Home Home > GIT Browse > stable
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPetr Tesarik <ptesarik@suse.cz>2019-07-11 13:05:13 +0200
committerPetr Tesarik <ptesarik@suse.cz>2019-07-11 14:27:16 +0200
commit8509cd2494f410cb7f36c382bc4ac010e44d81ad (patch)
tree63a5c57f5ab42367b318068813d2aef225fc8faa
parent4665cb5a1b87491e3bb36eb70ad474ec46215fba (diff)
parentf5294bb3a205d978cd7a765b8d7de231e8de57aa (diff)
- Refresh patches.drivers/nfit-ars-introduce-scrub_flags.patch - Refresh patches.fixes/blk-mq-free-hw-queue-s-resource-in-hctx-s-release-handler.patch - Refresh patches.fixes/inet-switch-IP-ID-generator-to-siphash.patch - Refresh patches.fixes/sbitmap-fix-improper-use-of-smp_mb__before_atomic.patch - Refresh patches.kabi/kabi-handle-addition-of-net-hash_mix.patch - Refresh patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch - Refresh patches.suse/mm-vmscan.c-prevent-useless-kswapd-loops.patch - Restore patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch Conflicts: blacklist.conf patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch rpm/gitlog-excludes series.conf
-rw-r--r--blacklist.conf12
-rw-r--r--patches.arch/kvm-svm-avic-fix-off-by-one-in-checking-host-apic-id43
-rw-r--r--patches.arch/kvm-x86-fix-return-value-for-reserved-efer36
-rw-r--r--patches.arch/kvm-x86-skip-efer-vs-guest-cpuid-checks-for-host-initiated-writes99
-rw-r--r--patches.drivers/ACPI-PM-Allow-transitions-to-D0-to-occur-in-special-.patch146
-rw-r--r--patches.drivers/ACPI-PM-Avoid-evaluating-_PS3-on-transitions-from-D3.patch50
-rw-r--r--patches.drivers/ALSA-firewire-lib-fireworks-fix-miss-detection-of-re.patch57
-rw-r--r--patches.drivers/ALSA-hda-realtek-Add-quirks-for-several-Clevo-notebo.patch49
-rw-r--r--patches.drivers/ALSA-hda-realtek-Change-front-mic-location-for-Lenov.patch34
-rw-r--r--patches.drivers/ALSA-line6-Fix-write-on-zero-sized-buffer.patch44
-rw-r--r--patches.drivers/ALSA-seq-fix-incorrect-order-of-dest_client-dest_por.patch51
-rw-r--r--patches.drivers/ALSA-usb-audio-fix-sign-unintended-sign-extension-on.patch48
-rw-r--r--patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX20723
-rw-r--r--patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC3
-rw-r--r--patches.drivers/ASoC-cx2072x-fix-integer-overflow-on-unsigned-int-mu.patch41
-rw-r--r--patches.drivers/clk-rockchip-Turn-on-aclk_dmac1-for-suspend-on-rk328.patch91
-rw-r--r--patches.drivers/clk-tegra-Fix-PLLM-programming-on-Tegra124-when-PMC-.patch43
-rw-r--r--patches.drivers/dmaengine-imx-sdma-remove-BD_INTR-for-channel0.patch58
-rw-r--r--patches.drivers/documentation-dma-api-fix-a-function-name-of-max_mapping_size31
-rw-r--r--patches.drivers/gpio-omap-fix-lack-of-irqstatus_raw0-for-OMAP4.patch45
-rw-r--r--patches.drivers/ibmvnic-Do-not-close-unopened-driver-during-reset.patch3
-rw-r--r--patches.drivers/ibmvnic-Fix-unchecked-return-codes-of-memory-allocat.patch3
-rw-r--r--patches.drivers/ibmvnic-Refresh-device-multicast-list-after-reset.patch3
-rw-r--r--patches.drivers/iommu-amd-make-iommu_disable-safer33
-rw-r--r--patches.drivers/iommu-arm-smmu-avoid-constant-zero-in-tlbi-writes74
-rw-r--r--patches.drivers/iommu-fix-a-leak-in-iommu_insert_resv_region55
-rw-r--r--patches.drivers/iommu-use-right-function-to-get-group-for-device35
-rw-r--r--patches.drivers/iommu-vt-d-duplicate-iommu_resv_region-objects-per-device-list128
-rw-r--r--patches.drivers/iommu-vt-d-handle-pci-bridge-rmrr-device-scopes-in-intel_iommu_get_resv_regions33
-rw-r--r--patches.drivers/iommu-vt-d-handle-rmrr-with-pci-bridge-device-scopes36
-rw-r--r--patches.drivers/iommu-vt-d-introduce-is_downstream_to_pci_bridge-helper79
-rw-r--r--patches.drivers/iommu-vt-d-remove-unnecessary-rcu_read_locks47
-rw-r--r--patches.drivers/mfd-hi655x-Fix-regmap-area-declared-size-for-hi655x.patch69
-rw-r--r--patches.drivers/nfit-ars-avoid-stale-ars-results.patch73
-rw-r--r--patches.drivers/nfit-ars-introduce-scrub_flags.patch123
-rw-r--r--patches.drivers/pwm-stm32-Use-3-cells-of_xlate.patch37
-rw-r--r--patches.drivers/qmi_wwan-Fix-out-of-bounds-read.patch58
-rw-r--r--patches.drivers/regulator-s2mps11-Fix-buck7-and-buck8-wrong-voltages.patch46
-rw-r--r--patches.drivers/staging-comedi-ni_mio_common-Fix-divide-by-zero-for-.patch153
-rw-r--r--patches.drivers/staging-iio-ad7150-fix-threshold-mode-config-bit.patch75
-rw-r--r--patches.drm/drm-amdgpu-gfx9-use-reset-default-for-PA_SC_FIFO_SIZ.patch52
-rw-r--r--patches.drm/drm-i915-dmc-protect-against-reading-random-memory.patch97
-rw-r--r--patches.fixes/0006-irqchip-gic-v3-its-fix-some-definitions-of-inner-cac.patch80
-rw-r--r--patches.fixes/Abort-file_remove_privs-for-non-reg.-files.patch54
-rw-r--r--patches.fixes/PCI-Do-not-poll-for-PME-if-the-device-is-in-D3cold.patch60
-rw-r--r--patches.fixes/apparmor-enforce-nullbyte-at-end-of-tag-string.patch42
-rw-r--r--patches.fixes/blk-mq-free-hw-queue-s-resource-in-hctx-s-release-handler.patch127
-rw-r--r--patches.fixes/coresight-etb10-Fix-handling-of-perf-mode.patch40
-rw-r--r--patches.fixes/coresight-etm4x-Add-support-to-enable-ETMv4.2.patch66
-rw-r--r--patches.fixes/crypto-cryptd-Fix-skcipher-instance-memory-leak.patch46
-rw-r--r--patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch3
-rw-r--r--patches.fixes/dax-Fix-xarray-entry-association-for-mixed-mappings.patch61
-rw-r--r--patches.fixes/drivers-base-introduce-kill_device.patch2
-rw-r--r--patches.fixes/ext4-do-not-delete-unlinked-inode-from-orphan-list-o.patch42
-rw-r--r--patches.fixes/fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch101
-rw-r--r--patches.fixes/fs-proc-proc_sysctl.c-Fix-a-NULL-pointer-dereference.patch101
-rw-r--r--patches.fixes/fs-proc-proc_sysctl.c-fix-NULL-pointer-dereference-i.patch105
-rw-r--r--patches.fixes/inet-switch-IP-ID-generator-to-siphash.patch151
-rw-r--r--patches.fixes/iommu-arm-smmu-Add-support-for-qcom-smmu-v2-variant.patch52
-rw-r--r--patches.fixes/iommu-arm-smmu-v3-Use-explicit-mb-when-moving-cons-p.patch50
-rw-r--r--patches.fixes/iommu-arm-smmu-v3-sync-the-OVACKFLG-to-PRIQ-consumer.patch37
-rw-r--r--patches.fixes/irqchip-mbigen-Don-t-clear-eventid-when-freeing-an-M.patch50
-rw-r--r--patches.fixes/libnvdimm-bus-prevent-duplicate-device_unregister-calls.patch2
-rw-r--r--patches.fixes/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch39
-rw-r--r--patches.fixes/netns-get-more-entropy-from-net_hash_mix.patch46
-rw-r--r--patches.fixes/netns-provide-pure-entropy-for-net_hash_mix.patch73
-rw-r--r--patches.fixes/nfit-ars-allow-root-to-busy-poll-the-ars-state-machine.patch66
-rw-r--r--patches.fixes/nvme-copy-mtfa-field-from-identify-controller.patch39
-rw-r--r--patches.fixes/sbitmap-fix-improper-use-of-smp_mb__before_atomic.patch42
-rw-r--r--patches.fixes/scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write_pending.patch42
-rw-r--r--patches.fixes/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch48
-rw-r--r--patches.fixes/scsi-vmw_pscsi-Fix-use-after-free-in-pvscsi_queue_lc.patch3
-rw-r--r--patches.fixes/tcp-refine-memory-limit-test-in-tcp_fragment.patch39
-rw-r--r--patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch4
-rw-r--r--patches.kabi/kabi-fixup-blk_mq_register_dev.patch41
-rw-r--r--patches.kabi/kabi-handle-addition-of-net-hash_mix.patch34
-rw-r--r--patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch77
-rw-r--r--patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch33
-rw-r--r--patches.suse/ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch182
-rw-r--r--patches.suse/hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch74
-rw-r--r--patches.suse/hugetlbfs-fix-kernel-BUG-at-fs-hugetlbfs-inode.c-444.patch134
-rw-r--r--patches.suse/mm-vmscan.c-prevent-useless-kswapd-loops.patch106
-rw-r--r--patches.suse/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch54
-rw-r--r--patches.suse/ptrace-restore-smp_rmb-in-__ptrace_may_access.patch60
-rw-r--r--patches.suse/signal-ptrace-Don-t-leak-unitialized-kernel-memory-w.patch74
-rw-r--r--patches.suse/tracing-snapshot-resize-spare-buffer-if-size-changed.patch105
-rw-r--r--rpm/gitlog-excludes4
-rw-r--r--rpm/post.sh4
-rwxr-xr-xscripts/git_sort/git_sort.py1
-rw-r--r--series.conf98
90 files changed, 5057 insertions, 33 deletions
diff --git a/blacklist.conf b/blacklist.conf
index f0224c47df..a4f95dcf95 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1179,3 +1179,15 @@ d5443bbf5fc8f8389cce146b1fc2987cdd229d12 # infrastructure, no bug fix
064c5d6881e897077639e04973de26440ee205e6 # not needed
d3669ca9ff33e1dc6414d1e34891d342e4544e71 # not applicable, just changes in comments
24512228b7a3f412b5a51f189df302616b021c33 # DISCONTIGMEM unsupported
+0c97bf863efce63d6ab7971dad811601e6171d2f # compiler warning, gcc-9
+4a60aa05a0634241ce17f957bf9fb5ac1eed6576 # not needed. We don't build with -ffunction-sections -fdata-sections.
+074376ac0e1d1fcd4fafebca86ee6158e7c20680 # __CHECKER__ only
+fe0640eb30b7da261ae84d252ed9ed3c7e68dfd8 # compiler.h: reverted in below
+c6975e4196549c18c5277a55e30b2d6d1b80abf2 # compiler.h: reverted above in 4.14.x
+149d05f80dc9259ad62f2630935502e4c02b26a7 # nouveau: build fix, not affected
+9ae306d8dbc874de331bb10a4451a5198b660257 # nouveau: build fix, not affected
+6491d698396fd5da4941980a35ca7c162a672016 # nfc: breaks kABI
+65fd4cb65b2dad97feb8330b6690445910b56d6a # Documentation moving only
+9c3e922ba316a5d3d8cbe41e0db97888fca5c359 # too risky because too many dependencies
+8a4db13ccc079b762123d04a7270d6d2cb3398d7 # drm/i915: Already cherry-picked
+600d3712ae122be3ceab0d7ac8246caa3d87dcea # drm/i915: Already cherry-picked
diff --git a/patches.arch/kvm-svm-avic-fix-off-by-one-in-checking-host-apic-id b/patches.arch/kvm-svm-avic-fix-off-by-one-in-checking-host-apic-id
new file mode 100644
index 0000000000..e147510107
--- /dev/null
+++ b/patches.arch/kvm-svm-avic-fix-off-by-one-in-checking-host-apic-id
@@ -0,0 +1,43 @@
+From: "Suthikulpanit, Suravee" <Suravee.Suthikulpanit@amd.com>
+Date: Tue, 14 May 2019 15:49:52 +0000
+Subject: kvm: svm/avic: fix off-by-one in checking host APIC ID
+Git-commit: c9bcd3e3335d0a29d89fabd2c385e1b989e6f1b0
+Patch-mainline: v5.2-rc2
+References: bsc#1140971
+
+Current logic does not allow VCPU to be loaded onto CPU with
+APIC ID 255. This should be allowed since the host physical APIC ID
+field in the AVIC Physical APIC table entry is an 8-bit value,
+and APIC ID 255 is valid in system with x2APIC enabled.
+Instead, do not allow VCPU load if the host APIC ID cannot be
+represented by an 8-bit value.
+
+Also, use the more appropriate AVIC_PHYSICAL_ID_ENTRY_HOST_PHYSICAL_ID_MASK
+instead of AVIC_MAX_PHYSICAL_ID_COUNT.
+
+Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/svm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index a849dcb7fbc5..a9e553a1317f 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -2024,7 +2024,11 @@ static void avic_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
+ if (!kvm_vcpu_apicv_active(vcpu))
+ return;
+
+- if (WARN_ON(h_physical_id >= AVIC_MAX_PHYSICAL_ID_COUNT))
++ /*
++ * Since the host physical APIC id is 8 bits,
++ * we can support host APIC ID upto 255.
++ */
++ if (WARN_ON(h_physical_id > AVIC_PHYSICAL_ID_ENTRY_HOST_PHYSICAL_ID_MASK))
+ return;
+
+ entry = READ_ONCE(*(svm->avic_physical_id_cache));
+
diff --git a/patches.arch/kvm-x86-fix-return-value-for-reserved-efer b/patches.arch/kvm-x86-fix-return-value-for-reserved-efer
new file mode 100644
index 0000000000..5f8ffae10c
--- /dev/null
+++ b/patches.arch/kvm-x86-fix-return-value-for-reserved-efer
@@ -0,0 +1,36 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 24 May 2019 21:52:46 +0200
+Subject: KVM: x86: fix return value for reserved EFER
+Git-commit: 66f61c92889ff3ca365161fb29dd36d6354682ba
+Patch-mainline: v5.2-rc2
+References: bsc#1140992
+
+Commit 11988499e62b ("KVM: x86: Skip EFER vs. guest CPUID checks for
+host-initiated writes", 2019-04-02) introduced a "return false" in a
+function returning int, and anyway set_efer has a "nonzero on error"
+conventon so it should be returning 1.
+
+Reported-by: Pavel Machek <pavel@denx.de>
+Fixes: 11988499e62b ("KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes")
+Cc: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index e7e57de50a3c..acb179f78fdc 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1298,7 +1298,7 @@ static int set_efer(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ u64 efer = msr_info->data;
+
+ if (efer & efer_reserved_bits)
+- return false;
++ return 1;
+
+ if (!msr_info->host_initiated) {
+ if (!__kvm_valid_efer(vcpu, efer))
+
diff --git a/patches.arch/kvm-x86-skip-efer-vs-guest-cpuid-checks-for-host-initiated-writes b/patches.arch/kvm-x86-skip-efer-vs-guest-cpuid-checks-for-host-initiated-writes
new file mode 100644
index 0000000000..ef1cd7f41b
--- /dev/null
+++ b/patches.arch/kvm-x86-skip-efer-vs-guest-cpuid-checks-for-host-initiated-writes
@@ -0,0 +1,99 @@
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Tue, 2 Apr 2019 08:19:15 -0700
+Subject: KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes
+Git-commit: 11988499e62b310f3bf6f6d0a807a06d3f9ccc96
+Patch-mainline: v5.2-rc1
+References: bsc#1140972
+
+KVM allows userspace to violate consistency checks related to the
+guest's CPUID model to some degree. Generally speaking, userspace has
+carte blanche when it comes to guest state so long as jamming invalid
+state won't negatively affect the host.
+
+Currently this is seems to be a non-issue as most of the interesting
+EFER checks are missing, e.g. NX and LME, but those will be added
+shortly. Proactively exempt userspace from the CPUID checks so as not
+to break userspace.
+
+Note, the efer_reserved_bits check still applies to userspace writes as
+that mask reflects the host's capabilities, e.g. KVM shouldn't allow a
+guest to run with NX=1 if it has been disabled in the host.
+
+Fixes: d80174745ba39 ("KVM: SVM: Only allow setting of EFER_SVME when CPUID SVM is set")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/x86.c | 37 ++++++++++++++++++++++++-------------
+ 1 file changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index a0d1fc80ac5a..5d7dcd06d08a 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1258,31 +1258,42 @@ static int do_get_msr_feature(struct kvm_vcpu *vcpu, unsigned index, u64 *data)
+ return 0;
+ }
+
+-bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
++static bool __kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
+ {
+- if (efer & efer_reserved_bits)
+- return false;
+-
+ if (efer & EFER_FFXSR && !guest_cpuid_has(vcpu, X86_FEATURE_FXSR_OPT))
+- return false;
++ return false;
+
+ if (efer & EFER_SVME && !guest_cpuid_has(vcpu, X86_FEATURE_SVM))
+- return false;
++ return false;
+
+ return true;
++
++}
++bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
++{
++ if (efer & efer_reserved_bits)
++ return false;
++
++ return __kvm_valid_efer(vcpu, efer);
+ }
+ EXPORT_SYMBOL_GPL(kvm_valid_efer);
+
+-static int set_efer(struct kvm_vcpu *vcpu, u64 efer)
++static int set_efer(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ {
+ u64 old_efer = vcpu->arch.efer;
++ u64 efer = msr_info->data;
+
+- if (!kvm_valid_efer(vcpu, efer))
+- return 1;
++ if (efer & efer_reserved_bits)
++ return false;
+
+- if (is_paging(vcpu)
+- && (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME))
+- return 1;
++ if (!msr_info->host_initiated) {
++ if (!__kvm_valid_efer(vcpu, efer))
++ return 1;
++
++ if (is_paging(vcpu) &&
++ (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME))
++ return 1;
++ }
+
+ efer &= ~EFER_LMA;
+ efer |= vcpu->arch.efer & EFER_LMA;
+@@ -2452,7 +2463,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ vcpu->arch.arch_capabilities = data;
+ break;
+ case MSR_EFER:
+- return set_efer(vcpu, data);
++ return set_efer(vcpu, msr_info);
+ case MSR_K7_HWCR:
+ data &= ~(u64)0x40; /* ignore flush filter disable */
+ data &= ~(u64)0x100; /* ignore ignne emulation enable */
+
diff --git a/patches.drivers/ACPI-PM-Allow-transitions-to-D0-to-occur-in-special-.patch b/patches.drivers/ACPI-PM-Allow-transitions-to-D0-to-occur-in-special-.patch
new file mode 100644
index 0000000000..7591216e6b
--- /dev/null
+++ b/patches.drivers/ACPI-PM-Allow-transitions-to-D0-to-occur-in-special-.patch
@@ -0,0 +1,146 @@
+From f850a48a07996bfd7bd1b2e52f57b5ee55125482 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Tue, 25 Jun 2019 14:06:13 +0200
+Subject: [PATCH] ACPI: PM: Allow transitions to D0 to occur in special cases
+Git-commit: f850a48a07996bfd7bd1b2e52f57b5ee55125482
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+If a device with ACPI PM is left in D0 during a system-wide
+transition to the S3 (suspend-to-RAM) or S4 (hibernation) sleep
+state, the actual state of the device need not be D0 during resume
+from it, although its power.state value will still reflect D0 (that
+is, the power state from before the system-wide transition).
+
+In that case, the acpi_device_set_power() call made to ensure that
+the power state of the device will be D0 going forward has no effect,
+because the new state (D0) is equal to the one reflected by the
+device's power.state value. That does not affect power resources,
+which are taken care of by acpi_resume_power_resources() called from
+acpi_pm_finish() during resume from system-wide sleep states, but it
+still may be necessary to invoke _PS0 for the device on top of that
+in order to finalize its transition to D0.
+
+For this reason, modify acpi_device_set_power() to allow transitions
+to D0 to occur even if D0 is the current power state of the device
+according to its power.state value.
+
+That will not affect power resources, which are assumed to be in
+the right configuration already (as reflected by the current values
+of their reference counters), but it may cause _PS0 to be evaluated
+for the device. However, evaluating _PS0 for a device already in D0
+may lead to confusion in general, so invoke _PSC (if present) to
+check the device's current power state upfront and only evaluate
+_PS0 for it if _PSC has returned a power state different from D0.
+[If _PSC is not present or the evaluation of it fails, the power
+state of the device is assumed to be D0 at this point.]
+
+Fixes: 20dacb71ad28 (ACPI / PM: Rework device power management to follow ACPI 6)
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/device_pm.c | 53 ++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 45 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/acpi/device_pm.c b/drivers/acpi/device_pm.c
+index 3269a4e8b902..94194c7e8a07 100644
+--- a/drivers/acpi/device_pm.c
++++ b/drivers/acpi/device_pm.c
+@@ -53,6 +53,19 @@ const char *acpi_power_state_string(int state)
+ }
+ }
+
++static int acpi_dev_pm_explicit_get(struct acpi_device *device, int *state)
++{
++ unsigned long long psc;
++ acpi_status status;
++
++ status = acpi_evaluate_integer(device->handle, "_PSC", NULL, &psc);
++ if (ACPI_FAILURE(status))
++ return -ENODEV;
++
++ *state = psc;
++ return 0;
++}
++
+ /**
+ * acpi_device_get_power - Get power state of an ACPI device.
+ * @device: Device to get the power state of.
+@@ -65,6 +78,7 @@ const char *acpi_power_state_string(int state)
+ int acpi_device_get_power(struct acpi_device *device, int *state)
+ {
+ int result = ACPI_STATE_UNKNOWN;
++ int error;
+
+ if (!device || !state)
+ return -EINVAL;
+@@ -81,18 +95,16 @@ int acpi_device_get_power(struct acpi_device *device, int *state)
+ * if available.
+ */
+ if (device->power.flags.power_resources) {
+- int error = acpi_power_get_inferred_state(device, &result);
++ error = acpi_power_get_inferred_state(device, &result);
+ if (error)
+ return error;
+ }
+ if (device->power.flags.explicit_get) {
+- acpi_handle handle = device->handle;
+- unsigned long long psc;
+- acpi_status status;
++ int psc;
+
+- status = acpi_evaluate_integer(handle, "_PSC", NULL, &psc);
+- if (ACPI_FAILURE(status))
+- return -ENODEV;
++ error = acpi_dev_pm_explicit_get(device, &psc);
++ if (error)
++ return error;
+
+ /*
+ * The power resources settings may indicate a power state
+@@ -160,7 +172,8 @@ int acpi_device_set_power(struct acpi_device *device, int state)
+
+ /* Make sure this is a valid target state */
+
+- if (state == device->power.state) {
++ /* There is a special case for D0 addressed below. */
++ if (state > ACPI_STATE_D0 && state == device->power.state) {
+ ACPI_DEBUG_PRINT((ACPI_DB_INFO, "Device [%s] already in %s\n",
+ device->pnp.bus_id,
+ acpi_power_state_string(state)));
+@@ -228,6 +241,30 @@ int acpi_device_set_power(struct acpi_device *device, int state)
+ if (result)
+ goto end;
+ }
++
++ if (device->power.state == ACPI_STATE_D0) {
++ int psc;
++
++ /* Nothing to do here if _PSC is not present. */
++ if (!device->power.flags.explicit_get)
++ return 0;
++
++ /*
++ * The power state of the device was set to D0 last
++ * time, but that might have happened before a
++ * system-wide transition involving the platform
++ * firmware, so it may be necessary to evaluate _PS0
++ * for the device here. However, use extra care here
++ * and evaluate _PSC to check the device's current power
++ * state, and only invoke _PS0 if the evaluation of _PSC
++ * is successful and it returns a power state different
++ * from D0.
++ */
++ result = acpi_dev_pm_explicit_get(device, &psc);
++ if (result || psc == ACPI_STATE_D0)
++ return 0;
++ }
++
+ result = acpi_dev_pm_explicit_set(device, ACPI_STATE_D0);
+ }
+
+--
+2.16.4
+
diff --git a/patches.drivers/ACPI-PM-Avoid-evaluating-_PS3-on-transitions-from-D3.patch b/patches.drivers/ACPI-PM-Avoid-evaluating-_PS3-on-transitions-from-D3.patch
new file mode 100644
index 0000000000..3ae9bad71f
--- /dev/null
+++ b/patches.drivers/ACPI-PM-Avoid-evaluating-_PS3-on-transitions-from-D3.patch
@@ -0,0 +1,50 @@
+From 21ba237926227121dacccaf5d7863b0cb50f3eda Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Tue, 25 Jun 2019 14:04:45 +0200
+Subject: [PATCH] ACPI: PM: Avoid evaluating _PS3 on transitions from D3hot to D3cold
+Git-commit: 21ba237926227121dacccaf5d7863b0cb50f3eda
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+If the power state of a device with ACPI PM is changed from D3hot to
+D3cold, it merely is a matter of dropping references to additional
+power resources (specifically, those in the list returned by _PR3),
+and the _PS3 method should not be invoked for the device then (as
+it has already been evaluated during the previous transition to
+D3hot).
+
+Fixes: 20dacb71ad28 (ACPI / PM: Rework device power management to follow ACPI 6)
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/device_pm.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/acpi/device_pm.c b/drivers/acpi/device_pm.c
+index b859d75eaf9f..3269a4e8b902 100644
+--- a/drivers/acpi/device_pm.c
++++ b/drivers/acpi/device_pm.c
+@@ -210,9 +210,15 @@ int acpi_device_set_power(struct acpi_device *device, int state)
+ return -ENODEV;
+ }
+
+- result = acpi_dev_pm_explicit_set(device, state);
+- if (result)
+- goto end;
++ /*
++ * If the device goes from D3hot to D3cold, _PS3 has been
++ * evaluated for it already, so skip it in that case.
++ */
++ if (device->power.state < ACPI_STATE_D3_HOT) {
++ result = acpi_dev_pm_explicit_set(device, state);
++ if (result)
++ goto end;
++ }
+
+ if (device->power.flags.power_resources)
+ result = acpi_power_transition(device, target_state);
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-firewire-lib-fireworks-fix-miss-detection-of-re.patch b/patches.drivers/ALSA-firewire-lib-fireworks-fix-miss-detection-of-re.patch
new file mode 100644
index 0000000000..271333c385
--- /dev/null
+++ b/patches.drivers/ALSA-firewire-lib-fireworks-fix-miss-detection-of-re.patch
@@ -0,0 +1,57 @@
+From 7fbd1753b64eafe21cf842348a40a691d0dee440 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Mon, 1 Jul 2019 23:43:53 +0900
+Subject: [PATCH 5/7] ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages
+Git-commit: 7fbd1753b64eafe21cf842348a40a691d0dee440
+Patch-mainline: v5.2
+References: bsc#1051510
+
+In IEC 61883-6, 8 MIDI data streams are multiplexed into single
+MIDI conformant data channel. The index of stream is calculated by
+modulo 8 of the value of data block counter.
+
+In fireworks, the value of data block counter in CIP header has a quirk
+with firmware version v5.0.0, v5.7.3 and v5.8.0. This brings ALSA
+IEC 61883-1/6 packet streaming engine to miss detection of MIDI
+messages.
+
+This commit fixes the miss detection to modify the value of data block
+counter for the modulo calculation.
+
+For maintainers, this bug exists since a commit 18f5ed365d3f ("ALSA:
+Fireworks/firewire-lib: add support for recent firmware quirk") in Linux
+kernel v4.2. There're many changes since the commit. This fix can be
+backported to Linux kernel v4.4 or later. I tagged a base commit to the
+backport for your convenience.
+
+Besides, my work for Linux kernel v5.3 brings heavy code refactoring and
+some structure members are renamed in 'sound/firewire/amdtp-stream.h'.
+The content of this patch brings conflict when merging -rc tree with
+this patch and the latest tree. I request maintainers to solve the
+conflict to replace 'tx_first_dbc' with 'ctx_data.tx.first_dbc'.
+
+Fixes: df075feefbd3 ("ALSA: firewire-lib: complete AM824 data block processing layer")
+Cc: <stable@vger.kernel.org> # v4.4+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/firewire/amdtp-am824.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/firewire/amdtp-am824.c b/sound/firewire/amdtp-am824.c
+index 4210e5c6262e..d09da9dbf235 100644
+--- a/sound/firewire/amdtp-am824.c
++++ b/sound/firewire/amdtp-am824.c
+@@ -321,7 +321,7 @@ static void read_midi_messages(struct amdtp_stream *s,
+ u8 *b;
+
+ for (f = 0; f < frames; f++) {
+- port = (s->data_block_counter + f) % 8;
++ port = (8 - s->tx_first_dbc + s->data_block_counter + f) % 8;
+ b = (u8 *)&buffer[p->midi_position];
+
+ len = b[0] - 0x80;
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-hda-realtek-Add-quirks-for-several-Clevo-notebo.patch b/patches.drivers/ALSA-hda-realtek-Add-quirks-for-several-Clevo-notebo.patch
new file mode 100644
index 0000000000..4d50162a19
--- /dev/null
+++ b/patches.drivers/ALSA-hda-realtek-Add-quirks-for-several-Clevo-notebo.patch
@@ -0,0 +1,49 @@
+From 503d90b30602a3295978e46d844ccc8167400fe6 Mon Sep 17 00:00:00 2001
+From: Richard Sailer <rs@tuxedocomputers.com>
+Date: Wed, 19 Jun 2019 13:33:11 +0200
+Subject: [PATCH 1/7] ALSA: hda/realtek: Add quirks for several Clevo notebook barebones
+Git-commit: 503d90b30602a3295978e46d844ccc8167400fe6
+Patch-mainline: v5.2
+References: bsc#1051510
+
+This adds 4 SND_PCI_QUIRK(...) lines for several barebone models of the ODM
+Clevo. The model names are written in regex syntax to describe/match all clevo
+models that are similar enough and use the same PCI SSID that this fixup works
+for them.
+
+Additionally the lines regarding SSID 0x96e1 and 0x97e1 didn't fix audio for the
+all our Clevo notebooks using these SSIDs (models Clevo P960* and P970*) since
+ALC1220_FIXP_CLEVO_PB51ED_PINS swapped pins that are not necesarry to be
+swapped. This patch initiates ALC1220_FIXUP_CLEVO_P950 instead for these model
+and fixes the audio.
+
+Fixes: 80690a276f44 ("ALSA: hda/realtek - Add quirk for Tuxedo XC 1509")
+Signed-off-by: Richard Sailer <rs@tuxedocomputers.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/patch_realtek.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 179e4be1f747..35f01f5102da 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -2461,9 +2461,10 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1558, 0x9501, "Clevo P950HR", ALC1220_FIXUP_CLEVO_P950),
+ SND_PCI_QUIRK(0x1558, 0x95e1, "Clevo P95xER", ALC1220_FIXUP_CLEVO_P950),
+ SND_PCI_QUIRK(0x1558, 0x95e2, "Clevo P950ER", ALC1220_FIXUP_CLEVO_P950),
+- SND_PCI_QUIRK(0x1558, 0x96e1, "System76 Oryx Pro (oryp5)", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+- SND_PCI_QUIRK(0x1558, 0x97e1, "System76 Oryx Pro (oryp5)", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+- SND_PCI_QUIRK(0x1558, 0x65d1, "Tuxedo Book XC1509", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
++ SND_PCI_QUIRK(0x1558, 0x96e1, "Clevo P960[ER][CDFN]-K", ALC1220_FIXUP_CLEVO_P950),
++ SND_PCI_QUIRK(0x1558, 0x97e1, "Clevo P970[ER][CDFN]", ALC1220_FIXUP_CLEVO_P950),
++ SND_PCI_QUIRK(0x1558, 0x65d1, "Clevo PB51[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
++ SND_PCI_QUIRK(0x1558, 0x67d1, "Clevo PB71[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS),
+ SND_PCI_QUIRK_VENDOR(0x1558, "Clevo laptop", ALC882_FIXUP_EAPD),
+ SND_PCI_QUIRK(0x161f, 0x2054, "Medion laptop", ALC883_FIXUP_EAPD),
+ SND_PCI_QUIRK(0x17aa, 0x3a0d, "Lenovo Y530", ALC882_FIXUP_LENOVO_Y530),
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-hda-realtek-Change-front-mic-location-for-Lenov.patch b/patches.drivers/ALSA-hda-realtek-Change-front-mic-location-for-Lenov.patch
new file mode 100644
index 0000000000..d9e56de2c1
--- /dev/null
+++ b/patches.drivers/ALSA-hda-realtek-Change-front-mic-location-for-Lenov.patch
@@ -0,0 +1,34 @@
+From bef33e19203dde434bcdf21c449e3fb4f06c2618 Mon Sep 17 00:00:00 2001
+From: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+Date: Fri, 28 Jun 2019 10:54:53 +0200
+Subject: [PATCH 3/7] ALSA: hda/realtek - Change front mic location for Lenovo M710q
+Git-commit: bef33e19203dde434bcdf21c449e3fb4f06c2618
+Patch-mainline: v5.2
+References: bsc#1051510
+
+On M710q Lenovo ThinkCentre machine, there are two front mics,
+we change the location for one of them to avoid conflicts.
+
+Signed-off-by: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 35f01f5102da..48f3c5b8d6e9 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -7088,6 +7088,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
++ SND_PCI_QUIRK(0x17aa, 0x3111, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+ SND_PCI_QUIRK(0x17aa, 0x312a, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+ SND_PCI_QUIRK(0x17aa, 0x312f, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+ SND_PCI_QUIRK(0x17aa, 0x313c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-line6-Fix-write-on-zero-sized-buffer.patch b/patches.drivers/ALSA-line6-Fix-write-on-zero-sized-buffer.patch
new file mode 100644
index 0000000000..63ae7ade56
--- /dev/null
+++ b/patches.drivers/ALSA-line6-Fix-write-on-zero-sized-buffer.patch
@@ -0,0 +1,44 @@
+From 3450121997ce872eb7f1248417225827ea249710 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 2 Jul 2019 20:07:21 +0200
+Subject: [PATCH 7/7] ALSA: line6: Fix write on zero-sized buffer
+Git-commit: 3450121997ce872eb7f1248417225827ea249710
+Patch-mainline: v5.2
+References: bsc#1051510
+
+LINE6 drivers allocate the buffers based on the value returned from
+usb_maxpacket() calls. The manipulated device may return zero for
+this, and this results in the kmalloc() with zero size (and it may
+succeed) while the other part of the driver code writes the packet
+data with the fixed size -- which eventually overwrites.
