Home Home > GIT Browse > stable
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJiri Slaby <jslaby@suse.cz>2019-07-14 11:34:32 +0200
committerJiri Slaby <jslaby@suse.cz>2019-07-14 11:34:32 +0200
commitd5bbc2660483667d77c883cdffd78857cc7214b7 (patch)
tree534bcbf0516b382ff261605e7d3be078ab56c096
parentb11a4aeccb5949fc43e9edd065d17a0c4ad54a62 (diff)
parent51ca50031af1b47d0d8ded1d468db14e0f63dddc (diff)
Merge branch 'master' into stable
-rw-r--r--patches.kernel.org/5.2.1-001-crypto-lrw-use-correct-alignmask.patch45
-rw-r--r--patches.kernel.org/5.2.1-002-crypto-talitos-rename-alternative-AEAD-algos.patch103
-rw-r--r--patches.kernel.org/5.2.1-003-fscrypt-don-t-set-policy-for-a-dead-directory.patch45
-rw-r--r--patches.kernel.org/5.2.1-004-udf-Fix-incorrect-final-NOT_ALLOCATED-hole-exte.patch228
-rw-r--r--patches.kernel.org/5.2.1-005-media-stv0297-fix-frequency-range-limit.patch46
-rw-r--r--patches.kernel.org/5.2.1-006-ALSA-usb-audio-Fix-parse-of-UAC2-Extension-Unit.patch140
-rw-r--r--patches.kernel.org/5.2.1-007-ALSA-hda-realtek-Headphone-Mic-can-t-record-aft.patch48
-rw-r--r--patches.kernel.org/5.2.1-008-tpm-Actually-fail-on-TPM-errors-during-get-rand.patch95
-rw-r--r--patches.kernel.org/5.2.1-009-tpm-Fix-TPM-1.2-Shutdown-sequence-to-prevent-fu.patch54
-rw-r--r--patches.kernel.org/5.2.1-010-block-fix-.bi_size-overflow.patch151
-rw-r--r--patches.kernel.org/5.2.1-011-block-bfq-NULL-out-the-bic-when-it-s-no-longer-.patch83
-rw-r--r--patches.kernel.org/5.2.1-012-perf-intel-pt-Fix-itrace-defaults-for-perf-scri.patch64
-rw-r--r--patches.kernel.org/5.2.1-013-perf-auxtrace-Fix-itrace-defaults-for-perf-scri.patch60
-rw-r--r--patches.kernel.org/5.2.1-014-perf-intel-pt-Fix-itrace-defaults-for-perf-scri.patch62
-rw-r--r--patches.kernel.org/5.2.1-015-perf-pmu-Fix-uncore-PMU-alias-list-for-ARM64.patch99
-rw-r--r--patches.kernel.org/5.2.1-016-perf-thread-stack-Fix-thread-stack-return-from-.patch193
-rw-r--r--patches.kernel.org/5.2.1-017-perf-header-Assign-proper-ff-ph-in-perf_event__.patch75
-rw-r--r--patches.kernel.org/5.2.1-018-x86-ptrace-Fix-possible-spectre-v1-in-ptrace_ge.patch59
-rw-r--r--patches.kernel.org/5.2.1-019-x86-tls-Fix-possible-spectre-v1-in-do_get_threa.patch68
-rw-r--r--patches.kernel.org/5.2.1-020-Documentation-Add-section-about-CPU-vulnerabili.patch764
-rw-r--r--patches.kernel.org/5.2.1-021-Documentation-admin-Remove-the-vsyscall-native-.patch48
-rw-r--r--patches.kernel.org/5.2.1-022-mwifiex-Don-t-abort-on-small-spec-compliant-ven.patch150
-rw-r--r--patches.kernel.org/5.2.1-023-USB-serial-ftdi_sio-add-ID-for-isodebug-v1.patch51
-rw-r--r--patches.kernel.org/5.2.1-024-USB-serial-option-add-support-for-GosunCn-ME363.patch52
-rw-r--r--patches.kernel.org/5.2.1-025-Revert-serial-8250-Don-t-service-RX-FIFO-if-int.patch45
-rw-r--r--patches.kernel.org/5.2.1-026-p54usb-Fix-race-between-disconnect-and-firmware.patch179
-rw-r--r--patches.kernel.org/5.2.1-027-usb-gadget-f_fs-data_len-used-before-properly-s.patch54
-rw-r--r--patches.kernel.org/5.2.1-028-usb-gadget-ether-Fix-race-between-gether_discon.patch56
-rw-r--r--patches.kernel.org/5.2.1-029-usb-dwc2-use-a-longer-AHB-idle-timeout-in-dwc2_.patch48
-rw-r--r--patches.kernel.org/5.2.1-030-usb-renesas_usbhs-add-a-workaround-for-a-race-c.patch135
-rw-r--r--patches.kernel.org/5.2.1-031-drivers-usb-typec-tps6598x.c-fix-portinfo-width.patch38
-rw-r--r--patches.kernel.org/5.2.1-032-drivers-usb-typec-tps6598x.c-fix-4CC-cmd-write.patch50
-rw-r--r--patches.kernel.org/5.2.1-033-p54-fix-crash-during-initialization.patch76
-rw-r--r--patches.kernel.org/5.2.1-034-staging-comedi-dt282x-fix-a-null-pointer-deref-.patch56
-rw-r--r--patches.kernel.org/5.2.1-035-staging-wilc1000-fix-error-path-cleanup-in-wilc.patch62
-rw-r--r--patches.kernel.org/5.2.1-036-staging-bcm2835-camera-Restore-return-behavior-.patch75
-rw-r--r--patches.kernel.org/5.2.1-037-staging-comedi-amplc_pci230-fix-null-pointer-de.patch51
-rw-r--r--patches.kernel.org/5.2.1-038-staging-mt7621-pci-fix-PCIE_FTS_NUM_LO-macro.patch37
-rw-r--r--patches.kernel.org/5.2.1-039-HID-Add-another-Primax-PIXART-OEM-mouse-quirk.patch53
-rw-r--r--patches.kernel.org/5.2.1-040-lkdtm-support-llvm-objcopy.patch65
-rw-r--r--patches.kernel.org/5.2.1-041-binder-fix-memory-leak-in-error-path.patch48
-rw-r--r--patches.kernel.org/5.2.1-042-binder-return-errors-from-buffer-copy-functions.patch432
-rw-r--r--patches.kernel.org/5.2.1-043-iio-adc-stm32-adc-add-missing-vdda-supply.patch96
-rw-r--r--patches.kernel.org/5.2.1-044-coresight-Potential-uninitialized-variable-in-p.patch39
-rw-r--r--patches.kernel.org/5.2.1-045-coresight-etb10-Do-not-call-smp_processor_id-fr.patch54
-rw-r--r--patches.kernel.org/5.2.1-046-coresight-tmc-etr-Do-not-call-smp_processor_id-.patch75
-rw-r--r--patches.kernel.org/5.2.1-047-coresight-tmc-etr-alloc_perf_buf-Do-not-call-sm.patch75
-rw-r--r--patches.kernel.org/5.2.1-048-coresight-tmc-etf-Do-not-call-smp_processor_id-.patch73
-rw-r--r--patches.kernel.org/5.2.1-049-carl9170-fix-misuse-of-device-driver-API.patch153
-rw-r--r--patches.kernel.org/5.2.1-050-Revert-x86-build-Move-_etext-to-actual-end-of-..patch61
-rw-r--r--patches.kernel.org/5.2.1-051-VMCI-Fix-integer-overflow-in-VMCI-handle-arrays.patch385
-rw-r--r--patches.kernel.org/5.2.1-052-staging-vchiq_2835_arm-revert-quit-using-custom.patch40
-rw-r--r--patches.kernel.org/5.2.1-053-staging-vchiq-make-wait-events-interruptible.patch54
-rw-r--r--patches.kernel.org/5.2.1-054-staging-vchiq-revert-switch-to-wait_for_complet.patch251
-rw-r--r--patches.kernel.org/5.2.1-055-staging-fsl-dpaa2-ethsw-fix-memory-leak-of-swit.patch37
-rw-r--r--patches.kernel.org/5.2.1-056-staging-bcm2835-camera-Replace-spinlock-protect.patch81
-rw-r--r--patches.kernel.org/5.2.1-057-staging-bcm2835-camera-Ensure-all-buffers-are-r.patch113
-rw-r--r--patches.kernel.org/5.2.1-058-staging-bcm2835-camera-Remove-check-of-the-numb.patch53
-rw-r--r--patches.kernel.org/5.2.1-059-staging-bcm2835-camera-Handle-empty-EOS-buffers.patch99
-rw-r--r--patches.kernel.org/5.2.1-060-staging-rtl8712-reduce-stack-usage-again.patch209
-rw-r--r--patches.kernel.org/5.2.1-061-Linux-5.2.1.patch28
-rw-r--r--series.conf61
62 files changed, 6380 insertions, 0 deletions
diff --git a/patches.kernel.org/5.2.1-001-crypto-lrw-use-correct-alignmask.patch b/patches.kernel.org/5.2.1-001-crypto-lrw-use-correct-alignmask.patch
new file mode 100644
index 0000000000..f1f2c83f59
--- /dev/null
+++ b/patches.kernel.org/5.2.1-001-crypto-lrw-use-correct-alignmask.patch
@@ -0,0 +1,45 @@
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 30 May 2019 10:53:08 -0700
+Subject: [PATCH] crypto: lrw - use correct alignmask
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 20a0f9761343fba9b25ea46bd3a3e5e533d974f8
+
+commit 20a0f9761343fba9b25ea46bd3a3e5e533d974f8 upstream.
+
+Commit c778f96bf347 ("crypto: lrw - Optimize tweak computation")
+incorrectly reduced the alignmask of LRW instances from
+'__alignof__(u64) - 1' to '__alignof__(__be32) - 1'.
+
+However, xor_tweak() and setkey() assume that the data and key,
+respectively, are aligned to 'be128', which has u64 alignment.
+
+Fix the alignmask to be at least '__alignof__(be128) - 1'.
+
+Fixes: c778f96bf347 ("crypto: lrw - Optimize tweak computation")
+Cc: <stable@vger.kernel.org> # v4.20+
+Cc: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ crypto/lrw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/lrw.c b/crypto/lrw.c
+index 58009cf63a6e..be829f6afc8e 100644
+--- a/crypto/lrw.c
++++ b/crypto/lrw.c
+@@ -384,7 +384,7 @@ static int create(struct crypto_template *tmpl, struct rtattr **tb)
+ inst->alg.base.cra_priority = alg->base.cra_priority;
+ inst->alg.base.cra_blocksize = LRW_BLOCK_SIZE;
+ inst->alg.base.cra_alignmask = alg->base.cra_alignmask |
+- (__alignof__(__be32) - 1);
++ (__alignof__(be128) - 1);
+
+ inst->alg.ivsize = LRW_BLOCK_SIZE;
+ inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg) +
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-002-crypto-talitos-rename-alternative-AEAD-algos.patch b/patches.kernel.org/5.2.1-002-crypto-talitos-rename-alternative-AEAD-algos.patch
new file mode 100644
index 0000000000..58aa0d21c5
--- /dev/null
+++ b/patches.kernel.org/5.2.1-002-crypto-talitos-rename-alternative-AEAD-algos.patch
@@ -0,0 +1,103 @@
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Tue, 21 May 2019 13:34:08 +0000
+Subject: [PATCH] crypto: talitos - rename alternative AEAD algos.
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: a1a42f84011fae6ff08441a91aefeb7febc984fc
+
+commit a1a42f84011fae6ff08441a91aefeb7febc984fc upstream.
+
+The talitos driver has two ways to perform AEAD depending on the
+HW capability. Some HW support both. It is needed to give them
+different names to distingish which one it is for instance when
+a test fails.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Fixes: 7405c8d7ff97 ("crypto: talitos - templates for AEAD using HMAC_SNOOP_NO_AFEU")
+Cc: stable@vger.kernel.org
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/crypto/talitos.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index fbc7bf9d7380..427c78d4d948 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -2339,7 +2339,7 @@ static struct talitos_alg_template driver_algs[] = {
+ .base = {
+ .cra_name = "authenc(hmac(sha1),cbc(aes))",
+ .cra_driver_name = "authenc-hmac-sha1-"
+- "cbc-aes-talitos",
++ "cbc-aes-talitos-hsna",
+ .cra_blocksize = AES_BLOCK_SIZE,
+ .cra_flags = CRYPTO_ALG_ASYNC,
+ },
+@@ -2384,7 +2384,7 @@ static struct talitos_alg_template driver_algs[] = {
+ .cra_name = "authenc(hmac(sha1),"
+ "cbc(des3_ede))",
+ .cra_driver_name = "authenc-hmac-sha1-"
+- "cbc-3des-talitos",
++ "cbc-3des-talitos-hsna",
+ .cra_blocksize = DES3_EDE_BLOCK_SIZE,
+ .cra_flags = CRYPTO_ALG_ASYNC,
+ },
+@@ -2427,7 +2427,7 @@ static struct talitos_alg_template driver_algs[] = {
+ .base = {
+ .cra_name = "authenc(hmac(sha224),cbc(aes))",
+ .cra_driver_name = "authenc-hmac-sha224-"
+- "cbc-aes-talitos",
++ "cbc-aes-talitos-hsna",
+ .cra_blocksize = AES_BLOCK_SIZE,
+ .cra_flags = CRYPTO_ALG_ASYNC,
+ },
+@@ -2472,7 +2472,7 @@ static struct talitos_alg_template driver_algs[] = {
+ .cra_name = "authenc(hmac(sha224),"
+ "cbc(des3_ede))",
+ .cra_driver_name = "authenc-hmac-sha224-"
+- "cbc-3des-talitos",
++ "cbc-3des-talitos-hsna",
+ .cra_blocksize = DES3_EDE_BLOCK_SIZE,
+ .cra_flags = CRYPTO_ALG_ASYNC,
+ },
+@@ -2515,7 +2515,7 @@ static struct talitos_alg_template driver_algs[] = {
+ .base = {
+ .cra_name = "authenc(hmac(sha256),cbc(aes))",
+ .cra_driver_name = "authenc-hmac-sha256-"
+- "cbc-aes-talitos",
++ "cbc-aes-talitos-hsna",
+ .cra_blocksize = AES_BLOCK_SIZE,
+ .cra_flags = CRYPTO_ALG_ASYNC,
+ },
+@@ -2560,7 +2560,7 @@ static struct talitos_alg_template driver_algs[] = {
+ .cra_name = "authenc(hmac(sha256),"
+ "cbc(des3_ede))",
+ .cra_driver_name = "authenc-hmac-sha256-"
+- "cbc-3des-talitos",
++ "cbc-3des-talitos-hsna",
+ .cra_blocksize = DES3_EDE_BLOCK_SIZE,
+ .cra_flags = CRYPTO_ALG_ASYNC,
+ },
+@@ -2689,7 +2689,7 @@ static struct talitos_alg_template driver_algs[] = {
+ .base = {
+ .cra_name = "authenc(hmac(md5),cbc(aes))",
+ .cra_driver_name = "authenc-hmac-md5-"
+- "cbc-aes-talitos",
++ "cbc-aes-talitos-hsna",
+ .cra_blocksize = AES_BLOCK_SIZE,
+ .cra_flags = CRYPTO_ALG_ASYNC,
+ },
+@@ -2732,7 +2732,7 @@ static struct talitos_alg_template driver_algs[] = {
+ .base = {
+ .cra_name = "authenc(hmac(md5),cbc(des3_ede))",
+ .cra_driver_name = "authenc-hmac-md5-"
+- "cbc-3des-talitos",
++ "cbc-3des-talitos-hsna",
+ .cra_blocksize = DES3_EDE_BLOCK_SIZE,
+ .cra_flags = CRYPTO_ALG_ASYNC,
+ },
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-003-fscrypt-don-t-set-policy-for-a-dead-directory.patch b/patches.kernel.org/5.2.1-003-fscrypt-don-t-set-policy-for-a-dead-directory.patch
new file mode 100644
index 0000000000..20953fca32
--- /dev/null
+++ b/patches.kernel.org/5.2.1-003-fscrypt-don-t-set-policy-for-a-dead-directory.patch
@@ -0,0 +1,45 @@
+From: Hongjie Fang <hongjiefang@asrmicro.com>
+Date: Wed, 22 May 2019 10:02:53 +0800
+Subject: [PATCH] fscrypt: don't set policy for a dead directory
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 5858bdad4d0d0fc18bf29f34c3ac836e0b59441f
+
+commit 5858bdad4d0d0fc18bf29f34c3ac836e0b59441f upstream.
+
+The directory may have been removed when entering
+fscrypt_ioctl_set_policy(). If so, the empty_dir() check will return
+error for ext4 file system.
+
+ext4_rmdir() sets i_size = 0, then ext4_empty_dir() reports an error
+because 'inode->i_size < EXT4_DIR_REC_LEN(1) + EXT4_DIR_REC_LEN(2)'. If
+the fs is mounted with errors=panic, it will trigger a panic issue.
+
+Add the check IS_DEADDIR() to fix this problem.
+
+Fixes: 9bd8212f981e ("ext4 crypto: add encryption policy and password salt support")
+Cc: <stable@vger.kernel.org> # v4.1+
+Signed-off-by: Hongjie Fang <hongjiefang@asrmicro.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/crypto/policy.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c
+index d536889ac31b..4941fe8471ce 100644
+--- a/fs/crypto/policy.c
++++ b/fs/crypto/policy.c
+@@ -81,6 +81,8 @@ int fscrypt_ioctl_set_policy(struct file *filp, const void __user *arg)
+ if (ret == -ENODATA) {
+ if (!S_ISDIR(inode->i_mode))
+ ret = -ENOTDIR;
++ else if (IS_DEADDIR(inode))
++ ret = -ENOENT;
+ else if (!inode->i_sb->s_cop->empty_dir(inode))
+ ret = -ENOTEMPTY;
+ else
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-004-udf-Fix-incorrect-final-NOT_ALLOCATED-hole-exte.patch b/patches.kernel.org/5.2.1-004-udf-Fix-incorrect-final-NOT_ALLOCATED-hole-exte.patch
new file mode 100644
index 0000000000..46cef687b3
--- /dev/null
+++ b/patches.kernel.org/5.2.1-004-udf-Fix-incorrect-final-NOT_ALLOCATED-hole-exte.patch
@@ -0,0 +1,228 @@
+From: "Steven J. Magnani" <steve.magnani@digidescorp.com>
+Date: Sun, 30 Jun 2019 21:39:35 -0500
+Subject: [PATCH] udf: Fix incorrect final NOT_ALLOCATED (hole) extent length
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: fa33cdbf3eceb0206a4f844fe91aeebcf6ff2b7a
+
+commit fa33cdbf3eceb0206a4f844fe91aeebcf6ff2b7a upstream.
+
+In some cases, using the 'truncate' command to extend a UDF file results
+in a mismatch between the length of the file's extents (specifically, due
+to incorrect length of the final NOT_ALLOCATED extent) and the information
+(file) length. The discrepancy can prevent other operating systems
+(i.e., Windows 10) from opening the file.
+
+Two particular errors have been observed when extending a file:
+
+1. The final extent is larger than it should be, having been rounded up
+ to a multiple of the block size.
+
+B. The final extent is not shorter than it should be, due to not having
+ been updated when the file's information length was increased.
+
+[JK: simplified udf_do_extend_final_block(), fixed up some types]
+
+Fixes: 2c948b3f86e5 ("udf: Avoid IO in udf_clear_inode")
+CC: stable@vger.kernel.org
+Signed-off-by: Steven J. Magnani <steve@digidescorp.com>
+Link: https://lore.kernel.org/r/1561948775-5878-1-git-send-email-steve@digidescorp.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/udf/inode.c | 93 ++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 60 insertions(+), 33 deletions(-)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index e7276932e433..9bb18311a22f 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -470,13 +470,15 @@ static struct buffer_head *udf_getblk(struct inode *inode, udf_pblk_t block,
+ return NULL;
+ }
+
+-/* Extend the file by 'blocks' blocks, return the number of extents added */
++/* Extend the file with new blocks totaling 'new_block_bytes',
++ * return the number of extents added
++ */
+ static int udf_do_extend_file(struct inode *inode,
+ struct extent_position *last_pos,
+ struct kernel_long_ad *last_ext,
+- sector_t blocks)
++ loff_t new_block_bytes)
+ {
+- sector_t add;
++ uint32_t add;
+ int count = 0, fake = !(last_ext->extLength & UDF_EXTENT_LENGTH_MASK);
+ struct super_block *sb = inode->i_sb;
+ struct kernel_lb_addr prealloc_loc = {};
+@@ -486,7 +488,7 @@ static int udf_do_extend_file(struct inode *inode,
+
+ /* The previous extent is fake and we should not extend by anything
+ * - there's nothing to do... */
+- if (!blocks && fake)
++ if (!new_block_bytes && fake)
+ return 0;
+
+ iinfo = UDF_I(inode);
+@@ -517,13 +519,12 @@ static int udf_do_extend_file(struct inode *inode,
+ /* Can we merge with the previous extent? */
+ if ((last_ext->extLength & UDF_EXTENT_FLAG_MASK) ==
+ EXT_NOT_RECORDED_NOT_ALLOCATED) {
+- add = ((1 << 30) - sb->s_blocksize -
+- (last_ext->extLength & UDF_EXTENT_LENGTH_MASK)) >>
+- sb->s_blocksize_bits;
+- if (add > blocks)
+- add = blocks;
+- blocks -= add;
+- last_ext->extLength += add << sb->s_blocksize_bits;
++ add = (1 << 30) - sb->s_blocksize -
++ (last_ext->extLength & UDF_EXTENT_LENGTH_MASK);
++ if (add > new_block_bytes)
++ add = new_block_bytes;
++ new_block_bytes -= add;
++ last_ext->extLength += add;
+ }
+
+ if (fake) {
+@@ -544,28 +545,27 @@ static int udf_do_extend_file(struct inode *inode,
+ }
+
+ /* Managed to do everything necessary? */
+- if (!blocks)
++ if (!new_block_bytes)
+ goto out;
+
+ /* All further extents will be NOT_RECORDED_NOT_ALLOCATED */
+ last_ext->extLocation.logicalBlockNum = 0;
+ last_ext->extLocation.partitionReferenceNum = 0;
+- add = (1 << (30-sb->s_blocksize_bits)) - 1;
+- last_ext->extLength = EXT_NOT_RECORDED_NOT_ALLOCATED |
+- (add << sb->s_blocksize_bits);
++ add = (1 << 30) - sb->s_blocksize;
++ last_ext->extLength = EXT_NOT_RECORDED_NOT_ALLOCATED | add;
+
+ /* Create enough extents to cover the whole hole */
+- while (blocks > add) {
+- blocks -= add;
++ while (new_block_bytes > add) {
++ new_block_bytes -= add;
+ err = udf_add_aext(inode, last_pos, &last_ext->extLocation,
+ last_ext->extLength, 1);
+ if (err)
+ return err;
+ count++;
+ }
+- if (blocks) {
++ if (new_block_bytes) {
+ last_ext->extLength = EXT_NOT_RECORDED_NOT_ALLOCATED |
+- (blocks << sb->s_blocksize_bits);
++ new_block_bytes;
+ err = udf_add_aext(inode, last_pos, &last_ext->extLocation,
+ last_ext->extLength, 1);
+ if (err)
+@@ -596,6 +596,24 @@ static int udf_do_extend_file(struct inode *inode,
+ return count;
+ }
+
++/* Extend the final block of the file to final_block_len bytes */
++static void udf_do_extend_final_block(struct inode *inode,
++ struct extent_position *last_pos,
++ struct kernel_long_ad *last_ext,
++ uint32_t final_block_len)
++{
++ struct super_block *sb = inode->i_sb;
++ uint32_t added_bytes;
++
++ added_bytes = final_block_len -
++ (last_ext->extLength & (sb->s_blocksize - 1));
++ last_ext->extLength += added_bytes;
++ UDF_I(inode)->i_lenExtents += added_bytes;
++
++ udf_write_aext(inode, last_pos, &last_ext->extLocation,
++ last_ext->extLength, 1);
++}
++
+ static int udf_extend_file(struct inode *inode, loff_t newsize)
+ {
+
+@@ -605,10 +623,12 @@ static int udf_extend_file(struct inode *inode, loff_t newsize)
+ int8_t etype;
+ struct super_block *sb = inode->i_sb;
+ sector_t first_block = newsize >> sb->s_blocksize_bits, offset;
++ unsigned long partial_final_block;
+ int adsize;
+ struct udf_inode_info *iinfo = UDF_I(inode);
+ struct kernel_long_ad extent;
+- int err;
++ int err = 0;
++ int within_final_block;
+
+ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_SHORT)
+ adsize = sizeof(struct short_ad);
+@@ -618,18 +638,8 @@ static int udf_extend_file(struct inode *inode, loff_t newsize)
+ BUG();
+
+ etype = inode_bmap(inode, first_block, &epos, &eloc, &elen, &offset);
++ within_final_block = (etype != -1);
+
+- /* File has extent covering the new size (could happen when extending
+- * inside a block)? */
+- if (etype != -1)
+- return 0;
+- if (newsize & (sb->s_blocksize - 1))
+- offset++;
+- /* Extended file just to the boundary of the last file block? */
+- if (offset == 0)
+- return 0;
+-
+- /* Truncate is extending the file by 'offset' blocks */
+ if ((!epos.bh && epos.offset == udf_file_entry_alloc_offset(inode)) ||
+ (epos.bh && epos.offset == sizeof(struct allocExtDesc))) {
+ /* File has no extents at all or has empty last
+@@ -643,7 +653,22 @@ static int udf_extend_file(struct inode *inode, loff_t newsize)
+ &extent.extLength, 0);
+ extent.extLength |= etype << 30;
+ }
+- err = udf_do_extend_file(inode, &epos, &extent, offset);
++
++ partial_final_block = newsize & (sb->s_blocksize - 1);
++
++ /* File has extent covering the new size (could happen when extending
++ * inside a block)?
++ */
++ if (within_final_block) {
++ /* Extending file within the last file block */
++ udf_do_extend_final_block(inode, &epos, &extent,
++ partial_final_block);
++ } else {
++ loff_t add = ((loff_t)offset << sb->s_blocksize_bits) |
++ partial_final_block;
++ err = udf_do_extend_file(inode, &epos, &extent, add);
++ }
++
+ if (err < 0)
+ goto out;
+ err = 0;
+@@ -745,6 +770,7 @@ static sector_t inode_getblk(struct inode *inode, sector_t block,
+ /* Are we beyond EOF? */
+ if (etype == -1) {
+ int ret;
++ loff_t hole_len;
+ isBeyondEOF = true;
+ if (count) {
+ if (c)
+@@ -760,7 +786,8 @@ static sector_t inode_getblk(struct inode *inode, sector_t block,
+ startnum = (offset > 0);
+ }
+ /* Create extents for the hole between EOF and offset */
+- ret = udf_do_extend_file(inode, &prev_epos, laarr, offset);
++ hole_len = (loff_t)offset << inode->i_blkbits;
++ ret = udf_do_extend_file(inode, &prev_epos, laarr, hole_len);
+ if (ret < 0) {
+ *err = ret;
+ newblock = 0;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-005-media-stv0297-fix-frequency-range-limit.patch b/patches.kernel.org/5.2.1-005-media-stv0297-fix-frequency-range-limit.patch
new file mode 100644
index 0000000000..f65e75a3b3
--- /dev/null
+++ b/patches.kernel.org/5.2.1-005-media-stv0297-fix-frequency-range-limit.patch
@@ -0,0 +1,46 @@
+From: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Date: Tue, 25 Jun 2019 06:45:20 -0400
+Subject: [PATCH] media: stv0297: fix frequency range limit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: b09a2ab2baeb36bf7ef7780405ad172281741c7c
+
+commit b09a2ab2baeb36bf7ef7780405ad172281741c7c upstream.
+
+There was a typo at the lower frequency limit for a DVB-C
+card, causing the driver to fail while tuning channels at the
+VHF range.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=202083
+
+Fixes: f1b1eabff0eb ("media: dvb: represent min/max/step/tolerance freqs in Hz")
+Reported-by: Ari Kohtamäki <ari.kohtamaki@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/media/dvb-frontends/stv0297.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-frontends/stv0297.c b/drivers/media/dvb-frontends/stv0297.c
+index dac396c95a59..6d5962d5697a 100644
+--- a/drivers/media/dvb-frontends/stv0297.c
++++ b/drivers/media/dvb-frontends/stv0297.c
+@@ -682,7 +682,7 @@ static const struct dvb_frontend_ops stv0297_ops = {
+ .delsys = { SYS_DVBC_ANNEX_A },
+ .info = {
+ .name = "ST STV0297 DVB-C",
+- .frequency_min_hz = 470 * MHz,
++ .frequency_min_hz = 47 * MHz,
+ .frequency_max_hz = 862 * MHz,
+ .frequency_stepsize_hz = 62500,
+ .symbol_rate_min = 870000,
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-006-ALSA-usb-audio-Fix-parse-of-UAC2-Extension-Unit.patch b/patches.kernel.org/5.2.1-006-ALSA-usb-audio-Fix-parse-of-UAC2-Extension-Unit.patch
new file mode 100644
index 0000000000..204a45dcf4
--- /dev/null
+++ b/patches.kernel.org/5.2.1-006-ALSA-usb-audio-Fix-parse-of-UAC2-Extension-Unit.patch
@@ -0,0 +1,140 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 4 Jul 2019 16:31:12 +0200
+Subject: [PATCH] ALSA: usb-audio: Fix parse of UAC2 Extension Units
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: ca95c7bf3d29716916baccdc77c3c2284b703069
+
+commit ca95c7bf3d29716916baccdc77c3c2284b703069 upstream.
+
+Extension Unit (XU) is used to have a compatible layout with
+Processing Unit (PU) on UAC1, and the usb-audio driver code assumed it
+for parsing the descriptors. Meanwhile, on UAC2, XU became slightly
+incompatible with PU; namely, XU has a one-byte bmControls bitmap
+while PU has two bytes bmControls bitmap. This incompatibility
+results in the read of a wrong address for the last iExtension field,
+which ended up with an incorrect string for the mixer element name, as
+recently reported for Focusrite Scarlett 18i20 device.
+
+This patch corrects this misalignment by introducing a couple of new
+macros and calling them depending on the descriptor type.
+
+Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
+Reported-by: Stefan Sauer <ensonic@hora-obscura.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/uapi/linux/usb/audio.h | 37 ++++++++++++++++++++++++++++++++++
+ sound/usb/mixer.c | 16 +++++++++------
+ 2 files changed, 47 insertions(+), 6 deletions(-)
+
+diff --git a/include/uapi/linux/usb/audio.h b/include/uapi/linux/usb/audio.h
+index ddc5396800aa..76b7c3f6cd0d 100644
+--- a/include/uapi/linux/usb/audio.h
++++ b/include/uapi/linux/usb/audio.h
+@@ -450,6 +450,43 @@ static inline __u8 *uac_processing_unit_specific(struct uac_processing_unit_desc
+ }
+ }
+
++/*
++ * Extension Unit (XU) has almost compatible layout with Processing Unit, but
++ * on UAC2, it has a different bmControls size (bControlSize); it's 1 byte for
++ * XU while 2 bytes for PU. The last iExtension field is a one-byte index as
++ * well as iProcessing field of PU.
++ */
++static inline __u8 uac_extension_unit_bControlSize(struct uac_processing_unit_descriptor *desc,
++ int protocol)
++{
++ switch (protocol) {
++ case UAC_VERSION_1:
++ return desc->baSourceID[desc->bNrInPins + 4];
++ case UAC_VERSION_2:
++ return 1; /* in UAC2, this value is constant */
++ case UAC_VERSION_3:
++ return 4; /* in UAC3, this value is constant */
++ default:
++ return 1;
++ }
++}
++
++static inline __u8 uac_extension_unit_iExtension(struct uac_processing_unit_descriptor *desc,
++ int protocol)
++{
++ __u8 control_size = uac_extension_unit_bControlSize(desc, protocol);
++
++ switch (protocol) {
++ case UAC_VERSION_1:
++ case UAC_VERSION_2:
++ default:
++ return *(uac_processing_unit_bmControls(desc, protocol)
++ + control_size);
++ case UAC_VERSION_3:
++ return 0; /* UAC3 does not have this field */
++ }
++}
++
+ /* 4.5.2 Class-Specific AS Interface Descriptor */
+ struct uac1_as_header_descriptor {
+ __u8 bLength; /* in bytes: 7 */
+diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
+index c703f8534b07..7498b5191b68 100644
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2303,7 +2303,7 @@ static struct procunit_info extunits[] = {
+ */
+ static int build_audio_procunit(struct mixer_build *state, int unitid,
+ void *raw_desc, struct procunit_info *list,
+- char *name)
++ bool extension_unit)
+ {
+ struct uac_processing_unit_descriptor *desc = raw_desc;
+ int num_ins;
+@@ -2320,6 +2320,8 @@ static int build_audio_procunit(struct mixer_build *state, int unitid,
+ static struct procunit_info default_info = {
+ 0, NULL, default_value_info
+ };
++ const char *name = extension_unit ?
++ "Extension Unit" : "Processing Unit";
+
+ if (desc->bLength < 13) {
+ usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);
+@@ -2433,7 +2435,10 @@ static int build_audio_procunit(struct mixer_build *state, int unitid,
+ } else if (info->name) {
+ strlcpy(kctl->id.name, info->name, sizeof(kctl->id.name));
+ } else {
+- nameid = uac_processing_unit_iProcessing(desc, state->mixer->protocol);
++ if (extension_unit)
++ nameid = uac_extension_unit_iExtension(desc, state->mixer->protocol);
++ else
++ nameid = uac_processing_unit_iProcessing(desc, state->mixer->protocol);
+ len = 0;
+ if (nameid)
+ len = snd_usb_copy_string_desc(state->chip,
+@@ -2466,10 +2471,10 @@ static int parse_audio_processing_unit(struct mixer_build *state, int unitid,
+ case UAC_VERSION_2:
+ default:
+ return build_audio_procunit(state, unitid, raw_desc,
+- procunits, "Processing Unit");
++ procunits, false);
+ case UAC_VERSION_3:
+ return build_audio_procunit(state, unitid, raw_desc,
+- uac3_procunits, "Processing Unit");
++ uac3_procunits, false);
+ }
+ }
+
+@@ -2480,8 +2485,7 @@ static int parse_audio_extension_unit(struct mixer_build *state, int unitid,
+ * Note that we parse extension units with processing unit descriptors.
+ * That's ok as the layout is the same.
