Home Home > GIT Browse > SLE12-SP4
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohannes Thumshirn <jthumshirn@suse.de>2019-05-20 09:51:11 +0200
committerJohannes Thumshirn <jthumshirn@suse.de>2019-05-20 09:51:11 +0200
commit57e9c31f0c46a9738cddb800d4e7a26aa506c361 (patch)
tree76e5a0b3dc622579a9d691b00df3a1eef487ef6c
parent302584947af0c5d744dbc303185f92914acbf1bd (diff)
parent1d28cd14e0a05e8f6cd8043f44ded7f8d09ed007 (diff)
Merge remote-tracking branch 'origin/SLE15' into SLE12-SP4
Conflicts: series.conf
-rw-r--r--blacklist.conf1
-rw-r--r--patches.drivers/ALSA-hda-Use-a-macro-for-snd_array-iteration-loops.patch422
-rw-r--r--patches.drivers/ALSA-hda-realtek-Avoid-superfluous-COEF-EAPD-setups.patch143
-rw-r--r--patches.drivers/ALSA-hda-realtek-Corrected-fixup-for-System76-Gazell.patch43
-rw-r--r--patches.drivers/ALSA-hda-realtek-Fix-for-Lenovo-B50-70-inverted-inte.patch44
-rw-r--r--patches.drivers/ALSA-hda-realtek-Fixup-headphone-noise-via-runtime-s.patch113
-rw-r--r--patches.drivers/HID-input-add-mapping-for-Expose-Overview-key.patch39
-rw-r--r--patches.drivers/HID-input-add-mapping-for-Toggle-Display-key.patch41
-rw-r--r--patches.drivers/HID-input-add-mapping-for-keyboard-Brightness-Up-Dow.patch36
-rw-r--r--patches.drivers/Input-elan_i2c-add-hardware-ID-for-multiple-Lenovo-l.patch70
-rw-r--r--patches.drivers/Input-synaptics-rmi4-fix-possible-double-free.patch47
-rw-r--r--patches.drivers/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch35
-rw-r--r--patches.drivers/leds-pwm-silently-error-out-on-EPROBE_DEFER.patch38
-rw-r--r--patches.drivers/media-atmel-atmel-isc-fix-INIT_WORK-misplacement.patch46
-rw-r--r--patches.drivers/media-davinci-vpbe-array-underflow-in-vpbe_enum_outp.patch54
-rw-r--r--patches.drivers/media-omap_vout-potential-buffer-overflow-in-vidioc_.patch68
-rw-r--r--patches.drivers/power-supply-axp20x_usb_power-Fix-typo-in-VBUS-curre.patch66
-rw-r--r--patches.drivers/power-supply-axp288_charger-Fix-unchecked-return-val.patch46
-rw-r--r--patches.drivers/spi-Micrel-eth-switch-declare-missing-of-table.patch65
-rw-r--r--patches.drivers/spi-ST-ST95HF-NFC-declare-missing-of-table.patch57
-rw-r--r--patches.drivers/thermal-cpu_cooling-Actually-trace-CPU-load-in-therm.patch58
-rw-r--r--patches.drm/drm-bridge-adv7511-Fix-low-refresh-rate-selection.patch51
-rw-r--r--patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch139
-rw-r--r--patches.drm/drm-i915-Downgrade-Gen9-Plane-WM-latency-error.patch41
-rw-r--r--patches.drm/drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch55
-rw-r--r--patches.drm/drm-imx-don-t-skip-DP-channel-disable-for-background.patch34
-rw-r--r--patches.drm/drm-rockchip-fix-for-mailbox-read-validation.patch39
-rw-r--r--patches.drm/gpu-ipu-v3-dp-fix-CSC-handling.patch71
-rw-r--r--patches.fixes/0001-netlink-fix-uninit-value-in-netlink_sendmsg.patch36
-rw-r--r--patches.fixes/0001-packet-fix-reserve-calculation.patch49
-rw-r--r--patches.fixes/0002-net-fix-rtnh_ok.patch40
-rw-r--r--patches.fixes/0002-packet-reset-network-header-if-packet-shorter-than-l.patch37
-rw-r--r--patches.fixes/0003-l2tp-fix-missing-refcount-drop-in-pppol2tp_tunnel_io.patch48
-rw-r--r--patches.fixes/0003-net-initialize-skb-peeked-when-cloning.patch35
-rw-r--r--patches.fixes/0004-net-fix-uninit-value-in-__hw_addr_add_ex.patch57
-rw-r--r--patches.fixes/0004-rxrpc-Fix-transport-sockopts-to-get-IPv4-errors-on-a.patch82
-rw-r--r--patches.fixes/0005-inetpeer-fix-uninit-value-in-inet_getpeer.patch119
-rw-r--r--patches.fixes/0006-ipvs-fix-rtnl_lock-lockups-caused-by-start_sync_thre.patch641
-rw-r--r--patches.fixes/0007-netfilter-nf_tables-can-t-fail-after-linking-rule-in.patch112
-rw-r--r--patches.fixes/0008-rxrpc-Fix-error-reception-on-AF_INET6-sockets.patch95
-rw-r--r--patches.fixes/0009-packet-in-packet_snd-start-writing-at-link-layer-all.patch59
-rw-r--r--patches.fixes/0010-ipvs-fix-stats-update-from-local-clients.patch124
-rw-r--r--patches.fixes/0011-tcp-purge-write-queue-in-tcp_connect_init.patch90
-rw-r--r--patches.fixes/0012-net-test-tailroom-before-appending-to-linear-skb.patch58
-rw-r--r--patches.fixes/0013-net-Fix-a-bug-in-removing-queues-from-XPS-map.patch35
-rw-r--r--patches.fixes/0014-netfilter-nf_tables-fix-NULL-pointer-dereference-on-.patch164
-rw-r--r--patches.fixes/0015-netfilter-ebtables-handle-string-from-userspace-with.patch102
-rw-r--r--patches.fixes/0016-ipvs-fix-buffer-overflow-with-sync-daemon-and-servic.patch147
-rw-r--r--patches.fixes/0017-xfrm6-avoid-potential-infinite-loop-in-_decode_sessi.patch100
-rw-r--r--patches.fixes/0018-sctp-fix-identification-of-new-acks-for-SFR-CACC.patch120
-rw-r--r--patches.fixes/0019-ip_tunnel-Fix-name-string-concatenate-in-__ip_tunnel.patch39
-rw-r--r--patches.fixes/0020-netfilter-nf_tables-check-msg_type-before-nft_trans_.patch145
-rw-r--r--patches.fixes/0022-ipvs-fix-check-on-xmit-to-non-local-addresses.patch42
-rw-r--r--patches.fixes/0023-netfilter-ebtables-reject-non-bridge-targets.patch66
-rw-r--r--patches.fixes/0024-netfilter-x_tables-initialise-match-target-check-par.patch77
-rw-r--r--patches.fixes/0025-l2tp-only-accept-PPP-sessions-in-pppol2tp_connect.patch40
-rw-r--r--patches.fixes/0026-l2tp-prevent-pppol2tp_connect-from-creating-kernel-s.patch49
-rw-r--r--patches.fixes/0027-l2tp-filter-out-non-PPP-sessions-in-pppol2tp_tunnel_.patch41
-rw-r--r--patches.fixes/0028-ipv6-mcast-fix-unsolicited-report-interval-after-rec.patch60
-rw-r--r--patches.fixes/0038-xfs-split-xfs_bmap_shift_extents.patch32
-rw-r--r--patches.fixes/ACPI-button-reinitialize-button-state-upon-resume.patch46
-rw-r--r--patches.fixes/ACPI-utils-Drop-reference-in-test-for-device-presenc.patch35
-rw-r--r--patches.fixes/ACPICA-AML-interpreter-add-region-addresses-in-globa.patch49
-rw-r--r--patches.fixes/ACPICA-Namespace-remove-address-node-from-global-lis.patch66
-rw-r--r--patches.fixes/appletalk-Fix-compile-regression.patch71
-rw-r--r--patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch204
-rw-r--r--patches.fixes/configfs-fix-possible-use-after-free-in-configfs_reg.patch134
-rw-r--r--patches.fixes/crypto-caam-fix-caam_dump_sg-that-iterates-through-s.patch40
-rw-r--r--patches.fixes/devres-Align-data-to-ARCH_KMALLOC_MINALIGN.patch62
-rw-r--r--patches.fixes/mISDN-Check-address-length-before-reading-address-fa.patch39
-rw-r--r--patches.fixes/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch49
-rw-r--r--patches.fixes/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch35
-rw-r--r--patches.fixes/nl80211-Add-NL80211_FLAG_CLEAR_SKB-flag-for-other-NL.patch85
-rw-r--r--patches.fixes/team-set-slave-to-promisc-if-team-is-already-in-prom.patch78
-rw-r--r--patches.fixes/vt-always-call-notifier-with-the-console-lock-held.patch32
-rw-r--r--patches.fixes/xfs-add-log-item-pinning-error-injection-tag.patch120
-rw-r--r--patches.fixes/xfs-buffer-lru-reference-count-error-injection-tag.patch137
-rw-r--r--patches.fixes/xfs-check-_btree_check_block-value.patch49
-rw-r--r--patches.fixes/xfs-convert-drop_writes-to-use-the-errortag-mechanis.patch194
-rw-r--r--patches.fixes/xfs-create-block-pointer-check-functions.patch137
-rw-r--r--patches.fixes/xfs-create-inode-pointer-verifiers.patch212
-rw-r--r--patches.fixes/xfs-export-_inobt_btrec_to_irec-and-_ialloc_cluster_.patch111
-rw-r--r--patches.fixes/xfs-export-various-function-for-the-online-scrubber.patch277
-rw-r--r--patches.fixes/xfs-expose-errortag-knobs-via-sysfs.patch244
-rw-r--r--patches.fixes/xfs-fix-unused-variable-warning-in-xfs_buf_set_ref.patch45
-rw-r--r--patches.fixes/xfs-force-summary-counter-recalc-at-next-mount.patch131
-rw-r--r--patches.fixes/xfs-make-errortag-a-per-mountpoint-structure.patch336
-rw-r--r--patches.fixes/xfs-move-error-injection-tags-into-their-own-file.patch425
-rw-r--r--patches.fixes/xfs-refactor-btree-block-header-checking-functions.patch279
-rw-r--r--patches.fixes/xfs-refactor-btree-pointer-checks.patch162
-rw-r--r--patches.fixes/xfs-refactor-unmount-record-write.patch203
-rw-r--r--patches.fixes/xfs-remove-unneeded-parameter-from-XFS_TEST_ERROR.patch306
-rw-r--r--patches.fixes/xfs-rename-MAXPATHLEN-to-XFS_SYMLINK_MAXLEN.patch138
-rw-r--r--patches.fixes/xfs-replace-log_badcrc_factor-knob-with-error-inject.patch158
-rw-r--r--patches.fixes/xfs-sanity-check-the-unused-space-before-trying-to-u.patch321
-rw-r--r--patches.kabi/kabi-protect-ip_options_rcv_srr.patch66
-rw-r--r--patches.kabi/kabi-protect-struct-mlx5_td.patch30
-rw-r--r--patches.suse/bnxt_en-Improve-RX-consumer-index-validity-check.patch54
-rw-r--r--patches.suse/bnxt_en-Reset-device-on-RX-buffer-errors.patch39
-rw-r--r--patches.suse/ip6_tunnel-Match-to-ARPHRD_TUNNEL6-for-dev-type.patch48
-rw-r--r--patches.suse/net-ethtool-not-call-vzalloc-for-zero-sized-memory-r.patch94
-rw-r--r--patches.suse/net-gro-Fix-GRO-flush-when-receiving-a-GSO-packet.patch37
-rw-r--r--patches.suse/net-mlx5-Decrease-default-mr-cache-size.patch55
-rw-r--r--patches.suse/net-mlx5e-Add-a-lock-on-tir-list.patch78
-rw-r--r--patches.suse/net-mlx5e-Fix-error-handling-when-refreshing-TIRs.patch43
-rw-r--r--patches.suse/net-sched-act_sample-fix-divide-by-zero-in-the-traff.patch96
-rw-r--r--patches.suse/net-sched-fix-get-helper-of-the-matchall-cls.patch54
-rw-r--r--patches.suse/sched-do-not-re-read-h_load_next-during-hierarchical-load-calculation.patch11
-rw-r--r--patches.suse/sctp-initialize-_pad-of-sockaddr_in-before-copying-t.patch53
-rw-r--r--patches.suse/tcp-Ensure-DCTCP-reacts-to-losses.patch140
-rw-r--r--patches.suse/vrf-check-accept_source_route-on-the-original-netdev.patch89
-rw-r--r--series.conf111
112 files changed, 10987 insertions, 24 deletions
diff --git a/blacklist.conf b/blacklist.conf
index f3540b02d0..3d39a0ce08 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1116,3 +1116,4 @@ f7a621728a6a23bfd2c6ac4d3e42e1303aefde0f # regulator: missing regulator_lock() A
401e7e88d4ef80188ffa07095ac00456f901b8c4 # base patch missing in SLE12-SP4
98fdaaca9537b997062f1abc0aa87c61b50ce40a # Duplicate of fc89a38d99d4b1b33ca5b0e2329f5ddea02ecfb5: drm/i915/opregion: fix version check
a0f52c3d357af218a9c1f7cd906ab70426176a1a # Duplicate of 16eb0f34cdf4cf04cd92762c7a79f98aa51e053f: drm/i915/opregion: rvda is relative from opregion base in opregion 2.1+
+ed180abba7f1fc3cf04ffa27767b1bcc8e8c842a # sound/hda: breaks kABI
diff --git a/patches.drivers/ALSA-hda-Use-a-macro-for-snd_array-iteration-loops.patch b/patches.drivers/ALSA-hda-Use-a-macro-for-snd_array-iteration-loops.patch
new file mode 100644
index 0000000000..8a80fee511
--- /dev/null
+++ b/patches.drivers/ALSA-hda-Use-a-macro-for-snd_array-iteration-loops.patch
@@ -0,0 +1,422 @@
+From a9c2dfc8527318a27db045cd7ea51e8ecab8c884 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 23 Apr 2018 17:24:56 +0200
+Subject: [PATCH] ALSA: hda - Use a macro for snd_array iteration loops
+Git-commit: a9c2dfc8527318a27db045cd7ea51e8ecab8c884
+Patch-mainline: v4.18-rc1
+References: bsc#1051510
+
+Introduce a new helper macro, snd_array_for_each(), to iterate for
+each snd_array element. It slightly improves the readability than
+lengthy open codes at each place.
+
+Along with it, add const prefix to some obvious places.
+
+There should be no functional changes by this.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ include/sound/hdaudio.h | 5 +++++
+ sound/hda/hdac_regmap.c | 4 ++--
+ sound/pci/hda/hda_auto_parser.c | 10 +++++-----
+ sound/pci/hda/hda_codec.c | 36 ++++++++++++++++++------------------
+ sound/pci/hda/hda_generic.c | 27 +++++++++++++--------------
+ sound/pci/hda/hda_sysfs.c | 20 ++++++++++----------
+ sound/pci/hda/patch_conexant.c | 5 ++---
+ sound/pci/hda/patch_realtek.c | 4 ++--
+ 8 files changed, 57 insertions(+), 54 deletions(-)
+
+diff --git a/include/sound/hdaudio.h b/include/sound/hdaudio.h
+index 06536e01ed94..c052afc27547 100644
+--- a/include/sound/hdaudio.h
++++ b/include/sound/hdaudio.h
+@@ -571,4 +571,9 @@ static inline unsigned int snd_array_index(struct snd_array *array, void *ptr)
+ return (unsigned long)(ptr - array->list) / array->elem_size;
+ }
+
++/* a helper macro to iterate for each snd_array element */
++#define snd_array_for_each(array, idx, ptr) \
++ for ((idx) = 0, (ptr) = (array)->list; (idx) < (array)->used; \
++ (ptr) = snd_array_elem(array, ++(idx)))
++
+ #endif /* __SOUND_HDAUDIO_H */
+diff --git a/sound/hda/hdac_regmap.c b/sound/hda/hdac_regmap.c
+index 47a358fab132..419e285e0226 100644
+--- a/sound/hda/hdac_regmap.c
++++ b/sound/hda/hdac_regmap.c
+@@ -65,10 +65,10 @@ static bool hda_writeable_reg(struct device *dev, unsigned int reg)
+ {
+ struct hdac_device *codec = dev_to_hdac_dev(dev);
+ unsigned int verb = get_verb(reg);
++ const unsigned int *v;
+ int i;
+
+- for (i = 0; i < codec->vendor_verbs.used; i++) {
+- unsigned int *v = snd_array_elem(&codec->vendor_verbs, i);
++ snd_array_for_each(&codec->vendor_verbs, i, v) {
+ if (verb == *v)
+ return true;
+ }
+diff --git a/sound/pci/hda/hda_auto_parser.c b/sound/pci/hda/hda_auto_parser.c
+index d3ea73171a3d..b9a6b66aeb0e 100644
+--- a/sound/pci/hda/hda_auto_parser.c
++++ b/sound/pci/hda/hda_auto_parser.c
+@@ -793,11 +793,11 @@ EXPORT_SYMBOL_GPL(snd_hda_add_verbs);
+ */
+ void snd_hda_apply_verbs(struct hda_codec *codec)
+ {
++ const struct hda_verb **v;
+ int i;
+- for (i = 0; i < codec->verbs.used; i++) {
+- struct hda_verb **v = snd_array_elem(&codec->verbs, i);
++
++ snd_array_for_each(&codec->verbs, i, v)
+ snd_hda_sequence_write(codec, *v);
+- }
+ }
+ EXPORT_SYMBOL_GPL(snd_hda_apply_verbs);
+
+@@ -890,10 +890,10 @@ EXPORT_SYMBOL_GPL(snd_hda_apply_fixup);
+ static bool pin_config_match(struct hda_codec *codec,
+ const struct hda_pintbl *pins)
+ {
++ const struct hda_pincfg *pin;
+ int i;
+
+- for (i = 0; i < codec->init_pins.used; i++) {
+- struct hda_pincfg *pin = snd_array_elem(&codec->init_pins, i);
++ snd_array_for_each(&codec->init_pins, i, pin) {
+ hda_nid_t nid = pin->nid;
+ u32 cfg = pin->cfg;
+ const struct hda_pintbl *t_pins;
+diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
+index 5bc3a7468e17..0aa923d129f5 100644
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -481,9 +481,10 @@ static struct hda_pincfg *look_up_pincfg(struct hda_codec *codec,
+ struct snd_array *array,
+ hda_nid_t nid)
+ {
++ struct hda_pincfg *pin;
+ int i;
+- for (i = 0; i < array->used; i++) {
+- struct hda_pincfg *pin = snd_array_elem(array, i);
++
++ snd_array_for_each(array, i, pin) {
+ if (pin->nid == nid)
+ return pin;
+ }
+@@ -618,14 +619,15 @@ EXPORT_SYMBOL_GPL(snd_hda_codec_get_pin_target);
+ */
+ void snd_hda_shutup_pins(struct hda_codec *codec)
+ {
++ const struct hda_pincfg *pin;
+ int i;
++
+ /* don't shut up pins when unloading the driver; otherwise it breaks
+ * the default pin setup at the next load of the driver
+ */
+ if (codec->bus->shutdown)
+ return;
+- for (i = 0; i < codec->init_pins.used; i++) {
+- struct hda_pincfg *pin = snd_array_elem(&codec->init_pins, i);
++ snd_array_for_each(&codec->init_pins, i, pin) {
+ /* use read here for syncing after issuing each verb */
+ snd_hda_codec_read(codec, pin->nid, 0,
+ AC_VERB_SET_PIN_WIDGET_CONTROL, 0);
+@@ -638,13 +640,14 @@ EXPORT_SYMBOL_GPL(snd_hda_shutup_pins);
+ /* Restore the pin controls cleared previously via snd_hda_shutup_pins() */
+ static void restore_shutup_pins(struct hda_codec *codec)
+ {
++ const struct hda_pincfg *pin;
+ int i;
++
+ if (!codec->pins_shutup)
+ return;
+ if (codec->bus->shutdown)
+ return;
+- for (i = 0; i < codec->init_pins.used; i++) {
+- struct hda_pincfg *pin = snd_array_elem(&codec->init_pins, i);
++ snd_array_for_each(&codec->init_pins, i, pin) {
+ snd_hda_codec_write(codec, pin->nid, 0,
+ AC_VERB_SET_PIN_WIDGET_CONTROL,
+ pin->ctrl);
+@@ -697,8 +700,7 @@ get_hda_cvt_setup(struct hda_codec *codec, hda_nid_t nid)
+ struct hda_cvt_setup *p;
+ int i;
+
+- for (i = 0; i < codec->cvt_setups.used; i++) {
+- p = snd_array_elem(&codec->cvt_setups, i);
++ snd_array_for_each(&codec->cvt_setups, i, p) {
+ if (p->nid == nid)
+ return p;
+ }
+@@ -1076,8 +1078,7 @@ void snd_hda_codec_setup_stream(struct hda_codec *codec, hda_nid_t nid,
+ /* make other inactive cvts with the same stream-tag dirty */
+ type = get_wcaps_type(get_wcaps(codec, nid));
+ list_for_each_codec(c, codec->bus) {
+- for (i = 0; i < c->cvt_setups.used; i++) {
+- p = snd_array_elem(&c->cvt_setups, i);
++ snd_array_for_each(&c->cvt_setups, i, p) {
+ if (!p->active && p->stream_tag == stream_tag &&
+ get_wcaps_type(get_wcaps(c, p->nid)) == type)
+ p->dirty = 1;
+@@ -1140,12 +1141,11 @@ static void really_cleanup_stream(struct hda_codec *codec,
+ static void purify_inactive_streams(struct hda_codec *codec)
+ {
+ struct hda_codec *c;
++ struct hda_cvt_setup *p;
+ int i;
+
+ list_for_each_codec(c, codec->bus) {
+- for (i = 0; i < c->cvt_setups.used; i++) {
+- struct hda_cvt_setup *p;
+- p = snd_array_elem(&c->cvt_setups, i);
++ snd_array_for_each(&c->cvt_setups, i, p) {
+ if (p->dirty)
+ really_cleanup_stream(c, p);
+ }
+@@ -1156,10 +1156,10 @@ static void purify_inactive_streams(struct hda_codec *codec)
+ /* clean up all streams; called from suspend */
+ static void hda_cleanup_all_streams(struct hda_codec *codec)
+ {
++ struct hda_cvt_setup *p;
+ int i;
+
+- for (i = 0; i < codec->cvt_setups.used; i++) {
+- struct hda_cvt_setup *p = snd_array_elem(&codec->cvt_setups, i);
++ snd_array_for_each(&codec->cvt_setups, i, p) {
+ if (p->stream_tag)
+ really_cleanup_stream(codec, p);
+ }
+@@ -2461,10 +2461,10 @@ EXPORT_SYMBOL_GPL(snd_hda_create_dig_out_ctls);
+ struct hda_spdif_out *snd_hda_spdif_out_of_nid(struct hda_codec *codec,
+ hda_nid_t nid)
+ {
++ struct hda_spdif_out *spdif;
+ int i;
+- for (i = 0; i < codec->spdif_out.used; i++) {
+- struct hda_spdif_out *spdif =
+- snd_array_elem(&codec->spdif_out, i);
++
++ snd_array_for_each(&codec->spdif_out, i, spdif) {
+ if (spdif->nid == nid)
+ return spdif;
+ }
+diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c
+index 5cc65093d941..51030f040745 100644
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -264,10 +264,10 @@ static struct nid_path *get_nid_path(struct hda_codec *codec,
+ int anchor_nid)
+ {
+ struct hda_gen_spec *spec = codec->spec;
++ struct nid_path *path;
+ int i;
+
+- for (i = 0; i < spec->paths.used; i++) {
+- struct nid_path *path = snd_array_elem(&spec->paths, i);
++ snd_array_for_each(&spec->paths, i, path) {
+ if (path->depth <= 0)
+ continue;
+ if ((!from_nid || path->path[0] == from_nid) &&
+@@ -325,10 +325,10 @@ EXPORT_SYMBOL_GPL(snd_hda_get_path_from_idx);
+ static bool is_dac_already_used(struct hda_codec *codec, hda_nid_t nid)
+ {
+ struct hda_gen_spec *spec = codec->spec;
++ const struct nid_path *path;
+ int i;
+
+- for (i = 0; i < spec->paths.used; i++) {
+- struct nid_path *path = snd_array_elem(&spec->paths, i);
++ snd_array_for_each(&spec->paths, i, path) {
+ if (path->path[0] == nid)
+ return true;
+ }
+@@ -351,11 +351,11 @@ static bool is_reachable_path(struct hda_codec *codec,
+ static bool is_ctl_used(struct hda_codec *codec, unsigned int val, int type)
+ {
+ struct hda_gen_spec *spec = codec->spec;
++ const struct nid_path *path;
+ int i;
+
+ val &= AMP_VAL_COMPARE_MASK;
+- for (i = 0; i < spec->paths.used; i++) {
+- struct nid_path *path = snd_array_elem(&spec->paths, i);
++ snd_array_for_each(&spec->paths, i, path) {
+ if ((path->ctls[type] & AMP_VAL_COMPARE_MASK) == val)
+ return true;
+ }
+@@ -638,13 +638,13 @@ static bool is_active_nid(struct hda_codec *codec, hda_nid_t nid,
+ {
+ struct hda_gen_spec *spec = codec->spec;
+ int type = get_wcaps_type(get_wcaps(codec, nid));
++ const struct nid_path *path;
+ int i, n;
+
+ if (nid == codec->core.afg)
+ return true;
+
+- for (n = 0; n < spec->paths.used; n++) {
+- struct nid_path *path = snd_array_elem(&spec->paths, n);
++ snd_array_for_each(&spec->paths, n, path) {
+ if (!path->active)
+ continue;
+ if (codec->power_save_node) {
+@@ -2696,10 +2696,10 @@ static const struct snd_kcontrol_new out_jack_mode_enum = {
+ static bool find_kctl_name(struct hda_codec *codec, const char *name, int idx)
+ {
+ struct hda_gen_spec *spec = codec->spec;
++ const struct snd_kcontrol_new *kctl;
+ int i;
+
+- for (i = 0; i < spec->kctls.used; i++) {
+- struct snd_kcontrol_new *kctl = snd_array_elem(&spec->kctls, i);
++ snd_array_for_each(&spec->kctls, i, kctl) {
+ if (!strcmp(kctl->name, name) && kctl->index == idx)
+ return true;
+ }
+@@ -4021,8 +4021,7 @@ static hda_nid_t set_path_power(struct hda_codec *codec, hda_nid_t nid,
+ struct nid_path *path;
+ int n;
+
+- for (n = 0; n < spec->paths.used; n++) {
+- path = snd_array_elem(&spec->paths, n);
++ snd_array_for_each(&spec->paths, n, path) {
+ if (!path->depth)
+ continue;
+ if (path->path[0] == nid ||
+@@ -5831,10 +5830,10 @@ static void init_digital(struct hda_codec *codec)
+ */
+ static void clear_unsol_on_unused_pins(struct hda_codec *codec)
+ {
++ const struct hda_pincfg *pin;
+ int i;
+
+- for (i = 0; i < codec->init_pins.used; i++) {
+- struct hda_pincfg *pin = snd_array_elem(&codec->init_pins, i);
++ snd_array_for_each(&codec->init_pins, i, pin) {
+ hda_nid_t nid = pin->nid;
+ if (is_jack_detectable(codec, nid) &&
+ !snd_hda_jack_tbl_get(codec, nid))
+diff --git a/sound/pci/hda/hda_sysfs.c b/sound/pci/hda/hda_sysfs.c
+index 9b7efece4484..6ec79c58d48d 100644
+--- a/sound/pci/hda/hda_sysfs.c
++++ b/sound/pci/hda/hda_sysfs.c
+@@ -80,10 +80,10 @@ static ssize_t pin_configs_show(struct hda_codec *codec,
+ struct snd_array *list,
+ char *buf)
+ {
++ const struct hda_pincfg *pin;
+ int i, len = 0;
+ mutex_lock(&codec->user_mutex);
+- for (i = 0; i < list->used; i++) {
+- struct hda_pincfg *pin = snd_array_elem(list, i);
++ snd_array_for_each(list, i, pin) {
+ len += sprintf(buf + len, "0x%02x 0x%08x\n",
+ pin->nid, pin->cfg);
+ }
+@@ -217,10 +217,10 @@ static ssize_t init_verbs_show(struct device *dev,
+ char *buf)
+ {
+ struct hda_codec *codec = dev_get_drvdata(dev);
++ const struct hda_verb *v;
+ int i, len = 0;
+ mutex_lock(&codec->user_mutex);
+- for (i = 0; i < codec->init_verbs.used; i++) {
+- struct hda_verb *v = snd_array_elem(&codec->init_verbs, i);
++ snd_array_for_each(&codec->init_verbs, i, v) {
+ len += snprintf(buf + len, PAGE_SIZE - len,
+ "0x%02x 0x%03x 0x%04x\n",
+ v->nid, v->verb, v->param);
+@@ -267,10 +267,10 @@ static ssize_t hints_show(struct device *dev,
+ char *buf)
+ {
+ struct hda_codec *codec = dev_get_drvdata(dev);
++ const struct hda_hint *hint;
+ int i, len = 0;
+ mutex_lock(&codec->user_mutex);
+- for (i = 0; i < codec->hints.used; i++) {
+- struct hda_hint *hint = snd_array_elem(&codec->hints, i);
++ snd_array_for_each(&codec->hints, i, hint) {
+ len += snprintf(buf + len, PAGE_SIZE - len,
+ "%s = %s\n", hint->key, hint->val);
+ }
+@@ -280,10 +280,10 @@ static ssize_t hints_show(struct device *dev,
+
+ static struct hda_hint *get_hint(struct hda_codec *codec, const char *key)
+ {
++ struct hda_hint *hint;
+ int i;
+
+- for (i = 0; i < codec->hints.used; i++) {
+- struct hda_hint *hint = snd_array_elem(&codec->hints, i);
++ snd_array_for_each(&codec->hints, i, hint) {
+ if (!strcmp(hint->key, key))
+ return hint;
+ }
+@@ -783,13 +783,13 @@ void snd_hda_sysfs_init(struct hda_codec *codec)
+ void snd_hda_sysfs_clear(struct hda_codec *codec)
+ {
+ #ifdef CONFIG_SND_HDA_RECONFIG
++ struct hda_hint *hint;
+ int i;
+
+ /* clear init verbs */
+ snd_array_free(&codec->init_verbs);
+ /* clear hints */
+- for (i = 0; i < codec->hints.used; i++) {
+- struct hda_hint *hint = snd_array_elem(&codec->hints, i);
++ snd_array_for_each(&codec->hints, i, hint) {
+ kfree(hint->key); /* we don't need to free hint->val */
+ }
+ snd_array_free(&codec->hints);
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index 5b4dbcec6de8..093d2a9ece85 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -588,6 +588,7 @@ static void cxt_fixup_olpc_xo(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+ {
+ struct conexant_spec *spec = codec->spec;
++ struct snd_kcontrol_new *kctl;
+ int i;
+
+ if (action != HDA_FIXUP_ACT_PROBE)
+@@ -606,9 +607,7 @@ static void cxt_fixup_olpc_xo(struct hda_codec *codec,
+ snd_hda_codec_set_pin_target(codec, 0x1a, PIN_VREF50);
+
+ /* override mic boost control */
+- for (i = 0; i < spec->gen.kctls.used; i++) {
+- struct snd_kcontrol_new *kctl =
+- snd_array_elem(&spec->gen.kctls, i);
++ snd_array_for_each(&spec->gen.kctls, i, kctl) {
+ if (!strcmp(kctl->name, "Mic Boost Volume")) {
+ kctl->put = olpc_xo_mic_boost_put;
+ break;
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index aef1f52db7d9..7f2d5b157b75 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -2828,6 +2828,7 @@ static int find_ext_mic_pin(struct hda_codec *codec);
+
+ static void alc286_shutup(struct hda_codec *codec)
+ {
++ const struct hda_pincfg *pin;
+ int i;
+ int mic_pin = find_ext_mic_pin(codec);
+ /* don't shut up pins when unloading the driver; otherwise it breaks
+@@ -2835,8 +2836,7 @@ static void alc286_shutup(struct hda_codec *codec)
+ */
+ if (codec->bus->shutdown)
+ return;
+- for (i = 0; i < codec->init_pins.used; i++) {
+- struct hda_pincfg *pin = snd_array_elem(&codec->init_pins, i);
++ snd_array_for_each(&codec->init_pins, i, pin) {
+ /* use read here for syncing after issuing each verb */
+ if (pin->nid != mic_pin)
+ snd_hda_codec_read(codec, pin->nid, 0,
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-hda-realtek-Avoid-superfluous-COEF-EAPD-setups.patch b/patches.drivers/ALSA-hda-realtek-Avoid-superfluous-COEF-EAPD-setups.patch
new file mode 100644
index 0000000000..5644dd7536
--- /dev/null
+++ b/patches.drivers/ALSA-hda-realtek-Avoid-superfluous-COEF-EAPD-setups.patch
@@ -0,0 +1,143 @@
+From c9af753f26bdf80291eb2c2279b9de1989fbc591 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 10 May 2019 11:01:43 +0200
+Subject: [PATCH] ALSA: hda/realtek - Avoid superfluous COEF EAPD setups
+Git-commit: c9af753f26bdf80291eb2c2279b9de1989fbc591
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Realtek codec driver applied the COEF setups to change the EAPD
+control to the default mode (i.e. control by EPAD verbs) at the init
+callback. It works, but this is too excessive at the same time, since
+it's called at each runtime PM resume. That is, the initialization
+should be done only once after the probe. One may think that moving
+this to the probe should be OK, but no -- there is a catch; when a
+system resumes from S4 (hibernation), we need to re-initialize this
+again manually, because it's out of regcache restoration.