+
+This patch adds a simple sanity check for the invalid buffer size for
+avoiding that problem.
+
+Reported-by: syzbot+219f00fb49874dcaea17@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/usb/line6/pcm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/sound/usb/line6/pcm.c b/sound/usb/line6/pcm.c
+index 72c6f8e82a7e..78c2d6cab3b5 100644
+--- a/sound/usb/line6/pcm.c
++++ b/sound/usb/line6/pcm.c
+@@ -560,6 +560,11 @@ int line6_init_pcm(struct usb_line6 *line6,
+ line6pcm->max_packet_size_out =
+ usb_maxpacket(line6->usbdev,
+ usb_sndisocpipe(line6->usbdev, ep_write), 1);
++ if (!line6pcm->max_packet_size_in || !line6pcm->max_packet_size_out) {
++ dev_err(line6pcm->line6->ifcdev,
++ "cannot get proper max packet size\n");
++ return -EINVAL;
++ }
+
+ spin_lock_init(&line6pcm->out.lock);
+ spin_lock_init(&line6pcm->in.lock);
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-seq-fix-incorrect-order-of-dest_client-dest_por.patch b/patches.drivers/ALSA-seq-fix-incorrect-order-of-dest_client-dest_por.patch
new file mode 100644
index 0000000000..2f91a32253
--- /dev/null
+++ b/patches.drivers/ALSA-seq-fix-incorrect-order-of-dest_client-dest_por.patch
@@ -0,0 +1,51 @@
+From c3ea60c231446663afd6ea1054da6b7f830855ca Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 28 Jun 2019 10:54:29 +0100
+Subject: [PATCH 4/7] ALSA: seq: fix incorrect order of dest_client/dest_ports arguments
+Git-commit: c3ea60c231446663afd6ea1054da6b7f830855ca
+Patch-mainline: v5.2
+References: bsc#1051510
+
+There are two occurrances of a call to snd_seq_oss_fill_addr where
+the dest_client and dest_port arguments are in the wrong order. Fix
+this by swapping them around.
+
+Addresses-coverity: ("Arguments in wrong order")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/core/seq/oss/seq_oss_ioctl.c | 2 +-
+ sound/core/seq/oss/seq_oss_rw.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/core/seq/oss/seq_oss_ioctl.c b/sound/core/seq/oss/seq_oss_ioctl.c
+index 5b8520177b0e..7d72e3d48ad5 100644
+--- a/sound/core/seq/oss/seq_oss_ioctl.c
++++ b/sound/core/seq/oss/seq_oss_ioctl.c
+@@ -62,7 +62,7 @@ static int snd_seq_oss_oob_user(struct seq_oss_devinfo *dp, void __user *arg)
+ if (copy_from_user(ev, arg, 8))
+ return -EFAULT;
+ memset(&tmpev, 0, sizeof(tmpev));
+- snd_seq_oss_fill_addr(dp, &tmpev, dp->addr.port, dp->addr.client);
++ snd_seq_oss_fill_addr(dp, &tmpev, dp->addr.client, dp->addr.port);
+ tmpev.time.tick = 0;
+ if (! snd_seq_oss_process_event(dp, (union evrec *)ev, &tmpev)) {
+ snd_seq_oss_dispatch(dp, &tmpev, 0, 0);
+diff --git a/sound/core/seq/oss/seq_oss_rw.c b/sound/core/seq/oss/seq_oss_rw.c
+index eb1ef12181f3..1063e1b16ea0 100644
+--- a/sound/core/seq/oss/seq_oss_rw.c
++++ b/sound/core/seq/oss/seq_oss_rw.c
+@@ -174,7 +174,7 @@ insert_queue(struct seq_oss_devinfo *dp, union evrec *rec, struct file *opt)
+ memset(&event, 0, sizeof(event));
+ /* set dummy -- to be sure */
+ event.type = SNDRV_SEQ_EVENT_NOTEOFF;
+- snd_seq_oss_fill_addr(dp, &event, dp->addr.port, dp->addr.client);
++ snd_seq_oss_fill_addr(dp, &event, dp->addr.client, dp->addr.port);
+
+ if (snd_seq_oss_process_event(dp, rec, &event))
+ return 0; /* invalid event - no need to insert queue */
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-usb-audio-fix-sign-unintended-sign-extension-on.patch b/patches.drivers/ALSA-usb-audio-fix-sign-unintended-sign-extension-on.patch
new file mode 100644
index 0000000000..76c6745471
--- /dev/null
+++ b/patches.drivers/ALSA-usb-audio-fix-sign-unintended-sign-extension-on.patch
@@ -0,0 +1,48 @@
+From 2acf5a3e6e9371e63c9e4ff54d84d08f630467a0 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 27 Jun 2019 17:43:08 +0100
+Subject: [PATCH 2/7] ALSA: usb-audio: fix sign unintended sign extension on left shifts
+Git-commit: 2acf5a3e6e9371e63c9e4ff54d84d08f630467a0
+Patch-mainline: v5.2
+References: bsc#1051510
+
+There are a couple of left shifts of unsigned 8 bit values that
+first get promoted to signed ints and hence get sign extended
+on the shift if the top bit of the 8 bit values are set. Fix
+this by casting the 8 bit values to unsigned ints to stop the
+unintentional sign extension.
+
+Addresses-coverity: ("Unintended sign extension")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/usb/mixer_quirks.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
+index a751a18ca4c2..5783329a3237 100644
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -754,7 +754,7 @@ static int snd_ni_control_init_val(struct usb_mixer_interface *mixer,
+ return err;
+ }
+
+- kctl->private_value |= (value << 24);
++ kctl->private_value |= ((unsigned int)value << 24);
+ return 0;
+ }
+
+@@ -915,7 +915,7 @@ static int snd_ftu_eff_switch_init(struct usb_mixer_interface *mixer,
+ if (err < 0)
+ return err;
+
+- kctl->private_value |= value[0] << 24;
++ kctl->private_value |= (unsigned int)value[0] << 24;
+ return 0;
+ }
+
+--
+2.16.4
+
diff --git a/patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072 b/patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072
index 2ca1565c25..f68d63c78d 100644
--- a/patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072
+++ b/patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072
@@ -4,8 +4,7 @@ Date: Tue, 21 May 2019 08:26:53 +0200
Subject: [PATCH] ASoC: Intel: Add machine driver for CX2072X on BYT/CHT
platforms
Git-commit: 3917da94f787e6c907e440653ead0c666a71379e
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
-Patch-mainline: Queued in subsystem maintainer repository
+Patch-mainline: v5.3-rc1
References: bsc#1068546
This is an implementation of a machine driver needed for Conexant
diff --git a/patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC b/patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC
index 84a7521746..9901b44f89 100644
--- a/patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC
+++ b/patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC
@@ -3,8 +3,7 @@ From: Simon Ho <simon.ho@conexant.com>
Date: Tue, 21 May 2019 08:26:52 +0200
Subject: [PATCH] ASoC: Add support for Conexant CX2072X CODEC
Git-commit: a497a4363706b3eb208c64e66e5b485bb3b186ac
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git
-Patch-mainline: Queued in subsystem maintainer repository
+Patch-mainline: v5.3-rc1
References: bsc#1068546
Initial commit of the Conexant CX2072X CODEC driver. Some features are
diff --git a/patches.drivers/ASoC-cx2072x-fix-integer-overflow-on-unsigned-int-mu.patch b/patches.drivers/ASoC-cx2072x-fix-integer-overflow-on-unsigned-int-mu.patch
new file mode 100644
index 0000000000..b8ebd2832a
--- /dev/null
+++ b/patches.drivers/ASoC-cx2072x-fix-integer-overflow-on-unsigned-int-mu.patch
@@ -0,0 +1,41 @@
+From be0461048b60066eaba9046178fb96e78579af21 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 24 May 2019 23:25:51 +0100
+Subject: [PATCH] ASoC: cx2072x: fix integer overflow on unsigned int multiply
+Git-commit: be0461048b60066eaba9046178fb96e78579af21
+Patch-mainline: v5.3-rc1
+References: bsc#1111666
+
+In the case where frac_div larger than 96 the result of an unsigned
+multiplication overflows an unsigned int. For example, this can
+happen when the sample_rate is 192000 and pll_input is 122. Fix
+this by casing the first term of the mutiply to a u64. Also remove
+the extraneous parentheses around the expression.
+
+Addresses-coverity: ("Unintentional integer overflow")
+Fixes: a497a4363706 ("ASoC: Add support for Conexant CX2072X CODEC")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/soc/codecs/cx2072x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cx2072x.c b/sound/soc/codecs/cx2072x.c
+index c11a585bbf70..ed762546eaee 100644
+--- a/sound/soc/codecs/cx2072x.c
++++ b/sound/soc/codecs/cx2072x.c
+@@ -627,7 +627,7 @@ static int cx2072x_config_pll(struct cx2072x_priv *cx2072x)
+ if (frac_div) {
+ frac_div *= 1000;
+ frac_div /= pll_input;
+- frac_num = ((4000 + frac_div) * ((1 << 20) - 4));
++ frac_num = (u64)(4000 + frac_div) * ((1 << 20) - 4);
+ do_div(frac_num, 7);
+ frac = ((u32)frac_num + 499) / 1000;
+ }
+--
+2.16.4
+
diff --git a/patches.drivers/clk-rockchip-Turn-on-aclk_dmac1-for-suspend-on-rk328.patch b/patches.drivers/clk-rockchip-Turn-on-aclk_dmac1-for-suspend-on-rk328.patch
new file mode 100644
index 0000000000..0569125656
--- /dev/null
+++ b/patches.drivers/clk-rockchip-Turn-on-aclk_dmac1-for-suspend-on-rk328.patch
@@ -0,0 +1,91 @@
+From 57a20248ef3e429dc822f0774bc4e00136c46c83 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Thu, 11 Apr 2019 16:21:53 -0700
+Subject: [PATCH] clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288
+Git-commit: 57a20248ef3e429dc822f0774bc4e00136c46c83
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Experimentally it can be seen that going into deep sleep (specifically
+setting PMU_CLR_DMA and PMU_CLR_BUS in RK3288_PMU_PWRMODE_CON1)
+appears to fail unless "aclk_dmac1" is on. The failure is that the
+system never signals that it made it into suspend on the GLOBAL_PWROFF
+pin and it just hangs.
+
+NOTE that it's confirmed that it's the actual suspend that fails, not
+one of the earlier calls to read/write registers. Specifically if you
+comment out the "PMU_GLOBAL_INT_DISABLE" setting in
+rk3288_slp_mode_set() and then comment out the "cpu_do_idle()" call in
+rockchip_lpmode_enter() then you can exercise the whole suspend path
+without any crashing.
+
+This is currently not a problem with suspend upstream because there is
+no current way to exercise the deep suspend code. However, anyone
+trying to make it work will run into this issue.
+
+This was not a problem on shipping rk3288-based Chromebooks because
+those devices all ran on an old kernel based on 3.14. On that kernel
+"aclk_dmac1" appears to be left on all the time.
+
+There are several ways to skin this problem.
+
+A) We could add "aclk_dmac1" to the list of critical clocks and that
+apperas to work, but presumably that wastes power.
+
+B) We could keep a list of "struct clk" objects to enable at suspend
+time in clk-rk3288.c and use the standard clock APIs.
+
+C) We could make the rk3288-pmu driver keep a list of clocks to enable
+at suspend time. Presumably this would require a dts and bindings
+change.
+
+D) We could just whack the clock on in the existing syscore suspend
+function where we whack a bunch of other clocks. This is particularly
+easy because we know for sure that the clock's only parent
+("aclk_cpu") is a critical clock so we don't need to do anything more
+than ungate it.
+
+In this case I have chosen D) because it seemed like the least work,
+but any of the other options would presumably also work fine.
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Elaine Zhang <zhangqing@rock-chips.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/clk/rockchip/clk-rk3288.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/clk/rockchip/clk-rk3288.c b/drivers/clk/rockchip/clk-rk3288.c
+index 961d4ee86b75..e8b5a6bfcc8a 100644
+--- a/drivers/clk/rockchip/clk-rk3288.c
++++ b/drivers/clk/rockchip/clk-rk3288.c
+@@ -861,6 +861,9 @@ static const int rk3288_saved_cru_reg_ids[] = {
+ RK3288_CLKSEL_CON(10),
+ RK3288_CLKSEL_CON(33),
+ RK3288_CLKSEL_CON(37),
++
++ /* We turn aclk_dmac1 on for suspend; this will restore it */
++ RK3288_CLKGATE_CON(10),
+ };
+
+ static u32 rk3288_saved_cru_regs[ARRAY_SIZE(rk3288_saved_cru_reg_ids)];
+@@ -876,6 +879,14 @@ static int rk3288_clk_suspend(void)
+ readl_relaxed(rk3288_cru_base + reg_id);
+ }
+
++ /*
++ * Going into deep sleep (specifically setting PMU_CLR_DMA in
++ * RK3288_PMU_PWRMODE_CON1) appears to fail unless
++ * "aclk_dmac1" is on.
++ */
++ writel_relaxed(1 << (12 + 16),
++ rk3288_cru_base + RK3288_CLKGATE_CON(10));
++
+ /*
+ * Switch PLLs other than DPLL (for SDRAM) to slow mode to
+ * avoid crashes on resume. The Mask ROM on the system will
+--
+2.16.4
+
diff --git a/patches.drivers/clk-tegra-Fix-PLLM-programming-on-Tegra124-when-PMC-.patch b/patches.drivers/clk-tegra-Fix-PLLM-programming-on-Tegra124-when-PMC-.patch
new file mode 100644
index 0000000000..0b70c9eece
--- /dev/null
+++ b/patches.drivers/clk-tegra-Fix-PLLM-programming-on-Tegra124-when-PMC-.patch
@@ -0,0 +1,43 @@
+From 40db569d6769ffa3864fd1b89616b1a7323568a8 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Fri, 12 Apr 2019 00:48:34 +0300
+Subject: [PATCH] clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider
+Git-commit: 40db569d6769ffa3864fd1b89616b1a7323568a8
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+There are wrongly set parenthesis in the code that are resulting in a
+wrong configuration being programmed for PLLM. The original fix was made
+by Danny Huang in the downstream kernel. The patch was tested on Nyan Big
+Tegra124 chromebook, PLLM rate changing works correctly now and system
+doesn't lock up after changing the PLLM rate due to EMC scaling.
+
+Cc: <stable@vger.kernel.org>
+Tested-by: Steev Klimaszewski <steev@kali.org>
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-by: Peter De Schrijver <pdeschrijver@nvidia.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/clk/tegra/clk-pll.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/tegra/clk-pll.c b/drivers/clk/tegra/clk-pll.c
+index ebc8481a2122..6b976b2514f7 100644
+--- a/drivers/clk/tegra/clk-pll.c
++++ b/drivers/clk/tegra/clk-pll.c
+@@ -666,8 +666,8 @@ static void _update_pll_mnp(struct tegra_clk_pll *pll,
+ pll_override_writel(val, params->pmc_divp_reg, pll);
+
+ val = pll_override_readl(params->pmc_divnm_reg, pll);
+- val &= ~(divm_mask(pll) << div_nmp->override_divm_shift) |
+- ~(divn_mask(pll) << div_nmp->override_divn_shift);
++ val &= ~((divm_mask(pll) << div_nmp->override_divm_shift) |
++ (divn_mask(pll) << div_nmp->override_divn_shift));
+ val |= (cfg->m << div_nmp->override_divm_shift) |
+ (cfg->n << div_nmp->override_divn_shift);
+ pll_override_writel(val, params->pmc_divnm_reg, pll);
+--
+2.16.4
+
diff --git a/patches.drivers/dmaengine-imx-sdma-remove-BD_INTR-for-channel0.patch b/patches.drivers/dmaengine-imx-sdma-remove-BD_INTR-for-channel0.patch
new file mode 100644
index 0000000000..a1620a33ac
--- /dev/null
+++ b/patches.drivers/dmaengine-imx-sdma-remove-BD_INTR-for-channel0.patch
@@ -0,0 +1,58 @@
+From 3f93a4f297961c12bb17aa16cb3a4d1291823cae Mon Sep 17 00:00:00 2001
+From: Robin Gong <yibin.gong@nxp.com>
+Date: Fri, 21 Jun 2019 16:23:06 +0800
+Subject: [PATCH] dmaengine: imx-sdma: remove BD_INTR for channel0
+Git-commit: 3f93a4f297961c12bb17aa16cb3a4d1291823cae
+Patch-mainline: v5.2
+References: bsc#1051510
+
+It is possible for an irq triggered by channel0 to be received later
+after clks are disabled once firmware loaded during sdma probe. If
+that happens then clearing them by writing to SDMA_H_INTR won't work
+and the kernel will hang processing infinite interrupts. Actually,
+don't need interrupt triggered on channel0 since it's pollling
+SDMA_H_STATSTOP to know channel0 done rather than interrupt in
+current code, just clear BD_INTR to disable channel0 interrupt to
+avoid the above case.
+This issue was brought by commit 1d069bfa3c78 ("dmaengine: imx-sdma:
+ack channel 0 IRQ in the interrupt handler") which didn't take care
+the above case.
+
+Fixes: 1d069bfa3c78 ("dmaengine: imx-sdma: ack channel 0 IRQ in the interrupt handler")
+Cc: stable@vger.kernel.org #5.0+
+Signed-off-by: Robin Gong <yibin.gong@nxp.com>
+Reported-by: Sven Van Asbroeck <thesven73@gmail.com>
+Tested-by: Sven Van Asbroeck <thesven73@gmail.com>
+Reviewed-by: Michael Olbrich <m.olbrich@pengutronix.de>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/dma/imx-sdma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c
+index ba72fcfbebfe..4ec84a633bd3 100644
+--- a/drivers/dma/imx-sdma.c
++++ b/drivers/dma/imx-sdma.c
+@@ -703,7 +703,7 @@ static int sdma_load_script(struct sdma_engine *sdma, void *buf, int size,
+ spin_lock_irqsave(&sdma->channel_0_lock, flags);
+
+ bd0->mode.command = C0_SETPM;
+- bd0->mode.status = BD_DONE | BD_INTR | BD_WRAP | BD_EXTD;
++ bd0->mode.status = BD_DONE | BD_WRAP | BD_EXTD;
+ bd0->mode.count = size / 2;
+ bd0->buffer_addr = buf_phys;
+ bd0->ext_buffer_addr = address;
+@@ -1025,7 +1025,7 @@ static int sdma_load_context(struct sdma_channel *sdmac)
+ context->gReg[7] = sdmac->watermark_level;
+
+ bd0->mode.command = C0_SETDM;
+- bd0->mode.status = BD_DONE | BD_INTR | BD_WRAP | BD_EXTD;
++ bd0->mode.status = BD_DONE | BD_WRAP | BD_EXTD;
+ bd0->mode.count = sizeof(*context) / 4;
+ bd0->buffer_addr = sdma->context_phys;
+ bd0->ext_buffer_addr = 2048 + (sizeof(*context) / 4) * channel;
+--
+2.16.4
+
diff --git a/patches.drivers/documentation-dma-api-fix-a-function-name-of-max_mapping_size b/patches.drivers/documentation-dma-api-fix-a-function-name-of-max_mapping_size
new file mode 100644
index 0000000000..50ef6b870b
--- /dev/null
+++ b/patches.drivers/documentation-dma-api-fix-a-function-name-of-max_mapping_size
@@ -0,0 +1,31 @@
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Fri, 7 Jun 2019 16:47:13 +0900
+Subject: Documentation: DMA-API: fix a function name of max_mapping_size
+Git-commit: 99d2b938672944831035bef50c68a6e948e93abf
+Patch-mainline: v5.3-rc1
+References: bsc#1140954
+
+The exported function name is dma_max_mapping_size(), not
+dma_direct_max_mapping_size() so that this patch fixes
+the function name in the documentation.
+
+Fixes: 133d624b1cee ("dma: Introduce dma_max_mapping_size()")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ Documentation/DMA-API.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/DMA-API.txt
++++ b/Documentation/DMA-API.txt
+@@ -181,7 +181,7 @@ call to set the mask to the value return
+ ::
+
+ size_t
+- dma_direct_max_mapping_size(struct device *dev);
++ dma_max_mapping_size(struct device *dev);
+
+ Returns the maximum size of a mapping for the device. The size parameter
+ of the mapping functions like dma_map_single(), dma_map_page() and
+
diff --git a/patches.drivers/gpio-omap-fix-lack-of-irqstatus_raw0-for-OMAP4.patch b/patches.drivers/gpio-omap-fix-lack-of-irqstatus_raw0-for-OMAP4.patch
new file mode 100644
index 0000000000..0cc1d96d08
--- /dev/null
+++ b/patches.drivers/gpio-omap-fix-lack-of-irqstatus_raw0-for-OMAP4.patch
@@ -0,0 +1,45 @@
+From 64ea3e9094a1f13b96c33244a3fb3a0f45690bd2 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Mon, 10 Jun 2019 20:10:45 +0300
+Subject: [PATCH] gpio: omap: fix lack of irqstatus_raw0 for OMAP4
+Git-commit: 64ea3e9094a1f13b96c33244a3fb3a0f45690bd2
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Commit 384ebe1c2849 ("gpio/omap: Add DT support to GPIO driver") added
+the register definition tables to the gpio-omap driver. Subsequently to
+that commit, commit 4e962e8998cc ("gpio/omap: remove cpu_is_omapxxxx()
+checks from *_runtime_resume()") added definitions for irqstatus_raw*
+registers to the legacy OMAP4 definitions, but missed the DT
+definitions.
+
+This causes an unintentional change of behaviour for the 1.101 errata
+workaround on OMAP4 platforms. Fix this oversight.
+
+Fixes: 4e962e8998cc ("gpio/omap: remove cpu_is_omapxxxx() checks from *_runtime_resume()")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Tested-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpio/gpio-omap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c
+index 2c6d46396834..44b214e5cefb 100644
+--- a/drivers/gpio/gpio-omap.c
++++ b/drivers/gpio/gpio-omap.c
+@@ -1457,6 +1457,8 @@ static struct omap_gpio_reg_offs omap4_gpio_regs = {
+ .clr_dataout = OMAP4_GPIO_CLEARDATAOUT,
+ .irqstatus = OMAP4_GPIO_IRQSTATUS0,
+ .irqstatus2 = OMAP4_GPIO_IRQSTATUS1,
++ .irqstatus_raw0 = OMAP4_GPIO_IRQSTATUSRAW0,
++ .irqstatus_raw1 = OMAP4_GPIO_IRQSTATUSRAW1,
+ .irqenable = OMAP4_GPIO_IRQSTATUSSET0,
+ .irqenable2 = OMAP4_GPIO_IRQSTATUSSET1,
+ .set_irqenable = OMAP4_GPIO_IRQSTATUSSET0,
+--
+2.16.4
+
diff --git a/patches.drivers/ibmvnic-Do-not-close-unopened-driver-during-reset.patch b/patches.drivers/ibmvnic-Do-not-close-unopened-driver-during-reset.patch
index c5a7b22902..9b12047150 100644
--- a/patches.drivers/ibmvnic-Do-not-close-unopened-driver-during-reset.patch
+++ b/patches.drivers/ibmvnic-Do-not-close-unopened-driver-during-reset.patch
@@ -4,8 +4,7 @@ Date: Fri, 7 Jun 2019 16:03:53 -0500
Subject: [PATCH] ibmvnic: Do not close unopened driver during reset
References: bsc#1137752
-Patch-mainline: queued
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git
+Patch-mainline: v5.2-rc6
Git-commit: 1f94608b0ce141be5286dde31270590bdf35b86a
Check driver state before halting it during a reset. If the driver is
diff --git a/patches.drivers/ibmvnic-Fix-unchecked-return-codes-of-memory-allocat.patch b/patches.drivers/ibmvnic-Fix-unchecked-return-codes-of-memory-allocat.patch
index f730273849..d4743b1b26 100644
--- a/patches.drivers/ibmvnic-Fix-unchecked-return-codes-of-memory-allocat.patch
+++ b/patches.drivers/ibmvnic-Fix-unchecked-return-codes-of-memory-allocat.patch
@@ -4,8 +4,7 @@ Date: Fri, 7 Jun 2019 16:03:55 -0500
Subject: [PATCH] ibmvnic: Fix unchecked return codes of memory allocations
References: bsc#1137752
-Patch-mainline: queued
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git
+Patch-mainline: v5.2-rc6
Git-commit: 7c940b1a5291e5069d561f5b8f0e51db6b7a259a
The return values for these memory allocations are unchecked,
diff --git a/patches.drivers/ibmvnic-Refresh-device-multicast-list-after-reset.patch b/patches.drivers/ibmvnic-Refresh-device-multicast-list-after-reset.patch
index 2b6d40e8ec..ee71f4f214 100644
--- a/patches.drivers/ibmvnic-Refresh-device-multicast-list-after-reset.patch
+++ b/patches.drivers/ibmvnic-Refresh-device-multicast-list-after-reset.patch
@@ -4,8 +4,7 @@ Date: Fri, 7 Jun 2019 16:03:54 -0500
Subject: [PATCH] ibmvnic: Refresh device multicast list after reset
References: bsc#1137752
-Patch-mainline: queued
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git
+Patch-mainline: v5.2-rc6
Git-commit: be32a24372cf162e825332da1a7ccef058d4f20b
It was observed that multicast packets were no longer received after
diff --git a/patches.drivers/iommu-amd-make-iommu_disable-safer b/patches.drivers/iommu-amd-make-iommu_disable-safer
new file mode 100644
index 0000000000..9937554526
--- /dev/null
+++ b/patches.drivers/iommu-amd-make-iommu_disable-safer
@@ -0,0 +1,33 @@
+From: Kevin Mitchell <kevmitch@arista.com>
+Date: Wed, 12 Jun 2019 14:52:03 -0700
+Subject: iommu/amd: Make iommu_disable safer
+Git-commit: 3ddbe913e55516d3e2165d43d4d5570761769878
+Patch-mainline: v5.3-rc1
+References: bsc#1140955
+
+Make it safe to call iommu_disable during early init error conditions
+before mmio_base is set, but after the struct amd_iommu has been added
+to the amd_iommu_list. For example, this happens if firmware fails to
+fill in mmio_phys in the ACPI table leading to a NULL pointer
+dereference in iommu_feature_disable.
+
+Fixes: 2c0ae1720c09c ('iommu/amd: Convert iommu initialization to state machine')
+Signed-off-by: Kevin Mitchell <kevmitch@arista.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/amd_iommu_init.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iommu/amd_iommu_init.c
++++ b/drivers/iommu/amd_iommu_init.c
+@@ -421,6 +421,9 @@ static void iommu_enable(struct amd_iomm
+
+ static void iommu_disable(struct amd_iommu *iommu)
+ {
++ if (!iommu->mmio_base)
++ return;
++
+ /* Disable command buffer */
+ iommu_feature_disable(iommu, CONTROL_CMDBUF_EN);
+
+
diff --git a/patches.drivers/iommu-arm-smmu-avoid-constant-zero-in-tlbi-writes b/patches.drivers/iommu-arm-smmu-avoid-constant-zero-in-tlbi-writes
new file mode 100644
index 0000000000..b3e9bc2ab7
--- /dev/null
+++ b/patches.drivers/iommu-arm-smmu-avoid-constant-zero-in-tlbi-writes
@@ -0,0 +1,74 @@
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Mon, 3 Jun 2019 14:15:37 +0200
+Subject: iommu/arm-smmu: Avoid constant zero in TLBI writes
+Git-commit: 4e4abae311e4b44aaf61f18a826fd7136037f199
+Patch-mainline: v5.2-rc5
+References: bsc#1140956
+
+Apparently, some Qualcomm arm64 platforms which appear to expose their
+SMMU global register space are still, in fact, using a hypervisor to
+mediate it by trapping and emulating register accesses. Sadly, some
+deployed versions of said trapping code have bugs wherein they go
+horribly wrong for stores using r31 (i.e. XZR/WZR) as the source
+register.
+
+While this can be mitigated for GCC today by tweaking the constraints
+for the implementation of writel_relaxed(), to avoid any potential
+arms race with future compilers more aggressively optimising register
+allocation, the simple way is to just remove all the problematic
+constant zeros. For the write-only TLB operations, the actual value is
+irrelevant anyway and any old nearby variable will provide a suitable
+GPR to encode. The one point at which we really do need a zero to clear
+a context bank happens before any of the TLB maintenance where crashes
+have been reported, so is apparently not a problem... :/
+
+Reported-by: AngeloGioacchino Del Regno <kholk11@gmail.com>
+Tested-by: Marc Gonzalez <marc.w.gonzalez@free.fr>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Marc Gonzalez <marc.w.gonzalez@free.fr>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/arm-smmu.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/arm-smmu.c
++++ b/drivers/iommu/arm-smmu.c
+@@ -252,6 +252,15 @@ enum arm_smmu_s2cr_privcfg {
+ #define SCTLR_TRE (1 << 1)
+ #define SCTLR_M (1 << 0)
+
++/*
++ * Apparently, some Qualcomm arm64 platforms which appear to expose their SMMU
++ * global register space are still, in fact, using a hypervisor to mediate it
++ * by trapping and emulating register accesses. Sadly, some deployed versions
++ * of said trapping code have bugs wherein they go horribly wrong for stores
++ * using r31 (i.e. XZR/WZR) as the source register.
++ */
++#define QCOM_DUMMY_VAL -1
++
+ #define ARM_MMU500_ACTLR_CPRE (1 << 1)
+
+ #define ARM_MMU500_ACR_CACHE_LOCK (1 << 26)
+@@ -588,7 +597,7 @@ static void __arm_smmu_tlb_sync(struct a
+ {
+ unsigned int spin_cnt, delay;
+
+- writel_relaxed(0, sync);
++ writel_relaxed(QCOM_DUMMY_VAL, sync);
+ for (delay = 1; delay < TLB_LOOP_TIMEOUT; delay *= 2) {
+ for (spin_cnt = TLB_SPIN_COUNT; spin_cnt > 0; spin_cnt--) {
+ if (!(readl_relaxed(status) & sTLBGSTATUS_GSACTIVE))
+@@ -1787,8 +1796,8 @@ static void arm_smmu_device_reset(struct
+ }
+
+ /* Invalidate the TLB, just in case */
+- writel_relaxed(0, gr0_base + ARM_SMMU_GR0_TLBIALLH);
+- writel_relaxed(0, gr0_base + ARM_SMMU_GR0_TLBIALLNSNH);
++ writel_relaxed(QCOM_DUMMY_VAL, gr0_base + ARM_SMMU_GR0_TLBIALLH);
++ writel_relaxed(QCOM_DUMMY_VAL, gr0_base + ARM_SMMU_GR0_TLBIALLNSNH);
+
+ reg = readl_relaxed(ARM_SMMU_GR0_NS(smmu) + ARM_SMMU_GR0_sCR0);
+
+
diff --git a/patches.drivers/iommu-fix-a-leak-in-iommu_insert_resv_region b/patches.drivers/iommu-fix-a-leak-in-iommu_insert_resv_region
new file mode 100644
index 0000000000..33400b82d1
--- /dev/null
+++ b/patches.drivers/iommu-fix-a-leak-in-iommu_insert_resv_region
@@ -0,0 +1,55 @@
+From: Eric Auger <eric.auger@redhat.com>
+Date: Mon, 3 Jun 2019 08:53:30 +0200
+Subject: iommu: Fix a leak in iommu_insert_resv_region
+Git-commit: ad0834dedaa15c3a176f783c0373f836e44b4700
+Patch-mainline: v5.3-rc1
+References: bsc#1140957
+
+In case we expand an existing region, we unlink
+this latter and insert the larger one. In
+that case we should free the original region after
+the insertion. Also we can immediately return.
+
+Fixes: 6c65fb318e8b ("iommu: iommu_get_group_resv_regions")
+
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/iommu.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -205,18 +205,21 @@ static int iommu_insert_resv_region(stru
+ pos = pos->next;
+ } else if ((start >= a) && (end <= b)) {
+ if (new->type == type)
+- goto done;
++ return 0;
+ else
+ pos = pos->next;
+ } else {
+ if (new->type == type) {
+ phys_addr_t new_start = min(a, start);
+ phys_addr_t new_end = max(b, end);
++ int ret;
+
+ list_del(&entry->list);
+ entry->start = new_start;
+ entry->length = new_end - new_start + 1;
+- iommu_insert_resv_region(entry, regions);
++ ret = iommu_insert_resv_region(entry, regions);
++ kfree(entry);
++ return ret;
+ } else {
+ pos = pos->next;
+ }
+@@ -229,7 +232,6 @@ insert:
+ return -ENOMEM;
+
+ list_add_tail(&region->list, pos);
+-done:
+ return 0;
+ }
+
+
diff --git a/patches.drivers/iommu-use-right-function-to-get-group-for-device b/patches.drivers/iommu-use-right-function-to-get-group-for-device
new file mode 100644
index 0000000000..5ac2b0957d
--- /dev/null
+++ b/patches.drivers/iommu-use-right-function-to-get-group-for-device
@@ -0,0 +1,35 @@
+From: Lu Baolu <baolu.lu@linux.intel.com>
+Date: Tue, 21 May 2019 15:27:35 +0800
+Subject: iommu: Use right function to get group for device
+Git-commit: 57274ea25736496ee019a5c40479855b21888839
+Patch-mainline: v5.3-rc1
+References: bsc#1140958
+
+The iommu_group_get_for_dev() will allocate a group for a
+device if it isn't in any group. This isn't the use case
+in iommu_request_dm_for_dev(). Let's use iommu_group_get()
+instead.