+ */
+- return build_audio_procunit(state, unitid, raw_desc,
+- extunits, "Extension Unit");
++ return build_audio_procunit(state, unitid, raw_desc, extunits, true);
+ }
+
+ /*
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-007-ALSA-hda-realtek-Headphone-Mic-can-t-record-aft.patch b/patches.kernel.org/5.2.1-007-ALSA-hda-realtek-Headphone-Mic-can-t-record-aft.patch
new file mode 100644
index 0000000000..efb241407c
--- /dev/null
+++ b/patches.kernel.org/5.2.1-007-ALSA-hda-realtek-Headphone-Mic-can-t-record-aft.patch
@@ -0,0 +1,48 @@
+From: Kailang Yang <kailang@realtek.com>
+Date: Thu, 4 Jul 2019 16:02:10 +0800
+Subject: [PATCH] ALSA: hda/realtek - Headphone Mic can't record after S3
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: d07a9a4f66e944fcc900812cbc2f6817bde6a43d
+
+commit d07a9a4f66e944fcc900812cbc2f6817bde6a43d upstream.
+
+Dell headset mode platform with ALC236.
+It doesn't recording after system resume from S3.
+S3 mode was deep. s2idle was not has this issue.
+S3 deep will cut of codec power. So, the register will back to default
+after resume back.
+This patch will solve this issue.
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 6f3a35949cdd..f24a757f8239 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3255,6 +3255,7 @@ static void alc256_init(struct hda_codec *codec)
+ alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x4); /* Hight power */
+ alc_update_coefex_idx(codec, 0x53, 0x02, 0x8000, 1 << 15); /* Clear bit */
+ alc_update_coefex_idx(codec, 0x53, 0x02, 0x8000, 0 << 15);
++ alc_update_coef_idx(codec, 0x36, 1 << 13, 1 << 5); /* Switch pcbeep path to Line in path*/
+ }
+
+ static void alc256_shutup(struct hda_codec *codec)
+@@ -7825,7 +7826,6 @@ static int patch_alc269(struct hda_codec *codec)
+ spec->shutup = alc256_shutup;
+ spec->init_hook = alc256_init;
+ spec->gen.mixer_nid = 0; /* ALC256 does not have any loopback mixer path */
+- alc_update_coef_idx(codec, 0x36, 1 << 13, 1 << 5); /* Switch pcbeep path to Line in path*/
+ break;
+ case 0x10ec0257:
+ spec->codec_variant = ALC269_TYPE_ALC257;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-008-tpm-Actually-fail-on-TPM-errors-during-get-rand.patch b/patches.kernel.org/5.2.1-008-tpm-Actually-fail-on-TPM-errors-during-get-rand.patch
new file mode 100644
index 0000000000..bf9887d412
--- /dev/null
+++ b/patches.kernel.org/5.2.1-008-tpm-Actually-fail-on-TPM-errors-during-get-rand.patch
@@ -0,0 +1,95 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 1 Apr 2019 12:06:07 -0700
+Subject: [PATCH] tpm: Actually fail on TPM errors during "get random"
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 782779b60faa2fc7ff609ac8ef938260fd792c0f
+
+commit 782779b60faa2fc7ff609ac8ef938260fd792c0f upstream.
+
+A "get random" may fail with a TPM error, but those codes were returned
+as-is to the caller, which assumed the result was the number of bytes
+that had been written to the target buffer, which could lead to a kernel
+heap memory exposure and over-read.
+
+This fixes tpm1_get_random() to mask positive TPM errors into -EIO, as
+before.
+
+[ 18.092103] tpm tpm0: A TPM error (379) occurred attempting get random
+[ 18.092106] usercopy: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64' (offset 0, size 379)!
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1650989
+Reported-by: Phil Baker <baker1tex@gmail.com>
+Reported-by: Craig Robson <craig@zhatt.com>
+Fixes: 7aee9c52d7ac ("tpm: tpm1: rewrite tpm1_get_random() using tpm_buf structure")
+Cc: Laura Abbott <labbott@redhat.com>
+Cc: Tomas Winkler <tomas.winkler@intel.com>
+Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Tomas Winkler <tomas.winkler@intel.com>
+Tested-by: Bartosz Szczepanek <bsz@semihalf.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/char/tpm/tpm1-cmd.c | 7 +++++--
+ drivers/char/tpm/tpm2-cmd.c | 7 +++++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm1-cmd.c b/drivers/char/tpm/tpm1-cmd.c
+index 85dcf2654d11..faacbe1ffa1a 100644
+--- a/drivers/char/tpm/tpm1-cmd.c
++++ b/drivers/char/tpm/tpm1-cmd.c
+@@ -510,7 +510,7 @@ struct tpm1_get_random_out {
+ *
+ * Return:
+ * * number of bytes read
+- * * -errno or a TPM return code otherwise
++ * * -errno (positive TPM return codes are masked to -EIO)
+ */
+ int tpm1_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
+ {
+@@ -531,8 +531,11 @@ int tpm1_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
+
+ rc = tpm_transmit_cmd(chip, &buf, sizeof(out->rng_data_len),
+ "attempting get random");
+- if (rc)
++ if (rc) {
++ if (rc > 0)
++ rc = -EIO;
+ goto out;
++ }
+
+ out = (struct tpm1_get_random_out *)&buf.data[TPM_HEADER_SIZE];
+
+diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
+index 4de49924cfc4..d103545e4055 100644
+--- a/drivers/char/tpm/tpm2-cmd.c
++++ b/drivers/char/tpm/tpm2-cmd.c
+@@ -297,7 +297,7 @@ struct tpm2_get_random_out {
+ *
+ * Return:
+ * size of the buffer on success,
+- * -errno otherwise
++ * -errno otherwise (positive TPM return codes are masked to -EIO)
+ */
+ int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
+ {
+@@ -324,8 +324,11 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
+ offsetof(struct tpm2_get_random_out,
+ buffer),
+ "attempting get random");
+- if (err)
++ if (err) {
++ if (err > 0)
++ err = -EIO;
+ goto out;
++ }
+
+ out = (struct tpm2_get_random_out *)
+ &buf.data[TPM_HEADER_SIZE];
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-009-tpm-Fix-TPM-1.2-Shutdown-sequence-to-prevent-fu.patch b/patches.kernel.org/5.2.1-009-tpm-Fix-TPM-1.2-Shutdown-sequence-to-prevent-fu.patch
new file mode 100644
index 0000000000..3d80cfd3eb
--- /dev/null
+++ b/patches.kernel.org/5.2.1-009-tpm-Fix-TPM-1.2-Shutdown-sequence-to-prevent-fu.patch
@@ -0,0 +1,54 @@
+From: Vadim Sukhomlinov <sukhomlinov@google.com>
+Date: Mon, 10 Jun 2019 15:01:18 -0700
+Subject: [PATCH] tpm: Fix TPM 1.2 Shutdown sequence to prevent future TPM
+ operations
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: db4d8cb9c9f2af71c4d087817160d866ed572cc9
+
+commit db4d8cb9c9f2af71c4d087817160d866ed572cc9 upstream.
+
+TPM 2.0 Shutdown involve sending TPM2_Shutdown to TPM chip and disabling
+future TPM operations. TPM 1.2 behavior was different, future TPM
+operations weren't disabled, causing rare issues. This patch ensures
+that future TPM operations are disabled.
+
+Fixes: d1bd4a792d39 ("tpm: Issue a TPM2_Shutdown for TPM2 devices.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
+[dianders: resolved merge conflicts with mainline]
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/char/tpm/tpm-chip.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
+index 90325e1749fb..d47ad10a35fe 100644
+--- a/drivers/char/tpm/tpm-chip.c
++++ b/drivers/char/tpm/tpm-chip.c
+@@ -289,15 +289,15 @@ static int tpm_class_shutdown(struct device *dev)
+ {
+ struct tpm_chip *chip = container_of(dev, struct tpm_chip, dev);
+
++ down_write(&chip->ops_sem);
+ if (chip->flags & TPM_CHIP_FLAG_TPM2) {
+- down_write(&chip->ops_sem);
+ if (!tpm_chip_start(chip)) {
+ tpm2_shutdown(chip, TPM2_SU_CLEAR);
+ tpm_chip_stop(chip);
+ }
+- chip->ops = NULL;
+- up_write(&chip->ops_sem);
+ }
++ chip->ops = NULL;
++ up_write(&chip->ops_sem);
+
+ return 0;
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-010-block-fix-.bi_size-overflow.patch b/patches.kernel.org/5.2.1-010-block-fix-.bi_size-overflow.patch
new file mode 100644
index 0000000000..7950ecd59e
--- /dev/null
+++ b/patches.kernel.org/5.2.1-010-block-fix-.bi_size-overflow.patch
@@ -0,0 +1,151 @@
+From: Ming Lei <ming.lei@redhat.com>
+Date: Mon, 1 Jul 2019 15:14:46 +0800
+Subject: [PATCH] block: fix .bi_size overflow
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 79d08f89bb1b5c2c1ff90d9bb95497ab9e8aa7e0
+
+commit 79d08f89bb1b5c2c1ff90d9bb95497ab9e8aa7e0 upstream.
+
+'bio->bi_iter.bi_size' is 'unsigned int', which at most hold 4G - 1
+bytes.
+
+Before 07173c3ec276 ("block: enable multipage bvecs"), one bio can
+include very limited pages, and usually at most 256, so the fs bio
+size won't be bigger than 1M bytes most of times.
+
+Since we support multi-page bvec, in theory one fs bio really can
+be added > 1M pages, especially in case of hugepage, or big writeback
+with too many dirty pages. Then there is chance in which .bi_size
+is overflowed.
+
+Fixes this issue by using bio_full() to check if the added segment may
+overflow .bi_size.
+
+Cc: Liu Yiding <liuyd.fnst@cn.fujitsu.com>
+Cc: kernel test robot <rong.a.chen@intel.com>
+Cc: "Darrick J. Wong" <darrick.wong@oracle.com>
+Cc: linux-xfs@vger.kernel.org
+Cc: linux-fsdevel@vger.kernel.org
+Cc: stable@vger.kernel.org
+Fixes: 07173c3ec276 ("block: enable multipage bvecs")
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ block/bio.c | 10 +++++-----
+ fs/iomap.c | 2 +-
+ fs/xfs/xfs_aops.c | 2 +-
+ include/linux/bio.h | 18 ++++++++++++++++--
+ 4 files changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/block/bio.c b/block/bio.c
+index ce797d73bb43..67bba12d273b 100644
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -731,7 +731,7 @@ static int __bio_add_pc_page(struct request_queue *q, struct bio *bio,
+ }
+ }
+
+- if (bio_full(bio))
++ if (bio_full(bio, len))
+ return 0;
+
+ if (bio->bi_phys_segments >= queue_max_segments(q))
+@@ -807,7 +807,7 @@ void __bio_add_page(struct bio *bio, struct page *page,
+ struct bio_vec *bv = &bio->bi_io_vec[bio->bi_vcnt];
+
+ WARN_ON_ONCE(bio_flagged(bio, BIO_CLONED));
+- WARN_ON_ONCE(bio_full(bio));
++ WARN_ON_ONCE(bio_full(bio, len));
+
+ bv->bv_page = page;
+ bv->bv_offset = off;
+@@ -834,7 +834,7 @@ int bio_add_page(struct bio *bio, struct page *page,
+ bool same_page = false;
+
+ if (!__bio_try_merge_page(bio, page, len, offset, &same_page)) {
+- if (bio_full(bio))
++ if (bio_full(bio, len))
+ return 0;
+ __bio_add_page(bio, page, len, offset);
+ }
+@@ -922,7 +922,7 @@ static int __bio_iov_iter_get_pages(struct bio *bio, struct iov_iter *iter)
+ if (same_page)
+ put_page(page);
+ } else {
+- if (WARN_ON_ONCE(bio_full(bio)))
++ if (WARN_ON_ONCE(bio_full(bio, len)))
+ return -EINVAL;
+ __bio_add_page(bio, page, len, offset);
+ }
+@@ -966,7 +966,7 @@ int bio_iov_iter_get_pages(struct bio *bio, struct iov_iter *iter)
+ ret = __bio_iov_bvec_add_pages(bio, iter);
+ else
+ ret = __bio_iov_iter_get_pages(bio, iter);
+- } while (!ret && iov_iter_count(iter) && !bio_full(bio));
++ } while (!ret && iov_iter_count(iter) && !bio_full(bio, 0));
+
+ if (iov_iter_bvec_no_ref(iter))
+ bio_set_flag(bio, BIO_NO_PAGE_REF);
+diff --git a/fs/iomap.c b/fs/iomap.c
+index 12654c2e78f8..da961fca3180 100644
+--- a/fs/iomap.c
++++ b/fs/iomap.c
+@@ -333,7 +333,7 @@ iomap_readpage_actor(struct inode *inode, loff_t pos, loff_t length, void *data,
+ if (iop)
+ atomic_inc(&iop->read_count);
+
+- if (!ctx->bio || !is_contig || bio_full(ctx->bio)) {
++ if (!ctx->bio || !is_contig || bio_full(ctx->bio, plen)) {
+ gfp_t gfp = mapping_gfp_constraint(page->mapping, GFP_KERNEL);
+ int nr_vecs = (length + PAGE_SIZE - 1) >> PAGE_SHIFT;
+
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index 8da5e6637771..11f703d4a605 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -782,7 +782,7 @@ xfs_add_to_ioend(
+ atomic_inc(&iop->write_count);
+
+ if (!merged) {
+- if (bio_full(wpc->ioend->io_bio))
++ if (bio_full(wpc->ioend->io_bio, len))
+ xfs_chain_bio(wpc->ioend, wbc, bdev, sector);
+ bio_add_page(wpc->ioend->io_bio, page, len, poff);
+ }
+diff --git a/include/linux/bio.h b/include/linux/bio.h
+index f87abaa898f0..e36b8fc1b1c3 100644
+--- a/include/linux/bio.h
++++ b/include/linux/bio.h
+@@ -102,9 +102,23 @@ static inline void *bio_data(struct bio *bio)
+ return NULL;
+ }
+
+-static inline bool bio_full(struct bio *bio)
++/**
++ * bio_full - check if the bio is full
++ * @bio: bio to check
++ * @len: length of one segment to be added
++ *
++ * Return true if @bio is full and one segment with @len bytes can't be
++ * added to the bio, otherwise return false
++ */
++static inline bool bio_full(struct bio *bio, unsigned len)
+ {
+- return bio->bi_vcnt >= bio->bi_max_vecs;
++ if (bio->bi_vcnt >= bio->bi_max_vecs)
++ return true;
++
++ if (bio->bi_iter.bi_size > UINT_MAX - len)
++ return true;
++
++ return false;
+ }
+
+ static inline bool bio_next_segment(const struct bio *bio,
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-011-block-bfq-NULL-out-the-bic-when-it-s-no-longer-.patch b/patches.kernel.org/5.2.1-011-block-bfq-NULL-out-the-bic-when-it-s-no-longer-.patch
new file mode 100644
index 0000000000..f5c3cdab57
--- /dev/null
+++ b/patches.kernel.org/5.2.1-011-block-bfq-NULL-out-the-bic-when-it-s-no-longer-.patch
@@ -0,0 +1,83 @@
+From: Douglas Anderson <dianders@chromium.org>
+Date: Thu, 27 Jun 2019 21:44:09 -0700
+Subject: [PATCH] block, bfq: NULL out the bic when it's no longer valid
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: dbc3117d4ca9e17819ac73501e914b8422686750
+
+commit dbc3117d4ca9e17819ac73501e914b8422686750 upstream.
+
+In reboot tests on several devices we were seeing a "use after free"
+when slub_debug or KASAN was enabled. The kernel complained about:
+
+ Unable to handle kernel paging request at virtual address 6b6b6c2b
+
+...which is a classic sign of use after free under slub_debug. The
+stack crawl in kgdb looked like:
+
+ 0 test_bit (addr=<optimized out>, nr=<optimized out>)
+ 1 bfq_bfqq_busy (bfqq=<optimized out>)
+ 2 bfq_select_queue (bfqd=<optimized out>)
+ 3 __bfq_dispatch_request (hctx=<optimized out>)
+ 4 bfq_dispatch_request (hctx=<optimized out>)
+ 5 0xc056ef00 in blk_mq_do_dispatch_sched (hctx=0xed249440)
+ 6 0xc056f728 in blk_mq_sched_dispatch_requests (hctx=0xed249440)
+ 7 0xc0568d24 in __blk_mq_run_hw_queue (hctx=0xed249440)
+ 8 0xc0568d94 in blk_mq_run_work_fn (work=<optimized out>)
+ 9 0xc024c5c4 in process_one_work (worker=0xec6d4640, work=0xed249480)
+ 10 0xc024cff4 in worker_thread (__worker=0xec6d4640)
+
+Digging in kgdb, it could be found that, though bfqq looked fine,
+bfqq->bic had been freed.
+
+Through further digging, I postulated that perhaps it is illegal to
+access a "bic" (AKA an "icq") after bfq_exit_icq() had been called
+because the "bic" can be freed at some point in time after this call
+is made. I confirmed that there certainly were cases where the exact
+crashing code path would access the "bic" after bfq_exit_icq() had
+been called. Sspecifically I set the "bfqq->bic" to (void *)0x7 and
+saw that the bic was 0x7 at the time of the crash.
+
+To understand a bit more about why this crash was fairly uncommon (I
+saw it only once in a few hundred reboots), you can see that much of
+the time bfq_exit_icq_fbqq() fully frees the bfqq and thus it can't
+access the ->bic anymore. The only case it doesn't is if
+bfq_put_queue() sees a reference still held.
+
+However, even in the case when bfqq isn't freed, the crash is still
+rare. Why? I tracked what happened to the "bic" after the exit
+routine. It doesn't get freed right away. Rather,
+put_io_context_active() eventually called put_io_context() which
+queued up freeing on a workqueue. The freeing then actually happened
+later than that through call_rcu(). Despite all these delays, some
+extra debugging showed that all the hoops could be jumped through in
+time and the memory could be freed causing the original crash. Phew!
+
+To make a long story short, assuming it truly is illegal to access an
+icq after the "exit_icq" callback is finished, this patch is needed.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Paolo Valente <paolo.valente@unimore.it>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ block/bfq-iosched.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index f9269ae6da9c..e5db3856b194 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -4584,6 +4584,7 @@ static void bfq_exit_icq_bfqq(struct bfq_io_cq *bic, bool is_sync)
+ unsigned long flags;
+
+ spin_lock_irqsave(&bfqd->lock, flags);
++ bfqq->bic = NULL;
+ bfq_exit_bfqq(bfqd, bfqq);
+ bic_set_bfqq(bic, NULL, is_sync);
+ spin_unlock_irqrestore(&bfqd->lock, flags);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-012-perf-intel-pt-Fix-itrace-defaults-for-perf-scri.patch b/patches.kernel.org/5.2.1-012-perf-intel-pt-Fix-itrace-defaults-for-perf-scri.patch
new file mode 100644
index 0000000000..a008a10cd7
--- /dev/null
+++ b/patches.kernel.org/5.2.1-012-perf-intel-pt-Fix-itrace-defaults-for-perf-scri.patch
@@ -0,0 +1,64 @@
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Mon, 20 May 2019 14:37:07 +0300
+Subject: [PATCH] perf intel-pt: Fix itrace defaults for perf script
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 26f19c2eb7e54015564ff133b91983a74e84541b
+
+commit 26f19c2eb7e54015564ff133b91983a74e84541b upstream.
+
+Commit 4eb068157121 ("perf script: Make itrace script default to all
+calls") does not work because 'use_browser' is being used to determine
+whether to default to periodic sampling (i.e. better for perf report).
+The result is that nothing but CBR events display for perf script when
+no --itrace option is specified.
+
+Fix by using 'default_no_sample' and 'inject' instead.
+
+Example:
+
+ Before:
+
+ $ perf record -e intel_pt/cyc/u ls
+ $ perf script > cmp1.txt
+ $ perf script --itrace=cepwx > cmp2.txt
+ $ diff -sq cmp1.txt cmp2.txt
+ Files cmp1.txt and cmp2.txt differ
+
+ After:
+
+ $ perf script > cmp1.txt
+ $ perf script --itrace=cepwx > cmp2.txt
+ $ diff -sq cmp1.txt cmp2.txt
+ Files cmp1.txt and cmp2.txt are identical
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org # v4.20+
+Fixes: 90e457f7be08 ("perf tools: Add Intel PT support")
+Link: http://lkml.kernel.org/r/20190520113728.14389-2-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/perf/util/intel-pt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
+index d6f1b2a03f9b..f7dd4657535d 100644
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -2579,7 +2579,8 @@ int intel_pt_process_auxtrace_info(union perf_event *event,
+ } else {
+ itrace_synth_opts__set_default(&pt->synth_opts,
+ session->itrace_synth_opts->default_no_sample);
+- if (use_browser != -1) {
++ if (!session->itrace_synth_opts->default_no_sample &&
++ !session->itrace_synth_opts->inject) {
+ pt->synth_opts.branches = false;
+ pt->synth_opts.callchain = true;
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-013-perf-auxtrace-Fix-itrace-defaults-for-perf-scri.patch b/patches.kernel.org/5.2.1-013-perf-auxtrace-Fix-itrace-defaults-for-perf-scri.patch
new file mode 100644
index 0000000000..5a08f2e8eb
--- /dev/null
+++ b/patches.kernel.org/5.2.1-013-perf-auxtrace-Fix-itrace-defaults-for-perf-scri.patch
@@ -0,0 +1,60 @@
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Mon, 20 May 2019 14:37:08 +0300
+Subject: [PATCH] perf auxtrace: Fix itrace defaults for perf script
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 355200e0f6a9ce14771625014aa469f5ecbd8977
+
+commit 355200e0f6a9ce14771625014aa469f5ecbd8977 upstream.
+
+Commit 4eb068157121 ("perf script: Make itrace script default to all
+calls") does not work for the case when '--itrace' only is used, because
+default_no_sample is not being passed.
+
+Example:
+
+ Before:
+
+ $ perf record -e intel_pt/cyc/u ls
+ $ perf script --itrace > cmp1.txt
+ $ perf script --itrace=cepwx > cmp2.txt
+ $ diff -sq cmp1.txt cmp2.txt
+ Files cmp1.txt and cmp2.txt differ
+
+ After:
+
+ $ perf script --itrace > cmp1.txt
+ $ perf script --itrace=cepwx > cmp2.txt
+ $ diff -sq cmp1.txt cmp2.txt
+ Files cmp1.txt and cmp2.txt are identical
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 4eb068157121 ("perf script: Make itrace script default to all calls")
+Link: http://lkml.kernel.org/r/20190520113728.14389-3-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/perf/util/auxtrace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/auxtrace.c b/tools/perf/util/auxtrace.c
+index 66e82bd0683e..cfdbf65f1e02 100644
+--- a/tools/perf/util/auxtrace.c
++++ b/tools/perf/util/auxtrace.c
+@@ -1001,7 +1001,8 @@ int itrace_parse_synth_opts(const struct option *opt, const char *str,
+ }
+
+ if (!str) {
+- itrace_synth_opts__set_default(synth_opts, false);
++ itrace_synth_opts__set_default(synth_opts,
++ synth_opts->default_no_sample);
+ return 0;
+ }
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-014-perf-intel-pt-Fix-itrace-defaults-for-perf-scri.patch b/patches.kernel.org/5.2.1-014-perf-intel-pt-Fix-itrace-defaults-for-perf-scri.patch
new file mode 100644
index 0000000000..b28e8824b2
--- /dev/null
+++ b/patches.kernel.org/5.2.1-014-perf-intel-pt-Fix-itrace-defaults-for-perf-scri.patch
@@ -0,0 +1,62 @@
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Mon, 20 May 2019 14:37:09 +0300
+Subject: [PATCH] perf intel-pt: Fix itrace defaults for perf script intel-pt
+ documentation
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: a2d8a1585e35444789c1c8cf7e2e51fb15589880
+
+commit a2d8a1585e35444789c1c8cf7e2e51fb15589880 upstream.
+
+Fix intel-pt documentation to reflect the change of itrace defaults for
+perf script.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 4eb068157121 ("perf script: Make itrace script default to all calls")
+Link: http://lkml.kernel.org/r/20190520113728.14389-4-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/perf/Documentation/intel-pt.txt | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/tools/perf/Documentation/intel-pt.txt b/tools/perf/Documentation/intel-pt.txt
+index 115eaacc455f..60d99e5e7921 100644
+--- a/tools/perf/Documentation/intel-pt.txt
++++ b/tools/perf/Documentation/intel-pt.txt
+@@ -88,16 +88,16 @@ smaller.
+
+ To represent software control flow, "branches" samples are produced. By default
+ a branch sample is synthesized for every single branch. To get an idea what
+-data is available you can use the 'perf script' tool with no parameters, which
+-will list all the samples.
++data is available you can use the 'perf script' tool with all itrace sampling
++options, which will list all the samples.
+
+ perf record -e intel_pt//u ls
+- perf script
++ perf script --itrace=ibxwpe
+
+ An interesting field that is not printed by default is 'flags' which can be
+ displayed as follows:
+
+- perf script -Fcomm,tid,pid,time,cpu,event,trace,ip,sym,dso,addr,symoff,flags
++ perf script --itrace=ibxwpe -F+flags
+
+ The flags are "bcrosyiABEx" which stand for branch, call, return, conditional,
+ system, asynchronous, interrupt, transaction abort, trace begin, trace end, and
+@@ -713,7 +713,7 @@ Having no option is the same as
+
+ which, in turn, is the same as
+
+- --itrace=ibxwpe
++ --itrace=cepwx
+
+ The letters are:
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-015-perf-pmu-Fix-uncore-PMU-alias-list-for-ARM64.patch b/patches.kernel.org/5.2.1-015-perf-pmu-Fix-uncore-PMU-alias-list-for-ARM64.patch
new file mode 100644
index 0000000000..8af34c4deb
--- /dev/null
+++ b/patches.kernel.org/5.2.1-015-perf-pmu-Fix-uncore-PMU-alias-list-for-ARM64.patch
@@ -0,0 +1,99 @@
+From: John Garry <john.garry@huawei.com>
+Date: Fri, 14 Jun 2019 22:07:59 +0800
+Subject: [PATCH] perf pmu: Fix uncore PMU alias list for ARM64
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 599ee18f0740d7661b8711249096db94c09bc508
+
+commit 599ee18f0740d7661b8711249096db94c09bc508 upstream.
+
+In commit 292c34c10249 ("perf pmu: Fix core PMU alias list for X86
+platform"), we fixed the issue of CPU events being aliased to uncore
+events.
+
+Fix this same issue for ARM64, since the said commit left the (broken)
+behaviour untouched for ARM64.
+
+Signed-off-by: John Garry <john.garry@huawei.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Cc: Hendrik Brueckner <brueckner@linux.ibm.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Shaokun Zhang <zhangshaokun@hisilicon.com>
+Cc: Thomas Richter <tmricht@linux.ibm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linuxarm@huawei.com
+Cc: stable@vger.kernel.org
+Fixes: 292c34c10249 ("perf pmu: Fix core PMU alias list for X86 platform")
+Link: http://lkml.kernel.org/r/1560521283-73314-2-git-send-email-john.garry@huawei.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/perf/util/pmu.c | 28 ++++++++++++----------------
+ 1 file changed, 12 insertions(+), 16 deletions(-)
+
+diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c
+index e0429f4ef335..faa8eb231e1b 100644
+--- a/tools/perf/util/pmu.c
++++ b/tools/perf/util/pmu.c
+@@ -709,9 +709,7 @@ static void pmu_add_cpu_aliases(struct list_head *head, struct perf_pmu *pmu)
+ {
+ int i;
+ struct pmu_events_map *map;
+- struct pmu_event *pe;
+ const char *name = pmu->name;
+- const char *pname;
+
+ map = perf_pmu__find_map(pmu);
+ if (!map)
+@@ -722,28 +720,26 @@ static void pmu_add_cpu_aliases(struct list_head *head, struct perf_pmu *pmu)
+ */
+ i = 0;
+ while (1) {
++ const char *cpu_name = is_arm_pmu_core(name) ? name : "cpu";
++ struct pmu_event *pe = &map->table[i++];
++ const char *pname = pe->pmu ? pe->pmu : cpu_name;
+
+- pe = &map->table[i++];
+ if (!pe->name) {
+ if (pe->metric_group || pe->metric_name)
+ continue;
+ break;
+ }
+
+- if (!is_arm_pmu_core(name)) {
+- pname = pe->pmu ? pe->pmu : "cpu";
+-
+- /*
+- * uncore alias may be from different PMU
+- * with common prefix
+- */
+- if (pmu_is_uncore(name) &&
+- !strncmp(pname, name, strlen(pname)))
+- goto new_alias;
++ /*
++ * uncore alias may be from different PMU
++ * with common prefix
++ */
++ if (pmu_is_uncore(name) &&
++ !strncmp(pname, name, strlen(pname)))
++ goto new_alias;
+
+- if (strcmp(pname, name))
+- continue;
+- }
++ if (strcmp(pname, name))
++ continue;
+
+ new_alias:
+ /* need type casts to override 'const' */
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-016-perf-thread-stack-Fix-thread-stack-return-from-.patch b/patches.kernel.org/5.2.1-016-perf-thread-stack-Fix-thread-stack-return-from-.patch
new file mode 100644
index 0000000000..0e6c34e040
--- /dev/null
+++ b/patches.kernel.org/5.2.1-016-perf-thread-stack-Fix-thread-stack-return-from-.patch
@@ -0,0 +1,193 @@
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Wed, 19 Jun 2019 09:44:28 +0300
+Subject: [PATCH] perf thread-stack: Fix thread stack return from kernel for
+ kernel-only case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 97860b483c5597663a174ff7405be957b4838391
+
+commit 97860b483c5597663a174ff7405be957b4838391 upstream.
+
+Commit f08046cb3082 ("perf thread-stack: Represent jmps to the start of a
+different symbol") had the side-effect of introducing more stack entries
+before return from kernel space.
+
+When user space is also traced, those entries are popped before entry to
+user space, but when user space is not traced, they get stuck at the
+bottom of the stack, making the stack grow progressively larger.
+
+Fix by detecting a return-from-kernel branch type, and popping kernel
+addresses from the stack then.
+
+Note, the problem and fix affect the exported Call Graph / Tree but not
+the callindent option used by "perf script --call-trace".
+
+Example:
+
+ perf-with-kcore record example -e intel_pt//k -- ls
+ perf-with-kcore script example --itrace=bep -s ~/libexec/perf-core/scripts/python/export-to-sqlite.py example.db branches calls
+ ~/libexec/perf-core/scripts/python/exported-sql-viewer.py example.db
+
+ Menu option: Reports -> Context-Sensitive Call Graph
+
+ Before: (showing Call Path column only)
+
+ Call Path
+ ▶ perf
+ ▼ ls
+ ▼ 12111:12111
+ ▶ setup_new_exec
+ ▶ __task_pid_nr_ns
+ ▶ perf_event_pid_type
+ ▶ perf_event_comm_output
+ ▶ perf_iterate_ctx
+ ▶ perf_iterate_sb
+ ▶ perf_event_comm
+ ▶ __set_task_comm
+ ▶ load_elf_binary
+ ▶ search_binary_handler
+ ▶ __do_execve_file.isra.41
+ ▶ __x64_sys_execve
+ ▶ do_syscall_64
+ ▼ entry_SYSCALL_64_after_hwframe
+ ▼ swapgs_restore_regs_and_return_to_usermode
+ ▼ native_iret
+ ▶ error_entry
+ ▶ do_page_fault
+ ▼ error_exit
+ ▼ retint_user
+ ▶ prepare_exit_to_usermode
+ ▼ native_iret
+ ▶ error_entry
+ ▶ do_page_fault
+ ▼ error_exit
+ ▼ retint_user
+ ▶ prepare_exit_to_usermode
+ ▼ native_iret
+ ▶ error_entry
+ ▶ do_page_fault
+ ▼ error_exit
+ ▼ retint_user
+ ▶ prepare_exit_to_usermode
+ ▶ native_iret
+
+ After: (showing Call Path column only)
+
+ Call Path
+ ▶ perf
+ ▼ ls
+ ▼ 12111:12111
+ ▶ setup_new_exec
+ ▶ __task_pid_nr_ns
+ ▶ perf_event_pid_type
+ ▶ perf_event_comm_output
+ ▶ perf_iterate_ctx
+ ▶ perf_iterate_sb
+ ▶ perf_event_comm
+ ▶ __set_task_comm
+ ▶ load_elf_binary
+ ▶ search_binary_handler
+ ▶ __do_execve_file.isra.41
+ ▶ __x64_sys_execve
+ ▶ do_syscall_64
+ ▶ entry_SYSCALL_64_after_hwframe
+ ▶ page_fault
+ ▼ entry_SYSCALL_64
+ ▼ do_syscall_64
+ ▶ __x64_sys_brk
+ ▶ __x64_sys_access
+ ▶ __x64_sys_openat
+ ▶ __x64_sys_newfstat
+ ▶ __x64_sys_mmap
+ ▶ __x64_sys_close
+ ▶ __x64_sys_read
+ ▶ __x64_sys_mprotect
+ ▶ __x64_sys_arch_prctl
+ ▶ __x64_sys_munmap
+ ▶ exit_to_usermode_loop
+ ▶ __x64_sys_set_tid_address
+ ▶ __x64_sys_set_robust_list
+ ▶ __x64_sys_rt_sigaction
+ ▶ __x64_sys_rt_sigprocmask
+ ▶ __x64_sys_prlimit64
+ ▶ __x64_sys_statfs
+ ▶ __x64_sys_ioctl
+ ▶ __x64_sys_getdents64
+ ▶ __x64_sys_write
+ ▶ __x64_sys_exit_group
+
+Committer notes:
+
+The first arg to the perf-with-kcore needs to be the same for the
+'record' and 'script' lines, otherwise we'll record the perf.data file
+and kcore_dir/ files in one directory ('example') to then try to use it
+from the 'bep' directory, fix the instructions above it so that both use
+'example'.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: f08046cb3082 ("perf thread-stack: Represent jmps to the start of a different symbol")
+Link: http://lkml.kernel.org/r/20190619064429.14940-2-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/perf/util/thread-stack.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/thread-stack.c b/tools/perf/util/thread-stack.c
+index 4ba9e866b076..60c9d955c4d7 100644
+--- a/tools/perf/util/thread-stack.c
++++ b/tools/perf/util/thread-stack.c
+@@ -616,6 +616,23 @@ static int thread_stack__bottom(struct thread_stack *ts,
+ true, false);
+ }
+
++static int thread_stack__pop_ks(struct thread *thread, struct thread_stack *ts,
++ struct perf_sample *sample, u64 ref)
++{
++ u64 tm = sample->time;
++ int err;
++
++ /* Return to userspace, so pop all kernel addresses */
++ while (thread_stack__in_kernel(ts)) {
++ err = thread_stack__call_return(thread, ts, --ts->cnt,
++ tm, ref, true);
++ if (err)
++ return err;
++ }
++
++ return 0;
++}
++
+ static int thread_stack__no_call_return(struct thread *thread,
+ struct thread_stack *ts,
+ struct perf_sample *sample,
+@@ -896,7 +913,18 @@ int thread_stack__process(struct thread *thread, struct comm *comm,
+ ts->rstate = X86_RETPOLINE_DETECTED;
+
+ } else if (sample->flags & PERF_IP_FLAG_RETURN) {
+- if (!sample->ip || !sample->addr)
++ if (!sample->addr) {
++ u32 return_from_kernel = PERF_IP_FLAG_SYSCALLRET |
++ PERF_IP_FLAG_INTERRUPT;
++
++ if (!(sample->flags & return_from_kernel))
++ return 0;
++
++ /* Pop kernel stack */
++ return thread_stack__pop_ks(thread, ts, sample, ref);
++ }
++
++ if (!sample->ip)
+ return 0;
+
+ /* x86 retpoline 'return' doesn't match the stack */
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-017-perf-header-Assign-proper-ff-ph-in-perf_event__.patch b/patches.kernel.org/5.2.1-017-perf-header-Assign-proper-ff-ph-in-perf_event__.patch
new file mode 100644
index 0000000000..d28e26ee38
--- /dev/null
+++ b/patches.kernel.org/5.2.1-017-perf-header-Assign-proper-ff-ph-in-perf_event__.patch
@@ -0,0 +1,75 @@
+From: Song Liu <songliubraving@fb.com>
+Date: Wed, 19 Jun 2019 18:04:53 -0700
+Subject: [PATCH] perf header: Assign proper ff->ph in
+ perf_event__synthesize_features()
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: c952b35f4b15dd1b83e952718dec3307256383ef
+
+commit c952b35f4b15dd1b83e952718dec3307256383ef upstream.
