Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2018-07-07 19:01:25 +0200
committerTakashi Iwai <tiwai@suse.de>2018-07-07 19:01:25 +0200
commitf93705fdd910b3338a8e427c8bc32d2786e413be (patch)
tree0a26645b7887a826c8a89a0d48675e570eebed16
parent4933ef5de53b19c8b45b79381c4517f31f949d7e (diff)
parent5e898b1bfef24f0ccda949028a5f2509b958327d (diff)
Merge branch 'SLE12-SP3' into openSUSE-42.3
-rw-r--r--blacklist.conf1
-rw-r--r--patches.arch/s390-sles12sp3-17-01-01-zfcp-missing-SCSI-trace-result-eh_host_reset.patch285
-rw-r--r--patches.arch/s390-sles12sp3-17-01-02-zfcp-missing-SCSI-trace-retry-abort-TMF.patch247
-rw-r--r--patches.arch/s390-sles12sp3-17-01-03-zfcp-misleading-REC-trig-trace-erp-setup-failed.patch262
-rw-r--r--patches.arch/s390-sles12sp3-17-01-04-zfcp-missing-REC-trig-trace-t_rport_io-early-ret.patch257
-rw-r--r--patches.arch/s390-sles12sp3-17-01-05-zfcp-missing-REC-trig-trace-t_rport_io-ERP_FAILED.patch273
-rw-r--r--patches.arch/s390-sles12sp3-17-01-06-zfcp-missing-REC-trig-trace-all-objects-ERP_FAILED.patch330
-rw-r--r--patches.arch/s390-sles12sp3-17-01-07-zfcp-missing-REC-trig-trace-enqueue-no-ERP-thread.patch203
-rw-r--r--patches.drivers/0144-block-remove-driverfs_dev.patch23
-rw-r--r--patches.drivers/0165-block-Fix-front-merge-check.patch23
-rw-r--r--patches.drivers/ALSA-hda-Add-HP-ZBook-15u-G3-Conexant-CX20724-GPIO-m6
-rw-r--r--patches.drivers/ib-qib-add-device-specific-info-prints.patch6
-rw-r--r--patches.fixes/Fix-up-non-directory-creation-in-SGID-directories.patch52
-rw-r--r--patches.fixes/ovl-fix-random-return-value-on-mount.patch43
-rw-r--r--patches.fixes/ovl-fix-uid-gid-when-creating-over-whiteout.patch61
-rw-r--r--patches.fixes/ovl-override-creds-with-the-ones-from-the-superblock.patch346
-rw-r--r--patches.kernel.org/4.4.139-001-xfrm6-avoid-potential-infinite-loop-in-_decod.patch103
-rw-r--r--patches.kernel.org/4.4.139-002-netfilter-ebtables-handle-string-from-userspa.patch106
-rw-r--r--patches.kernel.org/4.4.139-003-ipvs-fix-buffer-overflow-with-sync-daemon-and.patch152
-rw-r--r--patches.kernel.org/4.4.139-004-atm-zatm-fix-memcmp-casting.patch40
-rw-r--r--patches.kernel.org/4.4.139-005-net-qmi_wwan-Add-Netgear-Aircard-779S.patch39
-rw-r--r--patches.kernel.org/4.4.139-006-net-sonic-Use-dma_mapping_error.patch40
-rw-r--r--patches.kernel.org/4.4.139-007-Revert-Btrfs-fix-scrub-to-repair-raid6-corrup.patch73
-rw-r--r--patches.kernel.org/4.4.139-008-tcp-do-not-overshoot-window_clamp-in-tcp_rcv_.patch48
-rw-r--r--patches.kernel.org/4.4.139-009-Btrfs-make-raid6-rebuild-retry-more.patch98
-rw-r--r--patches.kernel.org/4.4.139-010-usb-musb-fix-remote-wakeup-racing-with-suspen.patch139
-rw-r--r--patches.kernel.org/4.4.139-011-bonding-re-evaluate-force_primary-when-the-pr.patch39
-rw-r--r--patches.kernel.org/4.4.139-012-tcp-verify-the-checksum-of-the-first-data-seg.patch69
-rw-r--r--patches.kernel.org/4.4.139-013-ext4-update-mtime-in-ext4_punch_hole-even-if-.patch81
-rw-r--r--patches.kernel.org/4.4.139-014-ext4-fix-fencepost-error-in-check-for-inode-c.patch43
-rw-r--r--patches.kernel.org/4.4.139-015-driver-core-Don-t-ignore-class_dir_create_and.patch84
-rw-r--r--patches.kernel.org/4.4.139-016-btrfs-scrub-Don-t-use-inode-pages-for-device-.patch72
-rw-r--r--patches.kernel.org/4.4.139-017-ALSA-hda-Handle-kzalloc-failure-in-snd_hda_at.patch52
-rw-r--r--patches.kernel.org/4.4.139-018-ALSA-hda-add-dock-and-led-support-for-HP-Elit.patch (renamed from patches.drivers/ALSA-hda-add-dock-and-led-support-for-HP-EliteBook-8)16
-rw-r--r--patches.kernel.org/4.4.139-019-ALSA-hda-add-dock-and-led-support-for-HP-ProB.patch (renamed from patches.drivers/ALSA-hda-add-dock-and-led-support-for-HP-ProBook-640)16
-rw-r--r--patches.kernel.org/4.4.139-020-cpufreq-Fix-new-policy-initialization-during-.patch56
-rw-r--r--patches.kernel.org/4.4.139-021-libata-zpodd-make-arrays-cdb-static-reduces-o.patch54
-rw-r--r--patches.kernel.org/4.4.139-022-libata-zpodd-small-read-overflow-in-eject_tra.patch38
-rw-r--r--patches.kernel.org/4.4.139-023-libata-Drop-SanDisk-SD7UB3Q-G1001-NOLPM-quirk.patch61
-rw-r--r--patches.kernel.org/4.4.139-024-w1-mxc_w1-Enable-clock-before-calling-clk_get.patch73
-rw-r--r--patches.kernel.org/4.4.139-025-fs-binfmt_misc.c-do-not-allow-offset-overflow.patch (renamed from patches.fixes/fs-binfmt_misc-c-do-not-allow-offset-overflow.patch)14
-rw-r--r--patches.kernel.org/4.4.139-026-x86-spectre_v1-Disable-compiler-optimizations.patch (renamed from patches.suse/x86-spectre_v1-Disable-compiler-optimizations-over-a.patch)20
-rw-r--r--patches.kernel.org/4.4.139-027-m68k-mm-Adjust-VM-area-to-be-unmapped-by-gap-.patch62
-rw-r--r--patches.kernel.org/4.4.139-028-serial-sh-sci-Use-spin_-try-lock_irqsave-inst.patch109
-rw-r--r--patches.kernel.org/4.4.139-029-signal-xtensa-Consistenly-use-SIGBUS-in-do_un.patch44
-rw-r--r--patches.kernel.org/4.4.139-030-usb-do-not-reset-if-a-low-speed-or-full-speed.patch43
-rw-r--r--patches.kernel.org/4.4.139-031-1wire-family-module-autoload-fails-because-of.patch41
-rw-r--r--patches.kernel.org/4.4.139-032-ASoC-dapm-delete-dapm_kcontrol_data-paths-lis.patch44
-rw-r--r--patches.kernel.org/4.4.139-033-ASoC-cirrus-i2s-Fix-LRCLK-configuration.patch89
-rw-r--r--patches.kernel.org/4.4.139-034-ASoC-cirrus-i2s-Fix-TX-RX-LinCtrlData-setup.patch90
-rw-r--r--patches.kernel.org/4.4.139-035-lib-vsprintf-Remove-atomic-unsafe-support-for.patch87
-rw-r--r--patches.kernel.org/4.4.139-036-mips-ftrace-fix-static-function-graph-tracing.patch85
-rw-r--r--patches.kernel.org/4.4.139-037-branch-check-fix-long-int-truncation-when-pro.patch47
-rw-r--r--patches.kernel.org/4.4.139-038-ipmi-bt-Set-the-timeout-before-doing-a-capabi.patch47
-rw-r--r--patches.kernel.org/4.4.139-039-Bluetooth-hci_qca-Avoid-missing-rampatch-fail.patch48
-rw-r--r--patches.kernel.org/4.4.139-040-fuse-atomic_o_trunc-should-truncate-pagecache.patch57
-rw-r--r--patches.kernel.org/4.4.139-041-fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_s.patch46
-rw-r--r--patches.kernel.org/4.4.139-042-fuse-fix-control-dir-setup-and-teardown.patch73
-rw-r--r--patches.kernel.org/4.4.139-043-powerpc-mm-hash-Add-missing-isync-prior-to-ke.patch69
-rw-r--r--patches.kernel.org/4.4.139-044-powerpc-ptrace-Fix-setting-512B-aligned-break.patch48
-rw-r--r--patches.kernel.org/4.4.139-045-powerpc-ptrace-Fix-enforcement-of-DAWR-constr.patch46
-rw-r--r--patches.kernel.org/4.4.139-046-cpuidle-powernv-Fix-promotion-from-snooze-if-.patch152
-rw-r--r--patches.kernel.org/4.4.139-047-powerpc-fadump-Unregister-fadump-on-kexec-dow.patch44
-rw-r--r--patches.kernel.org/4.4.139-048-ARM-8764-1-kgdb-fix-NUMREGBYTES-so-that-gdb_r.patch51
-rw-r--r--patches.kernel.org/4.4.139-049-of-unittest-for-strings-account-for-trailing-.patch69
-rw-r--r--patches.kernel.org/4.4.139-050-IB-qib-Fix-DMA-api-warning-with-debug-kernel.patch162
-rw-r--r--patches.kernel.org/4.4.139-051-RDMA-mlx4-Discard-unknown-SQP-work-requests.patch37
-rw-r--r--patches.kernel.org/4.4.139-052-mtd-cfi_cmdset_0002-Change-write-buffer-to-ch.patch51
-rw-r--r--patches.kernel.org/4.4.139-053-mtd-cfi_cmdset_0002-Use-right-chip-in-do_ppb_.patch62
-rw-r--r--patches.kernel.org/4.4.139-054-mtd-cfi_cmdset_0002-fix-SEGV-unlocking-multip.patch59
-rw-r--r--patches.kernel.org/4.4.139-055-mtd-cfi_cmdset_0002-Fix-unlocking-requests-cr.patch42
-rw-r--r--patches.kernel.org/4.4.139-056-mtd-cfi_cmdset_0002-Avoid-walking-all-chips-w.patch38
-rw-r--r--patches.kernel.org/4.4.139-057-MIPS-BCM47XX-Enable-74K-Core-ExternalSync-for.patch91
-rw-r--r--patches.kernel.org/4.4.139-058-PCI-pciehp-Clear-Presence-Detect-and-Data-Lin.patch93
-rw-r--r--patches.kernel.org/4.4.139-059-MIPS-io-Add-barrier-after-register-read-in-in.patch50
-rw-r--r--patches.kernel.org/4.4.139-060-time-Make-sure-jiffies_to_msecs-preserves-non.patch74
-rw-r--r--patches.kernel.org/4.4.139-061-Btrfs-fix-clone-vs-chattr-NODATASUM-race.patch74
-rw-r--r--patches.kernel.org/4.4.139-062-iio-buffer-make-length-types-match-kfifo-type.patch83
-rw-r--r--patches.kernel.org/4.4.139-063-scsi-qla2xxx-Fix-setting-lower-transfer-speed.patch47
-rw-r--r--patches.kernel.org/4.4.139-064-scsi-zfcp-fix-missing-SCSI-trace-for-result-o.patch149
-rw-r--r--patches.kernel.org/4.4.139-065-scsi-zfcp-fix-missing-SCSI-trace-for-retry-of.patch107
-rw-r--r--patches.kernel.org/4.4.139-066-scsi-zfcp-fix-misleading-REC-trigger-trace-wh.patch122
-rw-r--r--patches.kernel.org/4.4.139-067-scsi-zfcp-fix-missing-REC-trigger-trace-on-te.patch121
-rw-r--r--patches.kernel.org/4.4.139-068-scsi-zfcp-fix-missing-REC-trigger-trace-on-te.patch133
-rw-r--r--patches.kernel.org/4.4.139-069-scsi-zfcp-fix-missing-REC-trigger-trace-for-a.patch190
-rw-r--r--patches.kernel.org/4.4.139-070-scsi-zfcp-fix-missing-REC-trigger-trace-on-en.patch63
-rw-r--r--patches.kernel.org/4.4.139-071-linvdimm-pmem-Preserve-read-only-setting-for-.patch80
-rw-r--r--patches.kernel.org/4.4.139-072-md-fix-two-problems-with-setting-the-re-add-d.patch (renamed from patches.fixes/0003-md-fix-two-problems-with-setting-the-re-add-device-s.patch)25
-rw-r--r--patches.kernel.org/4.4.139-073-ubi-fastmap-Cancel-work-upon-detach.patch74
-rw-r--r--patches.kernel.org/4.4.139-074-UBIFS-Fix-potential-integer-overflow-in-alloc.patch40
-rw-r--r--patches.kernel.org/4.4.139-075-xfrm-Ignore-socket-policies-when-rebuilding-h.patch52
-rw-r--r--patches.kernel.org/4.4.139-076-xfrm-skip-policies-marked-as-dead-while-rehas.patch70
-rw-r--r--patches.kernel.org/4.4.139-077-backlight-as3711_bl-Fix-Device-Tree-node-look.patch113
-rw-r--r--patches.kernel.org/4.4.139-078-backlight-max8925_bl-Fix-Device-Tree-node-loo.patch52
-rw-r--r--patches.kernel.org/4.4.139-079-backlight-tps65217_bl-Fix-Device-Tree-node-lo.patch48
-rw-r--r--patches.kernel.org/4.4.139-080-mfd-intel-lpss-Program-REMAP-register-in-PIO-.patch46
-rw-r--r--patches.kernel.org/4.4.139-081-perf-tools-Fix-symbol-and-object-code-resolut.patch42
-rw-r--r--patches.kernel.org/4.4.139-082-perf-intel-pt-Fix-sync_switch-INTEL_PT_SS_NOT.patch41
-rw-r--r--patches.kernel.org/4.4.139-083-perf-intel-pt-Fix-decoding-to-accept-CBR-betw.patch49
-rw-r--r--patches.kernel.org/4.4.139-084-perf-intel-pt-Fix-MTC-timing-after-overflow.patch39
-rw-r--r--patches.kernel.org/4.4.139-085-perf-intel-pt-Fix-Unexpected-indirect-branch-.patch134
-rw-r--r--patches.kernel.org/4.4.139-086-perf-intel-pt-Fix-packet-decoding-of-CYC-pack.patch38
-rw-r--r--patches.kernel.org/4.4.139-087-media-v4l2-compat-ioctl32-prevent-go-past-max.patch38
-rw-r--r--patches.kernel.org/4.4.139-088-media-cx231xx-Add-support-for-AverMedia-DVD-E.patch41
-rw-r--r--patches.kernel.org/4.4.139-089-media-dvb_frontend-fix-locking-issues-at-dvb_.patch79
-rw-r--r--patches.kernel.org/4.4.139-090-nfsd-restrict-rd_maxcount-to-svc_max_payload-.patch53
-rw-r--r--patches.kernel.org/4.4.139-091-NFSv4-Fix-possible-1-byte-stack-overflow-in-n.patch83
-rw-r--r--patches.kernel.org/4.4.139-092-video-uvesafb-Fix-integer-overflow-in-allocat.patch39
-rw-r--r--patches.kernel.org/4.4.139-093-Input-elan_i2c-add-ELAN0618-Lenovo-v330-15IKB.patch36
-rw-r--r--patches.kernel.org/4.4.139-094-xen-Remove-unnecessary-BUG_ON-from-__unbind_f.patch45
-rw-r--r--patches.kernel.org/4.4.139-095-udf-Detect-incorrect-directory-size.patch41
-rw-r--r--patches.kernel.org/4.4.139-096-Input-elan_i2c_smbus-fix-more-potential-stack.patch105
-rw-r--r--patches.kernel.org/4.4.139-097-Input-elantech-enable-middle-button-of-touchp.patch53
-rw-r--r--patches.kernel.org/4.4.139-098-Input-elantech-fix-V4-report-decoding-for-mod.patch38
-rw-r--r--patches.kernel.org/4.4.139-099-ALSA-hda-realtek-Add-a-quirk-for-FSC-ESPRIMO-.patch (renamed from patches.drivers/ALSA-hda-realtek-Add-a-quirk-for-FSC-ESPRIMO-U9210)14
-rw-r--r--patches.kernel.org/4.4.139-100-Btrfs-fix-unexpected-cow-in-run_delalloc_noco.patch98
-rw-r--r--patches.kernel.org/4.4.139-101-spi-Fix-scatterlist-elements-size-in-spi_map_.patch56
-rw-r--r--patches.kernel.org/4.4.139-102-block-Fix-transfer-when-chunk-sectors-exceeds.patch43
-rw-r--r--patches.kernel.org/4.4.139-103-dm-thin-handle-running-out-of-data-space-vs-c.patch98
-rw-r--r--patches.kernel.org/4.4.139-104-cdc_ncm-avoid-padding-beyond-end-of-skb.patch121
-rw-r--r--patches.kernel.org/4.4.139-105-Bluetooth-Fix-connection-if-directed-advertis.patch299
-rw-r--r--patches.kernel.org/4.4.139-106-Linux-4.4.139.patch27
-rw-r--r--patches.suse/btrfs-0287-fix-race-between-block-group-relocation-and-no.patch16
-rw-r--r--patches.suse/x86-speculation-Fix-up-array_index_nospec_mask-asm-c.patch2
-rw-r--r--series.conf124
125 files changed, 7919 insertions, 1956 deletions
diff --git a/blacklist.conf b/blacklist.conf
index b0e56755f7..e76550cf0b 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -402,3 +402,4 @@ fc218544fbc800d1c91348ec834cacfb257348f7 # requires major changes to libceph fro
16001c10725e11b73b8518f42e414506bf73c291 # Preliminary patches are missing
ab1068d6866e28bf6427ceaea681a381e5870a4a # iwlwifi: not applicable
dc82e52492f684dcd5ed9e4773e72dbf2203d75e # ALSA core: breaks kABI
+92397a6c38d139d50fabbe9e2dc09b61d53b2377 # the backport of c043ec1ca5ba does not need this
diff --git a/patches.arch/s390-sles12sp3-17-01-01-zfcp-missing-SCSI-trace-result-eh_host_reset.patch b/patches.arch/s390-sles12sp3-17-01-01-zfcp-missing-SCSI-trace-result-eh_host_reset.patch
deleted file mode 100644
index caaab64252..0000000000
--- a/patches.arch/s390-sles12sp3-17-01-01-zfcp-missing-SCSI-trace-result-eh_host_reset.patch
+++ /dev/null
@@ -1,285 +0,0 @@
-From: Steffen Maier <maier@linux.ibm.com>
-Subject: scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler
-Patch-mainline: v4.18-rc1
-Git-commit: df30781699f53e4fd4c494c6f7dd16e3d5c21d30
-References: bnc#1099713, LTC#168765
-
-Description: zfcp: fix tracing regressions, part 3
-Symptom: Cannot determine result of eh_host_reset_handler.
-
- Cannot see if and when zfcp retries abort or task management
- functions (LUN/target reset) while synchronizing scsi_eh and
- zfcp-internal recovery.
-
- Confusing zfcp ERP trace record if a SCSI device is deleted
- during scsi_eh host reset.
-
- Cannot determine that our terminate_rport_io callback was
- invoked if it returned early.
-
- Cannot determine that our terminate_rport_io callback was
- invoked if a long fast_io_fail_tmo was configured (typically
- longer than 12 seconds, e.g. 27 seconds).
-
- Cannot determine if something wanted to enqueue zfcp recovery
- for an object (adapter/port regular/unit) in ERP_FAILED state.
-
- Cannot determine if something wanted to enqueue zfcp recovery
- but no zfcp ERP thread was running.
-Problem: v2.6.35 commit a1dbfddd02d2 ("[SCSI] zfcp: Pass return code
- from fc_block_scsi_eh to scsi eh") introduced the first
- return with something other than the previously hardcoded
- single SUCCESS return path.
-
- Due to zfcp_erp_wait() and fc_block_scsi_eh() time can pass
- between the start of our eh callback and an actual send/recv
- of an abort / TMF request.
-
- If a SCSI device is deleted during scsi_eh host reset, we
- cannot get a reference to the SCSI device anymore since
- scsi_device_get returns !=0 by design. Assuming the recovery
- of adapter and port(s) was successful,
- zfcp_erp_strategy_followup_success() attempts to trigger a
- LUN reset for the half-gone SCSI device. However,
- zfcp_erp_setup_act() returns NULL as it cannot get the
- reference. Hence, zfcp_erp_action_enqueue() takes an early
- goto out and _NO_ recovery actually happens, but it writes a
- confusing trace record which states that zfcp will do a LUN
- recovery as "ERP need" is ZFCP_ERP_ACTION_REOPEN_LUN == 1 and
- equals "ERP want".
- Before v2.6.38 commit ae0904f60fab ("[SCSI] zfcp: Redesign of
- the debug tracing for recovery actions.") we could detect
- this case because the "erp_action" field in the trace was
- NULL. The rework removed erp_action as argument and field
- from the trace.
-
- If we get an fc_rport in terminate_rport_io() for which we
- cannot find a match within zfcp_get_port_by_wwpn(), the
- latter can return NULL. v2.6.30 commit 70932935b61e ("[SCSI]
- zfcp: Fix oops when port disappears") introduced an early
- return without adding a trace record for this case.
-
- After target cable pull: The ADISC for "link" test times out
- after typically 4 seconds. The open port recovery times out
- after typically 8 seconds, causing zfcp_port.status to
- contain ERP_FAILED. zfcp_scsi_terminate_rport_io() tries to
- enqueue forced port recovery, but due to ERP_FAILED this
- resulted in a silent early return.
-
- Trying to enqueue recovery for adapter / port regular / LUN
- resulted in silent early returns.
-
- Trying to enqueue recovery if no ERP thread was running
- resulted in silent early returns.
-Solution: Write trace record in zfcp area SCSI and re-use SCSI result
- field to contain the return value of eh_host_reset_handler.
-
- Add a trace before calling the two blocking functions
- zfcp_erp_wait() and fc_block_scsi_eh().
-
- Introduce an eyecatcher "flag" to mark the "ERP need" as 'not
- needed' but still keep the information which erp_action type,
- that zfcp_erp_required_act() had decided upon, is needed.
- 0xc_ is chosen to be visibly different from 0x0_ in "ERP
- want".
-
- Write trace record in zfcp area REC with "ERP need" none.
-
- Write trace record in zfcp area REC with "ERP need" 0xe0.
-
- zfcp_erp_action_enqueue() already had two early outs which
- re-used the one zfcp_dbf_rec_trig() call. All ERP trigger
- functions finally run through zfcp_erp_action_enqueue(). So
- move the special handling for ZFCP_STATUS_COMMON_ERP_FAILED
- into zfcp_erp_action_enqueue() and add another early out with
- new trace marker for pseudo ERP need in this case. This
- removes all early returns from all ERP trigger functions so
- we always end up at zfcp_dbf_rec_trig().
-
- Write trace record in zfcp area REC with "ERP need" 0xc0.
-Reproduction: If NPIV is not enabled with subchannel, ensure that your
- subchannel is the only one active on the entire channel.
- Set eh_deadline to a short enough time interval, e.g. 5
- seconds (before FCP device online: scsi_mod.eh_deadline=5).
- Enable RSCN suppression on the SAN switch port beyond the
- first link, i.e. towards the storage target. Disable that
- switch port. Send one SCSI command to the single path SCSI
- disk of that port in the background (because it will block
- for a while) e.g. via "dd if=/dev/sd... of=/dev/null
- iflag=direct count=1 &". After <SCSI command timeout>
- seconds, the command runs into the timeout. Due to the short
- eh_deadline, the SCSI midlayer immediately performs SCSI host
- reset. After the corresponding adapter recovery, the new
- trace record "schrh_r" appears.
-
- Difficult to reproduce as we need to have a SCSI command time
- out once (abort) or twice (scsi_eh), and timely have to
- prevent sending of the abort or TMF. Examples to prevent
- sending is severe memory pressure, or zfcp-internal recovery
- of the zfcp unit (e.g. write 0 to failed sysfs attribute) or
- of the target port (depending on potentially escalated
- scsi_eh scope) so the zfcp object is blocked.
-
- Difficult to reproduce as we need to get into scsi_eh, fully
- escalate to host reset, and something has to timely delete a
- SCSI device of this Scsi_Host.
-
- Disable auto port REscan with zfcp.no_auto_port_rescan=1. Let
- always enabled zfcp auto port scan attach a target remote
- port without attaching LUNs to it (zfcp.allow_lun_scan=0 and
- no explicit zfcp unit_add). Use zfcp port_remove to remove
- such target port again. After fast_io_fail_tmo or
- dev_loss_tmo, the new trace record "sctrpin" can appear.
-
- If NPIV is not enabled with subchannel, ensure that your
- subchannel is the only one active on the entire channel.
- Configure a large enough fast_io_fail_tmo, e.g. 27 seconds.
- Pull cable at target side. Wait until fast_io_fail_tmo runs
- out and with the fix a zfcp trace "sctrpi1" with "ERP need"
- 0xe0 must appear in the REC area. (for shared non-NPIV
- subchannels, only the first subchannel, that happens to
- complete the corresponding code path, ends up in this
- particular case)
-
- Difficult to reproduce as we need a "soft" recovery trigger
- that does not clear ERP_FAILED (as opposed to e.g. failed
- sysfs attribute).
-
- No known reproduction.
-
-Upstream-Description:
-
- scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler
-
- For problem determination we need to see whether and why we were successful
- or not. This allows deduction of scsi_eh escalation.
-
- Example trace record formatted with zfcpdbf from s390-tools:
-
- Timestamp : ...
- Area : SCSI
- Subarea : 00
- Level : 1
- Exception : -
- CPU ID : ..
- Caller : 0x...
- Record ID : 1
- Tag : schrh_r SCSI host reset handler result
- Request ID : 0x0000000000000000 none (invalid)
- SCSI ID : 0xffffffff none (invalid)
- SCSI LUN : 0xffffffff none (invalid)
- SCSI LUN high : 0xffffffff none (invalid)
- SCSI result : 0x00002002 field re-used for midlayer value: SUCCESS
- or in other cases: 0x2009 == FAST_IO_FAIL
- SCSI retries : 0xff none (invalid)
- SCSI allowed : 0xff none (invalid)
- SCSI scribble : 0xffffffffffffffff none (invalid)
- SCSI opcode : ffffffff ffffffff ffffffff ffffffff none (invalid)
- FCP rsp inf cod: 0xff none (invalid)
- FCP rsp IU : 00000000 00000000 00000000 00000000 none (invalid)
- 00000000 00000000
-
- v2.6.35 commit a1dbfddd02d2 ("[SCSI] zfcp: Pass return code from
- fc_block_scsi_eh to scsi eh") introduced the first return with something
- other than the previously hardcoded single SUCCESS return path.
-
- Signed-off-by: Steffen Maier <maier@linux.ibm.com>
- Fixes: a1dbfddd02d2 ("[SCSI] zfcp: Pass return code from fc_block_scsi_eh to scsi eh")
- Cc: <stable@vger.kernel.org> #2.6.38+
- Reviewed-by: Jens Remus <jremus@linux.ibm.com>
- Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
- Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-
-
-Signed-off-by: Steffen Maier <maier@linux.ibm.com>
-Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
----
- drivers/s390/scsi/zfcp_dbf.c | 40 ++++++++++++++++++++++++++++++++++++++++
- drivers/s390/scsi/zfcp_ext.h | 2 ++
- drivers/s390/scsi/zfcp_scsi.c | 11 ++++++-----
- 3 files changed, 48 insertions(+), 5 deletions(-)
-
---- a/drivers/s390/scsi/zfcp_dbf.c
-+++ b/drivers/s390/scsi/zfcp_dbf.c
-@@ -625,6 +625,46 @@ void zfcp_dbf_scsi(char *tag, int level,
- spin_unlock_irqrestore(&dbf->scsi_lock, flags);
- }
-
-+/**
-+ * zfcp_dbf_scsi_eh() - Trace event for special cases of scsi_eh callbacks.
-+ * @tag: Identifier for event.
-+ * @adapter: Pointer to zfcp adapter as context for this event.
-+ * @scsi_id: SCSI ID/target to indicate scope of task management function (TMF).
-+ * @ret: Return value of calling function.
-+ *
-+ * This SCSI trace variant does not depend on any of:
-+ * scsi_cmnd, zfcp_fsf_req, scsi_device.
-+ */
-+void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter,
-+ unsigned int scsi_id, int ret)
-+{
-+ struct zfcp_dbf *dbf = adapter->dbf;
-+ struct zfcp_dbf_scsi *rec = &dbf->scsi_buf;
-+ unsigned long flags;
-+ static int const level = 1;
-+
-+ if (unlikely(!debug_level_enabled(adapter->dbf->scsi, level)))
-+ return;
-+
-+ spin_lock_irqsave(&dbf->scsi_lock, flags);
-+ memset(rec, 0, sizeof(*rec));
-+
-+ memcpy(rec->tag, tag, ZFCP_DBF_TAG_LEN);
-+ rec->id = ZFCP_DBF_SCSI_CMND;
-+ rec->scsi_result = ret; /* re-use field, int is 4 bytes and fits */
-+ rec->scsi_retries = ~0;
-+ rec->scsi_allowed = ~0;
-+ rec->fcp_rsp_info = ~0;
-+ rec->scsi_id = scsi_id;
-+ rec->scsi_lun = (u32)ZFCP_DBF_INVALID_LUN;
-+ rec->scsi_lun_64_hi = (u32)(ZFCP_DBF_INVALID_LUN >> 32);
-+ rec->host_scribble = ~0;
-+ memset(rec->scsi_opcode, 0xff, ZFCP_DBF_SCSI_OPCODE);
-+
-+ debug_event(dbf->scsi, level, rec, sizeof(*rec));
-+ spin_unlock_irqrestore(&dbf->scsi_lock, flags);
-+}
-+
- static debug_info_t *zfcp_dbf_reg(const char *name, int size, int rec_size)
- {
- struct debug_info *d;
---- a/drivers/s390/scsi/zfcp_ext.h
-+++ b/drivers/s390/scsi/zfcp_ext.h
-@@ -52,6 +52,8 @@ extern void zfcp_dbf_san_res(char *, str
- extern void zfcp_dbf_san_in_els(char *, struct zfcp_fsf_req *);
- extern void zfcp_dbf_scsi(char *, int, struct scsi_cmnd *,
- struct zfcp_fsf_req *);
-+extern void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter,
-+ unsigned int scsi_id, int ret);
-
- /* zfcp_erp.c */
- extern void zfcp_erp_set_adapter_status(struct zfcp_adapter *, u32);
---- a/drivers/s390/scsi/zfcp_scsi.c
-+++ b/drivers/s390/scsi/zfcp_scsi.c
-@@ -322,15 +322,16 @@ static int zfcp_scsi_eh_host_reset_handl
- {
- struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(scpnt->device);
- struct zfcp_adapter *adapter = zfcp_sdev->port->adapter;
-- int ret;
-+ int ret = SUCCESS, fc_ret;
-
- zfcp_erp_adapter_reopen(adapter, 0, "schrh_1");
- zfcp_erp_wait(adapter);
-- ret = fc_block_scsi_eh(scpnt);
-- if (ret)
-- return ret;
-+ fc_ret = fc_block_scsi_eh(scpnt);
-+ if (fc_ret)
-+ ret = fc_ret;
-
-- return SUCCESS;
-+ zfcp_dbf_scsi_eh("schrh_r", adapter, ~0, ret);
-+ return ret;
- }
-
- struct scsi_transport_template *zfcp_scsi_transport_template;
diff --git a/patches.arch/s390-sles12sp3-17-01-02-zfcp-missing-SCSI-trace-retry-abort-TMF.patch b/patches.arch/s390-sles12sp3-17-01-02-zfcp-missing-SCSI-trace-retry-abort-TMF.patch
deleted file mode 100644
index 376f100f4a..0000000000
--- a/patches.arch/s390-sles12sp3-17-01-02-zfcp-missing-SCSI-trace-retry-abort-TMF.patch
+++ /dev/null
@@ -1,247 +0,0 @@
-From: Steffen Maier <maier@linux.ibm.com>
-Subject: scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF
-Patch-mainline: v4.18-rc1
-Git-commit: 81979ae63e872ef650a7197f6ce6590059d37172
-References: bnc#1099713, LTC#168765
-
-Description: zfcp: fix tracing regressions, part 3
-Symptom: Cannot determine result of eh_host_reset_handler.
-
- Cannot see if and when zfcp retries abort or task management
- functions (LUN/target reset) while synchronizing scsi_eh and
- zfcp-internal recovery.
-
- Confusing zfcp ERP trace record if a SCSI device is deleted
- during scsi_eh host reset.
-
- Cannot determine that our terminate_rport_io callback was
- invoked if it returned early.
-
- Cannot determine that our terminate_rport_io callback was
- invoked if a long fast_io_fail_tmo was configured (typically
- longer than 12 seconds, e.g. 27 seconds).
-
- Cannot determine if something wanted to enqueue zfcp recovery
- for an object (adapter/port regular/unit) in ERP_FAILED state.
-
- Cannot determine if something wanted to enqueue zfcp recovery
- but no zfcp ERP thread was running.
-Problem: v2.6.35 commit a1dbfddd02d2 ("[SCSI] zfcp: Pass return code
- from fc_block_scsi_eh to scsi eh") introduced the first
- return with something other than the previously hardcoded
- single SUCCESS return path.
-
- Due to zfcp_erp_wait() and fc_block_scsi_eh() time can pass
- between the start of our eh callback and an actual send/recv
- of an abort / TMF request.
-
- If a SCSI device is deleted during scsi_eh host reset, we
- cannot get a reference to the SCSI device anymore since
- scsi_device_get returns !=0 by design. Assuming the recovery
- of adapter and port(s) was successful,
- zfcp_erp_strategy_followup_success() attempts to trigger a
- LUN reset for the half-gone SCSI device. However,
- zfcp_erp_setup_act() returns NULL as it cannot get the
- reference. Hence, zfcp_erp_action_enqueue() takes an early
- goto out and _NO_ recovery actually happens, but it writes a
- confusing trace record which states that zfcp will do a LUN
- recovery as "ERP need" is ZFCP_ERP_ACTION_REOPEN_LUN == 1 and
- equals "ERP want".
- Before v2.6.38 commit ae0904f60fab ("[SCSI] zfcp: Redesign of
- the debug tracing for recovery actions.") we could detect
- this case because the "erp_action" field in the trace was
- NULL. The rework removed erp_action as argument and field
- from the trace.
-
- If we get an fc_rport in terminate_rport_io() for which we
- cannot find a match within zfcp_get_port_by_wwpn(), the
- latter can return NULL. v2.6.30 commit 70932935b61e ("[SCSI]
- zfcp: Fix oops when port disappears") introduced an early
- return without adding a trace record for this case.
-
- After target cable pull: The ADISC for "link" test times out
- after typically 4 seconds. The open port recovery times out
- after typically 8 seconds, causing zfcp_port.status to
- contain ERP_FAILED. zfcp_scsi_terminate_rport_io() tries to
- enqueue forced port recovery, but due to ERP_FAILED this
- resulted in a silent early return.
-
- Trying to enqueue recovery for adapter / port regular / LUN
- resulted in silent early returns.
-
- Trying to enqueue recovery if no ERP thread was running
- resulted in silent early returns.
-Solution: Write trace record in zfcp area SCSI and re-use SCSI result
- field to contain the return value of eh_host_reset_handler.
-
- Add a trace before calling the two blocking functions
- zfcp_erp_wait() and fc_block_scsi_eh().
-
- Introduce an eyecatcher "flag" to mark the "ERP need" as 'not
- needed' but still keep the information which erp_action type,
- that zfcp_erp_required_act() had decided upon, is needed.
- 0xc_ is chosen to be visibly different from 0x0_ in "ERP
- want".
-
- Write trace record in zfcp area REC with "ERP need" none.
-
- Write trace record in zfcp area REC with "ERP need" 0xe0.
-
- zfcp_erp_action_enqueue() already had two early outs which
- re-used the one zfcp_dbf_rec_trig() call. All ERP trigger
- functions finally run through zfcp_erp_action_enqueue(). So
- move the special handling for ZFCP_STATUS_COMMON_ERP_FAILED
- into zfcp_erp_action_enqueue() and add another early out with
- new trace marker for pseudo ERP need in this case. This
- removes all early returns from all ERP trigger functions so
- we always end up at zfcp_dbf_rec_trig().
-
- Write trace record in zfcp area REC with "ERP need" 0xc0.
-Reproduction: If NPIV is not enabled with subchannel, ensure that your
- subchannel is the only one active on the entire channel.
- Set eh_deadline to a short enough time interval, e.g. 5
- seconds (before FCP device online: scsi_mod.eh_deadline=5).
- Enable RSCN suppression on the SAN switch port beyond the
- first link, i.e. towards the storage target. Disable that
- switch port. Send one SCSI command to the single path SCSI
- disk of that port in the background (because it will block
- for a while) e.g. via "dd if=/dev/sd... of=/dev/null
- iflag=direct count=1 &". After <SCSI command timeout>
- seconds, the command runs into the timeout. Due to the short
- eh_deadline, the SCSI midlayer immediately performs SCSI host
- reset. After the corresponding adapter recovery, the new
- trace record "schrh_r" appears.
-
- Difficult to reproduce as we need to have a SCSI command time
- out once (abort) or twice (scsi_eh), and timely have to
- prevent sending of the abort or TMF. Examples to prevent
- sending is severe memory pressure, or zfcp-internal recovery
- of the zfcp unit (e.g. write 0 to failed sysfs attribute) or
- of the target port (depending on potentially escalated
- scsi_eh scope) so the zfcp object is blocked.
-
- Difficult to reproduce as we need to get into scsi_eh, fully
- escalate to host reset, and something has to timely delete a
- SCSI device of this Scsi_Host.
-
- Disable auto port REscan with zfcp.no_auto_port_rescan=1. Let
- always enabled zfcp auto port scan attach a target remote
- port without attaching LUNs to it (zfcp.allow_lun_scan=0 and
- no explicit zfcp unit_add). Use zfcp port_remove to remove
- such target port again. After fast_io_fail_tmo or
- dev_loss_tmo, the new trace record "sctrpin" can appear.
-
- If NPIV is not enabled with subchannel, ensure that your
- subchannel is the only one active on the entire channel.
- Configure a large enough fast_io_fail_tmo, e.g. 27 seconds.
- Pull cable at target side. Wait until fast_io_fail_tmo runs
- out and with the fix a zfcp trace "sctrpi1" with "ERP need"
- 0xe0 must appear in the REC area. (for shared non-NPIV
- subchannels, only the first subchannel, that happens to
- complete the corresponding code path, ends up in this
- particular case)
-
- Difficult to reproduce as we need a "soft" recovery trigger
- that does not clear ERP_FAILED (as opposed to e.g. failed
- sysfs attribute).
-
- No known reproduction.
-
-Upstream-Description:
-
- scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF
-
- We already have a SCSI trace for the end of abort and scsi_eh TMF. Due to
- zfcp_erp_wait() and fc_block_scsi_eh() time can pass between the start of
- our eh callback and an actual send/recv of an abort / TMF request. In order
- to see the temporal sequence including any abort / TMF send retries, add a
- trace before the above two blocking functions. This supports problem
- determination with scsi_eh and parallel zfcp ERP.
-
- No need to explicitly trace the beginning of our eh callback, since we
- typically can send an abort / TMF and see its HBA response (in the worst
- case, it's a pseudo response on dismiss all of adapter recovery, e.g. due to
- an FSF request timeout [fsrth_1] of the abort / TMF). If we cannot send, we
- now get a trace record for the first "abrt_wt" or "[lt]r_wait" which denotes
- almost the beginning of the callback.
-
- No need to explicitly trace the wakeup after the above two blocking
- functions because the next retry loop causes another trace in any case and
- that is sufficient.
-
- Example trace records formatted with zfcpdbf from s390-tools:
-
- Timestamp : ...
- Area : SCSI
- Subarea : 00
- Level : 1
- Exception : -
- CPU ID : ..
- Caller : 0x...
- Record ID : 1
- Tag : abrt_wt abort, before zfcp_erp_wait()
- Request ID : 0x0000000000000000 none (invalid)
- SCSI ID : 0x<scsi_id>
- SCSI LUN : 0x<scsi_lun>
- SCSI LUN high : 0x<scsi_lun_high>
- SCSI result : 0x<scsi_result_of_cmd_to_be_aborted>
- SCSI retries : 0x<retries_of_cmd_to_be_aborted>
- SCSI allowed : 0x<allowed_retries_of_cmd_to_be_aborted>
- SCSI scribble : 0x<req_id_of_cmd_to_be_aborted>
- SCSI opcode : <CDB_of_cmd_to_be_aborted>
- FCP rsp inf cod: 0x.. none (invalid)
- FCP rsp IU : ... none (invalid)
-
- Timestamp : ...
- Area : SCSI
- Subarea : 00
- Level : 1
- Exception : -
- CPU ID : ..
- Caller : 0x...
- Record ID : 1
- Tag : lr_wait LUN reset, before zfcp_erp_wait()
- Request ID : 0x0000000000000000 none (invalid)
- SCSI ID : 0x<scsi_id>
- SCSI LUN : 0x<scsi_lun>
- SCSI LUN high : 0x<scsi_lun_high>
- SCSI result : 0x... unrelated
- SCSI retries : 0x.. unrelated
- SCSI allowed : 0x.. unrelated
- SCSI scribble : 0x... unrelated
- SCSI opcode : ... unrelated
- FCP rsp inf cod: 0x.. none (invalid)
- FCP rsp IU : ... none (invalid)
-
- Signed-off-by: Steffen Maier <maier@linux.ibm.com>
- Fixes: 63caf367e1c9 ("[SCSI] zfcp: Improve reliability of SCSI eh handlers in zfcp")
- Fixes: af4de36d911a ("[SCSI] zfcp: Block scsi_eh thread for rport state BLOCKED")
- Cc: <stable@vger.kernel.org> #2.6.38+
- Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
- Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-
-
-Signed-off-by: Steffen Maier <maier@linux.ibm.com>
-Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
----
- drivers/s390/scsi/zfcp_scsi.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/s390/scsi/zfcp_scsi.c
-+++ b/drivers/s390/scsi/zfcp_scsi.c
-@@ -180,6 +180,7 @@ static int zfcp_scsi_eh_abort_handler(st
- if (abrt_req)
- break;
-
-+ zfcp_dbf_scsi_abort("abrt_wt", scpnt, NULL);
- zfcp_erp_wait(adapter);
- ret = fc_block_scsi_eh(scpnt);
- if (ret) {
-@@ -276,6 +277,7 @@ static int zfcp_task_mgmt_function(struc
- if (fsf_req)
- break;
-
-+ zfcp_dbf_scsi_devreset("wait", scpnt, tm_flags, NULL);
- zfcp_erp_wait(adapter);
- ret = fc_block_scsi_eh(scpnt);
- if (ret) {
diff --git a/patches.arch/s390-sles12sp3-17-01-03-zfcp-misleading-REC-trig-trace-erp-setup-failed.patch b/patches.arch/s390-sles12sp3-17-01-03-zfcp-misleading-REC-trig-trace-erp-setup-failed.patch
deleted file mode 100644
index dcb7a3a8bb..0000000000
--- a/patches.arch/s390-sles12sp3-17-01-03-zfcp-misleading-REC-trig-trace-erp-setup-failed.patch
+++ /dev/null
@@ -1,262 +0,0 @@
-From: Steffen Maier <maier@linux.ibm.com>
-Subject: scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed
-Patch-mainline: v4.18-rc1
-Git-commit: 512857a795cbbda5980efa4cdb3c0b6602330408
-References: bnc#1099713, LTC#168765
-
-Description: zfcp: fix tracing regressions, part 3
-Symptom: Cannot determine result of eh_host_reset_handler.
-
- Cannot see if and when zfcp retries abort or task management
- functions (LUN/target reset) while synchronizing scsi_eh and
- zfcp-internal recovery.
-
- Confusing zfcp ERP trace record if a SCSI device is deleted
- during scsi_eh host reset.
-
- Cannot determine that our terminate_rport_io callback was
- invoked if it returned early.
-
- Cannot determine that our terminate_rport_io callback was
- invoked if a long fast_io_fail_tmo was configured (typically
- longer than 12 seconds, e.g. 27 seconds).
-
- Cannot determine if something wanted to enqueue zfcp recovery
- for an object (adapter/port regular/unit) in ERP_FAILED state.
-
- Cannot determine if something wanted to enqueue zfcp recovery
- but no zfcp ERP thread was running.
-Problem: v2.6.35 commit a1dbfddd02d2 ("[SCSI] zfcp: Pass return code
- from fc_block_scsi_eh to scsi eh") introduced the first
- return with something other than the previously hardcoded
- single SUCCESS return path.
-
- Due to zfcp_erp_wait() and fc_block_scsi_eh() time can pass
- between the start of our eh callback and an actual send/recv
- of an abort / TMF request.
-
- If a SCSI device is deleted during scsi_eh host reset, we
- cannot get a reference to the SCSI device anymore since
- scsi_device_get returns !=0 by design. Assuming the recovery
- of adapter and port(s) was successful,
- zfcp_erp_strategy_followup_success() attempts to trigger a
- LUN reset for the half-gone SCSI device. However,
- zfcp_erp_setup_act() returns NULL as it cannot get the
- reference. Hence, zfcp_erp_action_enqueue() takes an early
- goto out and _NO_ recovery actually happens, but it writes a
- confusing trace record which states that zfcp will do a LUN
- recovery as "ERP need" is ZFCP_ERP_ACTION_REOPEN_LUN == 1 and
- equals "ERP want".
- Before v2.6.38 commit ae0904f60fab ("[SCSI] zfcp: Redesign of
- the debug tracing for recovery actions.") we could detect
- this case because the "erp_action" field in the trace was
- NULL. The rework removed erp_action as argument and field
- from the trace.
-
- If we get an fc_rport in terminate_rport_io() for which we
- cannot find a match within zfcp_get_port_by_wwpn(), the
- latter can return NULL. v2.6.30 commit 70932935b61e ("[SCSI]
- zfcp: Fix oops when port disappears") introduced an early
- return without adding a trace record for this case.
-
- After target cable pull: The ADISC for "link" test times out
- after typically 4 seconds. The open port recovery times out
- after typically 8 seconds, causing zfcp_port.status to
- contain ERP_FAILED. zfcp_scsi_terminate_rport_io() tries to
- enqueue forced port recovery, but due to ERP_FAILED this
- resulted in a silent early return.
-
- Trying to enqueue recovery for adapter / port regular / LUN
- resulted in silent early returns.
-
- Trying to enqueue recovery if no ERP thread was running
- resulted in silent early returns.
-Solution: Write trace record in zfcp area SCSI and re-use SCSI result
- field to contain the return value of eh_host_reset_handler.
-
- Add a trace before calling the two blocking functions
- zfcp_erp_wait() and fc_block_scsi_eh().
-
- Introduce an eyecatcher "flag" to mark the "ERP need" as 'not
- needed' but still keep the information which erp_action type,
- that zfcp_erp_required_act() had decided upon, is needed.
- 0xc_ is chosen to be visibly different from 0x0_ in "ERP
- want".
-
- Write trace record in zfcp area REC with "ERP need" none.
-
- Write trace record in zfcp area REC with "ERP need" 0xe0.
-
- zfcp_erp_action_enqueue() already had two early outs which
- re-used the one zfcp_dbf_rec_trig() call. All ERP trigger
- functions finally run through zfcp_erp_action_enqueue(). So
- move the special handling for ZFCP_STATUS_COMMON_ERP_FAILED
- into zfcp_erp_action_enqueue() and add another early out with
- new trace marker for pseudo ERP need in this case. This
- removes all early returns from all ERP trigger functions so
- we always end up at zfcp_dbf_rec_trig().
-
- Write trace record in zfcp area REC with "ERP need" 0xc0.
-Reproduction: If NPIV is not enabled with subchannel, ensure that your
- subchannel is the only one active on the entire channel.
- Set eh_deadline to a short enough time interval, e.g. 5
- seconds (before FCP device online: scsi_mod.eh_deadline=5).
- Enable RSCN suppression on the SAN switch port beyond the
- first link, i.e. towards the storage target. Disable that
- switch port. Send one SCSI command to the single path SCSI
- disk of that port in the background (because it will block
- for a while) e.g. via "dd if=/dev/sd... of=/dev/null
- iflag=direct count=1 &". After <SCSI command timeout>
- seconds, the command runs into the timeout. Due to the short
- eh_deadline, the SCSI midlayer immediately performs SCSI host
- reset. After the corresponding adapter recovery, the new
- trace record "schrh_r" appears.
-
- Difficult to reproduce as we need to have a SCSI command time
- out once (abort) or twice (scsi_eh), and timely have to
- prevent sending of the abort or TMF. Examples to prevent
- sending is severe memory pressure, or zfcp-internal recovery
- of the zfcp unit (e.g. write 0 to failed sysfs attribute) or
- of the target port (depending on potentially escalated
- scsi_eh scope) so the zfcp object is blocked.
-
- Difficult to reproduce as we need to get into scsi_eh, fully
- escalate to host reset, and something has to timely delete a
- SCSI device of this Scsi_Host.
-
- Disable auto port REscan with zfcp.no_auto_port_rescan=1. Let
- always enabled zfcp auto port scan attach a target remote
- port without attaching LUNs to it (zfcp.allow_lun_scan=0 and
- no explicit zfcp unit_add). Use zfcp port_remove to remove
- such target port again. After fast_io_fail_tmo or
- dev_loss_tmo, the new trace record "sctrpin" can appear.
-
- If NPIV is not enabled with subchannel, ensure that your
- subchannel is the only one active on the entire channel.
- Configure a large enough fast_io_fail_tmo, e.g. 27 seconds.
- Pull cable at target side. Wait until fast_io_fail_tmo runs
- out and with the fix a zfcp trace "sctrpi1" with "ERP need"
- 0xe0 must appear in the REC area. (for shared non-NPIV
- subchannels, only the first subchannel, that happens to
- complete the corresponding code path, ends up in this
- particular case)
-
- Difficult to reproduce as we need a "soft" recovery trigger
- that does not clear ERP_FAILED (as opposed to e.g. failed
- sysfs attribute).
-
- No known reproduction.
-
-Upstream-Description:
-
- scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed
-
- If a SCSI device is deleted during scsi_eh host reset, we cannot get a
- reference to the SCSI device anymore since scsi_device_get returns !=0 by
- design. Assuming the recovery of adapter and port(s) was successful,
- zfcp_erp_strategy_followup_success() attempts to trigger a LUN reset for the
- half-gone SCSI device. Unfortunately, it causes the following confusing
- trace record which states that zfcp will do a LUN recovery as "ERP need" is
- ZFCP_ERP_ACTION_REOPEN_LUN == 1 and equals "ERP want".
-
- Old example trace record formatted with zfcpdbf from s390-tools:
-
- Tag: : ersfs_3 ERP, trigger, unit reopen, port reopen succeeded
- LUN : 0x<FCP_LUN>
- WWPN : 0x<WWPN>
- D_ID : 0x<N_Port-ID>
- Adapter status : 0x5400050b
- Port status : 0x54000001
- LUN status : 0x40000000 ZFCP_STATUS_COMMON_RUNNING
- but not ZFCP_STATUS_COMMON_UNBLOCKED as it
- was closed on close part of adapter reopen
- ERP want : 0x01
- ERP need : 0x01 misleading
-
- However, zfcp_erp_setup_act() returns NULL as it cannot get the reference.
- Hence, zfcp_erp_action_enqueue() takes an early goto out and _NO_ recovery
- actually happens.
-
- We always do want the recovery trigger trace record even if no erp_action
- could be enqueued as in this case. For other cases where we did not enqueue
- an erp_action, 'need' has always been zero to indicate this. In order to
- indicate above goto out, introduce an eyecatcher "flag" to mark the "ERP
- need" as 'not needed' but still keep the information which erp_action type,
- that zfcp_erp_required_act() had decided upon, is needed. 0xc_ is chosen to
- be visibly different from 0x0_ in "ERP want".
-
- New example trace record formatted with zfcpdbf from s390-tools:
-
- Tag: : ersfs_3 ERP, trigger, unit reopen, port reopen succeeded
- LUN : 0x<FCP_LUN>
- WWPN : 0x<WWPN>
- D_ID : 0x<N_Port-ID>
- Adapter status : 0x5400050b
- Port status : 0x54000001
- LUN status : 0x40000000
- ERP want : 0x01
- ERP need : 0xc1 would need LUN ERP, but no action set up
- ^
-
- Before v2.6.38 commit ae0904f60fab ("[SCSI] zfcp: Redesign of the debug
- tracing for recovery actions.") we could detect this case because the
- "erp_action" field in the trace was NULL. The rework removed erp_action as
- argument and field from the trace.
-
- This patch here is for tracing. A fix to allow LUN recovery in the case at
- hand is a topic for a separate patch.
-
- See also commit fdbd1c5e27da ("[SCSI] zfcp: Allow running unit/LUN shutdown
- without acquiring reference") for a similar case and background info.
-
- Signed-off-by: Steffen Maier <maier@linux.ibm.com>
- Fixes: ae0904f60fab ("[SCSI] zfcp: Redesign of the debug tracing for recovery actions.")
- Cc: <stable@vger.kernel.org> #2.6.38+
- Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
- Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-
-
-Signed-off-by: Steffen Maier <maier@linux.ibm.com>
-Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
----
- drivers/s390/scsi/zfcp_erp.c | 16 +++++++++++++++-
- 1 file changed, 15 insertions(+), 1 deletion(-)
-
---- a/drivers/s390/scsi/zfcp_erp.c
-+++ b/drivers/s390/scsi/zfcp_erp.c
-@@ -34,11 +34,23 @@ enum zfcp_erp_steps {
- ZFCP_ERP_STEP_LUN_OPENING = 0x2000,
- };
-
-+/**
-+ * enum zfcp_erp_act_type - Type of ERP action object.
-+ * @ZFCP_ERP_ACTION_REOPEN_LUN: LUN recovery.
-+ * @ZFCP_ERP_ACTION_REOPEN_PORT: Port recovery.
-+ * @ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: Forced port recovery.
-+ * @ZFCP_ERP_ACTION_REOPEN_ADAPTER: Adapter recovery.
-+ * @ZFCP_ERP_ACTION_NONE: Eyecatcher pseudo flag to bitwise or-combine with
-+ * either of the other enum values.
-+ * Used to indicate that an ERP action could not be
-+ * set up despite a detected need for some recovery.
-+ */
- enum zfcp_erp_act_type {
- ZFCP_ERP_ACTION_REOPEN_LUN = 1,
- ZFCP_ERP_ACTION_REOPEN_PORT = 2,
- ZFCP_ERP_ACTION_REOPEN_PORT_FORCED = 3,
- ZFCP_ERP_ACTION_REOPEN_ADAPTER = 4,
-+ ZFCP_ERP_ACTION_NONE = 0xc0,
- };
-
- enum zfcp_erp_act_state {
-@@ -256,8 +268,10 @@ static int zfcp_erp_action_enqueue(int w
- goto out;
-
- act = zfcp_erp_setup_act(need, act_status, adapter, port, sdev);
-- if (!act)
-+ if (!act) {
-+ need |= ZFCP_ERP_ACTION_NONE; /* marker for trace */
- goto out;
-+ }
- atomic_or(ZFCP_STATUS_ADAPTER_ERP_PENDING, &adapter->status);
- ++adapter->erp_total_count;
- list_add_tail(&act->list, &adapter->erp_ready_head);
diff --git a/patches.arch/s390-sles12sp3-17-01-04-zfcp-missing-REC-trig-trace-t_rport_io-early-ret.patch b/patches.arch/s390-sles12sp3-17-01-04-zfcp-missing-REC-trig-trace-t_rport_io-early-ret.patch
deleted file mode 100644
index 8918e0956b..0000000000
--- a/patches.arch/s390-sles12sp3-17-01-04-zfcp-missing-REC-trig-trace-t_rport_io-early-ret.patch
+++ /dev/null
@@ -1,257 +0,0 @@
-From: Steffen Maier <maier@linux.ibm.com>
-Subject: scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return
-Patch-mainline: v4.18-rc1
-Git-commit: 96d9270499471545048ed8a6d7f425a49762283d
-References: bnc#1099713, LTC#168765
-
-Description: zfcp: fix tracing regressions, part 3
-Symptom: Cannot determine result of eh_host_reset_handler.
-
- Cannot see if and when zfcp retries abort or task management
- functions (LUN/target reset) while synchronizing scsi_eh and
- zfcp-internal recovery.
-
- Confusing zfcp ERP trace record if a SCSI device is deleted
- during scsi_eh host reset.
-
- Cannot determine that our terminate_rport_io callback was
- invoked if it returned early.
-
- Cannot determine that our terminate_rport_io callback was
- invoked if a long fast_io_fail_tmo was configured (typically
- longer than 12 seconds, e.g. 27 seconds).
-
- Cannot determine if something wanted to enqueue zfcp recovery
- for an object (adapter/port regular/unit) in ERP_FAILED state.
-
- Cannot determine if something wanted to enqueue zfcp recovery
- but no zfcp ERP thread was running.
-Problem: v2.6.35 commit a1dbfddd02d2 ("[SCSI] zfcp: Pass return code
- from fc_block_scsi_eh to scsi eh") introduced the first
- return with something other than the previously hardcoded
- single SUCCESS return path.
-
- Due to zfcp_erp_wait() and fc_block_scsi_eh() time can pass
- between the start of our eh callback and an actual send/recv
- of an abort / TMF request.
-
- If a SCSI device is deleted during scsi_eh host reset, we
- cannot get a reference to the SCSI device anymore since
- scsi_device_get returns !=0 by design. Assuming the recovery
- of adapter and port(s) was successful,
- zfcp_erp_strategy_followup_success() attempts to trigger a
- LUN reset for the half-gone SCSI device. However,
- zfcp_erp_setup_act() returns NULL as it cannot get the
- reference. Hence, zfcp_erp_action_enqueue() takes an early
- goto out and _NO_ recovery actually happens, but it writes a
- confusing trace record which states that zfcp will do a LUN
- recovery as "ERP need" is ZFCP_ERP_ACTION_REOPEN_LUN == 1 and
- equals "ERP want".
- Before v2.6.38 commit ae0904f60fab ("[SCSI] zfcp: Redesign of
- the debug tracing for recovery actions.") we could detect
- this case because the "erp_action" field in the trace was
- NULL. The rework removed erp_action as argument and field
- from the trace.
