Home Home > GIT Browse > stable-xen
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohannes Thumshirn <jthumshirn@suse.de>2019-07-09 10:34:44 +0200
committerJohannes Thumshirn <jthumshirn@suse.de>2019-07-09 10:34:44 +0200
commit96f6fa785efec43d2ef40a8616c8469f3e7a8bad (patch)
tree09b239ed2ead4386aa389dc022a1b065eb79ad55
parentea2e922badde4c89d00b1d47439b1beb62437baa (diff)
parenta6cfc5a6f2254dcb70b5ea3be5f6ac3ffe65c820 (diff)
Merge remote-tracking branch 'origin/SLE15' into SLE12-SP4
Conflicts: patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch series.conf
-rw-r--r--blacklist.conf8
-rw-r--r--patches.drivers/clk-rockchip-Turn-on-aclk_dmac1-for-suspend-on-rk328.patch91
-rw-r--r--patches.drivers/clk-tegra-Fix-PLLM-programming-on-Tegra124-when-PMC-.patch43
-rw-r--r--patches.drivers/dmaengine-imx-sdma-remove-BD_INTR-for-channel0.patch58
-rw-r--r--patches.drivers/nfit-ars-avoid-stale-ars-results.patch73
-rw-r--r--patches.drivers/nfit-ars-introduce-scrub_flags.patch123
-rw-r--r--patches.drivers/staging-comedi-ni_mio_common-Fix-divide-by-zero-for-.patch153
-rw-r--r--patches.fixes/apparmor-enforce-nullbyte-at-end-of-tag-string.patch42
-rw-r--r--patches.fixes/coresight-etb10-Fix-handling-of-perf-mode.patch40
-rw-r--r--patches.fixes/coresight-etm4x-Add-support-to-enable-ETMv4.2.patch66
-rw-r--r--patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch2
-rw-r--r--patches.fixes/inet-switch-IP-ID-generator-to-siphash.patch151
-rw-r--r--patches.fixes/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch39
-rw-r--r--patches.fixes/netns-get-more-entropy-from-net_hash_mix.patch46
-rw-r--r--patches.fixes/netns-provide-pure-entropy-for-net_hash_mix.patch73
-rw-r--r--patches.fixes/nfit-ars-allow-root-to-busy-poll-the-ars-state-machine.patch66
-rw-r--r--patches.fixes/nvme-copy-mtfa-field-from-identify-controller.patch39
-rw-r--r--patches.fixes/scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write_pending.patch42
-rw-r--r--patches.fixes/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch48
-rw-r--r--patches.fixes/tcp-refine-memory-limit-test-in-tcp_fragment.patch39
-rw-r--r--patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch4
-rw-r--r--patches.kabi/kabi-handle-addition-of-net-hash_mix.patch34
-rw-r--r--patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch77
-rw-r--r--patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch18
-rw-r--r--patches.suse/ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch182
-rw-r--r--patches.suse/tracing-snapshot-resize-spare-buffer-if-size-changed.patch105
-rw-r--r--series.conf22
27 files changed, 1677 insertions, 7 deletions
diff --git a/blacklist.conf b/blacklist.conf
index a11542ce64..89bbfab548 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1266,3 +1266,11 @@ e9d38b08d7a68ede91280036a6657693387e2bcd # bt: revert in the stable tree, but fi
c3acd59014148470dc58519870fbc779785b4bf7 # depends on 09fe1f8d7e2f461275b1cdd832f2cfa5e9be346d
7746a8dfb3f9c91b3a0b63a1d5c2664410e6498d # depends on 09fe1f8d7e2f461275b1cdd832f2cfa5e9be346d
d5443bbf5fc8f8389cce146b1fc2987cdd229d12 # infrastructure, no bug fix
+0c97bf863efce63d6ab7971dad811601e6171d2f # compiler warning, gcc-9
+4a60aa05a0634241ce17f957bf9fb5ac1eed6576 # not needed. We don't build with -ffunction-sections -fdata-sections.
+074376ac0e1d1fcd4fafebca86ee6158e7c20680 # __CHECKER__ only
+fe0640eb30b7da261ae84d252ed9ed3c7e68dfd8 # compiler.h: reverted in below
+c6975e4196549c18c5277a55e30b2d6d1b80abf2 # compiler.h: reverted above in 4.14.x
+149d05f80dc9259ad62f2630935502e4c02b26a7 # nouveau: build fix, not affected
+9ae306d8dbc874de331bb10a4451a5198b660257 # nouveau: build fix, not affected
+6491d698396fd5da4941980a35ca7c162a672016 # nfc: breaks kABI
diff --git a/patches.drivers/clk-rockchip-Turn-on-aclk_dmac1-for-suspend-on-rk328.patch b/patches.drivers/clk-rockchip-Turn-on-aclk_dmac1-for-suspend-on-rk328.patch
new file mode 100644
index 0000000000..0569125656
--- /dev/null
+++ b/patches.drivers/clk-rockchip-Turn-on-aclk_dmac1-for-suspend-on-rk328.patch
@@ -0,0 +1,91 @@
+From 57a20248ef3e429dc822f0774bc4e00136c46c83 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Thu, 11 Apr 2019 16:21:53 -0700
+Subject: [PATCH] clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288
+Git-commit: 57a20248ef3e429dc822f0774bc4e00136c46c83
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Experimentally it can be seen that going into deep sleep (specifically
+setting PMU_CLR_DMA and PMU_CLR_BUS in RK3288_PMU_PWRMODE_CON1)
+appears to fail unless "aclk_dmac1" is on. The failure is that the
+system never signals that it made it into suspend on the GLOBAL_PWROFF
+pin and it just hangs.
+
+NOTE that it's confirmed that it's the actual suspend that fails, not
+one of the earlier calls to read/write registers. Specifically if you
+comment out the "PMU_GLOBAL_INT_DISABLE" setting in
+rk3288_slp_mode_set() and then comment out the "cpu_do_idle()" call in
+rockchip_lpmode_enter() then you can exercise the whole suspend path
+without any crashing.
+
+This is currently not a problem with suspend upstream because there is
+no current way to exercise the deep suspend code. However, anyone
+trying to make it work will run into this issue.
+
+This was not a problem on shipping rk3288-based Chromebooks because
+those devices all ran on an old kernel based on 3.14. On that kernel
+"aclk_dmac1" appears to be left on all the time.
+
+There are several ways to skin this problem.
+
+A) We could add "aclk_dmac1" to the list of critical clocks and that
+apperas to work, but presumably that wastes power.
+
+B) We could keep a list of "struct clk" objects to enable at suspend
+time in clk-rk3288.c and use the standard clock APIs.
+
+C) We could make the rk3288-pmu driver keep a list of clocks to enable
+at suspend time. Presumably this would require a dts and bindings
+change.
+
+D) We could just whack the clock on in the existing syscore suspend
+function where we whack a bunch of other clocks. This is particularly
+easy because we know for sure that the clock's only parent
+("aclk_cpu") is a critical clock so we don't need to do anything more
+than ungate it.
+
+In this case I have chosen D) because it seemed like the least work,
+but any of the other options would presumably also work fine.
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Elaine Zhang <zhangqing@rock-chips.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/clk/rockchip/clk-rk3288.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/clk/rockchip/clk-rk3288.c b/drivers/clk/rockchip/clk-rk3288.c
+index 961d4ee86b75..e8b5a6bfcc8a 100644
+--- a/drivers/clk/rockchip/clk-rk3288.c
++++ b/drivers/clk/rockchip/clk-rk3288.c
+@@ -861,6 +861,9 @@ static const int rk3288_saved_cru_reg_ids[] = {
+ RK3288_CLKSEL_CON(10),
+ RK3288_CLKSEL_CON(33),
+ RK3288_CLKSEL_CON(37),
++
++ /* We turn aclk_dmac1 on for suspend; this will restore it */
++ RK3288_CLKGATE_CON(10),
+ };
+
+ static u32 rk3288_saved_cru_regs[ARRAY_SIZE(rk3288_saved_cru_reg_ids)];
+@@ -876,6 +879,14 @@ static int rk3288_clk_suspend(void)
+ readl_relaxed(rk3288_cru_base + reg_id);
+ }
+
++ /*
++ * Going into deep sleep (specifically setting PMU_CLR_DMA in
++ * RK3288_PMU_PWRMODE_CON1) appears to fail unless
++ * "aclk_dmac1" is on.
++ */
++ writel_relaxed(1 << (12 + 16),
++ rk3288_cru_base + RK3288_CLKGATE_CON(10));
++
+ /*
+ * Switch PLLs other than DPLL (for SDRAM) to slow mode to
+ * avoid crashes on resume. The Mask ROM on the system will
+--
+2.16.4
+
diff --git a/patches.drivers/clk-tegra-Fix-PLLM-programming-on-Tegra124-when-PMC-.patch b/patches.drivers/clk-tegra-Fix-PLLM-programming-on-Tegra124-when-PMC-.patch
new file mode 100644
index 0000000000..0b70c9eece
--- /dev/null
+++ b/patches.drivers/clk-tegra-Fix-PLLM-programming-on-Tegra124-when-PMC-.patch
@@ -0,0 +1,43 @@
+From 40db569d6769ffa3864fd1b89616b1a7323568a8 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Fri, 12 Apr 2019 00:48:34 +0300
+Subject: [PATCH] clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider
+Git-commit: 40db569d6769ffa3864fd1b89616b1a7323568a8
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+There are wrongly set parenthesis in the code that are resulting in a
+wrong configuration being programmed for PLLM. The original fix was made
+by Danny Huang in the downstream kernel. The patch was tested on Nyan Big
+Tegra124 chromebook, PLLM rate changing works correctly now and system
+doesn't lock up after changing the PLLM rate due to EMC scaling.
+
+Cc: <stable@vger.kernel.org>
+Tested-by: Steev Klimaszewski <steev@kali.org>
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-by: Peter De Schrijver <pdeschrijver@nvidia.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/clk/tegra/clk-pll.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/tegra/clk-pll.c b/drivers/clk/tegra/clk-pll.c
+index ebc8481a2122..6b976b2514f7 100644
+--- a/drivers/clk/tegra/clk-pll.c
++++ b/drivers/clk/tegra/clk-pll.c
+@@ -666,8 +666,8 @@ static void _update_pll_mnp(struct tegra_clk_pll *pll,
+ pll_override_writel(val, params->pmc_divp_reg, pll);
+
+ val = pll_override_readl(params->pmc_divnm_reg, pll);
+- val &= ~(divm_mask(pll) << div_nmp->override_divm_shift) |
+- ~(divn_mask(pll) << div_nmp->override_divn_shift);
++ val &= ~((divm_mask(pll) << div_nmp->override_divm_shift) |
++ (divn_mask(pll) << div_nmp->override_divn_shift));
+ val |= (cfg->m << div_nmp->override_divm_shift) |
+ (cfg->n << div_nmp->override_divn_shift);
+ pll_override_writel(val, params->pmc_divnm_reg, pll);
+--
+2.16.4
+
diff --git a/patches.drivers/dmaengine-imx-sdma-remove-BD_INTR-for-channel0.patch b/patches.drivers/dmaengine-imx-sdma-remove-BD_INTR-for-channel0.patch
new file mode 100644
index 0000000000..a1620a33ac
--- /dev/null
+++ b/patches.drivers/dmaengine-imx-sdma-remove-BD_INTR-for-channel0.patch
@@ -0,0 +1,58 @@
+From 3f93a4f297961c12bb17aa16cb3a4d1291823cae Mon Sep 17 00:00:00 2001
+From: Robin Gong <yibin.gong@nxp.com>
+Date: Fri, 21 Jun 2019 16:23:06 +0800
+Subject: [PATCH] dmaengine: imx-sdma: remove BD_INTR for channel0
+Git-commit: 3f93a4f297961c12bb17aa16cb3a4d1291823cae
+Patch-mainline: v5.2
+References: bsc#1051510
+
+It is possible for an irq triggered by channel0 to be received later
+after clks are disabled once firmware loaded during sdma probe. If
+that happens then clearing them by writing to SDMA_H_INTR won't work
+and the kernel will hang processing infinite interrupts. Actually,
+don't need interrupt triggered on channel0 since it's pollling
+SDMA_H_STATSTOP to know channel0 done rather than interrupt in
+current code, just clear BD_INTR to disable channel0 interrupt to
+avoid the above case.