+
+This patch addresses the issue by introducing alc_pre_init() function
+that performs such a task. This is called from each codec probe
+function, and it's called from the resume callback conditionally only
+from S4 resume.
+
+Reported-and-tested-by: Kailang Yang <kailang@realtek.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/patch_realtek.c | 31 ++++++++++++++++++++++++++++++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -509,7 +509,6 @@ static void alc_eapd_shutup(struct hda_c
+ /* generic EAPD initialization */
+ static void alc_auto_init_amp(struct hda_codec *codec, int type)
+ {
+- alc_fill_eapd_coef(codec);
+ alc_auto_setup_eapd(codec, true);
+ alc_write_gpio(codec);
+ switch (type) {
+@@ -837,10 +836,22 @@ static int alc_build_controls(struct hda
+ * Common callbacks
+ */
+
++static void alc_pre_init(struct hda_codec *codec)
++{
++ alc_fill_eapd_coef(codec);
++}
++
++#define is_s4_resume(codec) \
++ ((codec)->core.dev.power.power_state.event == PM_EVENT_RESTORE)
++
+ static int alc_init(struct hda_codec *codec)
+ {
+ struct alc_spec *spec = codec->spec;
+
++ /* hibernation resume needs the full chip initialization */
++ if (is_s4_resume(codec))
++ alc_pre_init(codec);
++
+ if (spec->init_hook)
+ spec->init_hook(codec);
+
+@@ -1556,6 +1567,8 @@ static int patch_alc880(struct hda_codec
+
+ codec->patch_ops.unsol_event = alc880_unsol_event;
+
++ alc_pre_init(codec);
++
+ snd_hda_pick_fixup(codec, alc880_fixup_models, alc880_fixup_tbl,
+ alc880_fixups);
+ snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_PRE_PROBE);
+@@ -1804,6 +1817,8 @@ static int patch_alc260(struct hda_codec
+
+ spec->shutup = alc_eapd_shutup;
+
++ alc_pre_init(codec);
++
+ snd_hda_pick_fixup(codec, alc260_fixup_models, alc260_fixup_tbl,
+ alc260_fixups);
+ snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_PRE_PROBE);
+@@ -2512,6 +2527,8 @@ static int patch_alc882(struct hda_codec
+ break;
+ }
+
++ alc_pre_init(codec);
++
+ snd_hda_pick_fixup(codec, alc882_fixup_models, alc882_fixup_tbl,
+ alc882_fixups);
+ snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_PRE_PROBE);
+@@ -2675,6 +2692,8 @@ static int patch_alc262(struct hda_codec
+ #endif
+ alc_fix_pll_init(codec, 0x20, 0x0a, 10);
+
++ alc_pre_init(codec);
++
+ snd_hda_pick_fixup(codec, alc262_fixup_models, alc262_fixup_tbl,
+ alc262_fixups);
+ snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_PRE_PROBE);
+@@ -2816,6 +2835,8 @@ static int patch_alc268(struct hda_codec
+
+ spec->shutup = alc_eapd_shutup;
+
++ alc_pre_init(codec);
++
+ snd_hda_pick_fixup(codec, alc268_fixup_models, alc268_fixup_tbl, alc268_fixups);
+ snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_PRE_PROBE);
+
+@@ -7518,6 +7539,8 @@ static int patch_alc269(struct hda_codec
+ spec->shutup = alc_default_shutup;
+ spec->init_hook = alc_default_init;
+
++ alc_pre_init(codec);
++
+ snd_hda_pick_fixup(codec, alc269_fixup_models,
+ alc269_fixup_tbl, alc269_fixups);
+ snd_hda_pick_pin_fixup(codec, alc269_pin_fixup_tbl, alc269_fixups);
+@@ -7782,6 +7805,8 @@ static int patch_alc861(struct hda_codec
+ spec->power_hook = alc_power_eapd;
+ #endif
+
++ alc_pre_init(codec);
++
+ snd_hda_pick_fixup(codec, NULL, alc861_fixup_tbl, alc861_fixups);
+ snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_PRE_PROBE);
+
+@@ -7871,6 +7896,8 @@ static int patch_alc861vd(struct hda_cod
+
+ spec->shutup = alc_eapd_shutup;
+
++ alc_pre_init(codec);
++
+ snd_hda_pick_fixup(codec, NULL, alc861vd_fixup_tbl, alc861vd_fixups);
+ snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_PRE_PROBE);
+
+@@ -8592,6 +8619,8 @@ static int patch_alc662(struct hda_codec
+ break;
+ }
+
++ alc_pre_init(codec);
++
+ snd_hda_pick_fixup(codec, alc662_fixup_models,
+ alc662_fixup_tbl, alc662_fixups);
+ snd_hda_pick_pin_fixup(codec, alc662_pin_fixup_tbl, alc662_fixups);
diff --git a/patches.drivers/ALSA-hda-realtek-Corrected-fixup-for-System76-Gazell.patch b/patches.drivers/ALSA-hda-realtek-Corrected-fixup-for-System76-Gazell.patch
new file mode 100644
index 0000000000..1814966393
--- /dev/null
+++ b/patches.drivers/ALSA-hda-realtek-Corrected-fixup-for-System76-Gazell.patch
@@ -0,0 +1,43 @@
+From 891afcf2462d2cc4ef7caf94215358ca61fa32cb Mon Sep 17 00:00:00 2001
+From: Jeremy Soller <jeremy@system76.com>
+Date: Fri, 10 May 2019 10:15:07 -0400
+Subject: [PATCH] ALSA: hda/realtek - Corrected fixup for System76 Gazelle (gaze14)
+Git-commit: 891afcf2462d2cc4ef7caf94215358ca61fa32cb
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+A mistake was made in the identification of the four variants of the
+System76 Gazelle (gaze14). This patch corrects the PCI ID of the
+17-inch, GTX 1660 Ti variant from 0x8560 to 0x8551. This patch also
+adds the correct fixups for the 15-inch and 17-inch GTX 1650 variants
+with PCI IDs 0x8560 and 0x8561.
+
+Tests were done on all four variants ensuring full audio capability.
+
+Fixes: 80a5052db751 ("ALSA: hdea/realtek - Headset fixup for System76 Gazelle (gaze14)")
+Signed-off-by: Jeremy Soller <jeremy@system76.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/patch_realtek.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 2a50e580aa56..3511ea91eae8 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6997,7 +6997,9 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1462, 0xb171, "Cubi N 8GL (MS-B171)", ALC283_FIXUP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1558, 0x1325, "System76 Darter Pro (darp5)", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x8550, "System76 Gazelle (gaze14)", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+- SND_PCI_QUIRK(0x1558, 0x8560, "System76 Gazelle (gaze14)", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0x1558, 0x8551, "System76 Gazelle (gaze14)", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0x1558, 0x8560, "System76 Gazelle (gaze14)", ALC269_FIXUP_HEADSET_MIC),
++ SND_PCI_QUIRK(0x1558, 0x8561, "System76 Gazelle (gaze14)", ALC269_FIXUP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x17aa, 0x1036, "Lenovo P520", ALC233_FIXUP_LENOVO_MULTI_CODECS),
+ SND_PCI_QUIRK(0x17aa, 0x20f2, "Thinkpad SL410/510", ALC269_FIXUP_SKU_IGNORE),
+ SND_PCI_QUIRK(0x17aa, 0x215e, "Thinkpad L512", ALC269_FIXUP_SKU_IGNORE),
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-hda-realtek-Fix-for-Lenovo-B50-70-inverted-inte.patch b/patches.drivers/ALSA-hda-realtek-Fix-for-Lenovo-B50-70-inverted-inte.patch
new file mode 100644
index 0000000000..8d98d5c0bb
--- /dev/null
+++ b/patches.drivers/ALSA-hda-realtek-Fix-for-Lenovo-B50-70-inverted-inte.patch
@@ -0,0 +1,44 @@
+From 56df90b631fc027fe28b70d41352d820797239bb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Wadowski?= <wadosm@gmail.com>
+Date: Tue, 14 May 2019 16:58:00 +0200
+Subject: [PATCH] ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 56df90b631fc027fe28b70d41352d820797239bb
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Add patch for realtek codec in Lenovo B50-70 that fixes inverted
+internal microphone channel.
+Device IdeaPad Y410P has the same PCI SSID as Lenovo B50-70,
+but first one is about fix the noise and it didn't seem help in a
+later kernel version.
+So I replaced IdeaPad Y410P device description with B50-70 and apply
+inverted microphone fix.
+
+Bugzilla: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1524215
+Signed-off-by: Michał Wadowski <wadosm@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 3511ea91eae8..f83f21d64dd4 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -7042,7 +7042,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x17aa, 0x313c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+ SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
+- SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP),
++ SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ SND_PCI_QUIRK(0x17aa, 0x5013, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x17aa, 0x501a, "Thinkpad", ALC283_FIXUP_INT_MIC),
+ SND_PCI_QUIRK(0x17aa, 0x501e, "Thinkpad L440", ALC292_FIXUP_TPT440_DOCK),
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-hda-realtek-Fixup-headphone-noise-via-runtime-s.patch b/patches.drivers/ALSA-hda-realtek-Fixup-headphone-noise-via-runtime-s.patch
new file mode 100644
index 0000000000..8bb6f289b5
--- /dev/null
+++ b/patches.drivers/ALSA-hda-realtek-Fixup-headphone-noise-via-runtime-s.patch
@@ -0,0 +1,113 @@
+From dad3197da7a3817f27bb24f7fd3c135ffa707202 Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Fri, 10 May 2019 16:28:57 +0800
+Subject: [PATCH] ALSA: hda/realtek - Fixup headphone noise via runtime suspend
+Git-commit: dad3197da7a3817f27bb24f7fd3c135ffa707202
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Dell platform with ALC298.
+system enter to runtime suspend. Headphone had noise.
+Let Headset Mic not shutup will solve this issue.
+
+[ Fixed minor coding style issues by tiwai ]
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/patch_realtek.c | 59 +++++++++++++++++++++++++------------------
+ 1 file changed, 35 insertions(+), 24 deletions(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index c53ca589c930..c39f48e02ee9 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -478,12 +478,45 @@ static void alc_auto_setup_eapd(struct hda_codec *codec, bool on)
+ set_eapd(codec, *p, on);
+ }
+
++static int find_ext_mic_pin(struct hda_codec *codec);
++
++static void alc_headset_mic_no_shutup(struct hda_codec *codec)
++{
++ const struct hda_pincfg *pin;
++ int mic_pin = find_ext_mic_pin(codec);
++ int i;
++
++ /* don't shut up pins when unloading the driver; otherwise it breaks
++ * the default pin setup at the next load of the driver
++ */
++ if (codec->bus->shutdown)
++ return;
++
++ snd_array_for_each(&codec->init_pins, i, pin) {
++ /* use read here for syncing after issuing each verb */
++ if (pin->nid != mic_pin)
++ snd_hda_codec_read(codec, pin->nid, 0,
++ AC_VERB_SET_PIN_WIDGET_CONTROL, 0);
++ }
++
++ codec->pins_shutup = 1;
++}
++
+ static void alc_shutup_pins(struct hda_codec *codec)
+ {
+ struct alc_spec *spec = codec->spec;
+
+- if (!spec->no_shutup_pins)
+- snd_hda_shutup_pins(codec);
++ switch (codec->core.vendor_id) {
++ case 0x10ec0286:
++ case 0x10ec0288:
++ case 0x10ec0298:
++ alc_headset_mic_no_shutup(codec);
++ break;
++ default:
++ if (!spec->no_shutup_pins)
++ snd_hda_shutup_pins(codec);
++ break;
++ }
+ }
+
+ /* generic shutup callback;
+@@ -2924,27 +2957,6 @@ static int alc269_parse_auto_config(struct hda_codec *codec)
+ return alc_parse_auto_config(codec, alc269_ignore, ssids);
+ }
+
+-static int find_ext_mic_pin(struct hda_codec *codec);
+-
+-static void alc286_shutup(struct hda_codec *codec)
+-{
+- const struct hda_pincfg *pin;
+- int i;
+- int mic_pin = find_ext_mic_pin(codec);
+- /* don't shut up pins when unloading the driver; otherwise it breaks
+- * the default pin setup at the next load of the driver
+- */
+- if (codec->bus->shutdown)
+- return;
+- snd_array_for_each(&codec->init_pins, i, pin) {
+- /* use read here for syncing after issuing each verb */
+- if (pin->nid != mic_pin)
+- snd_hda_codec_read(codec, pin->nid, 0,
+- AC_VERB_SET_PIN_WIDGET_CONTROL, 0);
+- }
+- codec->pins_shutup = 1;
+-}
+-
+ static void alc269vb_toggle_power_output(struct hda_codec *codec, int power_up)
+ {
+ alc_update_coef_idx(codec, 0x04, 1 << 11, power_up ? (1 << 11) : 0);
+@@ -7736,7 +7748,6 @@ static int patch_alc269(struct hda_codec *codec)
+ case 0x10ec0286:
+ case 0x10ec0288:
+ spec->codec_variant = ALC269_TYPE_ALC286;
+- spec->shutup = alc286_shutup;
+ break;
+ case 0x10ec0298:
+ spec->codec_variant = ALC269_TYPE_ALC298;
+--
+2.16.4
+
diff --git a/patches.drivers/HID-input-add-mapping-for-Expose-Overview-key.patch b/patches.drivers/HID-input-add-mapping-for-Expose-Overview-key.patch
new file mode 100644
index 0000000000..f7893ce1ca
--- /dev/null
+++ b/patches.drivers/HID-input-add-mapping-for-Expose-Overview-key.patch
@@ -0,0 +1,39 @@
+From 96dd86871e1fffbc39e4fa61c9c75ec54ee9af0f Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 18 Jan 2019 13:59:08 -0800
+Subject: [PATCH] HID: input: add mapping for Expose/Overview key
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 96dd86871e1fffbc39e4fa61c9c75ec54ee9af0f
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+According to HUTRR77 usage 0x29f from the consumer page is reserved for
+the Desktop application to present all running user’s application windows.
+Linux defines KEY_SCALE to request Compiz Scale (Expose) mode, so let's
+add the mapping.
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hid/hid-input.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index def58c6aa835..5f800e7b04f2 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -1030,6 +1030,8 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
+ case 0x2cb: map_key_clear(KEY_KBDINPUTASSIST_ACCEPT); break;
+ case 0x2cc: map_key_clear(KEY_KBDINPUTASSIST_CANCEL); break;
+
++ case 0x29f: map_key_clear(KEY_SCALE); break;
++
+ default: map_key_clear(KEY_UNKNOWN);
+ }
+ break;
+--
+2.16.4
+
diff --git a/patches.drivers/HID-input-add-mapping-for-Toggle-Display-key.patch b/patches.drivers/HID-input-add-mapping-for-Toggle-Display-key.patch
new file mode 100644
index 0000000000..106c5c7a36
--- /dev/null
+++ b/patches.drivers/HID-input-add-mapping-for-Toggle-Display-key.patch
@@ -0,0 +1,41 @@
+From c01908a14bf735b871170092807c618bb9dae654 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 18 Jan 2019 14:35:45 -0800
+Subject: [PATCH] HID: input: add mapping for "Toggle Display" key
+Git-commit: c01908a14bf735b871170092807c618bb9dae654
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+According to HUT 1.12 usage 0xb5 from the generic desktop page is reserved
+for switching between external and internal display, so let's add the
+mapping.
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hid/hid-input.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index ecb1b6f26853..da76358cde06 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -677,6 +677,14 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
+ break;
+ }
+
++ if ((usage->hid & 0xf0) == 0xb0) { /* SC - Display */
++ switch (usage->hid & 0xf) {
++ case 0x05: map_key_clear(KEY_SWITCHVIDEOMODE); break;
++ default: goto ignore;
++ }
++ break;
++ }
++
+ /*
+ * Some lazy vendors declare 255 usages for System Control,
+ * leading to the creation of ABS_X|Y axis and too many others.
+--
+2.16.4
+
diff --git a/patches.drivers/HID-input-add-mapping-for-keyboard-Brightness-Up-Dow.patch b/patches.drivers/HID-input-add-mapping-for-keyboard-Brightness-Up-Dow.patch
new file mode 100644
index 0000000000..4c91542c96
--- /dev/null
+++ b/patches.drivers/HID-input-add-mapping-for-keyboard-Brightness-Up-Dow.patch
@@ -0,0 +1,36 @@
+From 7975a1d6a7afeb3eb61c971a153d24dd8fa032f3 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 18 Jan 2019 14:05:52 -0800
+Subject: [PATCH] HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys
+Git-commit: 7975a1d6a7afeb3eb61c971a153d24dd8fa032f3
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+According to HUTRR73 usages 0x79, 0x7a and 0x7c from the consumer page
+correspond to Brightness Up/Down/Toggle keys, so let's add the mappings.
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hid/hid-input.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index 5f800e7b04f2..cebe8a8cce2e 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -900,6 +900,10 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
+ case 0x074: map_key_clear(KEY_BRIGHTNESS_MAX); break;
+ case 0x075: map_key_clear(KEY_BRIGHTNESS_AUTO); break;
+
++ case 0x079: map_key_clear(KEY_KBDILLUMUP); break;
++ case 0x07a: map_key_clear(KEY_KBDILLUMDOWN); break;
++ case 0x07c: map_key_clear(KEY_KBDILLUMTOGGLE); break;
++
+ case 0x082: map_key_clear(KEY_VIDEO_NEXT); break;
+ case 0x083: map_key_clear(KEY_LAST); break;
+ case 0x084: map_key_clear(KEY_ENTER); break;
+--
+2.16.4
+
diff --git a/patches.drivers/Input-elan_i2c-add-hardware-ID-for-multiple-Lenovo-l.patch b/patches.drivers/Input-elan_i2c-add-hardware-ID-for-multiple-Lenovo-l.patch
new file mode 100644
index 0000000000..daab894a07
--- /dev/null
+++ b/patches.drivers/Input-elan_i2c-add-hardware-ID-for-multiple-Lenovo-l.patch
@@ -0,0 +1,70 @@
+From 738c06d0e4562e0acf9f2c7438a22b2d5afc67aa Mon Sep 17 00:00:00 2001
+From: KT Liao <kt.liao@emc.com.tw>
+Date: Tue, 26 Mar 2019 17:28:32 -0700
+Subject: [PATCH] Input: elan_i2c - add hardware ID for multiple Lenovo laptops
+Git-commit: 738c06d0e4562e0acf9f2c7438a22b2d5afc67aa
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+There are many Lenovo laptops which need elan_i2c support, this patch adds
+relevant IDs to the Elan driver so that touchpads are recognized.
+
+Signed-off-by: KT Liao <kt.liao@emc.com.tw>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1225,22 +1225,47 @@ static const struct acpi_device_id elan_
+ { "ELAN0600", 0 },
+ { "ELAN0601", 0 },
+ { "ELAN0602", 0 },
++ { "ELAN0603", 0 },
++ { "ELAN0604", 0 },
+ { "ELAN0605", 0 },
++ { "ELAN0606", 0 },
++ { "ELAN0607", 0 },
+ { "ELAN0608", 0 },
+ { "ELAN0605", 0 },
+ { "ELAN0609", 0 },
+ { "ELAN060B", 0 },
+ { "ELAN060C", 0 },
++ { "ELAN060F", 0 },
++ { "ELAN0610", 0 },
+ { "ELAN0611", 0 },
+ { "ELAN0612", 0 },
++ { "ELAN0615", 0 },
++ { "ELAN0616", 0 },
+ { "ELAN0617", 0 },
+ { "ELAN0618", 0 },
++ { "ELAN0619", 0 },
++ { "ELAN061A", 0 },
++ { "ELAN061B", 0 },
+ { "ELAN061C", 0 },
+ { "ELAN061D", 0 },
+ { "ELAN061E", 0 },
++ { "ELAN061F", 0 },
+ { "ELAN0620", 0 },
+ { "ELAN0621", 0 },
+ { "ELAN0622", 0 },
++ { "ELAN0623", 0 },
++ { "ELAN0624", 0 },
++ { "ELAN0625", 0 },
++ { "ELAN0626", 0 },
++ { "ELAN0627", 0 },
++ { "ELAN0628", 0 },
++ { "ELAN0629", 0 },
++ { "ELAN062A", 0 },
++ { "ELAN062B", 0 },
++ { "ELAN062C", 0 },
++ { "ELAN062D", 0 },
++ { "ELAN0631", 0 },
++ { "ELAN0632", 0 },
+ { "ELAN1000", 0 },
+ { }
+ };
diff --git a/patches.drivers/Input-synaptics-rmi4-fix-possible-double-free.patch b/patches.drivers/Input-synaptics-rmi4-fix-possible-double-free.patch
new file mode 100644
index 0000000000..53b55e4051
--- /dev/null
+++ b/patches.drivers/Input-synaptics-rmi4-fix-possible-double-free.patch
@@ -0,0 +1,47 @@
+From bce1a78423961fce676ac65540a31b6ffd179e6d Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Fri, 19 Apr 2019 07:39:00 +0000
+Subject: [PATCH] Input: synaptics-rmi4 - fix possible double free
+Git-commit: bce1a78423961fce676ac65540a31b6ffd179e6d
+Patch-mainline: v5.1-rc7
+References: bsc#1051510
+
+The RMI4 function structure has been released in rmi_register_function
+if error occurs. However, it will be released again in the function
+rmi_create_function, which may result in a double-free bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/input/rmi4/rmi_driver.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c
+index fc3ab93b7aea..7fb358f96195 100644
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -860,7 +860,7 @@ static int rmi_create_function(struct rmi_device *rmi_dev,
+
+ error = rmi_register_function(fn);
+ if (error)
+- goto err_put_fn;
++ return error;
+
+ if (pdt->function_number == 0x01)
+ data->f01_container = fn;
+@@ -870,10 +870,6 @@ static int rmi_create_function(struct rmi_device *rmi_dev,
+ list_add_tail(&fn->node, &data->function_list);
+
+ return RMI_SCAN_CONTINUE;
+-
+-err_put_fn:
+- put_device(&fn->dev);
+- return error;
+ }
+
+ void rmi_enable_irq(struct rmi_device *rmi_dev, bool clear_wake)
+--
+2.16.4
+
diff --git a/patches.drivers/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch b/patches.drivers/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch
new file mode 100644
index 0000000000..94befeb519
--- /dev/null
+++ b/patches.drivers/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch
@@ -0,0 +1,35 @@
+From 62039b6aef63380ba7a37c113bbaeee8a55c5342 Mon Sep 17 00:00:00 2001
+From: Sven Van Asbroeck <thesven73@gmail.com>
+Date: Sun, 10 Mar 2019 14:58:24 -0400
+Subject: [PATCH] iio: adc: xilinx: fix potential use-after-free on remove
+Git-commit: 62039b6aef63380ba7a37c113bbaeee8a55c5342
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+When cancel_delayed_work() returns, the delayed work may still
+be running. This means that the core could potentially free
+the private structure (struct xadc) while the delayed work
+is still using it. This is a potential use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which waits for
+any residual work to finish before returning.
+
+Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/iio/adc/xilinx-xadc-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/xilinx-xadc-core.c
++++ b/drivers/iio/adc/xilinx-xadc-core.c
+@@ -1299,7 +1299,7 @@ static int xadc_remove(struct platform_d
+ }
+ free_irq(irq, indio_dev);
+ clk_disable_unprepare(xadc->clk);
+- cancel_delayed_work(&xadc->zynq_unmask_work);
++ cancel_delayed_work_sync(&xadc->zynq_unmask_work);
+ kfree(xadc->data);
+ kfree(indio_dev->channels);
+
diff --git a/patches.drivers/leds-pwm-silently-error-out-on-EPROBE_DEFER.patch b/patches.drivers/leds-pwm-silently-error-out-on-EPROBE_DEFER.patch
new file mode 100644
index 0000000000..f690b8f16b
--- /dev/null
+++ b/patches.drivers/leds-pwm-silently-error-out-on-EPROBE_DEFER.patch
@@ -0,0 +1,38 @@
+From 9aec30371fb095a0c9415f3f0146ae269c3713d8 Mon Sep 17 00:00:00 2001
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Thu, 6 Sep 2018 15:59:04 +0200
+Subject: [PATCH] leds: pwm: silently error out on EPROBE_DEFER
+Git-commit: 9aec30371fb095a0c9415f3f0146ae269c3713d8
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+When probing, if we fail to get the pwm due to probe deferal, we shouldn't
+print an error message. Just be silent in this case.
+
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/leds/leds-pwm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/leds/leds-pwm.c b/drivers/leds/leds-pwm.c
+index df80c89ebe7f..5d3faae51d59 100644
+--- a/drivers/leds/leds-pwm.c
++++ b/drivers/leds/leds-pwm.c
+@@ -100,8 +100,9 @@ static int led_pwm_add(struct device *dev, struct led_pwm_priv *priv,
+ led_data->pwm = devm_pwm_get(dev, led->name);
+ if (IS_ERR(led_data->pwm)) {
+ ret = PTR_ERR(led_data->pwm);
+- dev_err(dev, "unable to request PWM for %s: %d\n",
+- led->name, ret);
++ if (ret != -EPROBE_DEFER)
++ dev_err(dev, "unable to request PWM for %s: %d\n",
++ led->name, ret);
+ return ret;
+ }
+
+--
+2.16.4
+
diff --git a/patches.drivers/media-atmel-atmel-isc-fix-INIT_WORK-misplacement.patch b/patches.drivers/media-atmel-atmel-isc-fix-INIT_WORK-misplacement.patch
new file mode 100644
index 0000000000..91b7299f76
--- /dev/null
+++ b/patches.drivers/media-atmel-atmel-isc-fix-INIT_WORK-misplacement.patch
@@ -0,0 +1,46 @@
+From 79199002db5c571e335131856b3ff057ffd9f3c0 Mon Sep 17 00:00:00 2001
+From: Eugen Hristev <eugen.hristev@microchip.com>
+Date: Fri, 12 Apr 2019 06:19:46 -0400
+Subject: [PATCH] media: atmel: atmel-isc: fix INIT_WORK misplacement
+Git-commit: 79199002db5c571e335131856b3ff057ffd9f3c0
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+In case the completion function failes, unbind will be called
+which will call cancel_work for awb_work.
+This will trigger a WARN message from the workqueue.
+To avoid this, move the INIT_WORK call at the start of the completion
+function. This way the work is always initialized, which corresponds
+to the 'always canceled' unbind code.