-
- If we get an fc_rport in terminate_rport_io() for which we
- cannot find a match within zfcp_get_port_by_wwpn(), the
- latter can return NULL. v2.6.30 commit 70932935b61e ("[SCSI]
- zfcp: Fix oops when port disappears") introduced an early
- return without adding a trace record for this case.
-
- After target cable pull: The ADISC for "link" test times out
- after typically 4 seconds. The open port recovery times out
- after typically 8 seconds, causing zfcp_port.status to
- contain ERP_FAILED. zfcp_scsi_terminate_rport_io() tries to
- enqueue forced port recovery, but due to ERP_FAILED this
- resulted in a silent early return.
-
- Trying to enqueue recovery for adapter / port regular / LUN
- resulted in silent early returns.
-
- Trying to enqueue recovery if no ERP thread was running
- resulted in silent early returns.
-Solution: Write trace record in zfcp area SCSI and re-use SCSI result
- field to contain the return value of eh_host_reset_handler.
-
- Add a trace before calling the two blocking functions
- zfcp_erp_wait() and fc_block_scsi_eh().
-
- Introduce an eyecatcher "flag" to mark the "ERP need" as 'not
- needed' but still keep the information which erp_action type,
- that zfcp_erp_required_act() had decided upon, is needed.
- 0xc_ is chosen to be visibly different from 0x0_ in "ERP
- want".
-
- Write trace record in zfcp area REC with "ERP need" none.
-
- Write trace record in zfcp area REC with "ERP need" 0xe0.
-
- zfcp_erp_action_enqueue() already had two early outs which
- re-used the one zfcp_dbf_rec_trig() call. All ERP trigger
- functions finally run through zfcp_erp_action_enqueue(). So
- move the special handling for ZFCP_STATUS_COMMON_ERP_FAILED
- into zfcp_erp_action_enqueue() and add another early out with
- new trace marker for pseudo ERP need in this case. This
- removes all early returns from all ERP trigger functions so
- we always end up at zfcp_dbf_rec_trig().
-
- Write trace record in zfcp area REC with "ERP need" 0xc0.
-Reproduction: If NPIV is not enabled with subchannel, ensure that your
- subchannel is the only one active on the entire channel.
- Set eh_deadline to a short enough time interval, e.g. 5
- seconds (before FCP device online: scsi_mod.eh_deadline=5).
- Enable RSCN suppression on the SAN switch port beyond the
- first link, i.e. towards the storage target. Disable that
- switch port. Send one SCSI command to the single path SCSI
- disk of that port in the background (because it will block
- for a while) e.g. via "dd if=/dev/sd... of=/dev/null
- iflag=direct count=1 &". After <SCSI command timeout>
- seconds, the command runs into the timeout. Due to the short
- eh_deadline, the SCSI midlayer immediately performs SCSI host
- reset. After the corresponding adapter recovery, the new
- trace record "schrh_r" appears.
-
- Difficult to reproduce as we need to have a SCSI command time
- out once (abort) or twice (scsi_eh), and timely have to
- prevent sending of the abort or TMF. Examples to prevent
- sending is severe memory pressure, or zfcp-internal recovery
- of the zfcp unit (e.g. write 0 to failed sysfs attribute) or
- of the target port (depending on potentially escalated
- scsi_eh scope) so the zfcp object is blocked.
-
- Difficult to reproduce as we need to get into scsi_eh, fully
- escalate to host reset, and something has to timely delete a
- SCSI device of this Scsi_Host.
-
- Disable auto port REscan with zfcp.no_auto_port_rescan=1. Let
- always enabled zfcp auto port scan attach a target remote
- port without attaching LUNs to it (zfcp.allow_lun_scan=0 and
- no explicit zfcp unit_add). Use zfcp port_remove to remove
- such target port again. After fast_io_fail_tmo or
- dev_loss_tmo, the new trace record "sctrpin" can appear.
-
- If NPIV is not enabled with subchannel, ensure that your
- subchannel is the only one active on the entire channel.
- Configure a large enough fast_io_fail_tmo, e.g. 27 seconds.
- Pull cable at target side. Wait until fast_io_fail_tmo runs
- out and with the fix a zfcp trace "sctrpi1" with "ERP need"
- 0xe0 must appear in the REC area. (for shared non-NPIV
- subchannels, only the first subchannel, that happens to
- complete the corresponding code path, ends up in this
- particular case)
-
- Difficult to reproduce as we need a "soft" recovery trigger
- that does not clear ERP_FAILED (as opposed to e.g. failed
- sysfs attribute).
-
- No known reproduction.
-
-Upstream-Description:
-
- scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return
-
- get_device() and its internally used kobject_get() only return NULL if they
- get passed NULL as argument. zfcp_get_port_by_wwpn() loops over
- adapter->port_list so the iteration variable port is always non-NULL.
- Struct device is embedded in struct zfcp_port so &port->dev is always
- non-NULL. This is the argument to get_device(). However, if we get an
- fc_rport in terminate_rport_io() for which we cannot find a match within
- zfcp_get_port_by_wwpn(), the latter can return NULL. v2.6.30 commit
- 70932935b61e ("[SCSI] zfcp: Fix oops when port disappears") introduced an
- early return without adding a trace record for this case. Even if we don't
- need recovery in this case, for debugging we should still see that our
- callback was invoked originally by scsi_transport_fc.
-
- Example trace record formatted with zfcpdbf from s390-tools:
-
- Timestamp : ...
- Area : REC
- Subarea : 00
- Level : 1
- Exception : -
- CPU ID : ..
- Caller : 0x...
- Record ID : 1
- Tag : sctrpin SCSI terminate rport I/O, no zfcp port
- LUN : 0xffffffffffffffff none (invalid)
- WWPN : 0x<wwpn> WWPN
- D_ID : 0x<n_port_id> N_Port-ID
- Adapter status : 0x...
- Port status : 0xffffffff unknown (-1)
- LUN status : 0x00000000 none (invalid)
- Ready count : 0x...
- Running count : 0x...
- ERP want : 0x03 ZFCP_ERP_ACTION_REOPEN_PORT_FORCED
- ERP need : 0xc0 ZFCP_ERP_ACTION_NONE
-
- Signed-off-by: Steffen Maier <maier@linux.ibm.com>
- Fixes: 70932935b61e ("[SCSI] zfcp: Fix oops when port disappears")
- Cc: <stable@vger.kernel.org> #2.6.38+
- Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
- Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-
-
-Signed-off-by: Steffen Maier <maier@linux.ibm.com>
-Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
----
- drivers/s390/scsi/zfcp_erp.c | 20 ++++++++++++++++++++
- drivers/s390/scsi/zfcp_ext.h | 3 +++
- drivers/s390/scsi/zfcp_scsi.c | 5 +++++
- 3 files changed, 28 insertions(+)
-
---- a/drivers/s390/scsi/zfcp_erp.c
-+++ b/drivers/s390/scsi/zfcp_erp.c
-@@ -282,6 +282,26 @@ static int zfcp_erp_action_enqueue(int w
- return retval;
- }
-
-+void zfcp_erp_port_forced_no_port_dbf(char *id, struct zfcp_adapter *adapter,
-+ u64 port_name, u32 port_id)
-+{
-+ unsigned long flags;
-+ static /* don't waste stack */ struct zfcp_port tmpport;
-+
-+ write_lock_irqsave(&adapter->erp_lock, flags);
-+ /* Stand-in zfcp port with fields just good enough for
-+ * zfcp_dbf_rec_trig() and zfcp_dbf_set_common().
-+ * Under lock because tmpport is static.
-+ */
-+ atomic_set(&tmpport.status, -1); /* unknown */
-+ tmpport.wwpn = port_name;
-+ tmpport.d_id = port_id;
-+ zfcp_dbf_rec_trig(id, adapter, &tmpport, NULL,
-+ ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
-+ ZFCP_ERP_ACTION_NONE);
-+ write_unlock_irqrestore(&adapter->erp_lock, flags);
-+}
-+
- static int _zfcp_erp_adapter_reopen(struct zfcp_adapter *adapter,
- int clear_mask, char *id)
- {
---- a/drivers/s390/scsi/zfcp_ext.h
-+++ b/drivers/s390/scsi/zfcp_ext.h
-@@ -58,6 +58,9 @@ extern void zfcp_dbf_scsi_eh(char *tag,
- /* zfcp_erp.c */
- extern void zfcp_erp_set_adapter_status(struct zfcp_adapter *, u32);
- extern void zfcp_erp_clear_adapter_status(struct zfcp_adapter *, u32);
-+extern void zfcp_erp_port_forced_no_port_dbf(char *id,
-+ struct zfcp_adapter *adapter,
-+ u64 port_name, u32 port_id);
- extern void zfcp_erp_adapter_reopen(struct zfcp_adapter *, int, char *);
- extern void zfcp_erp_adapter_shutdown(struct zfcp_adapter *, int, char *);
- extern void zfcp_erp_set_port_status(struct zfcp_port *, u32);
---- a/drivers/s390/scsi/zfcp_scsi.c
-+++ b/drivers/s390/scsi/zfcp_scsi.c
-@@ -603,6 +603,11 @@ static void zfcp_scsi_terminate_rport_io
- if (port) {
- zfcp_erp_port_forced_reopen(port, 0, "sctrpi1");
- put_device(&port->dev);
-+ } else {
-+ zfcp_erp_port_forced_no_port_dbf(
-+ "sctrpin", adapter,
-+ rport->port_name /* zfcp_scsi_rport_register */,
-+ rport->port_id /* zfcp_scsi_rport_register */);
- }
- }
-
diff --git a/patches.arch/s390-sles12sp3-17-01-05-zfcp-missing-REC-trig-trace-t_rport_io-ERP_FAILED.patch b/patches.arch/s390-sles12sp3-17-01-05-zfcp-missing-REC-trig-trace-t_rport_io-ERP_FAILED.patch
deleted file mode 100644
index 089dd76604..0000000000
--- a/patches.arch/s390-sles12sp3-17-01-05-zfcp-missing-REC-trig-trace-t_rport_io-ERP_FAILED.patch
+++ /dev/null
@@ -1,273 +0,0 @@
-From: Steffen Maier <maier@linux.ibm.com>
-Subject: scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED
-Patch-mainline: v4.18-rc1
-Git-commit: d70aab55924b44f213fec2b900b095430b33eec6
-References: bnc#1099713, LTC#168765
-
-Description: zfcp: fix tracing regressions, part 3
-Symptom: Cannot determine result of eh_host_reset_handler.
-
- Cannot see if and when zfcp retries abort or task management
- functions (LUN/target reset) while synchronizing scsi_eh and
- zfcp-internal recovery.
-
- Confusing zfcp ERP trace record if a SCSI device is deleted
- during scsi_eh host reset.
-
- Cannot determine that our terminate_rport_io callback was
- invoked if it returned early.
-
- Cannot determine that our terminate_rport_io callback was
- invoked if a long fast_io_fail_tmo was configured (typically
- longer than 12 seconds, e.g. 27 seconds).
-
- Cannot determine if something wanted to enqueue zfcp recovery
- for an object (adapter/port regular/unit) in ERP_FAILED state.
-
- Cannot determine if something wanted to enqueue zfcp recovery
- but no zfcp ERP thread was running.
-Problem: v2.6.35 commit a1dbfddd02d2 ("[SCSI] zfcp: Pass return code
- from fc_block_scsi_eh to scsi eh") introduced the first
- return with something other than the previously hardcoded
- single SUCCESS return path.
-
- Due to zfcp_erp_wait() and fc_block_scsi_eh() time can pass
- between the start of our eh callback and an actual send/recv
- of an abort / TMF request.
-
- If a SCSI device is deleted during scsi_eh host reset, we
- cannot get a reference to the SCSI device anymore since
- scsi_device_get returns !=0 by design. Assuming the recovery
- of adapter and port(s) was successful,
- zfcp_erp_strategy_followup_success() attempts to trigger a
- LUN reset for the half-gone SCSI device. However,
- zfcp_erp_setup_act() returns NULL as it cannot get the
- reference. Hence, zfcp_erp_action_enqueue() takes an early
- goto out and _NO_ recovery actually happens, but it writes a
- confusing trace record which states that zfcp will do a LUN
- recovery as "ERP need" is ZFCP_ERP_ACTION_REOPEN_LUN == 1 and
- equals "ERP want".
- Before v2.6.38 commit ae0904f60fab ("[SCSI] zfcp: Redesign of
- the debug tracing for recovery actions.") we could detect
- this case because the "erp_action" field in the trace was
- NULL. The rework removed erp_action as argument and field
- from the trace.
-
- If we get an fc_rport in terminate_rport_io() for which we
- cannot find a match within zfcp_get_port_by_wwpn(), the
- latter can return NULL. v2.6.30 commit 70932935b61e ("[SCSI]
- zfcp: Fix oops when port disappears") introduced an early
- return without adding a trace record for this case.
-
- After target cable pull: The ADISC for "link" test times out
- after typically 4 seconds. The open port recovery times out
- after typically 8 seconds, causing zfcp_port.status to
- contain ERP_FAILED. zfcp_scsi_terminate_rport_io() tries to
- enqueue forced port recovery, but due to ERP_FAILED this
- resulted in a silent early return.
-
- Trying to enqueue recovery for adapter / port regular / LUN
- resulted in silent early returns.
-
- Trying to enqueue recovery if no ERP thread was running
- resulted in silent early returns.
-Solution: Write trace record in zfcp area SCSI and re-use SCSI result
- field to contain the return value of eh_host_reset_handler.
-
- Add a trace before calling the two blocking functions
- zfcp_erp_wait() and fc_block_scsi_eh().
-
- Introduce an eyecatcher "flag" to mark the "ERP need" as 'not
- needed' but still keep the information which erp_action type,
- that zfcp_erp_required_act() had decided upon, is needed.
- 0xc_ is chosen to be visibly different from 0x0_ in "ERP
- want".
-
- Write trace record in zfcp area REC with "ERP need" none.
-
- Write trace record in zfcp area REC with "ERP need" 0xe0.
-
- zfcp_erp_action_enqueue() already had two early outs which
- re-used the one zfcp_dbf_rec_trig() call. All ERP trigger
- functions finally run through zfcp_erp_action_enqueue(). So
- move the special handling for ZFCP_STATUS_COMMON_ERP_FAILED
- into zfcp_erp_action_enqueue() and add another early out with
- new trace marker for pseudo ERP need in this case. This
- removes all early returns from all ERP trigger functions so
- we always end up at zfcp_dbf_rec_trig().
-
- Write trace record in zfcp area REC with "ERP need" 0xc0.
-Reproduction: If NPIV is not enabled with subchannel, ensure that your
- subchannel is the only one active on the entire channel.
- Set eh_deadline to a short enough time interval, e.g. 5
- seconds (before FCP device online: scsi_mod.eh_deadline=5).
- Enable RSCN suppression on the SAN switch port beyond the
- first link, i.e. towards the storage target. Disable that
- switch port. Send one SCSI command to the single path SCSI
- disk of that port in the background (because it will block
- for a while) e.g. via "dd if=/dev/sd... of=/dev/null
- iflag=direct count=1 &". After <SCSI command timeout>
- seconds, the command runs into the timeout. Due to the short
- eh_deadline, the SCSI midlayer immediately performs SCSI host
- reset. After the corresponding adapter recovery, the new
- trace record "schrh_r" appears.
-
- Difficult to reproduce as we need to have a SCSI command time
- out once (abort) or twice (scsi_eh), and timely have to
- prevent sending of the abort or TMF. Examples to prevent
- sending is severe memory pressure, or zfcp-internal recovery
- of the zfcp unit (e.g. write 0 to failed sysfs attribute) or
- of the target port (depending on potentially escalated
- scsi_eh scope) so the zfcp object is blocked.
-
- Difficult to reproduce as we need to get into scsi_eh, fully
- escalate to host reset, and something has to timely delete a
- SCSI device of this Scsi_Host.
-
- Disable auto port REscan with zfcp.no_auto_port_rescan=1. Let
- always enabled zfcp auto port scan attach a target remote
- port without attaching LUNs to it (zfcp.allow_lun_scan=0 and
- no explicit zfcp unit_add). Use zfcp port_remove to remove
- such target port again. After fast_io_fail_tmo or
- dev_loss_tmo, the new trace record "sctrpin" can appear.
-
- If NPIV is not enabled with subchannel, ensure that your
- subchannel is the only one active on the entire channel.
- Configure a large enough fast_io_fail_tmo, e.g. 27 seconds.
- Pull cable at target side. Wait until fast_io_fail_tmo runs
- out and with the fix a zfcp trace "sctrpi1" with "ERP need"
- 0xe0 must appear in the REC area. (for shared non-NPIV
- subchannels, only the first subchannel, that happens to
- complete the corresponding code path, ends up in this
- particular case)
-
- Difficult to reproduce as we need a "soft" recovery trigger
- that does not clear ERP_FAILED (as opposed to e.g. failed
- sysfs attribute).
-
- No known reproduction.
-
-Upstream-Description:
-
- scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED
-
- For problem determination we always want to see when we were invoked on the
- terminate_rport_io callback whether we perform something or not.
-
- Temporal event sequence of interest with a long fast_io_fail_tmo of 27 sec:
-
- loose remote port
-
- t workqueue
- [s] zfcp_q_<dev> IRQ zfcperp<dev>
-
- === ================== =================== ============================
-
- 0 recv RSCN
- q p.test_link_work
- block rport
- start fast_io_fail_tmo
- send ADISC ELS
- 4 recv ADISC fail
- block zfcp_port
- port forced reopen
- send open port
- 12 recv open port fail
- q p.gid_pn_work
- zfcp_erp_wakeup
- (zfcp_erp_wait would return)
- GID_PN fail
-
- Before this point, we got a SCSI trace with tag "sctrpi1" on fast_io_fail,
- e.g. with the typical 5 sec setting.
-
- port.status |= ERP_FAILED
-
- If fast_io_fail_tmo triggers after this point, we missed a SCSI trace.
-
- workqueue
- fc_dl_<host>
- ==================
- 27 fc_timeout_fail_rport_io
- fc_terminate_rport_io
- zfcp_scsi_terminate_rport_io
- zfcp_erp_port_forced_reopen
- _zfcp_erp_port_forced_reopen
- if (port.status & ERP_FAILED)
- return;
-
- Therefore, write a trace before above early return.
-
- Example trace record formatted with zfcpdbf from s390-tools:
-
- Timestamp : ...
- Area : REC
- Subarea : 00
- Level : 1
- Exception : -
- CPU ID : ..
- Caller : 0x...
- Record ID : 1 ZFCP_DBF_REC_TRIG
- Tag : sctrpi1 SCSI terminate rport I/O
- LUN : 0xffffffffffffffff none (invalid)
- WWPN : 0x<wwpn>
- D_ID : 0x<n_port_id>
- Adapter status : 0x...
- Port status : 0x...
- LUN status : 0x00000000 none (invalid)
- Ready count : 0x...
- Running count : 0x...
- ERP want : 0x03 ZFCP_ERP_ACTION_REOPEN_PORT_FORCED
- ERP need : 0xe0 ZFCP_ERP_ACTION_FAILED
-
- Signed-off-by: Steffen Maier <maier@linux.ibm.com>
- Cc: <stable@vger.kernel.org> #2.6.38+
- Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
- Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-
-
-Signed-off-by: Steffen Maier <maier@linux.ibm.com>
-Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
----
- drivers/s390/scsi/zfcp_erp.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
---- a/drivers/s390/scsi/zfcp_erp.c
-+++ b/drivers/s390/scsi/zfcp_erp.c
-@@ -41,9 +41,13 @@ enum zfcp_erp_steps {
- * @ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: Forced port recovery.
- * @ZFCP_ERP_ACTION_REOPEN_ADAPTER: Adapter recovery.
- * @ZFCP_ERP_ACTION_NONE: Eyecatcher pseudo flag to bitwise or-combine with
-- * either of the other enum values.
-+ * either of the first four enum values.
- * Used to indicate that an ERP action could not be
- * set up despite a detected need for some recovery.
-+ * @ZFCP_ERP_ACTION_FAILED: Eyecatcher pseudo flag to bitwise or-combine with
-+ * either of the first four enum values.
-+ * Used to indicate that ERP not needed because
-+ * the object has ZFCP_STATUS_COMMON_ERP_FAILED.
- */
- enum zfcp_erp_act_type {
- ZFCP_ERP_ACTION_REOPEN_LUN = 1,
-@@ -51,6 +55,7 @@ enum zfcp_erp_act_type {
- ZFCP_ERP_ACTION_REOPEN_PORT_FORCED = 3,
- ZFCP_ERP_ACTION_REOPEN_ADAPTER = 4,
- ZFCP_ERP_ACTION_NONE = 0xc0,
-+ ZFCP_ERP_ACTION_FAILED = 0xe0,
- };
-
- enum zfcp_erp_act_state {
-@@ -378,8 +383,12 @@ static void _zfcp_erp_port_forced_reopen
- zfcp_erp_port_block(port, clear);
- zfcp_scsi_schedule_rport_block(port);
-
-- if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
-+ if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
-+ zfcp_dbf_rec_trig(id, port->adapter, port, NULL,
-+ ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
-+ ZFCP_ERP_ACTION_FAILED);
- return;
-+ }
-
- zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
- port->adapter, port, NULL, id, 0);
diff --git a/patches.arch/s390-sles12sp3-17-01-06-zfcp-missing-REC-trig-trace-all-objects-ERP_FAILED.patch b/patches.arch/s390-sles12sp3-17-01-06-zfcp-missing-REC-trig-trace-all-objects-ERP_FAILED.patch
deleted file mode 100644
index 91c51f7c8f..0000000000
--- a/patches.arch/s390-sles12sp3-17-01-06-zfcp-missing-REC-trig-trace-all-objects-ERP_FAILED.patch
+++ /dev/null
@@ -1,330 +0,0 @@
-From: Steffen Maier <maier@linux.ibm.com>
-Subject: scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED
-Patch-mainline: v4.18-rc1
-Git-commit: 8c3d20aada70042a39c6a6625be037c1472ca610
-References: bnc#1099713, LTC#168765
-
-Description: zfcp: fix tracing regressions, part 3
-Symptom: Cannot determine result of eh_host_reset_handler.
-
- Cannot see if and when zfcp retries abort or task management
- functions (LUN/target reset) while synchronizing scsi_eh and
- zfcp-internal recovery.
-
- Confusing zfcp ERP trace record if a SCSI device is deleted
- during scsi_eh host reset.
-
- Cannot determine that our terminate_rport_io callback was
- invoked if it returned early.
-
- Cannot determine that our terminate_rport_io callback was
- invoked if a long fast_io_fail_tmo was configured (typically
- longer than 12 seconds, e.g. 27 seconds).
-
- Cannot determine if something wanted to enqueue zfcp recovery
- for an object (adapter/port regular/unit) in ERP_FAILED state.
-
- Cannot determine if something wanted to enqueue zfcp recovery
- but no zfcp ERP thread was running.
-Problem: v2.6.35 commit a1dbfddd02d2 ("[SCSI] zfcp: Pass return code
- from fc_block_scsi_eh to scsi eh") introduced the first
- return with something other than the previously hardcoded
- single SUCCESS return path.
-
- Due to zfcp_erp_wait() and fc_block_scsi_eh() time can pass
- between the start of our eh callback and an actual send/recv
- of an abort / TMF request.
-
- If a SCSI device is deleted during scsi_eh host reset, we
- cannot get a reference to the SCSI device anymore since
- scsi_device_get returns !=0 by design. Assuming the recovery
- of adapter and port(s) was successful,
- zfcp_erp_strategy_followup_success() attempts to trigger a
- LUN reset for the half-gone SCSI device. However,
- zfcp_erp_setup_act() returns NULL as it cannot get the
- reference. Hence, zfcp_erp_action_enqueue() takes an early
- goto out and _NO_ recovery actually happens, but it writes a
- confusing trace record which states that zfcp will do a LUN
- recovery as "ERP need" is ZFCP_ERP_ACTION_REOPEN_LUN == 1 and
- equals "ERP want".
- Before v2.6.38 commit ae0904f60fab ("[SCSI] zfcp: Redesign of
- the debug tracing for recovery actions.") we could detect
- this case because the "erp_action" field in the trace was
- NULL. The rework removed erp_action as argument and field
- from the trace.
-
- If we get an fc_rport in terminate_rport_io() for which we
- cannot find a match within zfcp_get_port_by_wwpn(), the
- latter can return NULL. v2.6.30 commit 70932935b61e ("[SCSI]
- zfcp: Fix oops when port disappears") introduced an early
- return without adding a trace record for this case.
-
- After target cable pull: The ADISC for "link" test times out
- after typically 4 seconds. The open port recovery times out
- after typically 8 seconds, causing zfcp_port.status to
- contain ERP_FAILED. zfcp_scsi_terminate_rport_io() tries to
- enqueue forced port recovery, but due to ERP_FAILED this
- resulted in a silent early return.
-
- Trying to enqueue recovery for adapter / port regular / LUN
- resulted in silent early returns.
-
- Trying to enqueue recovery if no ERP thread was running
- resulted in silent early returns.
-Solution: Write trace record in zfcp area SCSI and re-use SCSI result
- field to contain the return value of eh_host_reset_handler.
-
- Add a trace before calling the two blocking functions
- zfcp_erp_wait() and fc_block_scsi_eh().
-
- Introduce an eyecatcher "flag" to mark the "ERP need" as 'not
- needed' but still keep the information which erp_action type,
- that zfcp_erp_required_act() had decided upon, is needed.
- 0xc_ is chosen to be visibly different from 0x0_ in "ERP
- want".
-
- Write trace record in zfcp area REC with "ERP need" none.
-
- Write trace record in zfcp area REC with "ERP need" 0xe0.
-
- zfcp_erp_action_enqueue() already had two early outs which
- re-used the one zfcp_dbf_rec_trig() call. All ERP trigger
- functions finally run through zfcp_erp_action_enqueue(). So
- move the special handling for ZFCP_STATUS_COMMON_ERP_FAILED
- into zfcp_erp_action_enqueue() and add another early out with
- new trace marker for pseudo ERP need in this case. This
- removes all early returns from all ERP trigger functions so
- we always end up at zfcp_dbf_rec_trig().
-
- Write trace record in zfcp area REC with "ERP need" 0xc0.
-Reproduction: If NPIV is not enabled with subchannel, ensure that your
- subchannel is the only one active on the entire channel.
- Set eh_deadline to a short enough time interval, e.g. 5
- seconds (before FCP device online: scsi_mod.eh_deadline=5).
- Enable RSCN suppression on the SAN switch port beyond the
- first link, i.e. towards the storage target. Disable that
- switch port. Send one SCSI command to the single path SCSI
- disk of that port in the background (because it will block
- for a while) e.g. via "dd if=/dev/sd... of=/dev/null
- iflag=direct count=1 &". After <SCSI command timeout>
- seconds, the command runs into the timeout. Due to the short
- eh_deadline, the SCSI midlayer immediately performs SCSI host
- reset. After the corresponding adapter recovery, the new
- trace record "schrh_r" appears.
-
- Difficult to reproduce as we need to have a SCSI command time
- out once (abort) or twice (scsi_eh), and timely have to
- prevent sending of the abort or TMF. Examples to prevent
- sending is severe memory pressure, or zfcp-internal recovery
- of the zfcp unit (e.g. write 0 to failed sysfs attribute) or
- of the target port (depending on potentially escalated
- scsi_eh scope) so the zfcp object is blocked.
-
- Difficult to reproduce as we need to get into scsi_eh, fully
- escalate to host reset, and something has to timely delete a
- SCSI device of this Scsi_Host.
-
- Disable auto port REscan with zfcp.no_auto_port_rescan=1. Let
- always enabled zfcp auto port scan attach a target remote
- port without attaching LUNs to it (zfcp.allow_lun_scan=0 and
- no explicit zfcp unit_add). Use zfcp port_remove to remove
- such target port again. After fast_io_fail_tmo or
- dev_loss_tmo, the new trace record "sctrpin" can appear.
-
- If NPIV is not enabled with subchannel, ensure that your
- subchannel is the only one active on the entire channel.
- Configure a large enough fast_io_fail_tmo, e.g. 27 seconds.
- Pull cable at target side. Wait until fast_io_fail_tmo runs
- out and with the fix a zfcp trace "sctrpi1" with "ERP need"
- 0xe0 must appear in the REC area. (for shared non-NPIV
- subchannels, only the first subchannel, that happens to
- complete the corresponding code path, ends up in this
- particular case)
-
- Difficult to reproduce as we need a "soft" recovery trigger
- that does not clear ERP_FAILED (as opposed to e.g. failed
- sysfs attribute).
-
- No known reproduction.
-
-Upstream-Description:
-
- scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED
-
- That other commit introduced an inconsistency because it would trace on
- ERP_FAILED for all callers of port forced reopen triggers (not just
- terminate_rport_io), but it would not trace on ERP_FAILED for all callers of
- other ERP triggers such as adapter, port regular, LUN.
-
- Therefore, generalize that other commit. zfcp_erp_action_enqueue() already
- had two early outs which re-used the one zfcp_dbf_rec_trig() call. All ERP
- trigger functions finally run through zfcp_erp_action_enqueue(). So move
- the special handling for ZFCP_STATUS_COMMON_ERP_FAILED into
- zfcp_erp_action_enqueue() and add another early out with new trace marker
- for pseudo ERP need in this case. This removes all early returns from all
- ERP trigger functions so we always end up at zfcp_dbf_rec_trig().
-
- Example trace record formatted with zfcpdbf from s390-tools:
-
- Timestamp : ...
- Area : REC
- Subarea : 00
- Level : 1
- Exception : -
- CPU ID : ..
- Caller : 0x...
- Record ID : 1 ZFCP_DBF_REC_TRIG
- Tag : .......
- LUN : 0x...
- WWPN : 0x...
- D_ID : 0x...
- Adapter status : 0x...
- Port status : 0x...
- LUN status : 0x...
- Ready count : 0x...
- Running count : 0x...
- ERP want : 0x0. ZFCP_ERP_ACTION_REOPEN_...
- ERP need : 0xe0 ZFCP_ERP_ACTION_FAILED
-
- Signed-off-by: Steffen Maier <maier@linux.ibm.com>
- Cc: <stable@vger.kernel.org> #2.6.38+
- Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
- Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-
-
-Signed-off-by: Steffen Maier <maier@linux.ibm.com>
-Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
----
- drivers/s390/scsi/zfcp_erp.c | 79 +++++++++++++++++++++++++++----------------
- 1 file changed, 51 insertions(+), 28 deletions(-)
-
---- a/drivers/s390/scsi/zfcp_erp.c
-+++ b/drivers/s390/scsi/zfcp_erp.c
-@@ -142,6 +142,49 @@ static void zfcp_erp_action_dismiss_adap
- }
- }
-
-+static int zfcp_erp_handle_failed(int want, struct zfcp_adapter *adapter,
-+ struct zfcp_port *port,
-+ struct scsi_device *sdev)
-+{
-+ int need = want;
-+ struct zfcp_scsi_dev *zsdev;
-+
-+ switch (want) {
-+ case ZFCP_ERP_ACTION_REOPEN_LUN:
-+ zsdev = sdev_to_zfcp(sdev);
-+ if (atomic_read(&zsdev->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
-+ need = 0;
-+ break;
-+ case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED:
-+ if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
-+ need = 0;
-+ break;
-+ case ZFCP_ERP_ACTION_REOPEN_PORT:
-+ if (atomic_read(&port->status) &
-+ ZFCP_STATUS_COMMON_ERP_FAILED) {
-+ need = 0;
-+ /* ensure propagation of failed status to new devices */
-+ zfcp_erp_set_port_status(
-+ port, ZFCP_STATUS_COMMON_ERP_FAILED);
-+ }
-+ break;
-+ case ZFCP_ERP_ACTION_REOPEN_ADAPTER:
-+ if (atomic_read(&adapter->status) &
-+ ZFCP_STATUS_COMMON_ERP_FAILED) {
-+ need = 0;
-+ /* ensure propagation of failed status to new devices */
-+ zfcp_erp_set_adapter_status(
-+ adapter, ZFCP_STATUS_COMMON_ERP_FAILED);
-+ }
-+ break;
-+ default:
-+ need = 0;
-+ break;
-+ }
-+
-+ return need;
-+}
-+
- static int zfcp_erp_required_act(int want, struct zfcp_adapter *adapter,
- struct zfcp_port *port,
- struct scsi_device *sdev)
-@@ -265,6 +308,12 @@ static int zfcp_erp_action_enqueue(int w
- int retval = 1, need;
- struct zfcp_erp_action *act;
-
-+ need = zfcp_erp_handle_failed(want, adapter, port, sdev);
-+ if (!need) {
-+ need = ZFCP_ERP_ACTION_FAILED; /* marker for trace */
-+ goto out;
-+ }
-+
- if (!adapter->erp_thread)
- return -EIO;
-
-@@ -313,12 +362,6 @@ static int _zfcp_erp_adapter_reopen(stru
- zfcp_erp_adapter_block(adapter, clear_mask);
- zfcp_scsi_schedule_rports_block(adapter);
-
-- /* ensure propagation of failed status to new devices */
-- if (atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
-- zfcp_erp_set_adapter_status(adapter,
-- ZFCP_STATUS_COMMON_ERP_FAILED);
-- return -EIO;
-- }
- return zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER,
- adapter, NULL, NULL, id, 0);
- }
-@@ -337,12 +380,8 @@ void zfcp_erp_adapter_reopen(struct zfcp
- zfcp_scsi_schedule_rports_block(adapter);
-
- write_lock_irqsave(&adapter->erp_lock, flags);
-- if (atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
-- zfcp_erp_set_adapter_status(adapter,
-- ZFCP_STATUS_COMMON_ERP_FAILED);
-- else
-- zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter,
-- NULL, NULL, id, 0);
-+ zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter,
-+ NULL, NULL, id, 0);
- write_unlock_irqrestore(&adapter->erp_lock, flags);
- }
-
-@@ -383,13 +422,6 @@ static void _zfcp_erp_port_forced_reopen
- zfcp_erp_port_block(port, clear);
- zfcp_scsi_schedule_rport_block(port);
-
-- if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
-- zfcp_dbf_rec_trig(id, port->adapter, port, NULL,
-- ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
-- ZFCP_ERP_ACTION_FAILED);
-- return;
-- }
--
- zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
- port->adapter, port, NULL, id, 0);
- }
-@@ -415,12 +447,6 @@ static int _zfcp_erp_port_reopen(struct
- zfcp_erp_port_block(port, clear);
- zfcp_scsi_schedule_rport_block(port);
-
-- if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
-- /* ensure propagation of failed status to new devices */
-- zfcp_erp_set_port_status(port, ZFCP_STATUS_COMMON_ERP_FAILED);
-- return -EIO;
-- }
--
- return zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT,
- port->adapter, port, NULL, id, 0);
- }
-@@ -460,9 +486,6 @@ static void _zfcp_erp_lun_reopen(struct
-
- zfcp_erp_lun_block(sdev, clear);
-
-- if (atomic_read(&zfcp_sdev->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
-- return;
--
- zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_LUN, adapter,
- zfcp_sdev->port, sdev, id, act_status);
- }
diff --git a/patches.arch/s390-sles12sp3-17-01-07-zfcp-missing-REC-trig-trace-enqueue-no-ERP-thread.patch b/patches.arch/s390-sles12sp3-17-01-07-zfcp-missing-REC-trig-trace-enqueue-no-ERP-thread.patch
deleted file mode 100644
index 2ce1ede321..0000000000
--- a/patches.arch/s390-sles12sp3-17-01-07-zfcp-missing-REC-trig-trace-enqueue-no-ERP-thread.patch
+++ /dev/null
@@ -1,203 +0,0 @@
-From: Steffen Maier <maier@linux.ibm.com>
-Subject: scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread
-Patch-mainline: v4.18-rc1
-Git-commit: 6a76550841d412330bd86aed3238d1888ba70f0e
-References: bnc#1099713, LTC#168765
-
-Description: zfcp: fix tracing regressions, part 3
-Symptom: Cannot determine result of eh_host_reset_handler.
-
- Cannot see if and when zfcp retries abort or task management
- functions (LUN/target reset) while synchronizing scsi_eh and
- zfcp-internal recovery.
-
- Confusing zfcp ERP trace record if a SCSI device is deleted
- during scsi_eh host reset.
-
- Cannot determine that our terminate_rport_io callback was
- invoked if it returned early.
-
- Cannot determine that our terminate_rport_io callback was
- invoked if a long fast_io_fail_tmo was configured (typically
- longer than 12 seconds, e.g. 27 seconds).
-
- Cannot determine if something wanted to enqueue zfcp recovery
- for an object (adapter/port regular/unit) in ERP_FAILED state.
-
- Cannot determine if something wanted to enqueue zfcp recovery
- but no zfcp ERP thread was running.
-Problem: v2.6.35 commit a1dbfddd02d2 ("[SCSI] zfcp: Pass return code
- from fc_block_scsi_eh to scsi eh") introduced the first
- return with something other than the previously hardcoded
- single SUCCESS return path.
-
- Due to zfcp_erp_wait() and fc_block_scsi_eh() time can pass
- between the start of our eh callback and an actual send/recv
- of an abort / TMF request.
-
- If a SCSI device is deleted during scsi_eh host reset, we
- cannot get a reference to the SCSI device anymore since
- scsi_device_get returns !=0 by design. Assuming the recovery
- of adapter and port(s) was successful,
- zfcp_erp_strategy_followup_success() attempts to trigger a
- LUN reset for the half-gone SCSI device. However,
- zfcp_erp_setup_act() returns NULL as it cannot get the
- reference. Hence, zfcp_erp_action_enqueue() takes an early
- goto out and _NO_ recovery actually happens, but it writes a
- confusing trace record which states that zfcp will do a LUN
- recovery as "ERP need" is ZFCP_ERP_ACTION_REOPEN_LUN == 1 and
- equals "ERP want".
- Before v2.6.38 commit ae0904f60fab ("[SCSI] zfcp: Redesign of
- the debug tracing for recovery actions.") we could detect
- this case because the "erp_action" field in the trace was
- NULL. The rework removed erp_action as argument and field
- from the trace.
-
- If we get an fc_rport in terminate_rport_io() for which we
- cannot find a match within zfcp_get_port_by_wwpn(), the
- latter can return NULL. v2.6.30 commit 70932935b61e ("[SCSI]
- zfcp: Fix oops when port disappears") introduced an early
- return without adding a trace record for this case.
-
- After target cable pull: The ADISC for "link" test times out
- after typically 4 seconds. The open port recovery times out
- after typically 8 seconds, causing zfcp_port.status to
- contain ERP_FAILED. zfcp_scsi_terminate_rport_io() tries to
- enqueue forced port recovery, but due to ERP_FAILED this
- resulted in a silent early return.
-
- Trying to enqueue recovery for adapter / port regular / LUN
- resulted in silent early returns.
-
- Trying to enqueue recovery if no ERP thread was running
- resulted in silent early returns.
-Solution: Write trace record in zfcp area SCSI and re-use SCSI result
- field to contain the return value of eh_host_reset_handler.
-
- Add a trace before calling the two blocking functions
- zfcp_erp_wait() and fc_block_scsi_eh().
-
- Introduce an eyecatcher "flag" to mark the "ERP need" as 'not
- needed' but still keep the information which erp_action type,
- that zfcp_erp_required_act() had decided upon, is needed.
- 0xc_ is chosen to be visibly different from 0x0_ in "ERP
- want".
-
- Write trace record in zfcp area REC with "ERP need" none.
-
- Write trace record in zfcp area REC with "ERP need" 0xe0.
-
- zfcp_erp_action_enqueue() already had two early outs which
- re-used the one zfcp_dbf_rec_trig() call. All ERP trigger
- functions finally run through zfcp_erp_action_enqueue(). So
- move the special handling for ZFCP_STATUS_COMMON_ERP_FAILED
- into zfcp_erp_action_enqueue() and add another early out with
- new trace marker for pseudo ERP need in this case. This
- removes all early returns from all ERP trigger functions so
- we always end up at zfcp_dbf_rec_trig().
-
- Write trace record in zfcp area REC with "ERP need" 0xc0.
-Reproduction: If NPIV is not enabled with subchannel, ensure that your
- subchannel is the only one active on the entire channel.
- Set eh_deadline to a short enough time interval, e.g. 5
- seconds (before FCP device online: scsi_mod.eh_deadline=5).
- Enable RSCN suppression on the SAN switch port beyond the
- first link, i.e. towards the storage target. Disable that
- switch port. Send one SCSI command to the single path SCSI
- disk of that port in the background (because it will block
- for a while) e.g. via "dd if=/dev/sd... of=/dev/null
- iflag=direct count=1 &". After <SCSI command timeout>
- seconds, the command runs into the timeout. Due to the short
- eh_deadline, the SCSI midlayer immediately performs SCSI host
- reset. After the corresponding adapter recovery, the new
- trace record "schrh_r" appears.
-
- Difficult to reproduce as we need to have a SCSI command time
- out once (abort) or twice (scsi_eh), and timely have to
- prevent sending of the abort or TMF. Examples to prevent
- sending is severe memory pressure, or zfcp-internal recovery
- of the zfcp unit (e.g. write 0 to failed sysfs attribute) or
- of the target port (depending on potentially escalated
- scsi_eh scope) so the zfcp object is blocked.
-
- Difficult to reproduce as we need to get into scsi_eh, fully
- escalate to host reset, and something has to timely delete a
- SCSI device of this Scsi_Host.
-
- Disable auto port REscan with zfcp.no_auto_port_rescan=1. Let
- always enabled zfcp auto port scan attach a target remote
- port without attaching LUNs to it (zfcp.allow_lun_scan=0 and
- no explicit zfcp unit_add). Use zfcp port_remove to remove
- such target port again. After fast_io_fail_tmo or
- dev_loss_tmo, the new trace record "sctrpin" can appear.
-
- If NPIV is not enabled with subchannel, ensure that your
- subchannel is the only one active on the entire channel.
- Configure a large enough fast_io_fail_tmo, e.g. 27 seconds.
- Pull cable at target side. Wait until fast_io_fail_tmo runs
- out and with the fix a zfcp trace "sctrpi1" with "ERP need"
- 0xe0 must appear in the REC area. (for shared non-NPIV
- subchannels, only the first subchannel, that happens to
- complete the corresponding code path, ends up in this
- particular case)
-
- Difficult to reproduce as we need a "soft" recovery trigger
- that does not clear ERP_FAILED (as opposed to e.g. failed
- sysfs attribute).
-
- No known reproduction.
-
-Upstream-Description:
-
- scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread
-
- Example trace record formatted with zfcpdbf from s390-tools:
-
- Timestamp : ...
- Area : REC
- Subarea : 00
- Level : 1
- Exception : -
- CPU ID : ..
- Caller : 0x...
- Record ID : 1 ZFCP_DBF_REC_TRIG
- Tag : .......
- LUN : 0x...
- WWPN : 0x...
- D_ID : 0x...
- Adapter status : 0x...
- Port status : 0x...
- LUN status : 0x...
- Ready count : 0x...
- Running count : 0x...
- ERP want : 0x0. ZFCP_ERP_ACTION_REOPEN_...
- ERP need : 0xc0 ZFCP_ERP_ACTION_NONE
-
- Signed-off-by: Steffen Maier <maier@linux.ibm.com>
- Cc: <stable@vger.kernel.org> #2.6.38+
- Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
- Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-
-
-Signed-off-by: Steffen Maier <maier@linux.ibm.com>
-Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
----
- drivers/s390/scsi/zfcp_erp.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
---- a/drivers/s390/scsi/zfcp_erp.c
-+++ b/drivers/s390/scsi/zfcp_erp.c
-@@ -314,8 +314,11 @@ static int zfcp_erp_action_enqueue(int w
- goto out;
- }
-
-- if (!adapter->erp_thread)
-- return -EIO;
-+ if (!adapter->erp_thread) {
-+ need = ZFCP_ERP_ACTION_NONE; /* marker for trace */
-+ retval = -EIO;
-+ goto out;
-+ }
-
- need = zfcp_erp_required_act(want, adapter, port, sdev);
- if (!need)
diff --git a/patches.drivers/0144-block-remove-driverfs_dev.patch b/patches.drivers/0144-block-remove-driverfs_dev.patch
index b5934aa530..f5f03b2537 100644
--- a/patches.drivers/0144-block-remove-driverfs_dev.patch
+++ b/patches.drivers/0144-block-remove-driverfs_dev.patch
@@ -15,16 +15,14 @@ Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Acked-by: Hannes Reinecke <hare@suse.de>
---
- block/genhd.c | 9 ++-------
- drivers/nvdimm/bus.c | 2 +-
- include/linux/genhd.h | 4 +---
+ block/genhd.c | 9 ++-------
+ drivers/nvdimm/bus.c | 2 +-
+ include/linux/genhd.h | 4 +---
3 files changed, 4 insertions(+), 11 deletions(-)
-diff --git a/block/genhd.c b/block/genhd.c
-index e80e821..a03c3b6 100644
--- a/block/genhd.c
+++ b/block/genhd.c
-@@ -618,10 +618,6 @@ void device_add_disk(struct device *parent, struct gendisk *disk)
+@@ -618,10 +618,6 @@ void device_add_disk(struct device *pare
blk_register_region(disk_devt(disk), disk->minors, NULL,
exact_match, exact_lock, disk);
@@ -48,21 +46,17 @@ index e80e821..a03c3b6 100644
else
printk(" (driver?)\n");
} else
-diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c
-index f085f8b..5e4e5c7 100644
--- a/drivers/nvdimm/bus.c
+++ b/drivers/nvdimm/bus.c
-@@ -312,7 +312,7 @@ EXPORT_SYMBOL(__nd_driver_register);
+@@ -500,7 +500,7 @@ EXPORT_SYMBOL(__nd_driver_register);
int nvdimm_revalidate_disk(struct gendisk *disk)
{
- struct device *dev = disk->driverfs_dev;
+ struct device *dev = disk_to_dev(disk)->parent;
struct nd_region *nd_region = to_nd_region(dev->parent);
- const char *pol = nd_region->ro ? "only" : "write";
+ int disk_ro = get_disk_ro(disk);
-diff --git a/include/linux/genhd.h b/include/linux/genhd.h
-index e736b85..2e80f4a 100644
--- a/include/linux/genhd.h
+++ b/include/linux/genhd.h
@@ -204,7 +204,6 @@ struct gendisk {
@@ -73,7 +67,7 @@ index e736b85..2e80f4a 100644
struct kobject *slave_dir;
struct timer_rand_state *random;
-@@ -434,8 +433,7 @@ extern void part_round_stats(int cpu, struct hd_struct *part);
+@@ -434,8 +433,7 @@ extern void part_round_stats(int cpu, st
extern void device_add_disk(struct device *parent, struct gendisk *disk);
static inline void add_disk(struct gendisk *disk)
{
@@ -83,6 +77,3 @@ index e736b85..2e80f4a 100644
}
extern void del_gendisk(struct gendisk *gp);
---
-1.8.5.6
-
diff --git a/patches.drivers/0165-block-Fix-front-merge-check.patch b/patches.drivers/0165-block-Fix-front-merge-check.patch
index 3879576fc4..e6db61130e 100644
--- a/patches.drivers/0165-block-Fix-front-merge-check.patch
+++ b/patches.drivers/0165-block-Fix-front-merge-check.patch
@@ -14,15 +14,13 @@ Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Acked-by: Hannes Reinecke <hare@suse.de>
---
- block/blk-merge.c | 6 +++---
- include/linux/blkdev.h | 5 +++--
+ block/blk-merge.c | 6 +++---
+ include/linux/blkdev.h | 5 +++--
2 files changed, 6 insertions(+), 5 deletions(-)
-diff --git a/block/blk-merge.c b/block/blk-merge.c
-index 4f9d875..26d9b5d 100644
--- a/block/blk-merge.c
+++ b/block/blk-merge.c
-@@ -522,7 +522,7 @@ int ll_back_merge_fn(struct request_queue *q, struct request *req,
+@@ -522,7 +522,7 @@ int ll_back_merge_fn(struct request_queu
integrity_req_gap_back_merge(req, bio))
return 0;
if (blk_rq_sectors(req) + bio_sectors(bio) >
@@ -31,7 +29,7 @@ index 4f9d875..26d9b5d 100644
req->cmd_flags |= REQ_NOMERGE;
if (req == q->last_merge)
q->last_merge = NULL;
-@@ -546,7 +546,7 @@ int ll_front_merge_fn(struct request_queue *q, struct request *req,
+@@ -546,7 +546,7 @@ int ll_front_merge_fn(struct request_que
integrity_req_gap_front_merge(req, bio))
return 0;
if (blk_rq_sectors(req) + bio_sectors(bio) >
@@ -40,7 +38,7 @@ index 4f9d875..26d9b5d 100644
req->cmd_flags |= REQ_NOMERGE;
if (req == q->last_merge)
q->last_merge = NULL;
-@@ -592,7 +592,7 @@ static int ll_merge_requests_fn(struct request_queue *q, struct request *req,
+@@ -592,7 +592,7 @@ static int ll_merge_requests_fn(struct r
* Will it become too large?
*/
if ((blk_rq_sectors(req) + blk_rq_sectors(next)) >
@@ -49,12 +47,10 @@ index 4f9d875..26d9b5d 100644
return 0;
total_phys_segments = req->nr_phys_segments + next->nr_phys_segments;
-diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
-index ca92057..8933c11 100644
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
-@@ -895,7 +895,8 @@ static inline unsigned int blk_max_size_offset(struct request_queue *q,
- (offset & (q->limits.chunk_sectors - 1));
+@@ -906,7 +906,8 @@ static inline unsigned int blk_max_size_
+ (offset & (q->limits.chunk_sectors - 1))));
}
-static inline unsigned int blk_rq_get_max_sectors(struct request *rq)
@@ -63,7 +59,7 @@ index ca92057..8933c11 100644
{
struct request_queue *q = rq->q;
-@@ -905,7 +906,7 @@ static inline unsigned int blk_rq_get_max_sectors(struct request *rq)
+@@ -916,7 +917,7 @@ static inline unsigned int blk_rq_get_ma
if (!q->limits.chunk_sectors || (req_op(rq) == REQ_OP_DISCARD))
return blk_queue_get_max_sectors(q, req_op(rq));
@@ -72,6 +68,3 @@ index ca92057..8933c11 100644
blk_queue_get_max_sectors(q, req_op(rq)));
}
---
-1.8.5.6
-
diff --git a/patches.drivers/ALSA-hda-Add-HP-ZBook-15u-G3-Conexant-CX20724-GPIO-m b/patches.drivers/ALSA-hda-Add-HP-ZBook-15u-G3-Conexant-CX20724-GPIO-m
index 7166ccc56c..0840c68270 100644
--- a/patches.drivers/ALSA-hda-Add-HP-ZBook-15u-G3-Conexant-CX20724-GPIO-m
+++ b/patches.drivers/ALSA-hda-Add-HP-ZBook-15u-G3-Conexant-CX20724-GPIO-m
@@ -129,15 +129,15 @@ Signed-off-by: Takashi Iwai <tiwai@suse.de>
};
static const struct snd_pci_quirk cxt5045_fixups[] = {
-@@ -853,6 +932,7 @@ static const struct snd_pci_quirk cxt506
- SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
+@@ -855,6 +934,7 @@ static const struct snd_pci_quirk cxt506
+ SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK),
SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
+ SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO),
SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
SND_PCI_QUIRK(0x152d, 0x0833, "OLPC XO-1.5", CXT_FIXUP_OLPC_XO),
SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo T400", CXT_PINCFG_LENOVO_TP410),
-@@ -885,6 +965,7 @@ static const struct hda_model_fixup cxt5
+@@ -887,6 +967,7 @@ static const struct hda_model_fixup cxt5
{ .id = CXT_FIXUP_OLPC_XO, .name = "olpc-xo" },
{ .id = CXT_FIXUP_MUTE_LED_EAPD, .name = "mute-led-eapd" },
{ .id = CXT_FIXUP_HP_DOCK, .name = "hp-dock" },
diff --git a/patches.drivers/ib-qib-add-device-specific-info-prints.patch b/patches.drivers/ib-qib-add-device-specific-info-prints.patch
index a0c5abb3ba..cf3e696859 100644
--- a/patches.drivers/ib-qib-add-device-specific-info-prints.patch
+++ b/patches.drivers/ib-qib-add-device-specific-info-prints.patch
@@ -20,9 +20,9 @@ Signed-off-by: Doug Ledford <dledford@redhat.com>
--- a/drivers/infiniband/hw/qib/qib.h
+++ b/drivers/infiniband/hw/qib/qib.h
-@@ -1455,6 +1455,8 @@ u64 qib_sps_ints(void);
- dma_addr_t qib_map_page(struct pci_dev *, struct page *, unsigned long,
- size_t, int);
+@@ -1454,6 +1454,8 @@ u64 qib_sps_ints(void);
+ */
+ int qib_map_page(struct pci_dev *d, struct page *p, dma_addr_t *daddr);
const char *qib_get_unit_name(int unit);
+const char *qib_get_card_name(struct rvt_dev_info *rdi);
+struct pci_dev *qib_get_pci_dev(struct rvt_dev_info *rdi);
diff --git a/patches.fixes/Fix-up-non-directory-creation-in-SGID-directories.patch b/patches.fixes/Fix-up-non-directory-creation-in-SGID-directories.patch
new file mode 100644
index 0000000000..c134ec42aa
--- /dev/null
+++ b/patches.fixes/Fix-up-non-directory-creation-in-SGID-directories.patch
@@ -0,0 +1,52 @@
+From 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 3 Jul 2018 17:10:19 -0700
+Subject: [PATCH] Fix up non-directory creation in SGID directories
+References: CVE-2018-13405, bsc#1100416
+Git-commit: 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7
+Patch-mainline: Queued in subsystem maintainer repository
+Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
+
+sgid directories have special semantics, making newly created files in
+the directory belong to the group of the directory, and newly created
+subdirectories will also become sgid. This is historically used for
+group-shared directories.
+
+But group directories writable by non-group members should not imply
+that such non-group members can magically join the group, so make sure
+to clear the sgid bit on non-directories for non-members (but remember
+that sgid without group execute means "mandatory locking", just to
+confuse things even more).
+
+Reported-by: Jann Horn <jannh@google.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+---
+ fs/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/inode.c b/fs/inode.c
+index 75309374dcdc..2b18d30b458c 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -1943,8 +1943,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
+ inode->i_uid = current_fsuid();
+ if (dir && dir->i_mode & S_ISGID) {
+ inode->i_gid = dir->i_gid;
++
++ /* Directories are special, and always inherit S_ISGID */
+ if (S_ISDIR(mode))
+ mode |= S_ISGID;
++ else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
++ !in_group_p(inode->i_gid) &&
++ !capable_wrt_inode_uidgid(dir, CAP_FSETID))
++ mode &= ~S_ISGID;
+ } else
+ inode->i_gid = current_fsgid();
+ inode->i_mode = mode;
+--
+2.16.4
+
diff --git a/patches.fixes/ovl-fix-random-return-value-on-mount.patch b/patches.fixes/ovl-fix-random-return-value-on-mount.patch
new file mode 100644
index 0000000000..6812348a1c
--- /dev/null
+++ b/patches.fixes/ovl-fix-random-return-value-on-mount.patch
@@ -0,0 +1,43 @@
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Tue, 11 Jul 2017 15:58:35 +0300
+Subject: [PATCH] ovl: fix random return value on mount
+References: bsc#1099993
+Git-commit: 8fc646b44385ff0a9853f6590497e43049eeb311
+Patch-mainline: v4.13-rc2
+
+On failure to prepare_creds(), mount fails with a random
+return value, as err was last set to an integer cast of
+a valid lower mnt pointer or set to 0 if inodes index feature
+is enabled.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: 3fe6e52f0626 ("ovl: override creds with the ones from ...")
+Cc: <stable@vger.kernel.org> # v4.7
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+---
+ fs/overlayfs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
+index f85e73f49543..6a06c35d6e86 100644
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -1182,11 +1182,11 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
+ else
+ sb->s_d_op = &ovl_dentry_operations;
+
++ err = -ENOMEM;
+ ufs->creator_cred = prepare_creds();
+ if (!ufs->creator_cred)
+ goto out_put_lower_mnt;
+
+- err = -ENOMEM;
+ oe = ovl_alloc_entry(numlower);
+ if (!oe)
+ goto out_put_cred;
+--
+2.16.4
+
diff --git a/patches.fixes/ovl-fix-uid-gid-when-creating-over-whiteout.patch b/patches.fixes/ovl-fix-uid-gid-when-creating-over-whiteout.patch
new file mode 100644
index 0000000000..db6a9a6804
--- /dev/null
+++ b/patches.fixes/ovl-fix-uid-gid-when-creating-over-whiteout.patch
@@ -0,0 +1,61 @@
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 15 Jun 2016 14:18:59 +0200
+Subject: [PATCH] ovl: fix uid/gid when creating over whiteout
+References: bsc#1099993
+Git-commit: d0e13f5bbe4be7c8f27736fc40503dcec04b7de0
+Patch-mainline: v4.7-rc4
+
+Fix a regression when creating a file over a whiteout. The new
+file/directory needs to use the current fsuid/fsgid, not the ones from the
+mounter's credentials.
+
+The refcounting is a bit tricky: prepare_creds() sets an original refcount,
+override_creds() gets one more, which revert_cred() drops. So
+
+ 1) we need to expicitly put the mounter's credentials when overriding
+ with the updated one
+
+ 2) we need to put the original ref to the updated creds (and this can
+ safely be done before revert_creds(), since we'll still have the ref
+ from override_creds()).
+
+Reported-by: Stephen Smalley <sds@tycho.nsa.gov>
+Fixes: 3fe6e52f0626 ("ovl: override creds with the ones from the superblock mounter")
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+---
+ fs/overlayfs/dir.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
+index 1ead1cbd1c19..7a3fb6f73f0b 100644
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -422,12 +422,21 @@ static int ovl_create_or_link(struct dentry *dentry, int mode, dev_t rdev,
+ err = ovl_create_upper(dentry, inode, &stat, link, hardlink);
+ } else {
+ const struct cred *old_cred;
++ struct cred *override_cred;
+
+ old_cred = ovl_override_creds(dentry->d_sb);
+
+- err = ovl_create_over_whiteout(dentry, inode, &stat, link,
+- hardlink);
++ err = -ENOMEM;
++ override_cred = prepare_creds();
++ if (override_cred) {
++ override_cred->fsuid = old_cred->fsuid;
++ override_cred->fsgid = old_cred->fsgid;
++ put_cred(override_creds(override_cred));
++ put_cred(override_cred);
+
++ err = ovl_create_over_whiteout(dentry, inode, &stat,
++ link, hardlink);
++ }
+ revert_creds(old_cred);
+ }
+
+--
+2.16.4
+
diff --git a/patches.fixes/ovl-override-creds-with-the-ones-from-the-superblock.patch b/patches.fixes/ovl-override-creds-with-the-ones-from-the-superblock.patch
new file mode 100644
index 0000000000..3b7be1bf5f
--- /dev/null
+++ b/patches.fixes/ovl-override-creds-with-the-ones-from-the-superblock.patch
@@ -0,0 +1,346 @@
+From 3fe6e52f062643676eb4518d68cee3bc1272091b Mon Sep 17 00:00:00 2001
+From: Antonio Murdaca <amurdaca@redhat.com>
+Date: Thu, 7 Apr 2016 15:48:25 +0200
+Subject: [PATCH] ovl: override creds with the ones from the superblock mounter
+References: bsc#1099993
+Git-commit: 3fe6e52f062643676eb4518d68cee3bc1272091b
+Patch-mainline: v4.7-rc1
+
+In user namespace the whiteout creation fails with -EPERM because the
+current process isn't capable(CAP_SYS_ADMIN) when setting xattr.