+This issue was brought by commit 1d069bfa3c78 ("dmaengine: imx-sdma:
+ack channel 0 IRQ in the interrupt handler") which didn't take care
+the above case.
+
+Fixes: 1d069bfa3c78 ("dmaengine: imx-sdma: ack channel 0 IRQ in the interrupt handler")
+Cc: stable@vger.kernel.org #5.0+
+Signed-off-by: Robin Gong <yibin.gong@nxp.com>
+Reported-by: Sven Van Asbroeck <thesven73@gmail.com>
+Tested-by: Sven Van Asbroeck <thesven73@gmail.com>
+Reviewed-by: Michael Olbrich <m.olbrich@pengutronix.de>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/dma/imx-sdma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c
+index ba72fcfbebfe..4ec84a633bd3 100644
+--- a/drivers/dma/imx-sdma.c
++++ b/drivers/dma/imx-sdma.c
+@@ -703,7 +703,7 @@ static int sdma_load_script(struct sdma_engine *sdma, void *buf, int size,
+ spin_lock_irqsave(&sdma->channel_0_lock, flags);
+
+ bd0->mode.command = C0_SETPM;
+- bd0->mode.status = BD_DONE | BD_INTR | BD_WRAP | BD_EXTD;
++ bd0->mode.status = BD_DONE | BD_WRAP | BD_EXTD;
+ bd0->mode.count = size / 2;
+ bd0->buffer_addr = buf_phys;
+ bd0->ext_buffer_addr = address;
+@@ -1025,7 +1025,7 @@ static int sdma_load_context(struct sdma_channel *sdmac)
+ context->gReg[7] = sdmac->watermark_level;
+
+ bd0->mode.command = C0_SETDM;
+- bd0->mode.status = BD_DONE | BD_INTR | BD_WRAP | BD_EXTD;
++ bd0->mode.status = BD_DONE | BD_WRAP | BD_EXTD;
+ bd0->mode.count = sizeof(*context) / 4;
+ bd0->buffer_addr = sdma->context_phys;
+ bd0->ext_buffer_addr = 2048 + (sizeof(*context) / 4) * channel;
+--
+2.16.4
+
diff --git a/patches.drivers/nfit-ars-avoid-stale-ars-results.patch b/patches.drivers/nfit-ars-avoid-stale-ars-results.patch
new file mode 100644
index 0000000000..2ec2b41550
--- /dev/null
+++ b/patches.drivers/nfit-ars-avoid-stale-ars-results.patch
@@ -0,0 +1,73 @@
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Wed, 13 Feb 2019 09:28:40 -0800
+Subject: [PATCH] nfit/ars: Avoid stale ARS results
+Patch-mainline: v5.1-rc1
+Git-commit: 78153dd45e7e0596ba32b15d02bda08e1513111e
+References: jsc#SLE-5433
+
+Gate ARS result consumption on whether the OS issued start-ARS since the
+previous consumption. The BIOS may only clear its result buffers after a
+successful start-ARS.
+
+Fixes: 0caeef63e6d2 ("libnvdimm: Add a poison list and export badblocks")
+Cc: <stable@vger.kernel.org>
+Reported-by: Krzysztof Rusocki <krzysztof.rusocki@intel.com>
+Reported-by: Vishal Verma <vishal.l.verma@intel.com>
+Reviewed-by: Toshi Kani <toshi.kani@hpe.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/acpi/nfit/core.c | 17 ++++++++++++++++-
+ drivers/acpi/nfit/nfit.h | 1 +
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -2529,7 +2529,10 @@ static int ars_start(struct acpi_nfit_de
+
+ if (rc < 0)
+ return rc;
+- return cmd_rc;
++ if (cmd_rc < 0)
++ return cmd_rc;
++ set_bit(ARS_VALID, &acpi_desc->scrub_flags);
++ return 0;
+ }
+
+ static int ars_continue(struct acpi_nfit_desc *acpi_desc)
+@@ -2623,6 +2626,17 @@ static int ars_status_process_records(st
+ */
+ if (ars_status->out_length < 44)
+ return 0;
++
++ /*
++ * Ignore potentially stale results that are only refreshed
++ * after a start-ARS event.
++ */
++ if (!test_and_clear_bit(ARS_VALID, &acpi_desc->scrub_flags)) {
++ dev_dbg(acpi_desc->dev, "skip %d stale records\n",
++ ars_status->num_records);
++ return 0;
++ }
++
+ for (i = 0; i < ars_status->num_records; i++) {
+ /* only process full records */
+ if (ars_status->out_length
+@@ -3108,6 +3122,7 @@ static int acpi_nfit_register_regions(st
+ struct nfit_spa *nfit_spa;
+ int rc;
+
++ set_bit(ARS_VALID, &acpi_desc->scrub_flags);
+ list_for_each_entry(nfit_spa, &acpi_desc->spas, list) {
+ switch (nfit_spa_type(nfit_spa->spa)) {
+ case NFIT_SPA_VOLATILE:
+--- a/drivers/acpi/nfit/nfit.h
++++ b/drivers/acpi/nfit/nfit.h
+@@ -185,6 +185,7 @@ enum scrub_flags {
+ ARS_BUSY,
+ ARS_CANCEL,
+ ARS_POLL,
++ ARS_VALID,
+ };
+
+ struct acpi_nfit_desc {
diff --git a/patches.drivers/nfit-ars-introduce-scrub_flags.patch b/patches.drivers/nfit-ars-introduce-scrub_flags.patch
new file mode 100644
index 0000000000..a612906487
--- /dev/null
+++ b/patches.drivers/nfit-ars-introduce-scrub_flags.patch
@@ -0,0 +1,123 @@
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Wed, 13 Feb 2019 09:57:22 -0800
+Subject: [PATCH] nfit/ars: Introduce scrub_flags
+Patch-mainline: v5.1-rc1
+Git-commit: e34b8252a3d2893ca55c82dbfcdaa302fa03d400
+References: jsc#SLE-5433
+
+In preparation for introducing new flags to gate whether ARS results are
+stale, or poll the completion state, convert the existing flags to an
+unsigned long with enumerated values. This conversion allows the flags
+to be atomically updated outside of ->init_mutex.
+
+Reviewed-by: Toshi Kani <toshi.kani@hpe.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/acpi/nfit/core.c | 30 +++++++++++++++++-------------
+ drivers/acpi/nfit/nfit.h | 8 ++++++--
+ 2 files changed, 23 insertions(+), 15 deletions(-)
+
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -1299,19 +1299,23 @@ static ssize_t scrub_show(struct device
+ struct device_attribute *attr, char *buf)
+ {
+ struct nvdimm_bus_descriptor *nd_desc;
++ struct acpi_nfit_desc *acpi_desc;
+ ssize_t rc = -ENXIO;
++ bool busy;
+
+ device_lock(dev);
+ nd_desc = dev_get_drvdata(dev);
+- if (nd_desc) {
+- struct acpi_nfit_desc *acpi_desc = to_acpi_desc(nd_desc);
+-
+- mutex_lock(&acpi_desc->init_mutex);
+- rc = sprintf(buf, "%d%s", acpi_desc->scrub_count,
+- acpi_desc->scrub_busy
+- && !acpi_desc->cancel ? "+\n" : "\n");
+- mutex_unlock(&acpi_desc->init_mutex);
++ if (!nd_desc) {
++ device_unlock(dev);
++ return rc;
+ }
++ acpi_desc = to_acpi_desc(nd_desc);
++
++ mutex_lock(&acpi_desc->init_mutex);
++ busy = test_bit(ARS_BUSY, &acpi_desc->scrub_flags)
++ && !test_bit(ARS_CANCEL, &acpi_desc->scrub_flags);
++ rc = sprintf(buf, "%d%s", acpi_desc->scrub_count, busy ? "+\n" : "\n");
++ mutex_unlock(&acpi_desc->init_mutex);
+ device_unlock(dev);
+ return rc;
+ }
+@@ -2951,7 +2955,7 @@ static unsigned int __acpi_nfit_scrub(st
+
+ lockdep_assert_held(&acpi_desc->init_mutex);
+
+- if (acpi_desc->cancel)
++ if (test_bit(ARS_CANCEL, &acpi_desc->scrub_flags))
+ return 0;
+
+ if (query_rc == -EBUSY) {
+@@ -3025,7 +3029,7 @@ static void __sched_ars(struct acpi_nfit
+ {
+ lockdep_assert_held(&acpi_desc->init_mutex);
+
+- acpi_desc->scrub_busy = 1;
++ set_bit(ARS_BUSY, &acpi_desc->scrub_flags);
+ /* note this should only be set from within the workqueue */
+ if (tmo)
+ acpi_desc->scrub_tmo = tmo;
+@@ -3041,7 +3045,7 @@ static void notify_ars_done(struct acpi_
+ {
+ lockdep_assert_held(&acpi_desc->init_mutex);
+
+- acpi_desc->scrub_busy = 0;
++ clear_bit(ARS_BUSY, &acpi_desc->scrub_flags);
+ acpi_desc->scrub_count++;
+ if (acpi_desc->scrub_count_state)
+ sysfs_notify_dirent(acpi_desc->scrub_count_state);
+@@ -3314,7 +3318,7 @@ int acpi_nfit_ars_rescan(struct acpi_nfi
+ struct nfit_spa *nfit_spa;
+
+ mutex_lock(&acpi_desc->init_mutex);
+- if (acpi_desc->cancel) {
++ if (test_bit(ARS_CANCEL, &acpi_desc->scrub_flags)) {
+ mutex_unlock(&acpi_desc->init_mutex);
+ return 0;
+ }
+@@ -3394,7 +3398,7 @@ void acpi_nfit_shutdown(void *data)
+ mutex_unlock(&acpi_desc_lock);
+
+ mutex_lock(&acpi_desc->init_mutex);
+- acpi_desc->cancel = 1;
++ set_bit(ARS_CANCEL, &acpi_desc->scrub_flags);
+ cancel_delayed_work_sync(&acpi_desc->dwork);
+ mutex_unlock(&acpi_desc->init_mutex);
+
+--- a/drivers/acpi/nfit/nfit.h
++++ b/drivers/acpi/nfit/nfit.h
+@@ -181,6 +181,11 @@ struct nfit_mem {
+ bool has_lsw;
+ };
+
++enum scrub_flags {
++ ARS_BUSY,
++ ARS_CANCEL,
++};
++
+ struct acpi_nfit_desc {
+ struct nvdimm_bus_descriptor nd_desc;
+ struct acpi_table_header acpi_header;
+@@ -203,8 +208,7 @@ struct acpi_nfit_desc {
+ unsigned int max_ars;
+ unsigned int scrub_count;
+ unsigned int scrub_mode;
+- unsigned int scrub_busy:1;
+- unsigned int cancel:1;
++ unsigned long scrub_flags;
+ unsigned long dimm_cmd_force_en;
+ unsigned long bus_cmd_force_en;
+ unsigned long bus_nfit_cmd_force_en;
diff --git a/patches.drivers/staging-comedi-ni_mio_common-Fix-divide-by-zero-for-.patch b/patches.drivers/staging-comedi-ni_mio_common-Fix-divide-by-zero-for-.patch
new file mode 100644
index 0000000000..44724e4c2c
--- /dev/null
+++ b/patches.drivers/staging-comedi-ni_mio_common-Fix-divide-by-zero-for-.patch
@@ -0,0 +1,153 @@
+From bafd9c64056cd034a1174dcadb65cd3b294ff8f6 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 4 Mar 2019 14:33:54 +0000
+Subject: [PATCH] staging: comedi: ni_mio_common: Fix divide-by-zero for DIO cmdtest
+Git-commit: bafd9c64056cd034a1174dcadb65cd3b294ff8f6
+Patch-mainline: v5.1-rc3
+References: bsc#1051510
+
+`ni_cdio_cmdtest()` validates Comedi asynchronous commands for the DIO
+subdevice (subdevice 2) of supported National Instruments M-series
+cards. It is called when handling the `COMEDI_CMD` and `COMEDI_CMDTEST`
+ioctls for this subdevice. There are two causes for a possible
+divide-by-zero error when validating that the `stop_arg` member of the
+passed-in command is not too large.