+
+bpf/btf write_* functions need ff->ph->env.
+
+With this missing, pipe-mode (perf record -o -) would crash like:
+
+Program terminated with signal SIGSEGV, Segmentation fault.
+
+This patch assign proper ph value to ff.
+
+Committer testing:
+
+ (gdb) run record -o -
+ Starting program: /root/bin/perf record -o -
+ PERFILE2
+ <SNIP start of perf.data headers>
+ Thread 1 "perf" received signal SIGSEGV, Segmentation fault.
+ __do_write_buf (size=4, buf=0x160, ff=0x7fffffff8f80) at util/header.c:126
+ 126 memcpy(ff->buf + ff->offset, buf, size);
+ (gdb) bt
+ #0 __do_write_buf (size=4, buf=0x160, ff=0x7fffffff8f80) at util/header.c:126
+ #1 do_write (ff=ff@entry=0x7fffffff8f80, buf=buf@entry=0x160, size=4) at util/header.c:137
+ #2 0x00000000004eddba in write_bpf_prog_info (ff=0x7fffffff8f80, evlist=<optimized out>) at util/header.c:912
+ #3 0x00000000004f69d7 in perf_event__synthesize_features (tool=tool@entry=0x97cc00 <record>, session=session@entry=0x7fffe9c6d010,
+ evlist=0x7fffe9cae010, process=process@entry=0x4435d0 <process_synthesized_event>) at util/header.c:3695
+ #4 0x0000000000443c79 in record__synthesize (tail=tail@entry=false, rec=0x97cc00 <record>) at builtin-record.c:1214
+ #5 0x0000000000444ec9 in __cmd_record (rec=0x97cc00 <record>, argv=<optimized out>, argc=0) at builtin-record.c:1435
+ #6 cmd_record (argc=0, argv=<optimized out>) at builtin-record.c:2450
+ #7 0x00000000004ae3e9 in run_builtin (p=p@entry=0x98e058 <commands+216>, argc=argc@entry=3, argv=0x7fffffffd670) at perf.c:304
+ #8 0x000000000042eded in handle_internal_command (argv=<optimized out>, argc=<optimized out>) at perf.c:356
+ #9 run_argv (argcp=<optimized out>, argv=<optimized out>) at perf.c:400
+ #10 main (argc=3, argv=<optimized out>) at perf.c:522
+ (gdb)
+
+After the patch the SEGSEGV is gone.
+
+Reported-by: David Carrillo Cisneros <davidca@fb.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: kernel-team@fb.com
+Cc: stable@vger.kernel.org # v5.1+
+Fixes: 606f972b1361 ("perf bpf: Save bpf_prog_info information as headers to perf.data")
+Link: http://lkml.kernel.org/r/20190620010453.4118689-1-songliubraving@fb.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/perf/util/header.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
+index 847ae51a524b..fb0aa661644b 100644
+--- a/tools/perf/util/header.c
++++ b/tools/perf/util/header.c
+@@ -3602,6 +3602,7 @@ int perf_event__synthesize_features(struct perf_tool *tool,
+ return -ENOMEM;
+
+ ff.size = sz - sz_hdr;
++ ff.ph = &session->header;
+
+ for_each_set_bit(feat, header->adds_features, HEADER_FEAT_BITS) {
+ if (!feat_ops[feat].synthesize) {
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-018-x86-ptrace-Fix-possible-spectre-v1-in-ptrace_ge.patch b/patches.kernel.org/5.2.1-018-x86-ptrace-Fix-possible-spectre-v1-in-ptrace_ge.patch
new file mode 100644
index 0000000000..daac52392b
--- /dev/null
+++ b/patches.kernel.org/5.2.1-018-x86-ptrace-Fix-possible-spectre-v1-in-ptrace_ge.patch
@@ -0,0 +1,59 @@
+From: Dianzhang Chen <dianzhangchen0@gmail.com>
+Date: Tue, 25 Jun 2019 23:30:17 +0800
+Subject: [PATCH] x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 31a2fbb390fee4231281b939e1979e810f945415
+
+commit 31a2fbb390fee4231281b939e1979e810f945415 upstream.
+
+The index to access the threads ptrace_bps is controlled by userspace via
+syscall: sys_ptrace(), hence leading to a potential exploitation of the
+Spectre variant 1 vulnerability.
+
+The index can be controlled from:
+ ptrace -> arch_ptrace -> ptrace_get_debugreg.
+
+Fix this by sanitizing the user supplied index before using it access
+thread->ptrace_bps.
+
+Signed-off-by: Dianzhang Chen <dianzhangchen0@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: bp@alien8.de
+Cc: hpa@zytor.com
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1561476617-3759-1-git-send-email-dianzhangchen0@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/kernel/ptrace.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
+index a166c960bc9e..e9d0bc3a5e88 100644
+--- a/arch/x86/kernel/ptrace.c
++++ b/arch/x86/kernel/ptrace.c
+@@ -25,6 +25,7 @@
+ #include <linux/rcupdate.h>
+ #include <linux/export.h>
+ #include <linux/context_tracking.h>
++#include <linux/nospec.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/pgtable.h>
+@@ -643,9 +644,11 @@ static unsigned long ptrace_get_debugreg(struct task_struct *tsk, int n)
+ {
+ struct thread_struct *thread = &tsk->thread;
+ unsigned long val = 0;
++ int index = n;
+
+ if (n < HBP_NUM) {
+- struct perf_event *bp = thread->ptrace_bps[n];
++ struct perf_event *bp = thread->ptrace_bps[index];
++ index = array_index_nospec(index, HBP_NUM);
+
+ if (bp)
+ val = bp->hw.info.address;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-019-x86-tls-Fix-possible-spectre-v1-in-do_get_threa.patch b/patches.kernel.org/5.2.1-019-x86-tls-Fix-possible-spectre-v1-in-do_get_threa.patch
new file mode 100644
index 0000000000..44d29ebcd9
--- /dev/null
+++ b/patches.kernel.org/5.2.1-019-x86-tls-Fix-possible-spectre-v1-in-do_get_threa.patch
@@ -0,0 +1,68 @@
+From: Dianzhang Chen <dianzhangchen0@gmail.com>
+Date: Wed, 26 Jun 2019 12:50:30 +0800
+Subject: [PATCH] x86/tls: Fix possible spectre-v1 in do_get_thread_area()
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 993773d11d45c90cb1c6481c2638c3d9f092ea5b
+
+commit 993773d11d45c90cb1c6481c2638c3d9f092ea5b upstream.
+
+The index to access the threads tls array is controlled by userspace
+via syscall: sys_ptrace(), hence leading to a potential exploitation
+of the Spectre variant 1 vulnerability.
+
+The index can be controlled from:
+ ptrace -> arch_ptrace -> do_get_thread_area.
+
+Fix this by sanitizing the user supplied index before using it to access
+the p->thread.tls_array.
+
+Signed-off-by: Dianzhang Chen <dianzhangchen0@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: bp@alien8.de
+Cc: hpa@zytor.com
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1561524630-3642-1-git-send-email-dianzhangchen0@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/kernel/tls.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
+index a5b802a12212..71d3fef1edc9 100644
+--- a/arch/x86/kernel/tls.c
++++ b/arch/x86/kernel/tls.c
+@@ -5,6 +5,7 @@
+ #include <linux/user.h>
+ #include <linux/regset.h>
+ #include <linux/syscalls.h>
++#include <linux/nospec.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/desc.h>
+@@ -220,6 +221,7 @@ int do_get_thread_area(struct task_struct *p, int idx,
+ struct user_desc __user *u_info)
+ {
+ struct user_desc info;
++ int index;
+
+ if (idx == -1 && get_user(idx, &u_info->entry_number))
+ return -EFAULT;
+@@ -227,8 +229,11 @@ int do_get_thread_area(struct task_struct *p, int idx,
+ if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
+ return -EINVAL;
+
+- fill_user_desc(&info, idx,
+- &p->thread.tls_array[idx - GDT_ENTRY_TLS_MIN]);
++ index = idx - GDT_ENTRY_TLS_MIN;
++ index = array_index_nospec(index,
++ GDT_ENTRY_TLS_MAX - GDT_ENTRY_TLS_MIN + 1);
++
++ fill_user_desc(&info, idx, &p->thread.tls_array[index]);
+
+ if (copy_to_user(u_info, &info, sizeof(info)))
+ return -EFAULT;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-020-Documentation-Add-section-about-CPU-vulnerabili.patch b/patches.kernel.org/5.2.1-020-Documentation-Add-section-about-CPU-vulnerabili.patch
new file mode 100644
index 0000000000..db41f2057e
--- /dev/null
+++ b/patches.kernel.org/5.2.1-020-Documentation-Add-section-about-CPU-vulnerabili.patch
@@ -0,0 +1,764 @@
+From: Tim Chen <tim.c.chen@linux.intel.com>
+Date: Thu, 20 Jun 2019 16:10:50 -0700
+Subject: [PATCH] Documentation: Add section about CPU vulnerabilities for
+ Spectre
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 6e88559470f581741bcd0f2794f9054814ac9740
+
+commit 6e88559470f581741bcd0f2794f9054814ac9740 upstream.
+
+Add documentation for Spectre vulnerability and the mitigation mechanisms:
+
+- Explain the problem and risks
+- Document the mitigation mechanisms
+- Document the command line controls
+- Document the sysfs files
+
+Co-developed-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Co-developed-by: Tim Chen <tim.c.chen@linux.intel.com>
+Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
+Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ Documentation/admin-guide/hw-vuln/index.rst | 1 +
+ Documentation/admin-guide/hw-vuln/spectre.rst | 697 ++++++++++++++++++
+ Documentation/userspace-api/spec_ctrl.rst | 2 +
+ 3 files changed, 700 insertions(+)
+ create mode 100644 Documentation/admin-guide/hw-vuln/spectre.rst
+
+diff --git a/Documentation/admin-guide/hw-vuln/index.rst b/Documentation/admin-guide/hw-vuln/index.rst
+index ffc064c1ec68..49311f3da6f2 100644
+--- a/Documentation/admin-guide/hw-vuln/index.rst
++++ b/Documentation/admin-guide/hw-vuln/index.rst
+@@ -9,5 +9,6 @@ are configurable at compile, boot or run time.
+ .. toctree::
+ :maxdepth: 1
+
++ spectre
+ l1tf
+ mds
+diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst
+new file mode 100644
+index 000000000000..25f3b2532198
+--- /dev/null
++++ b/Documentation/admin-guide/hw-vuln/spectre.rst
+@@ -0,0 +1,697 @@
++.. SPDX-License-Identifier: GPL-2.0
++
++Spectre Side Channels
++=====================
++
++Spectre is a class of side channel attacks that exploit branch prediction
++and speculative execution on modern CPUs to read memory, possibly
++bypassing access controls. Speculative execution side channel exploits
++do not modify memory but attempt to infer privileged data in the memory.
++
++This document covers Spectre variant 1 and Spectre variant 2.
++
++Affected processors
++-------------------
++
++Speculative execution side channel methods affect a wide range of modern
++high performance processors, since most modern high speed processors
++use branch prediction and speculative execution.
++
++The following CPUs are vulnerable:
++
++ - Intel Core, Atom, Pentium, and Xeon processors
++
++ - AMD Phenom, EPYC, and Zen processors
++
++ - IBM POWER and zSeries processors
++
++ - Higher end ARM processors
++
++ - Apple CPUs
++
++ - Higher end MIPS CPUs
++
++ - Likely most other high performance CPUs. Contact your CPU vendor for details.
++
++Whether a processor is affected or not can be read out from the Spectre
++vulnerability files in sysfs. See :ref:`spectre_sys_info`.
++
++Related CVEs
++------------
++
++The following CVE entries describe Spectre variants:
++
++ ============= ======================= =================
++ CVE-2017-5753 Bounds check bypass Spectre variant 1
++ CVE-2017-5715 Branch target injection Spectre variant 2
++ ============= ======================= =================
++
++Problem
++-------
++
++CPUs use speculative operations to improve performance. That may leave
++traces of memory accesses or computations in the processor's caches,
++buffers, and branch predictors. Malicious software may be able to
++influence the speculative execution paths, and then use the side effects
++of the speculative execution in the CPUs' caches and buffers to infer
++privileged data touched during the speculative execution.
++
++Spectre variant 1 attacks take advantage of speculative execution of
++conditional branches, while Spectre variant 2 attacks use speculative
++execution of indirect branches to leak privileged memory.
++See :ref:`[1] <spec_ref1>` :ref:`[5] <spec_ref5>` :ref:`[7] <spec_ref7>`
++:ref:`[10] <spec_ref10>` :ref:`[11] <spec_ref11>`.
++
++Spectre variant 1 (Bounds Check Bypass)
++---------------------------------------
++
++The bounds check bypass attack :ref:`[2] <spec_ref2>` takes advantage
++of speculative execution that bypasses conditional branch instructions
++used for memory access bounds check (e.g. checking if the index of an
++array results in memory access within a valid range). This results in
++memory accesses to invalid memory (with out-of-bound index) that are
++done speculatively before validation checks resolve. Such speculative
++memory accesses can leave side effects, creating side channels which
++leak information to the attacker.
++
++There are some extensions of Spectre variant 1 attacks for reading data
++over the network, see :ref:`[12] <spec_ref12>`. However such attacks
++are difficult, low bandwidth, fragile, and are considered low risk.
++
++Spectre variant 2 (Branch Target Injection)
++-------------------------------------------
++
++The branch target injection attack takes advantage of speculative
++execution of indirect branches :ref:`[3] <spec_ref3>`. The indirect
++branch predictors inside the processor used to guess the target of
++indirect branches can be influenced by an attacker, causing gadget code
++to be speculatively executed, thus exposing sensitive data touched by
++the victim. The side effects left in the CPU's caches during speculative
++execution can be measured to infer data values.
++
++.. _poison_btb:
++
++In Spectre variant 2 attacks, the attacker can steer speculative indirect
++branches in the victim to gadget code by poisoning the branch target
++buffer of a CPU used for predicting indirect branch addresses. Such
++poisoning could be done by indirect branching into existing code,
++with the address offset of the indirect branch under the attacker's
++control. Since the branch prediction on impacted hardware does not
++fully disambiguate branch address and uses the offset for prediction,
++this could cause privileged code's indirect branch to jump to a gadget
++code with the same offset.
++
++The most useful gadgets take an attacker-controlled input parameter (such
++as a register value) so that the memory read can be controlled. Gadgets
++without input parameters might be possible, but the attacker would have
++very little control over what memory can be read, reducing the risk of
++the attack revealing useful data.
++
++One other variant 2 attack vector is for the attacker to poison the
++return stack buffer (RSB) :ref:`[13] <spec_ref13>` to cause speculative
++subroutine return instruction execution to go to a gadget. An attacker's
++imbalanced subroutine call instructions might "poison" entries in the
++return stack buffer which are later consumed by a victim's subroutine
++return instructions. This attack can be mitigated by flushing the return
++stack buffer on context switch, or virtual machine (VM) exit.
++
++On systems with simultaneous multi-threading (SMT), attacks are possible
++from the sibling thread, as level 1 cache and branch target buffer
++(BTB) may be shared between hardware threads in a CPU core. A malicious
++program running on the sibling thread may influence its peer's BTB to
++steer its indirect branch speculations to gadget code, and measure the
++speculative execution's side effects left in level 1 cache to infer the
++victim's data.
++
++Attack scenarios
++----------------
++
++The following list of attack scenarios have been anticipated, but may
++not cover all possible attack vectors.
++
++1. A user process attacking the kernel
++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++ The attacker passes a parameter to the kernel via a register or
++ via a known address in memory during a syscall. Such parameter may
++ be used later by the kernel as an index to an array or to derive
++ a pointer for a Spectre variant 1 attack. The index or pointer
++ is invalid, but bound checks are bypassed in the code branch taken
++ for speculative execution. This could cause privileged memory to be
++ accessed and leaked.
++
++ For kernel code that has been identified where data pointers could
++ potentially be influenced for Spectre attacks, new "nospec" accessor
++ macros are used to prevent speculative loading of data.
++
++ Spectre variant 2 attacker can :ref:`poison <poison_btb>` the branch
++ target buffer (BTB) before issuing syscall to launch an attack.
++ After entering the kernel, the kernel could use the poisoned branch
++ target buffer on indirect jump and jump to gadget code in speculative
++ execution.
++
++ If an attacker tries to control the memory addresses leaked during
++ speculative execution, he would also need to pass a parameter to the
++ gadget, either through a register or a known address in memory. After
++ the gadget has executed, he can measure the side effect.
++
++ The kernel can protect itself against consuming poisoned branch
++ target buffer entries by using return trampolines (also known as
++ "retpoline") :ref:`[3] <spec_ref3>` :ref:`[9] <spec_ref9>` for all
++ indirect branches. Return trampolines trap speculative execution paths
++ to prevent jumping to gadget code during speculative execution.
++ x86 CPUs with Enhanced Indirect Branch Restricted Speculation
++ (Enhanced IBRS) available in hardware should use the feature to
++ mitigate Spectre variant 2 instead of retpoline. Enhanced IBRS is
++ more efficient than retpoline.
++
++ There may be gadget code in firmware which could be exploited with
++ Spectre variant 2 attack by a rogue user process. To mitigate such
++ attacks on x86, Indirect Branch Restricted Speculation (IBRS) feature
++ is turned on before the kernel invokes any firmware code.
++
++2. A user process attacking another user process
++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++ A malicious user process can try to attack another user process,
++ either via a context switch on the same hardware thread, or from the
++ sibling hyperthread sharing a physical processor core on simultaneous
++ multi-threading (SMT) system.
++
++ Spectre variant 1 attacks generally require passing parameters
++ between the processes, which needs a data passing relationship, such
++ as remote procedure calls (RPC). Those parameters are used in gadget
++ code to derive invalid data pointers accessing privileged memory in
++ the attacked process.
++
++ Spectre variant 2 attacks can be launched from a rogue process by
++ :ref:`poisoning <poison_btb>` the branch target buffer. This can
++ influence the indirect branch targets for a victim process that either
++ runs later on the same hardware thread, or running concurrently on
++ a sibling hardware thread sharing the same physical core.
++
++ A user process can protect itself against Spectre variant 2 attacks
++ by using the prctl() syscall to disable indirect branch speculation
++ for itself. An administrator can also cordon off an unsafe process
++ from polluting the branch target buffer by disabling the process's
++ indirect branch speculation. This comes with a performance cost
++ from not using indirect branch speculation and clearing the branch
++ target buffer. When SMT is enabled on x86, for a process that has
++ indirect branch speculation disabled, Single Threaded Indirect Branch
++ Predictors (STIBP) :ref:`[4] <spec_ref4>` are turned on to prevent the
++ sibling thread from controlling branch target buffer. In addition,
++ the Indirect Branch Prediction Barrier (IBPB) is issued to clear the
++ branch target buffer when context switching to and from such process.
++
++ On x86, the return stack buffer is stuffed on context switch.
++ This prevents the branch target buffer from being used for branch
++ prediction when the return stack buffer underflows while switching to
++ a deeper call stack. Any poisoned entries in the return stack buffer
++ left by the previous process will also be cleared.
++
++ User programs should use address space randomization to make attacks
++ more difficult (Set /proc/sys/kernel/randomize_va_space = 1 or 2).
++
++3. A virtualized guest attacking the host
++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++ The attack mechanism is similar to how user processes attack the
++ kernel. The kernel is entered via hyper-calls or other virtualization
++ exit paths.
++
++ For Spectre variant 1 attacks, rogue guests can pass parameters
++ (e.g. in registers) via hyper-calls to derive invalid pointers to
++ speculate into privileged memory after entering the kernel. For places
++ where such kernel code has been identified, nospec accessor macros
++ are used to stop speculative memory access.
++
++ For Spectre variant 2 attacks, rogue guests can :ref:`poison
++ <poison_btb>` the branch target buffer or return stack buffer, causing
++ the kernel to jump to gadget code in the speculative execution paths.
++
++ To mitigate variant 2, the host kernel can use return trampolines
++ for indirect branches to bypass the poisoned branch target buffer,
++ and flushing the return stack buffer on VM exit. This prevents rogue
++ guests from affecting indirect branching in the host kernel.
++
++ To protect host processes from rogue guests, host processes can have
++ indirect branch speculation disabled via prctl(). The branch target
++ buffer is cleared before context switching to such processes.
++
++4. A virtualized guest attacking other guest
++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++ A rogue guest may attack another guest to get data accessible by the
++ other guest.
++
++ Spectre variant 1 attacks are possible if parameters can be passed
++ between guests. This may be done via mechanisms such as shared memory
++ or message passing. Such parameters could be used to derive data
++ pointers to privileged data in guest. The privileged data could be
++ accessed by gadget code in the victim's speculation paths.
++
++ Spectre variant 2 attacks can be launched from a rogue guest by
++ :ref:`poisoning <poison_btb>` the branch target buffer or the return
++ stack buffer. Such poisoned entries could be used to influence
++ speculation execution paths in the victim guest.
++
++ Linux kernel mitigates attacks to other guests running in the same
++ CPU hardware thread by flushing the return stack buffer on VM exit,
++ and clearing the branch target buffer before switching to a new guest.
++
++ If SMT is used, Spectre variant 2 attacks from an untrusted guest
++ in the sibling hyperthread can be mitigated by the administrator,
++ by turning off the unsafe guest's indirect branch speculation via
++ prctl(). A guest can also protect itself by turning on microcode
++ based mitigations (such as IBPB or STIBP on x86) within the guest.
++
++.. _spectre_sys_info:
++
++Spectre system information
++--------------------------
++
++The Linux kernel provides a sysfs interface to enumerate the current
++mitigation status of the system for Spectre: whether the system is
++vulnerable, and which mitigations are active.
++
++The sysfs file showing Spectre variant 1 mitigation status is:
++
++ /sys/devices/system/cpu/vulnerabilities/spectre_v1
++
++The possible values in this file are:
++
++ ======================================= =================================
++ 'Mitigation: __user pointer sanitation' Protection in kernel on a case by
++ case base with explicit pointer
++ sanitation.
++ ======================================= =================================
++
++However, the protections are put in place on a case by case basis,
++and there is no guarantee that all possible attack vectors for Spectre
++variant 1 are covered.
++
++The spectre_v2 kernel file reports if the kernel has been compiled with
++retpoline mitigation or if the CPU has hardware mitigation, and if the
++CPU has support for additional process-specific mitigation.
++
++This file also reports CPU features enabled by microcode to mitigate
++attack between user processes:
++
++1. Indirect Branch Prediction Barrier (IBPB) to add additional
++ isolation between processes of different users.
++2. Single Thread Indirect Branch Predictors (STIBP) to add additional
++ isolation between CPU threads running on the same core.
++
++These CPU features may impact performance when used and can be enabled
++per process on a case-by-case base.
++
++The sysfs file showing Spectre variant 2 mitigation status is:
++
++ /sys/devices/system/cpu/vulnerabilities/spectre_v2
++
++The possible values in this file are:
++
++ - Kernel status:
++
++ ==================================== =================================
++ 'Not affected' The processor is not vulnerable
++ 'Vulnerable' Vulnerable, no mitigation
++ 'Mitigation: Full generic retpoline' Software-focused mitigation
++ 'Mitigation: Full AMD retpoline' AMD-specific software mitigation
++ 'Mitigation: Enhanced IBRS' Hardware-focused mitigation
++ ==================================== =================================
++
++ - Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is
++ used to protect against Spectre variant 2 attacks when calling firmware (x86 only).
++
++ ========== =============================================================
++ 'IBRS_FW' Protection against user program attacks when calling firmware
++ ========== =============================================================
++
++ - Indirect branch prediction barrier (IBPB) status for protection between
++ processes of different users. This feature can be controlled through
++ prctl() per process, or through kernel command line options. This is
++ an x86 only feature. For more details see below.
++
++ =================== ========================================================
++ 'IBPB: disabled' IBPB unused
++ 'IBPB: always-on' Use IBPB on all tasks
++ 'IBPB: conditional' Use IBPB on SECCOMP or indirect branch restricted tasks
++ =================== ========================================================
++
++ - Single threaded indirect branch prediction (STIBP) status for protection
++ between different hyper threads. This feature can be controlled through
++ prctl per process, or through kernel command line options. This is x86
++ only feature. For more details see below.
++
++ ==================== ========================================================
++ 'STIBP: disabled' STIBP unused
++ 'STIBP: forced' Use STIBP on all tasks
++ 'STIBP: conditional' Use STIBP on SECCOMP or indirect branch restricted tasks
++ ==================== ========================================================
++
++ - Return stack buffer (RSB) protection status:
++
++ ============= ===========================================
++ 'RSB filling' Protection of RSB on context switch enabled
++ ============= ===========================================
++
++Full mitigation might require a microcode update from the CPU
++vendor. When the necessary microcode is not available, the kernel will
++report vulnerability.
++
++Turning on mitigation for Spectre variant 1 and Spectre variant 2
++-----------------------------------------------------------------
++
++1. Kernel mitigation
++^^^^^^^^^^^^^^^^^^^^
++
++ For the Spectre variant 1, vulnerable kernel code (as determined
++ by code audit or scanning tools) is annotated on a case by case
++ basis to use nospec accessor macros for bounds clipping :ref:`[2]
++ <spec_ref2>` to avoid any usable disclosure gadgets. However, it may
++ not cover all attack vectors for Spectre variant 1.
++
++ For Spectre variant 2 mitigation, the compiler turns indirect calls or
++ jumps in the kernel into equivalent return trampolines (retpolines)
++ :ref:`[3] <spec_ref3>` :ref:`[9] <spec_ref9>` to go to the target
++ addresses. Speculative execution paths under retpolines are trapped
++ in an infinite loop to prevent any speculative execution jumping to
++ a gadget.
++
++ To turn on retpoline mitigation on a vulnerable CPU, the kernel
++ needs to be compiled with a gcc compiler that supports the
++ -mindirect-branch=thunk-extern -mindirect-branch-register options.
++ If the kernel is compiled with a Clang compiler, the compiler needs
++ to support -mretpoline-external-thunk option. The kernel config
++ CONFIG_RETPOLINE needs to be turned on, and the CPU needs to run with
++ the latest updated microcode.
++
++ On Intel Skylake-era systems the mitigation covers most, but not all,
++ cases. See :ref:`[3] <spec_ref3>` for more details.
++
++ On CPUs with hardware mitigation for Spectre variant 2 (e.g. Enhanced
++ IBRS on x86), retpoline is automatically disabled at run time.
++
++ The retpoline mitigation is turned on by default on vulnerable
++ CPUs. It can be forced on or off by the administrator
++ via the kernel command line and sysfs control files. See
++ :ref:`spectre_mitigation_control_command_line`.
++
++ On x86, indirect branch restricted speculation is turned on by default
++ before invoking any firmware code to prevent Spectre variant 2 exploits
++ using the firmware.
++
++ Using kernel address space randomization (CONFIG_RANDOMIZE_SLAB=y
++ and CONFIG_SLAB_FREELIST_RANDOM=y in the kernel configuration) makes
++ attacks on the kernel generally more difficult.
++
++2. User program mitigation
++^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++ User programs can mitigate Spectre variant 1 using LFENCE or "bounds
++ clipping". For more details see :ref:`[2] <spec_ref2>`.
++
++ For Spectre variant 2 mitigation, individual user programs
++ can be compiled with return trampolines for indirect branches.
++ This protects them from consuming poisoned entries in the branch
++ target buffer left by malicious software. Alternatively, the
++ programs can disable their indirect branch speculation via prctl()
++ (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
++ On x86, this will turn on STIBP to guard against attacks from the
++ sibling thread when the user program is running, and use IBPB to
++ flush the branch target buffer when switching to/from the program.
++
++ Restricting indirect branch speculation on a user program will
++ also prevent the program from launching a variant 2 attack
++ on x86. All sand-boxed SECCOMP programs have indirect branch
++ speculation restricted by default. Administrators can change
++ that behavior via the kernel command line and sysfs control files.
++ See :ref:`spectre_mitigation_control_command_line`.
++
++ Programs that disable their indirect branch speculation will have
++ more overhead and run slower.
++
++ User programs should use address space randomization
++ (/proc/sys/kernel/randomize_va_space = 1 or 2) to make attacks more
++ difficult.
++
++3. VM mitigation
++^^^^^^^^^^^^^^^^
++
++ Within the kernel, Spectre variant 1 attacks from rogue guests are
++ mitigated on a case by case basis in VM exit paths. Vulnerable code
++ uses nospec accessor macros for "bounds clipping", to avoid any
++ usable disclosure gadgets. However, this may not cover all variant
++ 1 attack vectors.
++
++ For Spectre variant 2 attacks from rogue guests to the kernel, the
++ Linux kernel uses retpoline or Enhanced IBRS to prevent consumption of
++ poisoned entries in branch target buffer left by rogue guests. It also
++ flushes the return stack buffer on every VM exit to prevent a return
++ stack buffer underflow so poisoned branch target buffer could be used,
++ or attacker guests leaving poisoned entries in the return stack buffer.
++
++ To mitigate guest-to-guest attacks in the same CPU hardware thread,
++ the branch target buffer is sanitized by flushing before switching
++ to a new guest on a CPU.
++
++ The above mitigations are turned on by default on vulnerable CPUs.
++
++ To mitigate guest-to-guest attacks from sibling thread when SMT is
++ in use, an untrusted guest running in the sibling thread can have
++ its indirect branch speculation disabled by administrator via prctl().
++
++ The kernel also allows guests to use any microcode based mitigation
++ they choose to use (such as IBPB or STIBP on x86) to protect themselves.
++
++.. _spectre_mitigation_control_command_line:
++
++Mitigation control on the kernel command line
++---------------------------------------------
++
++Spectre variant 2 mitigation can be disabled or force enabled at the
++kernel command line.
++
++ nospectre_v2
++
++ [X86] Disable all mitigations for the Spectre variant 2
++ (indirect branch prediction) vulnerability. System may
++ allow data leaks with this option, which is equivalent
++ to spectre_v2=off.
++
++
++ spectre_v2=
++
++ [X86] Control mitigation of Spectre variant 2
++ (indirect branch speculation) vulnerability.
++ The default operation protects the kernel from
++ user space attacks.
++
++ on
++ unconditionally enable, implies
++ spectre_v2_user=on
++ off
++ unconditionally disable, implies
++ spectre_v2_user=off
++ auto
++ kernel detects whether your CPU model is
++ vulnerable
++
++ Selecting 'on' will, and 'auto' may, choose a
++ mitigation method at run time according to the
++ CPU, the available microcode, the setting of the
++ CONFIG_RETPOLINE configuration option, and the
++ compiler with which the kernel was built.
++
++ Selecting 'on' will also enable the mitigation
++ against user space to user space task attacks.
++
++ Selecting 'off' will disable both the kernel and
++ the user space protections.
++
++ Specific mitigations can also be selected manually:
++
++ retpoline
++ replace indirect branches
++ retpoline,generic
++ google's original retpoline
++ retpoline,amd
++ AMD-specific minimal thunk
++
++ Not specifying this option is equivalent to
++ spectre_v2=auto.
++
++For user space mitigation:
++
++ spectre_v2_user=
++
++ [X86] Control mitigation of Spectre variant 2
++ (indirect branch speculation) vulnerability between
++ user space tasks
++
++ on
++ Unconditionally enable mitigations. Is
++ enforced by spectre_v2=on
++
++ off
++ Unconditionally disable mitigations. Is
++ enforced by spectre_v2=off
++
++ prctl
++ Indirect branch speculation is enabled,
++ but mitigation can be enabled via prctl
++ per thread. The mitigation control state
++ is inherited on fork.
++
++ prctl,ibpb
++ Like "prctl" above, but only STIBP is
++ controlled per thread. IBPB is issued
++ always when switching between different user
++ space processes.
++
++ seccomp
++ Same as "prctl" above, but all seccomp
++ threads will enable the mitigation unless
++ they explicitly opt out.
++
++ seccomp,ibpb
++ Like "seccomp" above, but only STIBP is
++ controlled per thread. IBPB is issued
++ always when switching between different
++ user space processes.
++
++ auto
++ Kernel selects the mitigation depending on
++ the available CPU features and vulnerability.
++
++ Default mitigation:
++ If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl"
++
++ Not specifying this option is equivalent to
++ spectre_v2_user=auto.
++
++ In general the kernel by default selects
++ reasonable mitigations for the current CPU. To
++ disable Spectre variant 2 mitigations, boot with
++ spectre_v2=off. Spectre variant 1 mitigations
++ cannot be disabled.
++
++Mitigation selection guide
++--------------------------
++
++1. Trusted userspace
++^^^^^^^^^^^^^^^^^^^^
++
++ If all userspace applications are from trusted sources and do not
++ execute externally supplied untrusted code, then the mitigations can
++ be disabled.
++
++2. Protect sensitive programs
++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++ For security-sensitive programs that have secrets (e.g. crypto
++ keys), protection against Spectre variant 2 can be put in place by
++ disabling indirect branch speculation when the program is running
++ (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
++
++3. Sandbox untrusted programs
++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
++
++ Untrusted programs that could be a source of attacks can be cordoned
++ off by disabling their indirect branch speculation when they are run
++ (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
++ This prevents untrusted programs from polluting the branch target
++ buffer. All programs running in SECCOMP sandboxes have indirect
++ branch speculation restricted by default. This behavior can be
++ changed via the kernel command line and sysfs control files. See
++ :ref:`spectre_mitigation_control_command_line`.