+
+Fixes: 93d4a26c3d ("[media] atmel-isc: add the isc pipeline function")
+
+Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/platform/atmel/atmel-isc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/platform/atmel/atmel-isc.c
++++ b/drivers/media/platform/atmel/atmel-isc.c
+@@ -1553,6 +1553,8 @@ static int isc_async_complete(struct v4l
+ struct vb2_queue *q = &isc->vb2_vidq;
+ int ret;
+
++ INIT_WORK(&isc->awb_work, isc_awb_work);
++
+ ret = v4l2_device_register_subdev_nodes(&isc->v4l2_dev);
+ if (ret < 0) {
+ v4l2_err(&isc->v4l2_dev, "Failed to register subdev nodes\n");
+@@ -1612,8 +1614,6 @@ static int isc_async_complete(struct v4l
+ return ret;
+ }
+
+- INIT_WORK(&isc->awb_work, isc_awb_work);
+-
+ /* Register video device */
+ strlcpy(vdev->name, ATMEL_ISC_NAME, sizeof(vdev->name));
+ vdev->release = video_device_release_empty;
diff --git a/patches.drivers/media-davinci-vpbe-array-underflow-in-vpbe_enum_outp.patch b/patches.drivers/media-davinci-vpbe-array-underflow-in-vpbe_enum_outp.patch
new file mode 100644
index 0000000000..94c1d793fa
--- /dev/null
+++ b/patches.drivers/media-davinci-vpbe-array-underflow-in-vpbe_enum_outp.patch
@@ -0,0 +1,54 @@
+From b72845ee5577b227131b1fef23f9d9a296621d7b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 24 Apr 2019 05:46:27 -0400
+Subject: [PATCH] media: davinci/vpbe: array underflow in vpbe_enum_outputs()
+Git-commit: b72845ee5577b227131b1fef23f9d9a296621d7b
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+In vpbe_enum_outputs() we check if (temp_index >= cfg->num_outputs) but
+the problem is that "temp_index" can be negative. This patch changes
+the types to unsigned to address this array underflow bug.
+
+Fixes: 66715cdc3224 ("[media] davinci vpbe: VPBE display driver")
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: "Lad, Prabhakar" <prabhakar.csengg@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/platform/davinci/vpbe.c | 2 +-
+ include/media/davinci/vpbe.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/davinci/vpbe.c b/drivers/media/platform/davinci/vpbe.c
+index 8339163a5231..4e24f5d781f4 100644
+--- a/drivers/media/platform/davinci/vpbe.c
++++ b/drivers/media/platform/davinci/vpbe.c
+@@ -104,7 +104,7 @@ static int vpbe_enum_outputs(struct vpbe_device *vpbe_dev,
+ struct v4l2_output *output)
+ {
+ struct vpbe_config *cfg = vpbe_dev->cfg;
+- int temp_index = output->index;
++ unsigned int temp_index = output->index;
+
+ if (temp_index >= cfg->num_outputs)
+ return -EINVAL;
+diff --git a/include/media/davinci/vpbe.h b/include/media/davinci/vpbe.h
+index 5c31a7682492..f76d2f25a824 100644
+--- a/include/media/davinci/vpbe.h
++++ b/include/media/davinci/vpbe.h
+@@ -92,7 +92,7 @@ struct vpbe_config {
+ struct encoder_config_info *ext_encoders;
+ /* amplifier information goes here */
+ struct amp_config_info *amp;
+- int num_outputs;
++ unsigned int num_outputs;
+ /* Order is venc outputs followed by LCD and then external encoders */
+ struct vpbe_output *outputs;
+ };
+--
+2.16.4
+
diff --git a/patches.drivers/media-omap_vout-potential-buffer-overflow-in-vidioc_.patch b/patches.drivers/media-omap_vout-potential-buffer-overflow-in-vidioc_.patch
new file mode 100644
index 0000000000..04f40a3fb0
--- /dev/null
+++ b/patches.drivers/media-omap_vout-potential-buffer-overflow-in-vidioc_.patch
@@ -0,0 +1,68 @@
+From dd6e2a981bfe83aa4a493143fd8cf1edcda6c091 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 11 Apr 2019 05:01:57 -0400
+Subject: [PATCH] media: omap_vout: potential buffer overflow in vidioc_dqbuf()
+Git-commit: dd6e2a981bfe83aa4a493143fd8cf1edcda6c091
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The "b->index" is a u32 the comes from the user in the ioctl. It hasn't
+been checked. We aren't supposed to use it but we're instead supposed
+to use the value that gets written to it when we call videobuf_dqbuf().
+
+The videobuf_dqbuf() first memsets it to zero and then re-initializes it
+inside the videobuf_status() function. It's this final value which we
+want.
+
+Hans Verkuil pointed out that we need to check the return from
+videobuf_dqbuf(). I ended up doing a little cleanup related to that as
+well.
+
+Fixes: 72915e851da9 ("[media] V4L2: OMAP: VOUT: dma map and unmap v4l2 buffers in qbuf and dqbuf")
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/platform/omap/omap_vout.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/media/platform/omap/omap_vout.c b/drivers/media/platform/omap/omap_vout.c
+index 37f0d7146dfa..cb6a9e3946b6 100644
+--- a/drivers/media/platform/omap/omap_vout.c
++++ b/drivers/media/platform/omap/omap_vout.c
+@@ -1527,23 +1527,20 @@ static int vidioc_dqbuf(struct file *file, void *fh, struct v4l2_buffer *b)
+ unsigned long size;
+ struct videobuf_buffer *vb;
+
+- vb = q->bufs[b->index];
+-
+ if (!vout->streaming)
+ return -EINVAL;
+
+- if (file->f_flags & O_NONBLOCK)
+- /* Call videobuf_dqbuf for non blocking mode */
+- ret = videobuf_dqbuf(q, (struct v4l2_buffer *)b, 1);
+- else
+- /* Call videobuf_dqbuf for blocking mode */
+- ret = videobuf_dqbuf(q, (struct v4l2_buffer *)b, 0);
++ ret = videobuf_dqbuf(q, b, !!(file->f_flags & O_NONBLOCK));
++ if (ret)
++ return ret;
++
++ vb = q->bufs[b->index];
+
+ addr = (unsigned long) vout->buf_phy_addr[vb->i];
+ size = (unsigned long) vb->size;
+ dma_unmap_single(vout->vid_dev->v4l2_dev.dev, addr,
+ size, DMA_TO_DEVICE);
+- return ret;
++ return 0;
+ }
+
+ static int vidioc_streamon(struct file *file, void *fh, enum v4l2_buf_type i)
+--
+2.16.4
+
diff --git a/patches.drivers/power-supply-axp20x_usb_power-Fix-typo-in-VBUS-curre.patch b/patches.drivers/power-supply-axp20x_usb_power-Fix-typo-in-VBUS-curre.patch
new file mode 100644
index 0000000000..f842e339af
--- /dev/null
+++ b/patches.drivers/power-supply-axp20x_usb_power-Fix-typo-in-VBUS-curre.patch
@@ -0,0 +1,66 @@
+From c11f0b8f226a411915f8d7467bd554a8c9ceec42 Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Tue, 16 Apr 2019 14:40:19 +0800
+Subject: [PATCH] power: supply: axp20x_usb_power: Fix typo in VBUS current limit macros
+Git-commit: c11f0b8f226a411915f8d7467bd554a8c9ceec42
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The VBUS current limit value macros have VBUS typed as VBUC, while
+the bitmask macro is named correctly. Fix it.
+
+Fixes: 69fb4dcada77 ("power: Add an axp20x-usb-power driver")
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/power/supply/axp20x_usb_power.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/power/supply/axp20x_usb_power.c b/drivers/power/supply/axp20x_usb_power.c
+index f52fe77edb6f..cd9b90d79839 100644
+--- a/drivers/power/supply/axp20x_usb_power.c
++++ b/drivers/power/supply/axp20x_usb_power.c
+@@ -36,10 +36,10 @@
+ #define AXP20X_VBUS_VHOLD_MASK GENMASK(5, 3)
+ #define AXP20X_VBUS_VHOLD_OFFSET 3
+ #define AXP20X_VBUS_CLIMIT_MASK 3
+-#define AXP20X_VBUC_CLIMIT_900mA 0
+-#define AXP20X_VBUC_CLIMIT_500mA 1
+-#define AXP20X_VBUC_CLIMIT_100mA 2
+-#define AXP20X_VBUC_CLIMIT_NONE 3
++#define AXP20X_VBUS_CLIMIT_900mA 0
++#define AXP20X_VBUS_CLIMIT_500mA 1
++#define AXP20X_VBUS_CLIMIT_100mA 2
++#define AXP20X_VBUS_CLIMIT_NONE 3
+
+ #define AXP20X_ADC_EN1_VBUS_CURR BIT(2)
+ #define AXP20X_ADC_EN1_VBUS_VOLT BIT(3)
+@@ -107,19 +107,19 @@ static int axp20x_usb_power_get_property(struct power_supply *psy,
+ return ret;
+
+ switch (v & AXP20X_VBUS_CLIMIT_MASK) {
+- case AXP20X_VBUC_CLIMIT_100mA:
++ case AXP20X_VBUS_CLIMIT_100mA:
+ if (power->axp20x_id == AXP221_ID)
+ val->intval = -1; /* No 100mA limit */
+ else
+ val->intval = 100000;
+ break;
+- case AXP20X_VBUC_CLIMIT_500mA:
++ case AXP20X_VBUS_CLIMIT_500mA:
+ val->intval = 500000;
+ break;
+- case AXP20X_VBUC_CLIMIT_900mA:
++ case AXP20X_VBUS_CLIMIT_900mA:
+ val->intval = 900000;
+ break;
+- case AXP20X_VBUC_CLIMIT_NONE:
++ case AXP20X_VBUS_CLIMIT_NONE:
+ val->intval = -1;
+ break;
+ }
+--
+2.16.4
+
diff --git a/patches.drivers/power-supply-axp288_charger-Fix-unchecked-return-val.patch b/patches.drivers/power-supply-axp288_charger-Fix-unchecked-return-val.patch
new file mode 100644
index 0000000000..115d9f2bb3
--- /dev/null
+++ b/patches.drivers/power-supply-axp288_charger-Fix-unchecked-return-val.patch
@@ -0,0 +1,46 @@
+From c3422ad5f84a66739ec6a37251ca27638c85b6be Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 18 Mar 2019 11:14:39 -0500
+Subject: [PATCH] power: supply: axp288_charger: Fix unchecked return value
+Git-commit: c3422ad5f84a66739ec6a37251ca27638c85b6be
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Currently there is no check on platform_get_irq() return value
+in case it fails, hence never actually reporting any errors and
+causing unexpected behavior when using such value as argument
+for function regmap_irq_get_virq().
+
+Fix this by adding a proper check, a message reporting any errors
+and returning *pirq*
+
+Addresses-coverity-id: 1443940 ("Improper use of negative value")
+Fixes: 843735b788a4 ("power: axp288_charger: axp288 charger driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/power/supply/axp288_charger.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/power/supply/axp288_charger.c b/drivers/power/supply/axp288_charger.c
+index f8c6da9277b3..00b961890a38 100644
+--- a/drivers/power/supply/axp288_charger.c
++++ b/drivers/power/supply/axp288_charger.c
+@@ -833,6 +833,10 @@ static int axp288_charger_probe(struct platform_device *pdev)
+ /* Register charger interrupts */
+ for (i = 0; i < CHRG_INTR_END; i++) {
+ pirq = platform_get_irq(info->pdev, i);
++ if (pirq < 0) {
++ dev_err(&pdev->dev, "Failed to get IRQ: %d\n", pirq);
++ return pirq;
++ }
+ info->irq[i] = regmap_irq_get_virq(info->regmap_irqc, pirq);
+ if (info->irq[i] < 0) {
+ dev_warn(&info->pdev->dev,
+--
+2.16.4
+
diff --git a/patches.drivers/spi-Micrel-eth-switch-declare-missing-of-table.patch b/patches.drivers/spi-Micrel-eth-switch-declare-missing-of-table.patch
new file mode 100644
index 0000000000..2a1715bd58
--- /dev/null
+++ b/patches.drivers/spi-Micrel-eth-switch-declare-missing-of-table.patch
@@ -0,0 +1,65 @@
+From 2f23a2a768bee7ad2ff1e9527c3f7e279e794a46 Mon Sep 17 00:00:00 2001
+From: Daniel Gomez <dagmcr@gmail.com>
+Date: Mon, 22 Apr 2019 21:08:03 +0200
+Subject: [PATCH] spi: Micrel eth switch: declare missing of table
+Git-commit: 2f23a2a768bee7ad2ff1e9527c3f7e279e794a46
+Patch-mainline: v5.1-rc7
+References: bsc#1051510
+
+Add missing <of_device_id> table for SPI driver relying on SPI
+device match since compatible is in a DT binding or in a DTS.
+
+Before this patch:
+modinfo drivers/net/phy/spi_ks8995.ko | grep alias
+Alias: spi:ksz8795
+Alias: spi:ksz8864
+Alias: spi:ks8995
+
+After this patch:
+modinfo drivers/net/phy/spi_ks8995.ko | grep alias
+Alias: of:N*T*Cmicrel,ksz8795C*
+Alias: of:N*T*Cmicrel,ksz8795
+Alias: of:N*T*Cmicrel,ksz8864C*
+Alias: of:N*T*Cmicrel,ksz8864
+Alias: of:N*T*Cmicrel,ks8995C*
+Alias: of:N*T*Cmicrel,ks8995
+
+Reported-by: Javier Martinez Canillas <javier@dowhile0.org>
+Signed-off-by: Daniel Gomez <dagmcr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/phy/spi_ks8995.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/phy/spi_ks8995.c b/drivers/net/phy/spi_ks8995.c
+index 92b64e254b44..7475cef17cf7 100644
+--- a/drivers/net/phy/spi_ks8995.c
++++ b/drivers/net/phy/spi_ks8995.c
+@@ -159,6 +159,14 @@ static const struct spi_device_id ks8995_id[] = {
+ };
+ MODULE_DEVICE_TABLE(spi, ks8995_id);
+
++static const struct of_device_id ks8895_spi_of_match[] = {
++ { .compatible = "micrel,ks8995" },
++ { .compatible = "micrel,ksz8864" },
++ { .compatible = "micrel,ksz8795" },
++ { },
++ };
++MODULE_DEVICE_TABLE(of, ks8895_spi_of_match);
++
+ static inline u8 get_chip_id(u8 val)
+ {
+ return (val >> ID1_CHIPID_S) & ID1_CHIPID_M;
+@@ -526,6 +534,7 @@ static int ks8995_remove(struct spi_device *spi)
+ static struct spi_driver ks8995_driver = {
+ .driver = {
+ .name = "spi-ks8995",
++ .of_match_table = of_match_ptr(ks8895_spi_of_match),
+ },
+ .probe = ks8995_probe,
+ .remove = ks8995_remove,
+--
+2.16.4
+
diff --git a/patches.drivers/spi-ST-ST95HF-NFC-declare-missing-of-table.patch b/patches.drivers/spi-ST-ST95HF-NFC-declare-missing-of-table.patch
new file mode 100644
index 0000000000..2cc18f34ea
--- /dev/null
+++ b/patches.drivers/spi-ST-ST95HF-NFC-declare-missing-of-table.patch
@@ -0,0 +1,57 @@
+From d04830531d0c4a99c897a44038e5da3d23331d2f Mon Sep 17 00:00:00 2001
+From: Daniel Gomez <dagmcr@gmail.com>
+Date: Mon, 22 Apr 2019 21:08:04 +0200
+Subject: [PATCH] spi: ST ST95HF NFC: declare missing of table
+Git-commit: d04830531d0c4a99c897a44038e5da3d23331d2f
+Patch-mainline: v5.1-rc7
+References: bsc#1051510
+
+Add missing <of_device_id> table for SPI driver relying on SPI
+device match since compatible is in a DT binding or in a DTS.
+
+Before this patch:
+modinfo drivers/nfc/st95hf/st95hf.ko | grep alias
+Alias: spi:st95hf
+
+After this patch:
+modinfo drivers/nfc/st95hf/st95hf.ko | grep alias
+Alias: of:N*T*Cst,st95hfC*
+Alias: of:N*T*Cst,st95hf
+
+Reported-by: Javier Martinez Canillas <javier@dowhile0.org>
+Signed-off-by: Daniel Gomez <dagmcr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/nfc/st95hf/core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/nfc/st95hf/core.c b/drivers/nfc/st95hf/core.c
+index 2b26f762fbc3..01acb6e53365 100644
+--- a/drivers/nfc/st95hf/core.c
++++ b/drivers/nfc/st95hf/core.c
+@@ -1074,6 +1074,12 @@ static const struct spi_device_id st95hf_id[] = {
+ };
+ MODULE_DEVICE_TABLE(spi, st95hf_id);
+
++static const struct of_device_id st95hf_spi_of_match[] = {
++ { .compatible = "st,st95hf" },
++ { },
++};
++MODULE_DEVICE_TABLE(of, st95hf_spi_of_match);
++
+ static int st95hf_probe(struct spi_device *nfc_spi_dev)
+ {
+ int ret;
+@@ -1260,6 +1266,7 @@ static struct spi_driver st95hf_driver = {
+ .driver = {
+ .name = "st95hf",
+ .owner = THIS_MODULE,
++ .of_match_table = of_match_ptr(st95hf_spi_of_match),
+ },
+ .id_table = st95hf_id,
+ .probe = st95hf_probe,
+--
+2.16.4
+
diff --git a/patches.drivers/thermal-cpu_cooling-Actually-trace-CPU-load-in-therm.patch b/patches.drivers/thermal-cpu_cooling-Actually-trace-CPU-load-in-therm.patch
new file mode 100644
index 0000000000..2f43967f7e
--- /dev/null
+++ b/patches.drivers/thermal-cpu_cooling-Actually-trace-CPU-load-in-therm.patch
@@ -0,0 +1,58 @@
+From bf45ac18b78038e43af3c1a273cae4ab5704d2ce Mon Sep 17 00:00:00 2001
+From: Matthias Kaehlcke <mka@chromium.org>
+Date: Thu, 2 May 2019 11:32:38 -0700
+Subject: [PATCH] thermal: cpu_cooling: Actually trace CPU load in thermal_power_cpu_get_power
+Git-commit: bf45ac18b78038e43af3c1a273cae4ab5704d2ce
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The CPU load values passed to the thermal_power_cpu_get_power
+tracepoint are zero for all CPUs, unless, unless the
+thermal_power_cpu_limit tracepoint is enabled too:
+
+ irq/41-rockchip-98 [000] .... 290.972410: thermal_power_cpu_get_power:
+ cpus=0000000f freq=1800000 load={{0x0,0x0,0x0,0x0}} dynamic_power=4815
+
+vs
+
+ irq/41-rockchip-96 [000] .... 95.773585: thermal_power_cpu_get_power:
+ cpus=0000000f freq=1800000 load={{0x56,0x64,0x64,0x5e}} dynamic_power=4959
+ irq/41-rockchip-96 [000] .... 95.773596: thermal_power_cpu_limit:
+ cpus=0000000f freq=408000 cdev_state=10 power=416
+
+There seems to be no good reason for omitting the CPU load information
+depending on another tracepoint. My guess is that the intention was to
+check whether thermal_power_cpu_get_power is (still) enabled, however
+'load_cpu != NULL' already indicates that it was at least enabled when
+cpufreq_get_requested_power() was entered, there seems little gain
+from omitting the assignment if the tracepoint was just disabled, so
+just remove the check.
+
+Fixes: 6828a4711f99 ("thermal: add trace events to the power allocator governor")
+Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Acked-by: Javi Merino <javi.merino@kernel.org>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/thermal/cpu_cooling.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/cpu_cooling.c b/drivers/thermal/cpu_cooling.c
+index 9b014d0e8e70..4c5db59a619b 100644
+--- a/drivers/thermal/cpu_cooling.c
++++ b/drivers/thermal/cpu_cooling.c
+@@ -444,7 +444,7 @@ static int cpufreq_get_requested_power(struct thermal_cooling_device *cdev,
+ load = 0;
+
+ total_load += load;
+- if (trace_thermal_power_cpu_limit_enabled() && load_cpu)
++ if (load_cpu)
+ load_cpu[i] = load;
+
+ i++;
+--
+2.16.4
+
diff --git a/patches.drm/drm-bridge-adv7511-Fix-low-refresh-rate-selection.patch b/patches.drm/drm-bridge-adv7511-Fix-low-refresh-rate-selection.patch
new file mode 100644
index 0000000000..e105b76f1c
--- /dev/null
+++ b/patches.drm/drm-bridge-adv7511-Fix-low-refresh-rate-selection.patch
@@ -0,0 +1,51 @@
+From 67793bd3b3948dc8c8384b6430e036a30a0ecb43 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@thinci.com>
+Date: Wed, 24 Apr 2019 13:22:27 +0000
+Subject: [PATCH] drm/bridge: adv7511: Fix low refresh rate selection
+Git-commit: 67793bd3b3948dc8c8384b6430e036a30a0ecb43
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The driver currently sets register 0xfb (Low Refresh Rate) based on the
+value of mode->vrefresh. Firstly, this field is specified to be in Hz,
+but the magic numbers used by the code are Hz * 1000. This essentially
+leads to the low refresh rate always being set to 0x01, since the
+vrefresh value will always be less than 24000. Fix the magic numbers to
+be in Hz.
+Secondly, according to the comment in drm_modes.h, the field is not
+supposed to be used in a functional way anyway. Instead, use the helper
+function drm_mode_vrefresh().
+
+Fixes: 9c8af882bf12 ("drm: Add adv7511 encoder driver")
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Matt Redfearn <matt.redfearn@thinci.com>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190424132210.26338-1-matt.redfearn@thinci.com
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+index ec2ca71e1323..c532e9c9e491 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+@@ -748,11 +748,11 @@ static void adv7511_mode_set(struct adv7511 *adv7511,
+ vsync_polarity = 1;
+ }
+
+- if (mode->vrefresh <= 24000)
++ if (drm_mode_vrefresh(mode) <= 24)
+ low_refresh_rate = ADV7511_LOW_REFRESH_RATE_24HZ;
+- else if (mode->vrefresh <= 25000)
++ else if (drm_mode_vrefresh(mode) <= 25)
+ low_refresh_rate = ADV7511_LOW_REFRESH_RATE_25HZ;
+- else if (mode->vrefresh <= 30000)
++ else if (drm_mode_vrefresh(mode) <= 30)
+ low_refresh_rate = ADV7511_LOW_REFRESH_RATE_30HZ;
+ else
+ low_refresh_rate = ADV7511_LOW_REFRESH_RATE_NONE;
+--
+2.16.4
+
diff --git a/patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch b/patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch
new file mode 100644
index 0000000000..2bcc793cb0
--- /dev/null
+++ b/patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch
@@ -0,0 +1,139 @@
+From 03981c6ebec4fc7056b9b45f847393aeac90d060 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Wed, 14 Nov 2018 19:34:40 +0200
+Subject: [PATCH] drm/i915: Disable LP3 watermarks on all SNB machines
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 03981c6ebec4fc7056b9b45f847393aeac90d060
+Patch-mainline: v5.0-rc1
+References: bsc#1051510
+
+I have a Thinkpad X220 Tablet in my hands that is losing vblank
+interrupts whenever LP3 watermarks are used.
+
+If I nudge the latency value written to the WM3 register just
+by one in either direction the problem disappears. That to me
+suggests that the punit will not enter the corrsponding
+powersave mode (MPLL shutdown IIRC) unless the latency value
+in the register matches exactly what we read from SSKPD. Ie.
+it's not really a latency value but rather just a cookie
+by which the punit can identify the desired power saving state.
+On HSW/BDW this was changed such that we actually just write
+the WM level number into those bits, which makes much more
+sense given the observed behaviour.
+
+We could try to handle this by disallowing LP3 watermarks
+only when vblank interrupts are enabled but we'd first have
+to prove that only vblank interrupts are affected, which
+seems unlikely. Also we can't grab the wm mutex from the
+vblank enable/disable hooks because those are called with
+various spinlocks held. Thus we'd have to redesigne the
+watermark locking. So to play it safe and keep the code
+simple we simply disable LP3 watermarks on all SNB machines.
+
+To do that we simply zero out the latency values for
+watermark level 3, and we adjust the watermark computation
+to check for that. The behaviour now matches that of the
+g4x/vlv/skl wm code in the presence of a zeroed latency
+value.
+
+V2: s/USHRT_MAX/U32_MAX/ for consistency with the types (Chris)
+
+Cc: stable@vger.kernel.org
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Acked-by: Chris Wilson <chris@chris-wilson.co.uk>
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101269
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103713
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181114173440.6730-1-ville.syrjala@linux.intel.com
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/i915/intel_pm.c | 41 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c
+index 27498ded4949..897a791662c5 100644
+--- a/drivers/gpu/drm/i915/intel_pm.c
++++ b/drivers/gpu/drm/i915/intel_pm.c
+@@ -2493,6 +2493,9 @@ static uint32_t ilk_compute_pri_wm(const struct intel_crtc_state *cstate,
+ uint32_t method1, method2;
+ int cpp;
+
++ if (mem_value == 0)
++ return U32_MAX;
++
+ if (!intel_wm_plane_visible(cstate, pstate))
+ return 0;
+
+@@ -2522,6 +2525,9 @@ static uint32_t ilk_compute_spr_wm(const struct intel_crtc_state *cstate,
+ uint32_t method1, method2;
+ int cpp;
+
++ if (mem_value == 0)
++ return U32_MAX;
++
+ if (!intel_wm_plane_visible(cstate, pstate))
+ return 0;
+
+@@ -2545,6 +2551,9 @@ static uint32_t ilk_compute_cur_wm(const struct intel_crtc_state *cstate,
+ {
+ int cpp;
+
++ if (mem_value == 0)
++ return U32_MAX;
++
+ if (!intel_wm_plane_visible(cstate, pstate))
+ return 0;
+
+@@ -3008,6 +3017,34 @@ static void snb_wm_latency_quirk(struct drm_i915_private *dev_priv)
+ intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency);
+ }
+
++static void snb_wm_lp3_irq_quirk(struct drm_i915_private *dev_priv)
++{
++ /*
++ * On some SNB machines (Thinkpad X220 Tablet at least)
++ * LP3 usage can cause vblank interrupts to be lost.
++ * The DEIIR bit will go high but it looks like the CPU
++ * never gets interrupted.
++ *
++ * It's not clear whether other interrupt source could
++ * be affected or if this is somehow limited to vblank
++ * interrupts only. To play it safe we disable LP3
++ * watermarks entirely.
++ */
++ if (dev_priv->wm.pri_latency[3] == 0 &&
++ dev_priv->wm.spr_latency[3] == 0 &&
++ dev_priv->wm.cur_latency[3] == 0)
++ return;
++
++ dev_priv->wm.pri_latency[3] = 0;
++ dev_priv->wm.spr_latency[3] = 0;
++ dev_priv->wm.cur_latency[3] = 0;
++
++ DRM_DEBUG_KMS("LP3 watermarks disabled due to potential for lost interrupts\n");
++ intel_print_wm_latency(dev_priv, "Primary", dev_priv->wm.pri_latency);
++ intel_print_wm_latency(dev_priv, "Sprite", dev_priv->wm.spr_latency);
++ intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency);
++}
++
+ static void ilk_setup_wm_latency(struct drm_i915_private *dev_priv)
+ {
+ intel_read_wm_latency(dev_priv, dev_priv->wm.pri_latency);
+@@ -3024,8 +3061,10 @@ static void ilk_setup_wm_latency(struct drm_i915_private *dev_priv)
+ intel_print_wm_latency(dev_priv, "Sprite", dev_priv->wm.spr_latency);
+ intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency);
+
+- if (IS_GEN6(dev_priv))
++ if (IS_GEN6(dev_priv)) {
+ snb_wm_latency_quirk(dev_priv);
++ snb_wm_lp3_irq_quirk(dev_priv);
++ }
+ }
+
+ static void skl_setup_wm_latency(struct drm_i915_private *dev_priv)
+--
+2.16.4
+
diff --git a/patches.drm/drm-i915-Downgrade-Gen9-Plane-WM-latency-error.patch b/patches.drm/drm-i915-Downgrade-Gen9-Plane-WM-latency-error.patch
new file mode 100644
index 0000000000..0fc56eddf2
--- /dev/null
+++ b/patches.drm/drm-i915-Downgrade-Gen9-Plane-WM-latency-error.patch
@@ -0,0 +1,41 @@
+From 86c1c87d0e6241cbe35bd52badfc84b154e1b959 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Thu, 26 Jul 2018 17:15:27 +0100
+Subject: [PATCH] drm/i915: Downgrade Gen9 Plane WM latency error
+Git-commit: 86c1c87d0e6241cbe35bd52badfc84b154e1b959
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+According to intel_read_wm_latency() it is perfectly legal for one WM
+and all subsequent levels to be 0 (and the deeper powersaving states
+disabled), so don't shout *ERROR*, over and over again.
+
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Ville Syrjala <ville.syrjala@linux.intel.com>
+Acked-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180726161527.10516-1-chris@chris-wilson.co.uk
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/i915/intel_pm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/intel_pm.c b/drivers/gpu/drm/i915/intel_pm.c
+index f175923939ae..8a4152244571 100644
+--- a/drivers/gpu/drm/i915/intel_pm.c
++++ b/drivers/gpu/drm/i915/intel_pm.c
+@@ -2942,8 +2942,8 @@ static void intel_print_wm_latency(struct drm_i915_private *dev_priv,
+ unsigned int latency = wm[level];
+
+ if (latency == 0) {
+- DRM_ERROR("%s WM%d latency not provided\n",
+- name, level);
++ DRM_DEBUG_KMS("%s WM%d latency not provided\n",
++ name, level);
+ continue;
+ }
+
+--
+2.16.4
+
diff --git a/patches.drm/drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch b/patches.drm/drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch
new file mode 100644
index 0000000000..e222d5d735
--- /dev/null
+++ b/patches.drm/drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch
@@ -0,0 +1,55 @@
+From 396dd8143bdd94bd1c358a228a631c8c895a1126 Mon Sep 17 00:00:00 2001
+From: Daniel Drake <drake@endlessm.com>
+Date: Tue, 23 Apr 2019 17:28:10 +0800
+Subject: [PATCH] drm/i915/fbc: disable framebuffer compression on GeminiLake
+Git-commit: 396dd8143bdd94bd1c358a228a631c8c895a1126
+Patch-mainline: v5.2-rc1
+No-fix: 1d25724b41fad7eeb2c3058a5c8190d6ece73e08
+References: bsc#1051510
+
+On many (all?) the Gemini Lake systems we work with, there is frequent
+momentary graphical corruption at the top of the screen, and it seems
+that disabling framebuffer compression can avoid this.