+
+The first cause for the divide-by-zero is that calls to
+`comedi_bytes_per_scan()` are only valid once the command has been
+copied to `s->async->cmd`, but that copy is only done for the
+`COMEDI_CMD` ioctl. For the `COMEDI_CMDTEST` ioctl, it will use
+whatever was left there by the previous `COMEDI_CMD` ioctl, if any.
+(This is very likely, as it is usual for the application to use
+`COMEDI_CMDTEST` before `COMEDI_CMD`.) If there has been no previous,
+valid `COMEDI_CMD` for this subdevice, then `comedi_bytes_per_scan()`
+will return 0, so the subsequent division in `ni_cdio_cmdtest()` of
+`s->async->prealloc_bufsz / comedi_bytes_per_scan(s)` will be a
+divide-by-zero error. To fix this error, call a new function
+`comedi_bytes_per_scan_cmd(s, cmd)`, based on the existing
+`comedi_bytes_per_scan(s)` but using a specified `struct comedi_cmd` for
+its calculations. (Also refactor `comedi_bytes_per_scan()` to call the
+new function.)
+
+Once the first cause for the divide-by-zero has been fixed, the second
+cause is that `comedi_bytes_per_scan_cmd()` can legitimately return 0 if
+the `scan_end_arg` member of the `struct comedi_cmd` being tested is 0.
+Fix it by only performing the division (and validating that `stop_arg`
+is no more than the maximum value) if `comedi_bytes_per_scan_cmd()`
+returns a non-zero value.
+
+The problem was reported on the COMEDI mailing list here:
+https://groups.google.com/forum/#!topic/comedi_list/4t9WlHzMhKM
+
+Reported-by: Ivan Vasilyev <grabesstimme@gmail.com>
+Tested-by: Ivan Vasilyev <grabesstimme@gmail.com>
+Fixes: f164cbf98fa8 ("staging: comedi: ni_mio_common: add finite regeneration to dio output")
+Cc: <stable@vger.kernel.org> # 4.6+
+Cc: Spencer E. Olson <olsonse@umich.edu>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/staging/comedi/comedidev.h | 2 +
+ drivers/staging/comedi/drivers.c | 33 +++++++++++++++++++++----
+ drivers/staging/comedi/drivers/ni_mio_common.c | 10 +++++--
+ 3 files changed, 38 insertions(+), 7 deletions(-)
+
+--- a/drivers/staging/comedi/comedidev.h
++++ b/drivers/staging/comedi/comedidev.h
+@@ -992,6 +992,8 @@ int comedi_dio_insn_config(struct comedi
+ unsigned int mask);
+ unsigned int comedi_dio_update_state(struct comedi_subdevice *s,
+ unsigned int *data);
++unsigned int comedi_bytes_per_scan_cmd(struct comedi_subdevice *s,
++ struct comedi_cmd *cmd);
+ unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s);
+ unsigned int comedi_nscans_left(struct comedi_subdevice *s,
+ unsigned int nscans);
+--- a/drivers/staging/comedi/drivers.c
++++ b/drivers/staging/comedi/drivers.c
+@@ -390,11 +390,13 @@ unsigned int comedi_dio_update_state(str
+ EXPORT_SYMBOL_GPL(comedi_dio_update_state);
+
+ /**
+- * comedi_bytes_per_scan() - Get length of asynchronous command "scan" in bytes
++ * comedi_bytes_per_scan_cmd() - Get length of asynchronous command "scan" in
++ * bytes
+ * @s: COMEDI subdevice.
++ * @cmd: COMEDI command.
+ *
+ * Determines the overall scan length according to the subdevice type and the
+- * number of channels in the scan.
++ * number of channels in the scan for the specified command.
+ *
+ * For digital input, output or input/output subdevices, samples for
+ * multiple channels are assumed to be packed into one or more unsigned
+@@ -404,9 +406,9 @@ EXPORT_SYMBOL_GPL(comedi_dio_update_stat
+ *
+ * Returns the overall scan length in bytes.
+ */
+-unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s)
++unsigned int comedi_bytes_per_scan_cmd(struct comedi_subdevice *s,
++ struct comedi_cmd *cmd)
+ {
+- struct comedi_cmd *cmd = &s->async->cmd;
+ unsigned int num_samples;
+ unsigned int bits_per_sample;
+
+@@ -423,6 +425,29 @@ unsigned int comedi_bytes_per_scan(struc
+ }
+ return comedi_samples_to_bytes(s, num_samples);
+ }
++EXPORT_SYMBOL_GPL(comedi_bytes_per_scan_cmd);
++
++/**
++ * comedi_bytes_per_scan() - Get length of asynchronous command "scan" in bytes
++ * @s: COMEDI subdevice.
++ *
++ * Determines the overall scan length according to the subdevice type and the
++ * number of channels in the scan for the current command.
++ *
++ * For digital input, output or input/output subdevices, samples for
++ * multiple channels are assumed to be packed into one or more unsigned
++ * short or unsigned int values according to the subdevice's %SDF_LSAMPL
++ * flag. For other types of subdevice, samples are assumed to occupy a
++ * whole unsigned short or unsigned int according to the %SDF_LSAMPL flag.
++ *
++ * Returns the overall scan length in bytes.
++ */
++unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s)
++{
++ struct comedi_cmd *cmd = &s->async->cmd;
++
++ return comedi_bytes_per_scan_cmd(s, cmd);
++}
+ EXPORT_SYMBOL_GPL(comedi_bytes_per_scan);
+
+ static unsigned int __comedi_nscans_left(struct comedi_subdevice *s,
+--- a/drivers/staging/comedi/drivers/ni_mio_common.c
++++ b/drivers/staging/comedi/drivers/ni_mio_common.c
+@@ -3522,6 +3522,7 @@ static int ni_cdio_check_chanlist(struct
+ static int ni_cdio_cmdtest(struct comedi_device *dev,
+ struct comedi_subdevice *s, struct comedi_cmd *cmd)
+ {
++ unsigned int bytes_per_scan;
+ int err = 0;
+ int tmp;
+
+@@ -3551,9 +3552,12 @@ static int ni_cdio_cmdtest(struct comedi
+ err |= comedi_check_trigger_arg_is(&cmd->convert_arg, 0);
+ err |= comedi_check_trigger_arg_is(&cmd->scan_end_arg,
+ cmd->chanlist_len);
+- err |= comedi_check_trigger_arg_max(&cmd->stop_arg,
+- s->async->prealloc_bufsz /
+- comedi_bytes_per_scan(s));
++ bytes_per_scan = comedi_bytes_per_scan_cmd(s, cmd);
++ if (bytes_per_scan) {
++ err |= comedi_check_trigger_arg_max(&cmd->stop_arg,
++ s->async->prealloc_bufsz /
++ bytes_per_scan);
++ }
+
+ if (err)
+ return 3;
diff --git a/patches.fixes/apparmor-enforce-nullbyte-at-end-of-tag-string.patch b/patches.fixes/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
new file mode 100644
index 0000000000..c5a604e5d6
--- /dev/null
+++ b/patches.fixes/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
@@ -0,0 +1,42 @@
+From 8404d7a674c49278607d19726e0acc0cae299357 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 28 May 2019 17:32:26 +0200
+Subject: [PATCH] apparmor: enforce nullbyte at end of tag string
+Git-commit: 8404d7a674c49278607d19726e0acc0cae299357
+Patch-mainline: v5.2-rc6
+References: bsc#1051510
+
+A packed AppArmor policy contains null-terminated tag strings that are read
+by unpack_nameX(). However, unpack_nameX() uses string functions on them
+without ensuring that they are actually null-terminated, potentially
+leading to out-of-bounds accesses.
+
+Make sure that the tag string is null-terminated before passing it to
+strcmp().
+
+Cc: stable@vger.kernel.org
+Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ security/apparmor/policy_unpack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index 01957ce9252b..005a705346f0 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -272,7 +272,7 @@ static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
+ char *tag = NULL;
+ size_t size = unpack_u16_chunk(e, &tag);
+ /* if a name is specified it must match. otherwise skip tag */
+- if (name && (!size || strcmp(name, tag)))
++ if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
+ goto fail;
+ } else if (name) {
+ /* if a name is specified and there is no name tag fail */
+--
+2.16.4
+
diff --git a/patches.fixes/coresight-etb10-Fix-handling-of-perf-mode.patch b/patches.fixes/coresight-etb10-Fix-handling-of-perf-mode.patch
new file mode 100644
index 0000000000..20fed5727e
--- /dev/null
+++ b/patches.fixes/coresight-etb10-Fix-handling-of-perf-mode.patch
@@ -0,0 +1,40 @@
+From 987d1e8dcd370d96029a3d76a0031b043c4a69ae Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Thu, 20 Sep 2018 13:17:46 -0600
+Subject: [PATCH] coresight: etb10: Fix handling of perf mode
+Git-commit: 987d1e8dcd370d96029a3d76a0031b043c4a69ae
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+If the ETB is already enabled in sysfs mode, the ETB reports
+success even if a perf mode is requested. Fix this by checking
+the requested mode.
