authorJohannes Thumshirn <jthumshirn@suse.de>2019-09-05 18:01:04 +0200
committerJohannes Thumshirn <jthumshirn@suse.de>2019-09-05 18:01:04 +0200
commitff88a5cdb82ea68ed2e514ebfda5ffcd0993b9e3 (patch)
tree7b404efef2bc4266ad7971f07e301575a6edd431
parent12bf7b7806d71d3554a4319adef99ef3d4916dc2 (diff)
parenta1da6e968a3fe7251d6b09646c9bdad599198696 (diff)
Merge remote-tracking branch 'origin/SLE15' into SLE12-SP4
Conflicts: series.conf
-rw-r--r--config/arm64/default5
-rw-r--r--patches.suse/ALSA-usb-audio-Avoid-access-before-bLength-check-in-.patch2
-rw-r--r--patches.suse/Bluetooth-hci_ldisc-Postpone-HCI_UART_PROTO_READY-bi.patch2
-rw-r--r--patches.suse/ath6kl-add-some-bounds-checking.patch2
-rw-r--r--patches.suse/btrfs-add-a-helper-to-retrive-extent-inline-ref-type.patch89
-rw-r--r--patches.suse/btrfs-add-one-more-sanity-check-for-shared-ref-type.patch141
-rw-r--r--patches.suse/btrfs-convert-to-use-btrfs_get_extent_inline_ref_type.patch176
-rw-r--r--patches.suse/btrfs-remove-bug-in-add_data_reference.patch35
-rw-r--r--patches.suse/btrfs-remove-bug-in-btrfs_extent_inline_ref_size.patch32
-rw-r--r--patches.suse/btrfs-remove-bug-in-print_extent_item.patch36
-rw-r--r--patches.suse/btrfs-remove-bug_on-in-_add_tree_block.patch54
-rw-r--r--patches.suse/ceph-don-t-blindly-unregister-session-that-is-in-opening-state.patch96
-rw-r--r--patches.suse/ceph-don-t-try-fill-file_lock-on-unsuccessful-getfilelock-reply.patch36
-rw-r--r--patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_build_xattrs_blob.patch157
-rw-r--r--patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_setxattr.patch88
-rw-r--r--patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fill_inode.patch81
-rw-r--r--patches.suse/ceph-fix-ceph-dir-rctime-vxattr-value.patch31
-rw-r--r--patches.suse/ceph-fix-improper-use-of-smp_mb__before_atomic.patch42
-rw-r--r--patches.suse/ceph-hold-i_ceph_lock-when-removing-caps-for-freeing-inode.patch48
-rw-r--r--patches.suse/ceph-remove-request-from-waiting-list-before-unregister.patch37
-rw-r--r--patches.suse/ceph-silence-a-checker-warning-in-mdsc_show.patch37
-rw-r--r--patches.suse/cifs-Fix-use-after-free-in-SMB2_read.patch2
-rw-r--r--patches.suse/cifs-Fix-use-after-free-in-SMB2_write.patch2
-rw-r--r--patches.suse/ftrace-check-for-empty-hash-and-comment-the-race-with-registering-probes.patch49
-rw-r--r--patches.suse/ftrace-check-for-successful-allocation-of-hash.patch40
-rw-r--r--patches.suse/ftrace-fix-null-pointer-dereference-in-t_probe_next.patch77
-rw-r--r--patches.suse/genetlink-Fix-a-memory-leak-on-error-path.patch2
-rw-r--r--patches.suse/kvm-x86-move-msr_ia32_arch_capabilities-to-array-emulated_msrs37
-rw-r--r--patches.suse/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph_buffer.patch29
-rw-r--r--patches.suse/libceph-fix-pg-split-vs-osd-reconnect-race.patch71
-rw-r--r--patches.suse/powerpc-fadump-when-fadump-is-supported-register-the.patch68
-rw-r--r--patches.suse/powerpc-xive-Fix-dump-of-XIVE-interrupt-under-pserie.patch215
-rw-r--r--patches.suse/powerpc-xmon-Add-a-dump-of-all-XIVE-interrupts.patch66
-rw-r--r--patches.suse/powerpc-xmon-Check-for-HV-mode-when-dumping-XIVE-inf.patch59
-rw-r--r--patches.suse/rsi-add-fix-for-crash-during-assertions.patch38
-rw-r--r--series.conf28
36 files changed, 2002 insertions, 8 deletions
diff --git a/config/arm64/default b/config/arm64/default
index f860338123..3a4e804656 100644
--- a/config/arm64/default
+++ b/config/arm64/default
@@ -465,7 +465,8 @@ CONFIG_PCI_PRI=y
CONFIG_PCI_PASID=y
CONFIG_PCI_LABEL=y
CONFIG_HOTPLUG_PCI=y
-# CONFIG_HOTPLUG_PCI_ACPI is not set
+CONFIG_HOTPLUG_PCI_ACPI=y
+# CONFIG_HOTPLUG_PCI_ACPI_IBM is not set
CONFIG_HOTPLUG_PCI_CPCI=y
CONFIG_HOTPLUG_PCI_SHPC=m
@@ -6966,7 +6967,7 @@ CONFIG_ACPI_CUSTOM_DSDT_FILE=""
CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y
CONFIG_ACPI_TABLE_UPGRADE=y
# CONFIG_ACPI_DEBUG is not set
-# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_ACPI_PCI_SLOT=y
CONFIG_ACPI_CONTAINER=y
CONFIG_ACPI_HED=y
# CONFIG_ACPI_CUSTOM_METHOD is not set
diff --git a/patches.suse/ALSA-usb-audio-Avoid-access-before-bLength-check-in-.patch b/patches.suse/ALSA-usb-audio-Avoid-access-before-bLength-check-in-.patch
index d0e3a70c51..d9276dc6d6 100644
--- a/patches.suse/ALSA-usb-audio-Avoid-access-before-bLength-check-in-.patch
+++ b/patches.suse/ALSA-usb-audio-Avoid-access-before-bLength-check-in-.patch
@@ -4,7 +4,7 @@ Date: Wed, 19 Dec 2018 12:36:27 +0100
Subject: [PATCH 1/9] ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()
Git-commit: f4351a199cc120ff9d59e06d02e8657d08e6cc46
Patch-mainline: v5.0-rc2
-References: bsc#1051510
+References: bsc#1051510, CVE-2019-15927, bsc#1149522
The parser for the processing unit reads bNrInPins field before the
bLength sanity check, which may lead to an out-of-bound access when a
diff --git a/patches.suse/Bluetooth-hci_ldisc-Postpone-HCI_UART_PROTO_READY-bi.patch b/patches.suse/Bluetooth-hci_ldisc-Postpone-HCI_UART_PROTO_READY-bi.patch
index 513a00a150..0199ab859d 100644
--- a/patches.suse/Bluetooth-hci_ldisc-Postpone-HCI_UART_PROTO_READY-bi.patch
+++ b/patches.suse/Bluetooth-hci_ldisc-Postpone-HCI_UART_PROTO_READY-bi.patch
@@ -4,7 +4,7 @@ Date: Sat, 23 Feb 2019 12:33:27 +0800
Subject: [PATCH] Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()
Git-commit: 56897b217a1d0a91c9920cb418d6b3fe922f590a
Patch-mainline: v5.1-rc1
-References: bsc#1051510
+References: bsc#1051510, CVE-2019-15917, bsc#1149539
task A: task B:
hci_uart_set_proto flush_to_ldisc
diff --git a/patches.suse/ath6kl-add-some-bounds-checking.patch b/patches.suse/ath6kl-add-some-bounds-checking.patch
index f8cfc55857..599d122c81 100644
--- a/patches.suse/ath6kl-add-some-bounds-checking.patch
+++ b/patches.suse/ath6kl-add-some-bounds-checking.patch
@@ -4,7 +4,7 @@ Date: Thu, 4 Apr 2019 11:56:51 +0300
Subject: [PATCH] ath6kl: add some bounds checking
Git-commit: 5d6751eaff672ea77642e74e92e6c0ac7f9709ab
Patch-mainline: v5.3-rc1
-References: bsc#1051510
+References: bsc#1051510, CVE-2019-15926, bsc#1149527
The "ev->traffic_class" and "reply->ac" variables come from the network
and they're used as an offset into the wmi->stream_exist_for_ac[] array.
diff --git a/patches.suse/btrfs-add-a-helper-to-retrive-extent-inline-ref-type.patch b/patches.suse/btrfs-add-a-helper-to-retrive-extent-inline-ref-type.patch
new file mode 100644
index 0000000000..c90a95e8e3
--- /dev/null
+++ b/patches.suse/btrfs-add-a-helper-to-retrive-extent-inline-ref-type.patch
@@ -0,0 +1,89 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:18 -0600
+Subject: Btrfs: add a helper to retrive extent inline ref type
+Git-commit: 167ce953ca55bdee20fe56c3c0fa51002435f745
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+An invalid value of extent inline ref type may be read from a
+malicious image which may force btrfs to crash.
+
+This adds a helper which does sanity check for the ref type, so we can
+know if it's sane, return he type, otherwise return an error.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ minimal tweak const types, causing warnings due to other cleanup patches ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/ctree.h | 11 +++++++++++
+ fs/btrfs/extent-tree.c | 37 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 48 insertions(+)
+
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -2587,6 +2587,17 @@ static inline gfp_t btrfs_alloc_write_ma
+
+ /* extent-tree.c */
+
++enum btrfs_inline_ref_type {
++ BTRFS_REF_TYPE_INVALID = 0,
++ BTRFS_REF_TYPE_BLOCK = 1,
++ BTRFS_REF_TYPE_DATA = 2,
++ BTRFS_REF_TYPE_ANY = 3,
++};
++
++int btrfs_get_extent_inline_ref_type(const struct extent_buffer *eb,
++ struct btrfs_extent_inline_ref *iref,
++ enum btrfs_inline_ref_type is_data);
++
+ u64 btrfs_csum_bytes_to_leaves(struct btrfs_fs_info *fs_info, u64 csum_bytes);
+
+ static inline u64 btrfs_calc_trans_metadata_size(struct btrfs_fs_info *fs_info,
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -1147,6 +1147,43 @@ static int convert_extent_item_v0(struct
+ }
+ #endif
+
++/*
++ * is_data == BTRFS_REF_TYPE_BLOCK, tree block type is required,
++ * is_data == BTRFS_REF_TYPE_DATA, data type is requried,
++ * is_data == BTRFS_REF_TYPE_ANY, either type is OK.
++ */
++int btrfs_get_extent_inline_ref_type(const struct extent_buffer *eb,
++ struct btrfs_extent_inline_ref *iref,
++ enum btrfs_inline_ref_type is_data)
++{
++ int type = btrfs_extent_inline_ref_type(eb, iref);
++
++ if (type == BTRFS_TREE_BLOCK_REF_KEY ||
++ type == BTRFS_SHARED_BLOCK_REF_KEY ||
++ type == BTRFS_SHARED_DATA_REF_KEY ||
++ type == BTRFS_EXTENT_DATA_REF_KEY) {
++ if (is_data == BTRFS_REF_TYPE_BLOCK) {
++ if (type == BTRFS_TREE_BLOCK_REF_KEY ||
++ type == BTRFS_SHARED_BLOCK_REF_KEY)
++ return type;
++ } else if (is_data == BTRFS_REF_TYPE_DATA) {
++ if (type == BTRFS_EXTENT_DATA_REF_KEY ||
++ type == BTRFS_SHARED_DATA_REF_KEY)
++ return type;
++ } else {
++ ASSERT(is_data == BTRFS_REF_TYPE_ANY);
++ return type;
++ }
++ }
++
++ btrfs_print_leaf(eb->fs_info, (struct extent_buffer *) eb);
++ btrfs_err(eb->fs_info, "eb %llu invalid extent inline ref type %d",
++ eb->start, type);
++ WARN_ON(1);
++
++ return BTRFS_REF_TYPE_INVALID;
++}
++
+ static u64 hash_extent_data_ref(u64 root_objectid, u64 owner, u64 offset)
+ {
+ u32 high_crc = ~(u32)0;
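Review bot: The rejection path of `btrfs_get_extent_inline_ref_type()` ends in an unconditional `WARN_ON(1)` after `btrfs_print_leaf()` has dumped the whole leaf, yet the commit message says the bad value can come from a malicious image. On a host that sets panic_on_warn, a crafted image would therefore still stop the kernel, and each invalid ref writes a full leaf dump to the log. I would drop the `WARN_ON(1);` line, since `btrfs_err()` already records the buffer and the type, and consider a rate-limited message for the error itself. The same `btrfs_print_leaf()` plus `WARN_ON(1)` pair is added by the __add_tree_block patch further down. The third branch is guarded only by `ASSERT(is_data == BTRFS_REF_TYPE_ANY)`, so the header comment should say that any other value behaves like ANY in builds without CONFIG_BTRFS_ASSERT.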
diff --git a/patches.suse/btrfs-add-one-more-sanity-check-for-shared-ref-type.patch b/patches.suse/btrfs-add-one-more-sanity-check-for-shared-ref-type.patch
new file mode 100644
index 0000000000..d9970fdd51
--- /dev/null
+++ b/patches.suse/btrfs-add-one-more-sanity-check-for-shared-ref-type.patch
@@ -0,0 +1,141 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:24 -0600
+Subject: Btrfs: add one more sanity check for shared ref type
+Git-commit: 64ecdb647ddb83dcff9c8e2a5c40119f171ea004
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+Every shared ref has a parent tree block, which can be get from
+btrfs_extent_inline_ref_offset(). And the tree block must be aligned
+to the nodesize, so we'd know this inline ref is not valid if this
+block's bytenr is not aligned to the nodesize, in which case, most
+likely the ref type has been misused.
+
+This adds the above mentioned check and also updates
+print_extent_item() called by btrfs_print_leaf() to point out the
+invalid ref while printing the tree structure.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/extent-tree.c | 29 +++++++++++++++++++++++++----
+ fs/btrfs/print-tree.c | 27 +++++++++++++++++++++------
+ 2 files changed, 46 insertions(+), 10 deletions(-)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index 51a691532fd8..96e49fd5b888 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -1158,19 +1158,40 @@ int btrfs_get_extent_inline_ref_type(const struct extent_buffer *eb,
+ enum btrfs_inline_ref_type is_data)
+ {
+ int type = btrfs_extent_inline_ref_type(eb, iref);
++ u64 offset = btrfs_extent_inline_ref_offset(eb, iref);
+
+ if (type == BTRFS_TREE_BLOCK_REF_KEY ||
+ type == BTRFS_SHARED_BLOCK_REF_KEY ||
+ type == BTRFS_SHARED_DATA_REF_KEY ||
+ type == BTRFS_EXTENT_DATA_REF_KEY) {
+ if (is_data == BTRFS_REF_TYPE_BLOCK) {
+- if (type == BTRFS_TREE_BLOCK_REF_KEY ||
+- type == BTRFS_SHARED_BLOCK_REF_KEY)
++ if (type == BTRFS_TREE_BLOCK_REF_KEY)
+ return type;
++ if (type == BTRFS_SHARED_BLOCK_REF_KEY) {
++ ASSERT(eb->fs_info);
++ /*
++ * Every shared one has parent tree
++ * block, which must be aligned to
++ * nodesize.
++ */
++ if (offset &&
++ IS_ALIGNED(offset, eb->fs_info->nodesize))
++ return type;
++ }
+ } else if (is_data == BTRFS_REF_TYPE_DATA) {
+- if (type == BTRFS_EXTENT_DATA_REF_KEY ||
+- type == BTRFS_SHARED_DATA_REF_KEY)
++ if (type == BTRFS_EXTENT_DATA_REF_KEY)
+ return type;
++ if (type == BTRFS_SHARED_DATA_REF_KEY) {
++ ASSERT(eb->fs_info);
++ /*
++ * Every shared one has parent tree
++ * block, which must be aligned to
++ * nodesize.
++ */
++ if (offset &&
++ IS_ALIGNED(offset, eb->fs_info->nodesize))
++ return type;
++ }
+ } else {
+ ASSERT(is_data == BTRFS_REF_TYPE_ANY);
+ return type;
+diff --git a/fs/btrfs/print-tree.c b/fs/btrfs/print-tree.c
+index c1acbdcb476c..569205e651c7 100644
+--- a/fs/btrfs/print-tree.c
++++ b/fs/btrfs/print-tree.c
+@@ -44,7 +44,7 @@ static void print_dev_item(struct extent_buffer *eb,
+ static void print_extent_data_ref(struct extent_buffer *eb,
+ struct btrfs_extent_data_ref *ref)
+ {
+- pr_info("\t\textent data backref root %llu objectid %llu offset %llu count %u\n",
++ pr_cont("extent data backref root %llu objectid %llu offset %llu count %u\n",
+ btrfs_extent_data_ref_root(eb, ref),
+ btrfs_extent_data_ref_objectid(eb, ref),
+ btrfs_extent_data_ref_offset(eb, ref),
+@@ -63,6 +63,7 @@ static void print_extent_item(struct extent_buffer *eb, int slot, int type)
+ u32 item_size = btrfs_item_size_nr(eb, slot);
+ u64 flags;
+ u64 offset;
++ int ref_index = 0;
+
+ if (item_size < sizeof(*ei)) {
+ #ifdef BTRFS_COMPAT_EXTENT_TREE_V0
+@@ -104,12 +105,20 @@ static void print_extent_item(struct extent_buffer *eb, int slot, int type)
+ iref = (struct btrfs_extent_inline_ref *)ptr;
+ type = btrfs_extent_inline_ref_type(eb, iref);
+ offset = btrfs_extent_inline_ref_offset(eb, iref);
++ pr_info("\t\tref#%d: ", ref_index++);
+ switch (type) {
+ case BTRFS_TREE_BLOCK_REF_KEY:
+- pr_info("\t\ttree block backref root %llu\n", offset);
++ pr_cont("tree block backref root %llu\n", offset);
+ break;
+ case BTRFS_SHARED_BLOCK_REF_KEY:
+- pr_info("\t\tshared block backref parent %llu\n", offset);
++ pr_cont("shared block backref parent %llu\n", offset);
++ /*
++ * offset is supposed to be a tree block which
++ * must be aligned to nodesize.
++ */
++ if (!IS_ALIGNED(offset, eb->fs_info->nodesize))
++ pr_info("\t\t\t(parent %llu is NOT ALIGNED to nodesize %llu)\n",
++ offset, (unsigned long long)eb->fs_info->nodesize);
+ break;
+ case BTRFS_EXTENT_DATA_REF_KEY:
+ dref = (struct btrfs_extent_data_ref *)(&iref->offset);
+@@ -117,12 +126,18 @@ static void print_extent_item(struct extent_buffer *eb, int slot, int type)
+ break;
+ case BTRFS_SHARED_DATA_REF_KEY:
+ sref = (struct btrfs_shared_data_ref *)(iref + 1);
+- pr_info("\t\tshared data backref parent %llu count %u\n",
++ pr_cont("shared data backref parent %llu count %u\n",
+ offset, btrfs_shared_data_ref_count(eb, sref));
++ /*
++ * offset is supposed to be a tree block which
++ * must be aligned to nodesize.
++ */
++ if (!IS_ALIGNED(offset, eb->fs_info->nodesize))
++ pr_info("\t\t\t(parent %llu is NOT ALIGNED to nodesize %llu)\n",
++ offset, (unsigned long long)eb->fs_info->nodesize);
+ break;
+ default:
+- btrfs_err(eb->fs_info,
+- "extent %llu has invalid ref type %d",
++ pr_cont("(extent %llu has INVALID ref type %d)\n",
+ eb->start, type);
+ return;
+ }
+
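Review bot: The nodesize alignment check is added only under `BTRFS_REF_TYPE_BLOCK` and `BTRFS_REF_TYPE_DATA`; the `else` branch for `BTRFS_REF_TYPE_ANY` still returns a shared ref type without looking at `offset`. Callers that pass ANY therefore do not get the new validation. If that is intended, a comment on the `else` branch should say so; otherwise the test `offset && IS_ALIGNED(offset, eb->fs_info->nodesize)` could be done once for both shared types before the `is_data` dispatch, which would also remove the duplicated block. `ASSERT(eb->fs_info)` does nothing in builds without CONFIG_BTRFS_ASSERT, so it does not protect the `eb->fs_info->nodesize` dereference that follows it. In print_extent_item() the dump flags only `!IS_ALIGNED(...)`, so a parent of 0, which the helper rejects, is printed without the marker. The helper's body continues outside the inner hunk.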
diff --git a/patches.suse/btrfs-convert-to-use-btrfs_get_extent_inline_ref_type.patch b/patches.suse/btrfs-convert-to-use-btrfs_get_extent_inline_ref_type.patch
new file mode 100644
index 0000000000..48bb420eed
--- /dev/null
+++ b/patches.suse/btrfs-convert-to-use-btrfs_get_extent_inline_ref_type.patch
@@ -0,0 +1,176 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:19 -0600
+Subject: Btrfs: convert to use btrfs_get_extent_inline_ref_type
+Git-commit: 3de28d579edbd35294bf44aee8402c804331bc37
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+Since we have a helper which can do sanity check, this converts all
+btrfs_extent_inline_ref_type to it.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/backref.c | 11 +++++++++--
+ fs/btrfs/extent-tree.c | 36 ++++++++++++++++++++++++++++++------
+ fs/btrfs/relocation.c | 13 +++++++++++--
+ 3 files changed, 50 insertions(+), 10 deletions(-)
+
+diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c
+index 6bae986bfcfb..b517ef1477ea 100644
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -929,7 +929,11 @@ static int add_inline_refs(const struct btrfs_fs_info *fs_info,
+ int type;
+
+ iref = (struct btrfs_extent_inline_ref *)ptr;
+- type = btrfs_extent_inline_ref_type(leaf, iref);
++ type = btrfs_get_extent_inline_ref_type(leaf, iref,
++ BTRFS_REF_TYPE_ANY);
++ if (type == BTRFS_REF_TYPE_INVALID)
++ return -EINVAL;
++
+ offset = btrfs_extent_inline_ref_offset(leaf, iref);
+
+ switch (type) {
+@@ -1776,7 +1780,10 @@ static int get_extent_inline_ref(unsigned long *ptr,
+
+ end = (unsigned long)ei + item_size;
+ *out_eiref = (struct btrfs_extent_inline_ref *)(*ptr);
+- *out_type = btrfs_extent_inline_ref_type(eb, *out_eiref);
++ *out_type = btrfs_get_extent_inline_ref_type(eb, *out_eiref,
++ BTRFS_REF_TYPE_ANY);
++ if (*out_type == BTRFS_REF_TYPE_INVALID)
++ return -EINVAL;
+
+ *ptr += btrfs_extent_inline_ref_size(*out_type);
+ WARN_ON(*ptr > end);
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index 794b06dd824a..51a691532fd8 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -1454,12 +1454,18 @@ static noinline u32 extent_data_ref_count(struct btrfs_path *path,
+ struct btrfs_extent_data_ref *ref1;
+ struct btrfs_shared_data_ref *ref2;
+ u32 num_refs = 0;
++ int type;
+
+ leaf = path->nodes[0];
+ btrfs_item_key_to_cpu(leaf, &key, path->slots[0]);
+ if (iref) {
+- if (btrfs_extent_inline_ref_type(leaf, iref) ==
+- BTRFS_EXTENT_DATA_REF_KEY) {
++ /*
++ * If type is invalid, we should have bailed out earlier than
++ * this call.
++ */
++ type = btrfs_get_extent_inline_ref_type(leaf, iref, BTRFS_REF_TYPE_DATA);
++ ASSERT(type != BTRFS_REF_TYPE_INVALID);
++ if (type == BTRFS_EXTENT_DATA_REF_KEY) {
+ ref1 = (struct btrfs_extent_data_ref *)(&iref->offset);
+ num_refs = btrfs_extent_data_ref_count(leaf, ref1);
+ } else {
+@@ -1620,6 +1626,7 @@ int lookup_inline_extent_backref(struct btrfs_trans_handle *trans,
+ int ret;
+ int err = 0;
+ bool skinny_metadata = btrfs_fs_incompat(fs_info, SKINNY_METADATA);
++ int needed;
+
+ key.objectid = bytenr;
+ key.type = BTRFS_EXTENT_ITEM_KEY;
+@@ -1711,6 +1718,11 @@ int lookup_inline_extent_backref(struct btrfs_trans_handle *trans,
+ BUG_ON(ptr > end);
+ }
+
++ if (owner >= BTRFS_FIRST_FREE_OBJECTID)
++ needed = BTRFS_REF_TYPE_DATA;
++ else
++ needed = BTRFS_REF_TYPE_BLOCK;
++
+ err = -ENOENT;
+ while (1) {
+ if (ptr >= end) {
+@@ -1718,7 +1730,12 @@ int lookup_inline_extent_backref(struct btrfs_trans_handle *trans,
+ break;
+ }
+ iref = (struct btrfs_extent_inline_ref *)ptr;
+- type = btrfs_extent_inline_ref_type(leaf, iref);
++ type = btrfs_get_extent_inline_ref_type(leaf, iref, needed);
++ if (type == BTRFS_REF_TYPE_INVALID) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ if (want < type)
+ break;
+ if (want > type) {
+@@ -1910,7 +1927,12 @@ void update_inline_extent_backref(struct btrfs_fs_info *fs_info,
+ if (extent_op)
+ __run_delayed_extent_op(extent_op, leaf, ei);
+
+- type = btrfs_extent_inline_ref_type(leaf, iref);
++ /*
++ * If type is invalid, we should have bailed out after
++ * lookup_inline_extent_backref().
++ */
++ type = btrfs_get_extent_inline_ref_type(leaf, iref, BTRFS_REF_TYPE_ANY);
++ ASSERT(type != BTRFS_REF_TYPE_INVALID);
+
+ if (type == BTRFS_EXTENT_DATA_REF_KEY) {
+ dref = (struct btrfs_extent_data_ref *)(&iref->offset);
+@@ -3195,6 +3217,7 @@ static noinline int check_committed_ref(struct btrfs_root *root,
+ struct btrfs_extent_item *ei;
+ struct btrfs_key key;
+ u32 item_size;
++ int type;
+ int ret;
+
+ key.objectid = bytenr;
+@@ -3236,8 +3259,9 @@ static noinline int check_committed_ref(struct btrfs_root *root,
+ goto out;
+
+ iref = (struct btrfs_extent_inline_ref *)(ei + 1);
+- if (btrfs_extent_inline_ref_type(leaf, iref) !=
+- BTRFS_EXTENT_DATA_REF_KEY)
++
++ type = btrfs_get_extent_inline_ref_type(leaf, iref, BTRFS_REF_TYPE_DATA);
++ if (type != BTRFS_EXTENT_DATA_REF_KEY)
+ goto out;
+
+ ref = (struct btrfs_extent_data_ref *)(&iref->offset);
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index 1a532bb72eab..96f816aa9ed3 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -799,9 +799,17 @@ struct backref_node *build_backref_tree(struct reloc_control *rc,
+ if (ptr < end) {
+ /* update key for inline back ref */
+ struct btrfs_extent_inline_ref *iref;
++ int type;
+ iref = (struct btrfs_extent_inline_ref *)ptr;
+- key.type = btrfs_extent_inline_ref_type(eb, iref);
++ type = btrfs_get_extent_inline_ref_type(eb, iref,
++ BTRFS_REF_TYPE_BLOCK);
++ if (type == BTRFS_REF_TYPE_INVALID) {
++ err = -EINVAL;
++ goto out;
++ }
++ key.type = type;
+ key.offset = btrfs_extent_inline_ref_offset(eb, iref);
++
+ WARN_ON(key.type != BTRFS_TREE_BLOCK_REF_KEY &&
+ key.type != BTRFS_SHARED_BLOCK_REF_KEY);
+ }
+@@ -3753,7 +3761,8 @@ int add_data_references(struct reloc_control *rc,
+
+ while (ptr < end) {
+ iref = (struct btrfs_extent_inline_ref *)ptr;
+- key.type = btrfs_extent_inline_ref_type(eb, iref);
++ key.type = btrfs_get_extent_inline_ref_type(eb, iref,
++ BTRFS_REF_TYPE_DATA);
+ if (key.type == BTRFS_SHARED_DATA_REF_KEY) {
+ key.offset = btrfs_extent_inline_ref_offset(eb, iref);
+ ret = __add_tree_block(rc, key.offset, blocksize,
+
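Review bot: In extent_data_ref_count() and update_inline_extent_backref() the only reaction to `BTRFS_REF_TYPE_INVALID` is `ASSERT(type != BTRFS_REF_TYPE_INVALID)`, which does nothing in builds without CONFIG_BTRFS_ASSERT. In such a build an invalid type fails the `type == BTRFS_EXTENT_DATA_REF_KEY` test and takes the other branch, whose body is outside these hunks, so a ref that was just reported as invalid would presumably still be parsed. The added comments say the caller should have bailed out earlier; an explicit runtime test would make that hold in production builds too. add_data_references() stores the result straight into `key.type` and would benefit from the same `if (type == BTRFS_REF_TYPE_INVALID)` test that build_backref_tree() gets a few lines above. What happens to the invalid value after the type comparisons there is outside the hunk.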
diff --git a/patches.suse/btrfs-remove-bug-in-add_data_reference.patch b/patches.suse/btrfs-remove-bug-in-add_data_reference.patch
new file mode 100644
index 0000000000..21948a230e
--- /dev/null
+++ b/patches.suse/btrfs-remove-bug-in-add_data_reference.patch
@@ -0,0 +1,35 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:22 -0600
+Subject: Btrfs: remove BUG() in add_data_reference
+Git-commit: b14c55a191263889c379aeee85223bb72501824d
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+Now that we have a helper to report invalid value of extent inline ref
+type, we need to quit gracefully instead of throwing out a kernel panic.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/relocation.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index 96f816aa9ed3..1c086d0667be 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -3772,7 +3772,10 @@ int add_data_references(struct reloc_control *rc,
+ ret = find_data_references(rc, extent_key,
+ eb, dref, blocks);
+ } else {
+- BUG();
++ ret = -EINVAL;
++ btrfs_err(rc->extent_root->fs_info,
++ "extent %llu slot %d has an invalid inline ref type",
++ eb->start, path->slots[0]);
+ }
+ if (ret) {
+ err = ret;
+
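Review bot: The new error message prints `eb->start` under the label "extent", but `eb` appears to be the leaf being walked, so the number is the buffer's start rather than the extent described by the `extent_key` passed to find_data_references() just above. The message also omits the offending type value, which is the first thing needed when triaging a corrupted or crafted image. I would word it as `"leaf %llu slot %d has an invalid inline ref type %d"` and pass `key.type` (set earlier in the loop, per the previous patch) as the extra argument. The print_extent_item patch below uses the same `"extent %llu"` label with `eb->start`. add_data_references() starts and ends outside the hunk.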
diff --git a/patches.suse/btrfs-remove-bug-in-btrfs_extent_inline_ref_size.patch b/patches.suse/btrfs-remove-bug-in-btrfs_extent_inline_ref_size.patch
new file mode 100644
index 0000000000..5e664614b4
--- /dev/null
+++ b/patches.suse/btrfs-remove-bug-in-btrfs_extent_inline_ref_size.patch
@@ -0,0 +1,32 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:20 -0600
+Subject: Btrfs: remove BUG() in btrfs_extent_inline_ref_size
+Git-commit: 4335958de2a43c6790c7f6aa0682aa7189983fa4
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+Now that btrfs_get_extent_inline_ref_type() can report if type is a
+valid one and all callers can gracefully deal with that, we don't need
+to crash here.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/ctree.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index 542db9d0dbcd..b7cfc74c1757 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -1804,7 +1804,6 @@ static inline u32 btrfs_extent_inline_ref_size(int type)
+ if (type == BTRFS_EXTENT_DATA_REF_KEY)
+ return sizeof(struct btrfs_extent_data_ref) +
+ offsetof(struct btrfs_extent_inline_ref, offset);
+- BUG();
+ return 0;
+ }
+
+
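Review bot: With `BUG()` gone, btrfs_extent_inline_ref_size() silently returns 0 for an unknown type, and nothing in the function documents that. Callers elsewhere in this series walk an item with `ptr += btrfs_extent_inline_ref_size(type)`, so a caller that passes an unvalidated type would stop advancing instead of crashing. I would add a comment above the final return such as `/* Unknown type: callers must validate with btrfs_get_extent_inline_ref_type() first; a size of 0 would stall a ptr += size walk. */`. The function starts outside the hunk.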
diff --git a/patches.suse/btrfs-remove-bug-in-print_extent_item.patch b/patches.suse/btrfs-remove-bug-in-print_extent_item.patch
new file mode 100644
index 0000000000..25e39229ee
--- /dev/null
+++ b/patches.suse/btrfs-remove-bug-in-print_extent_item.patch
@@ -0,0 +1,36 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:21 -0600
+Subject: Btrfs: remove BUG() in print_extent_item
+Git-commit: 07638ea5987e51715b35eb5a9a9e908f18ffabf7
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+btrfs_print_leaf() is used in btrfs_get_extent_inline_ref_type, so
+here we really want to print the invalid value of ref type instead of
+causing a kernel panic.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/print-tree.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/print-tree.c b/fs/btrfs/print-tree.c
+index 6e7a8c40dcd9..c1acbdcb476c 100644
+--- a/fs/btrfs/print-tree.c
++++ b/fs/btrfs/print-tree.c
+@@ -121,7 +121,10 @@ static void print_extent_item(struct extent_buffer *eb, int slot, int type)
+ offset, btrfs_shared_data_ref_count(eb, sref));
+ break;
+ default:
+- BUG();
++ btrfs_err(eb->fs_info,
++ "extent %llu has invalid ref type %d",
++ eb->start, type);
++ return;
+ }
+ ptr += btrfs_extent_inline_ref_size(type);
+ }
+
diff --git a/patches.suse/btrfs-remove-bug_on-in-_add_tree_block.patch b/patches.suse/btrfs-remove-bug_on-in-_add_tree_block.patch
new file mode 100644
index 0000000000..0e045736ec
--- /dev/null
+++ b/patches.suse/btrfs-remove-bug_on-in-_add_tree_block.patch
@@ -0,0 +1,54 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:23 -0600
+Subject: Btrfs: remove BUG_ON in __add_tree_block
+Git-commit: cdccee993f2f3466f69a358daec19de744a02f92
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+The BUG_ON() can be triggered when the caller is processing an invalid
+extent inline ref, e.g.
+
+a shared data ref is offered instead of an extent data ref, such that
+it tries to find a non-existent tree block and then btrfs_search_slot
+returns 1 for no such item.
+
+This replaces the BUG_ON() with a WARN() followed by calling
+btrfs_print_leaf() to show more details about what's going on and
+returning -EINVAL to upper callers.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/relocation.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -32,6 +32,7 @@
+ #include "free-space-cache.h"
+ #include "inode-map.h"
+ #include "qgroup.h"
++#include "print-tree.h"
+
+ /*
+ * backref_node, mapping_node and tree_block start with this
+@@ -3485,7 +3486,16 @@ again:
+ goto again;
+ }
+ }
+- BUG_ON(ret);
++ if (ret) {
++ ASSERT(ret == 1);
++ btrfs_print_leaf(fs_info, path->nodes[0]);
++ btrfs_err(fs_info,
++ "tree block extent item (%llu) is not found in extent tree",
++ bytenr);
++ WARN_ON(1);
++ ret = -EINVAL;
++ goto out;
++ }
+
+ ret = add_tree_block(rc, &key, path, blocks);
+ out:
diff --git a/patches.suse/ceph-don-t-blindly-unregister-session-that-is-in-opening-state.patch b/patches.suse/ceph-don-t-blindly-unregister-session-that-is-in-opening-state.patch
new file mode 100644
index 0000000000..baab50a096
--- /dev/null
+++ b/patches.suse/ceph-don-t-blindly-unregister-session-that-is-in-opening-state.patch
@@ -0,0 +1,96 @@
+From: "Yan, Zheng" <zyan@redhat.com>
+Date: Mon, 10 Jun 2019 15:45:09 +0800
+Subject: ceph: don't blindly unregister session that is in opening state
+Git-commit: 6f0f597b5debc7c2356fa6a17e2f179066e340d0
+Patch-mainline: v5.3-rc1
+References: bsc#1148133
+
+handle_cap_export() may add placeholder caps to session that is in
+opening state. These caps' session pointer become wild after session get
+unregistered.
+
+The fix is not to unregister session in opening state during mds failovers,
+just let client to reconnect later when mds is recovered.
+
+Link: https://tracker.ceph.com/issues/40190
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ fs/ceph/mds_client.c | 59 +++++++++++++++++++++++-----------------------------
+ 1 file changed, 26 insertions(+), 33 deletions(-)
+
+diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
+index 709ac3bde86e..fcea46a54622 100644
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -3737,42 +3737,35 @@ static void check_new_map(struct ceph_mds_client *mdsc,
+ ceph_mdsmap_is_laggy(newmap, i) ? " (laggy)" : "",
+ ceph_session_state_name(s->s_state));
+
+- if (i >= newmap->m_num_mds ||
+- memcmp(ceph_mdsmap_get_addr(oldmap, i),
+- ceph_mdsmap_get_addr(newmap, i),
+- sizeof(struct ceph_entity_addr))) {
+- if (s->s_state == CEPH_MDS_SESSION_OPENING) {
+- /* the session never opened, just close it
+- * out now */
+- get_session(s);
+- __unregister_session(mdsc, s);
+- __wake_requests(mdsc, &s->s_waiting);
+- ceph_put_mds_session(s);
+- } else if (i >= newmap->m_num_mds) {
+- /* force close session for stopped mds */
+- get_session(s);
+- __unregister_session(mdsc, s);
+- __wake_requests(mdsc, &s->s_waiting);
+- kick_requests(mdsc, i);
+- mutex_unlock(&mdsc->mutex);
++ if (i >= newmap->m_num_mds) {
++ /* force close session for stopped mds */
++ get_session(s);
++ __unregister_session(mdsc, s);
++ __wake_requests(mdsc, &s->s_waiting);
++ mutex_unlock(&mdsc->mutex);
+
+- mutex_lock(&s->s_mutex);
+- cleanup_session_requests(mdsc, s);
+- remove_session_caps(s);
+- mutex_unlock(&s->s_mutex);
++ mutex_lock(&s->s_mutex);
++ cleanup_session_requests(mdsc, s);
++ remove_session_caps(s);
++ mutex_unlock(&s->s_mutex);
+
+- ceph_put_mds_session(s);
++ ceph_put_mds_session(s);
+
+- mutex_lock(&mdsc->mutex);
+- } else {
+- /* just close it */
+- mutex_unlock(&mdsc->mutex);
+- mutex_lock(&s->s_mutex);
+- mutex_lock(&mdsc->mutex);
+- ceph_con_close(&s->s_con);
+- mutex_unlock(&s->s_mutex);
+- s->s_state = CEPH_MDS_SESSION_RESTARTING;
+- }
++ mutex_lock(&mdsc->mutex);
++ kick_requests(mdsc, i);
++ continue;
++ }
++
++ if (memcmp(ceph_mdsmap_get_addr(oldmap, i),
++ ceph_mdsmap_get_addr(newmap, i),
++ sizeof(struct ceph_entity_addr))) {
++ /* just close it */
++ mutex_unlock(&mdsc->mutex);
++ mutex_lock(&s->s_mutex);
++ mutex_lock(&mdsc->mutex);
++ ceph_con_close(&s->s_con);
++ mutex_unlock(&s->s_mutex);
++ s->s_state = CEPH_MDS_SESSION_RESTARTING;
+ } else if (oldstate == newstate) {
+ continue; /* nothing new with this mds */
+ }
+
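Review bot: The comment that explained the old OPENING handling is deleted and nothing replaces it, so check_new_map() no longer says why a session in `CEPH_MDS_SESSION_OPENING` now takes the address-change path instead of being unregistered. I would add, above the `memcmp()` test, `/* Do not unregister a session that is still opening: handle_cap_export() may have added placeholder caps that point to it. */`. It is also worth confirming, since more sessions now reach it, that the "just close it" branch is safe when it drops `mdsc->mutex` before taking `s->s_mutex`: it has no `get_session(s)` like the stopped-mds branch, and whatever keeps `s` alive across that window is not visible in this hunk. check_new_map() starts and ends outside the hunk.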
diff --git a/patches.suse/ceph-don-t-try-fill-file_lock-on-unsuccessful-getfilelock-reply.patch b/patches.suse/ceph-don-t-try-fill-file_lock-on-unsuccessful-getfilelock-reply.patch
new file mode 100644
index 0000000000..ccf9af3713
--- /dev/null
+++ b/patches.suse/ceph-don-t-try-fill-file_lock-on-unsuccessful-getfilelock-reply.patch
@@ -0,0 +1,36 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Thu, 15 Aug 2019 06:23:38 -0400
+Subject: ceph: don't try fill file_lock on unsuccessful GETFILELOCK reply
+Git-commit: 28a282616f56990547b9dcd5c6fbd2001344664c
+Patch-mainline: v5.3-rc6
+References: bsc#1148133
+
+When ceph_mdsc_do_request returns an error, we can't assume that the
+filelock_reply pointer will be set. Only try to fetch fields out of
+the r_reply_info when it returns success.
+
+Cc: stable@vger.kernel.org
+Reported-by: Hector Martin <hector@marcansoft.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ fs/ceph/locks.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/ceph/locks.c b/fs/ceph/locks.c
+index ac9b53b89365..5083e238ad15 100644
+--- a/fs/ceph/locks.c
++++ b/fs/ceph/locks.c
+@@ -110,8 +110,7 @@ static int ceph_lock_message(u8 lock_typ
+ req->r_wait_for_completion = ceph_lock_wait_for_completion;
+
+ err = ceph_mdsc_do_request(mdsc, inode, req);
+-
+- if (operation == CEPH_MDS_OP_GETFILELOCK) {
++ if (!err && operation == CEPH_MDS_OP_GETFILELOCK) {
+ fl->fl_pid = le64_to_cpu(req->r_reply_info.filelock_reply->pid);
+ if (CEPH_LOCK_SHARED == req->r_reply_info.filelock_reply->type)
+ fl->fl_type = F_RDLCK;
+
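Review bot: The added `!err` guard in ceph_lock_message() relies on a successful return from ceph_mdsc_do_request() implying that `req->r_reply_info.filelock_reply` was populated, and nothing in this hunk shows that invariant. The pointer is presumably filled in while parsing the reply from the MDS, so a NULL here is a kernel NULL dereference driven by remote input. A short comment above the condition would record the assumption, for example `/* filelock_reply is only set when the request succeeded */`. The body of ceph_lock_message() continues outside the hunk, so whether `fl` is left untouched on the error path cannot be checked from here.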
diff --git a/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_build_xattrs_blob.patch b/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_build_xattrs_blob.patch
new file mode 100644
index 0000000000..0dcc0e0edf
--- /dev/null
+++ b/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_build_xattrs_blob.patch
@@ -0,0 +1,157 @@
+From: Luis Henriques <lhenriques@suse.com>
+Date: Fri, 19 Jul 2019 15:32:21 +0100
+Subject: ceph: fix buffer free while holding i_ceph_lock in
+ __ceph_build_xattrs_blob()
+Git-commit: 12fe3dda7ed89c95cc0ef7abc001ad1ad3e092f8
+Patch-mainline: v5.3-rc6
+References: bsc#1148133
+
+Calling ceph_buffer_put() in __ceph_build_xattrs_blob() may result in
+freeing the i_xattrs.blob buffer while holding the i_ceph_lock. This can
+be fixed by having this function returning the old blob buffer and have
+the callers of this function freeing it when the lock is released.
+
+The following backtrace was triggered by fstests generic/117.
+
+ BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
+ in_atomic(): 1, irqs_disabled(): 0, pid: 649, name: fsstress
+ 4 locks held by fsstress/649:
+ #0: 00000000a7478e7e (&type->s_umount_key#19){++++}, at: iterate_supers+0x77/0xf0
+ #1: 00000000f8de1423 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: ceph_check_caps+0x7b/0xc60
+ #2: 00000000562f2b27 (&s->s_mutex){+.+.}, at: ceph_check_caps+0x3bd/0xc60
+ #3: 00000000f83ce16a (&mdsc->snap_rwsem){++++}, at: ceph_check_caps+0x3ed/0xc60
+ CPU: 1 PID: 649 Comm: fsstress Not tainted 5.2.0+ #439
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
+ Call Trace:
+ dump_stack+0x67/0x90
+ ___might_sleep.cold+0x9f/0xb1
+ vfree+0x4b/0x60
+ ceph_buffer_release+0x1b/0x60
+ __ceph_build_xattrs_blob+0x12b/0x170
+ __send_cap+0x302/0x540
+ ? __lock_acquire+0x23c/0x1e40
+ ? __mark_caps_flushing+0x15c/0x280
+ ? _raw_spin_unlock+0x24/0x30
+ ceph_check_caps+0x5f0/0xc60
+ ceph_flush_dirty_caps+0x7c/0x150
+ ? __ia32_sys_fdatasync+0x20/0x20
+ ceph_sync_fs+0x5a/0x130
+ iterate_supers+0x8f/0xf0
+ ksys_sync+0x4f/0xb0
+ __ia32_sys_sync+0xa/0x10
+ do_syscall_64+0x50/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7fc6409ab617
+
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+---
+ fs/ceph/caps.c | 5 ++++-
+ fs/ceph/snap.c | 4 +++-
+ fs/ceph/super.h | 2 +-
+ fs/ceph/xattr.c | 11 ++++++++---
+ 4 files changed, 16 insertions(+), 6 deletions(-)
+
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -1290,6 +1290,7 @@ static int __send_cap(struct ceph_mds_cl
+ {
+ struct ceph_inode_info *ci = cap->ci;
+ struct inode *inode = &ci->vfs_inode;
++ struct ceph_buffer *old_blob = NULL;
+ struct cap_msg_args arg;
+ int held, revoking;
+ int wake = 0;
+@@ -1354,7 +1355,7 @@ static int __send_cap(struct ceph_mds_cl
+ ci->i_requested_max_size = arg.max_size;
+
+ if (flushing & CEPH_CAP_XATTR_EXCL) {
+- __ceph_build_xattrs_blob(ci);
++ old_blob = __ceph_build_xattrs_blob(ci);
+ arg.xattr_version = ci->i_xattrs.version;
+ arg.xattr_buf = ci->i_xattrs.blob;
+ } else {
+@@ -1389,6 +1390,8 @@ static int __send_cap(struct ceph_mds_cl
+
+ spin_unlock(&ci->i_ceph_lock);
+
++ ceph_buffer_put(old_blob);
++
+ ret = send_cap_msg(&arg);
+ if (ret < 0) {
+ dout("error sending cap msg, must requeue %p\n", inode);
+--- a/fs/ceph/snap.c
++++ b/fs/ceph/snap.c
+@@ -459,6 +459,7 @@ void ceph_queue_cap_snap(struct ceph_ino
+ struct inode *inode = &ci->vfs_inode;
+ struct ceph_cap_snap *capsnap;
+ struct ceph_snap_context *old_snapc, *new_snapc;
++ struct ceph_buffer *old_blob = NULL;
+ int used, dirty;
+
+ capsnap = kzalloc(sizeof(*capsnap), GFP_NOFS);
+@@ -535,7 +536,7 @@ void ceph_queue_cap_snap(struct ceph_ino
+ capsnap->gid = inode->i_gid;
+
+ if (dirty & CEPH_CAP_XATTR_EXCL) {
+- __ceph_build_xattrs_blob(ci);
++ old_blob = __ceph_build_xattrs_blob(ci);
+ capsnap->xattr_blob =
+ ceph_buffer_get(ci->i_xattrs.blob);
+ capsnap->xattr_version = ci->i_xattrs.version;
+@@ -578,6 +579,7 @@ update_snapc:
+ }
+ spin_unlock(&ci->i_ceph_lock);
+
++ ceph_buffer_put(old_blob);
+ kfree(capsnap);
+ ceph_put_snap_context(old_snapc);
+ }
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -895,7 +895,7 @@ extern int ceph_getattr(const struct pat
+ int __ceph_setxattr(struct inode *, const char *, const void *, size_t, int);
+ ssize_t __ceph_getxattr(struct inode *, const char *, void *, size_t);
+ extern ssize_t ceph_listxattr(struct dentry *, char *, size_t);
+-extern void __ceph_build_xattrs_blob(struct ceph_inode_info *ci);
++extern struct ceph_buffer *__ceph_build_xattrs_blob(struct ceph_inode_info *ci);
+ extern void __ceph_destroy_xattrs(struct ceph_inode_info *ci);
+ extern void __init ceph_xattr_init(void);
+ extern void ceph_xattr_exit(void);
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -754,12 +754,15 @@ static int __get_required_blob_size(stru
+
+ /*
+ * If there are dirty xattrs, reencode xattrs into the prealloc_blob
+- * and swap into place.
++ * and swap into place. It returns the old i_xattrs.blob (or NULL) so
++ * that it can be freed by the caller as the i_ceph_lock is likely to be
++ * held.
+ */
+-void __ceph_build_xattrs_blob(struct ceph_inode_info *ci)
++struct ceph_buffer *__ceph_build_xattrs_blob(struct ceph_inode_info *ci)
+ {
+ struct rb_node *p;
+ struct ceph_inode_xattr *xattr = NULL;
++ struct ceph_buffer *old_blob = NULL;
+ void *dest;
+
+ dout("__build_xattrs_blob %p\n", &ci->vfs_inode);
+@@ -790,12 +793,14 @@ void __ceph_build_xattrs_blob(struct cep
+ dest - ci->i_xattrs.prealloc_blob->vec.iov_base;
+
+ if (ci->i_xattrs.blob)
+- ceph_buffer_put(ci->i_xattrs.blob);
++ old_blob = ci->i_xattrs.blob;
+ ci->i_xattrs.blob = ci->i_xattrs.prealloc_blob;
+ ci->i_xattrs.prealloc_blob = NULL;
+ ci->i_xattrs.dirty = false;
+ ci->i_xattrs.version++;
+ }
++
++ return old_blob;
+ }
+
+ static inline int __get_request_mask(struct inode *in) {
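Review bot: The new `ceph_buffer_put(old_blob);` calls in __send_cap() and ceph_queue_cap_snap() also run when `old_blob` is still NULL, so they are only safe if ceph_buffer_put() accepts a NULL argument. This commit also adds patches.suse/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph_buffer.patch, which presumably provides that. series.conf is not visible here, so it is worth confirming that patch is listed ahead of this one; otherwise the unconditional put would dereference NULL in kernel context. The same dependency applies to the final `ceph_buffer_put(old_blob);` in the __ceph_setxattr() patch and to the now-unguarded `ceph_buffer_put(xattr_blob);` in the fill_inode() patch. The caller bodies continue outside their hunks.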
diff --git a/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_setxattr.patch b/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_setxattr.patch
new file mode 100644
index 0000000000..ce9b3ed848
--- /dev/null
+++ b/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_setxattr.patch
@@ -0,0 +1,88 @@
+From: Luis Henriques <lhenriques@suse.com>
+Date: Fri, 19 Jul 2019 15:32:20 +0100
+Subject: ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr()
+Git-commit: 86968ef21596515958d5f0a40233d02be78ecec0
+Patch-mainline: v5.3-rc6
+References: bsc#1148133
+
+Calling ceph_buffer_put() in __ceph_setxattr() may end up freeing the
+i_xattrs.prealloc_blob buffer while holding the i_ceph_lock. This can be
+fixed by postponing the call until later, when the lock is released.
+
+The following backtrace was triggered by fstests generic/117.
+
+ BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
+ in_atomic(): 1, irqs_disabled(): 0, pid: 650, name: fsstress
+ 3 locks held by fsstress/650:
+ #0: 00000000870a0fe8 (sb_writers#8){.+.+}, at: mnt_want_write+0x20/0x50
+ #1: 00000000ba0c4c74 (&type->i_mutex_dir_key#6){++++}, at: vfs_setxattr+0x55/0xa0
+ #2: 000000008dfbb3f2 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: __ceph_setxattr+0x297/0x810
+ CPU: 1 PID: 650 Comm: fsstress Not tainted 5.2.0+ #437
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
+ Call Trace:
+ dump_stack+0x67/0x90
+ ___might_sleep.cold+0x9f/0xb1
+ vfree+0x4b/0x60
+ ceph_buffer_release+0x1b/0x60
+ __ceph_setxattr+0x2b4/0x810
+ __vfs_setxattr+0x66/0x80
+ __vfs_setxattr_noperm+0x59/0xf0
+ vfs_setxattr+0x81/0xa0
+ setxattr+0x115/0x230
+ ? filename_lookup+0xc9/0x140
+ ? rcu_read_lock_sched_held+0x74/0x80
+ ? rcu_sync_lockdep_assert+0x2e/0x60
+ ? __sb_start_write+0x142/0x1a0
+ ? mnt_want_write+0x20/0x50
+ path_setxattr+0xba/0xd0
+ __x64_sys_lsetxattr+0x24/0x30
+ do_syscall_64+0x50/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7ff23514359a
+
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+---
+ fs/ceph/xattr.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
+index 37b458a9af3a..c083557b3657 100644
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -1036,6 +1036,7 @@ int __ceph_setxattr(struct inode *inode, const char *name,
+ struct ceph_inode_info *ci = ceph_inode(inode);
+ struct ceph_mds_client *mdsc = ceph_sb_to_client(inode->i_sb)->mdsc;
+ struct ceph_cap_flush *prealloc_cf = NULL;
++ struct ceph_buffer *old_blob = NULL;
+ int issued;
+ int err;
+ int dirty = 0;
+@@ -1109,13 +1110,15 @@ int __ceph_setxattr(struct inode *inode, const char *name,
+ struct ceph_buffer *blob;
+
+ spin_unlock(&ci->i_ceph_lock);
+- dout(" preaallocating new blob size=%d\n", required_blob_size);
++ ceph_buffer_put(old_blob); /* Shouldn't be required */
++ dout(" pre-allocating new blob size=%d\n", required_blob_size);
+ blob = ceph_buffer_new(required_blob_size, GFP_NOFS);
+ if (!blob)
+ goto do_sync_unlocked;
+ spin_lock(&ci->i_ceph_lock);
++ /* prealloc_blob can't be released while holding i_ceph_lock */
+ if (ci->i_xattrs.prealloc_blob)
+- ceph_buffer_put(ci->i_xattrs.prealloc_blob);
++ old_blob = ci->i_xattrs.prealloc_blob;
+ ci->i_xattrs.prealloc_blob = blob;
+ goto retry;
+ }
+@@ -1131,6 +1134,7 @@ int __ceph_setxattr(struct inode *inode, const char *name,
+ }
+
+ spin_unlock(&ci->i_ceph_lock);
++ ceph_buffer_put(old_blob);
+ if (lock_snap_rwsem)
+ up_read(&mdsc->snap_rwsem);
+ if (dirty)
+
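Review bot: In the pre-allocation retry path of __ceph_setxattr(), `old_blob` is not cleared after `ceph_buffer_put(old_blob); /* Shouldn't be required */`, so it keeps pointing at a buffer whose reference was already dropped. On a second pass through that path, `old_blob` stays stale if `ci->i_xattrs.prealloc_blob` is NULL at the re-lock; __ceph_build_xattrs_blob() does set it to NULL when it swaps the blob in. The `ceph_buffer_put(old_blob);` added after the final `spin_unlock` would then drop the same reference twice, which can end in a double free. Adding `old_blob = NULL;` directly after the put in the retry path would close that window. The function body and the `do_sync_unlocked` label are outside the hunk, so whether that exit also reaches a put could not be checked here.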
diff --git a/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fill_inode.patch b/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fill_inode.patch
new file mode 100644
index 0000000000..ac35db37f1
--- /dev/null
+++ b/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fill_inode.patch
@@ -0,0 +1,81 @@
+From: Luis Henriques <lhenriques@suse.com>
+Date: Fri, 19 Jul 2019 15:32:22 +0100
+Subject: ceph: fix buffer free while holding i_ceph_lock in fill_inode()
+Git-commit: af8a85a41734f37b67ba8ce69d56b685bee4ac48
+Patch-mainline: v5.3-rc6
+References: bsc#1148133
+
+Calling ceph_buffer_put() in fill_inode() may result in freeing the
+i_xattrs.blob buffer while holding the i_ceph_lock. This can be fixed by
+postponing the call until later, when the lock is released.
+
+The following backtrace was triggered by fstests generic/070.
+
+ BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
+ in_atomic(): 1, irqs_disabled(): 0, pid: 3852, name: kworker/0:4
+ 6 locks held by kworker/0:4/3852:
+ #0: 000000004270f6bb ((wq_completion)ceph-msgr){+.+.}, at: process_one_work+0x1b8/0x5f0
+ #1: 00000000eb420803 ((work_completion)(&(&con->work)->work)){+.+.}, at: process_one_work+0x1b8/0x5f0
+ #2: 00000000be1c53a4 (&s->s_mutex){+.+.}, at: dispatch+0x288/0x1476
+ #3: 00000000559cb958 (&mdsc->snap_rwsem){++++}, at: dispatch+0x2eb/0x1476
+ #4: 000000000d5ebbae (&req->r_fill_mutex){+.+.}, at: dispatch+0x2fc/0x1476
+ #5: 00000000a83d0514 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: fill_inode.isra.0+0xf8/0xf70
+ CPU: 0 PID: 3852 Comm: kworker/0:4 Not tainted 5.2.0+ #441
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
+ Workqueue: ceph-msgr ceph_con_workfn
+ Call Trace:
+ dump_stack+0x67/0x90
+ ___might_sleep.cold+0x9f/0xb1
+ vfree+0x4b/0x60
+ ceph_buffer_release+0x1b/0x60
+ fill_inode.isra.0+0xa9b/0xf70
+ ceph_fill_trace+0x13b/0xc70
+ ? dispatch+0x2eb/0x1476
+ dispatch+0x320/0x1476
+ ? __mutex_unlock_slowpath+0x4d/0x2a0
+ ceph_con_workfn+0xc97/0x2ec0
+ ? process_one_work+0x1b8/0x5f0
+ process_one_work+0x244/0x5f0
+ worker_thread+0x4d/0x3e0
+ kthread+0x105/0x140
+ ? process_one_work+0x5f0/0x5f0
+ ? kthread_park+0x90/0x90
+ ret_from_fork+0x3a/0x50
+
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+---
+ fs/ceph/inode.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -744,6 +744,7 @@ static int fill_inode(struct inode *inod
+ int issued = 0, implemented, new_issued;
+ struct timespec mtime, atime, ctime;
+ struct ceph_buffer *xattr_blob = NULL;
++ struct ceph_buffer *old_blob = NULL;
+ struct ceph_string *pool_ns = NULL;
+ struct ceph_cap *new_cap = NULL;
+ int err = 0;
+@@ -874,7 +875,7 @@ static int fill_inode(struct inode *inod
+ if ((ci->i_xattrs.version == 0 || !(issued & CEPH_CAP_XATTR_EXCL)) &&
+ le64_to_cpu(info->xattr_version) > ci->i_xattrs.version) {
+ if (ci->i_xattrs.blob)
+- ceph_buffer_put(ci->i_xattrs.blob);
++ old_blob = ci->i_xattrs.blob;
+ ci->i_xattrs.blob = xattr_blob;
+ if (xattr_blob)
+ memcpy(ci->i_xattrs.blob->vec.iov_base,
+@@ -1019,8 +1020,8 @@ static int fill_inode(struct inode *inod
+ out:
+ if (new_cap)
+ ceph_put_cap(mdsc, new_cap);
+- if (xattr_blob)
+- ceph_buffer_put(xattr_blob);
++ ceph_buffer_put(old_blob);
++ ceph_buffer_put(xattr_blob);
+ ceph_put_string(pool_ns);
+ return err;
+ }
diff --git a/patches.suse/ceph-fix-ceph-dir-rctime-vxattr-value.patch b/patches.suse/ceph-fix-ceph-dir-rctime-vxattr-value.patch
new file mode 100644
index 0000000000..b54da58a5e
--- /dev/null
+++ b/patches.suse/ceph-fix-ceph-dir-rctime-vxattr-value.patch
@@ -0,0 +1,31 @@
+From: David Disseldorp <ddiss@suse.de>
+Date: Wed, 15 May 2019 16:56:39 +0200
+Subject: ceph: fix "ceph.dir.rctime" vxattr value
+Git-commit: 718807289d4130be1fe13f24f018733116958070
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1135219
+
+The vxattr value incorrectly places a "09" prefix to the nanoseconds
+field, instead of providing it as a zero-pad width specifier after '%'.
+
+Fixes: 3489b42a72a4 ("ceph: fix three bugs, two in ceph_vxattrcb_file_layout()")
+Link: https://tracker.ceph.com/issues/39943
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ fs/ceph/xattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -223,7 +223,7 @@ static size_t ceph_vxattrcb_dir_rbytes(s
+ static size_t ceph_vxattrcb_dir_rctime(struct ceph_inode_info *ci, char *val,
+ size_t size)
+ {
+- return snprintf(val, size, "%ld.09%ld", (long)ci->i_rctime.tv_sec,
++ return snprintf(val, size, "%ld.%09ld", (long)ci->i_rctime.tv_sec,
+ (long)ci->i_rctime.tv_nsec);
+ }
+
diff --git a/patches.suse/ceph-fix-improper-use-of-smp_mb__before_atomic.patch b/patches.suse/ceph-fix-improper-use-of-smp_mb__before_atomic.patch
new file mode 100644
index 0000000000..97b6034377
--- /dev/null
+++ b/patches.suse/ceph-fix-improper-use-of-smp_mb__before_atomic.patch
@@ -0,0 +1,42 @@
+From: Andrea Parri <andrea.parri@amarulasolutions.com>
+Date: Mon, 20 May 2019 19:23:58 +0200
+Subject: ceph: fix improper use of smp_mb__before_atomic()
+Git-commit: 749607731e26dfb2558118038c40e9c0c80d23b5
+Patch-mainline: v5.3-rc1
+References: bsc#1148133
+
+This barrier only applies to the read-modify-write operations; in
+particular, it does not apply to the atomic64_set() primitive.
+
+Replace the barrier with an smp_mb().
+
+Fixes: fdd4e15838e59 ("ceph: rework dcache readdir")
+Reported-by: "Paul E. McKenney" <paulmck@linux.ibm.com>
+Reported-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Andrea Parri <andrea.parri@amarulasolutions.com>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ fs/ceph/super.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ceph/super.h b/fs/ceph/super.h
+index 7209548527ab..29ea4eba98fe 100644
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -545,7 +545,12 @@ static inline void __ceph_dir_set_complete(struct ceph_inode_info *ci,
+ long long release_count,
+ long long ordered_count)
+ {
+- smp_mb__before_atomic();
++ /*
++ * Makes sure operations that setup readdir cache (update page
++ * cache and i_size) are strongly ordered w.r.t. the following
++ * atomic64_set() operations.
++ */
++ smp_mb();
+ atomic64_set(&ci->i_complete_seq[0], release_count);
+ atomic64_set(&ci->i_complete_seq[1], ordered_count);
+ }
+
diff --git a/patches.suse/ceph-hold-i_ceph_lock-when-removing-caps-for-freeing-inode.patch b/patches.suse/ceph-hold-i_ceph_lock-when-removing-caps-for-freeing-inode.patch
new file mode 100644
index 0000000000..30c6488231
--- /dev/null
+++ b/patches.suse/ceph-hold-i_ceph_lock-when-removing-caps-for-freeing-inode.patch
@@ -0,0 +1,48 @@
+From: "Yan, Zheng" <zyan@redhat.com>
+Date: Thu, 23 May 2019 11:01:37 +0800
+Subject: ceph: hold i_ceph_lock when removing caps for freeing inode
+Git-commit: d6e47819721ae2d9d090058ad5570a66f3c42e39
+Patch-mainline: v5.3-rc1
+References: bsc#1148133
+
+ceph_d_revalidate(, LOOKUP_RCU) may call __ceph_caps_issued_mask()
+on a freeing inode.
+
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+[luis: modified ceph_queue_caps_release() instead of __ceph_remove_caps,
+ as in stable 4.14]
+---
+ fs/ceph/caps.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -1239,20 +1239,23 @@ static int send_cap_msg(struct cap_msg_a
+ }
+
+ /*
+- * Queue cap releases when an inode is dropped from our cache. Since
+- * inode is about to be destroyed, there is no need for i_ceph_lock.
++ * Queue cap releases when an inode is dropped from our cache.
+ */
+ void ceph_queue_caps_release(struct inode *inode)
+ {
+ struct ceph_inode_info *ci = ceph_inode(inode);
+ struct rb_node *p;
+
++ /* lock i_ceph_lock, because ceph_d_revalidate(..., LOOKUP_RCU)
++ * may call __ceph_caps_issued_mask() on a freeing inode. */
++ spin_lock(&ci->i_ceph_lock);
+ p = rb_first(&ci->i_caps);
+ while (p) {
+ struct ceph_cap *cap = rb_entry(p, struct ceph_cap, ci_node);
+ p = rb_next(p);
+ __ceph_remove_cap(cap, true);
+ }
++ spin_unlock(&ci->i_ceph_lock);
+ }
+
+ /*
diff --git a/patches.suse/ceph-remove-request-from-waiting-list-before-unregister.patch b/patches.suse/ceph-remove-request-from-waiting-list-before-unregister.patch
new file mode 100644
index 0000000000..8f6074ae19
--- /dev/null
+++ b/patches.suse/ceph-remove-request-from-waiting-list-before-unregister.patch
@@ -0,0 +1,37 @@
+From: "Yan, Zheng" <zyan@redhat.com>
+Date: Fri, 14 Jun 2019 10:55:05 +0800
+Subject: ceph: remove request from waiting list before unregister
+Git-commit: 428138c9892fac19a682973bbb6d8c2a904b6639
+Patch-mainline: v5.3-rc1
+References: bsc#1148133
+
+Link: https://tracker.ceph.com/issues/40339
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ fs/ceph/mds_client.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
+index fcea46a54622..598a3fa280a7 100644
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -727,6 +727,7 @@ void ceph_mdsc_release_request(struct kref *kref)
+ ceph_pagelist_release(req->r_pagelist);
+ put_request_session(req);
+ ceph_unreserve_caps(req->r_mdsc, &req->r_caps_reservation);
++ WARN_ON_ONCE(!list_empty(&req->r_wait));
+ kfree(req);
+ }
+
+@@ -4162,6 +4163,7 @@ static void wait_requests(struct ceph_mds_client *mdsc)
+ while ((req = __get_oldest_req(mdsc))) {
+ dout("wait_requests timed out on tid %llu\n",
+ req->r_tid);
++ list_del_init(&req->r_wait);
+ __unregister_request(mdsc, req);
+ }
+ }
+
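Review bot: `WARN_ON_ONCE(!list_empty(&req->r_wait));` in ceph_mdsc_release_request() only reports the condition; the `kfree(req)` that follows still frees a request that is linked on a waiting list, leaving a dangling list entry behind. The patch carries no explanation beyond the tracker link, so a comment above the check would help the next reader, for example `/* req must already be off any waiting list; freeing it while linked leaves a dangling entry */`. Only wait_requests() gains `list_del_init(&req->r_wait);` here. Other callers of __unregister_request() are not visible from these hunks and are worth auditing for the same ordering.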
diff --git a/patches.suse/ceph-silence-a-checker-warning-in-mdsc_show.patch b/patches.suse/ceph-silence-a-checker-warning-in-mdsc_show.patch
new file mode 100644
index 0000000000..2c659bed7e
--- /dev/null
+++ b/patches.suse/ceph-silence-a-checker-warning-in-mdsc_show.patch
@@ -0,0 +1,37 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 9 May 2019 13:11:25 +0300
+Subject: ceph: silence a checker warning in mdsc_show()
+Git-commit: 13c41737b912a6f6354369c9b20a02c3868ab304
+Patch-mainline: v5.3-rc1
+References: bsc#1148133
+
+The problem is that if ceph_mdsc_build_path() fails then we set "path"
+to NULL and the "pathlen" variable is uninitialized. Then we call
+ceph_mdsc_free_path(path, pathlen) to clean up. Since "path" is NULL,
+the function is a no-op but Smatch and UBSan still complain that
+"pathlen" is uninitialized.
+
+This patch doesn't change run time, it just silence the warnings.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ fs/ceph/debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ceph/debugfs.c b/fs/ceph/debugfs.c
+index b3fc5fe26a1a..a14d64664878 100644
+--- a/fs/ceph/debugfs.c
++++ b/fs/ceph/debugfs.c
+@@ -52,7 +52,7 @@ static int mdsc_show(struct seq_file *s, void *p)
+ struct ceph_mds_client *mdsc = fsc->mdsc;
+ struct ceph_mds_request *req;
+ struct rb_node *rp;
+- int pathlen;
++ int pathlen = 0;
+ u64 pathbase;
+ char *path;
+
+
diff --git a/patches.suse/cifs-Fix-use-after-free-in-SMB2_read.patch b/patches.suse/cifs-Fix-use-after-free-in-SMB2_read.patch
index 17c5d49528..24b3b641df 100644
--- a/patches.suse/cifs-Fix-use-after-free-in-SMB2_read.patch
+++ b/patches.suse/cifs-Fix-use-after-free-in-SMB2_read.patch
@@ -3,7 +3,7 @@ Date: Sat, 6 Apr 2019 15:47:39 +0800
Subject: [PATCH] cifs: Fix use-after-free in SMB2_read
Git-commit: 088aaf17aa79300cab14dbee2569c58cfafd7d6e
Patch-mainline: v5.1-rc6
-References: bsc#1144333
+References: bsc#1144333, CVE-2019-15920, bsc#1149626
There is a KASAN use-after-free:
BUG: KASAN: use-after-free in SMB2_read+0x1136/0x1190
diff --git a/patches.suse/cifs-Fix-use-after-free-in-SMB2_write.patch b/patches.suse/cifs-Fix-use-after-free-in-SMB2_write.patch
index f484ff2a94..48c747ebc5 100644
--- a/patches.suse/cifs-Fix-use-after-free-in-SMB2_write.patch
+++ b/patches.suse/cifs-Fix-use-after-free-in-SMB2_write.patch
@@ -3,7 +3,7 @@ Date: Sat, 6 Apr 2019 15:47:38 +0800
Subject: [PATCH] cifs: Fix use-after-free in SMB2_write
Git-commit: 6a3eb3360667170988f8a6477f6686242061488a
Patch-mainline: v5.1-rc6
-References: bsc#1144333
+References: bsc#1144333, CVE-2019-15919, bsc#1149552
There is a KASAN use-after-free:
BUG: KASAN: use-after-free in SMB2_write+0x1342/0x1580
diff --git a/patches.suse/ftrace-check-for-empty-hash-and-comment-the-race-with-registering-probes.patch b/patches.suse/ftrace-check-for-empty-hash-and-comment-the-race-with-registering-probes.patch
new file mode 100644
index 0000000000..2ecf741c35
--- /dev/null
+++ b/patches.suse/ftrace-check-for-empty-hash-and-comment-the-race-with-registering-probes.patch
@@ -0,0 +1,49 @@
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Fri, 30 Aug 2019 16:30:01 -0400
+Subject: ftrace: Check for empty hash and comment the race with registering
+ probes
+Git-commit: 372e0d01da71c84dcecf7028598a33813b0d5256
+Patch-mainline: v5.3-rc7
+References: bsc#1149418
+
+The race between adding a function probe and reading the probes that exist
+is very subtle. It needs a comment. Also, the issue can also happen if the
+probe has has the EMPTY_HASH as its func_hash.
+
+Cc: stable@vger.kernel.org
+Fixes: 7b60f3d876156 ("ftrace: Dynamically create the probe ftrace_ops for the trace_array")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Acked-by: Miroslav Benes <mbenes@suse.cz>
+---
+ kernel/trace/ftrace.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index 80beed2cf0da..6200a6fe10e3 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -3096,7 +3096,11 @@ t_probe_next(struct seq_file *m, loff_t *pos)
+
+ hash = iter->probe->ops.func_hash->filter_hash;
+
+- if (!hash)
++ /*
++ * A probe being registered may temporarily have an empty hash
++ * and it's at the end of the func_probes list.
++ */
++ if (!hash || hash == EMPTY_HASH)
+ return NULL;
+
+ size = 1 << hash->size_bits;
+@@ -4324,6 +4328,10 @@ register_ftrace_function_probe(char *glob, struct trace_array *tr,
+
+ mutex_unlock(&ftrace_lock);
+
++ /*
++ * Note, there's a small window here that the func_hash->filter_hash
++ * may be NULL or empty. Need to be carefule when reading the loop.
++ */
+ mutex_lock(&probe->ops.func_hash->regex_lock);
+
+ orig_hash = &probe->ops.func_hash->filter_hash;
+
diff --git a/patches.suse/ftrace-check-for-successful-allocation-of-hash.patch b/patches.suse/ftrace-check-for-successful-allocation-of-hash.patch
new file mode 100644
index 0000000000..35572e2cfe
--- /dev/null
+++ b/patches.suse/ftrace-check-for-successful-allocation-of-hash.patch
@@ -0,0 +1,40 @@
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Thu, 4 Jul 2019 20:04:42 +0530
+Subject: ftrace: Check for successful allocation of hash
+Git-commit: 5b0022dd32b7c2e15edf1827ba80aa1407edf9ff
+Patch-mainline: v5.3-rc7
+References: bsc#1149424
+
+In register_ftrace_function_probe(), we are not checking the return
+value of alloc_and_copy_ftrace_hash(). The subsequent call to
+ftrace_match_records() may end up dereferencing the same. Add a check to
+ensure this doesn't happen.
+
+Link: http://lkml.kernel.org/r/26e92574f25ad23e7cafa3cf5f7a819de1832cbe.1562249521.git.naveen.n.rao@linux.vnet.ibm.com
+
+Cc: stable@vger.kernel.org
+Fixes: 1ec3a81a0cf42 ("ftrace: Have each function probe use its own ftrace_ops")
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Acked-by: Miroslav Benes <mbenes@suse.cz>
+---
+ kernel/trace/ftrace.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index 6200a6fe10e3..f9821a3374e9 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -4338,6 +4338,11 @@ register_ftrace_function_probe(char *glob, struct trace_array *tr,
+ old_hash = *orig_hash;
+ hash = alloc_and_copy_ftrace_hash(FTRACE_HASH_DEFAULT_BITS, old_hash);
+
++ if (!hash) {
++ ret = -ENOMEM;
++ goto out;
++ }
++
+ ret = ftrace_match_records(hash, glob, strlen(glob));
+
+ /* Nothing found? */
+
diff --git a/patches.suse/ftrace-fix-null-pointer-dereference-in-t_probe_next.patch b/patches.suse/ftrace-fix-null-pointer-dereference-in-t_probe_next.patch
new file mode 100644
index 0000000000..4505f4355b
--- /dev/null
+++ b/patches.suse/ftrace-fix-null-pointer-dereference-in-t_probe_next.patch
@@ -0,0 +1,77 @@
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Thu, 4 Jul 2019 20:04:41 +0530
+Subject: ftrace: Fix NULL pointer dereference in t_probe_next()
+Git-commit: 7bd46644ea0f6021dc396a39a8bfd3a58f6f1f9f
+Patch-mainline: v5.3-rc7
+References: bsc#1149413
+
+LTP testsuite on powerpc results in the below crash:
+
+ Unable to handle kernel paging request for data at address 0x00000000
+ Faulting instruction address: 0xc00000000029d800
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ LE SMP NR_CPUS=2048 NUMA PowerNV
+ ...
+ CPU: 68 PID: 96584 Comm: cat Kdump: loaded Tainted: G W
+ NIP: c00000000029d800 LR: c00000000029dac4 CTR: c0000000001e6ad0
+ REGS: c0002017fae8ba10 TRAP: 0300 Tainted: G W
+ MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 28022422 XER: 20040000
+ CFAR: c00000000029d90c DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0
+ ...
+ NIP [c00000000029d800] t_probe_next+0x60/0x180
+ LR [c00000000029dac4] t_mod_start+0x1a4/0x1f0
+ Call Trace:
+ [c0002017fae8bc90] [c000000000cdbc40] _cond_resched+0x10/0xb0 (unreliable)
+ [c0002017fae8bce0] [c0000000002a15b0] t_start+0xf0/0x1c0
+ [c0002017fae8bd30] [c0000000004ec2b4] seq_read+0x184/0x640
+ [c0002017fae8bdd0] [c0000000004a57bc] sys_read+0x10c/0x300
+ [c0002017fae8be30] [c00000000000b388] system_call+0x5c/0x70
+
+The test (ftrace_set_ftrace_filter.sh) is part of ftrace stress tests
+and the crash happens when the test does 'cat
+$TRACING_PATH/set_ftrace_filter'.
+
+The address points to the second line below, in t_probe_next(), where
+filter_hash is dereferenced:
+ hash = iter->probe->ops.func_hash->filter_hash;
+ size = 1 << hash->size_bits;
+
+This happens due to a race with register_ftrace_function_probe(). A new
+ftrace_func_probe is created and added into the func_probes list in
+trace_array under ftrace_lock. However, before initializing the filter,
+we drop ftrace_lock, and re-acquire it after acquiring regex_lock. If
+another process is trying to read set_ftrace_filter, it will be able to
+acquire ftrace_lock during this window and it will end up seeing a NULL
+filter_hash.
+
+Fix this by just checking for a NULL filter_hash in t_probe_next(). If
+the filter_hash is NULL, then this probe is just being added and we can
+simply return from here.
+
+Link: http://lkml.kernel.org/r/05e021f757625cbbb006fad41380323dbe4e3b43.1562249521.git.naveen.n.rao@linux.vnet.ibm.com
+
+Cc: stable@vger.kernel.org
+Fixes: 7b60f3d876156 ("ftrace: Dynamically create the probe ftrace_ops for the trace_array")
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Acked-by: Miroslav Benes <mbenes@suse.cz>
+---
+ kernel/trace/ftrace.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index eca34503f178..80beed2cf0da 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -3095,6 +3095,10 @@ t_probe_next(struct seq_file *m, loff_t *pos)
+ hnd = &iter->probe_entry->hlist;
+
+ hash = iter->probe->ops.func_hash->filter_hash;
++
++ if (!hash)
++ return NULL;
++
+ size = 1 << hash->size_bits;
+
+ retry:
+
diff --git a/patches.suse/genetlink-Fix-a-memory-leak-on-error-path.patch b/patches.suse/genetlink-Fix-a-memory-leak-on-error-path.patch
index 0df45b8fe5..d414720ca1 100644
--- a/patches.suse/genetlink-Fix-a-memory-leak-on-error-path.patch
+++ b/patches.suse/genetlink-Fix-a-memory-leak-on-error-path.patch
@@ -3,7 +3,7 @@ Date: Thu, 21 Mar 2019 15:02:50 +0800
Subject: genetlink: Fix a memory leak on error path
Git-commit: ceabee6c59943bdd5e1da1a6a20dc7ee5f8113a2
Patch-mainline: v5.1-rc3
-References: networking-stable-19_03_28
+References: networking-stable-19_03_28, CVE-2019-15921, bsc#1149602
In genl_register_family(), when idr_alloc() fails,
we forget to free the memory we possibly allocate for
diff --git a/patches.suse/kvm-x86-move-msr_ia32_arch_capabilities-to-array-emulated_msrs b/patches.suse/kvm-x86-move-msr_ia32_arch_capabilities-to-array-emulated_msrs
new file mode 100644
index 0000000000..3a7dba426d
--- /dev/null
+++ b/patches.suse/kvm-x86-move-msr_ia32_arch_capabilities-to-array-emulated_msrs
@@ -0,0 +1,37 @@
+From: Xiaoyao Li <xiaoyao.li@linux.intel.com>
+Date: Fri, 8 Mar 2019 15:57:20 +0800
+Subject: kvm/x86: Move MSR_IA32_ARCH_CAPABILITIES to array emulated_msrs
+Git-commit: 2bdb76c015df7125783d8394d6339d181cb5bc30
+Patch-mainline: v5.1-rc3
+References: bsc#1134881 bsc#1134882
+
+Since MSR_IA32_ARCH_CAPABILITIES is emualted unconditionally even if
+host doesn't suppot it. We should move it to array emulated_msrs from
+arry msrs_to_save, to report to userspace that guest support this msr.
+
+Signed-off-by: Xiaoyao Li <xiaoyao.li@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/x86.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1010,7 +1010,7 @@ static u32 msrs_to_save[] = {
+ #endif
+ MSR_IA32_TSC, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA,
+ MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS, MSR_TSC_AUX,
+- MSR_IA32_SPEC_CTRL, MSR_IA32_ARCH_CAPABILITIES
++ MSR_IA32_SPEC_CTRL,
+ };
+
+ static unsigned num_msrs_to_save;
+@@ -1033,6 +1033,7 @@ static u32 emulated_msrs[] = {
+
+ MSR_IA32_TSC_ADJUST,
+ MSR_IA32_TSCDEADLINE,
++ MSR_IA32_ARCH_CAPABILITIES,
+ MSR_IA32_MISC_ENABLE,
+ MSR_IA32_MCG_STATUS,
+ MSR_IA32_MCG_CTL,
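Review bot: The new `MSR_IA32_ARCH_CAPABILITIES` entry in `emulated_msrs[]` has no comment saying why it sits there rather than in `msrs_to_save[]`, and the array alone does not make the reason obvious. I would add `/* emulated unconditionally, even when the host lacks the MSR */` above the entry, which is what the patch description states. Both arrays start and end outside the hunks, so how their entries are filtered against host support cannot be checked from here.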
diff --git a/patches.suse/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph_buffer.patch b/patches.suse/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph_buffer.patch
new file mode 100644
index 0000000000..e4cf896236
--- /dev/null
+++ b/patches.suse/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph_buffer.patch
@@ -0,0 +1,29 @@
+From: Luis Henriques <lhenriques@suse.com>
+Date: Fri, 19 Jul 2019 15:32:19 +0100
+Subject: libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer
+Git-commit: 5c498950f730aa17c5f8a2cdcb903524e4002ed2
+Patch-mainline: v5.3-rc6
+References: bsc#1148133
+
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+---
+ include/linux/ceph/buffer.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/ceph/buffer.h b/include/linux/ceph/buffer.h
+index 5e58bb29b1a3..11cdc7c60480 100644
+--- a/include/linux/ceph/buffer.h
++++ b/include/linux/ceph/buffer.h
+@@ -30,7 +30,8 @@ static inline struct ceph_buffer *ceph_buffer_get(struct ceph_buffer *b)
+
+ static inline void ceph_buffer_put(struct ceph_buffer *b)
+ {
+- kref_put(&b->kref, ceph_buffer_release);
++ if (b)
++ kref_put(&b->kref, ceph_buffer_release);
+ }
+
+ extern int ceph_decode_buffer(struct ceph_buffer **b, void **p, void *end);
+
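Review bot: `ceph_buffer_put()` now accepts a NULL buffer, but neither the header nor the patch description says so, and the prototype gives callers no hint. A one-line comment above the function would record the contract, for example `/* b may be NULL, in which case this is a no-op */`. `ceph_buffer_get()` appears only in the hunk header, so whether it tolerates NULL as well cannot be told from here; the comment should say if the two differ.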
diff --git a/patches.suse/libceph-fix-pg-split-vs-osd-reconnect-race.patch b/patches.suse/libceph-fix-pg-split-vs-osd-reconnect-race.patch
new file mode 100644
index 0000000000..211e407664
--- /dev/null
+++ b/patches.suse/libceph-fix-pg-split-vs-osd-reconnect-race.patch
@@ -0,0 +1,71 @@
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Tue, 20 Aug 2019 16:40:33 +0200
+Subject: libceph: fix PG split vs OSD (re)connect race
+Git-commit: a561372405cf6bc6f14239b3a9e57bb39f2788b0
+Patch-mainline: v5.3-rc6
+References: bsc#1148133
+
+We can't rely on ->peer_features in calc_target() because it may be
+called both when the OSD session is established and open and when it's
+not. ->peer_features is not valid unless the OSD session is open. If
+this happens on a PG split (pg_num increase), that could mean we don't
+resend a request that should have been resent, hanging the client
+indefinitely.
+
+In userspace this was fixed by looking at require_osd_release and
+get_xinfo[osd].features fields of the osdmap. However these fields
+belong to the OSD section of the osdmap, which the kernel doesn't
+decode (only the client section is decoded).
+
+Instead, let's drop this feature check. It effectively checks for
+luminous, so only pre-luminous OSDs would be affected in that on a PG
+split the kernel might resend a request that should not have been
+resent. Duplicates can occur in other scenarios, so both sides should
+already be prepared for them: see dup/replay logic on the OSD side and
+retry_attempt check on the client side.
+
+Cc: stable@vger.kernel.org
+Fixes: 7de030d6b10a ("libceph: resend on PG splits if OSD has RESEND_ON_SPLIT")
+Link: https://tracker.ceph.com/issues/41162
+Reported-by: Jerry Lee <leisurelysw24@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Tested-by: Jerry Lee <leisurelysw24@gmail.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ net/ceph/osd_client.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
+index 0b2df09b2554..78ae6e8c953d 100644
+--- a/net/ceph/osd_client.c
++++ b/net/ceph/osd_client.c
+@@ -1496,7 +1496,7 @@ static enum calc_target_result calc_target(struct ceph_osd_client *osdc,
+ struct ceph_osds up, acting;
+ bool force_resend = false;
+ bool unpaused = false;
+- bool legacy_change;
++ bool legacy_change = false;
+ bool split = false;
+ bool sort_bitwise = ceph_osdmap_flag(osdc, CEPH_OSDMAP_SORTBITWISE);
+ bool recovery_deletes = ceph_osdmap_flag(osdc,
+@@ -1584,15 +1584,14 @@ static enum calc_target_result calc_target(struct ceph_osd_client *osdc,
+ t->osd = acting.primary;
+ }
+
+- if (unpaused || legacy_change || force_resend ||
+- (split && con && CEPH_HAVE_FEATURE(con->peer_features,
+- RESEND_ON_SPLIT)))
++ if (unpaused || legacy_change || force_resend || split)
+ ct_res = CALC_TARGET_NEED_RESEND;
+ else
+ ct_res = CALC_TARGET_NO_ACTION;
+
+ out:
+- dout("%s t %p -> ct_res %d osd %d\n", __func__, t, ct_res, t->osd);
++ dout("%s t %p -> %d%d%d%d ct_res %d osd%d\n", __func__, t, unpaused,
++ legacy_change, force_resend, split, ct_res, t->osd);
+ return ct_res;
+ }
+
+
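Review bot: The new `dout()` at the `out:` label prints the four resend flags as an unlabelled run `%d%d%d%d`, so a log reader has to remember the argument order to decode it, and `osd%d` lost the space the old format had. Labelling the fields costs nothing, e.g. `dout("%s t %p -> unpaused %d legacy %d force %d split %d ct_res %d osd %d\n", ...)`. The `legacy_change = false` initialiser in the first hunk is what keeps this print from reading an unset variable on an early `goto out`. A short comment there, such as `/* printed at out: even on early exit */`, would stop it being removed as redundant. calc_target() starts outside the hunks, so the early-exit paths themselves are not visible.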
diff --git a/patches.suse/powerpc-fadump-when-fadump-is-supported-register-the.patch b/patches.suse/powerpc-fadump-when-fadump-is-supported-register-the.patch
new file mode 100644
index 0000000000..36df0b9c09
--- /dev/null
+++ b/patches.suse/powerpc-fadump-when-fadump-is-supported-register-the.patch
@@ -0,0 +1,68 @@
+From d34ad20a798191a6217cf245b85a26b07c0edd01 Mon Sep 17 00:00:00 2001
+From: Michal Suchanek <msuchanek@suse.de>
+Date: Tue, 20 Aug 2019 13:29:45 +0200
+Subject: [PATCH v2] powerpc/fadump: when fadump is supported register the
+ fadump sysfs files.
+To: linuxppc-dev@lists.ozlabs.org
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>, Paul Mackerras <paulus@samba.org>, Michael Ellerman <mpe@ellerman.id.au>, Michal Suchanek <msuchanek@suse.de>, Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>, Hari Bathini <hbathini@linux.vnet.ibm.com>, Christophe Leroy <christophe.leroy@c-s.fr>, Yangtao Li <tiny.windzz@gmail.com>, Thomas Gleixner <tglx@linutronix.de>, linux-kernel@vger.kernel.org
+
+References: bsc#1146352
+Patch-mainline: submitted https://patchwork.ozlabs.org/patch/1154687/
+
+Currently it is not possible to distinguish the case when fadump is
+supported by firmware and disabled in kernel and completely unsupported
+using the kernel sysfs interface. User can investigate the devicetree
+but it is more reasonable to provide sysfs files in case we get some
+fadumpv2 in the future.
+
+With this patch sysfs files are available whenever fadump is supported
+by firmware.
+
+Signed-off-by: Michal Suchanek <msuchanek@suse.de>
+---
+v2: move the sysfs initialization earlier to avoid condition nesting
+---
+ arch/powerpc/kernel/fadump.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
+index 4eab97292cc2..13741380b2f7 100644
+--- a/arch/powerpc/kernel/fadump.c
++++ b/arch/powerpc/kernel/fadump.c
+@@ -1671,16 +1671,20 @@ static void fadump_init_files(void)
+ */
+ int __init setup_fadump(void)
+ {
+- if (!fw_dump.fadump_enabled)
+- return 0;
+-
+- if (!fw_dump.fadump_supported) {
++ if (!fw_dump.fadump_supported && fw_dump.fadump_enabled) {
+ printk(KERN_ERR "Firmware-assisted dump is not supported on"
+ " this hardware\n");
+- return 0;
+ }
+
++ if (!fw_dump.fadump_supported)
++ return 0;
++
++ fadump_init_files();
+ fadump_show_config();
++
++ if (!fw_dump.fadump_enabled)
++ return 1;
++
+ /*
+ * If dump data is available then see if it is valid and prepare for
+ * saving it to the disk.
+@@ -1696,7 +1700,6 @@ int __init setup_fadump(void)
+ /* Initialize the kernel dump memory structure for FAD registration. */
+ else if (fw_dump.reserve_dump_area_size)
+ init_fadump_mem_struct(&fdm, fw_dump.reserve_dump_area_start);
+- fadump_init_files();
+
+ return 1;
+ }
+--
+2.22.0
+
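Review bot: `fadump_init_files()` now runs whenever firmware supports fadump, including when `fw_dump.fadump_enabled` is false, so the sysfs files it creates become reachable on a kernel where fadump is disabled. Its body and the store handlers behind those files are outside the hunk. It should be confirmed that every writable handler rejects the request when `!fw_dump.fadump_enabled`, rather than relying on the files being absent as before. `setup_fadump()` also returns 1 instead of 0 in the supported-but-disabled case, which deserves a line in the function's header comment, e.g. `/* Returns 1 when firmware supports fadump, even if it is disabled in the kernel */`.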
diff --git a/patches.suse/powerpc-xive-Fix-dump-of-XIVE-interrupt-under-pserie.patch b/patches.suse/powerpc-xive-Fix-dump-of-XIVE-interrupt-under-pserie.patch
new file mode 100644
index 0000000000..391d8a5049
--- /dev/null
+++ b/patches.suse/powerpc-xive-Fix-dump-of-XIVE-interrupt-under-pserie.patch
@@ -0,0 +1,215 @@
+From b4868ff55d082bc66b0c287a41e4888f6d3e5f87 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@kaod.org>
+Date: Wed, 14 Aug 2019 17:47:53 +0200
+Subject: [PATCH] powerpc/xive: Fix dump of XIVE interrupt under pseries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+References: bsc#1142019
+Patch-mainline: queued
+Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git
+Git-commit: b4868ff55d082bc66b0c287a41e4888f6d3e5f87
+
+The xmon 'dxi' command calls OPAL to query the XIVE configuration of a
+interrupt. This can only be done on baremetal (PowerNV) and it will
+crash a pseries machine.
+
+Introduce a new XIVE get_irq_config() operation which implements a
+different query depending on the platform, PowerNV or pseries, and
+modify xmon to use a top level wrapper.
+
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190814154754.23682-3-clg@kaod.org
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/include/asm/xive.h | 2 +
+ arch/powerpc/sysdev/xive/common.c | 7 ++++
+ arch/powerpc/sysdev/xive/native.c | 15 +++++++
+ arch/powerpc/sysdev/xive/spapr.c | 51 ++++++++++++++++++++++++
+ arch/powerpc/sysdev/xive/xive-internal.h | 2 +
+ arch/powerpc/xmon/xmon.c | 12 +++---
+ 6 files changed, 83 insertions(+), 6 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/xive.h b/arch/powerpc/include/asm/xive.h
+index efb0e597b272..967d6ab3c977 100644
+--- a/arch/powerpc/include/asm/xive.h
++++ b/arch/powerpc/include/asm/xive.h
+@@ -99,6 +99,8 @@ extern void xive_flush_interrupt(void);
+
+ /* xmon hook */
+ extern void xmon_xive_do_dump(int cpu);
++extern int xmon_xive_get_irq_config(u32 irq, u32 *target, u8 *prio,
++ u32 *sw_irq);
+
+ /* APIs used by KVM */
+ extern u32 xive_native_default_eq_shift(void);
+diff --git a/arch/powerpc/sysdev/xive/common.c b/arch/powerpc/sysdev/xive/common.c
+index 6b973b7cdd8a..f75a660365e5 100644
+--- a/arch/powerpc/sysdev/xive/common.c
++++ b/arch/powerpc/sysdev/xive/common.c
+@@ -257,6 +257,13 @@ notrace void xmon_xive_do_dump(int cpu)
+ }
+ #endif
+ }
++
++int xmon_xive_get_irq_config(u32 irq, u32 *target, u8 *prio,
++ u32 *sw_irq)
++{
++ return xive_ops->get_irq_config(irq, target, prio, sw_irq);
++}
++
+ #endif /* CONFIG_XMON */
+
+ static unsigned int xive_get_irq(void)
+diff --git a/arch/powerpc/sysdev/xive/native.c b/arch/powerpc/sysdev/xive/native.c
+index 2f26b74f6cfa..4b61e44f0171 100644
+--- a/arch/powerpc/sysdev/xive/native.c
++++ b/arch/powerpc/sysdev/xive/native.c
+@@ -111,6 +111,20 @@ int xive_native_configure_irq(u32 hw_irq, u32 target, u8 prio, u32 sw_irq)
+ }
+ EXPORT_SYMBOL_GPL(xive_native_configure_irq);
+
++static int xive_native_get_irq_config(u32 hw_irq, u32 *target, u8 *prio,
++ u32 *sw_irq)
++{
++ s64 rc;
++ __be64 vp;
++ __be32 lirq;
++
++ rc = opal_xive_get_irq_config(hw_irq, &vp, prio, &lirq);
++
++ *target = be64_to_cpu(vp);
++ *sw_irq = be32_to_cpu(lirq);
++
++ return rc == 0 ? 0 : -ENXIO;
++}
+
+ /* This can be called multiple time to change a queue configuration */
+ int xive_native_configure_queue(u32 vp_id, struct xive_q *q, u8 prio,
+@@ -442,6 +456,7 @@ EXPORT_SYMBOL_GPL(xive_native_sync_queue);
+ static const struct xive_ops xive_native_ops = {
+ .populate_irq_data = xive_native_populate_irq_data,
+ .configure_irq = xive_native_configure_irq,
++ .get_irq_config = xive_native_get_irq_config,
+ .setup_queue = xive_native_setup_queue,
+ .cleanup_queue = xive_native_cleanup_queue,
+ .match = xive_native_match,
+diff --git a/arch/powerpc/sysdev/xive/spapr.c b/arch/powerpc/sysdev/xive/spapr.c
+index 52198131c75e..33c10749edec 100644
+--- a/arch/powerpc/sysdev/xive/spapr.c
++++ b/arch/powerpc/sysdev/xive/spapr.c
+@@ -215,6 +215,38 @@ static long plpar_int_set_source_config(unsigned long flags,
+ return 0;
+ }
+
++static long plpar_int_get_source_config(unsigned long flags,
++ unsigned long lisn,
++ unsigned long *target,
++ unsigned long *prio,
++ unsigned long *sw_irq)
++{
++ unsigned long retbuf[PLPAR_HCALL_BUFSIZE];
++ long rc;
++
++ pr_devel("H_INT_GET_SOURCE_CONFIG flags=%lx lisn=%lx\n", flags, lisn);
++
++ do {
++ rc = plpar_hcall(H_INT_GET_SOURCE_CONFIG, retbuf, flags, lisn,
++ target, prio, sw_irq);
++ } while (plpar_busy_delay(rc));
++
++ if (rc) {
++ pr_err("H_INT_GET_SOURCE_CONFIG lisn=%ld failed %ld\n",
++ lisn, rc);
++ return rc;
++ }
++
++ *target = retbuf[0];
++ *prio = retbuf[1];
++ *sw_irq = retbuf[2];
++
++ pr_devel("H_INT_GET_SOURCE_CONFIG target=%lx prio=%lx sw_irq=%lx\n",
++ retbuf[0], retbuf[1], retbuf[2]);
++
++ return 0;
++}
++
+ static long plpar_int_get_queue_info(unsigned long flags,
+ unsigned long target,
+ unsigned long priority,
+@@ -398,6 +430,24 @@ static int xive_spapr_configure_irq(u32 hw_irq, u32 target, u8 prio, u32 sw_irq)
+ return rc == 0 ? 0 : -ENXIO;
+ }
+
++static int xive_spapr_get_irq_config(u32 hw_irq, u32 *target, u8 *prio,
++ u32 *sw_irq)
++{
++ long rc;
++ unsigned long h_target;
++ unsigned long h_prio;
++ unsigned long h_sw_irq;
++
++ rc = plpar_int_get_source_config(0, hw_irq, &h_target, &h_prio,
++ &h_sw_irq);
++
++ *target = h_target;
++ *prio = h_prio;
++ *sw_irq = h_sw_irq;
++
++ return rc == 0 ? 0 : -ENXIO;
++}
++
+ /* This can be called multiple time to change a queue configuration */
+ static int xive_spapr_configure_queue(u32 target, struct xive_q *q, u8 prio,
+ __be32 *qpage, u32 order)
+@@ -590,6 +640,7 @@ static void xive_spapr_sync_source(u32 hw_irq)
+ static const struct xive_ops xive_spapr_ops = {
+ .populate_irq_data = xive_spapr_populate_irq_data,
+ .configure_irq = xive_spapr_configure_irq,
++ .get_irq_config = xive_spapr_get_irq_config,
+ .setup_queue = xive_spapr_setup_queue,
+ .cleanup_queue = xive_spapr_cleanup_queue,
+ .match = xive_spapr_match,
+diff --git a/arch/powerpc/sysdev/xive/xive-internal.h b/arch/powerpc/sysdev/xive/xive-internal.h
+index 211725dbf364..59cd366e7933 100644
+--- a/arch/powerpc/sysdev/xive/xive-internal.h
++++ b/arch/powerpc/sysdev/xive/xive-internal.h
+@@ -33,6 +33,8 @@ struct xive_cpu {
+ struct xive_ops {
+ int (*populate_irq_data)(u32 hw_irq, struct xive_irq_data *data);
+ int (*configure_irq)(u32 hw_irq, u32 target, u8 prio, u32 sw_irq);
++ int (*get_irq_config)(u32 hw_irq, u32 *target, u8 *prio,
++ u32 *sw_irq);
+ int (*setup_queue)(unsigned int cpu, struct xive_cpu *xc, u8 prio);
+ void (*cleanup_queue)(unsigned int cpu, struct xive_cpu *xc, u8 prio);
+ void (*setup_cpu)(unsigned int cpu, struct xive_cpu *xc);
+diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
+index 25d4adccf750..4ea53e05053f 100644
+--- a/arch/powerpc/xmon/xmon.c
++++ b/arch/powerpc/xmon/xmon.c
+@@ -2574,14 +2574,14 @@ static void dump_all_xives(void)
+
+ static void dump_one_xive_irq(u32 num)
+ {
+- s64 rc;
+- __be64 vp;
++ int rc;
++ u32 target;
+ u8 prio;
+- __be32 lirq;
++ u32 lirq;
+
+- rc = opal_xive_get_irq_config(num, &vp, &prio, &lirq);
+- xmon_printf("IRQ 0x%x config: vp=0x%llx prio=%d lirq=0x%x (rc=%lld)\n",
+- num, be64_to_cpu(vp), prio, be32_to_cpu(lirq), rc);
++ rc = xmon_xive_get_irq_config(num, &target, &prio, &lirq);
++ xmon_printf("IRQ 0x%08x : target=0x%x prio=%d lirq=0x%x (rc=%d)\n",
++ num, target, prio, lirq, rc);
+ }
+
+ static void dump_xives(void)
+--
+2.22.0
+
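Review bot: Both new getters copy their results out even when the query failed, and `dump_one_xive_irq()` prints them regardless of `rc`. In `xive_spapr_get_irq_config()` the locals `h_target`, `h_prio` and `h_sw_irq` are never written when `plpar_int_get_source_config()` takes its error return, so uninitialised stack values reach `*target`, `*prio` and `*sw_irq` and are then printed by xmon. `xive_native_get_irq_config()` has the same shape with `vp` and `lirq`. Returning before the copy-out on failure, and printing only `rc` in that case, avoids this. Separately, `plpar_int_get_source_config()` passes the `target`, `prio` and `sw_irq` pointers as hcall input arguments; if the hcall takes only `flags` and `lisn`, they should be dropped from the call.

```c
/* xive_spapr_get_irq_config(): stop before the copy-out on failure */
	rc = plpar_int_get_source_config(0, hw_irq, &h_target, &h_prio,
					 &h_sw_irq);
	if (rc)
		return -ENXIO;	/* h_* were never written */
	/* … unchanged: copy h_target/h_prio/h_sw_irq to the outputs … */
	return 0;

/* xive_native_get_irq_config(): same guard after the OPAL call */
	rc = opal_xive_get_irq_config(hw_irq, &vp, prio, &lirq);
	if (rc)
		return -ENXIO;
	/* … unchanged: be64_to_cpu/be32_to_cpu copy-out … */
	return 0;

/* dump_one_xive_irq(): do not print outputs that were not filled in */
	rc = xmon_xive_get_irq_config(num, &target, &prio, &lirq);
	if (rc) {
		xmon_printf("IRQ 0x%08x : query failed (rc=%d)\n", num, rc);
		return;
	}
	/* … unchanged: xmon_printf of target/prio/lirq … */
```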
diff --git a/patches.suse/powerpc-xmon-Add-a-dump-of-all-XIVE-interrupts.patch b/patches.suse/powerpc-xmon-Add-a-dump-of-all-XIVE-interrupts.patch
new file mode 100644
index 0000000000..de520390d9
--- /dev/null
+++ b/patches.suse/powerpc-xmon-Add-a-dump-of-all-XIVE-interrupts.patch
@@ -0,0 +1,66 @@
+From 39f14e79b15a40709ef177bc4c07f193b6d3bce3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@kaod.org>
+Date: Wed, 14 Aug 2019 17:47:54 +0200
+Subject: [PATCH] powerpc/xmon: Add a dump of all XIVE interrupts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+References: bsc#1142019
+Patch-mainline: queued
+Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git
+Git-commit: 39f14e79b15a40709ef177bc4c07f193b6d3bce3
+
+Modify the xmon 'dxi' command to query all interrupts if no IRQ number
+is specified.
+
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190814154754.23682-4-clg@kaod.org
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/xmon/xmon.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
+index 4ea53e05053f..dc9832e06256 100644
+--- a/arch/powerpc/xmon/xmon.c
++++ b/arch/powerpc/xmon/xmon.c
+@@ -2584,6 +2584,25 @@ static void dump_one_xive_irq(u32 num)
+ num, target, prio, lirq, rc);
+ }
+
++static void dump_all_xive_irq(void)
++{
++ unsigned int i;
++ struct irq_desc *desc;
++
++ for_each_irq_desc(i, desc) {
++ struct irq_data *d = irq_desc_get_irq_data(desc);
++ unsigned int hwirq;
++
++ if (!d)
++ continue;
++
++ hwirq = (unsigned int)irqd_to_hwirq(d);
++ /* IPIs are special (HW number 0) */
++ if (hwirq)
++ dump_one_xive_irq(hwirq);
++ }
++}
++
+ static void dump_xives(void)
+ {
+ unsigned long num;
+@@ -2601,6 +2620,8 @@ static void dump_xives(void)
+ } else if (c == 'i') {
+ if (scanhex(&num))
+ dump_one_xive_irq(num);
++ else
++ dump_all_xive_irq();
+ return;
+ }
+
+--
+2.22.0
+
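Review bot: `dump_all_xive_irq()` passes every descriptor with a non-zero hardware number to `dump_one_xive_irq()` without checking that the descriptor belongs to the XIVE controller. If other interrupt domains can exist on the machine (not determinable from this hunk), their hwirq values would be sent to the XIVE query as if they were XIVE sources. The `(unsigned int)` cast on `irqd_to_hwirq()` also silently narrows the value. At minimum a comment should state the assumption, e.g. `/* assumes all descriptors are XIVE sources; hwirq fits in 32 bits */`. A domain check before the call would be better. The `if (!d)` test looks unreachable if `irq_desc_get_irq_data()` returns the address of an embedded member, which is worth confirming.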
diff --git a/patches.suse/powerpc-xmon-Check-for-HV-mode-when-dumping-XIVE-inf.patch b/patches.suse/powerpc-xmon-Check-for-HV-mode-when-dumping-XIVE-inf.patch
new file mode 100644
index 0000000000..bcea95d6fe
--- /dev/null
+++ b/patches.suse/powerpc-xmon-Check-for-HV-mode-when-dumping-XIVE-inf.patch
@@ -0,0 +1,59 @@
+From c3e0dbd7f780a58c4695f1cd8fc8afde80376737 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@kaod.org>
+Date: Wed, 14 Aug 2019 17:47:52 +0200
+Subject: [PATCH] powerpc/xmon: Check for HV mode when dumping XIVE info from
+ OPAL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+References: bsc#1142019
+Patch-mainline: queued
+Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git
+Git-commit: c3e0dbd7f780a58c4695f1cd8fc8afde80376737
+
+Currently, the xmon 'dx' command calls OPAL to dump the XIVE state in
+the OPAL logs and also outputs some of the fields of the internal XIVE
+structures in Linux. The OPAL calls can only be done on baremetal
+(PowerNV) and they crash a pseries machine. Fix by checking the
+hypervisor feature of the CPU.
+
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190814154754.23682-2-clg@kaod.org
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/xmon/xmon.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
+index 14e56c25879f..25d4adccf750 100644
+--- a/arch/powerpc/xmon/xmon.c
++++ b/arch/powerpc/xmon/xmon.c
+@@ -2534,13 +2534,16 @@ static void dump_pacas(void)
+ static void dump_one_xive(int cpu)
+ {
+ unsigned int hwid = get_hard_smp_processor_id(cpu);
+-
+- opal_xive_dump(XIVE_DUMP_TM_HYP, hwid);
+- opal_xive_dump(XIVE_DUMP_TM_POOL, hwid);
+- opal_xive_dump(XIVE_DUMP_TM_OS, hwid);
+- opal_xive_dump(XIVE_DUMP_TM_USER, hwid);
+- opal_xive_dump(XIVE_DUMP_VP, hwid);
+- opal_xive_dump(XIVE_DUMP_EMU_STATE, hwid);
++ bool hv = cpu_has_feature(CPU_FTR_HVMODE);
++
++ if (hv) {
++ opal_xive_dump(XIVE_DUMP_TM_HYP, hwid);
++ opal_xive_dump(XIVE_DUMP_TM_POOL, hwid);
++ opal_xive_dump(XIVE_DUMP_TM_OS, hwid);
++ opal_xive_dump(XIVE_DUMP_TM_USER, hwid);
++ opal_xive_dump(XIVE_DUMP_VP, hwid);
++ opal_xive_dump(XIVE_DUMP_EMU_STATE, hwid);
++ }
+
+ if (setjmp(bus_error_jmp) != 0) {
+ catch_memory_errors = 0;
+--
+2.22.0
+
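Review bot: The `if (hv)` guard around the six `opal_xive_dump()` calls has no comment, so the reason for it lives only in the patch description. I would put `/* OPAL calls are only valid on bare metal (PowerNV); they crash a pseries guest */` above the `if`. The `hv` local is read once here, so unless the part of `dump_one_xive()` outside the hunk uses it again, testing `cpu_has_feature(CPU_FTR_HVMODE)` directly in the condition is simpler.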
diff --git a/patches.suse/rsi-add-fix-for-crash-during-assertions.patch b/patches.suse/rsi-add-fix-for-crash-during-assertions.patch
new file mode 100644
index 0000000000..677a81e06e
--- /dev/null
+++ b/patches.suse/rsi-add-fix-for-crash-during-assertions.patch
@@ -0,0 +1,38 @@
+From abd39c6ded9db53aa44c2540092bdd5fb6590fa8 Mon Sep 17 00:00:00 2001
+From: Sanjay Konduri <sanjay.konduri@redpinesignals.com>
+Date: Tue, 15 May 2018 14:34:30 +0530
+Subject: [PATCH] rsi: add fix for crash during assertions
+Git-commit: abd39c6ded9db53aa44c2540092bdd5fb6590fa8
+Patch-mainline: v4.18-rc1
+References: CVE-2018-21008,bsc#1149591
+
+Observed crash in some scenarios when assertion has occurred,
+this is because hw structure is freed and is tried to get
+accessed in some functions where null check is already
+present. So, avoided the crash by making the hw to NULL after
+freeing.
+
+Signed-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>
+Signed-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/wireless/rsi/rsi_91x_mac80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/rsi/rsi_91x_mac80211.c b/drivers/net/wireless/rsi/rsi_91x_mac80211.c
+index 3faa0449a5ef..bfa7569c85bb 100644
+--- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c
++++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c
+@@ -245,6 +245,7 @@ void rsi_mac80211_detach(struct rsi_hw *adapter)
+ ieee80211_stop_queues(hw);
+ ieee80211_unregister_hw(hw);
+ ieee80211_free_hw(hw);
++ adapter->hw = NULL;
+ }
+
+ for (band = 0; band < NUM_NL80211_BANDS; band++) {
+--
+2.16.4
+
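Review bot: Clearing `adapter->hw` after `ieee80211_free_hw(hw)` only protects code that reads `adapter->hw` after this store and tests it for NULL. Nothing in the hunk shows a lock or barrier around the store. A path that loaded the pointer before detach ran, or that runs concurrently with it, would still hold the freed pointer; whether such paths exist depends on callers outside the hunk and should be confirmed. A comment at the assignment would record the intent, e.g. `/* later users test adapter->hw for NULL; must not race with detach */`. `rsi_mac80211_detach()` starts and ends outside the hunk.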
diff --git a/series.conf b/series.conf
index ac53f72672..28df95af9a 100644
--- a/series.conf
+++ b/series.conf
@@ -6774,6 +6774,13 @@
patches.suse/0001-Btrfs-fix-assertion-failure-during-fsync-in-no-holes.patch
patches.suse/btrfs-incremental-send-fix-emission-of-invalid-clone-operations.patch
patches.suse/btrfs-preserve-i_mode-if-_btrfs_set_acl-fails.patch
+ patches.suse/btrfs-add-a-helper-to-retrive-extent-inline-ref-type.patch
+ patches.suse/btrfs-convert-to-use-btrfs_get_extent_inline_ref_type.patch
+ patches.suse/btrfs-remove-bug-in-btrfs_extent_inline_ref_size.patch
+ patches.suse/btrfs-remove-bug-in-print_extent_item.patch
+ patches.suse/btrfs-remove-bug-in-add_data_reference.patch
+ patches.suse/btrfs-remove-bug_on-in-_add_tree_block.patch
+ patches.suse/btrfs-add-one-more-sanity-check-for-shared-ref-type.patch
patches.suse/svcrdma-Limit-RQ-depth.patch
patches.suse/rdma-core-Add-rdma_rw_mr_payload.patch
patches.suse/svcrdma-Estimate-Send-Queue-depth-properly.patch
@@ -17329,6 +17336,7 @@
patches.suse/net-hns3-Optimize-the-VF-s-process-of-updating-multi.patch
patches.suse/s390-sles15sp1-00-12-net-smc-fix-error-return-code-in-smc_setsockopt.patch
patches.suse/mwifiex-correct-histogram-data-with-appropriate-inde
+ patches.suse/rsi-add-fix-for-crash-during-assertions.patch
patches.suse/wlcore-sdio-check-for-valid-platform-device-data-bef
patches.suse/mwifiex-handle-race-during-mwifiex_usb_disconnect
patches.suse/iwlmvm-tdls-Check-TDLS-channel-switch-support
@@ -22882,6 +22890,7 @@
patches.suse/KVM-Reject-device-ioctls-from-processes-other-than-t.patch
patches.suse/kvm-svm-workaround-errata-1096-insn_len-maybe-zero-on-smap-violation
patches.suse/kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch
+ patches.suse/kvm-x86-move-msr_ia32_arch_capabilities-to-array-emulated_msrs
patches.suse/msft-hv-1857-x86-kvm-hyper-v-avoid-spurious-pending-stimer-on-vCP.patch
patches.suse/KVM-arm-arm64-vgic-its-Take-the-srcu-lock-when-writi.patch
patches.suse/KVM-arm-arm64-vgic-its-Take-the-srcu-lock-when-parsi.patch
@@ -24189,7 +24198,13 @@
patches.suse/ALSA-hda-realtek-Fixed-Headphone-Mic-can-t-record-on.patch
patches.suse/ALSA-hda-realtek-apply-ALC891-headset-fixup-to-one-D.patch
patches.suse/ALSA-seq-Break-too-long-mutex-context-in-the-write-l.patch
+ patches.suse/ceph-silence-a-checker-warning-in-mdsc_show.patch
patches.suse/ceph-clean-up-ceph-dir-pin-vxattr-name-sizeof.patch
+ patches.suse/ceph-fix-ceph-dir-rctime-vxattr-value.patch
+ patches.suse/ceph-fix-improper-use-of-smp_mb__before_atomic.patch
+ patches.suse/ceph-hold-i_ceph_lock-when-removing-caps-for-freeing-inode.patch
+ patches.suse/ceph-don-t-blindly-unregister-session-that-is-in-opening-state.patch
+ patches.suse/ceph-remove-request-from-waiting-list-before-unregister.patch
patches.suse/cifs-Use-kmemdup-in-SMB2_ioctl_init-.patch
patches.suse/fs-cifs-Drop-unlikely-before-IS_ERR-_OR_NULL-.patch
patches.suse/SMB3-Add-SMB3-1-1-GCM-to-negotiated-crypto-algorigthms.patch
@@ -24404,6 +24419,12 @@
patches.suse/0001-HID-wacom-correct-misreported-EKR-ring-values.patch
patches.suse/drm-mediatek-use-correct-device-to-import-PRIME-buff.patch
patches.suse/drm-mediatek-mtk_drm_drv.c-Add-of_node_put-before-go.patch
+ patches.suse/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph_buffer.patch
+ patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_setxattr.patch
+ patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_build_xattrs_blob.patch
+ patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fill_inode.patch
+ patches.suse/ceph-don-t-try-fill-file_lock-on-unsuccessful-getfilelock-reply.patch
+ patches.suse/libceph-fix-pg-split-vs-osd-reconnect-race.patch
patches.suse/vfs-fix-page-locking-deadlocks-when-deduping-files.patch
patches.suse/fs-xfs-Fix-return-code-of-xfs_break_leased_layouts.patch
patches.suse/Revert-dm-bufio-fix-deadlock-with-loop-device.patch
@@ -24429,6 +24450,9 @@
patches.suse/mmc-sdhci-of-at91-add-quirk-for-broken-HS200.patch
patches.suse/crypto-ccp-Ignore-unconfigured-CCP-device-on-suspend.patch
patches.suse/kvm-x86-don-t-update-rip-or-do-single-step-on-faulting-emulation
+ patches.suse/ftrace-fix-null-pointer-dereference-in-t_probe_next.patch
+ patches.suse/ftrace-check-for-empty-hash-and-comment-the-race-with-registering-probes.patch
+ patches.suse/ftrace-check-for-successful-allocation-of-hash.patch
patches.suse/batman-adv-Only-read-OGM-tvlv_len-after-buffer-len-c.patch
patches.suse/batman-adv-Only-read-OGM2-tvlv_len-after-buffer-len-.patch
patches.suse/usb-host-xhci-rcar-Fix-typo-in-compatible-string-mat.patch
@@ -24436,6 +24460,9 @@
patches.suse/VMCI-Release-resource-if-the-work-is-already-queued.patch
# powerpc/linux next
+ patches.suse/powerpc-xmon-Check-for-HV-mode-when-dumping-XIVE-inf.patch
+ patches.suse/powerpc-xive-Fix-dump-of-XIVE-interrupt-under-pserie.patch
+ patches.suse/powerpc-xmon-Add-a-dump-of-all-XIVE-interrupts.patch
patches.suse/powerpc-rtas-use-device-model-APIs-and-serialization.patch
patches.suse/powerpc-64s-support-nospectre_v2-cmdline-option.patch
@@ -24492,6 +24519,7 @@
patches.suse/0002-x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch
patches.suse/x86-speculation-swapgs-exclude-ATOMs-from-speculating-through-SWAPGS.patch
patches.fixes/0001-ACPICA-Increase-total-number-of-possible-Owner-IDs.patch
+ patches.suse/powerpc-fadump-when-fadump-is-supported-register-the.patch
########################################################
# end of sorted patches