+
+Fixes: d290f1e70d85a ("iommu: Introduce iommu_request_dm_for_dev()")
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/iommu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -1849,9 +1849,9 @@ int iommu_request_dm_for_dev(struct devi
+ int ret;
+
+ /* Device must already be in a group before calling this function */
+- group = iommu_group_get_for_dev(dev);
+- if (IS_ERR(group))
+- return PTR_ERR(group);
++ group = iommu_group_get(dev);
++ if (!group)
++ return -EINVAL;
+
+ mutex_lock(&group->mutex);
+
+
diff --git a/patches.drivers/iommu-vt-d-duplicate-iommu_resv_region-objects-per-device-list b/patches.drivers/iommu-vt-d-duplicate-iommu_resv_region-objects-per-device-list
new file mode 100644
index 0000000000..c7debfec4d
--- /dev/null
+++ b/patches.drivers/iommu-vt-d-duplicate-iommu_resv_region-objects-per-device-list
@@ -0,0 +1,128 @@
+From: Eric Auger <eric.auger@redhat.com>
+Date: Mon, 3 Jun 2019 08:53:31 +0200
+Subject: iommu/vt-d: Duplicate iommu_resv_region objects per device list
+Git-commit: 5f64ce5411b467f1cfea6c63e2494c22b773582b
+Patch-mainline: v5.3-rc1
+References: bsc#1140959
+
+intel_iommu_get_resv_regions() aims to return the list of
+reserved regions accessible by a given @device. However several
+devices can access the same reserved memory region and when
+building the list it is not safe to use a single iommu_resv_region
+object, whose container is the RMRR. This iommu_resv_region must
+be duplicated per device reserved region list.
+
+Let's remove the struct iommu_resv_region from the RMRR unit
+and allocate the iommu_resv_region directly in
+intel_iommu_get_resv_regions(). We hold the dmar_global_lock instead
+of the rcu-lock to allow sleeping.
+
+Fixes: 0659b8dc45a6 ("iommu/vt-d: Implement reserved region get/put callbacks")
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/intel-iommu.c | 34 +++++++++++++++++-----------------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -442,7 +442,6 @@ struct dmar_rmrr_unit {
+ u64 end_address; /* reserved end address */
+ struct dmar_dev_scope *devices; /* target devices */
+ int devices_cnt; /* target device count */
+- struct iommu_resv_region *resv; /* reserved region handle */
+ };
+
+ struct dmar_atsr_unit {
+@@ -4281,7 +4280,6 @@ static inline void init_iommu_pm_ops(voi
+ int __init dmar_parse_one_rmrr(struct acpi_dmar_header *header, void *arg)
+ {
+ struct acpi_dmar_reserved_memory *rmrr;
+- int prot = DMA_PTE_READ|DMA_PTE_WRITE;
+ struct dmar_rmrr_unit *rmrru;
+ size_t length;
+
+@@ -4295,22 +4293,16 @@ int __init dmar_parse_one_rmrr(struct ac
+ rmrru->end_address = rmrr->end_address;
+
+ length = rmrr->end_address - rmrr->base_address + 1;
+- rmrru->resv = iommu_alloc_resv_region(rmrr->base_address, length, prot,
+- IOMMU_RESV_DIRECT);
+- if (!rmrru->resv)
+- goto free_rmrru;
+
+ rmrru->devices = dmar_alloc_dev_scope((void *)(rmrr + 1),
+ ((void *)rmrr) + rmrr->header.length,
+ &rmrru->devices_cnt);
+ if (rmrru->devices_cnt && rmrru->devices == NULL)
+- goto free_all;
++ goto free_rmrru;
+
+ list_add(&rmrru->list, &dmar_rmrr_units);
+
+ return 0;
+-free_all:
+- kfree(rmrru->resv);
+ free_rmrru:
+ kfree(rmrru);
+ out:
+@@ -4528,7 +4520,6 @@ static void intel_iommu_free_dmars(void)
+ list_for_each_entry_safe(rmrru, rmrr_n, &dmar_rmrr_units, list) {
+ list_del(&rmrru->list);
+ dmar_free_dev_scope(&rmrru->devices, &rmrru->devices_cnt);
+- kfree(rmrru->resv);
+ kfree(rmrru);
+ }
+
+@@ -5308,22 +5299,33 @@ static void intel_iommu_remove_device(st
+ static void intel_iommu_get_resv_regions(struct device *device,
+ struct list_head *head)
+ {
++ int prot = DMA_PTE_READ | DMA_PTE_WRITE;
+ struct iommu_resv_region *reg;
+ struct dmar_rmrr_unit *rmrr;
+ struct device *i_dev;
+ int i;
+
+- rcu_read_lock();
++ down_read(&dmar_global_lock);
+ for_each_rmrr_units(rmrr) {
+ for_each_active_dev_scope(rmrr->devices, rmrr->devices_cnt,
+ i, i_dev) {
++ struct iommu_resv_region *resv;
++ size_t length;
++
+ if (i_dev != device)
+ continue;
+
+- list_add_tail(&rmrr->resv->list, head);
++ length = rmrr->end_address - rmrr->base_address + 1;
++ resv = iommu_alloc_resv_region(rmrr->base_address,
++ length, prot,
++ IOMMU_RESV_DIRECT);
++ if (!resv)
++ break;
++
++ list_add_tail(&resv->list, head);
+ }
+ }
+- rcu_read_unlock();
++ up_read(&dmar_global_lock);
+
+ reg = iommu_alloc_resv_region(IOAPIC_RANGE_START,
+ IOAPIC_RANGE_END - IOAPIC_RANGE_START + 1,
+@@ -5338,10 +5340,8 @@ static void intel_iommu_put_resv_regions
+ {
+ struct iommu_resv_region *entry, *next;
+
+- list_for_each_entry_safe(entry, next, head, list) {
+- if (entry->type == IOMMU_RESV_MSI)
+- kfree(entry);
+- }
++ list_for_each_entry_safe(entry, next, head, list)
++ kfree(entry);
+ }
+
+ #ifdef CONFIG_INTEL_IOMMU_SVM
+
diff --git a/patches.drivers/iommu-vt-d-handle-pci-bridge-rmrr-device-scopes-in-intel_iommu_get_resv_regions b/patches.drivers/iommu-vt-d-handle-pci-bridge-rmrr-device-scopes-in-intel_iommu_get_resv_regions
new file mode 100644
index 0000000000..331e0bbde3
--- /dev/null
+++ b/patches.drivers/iommu-vt-d-handle-pci-bridge-rmrr-device-scopes-in-intel_iommu_get_resv_regions
@@ -0,0 +1,33 @@
+From: Eric Auger <eric.auger@redhat.com>
+Date: Mon, 3 Jun 2019 08:53:34 +0200
+Subject: iommu/vt-d: Handle PCI bridge RMRR device scopes in
+ intel_iommu_get_resv_regions
+Git-commit: 3855ba2d834d8f7727b7f992ff781fa66cc09f96
+Patch-mainline: v5.3-rc1
+References: bsc#1140960
+
+In the case the RMRR device scope is a PCI-PCI bridge, let's check
+the device belongs to the PCI sub-hierarchy.
+
+Fixes: 0659b8dc45a6 ("iommu/vt-d: Implement reserved region get/put callbacks")
+
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/intel-iommu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -5313,7 +5313,8 @@ static void intel_iommu_get_resv_regions
+ struct iommu_resv_region *resv;
+ size_t length;
+
+- if (i_dev != device)
++ if (i_dev != device &&
++ !is_downstream_to_pci_bridge(device, i_dev))
+ continue;
+
+ length = rmrr->end_address - rmrr->base_address + 1;
+
diff --git a/patches.drivers/iommu-vt-d-handle-rmrr-with-pci-bridge-device-scopes b/patches.drivers/iommu-vt-d-handle-rmrr-with-pci-bridge-device-scopes
new file mode 100644
index 0000000000..4e10bfbc16
--- /dev/null
+++ b/patches.drivers/iommu-vt-d-handle-rmrr-with-pci-bridge-device-scopes
@@ -0,0 +1,36 @@
+From: Eric Auger <eric.auger@redhat.com>
+Date: Mon, 3 Jun 2019 08:53:33 +0200
+Subject: iommu/vt-d: Handle RMRR with PCI bridge device scopes
+Git-commit: e143fd4598ddf7401d3699957cd59ceb5426d53d
+Patch-mainline: v5.3-rc1
+References: bsc#1140961
+
+When reading the vtd specification and especially the
+Reserved Memory Region Reporting Structure chapter,
+it is not obvious a device scope element cannot be a
+PCI-PCI bridge, in which case all downstream ports are
+likely to access the reserved memory region. Let's handle
+this case in device_has_rmrr.
+
+Fixes: ea2447f700ca ("intel-iommu: Prevent devices with RMRRs from being placed into SI Domain")
+
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/intel-iommu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -2825,7 +2825,8 @@ static bool device_has_rmrr(struct devic
+ */
+ for_each_active_dev_scope(rmrr->devices,
+ rmrr->devices_cnt, i, tmp)
+- if (tmp == dev) {
++ if (tmp == dev ||
++ is_downstream_to_pci_bridge(dev, tmp)) {
+ rcu_read_unlock();
+ return true;
+ }
+
diff --git a/patches.drivers/iommu-vt-d-introduce-is_downstream_to_pci_bridge-helper b/patches.drivers/iommu-vt-d-introduce-is_downstream_to_pci_bridge-helper
new file mode 100644
index 0000000000..cd867e1f56
--- /dev/null
+++ b/patches.drivers/iommu-vt-d-introduce-is_downstream_to_pci_bridge-helper
@@ -0,0 +1,79 @@
+From: Eric Auger <eric.auger@redhat.com>
+Date: Mon, 3 Jun 2019 08:53:32 +0200
+Subject: iommu/vt-d: Introduce is_downstream_to_pci_bridge helper
+Git-commit: b9a7f9816483b19360b92e9b8c91bea2f9f30308
+Patch-mainline: v5.3-rc1
+References: bsc#1140962
+
+Several call sites are about to check whether a device belongs
+to the PCI sub-hierarchy of a candidate PCI-PCI bridge.
+Introduce an helper to perform that check.
+
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/intel-iommu.c | 37 +++++++++++++++++++++++++++++--------
+ 1 file changed, 29 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
+index 082fbb1bdeaf..6747fec46cfb 100644
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -729,12 +729,39 @@ static int iommu_dummy(struct device *dev)
+ return dev->archdata.iommu == DUMMY_DEVICE_DOMAIN_INFO;
+ }
+
++/**
++ * is_downstream_to_pci_bridge - test if a device belongs to the PCI
++ * sub-hierarchy of a candidate PCI-PCI bridge
++ * @dev: candidate PCI device belonging to @bridge PCI sub-hierarchy
++ * @bridge: the candidate PCI-PCI bridge
++ *
++ * Return: true if @dev belongs to @bridge PCI sub-hierarchy, else false.
++ */
++static bool
++is_downstream_to_pci_bridge(struct device *dev, struct device *bridge)
++{
++ struct pci_dev *pdev, *pbridge;
++
++ if (!dev_is_pci(dev) || !dev_is_pci(bridge))
++ return false;
++
++ pdev = to_pci_dev(dev);
++ pbridge = to_pci_dev(bridge);
++
++ if (pbridge->subordinate &&
++ pbridge->subordinate->number <= pdev->bus->number &&
++ pbridge->subordinate->busn_res.end >= pdev->bus->number)
++ return true;
++
++ return false;
++}
++
+ static struct intel_iommu *device_to_iommu(struct device *dev, u8 *bus, u8 *devfn)
+ {
+ struct dmar_drhd_unit *drhd = NULL;
+ struct intel_iommu *iommu;
+ struct device *tmp;
+- struct pci_dev *ptmp, *pdev = NULL;
++ struct pci_dev *pdev = NULL;
+ u16 segment = 0;
+ int i;
+
+@@ -780,13 +807,7 @@ static struct intel_iommu *device_to_iommu(struct device *dev, u8 *bus, u8 *devf
+ goto out;
+ }
+
+- if (!pdev || !dev_is_pci(tmp))
+- continue;
+-
+- ptmp = to_pci_dev(tmp);
+- if (ptmp->subordinate &&
+- ptmp->subordinate->number <= pdev->bus->number &&
+- ptmp->subordinate->busn_res.end >= pdev->bus->number)
++ if (is_downstream_to_pci_bridge(dev, tmp))
+ goto got_pdev;
+ }
+
+
diff --git a/patches.drivers/iommu-vt-d-remove-unnecessary-rcu_read_locks b/patches.drivers/iommu-vt-d-remove-unnecessary-rcu_read_locks
new file mode 100644
index 0000000000..601dea269b
--- /dev/null
+++ b/patches.drivers/iommu-vt-d-remove-unnecessary-rcu_read_locks
@@ -0,0 +1,47 @@
+From: Lukasz Odzioba <lukasz.odzioba@intel.com>
+Date: Mon, 20 May 2019 15:41:28 +0200
+Subject: iommu/vt-d: Remove unnecessary rcu_read_locks
+Git-commit: f780a8dc196db1c41b5da21ecfa27e83ee5fb776
+Patch-mainline: v5.3-rc1
+References: bsc#1140964
+
+We use RCU's for rarely updated lists like iommus, rmrr, atsr units.
+
+I'm not sure why domain_remove_dev_info() in domain_exit() was surrounded
+by rcu_read_lock. Lock was present before refactoring in d160aca527,
+but it was related to rcu list, not domain_remove_dev_info function.
+
+dmar_remove_one_dev_info() doesn't touch any of those lists, so it doesn't
+require a lock. In fact it is called 6 times without it anyway.
+
+Fixes: d160aca5276d ("iommu/vt-d: Unify domain->iommu attach/detachment")
+
+Signed-off-by: Lukasz Odzioba <lukasz.odzioba@intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/intel-iommu.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -2013,9 +2013,7 @@ static void domain_exit(struct dmar_doma
+ }
+
+ /* Remove associated devices and clear attached or cached domains */
+- rcu_read_lock();
+ domain_remove_dev_info(domain);
+- rcu_read_unlock();
+
+ /* destroy iovas */
+ put_iova_domain(&domain->iovad);
+@@ -5121,9 +5119,7 @@ static int intel_iommu_attach_device(str
+
+ old_domain = find_domain(dev);
+ if (old_domain) {
+- rcu_read_lock();
+ dmar_remove_one_dev_info(old_domain, dev);
+- rcu_read_unlock();
+
+ if (!domain_type_is_vm_or_si(old_domain) &&
+ list_empty(&old_domain->devices))
+
diff --git a/patches.drivers/mfd-hi655x-Fix-regmap-area-declared-size-for-hi655x.patch b/patches.drivers/mfd-hi655x-Fix-regmap-area-declared-size-for-hi655x.patch
new file mode 100644
index 0000000000..3ed2cf666e
--- /dev/null
+++ b/patches.drivers/mfd-hi655x-Fix-regmap-area-declared-size-for-hi655x.patch
@@ -0,0 +1,69 @@
+From 6afebb70ee7a4bde106dc1a875e7ac7997248f84 Mon Sep 17 00:00:00 2001
+From: Rafael David Tinoco <rafael.tinoco@linaro.org>
+Date: Fri, 6 Jul 2018 14:28:33 -0300
+Subject: [PATCH] mfd: hi655x: Fix regmap area declared size for hi655x
+Git-commit: 6afebb70ee7a4bde106dc1a875e7ac7997248f84
+Patch-mainline: v4.19-rc1
+References: bsc#1051510
+
+Fixes https://bugs.linaro.org/show_bug.cgi?id=3903
+
+LTP Functional tests have caused a bad paging request when triggering
+the regmap_read_debugfs() logic of the device PMIC Hi6553 (reading
+regmap/f8000000.pmic/registers file during read_all test):
+
+Unable to handle kernel paging request at virtual address ffff0
+[ffff00000984e000] pgd=0000000077ffe803, pud=0000000077ffd803,0
+Internal error: Oops: 96000007 [#1] SMP
+...
+Hardware name: HiKey Development Board (DT)
+...
+Call trace:
+ regmap_mmio_read8+0x24/0x40
+ regmap_mmio_read+0x48/0x70
+ _regmap_bus_reg_read+0x38/0x48
+ _regmap_read+0x68/0x170
+ regmap_read+0x50/0x78
+ regmap_read_debugfs+0x1a0/0x308
+ regmap_map_read_file+0x48/0x58
+ full_proxy_read+0x68/0x98
+ __vfs_read+0x48/0x80
+ vfs_read+0x94/0x150
+ SyS_read+0x6c/0xd8
+ el0_svc_naked+0x30/0x34
+Code: aa1e03e0 d503201f f9400280 8b334000 (39400000)
+
+Investigations have showed that, when triggered by debugfs read()
+handler, the mmio regmap logic was reading a bigger (16k) register area
+than the one mapped by devm_ioremap_resource() during hi655x-pmic probe
+time (4k).
+
+This commit changes hi655x's max register, according to HW specs, to be
+the same as the one declared in the pmic device in hi6220's dts, fixing
+the issue.
+
+Cc: <stable@vger.kernel.org> #v4.9 #v4.14 #v4.16 #v4.17
+Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/mfd/hi655x-pmic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/hi655x-pmic.c b/drivers/mfd/hi655x-pmic.c
+index c37ccbfd52f2..96c07fa1802a 100644
+--- a/drivers/mfd/hi655x-pmic.c
++++ b/drivers/mfd/hi655x-pmic.c
+@@ -49,7 +49,7 @@ static struct regmap_config hi655x_regmap_config = {
+ .reg_bits = 32,
+ .reg_stride = HI655X_STRIDE,
+ .val_bits = 8,
+- .max_register = HI655X_BUS_ADDR(0xFFF),
++ .max_register = HI655X_BUS_ADDR(0x400) - HI655X_STRIDE,
+ };
+
+ static struct resource pwrkey_resources[] = {
+--
+2.16.4
+
diff --git a/patches.drivers/nfit-ars-avoid-stale-ars-results.patch b/patches.drivers/nfit-ars-avoid-stale-ars-results.patch
new file mode 100644
index 0000000000..2ec2b41550
--- /dev/null
+++ b/patches.drivers/nfit-ars-avoid-stale-ars-results.patch
@@ -0,0 +1,73 @@
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Wed, 13 Feb 2019 09:28:40 -0800
+Subject: [PATCH] nfit/ars: Avoid stale ARS results
+Patch-mainline: v5.1-rc1
+Git-commit: 78153dd45e7e0596ba32b15d02bda08e1513111e
+References: jsc#SLE-5433
+
+Gate ARS result consumption on whether the OS issued start-ARS since the
+previous consumption. The BIOS may only clear its result buffers after a
+successful start-ARS.
+
+Fixes: 0caeef63e6d2 ("libnvdimm: Add a poison list and export badblocks")
+Cc: <stable@vger.kernel.org>
+Reported-by: Krzysztof Rusocki <krzysztof.rusocki@intel.com>
+Reported-by: Vishal Verma <vishal.l.verma@intel.com>
+Reviewed-by: Toshi Kani <toshi.kani@hpe.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/acpi/nfit/core.c | 17 ++++++++++++++++-
+ drivers/acpi/nfit/nfit.h | 1 +
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -2529,7 +2529,10 @@ static int ars_start(struct acpi_nfit_de
+
+ if (rc < 0)
+ return rc;
+- return cmd_rc;
++ if (cmd_rc < 0)
++ return cmd_rc;
++ set_bit(ARS_VALID, &acpi_desc->scrub_flags);
++ return 0;
+ }
+
+ static int ars_continue(struct acpi_nfit_desc *acpi_desc)
+@@ -2623,6 +2626,17 @@ static int ars_status_process_records(st
+ */
+ if (ars_status->out_length < 44)
+ return 0;
++
++ /*
++ * Ignore potentially stale results that are only refreshed
++ * after a start-ARS event.
++ */
++ if (!test_and_clear_bit(ARS_VALID, &acpi_desc->scrub_flags)) {
++ dev_dbg(acpi_desc->dev, "skip %d stale records\n",
++ ars_status->num_records);
++ return 0;
++ }
++
+ for (i = 0; i < ars_status->num_records; i++) {
+ /* only process full records */
+ if (ars_status->out_length
+@@ -3108,6 +3122,7 @@ static int acpi_nfit_register_regions(st
+ struct nfit_spa *nfit_spa;
+ int rc;
+
++ set_bit(ARS_VALID, &acpi_desc->scrub_flags);
+ list_for_each_entry(nfit_spa, &acpi_desc->spas, list) {
+ switch (nfit_spa_type(nfit_spa->spa)) {
+ case NFIT_SPA_VOLATILE:
+--- a/drivers/acpi/nfit/nfit.h
++++ b/drivers/acpi/nfit/nfit.h
+@@ -185,6 +185,7 @@ enum scrub_flags {
+ ARS_BUSY,
+ ARS_CANCEL,
+ ARS_POLL,
++ ARS_VALID,
+ };
+
+ struct acpi_nfit_desc {
diff --git a/patches.drivers/nfit-ars-introduce-scrub_flags.patch b/patches.drivers/nfit-ars-introduce-scrub_flags.patch
new file mode 100644
index 0000000000..e97d30041d
--- /dev/null
+++ b/patches.drivers/nfit-ars-introduce-scrub_flags.patch
@@ -0,0 +1,123 @@
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Wed, 13 Feb 2019 09:57:22 -0800
+Subject: [PATCH] nfit/ars: Introduce scrub_flags
+Patch-mainline: v5.1-rc1
+Git-commit: e34b8252a3d2893ca55c82dbfcdaa302fa03d400
+References: jsc#SLE-5433
+
+In preparation for introducing new flags to gate whether ARS results are
+stale, or poll the completion state, convert the existing flags to an
+unsigned long with enumerated values. This conversion allows the flags
+to be atomically updated outside of ->init_mutex.
+
+Reviewed-by: Toshi Kani <toshi.kani@hpe.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/acpi/nfit/core.c | 30 +++++++++++++++++-------------
+ drivers/acpi/nfit/nfit.h | 8 ++++++--
+ 2 files changed, 23 insertions(+), 15 deletions(-)
+
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -1299,19 +1299,23 @@ static ssize_t scrub_show(struct device
+ struct device_attribute *attr, char *buf)
+ {
+ struct nvdimm_bus_descriptor *nd_desc;
++ struct acpi_nfit_desc *acpi_desc;
+ ssize_t rc = -ENXIO;
++ bool busy;
+
+ device_lock(dev);
+ nd_desc = dev_get_drvdata(dev);
+- if (nd_desc) {
+- struct acpi_nfit_desc *acpi_desc = to_acpi_desc(nd_desc);
+-
+- mutex_lock(&acpi_desc->init_mutex);
+- rc = sprintf(buf, "%d%s", acpi_desc->scrub_count,
+- acpi_desc->scrub_busy
+- && !acpi_desc->cancel ? "+\n" : "\n");
+- mutex_unlock(&acpi_desc->init_mutex);
++ if (!nd_desc) {
++ device_unlock(dev);
++ return rc;
+ }
++ acpi_desc = to_acpi_desc(nd_desc);
++
++ mutex_lock(&acpi_desc->init_mutex);
++ busy = test_bit(ARS_BUSY, &acpi_desc->scrub_flags)
++ && !test_bit(ARS_CANCEL, &acpi_desc->scrub_flags);
++ rc = sprintf(buf, "%d%s", acpi_desc->scrub_count, busy ? "+\n" : "\n");
++ mutex_unlock(&acpi_desc->init_mutex);
+ device_unlock(dev);
+ return rc;
+ }
+@@ -2951,7 +2955,7 @@ static unsigned int __acpi_nfit_scrub(st
+
+ lockdep_assert_held(&acpi_desc->init_mutex);
+
+- if (acpi_desc->cancel)
++ if (test_bit(ARS_CANCEL, &acpi_desc->scrub_flags))
+ return 0;
+
+ if (query_rc == -EBUSY) {
+@@ -3025,7 +3029,7 @@ static void __sched_ars(struct acpi_nfit
+ {
+ lockdep_assert_held(&acpi_desc->init_mutex);
+
+- acpi_desc->scrub_busy = 1;
++ set_bit(ARS_BUSY, &acpi_desc->scrub_flags);
+ /* note this should only be set from within the workqueue */
+ if (tmo)
+ acpi_desc->scrub_tmo = tmo;
+@@ -3041,7 +3045,7 @@ static void notify_ars_done(struct acpi_
+ {
+ lockdep_assert_held(&acpi_desc->init_mutex);
+
+- acpi_desc->scrub_busy = 0;
++ clear_bit(ARS_BUSY, &acpi_desc->scrub_flags);
+ acpi_desc->scrub_count++;
+ if (acpi_desc->scrub_count_state)
+ sysfs_notify_dirent(acpi_desc->scrub_count_state);
+@@ -3314,7 +3318,7 @@ int acpi_nfit_ars_rescan(struct acpi_nfi
+ struct nfit_spa *nfit_spa;
+
+ mutex_lock(&acpi_desc->init_mutex);
+- if (acpi_desc->cancel) {
++ if (test_bit(ARS_CANCEL, &acpi_desc->scrub_flags)) {
+ mutex_unlock(&acpi_desc->init_mutex);
+ return 0;
+ }
+@@ -3394,7 +3398,7 @@ void acpi_nfit_shutdown(void *data)
+ mutex_unlock(&acpi_desc_lock);
+
+ mutex_lock(&acpi_desc->init_mutex);
+- acpi_desc->cancel = 1;
++ set_bit(ARS_CANCEL, &acpi_desc->scrub_flags);
+ cancel_delayed_work_sync(&acpi_desc->dwork);
+ mutex_unlock(&acpi_desc->init_mutex);
+
+--- a/drivers/acpi/nfit/nfit.h
++++ b/drivers/acpi/nfit/nfit.h
+@@ -181,6 +181,11 @@ struct nfit_mem {
+ int family;
+ };
+
++enum scrub_flags {
++ ARS_BUSY,
++ ARS_CANCEL,
++};
++
+ struct acpi_nfit_desc {
+ struct nvdimm_bus_descriptor nd_desc;
+ struct acpi_table_header acpi_header;
+@@ -203,8 +208,7 @@ struct acpi_nfit_desc {
+ unsigned int max_ars;
+ unsigned int scrub_count;
+ unsigned int scrub_mode;
+- unsigned int scrub_busy:1;
+- unsigned int cancel:1;
++ unsigned long scrub_flags;
+ unsigned long dimm_cmd_force_en;
+ unsigned long bus_cmd_force_en;
+ unsigned long bus_nfit_cmd_force_en;
diff --git a/patches.drivers/pwm-stm32-Use-3-cells-of_xlate.patch b/patches.drivers/pwm-stm32-Use-3-cells-of_xlate.patch
new file mode 100644
index 0000000000..13c6551616
--- /dev/null
+++ b/patches.drivers/pwm-stm32-Use-3-cells-of_xlate.patch
@@ -0,0 +1,37 @@
+From 0b055ed4c9bc16217d5eb4f4e6a5446cd9631b87 Mon Sep 17 00:00:00 2001
+From: Fabrice Gasnier <fabrice.gasnier@st.com>
+Date: Wed, 19 Jun 2019 11:52:02 +0200
+Subject: [PATCH] pwm: stm32: Use 3 cells ->of_xlate()
+Git-commit: 0b055ed4c9bc16217d5eb4f4e6a5446cd9631b87
+Patch-mainline: v5.3-rc1
+References: bsc#1111666
+
+STM32 Timers support generic 3 cells PWM to encode PWM number, period
+and polarity.
+
+Fixes: 7edf7369205b ("pwm: Add driver for STM32 plaftorm")
+Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com>
+Reviewed-by: Benjamin Gaignard <benjamin.gaignard@st.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/pwm/pwm-stm32.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pwm/pwm-stm32.c b/drivers/pwm/pwm-stm32.c
+index 4f842550fbd1..740e2dec8313 100644
+--- a/drivers/pwm/pwm-stm32.c
++++ b/drivers/pwm/pwm-stm32.c
+@@ -608,6 +608,8 @@ static int stm32_pwm_probe(struct platform_device *pdev)
+ priv->regmap = ddata->regmap;
+ priv->clk = ddata->clk;
+ priv->max_arr = ddata->max_arr;
++ priv->chip.of_xlate = of_pwm_xlate_with_flags;
++ priv->chip.of_pwm_n_cells = 3;
+
+ if (!priv->regmap || !priv->clk)
+ return -EINVAL;
+--
+2.16.4
+
diff --git a/patches.drivers/qmi_wwan-Fix-out-of-bounds-read.patch b/patches.drivers/qmi_wwan-Fix-out-of-bounds-read.patch
new file mode 100644
index 0000000000..77b7e947b7
--- /dev/null
+++ b/patches.drivers/qmi_wwan-Fix-out-of-bounds-read.patch
@@ -0,0 +1,58 @@
+From 904d88d743b0c94092c5117955eab695df8109e8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Mon, 24 Jun 2019 18:45:11 +0200
+Subject: [PATCH] qmi_wwan: Fix out-of-bounds read
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 904d88d743b0c94092c5117955eab695df8109e8
+Patch-mainline: v5.2-rc7
+References: bsc#1111666
+
+The syzbot reported
+
+ Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xca/0x13e lib/dump_stack.c:113
+ print_address_description+0x67/0x231 mm/kasan/report.c:188
+ __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
+ kasan_report+0xe/0x20 mm/kasan/common.c:614
+ qmi_wwan_probe+0x342/0x360 drivers/net/usb/qmi_wwan.c:1417
+ usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
+ really_probe+0x281/0x660 drivers/base/dd.c:509
+ driver_probe_device+0x104/0x210 drivers/base/dd.c:670
+ __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
+ bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
+
+Caused by too many confusing indirections and casts.
+id->driver_info is a pointer stored in a long. We want the
+pointer here, not the address of it.
+
+Thanks-to: Hillf Danton <hdanton@sina.com>
+Reported-by: syzbot+b68605d7fadd21510de1@syzkaller.appspotmail.com
+Cc: Kristian Evensen <kristian.evensen@gmail.com>
+Fixes: e4bf63482c30 ("qmi_wwan: Add quirk for Quectel dynamic config")
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/usb/qmi_wwan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index d080f8048e52..8b4ad10cf940 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1482,7 +1482,7 @@ static int qmi_wwan_probe(struct usb_interface *intf,
+ * different. Ignore the current interface if the number of endpoints
+ * equals the number for the diag interface (two).
+ */
+- info = (void *)&id->driver_info;
++ info = (void *)id->driver_info;
+
+ if (info->data & QMI_WWAN_QUIRK_QUECTEL_DYNCFG) {
+ if (desc->bNumEndpoints == 2)
+--
+2.16.4
+
diff --git a/patches.drivers/regulator-s2mps11-Fix-buck7-and-buck8-wrong-voltages.patch b/patches.drivers/regulator-s2mps11-Fix-buck7-and-buck8-wrong-voltages.patch
new file mode 100644
index 0000000000..fbc0eb13cc
--- /dev/null
+++ b/patches.drivers/regulator-s2mps11-Fix-buck7-and-buck8-wrong-voltages.patch
@@ -0,0 +1,46 @@
+From 16da0eb5ab6ef2dd1d33431199126e63db9997cc Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Sat, 29 Jun 2019 13:44:45 +0200
+Subject: [PATCH] regulator: s2mps11: Fix buck7 and buck8 wrong voltages
+Git-commit: 16da0eb5ab6ef2dd1d33431199126e63db9997cc
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+On S2MPS11 device, the buck7 and buck8 regulator voltages start at 750
+mV, not 600 mV. Using wrong minimal value caused shifting of these
+regulator values by 150 mV (e.g. buck7 usually configured to v1.35 V was
+reported as 1.2 V).
+
+On most of the boards these regulators are left in default state so this
+was only affecting reported voltage. However if any driver wanted to
+change them, then effectively it would set voltage 150 mV higher than
+intended.
+
+Cc: <stable@vger.kernel.org>
+Fixes: cb74685ecb39 ("regulator: s2mps11: Add samsung s2mps11 regulator driver")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/regulator/s2mps11.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/regulator/s2mps11.c b/drivers/regulator/s2mps11.c
+index af9bf10b4c33..7a89030187a4 100644
+--- a/drivers/regulator/s2mps11.c
++++ b/drivers/regulator/s2mps11.c
+@@ -372,8 +372,8 @@ static const struct regulator_desc s2mps11_regulators[] = {
+ regulator_desc_s2mps11_buck1_4(4),
+ regulator_desc_s2mps11_buck5,
+ regulator_desc_s2mps11_buck67810(6, MIN_600_MV, STEP_6_25_MV),
+- regulator_desc_s2mps11_buck67810(7, MIN_600_MV, STEP_12_5_MV),
+- regulator_desc_s2mps11_buck67810(8, MIN_600_MV, STEP_12_5_MV),
++ regulator_desc_s2mps11_buck67810(7, MIN_750_MV, STEP_12_5_MV),
++ regulator_desc_s2mps11_buck67810(8, MIN_750_MV, STEP_12_5_MV),
+ regulator_desc_s2mps11_buck9,
+ regulator_desc_s2mps11_buck67810(10, MIN_750_MV, STEP_12_5_MV),
+ };
+--
+2.16.4
+
diff --git a/patches.drivers/staging-comedi-ni_mio_common-Fix-divide-by-zero-for-.patch b/patches.drivers/staging-comedi-ni_mio_common-Fix-divide-by-zero-for-.patch
new file mode 100644
index 0000000000..44724e4c2c
--- /dev/null
+++ b/patches.drivers/staging-comedi-ni_mio_common-Fix-divide-by-zero-for-.patch
@@ -0,0 +1,153 @@
+From bafd9c64056cd034a1174dcadb65cd3b294ff8f6 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 4 Mar 2019 14:33:54 +0000
+Subject: [PATCH] staging: comedi: ni_mio_common: Fix divide-by-zero for DIO cmdtest
+Git-commit: bafd9c64056cd034a1174dcadb65cd3b294ff8f6
+Patch-mainline: v5.1-rc3
+References: bsc#1051510
+
+`ni_cdio_cmdtest()` validates Comedi asynchronous commands for the DIO
+subdevice (subdevice 2) of supported National Instruments M-series
+cards. It is called when handling the `COMEDI_CMD` and `COMEDI_CMDTEST`
+ioctls for this subdevice. There are two causes for a possible
+divide-by-zero error when validating that the `stop_arg` member of the
+passed-in command is not too large.
+
+The first cause for the divide-by-zero is that calls to
+`comedi_bytes_per_scan()` are only valid once the command has been
+copied to `s->async->cmd`, but that copy is only done for the
+`COMEDI_CMD` ioctl. For the `COMEDI_CMDTEST` ioctl, it will use
+whatever was left there by the previous `COMEDI_CMD` ioctl, if any.
+(This is very likely, as it is usual for the application to use
+`COMEDI_CMDTEST` before `COMEDI_CMD`.) If there has been no previous,
+valid `COMEDI_CMD` for this subdevice, then `comedi_bytes_per_scan()`
+will return 0, so the subsequent division in `ni_cdio_cmdtest()` of
+`s->async->prealloc_bufsz / comedi_bytes_per_scan(s)` will be a
+divide-by-zero error. To fix this error, call a new function
+`comedi_bytes_per_scan_cmd(s, cmd)`, based on the existing
+`comedi_bytes_per_scan(s)` but using a specified `struct comedi_cmd` for
+its calculations. (Also refactor `comedi_bytes_per_scan()` to call the
+new function.)