++
++3. High security mode
++^^^^^^^^^^^^^^^^^^^^^
++
++ All Spectre variant 2 mitigations can be forced on
++ at boot time for all programs (See the "on" option in
++ :ref:`spectre_mitigation_control_command_line`). This will add
++ overhead as indirect branch speculations for all programs will be
++ restricted.
++
++ On x86, branch target buffer will be flushed with IBPB when switching
++ to a new program. STIBP is left on all the time to protect programs
++ against variant 2 attacks originating from programs running on
++ sibling threads.
++
++ Alternatively, STIBP can be used only when running programs
++ whose indirect branch speculation is explicitly disabled,
++ while IBPB is still used all the time when switching to a new
++ program to clear the branch target buffer (See "ibpb" option in
++ :ref:`spectre_mitigation_control_command_line`). This "ibpb" option
++ has less performance cost than the "on" option, which leaves STIBP
++ on all the time.
++
++References on Spectre
++---------------------
++
++Intel white papers:
++
++.. _spec_ref1:
++
++[1] `Intel analysis of speculative execution side channels <https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf>`_.
++
++.. _spec_ref2:
++
++[2] `Bounds check bypass <https://software.intel.com/security-software-guidance/software-guidance/bounds-check-bypass>`_.
++
++.. _spec_ref3:
++
++[3] `Deep dive: Retpoline: A branch target injection mitigation <https://software.intel.com/security-software-guidance/insights/deep-dive-retpoline-branch-target-injection-mitigation>`_.
++
++.. _spec_ref4:
++
++[4] `Deep Dive: Single Thread Indirect Branch Predictors <https://software.intel.com/security-software-guidance/insights/deep-dive-single-thread-indirect-branch-predictors>`_.
++
++AMD white papers:
++
++.. _spec_ref5:
++
++[5] `AMD64 technology indirect branch control extension <https://developer.amd.com/wp-content/resources/Architecture_Guidelines_Update_Indirect_Branch_Control.pdf>`_.
++
++.. _spec_ref6:
++
++[6] `Software techniques for managing speculation on AMD processors <https://developer.amd.com/wp-content/resources/90343-B_SoftwareTechniquesforManagingSpeculation_WP_7-18Update_FNL.pdf>`_.
++
++ARM white papers:
++
++.. _spec_ref7:
++
++[7] `Cache speculation side-channels <https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/download-the-whitepaper>`_.
++
++.. _spec_ref8:
++
++[8] `Cache speculation issues update <https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/latest-updates/cache-speculation-issues-update>`_.
++
++Google white paper:
++
++.. _spec_ref9:
++
++[9] `Retpoline: a software construct for preventing branch-target-injection <https://support.google.com/faqs/answer/7625886>`_.
++
++MIPS white paper:
++
++.. _spec_ref10:
++
++[10] `MIPS: response on speculative execution and side channel vulnerabilities <https://www.mips.com/blog/mips-response-on-speculative-execution-and-side-channel-vulnerabilities/>`_.
++
++Academic papers:
++
++.. _spec_ref11:
++
++[11] `Spectre Attacks: Exploiting Speculative Execution <https://spectreattack.com/spectre.pdf>`_.
++
++.. _spec_ref12:
++
++[12] `NetSpectre: Read Arbitrary Memory over Network <https://arxiv.org/abs/1807.10535>`_.
++
++.. _spec_ref13:
++
++[13] `Spectre Returns! Speculation Attacks using the Return Stack Buffer <https://www.usenix.org/system/files/conference/woot18/woot18-paper-koruyeh.pdf>`_.
+diff --git a/Documentation/userspace-api/spec_ctrl.rst b/Documentation/userspace-api/spec_ctrl.rst
+index 1129c7550a48..7ddd8f667459 100644
+--- a/Documentation/userspace-api/spec_ctrl.rst
++++ b/Documentation/userspace-api/spec_ctrl.rst
+@@ -49,6 +49,8 @@ If PR_SPEC_PRCTL is set, then the per-task control of the mitigation is
+ available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
+ misfeature will fail.
+
++.. _set_spec_ctrl:
++
+ PR_SET_SPECULATION_CTRL
+ -----------------------
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-021-Documentation-admin-Remove-the-vsyscall-native-.patch b/patches.kernel.org/5.2.1-021-Documentation-admin-Remove-the-vsyscall-native-.patch
new file mode 100644
index 0000000000..66596d3ce7
--- /dev/null
+++ b/patches.kernel.org/5.2.1-021-Documentation-admin-Remove-the-vsyscall-native-.patch
@@ -0,0 +1,48 @@
+From: Andy Lutomirski <luto@kernel.org>
+Date: Wed, 26 Jun 2019 21:45:02 -0700
+Subject: [PATCH] Documentation/admin: Remove the vsyscall=native documentation
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: d974ffcfb7447db5f29a4b662a3eaf99a4e1109e
+
+commit d974ffcfb7447db5f29a4b662a3eaf99a4e1109e upstream.
+
+The vsyscall=native feature is gone -- remove the docs.
+
+Fixes: 076ca272a14c ("x86/vsyscall/64: Drop "native" vsyscalls")
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Florian Weimer <fweimer@redhat.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: stable@vger.kernel.org
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Kernel Hardening <kernel-hardening@lists.openwall.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/d77c7105eb4c57c1a95a95b6a5b8ba194a18e764.1561610354.git.luto@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ Documentation/admin-guide/kernel-parameters.txt | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index 138f6664b2e2..0082d1e56999 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -5102,12 +5102,6 @@
+ emulate [default] Vsyscalls turn into traps and are
+ emulated reasonably safely.
+
+- native Vsyscalls are native syscall instructions.
+- This is a little bit faster than trapping
+- and makes a few dynamic recompilers work
+- better than they would in emulation mode.
+- It also makes exploits much easier to write.
+-
+ none Vsyscalls don't work at all. This makes
+ them quite hard to use for exploits but
+ might break your system.
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-022-mwifiex-Don-t-abort-on-small-spec-compliant-ven.patch b/patches.kernel.org/5.2.1-022-mwifiex-Don-t-abort-on-small-spec-compliant-ven.patch
new file mode 100644
index 0000000000..1e9cb582dc
--- /dev/null
+++ b/patches.kernel.org/5.2.1-022-mwifiex-Don-t-abort-on-small-spec-compliant-ven.patch
@@ -0,0 +1,150 @@
+From: Brian Norris <briannorris@chromium.org>
+Date: Fri, 14 Jun 2019 17:13:20 -0700
+Subject: [PATCH] mwifiex: Don't abort on small, spec-compliant vendor IEs
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 63d7ef36103d26f20325a921ecc96a3288560146
+
+commit 63d7ef36103d26f20325a921ecc96a3288560146 upstream.
+
+Per the 802.11 specification, vendor IEs are (at minimum) only required
+to contain an OUI. A type field is also included in ieee80211.h (struct
+ieee80211_vendor_ie) but doesn't appear in the specification. The
+remaining fields (subtype, version) are a convention used in WMM
+headers.
+
+Thus, we should not reject vendor-specific IEs that have only the
+minimum length (3 bytes) -- we should skip over them (since we only want
+to match longer IEs, that match either WMM or WPA formats). We can
+reject elements that don't have the minimum-required 3 byte OUI.
+
+While we're at it, move the non-standard subtype and version fields into
+the WMM structs, to avoid this confusion in the future about generic
+"vendor header" attributes.
+
+Fixes: 685c9b7750bf ("mwifiex: Abort at too short BSS descriptor element")
+Cc: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/wireless/marvell/mwifiex/fw.h | 12 +++++++++---
+ drivers/net/wireless/marvell/mwifiex/scan.c | 18 +++++++++++-------
+ .../net/wireless/marvell/mwifiex/sta_ioctl.c | 4 ++--
+ drivers/net/wireless/marvell/mwifiex/wmm.c | 2 +-
+ 4 files changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h
+index b73f99dc5a72..1fb76d2f5d3f 100644
+--- a/drivers/net/wireless/marvell/mwifiex/fw.h
++++ b/drivers/net/wireless/marvell/mwifiex/fw.h
+@@ -1759,9 +1759,10 @@ struct mwifiex_ie_types_wmm_queue_status {
+ struct ieee_types_vendor_header {
+ u8 element_id;
+ u8 len;
+- u8 oui[4]; /* 0~2: oui, 3: oui_type */
+- u8 oui_subtype;
+- u8 version;
++ struct {
++ u8 oui[3];
++ u8 oui_type;
++ } __packed oui;
+ } __packed;
+
+ struct ieee_types_wmm_parameter {
+@@ -1775,6 +1776,9 @@ struct ieee_types_wmm_parameter {
+ * Version [1]
+ */
+ struct ieee_types_vendor_header vend_hdr;
++ u8 oui_subtype;
++ u8 version;
++
+ u8 qos_info_bitmap;
+ u8 reserved;
+ struct ieee_types_wmm_ac_parameters ac_params[IEEE80211_NUM_ACS];
+@@ -1792,6 +1796,8 @@ struct ieee_types_wmm_info {
+ * Version [1]
+ */
+ struct ieee_types_vendor_header vend_hdr;
++ u8 oui_subtype;
++ u8 version;
+
+ u8 qos_info_bitmap;
+ } __packed;
+diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
+index c269a0de9413..e2786ab612ca 100644
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -1361,21 +1361,25 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
+ break;
+
+ case WLAN_EID_VENDOR_SPECIFIC:
+- if (element_len + 2 < sizeof(vendor_ie->vend_hdr))
+- return -EINVAL;
+-
+ vendor_ie = (struct ieee_types_vendor_specific *)
+ current_ptr;
+
+- if (!memcmp
+- (vendor_ie->vend_hdr.oui, wpa_oui,
+- sizeof(wpa_oui))) {
++ /* 802.11 requires at least 3-byte OUI. */
++ if (element_len < sizeof(vendor_ie->vend_hdr.oui.oui))
++ return -EINVAL;
++
++ /* Not long enough for a match? Skip it. */
++ if (element_len < sizeof(wpa_oui))
++ break;
++
++ if (!memcmp(&vendor_ie->vend_hdr.oui, wpa_oui,
++ sizeof(wpa_oui))) {
+ bss_entry->bcn_wpa_ie =
+ (struct ieee_types_vendor_specific *)
+ current_ptr;
+ bss_entry->wpa_offset = (u16)
+ (current_ptr - bss_entry->beacon_buf);
+- } else if (!memcmp(vendor_ie->vend_hdr.oui, wmm_oui,
++ } else if (!memcmp(&vendor_ie->vend_hdr.oui, wmm_oui,
+ sizeof(wmm_oui))) {
+ if (total_ie_len ==
+ sizeof(struct ieee_types_wmm_parameter) ||
+diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+index ebc0e41e5d3b..74e50566db1f 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
++++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+@@ -1351,7 +1351,7 @@ mwifiex_set_gen_ie_helper(struct mwifiex_private *priv, u8 *ie_data_ptr,
+ /* Test to see if it is a WPA IE, if not, then
+ * it is a gen IE
+ */
+- if (!memcmp(pvendor_ie->oui, wpa_oui,
++ if (!memcmp(&pvendor_ie->oui, wpa_oui,
+ sizeof(wpa_oui))) {
+ /* IE is a WPA/WPA2 IE so call set_wpa function
+ */
+@@ -1361,7 +1361,7 @@ mwifiex_set_gen_ie_helper(struct mwifiex_private *priv, u8 *ie_data_ptr,
+ goto next_ie;
+ }
+
+- if (!memcmp(pvendor_ie->oui, wps_oui,
++ if (!memcmp(&pvendor_ie->oui, wps_oui,
+ sizeof(wps_oui))) {
+ /* Test to see if it is a WPS IE,
+ * if so, enable wps session flag
+diff --git a/drivers/net/wireless/marvell/mwifiex/wmm.c b/drivers/net/wireless/marvell/mwifiex/wmm.c
+index 407b9932ca4d..64916ba15df5 100644
+--- a/drivers/net/wireless/marvell/mwifiex/wmm.c
++++ b/drivers/net/wireless/marvell/mwifiex/wmm.c
+@@ -240,7 +240,7 @@ mwifiex_wmm_setup_queue_priorities(struct mwifiex_private *priv,
+ mwifiex_dbg(priv->adapter, INFO,
+ "info: WMM Parameter IE: version=%d,\t"
+ "qos_info Parameter Set Count=%d, Reserved=%#x\n",
+- wmm_ie->vend_hdr.version, wmm_ie->qos_info_bitmap &
++ wmm_ie->version, wmm_ie->qos_info_bitmap &
+ IEEE80211_WMM_IE_AP_QOSINFO_PARAM_SET_CNT_MASK,
+ wmm_ie->reserved);
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-023-USB-serial-ftdi_sio-add-ID-for-isodebug-v1.patch b/patches.kernel.org/5.2.1-023-USB-serial-ftdi_sio-add-ID-for-isodebug-v1.patch
new file mode 100644
index 0000000000..ff29b3bcdb
--- /dev/null
+++ b/patches.kernel.org/5.2.1-023-USB-serial-ftdi_sio-add-ID-for-isodebug-v1.patch
@@ -0,0 +1,51 @@
+From: Andreas Fritiofson <andreas.fritiofson@unjo.com>
+Date: Fri, 28 Jun 2019 15:08:34 +0200
+Subject: [PATCH] USB: serial: ftdi_sio: add ID for isodebug v1
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: f8377eff548170e8ea8022c067a1fbdf9e1c46a8
+
+commit f8377eff548170e8ea8022c067a1fbdf9e1c46a8 upstream.
+
+This adds the vid:pid of the isodebug v1 isolated JTAG/SWD+UART. Only the
+second channel is available for use as a serial port.
+
+Signed-off-by: Andreas Fritiofson <andreas.fritiofson@unjo.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/serial/ftdi_sio.c | 1 +
+ drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+index 1d8461ae2c34..23669a584bae 100644
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1029,6 +1029,7 @@ static const struct usb_device_id id_table_combined[] = {
+ { USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR) },
+ /* EZPrototypes devices */
+ { USB_DEVICE(EZPROTOTYPES_VID, HJELMSLUND_USB485_ISO_PID) },
++ { USB_DEVICE_INTERFACE_NUMBER(UNJO_VID, UNJO_ISODEBUG_V1_PID, 1) },
+ { } /* Terminating entry */
+ };
+
+diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
+index 5755f0df0025..f12d806220b4 100644
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -1543,3 +1543,9 @@
+ #define CHETCO_SEASMART_DISPLAY_PID 0xA5AD /* SeaSmart NMEA2000 Display */
+ #define CHETCO_SEASMART_LITE_PID 0xA5AE /* SeaSmart Lite USB Adapter */
+ #define CHETCO_SEASMART_ANALOG_PID 0xA5AF /* SeaSmart Analog Adapter */
++
++/*
++ * Unjo AB
++ */
++#define UNJO_VID 0x22B7
++#define UNJO_ISODEBUG_V1_PID 0x150D
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-024-USB-serial-option-add-support-for-GosunCn-ME363.patch b/patches.kernel.org/5.2.1-024-USB-serial-option-add-support-for-GosunCn-ME363.patch
new file mode 100644
index 0000000000..3b2bb20ed5
--- /dev/null
+++ b/patches.kernel.org/5.2.1-024-USB-serial-option-add-support-for-GosunCn-ME363.patch
@@ -0,0 +1,52 @@
+From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= <jorgen.storvist@gmail.com>
+Date: Wed, 19 Jun 2019 00:30:19 +0200
+Subject: [PATCH] USB: serial: option: add support for GosunCn ME3630 RNDIS
+ mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: aed2a26283528fb69c38e414f649411aa48fb391
+
+commit aed2a26283528fb69c38e414f649411aa48fb391 upstream.
+
+Added USB IDs for GosunCn ME3630 cellular module in RNDIS mode.
+
+T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=03 Dev#= 18 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=19d2 ProdID=0601 Rev=03.18
+S: Manufacturer=Android
+S: Product=Android
+S: SerialNumber=b950269c
+C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#=0x0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host
+I: If#=0x1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
+I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+
+Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/serial/option.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index a0aaf0635359..c1582fbd1150 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1343,6 +1343,7 @@ static const struct usb_device_id option_ids[] = {
+ .driver_info = RSVD(4) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0414, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0417, 0xff, 0xff, 0xff) },
++ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x0601, 0xff) }, /* GosunCn ZTE WeLink ME3630 (RNDIS mode) */
+ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x0602, 0xff) }, /* GosunCn ZTE WeLink ME3630 (MBIM mode) */
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1008, 0xff, 0xff, 0xff),
+ .driver_info = RSVD(4) },
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-025-Revert-serial-8250-Don-t-service-RX-FIFO-if-int.patch b/patches.kernel.org/5.2.1-025-Revert-serial-8250-Don-t-service-RX-FIFO-if-int.patch
new file mode 100644
index 0000000000..8d30b409c4
--- /dev/null
+++ b/patches.kernel.org/5.2.1-025-Revert-serial-8250-Don-t-service-RX-FIFO-if-int.patch
@@ -0,0 +1,45 @@
+From: Oliver Barta <o.barta89@gmail.com>
+Date: Wed, 19 Jun 2019 10:16:39 +0200
+Subject: [PATCH] Revert "serial: 8250: Don't service RX FIFO if interrupts are
+ disabled"
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 3f2640ed7be838c3f05c0d2b0f7c7508e7431e48
+
+commit 3f2640ed7be838c3f05c0d2b0f7c7508e7431e48 upstream.
+
+This reverts commit 2e9fe539108320820016f78ca7704a7342788380.
+
+Reading LSR unconditionally but processing the error flags only if
+UART_IIR_RDI bit was set before in IIR may lead to a loss of transmission
+error information on UARTs where the transmission error flags are cleared
+by a read of LSR. Information are lost in case an error is detected right
+before the read of LSR while processing e.g. an UART_IIR_THRI interrupt.
+
+Signed-off-by: Oliver Barta <o.barta89@gmail.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Fixes: 2e9fe5391083 ("serial: 8250: Don't service RX FIFO if interrupts are disabled")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/tty/serial/8250/8250_port.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
+index d2f3310abe54..682300713be4 100644
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -1869,8 +1869,7 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir)
+
+ status = serial_port_in(port, UART_LSR);
+
+- if (status & (UART_LSR_DR | UART_LSR_BI) &&
+- iir & UART_IIR_RDI) {
++ if (status & (UART_LSR_DR | UART_LSR_BI)) {
+ if (!up->dma || handle_rx_dma(up, iir))
+ status = serial8250_rx_chars(up, status);
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-026-p54usb-Fix-race-between-disconnect-and-firmware.patch b/patches.kernel.org/5.2.1-026-p54usb-Fix-race-between-disconnect-and-firmware.patch
new file mode 100644
index 0000000000..683691a8ee
--- /dev/null
+++ b/patches.kernel.org/5.2.1-026-p54usb-Fix-race-between-disconnect-and-firmware.patch
@@ -0,0 +1,179 @@
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 20 May 2019 10:44:21 -0400
+Subject: [PATCH] p54usb: Fix race between disconnect and firmware loading
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 6e41e2257f1094acc37618bf6c856115374c6922
+
+commit 6e41e2257f1094acc37618bf6c856115374c6922 upstream.
+
+The syzbot fuzzer found a bug in the p54 USB wireless driver. The
+issue involves a race between disconnect and the firmware-loader
+callback routine, and it has several aspects.
+
+One big problem is that when the firmware can't be loaded, the
+callback routine tries to unbind the driver from the USB _device_ (by
+calling device_release_driver) instead of from the USB _interface_ to
+which it is actually bound (by calling usb_driver_release_interface).
+
+The race involves access to the private data structure. The driver's
+disconnect handler waits for a completion that is signalled by the
+firmware-loader callback routine. As soon as the completion is
+signalled, you have to assume that the private data structure may have
+been deallocated by the disconnect handler -- even if the firmware was
+loaded without errors. However, the callback routine does access the
+private data several times after that point.
+
+Another problem is that, in order to ensure that the USB device
+structure hasn't been freed when the callback routine runs, the driver
+takes a reference to it. This isn't good enough any more, because now
+that the callback routine calls usb_driver_release_interface, it has
+to ensure that the interface structure hasn't been freed.
+
+Finally, the driver takes an unnecessary reference to the USB device
+structure in the probe function and drops the reference in the
+disconnect handler. This extra reference doesn't accomplish anything,
+because the USB core already guarantees that a device structure won't
+be deallocated while a driver is still bound to any of its interfaces.
+
+To fix these problems, this patch makes the following changes:
+
+ Call usb_driver_release_interface() rather than
+ device_release_driver().
+
+ Don't signal the completion until after the important
+ information has been copied out of the private data structure,
+ and don't refer to the private data at all thereafter.
+
+ Lock udev (the interface's parent) before unbinding the driver
+ instead of locking udev->parent.
+
+ During the firmware loading process, take a reference to the
+ USB interface instead of the USB device.
+
+ Don't take an unnecessary reference to the device during probe
+ (and then don't drop it during disconnect).
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: syzbot+200d4bb11b23d929335f@syzkaller.appspotmail.com
+CC: <stable@vger.kernel.org>
+Acked-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/wireless/intersil/p54/p54usb.c | 43 +++++++++-------------
+ 1 file changed, 18 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/net/wireless/intersil/p54/p54usb.c b/drivers/net/wireless/intersil/p54/p54usb.c
+index f937815f0f2c..b94764c88750 100644
+--- a/drivers/net/wireless/intersil/p54/p54usb.c
++++ b/drivers/net/wireless/intersil/p54/p54usb.c
+@@ -30,6 +30,8 @@ MODULE_ALIAS("prism54usb");
+ MODULE_FIRMWARE("isl3886usb");
+ MODULE_FIRMWARE("isl3887usb");
+
++static struct usb_driver p54u_driver;
++
+ /*
+ * Note:
+ *
+@@ -918,9 +920,9 @@ static void p54u_load_firmware_cb(const struct firmware *firmware,
+ {
+ struct p54u_priv *priv = context;
+ struct usb_device *udev = priv->udev;
++ struct usb_interface *intf = priv->intf;
+ int err;
+
+- complete(&priv->fw_wait_load);
+ if (firmware) {
+ priv->fw = firmware;
+ err = p54u_start_ops(priv);
+@@ -929,26 +931,22 @@ static void p54u_load_firmware_cb(const struct firmware *firmware,
+ dev_err(&udev->dev, "Firmware not found.\n");
+ }
+
+- if (err) {
+- struct device *parent = priv->udev->dev.parent;
+-
+- dev_err(&udev->dev, "failed to initialize device (%d)\n", err);
+-
+- if (parent)
+- device_lock(parent);
++ complete(&priv->fw_wait_load);
++ /*
++ * At this point p54u_disconnect may have already freed
++ * the "priv" context. Do not use it anymore!
++ */
++ priv = NULL;
+
+- device_release_driver(&udev->dev);
+- /*
+- * At this point p54u_disconnect has already freed
+- * the "priv" context. Do not use it anymore!
+- */
+- priv = NULL;
++ if (err) {
++ dev_err(&intf->dev, "failed to initialize device (%d)\n", err);
+
+- if (parent)
+- device_unlock(parent);
++ usb_lock_device(udev);
++ usb_driver_release_interface(&p54u_driver, intf);
++ usb_unlock_device(udev);
+ }
+
+- usb_put_dev(udev);
++ usb_put_intf(intf);
+ }
+
+ static int p54u_load_firmware(struct ieee80211_hw *dev,
+@@ -969,14 +967,14 @@ static int p54u_load_firmware(struct ieee80211_hw *dev,
+ dev_info(&priv->udev->dev, "Loading firmware file %s\n",
+ p54u_fwlist[i].fw);
+
+- usb_get_dev(udev);
++ usb_get_intf(intf);
+ err = request_firmware_nowait(THIS_MODULE, 1, p54u_fwlist[i].fw,
+ device, GFP_KERNEL, priv,
+ p54u_load_firmware_cb);
+ if (err) {
+ dev_err(&priv->udev->dev, "(p54usb) cannot load firmware %s "
+ "(%d)!\n", p54u_fwlist[i].fw, err);
+- usb_put_dev(udev);
++ usb_put_intf(intf);
+ }
+
+ return err;
+@@ -1008,8 +1006,6 @@ static int p54u_probe(struct usb_interface *intf,
+ skb_queue_head_init(&priv->rx_queue);
+ init_usb_anchor(&priv->submitted);
+
+- usb_get_dev(udev);
+-
+ /* really lazy and simple way of figuring out if we're a 3887 */
+ /* TODO: should just stick the identification in the device table */
+ i = intf->altsetting->desc.bNumEndpoints;
+@@ -1050,10 +1046,8 @@ static int p54u_probe(struct usb_interface *intf,
+ priv->upload_fw = p54u_upload_firmware_net2280;
+ }
+ err = p54u_load_firmware(dev, intf);
+- if (err) {
+- usb_put_dev(udev);
++ if (err)
+ p54_free_common(dev);
+- }
+ return err;
+ }
+
+@@ -1069,7 +1063,6 @@ static void p54u_disconnect(struct usb_interface *intf)
+ wait_for_completion(&priv->fw_wait_load);
+ p54_unregister_common(dev);
+
+- usb_put_dev(interface_to_usbdev(intf));
+ release_firmware(priv->fw);
+ p54_free_common(dev);
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-027-usb-gadget-f_fs-data_len-used-before-properly-s.patch b/patches.kernel.org/5.2.1-027-usb-gadget-f_fs-data_len-used-before-properly-s.patch
new file mode 100644
index 0000000000..4889298405
--- /dev/null
+++ b/patches.kernel.org/5.2.1-027-usb-gadget-f_fs-data_len-used-before-properly-s.patch
@@ -0,0 +1,54 @@
+From: Fei Yang <fei.yang@intel.com>
+Date: Wed, 12 Jun 2019 15:13:26 -0700
+Subject: [PATCH] usb: gadget: f_fs: data_len used before properly set
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 4833a94eb383f5b22775077ff92ddaae90440921
+
+commit 4833a94eb383f5b22775077ff92ddaae90440921 upstream.
+
+The following line of code in function ffs_epfile_io is trying to set
+flag io_data->use_sg in case buffer required is larger than one page.
+
+ io_data->use_sg = gadget->sg_supported && data_len > PAGE_SIZE;
+
+However at this point of time the variable data_len has not been set
+to the proper buffer size yet. The consequence is that io_data->use_sg
+is always set regardless what buffer size really is, because the condition
+(data_len > PAGE_SIZE) is effectively an unsigned comparison between
+-EINVAL and PAGE_SIZE which would always result in TRUE.
+
+Fixes: 772a7a724f69 ("usb: gadget: f_fs: Allow scatter-gather buffers")
+Signed-off-by: Fei Yang <fei.yang@intel.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/gadget/function/f_fs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index 47be961f1bf3..c7ed90084d1a 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -997,7 +997,6 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
+ * earlier
+ */
+ gadget = epfile->ffs->gadget;
+- io_data->use_sg = gadget->sg_supported && data_len > PAGE_SIZE;
+
+ spin_lock_irq(&epfile->ffs->eps_lock);
+ /* In the meantime, endpoint got disabled or changed. */
+@@ -1012,6 +1011,8 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
+ */
+ if (io_data->read)
+ data_len = usb_ep_align_maybe(gadget, ep->ep, data_len);
++
++ io_data->use_sg = gadget->sg_supported && data_len > PAGE_SIZE;
+ spin_unlock_irq(&epfile->ffs->eps_lock);
+
+ data = ffs_alloc_buffer(io_data, data_len);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-028-usb-gadget-ether-Fix-race-between-gether_discon.patch b/patches.kernel.org/5.2.1-028-usb-gadget-ether-Fix-race-between-gether_discon.patch
new file mode 100644
index 0000000000..21bcd78628
--- /dev/null
+++ b/patches.kernel.org/5.2.1-028-usb-gadget-ether-Fix-race-between-gether_discon.patch
@@ -0,0 +1,56 @@
+From: Kiruthika Varadarajan <Kiruthika.Varadarajan@harman.com>
+Date: Tue, 18 Jun 2019 08:39:06 +0000
+Subject: [PATCH] usb: gadget: ether: Fix race between gether_disconnect and
+ rx_submit
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: d29fcf7078bc8be2b6366cbd4418265b53c94fac
+
+commit d29fcf7078bc8be2b6366cbd4418265b53c94fac upstream.
+
+On spin lock release in rx_submit, gether_disconnect get a chance to
+run, it makes port_usb NULL, rx_submit access NULL port USB, hence null
+pointer crash.
+
+Fixed by releasing the lock in rx_submit after port_usb is used.
+
+Fixes: 2b3d942c4878 ("usb ethernet gadget: split out network core")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Kiruthika Varadarajan <Kiruthika.Varadarajan@harman.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/gadget/function/u_ether.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
+index 737bd77a575d..2929bb47a618 100644
+--- a/drivers/usb/gadget/function/u_ether.c
++++ b/drivers/usb/gadget/function/u_ether.c
+@@ -186,11 +186,12 @@ rx_submit(struct eth_dev *dev, struct usb_request *req, gfp_t gfp_flags)
+ out = dev->port_usb->out_ep;
+ else
+ out = NULL;
+- spin_unlock_irqrestore(&dev->lock, flags);
+
+ if (!out)
++ {
++ spin_unlock_irqrestore(&dev->lock, flags);
+ return -ENOTCONN;
+-
++ }
+
+ /* Padding up to RX_EXTRA handles minor disagreements with host.
+ * Normally we use the USB "terminate on short read" convention;
+@@ -214,6 +215,7 @@ rx_submit(struct eth_dev *dev, struct usb_request *req, gfp_t gfp_flags)
+
+ if (dev->port_usb->is_fixed)
+ size = max_t(size_t, size, dev->port_usb->fixed_out_len);
++ spin_unlock_irqrestore(&dev->lock, flags);
+
+ skb = __netdev_alloc_skb(dev->net, size + NET_IP_ALIGN, gfp_flags);
+ if (skb == NULL) {
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-029-usb-dwc2-use-a-longer-AHB-idle-timeout-in-dwc2_.patch b/patches.kernel.org/5.2.1-029-usb-dwc2-use-a-longer-AHB-idle-timeout-in-dwc2_.patch
new file mode 100644
index 0000000000..39db5b34a9
--- /dev/null
+++ b/patches.kernel.org/5.2.1-029-usb-dwc2-use-a-longer-AHB-idle-timeout-in-dwc2_.patch
@@ -0,0 +1,48 @@
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Thu, 20 Jun 2019 19:50:22 +0200
+Subject: [PATCH] usb: dwc2: use a longer AHB idle timeout in dwc2_core_reset()
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: dfc4fdebc5d62ac4e2fe5428e59b273675515fb2
+
+commit dfc4fdebc5d62ac4e2fe5428e59b273675515fb2 upstream.
+
+Use a 10000us AHB idle timeout in dwc2_core_reset() and make it
+consistent with the other "wait for AHB master IDLE state" ocurrences.
+
+This fixes a problem for me where dwc2 would not want to initialize when
+updating to 4.19 on a MIPS Lantiq VRX200 SoC. dwc2 worked fine with
+4.14.
+Testing on my board shows that it takes 180us until AHB master IDLE
+state is signalled. The very old vendor driver for this SoC (ifxhcd)
+used a 1 second timeout.
+Use the same timeout that is used everywhere when polling for
+GRSTCTL_AHBIDLE instead of using a timeout that "works for one board"
+(180us in my case) to have consistent behavior across the dwc2 driver.
+
+Cc: linux-stable <stable@vger.kernel.org> # 4.19+
+Acked-by: Minas Harutyunyan <hminas@synopsys.com>
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/dwc2/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/dwc2/core.c b/drivers/usb/dwc2/core.c
+index 8b499d643461..8e41d70fd298 100644
+--- a/drivers/usb/dwc2/core.c
++++ b/drivers/usb/dwc2/core.c
+@@ -531,7 +531,7 @@ int dwc2_core_reset(struct dwc2_hsotg *hsotg, bool skip_wait)
+ }
+
+ /* Wait for AHB master IDLE state */
+- if (dwc2_hsotg_wait_bit_set(hsotg, GRSTCTL, GRSTCTL_AHBIDLE, 50)) {
++ if (dwc2_hsotg_wait_bit_set(hsotg, GRSTCTL, GRSTCTL_AHBIDLE, 10000)) {
+ dev_warn(hsotg->dev, "%s: HANG! AHB Idle timeout GRSTCTL GRSTCTL_AHBIDLE\n",
+ __func__);
+ return -EBUSY;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-030-usb-renesas_usbhs-add-a-workaround-for-a-race-c.patch b/patches.kernel.org/5.2.1-030-usb-renesas_usbhs-add-a-workaround-for-a-race-c.patch
new file mode 100644
index 0000000000..b44da96c9d
--- /dev/null
+++ b/patches.kernel.org/5.2.1-030-usb-renesas_usbhs-add-a-workaround-for-a-race-c.patch
@@ -0,0 +1,135 @@
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Wed, 26 Jun 2019 22:06:33 +0900
+Subject: [PATCH] usb: renesas_usbhs: add a workaround for a race condition of
+ workqueue
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: b2357839c56ab7d06bcd4e866ebc2d0e2b7997f3
+
+commit b2357839c56ab7d06bcd4e866ebc2d0e2b7997f3 upstream.
+
+The old commit 6e4b74e4690d ("usb: renesas: fix scheduling in atomic
+context bug") fixed an atomic issue by using workqueue for the shdmac
+dmaengine driver. However, this has a potential race condition issue
+between the work pending and usbhsg_ep_free_request() in gadget mode.
+When usbhsg_ep_free_request() is called while pending the queue,
+since the work_struct will be freed and then the work handler is
+called, kernel panic happens on process_one_work().
+
+To fix the issue, if we could call cancel_work_sync() at somewhere
+before the free request, it could be easy. However,
+the usbhsg_ep_free_request() is called on atomic (e.g. f_ncm driver
+calls free request via gether_disconnect()).
+
+For now, almost all users are having "USB-DMAC" and the DMAengine
+driver can be used on atomic. So, this patch adds a workaround for
+a race condition to call the DMAengine APIs without the workqueue.
+
+This means we still have TODO on shdmac environment (SH7724), but
+since it doesn't have SMP, the race condition might not happen.
