-rw-r--r--patches.suse/tipc-check-bearer-name-with-right-length-in-tipc_nl_.patch57
-rw-r--r--patches.suse/tipc-check-link-name-with-right-length-in-tipc_nl_co.patch45
-rw-r--r--patches.suse/tipc-check-msg-req-data-len-in-tipc_nl_compat_bearer.patch92
-rw-r--r--patches.suse/tipc-compat-allow-tipc-commands-without-arguments.patch90
-rw-r--r--patches.suse/tipc-fix-tipc_mon_delete-oops-in-tipc_enable_bearer-.patch85
-rw-r--r--patches.suse/tipc-fix-wrong-timeout-input-for-tipc_wait_for_cond.patch40
-rw-r--r--patches.suse/tipc-handle-the-err-returned-from-cmd-header-functio.patch81
-rw-r--r--patches.suse/tipc-pass-tunnel-dev-as-NULL-to-udp_tunnel-6-_xmit_s.patch94
-rw-r--r--patches.suse/tipc-tipc-clang-warning.patch69
-rw-r--r--patches.suse/tty-serial-fsl_lpuart-use-the-sg-count-from-dma_map_.patch44
-rw-r--r--patches.suse/tty-serial-imx-use-the-sg-count-from-dma_map_sg.patch38
-rw-r--r--patches.suse/tty-serial-msm_serial-Fix-flow-control.patch74
-rw-r--r--patches.suse/tty-serial-pch_uart-correct-usage-of-dma_unmap_sg.patch70
-rw-r--r--patches.suse/usb-yurex-Fix-use-after-free-in-yurex_delete.patch2
-rw-r--r--series.conf32
45 files changed, 1825 insertions, 64 deletions
diff --git a/patches.kabi/kabi-handle-addition-of-ip6addrlbl_table-into-struct.patch b/patches.kabi/kabi-handle-addition-of-ip6addrlbl_table-into-struct.patch
index f8db212d0e..6c07e77f10 100644
--- a/patches.kabi/kabi-handle-addition-of-ip6addrlbl_table-into-struct.patch
+++ b/patches.kabi/kabi-handle-addition-of-ip6addrlbl_table-into-struct.patch
@@ -1,5 +1,4 @@
From: Michal Kubecek <mkubecek@suse.cz>
-Date: Thu, 14 Feb 2019 13:24:03 +0100
Subject: kabi: handle addition of ip6addrlbl_table into struct netns_ipv6
Patch-mainline: Never, kabi workaround
References: bsc#1122982
@@ -19,7 +18,7 @@ Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
-@@ -150,6 +150,11 @@ struct net {
+@@ -151,6 +151,11 @@ struct net {
struct sock *diag_nlsk;
atomic_t fnhe_genid;
#ifndef __GENKSYMS__
@@ -28,9 +27,9 @@ Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
+ spinlock_t lock;
+ u32 seq;
+ } ip6addrlbl_table;
- int sysctl_tcp_min_snd_mss;
+ int sysctl_tcp_min_snd_mss;
+ int ip6frag_strict_short;
#endif
- };
--- a/include/net/netns/ipv6.h
+++ b/include/net/netns/ipv6.h
@@ -86,11 +86,6 @@ struct netns_ipv6 {
diff --git a/patches.kabi/kabi-handle-addition-of-net-hash_mix.patch b/patches.kabi/kabi-handle-addition-of-net-hash_mix.patch
index 0d014818fd..91a69931dc 100644
--- a/patches.kabi/kabi-handle-addition-of-net-hash_mix.patch
+++ b/patches.kabi/kabi-handle-addition-of-net-hash_mix.patch
@@ -1,5 +1,4 @@
From: Michal Kubecek <mkubecek@suse.cz>
-Date: Tue, 9 Jul 2019 08:37:40 +0200
Subject: kabi: handle addition of net::hash_mix
Patch-mainline: Never, kabi workaround
References: CVE-2019-10639 bsc#1140577
@@ -27,8 +26,8 @@ Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
@@ -156,6 +155,7 @@ struct net {
} ip6addrlbl_table;
struct uevent_sock *uevent_sock; /* uevent socket */
- int sysctl_tcp_min_snd_mss;
+ int sysctl_tcp_min_snd_mss;
+ u32 hash_mix;
+ int ip6frag_strict_short;
#endif
};
-
diff --git a/patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch b/patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch
index e5b790ea2d..f10b237c06 100644
--- a/patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch
+++ b/patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch
@@ -1,5 +1,4 @@
From: Michal Kubecek <mkubecek@suse.cz>
-Date: Tue, 9 Jul 2019 08:45:15 +0200
Subject: kabi: handle addition of netns_ipv4::ip_id_key
Patch-mainline: Never, kabi workaround
References: CVE-2019-10638 bsc#1140575
@@ -23,12 +22,12 @@ Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
+++ b/include/net/net_namespace.h
@@ -156,6 +156,7 @@ struct net {
struct uevent_sock *uevent_sock; /* uevent socket */
- int sysctl_tcp_min_snd_mss;
+ int sysctl_tcp_min_snd_mss;
u32 hash_mix;
+ siphash_key_t ip_id_key;
+ int ip6frag_strict_short;
#endif
};
-
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -160,6 +160,5 @@ struct netns_ipv4 {
diff --git a/patches.kabi/kabi-handle-addition-of-uevent_sock-into-struct-net.patch b/patches.kabi/kabi-handle-addition-of-uevent_sock-into-struct-net.patch
index 6ca00c0d6d..b3c633edc9 100644
--- a/patches.kabi/kabi-handle-addition-of-uevent_sock-into-struct-net.patch
+++ b/patches.kabi/kabi-handle-addition-of-uevent_sock-into-struct-net.patch
@@ -1,5 +1,4 @@
From: Michal Kubecek <mkubecek@suse.cz>
-Date: Thu, 14 Feb 2019 13:30:26 +0100
Subject: kabi: handle addition of uevent_sock into struct net
Patch-mainline: Never, kabi workaround
References: bsc#1122982
@@ -16,7 +15,7 @@ Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
-@@ -77,8 +77,6 @@ struct net {
+@@ -78,8 +78,6 @@ struct net {
struct sock *rtnl; /* rtnetlink socket */
struct sock *genl_sock;
@@ -25,11 +24,11 @@ Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
struct list_head dev_base_head;
struct hlist_head *dev_name_head;
struct hlist_head *dev_index_head;
-@@ -155,6 +153,7 @@ struct net {
+@@ -156,6 +154,7 @@ struct net {
spinlock_t lock;
u32 seq;
} ip6addrlbl_table;
+ struct uevent_sock *uevent_sock; /* uevent socket */
- int sysctl_tcp_min_snd_mss;
+ int sysctl_tcp_min_snd_mss;
+ int ip6frag_strict_short;
#endif
- };
diff --git a/patches.kabi/kabi-move-sysctl_tcp_min_snd_mss-to-preserve-struct-.patch b/patches.kabi/kabi-move-sysctl_tcp_min_snd_mss-to-preserve-struct-.patch
index 3d7ec92ab3..2ade75170d 100644
--- a/patches.kabi/kabi-move-sysctl_tcp_min_snd_mss-to-preserve-struct-.patch
+++ b/patches.kabi/kabi-move-sysctl_tcp_min_snd_mss-to-preserve-struct-.patch
@@ -1,5 +1,4 @@
From: Michal Kubecek <mkubecek@suse.cz>
-Date: Sat, 8 Jun 2019 12:30:13 +0200
Subject: kabi: move sysctl_tcp_min_snd_mss to preserve struct net layout
Patch-mainline: Never, kabi workaround
References: bsc#1137586 CVE-2019-11479
@@ -14,29 +13,27 @@ never embedded in another structure or used as an array element.
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
---
- include/net/net_namespace.h | 3 +++
+ include/net/net_namespace.h | 1 +
include/net/netns/ipv4.h | 1 -
net/ipv4/sysctl_net_ipv4.c | 2 +-
net/ipv4/tcp_ipv4.c | 2 +-
net/ipv4/tcp_output.c | 2 +-
net/ipv4/tcp_timer.c | 2 +-
- 6 files changed, 7 insertions(+), 5 deletions(-)
+ 6 files changed, 5 insertions(+), 5 deletions(-)
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
-@@ -149,6 +149,9 @@ struct net {
- #endif
+@@ -151,6 +151,7 @@ struct net {
struct sock *diag_nlsk;
atomic_t fnhe_genid;
-+#ifndef __GENKSYMS__
-+ int sysctl_tcp_min_snd_mss;
-+#endif
+ #ifndef __GENKSYMS__
++ int sysctl_tcp_min_snd_mss;
+ int ip6frag_strict_short;
+ #endif
};
-
- #include <linux/seq_file_net.h>
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
-@@ -105,7 +105,6 @@ struct netns_ipv4 {
+@@ -106,7 +106,6 @@ struct netns_ipv4 {
#endif
int sysctl_tcp_mtu_probing;
int sysctl_tcp_base_mss;
@@ -68,7 +65,7 @@ Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
-@@ -1446,7 +1446,7 @@ static inline int __tcp_mtu_to_mss(struct sock *sk, int pmtu)
+@@ -1455,7 +1455,7 @@ static inline int __tcp_mtu_to_mss(struct sock *sk, int pmtu)
mss_now -= icsk->icsk_ext_hdr_len;
/* Then reserve room for full set of TCP options and 8 bytes of data */
diff --git a/patches.suse/0001-usb-cdc-acm-make-sure-a-refcount-is-taken-early-enou.patch b/patches.suse/0001-usb-cdc-acm-make-sure-a-refcount-is-taken-early-enou.patch
index a57409795f..135d7f5732 100644
--- a/patches.suse/0001-usb-cdc-acm-make-sure-a-refcount-is-taken-early-enou.patch
+++ b/patches.suse/0001-usb-cdc-acm-make-sure-a-refcount-is-taken-early-enou.patch
@@ -4,7 +4,7 @@ Date: Thu, 8 Aug 2019 16:21:19 +0200
Subject: [PATCH] usb: cdc-acm: make sure a refcount is taken early enough
Git-commit: c52873e5a1ef72f845526d9f6a50704433f9c625
Patch-mainline: v5.3-rc5
-References: bsc#1142635
+References: CVE-2019-19530 bsc#1158410 bsc#1142635
destroy() will decrement the refcount on the interface, so that
it needs to be taken so early that it never undercounts.
diff --git a/patches.suse/0006-can-peak_usb-pcan_usb_pro-Fix-info-leaks-to-USB-devi.patch b/patches.suse/0006-can-peak_usb-pcan_usb_pro-Fix-info-leaks-to-USB-devi.patch
index 85da45b793..0c68f3bf59 100644
--- a/patches.suse/0006-can-peak_usb-pcan_usb_pro-Fix-info-leaks-to-USB-devi.patch
+++ b/patches.suse/0006-can-peak_usb-pcan_usb_pro-Fix-info-leaks-to-USB-devi.patch
@@ -4,7 +4,7 @@ Date: Wed, 31 Jul 2019 10:54:47 -0400
Subject: [PATCH] can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices
Git-commit: ead16e53c2f0ed946d82d4037c630e2f60f4ab69
Patch-mainline: v5.3-rc4
-References: bsc#1051510
+References: CVE-2019-19536 bsc#1158394 bsc#1051510
Uninitialized Kernel memory can leak to USB devices.
diff --git a/patches.suse/CIFS-Fix-SMB2-oplock-break-processing.patch b/patches.suse/CIFS-Fix-SMB2-oplock-break-processing.patch
index 604ad95bfe..f8b4a8d346 100644
--- a/patches.suse/CIFS-Fix-SMB2-oplock-break-processing.patch
+++ b/patches.suse/CIFS-Fix-SMB2-oplock-break-processing.patch
@@ -2,7 +2,8 @@ From: Pavel Shilovsky <piastryyy@gmail.com>
Date: Thu, 31 Oct 2019 14:18:57 -0700
Subject: [PATCH] CIFS: Fix SMB2 oplock break processing
References: bsc#1144333 bsc#1154355
-Patch-mainline: Not yet, queued in for-next
+Patch-mainline: v5.5-rc1
+Git-commit: fa9c2362497fbd64788063288dc4e74daf977ebb
Even when mounting modern protocol version the server may be
configured without supporting SMB2.1 leases and the client
diff --git a/patches.suse/Input-ff-memless-kill-timer-in-destroy.patch b/patches.suse/Input-ff-memless-kill-timer-in-destroy.patch
index 18e8223d2b..4e62c701a1 100644
--- a/patches.suse/Input-ff-memless-kill-timer-in-destroy.patch
+++ b/patches.suse/Input-ff-memless-kill-timer-in-destroy.patch
@@ -4,7 +4,7 @@ Date: Fri, 15 Nov 2019 11:35:05 -0800
Subject: [PATCH] Input: ff-memless - kill timer in destroy()
Git-commit: fa3a5a1880c91bb92594ad42dfe9eedad7996b86
Patch-mainline: v5.4-rc8
-References: bsc#1051510
+References: CVE-2019-19524 bsc#1158413 bsc#1051510
No timer must be left running when the device goes away.
diff --git a/patches.suse/PCI-Apply-Cavium-ACS-quirk-to-ThunderX2-and-ThunderX.patch b/patches.suse/PCI-Apply-Cavium-ACS-quirk-to-ThunderX2-and-ThunderX.patch
new file mode 100644
index 0000000000..6f6968644e
--- /dev/null
+++ b/patches.suse/PCI-Apply-Cavium-ACS-quirk-to-ThunderX2-and-ThunderX.patch
@@ -0,0 +1,60 @@
+From f338bb9f0179cb959977b74e8331b312264d720b Mon Sep 17 00:00:00 2001
+From: George Cherian <george.cherian@marvell.com>
+Date: Mon, 11 Nov 2019 02:43:03 +0000
+Subject: [PATCH] PCI: Apply Cavium ACS quirk to ThunderX2 and ThunderX3
+Git-commit: f338bb9f0179cb959977b74e8331b312264d720b
+Patch-mainline: v5.5-rc1
+References: bsc#1051510
+
+Enhance the ACS quirk for Cavium Processors. Add the root port vendor IDs
+for ThunderX2 and ThunderX3 series of processors.
+
+[bhelgaas: add Fixes: and stable tag]
+Fixes: f2ddaf8dfd4a ("PCI: Apply Cavium ThunderX ACS quirk to more Root Ports")
+Link: https://lore.kernel.org/r/20191111024243.GA11408@dc5-eodlnx05.marvell.com
+Signed-off-by: George Cherian <george.cherian@marvell.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Robert Richter <rrichter@marvell.com>
+Cc: stable@vger.kernel.org # v4.12+
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/pci/quirks.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index d5d57cd91a5e..2544e210b984 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4347,15 +4347,21 @@ static int pci_quirk_amd_sb_acs(struct pci_dev *dev, u16 acs_flags)
+
+ static bool pci_quirk_cavium_acs_match(struct pci_dev *dev)
+ {
++ if (!pci_is_pcie(dev) || pci_pcie_type(dev) != PCI_EXP_TYPE_ROOT_PORT)
++ return false;
++
++ switch (dev->device) {
+ /*
+- * Effectively selects all downstream ports for whole ThunderX 1
+- * family by 0xf800 mask (which represents 8 SoCs), while the lower
+- * bits of device ID are used to indicate which subdevice is used
+- * within the SoC.
++ * Effectively selects all downstream ports for whole ThunderX1
++ * (which represents 8 SoCs).
+ */
+- return (pci_is_pcie(dev) &&
+- (pci_pcie_type(dev) == PCI_EXP_TYPE_ROOT_PORT) &&
+- ((dev->device & 0xf800) == 0xa000));
++ case 0xa000 ... 0xa7ff: /* ThunderX1 */
++ case 0xaf84: /* ThunderX2 */
++ case 0xb884: /* ThunderX3 */
++ return true;
++ default:
++ return false;
++ }
+ }
+
+ static int pci_quirk_cavium_acs(struct pci_dev *dev, u16 acs_flags)
+--
+2.16.4
+
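Review bot: The rewritten comment in pci_quirk_cavium_acs_match() no longer explains how the ThunderX1 range was derived, so the code alone does not show that `case 0xa000 ... 0xa7ff:` selects exactly the devices the removed `(dev->device & 0xf800) == 0xa000` test did. I would move the comment onto the case label and state the equivalence, e.g. `case 0xa000 ... 0xa7ff: /* ThunderX1: same set as (device & 0xf800) == 0xa000 */`. A match makes the ACS quirk apply to that root port, and ACS quirks presumably feed device-isolation decisions, so the two exact IDs `0xaf84` and `0xb884` also deserve a short note on where they come from. The vendor check is not visible in this hunk and is presumably done by the quirk table that calls this function.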
diff --git a/patches.suse/PCI-Fix-Intel-ACS-quirk-UPDCR-register-address.patch b/patches.suse/PCI-Fix-Intel-ACS-quirk-UPDCR-register-address.patch
new file mode 100644
index 0000000000..25bcae04b8
--- /dev/null
+++ b/patches.suse/PCI-Fix-Intel-ACS-quirk-UPDCR-register-address.patch
@@ -0,0 +1,51 @@
+From d8558ac8c93d429d65d7490b512a3a67e559d0d4 Mon Sep 17 00:00:00 2001
+From: Steffen Liebergeld <steffen.liebergeld@kernkonzept.com>
+Date: Wed, 18 Sep 2019 15:16:52 +0200
+Subject: [PATCH] PCI: Fix Intel ACS quirk UPDCR register address
+Git-commit: d8558ac8c93d429d65d7490b512a3a67e559d0d4
+Patch-mainline: v5.5-rc1
+References: bsc#1051510
+
+According to documentation [0] the correct offset for the Upstream Peer
+Decode Configuration Register (UPDCR) is 0x1014. It was previously defined
+as 0x1114.
+
+d99321b63b1f ("PCI: Enable quirks for PCIe ACS on Intel PCH root ports")
+intended to enforce isolation between PCI devices allowing them to be put
+into separate IOMMU groups. Due to the wrong register offset the intended
+isolation was not fully enforced. This is fixed with this patch.
+
+Please note that I did not test this patch because I have no hardware that
+implements this register.
+
+[0] https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/4th-gen-core-family-mobile-i-o-datasheet.pdf (page 325)
+
+Fixes: d99321b63b1f ("PCI: Enable quirks for PCIe ACS on Intel PCH root ports")
+Link: https://lore.kernel.org/r/7a3505df-79ba-8a28-464c-88b83eefffa6@kernkonzept.com
+Signed-off-by: Steffen Liebergeld <steffen.liebergeld@kernkonzept.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Andrew Murray <andrew.murray@arm.com>
+Acked-by: Ashok Raj <ashok.raj@intel.com>
+Cc: stable@vger.kernel.org # v3.15+
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/pci/quirks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index 320255e5e8f8..cd3e84ae742e 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4706,7 +4706,7 @@ int pci_dev_specific_acs_enabled(struct pci_dev *dev, u16 acs_flags)
+ #define INTEL_BSPR_REG_BPPD (1 << 9)
+
+ /* Upstream Peer Decode Configuration Register */
+-#define INTEL_UPDCR_REG 0x1114
++#define INTEL_UPDCR_REG 0x1014
+ /* 5:0 Peer Decode Enable bits */
+ #define INTEL_UPDCR_REG_MASK 0x3f
+
+--
+2.16.4
+
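Review bot: The corrected `INTEL_UPDCR_REG` value carries no pointer to its source, and the patch description says the change was not tested on hardware. The description also says the old offset left the intended isolation between PCI devices not fully enforced, so the datasheet reference belongs next to the define, e.g. `/* Upstream Peer Decode Configuration Register, offset 0x1014 per the PCH datasheet cited in the commit log */`. The code that programs the register is outside this hunk. When validating the backport, it is worth confirming on affected hardware that the peer decode enable bits really end up cleared.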
diff --git a/patches.suse/PCI-MSI-Fix-incorrect-MSI-X-masking-on-resume.patch b/patches.suse/PCI-MSI-Fix-incorrect-MSI-X-masking-on-resume.patch
new file mode 100644
index 0000000000..065b87eb61
--- /dev/null
+++ b/patches.suse/PCI-MSI-Fix-incorrect-MSI-X-masking-on-resume.patch
@@ -0,0 +1,62 @@
+From e045fa29e89383c717e308609edd19d2fd29e1be Mon Sep 17 00:00:00 2001
+From: Jian-Hong Pan <jian-hong@endlessm.com>
+Date: Tue, 8 Oct 2019 11:42:39 +0800
+Subject: [PATCH] PCI/MSI: Fix incorrect MSI-X masking on resume
+Git-commit: e045fa29e89383c717e308609edd19d2fd29e1be
+Patch-mainline: v5.5-rc1
+References: bsc#1051510
+
+When a driver enables MSI-X, msix_program_entries() reads the MSI-X Vector
+Control register for each vector and saves it in desc->masked. Each
+register is 32 bits and bit 0 is the actual Mask bit.
+
+When we restored these registers during resume, we previously set the Mask
+bit if *any* bit in desc->masked was set instead of when the Mask bit
+itself was set:
+
+ pci_restore_state
+ pci_restore_msi_state
+ __pci_restore_msix_state
+ for_each_pci_msi_entry
+ msix_mask_irq(entry, entry->masked) <-- entire u32 word
+ __pci_msix_desc_mask_irq(desc, flag)
+ mask_bits = desc->masked & ~PCI_MSIX_ENTRY_CTRL_MASKBIT
+ if (flag) <-- testing entire u32, not just bit 0
+ mask_bits |= PCI_MSIX_ENTRY_CTRL_MASKBIT
+ writel(mask_bits, desc_addr + PCI_MSIX_ENTRY_VECTOR_CTRL)
+
+This means that after resume, MSI-X vectors were masked when they shouldn't
+be, which leads to timeouts like this:
+
+ nvme nvme0: I/O 978 QID 3 timeout, completion polled
+
+On resume, set the Mask bit only when the saved Mask bit from suspend was
+set.
+
+This should remove the need for 19ea025e1d28 ("nvme: Add quirk for Kingston
+NVME SSD running FW E8FK11.T").
+
+[bhelgaas: commit log, move fix to __pci_msix_desc_mask_irq()]
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=204887
+Link: https://lore.kernel.org/r/20191008034238.2503-1-jian-hong@endlessm.com
+Fixes: f2440d9acbe8 ("PCI MSI: Refactor interrupt masking code")
+Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/pci/msi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/msi.c
++++ b/drivers/pci/msi.c
+@@ -211,7 +211,7 @@ u32 __pci_msix_desc_mask_irq(struct msi_
+ return 0;
+
+ mask_bits &= ~PCI_MSIX_ENTRY_CTRL_MASKBIT;
+- if (flag)
++ if (flag & PCI_MSIX_ENTRY_CTRL_MASKBIT)
+ mask_bits |= PCI_MSIX_ENTRY_CTRL_MASKBIT;
+ writel(mask_bits, pci_msix_desc_addr(desc) + PCI_MSIX_ENTRY_VECTOR_CTRL);
+
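Review bot: After this change `flag` in __pci_msix_desc_mask_irq() is no longer treated as a boolean but as a Vector Control word, and nothing in the code says so. A caller passing a non-zero value with bit 0 clear now leaves the vector unmasked. That is the intended fix for the resume path, but it is a silent contract change for any other caller, and those are outside this hunk. I would add a comment above the test such as `/* flag is a saved Vector Control value; only the Mask bit (bit 0) is honoured */`.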
diff --git a/patches.suse/PCI-PTM-Remove-spurious-d-from-granularity-message.patch b/patches.suse/PCI-PTM-Remove-spurious-d-from-granularity-message.patch
new file mode 100644
index 0000000000..c2acae0f9f
--- /dev/null
+++ b/patches.suse/PCI-PTM-Remove-spurious-d-from-granularity-message.patch
@@ -0,0 +1,41 @@
+From 127a7709495db52a41012deaebbb7afc231dad91 Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Wed, 6 Nov 2019 15:30:48 -0600
+Subject: [PATCH] PCI/PTM: Remove spurious "d" from granularity message
+Git-commit: 127a7709495db52a41012deaebbb7afc231dad91
+Patch-mainline: v5.5-rc1
+References: bsc#1051510
+
+The granularity message has an extra "d":
+
+ pci 0000:02:00.0: PTM enabled, 4dns granularity
+
+Remove the "d" so the message is simply "PTM enabled, 4ns granularity".
+
+Fixes: 8b2ec318eece ("PCI: Add PTM clock granularity information")
+Link: https://lore.kernel.org/r/20191106222420.10216-2-helgaas@kernel.org
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Andrew Murray <andrew.murray@arm.com>
+Cc: Jonathan Yong <jonathan.yong@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/pci/pcie/ptm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/pcie/ptm.c b/drivers/pci/pcie/ptm.c
+index 98cfa30f3fae..9361f3aa26ab 100644
+--- a/drivers/pci/pcie/ptm.c
++++ b/drivers/pci/pcie/ptm.c
+@@ -21,7 +21,7 @@ static void pci_ptm_info(struct pci_dev *dev)
+ snprintf(clock_desc, sizeof(clock_desc), ">254ns");
+ break;
+ default:
+- snprintf(clock_desc, sizeof(clock_desc), "%udns",
++ snprintf(clock_desc, sizeof(clock_desc), "%uns",
+ dev->ptm_granularity);
+ break;
+ }
+--
+2.16.4
+
diff --git a/patches.suse/PCI-dwc-Fix-find_next_bit-usage.patch b/patches.suse/PCI-dwc-Fix-find_next_bit-usage.patch
new file mode 100644
index 0000000000..9dd2a760e1
--- /dev/null
+++ b/patches.suse/PCI-dwc-Fix-find_next_bit-usage.patch
@@ -0,0 +1,56 @@
+From 1137e61dcb99f7f8b54e77ed83f68b5b485a3e34 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel <niklas.cassel@linaro.org>
+Date: Wed, 4 Sep 2019 18:03:38 +0200
+Subject: [PATCH] PCI: dwc: Fix find_next_bit() usage
+Git-commit: 1137e61dcb99f7f8b54e77ed83f68b5b485a3e34
+Patch-mainline: v5.5-rc1
+References: bsc#1051510
+
+find_next_bit() takes a parameter of size long, and performs arithmetic
+that assumes that the argument is of size long.
+
+Therefore we cannot pass a u32, since this will cause find_next_bit()
+to read outside the stack buffer and will produce the following print:
+Bug: KASAN: stack-out-of-bounds in find_next_bit+0x38/0xb0
+
+Fixes: 1b497e6493c4 ("PCI: dwc: Fix uninitialized variable in dw_handle_msi_irq()")
+Tested-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Niklas Cassel <niklas.cassel@linaro.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Andrew Murray <andrew.murray@arm.com>
+Acked-by: Gustavo Pimentel <gustavo.pimentel@synopsys.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/pci/dwc/pcie-designware-host.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/dwc/pcie-designware-host.c
++++ b/drivers/pci/dwc/pcie-designware-host.c
+@@ -56,20 +56,21 @@ static struct irq_chip dw_msi_irq_chip =
+ /* MSI int handler */
+ irqreturn_t dw_handle_msi_irq(struct pcie_port *pp)
+ {
+- u32 val;
++ unsigned long val;
++ u32 status;
+ int i, pos, irq;
+ irqreturn_t ret = IRQ_NONE;
+
+ for (i = 0; i < MAX_MSI_CTRLS; i++) {
+ dw_pcie_rd_own_conf(pp, PCIE_MSI_INTR0_STATUS + i * 12, 4,
+- &val);
+- if (!val)
++ &status);
++ if (!status)
+ continue;
+
+ ret = IRQ_HANDLED;
++ val = status;
+ pos = 0;
+- while ((pos = find_next_bit((unsigned long *) &val, 32,
+- pos)) != 32) {
++ while ((pos = find_next_bit(&val, 32, pos)) != 32) {
+ irq = irq_find_mapping(pp->irq_domain, i * 32 + pos);
+ dw_pcie_wr_own_conf(pp, PCIE_MSI_INTR0_STATUS + i * 12,
+ 4, 1 << pos);
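Review bot: The context line `4, 1 << pos);` still shifts a signed `int` constant, and `pos` can reach 31 because the loop scans all 32 status bits. Left-shifting 1 into the sign bit is undefined behaviour in ISO C, so `1U << pos` or `BIT(pos)` would make the write-to-clear value well defined while this code is being touched. This is separate from the stack out-of-bounds read that the description cites from KASAN, which the new `unsigned long val` copy addresses. The body of dw_handle_msi_irq() continues past the end of the hunk.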
diff --git a/patches.suse/PCI-rcar-Fix-missing-MACCTLR-register-setting-in-ini.patch b/patches.suse/PCI-rcar-Fix-missing-MACCTLR-register-setting-in-ini.patch
new file mode 100644
index 0000000000..8d5e61bc18
--- /dev/null
+++ b/patches.suse/PCI-rcar-Fix-missing-MACCTLR-register-setting-in-ini.patch
@@ -0,0 +1,67 @@
+From 7c7e53e1c93df14690bd12c1f84730fef927a6f1 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Tue, 5 Nov 2019 19:51:29 +0900
+Subject: [PATCH] PCI: rcar: Fix missing MACCTLR register setting in initialization sequence
+Git-commit: 7c7e53e1c93df14690bd12c1f84730fef927a6f1
+Patch-mainline: v5.5-rc1
+References: bsc#1051510
+
+[ backport note: dropped rcar_pcie_resume_noirq() hunk as it doesn't exist
+ in SLE15 code -- tiwai ]
+
+The R-Car Gen2/3 manual - available at:
+
+https://www.renesas.com/eu/en/products/microcontrollers-microprocessors/rz/rzg/rzg1m.html#documents
+
+"RZ/G Series User's Manual: Hardware" section
+
+strictly enforces the MACCTLR inizialization value - 39.3.1 - "Initial
+Setting of PCI Express":
+
+"Be sure to write the initial value (= H'80FF 0000) to MACCTLR before
+enabling PCIETCTLR.CFINIT".
+
+To avoid unexpected behavior and to match the SW initialization sequence
+guidelines, this patch programs the MACCTLR with the correct value.
+
+Note that the MACCTLR.SPCHG bit in the MACCTLR register description
+reports that "Only writing 1 is valid and writing 0 is invalid" but this
+"invalid" has to be interpreted as a write-ignore aka "ignored", not
+"prohibited".
+
+Reported-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Fixes: c25da4778803 ("PCI: rcar: Add Renesas R-Car PCIe driver")
+Fixes: be20bbcb0a8c ("PCI: rcar: Add the initialization of PCIe link in resume_noirq()")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: <stable@vger.kernel.org> # v5.2+
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/pci/host/pcie-rcar.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/pci/host/pcie-rcar.c
++++ b/drivers/pci/host/pcie-rcar.c
+@@ -89,8 +89,11 @@
+ #define LINK_SPEED_2_5GTS (1 << 16)
+ #define LINK_SPEED_5_0GTS (2 << 16)
+ #define MACCTLR 0x011058
++#define MACCTLR_NFTS_MASK GENMASK(23, 16) /* The name is from SH7786 */
+ #define SPEED_CHANGE (1 << 24)
+ #define SCRAMBLE_DISABLE (1 << 27)
++#define LTSMDIS BIT(31)
++#define MACCTLR_INIT_VAL (LTSMDIS | MACCTLR_NFTS_MASK)
+ #define MACS2R 0x011078
+ #define MACCGSPSETR 0x011084
+ #define SPCNGRSN (1 << 31)
+@@ -590,6 +593,8 @@ static int rcar_pcie_hw_init(struct rcar
+ if (IS_ENABLED(CONFIG_PCI_MSI))
+ rcar_pci_write_reg(pcie, 0x801f0000, PCIEMSITXR);
+
++ rcar_pci_write_reg(pcie, MACCTLR_INIT_VAL, MACCTLR);
++
+ /* Finish initialization - establish a PCI Express link */
+ rcar_pci_write_reg(pcie, CFINIT, PCIETCTLR);
+
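Review bot: The new `rcar_pci_write_reg(pcie, MACCTLR_INIT_VAL, MACCTLR);` in rcar_pcie_hw_init() has an ordering requirement that is stated only in the commit log, where the quoted manual text says MACCTLR must be written before PCIETCTLR.CFINIT is enabled. I would record that in the code so a later reshuffle of the init sequence does not move the write, e.g. `/* MACCTLR must hold its initial value (0x80ff0000) before CFINIT is set */`. As a smaller style point, the added defines use `BIT(31)` and `GENMASK(23, 16)` while the neighbouring ones in the same block are written as `(1 << 24)` and `(1 << 31)`. rcar_pcie_hw_init() starts and ends outside the hunk.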
diff --git a/patches.suse/USB-iowarrior-fix-use-after-free-on-disconnect.patch b/patches.suse/USB-iowarrior-fix-use-after-free-on-disconnect.patch
index 76f55d6332..9464a3f9d8 100644
--- a/patches.suse/USB-iowarrior-fix-use-after-free-on-disconnect.patch
+++ b/patches.suse/USB-iowarrior-fix-use-after-free-on-disconnect.patch
@@ -4,7 +4,7 @@ Date: Wed, 9 Oct 2019 12:48:41 +0200
Subject: [PATCH] USB: iowarrior: fix use-after-free on disconnect
Git-commit: edc4746f253d907d048de680a621e121517f484b
Patch-mainline: v5.4-rc3
-References: bsc#1051510
+References: CVE-2019-19528 bsc#1158407 bsc#1051510
A recent fix addressing a deadlock on disconnect introduced a new bug
by moving the present flag out of the critical section protected by the
diff --git a/patches.suse/USB-misc-appledisplay-fix-backlight-update_status-re.patch b/patches.suse/USB-misc-appledisplay-fix-backlight-update_status-re.patch
new file mode 100644
index 0000000000..58ede69428
--- /dev/null
+++ b/patches.suse/USB-misc-appledisplay-fix-backlight-update_status-re.patch
@@ -0,0 +1,50 @@
+From 090158555ff8d194a98616034100b16697dd80d0 Mon Sep 17 00:00:00 2001
+From: Mattias Jacobsson <2pi@mok.nu>
+Date: Tue, 16 Oct 2018 14:20:08 +0200
+Subject: [PATCH] USB: misc: appledisplay: fix backlight update_status return code
+Git-commit: 090158555ff8d194a98616034100b16697dd80d0
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+Upon success the update_status handler returns a positive number
+corresponding to the number of bytes transferred by usb_control_msg.
+However the return code of the update_status handler should indicate if
+an error occurred(negative) or how many bytes of the user's input to sysfs
+that was consumed. Return code zero indicates all bytes were consumed.
+
+The bug can for example result in the update_status handler being called
+twice, the second time with only the "unconsumed" part of the user's input
+to sysfs. Effectively setting an incorrect brightness.
+
+Change the update_status handler to return zero for all successful
+transactions and forward usb_control_msg's error code upon failure.
+
+Signed-off-by: Mattias Jacobsson <2pi@mok.nu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/misc/appledisplay.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
+index d746c26a8055..bd539f3058bc 100644
+--- a/drivers/usb/misc/appledisplay.c
++++ b/drivers/usb/misc/appledisplay.c
+@@ -146,8 +146,11 @@ static int appledisplay_bl_update_status(struct backlight_device *bd)
+ pdata->msgdata, 2,
+ ACD_USB_TIMEOUT);
+ mutex_unlock(&pdata->sysfslock);
+-
+- return retval;
++
++ if (retval < 0)
++ return retval;
++ else
++ return 0;
+ }
+
+ static int appledisplay_bl_get_brightness(struct backlight_device *bd)
+--
+2.16.4
+
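Review bot: Every non-negative result from usb_control_msg() is now mapped to success in appledisplay_bl_update_status(). A transfer shorter than the 2 bytes requested (see the context line `pdata->msgdata, 2,`) would therefore be reported as a completed brightness update. If a short control transfer is possible for this device, the return could distinguish it, e.g. `return retval < 0 ? retval : (retval == 2 ? 0 : -EIO);`. The `else` after `return retval;` is also redundant in kernel style. The start of the function is outside the hunk.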
diff --git a/patches.suse/can-mcba_usb-fix-use-after-free-on-disconnect.patch b/patches.suse/can-mcba_usb-fix-use-after-free-on-disconnect.patch
index 00f3e5c513..ac45c7edf3 100644
--- a/patches.suse/can-mcba_usb-fix-use-after-free-on-disconnect.patch
+++ b/patches.suse/can-mcba_usb-fix-use-after-free-on-disconnect.patch
@@ -7,7 +7,7 @@ Content-type: text/plain; charset=UTF-8
Content-transfer-encoding: 8bit
Git-commit: 4d6636498c41891d0482a914dd570343a838ad79
Patch-mainline: v5.4-rc7
-References: git-fixes
+References: CVE-2019-19529 bsc#1158381
The driver was accessing its driver data after having freed it.
diff --git a/patches.suse/can-peak_usb-fix-slab-info-leak.patch b/patches.suse/can-peak_usb-fix-slab-info-leak.patch
index 45622fef4b..35f04da9a4 100644
--- a/patches.suse/can-peak_usb-fix-slab-info-leak.patch
+++ b/patches.suse/can-peak_usb-fix-slab-info-leak.patch
@@ -4,7 +4,7 @@ Date: Wed, 23 Oct 2019 10:27:05 +0200
Subject: [PATCH] can: peak_usb: fix slab info leak
Git-commit: f7a1337f0d29b98733c8824e165fca3371d7d4fd
Patch-mainline: v5.4-rc7
-References: git-fixes
+References: CVE-2019-19534 bsc#1158398
Fix a small slab info leak due to a failure to clear the command buffer
at allocation.
diff --git a/patches.suse/cifs-move-cifsFileInfo_put-logic-into-a-work-queue.patch b/patches.suse/cifs-move-cifsFileInfo_put-logic-into-a-work-queue.patch
index 32a0751f67..c03a1a5190 100644
--- a/patches.suse/cifs-move-cifsFileInfo_put-logic-into-a-work-queue.patch
+++ b/patches.suse/cifs-move-cifsFileInfo_put-logic-into-a-work-queue.patch
@@ -2,7 +2,8 @@ From: Ronnie Sahlberg <lsahlber@redhat.com>
Date: Sun, 3 Nov 2019 13:06:37 +1000
Subject: [PATCH] cifs: move cifsFileInfo_put logic into a work-queue
References: bsc#1144333 bsc#1154355
-Patch-mainline: Not yet, queued in for-next
+Patch-mainline: v5.5-rc1
+Git-commit: 32546a9586aa4565035bb557e191648e022b29e8
This patch moves the final part of the cifsFileInfo_put() logic where we
need a write lock on lock_sem to be processed in a separate thread that
diff --git a/patches.suse/compat_ioctl-handle-SIOCOUTQNSD.patch b/patches.suse/compat_ioctl-handle-SIOCOUTQNSD.patch
new file mode 100644
index 0000000000..1523b22cf9
--- /dev/null
+++ b/patches.suse/compat_ioctl-handle-SIOCOUTQNSD.patch
@@ -0,0 +1,38 @@
+From 9d7bf41fafa5b5ddd4c13eb39446b0045f0a8167 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 3 Jun 2019 23:06:00 +0200
+Subject: [PATCH] compat_ioctl: handle SIOCOUTQNSD
+Git-commit: 9d7bf41fafa5b5ddd4c13eb39446b0045f0a8167
+Patch-mainline: v5.5-rc1
+References: bsc#1051510
+
+Unlike the normal SIOCOUTQ, SIOCOUTQNSD was never handled in compat
+mode. Add it to the common socket compat handler along with similar
+ones.
+
+Fixes: 2f4e1b397097 ("tcp: ioctl type SIOCOUTQNSD returns amount of data not sent")
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: netdev@vger.kernel.org
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/socket.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/socket.c b/net/socket.c
+index 6a9ab7a8b1d2..a60f48ab2130 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -3452,6 +3452,7 @@ static int compat_sock_ioctl_trans(struct file *file, struct socket *sock,
+ case SIOCSARP:
+ case SIOCGARP:
+ case SIOCDARP:
++ case SIOCOUTQNSD:
+ case SIOCATMARK:
+ return sock_do_ioctl(net, sock, cmd, arg);
+ }
+--
+2.16.4
+
diff --git a/patches.suse/ftrace-introduce-permanent-ftrace_ops-flag.patch b/patches.suse/ftrace-introduce-permanent-ftrace_ops-flag.patch
new file mode 100644
index 0000000000..1e2280ada8
--- /dev/null
+++ b/patches.suse/ftrace-introduce-permanent-ftrace_ops-flag.patch
@@ -0,0 +1,134 @@
+From: Miroslav Benes <mbenes@suse.cz>
+Date: Wed, 16 Oct 2019 13:33:13 +0200
+Subject: ftrace: Introduce PERMANENT ftrace_ops flag
+Git-commit: 7162431dcf72032835d369c8d7b51311df407938
+Patch-mainline: v5.5-rc1
+References: bsc#1120853
+
+Livepatch uses ftrace for redirection to new patched functions. It means
+that if ftrace is disabled, all live patched functions are disabled as
+well. Toggling global 'ftrace_enabled' sysctl thus affect it directly.
+It is not a problem per se, because only administrator can set sysctl
+values, but it still may be surprising.
+
+Introduce PERMANENT ftrace_ops flag to amend this. If the
+FTRACE_OPS_FL_PERMANENT is set on any ftrace ops, the tracing cannot be
+disabled by disabling ftrace_enabled. Equally, a callback with the flag
+set cannot be registered if ftrace_enabled is disabled.
+
+Link: http://lkml.kernel.org/r/20191016113316.13415-2-mbenes@suse.cz
+
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Reviewed-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
+Signed-off-by: Miroslav Benes <mbenes@suse.cz>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+---
+ Documentation/trace/ftrace.txt | 4 +++-
+ include/linux/ftrace.h | 3 +++
+ kernel/livepatch/patch.c | 3 ++-
+ kernel/trace/ftrace.c | 23 +++++++++++++++++++++--
+ 4 files changed, 29 insertions(+), 4 deletions(-)
+
+--- a/Documentation/trace/ftrace.txt
++++ b/Documentation/trace/ftrace.txt
+@@ -2440,7 +2440,9 @@ Note, the proc sysctl ftrace_enable is a
+ function tracer. By default it is enabled (when function tracing is
+ enabled in the kernel). If it is disabled, all function tracing is
+ disabled. This includes not only the function tracers for ftrace, but
+-also for any other uses (perf, kprobes, stack tracing, profiling, etc).
++also for any other uses (perf, kprobes, stack tracing, profiling, etc). It
++cannot be disabled if there is a callback with FTRACE_OPS_FL_PERMANENT set
++registered.
+
+ Please disable this with care.
+
+--- a/include/linux/ftrace.h
++++ b/include/linux/ftrace.h
+@@ -119,6 +119,8 @@ ftrace_func_t ftrace_ops_get_func(struct
+ * for any of the functions that this ops will be registered for, then
+ * this ops will fail to register or set_filter_ip.
+ * PID - Is affected by set_ftrace_pid (allows filtering on those pids)
++ * PERMANENT - Set when the ops is permanent and should not be affected by
++ * ftrace_enabled.
+ */
+ enum {
+ FTRACE_OPS_FL_ENABLED = 1 << 0,
+@@ -137,6 +139,7 @@ enum {
+ FTRACE_OPS_FL_IPMODIFY = 1 << 13,
+ FTRACE_OPS_FL_PID = 1 << 14,
+ FTRACE_OPS_FL_RCU = 1 << 15,
++ FTRACE_OPS_FL_PERMANENT = 1 << 16,
+ };
+
+ #ifdef CONFIG_DYNAMIC_FTRACE
+--- a/kernel/livepatch/patch.c
++++ b/kernel/livepatch/patch.c
+@@ -208,7 +208,8 @@ static int klp_patch_func(struct klp_fun
+ ops->fops.func = klp_ftrace_handler;
+ ops->fops.flags = FTRACE_OPS_FL_SAVE_REGS |
+ FTRACE_OPS_FL_DYNAMIC |
+- FTRACE_OPS_FL_IPMODIFY;
++ FTRACE_OPS_FL_IPMODIFY |
++ FTRACE_OPS_FL_PERMANENT;
+
+ list_add(&ops->node, &klp_ops);
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -407,6 +407,8 @@ static int __register_ftrace_function(st
+ if (ops->flags & FTRACE_OPS_FL_SAVE_REGS_IF_SUPPORTED)
+ ops->flags |= FTRACE_OPS_FL_SAVE_REGS;
+ #endif
++ if (!ftrace_enabled && (ops->flags & FTRACE_OPS_FL_PERMANENT))
++ return -EBUSY;
+
+ if (!core_kernel_data((unsigned long)ops))
+ ops->flags |= FTRACE_OPS_FL_DYNAMIC;
+@@ -6129,6 +6131,18 @@ int unregister_ftrace_function(struct ft
+ }
+ EXPORT_SYMBOL_GPL(unregister_ftrace_function);
+
++static bool is_permanent_ops_registered(void)
++{
++ struct ftrace_ops *op;
++
++ do_for_each_ftrace_op(op, ftrace_ops_list) {
++ if (op->flags & FTRACE_OPS_FL_PERMANENT)
++ return true;
++ } while_for_each_ftrace_op(op);
++
++ return false;
++}
++
+ int
+ ftrace_enable_sysctl(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp,
+@@ -6146,8 +6160,6 @@ ftrace_enable_sysctl(struct ctl_table *t
+ if (ret || !write || (last_ftrace_enabled == !!ftrace_enabled))
+ goto out;
+
+- last_ftrace_enabled = !!ftrace_enabled;
+-
+ if (ftrace_enabled) {
+
+ /* we are starting ftrace again */
+@@ -6157,12 +6169,19 @@ ftrace_enable_sysctl(struct ctl_table *t
+ ftrace_startup_sysctl();
+
+ } else {
++ if (is_permanent_ops_registered()) {
++ ftrace_enabled = true;
++ ret = -EBUSY;
++ goto out;
++ }
++
+ /* stopping ftrace calls (just send to ftrace_stub) */
+ ftrace_trace_function = ftrace_stub;
+
+ ftrace_shutdown_sysctl();
+ }
+
++ last_ftrace_enabled = !!ftrace_enabled;
+ out:
+ mutex_unlock(&ftrace_lock);
+ return ret;
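Review bot: `is_permanent_ops_registered()` walks `ftrace_ops_list` without stating which lock protects the walk. Its only visible caller, `ftrace_enable_sysctl()`, reaches `mutex_unlock(&ftrace_lock)` at `out:`, so it presumably runs with `ftrace_lock` held; a comment such as `/* Caller must hold ftrace_lock */` above the helper would record that. In the same function, `ftrace_enabled = true;` assigns a bool to a variable that is otherwise handled as an integer (`!!ftrace_enabled`), so `ftrace_enabled = 1;` would match the surrounding code. The bodies of `ftrace_enable_sysctl()` and `__register_ftrace_function()` start outside the inner hunks shown.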
diff --git a/patches.suse/ieee802154-atusb-fix-use-after-free-at-disconnect.patch b/patches.suse/ieee802154-atusb-fix-use-after-free-at-disconnect.patch
index 77216c59c5..cecaed7dd0 100644
--- a/patches.suse/ieee802154-atusb-fix-use-after-free-at-disconnect.patch
+++ b/patches.suse/ieee802154-atusb-fix-use-after-free-at-disconnect.patch
@@ -4,7 +4,7 @@ Date: Thu, 19 Sep 2019 14:12:34 +0200
Subject: [PATCH] ieee802154: atusb: fix use-after-free at disconnect
Git-commit: 7fd25e6fc035f4b04b75bca6d7e8daa069603a76
Patch-mainline: v5.4-rc2
-References: bsc#1051510
+References: CVE-2019-19525 bsc#1158417 bsc#1051510
The disconnect callback was accessing the hardware-descriptor private
data after having having freed it.
diff --git a/patches.suse/ipv6-defrag-drop-non-last-frags-smaller-than-min-mtu.patch b/patches.suse/ipv6-defrag-drop-non-last-frags-smaller-than-min-mtu.patch
index 40d79435c0..dda607e597 100644
--- a/patches.suse/ipv6-defrag-drop-non-last-frags-smaller-than-min-mtu.patch
+++ b/patches.suse/ipv6-defrag-drop-non-last-frags-smaller-than-min-mtu.patch
@@ -1,9 +1,8 @@
From: Florian Westphal <fw@strlen.de>
-Date: Fri, 3 Aug 2018 02:22:20 +0200
Subject: ipv6: defrag: drop non-last frags smaller than min mtu
Patch-mainline: v4.19-rc1
Git-commit: 0ed4229b08c13c84a3c301a08defdc9e7f4467e6
-References: CVE-2018-5391 bsc#1103097
+References: CVE-2018-5391 bsc#1103097 bsc#1141054
don't bother with pathological cases, they only waste cycles.
IPv6 requires a minimum MTU of 1280 so we should never see fragments
@@ -18,43 +17,98 @@ Cc: Peter Oskolkov <posk@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
-Acked-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
+SLE12-SP2-LTSS: this commit was eventually reverted in upstream because it
+breaks conformance with some USGv6 tests but only after frag queues were
+reworked to use rbtrees rather than linear lists. As such change would not
+be feasible to backport, let's weaken the sanity checks to allow fragments
+of size 640 (to cover potential implementation trying to use equal sized
+fragments) and short first fragment (to cover potential implementation
+which would send the "remainder" as first fragment rather than last). Also
+introduce net.ipv6.ip6frag_strict_short which (if set to non-zero value)
+disables the length check completely (at the expense of being more
+vulnerable to FragmentSmack type attacks).
---
- net/ipv6/netfilter/nf_conntrack_reasm.c | 4 ++++
- net/ipv6/reassembly.c | 4 ++++
- 2 files changed, 8 insertions(+)
+ include/net/net_namespace.h | 3 +++
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 8 ++++++++
+ net/ipv6/reassembly.c | 18 ++++++++++++++++++
+ 3 files changed, 29 insertions(+)
-diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
-index b263bf3a19f7..3c3fd3f19a95 100644
+--- a/include/net/net_namespace.h
++++ b/include/net/net_namespace.h
+@@ -149,6 +149,9 @@ struct net {
+ #endif
+ struct sock *diag_nlsk;
+ atomic_t fnhe_genid;
++#ifndef __GENKSYMS__
++ int ip6frag_strict_short;
++#endif
+ };
+
+ #include <linux/seq_file_net.h>
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
-@@ -589,6 +589,10 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
+@@ -589,6 +589,14 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
hdr = ipv6_hdr(skb);
fhdr = (struct frag_hdr *)skb_transport_header(skb);
-+ if (skb->len - skb_network_offset(skb) < IPV6_MIN_MTU &&
-+ fhdr->frag_off & htons(IP6_MF))
++ if (skb->len - skb_network_offset(skb) < IPV6_MIN_MTU / 2 &&
++ fhdr->frag_off & htons(IP6_MF) &&
++ fhdr->frag_off & htons(IP6_OFFSET) &&
++ !net->ip6frag_strict_short) {
++ pr_debug("fragment too short\n");
+ return -EINVAL;
++ }
+
skb_orphan(skb);
fq = fq_find(net, fhdr->identification, user, &hdr->saddr, &hdr->daddr,
skb->dev ? skb->dev->ifindex : 0, ip6_frag_ecn(hdr));
-diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
-index 846012eae526..9fe5caa7b032 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
-@@ -558,6 +558,10 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
+@@ -558,6 +558,12 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
return 1;
}
-+ if (skb->len - skb_network_offset(skb) < IPV6_MIN_MTU &&
-+ fhdr->frag_off & htons(IP6_MF))
++ if (skb->len - skb_network_offset(skb) < IPV6_MIN_MTU / 2 &&
++ fhdr->frag_off & htons(IP6_MF) &&
++ fhdr->frag_off & htons(IP6_OFFSET) &&
++ !net->ip6frag_strict_short)
+ goto fail_hdr;
+
fq = fq_find(net, fhdr->identification, &hdr->saddr, &hdr->daddr,
skb->dev ? skb->dev->ifindex : 0, ip6_frag_ecn(hdr));
if (fq) {
---
-2.18.0
-
+@@ -616,6 +622,13 @@ static struct ctl_table ip6_frags_ns_ctl_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_dointvec_jiffies,
+ },
++ {
++ .procname = "ip6frag_strict_short",
++ .data = &init_net.ip6frag_strict_short,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_jiffies,
++ },
+ { }
+ };
+
+@@ -649,6 +662,7 @@ static int __net_init ip6_frags_ns_sysctl_register(struct net *net)
+ table[1].data = &net->ipv6.frags.low_thresh;
+ table[1].extra2 = &net->ipv6.frags.high_thresh;
+ table[2].data = &net->ipv6.frags.timeout;
++ table[3].data = &net->ip6frag_strict_short;
+
+ /* Don't export sysctls to unprivileged users */
+ if (net->user_ns != &init_user_ns)
+@@ -717,6 +731,10 @@ static int __net_init ipv6_frags_init_net(struct net *net)
+ net->ipv6.frags.high_thresh = IPV6_FRAG_HIGH_THRESH;
+ net->ipv6.frags.low_thresh = IPV6_FRAG_LOW_THRESH;
+ net->ipv6.frags.timeout = IPV6_FRAG_TIMEOUT;
++ if (net_eq(net, &init_net))
++ net->ip6frag_strict_short = 0;
++ else
++ net->ip6frag_strict_short = init_net.ip6frag_strict_short;
+
+ inet_frags_init_net(&net->ipv6.frags);
+
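Review bot: The new `ip6frag_strict_short` entry in `ip6_frags_ns_ctl_table` uses `.proc_handler = proc_dointvec_jiffies`, which looks copied from the timeout entry above it. The field is only tested for non-zero in `ipv6_frag_rcv()` and `nf_ct_frag6_gather()`, so a plain integer handler fits: `.proc_handler = proc_dointvec,`. With the jiffies handler a written value is scaled by HZ before it is stored, which is harmless for the truth test but misleading to anyone reading the field directly. The name also reads inverted: a non-zero value skips the short-fragment check, which per the patch description leaves the host more exposed to FragmentSmack-type attacks, so a comment at the table entry such as `/* non-zero disables the short-fragment drop */` would help whoever audits this sysctl.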
diff --git a/patches.suse/media-serial_ir-Fix-use-after-free-in-serial_ir_init.patch b/patches.suse/media-serial_ir-Fix-use-after-free-in-serial_ir_init.patch
index 538bbec145..f338cb80be 100644
--- a/patches.suse/media-serial_ir-Fix-use-after-free-in-serial_ir_init.patch
+++ b/patches.suse/media-serial_ir-Fix-use-after-free-in-serial_ir_init.patch
@@ -4,7 +4,7 @@ Date: Tue, 5 Mar 2019 00:40:26 -0500
Subject: [PATCH] media: serial_ir: Fix use-after-free in serial_ir_init_module
Git-commit: 56cd26b618855c9af48c8301aa6754ced8dd0beb
Patch-mainline: v5.2-rc1
-References: bsc#1051510
+References: CVE-2019-19543 bsc#1158427 bsc#1051510
Syzkaller report this:
diff --git a/patches.suse/mlx5-add-parameter-to-disable-enhanced-IPoIB.patch b/patches.suse/mlx5-add-parameter-to-disable-enhanced-IPoIB.patch
new file mode 100644
index 0000000000..154e8b75da
--- /dev/null
+++ b/patches.suse/mlx5-add-parameter-to-disable-enhanced-IPoIB.patch
@@ -0,0 +1,47 @@
+From e6bc5ebe2450cc5fd71e4cbd859541423f13c9e0 Mon Sep 17 00:00:00 2001
+From: Nicolas Morey-Chaisemartin <nmoreychaisemartin@suse.com>
+Date: Mon, 29 Jul 2019 20:19:55 +0200
+Subject: [PATCH] mlx5: add parameter to disable enhanced IPoIB
+Patch-mainline: Never, better fix based on netlink is being worked on
+References: bsc#1142095
+
+Recent ConnextX-[45] HCA have enhanced IPoIB enabled which prevents the use of the connected mode.
+Although not an issue in a fully compatible setup, it can be an issue in a mixed HW one.
+
+Mellanox OFED uses a ipoib_enhanced flag on the ib_ipoib module to work around the issue.
+This patch adds a similarly name flag to the mlx5_ib module to disable enhanced IPoIB for
+all mlx5 HCA and allow users to pick datagram/connected the usual way.
+
+Signed-off-by: Nicolas Morey-Chaisemartin <nmoreychaisemartin@suse.com>
+---
+ drivers/infiniband/hw/mlx5/main.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index ef8d51ec8a40..4997de10e614 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -68,6 +68,10 @@ MODULE_AUTHOR("Eli Cohen <eli@mellanox.com>");
+ MODULE_DESCRIPTION("Mellanox Connect-IB HCA IB driver");
+ MODULE_LICENSE("Dual BSD/GPL");
+
++static int ipoib_enhanced = 1;
++module_param(ipoib_enhanced, int, 0444);
++MODULE_PARM_DESC(ipoib_enhanced, "Enable IPoIB enhanced for capable devices (default = 1) (0-1)");
++
+ static char mlx5_version[] =
+ DRIVER_NAME ": Mellanox Connect-IB Infiniband driver v"
+ DRIVER_VERSION "\n";
+@@ -4026,7 +4030,8 @@ static void *mlx5_ib_add(struct mlx5_core_dev *mdev)
+ dev->ib_dev.get_port_immutable = mlx5_port_immutable;
+ dev->ib_dev.get_dev_fw_str = get_dev_fw_str;
+ dev->ib_dev.get_vector_affinity = mlx5_ib_get_vector_affinity;
+- if (MLX5_CAP_GEN(mdev, ipoib_enhanced_offloads))
++ if (MLX5_CAP_GEN(mdev, ipoib_enhanced_offloads) &&
++ ipoib_enhanced)
+ dev->ib_dev.alloc_rdma_netdev = mlx5_ib_alloc_rdma_netdev;
+
+ if (mlx5_core_is_pf(mdev)) {
+--
+2.24.0
+
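Review bot: `ipoib_enhanced` is declared `int` and tested only for truth in `mlx5_ib_add()`, so any non-zero value, including a negative one, enables the enhanced path although the parameter description says `(0-1)`. Declaring it as `static bool ipoib_enhanced = true;` with `module_param(ipoib_enhanced, bool, 0444);` would make the accepted values match the description. The body of `mlx5_ib_add()` continues outside the inner hunk.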
diff --git a/patches.suse/sctp-change-sctp_prot-.no_autobind-with-true.patch b/patches.suse/sctp-change-sctp_prot-.no_autobind-with-true.patch
index 2748385a70..6a166a97bb 100644
--- a/patches.suse/sctp-change-sctp_prot-.no_autobind-with-true.patch
+++ b/patches.suse/sctp-change-sctp_prot-.no_autobind-with-true.patch
@@ -1,9 +1,8 @@
From: Xin Long <lucien.xin@gmail.com>
-Date: Tue, 15 Oct 2019 15:24:38 +0800
Subject: sctp: change sctp_prot .no_autobind with true
+Patch-mainline: v5.4-rc4
Git-commit: 63dfb7938b13fa2c2fbcb45f34d065769eb09414
-Patch-mainline: 5.4-rc4
-References: networking-stable-19_10_24
+References: networking-stable-19_10_24 bsc#1158082
syzbot reported a memory leak:
@@ -43,10 +42,28 @@ Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
+
+SLE15: we need to check no_autobind socket flag in inet_dgram_connect() as,
+unlike in mainline, SCTP still uses this function.
+
---
- net/sctp/socket.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
+ net/ipv4/af_inet.c | 3 ++-
+ net/sctp/socket.c | 4 ++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -535,7 +535,8 @@ int inet_dgram_connect(struct socket *sock, struct sockaddr *uaddr,
+ if (uaddr->sa_family == AF_UNSPEC)
+ return sk->sk_prot->disconnect(sk, flags);
+
+- if (!inet_sk(sk)->inet_num && inet_autobind(sk))
++ if (!inet_sk(sk)->inet_num && !sk->sk_prot->no_autobind &&
++ inet_autobind(sk))
+ return -EAGAIN;
+ return sk->sk_prot->connect(sk, uaddr, addr_len);
+ }
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -8240,7 +8240,7 @@ struct proto sctp_prot = {
diff --git a/patches.suse/synclink_gt-fix-compat_ioctl.patch b/patches.suse/synclink_gt-fix-compat_ioctl.patch
new file mode 100644
index 0000000000..9b7e4dd9bd
--- /dev/null
+++ b/patches.suse/synclink_gt-fix-compat_ioctl.patch
@@ -0,0 +1,62 @@
+From 27230e51349fde075598c1b59d15e1ff802f3f6e Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 12 Sep 2018 20:57:18 -0400
+Subject: [PATCH] synclink_gt(): fix compat_ioctl()
+Git-commit: 27230e51349fde075598c1b59d15e1ff802f3f6e
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+compat_ptr() for pointer-taking ones...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/tty/synclink_gt.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c
+index b8287a010336..e8a9047de451 100644
+--- a/drivers/tty/synclink_gt.c
++++ b/drivers/tty/synclink_gt.c
+@@ -1185,14 +1185,13 @@ static long slgt_compat_ioctl(struct tty_struct *tty,
+ unsigned int cmd, unsigned long arg)
+ {
+ struct slgt_info *info = tty->driver_data;
+- int rc = -ENOIOCTLCMD;
++ int rc;
+
+ if (sanity_check(info, tty->name, "compat_ioctl"))
+ return -ENODEV;
+ DBGINFO(("%s compat_ioctl() cmd=%08X\n", info->device_name, cmd));
+
+ switch (cmd) {
+-
+ case MGSL_IOCSPARAMS32:
+ rc = set_params32(info, compat_ptr(arg));
+ break;
+@@ -1212,18 +1211,11 @@ static long slgt_compat_ioctl(struct tty_struct *tty,
+ case MGSL_IOCWAITGPIO:
+ case MGSL_IOCGXSYNC:
+ case MGSL_IOCGXCTRL:
+- case MGSL_IOCSTXIDLE:
+- case MGSL_IOCTXENABLE:
+- case MGSL_IOCRXENABLE:
+- case MGSL_IOCTXABORT:
+- case TIOCMIWAIT:
+- case MGSL_IOCSIF:
+- case MGSL_IOCSXSYNC:
+- case MGSL_IOCSXCTRL:
+- rc = ioctl(tty, cmd, arg);
++ rc = ioctl(tty, cmd, (unsigned long)compat_ptr(arg));
+ break;
++ default:
++ rc = ioctl(tty, cmd, arg);
+ }
+-
+ DBGINFO(("%s compat_ioctl() cmd=%08X rc=%d\n", info->device_name, cmd, rc));
+ return rc;
+ }
+--
+2.16.4
+
diff --git a/patches.suse/tcp_nv-fix-potential-integer-overflow-in-tcpnv_acked.patch b/patches.suse/tcp_nv-fix-potential-integer-overflow-in-tcpnv_acked.patch
new file mode 100644
index 0000000000..13cfe5cc52
--- /dev/null
+++ b/patches.suse/tcp_nv-fix-potential-integer-overflow-in-tcpnv_acked.patch
@@ -0,0 +1,46 @@
+From e4823fbd229bfbba368b40cdadb8f4eeb20604cc Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 30 Jan 2018 22:21:48 -0600
+Subject: [PATCH] tcp_nv: fix potential integer overflow in tcpnv_acked
+Git-commit: e4823fbd229bfbba368b40cdadb8f4eeb20604cc
+Patch-mainline: v4.16-rc1
+References: bsc#1051510
+
+Add suffix ULL to constant 80000 in order to avoid a potential integer
+overflow and give the compiler complete information about the proper
+arithmetic to use. Notice that this constant is used in a context that
+expects an expression of type u64.
+
+The current cast to u64 effectively applies to the whole expression
+as an argument of type u64 to be passed to div64_u64, but it does
+not prevent it from being evaluated using 32-bit arithmetic instead
+of 64-bit arithmetic.
+
+Also, once the expression is properly evaluated using 64-bit arithmentic,
+there is no need for the parentheses and the external cast to u64.
+
+Addresses-coverity-id: 1357588 ("Unintentional integer overflow")
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/ipv4/tcp_nv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_nv.c b/net/ipv4/tcp_nv.c
+index ddbce73edae8..764298e52577 100644
+--- a/net/ipv4/tcp_nv.c
++++ b/net/ipv4/tcp_nv.c
+@@ -364,7 +364,7 @@ static void tcpnv_acked(struct sock *sk, const struct ack_sample *sample)
+ */
+ cwnd_by_slope = (u32)
+ div64_u64(((u64)ca->nv_rtt_max_rate) * ca->nv_min_rtt,
+- (u64)(80000 * tp->mss_cache));
++ 80000ULL * tp->mss_cache);
+ max_win = cwnd_by_slope + nv_pad;
+
+ /* If cwnd > max_win, decrease cwnd
+--
+2.16.4
+
diff --git a/patches.suse/tipc-Avoid-copying-bytes-beyond-the-supplied-data.patch b/patches.suse/tipc-Avoid-copying-bytes-beyond-the-supplied-data.patch
new file mode 100644
index 0000000000..2310c53415
--- /dev/null
+++ b/patches.suse/tipc-Avoid-copying-bytes-beyond-the-supplied-data.patch
@@ -0,0 +1,74 @@
+From 9bbcdb07a53549ed072f03a88a5012e939a64c01 Mon Sep 17 00:00:00 2001
+From: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Date: Mon, 20 May 2019 15:45:36 +1200
+Subject: [PATCH] tipc: Avoid copying bytes beyond the supplied data
+Git-commit: 9bbcdb07a53549ed072f03a88a5012e939a64c01
+Patch-mainline: v5.2-rc2
+References: bsc#1051510
+
+TLV_SET is called with a data pointer and a len parameter that tells us
+how many bytes are pointed to by data. When invoking memcpy() we need
+to careful to only copy len bytes.
+
+Previously we would copy TLV_LENGTH(len) bytes which would copy an extra
+4 bytes past the end of the data pointer which newer GCC versions
+complain about.
+
+ In file included from test.c:17:
+ In function 'TLV_SET',
+ inlined from 'test' at test.c:186:5:
+ /usr/include/linux/tipc_config.h:317:3:
+ warning: 'memcpy' forming offset [33, 36] is out of the bounds [0, 32]
+ of object 'bearer_name' with type 'char[32]' [-Warray-bounds]
+ memcpy(TLV_DATA(tlv_ptr), data, tlv_len);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ test.c: In function 'test':
+ test.c::161:10: note:
+ 'bearer_name' declared here
+ char bearer_name[TIPC_MAX_BEARER_NAME];
+ ^~~~~~~~~~~
+
+We still want to ensure any padding bytes at the end are initialised, do
+this with a explicit memset() rather than copy bytes past the end of
+data. Apply the same logic to TCM_SET.
+
+Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ include/uapi/linux/tipc_config.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/include/uapi/linux/tipc_config.h b/include/uapi/linux/tipc_config.h
+index 4b2c93b1934c..4955e1a9f1bc 100644
+--- a/include/uapi/linux/tipc_config.h
++++ b/include/uapi/linux/tipc_config.h
+@@ -307,8 +307,10 @@ static inline int TLV_SET(void *tlv, __u16 type, void *data, __u16 len)
+ tlv_ptr = (struct tlv_desc *)tlv;
+ tlv_ptr->tlv_type = htons(type);
+ tlv_ptr->tlv_len = htons(tlv_len);
+- if (len && data)
+- memcpy(TLV_DATA(tlv_ptr), data, tlv_len);
++ if (len && data) {
++ memcpy(TLV_DATA(tlv_ptr), data, len);
++ memset(TLV_DATA(tlv_ptr) + len, 0, TLV_SPACE(len) - tlv_len);
++ }
+ return TLV_SPACE(len);
+ }
+
+@@ -405,8 +407,10 @@ static inline int TCM_SET(void *msg, __u16 cmd, __u16 flags,
+ tcm_hdr->tcm_len = htonl(msg_len);
+ tcm_hdr->tcm_type = htons(cmd);
+ tcm_hdr->tcm_flags = htons(flags);
+- if (data_len && data)
++ if (data_len && data) {
+ memcpy(TCM_DATA(msg), data, data_len);
++ memset(TCM_DATA(msg) + data_len, 0, TCM_SPACE(data_len) - msg_len);
++ }
+ return TCM_SPACE(data_len);
+ }
+
+--
+2.16.4
+
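Review bot: The padding is cleared only inside `if (len && data)` in `TLV_SET()`, and likewise inside `if (data_len && data)` in `TCM_SET()`. A caller that passes `data == NULL` with a non-zero length therefore still gets a header announcing the full length, followed by payload and padding bytes that were never written. If such a buffer were later sent as-is, those bytes would carry whatever the buffer held before; whether any caller does this is not visible here. A comment on both helpers would make the contract explicit, e.g. `/* data == NULL: payload and padding are left untouched; caller must fill or zero them */`. Both function bodies start outside the inner hunks.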
diff --git a/patches.suse/tipc-check-bearer-name-with-right-length-in-tipc_nl_.patch b/patches.suse/tipc-check-bearer-name-with-right-length-in-tipc_nl_.patch
new file mode 100644
index 0000000000..858fadf338
--- /dev/null
+++ b/patches.suse/tipc-check-bearer-name-with-right-length-in-tipc_nl_.patch
@@ -0,0 +1,57 @@
+From 6f07e5f06c8712acc423485f657799fc8e11e56c Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 31 Mar 2019 22:50:08 +0800
+Subject: [PATCH] tipc: check bearer name with right length in tipc_nl_compat_bearer_enable
+Git-commit: 6f07e5f06c8712acc423485f657799fc8e11e56c
+Patch-mainline: v5.1-rc4
+References: bsc#1051510
+
+Syzbot reported the following crash:
+
+Bug: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:961 memchr+0xce/0x110 lib/string.c:961 string_is_valid net/tipc/netlink_compat.c:176 [inline] tipc_nl_compat_bearer_enable+0x2c4/0x910 net/tipc/netlink_compat.c:401 __tipc_nl_compat_doit net/tipc/netlink_compat.c:321 [inline] tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:354 tipc_nl_compat_handle net/tipc/netlink_compat.c:1162 [inline] tipc_nl_compat_recv+0x1ae7/0x2750 net/tipc/netlink_compat.c:1265 genl_family_rcv_msg net/netlink/genetlink.c:601 [inline] genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626 netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477 genl_rcv+0x63/0x80 net/netlink/genetlink.c:637 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336 netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg net/socket.c:632 [inline]
+
+Uninit was created at:
+ __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
+ alloc_skb include/linux/skbuff.h:1012 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
+ netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
+ sock_sendmsg_nosec net/socket.c:622 [inline]
+ sock_sendmsg net/socket.c:632 [inline]
+
+It was triggered when the bearer name size < TIPC_MAX_BEARER_NAME,
+it would check with a wrong len/TLV_GET_DATA_LEN(msg->req), which
+also includes priority and disc_domain length.
+
+This patch is to fix it by checking it with a right length:
+'TLV_GET_DATA_LEN(msg->req) - offsetof(struct tipc_bearer_config, name)'.
+
+Reported-by: syzbot+8b707430713eb46e1e45@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/tipc/netlink_compat.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
+index 4ad3586da8f0..5f8e53cca222 100644
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -397,7 +397,12 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd,
+ if (!bearer)
+ return -EMSGSIZE;
+
+- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
++ len = TLV_GET_DATA_LEN(msg->req);
++ len -= offsetof(struct tipc_bearer_config, name);
++ if (len <= 0)
++ return -EINVAL;
++
++ len = min_t(int, len, TIPC_MAX_BEARER_NAME);
+ if (!string_is_valid(b->name, len))
+ return -EINVAL;
+
+--
+2.16.4
+
diff --git a/patches.suse/tipc-check-link-name-with-right-length-in-tipc_nl_co.patch b/patches.suse/tipc-check-link-name-with-right-length-in-tipc_nl_co.patch
new file mode 100644
index 0000000000..2de6a95bfc
--- /dev/null
+++ b/patches.suse/tipc-check-link-name-with-right-length-in-tipc_nl_co.patch
@@ -0,0 +1,45 @@
+From 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 31 Mar 2019 22:50:09 +0800
+Subject: [PATCH] tipc: check link name with right length in tipc_nl_compat_link_set
+Git-commit: 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a
+Patch-mainline: v5.1-rc4
+References: bsc#1051510
+
+A similar issue as fixed by Patch "tipc: check bearer name with right
+length in tipc_nl_compat_bearer_enable" was also found by syzbot in
+tipc_nl_compat_link_set().
+
+The length to check with should be 'TLV_GET_DATA_LEN(msg->req) -
+offsetof(struct tipc_link_config, name)'.
+
+Reported-by: syzbot+de00a87b8644a582ae79@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/tipc/netlink_compat.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
+index 5f8e53cca222..0bfd03d67fdd 100644
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -771,7 +771,12 @@ static int tipc_nl_compat_link_set(struct tipc_nl_compat_cmd_doit *cmd,
+
+ lc = (struct tipc_link_config *)TLV_DATA(msg->req);
+
+- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
++ len = TLV_GET_DATA_LEN(msg->req);
++ len -= offsetof(struct tipc_link_config, name);
++ if (len <= 0)
++ return -EINVAL;
++
++ len = min_t(int, len, TIPC_MAX_LINK_NAME);
+ if (!string_is_valid(lc->name, len))
+ return -EINVAL;
+
+--
+2.16.4
+
diff --git a/patches.suse/tipc-check-msg-req-data-len-in-tipc_nl_compat_bearer.patch b/patches.suse/tipc-check-msg-req-data-len-in-tipc_nl_compat_bearer.patch
new file mode 100644
index 0000000000..e5cf26fbec
--- /dev/null
+++ b/patches.suse/tipc-check-msg-req-data-len-in-tipc_nl_compat_bearer.patch
@@ -0,0 +1,92 @@
+From 4f07b80c973348a99b5d2a32476a2e7877e94a05 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 25 Jun 2019 00:28:19 +0800
+Subject: [PATCH] tipc: check msg->req data len in tipc_nl_compat_bearer_disable
+Git-commit: 4f07b80c973348a99b5d2a32476a2e7877e94a05
+Patch-mainline: v5.2-rc7
+References: bsc#1051510
+
+This patch is to fix an uninit-value issue, reported by syzbot:
+
+ BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:981
+ Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x191/0x1f0 lib/dump_stack.c:113
+ kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
+ __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
+ memchr+0xce/0x110 lib/string.c:981
+ string_is_valid net/tipc/netlink_compat.c:176 [inline]
+ tipc_nl_compat_bearer_disable+0x2a1/0x480 net/tipc/netlink_compat.c:449
+ __tipc_nl_compat_doit net/tipc/netlink_compat.c:327 [inline]
+ tipc_nl_compat_doit+0x3ac/0xb00 net/tipc/netlink_compat.c:360
+ tipc_nl_compat_handle net/tipc/netlink_compat.c:1178 [inline]
+ tipc_nl_compat_recv+0x1b1b/0x27b0 net/tipc/netlink_compat.c:1281
+
+TLV_GET_DATA_LEN() may return a negtive int value, which will be
+used as size_t (becoming a big unsigned long) passed into memchr,
+cause this issue.
+
+Similar to what it does in tipc_nl_compat_bearer_enable(), this
+fix is to return -EINVAL when TLV_GET_DATA_LEN() is negtive in
+tipc_nl_compat_bearer_disable(), as well as in
+tipc_nl_compat_link_stat_dump() and tipc_nl_compat_link_reset_stats().
+
+V1->v2: - add the missing Fixes tags per Eric's request.
+
+Fixes: 0762216c0ad2 ("tipc: fix uninit-value in tipc_nl_compat_bearer_enable")
+Fixes: 8b66fee7f8ee ("tipc: fix uninit-value in tipc_nl_compat_link_reset_stats")
+Reported-by: syzbot+30eaa8bf392f7fafffaf@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/tipc/netlink_compat.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
+index c6a04c09d075..cf155061c472 100644
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -445,7 +445,11 @@ static int tipc_nl_compat_bearer_disable(struct tipc_nl_compat_cmd_doit *cmd,
+ if (!bearer)
+ return -EMSGSIZE;
+
+- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
++ len = TLV_GET_DATA_LEN(msg->req);
++ if (len <= 0)
++ return -EINVAL;
++
++ len = min_t(int, len, TIPC_MAX_BEARER_NAME);
+ if (!string_is_valid(name, len))
+ return -EINVAL;
+
+@@ -539,7 +543,11 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg,
+
+ name = (char *)TLV_DATA(msg->req);
+
+- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
++ len = TLV_GET_DATA_LEN(msg->req);
++ if (len <= 0)
++ return -EINVAL;
++
++ len = min_t(int, len, TIPC_MAX_BEARER_NAME);
+ if (!string_is_valid(name, len))
+ return -EINVAL;
+
+@@ -817,7 +825,11 @@ static int tipc_nl_compat_link_reset_stats(struct tipc_nl_compat_cmd_doit *cmd,
+ if (!link)
+ return -EMSGSIZE;
+
+- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
++ len = TLV_GET_DATA_LEN(msg->req);
++ if (len <= 0)
++ return -EINVAL;
++
++ len = min_t(int, len, TIPC_MAX_BEARER_NAME);
+ if (!string_is_valid(name, len))
+ return -EINVAL;
+
+--
+2.16.4
+
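Review bot: The hunks for tipc_nl_compat_link_stat_dump() and tipc_nl_compat_link_reset_stats() clamp a link name with `TIPC_MAX_BEARER_NAME`, while the lines they replace used `TIPC_MAX_LINK_NAME`. If the bearer limit is the smaller of the two, as the uapi header is understood to define them, a valid link name longer than that limit has no terminator inside the checked window. string_is_valid(), which the quoted trace shows calling memchr(), would then presumably reject it with -EINVAL. Both clamps should stay `len = min_t(int, len, TIPC_MAX_LINK_NAME);`, since only tipc_nl_compat_bearer_disable() handles a bearer name. All three function bodies start and end outside their hunks.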
diff --git a/patches.suse/tipc-compat-allow-tipc-commands-without-arguments.patch b/patches.suse/tipc-compat-allow-tipc-commands-without-arguments.patch
new file mode 100644
index 0000000000..fe21f0aaa7
--- /dev/null
+++ b/patches.suse/tipc-compat-allow-tipc-commands-without-arguments.patch
@@ -0,0 +1,90 @@
+From 4da5f0018eef4c0de31675b670c80e82e13e99d1 Mon Sep 17 00:00:00 2001
+From: Taras Kondratiuk <takondra@cisco.com>
+Date: Mon, 29 Jul 2019 22:15:07 +0000
+Subject: [PATCH] tipc: compat: allow tipc commands without arguments
+Git-commit: 4da5f0018eef4c0de31675b670c80e82e13e99d1
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+Commit 2753ca5d9009 ("tipc: fix uninit-value in tipc_nl_compat_doit")
+broke older tipc tools that use compat interface (e.g. tipc-config from
+tipcutils package):
+
+% tipc-config -p
+operation not supported
+
+The commit started to reject TIPC netlink compat messages that do not
+have attributes. It is too restrictive because some of such messages are
+valid (they don't need any arguments):
+
+% grep 'tx none' include/uapi/linux/tipc_config.h
+#define TIPC_CMD_NOOP 0x0000 /* tx none, rx none */
+#define TIPC_CMD_GET_MEDIA_NAMES 0x0002 /* tx none, rx media_name(s) */
+#define TIPC_CMD_GET_BEARER_NAMES 0x0003 /* tx none, rx bearer_name(s) */
+#define TIPC_CMD_SHOW_PORTS 0x0006 /* tx none, rx ultra_string */
+#define TIPC_CMD_GET_REMOTE_MNG 0x4003 /* tx none, rx unsigned */
+#define TIPC_CMD_GET_MAX_PORTS 0x4004 /* tx none, rx unsigned */
+#define TIPC_CMD_GET_NETID 0x400B /* tx none, rx unsigned */
+#define TIPC_CMD_NOT_NET_ADMIN 0xC001 /* tx none, rx none */
+
+This patch relaxes the original fix and rejects messages without
+arguments only if such arguments are expected by a command (reg_type is
+non zero).
+
+Fixes: 2753ca5d9009 ("tipc: fix uninit-value in tipc_nl_compat_doit")
+Cc: stable@vger.kernel.org
+Signed-off-by: Taras Kondratiuk <takondra@cisco.com>
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/tipc/netlink_compat.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
+index d86030ef1232..e135d4e11231 100644
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -55,6 +55,7 @@ struct tipc_nl_compat_msg {
+ int rep_type;
+ int rep_size;
+ int req_type;
++ int req_size;
+ struct net *net;
+ struct sk_buff *rep;
+ struct tlv_desc *req;
+@@ -257,7 +258,8 @@ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
+ int err;
+ struct sk_buff *arg;
+
+- if (msg->req_type && !TLV_CHECK_TYPE(msg->req, msg->req_type))
++ if (msg->req_type && (!msg->req_size ||
++ !TLV_CHECK_TYPE(msg->req, msg->req_type)))
+ return -EINVAL;
+
+ msg->rep = tipc_tlv_alloc(msg->rep_size);
+@@ -354,7 +356,8 @@ static int tipc_nl_compat_doit(struct tipc_nl_compat_cmd_doit *cmd,
+ {
+ int err;
+
+- if (msg->req_type && !TLV_CHECK_TYPE(msg->req, msg->req_type))
++ if (msg->req_type && (!msg->req_size ||
++ !TLV_CHECK_TYPE(msg->req, msg->req_type)))
+ return -EINVAL;
+
+ err = __tipc_nl_compat_doit(cmd, msg);
+@@ -1278,8 +1281,8 @@ static int tipc_nl_compat_recv(struct sk_buff *skb, struct genl_info *info)
+ goto send;
+ }
+
+- len = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN);
+- if (!len || !TLV_OK(msg.req, len)) {
++ msg.req_size = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN);
++ if (msg.req_size && !TLV_OK(msg.req, msg.req_size)) {
+ msg.rep = tipc_get_err_tlv(TIPC_CFG_NOT_SUPPORTED);
+ err = -EOPNOTSUPP;
+ goto send;
+--
+2.16.4
+
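Review bot: `req_size` is added to struct tipc_nl_compat_msg without a comment, and tipc_nl_compat_recv() now skips TLV_OK() when it is zero, so `msg->req` is unvalidated for every command whose `req_type` is 0. The guards added in tipc_nl_compat_dumpit() and tipc_nl_compat_doit() cover only commands that declare a request type. The handlers are outside the hunks, so it should be confirmed that none of them reads `msg->req` when no arguments were sent. I would record the invariant on the field: `int req_size; /* bytes of request TLV data; 0 means msg->req must not be read */`.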
diff --git a/patches.suse/tipc-fix-tipc_mon_delete-oops-in-tipc_enable_bearer-.patch b/patches.suse/tipc-fix-tipc_mon_delete-oops-in-tipc_enable_bearer-.patch
new file mode 100644
index 0000000000..1ed7292a60
--- /dev/null
+++ b/patches.suse/tipc-fix-tipc_mon_delete-oops-in-tipc_enable_bearer-.patch
@@ -0,0 +1,85 @@
+From 642a8439ddd8423b92f2e71960afe21ee1f66bb6 Mon Sep 17 00:00:00 2001
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+Date: Fri, 22 Dec 2017 09:35:17 +0200
+Subject: [PATCH] tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path
+Git-commit: 642a8439ddd8423b92f2e71960afe21ee1f66bb6
+Patch-mainline: v4.15-rc6
+References: bsc#1051510
+
+Calling tipc_mon_delete() before the monitor has been created will oops.
+This can happen in tipc_enable_bearer() error path if tipc_disc_create()
+fails.
+
+[ 48.589074] BUG: unable to handle kernel paging request at 0000000000001008
+[ 48.590266] IP: tipc_mon_delete+0xea/0x270 [tipc]
+[ 48.591223] PGD 1e60c5067 P4D 1e60c5067 PUD 1eb0cf067 PMD 0
+[ 48.592230] Oops: 0000 [#1] SMP KASAN
+[ 48.595610] CPU: 5 PID: 1199 Comm: tipc Tainted: G B 4.15.0-rc4-pc64-dirty #5
+[ 48.597176] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
+[ 48.598489] RIP: 0010:tipc_mon_delete+0xea/0x270 [tipc]
+[ 48.599347] RSP: 0018:ffff8801d827f668 EFLAGS: 00010282
+[ 48.600705] RAX: ffff8801ee813f00 RBX: 0000000000000204 RCX: 0000000000000000
+[ 48.602183] RDX: 1ffffffff1de6a75 RSI: 0000000000000297 RDI: 0000000000000297
+[ 48.604373] RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff1dd1533
+[ 48.605607] R10: ffffffff8eafbb05 R11: fffffbfff1dd1534 R12: 0000000000000050
+[ 48.607082] R13: dead000000000200 R14: ffffffff8e73f310 R15: 0000000000001020
+[ 48.608228] FS: 00007fc686484800(0000) GS:ffff8801f5540000(0000) knlGS:0000000000000000
+[ 48.610189] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 48.611459] CR2: 0000000000001008 CR3: 00000001dda70002 CR4: 00000000003606e0
+[ 48.612759] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 48.613831] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 48.615038] Call Trace:
+[ 48.615635] tipc_enable_bearer+0x415/0x5e0 [tipc]
+[ 48.620623] tipc_nl_bearer_enable+0x1ab/0x200 [tipc]
+[ 48.625118] genl_family_rcv_msg+0x36b/0x570
+[ 48.631233] genl_rcv_msg+0x5a/0xa0
+[ 48.631867] netlink_rcv_skb+0x1cc/0x220
+[ 48.636373] genl_rcv+0x24/0x40
+[ 48.637306] netlink_unicast+0x29c/0x350
+[ 48.639664] netlink_sendmsg+0x439/0x590
+[ 48.642014] SYSC_sendto+0x199/0x250
+[ 48.649912] do_syscall_64+0xfd/0x2c0
+[ 48.650651] entry_SYSCALL64_slow_path+0x25/0x25
+[ 48.651843] RIP: 0033:0x7fc6859848e3
+[ 48.652539] RSP: 002b:00007ffd25dff938 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+[ 48.654003] RAX: ffffffffffffffda RBX: 00007ffd25dff990 RCX: 00007fc6859848e3
+[ 48.655303] RDX: 0000000000000054 RSI: 00007ffd25dff990 RDI: 0000000000000003
+[ 48.656512] RBP: 00007ffd25dff980 R08: 00007fc685c35fc0 R09: 000000000000000c
+[ 48.657697] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000d13010
+[ 48.658840] R13: 00007ffd25e009c0 R14: 0000000000000000 R15: 0000000000000000
+[ 48.662972] RIP: tipc_mon_delete+0xea/0x270 [tipc] RSP: ffff8801d827f668
+[ 48.664073] CR2: 0000000000001008
+[ 48.664576] ---[ end trace e811818d54d5ce88 ]---
+
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/tipc/monitor.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/monitor.c b/net/tipc/monitor.c
+index 8e884ed06d4b..32dc33a94bc7 100644
+--- a/net/tipc/monitor.c
++++ b/net/tipc/monitor.c
+@@ -642,9 +642,13 @@ void tipc_mon_delete(struct net *net, int bearer_id)
+ {
+ struct tipc_net *tn = tipc_net(net);
+ struct tipc_monitor *mon = tipc_monitor(net, bearer_id);
+- struct tipc_peer *self = get_self(net, bearer_id);
++ struct tipc_peer *self;
+ struct tipc_peer *peer, *tmp;
+
++ if (!mon)
++ return;
++
++ self = get_self(net, bearer_id);
+ write_lock_bh(&mon->lock);
+ tn->monitors[bearer_id] = NULL;
+ list_for_each_entry_safe(peer, tmp, &self->list, list) {
+--
+2.16.4
+
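Review bot: The new `if (!mon) return;` guard in tipc_mon_delete() has no comment, so it reads as a generic defensive check rather than the fix for a real error path. A one-line comment would keep it from being dropped in a later cleanup: `/* monitor does not exist yet if tipc_enable_bearer() failed before creating it */`. Separately, `tn->monitors[bearer_id]` is indexed with no range check in the visible lines. Whether every caller guarantees a valid bearer_id cannot be told from this hunk, and the function body continues past it.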
diff --git a/patches.suse/tipc-fix-wrong-timeout-input-for-tipc_wait_for_cond.patch b/patches.suse/tipc-fix-wrong-timeout-input-for-tipc_wait_for_cond.patch
new file mode 100644
index 0000000000..8691a6fe6c
--- /dev/null
+++ b/patches.suse/tipc-fix-wrong-timeout-input-for-tipc_wait_for_cond.patch
@@ -0,0 +1,40 @@
+From 12db3c8083fcab4270866a88191933f2d9f24f89 Mon Sep 17 00:00:00 2001
+From: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Date: Thu, 28 Nov 2019 10:10:07 +0700
+Subject: [PATCH] tipc: fix wrong timeout input for tipc_wait_for_cond()
+Git-commit: 12db3c8083fcab4270866a88191933f2d9f24f89
+Patch-mainline: v5.5-rc1
+References: bsc#1051510
+
+In function __tipc_shutdown(), the timeout value passed to
+tipc_wait_for_cond() is not jiffies.
+
+This commit fixes it by converting that value from milliseconds
+to jiffies.
+
+Fixes: 365ad353c256 ("tipc: reduce risk of user starvation during link congestion")
+Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/tipc/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index fb5595081a05..da5fb84852a6 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -532,7 +532,7 @@ static void __tipc_shutdown(struct socket *sock, int error)
+ struct sock *sk = sock->sk;
+ struct tipc_sock *tsk = tipc_sk(sk);
+ struct net *net = sock_net(sk);
+- long timeout = CONN_TIMEOUT_DEFAULT;
++ long timeout = msecs_to_jiffies(CONN_TIMEOUT_DEFAULT);
+ u32 dnode = tsk_peer_node(tsk);
+ struct sk_buff *skb;
+
+--
+2.16.4
+
diff --git a/patches.suse/tipc-handle-the-err-returned-from-cmd-header-functio.patch b/patches.suse/tipc-handle-the-err-returned-from-cmd-header-functio.patch
new file mode 100644
index 0000000000..fcb9803e15
--- /dev/null
+++ b/patches.suse/tipc-handle-the-err-returned-from-cmd-header-functio.patch
@@ -0,0 +1,81 @@
+From 2ac695d1d602ce00b12170242f58c3d3a8e36d04 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 31 Mar 2019 22:50:10 +0800
+Subject: [PATCH] tipc: handle the err returned from cmd header function
+Git-commit: 2ac695d1d602ce00b12170242f58c3d3a8e36d04
+Patch-mainline: v5.1-rc4
+References: bsc#1051510
+
+Syzbot found a crash:
+
+ BUG: KMSAN: uninit-value in tipc_nl_compat_name_table_dump+0x54f/0xcd0 net/tipc/netlink_compat.c:872
+ Call Trace:
+ tipc_nl_compat_name_table_dump+0x54f/0xcd0 net/tipc/netlink_compat.c:872
+ __tipc_nl_compat_dumpit+0x59e/0xda0 net/tipc/netlink_compat.c:215
+ tipc_nl_compat_dumpit+0x63a/0x820 net/tipc/netlink_compat.c:280
+ tipc_nl_compat_handle net/tipc/netlink_compat.c:1226 [inline]
+ tipc_nl_compat_recv+0x1b5f/0x2750 net/tipc/netlink_compat.c:1265
+ genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
+ genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
+ netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
+ genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:622 [inline]
+ sock_sendmsg net/socket.c:632 [inline]
+
+ Uninit was created at:
+ __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
+ alloc_skb include/linux/skbuff.h:1012 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
+ netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
+ sock_sendmsg_nosec net/socket.c:622 [inline]
+ sock_sendmsg net/socket.c:632 [inline]
+
+It was supposed to be fixed on commit 974cb0e3e7c9 ("tipc: fix uninit-value
+in tipc_nl_compat_name_table_dump") by checking TLV_GET_DATA_LEN(msg->req)
+in cmd->header()/tipc_nl_compat_name_table_dump_header(), which is called
+ahead of tipc_nl_compat_name_table_dump().
+
+However, tipc_nl_compat_dumpit() doesn't handle the error returned from cmd
+header function. It means even when the check added in that fix fails, it
+won't stop calling tipc_nl_compat_name_table_dump(), and the issue will be
+triggered again.
+
+So this patch is to add the process for the err returned from cmd header
+function in tipc_nl_compat_dumpit().
+
+Reported-by: syzbot+3ce8520484b0d4e260a5@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/tipc/netlink_compat.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
+index 0bfd03d67fdd..340a6e7c43a7 100644
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -267,8 +267,14 @@ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
+ if (msg->rep_type)
+ tipc_tlv_init(msg->rep, msg->rep_type);
+
+- if (cmd->header)
+- (*cmd->header)(msg);
++ if (cmd->header) {
++ err = (*cmd->header)(msg);
++ if (err) {
++ kfree_skb(msg->rep);
++ msg->rep = NULL;
++ return err;
++ }
++ }
+
+ arg = nlmsg_new(0, GFP_KERNEL);
+ if (!arg) {
+--
+2.16.4
+
diff --git a/patches.suse/tipc-pass-tunnel-dev-as-NULL-to-udp_tunnel-6-_xmit_s.patch b/patches.suse/tipc-pass-tunnel-dev-as-NULL-to-udp_tunnel-6-_xmit_s.patch
new file mode 100644
index 0000000000..948939f82f
--- /dev/null
+++ b/patches.suse/tipc-pass-tunnel-dev-as-NULL-to-udp_tunnel-6-_xmit_s.patch
@@ -0,0 +1,94 @@
+From c3bcde026684c62d7a2b6f626dc7cf763833875c Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 17 Jun 2019 21:34:15 +0800
+Subject: [PATCH] tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb
+Git-commit: c3bcde026684c62d7a2b6f626dc7cf763833875c
+Patch-mainline: v5.2-rc6
+References: bsc#1051510
+
+udp_tunnel(6)_xmit_skb() called by tipc_udp_xmit() expects a tunnel device
+to count packets on dev->tstats, a perpcu variable. However, TIPC is using
+udp tunnel with no tunnel device, and pass the lower dev, like veth device
+that only initializes dev->lstats(a perpcu variable) when creating it.
+
+Later iptunnel_xmit_stats() called by ip(6)tunnel_xmit() thinks the dev as
+a tunnel device, and uses dev->tstats instead of dev->lstats. tstats' each
+pointer points to a bigger struct than lstats, so when tstats->tx_bytes is
+increased, other percpu variable's members could be overwritten.
+
+syzbot has reported quite a few crashes due to fib_nh_common percpu member
+'nhc_pcpu_rth_output' overwritten, call traces are like:
+
+ BUG: KASAN: slab-out-of-bounds in rt_cache_valid+0x158/0x190
+ net/ipv4/route.c:1556
+ rt_cache_valid+0x158/0x190 net/ipv4/route.c:1556
+ __mkroute_output net/ipv4/route.c:2332 [inline]
+ ip_route_output_key_hash_rcu+0x819/0x2d50 net/ipv4/route.c:2564
+ ip_route_output_key_hash+0x1ef/0x360 net/ipv4/route.c:2393
+ __ip_route_output_key include/net/route.h:125 [inline]
+ ip_route_output_flow+0x28/0xc0 net/ipv4/route.c:2651
+ ip_route_output_key include/net/route.h:135 [inline]
+ ...
+
+Or:
+
+ kasan: GPF could be caused by NULL-ptr deref or user memory access
+ RIP: 0010:dst_dev_put+0x24/0x290 net/core/dst.c:168
+ <IRQ>
+ rt_fibinfo_free_cpus net/ipv4/fib_semantics.c:200 [inline]
+ free_fib_info_rcu+0x2e1/0x490 net/ipv4/fib_semantics.c:217
+ __rcu_reclaim kernel/rcu/rcu.h:240 [inline]
+ rcu_do_batch kernel/rcu/tree.c:2437 [inline]
+ invoke_rcu_callbacks kernel/rcu/tree.c:2716 [inline]
+ rcu_process_callbacks+0x100a/0x1ac0 kernel/rcu/tree.c:2697
+ ...
+
+The issue exists since tunnel stats update is moved to iptunnel_xmit by
+Commit 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()"),
+and here to fix it by passing a NULL tunnel dev to udp_tunnel(6)_xmit_skb
+so that the packets counting won't happen on dev->tstats.
+
+Reported-by: syzbot+9d4c12bfd45a58738d0a@syzkaller.appspotmail.com
+Reported-by: syzbot+a9e23ea2aa21044c2798@syzkaller.appspotmail.com
+Reported-by: syzbot+c4c4b2bb358bb936ad7e@syzkaller.appspotmail.com
+Reported-by: syzbot+0290d2290a607e035ba1@syzkaller.appspotmail.com
+Reported-by: syzbot+a43d8d4e7e8a7a9e149e@syzkaller.appspotmail.com
+Reported-by: syzbot+a47c5f4c6c00fc1ed16e@syzkaller.appspotmail.com
+Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/tipc/udp_media.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
+index 7fc02d84c4f1..1405ccc9101c 100644
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -176,7 +176,6 @@ static int tipc_udp_xmit(struct net *net, struct sk_buff *skb,
+ goto tx_error;
+ }
+
+- skb->dev = rt->dst.dev;
+ ttl = ip4_dst_hoplimit(&rt->dst);
+ udp_tunnel_xmit_skb(rt, ub->ubsock->sk, skb, src->ipv4.s_addr,
+ dst->ipv4.s_addr, 0, ttl, 0, src->port,
+@@ -195,10 +194,9 @@ static int tipc_udp_xmit(struct net *net, struct sk_buff *skb,
+ if (err)
+ goto tx_error;
+ ttl = ip6_dst_hoplimit(ndst);
+- err = udp_tunnel6_xmit_skb(ndst, ub->ubsock->sk, skb,
+- ndst->dev, &src->ipv6,
+- &dst->ipv6, 0, ttl, 0, src->port,
+- dst->port, false);
++ err = udp_tunnel6_xmit_skb(ndst, ub->ubsock->sk, skb, NULL,
++ &src->ipv6, &dst->ipv6, 0, ttl, 0,
++ src->port, dst->port, false);
+ #endif
+ }
+ return err;
+--
+2.16.4
+
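Review bot: The bare `NULL` passed as the device argument of udp_tunnel6_xmit_skb() carries the whole fix, yet nothing at the call site says so. The IPv4 branch apparently gets the same effect only by no longer assigning `skb->dev`. A later cleanup could easily restore `ndst->dev` or the `skb->dev = rt->dst.dev;` line and bring back the per-cpu stats overwrite described in the commit message. I would add a comment above both calls, for example `/* TIPC has no tunnel device; the lower dev has no tstats, so it must not be used for tunnel stats */`. tipc_udp_xmit() begins and ends outside the two hunks.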
diff --git a/patches.suse/tipc-tipc-clang-warning.patch b/patches.suse/tipc-tipc-clang-warning.patch
new file mode 100644
index 0000000000..11052d7ec2
--- /dev/null
+++ b/patches.suse/tipc-tipc-clang-warning.patch
@@ -0,0 +1,69 @@
+From 737889efe9713a0f20a75fd0de952841d9275e6b Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jon.maloy@ericsson.com>
+Date: Fri, 22 Mar 2019 15:03:51 +0100
+Subject: [PATCH] tipc: tipc clang warning
+Git-commit: 737889efe9713a0f20a75fd0de952841d9275e6b
+Patch-mainline: v5.1-rc3
+References: bsc#1051510
+
+When checking the code with clang -Wsometimes-uninitialized we get the
+following warning:
+
+if (!tipc_link_is_establishing(l)) {
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+net/tipc/node.c:847:46: note: uninitialized use occurs here
+ tipc_bearer_xmit(n->net, bearer_id, &xmitq, maddr);
+
+net/tipc/node.c:831:2: note: remove the 'if' if its condition is always
+true
+if (!tipc_link_is_establishing(l)) {
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+net/tipc/node.c:821:31: note: initialize the variable 'maddr' to silence
+this warning
+struct tipc_media_addr *maddr;
+
+We fix this by initializing 'maddr' to NULL. For the matter of clarity,
+we also test if 'xmitq' is non-empty before we use it and 'maddr'
+further down in the function. It will never happen that 'xmitq' is non-
+empty at the same time as 'maddr' is NULL, so this is a sufficient test.
+
+Fixes: 598411d70f85 ("tipc: make resetting of links non-atomic")
+Reported-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/tipc/node.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/tipc/node.c b/net/tipc/node.c
+index 2dc4919ab23c..dd3b6dc17662 100644
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -817,10 +817,10 @@ static void __tipc_node_link_down(struct tipc_node *n, int *bearer_id,
+ static void tipc_node_link_down(struct tipc_node *n, int bearer_id, bool delete)
+ {
+ struct tipc_link_entry *le = &n->links[bearer_id];
++ struct tipc_media_addr *maddr = NULL;
+ struct tipc_link *l = le->link;
+- struct tipc_media_addr *maddr;
+- struct sk_buff_head xmitq;
+ int old_bearer_id = bearer_id;
++ struct sk_buff_head xmitq;
+
+ if (!l)
+ return;
+@@ -844,7 +844,8 @@ static void tipc_node_link_down(struct tipc_node *n, int bearer_id, bool delete)
+ tipc_node_write_unlock(n);
+ if (delete)
+ tipc_mon_remove_peer(n->net, n->addr, old_bearer_id);
+- tipc_bearer_xmit(n->net, bearer_id, &xmitq, maddr);
++ if (!skb_queue_empty(&xmitq))
++ tipc_bearer_xmit(n->net, bearer_id, &xmitq, maddr);
+ tipc_sk_rcv(n->net, &le->inputq);
+ }
+
+--
+2.16.4
+
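Review bot: The new `if (!skb_queue_empty(&xmitq))` test in tipc_node_link_down() reads `xmitq` on every path, including the one where `tipc_link_is_establishing(l)` is true and the link-down helper never touches the queue. It therefore relies on `xmitq` being initialised before that branch. The initialisation is not in either hunk and should be confirmed, because the declaration shown is uninitialised. The invariant stated in the commit message also belongs at the test itself: `/* xmitq can only be non-empty when __tipc_node_link_down() also set maddr */`.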
diff --git a/patches.suse/tty-serial-fsl_lpuart-use-the-sg-count-from-dma_map_.patch b/patches.suse/tty-serial-fsl_lpuart-use-the-sg-count-from-dma_map_.patch
new file mode 100644
index 0000000000..7a320dde00
--- /dev/null
+++ b/patches.suse/tty-serial-fsl_lpuart-use-the-sg-count-from-dma_map_.patch
@@ -0,0 +1,44 @@
+From 487ee861de176090b055eba5b252b56a3b9973d6 Mon Sep 17 00:00:00 2001
+From: Peng Fan <peng.fan@nxp.com>
+Date: Tue, 5 Nov 2019 05:51:10 +0000
+Subject: [PATCH] tty: serial: fsl_lpuart: use the sg count from dma_map_sg
+Git-commit: 487ee861de176090b055eba5b252b56a3b9973d6
+Patch-mainline: v5.5-rc1
+References: bsc#1051510
+
+The dmaengine_prep_slave_sg needs to use sg count returned
+by dma_map_sg, not use sport->dma_tx_nents, because the return
+value of dma_map_sg is not always same with "nents".
+
+When enabling iommu for lpuart + edma, iommu framework may concatenate
+two sgs into one.
+
+Fixes: 6250cc30c4c4e ("tty: serial: fsl_lpuart: Use scatter/gather DMA for Tx")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Link: https://lore.kernel.org/r/1572932977-17866-1-git-send-email-peng.fan@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/tty/serial/fsl_lpuart.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
+index 22df5f8f48b6..4e128d19e0ad 100644
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -437,8 +437,8 @@ static void lpuart_dma_tx(struct lpuart_port *sport)
+ }
+
+ sport->dma_tx_desc = dmaengine_prep_slave_sg(sport->dma_tx_chan, sgl,
+- sport->dma_tx_nents,
+- DMA_MEM_TO_DEV, DMA_PREP_INTERRUPT);
++ ret, DMA_MEM_TO_DEV,
++ DMA_PREP_INTERRUPT);
+ if (!sport->dma_tx_desc) {
+ dma_unmap_sg(dev, sgl, sport->dma_tx_nents, DMA_TO_DEVICE);
+ dev_err(dev, "Cannot prepare TX slave DMA!\n");
+--
+2.16.4
+
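Review bot: In lpuart_dma_tx(), `ret` now doubles as the mapped scatterlist count passed to dmaengine_prep_slave_sg(), directly above a dma_unmap_sg() call that must keep using `sport->dma_tx_nents`. The two counts are easy to swap in a later edit, which is the API misuse the pch_uart patch in this series corrects. A comment at the call would pin the distinction: `/* ret = entries mapped by dma_map_sg(); dma_unmap_sg() still takes the original nents */`. The same applies to the one-line change in imx_uart_dma_tx() in the imx patch that follows. The assignment of `ret` and its failure check sit outside this hunk.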
diff --git a/patches.suse/tty-serial-imx-use-the-sg-count-from-dma_map_sg.patch b/patches.suse/tty-serial-imx-use-the-sg-count-from-dma_map_sg.patch
new file mode 100644
index 0000000000..f3d137fe37
--- /dev/null
+++ b/patches.suse/tty-serial-imx-use-the-sg-count-from-dma_map_sg.patch
@@ -0,0 +1,38 @@
+From 596fd8dffb745afcebc0ec6968e17fe29f02044c Mon Sep 17 00:00:00 2001
+From: Peng Fan <peng.fan@nxp.com>
+Date: Thu, 7 Nov 2019 06:42:53 +0000
+Subject: [PATCH] tty: serial: imx: use the sg count from dma_map_sg
+Git-commit: 596fd8dffb745afcebc0ec6968e17fe29f02044c
+Patch-mainline: v5.5-rc1
+References: bsc#1051510
+
+The dmaengine_prep_slave_sg needs to use sg count returned
+by dma_map_sg, not use sport->dma_tx_nents, because the return
+value of dma_map_sg is not always same with "nents".
+
+Fixes: b4cdc8f61beb ("serial: imx: add DMA support for imx6q")
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Link: https://lore.kernel.org/r/1573108875-26530-1-git-send-email-peng.fan@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/tty/serial/imx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c
+index 357d3ff34d51..a9e20e6c63ad 100644
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -619,7 +619,7 @@ static void imx_uart_dma_tx(struct imx_port *sport)
+ dev_err(dev, "DMA mapping error for TX.\n");
+ return;
+ }
+- desc = dmaengine_prep_slave_sg(chan, sgl, sport->dma_tx_nents,
++ desc = dmaengine_prep_slave_sg(chan, sgl, ret,
+ DMA_MEM_TO_DEV, DMA_PREP_INTERRUPT);
+ if (!desc) {
+ dma_unmap_sg(dev, sgl, sport->dma_tx_nents,
+--
+2.16.4
+
diff --git a/patches.suse/tty-serial-msm_serial-Fix-flow-control.patch b/patches.suse/tty-serial-msm_serial-Fix-flow-control.patch
new file mode 100644
index 0000000000..6c92a2332a
--- /dev/null
+++ b/patches.suse/tty-serial-msm_serial-Fix-flow-control.patch
@@ -0,0 +1,74 @@
+From b027ce258369cbfa88401a691c23dad01deb9f9b Mon Sep 17 00:00:00 2001
+From: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
+Date: Mon, 21 Oct 2019 08:46:16 -0700
+Subject: [PATCH] tty: serial: msm_serial: Fix flow control
+Git-commit: b027ce258369cbfa88401a691c23dad01deb9f9b
+Patch-mainline: v5.5-rc1
+References: bsc#1051510
+
+hci_qca interfaces to the wcn3990 via a uart_dm on the msm8998 mtp and
+Lenovo Miix 630 laptop. As part of initializing the wcn3990, hci_qca
+disables flow, configures the uart baudrate, and then reenables flow - at
+which point an event is expected to be received over the uart from the
+wcn3990. It is observed that this event comes after the baudrate change
+but before hci_qca re-enables flow. This is unexpected, and is a result of
+msm_reset() being broken.
+
+According to the uart_dm hardware documentation, it is recommended that
+automatic hardware flow control be enabled by setting RX_RDY_CTL. Auto
+hw flow control will manage RFR based on the configured watermark. When
+there is space to receive data, the hw will assert RFR. When the watermark
+is hit, the hw will de-assert RFR.
+
+The hardware documentation indicates that RFR can me manually managed via
+CR when RX_RDY_CTL is not set. SET_RFR asserts RFR, and RESET_RFR
+de-asserts RFR.
+
+msm_reset() is broken because after resetting the hardware, it
+unconditionally asserts RFR via SET_RFR. This enables flow regardless of
+the current configuration, and would undo a previous flow disable
+operation. It should instead de-assert RFR via RESET_RFR to block flow
+until the hardware is reconfigured. msm_serial should rely on the client
+to specify that flow should be enabled, either via mctrl() or the termios
+structure, and only assert RFR in response to those triggers.
+
+Fixes: 04896a77a97b ("msm_serial: serial driver for MSM7K onboard serial peripheral.")
+Signed-off-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Andy Gross <agross@kernel.org>
+Link: https://lore.kernel.org/r/20191021154616.25457-1-jeffrey.l.hugo@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/tty/serial/msm_serial.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c
+index 3657a24913fc..00964b6e4ac1 100644
+--- a/drivers/tty/serial/msm_serial.c
++++ b/drivers/tty/serial/msm_serial.c
+@@ -980,6 +980,7 @@ static unsigned int msm_get_mctrl(struct uart_port *port)
+ static void msm_reset(struct uart_port *port)
+ {
+ struct msm_port *msm_port = UART_TO_MSM(port);
++ unsigned int mr;
+
+ /* reset everything */
+ msm_write(port, UART_CR_CMD_RESET_RX, UART_CR);
+@@ -987,7 +988,10 @@ static void msm_reset(struct uart_port *port)
+ msm_write(port, UART_CR_CMD_RESET_ERR, UART_CR);
+ msm_write(port, UART_CR_CMD_RESET_BREAK_INT, UART_CR);
+ msm_write(port, UART_CR_CMD_RESET_CTS, UART_CR);
+- msm_write(port, UART_CR_CMD_SET_RFR, UART_CR);
++ msm_write(port, UART_CR_CMD_RESET_RFR, UART_CR);
++ mr = msm_read(port, UART_MR1);
++ mr &= ~UART_MR1_RX_RDY_CTL;
++ msm_write(port, mr, UART_MR1);
+
+ /* Disable DM modes */
+ if (msm_port->is_uartdm)
+--
+2.16.4
+
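Review bot: The lines added to msm_reset() sit under the existing `/* reset everything */` comment but do something different. They de-assert RFR and clear `UART_MR1_RX_RDY_CTL`, leaving flow blocked until the client asks for it. They deserve their own comment, for example `/* keep RFR de-asserted and auto flow control off until mctrl()/termios re-enables it */`. The `UART_MR1` read-modify-write is also not visibly serialised. Whether callers of msm_reset() hold the port lock cannot be told from the hunk, and the function continues beyond it.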
diff --git a/patches.suse/tty-serial-pch_uart-correct-usage-of-dma_unmap_sg.patch b/patches.suse/tty-serial-pch_uart-correct-usage-of-dma_unmap_sg.patch
new file mode 100644
index 0000000000..0e392268a3
--- /dev/null
+++ b/patches.suse/tty-serial-pch_uart-correct-usage-of-dma_unmap_sg.patch
@@ -0,0 +1,70 @@
+From 74887542fdcc92ad06a48c0cca17cdf09fc8aa00 Mon Sep 17 00:00:00 2001
+From: Peng Fan <peng.fan@nxp.com>
+Date: Wed, 13 Nov 2019 05:37:42 +0000
+Subject: [PATCH] tty: serial: pch_uart: correct usage of dma_unmap_sg
+Git-commit: 74887542fdcc92ad06a48c0cca17cdf09fc8aa00
+Patch-mainline: v5.5-rc1
+References: bsc#1051510
+
+Per Documentation/DMA-API-HOWTO.txt,
+To unmap a scatterlist, just call:
+ dma_unmap_sg(dev, sglist, nents, direction);
+
+.. note::
+
+ The 'nents' argument to the dma_unmap_sg call must be
+ the _same_ one you passed into the dma_map_sg call,
+ it should _NOT_ be the 'count' value _returned_ from the
+ dma_map_sg call.
+
+However in the driver, priv->nent is directly assigned with value
+returned from dma_map_sg, and dma_unmap_sg use priv->nent for unmap,
+this breaks the API usage.
+
+So introduce a new entry orig_nent to remember 'nents'.
+
+Fixes: da3564ee027e ("pch_uart: add multi-scatter processing")
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Link: https://lore.kernel.org/r/1573623259-6339-1-git-send-email-peng.fan@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/tty/serial/pch_uart.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c
+index 6157213a8359..c16234bca78f 100644
+--- a/drivers/tty/serial/pch_uart.c
++++ b/drivers/tty/serial/pch_uart.c
+@@ -233,6 +233,7 @@ struct eg20t_port {
+ struct dma_chan *chan_rx;
+ struct scatterlist *sg_tx_p;
+ int nent;
++ int orig_nent;
+ struct scatterlist sg_rx;
+ int tx_dma_use;
+ void *rx_buf_virt;
+@@ -787,9 +788,10 @@ static void pch_dma_tx_complete(void *arg)
+ }
+ xmit->tail &= UART_XMIT_SIZE - 1;
+ async_tx_ack(priv->desc_tx);
+- dma_unmap_sg(port->dev, sg, priv->nent, DMA_TO_DEVICE);
++ dma_unmap_sg(port->dev, sg, priv->orig_nent, DMA_TO_DEVICE);
+ priv->tx_dma_use = 0;
+ priv->nent = 0;
++ priv->orig_nent = 0;
+ kfree(priv->sg_tx_p);
+ pch_uart_hal_enable_interrupt(priv, PCH_UART_HAL_TX_INT);
+ }
+@@ -1010,6 +1012,7 @@ static unsigned int dma_handle_tx(struct eg20t_port *priv)
+ dev_err(priv->port.dev, "%s:dma_map_sg Failed\n", __func__);
+ return 0;
+ }
++ priv->orig_nent = num;
+ priv->nent = nent;
+
+ for (i = 0; i < nent; i++, sg++) {
+--
+2.16.4
+
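Review bot: The `dma_unmap_sg()` call in pch_dma_tx_complete() still passes the local `sg`, and the closing brace just above it suggests a loop that may already have advanced that pointer, so the corrected count could be applied from the wrong starting entry. dma_handle_tx() walks its list with `i++, sg++` in the last hunk, which is why the same pattern is plausible here. The start of pch_dma_tx_complete() is outside the hunk, so this needs confirming against the full source. If `sg` is incremented there, unmap from the saved list head instead: `dma_unmap_sg(port->dev, priv->sg_tx_p, priv->orig_nent, DMA_TO_DEVICE);`. The new `orig_nent` field in struct eg20t_port would also benefit from a comment such as `/* nents passed to dma_map_sg(); use for dma_unmap_sg() */` so it is not confused with `nent`.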
diff --git a/patches.suse/usb-yurex-Fix-use-after-free-in-yurex_delete.patch b/patches.suse/usb-yurex-Fix-use-after-free-in-yurex_delete.patch
index f41b87a83e..97b2609e1c 100644
--- a/patches.suse/usb-yurex-Fix-use-after-free-in-yurex_delete.patch
+++ b/patches.suse/usb-yurex-Fix-use-after-free-in-yurex_delete.patch
@@ -4,7 +4,7 @@ Date: Mon, 5 Aug 2019 12:15:28 +0100
Subject: [PATCH] usb: yurex: Fix use-after-free in yurex_delete
Git-commit: fc05481b2fcabaaeccf63e32ac1baab54e5b6963
Patch-mainline: v5.3-rc4
-References: bsc#1051510
+References: CVE-2019-19531 bsc#1158445 bsc#1051510
syzbot reported the following crash [0]:
diff --git a/series.conf b/series.conf
index fb99ae11f4..da2b173206 100644
--- a/series.conf
+++ b/series.conf
@@ -11326,6 +11326,7 @@
patches.suse/net-phy-micrel-ksz9031-reconfigure-autoneg-after-phy.patch
patches.suse/RDS-Check-cmsg_len-before-dereferencing-CMSG_DATA.patch
patches.suse/tipc-error-path-leak-fixes-in-tipc_enable_bearer.patch
+ patches.suse/tipc-fix-tipc_mon_delete-oops-in-tipc_enable_bearer-.patch
patches.suse/net-fec-unmap-the-xmit-buffer-that-are-not-transferr.patch
patches.suse/xfrm-Fix-xfrm_input-to-verify-state-is-valid-when-en.patch
patches.suse/0005-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-l.patch
@@ -12838,6 +12839,7 @@
patches.suse/ibmvnic-Wait-for-device-response-when-changing-MAC.patch
patches.suse/qmi_wwan-Add-support-for-Quectel-EP06.patch
patches.suse/r8169-fix-RTL8168EP-take-too-long-to-complete-driver.patch
+ patches.suse/tcp_nv-fix-potential-integer-overflow-in-tcpnv_acked.patch
patches.suse/ip6mr-fix-stale-iterator.patch
patches.suse/fs-dax.c-release-PMD-lock-even-when-there-is-no-PMD-.patch
patches.suse/ocfs2-return-EROFS-to-mount.ocfs2-if-inode-block-is-.patch
@@ -20301,6 +20303,7 @@
patches.suse/signal-Always-deliver-the-kernel-s-SIGKILL-and-SIGST.patch
patches.suse/selinux-Add-__GFP_NOWARN-to-allocation-at-str_read.patch
patches.suse/0001-keys-Fix-the-use-of-the-C-keyword-private-in-uapi-li.patch
+ patches.suse/synclink_gt-fix-compat_ioctl.patch
patches.suse/0009-Btrfs-do-not-unnecessarily-pass-write_lock_level-whe.patch
patches.suse/0001-btrfs-qgroup-Dirty-all-qgroups-before-rescan.patch
patches.suse/btrfs-fix-error-handling-in-free_log_tree.patch
@@ -20533,6 +20536,7 @@
patches.suse/usb-chipidea-Fix-otg-event-handler.patch
patches.suse/usb-host-ohci-at91-fix-request-of-irq-for-optional-g.patch
patches.suse/USB-serial-cypress_m8-fix-interrupt-out-transfer-len.patch
+ patches.suse/USB-misc-appledisplay-fix-backlight-update_status-re.patch
patches.suse/usbip-tools-fix-atoi-on-non-null-terminated-string.patch
patches.suse/usbip-vudc-BUG-kmalloc-2048-Not-tainted-Poison-overw.patch
patches.suse/kernfs-update-comment-about-kernfs_path-return-value.patch
@@ -22983,6 +22987,7 @@
patches.suse/0001-netfilter-bridge-set-skb-transport_header-before-ent.patch
patches.suse/net-sched-don-t-dereference-a-goto_chain-to-read-the.patch
patches.suse/rhashtable-Still-do-rehash-when-we-get-EEXIST.patch
+ patches.suse/tipc-tipc-clang-warning.patch
patches.suse/bpf-do-not-restore-dst_reg-when-cur_state-is-freed.patch
patches.suse/ARM-imx6q-cpuidle-fix-bug-that-CPU-might-not-wake-up.patch
patches.suse/s390-vtime-steal-time-exponential-moving-average.patch
@@ -23089,6 +23094,9 @@
patches.suse/net-mlx5e-Fix-error-handling-when-refreshing-TIRs.patch
patches.suse/net-mlx5e-Add-a-lock-on-tir-list.patch
patches.suse/bpf-fix-use-after-free-in-bpf_evict_inode.patch
+ patches.suse/tipc-check-bearer-name-with-right-length-in-tipc_nl_.patch
+ patches.suse/tipc-check-link-name-with-right-length-in-tipc_nl_co.patch
+ patches.suse/tipc-handle-the-err-returned-from-cmd-header-functio.patch
patches.suse/vrf-check-accept_source_route-on-the-original-netdev.patch
patches.suse/net-sched-fix-get-helper-of-the-matchall-cls.patch
patches.suse/kcm-switch-order-of-device-registration-to-fix-a-cra.patch
@@ -23894,6 +23902,7 @@
patches.suse/crypto-vmx-CTR-always-increment-IV-as-quadword.patch
patches.suse/crypto-vmx-ghash-do-nosimd-fallback-manually.patch
patches.suse/net-mlx4_en-ethtool-Remove-unsupported-SFP-EEPROM-hi.patch
+ patches.suse/tipc-Avoid-copying-bytes-beyond-the-supplied-data.patch
patches.suse/usbnet-ipheth-fix-racing-condition.patch
patches.suse/ipv6-Consider-sk_bound_dev_if-when-binding-a-raw-soc.patch
patches.suse/usbnet-fix-kernel-crash-after-disconnect.patch
@@ -24127,6 +24136,7 @@
patches.suse/drm-i915-gvt-ignore-unexpected-pvinfo-write.patch
patches.suse/net-remove-duplicate-fetch-in-sock_getsockopt.patch
patches.suse/tun-wake-up-waitqueues-after-IFF_UP-is-set.patch
+ patches.suse/tipc-pass-tunnel-dev-as-NULL-to-udp_tunnel-6-_xmit_s.patch
patches.suse/net-af_iucv-remove-gfp_dma-restriction-for-hipertransport
patches.suse/tcp-refine-memory-limit-test-in-tcp_fragment.patch
patches.suse/Bluetooth-Fix-regression-with-minimum-encryption-key.patch
@@ -24138,6 +24148,7 @@
patches.suse/sis900-fix-TX-completion.patch
patches.suse/tipc-change-to-use-register_pernet_device.patch
patches.suse/net-packet-fix-memory-leak-in-packet_set_ring.patch
+ patches.suse/tipc-check-msg-req-data-len-in-tipc_nl_compat_bearer.patch
patches.suse/qmi_wwan-Fix-out-of-bounds-read.patch
patches.suse/ipv4-Use-return-value-of-inet_iif-for-__raw_v4_looku.patch
patches.suse/bonding-Always-enable-vlan-tx-offload.patch
@@ -24703,6 +24714,7 @@
patches.suse/mac80211-don-t-WARN-on-short-WMM-parameters-from-AP.patch
patches.suse/isdn-hfcsusb-Fix-mISDN-driver-crash-caused-by-transf.patch
patches.suse/net-bridge-mcast-don-t-delete-permanent-entries-when.patch
+ patches.suse/tipc-compat-allow-tipc-commands-without-arguments.patch
patches.suse/net-usb-pegasus-fix-improper-read-if-get_registers-f.patch
patches.suse/atm-iphase-Fix-Spectre-v1-vulnerability.patch
patches.suse/can-sja1000-force-the-string-buffer-NULL-terminated.patch
@@ -25681,9 +25693,12 @@
patches.suse/Documentation-debugfs-Document-debugfs-helper-for-un.patch
patches.suse/powerpc-book3s64-Fix-link-stack-flush-on-context-swi.patch
patches.suse/KVM-PPC-Book3S-HV-Flush-link-stack-on-guest-exit-to-.patch
+ patches.suse/ftrace-introduce-permanent-ftrace_ops-flag.patch
patches.suse/openvswitch-fix-flow-command-message-size.patch
patches.suse/video-hdmi-Fix-AVI-bar-unpack.patch
patches.suse/drm-radeon-fix-bad-DMA-from-INTERRUPT_CNTL2.patch
+ patches.suse/CIFS-Fix-SMB2-oplock-break-processing.patch
+ patches.suse/cifs-move-cifsFileInfo_put-logic-into-a-work-queue.patch
patches.suse/powerpc-pseries-Don-t-opencode-HPTE_V_BOLTED.patch
patches.suse/powerpc-pseries-Don-t-fail-hash-page-table-insert-fo.patch
patches.suse/powerpc-book3s64-hash-Use-secondary-hash-for-bolted-.patch
@@ -25693,10 +25708,12 @@
patches.suse/powerpc-security-Fix-wrong-message-when-RFI-Flush-is.patch
patches.suse/powerpc-xive-Prevent-page-fault-issues-in-the-machin.patch
patches.suse/powerpc-fadump-when-fadump-is-supported-register-the.patch
+ patches.suse/compat_ioctl-handle-SIOCOUTQNSD.patch
patches.suse/clk-samsung-exynos5420-Preserve-CPU-clocks-configura.patch
patches.suse/clk-pxa-fix-one-of-the-pxa-RTC-clocks.patch
patches.suse/mfd-intel-lpss-Add-default-I2C-device-properties-for.patch
patches.suse/gpio-mpc8xxx-Don-t-overwrite-default-irq_set_type-ca.patch
+ patches.suse/tipc-fix-wrong-timeout-input-for-tipc_wait_for_cond.patch
patches.suse/scsi-qla2xxx-remove-redundant-assignment-to-pointer-.patch
patches.suse/scsi-qla2xxx-Dual-FCP-NVMe-target-port-support.patch
patches.suse/scsi-qla2xxx-Add-error-handling-for-PLOGI-ELS-passth.patch
@@ -25716,6 +25733,16 @@
patches.suse/scsi-qla2xxx-Fix-a-dma_pool_free-call.patch
patches.suse/scsi-qla2xxx-initialize-fc4_type_priority.patch
patches.suse/scsi-qla2xxx-don-t-use-zero-for-FC4_PRIORITY_NVME.patch
+ patches.suse/PCI-PTM-Remove-spurious-d-from-granularity-message.patch
+ patches.suse/PCI-MSI-Fix-incorrect-MSI-X-masking-on-resume.patch
+ patches.suse/PCI-Fix-Intel-ACS-quirk-UPDCR-register-address.patch
+ patches.suse/PCI-Apply-Cavium-ACS-quirk-to-ThunderX2-and-ThunderX.patch
+ patches.suse/PCI-dwc-Fix-find_next_bit-usage.patch
+ patches.suse/PCI-rcar-Fix-missing-MACCTLR-register-setting-in-ini.patch
+ patches.suse/tty-serial-msm_serial-Fix-flow-control.patch
+ patches.suse/tty-serial-fsl_lpuart-use-the-sg-count-from-dma_map_.patch
+ patches.suse/tty-serial-imx-use-the-sg-count-from-dma_map_sg.patch
+ patches.suse/tty-serial-pch_uart-correct-usage-of-dma_unmap_sg.patch
# dhowells/linux-fs keys-uefi
patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
@@ -25732,8 +25759,6 @@
# out-of-tree patches
patches.suse/cifs-handle-netapp-error-codes.patch
- patches.suse/CIFS-Fix-SMB2-oplock-break-processing.patch
- patches.suse/cifs-move-cifsFileInfo_put-logic-into-a-work-queue.patch
patches.suse/powerpc-add-link-stack-flush-mitigation-in-debugfs.patch
########################################################
@@ -25967,6 +25992,9 @@
patches.suse/0001-irqchip-gic-v3-its-fix-build-warnings.patch
+ # bsc#1142095
+ patches.suse/mlx5-add-parameter-to-disable-enhanced-IPoIB.patch
+
########################################################
# Filesystem
########################################################