+
+A simple reproducer:
+
+$ mkdir upper lower work merged lower/dir
+$ sudo mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merged
+$ unshare -m -p -f -U -r bash
+
+Now as root in the user namespace:
+
+\# touch merged/dir/{1,2,3} # this will force a copy up of lower/dir
+\# rm -fR merged/*
+
+This ends up failing with -EPERM after the files in dir has been
+correctly deleted:
+
+unlinkat(4, "2", 0) = 0
+unlinkat(4, "1", 0) = 0
+unlinkat(4, "3", 0) = 0
+close(4) = 0
+unlinkat(AT_FDCWD, "merged/dir", AT_REMOVEDIR) = -1 EPERM (Operation not
+permitted)
+
+Interestingly, if you don't place files in merged/dir you can remove it,
+meaning if upper/dir does not exist, creating the char device file works
+properly in that same location.
+
+This patch uses ovl_sb_creator_cred() to get the cred struct from the
+superblock mounter and override the old cred with these new ones so that
+the whiteout creation is possible because overlay is wrong in assuming that
+the creds it will get with prepare_creds will be in the initial user
+namespace. The old cap_raise game is removed in favor of just overriding
+the old cred struct.
+
+This patch also drops from ovl_copy_up_one() the following two lines:
+
+override_cred->fsuid = stat->uid;
+override_cred->fsgid = stat->gid;
+
+This is because the correct uid and gid are taken directly with the stat
+struct and correctly set with ovl_set_attr().
+
+Signed-off-by: Antonio Murdaca <runcom@redhat.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+---
+ fs/overlayfs/copy_up.c | 26 +------------------
+ fs/overlayfs/dir.c | 67 ++++--------------------------------------------
+ fs/overlayfs/overlayfs.h | 1 +
+ fs/overlayfs/readdir.c | 13 ++--------
+ fs/overlayfs/super.c | 18 ++++++++++++-
+ 5 files changed, 26 insertions(+), 99 deletions(-)
+
+diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
+index 762f2eb246d9..65fe6d2deb00 100644
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -318,7 +318,6 @@ int ovl_copy_up_one(struct dentry *parent, struct dentry *dentry,
+ struct dentry *upperdir;
+ struct dentry *upperdentry;
+ const struct cred *old_cred;
+- struct cred *override_cred;
+ char *link = NULL;
+ struct dentry *d, *ancestor = NULL;
+
+@@ -341,28 +340,7 @@ int ovl_copy_up_one(struct dentry *parent, struct dentry *dentry,
+ return PTR_ERR(link);
+ }
+
+- err = -ENOMEM;
+- override_cred = prepare_creds();
+- if (!override_cred)
+- goto out_free_link;
+-
+- override_cred->fsuid = stat->uid;
+- override_cred->fsgid = stat->gid;
+- /*
+- * CAP_SYS_ADMIN for copying up extended attributes
+- * CAP_DAC_OVERRIDE for create
+- * CAP_FOWNER for chmod, timestamp update
+- * CAP_FSETID for chmod
+- * CAP_CHOWN for chown
+- * CAP_MKNOD for mknod
+- */
+- cap_raise(override_cred->cap_effective, CAP_SYS_ADMIN);
+- cap_raise(override_cred->cap_effective, CAP_DAC_OVERRIDE);
+- cap_raise(override_cred->cap_effective, CAP_FOWNER);
+- cap_raise(override_cred->cap_effective, CAP_FSETID);
+- cap_raise(override_cred->cap_effective, CAP_CHOWN);
+- cap_raise(override_cred->cap_effective, CAP_MKNOD);
+- old_cred = override_creds(override_cred);
++ old_cred = ovl_override_creds(dentry->d_sb);
+
+ err = -EIO;
+
+@@ -387,9 +365,7 @@ int ovl_copy_up_one(struct dentry *parent, struct dentry *dentry,
+ out_unlock:
+ unlock_rename(workdir, upperdir);
+ revert_creds(old_cred);
+- put_cred(override_cred);
+
+-out_free_link:
+ if (link)
+ free_page((unsigned long) link);
+
+diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
+index 0c2451b135da..1ead1cbd1c19 100644
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -422,28 +422,13 @@ static int ovl_create_or_link(struct dentry *dentry, int mode, dev_t rdev,
+ err = ovl_create_upper(dentry, inode, &stat, link, hardlink);
+ } else {
+ const struct cred *old_cred;
+- struct cred *override_cred;
+
+- err = -ENOMEM;
+- override_cred = prepare_creds();
+- if (!override_cred)
+- goto out_iput;
+-
+- /*
+- * CAP_SYS_ADMIN for setting opaque xattr
+- * CAP_DAC_OVERRIDE for create in workdir, rename
+- * CAP_FOWNER for removing whiteout from sticky dir
+- */
+- cap_raise(override_cred->cap_effective, CAP_SYS_ADMIN);
+- cap_raise(override_cred->cap_effective, CAP_DAC_OVERRIDE);
+- cap_raise(override_cred->cap_effective, CAP_FOWNER);
+- old_cred = override_creds(override_cred);
++ old_cred = ovl_override_creds(dentry->d_sb);
+
+ err = ovl_create_over_whiteout(dentry, inode, &stat, link,
+ hardlink);
+
+ revert_creds(old_cred);
+- put_cred(override_cred);
+ }
+
+ if (!err)
+@@ -673,32 +658,11 @@ static int ovl_do_remove(struct dentry *dentry, bool is_dir)
+ if (OVL_TYPE_PURE_UPPER(type)) {
+ err = ovl_remove_upper(dentry, is_dir);
+ } else {
+- const struct cred *old_cred;
+- struct cred *override_cred;
+-
+- err = -ENOMEM;
+- override_cred = prepare_creds();
+- if (!override_cred)
+- goto out_drop_write;
+-
+- /*
+- * CAP_SYS_ADMIN for setting xattr on whiteout, opaque dir
+- * CAP_DAC_OVERRIDE for create in workdir, rename
+- * CAP_FOWNER for removing whiteout from sticky dir
+- * CAP_FSETID for chmod of opaque dir
+- * CAP_CHOWN for chown of opaque dir
+- */
+- cap_raise(override_cred->cap_effective, CAP_SYS_ADMIN);
+- cap_raise(override_cred->cap_effective, CAP_DAC_OVERRIDE);
+- cap_raise(override_cred->cap_effective, CAP_FOWNER);
+- cap_raise(override_cred->cap_effective, CAP_FSETID);
+- cap_raise(override_cred->cap_effective, CAP_CHOWN);
+- old_cred = override_creds(override_cred);
++ const struct cred *old_cred = ovl_override_creds(dentry->d_sb);
+
+ err = ovl_remove_and_whiteout(dentry, is_dir);
+
+ revert_creds(old_cred);
+- put_cred(override_cred);
+ }
+ out_drop_write:
+ ovl_drop_write(dentry);
+@@ -737,7 +701,6 @@ static int ovl_rename2(struct inode *olddir, struct dentry *old,
+ bool new_is_dir = false;
+ struct dentry *opaquedir = NULL;
+ const struct cred *old_cred = NULL;
+- struct cred *override_cred = NULL;
+
+ err = -EINVAL;
+ if (flags & ~(RENAME_EXCHANGE | RENAME_NOREPLACE))
+@@ -806,26 +769,8 @@ static int ovl_rename2(struct inode *olddir, struct dentry *old,
+ old_opaque = !OVL_TYPE_PURE_UPPER(old_type);
+ new_opaque = !OVL_TYPE_PURE_UPPER(new_type);
+
+- if (old_opaque || new_opaque) {
+- err = -ENOMEM;
+- override_cred = prepare_creds();
+- if (!override_cred)
+- goto out_drop_write;
+-
+- /*
+- * CAP_SYS_ADMIN for setting xattr on whiteout, opaque dir
+- * CAP_DAC_OVERRIDE for create in workdir
+- * CAP_FOWNER for removing whiteout from sticky dir
+- * CAP_FSETID for chmod of opaque dir
+- * CAP_CHOWN for chown of opaque dir
+- */
+- cap_raise(override_cred->cap_effective, CAP_SYS_ADMIN);
+- cap_raise(override_cred->cap_effective, CAP_DAC_OVERRIDE);
+- cap_raise(override_cred->cap_effective, CAP_FOWNER);
+- cap_raise(override_cred->cap_effective, CAP_FSETID);
+- cap_raise(override_cred->cap_effective, CAP_CHOWN);
+- old_cred = override_creds(override_cred);
+- }
++ if (old_opaque || new_opaque)
++ old_cred = ovl_override_creds(old->d_sb);
+
+ if (overwrite && OVL_TYPE_MERGE_OR_LOWER(new_type) && new_is_dir) {
+ opaquedir = ovl_check_empty_and_clear(new);
+@@ -956,10 +901,8 @@ out_dput_old:
+ out_unlock:
+ unlock_rename(new_upperdir, old_upperdir);
+ out_revert_creds:
+- if (old_opaque || new_opaque) {
++ if (old_opaque || new_opaque)
+ revert_creds(old_cred);
+- put_cred(override_cred);
+- }
+ out_drop_write:
+ ovl_drop_write(old);
+ out:
+diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
+index 5cd41b095f3e..255ae187d437 100644
+--- a/fs/overlayfs/overlayfs.h
++++ b/fs/overlayfs/overlayfs.h
+@@ -153,6 +153,7 @@ void ovl_drop_write(struct dentry *dentry);
+ bool ovl_dentry_is_opaque(struct dentry *dentry);
+ void ovl_dentry_set_opaque(struct dentry *dentry, bool opaque);
+ bool ovl_is_whiteout(struct dentry *dentry, struct dentry *ovl_dir);
++const struct cred *ovl_override_creds(struct super_block *sb);
+ void ovl_dentry_update(struct dentry *dentry, struct dentry *upperdentry);
+ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
+ unsigned int flags);
+diff --git a/fs/overlayfs/readdir.c b/fs/overlayfs/readdir.c
+index f20a90bd4096..3bdafb303ef5 100644
+--- a/fs/overlayfs/readdir.c
++++ b/fs/overlayfs/readdir.c
+@@ -208,17 +208,8 @@ static int ovl_check_whiteouts(struct dentry *dir, struct ovl_readdir_data *rdd)
+ struct ovl_cache_entry *p;
+ struct dentry *dentry;
+ const struct cred *old_cred;
+- struct cred *override_cred;
+
+- override_cred = prepare_creds();
+- if (!override_cred)
+- return -ENOMEM;
+-
+- /*
+- * CAP_DAC_OVERRIDE for lookup
+- */
+- cap_raise(override_cred->cap_effective, CAP_DAC_OVERRIDE);
+- old_cred = override_creds(override_cred);
++ old_cred = ovl_override_creds(rdd->dentry->d_sb);
+
+ err = mutex_lock_killable(&dir->d_inode->i_mutex);
+ if (!err) {
+@@ -235,7 +226,6 @@ static int ovl_check_whiteouts(struct dentry *dir, struct ovl_readdir_data *rdd)
+ mutex_unlock(&dir->d_inode->i_mutex);
+ }
+ revert_creds(old_cred);
+- put_cred(override_cred);
+
+ return err;
+ }
+@@ -291,6 +281,7 @@ static int ovl_dir_read_merged(struct dentry *dentry, struct list_head *list)
+ struct path realpath;
+ struct ovl_readdir_data rdd = {
+ .ctx.actor = ovl_fill_merge,
++ .dentry = dentry,
+ .list = list,
+ .root = RB_ROOT,
+ .is_merge = false,
+diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
+index 00bf03a1f081..f85e73f49543 100644
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -44,6 +44,8 @@ struct ovl_fs {
+ long lower_namelen;
+ /* pathnames of lower and upper dirs, for show_options */
+ struct ovl_config config;
++ /* creds of process who forced instantiation of super block */
++ const struct cred *creator_cred;
+ bool compat;
+ };
+
+@@ -279,6 +281,13 @@ bool ovl_is_whiteout(struct dentry *dentry, struct dentry *ovl_dir)
+ return inode && IS_WHITEOUT(inode);
+ }
+
++const struct cred *ovl_override_creds(struct super_block *sb)
++{
++ struct ovl_fs *ofs = sb->s_fs_info;
++
++ return override_creds(ofs->creator_cred);
++}
++
+ static bool ovl_is_opaquedir(struct dentry *dentry)
+ {
+ int res;
+@@ -620,6 +629,7 @@ static void ovl_put_super(struct super_block *sb)
+ kfree(ufs->config.lowerdir);
+ kfree(ufs->config.upperdir);
+ kfree(ufs->config.workdir);
++ put_cred(ufs->creator_cred);
+ kfree(ufs);
+ }
+
+@@ -1172,10 +1182,14 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
+ else
+ sb->s_d_op = &ovl_dentry_operations;
+
++ ufs->creator_cred = prepare_creds();
++ if (!ufs->creator_cred)
++ goto out_put_lower_mnt;
++
+ err = -ENOMEM;
+ oe = ovl_alloc_entry(numlower);
+ if (!oe)
+- goto out_put_lower_mnt;
++ goto out_put_cred;
+
+ root_dentry = d_make_root(ovl_new_inode(sb, S_IFDIR, oe));
+ if (!root_dentry)
+@@ -1211,6 +1225,8 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
+
+ out_free_oe:
+ kfree(oe);
++out_put_cred:
++ put_cred(ufs->creator_cred);
+ out_put_lower_mnt:
+ for (i = 0; i < ufs->numlower; i++)
+ mntput(ufs->lower_mnt[i]);
+--
+2.16.4
+
diff --git a/patches.kernel.org/4.4.139-001-xfrm6-avoid-potential-infinite-loop-in-_decod.patch b/patches.kernel.org/4.4.139-001-xfrm6-avoid-potential-infinite-loop-in-_decod.patch
new file mode 100644
index 0000000000..073b5ddeed
--- /dev/null
+++ b/patches.kernel.org/4.4.139-001-xfrm6-avoid-potential-infinite-loop-in-_decod.patch
@@ -0,0 +1,103 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 12 May 2018 02:49:30 -0700
+Subject: [PATCH] xfrm6: avoid potential infinite loop in _decode_session6()
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: d9f92772e8ec388d070752ee8f187ef8fa18621f
+
+[ Upstream commit d9f92772e8ec388d070752ee8f187ef8fa18621f ]
+
+syzbot found a way to trigger an infinitie loop by overflowing
+@offset variable that has been forced to use u16 for some very
+obscure reason in the past.
+
+We probably want to look at NEXTHDR_FRAGMENT handling which looks
+wrong, in a separate patch.
+
+In net-next, we shall try to use skb_header_pointer() instead of
+pskb_may_pull().
+
+watchdog: BUG: soft lockup - CPU#1 stuck for 134s! [syz-executor738:4553]
+Modules linked in:
+irq event stamp: 13885653
+hardirqs last enabled at (13885652): [<ffffffff878009d5>] restore_regs_and_return_to_kernel+0x0/0x2b
+hardirqs last disabled at (13885653): [<ffffffff87800905>] interrupt_entry+0xb5/0xf0 arch/x86/entry/entry_64.S:625
+softirqs last enabled at (13614028): [<ffffffff84df0809>] tun_napi_alloc_frags drivers/net/tun.c:1478 [inline]
+softirqs last enabled at (13614028): [<ffffffff84df0809>] tun_get_user+0x1dd9/0x4290 drivers/net/tun.c:1825
+softirqs last disabled at (13614032): [<ffffffff84df1b6f>] tun_get_user+0x313f/0x4290 drivers/net/tun.c:1942
+CPU: 1 PID: 4553 Comm: syz-executor738 Not tainted 4.17.0-rc3+ #40
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:check_kcov_mode kernel/kcov.c:67 [inline]
+RIP: 0010:__sanitizer_cov_trace_pc+0x20/0x50 kernel/kcov.c:101
+RSP: 0018:ffff8801d8cfe250 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
+RAX: ffff8801d88a8080 RBX: ffff8801d7389e40 RCX: 0000000000000006
+RDX: 0000000000000000 RSI: ffffffff868da4ad RDI: ffff8801c8a53277
+RBP: ffff8801d8cfe250 R08: ffff8801d88a8080 R09: ffff8801d8cfe3e8
+R10: ffffed003b19fc87 R11: ffff8801d8cfe43f R12: ffff8801c8a5327f
+R13: 0000000000000000 R14: ffff8801c8a4e5fe R15: ffff8801d8cfe3e8
+FS: 0000000000d88940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffff600400 CR3: 00000001acab3000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ _decode_session6+0xc1d/0x14f0 net/ipv6/xfrm6_policy.c:150
+ __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2368
+ xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline]
+ icmpv6_route_lookup+0x395/0x6e0 net/ipv6/icmp.c:372
+ icmp6_send+0x1982/0x2da0 net/ipv6/icmp.c:551
+ icmpv6_send+0x17a/0x300 net/ipv6/ip6_icmp.c:43
+ ip6_input_finish+0x14e1/0x1a30 net/ipv6/ip6_input.c:305
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip6_input+0xe1/0x5e0 net/ipv6/ip6_input.c:327
+ dst_input include/net/dst.h:450 [inline]
+ ip6_rcv_finish+0x29c/0xa10 net/ipv6/ip6_input.c:71
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ipv6_rcv+0xeb8/0x2040 net/ipv6/ip6_input.c:208
+ __netif_receive_skb_core+0x2468/0x3650 net/core/dev.c:4646
+ __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4711
+ netif_receive_skb_internal+0x126/0x7b0 net/core/dev.c:4785
+ napi_frags_finish net/core/dev.c:5226 [inline]
+ napi_gro_frags+0x631/0xc40 net/core/dev.c:5299
+ tun_get_user+0x3168/0x4290 drivers/net/tun.c:1951
+ tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:1996
+ call_write_iter include/linux/fs.h:1784 [inline]
+ do_iter_readv_writev+0x859/0xa50 fs/read_write.c:680
+ do_iter_write+0x185/0x5f0 fs/read_write.c:959
+ vfs_writev+0x1c7/0x330 fs/read_write.c:1004
+ do_writev+0x112/0x2f0 fs/read_write.c:1039
+ __do_sys_writev fs/read_write.c:1112 [inline]
+ __se_sys_writev fs/read_write.c:1109 [inline]
+ __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109
+ do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Reported-by: syzbot+0053c8...@syzkaller.appspotmail.com
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/xfrm6_policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
+index c074771a10f7..1ca0c2f3d92b 100644
+--- a/net/ipv6/xfrm6_policy.c
++++ b/net/ipv6/xfrm6_policy.c
+@@ -121,7 +121,7 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
+ struct flowi6 *fl6 = &fl->u.ip6;
+ int onlyproto = 0;
+ const struct ipv6hdr *hdr = ipv6_hdr(skb);
+- u16 offset = sizeof(*hdr);
++ u32 offset = sizeof(*hdr);
+ struct ipv6_opt_hdr *exthdr;
+ const unsigned char *nh = skb_network_header(skb);
+ u16 nhoff = IP6CB(skb)->nhoff;
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-002-netfilter-ebtables-handle-string-from-userspa.patch b/patches.kernel.org/4.4.139-002-netfilter-ebtables-handle-string-from-userspa.patch
new file mode 100644
index 0000000000..3d963c6032
--- /dev/null
+++ b/patches.kernel.org/4.4.139-002-netfilter-ebtables-handle-string-from-userspa.patch
@@ -0,0 +1,106 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Fri, 27 Apr 2018 10:45:31 +0200
+Subject: [PATCH] netfilter: ebtables: handle string from userspace with care
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 94c752f99954797da583a84c4907ff19e92550a4
+
+[ Upstream commit 94c752f99954797da583a84c4907ff19e92550a4 ]
+
+strlcpy() can't be safely used on a user-space provided string,
+as it can try to read beyond the buffer's end, if the latter is
+not NULL terminated.
+
+Leveraging the above, syzbot has been able to trigger the following
+splat:
+
+BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300
+[inline]
+BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user
+net/bridge/netfilter/ebtables.c:1957 [inline]
+BUG: KASAN: stack-out-of-bounds in ebt_size_mwt
+net/bridge/netfilter/ebtables.c:2059 [inline]
+BUG: KASAN: stack-out-of-bounds in size_entry_mwt
+net/bridge/netfilter/ebtables.c:2155 [inline]
+BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0
+net/bridge/netfilter/ebtables.c:2194
+Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504
+
+CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ memcpy+0x37/0x50 mm/kasan/kasan.c:303
+ strlcpy include/linux/string.h:300 [inline]
+ compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
+ ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
+ size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
+ compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
+ compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285
+ compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367
+ compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
+ compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
+ compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279
+ inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041
+ compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901
+ compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050
+ __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403
+ __do_compat_sys_setsockopt net/compat.c:416 [inline]
+ __se_compat_sys_setsockopt net/compat.c:413 [inline]
+ __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413
+ do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
+ do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
+ entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7fb3cb9
+RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
+RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+The buggy address belongs to the page:
+page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0x2fffc0000000000()
+raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
+raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000
+page dumped because: kasan: bad access detected
+
+Fix the issue replacing the unsafe function with strscpy() and
+taking care of possible errors.
+
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/bridge/netfilter/ebtables.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 51eab9b5baa1..9f70c267a7a5 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1912,7 +1912,8 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
+ int off, pad = 0;
+ unsigned int size_kern, match_size = mwt->match_size;
+
+- strlcpy(name, mwt->u.name, sizeof(name));
++ if (strscpy(name, mwt->u.name, sizeof(name)) < 0)
++ return -EINVAL;
+
+ if (state->buf_kern_start)
+ dst = state->buf_kern_start + state->buf_kern_offset;
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-003-ipvs-fix-buffer-overflow-with-sync-daemon-and.patch b/patches.kernel.org/4.4.139-003-ipvs-fix-buffer-overflow-with-sync-daemon-and.patch
new file mode 100644
index 0000000000..1dcede1a71
--- /dev/null
+++ b/patches.kernel.org/4.4.139-003-ipvs-fix-buffer-overflow-with-sync-daemon-and.patch
@@ -0,0 +1,152 @@
+From: Julian Anastasov <ja@ssi.bg>
+Date: Sat, 19 May 2018 18:22:35 +0300
+Subject: [PATCH] ipvs: fix buffer overflow with sync daemon and service
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 52f96757905bbf0edef47f3ee6c7c784e7f8ff8a
+
+[ Upstream commit 52f96757905bbf0edef47f3ee6c7c784e7f8ff8a ]
+
+syzkaller reports for buffer overflow for interface name
+when starting sync daemons [1]
+
+What we do is that we copy user structure into larger stack
+buffer but later we search NUL past the stack buffer.
+The same happens for sched_name when adding/editing virtual server.
+
+We are restricted by IP_VS_SCHEDNAME_MAXLEN and IP_VS_IFNAME_MAXLEN
+being used as size in include/uapi/linux/ip_vs.h, so they
+include the space for NUL.
+
+As using strlcpy is wrong for unsafe source, replace it with
+strscpy and add checks to return EINVAL if source string is not
+NUL-terminated. The incomplete strlcpy fix comes from 2.6.13.
+
+For the netlink interface reduce the len parameter for
+IPVS_DAEMON_ATTR_MCAST_IFN and IPVS_SVC_ATTR_SCHED_NAME,
+so that we get proper EINVAL.
+
+[1]
+kernel BUG at lib/string.c:1052!
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
+RSP: 0018:ffff8801c976f800 EFLAGS: 00010282
+RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000
+RDX: 0000000000000022 RSI: ffffffff8160f6f1 RDI: ffffed00392edef6
+RBP: ffff8801c976f800 R08: ffff8801cf4c62c0 R09: ffffed003b5e4fb0
+R10: ffffed003b5e4fb0 R11: ffff8801daf27d87 R12: ffff8801c976fa20
+R13: ffff8801c976fae4 R14: ffff8801c976fae0 R15: 000000000000048b
+FS: 00007fd99f75e700(0000) GS:ffff8801daf00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000200001c0 CR3: 00000001d6843000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ strlen include/linux/string.h:270 [inline]
+ strlcpy include/linux/string.h:293 [inline]
+ do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388
+ nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
+ nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
+ ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
+ udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487
+ ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
+ tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057
+ sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046
+ __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
+ __do_sys_setsockopt net/socket.c:1914 [inline]
+ __se_sys_setsockopt net/socket.c:1911 [inline]
+ __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
+ do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x447369
+RSP: 002b:00007fd99f75dda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 00000000006e39e4 RCX: 0000000000447369
+RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000018 R09: 0000000000000000
+R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000006e39e0
+R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0000000000000001
+Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb
+de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90
+90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
+RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801c976f800
+
+Reported-and-tested-by: syzbot+aac887f77319868646df@syzkaller.appspotmail.com
+Fixes: e4ff67513096 ("ipvs: add sync_maxlen parameter for the sync daemon")
+Fixes: 4da62fc70d7c ("[IPVS]: Fix for overflows")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index c0656510c4dc..3167ec76903a 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2349,8 +2349,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ struct ipvs_sync_daemon_cfg cfg;
+
+ memset(&cfg, 0, sizeof(cfg));
+- strlcpy(cfg.mcast_ifn, dm->mcast_ifn,
+- sizeof(cfg.mcast_ifn));
++ ret = -EINVAL;
++ if (strscpy(cfg.mcast_ifn, dm->mcast_ifn,
++ sizeof(cfg.mcast_ifn)) <= 0)
++ goto out_dec;
+ cfg.syncid = dm->syncid;
+ ret = start_sync_thread(ipvs, &cfg, dm->state);
+ } else {
+@@ -2388,12 +2390,19 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ }
+ }
+
++ if ((cmd == IP_VS_SO_SET_ADD || cmd == IP_VS_SO_SET_EDIT) &&
++ strnlen(usvc.sched_name, IP_VS_SCHEDNAME_MAXLEN) ==
++ IP_VS_SCHEDNAME_MAXLEN) {
++ ret = -EINVAL;
++ goto out_unlock;
++ }
++
+ /* Check for valid protocol: TCP or UDP or SCTP, even for fwmark!=0 */
+ if (usvc.protocol != IPPROTO_TCP && usvc.protocol != IPPROTO_UDP &&
+ usvc.protocol != IPPROTO_SCTP) {
+- pr_err("set_ctl: invalid protocol: %d %pI4:%d %s\n",
++ pr_err("set_ctl: invalid protocol: %d %pI4:%d\n",
+ usvc.protocol, &usvc.addr.ip,
+- ntohs(usvc.port), usvc.sched_name);
++ ntohs(usvc.port));
+ ret = -EFAULT;
+ goto out_unlock;
+ }
+@@ -2822,7 +2831,7 @@ static const struct nla_policy ip_vs_cmd_policy[IPVS_CMD_ATTR_MAX + 1] = {
+ static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = {
+ [IPVS_DAEMON_ATTR_STATE] = { .type = NLA_U32 },
+ [IPVS_DAEMON_ATTR_MCAST_IFN] = { .type = NLA_NUL_STRING,
+- .len = IP_VS_IFNAME_MAXLEN },
++ .len = IP_VS_IFNAME_MAXLEN - 1 },
+ [IPVS_DAEMON_ATTR_SYNC_ID] = { .type = NLA_U32 },
+ [IPVS_DAEMON_ATTR_SYNC_MAXLEN] = { .type = NLA_U16 },
+ [IPVS_DAEMON_ATTR_MCAST_GROUP] = { .type = NLA_U32 },
+@@ -2840,7 +2849,7 @@ static const struct nla_policy ip_vs_svc_policy[IPVS_SVC_ATTR_MAX + 1] = {
+ [IPVS_SVC_ATTR_PORT] = { .type = NLA_U16 },
+ [IPVS_SVC_ATTR_FWMARK] = { .type = NLA_U32 },
+ [IPVS_SVC_ATTR_SCHED_NAME] = { .type = NLA_NUL_STRING,
+- .len = IP_VS_SCHEDNAME_MAXLEN },
++ .len = IP_VS_SCHEDNAME_MAXLEN - 1 },
+ [IPVS_SVC_ATTR_PE_NAME] = { .type = NLA_NUL_STRING,
+ .len = IP_VS_PENAME_MAXLEN },
+ [IPVS_SVC_ATTR_FLAGS] = { .type = NLA_BINARY,
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-004-atm-zatm-fix-memcmp-casting.patch b/patches.kernel.org/4.4.139-004-atm-zatm-fix-memcmp-casting.patch
new file mode 100644
index 0000000000..375af39a9d
--- /dev/null
+++ b/patches.kernel.org/4.4.139-004-atm-zatm-fix-memcmp-casting.patch
@@ -0,0 +1,40 @@
+From: Ivan Bornyakov <brnkv.i1@gmail.com>
+Date: Fri, 25 May 2018 20:49:52 +0300
+Subject: [PATCH] atm: zatm: fix memcmp casting
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: f9c6442a8f0b1dde9e755eb4ff6fa22bcce4eabc
+
+[ Upstream commit f9c6442a8f0b1dde9e755eb4ff6fa22bcce4eabc ]
+
+memcmp() returns int, but eprom_try_esi() cast it to unsigned char. One
+can lose significant bits and get 0 from non-0 value returned by the
+memcmp().
+
+Signed-off-by: Ivan Bornyakov <brnkv.i1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/atm/zatm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/atm/zatm.c b/drivers/atm/zatm.c
+index 6eab52b92e01..c302f47f6323 100644
+--- a/drivers/atm/zatm.c
++++ b/drivers/atm/zatm.c
+@@ -1149,8 +1149,8 @@ static void eprom_get_byte(struct zatm_dev *zatm_dev, unsigned char *byte,
+ }
+
+
+-static unsigned char eprom_try_esi(struct atm_dev *dev, unsigned short cmd,
+- int offset, int swap)
++static int eprom_try_esi(struct atm_dev *dev, unsigned short cmd, int offset,
++ int swap)
+ {
+ unsigned char buf[ZEPROM_SIZE];
+ struct zatm_dev *zatm_dev;
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-005-net-qmi_wwan-Add-Netgear-Aircard-779S.patch b/patches.kernel.org/4.4.139-005-net-qmi_wwan-Add-Netgear-Aircard-779S.patch
new file mode 100644
index 0000000000..f1e2adbcc3
--- /dev/null
+++ b/patches.kernel.org/4.4.139-005-net-qmi_wwan-Add-Netgear-Aircard-779S.patch
@@ -0,0 +1,39 @@
+From: Josh Hill <josh@joshuajhill.com>
+Date: Sun, 27 May 2018 20:10:41 -0400
+Subject: [PATCH] net: qmi_wwan: Add Netgear Aircard 779S
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 2415f3bd059fe050eb98aedf93664d000ceb4e92
+
+[ Upstream commit 2415f3bd059fe050eb98aedf93664d000ceb4e92 ]
+
+Add support for Netgear Aircard 779S
+
+Signed-off-by: Josh Hill <josh@joshuajhill.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index d72205f06a1d..3b67140eed73 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -635,6 +635,7 @@ static const struct usb_device_id products[] = {
+ {QMI_FIXED_INTF(0x05c6, 0x920d, 0)},
+ {QMI_FIXED_INTF(0x05c6, 0x920d, 5)},
+ {QMI_FIXED_INTF(0x0846, 0x68a2, 8)},
++ {QMI_FIXED_INTF(0x0846, 0x68d3, 8)}, /* Netgear Aircard 779S */
+ {QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */
+ {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */
+ {QMI_FIXED_INTF(0x1435, 0xd181, 3)}, /* Wistron NeWeb D18Q1 */
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-006-net-sonic-Use-dma_mapping_error.patch b/patches.kernel.org/4.4.139-006-net-sonic-Use-dma_mapping_error.patch
new file mode 100644
index 0000000000..80a6665632
--- /dev/null
+++ b/patches.kernel.org/4.4.139-006-net-sonic-Use-dma_mapping_error.patch
@@ -0,0 +1,40 @@
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 30 May 2018 13:03:51 +1000
+Subject: [PATCH] net/sonic: Use dma_mapping_error()
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 26de0b76d9ba3200f09c6cb9d9618bda338be5f7
+
+[ Upstream commit 26de0b76d9ba3200f09c6cb9d9618bda338be5f7 ]
+
+With CONFIG_DMA_API_DEBUG=y, calling sonic_open() produces the
+message, "DMA-API: device driver failed to check map error".
+Add the missing dma_mapping_error() call.
+
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Acked-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/natsemi/sonic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/natsemi/sonic.c b/drivers/net/ethernet/natsemi/sonic.c
+index 1bd419dbda6d..0798b4adb039 100644
+--- a/drivers/net/ethernet/natsemi/sonic.c
++++ b/drivers/net/ethernet/natsemi/sonic.c
+@@ -71,7 +71,7 @@ static int sonic_open(struct net_device *dev)
+ for (i = 0; i < SONIC_NUM_RRS; i++) {
+ dma_addr_t laddr = dma_map_single(lp->device, skb_put(lp->rx_skb[i], SONIC_RBSIZE),
+ SONIC_RBSIZE, DMA_FROM_DEVICE);
+- if (!laddr) {
++ if (dma_mapping_error(lp->device, laddr)) {
+ while(i > 0) { /* free any that were mapped successfully */
+ i--;
+ dma_unmap_single(lp->device, lp->rx_laddr[i], SONIC_RBSIZE, DMA_FROM_DEVICE);
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-007-Revert-Btrfs-fix-scrub-to-repair-raid6-corrup.patch b/patches.kernel.org/4.4.139-007-Revert-Btrfs-fix-scrub-to-repair-raid6-corrup.patch
new file mode 100644
index 0000000000..ace8350696
--- /dev/null
+++ b/patches.kernel.org/4.4.139-007-Revert-Btrfs-fix-scrub-to-repair-raid6-corrup.patch
@@ -0,0 +1,73 @@
+From: Sasha Levin <Alexander.Levin@microsoft.com>
+Date: Fri, 15 Jun 2018 02:39:22 +0000
+Subject: [PATCH] Revert "Btrfs: fix scrub to repair raid6 corruption"
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 2cb1b6033d10b2c613f79da40da9777a033ad85f
+
+This reverts commit 95b286daf7ba784191023ad110122703eb2ebabc.
+
+This commit used an incorrect log message.
+
+Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/btrfs/raid56.c | 18 ++++--------------
+ fs/btrfs/volumes.c | 9 +--------
+ 2 files changed, 5 insertions(+), 22 deletions(-)
+
+diff --git a/fs/btrfs/raid56.c b/fs/btrfs/raid56.c
+index b9fa99577bf7..1a33d3eb36de 100644
+--- a/fs/btrfs/raid56.c
++++ b/fs/btrfs/raid56.c
+@@ -2160,21 +2160,11 @@ int raid56_parity_recover(struct btrfs_root *root, struct bio *bio,
+ }
+
+ /*
+- * Loop retry:
+- * for 'mirror == 2', reconstruct from all other stripes.
+- * for 'mirror_num > 2', select a stripe to fail on every retry.
++ * reconstruct from the q stripe if they are
++ * asking for mirror 3
+ */
+- if (mirror_num > 2) {
+- /*
+- * 'mirror == 3' is to fail the p stripe and
+- * reconstruct from the q stripe. 'mirror > 3' is to
+- * fail a data stripe and reconstruct from p+q stripe.
+- */
+- rbio->failb = rbio->real_stripes - (mirror_num - 1);
+- ASSERT(rbio->failb > 0);
+- if (rbio->failb <= rbio->faila)
+- rbio->failb--;
+- }
++ if (mirror_num == 3)
++ rbio->failb = rbio->real_stripes - 2;
+
+ ret = lock_stripe_add(rbio);
+
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
+index b4d63a9842fa..ed75d70b4bc2 100644
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -5056,14 +5056,7 @@ int btrfs_num_copies(struct btrfs_fs_info *fs_info, u64 logical, u64 len)
+ else if (map->type & BTRFS_BLOCK_GROUP_RAID5)
+ ret = 2;
+ else if (map->type & BTRFS_BLOCK_GROUP_RAID6)
+- /*
+- * There could be two corrupted data stripes, we need
+- * to loop retry in order to rebuild the correct data.
+- *
+- * Fail a stripe at a time on every retry except the
+- * stripe under reconstruction.
+- */
+- ret = map->num_stripes;
++ ret = 3;
+ else
+ ret = 1;
+ free_extent_map(em);
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-008-tcp-do-not-overshoot-window_clamp-in-tcp_rcv_.patch b/patches.kernel.org/4.4.139-008-tcp-do-not-overshoot-window_clamp-in-tcp_rcv_.patch
new file mode 100644
index 0000000000..7d08b27dc8
--- /dev/null
+++ b/patches.kernel.org/4.4.139-008-tcp-do-not-overshoot-window_clamp-in-tcp_rcv_.patch
@@ -0,0 +1,48 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 10 Dec 2017 17:55:02 -0800
+Subject: [PATCH] tcp: do not overshoot window_clamp in tcp_rcv_space_adjust()
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 02db55718d53f9d426cee504c27fb768e9ed4ffe
+
+commit 02db55718d53f9d426cee504c27fb768e9ed4ffe upstream.
+
+While rcvbuf is properly clamped by tcp_rmem[2], rcvwin
+is left to a potentially too big value.
+
+It has no serious effect, since :
+1) tcp_grow_window() has very strict checks.
+2) window_clamp can be mangled by user space to any value anyway.
+
+tcp_init_buffer_space() and companions use tcp_full_space(),
+we use tcp_win_from_space() to avoid reloading sk->sk_rcvbuf
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Acked-by: Wei Wang <weiwan@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Benjamin Gilbert <benjamin.gilbert@coreos.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/tcp_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 23b95aead897..a9041915afc0 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -612,7 +612,7 @@ void tcp_rcv_space_adjust(struct sock *sk)
+ sk->sk_rcvbuf = rcvbuf;
+
+ /* Make the window clamp follow along. */
+- tp->window_clamp = rcvwin;
++ tp->window_clamp = tcp_win_from_space(rcvbuf);
+ }
+ }
+ tp->rcvq_space.space = copied;
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-009-Btrfs-make-raid6-rebuild-retry-more.patch b/patches.kernel.org/4.4.139-009-Btrfs-make-raid6-rebuild-retry-more.patch
new file mode 100644
index 0000000000..afec7f8027
--- /dev/null
+++ b/patches.kernel.org/4.4.139-009-Btrfs-make-raid6-rebuild-retry-more.patch
@@ -0,0 +1,98 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 15 Jun 2018 02:39:23 +0000
+Subject: [PATCH] Btrfs: make raid6 rebuild retry more
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 8810f7517a3bc4ca2d41d022446d3f5fd6b77c09
+
+[ Upstream commit 8810f7517a3bc4ca2d41d022446d3f5fd6b77c09 ]
+
+There is a scenario that can end up with rebuild process failing to
+return good content, i.e.
+suppose that all disks can be read without problems and if the content
+that was read out doesn't match its checksum, currently for raid6
+btrfs at most retries twice,
+
+- the 1st retry is to rebuild with all other stripes, it'll eventually
+ be a raid5 xor rebuild,
+- if the 1st fails, the 2nd retry will deliberately fail parity p so
+ that it will do raid6 style rebuild,
+
+however, the chances are that another non-parity stripe content also
+has something corrupted, so that the above retries are not able to
+return correct content, and users will think of this as data loss.
+More seriouly, if the loss happens on some important internal btree
+roots, it could refuse to mount.
+
+This extends btrfs to do more retries and each retry fails only one
+stripe. Since raid6 can tolerate 2 disk failures, if there is one
+more failure besides the failure on which we're recovering, this can
+always work.
+
+The worst case is to retry as many times as the number of raid6 disks,
+but given the fact that such a scenario is really rare in practice,
+it's still acceptable.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/btrfs/raid56.c | 18 ++++++++++++++----
+ fs/btrfs/volumes.c | 9 ++++++++-
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/fs/btrfs/raid56.c b/fs/btrfs/raid56.c
+index 1a33d3eb36de..b9fa99577bf7 100644
+--- a/fs/btrfs/raid56.c
++++ b/fs/btrfs/raid56.c
+@@ -2160,11 +2160,21 @@ int raid56_parity_recover(struct btrfs_root *root, struct bio *bio,
+ }
+
+ /*
+- * reconstruct from the q stripe if they are
+- * asking for mirror 3
++ * Loop retry:
++ * for 'mirror == 2', reconstruct from all other stripes.
++ * for 'mirror_num > 2', select a stripe to fail on every retry.
+ */
+- if (mirror_num == 3)
+- rbio->failb = rbio->real_stripes - 2;
++ if (mirror_num > 2) {
++ /*
++ * 'mirror == 3' is to fail the p stripe and
++ * reconstruct from the q stripe. 'mirror > 3' is to
++ * fail a data stripe and reconstruct from p+q stripe.
++ */
++ rbio->failb = rbio->real_stripes - (mirror_num - 1);
++ ASSERT(rbio->failb > 0);
++ if (rbio->failb <= rbio->faila)
++ rbio->failb--;
++ }
+
+ ret = lock_stripe_add(rbio);
+
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
+index ed75d70b4bc2..b4d63a9842fa 100644
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -5056,7 +5056,14 @@ int btrfs_num_copies(struct btrfs_fs_info *fs_info, u64 logical, u64 len)
+ else if (map->type & BTRFS_BLOCK_GROUP_RAID5)
+ ret = 2;
+ else if (map->type & BTRFS_BLOCK_GROUP_RAID6)
+- ret = 3;
++ /*
++ * There could be two corrupted data stripes, we need
++ * to loop retry in order to rebuild the correct data.
++ *
++ * Fail a stripe at a time on every retry except the
++ * stripe under reconstruction.
++ */
++ ret = map->num_stripes;
+ else
+ ret = 1;
+ free_extent_map(em);
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-010-usb-musb-fix-remote-wakeup-racing-with-suspen.patch b/patches.kernel.org/4.4.139-010-usb-musb-fix-remote-wakeup-racing-with-suspen.patch
new file mode 100644
index 0000000000..cfe588c80d
--- /dev/null
+++ b/patches.kernel.org/4.4.139-010-usb-musb-fix-remote-wakeup-racing-with-suspen.patch
@@ -0,0 +1,139 @@
+From: =?UTF-8?q?Daniel=20Gl=C3=B6ckner?= <dg@emlix.com>
+Date: Mon, 14 May 2018 09:40:05 -0500
+Subject: [PATCH] usb: musb: fix remote wakeup racing with suspend
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: ebc3dd688cd988754a304147753b13e58de1b5a1
+
+[ Upstream commit ebc3dd688cd988754a304147753b13e58de1b5a1 ]
+
+It has been observed that writing 0xF2 to the power register while it
+reads as 0xF4 results in the register having the value 0xF0, i.e. clearing
+RESUME and setting SUSPENDM in one go does not work. It might also violate
+the USB spec to transition directly from resume to suspend, especially
+when not taking T_DRSMDN into account. But this is what happens when a
+remote wakeup occurs between SetPortFeature USB_PORT_FEAT_SUSPEND on the
+root hub and musb_bus_suspend being called.
+
+This commit returns -EBUSY when musb_bus_suspend is called while remote
+wakeup is signalled and thus avoids to reset the RESUME bit. Ignoring
+this error when musb_port_suspend is called from musb_hub_control is ok.
+
+Signed-off-by: Daniel Glöckner <dg@emlix.com>
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/musb/musb_host.c | 5 ++++-
+ drivers/usb/musb/musb_host.h | 7 +++++--
+ drivers/usb/musb/musb_virthub.c | 25 +++++++++++++++----------
+ 3 files changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c
+index 494823f21c28..7ec66f1db418 100644
+--- a/drivers/usb/musb/musb_host.c
++++ b/drivers/usb/musb/musb_host.c
+@@ -2580,8 +2580,11 @@ static int musb_bus_suspend(struct usb_hcd *hcd)
+ {
+ struct musb *musb = hcd_to_musb(hcd);
+ u8 devctl;
++ int ret;
+
+- musb_port_suspend(musb, true);
++ ret = musb_port_suspend(musb, true);
++ if (ret)
++ return ret;
+
+ if (!is_host_active(musb))
+ return 0;
+diff --git a/drivers/usb/musb/musb_host.h b/drivers/usb/musb/musb_host.h
+index 7bbf01bf4bb0..54d02ed032df 100644
+--- a/drivers/usb/musb/musb_host.h
++++ b/drivers/usb/musb/musb_host.h
+@@ -92,7 +92,7 @@ extern void musb_host_rx(struct musb *, u8);
+ extern void musb_root_disconnect(struct musb *musb);
+ extern void musb_host_resume_root_hub(struct musb *musb);
+ extern void musb_host_poke_root_hub(struct musb *musb);
+-extern void musb_port_suspend(struct musb *musb, bool do_suspend);
++extern int musb_port_suspend(struct musb *musb, bool do_suspend);
+ extern void musb_port_reset(struct musb *musb, bool do_reset);
+ extern void musb_host_finish_resume(struct work_struct *work);
+ #else
+@@ -124,7 +124,10 @@ static inline void musb_root_disconnect(struct musb *musb) {}
+ static inline void musb_host_resume_root_hub(struct musb *musb) {}
+ static inline void musb_host_poll_rh_status(struct musb *musb) {}
+ static inline void musb_host_poke_root_hub(struct musb *musb) {}
+-static inline void musb_port_suspend(struct musb *musb, bool do_suspend) {}
++static inline int musb_port_suspend(struct musb *musb, bool do_suspend)
++{
++ return 0;
++}
+ static inline void musb_port_reset(struct musb *musb, bool do_reset) {}
+ static inline void musb_host_finish_resume(struct work_struct *work) {}
+ #endif
+diff --git a/drivers/usb/musb/musb_virthub.c b/drivers/usb/musb/musb_virthub.c
+index 92d5f718659b..ac5458a69de5 100644
+--- a/drivers/usb/musb/musb_virthub.c
++++ b/drivers/usb/musb/musb_virthub.c
+@@ -74,14 +74,14 @@ void musb_host_finish_resume(struct work_struct *work)
+ spin_unlock_irqrestore(&musb->lock, flags);
+ }
+
+-void musb_port_suspend(struct musb *musb, bool do_suspend)
++int musb_port_suspend(struct musb *musb, bool do_suspend)
+ {
+ struct usb_otg *otg = musb->xceiv->otg;
+ u8 power;
+ void __iomem *mbase = musb->mregs;
+
+ if (!is_host_active(musb))
+- return;
++ return 0;
+
+ /* NOTE: this doesn't necessarily put PHY into low power mode,
+ * turning off its clock; that's a function of PHY integration and
+@@ -92,16 +92,20 @@ void musb_port_suspend(struct musb *musb, bool do_suspend)
+ if (do_suspend) {
+ int retries = 10000;
+
+- power &= ~MUSB_POWER_RESUME;
+- power |= MUSB_POWER_SUSPENDM;
+- musb_writeb(mbase, MUSB_POWER, power);
++ if (power & MUSB_POWER_RESUME)
++ return -EBUSY;
+
+- /* Needed for OPT A tests */
+- power = musb_readb(mbase, MUSB_POWER);
+- while (power & MUSB_POWER_SUSPENDM) {
++ if (!(power & MUSB_POWER_SUSPENDM)) {
++ power |= MUSB_POWER_SUSPENDM;
++ musb_writeb(mbase, MUSB_POWER, power);
++
++ /* Needed for OPT A tests */
+ power = musb_readb(mbase, MUSB_POWER);
+- if (retries-- < 1)
+- break;
++ while (power & MUSB_POWER_SUSPENDM) {
++ power = musb_readb(mbase, MUSB_POWER);
++ if (retries-- < 1)
++ break;
++ }
+ }
+
+ dev_dbg(musb->controller, "Root port suspended, power %02x\n", power);
+@@ -138,6 +142,7 @@ void musb_port_suspend(struct musb *musb, bool do_suspend)
+ schedule_delayed_work(&musb->finish_resume_work,
+ msecs_to_jiffies(USB_RESUME_TIMEOUT));
+ }
++ return 0;
+ }
+
+ void musb_port_reset(struct musb *musb, bool do_reset)
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-011-bonding-re-evaluate-force_primary-when-the-pr.patch b/patches.kernel.org/4.4.139-011-bonding-re-evaluate-force_primary-when-the-pr.patch
new file mode 100644
index 0000000000..0c96fc0ded
--- /dev/null
+++ b/patches.kernel.org/4.4.139-011-bonding-re-evaluate-force_primary-when-the-pr.patch
@@ -0,0 +1,39 @@
+From: Xiangning Yu <yuxiangning@gmail.com>
+Date: Thu, 7 Jun 2018 13:39:59 +0800
+Subject: [PATCH] bonding: re-evaluate force_primary when the primary slave
+ name changes
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: eb55bbf865d9979098c6a7a17cbdb41237ece951
+
+[ Upstream commit eb55bbf865d9979098c6a7a17cbdb41237ece951 ]
+
+There is a timing issue under active-standy mode, when bond_enslave() is
+called, bond->params.primary might not be initialized yet.
+
+Any time the primary slave string changes, bond->force_primary should be
+set to true to make sure the primary becomes the active slave.
+
+Signed-off-by: Xiangning Yu <yuxiangning@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/bonding/bond_options.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
+index 55e93b6b6d21..66560a8fcfa2 100644
+--- a/drivers/net/bonding/bond_options.c
++++ b/drivers/net/bonding/bond_options.c
+@@ -1115,6 +1115,7 @@ static int bond_option_primary_set(struct bonding *bond,
+ slave->dev->name);
+ rcu_assign_pointer(bond->primary_slave, slave);
+ strcpy(bond->params.primary, slave->dev->name);
++ bond->force_primary = true;
+ bond_select_active_slave(bond);
+ goto out;
+ }
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-012-tcp-verify-the-checksum-of-the-first-data-seg.patch b/patches.kernel.org/4.4.139-012-tcp-verify-the-checksum-of-the-first-data-seg.patch
new file mode 100644
index 0000000000..c0447e69f6
--- /dev/null
+++ b/patches.kernel.org/4.4.139-012-tcp-verify-the-checksum-of-the-first-data-seg.patch
@@ -0,0 +1,69 @@
+From: Frank van der Linden <fllinden@amazon.com>
+Date: Tue, 12 Jun 2018 23:09:37 +0000
+Subject: [PATCH] tcp: verify the checksum of the first data segment in a new
+ connection
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 4fd44a98ffe0d048246efef67ed640fdf2098a62
+
+[ Upstream commit 4fd44a98ffe0d048246efef67ed640fdf2098a62 ]
+
+commit 079096f103fa ("tcp/dccp: install syn_recv requests into ehash
+table") introduced an optimization for the handling of child sockets
+created for a new TCP connection.
+
+But this optimization passes any data associated with the last ACK of the
+connection handshake up the stack without verifying its checksum, because it
+calls tcp_child_process(), which in turn calls tcp_rcv_state_process()
+directly. These lower-level processing functions do not do any checksum
+verification.
+
+Insert a tcp_checksum_complete call in the TCP_NEW_SYN_RECEIVE path to
+fix this.
+
+Fixes: 079096f103fa ("tcp/dccp: install syn_recv requests into ehash table")
+Signed-off-by: Frank van der Linden <fllinden@amazon.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Tested-by: Balbir Singh <bsingharora@gmail.com>
+Reviewed-by: Balbir Singh <bsingharora@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/tcp_ipv4.c | 4 ++++
+ net/ipv6/tcp_ipv6.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 61c93a93f228..eeda67c3dd11 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1627,6 +1627,10 @@ int tcp_v4_rcv(struct sk_buff *skb)
+ reqsk_put(req);
+ goto discard_it;
+ }
++ if (tcp_checksum_complete(skb)) {
++ reqsk_put(req);
++ goto csum_error;
++ }
+ if (unlikely(sk->sk_state != TCP_LISTEN)) {
+ inet_csk_reqsk_queue_drop_and_put(sk, req);
+ goto lookup;
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 74cbcc4b399c..90abe88e1b40 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1415,6 +1415,10 @@ static int tcp_v6_rcv(struct sk_buff *skb)
+ reqsk_put(req);
+ goto discard_it;
+ }
++ if (tcp_checksum_complete(skb)) {
++ reqsk_put(req);
++ goto csum_error;
++ }
+ if (unlikely(sk->sk_state != TCP_LISTEN)) {
+ inet_csk_reqsk_queue_drop_and_put(sk, req);
+ goto lookup;
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-013-ext4-update-mtime-in-ext4_punch_hole-even-if-.patch b/patches.kernel.org/4.4.139-013-ext4-update-mtime-in-ext4_punch_hole-even-if-.patch
new file mode 100644
index 0000000000..a626c9a25e
--- /dev/null
+++ b/patches.kernel.org/4.4.139-013-ext4-update-mtime-in-ext4_punch_hole-even-if-.patch
@@ -0,0 +1,81 @@
+From: Lukas Czerner <lczerner@redhat.com>
+Date: Sun, 13 May 2018 19:28:35 -0400
+Subject: [PATCH] ext4: update mtime in ext4_punch_hole even if no blocks are
+ released
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: eee597ac931305eff3d3fd1d61d6aae553bc0984
+
+commit eee597ac931305eff3d3fd1d61d6aae553bc0984 upstream.
+
+Currently in ext4_punch_hole we're going to skip the mtime update if
+there are no actual blocks to release. However we've actually modified
+the file by zeroing the partial block so the mtime should be updated.
+
+Moreover the sync and datasync handling is skipped as well, which is
+also wrong. Fix it.
+
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reported-by: Joe Habermann <joe.habermann@quantum.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/ext4/inode.c | 36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 56ce7fd0f0d0..30efeb656c1e 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -3787,28 +3787,28 @@ int ext4_punch_hole(struct inode *inode, loff_t offset, loff_t length)
+ EXT4_BLOCK_SIZE_BITS(sb);
+ stop_block = (offset + length) >> EXT4_BLOCK_SIZE_BITS(sb);
+
+- /* If there are no blocks to remove, return now */
+- if (first_block >= stop_block)
+- goto out_stop;
++ /* If there are blocks to remove, do it */
++ if (stop_block > first_block) {
+
+- down_write(&EXT4_I(inode)->i_data_sem);
+- ext4_discard_preallocations(inode);
++ down_write(&EXT4_I(inode)->i_data_sem);
++ ext4_discard_preallocations(inode);
+
+- ret = ext4_es_remove_extent(inode, first_block,
+- stop_block - first_block);
+- if (ret) {
+- up_write(&EXT4_I(inode)->i_data_sem);
+- goto out_stop;
+- }
++ ret = ext4_es_remove_extent(inode, first_block,
++ stop_block - first_block);
++ if (ret) {
++ up_write(&EXT4_I(inode)->i_data_sem);
++ goto out_stop;
++ }
+
+- if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
+- ret = ext4_ext_remove_space(inode, first_block,
+- stop_block - 1);
+- else
+- ret = ext4_ind_remove_space(handle, inode, first_block,
+- stop_block);
++ if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
++ ret = ext4_ext_remove_space(inode, first_block,
++ stop_block - 1);
++ else
++ ret = ext4_ind_remove_space(handle, inode, first_block,
++ stop_block);
+
+- up_write(&EXT4_I(inode)->i_data_sem);
++ up_write(&EXT4_I(inode)->i_data_sem);
++ }
+ if (IS_SYNC(inode))
+ ext4_handle_sync(handle);
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-014-ext4-fix-fencepost-error-in-check-for-inode-c.patch b/patches.kernel.org/4.4.139-014-ext4-fix-fencepost-error-in-check-for-inode-c.patch
new file mode 100644
index 0000000000..fdf6f4616d
--- /dev/null
+++ b/patches.kernel.org/4.4.139-014-ext4-fix-fencepost-error-in-check-for-inode-c.patch
@@ -0,0 +1,43 @@
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 25 May 2018 12:51:25 -0400
+Subject: [PATCH] ext4: fix fencepost error in check for inode count overflow
+ during resize
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 4f2f76f751433908364ccff82f437a57d0e6e9b7
+
+commit 4f2f76f751433908364ccff82f437a57d0e6e9b7 upstream.
+
+ext4_resize_fs() has an off-by-one bug when checking whether growing of
+a filesystem will not overflow inode count. As a result it allows a
+filesystem with 8192 inodes per group to grow to 64TB which overflows
+inode count to 0 and makes filesystem unusable. Fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 3f8a6411fbada1fa482276591e037f3b1adcf55b
+Reported-by: Jaco Kroon <jaco@uls.co.za>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/ext4/resize.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index 74516efd874c..d2421fd38833 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1903,7 +1903,7 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count)
+ return 0;
+
+ n_group = ext4_get_group_number(sb, n_blocks_count - 1);
+- if (n_group > (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) {
++ if (n_group >= (0xFFFFFFFFUL / EXT4_INODES_PER_GROUP(sb))) {
+ ext4_warning(sb, "resize would cause inodes_count overflow");
+ return -EINVAL;
+ }
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-015-driver-core-Don-t-ignore-class_dir_create_and.patch b/patches.kernel.org/4.4.139-015-driver-core-Don-t-ignore-class_dir_create_and.patch
new file mode 100644
index 0000000000..eb646a838a
--- /dev/null
+++ b/patches.kernel.org/4.4.139-015-driver-core-Don-t-ignore-class_dir_create_and.patch
@@ -0,0 +1,84 @@
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Mon, 7 May 2018 19:10:31 +0900
+Subject: [PATCH] driver core: Don't ignore class_dir_create_and_add() failure.
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 84d0c27d6233a9ba0578b20f5a09701eb66cee42
+
+commit 84d0c27d6233a9ba0578b20f5a09701eb66cee42 upstream.
+
+syzbot is hitting WARN() at kernfs_add_one() [1].
+This is because kernfs_create_link() is confused by previous device_add()
+call which continued without setting dev->kobj.parent field when
+get_device_parent() failed by memory allocation fault injection.
+Fix this by propagating the error from class_dir_create_and_add() to
+the calllers of get_device_parent().