+
+The ticket was reported 6 months ago and has already affected a
+multitude of users, without any real progress being made. So, lets
+disable framebuffer compression on GeminiLake until a solution is found.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108085
+Fixes: fd7d6c5c8f3e ("drm/i915: enable FBC on gen9+ too")
+Cc: Paulo Zanoni <paulo.r.zanoni@intel.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Cc: <stable@vger.kernel.org> # v4.11+
+Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
+Signed-off-by: Daniel Drake <drake@endlessm.com>
+Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190423092810.28359-1-jian-hong@endlessm.com
+(cherry picked from commit 1d25724b41fad7eeb2c3058a5c8190d6ece73e08)
+
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/i915/intel_fbc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/i915/intel_fbc.c b/drivers/gpu/drm/i915/intel_fbc.c
+index c805a0966395..5679f2fffb7c 100644
+--- a/drivers/gpu/drm/i915/intel_fbc.c
++++ b/drivers/gpu/drm/i915/intel_fbc.c
+@@ -1280,6 +1280,10 @@ static int intel_sanitize_fbc_option(struct drm_i915_private *dev_priv)
+ if (!HAS_FBC(dev_priv))
+ return 0;
+
++ /* https://bugs.freedesktop.org/show_bug.cgi?id=108085 */
++ if (IS_GEMINILAKE(dev_priv))
++ return 0;
++
+ if (IS_BROADWELL(dev_priv) || INTEL_GEN(dev_priv) >= 9)
+ return 1;
+
+--
+2.16.4
+
diff --git a/patches.drm/drm-imx-don-t-skip-DP-channel-disable-for-background.patch b/patches.drm/drm-imx-don-t-skip-DP-channel-disable-for-background.patch
new file mode 100644
index 0000000000..e27805258f
--- /dev/null
+++ b/patches.drm/drm-imx-don-t-skip-DP-channel-disable-for-background.patch
@@ -0,0 +1,34 @@
+From 7bcde275eb1d0ac8793c77c7e666a886eb16633d Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Fri, 12 Apr 2019 17:59:41 +0200
+Subject: [PATCH] drm/imx: don't skip DP channel disable for background plane
+Git-commit: 7bcde275eb1d0ac8793c77c7e666a886eb16633d
+Patch-mainline: v5.1-rc7
+References: bsc#1051510
+
+In order to make sure that the plane color space gets reset correctly.
+
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/imx/ipuv3-crtc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/imx/ipuv3-crtc.c b/drivers/gpu/drm/imx/ipuv3-crtc.c
+index ec3602ebbc1c..54011df8c2e8 100644
+--- a/drivers/gpu/drm/imx/ipuv3-crtc.c
++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c
+@@ -71,7 +71,7 @@ static void ipu_crtc_disable_planes(struct ipu_crtc *ipu_crtc,
+ if (disable_partial)
+ ipu_plane_disable(ipu_crtc->plane[1], true);
+ if (disable_full)
+- ipu_plane_disable(ipu_crtc->plane[0], false);
++ ipu_plane_disable(ipu_crtc->plane[0], true);
+ }
+
+ static void ipu_crtc_atomic_disable(struct drm_crtc *crtc,
+--
+2.16.4
+
diff --git a/patches.drm/drm-rockchip-fix-for-mailbox-read-validation.patch b/patches.drm/drm-rockchip-fix-for-mailbox-read-validation.patch
new file mode 100644
index 0000000000..73e6a37375
--- /dev/null
+++ b/patches.drm/drm-rockchip-fix-for-mailbox-read-validation.patch
@@ -0,0 +1,39 @@
+From e4056bbb6719fe713bfc4030ac78e8e97ddf7574 Mon Sep 17 00:00:00 2001
+From: Damian Kos <dkos@cadence.com>
+Date: Mon, 19 Nov 2018 15:14:14 +0000
+Subject: [PATCH] drm/rockchip: fix for mailbox read validation.
+Git-commit: e4056bbb6719fe713bfc4030ac78e8e97ddf7574
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+This is basically the same fix as in
+commit fa68d4f8476b ("drm/rockchip: fix for mailbox read size")
+but for cdn_dp_mailbox_validate_receive function.
+
+See patchwork.kernel.org/patch/10671981/ for details.
+
+Signed-off-by: Damian Kos <dkos@cadence.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/1542640463-18332-1-git-send-email-dkos@cadence.com
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/rockchip/cdn-dp-reg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/rockchip/cdn-dp-reg.c b/drivers/gpu/drm/rockchip/cdn-dp-reg.c
+index 5a485489a1e2..6c8b14fb1d2f 100644
+--- a/drivers/gpu/drm/rockchip/cdn-dp-reg.c
++++ b/drivers/gpu/drm/rockchip/cdn-dp-reg.c
+@@ -113,7 +113,7 @@ static int cdp_dp_mailbox_write(struct cdn_dp_device *dp, u8 val)
+
+ static int cdn_dp_mailbox_validate_receive(struct cdn_dp_device *dp,
+ u8 module_id, u8 opcode,
+- u8 req_size)
++ u16 req_size)
+ {
+ u32 mbox_size, i;
+ u8 header[4];
+--
+2.16.4
+
diff --git a/patches.drm/gpu-ipu-v3-dp-fix-CSC-handling.patch b/patches.drm/gpu-ipu-v3-dp-fix-CSC-handling.patch
new file mode 100644
index 0000000000..088bcd1145
--- /dev/null
+++ b/patches.drm/gpu-ipu-v3-dp-fix-CSC-handling.patch
@@ -0,0 +1,71 @@
+From d4fad0a426c6e26f48c9a7cdd21a7fe9c198d645 Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Fri, 12 Apr 2019 17:59:40 +0200
+Subject: [PATCH] gpu: ipu-v3: dp: fix CSC handling
+Git-commit: d4fad0a426c6e26f48c9a7cdd21a7fe9c198d645
+Patch-mainline: v5.1-rc7
+References: bsc#1051510
+
+Initialize the flow input colorspaces to unknown and reset to that value
+when the channel gets disabled. This avoids the state getting mixed up
+with a previous mode.
+
+Also keep the CSC settings for the background flow intact when disabling
+the foreground flow.
+
+Root-caused-by: Jonathan Marek <jonathan@marek.ca>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/ipu-v3/ipu-dp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/ipu-v3/ipu-dp.c b/drivers/gpu/ipu-v3/ipu-dp.c
+index 9b2b3fa479c4..5e44ff1f2085 100644
+--- a/drivers/gpu/ipu-v3/ipu-dp.c
++++ b/drivers/gpu/ipu-v3/ipu-dp.c
+@@ -195,7 +195,8 @@ int ipu_dp_setup_channel(struct ipu_dp *dp,
+ ipu_dp_csc_init(flow, flow->foreground.in_cs, flow->out_cs,
+ DP_COM_CONF_CSC_DEF_BOTH);
+ } else {
+- if (flow->foreground.in_cs == flow->out_cs)
++ if (flow->foreground.in_cs == IPUV3_COLORSPACE_UNKNOWN ||
++ flow->foreground.in_cs == flow->out_cs)
+ /*
+ * foreground identical to output, apply color
+ * conversion on background
+@@ -261,6 +262,8 @@ void ipu_dp_disable_channel(struct ipu_dp *dp, bool sync)
+ struct ipu_dp_priv *priv = flow->priv;
+ u32 reg, csc;
+
++ dp->in_cs = IPUV3_COLORSPACE_UNKNOWN;
++
+ if (!dp->foreground)
+ return;
+
+@@ -268,8 +271,9 @@ void ipu_dp_disable_channel(struct ipu_dp *dp, bool sync)
+
+ reg = readl(flow->base + DP_COM_CONF);
+ csc = reg & DP_COM_CONF_CSC_DEF_MASK;
+- if (csc == DP_COM_CONF_CSC_DEF_FG)
+- reg &= ~DP_COM_CONF_CSC_DEF_MASK;
++ reg &= ~DP_COM_CONF_CSC_DEF_MASK;
++ if (csc == DP_COM_CONF_CSC_DEF_BOTH || csc == DP_COM_CONF_CSC_DEF_BG)
++ reg |= DP_COM_CONF_CSC_DEF_BG;
+
+ reg &= ~DP_COM_CONF_FG_EN;
+ writel(reg, flow->base + DP_COM_CONF);
+@@ -347,6 +351,8 @@ int ipu_dp_init(struct ipu_soc *ipu, struct device *dev, unsigned long base)
+ mutex_init(&priv->mutex);
+
+ for (i = 0; i < IPUV3_NUM_FLOWS; i++) {
++ priv->flow[i].background.in_cs = IPUV3_COLORSPACE_UNKNOWN;
++ priv->flow[i].foreground.in_cs = IPUV3_COLORSPACE_UNKNOWN;
+ priv->flow[i].foreground.foreground = true;
+ priv->flow[i].base = priv->base + ipu_dp_flow_base[i];
+ priv->flow[i].priv = priv;
+--
+2.16.4
+
diff --git a/patches.fixes/0001-netlink-fix-uninit-value-in-netlink_sendmsg.patch b/patches.fixes/0001-netlink-fix-uninit-value-in-netlink_sendmsg.patch
new file mode 100644
index 0000000000..b46b050f49
--- /dev/null
+++ b/patches.fixes/0001-netlink-fix-uninit-value-in-netlink_sendmsg.patch
@@ -0,0 +1,36 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: netlink: fix uninit-value in netlink_sendmsg
+Patch-mainline: v4.17-rc1
+Git-commit: 6091f09c2f79730d895149bcfe3d66140288cd0e
+References: git-fixes
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in ffs arch/x86/include/asm/bitops.h:432 [inline]
+BUG: KMSAN: uninit-value in netlink_sendmsg+0xb26/0x1310 net/netlink/af_netlink.c:1851
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netlink/af_netlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 3e012d578ccd..70cf781ececb 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1812,6 +1812,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+
+ if (msg->msg_namelen) {
+ err = -EINVAL;
++ if (msg->msg_namelen < sizeof(struct sockaddr_nl))
++ goto out;
+ if (addr->nl_family != AF_NETLINK)
+ goto out;
+ dst_portid = addr->nl_pid;
+--
+2.12.3
+
diff --git a/patches.fixes/0001-packet-fix-reserve-calculation.patch b/patches.fixes/0001-packet-fix-reserve-calculation.patch
new file mode 100644
index 0000000000..4031fe8608
--- /dev/null
+++ b/patches.fixes/0001-packet-fix-reserve-calculation.patch
@@ -0,0 +1,49 @@
+From: Willem de Bruijn <willemb@google.com>
+Subject: packet: fix reserve calculation
+Patch-mainline: v4.17-rc7
+Git-commit: 9aad13b087ab0a588cd68259de618f100053360e
+References: git-fixes
+
+
+Commit b84bbaf7a6c8 ("packet: in packet_snd start writing at link
+layer allocation") ensures that packet_snd always starts writing
+the link layer header in reserved headroom allocated for this
+purpose.
+
+This is needed because packets may be shorter than hard_header_len,
+in which case the space up to hard_header_len may be zeroed. But
+that necessary padding is not accounted for in skb->len.
+
+The fix, however, is buggy. It calls skb_push, which grows skb->len
+when moving skb->data back. But in this case packet length should not
+change.
+
+Instead, call skb_reserve, which moves both skb->data and skb->tail
+back, without changing length.
+
+Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation")
+Reported-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/packet/af_packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 901618eb2725..9689622eaef7 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2933,7 +2933,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+ if (unlikely(offset < 0))
+ goto out_free;
+ } else if (reserve) {
+- skb_push(skb, reserve);
++ skb_reserve(skb, -reserve);
+ }
+
+ /* Returns -EFAULT on error */
+--
+2.12.3
+
diff --git a/patches.fixes/0002-net-fix-rtnh_ok.patch b/patches.fixes/0002-net-fix-rtnh_ok.patch
new file mode 100644
index 0000000000..ff95b40996
--- /dev/null
+++ b/patches.fixes/0002-net-fix-rtnh_ok.patch
@@ -0,0 +1,40 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: fix rtnh_ok()
+Patch-mainline: v4.17-rc1
+Git-commit: b1993a2de12c9e75c35729e2ffbc3a92d50c0d31
+References: git-fixes
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in rtnh_ok include/net/nexthop.h:11 [inline]
+BUG: KMSAN: uninit-value in fib_count_nexthops net/ipv4/fib_semantics.c:469 [inline]
+BUG: KMSAN: uninit-value in fib_create_info+0x554/0x8d20 net/ipv4/fib_semantics.c:1091
+
+@remaining is an integer, coming from user space.
+If it is negative we want rtnh_ok() to return false.
+
+Fixes: 4e902c57417c ("[IPv4]: FIB configuration using struct fib_config")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ include/net/nexthop.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/nexthop.h b/include/net/nexthop.h
+index 3334dbfa5aa4..7fc78663ec9d 100644
+--- a/include/net/nexthop.h
++++ b/include/net/nexthop.h
+@@ -6,7 +6,7 @@
+
+ static inline int rtnh_ok(const struct rtnexthop *rtnh, int remaining)
+ {
+- return remaining >= sizeof(*rtnh) &&
++ return remaining >= (int)sizeof(*rtnh) &&
+ rtnh->rtnh_len >= sizeof(*rtnh) &&
+ rtnh->rtnh_len <= remaining;
+ }
+--
+2.12.3
+
diff --git a/patches.fixes/0002-packet-reset-network-header-if-packet-shorter-than-l.patch b/patches.fixes/0002-packet-reset-network-header-if-packet-shorter-than-l.patch
new file mode 100644
index 0000000000..a826f3d726
--- /dev/null
+++ b/patches.fixes/0002-packet-reset-network-header-if-packet-shorter-than-l.patch
@@ -0,0 +1,37 @@
+From: Willem de Bruijn <willemb@google.com>
+Subject: packet: reset network header if packet shorter than ll
+ reserved space
+Patch-mainline: v4.18-rc6
+Git-commit: 993675a3100b16a4c80dfd70cbcde8ea7127b31d
+References: git-fixes
+
+If variable length link layer headers result in a packet shorter
+than dev->hard_header_len, reset the network header offset. Else
+skb->mac_len may exceed skb->len after skb_mac_reset_len.
+
+packet_sendmsg_spkt already has similar logic.
+
+Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 9689622eaef7..cf7652bb2218 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2934,6 +2934,8 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+ goto out_free;
+ } else if (reserve) {
+ skb_reserve(skb, -reserve);
++ if (len < reserve)
++ skb_reset_network_header(skb);
+ }
+
+ /* Returns -EFAULT on error */
+--
+2.12.3
+
diff --git a/patches.fixes/0003-l2tp-fix-missing-refcount-drop-in-pppol2tp_tunnel_io.patch b/patches.fixes/0003-l2tp-fix-missing-refcount-drop-in-pppol2tp_tunnel_io.patch
new file mode 100644
index 0000000000..fbe8993bb3
--- /dev/null
+++ b/patches.fixes/0003-l2tp-fix-missing-refcount-drop-in-pppol2tp_tunnel_io.patch
@@ -0,0 +1,48 @@
+From: Guillaume Nault <g.nault@alphalink.fr>
+Subject: l2tp: fix missing refcount drop in
+ pppol2tp_tunnel_ioctl()
+Patch-mainline: v4.18-rc8
+Git-commit: f664e37dcc525768280cb94321424a09beb1c992
+References: git-fixes
+
+If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to
+drop the reference taken by l2tp_session_get().
+
+Fixes: ecd012e45ab5 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/l2tp/l2tp_ppp.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 3cd4cce8338c..93d4c72e4ee5 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -1214,13 +1214,18 @@ static int pppol2tp_tunnel_ioctl(struct l2tp_tunnel *tunnel,
+ l2tp_session_get(sock_net(sk), tunnel,
+ stats.session_id);
+
+- if (session && session->pwtype == L2TP_PWTYPE_PPP) {
+- err = pppol2tp_session_ioctl(session, cmd,
+- arg);
++ if (!session) {
++ err = -EBADR;
++ break;
++ }
++ if (session->pwtype != L2TP_PWTYPE_PPP) {
+ l2tp_session_dec_refcount(session);
+- } else {
+ err = -EBADR;
++ break;
+ }
++
++ err = pppol2tp_session_ioctl(session, cmd, arg);
++ l2tp_session_dec_refcount(session);
+ break;
+ }
+ #ifdef CONFIG_XFRM
+--
+2.12.3
+
diff --git a/patches.fixes/0003-net-initialize-skb-peeked-when-cloning.patch b/patches.fixes/0003-net-initialize-skb-peeked-when-cloning.patch
new file mode 100644
index 0000000000..9f11b92b6c
--- /dev/null
+++ b/patches.fixes/0003-net-initialize-skb-peeked-when-cloning.patch
@@ -0,0 +1,35 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: net: initialize skb->peeked when cloning
+Patch-mainline: v4.17-rc1
+Git-commit: b13dda9f9aa7caceeee61c080c2e544d5f5d85e5
+References: git-fixes
+
+syzbot reported __skb_try_recv_from_queue() was using skb->peeked
+while it was potentially unitialized.
+
+We need to clear it in __skb_clone()
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/core/skbuff.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 4fd1eec0b79f..c160048283bc 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -896,6 +896,7 @@ static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb)
+ n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len;
+ n->cloned = 1;
+ n->nohdr = 0;
++ n->peeked = 0;
+ n->destructor = NULL;
+ C(tail);
+ C(end);
+--
+2.12.3
+
diff --git a/patches.fixes/0004-net-fix-uninit-value-in-__hw_addr_add_ex.patch b/patches.fixes/0004-net-fix-uninit-value-in-__hw_addr_add_ex.patch
new file mode 100644
index 0000000000..61ccd449bc
--- /dev/null
+++ b/patches.fixes/0004-net-fix-uninit-value-in-__hw_addr_add_ex.patch
@@ -0,0 +1,57 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: net: fix uninit-value in __hw_addr_add_ex()
+Patch-mainline: v4.17-rc1
+Git-commit: 77d36398d99f2565c0a8d43a86fd520a82e64bb8
+References: git-fixes
+
+syzbot complained :
+
+BUG: KMSAN: uninit-value in memcmp+0x119/0x180 lib/string.c:861
+CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: ipv6_addrconf addrconf_dad_work
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ memcmp+0x119/0x180 lib/string.c:861
+ __hw_addr_add_ex net/core/dev_addr_lists.c:60 [inline]
+ __dev_mc_add+0x1c2/0x8e0 net/core/dev_addr_lists.c:670
+ dev_mc_add+0x6d/0x80 net/core/dev_addr_lists.c:687
+ igmp6_group_added+0x2db/0xa00 net/ipv6/mcast.c:662
+ ipv6_dev_mc_inc+0xe9e/0x1130 net/ipv6/mcast.c:914
+ addrconf_join_solict net/ipv6/addrconf.c:2078 [inline]
+ addrconf_dad_begin net/ipv6/addrconf.c:3828 [inline]
+ addrconf_dad_work+0x427/0x2150 net/ipv6/addrconf.c:3954
+ process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
+ worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
+ kthread+0x539/0x720 kernel/kthread.c:239
+
+Fixes: f001fde5eadd ("net: introduce a list of device addresses dev_addr_list (v6)")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/core/dev_addr_lists.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c
+index c0548d268e1a..e3e6a3e2ca22 100644
+--- a/net/core/dev_addr_lists.c
++++ b/net/core/dev_addr_lists.c
+@@ -57,8 +57,8 @@ static int __hw_addr_add_ex(struct netdev_hw_addr_list *list,
+ return -EINVAL;
+
+ list_for_each_entry(ha, &list->list, list) {
+- if (!memcmp(ha->addr, addr, addr_len) &&
+- ha->type == addr_type) {
++ if (ha->type == addr_type &&
++ !memcmp(ha->addr, addr, addr_len)) {
+ if (global) {
+ /* check if addr is already used as global */
+ if (ha->global_use)
+--
+2.12.3
+
diff --git a/patches.fixes/0004-rxrpc-Fix-transport-sockopts-to-get-IPv4-errors-on-a.patch b/patches.fixes/0004-rxrpc-Fix-transport-sockopts-to-get-IPv4-errors-on-a.patch
new file mode 100644
index 0000000000..b3b9fdbd1c
--- /dev/null
+++ b/patches.fixes/0004-rxrpc-Fix-transport-sockopts-to-get-IPv4-errors-on-a.patch
@@ -0,0 +1,82 @@
+From: David Howells <dhowells@redhat.com>
+Subject: rxrpc: Fix transport sockopts to get IPv4 errors on an
+ IPv6 socket
+Patch-mainline: v4.19-rc7
+Git-commit: 37a675e768d7606fe8a53e0c459c9b53e121ac20
+References: git-fixes
+
+It seems that enabling IPV6_RECVERR on an IPv6 socket doesn't also turn on
+IP_RECVERR, so neither local errors nor ICMP-transported remote errors from
+IPv4 peer addresses are returned to the AF_RXRPC protocol.
+
+Make the sockopt setting code in rxrpc_open_socket() fall through from the
+AF_INET6 case to the AF_INET case to turn on all the AF_INET options too in
+the AF_INET6 case.
+
+Fixes: f2aeed3a591f ("rxrpc: Fix error reception on AF_INET6 sockets")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/rxrpc/local_object.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c
+index adc49d8285bf..852a036c775e 100644
+--- a/net/rxrpc/local_object.c
++++ b/net/rxrpc/local_object.c
+@@ -134,10 +134,10 @@ static int rxrpc_open_socket(struct rxrpc_local *local)
+ }
+
+ switch (local->srx.transport.family) {
+- case AF_INET:
+- /* we want to receive ICMP errors */
++ case AF_INET6:
++ /* we want to receive ICMPv6 errors */
+ opt = 1;
+- ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_RECVERR,
+ (char *) &opt, sizeof(opt));
+ if (ret < 0) {
+ _debug("setsockopt failed");
+@@ -145,19 +145,22 @@ static int rxrpc_open_socket(struct rxrpc_local *local)
+ }
+
+ /* we want to set the don't fragment bit */
+- opt = IP_PMTUDISC_DO;
+- ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
++ opt = IPV6_PMTUDISC_DO;
++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_MTU_DISCOVER,
+ (char *) &opt, sizeof(opt));
+ if (ret < 0) {
+ _debug("setsockopt failed");
+ goto error;
+ }
+- break;
+
+- case AF_INET6:
++ /* Fall through and set IPv4 options too otherwise we don't get
++ * errors from IPv4 packets sent through the IPv6 socket.
++ */
++
++ case AF_INET:
+ /* we want to receive ICMP errors */
+ opt = 1;
+- ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_RECVERR,
++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
+ (char *) &opt, sizeof(opt));
+ if (ret < 0) {
+ _debug("setsockopt failed");
+@@ -165,8 +168,8 @@ static int rxrpc_open_socket(struct rxrpc_local *local)
+ }
+
+ /* we want to set the don't fragment bit */
+- opt = IPV6_PMTUDISC_DO;
+- ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_MTU_DISCOVER,
++ opt = IP_PMTUDISC_DO;
++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
+ (char *) &opt, sizeof(opt));
+ if (ret < 0) {
+ _debug("setsockopt failed");
+--
+2.12.3
+
diff --git a/patches.fixes/0005-inetpeer-fix-uninit-value-in-inet_getpeer.patch b/patches.fixes/0005-inetpeer-fix-uninit-value-in-inet_getpeer.patch
new file mode 100644
index 0000000000..1a25b0ee0f
--- /dev/null
+++ b/patches.fixes/0005-inetpeer-fix-uninit-value-in-inet_getpeer.patch
@@ -0,0 +1,119 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: inetpeer: fix uninit-value in inet_getpeer
+Patch-mainline: v4.17-rc1
+Git-commit: b6a37e5e25414df4b8e9140a5c6f5ee0ec6f3b90
+References: git-fixes
+
+syzbot/KMSAN reported that p->dtime was read while it was
+not yet initialized in :
+
+ delta = (__u32)jiffies - p->dtime;
+ if (delta < ttl || !refcount_dec_if_one(&p->refcnt))
+ gc_stack[i] = NULL;
+
+This is a false positive, because the inetpeer wont be erased
+from rb-tree if the refcount_dec_if_one(&p->refcnt) does not
+succeed. And this wont happen before first inet_putpeer() call
+for this inetpeer has been done, and ->dtime field is written
+exactly before the refcount_dec_and_test(&p->refcnt).
+
+The KMSAN report was :
+
+BUG: KMSAN: uninit-value in inet_peer_gc net/ipv4/inetpeer.c:163 [inline]
+BUG: KMSAN: uninit-value in inet_getpeer+0x1567/0x1e70 net/ipv4/inetpeer.c:228
+CPU: 0 PID: 9494 Comm: syz-executor5 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ inet_peer_gc net/ipv4/inetpeer.c:163 [inline]
+ inet_getpeer+0x1567/0x1e70 net/ipv4/inetpeer.c:228
+ inet_getpeer_v4 include/net/inetpeer.h:110 [inline]
+ icmpv4_xrlim_allow net/ipv4/icmp.c:330 [inline]
+ icmp_send+0x2b44/0x3050 net/ipv4/icmp.c:725
+ ip_options_compile+0x237c/0x29f0 net/ipv4/ip_options.c:472
+ ip_rcv_options net/ipv4/ip_input.c:284 [inline]
+ ip_rcv_finish+0xda8/0x16d0 net/ipv4/ip_input.c:365
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493
+ __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562
+ __netif_receive_skb net/core/dev.c:4627 [inline]
+ netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701
+ netif_receive_skb+0x230/0x240 net/core/dev.c:4725
+ tun_rx_batched drivers/net/tun.c:1555 [inline]
+ tun_get_user+0x6d88/0x7580 drivers/net/tun.c:1962
+ tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
+ do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
+ do_iter_write+0x30d/0xd40 fs/read_write.c:932
+ vfs_writev fs/read_write.c:977 [inline]
+ do_writev+0x3c9/0x830 fs/read_write.c:1012
+ SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
+ SyS_writev+0x56/0x80 fs/read_write.c:1082
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x455111
+RSP: 002b:00007fae0365cba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
+RAX: ffffffffffffffda RBX: 000000000000002e RCX: 0000000000455111
+RDX: 0000000000000001 RSI: 00007fae0365cbf0 RDI: 00000000000000fc
+RBP: 0000000020000040 R08: 00000000000000fc R09: 0000000000000000
+R10: 000000000000002e R11: 0000000000000293 R12: 00000000ffffffff
+R13: 0000000000000658 R14: 00000000006fc8e0 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756
+ inet_getpeer+0xed8/0x1e70 net/ipv4/inetpeer.c:210
+ inet_getpeer_v4 include/net/inetpeer.h:110 [inline]
+ ip4_frag_init+0x4d1/0x740 net/ipv4/ip_fragment.c:153
+ inet_frag_alloc net/ipv4/inet_fragment.c:369 [inline]
+ inet_frag_create net/ipv4/inet_fragment.c:385 [inline]
+ inet_frag_find+0x7da/0x1610 net/ipv4/inet_fragment.c:418
+ ip_find net/ipv4/ip_fragment.c:275 [inline]
+ ip_defrag+0x448/0x67a0 net/ipv4/ip_fragment.c:676
+ ip_check_defrag+0x775/0xda0 net/ipv4/ip_fragment.c:724
+ packet_rcv_fanout+0x2a8/0x8d0 net/packet/af_packet.c:1447
+ deliver_skb net/core/dev.c:1897 [inline]
+ deliver_ptype_list_skb net/core/dev.c:1912 [inline]
+ __netif_receive_skb_core+0x314a/0x4a80 net/core/dev.c:4545
+ __netif_receive_skb net/core/dev.c:4627 [inline]
+ netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701
+ netif_receive_skb+0x230/0x240 net/core/dev.c:4725
+ tun_rx_batched drivers/net/tun.c:1555 [inline]
+ tun_get_user+0x6d88/0x7580 drivers/net/tun.c:1962
+ tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
+ do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
+ do_iter_write+0x30d/0xd40 fs/read_write.c:932
+ vfs_writev fs/read_write.c:977 [inline]
+ do_writev+0x3c9/0x830 fs/read_write.c:1012
+ SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
+ SyS_writev+0x56/0x80 fs/read_write.c:1082
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/inetpeer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
+index b20c8ac64081..64007ce87273 100644
+--- a/net/ipv4/inetpeer.c
++++ b/net/ipv4/inetpeer.c
+@@ -210,6 +210,7 @@ struct inet_peer *inet_getpeer(struct inet_peer_base *base,
+ p = kmem_cache_alloc(peer_cachep, GFP_ATOMIC);
+ if (p) {
+ p->daddr = *daddr;
++ p->dtime = (__u32)jiffies;
+ refcount_set(&p->refcnt, 2);
+ atomic_set(&p->rid, 0);
+ p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
+--
+2.12.3
+
diff --git a/patches.fixes/0006-ipvs-fix-rtnl_lock-lockups-caused-by-start_sync_thre.patch b/patches.fixes/0006-ipvs-fix-rtnl_lock-lockups-caused-by-start_sync_thre.patch
new file mode 100644
index 0000000000..a3796b4c6b
--- /dev/null
+++ b/patches.fixes/0006-ipvs-fix-rtnl_lock-lockups-caused-by-start_sync_thre.patch
@@ -0,0 +1,641 @@
+From: Julian Anastasov <ja@ssi.bg>
+Subject: ipvs: fix rtnl_lock lockups caused by start_sync_thread
+Patch-mainline: v4.17-rc3
+Git-commit: 5c64576a77894a50be80be0024bed27171b55989
+References: git-fixes
+
+syzkaller reports for wrong rtnl_lock usage in sync code [1] and [2]
+
+We have 2 problems in start_sync_thread if error path is
+taken, eg. on memory allocation error or failure to configure
+sockets for mcast group or addr/port binding:
+
+1. recursive locking: holding rtnl_lock while calling sock_release
+which in turn calls again rtnl_lock in ip_mc_drop_socket to leave
+the mcast group, as noticed by Florian Westphal. Additionally,
+sock_release can not be called while holding sync_mutex (ABBA
+deadlock).
+
+2. task hung: holding rtnl_lock while calling kthread_stop to
+stop the running kthreads. As the kthreads do the same to leave
+the mcast group (sock_release -> ip_mc_drop_socket -> rtnl_lock)
+they hang.
