authorJohannes Thumshirn <jthumshirn@suse.de>2018-10-16 09:46:35 +0200
committerJohannes Thumshirn <jthumshirn@suse.de>2018-10-16 09:46:35 +0200
commita78dfd7764c72ecc240824d8ad496ccdf73b8d0d (patch)
treef03203ff8ab810a7b4d398cf460bb58273412eb9
parentfba41fa932fc55a0bcf193c036fd0cc2203f9279 (diff)
parentd0d5beed5a7d5479faa7f96b74e58cb175c39ee4 (diff)
Merge branch 'SLE15' into SLE12-SP4
Conflicts: blacklist.conf series.conf
-rw-r--r--blacklist.conf6
-rw-r--r--patches.arch/0001-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch18
-rw-r--r--patches.arch/0001-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch6
-rw-r--r--patches.arch/powerpc-rtas-Fix-a-potential-race-between-CPU-Offlin.patch74
-rw-r--r--patches.arch/scsi-ipr-Eliminate-duplicate-barriers.patch50
-rw-r--r--patches.arch/scsi-ipr-Use-dma_pool_zalloc.patch43
-rw-r--r--patches.arch/scsi-ipr-fix-incorrect-indentation-of-assignment-sta.patch37
-rw-r--r--patches.arch/x86-speculation-l1tf-extend-64bit-swap-file-size-limit6
-rw-r--r--patches.arch/x86-speculation-l1tf-fix-overflow-in-l1tf_pfn_limit-on-32bit.patch71
-rw-r--r--patches.arch/x86-speculation-l1tf-protect-pae-swap-entries-against-l1tf6
-rw-r--r--patches.drivers/USB-serial-simple-add-Motorola-Tetra-MTP6550-id.patch133
-rw-r--r--patches.drivers/USB-yurex-Check-for-truncation-in-yurex_read.patch41
-rw-r--r--patches.drivers/scsi-qla2xxx-fix-memory-leak-for-allocating-abort-iocb.patch101
-rw-r--r--patches.drivers/scsi-target-prefer-dbroot-of-etc-target-over-var-target84
-rw-r--r--patches.drivers/stm-Potential-read-overflow-in-stm_char_policy_set_i.patch36
-rw-r--r--patches.drivers/switchtec-Fix-Spectre-v1-vulnerability.patch54
-rw-r--r--patches.drivers/usb-gadget-fotg210-udc-Fix-memory-leak-of-fotg210-ep.patch91
-rw-r--r--patches.drivers/usb-xhci-mtk-resume-USB3-roothub-first.patch42
-rw-r--r--patches.drivers/xhci-Add-missing-CAS-workaround-for-Intel-Sunrise-Po.patch38
-rw-r--r--patches.fixes/aio-fix-io_destroy2-vs.-lookup_ioctx-race.patch66
-rw-r--r--patches.fixes/blkdev_report_zones_ioctl-use-vmalloc-to-allocate-large-buffers.patch69
-rw-r--r--patches.fixes/block-bvec_nr_vecs-returns-value-for-wrong-slab.patch37
-rw-r--r--patches.fixes/ksm-fix-unlocked-iteration-over-vmas-in-cmp_and_merge_page.patch52
-rw-r--r--patches.fixes/mm-fix-bug_on-in-vmf_insert_pfn_pud-from-vm_mixedmap-removal.patch51
-rw-r--r--patches.fixes/ovl-Sync-upper-dirty-data-when-syncing-overlayfs.patch61
-rw-r--r--patches.fixes/ovl-fix-format-of-setxattr-debug.patch34
-rw-r--r--patches.fixes/proc-restrict-kernel-stack-dumps-to-root.patch73
-rw-r--r--patches.fixes/sock_diag-fix-use-after-free-read-in-__sk_free.patch119
-rw-r--r--patches.fixes/squashfs-more-metadata-hardening2.patch102
-rw-r--r--patches.fixes/sysfs-Do-not-return-POSIX-ACL-xattrs-via-listxattr.patch62
-rw-r--r--patches.fixes/team-Forbid-enslaving-team-device-to-itself.patch125
-rw-r--r--patches.fixes/vti4-Don-t-count-header-length-twice-on-tunnel-setup.patch70
-rw-r--r--patches.fixes/vti6-fix-PMTU-caching-and-reporting-on-xmit.patch54
-rw-r--r--patches.fixes/vti6-remove-skb-ignore_df-check-from-vti6_xmit.patch42
-rw-r--r--patches.suse/btrfs-fix-file-data-corruption-after-cloning-a-range.patch107
-rw-r--r--patches.suse/btrfs-fix-mount-failure-after-fsync-due-to-hard-link.patch143
-rw-r--r--patches.suse/btrfs-send-fix-invalid-access-to-commit-roots-due-to.patch139
-rw-r--r--patches.suse/vmbus-don-t-return-values-for-uninitalized-channels.patch41
-rw-r--r--series.conf35
39 files changed, 2400 insertions, 19 deletions
diff --git a/blacklist.conf b/blacklist.conf
index 030eb78c11..2487bd98bf 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -521,3 +521,9 @@ c2ef60fea2dc7f903450926aee1f9c282ea529ca # xhci: revert: no fixes backported
c4ff91dd40e2253ab6dd028011469c2c694e1e19 # drm/amd/pp: initialize result to before or'ing in data
9c60583c0b0fd6f3a5b61fda3eb604ce218b9d25 # breaks KABI
+7a68d9fb851012829c29e770621905529bd9490b # breaks KABI
+81e0403b26d94360abd1f6a57311337973bc82cd # useless without patch breaking kABI
+babcbbc7c4e2fa7fa76417ece7c57083bee971f1 # needs read_word_at_a_time 7f1e541fc8d57
+c6718543463dbb78486ad259f884cb800df802b5 # for stacked ovl file operations
+8cf9ee5061037accf61775f438ad7513576d4413 # for stacked ovl file operations
+452061fd4521b2bf3225fc391dbe536e5f9c05e2 # depends of redirect_follow feature
diff --git a/patches.arch/0001-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch b/patches.arch/0001-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch
index abf870f9ad..13067a549b 100644
--- a/patches.arch/0001-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch
+++ b/patches.arch/0001-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch
@@ -51,24 +51,24 @@ Acked-by: Michal Hocko <mhocko@suse.com>
+++ b/arch/x86/include/asm/processor.h
@@ -184,7 +184,7 @@ extern void cpu_detect(struct cpuinfo_x8
- static inline unsigned long l1tf_pfn_limit(void)
+ static inline unsigned long long l1tf_pfn_limit(void)
{
-- return BIT(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1;
-+ return BIT(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT);
+- return BIT_ULL(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1;
++ return BIT_ULL(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT);
}
extern void early_cpu_init(void);
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
-@@ -891,7 +891,7 @@ unsigned long max_swapfile_size(void)
+@@ -893,7 +893,7 @@ unsigned long max_swapfile_size(void)
if (boot_cpu_has_bug(X86_BUG_L1TF)) {
/* Limit the swap file size to MAX_PA/2 for L1TF workaround */
-- pages = min_t(unsigned long, l1tf_pfn_limit() + 1, pages);
-+ pages = min_t(unsigned long, l1tf_pfn_limit(), pages);
- }
- return pages;
- }
+- unsigned long long l1tf_limit = l1tf_pfn_limit() + 1;
++ unsigned long long l1tf_limit = l1tf_pfn_limit();
+ /*
+ * We encode swap offsets also with 3 bits below those for pfn
+ * which makes the usable limit higher.
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -189,7 +189,7 @@ bool pfn_modify_allowed(unsigned long pf
diff --git a/patches.arch/0001-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch b/patches.arch/0001-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch
index 9e014fe7f6..7ce1c3a4b4 100644
--- a/patches.arch/0001-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch
+++ b/patches.arch/0001-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch
@@ -58,10 +58,10 @@ Acked-by: Michal Hocko <mhocko@suse.com>
@@ -182,7 +184,7 @@ extern void cpu_detect(struct cpuinfo_x8
- static inline unsigned long l1tf_pfn_limit(void)
+ static inline unsigned long long l1tf_pfn_limit(void)
{
-- return BIT(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT);
-+ return BIT(boot_cpu_data.x86_cache_bits - 1 - PAGE_SHIFT);
+- return BIT_ULL(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT);
++ return BIT_ULL(boot_cpu_data.x86_cache_bits - 1 - PAGE_SHIFT);
}
extern void early_cpu_init(void);
diff --git a/patches.arch/powerpc-rtas-Fix-a-potential-race-between-CPU-Offlin.patch b/patches.arch/powerpc-rtas-Fix-a-potential-race-between-CPU-Offlin.patch
new file mode 100644
index 0000000000..4d98c5c893
--- /dev/null
+++ b/patches.arch/powerpc-rtas-Fix-a-potential-race-between-CPU-Offlin.patch
@@ -0,0 +1,74 @@
+From 5d9c89cd8db668fa7addd4723e0de006e8a191ee Mon Sep 17 00:00:00 2001
+From: "Gautham R. Shenoy" <ego@linux.vnet.ibm.com>
+Date: Mon, 1 Oct 2018 16:10:39 +0530
+Subject: [PATCH] powerpc/rtas: Fix a potential race between CPU-Offline &
+ Migration
+
+References: bsc#1111870
+Patch-mainline: queued
+Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git
+Git-commit: dfd718a2ed1f678e66749ffe41bdeafedf3f4314
+
+Live Partition Migrations require all the present CPUs to execute the
+H_JOIN call, and hence rtas_ibm_suspend_me() onlines any offline CPUs
+before initiating the migration for this purpose.
+
+The commit 85a88cabad57
+("powerpc/pseries: Disable CPU hotplug across migrations")
+disables any CPU-hotplug operations once all the offline CPUs are
+brought online to prevent any further state change. Once the
+CPU-Hotplug operation is disabled, the code assumes that all the CPUs
+are online.
+
+However, there is a minor window in rtas_ibm_suspend_me() between
+onlining the offline CPUs and disabling CPU-Hotplug when a concurrent
+CPU-offline operations initiated by the userspace can succeed thereby
+nullifying the the aformentioned assumption. In this unlikely case
+these offlined CPUs will not call H_JOIN, resulting in a system hang.
+
+Fix this by verifying that all the present CPUs are actually online
+after CPU-Hotplug has been disabled, failing which we restore the
+state of the offline CPUs in rtas_ibm_suspend_me() and return an
+-EBUSY.
+
+Cc: Nathan Fontenot <nfont@linux.vnet.ibm.com>
+Cc: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
+Reviewed-by: Nathan Fontenot <nfont@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/kernel/rtas.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
+index 7c605dc98624..5fe41f0f59fd 100644
+--- a/arch/powerpc/kernel/rtas.c
++++ b/arch/powerpc/kernel/rtas.c
+@@ -983,6 +983,14 @@ int rtas_ibm_suspend_me(u64 handle)
+ cpu_hotplug_disable();
+ stop_topology_update();
+
++ /* Check if we raced with a CPU-Offline Operation */
++ if (unlikely(!cpumask_equal(cpu_present_mask, cpu_online_mask))) {
++ pr_err("%s: Raced against a concurrent CPU-Offline\n",
++ __func__);
++ atomic_set(&data.error, -EBUSY);
++ goto out_hotplug_enable;
++ }
++
+ /* Call function on all CPUs. One of us will make the
+ * rtas call
+ */
+@@ -994,6 +1002,7 @@ int rtas_ibm_suspend_me(u64 handle)
+ if (atomic_read(&data.error) != 0)
+ printk(KERN_ERR "Error doing global join\n");
+
++out_hotplug_enable:
+ start_topology_update();
+ cpu_hotplug_enable();
+
+--
+2.13.7
+
diff --git a/patches.arch/scsi-ipr-Eliminate-duplicate-barriers.patch b/patches.arch/scsi-ipr-Eliminate-duplicate-barriers.patch
new file mode 100644
index 0000000000..e2eb2f1b93
--- /dev/null
+++ b/patches.arch/scsi-ipr-Eliminate-duplicate-barriers.patch
@@ -0,0 +1,50 @@
+From f2233a33dc1fef4aa30dc11e4c676637bf358c3d Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 19 Mar 2018 22:50:05 -0400
+Subject: [PATCH] scsi: ipr: Eliminate duplicate barriers
+
+References: FATE#326436
+Patch-mainline: v4.18-rc3
+Git-commit: f2233a33dc1fef4aa30dc11e4c676637bf358c3d
+
+Driver does both wmb() and writel(). The latter already has a barrier
+on some architectures like arm64. This ends up with CPU observing two
+barriers back to back before executing the register write.
+
+Drivers should generally assume that the barrier implied by writel() is
+sufficient for ordering DMA. Remove the extraneous wmb() before it.
+
+[mkp: Squashed Arnd's and Sinan's patches]
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reported-by: Sinan Kaya <okaya@codeaurora.org>
+Acked-by: Brian King <brking@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ drivers/scsi/ipr.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
+index 0a9b8b387bd2..02d65dce74e5 100644
+--- a/drivers/scsi/ipr.c
++++ b/drivers/scsi/ipr.c
+@@ -760,7 +760,6 @@ static void ipr_mask_and_clear_interrupts(struct ipr_ioa_cfg *ioa_cfg,
+ ioa_cfg->hrrq[i].allow_interrupts = 0;
+ spin_unlock(&ioa_cfg->hrrq[i]._lock);
+ }
+- wmb();
+
+ /* Set interrupt mask to stop all new interrupts */
+ if (ioa_cfg->sis64)
+@@ -8403,7 +8402,6 @@ static int ipr_reset_enable_ioa(struct ipr_cmnd *ipr_cmd)
+ ioa_cfg->hrrq[i].allow_interrupts = 1;
+ spin_unlock(&ioa_cfg->hrrq[i]._lock);
+ }
+- wmb();
+ if (ioa_cfg->sis64) {
+ /* Set the adapter to the correct endian mode. */
+ writel(IPR_ENDIAN_SWAP_KEY, ioa_cfg->regs.endian_swap_reg);
+--
+2.13.7
+
diff --git a/patches.arch/scsi-ipr-Use-dma_pool_zalloc.patch b/patches.arch/scsi-ipr-Use-dma_pool_zalloc.patch
new file mode 100644
index 0000000000..3b770e9c63
--- /dev/null
+++ b/patches.arch/scsi-ipr-Use-dma_pool_zalloc.patch
@@ -0,0 +1,43 @@
+From 8b1bb6dcba76b0fceffff77a25e990f30b10d139 Mon Sep 17 00:00:00 2001
+From: Souptick Joarder <jrdr.linux@gmail.com>
+Date: Thu, 8 Mar 2018 18:41:57 +0530
+Subject: [PATCH] scsi: ipr: Use dma_pool_zalloc()
+
+References: FATE#326436
+Patch-mainline: v4.17-rc1
+Git-commit: 8b1bb6dcba76b0fceffff77a25e990f30b10d139
+
+Use dma_pool_zalloc() instead of dma_pool_alloc + memset
+
+Signed-off-by: Souptick Joarder <jrdr.linux@gmail.com>
+Acked-by: Brian King <brking@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ drivers/scsi/ipr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
+index 52735162444f..dda1a64ab89c 100644
+--- a/drivers/scsi/ipr.c
++++ b/drivers/scsi/ipr.c
+@@ -9651,14 +9651,14 @@ static int ipr_alloc_cmd_blks(struct ipr_ioa_cfg *ioa_cfg)
+ }
+
+ for (i = 0; i < IPR_NUM_CMD_BLKS; i++) {
+- ipr_cmd = dma_pool_alloc(ioa_cfg->ipr_cmd_pool, GFP_KERNEL, &dma_addr);
++ ipr_cmd = dma_pool_zalloc(ioa_cfg->ipr_cmd_pool,
++ GFP_KERNEL, &dma_addr);
+
+ if (!ipr_cmd) {
+ ipr_free_cmd_blks(ioa_cfg);
+ return -ENOMEM;
+ }
+
+- memset(ipr_cmd, 0, sizeof(*ipr_cmd));
+ ioa_cfg->ipr_cmnd_list[i] = ipr_cmd;
+ ioa_cfg->ipr_cmnd_list_dma[i] = dma_addr;
+
+--
+2.13.7
+
diff --git a/patches.arch/scsi-ipr-fix-incorrect-indentation-of-assignment-sta.patch b/patches.arch/scsi-ipr-fix-incorrect-indentation-of-assignment-sta.patch
new file mode 100644
index 0000000000..5233148ceb
--- /dev/null
+++ b/patches.arch/scsi-ipr-fix-incorrect-indentation-of-assignment-sta.patch
@@ -0,0 +1,37 @@
+From b82378e682d7128a5d26a4c68fa748e13fdd996a Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 1 Dec 2017 13:33:27 +0000
+Subject: [PATCH] scsi: ipr: fix incorrect indentation of assignment statement
+
+References: FATE#326436
+Patch-mainline: v4.16-rc1
+Git-commit: b82378e682d7128a5d26a4c68fa748e13fdd996a
+
+Remove one extraneous level of indentation on an assignment statement.
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Brian King <brking@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ drivers/scsi/ipr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
+index cc0187965eee..e07dd990e585 100644
+--- a/drivers/scsi/ipr.c
++++ b/drivers/scsi/ipr.c
+@@ -9653,8 +9653,8 @@ static int ipr_alloc_cmd_blks(struct ipr_ioa_cfg *ioa_cfg)
+ if (i == 0) {
+ entries_each_hrrq = IPR_NUM_INTERNAL_CMD_BLKS;
+ ioa_cfg->hrrq[i].min_cmd_id = 0;
+- ioa_cfg->hrrq[i].max_cmd_id =
+- (entries_each_hrrq - 1);
++ ioa_cfg->hrrq[i].max_cmd_id =
++ (entries_each_hrrq - 1);
+ } else {
+ entries_each_hrrq =
+ IPR_NUM_BASE_CMD_BLKS/
+--
+2.13.7
+
diff --git a/patches.arch/x86-speculation-l1tf-extend-64bit-swap-file-size-limit b/patches.arch/x86-speculation-l1tf-extend-64bit-swap-file-size-limit
index b282af7a53..31c9979c84 100644
--- a/patches.arch/x86-speculation-l1tf-extend-64bit-swap-file-size-limit
+++ b/patches.arch/x86-speculation-l1tf-extend-64bit-swap-file-size-limit
@@ -19,16 +19,16 @@ Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Joerg Roedel <jroedel@suse.de>
---
- arch/x86/mm/init.c | 10 +++++++++-
+ arch/x86/mm/init.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
-@@ -894,7 +894,15 @@ unsigned long max_swapfile_size(void)
+@@ -893,7 +893,15 @@ unsigned long max_swapfile_size(void)
if (boot_cpu_has_bug(X86_BUG_L1TF)) {
/* Limit the swap file size to MAX_PA/2 for L1TF workaround */
-- pages = min_t(unsigned long, l1tf_pfn_limit(), pages);
+- pages = min_t(unsigned long, l1tf_pfn_limit() + 1, pages);
+ unsigned long l1tf_limit = l1tf_pfn_limit() + 1;
+ /*
+ * We encode swap offsets also with 3 bits below those for pfn
diff --git a/patches.arch/x86-speculation-l1tf-fix-overflow-in-l1tf_pfn_limit-on-32bit.patch b/patches.arch/x86-speculation-l1tf-fix-overflow-in-l1tf_pfn_limit-on-32bit.patch
new file mode 100644
index 0000000000..764aee1138
--- /dev/null
+++ b/patches.arch/x86-speculation-l1tf-fix-overflow-in-l1tf_pfn_limit-on-32bit.patch
@@ -0,0 +1,71 @@
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Mon, 20 Aug 2018 11:58:35 +0200
+Subject: x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
+Git-commit: 9df9516940a61d29aedf4d91b483ca6597e7d480
+Patch-mainline: v4.19-rc1
+References: bsc#1105536
+
+On 32bit PAE kernels on 64bit hardware with enough physical bits,
+l1tf_pfn_limit() will overflow unsigned long. This in turn affects
+max_swapfile_size() and can lead to swapon returning -EINVAL. This has been
+observed in a 32bit guest with 42 bits physical address size, where
+max_swapfile_size() overflows exactly to 1 << 32, thus zero, and produces
+the following warning to dmesg:
+
+[ 6.396845] Truncating oversized swap area, only using 0k out of 2047996k
+
+Fix this by using unsigned long long instead.
+
+Fixes: 17dbca119312 ("x86/speculation/l1tf: Add sysfs reporting for l1tf")
+Fixes: 377eeaa8e11f ("x86/speculation/l1tf: Limit swap file size to MAX_PA/2")
+Reported-by: Dominique Leuenberger <dimstar@suse.de>
+Reported-by: Adrian Schroeter <adrian@suse.de>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Andi Kleen <ak@linux.intel.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180820095835.5298-1-vbabka@suse.cz
+---
+ arch/x86/include/asm/processor.h | 4 ++--
+ arch/x86/mm/init.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/include/asm/processor.h
++++ b/arch/x86/include/asm/processor.h
+@@ -182,9 +182,9 @@ extern const struct seq_operations cpuin
+
+ extern void cpu_detect(struct cpuinfo_x86 *c);
+
+-static inline unsigned long l1tf_pfn_limit(void)
++static inline unsigned long long l1tf_pfn_limit(void)
+ {
+- return BIT(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1;
++ return BIT_ULL(boot_cpu_data.x86_phys_bits - 1 - PAGE_SHIFT) - 1;
+ }
+
+ extern void early_cpu_init(void);
+--- a/arch/x86/mm/init.c
++++ b/arch/x86/mm/init.c
+@@ -893,7 +893,7 @@ unsigned long max_swapfile_size(void)
+
+ if (boot_cpu_has_bug(X86_BUG_L1TF)) {
+ /* Limit the swap file size to MAX_PA/2 for L1TF workaround */
+- unsigned long l1tf_limit = l1tf_pfn_limit() + 1;
++ unsigned long long l1tf_limit = l1tf_pfn_limit() + 1;
+ /*
+ * We encode swap offsets also with 3 bits below those for pfn
+ * which makes the usable limit higher.
+@@ -901,7 +901,7 @@ unsigned long max_swapfile_size(void)
+ #ifdef CONFIG_X86_64
+ l1tf_limit <<= PAGE_SHIFT - SWP_OFFSET_FIRST_BIT;
+ #endif
+- pages = min_t(unsigned long, l1tf_limit, pages);
++ pages = min_t(unsigned long long, l1tf_limit, pages);
+ }
+ return pages;
+ }
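Review bot: In the last inner hunk, `pages = min_t(unsigned long long, l1tf_limit, pages);` compares in 64 bits and then narrows the result back into `pages` without saying why that is safe. The result can never exceed the old `pages`, so nothing is lost, but the next reader will have to work that out again. I would add a comment above it such as `/* compare in 64 bit: l1tf_limit can exceed ULONG_MAX on 32bit PAE; the result is <= pages, so the narrowing is safe */`. A one-line comment on `l1tf_pfn_limit()` noting that it returns `unsigned long long` for the same reason would stop the type from being "simplified" back later. `max_swapfile_size()` starts outside the hunk.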
diff --git a/patches.arch/x86-speculation-l1tf-protect-pae-swap-entries-against-l1tf b/patches.arch/x86-speculation-l1tf-protect-pae-swap-entries-against-l1tf
index 33b63c1b9b..cbaba47bf4 100644
--- a/patches.arch/x86-speculation-l1tf-protect-pae-swap-entries-against-l1tf
+++ b/patches.arch/x86-speculation-l1tf-protect-pae-swap-entries-against-l1tf
@@ -22,8 +22,8 @@ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Joerg Roedel <jroedel@suse.de>
---
- arch/x86/include/asm/pgtable-3level.h | 35 +++++++++++++++++++++++++++++++++--
- arch/x86/mm/init.c | 2 +-
+ arch/x86/include/asm/pgtable-3level.h | 35 ++++++++++++++++++++++++++++++++--
+ arch/x86/mm/init.c | 2 -
2 files changed, 34 insertions(+), 3 deletions(-)
--- a/arch/x86/include/asm/pgtable-3level.h
@@ -84,4 +84,4 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
+#if CONFIG_PGTABLE_LEVELS > 2
l1tf_limit <<= PAGE_SHIFT - SWP_OFFSET_FIRST_BIT;
#endif
- pages = min_t(unsigned long, l1tf_limit, pages);
+ pages = min_t(unsigned long long, l1tf_limit, pages);
diff --git a/patches.drivers/USB-serial-simple-add-Motorola-Tetra-MTP6550-id.patch b/patches.drivers/USB-serial-simple-add-Motorola-Tetra-MTP6550-id.patch
new file mode 100644
index 0000000000..f1f11ada04
--- /dev/null
+++ b/patches.drivers/USB-serial-simple-add-Motorola-Tetra-MTP6550-id.patch
@@ -0,0 +1,133 @@
+From f5fad711c06e652f90f581fc7c2caee327c33d31 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 24 Sep 2018 15:28:10 +0200
+Subject: [PATCH] USB: serial: simple: add Motorola Tetra MTP6550 id
+Git-commit: f5fad711c06e652f90f581fc7c2caee327c33d31
+Patch-mainline: v4.19-rc7
+References: bsc#1051510
+
+Add device-id for the Motorola Tetra radio MTP6550.
+
+Bus 001 Device 004: ID 0cad:9012 Motorola CGISS
+Device Descriptor:
+ bLength 18
+ bDescriptorType 1
+ bcdUSB 2.00
+ bDeviceClass 0 (Defined at Interface level)
+ bDeviceSubClass 0
+ bDeviceProtocol 0
+ bMaxPacketSize0 64
+ idVendor 0x0cad Motorola CGISS
+ idProduct 0x9012
+ bcdDevice 24.16
+ iManufacturer 1 Motorola Solutions, Inc.
+ iProduct 2 TETRA PEI interface
+ iSerial 0
+ bNumConfigurations 1
+ Configuration Descriptor:
+ bLength 9
+ bDescriptorType 2
+ wTotalLength 55
+ bNumInterfaces 2
+ bConfigurationValue 1
+ iConfiguration 3 Generic Serial config
+ bmAttributes 0x80
+ (Bus Powered)
+ MaxPower 500mA
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 0
+ bAlternateSetting 0
+ bNumEndpoints 2
+ bInterfaceClass 255 Vendor Specific Class
+ bInterfaceSubClass 0
+ bInterfaceProtocol 0
+ iInterface 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x81 EP 1 IN
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x01 EP 1 OUT
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 1
+ bAlternateSetting 0
+ bNumEndpoints 2
+ bInterfaceClass 255 Vendor Specific Class
+ bInterfaceSubClass 0
+ bInterfaceProtocol 0
+ iInterface 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x82 EP 2 IN
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x02 EP 2 OUT
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0200 1x 512 bytes
+ bInterval 0
+Device Qualifier (for other device speed):
+ bLength 10
+ bDescriptorType 6
+ bcdUSB 2.00
+ bDeviceClass 0 (Defined at Interface level)
+ bDeviceSubClass 0
+ bDeviceProtocol 0
+ bMaxPacketSize0 64
+ bNumConfigurations 1
+Device Status: 0x0000
+ (Bus Powered)
+
+Reported-by: Hans Hult <hanshult35@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/serial/usb-serial-simple.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c
+index 40864c2bd9dc..4d0273508043 100644
+--- a/drivers/usb/serial/usb-serial-simple.c
++++ b/drivers/usb/serial/usb-serial-simple.c
+@@ -84,7 +84,8 @@ DEVICE(moto_modem, MOTO_IDS);
+
+ /* Motorola Tetra driver */
+ #define MOTOROLA_TETRA_IDS() \
+- { USB_DEVICE(0x0cad, 0x9011) } /* Motorola Solutions TETRA PEI */
++ { USB_DEVICE(0x0cad, 0x9011) }, /* Motorola Solutions TETRA PEI */ \
++ { USB_DEVICE(0x0cad, 0x9012) } /* MTP6550 */
+ DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS);
+
+ /* Novatel Wireless GPS driver */
+--
+2.19.0
+
diff --git a/patches.drivers/USB-yurex-Check-for-truncation-in-yurex_read.patch b/patches.drivers/USB-yurex-Check-for-truncation-in-yurex_read.patch
new file mode 100644
index 0000000000..06151b097a
--- /dev/null
+++ b/patches.drivers/USB-yurex-Check-for-truncation-in-yurex_read.patch
@@ -0,0 +1,41 @@
+From 14427b86837a4baf1c121934c6599bdb67dfa9fc Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Wed, 15 Aug 2018 21:45:37 +0100
+Subject: [PATCH] USB: yurex: Check for truncation in yurex_read()
+Git-commit: 14427b86837a4baf1c121934c6599bdb67dfa9fc
+Patch-mainline: v4.19-rc4
+References: bsc#1051510
+
+snprintf() always returns the full length of the string it could have
+printed, even if it was truncated because the buffer was too small.
+So in case the counter value is truncated, we will over-read from
+in_buffer and over-write to the caller's buffer.
+
+I don't think it's actually possible for this to happen, but in case
+truncation occurs, WARN and return -EIO.
+
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/misc/yurex.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c
+index 1232dd49556d..6d9fd5f64903 100644
+--- a/drivers/usb/misc/yurex.c
++++ b/drivers/usb/misc/yurex.c
+@@ -413,6 +413,9 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count,
+ spin_unlock_irqrestore(&dev->lock, flags);
+ mutex_unlock(&dev->io_mutex);
+
++ if (WARN_ON_ONCE(len >= sizeof(in_buffer)))
++ return -EIO;
++
+ return simple_read_from_buffer(buffer, count, ppos, in_buffer, len);
+ }
+
+--
+2.19.0
+
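Review bot: The added `if (WARN_ON_ONCE(len >= sizeof(in_buffer)))` guard has no comment saying that `len` is the would-be length returned by `snprintf()`, and that is the only reason the test is needed before `len` is used as the copy size. I would put `/* snprintf() returns the untruncated length; never use it as a copy size past in_buffer */` above it. The declaration of `len` is outside the hunk, so the signed/unsigned behaviour of the comparison cannot be confirmed from here. The commit text treats the condition as unreachable; if it can ever be reached, a WARN becomes a panic on hosts running with panic_on_warn, so a plain `return -EIO` with a rate-limited message may be the safer failure mode.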
diff --git a/patches.drivers/scsi-qla2xxx-fix-memory-leak-for-allocating-abort-iocb.patch b/patches.drivers/scsi-qla2xxx-fix-memory-leak-for-allocating-abort-iocb.patch
new file mode 100644
index 0000000000..3d52e46954
--- /dev/null
+++ b/patches.drivers/scsi-qla2xxx-fix-memory-leak-for-allocating-abort-iocb.patch
@@ -0,0 +1,101 @@
+From: Quinn Tran <quinn.tran@cavium.com>
+Date: Thu, 26 Jul 2018 16:34:44 -0700
+Subject: scsi: qla2xxx: Fix memory leak for allocating abort IOCB
+Git-commit: 5e53be8e476a3397ed5383c23376f299555a2b43
+Patch-mainline: v4.18
+References: bsc#1111830
+
+In the case of IOCB QFull, Initiator code can leave behind a stale pointer
+to an SRB structure on the outstanding command array.
+
+Fixes: 82de802ad46e ("scsi: qla2xxx: Preparation for Target MQ.")
+Cc: stable@vger.kernel.org #v4.16+
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/scsi/qla2xxx/qla_iocb.c | 53 +++++++++++++++++++++--------------------
+ 1 file changed, 27 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c
+index a91cca52b5d5..dd93a22fe843 100644
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -2130,34 +2130,11 @@ __qla2x00_alloc_iocbs(struct qla_qpair *qpair, srb_t *sp)
+ req_cnt = 1;
+ handle = 0;
+
+- if (!sp)
+- goto skip_cmd_array;
+-
+- /* Check for room in outstanding command list. */
+- handle = req->current_outstanding_cmd;
+- for (index = 1; index < req->num_outstanding_cmds; index++) {
+- handle++;
+- if (handle == req->num_outstanding_cmds)
+- handle = 1;
+- if (!req->outstanding_cmds[handle])
+- break;
+- }
+- if (index == req->num_outstanding_cmds) {
+- ql_log(ql_log_warn, vha, 0x700b,
+- "No room on outstanding cmd array.\n");
+- goto queuing_error;
+- }
+-
+- /* Prep command array. */
+- req->current_outstanding_cmd = handle;
+- req->outstanding_cmds[handle] = sp;
+- sp->handle = handle;
+-
+- /* Adjust entry-counts as needed. */
+- if (sp->type != SRB_SCSI_CMD)
++ if (sp && (sp->type != SRB_SCSI_CMD)) {
++ /* Adjust entry-counts as needed. */
+ req_cnt = sp->iocbs;
++ }
+
+-skip_cmd_array:
+ /* Check for room on request queue. */
+ if (req->cnt < req_cnt + 2) {
+ if (qpair->use_shadow_reg)
+@@ -2183,6 +2160,28 @@ __qla2x00_alloc_iocbs(struct qla_qpair *qpair, srb_t *sp)
+ if (req->cnt < req_cnt + 2)
+ goto queuing_error;
+
++ if (sp) {
++ /* Check for room in outstanding command list. */
++ handle = req->current_outstanding_cmd;
++ for (index = 1; index < req->num_outstanding_cmds; index++) {
++ handle++;
++ if (handle == req->num_outstanding_cmds)
++ handle = 1;
++ if (!req->outstanding_cmds[handle])
++ break;
++ }
++ if (index == req->num_outstanding_cmds) {
++ ql_log(ql_log_warn, vha, 0x700b,
++ "No room on outstanding cmd array.\n");
++ goto queuing_error;
++ }
++
++ /* Prep command array. */
++ req->current_outstanding_cmd = handle;
++ req->outstanding_cmds[handle] = sp;
++ sp->handle = handle;
++ }
++
+ /* Prep packet */
+ req->cnt -= req_cnt;
+ pkt = req->ring_ptr;
+@@ -2195,6 +2194,8 @@ __qla2x00_alloc_iocbs(struct qla_qpair *qpair, srb_t *sp)
+ pkt->handle = handle;
+ }
+
++ return pkt;
++
+ queuing_error:
+ qpair->tgt_counters.num_alloc_iocb_failed++;
+ return pkt;
+
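Review bot: In the last inner hunk the failure label `queuing_error:` still ends in `return pkt;`, so the error contract relies on `pkt` still being NULL on every path that jumps there. Its initialisation is outside the visible hunks, so this cannot be confirmed from here. Now that the success path has its own `return pkt;`, the label could end in `return NULL;`, which keeps a later edit that assigns `pkt` earlier from handing a half-prepared IOCB back to the caller. A short comment on the moved `if (sp) { ... }` block would also help, for example `/* reserve the outstanding_cmds slot only after the ring has room, so a queue-full exit leaves no stale sp behind */`, because that ordering is the whole fix.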
diff --git a/patches.drivers/scsi-target-prefer-dbroot-of-etc-target-over-var-target b/patches.drivers/scsi-target-prefer-dbroot-of-etc-target-over-var-target
new file mode 100644
index 0000000000..6065e7d69f
--- /dev/null
+++ b/patches.drivers/scsi-target-prefer-dbroot-of-etc-target-over-var-target
@@ -0,0 +1,84 @@
+From: Lee Duncan <lduncan@suse.com>
+Date: Fri, 6 Apr 2018 11:31:41 -0700
+Subject: scsi: target: prefer dbroot of /etc/target over /var/target
+Git-commit: 78a6295c71cb276f8ab0bfc786f3543a4e756a8f
+Patch-mainline: v4.18-rc1
+References: bsc#1111928
+
+The target database root directory, dbroot, has defaulted to /var/target
+for a while, but its main client, targetcli-fb, has been moving it to
+/etc/target for quite some time. With the plethora of target drivers now
+appearing, it has become more difficult to initialize this attribute
+before use by any child drivers.
+
+If the directory /etc/target exists, use that as the DB root. Otherwise,
+fall back to using /var/target.
+
+The ability to override this dbroot attribute still exists via sysfs.
+
+Signed-off-by: Lee Duncan <lduncan@suse.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+---
+ drivers/target/target_core_configfs.c | 25 +++++++++++++++++++++++++
+ drivers/target/target_core_internal.h | 1 +
+ 2 files changed, 26 insertions(+)
+
+--- a/drivers/target/target_core_configfs.c
++++ b/drivers/target/target_core_configfs.c
+@@ -155,6 +155,8 @@ static ssize_t target_core_item_dbroot_s
+
+ mutex_unlock(&g_tf_lock);
+
++ pr_debug("Target_Core_ConfigFS: db_root set to %s\n", db_root);
++
+ return read_bytes;
+ }
+
+@@ -3207,6 +3209,27 @@ void target_setup_backend_cits(struct ta
+ target_core_setup_dev_stat_cit(tb);
+ }
+
++static void target_init_dbroot(void)
++{
++ struct file *fp;
++
++ snprintf(db_root_stage, DB_ROOT_LEN, DB_ROOT_PREFERRED);
++ fp = filp_open(db_root_stage, O_RDONLY, 0);
++ if (IS_ERR(fp)) {
++ pr_err("db_root: cannot open: %s\n", db_root_stage);
++ return;
++ }
++ if (!S_ISDIR(file_inode(fp)->i_mode)) {
++ filp_close(fp, NULL);
++ pr_err("db_root: not a valid directory: %s\n", db_root_stage);
++ return;
++ }
++ filp_close(fp, NULL);
++
++ strncpy(db_root, db_root_stage, DB_ROOT_LEN);
++ pr_debug("Target_Core_ConfigFS: db_root set to %s\n", db_root);
++}
++
+ static int __init target_core_init_configfs(void)
+ {
+ struct configfs_subsystem *subsys = &target_core_fabrics;
+@@ -3287,6 +3310,8 @@ static int __init target_core_init_confi
+ if (ret < 0)
+ goto out;
+
++ target_init_dbroot();
++
+ return 0;
+
+ out:
+--- a/drivers/target/target_core_internal.h
++++ b/drivers/target/target_core_internal.h
+@@ -164,6 +164,7 @@ extern struct se_portal_group xcopy_pt_t
+ /* target_core_configfs.c */
+ #define DB_ROOT_LEN 4096
+ #define DB_ROOT_DEFAULT "/var/target"
++#define DB_ROOT_PREFERRED "/etc/target"
+
+ extern char db_root[];
+
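Review bot: `target_init_dbroot()` writes `db_root_stage` and `db_root` without taking `g_tf_lock`, while the first inner hunk shows the dbroot store path releasing that mutex around the same buffers. If the configfs attribute is already reachable when this runs at the end of `target_core_init_configfs()`, a concurrent store could interleave with it; the registration order is outside the hunk and should be checked. `strncpy(db_root, db_root_stage, DB_ROOT_LEN);` does not guarantee NUL termination, and `snprintf(db_root_stage, DB_ROOT_LEN, DB_ROOT_PREFERRED);` passes the path as the format string. Both are harmless for the constant `/etc/target`, but `snprintf(db_root_stage, DB_ROOT_LEN, "%s", DB_ROOT_PREFERRED);` is the safer shape. A missing `/etc/target` is the documented fallback case, so `pr_err("db_root: cannot open: %s\n", ...)` reports an error on a normal system; `pr_debug` would fit better.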
diff --git a/patches.drivers/stm-Potential-read-overflow-in-stm_char_policy_set_i.patch b/patches.drivers/stm-Potential-read-overflow-in-stm_char_policy_set_i.patch
new file mode 100644
index 0000000000..673dfb565f
--- /dev/null
+++ b/patches.drivers/stm-Potential-read-overflow-in-stm_char_policy_set_i.patch
@@ -0,0 +1,36 @@
+From 71c488f32b071bfb5cfe9ddf682cd2e0c310c75d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 10 Aug 2017 15:45:10 +0300
+Subject: [PATCH] stm: Potential read overflow in stm_char_policy_set_ioctl()
+Git-commit: 71c488f32b071bfb5cfe9ddf682cd2e0c310c75d
+Patch-mainline: v4.14-rc1
+References: bsc#1051510
+
+The "size" variable comes from the user so we need to verify that it's
+large enough to hold an stp_policy_id struct.
+
+Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hwtracing/stm/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
+index 0e731143f6a4..9414900575d8 100644
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -566,7 +566,7 @@ static int stm_char_policy_set_ioctl(struct stm_file *stmf, void __user *arg)
+ if (copy_from_user(&size, arg, sizeof(size)))
+ return -EFAULT;
+
+- if (size >= PATH_MAX + sizeof(*id))
++ if (size < sizeof(*id) || size >= PATH_MAX + sizeof(*id))
+ return -EINVAL;
+
+ /*
+--
+2.19.0
+
diff --git a/patches.drivers/switchtec-Fix-Spectre-v1-vulnerability.patch b/patches.drivers/switchtec-Fix-Spectre-v1-vulnerability.patch
new file mode 100644
index 0000000000..1ff9749515
--- /dev/null
+++ b/patches.drivers/switchtec-Fix-Spectre-v1-vulnerability.patch
@@ -0,0 +1,54 @@
+From 46feb6b495f7628a6dbf36c4e6d80faf378372d4 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Thu, 16 Aug 2018 14:06:46 -0500
+Subject: [PATCH] switchtec: Fix Spectre v1 vulnerability
+Git-commit: 46feb6b495f7628a6dbf36c4e6d80faf378372d4
+Patch-mainline: v4.19-rc4
+References: bsc#1051510
+
+p.port can is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+ drivers/pci/switch/switchtec.c:912 ioctl_port_to_pff() warn: potential spectre issue 'pcfg->dsp_pff_inst_id' [r]
+
+Fix this by sanitizing p.port before using it to index
+pcfg->dsp_pff_inst_id
+
+Notice that given that speculation windows are large, the policy is to kill
+the speculation on the first load and not worry if it can be completed with
+a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Logan Gunthorpe <logang@deltatee.com>
+Cc: stable@vger.kernel.org
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/pci/switch/switchtec.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/switch/switchtec.c
++++ b/drivers/pci/switch/switchtec.c
+@@ -24,6 +24,8 @@
+ #include <linux/cdev.h>
+ #include <linux/wait.h>
+
++#include <linux/nospec.h>
++
+ MODULE_DESCRIPTION("Microsemi Switchtec(tm) PCIe Management Driver");
+ MODULE_VERSION("0.1");
+ MODULE_LICENSE("GPL");
+@@ -1155,6 +1157,8 @@ static int ioctl_port_to_pff(struct swit
+ default:
+ if (p.port > ARRAY_SIZE(pcfg->dsp_pff_inst_id))
+ return -EINVAL;
++ p.port = array_index_nospec(p.port,
++ ARRAY_SIZE(pcfg->dsp_pff_inst_id) + 1);
+ p.pff = ioread32(&pcfg->dsp_pff_inst_id[p.port - 1]);
+ break;
+ }
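Review bot: In the `default:` branch of ioctl_port_to_pff() the clamp is applied to the one-based `p.port` with a bound of `ARRAY_SIZE(pcfg->dsp_pff_inst_id) + 1`, but the load indexes with `p.port - 1`, so the value that was bounded is not the value that indexes the array. For an out-of-range port on a mispredicted path array_index_nospec() yields 0, and 0 minus one is no longer attacker-steered but still falls outside `dsp_pff_inst_id`. Clamping the zero-based index keeps the speculative load inside the array: `p.port = array_index_nospec(p.port - 1, ARRAY_SIZE(pcfg->dsp_pff_inst_id)) + 1;`. The rest of the switch, including how port 0 is handled, lies outside the hunk, so this is a tightening to confirm against the full function rather than a demonstrated leak.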
diff --git a/patches.drivers/usb-gadget-fotg210-udc-Fix-memory-leak-of-fotg210-ep.patch b/patches.drivers/usb-gadget-fotg210-udc-Fix-memory-leak-of-fotg210-ep.patch
new file mode 100644
index 0000000000..250476144c
--- /dev/null
+++ b/patches.drivers/usb-gadget-fotg210-udc-Fix-memory-leak-of-fotg210-ep.patch
@@ -0,0 +1,91 @@
+From c37bd52836296ecc9a0fc8060b819089aebdbcde Mon Sep 17 00:00:00 2001
+From: Anton Vasilyev <vasilyev@ispras.ru>
+Date: Tue, 7 Aug 2018 14:44:48 +0300
+Subject: [PATCH] usb: gadget: fotg210-udc: Fix memory leak of fotg210->ep[i]
+Git-commit: c37bd52836296ecc9a0fc8060b819089aebdbcde
+Patch-mainline: v4.19-rc4
+References: bsc#1051510
+
+There is no deallocation of fotg210->ep[i] elements, allocated at
+fotg210_udc_probe.
+
+The patch adds deallocation of fotg210->ep array elements and simplifies
+error path of fotg210_udc_probe().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/gadget/udc/fotg210-udc.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c
+index 53a48f561458..587c5037ff07 100644
+--- a/drivers/usb/gadget/udc/fotg210-udc.c
++++ b/drivers/usb/gadget/udc/fotg210-udc.c
+@@ -1063,12 +1063,15 @@ static const struct usb_gadget_ops fotg210_gadget_ops = {
+ static int fotg210_udc_remove(struct platform_device *pdev)
+ {
+ struct fotg210_udc *fotg210 = platform_get_drvdata(pdev);
++ int i;
+
+ usb_del_gadget_udc(&fotg210->gadget);
+ iounmap(fotg210->reg);
+ free_irq(platform_get_irq(pdev, 0), fotg210);
+
+ fotg210_ep_free_request(&fotg210->ep[0]->ep, fotg210->ep0_req);
++ for (i = 0; i < FOTG210_MAX_NUM_EP; i++)
++ kfree(fotg210->ep[i]);
+ kfree(fotg210);
+
+ return 0;
+@@ -1099,7 +1102,7 @@ static int fotg210_udc_probe(struct platform_device *pdev)
+ /* initialize udc */
+ fotg210 = kzalloc(sizeof(struct fotg210_udc), GFP_KERNEL);
+ if (fotg210 == NULL)
+- goto err_alloc;
++ goto err;
+
+ for (i = 0; i < FOTG210_MAX_NUM_EP; i++) {
+ _ep[i] = kzalloc(sizeof(struct fotg210_ep), GFP_KERNEL);
+@@ -1111,7 +1114,7 @@ static int fotg210_udc_probe(struct platform_device *pdev)
+ fotg210->reg = ioremap(res->start, resource_size(res));
+ if (fotg210->reg == NULL) {
+ pr_err("ioremap error.\n");
+- goto err_map;
++ goto err_alloc;
+ }
+
+ spin_lock_init(&fotg210->lock);
+@@ -1159,7 +1162,7 @@ static int fotg210_udc_probe(struct platform_device *pdev)
+ fotg210->ep0_req = fotg210_ep_alloc_request(&fotg210->ep[0]->ep,
+ GFP_KERNEL);
+ if (fotg210->ep0_req == NULL)
+- goto err_req;
++ goto err_map;
+
+ fotg210_init(fotg210);
+
+@@ -1187,12 +1190,14 @@ static int fotg210_udc_probe(struct platform_device *pdev)
+ fotg210_ep_free_request(&fotg210->ep[0]->ep, fotg210->ep0_req);
+
+ err_map:
+- if (fotg210->reg)
+- iounmap(fotg210->reg);
++ iounmap(fotg210->reg);
+
+ err_alloc:
++ for (i = 0; i < FOTG210_MAX_NUM_EP; i++)
++ kfree(fotg210->ep[i]);
+ kfree(fotg210);
+
++err:
+ return ret;
+ }
+
+--
+2.19.0
+
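Review bot: In fotg210_udc_remove() the new endpoint frees are appended to a teardown sequence that calls `iounmap(fotg210->reg)` before `free_irq(...)`, so an interrupt arriving between the two would run its handler against unmapped registers, assuming the handler reads `fotg210->reg` (the handler is not in this hunk). Since the patch reworks both teardown paths, it would be worth swapping the two lines so that `free_irq(platform_get_irq(pdev, 0), fotg210);` comes first and `iounmap(fotg210->reg);` second. The probe error labels also changed meaning (err_alloc now frees the endpoints, err_map now unmaps unconditionally), and a one-line comment on each label stating what has been acquired at that point would help later backports. Both functions are only partly visible in these hunks.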
diff --git a/patches.drivers/usb-xhci-mtk-resume-USB3-roothub-first.patch b/patches.drivers/usb-xhci-mtk-resume-USB3-roothub-first.patch
new file mode 100644
index 0000000000..f0cffa531e
--- /dev/null
+++ b/patches.drivers/usb-xhci-mtk-resume-USB3-roothub-first.patch
@@ -0,0 +1,42 @@
+From 555df5820e733cded7eb8d0bf78b2a791be51d75 Mon Sep 17 00:00:00 2001
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Date: Mon, 1 Oct 2018 18:36:08 +0300
+Subject: [PATCH] usb: xhci-mtk: resume USB3 roothub first
+Git-commit: 555df5820e733cded7eb8d0bf78b2a791be51d75
+Patch-mainline: v4.19-rc7
+References: bsc#1051510
+
+Give USB3 devices a better chance to enumerate at USB3 speeds if
+they are connected to a suspended host.
+Porting from "671ffdff5b13 xhci: resume USB 3 roothub first"
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/host/xhci-mtk.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/host/xhci-mtk.c b/drivers/usb/host/xhci-mtk.c
+index 7334da9e9779..71d0d33c3286 100644
+--- a/drivers/usb/host/xhci-mtk.c
++++ b/drivers/usb/host/xhci-mtk.c
+@@ -642,10 +642,10 @@ static int __maybe_unused xhci_mtk_resume(struct device *dev)
+ xhci_mtk_host_enable(mtk);
+
+ xhci_dbg(xhci, "%s: restart port polling\n", __func__);
+- set_bit(HCD_FLAG_POLL_RH, &hcd->flags);
+- usb_hcd_poll_rh_status(hcd);
+ set_bit(HCD_FLAG_POLL_RH, &xhci->shared_hcd->flags);
+ usb_hcd_poll_rh_status(xhci->shared_hcd);
++ set_bit(HCD_FLAG_POLL_RH, &hcd->flags);
++ usb_hcd_poll_rh_status(hcd);
+ return 0;
+ }
+
+--
+2.19.0
+
diff --git a/patches.drivers/xhci-Add-missing-CAS-workaround-for-Intel-Sunrise-Po.patch b/patches.drivers/xhci-Add-missing-CAS-workaround-for-Intel-Sunrise-Po.patch
new file mode 100644
index 0000000000..57522af81a
--- /dev/null
+++ b/patches.drivers/xhci-Add-missing-CAS-workaround-for-Intel-Sunrise-Po.patch
@@ -0,0 +1,38 @@
+From ffe84e01bb1b38c7eb9c6b6da127a6c136d251df Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Mon, 1 Oct 2018 18:36:07 +0300
+Subject: [PATCH] xhci: Add missing CAS workaround for Intel Sunrise Point xHCI
+Git-commit: ffe84e01bb1b38c7eb9c6b6da127a6c136d251df
+Patch-mainline: v4.19-rc7
+References: bsc#1051510
+
+The workaround for missing CAS bit is also needed for xHC on Intel
+sunrisepoint PCH. For more details see:
+
+Intel 100/c230 series PCH specification update Doc #332692-006 Errata #8
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/host/xhci-pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
+index 6372edf339d9..722860eb5a91 100644
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -185,6 +185,8 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
+ }
+ if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
+ (pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI ||
++ pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI ||
++ pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_XHCI ||
+ pdev->device == PCI_DEVICE_ID_INTEL_APL_XHCI ||
+ pdev->device == PCI_DEVICE_ID_INTEL_DNV_XHCI))
+ xhci->quirks |= XHCI_MISSING_CAS;
+--
+2.19.0
+
diff --git a/patches.fixes/aio-fix-io_destroy2-vs.-lookup_ioctx-race.patch b/patches.fixes/aio-fix-io_destroy2-vs.-lookup_ioctx-race.patch
new file mode 100644
index 0000000000..13b80b0a36
--- /dev/null
+++ b/patches.fixes/aio-fix-io_destroy2-vs.-lookup_ioctx-race.patch
@@ -0,0 +1,66 @@
+From baf10564fbb66ea222cae66fbff11c444590ffd9 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun May 20 16:46:23 2018 -0400
+Subject: [PATCH] aio: fix io_destroy(2) vs. lookup_ioctx() race
+Git-commit: baf10564fbb66ea222cae66fbff11c444590ffd9
+References: git-fixes
+Patch-mainline: v4.17-rc7
+
+kill_ioctx() used to have an explicit RCU delay between removing the
+reference from ->ioctx_table and percpu_ref_kill() dropping the refcount.
+At some point that delay had been removed, on the theory that
+percpu_ref_kill() itself contained an RCU delay. Unfortunately, that was
+the wrong kind of RCU delay and it didn't care about rcu_read_lock() used
+by lookup_ioctx(). As the result, we could get ctx freed right under
+lookup_ioctx(). Tejun has fixed that in a6d7cff472e ("fs/aio: Add explicit
+RCU grace period when freeing kioctx"); however, that fix is not enough.
+
+Suppose io_destroy() from one thread races with e.g. io_setup() from another;
+CPU1 removes the reference from current->mm->ioctx_table[...] just as CPU2
+has picked it (under rcu_read_lock()). Then CPU1 proceeds to drop the
+refcount, getting it to 0 and triggering a call of free_ioctx_users(),
+which proceeds to drop the secondary refcount and once that reaches zero
+calls free_ioctx_reqs(). That does
+ INIT_RCU_WORK(&ctx->free_rwork, free_ioctx);
+ queue_rcu_work(system_wq, &ctx->free_rwork);
+and schedules freeing the whole thing after RCU delay.
+
+In the meanwhile CPU2 has gotten around to percpu_ref_get(), bumping the
+refcount from 0 to 1 and returned the reference to io_setup().
+
+Tejun's fix (that queue_rcu_work() in there) guarantees that ctx won't get
+freed until after percpu_ref_get(). Sure, we'd increment the counter before
+ctx can be freed. Now we are out of rcu_read_lock() and there's nothing to
+stop freeing of the whole thing. Unfortunately, CPU2 assumes that since it
+has grabbed the reference, ctx is *NOT* going away until it gets around to
+dropping that reference.
+
+The fix is obvious - use percpu_ref_tryget_live() and treat failure as miss.
+It's not costlier than what we currently do in normal case, it's safe to
+call since freeing *is* delayed and it closes the race window - either
+lookup_ioctx() comes before percpu_ref_kill() (in which case ctx->users
+won't reach 0 until the caller of lookup_ioctx() drops it) or lookup_ioctx()
+fails, ctx->users is unaffected and caller of lookup_ioctx() doesn't see
+the object in question at all.
+
+Cc: stable@kernel.org
+Fixes: a6d7cff472e "fs/aio: Add explicit RCU grace period when freeing kioctx"
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+diff --git a/fs/aio.c b/fs/aio.c
+index 88d7927..8061d97 100644
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1078,8 +1078,8 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id)
+
+ ctx = rcu_dereference(table->table[id]);
+ if (ctx && ctx->user_id == ctx_id) {
+- percpu_ref_get(&ctx->users);
+- ret = ctx;
++ if (percpu_ref_tryget_live(&ctx->users))
++ ret = ctx;
+ }
+ out:
+ rcu_read_unlock();
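Review bot: The switch to `percpu_ref_tryget_live()` in lookup_ioctx() carries no comment at the call site, so the reason for it lives only in the commit message. A short comment above the `if` would keep a later cleanup from turning it back into an unconditional get: `/* A ctx already killed by io_destroy() must read as a miss; tryget_live fails once percpu_ref_kill() has run. */`. lookup_ioctx() starts above the hunk and only its tail is visible here.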
diff --git a/patches.fixes/blkdev_report_zones_ioctl-use-vmalloc-to-allocate-large-buffers.patch b/patches.fixes/blkdev_report_zones_ioctl-use-vmalloc-to-allocate-large-buffers.patch
new file mode 100644
index 0000000000..fe1e1b5bde
--- /dev/null
+++ b/patches.fixes/blkdev_report_zones_ioctl-use-vmalloc-to-allocate-large-buffers.patch
@@ -0,0 +1,69 @@
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Tue, 22 May 2018 08:27:22 -0700
+Subject: blkdev_report_zones_ioctl(): Use vmalloc() to allocate large buffers
+Git-commit: 327ea4adcfa37194739f1ec7c70568944d292281
+Patch-mainline: v4.18-rc1
+References: bsc#1111819
+
+Avoid that complaints similar to the following appear in the kernel log
+if the number of zones is sufficiently large:
+
+ fio: page allocation failure: order:9, mode:0x140c0c0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), nodemask=(null)
+ Call Trace:
+ dump_stack+0x63/0x88
+ warn_alloc+0xf5/0x190
+ __alloc_pages_slowpath+0x8f0/0xb0d
+ __alloc_pages_nodemask+0x242/0x260
+ alloc_pages_current+0x6a/0xb0
+ kmalloc_order+0x18/0x50
+ kmalloc_order_trace+0x26/0xb0
+ __kmalloc+0x20e/0x220
+ blkdev_report_zones_ioctl+0xa5/0x1a0
+ blkdev_ioctl+0x1ba/0x930
+ block_ioctl+0x41/0x50
+ do_vfs_ioctl+0xaa/0x610
+ SyS_ioctl+0x79/0x90
+ do_syscall_64+0x79/0x1b0
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: 3ed05a987e0f ("blk-zoned: implement ioctls")
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Shaun Tancheff <shaun.tancheff@seagate.com>
+Cc: Damien Le Moal <damien.lemoal@hgst.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ block/blk-zoned.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/block/blk-zoned.c b/block/blk-zoned.c
+index 08e84ef2bc05..3d08dc84db16 100644
+--- a/block/blk-zoned.c
++++ b/block/blk-zoned.c
+@@ -328,7 +328,11 @@ int blkdev_report_zones_ioctl(struct block_device *bdev, fmode_t mode,
+ if (!rep.nr_zones)
+ return -EINVAL;
+
+- zones = kcalloc(rep.nr_zones, sizeof(struct blk_zone), GFP_KERNEL);
++ if (rep.nr_zones > INT_MAX / sizeof(struct blk_zone))
++ return -ERANGE;
++
++ zones = kvmalloc(rep.nr_zones * sizeof(struct blk_zone),
++ GFP_KERNEL | __GFP_ZERO);
+ if (!zones)
+ return -ENOMEM;
+
+@@ -350,7 +354,7 @@ int blkdev_report_zones_ioctl(struct block_device *bdev, fmode_t mode,
+ }
+
+ out:
+- kfree(zones);
++ kvfree(zones);
+
+ return ret;
+ }
+
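Review bot: The new guard in blkdev_report_zones_ioctl() bounds `rep.nr_zones` only by `INT_MAX / sizeof(struct blk_zone)`, so a caller-supplied count can still request a zeroed buffer of close to 2 GiB, and kvmalloc() makes such a request more likely to succeed than the kcalloc() it replaces. Clamping `rep.nr_zones` to the number of zones the device can actually report, before the buffer is sized, would tie the allocation to the hardware rather than to the argument; how `rep` is filled is above the hunk, presumably by copy_from_user. The open-coded multiplication could also go through the checked helper, `zones = kvmalloc_array(rep.nr_zones, sizeof(struct blk_zone), GFP_KERNEL | __GFP_ZERO);`, if this tree provides it. The function body extends beyond both hunks.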
diff --git a/patches.fixes/block-bvec_nr_vecs-returns-value-for-wrong-slab.patch b/patches.fixes/block-bvec_nr_vecs-returns-value-for-wrong-slab.patch
new file mode 100644
index 0000000000..bab14b368e
--- /dev/null
+++ b/patches.fixes/block-bvec_nr_vecs-returns-value-for-wrong-slab.patch
@@ -0,0 +1,37 @@
+From: Greg Edwards <gedwards@ddn.com>
+Date: Wed, 8 Aug 2018 13:27:53 -0600
+Subject: block: bvec_nr_vecs() returns value for wrong slab
+Git-commit: d6c02a9beb67f13d5f14f23e72fa9981e8b84477
+Patch-mainline: v4.19-rc1
+References: bsc#1111834
+
+In commit ed996a52c868 ("block: simplify and cleanup bvec pool
+handling"), the value of the slab index is incremented by one in
+bvec_alloc() after the allocation is done to indicate an index value of
+0 does not need to be later freed.
+
+bvec_nr_vecs() was not updated accordingly, and thus returns the wrong
+value. Decrement idx before performing the lookup.
+
+Fixes: ed996a52c868 ("block: simplify and cleanup bvec pool handling")
+Signed-off-by: Greg Edwards <gedwards@ddn.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ block/bio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/bio.c b/block/bio.c
+index b832151cd0bf..04969b392c72 100644
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -158,7 +158,7 @@ static void bio_put_slab(struct bio_set *bs)
+
+ unsigned int bvec_nr_vecs(unsigned short idx)
+ {
+- return bvec_slabs[idx].nr_vecs;
++ return bvec_slabs[--idx].nr_vecs;
+ }
+
+ void bvec_free(mempool_t *pool, struct bio_vec *bv, unsigned int idx)
+
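Review bot: `bvec_slabs[--idx]` in bvec_nr_vecs() wraps when `idx` is 0: `idx` is an `unsigned short`, so the pre-decrement gives 65535 and the read lands far past `bvec_slabs`. The commit message itself describes 0 as a legal stored value meaning nothing needs freeing, so the function should reject it instead of relying on every caller, for example `if (WARN_ON_ONCE(!idx)) return 0;` ahead of `return bvec_slabs[idx - 1].nr_vecs;`. Writing `idx - 1` rather than mutating the parameter also reads more plainly. Callers are not visible here, so whether 0 is reachable today is unconfirmed.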
diff --git a/patches.fixes/ksm-fix-unlocked-iteration-over-vmas-in-cmp_and_merge_page.patch b/patches.fixes/ksm-fix-unlocked-iteration-over-vmas-in-cmp_and_merge_page.patch
new file mode 100644
index 0000000000..fc9e645a91
--- /dev/null
+++ b/patches.fixes/ksm-fix-unlocked-iteration-over-vmas-in-cmp_and_merge_page.patch
@@ -0,0 +1,52 @@
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+Date: Tue, 3 Oct 2017 16:14:27 -0700
+Subject: ksm: fix unlocked iteration over vmas in cmp_and_merge_page()
+Git-commit: 4b22927f0cbd58303aac689e378d20bf56267a39
+Patch-mainline: v4.14-rc4
+References: VM Functionality bsc#1111806
+
+In this place mm is unlocked, so vmas or list may change. Down read
+mmap_sem to protect them from modifications.
+
+Link: http://lkml.kernel.org/r/150512788393.10691.8868381099691121308.stgit@localhost.localdomain
+Fixes: e86c59b1b12d ("mm/ksm: improve deduplication of zero pages with colouring")
+Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: zhong jiang <zhongjiang@huawei.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
+Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+---
+ mm/ksm.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/ksm.c
++++ b/mm/ksm.c
+@@ -1436,6 +1436,7 @@ static void stable_tree_append(struct rm
+ */
+ static void cmp_and_merge_page(struct page *page, struct rmap_item *rmap_item)
+ {
++ struct mm_struct *mm = rmap_item->mm;
+ struct rmap_item *tree_rmap_item;
+ struct page *tree_page = NULL;
+ struct stable_node *stable_node;
+@@ -1500,9 +1501,11 @@ static void cmp_and_merge_page(struct pa
+ if (ksm_use_zero_pages && (checksum == zero_checksum)) {
+ struct vm_area_struct *vma;
+
+- vma = find_mergeable_vma(rmap_item->mm, rmap_item->address);
++ down_read(&mm->mmap_sem);
++ vma = find_mergeable_vma(mm, rmap_item->address);
+ err = try_to_merge_one_page(vma, page,
+ ZERO_PAGE(rmap_item->address));
++ up_read(&mm->mmap_sem);
+ /*
+ * In case of failure, the page was not really empty, so we
+ * need to continue. Otherwise we're done.
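Review bot: The result of `find_mergeable_vma()` is passed straight to `try_to_merge_one_page()` inside the new `down_read()`/`up_read()` pair with no NULL check, and the commit message says the vmas can change, which suggests the lookup can miss. Whether try_to_merge_one_page() tolerates a NULL vma is not visible in this hunk, so guarding the call with `if (vma)` and choosing an explicit `err` value for the miss would make the locked region safe on its own. cmp_and_merge_page() continues on both sides of the hunk.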
diff --git a/patches.fixes/mm-fix-bug_on-in-vmf_insert_pfn_pud-from-vm_mixedmap-removal.patch b/patches.fixes/mm-fix-bug_on-in-vmf_insert_pfn_pud-from-vm_mixedmap-removal.patch
new file mode 100644
index 0000000000..956c406175
--- /dev/null
+++ b/patches.fixes/mm-fix-bug_on-in-vmf_insert_pfn_pud-from-vm_mixedmap-removal.patch
@@ -0,0 +1,51 @@
+From: Dave Jiang <dave.jiang@intel.com>
+Date: Tue, 4 Sep 2018 15:46:16 -0700
+Subject: mm: fix BUG_ON() in vmf_insert_pfn_pud() from VM_MIXEDMAP removal
+Git-commit: 62ec0d8c4f332dedf19d6fad15ddea639044d5fe
+Patch-mainline: v4.19-rc3
+References: bsc#1111841
+
+It looks like I missed the PUD path when doing VM_MIXEDMAP removal.
+This can be triggered by:
+1. Boot with memmap=4G!8G
+2. build ndctl with destructive flag on
+3. make TESTS=device-dax check
+
+[ +0.000675] kernel BUG at mm/huge_memory.c:824!
+
+Applying the same change that was applied to vmf_insert_pfn_pmd() in the
+original patch.
+
+Link: http://lkml.kernel.org/r/153565957352.35524.1005746906902065126.stgit@djiang5-desk3.ch.intel.com
+Fixes: e1fb4a08649 ("dax: remove VM_MIXEDMAP for fsdax and device dax")
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Reported-by: Vishal Verma <vishal.l.verma@intel.com>
+Tested-by: Vishal Verma <vishal.l.verma@intel.com>
+Acked-by: Jeff Moyer <jmoyer@redhat.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ mm/huge_memory.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/huge_memory.c b/mm/huge_memory.c
+index c3bc7e9c9a2a..533f9b00147d 100644
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -821,11 +821,11 @@ vm_fault_t vmf_insert_pfn_pud(struct vm_area_struct *vma, unsigned long addr,
+ * but we need to be consistent with PTEs and architectures that
+ * can't support a 'special' bit.
+ */
+- BUG_ON(!(vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)));
++ BUG_ON(!(vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) &&
++ !pfn_t_devmap(pfn));
+ BUG_ON((vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) ==
+ (VM_PFNMAP|VM_MIXEDMAP));
+ BUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));
+- BUG_ON(!pfn_t_devmap(pfn));
+
+ if (addr < vma->vm_start || addr >= vma->vm_end)
+ return VM_FAULT_SIGBUS;
+
diff --git a/patches.fixes/ovl-Sync-upper-dirty-data-when-syncing-overlayfs.patch b/patches.fixes/ovl-Sync-upper-dirty-data-when-syncing-overlayfs.patch
new file mode 100644
index 0000000000..173cf3670b
--- /dev/null
+++ b/patches.fixes/ovl-Sync-upper-dirty-data-when-syncing-overlayfs.patch
@@ -0,0 +1,61 @@
+From e8d4bfe3a71537284a90561f77c85dea6c154369 Mon Sep 17 00:00:00 2001
+From: Chengguang Xu <cgxu@mykernel.net>
+Date: Wed Nov 29 10:01:32 2017 +0800
+Subject: [PATCH] ovl: Sync upper dirty data when syncing overlayfs
+Git-commit: e8d4bfe3a71537284a90561f77c85dea6c154369
+References: git-fixes
+Patch-mainline: v4.15-rc4
+
+When executing filesystem sync or umount on overlayfs,
+dirty data does not get synced as expected on upper filesystem.
+This patch fixes sync filesystem method to keep data consistency
+for overlayfs.
+
+Signed-off-by: Chengguang Xu <cgxu@mykernel.net>
+Fixes: e593b2bf513d ("ovl: properly implement sync_filesystem()")
+Cc: <stable@vger.kernel.org> #4.11
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+---
+ fs/overlayfs/super.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -183,6 +183,7 @@ static void ovl_put_super(struct super_b
+ kfree(ufs);
+ }
+
++/* Sync real dirty inodes in upper filesystem (if it exists) */
+ static int ovl_sync_fs(struct super_block *sb, int wait)
+ {
+ struct ovl_fs *ufs = sb->s_fs_info;
+@@ -191,14 +192,24 @@ static int ovl_sync_fs(struct super_bloc
+
+ if (!ufs->upper_mnt)
+ return 0;
+- upper_sb = ufs->upper_mnt->mnt_sb;
+- if (!upper_sb->s_op->sync_fs)
++ /*
++ * If this is a sync(2) call or an emergency sync, all the super blocks
++ * will be iterated, including upper_sb, so no need to do anything.
++ *
++ * If this is a syncfs(2) call, then we do need to call
++ * sync_filesystem() on upper_sb, but enough if we do it when being
++ * called with wait == 1.
++ */
++ if (!wait)
+ return 0;
+
+ /* real inodes have already been synced by sync_filesystem(ovl_sb) */
++ upper_sb = ufs->upper_mnt->mnt_sb;
++
+ down_read(&upper_sb->s_umount);
+- ret = upper_sb->s_op->sync_fs(upper_sb, wait);
++ ret = sync_filesystem(upper_sb);
+ up_read(&upper_sb->s_umount);
++
+ return ret;
+ }
+
diff --git a/patches.fixes/ovl-fix-format-of-setxattr-debug.patch b/patches.fixes/ovl-fix-format-of-setxattr-debug.patch
new file mode 100644
index 0000000000..a72cc9c48f
--- /dev/null
+++ b/patches.fixes/ovl-fix-format-of-setxattr-debug.patch
@@ -0,0 +1,34 @@
+From 1a8f8d2a443ef9ad9a3065ba8c8119df714240fa Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Thu Oct 4 14:49:10 2018 +0200
+Subject: [PATCH] ovl: fix format of setxattr debug
+Git-commit: 1a8f8d2a443ef9ad9a3065ba8c8119df714240fa
+References: git-fixes
+Patch-mainline: v4.19-rc7
+
+Format has a typo: it was meant to be "%.*s", not "%*s". But at some point
+callers grew nonprintable values as well, so use "%*pE" instead with a
+maximized length.
+
+Reported-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 3a1e819b4e80 ("ovl: store file handle of lower inode on copy up")
+Cc: <stable@vger.kernel.org> # v4.12
+Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
+index f61839e..a3c0d95 100644
+
+--- a/fs/overlayfs/overlayfs.h
++++ b/fs/overlayfs/overlayfs.h
+@@ -152,8 +152,8 @@ static inline int ovl_do_setxattr(struct dentry *dentry, const char *name,
+ const void *value, size_t size, int flags)
+ {
+ int err = vfs_setxattr(dentry, name, value, size, flags);
+- pr_debug("setxattr(%pd2, \"%s\", \"%*s\", 0x%x) = %i\n",
+- dentry, name, (int) size, (char *) value, flags, err);
++ pr_debug("setxattr(%pd2, \"%s\", \"%*pE\", %zu, 0x%x) = %i\n",
++ dentry, name, min((int)size, 48), value, size, flags, err);
+ return err;
+ }
+
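Review bot: In ovl_do_setxattr() the length is narrowed with `(int)size` before `min()`, so a `size` above INT_MAX would turn negative and win the comparison; bounding first avoids depending on callers to keep `size` small: `(int)min_t(size_t, size, 48)`. The literal 48 would read better as a named constant with a comment saying it caps how much of an xattr value is copied into the debug log. The commit message notes that callers now pass nonprintable values, so keeping that cap visible at the call site is worthwhile.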
diff --git a/patches.fixes/proc-restrict-kernel-stack-dumps-to-root.patch b/patches.fixes/proc-restrict-kernel-stack-dumps-to-root.patch
new file mode 100644
index 0000000000..11036df88c
--- /dev/null
+++ b/patches.fixes/proc-restrict-kernel-stack-dumps-to-root.patch
@@ -0,0 +1,73 @@
+From f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri Oct 5 15:51:58 2018 -0700
+Subject: [PATCH] proc: restrict kernel stack dumps to root
+Git-commit: f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7
+References: git-fixes
+Patch-mainline: v4.19-rc7
+
+Currently, you can use /proc/self/task/*/stack to cause a stack walk on
+a task you control while it is running on another CPU. That means that
+the stack can change under the stack walker. The stack walker does
+have guards against going completely off the rails and into random
+kernel memory, but it can interpret random data from your kernel stack
+as instruction pointers and stack pointers. This can cause exposure of
+kernel stack contents to userspace.
+
+Restrict the ability to inspect kernel stacks of arbitrary tasks to root
+in order to prevent a local attacker from exploiting racy stack unwinding
+to leak kernel task stack contents. See the added comment for a longer
+rationale.
+
+There don't seem to be any users of this userspace API that can't
+gracefully bail out if reading from the file fails. Therefore, I believe
+that this change is unlikely to break things. In the case that this patch
+does end up needing a revert, the next-best solution might be to fake a
+single-entry stack based on wchan.
+
+Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com
+Fixes: 2ec220e27f50 ("proc: add /proc/*/stack")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Ken Chen <kenchen@google.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Laura Abbott <labbott@redhat.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+---
+ fs/proc/base.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -428,6 +428,20 @@ static int proc_pid_stack(struct seq_fil
+ int err;
+ int i;
+
++ /*
++ * The ability to racily run the kernel stack unwinder on a running task
++ * and then observe the unwinder output is scary; while it is useful for
++ * debugging kernel issues, it can also allow an attacker to leak kernel
++ * stack contents.
++ * Doing this in a manner that is at least safe from races would require
++ * some work to ensure that the remote task can not be scheduled; and
++ * even then, this would still expose the unwinder as local attack
++ * surface.
++ * Therefore, this interface is restricted to root.
++ */
++ if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN))
++ return -EACCES;
++
+ entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL);
+ if (!entries)
+ return -ENOMEM;
diff --git a/patches.fixes/sock_diag-fix-use-after-free-read-in-__sk_free.patch b/patches.fixes/sock_diag-fix-use-after-free-read-in-__sk_free.patch
new file mode 100644
index 0000000000..609b7303dd
--- /dev/null
+++ b/patches.fixes/sock_diag-fix-use-after-free-read-in-__sk_free.patch
@@ -0,0 +1,119 @@
+From 9709020c86f6bf8439ca3effc58cfca49a5de192 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 18 May 2018 04:47:55 -0700
+Subject: [PATCH] sock_diag: fix use-after-free read in __sk_free
+Git-commit: 9709020c86f6bf8439ca3effc58cfca49a5de192
+Patch-mainline: v4.17-rc7
+References: bsc#1051510
+
+We must not call sock_diag_has_destroy_listeners(sk) on a socket
+that has no reference on net structure.
+
+Bug: KASAN: use-after-free in sock_diag_has_destroy_listeners include/linux/sock_diag.h:75 [inline]
+Bug: KASAN: use-after-free in __sk_free+0x329/0x340 net/core/sock.c:1609
+Read of size 8 at addr ffff88018a02e3a0 by task swapper/1/0
+
+Cpu: 1 PID: 0 Comm: swapper/1 Not tainted 4.17.0-rc5+ #54
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
+ sock_diag_has_destroy_listeners include/linux/sock_diag.h:75 [inline]
+ __sk_free+0x329/0x340 net/core/sock.c:1609
+ sk_free+0x42/0x50 net/core/sock.c:1623
+ sock_put include/net/sock.h:1664 [inline]
+ reqsk_free include/net/request_sock.h:116 [inline]
+ reqsk_put include/net/request_sock.h:124 [inline]
+ inet_csk_reqsk_queue_drop_and_put net/ipv4/inet_connection_sock.c:672 [inline]
+ reqsk_timer_handler+0xe27/0x10e0 net/ipv4/inet_connection_sock.c:739
+ call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
+ expire_timers kernel/time/timer.c:1363 [inline]
+ __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
+ run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
+ __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
+ invoke_softirq kernel/softirq.c:365 [inline]
+ irq_exit+0x1d1/0x200 kernel/softirq.c:405
+ exiting_irq arch/x86/include/asm/apic.h:525 [inline]
+ smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
+ </IRQ>
+Rip: 0010:native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:54
+Rsp: 0018:ffff8801d9ae7c38 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
+Rax: dffffc0000000000 RBX: 1ffff1003b35cf8a RCX: 0000000000000000
+Rdx: 1ffffffff11a30d0 RSI: 0000000000000001 RDI: ffffffff88d18680
+Rbp: ffff8801d9ae7c38 R08: ffffed003b5e46c3 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
+R13: ffff8801d9ae7cf0 R14: ffffffff897bef20 R15: 0000000000000000 arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline] default_idle+0xc2/0x440 arch/x86/kernel/process.c:354 arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:345 default_idle_call+0x6d/0x90 kernel/sched/idle.c:93 cpuidle_idle_call kernel/sched/idle.c:153 [inline] do_idle+0x395/0x560 kernel/sched/idle.c:262 cpu_startup_entry+0x104/0x120 kernel/sched/idle.c:368 start_secondary+0x426/0x5b0 arch/x86/kernel/smpboot.c:269 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:242
+
+Allocated by task 4557:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
+ kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
+ kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
+ kmem_cache_zalloc include/linux/slab.h:691 [inline]
+ net_alloc net/core/net_namespace.c:383 [inline]
+ copy_net_ns+0x159/0x4c0 net/core/net_namespace.c:423
+ create_new_namespaces+0x69d/0x8f0 kernel/nsproxy.c:107
+ unshare_nsproxy_namespaces+0xc3/0x1f0 kernel/nsproxy.c:206
+ ksys_unshare+0x708/0xf90 kernel/fork.c:2408
+ __do_sys_unshare kernel/fork.c:2476 [inline]
+ __se_sys_unshare kernel/fork.c:2474 [inline]
+ __x64_sys_unshare+0x31/0x40 kernel/fork.c:2474
+ do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 69:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
+ kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
+ __cache_free mm/slab.c:3498 [inline]
+ kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
+ net_free net/core/net_namespace.c:399 [inline]
+ net_drop_ns.part.14+0x11a/0x130 net/core/net_namespace.c:406
+ net_drop_ns net/core/net_namespace.c:405 [inline]
+ cleanup_net+0x6a1/0xb20 net/core/net_namespace.c:541
+ process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
+ worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
+ kthread+0x345/0x410 kernel/kthread.c:240
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
+
+The buggy address belongs to the object at ffff88018a02c140
+ which belongs to the cache net_namespace of size 8832
+The buggy address is located 8800 bytes inside of
+ 8832-byte region [ffff88018a02c140, ffff88018a02e3c0)
+The buggy address belongs to the page:
+page:ffffea0006280b00 count:1 mapcount:0 mapping:ffff88018a02c140 index:0x0 compound_mapcount: 0
+Flags: 0x2fffc0000008100(slab|head)
+Raw: 02fffc0000008100 ffff88018a02c140 0000000000000000 0000000100000001
+Raw: ffffea00062a1320 ffffea0006268020 ffff8801d9bdde40 0000000000000000
+page dumped because: kasan: bad access detected
+
+Fixes: b922622ec6ef ("sock_diag: don't broadcast kernel sockets")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Craig Gallek <kraig@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/core/sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1556,7 +1556,7 @@ void sk_destruct(struct sock *sk)
+
+ static void __sk_free(struct sock *sk)
+ {
+- if (unlikely(sock_diag_has_destroy_listeners(sk) && sk->sk_net_refcnt))
++ if (unlikely(sk->sk_net_refcnt && sock_diag_has_destroy_listeners(sk)))
+ sock_diag_broadcast_destroy(sk);
+ else
+ sk_destruct(sk);
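Review bot: The reordered condition in `__sk_free()` carries no comment saying that the operand order is the fix, so a later tidy-up could swap the two tests back without noticing. The description and the KASAN report (a freed `net_namespace` object read through `sock_diag_has_destroy_listeners`) are the only record of why `sk->sk_net_refcnt` has to be tested first. I would add above the `if`: `/* test sk_net_refcnt first: without a net reference, sock_diag_has_destroy_listeners() reads a struct net that may already be freed */`. The rest of `__sk_free()` lies outside the hunk.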
diff --git a/patches.fixes/squashfs-more-metadata-hardening2.patch b/patches.fixes/squashfs-more-metadata-hardening2.patch
new file mode 100644
index 0000000000..7e02521cb4
--- /dev/null
+++ b/patches.fixes/squashfs-more-metadata-hardening2.patch
@@ -0,0 +1,102 @@
+From 71755ee5350b63fb1f283de8561cdb61b47f4d1d Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 2 Aug 2018 08:43:35 -0700
+Subject: [PATCH] squashfs: more metadata hardening
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 71755ee5350b63fb1f283de8561cdb61b47f4d1d
+Patch-mainline: v4.18-rc8
+References: bsc#1051510
+
+The squashfs fragment reading code doesn't actually verify that the
+fragment is inside the fragment table. The end result _is_ verified to
+be inside the image when actually reading the fragment data, but before
+that is done, we may end up taking a page fault because the fragment
+table itself might not even exist.
+
+Another report from Anatoly and his endless squashfs image fuzzing.
+
+Reported-by: Анатолий Тросиненко <anatoly.trosinenko@gmail.com>
+Acked-by:: Phillip Lougher <phillip.lougher@gmail.com>,
+
+Cc: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/squashfs/fragment.c | 13 +++++++++----
+ fs/squashfs/squashfs_fs_sb.h | 1 +
+ fs/squashfs/super.c | 5 +++--
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/fs/squashfs/fragment.c b/fs/squashfs/fragment.c
+index 86ad9a4b8c36..0681feab4a84 100644
+--- a/fs/squashfs/fragment.c
++++ b/fs/squashfs/fragment.c
+@@ -49,11 +49,16 @@ int squashfs_frag_lookup(struct super_block *sb, unsigned int fragment,
+ u64 *fragment_block)
+ {
+ struct squashfs_sb_info *msblk = sb->s_fs_info;
+- int block = SQUASHFS_FRAGMENT_INDEX(fragment);
+- int offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment);
+- u64 start_block = le64_to_cpu(msblk->fragment_index[block]);
++ int block, offset, size;
+ struct squashfs_fragment_entry fragment_entry;
+- int size;
++ u64 start_block;
++
++ if (fragment >= msblk->fragments)
++ return -EIO;
++ block = SQUASHFS_FRAGMENT_INDEX(fragment);
++ offset = SQUASHFS_FRAGMENT_INDEX_OFFSET(fragment);
++
++ start_block = le64_to_cpu(msblk->fragment_index[block]);
+
+ size = squashfs_read_metadata(sb, &fragment_entry, &start_block,
+ &offset, sizeof(fragment_entry));
+diff --git a/fs/squashfs/squashfs_fs_sb.h b/fs/squashfs/squashfs_fs_sb.h
+index 1da565cb50c3..ef69c31947bf 100644
+--- a/fs/squashfs/squashfs_fs_sb.h
++++ b/fs/squashfs/squashfs_fs_sb.h
+@@ -75,6 +75,7 @@ struct squashfs_sb_info {
+ unsigned short block_log;
+ long long bytes_used;
+ unsigned int inodes;
++ unsigned int fragments;
+ int xattr_ids;
+ };
+ #endif
+diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c
+index 8a73b97217c8..40e657386fa5 100644
+--- a/fs/squashfs/super.c
++++ b/fs/squashfs/super.c
+@@ -175,6 +175,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
+ msblk->inode_table = le64_to_cpu(sblk->inode_table_start);
+ msblk->directory_table = le64_to_cpu(sblk->directory_table_start);
+ msblk->inodes = le32_to_cpu(sblk->inodes);
++ msblk->fragments = le32_to_cpu(sblk->fragments);
+ flags = le16_to_cpu(sblk->flags);
+
+ TRACE("Found valid superblock on %pg\n", sb->s_bdev);
+@@ -185,7 +186,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
+ TRACE("Filesystem size %lld bytes\n", msblk->bytes_used);
+ TRACE("Block size %d\n", msblk->block_size);
+ TRACE("Number of inodes %d\n", msblk->inodes);
+- TRACE("Number of fragments %d\n", le32_to_cpu(sblk->fragments));
++ TRACE("Number of fragments %d\n", msblk->fragments);
+ TRACE("Number of ids %d\n", le16_to_cpu(sblk->no_ids));
+ TRACE("sblk->inode_table_start %llx\n", msblk->inode_table);
+ TRACE("sblk->directory_table_start %llx\n", msblk->directory_table);
+@@ -272,7 +273,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent)
+ sb->s_export_op = &squashfs_export_ops;
+
+ handle_fragments:
+- fragments = le32_to_cpu(sblk->fragments);
++ fragments = msblk->fragments;
+ if (fragments == 0)
+ goto check_directory_table;
+
+--
+2.19.0
+
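Review bot: The new guard `if (fragment >= msblk->fragments)` in `squashfs_frag_lookup()` bounds the index by a count that `squashfs_fill_super()` copies from the superblock (`msblk->fragments = le32_to_cpu(sblk->fragments)`), so the limit is itself supplied by the image. It protects `msblk->fragment_index[block]` only if the index table was read and sized for that same count, and that code is outside these hunks. I would record the dependency above the check, e.g. `/* msblk->fragments must be the count the fragment_index table was read with */`. Separately, `TRACE("Number of fragments %d\n", msblk->fragments)` now prints an `unsigned int` with `%d`; `%u` matches the new field.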
diff --git a/patches.fixes/sysfs-Do-not-return-POSIX-ACL-xattrs-via-listxattr.patch b/patches.fixes/sysfs-Do-not-return-POSIX-ACL-xattrs-via-listxattr.patch
new file mode 100644
index 0000000000..f287440baf
--- /dev/null
+++ b/patches.fixes/sysfs-Do-not-return-POSIX-ACL-xattrs-via-listxattr.patch
@@ -0,0 +1,62 @@
+From ffc4c92227db5699493e43eb140b4cb5904c30ff Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Tue Sep 18 00:36:36 2018 -0400
+Subject: [PATCH] sysfs: Do not return POSIX ACL xattrs via listxattr
+Git-commit: ffc4c92227db5699493e43eb140b4cb5904c30ff
+References: git-fixes
+Patch-mainline: v4.19-rc7
+
+Commit 786534b92f3c introduced a regression that caused listxattr to
+return the POSIX ACL attribute names even though sysfs doesn't support
+POSIX ACLs. This happens because simple_xattr_list checks for NULL
+i_acl / i_default_acl, but inode_init_always initializes those fields
+to ACL_NOT_CACHED ((void *)-1). For example:
+ $ getfattr -m- -d /sys
+ /sys: system.posix_acl_access: Operation not supported
+ /sys: system.posix_acl_default: Operation not supported
+Fix this in simple_xattr_list by checking if the filesystem supports POSIX ACLs.
+
+Fixes: 786534b92f3c ("tmpfs: listxattr should include POSIX ACL xattrs")
+Reported-by: Marc Aurèle La France <tsi@tuyoix.net>
+Tested-by: Marc Aurèle La France <tsi@tuyoix.net>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Cc: stable@vger.kernel.org # v4.5+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+diff --git a/fs/xattr.c b/fs/xattr.c
+index daa7325..0d6a6a4 100644
+
+--- a/fs/xattr.c
++++ b/fs/xattr.c
+@@ -948,17 +948,19 @@ ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs,
+ int err = 0;
+
+ #ifdef CONFIG_FS_POSIX_ACL
+- if (inode->i_acl) {
+- err = xattr_list_one(&buffer, &remaining_size,
+- XATTR_NAME_POSIX_ACL_ACCESS);
+- if (err)
+- return err;
+- }
+- if (inode->i_default_acl) {
+- err = xattr_list_one(&buffer, &remaining_size,
+- XATTR_NAME_POSIX_ACL_DEFAULT);
+- if (err)
+- return err;
++ if (IS_POSIXACL(inode)) {
++ if (inode->i_acl) {
++ err = xattr_list_one(&buffer, &remaining_size,
++ XATTR_NAME_POSIX_ACL_ACCESS);
++ if (err)
++ return err;
++ }
++ if (inode->i_default_acl) {
++ err = xattr_list_one(&buffer, &remaining_size,
++ XATTR_NAME_POSIX_ACL_DEFAULT);
++ if (err)
++ return err;
++ }
+ }
+ #endif
+
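Review bot: Inside the new `IS_POSIXACL(inode)` block the tests are still `if (inode->i_acl)` and `if (inode->i_default_acl)`, while the description says `inode_init_always` sets both fields to `ACL_NOT_CACHED ((void *)-1)`, which is non-NULL. On an ACL-capable filesystem whose fields were never populated, the two names would presumably still be listed. Whether any user of `simple_xattr_list()` can reach that state is not visible here. Either compare explicitly against `ACL_NOT_CACHED`, or state the assumption in a comment such as `/* callers must have replaced ACL_NOT_CACHED in i_acl/i_default_acl before listing */`. The function continues outside the hunk.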
diff --git a/patches.fixes/team-Forbid-enslaving-team-device-to-itself.patch b/patches.fixes/team-Forbid-enslaving-team-device-to-itself.patch
new file mode 100644
index 0000000000..c3ea617c38
--- /dev/null
+++ b/patches.fixes/team-Forbid-enslaving-team-device-to-itself.patch
@@ -0,0 +1,125 @@
+From 471b83bd8bbe4e89743683ef8ecb78f7029d8288 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Mon, 1 Oct 2018 12:21:59 +0300
+Subject: [PATCH] team: Forbid enslaving team device to itself
+Git-commit: 471b83bd8bbe4e89743683ef8ecb78f7029d8288
+Patch-mainline: v4.19-rc7
+References: bsc#1051510
+
+team's ndo_add_slave() acquires 'team->lock' and later tries to open the
+newly enslaved device via dev_open(). This emits a 'NETDEV_UP' event
+that causes the VLAN driver to add VLAN 0 on the team device. team's
+ndo_vlan_rx_add_vid() will also try to acquire 'team->lock' and
+deadlock.
+
+Fix this by checking early at the enslavement function that a team
+device is not being enslaved to itself.
+
+A similar check was added to the bond driver in commit 09a89c219baf
+("bonding: disallow enslaving a bond to itself").
+
+Warning: possible recursive locking detected
+4.18.0-rc7+ #176 Not tainted
+
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+--------------------------------------------
+syz-executor4/6391 is trying to acquire lock:
+(____ptrval____) (&team->lock){+.+.}, at: team_vlan_rx_add_vid+0x3b/0x1e0 drivers/net/team/team.c:1868
+
+but task is already holding lock:
+(____ptrval____) (&team->lock){+.+.}, at: team_add_slave+0xdb/0x1c30 drivers/net/team/team.c:1947
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&team->lock);
+ lock(&team->lock);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+2 locks held by syz-executor4/6391:
+ #0: (____ptrval____) (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:77 [inline]
+ #0: (____ptrval____) (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x412/0xc30 net/core/rtnetlink.c:4662
+ #1: (____ptrval____) (&team->lock){+.+.}, at: team_add_slave+0xdb/0x1c30 drivers/net/team/team.c:1947
+
+stack backtrace:
+CPU: 1 PID: 6391 Comm: syz-executor4 Not tainted 4.18.0-rc7+ #176
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
+ print_deadlock_bug kernel/locking/lockdep.c:1765 [inline]
+ check_deadlock kernel/locking/lockdep.c:1809 [inline]
+ validate_chain kernel/locking/lockdep.c:2405 [inline]
+ __lock_acquire.cold.64+0x1fb/0x486 kernel/locking/lockdep.c:3435
+ lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
+ __mutex_lock_common kernel/locking/mutex.c:757 [inline]
+ __mutex_lock+0x176/0x1820 kernel/locking/mutex.c:894
+ mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:909
+ team_vlan_rx_add_vid+0x3b/0x1e0 drivers/net/team/team.c:1868
+ vlan_add_rx_filter_info+0x14a/0x1d0 net/8021q/vlan_core.c:210
+ __vlan_vid_add net/8021q/vlan_core.c:278 [inline]
+ vlan_vid_add+0x63e/0x9d0 net/8021q/vlan_core.c:308
+ vlan_device_event.cold.12+0x2a/0x2f net/8021q/vlan.c:381
+ notifier_call_chain+0x180/0x390 kernel/notifier.c:93
+ __raw_notifier_call_chain kernel/notifier.c:394 [inline]
+ raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
+ call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1735
+ call_netdevice_notifiers net/core/dev.c:1753 [inline]
+ dev_open+0x173/0x1b0 net/core/dev.c:1433
+ team_port_add drivers/net/team/team.c:1219 [inline]
+ team_add_slave+0xa8b/0x1c30 drivers/net/team/team.c:1948
+ do_set_master+0x1c9/0x220 net/core/rtnetlink.c:2248
+ do_setlink+0xba4/0x3e10 net/core/rtnetlink.c:2382
+ rtnl_setlink+0x2a9/0x400 net/core/rtnetlink.c:2636
+ rtnetlink_rcv_msg+0x46e/0xc30 net/core/rtnetlink.c:4665
+ netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2455
+ rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:4683
+ netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
+ netlink_unicast+0x5a0/0x760 net/netlink/af_netlink.c:1343
+ netlink_sendmsg+0xa18/0xfd0 net/netlink/af_netlink.c:1908
+ sock_sendmsg_nosec net/socket.c:642 [inline]
+ sock_sendmsg+0xd5/0x120 net/socket.c:652
+ ___sys_sendmsg+0x7fd/0x930 net/socket.c:2126
+ __sys_sendmsg+0x11d/0x290 net/socket.c:2164
+ __do_sys_sendmsg net/socket.c:2173 [inline]
+ __se_sys_sendmsg net/socket.c:2171 [inline]
+ __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2171
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x456b29
+Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f9706bf8c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f9706bf96d4 RCX: 0000000000456b29
+RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000004
+RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000004d3548 R14: 00000000004c8227 R15: 0000000000000000
+
+Fixes: 87002b03baab ("net: introduce vlan_vid_[add/del] and use them instead of direct [add/kill]_vid ndo calls")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-and-tested-by: syzbot+bd051aba086537515cdb@syzkaller.appspotmail.com
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/team/team.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1165,6 +1165,11 @@ static int team_port_add(struct team *te
+ return -EBUSY;
+ }
+
++ if (dev == port_dev) {
++ netdev_err(dev, "Cannot enslave team device to itself\n");
++ return -EINVAL;
++ }
++
+ if (port_dev->features & NETIF_F_VLAN_CHALLENGED &&
+ vlan_uses_dev(dev)) {
+ netdev_err(dev, "Device %s is VLAN challenged and team device has VLAN set up\n",
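Review bot: The `Acked-by: Takashi Iwai <tiwai@suse.de>` trailer sits in the middle of the quoted lockdep report, just after `4.18.0-rc7+ #176 Not tainted`, instead of with the other trailers. It looks as if the dashed rule that follows was taken for the `---` separator. Tools that read trailers from the last paragraph of the message will presumably miss the ack, and the `Fixes:` and `Signed-off-by:` lines end up after it. Moving the line to follow `Signed-off-by: David S. Miller <davem@davemloft.net>` keeps the trailer block contiguous and the report intact.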
diff --git a/patches.fixes/vti4-Don-t-count-header-length-twice-on-tunnel-setup.patch b/patches.fixes/vti4-Don-t-count-header-length-twice-on-tunnel-setup.patch
new file mode 100644
index 0000000000..f5d1469c05
--- /dev/null
+++ b/patches.fixes/vti4-Don-t-count-header-length-twice-on-tunnel-setup.patch
@@ -0,0 +1,70 @@
+From dd1df24737727e119c263acf1be2a92763938297 Mon Sep 17 00:00:00 2001
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Thu, 15 Mar 2018 17:16:27 +0100
+Subject: [PATCH] vti4: Don't count header length twice on tunnel setup
+Git-commit: dd1df24737727e119c263acf1be2a92763938297
+Patch-mainline: v4.16
+References: bsc#1051510
+
+This re-introduces the effect of commit a32452366b72 ("vti4:
+Don't count header length twice.") which was accidentally
+reverted by merge commit f895f0cfbb77 ("Merge branch 'master' of
+git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec").
+
+The commit message from Steffen Klassert said:
+
+ We currently count the size of LL_MAX_HEADER and struct iphdr
+ twice for vti4 devices, this leads to a wrong device mtu.
+ The size of LL_MAX_HEADER and struct iphdr is already counted in
+ ip_tunnel_bind_dev(), so don't do it again in vti_tunnel_init().
+
+And this is still the case now: ip_tunnel_bind_dev() already
+accounts for the header length of the link layer (not
+necessarily LL_MAX_HEADER, if the output device is found), plus
+one IP header.
+
+For example, with a vti device on top of veth, with MTU of 1500,
+the existing implementation would set the initial vti MTU to
+1332, accounting once for LL_MAX_HEADER (128, included in
+hard_header_len by vti) and twice for the same IP header (once
+from hard_header_len, once from ip_tunnel_bind_dev()).
+
+It should instead be 1480, because ip_tunnel_bind_dev() is able
+to figure out that the output device is veth, so no additional
+link layer header is attached, and will properly count one
+single IP header.
+
+The existing issue had the side effect of avoiding PMTUD for
+most xfrm policies, by arbitrarily lowering the initial MTU.
+However, the only way to get a consistent PMTU value is to let
+the xfrm PMTU discovery do its course, and commit d6af1a31cc72
+("vti: Add pmtu handling to vti_xmit.") now takes care of local
+delivery cases where the application ignores local socket
+notifications.
+
+Fixes: b9959fd3b0fa ("vti: switch to new ip tunnel code")
+Fixes: f895f0cfbb77 ("Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Acked-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/ipv4/ip_vti.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
+index 51b1669334fe..502e5222eaa9 100644
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -387,7 +387,6 @@ static int vti_tunnel_init(struct net_device *dev)
+ memcpy(dev->dev_addr, &iph->saddr, 4);
+ memcpy(dev->broadcast, &iph->daddr, 4);
+
+- dev->hard_header_len = LL_MAX_HEADER + sizeof(struct iphdr);
+ dev->mtu = ETH_DATA_LEN;
+ dev->flags = IFF_NOARP;
+ dev->addr_len = 4;
+--
+2.19.0
+
diff --git a/patches.fixes/vti6-fix-PMTU-caching-and-reporting-on-xmit.patch b/patches.fixes/vti6-fix-PMTU-caching-and-reporting-on-xmit.patch
new file mode 100644
index 0000000000..8b2d232536
--- /dev/null
+++ b/patches.fixes/vti6-fix-PMTU-caching-and-reporting-on-xmit.patch
@@ -0,0 +1,54 @@
+From d6990976af7c5d8f55903bfb4289b6fb030bf754 Mon Sep 17 00:00:00 2001
+From: Eyal Birger <eyal.birger@gmail.com>
+Date: Thu, 7 Jun 2018 10:11:02 +0300
+Subject: [PATCH] vti6: fix PMTU caching and reporting on xmit
+Git-commit: d6990976af7c5d8f55903bfb4289b6fb030bf754
+Patch-mainline: v4.18-rc8
+References: bsc#1051510
+
+When setting the skb->dst before doing the MTU check, the route PMTU
+caching and reporting is done on the new dst which is about to be
+released.
+
+Instead, PMTU handling should be done using the original dst.
+
+This is aligned with IPv4 VTI.
+
+Fixes: ccd740cbc6 ("vti6: Add pmtu handling to vti6_xmit.")
+Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/ipv6/ip6_vti.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -480,10 +480,6 @@ vti6_xmit(struct sk_buff *skb, struct ne
+ goto tx_err_dst_release;
+ }
+
+- skb_scrub_packet(skb, !net_eq(t->net, dev_net(dev)));
+- skb_dst_set(skb, dst);
+- skb->dev = skb_dst(skb)->dev;
+-
+ mtu = dst_mtu(dst);
+ if (!skb->ignore_df && skb->len > mtu) {
+ skb_dst(skb)->ops->update_pmtu(dst, NULL, skb, mtu);
+@@ -498,9 +494,14 @@ vti6_xmit(struct sk_buff *skb, struct ne
+ htonl(mtu));
+ }
+
+- return -EMSGSIZE;
++ err = -EMSGSIZE;
++ goto tx_err_dst_release;
+ }
+
++ skb_scrub_packet(skb, !net_eq(t->net, dev_net(dev)));
++ skb_dst_set(skb, dst);
++ skb->dev = skb_dst(skb)->dev;
++
+ err = dst_output(t->net, skb->sk, skb);
+ if (net_xmit_eval(err) == 0) {
+ struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
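Review bot: The unchanged context line `skb_dst(skb)->ops->update_pmtu(dst, NULL, skb, mtu);` still passes `dst` as the entry to update, but `skb_dst_set(skb, dst)` has moved below the MTU check, so `skb_dst(skb)` and `dst` are no longer the same entry at that call. As far as the hunk shows, the ops come from the original dst and are applied to the new one, which the description says is about to be released; that is the opposite of the stated intent of doing PMTU handling on the original dst. `skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu);` would match the description, assuming `skb_dst(skb)` is non-NULL here (the start of `vti6_xmit()` is outside the hunk). The same line appears as context in the following patch, vti6-remove-skb-ignore_df-check-from-vti6_xmit.patch.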
diff --git a/patches.fixes/vti6-remove-skb-ignore_df-check-from-vti6_xmit.patch b/patches.fixes/vti6-remove-skb-ignore_df-check-from-vti6_xmit.patch
new file mode 100644
index 0000000000..0536aa43fa
--- /dev/null
+++ b/patches.fixes/vti6-remove-skb-ignore_df-check-from-vti6_xmit.patch
@@ -0,0 +1,42 @@
+From 9f2895461439fda2801a7906fb4c5fb3dbb37a0a Mon Sep 17 00:00:00 2001
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Date: Thu, 23 Aug 2018 19:49:54 +0300
+Subject: [PATCH] vti6: remove !skb->ignore_df check from vti6_xmit()
+Git-commit: 9f2895461439fda2801a7906fb4c5fb3dbb37a0a
+Patch-mainline: v4.19-rc3
+References: bsc#1051510
+
+Before the commit d6990976af7c ("vti6: fix PMTU caching and reporting
+on xmit") '!skb->ignore_df' check was always true because the function
+skb_scrub_packet() was called before it, resetting ignore_df to zero.
+
+In the commit, skb_scrub_packet() was moved below, and now this check
+can be false for the packet, e.g. when sending it in the two fragments,
+this prevents successful PMTU updates in such case. The next attempts
+to send the packet lead to the same tx error. Moreover, vti6 initial
+MTU value relies on PMTU adjustments.
+
+This issue can be reproduced with the following LTP test script:
+ udp_ipsec_vti.sh -6 -p ah -m tunnel -s 2000
+
+Fixes: ccd740cbc6e0 ("vti6: Add pmtu handling to vti6_xmit.")
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/ipv6/ip6_vti.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -481,7 +481,7 @@ vti6_xmit(struct sk_buff *skb, struct ne
+ }
+
+ mtu = dst_mtu(dst);
+- if (!skb->ignore_df && skb->len > mtu) {
++ if (skb->len > mtu) {
+ skb_dst(skb)->ops->update_pmtu(dst, NULL, skb, mtu);
+
+ if (skb->protocol == htons(ETH_P_IPV6)) {
diff --git a/patches.suse/btrfs-fix-file-data-corruption-after-cloning-a-range.patch b/patches.suse/btrfs-fix-file-data-corruption-after-cloning-a-range.patch
new file mode 100644
index 0000000000..bf0b7e8c62
--- /dev/null
+++ b/patches.suse/btrfs-fix-file-data-corruption-after-cloning-a-range.patch
@@ -0,0 +1,107 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Thu, 12 Jul 2018 01:36:43 +0100
+Patch-mainline: 4.18
+Git-commit: bd3599a0e142cd73edd3b6801068ac3f48ac771a
+Subject: [PATCH] Btrfs: fix file data corruption after cloning a range and
+ fsync
+References: bsc#1111901
+
+When we clone a range into a file we can end up dropping existing
+extent maps (or trimming them) and replacing them with new ones if the
+range to be cloned overlaps with a range in the destination inode.
+When that happens we add the new extent maps to the list of modified
+extents in the inode's extent map tree, so that a "fast" fsync (the flag
+BTRFS_INODE_NEEDS_FULL_SYNC not set in the inode) will see the extent maps
+and log corresponding extent items. However, at the end of range cloning
+operation we do truncate all the pages in the affected range (in order to
+ensure future reads will not get stale data). Sometimes this truncation
+will release the corresponding extent maps besides the pages from the page
+cache. If this happens, then a "fast" fsync operation will miss logging
+some extent items, because it relies exclusively on the extent maps being
+present in the inode's extent tree, leading to data loss/corruption if
+the fsync ends up using the same transaction used by the clone operation
+(that transaction was not committed in the meanwhile). An extent map is
+released through the callback btrfs_invalidatepage(), which gets called by
+truncate_inode_pages_range(), and it calls __btrfs_releasepage(). The
+later ends up calling try_release_extent_mapping() which will release the
+extent map if some conditions are met, like the file size being greater
+than 16Mb, gfp flags allow blocking and the range not being locked (which
+is the case during the clone operation) nor being the extent map flagged
+as pinned (also the case for cloning).
+
+The following example, turned into a test for fstests, reproduces the
+issue:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount /dev/sdb /mnt
+
+ $ xfs_io -f -c "pwrite -S 0x18 9000K 6908K" /mnt/foo
+ $ xfs_io -f -c "pwrite -S 0x20 2572K 156K" /mnt/bar
+
+ $ xfs_io -c "fsync" /mnt/bar
+ # reflink destination offset corresponds to the size of file bar,
+ # 2728Kb minus 4Kb.
+ $ xfs_io -c ""reflink ${SCRATCH_MNT}/foo 0 2724K 15908K" /mnt/bar
+ $ xfs_io -c "fsync" /mnt/bar
+
+ $ md5sum /mnt/bar
+ 95a95813a8c2abc9aa75a6c2914a077e /mnt/bar
+
+ <power fail>
+
+ $ mount /dev/sdb /mnt
+ $ md5sum /mnt/bar
+ 207fd8d0b161be8a84b945f0df8d5f8d /mnt/bar
+ # digest should be 95a95813a8c2abc9aa75a6c2914a077e like before the
+ # power failure
+
+In the above example, the destination offset of the clone operation
+corresponds to the size of the "bar" file minus 4Kb. So during the clone
+operation, the extent map covering the range from 2572Kb to 2728Kb gets
+trimmed so that it ends at offset 2724Kb, and a new extent map covering
+the range from 2724Kb to 11724Kb is created. So at the end of the clone
+operation when we ask to truncate the pages in the range from 2724Kb to
+2724Kb + 15908Kb, the page invalidation callback ends up removing the new
+extent map (through try_release_extent_mapping()) when the page at offset
+2724Kb is passed to that callback.
+
+Fix this by setting the bit BTRFS_INODE_NEEDS_FULL_SYNC whenever an extent
+map is removed at try_release_extent_mapping(), forcing the next fsync to
+search for modified extents in the fs/subvolume tree instead of relying on
+the presence of extent maps in memory. This way we can continue doing a
+"fast" fsync if the destination range of a clone operation does not
+overlap with an existing range or if any of the criteria necessary to
+remove an extent map at try_release_extent_mapping() is not met (file
+size not bigger then 16Mb or gfp flags do not allow blocking).
+
+CC: stable@vger.kernel.org # 3.16+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/extent_io.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
+index 062b27621e67..1e46d50373ae 100644
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -4324,6 +4324,7 @@ int try_release_extent_mapping(struct extent_map_tree *map,
+ struct extent_map *em;
+ u64 start = page_offset(page);
+ u64 end = start + PAGE_SIZE - 1;
++ struct btrfs_inode *btrfs_inode = BTRFS_I(page->mapping->host);
+
+ if (gfpflags_allow_blocking(mask) &&
+ page->mapping->host->i_size > SZ_16M) {
+@@ -4346,6 +4347,8 @@ int try_release_extent_mapping(struct extent_map_tree *map,
+ extent_map_end(em) - 1,
+ EXTENT_LOCKED | EXTENT_WRITEBACK,
+ 0, NULL)) {
++ set_bit(BTRFS_INODE_NEEDS_FULL_SYNC,
++ &btrfs_inode->runtime_flags);
+ remove_extent_mapping(map, em);
+ /* once for the rb tree */
+ free_extent_map(em);
+--
+2.19.0
+
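Review bot: The `set_bit(BTRFS_INODE_NEEDS_FULL_SYNC, &btrfs_inode->runtime_flags)` added before `remove_extent_mapping(map, em)` in `try_release_extent_mapping()` has no comment, so the coupling between dropping an extent map and fsync behaviour is recorded only in the description. A reader of the function alone cannot tell that removing the flag would let a "fast" fsync skip extent items. I would add above it: `/* a fast fsync only logs extent maps still in the tree; force a full sync once one is dropped */`. The loop and the rest of the function lie outside the two hunks.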
diff --git a/patches.suse/btrfs-fix-mount-failure-after-fsync-due-to-hard-link.patch b/patches.suse/btrfs-fix-mount-failure-after-fsync-due-to-hard-link.patch
new file mode 100644
index 0000000000..23923766e7
--- /dev/null
+++ b/patches.suse/btrfs-fix-mount-failure-after-fsync-due-to-hard-link.patch
@@ -0,0 +1,143 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 20 Jul 2018 10:59:06 +0100
+Patch-mainline: 4.19-rc1
+Git-commit: 0d836392cadd5535f4184d46d901a82eb276ed62
+References: bsc#1103543
+Subject: [PATCH] Btrfs: fix mount failure after fsync due to hard link
+ recreation
+
+If we end up with logging an inode reference item which has the same name
+but different index from the one we have persisted, we end up failing when
+replaying the log with an errno value of -EEXIST. The error comes from
+btrfs_add_link(), which is called from add_inode_ref(), when we are
+replaying an inode reference item.
+
+Example scenario where this happens:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount /dev/sdb /mnt
+
+ $ touch /mnt/foo
+ $ ln /mnt/foo /mnt/bar
+
+ $ sync
+
+ # Rename the first hard link (foo) to a new name and rename the second
+ # hard link (bar) to the old name of the first hard link (foo).
+ $ mv /mnt/foo /mnt/qwerty
+ $ mv /mnt/bar /mnt/foo
+
+ # Create a new file, in the same parent directory, with the old name of
+ # the second hard link (bar) and fsync this new file.
+ # We do this instead of calling fsync on foo/qwerty because if we did
+ # that the fsync resulted in a full transaction commit, not triggering
+ # the problem.
+ $ touch /mnt/bar
+ $ xfs_io -c "fsync" /mnt/bar
+
+ <power fail>
+
+ $ mount /dev/sdb /mnt
+ mount: mount /dev/sdb on /mnt failed: File exists
+
+So fix this by checking if a conflicting inode reference exists (same
+name, same parent but different index), removing it (and the associated
+dir index entries from the parent inode) if it exists, before attempting
+to add the new reference.
+
+A test case for fstests follows soon.
+
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/tree-log.c | 66 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 66 insertions(+)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 686d566a607c..0dabcb8bab71 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1312,6 +1312,46 @@ static int unlink_old_inode_refs(struct btrfs_trans_handle *trans,
+ return ret;
+ }
+
++static int btrfs_inode_ref_exists(struct inode *inode, struct inode *dir,
++ const u8 ref_type, const char *name,
++ const int namelen)
++{
++ struct btrfs_key key;
++ struct btrfs_path *path;
++ const u64 parent_id = btrfs_ino(BTRFS_I(dir));
++ int ret;
++
++ path = btrfs_alloc_path();
++ if (!path)
++ return -ENOMEM;
++
++ key.objectid = btrfs_ino(BTRFS_I(inode));
++ key.type = ref_type;
++ if (key.type == BTRFS_INODE_REF_KEY)
++ key.offset = parent_id;
++ else
++ key.offset = btrfs_extref_hash(parent_id, name, namelen);
++
++ ret = btrfs_search_slot(NULL, BTRFS_I(inode)->root, &key, path, 0, 0);
++ if (ret < 0)
++ goto out;
++ if (ret > 0) {
++ ret = 0;
++ goto out;
++ }
++ if (key.type == BTRFS_INODE_EXTREF_KEY)
++ ret = btrfs_find_name_in_ext_backref(path->nodes[0],
++ path->slots[0], parent_id,
++ name, namelen, NULL);
++ else
++ ret = btrfs_find_name_in_backref(path->nodes[0], path->slots[0],
++ name, namelen, NULL);
++
++out:
++ btrfs_free_path(path);
++ return ret;
++}
++
+ /*
+ * replay one inode back reference item found in the log tree.
+ * eb, slot and key refer to the buffer and key found in the log tree.
+@@ -1421,6 +1461,32 @@ static noinline int add_inode_ref(struct btrfs_trans_handle *trans,
+ }
+ }
+
++ /*
++ * If a reference item already exists for this inode
++ * with the same parent and name, but different index,
++ * drop it and the corresponding directory index entries
++ * from the parent before adding the new reference item
++ * and dir index entries, otherwise we would fail with
++ * -EEXIST returned from btrfs_add_link() below.
++ */
++ ret = btrfs_inode_ref_exists(inode, dir, key->type,
++ name, namelen);
++ if (ret > 0) {
++ ret = btrfs_unlink_inode(trans, root,
++ BTRFS_I(dir),
++ BTRFS_I(inode),
++ name, namelen);
++ /*
++ * If we dropped the link count to 0, bump it so
++ * that later the iput() on the inode will not
++ * free it. We will fixup the link count later.
++ */
++ if (!ret && inode->i_nlink == 0)
++ inc_nlink(inode);
++ }
++ if (ret < 0)
++ goto out;
++
+ /* insert our name */
+ ret = btrfs_add_link(trans, BTRFS_I(dir),
+ BTRFS_I(inode),
+--
+2.19.0
+
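Review bot: `btrfs_inode_ref_exists()` in the tree-log.c change has no comment stating its return contract, yet the new code in `add_inode_ref()` depends on three outcomes: `ret > 0` to unlink the old reference, `ret < 0` to bail out, and `0` to proceed. I would add above the helper `/* Returns < 0 on error, 0 if no ref with this parent and name exists, > 0 if one does. */`. The positive case relies on `btrfs_find_name_in_backref()` and `btrfs_find_name_in_ext_backref()` returning non-zero on a match and never a negative errno, which is not visible here and should be confirmed. The body of `add_inode_ref()` starts and ends outside the inner hunk.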
diff --git a/patches.suse/btrfs-send-fix-invalid-access-to-commit-roots-due-to.patch b/patches.suse/btrfs-send-fix-invalid-access-to-commit-roots-due-to.patch
new file mode 100644
index 0000000000..2fb834e01f
--- /dev/null
+++ b/patches.suse/btrfs-send-fix-invalid-access-to-commit-roots-due-to.patch
@@ -0,0 +1,139 @@
+From: Robbie Ko <robbieko@synology.com>
+Date: Mon, 14 May 2018 10:51:34 +0800
+Patch-mainline: 4.17
+Git-commit: 6f2f0b394b54e2b159ef969a0b5274e9bbf82ff2
+Subject: [PATCH] Btrfs: send, fix invalid access to commit roots due to
+ concurrent snapshotting
+References: bsc#1111904
+
+[BUG]
+btrfs incremental send BUG happens when creating a snapshot of snapshot
+that is being used by send.
+
+[REASON]
+The problem can happen if while we are doing a send one of the snapshots
+used (parent or send) is snapshotted, because snapshoting implies COWing
+the root of the source subvolume/snapshot.
+
+1. When doing an incremental send, the send process will get the commit
+ roots from the parent and send snapshots, and add references to them
+ through extent_buffer_get().
+
+2. When a snapshot/subvolume is snapshotted, its root node is COWed
+ (transaction.c:create_pending_snapshot()).
+
+3. COWing releases the space used by the node immediately, through:
+
+ __btrfs_cow_block()
+ --btrfs_free_tree_block()
+ ----btrfs_add_free_space(bytenr of node)
+
+4. Because send doesn't hold a transaction open, it's possible that
+ the transaction used to create the snapshot commits, switches the
+ commit root and the old space used by the previous root node gets
+ assigned to some other node allocation. Allocation of a new node will
+ use the existing extent buffer found in memory, which we previously
+ got a reference through extent_buffer_get(), and allow the extent
+ buffer's content (pages) to be modified:
+
+ btrfs_alloc_tree_block
+ --btrfs_reserve_extent
+ ----find_free_extent (get bytenr of old node)
+ --btrfs_init_new_buffer (use bytenr of old node)
+ ----btrfs_find_create_tree_block
+ ------alloc_extent_buffer
+ --------find_extent_buffer (get old node)
+
+5. So send can access invalid memory content and have unpredictable
+ behaviour.
+
+[FIX]
+So we fix the problem by copying the commit roots of the send and
+parent snapshots and use those copies.
+
+CallTrace looks like this:
+ ------------[ cut here ]------------
+ kernel BUG at fs/btrfs/ctree.c:1861!
+ invalid opcode: 0000 [#1] SMP
+ CPU: 6 PID: 24235 Comm: btrfs Tainted: P O 3.10.105 #23721
+ ffff88046652d680 ti: ffff88041b720000 task.ti: ffff88041b720000
+ RIP: 0010:[<ffffffffa08dd0e8>] read_node_slot+0x108/0x110 [btrfs]
+ RSP: 0018:ffff88041b723b68 EFLAGS: 00010246
+ RAX: ffff88043ca6b000 RBX: ffff88041b723c50 RCX: ffff880000000000
+ RDX: 000000000000004c RSI: ffff880314b133f8 RDI: ffff880458b24000
+ RBP: 0000000000000000 R08: 0000000000000001 R09: ffff88041b723c66
+ R10: 0000000000000001 R11: 0000000000001000 R12: ffff8803f3e48890
+ R13: ffff8803f3e48880 R14: ffff880466351800 R15: 0000000000000001
+ FS: 00007f8c321dc8c0(0000) GS:ffff88047fcc0000(0000)
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ R2: 00007efd1006d000 CR3: 0000000213a24000 CR4: 00000000003407e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Stack:
+ ffff88041b723c50 ffff8803f3e48880 ffff8803f3e48890 ffff8803f3e48880
+ ffff880466351800 0000000000000001 ffffffffa08dd9d7 ffff88041b723c50
+ ffff8803f3e48880 ffff88041b723c66 ffffffffa08dde85 a9ff88042d2c4400
+ Call Trace:
+ [<ffffffffa08dd9d7>] ? tree_move_down.isra.33+0x27/0x50 [btrfs]
+ [<ffffffffa08dde85>] ? tree_advance+0xb5/0xc0 [btrfs]
+ [<ffffffffa08e83d4>] ? btrfs_compare_trees+0x2d4/0x760 [btrfs]
+ [<ffffffffa0982050>] ? finish_inode_if_needed+0x870/0x870 [btrfs]
+ [<ffffffffa09841ea>] ? btrfs_ioctl_send+0xeda/0x1050 [btrfs]
+ [<ffffffffa094bd3d>] ? btrfs_ioctl+0x1e3d/0x33f0 [btrfs]
+ [<ffffffff81111133>] ? handle_pte_fault+0x373/0x990
+ [<ffffffff8153a096>] ? atomic_notifier_call_chain+0x16/0x20
+ [<ffffffff81063256>] ? set_task_cpu+0xb6/0x1d0
+ [<ffffffff811122c3>] ? handle_mm_fault+0x143/0x2a0
+ [<ffffffff81539cc0>] ? __do_page_fault+0x1d0/0x500
+ [<ffffffff81062f07>] ? check_preempt_curr+0x57/0x90
+ [<ffffffff8115075a>] ? do_vfs_ioctl+0x4aa/0x990
+ [<ffffffff81034f83>] ? do_fork+0x113/0x3b0
+ [<ffffffff812dd7d7>] ? trace_hardirqs_off_thunk+0x3a/0x6c
+ [<ffffffff81150cc8>] ? SyS_ioctl+0x88/0xa0
+ [<ffffffff8153e422>] ? system_call_fastpath+0x16/0x1b
+ ---[ end trace 29576629ee80b2e1 ]---
+
+Fixes: 7069830a9e38 ("Btrfs: add btrfs_compare_trees function")
+CC: stable@vger.kernel.org # 3.6+
+Signed-off-by: Robbie Ko <robbieko@synology.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+---
+ fs/btrfs/ctree.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
+index cb917fa6d944..5f7cd9f0005a 100644
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -5458,12 +5458,24 @@ int btrfs_compare_trees(struct btrfs_root *left_root,
+ down_read(&fs_info->commit_root_sem);
+ left_level = btrfs_header_level(left_root->commit_root);
+ left_root_level = left_level;
+- left_path->nodes[left_level] = left_root->commit_root;
++ left_path->nodes[left_level] =
++ btrfs_clone_extent_buffer(left_root->commit_root);
++ if (!left_path->nodes[left_level]) {
++ up_read(&fs_info->commit_root_sem);
++ ret = -ENOMEM;
++ goto out;
++ }
+ extent_buffer_get(left_path->nodes[left_level]);
+
+ right_level = btrfs_header_level(right_root->commit_root);
+ right_root_level = right_level;
+- right_path->nodes[right_level] = right_root->commit_root;
++ right_path->nodes[right_level] =
++ btrfs_clone_extent_buffer(right_root->commit_root);
++ if (!right_path->nodes[right_level]) {
++ up_read(&fs_info->commit_root_sem);
++ ret = -ENOMEM;
++ goto out;
++ }
+ extent_buffer_get(right_path->nodes[right_level]);
+ up_read(&fs_info->commit_root_sem);
+
+--
+2.19.0
+
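Review bot: The new `btrfs_clone_extent_buffer()` calls in `btrfs_compare_trees()` carry no comment saying why the commit roots are copied. The reason (send holds no transaction, so a concurrent snapshot can COW the root and its extent buffer can be reused) appears only in the patch description. I would add before the first clone `/* Clone the commit roots: send holds no transaction, so the originals can be COWed and reused under us. */`. The pre-existing `extent_buffer_get()` is still applied to each clone; whether the clone already holds a reference, and how the extra one is dropped, is not visible in this hunk and should be confirmed so the copies are not leaked. The second `-ENOMEM` path also relies on the `out` label, outside the hunk, to release the left clone.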
diff --git a/patches.suse/vmbus-don-t-return-values-for-uninitalized-channels.patch b/patches.suse/vmbus-don-t-return-values-for-uninitalized-channels.patch
new file mode 100644
index 0000000000..3c21d97c60
--- /dev/null
+++ b/patches.suse/vmbus-don-t-return-values-for-uninitalized-channels.patch
@@ -0,0 +1,41 @@
+From 6712cc9c22117a8af9f3df272b4a44fd2e4201cd Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Mon, 20 Aug 2018 21:16:40 +0000
+Subject: [PATCH] vmbus: don't return values for uninitalized channels
+Git-commit: 6712cc9c22117a8af9f3df272b4a44fd2e4201cd
+Patch-mainline: v4.19-rc4
+References: bsc#1051510
+
+For unsupported device types, the vmbus channel ringbuffer is never
+initialized, and therefore reading the sysfs files will return garbage
+or cause a kernel OOPS.
+
+Fixes: c2e5df616e1a ("vmbus: add per-channel sysfs info")
+
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Cc: <stable@vger.kernel.org> # 4.15
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hv/vmbus_drv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
+index b1b548a21f91..c71cc857b649 100644
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -1291,6 +1291,9 @@ static ssize_t vmbus_chan_attr_show(struct kobject *kobj,
+ if (!attribute->show)
+ return -EIO;
+
++ if (chan->state != CHANNEL_OPENED_STATE)
++ return -EINVAL;
++
+ return attribute->show(chan, buf);
+ }
+
+--
+2.19.0
+
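Review bot: The added `chan->state != CHANNEL_OPENED_STATE` test in `vmbus_chan_attr_show()` is a plain read with no lock visible in the hunk, so the channel could leave the opened state between the check and `attribute->show(chan, buf)`. If the caller does not serialize against channel close, the check narrows the window for reading an uninitialized or torn-down ring buffer through sysfs but does not close it. I would at least document that with `/* state is sampled unlocked; show() callbacks must tolerate a channel that is closing */`, or hold whatever lock guards channel state across both lines. The function starts above the hunk, so locking done earlier cannot be ruled out from here.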
diff --git a/series.conf b/series.conf
index c437244c61..035ccc233f 100644
--- a/series.conf
+++ b/series.conf
@@ -5333,6 +5333,7 @@
patches.drivers/0032-thunderbolt-Make-key-root-only-accessible.patch
patches.drivers/0033-thunderbolt-Allow-clearing-the-key.patch
patches.drivers/0034-thunderbolt-Fix-reset-response_type.patch
+ patches.drivers/stm-Potential-read-overflow-in-stm_char_policy_set_i.patch
patches.drivers/intel_th-pci-Enable-bus-mastering
patches.drivers/intel_th-Output-devices-without-ports-don-t-need-ass
patches.drivers/intel_th-Streamline-the-subdevice-tree-accessors
@@ -7131,6 +7132,7 @@
patches.fixes/cgroup-Reinit-cgroup_taskset-structure-before-cgroup_migrate_execute-returns.patch
patches.fixes/lsm-fix-smack_inode_removexattr-and-xattr_getsecurit.patch
patches.arch/include-linux-mm.h-fix-typo-in-VM_MPX-definition.patch
+ patches.fixes/ksm-fix-unlocked-iteration-over-vmas-in-cmp_and_merge_page.patch
patches.suse/0001-mm-oom_reaper-skip-mm-structs-with-mmu-notifiers.patch
patches.fixes/mm-compaction-serialize-waitqueue_active-checks-for-real.patch
patches.fixes/mm-meminit-mark-init_reserved_page-as-__meminit.patch
@@ -10554,6 +10556,7 @@
patches.arch/0003-arm64-mm-Fix-false-positives-in-set_pte_at-access-di.patch
patches.suse/0005-arm64-Define-cputype-macros-for-Falkor-CPU.patch
patches.arch/0001-arm64-fix-CONFIG_DEBUG_WX-address-reporting.patch
+ patches.fixes/ovl-Sync-upper-dirty-data-when-syncing-overlayfs.patch
patches.fixes/ceph-drop-negative-child-dentries-before-try-pruning-inode-s-alias.patch
patches.drivers/scsi-lpfc-Use-after-free-in-lpfc_rq_buf_free.patch
patches.drivers/libfc-fix-ELS-request-handling.patch
@@ -11575,6 +11578,7 @@
patches.drivers/lpfc-update-driver-version-to-11.4.0.5.patch
patches.drivers/scsi-mpt3sas-Replace-PCI-pool-old-API.patch
patches.drivers/scsi-mpt3sas-Remove-unused-variable-requeue_event.patch
+ patches.arch/scsi-ipr-fix-incorrect-indentation-of-assignment-sta.patch
patches.fixes/scsi-ibmvscsis-add-DRC-indices-to-debug-statements.patch
patches.drivers/scsi-core-scsi_get_device_flags_keyed-always-return.patch
patches.drivers/scsi-qla2xxx-Fix-system-crash-for-Notify-ack-timeout.patch
@@ -14063,6 +14067,7 @@
patches.drivers/net-mlx4_core-Fix-memory-leak-while-delete-slave-s-r.patch
patches.suse/vhost-correctly-remove-wait-queue-during-poll-failur.patch
patches.drivers/qede-Fix-barrier-usage-after-tx-doorbell-write.patch
+ patches.fixes/vti4-Don-t-count-header-length-twice-on-tunnel-setup.patch
patches.fixes/vti6-Properly-adjust-vti6-MTU-from-MTU-of-lower-devi.patch
patches.fixes/vti6-Keep-set-MTU-on-link-creation-or-change-validat.patch
patches.fixes/vti6-Fix-dev-max_mtu-setting.patch
@@ -14700,6 +14705,7 @@
patches.drivers/scsi-mpt3sas-clarify-mmio-pointer-types.patch
patches.drivers/scsi-smartpqi-add-in-new-supported-controllers.patch
patches.drivers/scsi-lpfc-use-__raw_writex-on-dpp-copies.patch
+ patches.arch/scsi-ipr-Use-dma_pool_zalloc.patch
patches.drivers/scsi-lpfc-add-missing-unlock-in-wq-full-logic.patch
patches.drivers/scsi-lpfc-code-cleanup-for-128byte-wqe-data-type.patch
patches.drivers/scsi-lpfc-streamline-nvme-initiator-wqe-setup.patch
@@ -15599,6 +15605,7 @@
patches.fixes/ARM-8770-1-kprobes-Prohibit-probing-on-optimized_cal.patch
patches.fixes/ARM-8771-1-kprobes-Prohibit-kprobes-on-do_undefinstr.patch
patches.fixes/ARM-8772-1-kprobes-Prohibit-kprobes-on-get_user-func.patch
+ patches.suse/btrfs-send-fix-invalid-access-to-commit-roots-due-to.patch
patches.suse/btrfs-fix-xattr-loss-after-power-failure.patch
patches.suse/btrfs-fix-duplicate-extents-after-fsync-of-file-with.patch
patches.drivers/qede-Fix-ref-cnt-usage-count.patch
@@ -15617,6 +15624,7 @@
patches.drivers/ibmvnic-Free-coherent-DMA-memory-if-FW-map-failed.patch
patches.drivers/ibmvnic-Fix-non-fatal-firmware-error-reset.patch
patches.drivers/ibmvnic-Fix-statistics-buffers-memory-leak.patch
+ patches.fixes/sock_diag-fix-use-after-free-read-in-__sk_free.patch
patches.drivers/net-sched-red-avoid-hashing-NULL-child.patch
patches.drivers/cxgb4-fix-offset-in-collecting-TX-rate-limit-info.patch
patches.fixes/0001-iov_iter-fix-return-type-of-_pipe_get_pages.patch
@@ -15625,6 +15633,7 @@
patches.fixes/affs_lookup-close-a-race-with-affs_remove_link.patch
patches.fixes/befs_lookup-use-d_splice_alias.patch
patches.fixes/ext2-fix-a-block-leak.patch
+ patches.fixes/aio-fix-io_destroy2-vs.-lookup_ioctx-race.patch
patches.drivers/scsi-zfcp-fix-infinite-iteration-on-erp-ready-list.patch
patches.fixes/scsi-core-clean-up-generated-file-scsi_devinfo_tbl.c.patch
patches.drivers/scsi-sg-allocate-with-_gfp_zero-in-sg_build_indirect.patch
@@ -15731,6 +15740,7 @@
patches.suse/net-usb-cdc_mbim-add-flag-FLAG_SEND_ZLP.patch
patches.fixes/fix-io_destroy-aio_complete-race.patch
patches.suse/0001-nbd-fix-nbd-device-deletion.patch
+ patches.fixes/blkdev_report_zones_ioctl-use-vmalloc-to-allocate-large-buffers.patch
patches.fixes/bdi-Move-cgroup-bdi_writeback-to-a-dedicated-low-con.patch
patches.fixes/block-don-t-print-a-message-when-the-device-went-awa.patch
patches.drivers/nvme-fix-lockdep-warning-in-nvme_mpath_clear_current_path.patch
@@ -16489,6 +16499,7 @@
patches.drivers/scsi-lpfc-fix-null-pointer-reference-when-resetting-adapter.patch
patches.drivers/scsi-lpfc-correct-missing-remoteport-registration-during-link-bounces.patch
patches.drivers/scsi-lpfc-update-driver-version-to-12-0-0-2.patch
+ patches.drivers/scsi-target-prefer-dbroot-of-etc-target-over-var-target
patches.drivers/scsi-mpt3sas-fix-spelling-mistake-disbale-disable.patch
patches.drivers/scsi-mpt3sas-Bug-fix-for-big-endian-systems.patch
patches.drivers/scsi-mpt3sas-Pre-allocate-RDPQ-Array-at-driver-boot-.patch
@@ -16779,6 +16790,7 @@
patches.drivers/Input-elan_i2c-add-ELAN0618-Lenovo-v330-15IKB-ACPI-I
patches.drivers/Input-elan_i2c_smbus-fix-more-potential-stack-buffer
patches.drivers/Input-xpad-fix-GPD-Win-2-controller-name
+ patches.arch/scsi-ipr-Eliminate-duplicate-barriers.patch
patches.drivers/scsi-qla2xxx-Spinlock-recursion-in-qla_target.patch
patches.drivers/soc-imx-gpcv2-correct-PGC-offset
patches.drivers/ALSA-hda-realtek-Fix-pop-noise-on-Lenovo-P50-co
@@ -17024,6 +17036,7 @@
patches.fixes/fat-fix-memory-allocation-failure-handling-of-match_.patch
patches.fixes/mm-huge_memory.c-fix-data-loss-when-splitting-a-file.patch
patches.fixes/mm-memcg-fix-use-after-free-in-mem_cgroup_iter.patch
+ patches.suse/btrfs-fix-file-data-corruption-after-cloning-a-range.patch
patches.arch/vfio-spapr-Use-IOMMU-pageshift-rather-than-pagesize.patch
patches.arch/KVM-PPC-Check-if-IOMMU-page-is-contained-in-the-pinn.patch
patches.fixes/lib-iov_iter-Fix-pipe-handling-in-_copy_to_iter_mcsa.patch
@@ -17121,6 +17134,7 @@
patches.fixes/squashfs-more-metadata-hardening.patch
patches.suse/net-fix-amd-xgbe-flow-control-issue.patch
patches.suse/net-ena-Fix-use-of-uninitialized-DMA-address-bits-fi.patch
+ patches.fixes/vti6-fix-PMTU-caching-and-reporting-on-xmit.patch
patches.fixes/0001-net-lan78xx-fix-rx-handling-before-first-packet-is-s.patch
patches.suse/ipv4-remove-BUG_ON-from-fib_compute_spec_dst.patch
patches.suse/net-mdio-mux-bcm-iproc-fix-wrong-getter-and-setter-p.patch
@@ -17141,6 +17155,7 @@
patches.suse/cpufreq-intel_pstate-Limit-the-scope-of-HWP-dynamic-.patch
patches.fixes/tools-power-turbostat-fix-S-on-UP-systems.patch
patches.fixes/tools-power-turbostat-Read-extended-processor-family.patch
+ patches.fixes/squashfs-more-metadata-hardening2.patch
patches.fixes/Squashfs-Compute-expected-length-from-inode-size-rat.patch
patches.drivers/iwlwifi-add-more-card-IDs-for-9000-series
patches.fixes/inet-frag-enforce-memory-limits-earlier.patch
@@ -17180,6 +17195,7 @@
patches.fixes/fix-mntputmntput-race.patch
patches.fixes/fix-__legitimize_mntmntput-race.patch
patches.fixes/init-rename-and-re-order-boot_cpu_state_init.patch
+ patches.drivers/scsi-qla2xxx-fix-memory-leak-for-allocating-abort-iocb.patch
patches.fixes/genirq-Fix-editing-error-in-a-comment.patch
patches.suse/sched-numa-Remove-redundant-field.patch
patches.suse/sched-numa-Simplify-load_too_imbalanced.patch
@@ -17213,6 +17229,7 @@
patches.arch/s390-fix-br_r1_trampoline-for-machines-without-exrl.patch
patches.fixes/binfmt_elf-Respect-error-return-from-regset-active.patch
patches.suse/0001-btrfs-Don-t-remove-block-group-still-has-pinned-down.patch
+ patches.suse/btrfs-fix-mount-failure-after-fsync-due-to-hard-link.patch
patches.suse/btrfs-fix-send-failure-when-root-has-deleted-files-s.patch
patches.fixes/ext4-sysfs-print-ext4_super_block-fields-as-little-e.patch
patches.fixes/dax-dax_layout_busy_page-warn-on-exceptional.patch
@@ -17248,6 +17265,7 @@
patches.suse/0237-bcache-make-the-pr_err-statement-used-for-ENOENT-onl.patch
patches.fixes/nvme-fixup-crash-on-failed-discovery.patch
patches.fixes/nvme.h-fixup-ANA-group-descriptor-format.patch
+ patches.fixes/block-bvec_nr_vecs-returns-value-for-wrong-slab.patch
patches.suse/0236-bcache-fix-error-setting-writeback_rate-through-sysf.patch
patches.suse/0001-md-cluster-clear-another-node-s-suspend_area-after-t.patch
patches.suse/0002-md-cluster-show-array-s-status-more-accurate.patch
@@ -17820,6 +17838,7 @@
patches.arch/x86-nmi-fix-nmi-uaccess-race-against-cr3-switching
patches.fixes/x86-mce-Fix-set_mce_nospec-to-avoid-GP-fault.patch
patches.arch/x86-vdso-fix-lsl-operand-order.patch
+ patches.fixes/vti6-remove-skb-ignore_df-check-from-vti6_xmit.patch
patches.drivers/net-hns-add-the-code-for-cleaning-pkt-in-chip.patch
patches.drivers/net-hns-add-netif_carrier_off-before-change-speed-an.patch
patches.drivers/ibmvnic-Include-missing-return-code-checks-in-reset-.patch
@@ -17842,6 +17861,7 @@
patches.fixes/mac80211-don-t-Tx-a-deauth-frame-if-the-AP-forbade-T.patch
patches.fixes/mac80211-shorten-the-IBSS-debug-messages.patch
patches.fixes/mm-hugetlb-filter-out-hugetlb-pages-if-hugepage-migration-is-not-supported.patch
+ patches.fixes/mm-fix-bug_on-in-vmf_insert_pfn_pud-from-vm_mixedmap-removal.patch
patches.fixes/scsi-lpfc-Correct-MDS-diag-and-nvmet-configuration.patch
patches.drivers/scsi-hpsa-limit-transfer-length-to-1mb-not-512kb.patch
patches.drivers/gpio-adp5588-Fix-sleep-in-atomic-context-bug.patch
@@ -17889,6 +17909,7 @@
patches.drivers/drm-nouveau-TBDdevinit-don-t-fail-when-PMU-PRE_OS-is.patch
patches.drivers/drm-nouveau-disp-fix-DP-disable-race.patch
patches.drivers/Revert-PCI-Add-ACS-quirk-for-Intel-300-series
+ patches.drivers/switchtec-Fix-Spectre-v1-vulnerability.patch
patches.arch/s390-sles15-15-04-crypto-paes-fix.patch
patches.drivers/mmc-omap_hsmmc-fix-wakeirq-handling-on-removal.patch
patches.drivers/pstore-Fix-incorrect-persistent-ram-buffer-mapping.patch
@@ -17896,9 +17917,11 @@
patches.drivers/drm-i915-overlay-Allocate-physical-registers-from-st.patch
patches.fixes/0001-drm-amdgpu-fix-error-handling-in-amdgpu_cs_user_fenc.patch
patches.drivers/mei-ignore-not-found-client-in-the-enumeration.patch
+ patches.suse/vmbus-don-t-return-values-for-uninitalized-channels.patch
patches.drivers/USB-add-quirk-for-WORLDE-Controller-KS49-or-Prodipe-.patch
patches.drivers/xhci-Fix-use-after-free-for-URB-cancellation-on-a-re.patch
patches.drivers/USB-yurex-Fix-buffer-over-read-in-yurex_write.patch
+ patches.drivers/USB-yurex-Check-for-truncation-in-yurex_read.patch
patches.drivers/USB-Add-quirk-to-support-DJI-CineSSD.patch
patches.drivers/usb-uas-add-support-for-more-quirk-flags.patch
patches.drivers/usb-Don-t-die-twice-if-PCI-xhci-host-is-not-respondi.patch
@@ -17908,6 +17931,7 @@
patches.drivers/USB-serial-io_ti-fix-array-underflow-in-completion-h.patch
patches.drivers/USB-serial-ti_usb_3410_5052-fix-array-underflow-in-c.patch
patches.drivers/USB-net2280-Fix-erroneous-synchronization-change.patch
+ patches.drivers/usb-gadget-fotg210-udc-Fix-memory-leak-of-fotg210-ep.patch
patches.drivers/usb-gadget-udc-renesas_usb3-fix-maxpacket-size-of-ep.patch
patches.drivers/Revert-cdc-acm-implement-put_char-and-flush_chars.patch
patches.fixes/cifs-integer-overflow-in-in-SMB2_ioctl.patch
@@ -17986,6 +18010,7 @@
patches.drivers/Input-elantech-enable-middle-button-of-touchpad-on-T.patch
patches.arch/x86-boot-fix-kexec-booting-failure-in-the-sev-bit-detection-code.patch
patches.drivers/soc-fsl-qe-Fix-copy-paste-bug-in-ucc_get_tdm_sync_sh.patch
+ patches.fixes/sysfs-Do-not-return-POSIX-ACL-xattrs-via-listxattr.patch
patches.drivers/qed-Fix-shmem-structure-inconsistency-between-driver.patch
patches.drivers/cfg80211-reg-Init-wiphy_idx-in-regulatory_hint_core.patch
patches.drivers/mac80211-fix-pending-queue-hang-due-to-TX_DROP.patch
@@ -18001,6 +18026,7 @@
patches.suse/ipv4-fix-use-after-free-in-ip_cmsg_recv_dstaddr.patch
patches.drivers/0001-drm-i915-Handle-incomplete-Z_FINISH-for-compressed-e.patch
patches.arch/ARM-8799-1-mm-fix-pci_ioremap_io-offset-check.patch
+ patches.fixes/ovl-fix-format-of-setxattr-debug.patch
patches.fixes/crypto-caam-jr-fix-ablkcipher_edesc-pointer-arithmet.patch
patches.drivers/crypto-mxs-dcp-Fix-wait-logic-on-chan-threads.patch
patches.drivers/crypto-qat-Fix-KASAN-stack-out-of-bounds-bug-in-adf_.patch
@@ -18012,10 +18038,15 @@
patches.arch/x86-vdso-fix-vdso-syscall-fallback-asm-constraint-regression
patches.fixes/PM-core-Clear-the-direct_complete-flag-on-errors.patch
patches.drivers/gpiolib-Free-the-last-requested-descriptor.patch
+ patches.fixes/proc-restrict-kernel-stack-dumps-to-root.patch
patches.fixes/mac80211-fix-setting-IEEE80211_KEY_FLAG_RX_MGMT-for-.patch
+ patches.fixes/team-Forbid-enslaving-team-device-to-itself.patch
patches.arch/powerpc-numa-Skip-onlining-a-offline-node-in-kdump-p.patch
patches.drivers/scsi-qedi-initialize-the-stats-mutex-lock
+ patches.drivers/USB-serial-simple-add-Motorola-Tetra-MTP6550-id.patch
patches.drivers/usb-cdc_acm-Do-not-leak-URB-buffers.patch
+ patches.drivers/xhci-Add-missing-CAS-workaround-for-Intel-Sunrise-Po.patch
+ patches.drivers/usb-xhci-mtk-resume-USB3-roothub-first.patch
patches.drivers/net-smc-use-__aligned_u64-for-64-bit-smc_diag-fields.patch
patches.drivers/net-smc-retain-old-name-for-diag_mode-field.patch
@@ -18090,6 +18121,7 @@
patches.arch/powerpc-pseries-Remove-unneeded-uses-of-dlpar-work-q.patch
patches.arch/powerpc-pseries-Disable-CPU-hotplug-across-migration.patch
patches.arch/powerpc-fadump-re-register-firmware-assisted-dump-if.patch
+ patches.arch/powerpc-rtas-Fix-a-potential-race-between-CPU-Offlin.patch
# dhowells/linux-fs keys-uefi
patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
@@ -18926,6 +18958,8 @@
patches.arch/x86-speculation-Protect-against-userspace-userspace-.patch
+ patches.arch/x86-speculation-l1tf-extend-64bit-swap-file-size-limit
+ patches.arch/x86-speculation-l1tf-fix-overflow-in-l1tf_pfn_limit-on-32bit.patch
patches.arch/0001-x86-speculation-l1tf-Fix-off-by-one-error-when-warni.patch
patches.arch/0001-x86-speculation-l1tf-Suggest-what-to-do-on-systems-w.patch
patches.arch/0001-x86-speculation-l1tf-Increase-l1tf-memory-limit-for-.patch
@@ -18944,7 +18978,6 @@
patches.fixes/0001-xen-issue-warning-message-when-out-of-grant-maptrack.patch
# bsc#1110006
- patches.arch/x86-speculation-l1tf-extend-64bit-swap-file-size-limit
patches.arch/x86-speculation-l1tf-protect-pae-swap-entries-against-l1tf
patches.arch/x86-speculation-l1tf-fix-up-pte-pfn-conversion-for-pae
patches.arch/x86-kvm-vmx-don-t-set-l1tf_flush_l1d-to-true-from-vmx_l1d_flush