+
+[1] https://syzkaller.appspot.com/bug?id=fae0fb607989ea744526d1c082a5b8de6529116f
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+df47f81c226b31d89fb1@syzkaller.appspotmail.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/base/core.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/base/core.c b/drivers/base/core.c
+index afe045792796..049ccc070ce5 100644
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -759,7 +759,7 @@ class_dir_create_and_add(struct class *class, struct kobject *parent_kobj)
+
+ dir = kzalloc(sizeof(*dir), GFP_KERNEL);
+ if (!dir)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+
+ dir->class = class;
+ kobject_init(&dir->kobj, &class_dir_ktype);
+@@ -769,7 +769,7 @@ class_dir_create_and_add(struct class *class, struct kobject *parent_kobj)
+ retval = kobject_add(&dir->kobj, parent_kobj, "%s", class->name);
+ if (retval < 0) {
+ kobject_put(&dir->kobj);
+- return NULL;
++ return ERR_PTR(retval);
+ }
+ return &dir->kobj;
+ }
+@@ -1076,6 +1076,10 @@ int device_add(struct device *dev)
+
+ parent = get_device(dev->parent);
+ kobj = get_device_parent(dev, parent);
++ if (IS_ERR(kobj)) {
++ error = PTR_ERR(kobj);
++ goto parent_error;
++ }
+ if (kobj)
+ dev->kobj.parent = kobj;
+
+@@ -1174,6 +1178,7 @@ int device_add(struct device *dev)
+ kobject_del(&dev->kobj);
+ Error:
+ cleanup_glue_dir(dev, glue_dir);
++parent_error:
+ put_device(parent);
+ name_error:
+ kfree(dev->p);
+@@ -1990,6 +1995,11 @@ int device_move(struct device *dev, struct device *new_parent,
+ device_pm_lock();
+ new_parent = get_device(new_parent);
+ new_parent_kobj = get_device_parent(dev, new_parent);
++ if (IS_ERR(new_parent_kobj)) {
++ error = PTR_ERR(new_parent_kobj);
++ put_device(new_parent);
++ goto out;
++ }
+
+ pr_debug("device: '%s': %s: moving to '%s'\n", dev_name(dev),
+ __func__, new_parent ? dev_name(new_parent) : "<NULL>");
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-016-btrfs-scrub-Don-t-use-inode-pages-for-device-.patch b/patches.kernel.org/4.4.139-016-btrfs-scrub-Don-t-use-inode-pages-for-device-.patch
new file mode 100644
index 0000000000..e575dfd001
--- /dev/null
+++ b/patches.kernel.org/4.4.139-016-btrfs-scrub-Don-t-use-inode-pages-for-device-.patch
@@ -0,0 +1,72 @@
+From: Qu Wenruo <wqu@suse.com>
+Date: Tue, 5 Jun 2018 12:36:56 +0800
+Subject: [PATCH] btrfs: scrub: Don't use inode pages for device replace
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: ac0b4145d662a3b9e34085dea460fb06ede9b69b
+
+commit ac0b4145d662a3b9e34085dea460fb06ede9b69b upstream.
+
+[BUG]
+Btrfs can create compressed extent without checksum (even though it
+shouldn't), and if we then try to replace device containing such extent,
+the result device will contain all the uncompressed data instead of the
+compressed one.
+
+Test case already submitted to fstests:
+https://patchwork.kernel.org/patch/10442353/
+
+[CAUSE]
+When handling compressed extent without checksum, device replace will
+goe into copy_nocow_pages() function.
+
+In that function, btrfs will get all inodes referring to this data
+extents and then use find_or_create_page() to get pages direct from that
+inode.
+
+The problem here is, pages directly from inode are always uncompressed.
+And for compressed data extent, they mismatch with on-disk data.
+Thus this leads to corrupted compressed data extent written to replace
+device.
+
+[FIX]
+In this attempt, we could just remove the "optimization" branch, and let
+unified scrub_pages() to handle it.
+
+Although scrub_pages() won't bother reusing page cache, it will be a
+little slower, but it does the correct csum checking and won't cause
+such data corruption caused by "optimization".
+
+Note about the fix: this is the minimal fix that can be backported to
+older stable trees without conflicts. The whole callchain from
+copy_nocow_pages() can be deleted, and will be in followup patches.
+
+Fixes: ff023aac3119 ("Btrfs: add code to scrub to copy read data to another disk")
+CC: stable@vger.kernel.org # 4.4+
+Reported-by: James Harvey <jamespharvey20@gmail.com>
+Reviewed-by: James Harvey <jamespharvey20@gmail.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+[ remove code removal, add note why ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/btrfs/scrub.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
+index b091d94ceef6..6dca9f937bf6 100644
+--- a/fs/btrfs/scrub.c
++++ b/fs/btrfs/scrub.c
+@@ -2513,7 +2513,7 @@ static int scrub_extent(struct scrub_ctx *sctx, u64 logical, u64 len,
+ have_csum = scrub_find_csum(sctx, logical, csum);
+ if (have_csum == 0)
+ ++sctx->stat.no_csum;
+- if (sctx->is_dev_replace && !have_csum) {
++ if (0 && sctx->is_dev_replace && !have_csum) {
+ ret = copy_nocow_pages(sctx, logical, l,
+ mirror_num,
+ physical_for_dev_replace);
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-017-ALSA-hda-Handle-kzalloc-failure-in-snd_hda_at.patch b/patches.kernel.org/4.4.139-017-ALSA-hda-Handle-kzalloc-failure-in-snd_hda_at.patch
new file mode 100644
index 0000000000..de656f5823
--- /dev/null
+++ b/patches.kernel.org/4.4.139-017-ALSA-hda-Handle-kzalloc-failure-in-snd_hda_at.patch
@@ -0,0 +1,52 @@
+From: Bo Chen <chenbo@pdx.edu>
+Date: Thu, 31 May 2018 15:35:18 -0700
+Subject: [PATCH] ALSA: hda - Handle kzalloc() failure in
+ snd_hda_attach_pcm_stream()
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: a3aa60d511746bd6c0d0366d4eb90a7998bcde8b
+
+commit a3aa60d511746bd6c0d0366d4eb90a7998bcde8b upstream.
+
+When 'kzalloc()' fails in 'snd_hda_attach_pcm_stream()', a new pcm instance is
+created without setting its operators via 'snd_pcm_set_ops()'. Following
+operations on the new pcm instance can trigger kernel null pointer dereferences
+and cause kernel oops.
+
+This bug was found with my work on building a gray-box fault-injection tool for
+linux-kernel-module binaries. A kernel null pointer dereference was confirmed
+from line 'substream->ops->open()' in function 'snd_pcm_open_substream()' in
+file 'sound/core/pcm_native.c'.
+
+This patch fixes the bug by calling 'snd_device_free()' in the error handling
+path of 'kzalloc()', which removes the new pcm instance from the snd card before
+returns with an error code.
+
+Signed-off-by: Bo Chen <chenbo@pdx.edu>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/pci/hda/hda_controller.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c
+index 9c6e10fb479f..273364c39171 100644
+--- a/sound/pci/hda/hda_controller.c
++++ b/sound/pci/hda/hda_controller.c
+@@ -547,8 +547,10 @@ int snd_hda_attach_pcm_stream(struct hda_bus *_bus, struct hda_codec *codec,
+ return err;
+ strlcpy(pcm->name, cpcm->name, sizeof(pcm->name));
+ apcm = kzalloc(sizeof(*apcm), GFP_KERNEL);
+- if (apcm == NULL)
++ if (apcm == NULL) {
++ snd_device_free(chip->card, pcm);
+ return -ENOMEM;
++ }
+ apcm->chip = chip;
+ apcm->pcm = pcm;
+ apcm->codec = codec;
+--
+2.18.0
+
diff --git a/patches.drivers/ALSA-hda-add-dock-and-led-support-for-HP-EliteBook-8 b/patches.kernel.org/4.4.139-018-ALSA-hda-add-dock-and-led-support-for-HP-Elit.patch
index 033ec3423d..aab6284fca 100644
--- a/patches.drivers/ALSA-hda-add-dock-and-led-support-for-HP-EliteBook-8
+++ b/patches.kernel.org/4.4.139-018-ALSA-hda-add-dock-and-led-support-for-HP-Elit.patch
@@ -1,10 +1,11 @@
-From 2861751f67b91e1d24e68010ced96614fb3140f4 Mon Sep 17 00:00:00 2001
From: Dennis Wassenberg <dennis.wassenberg@secunet.com>
Date: Tue, 12 Jun 2018 07:10:59 +0200
Subject: [PATCH] ALSA: hda: add dock and led support for HP EliteBook 830 G5
+Patch-mainline: 4.4.139
+References: bnc#1012382 bsc#1099810
Git-commit: 2861751f67b91e1d24e68010ced96614fb3140f4
-Patch-mainline: v4.18-rc1
-References: bsc#1099810
+
+commit 2861751f67b91e1d24e68010ced96614fb3140f4 upstream.
This patch adds missing initialisation for HP 2013 UltraSlim Dock
Line-In/Out PINs and activates keyboard mute/micmute leds
@@ -13,23 +14,24 @@ for HP EliteBook 830 G5
Signed-off-by: Dennis Wassenberg <dennis.wassenberg@secunet.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
sound/pci/hda/patch_conexant.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
-index dbf9910c5269..2655f9d92fd2 100644
+index 9fae1d248318..88118458b48e 100644
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
-@@ -958,6 +958,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
+@@ -851,6 +851,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK),
SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK),
SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
- SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO),
+ SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
--
2.18.0
diff --git a/patches.drivers/ALSA-hda-add-dock-and-led-support-for-HP-ProBook-640 b/patches.kernel.org/4.4.139-019-ALSA-hda-add-dock-and-led-support-for-HP-ProB.patch
index 44c6c156fc..6ffff3d822 100644
--- a/patches.drivers/ALSA-hda-add-dock-and-led-support-for-HP-ProBook-640
+++ b/patches.kernel.org/4.4.139-019-ALSA-hda-add-dock-and-led-support-for-HP-ProB.patch
@@ -1,10 +1,11 @@
-From 7eef32c1ef895a3a96463f9cbd04203007cd5555 Mon Sep 17 00:00:00 2001
From: Dennis Wassenberg <dennis.wassenberg@secunet.com>
Date: Tue, 12 Jun 2018 07:11:11 +0200
Subject: [PATCH] ALSA: hda: add dock and led support for HP ProBook 640 G4
+Patch-mainline: 4.4.139
+References: bnc#1012382 bsc#1099810
Git-commit: 7eef32c1ef895a3a96463f9cbd04203007cd5555
-Patch-mainline: v4.18-rc1
-References: bsc#1099810
+
+commit 7eef32c1ef895a3a96463f9cbd04203007cd5555 upstream.
This patch adds missing initialisation for HP 2013 UltraSlim Dock
Line-In/Out PINs and activates keyboard mute/micmute leds
@@ -13,23 +14,24 @@ for HP ProBook 640 G4
Signed-off-by: Dennis Wassenberg <dennis.wassenberg@secunet.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
sound/pci/hda/patch_conexant.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
-index 2655f9d92fd2..e7fcfc3b8885 100644
+index 88118458b48e..cb19af145f46 100644
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
-@@ -959,6 +959,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
+@@ -852,6 +852,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK),
SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
- SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO),
+ SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
--
2.18.0
diff --git a/patches.kernel.org/4.4.139-020-cpufreq-Fix-new-policy-initialization-during-.patch b/patches.kernel.org/4.4.139-020-cpufreq-Fix-new-policy-initialization-during-.patch
new file mode 100644
index 0000000000..cab3ccb007
--- /dev/null
+++ b/patches.kernel.org/4.4.139-020-cpufreq-Fix-new-policy-initialization-during-.patch
@@ -0,0 +1,56 @@
+From: Tao Wang <kevin.wangtao@hisilicon.com>
+Date: Sat, 26 May 2018 15:16:48 +0800
+Subject: [PATCH] cpufreq: Fix new policy initialization during limits updates
+ via sysfs
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: c7d1f119c48f64bebf0fa1e326af577c6152fe30
+
+commit c7d1f119c48f64bebf0fa1e326af577c6152fe30 upstream.
+
+If the policy limits are updated via cpufreq_update_policy() and
+subsequently via sysfs, the limits stored in user_policy may be
+set incorrectly.
+
+For example, if both min and max are set via sysfs to the maximum
+available frequency, user_policy.min and user_policy.max will also
+be the maximum. If a policy notifier triggered by
+cpufreq_update_policy() lowers both the min and the max at this
+point, that change is not reflected by the user_policy limits, so
+if the max is updated again via sysfs to the same lower value,
+then user_policy.max will be lower than user_policy.min which
+shouldn't happen. In particular, if one of the policy CPUs is
+then taken offline and back online, cpufreq_set_policy() will
+fail for it due to a failing limits check.
+
+To prevent that from happening, initialize the min and max fields
+of the new_policy object to the ones stored in user_policy that
+were previously set via sysfs.
+
+Signed-off-by: Kevin Wangtao <kevin.wangtao@hisilicon.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+[ rjw: Subject & changelog ]
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/cpufreq/cpufreq.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+index ebed319657e7..68b604ad8413 100644
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -603,6 +603,8 @@ static ssize_t store_##file_name \
+ struct cpufreq_policy new_policy; \
+ \
+ memcpy(&new_policy, policy, sizeof(*policy)); \
++ new_policy.min = policy->user_policy.min; \
++ new_policy.max = policy->user_policy.max; \
+ \
+ ret = sscanf(buf, "%u", &new_policy.object); \
+ if (ret != 1) \
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-021-libata-zpodd-make-arrays-cdb-static-reduces-o.patch b/patches.kernel.org/4.4.139-021-libata-zpodd-make-arrays-cdb-static-reduces-o.patch
new file mode 100644
index 0000000000..e4ff29ee6d
--- /dev/null
+++ b/patches.kernel.org/4.4.139-021-libata-zpodd-make-arrays-cdb-static-reduces-o.patch
@@ -0,0 +1,54 @@
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 6 Sep 2017 09:56:29 +0100
+Subject: [PATCH] libata: zpodd: make arrays cdb static, reduces object code
+ size
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 795ef788145ed2fa023efdf11e8d5d7bedc21462
+
+commit 795ef788145ed2fa023efdf11e8d5d7bedc21462 upstream.
+
+Don't populate the arrays cdb on the stack, instead make them static.
+Makes the object code smaller by 230 bytes:
+
+Before:
+ text data bss dec hex filename
+ 3797 240 0 4037 fc5 drivers/ata/libata-zpodd.o
+
+After:
+ text data bss dec hex filename
+ 3407 400 0 3807 edf drivers/ata/libata-zpodd.o
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/ata/libata-zpodd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c
+index f3a65a3140d3..db64f81a4840 100644
+--- a/drivers/ata/libata-zpodd.c
++++ b/drivers/ata/libata-zpodd.c
+@@ -34,7 +34,7 @@ struct zpodd {
+ static int eject_tray(struct ata_device *dev)
+ {
+ struct ata_taskfile tf;
+- const char cdb[] = { GPCMD_START_STOP_UNIT,
++ static const char cdb[] = { GPCMD_START_STOP_UNIT,
+ 0, 0, 0,
+ 0x02, /* LoEj */
+ 0, 0, 0, 0, 0, 0, 0,
+@@ -55,7 +55,7 @@ static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev)
+ unsigned int ret;
+ struct rm_feature_desc *desc = (void *)(buf + 8);
+ struct ata_taskfile tf;
+- char cdb[] = { GPCMD_GET_CONFIGURATION,
++ static const char cdb[] = { GPCMD_GET_CONFIGURATION,
+ 2, /* only 1 feature descriptor requested */
+ 0, 3, /* 3, removable medium feature */
+ 0, 0, 0,/* reserved */
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-022-libata-zpodd-small-read-overflow-in-eject_tra.patch b/patches.kernel.org/4.4.139-022-libata-zpodd-small-read-overflow-in-eject_tra.patch
new file mode 100644
index 0000000000..71047c0b94
--- /dev/null
+++ b/patches.kernel.org/4.4.139-022-libata-zpodd-small-read-overflow-in-eject_tra.patch
@@ -0,0 +1,38 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 29 May 2018 12:13:24 +0300
+Subject: [PATCH] libata: zpodd: small read overflow in eject_tray()
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 18c9a99bce2a57dfd7e881658703b5d7469cc7b9
+
+commit 18c9a99bce2a57dfd7e881658703b5d7469cc7b9 upstream.
+
+We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
+ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
+
+Fixes: 213342053db5 ("libata: handle power transition of ODD")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/ata/libata-zpodd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c
+index db64f81a4840..0ad96c647541 100644
+--- a/drivers/ata/libata-zpodd.c
++++ b/drivers/ata/libata-zpodd.c
+@@ -34,7 +34,7 @@ struct zpodd {
+ static int eject_tray(struct ata_device *dev)
+ {
+ struct ata_taskfile tf;
+- static const char cdb[] = { GPCMD_START_STOP_UNIT,
++ static const char cdb[ATAPI_CDB_LEN] = { GPCMD_START_STOP_UNIT,
+ 0, 0, 0,
+ 0x02, /* LoEj */
+ 0, 0, 0, 0, 0, 0, 0,
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-023-libata-Drop-SanDisk-SD7UB3Q-G1001-NOLPM-quirk.patch b/patches.kernel.org/4.4.139-023-libata-Drop-SanDisk-SD7UB3Q-G1001-NOLPM-quirk.patch
new file mode 100644
index 0000000000..996ec15f5d
--- /dev/null
+++ b/patches.kernel.org/4.4.139-023-libata-Drop-SanDisk-SD7UB3Q-G1001-NOLPM-quirk.patch
@@ -0,0 +1,61 @@
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 31 May 2018 13:21:07 +0200
+Subject: [PATCH] libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 2cfce3a86b64b53f0a70e92a6a659c720c319b45
+
+commit 2cfce3a86b64b53f0a70e92a6a659c720c319b45 upstream.
+
+Commit 184add2ca23c ("libata: Apply NOLPM quirk for SanDisk
+SD7UB3Q*G1001 SSDs") disabled LPM for SanDisk SD7UB3Q*G1001 SSDs.
+
+This has lead to several reports of users of that SSD where LPM
+was working fine and who know have a significantly increased idle
+power consumption on their laptops.
+
+Likely there is another problem on the T450s from the original
+reporter which gets exposed by the uncore reaching deeper sleep
+states (higher PC-states) due to LPM being enabled. The problem as
+reported, a hardfreeze about once a day, already did not sound like
+it would be caused by LPM and the reports of the SSD working fine
+confirm this. The original reporter is ok with dropping the quirk.
+
+A X250 user has reported the same hard freeze problem and for him
+the problem went away after unrelated updates, I suspect some GPU
+driver stack changes fixed things.
+
+TL;DR: The original reporters problem were triggered by LPM but not
+an LPM issue, so drop the quirk for the SSD in question.
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1583207
+Cc: stable@vger.kernel.org
+Cc: Richard W.M. Jones <rjones@redhat.com>
+Cc: Lorenzo Dalrio <lorenzo.dalrio@gmail.com>
+Reported-by: Lorenzo Dalrio <lorenzo.dalrio@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Acked-by: "Richard W.M. Jones" <rjones@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/ata/libata-core.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index f9b86a1d922d..9afd06ee5b30 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4247,9 +4247,6 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
+ ATA_HORKAGE_ZERO_AFTER_TRIM |
+ ATA_HORKAGE_NOLPM, },
+
+- /* Sandisk devices which are known to not handle LPM well */
+- { "SanDisk SD7UB3Q*G1001", NULL, ATA_HORKAGE_NOLPM, },
+-
+ /* devices that don't properly handle queued TRIM commands */
+ { "Micron_M500IT_*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM |
+ ATA_HORKAGE_ZERO_AFTER_TRIM, },
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-024-w1-mxc_w1-Enable-clock-before-calling-clk_get.patch b/patches.kernel.org/4.4.139-024-w1-mxc_w1-Enable-clock-before-calling-clk_get.patch
new file mode 100644
index 0000000000..eeb757d528
--- /dev/null
+++ b/patches.kernel.org/4.4.139-024-w1-mxc_w1-Enable-clock-before-calling-clk_get.patch
@@ -0,0 +1,73 @@
+From: Stefan Potyra <Stefan.Potyra@elektrobit.com>
+Date: Wed, 2 May 2018 10:55:31 +0200
+Subject: [PATCH] w1: mxc_w1: Enable clock before calling clk_get_rate() on it
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 955bc61328dc0a297fb3baccd84e9d3aee501ed8
+
+commit 955bc61328dc0a297fb3baccd84e9d3aee501ed8 upstream.
+
+According to the API, you may only call clk_get_rate() after actually
+enabling it.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Fixes: a5fd9139f74c ("w1: add 1-wire master driver for i.MX27 / i.MX31")
+Signed-off-by: Stefan Potyra <Stefan.Potyra@elektrobit.com>
+Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/w1/masters/mxc_w1.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/w1/masters/mxc_w1.c b/drivers/w1/masters/mxc_w1.c
+index a4621757a47f..dacb5919970c 100644
+--- a/drivers/w1/masters/mxc_w1.c
++++ b/drivers/w1/masters/mxc_w1.c
+@@ -113,6 +113,10 @@ static int mxc_w1_probe(struct platform_device *pdev)
+ if (IS_ERR(mdev->clk))
+ return PTR_ERR(mdev->clk);
+
++ err = clk_prepare_enable(mdev->clk);
++ if (err)
++ return err;
++
+ clkrate = clk_get_rate(mdev->clk);
+ if (clkrate < 10000000)
+ dev_warn(&pdev->dev,
+@@ -126,12 +130,10 @@ static int mxc_w1_probe(struct platform_device *pdev)
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ mdev->regs = devm_ioremap_resource(&pdev->dev, res);
+- if (IS_ERR(mdev->regs))
+- return PTR_ERR(mdev->regs);
+-
+- err = clk_prepare_enable(mdev->clk);
+- if (err)
+- return err;
++ if (IS_ERR(mdev->regs)) {
++ err = PTR_ERR(mdev->regs);
++ goto out_disable_clk;
++ }
+
+ /* Software reset 1-Wire module */
+ writeb(MXC_W1_RESET_RST, mdev->regs + MXC_W1_RESET);
+@@ -147,8 +149,12 @@ static int mxc_w1_probe(struct platform_device *pdev)
+
+ err = w1_add_master_device(&mdev->bus_master);
+ if (err)
+- clk_disable_unprepare(mdev->clk);
++ goto out_disable_clk;
+
++ return 0;
++
++out_disable_clk:
++ clk_disable_unprepare(mdev->clk);
+ return err;
+ }
+
+--
+2.18.0
+
diff --git a/patches.fixes/fs-binfmt_misc-c-do-not-allow-offset-overflow.patch b/patches.kernel.org/4.4.139-025-fs-binfmt_misc.c-do-not-allow-offset-overflow.patch
index 98b300fcb3..b6a101fe83 100644
--- a/patches.fixes/fs-binfmt_misc-c-do-not-allow-offset-overflow.patch
+++ b/patches.kernel.org/4.4.139-025-fs-binfmt_misc.c-do-not-allow-offset-overflow.patch
@@ -1,10 +1,11 @@
-From cf0417650a62569cfa2bfa1adf68762868970386 Mon Sep 17 00:00:00 2001
From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Date: Thu, 7 Jun 2018 17:11:01 -0700
-Subject: fs/binfmt_misc.c: do not allow offset overflow
+Subject: [PATCH] fs/binfmt_misc.c: do not allow offset overflow
+Patch-mainline: 4.4.139
+References: bnc#1012382 bsc#1099279
Git-commit: 5cc41e099504b77014358b58567c5ea6293dd220
-Patch-mainline: v4.18-rc1
-References: bsc#1099279
+
+commit 5cc41e099504b77014358b58567c5ea6293dd220 upstream.
WHen registering a new binfmt_misc handler, it is possible to overflow
the offset to get a negative value, which might crash the system, or
@@ -43,7 +44,8 @@ Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Acked-by: Luis Henriques <lhenriques@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
fs/binfmt_misc.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
@@ -78,4 +80,6 @@ index 78f005f37847..dd784bcf7c96 100644
goto einval;
pr_debug("register: magic/mask length: %i\n", e->size);
if (USE_DEBUG) {
+--
+2.18.0
diff --git a/patches.suse/x86-spectre_v1-Disable-compiler-optimizations-over-a.patch b/patches.kernel.org/4.4.139-026-x86-spectre_v1-Disable-compiler-optimizations.patch
index 6d12010343..d7f189c858 100644
--- a/patches.suse/x86-spectre_v1-Disable-compiler-optimizations-over-a.patch
+++ b/patches.kernel.org/4.4.139-026-x86-spectre_v1-Disable-compiler-optimizations.patch
@@ -1,10 +1,12 @@
From: Dan Williams <dan.j.williams@intel.com>
Date: Thu, 7 Jun 2018 09:13:48 -0700
-Subject: x86/spectre_v1: Disable compiler optimizations over
+Subject: [PATCH] x86/spectre_v1: Disable compiler optimizations over
array_index_mask_nospec()
+Patch-mainline: 4.4.139
+References: CVE-2017-5753 bnc#1012382 bsc#1068032
Git-commit: eab6870fee877258122a042bfd99ee7908c40280
-Patch-mainline: v4.18-rc2
-References: bsc#1068032 CVE-2017-5753
+
+commit eab6870fee877258122a042bfd99ee7908c40280 upstream.
Mark Rutland noticed that GCC optimization passes have the potential to elide
necessary invocations of the array_index_mask_nospec() instruction sequence,
@@ -61,19 +63,25 @@ Cc: Peter Zijlstra <peterz@infradead.org>
Fixes: babdde2698d4 ("x86: Implement array_index_mask_nospec")
Link: https://lkml.kernel.org/lkml/152838798950.14521.4893346294059739135.stgit@dwillia2-desk3.amr.corp.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
- arch/x86/include/asm/barrier.h | 2 +-
+ arch/x86/include/asm/barrier.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h
+index 814ef83c6720..e3a6f66d288c 100644
--- a/arch/x86/include/asm/barrier.h
+++ b/arch/x86/include/asm/barrier.h
-@@ -38,7 +38,7 @@ static inline unsigned long array_index_
+@@ -38,7 +38,7 @@ static inline unsigned long array_index_mask_nospec(unsigned long index,
{
unsigned long mask;
- asm ("cmp %1,%2; sbb %0,%0;"
+ asm volatile ("cmp %1,%2; sbb %0,%0;"
:"=r" (mask)
- :"g"(size),"r" (index)
+ :"r"(size),"r" (index)
:"cc");
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-027-m68k-mm-Adjust-VM-area-to-be-unmapped-by-gap-.patch b/patches.kernel.org/4.4.139-027-m68k-mm-Adjust-VM-area-to-be-unmapped-by-gap-.patch
new file mode 100644
index 0000000000..a7c7b4331a
--- /dev/null
+++ b/patches.kernel.org/4.4.139-027-m68k-mm-Adjust-VM-area-to-be-unmapped-by-gap-.patch
@@ -0,0 +1,62 @@
+From: Michael Schmitz <schmitzmic@gmail.com>
+Date: Mon, 14 May 2018 23:10:53 +1200
+Subject: [PATCH] m68k/mm: Adjust VM area to be unmapped by gap size for
+ __iounmap()
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 3f90f9ef2dda316d64e420d5d51ba369587ccc55
+
+commit 3f90f9ef2dda316d64e420d5d51ba369587ccc55 upstream.
+
+If 020/030 support is enabled, get_io_area() leaves an IO_SIZE gap
+between mappings which is added to the vm_struct representing the
+mapping. __ioremap() uses the actual requested size (after alignment),
+while __iounmap() is passed the size from the vm_struct.
+
+On 020/030, early termination descriptors are used to set up mappings of
+extent 'size', which are validated on unmapping. The unmapped gap of
+size IO_SIZE defeats the sanity check of the pmd tables, causing
+__iounmap() to loop forever on 030.
+
+On 040/060, unmapping of page table entries does not check for a valid
+mapping, so the umapping loop always completes there.
+
+Adjust size to be unmapped by the gap that had been added in the
+vm_struct prior.
+
+This fixes the hang in atari_platform_init() reported a long time ago,
+and a similar one reported by Finn recently (addressed by removing
+ioremap() use from the SWIM driver.
+
+Tested on my Falcon in 030 mode - untested but should work the same on
+040/060 (the extra page tables cleared there would never have been set
+up anyway).
+
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+[geert: Minor commit description improvements]
+[geert: This was fixed in 2.4.23, but not in 2.5.x]
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/m68k/mm/kmap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/m68k/mm/kmap.c b/arch/m68k/mm/kmap.c
+index 6e4955bc542b..fcd52cefee29 100644
+--- a/arch/m68k/mm/kmap.c
++++ b/arch/m68k/mm/kmap.c
+@@ -88,7 +88,8 @@ static inline void free_io_area(void *addr)
+ for (p = &iolist ; (tmp = *p) ; p = &tmp->next) {
+ if (tmp->addr == addr) {
+ *p = tmp->next;
+- __iounmap(tmp->addr, tmp->size);
++ /* remove gap added in get_io_area() */
++ __iounmap(tmp->addr, tmp->size - IO_SIZE);
+ kfree(tmp);
+ return;
+ }
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-028-serial-sh-sci-Use-spin_-try-lock_irqsave-inst.patch b/patches.kernel.org/4.4.139-028-serial-sh-sci-Use-spin_-try-lock_irqsave-inst.patch
new file mode 100644
index 0000000000..df5c47701d
--- /dev/null
+++ b/patches.kernel.org/4.4.139-028-serial-sh-sci-Use-spin_-try-lock_irqsave-inst.patch
@@ -0,0 +1,109 @@
+From: Daniel Wagner <daniel.wagner@siemens.com>
+Date: Tue, 8 May 2018 10:55:09 +0200
+Subject: [PATCH] serial: sh-sci: Use spin_{try}lock_irqsave instead of open
+ coding version
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 8afb1d2c12163f77777f84616a8e9444d0050ebe
+
+commit 8afb1d2c12163f77777f84616a8e9444d0050ebe upstream.
+
+Commit 40f70c03e33a ("serial: sh-sci: add locking to console write
+function to avoid SMP lockup") copied the strategy to avoid locking
+problems in conjuncture with the console from the UART8250
+driver. Instead using directly spin_{try}lock_irqsave(),
+local_irq_save() followed by spin_{try}lock() was used. While this is
+correct on mainline, for -rt it is a problem. spin_{try}lock() will
+check if it is running in a valid context. Since the local_irq_save()
+has already been executed, the context has changed and
+spin_{try}lock() will complain. The reason why spin_{try}lock()
+complains is that on -rt the spin locks are turned into mutexes and
+therefore can sleep. Sleeping with interrupts disabled is not valid.
+
+BUG: sleeping function called from invalid context at /home/wagi/work/rt/v4.4-cip-rt/kernel/locking/rtmutex.c:995
+in_atomic(): 0, irqs_disabled(): 128, pid: 778, name: irq/76-eth0
+CPU: 0 PID: 778 Comm: irq/76-eth0 Not tainted 4.4.126-test-cip22-rt14-00403-gcd03665c8318 #12
+Hardware name: Generic RZ/G1 (Flattened Device Tree)
+Backtrace:
+[<c00140a0>] (dump_backtrace) from [<c001424c>] (show_stack+0x18/0x1c)
+ r7:c06b01f0 r6:60010193 r5:00000000 r4:c06b01f0
+[<c0014234>] (show_stack) from [<c01d3c94>] (dump_stack+0x78/0x94)
+[<c01d3c1c>] (dump_stack) from [<c004c134>] (___might_sleep+0x134/0x194)
+ r7:60010113 r6:c06d3559 r5:00000000 r4:ffffe000
+[<c004c000>] (___might_sleep) from [<c04ded60>] (rt_spin_lock+0x20/0x74)
+ r5:c06f4d60 r4:c06f4d60
+[<c04ded40>] (rt_spin_lock) from [<c02577e4>] (serial_console_write+0x100/0x118)
+ r5:c06f4d60 r4:c06f4d60
+[<c02576e4>] (serial_console_write) from [<c0061060>] (call_console_drivers.constprop.15+0x10c/0x124)
+ r10:c06d2894 r9:c04e18b0 r8:00000028 r7:00000000 r6:c06d3559 r5:c06d2798
+ r4:c06b9914 r3:c02576e4
+[<c0060f54>] (call_console_drivers.constprop.15) from [<c0062984>] (console_unlock+0x32c/0x430)
+ r10:c06d30d8 r9:00000028 r8:c06dd518 r7:00000005 r6:00000000 r5:c06d2798
+ r4:c06d2798 r3:00000028
+[<c0062658>] (console_unlock) from [<c0062e1c>] (vprintk_emit+0x394/0x4f0)
+ r10:c06d2798 r9:c06d30ee r8:00000006 r7:00000005 r6:c06a78fc r5:00000027
+ r4:00000003
+[<c0062a88>] (vprintk_emit) from [<c0062fa0>] (vprintk+0x28/0x30)
+ r10:c060bd46 r9:00001000 r8:c06b9a90 r7:c06b9a90 r6:c06b994c r5:c06b9a3c
+ r4:c0062fa8
+[<c0062f78>] (vprintk) from [<c0062fb8>] (vprintk_default+0x10/0x14)
+[<c0062fa8>] (vprintk_default) from [<c009cd30>] (printk+0x78/0x84)
+[<c009ccbc>] (printk) from [<c025afdc>] (credit_entropy_bits+0x17c/0x2cc)
+ r3:00000001 r2:decade60 r1:c061a5ee r0:c061a523
+ r4:00000006
+[<c025ae60>] (credit_entropy_bits) from [<c025bf74>] (add_interrupt_randomness+0x160/0x178)
+ r10:466e7196 r9:1f536000 r8:fffeef74 r7:00000000 r6:c06b9a60 r5:c06b9a3c
+ r4:dfbcf680
+[<c025be14>] (add_interrupt_randomness) from [<c006536c>] (irq_thread+0x1e8/0x248)
+ r10:c006537c r9:c06cdf21 r8:c0064fcc r7:df791c24 r6:df791c00 r5:ffffe000
+ r4:df525180
+[<c0065184>] (irq_thread) from [<c003fba4>] (kthread+0x108/0x11c)
+ r10:00000000 r9:00000000 r8:c0065184 r7:df791c00 r6:00000000 r5:df791d00
+ r4:decac000
+[<c003fa9c>] (kthread) from [<c00101b8>] (ret_from_fork+0x14/0x3c)
+ r8:00000000 r7:00000000 r6:00000000 r5:c003fa9c r4:df791d00
+
+Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Daniel Wagner <daniel.wagner@siemens.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+[dw: Backported to 4.4.]
+Signed-off-by: Daniel Wagner <daniel.wagner@siemens.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/tty/serial/sh-sci.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
+index 8dd822feb972..b63920481b1d 100644
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -2419,13 +2419,12 @@ static void serial_console_write(struct console *co, const char *s,
+ unsigned long flags;
+ int locked = 1;
+
+- local_irq_save(flags);
+ if (port->sysrq)
+ locked = 0;
+ else if (oops_in_progress)
+- locked = spin_trylock(&port->lock);
++ locked = spin_trylock_irqsave(&port->lock, flags);
+ else
+- spin_lock(&port->lock);
++ spin_lock_irqsave(&port->lock, flags);
+
+ /* first save the SCSCR then disable the interrupts */
+ ctrl = serial_port_in(port, SCSCR);
+@@ -2442,8 +2441,7 @@ static void serial_console_write(struct console *co, const char *s,
+ serial_port_out(port, SCSCR, ctrl);
+
+ if (locked)
+- spin_unlock(&port->lock);
+- local_irq_restore(flags);
++ spin_unlock_irqrestore(&port->lock, flags);
+ }
+
+ static int serial_console_setup(struct console *co, char *options)
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-029-signal-xtensa-Consistenly-use-SIGBUS-in-do_un.patch b/patches.kernel.org/4.4.139-029-signal-xtensa-Consistenly-use-SIGBUS-in-do_un.patch
new file mode 100644
index 0000000000..bb68ea55b7
--- /dev/null
+++ b/patches.kernel.org/4.4.139-029-signal-xtensa-Consistenly-use-SIGBUS-in-do_un.patch
@@ -0,0 +1,44 @@
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Fri, 20 Apr 2018 09:14:56 -0500
+Subject: [PATCH] signal/xtensa: Consistenly use SIGBUS in do_unaligned_user
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 7de712ccc096b81d23cc0a941cd9b8cb3956605d
+
+commit 7de712ccc096b81d23cc0a941cd9b8cb3956605d upstream.
+
+While working on changing this code to use force_sig_fault I
+discovered that do_unaliged_user is sets si_signo to SIGBUS and passes
+SIGSEGV to force_sig_info. Which is just b0rked.
+
+The code is reporting a SIGBUS error so replace the SIGSEGV with SIGBUS.
+
+Cc: Chris Zankel <chris@zankel.net>
+Cc: Max Filippov <jcmvbkbc@gmail.com>
+Cc: linux-xtensa@linux-xtensa.org
+Cc: stable@vger.kernel.org
+Acked-by: Max Filippov <jcmvbkbc@gmail.com>
+Fixes: 5a0015d62668 ("[PATCH] xtensa: Architecture support for Tensilica Xtensa Part 3")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/xtensa/kernel/traps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/xtensa/kernel/traps.c b/arch/xtensa/kernel/traps.c
+index 42d441f7898b..1edce040f470 100644
+--- a/arch/xtensa/kernel/traps.c
++++ b/arch/xtensa/kernel/traps.c
+@@ -309,7 +309,7 @@ do_unaligned_user (struct pt_regs *regs)
+ info.si_errno = 0;
+ info.si_code = BUS_ADRALN;
+ info.si_addr = (void *) regs->excvaddr;
+- force_sig_info(SIGSEGV, &info, current);
++ force_sig_info(SIGBUS, &info, current);
+
+ }
+ #endif
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-030-usb-do-not-reset-if-a-low-speed-or-full-speed.patch b/patches.kernel.org/4.4.139-030-usb-do-not-reset-if-a-low-speed-or-full-speed.patch
new file mode 100644
index 0000000000..da7ee0880f
--- /dev/null
+++ b/patches.kernel.org/4.4.139-030-usb-do-not-reset-if-a-low-speed-or-full-speed.patch
@@ -0,0 +1,43 @@
+From: Maxim Moseychuk <franchesko.salias.hudro.pedros@gmail.com>
+Date: Thu, 4 Jan 2018 21:43:03 +0300
+Subject: [PATCH] usb: do not reset if a low-speed or full-speed device timed
+ out
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 6e01827ed93947895680fbdad68c072a0f4e2450
+
+commit 6e01827ed93947895680fbdad68c072a0f4e2450 upstream.
+
+Some low-speed and full-speed devices (for example, bluetooth)
+do not have time to initialize. For them, ETIMEDOUT is a valid error.
+We need to give them another try. Otherwise, they will
+never be initialized correctly and in dmesg will be messages
+"Bluetooth: hci0 command 0x1002 tx timeout" or similars.
+
+Fixes: 264904ccc33c ("usb: retry reset if a device times out")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Maxim Moseychuk <franchesko.salias.hudro.pedros@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/core/hub.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 6d84f6c8fbe6..4d86da0df131 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -4442,7 +4442,9 @@ hub_port_init(struct usb_hub *hub, struct usb_device *udev, int port1,
+ * reset. But only on the first attempt,
+ * lest we get into a time out/reset loop
+ */
+- if (r == 0 || (r == -ETIMEDOUT && retries == 0))
++ if (r == 0 || (r == -ETIMEDOUT &&
++ retries == 0 &&
++ udev->speed > USB_SPEED_FULL))
+ break;
+ }
+ udev->descriptor.bMaxPacketSize0 =
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-031-1wire-family-module-autoload-fails-because-of.patch b/patches.kernel.org/4.4.139-031-1wire-family-module-autoload-fails-because-of.patch
new file mode 100644
index 0000000000..85a1c9a21e
--- /dev/null
+++ b/patches.kernel.org/4.4.139-031-1wire-family-module-autoload-fails-because-of.patch
@@ -0,0 +1,41 @@
+From: Ingo Flaschberger <ingo.flaschberger@gmail.com>
+Date: Tue, 1 May 2018 16:10:33 +0200
+Subject: [PATCH] 1wire: family module autoload fails because of upper/lower
+ case mismatch.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 065c09563c872e52813a17218c52cd642be1dca6
+
+commit 065c09563c872e52813a17218c52cd642be1dca6 upstream.
+
+1wire family module autoload fails because of upper/lower
+  case mismatch.
+
+Signed-off-by: Ingo Flaschberger <ingo.flaschberger@gmail.com>
+Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/w1/w1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c
+index 39886edfa222..88c1b8c01473 100644
+--- a/drivers/w1/w1.c
++++ b/drivers/w1/w1.c
+@@ -741,7 +741,7 @@ int w1_attach_slave_device(struct w1_master *dev, struct w1_reg_num *rn)
+
+ /* slave modules need to be loaded in a context with unlocked mutex */
+ mutex_unlock(&dev->mutex);
+- request_module("w1-family-0x%02x", rn->family);
++ request_module("w1-family-0x%02X", rn->family);
+ mutex_lock(&dev->mutex);
+
+ spin_lock(&w1_flock);
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-032-ASoC-dapm-delete-dapm_kcontrol_data-paths-lis.patch b/patches.kernel.org/4.4.139-032-ASoC-dapm-delete-dapm_kcontrol_data-paths-lis.patch
new file mode 100644
index 0000000000..80dce21479
--- /dev/null
+++ b/patches.kernel.org/4.4.139-032-ASoC-dapm-delete-dapm_kcontrol_data-paths-lis.patch
@@ -0,0 +1,44 @@
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Mon, 4 Jun 2018 12:13:26 +0100
+Subject: [PATCH] ASoC: dapm: delete dapm_kcontrol_data paths list before
+ freeing it
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: ff2faf1289c1f81b5b26b9451dd1c2006aac8db8
+
+commit ff2faf1289c1f81b5b26b9451dd1c2006aac8db8 upstream.
+
+dapm_kcontrol_data is freed as part of dapm_kcontrol_free(), leaving the
+paths pointer dangling in the list.
+
+This leads to system crash when we try to unload and reload sound card.
+I hit this bug during ADSP crash/reboot test case on Dragon board DB410c.
+
+Without this patch, on SLAB Poisoning enabled build, kernel crashes with
+"BUG kmalloc-128 (Tainted: G W ): Poison overwritten"
+
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/soc/soc-dapm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
+index 6a438a361592..9e784cc3e5d2 100644
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -425,6 +425,8 @@ static int dapm_kcontrol_data_alloc(struct snd_soc_dapm_widget *widget,
+ static void dapm_kcontrol_free(struct snd_kcontrol *kctl)
+ {
+ struct dapm_kcontrol_data *data = snd_kcontrol_chip(kctl);
++
++ list_del(&data->paths);
+ kfree(data->wlist);
+ kfree(data);
+ }
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-033-ASoC-cirrus-i2s-Fix-LRCLK-configuration.patch b/patches.kernel.org/4.4.139-033-ASoC-cirrus-i2s-Fix-LRCLK-configuration.patch
new file mode 100644
index 0000000000..77aac41b94
--- /dev/null
+++ b/patches.kernel.org/4.4.139-033-ASoC-cirrus-i2s-Fix-LRCLK-configuration.patch
@@ -0,0 +1,89 @@
+From: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+Date: Sat, 28 Apr 2018 22:51:38 +0200
+Subject: [PATCH] ASoC: cirrus: i2s: Fix LRCLK configuration
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 2d534113be9a2aa532a1ae127a57e83558aed358
+
+commit 2d534113be9a2aa532a1ae127a57e83558aed358 upstream.
+
+The bit responsible for LRCLK polarity is i2s_tlrs (0), not i2s_trel (2)
+(refer to "EP93xx User's Guide").
+
+Previously card drivers which specified SND_SOC_DAIFMT_NB_IF actually got
+SND_SOC_DAIFMT_NB_NF, an adaptation is necessary to retain the old
+behavior.
+
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/soc/cirrus/edb93xx.c | 2 +-
+ sound/soc/cirrus/ep93xx-i2s.c | 8 ++++----
+ sound/soc/cirrus/snappercl15.c | 2 +-
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/sound/soc/cirrus/edb93xx.c b/sound/soc/cirrus/edb93xx.c
+index 85962657aabe..517963ef4847 100644
+--- a/sound/soc/cirrus/edb93xx.c
++++ b/sound/soc/cirrus/edb93xx.c
+@@ -67,7 +67,7 @@ static struct snd_soc_dai_link edb93xx_dai = {
+ .cpu_dai_name = "ep93xx-i2s",
+ .codec_name = "spi0.0",
+ .codec_dai_name = "cs4271-hifi",
+- .dai_fmt = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_IF |
++ .dai_fmt = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_NF |
+ SND_SOC_DAIFMT_CBS_CFS,
+ .ops = &edb93xx_ops,
+ };
+diff --git a/sound/soc/cirrus/ep93xx-i2s.c b/sound/soc/cirrus/ep93xx-i2s.c
+index 934f8aefdd90..38c240c97041 100644
+--- a/sound/soc/cirrus/ep93xx-i2s.c
++++ b/sound/soc/cirrus/ep93xx-i2s.c
+@@ -213,24 +213,24 @@ static int ep93xx_i2s_set_dai_fmt(struct snd_soc_dai *cpu_dai,
+ switch (fmt & SND_SOC_DAIFMT_INV_MASK) {
+ case SND_SOC_DAIFMT_NB_NF:
+ /* Negative bit clock, lrclk low on left word */
+- clk_cfg &= ~(EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_REL);
++ clk_cfg &= ~(EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_LRS);
+ break;
+
+ case SND_SOC_DAIFMT_NB_IF:
+ /* Negative bit clock, lrclk low on right word */
+ clk_cfg &= ~EP93XX_I2S_CLKCFG_CKP;
+- clk_cfg |= EP93XX_I2S_CLKCFG_REL;
++ clk_cfg |= EP93XX_I2S_CLKCFG_LRS;
+ break;
+
+ case SND_SOC_DAIFMT_IB_NF:
+ /* Positive bit clock, lrclk low on left word */
+ clk_cfg |= EP93XX_I2S_CLKCFG_CKP;
+- clk_cfg &= ~EP93XX_I2S_CLKCFG_REL;
++ clk_cfg &= ~EP93XX_I2S_CLKCFG_LRS;
+ break;
+
+ case SND_SOC_DAIFMT_IB_IF:
+ /* Positive bit clock, lrclk low on right word */
+- clk_cfg |= EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_REL;
++ clk_cfg |= EP93XX_I2S_CLKCFG_CKP | EP93XX_I2S_CLKCFG_LRS;
+ break;
+ }
+
+diff --git a/sound/soc/cirrus/snappercl15.c b/sound/soc/cirrus/snappercl15.c
+index 98089df08df6..c6737a573bc0 100644
+--- a/sound/soc/cirrus/snappercl15.c
++++ b/sound/soc/cirrus/snappercl15.c
+@@ -72,7 +72,7 @@ static struct snd_soc_dai_link snappercl15_dai = {
+ .codec_dai_name = "tlv320aic23-hifi",
+ .codec_name = "tlv320aic23-codec.0-001a",
+ .platform_name = "ep93xx-i2s",
+- .dai_fmt = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_IF |
++ .dai_fmt = SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_NF |
+ SND_SOC_DAIFMT_CBS_CFS,
+ .ops = &snappercl15_ops,
+ };
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-034-ASoC-cirrus-i2s-Fix-TX-RX-LinCtrlData-setup.patch b/patches.kernel.org/4.4.139-034-ASoC-cirrus-i2s-Fix-TX-RX-LinCtrlData-setup.patch
new file mode 100644
index 0000000000..e40ac0f86a
--- /dev/null
+++ b/patches.kernel.org/4.4.139-034-ASoC-cirrus-i2s-Fix-TX-RX-LinCtrlData-setup.patch
@@ -0,0 +1,90 @@
+From: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+Date: Sat, 28 Apr 2018 22:51:39 +0200
+Subject: [PATCH] ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 5d302ed3cc80564fb835bed5fdba1e1250ecc9e5
+
+commit 5d302ed3cc80564fb835bed5fdba1e1250ecc9e5 upstream.
+
+According to "EP93xx User’s Guide", I2STXLinCtrlData and I2SRXLinCtrlData
+registers actually have different format. The only currently used bit
+(Left_Right_Justify) has different position. Fix this and simplify the
+whole setup taking into account the fact that both registers have zero
+default value.
+
+The practical effect of the above is repaired SND_SOC_DAIFMT_RIGHT_J
+support (currently unused).
+
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ sound/soc/cirrus/ep93xx-i2s.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/sound/soc/cirrus/ep93xx-i2s.c b/sound/soc/cirrus/ep93xx-i2s.c
+index 38c240c97041..0dc3852c4621 100644
+--- a/sound/soc/cirrus/ep93xx-i2s.c
++++ b/sound/soc/cirrus/ep93xx-i2s.c
+@@ -51,7 +51,9 @@
+ #define EP93XX_I2S_WRDLEN_24 (1 << 0)
+ #define EP93XX_I2S_WRDLEN_32 (2 << 0)
+
+-#define EP93XX_I2S_LINCTRLDATA_R_JUST (1 << 2) /* Right justify */
++#define EP93XX_I2S_RXLINCTRLDATA_R_JUST BIT(1) /* Right justify */
++
++#define EP93XX_I2S_TXLINCTRLDATA_R_JUST BIT(2) /* Right justify */
+
+ #define EP93XX_I2S_CLKCFG_LRS (1 << 0) /* lrclk polarity */
+ #define EP93XX_I2S_CLKCFG_CKP (1 << 1) /* Bit clock polarity */
+@@ -170,25 +172,25 @@ static int ep93xx_i2s_set_dai_fmt(struct snd_soc_dai *cpu_dai,
+ unsigned int fmt)
+ {
+ struct ep93xx_i2s_info *info = snd_soc_dai_get_drvdata(cpu_dai);
+- unsigned int clk_cfg, lin_ctrl;
++ unsigned int clk_cfg;
++ unsigned int txlin_ctrl = 0;
++ unsigned int rxlin_ctrl = 0;
+
+ clk_cfg = ep93xx_i2s_read_reg(info, EP93XX_I2S_RXCLKCFG);
+- lin_ctrl = ep93xx_i2s_read_reg(info, EP93XX_I2S_RXLINCTRLDATA);
+
+ switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
+ case SND_SOC_DAIFMT_I2S:
+ clk_cfg |= EP93XX_I2S_CLKCFG_REL;
+- lin_ctrl &= ~EP93XX_I2S_LINCTRLDATA_R_JUST;
+ break;
+
+ case SND_SOC_DAIFMT_LEFT_J:
+ clk_cfg &= ~EP93XX_I2S_CLKCFG_REL;
+- lin_ctrl &= ~EP93XX_I2S_LINCTRLDATA_R_JUST;
+ break;
+
+ case SND_SOC_DAIFMT_RIGHT_J:
+ clk_cfg &= ~EP93XX_I2S_CLKCFG_REL;
+- lin_ctrl |= EP93XX_I2S_LINCTRLDATA_R_JUST;
++ rxlin_ctrl |= EP93XX_I2S_RXLINCTRLDATA_R_JUST;
++ txlin_ctrl |= EP93XX_I2S_TXLINCTRLDATA_R_JUST;
+ break;
+
+ default:
+@@ -237,8 +239,8 @@ static int ep93xx_i2s_set_dai_fmt(struct snd_soc_dai *cpu_dai,
+ /* Write new register values */
+ ep93xx_i2s_write_reg(info, EP93XX_I2S_RXCLKCFG, clk_cfg);
+ ep93xx_i2s_write_reg(info, EP93XX_I2S_TXCLKCFG, clk_cfg);
+- ep93xx_i2s_write_reg(info, EP93XX_I2S_RXLINCTRLDATA, lin_ctrl);
+- ep93xx_i2s_write_reg(info, EP93XX_I2S_TXLINCTRLDATA, lin_ctrl);
++ ep93xx_i2s_write_reg(info, EP93XX_I2S_RXLINCTRLDATA, rxlin_ctrl);
++ ep93xx_i2s_write_reg(info, EP93XX_I2S_TXLINCTRLDATA, txlin_ctrl);
+ return 0;
+ }
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-035-lib-vsprintf-Remove-atomic-unsafe-support-for.patch b/patches.kernel.org/4.4.139-035-lib-vsprintf-Remove-atomic-unsafe-support-for.patch
new file mode 100644
index 0000000000..f2412409c9
--- /dev/null
+++ b/patches.kernel.org/4.4.139-035-lib-vsprintf-Remove-atomic-unsafe-support-for.patch
@@ -0,0 +1,87 @@
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 1 Jun 2018 11:28:22 +0200
+Subject: [PATCH] lib/vsprintf: Remove atomic-unsafe support for %pCr
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 666902e42fd8344b923c02dc5b0f37948ff4f225
+
+commit 666902e42fd8344b923c02dc5b0f37948ff4f225 upstream.
+
+"%pCr" formats the current rate of a clock, and calls clk_get_rate().
+The latter obtains a mutex, hence it must not be called from atomic
+context.
+
+Remove support for this rarely-used format, as vsprintf() (and e.g.
+printk()) must be callable from any context.
+
+Any remaining out-of-tree users will start seeing the clock's name
+printed instead of its rate.
+
+Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Fixes: 900cca2944254edd ("lib/vsprintf: add %pC{,n,r} format specifiers for clocks")
+Link: http://lkml.kernel.org/r/1527845302-12159-5-git-send-email-geert+renesas@glider.be
+To: Jia-Ju Bai <baijiaju1990@gmail.com>
+To: Jonathan Corbet <corbet@lwn.net>
+To: Michael Turquette <mturquette@baylibre.com>
+To: Stephen Boyd <sboyd@kernel.org>
+To: Zhang Rui <rui.zhang@intel.com>
+To: Eduardo Valentin <edubezval@gmail.com>
+To: Eric Anholt <eric@anholt.net>
+To: Stefan Wahren <stefan.wahren@i2se.com>
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: linux-doc@vger.kernel.org
+Cc: linux-clk@vger.kernel.org
+Cc: linux-pm@vger.kernel.org
+Cc: linux-serial@vger.kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-renesas-soc@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: stable@vger.kernel.org # 4.1+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ Documentation/printk-formats.txt | 3 +--
+ lib/vsprintf.c | 3 ---
+ 2 files changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/Documentation/printk-formats.txt b/Documentation/printk-formats.txt
+index b784c270105f..ed6f6abaad57 100644
+--- a/Documentation/printk-formats.txt
++++ b/Documentation/printk-formats.txt
+@@ -273,11 +273,10 @@ struct clk:
+
+ %pC pll1
+ %pCn pll1
+- %pCr 1560000000
+
+ For printing struct clk structures. '%pC' and '%pCn' print the name
+ (Common Clock Framework) or address (legacy clock framework) of the
+- structure; '%pCr' prints the current clock rate.
++ structure.
+
+ Passed by reference.
+
+diff --git a/lib/vsprintf.c b/lib/vsprintf.c
+index f9cee8e1233c..646009db4198 100644
+--- a/lib/vsprintf.c
++++ b/lib/vsprintf.c
+@@ -1345,9 +1345,6 @@ char *clock(char *buf, char *end, struct clk *clk, struct printf_spec spec,
+ return string(buf, end, NULL, spec);
+
+ switch (fmt[1]) {
+- case 'r':
+- return number(buf, end, clk_get_rate(clk), spec);
+-
+ case 'n':
+ default:
+ #ifdef CONFIG_COMMON_CLK
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-036-mips-ftrace-fix-static-function-graph-tracing.patch b/patches.kernel.org/4.4.139-036-mips-ftrace-fix-static-function-graph-tracing.patch
new file mode 100644
index 0000000000..1a1a58f24a
--- /dev/null
+++ b/patches.kernel.org/4.4.139-036-mips-ftrace-fix-static-function-graph-tracing.patch
@@ -0,0 +1,85 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sat, 24 Mar 2018 17:57:49 +0100
+Subject: [PATCH] mips: ftrace: fix static function graph tracing
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 6fb8656646f996d1eef42e6d56203c4915cb9e08
+
+commit 6fb8656646f996d1eef42e6d56203c4915cb9e08 upstream.
+
+ftrace_graph_caller was never run after calling ftrace_trace_function,
+breaking the function graph tracer. Fix this, bringing it in line with the
+x86 implementation.
+
+While we're at it, also streamline the control flow of _mcount a bit to
+reduce the number of branches.
+
+This issue was reported before:
+https://www.linux-mips.org/archives/linux-mips/2014-11/msg00295.html
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+Tested-by: Matt Redfearn <matt.redfearn@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/18929/
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: stable@vger.kernel.org # v3.17+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/mips/kernel/mcount.S | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/arch/mips/kernel/mcount.S b/arch/mips/kernel/mcount.S
+index 2f7c734771f4..0df911e772ae 100644
+--- a/arch/mips/kernel/mcount.S
++++ b/arch/mips/kernel/mcount.S
+@@ -116,10 +116,20 @@ ftrace_stub:
+ NESTED(_mcount, PT_SIZE, ra)
+ PTR_LA t1, ftrace_stub
+ PTR_L t2, ftrace_trace_function /* Prepare t2 for (1) */
+- bne t1, t2, static_trace
++ beq t1, t2, fgraph_trace
+ nop
+
++ MCOUNT_SAVE_REGS
++
++ move a0, ra /* arg1: self return address */
++ jalr t2 /* (1) call *ftrace_trace_function */
++ move a1, AT /* arg2: parent's return address */
++
++ MCOUNT_RESTORE_REGS
++
++fgraph_trace:
+ #ifdef CONFIG_FUNCTION_GRAPH_TRACER
++ PTR_LA t1, ftrace_stub
+ PTR_L t3, ftrace_graph_return
+ bne t1, t3, ftrace_graph_caller
+ nop
+@@ -128,24 +138,11 @@ NESTED(_mcount, PT_SIZE, ra)
+ bne t1, t3, ftrace_graph_caller
+ nop
+ #endif
+- b ftrace_stub
+-#ifdef CONFIG_32BIT
+- addiu sp, sp, 8
+-#else
+- nop
+-#endif
+
+-static_trace:
+- MCOUNT_SAVE_REGS
+-
+- move a0, ra /* arg1: self return address */
+- jalr t2 /* (1) call *ftrace_trace_function */
+- move a1, AT /* arg2: parent's return address */
+-
+- MCOUNT_RESTORE_REGS
+ #ifdef CONFIG_32BIT
+ addiu sp, sp, 8
+ #endif
++
+ .globl ftrace_stub
+ ftrace_stub:
+ RETURN_BACK
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-037-branch-check-fix-long-int-truncation-when-pro.patch b/patches.kernel.org/4.4.139-037-branch-check-fix-long-int-truncation-when-pro.patch
new file mode 100644
index 0000000000..4112f8bcbf
--- /dev/null
+++ b/patches.kernel.org/4.4.139-037-branch-check-fix-long-int-truncation-when-pro.patch
@@ -0,0 +1,47 @@
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 30 May 2018 08:19:22 -0400
+Subject: [PATCH] branch-check: fix long->int truncation when profiling
+ branches
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 2026d35741f2c3ece73c11eb7e4a15d7c2df9ebe
+
+commit 2026d35741f2c3ece73c11eb7e4a15d7c2df9ebe upstream.