+
+Fix the problems by calling rtnl_unlock early in the error path,
+now sock_release is called after unlocking both mutexes.
+
+Problem 3 (task hung reported by syzkaller [2]) is variant of
+problem 2: use _trylock to prevent one user to call rtnl_lock and
+then while waiting for sync_mutex to block kthreads that execute
+sock_release when they are stopped by stop_sync_thread.
+
+[1]
+IPVS: stopping backup sync thread 4500 ...
+WARNING: possible recursive locking detected
+4.16.0-rc7+ #3 Not tainted
+--------------------------------------------
+syzkaller688027/4497 is trying to acquire lock:
+ (rtnl_mutex){+.+.}, at: [<00000000bb14d7fb>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+
+but task is already holding lock:
+IPVS: stopping backup sync thread 4495 ...
+ (rtnl_mutex){+.+.}, at: [<00000000bb14d7fb>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(rtnl_mutex);
+ lock(rtnl_mutex);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+2 locks held by syzkaller688027/4497:
+ #0: (rtnl_mutex){+.+.}, at: [<00000000bb14d7fb>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+ #1: (ipvs->sync_mutex){+.+.}, at: [<00000000703f78e3>]
+do_ip_vs_set_ctl+0x10f8/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2388
+
+stack backtrace:
+CPU: 1 PID: 4497 Comm: syzkaller688027 Not tainted 4.16.0-rc7+ #3
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x194/0x24d lib/dump_stack.c:53
+ print_deadlock_bug kernel/locking/lockdep.c:1761 [inline]
+ check_deadlock kernel/locking/lockdep.c:1805 [inline]
+ validate_chain kernel/locking/lockdep.c:2401 [inline]
+ __lock_acquire+0xe8f/0x3e00 kernel/locking/lockdep.c:3431
+ lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
+ __mutex_lock_common kernel/locking/mutex.c:756 [inline]
+ __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
+ mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
+ rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
+ ip_mc_drop_socket+0x88/0x230 net/ipv4/igmp.c:2643
+ inet_release+0x4e/0x1c0 net/ipv4/af_inet.c:413
+ sock_release+0x8d/0x1e0 net/socket.c:595
+ start_sync_thread+0x2213/0x2b70 net/netfilter/ipvs/ip_vs_sync.c:1924
+ do_ip_vs_set_ctl+0x1139/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2389
+ nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
+ nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
+ ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1261
+ udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2406
+ sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
+ SYSC_setsockopt net/socket.c:1849 [inline]
+ SyS_setsockopt+0x189/0x360 net/socket.c:1828
+ do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x446a69
+RSP: 002b:00007fa1c3a64da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000446a69
+RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 00000000006e29fc R08: 0000000000000018 R09: 0000000000000000
+R10: 00000000200000c0 R11: 0000000000000246 R12: 00000000006e29f8
+R13: 00676e697279656b R14: 00007fa1c3a659c0 R15: 00000000006e2b60
+
+[2]
+IPVS: sync thread started: state = BACKUP, mcast_ifn = syz_tun, syncid = 4,
+id = 0
+IPVS: stopping backup sync thread 25415 ...
+INFO: task syz-executor7:25421 blocked for more than 120 seconds.
+ Not tainted 4.16.0-rc6+ #284
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+syz-executor7 D23688 25421 4408 0x00000004
+Call Trace:
+ context_switch kernel/sched/core.c:2862 [inline]
+ __schedule+0x8fb/0x1ec0 kernel/sched/core.c:3440
+ schedule+0xf5/0x430 kernel/sched/core.c:3499
+ schedule_timeout+0x1a3/0x230 kernel/time/timer.c:1777
+ do_wait_for_common kernel/sched/completion.c:86 [inline]
+ __wait_for_common kernel/sched/completion.c:107 [inline]
+ wait_for_common kernel/sched/completion.c:118 [inline]
+ wait_for_completion+0x415/0x770 kernel/sched/completion.c:139
+ kthread_stop+0x14a/0x7a0 kernel/kthread.c:530
+ stop_sync_thread+0x3d9/0x740 net/netfilter/ipvs/ip_vs_sync.c:1996
+ do_ip_vs_set_ctl+0x2b1/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2394
+ nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
+ nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
+ ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1253
+ sctp_setsockopt+0x2ca/0x63e0 net/sctp/socket.c:4154
+ sock_common_setsockopt+0x95/0xd0 net/core/sock.c:3039
+ SYSC_setsockopt net/socket.c:1850 [inline]
+ SyS_setsockopt+0x189/0x360 net/socket.c:1829
+ do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x454889
+RSP: 002b:00007fc927626c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 00007fc9276276d4 RCX: 0000000000454889
+RDX: 000000000000048c RSI: 0000000000000000 RDI: 0000000000000017
+RBP: 000000000072bf58 R08: 0000000000000018 R09: 0000000000000000
+R10: 0000000020000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 000000000000051c R14: 00000000006f9b40 R15: 0000000000000001
+
+Showing all locks held in the system:
+2 locks held by khungtaskd/868:
+ #0: (rcu_read_lock){....}, at: [<00000000a1a8f002>]
+check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
+ #0: (rcu_read_lock){....}, at: [<00000000a1a8f002>] watchdog+0x1c5/0xd60
+kernel/hung_task.c:249
+ #1: (tasklist_lock){.+.+}, at: [<0000000037c2f8f9>]
+debug_show_all_locks+0xd3/0x3d0 kernel/locking/lockdep.c:4470
+1 lock held by rsyslogd/4247:
+ #0: (&f->f_pos_lock){+.+.}, at: [<000000000d8d6983>]
+__fdget_pos+0x12b/0x190 fs/file.c:765
+2 locks held by getty/4338:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+2 locks held by getty/4339:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+2 locks held by getty/4340:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+2 locks held by getty/4341:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+2 locks held by getty/4342:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+2 locks held by getty/4343:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+2 locks held by getty/4344:
+ #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>]
+ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
+ #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>]
+n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131
+3 locks held by kworker/0:5/6494:
+ #0: ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
+[<00000000a062b18e>] work_static include/linux/workqueue.h:198 [inline]
+ #0: ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
+[<00000000a062b18e>] set_work_data kernel/workqueue.c:619 [inline]
+ #0: ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
+[<00000000a062b18e>] set_work_pool_and_clear_pending kernel/workqueue.c:646
+[inline]
+ #0: ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at:
+[<00000000a062b18e>] process_one_work+0xb12/0x1bb0 kernel/workqueue.c:2084
+ #1: ((addr_chk_work).work){+.+.}, at: [<00000000278427d5>]
+process_one_work+0xb89/0x1bb0 kernel/workqueue.c:2088
+ #2: (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+1 lock held by syz-executor7/25421:
+ #0: (ipvs->sync_mutex){+.+.}, at: [<00000000d414a689>]
+do_ip_vs_set_ctl+0x277/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2393
+2 locks held by syz-executor7/25427:
+ #0: (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+ #1: (ipvs->sync_mutex){+.+.}, at: [<00000000e6d48489>]
+do_ip_vs_set_ctl+0x10f8/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2388
+1 lock held by syz-executor7/25435:
+ #0: (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+1 lock held by ipvs-b:2:0/25415:
+ #0: (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20
+net/core/rtnetlink.c:74
+
+Reported-and-tested-by: syzbot+a46d6abf9d56b1365a72@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+5fe074c01b2032ce9618@syzkaller.appspotmail.com
+Fixes: e0b26cc997d5 ("ipvs: call rtnl_lock early")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 8 ---
+ net/netfilter/ipvs/ip_vs_sync.c | 155 +++++++++++++++++++++-------------------
+ 2 files changed, 80 insertions(+), 83 deletions(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 1fa3c2307b6e..ce51ba12c605 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2386,11 +2386,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ strlcpy(cfg.mcast_ifn, dm->mcast_ifn,
+ sizeof(cfg.mcast_ifn));
+ cfg.syncid = dm->syncid;
+- rtnl_lock();
+- mutex_lock(&ipvs->sync_mutex);
+ ret = start_sync_thread(ipvs, &cfg, dm->state);
+- mutex_unlock(&ipvs->sync_mutex);
+- rtnl_unlock();
+ } else {
+ mutex_lock(&ipvs->sync_mutex);
+ ret = stop_sync_thread(ipvs, dm->state);
+@@ -3483,12 +3479,8 @@ static int ip_vs_genl_new_daemon(struct netns_ipvs *ipvs, struct nlattr **attrs)
+ if (ipvs->mixed_address_family_dests > 0)
+ return -EINVAL;
+
+- rtnl_lock();
+- mutex_lock(&ipvs->sync_mutex);
+ ret = start_sync_thread(ipvs, &c,
+ nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]));
+- mutex_unlock(&ipvs->sync_mutex);
+- rtnl_unlock();
+ return ret;
+ }
+
+diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
+index 0e5b64a75da0..9f1aa78e837d 100644
+--- a/net/netfilter/ipvs/ip_vs_sync.c
++++ b/net/netfilter/ipvs/ip_vs_sync.c
+@@ -48,6 +48,7 @@
+ #include <linux/kthread.h>
+ #include <linux/wait.h>
+ #include <linux/kernel.h>
++#include <linux/sched/signal.h>
+
+ #include <asm/unaligned.h> /* Used for ntoh_seq and hton_seq */
+
+@@ -1359,15 +1360,9 @@ static void set_mcast_pmtudisc(struct sock *sk, int val)
+ /*
+ * Specifiy default interface for outgoing multicasts
+ */
+-static int set_mcast_if(struct sock *sk, char *ifname)
++static int set_mcast_if(struct sock *sk, struct net_device *dev)
+ {
+- struct net_device *dev;
+ struct inet_sock *inet = inet_sk(sk);
+- struct net *net = sock_net(sk);
+-
+- dev = __dev_get_by_name(net, ifname);
+- if (!dev)
+- return -ENODEV;
+
+ if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if)
+ return -EINVAL;
+@@ -1395,19 +1390,14 @@ static int set_mcast_if(struct sock *sk, char *ifname)
+ * in the in_addr structure passed in as a parameter.
+ */
+ static int
+-join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname)
++join_mcast_group(struct sock *sk, struct in_addr *addr, struct net_device *dev)
+ {
+- struct net *net = sock_net(sk);
+ struct ip_mreqn mreq;
+- struct net_device *dev;
+ int ret;
+
+ memset(&mreq, 0, sizeof(mreq));
+ memcpy(&mreq.imr_multiaddr, addr, sizeof(struct in_addr));
+
+- dev = __dev_get_by_name(net, ifname);
+- if (!dev)
+- return -ENODEV;
+ if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if)
+ return -EINVAL;
+
+@@ -1422,15 +1412,10 @@ join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname)
+
+ #ifdef CONFIG_IP_VS_IPV6
+ static int join_mcast_group6(struct sock *sk, struct in6_addr *addr,
+- char *ifname)
++ struct net_device *dev)
+ {
+- struct net *net = sock_net(sk);
+- struct net_device *dev;
+ int ret;
+
+- dev = __dev_get_by_name(net, ifname);
+- if (!dev)
+- return -ENODEV;
+ if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if)
+ return -EINVAL;
+
+@@ -1442,24 +1427,18 @@ static int join_mcast_group6(struct sock *sk, struct in6_addr *addr,
+ }
+ #endif
+
+-static int bind_mcastif_addr(struct socket *sock, char *ifname)
++static int bind_mcastif_addr(struct socket *sock, struct net_device *dev)
+ {
+- struct net *net = sock_net(sock->sk);
+- struct net_device *dev;
+ __be32 addr;
+ struct sockaddr_in sin;
+
+- dev = __dev_get_by_name(net, ifname);
+- if (!dev)
+- return -ENODEV;
+-
+ addr = inet_select_addr(dev, 0, RT_SCOPE_UNIVERSE);
+ if (!addr)
+ pr_err("You probably need to specify IP address on "
+ "multicast interface.\n");
+
+ IP_VS_DBG(7, "binding socket with (%s) %pI4\n",
+- ifname, &addr);
++ dev->name, &addr);
+
+ /* Now bind the socket with the address of multicast interface */
+ sin.sin_family = AF_INET;
+@@ -1492,7 +1471,8 @@ static void get_mcast_sockaddr(union ipvs_sockaddr *sa, int *salen,
+ /*
+ * Set up sending multicast socket over UDP
+ */
+-static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id)
++static int make_send_sock(struct netns_ipvs *ipvs, int id,
++ struct net_device *dev, struct socket **sock_ret)
+ {
+ /* multicast addr */
+ union ipvs_sockaddr mcast_addr;
+@@ -1504,9 +1484,10 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id)
+ IPPROTO_UDP, &sock);
+ if (result < 0) {
+ pr_err("Error during creation of socket; terminating\n");
+- return ERR_PTR(result);
++ goto error;
+ }
+- result = set_mcast_if(sock->sk, ipvs->mcfg.mcast_ifn);
++ *sock_ret = sock;
++ result = set_mcast_if(sock->sk, dev);
+ if (result < 0) {
+ pr_err("Error setting outbound mcast interface\n");
+ goto error;
+@@ -1521,7 +1502,7 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id)
+ set_sock_size(sock->sk, 1, result);
+
+ if (AF_INET == ipvs->mcfg.mcast_af)
+- result = bind_mcastif_addr(sock, ipvs->mcfg.mcast_ifn);
++ result = bind_mcastif_addr(sock, dev);
+ else
+ result = 0;
+ if (result < 0) {
+@@ -1537,19 +1518,18 @@ static struct socket *make_send_sock(struct netns_ipvs *ipvs, int id)
+ goto error;
+ }
+
+- return sock;
++ return 0;
+
+ error:
+- sock_release(sock);
+- return ERR_PTR(result);
++ return result;
+ }
+
+
+ /*
+ * Set up receiving multicast socket over UDP
+ */
+-static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id,
+- int ifindex)
++static int make_receive_sock(struct netns_ipvs *ipvs, int id,
++ struct net_device *dev, struct socket **sock_ret)
+ {
+ /* multicast addr */
+ union ipvs_sockaddr mcast_addr;
+@@ -1561,8 +1541,9 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id,
+ IPPROTO_UDP, &sock);
+ if (result < 0) {
+ pr_err("Error during creation of socket; terminating\n");
+- return ERR_PTR(result);
++ goto error;
+ }
++ *sock_ret = sock;
+ /* it is equivalent to the REUSEADDR option in user-space */
+ sock->sk->sk_reuse = SK_CAN_REUSE;
+ result = sysctl_sync_sock_size(ipvs);
+@@ -1570,7 +1551,7 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id,
+ set_sock_size(sock->sk, 0, result);
+
+ get_mcast_sockaddr(&mcast_addr, &salen, &ipvs->bcfg, id);
+- sock->sk->sk_bound_dev_if = ifindex;
++ sock->sk->sk_bound_dev_if = dev->ifindex;
+ result = sock->ops->bind(sock, (struct sockaddr *)&mcast_addr, salen);
+ if (result < 0) {
+ pr_err("Error binding to the multicast addr\n");
+@@ -1581,21 +1562,20 @@ static struct socket *make_receive_sock(struct netns_ipvs *ipvs, int id,
+ #ifdef CONFIG_IP_VS_IPV6
+ if (ipvs->bcfg.mcast_af == AF_INET6)
+ result = join_mcast_group6(sock->sk, &mcast_addr.in6.sin6_addr,
+- ipvs->bcfg.mcast_ifn);
++ dev);
+ else
+ #endif
+ result = join_mcast_group(sock->sk, &mcast_addr.in.sin_addr,
+- ipvs->bcfg.mcast_ifn);
++ dev);
+ if (result < 0) {
+ pr_err("Error joining to the multicast group\n");
+ goto error;
+ }
+
+- return sock;
++ return 0;
+
+ error:
+- sock_release(sock);
+- return ERR_PTR(result);
++ return result;
+ }
+
+
+@@ -1780,13 +1760,12 @@ static int sync_thread_backup(void *data)
+ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ int state)
+ {
+- struct ip_vs_sync_thread_data *tinfo;
++ struct ip_vs_sync_thread_data *tinfo = NULL;
+ struct task_struct **array = NULL, *task;
+- struct socket *sock;
+ struct net_device *dev;
+ char *name;
+ int (*threadfn)(void *data);
+- int id, count, hlen;
++ int id = 0, count, hlen;
+ int result = -ENOMEM;
+ u16 mtu, min_mtu;
+
+@@ -1794,6 +1773,18 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ IP_VS_DBG(7, "Each ip_vs_sync_conn entry needs %zd bytes\n",
+ sizeof(struct ip_vs_sync_conn_v0));
+
++ /* Do not hold one mutex and then to block on another */
++ for (;;) {
++ rtnl_lock();
++ if (mutex_trylock(&ipvs->sync_mutex))
++ break;
++ rtnl_unlock();
++ mutex_lock(&ipvs->sync_mutex);
++ if (rtnl_trylock())
++ break;
++ mutex_unlock(&ipvs->sync_mutex);
++ }
++
+ if (!ipvs->sync_state) {
+ count = clamp(sysctl_sync_ports(ipvs), 1, IPVS_SYNC_PORTS_MAX);
+ ipvs->threads_mask = count - 1;
+@@ -1812,7 +1803,8 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ dev = __dev_get_by_name(ipvs->net, c->mcast_ifn);
+ if (!dev) {
+ pr_err("Unknown mcast interface: %s\n", c->mcast_ifn);
+- return -ENODEV;
++ result = -ENODEV;
++ goto out_early;
+ }
+ hlen = (AF_INET6 == c->mcast_af) ?
+ sizeof(struct ipv6hdr) + sizeof(struct udphdr) :
+@@ -1829,26 +1821,30 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ c->sync_maxlen = mtu - hlen;
+
+ if (state == IP_VS_STATE_MASTER) {
++ result = -EEXIST;
+ if (ipvs->ms)
+- return -EEXIST;
++ goto out_early;
+
+ ipvs->mcfg = *c;
+ name = "ipvs-m:%d:%d";
+ threadfn = sync_thread_master;
+ } else if (state == IP_VS_STATE_BACKUP) {
++ result = -EEXIST;
+ if (ipvs->backup_threads)
+- return -EEXIST;
++ goto out_early;
+
+ ipvs->bcfg = *c;
+ name = "ipvs-b:%d:%d";
+ threadfn = sync_thread_backup;
+ } else {
+- return -EINVAL;
++ result = -EINVAL;
++ goto out_early;
+ }
+
+ if (state == IP_VS_STATE_MASTER) {
+ struct ipvs_master_sync_state *ms;
+
++ result = -ENOMEM;
+ ipvs->ms = kcalloc(count, sizeof(ipvs->ms[0]), GFP_KERNEL);
+ if (!ipvs->ms)
+ goto out;
+@@ -1864,39 +1860,38 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ } else {
+ array = kcalloc(count, sizeof(struct task_struct *),
+ GFP_KERNEL);
++ result = -ENOMEM;
+ if (!array)
+ goto out;
+ }
+
+- tinfo = NULL;
+ for (id = 0; id < count; id++) {
+- if (state == IP_VS_STATE_MASTER)
+- sock = make_send_sock(ipvs, id);
+- else
+- sock = make_receive_sock(ipvs, id, dev->ifindex);
+- if (IS_ERR(sock)) {
+- result = PTR_ERR(sock);
+- goto outtinfo;
+- }
++ result = -ENOMEM;
+ tinfo = kmalloc(sizeof(*tinfo), GFP_KERNEL);
+ if (!tinfo)
+- goto outsocket;
++ goto out;
+ tinfo->ipvs = ipvs;
+- tinfo->sock = sock;
++ tinfo->sock = NULL;
+ if (state == IP_VS_STATE_BACKUP) {
+ tinfo->buf = kmalloc(ipvs->bcfg.sync_maxlen,
+ GFP_KERNEL);
+ if (!tinfo->buf)
+- goto outtinfo;
++ goto out;
+ } else {
+ tinfo->buf = NULL;
+ }
+ tinfo->id = id;
++ if (state == IP_VS_STATE_MASTER)
++ result = make_send_sock(ipvs, id, dev, &tinfo->sock);
++ else
++ result = make_receive_sock(ipvs, id, dev, &tinfo->sock);
++ if (result < 0)
++ goto out;
+
+ task = kthread_run(threadfn, tinfo, name, ipvs->gen, id);
+ if (IS_ERR(task)) {
+ result = PTR_ERR(task);
+- goto outtinfo;
++ goto out;
+ }
+ tinfo = NULL;
+ if (state == IP_VS_STATE_MASTER)
+@@ -1913,20 +1908,20 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ ipvs->sync_state |= state;
+ spin_unlock_bh(&ipvs->sync_buff_lock);
+
++ mutex_unlock(&ipvs->sync_mutex);
++ rtnl_unlock();
++
+ /* increase the module use count */
+ ip_vs_use_count_inc();
+
+ return 0;
+
+-outsocket:
+- sock_release(sock);
+-
+-outtinfo:
+- if (tinfo) {
+- sock_release(tinfo->sock);
+- kfree(tinfo->buf);
+- kfree(tinfo);
+- }
++out:
++ /* We do not need RTNL lock anymore, release it here so that
++ * sock_release below and in the kthreads can use rtnl_lock
++ * to leave the mcast group.
++ */
++ rtnl_unlock();
+ count = id;
+ while (count-- > 0) {
+ if (state == IP_VS_STATE_MASTER)
+@@ -1934,13 +1929,23 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c,
+ else
+ kthread_stop(array[count]);
+ }
+- kfree(array);
+-
+-out:
+ if (!(ipvs->sync_state & IP_VS_STATE_MASTER)) {
+ kfree(ipvs->ms);
+ ipvs->ms = NULL;
+ }
++ mutex_unlock(&ipvs->sync_mutex);
++ if (tinfo) {
++ if (tinfo->sock)
++ sock_release(tinfo->sock);
++ kfree(tinfo->buf);
++ kfree(tinfo);
++ }
++ kfree(array);
++ return result;
++
++out_early:
++ mutex_unlock(&ipvs->sync_mutex);
++ rtnl_unlock();
+ return result;
+ }
+
+--
+2.12.3
+
diff --git a/patches.fixes/0007-netfilter-nf_tables-can-t-fail-after-linking-rule-in.patch b/patches.fixes/0007-netfilter-nf_tables-can-t-fail-after-linking-rule-in.patch
new file mode 100644
index 0000000000..36254a92b1
--- /dev/null
+++ b/patches.fixes/0007-netfilter-nf_tables-can-t-fail-after-linking-rule-in.patch
@@ -0,0 +1,112 @@
+From: Florian Westphal <fw@strlen.de>
+Subject: netfilter: nf_tables: can't fail after linking rule
+ into active rule list
+Patch-mainline: v4.17-rc3
+Git-commit: 569ccae68b38654f04b6842b034aa33857f605fe
+References: git-fixes
+
+rules in nftables a free'd using kfree, but protected by rcu, i.e. we
+must wait for a grace period to elapse.
+
+Normal removal patch does this, but nf_tables_newrule() doesn't obey
+this rule during error handling.
+
+It calls nft_trans_rule_add() *after* linking rule, and, if that
+fails to allocate memory, it unlinks the rule and then kfree() it --
+this is unsafe.
+
+Switch order -- first add rule to transaction list, THEN link it
+to public list.
+
+Note: nft_trans_rule_add() uses GFP_KERNEL; it will not fail so this
+is not a problem in practice (spotted only during code review).
+
+Fixes: 0628b123c96d12 ("netfilter: nfnetlink: add batch support and use it from nf_tables")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nf_tables_api.c | 59 +++++++++++++++++++++++--------------------
+ 1 file changed, 32 insertions(+), 27 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 595004098410..d627a479e332 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2251,41 +2251,46 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
+ }
+
+ if (nlh->nlmsg_flags & NLM_F_REPLACE) {
+- if (nft_is_active_next(net, old_rule)) {
+- trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
+- old_rule);
+- if (trans == NULL) {
+- err = -ENOMEM;
+- goto err2;
+- }
+- nft_deactivate_next(net, old_rule);
+- chain->use--;
+- list_add_tail_rcu(&rule->list, &old_rule->list);
+- } else {
++ if (!nft_is_active_next(net, old_rule)) {
+ err = -ENOENT;
+ goto err2;
+ }
+- } else if (nlh->nlmsg_flags & NLM_F_APPEND)
+- if (old_rule)
+- list_add_rcu(&rule->list, &old_rule->list);
+- else
+- list_add_tail_rcu(&rule->list, &chain->rules);
+- else {
+- if (old_rule)
+- list_add_tail_rcu(&rule->list, &old_rule->list);
+- else
+- list_add_rcu(&rule->list, &chain->rules);
+- }
++ trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
++ old_rule);
++ if (trans == NULL) {
++ err = -ENOMEM;
++ goto err2;
++ }
++ nft_deactivate_next(net, old_rule);
++ chain->use--;
+
+- if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
+- err = -ENOMEM;
+- goto err3;
++ if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
++ err = -ENOMEM;
++ goto err2;
++ }
++
++ list_add_tail_rcu(&rule->list, &old_rule->list);
++ } else {
++ if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
++ err = -ENOMEM;
++ goto err2;
++ }
++
++ if (nlh->nlmsg_flags & NLM_F_APPEND) {
++ if (old_rule)
++ list_add_rcu(&rule->list, &old_rule->list);
++ else
++ list_add_tail_rcu(&rule->list, &chain->rules);
++ } else {
++ if (old_rule)
++ list_add_tail_rcu(&rule->list, &old_rule->list);
++ else
++ list_add_rcu(&rule->list, &chain->rules);
++ }
+ }
+ chain->use++;
+ return 0;
+
+-err3:
+- list_del_rcu(&rule->list);
+ err2:
+ nf_tables_rule_destroy(&ctx, rule);
+ err1:
+--
+2.12.3
+
diff --git a/patches.fixes/0008-rxrpc-Fix-error-reception-on-AF_INET6-sockets.patch b/patches.fixes/0008-rxrpc-Fix-error-reception-on-AF_INET6-sockets.patch
new file mode 100644
index 0000000000..995ee8bf73
--- /dev/null
+++ b/patches.fixes/0008-rxrpc-Fix-error-reception-on-AF_INET6-sockets.patch
@@ -0,0 +1,95 @@
+From: David Howells <dhowells@redhat.com>
+Subject: rxrpc: Fix error reception on AF_INET6 sockets
+Patch-mainline: v4.17-rc5
+Git-commit: f2aeed3a591ff29a82495eeaa92ac4780bad7487
+References: git-fixes
+
+AF_RXRPC tries to turn on IP_RECVERR and IP_MTU_DISCOVER on the UDP socket
+it just opened for communications with the outside world, regardless of the
+type of socket. Unfortunately, this doesn't work with an AF_INET6 socket.
+
+Fix this by turning on IPV6_RECVERR and IPV6_MTU_DISCOVER instead if the
+socket is of the AF_INET6 family.
+
+Without this, kAFS server and address rotation doesn't work correctly
+because the algorithm doesn't detect received network errors.
+
+Fixes: 75b54cb57ca3 ("rxrpc: Add IPv6 support")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/rxrpc/local_object.c | 57 +++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 42 insertions(+), 15 deletions(-)
+
+diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c
+index ff4864d550b8..adc49d8285bf 100644
+--- a/net/rxrpc/local_object.c
++++ b/net/rxrpc/local_object.c
+@@ -133,22 +133,49 @@ static int rxrpc_open_socket(struct rxrpc_local *local)
+ }
+ }
+
+- /* we want to receive ICMP errors */
+- opt = 1;
+- ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
+- (char *) &opt, sizeof(opt));
+- if (ret < 0) {
+- _debug("setsockopt failed");
+- goto error;
+- }
++ switch (local->srx.transport.family) {
++ case AF_INET:
++ /* we want to receive ICMP errors */
++ opt = 1;
++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
+
+- /* we want to set the don't fragment bit */
+- opt = IP_PMTUDISC_DO;
+- ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
+- (char *) &opt, sizeof(opt));
+- if (ret < 0) {
+- _debug("setsockopt failed");
+- goto error;
++ /* we want to set the don't fragment bit */
++ opt = IP_PMTUDISC_DO;
++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
++ break;
++
++ case AF_INET6:
++ /* we want to receive ICMP errors */
++ opt = 1;
++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_RECVERR,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
++
++ /* we want to set the don't fragment bit */
++ opt = IPV6_PMTUDISC_DO;
++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_MTU_DISCOVER,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
++ break;
++
++ default:
++ BUG();
+ }
+
+ /* set the socket up */
+--
+2.12.3
+
diff --git a/patches.fixes/0009-packet-in-packet_snd-start-writing-at-link-layer-all.patch b/patches.fixes/0009-packet-in-packet_snd-start-writing-at-link-layer-all.patch
new file mode 100644
index 0000000000..98f7330676
--- /dev/null
+++ b/patches.fixes/0009-packet-in-packet_snd-start-writing-at-link-layer-all.patch
@@ -0,0 +1,59 @@
+From: Willem de Bruijn <willemb@google.com>
+Subject: packet: in packet_snd start writing at link layer
+ allocation
+Patch-mainline: v4.17-rc7
+Git-commit: b84bbaf7a6c8cca24f8acf25a2c8e46913a947ba
+References: git-fixes
+
+Packet sockets allow construction of packets shorter than
+dev->hard_header_len to accommodate protocols with variable length
+link layer headers. These packets are padded to dev->hard_header_len,
+because some device drivers interpret that as a minimum packet size.
+
+packet_snd reserves dev->hard_header_len bytes on allocation.
+SOCK_DGRAM sockets call skb_push in dev_hard_header() to ensure that
+link layer headers are stored in the reserved range. SOCK_RAW sockets
+do the same in tpacket_snd, but not in packet_snd.
+
+Syzbot was able to send a zero byte packet to a device with massive
+116B link layer header, causing padding to cross over into skb_shinfo.
+Fix this by writing from the start of the llheader reserved range also
+in the case of packet_snd/SOCK_RAW.
+
+Update skb_set_network_header to the new offset. This also corrects
+it for SOCK_DGRAM, where it incorrectly double counted reserve due to
+the skb_push in dev_hard_header.