+
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hwtracing/coresight/coresight-etb10.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hwtracing/coresight/coresight-etb10.c b/drivers/hwtracing/coresight/coresight-etb10.c
+index 306119eaf16a..0dad8626bcfb 100644
+--- a/drivers/hwtracing/coresight/coresight-etb10.c
++++ b/drivers/hwtracing/coresight/coresight-etb10.c
+@@ -147,6 +147,10 @@ static int etb_enable(struct coresight_device *csdev, u32 mode)
+ if (val == CS_MODE_PERF)
+ return -EBUSY;
+
++ /* Don't let perf disturb sysFS sessions */
++ if (val == CS_MODE_SYSFS && mode == CS_MODE_PERF)
++ return -EBUSY;
++
+ /* Nothing to do, the tracer is already enabled. */
+ if (val == CS_MODE_SYSFS)
+ goto out;
+--
+2.16.4
+
diff --git a/patches.fixes/coresight-etm4x-Add-support-to-enable-ETMv4.2.patch b/patches.fixes/coresight-etm4x-Add-support-to-enable-ETMv4.2.patch
new file mode 100644
index 0000000000..75c6e9b187
--- /dev/null
+++ b/patches.fixes/coresight-etm4x-Add-support-to-enable-ETMv4.2.patch
@@ -0,0 +1,66 @@
+From 5666dfd1d8a45a167f0d8b4ef47ea7f780b1f24a Mon Sep 17 00:00:00 2001
+From: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
+Date: Mon, 25 Feb 2019 10:54:01 -0700
+Subject: [PATCH] coresight: etm4x: Add support to enable ETMv4.2
+Git-commit: 5666dfd1d8a45a167f0d8b4ef47ea7f780b1f24a
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+SDM845 has ETMv4.2 and can use the existing etm4x driver.
+But the current etm driver checks only for ETMv4.0 and
+errors out for other etm4x versions. This patch adds this
+missing support to enable SoC's with ETMv4x to use same
+driver by checking only the ETM architecture major version
+number.
+
+Without this change, we get below error during etm probe:
+
+/ # dmesg | grep etm
+[ 6.660093] coresight-etm4x: probe of 7040000.etm failed with error -22
+[ 6.666902] coresight-etm4x: probe of 7140000.etm failed with error -22
+[ 6.673708] coresight-etm4x: probe of 7240000.etm failed with error -22
+[ 6.680511] coresight-etm4x: probe of 7340000.etm failed with error -22
+[ 6.687313] coresight-etm4x: probe of 7440000.etm failed with error -22
+[ 6.694113] coresight-etm4x: probe of 7540000.etm failed with error -22
+[ 6.700914] coresight-etm4x: probe of 7640000.etm failed with error -22
+[ 6.707717] coresight-etm4x: probe of 7740000.etm failed with error -22
+
+With this change, etm probe is successful:
+
+/ # dmesg | grep etm
+[ 6.659198] coresight-etm4x 7040000.etm: CPU0: ETM v4.2 initialized
+[ 6.665848] coresight-etm4x 7140000.etm: CPU1: ETM v4.2 initialized
+[ 6.672493] coresight-etm4x 7240000.etm: CPU2: ETM v4.2 initialized
+[ 6.679129] coresight-etm4x 7340000.etm: CPU3: ETM v4.2 initialized
+[ 6.685770] coresight-etm4x 7440000.etm: CPU4: ETM v4.2 initialized
+[ 6.692403] coresight-etm4x 7540000.etm: CPU5: ETM v4.2 initialized
+[ 6.699024] coresight-etm4x 7640000.etm: CPU6: ETM v4.2 initialized
+[ 6.705646] coresight-etm4x 7740000.etm: CPU7: ETM v4.2 initialized
+
+Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
+Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hwtracing/coresight/coresight-etm4x.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-etm4x.c b/drivers/hwtracing/coresight/coresight-etm4x.c
+index 53e2fb6e86f6..fe76b176974a 100644
+--- a/drivers/hwtracing/coresight/coresight-etm4x.c
++++ b/drivers/hwtracing/coresight/coresight-etm4x.c
+@@ -55,7 +55,8 @@ static void etm4_os_unlock(struct etmv4_drvdata *drvdata)
+
+ static bool etm4_arch_supported(u8 arch)
+ {
+- switch (arch) {
++ /* Mask out the minor version number */
++ switch (arch & 0xf0) {
+ case ETM_ARCH_V4:
+ break;
+ default:
+--
+2.16.4
+
diff --git a/patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch b/patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch
index a72f52f778..d60d69bee7 100644
--- a/patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch
+++ b/patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch
@@ -4,7 +4,7 @@ Date: Tue, 2 Jul 2019 14:17:00 -0700
Subject: [PATCH] crypto: user - prevent operating on larval algorithms
References: bsc#1133401
-Patch-mainline: v5.2 or v5.2-rc8 (next release)
+Patch-mainline: v5.2
Git-commit: 21d4120ec6f5b5992b01b96ac484701163917b63
Michal Suchanek reported [1] that running the pcrypt_aead01 test from
diff --git a/patches.fixes/inet-switch-IP-ID-generator-to-siphash.patch b/patches.fixes/inet-switch-IP-ID-generator-to-siphash.patch
new file mode 100644
index 0000000000..b6a89381cb
--- /dev/null
+++ b/patches.fixes/inet-switch-IP-ID-generator-to-siphash.patch
@@ -0,0 +1,151 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 27 Mar 2019 12:40:33 -0700
+Subject: inet: switch IP ID generator to siphash
+Patch-mainline: v5.2-rc1
+Git-commit: df453700e8d81b1bdafdf684365ee2b9431fb702
+References: CVE-2019-10638 bsc#1140575
+
+According to Amit Klein and Benny Pinkas, IP ID generation is too weak
+and might be used by attackers.
+
+Even with recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix())
+having 64bit key and Jenkins hash is risky.
+
+It is time to switch to siphash and its 128bit keys.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Amit Klein <aksecurity@gmail.com>
+Reported-by: Benny Pinkas <benny@pinkas.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ include/linux/siphash.h | 5 +++++
+ include/net/netns/ipv4.h | 2 ++
+ net/ipv4/route.c | 12 +++++++-----
+ net/ipv6/output_core.c | 30 ++++++++++++++++--------------
+ 4 files changed, 30 insertions(+), 19 deletions(-)
+
+--- a/include/linux/siphash.h
++++ b/include/linux/siphash.h
+@@ -21,6 +21,11 @@ typedef struct {
+ u64 key[2];
+ } siphash_key_t;
+
++static inline bool siphash_key_is_zero(const siphash_key_t *key)
++{
++ return !(key->key[0] | key->key[1]);
++}
++
+ u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key);
+ #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+ u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key);
+--- a/include/net/netns/ipv4.h
++++ b/include/net/netns/ipv4.h
+@@ -8,6 +8,7 @@
+ #include <linux/uidgid.h>
+ #include <net/inet_frag.h>
+ #include <linux/rcupdate.h>
++#include <linux/siphash.h>
+
+ struct tcpm_hash_bucket;
+ struct ctl_table_header;
+@@ -159,5 +160,6 @@ struct netns_ipv4 {
+ unsigned int fib_seq; /* protected by rtnl_mutex */
+
+ atomic_t rt_genid;
++ siphash_key_t ip_id_key;
+ };
+ #endif
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -513,15 +513,17 @@ EXPORT_SYMBOL(ip_idents_reserve);
+
+ void __ip_select_ident(struct net *net, struct iphdr *iph, int segs)
+ {
+- static u32 ip_idents_hashrnd __read_mostly;
+ u32 hash, id;
+
+- net_get_random_once(&ip_idents_hashrnd, sizeof(ip_idents_hashrnd));
++ /* Note the following code is not safe, but this is okay. */
++ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
++ get_random_bytes(&net->ipv4.ip_id_key,
++ sizeof(net->ipv4.ip_id_key));
+
+- hash = jhash_3words((__force u32)iph->daddr,
++ hash = siphash_3u32((__force u32)iph->daddr,
+ (__force u32)iph->saddr,
+- iph->protocol ^ net_hash_mix(net),
+- ip_idents_hashrnd);
++ iph->protocol,
++ &net->ipv4.ip_id_key);
+ id = ip_idents_reserve(hash, segs);
+ iph->id = htons(id);
+ }
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -10,15 +10,25 @@
+ #include <net/secure_seq.h>
+ #include <linux/netfilter.h>
+
+-static u32 __ipv6_select_ident(struct net *net, u32 hashrnd,
++static u32 __ipv6_select_ident(struct net *net,
+ const struct in6_addr *dst,
+ const struct in6_addr *src)
+ {
++ const struct {
++ struct in6_addr dst;
++ struct in6_addr src;
++ } __aligned(SIPHASH_ALIGNMENT) combined = {
++ .dst = *dst,
++ .src = *src,
++ };
+ u32 hash, id;
+
+- hash = __ipv6_addr_jhash(dst, hashrnd);
+- hash = __ipv6_addr_jhash(src, hash);
+- hash ^= net_hash_mix(net);
++ /* Note the following code is not safe, but this is okay. */
++ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
++ get_random_bytes(&net->ipv4.ip_id_key,
++ sizeof(net->ipv4.ip_id_key));
++
++ hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key);
+
+ /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve,
+ * set the hight order instead thus minimizing possible future
+@@ -41,7 +51,6 @@ static u32 __ipv6_select_ident(struct net *net, u32 hashrnd,
+ */
+ __be32 ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb)
+ {
+- static u32 ip6_proxy_idents_hashrnd __read_mostly;
+ struct in6_addr buf[2];
+ struct in6_addr *addrs;
+ u32 id;
+@@ -53,11 +62,7 @@ __be32 ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb)
+ if (!addrs)
+ return 0;
+
+- net_get_random_once(&ip6_proxy_idents_hashrnd,
+- sizeof(ip6_proxy_idents_hashrnd));
+-
+- id = __ipv6_select_ident(net, ip6_proxy_idents_hashrnd,
+- &addrs[1], &addrs[0]);
++ id = __ipv6_select_ident(net, &addrs[1], &addrs[0]);
+ return htonl(id);
+ }
+ EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident);
+@@ -66,12 +71,9 @@ __be32 ipv6_select_ident(struct net *net,
+ const struct in6_addr *daddr,
+ const struct in6_addr *saddr)
+ {
+- static u32 ip6_idents_hashrnd __read_mostly;
+ u32 id;
+
+- net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd));
+-
+- id = __ipv6_select_ident(net, ip6_idents_hashrnd, daddr, saddr);
++ id = __ipv6_select_ident(net, daddr, saddr);
+ return htonl(id);
+ }
+ EXPORT_SYMBOL(ipv6_select_ident);
diff --git a/patches.fixes/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch b/patches.fixes/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch
new file mode 100644
index 0000000000..2c80b0eda4
--- /dev/null
+++ b/patches.fixes/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch
@@ -0,0 +1,39 @@
+From: Wei Yang <richardw.yang@linux.intel.com>
+Date: Tue, 22 Jan 2019 10:48:09 +0800
+Subject: libnvdimm, pfn: Fix over-trim in trim_pfn_device()
+Patch-mainline: v5.1-rc1
+Git-commit: f101ada7da6551127d192c2f1742c1e9e0f62799
+References: bsc#1140719
+
+When trying to see whether current nd_region intersects with others,
+trim_pfn_device() has already calculated the *size* to be expanded to
+SECTION size.