+
+The function __builtin_expect returns long type (see the gcc
+documentation), and so do macros likely and unlikely. Unfortunatelly, when
+CONFIG_PROFILE_ANNOTATED_BRANCHES is selected, the macros likely and
+unlikely expand to __branch_check__ and __branch_check__ truncates the
+long type to int. This unintended truncation may cause bugs in various
+kernel code (we found a bug in dm-writecache because of it), so it's
+better to fix __branch_check__ to return long.
+
+Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1805300818140.24812@file01.intranet.prod.int.rdu2.redhat.com
+
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 1f0d69a9fc815 ("tracing: profile likely and unlikely annotations")
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/linux/compiler.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/compiler.h b/include/linux/compiler.h
+index 6fc9a6dd5ed2..0db1fa621d8a 100644
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -111,7 +111,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+ #define unlikely_notrace(x) __builtin_expect(!!(x), 0)
+
+ #define __branch_check__(x, expect) ({ \
+- int ______r; \
++ long ______r; \
+ static struct ftrace_branch_data \
+ __attribute__((__aligned__(4))) \
+ __attribute__((section("_ftrace_annotated_branch"))) \
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-038-ipmi-bt-Set-the-timeout-before-doing-a-capabi.patch b/patches.kernel.org/4.4.139-038-ipmi-bt-Set-the-timeout-before-doing-a-capabi.patch
new file mode 100644
index 0000000000..6bbe37f176
--- /dev/null
+++ b/patches.kernel.org/4.4.139-038-ipmi-bt-Set-the-timeout-before-doing-a-capabi.patch
@@ -0,0 +1,47 @@
+From: Corey Minyard <cminyard@mvista.com>
+Date: Tue, 22 May 2018 08:14:51 -0500
+Subject: [PATCH] ipmi:bt: Set the timeout before doing a capabilities check
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: fe50a7d0393a552e4539da2d31261a59d6415950
+
+commit fe50a7d0393a552e4539da2d31261a59d6415950 upstream.
+
+There was one place where the timeout value for an operation was
+not being set, if a capabilities request was done from idle. Move
+the timeout value setting to before where that change might be
+requested.
+
+IMHO the cause here is the invisible returns in the macros. Maybe
+that's a job for later, though.
+
+Reported-by: Nordmark Claes <Claes.Nordmark@tieto.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/char/ipmi/ipmi_bt_sm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/ipmi/ipmi_bt_sm.c b/drivers/char/ipmi/ipmi_bt_sm.c
+index feafdab734ae..4835b588b783 100644
+--- a/drivers/char/ipmi/ipmi_bt_sm.c
++++ b/drivers/char/ipmi/ipmi_bt_sm.c
+@@ -522,11 +522,12 @@ static enum si_sm_result bt_event(struct si_sm_data *bt, long time)
+ if (status & BT_H_BUSY) /* clear a leftover H_BUSY */
+ BT_CONTROL(BT_H_BUSY);
+
++ bt->timeout = bt->BT_CAP_req2rsp;
++
+ /* Read BT capabilities if it hasn't been done yet */
+ if (!bt->BT_CAP_outreqs)
+ BT_STATE_CHANGE(BT_STATE_CAPABILITIES_BEGIN,
+ SI_SM_CALL_WITHOUT_DELAY);
+- bt->timeout = bt->BT_CAP_req2rsp;
+ BT_SI_SM_RETURN(SI_SM_IDLE);
+
+ case BT_STATE_XACTION_START:
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-039-Bluetooth-hci_qca-Avoid-missing-rampatch-fail.patch b/patches.kernel.org/4.4.139-039-Bluetooth-hci_qca-Avoid-missing-rampatch-fail.patch
new file mode 100644
index 0000000000..e7c92a0fb3
--- /dev/null
+++ b/patches.kernel.org/4.4.139-039-Bluetooth-hci_qca-Avoid-missing-rampatch-fail.patch
@@ -0,0 +1,48 @@
+From: Amit Pundir <amit.pundir@linaro.org>
+Date: Mon, 16 Apr 2018 12:10:24 +0530
+Subject: [PATCH] Bluetooth: hci_qca: Avoid missing rampatch failure with
+ userspace fw loader
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 7dc5fe0814c35ec4e7d2e8fa30abab72e0e6a172
+
+commit 7dc5fe0814c35ec4e7d2e8fa30abab72e0e6a172 upstream.
+
+AOSP use userspace firmware loader to load firmwares, which will
+return -EAGAIN in case qca/rampatch_00440302.bin is not found.
+Since there is no rampatch for dragonboard820c QCA controller
+revision, just make it work as is.
+
+CC: Loic Poulain <loic.poulain@linaro.org>
+CC: Nicolas Dechesne <nicolas.dechesne@linaro.org>
+CC: Marcel Holtmann <marcel@holtmann.org>
+CC: Johan Hedberg <johan.hedberg@gmail.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/bluetooth/hci_qca.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
+index 8a3bf0a8c31d..476d39c7ba20 100644
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -939,6 +939,12 @@ static int qca_setup(struct hci_uart *hu)
+ } else if (ret == -ENOENT) {
+ /* No patch/nvm-config found, run with original fw/config */
+ ret = 0;
++ } else if (ret == -EAGAIN) {
++ /*
++ * Userspace firmware loader will return -EAGAIN in case no
++ * patch/nvm-config is found, so run with original fw/config.
++ */
++ ret = 0;
+ }
+
+ /* Setup bdaddr */
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-040-fuse-atomic_o_trunc-should-truncate-pagecache.patch b/patches.kernel.org/4.4.139-040-fuse-atomic_o_trunc-should-truncate-pagecache.patch
new file mode 100644
index 0000000000..7dee4279eb
--- /dev/null
+++ b/patches.kernel.org/4.4.139-040-fuse-atomic_o_trunc-should-truncate-pagecache.patch
@@ -0,0 +1,57 @@
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Thu, 8 Feb 2018 15:17:38 +0100
+Subject: [PATCH] fuse: atomic_o_trunc should truncate pagecache
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: df0e91d488276086bc07da2e389986cae0048c37
+
+commit df0e91d488276086bc07da2e389986cae0048c37 upstream.
+
+Fuse has an "atomic_o_trunc" mode, where userspace filesystem uses the
+O_TRUNC flag in the OPEN request to truncate the file atomically with the
+open.
+
+In this mode there's no need to send a SETATTR request to userspace after
+the open, so fuse_do_setattr() checks this mode and returns. But this
+misses the important step of truncating the pagecache.
+
+Add the missing parts of truncation to the ATTR_OPEN branch.
+
+Reported-by: Chad Austin <chadaustin@fb.com>
+Fixes: 6ff958edbf39 ("fuse: add atomic open+truncate support")
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/fuse/dir.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
+index 5068dbf80ff8..49b7b40f7598 100644
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1609,8 +1609,19 @@ int fuse_do_setattr(struct inode *inode, struct iattr *attr,
+ return err;
+
+ if (attr->ia_valid & ATTR_OPEN) {
+- if (fc->atomic_o_trunc)
++ /* This is coming from open(..., ... | O_TRUNC); */
++ WARN_ON(!(attr->ia_valid & ATTR_SIZE));
++ WARN_ON(attr->ia_size != 0);
++ if (fc->atomic_o_trunc) {
++ /*
++ * No need to send request to userspace, since actual
++ * truncation has already been done by OPEN. But still
++ * need to truncate page cache.
++ */
++ i_size_write(inode, 0);
++ truncate_pagecache(inode, 0);
+ return 0;
++ }
+ file = NULL;
+ }
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-041-fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_s.patch b/patches.kernel.org/4.4.139-041-fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_s.patch
new file mode 100644
index 0000000000..e424ae9f1e
--- /dev/null
+++ b/patches.kernel.org/4.4.139-041-fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_s.patch
@@ -0,0 +1,46 @@
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Tue, 1 May 2018 13:12:14 +0900
+Subject: [PATCH] fuse: don't keep dead fuse_conn at fuse_fill_super().
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 543b8f8662fe6d21f19958b666ab0051af9db21a
+
+commit 543b8f8662fe6d21f19958b666ab0051af9db21a upstream.
+
+syzbot is reporting use-after-free at fuse_kill_sb_blk() [1].
+Since sb->s_fs_info field is not cleared after fc was released by
+fuse_conn_put() when initialization failed, fuse_kill_sb_blk() finds
+already released fc and tries to hold the lock. Fix this by clearing
+sb->s_fs_info field after calling fuse_conn_put().
+
+[1] https://syzkaller.appspot.com/bug?id=a07a680ed0a9290585ca424546860464dd9658db
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+ec3986119086fe4eec97@syzkaller.appspotmail.com>
+Fixes: 3b463ae0c626 ("fuse: invalidation reverse calls")
+Cc: John Muir <john@jmuir.com>
+Cc: Csaba Henk <csaba@gluster.com>
+Cc: Anand Avati <avati@redhat.com>
+Cc: <stable@vger.kernel.org> # v2.6.31
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/fuse/inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
+index 0d5e8e59b390..f0b73e0c6d48 100644
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -1158,6 +1158,7 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent)
+ err_put_conn:
+ fuse_bdi_destroy(fc);
+ fuse_conn_put(fc);
++ sb->s_fs_info = NULL;
+ err_fput:
+ fput(file);
+ err:
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-042-fuse-fix-control-dir-setup-and-teardown.patch b/patches.kernel.org/4.4.139-042-fuse-fix-control-dir-setup-and-teardown.patch
new file mode 100644
index 0000000000..507ac80dfd
--- /dev/null
+++ b/patches.kernel.org/4.4.139-042-fuse-fix-control-dir-setup-and-teardown.patch
@@ -0,0 +1,73 @@
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Thu, 31 May 2018 12:26:10 +0200
+Subject: [PATCH] fuse: fix control dir setup and teardown
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 6becdb601bae2a043d7fb9762c4d48699528ea6e
+
+commit 6becdb601bae2a043d7fb9762c4d48699528ea6e upstream.
+
+syzbot is reporting NULL pointer dereference at fuse_ctl_remove_conn() [1].
+Since fc->ctl_ndents is incremented by fuse_ctl_add_conn() when new_inode()
+failed, fuse_ctl_remove_conn() reaches an inode-less dentry and tries to
+clear d_inode(dentry)->i_private field.
+
+Fix by only adding the dentry to the array after being fully set up.
+
+When tearing down the control directory, do d_invalidate() on it to get rid
+of any mounts that might have been added.
+
+[1] https://syzkaller.appspot.com/bug?id=f396d863067238959c91c0b7cfc10b163638cac6
+Reported-by: syzbot <syzbot+32c236387d66c4516827@syzkaller.appspotmail.com>
+Fixes: bafa96541b25 ("[PATCH] fuse: add control filesystem")
+Cc: <stable@vger.kernel.org> # v2.6.18
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/fuse/control.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/fs/fuse/control.c b/fs/fuse/control.c
+index f863ac6647ac..89a4b231e79c 100644
+--- a/fs/fuse/control.c
++++ b/fs/fuse/control.c
+@@ -211,10 +211,11 @@ static struct dentry *fuse_ctl_add_dentry(struct dentry *parent,
+ if (!dentry)
+ return NULL;
+
+- fc->ctl_dentry[fc->ctl_ndents++] = dentry;
+ inode = new_inode(fuse_control_sb);
+- if (!inode)
++ if (!inode) {
++ dput(dentry);
+ return NULL;
++ }
+
+ inode->i_ino = get_next_ino();
+ inode->i_mode = mode;
+@@ -228,6 +229,9 @@ static struct dentry *fuse_ctl_add_dentry(struct dentry *parent,
+ set_nlink(inode, nlink);
+ inode->i_private = fc;
+ d_add(dentry, inode);
++
++ fc->ctl_dentry[fc->ctl_ndents++] = dentry;
++
+ return dentry;
+ }
+
+@@ -284,7 +288,10 @@ void fuse_ctl_remove_conn(struct fuse_conn *fc)
+ for (i = fc->ctl_ndents - 1; i >= 0; i--) {
+ struct dentry *dentry = fc->ctl_dentry[i];
+ d_inode(dentry)->i_private = NULL;
+- d_drop(dentry);
++ if (!i) {
++ /* Get rid of submounts: */
++ d_invalidate(dentry);
++ }
+ dput(dentry);
+ }
+ drop_nlink(d_inode(fuse_control_sb->s_root));
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-043-powerpc-mm-hash-Add-missing-isync-prior-to-ke.patch b/patches.kernel.org/4.4.139-043-powerpc-mm-hash-Add-missing-isync-prior-to-ke.patch
new file mode 100644
index 0000000000..c0f60c0413
--- /dev/null
+++ b/patches.kernel.org/4.4.139-043-powerpc-mm-hash-Add-missing-isync-prior-to-ke.patch
@@ -0,0 +1,69 @@
+From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
+Date: Wed, 30 May 2018 18:48:04 +0530
+Subject: [PATCH] powerpc/mm/hash: Add missing isync prior to kernel stack SLB
+ switch
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 91d06971881f71d945910de128658038513d1b24
+
+commit 91d06971881f71d945910de128658038513d1b24 upstream.
+
+Currently we do not have an isync, or any other context synchronizing
+instruction prior to the slbie/slbmte in _switch() that updates the
+SLB entry for the kernel stack.
+
+However that is not correct as outlined in the ISA.
+
+From Power ISA Version 3.0B, Book III, Chapter 11, page 1133:
+
+ "Changing the contents of ... the contents of SLB entries ... can
+ have the side effect of altering the context in which data
+ addresses and instruction addresses are interpreted, and in which
+ instructions are executed and data accesses are performed.
+ ...
+ These side effects need not occur in program order, and therefore
+ may require explicit synchronization by software.
+ ...
+ The synchronizing instruction before the context-altering
+ instruction ensures that all instructions up to and including that
+ synchronizing instruction are fetched and executed in the context
+ that existed before the alteration."
+
+And page 1136:
+
+ "For data accesses, the context synchronizing instruction before the
+ slbie, slbieg, slbia, slbmte, tlbie, or tlbiel instruction ensures
+ that all preceding instructions that access data storage have
+ completed to a point at which they have reported all exceptions
+ they will cause."
+
+We're not aware of any bugs caused by this, but it should be fixed
+regardless.
+
+Add the missing isync when updating kernel stack SLB entry.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+[mpe: Flesh out change log with more ISA text & explanation]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/powerpc/kernel/entry_64.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S
+index 2837232bbffb..59be96917369 100644
+--- a/arch/powerpc/kernel/entry_64.S
++++ b/arch/powerpc/kernel/entry_64.S
+@@ -574,6 +574,7 @@ END_MMU_FTR_SECTION_IFSET(MMU_FTR_1T_SEGMENT)
+ * actually hit this code path.
+ */
+
++ isync
+ slbie r6
+ slbie r6 /* Workaround POWER5 < DD2.1 issue */
+ slbmte r7,r0
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-044-powerpc-ptrace-Fix-setting-512B-aligned-break.patch b/patches.kernel.org/4.4.139-044-powerpc-ptrace-Fix-setting-512B-aligned-break.patch
new file mode 100644
index 0000000000..1f35c6b213
--- /dev/null
+++ b/patches.kernel.org/4.4.139-044-powerpc-ptrace-Fix-setting-512B-aligned-break.patch
@@ -0,0 +1,48 @@
+From: Michael Neuling <mikey@neuling.org>
+Date: Thu, 17 May 2018 15:37:15 +1000
+Subject: [PATCH] powerpc/ptrace: Fix setting 512B aligned breakpoints with
+ PTRACE_SET_DEBUGREG
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 4f7c06e26ec9cf7fe9f0c54dc90079b6a4f4b2c3
+
+commit 4f7c06e26ec9cf7fe9f0c54dc90079b6a4f4b2c3 upstream.
+
+In commit e2a800beaca1 ("powerpc/hw_brk: Fix off by one error when
+validating DAWR region end") we fixed setting the DAWR end point to
+its max value via PPC_PTRACE_SETHWDEBUG. Unfortunately we broke
+PTRACE_SET_DEBUGREG when setting a 512 byte aligned breakpoint.
+
+PTRACE_SET_DEBUGREG currently sets the length of the breakpoint to
+zero (memset() in hw_breakpoint_init()). This worked with
+arch_validate_hwbkpt_settings() before the above patch was applied but
+is now broken if the breakpoint is 512byte aligned.
+
+This sets the length of the breakpoint to 8 bytes when using
+PTRACE_SET_DEBUGREG.
+
+Fixes: e2a800beaca1 ("powerpc/hw_brk: Fix off by one error when validating DAWR region end")
+Cc: stable@vger.kernel.org # v3.11+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/powerpc/kernel/ptrace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
+index b38fd081b222..3b63655efa3c 100644
+--- a/arch/powerpc/kernel/ptrace.c
++++ b/arch/powerpc/kernel/ptrace.c
+@@ -1004,6 +1004,7 @@ static int ptrace_set_debugreg(struct task_struct *task, unsigned long addr,
+ /* Create a new breakpoint request if one doesn't exist already */
+ hw_breakpoint_init(&attr);
+ attr.bp_addr = hw_brk.address;
++ attr.bp_len = 8;
+ arch_bp_generic_fields(hw_brk.type,
+ &attr.bp_type);
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-045-powerpc-ptrace-Fix-enforcement-of-DAWR-constr.patch b/patches.kernel.org/4.4.139-045-powerpc-ptrace-Fix-enforcement-of-DAWR-constr.patch
new file mode 100644
index 0000000000..713d1318f4
--- /dev/null
+++ b/patches.kernel.org/4.4.139-045-powerpc-ptrace-Fix-enforcement-of-DAWR-constr.patch
@@ -0,0 +1,46 @@
+From: Michael Neuling <mikey@neuling.org>
+Date: Thu, 17 May 2018 15:37:14 +1000
+Subject: [PATCH] powerpc/ptrace: Fix enforcement of DAWR constraints
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: cd6ef7eebf171bfcba7dc2df719c2a4958775040
+
+commit cd6ef7eebf171bfcba7dc2df719c2a4958775040 upstream.
+
+Back when we first introduced the DAWR, in commit 4ae7ebe9522a
+("powerpc: Change hardware breakpoint to allow longer ranges"), we
+screwed up the constraint making it a 1024 byte boundary rather than a
+512. This makes the check overly permissive. Fortunately GDB is the
+only real user and it always did they right thing, so we never
+noticed.
+
+This fixes the constraint to 512 bytes.
+
+Fixes: 4ae7ebe9522a ("powerpc: Change hardware breakpoint to allow longer ranges")
+Cc: stable@vger.kernel.org # v3.9+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/powerpc/kernel/hw_breakpoint.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kernel/hw_breakpoint.c b/arch/powerpc/kernel/hw_breakpoint.c
+index fdf48785d3e9..56e4571e3a02 100644
+--- a/arch/powerpc/kernel/hw_breakpoint.c
++++ b/arch/powerpc/kernel/hw_breakpoint.c
+@@ -174,8 +174,8 @@ int arch_validate_hwbkpt_settings(struct perf_event *bp)
+ if (cpu_has_feature(CPU_FTR_DAWR)) {
+ length_max = 512 ; /* 64 doublewords */
+ /* DAWR region can't cross 512 boundary */
+- if ((bp->attr.bp_addr >> 10) !=
+- ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 10))
++ if ((bp->attr.bp_addr >> 9) !=
++ ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 9))
+ return -EINVAL;
+ }
+ if (info->len >
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-046-cpuidle-powernv-Fix-promotion-from-snooze-if-.patch b/patches.kernel.org/4.4.139-046-cpuidle-powernv-Fix-promotion-from-snooze-if-.patch
new file mode 100644
index 0000000000..0cfb314acc
--- /dev/null
+++ b/patches.kernel.org/4.4.139-046-cpuidle-powernv-Fix-promotion-from-snooze-if-.patch
@@ -0,0 +1,152 @@
+From: "Gautham R. Shenoy" <ego@linux.vnet.ibm.com>
+Date: Thu, 31 May 2018 17:45:09 +0530
+Subject: [PATCH] cpuidle: powernv: Fix promotion from snooze if next state
+ disabled
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 0a4ec6aa035a52c422eceb2ed51ed88392a3d6c2
+
+commit 0a4ec6aa035a52c422eceb2ed51ed88392a3d6c2 upstream.
+
+The commit 78eaa10f027c ("cpuidle: powernv/pseries: Auto-promotion of
+snooze to deeper idle state") introduced a timeout for the snooze idle
+state so that it could be eventually be promoted to a deeper idle
+state. The snooze timeout value is static and set to the target
+residency of the next idle state, which would train the cpuidle
+governor to pick the next idle state eventually.
+
+The unfortunate side-effect of this is that if the next idle state(s)
+is disabled, the CPU will forever remain in snooze, despite the fact
+that the system is completely idle, and other deeper idle states are
+available.
+
+This patch fixes the issue by dynamically setting the snooze timeout
+to the target residency of the next enabled state on the device.
+
+Before Patch:
+ POWER8 : Only nap disabled.
+ $ cpupower monitor sleep 30
+ sleep took 30.01297 seconds and exited with status 0
+ |Idle_Stats
+ PKG |CORE|CPU | snoo | Nap | Fast
+ 0| 8| 0| 96.41| 0.00| 0.00
+ 0| 8| 1| 96.43| 0.00| 0.00
+ 0| 8| 2| 96.47| 0.00| 0.00
+ 0| 8| 3| 96.35| 0.00| 0.00
+ 0| 8| 4| 96.37| 0.00| 0.00
+ 0| 8| 5| 96.37| 0.00| 0.00
+ 0| 8| 6| 96.47| 0.00| 0.00
+ 0| 8| 7| 96.47| 0.00| 0.00
+
+ POWER9: Shallow states (stop0lite, stop1lite, stop2lite, stop0, stop1,
+ stop2) disabled:
+ $ cpupower monitor sleep 30
+ sleep took 30.05033 seconds and exited with status 0
+ |Idle_Stats
+ PKG |CORE|CPU | snoo | stop | stop | stop | stop | stop | stop | stop | stop
+ 0| 16| 0| 89.79| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00
+ 0| 16| 1| 90.12| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00
+ 0| 16| 2| 90.21| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00
+ 0| 16| 3| 90.29| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00
+
+After Patch:
+ POWER8 : Only nap disabled.
+ $ cpupower monitor sleep 30
+ sleep took 30.01200 seconds and exited with status 0
+ |Idle_Stats
+ PKG |CORE|CPU | snoo | Nap | Fast
+ 0| 8| 0| 16.58| 0.00| 77.21
+ 0| 8| 1| 18.42| 0.00| 75.38
+ 0| 8| 2| 4.70| 0.00| 94.09
+ 0| 8| 3| 17.06| 0.00| 81.73
+ 0| 8| 4| 3.06| 0.00| 95.73
+ 0| 8| 5| 7.00| 0.00| 96.80
+ 0| 8| 6| 1.00| 0.00| 98.79
+ 0| 8| 7| 5.62| 0.00| 94.17
+
+ POWER9: Shallow states (stop0lite, stop1lite, stop2lite, stop0, stop1,
+ stop2) disabled:
+
+ $ cpupower monitor sleep 30
+ sleep took 30.02110 seconds and exited with status 0
+ |Idle_Stats
+ PKG |CORE|CPU | snoo | stop | stop | stop | stop | stop | stop | stop | stop
+ 0| 0| 0| 0.69| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 9.39| 89.70
+ 0| 0| 1| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.05| 93.21
+ 0| 0| 2| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 89.93
+ 0| 0| 3| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 93.26
+
+Fixes: 78eaa10f027c ("cpuidle: powernv/pseries: Auto-promotion of snooze to deeper idle state")
+Cc: stable@vger.kernel.org # v4.2+
+Signed-off-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
+Reviewed-by: Balbir Singh <bsingharora@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/cpuidle/cpuidle-powernv.c | 32 +++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/cpuidle/cpuidle-powernv.c b/drivers/cpuidle/cpuidle-powernv.c
+index c44a843cb405..44ebda8bbc84 100644
+--- a/drivers/cpuidle/cpuidle-powernv.c
++++ b/drivers/cpuidle/cpuidle-powernv.c
+@@ -29,9 +29,31 @@ struct cpuidle_driver powernv_idle_driver = {
+
+ static int max_idle_state;
+ static struct cpuidle_state *cpuidle_state_table;
+-static u64 snooze_timeout;
++static u64 default_snooze_timeout;
+ static bool snooze_timeout_en;
+
++static u64 get_snooze_timeout(struct cpuidle_device *dev,
++ struct cpuidle_driver *drv,
++ int index)
++{
++ int i;
++
++ if (unlikely(!snooze_timeout_en))
++ return default_snooze_timeout;
++
++ for (i = index + 1; i < drv->state_count; i++) {
++ struct cpuidle_state *s = &drv->states[i];
++ struct cpuidle_state_usage *su = &dev->states_usage[i];
++
++ if (s->disabled || su->disable)
++ continue;
++
++ return s->target_residency * tb_ticks_per_usec;
++ }
++
++ return default_snooze_timeout;
++}
++
+ static int snooze_loop(struct cpuidle_device *dev,
+ struct cpuidle_driver *drv,
+ int index)
+@@ -41,7 +63,7 @@ static int snooze_loop(struct cpuidle_device *dev,
+ local_irq_enable();
+ set_thread_flag(TIF_POLLING_NRFLAG);
+
+- snooze_exit_time = get_tb() + snooze_timeout;
++ snooze_exit_time = get_tb() + get_snooze_timeout(dev, drv, index);
+ ppc64_runlatch_off();
+ while (!need_resched()) {
+ HMT_low();
+@@ -286,11 +308,9 @@ static int powernv_idle_probe(void)
+ cpuidle_state_table = powernv_states;
+ /* Device tree can indicate more idle states */
+ max_idle_state = powernv_add_idle_states();
+- if (max_idle_state > 1) {
++ default_snooze_timeout = TICK_USEC * tb_ticks_per_usec;
++ if (max_idle_state > 1)
+ snooze_timeout_en = true;
+- snooze_timeout = powernv_states[1].target_residency *
+- tb_ticks_per_usec;
+- }
+ } else
+ return -ENODEV;
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-047-powerpc-fadump-Unregister-fadump-on-kexec-dow.patch b/patches.kernel.org/4.4.139-047-powerpc-fadump-Unregister-fadump-on-kexec-dow.patch
new file mode 100644
index 0000000000..c22b2c36d2
--- /dev/null
+++ b/patches.kernel.org/4.4.139-047-powerpc-fadump-Unregister-fadump-on-kexec-dow.patch
@@ -0,0 +1,44 @@
+From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Date: Fri, 27 Apr 2018 11:53:18 +0530
+Subject: [PATCH] powerpc/fadump: Unregister fadump on kexec down path.
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 722cde76d68e8cc4f3de42e71c82fd40dea4f7b9
+
+commit 722cde76d68e8cc4f3de42e71c82fd40dea4f7b9 upstream.
+
+Unregister fadump on kexec down path otherwise the fadump registration
+in new kexec-ed kernel complains that fadump is already registered.
+This makes new kernel to continue using fadump registered by previous
+kernel which may lead to invalid vmcore generation. Hence this patch
+fixes this issue by un-registering fadump in fadump_cleanup() which is
+called during kexec path so that new kernel can register fadump with
+new valid values.
+
+Fixes: b500afff11f6 ("fadump: Invalidate registration and release reserved memory for general use.")
+Cc: stable@vger.kernel.org # v3.4+
+Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/powerpc/kernel/fadump.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
+index 26d091a1a54c..791d4c3329c3 100644
+--- a/arch/powerpc/kernel/fadump.c
++++ b/arch/powerpc/kernel/fadump.c
+@@ -1025,6 +1025,9 @@ void fadump_cleanup(void)
+ init_fadump_mem_struct(&fdm,
+ be64_to_cpu(fdm_active->cpu_state_data.destination_address));
+ fadump_invalidate_dump(&fdm);
++ } else if (fw_dump.dump_registered) {
++ /* Un-register Firmware-assisted dump if it was registered. */
++ fadump_unregister_dump(&fdm);
+ }
+ }
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-048-ARM-8764-1-kgdb-fix-NUMREGBYTES-so-that-gdb_r.patch b/patches.kernel.org/4.4.139-048-ARM-8764-1-kgdb-fix-NUMREGBYTES-so-that-gdb_r.patch
new file mode 100644
index 0000000000..e85e4cf982
--- /dev/null
+++ b/patches.kernel.org/4.4.139-048-ARM-8764-1-kgdb-fix-NUMREGBYTES-so-that-gdb_r.patch
@@ -0,0 +1,51 @@
+From: David Rivshin <DRivshin@allworx.com>
+Date: Wed, 25 Apr 2018 21:15:01 +0100
+Subject: [PATCH] ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the
+ correct size
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 76ed0b803a2ab793a1b27d1dfe0de7955282cd34
+
+commit 76ed0b803a2ab793a1b27d1dfe0de7955282cd34 upstream.
+
+NUMREGBYTES (which is used as the size for gdb_regs[]) is incorrectly
+based on DBG_MAX_REG_NUM instead of GDB_MAX_REGS. DBG_MAX_REG_NUM
+is the number of total registers, while GDB_MAX_REGS is the number
+of 'unsigned longs' it takes to serialize those registers. Since
+FP registers require 3 'unsigned longs' each, DBG_MAX_REG_NUM is
+smaller than GDB_MAX_REGS.
+
+This causes GDB 8.0 give the following error on connect:
+"Truncated register 19 in remote 'g' packet"
+
+This also causes the register serialization/deserialization logic
+to overflow gdb_regs[], overwriting whatever follows.
+
+Fixes: 834b2964b7ab ("kgdb,arm: fix register dump")
+Cc: <stable@vger.kernel.org> # 2.6.37+
+Signed-off-by: David Rivshin <drivshin@allworx.com>
+Acked-by: Rabin Vincent <rabin@rab.in>
+Tested-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/include/asm/kgdb.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/include/asm/kgdb.h b/arch/arm/include/asm/kgdb.h
+index 0a9d5dd93294..6949c7d4481c 100644
+--- a/arch/arm/include/asm/kgdb.h
++++ b/arch/arm/include/asm/kgdb.h
+@@ -76,7 +76,7 @@ extern int kgdb_fault_expected;
+
+ #define KGDB_MAX_NO_CPUS 1
+ #define BUFMAX 400
+-#define NUMREGBYTES (DBG_MAX_REG_NUM << 2)
++#define NUMREGBYTES (GDB_MAX_REGS << 2)
+ #define NUMCRITREGBYTES (32 << 2)
+
+ #define _R0 0
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-049-of-unittest-for-strings-account-for-trailing-.patch b/patches.kernel.org/4.4.139-049-of-unittest-for-strings-account-for-trailing-.patch
new file mode 100644
index 0000000000..27f6095b23
--- /dev/null
+++ b/patches.kernel.org/4.4.139-049-of-unittest-for-strings-account-for-trailing-.patch
@@ -0,0 +1,69 @@
+From: Stefan M Schaeckeler <sschaeck@cisco.com>
+Date: Mon, 21 May 2018 16:26:14 -0700
+Subject: [PATCH] of: unittest: for strings, account for trailing \0 in
+ property length field
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 3b9cf7905fe3ab35ab437b5072c883e609d3498d
+
+commit 3b9cf7905fe3ab35ab437b5072c883e609d3498d upstream.
+
+For strings, account for trailing \0 in property length field:
+
+This is consistent with how dtc builds string properties.
+
+Function __of_prop_dup() would misbehave on such properties as it duplicates
+properties based on the property length field creating new string values
+without trailing \0s.
+
+Signed-off-by: Stefan M Schaeckeler <sschaeck@cisco.com>
+Reviewed-by: Frank Rowand <frank.rowand@sony.com>
+Tested-by: Frank Rowand <frank.rowand@sony.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/of/unittest.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
+index e16ea5717b7f..2a547ca3d443 100644
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -156,20 +156,20 @@ static void __init of_unittest_dynamic(void)
+ /* Add a new property - should pass*/
+ prop->name = "new-property";
+ prop->value = "new-property-data";
+- prop->length = strlen(prop->value);
++ prop->length = strlen(prop->value) + 1;
+ unittest(of_add_property(np, prop) == 0, "Adding a new property failed\n");
+
+ /* Try to add an existing property - should fail */
+ prop++;
+ prop->name = "new-property";
+ prop->value = "new-property-data-should-fail";
+- prop->length = strlen(prop->value);
++ prop->length = strlen(prop->value) + 1;
+ unittest(of_add_property(np, prop) != 0,
+ "Adding an existing property should have failed\n");
+
+ /* Try to modify an existing property - should pass */
+ prop->value = "modify-property-data-should-pass";
+- prop->length = strlen(prop->value);
++ prop->length = strlen(prop->value) + 1;
+ unittest(of_update_property(np, prop) == 0,
+ "Updating an existing property should have passed\n");
+
+@@ -177,7 +177,7 @@ static void __init of_unittest_dynamic(void)
+ prop++;
+ prop->name = "modify-property";
+ prop->value = "modify-missing-property-data-should-pass";
+- prop->length = strlen(prop->value);
++ prop->length = strlen(prop->value) + 1;
+ unittest(of_update_property(np, prop) == 0,
+ "Updating a missing property should have passed\n");
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-050-IB-qib-Fix-DMA-api-warning-with-debug-kernel.patch b/patches.kernel.org/4.4.139-050-IB-qib-Fix-DMA-api-warning-with-debug-kernel.patch
new file mode 100644
index 0000000000..a63ec14c53
--- /dev/null
+++ b/patches.kernel.org/4.4.139-050-IB-qib-Fix-DMA-api-warning-with-debug-kernel.patch
@@ -0,0 +1,162 @@
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 18 May 2018 17:07:01 -0700
+Subject: [PATCH] IB/qib: Fix DMA api warning with debug kernel
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 0252f73334f9ef68868e4684200bea3565a4fcee
+
+commit 0252f73334f9ef68868e4684200bea3565a4fcee upstream.
+
+The following error occurs in a debug build when running MPI PSM:
+
+[ 307.415911] WARNING: CPU: 4 PID: 23867 at lib/dma-debug.c:1158
+check_unmap+0x4ee/0xa20
+[ 307.455661] ib_qib 0000:05:00.0: DMA-API: device driver failed to check map
+error[device address=0x00000000df82b000] [size=4096 bytes] [mapped as page]
+[ 307.517494] Modules linked in:
+[ 307.531584] ib_isert iscsi_target_mod ib_srpt target_core_mod rpcrdma
+sunrpc ib_srp scsi_transport_srp scsi_tgt ib_iser libiscsi ib_ipoib
+scsi_transport_iscsi rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm
+ib_qib intel_powerclamp coretemp rdmavt intel_rapl iosf_mbi kvm_intel kvm
+irqbypass crc32_pclmul ghash_clmulni_intel ipmi_ssif ib_core aesni_intel sg
+ipmi_si lrw gf128mul dca glue_helper ipmi_devintf iTCO_wdt gpio_ich hpwdt
+iTCO_vendor_support ablk_helper hpilo acpi_power_meter cryptd ipmi_msghandler
+ie31200_edac shpchp pcc_cpufreq lpc_ich pcspkr ip_tables xfs libcrc32c sd_mod
+crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper syscopyarea
+sysfillrect sysimgblt fb_sys_fops ttm ahci crct10dif_pclmul crct10dif_common
+drm crc32c_intel libahci tg3 libata serio_raw ptp i2c_core
+[ 307.846113] pps_core dm_mirror dm_region_hash dm_log dm_mod
+[ 307.866505] CPU: 4 PID: 23867 Comm: mpitests-IMB-MP Kdump: loaded Not
+tainted 3.10.0-862.el7.x86_64.debug #1
+[ 307.911178] Hardware name: HP ProLiant DL320e Gen8, BIOS J05 11/09/2013
+[ 307.944206] Call Trace:
+[ 307.956973] [<ffffffffbd9e915b>] dump_stack+0x19/0x1b
+[ 307.982201] [<ffffffffbd2a2f58>] __warn+0xd8/0x100
+[ 308.005999] [<ffffffffbd2a2fdf>] warn_slowpath_fmt+0x5f/0x80
+[ 308.034260] [<ffffffffbd5f667e>] check_unmap+0x4ee/0xa20
+[ 308.060801] [<ffffffffbd41acaa>] ? page_add_file_rmap+0x2a/0x1d0
+[ 308.090689] [<ffffffffbd5f6c4d>] debug_dma_unmap_page+0x9d/0xb0
+[ 308.120155] [<ffffffffbd4082e0>] ? might_fault+0xa0/0xb0
+[ 308.146656] [<ffffffffc07761a5>] qib_tid_free.isra.14+0x215/0x2a0 [ib_qib]
+[ 308.180739] [<ffffffffc0776bf4>] qib_write+0x894/0x1280 [ib_qib]
+[ 308.210733] [<ffffffffbd540b00>] ? __inode_security_revalidate+0x70/0x80
+[ 308.244837] [<ffffffffbd53c2b7>] ? security_file_permission+0x27/0xb0
+[ 308.266025] qib_ib0.8006: multicast join failed for
+ff12:401b:8006:0000:0000:0000:ffff:ffff, status -22
+[ 308.323421] [<ffffffffbd46f5d3>] vfs_write+0xc3/0x1f0
+[ 308.347077] [<ffffffffbd492a5c>] ? fget_light+0xfc/0x510
+[ 308.372533] [<ffffffffbd47045a>] SyS_write+0x8a/0x100
+[ 308.396456] [<ffffffffbd9ff355>] system_call_fastpath+0x1c/0x21
+
+The code calls a qib_map_page() which has never correctly tested for a
+mapping error.
+
+Fix by testing for pci_dma_mapping_error() in all cases and properly
+handling the failure in the caller.
+
+Additionally, streamline qib_map_page() arguments to satisfy just
+the single caller.
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Alex Estrin <alex.estrin@intel.com>
+Tested-by: Don Dutile <ddutile@redhat.com>
+Reviewed-by: Don Dutile <ddutile@redhat.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/infiniband/hw/qib/qib.h | 3 +--
+ drivers/infiniband/hw/qib/qib_file_ops.c | 10 +++++++---
+ drivers/infiniband/hw/qib/qib_user_pages.c | 20 ++++++++++++--------
+ 3 files changed, 20 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/infiniband/hw/qib/qib.h b/drivers/infiniband/hw/qib/qib.h
+index 7df16f74bb45..c6c75b99cf2c 100644
+--- a/drivers/infiniband/hw/qib/qib.h
++++ b/drivers/infiniband/hw/qib/qib.h
+@@ -1451,8 +1451,7 @@ u64 qib_sps_ints(void);
+ /*
+ * dma_addr wrappers - all 0's invalid for hw
+ */
+-dma_addr_t qib_map_page(struct pci_dev *, struct page *, unsigned long,
+- size_t, int);
++int qib_map_page(struct pci_dev *d, struct page *p, dma_addr_t *daddr);
+ const char *qib_get_unit_name(int unit);
+
+ /*
+diff --git a/drivers/infiniband/hw/qib/qib_file_ops.c b/drivers/infiniband/hw/qib/qib_file_ops.c
+index 24f4a782e0f4..5908fd3af00d 100644
+--- a/drivers/infiniband/hw/qib/qib_file_ops.c
++++ b/drivers/infiniband/hw/qib/qib_file_ops.c
+@@ -364,6 +364,8 @@ static int qib_tid_update(struct qib_ctxtdata *rcd, struct file *fp,
+ goto done;
+ }
+ for (i = 0; i < cnt; i++, vaddr += PAGE_SIZE) {
++ dma_addr_t daddr;
++
+ for (; ntids--; tid++) {
+ if (tid == tidcnt)
+ tid = 0;
+@@ -380,12 +382,14 @@ static int qib_tid_update(struct qib_ctxtdata *rcd, struct file *fp,
+ ret = -ENOMEM;
+ break;
+ }
++ ret = qib_map_page(dd->pcidev, pagep[i], &daddr);
++ if (ret)
++ break;
++
+ tidlist[i] = tid + tidoff;
+ /* we "know" system pages and TID pages are same size */
+ dd->pageshadow[ctxttid + tid] = pagep[i];
+- dd->physshadow[ctxttid + tid] =
+- qib_map_page(dd->pcidev, pagep[i], 0, PAGE_SIZE,
+- PCI_DMA_FROMDEVICE);
++ dd->physshadow[ctxttid + tid] = daddr;
+ /*
+ * don't need atomic or it's overhead
+ */
+diff --git a/drivers/infiniband/hw/qib/qib_user_pages.c b/drivers/infiniband/hw/qib/qib_user_pages.c
+index 74f90b2619f6..ab1588ae1c85 100644
+--- a/drivers/infiniband/hw/qib/qib_user_pages.c
++++ b/drivers/infiniband/hw/qib/qib_user_pages.c
+@@ -98,23 +98,27 @@ static int __qib_get_user_pages(unsigned long start_page, size_t num_pages,
+ *
+ * I'm sure we won't be so lucky with other iommu's, so FIXME.
+ */
+-dma_addr_t qib_map_page(struct pci_dev *hwdev, struct page *page,
+- unsigned long offset, size_t size, int direction)
++int qib_map_page(struct pci_dev *hwdev, struct page *page, dma_addr_t *daddr)
+ {
+ dma_addr_t phys;
+
+- phys = pci_map_page(hwdev, page, offset, size, direction);
++ phys = pci_map_page(hwdev, page, 0, PAGE_SIZE, PCI_DMA_FROMDEVICE);
++ if (pci_dma_mapping_error(hwdev, phys))
++ return -ENOMEM;
+
+- if (phys == 0) {
+- pci_unmap_page(hwdev, phys, size, direction);
+- phys = pci_map_page(hwdev, page, offset, size, direction);
++ if (!phys) {
++ pci_unmap_page(hwdev, phys, PAGE_SIZE, PCI_DMA_FROMDEVICE);
++ phys = pci_map_page(hwdev, page, 0, PAGE_SIZE,
++ PCI_DMA_FROMDEVICE);
++ if (pci_dma_mapping_error(hwdev, phys))
++ return -ENOMEM;
+ /*
+ * FIXME: If we get 0 again, we should keep this page,
+ * map another, then free the 0 page.
+ */
+ }
+-
+- return phys;
++ *daddr = phys;
++ return 0;
+ }
+
+ /**
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-051-RDMA-mlx4-Discard-unknown-SQP-work-requests.patch b/patches.kernel.org/4.4.139-051-RDMA-mlx4-Discard-unknown-SQP-work-requests.patch
new file mode 100644
index 0000000000..df49dde01f
--- /dev/null
+++ b/patches.kernel.org/4.4.139-051-RDMA-mlx4-Discard-unknown-SQP-work-requests.patch
@@ -0,0 +1,37 @@
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Tue, 29 May 2018 14:56:14 +0300
+Subject: [PATCH] RDMA/mlx4: Discard unknown SQP work requests
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 6b1ca7ece15e94251d1d0d919f813943e4a58059
+
+commit 6b1ca7ece15e94251d1d0d919f813943e4a58059 upstream.
+
+There is no need to crash the machine if unknown work request was
+received in SQP MAD.
+
+Cc: <stable@vger.kernel.org> # 3.6
+Fixes: 37bfc7c1e83f ("IB/mlx4: SR-IOV multiplex and demultiplex MADs")
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/infiniband/hw/mlx4/mad.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c
+index d862b9b7910e..199a9cdd0d12 100644
+--- a/drivers/infiniband/hw/mlx4/mad.c
++++ b/drivers/infiniband/hw/mlx4/mad.c
+@@ -1780,7 +1780,6 @@ static void mlx4_ib_sqp_comp_worker(struct work_struct *work)
+ "buf:%lld\n", wc.wr_id);
+ break;
+ default:
+- BUG_ON(1);
+ break;
+ }
+ } else {
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-052-mtd-cfi_cmdset_0002-Change-write-buffer-to-ch.patch b/patches.kernel.org/4.4.139-052-mtd-cfi_cmdset_0002-Change-write-buffer-to-ch.patch
new file mode 100644
index 0000000000..e857c16f13
--- /dev/null
+++ b/patches.kernel.org/4.4.139-052-mtd-cfi_cmdset_0002-Change-write-buffer-to-ch.patch
@@ -0,0 +1,51 @@
+From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Date: Wed, 30 May 2018 18:32:26 +0900
+Subject: [PATCH] mtd: cfi_cmdset_0002: Change write buffer to check correct
+ value
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: dfeae1073583dc35c33b32150e18b7048bbb37e6
+
+commit dfeae1073583dc35c33b32150e18b7048bbb37e6 upstream.
+
+For the word write it is checked if the chip has the correct value.
+But it is not checked for the write buffer as only checked if ready.
+To make sure for the write buffer change to check the value.
+
+It is enough as this patch is only checking the last written word.
+Since it is described by data sheets to check the operation status.
+
+Signed-off-by: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Reviewed-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
+Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Cc: Brian Norris <computersforpeace@gmail.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Cc: Boris Brezillon <boris.brezillon@free-electrons.com>
+Cc: Marek Vasut <marek.vasut@gmail.com>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Cyrille Pitchen <cyrille.pitchen@wedev4u.fr>
+Cc: linux-mtd@lists.infradead.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c
+index 31448a2b39ae..2e94c02d5211 100644
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -1878,7 +1878,7 @@ static int __xipram do_write_buffer(struct map_info *map, struct flchip *chip,
+ if (time_after(jiffies, timeo) && !chip_ready(map, adr))
+ break;
+
+- if (chip_ready(map, adr)) {
++ if (chip_good(map, adr, datum)) {
+ xip_enable(map, chip, adr);
+ goto op_done;
+ }
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-053-mtd-cfi_cmdset_0002-Use-right-chip-in-do_ppb_.patch b/patches.kernel.org/4.4.139-053-mtd-cfi_cmdset_0002-Use-right-chip-in-do_ppb_.patch
new file mode 100644
index 0000000000..483c40ee46
--- /dev/null
+++ b/patches.kernel.org/4.4.139-053-mtd-cfi_cmdset_0002-Use-right-chip-in-do_ppb_.patch
@@ -0,0 +1,62 @@
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Date: Wed, 6 Jun 2018 12:13:27 +0200
+Subject: [PATCH] mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock()
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: f93aa8c4de307069c270b2d81741961162bead6c
+
+commit f93aa8c4de307069c270b2d81741961162bead6c upstream.
+
+do_ppb_xxlock() fails to add chip->start when querying for lock status
+(and chip_ready test), which caused false status reports.
+Fix that by adding adr += chip->start and adjust call sites
+accordingly.
+
+Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
+Cc: stable@vger.kernel.org
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c
+index 2e94c02d5211..45e8bedf6984 100644
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -2551,8 +2551,9 @@ static int __maybe_unused do_ppb_xxlock(struct map_info *map,
+ unsigned long timeo;
+ int ret;
+
++ adr += chip->start;
+ mutex_lock(&chip->mutex);
+- ret = get_chip(map, chip, adr + chip->start, FL_LOCKING);
++ ret = get_chip(map, chip, adr, FL_LOCKING);
+ if (ret) {
+ mutex_unlock(&chip->mutex);
+ return ret;
+@@ -2570,8 +2571,8 @@ static int __maybe_unused do_ppb_xxlock(struct map_info *map,
+
+ if (thunk == DO_XXLOCK_ONEBLOCK_LOCK) {
+ chip->state = FL_LOCKING;
+- map_write(map, CMD(0xA0), chip->start + adr);
+- map_write(map, CMD(0x00), chip->start + adr);
++ map_write(map, CMD(0xA0), adr);
++ map_write(map, CMD(0x00), adr);
+ } else if (thunk == DO_XXLOCK_ONEBLOCK_UNLOCK) {
+ /*
+ * Unlocking of one specific sector is not supported, so we
+@@ -2609,7 +2610,7 @@ static int __maybe_unused do_ppb_xxlock(struct map_info *map,
+ map_write(map, CMD(0x00), chip->start);
+
+ chip->state = FL_READY;
+- put_chip(map, chip, adr + chip->start);
++ put_chip(map, chip, adr);
+ mutex_unlock(&chip->mutex);
+
+ return ret;
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-054-mtd-cfi_cmdset_0002-fix-SEGV-unlocking-multip.patch b/patches.kernel.org/4.4.139-054-mtd-cfi_cmdset_0002-fix-SEGV-unlocking-multip.patch
new file mode 100644
index 0000000000..ae5ab4b955
--- /dev/null
+++ b/patches.kernel.org/4.4.139-054-mtd-cfi_cmdset_0002-fix-SEGV-unlocking-multip.patch
@@ -0,0 +1,59 @@
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Date: Wed, 6 Jun 2018 12:13:28 +0200
+Subject: [PATCH] mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 5fdfc3dbad099281bf027a353d5786c09408a8e5
+
+commit 5fdfc3dbad099281bf027a353d5786c09408a8e5 upstream.
+
+cfi_ppb_unlock() tries to relock all sectors that were locked before
+unlocking the whole chip.
+This locking used the chip start address + the FULL offset from the
+first flash chip, thereby forming an illegal address. Fix that by using
+the chip offset(adr).
+
+Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
+Cc: stable@vger.kernel.org
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c
+index 45e8bedf6984..9b5cada414fe 100644
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -2533,7 +2533,7 @@ static int cfi_atmel_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
+
+ struct ppb_lock {
+ struct flchip *chip;
+- loff_t offset;
++ unsigned long adr;
+ int locked;
+ };
+
+@@ -2669,7 +2669,7 @@ static int __maybe_unused cfi_ppb_unlock(struct mtd_info *mtd, loff_t ofs,
+ */
+ if ((adr < ofs) || (adr >= (ofs + len))) {
+ sect[sectors].chip = &cfi->chips[chipnum];
+- sect[sectors].offset = offset;
++ sect[sectors].adr = adr;
+ sect[sectors].locked = do_ppb_xxlock(
+ map, &cfi->chips[chipnum], adr, 0,
+ DO_XXLOCK_ONEBLOCK_GETLOCK);
+@@ -2713,7 +2713,7 @@ static int __maybe_unused cfi_ppb_unlock(struct mtd_info *mtd, loff_t ofs,
+ */
+ for (i = 0; i < sectors; i++) {
+ if (sect[i].locked)
+- do_ppb_xxlock(map, sect[i].chip, sect[i].offset, 0,
++ do_ppb_xxlock(map, sect[i].chip, sect[i].adr, 0,
+ DO_XXLOCK_ONEBLOCK_LOCK);
+ }
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-055-mtd-cfi_cmdset_0002-Fix-unlocking-requests-cr.patch b/patches.kernel.org/4.4.139-055-mtd-cfi_cmdset_0002-Fix-unlocking-requests-cr.patch
new file mode 100644
index 0000000000..16846b6b2f
--- /dev/null
+++ b/patches.kernel.org/4.4.139-055-mtd-cfi_cmdset_0002-Fix-unlocking-requests-cr.patch
@@ -0,0 +1,42 @@
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Date: Wed, 6 Jun 2018 12:13:29 +0200
+Subject: [PATCH] mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip
+ boudary
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 0cd8116f172eed018907303dbff5c112690eeb91
+
+commit 0cd8116f172eed018907303dbff5c112690eeb91 upstream.
+
+The "sector is in requested range" test used to determine whether
+sectors should be re-locked or not is done on a variable that is reset
+everytime we cross a chip boundary, which can lead to some blocks being
+re-locked while the caller expect them to be unlocked.
+Fix the check to make sure this cannot happen.
+
+Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
+Cc: stable@vger.kernel.org
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c
+index 9b5cada414fe..cfddd0f9985a 100644
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -2667,7 +2667,7 @@ static int __maybe_unused cfi_ppb_unlock(struct mtd_info *mtd, loff_t ofs,
+ * sectors shall be unlocked, so lets keep their locking
+ * status at "unlocked" (locked=0) for the final re-locking.
+ */
+- if ((adr < ofs) || (adr >= (ofs + len))) {
++ if ((offset < ofs) || (offset >= (ofs + len))) {
+ sect[sectors].chip = &cfi->chips[chipnum];
+ sect[sectors].adr = adr;
+ sect[sectors].locked = do_ppb_xxlock(
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-056-mtd-cfi_cmdset_0002-Avoid-walking-all-chips-w.patch b/patches.kernel.org/4.4.139-056-mtd-cfi_cmdset_0002-Avoid-walking-all-chips-w.patch
new file mode 100644
index 0000000000..982e919a51
--- /dev/null
+++ b/patches.kernel.org/4.4.139-056-mtd-cfi_cmdset_0002-Avoid-walking-all-chips-w.patch
@@ -0,0 +1,38 @@
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Date: Wed, 6 Jun 2018 12:13:30 +0200
+Subject: [PATCH] mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking.
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: f1ce87f6080b1dda7e7b1eda3da332add19d87b9
+
+commit f1ce87f6080b1dda7e7b1eda3da332add19d87b9 upstream.
+
+cfi_ppb_unlock() walks all flash chips when unlocking sectors,
+avoid walking chips unaffected by the unlock operation.
+
+Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
+Cc: stable@vger.kernel.org
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c
+index cfddd0f9985a..c484ca8c909c 100644
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -2683,6 +2683,8 @@ static int __maybe_unused cfi_ppb_unlock(struct mtd_info *mtd, loff_t ofs,
+ i++;
+
+ if (adr >> cfi->chipshift) {
++ if (offset >= (ofs + len))
++ break;
+ adr = 0;
+ chipnum++;
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-057-MIPS-BCM47XX-Enable-74K-Core-ExternalSync-for.patch b/patches.kernel.org/4.4.139-057-MIPS-BCM47XX-Enable-74K-Core-ExternalSync-for.patch
new file mode 100644
index 0000000000..c3f6fefab0
--- /dev/null
+++ b/patches.kernel.org/4.4.139-057-MIPS-BCM47XX-Enable-74K-Core-ExternalSync-for.patch
@@ -0,0 +1,91 @@
+From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Date: Sun, 3 Jun 2018 23:02:01 +0900
+Subject: [PATCH] MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 2a027b47dba6b77ab8c8e47b589ae9bbc5ac6175
+
+commit 2a027b47dba6b77ab8c8e47b589ae9bbc5ac6175 upstream.
+
+The erratum and workaround are described by BCM5300X-ES300-RDS.pdf as
+below.
+
+ R10: PCIe Transactions Periodically Fail
+
+ Description: The BCM5300X PCIe does not maintain transaction ordering.
+ This may cause PCIe transaction failure.
+ Fix Comment: Add a dummy PCIe configuration read after a PCIe
+ configuration write to ensure PCIe configuration access
+ ordering. Set ES bit of CP0 configu7 register to enable
+ sync function so that the sync instruction is functional.
+ Resolution: hndpci.c: extpci_write_config()
+ hndmips.c: si_mips_init()
+ mipsinc.h CONF7_ES
+
+This is fixed by the CFE MIPS bcmsi chipset driver also for BCM47XX.
+Also the dummy PCIe configuration read is already implemented in the
+Linux BCMA driver.
+
+Enable ExternalSync in Config7 when CONFIG_BCMA_DRIVER_PCI_HOSTMODE=y
+too so that the sync instruction is externalised.
+
+Signed-off-by: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Reviewed-by: Paul Burton <paul.burton@mips.com>
+Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
+Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Cc: Rafał Miłecki <zajec5@gmail.com>
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/19461/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/mips/bcm47xx/setup.c | 6 ++++++
+ arch/mips/include/asm/mipsregs.h | 3 +++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/arch/mips/bcm47xx/setup.c b/arch/mips/bcm47xx/setup.c
+index 6d38948f0f1e..4ca33175ec05 100644
+--- a/arch/mips/bcm47xx/setup.c
++++ b/arch/mips/bcm47xx/setup.c
+@@ -249,6 +249,12 @@ static int __init bcm47xx_cpu_fixes(void)
+ */
+ if (bcm47xx_bus.bcma.bus.chipinfo.id == BCMA_CHIP_ID_BCM4706)
+ cpu_wait = NULL;
++
++ /*
++ * BCM47XX Erratum "R10: PCIe Transactions Periodically Fail"
++ * Enable ExternalSync for sync instruction to take effect
++ */
++ set_c0_config7(MIPS_CONF7_ES);
+ break;
+ #endif
+ }
+diff --git a/arch/mips/include/asm/mipsregs.h b/arch/mips/include/asm/mipsregs.h
+index e43aca183c99..15c183ce9d4f 100644
+--- a/arch/mips/include/asm/mipsregs.h
++++ b/arch/mips/include/asm/mipsregs.h
+@@ -605,6 +605,8 @@
+ #define MIPS_CONF7_WII (_ULCAST_(1) << 31)
+
+ #define MIPS_CONF7_RPS (_ULCAST_(1) << 2)
++/* ExternalSync */
++#define MIPS_CONF7_ES (_ULCAST_(1) << 8)
+
+ #define MIPS_CONF7_IAR (_ULCAST_(1) << 10)
+ #define MIPS_CONF7_AR (_ULCAST_(1) << 16)
+@@ -2012,6 +2014,7 @@ __BUILD_SET_C0(status)
+ __BUILD_SET_C0(cause)
+ __BUILD_SET_C0(config)
+ __BUILD_SET_C0(config5)
++__BUILD_SET_C0(config7)
+ __BUILD_SET_C0(intcontrol)
+ __BUILD_SET_C0(intctl)
+ __BUILD_SET_C0(srsmap)
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-058-PCI-pciehp-Clear-Presence-Detect-and-Data-Lin.patch b/patches.kernel.org/4.4.139-058-PCI-pciehp-Clear-Presence-Detect-and-Data-Lin.patch
new file mode 100644
index 0000000000..efe0cc0f2f
--- /dev/null
+++ b/patches.kernel.org/4.4.139-058-PCI-pciehp-Clear-Presence-Detect-and-Data-Lin.patch
@@ -0,0 +1,93 @@
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Wed, 23 May 2018 17:14:39 -0500
+Subject: [PATCH] PCI: pciehp: Clear Presence Detect and Data Link Layer Status
+ Changed on resume
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 13c65840feab8109194f9490c9870587173cb29d
+
+commit 13c65840feab8109194f9490c9870587173cb29d upstream.
+
+After a suspend/resume cycle the Presence Detect or Data Link Layer Status
+Changed bits might be set. If we don't clear them those events will not
+fire anymore and nothing happens for instance when a device is now
+hot-unplugged.