+
+Once the first cause for the divide-by-zero has been fixed, the second
+cause is that `comedi_bytes_per_scan_cmd()` can legitimately return 0 if
+the `scan_end_arg` member of the `struct comedi_cmd` being tested is 0.
+Fix it by only performing the division (and validating that `stop_arg`
+is no more than the maximum value) if `comedi_bytes_per_scan_cmd()`
+returns a non-zero value.
+
+The problem was reported on the COMEDI mailing list here:
+https://groups.google.com/forum/#!topic/comedi_list/4t9WlHzMhKM
+
+Reported-by: Ivan Vasilyev <grabesstimme@gmail.com>
+Tested-by: Ivan Vasilyev <grabesstimme@gmail.com>
+Fixes: f164cbf98fa8 ("staging: comedi: ni_mio_common: add finite regeneration to dio output")
+Cc: <stable@vger.kernel.org> # 4.6+
+Cc: Spencer E. Olson <olsonse@umich.edu>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/staging/comedi/comedidev.h | 2 +
+ drivers/staging/comedi/drivers.c | 33 +++++++++++++++++++++----
+ drivers/staging/comedi/drivers/ni_mio_common.c | 10 +++++--
+ 3 files changed, 38 insertions(+), 7 deletions(-)
+
+--- a/drivers/staging/comedi/comedidev.h
++++ b/drivers/staging/comedi/comedidev.h
+@@ -992,6 +992,8 @@ int comedi_dio_insn_config(struct comedi
+ unsigned int mask);
+ unsigned int comedi_dio_update_state(struct comedi_subdevice *s,
+ unsigned int *data);
++unsigned int comedi_bytes_per_scan_cmd(struct comedi_subdevice *s,
++ struct comedi_cmd *cmd);
+ unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s);
+ unsigned int comedi_nscans_left(struct comedi_subdevice *s,
+ unsigned int nscans);
+--- a/drivers/staging/comedi/drivers.c
++++ b/drivers/staging/comedi/drivers.c
+@@ -390,11 +390,13 @@ unsigned int comedi_dio_update_state(str
+ EXPORT_SYMBOL_GPL(comedi_dio_update_state);
+
+ /**
+- * comedi_bytes_per_scan() - Get length of asynchronous command "scan" in bytes
++ * comedi_bytes_per_scan_cmd() - Get length of asynchronous command "scan" in
++ * bytes
+ * @s: COMEDI subdevice.
++ * @cmd: COMEDI command.
+ *
+ * Determines the overall scan length according to the subdevice type and the
+- * number of channels in the scan.
++ * number of channels in the scan for the specified command.
+ *
+ * For digital input, output or input/output subdevices, samples for
+ * multiple channels are assumed to be packed into one or more unsigned
+@@ -404,9 +406,9 @@ EXPORT_SYMBOL_GPL(comedi_dio_update_stat
+ *
+ * Returns the overall scan length in bytes.
+ */
+-unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s)
++unsigned int comedi_bytes_per_scan_cmd(struct comedi_subdevice *s,
++ struct comedi_cmd *cmd)
+ {
+- struct comedi_cmd *cmd = &s->async->cmd;
+ unsigned int num_samples;
+ unsigned int bits_per_sample;
+
+@@ -423,6 +425,29 @@ unsigned int comedi_bytes_per_scan(struc
+ }
+ return comedi_samples_to_bytes(s, num_samples);
+ }
++EXPORT_SYMBOL_GPL(comedi_bytes_per_scan_cmd);
++
++/**
++ * comedi_bytes_per_scan() - Get length of asynchronous command "scan" in bytes
++ * @s: COMEDI subdevice.
++ *
++ * Determines the overall scan length according to the subdevice type and the
++ * number of channels in the scan for the current command.
++ *
++ * For digital input, output or input/output subdevices, samples for
++ * multiple channels are assumed to be packed into one or more unsigned
++ * short or unsigned int values according to the subdevice's %SDF_LSAMPL
++ * flag. For other types of subdevice, samples are assumed to occupy a
++ * whole unsigned short or unsigned int according to the %SDF_LSAMPL flag.
++ *
++ * Returns the overall scan length in bytes.
++ */
++unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s)
++{
++ struct comedi_cmd *cmd = &s->async->cmd;
++
++ return comedi_bytes_per_scan_cmd(s, cmd);
++}
+ EXPORT_SYMBOL_GPL(comedi_bytes_per_scan);
+
+ static unsigned int __comedi_nscans_left(struct comedi_subdevice *s,
+--- a/drivers/staging/comedi/drivers/ni_mio_common.c
++++ b/drivers/staging/comedi/drivers/ni_mio_common.c
+@@ -3522,6 +3522,7 @@ static int ni_cdio_check_chanlist(struct
+ static int ni_cdio_cmdtest(struct comedi_device *dev,
+ struct comedi_subdevice *s, struct comedi_cmd *cmd)
+ {
++ unsigned int bytes_per_scan;
+ int err = 0;
+ int tmp;
+
+@@ -3551,9 +3552,12 @@ static int ni_cdio_cmdtest(struct comedi
+ err |= comedi_check_trigger_arg_is(&cmd->convert_arg, 0);
+ err |= comedi_check_trigger_arg_is(&cmd->scan_end_arg,
+ cmd->chanlist_len);
+- err |= comedi_check_trigger_arg_max(&cmd->stop_arg,
+- s->async->prealloc_bufsz /
+- comedi_bytes_per_scan(s));
++ bytes_per_scan = comedi_bytes_per_scan_cmd(s, cmd);
++ if (bytes_per_scan) {
++ err |= comedi_check_trigger_arg_max(&cmd->stop_arg,
++ s->async->prealloc_bufsz /
++ bytes_per_scan);
++ }
+
+ if (err)
+ return 3;
diff --git a/patches.drivers/staging-iio-ad7150-fix-threshold-mode-config-bit.patch b/patches.drivers/staging-iio-ad7150-fix-threshold-mode-config-bit.patch
new file mode 100644
index 0000000000..8d06d09375
--- /dev/null
+++ b/patches.drivers/staging-iio-ad7150-fix-threshold-mode-config-bit.patch
@@ -0,0 +1,75 @@
+From df4d737ee4d7205aaa6275158aeebff87fd14488 Mon Sep 17 00:00:00 2001
+From: Melissa Wen <melissa.srw@gmail.com>
+Date: Sat, 18 May 2019 22:04:56 -0300
+Subject: [PATCH] staging:iio:ad7150: fix threshold mode config bit
+Git-commit: df4d737ee4d7205aaa6275158aeebff87fd14488
+Patch-mainline: v5.2-rc6
+References: bsc#1051510
+
+According to the AD7150 configuration register description, bit 7 assumes
+value 1 when the threshold mode is fixed and 0 when it is adaptive,
+however, the operation that identifies this mode was considering the
+opposite values.
+
+This patch renames the boolean variable to describe it correctly and
+properly replaces it in the places where it is used.
+
+Fixes: 531efd6aa0991 ("staging:iio:adc:ad7150: chan_spec conv + i2c_smbus commands + drop unused poweroff timeout control.")
+Signed-off-by: Melissa Wen <melissa.srw@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/staging/iio/cdc/ad7150.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/drivers/staging/iio/cdc/ad7150.c
++++ b/drivers/staging/iio/cdc/ad7150.c
+@@ -6,6 +6,7 @@
+ * Licensed under the GPL-2 or later.
+ */
+
++#include <linux/bitfield.h>
+ #include <linux/interrupt.h>
+ #include <linux/device.h>
+ #include <linux/kernel.h>
+@@ -129,7 +130,7 @@ static int ad7150_read_event_config(stru
+ {
+ int ret;
+ u8 threshtype;
+- bool adaptive;
++ bool thrfixed;
+ struct ad7150_chip_info *chip = iio_priv(indio_dev);
+
+ ret = i2c_smbus_read_byte_data(chip->client, AD7150_CFG);
+@@ -137,21 +138,23 @@ static int ad7150_read_event_config(stru
+ return ret;
+
+ threshtype = (ret >> 5) & 0x03;
+- adaptive = !!(ret & 0x80);
++
++ /*check if threshold mode is fixed or adaptive*/
++ thrfixed = FIELD_GET(AD7150_CFG_FIX, ret);
+
+ switch (type) {
+ case IIO_EV_TYPE_MAG_ADAPTIVE:
+ if (dir == IIO_EV_DIR_RISING)
+- return adaptive && (threshtype == 0x1);
+- return adaptive && (threshtype == 0x0);
++ return !thrfixed && (threshtype == 0x1);
++ return !thrfixed && (threshtype == 0x0);
+ case IIO_EV_TYPE_THRESH_ADAPTIVE:
+ if (dir == IIO_EV_DIR_RISING)
+- return adaptive && (threshtype == 0x3);
+- return adaptive && (threshtype == 0x2);
++ return !thrfixed && (threshtype == 0x3);
++ return !thrfixed && (threshtype == 0x2);
+ case IIO_EV_TYPE_THRESH:
+ if (dir == IIO_EV_DIR_RISING)
+- return !adaptive && (threshtype == 0x1);
+- return !adaptive && (threshtype == 0x0);
++ return thrfixed && (threshtype == 0x1);
++ return thrfixed && (threshtype == 0x0);
+ default:
+ break;
+ }
diff --git a/patches.drm/drm-amdgpu-gfx9-use-reset-default-for-PA_SC_FIFO_SIZ.patch b/patches.drm/drm-amdgpu-gfx9-use-reset-default-for-PA_SC_FIFO_SIZ.patch
new file mode 100644
index 0000000000..6c26dc9131
--- /dev/null
+++ b/patches.drm/drm-amdgpu-gfx9-use-reset-default-for-PA_SC_FIFO_SIZ.patch
@@ -0,0 +1,52 @@
+From 25f09f858835b0e9a06213811031190a17d8ab78 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 1 Jul 2019 08:38:12 -0500
+Subject: [PATCH] drm/amdgpu/gfx9: use reset default for PA_SC_FIFO_SIZE
+Git-commit: 25f09f858835b0e9a06213811031190a17d8ab78
+Patch-mainline: v5.2
+References: bsc#1051510
+
+Recommended by the hw team.
+
+Reviewed-and-tested-by: Huang Rui <ray.huang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 19 -------------------
+ 1 file changed, 19 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+index b610e3b30d95..2f18c64d531f 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -1959,25 +1959,6 @@ static void gfx_v9_0_constants_init(struct amdgpu_device *adev)
+ mutex_unlock(&adev->srbm_mutex);
+
+ gfx_v9_0_init_compute_vmid(adev);
+-
+- mutex_lock(&adev->grbm_idx_mutex);
+- /*
+- * making sure that the following register writes will be broadcasted
+- * to all the shaders
+- */
+- gfx_v9_0_select_se_sh(adev, 0xffffffff, 0xffffffff, 0xffffffff);
+-
+- WREG32_SOC15(GC, 0, mmPA_SC_FIFO_SIZE,
+- (adev->gfx.config.sc_prim_fifo_size_frontend <<
+- PA_SC_FIFO_SIZE__SC_FRONTEND_PRIM_FIFO_SIZE__SHIFT) |
+- (adev->gfx.config.sc_prim_fifo_size_backend <<
+- PA_SC_FIFO_SIZE__SC_BACKEND_PRIM_FIFO_SIZE__SHIFT) |
+- (adev->gfx.config.sc_hiz_tile_fifo_size <<
+- PA_SC_FIFO_SIZE__SC_HIZ_TILE_FIFO_SIZE__SHIFT) |
+- (adev->gfx.config.sc_earlyz_tile_fifo_size <<
+- PA_SC_FIFO_SIZE__SC_EARLYZ_TILE_FIFO_SIZE__SHIFT));
+- mutex_unlock(&adev->grbm_idx_mutex);
+-
+ }
+
+ static void gfx_v9_0_wait_for_rlc_serdes(struct amdgpu_device *adev)
+--
+2.16.4
+
diff --git a/patches.drm/drm-i915-dmc-protect-against-reading-random-memory.patch b/patches.drm/drm-i915-dmc-protect-against-reading-random-memory.patch
new file mode 100644
index 0000000000..fadbf4fbd1
--- /dev/null
+++ b/patches.drm/drm-i915-dmc-protect-against-reading-random-memory.patch
@@ -0,0 +1,97 @@
+From 326fb6dd1483c985a6ef47db3fa8788bb99e8b83 Mon Sep 17 00:00:00 2001
+From: Lucas De Marchi <lucas.demarchi@intel.com>
+Date: Wed, 5 Jun 2019 16:55:35 -0700
+Subject: [PATCH] drm/i915/dmc: protect against reading random memory
+Git-commit: 326fb6dd1483c985a6ef47db3fa8788bb99e8b83
+Patch-mainline: v5.2-rc5
+No-fix: bc7b488b1d1c71dc4c5182206911127bc6c410d6
+References: bsc#1051510
+
+While loading the DMC firmware we were double checking the headers made
+sense, but in no place we checked that we were actually reading memory
+we were supposed to. This could be wrong in case the firmware file is
+truncated or malformed.
+
+Before this patch:
+ # ls -l /lib/firmware/i915/icl_dmc_ver1_07.bin
+ -rw-r--r-- 1 root root 25716 Feb 1 12:26 icl_dmc_ver1_07.bin
+ # truncate -s 25700 /lib/firmware/i915/icl_dmc_ver1_07.bin
+ # modprobe i915
+ # dmesg| grep -i dmc
+ [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin
+ [drm] Finished loading DMC firmware i915/icl_dmc_ver1_07.bin (v1.7)
+
+i.e. it loads random data. Now it fails like below:
+ [drm:intel_csr_ucode_init [i915]] Loading i915/icl_dmc_ver1_07.bin
+ [drm:csr_load_work_fn [i915]] *ERROR* Truncated DMC firmware, rejecting.
+ i915 0000:00:02.0: Failed to load DMC firmware i915/icl_dmc_ver1_07.bin. Disabling runtime power management.
+ i915 0000:00:02.0: DMC firmware homepage: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/i915
+
+Before reading any part of the firmware file, validate the input first.
+
+Fixes: eb805623d8b1 ("drm/i915/skl: Add support to load SKL CSR firmware.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190605235535.17791-1-lucas.demarchi@intel.com
+(cherry picked from commit bc7b488b1d1c71dc4c5182206911127bc6c410d6)
+
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/i915/intel_csr.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/gpu/drm/i915/intel_csr.c
++++ b/drivers/gpu/drm/i915/intel_csr.c
+@@ -282,10 +282,17 @@ static uint32_t *parse_csr_fw(struct drm
+ uint32_t i;
+ uint32_t *dmc_payload;
+ uint32_t required_version;
++ size_t fsize;
+
+ if (!fw)
+ return NULL;
+
++ fsize = sizeof(struct intel_css_header) +
++ sizeof(struct intel_package_header) +
++ sizeof(struct intel_dmc_header);
++ if (fsize > fw->size)
++ goto error_truncated;
++
+ /* Extract CSS Header information*/
+ css_header = (struct intel_css_header *)fw->data;
+ if (sizeof(struct intel_css_header) !=
+@@ -357,6 +364,9 @@ static uint32_t *parse_csr_fw(struct drm
+ return NULL;
+ }
+ readcount += dmc_offset;
++ fsize += dmc_offset;
++ if (fsize > fw->size)
++ goto error_truncated;
+
+ /* Extract dmc_header information. */
+ dmc_header = (struct intel_dmc_header *)&fw->data[readcount];
+@@ -388,6 +398,10 @@ static uint32_t *parse_csr_fw(struct drm
+
+ /* fw_size is in dwords, so multiplied by 4 to convert into bytes. */
+ nbytes = dmc_header->fw_size * 4;
++ fsize += nbytes;
++ if (fsize > fw->size)
++ goto error_truncated;
++
+ if (nbytes > CSR_MAX_FW_SIZE) {
+ DRM_ERROR("DMC firmware too big (%u bytes)\n", nbytes);
+ return NULL;
+@@ -401,6 +415,10 @@ static uint32_t *parse_csr_fw(struct drm
+ }
+
+ return memcpy(dmc_payload, &fw->data[readcount], nbytes);
++
++error_truncated:
++ DRM_ERROR("Truncated DMC firmware, rejecting.\n");
++ return NULL;
+ }
+
+ static void csr_load_work_fn(struct work_struct *work)
diff --git a/patches.fixes/0006-irqchip-gic-v3-its-fix-some-definitions-of-inner-cac.patch b/patches.fixes/0006-irqchip-gic-v3-its-fix-some-definitions-of-inner-cac.patch
new file mode 100644
index 0000000000..813472dd5e
--- /dev/null
+++ b/patches.fixes/0006-irqchip-gic-v3-its-fix-some-definitions-of-inner-cac.patch
@@ -0,0 +1,80 @@
+From 0f29456d08042134aff6e562d07a6365c841c4ad Mon Sep 17 00:00:00 2001
+From: Hongbo Yao <yaohongbo@huawei.com>
+Date: Mon, 8 Apr 2019 22:01:03 +0800
+Subject: [PATCH] irqchip/gic-v3-its: fix some definitions of inner cacheability attributes
+Git-commit: 0f29456d08042134aff6e562d07a6365c841c4ad
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Some definitions of Inner Cacheability attibutes need to be corrected.
+
+Fixes: 8c828a535e29f ("irqchip/gicv3-its: Restore all cacheability attributes")
+Signed-off-by: Hongbo Yao <yaohongbo@huawei.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ include/linux/irqchip/arm-gic-v3.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/include/linux/irqchip/arm-gic-v3.h b/include/linux/irqchip/arm-gic-v3.h
+index c848a7cc502e..c7e3e39224c6 100644
+--- a/include/linux/irqchip/arm-gic-v3.h
++++ b/include/linux/irqchip/arm-gic-v3.h
+@@ -165,7 +165,7 @@
+ #define GICR_PROPBASER_nCnB GIC_BASER_CACHEABILITY(GICR_PROPBASER, INNER, nCnB)
+ #define GICR_PROPBASER_nC GIC_BASER_CACHEABILITY(GICR_PROPBASER, INNER, nC)
+ #define GICR_PROPBASER_RaWt GIC_BASER_CACHEABILITY(GICR_PROPBASER, INNER, RaWt)
+-#define GICR_PROPBASER_RaWb GIC_BASER_CACHEABILITY(GICR_PROPBASER, INNER, RaWt)
++#define GICR_PROPBASER_RaWb GIC_BASER_CACHEABILITY(GICR_PROPBASER, INNER, RaWb)
+ #define GICR_PROPBASER_WaWt GIC_BASER_CACHEABILITY(GICR_PROPBASER, INNER, WaWt)
+ #define GICR_PROPBASER_WaWb GIC_BASER_CACHEABILITY(GICR_PROPBASER, INNER, WaWb)
+ #define GICR_PROPBASER_RaWaWt GIC_BASER_CACHEABILITY(GICR_PROPBASER, INNER, RaWaWt)
+@@ -192,7 +192,7 @@
+ #define GICR_PENDBASER_nCnB GIC_BASER_CACHEABILITY(GICR_PENDBASER, INNER, nCnB)
+ #define GICR_PENDBASER_nC GIC_BASER_CACHEABILITY(GICR_PENDBASER, INNER, nC)
+ #define GICR_PENDBASER_RaWt GIC_BASER_CACHEABILITY(GICR_PENDBASER, INNER, RaWt)
+-#define GICR_PENDBASER_RaWb GIC_BASER_CACHEABILITY(GICR_PENDBASER, INNER, RaWt)
++#define GICR_PENDBASER_RaWb GIC_BASER_CACHEABILITY(GICR_PENDBASER, INNER, RaWb)
+ #define GICR_PENDBASER_WaWt GIC_BASER_CACHEABILITY(GICR_PENDBASER, INNER, WaWt)
+ #define GICR_PENDBASER_WaWb GIC_BASER_CACHEABILITY(GICR_PENDBASER, INNER, WaWb)
+ #define GICR_PENDBASER_RaWaWt GIC_BASER_CACHEABILITY(GICR_PENDBASER, INNER, RaWaWt)
+@@ -251,7 +251,7 @@
+ #define GICR_VPROPBASER_nCnB GIC_BASER_CACHEABILITY(GICR_VPROPBASER, INNER, nCnB)
+ #define GICR_VPROPBASER_nC GIC_BASER_CACHEABILITY(GICR_VPROPBASER, INNER, nC)
+ #define GICR_VPROPBASER_RaWt GIC_BASER_CACHEABILITY(GICR_VPROPBASER, INNER, RaWt)
+-#define GICR_VPROPBASER_RaWb GIC_BASER_CACHEABILITY(GICR_VPROPBASER, INNER, RaWt)
++#define GICR_VPROPBASER_RaWb GIC_BASER_CACHEABILITY(GICR_VPROPBASER, INNER, RaWb)
+ #define GICR_VPROPBASER_WaWt GIC_BASER_CACHEABILITY(GICR_VPROPBASER, INNER, WaWt)
+ #define GICR_VPROPBASER_WaWb GIC_BASER_CACHEABILITY(GICR_VPROPBASER, INNER, WaWb)
+ #define GICR_VPROPBASER_RaWaWt GIC_BASER_CACHEABILITY(GICR_VPROPBASER, INNER, RaWaWt)
+@@ -277,7 +277,7 @@
+ #define GICR_VPENDBASER_nCnB GIC_BASER_CACHEABILITY(GICR_VPENDBASER, INNER, nCnB)
+ #define GICR_VPENDBASER_nC GIC_BASER_CACHEABILITY(GICR_VPENDBASER, INNER, nC)
+ #define GICR_VPENDBASER_RaWt GIC_BASER_CACHEABILITY(GICR_VPENDBASER, INNER, RaWt)
+-#define GICR_VPENDBASER_RaWb GIC_BASER_CACHEABILITY(GICR_VPENDBASER, INNER, RaWt)
++#define GICR_VPENDBASER_RaWb GIC_BASER_CACHEABILITY(GICR_VPENDBASER, INNER, RaWb)
+ #define GICR_VPENDBASER_WaWt GIC_BASER_CACHEABILITY(GICR_VPENDBASER, INNER, WaWt)
+ #define GICR_VPENDBASER_WaWb GIC_BASER_CACHEABILITY(GICR_VPENDBASER, INNER, WaWb)
+ #define GICR_VPENDBASER_RaWaWt GIC_BASER_CACHEABILITY(GICR_VPENDBASER, INNER, RaWaWt)
+@@ -351,7 +351,7 @@
+ #define GITS_CBASER_nCnB GIC_BASER_CACHEABILITY(GITS_CBASER, INNER, nCnB)
+ #define GITS_CBASER_nC GIC_BASER_CACHEABILITY(GITS_CBASER, INNER, nC)
+ #define GITS_CBASER_RaWt GIC_BASER_CACHEABILITY(GITS_CBASER, INNER, RaWt)
+-#define GITS_CBASER_RaWb GIC_BASER_CACHEABILITY(GITS_CBASER, INNER, RaWt)
++#define GITS_CBASER_RaWb GIC_BASER_CACHEABILITY(GITS_CBASER, INNER, RaWb)
+ #define GITS_CBASER_WaWt GIC_BASER_CACHEABILITY(GITS_CBASER, INNER, WaWt)
+ #define GITS_CBASER_WaWb GIC_BASER_CACHEABILITY(GITS_CBASER, INNER, WaWb)
+ #define GITS_CBASER_RaWaWt GIC_BASER_CACHEABILITY(GITS_CBASER, INNER, RaWaWt)
+@@ -377,7 +377,7 @@
+ #define GITS_BASER_nCnB GIC_BASER_CACHEABILITY(GITS_BASER, INNER, nCnB)
+ #define GITS_BASER_nC GIC_BASER_CACHEABILITY(GITS_BASER, INNER, nC)
+ #define GITS_BASER_RaWt GIC_BASER_CACHEABILITY(GITS_BASER, INNER, RaWt)
+-#define GITS_BASER_RaWb GIC_BASER_CACHEABILITY(GITS_BASER, INNER, RaWt)
++#define GITS_BASER_RaWb GIC_BASER_CACHEABILITY(GITS_BASER, INNER, RaWb)
+ #define GITS_BASER_WaWt GIC_BASER_CACHEABILITY(GITS_BASER, INNER, WaWt)
+ #define GITS_BASER_WaWb GIC_BASER_CACHEABILITY(GITS_BASER, INNER, WaWb)
+ #define GITS_BASER_RaWaWt GIC_BASER_CACHEABILITY(GITS_BASER, INNER, RaWaWt)
+--
+2.16.4
+
diff --git a/patches.fixes/Abort-file_remove_privs-for-non-reg.-files.patch b/patches.fixes/Abort-file_remove_privs-for-non-reg.-files.patch
new file mode 100644
index 0000000000..c28db02866
--- /dev/null
+++ b/patches.fixes/Abort-file_remove_privs-for-non-reg.-files.patch
@@ -0,0 +1,54 @@
+From f69e749a49353d96af1a293f56b5b56de59c668a Mon Sep 17 00:00:00 2001
+From: Alexander Lochmann <alexander.lochmann@tu-dortmund.de>
+Date: Fri, 14 Dec 2018 11:55:52 +0100
+Subject: [PATCH] Abort file_remove_privs() for non-reg. files
+Git-commit: f69e749a49353d96af1a293f56b5b56de59c668a
+Patch-mainline: v5.1
+References: bsc#1140888
+
+file_remove_privs() might be called for non-regular files, e.g.
+blkdev inode. There is no reason to do its job on things
+like blkdev inodes, pipes, or cdevs. Hence, abort if
+file does not refer to a regular inode.
+
+Av: more to the point, for devices there might be any number of
+inodes refering to given device. Which one to strip the permissions
+from, even if that made any sense in the first place? All of them
+will be observed with contents modified, after all.
+
+Found by LockDoc (Alexander Lochmann, Horst Schirmeier and Olaf
+Spinczyk)
+
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Alexander Lochmann <alexander.lochmann@tu-dortmund.de>
+Signed-off-by: Horst Schirmeier <horst.schirmeier@tu-dortmund.de>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/inode.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/fs/inode.c b/fs/inode.c
+index e9d97add2b36..9a453f3637f8 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -1817,8 +1817,13 @@ int file_remove_privs(struct file *file)
+ int kill;
+ int error = 0;
+
+- /* Fast path for nothing security related */
+- if (IS_NOSEC(inode))
++ /*
++ * Fast path for nothing security related.
++ * As well for non-regular files, e.g. blkdev inodes.
++ * For example, blkdev_write_iter() might get here
++ * trying to remove privs which it is not allowed to.
++ */
++ if (IS_NOSEC(inode) || !S_ISREG(inode->i_mode))
+ return 0;
+
+ kill = dentry_needs_remove_privs(dentry);
+--
+2.16.4
+
diff --git a/patches.fixes/PCI-Do-not-poll-for-PME-if-the-device-is-in-D3cold.patch b/patches.fixes/PCI-Do-not-poll-for-PME-if-the-device-is-in-D3cold.patch
new file mode 100644
index 0000000000..d07ef012e7
--- /dev/null
+++ b/patches.fixes/PCI-Do-not-poll-for-PME-if-the-device-is-in-D3cold.patch
@@ -0,0 +1,60 @@
+From 000dd5316e1c756a1c028f22e01d06a38249dd4d Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Wed, 12 Jun 2019 13:57:39 +0300
+Subject: [PATCH] PCI: Do not poll for PME if the device is in D3cold
+Git-commit: 000dd5316e1c756a1c028f22e01d06a38249dd4d
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+PME polling does not take into account that a device that is directly
+connected to the host bridge may go into D3cold as well. This leads to a
+situation where the PME poll thread reads from a config space of a
+device that is in D3cold and gets incorrect information because the
+config space is not accessible.
+
+Here is an example from Intel Ice Lake system where two PCIe root ports
+are in D3cold (I've instrumented the kernel to log the PMCSR register
+Contents):
+
+ [ 62.971442] pcieport 0000:00:07.1: Check PME status, PMCSR=0xffff
+ [ 62.971504] pcieport 0000:00:07.0: Check PME status, PMCSR=0xffff
+
+Since 0xffff is interpreted so that PME is pending, the root ports will
+be runtime resumed. This repeats over and over again essentially
+blocking all runtime power management.
+
+Prevent this from happening by checking whether the device is in D3cold
+before its PME status is read.
+
+Fixes: 71a83bd727cc ("PCI/PM: add runtime PM support to PCIe port")
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Lukas Wunner <lukas@wunner.de>
+Cc: 3.6+ <stable@vger.kernel.org> # v3.6+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/pci/pci.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 9839d6f9bcb5..e34fb2b3c466 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -2060,6 +2060,13 @@ static void pci_pme_list_scan(struct work_struct *work)
+ */
+ if (bridge && bridge->current_state != PCI_D0)
+ continue;
++ /*
++ * If the device is in D3cold it should not be
++ * polled either.
++ */
++ if (pme_dev->dev->current_state == PCI_D3cold)
++ continue;
++
+ pci_pme_wakeup(pme_dev->dev, NULL);
+ } else {
+ list_del(&pme_dev->list);
+--
+2.16.4
+
diff --git a/patches.fixes/apparmor-enforce-nullbyte-at-end-of-tag-string.patch b/patches.fixes/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
new file mode 100644
index 0000000000..c5a604e5d6
--- /dev/null
+++ b/patches.fixes/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
@@ -0,0 +1,42 @@
+From 8404d7a674c49278607d19726e0acc0cae299357 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 28 May 2019 17:32:26 +0200
+Subject: [PATCH] apparmor: enforce nullbyte at end of tag string
+Git-commit: 8404d7a674c49278607d19726e0acc0cae299357
+Patch-mainline: v5.2-rc6
+References: bsc#1051510
+
+A packed AppArmor policy contains null-terminated tag strings that are read
+by unpack_nameX(). However, unpack_nameX() uses string functions on them
+without ensuring that they are actually null-terminated, potentially
+leading to out-of-bounds accesses.
+
+Make sure that the tag string is null-terminated before passing it to
+strcmp().
+
+Cc: stable@vger.kernel.org
+Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ security/apparmor/policy_unpack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index 01957ce9252b..005a705346f0 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -272,7 +272,7 @@ static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
+ char *tag = NULL;
+ size_t size = unpack_u16_chunk(e, &tag);
+ /* if a name is specified it must match. otherwise skip tag */
+- if (name && (!size || strcmp(name, tag)))
++ if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
+ goto fail;
+ } else if (name) {
+ /* if a name is specified and there is no name tag fail */
+--
+2.16.4
+
diff --git a/patches.fixes/blk-mq-free-hw-queue-s-resource-in-hctx-s-release-handler.patch b/patches.fixes/blk-mq-free-hw-queue-s-resource-in-hctx-s-release-handler.patch
new file mode 100644
index 0000000000..e443f25354
--- /dev/null
+++ b/patches.fixes/blk-mq-free-hw-queue-s-resource-in-hctx-s-release-handler.patch
@@ -0,0 +1,127 @@
+From: Ming Lei <ming.lei@redhat.com>
+Date: Tue, 30 Apr 2019 09:52:25 +0800
+Subject: blk-mq: free hw queue's resource in hctx's release handler
+Patch-mainline: v5.2-rc1
+Git-commit: c7e2d94b3d1634988a95ac4d77a72dc7487ece06
+References: bsc#1140637
+
+Once blk_cleanup_queue() returns, tags shouldn't be used any more,
+because blk_mq_free_tag_set() may be called. Commit 45a9c9d909b2
+("blk-mq: Fix a use-after-free") fixes this issue exactly.
+
+However, that commit introduces another issue. Before 45a9c9d909b2,
+we are allowed to run queue during cleaning up queue if the queue's
+kobj refcount is held. After that commit, queue can't be run during
+queue cleaning up, otherwise oops can be triggered easily because
+some fields of hctx are freed by blk_mq_free_queue() in blk_cleanup_queue().
+
+We have invented ways for addressing this kind of issue before, such as:
+
+ 8dc765d438f1 ("SCSI: fix queue cleanup race before queue initialization is done")
+ c2856ae2f315 ("blk-mq: quiesce queue before freeing queue")
+
+But still can't cover all cases, recently James reports another such
+kind of issue:
+
+ https://marc.info/?l=linux-scsi&m=155389088124782&w=2
+
+This issue can be quite hard to address by previous way, given
+scsi_run_queue() may run requeues for other LUNs.
+
+Fixes the above issue by freeing hctx's resources in its release handler, and this
+way is safe becasue tags isn't needed for freeing such hctx resource.
+
+This approach follows typical design pattern wrt. kobject's release handler.