+
+Fixes: ab330cf3888d ("usb: renesas_usbhs: add support for USB-DMAC")
+Cc: <stable@vger.kernel.org> # v4.1+
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/renesas_usbhs/fifo.c | 34 +++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/usb/renesas_usbhs/fifo.c b/drivers/usb/renesas_usbhs/fifo.c
+index 39fa2fc1b8b7..6036cbae8c78 100644
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -802,9 +802,8 @@ static int __usbhsf_dma_map_ctrl(struct usbhs_pkt *pkt, int map)
+ }
+
+ static void usbhsf_dma_complete(void *arg);
+-static void xfer_work(struct work_struct *work)
++static void usbhsf_dma_xfer_preparing(struct usbhs_pkt *pkt)
+ {
+- struct usbhs_pkt *pkt = container_of(work, struct usbhs_pkt, work);
+ struct usbhs_pipe *pipe = pkt->pipe;
+ struct usbhs_fifo *fifo;
+ struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe);
+@@ -812,12 +811,10 @@ static void xfer_work(struct work_struct *work)
+ struct dma_chan *chan;
+ struct device *dev = usbhs_priv_to_dev(priv);
+ enum dma_transfer_direction dir;
+- unsigned long flags;
+
+- usbhs_lock(priv, flags);
+ fifo = usbhs_pipe_to_fifo(pipe);
+ if (!fifo)
+- goto xfer_work_end;
++ return;
+
+ chan = usbhsf_dma_chan_get(fifo, pkt);
+ dir = usbhs_pipe_is_dir_in(pipe) ? DMA_DEV_TO_MEM : DMA_MEM_TO_DEV;
+@@ -826,7 +823,7 @@ static void xfer_work(struct work_struct *work)
+ pkt->trans, dir,
+ DMA_PREP_INTERRUPT | DMA_CTRL_ACK);
+ if (!desc)
+- goto xfer_work_end;
++ return;
+
+ desc->callback = usbhsf_dma_complete;
+ desc->callback_param = pipe;
+@@ -834,7 +831,7 @@ static void xfer_work(struct work_struct *work)
+ pkt->cookie = dmaengine_submit(desc);
+ if (pkt->cookie < 0) {
+ dev_err(dev, "Failed to submit dma descriptor\n");
+- goto xfer_work_end;
++ return;
+ }
+
+ dev_dbg(dev, " %s %d (%d/ %d)\n",
+@@ -845,8 +842,17 @@ static void xfer_work(struct work_struct *work)
+ dma_async_issue_pending(chan);
+ usbhsf_dma_start(pipe, fifo);
+ usbhs_pipe_enable(pipe);
++}
++
++static void xfer_work(struct work_struct *work)
++{
++ struct usbhs_pkt *pkt = container_of(work, struct usbhs_pkt, work);
++ struct usbhs_pipe *pipe = pkt->pipe;
++ struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe);
++ unsigned long flags;
+
+-xfer_work_end:
++ usbhs_lock(priv, flags);
++ usbhsf_dma_xfer_preparing(pkt);
+ usbhs_unlock(priv, flags);
+ }
+
+@@ -899,8 +905,13 @@ static int usbhsf_dma_prepare_push(struct usbhs_pkt *pkt, int *is_done)
+ pkt->trans = len;
+
+ usbhsf_tx_irq_ctrl(pipe, 0);
+- INIT_WORK(&pkt->work, xfer_work);
+- schedule_work(&pkt->work);
++ /* FIXME: Workaound for usb dmac that driver can be used in atomic */
++ if (usbhs_get_dparam(priv, has_usb_dmac)) {
++ usbhsf_dma_xfer_preparing(pkt);
++ } else {
++ INIT_WORK(&pkt->work, xfer_work);
++ schedule_work(&pkt->work);
++ }
+
+ return 0;
+
+@@ -1006,8 +1017,7 @@ static int usbhsf_dma_prepare_pop_with_usb_dmac(struct usbhs_pkt *pkt,
+
+ pkt->trans = pkt->length;
+
+- INIT_WORK(&pkt->work, xfer_work);
+- schedule_work(&pkt->work);
++ usbhsf_dma_xfer_preparing(pkt);
+
+ return 0;
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-031-drivers-usb-typec-tps6598x.c-fix-portinfo-width.patch b/patches.kernel.org/5.2.1-031-drivers-usb-typec-tps6598x.c-fix-portinfo-width.patch
new file mode 100644
index 0000000000..3ec4925bc5
--- /dev/null
+++ b/patches.kernel.org/5.2.1-031-drivers-usb-typec-tps6598x.c-fix-portinfo-width.patch
@@ -0,0 +1,38 @@
+From: Nikolaus Voss <nikolaus.voss@loewensteinmedical.de>
+Date: Fri, 28 Jun 2019 11:01:08 +0200
+Subject: [PATCH] drivers/usb/typec/tps6598x.c: fix portinfo width
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 05da75fc651138e51ff74ace97174349910463f5
+
+commit 05da75fc651138e51ff74ace97174349910463f5 upstream.
+
+Portinfo bit field is 3 bits wide, not 2 bits. This led to
+a wrong driver configuration for some tps6598x configurations.
+
+Fixes: 0a4c005bd171 ("usb: typec: driver for TI TPS6598x USB Power Delivery controllers")
+Signed-off-by: Nikolaus Voss <nikolaus.voss@loewensteinmedical.de>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/typec/tps6598x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/typec/tps6598x.c b/drivers/usb/typec/tps6598x.c
+index c674abe3cf99..a170c49c2542 100644
+--- a/drivers/usb/typec/tps6598x.c
++++ b/drivers/usb/typec/tps6598x.c
+@@ -41,7 +41,7 @@
+ #define TPS_STATUS_VCONN(s) (!!((s) & BIT(7)))
+
+ /* TPS_REG_SYSTEM_CONF bits */
+-#define TPS_SYSCONF_PORTINFO(c) ((c) & 3)
++#define TPS_SYSCONF_PORTINFO(c) ((c) & 7)
+
+ enum {
+ TPS_PORTINFO_SINK,
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-032-drivers-usb-typec-tps6598x.c-fix-4CC-cmd-write.patch b/patches.kernel.org/5.2.1-032-drivers-usb-typec-tps6598x.c-fix-4CC-cmd-write.patch
new file mode 100644
index 0000000000..2930296811
--- /dev/null
+++ b/patches.kernel.org/5.2.1-032-drivers-usb-typec-tps6598x.c-fix-4CC-cmd-write.patch
@@ -0,0 +1,50 @@
+From: Nikolaus Voss <nikolaus.voss@loewensteinmedical.de>
+Date: Fri, 28 Jun 2019 11:01:09 +0200
+Subject: [PATCH] drivers/usb/typec/tps6598x.c: fix 4CC cmd write
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 2681795b5e7a5bf336537661010072f4c22cea31
+
+commit 2681795b5e7a5bf336537661010072f4c22cea31 upstream.
+
+Writing 4CC commands with tps6598x_write_4cc() already has
+a pointer arg, don't reference it when using as arg to
+tps6598x_block_write(). Correcting this enforces the constness
+of the pointer to propagate to tps6598x_block_write(), so add
+the const qualifier there to avoid the warning.
+
+Fixes: 0a4c005bd171 ("usb: typec: driver for TI TPS6598x USB Power Delivery controllers")
+Signed-off-by: Nikolaus Voss <nikolaus.voss@loewensteinmedical.de>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/typec/tps6598x.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/typec/tps6598x.c b/drivers/usb/typec/tps6598x.c
+index a170c49c2542..a38d1409f15b 100644
+--- a/drivers/usb/typec/tps6598x.c
++++ b/drivers/usb/typec/tps6598x.c
+@@ -127,7 +127,7 @@ tps6598x_block_read(struct tps6598x *tps, u8 reg, void *val, size_t len)
+ }
+
+ static int tps6598x_block_write(struct tps6598x *tps, u8 reg,
+- void *val, size_t len)
++ const void *val, size_t len)
+ {
+ u8 data[TPS_MAX_LEN + 1];
+
+@@ -173,7 +173,7 @@ static inline int tps6598x_write64(struct tps6598x *tps, u8 reg, u64 val)
+ static inline int
+ tps6598x_write_4cc(struct tps6598x *tps, u8 reg, const char *val)
+ {
+- return tps6598x_block_write(tps, reg, &val, sizeof(u32));
++ return tps6598x_block_write(tps, reg, val, 4);
+ }
+
+ static int tps6598x_read_partner_identity(struct tps6598x *tps)
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-033-p54-fix-crash-during-initialization.patch b/patches.kernel.org/5.2.1-033-p54-fix-crash-during-initialization.patch
new file mode 100644
index 0000000000..24455ebe69
--- /dev/null
+++ b/patches.kernel.org/5.2.1-033-p54-fix-crash-during-initialization.patch
@@ -0,0 +1,76 @@
+From: Christian Lamparter <chunkeey@gmail.com>
+Date: Sat, 18 May 2019 22:05:48 +0200
+Subject: [PATCH] p54: fix crash during initialization
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 1645ab931998b39aed5761f095956f0b10a6362f
+
+commit 1645ab931998b39aed5761f095956f0b10a6362f upstream.
+
+This patch fixes a crash that got introduced when the
+mentioned patch replaced the direct list_head access
+with skb_peek_tail(). When the device is starting up,
+there are no entries in the queue, so previously to
+"Use skb_peek_tail() instead..." the target_skb would
+end up as the tail and head pointer which then could
+be used by __skb_queue_after to fill the empty queue.
+
+With skb_peek_tail() in its place will instead just
+return NULL which then causes a crash in the
+__skb_queue_after().
+
+| BUG: unable to handle kernel NULL pointer dereference at 000000
+| #PF error: [normal kernel read fault]
+| PGD 0 P4D 0
+| Oops: 0000 [#1] SMP PTI
+| CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: GO 5.1.0-rc7-wt+ #218
+| Hardware name: MSI MS-7816/Z87-G43 (MS-7816), BIOS V1.11 05/09/2015
+| Workqueue: events request_firmware_work_func
+| RIP: 0010:p54_tx_pending+0x10f/0x1b0 [p54common]
+| Code: 78 06 80 78 28 00 74 6d <48> 8b 07 49 89 7c 24 08 49 89 04 24 4
+| RSP: 0018:ffffa81c81927d90 EFLAGS: 00010086
+| RAX: ffff9bbaaf131048 RBX: 0000000000020670 RCX: 0000000000020264
+| RDX: ffff9bbaa976d660 RSI: 0000000000000202 RDI: 0000000000000000
+| RBP: ffff9bbaa976d620 R08: 00000000000006c0 R09: ffff9bbaa976d660
+| R10: 0000000000000000 R11: ffffe8480dbc5900 R12: ffff9bbb45e87700
+| R13: ffff9bbaa976d648 R14: ffff9bbaa976d674 R15: ffff9bbaaf131048
+| FS: 0000000000000000(0000) GS:ffff9bbb5ec00000(0000) knlGS:00000
+| CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+| CR2: 0000000000000000 CR3: 00000003695fc003 CR4: 00000000001606f0
+| Call Trace:
+| p54_download_eeprom+0xbe/0x120 [p54common]
+| p54_read_eeprom+0x7f/0xc0 [p54common]
+| p54u_load_firmware_cb+0xe0/0x160 [p54usb]
+| request_firmware_work_func+0x42/0x80
+| process_one_work+0x1f5/0x3f0
+| worker_thread+0x28/0x3c0
+
+Cc: stable@vger.kernel.org
+Fixes: e3554197fc8f ("p54: Use skb_peek_tail() instead of direct head pointer accesses.")
+Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/wireless/intersil/p54/txrx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intersil/p54/txrx.c b/drivers/net/wireless/intersil/p54/txrx.c
+index ff9acd1563f4..5892898f8853 100644
+--- a/drivers/net/wireless/intersil/p54/txrx.c
++++ b/drivers/net/wireless/intersil/p54/txrx.c
+@@ -139,7 +139,10 @@ static int p54_assign_address(struct p54_common *priv, struct sk_buff *skb)
+ unlikely(GET_HW_QUEUE(skb) == P54_QUEUE_BEACON))
+ priv->beacon_req_id = data->req_id;
+
+- __skb_queue_after(&priv->tx_queue, target_skb, skb);
++ if (target_skb)
++ __skb_queue_after(&priv->tx_queue, target_skb, skb);
++ else
++ __skb_queue_head(&priv->tx_queue, skb);
+ spin_unlock_irqrestore(&priv->tx_queue.lock, flags);
+ return 0;
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-034-staging-comedi-dt282x-fix-a-null-pointer-deref-.patch b/patches.kernel.org/5.2.1-034-staging-comedi-dt282x-fix-a-null-pointer-deref-.patch
new file mode 100644
index 0000000000..dad1203564
--- /dev/null
+++ b/patches.kernel.org/5.2.1-034-staging-comedi-dt282x-fix-a-null-pointer-deref-.patch
@@ -0,0 +1,56 @@
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 26 Jun 2019 14:18:04 +0100
+Subject: [PATCH] staging: comedi: dt282x: fix a null pointer deref on
+ interrupt
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: b8336be66dec06bef518030a0df9847122053ec5
+
+commit b8336be66dec06bef518030a0df9847122053ec5 upstream.
+
+The interrupt handler `dt282x_interrupt()` causes a null pointer
+dereference for those supported boards that have no analog output
+support. For these boards, `dev->write_subdev` will be `NULL` and
+therefore the `s_ao` subdevice pointer variable will be `NULL`. In that
+case, the following call near the end of the interrupt handler results
+in a null pointer dereference:
+
+ comedi_handle_events(dev, s_ao);
+
+Fix it by only calling the above function if `s_ao` is valid.
+
+(There are other uses of `s_ao` by the interrupt handler that may or may
+not be reached depending on values of hardware registers. Trust that
+they are reliable for now.)
+
+Note:
+commit 4f6f009b204f ("staging: comedi: dt282x: use comedi_handle_events()")
+propagates an earlier error from
+commit f21c74fa4cfe ("staging: comedi: dt282x: use cfc_handle_events()").
+
+Fixes: 4f6f009b204f ("staging: comedi: dt282x: use comedi_handle_events()")
+Cc: <stable@vger.kernel.org> # v3.19+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/staging/comedi/drivers/dt282x.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/comedi/drivers/dt282x.c b/drivers/staging/comedi/drivers/dt282x.c
+index 3be927f1d3a9..e15e33ed94ae 100644
+--- a/drivers/staging/comedi/drivers/dt282x.c
++++ b/drivers/staging/comedi/drivers/dt282x.c
+@@ -557,7 +557,8 @@ static irqreturn_t dt282x_interrupt(int irq, void *d)
+ }
+ #endif
+ comedi_handle_events(dev, s);
+- comedi_handle_events(dev, s_ao);
++ if (s_ao)
++ comedi_handle_events(dev, s_ao);
+
+ return IRQ_RETVAL(handled);
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-035-staging-wilc1000-fix-error-path-cleanup-in-wilc.patch b/patches.kernel.org/5.2.1-035-staging-wilc1000-fix-error-path-cleanup-in-wilc.patch
new file mode 100644
index 0000000000..2917435e6c
--- /dev/null
+++ b/patches.kernel.org/5.2.1-035-staging-wilc1000-fix-error-path-cleanup-in-wilc.patch
@@ -0,0 +1,62 @@
+From: Ajay Singh <ajay.kathat@microchip.com>
+Date: Wed, 26 Jun 2019 12:40:48 +0000
+Subject: [PATCH] staging: wilc1000: fix error path cleanup in
+ wilc_wlan_initialize()
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 6419f818ababebc1116fb2d0e220bd4fe835d0e3
+
+commit 6419f818ababebc1116fb2d0e220bd4fe835d0e3 upstream.
+
+For the error path in wilc_wlan_initialize(), the resources are not
+cleanup in the correct order. Reverted the previous changes and use the
+correct order to free during error condition.
+
+Fixes: b46d68825c2d ("staging: wilc1000: remove COMPLEMENT_BOOT")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ajay Singh <ajay.kathat@microchip.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/staging/wilc1000/wilc_netdev.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/staging/wilc1000/wilc_netdev.c b/drivers/staging/wilc1000/wilc_netdev.c
+index ba78c08a17f1..5338d7d2b248 100644
+--- a/drivers/staging/wilc1000/wilc_netdev.c
++++ b/drivers/staging/wilc1000/wilc_netdev.c
+@@ -530,17 +530,17 @@ static int wilc_wlan_initialize(struct net_device *dev, struct wilc_vif *vif)
+ goto fail_locks;
+ }
+
+- if (wl->gpio_irq && init_irq(dev)) {
+- ret = -EIO;
+- goto fail_locks;
+- }
+-
+ ret = wlan_initialize_threads(dev);
+ if (ret < 0) {
+ ret = -EIO;
+ goto fail_wilc_wlan;
+ }
+
++ if (wl->gpio_irq && init_irq(dev)) {
++ ret = -EIO;
++ goto fail_threads;
++ }
++
+ if (!wl->dev_irq_num &&
+ wl->hif_func->enable_interrupt &&
+ wl->hif_func->enable_interrupt(wl)) {
+@@ -596,7 +596,7 @@ static int wilc_wlan_initialize(struct net_device *dev, struct wilc_vif *vif)
+ fail_irq_init:
+ if (wl->dev_irq_num)
+ deinit_irq(dev);
+-
++fail_threads:
+ wlan_deinitialize_threads(dev);
+ fail_wilc_wlan:
+ wilc_wlan_cleanup(dev);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-036-staging-bcm2835-camera-Restore-return-behavior-.patch b/patches.kernel.org/5.2.1-036-staging-bcm2835-camera-Restore-return-behavior-.patch
new file mode 100644
index 0000000000..c0ec2a1716
--- /dev/null
+++ b/patches.kernel.org/5.2.1-036-staging-bcm2835-camera-Restore-return-behavior-.patch
@@ -0,0 +1,75 @@
+From: Stefan Wahren <wahrenst@gmx.net>
+Date: Wed, 26 Jun 2019 17:48:11 +0200
+Subject: [PATCH] staging: bcm2835-camera: Restore return behavior of
+ ctrl_set_bitrate()
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: f816db1dc17b99b059325f41ed5a78f85d15368c
+
+commit f816db1dc17b99b059325f41ed5a78f85d15368c upstream.
+
+The commit 52c4dfcead49 ("Staging: vc04_services: Cleanup in
+ctrl_set_bitrate()") changed the return behavior of ctrl_set_bitrate().
+We cannot do this because of a bug in the firmware, which breaks probing
+of bcm2835-camera:
+
+ bcm2835-v4l2: mmal_init: failed to set all camera controls: -3
+ Cleanup: Destroy video encoder
+ Cleanup: Destroy image encoder
+ Cleanup: Destroy video render
+ Cleanup: Destroy camera
+ bcm2835-v4l2: bcm2835_mmal_probe: mmal init failed: -3
+ bcm2835-camera: probe of bcm2835-camera failed with error -3
+
+So restore the old behavior, add an explaining comment and a debug message
+to verify that the bug has been fixed in firmware.
+
+Fixes: 52c4dfcead49 ("Staging: vc04_services: Cleanup in ctrl_set_bitrate()")
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ .../vc04_services/bcm2835-camera/controls.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/controls.c b/drivers/staging/vc04_services/bcm2835-camera/controls.c
+index dade79738a29..12ac3ef61fe6 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/controls.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/controls.c
+@@ -603,15 +603,28 @@ static int ctrl_set_bitrate(struct bm2835_mmal_dev *dev,
+ struct v4l2_ctrl *ctrl,
+ const struct bm2835_mmal_v4l2_ctrl *mmal_ctrl)
+ {
++ int ret;
+ struct vchiq_mmal_port *encoder_out;
+
+ dev->capture.encode_bitrate = ctrl->val;
+
+ encoder_out = &dev->component[MMAL_COMPONENT_VIDEO_ENCODE]->output[0];
+
+- return vchiq_mmal_port_parameter_set(dev->instance, encoder_out,
+- mmal_ctrl->mmal_id, &ctrl->val,
+- sizeof(ctrl->val));
++ ret = vchiq_mmal_port_parameter_set(dev->instance, encoder_out,
++ mmal_ctrl->mmal_id, &ctrl->val,
++ sizeof(ctrl->val));
++
++ v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev,
++ "%s: After: mmal_ctrl:%p ctrl id:0x%x ctrl val:%d ret %d(%d)\n",
++ __func__, mmal_ctrl, ctrl->id, ctrl->val, ret,
++ (ret == 0 ? 0 : -EINVAL));
++
++ /*
++ * Older firmware versions (pre July 2019) have a bug in handling
++ * MMAL_PARAMETER_VIDEO_BIT_RATE that result in the call
++ * returning -MMAL_MSG_STATUS_EINVAL. So ignore errors from this call.
++ */
++ return 0;
+ }
+
+ static int ctrl_set_bitrate_mode(struct bm2835_mmal_dev *dev,
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-037-staging-comedi-amplc_pci230-fix-null-pointer-de.patch b/patches.kernel.org/5.2.1-037-staging-comedi-amplc_pci230-fix-null-pointer-de.patch
new file mode 100644
index 0000000000..5683c2bae3
--- /dev/null
+++ b/patches.kernel.org/5.2.1-037-staging-comedi-amplc_pci230-fix-null-pointer-de.patch
@@ -0,0 +1,51 @@
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 26 Jun 2019 14:17:39 +0100
+Subject: [PATCH] staging: comedi: amplc_pci230: fix null pointer deref on
+ interrupt
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 7379e6baeddf580d01feca650ec1ad508b6ea8ee
+
+commit 7379e6baeddf580d01feca650ec1ad508b6ea8ee upstream.
+
+The interrupt handler `pci230_interrupt()` causes a null pointer
+dereference for a PCI260 card. There is no analog output subdevice for
+a PCI260. The `dev->write_subdev` subdevice pointer and therefore the
+`s_ao` subdevice pointer variable will be `NULL` for a PCI260. The
+following call near the end of the interrupt handler results in the null
+pointer dereference for a PCI260:
+
+ comedi_handle_events(dev, s_ao);
+
+Fix it by only calling the above function if `s_ao` is valid.
+
+Note that the other uses of `s_ao` in the calls
+`pci230_handle_ao_nofifo(dev, s_ao);` and `pci230_handle_ao_fifo(dev,
+s_ao);` will never be reached for a PCI260, so they are safe.
+
+Fixes: 39064f23284c ("staging: comedi: amplc_pci230: use comedi_handle_events()")
+Cc: <stable@vger.kernel.org> # v3.19+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/staging/comedi/drivers/amplc_pci230.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/comedi/drivers/amplc_pci230.c b/drivers/staging/comedi/drivers/amplc_pci230.c
+index 65f60c2b702a..f7e673121864 100644
+--- a/drivers/staging/comedi/drivers/amplc_pci230.c
++++ b/drivers/staging/comedi/drivers/amplc_pci230.c
+@@ -2330,7 +2330,8 @@ static irqreturn_t pci230_interrupt(int irq, void *d)
+ devpriv->intr_running = false;
+ spin_unlock_irqrestore(&devpriv->isr_spinlock, irqflags);
+
+- comedi_handle_events(dev, s_ao);
++ if (s_ao)
++ comedi_handle_events(dev, s_ao);
+ comedi_handle_events(dev, s_ai);
+
+ return IRQ_HANDLED;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-038-staging-mt7621-pci-fix-PCIE_FTS_NUM_LO-macro.patch b/patches.kernel.org/5.2.1-038-staging-mt7621-pci-fix-PCIE_FTS_NUM_LO-macro.patch
new file mode 100644
index 0000000000..efc90da15b
--- /dev/null
+++ b/patches.kernel.org/5.2.1-038-staging-mt7621-pci-fix-PCIE_FTS_NUM_LO-macro.patch
@@ -0,0 +1,37 @@
+From: Sergio Paracuellos <sergio.paracuellos@gmail.com>
+Date: Wed, 26 Jun 2019 14:43:18 +0200
+Subject: [PATCH] staging: mt7621-pci: fix PCIE_FTS_NUM_LO macro
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 0ae0cf509d28d8539b88b5f7f24558f5bfe57cdf
+
+commit 0ae0cf509d28d8539b88b5f7f24558f5bfe57cdf upstream.
+
+Add missing parenthesis to PCIE_FTS_NUM_LO macro to do the
+same it was being done in original code.
+
+Fixes: a4b2eb912bb1 ("staging: mt7621-pci: rewrite RC FTS configuration")
+Signed-off-by: Sergio Paracuellos <sergio.paracuellos@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/staging/mt7621-pci/pci-mt7621.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/mt7621-pci/pci-mt7621.c b/drivers/staging/mt7621-pci/pci-mt7621.c
+index 03d919a94552..93763d40e3a1 100644
+--- a/drivers/staging/mt7621-pci/pci-mt7621.c
++++ b/drivers/staging/mt7621-pci/pci-mt7621.c
+@@ -40,7 +40,7 @@
+ /* MediaTek specific configuration registers */
+ #define PCIE_FTS_NUM 0x70c
+ #define PCIE_FTS_NUM_MASK GENMASK(15, 8)
+-#define PCIE_FTS_NUM_L0(x) ((x) & 0xff << 8)
++#define PCIE_FTS_NUM_L0(x) (((x) & 0xff) << 8)
+
+ /* rt_sysc_membase relative registers */
+ #define RALINK_PCIE_CLK_GEN 0x7c
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-039-HID-Add-another-Primax-PIXART-OEM-mouse-quirk.patch b/patches.kernel.org/5.2.1-039-HID-Add-another-Primax-PIXART-OEM-mouse-quirk.patch
new file mode 100644
index 0000000000..28e9e55a28
--- /dev/null
+++ b/patches.kernel.org/5.2.1-039-HID-Add-another-Primax-PIXART-OEM-mouse-quirk.patch
@@ -0,0 +1,53 @@
+From: Sebastian Parschauer <s.parschauer@gmx.de>
+Date: Mon, 1 Jul 2019 07:48:17 +0200
+Subject: [PATCH] HID: Add another Primax PIXART OEM mouse quirk
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 4c12954965fdf33d8ae3883c1931fc29ca023cfb
+
+commit 4c12954965fdf33d8ae3883c1931fc29ca023cfb upstream.
+
+The PixArt OEM mice are known for disconnecting every minute in
+runlevel 1 or 3 if they are not always polled. So add quirk
+ALWAYS_POLL for this Alienware branded Primax mouse as well.
+
+Daniel Schepler (@dschepler) reported and tested the quirk.
+Reference: https://github.com/sriemer/fix-linux-mouse/issues/15
+
+Signed-off-by: Sebastian Parschauer <s.parschauer@gmx.de>
+CC: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index b032d3899fa3..bfc584ada4eb 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1241,6 +1241,7 @@
+ #define USB_DEVICE_ID_PRIMAX_KEYBOARD 0x4e05
+ #define USB_DEVICE_ID_PRIMAX_REZEL 0x4e72
+ #define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F 0x4d0f
++#define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D65 0x4d65
+ #define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22 0x4e22
+
+
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index 671a285724f9..1549c7a2f04c 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -130,6 +130,7 @@ static const struct hid_device_id hid_quirks[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4D22), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F), HID_QUIRK_ALWAYS_POLL },
++ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D65), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRODIGE, USB_DEVICE_ID_PRODIGE_CORDLESS), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3001), HID_QUIRK_NOGET },
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-040-lkdtm-support-llvm-objcopy.patch b/patches.kernel.org/5.2.1-040-lkdtm-support-llvm-objcopy.patch
new file mode 100644
index 0000000000..fc3a7d3fa8
--- /dev/null
+++ b/patches.kernel.org/5.2.1-040-lkdtm-support-llvm-objcopy.patch
@@ -0,0 +1,65 @@
+From: Nick Desaulniers <ndesaulniers@google.com>
+Date: Wed, 15 May 2019 11:24:41 -0700
+Subject: [PATCH] lkdtm: support llvm-objcopy
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: e9e08a07385e08f1a7f85c5d1e345c21c9564963
+
+commit e9e08a07385e08f1a7f85c5d1e345c21c9564963 upstream.
+
+With CONFIG_LKDTM=y and make OBJCOPY=llvm-objcopy, llvm-objcopy errors:
+llvm-objcopy: error: --set-section-flags=.text conflicts with
+--rename-section=.text=.rodata
+
+Rather than support setting flags then renaming sections vs renaming
+then setting flags, it's simpler to just change both at the same time
+via --rename-section. Adding the load flag is required for GNU objcopy
+to mark .rodata Type as PROGBITS after the rename.
+
+This can be verified with:
+$ readelf -S drivers/misc/lkdtm/rodata_objcopy.o
+...
+Section Headers:
+ [Nr] Name Type Address Offset
+ Size EntSize Flags Link Info Align
+...
+ [ 1] .rodata PROGBITS 0000000000000000 00000040
+ 0000000000000004 0000000000000000 A 0 0 4
+...
+
+Which shows that .text is now renamed .rodata, the alloc flag A is set,
+the type is PROGBITS, and the section is not flagged as writeable W.
+
+Cc: stable@vger.kernel.org
+Link: https://sourceware.org/bugzilla/show_bug.cgi?id=24554
+Link: https://github.com/ClangBuiltLinux/linux/issues/448
+Reported-by: Nathan Chancellor <natechancellor@gmail.com>
+Suggested-by: Alan Modra <amodra@gmail.com>
+Suggested-by: Jordan Rupprect <rupprecht@google.com>
+Suggested-by: Kees Cook <keescook@chromium.org>
+Acked-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/misc/lkdtm/Makefile | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile
+index 951c984de61a..fb10eafe9bde 100644
+--- a/drivers/misc/lkdtm/Makefile
++++ b/drivers/misc/lkdtm/Makefile
+@@ -15,8 +15,7 @@ KCOV_INSTRUMENT_rodata.o := n
+
+ OBJCOPYFLAGS :=
+ OBJCOPYFLAGS_rodata_objcopy.o := \
+- --set-section-flags .text=alloc,readonly \
+- --rename-section .text=.rodata
++ --rename-section .text=.rodata,alloc,readonly,load
+ targets += rodata.o rodata_objcopy.o
+ $(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE
+ $(call if_changed,objcopy)
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-041-binder-fix-memory-leak-in-error-path.patch b/patches.kernel.org/5.2.1-041-binder-fix-memory-leak-in-error-path.patch
new file mode 100644
index 0000000000..2e3e5bcdf3
--- /dev/null
+++ b/patches.kernel.org/5.2.1-041-binder-fix-memory-leak-in-error-path.patch
@@ -0,0 +1,48 @@
+From: Todd Kjos <tkjos@android.com>
+Date: Fri, 21 Jun 2019 10:54:15 -0700
+Subject: [PATCH] binder: fix memory leak in error path
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 1909a671dbc3606685b1daf8b22a16f65ea7edda
+
+commit 1909a671dbc3606685b1daf8b22a16f65ea7edda upstream.
+
+syzkallar found a 32-byte memory leak in a rarely executed error
+case. The transaction complete work item was not freed if put_user()
+failed when writing the BR_TRANSACTION_COMPLETE to the user command
+buffer. Fixed by freeing it before put_user() is called.
+
+Reported-by: syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/android/binder.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/android/binder.c b/drivers/android/binder.c
+index bc26b5511f0a..8bf039fdeb91 100644
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -4268,6 +4268,8 @@ static int binder_thread_read(struct binder_proc *proc,
+ case BINDER_WORK_TRANSACTION_COMPLETE: {
+ binder_inner_proc_unlock(proc);
+ cmd = BR_TRANSACTION_COMPLETE;
++ kfree(w);
++ binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
+ if (put_user(cmd, (uint32_t __user *)ptr))
+ return -EFAULT;
+ ptr += sizeof(uint32_t);
+@@ -4276,8 +4278,6 @@ static int binder_thread_read(struct binder_proc *proc,
+ binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE,
+ "%d:%d BR_TRANSACTION_COMPLETE\n",
+ proc->pid, thread->pid);
+- kfree(w);
+- binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
+ } break;
+ case BINDER_WORK_NODE: {
+ struct binder_node *node = container_of(w, struct binder_node, work);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-042-binder-return-errors-from-buffer-copy-functions.patch b/patches.kernel.org/5.2.1-042-binder-return-errors-from-buffer-copy-functions.patch
new file mode 100644
index 0000000000..a7b6db7591
--- /dev/null
+++ b/patches.kernel.org/5.2.1-042-binder-return-errors-from-buffer-copy-functions.patch
@@ -0,0 +1,432 @@
+From: Todd Kjos <tkjos@android.com>
+Date: Fri, 28 Jun 2019 09:50:12 -0700
+Subject: [PATCH] binder: return errors from buffer copy functions
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: bb4a2e48d5100ed3ff614df158a636bca3c6bf9f
+
+commit bb4a2e48d5100ed3ff614df158a636bca3c6bf9f upstream.
+
+The buffer copy functions assumed the caller would ensure
+correct alignment and that the memory to be copied was
+completely within the binder buffer. There have been
+a few cases discovered by syzkallar where a malformed
+transaction created by a user could violated the
+assumptions and resulted in a BUG_ON.
+
+The fix is to remove the BUG_ON and always return the
+error to be handled appropriately by the caller.