+
+Fix this by clearing those bits in a newly introduced function
+pcie_reenable_notification(). This should be fine because immediately
+after, we check if the adapter is still present by reading directly from
+the status register.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/pci/hotplug/pciehp.h | 2 +-
+ drivers/pci/hotplug/pciehp_core.c | 2 +-
+ drivers/pci/hotplug/pciehp_hpc.c | 13 ++++++++++++-
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pci/hotplug/pciehp.h b/drivers/pci/hotplug/pciehp.h
+index 62d6fe6c3714..cbe58480b474 100644
+--- a/drivers/pci/hotplug/pciehp.h
++++ b/drivers/pci/hotplug/pciehp.h
+@@ -134,7 +134,7 @@ struct controller *pcie_init(struct pcie_device *dev);
+ int pcie_init_notification(struct controller *ctrl);
+ int pciehp_enable_slot(struct slot *p_slot);
+ int pciehp_disable_slot(struct slot *p_slot);
+-void pcie_enable_notification(struct controller *ctrl);
++void pcie_reenable_notification(struct controller *ctrl);
+ int pciehp_power_on_slot(struct slot *slot);
+ void pciehp_power_off_slot(struct slot *slot);
+ void pciehp_get_power_status(struct slot *slot, u8 *status);
+diff --git a/drivers/pci/hotplug/pciehp_core.c b/drivers/pci/hotplug/pciehp_core.c
+index 612b21a14df5..8f6ded43760a 100644
+--- a/drivers/pci/hotplug/pciehp_core.c
++++ b/drivers/pci/hotplug/pciehp_core.c
+@@ -295,7 +295,7 @@ static int pciehp_resume(struct pcie_device *dev)
+ ctrl = get_service_data(dev);
+
+ /* reinitialize the chipset's event detection logic */
+- pcie_enable_notification(ctrl);
++ pcie_reenable_notification(ctrl);
+
+ slot = ctrl->slot;
+
+diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c
+index 5c24e938042f..63c6c7fce3eb 100644
+--- a/drivers/pci/hotplug/pciehp_hpc.c
++++ b/drivers/pci/hotplug/pciehp_hpc.c
+@@ -628,7 +628,7 @@ static irqreturn_t pcie_isr(int irq, void *dev_id)
+ return IRQ_HANDLED;
+ }
+
+-void pcie_enable_notification(struct controller *ctrl)
++static void pcie_enable_notification(struct controller *ctrl)
+ {
+ u16 cmd, mask;
+
+@@ -666,6 +666,17 @@ void pcie_enable_notification(struct controller *ctrl)
+ pci_pcie_cap(ctrl->pcie->port) + PCI_EXP_SLTCTL, cmd);
+ }
+
++void pcie_reenable_notification(struct controller *ctrl)
++{
++ /*
++ * Clear both Presence and Data Link Layer Changed to make sure
++ * those events still fire after we have re-enabled them.
++ */
++ pcie_capability_write_word(ctrl->pcie->port, PCI_EXP_SLTSTA,
++ PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_DLLSC);
++ pcie_enable_notification(ctrl);
++}
++
+ static void pcie_disable_notification(struct controller *ctrl)
+ {
+ u16 mask;
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-059-MIPS-io-Add-barrier-after-register-read-in-in.patch b/patches.kernel.org/4.4.139-059-MIPS-io-Add-barrier-after-register-read-in-in.patch
new file mode 100644
index 0000000000..74723206be
--- /dev/null
+++ b/patches.kernel.org/4.4.139-059-MIPS-io-Add-barrier-after-register-read-in-in.patch
@@ -0,0 +1,50 @@
+From: Huacai Chen <chenhc@lemote.com>
+Date: Tue, 12 Jun 2018 17:54:42 +0800
+Subject: [PATCH] MIPS: io: Add barrier after register read in inX()
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 18f3e95b90b28318ef35910d21c39908de672331
+
+commit 18f3e95b90b28318ef35910d21c39908de672331 upstream.
+
+While a barrier is present in the outX() functions before the register
+write, a similar barrier is missing in the inX() functions after the
+register read. This could allow memory accesses following inX() to
+observe stale data.
+
+This patch is very similar to commit a1cc7034e33d12dc1 ("MIPS: io: Add
+barrier after register read in readX()"). Because war_io_reorder_wmb()
+is both used by writeX() and outX(), if readX() need a barrier then so
+does inX().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Patchwork: https://patchwork.linux-mips.org/patch/19516/
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: James Hogan <james.hogan@mips.com>
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: Huacai Chen <chenhuacai@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/mips/include/asm/io.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/mips/include/asm/io.h b/arch/mips/include/asm/io.h
+index d10fd80dbb7e..75fa296836fc 100644
+--- a/arch/mips/include/asm/io.h
++++ b/arch/mips/include/asm/io.h
+@@ -411,6 +411,8 @@ static inline type pfx##in##bwlq##p(unsigned long port) \
+ __val = *__addr; \
+ slow; \
+ \
++ /* prevent prefetching of coherent DMA data prematurely */ \
++ rmb(); \
+ return pfx##ioswab##bwlq(__addr, __val); \
+ }
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-060-time-Make-sure-jiffies_to_msecs-preserves-non.patch b/patches.kernel.org/4.4.139-060-time-Make-sure-jiffies_to_msecs-preserves-non.patch
new file mode 100644
index 0000000000..c9291a1c63
--- /dev/null
+++ b/patches.kernel.org/4.4.139-060-time-Make-sure-jiffies_to_msecs-preserves-non.patch
@@ -0,0 +1,74 @@
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Fri, 22 Jun 2018 16:33:57 +0200
+Subject: [PATCH] time: Make sure jiffies_to_msecs() preserves non-zero time
+ periods
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: abcbcb80cd09cd40f2089d912764e315459b71f7
+
+commit abcbcb80cd09cd40f2089d912764e315459b71f7 upstream.
+
+For the common cases where 1000 is a multiple of HZ, or HZ is a multiple of
+1000, jiffies_to_msecs() never returns zero when passed a non-zero time
+period.
+
+However, if HZ > 1000 and not an integer multiple of 1000 (e.g. 1024 or
+1200, as used on alpha and DECstation), jiffies_to_msecs() may return zero
+for small non-zero time periods. This may break code that relies on
+receiving back a non-zero value.
+
+jiffies_to_usecs() does not need such a fix: one jiffy can only be less
+than one µs if HZ > 1000000, and such large values of HZ are already
+rejected at build time, twice:
+
+ - include/linux/jiffies.h does #error if HZ >= 12288,
+ - kernel/time/time.c has BUILD_BUG_ON(HZ > USEC_PER_SEC).
+
+Broken since forever.
+
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Stephen Boyd <sboyd@kernel.org>
+Cc: linux-alpha@vger.kernel.org
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180622143357.7495-1-geert@linux-m68k.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/time/time.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/time/time.c b/kernel/time/time.c
+index 86751c68e08d..de70ac1f84d0 100644
+--- a/kernel/time/time.c
++++ b/kernel/time/time.c
+@@ -28,6 +28,7 @@
+ */
+
+ #include <linux/export.h>
++#include <linux/kernel.h>
+ #include <linux/timex.h>
+ #include <linux/capability.h>
+ #include <linux/timekeeper_internal.h>
+@@ -258,9 +259,10 @@ unsigned int jiffies_to_msecs(const unsigned long j)
+ return (j + (HZ / MSEC_PER_SEC) - 1)/(HZ / MSEC_PER_SEC);
+ #else
+ # if BITS_PER_LONG == 32
+- return (HZ_TO_MSEC_MUL32 * j) >> HZ_TO_MSEC_SHR32;
++ return (HZ_TO_MSEC_MUL32 * j + (1ULL << HZ_TO_MSEC_SHR32) - 1) >>
++ HZ_TO_MSEC_SHR32;
+ # else
+- return (j * HZ_TO_MSEC_NUM) / HZ_TO_MSEC_DEN;
++ return DIV_ROUND_UP(j * HZ_TO_MSEC_NUM, HZ_TO_MSEC_DEN);
+ # endif
+ #endif
+ }
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-061-Btrfs-fix-clone-vs-chattr-NODATASUM-race.patch b/patches.kernel.org/4.4.139-061-Btrfs-fix-clone-vs-chattr-NODATASUM-race.patch
new file mode 100644
index 0000000000..2be99005f3
--- /dev/null
+++ b/patches.kernel.org/4.4.139-061-Btrfs-fix-clone-vs-chattr-NODATASUM-race.patch
@@ -0,0 +1,74 @@
+From: Omar Sandoval <osandov@fb.com>
+Date: Tue, 22 May 2018 15:02:12 -0700
+Subject: [PATCH] Btrfs: fix clone vs chattr NODATASUM race
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: b5c40d598f5408bd0ca22dfffa82f03cd9433f23
+
+commit b5c40d598f5408bd0ca22dfffa82f03cd9433f23 upstream.
+
+In btrfs_clone_files(), we must check the NODATASUM flag while the
+inodes are locked. Otherwise, it's possible that btrfs_ioctl_setflags()
+will change the flags after we check and we can end up with a party
+checksummed file.
+
+The race window is only a few instructions in size, between the if and
+the locks which is:
+
+3834 if (S_ISDIR(src->i_mode) || S_ISDIR(inode->i_mode))
+3835 return -EISDIR;
+
+where the setflags must be run and toggle the NODATASUM flag (provided
+the file size is 0). The clone will block on the inode lock, segflags
+takes the inode lock, changes flags, releases log and clone continues.
+
+Not impossible but still needs a lot of bad luck to hit unintentionally.
+
+Fixes: 0e7b824c4ef9 ("Btrfs: don't make a file partly checksummed through file clone")
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ update changelog ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ adjusted for 4.4 ]
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/btrfs/ioctl.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 4e3c889c1876..6caeb946fc1d 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3923,11 +3923,6 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd,
+ if (!(src_file.file->f_mode & FMODE_READ))
+ goto out_fput;
+
+- /* don't make the dst file partly checksummed */
+- if ((BTRFS_I(src)->flags & BTRFS_INODE_NODATASUM) !=
+- (BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM))
+- goto out_fput;
+-
+ ret = -EISDIR;
+ if (S_ISDIR(src->i_mode) || S_ISDIR(inode->i_mode))
+ goto out_fput;
+@@ -3942,6 +3937,13 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd,
+ mutex_lock(&src->i_mutex);
+ }
+
++ /* don't make the dst file partly checksummed */
++ if ((BTRFS_I(src)->flags & BTRFS_INODE_NODATASUM) !=
++ (BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) {
++ ret = -EINVAL;
++ goto out_unlock;
++ }
++
+ /* determine range to clone */
+ ret = -EINVAL;
+ if (off + len > src->i_size || off + len < off)
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-062-iio-buffer-make-length-types-match-kfifo-type.patch b/patches.kernel.org/4.4.139-062-iio-buffer-make-length-types-match-kfifo-type.patch
new file mode 100644
index 0000000000..73ef745b9f
--- /dev/null
+++ b/patches.kernel.org/4.4.139-062-iio-buffer-make-length-types-match-kfifo-type.patch
@@ -0,0 +1,83 @@
+From: Martin Kelly <mkelly@xevo.com>
+Date: Mon, 26 Mar 2018 14:27:51 -0700
+Subject: [PATCH] iio:buffer: make length types match kfifo types
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: c043ec1ca5baae63726aae32abbe003192bc6eec
+
+commit c043ec1ca5baae63726aae32abbe003192bc6eec upstream.
+
+Currently, we use int for buffer length and bytes_per_datum. However,
+kfifo uses unsigned int for length and size_t for element size. We need
+to make sure these matches or we will have bugs related to overflow (in
+the range between INT_MAX and UINT_MAX for length, for example).
+
+In addition, set_bytes_per_datum uses size_t while bytes_per_datum is an
+int, which would cause bugs for large values of bytes_per_datum.
+
+Change buffer length to use unsigned int and bytes_per_datum to use
+size_t.
+
+Signed-off-by: Martin Kelly <mkelly@xevo.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+[bwh: Backported to 4.4:
+ - Drop change to iio_dma_buffer_set_length()
+ - Adjust filename, context]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/iio/buffer/kfifo_buf.c | 4 ++--
+ include/linux/iio/buffer.h | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iio/buffer/kfifo_buf.c b/drivers/iio/buffer/kfifo_buf.c
+index 7ef9b13262a8..e44181f9eb36 100644
+--- a/drivers/iio/buffer/kfifo_buf.c
++++ b/drivers/iio/buffer/kfifo_buf.c
+@@ -19,7 +19,7 @@ struct iio_kfifo {
+ #define iio_to_kfifo(r) container_of(r, struct iio_kfifo, buffer)
+
+ static inline int __iio_allocate_kfifo(struct iio_kfifo *buf,
+- int bytes_per_datum, int length)
++ size_t bytes_per_datum, unsigned int length)
+ {
+ if ((length == 0) || (bytes_per_datum == 0))
+ return -EINVAL;
+@@ -71,7 +71,7 @@ static int iio_set_bytes_per_datum_kfifo(struct iio_buffer *r, size_t bpd)
+ return 0;
+ }
+
+-static int iio_set_length_kfifo(struct iio_buffer *r, int length)
++static int iio_set_length_kfifo(struct iio_buffer *r, unsigned int length)
+ {
+ /* Avoid an invalid state */
+ if (length < 2)
+diff --git a/include/linux/iio/buffer.h b/include/linux/iio/buffer.h
+index 1600c55828e0..93a774ce4922 100644
+--- a/include/linux/iio/buffer.h
++++ b/include/linux/iio/buffer.h
+@@ -49,7 +49,7 @@ struct iio_buffer_access_funcs {
+ int (*request_update)(struct iio_buffer *buffer);
+
+ int (*set_bytes_per_datum)(struct iio_buffer *buffer, size_t bpd);
+- int (*set_length)(struct iio_buffer *buffer, int length);
++ int (*set_length)(struct iio_buffer *buffer, unsigned int length);
+
+ void (*release)(struct iio_buffer *buffer);
+
+@@ -78,8 +78,8 @@ struct iio_buffer_access_funcs {
+ * @watermark: [INTERN] number of datums to wait for poll/read.
+ */
+ struct iio_buffer {
+- int length;
+- int bytes_per_datum;
++ unsigned int length;
++ size_t bytes_per_datum;
+ struct attribute_group *scan_el_attrs;
+ long *scan_mask;
+ bool scan_timestamp;
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-063-scsi-qla2xxx-Fix-setting-lower-transfer-speed.patch b/patches.kernel.org/4.4.139-063-scsi-qla2xxx-Fix-setting-lower-transfer-speed.patch
new file mode 100644
index 0000000000..6017290cb0
--- /dev/null
+++ b/patches.kernel.org/4.4.139-063-scsi-qla2xxx-Fix-setting-lower-transfer-speed.patch
@@ -0,0 +1,47 @@
+From: Himanshu Madhani <himanshu.madhani@cavium.com>
+Date: Sun, 3 Jun 2018 22:09:53 -0700
+Subject: [PATCH] scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 413c2f33489b134e3cc65d9c3ff7861e8fdfe899
+
+commit 413c2f33489b134e3cc65d9c3ff7861e8fdfe899 upstream.
+
+This patch prevents driver from setting lower default speed of 1 GB/sec,
+if the switch does not support Get Port Speed Capabilities (GPSC)
+command. Setting this default speed results into much lower write
+performance for large sequential WRITE. This patch modifies driver to
+check for gpsc_supported flags and prevents driver from issuing
+MBC_SET_PORT_PARAM (001Ah) to set default speed of 1 GB/sec. If driver
+does not send this mailbox command, firmware assumes maximum supported
+link speed and will operate at the max speed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Reported-by: Eda Zhou <ezhou@redhat.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Tested-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/scsi/qla2xxx/qla_init.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index aa18c729d23a..a9eb3cd453be 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -3261,7 +3261,8 @@ qla2x00_iidma_fcport(scsi_qla_host_t *vha, fc_port_t *fcport)
+ return;
+
+ if (fcport->fp_speed == PORT_SPEED_UNKNOWN ||
+- fcport->fp_speed > ha->link_data_rate)
++ fcport->fp_speed > ha->link_data_rate ||
++ !ha->flags.gpsc_supported)
+ return;
+
+ rval = qla2x00_set_idma_speed(vha, fcport->loop_id, fcport->fp_speed,
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-064-scsi-zfcp-fix-missing-SCSI-trace-for-result-o.patch b/patches.kernel.org/4.4.139-064-scsi-zfcp-fix-missing-SCSI-trace-for-result-o.patch
new file mode 100644
index 0000000000..ae0985903d
--- /dev/null
+++ b/patches.kernel.org/4.4.139-064-scsi-zfcp-fix-missing-SCSI-trace-for-result-o.patch
@@ -0,0 +1,149 @@
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Thu, 17 May 2018 19:14:43 +0200
+Subject: [PATCH] scsi: zfcp: fix missing SCSI trace for result of
+ eh_host_reset_handler
+Patch-mainline: 4.4.139
+References: LTC#168765 bnc#1012382 bnc#1099713
+Git-commit: df30781699f53e4fd4c494c6f7dd16e3d5c21d30
+
+commit df30781699f53e4fd4c494c6f7dd16e3d5c21d30 upstream.
+
+For problem determination we need to see whether and why we were successful
+or not. This allows deduction of scsi_eh escalation.
+
+Example trace record formatted with zfcpdbf from s390-tools:
+
+Timestamp : ...
+Area : SCSI
+Subarea : 00
+Level : 1
+Exception : -
+CPU ID : ..
+Caller : 0x...
+Record ID : 1
+Tag : schrh_r SCSI host reset handler result
+Request ID : 0x0000000000000000 none (invalid)
+SCSI ID : 0xffffffff none (invalid)
+SCSI LUN : 0xffffffff none (invalid)
+SCSI LUN high : 0xffffffff none (invalid)
+SCSI result : 0x00002002 field re-used for midlayer value: SUCCESS
+ or in other cases: 0x2009 == FAST_IO_FAIL
+SCSI retries : 0xff none (invalid)
+SCSI allowed : 0xff none (invalid)
+SCSI scribble : 0xffffffffffffffff none (invalid)
+SCSI opcode : ffffffff ffffffff ffffffff ffffffff none (invalid)
+FCP rsp inf cod: 0xff none (invalid)
+FCP rsp IU : 00000000 00000000 00000000 00000000 none (invalid)
+ 00000000 00000000
+
+v2.6.35 commit a1dbfddd02d2 ("[SCSI] zfcp: Pass return code from
+fc_block_scsi_eh to scsi eh") introduced the first return with something
+other than the previously hardcoded single SUCCESS return path.
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Fixes: a1dbfddd02d2 ("[SCSI] zfcp: Pass return code from fc_block_scsi_eh to scsi eh")
+Cc: <stable@vger.kernel.org> #2.6.38+
+Reviewed-by: Jens Remus <jremus@linux.ibm.com>
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/s390/scsi/zfcp_dbf.c | 40 +++++++++++++++++++++++++++++++++++
+ drivers/s390/scsi/zfcp_ext.h | 2 ++
+ drivers/s390/scsi/zfcp_scsi.c | 11 +++++-----
+ 3 files changed, 48 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/s390/scsi/zfcp_dbf.c b/drivers/s390/scsi/zfcp_dbf.c
+index 4534a7ce77b8..b6caad0fee24 100644
+--- a/drivers/s390/scsi/zfcp_dbf.c
++++ b/drivers/s390/scsi/zfcp_dbf.c
+@@ -625,6 +625,46 @@ void zfcp_dbf_scsi(char *tag, int level, struct scsi_cmnd *sc,
+ spin_unlock_irqrestore(&dbf->scsi_lock, flags);
+ }
+
++/**
++ * zfcp_dbf_scsi_eh() - Trace event for special cases of scsi_eh callbacks.
++ * @tag: Identifier for event.
++ * @adapter: Pointer to zfcp adapter as context for this event.
++ * @scsi_id: SCSI ID/target to indicate scope of task management function (TMF).
++ * @ret: Return value of calling function.
++ *
++ * This SCSI trace variant does not depend on any of:
++ * scsi_cmnd, zfcp_fsf_req, scsi_device.
++ */
++void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter,
++ unsigned int scsi_id, int ret)
++{
++ struct zfcp_dbf *dbf = adapter->dbf;
++ struct zfcp_dbf_scsi *rec = &dbf->scsi_buf;
++ unsigned long flags;
++ static int const level = 1;
++
++ if (unlikely(!debug_level_enabled(adapter->dbf->scsi, level)))
++ return;
++
++ spin_lock_irqsave(&dbf->scsi_lock, flags);
++ memset(rec, 0, sizeof(*rec));
++
++ memcpy(rec->tag, tag, ZFCP_DBF_TAG_LEN);
++ rec->id = ZFCP_DBF_SCSI_CMND;
++ rec->scsi_result = ret; /* re-use field, int is 4 bytes and fits */
++ rec->scsi_retries = ~0;
++ rec->scsi_allowed = ~0;
++ rec->fcp_rsp_info = ~0;
++ rec->scsi_id = scsi_id;
++ rec->scsi_lun = (u32)ZFCP_DBF_INVALID_LUN;
++ rec->scsi_lun_64_hi = (u32)(ZFCP_DBF_INVALID_LUN >> 32);
++ rec->host_scribble = ~0;
++ memset(rec->scsi_opcode, 0xff, ZFCP_DBF_SCSI_OPCODE);
++
++ debug_event(dbf->scsi, level, rec, sizeof(*rec));
++ spin_unlock_irqrestore(&dbf->scsi_lock, flags);
++}
++
+ static debug_info_t *zfcp_dbf_reg(const char *name, int size, int rec_size)
+ {
+ struct debug_info *d;
+diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h
+index 7a7984a50683..7eaa2e13721f 100644
+--- a/drivers/s390/scsi/zfcp_ext.h
++++ b/drivers/s390/scsi/zfcp_ext.h
+@@ -52,6 +52,8 @@ extern void zfcp_dbf_san_res(char *, struct zfcp_fsf_req *);
+ extern void zfcp_dbf_san_in_els(char *, struct zfcp_fsf_req *);
+ extern void zfcp_dbf_scsi(char *, int, struct scsi_cmnd *,
+ struct zfcp_fsf_req *);
++extern void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter,
++ unsigned int scsi_id, int ret);
+
+ /* zfcp_erp.c */
+ extern void zfcp_erp_set_adapter_status(struct zfcp_adapter *, u32);
+diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c
+index bb99db2948ab..fbabf7e15cb7 100644
+--- a/drivers/s390/scsi/zfcp_scsi.c
++++ b/drivers/s390/scsi/zfcp_scsi.c
+@@ -322,15 +322,16 @@ static int zfcp_scsi_eh_host_reset_handler(struct scsi_cmnd *scpnt)
+ {
+ struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(scpnt->device);
+ struct zfcp_adapter *adapter = zfcp_sdev->port->adapter;
+- int ret;
++ int ret = SUCCESS, fc_ret;
+
+ zfcp_erp_adapter_reopen(adapter, 0, "schrh_1");
+ zfcp_erp_wait(adapter);
+- ret = fc_block_scsi_eh(scpnt);
+- if (ret)
+- return ret;
++ fc_ret = fc_block_scsi_eh(scpnt);
++ if (fc_ret)
++ ret = fc_ret;
+
+- return SUCCESS;
++ zfcp_dbf_scsi_eh("schrh_r", adapter, ~0, ret);
++ return ret;
+ }
+
+ struct scsi_transport_template *zfcp_scsi_transport_template;
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-065-scsi-zfcp-fix-missing-SCSI-trace-for-retry-of.patch b/patches.kernel.org/4.4.139-065-scsi-zfcp-fix-missing-SCSI-trace-for-retry-of.patch
new file mode 100644
index 0000000000..ed0c12d24c
--- /dev/null
+++ b/patches.kernel.org/4.4.139-065-scsi-zfcp-fix-missing-SCSI-trace-for-retry-of.patch
@@ -0,0 +1,107 @@
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Thu, 17 May 2018 19:14:44 +0200
+Subject: [PATCH] scsi: zfcp: fix missing SCSI trace for retry of abort /
+ scsi_eh TMF
+Patch-mainline: 4.4.139
+References: LTC#168765 bnc#1012382 bnc#1099713
+Git-commit: 81979ae63e872ef650a7197f6ce6590059d37172
+
+commit 81979ae63e872ef650a7197f6ce6590059d37172 upstream.
+
+We already have a SCSI trace for the end of abort and scsi_eh TMF. Due to
+zfcp_erp_wait() and fc_block_scsi_eh() time can pass between the start of
+our eh callback and an actual send/recv of an abort / TMF request. In order
+to see the temporal sequence including any abort / TMF send retries, add a
+trace before the above two blocking functions. This supports problem
+determination with scsi_eh and parallel zfcp ERP.
+
+No need to explicitly trace the beginning of our eh callback, since we
+typically can send an abort / TMF and see its HBA response (in the worst
+case, it's a pseudo response on dismiss all of adapter recovery, e.g. due to
+an FSF request timeout [fsrth_1] of the abort / TMF). If we cannot send, we
+now get a trace record for the first "abrt_wt" or "[lt]r_wait" which denotes
+almost the beginning of the callback.
+
+No need to explicitly trace the wakeup after the above two blocking
+functions because the next retry loop causes another trace in any case and
+that is sufficient.
+
+Example trace records formatted with zfcpdbf from s390-tools:
+
+Timestamp : ...
+Area : SCSI
+Subarea : 00
+Level : 1
+Exception : -
+CPU ID : ..
+Caller : 0x...
+Record ID : 1
+Tag : abrt_wt abort, before zfcp_erp_wait()
+Request ID : 0x0000000000000000 none (invalid)
+SCSI ID : 0x<scsi_id>
+SCSI LUN : 0x<scsi_lun>
+SCSI LUN high : 0x<scsi_lun_high>
+SCSI result : 0x<scsi_result_of_cmd_to_be_aborted>
+SCSI retries : 0x<retries_of_cmd_to_be_aborted>
+SCSI allowed : 0x<allowed_retries_of_cmd_to_be_aborted>
+SCSI scribble : 0x<req_id_of_cmd_to_be_aborted>
+SCSI opcode : <CDB_of_cmd_to_be_aborted>
+FCP rsp inf cod: 0x.. none (invalid)
+FCP rsp IU : ... none (invalid)
+
+Timestamp : ...
+Area : SCSI
+Subarea : 00
+Level : 1
+Exception : -
+CPU ID : ..
+Caller : 0x...
+Record ID : 1
+Tag : lr_wait LUN reset, before zfcp_erp_wait()
+Request ID : 0x0000000000000000 none (invalid)
+SCSI ID : 0x<scsi_id>
+SCSI LUN : 0x<scsi_lun>
+SCSI LUN high : 0x<scsi_lun_high>
+SCSI result : 0x... unrelated
+SCSI retries : 0x.. unrelated
+SCSI allowed : 0x.. unrelated
+SCSI scribble : 0x... unrelated
+SCSI opcode : ... unrelated
+FCP rsp inf cod: 0x.. none (invalid)
+FCP rsp IU : ... none (invalid)
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Fixes: 63caf367e1c9 ("[SCSI] zfcp: Improve reliability of SCSI eh handlers in zfcp")
+Fixes: af4de36d911a ("[SCSI] zfcp: Block scsi_eh thread for rport state BLOCKED")
+Cc: <stable@vger.kernel.org> #2.6.38+
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/s390/scsi/zfcp_scsi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c
+index fbabf7e15cb7..e7a36109c79c 100644
+--- a/drivers/s390/scsi/zfcp_scsi.c
++++ b/drivers/s390/scsi/zfcp_scsi.c
+@@ -180,6 +180,7 @@ static int zfcp_scsi_eh_abort_handler(struct scsi_cmnd *scpnt)
+ if (abrt_req)
+ break;
+
++ zfcp_dbf_scsi_abort("abrt_wt", scpnt, NULL);
+ zfcp_erp_wait(adapter);
+ ret = fc_block_scsi_eh(scpnt);
+ if (ret) {
+@@ -276,6 +277,7 @@ static int zfcp_task_mgmt_function(struct scsi_cmnd *scpnt, u8 tm_flags)
+ if (fsf_req)
+ break;
+
++ zfcp_dbf_scsi_devreset("wait", scpnt, tm_flags, NULL);
+ zfcp_erp_wait(adapter);
+ ret = fc_block_scsi_eh(scpnt);
+ if (ret) {
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-066-scsi-zfcp-fix-misleading-REC-trigger-trace-wh.patch b/patches.kernel.org/4.4.139-066-scsi-zfcp-fix-misleading-REC-trigger-trace-wh.patch
new file mode 100644
index 0000000000..2879ef169f
--- /dev/null
+++ b/patches.kernel.org/4.4.139-066-scsi-zfcp-fix-misleading-REC-trigger-trace-wh.patch
@@ -0,0 +1,122 @@
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Thu, 17 May 2018 19:14:45 +0200
+Subject: [PATCH] scsi: zfcp: fix misleading REC trigger trace where erp_action
+ setup failed
+Patch-mainline: 4.4.139
+References: LTC#168765 bnc#1012382 bnc#1099713
+Git-commit: 512857a795cbbda5980efa4cdb3c0b6602330408
+
+commit 512857a795cbbda5980efa4cdb3c0b6602330408 upstream.
+
+If a SCSI device is deleted during scsi_eh host reset, we cannot get a
+reference to the SCSI device anymore since scsi_device_get returns !=0 by
+design. Assuming the recovery of adapter and port(s) was successful,
+zfcp_erp_strategy_followup_success() attempts to trigger a LUN reset for the
+half-gone SCSI device. Unfortunately, it causes the following confusing
+trace record which states that zfcp will do a LUN recovery as "ERP need" is
+ZFCP_ERP_ACTION_REOPEN_LUN == 1 and equals "ERP want".
+
+Old example trace record formatted with zfcpdbf from s390-tools:
+
+Tag: : ersfs_3 ERP, trigger, unit reopen, port reopen succeeded
+LUN : 0x<FCP_LUN>
+WWPN : 0x<WWPN>
+D_ID : 0x<N_Port-ID>
+Adapter status : 0x5400050b
+Port status : 0x54000001
+LUN status : 0x40000000 ZFCP_STATUS_COMMON_RUNNING
+ but not ZFCP_STATUS_COMMON_UNBLOCKED as it
+ was closed on close part of adapter reopen
+ERP want : 0x01
+ERP need : 0x01 misleading
+
+However, zfcp_erp_setup_act() returns NULL as it cannot get the reference.
+Hence, zfcp_erp_action_enqueue() takes an early goto out and _NO_ recovery
+actually happens.
+
+We always do want the recovery trigger trace record even if no erp_action
+could be enqueued as in this case. For other cases where we did not enqueue
+an erp_action, 'need' has always been zero to indicate this. In order to
+indicate above goto out, introduce an eyecatcher "flag" to mark the "ERP
+need" as 'not needed' but still keep the information which erp_action type,
+that zfcp_erp_required_act() had decided upon, is needed. 0xc_ is chosen to
+be visibly different from 0x0_ in "ERP want".
+
+New example trace record formatted with zfcpdbf from s390-tools:
+
+Tag: : ersfs_3 ERP, trigger, unit reopen, port reopen succeeded
+LUN : 0x<FCP_LUN>
+WWPN : 0x<WWPN>
+D_ID : 0x<N_Port-ID>
+Adapter status : 0x5400050b
+Port status : 0x54000001
+LUN status : 0x40000000
+ERP want : 0x01
+ERP need : 0xc1 would need LUN ERP, but no action set up
+ ^
+
+Before v2.6.38 commit ae0904f60fab ("[SCSI] zfcp: Redesign of the debug
+tracing for recovery actions.") we could detect this case because the
+"erp_action" field in the trace was NULL. The rework removed erp_action as
+argument and field from the trace.
+
+This patch here is for tracing. A fix to allow LUN recovery in the case at
+hand is a topic for a separate patch.
+
+See also commit fdbd1c5e27da ("[SCSI] zfcp: Allow running unit/LUN shutdown
+without acquiring reference") for a similar case and background info.
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Fixes: ae0904f60fab ("[SCSI] zfcp: Redesign of the debug tracing for recovery actions.")
+Cc: <stable@vger.kernel.org> #2.6.38+
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/s390/scsi/zfcp_erp.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
+index 3b23d6754598..ae624789a6c4 100644
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -34,11 +34,23 @@ enum zfcp_erp_steps {
+ ZFCP_ERP_STEP_LUN_OPENING = 0x2000,
+ };
+
++/**
++ * enum zfcp_erp_act_type - Type of ERP action object.
++ * @ZFCP_ERP_ACTION_REOPEN_LUN: LUN recovery.
++ * @ZFCP_ERP_ACTION_REOPEN_PORT: Port recovery.
++ * @ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: Forced port recovery.
++ * @ZFCP_ERP_ACTION_REOPEN_ADAPTER: Adapter recovery.
++ * @ZFCP_ERP_ACTION_NONE: Eyecatcher pseudo flag to bitwise or-combine with
++ * either of the other enum values.
++ * Used to indicate that an ERP action could not be
++ * set up despite a detected need for some recovery.
++ */
+ enum zfcp_erp_act_type {
+ ZFCP_ERP_ACTION_REOPEN_LUN = 1,
+ ZFCP_ERP_ACTION_REOPEN_PORT = 2,
+ ZFCP_ERP_ACTION_REOPEN_PORT_FORCED = 3,
+ ZFCP_ERP_ACTION_REOPEN_ADAPTER = 4,
++ ZFCP_ERP_ACTION_NONE = 0xc0,
+ };
+
+ enum zfcp_erp_act_state {
+@@ -256,8 +268,10 @@ static int zfcp_erp_action_enqueue(int want, struct zfcp_adapter *adapter,
+ goto out;
+
+ act = zfcp_erp_setup_act(need, act_status, adapter, port, sdev);
+- if (!act)
++ if (!act) {
++ need |= ZFCP_ERP_ACTION_NONE; /* marker for trace */
+ goto out;
++ }
+ atomic_or(ZFCP_STATUS_ADAPTER_ERP_PENDING, &adapter->status);
+ ++adapter->erp_total_count;
+ list_add_tail(&act->list, &adapter->erp_ready_head);
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-067-scsi-zfcp-fix-missing-REC-trigger-trace-on-te.patch b/patches.kernel.org/4.4.139-067-scsi-zfcp-fix-missing-REC-trigger-trace-on-te.patch
new file mode 100644
index 0000000000..953d38d571
--- /dev/null
+++ b/patches.kernel.org/4.4.139-067-scsi-zfcp-fix-missing-REC-trigger-trace-on-te.patch
@@ -0,0 +1,121 @@
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Thu, 17 May 2018 19:14:46 +0200
+Subject: [PATCH] scsi: zfcp: fix missing REC trigger trace on
+ terminate_rport_io early return
+Patch-mainline: 4.4.139
+References: LTC#168765 bnc#1012382 bnc#1099713
+Git-commit: 96d9270499471545048ed8a6d7f425a49762283d
+
+commit 96d9270499471545048ed8a6d7f425a49762283d upstream.
+
+get_device() and its internally used kobject_get() only return NULL if they
+get passed NULL as argument. zfcp_get_port_by_wwpn() loops over
+adapter->port_list so the iteration variable port is always non-NULL.
+Struct device is embedded in struct zfcp_port so &port->dev is always
+non-NULL. This is the argument to get_device(). However, if we get an
+fc_rport in terminate_rport_io() for which we cannot find a match within
+zfcp_get_port_by_wwpn(), the latter can return NULL. v2.6.30 commit
+70932935b61e ("[SCSI] zfcp: Fix oops when port disappears") introduced an
+early return without adding a trace record for this case. Even if we don't
+need recovery in this case, for debugging we should still see that our
+callback was invoked originally by scsi_transport_fc.
+
+Example trace record formatted with zfcpdbf from s390-tools:
+
+Timestamp : ...
+Area : REC
+Subarea : 00
+Level : 1
+Exception : -
+CPU ID : ..
+Caller : 0x...
+Record ID : 1
+Tag : sctrpin SCSI terminate rport I/O, no zfcp port
+LUN : 0xffffffffffffffff none (invalid)
+WWPN : 0x<wwpn> WWPN
+D_ID : 0x<n_port_id> N_Port-ID
+Adapter status : 0x...
+Port status : 0xffffffff unknown (-1)
+LUN status : 0x00000000 none (invalid)
+Ready count : 0x...
+Running count : 0x...
+ERP want : 0x03 ZFCP_ERP_ACTION_REOPEN_PORT_FORCED
+ERP need : 0xc0 ZFCP_ERP_ACTION_NONE
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Fixes: 70932935b61e ("[SCSI] zfcp: Fix oops when port disappears")
+Cc: <stable@vger.kernel.org> #2.6.38+
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/s390/scsi/zfcp_erp.c | 20 ++++++++++++++++++++
+ drivers/s390/scsi/zfcp_ext.h | 3 +++
+ drivers/s390/scsi/zfcp_scsi.c | 5 +++++
+ 3 files changed, 28 insertions(+)
+
+diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
+index ae624789a6c4..e60c16b2ba45 100644
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -282,6 +282,26 @@ static int zfcp_erp_action_enqueue(int want, struct zfcp_adapter *adapter,
+ return retval;
+ }
+
++void zfcp_erp_port_forced_no_port_dbf(char *id, struct zfcp_adapter *adapter,
++ u64 port_name, u32 port_id)
++{
++ unsigned long flags;
++ static /* don't waste stack */ struct zfcp_port tmpport;
++
++ write_lock_irqsave(&adapter->erp_lock, flags);
++ /* Stand-in zfcp port with fields just good enough for
++ * zfcp_dbf_rec_trig() and zfcp_dbf_set_common().
++ * Under lock because tmpport is static.
++ */
++ atomic_set(&tmpport.status, -1); /* unknown */
++ tmpport.wwpn = port_name;
++ tmpport.d_id = port_id;
++ zfcp_dbf_rec_trig(id, adapter, &tmpport, NULL,
++ ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
++ ZFCP_ERP_ACTION_NONE);
++ write_unlock_irqrestore(&adapter->erp_lock, flags);
++}
++
+ static int _zfcp_erp_adapter_reopen(struct zfcp_adapter *adapter,
+ int clear_mask, char *id)
+ {
+diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h
+index 7eaa2e13721f..b326f05c7f89 100644
+--- a/drivers/s390/scsi/zfcp_ext.h
++++ b/drivers/s390/scsi/zfcp_ext.h
+@@ -58,6 +58,9 @@ extern void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter,
+ /* zfcp_erp.c */
+ extern void zfcp_erp_set_adapter_status(struct zfcp_adapter *, u32);
+ extern void zfcp_erp_clear_adapter_status(struct zfcp_adapter *, u32);
++extern void zfcp_erp_port_forced_no_port_dbf(char *id,
++ struct zfcp_adapter *adapter,
++ u64 port_name, u32 port_id);
+ extern void zfcp_erp_adapter_reopen(struct zfcp_adapter *, int, char *);
+ extern void zfcp_erp_adapter_shutdown(struct zfcp_adapter *, int, char *);
+ extern void zfcp_erp_set_port_status(struct zfcp_port *, u32);
+diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c
+index e7a36109c79c..3afb200b2829 100644
+--- a/drivers/s390/scsi/zfcp_scsi.c
++++ b/drivers/s390/scsi/zfcp_scsi.c
+@@ -603,6 +603,11 @@ static void zfcp_scsi_terminate_rport_io(struct fc_rport *rport)
+ if (port) {
+ zfcp_erp_port_forced_reopen(port, 0, "sctrpi1");
+ put_device(&port->dev);
++ } else {
++ zfcp_erp_port_forced_no_port_dbf(
++ "sctrpin", adapter,
++ rport->port_name /* zfcp_scsi_rport_register */,
++ rport->port_id /* zfcp_scsi_rport_register */);
+ }
+ }
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-068-scsi-zfcp-fix-missing-REC-trigger-trace-on-te.patch b/patches.kernel.org/4.4.139-068-scsi-zfcp-fix-missing-REC-trigger-trace-on-te.patch
new file mode 100644
index 0000000000..020aae45de
--- /dev/null
+++ b/patches.kernel.org/4.4.139-068-scsi-zfcp-fix-missing-REC-trigger-trace-on-te.patch
@@ -0,0 +1,133 @@
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Thu, 17 May 2018 19:14:47 +0200
+Subject: [PATCH] scsi: zfcp: fix missing REC trigger trace on
+ terminate_rport_io for ERP_FAILED
+Patch-mainline: 4.4.139
+References: LTC#168765 bnc#1012382 bnc#1099713
+Git-commit: d70aab55924b44f213fec2b900b095430b33eec6
+
+commit d70aab55924b44f213fec2b900b095430b33eec6 upstream.
+
+For problem determination we always want to see when we were invoked on the
+terminate_rport_io callback whether we perform something or not.
+
+Temporal event sequence of interest with a long fast_io_fail_tmo of 27 sec:
+
+loose remote port
+
+t workqueue
+[s] zfcp_q_<dev> IRQ zfcperp<dev>
+
+=== ================== =================== ============================
+
+ 0 recv RSCN
+ q p.test_link_work
+ block rport
+ start fast_io_fail_tmo
+ send ADISC ELS
+ 4 recv ADISC fail
+ block zfcp_port
+ port forced reopen
+ send open port
+ 12 recv open port fail
+ q p.gid_pn_work
+ zfcp_erp_wakeup
+ (zfcp_erp_wait would return)
+ GID_PN fail
+
+Before this point, we got a SCSI trace with tag "sctrpi1" on fast_io_fail,
+e.g. with the typical 5 sec setting.
+
+ port.status |= ERP_FAILED
+
+If fast_io_fail_tmo triggers after this point, we missed a SCSI trace.
+
+ workqueue
+ fc_dl_<host>
+ ==================
+ 27 fc_timeout_fail_rport_io
+ fc_terminate_rport_io
+ zfcp_scsi_terminate_rport_io
+ zfcp_erp_port_forced_reopen
+ _zfcp_erp_port_forced_reopen
+ if (port.status & ERP_FAILED)
+ return;
+
+Therefore, write a trace before above early return.
+
+Example trace record formatted with zfcpdbf from s390-tools:
+
+Timestamp : ...
+Area : REC
+Subarea : 00
+Level : 1
+Exception : -
+CPU ID : ..
+Caller : 0x...
+Record ID : 1 ZFCP_DBF_REC_TRIG
+Tag : sctrpi1 SCSI terminate rport I/O
+LUN : 0xffffffffffffffff none (invalid)
+WWPN : 0x<wwpn>
+D_ID : 0x<n_port_id>
+Adapter status : 0x...
+Port status : 0x...
+LUN status : 0x00000000 none (invalid)
+Ready count : 0x...
+Running count : 0x...
+ERP want : 0x03 ZFCP_ERP_ACTION_REOPEN_PORT_FORCED
+ERP need : 0xe0 ZFCP_ERP_ACTION_FAILED
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Cc: <stable@vger.kernel.org> #2.6.38+
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/s390/scsi/zfcp_erp.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
+index e60c16b2ba45..e695f95ac3c2 100644
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -41,9 +41,13 @@ enum zfcp_erp_steps {
+ * @ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: Forced port recovery.
+ * @ZFCP_ERP_ACTION_REOPEN_ADAPTER: Adapter recovery.
+ * @ZFCP_ERP_ACTION_NONE: Eyecatcher pseudo flag to bitwise or-combine with
+- * either of the other enum values.
++ * either of the first four enum values.
+ * Used to indicate that an ERP action could not be
+ * set up despite a detected need for some recovery.
++ * @ZFCP_ERP_ACTION_FAILED: Eyecatcher pseudo flag to bitwise or-combine with
++ * either of the first four enum values.
++ * Used to indicate that ERP not needed because
++ * the object has ZFCP_STATUS_COMMON_ERP_FAILED.
+ */
+ enum zfcp_erp_act_type {
+ ZFCP_ERP_ACTION_REOPEN_LUN = 1,
+@@ -51,6 +55,7 @@ enum zfcp_erp_act_type {
+ ZFCP_ERP_ACTION_REOPEN_PORT_FORCED = 3,
+ ZFCP_ERP_ACTION_REOPEN_ADAPTER = 4,
+ ZFCP_ERP_ACTION_NONE = 0xc0,
++ ZFCP_ERP_ACTION_FAILED = 0xe0,
+ };
+
+ enum zfcp_erp_act_state {
+@@ -378,8 +383,12 @@ static void _zfcp_erp_port_forced_reopen(struct zfcp_port *port, int clear,
+ zfcp_erp_port_block(port, clear);
+ zfcp_scsi_schedule_rport_block(port);
+
+- if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
++ if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
++ zfcp_dbf_rec_trig(id, port->adapter, port, NULL,
++ ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
++ ZFCP_ERP_ACTION_FAILED);
+ return;
++ }
+
+ zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
+ port->adapter, port, NULL, id, 0);
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-069-scsi-zfcp-fix-missing-REC-trigger-trace-for-a.patch b/patches.kernel.org/4.4.139-069-scsi-zfcp-fix-missing-REC-trigger-trace-for-a.patch
new file mode 100644
index 0000000000..0b22856fd5
--- /dev/null
+++ b/patches.kernel.org/4.4.139-069-scsi-zfcp-fix-missing-REC-trigger-trace-for-a.patch
@@ -0,0 +1,190 @@
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Thu, 17 May 2018 19:14:48 +0200
+Subject: [PATCH] scsi: zfcp: fix missing REC trigger trace for all objects in
+ ERP_FAILED
+Patch-mainline: 4.4.139
+References: LTC#168765 bnc#1012382 bnc#1099713
+Git-commit: 8c3d20aada70042a39c6a6625be037c1472ca610
+
+commit 8c3d20aada70042a39c6a6625be037c1472ca610 upstream.
+
+That other commit introduced an inconsistency because it would trace on
+ERP_FAILED for all callers of port forced reopen triggers (not just
+terminate_rport_io), but it would not trace on ERP_FAILED for all callers of
+other ERP triggers such as adapter, port regular, LUN.
+
+Therefore, generalize that other commit. zfcp_erp_action_enqueue() already
+had two early outs which re-used the one zfcp_dbf_rec_trig() call. All ERP
+trigger functions finally run through zfcp_erp_action_enqueue(). So move
+the special handling for ZFCP_STATUS_COMMON_ERP_FAILED into
+zfcp_erp_action_enqueue() and add another early out with new trace marker
+for pseudo ERP need in this case. This removes all early returns from all
+ERP trigger functions so we always end up at zfcp_dbf_rec_trig().
+
+Example trace record formatted with zfcpdbf from s390-tools:
+
+Timestamp : ...
+Area : REC
+Subarea : 00
+Level : 1
+Exception : -
+CPU ID : ..
+Caller : 0x...
+Record ID : 1 ZFCP_DBF_REC_TRIG
+Tag : .......
+LUN : 0x...
+WWPN : 0x...
+D_ID : 0x...
+Adapter status : 0x...
+Port status : 0x...
+LUN status : 0x...
+Ready count : 0x...
+Running count : 0x...
+ERP want : 0x0. ZFCP_ERP_ACTION_REOPEN_...
+ERP need : 0xe0 ZFCP_ERP_ACTION_FAILED
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Cc: <stable@vger.kernel.org> #2.6.38+
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/s390/scsi/zfcp_erp.c | 79 +++++++++++++++++++++++-------------
+ 1 file changed, 51 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
+index e695f95ac3c2..0ac35f8e4429 100644
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -142,6 +142,49 @@ static void zfcp_erp_action_dismiss_adapter(struct zfcp_adapter *adapter)
+ }
+ }
+
++static int zfcp_erp_handle_failed(int want, struct zfcp_adapter *adapter,
++ struct zfcp_port *port,
++ struct scsi_device *sdev)
++{
++ int need = want;
++ struct zfcp_scsi_dev *zsdev;
++
++ switch (want) {
++ case ZFCP_ERP_ACTION_REOPEN_LUN:
++ zsdev = sdev_to_zfcp(sdev);
++ if (atomic_read(&zsdev->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
++ need = 0;
++ break;
++ case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED:
++ if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
++ need = 0;
++ break;
++ case ZFCP_ERP_ACTION_REOPEN_PORT:
++ if (atomic_read(&port->status) &
++ ZFCP_STATUS_COMMON_ERP_FAILED) {
++ need = 0;
++ /* ensure propagation of failed status to new devices */
++ zfcp_erp_set_port_status(
++ port, ZFCP_STATUS_COMMON_ERP_FAILED);
++ }
++ break;
++ case ZFCP_ERP_ACTION_REOPEN_ADAPTER:
++ if (atomic_read(&adapter->status) &
++ ZFCP_STATUS_COMMON_ERP_FAILED) {
++ need = 0;
++ /* ensure propagation of failed status to new devices */
++ zfcp_erp_set_adapter_status(
++ adapter, ZFCP_STATUS_COMMON_ERP_FAILED);
++ }
++ break;
++ default:
++ need = 0;
++ break;
++ }
++
++ return need;
++}
++
+ static int zfcp_erp_required_act(int want, struct zfcp_adapter *adapter,
+ struct zfcp_port *port,
+ struct scsi_device *sdev)
+@@ -265,6 +308,12 @@ static int zfcp_erp_action_enqueue(int want, struct zfcp_adapter *adapter,
+ int retval = 1, need;
+ struct zfcp_erp_action *act;
+
++ need = zfcp_erp_handle_failed(want, adapter, port, sdev);
++ if (!need) {
++ need = ZFCP_ERP_ACTION_FAILED; /* marker for trace */
++ goto out;
++ }
++
+ if (!adapter->erp_thread)
+ return -EIO;
+
+@@ -313,12 +362,6 @@ static int _zfcp_erp_adapter_reopen(struct zfcp_adapter *adapter,
+ zfcp_erp_adapter_block(adapter, clear_mask);
+ zfcp_scsi_schedule_rports_block(adapter);
+
+- /* ensure propagation of failed status to new devices */
+- if (atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
+- zfcp_erp_set_adapter_status(adapter,
+- ZFCP_STATUS_COMMON_ERP_FAILED);
+- return -EIO;
+- }
+ return zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER,
+ adapter, NULL, NULL, id, 0);
+ }
+@@ -337,12 +380,8 @@ void zfcp_erp_adapter_reopen(struct zfcp_adapter *adapter, int clear, char *id)
+ zfcp_scsi_schedule_rports_block(adapter);
+
+ write_lock_irqsave(&adapter->erp_lock, flags);
+- if (atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
+- zfcp_erp_set_adapter_status(adapter,
+- ZFCP_STATUS_COMMON_ERP_FAILED);
+- else
+- zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter,
+- NULL, NULL, id, 0);
++ zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter,
++ NULL, NULL, id, 0);
+ write_unlock_irqrestore(&adapter->erp_lock, flags);
+ }
+
+@@ -383,13 +422,6 @@ static void _zfcp_erp_port_forced_reopen(struct zfcp_port *port, int clear,
+ zfcp_erp_port_block(port, clear);
+ zfcp_scsi_schedule_rport_block(port);
+
+- if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
+- zfcp_dbf_rec_trig(id, port->adapter, port, NULL,
+- ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
+- ZFCP_ERP_ACTION_FAILED);
+- return;
+- }
+-
+ zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
+ port->adapter, port, NULL, id, 0);
+ }
+@@ -415,12 +447,6 @@ static int _zfcp_erp_port_reopen(struct zfcp_port *port, int clear, char *id)
+ zfcp_erp_port_block(port, clear);
+ zfcp_scsi_schedule_rport_block(port);
+
+- if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
+- /* ensure propagation of failed status to new devices */
+- zfcp_erp_set_port_status(port, ZFCP_STATUS_COMMON_ERP_FAILED);
+- return -EIO;
+- }
+-
+ return zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT,
+ port->adapter, port, NULL, id, 0);
+ }
+@@ -460,9 +486,6 @@ static void _zfcp_erp_lun_reopen(struct scsi_device *sdev, int clear, char *id,
+
+ zfcp_erp_lun_block(sdev, clear);
+
+- if (atomic_read(&zfcp_sdev->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
+- return;
+-
+ zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_LUN, adapter,
+ zfcp_sdev->port, sdev, id, act_status);
+ }
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-070-scsi-zfcp-fix-missing-REC-trigger-trace-on-en.patch b/patches.kernel.org/4.4.139-070-scsi-zfcp-fix-missing-REC-trigger-trace-on-en.patch
new file mode 100644
index 0000000000..0d5438812e
--- /dev/null
+++ b/patches.kernel.org/4.4.139-070-scsi-zfcp-fix-missing-REC-trigger-trace-on-en.patch
@@ -0,0 +1,63 @@
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Thu, 17 May 2018 19:14:49 +0200
+Subject: [PATCH] scsi: zfcp: fix missing REC trigger trace on enqueue without
+ ERP thread
+Patch-mainline: 4.4.139
+References: LTC#168765 bnc#1012382 bnc#1099713
+Git-commit: 6a76550841d412330bd86aed3238d1888ba70f0e
+
+commit 6a76550841d412330bd86aed3238d1888ba70f0e upstream.
+
+Example trace record formatted with zfcpdbf from s390-tools:
+
+Timestamp : ...
+Area : REC
+Subarea : 00
+Level : 1
+Exception : -
+CPU ID : ..
+Caller : 0x...
+Record ID : 1 ZFCP_DBF_REC_TRIG
+Tag : .......
+LUN : 0x...
+WWPN : 0x...
+D_ID : 0x...
+Adapter status : 0x...
+Port status : 0x...
+LUN status : 0x...
+Ready count : 0x...
+Running count : 0x...
+ERP want : 0x0. ZFCP_ERP_ACTION_REOPEN_...
+ERP need : 0xc0 ZFCP_ERP_ACTION_NONE
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Cc: <stable@vger.kernel.org> #2.6.38+
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/s390/scsi/zfcp_erp.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
+index 0ac35f8e4429..2abcd331b05d 100644
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -314,8 +314,11 @@ static int zfcp_erp_action_enqueue(int want, struct zfcp_adapter *adapter,
+ goto out;
+ }
+
+- if (!adapter->erp_thread)
+- return -EIO;
++ if (!adapter->erp_thread) {
++ need = ZFCP_ERP_ACTION_NONE; /* marker for trace */
++ retval = -EIO;
++ goto out;
++ }
+
+ need = zfcp_erp_required_act(want, adapter, port, sdev);
+ if (!need)
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-071-linvdimm-pmem-Preserve-read-only-setting-for-.patch b/patches.kernel.org/4.4.139-071-linvdimm-pmem-Preserve-read-only-setting-for-.patch
new file mode 100644
index 0000000000..2711af79ec
--- /dev/null
+++ b/patches.kernel.org/4.4.139-071-linvdimm-pmem-Preserve-read-only-setting-for-.patch
@@ -0,0 +1,80 @@
+From: Robert Elliott <elliott@hpe.com>
+Date: Thu, 31 May 2018 18:36:36 -0500
+Subject: [PATCH] linvdimm, pmem: Preserve read-only setting for pmem devices
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 254a4cd50b9fe2291a12b8902e08e56dcc4e9b10
+
+commit 254a4cd50b9fe2291a12b8902e08e56dcc4e9b10 upstream.
+
+The pmem driver does not honor a forced read-only setting for very long:
+ $ blockdev --setro /dev/pmem0
+ $ blockdev --getro /dev/pmem0
+ 1
+
+followed by various commands like these:
+ $ blockdev --rereadpt /dev/pmem0
+ or
+ $ mkfs.ext4 /dev/pmem0
+
+results in this in the kernel serial log:
+ nd_pmem namespace0.0: region0 read-write, marking pmem0 read-write
+
+with the read-only setting lost:
+ $ blockdev --getro /dev/pmem0
+ 0
+
+That's from bus.c nvdimm_revalidate_disk(), which always applies the
+setting from nd_region (which is initially based on the ACPI NFIT
+NVDIMM state flags not_armed bit).
+
+In contrast, commit 20bd1d026aac ("scsi: sd: Keep disk read-only when
+re-reading partition") fixed this issue for SCSI devices to preserve
+the previous setting if it was set to read-only.
+
+This patch modifies bus.c to preserve any previous read-only setting.
+It also eliminates the kernel serial log print except for cases where
+read-write is changed to read-only, so it doesn't print read-only to
+read-only non-changes.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 581388209405 ("libnvdimm, nfit: handle unarmed dimms, mark namespaces read-only")
+Signed-off-by: Robert Elliott <elliott@hpe.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/nvdimm/bus.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/nvdimm/bus.c b/drivers/nvdimm/bus.c
+index 254b0ee37039..a71187c783b7 100644
+--- a/drivers/nvdimm/bus.c
++++ b/drivers/nvdimm/bus.c
+@@ -237,14 +237,18 @@ int nvdimm_revalidate_disk(struct gendisk *disk)
+ {
+ struct device *dev = disk->driverfs_dev;
+ struct nd_region *nd_region = to_nd_region(dev->parent);
+- const char *pol = nd_region->ro ? "only" : "write";
++ int disk_ro = get_disk_ro(disk);
+
+- if (nd_region->ro == get_disk_ro(disk))
++ /*
++ * Upgrade to read-only if the region is read-only preserve as
++ * read-only if the disk is already read-only.
++ */
++ if (disk_ro || nd_region->ro == disk_ro)
+ return 0;
+
+- dev_info(dev, "%s read-%s, marking %s read-%s\n",
+- dev_name(&nd_region->dev), pol, disk->disk_name, pol);
+- set_disk_ro(disk, nd_region->ro);
++ dev_info(dev, "%s read-only, marking %s read-only\n",
++ dev_name(&nd_region->dev), disk->disk_name);
++ set_disk_ro(disk, 1);
+
+ return 0;
+
+--
+2.18.0
+
diff --git a/patches.fixes/0003-md-fix-two-problems-with-setting-the-re-add-device-s.patch b/patches.kernel.org/4.4.139-072-md-fix-two-problems-with-setting-the-re-add-d.patch
index 5dbb4871b2..857951cc82 100644
--- a/patches.fixes/0003-md-fix-two-problems-with-setting-the-re-add-device-s.patch
+++ b/patches.kernel.org/4.4.139-072-md-fix-two-problems-with-setting-the-re-add-d.patch
@@ -1,9 +1,11 @@
From: NeilBrown <neilb@suse.com>
-Date: Thu, 26 Apr 2018 14:41:51 +1000
+Date: Thu, 26 Apr 2018 14:46:29 +1000
Subject: [PATCH] md: fix two problems with setting the "re-add" device state.
+Patch-mainline: 4.4.139
+References: bnc#1012382 bsc#1089023
Git-commit: 011abdc9df559ec75779bb7c53a744c69b2a94c6
-Patch-mainline: v4.18-rc1
-References: bsc#1089023
+
+commit 011abdc9df559ec75779bb7c53a744c69b2a94c6 upstream.
If "re-add" is written to the "state" file for a device
which is faulty, this has an effect similar to removing
@@ -32,15 +34,19 @@ more risk.
Cc: <stable@vger.kernel.org> (v4.1)
Fixes: 97f6cd39da22 ("md-cluster: re-add capabilities")
Signed-off-by: NeilBrown <neilb@suse.com>
-Acked-by: NeilBrown <neilb@suse.com>
-
+Reviewed-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
- drivers/md/md.c | 4 +++-
+ drivers/md/md.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 62c3328e2a1d..0663463df2f7 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
-@@ -2796,7 +2796,8 @@ state_store(struct md_rdev *rdev, const
+@@ -2690,7 +2690,8 @@ state_store(struct md_rdev *rdev, const char *buf, size_t len)
err = 0;
}
} else if (cmd_match(buf, "re-add")) {
@@ -50,7 +56,7 @@ Acked-by: NeilBrown <neilb@suse.com>
/* clear_bit is performed _after_ all the devices
* have their local Faulty bit cleared. If any writes
* happen in the meantime in the local node, they
-@@ -8501,6 +8502,7 @@ static int remove_and_add_spares(struct
+@@ -8153,6 +8154,7 @@ static int remove_and_add_spares(struct mddev *mddev,
if (mddev->pers->hot_remove_disk(
mddev, rdev) == 0) {
sysfs_unlink_rdev(mddev, rdev);
@@ -58,3 +64,6 @@ Acked-by: NeilBrown <neilb@suse.com>
rdev->raid_disk = -1;
removed++;
}
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-073-ubi-fastmap-Cancel-work-upon-detach.patch b/patches.kernel.org/4.4.139-073-ubi-fastmap-Cancel-work-upon-detach.patch
new file mode 100644
index 0000000000..29cc72a8ea
--- /dev/null
+++ b/patches.kernel.org/4.4.139-073-ubi-fastmap-Cancel-work-upon-detach.patch
@@ -0,0 +1,74 @@
+From: Richard Weinberger <richard@nod.at>
+Date: Wed, 16 May 2018 22:17:03 +0200
+Subject: [PATCH] ubi: fastmap: Cancel work upon detach
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 6e7d80161066c99d12580d1b985cb1408bb58cf1
+
+commit 6e7d80161066c99d12580d1b985cb1408bb58cf1 upstream.