+
+Do not double append 'adjust' to 'size' when calculating whether the end
+of a region collides with the next pmem region.
+
+Fixes: ae86cbfef381 "libnvdimm, pfn: Pad pfn namespaces relative to other regions"
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Wei Yang <richardw.yang@linux.intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/nvdimm/pfn_devs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvdimm/pfn_devs.c b/drivers/nvdimm/pfn_devs.c
+index 6f22272e8d80..040bbd9c367e 100644
+--- a/drivers/nvdimm/pfn_devs.c
++++ b/drivers/nvdimm/pfn_devs.c
+@@ -678,7 +678,7 @@ static void trim_pfn_device(struct nd_pfn *nd_pfn, u32 *start_pad, u32 *end_trun
+ if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM,
+ IORES_DESC_NONE) == REGION_MIXED
+ || !IS_ALIGNED(end, nd_pfn->align)
+- || nd_region_conflict(nd_region, start, size + adjust))
++ || nd_region_conflict(nd_region, start, size))
+ *end_trunc = end - phys_pmem_align_down(nd_pfn, end);
+ }
+
+--
+2.16.4
+
diff --git a/patches.fixes/netns-get-more-entropy-from-net_hash_mix.patch b/patches.fixes/netns-get-more-entropy-from-net_hash_mix.patch
new file mode 100644
index 0000000000..dc1965379c
--- /dev/null
+++ b/patches.fixes/netns-get-more-entropy-from-net_hash_mix.patch
@@ -0,0 +1,46 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 22 Jun 2018 16:27:47 -0700
+Subject: netns: get more entropy from net_hash_mix()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Patch-mainline: v4.19-rc1
+Git-commit: 5424ea27390f1f8903e5de0eaa0c5b561e8e877a
+References: CVE-2019-10638 bsc#1140575
+
+struct net are effectively allocated from order-1 pages on x86,
+with one object per slab, meaning that the 13 low order bits
+of their addresses are zero.
+
+Once shifted by L1_CACHE_SHIFT, this leaves 7 zero-bits,
+meaning that net_hash_mix() does not help spreading
+objects on various hash tables.
+
+For example, TCP listen table has 32 buckets, meaning that
+all netns use the same bucket for port 80 or port 443.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Maciej Żenczykowski <maze@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ include/net/netns/hash.h | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/include/net/netns/hash.h
++++ b/include/net/netns/hash.h
+@@ -8,12 +8,7 @@ struct net;
+ static inline u32 net_hash_mix(const struct net *net)
+ {
+ #ifdef CONFIG_NET_NS
+- /*
+- * shift this right to eliminate bits, that are
+- * always zeroed
+- */
+-
+- return (u32)(((unsigned long)net) >> L1_CACHE_SHIFT);
++ return (u32)(((unsigned long)net) >> ilog2(sizeof(*net)));
+ #else
+ return 0;
+ #endif
diff --git a/patches.fixes/netns-provide-pure-entropy-for-net_hash_mix.patch b/patches.fixes/netns-provide-pure-entropy-for-net_hash_mix.patch
new file mode 100644
index 0000000000..9556d0a0ba
--- /dev/null
+++ b/patches.fixes/netns-provide-pure-entropy-for-net_hash_mix.patch
@@ -0,0 +1,73 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 27 Mar 2019 08:21:30 -0700
+Subject: netns: provide pure entropy for net_hash_mix()
+Patch-mainline: v5.1-rc4
+Git-commit: 355b98553789b646ed97ad801a619ff898471b92
+References: CVE-2019-10639 bsc#1140577
+
+net_hash_mix() currently uses kernel address of a struct net,
+and is used in many places that could be used to reveal this
+address to a patient attacker, thus defeating KASLR, for
+the typical case (initial net namespace, &init_net is
+not dynamically allocated)
+
+I believe the original implementation tried to avoid spending
+too many cycles in this function, but security comes first.
+
+Also provide entropy regardless of CONFIG_NET_NS.
+
+Fixes: 0b4419162aa6 ("netns: introduce the net_hash_mix "salt" for hashes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Amit Klein <aksecurity@gmail.com>
+Reported-by: Benny Pinkas <benny@pinkas.net>
+Cc: Pavel Emelyanov <xemul@openvz.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ include/net/net_namespace.h | 1 +
+ include/net/netns/hash.h | 10 ++--------
+ net/core/net_namespace.c | 1 +
+ 3 files changed, 4 insertions(+), 8 deletions(-)
+
+--- a/include/net/net_namespace.h
++++ b/include/net/net_namespace.h
+@@ -54,6 +54,7 @@ struct net {
+ */
+ spinlock_t rules_mod_lock;
+
++ u32 hash_mix;
+ atomic64_t cookie_gen;
+
+ struct list_head list; /* list of network namespaces */
+--- a/include/net/netns/hash.h
++++ b/include/net/netns/hash.h
+@@ -1,16 +1,10 @@
+ #ifndef __NET_NS_HASH_H__
+ #define __NET_NS_HASH_H__
+
+-#include <asm/cache.h>
+-
+-struct net;
++#include <net/net_namespace.h>
+
+ static inline u32 net_hash_mix(const struct net *net)
+ {
+-#ifdef CONFIG_NET_NS
+- return (u32)(((unsigned long)net) >> ilog2(sizeof(*net)));
+-#else
+- return 0;
+-#endif
++ return net->hash_mix;
+ }
+ #endif
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -285,6 +285,7 @@ static __net_init int setup_net(struct net *net, struct user_namespace *user_ns)
+
+ atomic_set(&net->count, 1);
+ atomic_set(&net->passive, 1);
++ get_random_bytes(&net->hash_mix, sizeof(u32));
+ net->dev_base_seq = 1;
+ net->user_ns = user_ns;
+ idr_init(&net->netns_ids);
diff --git a/patches.fixes/nfit-ars-allow-root-to-busy-poll-the-ars-state-machine.patch b/patches.fixes/nfit-ars-allow-root-to-busy-poll-the-ars-state-machine.patch
new file mode 100644
index 0000000000..129a02824b
--- /dev/null
+++ b/patches.fixes/nfit-ars-allow-root-to-busy-poll-the-ars-state-machine.patch
@@ -0,0 +1,66 @@
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Wed, 13 Feb 2019 09:04:07 -0800
+Subject: nfit/ars: Allow root to busy-poll the ARS state machine
+Patch-mainline: v5.1-rc1
+Git-commit: 5479b2757f26fe9908fc341d105b2097fe820b6f
+References: bsc#1140814
+
+The ARS implementation implements exponential back-off on the poll
+interval to prevent high-frequency access to the DIMM / platform
+interface. Depending on when the ARS completes the poll interval may
+exceed the completion event by minutes. Allow root to reset the timeout
+each time it probes the status. A one-second timeout is still enforced,
+but root can otherwise can control the poll interval.
+
+Fixes: bc6ba8085842 ("nfit, address-range-scrub: rework and simplify ARS...")
+Cc: <stable@vger.kernel.org>
+Reported-by: Erwin Tsaur <erwin.tsaur@oracle.com>
+Reviewed-by: Toshi Kani <toshi.kani@hpe.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/acpi/nfit/core.c | 8 ++++++++
+ drivers/acpi/nfit/nfit.h | 1 +
+ 2 files changed, 9 insertions(+)
+
+diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
+index 90312892093e..629cf91649d2 100644
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -1333,6 +1333,13 @@ static ssize_t scrub_show(struct device *dev,
+ busy = test_bit(ARS_BUSY, &acpi_desc->scrub_flags)
+ && !test_bit(ARS_CANCEL, &acpi_desc->scrub_flags);
+ rc = sprintf(buf, "%d%s", acpi_desc->scrub_count, busy ? "+\n" : "\n");
++ /* Allow an admin to poll the busy state at a higher rate */
++ if (busy && capable(CAP_SYS_RAWIO) && !test_and_set_bit(ARS_POLL,
++ &acpi_desc->scrub_flags)) {
++ acpi_desc->scrub_tmo = 1;
++ mod_delayed_work(nfit_wq, &acpi_desc->dwork, HZ);
++ }
++
+ mutex_unlock(&acpi_desc->init_mutex);
+ device_unlock(dev);
+ return rc;
+@@ -3187,6 +3194,7 @@ static void acpi_nfit_scrub(struct work_struct *work)
+ else
+ notify_ars_done(acpi_desc);
+ memset(acpi_desc->ars_status, 0, acpi_desc->max_ars);
++ clear_bit(ARS_POLL, &acpi_desc->scrub_flags);
+ mutex_unlock(&acpi_desc->init_mutex);
+ }
+
+diff --git a/drivers/acpi/nfit/nfit.h b/drivers/acpi/nfit/nfit.h
+index 897ce10192a0..d14bad687fb8 100644
+--- a/drivers/acpi/nfit/nfit.h
++++ b/drivers/acpi/nfit/nfit.h
+@@ -213,6 +213,7 @@ struct nfit_mem {
+ enum scrub_flags {
+ ARS_BUSY,
+ ARS_CANCEL,
++ ARS_POLL,
+ };
+
+ struct acpi_nfit_desc {
+--
+2.16.4
+
diff --git a/patches.fixes/nvme-copy-mtfa-field-from-identify-controller.patch b/patches.fixes/nvme-copy-mtfa-field-from-identify-controller.patch
new file mode 100644
index 0000000000..90bd54ac3d
--- /dev/null
+++ b/patches.fixes/nvme-copy-mtfa-field-from-identify-controller.patch
@@ -0,0 +1,39 @@
+From: Laine Walker-Avina <laine.walker-avina@intel.com>
+Date: Mon, 20 May 2019 10:13:04 -0700
+Subject: nvme: copy MTFA field from identify controller
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Patch-mainline: v5.2-rc2
+Git-commit: 2d466c7a574d0b893a233735f133c60115013c0e
+References: bsc#1140715
+
+We use the controller's reported maximum firmware activation time as our
+timeout before resetting a controller for a failed activation notice,
+but this value was never being read so we could only use the default
+timeout. Copy the Identify Controller MTFA field to the corresponding
+nvme_ctrl's mtfa field.
+
+Fixes: b6dccf7fae433 (“nvme: add support for FW activation without reset”).
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Minwoo Im <minwoo.im@samsung.com>
+Signed-off-by: Laine Walker-Avina <laine.walker-avina@intel.com>
+[changelog, fix endian]
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/nvme/host/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2391,6 +2391,7 @@ int nvme_init_identify(struct nvme_ctrl
+
+ ctrl->oacs = le16_to_cpu(id->oacs);
+ ctrl->oncs = le16_to_cpup(&id->oncs);
++ ctrl->mtfa = le16_to_cpu(id->mtfa);
+ ctrl->oaes = le32_to_cpu(id->oaes);
+ atomic_set(&ctrl->abort_limit, id->acl + 1);
+ ctrl->vwc = id->vwc;
+
diff --git a/patches.fixes/scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write_pending.patch b/patches.fixes/scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write_pending.patch
new file mode 100644
index 0000000000..3b5ec18b57
--- /dev/null
+++ b/patches.fixes/scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write_pending.patch
@@ -0,0 +1,42 @@
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 17 Apr 2019 14:44:28 -0700
+Subject: scsi: qla2xxx: Fix abort handling in tcm_qla2xxx_write_pending()
+Patch-mainline: v5.2-rc1
+Git-commit: e209783d66bca04b5fce4429e59338517ffc1a0b
+References: bsc#1140727
+
+Implementations of the .write_pending() callback functions must guarantee
+that an appropriate LIO core callback function will be called immediately or
+at a later time. Make sure that this guarantee is met for aborted SCSI
+commands.