+
+Acked-by: Martijn Coenen <maco@android.com>
+Reported-by: syzbot+3ae18325f96190606754@syzkaller.appspotmail.com
+Fixes: bde4a19fc04f ("binder: use userspace pointer as base of buffer space")
+Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/android/binder.c | 153 ++++++++++++++++++++-------------
+ drivers/android/binder_alloc.c | 44 +++++-----
+ drivers/android/binder_alloc.h | 22 ++---
+ 3 files changed, 126 insertions(+), 93 deletions(-)
+
+diff --git a/drivers/android/binder.c b/drivers/android/binder.c
+index 8bf039fdeb91..38a59a630cd4 100644
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2059,10 +2059,9 @@ static size_t binder_get_object(struct binder_proc *proc,
+
+ read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);
+ if (offset > buffer->data_size || read_size < sizeof(*hdr) ||
+- !IS_ALIGNED(offset, sizeof(u32)))
++ binder_alloc_copy_from_buffer(&proc->alloc, object, buffer,
++ offset, read_size))
+ return 0;
+- binder_alloc_copy_from_buffer(&proc->alloc, object, buffer,
+- offset, read_size);
+
+ /* Ok, now see if we read a complete object. */
+ hdr = &object->hdr;
+@@ -2131,8 +2130,10 @@ static struct binder_buffer_object *binder_validate_ptr(
+ return NULL;
+
+ buffer_offset = start_offset + sizeof(binder_size_t) * index;
+- binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
+- b, buffer_offset, sizeof(object_offset));
++ if (binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
++ b, buffer_offset,
++ sizeof(object_offset)))
++ return NULL;
+ object_size = binder_get_object(proc, b, object_offset, object);
+ if (!object_size || object->hdr.type != BINDER_TYPE_PTR)
+ return NULL;
+@@ -2212,10 +2213,12 @@ static bool binder_validate_fixup(struct binder_proc *proc,
+ return false;
+ last_min_offset = last_bbo->parent_offset + sizeof(uintptr_t);
+ buffer_offset = objects_start_offset +
+- sizeof(binder_size_t) * last_bbo->parent,
+- binder_alloc_copy_from_buffer(&proc->alloc, &last_obj_offset,
+- b, buffer_offset,
+- sizeof(last_obj_offset));
++ sizeof(binder_size_t) * last_bbo->parent;
++ if (binder_alloc_copy_from_buffer(&proc->alloc,
++ &last_obj_offset,
++ b, buffer_offset,
++ sizeof(last_obj_offset)))
++ return false;
+ }
+ return (fixup_offset >= last_min_offset);
+ }
+@@ -2301,15 +2304,15 @@ static void binder_transaction_buffer_release(struct binder_proc *proc,
+ for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
+ buffer_offset += sizeof(binder_size_t)) {
+ struct binder_object_header *hdr;
+- size_t object_size;
++ size_t object_size = 0;
+ struct binder_object object;
+ binder_size_t object_offset;
+
+- binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
+- buffer, buffer_offset,
+- sizeof(object_offset));
+- object_size = binder_get_object(proc, buffer,
+- object_offset, &object);
++ if (!binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
++ buffer, buffer_offset,
++ sizeof(object_offset)))
++ object_size = binder_get_object(proc, buffer,
++ object_offset, &object);
+ if (object_size == 0) {
+ pr_err("transaction release %d bad object at offset %lld, size %zd\n",
+ debug_id, (u64)object_offset, buffer->data_size);
+@@ -2432,15 +2435,16 @@ static void binder_transaction_buffer_release(struct binder_proc *proc,
+ for (fd_index = 0; fd_index < fda->num_fds;
+ fd_index++) {
+ u32 fd;
++ int err;
+ binder_size_t offset = fda_offset +
+ fd_index * sizeof(fd);
+
+- binder_alloc_copy_from_buffer(&proc->alloc,
+- &fd,
+- buffer,
+- offset,
+- sizeof(fd));
+- binder_deferred_fd_close(fd);
++ err = binder_alloc_copy_from_buffer(
++ &proc->alloc, &fd, buffer,
++ offset, sizeof(fd));
++ WARN_ON(err);
++ if (!err)
++ binder_deferred_fd_close(fd);
+ }
+ } break;
+ default:
+@@ -2683,11 +2687,12 @@ static int binder_translate_fd_array(struct binder_fd_array_object *fda,
+ int ret;
+ binder_size_t offset = fda_offset + fdi * sizeof(fd);
+
+- binder_alloc_copy_from_buffer(&target_proc->alloc,
+- &fd, t->buffer,
+- offset, sizeof(fd));
+- ret = binder_translate_fd(fd, offset, t, thread,
+- in_reply_to);
++ ret = binder_alloc_copy_from_buffer(&target_proc->alloc,
++ &fd, t->buffer,
++ offset, sizeof(fd));
++ if (!ret)
++ ret = binder_translate_fd(fd, offset, t, thread,
++ in_reply_to);
+ if (ret < 0)
+ return ret;
+ }
+@@ -2740,8 +2745,12 @@ static int binder_fixup_parent(struct binder_transaction *t,
+ }
+ buffer_offset = bp->parent_offset +
+ (uintptr_t)parent->buffer - (uintptr_t)b->user_data;
+- binder_alloc_copy_to_buffer(&target_proc->alloc, b, buffer_offset,
+- &bp->buffer, sizeof(bp->buffer));
++ if (binder_alloc_copy_to_buffer(&target_proc->alloc, b, buffer_offset,
++ &bp->buffer, sizeof(bp->buffer))) {
++ binder_user_error("%d:%d got transaction with invalid parent offset\n",
++ proc->pid, thread->pid);
++ return -EINVAL;
++ }
+
+ return 0;
+ }
+@@ -3160,15 +3169,20 @@ static void binder_transaction(struct binder_proc *proc,
+ goto err_binder_alloc_buf_failed;
+ }
+ if (secctx) {
++ int err;
+ size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) +
+ ALIGN(tr->offsets_size, sizeof(void *)) +
+ ALIGN(extra_buffers_size, sizeof(void *)) -
+ ALIGN(secctx_sz, sizeof(u64));
+
+ t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset;
+- binder_alloc_copy_to_buffer(&target_proc->alloc,
+- t->buffer, buf_offset,
+- secctx, secctx_sz);
++ err = binder_alloc_copy_to_buffer(&target_proc->alloc,
++ t->buffer, buf_offset,
++ secctx, secctx_sz);
++ if (err) {
++ t->security_ctx = 0;
++ WARN_ON(1);
++ }
+ security_release_secctx(secctx, secctx_sz);
+ secctx = NULL;
+ }
+@@ -3234,11 +3248,16 @@ static void binder_transaction(struct binder_proc *proc,
+ struct binder_object object;
+ binder_size_t object_offset;
+
+- binder_alloc_copy_from_buffer(&target_proc->alloc,
+- &object_offset,
+- t->buffer,
+- buffer_offset,
+- sizeof(object_offset));
++ if (binder_alloc_copy_from_buffer(&target_proc->alloc,
++ &object_offset,
++ t->buffer,
++ buffer_offset,
++ sizeof(object_offset))) {
++ return_error = BR_FAILED_REPLY;
++ return_error_param = -EINVAL;
++ return_error_line = __LINE__;
++ goto err_bad_offset;
++ }
+ object_size = binder_get_object(target_proc, t->buffer,
+ object_offset, &object);
+ if (object_size == 0 || object_offset < off_min) {
+@@ -3262,15 +3281,17 @@ static void binder_transaction(struct binder_proc *proc,
+
+ fp = to_flat_binder_object(hdr);
+ ret = binder_translate_binder(fp, t, thread);
+- if (ret < 0) {
++
++ if (ret < 0 ||
++ binder_alloc_copy_to_buffer(&target_proc->alloc,
++ t->buffer,
++ object_offset,
++ fp, sizeof(*fp))) {
+ return_error = BR_FAILED_REPLY;
+ return_error_param = ret;
+ return_error_line = __LINE__;
+ goto err_translate_failed;
+ }
+- binder_alloc_copy_to_buffer(&target_proc->alloc,
+- t->buffer, object_offset,
+- fp, sizeof(*fp));
+ } break;
+ case BINDER_TYPE_HANDLE:
+ case BINDER_TYPE_WEAK_HANDLE: {
+@@ -3278,15 +3299,16 @@ static void binder_transaction(struct binder_proc *proc,
+
+ fp = to_flat_binder_object(hdr);
+ ret = binder_translate_handle(fp, t, thread);
+- if (ret < 0) {
++ if (ret < 0 ||
++ binder_alloc_copy_to_buffer(&target_proc->alloc,
++ t->buffer,
++ object_offset,
++ fp, sizeof(*fp))) {
+ return_error = BR_FAILED_REPLY;
+ return_error_param = ret;
+ return_error_line = __LINE__;
+ goto err_translate_failed;
+ }
+- binder_alloc_copy_to_buffer(&target_proc->alloc,
+- t->buffer, object_offset,
+- fp, sizeof(*fp));
+ } break;
+
+ case BINDER_TYPE_FD: {
+@@ -3296,16 +3318,17 @@ static void binder_transaction(struct binder_proc *proc,
+ int ret = binder_translate_fd(fp->fd, fd_offset, t,
+ thread, in_reply_to);
+
+- if (ret < 0) {
++ fp->pad_binder = 0;
++ if (ret < 0 ||
++ binder_alloc_copy_to_buffer(&target_proc->alloc,
++ t->buffer,
++ object_offset,
++ fp, sizeof(*fp))) {
+ return_error = BR_FAILED_REPLY;
+ return_error_param = ret;
+ return_error_line = __LINE__;
+ goto err_translate_failed;
+ }
+- fp->pad_binder = 0;
+- binder_alloc_copy_to_buffer(&target_proc->alloc,
+- t->buffer, object_offset,
+- fp, sizeof(*fp));
+ } break;
+ case BINDER_TYPE_FDA: {
+ struct binder_object ptr_object;
+@@ -3393,15 +3416,16 @@ static void binder_transaction(struct binder_proc *proc,
+ num_valid,
+ last_fixup_obj_off,
+ last_fixup_min_off);
+- if (ret < 0) {
++ if (ret < 0 ||
++ binder_alloc_copy_to_buffer(&target_proc->alloc,
++ t->buffer,
++ object_offset,
++ bp, sizeof(*bp))) {
+ return_error = BR_FAILED_REPLY;
+ return_error_param = ret;
+ return_error_line = __LINE__;
+ goto err_translate_failed;
+ }
+- binder_alloc_copy_to_buffer(&target_proc->alloc,
+- t->buffer, object_offset,
+- bp, sizeof(*bp));
+ last_fixup_obj_off = object_offset;
+ last_fixup_min_off = 0;
+ } break;
+@@ -4140,20 +4164,27 @@ static int binder_apply_fd_fixups(struct binder_proc *proc,
+ trace_binder_transaction_fd_recv(t, fd, fixup->offset);
+ fd_install(fd, fixup->file);
+ fixup->file = NULL;
+- binder_alloc_copy_to_buffer(&proc->alloc, t->buffer,
+- fixup->offset, &fd,
+- sizeof(u32));
++ if (binder_alloc_copy_to_buffer(&proc->alloc, t->buffer,
++ fixup->offset, &fd,
++ sizeof(u32))) {
++ ret = -EINVAL;
++ break;
++ }
+ }
+ list_for_each_entry_safe(fixup, tmp, &t->fd_fixups, fixup_entry) {
+ if (fixup->file) {
+ fput(fixup->file);
+ } else if (ret) {
+ u32 fd;
+-
+- binder_alloc_copy_from_buffer(&proc->alloc, &fd,
+- t->buffer, fixup->offset,
+- sizeof(fd));
+- binder_deferred_fd_close(fd);
++ int err;
++
++ err = binder_alloc_copy_from_buffer(&proc->alloc, &fd,
++ t->buffer,
++ fixup->offset,
++ sizeof(fd));
++ WARN_ON(err);
++ if (!err)
++ binder_deferred_fd_close(fd);
+ }
+ list_del(&fixup->fixup_entry);
+ kfree(fixup);
+diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
+index ce5603c2291c..6d79a1b0d446 100644
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -1119,15 +1119,16 @@ binder_alloc_copy_user_to_buffer(struct binder_alloc *alloc,
+ return 0;
+ }
+
+-static void binder_alloc_do_buffer_copy(struct binder_alloc *alloc,
+- bool to_buffer,
+- struct binder_buffer *buffer,
+- binder_size_t buffer_offset,
+- void *ptr,
+- size_t bytes)
++static int binder_alloc_do_buffer_copy(struct binder_alloc *alloc,
++ bool to_buffer,
++ struct binder_buffer *buffer,
++ binder_size_t buffer_offset,
++ void *ptr,
++ size_t bytes)
+ {
+ /* All copies must be 32-bit aligned and 32-bit size */
+- BUG_ON(!check_buffer(alloc, buffer, buffer_offset, bytes));
++ if (!check_buffer(alloc, buffer, buffer_offset, bytes))
++ return -EINVAL;
+
+ while (bytes) {
+ unsigned long size;
+@@ -1155,25 +1156,26 @@ static void binder_alloc_do_buffer_copy(struct binder_alloc *alloc,
+ ptr = ptr + size;
+ buffer_offset += size;
+ }
++ return 0;
+ }
+
+-void binder_alloc_copy_to_buffer(struct binder_alloc *alloc,
+- struct binder_buffer *buffer,
+- binder_size_t buffer_offset,
+- void *src,
+- size_t bytes)
++int binder_alloc_copy_to_buffer(struct binder_alloc *alloc,
++ struct binder_buffer *buffer,
++ binder_size_t buffer_offset,
++ void *src,
++ size_t bytes)
+ {
+- binder_alloc_do_buffer_copy(alloc, true, buffer, buffer_offset,
+- src, bytes);
++ return binder_alloc_do_buffer_copy(alloc, true, buffer, buffer_offset,
++ src, bytes);
+ }
+
+-void binder_alloc_copy_from_buffer(struct binder_alloc *alloc,
+- void *dest,
+- struct binder_buffer *buffer,
+- binder_size_t buffer_offset,
+- size_t bytes)
++int binder_alloc_copy_from_buffer(struct binder_alloc *alloc,
++ void *dest,
++ struct binder_buffer *buffer,
++ binder_size_t buffer_offset,
++ size_t bytes)
+ {
+- binder_alloc_do_buffer_copy(alloc, false, buffer, buffer_offset,
+- dest, bytes);
++ return binder_alloc_do_buffer_copy(alloc, false, buffer, buffer_offset,
++ dest, bytes);
+ }
+
+diff --git a/drivers/android/binder_alloc.h b/drivers/android/binder_alloc.h
+index 71bfa95f8e09..db9c1b984695 100644
+--- a/drivers/android/binder_alloc.h
++++ b/drivers/android/binder_alloc.h
+@@ -159,17 +159,17 @@ binder_alloc_copy_user_to_buffer(struct binder_alloc *alloc,
+ const void __user *from,
+ size_t bytes);
+
+-void binder_alloc_copy_to_buffer(struct binder_alloc *alloc,
+- struct binder_buffer *buffer,
+- binder_size_t buffer_offset,
+- void *src,
+- size_t bytes);
+-
+-void binder_alloc_copy_from_buffer(struct binder_alloc *alloc,
+- void *dest,
+- struct binder_buffer *buffer,
+- binder_size_t buffer_offset,
+- size_t bytes);
++int binder_alloc_copy_to_buffer(struct binder_alloc *alloc,
++ struct binder_buffer *buffer,
++ binder_size_t buffer_offset,
++ void *src,
++ size_t bytes);
++
++int binder_alloc_copy_from_buffer(struct binder_alloc *alloc,
++ void *dest,
++ struct binder_buffer *buffer,
++ binder_size_t buffer_offset,
++ size_t bytes);
+
+ #endif /* _LINUX_BINDER_ALLOC_H */
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-043-iio-adc-stm32-adc-add-missing-vdda-supply.patch b/patches.kernel.org/5.2.1-043-iio-adc-stm32-adc-add-missing-vdda-supply.patch
new file mode 100644
index 0000000000..0c4a1250bf
--- /dev/null
+++ b/patches.kernel.org/5.2.1-043-iio-adc-stm32-adc-add-missing-vdda-supply.patch
@@ -0,0 +1,96 @@
+From: Fabrice Gasnier <fabrice.gasnier@st.com>
+Date: Wed, 19 Jun 2019 14:29:55 +0200
+Subject: [PATCH] iio: adc: stm32-adc: add missing vdda-supply
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 7685010fca2ba0284f31fd1380df3cffc96d847e
+
+commit 7685010fca2ba0284f31fd1380df3cffc96d847e upstream.
+
+Add missing vdda-supply, analog power supply, to STM32 ADC. When vdda is
+an independent supply, it needs to be properly turned on or off to supply
+the ADC.
+
+Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com>
+Fixes: 1add69880240 ("iio: adc: Add support for STM32 ADC core").
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/iio/adc/stm32-adc-core.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/stm32-adc-core.c b/drivers/iio/adc/stm32-adc-core.c
+index 2327ec18b40c..1f7ce5186dfc 100644
+--- a/drivers/iio/adc/stm32-adc-core.c
++++ b/drivers/iio/adc/stm32-adc-core.c
+@@ -87,6 +87,7 @@ struct stm32_adc_priv_cfg {
+ * @domain: irq domain reference
+ * @aclk: clock reference for the analog circuitry
+ * @bclk: bus clock common for all ADCs, depends on part used
++ * @vdda: vdda analog supply reference
+ * @vref: regulator reference
+ * @cfg: compatible configuration data
+ * @common: common data for all ADC instances
+@@ -97,6 +98,7 @@ struct stm32_adc_priv {
+ struct irq_domain *domain;
+ struct clk *aclk;
+ struct clk *bclk;
++ struct regulator *vdda;
+ struct regulator *vref;
+ const struct stm32_adc_priv_cfg *cfg;
+ struct stm32_adc_common common;
+@@ -394,10 +396,16 @@ static int stm32_adc_core_hw_start(struct device *dev)
+ struct stm32_adc_priv *priv = to_stm32_adc_priv(common);
+ int ret;
+
++ ret = regulator_enable(priv->vdda);
++ if (ret < 0) {
++ dev_err(dev, "vdda enable failed %d\n", ret);
++ return ret;
++ }
++
+ ret = regulator_enable(priv->vref);
+ if (ret < 0) {
+ dev_err(dev, "vref enable failed\n");
+- return ret;
++ goto err_vdda_disable;
+ }
+
+ if (priv->bclk) {
+@@ -425,6 +433,8 @@ static int stm32_adc_core_hw_start(struct device *dev)
+ clk_disable_unprepare(priv->bclk);
+ err_regulator_disable:
+ regulator_disable(priv->vref);
++err_vdda_disable:
++ regulator_disable(priv->vdda);
+
+ return ret;
+ }
+@@ -441,6 +451,7 @@ static void stm32_adc_core_hw_stop(struct device *dev)
+ if (priv->bclk)
+ clk_disable_unprepare(priv->bclk);
+ regulator_disable(priv->vref);
++ regulator_disable(priv->vdda);
+ }
+
+ static int stm32_adc_probe(struct platform_device *pdev)
+@@ -468,6 +479,14 @@ static int stm32_adc_probe(struct platform_device *pdev)
+ return PTR_ERR(priv->common.base);
+ priv->common.phys_base = res->start;
+
++ priv->vdda = devm_regulator_get(&pdev->dev, "vdda");
++ if (IS_ERR(priv->vdda)) {
++ ret = PTR_ERR(priv->vdda);
++ if (ret != -EPROBE_DEFER)
++ dev_err(&pdev->dev, "vdda get failed, %d\n", ret);
++ return ret;
++ }
++
+ priv->vref = devm_regulator_get(&pdev->dev, "vref");
+ if (IS_ERR(priv->vref)) {
+ ret = PTR_ERR(priv->vref);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-044-coresight-Potential-uninitialized-variable-in-p.patch b/patches.kernel.org/5.2.1-044-coresight-Potential-uninitialized-variable-in-p.patch
new file mode 100644
index 0000000000..0dbf63bf6e
--- /dev/null
+++ b/patches.kernel.org/5.2.1-044-coresight-Potential-uninitialized-variable-in-p.patch
@@ -0,0 +1,39 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 20 Jun 2019 16:12:37 -0600
+Subject: [PATCH] coresight: Potential uninitialized variable in probe()
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 0530ef6b41e80c5cc979e0e50682302161edb6b7
+
+commit 0530ef6b41e80c5cc979e0e50682302161edb6b7 upstream.
+
+The "drvdata->atclk" clock is optional, but if it gets set to an error
+pointer then we're accidentally return an uninitialized variable instead
+of success.
+
+Fixes: 78e6427b4e7b ("coresight: funnel: Support static funnel")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190620221237.3536-6-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/hwtracing/coresight/coresight-funnel.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwtracing/coresight/coresight-funnel.c b/drivers/hwtracing/coresight/coresight-funnel.c
+index 16b0c0e1e43a..ad6e16c96263 100644
+--- a/drivers/hwtracing/coresight/coresight-funnel.c
++++ b/drivers/hwtracing/coresight/coresight-funnel.c
+@@ -241,6 +241,7 @@ static int funnel_probe(struct device *dev, struct resource *res)
+ }
+
+ pm_runtime_put(dev);
++ ret = 0;
+
+ out_disable_clk:
+ if (ret && !IS_ERR_OR_NULL(drvdata->atclk))
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-045-coresight-etb10-Do-not-call-smp_processor_id-fr.patch b/patches.kernel.org/5.2.1-045-coresight-etb10-Do-not-call-smp_processor_id-fr.patch
new file mode 100644
index 0000000000..a11f85447e
--- /dev/null
+++ b/patches.kernel.org/5.2.1-045-coresight-etb10-Do-not-call-smp_processor_id-fr.patch
@@ -0,0 +1,54 @@
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Thu, 20 Jun 2019 16:12:36 -0600
+Subject: [PATCH] coresight: etb10: Do not call smp_processor_id from
+ preemptible
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 730766bae3280a25d40ea76a53dc6342e84e6513
+
+commit 730766bae3280a25d40ea76a53dc6342e84e6513 upstream.
+
+During a perf session we try to allocate buffers on the "node" associated
+with the CPU the event is bound to. If it is not bound to a CPU, we
+use the current CPU node, using smp_processor_id(). However this is unsafe
+in a pre-emptible context and could generate the splats as below :
+
+ BUG: using smp_processor_id() in preemptible [00000000] code: perf/2544
+
+Use NUMA_NO_NODE hint instead of using the current node for events
+not bound to CPUs.
+
+Fixes: 2997aa4063d97fdb39 ("coresight: etb10: implementing AUX API")
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Cc: stable <stable@vger.kernel.org> # 4.6+
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20190620221237.3536-5-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/hwtracing/coresight/coresight-etb10.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-etb10.c b/drivers/hwtracing/coresight/coresight-etb10.c
+index 4ee4c80a4354..543cc3d36e1d 100644
+--- a/drivers/hwtracing/coresight/coresight-etb10.c
++++ b/drivers/hwtracing/coresight/coresight-etb10.c
+@@ -373,12 +373,10 @@ static void *etb_alloc_buffer(struct coresight_device *csdev,
+ struct perf_event *event, void **pages,
+ int nr_pages, bool overwrite)
+ {
+- int node, cpu = event->cpu;
++ int node;
+ struct cs_buffers *buf;
+
+- if (cpu == -1)
+- cpu = smp_processor_id();
+- node = cpu_to_node(cpu);
++ node = (event->cpu == -1) ? NUMA_NO_NODE : cpu_to_node(event->cpu);
+
+ buf = kzalloc_node(sizeof(struct cs_buffers), GFP_KERNEL, node);
+ if (!buf)
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-046-coresight-tmc-etr-Do-not-call-smp_processor_id-.patch b/patches.kernel.org/5.2.1-046-coresight-tmc-etr-Do-not-call-smp_processor_id-.patch
new file mode 100644
index 0000000000..7bbbf80cac
--- /dev/null
+++ b/patches.kernel.org/5.2.1-046-coresight-tmc-etr-Do-not-call-smp_processor_id-.patch
@@ -0,0 +1,75 @@
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Thu, 20 Jun 2019 16:12:33 -0600
+Subject: [PATCH] coresight: tmc-etr: Do not call smp_processor_id() from
+ preemptible
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 3ff44563dbb02456a33f2a42000f04db4ef19a8f
+
+commit 3ff44563dbb02456a33f2a42000f04db4ef19a8f upstream.
+
+During a perf session we try to allocate buffers on the "node" associated
+with the CPU the event is bound to. If it's not bound to a CPU, we use
+the current CPU node, using smp_processor_id(). However this is unsafe
+in a pre-emptible context and could generate the splats as below :
+
+ BUG: using smp_processor_id() in preemptible [00000000] code: perf/1743
+ caller is alloc_etr_buf.isra.6+0x80/0xa0
+ CPU: 1 PID: 1743 Comm: perf Not tainted 5.1.0-rc6-147786-g116841e #344
+ Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb 1 2019
+ Call trace:
+ dump_backtrace+0x0/0x150
+ show_stack+0x14/0x20
+ dump_stack+0x9c/0xc4
+ debug_smp_processor_id+0x10c/0x110
+ alloc_etr_buf.isra.6+0x80/0xa0
+ tmc_alloc_etr_buffer+0x12c/0x1f0
+ etm_setup_aux+0x1c4/0x230
+ rb_alloc_aux+0x1b8/0x2b8
+ perf_mmap+0x35c/0x478
+ mmap_region+0x34c/0x4f0
+ do_mmap+0x2d8/0x418
+ vm_mmap_pgoff+0xd0/0xf8
+ ksys_mmap_pgoff+0x88/0xf8
+ __arm64_sys_mmap+0x28/0x38
+ el0_svc_handler+0xd8/0x138
+ el0_svc+0x8/0xc
+
+Use NUMA_NO_NODE hint instead of using the current node for events
+not bound to CPUs.
+
+Fixes: 855ab61c16bf70b646 ("coresight: tmc-etr: Refactor function tmc_etr_setup_perf_buf()")
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190620221237.3536-2-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/hwtracing/coresight/coresight-tmc-etr.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c
+index df6e4b0b84e9..c6a36897924f 100644
+--- a/drivers/hwtracing/coresight/coresight-tmc-etr.c
++++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c
+@@ -1317,13 +1317,11 @@ static struct etr_perf_buffer *
+ tmc_etr_setup_perf_buf(struct tmc_drvdata *drvdata, struct perf_event *event,
+ int nr_pages, void **pages, bool snapshot)
+ {
+- int node, cpu = event->cpu;
++ int node;
+ struct etr_buf *etr_buf;
+ struct etr_perf_buffer *etr_perf;
+
+- if (cpu == -1)
+- cpu = smp_processor_id();
+- node = cpu_to_node(cpu);
++ node = (event->cpu == -1) ? NUMA_NO_NODE : cpu_to_node(event->cpu);
+
+ etr_perf = kzalloc_node(sizeof(*etr_perf), GFP_KERNEL, node);
+ if (!etr_perf)
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-047-coresight-tmc-etr-alloc_perf_buf-Do-not-call-sm.patch b/patches.kernel.org/5.2.1-047-coresight-tmc-etr-alloc_perf_buf-Do-not-call-sm.patch
new file mode 100644
index 0000000000..1d920f985b
--- /dev/null
+++ b/patches.kernel.org/5.2.1-047-coresight-tmc-etr-alloc_perf_buf-Do-not-call-sm.patch
@@ -0,0 +1,75 @@
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Thu, 20 Jun 2019 16:12:34 -0600
+Subject: [PATCH] coresight: tmc-etr: alloc_perf_buf: Do not call
+ smp_processor_id from preemptible
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 3a8710392db2c70f74aed6f06b16e8bec0f05a35
+
+commit 3a8710392db2c70f74aed6f06b16e8bec0f05a35 upstream.
+
+During a perf session we try to allocate buffers on the "node" associated
+with the CPU the event is bound to. If it is not bound to a CPU, we
+use the current CPU node, using smp_processor_id(). However this is unsafe
+in a pre-emptible context and could generate the splats as below :
+
+ BUG: using smp_processor_id() in preemptible [00000000] code: perf/1743
+ caller is tmc_alloc_etr_buffer+0x1bc/0x1f0
+ CPU: 1 PID: 1743 Comm: perf Not tainted 5.1.0-rc6-147786-g116841e #344
+ Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb 1 2019
+ Call trace:
+ dump_backtrace+0x0/0x150
+ show_stack+0x14/0x20
+ dump_stack+0x9c/0xc4
+ debug_smp_processor_id+0x10c/0x110
+ tmc_alloc_etr_buffer+0x1bc/0x1f0
+ etm_setup_aux+0x1c4/0x230
+ rb_alloc_aux+0x1b8/0x2b8
+ perf_mmap+0x35c/0x478
+ mmap_region+0x34c/0x4f0
+ do_mmap+0x2d8/0x418
+ vm_mmap_pgoff+0xd0/0xf8
+ ksys_mmap_pgoff+0x88/0xf8
+ __arm64_sys_mmap+0x28/0x38
+ el0_svc_handler+0xd8/0x138
+ el0_svc+0x8/0xc
+
+Use NUMA_NO_NODE hint instead of using the current node for events
+not bound to CPUs.
+
+Fixes: 22f429f19c4135d51e9 ("coresight: etm-perf: Add support for ETR backend")
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Cc: stable <stable@vger.kernel.org> # 4.20+
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20190620221237.3536-3-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/hwtracing/coresight/coresight-tmc-etr.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c
+index c6a36897924f..9f293b9dce8c 100644
+--- a/drivers/hwtracing/coresight/coresight-tmc-etr.c
++++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c
+@@ -1178,14 +1178,11 @@ static struct etr_buf *
+ alloc_etr_buf(struct tmc_drvdata *drvdata, struct perf_event *event,
+ int nr_pages, void **pages, bool snapshot)
+ {
+- int node, cpu = event->cpu;
++ int node;
+ struct etr_buf *etr_buf;
+ unsigned long size;
+
+- if (cpu == -1)
+- cpu = smp_processor_id();
+- node = cpu_to_node(cpu);
+-
++ node = (event->cpu == -1) ? NUMA_NO_NODE : cpu_to_node(event->cpu);
+ /*
+ * Try to match the perf ring buffer size if it is larger
+ * than the size requested via sysfs.
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-048-coresight-tmc-etf-Do-not-call-smp_processor_id-.patch b/patches.kernel.org/5.2.1-048-coresight-tmc-etf-Do-not-call-smp_processor_id-.patch
new file mode 100644
index 0000000000..22bcd61ee4
--- /dev/null
+++ b/patches.kernel.org/5.2.1-048-coresight-tmc-etf-Do-not-call-smp_processor_id-.patch
@@ -0,0 +1,73 @@
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Thu, 20 Jun 2019 16:12:35 -0600
+Subject: [PATCH] coresight: tmc-etf: Do not call smp_processor_id from
+ preemptible
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 024c1fd9dbcc1d8a847f1311f999d35783921b7f
+
+commit 024c1fd9dbcc1d8a847f1311f999d35783921b7f upstream.
+
+During a perf session we try to allocate buffers on the "node" associated
+with the CPU the event is bound to. If it is not bound to a CPU, we
+use the current CPU node, using smp_processor_id(). However this is unsafe
+in a pre-emptible context and could generate the splats as below :
+
+ BUG: using smp_processor_id() in preemptible [00000000] code: perf/2544
+ caller is tmc_alloc_etf_buffer+0x5c/0x60
+ CPU: 2 PID: 2544 Comm: perf Not tainted 5.1.0-rc6-147786-g116841e #344
+ Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb 1 2019
+ Call trace:
+ dump_backtrace+0x0/0x150
+ show_stack+0x14/0x20
+ dump_stack+0x9c/0xc4
+ debug_smp_processor_id+0x10c/0x110
+ tmc_alloc_etf_buffer+0x5c/0x60
+ etm_setup_aux+0x1c4/0x230
+ rb_alloc_aux+0x1b8/0x2b8
+ perf_mmap+0x35c/0x478
+ mmap_region+0x34c/0x4f0
+ do_mmap+0x2d8/0x418
+ vm_mmap_pgoff+0xd0/0xf8
+ ksys_mmap_pgoff+0x88/0xf8
+ __arm64_sys_mmap+0x28/0x38
+ el0_svc_handler+0xd8/0x138
+ el0_svc+0x8/0xc
+
+Use NUMA_NO_NODE hint instead of using the current node for events
+not bound to CPUs.
+
+Fixes: 2e499bbc1a929ac ("coresight: tmc: implementing TMC-ETF AUX space API")
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Cc: stable <stable@vger.kernel.org> # 4.7+
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20190620221237.3536-4-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/hwtracing/coresight/coresight-tmc-etf.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-tmc-etf.c b/drivers/hwtracing/coresight/coresight-tmc-etf.c
+index 2527b5d3b65e..8de109de171f 100644
+--- a/drivers/hwtracing/coresight/coresight-tmc-etf.c
++++ b/drivers/hwtracing/coresight/coresight-tmc-etf.c
+@@ -378,12 +378,10 @@ static void *tmc_alloc_etf_buffer(struct coresight_device *csdev,
+ struct perf_event *event, void **pages,
+ int nr_pages, bool overwrite)
+ {
+- int node, cpu = event->cpu;
++ int node;
+ struct cs_buffers *buf;
+
+- if (cpu == -1)
+- cpu = smp_processor_id();
+- node = cpu_to_node(cpu);
++ node = (event->cpu == -1) ? NUMA_NO_NODE : cpu_to_node(event->cpu);
+
+ /* Allocate memory structure for interaction with Perf */
+ buf = kzalloc_node(sizeof(struct cs_buffers), GFP_KERNEL, node);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-049-carl9170-fix-misuse-of-device-driver-API.patch b/patches.kernel.org/5.2.1-049-carl9170-fix-misuse-of-device-driver-API.patch
new file mode 100644
index 0000000000..942af1a1a0
--- /dev/null
+++ b/patches.kernel.org/5.2.1-049-carl9170-fix-misuse-of-device-driver-API.patch
@@ -0,0 +1,153 @@
+From: Christian Lamparter <chunkeey@gmail.com>
+Date: Sat, 8 Jun 2019 16:49:47 +0200
+Subject: [PATCH] carl9170: fix misuse of device driver API
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: feb09b2933275a70917a869989ea2823e7356be8
+
+commit feb09b2933275a70917a869989ea2823e7356be8 upstream.
+
+This patch follows Alan Stern's recent patch:
+"p54: Fix race between disconnect and firmware loading"
+
+that overhauled carl9170 buggy firmware loading and driver
+unbinding procedures.
+
+Since the carl9170 code was adapted from p54 it uses the
+same functions and is likely to have the same problem, but
+it's just that the syzbot hasn't reproduce them (yet).
+
+a summary from the changes (copied from the p54 patch):
+ * Call usb_driver_release_interface() rather than
+ device_release_driver().
+
+ * Lock udev (the interface's parent) before unbinding the
+ driver instead of locking udev->parent.
+
+ * During the firmware loading process, take a reference
+ to the USB interface instead of the USB device.
+
+ * Don't take an unnecessary reference to the device during
+ probe (and then don't drop it during disconnect).
+
+and
+
+ * Make sure to prevent use-after-free bugs by explicitly
+ setting the driver context to NULL after signaling the
+ completion.
+
+Cc: <stable@vger.kernel.org>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/wireless/ath/carl9170/usb.c | 39 +++++++++++--------------
+ 1 file changed, 17 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/carl9170/usb.c b/drivers/net/wireless/ath/carl9170/usb.c
+index e7c3f3b8457d..99f1897a775d 100644
+--- a/drivers/net/wireless/ath/carl9170/usb.c
++++ b/drivers/net/wireless/ath/carl9170/usb.c
+@@ -128,6 +128,8 @@ static const struct usb_device_id carl9170_usb_ids[] = {
+ };
+ MODULE_DEVICE_TABLE(usb, carl9170_usb_ids);
+
++static struct usb_driver carl9170_driver;
++
+ static void carl9170_usb_submit_data_urb(struct ar9170 *ar)
+ {
+ struct urb *urb;
+@@ -966,32 +968,28 @@ static int carl9170_usb_init_device(struct ar9170 *ar)
+
+ static void carl9170_usb_firmware_failed(struct ar9170 *ar)
+ {
+- struct device *parent = ar->udev->dev.parent;
+- struct usb_device *udev;
+-
+- /*
+- * Store a copy of the usb_device pointer locally.
+- * This is because device_release_driver initiates
+- * carl9170_usb_disconnect, which in turn frees our
+- * driver context (ar).
++ /* Store a copies of the usb_interface and usb_device pointer locally.
++ * This is because release_driver initiates carl9170_usb_disconnect,
++ * which in turn frees our driver context (ar).