+
+Cc: Dongli Zhang <dongli.zhang@oracle.com>
+Cc: James Smart <james.smart@broadcom.com>
+Cc: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: linux-scsi@vger.kernel.org,
+Cc: Martin K . Petersen <martin.petersen@oracle.com>,
+Cc: Christoph Hellwig <hch@lst.de>,
+Cc: James E . J . Bottomley <jejb@linux.vnet.ibm.com>,
+Reported-by: James Smart <james.smart@broadcom.com>
+Fixes: 45a9c9d909b2 ("blk-mq: Fix a use-after-free")
+Cc: stable@vger.kernel.org
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Tested-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ block/blk-core.c | 2 +-
+ block/blk-mq-sysfs.c | 6 ++++++
+ block/blk-mq.c | 8 ++------
+ block/blk-mq.h | 2 +-
+ 4 files changed, 10 insertions(+), 8 deletions(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -725,7 +725,7 @@ void blk_cleanup_queue(struct request_qu
+ blk_exit_queue(q);
+
+ if (q->mq_ops)
+- blk_mq_free_queue(q);
++ blk_mq_exit_queue(q);
+ percpu_ref_exit(&q->q_usage_counter);
+
+ spin_lock_irq(lock);
+--- a/block/blk-mq-sysfs.c
++++ b/block/blk-mq-sysfs.c
+@@ -10,6 +10,7 @@
+ #include <linux/smp.h>
+
+ #include <linux/blk-mq.h>
++#include "blk.h"
+ #include "blk-mq.h"
+ #include "blk-mq-tag.h"
+
+@@ -21,6 +22,11 @@ static void blk_mq_hw_sysfs_release(stru
+ {
+ struct blk_mq_hw_ctx *hctx = container_of(kobj, struct blk_mq_hw_ctx,
+ kobj);
++
++ if (hctx->flags & BLK_MQ_F_BLOCKING)
++ cleanup_srcu_struct(hctx->srcu);
++ blk_free_flush_queue(hctx->fq);
++ sbitmap_free(&hctx->ctx_map);
+ free_cpumask_var(hctx->cpumask);
+ kfree(hctx->ctxs);
+ kfree(hctx);
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -1993,12 +1993,7 @@ static void blk_mq_exit_hctx(struct requ
+ if (set->ops->exit_hctx)
+ set->ops->exit_hctx(hctx, hctx_idx);
+
+- if (hctx->flags & BLK_MQ_F_BLOCKING)
+- cleanup_srcu_struct(hctx->srcu);
+-
+ blk_mq_remove_cpuhp(hctx);
+- blk_free_flush_queue(hctx->fq);
+- sbitmap_free(&hctx->ctx_map);
+ }
+
+ static void blk_mq_exit_hw_queues(struct request_queue *q,
+@@ -2533,7 +2528,8 @@ err_exit:
+ }
+ EXPORT_SYMBOL(blk_mq_init_allocated_queue);
+
+-void blk_mq_free_queue(struct request_queue *q)
++/* tags can _not_ be used after returning from blk_mq_exit_queue */
++void blk_mq_exit_queue(struct request_queue *q)
+ {
+ struct blk_mq_tag_set *set = q->tag_set;
+
+--- a/block/blk-mq.h
++++ b/block/blk-mq.h
+@@ -27,7 +27,7 @@ struct blk_mq_ctx {
+ } ____cacheline_aligned_in_smp;
+
+ void blk_mq_freeze_queue(struct request_queue *q);
+-void blk_mq_free_queue(struct request_queue *q);
++void blk_mq_exit_queue(struct request_queue *q);
+ int blk_mq_update_nr_requests(struct request_queue *q, unsigned int nr);
+ void blk_mq_wake_waiters(struct request_queue *q);
+ bool blk_mq_dispatch_rq_list(struct request_queue *, struct list_head *, bool);
diff --git a/patches.fixes/coresight-etb10-Fix-handling-of-perf-mode.patch b/patches.fixes/coresight-etb10-Fix-handling-of-perf-mode.patch
new file mode 100644
index 0000000000..20fed5727e
--- /dev/null
+++ b/patches.fixes/coresight-etb10-Fix-handling-of-perf-mode.patch
@@ -0,0 +1,40 @@
+From 987d1e8dcd370d96029a3d76a0031b043c4a69ae Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Thu, 20 Sep 2018 13:17:46 -0600
+Subject: [PATCH] coresight: etb10: Fix handling of perf mode
+Git-commit: 987d1e8dcd370d96029a3d76a0031b043c4a69ae
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+If the ETB is already enabled in sysfs mode, the ETB reports
+success even if a perf mode is requested. Fix this by checking
+the requested mode.
+
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hwtracing/coresight/coresight-etb10.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hwtracing/coresight/coresight-etb10.c b/drivers/hwtracing/coresight/coresight-etb10.c
+index 306119eaf16a..0dad8626bcfb 100644
+--- a/drivers/hwtracing/coresight/coresight-etb10.c
++++ b/drivers/hwtracing/coresight/coresight-etb10.c
+@@ -147,6 +147,10 @@ static int etb_enable(struct coresight_device *csdev, u32 mode)
+ if (val == CS_MODE_PERF)
+ return -EBUSY;
+
++ /* Don't let perf disturb sysFS sessions */
++ if (val == CS_MODE_SYSFS && mode == CS_MODE_PERF)
++ return -EBUSY;
++
+ /* Nothing to do, the tracer is already enabled. */
+ if (val == CS_MODE_SYSFS)
+ goto out;
+--
+2.16.4
+
diff --git a/patches.fixes/coresight-etm4x-Add-support-to-enable-ETMv4.2.patch b/patches.fixes/coresight-etm4x-Add-support-to-enable-ETMv4.2.patch
new file mode 100644
index 0000000000..75c6e9b187
--- /dev/null
+++ b/patches.fixes/coresight-etm4x-Add-support-to-enable-ETMv4.2.patch
@@ -0,0 +1,66 @@
+From 5666dfd1d8a45a167f0d8b4ef47ea7f780b1f24a Mon Sep 17 00:00:00 2001
+From: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
+Date: Mon, 25 Feb 2019 10:54:01 -0700
+Subject: [PATCH] coresight: etm4x: Add support to enable ETMv4.2
+Git-commit: 5666dfd1d8a45a167f0d8b4ef47ea7f780b1f24a
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+SDM845 has ETMv4.2 and can use the existing etm4x driver.
+But the current etm driver checks only for ETMv4.0 and
+errors out for other etm4x versions. This patch adds this
+missing support to enable SoC's with ETMv4x to use same
+driver by checking only the ETM architecture major version
+number.
+
+Without this change, we get below error during etm probe:
+
+/ # dmesg | grep etm
+[ 6.660093] coresight-etm4x: probe of 7040000.etm failed with error -22
+[ 6.666902] coresight-etm4x: probe of 7140000.etm failed with error -22
+[ 6.673708] coresight-etm4x: probe of 7240000.etm failed with error -22
+[ 6.680511] coresight-etm4x: probe of 7340000.etm failed with error -22
+[ 6.687313] coresight-etm4x: probe of 7440000.etm failed with error -22
+[ 6.694113] coresight-etm4x: probe of 7540000.etm failed with error -22
+[ 6.700914] coresight-etm4x: probe of 7640000.etm failed with error -22
+[ 6.707717] coresight-etm4x: probe of 7740000.etm failed with error -22
+
+With this change, etm probe is successful:
+
+/ # dmesg | grep etm
+[ 6.659198] coresight-etm4x 7040000.etm: CPU0: ETM v4.2 initialized
+[ 6.665848] coresight-etm4x 7140000.etm: CPU1: ETM v4.2 initialized
+[ 6.672493] coresight-etm4x 7240000.etm: CPU2: ETM v4.2 initialized
+[ 6.679129] coresight-etm4x 7340000.etm: CPU3: ETM v4.2 initialized
+[ 6.685770] coresight-etm4x 7440000.etm: CPU4: ETM v4.2 initialized
+[ 6.692403] coresight-etm4x 7540000.etm: CPU5: ETM v4.2 initialized
+[ 6.699024] coresight-etm4x 7640000.etm: CPU6: ETM v4.2 initialized
+[ 6.705646] coresight-etm4x 7740000.etm: CPU7: ETM v4.2 initialized
+
+Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
+Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hwtracing/coresight/coresight-etm4x.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-etm4x.c b/drivers/hwtracing/coresight/coresight-etm4x.c
+index 53e2fb6e86f6..fe76b176974a 100644
+--- a/drivers/hwtracing/coresight/coresight-etm4x.c
++++ b/drivers/hwtracing/coresight/coresight-etm4x.c
+@@ -55,7 +55,8 @@ static void etm4_os_unlock(struct etmv4_drvdata *drvdata)
+
+ static bool etm4_arch_supported(u8 arch)
+ {
+- switch (arch) {
++ /* Mask out the minor version number */
++ switch (arch & 0xf0) {
+ case ETM_ARCH_V4:
+ break;
+ default:
+--
+2.16.4
+
diff --git a/patches.fixes/crypto-cryptd-Fix-skcipher-instance-memory-leak.patch b/patches.fixes/crypto-cryptd-Fix-skcipher-instance-memory-leak.patch
new file mode 100644
index 0000000000..33a83a1eeb
--- /dev/null
+++ b/patches.fixes/crypto-cryptd-Fix-skcipher-instance-memory-leak.patch
@@ -0,0 +1,46 @@
+From 1a0fad630e0b7cff38e7691b28b0517cfbb0633f Mon Sep 17 00:00:00 2001
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Date: Tue, 2 Jul 2019 09:53:25 +0200
+Subject: [PATCH] crypto: cryptd - Fix skcipher instance memory leak
+Git-commit: 1a0fad630e0b7cff38e7691b28b0517cfbb0633f
+Patch-mainline: v5.2
+References: bsc#1051510
+
+cryptd_skcipher_free() fails to free the struct skcipher_instance
+allocated in cryptd_create_skcipher(), leading to a memory leak. This
+is detected by kmemleak on bootup on ARM64 platforms:
+
+ unreferenced object 0xffff80003377b180 (size 1024):
+ comm "cryptomgr_probe", pid 822, jiffies 4294894830 (age 52.760s)
+ backtrace:
+ kmem_cache_alloc_trace+0x270/0x2d0
+ cryptd_create+0x990/0x124c
+ cryptomgr_probe+0x5c/0x1e8
+ kthread+0x258/0x318
+ ret_from_fork+0x10/0x1c
+
+Fixes: 4e0958d19bd8 ("crypto: cryptd - Add support for skcipher")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ crypto/cryptd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/crypto/cryptd.c b/crypto/cryptd.c
+index b3bb99390ae7..c8434042cbc1 100644
+--- a/crypto/cryptd.c
++++ b/crypto/cryptd.c
+@@ -393,6 +393,7 @@ static void cryptd_skcipher_free(struct skcipher_instance *inst)
+ struct skcipherd_instance_ctx *ctx = skcipher_instance_ctx(inst);
+
+ crypto_drop_skcipher(&ctx->spawn);
++ kfree(inst);
+ }
+
+ static int cryptd_create_skcipher(struct crypto_template *tmpl,
+--
+2.16.4
+
diff --git a/patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch b/patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch
index a629a4cfd8..d60d69bee7 100644
--- a/patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch
+++ b/patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch
@@ -4,8 +4,7 @@ Date: Tue, 2 Jul 2019 14:17:00 -0700
Subject: [PATCH] crypto: user - prevent operating on larval algorithms
References: bsc#1133401
-Patch-mainline: queued
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6.git
+Patch-mainline: v5.2
Git-commit: 21d4120ec6f5b5992b01b96ac484701163917b63
Michal Suchanek reported [1] that running the pcrypt_aead01 test from
diff --git a/patches.fixes/dax-Fix-xarray-entry-association-for-mixed-mappings.patch b/patches.fixes/dax-Fix-xarray-entry-association-for-mixed-mappings.patch
new file mode 100644
index 0000000000..39c4262046
--- /dev/null
+++ b/patches.fixes/dax-Fix-xarray-entry-association-for-mixed-mappings.patch
@@ -0,0 +1,61 @@
+From 1571c029a2ff289683ddb0a32253850363bcb8a7 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 6 Jun 2019 11:10:28 +0200
+Subject: [PATCH] dax: Fix xarray entry association for mixed mappings
+Git-commit: 1571c029a2ff289683ddb0a32253850363bcb8a7
+Patch-mainline: v5.2
+References: bsc#1140893
+
+When inserting entry into xarray, we store mapping and index in
+corresponding struct pages for memory error handling. When it happened
+that one process was mapping file at PMD granularity while another
+process at PTE granularity, we could wrongly deassociate PMD range and
+then reassociate PTE range leaving the rest of struct pages in PMD range
+without mapping information which could later cause missed notifications
+about memory errors. Fix the problem by calling the association /
+deassociation code if and only if we are really going to update the
+xarray (deassociating and associating zero or empty entries is just
+no-op so there's no reason to complicate the code with trying to avoid
+the calls for these cases).
+
+Cc: <stable@vger.kernel.org>
+Fixes: d2c997c0f145 ("fs, dax: use page->mapping to warn if truncate...")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/dax.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/fs/dax.c
++++ b/fs/dax.c
+@@ -693,12 +693,14 @@ static void *dax_insert_mapping_entry(st
+
+ spin_lock_irq(&mapping->tree_lock);
+ new_entry = dax_radix_locked_entry(pfn, flags);
+- if (dax_entry_size(entry) != dax_entry_size(new_entry)) {
++ if (dax_is_zero_entry(entry) || dax_is_empty_entry(entry)) {
++ struct radix_tree_node *node;
++ void **slot;
++ void *ret;
++
+ dax_disassociate_entry(entry, mapping, false);
+ dax_associate_entry(new_entry, mapping, vmf->vma, vmf->address);
+- }
+
+- if (dax_is_zero_entry(entry) || dax_is_empty_entry(entry)) {
+ /*
+ * Only swap our new entry into the radix tree if the current
+ * entry is a zero page or an empty entry. If a normal PTE or
+@@ -707,10 +709,6 @@ static void *dax_insert_mapping_entry(st
+ * existing entry is a PMD, we will just leave the PMD in the
+ * tree and dirty it if necessary.
+ */
+- struct radix_tree_node *node;
+- void **slot;
+- void *ret;
+-
+ ret = __radix_tree_lookup(page_tree, index, &node, &slot);
+ WARN_ON_ONCE(ret != entry);
+ __radix_tree_replace(page_tree, node, slot,
diff --git a/patches.fixes/drivers-base-introduce-kill_device.patch b/patches.fixes/drivers-base-introduce-kill_device.patch
index f63e79c569..de803f6155 100644
--- a/patches.fixes/drivers-base-introduce-kill_device.patch
+++ b/patches.fixes/drivers-base-introduce-kill_device.patch
@@ -2,7 +2,7 @@ From: Dan Williams <dan.j.williams@intel.com>
Date: Mon, 10 Jun 2019 21:03:44 -0700
Subject: drivers/base: Introduce kill_device()
Patch-mainline: Queued in subsystem maintainer repository
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/djbw/nvdimm.git
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm.git
Git-commit: 2fcf7c0b67e03233b118ca29c551c1e66da6c80b
References: bsc#1139865
diff --git a/patches.fixes/ext4-do-not-delete-unlinked-inode-from-orphan-list-o.patch b/patches.fixes/ext4-do-not-delete-unlinked-inode-from-orphan-list-o.patch
new file mode 100644
index 0000000000..c1e51689f2
--- /dev/null
+++ b/patches.fixes/ext4-do-not-delete-unlinked-inode-from-orphan-list-o.patch
@@ -0,0 +1,42 @@
+From ee0ed02ca93ef1ecf8963ad96638795d55af2c14 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 23 May 2019 23:35:28 -0400
+Subject: [PATCH] ext4: do not delete unlinked inode from orphan list on failed
+ truncate
+Git-commit: ee0ed02ca93ef1ecf8963ad96638795d55af2c14
+Patch-mainline: v5.2-rc2
+References: bsc#1140891
+
+It is possible that unlinked inode enters ext4_setattr() (e.g. if
+somebody calls ftruncate(2) on unlinked but still open file). In such
+case we should not delete the inode from the orphan list if truncate
+fails. Note that this is mostly a theoretical concern as filesystem is
+corrupted if we reach this path anyway but let's be consistent in our
+orphan handling.
+
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 9bcb7f2b86dd..c7f77c643008 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -5625,7 +5625,7 @@ int ext4_setattr(struct dentry *dentry, struct iattr *attr)
+ up_write(&EXT4_I(inode)->i_data_sem);
+ ext4_journal_stop(handle);
+ if (error) {
+- if (orphan)
++ if (orphan && inode->i_nlink)
+ ext4_orphan_del(NULL, inode);
+ goto err_out;
+ }
+--
+2.16.4
+
diff --git a/patches.fixes/fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch b/patches.fixes/fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch
new file mode 100644
index 0000000000..3cfaa86327
--- /dev/null
+++ b/patches.fixes/fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch
@@ -0,0 +1,101 @@
+From be99ca2716972a712cde46092c54dee5e6192bf8 Mon Sep 17 00:00:00 2001
+From: Wengang Wang <wen.gang.wang@oracle.com>
+Date: Thu, 13 Jun 2019 15:56:01 -0700
+Subject: [PATCH] fs/ocfs2: fix race in ocfs2_dentry_attach_lock()
+Git-commit: be99ca2716972a712cde46092c54dee5e6192bf8
+Patch-mainline: v5.2-rc5
+References: bsc#1140889
+
+ocfs2_dentry_attach_lock() can be executed in parallel threads against the
+same dentry. Make that race safe. The race is like this:
+
+ thread A thread B
+
+(A1) enter ocfs2_dentry_attach_lock,
+seeing dentry->d_fsdata is NULL,
+and no alias found by
+ocfs2_find_local_alias, so kmalloc
+a new ocfs2_dentry_lock structure
+to local variable "dl", dl1
+
+ .....
+
+ (B1) enter ocfs2_dentry_attach_lock,
+ seeing dentry->d_fsdata is NULL,
+ and no alias found by
+ ocfs2_find_local_alias so kmalloc
+ a new ocfs2_dentry_lock structure
+ to local variable "dl", dl2.
+
+ ......
+
+(A2) set dentry->d_fsdata with dl1,
+call ocfs2_dentry_lock() and increase
+dl1->dl_lockres.l_ro_holders to 1 on
+success.
+ ......
+
+ (B2) set dentry->d_fsdata with dl2
+ call ocfs2_dentry_lock() and increase
+ dl2->dl_lockres.l_ro_holders to 1 on
+ success.
+
+ ......
+
+(A3) call ocfs2_dentry_unlock()
+and decrease
+dl2->dl_lockres.l_ro_holders to 0
+on success.
+ ....
+
+ (B3) call ocfs2_dentry_unlock(),
+ decreasing
+ dl2->dl_lockres.l_ro_holders, but
+ see it's zero now, panic
+
+Link: http://lkml.kernel.org/r/20190529174636.22364-1-wen.gang.wang@oracle.com
+Signed-off-by: Wengang Wang <wen.gang.wang@oracle.com>
+Reported-by: Daniel Sobe <daniel.sobe@nxp.com>
+Tested-by: Daniel Sobe <daniel.sobe@nxp.com>
+Reviewed-by: Changwei Ge <gechangwei@live.cn>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ocfs2/dcache.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/fs/ocfs2/dcache.c b/fs/ocfs2/dcache.c
+index 2d016937fdda..42a61eecdacd 100644
+--- a/fs/ocfs2/dcache.c
++++ b/fs/ocfs2/dcache.c
+@@ -296,6 +296,18 @@ int ocfs2_dentry_attach_lock(struct dentry *dentry,
+
+ out_attach:
+ spin_lock(&dentry_attach_lock);
++ if (unlikely(dentry->d_fsdata && !alias)) {
++ /* d_fsdata is set by a racing thread which is doing
++ * the same thing as this thread is doing. Leave the racing
++ * thread going ahead and we return here.
++ */
++ spin_unlock(&dentry_attach_lock);
++ iput(dl->dl_inode);
++ ocfs2_lock_res_free(&dl->dl_lockres);
++ kfree(dl);
++ return 0;
++ }
++
+ dentry->d_fsdata = dl;
+ dl->dl_count++;
+ spin_unlock(&dentry_attach_lock);
+--
+2.16.4
+
diff --git a/patches.fixes/fs-proc-proc_sysctl.c-Fix-a-NULL-pointer-dereference.patch b/patches.fixes/fs-proc-proc_sysctl.c-Fix-a-NULL-pointer-dereference.patch
new file mode 100644
index 0000000000..87476c1150
--- /dev/null
+++ b/patches.fixes/fs-proc-proc_sysctl.c-Fix-a-NULL-pointer-dereference.patch
@@ -0,0 +1,101 @@
+From 89189557b47b35683a27c80ee78aef18248eefb4 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 25 Apr 2019 22:24:05 -0700
+Subject: [PATCH] fs/proc/proc_sysctl.c: Fix a NULL pointer dereference
+Git-commit: 89189557b47b35683a27c80ee78aef18248eefb4
+Patch-mainline: v5.1-rc7
+References: bsc#1140887
+
+Syzkaller report this:
+
+ sysctl could not get directory: /net//bridge -12
+ kasan: CONFIG_KASAN_INLINE enabled
+ kasan: GPF could be caused by NULL-ptr deref or user memory access
+ general protection fault: 0000 [#1] SMP KASAN PTI
+ CPU: 1 PID: 7027 Comm: syz-executor.0 Tainted: G C 5.1.0-rc3+ #8
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+ RIP: 0010:__write_once_size include/linux/compiler.h:220 [inline]
+ RIP: 0010:__rb_change_child include/linux/rbtree_augmented.h:144 [inline]
+ RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:186 [inline]
+ RIP: 0010:rb_erase+0x5f4/0x19f0 lib/rbtree.c:459
+ Code: 00 0f 85 60 13 00 00 48 89 1a 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 0c 00 00 4d 85 ed 4c 89 2e 74 ce 4c 89 ea 48
+ RSP: 0018:ffff8881bb507778 EFLAGS: 00010206
+ RAX: dffffc0000000000 RBX: ffff8881f224b5b8 RCX: ffffffff818f3f6a
+ RDX: 000000000000000a RSI: 0000000000000050 RDI: ffff8881f224b568
+ RBP: 0000000000000000 R08: ffffed10376a0ef4 R09: ffffed10376a0ef4
+ R10: 0000000000000001 R11: ffffed10376a0ef4 R12: ffff8881f224b558
+ R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ FS: 00007f3e7ce13700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fd60fbe9398 CR3: 00000001cb55c001 CR4: 00000000007606e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ erase_entry fs/proc/proc_sysctl.c:178 [inline]
+ erase_header+0xe3/0x160 fs/proc/proc_sysctl.c:207
+ start_unregistering fs/proc/proc_sysctl.c:331 [inline]
+ drop_sysctl_table+0x558/0x880 fs/proc/proc_sysctl.c:1631
+ get_subdir fs/proc/proc_sysctl.c:1022 [inline]
+ __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335
+ br_netfilter_init+0x68/0x1000 [br_netfilter]
+ do_one_initcall+0xbc/0x47d init/main.c:901
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ Modules linked in: br_netfilter(+) backlight comedi(C) hid_sensor_hub max3100 ti_ads8688 udc_core fddi snd_mona leds_gpio rc_streamzap mtd pata_netcell nf_log_common rc_winfast udp_tunnel snd_usbmidi_lib snd_usb_toneport snd_usb_line6 snd_rawmidi snd_seq_device snd_hwdep videobuf2_v4l2 videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops rc_gadmei_rm008z 8250_of smm665 hid_tmff hid_saitek hwmon_vid rc_ati_tv_wonder_hd_600 rc_core pata_pdc202xx_old dn_rtmsg as3722 ad714x_i2c ad714x snd_soc_cs4265 hid_kensington panel_ilitek_ili9322 drm drm_panel_orientation_quirks ipack cdc_phonet usbcore phonet hid_jabra hid extcon_arizona can_dev industrialio_triggered_buffer kfifo_buf industrialio adm1031 i2c_mux_ltc4306 i2c_mux ipmi_msghandler mlxsw_core snd_soc_cs35l34 snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer ac97_bus snd_compress snd soundcore gpio_da9055 uio ecdh_generic mdio_thunder of_mdio fixed_phy libphy mdio_cavium iptable_security iptable_raw iptable_mangle
+ iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel ide_pci_generic piix aes_x86_64 crypto_simd cryptd ide_core glue_helper input_leds psmouse intel_agp intel_gtt serio_raw ata_generic i2c_piix4 agpgart pata_acpi parport_pc parport floppy rtc_cmos sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: br_netfilter]
+ Dumping ftrace buffer:
+ (ftrace buffer empty)
+ ---[ end trace 68741688d5fbfe85 ]---
+
+commit 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer
+dereference in put_links") forgot to handle start_unregistering() case,
+while header->parent is NULL, it calls erase_header() and as seen in the
+above syzkaller call trace, accessing &header->parent->root will trigger
+a NULL pointer dereference.
+
+As that commit explained, there is also no need to call
+start_unregistering() if header->parent is NULL.
+
+Link: http://lkml.kernel.org/r/20190409153622.28112-1-yuehaibing@huawei.com
+Fixes: 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links")
+Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Cc: Luis Chamberlain <mcgrof@kernel.org>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/proc/proc_sysctl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
+index d65390727541..7325baa8f9d4 100644
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -1626,9 +1626,11 @@ static void drop_sysctl_table(struct ctl_table_header *header)
+ if (--header->nreg)
+ return;
+
+- if (parent)
++ if (parent) {
+ put_links(header);
+- start_unregistering(header);
++ start_unregistering(header);
++ }
++
+ if (!--header->count)
+ kfree_rcu(header, rcu);
+
+--
+2.16.4
+
diff --git a/patches.fixes/fs-proc-proc_sysctl.c-fix-NULL-pointer-dereference-i.patch b/patches.fixes/fs-proc-proc_sysctl.c-fix-NULL-pointer-dereference-i.patch
new file mode 100644
index 0000000000..e8cda58b7b
--- /dev/null
+++ b/patches.fixes/fs-proc-proc_sysctl.c-fix-NULL-pointer-dereference-i.patch
@@ -0,0 +1,105 @@
+From 23da9588037ecdd4901db76a5b79a42b529c4ec3 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 28 Mar 2019 20:44:40 -0700
+Subject: [PATCH] fs/proc/proc_sysctl.c: fix NULL pointer dereference in
+ put_links
+Git-commit: 23da9588037ecdd4901db76a5b79a42b529c4ec3
+Patch-mainline: v5.1-rc3
+References: bsc#1140887
+
+Syzkaller reports:
+
+Kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] SMP KASAN PTI
+Cpu: 1 PID: 5373 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Rip: 0010:put_links+0x101/0x440 fs/proc/proc_sysctl.c:1599
+Code: 00 0f 85 3a 03 00 00 48 8b 43 38 48 89 44 24 20 48 83 c0 38 48 89 c2 48 89 44 24 28 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 fe 02 00 00 48 8b 74 24 20 48 c7 c7 60 2a 9d 91
+Rsp: 0018:ffff8881d828f238 EFLAGS: 00010202
+Rax: dffffc0000000000 RBX: ffff8881e01b1140 RCX: ffffffff8ee98267
+Rdx: 0000000000000007 RSI: ffffc90001479000 RDI: ffff8881e01b1178
+Rbp: dffffc0000000000 R08: ffffed103ee27259 R09: ffffed103ee27259
+R10: 0000000000000001 R11: ffffed103ee27258 R12: fffffffffffffff4
+R13: 0000000000000006 R14: ffff8881f59838c0 R15: dffffc0000000000
+Fs: 00007f072254f700(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
+Cs: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+Cr2: 00007fff8b286668 CR3: 00000001f0542002 CR4: 00000000007606e0
+Dr0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+Dr3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Pkru: 55555554
+Call Trace:
+ drop_sysctl_table+0x152/0x9f0 fs/proc/proc_sysctl.c:1629
+ get_subdir fs/proc/proc_sysctl.c:1022 [inline]
+ __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335
+ br_netfilter_init+0xbc/0x1000 [br_netfilter]
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+Rip: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+Rsp: 002b:00007f072254ec58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+Rax: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+Rdx: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
+Rbp: 00007f072254ec70 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f072254f6bc
+R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
+Modules linked in: br_netfilter(+) dvb_usb_dibusb_mc_common dib3000mc dibx000_common dvb_usb_dibusb_common dvb_usb_dw2102 dvb_usb classmate_laptop palmas_regulator cn videobuf2_v4l2 v4l2_common snd_soc_bd28623 mptbase snd_usb_usx2y snd_usbmidi_lib snd_rawmidi wmi libnvdimm lockd sunrpc grace rc_kworld_pc150u rc_core rtc_da9063 sha1_ssse3 i2c_cros_ec_tunnel adxl34x_spi adxl34x nfnetlink lib80211 i5500_temp dvb_as102 dvb_core videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops udc_core lnbp22 leds_lp3952 hid_roccat_ryos s1d13xxxfb mtd vport_geneve openvswitch nf_conncount nf_nat_ipv6 nsh geneve udp_tunnel ip6_udp_tunnel snd_soc_mt6351 sis_agp phylink snd_soc_adau1761_spi snd_soc_adau1761 snd_soc_adau17x1 snd_soc_core snd_pcm_dmaengine ac97_bus snd_compress snd_soc_adau_utils snd_soc_sigmadsp_regmap snd_soc_sigmadsp raid_class hid_roccat_konepure hid_roccat_common hid_roccat c2port_duramar2150 core mdio_bcm_unimac iptable_security iptable_raw iptable_mangle
+ iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim devlink vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel joydev mousedev ide_pci_generic piix aesni_intel aes_x86_64 ide_core crypto_simd atkbd cryptd glue_helper serio_raw ata_generic pata_acpi i2c_piix4 floppy sch_fq_codel ip_tables x_tables ipv6 [last unloaded: lm73]
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+
+Acked-by: Jan Kara <jack@suse.cz>
+
+---[ end trace 770020de38961fd0 ]---
+
+A new dir entry can be created in get_subdir and its 'header->parent' is
+set to NULL. Only after insert_header success, it will be set to 'dir',
+otherwise 'header->parent' is set to NULL and drop_sysctl_table is called.
+However in err handling path of get_subdir, drop_sysctl_table also be
+called on 'new->header' regardless its value of parent pointer. Then
+put_links is called, which triggers NULL-ptr deref when access member of
+header->parent.
+
+In fact we have multiple error paths which call drop_sysctl_table() there,
+upon failure on insert_links() we also call drop_sysctl_table().And even
+in the successful case on __register_sysctl_table() we still always call
+drop_sysctl_table().This patch fix it.
+
+Link: http://lkml.kernel.org/r/20190314085527.13244-1-yuehaibing@huawei.com
+Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Acked-by: Luis Chamberlain <mcgrof@kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: <stable@vger.kernel.org> [3.4+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ fs/proc/proc_sysctl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
+index 4d598a399bbf..d65390727541 100644
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -1626,7 +1626,8 @@ static void drop_sysctl_table(struct ctl_table_header *header)
+ if (--header->nreg)
+ return;
+
+- put_links(header);
++ if (parent)
++ put_links(header);
+ start_unregistering(header);
+ if (!--header->count)
+ kfree_rcu(header, rcu);
+--
+2.16.4
+
diff --git a/patches.fixes/inet-switch-IP-ID-generator-to-siphash.patch b/patches.fixes/inet-switch-IP-ID-generator-to-siphash.patch
new file mode 100644
index 0000000000..f44a61df11
--- /dev/null
+++ b/patches.fixes/inet-switch-IP-ID-generator-to-siphash.patch
@@ -0,0 +1,151 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 27 Mar 2019 12:40:33 -0700
+Subject: inet: switch IP ID generator to siphash
+Patch-mainline: v5.2-rc1
+Git-commit: df453700e8d81b1bdafdf684365ee2b9431fb702
+References: CVE-2019-10638 bsc#1140575
+
+According to Amit Klein and Benny Pinkas, IP ID generation is too weak
+and might be used by attackers.
+
+Even with recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix())
+having 64bit key and Jenkins hash is risky.
+
+It is time to switch to siphash and its 128bit keys.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Amit Klein <aksecurity@gmail.com>
+Reported-by: Benny Pinkas <benny@pinkas.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ include/linux/siphash.h | 5 +++++
+ include/net/netns/ipv4.h | 2 ++
+ net/ipv4/route.c | 12 +++++++-----
+ net/ipv6/output_core.c | 30 ++++++++++++++++--------------
+ 4 files changed, 30 insertions(+), 19 deletions(-)
+
+--- a/include/linux/siphash.h
++++ b/include/linux/siphash.h
+@@ -21,6 +21,11 @@ typedef struct {
+ u64 key[2];
+ } siphash_key_t;
+
++static inline bool siphash_key_is_zero(const siphash_key_t *key)
++{
++ return !(key->key[0] | key->key[1]);
++}
++
+ u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key);
+ #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+ u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key);
+--- a/include/net/netns/ipv4.h
++++ b/include/net/netns/ipv4.h
+@@ -8,6 +8,7 @@
+ #include <linux/uidgid.h>
+ #include <net/inet_frag.h>
+ #include <linux/rcupdate.h>
++#include <linux/siphash.h>
+
+ struct tcpm_hash_bucket;
+ struct ctl_table_header;
+@@ -159,5 +160,6 @@ struct netns_ipv4 {
+ unsigned int ipmr_seq; /* protected by rtnl_mutex */
+
+ atomic_t rt_genid;
++ siphash_key_t ip_id_key;
+ };
+ #endif
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -513,15 +513,17 @@ EXPORT_SYMBOL(ip_idents_reserve);
+
+ void __ip_select_ident(struct net *net, struct iphdr *iph, int segs)
+ {
+- static u32 ip_idents_hashrnd __read_mostly;
+ u32 hash, id;
+
+- net_get_random_once(&ip_idents_hashrnd, sizeof(ip_idents_hashrnd));
++ /* Note the following code is not safe, but this is okay. */
++ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
++ get_random_bytes(&net->ipv4.ip_id_key,
++ sizeof(net->ipv4.ip_id_key));
+
+- hash = jhash_3words((__force u32)iph->daddr,
++ hash = siphash_3u32((__force u32)iph->daddr,
+ (__force u32)iph->saddr,
+- iph->protocol ^ net_hash_mix(net),
+- ip_idents_hashrnd);
++ iph->protocol,
++ &net->ipv4.ip_id_key);
+ id = ip_idents_reserve(hash, segs);
+ iph->id = htons(id);
+ }
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -10,15 +10,25 @@
+ #include <net/secure_seq.h>
+ #include <linux/netfilter.h>
+
+-static u32 __ipv6_select_ident(struct net *net, u32 hashrnd,
++static u32 __ipv6_select_ident(struct net *net,
+ const struct in6_addr *dst,
+ const struct in6_addr *src)
+ {
++ const struct {
++ struct in6_addr dst;
++ struct in6_addr src;
++ } __aligned(SIPHASH_ALIGNMENT) combined = {
++ .dst = *dst,
++ .src = *src,
++ };
+ u32 hash, id;
+
+- hash = __ipv6_addr_jhash(dst, hashrnd);
+- hash = __ipv6_addr_jhash(src, hash);
+- hash ^= net_hash_mix(net);
++ /* Note the following code is not safe, but this is okay. */
++ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
++ get_random_bytes(&net->ipv4.ip_id_key,
++ sizeof(net->ipv4.ip_id_key));
++
++ hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key);
+
+ /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve,
+ * set the hight order instead thus minimizing possible future
+@@ -41,7 +51,6 @@ static u32 __ipv6_select_ident(struct net *net, u32 hashrnd,
+ */
+ __be32 ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb)
+ {
+- static u32 ip6_proxy_idents_hashrnd __read_mostly;
+ struct in6_addr buf[2];
+ struct in6_addr *addrs;
+ u32 id;
+@@ -53,11 +62,7 @@ __be32 ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb)
+ if (!addrs)
+ return 0;
+
+- net_get_random_once(&ip6_proxy_idents_hashrnd,
+- sizeof(ip6_proxy_idents_hashrnd));
+-
+- id = __ipv6_select_ident(net, ip6_proxy_idents_hashrnd,
+- &addrs[1], &addrs[0]);
++ id = __ipv6_select_ident(net, &addrs[1], &addrs[0]);
+ return htonl(id);
+ }
+ EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident);
+@@ -66,12 +71,9 @@ __be32 ipv6_select_ident(struct net *net,
+ const struct in6_addr *daddr,
+ const struct in6_addr *saddr)
+ {
+- static u32 ip6_idents_hashrnd __read_mostly;
+ u32 id;
+
+- net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd));
+-
+- id = __ipv6_select_ident(net, ip6_idents_hashrnd, daddr, saddr);
++ id = __ipv6_select_ident(net, daddr, saddr);
+ return htonl(id);
+ }
+ EXPORT_SYMBOL(ipv6_select_ident);
diff --git a/patches.fixes/iommu-arm-smmu-Add-support-for-qcom-smmu-v2-variant.patch b/patches.fixes/iommu-arm-smmu-Add-support-for-qcom-smmu-v2-variant.patch
new file mode 100644
index 0000000000..9240a949f0
--- /dev/null
+++ b/patches.fixes/iommu-arm-smmu-Add-support-for-qcom-smmu-v2-variant.patch
@@ -0,0 +1,52 @@
+From 89cddc563743cb1e0068867ac97013b2a5bf86aa Mon Sep 17 00:00:00 2001
+From: Vivek Gautam <vivek.gautam@codeaurora.org>
+Date: Tue, 4 Dec 2018 11:52:13 +0530
+Subject: [PATCH] iommu/arm-smmu: Add support for qcom,smmu-v2 variant
+Git-commit: 89cddc563743cb1e0068867ac97013b2a5bf86aa
+Patch-mainline: v5.0-rc1
+References: bsc#1051510
+
+qcom,smmu-v2 is an arm,smmu-v2 implementation with specific
+clock and power requirements.