+
+[mkp: typo]
+
+Cc: Himanshu Madhani <hmadhani@marvell.com>
+Cc: Giridhar Malavali <gmalavali@marvell.com>
+Fixes: 694833ee00c4 ("scsi: tcm_qla2xxx: Do not allow aborted cmd to advance.") # v4.13.
+Fixes: a07100e00ac4 ("qla2xxx: Fix TMR ABORT interaction issue between qla2xxx and TCM") # v4.5.
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/scsi/qla2xxx/tcm_qla2xxx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+index b1cf2aa03de7..aa2de81e2dcc 100644
+--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+@@ -393,6 +393,8 @@ static int tcm_qla2xxx_write_pending(struct se_cmd *se_cmd)
+ cmd->se_cmd.transport_state,
+ cmd->se_cmd.t_state,
+ cmd->se_cmd.se_cmd_flags);
++ transport_generic_request_failure(&cmd->se_cmd,
++ TCM_CHECK_CONDITION_ABORT_CMD);
+ return 0;
+ }
+ cmd->trc_flags |= TRC_XFR_RDY;
+--
+2.16.4
+
diff --git a/patches.fixes/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch b/patches.fixes/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch
new file mode 100644
index 0000000000..b6114f085a
--- /dev/null
+++ b/patches.fixes/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch
@@ -0,0 +1,48 @@
+From: Andrew Vasquez <andrewv@marvell.com>
+Date: Tue, 2 Apr 2019 14:24:25 -0700
+Subject: scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS
+ routines
+Patch-mainline: v5.2-rc1
+Git-commit: 5cbdae10bf11f96e30b4d14de7b08c8b490e903c
+References: bsc#1140728
+
+Commit e6f77540c067 ("scsi: qla2xxx: Fix an integer overflow in sysfs
+code") incorrectly set 'optrom_region_size' to 'start+size', which can
+overflow option-rom boundaries when 'start' is non-zero. Continue setting
+optrom_region_size to the proper adjusted value of 'size'.
+
+Fixes: e6f77540c067 ("scsi: qla2xxx: Fix an integer overflow in sysfs code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Vasquez <andrewv@marvell.com>
+Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
+index 8687090193dc..93058379d3c8 100644
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -376,7 +376,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj,
+ }
+
+ ha->optrom_region_start = start;
+- ha->optrom_region_size = start + size;
++ ha->optrom_region_size = size;
+
+ ha->optrom_state = QLA_SREADING;
+ ha->optrom_buffer = vmalloc(ha->optrom_region_size);
+@@ -449,7 +449,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj,
+ }
+
+ ha->optrom_region_start = start;
+- ha->optrom_region_size = start + size;
++ ha->optrom_region_size = size;
+
+ ha->optrom_state = QLA_SWRITING;
+ ha->optrom_buffer = vmalloc(ha->optrom_region_size);
+--
+2.16.4
+
diff --git a/patches.fixes/tcp-refine-memory-limit-test-in-tcp_fragment.patch b/patches.fixes/tcp-refine-memory-limit-test-in-tcp_fragment.patch
new file mode 100644
index 0000000000..1af25b9763
--- /dev/null
+++ b/patches.fixes/tcp-refine-memory-limit-test-in-tcp_fragment.patch
@@ -0,0 +1,39 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 21 Jun 2019 06:09:55 -0700
+Subject: tcp: refine memory limit test in tcp_fragment()
+Patch-mainline: v5.2-rc6
+Git-commit: b6653b3629e5b88202be3c9abc44713973f5c4b4
+References: CVE-2019-11478 bsc#1137586 bsc#1139751
+
+tcp_fragment() might be called for skbs in the write queue.
+
+Memory limits might have been exceeded because tcp_sendmsg() only
+checks limits at full skb (64KB) boundaries.
+
+Therefore, we need to make sure tcp_fragment() wont punish applications
+that might have setup very low SO_SNDBUF values.
+
+Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Christoph Paasch <cpaasch@apple.com>
+Tested-by: Christoph Paasch <cpaasch@apple.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+SLE: version used here comes from stable-4.4.y commit 46c7b5d6f2a5
+
+---
+ net/ipv4/tcp_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1273,7 +1273,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
+ if (nsize < 0)
+ nsize = 0;
+
+- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
++ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000)) {
+ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
+ return -ENOMEM;
+ }
diff --git a/patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch b/patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch
index 781b664f79..ed0bff0688 100644
--- a/patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch
+++ b/patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch
@@ -42,9 +42,9 @@ Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
if (nsize < 0)
nsize = 0;
-- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
+- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000)) {
- NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
-+ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf))
++ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000))
return -ENOMEM;
- }
diff --git a/patches.kabi/kabi-handle-addition-of-net-hash_mix.patch b/patches.kabi/kabi-handle-addition-of-net-hash_mix.patch
new file mode 100644
index 0000000000..0d014818fd
--- /dev/null
+++ b/patches.kabi/kabi-handle-addition-of-net-hash_mix.patch
@@ -0,0 +1,34 @@
+From: Michal Kubecek <mkubecek@suse.cz>
+Date: Tue, 9 Jul 2019 08:37:40 +0200
+Subject: kabi: handle addition of net::hash_mix
+Patch-mainline: Never, kabi workaround
+References: CVE-2019-10639 bsc#1140577
+
+Backport of mainline commit 355b98553789 ("netns: provide pure entropy for
+net_hash_mix()") adds new member hash_mix into kabi-protected struct net.
+As struct net is always allocated by in-tree kernel code, we can simply
+move hash_mix at the end and hide it from genksyms.
+
+Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
+---
+ include/net/net_namespace.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/net_namespace.h
++++ b/include/net/net_namespace.h
+@@ -54,7 +54,6 @@ struct net {
+ */
+ spinlock_t rules_mod_lock;
+
+- u32 hash_mix;
+ atomic64_t cookie_gen;
+
+ struct list_head list; /* list of network namespaces */
+@@ -156,6 +155,7 @@ struct net {
+ } ip6addrlbl_table;
+ struct uevent_sock *uevent_sock; /* uevent socket */
+ int sysctl_tcp_min_snd_mss;
++ u32 hash_mix;
+ #endif
+ };
+
diff --git a/patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch b/patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch
new file mode 100644
index 0000000000..e5b790ea2d
--- /dev/null
+++ b/patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch
@@ -0,0 +1,77 @@
+From: Michal Kubecek <mkubecek@suse.cz>
+Date: Tue, 9 Jul 2019 08:45:15 +0200
+Subject: kabi: handle addition of netns_ipv4::ip_id_key
+Patch-mainline: Never, kabi workaround
+References: CVE-2019-10638 bsc#1140575
+
+Backport of mainline commit df453700e8d8 ("inet: switch IP ID generator to
+siphash") adds new member ip_id_ikey into struct netns_ipv4 which is
+embedded into kabi-protected struct net. As struct net is always allocated
+by in-tree kernel code and struct netns_ipv4 is not used anywhere else, we
+can move ip_id_key out of netns_ipv4 to the end of struct net itself and
+hide it from genksyms.
+
+Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
+---
+ include/net/net_namespace.h | 1 +
+ include/net/netns/ipv4.h | 1 -
+ net/ipv4/route.c | 7 +++----
+ net/ipv6/output_core.c | 7 +++----
+ 4 files changed, 7 insertions(+), 9 deletions(-)
+
+--- a/include/net/net_namespace.h
++++ b/include/net/net_namespace.h
+@@ -156,6 +156,7 @@ struct net {
+ struct uevent_sock *uevent_sock; /* uevent socket */
+ int sysctl_tcp_min_snd_mss;
+ u32 hash_mix;
++ siphash_key_t ip_id_key;
+ #endif
+ };
+
+--- a/include/net/netns/ipv4.h
++++ b/include/net/netns/ipv4.h
+@@ -160,6 +160,5 @@ struct netns_ipv4 {
+ unsigned int fib_seq; /* protected by rtnl_mutex */
+
+ atomic_t rt_genid;
+- siphash_key_t ip_id_key;
+ };
+ #endif
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -516,14 +516,13 @@ void __ip_select_ident(struct net *net, struct iphdr *iph, int segs)
+ u32 hash, id;
+
+ /* Note the following code is not safe, but this is okay. */
+- if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
+- get_random_bytes(&net->ipv4.ip_id_key,
+- sizeof(net->ipv4.ip_id_key));
++ if (unlikely(siphash_key_is_zero(&net->ip_id_key)))
++ get_random_bytes(&net->ip_id_key, sizeof(net->ip_id_key));
+
+ hash = siphash_3u32((__force u32)iph->daddr,
+ (__force u32)iph->saddr,
+ iph->protocol,
+- &net->ipv4.ip_id_key);
++ &net->ip_id_key);
+ id = ip_idents_reserve(hash, segs);
+ iph->id = htons(id);
+ }
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -24,11 +24,10 @@ static u32 __ipv6_select_ident(struct net *net,
+ u32 hash, id;
+
+ /* Note the following code is not safe, but this is okay. */
+- if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
+- get_random_bytes(&net->ipv4.ip_id_key,
+- sizeof(net->ipv4.ip_id_key));
++ if (unlikely(siphash_key_is_zero(&net->ip_id_key)))
++ get_random_bytes(&net->ip_id_key, sizeof(net->ip_id_key));
+
+- hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key);
++ hash = siphash(&combined, sizeof(combined), &net->ip_id_key);
+
+ /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve,
+ * set the hight order instead thus minimizing possible future
diff --git a/patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch b/patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch
index 499708b00d..ca8049a713 100644
--- a/patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch
+++ b/patches.kabi/kabi-protect-struct-acpi_nfit_desc.patch
@@ -8,12 +8,12 @@ Move additional new structure members to the back of acpi_nfit_desc.
Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
---
- drivers/acpi/nfit/nfit.h | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
+ drivers/acpi/nfit/nfit.h | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/acpi/nfit/nfit.h
+++ b/drivers/acpi/nfit/nfit.h
-@@ -196,7 +196,6 @@ struct acpi_nfit_desc {
+@@ -203,14 +203,14 @@ struct acpi_nfit_desc {
struct device *dev;
u8 ars_start_flags;
struct nd_cmd_ars_status *ars_status;
@@ -21,12 +21,22 @@ Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
struct delayed_work dwork;
struct list_head list;
struct kernfs_node *scrub_count_state;
-@@ -212,6 +211,9 @@ struct acpi_nfit_desc {
+ unsigned int max_ars;
+ unsigned int scrub_count;
+ unsigned int scrub_mode;
+- unsigned long scrub_flags;
++ unsigned int scrub_busy:1;
++ unsigned int cancel:1;
+ unsigned long dimm_cmd_force_en;
+ unsigned long bus_cmd_force_en;
+ unsigned long bus_nfit_cmd_force_en;
+@@ -218,6 +218,10 @@ struct acpi_nfit_desc {
unsigned int scrub_tmo;
int (*blk_do_io)(struct nd_blk_region *ndbr, resource_size_t dpa,
void *iobuf, u64 len, int rw);
+#ifndef __GENKSYMS__
+ struct nfit_spa *scrub_spa;
++ unsigned long scrub_flags;
+#endif
};
diff --git a/patches.suse/ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch b/patches.suse/ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch
new file mode 100644
index 0000000000..7ca190f8d2
--- /dev/null
+++ b/patches.suse/ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch
@@ -0,0 +1,182 @@
+From: Petr Mladek <pmladek@suse.com>
+Date: Thu, 27 Jun 2019 10:13:34 +0200
+Subject: ftrace/x86: Remove possible deadlock between register_kprobe() and
+ ftrace_run_update_code()
+Git-commit: d5b844a2cf507fc7642c9ae80a9d585db3065c28
+Patch-mainline: v5.2
+References: bsc#1071995 fate#323487
+
+The commit 9f255b632bf12c4dd7 ("module: Fix livepatch/ftrace module text
+permissions race") causes a possible deadlock between register_kprobe()
+and ftrace_run_update_code() when ftrace is using stop_machine().
+
+The existing dependency chain (in reverse order) is:
+
+-> #1 (text_mutex){+.+.}:
+ validate_chain.isra.21+0xb32/0xd70
+ __lock_acquire+0x4b8/0x928
+ lock_acquire+0x102/0x230
+ __mutex_lock+0x88/0x908
+ mutex_lock_nested+0x32/0x40
+ register_kprobe+0x254/0x658
+ init_kprobes+0x11a/0x168
+ do_one_initcall+0x70/0x318
+ kernel_init_freeable+0x456/0x508
+ kernel_init+0x22/0x150
+ ret_from_fork+0x30/0x34
+ kernel_thread_starter+0x0/0xc
+
+-> #0 (cpu_hotplug_lock.rw_sem){++++}:
+ check_prev_add+0x90c/0xde0
+ validate_chain.isra.21+0xb32/0xd70
+ __lock_acquire+0x4b8/0x928
+ lock_acquire+0x102/0x230
+ cpus_read_lock+0x62/0xd0
+ stop_machine+0x2e/0x60
+ arch_ftrace_update_code+0x2e/0x40
+ ftrace_run_update_code+0x40/0xa0
+ ftrace_startup+0xb2/0x168
+ register_ftrace_function+0x64/0x88
+ klp_patch_object+0x1a2/0x290
+ klp_enable_patch+0x554/0x980
+ do_one_initcall+0x70/0x318
+ do_init_module+0x6e/0x250
+ load_module+0x1782/0x1990
+ __s390x_sys_finit_module+0xaa/0xf0
+ system_call+0xd8/0x2d0
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(text_mutex);
+ lock(cpu_hotplug_lock.rw_sem);
+ lock(text_mutex);
+ lock(cpu_hotplug_lock.rw_sem);
+
+It is similar problem that has been solved by the commit 2d1e38f56622b9b
+("kprobes: Cure hotplug lock ordering issues"). Many locks are involved.
+To be on the safe side, text_mutex must become a low level lock taken
+after cpu_hotplug_lock.rw_sem.
+
+This can't be achieved easily with the current ftrace design.
+For example, arm calls set_all_modules_text_rw() already in
+ftrace_arch_code_modify_prepare(), see arch/arm/kernel/ftrace.c.
+This functions is called:
+
+ + outside stop_machine() from ftrace_run_update_code()
+ + without stop_machine() from ftrace_module_enable()
+
+Fortunately, the problematic fix is needed only on x86_64. It is
+the only architecture that calls set_all_modules_text_rw()
+in ftrace path and supports livepatching at the same time.
+
+Therefore it is enough to move text_mutex handling from the generic
+kernel/trace/ftrace.c into arch/x86/kernel/ftrace.c:
+
+ ftrace_arch_code_modify_prepare()
+ ftrace_arch_code_modify_post_process()
+
+This patch basically reverts the ftrace part of the problematic
+commit 9f255b632bf12c4dd7 ("module: Fix livepatch/ftrace module
+text permissions race"). And provides x86_64 specific-fix.
+
+Some refactoring of the ftrace code will be needed when livepatching
+is implemented for arm or nds32. These architectures call
+set_all_modules_text_rw() and use stop_machine() at the same time.
+
+Link: http://lkml.kernel.org/r/20190627081334.12793-1-pmladek@suse.com
+
+Fixes: 9f255b632bf12c4dd7 ("module: Fix livepatch/ftrace module text permissions race")
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Reported-by: Miroslav Benes <mbenes@suse.cz>
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+[
+ As reviewed by Miroslav Benes <mbenes@suse.cz>, removed return value of
+ ftrace_run_update_code() as it is a void function.
+]
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Acked-by: Miroslav Benes <mbenes@suse.cz>
+---
+ arch/x86/kernel/ftrace.c | 3 +++
+ kernel/trace/ftrace.c | 10 +---------
+ 2 files changed, 4 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/kernel/ftrace.c
++++ b/arch/x86/kernel/ftrace.c
+@@ -21,6 +21,7 @@
+ #include <linux/init.h>
+ #include <linux/list.h>
+ #include <linux/module.h>
++#include <linux/memory.h>
+
+ #include <trace/syscall.h>
+
+@@ -34,6 +35,7 @@
+
+ int ftrace_arch_code_modify_prepare(void)
+ {
++ mutex_lock(&text_mutex);
+ set_kernel_text_rw();
+ set_all_modules_text_rw();
+ return 0;
+@@ -43,6 +45,7 @@ int ftrace_arch_code_modify_post_process
+ {
+ set_all_modules_text_ro();
+ set_kernel_text_ro();
++ mutex_unlock(&text_mutex);
+ return 0;
+ }
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -33,7 +33,6 @@
+ #include <linux/list.h>
+ #include <linux/hash.h>
+ #include <linux/rcupdate.h>
+-#include <linux/memory.h>
+
+ #include <trace/events/sched.h>
+
+@@ -2630,12 +2629,10 @@ static void ftrace_run_update_code(int c
+ {
+ int ret;
+
+- mutex_lock(&text_mutex);
+-
+ ret = ftrace_arch_code_modify_prepare();
+ FTRACE_WARN_ON(ret);
+ if (ret)
+- goto out_unlock;
++ return;
+
+ /*
+ * By default we use stop_machine() to modify the code.
+@@ -2647,9 +2644,6 @@ static void ftrace_run_update_code(int c
+
+ ret = ftrace_arch_code_modify_post_process();
+ FTRACE_WARN_ON(ret);
+-
+-out_unlock:
+- mutex_unlock(&text_mutex);
+ }
+
+ static void ftrace_run_modify_code(struct ftrace_ops *ops, int command,
+@@ -5415,7 +5409,6 @@ void ftrace_module_enable(struct module
+ struct ftrace_page *pg;
+
+ mutex_lock(&ftrace_lock);
+- mutex_lock(&text_mutex);
+
+ if (ftrace_disabled)
+ goto out_unlock;
+@@ -5476,7 +5469,6 @@ void ftrace_module_enable(struct module
+ ftrace_arch_code_modify_post_process();
+
+ out_unlock:
+- mutex_unlock(&text_mutex);
+ mutex_unlock(&ftrace_lock);
+ }
+
diff --git a/patches.suse/tracing-snapshot-resize-spare-buffer-if-size-changed.patch b/patches.suse/tracing-snapshot-resize-spare-buffer-if-size-changed.patch
new file mode 100644
index 0000000000..d67ddc4bf6
--- /dev/null
+++ b/patches.suse/tracing-snapshot-resize-spare-buffer-if-size-changed.patch
@@ -0,0 +1,105 @@
+From: Eiichi Tsukata <devel@etsukata.com>
+Date: Tue, 25 Jun 2019 10:29:10 +0900
+Subject: tracing/snapshot: Resize spare buffer if size changed
+Git-commit: 46cc0b44428d0f0e81f11ea98217fc0edfbeab07
+Patch-mainline: v5.2
+References: bsc#1140726
+
+Current snapshot implementation swaps two ring_buffers even though their
+sizes are different from each other, that can cause an inconsistency
+between the contents of buffer_size_kb file and the current buffer size.
+
+For example:
+
+ # cat buffer_size_kb
+ 7 (expanded: 1408)
+ # echo 1 > events/enable
+ # grep bytes per_cpu/cpu0/stats
+ bytes: 1441020
+ # echo 1 > snapshot // current:1408, spare:1408
+ # echo 123 > buffer_size_kb // current:123, spare:1408
+ # echo 1 > snapshot // current:1408, spare:123
+ # grep bytes per_cpu/cpu0/stats
+ bytes: 1443700
+ # cat buffer_size_kb
+ 123 // != current:1408
+
+And also, a similar per-cpu case hits the following WARNING:
+
+Reproducer:
+
+ # echo 1 > per_cpu/cpu0/snapshot
+ # echo 123 > buffer_size_kb
+ # echo 1 > per_cpu/cpu0/snapshot
+
+WARNING:
+
+ WARNING: CPU: 0 PID: 1946 at kernel/trace/trace.c:1607 update_max_tr_single.part.0+0x2b8/0x380
+ Modules linked in:
+ CPU: 0 PID: 1946 Comm: bash Not tainted 5.2.0-rc6 #20
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
+ RIP: 0010:update_max_tr_single.part.0+0x2b8/0x380
+ Code: ff e8 dc da f9 ff 0f 0b e9 88 fe ff ff e8 d0 da f9 ff 44 89 ee bf f5 ff ff ff e8 33 dc f9 ff 41 83 fd f5 74 96 e8 b8 da f9 ff <0f> 0b eb 8d e8 af da f9 ff 0f 0b e9 bf fd ff ff e8 a3 da f9 ff 48
+ RSP: 0018:ffff888063e4fca0 EFLAGS: 00010093
+ RAX: ffff888066214380 RBX: ffffffff99850fe0 RCX: ffffffff964298a8
+ RDX: 0000000000000000 RSI: 00000000fffffff5 RDI: 0000000000000005
+ RBP: 1ffff1100c7c9f96 R08: ffff888066214380 R09: ffffed100c7c9f9b
+ R10: ffffed100c7c9f9a R11: 0000000000000003 R12: 0000000000000000
+ R13: 00000000ffffffea R14: ffff888066214380 R15: ffffffff99851060
+ FS: 00007f9f8173c700(0000) GS:ffff88806d000000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000714dc0 CR3: 0000000066fa6000 CR4: 00000000000006f0
+ Call Trace:
+ ? trace_array_printk_buf+0x140/0x140
+ ? __mutex_lock_slowpath+0x10/0x10
+ tracing_snapshot_write+0x4c8/0x7f0
+ ? trace_printk_init_buffers+0x60/0x60
+ ? selinux_file_permission+0x3b/0x540
+ ? tracer_preempt_off+0x38/0x506
+ ? trace_printk_init_buffers+0x60/0x60
+ __vfs_write+0x81/0x100
+ vfs_write+0x1e1/0x560
+ ksys_write+0x126/0x250
+ ? __ia32_sys_read+0xb0/0xb0
+ ? do_syscall_64+0x1f/0x390
+ do_syscall_64+0xc1/0x390
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+This patch adds resize_buffer_duplicate_size() to check if there is a
+difference between current/spare buffer sizes and resize a spare buffer
+if necessary.