+ */
+- udev = ar->udev;
++ struct usb_interface *intf = ar->intf;
++ struct usb_device *udev = ar->udev;
+
+ complete(&ar->fw_load_wait);
++ /* at this point 'ar' could be already freed. Don't use it anymore */
++ ar = NULL;
+
+ /* unbind anything failed */
+- if (parent)
+- device_lock(parent);
+-
+- device_release_driver(&udev->dev);
+- if (parent)
+- device_unlock(parent);
++ usb_lock_device(udev);
++ usb_driver_release_interface(&carl9170_driver, intf);
++ usb_unlock_device(udev);
+
+- usb_put_dev(udev);
++ usb_put_intf(intf);
+ }
+
+ static void carl9170_usb_firmware_finish(struct ar9170 *ar)
+ {
++ struct usb_interface *intf = ar->intf;
+ int err;
+
+ err = carl9170_parse_firmware(ar);
+@@ -1009,7 +1007,7 @@ static void carl9170_usb_firmware_finish(struct ar9170 *ar)
+ goto err_unrx;
+
+ complete(&ar->fw_load_wait);
+- usb_put_dev(ar->udev);
++ usb_put_intf(intf);
+ return;
+
+ err_unrx:
+@@ -1052,7 +1050,6 @@ static int carl9170_usb_probe(struct usb_interface *intf,
+ return PTR_ERR(ar);
+
+ udev = interface_to_usbdev(intf);
+- usb_get_dev(udev);
+ ar->udev = udev;
+ ar->intf = intf;
+ ar->features = id->driver_info;
+@@ -1094,15 +1091,14 @@ static int carl9170_usb_probe(struct usb_interface *intf,
+ atomic_set(&ar->rx_anch_urbs, 0);
+ atomic_set(&ar->rx_pool_urbs, 0);
+
+- usb_get_dev(ar->udev);
++ usb_get_intf(intf);
+
+ carl9170_set_state(ar, CARL9170_STOPPED);
+
+ err = request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
+ &ar->udev->dev, GFP_KERNEL, ar, carl9170_usb_firmware_step2);
+ if (err) {
+- usb_put_dev(udev);
+- usb_put_dev(udev);
++ usb_put_intf(intf);
+ carl9170_free(ar);
+ }
+ return err;
+@@ -1131,7 +1127,6 @@ static void carl9170_usb_disconnect(struct usb_interface *intf)
+
+ carl9170_release_firmware(ar);
+ carl9170_free(ar);
+- usb_put_dev(udev);
+ }
+
+ #ifdef CONFIG_PM
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-050-Revert-x86-build-Move-_etext-to-actual-end-of-..patch b/patches.kernel.org/5.2.1-050-Revert-x86-build-Move-_etext-to-actual-end-of-..patch
new file mode 100644
index 0000000000..eb357485fb
--- /dev/null
+++ b/patches.kernel.org/5.2.1-050-Revert-x86-build-Move-_etext-to-actual-end-of-..patch
@@ -0,0 +1,61 @@
+From: Ross Zwisler <zwisler@chromium.org>
+Date: Mon, 1 Jul 2019 09:52:08 -0600
+Subject: [PATCH] Revert "x86/build: Move _etext to actual end of .text"
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 013c66edf207ddb78422b8b636f56c87939c9e34
+
+commit 013c66edf207ddb78422b8b636f56c87939c9e34 upstream.
+
+This reverts commit 392bef709659abea614abfe53cf228e7a59876a4.
+
+Per the discussion here:
+
+ https://lkml.kernel.org/r/201906201042.3BF5CD6@keescook
+
+the above referenced commit breaks kernel compilation with old GCC
+toolchains as well as current versions of the Gold linker.
+
+Revert it to fix the regression and to keep the ability to compile the
+kernel with these tools.
+
+Signed-off-by: Ross Zwisler <zwisler@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Cc: <stable@vger.kernel.org>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Johannes Hirte <johannes.hirte@datenkhaos.de>
+Cc: Klaus Kusche <klaus.kusche@computerix.info>
+Cc: samitolvanen@google.com
+Cc: Guenter Roeck <groeck@google.com>
+Link: https://lkml.kernel.org/r/20190701155208.211815-1-zwisler@google.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/kernel/vmlinux.lds.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
+index 0850b5149345..4d1517022a14 100644
+--- a/arch/x86/kernel/vmlinux.lds.S
++++ b/arch/x86/kernel/vmlinux.lds.S
+@@ -141,10 +141,10 @@ SECTIONS
+ *(.text.__x86.indirect_thunk)
+ __indirect_thunk_end = .;
+ #endif
+- } :text = 0x9090
+
+- /* End of text section */
+- _etext = .;
++ /* End of text section */
++ _etext = .;
++ } :text = 0x9090
+
+ NOTES :text :note
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-051-VMCI-Fix-integer-overflow-in-VMCI-handle-arrays.patch b/patches.kernel.org/5.2.1-051-VMCI-Fix-integer-overflow-in-VMCI-handle-arrays.patch
new file mode 100644
index 0000000000..7b476ef706
--- /dev/null
+++ b/patches.kernel.org/5.2.1-051-VMCI-Fix-integer-overflow-in-VMCI-handle-arrays.patch
@@ -0,0 +1,385 @@
+From: Vishnu DASA <vdasa@vmware.com>
+Date: Fri, 24 May 2019 15:13:10 +0000
+Subject: [PATCH] VMCI: Fix integer overflow in VMCI handle arrays
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 1c2eb5b2853c9f513690ba6b71072d8eb65da16a
+
+commit 1c2eb5b2853c9f513690ba6b71072d8eb65da16a upstream.
+
+The VMCI handle array has an integer overflow in
+vmci_handle_arr_append_entry when it tries to expand the array. This can be
+triggered from a guest, since the doorbell link hypercall doesn't impose a
+limit on the number of doorbell handles that a VM can create in the
+hypervisor, and these handles are stored in a handle array.
+
+In this change, we introduce a mandatory max capacity for handle
+arrays/lists to avoid excessive memory usage.
+
+Signed-off-by: Vishnu Dasa <vdasa@vmware.com>
+Reviewed-by: Adit Ranadive <aditr@vmware.com>
+Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/misc/vmw_vmci/vmci_context.c | 80 +++++++++++++----------
+ drivers/misc/vmw_vmci/vmci_handle_array.c | 38 +++++++----
+ drivers/misc/vmw_vmci/vmci_handle_array.h | 29 +++++---
+ include/linux/vmw_vmci_defs.h | 11 +++-
+ 4 files changed, 99 insertions(+), 59 deletions(-)
+
+diff --git a/drivers/misc/vmw_vmci/vmci_context.c b/drivers/misc/vmw_vmci/vmci_context.c
+index 300ed69fe2c7..16695366ec92 100644
+--- a/drivers/misc/vmw_vmci/vmci_context.c
++++ b/drivers/misc/vmw_vmci/vmci_context.c
+@@ -21,6 +21,9 @@
+ #include "vmci_driver.h"
+ #include "vmci_event.h"
+
++/* Use a wide upper bound for the maximum contexts. */
++#define VMCI_MAX_CONTEXTS 2000
++
+ /*
+ * List of current VMCI contexts. Contexts can be added by
+ * vmci_ctx_create() and removed via vmci_ctx_destroy().
+@@ -117,19 +120,22 @@ struct vmci_ctx *vmci_ctx_create(u32 cid, u32 priv_flags,
+ /* Initialize host-specific VMCI context. */
+ init_waitqueue_head(&context->host_context.wait_queue);
+
+- context->queue_pair_array = vmci_handle_arr_create(0);
++ context->queue_pair_array =
++ vmci_handle_arr_create(0, VMCI_MAX_GUEST_QP_COUNT);
+ if (!context->queue_pair_array) {
+ error = -ENOMEM;
+ goto err_free_ctx;
+ }
+
+- context->doorbell_array = vmci_handle_arr_create(0);
++ context->doorbell_array =
++ vmci_handle_arr_create(0, VMCI_MAX_GUEST_DOORBELL_COUNT);
+ if (!context->doorbell_array) {
+ error = -ENOMEM;
+ goto err_free_qp_array;
+ }
+
+- context->pending_doorbell_array = vmci_handle_arr_create(0);
++ context->pending_doorbell_array =
++ vmci_handle_arr_create(0, VMCI_MAX_GUEST_DOORBELL_COUNT);
+ if (!context->pending_doorbell_array) {
+ error = -ENOMEM;
+ goto err_free_db_array;
+@@ -204,7 +210,7 @@ static int ctx_fire_notification(u32 context_id, u32 priv_flags)
+ * We create an array to hold the subscribers we find when
+ * scanning through all contexts.
+ */
+- subscriber_array = vmci_handle_arr_create(0);
++ subscriber_array = vmci_handle_arr_create(0, VMCI_MAX_CONTEXTS);
+ if (subscriber_array == NULL)
+ return VMCI_ERROR_NO_MEM;
+
+@@ -623,20 +629,26 @@ int vmci_ctx_add_notification(u32 context_id, u32 remote_cid)
+
+ spin_lock(&context->lock);
+
+- list_for_each_entry(n, &context->notifier_list, node) {
+- if (vmci_handle_is_equal(n->handle, notifier->handle)) {
+- exists = true;
+- break;
++ if (context->n_notifiers < VMCI_MAX_CONTEXTS) {
++ list_for_each_entry(n, &context->notifier_list, node) {
++ if (vmci_handle_is_equal(n->handle, notifier->handle)) {
++ exists = true;
++ break;
++ }
+ }
+- }
+
+- if (exists) {
+- kfree(notifier);
+- result = VMCI_ERROR_ALREADY_EXISTS;
++ if (exists) {
++ kfree(notifier);
++ result = VMCI_ERROR_ALREADY_EXISTS;
++ } else {
++ list_add_tail_rcu(&notifier->node,
++ &context->notifier_list);
++ context->n_notifiers++;
++ result = VMCI_SUCCESS;
++ }
+ } else {
+- list_add_tail_rcu(&notifier->node, &context->notifier_list);
+- context->n_notifiers++;
+- result = VMCI_SUCCESS;
++ kfree(notifier);
++ result = VMCI_ERROR_NO_MEM;
+ }
+
+ spin_unlock(&context->lock);
+@@ -721,8 +733,7 @@ static int vmci_ctx_get_chkpt_doorbells(struct vmci_ctx *context,
+ u32 *buf_size, void **pbuf)
+ {
+ struct dbell_cpt_state *dbells;
+- size_t n_doorbells;
+- int i;
++ u32 i, n_doorbells;
+
+ n_doorbells = vmci_handle_arr_get_size(context->doorbell_array);
+ if (n_doorbells > 0) {
+@@ -860,7 +871,8 @@ int vmci_ctx_rcv_notifications_get(u32 context_id,
+ spin_lock(&context->lock);
+
+ *db_handle_array = context->pending_doorbell_array;
+- context->pending_doorbell_array = vmci_handle_arr_create(0);
++ context->pending_doorbell_array =
++ vmci_handle_arr_create(0, VMCI_MAX_GUEST_DOORBELL_COUNT);
+ if (!context->pending_doorbell_array) {
+ context->pending_doorbell_array = *db_handle_array;
+ *db_handle_array = NULL;
+@@ -942,12 +954,11 @@ int vmci_ctx_dbell_create(u32 context_id, struct vmci_handle handle)
+ return VMCI_ERROR_NOT_FOUND;
+
+ spin_lock(&context->lock);
+- if (!vmci_handle_arr_has_entry(context->doorbell_array, handle)) {
+- vmci_handle_arr_append_entry(&context->doorbell_array, handle);
+- result = VMCI_SUCCESS;
+- } else {
++ if (!vmci_handle_arr_has_entry(context->doorbell_array, handle))
++ result = vmci_handle_arr_append_entry(&context->doorbell_array,
++ handle);
++ else
+ result = VMCI_ERROR_DUPLICATE_ENTRY;
+- }
+
+ spin_unlock(&context->lock);
+ vmci_ctx_put(context);
+@@ -1083,15 +1094,16 @@ int vmci_ctx_notify_dbell(u32 src_cid,
+ if (!vmci_handle_arr_has_entry(
+ dst_context->pending_doorbell_array,
+ handle)) {
+- vmci_handle_arr_append_entry(
++ result = vmci_handle_arr_append_entry(
+ &dst_context->pending_doorbell_array,
+ handle);
+-
+- ctx_signal_notify(dst_context);
+- wake_up(&dst_context->host_context.wait_queue);
+-
++ if (result == VMCI_SUCCESS) {
++ ctx_signal_notify(dst_context);
++ wake_up(&dst_context->host_context.wait_queue);
++ }
++ } else {
++ result = VMCI_SUCCESS;
+ }
+- result = VMCI_SUCCESS;
+ }
+ spin_unlock(&dst_context->lock);
+ }
+@@ -1118,13 +1130,11 @@ int vmci_ctx_qp_create(struct vmci_ctx *context, struct vmci_handle handle)
+ if (context == NULL || vmci_handle_is_invalid(handle))
+ return VMCI_ERROR_INVALID_ARGS;
+
+- if (!vmci_handle_arr_has_entry(context->queue_pair_array, handle)) {
+- vmci_handle_arr_append_entry(&context->queue_pair_array,
+- handle);
+- result = VMCI_SUCCESS;
+- } else {
++ if (!vmci_handle_arr_has_entry(context->queue_pair_array, handle))
++ result = vmci_handle_arr_append_entry(
++ &context->queue_pair_array, handle);
++ else
+ result = VMCI_ERROR_DUPLICATE_ENTRY;
+- }
+
+ return result;
+ }
+diff --git a/drivers/misc/vmw_vmci/vmci_handle_array.c b/drivers/misc/vmw_vmci/vmci_handle_array.c
+index c527388f5d7b..de7fee7ead1b 100644
+--- a/drivers/misc/vmw_vmci/vmci_handle_array.c
++++ b/drivers/misc/vmw_vmci/vmci_handle_array.c
+@@ -8,24 +8,29 @@
+ #include <linux/slab.h>
+ #include "vmci_handle_array.h"
+
+-static size_t handle_arr_calc_size(size_t capacity)
++static size_t handle_arr_calc_size(u32 capacity)
+ {
+- return sizeof(struct vmci_handle_arr) +
++ return VMCI_HANDLE_ARRAY_HEADER_SIZE +
+ capacity * sizeof(struct vmci_handle);
+ }
+
+-struct vmci_handle_arr *vmci_handle_arr_create(size_t capacity)
++struct vmci_handle_arr *vmci_handle_arr_create(u32 capacity, u32 max_capacity)
+ {
+ struct vmci_handle_arr *array;
+
++ if (max_capacity == 0 || capacity > max_capacity)
++ return NULL;
++
+ if (capacity == 0)
+- capacity = VMCI_HANDLE_ARRAY_DEFAULT_SIZE;
++ capacity = min((u32)VMCI_HANDLE_ARRAY_DEFAULT_CAPACITY,
++ max_capacity);
+
+ array = kmalloc(handle_arr_calc_size(capacity), GFP_ATOMIC);
+ if (!array)
+ return NULL;
+
+ array->capacity = capacity;
++ array->max_capacity = max_capacity;
+ array->size = 0;
+
+ return array;
+@@ -36,27 +41,34 @@ void vmci_handle_arr_destroy(struct vmci_handle_arr *array)
+ kfree(array);
+ }
+
+-void vmci_handle_arr_append_entry(struct vmci_handle_arr **array_ptr,
+- struct vmci_handle handle)
++int vmci_handle_arr_append_entry(struct vmci_handle_arr **array_ptr,
++ struct vmci_handle handle)
+ {
+ struct vmci_handle_arr *array = *array_ptr;
+
+ if (unlikely(array->size >= array->capacity)) {
+ /* reallocate. */
+ struct vmci_handle_arr *new_array;
+- size_t new_capacity = array->capacity * VMCI_ARR_CAP_MULT;
+- size_t new_size = handle_arr_calc_size(new_capacity);
++ u32 capacity_bump = min(array->max_capacity - array->capacity,
++ array->capacity);
++ size_t new_size = handle_arr_calc_size(array->capacity +
++ capacity_bump);
++
++ if (array->size >= array->max_capacity)
++ return VMCI_ERROR_NO_MEM;
+
+ new_array = krealloc(array, new_size, GFP_ATOMIC);
+ if (!new_array)
+- return;
++ return VMCI_ERROR_NO_MEM;
+
+- new_array->capacity = new_capacity;
++ new_array->capacity += capacity_bump;
+ *array_ptr = array = new_array;
+ }
+
+ array->entries[array->size] = handle;
+ array->size++;
++
++ return VMCI_SUCCESS;
+ }
+
+ /*
+@@ -66,7 +78,7 @@ struct vmci_handle vmci_handle_arr_remove_entry(struct vmci_handle_arr *array,
+ struct vmci_handle entry_handle)
+ {
+ struct vmci_handle handle = VMCI_INVALID_HANDLE;
+- size_t i;
++ u32 i;
+
+ for (i = 0; i < array->size; i++) {
+ if (vmci_handle_is_equal(array->entries[i], entry_handle)) {
+@@ -101,7 +113,7 @@ struct vmci_handle vmci_handle_arr_remove_tail(struct vmci_handle_arr *array)
+ * Handle at given index, VMCI_INVALID_HANDLE if invalid index.
+ */
+ struct vmci_handle
+-vmci_handle_arr_get_entry(const struct vmci_handle_arr *array, size_t index)
++vmci_handle_arr_get_entry(const struct vmci_handle_arr *array, u32 index)
+ {
+ if (unlikely(index >= array->size))
+ return VMCI_INVALID_HANDLE;
+@@ -112,7 +124,7 @@ vmci_handle_arr_get_entry(const struct vmci_handle_arr *array, size_t index)
+ bool vmci_handle_arr_has_entry(const struct vmci_handle_arr *array,
+ struct vmci_handle entry_handle)
+ {
+- size_t i;
++ u32 i;
+
+ for (i = 0; i < array->size; i++)
+ if (vmci_handle_is_equal(array->entries[i], entry_handle))
+diff --git a/drivers/misc/vmw_vmci/vmci_handle_array.h b/drivers/misc/vmw_vmci/vmci_handle_array.h
+index bd1559a548e9..96193f85be5b 100644
+--- a/drivers/misc/vmw_vmci/vmci_handle_array.h
++++ b/drivers/misc/vmw_vmci/vmci_handle_array.h
+@@ -9,32 +9,41 @@
+ #define _VMCI_HANDLE_ARRAY_H_
+
+ #include <linux/vmw_vmci_defs.h>
++#include <linux/limits.h>
+ #include <linux/types.h>
+
+-#define VMCI_HANDLE_ARRAY_DEFAULT_SIZE 4
+-#define VMCI_ARR_CAP_MULT 2 /* Array capacity multiplier */
+-
+ struct vmci_handle_arr {
+- size_t capacity;
+- size_t size;
++ u32 capacity;
++ u32 max_capacity;
++ u32 size;
++ u32 pad;
+ struct vmci_handle entries[];
+ };
+
+-struct vmci_handle_arr *vmci_handle_arr_create(size_t capacity);
++#define VMCI_HANDLE_ARRAY_HEADER_SIZE \
++ offsetof(struct vmci_handle_arr, entries)
++/* Select a default capacity that results in a 64 byte sized array */
++#define VMCI_HANDLE_ARRAY_DEFAULT_CAPACITY 6
++/* Make sure that the max array size can be expressed by a u32 */
++#define VMCI_HANDLE_ARRAY_MAX_CAPACITY \
++ ((U32_MAX - VMCI_HANDLE_ARRAY_HEADER_SIZE - 1) / \
++ sizeof(struct vmci_handle))
++
++struct vmci_handle_arr *vmci_handle_arr_create(u32 capacity, u32 max_capacity);
+ void vmci_handle_arr_destroy(struct vmci_handle_arr *array);
+-void vmci_handle_arr_append_entry(struct vmci_handle_arr **array_ptr,
+- struct vmci_handle handle);
++int vmci_handle_arr_append_entry(struct vmci_handle_arr **array_ptr,
++ struct vmci_handle handle);
+ struct vmci_handle vmci_handle_arr_remove_entry(struct vmci_handle_arr *array,
+ struct vmci_handle
+ entry_handle);
+ struct vmci_handle vmci_handle_arr_remove_tail(struct vmci_handle_arr *array);
+ struct vmci_handle
+-vmci_handle_arr_get_entry(const struct vmci_handle_arr *array, size_t index);
++vmci_handle_arr_get_entry(const struct vmci_handle_arr *array, u32 index);
+ bool vmci_handle_arr_has_entry(const struct vmci_handle_arr *array,
+ struct vmci_handle entry_handle);
+ struct vmci_handle *vmci_handle_arr_get_handles(struct vmci_handle_arr *array);
+
+-static inline size_t vmci_handle_arr_get_size(
++static inline u32 vmci_handle_arr_get_size(
+ const struct vmci_handle_arr *array)
+ {
+ return array->size;
+diff --git a/include/linux/vmw_vmci_defs.h b/include/linux/vmw_vmci_defs.h
+index 77ac9c7b9483..762f793e92f6 100644
+--- a/include/linux/vmw_vmci_defs.h
++++ b/include/linux/vmw_vmci_defs.h
+@@ -62,9 +62,18 @@ enum {
+
+ /*
+ * A single VMCI device has an upper limit of 128MB on the amount of
+- * memory that can be used for queue pairs.
++ * memory that can be used for queue pairs. Since each queue pair
++ * consists of at least two pages, the memory limit also dictates the
++ * number of queue pairs a guest can create.
+ */
+ #define VMCI_MAX_GUEST_QP_MEMORY (128 * 1024 * 1024)
++#define VMCI_MAX_GUEST_QP_COUNT (VMCI_MAX_GUEST_QP_MEMORY / PAGE_SIZE / 2)
++
++/*
++ * There can be at most PAGE_SIZE doorbells since there is one doorbell
++ * per byte in the doorbell bitmap page.
++ */
++#define VMCI_MAX_GUEST_DOORBELL_COUNT PAGE_SIZE
+
+ /*
+ * Queues with pre-mapped data pages must be small, so that we don't pin
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-052-staging-vchiq_2835_arm-revert-quit-using-custom.patch b/patches.kernel.org/5.2.1-052-staging-vchiq_2835_arm-revert-quit-using-custom.patch
new file mode 100644
index 0000000000..667c1a2a4e
--- /dev/null
+++ b/patches.kernel.org/5.2.1-052-staging-vchiq_2835_arm-revert-quit-using-custom.patch
@@ -0,0 +1,40 @@
+From: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Date: Thu, 9 May 2019 16:31:33 +0200
+Subject: [PATCH] staging: vchiq_2835_arm: revert "quit using custom
+ down_interruptible()"
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 061ca1401f96c254e7f179bf97a1fc5c7f47e1e1
+
+commit 061ca1401f96c254e7f179bf97a1fc5c7f47e1e1 upstream.
+
+The killable version of down() is meant to be used on situations where
+it should not fail at all costs, but still have the convenience of being
+able to kill it if really necessary. VCHIQ doesn't fit this criteria, as
+it's mainly used as an interface to V4L2 and ALSA devices.
+
+Fixes: ff5979ad8636 ("staging: vchiq_2835_arm: quit using custom down_interruptible()")
+Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ .../staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
+index c557c9953724..aa20fcaefa9d 100644
+--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
+@@ -523,7 +523,7 @@ create_pagelist(char __user *buf, size_t count, unsigned short type)
+ (g_cache_line_size - 1)))) {
+ char *fragments;
+
+- if (down_killable(&g_free_fragments_sema)) {
++ if (down_interruptible(&g_free_fragments_sema) != 0) {
+ cleanup_pagelistinfo(pagelistinfo);
+ return NULL;
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-053-staging-vchiq-make-wait-events-interruptible.patch b/patches.kernel.org/5.2.1-053-staging-vchiq-make-wait-events-interruptible.patch
new file mode 100644
index 0000000000..119901ab83
--- /dev/null
+++ b/patches.kernel.org/5.2.1-053-staging-vchiq-make-wait-events-interruptible.patch
@@ -0,0 +1,54 @@
+From: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Date: Thu, 9 May 2019 16:31:35 +0200
+Subject: [PATCH] staging: vchiq: make wait events interruptible
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 77cf3f5dcf35c8f547f075213dbc15146d44cc76
+
+commit 77cf3f5dcf35c8f547f075213dbc15146d44cc76 upstream.
+
+The killable version of wait_event() is meant to be used on situations
+where it should not fail at all costs, but still have the convenience of
+being able to kill it if really necessary. Wait events in VCHIQ doesn't
+fit this criteria, as it's mainly used as an interface to V4L2 and ALSA
+devices.
+
+Fixes: 852b2876a8a8 ("staging: vchiq: rework remove_event handling")
+Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ .../vc04_services/interface/vchiq_arm/vchiq_core.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
+index 0c387b6473a5..7eb3f33eaef8 100644
+--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
+@@ -395,13 +395,21 @@ remote_event_create(wait_queue_head_t *wq, struct remote_event *event)
+ init_waitqueue_head(wq);
+ }
+
++/*
++ * All the event waiting routines in VCHIQ used a custom semaphore
++ * implementation that filtered most signals. This achieved a behaviour similar
++ * to the "killable" family of functions. While cleaning up this code all the
++ * routines where switched to the "interruptible" family of functions, as the
++ * former was deemed unjustified and the use "killable" set all VCHIQ's
++ * threads in D state.
++ */
+ static inline int
+ remote_event_wait(wait_queue_head_t *wq, struct remote_event *event)
+ {
+ if (!event->fired) {
+ event->armed = 1;
+ dsb(sy);
+- if (wait_event_killable(*wq, event->fired)) {
++ if (wait_event_interruptible(*wq, event->fired)) {
+ event->armed = 0;
+ return 0;
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-054-staging-vchiq-revert-switch-to-wait_for_complet.patch b/patches.kernel.org/5.2.1-054-staging-vchiq-revert-switch-to-wait_for_complet.patch
new file mode 100644
index 0000000000..f15bad9d52
--- /dev/null
+++ b/patches.kernel.org/5.2.1-054-staging-vchiq-revert-switch-to-wait_for_complet.patch
@@ -0,0 +1,251 @@
+From: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Date: Thu, 9 May 2019 16:31:34 +0200
+Subject: [PATCH] staging: vchiq: revert "switch to
+ wait_for_completion_killable"
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 086efbabdc04563268372aaef4d66039d85ee76c
+
+commit 086efbabdc04563268372aaef4d66039d85ee76c upstream.
+
+The killable version of wait_for_completion() is meant to be used on
+situations where it should not fail at all costs, but still have the
+convenience of being able to kill it if really necessary. VCHIQ doesn't
+fit this criteria, as it's mainly used as an interface to V4L2 and ALSA
+devices.
+
+Fixes: a772f116702e ("staging: vchiq: switch to wait_for_completion_killable")
+Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ .../interface/vchiq_arm/vchiq_arm.c | 21 ++++++++++---------
+ .../interface/vchiq_arm/vchiq_core.c | 21 ++++++++++---------
+ .../interface/vchiq_arm/vchiq_util.c | 6 +++---
+ 3 files changed, 25 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
+index ab7d6a0ce94c..62d8f599e765 100644
+--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
+@@ -532,7 +532,8 @@ add_completion(VCHIQ_INSTANCE_T instance, VCHIQ_REASON_T reason,
+ vchiq_log_trace(vchiq_arm_log_level,
+ "%s - completion queue full", __func__);
+ DEBUG_COUNT(COMPLETION_QUEUE_FULL_COUNT);
+- if (wait_for_completion_killable(&instance->remove_event)) {
++ if (wait_for_completion_interruptible(
++ &instance->remove_event)) {
+ vchiq_log_info(vchiq_arm_log_level,
+ "service_callback interrupted");
+ return VCHIQ_RETRY;
+@@ -643,7 +644,7 @@ service_callback(VCHIQ_REASON_T reason, struct vchiq_header *header,
+ }
+
+ DEBUG_TRACE(SERVICE_CALLBACK_LINE);
+- if (wait_for_completion_killable(
++ if (wait_for_completion_interruptible(
+ &user_service->remove_event)
+ != 0) {
+ vchiq_log_info(vchiq_arm_log_level,
+@@ -978,7 +979,7 @@ vchiq_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ has been closed until the client library calls the
+ CLOSE_DELIVERED ioctl, signalling close_event. */
+ if (user_service->close_pending &&
+- wait_for_completion_killable(
++ wait_for_completion_interruptible(
+ &user_service->close_event))
+ status = VCHIQ_RETRY;
+ break;
+@@ -1154,7 +1155,7 @@ vchiq_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+
+ DEBUG_TRACE(AWAIT_COMPLETION_LINE);
+ mutex_unlock(&instance->completion_mutex);
+- rc = wait_for_completion_killable(
++ rc = wait_for_completion_interruptible(
+ &instance->insert_event);
+ mutex_lock(&instance->completion_mutex);
+ if (rc != 0) {
+@@ -1324,7 +1325,7 @@ vchiq_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ do {
+ spin_unlock(&msg_queue_spinlock);
+ DEBUG_TRACE(DEQUEUE_MESSAGE_LINE);
+- if (wait_for_completion_killable(
++ if (wait_for_completion_interruptible(
+ &user_service->insert_event)) {
+ vchiq_log_info(vchiq_arm_log_level,
+ "DEQUEUE_MESSAGE interrupted");
+@@ -2328,7 +2329,7 @@ vchiq_keepalive_thread_func(void *v)
+ while (1) {
+ long rc = 0, uc = 0;
+
+- if (wait_for_completion_killable(&arm_state->ka_evt)
++ if (wait_for_completion_interruptible(&arm_state->ka_evt)
+ != 0) {
+ vchiq_log_error(vchiq_susp_log_level,
+ "%s interrupted", __func__);
+@@ -2579,7 +2580,7 @@ block_resume(struct vchiq_arm_state *arm_state)
+ write_unlock_bh(&arm_state->susp_res_lock);
+ vchiq_log_info(vchiq_susp_log_level, "%s wait for previously "
+ "blocked clients", __func__);
+- if (wait_for_completion_killable_timeout(
++ if (wait_for_completion_interruptible_timeout(
+ &arm_state->blocked_blocker, timeout_val)
+ <= 0) {
+ vchiq_log_error(vchiq_susp_log_level, "%s wait for "
+@@ -2605,7 +2606,7 @@ block_resume(struct vchiq_arm_state *arm_state)
+ write_unlock_bh(&arm_state->susp_res_lock);
+ vchiq_log_info(vchiq_susp_log_level, "%s wait for resume",
+ __func__);
+- if (wait_for_completion_killable_timeout(
++ if (wait_for_completion_interruptible_timeout(
+ &arm_state->vc_resume_complete, timeout_val)
+ <= 0) {
+ vchiq_log_error(vchiq_susp_log_level, "%s wait for "
+@@ -2812,7 +2813,7 @@ vchiq_arm_force_suspend(struct vchiq_state *state)
+ do {
+ write_unlock_bh(&arm_state->susp_res_lock);
+
+- rc = wait_for_completion_killable_timeout(
++ rc = wait_for_completion_interruptible_timeout(
+ &arm_state->vc_suspend_complete,
+ msecs_to_jiffies(FORCE_SUSPEND_TIMEOUT_MS));
+
+@@ -2908,7 +2909,7 @@ vchiq_arm_allow_resume(struct vchiq_state *state)
+ write_unlock_bh(&arm_state->susp_res_lock);
+
+ if (resume) {
+- if (wait_for_completion_killable(
++ if (wait_for_completion_interruptible(
+ &arm_state->vc_resume_complete) < 0) {
+ vchiq_log_error(vchiq_susp_log_level,
+ "%s interrupted", __func__);
+diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
+index 7eb3f33eaef8..44bfa890e0e5 100644
+--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
+@@ -568,7 +568,7 @@ reserve_space(struct vchiq_state *state, size_t space, int is_blocking)
+ remote_event_signal(&state->remote->trigger);
+
+ if (!is_blocking ||
+- (wait_for_completion_killable(
++ (wait_for_completion_interruptible(
+ &state->slot_available_event)))
+ return NULL; /* No space available */
+ }
+@@ -838,7 +838,7 @@ queue_message(struct vchiq_state *state, struct vchiq_service *service,
+ spin_unlock(&quota_spinlock);
+ mutex_unlock(&state->slot_mutex);
+
+- if (wait_for_completion_killable(
++ if (wait_for_completion_interruptible(
+ &state->data_quota_event))
+ return VCHIQ_RETRY;
+
+@@ -869,7 +869,7 @@ queue_message(struct vchiq_state *state, struct vchiq_service *service,
+ service_quota->slot_use_count);
+ VCHIQ_SERVICE_STATS_INC(service, quota_stalls);
+ mutex_unlock(&state->slot_mutex);
+- if (wait_for_completion_killable(
++ if (wait_for_completion_interruptible(
+ &service_quota->quota_event))
+ return VCHIQ_RETRY;
+ if (service->closing)
+@@ -1718,7 +1718,8 @@ parse_rx_slots(struct vchiq_state *state)
+ &service->bulk_rx : &service->bulk_tx;
+
+ DEBUG_TRACE(PARSE_LINE);
+- if (mutex_lock_killable(&service->bulk_mutex)) {
++ if (mutex_lock_killable(
++ &service->bulk_mutex) != 0) {
+ DEBUG_TRACE(PARSE_LINE);
+ goto bail_not_ready;
+ }
+@@ -2436,7 +2437,7 @@ vchiq_open_service_internal(struct vchiq_service *service, int client_id)
+ QMFLAGS_IS_BLOCKING);
+ if (status == VCHIQ_SUCCESS) {
+ /* Wait for the ACK/NAK */
+- if (wait_for_completion_killable(&service->remove_event)) {
++ if (wait_for_completion_interruptible(&service->remove_event)) {
+ status = VCHIQ_RETRY;
+ vchiq_release_service_internal(service);
+ } else if ((service->srvstate != VCHIQ_SRVSTATE_OPEN) &&
+@@ -2803,7 +2804,7 @@ vchiq_connect_internal(struct vchiq_state *state, VCHIQ_INSTANCE_T instance)
+ }
+
+ if (state->conn_state == VCHIQ_CONNSTATE_CONNECTING) {
+- if (wait_for_completion_killable(&state->connect))
++ if (wait_for_completion_interruptible(&state->connect))
+ return VCHIQ_RETRY;
+
+ vchiq_set_conn_state(state, VCHIQ_CONNSTATE_CONNECTED);
+@@ -2902,7 +2903,7 @@ vchiq_close_service(VCHIQ_SERVICE_HANDLE_T handle)
+ }
+
+ while (1) {
+- if (wait_for_completion_killable(&service->remove_event)) {
++ if (wait_for_completion_interruptible(&service->remove_event)) {
+ status = VCHIQ_RETRY;
+ break;
+ }
+@@ -2963,7 +2964,7 @@ vchiq_remove_service(VCHIQ_SERVICE_HANDLE_T handle)
+ request_poll(service->state, service, VCHIQ_POLL_REMOVE);
+ }
+ while (1) {
+- if (wait_for_completion_killable(&service->remove_event)) {
++ if (wait_for_completion_interruptible(&service->remove_event)) {
+ status = VCHIQ_RETRY;
+ break;
+ }
+@@ -3046,7 +3047,7 @@ VCHIQ_STATUS_T vchiq_bulk_transfer(VCHIQ_SERVICE_HANDLE_T handle,
+ VCHIQ_SERVICE_STATS_INC(service, bulk_stalls);
+ do {
+ mutex_unlock(&service->bulk_mutex);
+- if (wait_for_completion_killable(
++ if (wait_for_completion_interruptible(
+ &service->bulk_remove_event)) {
+ status = VCHIQ_RETRY;
+ goto error_exit;
+@@ -3123,7 +3124,7 @@ VCHIQ_STATUS_T vchiq_bulk_transfer(VCHIQ_SERVICE_HANDLE_T handle,
+
+ if (bulk_waiter) {
+ bulk_waiter->bulk = bulk;
+- if (wait_for_completion_killable(&bulk_waiter->event))
++ if (wait_for_completion_interruptible(&bulk_waiter->event))
+ status = VCHIQ_RETRY;
+ else if (bulk_waiter->actual == VCHIQ_BULK_ACTUAL_ABORTED)
+ status = VCHIQ_ERROR;
+diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_util.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_util.c
+index 6c519d8e48cb..8ee85c5e6f77 100644
+--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_util.c
++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_util.c
+@@ -50,7 +50,7 @@ void vchiu_queue_push(struct vchiu_queue *queue, struct vchiq_header *header)
+ return;
+
+ while (queue->write == queue->read + queue->size) {
+- if (wait_for_completion_killable(&queue->pop))
++ if (wait_for_completion_interruptible(&queue->pop))
+ flush_signals(current);
+ }
+
+@@ -63,7 +63,7 @@ void vchiu_queue_push(struct vchiu_queue *queue, struct vchiq_header *header)
+ struct vchiq_header *vchiu_queue_peek(struct vchiu_queue *queue)
+ {
+ while (queue->write == queue->read) {
+- if (wait_for_completion_killable(&queue->push))
++ if (wait_for_completion_interruptible(&queue->push))
+ flush_signals(current);
+ }
+
+@@ -77,7 +77,7 @@ struct vchiq_header *vchiu_queue_pop(struct vchiu_queue *queue)
+ struct vchiq_header *header;
+
+ while (queue->write == queue->read) {
+- if (wait_for_completion_killable(&queue->push))
++ if (wait_for_completion_interruptible(&queue->push))
+ flush_signals(current);
+ }
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-055-staging-fsl-dpaa2-ethsw-fix-memory-leak-of-swit.patch b/patches.kernel.org/5.2.1-055-staging-fsl-dpaa2-ethsw-fix-memory-leak-of-swit.patch
new file mode 100644
index 0000000000..103fdd0fb1
--- /dev/null
+++ b/patches.kernel.org/5.2.1-055-staging-fsl-dpaa2-ethsw-fix-memory-leak-of-swit.patch
@@ -0,0 +1,37 @@
+From: Colin Ian King <colin.king@canonical.com>
+Date: Sat, 8 Jun 2019 12:50:31 +0100
+Subject: [PATCH] staging: fsl-dpaa2/ethsw: fix memory leak of switchdev_work
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 5555ebbbac822b4fa28db2be15aaf98b3c21af26
+
+commit 5555ebbbac822b4fa28db2be15aaf98b3c21af26 upstream.