+On msm8996, multiple cores, viz. mdss, video, etc. use this
+smmu. On sdm845, this smmu is used with gpu.
+Add bindings for the same.
+
+Signed-off-by: Vivek Gautam <vivek.gautam@codeaurora.org>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Reviewed-by: Tomasz Figa <tfiga@chromium.org>
+Tested-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/iommu/arm-smmu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iommu/arm-smmu.c
++++ b/drivers/iommu/arm-smmu.c
+@@ -319,6 +319,7 @@ enum arm_smmu_implementation {
+ GENERIC_SMMU,
+ ARM_MMU500,
+ CAVIUM_SMMUV2,
++ QCOM_SMMUV2,
+ };
+
+ /* Until ACPICA headers cover IORT rev. C */
+@@ -2068,6 +2069,7 @@ ARM_SMMU_MATCH_DATA(smmu_generic_v2, ARM
+ ARM_SMMU_MATCH_DATA(arm_mmu401, ARM_SMMU_V1_64K, GENERIC_SMMU);
+ ARM_SMMU_MATCH_DATA(arm_mmu500, ARM_SMMU_V2, ARM_MMU500);
+ ARM_SMMU_MATCH_DATA(cavium_smmuv2, ARM_SMMU_V2, CAVIUM_SMMUV2);
++ARM_SMMU_MATCH_DATA(qcom_smmuv2, ARM_SMMU_V2, QCOM_SMMUV2);
+
+ static const struct of_device_id arm_smmu_of_match[] = {
+ { .compatible = "arm,smmu-v1", .data = &smmu_generic_v1 },
+@@ -2076,6 +2078,7 @@ static const struct of_device_id arm_smm
+ { .compatible = "arm,mmu-401", .data = &arm_mmu401 },
+ { .compatible = "arm,mmu-500", .data = &arm_mmu500 },
+ { .compatible = "cavium,smmu-v2", .data = &cavium_smmuv2 },
++ { .compatible = "qcom,smmu-v2", .data = &qcom_smmuv2 },
+ { },
+ };
+ MODULE_DEVICE_TABLE(of, arm_smmu_of_match);
diff --git a/patches.fixes/iommu-arm-smmu-v3-Use-explicit-mb-when-moving-cons-p.patch b/patches.fixes/iommu-arm-smmu-v3-Use-explicit-mb-when-moving-cons-p.patch
new file mode 100644
index 0000000000..97de8c84d2
--- /dev/null
+++ b/patches.fixes/iommu-arm-smmu-v3-Use-explicit-mb-when-moving-cons-p.patch
@@ -0,0 +1,50 @@
+From a868e8530441286342f90c1fd9c5f24de3aa2880 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Wed, 7 Nov 2018 22:58:24 +0000
+Subject: [PATCH] iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer
+Git-commit: a868e8530441286342f90c1fd9c5f24de3aa2880
+Patch-mainline: v5.0-rc1
+References: bsc#1051510
+
+After removing an entry from a queue (e.g. reading an event in
+arm_smmu_evtq_thread()) it is necessary to advance the MMIO consumer
+pointer to free the queue slot back to the SMMU. A memory barrier is
+required here so that all reads targetting the queue entry have
+completed before the consumer pointer is updated.
+
+The implementation of queue_inc_cons() relies on a writel() to complete
+the previous reads, but this is incorrect because writel() is only
+guaranteed to complete prior writes. This patch replaces the call to
+writel() with an mb(); writel_relaxed() sequence, which gives us the
+read->write ordering which we require.
+
+Cc: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/iommu/arm-smmu-v3.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c
+index 62ef4afc9ee5..11f528e727a1 100644
+--- a/drivers/iommu/arm-smmu-v3.c
++++ b/drivers/iommu/arm-smmu-v3.c
+@@ -679,7 +679,13 @@ static void queue_inc_cons(struct arm_smmu_queue *q)
+ u32 cons = (Q_WRP(q, q->cons) | Q_IDX(q, q->cons)) + 1;
+
+ q->cons = Q_OVF(q, q->cons) | Q_WRP(q, cons) | Q_IDX(q, cons);
+- writel(q->cons, q->cons_reg);
++
++ /*
++ * Ensure that all CPU accesses (reads and writes) to the queue
++ * are complete before we update the cons pointer.
++ */
++ mb();
++ writel_relaxed(q->cons, q->cons_reg);
+ }
+
+ static int queue_sync_prod(struct arm_smmu_queue *q)
+--
+2.16.4
+
diff --git a/patches.fixes/iommu-arm-smmu-v3-sync-the-OVACKFLG-to-PRIQ-consumer.patch b/patches.fixes/iommu-arm-smmu-v3-sync-the-OVACKFLG-to-PRIQ-consumer.patch
new file mode 100644
index 0000000000..76c3be3a1f
--- /dev/null
+++ b/patches.fixes/iommu-arm-smmu-v3-sync-the-OVACKFLG-to-PRIQ-consumer.patch
@@ -0,0 +1,37 @@
+From 0d535967ac658966c6ade8f82b5799092f7d5441 Mon Sep 17 00:00:00 2001
+From: Miao Zhong <zhongmiao@hisilicon.com>
+Date: Mon, 23 Jul 2018 20:56:58 +0800
+Subject: [PATCH] iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register
+Git-commit: 0d535967ac658966c6ade8f82b5799092f7d5441
+Patch-mainline: v4.19-rc1
+References: bsc#1051510
+
+When PRI queue occurs overflow, driver should update the OVACKFLG to
+the PRIQ consumer register, otherwise subsequent PRI requests will not
+be processed.
+
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Miao Zhong <zhongmiao@hisilicon.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/iommu/arm-smmu-v3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c
+index 1d647104bccc..deacc152f09f 100644
+--- a/drivers/iommu/arm-smmu-v3.c
++++ b/drivers/iommu/arm-smmu-v3.c
+@@ -1301,6 +1301,7 @@ static irqreturn_t arm_smmu_priq_thread(int irq, void *dev)
+
+ /* Sync our overflow flag, as we believe we're up to speed */
+ q->cons = Q_OVF(q, q->prod) | Q_WRP(q, q->cons) | Q_IDX(q, q->cons);
++ writel(q->cons, q->cons_reg);
+ return IRQ_HANDLED;
+ }
+
+--
+2.16.4
+
diff --git a/patches.fixes/irqchip-mbigen-Don-t-clear-eventid-when-freeing-an-M.patch b/patches.fixes/irqchip-mbigen-Don-t-clear-eventid-when-freeing-an-M.patch
new file mode 100644
index 0000000000..f7a019912d
--- /dev/null
+++ b/patches.fixes/irqchip-mbigen-Don-t-clear-eventid-when-freeing-an-M.patch
@@ -0,0 +1,50 @@
+From fca269f201a8d9985c0a31fb60b15d4eb57cef80 Mon Sep 17 00:00:00 2001
+From: Jianguo Chen <chenjianguo3@huawei.com>
+Date: Wed, 20 Mar 2019 18:54:21 +0000
+Subject: [PATCH] irqchip/mbigen: Don't clear eventid when freeing an MSI
+Git-commit: fca269f201a8d9985c0a31fb60b15d4eb57cef80
+Patch-mainline: v5.1-rc2
+References: bsc#1051510
+
+mbigen_write_msg clears eventid bits of a mbigen register
+when free a interrupt, because msi_domain_deactivate memset
+struct msg to zero. Then multiple mbigen pins with zero eventid
+will report the same interrupt number.
+
+The eventid clear call trace:
+ free_irq
+ __free_irq
+ irq_shutdown
+ irq_domain_deactivate_irq
+ __irq_domain_deactivate_irq
+ __irq_domain_deactivate_irq
+ msi_domain_deactivate
+ platform_msi_write_msg
+ mbigen_write_msg
+
+Signed-off-by: Jianguo Chen <chenjianguo3@huawei.com>
+[maz: massaged subject]
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/irqchip/irq-mbigen.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/irqchip/irq-mbigen.c b/drivers/irqchip/irq-mbigen.c
+index 567b29c47608..98b6e1d4b1a6 100644
+--- a/drivers/irqchip/irq-mbigen.c
++++ b/drivers/irqchip/irq-mbigen.c
+@@ -161,6 +161,9 @@ static void mbigen_write_msg(struct msi_desc *desc, struct msi_msg *msg)
+ void __iomem *base = d->chip_data;
+ u32 val;
+
++ if (!msg->address_lo && !msg->address_hi)
++ return;
++
+ base += get_mbigen_vec_reg(d->hwirq);
+ val = readl_relaxed(base);
+
+--
+2.16.4
+
diff --git a/patches.fixes/libnvdimm-bus-prevent-duplicate-device_unregister-calls.patch b/patches.fixes/libnvdimm-bus-prevent-duplicate-device_unregister-calls.patch
index f2ad11bc28..bedf626b2b 100644
--- a/patches.fixes/libnvdimm-bus-prevent-duplicate-device_unregister-calls.patch
+++ b/patches.fixes/libnvdimm-bus-prevent-duplicate-device_unregister-calls.patch
@@ -2,7 +2,7 @@ From: Dan Williams <dan.j.williams@intel.com>
Date: Mon, 10 Jun 2019 21:10:58 -0700
Subject: libnvdimm/bus: Prevent duplicate device_unregister() calls
Patch-mainline: Queued in subsystem maintainer repository
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/djbw/nvdimm.git
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm.git
Git-commit: 4bc5021f8006cfb021e878cb8fb1b0e15a01ff28
References: bsc#1139865
diff --git a/patches.fixes/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch b/patches.fixes/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch
new file mode 100644
index 0000000000..2c80b0eda4
--- /dev/null
+++ b/patches.fixes/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch
@@ -0,0 +1,39 @@
+From: Wei Yang <richardw.yang@linux.intel.com>
+Date: Tue, 22 Jan 2019 10:48:09 +0800
+Subject: libnvdimm, pfn: Fix over-trim in trim_pfn_device()
+Patch-mainline: v5.1-rc1
+Git-commit: f101ada7da6551127d192c2f1742c1e9e0f62799
+References: bsc#1140719
+
+When trying to see whether current nd_region intersects with others,
+trim_pfn_device() has already calculated the *size* to be expanded to
+SECTION size.
+
+Do not double append 'adjust' to 'size' when calculating whether the end
+of a region collides with the next pmem region.
+
+Fixes: ae86cbfef381 "libnvdimm, pfn: Pad pfn namespaces relative to other regions"
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Wei Yang <richardw.yang@linux.intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/nvdimm/pfn_devs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvdimm/pfn_devs.c b/drivers/nvdimm/pfn_devs.c
+index 6f22272e8d80..040bbd9c367e 100644
+--- a/drivers/nvdimm/pfn_devs.c
++++ b/drivers/nvdimm/pfn_devs.c
+@@ -678,7 +678,7 @@ static void trim_pfn_device(struct nd_pfn *nd_pfn, u32 *start_pad, u32 *end_trun
+ if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM,
+ IORES_DESC_NONE) == REGION_MIXED
+ || !IS_ALIGNED(end, nd_pfn->align)
+- || nd_region_conflict(nd_region, start, size + adjust))
++ || nd_region_conflict(nd_region, start, size))
+ *end_trunc = end - phys_pmem_align_down(nd_pfn, end);
+ }
+
+--
+2.16.4
+
diff --git a/patches.fixes/netns-get-more-entropy-from-net_hash_mix.patch b/patches.fixes/netns-get-more-entropy-from-net_hash_mix.patch
new file mode 100644
index 0000000000..dc1965379c
--- /dev/null
+++ b/patches.fixes/netns-get-more-entropy-from-net_hash_mix.patch
@@ -0,0 +1,46 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 22 Jun 2018 16:27:47 -0700
+Subject: netns: get more entropy from net_hash_mix()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Patch-mainline: v4.19-rc1
+Git-commit: 5424ea27390f1f8903e5de0eaa0c5b561e8e877a
+References: CVE-2019-10638 bsc#1140575
+
+struct net are effectively allocated from order-1 pages on x86,
+with one object per slab, meaning that the 13 low order bits
+of their addresses are zero.
+
+Once shifted by L1_CACHE_SHIFT, this leaves 7 zero-bits,
+meaning that net_hash_mix() does not help spreading
+objects on various hash tables.
+
+For example, TCP listen table has 32 buckets, meaning that
+all netns use the same bucket for port 80 or port 443.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Maciej Żenczykowski <maze@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ include/net/netns/hash.h | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/include/net/netns/hash.h
++++ b/include/net/netns/hash.h
+@@ -8,12 +8,7 @@ struct net;
+ static inline u32 net_hash_mix(const struct net *net)
+ {
+ #ifdef CONFIG_NET_NS
+- /*
+- * shift this right to eliminate bits, that are
+- * always zeroed
+- */
+-
+- return (u32)(((unsigned long)net) >> L1_CACHE_SHIFT);
++ return (u32)(((unsigned long)net) >> ilog2(sizeof(*net)));
+ #else
+ return 0;
+ #endif
diff --git a/patches.fixes/netns-provide-pure-entropy-for-net_hash_mix.patch b/patches.fixes/netns-provide-pure-entropy-for-net_hash_mix.patch
new file mode 100644
index 0000000000..9556d0a0ba
--- /dev/null
+++ b/patches.fixes/netns-provide-pure-entropy-for-net_hash_mix.patch
@@ -0,0 +1,73 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 27 Mar 2019 08:21:30 -0700
+Subject: netns: provide pure entropy for net_hash_mix()
+Patch-mainline: v5.1-rc4
+Git-commit: 355b98553789b646ed97ad801a619ff898471b92
+References: CVE-2019-10639 bsc#1140577
+
+net_hash_mix() currently uses kernel address of a struct net,
+and is used in many places that could be used to reveal this
+address to a patient attacker, thus defeating KASLR, for
+the typical case (initial net namespace, &init_net is
+not dynamically allocated)
+
+I believe the original implementation tried to avoid spending
+too many cycles in this function, but security comes first.
+
+Also provide entropy regardless of CONFIG_NET_NS.
+
+Fixes: 0b4419162aa6 ("netns: introduce the net_hash_mix "salt" for hashes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Amit Klein <aksecurity@gmail.com>
+Reported-by: Benny Pinkas <benny@pinkas.net>
+Cc: Pavel Emelyanov <xemul@openvz.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ include/net/net_namespace.h | 1 +
+ include/net/netns/hash.h | 10 ++--------
+ net/core/net_namespace.c | 1 +
+ 3 files changed, 4 insertions(+), 8 deletions(-)
+
+--- a/include/net/net_namespace.h
++++ b/include/net/net_namespace.h
+@@ -54,6 +54,7 @@ struct net {
+ */
+ spinlock_t rules_mod_lock;
+
++ u32 hash_mix;
+ atomic64_t cookie_gen;
+
+ struct list_head list; /* list of network namespaces */
+--- a/include/net/netns/hash.h
++++ b/include/net/netns/hash.h
+@@ -1,16 +1,10 @@
+ #ifndef __NET_NS_HASH_H__
+ #define __NET_NS_HASH_H__
+
+-#include <asm/cache.h>
+-
+-struct net;
++#include <net/net_namespace.h>
+
+ static inline u32 net_hash_mix(const struct net *net)
+ {
+-#ifdef CONFIG_NET_NS
+- return (u32)(((unsigned long)net) >> ilog2(sizeof(*net)));
+-#else
+- return 0;
+-#endif
++ return net->hash_mix;
+ }
+ #endif
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -285,6 +285,7 @@ static __net_init int setup_net(struct net *net, struct user_namespace *user_ns)
+
+ atomic_set(&net->count, 1);
+ atomic_set(&net->passive, 1);
++ get_random_bytes(&net->hash_mix, sizeof(u32));
+ net->dev_base_seq = 1;
+ net->user_ns = user_ns;
+ idr_init(&net->netns_ids);
diff --git a/patches.fixes/nfit-ars-allow-root-to-busy-poll-the-ars-state-machine.patch b/patches.fixes/nfit-ars-allow-root-to-busy-poll-the-ars-state-machine.patch
new file mode 100644
index 0000000000..129a02824b
--- /dev/null
+++ b/patches.fixes/nfit-ars-allow-root-to-busy-poll-the-ars-state-machine.patch
@@ -0,0 +1,66 @@
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Wed, 13 Feb 2019 09:04:07 -0800
+Subject: nfit/ars: Allow root to busy-poll the ARS state machine
+Patch-mainline: v5.1-rc1
+Git-commit: 5479b2757f26fe9908fc341d105b2097fe820b6f
+References: bsc#1140814
+
+The ARS implementation implements exponential back-off on the poll
+interval to prevent high-frequency access to the DIMM / platform
+interface. Depending on when the ARS completes the poll interval may
+exceed the completion event by minutes. Allow root to reset the timeout
+each time it probes the status. A one-second timeout is still enforced,
+but root can otherwise can control the poll interval.
+
+Fixes: bc6ba8085842 ("nfit, address-range-scrub: rework and simplify ARS...")
+Cc: <stable@vger.kernel.org>
+Reported-by: Erwin Tsaur <erwin.tsaur@oracle.com>
+Reviewed-by: Toshi Kani <toshi.kani@hpe.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/acpi/nfit/core.c | 8 ++++++++
+ drivers/acpi/nfit/nfit.h | 1 +
+ 2 files changed, 9 insertions(+)
+
+diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
+index 90312892093e..629cf91649d2 100644
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -1333,6 +1333,13 @@ static ssize_t scrub_show(struct device *dev,
+ busy = test_bit(ARS_BUSY, &acpi_desc->scrub_flags)
+ && !test_bit(ARS_CANCEL, &acpi_desc->scrub_flags);
+ rc = sprintf(buf, "%d%s", acpi_desc->scrub_count, busy ? "+\n" : "\n");
++ /* Allow an admin to poll the busy state at a higher rate */
++ if (busy && capable(CAP_SYS_RAWIO) && !test_and_set_bit(ARS_POLL,
++ &acpi_desc->scrub_flags)) {
++ acpi_desc->scrub_tmo = 1;
++ mod_delayed_work(nfit_wq, &acpi_desc->dwork, HZ);
++ }
++
+ mutex_unlock(&acpi_desc->init_mutex);
+ device_unlock(dev);
+ return rc;
+@@ -3187,6 +3194,7 @@ static void acpi_nfit_scrub(struct work_struct *work)
+ else
+ notify_ars_done(acpi_desc);
+ memset(acpi_desc->ars_status, 0, acpi_desc->max_ars);
++ clear_bit(ARS_POLL, &acpi_desc->scrub_flags);
+ mutex_unlock(&acpi_desc->init_mutex);
+ }
+
+diff --git a/drivers/acpi/nfit/nfit.h b/drivers/acpi/nfit/nfit.h
+index 897ce10192a0..d14bad687fb8 100644
+--- a/drivers/acpi/nfit/nfit.h
++++ b/drivers/acpi/nfit/nfit.h
+@@ -213,6 +213,7 @@ struct nfit_mem {
+ enum scrub_flags {
+ ARS_BUSY,
+ ARS_CANCEL,
++ ARS_POLL,
+ };
+
+ struct acpi_nfit_desc {
+--
+2.16.4
+
diff --git a/patches.fixes/nvme-copy-mtfa-field-from-identify-controller.patch b/patches.fixes/nvme-copy-mtfa-field-from-identify-controller.patch
new file mode 100644
index 0000000000..90bd54ac3d
--- /dev/null
+++ b/patches.fixes/nvme-copy-mtfa-field-from-identify-controller.patch
@@ -0,0 +1,39 @@
+From: Laine Walker-Avina <laine.walker-avina@intel.com>
+Date: Mon, 20 May 2019 10:13:04 -0700
+Subject: nvme: copy MTFA field from identify controller
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Patch-mainline: v5.2-rc2
+Git-commit: 2d466c7a574d0b893a233735f133c60115013c0e
+References: bsc#1140715
+
+We use the controller's reported maximum firmware activation time as our
+timeout before resetting a controller for a failed activation notice,
+but this value was never being read so we could only use the default
+timeout. Copy the Identify Controller MTFA field to the corresponding
+nvme_ctrl's mtfa field.
+
+Fixes: b6dccf7fae433 (“nvme: add support for FW activation without reset”).
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Minwoo Im <minwoo.im@samsung.com>
+Signed-off-by: Laine Walker-Avina <laine.walker-avina@intel.com>
+[changelog, fix endian]
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/nvme/host/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2391,6 +2391,7 @@ int nvme_init_identify(struct nvme_ctrl
+
+ ctrl->oacs = le16_to_cpu(id->oacs);
+ ctrl->oncs = le16_to_cpup(&id->oncs);
++ ctrl->mtfa = le16_to_cpu(id->mtfa);
+ ctrl->oaes = le32_to_cpu(id->oaes);
+ atomic_set(&ctrl->abort_limit, id->acl + 1);
+ ctrl->vwc = id->vwc;
+
diff --git a/patches.fixes/sbitmap-fix-improper-use-of-smp_mb__before_atomic.patch b/patches.fixes/sbitmap-fix-improper-use-of-smp_mb__before_atomic.patch
new file mode 100644
index 0000000000..390c0b29c3
--- /dev/null
+++ b/patches.fixes/sbitmap-fix-improper-use-of-smp_mb__before_atomic.patch
@@ -0,0 +1,42 @@
+From: Andrea Parri <andrea.parri@amarulasolutions.com>
+Date: Mon, 20 May 2019 19:23:57 +0200
+Subject: sbitmap: fix improper use of smp_mb__before_atomic()
+Patch-mainline: v5.2-rc2
+Git-commit: a0934fd2b1208458e55fc4b48f55889809fce666
+References: bsc#1140658
+
+This barrier only applies to the read-modify-write operations; in
+particular, it does not apply to the atomic_set() primitive.
+
+Replace the barrier with an smp_mb().
+
+Fixes: 6c0ca7ae292ad ("sbitmap: fix wakeup hang after sbq resize")
+Cc: stable@vger.kernel.org
+Reported-by: "Paul E. McKenney" <paulmck@linux.ibm.com>
+Reported-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Andrea Parri <andrea.parri@amarulasolutions.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Omar Sandoval <osandov@fb.com>
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: linux-block@vger.kernel.org
+Cc: "Paul E. McKenney" <paulmck@linux.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ lib/sbitmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/sbitmap.c
++++ b/lib/sbitmap.c
+@@ -338,7 +338,7 @@ void sbitmap_queue_resize(struct sbitmap
+ * to ensure that the batch size is updated before the wait
+ * counts.
+ */
+- smp_mb__before_atomic();
++ smp_mb();
+ for (i = 0; i < SBQ_WAIT_QUEUES; i++)
+ atomic_set(&sbq->ws[i].wait_cnt, 1);
+ }
+
diff --git a/patches.fixes/scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write_pending.patch b/patches.fixes/scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write_pending.patch
new file mode 100644
index 0000000000..3b5ec18b57
--- /dev/null
+++ b/patches.fixes/scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write_pending.patch
@@ -0,0 +1,42 @@
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 17 Apr 2019 14:44:28 -0700
+Subject: scsi: qla2xxx: Fix abort handling in tcm_qla2xxx_write_pending()
+Patch-mainline: v5.2-rc1
+Git-commit: e209783d66bca04b5fce4429e59338517ffc1a0b
+References: bsc#1140727
+
+Implementations of the .write_pending() callback functions must guarantee
+that an appropriate LIO core callback function will be called immediately or
+at a later time. Make sure that this guarantee is met for aborted SCSI
+commands.
+
+[mkp: typo]
+
+Cc: Himanshu Madhani <hmadhani@marvell.com>
+Cc: Giridhar Malavali <gmalavali@marvell.com>
+Fixes: 694833ee00c4 ("scsi: tcm_qla2xxx: Do not allow aborted cmd to advance.") # v4.13.
+Fixes: a07100e00ac4 ("qla2xxx: Fix TMR ABORT interaction issue between qla2xxx and TCM") # v4.5.
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/scsi/qla2xxx/tcm_qla2xxx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+index b1cf2aa03de7..aa2de81e2dcc 100644
+--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+@@ -393,6 +393,8 @@ static int tcm_qla2xxx_write_pending(struct se_cmd *se_cmd)
+ cmd->se_cmd.transport_state,
+ cmd->se_cmd.t_state,
+ cmd->se_cmd.se_cmd_flags);
++ transport_generic_request_failure(&cmd->se_cmd,
++ TCM_CHECK_CONDITION_ABORT_CMD);
+ return 0;
+ }
+ cmd->trc_flags |= TRC_XFR_RDY;
+--
+2.16.4
+
diff --git a/patches.fixes/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch b/patches.fixes/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch
new file mode 100644
index 0000000000..b6114f085a
--- /dev/null
+++ b/patches.fixes/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch
@@ -0,0 +1,48 @@
+From: Andrew Vasquez <andrewv@marvell.com>
+Date: Tue, 2 Apr 2019 14:24:25 -0700
+Subject: scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS
+ routines
+Patch-mainline: v5.2-rc1
+Git-commit: 5cbdae10bf11f96e30b4d14de7b08c8b490e903c
+References: bsc#1140728
+
+Commit e6f77540c067 ("scsi: qla2xxx: Fix an integer overflow in sysfs
+code") incorrectly set 'optrom_region_size' to 'start+size', which can
+overflow option-rom boundaries when 'start' is non-zero. Continue setting
+optrom_region_size to the proper adjusted value of 'size'.
+
+Fixes: e6f77540c067 ("scsi: qla2xxx: Fix an integer overflow in sysfs code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Vasquez <andrewv@marvell.com>
+Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
+index 8687090193dc..93058379d3c8 100644
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -376,7 +376,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj,
+ }
+
+ ha->optrom_region_start = start;
+- ha->optrom_region_size = start + size;
++ ha->optrom_region_size = size;
+
+ ha->optrom_state = QLA_SREADING;
+ ha->optrom_buffer = vmalloc(ha->optrom_region_size);
+@@ -449,7 +449,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj,
+ }
+
+ ha->optrom_region_start = start;
+- ha->optrom_region_size = start + size;
++ ha->optrom_region_size = size;
+
+ ha->optrom_state = QLA_SWRITING;
+ ha->optrom_buffer = vmalloc(ha->optrom_region_size);
+--
+2.16.4
+
diff --git a/patches.fixes/scsi-vmw_pscsi-Fix-use-after-free-in-pvscsi_queue_lc.patch b/patches.fixes/scsi-vmw_pscsi-Fix-use-after-free-in-pvscsi_queue_lc.patch
index 96bb5c711f..af47c291ff 100644
--- a/patches.fixes/scsi-vmw_pscsi-Fix-use-after-free-in-pvscsi_queue_lc.patch
+++ b/patches.fixes/scsi-vmw_pscsi-Fix-use-after-free-in-pvscsi_queue_lc.patch
@@ -3,7 +3,8 @@ From: Jan Kara <jack@suse.cz>
Date: Tue, 11 Jun 2019 14:33:38 +0200
Subject: [PATCH] scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck()
References: bsc#1135296
-Patch-mainline: Submitted 18/06/2019
+Patch-mainline: v5.2-rc7
+Git-commit: 240b4cc8fd5db138b675297d4226ec46594d9b3b
Once we unlock adapter->hw_lock in pvscsi_queue_lck() nothing prevents just
queued scsi_cmnd from completing and freeing the request. Thus cmd->cmnd[0]
diff --git a/patches.fixes/tcp-refine-memory-limit-test-in-tcp_fragment.patch b/patches.fixes/tcp-refine-memory-limit-test-in-tcp_fragment.patch
new file mode 100644
index 0000000000..1af25b9763
--- /dev/null
+++ b/patches.fixes/tcp-refine-memory-limit-test-in-tcp_fragment.patch
@@ -0,0 +1,39 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 21 Jun 2019 06:09:55 -0700
+Subject: tcp: refine memory limit test in tcp_fragment()
+Patch-mainline: v5.2-rc6
+Git-commit: b6653b3629e5b88202be3c9abc44713973f5c4b4
+References: CVE-2019-11478 bsc#1137586 bsc#1139751
+
+tcp_fragment() might be called for skbs in the write queue.
+
+Memory limits might have been exceeded because tcp_sendmsg() only
+checks limits at full skb (64KB) boundaries.
+
+Therefore, we need to make sure tcp_fragment() wont punish applications
+that might have setup very low SO_SNDBUF values.
+
+Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Christoph Paasch <cpaasch@apple.com>
+Tested-by: Christoph Paasch <cpaasch@apple.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+SLE: version used here comes from stable-4.4.y commit 46c7b5d6f2a5
+
+---
+ net/ipv4/tcp_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1273,7 +1273,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
+ if (nsize < 0)
+ nsize = 0;
+
+- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
++ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000)) {
+ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
+ return -ENOMEM;
+ }
diff --git a/patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch b/patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch
index 781b664f79..ed0bff0688 100644
--- a/patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch
+++ b/patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch
@@ -42,9 +42,9 @@ Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
if (nsize < 0)
nsize = 0;
-- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
+- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000)) {
- NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
-+ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf))
++ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000))
return -ENOMEM;
- }
diff --git a/patches.kabi/kabi-fixup-blk_mq_register_dev.patch b/patches.kabi/kabi-fixup-blk_mq_register_dev.patch
new file mode 100644
index 0000000000..bdb84097e7
--- /dev/null
+++ b/patches.kabi/kabi-fixup-blk_mq_register_dev.patch
@@ -0,0 +1,41 @@
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Mon 8 Jul 11:05:25 CEST 2019
+Subject: Kabi fixup blk_mq_register_dev()
+References: bsc#1140637
+Patch-mainline: Never, KABI consistency
+
+This is a kabi consistency patch for
+patches.fixes/blk-mq-free-hw-queue-s-resource-in-hctx-s-release-handler.patch.
+
+patches.fixes/blk-mq-free-hw-queue-s-resource-in-hctx-s-release-handler.patch
+adds "block/blk.h" to block/blk-mq-sysfs.c in order to get the definitions for
+blk_free_flush_queue().
+
+But adding "block/blk.h" breaks the kABI for blk_mq_register_dev() by making
+it more defined.
+
+Fix this by removing the include and pulling the definition in as an "extern"
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ block/blk-mq-sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/blk-mq-sysfs.c
++++ b/block/blk-mq-sysfs.c
+@@ -10,7 +10,6 @@
+ #include <linux/smp.h>
+
+ #include <linux/blk-mq.h>
+-#include "blk.h"
+ #include "blk-mq.h"
+ #include "blk-mq-tag.h"
+
+@@ -20,6 +19,7 @@ static void blk_mq_sysfs_release(struct
+
+ static void blk_mq_hw_sysfs_release(struct kobject *kobj)
+ {
++ extern void blk_free_flush_queue(struct blk_flush_queue *q);
+ struct blk_mq_hw_ctx *hctx = container_of(kobj, struct blk_mq_hw_ctx,
+ kobj);
+
diff --git a/patches.kabi/kabi-handle-addition-of-net-hash_mix.patch b/patches.kabi/kabi-handle-addition-of-net-hash_mix.patch
new file mode 100644
index 0000000000..5e54d1142d
--- /dev/null
+++ b/patches.kabi/kabi-handle-addition-of-net-hash_mix.patch
@@ -0,0 +1,34 @@
+From: Michal Kubecek <mkubecek@suse.cz>
+Date: Tue, 9 Jul 2019 08:37:40 +0200
+Subject: kabi: handle addition of net::hash_mix
+Patch-mainline: Never, kabi workaround
+References: CVE-2019-10639 bsc#1140577
+
+Backport of mainline commit 355b98553789 ("netns: provide pure entropy for
+net_hash_mix()") adds new member hash_mix into kabi-protected struct net.
+As struct net is always allocated by in-tree kernel code, we can simply
+move hash_mix at the end and hide it from genksyms.
+
+Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
+---
+ include/net/net_namespace.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/net_namespace.h
++++ b/include/net/net_namespace.h
+@@ -54,7 +54,6 @@ struct net {
+ */
+ spinlock_t rules_mod_lock;
+
+- u32 hash_mix;
+ atomic64_t cookie_gen;
+
+ struct list_head list; /* list of network namespaces */
+@@ -156,6 +155,7 @@ struct net {
+ atomic_t fnhe_genid;
+ #ifndef __GENKSYMS__
+ int sysctl_tcp_min_snd_mss;
++ u32 hash_mix;
+ #endif
+ };
+
diff --git a/patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch b/patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch
new file mode 100644
index 0000000000..bd3f1555a6
--- /dev/null
+++ b/patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch
@@ -0,0 +1,77 @@
+From: Michal Kubecek <mkubecek@suse.cz>
+Date: Tue, 9 Jul 2019 08:45:15 +0200
+Subject: kabi: handle addition of netns_ipv4::ip_id_key
+Patch-mainline: Never, kabi workaround
+References: CVE-2019-10638 bsc#1140575
+
+Backport of mainline commit df453700e8d8 ("inet: switch IP ID generator to
+siphash") adds new member ip_id_ikey into struct netns_ipv4 which is
+embedded into kabi-protected struct net. As struct net is always allocated
+by in-tree kernel code and struct netns_ipv4 is not used anywhere else, we
+can move ip_id_key out of netns_ipv4 to the end of struct net itself and
+hide it from genksyms.