+
+Link: http://lkml.kernel.org/r/20190625012910.13109-1-devel@etsukata.com
+
+Cc: stable@vger.kernel.org
+Fixes: ad909e21bbe69 ("tracing: Add internal tracing_snapshot() functions")
+Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Acked-by: Miroslav Benes <mbenes@suse.cz>
+---
+ kernel/trace/trace.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index 4122ccde6ec2..c3aabb576fe5 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -6719,11 +6719,13 @@ tracing_snapshot_write(struct file *filp, const char __user *ubuf, size_t cnt,
+ break;
+ }
+ #endif
+- if (!tr->allocated_snapshot) {
++ if (tr->allocated_snapshot)
++ ret = resize_buffer_duplicate_size(&tr->max_buffer,
++ &tr->trace_buffer, iter->cpu_file);
++ else
+ ret = tracing_alloc_snapshot_instance(tr);
+- if (ret < 0)
+- break;
+- }
++ if (ret < 0)
++ break;
+ local_irq_disable();
+ /* Now, we're going to swap */
+ if (iter->cpu_file == RING_BUFFER_ALL_CPUS)
+
diff --git a/series.conf b/series.conf
index 0388fad0b4..826809b34c 100644
--- a/series.conf
+++ b/series.conf
@@ -18553,6 +18553,7 @@
patches.fixes/kconfig-fix-the-rule-of-mainmenu_stmt-symbol.patch
patches.arch/x86-i8259-add-missing-include-file
patches.drivers/net-usb-r8152-use-irqsave-in-USB-s-complete-callback.patch
+ patches.fixes/netns-get-more-entropy-from-net_hash_mix.patch
patches.drivers/cxgb4-Add-flag-tc_flower_initialized.patch
patches.fixes/0001-cxgb4-Add-new-T5-PCI-device-id-0x50ae.patch
patches.drivers/net-hns3-rename-the-interface-for-init_client_instan.patch
@@ -20108,6 +20109,7 @@
patches.drivers/usbip-vudc-BUG-kmalloc-2048-Not-tainted-Poison-overw.patch
patches.drivers/kernfs-update-comment-about-kernfs_path-return-value.patch
patches.drivers/uio-ensure-class-is-registered-before-devices.patch
+ patches.fixes/coresight-etb10-Fix-handling-of-perf-mode.patch
patches.drivers/VMCI-Resource-wildcard-match-fixed.patch
patches.drivers/w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch
patches.drivers/uio-make-symbol-uio_class_registered-static.patch
@@ -21798,6 +21800,7 @@
patches.drivers/intel_th-Don-t-reference-unassigned-outputs.patch
patches.drivers/stm-class-Fix-an-endless-loop-in-channel-allocation.patch
patches.drivers/stm-class-Prevent-division-by-zero.patch
+ patches.fixes/coresight-etm4x-Add-support-to-enable-ETMv4.2.patch
patches.drivers/VMCI-Support-upto-64-bit-PPNs.patch
patches.drivers/misc-hpilo-Exclude-unsupported-device-via-blacklist.patch
patches.drivers/misc-hpilo-Do-not-claim-unsupported-hardware.patch
@@ -22043,10 +22046,14 @@
patches.fixes/acpi-nfit-Fix-bus-command-validation.patch
patches.fixes/libnvdimm-label-clear-updating-flag-after-label-set-update.patch
patches.fixes/nfit-acpi_nfit_ctl-check-out_obj-type-in-the-right-place.patch
+ patches.fixes/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch
patches.fixes/libnvdimm-Fix-altmap-reservation-size-calculation.patch
patches.fixes/libnvdimm-pmem-honor-force_raw-for-legacy-pmem-regions.patch
patches.fixes/nfit-ars-Attempt-a-short-ARS-whenever-the-ARS-state-.patch
patches.fixes/nfit-ars-Attempt-short-ARS-even-in-the-no_init_ars-c.patch
+ patches.drivers/nfit-ars-introduce-scrub_flags.patch
+ patches.fixes/nfit-ars-allow-root-to-busy-poll-the-ars-state-machine.patch
+ patches.drivers/nfit-ars-avoid-stale-ars-results.patch
patches.fixes/0001-crypto-caam-add-missing-put_device-call.patch
patches.drivers/clk-highbank-fix-refcount-leak-in-hb_clk_init.patch
patches.drivers/clk-qoriq-fix-refcount-leak-in-clockgen_init.patch
@@ -22239,6 +22246,7 @@
patches.drivers/serial-ar933x_uart-Fix-build-failure-with-disabled-c.patch
patches.drivers/serial-sh-sci-Fix-setting-SCSCR_TIE-while-transferri.patch
patches.drivers/Disable-kgdboc-failed-by-echo-space-to-sys-module-kg.patch
+ patches.drivers/staging-comedi-ni_mio_common-Fix-divide-by-zero-for-.patch
patches.drivers/staging-rtl8188eu-Fix-potential-NULL-pointer-derefer.patch
patches.drivers/staging-rtl8712-uninitialized-memory-in-read_bbreg_h.patch
patches.drivers/staging-vt6655-Fix-interrupt-race-condition-on-devic.patch
@@ -22264,6 +22272,7 @@
patches.fixes/batman-adv-Reduce-tt_global-hash-refcnt-only-for-rem.patch
patches.drivers/fm10k-Fix-a-potential-NULL-pointer-dereference.patch
patches.drivers/qmi_wwan-add-Olicard-600.patch
+ patches.fixes/netns-provide-pure-entropy-for-net_hash_mix.patch
patches.fixes/openvswitch-fix-flow-actions-reallocation.patch
patches.fixes/net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch
patches.suse/net-ethtool-not-call-vzalloc-for-zero-sized-memory-r.patch
@@ -22556,6 +22565,7 @@
patches.fixes/0001-of-fix-clang-Wunsequenced-for-be32_to_cpu.patch
patches.drivers/ibmvnic-Report-actual-backing-device-speed-and-duple.patch
patches.fixes/openvswitch-add-seqadj-extension-when-NAT-is-used.patch
+ patches.fixes/inet-switch-IP-ID-generator-to-siphash.patch
patches.fixes/batman-adv-allow-updating-DAT-entry-timeouts-on-inco.patch
patches.drivers/ibmvnic-remove-set-but-not-used-variable-netdev.patch
patches.drivers/net-hns3-remove-resetting-check-in-hclgevf_reset_tas.patch
@@ -22615,6 +22625,8 @@
patches.drivers/scsi-qedf-missing-kref_put-in-qedf_xmit.patch
patches.drivers/scsi-qedf-fixup-locking-in-qedf_restart_rport.patch
patches.drivers/scsi-qedf-fixup-bit-operations.patch
+ patches.fixes/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch
+ patches.fixes/scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write_pending.patch
patches.drivers/ipmi-ssif-compare-block-number-correctly-for-multi-p.patch
patches.drivers/media-cpia2-Fix-use-after-free-in-cpia2_exit.patch
patches.drivers/media-saa7146-avoid-high-stack-usage-with-clang.patch
@@ -22688,6 +22700,8 @@
patches.drivers/rtc-88pm860x-prevent-use-after-free-on-device-remove.patch
patches.drivers/clk-rockchip-fix-wrong-clock-definitions-for-rk3328.patch
patches.drivers/clk-rockchip-Fix-video-codec-clocks-on-rk3288.patch
+ patches.drivers/clk-rockchip-Turn-on-aclk_dmac1-for-suspend-on-rk328.patch
+ patches.drivers/clk-tegra-Fix-PLLM-programming-on-Tegra124-when-PMC-.patch
patches.suse/tipc-fix-hanging-clients-using-poll-with-EPOLLOUT-fl.patch
patches.fixes/vlan-disable-SIOCSHWTSTAMP-in-container.patch
patches.arch/powerpc-numa-improve-control-of-topology-updates.patch
@@ -22828,6 +22842,7 @@
patches.drivers/platform-x86-pmc_atom-Add-several-Beckhoff-Automatio.patch
patches.fixes/sbitmap-fix-improper-use-of-smp_mb__before_atomic.patch
patches.fixes/blk-mq-fix-hang-caused-by-freeze-unfreeze-sequence.patch
+ patches.fixes/nvme-copy-mtfa-field-from-identify-controller.patch
patches.fixes/ext4-wait-for-outstanding-dio-during-truncate-in-noj.patch
patches.arch/kvm-x86-include-multiple-indices-with-cpuid-leaf-0x8000001d.patch
patches.arch/kvm-x86-include-cpuid-leaf-0x8000001e-in-kvm-s-supported-cpuid.patch
@@ -22944,13 +22959,17 @@
patches.fixes/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch
patches.drivers/Input-uinput-add-compat-ioctl-number-translation-for.patch
patches.drivers/Input-synaptics-enable-SMBus-on-ThinkPad-E480-and-E5.patch
+ patches.fixes/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
patches.drivers/PCI-PM-Skip-devices-in-D0-for-suspend-to-idle.patch
patches.drivers/mmc-core-Prevent-processing-SDIO-IRQs-when-the-card-.patch
patches.fixes/0001-usb-chipidea-udc-workaround-for-endpoint-conflict-is.patch
patches.drm/drm-i915-gvt-ignore-unexpected-pvinfo-write.patch
+ patches.fixes/tcp-refine-memory-limit-test-in-tcp_fragment.patch
patches.drivers/Bluetooth-Fix-regression-with-minimum-encryption-key.patch
patches.drivers/ppp-mppe-Add-softdep-to-arc4.patch
patches.fixes/Bluetooth-Fix-faulty-expression-for-minimum-encrypti.patch
+ patches.suse/ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch
+ patches.suse/tracing-snapshot-resize-spare-buffer-if-size-changed.patch
patches.drivers/ALSA-hda-realtek-Add-quirks-for-several-Clevo-notebo.patch
patches.drivers/ALSA-usb-audio-fix-sign-unintended-sign-extension-on.patch
patches.drivers/ALSA-hda-realtek-Change-front-mic-location-for-Lenov.patch
@@ -22960,6 +22979,7 @@
patches.fixes/crypto-cryptd-Fix-skcipher-instance-memory-leak.patch
patches.fixes/crypto-user-prevent-operating-on-larval-algorithms.patch
patches.fixes/scsi-target-iblock-fix-overrun-in-write-same-emulation
+ patches.drivers/dmaengine-imx-sdma-remove-BD_INTR-for-channel0.patch
# powerpc/linux next
patches.arch/powerpc-pseries-dlpar-Fix-a-missing-check-in-dlpar_p.patch
@@ -23418,6 +23438,8 @@
patches.kabi/kabi-handle-addition-of-ip6addrlbl_table-into-struct.patch
patches.kabi/kabi-restore-ip_tunnel_delete_net.patch
patches.kabi/kabi-handle-addition-of-uevent_sock-into-struct-net.patch
+ patches.kabi/kabi-handle-addition-of-net-hash_mix.patch
+ patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch
########################################################
# Netfilter