+
+Ben Hutchings pointed out that 29b7a6fa1ec0 ("ubi: fastmap: Don't flush
+fastmap work on detach") does not really fix the problem, it just
+reduces the risk to hit the race window where fastmap work races against
+free()'ing ubi->volumes[].
+
+The correct approach is making sure that no more fastmap work is in
+progress before we free ubi data structures.
+So we cancel fastmap work right after the ubi background thread is
+stopped.
+By setting ubi->thread_enabled to zero we make sure that no further work
+tries to wake the thread.
+
+Fixes: 29b7a6fa1ec0 ("ubi: fastmap: Don't flush fastmap work on detach")
+Fixes: 74cdaf24004a ("UBI: Fastmap: Fix memory leaks while closing the WL sub-system")
+Cc: stable@vger.kernel.org
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Cc: Martin Townsend <mtownsend1973@gmail.com>
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/mtd/ubi/build.c | 3 +++
+ drivers/mtd/ubi/wl.c | 4 +---
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
+index a2e6c7848b0a..c9f5ae424af7 100644
+--- a/drivers/mtd/ubi/build.c
++++ b/drivers/mtd/ubi/build.c
+@@ -1132,6 +1132,9 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway)
+ */
+ get_device(&ubi->dev);
+
++#ifdef CONFIG_MTD_UBI_FASTMAP
++ cancel_work_sync(&ubi->fm_work);
++#endif
+ ubi_debugfs_exit_dev(ubi);
+ uif_close(ubi);
+
+diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c
+index 75286588b823..ca9746f41ff1 100644
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -1479,6 +1479,7 @@ int ubi_thread(void *u)
+ }
+
+ dbg_wl("background thread \"%s\" is killed", ubi->bgt_name);
++ ubi->thread_enabled = 0;
+ return 0;
+ }
+
+@@ -1488,9 +1489,6 @@ int ubi_thread(void *u)
+ */
+ static void shutdown_work(struct ubi_device *ubi)
+ {
+-#ifdef CONFIG_MTD_UBI_FASTMAP
+- flush_work(&ubi->fm_work);
+-#endif
+ while (!list_empty(&ubi->works)) {
+ struct ubi_work *wrk;
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-074-UBIFS-Fix-potential-integer-overflow-in-alloc.patch b/patches.kernel.org/4.4.139-074-UBIFS-Fix-potential-integer-overflow-in-alloc.patch
new file mode 100644
index 0000000000..c307708a10
--- /dev/null
+++ b/patches.kernel.org/4.4.139-074-UBIFS-Fix-potential-integer-overflow-in-alloc.patch
@@ -0,0 +1,40 @@
+From: Silvio Cesare <silvio.cesare@gmail.com>
+Date: Fri, 4 May 2018 13:44:02 +1000
+Subject: [PATCH] UBIFS: Fix potential integer overflow in allocation
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 353748a359f1821ee934afc579cf04572406b420
+
+commit 353748a359f1821ee934afc579cf04572406b420 upstream.
+
+There is potential for the size and len fields in ubifs_data_node to be
+too large causing either a negative value for the length fields or an
+integer overflow leading to an incorrect memory allocation. Likewise,
+when the len field is small, an integer underflow may occur.
+
+Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
+Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/ubifs/journal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ubifs/journal.c b/fs/ubifs/journal.c
+index 0b9da5b6e0f9..22dba8837a86 100644
+--- a/fs/ubifs/journal.c
++++ b/fs/ubifs/journal.c
+@@ -1107,7 +1107,7 @@ static int recomp_data_node(const struct ubifs_info *c,
+ int err, len, compr_type, out_len;
+
+ out_len = le32_to_cpu(dn->size);
+- buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS);
++ buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS);
+ if (!buf)
+ return -ENOMEM;
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-075-xfrm-Ignore-socket-policies-when-rebuilding-h.patch b/patches.kernel.org/4.4.139-075-xfrm-Ignore-socket-policies-when-rebuilding-h.patch
new file mode 100644
index 0000000000..c79a91aeb8
--- /dev/null
+++ b/patches.kernel.org/4.4.139-075-xfrm-Ignore-socket-policies-when-rebuilding-h.patch
@@ -0,0 +1,52 @@
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 29 Jul 2016 09:57:32 +0200
+Subject: [PATCH] xfrm: Ignore socket policies when rebuilding hash tables
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 6916fb3b10b3cbe3b1f9f5b680675f53e4e299eb
+
+commit 6916fb3b10b3cbe3b1f9f5b680675f53e4e299eb upstream.
+
+Whenever thresholds are changed the hash tables are rebuilt. This is
+done by enumerating all policies and hashing and inserting them into
+the right table according to the thresholds and direction.
+
+Because socket policies are also contained in net->xfrm.policy_all but
+no hash tables are defined for their direction (dir + XFRM_POLICY_MAX)
+this causes a NULL or invalid pointer dereference after returning from
+policy_hash_bysel() if the rebuild is done while any socket policies
+are installed.
+
+Since the rebuild after changing thresholds is scheduled this crash
+could even occur if the userland sets thresholds seemingly before
+installing any socket policies.
+
+Fixes: 53c2e285f970 ("xfrm: Do not hash socket policies")
+Signed-off-by: Tobias Brunner <tobias@strongswan.org>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Zubin Mithra <zsm@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/xfrm/xfrm_policy.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index d95cb69460f0..3c16aee93dfe 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -626,6 +626,10 @@ static void xfrm_hash_rebuild(struct work_struct *work)
+
+ /* re-insert all policies by order of creation */
+ list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
++ if (xfrm_policy_id2dir(policy->index) >= XFRM_POLICY_MAX) {
++ /* skip socket policies */
++ continue;
++ }
+ newpos = NULL;
+ chain = policy_hash_bysel(net, &policy->selector,
+ policy->family,
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-076-xfrm-skip-policies-marked-as-dead-while-rehas.patch b/patches.kernel.org/4.4.139-076-xfrm-skip-policies-marked-as-dead-while-rehas.patch
new file mode 100644
index 0000000000..672ea09a06
--- /dev/null
+++ b/patches.kernel.org/4.4.139-076-xfrm-skip-policies-marked-as-dead-while-rehas.patch
@@ -0,0 +1,70 @@
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 27 Dec 2017 23:25:45 +0100
+Subject: [PATCH] xfrm: skip policies marked as dead while rehashing
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 862591bf4f519d1b8d859af720fafeaebdd0162a
+
+commit 862591bf4f519d1b8d859af720fafeaebdd0162a upstream.
+
+syzkaller triggered following KASAN splat:
+
+BUG: KASAN: slab-out-of-bounds in xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:618
+read of size 2 at addr ffff8801c8e92fe4 by task kworker/1:1/23 [..]
+Workqueue: events xfrm_hash_rebuild [..]
+ __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
+ xfrm_hash_rebuild+0xdbe/0xf00 net/xfrm/xfrm_policy.c:618
+ process_one_work+0xbbf/0x1b10 kernel/workqueue.c:2112
+ worker_thread+0x223/0x1990 kernel/workqueue.c:2246 [..]
+
+The reproducer triggers:
+1016 if (error) {
+1017 list_move_tail(&walk->walk.all, &x->all);
+1018 goto out;
+1019 }
+
+in xfrm_policy_walk() via pfkey (it sets tiny rcv space, dump
+callback returns -ENOBUFS).
+
+In this case, *walk is located the pfkey socket struct, so this socket
+becomes visible in the global policy list.
+
+It looks like this is intentional -- phony walker has walk.dead set to 1
+and all other places skip such "policies".
+
+Ccing original authors of the two commits that seem to expose this
+issue (first patch missed ->dead check, second patch adds pfkey
+sockets to policies dumper list).
+
+Fixes: 880a6fab8f6ba5b ("xfrm: configure policy hash table thresholds by netlink")
+Fixes: 12a169e7d8f4b1c ("ipsec: Put dumpers on the dump list")
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: Timo Teras <timo.teras@iki.fi>
+Cc: Christophe Gouault <christophe.gouault@6wind.com>
+Reported-by: syzbot <bot+c028095236fcb6f4348811565b75084c754dc729@syzkaller.appspotmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Zubin Mithra <zsm@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/xfrm/xfrm_policy.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 3c16aee93dfe..f9a13b67df5e 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -626,7 +626,8 @@ static void xfrm_hash_rebuild(struct work_struct *work)
+
+ /* re-insert all policies by order of creation */
+ list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
+- if (xfrm_policy_id2dir(policy->index) >= XFRM_POLICY_MAX) {
++ if (policy->walk.dead ||
++ xfrm_policy_id2dir(policy->index) >= XFRM_POLICY_MAX) {
+ /* skip socket policies */
+ continue;
+ }
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-077-backlight-as3711_bl-Fix-Device-Tree-node-look.patch b/patches.kernel.org/4.4.139-077-backlight-as3711_bl-Fix-Device-Tree-node-look.patch
new file mode 100644
index 0000000000..41380767a5
--- /dev/null
+++ b/patches.kernel.org/4.4.139-077-backlight-as3711_bl-Fix-Device-Tree-node-look.patch
@@ -0,0 +1,113 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 20 Nov 2017 11:45:44 +0100
+Subject: [PATCH] backlight: as3711_bl: Fix Device Tree node lookup
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 4a9c8bb2aca5b5a2a15744333729745dd9903562
+
+commit 4a9c8bb2aca5b5a2a15744333729745dd9903562 upstream.
+
+Fix child-node lookup during probe, which ended up searching the whole
+device tree depth-first starting at the parent rather than just matching
+on its children.
+
+To make things worse, the parent mfd node was also prematurely freed.
+
+Cc: stable <stable@vger.kernel.org> # 3.10
+Fixes: 59eb2b5e57ea ("drivers/video/backlight/as3711_bl.c: add OF support")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/video/backlight/as3711_bl.c | 33 ++++++++++++++++++++---------
+ 1 file changed, 23 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/video/backlight/as3711_bl.c b/drivers/video/backlight/as3711_bl.c
+index 734a9158946b..e55304d5cf07 100644
+--- a/drivers/video/backlight/as3711_bl.c
++++ b/drivers/video/backlight/as3711_bl.c
+@@ -262,10 +262,10 @@ static int as3711_bl_register(struct platform_device *pdev,
+ static int as3711_backlight_parse_dt(struct device *dev)
+ {
+ struct as3711_bl_pdata *pdata = dev_get_platdata(dev);
+- struct device_node *bl =
+- of_find_node_by_name(dev->parent->of_node, "backlight"), *fb;
++ struct device_node *bl, *fb;
+ int ret;
+
++ bl = of_get_child_by_name(dev->parent->of_node, "backlight");
+ if (!bl) {
+ dev_dbg(dev, "backlight node not found\n");
+ return -ENODEV;
+@@ -279,7 +279,7 @@ static int as3711_backlight_parse_dt(struct device *dev)
+ if (pdata->su1_max_uA <= 0)
+ ret = -EINVAL;
+ if (ret < 0)
+- return ret;
++ goto err_put_bl;
+ }
+
+ fb = of_parse_phandle(bl, "su2-dev", 0);
+@@ -292,7 +292,7 @@ static int as3711_backlight_parse_dt(struct device *dev)
+ if (pdata->su2_max_uA <= 0)
+ ret = -EINVAL;
+ if (ret < 0)
+- return ret;
++ goto err_put_bl;
+
+ if (of_find_property(bl, "su2-feedback-voltage", NULL)) {
+ pdata->su2_feedback = AS3711_SU2_VOLTAGE;
+@@ -314,8 +314,10 @@ static int as3711_backlight_parse_dt(struct device *dev)
+ pdata->su2_feedback = AS3711_SU2_CURR_AUTO;
+ count++;
+ }
+- if (count != 1)
+- return -EINVAL;
++ if (count != 1) {
++ ret = -EINVAL;
++ goto err_put_bl;
++ }
+
+ count = 0;
+ if (of_find_property(bl, "su2-fbprot-lx-sd4", NULL)) {
+@@ -334,8 +336,10 @@ static int as3711_backlight_parse_dt(struct device *dev)
+ pdata->su2_fbprot = AS3711_SU2_GPIO4;
+ count++;
+ }
+- if (count != 1)
+- return -EINVAL;
++ if (count != 1) {
++ ret = -EINVAL;
++ goto err_put_bl;
++ }
+
+ count = 0;
+ if (of_find_property(bl, "su2-auto-curr1", NULL)) {
+@@ -355,11 +359,20 @@ static int as3711_backlight_parse_dt(struct device *dev)
+ * At least one su2-auto-curr* must be specified iff
+ * AS3711_SU2_CURR_AUTO is used
+ */
+- if (!count ^ (pdata->su2_feedback != AS3711_SU2_CURR_AUTO))
+- return -EINVAL;
++ if (!count ^ (pdata->su2_feedback != AS3711_SU2_CURR_AUTO)) {
++ ret = -EINVAL;
++ goto err_put_bl;
++ }
+ }
+
++ of_node_put(bl);
++
+ return 0;
++
++err_put_bl:
++ of_node_put(bl);
++
++ return ret;
+ }
+
+ static int as3711_backlight_probe(struct platform_device *pdev)
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-078-backlight-max8925_bl-Fix-Device-Tree-node-loo.patch b/patches.kernel.org/4.4.139-078-backlight-max8925_bl-Fix-Device-Tree-node-loo.patch
new file mode 100644
index 0000000000..a06c0a872e
--- /dev/null
+++ b/patches.kernel.org/4.4.139-078-backlight-max8925_bl-Fix-Device-Tree-node-loo.patch
@@ -0,0 +1,52 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 20 Nov 2017 11:45:45 +0100
+Subject: [PATCH] backlight: max8925_bl: Fix Device Tree node lookup
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: d1cc0ec3da23e44c23712579515494b374f111c9
+
+commit d1cc0ec3da23e44c23712579515494b374f111c9 upstream.
+
+Fix child-node lookup during probe, which ended up searching the whole
+device tree depth-first starting at the parent rather than just matching
+on its children.
+
+To make things worse, the parent mfd node was also prematurely freed,
+while the child backlight node was leaked.
+
+Cc: stable <stable@vger.kernel.org> # 3.9
+Fixes: 47ec340cb8e2 ("mfd: max8925: Support dt for backlight")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/video/backlight/max8925_bl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/backlight/max8925_bl.c b/drivers/video/backlight/max8925_bl.c
+index 7b738d60ecc2..f3aa6088f1d9 100644
+--- a/drivers/video/backlight/max8925_bl.c
++++ b/drivers/video/backlight/max8925_bl.c
+@@ -116,7 +116,7 @@ static void max8925_backlight_dt_init(struct platform_device *pdev)
+ if (!pdata)
+ return;
+
+- np = of_find_node_by_name(nproot, "backlight");
++ np = of_get_child_by_name(nproot, "backlight");
+ if (!np) {
+ dev_err(&pdev->dev, "failed to find backlight node\n");
+ return;
+@@ -125,6 +125,8 @@ static void max8925_backlight_dt_init(struct platform_device *pdev)
+ if (!of_property_read_u32(np, "maxim,max8925-dual-string", &val))
+ pdata->dual_string = val;
+
++ of_node_put(np);
++
+ pdev->dev.platform_data = pdata;
+ }
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-079-backlight-tps65217_bl-Fix-Device-Tree-node-lo.patch b/patches.kernel.org/4.4.139-079-backlight-tps65217_bl-Fix-Device-Tree-node-lo.patch
new file mode 100644
index 0000000000..0ddc4249a4
--- /dev/null
+++ b/patches.kernel.org/4.4.139-079-backlight-tps65217_bl-Fix-Device-Tree-node-lo.patch
@@ -0,0 +1,48 @@
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 20 Nov 2017 11:45:46 +0100
+Subject: [PATCH] backlight: tps65217_bl: Fix Device Tree node lookup
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 2b12dfa124dbadf391cb9a616aaa6b056823bf75
+
+commit 2b12dfa124dbadf391cb9a616aaa6b056823bf75 upstream.
+
+Fix child-node lookup during probe, which ended up searching the whole
+device tree depth-first starting at the parent rather than just matching
+on its children.
+
+This would only cause trouble if the child node is missing while there
+is an unrelated node named "backlight" elsewhere in the tree.
+
+Cc: stable <stable@vger.kernel.org> # 3.7
+Fixes: eebfdc17cc6c ("backlight: Add TPS65217 WLED driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/video/backlight/tps65217_bl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/backlight/tps65217_bl.c b/drivers/video/backlight/tps65217_bl.c
+index 61d72bffd402..dc920e2aa094 100644
+--- a/drivers/video/backlight/tps65217_bl.c
++++ b/drivers/video/backlight/tps65217_bl.c
+@@ -184,11 +184,11 @@ static struct tps65217_bl_pdata *
+ tps65217_bl_parse_dt(struct platform_device *pdev)
+ {
+ struct tps65217 *tps = dev_get_drvdata(pdev->dev.parent);
+- struct device_node *node = of_node_get(tps->dev->of_node);
++ struct device_node *node;
+ struct tps65217_bl_pdata *pdata, *err;
+ u32 val;
+
+- node = of_find_node_by_name(node, "backlight");
++ node = of_get_child_by_name(tps->dev->of_node, "backlight");
+ if (!node)
+ return ERR_PTR(-ENODEV);
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-080-mfd-intel-lpss-Program-REMAP-register-in-PIO-.patch b/patches.kernel.org/4.4.139-080-mfd-intel-lpss-Program-REMAP-register-in-PIO-.patch
new file mode 100644
index 0000000000..6a1dcb8833
--- /dev/null
+++ b/patches.kernel.org/4.4.139-080-mfd-intel-lpss-Program-REMAP-register-in-PIO-.patch
@@ -0,0 +1,46 @@
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Tue, 24 Apr 2018 18:00:10 +0300
+Subject: [PATCH] mfd: intel-lpss: Program REMAP register in PIO mode
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: d28b62520830b2d0bffa2d98e81afc9f5e537e8b
+
+commit d28b62520830b2d0bffa2d98e81afc9f5e537e8b upstream.
+
+According to documentation REMAP register has to be programmed in
+either DMA or PIO mode of the slice.
+
+Move the DMA capability check below to let REMAP register be programmed
+in PIO mode.
+
+Cc: stable@vger.kernel.org # 4.3+
+Fixes: 4b45efe85263 ("mfd: Add support for Intel Sunrisepoint LPSS devices")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/mfd/intel-lpss.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mfd/intel-lpss.c b/drivers/mfd/intel-lpss.c
+index fe89e5e337d5..ac867489b5a9 100644
+--- a/drivers/mfd/intel-lpss.c
++++ b/drivers/mfd/intel-lpss.c
+@@ -269,11 +269,11 @@ static void intel_lpss_init_dev(const struct intel_lpss *lpss)
+
+ intel_lpss_deassert_reset(lpss);
+
++ intel_lpss_set_remap_addr(lpss);
++
+ if (!intel_lpss_has_idma(lpss))
+ return;
+
+- intel_lpss_set_remap_addr(lpss);
+-
+ /* Make sure that SPI multiblock DMA transfers are re-enabled */
+ if (lpss->type == LPSS_DEV_SPI)
+ writel(value, lpss->priv + LPSS_PRIV_SSP_REG);
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-081-perf-tools-Fix-symbol-and-object-code-resolut.patch b/patches.kernel.org/4.4.139-081-perf-tools-Fix-symbol-and-object-code-resolut.patch
new file mode 100644
index 0000000000..074db8b886
--- /dev/null
+++ b/patches.kernel.org/4.4.139-081-perf-tools-Fix-symbol-and-object-code-resolut.patch
@@ -0,0 +1,42 @@
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Mon, 4 Jun 2018 15:56:54 +0300
+Subject: [PATCH] perf tools: Fix symbol and object code resolution for vdso32
+ and vdsox32
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: aef4feace285f27c8ed35830a5d575bec7f3e90a
+
+commit aef4feace285f27c8ed35830a5d575bec7f3e90a upstream.
+
+Fix __kmod_path__parse() so that perf tools does not treat vdso32 and
+vdsox32 as kernel modules and fail to find the object.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Wang Nan <wangnan0@huawei.com>
+Cc: stable@vger.kernel.org
+Fixes: 1f121b03d058 ("perf tools: Deal with kernel module names in '[]' correctly")
+Link: http://lkml.kernel.org/r/1528117014-30032-3-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/perf/util/dso.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/util/dso.c b/tools/perf/util/dso.c
+index 425df5c86c9c..425597186677 100644
+--- a/tools/perf/util/dso.c
++++ b/tools/perf/util/dso.c
+@@ -249,6 +249,8 @@ int __kmod_path__parse(struct kmod_path *m, const char *path,
+ if ((strncmp(name, "[kernel.kallsyms]", 17) == 0) ||
+ (strncmp(name, "[guest.kernel.kallsyms", 22) == 0) ||
+ (strncmp(name, "[vdso]", 6) == 0) ||
++ (strncmp(name, "[vdso32]", 8) == 0) ||
++ (strncmp(name, "[vdsox32]", 9) == 0) ||
+ (strncmp(name, "[vsyscall]", 10) == 0)) {
+ m->kmod = false;
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-082-perf-intel-pt-Fix-sync_switch-INTEL_PT_SS_NOT.patch b/patches.kernel.org/4.4.139-082-perf-intel-pt-Fix-sync_switch-INTEL_PT_SS_NOT.patch
new file mode 100644
index 0000000000..9a3862703c
--- /dev/null
+++ b/patches.kernel.org/4.4.139-082-perf-intel-pt-Fix-sync_switch-INTEL_PT_SS_NOT.patch
@@ -0,0 +1,41 @@
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Thu, 31 May 2018 13:23:42 +0300
+Subject: [PATCH] perf intel-pt: Fix sync_switch INTEL_PT_SS_NOT_TRACING
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: dbcb82b93f3e8322891e47472c89e63058b81e99
+
+commit dbcb82b93f3e8322891e47472c89e63058b81e99 upstream.
+
+sync_switch is a facility to synchronize decoding more closely with the
+point in the kernel when the context actually switched.
+
+In one case, INTEL_PT_SS_NOT_TRACING state was not correctly
+transitioning to INTEL_PT_SS_TRACING state due to a missing case clause.
+Add it.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/1527762225-26024-2-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/perf/util/intel-pt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
+index 3693cb26ec66..523989165c26 100644
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -1246,6 +1246,7 @@ static int intel_pt_sample(struct intel_pt_queue *ptq)
+
+ if (intel_pt_is_switch_ip(ptq, state->to_ip)) {
+ switch (ptq->switch_state) {
++ case INTEL_PT_SS_NOT_TRACING:
+ case INTEL_PT_SS_UNKNOWN:
+ case INTEL_PT_SS_EXPECTING_SWITCH_IP:
+ err = intel_pt_next_tid(pt, ptq);
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-083-perf-intel-pt-Fix-decoding-to-accept-CBR-betw.patch b/patches.kernel.org/4.4.139-083-perf-intel-pt-Fix-decoding-to-accept-CBR-betw.patch
new file mode 100644
index 0000000000..59e9349658
--- /dev/null
+++ b/patches.kernel.org/4.4.139-083-perf-intel-pt-Fix-decoding-to-accept-CBR-betw.patch
@@ -0,0 +1,49 @@
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Thu, 31 May 2018 13:23:43 +0300
+Subject: [PATCH] perf intel-pt: Fix decoding to accept CBR between FUP and
+ corresponding TIP
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: bd2e49ec48feb1855f7624198849eea4610e2286
+
+commit bd2e49ec48feb1855f7624198849eea4610e2286 upstream.
+
+It is possible to have a CBR packet between a FUP packet and
+corresponding TIP packet. Stop treating it as an error.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/1527762225-26024-3-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+index 0b540b84f8b7..c0596a11f20b 100644
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -1487,7 +1487,6 @@ static int intel_pt_walk_fup_tip(struct intel_pt_decoder *decoder)
+ case INTEL_PT_PSB:
+ case INTEL_PT_TSC:
+ case INTEL_PT_TMA:
+- case INTEL_PT_CBR:
+ case INTEL_PT_MODE_TSX:
+ case INTEL_PT_BAD:
+ case INTEL_PT_PSBEND:
+@@ -1496,6 +1495,10 @@ static int intel_pt_walk_fup_tip(struct intel_pt_decoder *decoder)
+ decoder->pkt_step = 0;
+ return -ENOENT;
+
++ case INTEL_PT_CBR:
++ intel_pt_calc_cbr(decoder);
++ break;
++
+ case INTEL_PT_OVF:
+ return intel_pt_overflow(decoder);
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-084-perf-intel-pt-Fix-MTC-timing-after-overflow.patch b/patches.kernel.org/4.4.139-084-perf-intel-pt-Fix-MTC-timing-after-overflow.patch
new file mode 100644
index 0000000000..58948b3068
--- /dev/null
+++ b/patches.kernel.org/4.4.139-084-perf-intel-pt-Fix-MTC-timing-after-overflow.patch
@@ -0,0 +1,39 @@
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Thu, 31 May 2018 13:23:44 +0300
+Subject: [PATCH] perf intel-pt: Fix MTC timing after overflow
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: dd27b87ab5fcf3ea1c060b5e3ab5d31cc78e9f4c
+
+commit dd27b87ab5fcf3ea1c060b5e3ab5d31cc78e9f4c upstream.
+
+On some platforms, overflows will clear before MTC wraparound, and there
+is no following TSC/TMA packet. In that case the previous TMA is valid.
+Since there will be a valid TMA either way, stop setting 'have_tma' to
+false upon overflow.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/1527762225-26024-4-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+index c0596a11f20b..492d13637be0 100644
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -1268,7 +1268,6 @@ static int intel_pt_overflow(struct intel_pt_decoder *decoder)
+ {
+ intel_pt_log("ERROR: Buffer overflow\n");
+ intel_pt_clear_tx_flags(decoder);
+- decoder->have_tma = false;
+ decoder->cbr = 0;
+ decoder->timestamp_insn_cnt = 0;
+ decoder->pkt_state = INTEL_PT_STATE_ERR_RESYNC;
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-085-perf-intel-pt-Fix-Unexpected-indirect-branch-.patch b/patches.kernel.org/4.4.139-085-perf-intel-pt-Fix-Unexpected-indirect-branch-.patch
new file mode 100644
index 0000000000..223094c9c2
--- /dev/null
+++ b/patches.kernel.org/4.4.139-085-perf-intel-pt-Fix-Unexpected-indirect-branch-.patch
@@ -0,0 +1,134 @@
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Thu, 31 May 2018 13:23:45 +0300
+Subject: [PATCH] perf intel-pt: Fix "Unexpected indirect branch" error
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 9fb523363f6e3984457fee95bb7019395384ffa7
+
+commit 9fb523363f6e3984457fee95bb7019395384ffa7 upstream.
+
+Some Atom CPUs can produce FUP packets that contain NLIP (next linear
+instruction pointer) instead of CLIP (current linear instruction
+pointer). That will result in "Unexpected indirect branch" errors. Fix
+by comparing IP to NLIP in that case.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/1527762225-26024-5-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ .../util/intel-pt-decoder/intel-pt-decoder.c | 17 +++++++++++++++--
+ .../util/intel-pt-decoder/intel-pt-decoder.h | 9 +++++++++
+ tools/perf/util/intel-pt.c | 4 ++++
+ 3 files changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+index 492d13637be0..dc17c881275d 100644
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -111,6 +111,7 @@ struct intel_pt_decoder {
+ bool have_cyc;
+ bool fixup_last_mtc;
+ bool have_last_ip;
++ enum intel_pt_param_flags flags;
+ uint64_t pos;
+ uint64_t last_ip;
+ uint64_t ip;
+@@ -213,6 +214,8 @@ struct intel_pt_decoder *intel_pt_decoder_new(struct intel_pt_params *params)
+ decoder->data = params->data;
+ decoder->return_compression = params->return_compression;
+
++ decoder->flags = params->flags;
++
+ decoder->period = params->period;
+ decoder->period_type = params->period_type;
+
+@@ -1010,6 +1013,15 @@ static int intel_pt_walk_insn(struct intel_pt_decoder *decoder,
+ return err;
+ }
+
++static inline bool intel_pt_fup_with_nlip(struct intel_pt_decoder *decoder,
++ struct intel_pt_insn *intel_pt_insn,
++ uint64_t ip, int err)
++{
++ return decoder->flags & INTEL_PT_FUP_WITH_NLIP && !err &&
++ intel_pt_insn->branch == INTEL_PT_BR_INDIRECT &&
++ ip == decoder->ip + intel_pt_insn->length;
++}
++
+ static int intel_pt_walk_fup(struct intel_pt_decoder *decoder)
+ {
+ struct intel_pt_insn intel_pt_insn;
+@@ -1022,7 +1034,8 @@ static int intel_pt_walk_fup(struct intel_pt_decoder *decoder)
+ err = intel_pt_walk_insn(decoder, &intel_pt_insn, ip);
+ if (err == INTEL_PT_RETURN)
+ return 0;
+- if (err == -EAGAIN) {
++ if (err == -EAGAIN ||
++ intel_pt_fup_with_nlip(decoder, &intel_pt_insn, ip, err)) {
+ if (decoder->set_fup_tx_flags) {
+ decoder->set_fup_tx_flags = false;
+ decoder->tx_flags = decoder->fup_tx_flags;
+@@ -1032,7 +1045,7 @@ static int intel_pt_walk_fup(struct intel_pt_decoder *decoder)
+ decoder->state.flags = decoder->fup_tx_flags;
+ return 0;
+ }
+- return err;
++ return -EAGAIN;
+ }
+ decoder->set_fup_tx_flags = false;
+ if (err)
+diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h
+index 89a3eda6a318..e420bd3be159 100644
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h
+@@ -53,6 +53,14 @@ enum {
+ INTEL_PT_ERR_MAX,
+ };
+
++enum intel_pt_param_flags {
++ /*
++ * FUP packet can contain next linear instruction pointer instead of
++ * current linear instruction pointer.
++ */
++ INTEL_PT_FUP_WITH_NLIP = 1 << 0,
++};
++
+ struct intel_pt_state {
+ enum intel_pt_sample_type type;
+ int err;
+@@ -91,6 +99,7 @@ struct intel_pt_params {
+ unsigned int mtc_period;
+ uint32_t tsc_ctc_ratio_n;
+ uint32_t tsc_ctc_ratio_d;
++ enum intel_pt_param_flags flags;
+ };
+
+ struct intel_pt_decoder;
+diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
+index 523989165c26..c8f2d084a8ce 100644
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -676,6 +676,7 @@ static struct intel_pt_queue *intel_pt_alloc_queue(struct intel_pt *pt,
+ unsigned int queue_nr)
+ {
+ struct intel_pt_params params = { .get_trace = 0, };
++ struct perf_env *env = pt->machine->env;
+ struct intel_pt_queue *ptq;
+
+ ptq = zalloc(sizeof(struct intel_pt_queue));
+@@ -753,6 +754,9 @@ static struct intel_pt_queue *intel_pt_alloc_queue(struct intel_pt *pt,
+ }
+ }
+
++ if (env->cpuid && !strncmp(env->cpuid, "GenuineIntel,6,92,", 18))
++ params.flags |= INTEL_PT_FUP_WITH_NLIP;
++
+ ptq->decoder = intel_pt_decoder_new(&params);
+ if (!ptq->decoder)
+ goto out_free;
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-086-perf-intel-pt-Fix-packet-decoding-of-CYC-pack.patch b/patches.kernel.org/4.4.139-086-perf-intel-pt-Fix-packet-decoding-of-CYC-pack.patch
new file mode 100644
index 0000000000..1d6e48c7d8
--- /dev/null
+++ b/patches.kernel.org/4.4.139-086-perf-intel-pt-Fix-packet-decoding-of-CYC-pack.patch
@@ -0,0 +1,38 @@
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Thu, 7 Jun 2018 14:30:02 +0300
+Subject: [PATCH] perf intel-pt: Fix packet decoding of CYC packets
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 621a5a327c1e36ffd7bb567f44a559f64f76358f
+
+commit 621a5a327c1e36ffd7bb567f44a559f64f76358f upstream.
+
+Use a 64-bit type so that the cycle count is not limited to 32-bits.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/1528371002-8862-1-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c
+index 7528ae4f7e28..e5c6caf913f3 100644
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c
+@@ -281,7 +281,7 @@ static int intel_pt_get_cyc(unsigned int byte, const unsigned char *buf,
+ if (len < offs)
+ return INTEL_PT_NEED_MORE_BYTES;
+ byte = buf[offs++];
+- payload |= (byte >> 1) << shift;
++ payload |= ((uint64_t)byte >> 1) << shift;
+ }
+
+ packet->type = INTEL_PT_CYC;
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-087-media-v4l2-compat-ioctl32-prevent-go-past-max.patch b/patches.kernel.org/4.4.139-087-media-v4l2-compat-ioctl32-prevent-go-past-max.patch
new file mode 100644
index 0000000000..6a973d57b8
--- /dev/null
+++ b/patches.kernel.org/4.4.139-087-media-v4l2-compat-ioctl32-prevent-go-past-max.patch
@@ -0,0 +1,38 @@
+From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Date: Wed, 11 Apr 2018 11:47:32 -0400
+Subject: [PATCH] media: v4l2-compat-ioctl32: prevent go past max size
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: ea72fbf588ac9c017224dcdaa2019ff52ca56fee
+
+commit ea72fbf588ac9c017224dcdaa2019ff52ca56fee upstream.
+
+As warned by smatch:
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c:879 put_v4l2_ext_controls32() warn: check for integer overflow 'count'
+
+The access_ok() logic should check for too big arrays too.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+index e0ae2f34623a..9292e35aef06 100644
+--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+@@ -864,7 +864,7 @@ static int put_v4l2_ext_controls32(struct file *file,
+ get_user(kcontrols, &kp->controls))
+ return -EFAULT;
+
+- if (!count)
++ if (!count || count > (U32_MAX/sizeof(*ucontrols)))
+ return 0;
+ if (get_user(p, &up->controls))
+ return -EFAULT;
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-088-media-cx231xx-Add-support-for-AverMedia-DVD-E.patch b/patches.kernel.org/4.4.139-088-media-cx231xx-Add-support-for-AverMedia-DVD-E.patch
new file mode 100644
index 0000000000..dab3a11d6c
--- /dev/null
+++ b/patches.kernel.org/4.4.139-088-media-cx231xx-Add-support-for-AverMedia-DVD-E.patch
@@ -0,0 +1,41 @@
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Mon, 26 Mar 2018 02:06:16 -0400
+Subject: [PATCH] media: cx231xx: Add support for AverMedia DVD EZMaker 7
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 29e61d6ef061b012d320327af7dbb3990e75be45
+
+commit 29e61d6ef061b012d320327af7dbb3990e75be45 upstream.
+
+User reports AverMedia DVD EZMaker 7 can be driven by VIDEO_GRABBER.
+Add the device to the id_table to make it work.
+
+BugLink: https://bugs.launchpad.net/bugs/1620762
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Hans Verkuil <hansverk@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/media/usb/cx231xx/cx231xx-cards.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/usb/cx231xx/cx231xx-cards.c b/drivers/media/usb/cx231xx/cx231xx-cards.c
+index 04ae21278440..77f54e4198d3 100644
+--- a/drivers/media/usb/cx231xx/cx231xx-cards.c
++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
+@@ -864,6 +864,9 @@ struct usb_device_id cx231xx_id_table[] = {
+ .driver_info = CX231XX_BOARD_CNXT_RDE_250},
+ {USB_DEVICE(0x0572, 0x58A0),
+ .driver_info = CX231XX_BOARD_CNXT_RDU_250},
++ /* AverMedia DVD EZMaker 7 */
++ {USB_DEVICE(0x07ca, 0xc039),
++ .driver_info = CX231XX_BOARD_CNXT_VIDEO_GRABBER},
+ {USB_DEVICE(0x2040, 0xb110),
+ .driver_info = CX231XX_BOARD_HAUPPAUGE_USB2_FM_PAL},
+ {USB_DEVICE(0x2040, 0xb111),
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-089-media-dvb_frontend-fix-locking-issues-at-dvb_.patch b/patches.kernel.org/4.4.139-089-media-dvb_frontend-fix-locking-issues-at-dvb_.patch
new file mode 100644
index 0000000000..5bbc82c6e8
--- /dev/null
+++ b/patches.kernel.org/4.4.139-089-media-dvb_frontend-fix-locking-issues-at-dvb_.patch
@@ -0,0 +1,79 @@
+From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Date: Thu, 5 Apr 2018 05:30:52 -0400
+Subject: [PATCH] media: dvb_frontend: fix locking issues at
+ dvb_frontend_get_event()
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 76d81243a487c09619822ef8e7201a756e58a87d
+
+commit 76d81243a487c09619822ef8e7201a756e58a87d upstream.
+
+As warned by smatch:
+ drivers/media/dvb-core/dvb_frontend.c:314 dvb_frontend_get_event() warn: inconsistent returns 'sem:&fepriv->sem'.
+ Locked on: line 288
+ line 295
+ line 306
+ line 314
+ Unlocked on: line 303
+
+The lock implementation for get event is wrong, as, if an
+interrupt occurs, down_interruptible() will fail, and the
+routine will call up() twice when userspace calls the ioctl
+again.
+
+The bad code is there since when Linux migrated to git, in
+2005.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/media/dvb-core/dvb_frontend.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
+index e2a3833170e3..2c835e69c4df 100644
+--- a/drivers/media/dvb-core/dvb_frontend.c
++++ b/drivers/media/dvb-core/dvb_frontend.c
+@@ -230,8 +230,20 @@ static void dvb_frontend_add_event(struct dvb_frontend *fe,
+ wake_up_interruptible (&events->wait_queue);
+ }
+
++static int dvb_frontend_test_event(struct dvb_frontend_private *fepriv,
++ struct dvb_fe_events *events)
++{
++ int ret;
++
++ up(&fepriv->sem);
++ ret = events->eventw != events->eventr;
++ down(&fepriv->sem);
++
++ return ret;
++}
++
+ static int dvb_frontend_get_event(struct dvb_frontend *fe,
+- struct dvb_frontend_event *event, int flags)
++ struct dvb_frontend_event *event, int flags)
+ {
+ struct dvb_frontend_private *fepriv = fe->frontend_priv;
+ struct dvb_fe_events *events = &fepriv->events;
+@@ -249,13 +261,8 @@ static int dvb_frontend_get_event(struct dvb_frontend *fe,
+ if (flags & O_NONBLOCK)
+ return -EWOULDBLOCK;
+
+- up(&fepriv->sem);
+-
+- ret = wait_event_interruptible (events->wait_queue,
+- events->eventw != events->eventr);
+-
+- if (down_interruptible (&fepriv->sem))
+- return -ERESTARTSYS;
++ ret = wait_event_interruptible(events->wait_queue,
++ dvb_frontend_test_event(fepriv, events));
+
+ if (ret < 0)
+ return ret;
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-090-nfsd-restrict-rd_maxcount-to-svc_max_payload-.patch b/patches.kernel.org/4.4.139-090-nfsd-restrict-rd_maxcount-to-svc_max_payload-.patch
new file mode 100644
index 0000000000..cda9b5a943
--- /dev/null
+++ b/patches.kernel.org/4.4.139-090-nfsd-restrict-rd_maxcount-to-svc_max_payload-.patch
@@ -0,0 +1,53 @@
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Mon, 7 May 2018 09:01:08 -0400
+Subject: [PATCH] nfsd: restrict rd_maxcount to svc_max_payload in
+ nfsd_encode_readdir
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 9c2ece6ef67e9d376f32823086169b489c422ed0
+
+commit 9c2ece6ef67e9d376f32823086169b489c422ed0 upstream.
+
+nfsd4_readdir_rsize restricts rd_maxcount to svc_max_payload when
+estimating the size of the readdir reply, but nfsd_encode_readdir
+restricts it to INT_MAX when encoding the reply. This can result in log
+messages like "kernel: RPC request reserved 32896 but used 1049444".
+
+Restrict rd_dircount similarly (no reason it should be larger than
+svc_max_payload).
+
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/nfsd/nfs4xdr.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index 544672b440de..57e3262ec57a 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -3595,7 +3595,8 @@ nfsd4_encode_readdir(struct nfsd4_compoundres *resp, __be32 nfserr, struct nfsd4
+ nfserr = nfserr_resource;
+ goto err_no_verf;
+ }
+- maxcount = min_t(u32, readdir->rd_maxcount, INT_MAX);
++ maxcount = svc_max_payload(resp->rqstp);
++ maxcount = min_t(u32, readdir->rd_maxcount, maxcount);
+ /*
+ * Note the rfc defines rd_maxcount as the size of the
+ * READDIR4resok structure, which includes the verifier above
+@@ -3609,7 +3610,7 @@ nfsd4_encode_readdir(struct nfsd4_compoundres *resp, __be32 nfserr, struct nfsd4
+
+ /* RFC 3530 14.2.24 allows us to ignore dircount when it's 0: */
+ if (!readdir->rd_dircount)
+- readdir->rd_dircount = INT_MAX;
++ readdir->rd_dircount = svc_max_payload(resp->rqstp);
+
+ readdir->xdr = xdr;
+ readdir->rd_maxcount = maxcount;
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-091-NFSv4-Fix-possible-1-byte-stack-overflow-in-n.patch b/patches.kernel.org/4.4.139-091-NFSv4-Fix-possible-1-byte-stack-overflow-in-n.patch
new file mode 100644
index 0000000000..9012825887
--- /dev/null
+++ b/patches.kernel.org/4.4.139-091-NFSv4-Fix-possible-1-byte-stack-overflow-in-n.patch
@@ -0,0 +1,83 @@
+From: Dave Wysochanski <dwysocha@redhat.com>
+Date: Tue, 29 May 2018 17:47:30 -0400
+Subject: [PATCH] NFSv4: Fix possible 1-byte stack overflow in
+ nfs_idmap_read_and_verify_message
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: d68894800ec5712d7ddf042356f11e36f87d7f78
+
+commit d68894800ec5712d7ddf042356f11e36f87d7f78 upstream.
+
+In nfs_idmap_read_and_verify_message there is an incorrect sprintf '%d'
+that converts the __u32 'im_id' from struct idmap_msg to 'id_str', which
+is a stack char array variable of length NFS_UINT_MAXLEN == 11.
+If a uid or gid value is > 2147483647 = 0x7fffffff, the conversion
+overflows into a negative value, for example:
+crash> p (unsigned) (0x80000000)
+$1 = 2147483648
+crash> p (signed) (0x80000000)
+$2 = -2147483648
+The '-' sign is written to the buffer and this causes a 1 byte overflow
+when the NULL byte is written, which corrupts kernel stack memory. If
+CONFIG_CC_STACKPROTECTOR_STRONG is set we see a stack-protector panic:
+
+[11558053.616565] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa05b8a8c
+[11558053.639063] CPU: 6 PID: 9423 Comm: rpc.idmapd Tainted: G W ------------ T 3.10.0-514.el7.x86_64 #1
+[11558053.641990] Hardware name: Red Hat OpenStack Compute, BIOS 1.10.2-3.el7_4.1 04/01/2014
+[11558053.644462] ffffffff818c7bc0 00000000b1f3aec1 ffff880de0f9bd48 ffffffff81685eac
+[11558053.646430] ffff880de0f9bdc8 ffffffff8167f2b3 ffffffff00000010 ffff880de0f9bdd8
+[11558053.648313] ffff880de0f9bd78 00000000b1f3aec1 ffffffff811dcb03 ffffffffa05b8a8c
+[11558053.650107] Call Trace:
+[11558053.651347] [<ffffffff81685eac>] dump_stack+0x19/0x1b
+[11558053.653013] [<ffffffff8167f2b3>] panic+0xe3/0x1f2
+[11558053.666240] [<ffffffff811dcb03>] ? kfree+0x103/0x140
+[11558053.682589] [<ffffffffa05b8a8c>] ? idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4]
+[11558053.689710] [<ffffffff810855db>] __stack_chk_fail+0x1b/0x30
+[11558053.691619] [<ffffffffa05b8a8c>] idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4]
+[11558053.693867] [<ffffffffa00209d6>] rpc_pipe_write+0x56/0x70 [sunrpc]
+[11558053.695763] [<ffffffff811fe12d>] vfs_write+0xbd/0x1e0
+[11558053.702236] [<ffffffff810acccc>] ? task_work_run+0xac/0xe0
+[11558053.704215] [<ffffffff811fec4f>] SyS_write+0x7f/0xe0
+[11558053.709674] [<ffffffff816964c9>] system_call_fastpath+0x16/0x1b
+
+Fix this by calling the internally defined nfs_map_numeric_to_string()
+function which properly uses '%u' to convert this __u32. For consistency,
+also replace the one other place where snprintf is called.
+
+Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
+Reported-by: Stephen Johnston <sjohnsto@redhat.com>
+Fixes: cf4ab538f1516 ("NFSv4: Fix the string length returned by the idmapper")
+Cc: stable@vger.kernel.org # v3.4+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/nfs/nfs4idmap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c
+index 1ee62e62ea76..c99a887100db 100644
+--- a/fs/nfs/nfs4idmap.c
++++ b/fs/nfs/nfs4idmap.c
+@@ -343,7 +343,7 @@ static ssize_t nfs_idmap_lookup_name(__u32 id, const char *type, char *buf,
+ int id_len;
+ ssize_t ret;
+
+- id_len = snprintf(id_str, sizeof(id_str), "%u", id);
++ id_len = nfs_map_numeric_to_string(id, id_str, sizeof(id_str));
+ ret = nfs_idmap_get_key(id_str, id_len, type, buf, buflen, idmap);
+ if (ret < 0)
+ return -EINVAL;
+@@ -626,7 +626,8 @@ static int nfs_idmap_read_and_verify_message(struct idmap_msg *im,
+ if (strcmp(upcall->im_name, im->im_name) != 0)
+ break;
+ /* Note: here we store the NUL terminator too */
+- len = sprintf(id_str, "%d", im->im_id) + 1;
++ len = 1 + nfs_map_numeric_to_string(im->im_id, id_str,
++ sizeof(id_str));
+ ret = nfs_idmap_instantiate(key, authkey, id_str, len);
+ break;
+ case IDMAP_CONV_IDTONAME:
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-092-video-uvesafb-Fix-integer-overflow-in-allocat.patch b/patches.kernel.org/4.4.139-092-video-uvesafb-Fix-integer-overflow-in-allocat.patch
new file mode 100644
index 0000000000..5b1de8368e
--- /dev/null
+++ b/patches.kernel.org/4.4.139-092-video-uvesafb-Fix-integer-overflow-in-allocat.patch
@@ -0,0 +1,39 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 11 May 2018 18:24:12 +1000
+Subject: [PATCH] video: uvesafb: Fix integer overflow in allocation
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 9f645bcc566a1e9f921bdae7528a01ced5bc3713
+
+commit 9f645bcc566a1e9f921bdae7528a01ced5bc3713 upstream.
+
+cmap->len can get close to INT_MAX/2, allowing for an integer overflow in
+allocation. This uses kmalloc_array() instead to catch the condition.
+
+Reported-by: Dr Silvio Cesare of InfoSect <silvio.cesare@gmail.com>
+Fixes: 8bdb3a2d7df48 ("uvesafb: the driver core")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/video/fbdev/uvesafb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/uvesafb.c b/drivers/video/fbdev/uvesafb.c
+index 178ae93b7ebd..381236ff34d9 100644
+--- a/drivers/video/fbdev/uvesafb.c
++++ b/drivers/video/fbdev/uvesafb.c
+@@ -1059,7 +1059,8 @@ static int uvesafb_setcmap(struct fb_cmap *cmap, struct fb_info *info)
+ info->cmap.len || cmap->start < info->cmap.start)
+ return -EINVAL;
+
+- entries = kmalloc(sizeof(*entries) * cmap->len, GFP_KERNEL);
++ entries = kmalloc_array(cmap->len, sizeof(*entries),
++ GFP_KERNEL);
+ if (!entries)
+ return -ENOMEM;
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-093-Input-elan_i2c-add-ELAN0618-Lenovo-v330-15IKB.patch b/patches.kernel.org/4.4.139-093-Input-elan_i2c-add-ELAN0618-Lenovo-v330-15IKB.patch
new file mode 100644
index 0000000000..aacc973608
--- /dev/null
+++ b/patches.kernel.org/4.4.139-093-Input-elan_i2c-add-ELAN0618-Lenovo-v330-15IKB.patch
@@ -0,0 +1,36 @@
+From: Alexandr Savca <alexandr.savca@saltedge.com>
+Date: Thu, 21 Jun 2018 17:12:54 -0700
+Subject: [PATCH] Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 8938fc7b8fe9ccfa11751ead502a8d385b607967
+
+commit 8938fc7b8fe9ccfa11751ead502a8d385b607967 upstream.
+
+Add ELAN0618 to the list of supported touchpads; this ID is used in
+Lenovo v330 15IKB devices.
+
+Signed-off-by: Alexandr Savca <alexandr.savca@saltedge.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/input/mouse/elan_i2c_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
+index aeb8250ab079..2d6481f3e89b 100644
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1250,6 +1250,7 @@ static const struct acpi_device_id elan_acpi_id[] = {
+ { "ELAN060C", 0 },
+ { "ELAN0611", 0 },
+ { "ELAN0612", 0 },
++ { "ELAN0618", 0 },
+ { "ELAN1000", 0 },
+ { }
+ };
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-094-xen-Remove-unnecessary-BUG_ON-from-__unbind_f.patch b/patches.kernel.org/4.4.139-094-xen-Remove-unnecessary-BUG_ON-from-__unbind_f.patch
new file mode 100644
index 0000000000..9f479eadf3
--- /dev/null
+++ b/patches.kernel.org/4.4.139-094-xen-Remove-unnecessary-BUG_ON-from-__unbind_f.patch
@@ -0,0 +1,45 @@
+From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Date: Thu, 21 Jun 2018 13:29:44 -0400
+Subject: [PATCH] xen: Remove unnecessary BUG_ON from __unbind_from_irq()
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: eef04c7b3786ff0c9cb1019278b6c6c2ea0ad4ff
+
+commit eef04c7b3786ff0c9cb1019278b6c6c2ea0ad4ff upstream.
+
+Commit 910f8befdf5b ("xen/pirq: fix error path cleanup when binding
+MSIs") fixed a couple of errors in error cleanup path of
+xen_bind_pirq_msi_to_irq(). This cleanup allowed a call to
+__unbind_from_irq() with an unbound irq, which would result in
+triggering the BUG_ON there.
+
+Since there is really no reason for the BUG_ON (xen_free_irq() can
+operate on unbound irqs) we can remove it.
+
+Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/xen/events/events_base.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
+index 468961c59fa5..21d679f88dfa 100644
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -637,8 +637,6 @@ static void __unbind_from_irq(unsigned int irq)
+ xen_irq_info_cleanup(info);
+ }
+
+- BUG_ON(info_for_irq(irq)->type == IRQT_UNBOUND);
+-
+ xen_free_irq(irq);
+ }
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-095-udf-Detect-incorrect-directory-size.patch b/patches.kernel.org/4.4.139-095-udf-Detect-incorrect-directory-size.patch
new file mode 100644
index 0000000000..ebaf9aefb4
--- /dev/null
+++ b/patches.kernel.org/4.4.139-095-udf-Detect-incorrect-directory-size.patch
@@ -0,0 +1,41 @@
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 13 Jun 2018 12:09:22 +0200
+Subject: [PATCH] udf: Detect incorrect directory size
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: fa65653e575fbd958bdf5fb9c4a71a324e39510d
+
+commit fa65653e575fbd958bdf5fb9c4a71a324e39510d upstream.
+
+Detect when a directory entry is (possibly partially) beyond directory
+size and return EIO in that case since it means the filesystem is
+corrupted. Otherwise directory operations can further corrupt the
+directory and possibly also oops the kernel.
+
+CC: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+CC: stable@vger.kernel.org
+Reported-and-tested-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/udf/directory.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/udf/directory.c b/fs/udf/directory.c
+index c763fda257bf..637114e8c7fd 100644
+--- a/fs/udf/directory.c
++++ b/fs/udf/directory.c
+@@ -150,6 +150,9 @@ struct fileIdentDesc *udf_fileident_read(struct inode *dir, loff_t *nf_pos,
+ sizeof(struct fileIdentDesc));
+ }
+ }
++ /* Got last entry outside of dir size - fs is corrupted! */
++ if (*nf_pos > dir->i_size)
++ return NULL;
+ return fi;
+ }
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-096-Input-elan_i2c_smbus-fix-more-potential-stack.patch b/patches.kernel.org/4.4.139-096-Input-elan_i2c_smbus-fix-more-potential-stack.patch
new file mode 100644
index 0000000000..8209bd6bf8
--- /dev/null
+++ b/patches.kernel.org/4.4.139-096-Input-elan_i2c_smbus-fix-more-potential-stack.patch
@@ -0,0 +1,105 @@
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Tue, 19 Jun 2018 11:17:32 -0700
+Subject: [PATCH] Input: elan_i2c_smbus - fix more potential stack buffer
+ overflows
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 50fc7b61959af4b95fafce7fe5dd565199e0b61a
+
+commit 50fc7b61959af4b95fafce7fe5dd565199e0b61a upstream.
+
+Commit 40f7090bb1b4 ("Input: elan_i2c_smbus - fix corrupted stack")
+fixed most of the functions using i2c_smbus_read_block_data() to
+allocate a buffer with the maximum block size. However three
+functions were left unchanged:
+
+* In elan_smbus_initialize(), increase the buffer size in the same
+ way.
+* In elan_smbus_calibrate_result(), the buffer is provided by the
+ caller (calibrate_store()), so introduce a bounce buffer. Also
+ name the result buffer size.
+* In elan_smbus_get_report(), the buffer is provided by the caller
+ but happens to be the right length. Add a compile-time assertion
+ to ensure this remains the case.
+
+Cc: <stable@vger.kernel.org> # 3.19+
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/input/mouse/elan_i2c.h | 2 ++
+ drivers/input/mouse/elan_i2c_core.c | 2 +-
+ drivers/input/mouse/elan_i2c_smbus.c | 10 ++++++++--
+ 3 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/input/mouse/elan_i2c.h b/drivers/input/mouse/elan_i2c.h
+index c0ec26118732..83dd0ce3ad2a 100644
+--- a/drivers/input/mouse/elan_i2c.h
++++ b/drivers/input/mouse/elan_i2c.h
+@@ -27,6 +27,8 @@
+ #define ETP_DISABLE_POWER 0x0001
+ #define ETP_PRESSURE_OFFSET 25
+
++#define ETP_CALIBRATE_MAX_LEN 3
++
+ /* IAP Firmware handling */
+ #define ETP_PRODUCT_ID_FORMAT_STRING "%d.0"
+ #define ETP_FW_NAME "elan_i2c_" ETP_PRODUCT_ID_FORMAT_STRING ".bin"
+diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
+index 2d6481f3e89b..97f6e05cffce 100644
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -595,7 +595,7 @@ static ssize_t calibrate_store(struct device *dev,
+ int tries = 20;
+ int retval;
+ int error;
+- u8 val[3];
++ u8 val[ETP_CALIBRATE_MAX_LEN];
+
+ retval = mutex_lock_interruptible(&data->sysfs_mutex);
+ if (retval)
+diff --git a/drivers/input/mouse/elan_i2c_smbus.c b/drivers/input/mouse/elan_i2c_smbus.c
+index 25dba1d7aa57..2ac85f5cbf31 100644
+--- a/drivers/input/mouse/elan_i2c_smbus.c
++++ b/drivers/input/mouse/elan_i2c_smbus.c
+@@ -56,7 +56,7 @@
+ static int elan_smbus_initialize(struct i2c_client *client)
+ {
+ u8 check[ETP_SMBUS_HELLOPACKET_LEN] = { 0x55, 0x55, 0x55, 0x55, 0x55 };
+- u8 values[ETP_SMBUS_HELLOPACKET_LEN] = { 0, 0, 0, 0, 0 };
++ u8 values[I2C_SMBUS_BLOCK_MAX] = {0};
+ int len, error;
+
+ /* Get hello packet */
+@@ -117,12 +117,16 @@ static int elan_smbus_calibrate(struct i2c_client *client)
+ static int elan_smbus_calibrate_result(struct i2c_client *client, u8 *val)
+ {
+ int error;
++ u8 buf[I2C_SMBUS_BLOCK_MAX] = {0};
++
++ BUILD_BUG_ON(ETP_CALIBRATE_MAX_LEN > sizeof(buf));
+
+ error = i2c_smbus_read_block_data(client,
+- ETP_SMBUS_CALIBRATE_QUERY, val);
++ ETP_SMBUS_CALIBRATE_QUERY, buf);
+ if (error < 0)
+ return error;
+
++ memcpy(val, buf, ETP_CALIBRATE_MAX_LEN);
+ return 0;
+ }
+
+@@ -466,6 +470,8 @@ static int elan_smbus_get_report(struct i2c_client *client, u8 *report)
+ {
+ int len;
+
++ BUILD_BUG_ON(I2C_SMBUS_BLOCK_MAX > ETP_SMBUS_REPORT_LEN);
++
+ len = i2c_smbus_read_block_data(client,
+ ETP_SMBUS_PACKET_QUERY,
+ &report[ETP_SMBUS_REPORT_OFFSET]);
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-097-Input-elantech-enable-middle-button-of-touchp.patch b/patches.kernel.org/4.4.139-097-Input-elantech-enable-middle-button-of-touchp.patch
new file mode 100644
index 0000000000..cf6ae49470
--- /dev/null
+++ b/patches.kernel.org/4.4.139-097-Input-elantech-enable-middle-button-of-touchp.patch
@@ -0,0 +1,53 @@
+From: Aaron Ma <aaron.ma@canonical.com>
+Date: Thu, 21 Jun 2018 17:14:01 -0700
+Subject: [PATCH] Input: elantech - enable middle button of touchpads on
+ ThinkPad P52
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 24bb555e6e46d96e2a954aa0295029a81cc9bbaa
+
+commit 24bb555e6e46d96e2a954aa0295029a81cc9bbaa upstream.
+
+PNPID is better way to identify the type of touchpads.