+
+Fixes: 9ed988cd5915 ("packet: validate variable length ll headers")
+Reported-by: syzbot+71d74a5406d02057d559@syzkaller.appspotmail.com
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/packet/af_packet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index c6c4d9be2276..901618eb2725 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2925,13 +2925,15 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+ if (skb == NULL)
+ goto out_unlock;
+
+- skb_set_network_header(skb, reserve);
++ skb_reset_network_header(skb);
+
+ err = -EINVAL;
+ if (sock->type == SOCK_DGRAM) {
+ offset = dev_hard_header(skb, dev, ntohs(proto), addr, NULL, len);
+ if (unlikely(offset < 0))
+ goto out_free;
++ } else if (reserve) {
++ skb_push(skb, reserve);
+ }
+
+ /* Returns -EFAULT on error */
+--
+2.12.3
+
diff --git a/patches.fixes/0010-ipvs-fix-stats-update-from-local-clients.patch b/patches.fixes/0010-ipvs-fix-stats-update-from-local-clients.patch
new file mode 100644
index 0000000000..f77c884071
--- /dev/null
+++ b/patches.fixes/0010-ipvs-fix-stats-update-from-local-clients.patch
@@ -0,0 +1,124 @@
+From: Julian Anastasov <ja@ssi.bg>
+Subject: ipvs: fix stats update from local clients
+Patch-mainline: v4.17-rc7
+Git-commit: d5e032fc5697b6c0d6b4958bcacb981a08f8174e
+References: git-fixes
+
+
+Local clients are not properly synchronized on 32-bit CPUs when
+updating stats (3.10+). Now it is possible estimation_timer (timer),
+a stats reader, to interrupt the local client in the middle of
+write_seqcount_{begin,end} sequence leading to loop (DEADLOCK).
+The same interrupt can happen from received packet (SoftIRQ)
+which updates the same per-CPU stats.
+
+Fix it by disabling BH while updating stats.
+
+Found with debug:
+
+WARNING: inconsistent lock state
+4.17.0-rc2-00105-g35cb6d7-dirty #2 Not tainted
+--------------------------------
+inconsistent {IN-SOFTIRQ-R} -> {SOFTIRQ-ON-W} usage.
+ftp/2545 [HC0[0]:SC0[0]:HE1:SE1] takes:
+86845479 (&syncp->seq#6){+.+-}, at: ip_vs_schedule+0x1c5/0x59e [ip_vs]
+{IN-SOFTIRQ-R} state was registered at:
+ lock_acquire+0x44/0x5b
+ estimation_timer+0x1b3/0x341 [ip_vs]
+ call_timer_fn+0x54/0xcd
+ run_timer_softirq+0x10c/0x12b
+ __do_softirq+0xc1/0x1a9
+ do_softirq_own_stack+0x1d/0x23
+ irq_exit+0x4a/0x64
+ smp_apic_timer_interrupt+0x63/0x71
+ apic_timer_interrupt+0x3a/0x40
+ default_idle+0xa/0xc
+ arch_cpu_idle+0x9/0xb
+ default_idle_call+0x21/0x23
+ do_idle+0xa0/0x167
+ cpu_startup_entry+0x19/0x1b
+ start_secondary+0x133/0x182
+ startup_32_smp+0x164/0x168
+irq event stamp: 42213
+
+other info that might help us debug this:
+Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&syncp->seq#6);
+ <Interrupt>
+ lock(&syncp->seq#6);
+
+*** DEADLOCK ***
+
+Fixes: ac69269a45e8 ("ipvs: do not disable bh for long time")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipvs/ip_vs_core.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index ad99c1ceea6f..62ed310e2397 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -119,6 +119,8 @@ ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
+ struct ip_vs_cpu_stats *s;
+ struct ip_vs_service *svc;
+
++ local_bh_disable();
++
+ s = this_cpu_ptr(dest->stats.cpustats);
+ u64_stats_update_begin(&s->syncp);
+ s->cnt.inpkts++;
+@@ -139,6 +141,8 @@ ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
+ s->cnt.inpkts++;
+ s->cnt.inbytes += skb->len;
+ u64_stats_update_end(&s->syncp);
++
++ local_bh_enable();
+ }
+ }
+
+@@ -153,6 +157,8 @@ ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
+ struct ip_vs_cpu_stats *s;
+ struct ip_vs_service *svc;
+
++ local_bh_disable();
++
+ s = this_cpu_ptr(dest->stats.cpustats);
+ u64_stats_update_begin(&s->syncp);
+ s->cnt.outpkts++;
+@@ -173,6 +179,8 @@ ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
+ s->cnt.outpkts++;
+ s->cnt.outbytes += skb->len;
+ u64_stats_update_end(&s->syncp);
++
++ local_bh_enable();
+ }
+ }
+
+@@ -183,6 +191,8 @@ ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
+ struct netns_ipvs *ipvs = svc->ipvs;
+ struct ip_vs_cpu_stats *s;
+
++ local_bh_disable();
++
+ s = this_cpu_ptr(cp->dest->stats.cpustats);
+ u64_stats_update_begin(&s->syncp);
+ s->cnt.conns++;
+@@ -197,6 +207,8 @@ ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
+ u64_stats_update_begin(&s->syncp);
+ s->cnt.conns++;
+ u64_stats_update_end(&s->syncp);
++
++ local_bh_enable();
+ }
+
+
+--
+2.12.3
+
diff --git a/patches.fixes/0011-tcp-purge-write-queue-in-tcp_connect_init.patch b/patches.fixes/0011-tcp-purge-write-queue-in-tcp_connect_init.patch
new file mode 100644
index 0000000000..fa8a24755f
--- /dev/null
+++ b/patches.fixes/0011-tcp-purge-write-queue-in-tcp_connect_init.patch
@@ -0,0 +1,90 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: tcp: purge write queue in tcp_connect_init()
+Patch-mainline: v4.17-rc7
+Git-commit: 7f582b248d0a86bae5788c548d7bb5bca6f7691a
+References: git-fixes
+
+syzkaller found a reliable way to crash the host, hitting a BUG()
+in __tcp_retransmit_skb()
+
+Malicous MSG_FASTOPEN is the root cause. We need to purge write queue
+in tcp_connect_init() at the point we init snd_una/write_seq.
+
+This patch also replaces the BUG() by a less intrusive WARN_ON_ONCE()
+
+kernel BUG at net/ipv4/tcp_output.c:2837!
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 0 PID: 5276 Comm: syz-executor0 Not tainted 4.17.0-rc3+ #51
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:__tcp_retransmit_skb+0x2992/0x2eb0 net/ipv4/tcp_output.c:2837
+RSP: 0000:ffff8801dae06ff8 EFLAGS: 00010206
+RAX: ffff8801b9fe61c0 RBX: 00000000ffc18a16 RCX: ffffffff864e1a49
+RDX: 0000000000000100 RSI: ffffffff864e2e12 RDI: 0000000000000005
+RBP: ffff8801dae073a0 R08: ffff8801b9fe61c0 R09: ffffed0039c40dd2
+R10: ffffed0039c40dd2 R11: ffff8801ce206e93 R12: 00000000421eeaad
+R13: ffff8801ce206d4e R14: ffff8801ce206cc0 R15: ffff8801cd4f4a80
+FS: 0000000000000000(0000) GS:ffff8801dae00000(0063) knlGS:00000000096bc900
+CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
+CR2: 0000000020000000 CR3: 00000001c47b6000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <IRQ>
+ tcp_retransmit_skb+0x2e/0x250 net/ipv4/tcp_output.c:2923
+ tcp_retransmit_timer+0xc50/0x3060 net/ipv4/tcp_timer.c:488
+ tcp_write_timer_handler+0x339/0x960 net/ipv4/tcp_timer.c:573
+ tcp_write_timer+0x111/0x1d0 net/ipv4/tcp_timer.c:593
+ call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
+ expire_timers kernel/time/timer.c:1363 [inline]
+ __run_timers+0x79e/0xc50 kernel/time/timer.c:1666
+ run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
+ __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
+ invoke_softirq kernel/softirq.c:365 [inline]
+ irq_exit+0x1d1/0x200 kernel/softirq.c:405
+ exiting_irq arch/x86/include/asm/apic.h:525 [inline]
+ smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
+
+Fixes: cf60af03ca4e ("net-tcp: Fast Open client - sendmsg(MSG_FASTOPEN)")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/tcp_output.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 2d139697bcd8..beda69aad37d 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2842,8 +2842,10 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs)
+ return -EBUSY;
+
+ if (before(TCP_SKB_CB(skb)->seq, tp->snd_una)) {
+- if (before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))
+- BUG();
++ if (unlikely(before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))) {
++ WARN_ON_ONCE(1);
++ return -EINVAL;
++ }
+ if (tcp_trim_head(sk, skb, tp->snd_una - TCP_SKB_CB(skb)->seq))
+ return -ENOMEM;
+ }
+@@ -3332,6 +3334,7 @@ static void tcp_connect_init(struct sock *sk)
+ sock_reset_flag(sk, SOCK_DONE);
+ tp->snd_wnd = 0;
+ tcp_init_wl(tp, 0);
++ tcp_write_queue_purge(sk);
+ tp->snd_una = tp->write_seq;
+ tp->snd_sml = tp->write_seq;
+ tp->snd_up = tp->write_seq;
+--
+2.12.3
+
diff --git a/patches.fixes/0012-net-test-tailroom-before-appending-to-linear-skb.patch b/patches.fixes/0012-net-test-tailroom-before-appending-to-linear-skb.patch
new file mode 100644
index 0000000000..705d0dab79
--- /dev/null
+++ b/patches.fixes/0012-net-test-tailroom-before-appending-to-linear-skb.patch
@@ -0,0 +1,58 @@
+From: Willem de Bruijn <willemb@google.com>
+Subject: net: test tailroom before appending to linear skb
+Patch-mainline: v4.17-rc7
+Git-commit: 113f99c3358564a0647d444c2ae34e8b1abfd5b9
+References: git-fixes
+
+Device features may change during transmission. In particular with
+corking, a device may toggle scatter-gather in between allocating
+and writing to an skb.
+
+Do not unconditionally assume that !NETIF_F_SG at write time implies
+that the same held at alloc time and thus the skb has sufficient
+tailroom.
+
+This issue predates git history.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/ip_output.c | 3 ++-
+ net/ipv6/ip6_output.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index 41c5d8bdc768..c81916930652 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1042,7 +1042,8 @@ static int __ip_append_data(struct sock *sk,
+ if (copy > length)
+ copy = length;
+
+- if (!(rt->dst.dev->features&NETIF_F_SG)) {
++ if (!(rt->dst.dev->features&NETIF_F_SG) &&
++ skb_tailroom(skb) >= copy) {
+ unsigned int off;
+
+ off = skb->len;
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 42a97e490737..04729272dfb3 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1484,7 +1484,8 @@ static int __ip6_append_data(struct sock *sk,
+ if (copy > length)
+ copy = length;
+
+- if (!(rt->dst.dev->features&NETIF_F_SG)) {
++ if (!(rt->dst.dev->features&NETIF_F_SG) &&
++ skb_tailroom(skb) >= copy) {
+ unsigned int off;
+
+ off = skb->len;
+--
+2.12.3
+
diff --git a/patches.fixes/0013-net-Fix-a-bug-in-removing-queues-from-XPS-map.patch b/patches.fixes/0013-net-Fix-a-bug-in-removing-queues-from-XPS-map.patch
new file mode 100644
index 0000000000..c833d893d3
--- /dev/null
+++ b/patches.fixes/0013-net-Fix-a-bug-in-removing-queues-from-XPS-map.patch
@@ -0,0 +1,35 @@
+From: Amritha Nambiar <amritha.nambiar@intel.com>
+Subject: net: Fix a bug in removing queues from XPS map
+Patch-mainline: v4.17-rc7
+Git-commit: 6358d49ac23995fdfe157cc8747ab0f274d3954b
+References: git-fixes
+
+While removing queues from the XPS map, the individual CPU ID
+alone was used to index the CPUs map, this should be changed to also
+factor in the traffic class mapping for the CPU-to-queue lookup.
+
+Fixes: 184c449f91fe ("net: Add support for XPS with QoS via traffic classes")
+Signed-off-by: Amritha Nambiar <amritha.nambiar@intel.com>
+Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 15880ba084a9..f259eb1b21b8 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2078,7 +2078,7 @@ static bool remove_xps_queue_cpu(struct net_device *dev,
+ int i, j;
+
+ for (i = count, j = offset; i--; j++) {
+- if (!remove_xps_queue(dev_maps, cpu, j))
++ if (!remove_xps_queue(dev_maps, tci, j))
+ break;
+ }
+
+--
+2.12.3
+
diff --git a/patches.fixes/0014-netfilter-nf_tables-fix-NULL-pointer-dereference-on-.patch b/patches.fixes/0014-netfilter-nf_tables-fix-NULL-pointer-dereference-on-.patch
new file mode 100644
index 0000000000..59aff0b412
--- /dev/null
+++ b/patches.fixes/0014-netfilter-nf_tables-fix-NULL-pointer-dereference-on-.patch
@@ -0,0 +1,164 @@
+From: Taehee Yoo <ap420073@gmail.com>
+Subject: netfilter: nf_tables: fix NULL pointer dereference on
+ nft_ct_helper_obj_dump()
+Patch-mainline: v4.17
+Git-commit: b71534583f22d08c3e3563bf5100aeb5f5c9fbe5
+References: git-fixes
+
+
+In the nft_ct_helper_obj_dump(), always priv->helper4 is dereferenced.
+But if family is ipv6, priv->helper6 should be dereferenced.
+
+Steps to reproduces:
+
+ #test.nft
+ table ip6 filter {
+ ct helper ftp {
+ type "ftp" protocol tcp
+ }
+ chain input {
+ type filter hook input priority 4;
+ ct helper set "ftp"
+ }
+ }
+
+ %nft -f test.nft
+ %nft list ruleset
+
+we can see the below messages:
+
+[ 916.286233] kasan: GPF could be caused by NULL-ptr deref or user memory access
+[ 916.294777] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
+[ 916.302613] Modules linked in: nft_objref nf_conntrack_sip nf_conntrack_snmp nf_conntrack_broadcast nf_conntrack_ftp nft_ct nf_conntrack nf_tables nfnetlink [last unloaded: nfnetlink]
+[ 916.318758] CPU: 1 PID: 2093 Comm: nft Not tainted 4.17.0-rc4+ #181
+[ 916.326772] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
+[ 916.338773] RIP: 0010:strlen+0x1a/0x90
+[ 916.342781] RSP: 0018:ffff88010ff0f2f8 EFLAGS: 00010292
+[ 916.346773] RAX: dffffc0000000000 RBX: ffff880119b26ee8 RCX: ffff88010c150038
+[ 916.354777] RDX: 0000000000000002 RSI: ffff880119b26ee8 RDI: 0000000000000010
+[ 916.362773] RBP: 0000000000000010 R08: 0000000000007e88 R09: ffff88010c15003c
+[ 916.370773] R10: ffff88010c150037 R11: ffffed002182a007 R12: ffff88010ff04040
+[ 916.378779] R13: 0000000000000010 R14: ffff880119b26f30 R15: ffff88010ff04110
+[ 916.387265] FS: 00007f57a1997700(0000) GS:ffff88011b800000(0000) knlGS:0000000000000000
+[ 916.394785] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 916.402778] CR2: 00007f57a0ac80f0 CR3: 000000010ff02000 CR4: 00000000001006e0
+[ 916.410772] Call Trace:
+[ 916.414787] nft_ct_helper_obj_dump+0x94/0x200 [nft_ct]
+[ 916.418779] ? nft_ct_set_eval+0x560/0x560 [nft_ct]
+[ 916.426771] ? memset+0x1f/0x40
+[ 916.426771] ? __nla_reserve+0x92/0xb0
+[ 916.434774] ? memcpy+0x34/0x50
+[ 916.434774] nf_tables_fill_obj_info+0x484/0x860 [nf_tables]
+[ 916.442773] ? __nft_release_basechain+0x600/0x600 [nf_tables]
+[ 916.450779] ? lock_acquire+0x193/0x380
+[ 916.454771] ? lock_acquire+0x193/0x380
+[ 916.458789] ? nf_tables_dump_obj+0x148/0xcb0 [nf_tables]
+[ 916.462777] nf_tables_dump_obj+0x5f0/0xcb0 [nf_tables]
+[ 916.470769] ? __alloc_skb+0x30b/0x500
+[ 916.474779] netlink_dump+0x752/0xb50
+[ 916.478775] __netlink_dump_start+0x4d3/0x750
+[ 916.482784] nf_tables_getobj+0x27a/0x930 [nf_tables]
+[ 916.490774] ? nft_obj_notify+0x100/0x100 [nf_tables]
+[ 916.494772] ? nf_tables_getobj+0x930/0x930 [nf_tables]
+[ 916.502579] ? nf_tables_dump_flowtable_done+0x70/0x70 [nf_tables]
+[ 916.506774] ? nft_obj_notify+0x100/0x100 [nf_tables]
+[ 916.514808] nfnetlink_rcv_msg+0x8ab/0xa86 [nfnetlink]
+[ 916.518771] ? nfnetlink_rcv_msg+0x550/0xa86 [nfnetlink]
+[ 916.526782] netlink_rcv_skb+0x23e/0x360
+[ 916.530773] ? nfnetlink_bind+0x200/0x200 [nfnetlink]
+[ 916.534778] ? debug_check_no_locks_freed+0x280/0x280
+[ 916.542770] ? netlink_ack+0x870/0x870
+[ 916.546786] ? ns_capable_common+0xf4/0x130
+[ 916.550765] nfnetlink_rcv+0x172/0x16c0 [nfnetlink]
+[ 916.554771] ? sched_clock_local+0xe2/0x150
+[ 916.558774] ? sched_clock_cpu+0x144/0x180
+[ 916.566575] ? lock_acquire+0x380/0x380
+[ 916.570775] ? sched_clock_local+0xe2/0x150
+[ 916.574765] ? nfnetlink_net_init+0x130/0x130 [nfnetlink]
+[ 916.578763] ? sched_clock_cpu+0x144/0x180
+[ 916.582770] ? lock_acquire+0x193/0x380
+[ 916.590771] ? lock_acquire+0x193/0x380
+[ 916.594766] ? lock_acquire+0x380/0x380
+[ 916.598760] ? netlink_deliver_tap+0x262/0xa60
+[ 916.602766] ? lock_acquire+0x193/0x380
+[ 916.606766] netlink_unicast+0x3ef/0x5a0
+[ 916.610771] ? netlink_attachskb+0x630/0x630
+[ 916.614763] netlink_sendmsg+0x72a/0xb00
+[ 916.618769] ? netlink_unicast+0x5a0/0x5a0
+[ 916.626766] ? _copy_from_user+0x92/0xc0
+[ 916.630773] __sys_sendto+0x202/0x300
+[ 916.634772] ? __ia32_sys_getpeername+0xb0/0xb0
+[ 916.638759] ? lock_acquire+0x380/0x380
+[ 916.642769] ? lock_acquire+0x193/0x380
+[ 916.646761] ? finish_task_switch+0xf4/0x560
+[ 916.650763] ? __schedule+0x582/0x19a0
+[ 916.655301] ? __sched_text_start+0x8/0x8
+[ 916.655301] ? up_read+0x1c/0x110
+[ 916.655301] ? __do_page_fault+0x48b/0xaa0
+[ 916.655301] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
+[ 916.655301] __x64_sys_sendto+0xdd/0x1b0
+[ 916.655301] do_syscall_64+0x96/0x3d0
+[ 916.655301] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 916.655301] RIP: 0033:0x7f57a0ff5e03
+[ 916.655301] RSP: 002b:00007fff6367e0a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+[ 916.655301] RAX: ffffffffffffffda RBX: 00007fff6367f1e0 RCX: 00007f57a0ff5e03
+[ 916.655301] RDX: 0000000000000020 RSI: 00007fff6367e110 RDI: 0000000000000003
+[ 916.655301] RBP: 00007fff6367e100 R08: 00007f57a0ce9160 R09: 000000000000000c
+[ 916.655301] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff6367e110
+[ 916.655301] R13: 0000000000000020 R14: 00007f57a153c610 R15: 0000562417258de0
+[ 916.655301] Code: ff ff ff 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 fa 53 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df 48 89 fd 48 83 ec 08 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f
+[ 916.655301] RIP: strlen+0x1a/0x90 RSP: ffff88010ff0f2f8
+[ 916.771929] ---[ end trace 1065e048e72479fe ]---
+[ 916.777204] Kernel panic - not syncing: Fatal exception
+[ 916.778158] Kernel Offset: 0x14000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nft_ct.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index 1678e9e75e8e..2cded8ee6d30 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -875,22 +875,26 @@ static int nft_ct_helper_obj_dump(struct sk_buff *skb,
+ struct nft_object *obj, bool reset)
+ {
+ const struct nft_ct_helper_obj *priv = nft_obj_data(obj);
+- const struct nf_conntrack_helper *helper = priv->helper4;
++ const struct nf_conntrack_helper *helper;
+ u16 family;
+
++ if (priv->helper4 && priv->helper6) {
++ family = NFPROTO_INET;
++ helper = priv->helper4;
++ } else if (priv->helper6) {
++ family = NFPROTO_IPV6;
++ helper = priv->helper6;
++ } else {
++ family = NFPROTO_IPV4;
++ helper = priv->helper4;
++ }
++
+ if (nla_put_string(skb, NFTA_CT_HELPER_NAME, helper->name))
+ return -1;
+
+ if (nla_put_u8(skb, NFTA_CT_HELPER_L4PROTO, priv->l4proto))
+ return -1;
+
+- if (priv->helper4 && priv->helper6)
+- family = NFPROTO_INET;
+- else if (priv->helper6)
+- family = NFPROTO_IPV6;
+- else
+- family = NFPROTO_IPV4;
+-
+ if (nla_put_be16(skb, NFTA_CT_HELPER_L3PROTO, htons(family)))
+ return -1;
+
+--
+2.12.3
+
diff --git a/patches.fixes/0015-netfilter-ebtables-handle-string-from-userspace-with.patch b/patches.fixes/0015-netfilter-ebtables-handle-string-from-userspace-with.patch
new file mode 100644
index 0000000000..f97ecde4f7
--- /dev/null
+++ b/patches.fixes/0015-netfilter-ebtables-handle-string-from-userspace-with.patch
@@ -0,0 +1,102 @@
+From: Paolo Abeni <pabeni@redhat.com>
+Subject: netfilter: ebtables: handle string from userspace with
+ care
+Patch-mainline: v4.17
+Git-commit: 94c752f99954797da583a84c4907ff19e92550a4
+References: git-fixes
+
+strlcpy() can't be safely used on a user-space provided string,
+as it can try to read beyond the buffer's end, if the latter is
+not NULL terminated.
+
+Leveraging the above, syzbot has been able to trigger the following
+splat:
+
+BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300
+[inline]
+BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user
+net/bridge/netfilter/ebtables.c:1957 [inline]
+BUG: KASAN: stack-out-of-bounds in ebt_size_mwt
+net/bridge/netfilter/ebtables.c:2059 [inline]
+BUG: KASAN: stack-out-of-bounds in size_entry_mwt
+net/bridge/netfilter/ebtables.c:2155 [inline]
+BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0
+net/bridge/netfilter/ebtables.c:2194
+Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504
+
+CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ memcpy+0x37/0x50 mm/kasan/kasan.c:303
+ strlcpy include/linux/string.h:300 [inline]
+ compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
+ ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
+ size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
+ compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
+ compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285
+ compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367
+ compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
+ compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
+ compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279
+ inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041
+ compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901
+ compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050
+ __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403
+ __do_compat_sys_setsockopt net/compat.c:416 [inline]
+ __se_compat_sys_setsockopt net/compat.c:413 [inline]
+ __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413
+ do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
+ do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
+ entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7fb3cb9
+RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
+RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+The buggy address belongs to the page:
+page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0x2fffc0000000000()
+raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
+raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000
+page dumped because: kasan: bad access detected
+
+Fix the issue replacing the unsafe function with strscpy() and
+taking care of possible errors.
+
+Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
+Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/bridge/netfilter/ebtables.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 9b11e61c4b7e..546c20cf632e 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1950,7 +1950,8 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
+ int off, pad = 0;
+ unsigned int size_kern, match_size = mwt->match_size;
+
+- strlcpy(name, mwt->u.name, sizeof(name));
++ if (strscpy(name, mwt->u.name, sizeof(name)) < 0)
++ return -EINVAL;
+
+ if (state->buf_kern_start)
+ dst = state->buf_kern_start + state->buf_kern_offset;
+--
+2.12.3
+
diff --git a/patches.fixes/0016-ipvs-fix-buffer-overflow-with-sync-daemon-and-servic.patch b/patches.fixes/0016-ipvs-fix-buffer-overflow-with-sync-daemon-and-servic.patch
new file mode 100644
index 0000000000..08f73e30d6
--- /dev/null
+++ b/patches.fixes/0016-ipvs-fix-buffer-overflow-with-sync-daemon-and-servic.patch
@@ -0,0 +1,147 @@
+From: Julian Anastasov <ja@ssi.bg>
+Subject: ipvs: fix buffer overflow with sync daemon and service
+Patch-mainline: v4.17
+Git-commit: 52f96757905bbf0edef47f3ee6c7c784e7f8ff8a
+References: git-fixes
+
+syzkaller reports for buffer overflow for interface name
+when starting sync daemons [1]
+
+What we do is that we copy user structure into larger stack
+buffer but later we search NUL past the stack buffer.
+The same happens for sched_name when adding/editing virtual server.
+
+We are restricted by IP_VS_SCHEDNAME_MAXLEN and IP_VS_IFNAME_MAXLEN
+being used as size in include/uapi/linux/ip_vs.h, so they
+include the space for NUL.
+
+As using strlcpy is wrong for unsafe source, replace it with
+strscpy and add checks to return EINVAL if source string is not
+NUL-terminated. The incomplete strlcpy fix comes from 2.6.13.
+
+For the netlink interface reduce the len parameter for
+IPVS_DAEMON_ATTR_MCAST_IFN and IPVS_SVC_ATTR_SCHED_NAME,
+so that we get proper EINVAL.
+
+[1]
+kernel BUG at lib/string.c:1052!
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
+RSP: 0018:ffff8801c976f800 EFLAGS: 00010282
+RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000
+RDX: 0000000000000022 RSI: ffffffff8160f6f1 RDI: ffffed00392edef6
+RBP: ffff8801c976f800 R08: ffff8801cf4c62c0 R09: ffffed003b5e4fb0
+R10: ffffed003b5e4fb0 R11: ffff8801daf27d87 R12: ffff8801c976fa20
+R13: ffff8801c976fae4 R14: ffff8801c976fae0 R15: 000000000000048b
+FS: 00007fd99f75e700(0000) GS:ffff8801daf00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000200001c0 CR3: 00000001d6843000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ strlen include/linux/string.h:270 [inline]
+ strlcpy include/linux/string.h:293 [inline]
+ do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388
+ nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
+ nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
+ ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
+ udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487
+ ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
+ tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057
+ sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046
+ __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
+ __do_sys_setsockopt net/socket.c:1914 [inline]
+ __se_sys_setsockopt net/socket.c:1911 [inline]
+ __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
+ do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x447369
+RSP: 002b:00007fd99f75dda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 00000000006e39e4 RCX: 0000000000447369
+RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000018 R09: 0000000000000000
+R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000006e39e0
+R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0000000000000001
+Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb
+de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90
+90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
+RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801c976f800
+
+Reported-and-tested-by: syzbot+aac887f77319868646df@syzkaller.appspotmail.com
+Fixes: e4ff67513096 ("ipvs: add sync_maxlen parameter for the sync daemon")
+Fixes: 4da62fc70d7c ("[IPVS]: Fix for overflows")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index ce51ba12c605..90dc25c5d938 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2383,8 +2383,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ struct ipvs_sync_daemon_cfg cfg;
+
+ memset(&cfg, 0, sizeof(cfg));
+- strlcpy(cfg.mcast_ifn, dm->mcast_ifn,
+- sizeof(cfg.mcast_ifn));
++ ret = -EINVAL;
++ if (strscpy(cfg.mcast_ifn, dm->mcast_ifn,
++ sizeof(cfg.mcast_ifn)) <= 0)
++ goto out_dec;
+ cfg.syncid = dm->syncid;
+ ret = start_sync_thread(ipvs, &cfg, dm->state);
+ } else {
+@@ -2422,12 +2424,19 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ }
+ }
+
++ if ((cmd == IP_VS_SO_SET_ADD || cmd == IP_VS_SO_SET_EDIT) &&
++ strnlen(usvc.sched_name, IP_VS_SCHEDNAME_MAXLEN) ==
++ IP_VS_SCHEDNAME_MAXLEN) {
++ ret = -EINVAL;
++ goto out_unlock;
++ }
++
+ /* Check for valid protocol: TCP or UDP or SCTP, even for fwmark!=0 */
+ if (usvc.protocol != IPPROTO_TCP && usvc.protocol != IPPROTO_UDP &&
+ usvc.protocol != IPPROTO_SCTP) {
+- pr_err("set_ctl: invalid protocol: %d %pI4:%d %s\n",
++ pr_err("set_ctl: invalid protocol: %d %pI4:%d\n",
+ usvc.protocol, &usvc.addr.ip,
+- ntohs(usvc.port), usvc.sched_name);
++ ntohs(usvc.port));
+ ret = -EFAULT;
+ goto out_unlock;
+ }
+@@ -2849,7 +2858,7 @@ static const struct nla_policy ip_vs_cmd_policy[IPVS_CMD_ATTR_MAX + 1] = {
+ static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = {
+ [IPVS_DAEMON_ATTR_STATE] = { .type = NLA_U32 },
+ [IPVS_DAEMON_ATTR_MCAST_IFN] = { .type = NLA_NUL_STRING,
+- .len = IP_VS_IFNAME_MAXLEN },
++ .len = IP_VS_IFNAME_MAXLEN - 1 },
+ [IPVS_DAEMON_ATTR_SYNC_ID] = { .type = NLA_U32 },
+ [IPVS_DAEMON_ATTR_SYNC_MAXLEN] = { .type = NLA_U16 },
+ [IPVS_DAEMON_ATTR_MCAST_GROUP] = { .type = NLA_U32 },
+@@ -2867,7 +2876,7 @@ static const struct nla_policy ip_vs_svc_policy[IPVS_SVC_ATTR_MAX + 1] = {
+ [IPVS_SVC_ATTR_PORT] = { .type = NLA_U16 },
+ [IPVS_SVC_ATTR_FWMARK] = { .type = NLA_U32 },
+ [IPVS_SVC_ATTR_SCHED_NAME] = { .type = NLA_NUL_STRING,
+- .len = IP_VS_SCHEDNAME_MAXLEN },
++ .len = IP_VS_SCHEDNAME_MAXLEN - 1 },
+ [IPVS_SVC_ATTR_PE_NAME] = { .type = NLA_NUL_STRING,
+ .len = IP_VS_PENAME_MAXLEN },
+ [IPVS_SVC_ATTR_FLAGS] = { .type = NLA_BINARY,
+--
+2.12.3
+
diff --git a/patches.fixes/0017-xfrm6-avoid-potential-infinite-loop-in-_decode_sessi.patch b/patches.fixes/0017-xfrm6-avoid-potential-infinite-loop-in-_decode_sessi.patch
new file mode 100644
index 0000000000..445826bdfa
--- /dev/null
+++ b/patches.fixes/0017-xfrm6-avoid-potential-infinite-loop-in-_decode_sessi.patch
@@ -0,0 +1,100 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: xfrm6: avoid potential infinite loop in
+ _decode_session6()
+Patch-mainline: v4.17
+Git-commit: d9f92772e8ec388d070752ee8f187ef8fa18621f
+References: git-fixes
+
+
+syzbot found a way to trigger an infinitie loop by overflowing
+@offset variable that has been forced to use u16 for some very
+obscure reason in the past.