+
+Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
+---
+ include/net/net_namespace.h | 1 +
+ include/net/netns/ipv4.h | 1 -
+ net/ipv4/route.c | 7 +++----
+ net/ipv6/output_core.c | 7 +++----
+ 4 files changed, 7 insertions(+), 9 deletions(-)
+
+--- a/include/net/net_namespace.h
++++ b/include/net/net_namespace.h
+@@ -156,6 +156,7 @@ struct net {
+ #ifndef __GENKSYMS__
+ int sysctl_tcp_min_snd_mss;
+ u32 hash_mix;
++ siphash_key_t ip_id_key;
+ #endif
+ };
+
+--- a/include/net/netns/ipv4.h
++++ b/include/net/netns/ipv4.h
+@@ -160,6 +160,5 @@ struct netns_ipv4 {
+ unsigned int ipmr_seq; /* protected by rtnl_mutex */
+
+ atomic_t rt_genid;
+- siphash_key_t ip_id_key;
+ };
+ #endif
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -516,14 +516,13 @@ void __ip_select_ident(struct net *net, struct iphdr *iph, int segs)
+ u32 hash, id;
+
+ /* Note the following code is not safe, but this is okay. */
+- if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
+- get_random_bytes(&net->ipv4.ip_id_key,
+- sizeof(net->ipv4.ip_id_key));
++ if (unlikely(siphash_key_is_zero(&net->ip_id_key)))
++ get_random_bytes(&net->ip_id_key, sizeof(net->ip_id_key));
+
+ hash = siphash_3u32((__force u32)iph->daddr,
+ (__force u32)iph->saddr,
+ iph->protocol,
+- &net->ipv4.ip_id_key);
++ &net->ip_id_key);
+ id = ip_idents_reserve(hash, segs);
+ iph->id = htons(id);
+ }
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -24,11 +24,10 @@ static u32 __ipv6_select_ident(struct net *net,
+ u32 hash, id;
+
+ /* Note the following code is not safe, but this is okay. */
+- if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
+- get_random_bytes(&net->ipv4.ip_id_key,
+- sizeof(net->ipv4.ip_id_key));
++ if (unlikely(siphash_key_is_zero(&net->ip_id_key)))
++ get_random_bytes(&net->ip_id_key, sizeof(net->ip_id_key));
+
+- hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key);
++ hash = siphash(&combined, sizeof(combined), &net->ip_id_key);
+
+ /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve,
+ * set the hight order instead thus minimizing possible future
diff --git a/patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch b/patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch
new file mode 100644
index 0000000000..2bbba5d99e
--- /dev/null
+++ b/patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch
@@ -0,0 +1,33 @@
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Tue 22 May 11:58:05 CEST 2018
+Subject: kabi protect struct acpi_nfit_desc
+References: bsc#1091424
+Patch-mainline: Never, KABI fixup
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/acpi/nfit/nfit.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/nfit/nfit.h
++++ b/drivers/acpi/nfit/nfit.h
+@@ -239,7 +239,8 @@ struct acpi_nfit_desc {
+ unsigned int max_ars;
+ unsigned int scrub_count;
+ unsigned int scrub_mode;
+- unsigned long scrub_flags;
++ unsigned int scrub_busy:1;
++ unsigned int cancel:1;
+ unsigned long dimm_cmd_force_en;
+ unsigned long bus_cmd_force_en;
+ unsigned long bus_nfit_cmd_force_en;
+@@ -247,6 +248,9 @@ struct acpi_nfit_desc {
+ unsigned int scrub_tmo;
+ int (*blk_do_io)(struct nd_blk_region *ndbr, resource_size_t dpa,
+ void *iobuf, u64 len, int rw);
++#ifndef __GENKSYMS__
++ unsigned long scrub_flags;
++#endif
+ };
+
+ enum scrub_mode {
diff --git a/patches.suse/ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch b/patches.suse/ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch
new file mode 100644
index 0000000000..7ca190f8d2
--- /dev/null
+++ b/patches.suse/ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch
@@ -0,0 +1,182 @@
+From: Petr Mladek <pmladek@suse.com>
+Date: Thu, 27 Jun 2019 10:13:34 +0200
+Subject: ftrace/x86: Remove possible deadlock between register_kprobe() and
+ ftrace_run_update_code()
+Git-commit: d5b844a2cf507fc7642c9ae80a9d585db3065c28
+Patch-mainline: v5.2
+References: bsc#1071995 fate#323487
+
+The commit 9f255b632bf12c4dd7 ("module: Fix livepatch/ftrace module text
+permissions race") causes a possible deadlock between register_kprobe()
+and ftrace_run_update_code() when ftrace is using stop_machine().
+
+The existing dependency chain (in reverse order) is:
+
+-> #1 (text_mutex){+.+.}:
+ validate_chain.isra.21+0xb32/0xd70
+ __lock_acquire+0x4b8/0x928
+ lock_acquire+0x102/0x230
+ __mutex_lock+0x88/0x908
+ mutex_lock_nested+0x32/0x40
+ register_kprobe+0x254/0x658
+ init_kprobes+0x11a/0x168
+ do_one_initcall+0x70/0x318
+ kernel_init_freeable+0x456/0x508
+ kernel_init+0x22/0x150
+ ret_from_fork+0x30/0x34
+ kernel_thread_starter+0x0/0xc
+
+-> #0 (cpu_hotplug_lock.rw_sem){++++}:
+ check_prev_add+0x90c/0xde0
+ validate_chain.isra.21+0xb32/0xd70
+ __lock_acquire+0x4b8/0x928
+ lock_acquire+0x102/0x230
+ cpus_read_lock+0x62/0xd0
+ stop_machine+0x2e/0x60
+ arch_ftrace_update_code+0x2e/0x40
+ ftrace_run_update_code+0x40/0xa0
+ ftrace_startup+0xb2/0x168
+ register_ftrace_function+0x64/0x88
+ klp_patch_object+0x1a2/0x290
+ klp_enable_patch+0x554/0x980
+ do_one_initcall+0x70/0x318
+ do_init_module+0x6e/0x250
+ load_module+0x1782/0x1990
+ __s390x_sys_finit_module+0xaa/0xf0
+ system_call+0xd8/0x2d0
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(text_mutex);
+ lock(cpu_hotplug_lock.rw_sem);
+ lock(text_mutex);
+ lock(cpu_hotplug_lock.rw_sem);
+
+It is similar problem that has been solved by the commit 2d1e38f56622b9b
+("kprobes: Cure hotplug lock ordering issues"). Many locks are involved.
+To be on the safe side, text_mutex must become a low level lock taken
+after cpu_hotplug_lock.rw_sem.
+
+This can't be achieved easily with the current ftrace design.
+For example, arm calls set_all_modules_text_rw() already in
+ftrace_arch_code_modify_prepare(), see arch/arm/kernel/ftrace.c.
+This functions is called:
+
+ + outside stop_machine() from ftrace_run_update_code()
+ + without stop_machine() from ftrace_module_enable()
+
+Fortunately, the problematic fix is needed only on x86_64. It is
+the only architecture that calls set_all_modules_text_rw()
+in ftrace path and supports livepatching at the same time.
+
+Therefore it is enough to move text_mutex handling from the generic
+kernel/trace/ftrace.c into arch/x86/kernel/ftrace.c:
+
+ ftrace_arch_code_modify_prepare()
+ ftrace_arch_code_modify_post_process()
+
+This patch basically reverts the ftrace part of the problematic
+commit 9f255b632bf12c4dd7 ("module: Fix livepatch/ftrace module
+text permissions race"). And provides x86_64 specific-fix.
+
+Some refactoring of the ftrace code will be needed when livepatching
+is implemented for arm or nds32. These architectures call
+set_all_modules_text_rw() and use stop_machine() at the same time.
+
+Link: http://lkml.kernel.org/r/20190627081334.12793-1-pmladek@suse.com
+
+Fixes: 9f255b632bf12c4dd7 ("module: Fix livepatch/ftrace module text permissions race")
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Reported-by: Miroslav Benes <mbenes@suse.cz>
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+[
+ As reviewed by Miroslav Benes <mbenes@suse.cz>, removed return value of
+ ftrace_run_update_code() as it is a void function.
+]
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Acked-by: Miroslav Benes <mbenes@suse.cz>
+---
+ arch/x86/kernel/ftrace.c | 3 +++
+ kernel/trace/ftrace.c | 10 +---------
+ 2 files changed, 4 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/kernel/ftrace.c
++++ b/arch/x86/kernel/ftrace.c
+@@ -21,6 +21,7 @@
+ #include <linux/init.h>
+ #include <linux/list.h>
+ #include <linux/module.h>
++#include <linux/memory.h>
+
+ #include <trace/syscall.h>
+
+@@ -34,6 +35,7 @@
+
+ int ftrace_arch_code_modify_prepare(void)
+ {
++ mutex_lock(&text_mutex);
+ set_kernel_text_rw();
+ set_all_modules_text_rw();
+ return 0;
+@@ -43,6 +45,7 @@ int ftrace_arch_code_modify_post_process
+ {
+ set_all_modules_text_ro();
+ set_kernel_text_ro();
++ mutex_unlock(&text_mutex);
+ return 0;
+ }
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -33,7 +33,6 @@
+ #include <linux/list.h>
+ #include <linux/hash.h>
+ #include <linux/rcupdate.h>
+-#include <linux/memory.h>
+
+ #include <trace/events/sched.h>
+
+@@ -2630,12 +2629,10 @@ static void ftrace_run_update_code(int c
+ {
+ int ret;
+
+- mutex_lock(&text_mutex);
+-
+ ret = ftrace_arch_code_modify_prepare();
+ FTRACE_WARN_ON(ret);
+ if (ret)
+- goto out_unlock;
++ return;
+
+ /*
+ * By default we use stop_machine() to modify the code.
+@@ -2647,9 +2644,6 @@ static void ftrace_run_update_code(int c
+
+ ret = ftrace_arch_code_modify_post_process();
+ FTRACE_WARN_ON(ret);
+-
+-out_unlock:
+- mutex_unlock(&text_mutex);
+ }
+
+ static void ftrace_run_modify_code(struct ftrace_ops *ops, int command,
+@@ -5415,7 +5409,6 @@ void ftrace_module_enable(struct module
+ struct ftrace_page *pg;
+
+ mutex_lock(&ftrace_lock);
+- mutex_lock(&text_mutex);
+
+ if (ftrace_disabled)
+ goto out_unlock;
+@@ -5476,7 +5469,6 @@ void ftrace_module_enable(struct module
+ ftrace_arch_code_modify_post_process();
+
+ out_unlock:
+- mutex_unlock(&text_mutex);
+ mutex_unlock(&ftrace_lock);
+ }
+
diff --git a/patches.suse/hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch b/patches.suse/hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch
new file mode 100644
index 0000000000..d8375988cd
--- /dev/null
+++ b/patches.suse/hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch
@@ -0,0 +1,74 @@
+From 81d3f9de6f4c3abd507aed6840e04d55085d31c2 Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Fri, 26 Oct 2018 15:10:58 -0700
+Subject: [PATCH] hugetlbfs: dirty pages as they are added to pagecache
+
+References: git fixes (mm/hugetlbfs)
+Patch-mainline: v4.20
+Git-commit: 22146c3ce98962436e401f7b7016a6f664c9ffb5
+
+Some test systems were experiencing negative huge page reserve counts and
+incorrect file block counts. This was traced to /proc/sys/vm/drop_caches
+removing clean pages from hugetlbfs file pagecaches. When non-hugetlbfs
+explicit code removes the pages, the appropriate accounting is not
+performed.
+
+This can be recreated as follows:
+ fallocate -l 2M /dev/hugepages/foo
+ echo 1 > /proc/sys/vm/drop_caches
+ fallocate -l 2M /dev/hugepages/foo
+ grep -i huge /proc/meminfo
+ AnonHugePages: 0 kB
+ ShmemHugePages: 0 kB
+ HugePages_Total: 2048
+ HugePages_Free: 2047
+ HugePages_Rsvd: 18446744073709551615
+ HugePages_Surp: 0
+ Hugepagesize: 2048 kB
+ Hugetlb: 4194304 kB
+ ls -lsh /dev/hugepages/foo
+ 4.0M -rw-r--r--. 1 root root 2.0M Oct 17 20:05 /dev/hugepages/foo
+
+To address this issue, dirty pages as they are added to pagecache. This
+can easily be reproduced with fallocate as shown above. Read faulted
+pages will eventually end up being marked dirty. But there is a window
+where they are clean and could be impacted by code such as drop_caches.
+So, just dirty them all as they are added to the pagecache.
+
+Link: http://lkml.kernel.org/r/b5be45b8-5afe-56cd-9482-28384699a049@oracle.com
+Fixes: 6bda666a03f0 ("hugepages: fold find_or_alloc_pages into huge_no_page()")
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Acked-by: Mihcla Hocko <mhocko@suse.com>
+Reviewed-by: Khalid Aziz <khalid.aziz@oracle.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: "Aneesh Kumar K . V" <aneesh.kumar@linux.vnet.ibm.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Mel Gorman <mgorman@suse.de>
+---
+ mm/hugetlb.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index 9922e6aa80da..4e0ab342baf8 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -3684,6 +3684,12 @@ int huge_add_to_page_cache(struct page *page, struct address_space *mapping,
+ return err;
+ ClearPagePrivate(page);
+
++ /*
++ * set page dirty so that it will not be removed from cache/file
++ * by non-hugetlbfs specific code paths.
++ */
++ set_page_dirty(page);
++
+ spin_lock(&inode->i_lock);
+ inode->i_blocks += blocks_per_huge_page(h);
+ spin_unlock(&inode->i_lock);
diff --git a/patches.suse/hugetlbfs-fix-kernel-BUG-at-fs-hugetlbfs-inode.c-444.patch b/patches.suse/hugetlbfs-fix-kernel-BUG-at-fs-hugetlbfs-inode.c-444.patch
new file mode 100644
index 0000000000..49400aacc3
--- /dev/null
+++ b/patches.suse/hugetlbfs-fix-kernel-BUG-at-fs-hugetlbfs-inode.c-444.patch
@@ -0,0 +1,134 @@
+From ab19c4ea6646929c6239dc43b15c87d4667d93ac Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Fri, 16 Nov 2018 15:08:04 -0800
+Subject: [PATCH] hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444!
+
+References: git fixes (mm/hugetlbfs)
+Patch-mainline: v4.20
+Git-commit: 5e41540c8a0f0e98c337dda8b391e5dda0cde7cf
+
+This bug has been experienced several times by the Oracle DB team. The
+BUG is in remove_inode_hugepages() as follows:
+
+ /*
+ * If page is mapped, it was faulted in after being
+ * unmapped in caller. Unmap (again) now after taking
+ * the fault mutex. The mutex will prevent faults
+ * until we finish removing the page.
+ *
+ * This race can only happen in the hole punch case.
+ * Getting here in a truncate operation is a bug.
+ */
+ if (unlikely(page_mapped(page))) {
+ BUG_ON(truncate_op);
+
+In this case, the elevated map count is not the result of a race.
+Rather it was incorrectly incremented as the result of a bug in the huge
+pmd sharing code. Consider the following:
+
+ - Process A maps a hugetlbfs file of sufficient size and alignment
+ (PUD_SIZE) that a pmd page could be shared.
+
+ - Process B maps the same hugetlbfs file with the same size and
+ alignment such that a pmd page is shared.
+
+ - Process B then calls mprotect() to change protections for the mapping
+ with the shared pmd. As a result, the pmd is 'unshared'.
+
+ - Process B then calls mprotect() again to chage protections for the
+ mapping back to their original value. pmd remains unshared.
+
+ - Process B then forks and process C is created. During the fork
+ process, we do dup_mm -> dup_mmap -> copy_page_range to copy page
+ tables. Copying page tables for hugetlb mappings is done in the
+ routine copy_hugetlb_page_range.
+
+In copy_hugetlb_page_range(), the destination pte is obtained by:
+
+ dst_pte = huge_pte_alloc(dst, addr, sz);
+
+If pmd sharing is possible, the returned pointer will be to a pte in an
+existing page table. In the situation above, process C could share with
+either process A or process B. Since process A is first in the list,
+the returned pte is a pointer to a pte in process A's page table.
+
+However, the check for pmd sharing in copy_hugetlb_page_range is:
+
+ /* If the pagetables are shared don't copy or take references */
+ if (dst_pte == src_pte)
+ continue;
+
+Since process C is sharing with process A instead of process B, the
+above test fails. The code in copy_hugetlb_page_range which follows
+assumes dst_pte points to a huge_pte_none pte. It copies the pte entry
+from src_pte to dst_pte and increments this map count of the associated
+page. This is how we end up with an elevated map count.
+
+To solve, check the dst_pte entry for huge_pte_none. If !none, this
+implies PMD sharing so do not copy.
+
+Link: http://lkml.kernel.org/r/20181105212315.14125-1-mike.kravetz@oracle.com
+Fixes: c5c99429fa57 ("fix hugepages leak due to pagetable page sharing")
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Prakash Sangappa <prakash.sangappa@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Mel Gorman <mgorman@suse.de>
+---
+ mm/hugetlb.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index 4e0ab342baf8..29314b5b4b8e 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -3254,7 +3254,7 @@ static int is_hugetlb_entry_hwpoisoned(pte_t pte)
+ int copy_hugetlb_page_range(struct mm_struct *dst, struct mm_struct *src,
+ struct vm_area_struct *vma)
+ {
+- pte_t *src_pte, *dst_pte, entry;
++ pte_t *src_pte, *dst_pte, entry, dst_entry;
+ struct page *ptepage;
+ unsigned long addr;
+ int cow;
+@@ -3282,15 +3282,30 @@ int copy_hugetlb_page_range(struct mm_struct *dst, struct mm_struct *src,
+ break;
+ }
+
+- /* If the pagetables are shared don't copy or take references */
+- if (dst_pte == src_pte)
++ /*
++ * If the pagetables are shared don't copy or take references.
++ * dst_pte == src_pte is the common case of src/dest sharing.
++ *
++ * However, src could have 'unshared' and dst shares with
++ * another vma. If dst_pte !none, this implies sharing.
++ * Check here before taking page table lock, and once again
++ * after taking the lock below.
++ */
++ dst_entry = huge_ptep_get(dst_pte);
++ if ((dst_pte == src_pte) || !huge_pte_none(dst_entry))
+ continue;
+
+ dst_ptl = huge_pte_lock(h, dst, dst_pte);
+ src_ptl = huge_pte_lockptr(h, src, src_pte);
+ spin_lock_nested(src_ptl, SINGLE_DEPTH_NESTING);
+ entry = huge_ptep_get(src_pte);
+- if (huge_pte_none(entry)) { /* skip none entry */
++ dst_entry = huge_ptep_get(dst_pte);
++ if (huge_pte_none(entry) || !huge_pte_none(dst_entry)) {
++ /*
++ * Skip if src entry none. Also, skip in the
++ * unlikely case dst entry !none as this implies
++ * sharing with another vma.
++ */
+ ;
+ } else if (unlikely(is_hugetlb_entry_migration(entry) ||
+ is_hugetlb_entry_hwpoisoned(entry))) {
diff --git a/patches.suse/mm-vmscan.c-prevent-useless-kswapd-loops.patch b/patches.suse/mm-vmscan.c-prevent-useless-kswapd-loops.patch
new file mode 100644
index 0000000000..19c179938d
--- /dev/null
+++ b/patches.suse/mm-vmscan.c-prevent-useless-kswapd-loops.patch
@@ -0,0 +1,106 @@
+From 3f40030f624f6a3532c11dde3cde8433f10fe889 Mon Sep 17 00:00:00 2001
+From: Shakeel Butt <shakeelb@google.com>
+Date: Thu, 4 Jul 2019 15:14:42 -0700
+Subject: [PATCH] mm/vmscan.c: prevent useless kswapd loops
+
+References: git fixes (mm/vmscan)
+Patch-mainline: v5.2
+Git-commit: dffcac2cb88e4ec5906235d64a83d802580b119e
+
+In production we have noticed hard lockups on large machines running
+large jobs due to kswaps hoarding lru lock within isolate_lru_pages when
+sc->reclaim_idx is 0 which is a small zone. The lru was couple hundred
+GiBs and the condition (page_zonenum(page) > sc->reclaim_idx) in
+isolate_lru_pages() was basically skipping GiBs of pages while holding
+the LRU spinlock with interrupt disabled.
+
+On further inspection, it seems like there are two issues:
+
+(1) If kswapd on the return from balance_pgdat() could not sleep (i.e.
+ node is still unbalanced), the classzone_idx is unintentionally set
+ to 0 and the whole reclaim cycle of kswapd will try to reclaim only
+ the lowest and smallest zone while traversing the whole memory.
+
+(2) Fundamentally isolate_lru_pages() is really bad when the
+ allocation has woken kswapd for a smaller zone on a very large machine
+ running very large jobs. It can hoard the LRU spinlock while skipping
+ over 100s of GiBs of pages.
+
+This patch only fixes (1). (2) needs a more fundamental solution. To
+fix (1), in the kswapd context, if pgdat->kswapd_classzone_idx is
+invalid use the classzone_idx of the previous kswapd loop otherwise use
+the one the waker has requested.
+
+Link: http://lkml.kernel.org/r/20190701201847.251028-1-shakeelb@google.com
+Fixes: e716f2eb24de ("mm, vmscan: prevent kswapd sleeping prematurely due to mismatched classzone_idx")
+Signed-off-by: Shakeel Butt <shakeelb@google.com>
+Reviewed-by: Yang Shi <yang.shi@linux.alibaba.com>
+Acked-by: Mel Gorman <mgorman@suse.de>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Hillf Danton <hdanton@sina.com>
+Cc: Roman Gushchin <guro@fb.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Mel Gorman <mgorman@suse.de>
+---
+ mm/vmscan.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/mm/vmscan.c b/mm/vmscan.c
+index 8cf73cb92a13..477fcb98a825 100644
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -3362,19 +3362,18 @@ static int balance_pgdat(pg_data_t *pgdat, int order, int classzone_idx)
+ }
+
+ /*
+- * pgdat->kswapd_classzone_idx is the highest zone index that a recent
+- * allocation request woke kswapd for. When kswapd has not woken recently,
+- * the value is MAX_NR_ZONES which is not a valid index. This compares a
+- * given classzone and returns it or the highest classzone index kswapd
+- * was recently woke for.
++ * The pgdat->kswapd_classzone_idx is used to pass the highest zone index to be
++ * reclaimed by kswapd from the waker. If the value is MAX_NR_ZONES which is not
++ * a valid index then either kswapd runs for first time or kswapd couldn't sleep
++ * after previous reclaim attempt (node is still unbalanced). In that case
++ * return the zone index of the previous kswapd reclaim cycle.
+ */
+ static enum zone_type kswapd_classzone_idx(pg_data_t *pgdat,
+- enum zone_type classzone_idx)
++ enum zone_type prev_classzone_idx)
+ {
+ if (pgdat->kswapd_classzone_idx == MAX_NR_ZONES)
+- return classzone_idx;
+-
+- return max(pgdat->kswapd_classzone_idx, classzone_idx);
++ return prev_classzone_idx;
++ return pgdat->kswapd_classzone_idx;
+ }
+
+ static void kswapd_try_to_sleep(pg_data_t *pgdat, int alloc_order, int reclaim_order,
+@@ -3517,7 +3516,7 @@ static int kswapd(void *p)
+
+ /* Read the new order and classzone_idx */
+ alloc_order = reclaim_order = pgdat->kswapd_order;
+- classzone_idx = kswapd_classzone_idx(pgdat, 0);
++ classzone_idx = kswapd_classzone_idx(pgdat, classzone_idx);
+ pgdat->kswapd_order = 0;
+ pgdat->kswapd_classzone_idx = MAX_NR_ZONES;
+
+@@ -3567,8 +3566,12 @@ void wakeup_kswapd(struct zone *zone, int order, enum zone_type classzone_idx)
+ if (!cpuset_zone_allowed(zone, gfp_flags))
+ return;
+ pgdat = zone->zone_pgdat;
+- pgdat->kswapd_classzone_idx = kswapd_classzone_idx(pgdat,
+- classzone_idx);
++
++ if (pgdat->kswapd_classzone_idx == MAX_NR_ZONES)
++ pgdat->kswapd_classzone_idx = classzone_idx;
++ else
++ pgdat->kswapd_classzone_idx = max(pgdat->kswapd_classzone_idx,
++ classzone_idx);
+ pgdat->kswapd_order = max(pgdat->kswapd_order, order);
+ if (!waitqueue_active(&pgdat->kswapd_wait))
+ return;
diff --git a/patches.suse/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch b/patches.suse/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch
new file mode 100644
index 0000000000..aa85abd734
--- /dev/null
+++ b/patches.suse/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch
@@ -0,0 +1,54 @@
+From: Jann Horn <jannh@google.com>
+Date: Thu, 4 Jul 2019 17:32:23 +0200
+Subject: ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME
+Git-commit: 6994eefb0053799d2e07cd140df6c2ea106c41ee
+Patch-mainline: 5.2
+References: git-fixes
+
+Fix two issues:
+
+When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU
+reference to the parent's objective credentials, then give that pointer
+to get_cred(). However, the object lifetime rules for things like
+struct cred do not permit unconditionally turning an RCU reference into
+a stable reference.
+
+PTRACE_TRACEME records the parent's credentials as if the parent was
+acting as the subject, but that's not the case. If a malicious
+unprivileged child uses PTRACE_TRACEME and the parent is privileged, and
+at a later point, the parent process becomes attacker-controlled
+(because it drops privileges and calls execve()), the attacker ends up
+with control over two processes with a privileged ptrace relationship,
+which can be abused to ptrace a suid binary and obtain root privileges.
+
+Fix both of these by always recording the credentials of the process
+that is requesting the creation of the ptrace relationship:
+current_cred() can't change under us, and current is the proper subject
+for access control.
+
+This change is theoretically userspace-visible, but I am not aware of
+any code that it will actually break.
+
+Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/ptrace.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -78,9 +78,7 @@ void __ptrace_link(struct task_struct *c
+ */
+ static void ptrace_link(struct task_struct *child, struct task_struct *new_parent)
+ {
+- rcu_read_lock();
+- __ptrace_link(child, new_parent, __task_cred(new_parent));
+- rcu_read_unlock();
++ __ptrace_link(child, new_parent, current_cred());
+ }
+
+ /**
diff --git a/patches.suse/ptrace-restore-smp_rmb-in-__ptrace_may_access.patch b/patches.suse/ptrace-restore-smp_rmb-in-__ptrace_may_access.patch
new file mode 100644
index 0000000000..3f793f5ad4
--- /dev/null
+++ b/patches.suse/ptrace-restore-smp_rmb-in-__ptrace_may_access.patch
@@ -0,0 +1,60 @@
+From: Jann Horn <jannh@google.com>
+Date: Wed, 29 May 2019 13:31:57 +0200
+Subject: ptrace: restore smp_rmb() in __ptrace_may_access()
+Git-commit: f6581f5b55141a95657ef5742cf6a6bfa20a109f
+Patch-mainline: 5.2-rc5
+References: git-fixes
+
+Restore the read memory barrier in __ptrace_may_access() that was deleted
+a couple years ago. Also add comments on this barrier and the one it pairs
+with to explain why they're there (as far as I understand).
+
+Fixes: bfedb589252c ("mm: Add a user_ns owner to mm_struct and fix ptrace permission checks")
+Cc: stable@vger.kernel.org
+Acked-by: Kees Cook <keescook@chromium.org>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/cred.c | 9 +++++++++
+ kernel/ptrace.c | 10 ++++++++++
+ 2 files changed, 19 insertions(+)
+
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -448,6 +448,15 @@ int commit_creds(struct cred *new)
+ if (task->mm)
+ set_dumpable(task->mm, suid_dumpable);
+ task->pdeath_signal = 0;
++ /*
++ * If a task drops privileges and becomes nondumpable,
++ * the dumpability change must become visible before
++ * the credential change; otherwise, a __ptrace_may_access()
++ * racing with this change may be able to attach to a task it
++ * shouldn't be able to attach to (as if the task had dropped
++ * privileges without becoming nondumpable).
++ * Pairs with a read barrier in __ptrace_may_access().
++ */
+ smp_wmb();
+ }
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -323,6 +323,16 @@ static int __ptrace_may_access(struct ta
+ return -EPERM;
+ ok:
+ rcu_read_unlock();
++ /*
++ * If a task drops privileges and becomes nondumpable (through a syscall
++ * like setresuid()) while we are trying to access it, we must ensure
++ * that the dumpability is read after the credentials; otherwise,
++ * we may be able to attach to a task that we shouldn't be able to
++ * attach to (as if the task had dropped privileges without becoming
++ * nondumpable).
++ * Pairs with a write barrier in commit_creds().
++ */
++ smp_rmb();
+ mm = task->mm;
+ if (mm &&
+ ((get_dumpable(mm) != SUID_DUMP_USER) &&
diff --git a/patches.suse/signal-ptrace-Don-t-leak-unitialized-kernel-memory-w.patch b/patches.suse/signal-ptrace-Don-t-leak-unitialized-kernel-memory-w.patch
new file mode 100644
index 0000000000..e9f048efc1
--- /dev/null
+++ b/patches.suse/signal-ptrace-Don-t-leak-unitialized-kernel-memory-w.patch
@@ -0,0 +1,74 @@
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Tue, 28 May 2019 18:46:37 -0500
+Subject: signal/ptrace: Don't leak unitialized kernel memory with
+ PTRACE_PEEK_SIGINFO
+Git-commit: f6e2aa91a46d2bc79fce9b93a988dbe7655c90c0
+Patch-mainline: 5.2-rc5
+References: git-fixes
+
+Recently syzbot in conjunction with KMSAN reported that
+ptrace_peek_siginfo can copy an uninitialized siginfo to userspace.
+Inspecting ptrace_peek_siginfo confirms this.
+
+The problem is that off when initialized from args.off can be
+initialized to a negaive value. At which point the "if (off >= 0)"
+test to see if off became negative fails because off started off
+negative.
+
+Prevent the core problem by adding a variable found that is only true
+if a siginfo is found and copied to a temporary in preparation for
+being copied to userspace.
+
+Prevent args.off from being truncated when being assigned to off by
+testing that off is <= the maximum possible value of off. Convert off
+to an unsigned long so that we should not have to truncate args.off,
+we have well defined overflow behavior so if we add another check we
+won't risk fighting undefined compiler behavior, and so that we have a
+type whose maximum value is easy to test for.
+
+Cc: Andrei Vagin <avagin@gmail.com>
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com
+Fixes: 84c751bd4aeb ("ptrace: add ability to retrieve signals without removing from a queue (v4)")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/ptrace.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -704,6 +704,10 @@ static int ptrace_peek_siginfo(struct ta
+ if (arg.nr < 0)
+ return -EINVAL;
+
++ /* Ensure arg.off fits in an unsigned long */
++ if (arg.off > ULONG_MAX)
++ return 0;
++
+ if (arg.flags & PTRACE_PEEKSIGINFO_SHARED)
+ pending = &child->signal->shared_pending;
+ else
+@@ -711,18 +715,20 @@ static int ptrace_peek_siginfo(struct ta
+
+ for (i = 0; i < arg.nr; ) {
+ siginfo_t info;
+- s32 off = arg.off + i;
++ unsigned long off = arg.off + i;
++ bool found = false;
+
+ spin_lock_irq(&child->sighand->siglock);
+ list_for_each_entry(q, &pending->list, list) {
+ if (!off--) {
++ found = true;
+ copy_siginfo(&info, &q->info);
+ break;
+ }
+ }
+ spin_unlock_irq(&child->sighand->siglock);
+
+- if (off >= 0) /* beyond the end of the list */
++ if (!found) /* beyond the end of the list */
+ break;
+
+ #ifdef CONFIG_COMPAT
diff --git a/patches.suse/tracing-snapshot-resize-spare-buffer-if-size-changed.patch b/patches.suse/tracing-snapshot-resize-spare-buffer-if-size-changed.patch
new file mode 100644
index 0000000000..d67ddc4bf6
--- /dev/null
+++ b/patches.suse/tracing-snapshot-resize-spare-buffer-if-size-changed.patch
@@ -0,0 +1,105 @@
+From: Eiichi Tsukata <devel@etsukata.com>
+Date: Tue, 25 Jun 2019 10:29:10 +0900
+Subject: tracing/snapshot: Resize spare buffer if size changed
+Git-commit: 46cc0b44428d0f0e81f11ea98217fc0edfbeab07
+Patch-mainline: v5.2
+References: bsc#1140726
+
+Current snapshot implementation swaps two ring_buffers even though their
+sizes are different from each other, that can cause an inconsistency
+between the contents of buffer_size_kb file and the current buffer size.
+
+For example:
+
+ # cat buffer_size_kb
+ 7 (expanded: 1408)
+ # echo 1 > events/enable
+ # grep bytes per_cpu/cpu0/stats
+ bytes: 1441020
+ # echo 1 > snapshot // current:1408, spare:1408
+ # echo 123 > buffer_size_kb // current:123, spare:1408
+ # echo 1 > snapshot // current:1408, spare:123
+ # grep bytes per_cpu/cpu0/stats
+ bytes: 1443700
+ # cat buffer_size_kb
+ 123 // != current:1408
+
+And also, a similar per-cpu case hits the following WARNING:
+
+Reproducer:
+
+ # echo 1 > per_cpu/cpu0/snapshot
+ # echo 123 > buffer_size_kb
+ # echo 1 > per_cpu/cpu0/snapshot
+
+WARNING:
+
+ WARNING: CPU: 0 PID: 1946 at kernel/trace/trace.c:1607 update_max_tr_single.part.0+0x2b8/0x380
+ Modules linked in:
+ CPU: 0 PID: 1946 Comm: bash Not tainted 5.2.0-rc6 #20
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
+ RIP: 0010:update_max_tr_single.part.0+0x2b8/0x380
+ Code: ff e8 dc da f9 ff 0f 0b e9 88 fe ff ff e8 d0 da f9 ff 44 89 ee bf f5 ff ff ff e8 33 dc f9 ff 41 83 fd f5 74 96 e8 b8 da f9 ff <0f> 0b eb 8d e8 af da f9 ff 0f 0b e9 bf fd ff ff e8 a3 da f9 ff 48
+ RSP: 0018:ffff888063e4fca0 EFLAGS: 00010093
+ RAX: ffff888066214380 RBX: ffffffff99850fe0 RCX: ffffffff964298a8
+ RDX: 0000000000000000 RSI: 00000000fffffff5 RDI: 0000000000000005
+ RBP: 1ffff1100c7c9f96 R08: ffff888066214380 R09: ffffed100c7c9f9b
+ R10: ffffed100c7c9f9a R11: 0000000000000003 R12: 0000000000000000
+ R13: 00000000ffffffea R14: ffff888066214380 R15: ffffffff99851060
+ FS: 00007f9f8173c700(0000) GS:ffff88806d000000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000714dc0 CR3: 0000000066fa6000 CR4: 00000000000006f0
+ Call Trace:
+ ? trace_array_printk_buf+0x140/0x140
+ ? __mutex_lock_slowpath+0x10/0x10
+ tracing_snapshot_write+0x4c8/0x7f0
+ ? trace_printk_init_buffers+0x60/0x60
+ ? selinux_file_permission+0x3b/0x540
+ ? tracer_preempt_off+0x38/0x506
+ ? trace_printk_init_buffers+0x60/0x60
+ __vfs_write+0x81/0x100
+ vfs_write+0x1e1/0x560
+ ksys_write+0x126/0x250
+ ? __ia32_sys_read+0xb0/0xb0
+ ? do_syscall_64+0x1f/0x390
+ do_syscall_64+0xc1/0x390
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+This patch adds resize_buffer_duplicate_size() to check if there is a
+difference between current/spare buffer sizes and resize a spare buffer
+if necessary.