+
+In the default event case switchdev_work is being leaked because
+nothing is queued for work. Fix this by kfree'ing switchdev_work
+before returning NOTIFY_DONE.
+
+Addresses-Coverity: ("Resource leak")
+Fixes: 44baaa43d7cc ("staging: fsl-dpaa2/ethsw: Add Freescale DPAA2 Ethernet Switch driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/staging/fsl-dpaa2/ethsw/ethsw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/fsl-dpaa2/ethsw/ethsw.c b/drivers/staging/fsl-dpaa2/ethsw/ethsw.c
+index e3c3e427309a..f73edaf6ce87 100644
+--- a/drivers/staging/fsl-dpaa2/ethsw/ethsw.c
++++ b/drivers/staging/fsl-dpaa2/ethsw/ethsw.c
+@@ -1086,6 +1086,7 @@ static int port_switchdev_event(struct notifier_block *unused,
+ dev_hold(dev);
+ break;
+ default:
++ kfree(switchdev_work);
+ return NOTIFY_DONE;
+ }
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-056-staging-bcm2835-camera-Replace-spinlock-protect.patch b/patches.kernel.org/5.2.1-056-staging-bcm2835-camera-Replace-spinlock-protect.patch
new file mode 100644
index 0000000000..e8e7ed09da
--- /dev/null
+++ b/patches.kernel.org/5.2.1-056-staging-bcm2835-camera-Replace-spinlock-protect.patch
@@ -0,0 +1,81 @@
+From: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Date: Sat, 29 Jun 2019 14:13:17 +0200
+Subject: [PATCH] staging: bcm2835-camera: Replace spinlock protecting
+ context_map with mutex
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 8dedab2903f152aa3cee9ae3d57c828dea0d356e
+
+commit 8dedab2903f152aa3cee9ae3d57c828dea0d356e upstream.
+
+The commit "staging: bcm2835-camera: Replace open-coded idr with a struct idr."
+replaced an internal implementation of an idr with the standard functions
+and a spinlock. idr_alloc(GFP_KERNEL) can sleep whilst calling kmem_cache_alloc
+to allocate the new node, but this is not valid whilst in an atomic context
+due to the spinlock.
+
+There is no need for this to be a spinlock as a standard mutex is
+sufficient.
+
+Fixes: 950fd867c635 ("staging: bcm2835-camera: Replace open-coded idr with a struct idr.")
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Acked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Acked-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ .../vc04_services/bcm2835-camera/mmal-vchiq.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+index 16af735af5c3..f1bb900c4aa6 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+@@ -161,7 +161,8 @@ struct vchiq_mmal_instance {
+ void *bulk_scratch;
+
+ struct idr context_map;
+- spinlock_t context_map_lock;
++ /* protect accesses to context_map */
++ struct mutex context_map_lock;
+
+ /* component to use next */
+ int component_idx;
+@@ -184,10 +185,10 @@ get_msg_context(struct vchiq_mmal_instance *instance)
+ * that when we service the VCHI reply, we can look up what
+ * message is being replied to.
+ */
+- spin_lock(&instance->context_map_lock);
++ mutex_lock(&instance->context_map_lock);
+ handle = idr_alloc(&instance->context_map, msg_context,
+ 0, 0, GFP_KERNEL);
+- spin_unlock(&instance->context_map_lock);
++ mutex_unlock(&instance->context_map_lock);
+
+ if (handle < 0) {
+ kfree(msg_context);
+@@ -211,9 +212,9 @@ release_msg_context(struct mmal_msg_context *msg_context)
+ {
+ struct vchiq_mmal_instance *instance = msg_context->instance;
+
+- spin_lock(&instance->context_map_lock);
++ mutex_lock(&instance->context_map_lock);
+ idr_remove(&instance->context_map, msg_context->handle);
+- spin_unlock(&instance->context_map_lock);
++ mutex_unlock(&instance->context_map_lock);
+ kfree(msg_context);
+ }
+
+@@ -1849,7 +1850,7 @@ int vchiq_mmal_init(struct vchiq_mmal_instance **out_instance)
+
+ instance->bulk_scratch = vmalloc(PAGE_SIZE);
+
+- spin_lock_init(&instance->context_map_lock);
++ mutex_init(&instance->context_map_lock);
+ idr_init_base(&instance->context_map, 1);
+
+ params.callback_param = instance;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-057-staging-bcm2835-camera-Ensure-all-buffers-are-r.patch b/patches.kernel.org/5.2.1-057-staging-bcm2835-camera-Ensure-all-buffers-are-r.patch
new file mode 100644
index 0000000000..017a38e76d
--- /dev/null
+++ b/patches.kernel.org/5.2.1-057-staging-bcm2835-camera-Ensure-all-buffers-are-r.patch
@@ -0,0 +1,113 @@
+From: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Date: Sat, 29 Jun 2019 14:13:29 +0200
+Subject: [PATCH] staging: bcm2835-camera: Ensure all buffers are returned on
+ disable
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 70ec64ccdaac5d8f634338e33b016c1c99831499
+
+commit 70ec64ccdaac5d8f634338e33b016c1c99831499 upstream.
+
+With the recent change to match MMAL and V4L2 buffers there
+is a need to wait for all MMAL buffers to be returned during
+stop_streaming.
+
+Fixes: 938416707071 ("staging: bcm2835-camera: Remove V4L2/MMAL buffer remapping")
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Acked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Acked-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ .../bcm2835-camera/bcm2835-camera.c | 22 ++++++++++++++-----
+ .../vc04_services/bcm2835-camera/mmal-vchiq.c | 4 ++++
+ .../vc04_services/bcm2835-camera/mmal-vchiq.h | 3 +++
+ 3 files changed, 23 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c b/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c
+index 68f08dc18da9..bc6ff83ddb01 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c
+@@ -576,6 +576,7 @@ static void stop_streaming(struct vb2_queue *vq)
+ int ret;
+ unsigned long timeout;
+ struct bm2835_mmal_dev *dev = vb2_get_drv_priv(vq);
++ struct vchiq_mmal_port *port = dev->capture.port;
+
+ v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev, "%s: dev:%p\n",
+ __func__, dev);
+@@ -599,12 +600,6 @@ static void stop_streaming(struct vb2_queue *vq)
+ &dev->capture.frame_count,
+ sizeof(dev->capture.frame_count));
+
+- /* wait for last frame to complete */
+- timeout = wait_for_completion_timeout(&dev->capture.frame_cmplt, HZ);
+- if (timeout == 0)
+- v4l2_err(&dev->v4l2_dev,
+- "timed out waiting for frame completion\n");
+-
+ v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev,
+ "disabling connection\n");
+
+@@ -619,6 +614,21 @@ static void stop_streaming(struct vb2_queue *vq)
+ ret);
+ }
+
++ /* wait for all buffers to be returned */
++ while (atomic_read(&port->buffers_with_vpu)) {
++ v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev,
++ "%s: Waiting for buffers to be returned - %d outstanding\n",
++ __func__, atomic_read(&port->buffers_with_vpu));
++ timeout = wait_for_completion_timeout(&dev->capture.frame_cmplt,
++ HZ);
++ if (timeout == 0) {
++ v4l2_err(&dev->v4l2_dev, "%s: Timeout waiting for buffers to be returned - %d outstanding\n",
++ __func__,
++ atomic_read(&port->buffers_with_vpu));
++ break;
++ }
++ }
++
+ if (disable_camera(dev) < 0)
+ v4l2_err(&dev->v4l2_dev, "Failed to disable camera\n");
+ }
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+index f1bb900c4aa6..c62625b8ae41 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+@@ -240,6 +240,8 @@ static void buffer_work_cb(struct work_struct *work)
+ struct mmal_msg_context *msg_context =
+ container_of(work, struct mmal_msg_context, u.bulk.work);
+
++ atomic_dec(&msg_context->u.bulk.port->buffers_with_vpu);
++
+ msg_context->u.bulk.port->buffer_cb(msg_context->u.bulk.instance,
+ msg_context->u.bulk.port,
+ msg_context->u.bulk.status,
+@@ -380,6 +382,8 @@ buffer_from_host(struct vchiq_mmal_instance *instance,
+ /* initialise work structure ready to schedule callback */
+ INIT_WORK(&msg_context->u.bulk.work, buffer_work_cb);
+
++ atomic_inc(&port->buffers_with_vpu);
++
+ /* prep the buffer from host message */
+ memset(&m, 0xbc, sizeof(m)); /* just to make debug clearer */
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+index 22b839ecd5f0..b0ee1716525b 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.h
+@@ -71,6 +71,9 @@ struct vchiq_mmal_port {
+ struct list_head buffers;
+ /* lock to serialise adding and removing buffers from list */
+ spinlock_t slock;
++
++ /* Count of buffers the VPU has yet to return */
++ atomic_t buffers_with_vpu;
+ /* callback on buffer completion */
+ vchiq_mmal_buffer_cb buffer_cb;
+ /* callback context */
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-058-staging-bcm2835-camera-Remove-check-of-the-numb.patch b/patches.kernel.org/5.2.1-058-staging-bcm2835-camera-Remove-check-of-the-numb.patch
new file mode 100644
index 0000000000..edc1f04a30
--- /dev/null
+++ b/patches.kernel.org/5.2.1-058-staging-bcm2835-camera-Remove-check-of-the-numb.patch
@@ -0,0 +1,53 @@
+From: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Date: Sat, 29 Jun 2019 14:13:30 +0200
+Subject: [PATCH] staging: bcm2835-camera: Remove check of the number of
+ buffers supplied
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: bb8e97006d701ae725a177f8f322e5a75fa761b7
+
+commit bb8e97006d701ae725a177f8f322e5a75fa761b7 upstream.
+
+Before commit "staging: bcm2835-camera: Remove V4L2/MMAL buffer remapping"
+there was a need to ensure that there were sufficient buffers supplied from
+the user to cover those being sent to the VPU (always 1).
+
+Now the buffers are linked 1:1 between MMAL and V4L2,
+therefore there is no need for that check, and indeed it is wrong
+as there is no need to submit all the buffers before starting streaming.
+
+Fixes: 938416707071 ("staging: bcm2835-camera: Remove V4L2/MMAL buffer remapping")
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Acked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Acked-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ .../staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+index c62625b8ae41..0f7de34eb5db 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+@@ -1328,16 +1328,6 @@ static int port_enable(struct vchiq_mmal_instance *instance,
+ if (port->enabled)
+ return 0;
+
+- /* ensure there are enough buffers queued to cover the buffer headers */
+- if (port->buffer_cb) {
+- hdr_count = 0;
+- list_for_each(buf_head, &port->buffers) {
+- hdr_count++;
+- }
+- if (hdr_count < port->current_buffer.num)
+- return -ENOSPC;
+- }
+-
+ ret = port_action_port(instance, port,
+ MMAL_MSG_PORT_ACTION_TYPE_ENABLE);
+ if (ret)
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-059-staging-bcm2835-camera-Handle-empty-EOS-buffers.patch b/patches.kernel.org/5.2.1-059-staging-bcm2835-camera-Handle-empty-EOS-buffers.patch
new file mode 100644
index 0000000000..69982b3ddf
--- /dev/null
+++ b/patches.kernel.org/5.2.1-059-staging-bcm2835-camera-Handle-empty-EOS-buffers.patch
@@ -0,0 +1,99 @@
+From: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Date: Sat, 29 Jun 2019 14:48:23 +0200
+Subject: [PATCH] staging: bcm2835-camera: Handle empty EOS buffers whilst
+ streaming
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: a26be06d6d96c10a9ab005e99d93fbb5d3babd98
+
+commit a26be06d6d96c10a9ab005e99d93fbb5d3babd98 upstream.
+
+The change to mapping V4L2 to MMAL buffers 1:1 didn't handle
+the condition we get with raw pixel buffers (eg YUV and RGB)
+direct from the camera's stills port. That sends the pixel buffer
+and then an empty buffer with the EOS flag set. The EOS buffer
+wasn't handled and returned an error up the stack.
+
+Handle the condition correctly by returning it to the component
+if streaming, or returning with an error if stopping streaming.
+
+Fixes: 938416707071 ("staging: bcm2835-camera: Remove V4L2/MMAL buffer remapping")
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Acked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Acked-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ .../bcm2835-camera/bcm2835-camera.c | 21 +++++++++++--------
+ .../vc04_services/bcm2835-camera/mmal-vchiq.c | 5 +++--
+ 2 files changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c b/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c
+index bc6ff83ddb01..5e9187edeef4 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c
+@@ -336,16 +336,13 @@ static void buffer_cb(struct vchiq_mmal_instance *instance,
+ return;
+ } else if (length == 0) {
+ /* stream ended */
+- if (buf) {
+- /* this should only ever happen if the port is
+- * disabled and there are buffers still queued
++ if (dev->capture.frame_count) {
++ /* empty buffer whilst capturing - expected to be an
++ * EOS, so grab another frame
+ */
+- vb2_buffer_done(&buf->vb.vb2_buf, VB2_BUF_STATE_ERROR);
+- pr_debug("Empty buffer");
+- } else if (dev->capture.frame_count) {
+- /* grab another frame */
+ if (is_capturing(dev)) {
+- pr_debug("Grab another frame");
++ v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev,
++ "Grab another frame");
+ vchiq_mmal_port_parameter_set(
+ instance,
+ dev->capture.camera_port,
+@@ -353,8 +350,14 @@ static void buffer_cb(struct vchiq_mmal_instance *instance,
+ &dev->capture.frame_count,
+ sizeof(dev->capture.frame_count));
+ }
++ if (vchiq_mmal_submit_buffer(instance, port, buf))
++ v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev,
++ "Failed to return EOS buffer");
+ } else {
+- /* signal frame completion */
++ /* stopping streaming.
++ * return buffer, and signal frame completion
++ */
++ vb2_buffer_done(&buf->vb.vb2_buf, VB2_BUF_STATE_ERROR);
+ complete(&dev->capture.frame_cmplt);
+ }
+ } else {
+diff --git a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+index 0f7de34eb5db..29761f6c3b55 100644
+--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c
+@@ -290,8 +290,6 @@ static int bulk_receive(struct vchiq_mmal_instance *instance,
+
+ /* store length */
+ msg_context->u.bulk.buffer_used = rd_len;
+- msg_context->u.bulk.mmal_flags =
+- msg->u.buffer_from_host.buffer_header.flags;
+ msg_context->u.bulk.dts = msg->u.buffer_from_host.buffer_header.dts;
+ msg_context->u.bulk.pts = msg->u.buffer_from_host.buffer_header.pts;
+
+@@ -452,6 +450,9 @@ static void buffer_to_host_cb(struct vchiq_mmal_instance *instance,
+ return;
+ }
+
++ msg_context->u.bulk.mmal_flags =
++ msg->u.buffer_from_host.buffer_header.flags;
++
+ if (msg->h.status != MMAL_MSG_STATUS_SUCCESS) {
+ /* message reception had an error */
+ pr_warn("error %d in reply\n", msg->h.status);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-060-staging-rtl8712-reduce-stack-usage-again.patch b/patches.kernel.org/5.2.1-060-staging-rtl8712-reduce-stack-usage-again.patch
new file mode 100644
index 0000000000..dd0eefc274
--- /dev/null
+++ b/patches.kernel.org/5.2.1-060-staging-rtl8712-reduce-stack-usage-again.patch
@@ -0,0 +1,209 @@
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 28 Jun 2019 14:37:48 +0200
+Subject: [PATCH] staging: rtl8712: reduce stack usage, again
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: fbd6b25009ac76b2034168cd21d5e01f8c2d83d1
+
+commit fbd6b25009ac76b2034168cd21d5e01f8c2d83d1 upstream.
+
+An earlier patch I sent reduced the stack usage enough to get
+below the warning limit, and I could show this was safe, but with
+GCC_PLUGIN_STRUCTLEAK_BYREF_ALL, it gets worse again because large stack
+variables in the same function no longer overlap:
+
+drivers/staging/rtl8712/rtl871x_ioctl_linux.c: In function 'translate_scan.isra.2':
+drivers/staging/rtl8712/rtl871x_ioctl_linux.c:322:1: error: the frame size of 1200 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+
+Split out the largest two blocks in the affected function into two
+separate functions and mark those noinline_for_stack.
+
+Fixes: 8c5af16f7953 ("staging: rtl8712: reduce stack usage")
+Fixes: 81a56f6dcd20 ("gcc-plugins: structleak: Generalize to all variable types")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/staging/rtl8712/rtl871x_ioctl_linux.c | 157 ++++++++++--------
+ 1 file changed, 88 insertions(+), 69 deletions(-)
+
+diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
+index a7230c0c7b23..8f5a8ac1b010 100644
+--- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
++++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
+@@ -124,10 +124,91 @@ static inline void handle_group_key(struct ieee_param *param,
+ }
+ }
+
+-static noinline_for_stack char *translate_scan(struct _adapter *padapter,
+- struct iw_request_info *info,
+- struct wlan_network *pnetwork,
+- char *start, char *stop)
++static noinline_for_stack char *translate_scan_wpa(struct iw_request_info *info,
++ struct wlan_network *pnetwork,
++ struct iw_event *iwe,
++ char *start, char *stop)
++{
++ /* parsing WPA/WPA2 IE */
++ u8 buf[MAX_WPA_IE_LEN];
++ u8 wpa_ie[255], rsn_ie[255];
++ u16 wpa_len = 0, rsn_len = 0;
++ int n, i;
++
++ r8712_get_sec_ie(pnetwork->network.IEs,
++ pnetwork->network.IELength, rsn_ie, &rsn_len,
++ wpa_ie, &wpa_len);
++ if (wpa_len > 0) {
++ memset(buf, 0, MAX_WPA_IE_LEN);
++ n = sprintf(buf, "wpa_ie=");
++ for (i = 0; i < wpa_len; i++) {
++ n += snprintf(buf + n, MAX_WPA_IE_LEN - n,
++ "%02x", wpa_ie[i]);
++ if (n >= MAX_WPA_IE_LEN)
++ break;
++ }
++ memset(iwe, 0, sizeof(*iwe));
++ iwe->cmd = IWEVCUSTOM;
++ iwe->u.data.length = (u16)strlen(buf);
++ start = iwe_stream_add_point(info, start, stop,
++ iwe, buf);
++ memset(iwe, 0, sizeof(*iwe));
++ iwe->cmd = IWEVGENIE;
++ iwe->u.data.length = (u16)wpa_len;
++ start = iwe_stream_add_point(info, start, stop,
++ iwe, wpa_ie);
++ }
++ if (rsn_len > 0) {
++ memset(buf, 0, MAX_WPA_IE_LEN);
++ n = sprintf(buf, "rsn_ie=");
++ for (i = 0; i < rsn_len; i++) {
++ n += snprintf(buf + n, MAX_WPA_IE_LEN - n,
++ "%02x", rsn_ie[i]);
++ if (n >= MAX_WPA_IE_LEN)
++ break;
++ }
++ memset(iwe, 0, sizeof(*iwe));
++ iwe->cmd = IWEVCUSTOM;
++ iwe->u.data.length = strlen(buf);
++ start = iwe_stream_add_point(info, start, stop,
++ iwe, buf);
++ memset(iwe, 0, sizeof(*iwe));
++ iwe->cmd = IWEVGENIE;
++ iwe->u.data.length = rsn_len;
++ start = iwe_stream_add_point(info, start, stop, iwe,
++ rsn_ie);
++ }
++
++ return start;
++}
++
++static noinline_for_stack char *translate_scan_wps(struct iw_request_info *info,
++ struct wlan_network *pnetwork,
++ struct iw_event *iwe,
++ char *start, char *stop)
++{
++ /* parsing WPS IE */
++ u8 wps_ie[512];
++ uint wps_ielen;
++
++ if (r8712_get_wps_ie(pnetwork->network.IEs,
++ pnetwork->network.IELength,
++ wps_ie, &wps_ielen)) {
++ if (wps_ielen > 2) {
++ iwe->cmd = IWEVGENIE;
++ iwe->u.data.length = (u16)wps_ielen;
++ start = iwe_stream_add_point(info, start, stop,
++ iwe, wps_ie);
++ }
++ }
++
++ return start;
++}
++
++static char *translate_scan(struct _adapter *padapter,
++ struct iw_request_info *info,
++ struct wlan_network *pnetwork,
++ char *start, char *stop)
+ {
+ struct iw_event iwe;
+ struct ieee80211_ht_cap *pht_capie;
+@@ -240,73 +321,11 @@ static noinline_for_stack char *translate_scan(struct _adapter *padapter,
+ /* Check if we added any event */
+ if ((current_val - start) > iwe_stream_lcp_len(info))
+ start = current_val;
+- /* parsing WPA/WPA2 IE */
+- {
+- u8 buf[MAX_WPA_IE_LEN];
+- u8 wpa_ie[255], rsn_ie[255];
+- u16 wpa_len = 0, rsn_len = 0;
+- int n;
+-
+- r8712_get_sec_ie(pnetwork->network.IEs,
+- pnetwork->network.IELength, rsn_ie, &rsn_len,
+- wpa_ie, &wpa_len);
+- if (wpa_len > 0) {
+- memset(buf, 0, MAX_WPA_IE_LEN);
+- n = sprintf(buf, "wpa_ie=");
+- for (i = 0; i < wpa_len; i++) {
+- n += snprintf(buf + n, MAX_WPA_IE_LEN - n,
+- "%02x", wpa_ie[i]);
+- if (n >= MAX_WPA_IE_LEN)
+- break;
+- }
+- memset(&iwe, 0, sizeof(iwe));
+- iwe.cmd = IWEVCUSTOM;
+- iwe.u.data.length = (u16)strlen(buf);
+- start = iwe_stream_add_point(info, start, stop,
+- &iwe, buf);
+- memset(&iwe, 0, sizeof(iwe));
+- iwe.cmd = IWEVGENIE;
+- iwe.u.data.length = (u16)wpa_len;
+- start = iwe_stream_add_point(info, start, stop,
+- &iwe, wpa_ie);
+- }
+- if (rsn_len > 0) {
+- memset(buf, 0, MAX_WPA_IE_LEN);
+- n = sprintf(buf, "rsn_ie=");
+- for (i = 0; i < rsn_len; i++) {
+- n += snprintf(buf + n, MAX_WPA_IE_LEN - n,
+- "%02x", rsn_ie[i]);
+- if (n >= MAX_WPA_IE_LEN)
+- break;
+- }
+- memset(&iwe, 0, sizeof(iwe));
+- iwe.cmd = IWEVCUSTOM;
+- iwe.u.data.length = strlen(buf);
+- start = iwe_stream_add_point(info, start, stop,
+- &iwe, buf);
+- memset(&iwe, 0, sizeof(iwe));
+- iwe.cmd = IWEVGENIE;
+- iwe.u.data.length = rsn_len;
+- start = iwe_stream_add_point(info, start, stop, &iwe,
+- rsn_ie);
+- }
+- }
+
+- { /* parsing WPS IE */
+- u8 wps_ie[512];
+- uint wps_ielen;
++ start = translate_scan_wpa(info, pnetwork, &iwe, start, stop);
++
++ start = translate_scan_wps(info, pnetwork, &iwe, start, stop);
+
+- if (r8712_get_wps_ie(pnetwork->network.IEs,
+- pnetwork->network.IELength,
+- wps_ie, &wps_ielen)) {
+- if (wps_ielen > 2) {
+- iwe.cmd = IWEVGENIE;
+- iwe.u.data.length = (u16)wps_ielen;
+- start = iwe_stream_add_point(info, start, stop,
+- &iwe, wps_ie);
+- }
+- }
+- }
+ /* Add quality statistics */
+ iwe.cmd = IWEVQUAL;
+ rssi = r8712_signal_scale_mapping(pnetwork->network.Rssi);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.2.1-061-Linux-5.2.1.patch b/patches.kernel.org/5.2.1-061-Linux-5.2.1.patch
new file mode 100644
index 0000000000..aa54b6c23d
--- /dev/null
+++ b/patches.kernel.org/5.2.1-061-Linux-5.2.1.patch
@@ -0,0 +1,28 @@
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sun, 14 Jul 2019 08:01:15 +0200
+Subject: [PATCH] Linux 5.2.1
+References: bnc#1012628
+Patch-mainline: 5.2.1
+Git-commit: 527a3db363a3bd7e6ae0a77da809e01847a9931c
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 3e4868a6498b..d8f5dbfd6b76 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,7 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ VERSION = 5
+ PATCHLEVEL = 2
+-SUBLEVEL = 0
++SUBLEVEL = 1
+ EXTRAVERSION =
+ NAME = Bobtail Squid
+
+--
+2.22.0
+
diff --git a/series.conf b/series.conf
index 19331f66a5..ff4f10cfab 100644
--- a/series.conf
+++ b/series.conf
@@ -27,6 +27,67 @@
# DO NOT MODIFY THEM!
# Send separate patches upstream if you find a problem...
########################################################
+ patches.kernel.org/5.2.1-001-crypto-lrw-use-correct-alignmask.patch
+ patches.kernel.org/5.2.1-002-crypto-talitos-rename-alternative-AEAD-algos.patch
+ patches.kernel.org/5.2.1-003-fscrypt-don-t-set-policy-for-a-dead-directory.patch
+ patches.kernel.org/5.2.1-004-udf-Fix-incorrect-final-NOT_ALLOCATED-hole-exte.patch
+ patches.kernel.org/5.2.1-005-media-stv0297-fix-frequency-range-limit.patch
+ patches.kernel.org/5.2.1-006-ALSA-usb-audio-Fix-parse-of-UAC2-Extension-Unit.patch
+ patches.kernel.org/5.2.1-007-ALSA-hda-realtek-Headphone-Mic-can-t-record-aft.patch
+ patches.kernel.org/5.2.1-008-tpm-Actually-fail-on-TPM-errors-during-get-rand.patch
+ patches.kernel.org/5.2.1-009-tpm-Fix-TPM-1.2-Shutdown-sequence-to-prevent-fu.patch
+ patches.kernel.org/5.2.1-010-block-fix-.bi_size-overflow.patch
+ patches.kernel.org/5.2.1-011-block-bfq-NULL-out-the-bic-when-it-s-no-longer-.patch
+ patches.kernel.org/5.2.1-012-perf-intel-pt-Fix-itrace-defaults-for-perf-scri.patch
+ patches.kernel.org/5.2.1-013-perf-auxtrace-Fix-itrace-defaults-for-perf-scri.patch
+ patches.kernel.org/5.2.1-014-perf-intel-pt-Fix-itrace-defaults-for-perf-scri.patch
+ patches.kernel.org/5.2.1-015-perf-pmu-Fix-uncore-PMU-alias-list-for-ARM64.patch
+ patches.kernel.org/5.2.1-016-perf-thread-stack-Fix-thread-stack-return-from-.patch
+ patches.kernel.org/5.2.1-017-perf-header-Assign-proper-ff-ph-in-perf_event__.patch
+ patches.kernel.org/5.2.1-018-x86-ptrace-Fix-possible-spectre-v1-in-ptrace_ge.patch
+ patches.kernel.org/5.2.1-019-x86-tls-Fix-possible-spectre-v1-in-do_get_threa.patch
+ patches.kernel.org/5.2.1-020-Documentation-Add-section-about-CPU-vulnerabili.patch
+ patches.kernel.org/5.2.1-021-Documentation-admin-Remove-the-vsyscall-native-.patch
+ patches.kernel.org/5.2.1-022-mwifiex-Don-t-abort-on-small-spec-compliant-ven.patch
+ patches.kernel.org/5.2.1-023-USB-serial-ftdi_sio-add-ID-for-isodebug-v1.patch
+ patches.kernel.org/5.2.1-024-USB-serial-option-add-support-for-GosunCn-ME363.patch
+ patches.kernel.org/5.2.1-025-Revert-serial-8250-Don-t-service-RX-FIFO-if-int.patch
+ patches.kernel.org/5.2.1-026-p54usb-Fix-race-between-disconnect-and-firmware.patch
+ patches.kernel.org/5.2.1-027-usb-gadget-f_fs-data_len-used-before-properly-s.patch
+ patches.kernel.org/5.2.1-028-usb-gadget-ether-Fix-race-between-gether_discon.patch
+ patches.kernel.org/5.2.1-029-usb-dwc2-use-a-longer-AHB-idle-timeout-in-dwc2_.patch
+ patches.kernel.org/5.2.1-030-usb-renesas_usbhs-add-a-workaround-for-a-race-c.patch
+ patches.kernel.org/5.2.1-031-drivers-usb-typec-tps6598x.c-fix-portinfo-width.patch
+ patches.kernel.org/5.2.1-032-drivers-usb-typec-tps6598x.c-fix-4CC-cmd-write.patch
+ patches.kernel.org/5.2.1-033-p54-fix-crash-during-initialization.patch
+ patches.kernel.org/5.2.1-034-staging-comedi-dt282x-fix-a-null-pointer-deref-.patch
+ patches.kernel.org/5.2.1-035-staging-wilc1000-fix-error-path-cleanup-in-wilc.patch
+ patches.kernel.org/5.2.1-036-staging-bcm2835-camera-Restore-return-behavior-.patch
+ patches.kernel.org/5.2.1-037-staging-comedi-amplc_pci230-fix-null-pointer-de.patch
+ patches.kernel.org/5.2.1-038-staging-mt7621-pci-fix-PCIE_FTS_NUM_LO-macro.patch
+ patches.kernel.org/5.2.1-039-HID-Add-another-Primax-PIXART-OEM-mouse-quirk.patch
+ patches.kernel.org/5.2.1-040-lkdtm-support-llvm-objcopy.patch
+ patches.kernel.org/5.2.1-041-binder-fix-memory-leak-in-error-path.patch
+ patches.kernel.org/5.2.1-042-binder-return-errors-from-buffer-copy-functions.patch
+ patches.kernel.org/5.2.1-043-iio-adc-stm32-adc-add-missing-vdda-supply.patch
+ patches.kernel.org/5.2.1-044-coresight-Potential-uninitialized-variable-in-p.patch
+ patches.kernel.org/5.2.1-045-coresight-etb10-Do-not-call-smp_processor_id-fr.patch
+ patches.kernel.org/5.2.1-046-coresight-tmc-etr-Do-not-call-smp_processor_id-.patch
+ patches.kernel.org/5.2.1-047-coresight-tmc-etr-alloc_perf_buf-Do-not-call-sm.patch
+ patches.kernel.org/5.2.1-048-coresight-tmc-etf-Do-not-call-smp_processor_id-.patch
+ patches.kernel.org/5.2.1-049-carl9170-fix-misuse-of-device-driver-API.patch
+ patches.kernel.org/5.2.1-050-Revert-x86-build-Move-_etext-to-actual-end-of-..patch
+ patches.kernel.org/5.2.1-051-VMCI-Fix-integer-overflow-in-VMCI-handle-arrays.patch
+ patches.kernel.org/5.2.1-052-staging-vchiq_2835_arm-revert-quit-using-custom.patch
+ patches.kernel.org/5.2.1-053-staging-vchiq-make-wait-events-interruptible.patch
+ patches.kernel.org/5.2.1-054-staging-vchiq-revert-switch-to-wait_for_complet.patch
+ patches.kernel.org/5.2.1-055-staging-fsl-dpaa2-ethsw-fix-memory-leak-of-swit.patch
+ patches.kernel.org/5.2.1-056-staging-bcm2835-camera-Replace-spinlock-protect.patch
+ patches.kernel.org/5.2.1-057-staging-bcm2835-camera-Ensure-all-buffers-are-r.patch
+ patches.kernel.org/5.2.1-058-staging-bcm2835-camera-Remove-check-of-the-numb.patch
+ patches.kernel.org/5.2.1-059-staging-bcm2835-camera-Handle-empty-EOS-buffers.patch
+ patches.kernel.org/5.2.1-060-staging-rtl8712-reduce-stack-usage-again.patch
+ patches.kernel.org/5.2.1-061-Linux-5.2.1.patch
########################################################
# Build fixes that apply to the vanilla kernel too.