+
+We probably want to look at NEXTHDR_FRAGMENT handling which looks
+wrong, in a separate patch.
+
+In net-next, we shall try to use skb_header_pointer() instead of
+pskb_may_pull().
+
+watchdog: BUG: soft lockup - CPU#1 stuck for 134s! [syz-executor738:4553]
+Modules linked in:
+irq event stamp: 13885653
+hardirqs last enabled at (13885652): [<ffffffff878009d5>] restore_regs_and_return_to_kernel+0x0/0x2b
+hardirqs last disabled at (13885653): [<ffffffff87800905>] interrupt_entry+0xb5/0xf0 arch/x86/entry/entry_64.S:625
+softirqs last enabled at (13614028): [<ffffffff84df0809>] tun_napi_alloc_frags drivers/net/tun.c:1478 [inline]
+softirqs last enabled at (13614028): [<ffffffff84df0809>] tun_get_user+0x1dd9/0x4290 drivers/net/tun.c:1825
+softirqs last disabled at (13614032): [<ffffffff84df1b6f>] tun_get_user+0x313f/0x4290 drivers/net/tun.c:1942
+CPU: 1 PID: 4553 Comm: syz-executor738 Not tainted 4.17.0-rc3+ #40
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:check_kcov_mode kernel/kcov.c:67 [inline]
+RIP: 0010:__sanitizer_cov_trace_pc+0x20/0x50 kernel/kcov.c:101
+RSP: 0018:ffff8801d8cfe250 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
+RAX: ffff8801d88a8080 RBX: ffff8801d7389e40 RCX: 0000000000000006
+RDX: 0000000000000000 RSI: ffffffff868da4ad RDI: ffff8801c8a53277
+RBP: ffff8801d8cfe250 R08: ffff8801d88a8080 R09: ffff8801d8cfe3e8
+R10: ffffed003b19fc87 R11: ffff8801d8cfe43f R12: ffff8801c8a5327f
+R13: 0000000000000000 R14: ffff8801c8a4e5fe R15: ffff8801d8cfe3e8
+FS: 0000000000d88940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffff600400 CR3: 00000001acab3000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ _decode_session6+0xc1d/0x14f0 net/ipv6/xfrm6_policy.c:150
+ __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2368
+ xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline]
+ icmpv6_route_lookup+0x395/0x6e0 net/ipv6/icmp.c:372
+ icmp6_send+0x1982/0x2da0 net/ipv6/icmp.c:551
+ icmpv6_send+0x17a/0x300 net/ipv6/ip6_icmp.c:43
+ ip6_input_finish+0x14e1/0x1a30 net/ipv6/ip6_input.c:305
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ip6_input+0xe1/0x5e0 net/ipv6/ip6_input.c:327
+ dst_input include/net/dst.h:450 [inline]
+ ip6_rcv_finish+0x29c/0xa10 net/ipv6/ip6_input.c:71
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ipv6_rcv+0xeb8/0x2040 net/ipv6/ip6_input.c:208
+ __netif_receive_skb_core+0x2468/0x3650 net/core/dev.c:4646
+ __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4711
+ netif_receive_skb_internal+0x126/0x7b0 net/core/dev.c:4785
+ napi_frags_finish net/core/dev.c:5226 [inline]
+ napi_gro_frags+0x631/0xc40 net/core/dev.c:5299
+ tun_get_user+0x3168/0x4290 drivers/net/tun.c:1951
+ tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:1996
+ call_write_iter include/linux/fs.h:1784 [inline]
+ do_iter_readv_writev+0x859/0xa50 fs/read_write.c:680
+ do_iter_write+0x185/0x5f0 fs/read_write.c:959
+ vfs_writev+0x1c7/0x330 fs/read_write.c:1004
+ do_writev+0x112/0x2f0 fs/read_write.c:1039
+ __do_sys_writev fs/read_write.c:1112 [inline]
+ __se_sys_writev fs/read_write.c:1109 [inline]
+ __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109
+ do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Reported-by: syzbot+0053c8...@syzkaller.appspotmail.com
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/xfrm6_policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
+index 79651bc71bf0..7d89acf2fdd6 100644
+--- a/net/ipv6/xfrm6_policy.c
++++ b/net/ipv6/xfrm6_policy.c
+@@ -119,7 +119,7 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
+ struct flowi6 *fl6 = &fl->u.ip6;
+ int onlyproto = 0;
+ const struct ipv6hdr *hdr = ipv6_hdr(skb);
+- u16 offset = sizeof(*hdr);
++ u32 offset = sizeof(*hdr);
+ struct ipv6_opt_hdr *exthdr;
+ const unsigned char *nh = skb_network_header(skb);
+ u16 nhoff = IP6CB(skb)->nhoff;
+--
+2.12.3
+
diff --git a/patches.fixes/0018-sctp-fix-identification-of-new-acks-for-SFR-CACC.patch b/patches.fixes/0018-sctp-fix-identification-of-new-acks-for-SFR-CACC.patch
new file mode 100644
index 0000000000..4c76abe212
--- /dev/null
+++ b/patches.fixes/0018-sctp-fix-identification-of-new-acks-for-SFR-CACC.patch
@@ -0,0 +1,120 @@
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Subject: sctp: fix identification of new acks for SFR-CACC
+Patch-mainline: v4.18-rc1
+Git-commit: 51446780fc33e45cb790c05a7fa2c5bf7e8bc53b
+References: git-fixes
+
+
+It's currently written as:
+
+if (!tchunk->tsn_gap_acked) { [1]
+ tchunk->tsn_gap_acked = 1;
+ ...
+}
+
+if (TSN_lte(tsn, sack_ctsn)) {
+ if (!tchunk->tsn_gap_acked) {
+ /* SFR-CACC processing */
+ ...
+ }
+}
+
+Which causes the SFR-CACC processing on ack reception to never process,
+as tchunk->tsn_gap_acked is always true by then. Block [1] was
+moved to that position by the commit marked below.
+
+This patch fixes it by doing SFR-CACC processing earlier, before
+tsn_gap_acked is set to true.
+
+Fixes: 31b02e154940 ("sctp: Failover transmitted list on transport delete")
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/sctp/outqueue.c | 48 +++++++++++++++++++++++-------------------------
+ 1 file changed, 23 insertions(+), 25 deletions(-)
+
+diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
+index 05be058255ea..b3f44daf3af6 100644
+--- a/net/sctp/outqueue.c
++++ b/net/sctp/outqueue.c
+@@ -1447,7 +1447,7 @@ static void sctp_check_transmitted(struct sctp_outq *q,
+ * the outstanding bytes for this chunk, so only
+ * count bytes associated with a transport.
+ */
+- if (transport) {
++ if (transport && !tchunk->tsn_gap_acked) {
+ /* If this chunk is being used for RTT
+ * measurement, calculate the RTT and update
+ * the RTO using this value.
+@@ -1459,14 +1459,34 @@ static void sctp_check_transmitted(struct sctp_outq *q,
+ * first instance of the packet or a later
+ * instance).
+ */
+- if (!tchunk->tsn_gap_acked &&
+- !sctp_chunk_retransmitted(tchunk) &&
++ if (!sctp_chunk_retransmitted(tchunk) &&
+ tchunk->rtt_in_progress) {
+ tchunk->rtt_in_progress = 0;
+ rtt = jiffies - tchunk->sent_at;
+ sctp_transport_update_rto(transport,
+ rtt);
+ }
++
++ if (TSN_lte(tsn, sack_ctsn)) {
++ /*
++ * SFR-CACC algorithm:
++ * 2) If the SACK contains gap acks
++ * and the flag CHANGEOVER_ACTIVE is
++ * set the receiver of the SACK MUST
++ * take the following action:
++ *
++ * B) For each TSN t being acked that
++ * has not been acked in any SACK so
++ * far, set cacc_saw_newack to 1 for
++ * the destination that the TSN was
++ * sent to.
++ */
++ if (sack->num_gap_ack_blocks &&
++ q->asoc->peer.primary_path->cacc.
++ changeover_active)
++ transport->cacc.cacc_saw_newack
++ = 1;
++ }
+ }
+
+ /* If the chunk hasn't been marked as ACKED,
+@@ -1498,28 +1518,6 @@ static void sctp_check_transmitted(struct sctp_outq *q,
+ restart_timer = 1;
+ forward_progress = true;
+
+- if (!tchunk->tsn_gap_acked) {
+- /*
+- * SFR-CACC algorithm:
+- * 2) If the SACK contains gap acks
+- * and the flag CHANGEOVER_ACTIVE is
+- * set the receiver of the SACK MUST
+- * take the following action:
+- *
+- * B) For each TSN t being acked that
+- * has not been acked in any SACK so
+- * far, set cacc_saw_newack to 1 for
+- * the destination that the TSN was
+- * sent to.
+- */
+- if (transport &&
+- sack->num_gap_ack_blocks &&
+- q->asoc->peer.primary_path->cacc.
+- changeover_active)
+- transport->cacc.cacc_saw_newack
+- = 1;
+- }
+-
+ list_add_tail(&tchunk->transmitted_list,
+ &q->sacked);
+ } else {
+--
+2.12.3
+
diff --git a/patches.fixes/0019-ip_tunnel-Fix-name-string-concatenate-in-__ip_tunnel.patch b/patches.fixes/0019-ip_tunnel-Fix-name-string-concatenate-in-__ip_tunnel.patch
new file mode 100644
index 0000000000..e06411857d
--- /dev/null
+++ b/patches.fixes/0019-ip_tunnel-Fix-name-string-concatenate-in-__ip_tunnel.patch
@@ -0,0 +1,39 @@
+From: Sultan Alsawaf <sultanxda@gmail.com>
+Subject: ip_tunnel: Fix name string concatenate in
+ __ip_tunnel_create()
+Patch-mainline: v4.18-rc1
+Git-commit: 000ade8016400d93b4d7c89970d96b8c14773d45
+References: git-fixes
+
+
+By passing a limit of 2 bytes to strncat, strncat is limited to writing
+fewer bytes than what it's supposed to append to the name here.
+
+Since the bounds are checked on the line above this, just remove the string
+bounds checks entirely since they're unneeded.
+
+Signed-off-by: Sultan Alsawaf <sultanxda@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/ip_tunnel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
+index 440a289ebd68..9b5d313f445c 100644
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -261,8 +261,8 @@ static struct net_device *__ip_tunnel_create(struct net *net,
+ } else {
+ if (strlen(ops->kind) > (IFNAMSIZ - 3))
+ goto failed;
+- strlcpy(name, ops->kind, IFNAMSIZ);
+- strncat(name, "%d", 2);
++ strcpy(name, ops->kind);
++ strcat(name, "%d");
+ }
+
+ ASSERT_RTNL();
+--
+2.12.3
+
diff --git a/patches.fixes/0020-netfilter-nf_tables-check-msg_type-before-nft_trans_.patch b/patches.fixes/0020-netfilter-nf_tables-check-msg_type-before-nft_trans_.patch
new file mode 100644
index 0000000000..a1ededb25d
--- /dev/null
+++ b/patches.fixes/0020-netfilter-nf_tables-check-msg_type-before-nft_trans_.patch
@@ -0,0 +1,145 @@
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Subject: netfilter: nf_tables: check msg_type before
+ nft_trans_set(trans)
+Patch-mainline: v4.18-rc1
+Git-commit: 9c7f96fd77b0dbe1fe7ed1f9c462c45dc48a1076
+References: git-fixes
+
+
+The patch moves the "trans->msg_type == NFT_MSG_NEWSET" check before
+using nft_trans_set(trans). Otherwise we can get out of bounds read.
+
+For example, KASAN reported the one when running 0001_cache_handling_0 nft
+test. In this case "trans->msg_type" was NFT_MSG_NEWTABLE:
+
+[75517.177808] BUG: KASAN: slab-out-of-bounds in nft_set_lookup_global+0x22f/0x270 [nf_tables]
+[75517.279094] Read of size 8 at addr ffff881bdb643fc8 by task nft/7356
+...
+[75517.375605] CPU: 26 PID: 7356 Comm: nft Tainted: G E 4.17.0-rc7.1.x86_64 #1
+[75517.489587] Hardware name: Oracle Corporation SUN SERVER X4-2
+[75517.618129] Call Trace:
+[75517.648821] dump_stack+0xd1/0x13b
+[75517.691040] ? show_regs_print_info+0x5/0x5
+[75517.742519] ? kmsg_dump_rewind_nolock+0xf5/0xf5
+[75517.799300] ? lock_acquire+0x143/0x310
+[75517.846738] print_address_description+0x85/0x3a0
+[75517.904547] kasan_report+0x18d/0x4b0
+[75517.949892] ? nft_set_lookup_global+0x22f/0x270 [nf_tables]
+[75518.019153] ? nft_set_lookup_global+0x22f/0x270 [nf_tables]
+[75518.088420] ? nft_set_lookup_global+0x22f/0x270 [nf_tables]
+[75518.157689] nft_set_lookup_global+0x22f/0x270 [nf_tables]
+[75518.224869] nf_tables_newsetelem+0x1a5/0x5d0 [nf_tables]
+[75518.291024] ? nft_add_set_elem+0x2280/0x2280 [nf_tables]
+[75518.357154] ? nla_parse+0x1a5/0x300
+[75518.401455] ? kasan_kmalloc+0xa6/0xd0
+[75518.447842] nfnetlink_rcv+0xc43/0x1bdf [nfnetlink]
+[75518.507743] ? nfnetlink_rcv+0x7a5/0x1bdf [nfnetlink]
+[75518.569745] ? nfnl_err_reset+0x3c0/0x3c0 [nfnetlink]
+[75518.631711] ? lock_acquire+0x143/0x310
+[75518.679133] ? netlink_deliver_tap+0x9b/0x1070
+[75518.733840] ? kasan_unpoison_shadow+0x31/0x40
+[75518.788542] netlink_unicast+0x45d/0x680
+[75518.837111] ? __isolate_free_page+0x890/0x890
+[75518.891913] ? netlink_attachskb+0x6b0/0x6b0
+[75518.944542] netlink_sendmsg+0x6fa/0xd30
+[75518.993107] ? netlink_unicast+0x680/0x680
+[75519.043758] ? netlink_unicast+0x680/0x680
+[75519.094402] sock_sendmsg+0xd9/0x160
+[75519.138810] ___sys_sendmsg+0x64d/0x980
+[75519.186234] ? copy_msghdr_from_user+0x350/0x350
+[75519.243118] ? lock_downgrade+0x650/0x650
+[75519.292738] ? do_raw_spin_unlock+0x5d/0x250
+[75519.345456] ? _raw_spin_unlock+0x24/0x30
+[75519.395065] ? __handle_mm_fault+0xbde/0x3410
+[75519.448830] ? sock_setsockopt+0x3d2/0x1940
+[75519.500516] ? __lock_acquire.isra.25+0xdc/0x19d0
+[75519.558448] ? lock_downgrade+0x650/0x650
+[75519.608057] ? __audit_syscall_entry+0x317/0x720
+[75519.664960] ? __fget_light+0x58/0x250
+[75519.711325] ? __sys_sendmsg+0xde/0x170
+[75519.758850] __sys_sendmsg+0xde/0x170
+[75519.804193] ? __ia32_sys_shutdown+0x90/0x90
+[75519.856725] ? syscall_trace_enter+0x897/0x10e0
+[75519.912354] ? trace_event_raw_event_sys_enter+0x920/0x920
+[75519.979432] ? __audit_syscall_entry+0x720/0x720
+[75520.036118] do_syscall_64+0xa3/0x3d0
+[75520.081248] ? prepare_exit_to_usermode+0x47/0x1d0
+[75520.139904] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[75520.201680] RIP: 0033:0x7fc153320ba0
+[75520.245772] RSP: 002b:00007ffe294c3638 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+[75520.337708] RAX: ffffffffffffffda RBX: 00007ffe294c4820 RCX: 00007fc153320ba0
+[75520.424547] RDX: 0000000000000000 RSI: 00007ffe294c46b0 RDI: 0000000000000003
+[75520.511386] RBP: 00007ffe294c47b0 R08: 0000000000000004 R09: 0000000002114090
+[75520.598225] R10: 00007ffe294c30a0 R11: 0000000000000246 R12: 00007ffe294c3660
+[75520.684961] R13: 0000000000000001 R14: 00007ffe294c3650 R15: 0000000000000001
+
+[75520.790946] Allocated by task 7356:
+[75520.833994] kasan_kmalloc+0xa6/0xd0
+[75520.878088] __kmalloc+0x189/0x450
+[75520.920107] nft_trans_alloc_gfp+0x20/0x190 [nf_tables]
+[75520.983961] nf_tables_newtable+0xcd0/0x1bd0 [nf_tables]
+[75521.048857] nfnetlink_rcv+0xc43/0x1bdf [nfnetlink]
+[75521.108655] netlink_unicast+0x45d/0x680
+[75521.157013] netlink_sendmsg+0x6fa/0xd30
+[75521.205271] sock_sendmsg+0xd9/0x160
+[75521.249365] ___sys_sendmsg+0x64d/0x980
+[75521.296686] __sys_sendmsg+0xde/0x170
+[75521.341822] do_syscall_64+0xa3/0x3d0
+[75521.386957] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+[75521.467867] Freed by task 23454:
+[75521.507804] __kasan_slab_free+0x132/0x180
+[75521.558137] kfree+0x14d/0x4d0
+[75521.596005] free_rt_sched_group+0x153/0x280
+[75521.648410] sched_autogroup_create_attach+0x19a/0x520
+[75521.711330] ksys_setsid+0x2ba/0x400
+[75521.755529] __ia32_sys_setsid+0xa/0x10
+[75521.802850] do_syscall_64+0xa3/0x3d0
+[75521.848090] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+[75521.929000] The buggy address belongs to the object at ffff881bdb643f80
+ which belongs to the cache kmalloc-96 of size 96
+[75522.079797] The buggy address is located 72 bytes inside of
+ 96-byte region [ffff881bdb643f80, ffff881bdb643fe0)
+[75522.221234] The buggy address belongs to the page:
+[75522.280100] page:ffffea006f6d90c0 count:1 mapcount:0 mapping:0000000000000000 index:0x0
+[75522.377443] flags: 0x2fffff80000100(slab)
+[75522.426956] raw: 002fffff80000100 0000000000000000 0000000000000000 0000000180200020
+[75522.521275] raw: ffffea006e6fafc0 0000000c0000000c ffff881bf180f400 0000000000000000
+[75522.615601] page dumped because: kasan: bad access detected
+
+Fixes: 37a9cc525525 ("netfilter: nf_tables: add generation mask to sets")
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nf_tables_api.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index d627a479e332..02b79bde519f 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2564,12 +2564,13 @@ static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
+ u32 id = ntohl(nla_get_be32(nla));
+
+ list_for_each_entry(trans, &net->nft.commit_list, list) {
+- struct nft_set *set = nft_trans_set(trans);
++ if (trans->msg_type == NFT_MSG_NEWSET) {
++ struct nft_set *set = nft_trans_set(trans);
+
+- if (trans->msg_type == NFT_MSG_NEWSET &&
+- id == nft_trans_set_id(trans) &&
+- nft_active_genmask(set, genmask))
+- return set;
++ if (id == nft_trans_set_id(trans) &&
++ nft_active_genmask(set, genmask))
++ return set;
++ }
+ }
+ return ERR_PTR(-ENOENT);
+ }
+--
+2.12.3
+
diff --git a/patches.fixes/0022-ipvs-fix-check-on-xmit-to-non-local-addresses.patch b/patches.fixes/0022-ipvs-fix-check-on-xmit-to-non-local-addresses.patch
new file mode 100644
index 0000000000..ecf4e516f3
--- /dev/null
+++ b/patches.fixes/0022-ipvs-fix-check-on-xmit-to-non-local-addresses.patch
@@ -0,0 +1,42 @@
+From: Julian Anastasov <ja@ssi.bg>
+Subject: ipvs: fix check on xmit to non-local addresses
+Patch-mainline: v4.18-rc1
+Git-commit: 6fcc02e3c2bddeaf628fde3c6a5ab3216d45691a
+References: git-fixes
+
+There is mistake in the rt_mode_allow_non_local assignment.
+It should be used to check if sending to non-local addresses is
+allowed, now it checks if local addresses are allowed.
+
+As local addresses are allowed for most of the cases, the only
+places that are affected are for traffic to transparent cache
+servers:
+
+- bypass connections when cache server is not available
+- related ICMP in FORWARD hook when sent to cache server
+
+Fixes: 4a4739d56b00 ("ipvs: Pull out crosses_local_route_boundary logic")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/ipvs/ip_vs_xmit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
+index 2eab1e0400f4..6edbd8db80af 100644
+--- a/net/netfilter/ipvs/ip_vs_xmit.c
++++ b/net/netfilter/ipvs/ip_vs_xmit.c
+@@ -168,7 +168,7 @@ static inline bool crosses_local_route_boundary(int skb_af, struct sk_buff *skb,
+ bool new_rt_is_local)
+ {
+ bool rt_mode_allow_local = !!(rt_mode & IP_VS_RT_MODE_LOCAL);
+- bool rt_mode_allow_non_local = !!(rt_mode & IP_VS_RT_MODE_LOCAL);
++ bool rt_mode_allow_non_local = !!(rt_mode & IP_VS_RT_MODE_NON_LOCAL);
+ bool rt_mode_allow_redirect = !!(rt_mode & IP_VS_RT_MODE_RDR);
+ bool source_is_loopback;
+ bool old_rt_is_local;
+--
+2.12.3
+
diff --git a/patches.fixes/0023-netfilter-ebtables-reject-non-bridge-targets.patch b/patches.fixes/0023-netfilter-ebtables-reject-non-bridge-targets.patch
new file mode 100644
index 0000000000..d24b7de86e
--- /dev/null
+++ b/patches.fixes/0023-netfilter-ebtables-reject-non-bridge-targets.patch
@@ -0,0 +1,66 @@
+From: Florian Westphal <fw@strlen.de>
+Subject: netfilter: ebtables: reject non-bridge targets
+Patch-mainline: v4.18-rc1
+Git-commit: 11ff7288beb2b7da889a014aff0a7b80bf8efcf3
+References: git-fixes
+
+
+the ebtables evaluation loop expects targets to return
+positive values (jumps), or negative values (absolute verdicts).
+
+This is completely different from what xtables does.
+In xtables, targets are expected to return the standard netfilter
+verdicts, i.e. NF_DROP, NF_ACCEPT, etc.
+
+ebtables will consider these as jumps.
+
+Therefore reject any target found due to unspec fallback.
+v2: also reject watchers. ebtables ignores their return value, so
+a target that assumes skb ownership (and returns NF_STOLEN) causes
+use-after-free.
+
+The only watchers in the 'ebtables' front-end are log and nflog;
+both have AF_BRIDGE specific wrappers on kernel side.
+
+Reported-by: syzbot+2b43f681169a2a0d306a@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/bridge/netfilter/ebtables.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 546c20cf632e..a97cd8c3f1a7 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -402,6 +402,12 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
+ watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
+ if (IS_ERR(watcher))
+ return PTR_ERR(watcher);
++
++ if (watcher->family != NFPROTO_BRIDGE) {
++ module_put(watcher->me);
++ return -ENOENT;
++ }
++
+ w->u.watcher = watcher;
+
+ par->target = watcher;
+@@ -721,6 +727,13 @@ ebt_check_entry(struct ebt_entry *e, struct net *net,
+ goto cleanup_watchers;
+ }
+
++ /* Reject UNSPEC, xtables verdicts/return values are incompatible */
++ if (target->family != NFPROTO_BRIDGE) {
++ module_put(target->me);
++ ret = -ENOENT;
++ goto cleanup_watchers;
++ }
++
+ t->u.target = target;
+ if (t->u.target == &ebt_standard_target) {
+ if (gap < sizeof(struct ebt_standard_target)) {
+--
+2.12.3
+
diff --git a/patches.fixes/0024-netfilter-x_tables-initialise-match-target-check-par.patch b/patches.fixes/0024-netfilter-x_tables-initialise-match-target-check-par.patch
new file mode 100644
index 0000000000..24704aa03b
--- /dev/null
+++ b/patches.fixes/0024-netfilter-x_tables-initialise-match-target-check-par.patch
@@ -0,0 +1,77 @@
+From: Florian Westphal <fw@strlen.de>
+Subject: netfilter: x_tables: initialise match/target check
+ parameter struct
+Patch-mainline: 4.18-rc1
+Git-commit: c568503ef02030f169c9e19204def610a3510918
+References: git-fixes
+
+
+syzbot reports following splat:
+
+BUG: KMSAN: uninit-value in ebt_stp_mt_check+0x24b/0x450
+ net/bridge/netfilter/ebt_stp.c:162
+ ebt_stp_mt_check+0x24b/0x450 net/bridge/netfilter/ebt_stp.c:162
+ xt_check_match+0x1438/0x1650 net/netfilter/x_tables.c:506
+ ebt_check_match net/bridge/netfilter/ebtables.c:372 [inline]
+ ebt_check_entry net/bridge/netfilter/ebtables.c:702 [inline]
+
+The uninitialised access is
+ xt_mtchk_param->nft_compat
+
+... which should be set to 0.
+Fix it by zeroing the struct beforehand, same for tgchk.
+
+ip(6)tables targetinfo uses c99-style initialiser, so no change
+needed there.
+
+Reported-by: syzbot+da4494182233c23a5fcf@syzkaller.appspotmail.com
+Fixes: 55917a21d0cc0 ("netfilter: x_tables: add context to know if extension runs from nft_compat")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/bridge/netfilter/ebtables.c | 2 ++
+ net/ipv4/netfilter/ip_tables.c | 1 +
+ net/ipv6/netfilter/ip6_tables.c | 1 +
+ 3 files changed, 4 insertions(+)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index a97cd8c3f1a7..d7418e1d70e8 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -706,6 +706,8 @@ ebt_check_entry(struct ebt_entry *e, struct net *net,
+ }
+ i = 0;
+
++ memset(&mtpar, 0, sizeof(mtpar));
++ memset(&tgpar, 0, sizeof(tgpar));
+ mtpar.net = tgpar.net = net;
+ mtpar.table = tgpar.table = name;
+ mtpar.entryinfo = tgpar.entryinfo = e;
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index b3b49c07b7af..7bf9d034112f 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -546,6 +546,7 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
+ return -ENOMEM;
+
+ j = 0;
++ memset(&mtpar, 0, sizeof(mtpar));
+ mtpar.net = net;
+ mtpar.table = name;
+ mtpar.entryinfo = &e->ip;
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index 7d2228be6fa5..f2b3b5879536 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -567,6 +567,7 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
+ return -ENOMEM;
+
+ j = 0;
++ memset(&mtpar, 0, sizeof(mtpar));
+ mtpar.net = net;
+ mtpar.table = name;
+ mtpar.entryinfo = &e->ipv6;
+--
+2.12.3
+
diff --git a/patches.fixes/0025-l2tp-only-accept-PPP-sessions-in-pppol2tp_connect.patch b/patches.fixes/0025-l2tp-only-accept-PPP-sessions-in-pppol2tp_connect.patch
new file mode 100644
index 0000000000..504fa0cd1e
--- /dev/null
+++ b/patches.fixes/0025-l2tp-only-accept-PPP-sessions-in-pppol2tp_connect.patch
@@ -0,0 +1,40 @@
+From: Guillaume Nault <g.nault@alphalink.fr>
+Subject: l2tp: only accept PPP sessions in pppol2tp_connect()
+Patch-mainline: v4.18-rc1
+Git-commit: 7ac6ab1f8a38ba7f8d97f95475bb6a2575db4658
+References: git-fixes
+
+l2tp_session_priv() returns a struct pppol2tp_session pointer only for
+PPPoL2TP sessions. In particular, if the session is an L2TP_PWTYPE_ETH
+pseudo-wire, l2tp_session_priv() returns a pointer to an l2tp_eth_sess
+structure, which is much smaller than struct pppol2tp_session. This
+leads to invalid memory dereference when trying to lock ps->sk_lock.
+
+Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/l2tp/l2tp_ppp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 6541e8103187..4718916e9bdc 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -746,6 +746,12 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
+ session = l2tp_session_get(sock_net(sk), tunnel, session_id);
+ if (session) {
+ drop_refcnt = true;
++
++ if (session->pwtype != L2TP_PWTYPE_PPP) {
++ error = -EPROTOTYPE;
++ goto end;
++ }
++
+ ps = l2tp_session_priv(session);
+
+ /* Using a pre-existing session is fine as long as it hasn't
+--
+2.12.3
+
diff --git a/patches.fixes/0026-l2tp-prevent-pppol2tp_connect-from-creating-kernel-s.patch b/patches.fixes/0026-l2tp-prevent-pppol2tp_connect-from-creating-kernel-s.patch
new file mode 100644
index 0000000000..025c5cdc0b
--- /dev/null
+++ b/patches.fixes/0026-l2tp-prevent-pppol2tp_connect-from-creating-kernel-s.patch
@@ -0,0 +1,49 @@
+From: Guillaume Nault <g.nault@alphalink.fr>
+Subject: l2tp: prevent pppol2tp_connect() from creating kernel
+ sockets
+Patch-mainline: v4.18-rc1
+Git-commit: 3e1bc8bf974e2d4e7beb842a4c801c2542eff3bd
+References: git-fixes
+
+
+If 'fd' is negative, l2tp_tunnel_create() creates a tunnel socket using
+the configuration passed in 'tcfg'. Currently, pppol2tp_connect() sets
+the relevant fields to zero, tricking l2tp_tunnel_create() into setting
+up an unusable kernel socket.