+Enable middle button support on 2 types of touchpads on Lenovo P52.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/input/mouse/elantech.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
+index 06ea28e5d7b4..706442f4a3d0 100644
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -1177,6 +1177,12 @@ static const struct dmi_system_id elantech_dmi_has_middle_button[] = {
+ { }
+ };
+
++static const char * const middle_button_pnp_ids[] = {
++ "LEN2131", /* ThinkPad P52 w/ NFC */
++ "LEN2132", /* ThinkPad P52 */
++ NULL
++};
++
+ /*
+ * Set the appropriate event bits for the input subsystem
+ */
+@@ -1196,7 +1202,8 @@ static int elantech_set_input_params(struct psmouse *psmouse)
+ __clear_bit(EV_REL, dev->evbit);
+
+ __set_bit(BTN_LEFT, dev->keybit);
+- if (dmi_check_system(elantech_dmi_has_middle_button))
++ if (dmi_check_system(elantech_dmi_has_middle_button) ||
++ psmouse_matches_pnp_id(psmouse, middle_button_pnp_ids))
+ __set_bit(BTN_MIDDLE, dev->keybit);
+ __set_bit(BTN_RIGHT, dev->keybit);
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-098-Input-elantech-fix-V4-report-decoding-for-mod.patch b/patches.kernel.org/4.4.139-098-Input-elantech-fix-V4-report-decoding-for-mod.patch
new file mode 100644
index 0000000000..ab78fb2868
--- /dev/null
+++ b/patches.kernel.org/4.4.139-098-Input-elantech-fix-V4-report-decoding-for-mod.patch
@@ -0,0 +1,38 @@
+From: ??? <kt.liao@emc.com.tw>
+Date: Thu, 21 Jun 2018 17:15:32 -0700
+Subject: [PATCH] Input: elantech - fix V4 report decoding for module with
+ middle key
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: e0ae2519ca004a628fa55aeef969c37edce522d3
+
+commit e0ae2519ca004a628fa55aeef969c37edce522d3 upstream.
+
+Some touchpad has middle key and it will be indicated in bit 2 of packet[0].
+We need to fix V4 formation's byte mask to prevent error decoding.
+
+Signed-off-by: KT Liao <kt.liao@emc.com.tw>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/input/mouse/elantech.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
+index 706442f4a3d0..174bb52c578b 100644
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -804,7 +804,7 @@ static int elantech_packet_check_v4(struct psmouse *psmouse)
+ else if (ic_version == 7 && etd->samples[1] == 0x2A)
+ sanity_check = ((packet[3] & 0x1c) == 0x10);
+ else
+- sanity_check = ((packet[0] & 0x0c) == 0x04 &&
++ sanity_check = ((packet[0] & 0x08) == 0x00 &&
+ (packet[3] & 0x1c) == 0x10);
+
+ if (!sanity_check)
+--
+2.18.0
+
diff --git a/patches.drivers/ALSA-hda-realtek-Add-a-quirk-for-FSC-ESPRIMO-U9210 b/patches.kernel.org/4.4.139-099-ALSA-hda-realtek-Add-a-quirk-for-FSC-ESPRIMO-.patch
index 2517a15124..94f7b5aee5 100644
--- a/patches.drivers/ALSA-hda-realtek-Add-a-quirk-for-FSC-ESPRIMO-U9210
+++ b/patches.kernel.org/4.4.139-099-ALSA-hda-realtek-Add-a-quirk-for-FSC-ESPRIMO-.patch
@@ -1,10 +1,11 @@
-From 275ec0cb946cb75ac8977f662e608fce92f8b8a8 Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Fri, 22 Jun 2018 12:17:45 +0200
Subject: [PATCH] ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210
+Patch-mainline: 4.4.139
+References: bnc#1012382 bsc#1099810
Git-commit: 275ec0cb946cb75ac8977f662e608fce92f8b8a8
-Patch-mainline: v4.18-rc3
-References: bsc#1099810
+
+commit 275ec0cb946cb75ac8977f662e608fce92f8b8a8 upstream.
Fujitsu Seimens ESPRIMO Mobile U9210 requires the same fixup as H270
for the correct pin configs.
@@ -12,16 +13,17 @@ for the correct pin configs.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200107
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
-index 487ceb9fd038..70bf4c30548a 100644
+index 580b8943b965..d706a416b587 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
-@@ -2545,6 +2545,7 @@ static const struct snd_pci_quirk alc262_fixup_tbl[] = {
+@@ -2447,6 +2447,7 @@ static const struct snd_pci_quirk alc262_fixup_tbl[] = {
SND_PCI_QUIRK(0x10cf, 0x1397, "Fujitsu Lifebook S7110", ALC262_FIXUP_FSC_S7110),
SND_PCI_QUIRK(0x10cf, 0x142d, "Fujitsu Lifebook E8410", ALC262_FIXUP_BENQ),
SND_PCI_QUIRK(0x10f1, 0x2915, "Tyan Thunder n6650W", ALC262_FIXUP_TYAN),
diff --git a/patches.kernel.org/4.4.139-100-Btrfs-fix-unexpected-cow-in-run_delalloc_noco.patch b/patches.kernel.org/4.4.139-100-Btrfs-fix-unexpected-cow-in-run_delalloc_noco.patch
new file mode 100644
index 0000000000..1389ea1d81
--- /dev/null
+++ b/patches.kernel.org/4.4.139-100-Btrfs-fix-unexpected-cow-in-run_delalloc_noco.patch
@@ -0,0 +1,98 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Wed, 31 Jan 2018 17:09:13 -0700
+Subject: [PATCH] Btrfs: fix unexpected cow in run_delalloc_nocow
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 5811375325420052fcadd944792a416a43072b7f
+
+commit 5811375325420052fcadd944792a416a43072b7f upstream.
+
+Fstests generic/475 provides a way to fail metadata reads while
+checking if checksum exists for the inode inside run_delalloc_nocow(),
+and csum_exist_in_range() interprets error (-EIO) as inode having
+checksum and makes its caller enter the cow path.
+
+In case of free space inode, this ends up with a warning in
+cow_file_range().
+
+The same problem applies to btrfs_cross_ref_exist() since it may also
+read metadata in between.
+
+With this, run_delalloc_nocow() bails out when errors occur at the two
+places.
+
+cc: <stable@vger.kernel.org> v2.6.28+
+Fixes: 17d217fe970d ("Btrfs: fix nodatasum handling in balancing code")
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/btrfs/inode.c | 33 ++++++++++++++++++++++++++++++---
+ 1 file changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 1f01a8172308..b895be3d4311 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -1202,6 +1202,8 @@ static noinline int csum_exist_in_range(struct btrfs_root *root,
+ list_del(&sums->list);
+ kfree(sums);
+ }
++ if (ret < 0)
++ return ret;
+ return 1;
+ }
+
+@@ -1351,10 +1353,23 @@ static noinline int run_delalloc_nocow(struct inode *inode,
+ goto out_check;
+ if (btrfs_extent_readonly(root, disk_bytenr))
+ goto out_check;
+- if (btrfs_cross_ref_exist(trans, root, ino,
++ ret = btrfs_cross_ref_exist(trans, root, ino,
+ found_key.offset -
+- extent_offset, disk_bytenr))
++ extent_offset, disk_bytenr);
++ if (ret) {
++ /*
++ * ret could be -EIO if the above fails to read
++ * metadata.
++ */
++ if (ret < 0) {
++ if (cow_start != (u64)-1)
++ cur_offset = cow_start;
++ goto error;
++ }
++
++ WARN_ON_ONCE(nolock);
+ goto out_check;
++ }
+ disk_bytenr += extent_offset;
+ disk_bytenr += cur_offset - found_key.offset;
+ num_bytes = min(end + 1, extent_end) - cur_offset;
+@@ -1372,8 +1387,20 @@ static noinline int run_delalloc_nocow(struct inode *inode,
+ * this ensure that csum for a given extent are
+ * either valid or do not exist.
+ */
+- if (csum_exist_in_range(root, disk_bytenr, num_bytes))
++ ret = csum_exist_in_range(root, disk_bytenr, num_bytes);
++ if (ret) {
++ /*
++ * ret could be -EIO if the above fails to read
++ * metadata.
++ */
++ if (ret < 0) {
++ if (cow_start != (u64)-1)
++ cur_offset = cow_start;
++ goto error;
++ }
++ WARN_ON_ONCE(nolock);
+ goto out_check;
++ }
+ nocow = 1;
+ } else if (extent_type == BTRFS_FILE_EXTENT_INLINE) {
+ extent_end = found_key.offset +
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-101-spi-Fix-scatterlist-elements-size-in-spi_map_.patch b/patches.kernel.org/4.4.139-101-spi-Fix-scatterlist-elements-size-in-spi_map_.patch
new file mode 100644
index 0000000000..12233ed933
--- /dev/null
+++ b/patches.kernel.org/4.4.139-101-spi-Fix-scatterlist-elements-size-in-spi_map_.patch
@@ -0,0 +1,56 @@
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Date: Fri, 2 Mar 2018 15:55:09 +0100
+Subject: [PATCH] spi: Fix scatterlist elements size in spi_map_buf
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: ce99319a182fe766be67f96338386f3ec73e321c
+
+commit ce99319a182fe766be67f96338386f3ec73e321c upstream.
+
+When SPI transfers can be offloaded using DMA, the SPI core need to
+build a scatterlist to make sure that the buffer to be transferred is
+dma-able.
+
+This patch fixes the scatterlist entry size computation in the case
+where the maximum acceptable scatterlist entry supported by the DMA
+controller is less than PAGE_SIZE, when the buffer is vmalloced.
+
+For each entry, the actual size is given by the minimum between the
+desc_len (which is the max buffer size supported by the DMA controller)
+and the remaining buffer length until we cross a page boundary.
+
+Fixes: 65598c13fd66 ("spi: Fix per-page mapping of unaligned vmalloc-ed buffer")
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/spi/spi.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
+index dee1cb87d24f..04fd651f9e3e 100644
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -707,8 +707,14 @@ static int spi_map_buf(struct spi_master *master, struct device *dev,
+ for (i = 0; i < sgs; i++) {
+
+ if (vmalloced_buf) {
+- min = min_t(size_t,
+- len, desc_len - offset_in_page(buf));
++ /*
++ * Next scatterlist entry size is the minimum between
++ * the desc_len and the remaining buffer length that
++ * fits in a page.
++ */
++ min = min_t(size_t, desc_len,
++ min_t(size_t, len,
++ PAGE_SIZE - offset_in_page(buf)));
+ vm_page = vmalloc_to_page(buf);
+ if (!vm_page) {
+ sg_free_table(sgt);
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-102-block-Fix-transfer-when-chunk-sectors-exceeds.patch b/patches.kernel.org/4.4.139-102-block-Fix-transfer-when-chunk-sectors-exceeds.patch
new file mode 100644
index 0000000000..a85e2bf083
--- /dev/null
+++ b/patches.kernel.org/4.4.139-102-block-Fix-transfer-when-chunk-sectors-exceeds.patch
@@ -0,0 +1,43 @@
+From: Keith Busch <keith.busch@intel.com>
+Date: Tue, 26 Jun 2018 09:14:58 -0600
+Subject: [PATCH] block: Fix transfer when chunk sectors exceeds max
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 15bfd21fbc5d35834b9ea383dc458a1f0c9e3434
+
+commit 15bfd21fbc5d35834b9ea383dc458a1f0c9e3434 upstream.
+
+A device may have boundary restrictions where the number of sectors
+between boundaries exceeds its max transfer size. In this case, we need
+to cap the max size to the smaller of the two limits.
+
+Reported-by: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
+Tested-by: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/linux/blkdev.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index fe14382f9664..1383e1c03ff2 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -882,8 +882,8 @@ static inline unsigned int blk_max_size_offset(struct request_queue *q,
+ if (!q->limits.chunk_sectors)
+ return q->limits.max_sectors;
+
+- return q->limits.chunk_sectors -
+- (offset & (q->limits.chunk_sectors - 1));
++ return min(q->limits.max_sectors, (unsigned int)(q->limits.chunk_sectors -
++ (offset & (q->limits.chunk_sectors - 1))));
+ }
+
+ static inline unsigned int blk_rq_get_max_sectors(struct request *rq)
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-103-dm-thin-handle-running-out-of-data-space-vs-c.patch b/patches.kernel.org/4.4.139-103-dm-thin-handle-running-out-of-data-space-vs-c.patch
new file mode 100644
index 0000000000..0f01674ac8
--- /dev/null
+++ b/patches.kernel.org/4.4.139-103-dm-thin-handle-running-out-of-data-space-vs-c.patch
@@ -0,0 +1,98 @@
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Tue, 26 Jun 2018 12:04:23 -0400
+Subject: [PATCH] dm thin: handle running out of data space vs concurrent
+ discard
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: a685557fbbc3122ed11e8ad3fa63a11ebc5de8c3
+
+commit a685557fbbc3122ed11e8ad3fa63a11ebc5de8c3 upstream.
+
+Discards issued to a DM thin device can complete to userspace (via
+fstrim) _before_ the metadata changes associated with the discards is
+reflected in the thinp superblock (e.g. free blocks). As such, if a
+user constructs a test that loops repeatedly over these steps, block
+allocation can fail due to discards not having completed yet:
+1) fill thin device via filesystem file
+2) remove file
+3) fstrim
+
+From initial report, here:
+https://www.redhat.com/archives/dm-devel/2018-April/msg00022.html
+
+"The root cause of this issue is that dm-thin will first remove
+mapping and increase corresponding blocks' reference count to prevent
+them from being reused before DISCARD bios get processed by the
+underlying layers. However. increasing blocks' reference count could
+also increase the nr_allocated_this_transaction in struct sm_disk
+which makes smd->old_ll.nr_allocated +
+smd->nr_allocated_this_transaction bigger than smd->old_ll.nr_blocks.
+In this case, alloc_data_block() will never commit metadata to reset
+the begin pointer of struct sm_disk, because sm_disk_get_nr_free()
+always return an underflow value."
+
+While there is room for improvement to the space-map accounting that
+thinp is making use of: the reality is this test is inherently racey and
+will result in the previous iteration's fstrim's discard(s) completing
+vs concurrent block allocation, via dd, in the next iteration of the
+loop.
+
+No amount of space map accounting improvements will be able to allow
+user's to use a block before a discard of that block has completed.
+
+So the best we can really do is allow DM thinp to gracefully handle such
+aggressive use of all the pool's data by degrading the pool into
+out-of-data-space (OODS) mode. We _should_ get that behaviour already
+(if space map accounting didn't falsely cause alloc_data_block() to
+believe free space was available).. but short of that we handle the
+current reality that dm_pool_alloc_data_block() can return -ENOSPC.
+
+Reported-by: Dennis Yang <dennisyang@qnap.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/md/dm-thin.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c
+index a1cc797fe88f..315767e8ae4d 100644
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -1299,6 +1299,8 @@ static void schedule_external_copy(struct thin_c *tc, dm_block_t virt_block,
+
+ static void set_pool_mode(struct pool *pool, enum pool_mode new_mode);
+
++static void requeue_bios(struct pool *pool);
++
+ static void check_for_space(struct pool *pool)
+ {
+ int r;
+@@ -1311,8 +1313,10 @@ static void check_for_space(struct pool *pool)
+ if (r)
+ return;
+
+- if (nr_free)
++ if (nr_free) {
+ set_pool_mode(pool, PM_WRITE);
++ requeue_bios(pool);
++ }
+ }
+
+ /*
+@@ -1389,7 +1393,10 @@ static int alloc_data_block(struct thin_c *tc, dm_block_t *result)
+
+ r = dm_pool_alloc_data_block(pool->pmd, result);
+ if (r) {
+- metadata_operation_failed(pool, "dm_pool_alloc_data_block", r);
++ if (r == -ENOSPC)
++ set_pool_mode(pool, PM_OUT_OF_DATA_SPACE);
++ else
++ metadata_operation_failed(pool, "dm_pool_alloc_data_block", r);
+ return r;
+ }
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-104-cdc_ncm-avoid-padding-beyond-end-of-skb.patch b/patches.kernel.org/4.4.139-104-cdc_ncm-avoid-padding-beyond-end-of-skb.patch
new file mode 100644
index 0000000000..369df8dd7a
--- /dev/null
+++ b/patches.kernel.org/4.4.139-104-cdc_ncm-avoid-padding-beyond-end-of-skb.patch
@@ -0,0 +1,121 @@
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Fri, 8 Jun 2018 09:15:24 +0200
+Subject: [PATCH] cdc_ncm: avoid padding beyond end of skb
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 49c2c3f246e2fc3009039e31a826333dcd0283cd
+
+commit 49c2c3f246e2fc3009039e31a826333dcd0283cd upstream.
+
+Commit 4a0e3e989d66 ("cdc_ncm: Add support for moving NDP to end
+of NCM frame") added logic to reserve space for the NDP at the
+end of the NTB/skb. This reservation did not take the final
+alignment of the NDP into account, causing us to reserve too
+little space. Additionally the padding prior to NDP addition did
+not ensure there was enough space for the NDP.
+
+The NTB/skb with the NDP appended would then exceed the configured
+max size. This caused the final padding of the NTB to use a
+negative count, padding to almost INT_MAX, and resulting in:
+
+[60103.825970] BUG: unable to handle kernel paging request at ffff9641f2004000
+[60103.825998] IP: __memset+0x24/0x30
+[60103.826001] PGD a6a06067 P4D a6a06067 PUD 4f65a063 PMD 72003063 PTE 0
+[60103.826013] Oops: 0002 [#1] SMP NOPTI
+[60103.826018] Modules linked in: (removed(
+[60103.826158] CPU: 0 PID: 5990 Comm: Chrome_DevTools Tainted: G O 4.14.0-3-amd64 #1 Debian 4.14.17-1
+[60103.826162] Hardware name: LENOVO 20081 BIOS 41CN28WW(V2.04) 05/03/2012
+[60103.826166] task: ffff964193484fc0 task.stack: ffffb2890137c000
+[60103.826171] RIP: 0010:__memset+0x24/0x30
+[60103.826174] RSP: 0000:ffff964316c03b68 EFLAGS: 00010216
+[60103.826178] RAX: 0000000000000000 RBX: 00000000fffffffd RCX: 000000001ffa5000
+[60103.826181] RDX: 0000000000000005 RSI: 0000000000000000 RDI: ffff9641f2003ffc
+[60103.826184] RBP: ffff964192f6c800 R08: 00000000304d434e R09: ffff9641f1d2c004
+[60103.826187] R10: 0000000000000002 R11: 00000000000005ae R12: ffff9642e6957a80
+[60103.826190] R13: ffff964282ff2ee8 R14: 000000000000000d R15: ffff9642e4843900
+[60103.826194] FS: 00007f395aaf6700(0000) GS:ffff964316c00000(0000) knlGS:0000000000000000
+[60103.826197] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[60103.826200] CR2: ffff9641f2004000 CR3: 0000000013b0c000 CR4: 00000000000006f0
+[60103.826204] Call Trace:
+[60103.826212] <IRQ>
+[60103.826225] cdc_ncm_fill_tx_frame+0x5e3/0x740 [cdc_ncm]
+[60103.826236] cdc_ncm_tx_fixup+0x57/0x70 [cdc_ncm]
+[60103.826246] usbnet_start_xmit+0x5d/0x710 [usbnet]
+[60103.826254] ? netif_skb_features+0x119/0x250
+[60103.826259] dev_hard_start_xmit+0xa1/0x200
+[60103.826267] sch_direct_xmit+0xf2/0x1b0
+[60103.826273] __dev_queue_xmit+0x5e3/0x7c0
+[60103.826280] ? ip_finish_output2+0x263/0x3c0
+[60103.826284] ip_finish_output2+0x263/0x3c0
+[60103.826289] ? ip_output+0x6c/0xe0
+[60103.826293] ip_output+0x6c/0xe0
+[60103.826298] ? ip_forward_options+0x1a0/0x1a0
+[60103.826303] tcp_transmit_skb+0x516/0x9b0
+[60103.826309] tcp_write_xmit+0x1aa/0xee0
+[60103.826313] ? sch_direct_xmit+0x71/0x1b0
+[60103.826318] tcp_tasklet_func+0x177/0x180
+[60103.826325] tasklet_action+0x5f/0x110
+[60103.826332] __do_softirq+0xde/0x2b3
+[60103.826337] irq_exit+0xae/0xb0
+[60103.826342] do_IRQ+0x81/0xd0
+[60103.826347] common_interrupt+0x98/0x98
+[60103.826351] </IRQ>
+[60103.826355] RIP: 0033:0x7f397bdf2282
+[60103.826358] RSP: 002b:00007f395aaf57d8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff6e
+[60103.826362] RAX: 0000000000000000 RBX: 00002f07bc6d0900 RCX: 00007f39752d7fe7
+[60103.826365] RDX: 0000000000000022 RSI: 0000000000000147 RDI: 00002f07baea02c0
+[60103.826368] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
+[60103.826371] R10: 00000000ffffffff R11: 0000000000000000 R12: 00002f07baea02c0
+[60103.826373] R13: 00002f07bba227a0 R14: 00002f07bc6d090c R15: 0000000000000000
+[60103.826377] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 f9 48 89 d1 83
+e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48
+ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1
+[60103.826442] RIP: __memset+0x24/0x30 RSP: ffff964316c03b68
+[60103.826444] CR2: ffff9641f2004000
+
+Commit e1069bbfcf3b ("net: cdc_ncm: Reduce memory use when kernel
+memory low") made this bug much more likely to trigger by reducing
+the NTB size under memory pressure.
+
+Link: https://bugs.debian.org/893393
+Reported-by: Горбешко Богдан <bodqhrohro@gmail.com>
+Reported-and-tested-by: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+Cc: Enrico Mioso <mrkiko.rs@gmail.com>
+Fixes: 4a0e3e989d66 ("cdc_ncm: Add support for moving NDP to end of NCM frame")
+[ bmork: tx_curr_size => tx_max and context fixup for v4.12 and older ]
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/usb/cdc_ncm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index c8e98c8e29fa..36e1377fc954 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1075,7 +1075,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev, struct sk_buff *skb, __le32 sign)
+ * accordingly. Otherwise, we should check here.
+ */
+ if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END)
+- delayed_ndp_size = ctx->max_ndp_size;
++ delayed_ndp_size = ALIGN(ctx->max_ndp_size, ctx->tx_ndp_modulus);
+ else
+ delayed_ndp_size = 0;
+
+@@ -1208,7 +1208,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev, struct sk_buff *skb, __le32 sign)
+ /* If requested, put NDP at end of frame. */
+ if (ctx->drvflags & CDC_NCM_FLAG_NDP_TO_END) {
+ nth16 = (struct usb_cdc_ncm_nth16 *)skb_out->data;
+- cdc_ncm_align_tail(skb_out, ctx->tx_ndp_modulus, 0, ctx->tx_max);
++ cdc_ncm_align_tail(skb_out, ctx->tx_ndp_modulus, 0, ctx->tx_max - ctx->max_ndp_size);
+ nth16->wNdpIndex = cpu_to_le16(skb_out->len);
+ memcpy(skb_put(skb_out, ctx->max_ndp_size), ctx->delayed_ndp16, ctx->max_ndp_size);
+
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-105-Bluetooth-Fix-connection-if-directed-advertis.patch b/patches.kernel.org/4.4.139-105-Bluetooth-Fix-connection-if-directed-advertis.patch
new file mode 100644
index 0000000000..ce07ac6ce3
--- /dev/null
+++ b/patches.kernel.org/4.4.139-105-Bluetooth-Fix-connection-if-directed-advertis.patch
@@ -0,0 +1,299 @@
+From: Szymon Janc <szymon.janc@codecoup.pl>
+Date: Tue, 3 Apr 2018 13:40:06 +0200
+Subject: [PATCH] Bluetooth: Fix connection if directed advertising and privacy
+ is used
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 082f2300cfa1a3d9d5221c38c5eba85d4ab98bd8
+
+commit 082f2300cfa1a3d9d5221c38c5eba85d4ab98bd8 upstream.
+
+Local random address needs to be updated before creating connection if
+RPA from LE Direct Advertising Report was resolved in host. Otherwise
+remote device might ignore connection request due to address mismatch.
+
+This was affecting following qualification test cases:
+GAP/CONN/SCEP/BV-03-C, GAP/CONN/GCEP/BV-05-C, GAP/CONN/DCEP/BV-05-C
+
+Before patch:
+< HCI Command: LE Set Random Address (0x08|0x0005) plen 6 #11350 [hci0] 84680.231216
+ Address: 56:BC:E8:24:11:68 (Resolvable)
+ Identity type: Random (0x01)
+ Identity: F2:F1:06:3D:9C:42 (Static)
+> HCI Event: Command Complete (0x0e) plen 4 #11351 [hci0] 84680.246022
+ LE Set Random Address (0x08|0x0005) ncmd 1
+ Status: Success (0x00)
+< HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7 #11352 [hci0] 84680.246417
+ Type: Passive (0x00)
+ Interval: 60.000 msec (0x0060)
+ Window: 30.000 msec (0x0030)
+ Own address type: Random (0x01)
+ Filter policy: Accept all advertisement, inc. directed unresolved RPA (0x02)
+> HCI Event: Command Complete (0x0e) plen 4 #11353 [hci0] 84680.248854
+ LE Set Scan Parameters (0x08|0x000b) ncmd 1
+ Status: Success (0x00)
+< HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #11354 [hci0] 84680.249466
+ Scanning: Enabled (0x01)
+ Filter duplicates: Enabled (0x01)
+> HCI Event: Command Complete (0x0e) plen 4 #11355 [hci0] 84680.253222
+ LE Set Scan Enable (0x08|0x000c) ncmd 1
+ Status: Success (0x00)
+> HCI Event: LE Meta Event (0x3e) plen 18 #11356 [hci0] 84680.458387
+ LE Direct Advertising Report (0x0b)
+ Num reports: 1
+ Event type: Connectable directed - ADV_DIRECT_IND (0x01)
+ Address type: Random (0x01)
+ Address: 53:38:DA:46:8C:45 (Resolvable)
+ Identity type: Public (0x00)
+ Identity: 11:22:33:44:55:66 (OUI 11-22-33)
+ Direct address type: Random (0x01)
+ Direct address: 7C:D6:76:8C:DF:82 (Resolvable)
+ Identity type: Random (0x01)
+ Identity: F2:F1:06:3D:9C:42 (Static)
+ RSSI: -74 dBm (0xb6)
+< HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #11357 [hci0] 84680.458737
+ Scanning: Disabled (0x00)
+ Filter duplicates: Disabled (0x00)
+> HCI Event: Command Complete (0x0e) plen 4 #11358 [hci0] 84680.469982
+ LE Set Scan Enable (0x08|0x000c) ncmd 1
+ Status: Success (0x00)
+< HCI Command: LE Create Connection (0x08|0x000d) plen 25 #11359 [hci0] 84680.470444
+ Scan interval: 60.000 msec (0x0060)
+ Scan window: 60.000 msec (0x0060)
+ Filter policy: White list is not used (0x00)
+ Peer address type: Random (0x01)
+ Peer address: 53:38:DA:46:8C:45 (Resolvable)
+ Identity type: Public (0x00)
+ Identity: 11:22:33:44:55:66 (OUI 11-22-33)
+ Own address type: Random (0x01)
+ Min connection interval: 30.00 msec (0x0018)
+ Max connection interval: 50.00 msec (0x0028)
+ Connection latency: 0 (0x0000)
+ Supervision timeout: 420 msec (0x002a)
+ Min connection length: 0.000 msec (0x0000)
+ Max connection length: 0.000 msec (0x0000)
+> HCI Event: Command Status (0x0f) plen 4 #11360 [hci0] 84680.474971
+ LE Create Connection (0x08|0x000d) ncmd 1
+ Status: Success (0x00)
+< HCI Command: LE Create Connection Cancel (0x08|0x000e) plen 0 #11361 [hci0] 84682.545385
+> HCI Event: Command Complete (0x0e) plen 4 #11362 [hci0] 84682.551014
+ LE Create Connection Cancel (0x08|0x000e) ncmd 1
+ Status: Success (0x00)
+> HCI Event: LE Meta Event (0x3e) plen 19 #11363 [hci0] 84682.551074
+ LE Connection Complete (0x01)
+ Status: Unknown Connection Identifier (0x02)
+ Handle: 0
+ Role: Master (0x00)
+ Peer address type: Public (0x00)
+ Peer address: 00:00:00:00:00:00 (OUI 00-00-00)
+ Connection interval: 0.00 msec (0x0000)
+ Connection latency: 0 (0x0000)
+ Supervision timeout: 0 msec (0x0000)
+ Master clock accuracy: 0x00
+
+After patch:
+< HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7 #210 [hci0] 667.152459
+ Type: Passive (0x00)
+ Interval: 60.000 msec (0x0060)
+ Window: 30.000 msec (0x0030)
+ Own address type: Random (0x01)
+ Filter policy: Accept all advertisement, inc. directed unresolved RPA (0x02)
+> HCI Event: Command Complete (0x0e) plen 4 #211 [hci0] 667.153613
+ LE Set Scan Parameters (0x08|0x000b) ncmd 1
+ Status: Success (0x00)
+< HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #212 [hci0] 667.153704
+ Scanning: Enabled (0x01)
+ Filter duplicates: Enabled (0x01)
+> HCI Event: Command Complete (0x0e) plen 4 #213 [hci0] 667.154584
+ LE Set Scan Enable (0x08|0x000c) ncmd 1
+ Status: Success (0x00)
+> HCI Event: LE Meta Event (0x3e) plen 18 #214 [hci0] 667.182619
+ LE Direct Advertising Report (0x0b)
+ Num reports: 1
+ Event type: Connectable directed - ADV_DIRECT_IND (0x01)
+ Address type: Random (0x01)
+ Address: 50:52:D9:A6:48:A0 (Resolvable)
+ Identity type: Public (0x00)
+ Identity: 11:22:33:44:55:66 (OUI 11-22-33)
+ Direct address type: Random (0x01)
+ Direct address: 7C:C1:57:A5:B7:A8 (Resolvable)
+ Identity type: Random (0x01)
+ Identity: F4:28:73:5D:38:B0 (Static)
+ RSSI: -70 dBm (0xba)
+< HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #215 [hci0] 667.182704
+ Scanning: Disabled (0x00)
+ Filter duplicates: Disabled (0x00)
+> HCI Event: Command Complete (0x0e) plen 4 #216 [hci0] 667.183599
+ LE Set Scan Enable (0x08|0x000c) ncmd 1
+ Status: Success (0x00)
+< HCI Command: LE Set Random Address (0x08|0x0005) plen 6 #217 [hci0] 667.183645
+ Address: 7C:C1:57:A5:B7:A8 (Resolvable)
+ Identity type: Random (0x01)
+ Identity: F4:28:73:5D:38:B0 (Static)
+> HCI Event: Command Complete (0x0e) plen 4 #218 [hci0] 667.184590
+ LE Set Random Address (0x08|0x0005) ncmd 1
+ Status: Success (0x00)
+< HCI Command: LE Create Connection (0x08|0x000d) plen 25 #219 [hci0] 667.184613
+ Scan interval: 60.000 msec (0x0060)
+ Scan window: 60.000 msec (0x0060)
+ Filter policy: White list is not used (0x00)
+ Peer address type: Random (0x01)
+ Peer address: 50:52:D9:A6:48:A0 (Resolvable)
+ Identity type: Public (0x00)
+ Identity: 11:22:33:44:55:66 (OUI 11-22-33)
+ Own address type: Random (0x01)
+ Min connection interval: 30.00 msec (0x0018)
+ Max connection interval: 50.00 msec (0x0028)
+ Connection latency: 0 (0x0000)
+ Supervision timeout: 420 msec (0x002a)
+ Min connection length: 0.000 msec (0x0000)
+ Max connection length: 0.000 msec (0x0000)
+> HCI Event: Command Status (0x0f) plen 4 #220 [hci0] 667.186558
+ LE Create Connection (0x08|0x000d) ncmd 1
+ Status: Success (0x00)
+> HCI Event: LE Meta Event (0x3e) plen 19 #221 [hci0] 667.485824
+ LE Connection Complete (0x01)
+ Status: Success (0x00)
+ Handle: 0
+ Role: Master (0x00)
+ Peer address type: Random (0x01)
+ Peer address: 50:52:D9:A6:48:A0 (Resolvable)
+ Identity type: Public (0x00)
+ Identity: 11:22:33:44:55:66 (OUI 11-22-33)
+ Connection interval: 50.00 msec (0x0028)
+ Connection latency: 0 (0x0000)
+ Supervision timeout: 420 msec (0x002a)
+ Master clock accuracy: 0x07
+@ MGMT Event: Device Connected (0x000b) plen 13 {0x0002} [hci0] 667.485996
+ LE Address: 11:22:33:44:55:66 (OUI 11-22-33)
+ Flags: 0x00000000
+ Data length: 0
+
+Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/net/bluetooth/hci_core.h | 2 +-
+ net/bluetooth/hci_conn.c | 27 ++++++++++++++++++++-------
+ net/bluetooth/hci_event.c | 15 +++++++++++----
+ 3 files changed, 32 insertions(+), 12 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 1878d0a96333..876688b5a356 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -878,7 +878,7 @@ struct hci_conn *hci_connect_le_scan(struct hci_dev *hdev, bdaddr_t *dst,
+ u16 conn_timeout, u8 role);
+ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
+ u8 dst_type, u8 sec_level, u16 conn_timeout,
+- u8 role);
++ u8 role, bdaddr_t *direct_rpa);
+ struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
+ u8 sec_level, u8 auth_type);
+ struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 24e9410923d0..80be0ee17ff3 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -708,7 +708,8 @@ static void create_le_conn_complete(struct hci_dev *hdev, u8 status, u16 opcode)
+ }
+
+ static void hci_req_add_le_create_conn(struct hci_request *req,
+- struct hci_conn *conn)
++ struct hci_conn *conn,
++ bdaddr_t *direct_rpa)
+ {
+ struct hci_cp_le_create_conn cp;
+ struct hci_dev *hdev = conn->hdev;
+@@ -716,11 +717,23 @@ static void hci_req_add_le_create_conn(struct hci_request *req,
+
+ memset(&cp, 0, sizeof(cp));
+
+- /* Update random address, but set require_privacy to false so
+- * that we never connect with an non-resolvable address.
++ /* If direct address was provided we use it instead of current
++ * address.
+ */
+- if (hci_update_random_address(req, false, &own_addr_type))
+- return;
++ if (direct_rpa) {
++ if (bacmp(&req->hdev->random_addr, direct_rpa))
++ hci_req_add(req, HCI_OP_LE_SET_RANDOM_ADDR, 6,
++ direct_rpa);
++
++ /* direct address is always RPA */
++ own_addr_type = ADDR_LE_DEV_RANDOM;
++ } else {
++ /* Update random address, but set require_privacy to false so
++ * that we never connect with an non-resolvable address.
++ */
++ if (hci_update_random_address(req, false, &own_addr_type))
++ return;
++ }
+
+ /* Set window to be the same value as the interval to enable
+ * continuous scanning.
+@@ -782,7 +795,7 @@ static void hci_req_directed_advertising(struct hci_request *req,
+
+ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
+ u8 dst_type, u8 sec_level, u16 conn_timeout,
+- u8 role)
++ u8 role, bdaddr_t *direct_rpa)
+ {
+ struct hci_conn_params *params;
+ struct hci_conn *conn, *conn_unfinished;
+@@ -913,7 +926,7 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
+ hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
+ }
+
+- hci_req_add_le_create_conn(&req, conn);
++ hci_req_add_le_create_conn(&req, conn, direct_rpa);
+
+ create_conn:
+ err = hci_req_run(&req, create_le_conn_complete);
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index d57c11c1c6b5..d40d32a2c12d 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -4632,7 +4632,8 @@ static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
+ /* This function requires the caller holds hdev->lock */
+ static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
+ bdaddr_t *addr,
+- u8 addr_type, u8 adv_type)
++ u8 addr_type, u8 adv_type,
++ bdaddr_t *direct_rpa)
+ {
+ struct hci_conn *conn;
+ struct hci_conn_params *params;
+@@ -4683,7 +4684,8 @@ static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
+ }
+
+ conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
+- HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER);
++ HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER,
++ direct_rpa);
+ if (!IS_ERR(conn)) {
+ /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
+ * by higher layer that tried to connect, if no then
+@@ -4780,8 +4782,13 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
+ bdaddr_type = irk->addr_type;
+ }
+
+- /* Check if we have been requested to connect to this device */
+- conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type);
++ /* Check if we have been requested to connect to this device.
++ *
++ * direct_addr is set only for directed advertising reports (it is NULL
++ * for advertising reports) and is already verified to be RPA above.
++ */
++ conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
++ direct_addr);
+ if (conn && type == LE_ADV_IND) {
+ /* Store report for later inclusion by
+ * mgmt_device_connected
+--
+2.18.0
+
diff --git a/patches.kernel.org/4.4.139-106-Linux-4.4.139.patch b/patches.kernel.org/4.4.139-106-Linux-4.4.139.patch
new file mode 100644
index 0000000000..21ec11eb1e
--- /dev/null
+++ b/patches.kernel.org/4.4.139-106-Linux-4.4.139.patch
@@ -0,0 +1,27 @@
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 3 Jul 2018 11:21:35 +0200
+Subject: [PATCH] Linux 4.4.139
+References: bnc#1012382
+Patch-mainline: 4.4.139
+Git-commit: 16af098616e73b39c4d98b0d4358cc29a9539c98
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 1a8c0fc6b997..20a11fd36656 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 138
++SUBLEVEL = 139
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+
+--
+2.18.0
+
diff --git a/patches.suse/btrfs-0287-fix-race-between-block-group-relocation-and-no.patch b/patches.suse/btrfs-0287-fix-race-between-block-group-relocation-and-no.patch
index 27fb096b0c..1745d45377 100644
--- a/patches.suse/btrfs-0287-fix-race-between-block-group-relocation-and-no.patch
+++ b/patches.suse/btrfs-0287-fix-race-between-block-group-relocation-and-no.patch
@@ -187,17 +187,17 @@ Signed-off-by: David Sterba <dsterba@suse.cz>
switch (flags) {
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
-@@ -1382,6 +1382,9 @@ next_slot:
- */
- if (csum_exist_in_range(root, disk_bytenr, num_bytes))
+@@ -1412,6 +1412,9 @@ next_slot:
+ WARN_ON_ONCE(nolock);
goto out_check;
+ }
+ if (!btrfs_inc_nocow_writers(root->fs_info,
+ disk_bytenr))
+ goto out_check;
nocow = 1;
} else if (extent_type == BTRFS_FILE_EXTENT_INLINE) {
extent_end = found_key.offset +
-@@ -1396,6 +1399,9 @@ out_check:
+@@ -1426,6 +1429,9 @@ out_check:
path->slots[0]++;
if (!nolock && nocow)
btrfs_end_write_no_snapshoting(root);
@@ -207,7 +207,7 @@ Signed-off-by: David Sterba <dsterba@suse.cz>
goto next_slot;
}
if (!nocow) {
-@@ -1416,6 +1422,9 @@ out_check:
+@@ -1446,6 +1452,9 @@ out_check:
if (ret) {
if (!nolock && nocow)
btrfs_end_write_no_snapshoting(root);
@@ -217,7 +217,7 @@ Signed-off-by: David Sterba <dsterba@suse.cz>
goto error;
}
cow_start = (u64)-1;
-@@ -1458,6 +1467,8 @@ out_check:
+@@ -1488,6 +1497,8 @@ out_check:
ret = btrfs_add_ordered_extent(inode, cur_offset, disk_bytenr,
num_bytes, num_bytes, type);
@@ -226,7 +226,7 @@ Signed-off-by: David Sterba <dsterba@suse.cz>
BUG_ON(ret); /* -ENOMEM */
if (root->root_key.objectid ==
-@@ -7675,7 +7686,8 @@ static int btrfs_get_blocks_direct(struc
+@@ -7738,7 +7749,8 @@ static int btrfs_get_blocks_direct(struc
block_start = em->block_start + (start - em->start);
if (can_nocow_extent(inode, start, &len, &orig_start,
@@ -236,7 +236,7 @@ Signed-off-by: David Sterba <dsterba@suse.cz>
/*
* Create the ordered extent before the extent map. This
-@@ -7690,6 +7702,7 @@ static int btrfs_get_blocks_direct(struc
+@@ -7753,6 +7765,7 @@ static int btrfs_get_blocks_direct(struc
*/
ret = btrfs_add_ordered_extent_dio(inode, start,
block_start, len, len, type);
diff --git a/patches.suse/x86-speculation-Fix-up-array_index_nospec_mask-asm-c.patch b/patches.suse/x86-speculation-Fix-up-array_index_nospec_mask-asm-c.patch
index 3c0bede4c9..e48ce70d45 100644
--- a/patches.suse/x86-speculation-Fix-up-array_index_nospec_mask-asm-c.patch
+++ b/patches.suse/x86-speculation-Fix-up-array_index_nospec_mask-asm-c.patch
@@ -24,7 +24,7 @@ Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+++ b/arch/x86/include/asm/barrier.h
@@ -40,7 +40,7 @@ static inline unsigned long array_index_
- asm ("cmp %1,%2; sbb %0,%0;"
+ asm volatile ("cmp %1,%2; sbb %0,%0;"
:"=r" (mask)
- :"r"(size),"r" (index)
+ :"g"(size),"r" (index)
diff --git a/series.conf b/series.conf
index 637c086e4b..72a7ed9025 100644
--- a/series.conf
+++ b/series.conf
@@ -3306,6 +3306,112 @@
patches.kernel.org/4.4.138-023-Input-elan_i2c-add-ELAN0612-Lenovo-v330-14IKB.patch
patches.kernel.org/4.4.138-024-crypto-vmx-Remove-overly-verbose-printk-from-.patch
patches.kernel.org/4.4.138-025-Linux-4.4.138.patch
+ patches.kernel.org/4.4.139-001-xfrm6-avoid-potential-infinite-loop-in-_decod.patch
+ patches.kernel.org/4.4.139-002-netfilter-ebtables-handle-string-from-userspa.patch
+ patches.kernel.org/4.4.139-003-ipvs-fix-buffer-overflow-with-sync-daemon-and.patch
+ patches.kernel.org/4.4.139-004-atm-zatm-fix-memcmp-casting.patch
+ patches.kernel.org/4.4.139-005-net-qmi_wwan-Add-Netgear-Aircard-779S.patch
+ patches.kernel.org/4.4.139-006-net-sonic-Use-dma_mapping_error.patch
+ patches.kernel.org/4.4.139-007-Revert-Btrfs-fix-scrub-to-repair-raid6-corrup.patch
+ patches.kernel.org/4.4.139-008-tcp-do-not-overshoot-window_clamp-in-tcp_rcv_.patch
+ patches.kernel.org/4.4.139-009-Btrfs-make-raid6-rebuild-retry-more.patch
+ patches.kernel.org/4.4.139-010-usb-musb-fix-remote-wakeup-racing-with-suspen.patch
+ patches.kernel.org/4.4.139-011-bonding-re-evaluate-force_primary-when-the-pr.patch
+ patches.kernel.org/4.4.139-012-tcp-verify-the-checksum-of-the-first-data-seg.patch
+ patches.kernel.org/4.4.139-013-ext4-update-mtime-in-ext4_punch_hole-even-if-.patch
+ patches.kernel.org/4.4.139-014-ext4-fix-fencepost-error-in-check-for-inode-c.patch
+ patches.kernel.org/4.4.139-015-driver-core-Don-t-ignore-class_dir_create_and.patch
+ patches.kernel.org/4.4.139-016-btrfs-scrub-Don-t-use-inode-pages-for-device-.patch
+ patches.kernel.org/4.4.139-017-ALSA-hda-Handle-kzalloc-failure-in-snd_hda_at.patch
+ patches.kernel.org/4.4.139-018-ALSA-hda-add-dock-and-led-support-for-HP-Elit.patch
+ patches.kernel.org/4.4.139-019-ALSA-hda-add-dock-and-led-support-for-HP-ProB.patch
+ patches.kernel.org/4.4.139-020-cpufreq-Fix-new-policy-initialization-during-.patch
+ patches.kernel.org/4.4.139-021-libata-zpodd-make-arrays-cdb-static-reduces-o.patch
+ patches.kernel.org/4.4.139-022-libata-zpodd-small-read-overflow-in-eject_tra.patch
+ patches.kernel.org/4.4.139-023-libata-Drop-SanDisk-SD7UB3Q-G1001-NOLPM-quirk.patch
+ patches.kernel.org/4.4.139-024-w1-mxc_w1-Enable-clock-before-calling-clk_get.patch
+ patches.kernel.org/4.4.139-025-fs-binfmt_misc.c-do-not-allow-offset-overflow.patch
+ patches.kernel.org/4.4.139-026-x86-spectre_v1-Disable-compiler-optimizations.patch
+ patches.kernel.org/4.4.139-027-m68k-mm-Adjust-VM-area-to-be-unmapped-by-gap-.patch
+ patches.kernel.org/4.4.139-028-serial-sh-sci-Use-spin_-try-lock_irqsave-inst.patch
+ patches.kernel.org/4.4.139-029-signal-xtensa-Consistenly-use-SIGBUS-in-do_un.patch
+ patches.kernel.org/4.4.139-030-usb-do-not-reset-if-a-low-speed-or-full-speed.patch
+ patches.kernel.org/4.4.139-031-1wire-family-module-autoload-fails-because-of.patch
+ patches.kernel.org/4.4.139-032-ASoC-dapm-delete-dapm_kcontrol_data-paths-lis.patch
+ patches.kernel.org/4.4.139-033-ASoC-cirrus-i2s-Fix-LRCLK-configuration.patch
+ patches.kernel.org/4.4.139-034-ASoC-cirrus-i2s-Fix-TX-RX-LinCtrlData-setup.patch
+ patches.kernel.org/4.4.139-035-lib-vsprintf-Remove-atomic-unsafe-support-for.patch
+ patches.kernel.org/4.4.139-036-mips-ftrace-fix-static-function-graph-tracing.patch
+ patches.kernel.org/4.4.139-037-branch-check-fix-long-int-truncation-when-pro.patch
+ patches.kernel.org/4.4.139-038-ipmi-bt-Set-the-timeout-before-doing-a-capabi.patch
+ patches.kernel.org/4.4.139-039-Bluetooth-hci_qca-Avoid-missing-rampatch-fail.patch
+ patches.kernel.org/4.4.139-040-fuse-atomic_o_trunc-should-truncate-pagecache.patch
+ patches.kernel.org/4.4.139-041-fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_s.patch
+ patches.kernel.org/4.4.139-042-fuse-fix-control-dir-setup-and-teardown.patch
+ patches.kernel.org/4.4.139-043-powerpc-mm-hash-Add-missing-isync-prior-to-ke.patch
+ patches.kernel.org/4.4.139-044-powerpc-ptrace-Fix-setting-512B-aligned-break.patch
+ patches.kernel.org/4.4.139-045-powerpc-ptrace-Fix-enforcement-of-DAWR-constr.patch
+ patches.kernel.org/4.4.139-046-cpuidle-powernv-Fix-promotion-from-snooze-if-.patch
+ patches.kernel.org/4.4.139-047-powerpc-fadump-Unregister-fadump-on-kexec-dow.patch
+ patches.kernel.org/4.4.139-048-ARM-8764-1-kgdb-fix-NUMREGBYTES-so-that-gdb_r.patch
+ patches.kernel.org/4.4.139-049-of-unittest-for-strings-account-for-trailing-.patch
+ patches.kernel.org/4.4.139-050-IB-qib-Fix-DMA-api-warning-with-debug-kernel.patch
+ patches.kernel.org/4.4.139-051-RDMA-mlx4-Discard-unknown-SQP-work-requests.patch
+ patches.kernel.org/4.4.139-052-mtd-cfi_cmdset_0002-Change-write-buffer-to-ch.patch
+ patches.kernel.org/4.4.139-053-mtd-cfi_cmdset_0002-Use-right-chip-in-do_ppb_.patch
+ patches.kernel.org/4.4.139-054-mtd-cfi_cmdset_0002-fix-SEGV-unlocking-multip.patch
+ patches.kernel.org/4.4.139-055-mtd-cfi_cmdset_0002-Fix-unlocking-requests-cr.patch
+ patches.kernel.org/4.4.139-056-mtd-cfi_cmdset_0002-Avoid-walking-all-chips-w.patch
+ patches.kernel.org/4.4.139-057-MIPS-BCM47XX-Enable-74K-Core-ExternalSync-for.patch
+ patches.kernel.org/4.4.139-058-PCI-pciehp-Clear-Presence-Detect-and-Data-Lin.patch
+ patches.kernel.org/4.4.139-059-MIPS-io-Add-barrier-after-register-read-in-in.patch
+ patches.kernel.org/4.4.139-060-time-Make-sure-jiffies_to_msecs-preserves-non.patch
+ patches.kernel.org/4.4.139-061-Btrfs-fix-clone-vs-chattr-NODATASUM-race.patch
+ patches.kernel.org/4.4.139-062-iio-buffer-make-length-types-match-kfifo-type.patch
+ patches.kernel.org/4.4.139-063-scsi-qla2xxx-Fix-setting-lower-transfer-speed.patch
+ patches.kernel.org/4.4.139-064-scsi-zfcp-fix-missing-SCSI-trace-for-result-o.patch
+ patches.kernel.org/4.4.139-065-scsi-zfcp-fix-missing-SCSI-trace-for-retry-of.patch
+ patches.kernel.org/4.4.139-066-scsi-zfcp-fix-misleading-REC-trigger-trace-wh.patch
+ patches.kernel.org/4.4.139-067-scsi-zfcp-fix-missing-REC-trigger-trace-on-te.patch
+ patches.kernel.org/4.4.139-068-scsi-zfcp-fix-missing-REC-trigger-trace-on-te.patch
+ patches.kernel.org/4.4.139-069-scsi-zfcp-fix-missing-REC-trigger-trace-for-a.patch
+ patches.kernel.org/4.4.139-070-scsi-zfcp-fix-missing-REC-trigger-trace-on-en.patch
+ patches.kernel.org/4.4.139-071-linvdimm-pmem-Preserve-read-only-setting-for-.patch
+ patches.kernel.org/4.4.139-072-md-fix-two-problems-with-setting-the-re-add-d.patch
+ patches.kernel.org/4.4.139-073-ubi-fastmap-Cancel-work-upon-detach.patch
+ patches.kernel.org/4.4.139-074-UBIFS-Fix-potential-integer-overflow-in-alloc.patch
+ patches.kernel.org/4.4.139-075-xfrm-Ignore-socket-policies-when-rebuilding-h.patch
+ patches.kernel.org/4.4.139-076-xfrm-skip-policies-marked-as-dead-while-rehas.patch
+ patches.kernel.org/4.4.139-077-backlight-as3711_bl-Fix-Device-Tree-node-look.patch
+ patches.kernel.org/4.4.139-078-backlight-max8925_bl-Fix-Device-Tree-node-loo.patch
+ patches.kernel.org/4.4.139-079-backlight-tps65217_bl-Fix-Device-Tree-node-lo.patch
+ patches.kernel.org/4.4.139-080-mfd-intel-lpss-Program-REMAP-register-in-PIO-.patch
+ patches.kernel.org/4.4.139-081-perf-tools-Fix-symbol-and-object-code-resolut.patch
+ patches.kernel.org/4.4.139-082-perf-intel-pt-Fix-sync_switch-INTEL_PT_SS_NOT.patch
+ patches.kernel.org/4.4.139-083-perf-intel-pt-Fix-decoding-to-accept-CBR-betw.patch
+ patches.kernel.org/4.4.139-084-perf-intel-pt-Fix-MTC-timing-after-overflow.patch
+ patches.kernel.org/4.4.139-085-perf-intel-pt-Fix-Unexpected-indirect-branch-.patch
+ patches.kernel.org/4.4.139-086-perf-intel-pt-Fix-packet-decoding-of-CYC-pack.patch
+ patches.kernel.org/4.4.139-087-media-v4l2-compat-ioctl32-prevent-go-past-max.patch
+ patches.kernel.org/4.4.139-088-media-cx231xx-Add-support-for-AverMedia-DVD-E.patch
+ patches.kernel.org/4.4.139-089-media-dvb_frontend-fix-locking-issues-at-dvb_.patch
+ patches.kernel.org/4.4.139-090-nfsd-restrict-rd_maxcount-to-svc_max_payload-.patch
+ patches.kernel.org/4.4.139-091-NFSv4-Fix-possible-1-byte-stack-overflow-in-n.patch
+ patches.kernel.org/4.4.139-092-video-uvesafb-Fix-integer-overflow-in-allocat.patch
+ patches.kernel.org/4.4.139-093-Input-elan_i2c-add-ELAN0618-Lenovo-v330-15IKB.patch
+ patches.kernel.org/4.4.139-094-xen-Remove-unnecessary-BUG_ON-from-__unbind_f.patch
+ patches.kernel.org/4.4.139-095-udf-Detect-incorrect-directory-size.patch
+ patches.kernel.org/4.4.139-096-Input-elan_i2c_smbus-fix-more-potential-stack.patch
+ patches.kernel.org/4.4.139-097-Input-elantech-enable-middle-button-of-touchp.patch
+ patches.kernel.org/4.4.139-098-Input-elantech-fix-V4-report-decoding-for-mod.patch
+ patches.kernel.org/4.4.139-099-ALSA-hda-realtek-Add-a-quirk-for-FSC-ESPRIMO-.patch
+ patches.kernel.org/4.4.139-100-Btrfs-fix-unexpected-cow-in-run_delalloc_noco.patch
+ patches.kernel.org/4.4.139-101-spi-Fix-scatterlist-elements-size-in-spi_map_.patch
+ patches.kernel.org/4.4.139-102-block-Fix-transfer-when-chunk-sectors-exceeds.patch
+ patches.kernel.org/4.4.139-103-dm-thin-handle-running-out-of-data-space-vs-c.patch
+ patches.kernel.org/4.4.139-104-cdc_ncm-avoid-padding-beyond-end-of-skb.patch
+ patches.kernel.org/4.4.139-105-Bluetooth-Fix-connection-if-directed-advertis.patch
+ patches.kernel.org/4.4.139-106-Linux-4.4.139.patch
########################################################
# Build fixes that apply to the vanilla kernel too.
@@ -3981,7 +4087,6 @@
# x86_64/i386 biarch
########################################################
patches.suse/x86-speculation-Fix-up-array_index_nospec_mask-asm-c.patch
- patches.suse/x86-spectre_v1-Disable-compiler-optimizations-over-a.patch
# fate#321909: Add KNM model
patches.arch/x86-cpu-intel-add-knights-mill-to-intel-family.patch
# Upstream commit c8b5db7de66b75330a96f9f1ad7376b89646c953
@@ -6151,14 +6256,6 @@
patches.arch/s390-dasd-configurable-IFCC-handling.patch
- # bsc#1099713 - SLES 12 SP3 - IBM LTC System z maintenance kernel patches (#17)
- patches.arch/s390-sles12sp3-17-01-01-zfcp-missing-SCSI-trace-result-eh_host_reset.patch
- patches.arch/s390-sles12sp3-17-01-02-zfcp-missing-SCSI-trace-retry-abort-TMF.patch
- patches.arch/s390-sles12sp3-17-01-03-zfcp-misleading-REC-trig-trace-erp-setup-failed.patch
- patches.arch/s390-sles12sp3-17-01-04-zfcp-missing-REC-trig-trace-t_rport_io-early-ret.patch
- patches.arch/s390-sles12sp3-17-01-05-zfcp-missing-REC-trig-trace-t_rport_io-ERP_FAILED.patch
- patches.arch/s390-sles12sp3-17-01-06-zfcp-missing-REC-trig-trace-all-objects-ERP_FAILED.patch
- patches.arch/s390-sles12sp3-17-01-07-zfcp-missing-REC-trig-trace-enqueue-no-ERP-thread.patch
########################################################
# arch misc patches
@@ -6379,6 +6476,7 @@
patches.suse/mm-madvise-ensure-poisoned-pages-are-removed-from-per-cpu-lists.patch
patches.suse/mm-page_alloc.c-apply-gfp_allowed_mask-before-the-first-allocation-attempt.patch
+ patches.fixes/Fix-up-non-directory-creation-in-SGID-directories.patch
# MADV_FREE
patches.suse/mm-support-madvise-MADV_FREE.patch
@@ -8002,7 +8100,6 @@
patches.fixes/0003-f2fs-cover-more-area-with-nat_tree_lock.patch
patches.fixes/0004-f2fs-fix-race-condition-in-between-free-nid-allocato.patch
patches.fixes/jfs-fix-inconsistency-between-memory-allocation-and-ea_buf-max_size.patch
- patches.fixes/fs-binfmt_misc-c-do-not-allow-offset-overflow.patch
########################################################
# Overlayfs
@@ -8018,6 +8115,9 @@
patches.suse/overlayfs-compat-fix-incorrect-dentry-use-in-ovl_rename2.patch
patches.fixes/ovl-fix-dentry-leak-for-default_permissions.patch
+ patches.fixes/ovl-override-creds-with-the-ones-from-the-superblock.patch
+ patches.fixes/ovl-fix-uid-gid-when-creating-over-whiteout.patch
+ patches.fixes/ovl-fix-random-return-value-on-mount.patch
########################################################
#
@@ -17215,7 +17315,6 @@
patches.drivers/ALSA-hda-realtek-Fix-Dell-headset-Mic-can-t-record
patches.drivers/ALSA-hda-realtek-Clevo-P950ER-ALC1220-Fixup
patches.drivers/ALSA-hda-realtek-Fix-pop-noise-on-Lenovo-P50-co
- patches.drivers/ALSA-hda-realtek-Add-a-quirk-for-FSC-ESPRIMO-U9210
patches.drivers/ALSA-hda-realtek-Reorder-ALC269-ASUS-quirk-entries
patches.drivers/ALSA-hda-realtek-Limit-mic-boost-on-T480
patches.drivers/ALSA-hda-realtek-Make-dock-sound-work-on-ThinkPad-L5
@@ -17227,8 +17326,6 @@
patches.drivers/ALSA-hda-realtek-Fix-the-problem-of-two-front-mics-o
patches.drivers/ALSA-hda-realtek-Fix-mic-and-headset-jack-sense-on-A
patches.drivers/ALSA-hda-add-a-new-condition-to-check-if-it-is-think
- patches.drivers/ALSA-hda-add-dock-and-led-support-for-HP-EliteBook-8
- patches.drivers/ALSA-hda-add-dock-and-led-support-for-HP-ProBook-640
patches.drivers/ALSA-hda-Enable-power_save_node-for-CX20722
patches.drivers/ALSA-hda-silence-uninitialized-variable-warning-in-a
patches.drivers/ALSA-hda-Fix-pincfg-at-resume-on-Lenovo-T470-dock
@@ -17919,7 +18016,6 @@
# bsc#1085402
patches.fixes/0001-md-cluster-fix-wrong-condition-check-in-raid1_write_.patch
- patches.fixes/0003-md-fix-two-problems-with-setting-the-re-add-device-s.patch
##########################################################
# NVDIMM