+
+Link: http://lkml.kernel.org/r/20190625012910.13109-1-devel@etsukata.com
+
+Cc: stable@vger.kernel.org
+Fixes: ad909e21bbe69 ("tracing: Add internal tracing_snapshot() functions")
+Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Acked-by: Miroslav Benes <mbenes@suse.cz>
+---
+ kernel/trace/trace.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index 4122ccde6ec2..c3aabb576fe5 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -6719,11 +6719,13 @@ tracing_snapshot_write(struct file *filp, const char __user *ubuf, size_t cnt,
+ break;
+ }
+ #endif
+- if (!tr->allocated_snapshot) {
++ if (tr->allocated_snapshot)
++ ret = resize_buffer_duplicate_size(&tr->max_buffer,
++ &tr->trace_buffer, iter->cpu_file);
++ else
+ ret = tracing_alloc_snapshot_instance(tr);
+- if (ret < 0)
+- break;
+- }
++ if (ret < 0)
++ break;
+ local_irq_disable();
+ /* Now, we're going to swap */
+ if (iter->cpu_file == RING_BUFFER_ALL_CPUS)
+
diff --git a/rpm/gitlog-excludes b/rpm/gitlog-excludes
index 3ebe117098..4cc953fd94 100644
--- a/rpm/gitlog-excludes
+++ b/rpm/gitlog-excludes
@@ -46,3 +46,7 @@ afad726eebefbb4c892476482bf48f4ec8f5e4ad
3970eda87249720404ed2fccd0f5b09281272071
6ee531a251e417d971b85d64ca9be65023b79921
9107bf77b44c09488b7909f35ebd6ff01315e8fa
+bac621c6704610562ebd9e74ae5ad85ca8025681
+5568093d5dbacaeb60b6e0f7f4bbe384b586b82a
+821419f311f3edd58124e551664a2362b62671d6
+16acab4bfa6b2421267eb4833ae3a6a5a763ff2f
diff --git a/rpm/post.sh b/rpm/post.sh
index 1569b8b398..992988099b 100644
--- a/rpm/post.sh
+++ b/rpm/post.sh
@@ -10,7 +10,7 @@ for x in /boot/@IMAGE@ /boot/initrd; do
ln -s ${x##*/}-@KERNELRELEASE@-@FLAVOR@ $x$suffix
done
-# Add symlinks of compatible modules to /lib/modules/$krel/weak-updates/,
+# Add symlinks of compatible modules to /lib/modules/$krel/weak-updates/,
# run depmod and mkinitrd
wm2=/usr/lib/module-init-tools/weak-modules2
if [ -x $wm2 ]; then
@@ -21,7 +21,7 @@ if [ -x $wm2 ]; then
rpm -ql $nvr | /bin/bash -${-/e/} $wm2 --add-kernel-modules @KERNELRELEASE@-@FLAVOR@
fi
else
- echo "$wm does not exist, please run depmod and mkinitrd manually" >&2
+ echo "$wm2 does not exist, please run depmod and mkinitrd manually" >&2
fi
message_install_bl () {
diff --git a/scripts/git_sort/git_sort.py b/scripts/git_sort/git_sort.py
index dc9aabb4b5..342c913a60 100755
--- a/scripts/git_sort/git_sort.py
+++ b/scripts/git_sort/git_sort.py
@@ -228,6 +228,7 @@ remotes = (
Head(RepoURL("viro/vfs.git"), "fixes"),
Head(RepoURL("jeyu/linux.git"), "modules-next"),
Head(RepoURL("nvdimm/nvdimm.git"), "libnvdimm-for-next"),
+ Head(RepoURL("nvdimm/nvdimm.git"), "libnvdimm-fixes"),
Head(RepoURL("djbw/nvdimm.git"), "libnvdimm-pending"),
Head(RepoURL("git://git.linux-nfs.org/projects/anna/linux-nfs.git"), "linux-next"),
Head(RepoURL("acme/linux.git"), "perf/core"),
diff --git a/series.conf b/series.conf
index e4334f9db9..72d6715cd1 100644
--- a/series.conf
+++ b/series.conf
@@ -35738,6 +35738,7 @@
patches.fixes/kconfig-fix-the-rule-of-mainmenu_stmt-symbol.patch
patches.arch/x86-i8259-add-missing-include-file
patches.drivers/net-usb-r8152-use-irqsave-in-USB-s-complete-callback.patch
+ patches.fixes/netns-get-more-entropy-from-net_hash_mix.patch
patches.drivers/net_sched-remove-unused-htb-drop_list.patch
patches.drivers/tls-Removed-unused-variable.patch
patches.drivers/bnxt-simplify-cls_flower-command-switch-and-handle-d.patch
@@ -39133,6 +39134,7 @@
patches.drivers/mfd-intel-lpss-Add-Ice-Lake-PCI-IDs.patch
patches.drivers/mfd-arizona-Don-t-use-regmap_read_poll_timeout
patches.drivers/mfd-ti_am335x_tscadc-Fix-struct-clk-memory-leak.patch
+ patches.drivers/mfd-hi655x-Fix-regmap-area-declared-size-for-hi655x.patch
patches.drivers/mfd-sm501-Set-coherent_dma_mask-when-creating-subdev
patches.drivers/HID-hid-ntrig-add-error-handling-for-sysfs_create_gr.patch
patches.drivers/HID-wacom-Replace-touch_max-fixup-code-with-static-t.patch
@@ -39370,6 +39372,7 @@
patches.apparmor/apparmor-fix-an-error-code-in-__aa_create_ns.patch
patches.apparmor/apparmor-remove-no-op-permission-check-in-policy_unpack.patch
patches.drivers/iommu-arm-smmu-error-out-only-if-not-enough-context-interrupts
+ patches.fixes/iommu-arm-smmu-v3-sync-the-OVACKFLG-to-PRIQ-consumer.patch
patches.drivers/iommu-arm-smmu-v3-Prevent-any-devices-access-to-memo.patch
patches.drivers/iommu-arm-smmu-v3-Abort-all-transactions-if-SMMU-is-.patch
patches.drivers/iommu-amd-make-sure-tlb-to-be-flushed-before-iova-freed
@@ -41960,6 +41963,7 @@
patches.suse/msft-hv-1758-uio_hv_generic-drop-ifdef-DEBUG.patch
patches.suse/msft-hv-1759-Drivers-hv-vmbus-Fix-synic-per-cpu-context-initializ.patch
patches.drivers/uio-ensure-class-is-registered-before-devices.patch
+ patches.fixes/coresight-etb10-Fix-handling-of-perf-mode.patch
patches.suse/msft-hv-1767-vmbus-pass-channel-to-hv_process_channel_removal.patch
patches.suse/msft-hv-1768-vmbus-keep-pointer-to-ring-buffer-page.patch
patches.suse/msft-hv-1769-vmbus-split-ring-buffer-allocation-from-open.patch
@@ -42092,6 +42096,7 @@
patches.suse/0001-mm-defer-ZONE_DEVICE-page-initialization-to-the-poin.patch
patches.suse/mm-split-swp_file-into-swp_activated-and-swp_fs.patch
patches.suse/mm-export-add_swap_extent.patch
+ patches.suse/hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch
patches.drivers/0432-rtc-ds1307-add-offset-sysfs-for-mt41txx-chips.patch
patches.drivers/0433-rtc-ds1307-add-frequency_test_enable-attribute-on-m4.patch
patches.drivers/0457-rtc-ds1307-fix-ds1339-wakealarm-support.patch
@@ -42685,6 +42690,7 @@
patches.drivers/efi-arm-Defer-persistent-reservations-until-after-pa.patch
patches.drivers/efi-Permit-calling-efi_mem_reserve_persistent-from-a.patch
patches.arch/perf-x86-intel-uncore-support-coffeelake-8th-cbox.patch
+ patches.suse/hugetlbfs-fix-kernel-BUG-at-fs-hugetlbfs-inode.c-444.patch
patches.fixes/ocfs2-free-up-write-context-when-direct-IO-failed.patch
patches.suse/mm-vmstat.c-fix-NUMA-statistics-updates.patch
patches.fixes/lib-ubsan.c-don-t-mark-__ubsan_handle_builtin_unreac.patch
@@ -44388,6 +44394,8 @@
patches.drivers/revert-iommu-io-pgtable-arm-check-for-v7s-incapable-systems
patches.fixes/iommu-arm-smmu-v3-Fix-big-endian-CMD_SYNC-writes.patch
patches.drivers/iommu-arm-smmu-v3-avoid-memory-corruption-from-hisilicon-msi-payloads
+ patches.fixes/iommu-arm-smmu-v3-Use-explicit-mb-when-moving-cons-p.patch
+ patches.fixes/iommu-arm-smmu-Add-support-for-qcom-smmu-v2-variant.patch
patches.drivers/iommu-vt-d-handle-domain-agaw-being-less-than-iommu-agaw
patches.drivers/iommu-amd-fix-amd_iommu-force_isolation
patches.drivers/iommu-dma-use-numa-aware-memory-allocations-in-_iommu_dma_alloc_pages
@@ -45468,6 +45476,7 @@
patches.drivers/stm-class-Fix-an-endless-loop-in-channel-allocation.patch
patches.drivers/stm-class-Prevent-division-by-zero.patch
patches.suse/msft-hv-1845-Drivers-hv-vmbus-Change-server-monitor_pages-index-t.patch
+ patches.fixes/coresight-etm4x-Add-support-to-enable-ETMv4.2.patch
patches.drivers/VMCI-Support-upto-64-bit-PPNs.patch
patches.drivers/misc-hpilo-Exclude-unsupported-device-via-blacklist.patch
patches.drivers/misc-hpilo-Do-not-claim-unsupported-hardware.patch
@@ -45922,10 +45931,14 @@
patches.fixes/libnvdimm-label-clear-updating-flag-after-label-set-update.patch
patches.fixes/nfit-Fix-nfit_intel_shutdown_status-command-submissi.patch
patches.fixes/nfit-acpi_nfit_ctl-check-out_obj-type-in-the-right-place.patch
+ patches.fixes/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch
patches.fixes/libnvdimm-Fix-altmap-reservation-size-calculation.patch
patches.fixes/libnvdimm-pmem-honor-force_raw-for-legacy-pmem-regions.patch
patches.fixes/nfit-ars-Attempt-a-short-ARS-whenever-the-ARS-state-.patch
patches.fixes/nfit-ars-Attempt-short-ARS-even-in-the-no_init_ars-c.patch
+ patches.drivers/nfit-ars-introduce-scrub_flags.patch
+ patches.fixes/nfit-ars-allow-root-to-busy-poll-the-ars-state-machine.patch
+ patches.drivers/nfit-ars-avoid-stale-ars-results.patch
patches.fixes/0001-crypto-caam-add-missing-put_device-call.patch
patches.drivers/clk-highbank-fix-refcount-leak-in-hb_clk_init.patch
patches.drivers/clk-qoriq-fix-refcount-leak-in-clockgen_init.patch
@@ -46066,6 +46079,7 @@
patches.drivers/thermal-int340x_thermal-fix-mode-setting.patch
patches.arch/thermal-intel_powerclamp-fix-truncated-kthread-name.patch
patches.fixes/irqchip-gic-v3-its-Fix-comparison-logic-in-lpi_range.patch
+ patches.fixes/irqchip-mbigen-Don-t-clear-eventid-when-freeing-an-M.patch
patches.fixes/0001-futex-Ensure-that-futex-address-is-aligned-in-handle.patch
patches.suse/msft-hv-1856-x86-hyperv-Prevent-potential-NULL-pointer-dereferenc.patch
patches.fixes/ext4-fix-NULL-pointer-dereference-while-journal-is-a.patch
@@ -46151,6 +46165,7 @@
patches.fixes/0001-mm-debug.c-fix-__dump_page-when-mapping-host-is-not-.patch
patches.suse/ptrace-take-into-account-saved_sigmask-in-PTRACE-GET.patch
patches.fixes/0001-mm-page_isolation.c-fix-a-wrong-flag-in-set_migratet.patch
+ patches.fixes/fs-proc-proc_sysctl.c-fix-NULL-pointer-dereference-i.patch
patches.fixes/ACPI-CPPC-Fix-guaranteed-performance-handling.patch
patches.fixes/cpufreq-intel_pstate-Also-use-CPPC-nominal_perf-for-.patch
patches.drivers/usb-host-xhci-rcar-Add-XHCI_TRUST_TX_LENGTH-quirk.patch
@@ -46178,6 +46193,7 @@
patches.drivers/serial-ar933x_uart-Fix-build-failure-with-disabled-c.patch
patches.drivers/serial-sh-sci-Fix-setting-SCSCR_TIE-while-transferri.patch
patches.drivers/Disable-kgdboc-failed-by-echo-space-to-sys-module-kg.patch
+ patches.drivers/staging-comedi-ni_mio_common-Fix-divide-by-zero-for-.patch
patches.drivers/staging-rtl8188eu-Fix-potential-NULL-pointer-derefer.patch
patches.drivers/staging-rtlwifi-rtl8822b-fix-to-avoid-potential-NULL.patch
patches.drivers/staging-rtl8712-uninitialized-memory-in-read_bbreg_h.patch
@@ -46209,6 +46225,7 @@
patches.drivers/ixgbe-fix-mdio-bus-registration.patch
patches.drivers/fm10k-Fix-a-potential-NULL-pointer-dereference.patch
patches.drivers/qmi_wwan-add-Olicard-600.patch
+ patches.fixes/netns-provide-pure-entropy-for-net_hash_mix.patch
patches.drivers/nfp-disable-netpoll-on-representors.patch
patches.fixes/openvswitch-fix-flow-actions-reallocation.patch
patches.fixes/net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch
@@ -46439,6 +46456,7 @@
patches.suse/tracing-fix-a-memory-leak-by-early-error-exit-in-trace_pid_write.patch
patches.suse/mm-page_alloc.c-avoid-potential-NULL-pointer-dereference.patch
patches.suse/mm-page_alloc.c-fix-never-set-ALLOC_NOFRAGMENT-flag.patch
+ patches.fixes/fs-proc-proc_sysctl.c-Fix-a-NULL-pointer-dereference.patch
patches.drivers/Input-synaptics-rmi4-fix-possible-double-free.patch
patches.drivers/Input-synaptics-rmi4-write-config-register-values-to.patch
patches.drivers/dmaengine-sh-rcar-dmac-With-cyclic-DMA-residue-0-is-.patch
@@ -46482,6 +46500,7 @@
patches.drivers/i2c-imx-correct-the-method-of-getting-private-data-i.patch
patches.drivers/i2c-synquacer-fix-enumeration-of-slave-devices.patch
patches.arch/KVM-PPC-Book3S-Protect-memslots-while-validating-use.patch
+ patches.fixes/Abort-file_remove_privs-for-non-reg.-files.patch
patches.fixes/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-UFS-.patch
patches.arch/x86-mm-mem_encrypt-disable-all-instrumentation-for-early-sme-setup.patch
patches.arch/perf-x86-amd-update-generic-hardware-cache-events-for-family-17h.patch
@@ -46604,6 +46623,7 @@
patches.suse/block-check_events-don-t-bother-with-events-if-un.patch
patches.fixes/block-fix-use-after-free-on-gendisk.patch
patches.fixes/nvme-multipath-split-bios-with-the-ns_head-bio_set-b.patch
+ patches.fixes/blk-mq-free-hw-queue-s-resource-in-hctx-s-release-handler.patch
patches.fixes/audit-fix-a-memleak-caused-by-auditing-load-module.patch
patches.fixes/audit-fix-a-memory-leak-bug.patch
patches.fixes/ext4-make-sanity-check-in-mballoc-more-strict.patch
@@ -46685,6 +46705,7 @@
patches.drivers/ice-Update-comment-regarding-the-ITR_GRAN_S.patch
patches.drivers/ice-Remove-2-BITS-comment.patch
patches.drivers/bnx2x-Utilize-FW-7.13.11.0.patch
+ patches.fixes/inet-switch-IP-ID-generator-to-siphash.patch
patches.fixes/batman-adv-allow-updating-DAT-entry-timeouts-on-inco.patch
patches.drivers/cxgb4-Update-1.23.3.0-as-the-latest-firmware-support.patch
patches.drivers/cxgb4-cxgb4vf-Display-advertised-FEC-in-ethtool.patch
@@ -46952,6 +46973,7 @@
patches.drivers/scsi-qedf-missing-kref_put-in-qedf_xmit.patch
patches.drivers/scsi-qedf-fixup-locking-in-qedf_restart_rport.patch
patches.drivers/scsi-qedf-fixup-bit-operations.patch
+ patches.fixes/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch
patches.drivers/scsi-qla2xxx-Set-remote-port-devloss-timeout-to-0.patch
patches.drivers/scsi-hisi_sas-add-host-reset-interface-for-test
patches.drivers/scsi-hisi_sas-remedy-inconsistent-phy-down-state-in-software
@@ -46969,6 +46991,7 @@
patches.drivers/scsi-libsas-do-discovery-on-empty-phy-to-update-phy-info
patches.drivers/scsi-libsas-print-expander-phy-indexes-in-decimal
patches.drivers/scsi-qla2xxx-Fix-read-offset-in-qla24xx_load_risc_fl.patch
+ patches.fixes/scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write_pending.patch
patches.drivers/ipmi-ssif-compare-block-number-correctly-for-multi-p.patch
patches.drivers/media-cpia2-Fix-use-after-free-in-cpia2_exit.patch
patches.drivers/media-saa7146-avoid-high-stack-usage-with-clang.patch
@@ -47103,6 +47126,8 @@
patches.drivers/rtc-88pm860x-prevent-use-after-free-on-device-remove.patch
patches.drivers/clk-rockchip-fix-wrong-clock-definitions-for-rk3328.patch
patches.drivers/clk-rockchip-Fix-video-codec-clocks-on-rk3288.patch
+ patches.drivers/clk-rockchip-Turn-on-aclk_dmac1-for-suspend-on-rk328.patch
+ patches.drivers/clk-tegra-Fix-PLLM-programming-on-Tegra124-when-PMC-.patch
patches.drivers/net-hns3-remove-redundant-assignment-of-l2_hdr-to-it.patch
patches.suse/tipc-fix-hanging-clients-using-poll-with-EPOLLOUT-fl.patch
patches.fixes/vlan-disable-SIOCSHWTSTAMP-in-container.patch
@@ -47236,12 +47261,14 @@
patches.fixes/ceph-flush-dirty-inodes-before-proceeding-with-remount.patch
patches.fixes/nvme-fc-use-separate-work-queue-to-avoid-warning.patch
patches.fixes/nvme-multipath-avoid-crash-on-invalid-subsystem-cntl.patch
+ patches.arch/kvm-x86-skip-efer-vs-guest-cpuid-checks-for-host-initiated-writes
patches.arch/KVM-PPC-Book3S-HV-Avoid-lockdep-debugging-in-TCE-rea.patch
patches.drivers/ALSA-hda-realtek-Fixup-headphone-noise-via-runtime-s.patch
patches.drivers/ALSA-hda-realtek-Avoid-superfluous-COEF-EAPD-setups.patch
patches.drivers/ALSA-hda-realtek-Corrected-fixup-for-System76-Gazell.patch
patches.drivers/ALSA-hda-realtek-Fix-for-Lenovo-B50-70-inverted-inte.patch
patches.drivers/soc-fsl-qe-Fix-an-error-code-in-qe_pin_request.patch
+ patches.fixes/0006-irqchip-gic-v3-its-fix-some-definitions-of-inner-cac.patch
patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
patches.fixes/ext4-fix-data-corruption-caused-by-overlapping-unali.patch
patches.fixes/ext4-avoid-panic-during-forced-reboot-due-to-aborted.patch
@@ -47277,10 +47304,15 @@
patches.drivers/mmc-sdhci-iproc-Set-NO_HISPD-bit-to-fix-HS50-data-ho.patch
patches.drivers/platform-x86-pmc_atom-Add-Lex-3I380D-industrial-PC-t.patch
patches.drivers/platform-x86-pmc_atom-Add-several-Beckhoff-Automatio.patch
+ patches.fixes/sbitmap-fix-improper-use-of-smp_mb__before_atomic.patch
patches.fixes/blk-mq-fix-hang-caused-by-freeze-unfreeze-sequence.patch
+ patches.fixes/nvme-copy-mtfa-field-from-identify-controller.patch
patches.fixes/ext4-wait-for-outstanding-dio-during-truncate-in-noj.patch
+ patches.fixes/ext4-do-not-delete-unlinked-inode-from-orphan-list-o.patch
patches.arch/kvm-x86-include-multiple-indices-with-cpuid-leaf-0x8000001d.patch
patches.arch/kvm-x86-include-cpuid-leaf-0x8000001e-in-kvm-s-supported-cpuid.patch
+ patches.arch/kvm-svm-avic-fix-off-by-one-in-checking-host-apic-id
+ patches.arch/kvm-x86-fix-return-value-for-reserved-efer
patches.drivers/gpio-fix-gpio-adp5588-build-errors.patch
patches.fixes/doc-Cope-with-the-deprecation-of-AutoReporter.patch
patches.fixes/0001-docs-Fix-conf.py-for-Sphinx-2.0.patch
@@ -47365,6 +47397,8 @@
patches.fixes/0001-test_firmware-Use-correct-snprintf-limit.patch
patches.drivers/spi-bitbang-Fix-NULL-pointer-dereference-in-spi_unre.patch
patches.drivers/spi-spi-fsl-spi-call-spi_finalize_current_message-at.patch
+ patches.suse/signal-ptrace-Don-t-leak-unitialized-kernel-memory-w.patch
+ patches.suse/ptrace-restore-smp_rmb-in-__ptrace_may_access.patch
patches.drivers/HID-wacom-Don-t-set-tool-type-until-we-re-in-range.patch
patches.drivers/HID-wacom-Don-t-report-anything-prior-to-the-tool-en.patch
patches.drivers/HID-wacom-Send-BTN_TOUCH-in-response-to-INTUOSP2_BT-.patch
@@ -47376,6 +47410,8 @@
patches.drivers/ASoC-fsl_asrc-Fix-the-issue-about-unsupported-rate.patch
patches.drivers/ASoC-cs42xx8-Add-regcache-mask-dirty.patch
patches.drivers/Revert-ALSA-hda-realtek-Improve-the-headset-mic-for-.patch
+ patches.drivers/iommu-arm-smmu-avoid-constant-zero-in-tlbi-writes
+ patches.fixes/fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch
patches.fixes/0001-coredump-fix-race-condition-between-collapse_huge_pa.patch
patches.drivers/drivers-base-devres-introduce-devm_release_action.patch
patches.drivers/mm-devm_memremap_pages-introduce-devm_memunmap_pages.patch
@@ -47388,6 +47424,7 @@
patches.drm/drm-mediatek-call-drm_atomic_helper_shutdown-when-un.patch
patches.drm/drm-mediatek-clear-num_pipes-when-unbind-driver.patch
patches.drm/drm-mediatek-call-mtk_dsi_stop-after-mtk_drm_crtc_at.patch
+ patches.drm/drm-i915-dmc-protect-against-reading-random-memory.patch
patches.drm/drm-i915-sdvo-Implement-proper-HDMI-audio-support-fo.patch
patches.drm/drm-i915-perf-fix-whitelist-on-Gen10.patch
patches.drm/drm-panel-orientation-quirks-Add-quirk-for-GPD-pocke.patch
@@ -47417,6 +47454,9 @@
patches.fixes/can-purge-socket-error-queue-on-sock-destruct.patch
patches.drivers/net-mlx5-Update-pci-error-handler-entries-and-comman.patch
patches.drivers/net-mlx5-Avoid-reloading-already-removed-devices.patch
+ patches.drivers/ibmvnic-Do-not-close-unopened-driver-during-reset.patch
+ patches.drivers/ibmvnic-Refresh-device-multicast-list-after-reset.patch
+ patches.drivers/ibmvnic-Fix-unchecked-return-codes-of-memory-allocat.patch
patches.drivers/net-tls-correctly-account-for-copied-bytes-with-mult.patch
patches.drivers/mlxsw-spectrum_flower-Fix-TOS-matching.patch
patches.drivers/net-mvpp2-prs-Fix-parser-range-for-VID-filtering.patch
@@ -47443,37 +47483,70 @@
patches.fixes/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch
patches.drivers/Input-uinput-add-compat-ioctl-number-translation-for.patch
patches.drivers/Input-synaptics-enable-SMBus-on-ThinkPad-E480-and-E5.patch
+ patches.fixes/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
patches.drivers/PCI-PM-Skip-devices-in-D0-for-suspend-to-idle.patch
patches.drivers/mmc-core-complete-HS400-before-checking-status.patch
patches.drivers/mmc-core-Prevent-processing-SDIO-IRQs-when-the-card-.patch
patches.fixes/0001-usb-chipidea-udc-workaround-for-endpoint-conflict-is.patch
+ patches.drivers/staging-iio-ad7150-fix-threshold-mode-config-bit.patch
patches.drm/drm-vmwgfx-Use-the-backdoor-port-if-the-HB-port-is-n.patch
patches.drm/drm-vmwgfx-fix-a-warning-due-to-missing-dma_parms.patch
patches.drm/drm-i915-gvt-ignore-unexpected-pvinfo-write.patch
patches.drivers/IB-hfi1-Validate-fault-injection-opcode-user-input.patch
patches.drivers/IB-hfi1-Create-inline-to-get-extended-headers.patch
patches.drivers/net-udp_gso-Allow-TX-timestamp-with-UDP-GSO.patch
+ patches.fixes/tcp-refine-memory-limit-test-in-tcp_fragment.patch
patches.drivers/Bluetooth-Fix-regression-with-minimum-encryption-key.patch
patches.arch/powerpc-mm-64s-hash-Reallocate-context-ids-on-fork.patch
patches.drivers/ppp-mppe-Add-softdep-to-arc4.patch
patches.drivers/net-sched-cbs-Fix-error-path-of-cbs_module_init.patch
patches.drivers/net-tls-fix-page-double-free-on-TX-cleanup.patch
+ patches.drivers/qmi_wwan-Fix-out-of-bounds-read.patch
+ patches.fixes/scsi-vmw_pscsi-Fix-use-after-free-in-pvscsi_queue_lc.patch
patches.fixes/mm-soft-offline-return-EBUSY-if-set_hwpoison_free_bu.patch
patches.fixes/mm-hugetlb-soft-offline-dissolve_free_huge_page-retu.patch
patches.fixes/Bluetooth-Fix-faulty-expression-for-minimum-encrypti.patch
+ patches.suse/ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch
+ patches.suse/tracing-snapshot-resize-spare-buffer-if-size-changed.patch
+ patches.suse/ptrace-Fix-ptracer_cred-handling-for-PTRACE_TRACEME.patch
+ patches.drivers/ALSA-hda-realtek-Add-quirks-for-several-Clevo-notebo.patch
+ patches.drivers/ALSA-usb-audio-fix-sign-unintended-sign-extension-on.patch
+ patches.drivers/ALSA-hda-realtek-Change-front-mic-location-for-Lenov.patch
+ patches.drivers/ALSA-seq-fix-incorrect-order-of-dest_client-dest_por.patch
+ patches.drivers/ALSA-firewire-lib-fireworks-fix-miss-detection-of-re.patch
+ patches.drivers/ALSA-line6-Fix-write-on-zero-sized-buffer.patch
+ patches.fixes/dax-Fix-xarray-entry-association-for-mixed-mappings.patch
+ patches.suse/mm-vmscan.c-prevent-useless-kswapd-loops.patch
+ patches.fixes/crypto-cryptd-Fix-skcipher-instance-memory-leak.patch
+ patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch
patches.drm/drm-amd-powerplay-use-hardware-fan-control-if-no-pow.patch
+ patches.drm/drm-amdgpu-gfx9-use-reset-default-for-PA_SC_FIFO_SIZ.patch
patches.drm/drm-etnaviv-add-missing-failure-path-to-destroy-suba.patch
patches.drm/drm-imx-notify-drm-core-before-sending-event-during-.patch
patches.drm/drm-imx-only-send-event-on-crtc-disable-if-kept-disa.patch
patches.fixes/scsi-target-iblock-fix-overrun-in-write-same-emulation
+ patches.drivers/dmaengine-imx-sdma-remove-BD_INTR-for-channel0.patch
+ patches.drivers/pwm-stm32-Use-3-cells-of_xlate.patch
+ patches.drivers/gpio-omap-fix-lack-of-irqstatus_raw0-for-OMAP4.patch
+ patches.drivers/regulator-s2mps11-Fix-buck7-and-buck8-wrong-voltages.patch
+ patches.drivers/iommu-vt-d-remove-unnecessary-rcu_read_locks
+ patches.drivers/iommu-fix-a-leak-in-iommu_insert_resv_region
+ patches.drivers/iommu-vt-d-duplicate-iommu_resv_region-objects-per-device-list
+ patches.drivers/iommu-vt-d-introduce-is_downstream_to_pci_bridge-helper
+ patches.drivers/iommu-vt-d-handle-rmrr-with-pci-bridge-device-scopes
+ patches.drivers/iommu-vt-d-handle-pci-bridge-rmrr-device-scopes-in-intel_iommu_get_resv_regions
+ patches.drivers/iommu-amd-make-iommu_disable-safer
+ patches.drivers/iommu-use-right-function-to-get-group-for-device
patches.drivers/ALSA-usb-audio-Fix-parse-of-UAC2-Extension-Units.patch
+ patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC
+ patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072
+ patches.drivers/ASoC-cx2072x-fix-integer-overflow-on-unsigned-int-mu.patch
+ patches.drivers/ACPI-PM-Avoid-evaluating-_PS3-on-transitions-from-D3.patch
+ patches.drivers/ACPI-PM-Allow-transitions-to-D0-to-occur-in-special-.patch
+ patches.fixes/PCI-Do-not-poll-for-PME-if-the-device-is-in-D3cold.patch
patches.fixes/PM-ACPI-PCI-Resume-all-devices-during-hibernation.patch
patches.drivers/ACPICA-Clear-status-of-GPEs-on-first-direct-enable.patch
-
- # davem/net
- patches.drivers/ibmvnic-Do-not-close-unopened-driver-during-reset.patch
- patches.drivers/ibmvnic-Refresh-device-multicast-list-after-reset.patch
- patches.drivers/ibmvnic-Fix-unchecked-return-codes-of-memory-allocat.patch
+ patches.drivers/documentation-dma-api-fix-a-function-name-of-max_mapping_size
# davem/net-next
patches.drivers/cxgb4-Enable-hash-filter-with-offload.patch
@@ -47583,13 +47656,10 @@
patches.drivers/scsi-mpt3sas-Introduce-perf_mode-module-parameter.patch
patches.drivers/scsi-mpt3sas-Update-driver-version-to-29.100.00.00.patch
- # djbw/nvdimm libnvdimm-pending
+ # nvdimm/nvdimm libnvdimm-fixes
patches.fixes/drivers-base-introduce-kill_device.patch
patches.fixes/libnvdimm-bus-prevent-duplicate-device_unregister-calls.patch
- # herbert/crypto-2.6
- patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch
-
# out-of-tree patches
patches.drivers/firmware-arm_sdei-fix-wrong-of_node_put-in-init-function.patch
patches.drivers/net-mvpp2-fix-condition-for-setting-up-link-interrup.patch
@@ -48012,9 +48082,6 @@
patches.suse/cdrom-turn-off-autoclose-by-default.patch
patches.suse/scsi-sr-workaround-VMware-ESXi-cdrom-emulation-bug.patch
- # bsc#1136922
- patches.fixes/scsi-vmw_pscsi-Fix-use-after-free-in-pvscsi_queue_lc.patch
-
########################################################
# DRM/Video
########################################################
@@ -48049,6 +48116,8 @@
patches.suse/ibmveth-Update-ethtool-settings-to-reflect-virtual-p.patch
patches.fixes/irda-Fix-memory-leak-caused-by-repeated-binds-of-ird.patch
patches.fixes/irda-Only-insert-new-objects-into-the-global-databas.patch
+ patches.kabi/kabi-handle-addition-of-net-hash_mix.patch
+ patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch
########################################################
# Netfilter
@@ -48068,8 +48137,6 @@
##########################################################
# Sound
##########################################################
- patches.drivers/ASoC-add-support-for-Conexant-CX2072X-CODEC
- patches.drivers/ASoC-Intel-Add-machine-driver-for-Cherrytrail-CX2072
########################################################
# printk
@@ -48272,6 +48339,7 @@
patches.suse/0008-kabi-arm64-reserve-space-in-cpu_hwcaps-and-cpu_hwcap.patch
patches.suse/prepare-arm64-kgraft
patches.suse/powerpc-KABI-add-aux_ptr-to-hole-in-paca_struct-to-e.patch
+ patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch
patches.kabi/Fix-struct-page-kABI-after-adding-atomic-for-ppc.patch
patches.kabi/kabi-arm64-cpuhotplug-Reuse-other-arch-s-cpuhp_state.patch
@@ -48321,6 +48389,8 @@
patches.kabi/x86-topology-Add-CPUID.1F-multi-die-package-support.patch
patches.kabi/x86-topology-Define-topology_logical_die_id.patch
+ patches.kabi/kabi-fixup-blk_mq_register_dev.patch
+
########################################################
# You'd better have a good reason for adding a patch
# below here.