+
+We can't set 'tcfg' with the required fields because there's no way to
+get them from the current connect() parameters. So let's restrict
+kernel sockets creation to the netlink API, which is the original use
+case.
+
+Fixes: 789a4a2c61d8 ("l2tp: Add support for static unmanaged L2TPv3 tunnels")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/l2tp/l2tp_ppp.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 4718916e9bdc..a28829c2eb41 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -722,6 +722,15 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
+ .encap = L2TP_ENCAPTYPE_UDP,
+ .debug = 0,
+ };
++
++ /* Prevent l2tp_tunnel_register() from trying to set up
++ * a kernel socket.
++ */
++ if (fd < 0) {
++ error = -EBADF;
++ goto end;
++ }
++
+ error = l2tp_tunnel_create(sock_net(sk), fd, ver, tunnel_id, peer_tunnel_id, &tcfg, &tunnel);
+ if (error < 0)
+ goto end;
+--
+2.12.3
+
diff --git a/patches.fixes/0027-l2tp-filter-out-non-PPP-sessions-in-pppol2tp_tunnel_.patch b/patches.fixes/0027-l2tp-filter-out-non-PPP-sessions-in-pppol2tp_tunnel_.patch
new file mode 100644
index 0000000000..6505086df6
--- /dev/null
+++ b/patches.fixes/0027-l2tp-filter-out-non-PPP-sessions-in-pppol2tp_tunnel_.patch
@@ -0,0 +1,41 @@
+From: Guillaume Nault <g.nault@alphalink.fr>
+Subject: l2tp: filter out non-PPP sessions in
+ pppol2tp_tunnel_ioctl()
+Patch-mainline: v4.18-rc1
+Git-commit: ecd012e45ab5fd76ed57546865897ce35920f56b
+References: git-fixes
+
+
+pppol2tp_tunnel_ioctl() can act on an L2TPv3 tunnel, in which case
+'session' may be an Ethernet pseudo-wire.
+
+However, pppol2tp_session_ioctl() expects a PPP pseudo-wire, as it
+assumes l2tp_session_priv() points to a pppol2tp_session structure. For
+an Ethernet pseudo-wire l2tp_session_priv() points to an l2tp_eth_sess
+structure instead, making pppol2tp_session_ioctl() access invalid
+memory.
+
+Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/l2tp/l2tp_ppp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index a28829c2eb41..3cd4cce8338c 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -1214,7 +1214,7 @@ static int pppol2tp_tunnel_ioctl(struct l2tp_tunnel *tunnel,
+ l2tp_session_get(sock_net(sk), tunnel,
+ stats.session_id);
+
+- if (session) {
++ if (session && session->pwtype == L2TP_PWTYPE_PPP) {
+ err = pppol2tp_session_ioctl(session, cmd,
+ arg);
+ l2tp_session_dec_refcount(session);
+--
+2.12.3
+
diff --git a/patches.fixes/0028-ipv6-mcast-fix-unsolicited-report-interval-after-rec.patch b/patches.fixes/0028-ipv6-mcast-fix-unsolicited-report-interval-after-rec.patch
new file mode 100644
index 0000000000..91b46dde8e
--- /dev/null
+++ b/patches.fixes/0028-ipv6-mcast-fix-unsolicited-report-interval-after-rec.patch
@@ -0,0 +1,60 @@
+From: Hangbin Liu <liuhangbin@gmail.com>
+Subject: ipv6: mcast: fix unsolicited report interval after
+ receiving querys
+Patch-mainline: v4.18-rc3
+Git-commit: 6c6da92808442908287fae8ebb0ca041a52469f4
+References: git-fixes
+
+After recieving MLD querys, we update idev->mc_maxdelay with max_delay
+from query header. This make the later unsolicited reports have the same
+interval with mc_maxdelay, which means we may send unsolicited reports with
+long interval time instead of default configured interval time.
+
+Also as we will not call ipv6_mc_reset() after device up. This issue will
+be there even after leave the group and join other groups.
+
+Fixes: fc4eba58b4c14 ("ipv6: make unsolicited report intervals configurable for mld")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/mcast.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
+index 0642884bb08f..3c6479b32b97 100644
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -2084,7 +2084,8 @@ void ipv6_mc_dad_complete(struct inet6_dev *idev)
+ mld_send_initial_cr(idev);
+ idev->mc_dad_count--;
+ if (idev->mc_dad_count)
+- mld_dad_start_timer(idev, idev->mc_maxdelay);
++ mld_dad_start_timer(idev,
++ unsolicited_report_interval(idev));
+ }
+ }
+
+@@ -2096,7 +2097,8 @@ static void mld_dad_timer_expire(unsigned long data)
+ if (idev->mc_dad_count) {
+ idev->mc_dad_count--;
+ if (idev->mc_dad_count)
+- mld_dad_start_timer(idev, idev->mc_maxdelay);
++ mld_dad_start_timer(idev,
++ unsolicited_report_interval(idev));
+ }
+ in6_dev_put(idev);
+ }
+@@ -2454,7 +2456,8 @@ static void mld_ifc_timer_expire(unsigned long data)
+ if (idev->mc_ifc_count) {
+ idev->mc_ifc_count--;
+ if (idev->mc_ifc_count)
+- mld_ifc_start_timer(idev, idev->mc_maxdelay);
++ mld_ifc_start_timer(idev,
++ unsolicited_report_interval(idev));
+ }
+ in6_dev_put(idev);
+ }
+--
+2.12.3
+
diff --git a/patches.fixes/0038-xfs-split-xfs_bmap_shift_extents.patch b/patches.fixes/0038-xfs-split-xfs_bmap_shift_extents.patch
index 38b5598818..960381715b 100644
--- a/patches.fixes/0038-xfs-split-xfs_bmap_shift_extents.patch
+++ b/patches.fixes/0038-xfs-split-xfs_bmap_shift_extents.patch
@@ -23,10 +23,10 @@ Acked-by: Nikolay Borisov <nborisov@suse.com>
3 files changed, 148 insertions(+), 73 deletions(-)
diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
-index 4062ec298497..186f4719a582 100644
+index d0118a2e51d3..47fb51774fcc 100644
--- a/fs/xfs/libxfs/xfs_bmap.c
+++ b/fs/xfs/libxfs/xfs_bmap.c
-@@ -5687,57 +5687,151 @@ xfs_bmse_shift_one(
+@@ -5700,57 +5700,151 @@ xfs_bmse_shift_one(
return xfs_rmap_map_extent(mp, dfops, ip, whichfork, &new);
}
@@ -78,10 +78,10 @@ index 4062ec298497..186f4719a582 100644
if (unlikely(XFS_TEST_ERROR(
(XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_EXTENTS &&
XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_BTREE),
- mp, XFS_ERRTAG_BMAPIFORMAT, XFS_RANDOM_BMAPIFORMAT))) {
+ mp, XFS_ERRTAG_BMAPIFORMAT))) {
- XFS_ERROR_REPORT("xfs_bmap_shift_extents",
- XFS_ERRLEVEL_LOW, mp);
-+ XFS_ERROR_REPORT("__func__", XFS_ERRLEVEL_LOW, mp);
++ XFS_ERROR_REPORT(__func__, XFS_ERRLEVEL_LOW, mp);
return -EFSCORRUPTED;
}
@@ -192,7 +192,7 @@ index 4062ec298497..186f4719a582 100644
+ if (unlikely(XFS_TEST_ERROR(
+ (XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_EXTENTS &&
+ XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_BTREE),
-+ mp, XFS_ERRTAG_BMAPIFORMAT, XFS_RANDOM_BMAPIFORMAT))) {
++ mp, XFS_ERRTAG_BMAPIFORMAT))) {
+ XFS_ERROR_REPORT(__func__, XFS_ERRLEVEL_LOW, mp);
+ return -EFSCORRUPTED;
+ }
@@ -208,7 +208,7 @@ index 4062ec298497..186f4719a582 100644
error = xfs_iread_extents(tp, ip, whichfork);
if (error)
return error;
-@@ -5757,7 +5851,7 @@ xfs_bmap_shift_extents(
+@@ -5770,7 +5864,7 @@ xfs_bmap_shift_extents(
*/
total_extents = xfs_iext_count(ifp);
if (total_extents == 0) {
@@ -217,7 +217,7 @@ index 4062ec298497..186f4719a582 100644
goto del_cursor;
}
-@@ -5765,12 +5859,10 @@ xfs_bmap_shift_extents(
+@@ -5778,12 +5872,10 @@ xfs_bmap_shift_extents(
* In case of first right shift, we need to initialize next_fsb
*/
if (*next_fsb == NULLFSBLOCK) {
@@ -231,7 +231,7 @@ index 4062ec298497..186f4719a582 100644
goto del_cursor;
}
*next_fsb = got.br_startoff;
-@@ -5785,46 +5877,27 @@ xfs_bmap_shift_extents(
+@@ -5798,46 +5890,27 @@ xfs_bmap_shift_extents(
*/
if (!xfs_iext_lookup_extent(ip, ifp, *next_fsb, &current_ext,
&got)) {
@@ -288,7 +288,7 @@ index 4062ec298497..186f4719a582 100644
}
xfs_iext_get_extent(ifp, current_ext, &got);
diff --git a/fs/xfs/libxfs/xfs_bmap.h b/fs/xfs/libxfs/xfs_bmap.h
-index 7eb1cf199138..cee680f01d87 100644
+index ba5a4835bb13..ca37030f4cfb 100644
--- a/fs/xfs/libxfs/xfs_bmap.h
+++ b/fs/xfs/libxfs/xfs_bmap.h
@@ -228,10 +228,14 @@ int xfs_bmap_del_extent_delay(struct xfs_inode *ip, int whichfork,
@@ -310,10 +310,10 @@ index 7eb1cf199138..cee680f01d87 100644
int xfs_bmapi_reserve_delalloc(struct xfs_inode *ip, int whichfork,
xfs_fileoff_t off, xfs_filblks_t len, xfs_filblks_t prealloc,
diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
-index 29b999e86571..09e21f704444 100644
+index 3273f083c496..034f3429ca8c 100644
--- a/fs/xfs/xfs_bmap_util.c
+++ b/fs/xfs/xfs_bmap_util.c
-@@ -1303,7 +1303,6 @@ xfs_collapse_file_space(
+@@ -1322,7 +1322,6 @@ xfs_collapse_file_space(
xfs_off_t offset,
xfs_off_t len)
{
@@ -321,7 +321,7 @@ index 29b999e86571..09e21f704444 100644
struct xfs_mount *mp = ip->i_mount;
struct xfs_trans *tp;
int error;
-@@ -1313,6 +1312,7 @@ xfs_collapse_file_space(
+@@ -1332,6 +1331,7 @@ xfs_collapse_file_space(
xfs_fileoff_t next_fsb = XFS_B_TO_FSB(mp, offset + len);
xfs_fileoff_t shift_fsb = XFS_B_TO_FSB(mp, len);
uint resblks = XFS_DIOSTRAT_SPACE_RES(mp, 0);
@@ -329,7 +329,7 @@ index 29b999e86571..09e21f704444 100644
ASSERT(xfs_isilocked(ip, XFS_IOLOCK_EXCL));
trace_xfs_collapse_file_space(ip);
-@@ -1340,9 +1340,8 @@ xfs_collapse_file_space(
+@@ -1359,9 +1359,8 @@ xfs_collapse_file_space(
xfs_trans_ijoin(tp, ip, XFS_ILOCK_EXCL);
xfs_defer_init(&dfops, &first_block);
@@ -341,7 +341,7 @@ index 29b999e86571..09e21f704444 100644
if (error)
goto out_bmap_cancel;
-@@ -1387,7 +1386,7 @@ xfs_insert_file_space(
+@@ -1406,7 +1405,7 @@ xfs_insert_file_space(
xfs_fileoff_t stop_fsb = XFS_B_TO_FSB(mp, offset);
xfs_fileoff_t next_fsb = NULLFSBLOCK;
xfs_fileoff_t shift_fsb = XFS_B_TO_FSB(mp, len);
@@ -350,7 +350,7 @@ index 29b999e86571..09e21f704444 100644
ASSERT(xfs_isilocked(ip, XFS_IOLOCK_EXCL));
trace_xfs_insert_file_space(ip);
-@@ -1414,9 +1413,8 @@ xfs_insert_file_space(
+@@ -1433,9 +1432,8 @@ xfs_insert_file_space(
xfs_ilock(ip, XFS_ILOCK_EXCL);
xfs_trans_ijoin(tp, ip, XFS_ILOCK_EXCL);
xfs_defer_init(&dfops, &first_block);
@@ -363,5 +363,5 @@ index 29b999e86571..09e21f704444 100644
goto out_bmap_cancel;
--
-2.7.4
+2.16.4
diff --git a/patches.fixes/ACPI-button-reinitialize-button-state-upon-resume.patch b/patches.fixes/ACPI-button-reinitialize-button-state-upon-resume.patch
new file mode 100644
index 0000000000..d9752fa0cd
--- /dev/null
+++ b/patches.fixes/ACPI-button-reinitialize-button-state-upon-resume.patch
@@ -0,0 +1,46 @@
+From 13e962140be671f31a011543f11477af67a6c33e Mon Sep 17 00:00:00 2001
+From: Zhang Rui <rui.zhang@intel.com>
+Date: Tue, 2 Apr 2019 21:38:32 +0800
+Subject: [PATCH] ACPI: button: reinitialize button state upon resume
+Git-commit: 13e962140be671f31a011543f11477af67a6c33e
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+With commit dfa46c50f65b ("ACPI / button: Fix an issue in
+button.lid_init_state=ignore mode"), the lid device is considered to be
+not compliant to SW_LID if the Lid state is unchanged when updating it.
+
+This is not wrong, but we overlooked the resume case, where Lid state is
+updated unconditionally in the button driver .resume() callback. And this
+results in warning message "ACPI: button: The lid device is not compliant
+to SW_LID." after resume, if the machine is suspended with Lid opened and
+then resumed with Lid opened.
+
+Fix this by flushing the cached lid state before updating the Lid device
+in .resume() callback.
+
+Fixes: dfa46c50f65b ("ACPI / button: Fix an issue in button.lid_init_state=ignore mode")
+Reported-and-tested-by: Zhao Lijian <lijian.zhao@intel.com>
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/button.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/button.c
++++ b/drivers/acpi/button.c
+@@ -442,8 +442,11 @@ static int acpi_button_resume(struct dev
+ struct acpi_button *button = acpi_driver_data(device);
+
+ button->suspended = false;
+- if (button->type == ACPI_BUTTON_TYPE_LID)
++ if (button->type == ACPI_BUTTON_TYPE_LID) {
++ button->last_state = !!acpi_lid_evaluate_state(device);
++ button->last_time = ktime_get();
+ acpi_lid_initialize_state(device);
++ }
+ return 0;
+ }
+ #endif
diff --git a/patches.fixes/ACPI-utils-Drop-reference-in-test-for-device-presenc.patch b/patches.fixes/ACPI-utils-Drop-reference-in-test-for-device-presenc.patch
new file mode 100644
index 0000000000..6e27ead003
--- /dev/null
+++ b/patches.fixes/ACPI-utils-Drop-reference-in-test-for-device-presenc.patch
@@ -0,0 +1,35 @@
+From 54e3aca84e571559915998aa6cc05e5ac37c043b Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Mon, 18 Mar 2019 21:47:09 +0300
+Subject: [PATCH] ACPI / utils: Drop reference in test for device presence
+Git-commit: 54e3aca84e571559915998aa6cc05e5ac37c043b
+Patch-mainline: v5.1-rc2
+References: bsc#1051510
+
+When commit 8661423eea1a ("ACPI / utils: Add new acpi_dev_present
+helper") introduced acpi_dev_present(), it missed the fact that
+bus_find_device() took a reference on the device found by it and
+the callers of acpi_dev_present() don't drop that reference.
+
+Drop the reference on the device in acpi_dev_present().
+
+Fixes: 8661423eea1a ("ACPI / utils: Add new acpi_dev_present helper")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/acpi/utils.c
++++ b/drivers/acpi/utils.c
+@@ -798,6 +798,7 @@ bool acpi_dev_present(const char *hid, c
+ dev = bus_find_device(&acpi_bus_type, NULL, &match,
+ acpi_dev_present_cb);
+
++ put_device(dev);
+ return !!dev;
+ }
+ EXPORT_SYMBOL(acpi_dev_present);
diff --git a/patches.fixes/ACPICA-AML-interpreter-add-region-addresses-in-globa.patch b/patches.fixes/ACPICA-AML-interpreter-add-region-addresses-in-globa.patch
new file mode 100644
index 0000000000..87b2a9052c
--- /dev/null
+++ b/patches.fixes/ACPICA-AML-interpreter-add-region-addresses-in-globa.patch
@@ -0,0 +1,49 @@
+From 4abb951b73ff0a8a979113ef185651aa3c8da19b Mon Sep 17 00:00:00 2001
+From: Erik Schmauss <erik.schmauss@intel.com>
+Date: Wed, 17 Oct 2018 14:09:35 -0700
+Subject: [PATCH] ACPICA: AML interpreter: add region addresses in global list during initialization
+Git-commit: 4abb951b73ff0a8a979113ef185651aa3c8da19b
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+The table load process omitted adding the operation region address
+range to the global list. This omission is problematic because the OS
+queries the global list to check for address range conflicts before
+deciding which drivers to load. This commit may result in warning
+messages that look like the following:
+
+[ 7.871761] ACPI Warning: system_IO range 0x00000428-0x0000042F conflicts with op_region 0x00000400-0x0000047F (\PMIO) (20180531/utaddress-213)
+[ 7.871769] ACPI: If an ACPI driver is available for this device, you should use it instead of the native driver
+
+However, these messages do not signify regressions. It is a result of
+properly adding address ranges within the global address list.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=200011
+Tested-by: Jean-Marc Lenoir <archlinux@jihemel.com>
+Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/acpica/dsopcode.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/acpi/acpica/dsopcode.c b/drivers/acpi/acpica/dsopcode.c
+index e9fb0bf3c8d2..78f9de260d5f 100644
+--- a/drivers/acpi/acpica/dsopcode.c
++++ b/drivers/acpi/acpica/dsopcode.c
+@@ -417,6 +417,10 @@ acpi_ds_eval_region_operands(struct acpi_walk_state *walk_state,
+ ACPI_FORMAT_UINT64(obj_desc->region.address),
+ obj_desc->region.length));
+
++ status = acpi_ut_add_address_range(obj_desc->region.space_id,
++ obj_desc->region.address,
++ obj_desc->region.length, node);
++
+ /* Now the address and length are valid for this opregion */
+
+ obj_desc->region.flags |= AOPOBJ_DATA_VALID;
+--
+2.16.4
+
diff --git a/patches.fixes/ACPICA-Namespace-remove-address-node-from-global-lis.patch b/patches.fixes/ACPICA-Namespace-remove-address-node-from-global-lis.patch
new file mode 100644
index 0000000000..a60359796c
--- /dev/null
+++ b/patches.fixes/ACPICA-Namespace-remove-address-node-from-global-lis.patch
@@ -0,0 +1,66 @@
+From c5781ffbbd4f742a58263458145fe7f0ac01d9e0 Mon Sep 17 00:00:00 2001
+From: Erik Schmauss <erik.schmauss@intel.com>
+Date: Mon, 8 Apr 2019 13:42:26 -0700
+Subject: [PATCH] ACPICA: Namespace: remove address node from global list after method termination
+Git-commit: c5781ffbbd4f742a58263458145fe7f0ac01d9e0
+Patch-mainline: v5.1-rc5
+References: bsc#1051510
+
+ACPICA commit b233720031a480abd438f2e9c643080929d144c3
+
+ASL operation_regions declare a range of addresses that it uses. In a
+perfect world, the range of addresses should be used exclusively by
+the AML interpreter. The OS can use this information to decide which
+drivers to load so that the AML interpreter and device drivers use
+different regions of memory.
+
+During table load, the address information is added to a global
+address range list. Each node in this list contains an address range
+as well as a namespace node of the operation_region. This list is
+deleted at ACPI shutdown.
+
+Unfortunately, ASL operation_regions can be declared inside of control
+methods. Although this is not recommended, modern firmware contains
+such code. New module level code changes unintentionally removed the
+functionality of adding and removing nodes to the global address
+range list.
+
+A few months ago, support for adding addresses has been re-
+implemented. However, the removal of the address range list was
+missed and resulted in some systems to crash due to the address list
+containing bogus namespace nodes from operation_regions declared in
+control methods. In order to fix the crash, this change removes
+dynamic operation_regions after control method termination.
+
+Link: https://github.com/acpica/acpica/commit/b2337200
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=202475
+Fixes: 4abb951b73ff ("ACPICA: AML interpreter: add region addresses in global list during initialization")
+Reported-by: Michael J Gruber <mjg@fedoraproject.org>
+Signed-off-by: Erik Schmauss <erik.schmauss@intel.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Cc: 4.20+ <stable@vger.kernel.org> # 4.20+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/acpica/nsobject.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/acpi/acpica/nsobject.c b/drivers/acpi/acpica/nsobject.c
+index 8638f43cfc3d..79d86da1c892 100644
+--- a/drivers/acpi/acpica/nsobject.c
++++ b/drivers/acpi/acpica/nsobject.c
+@@ -186,6 +186,10 @@ void acpi_ns_detach_object(struct acpi_namespace_node *node)
+ }
+ }
+
++ if (obj_desc->common.type == ACPI_TYPE_REGION) {
++ acpi_ut_remove_address_range(obj_desc->region.space_id, node);
++ }
++
+ /* Clear the Node entry in all cases */
+
+ node->object = NULL;
+--
+2.16.4
+
diff --git a/patches.fixes/appletalk-Fix-compile-regression.patch b/patches.fixes/appletalk-Fix-compile-regression.patch
new file mode 100644
index 0000000000..bb0bdee640
--- /dev/null
+++ b/patches.fixes/appletalk-Fix-compile-regression.patch
@@ -0,0 +1,71 @@
+From 27da0d2ef998e222a876c0cec72aa7829a626266 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 6 Mar 2019 11:52:36 +0100
+Subject: [PATCH] appletalk: Fix compile regression
+Git-commit: 27da0d2ef998e222a876c0cec72aa7829a626266
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+A bugfix just broke compilation of appletalk when CONFIG_SYSCTL
+is disabled:
+
+In file included from net/appletalk/ddp.c:65:
+Net/appletalk/ddp.c: In function 'atalk_init':
+include/linux/atalk.h:164:34: error: expected expression before 'do'
+ #define atalk_register_sysctl() do { } while(0)
+ ^~
+net/appletalk/ddp.c:1934:7: note: in expansion of macro 'atalk_register_sysctl'
+ rc = atalk_register_sysctl();
+
+This is easier to avoid by using conventional inline functions
+as stubs rather than macros. The header already has inline
+functions for other purposes, so I'm changing over all the
+macros for consistency.
+
+Fixes: 6377f787aeb9 ("appletalk: Fix use-after-free in atalk_proc_exit")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ include/linux/atalk.h | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/atalk.h b/include/linux/atalk.h
+index 5a90f28d5ff2..d5cfc0b15b76 100644
+--- a/include/linux/atalk.h
++++ b/include/linux/atalk.h
+@@ -161,16 +161,26 @@ extern int sysctl_aarp_resolve_time;
+ extern int atalk_register_sysctl(void);
+ extern void atalk_unregister_sysctl(void);
+ #else
+-#define atalk_register_sysctl() do { } while(0)
+-#define atalk_unregister_sysctl() do { } while(0)
++static inline int atalk_register_sysctl(void)
++{
++ return 0;
++}
++static inline void atalk_unregister_sysctl(void)
++{
++}
+ #endif
+
+ #ifdef CONFIG_PROC_FS
+ extern int atalk_proc_init(void);
+ extern void atalk_proc_exit(void);
+ #else
+-#define atalk_proc_init() ({ 0; })
+-#define atalk_proc_exit() do { } while(0)
++static inline int atalk_proc_init(void)
++{
++ return 0;
++}
++static inline void atalk_proc_exit(void)
++{
++}
+ #endif /* CONFIG_PROC_FS */
+
+ #endif /* __LINUX_ATALK_H__ */
+--
+2.16.4
+
diff --git a/patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch b/patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch
new file mode 100644
index 0000000000..8bb642942b
--- /dev/null
+++ b/patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch
@@ -0,0 +1,204 @@
+From 6377f787aeb945cae7abbb6474798de129e1f3ac Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Fri, 1 Mar 2019 10:57:57 +0800
+Subject: [PATCH] appletalk: Fix use-after-free in atalk_proc_exit
+Git-commit: 6377f787aeb945cae7abbb6474798de129e1f3ac
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+KASAN report this:
+
+Bug: KASAN: use-after-free in pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71
+Read of size 8 at addr ffff8881f41fe5b0 by task syz-executor.0/2806
+
+Cpu: 0 PID: 2806 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71
+ remove_proc_entry+0xe8/0x420 fs/proc/generic.c:667
+ atalk_proc_exit+0x18/0x820 [appletalk]
+ atalk_exit+0xf/0x5a [appletalk]
+ __do_sys_delete_module kernel/module.c:1018 [inline]
+ __se_sys_delete_module kernel/module.c:961 [inline]
+ __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+Rip: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+Rsp: 002b:00007fb2de6b9c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
+Rax: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+Rdx: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200001c0
+Rbp: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb2de6ba6bc
+R13: 00000000004bccaa R14: 00000000006f6bc8 R15: 00000000ffffffff
+
+Allocated by task 2806:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
+ slab_post_alloc_hook mm/slab.h:444 [inline]
+ slab_alloc_node mm/slub.c:2739 [inline]
+ slab_alloc mm/slub.c:2747 [inline]
+ kmem_cache_alloc+0xcf/0x250 mm/slub.c:2752
+ kmem_cache_zalloc include/linux/slab.h:730 [inline]
+ __proc_create+0x30f/0xa20 fs/proc/generic.c:408
+ proc_mkdir_data+0x47/0x190 fs/proc/generic.c:469
+ 0xffffffffc10c01bb
+ 0xffffffffc10c0166
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 2806:
+ set_track mm/kasan/common.c:85 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
+ slab_free_hook mm/slub.c:1409 [inline]
+ slab_free_freelist_hook mm/slub.c:1436 [inline]
+ slab_free mm/slub.c:2986 [inline]
+ kmem_cache_free+0xa6/0x2a0 mm/slub.c:3002
+ pde_put+0x6e/0x80 fs/proc/generic.c:647
+ remove_proc_entry+0x1d3/0x420 fs/proc/generic.c:684
+ 0xffffffffc10c031c
+ 0xffffffffc10c0166
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8881f41fe500
+ which belongs to the cache proc_dir_entry of size 256
+The buggy address is located 176 bytes inside of
+ 256-byte region [ffff8881f41fe500, ffff8881f41fe600)
+The buggy address belongs to the page:
+page:ffffea0007d07f80 count:1 mapcount:0 mapping:ffff8881f6e69a00 index:0x0
+Flags: 0x2fffc0000000200(slab)
+Raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6e69a00
+Raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881f41fe480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff8881f41fe500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff8881f41fe580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881f41fe600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8881f41fe680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+It should check the return value of atalk_proc_init fails,
+otherwise atalk_exit will trgger use-after-free in pde_subdir_find
+while unload the module.This patch fix error cleanup path of atalk_init
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ include/linux/atalk.h | 2 +-
+ net/appletalk/atalk_proc.c | 2 +-
+ net/appletalk/ddp.c | 37 +++++++++++++++++++++++++++++++------
+ net/appletalk/sysctl_net_atalk.c | 5 ++++-
+ 4 files changed, 37 insertions(+), 9 deletions(-)
+
+--- a/include/linux/atalk.h
++++ b/include/linux/atalk.h
+@@ -150,7 +150,7 @@ extern int sysctl_aarp_retransmit_limit;
+ extern int sysctl_aarp_resolve_time;
+
+ #ifdef CONFIG_SYSCTL
+-extern void atalk_register_sysctl(void);
++extern int atalk_register_sysctl(void);
+ extern void atalk_unregister_sysctl(void);
+ #else
+ #define atalk_register_sysctl() do { } while(0)
+--- a/net/appletalk/atalk_proc.c
++++ b/net/appletalk/atalk_proc.c
+@@ -293,7 +293,7 @@ out_interface:
+ goto out;
+ }
+
+-void __exit atalk_proc_exit(void)
++void atalk_proc_exit(void)
+ {
+ remove_proc_entry("interface", atalk_proc_dir);
+ remove_proc_entry("route", atalk_proc_dir);
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1912,12 +1912,16 @@ static const char atalk_err_snap[] __ini
+ /* Called by proto.c on kernel start up */
+ static int __init atalk_init(void)
+ {
+- int rc = proto_register(&ddp_proto, 0);
++ int rc;
+
+- if (rc != 0)
++ rc = proto_register(&ddp_proto, 0);
++ if (rc)
+ goto out;
+
+- (void)sock_register(&atalk_family_ops);
++ rc = sock_register(&atalk_family_ops);
++ if (rc)
++ goto out_proto;
++
+ ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
+ if (!ddp_dl)
+ printk(atalk_err_snap);
+@@ -1925,12 +1929,33 @@ static int __init atalk_init(void)
+ dev_add_pack(&ltalk_packet_type);
+ dev_add_pack(&ppptalk_packet_type);
+
+- register_netdevice_notifier(&ddp_notifier);
++ rc = register_netdevice_notifier(&ddp_notifier);
++ if (rc)
++ goto out_sock;
++
+ aarp_proto_init();
+- atalk_proc_init();
+- atalk_register_sysctl();
++ rc = atalk_proc_init();
++ if (rc)
++ goto out_aarp;
++
++ rc = atalk_register_sysctl();
++ if (rc)
++ goto out_proc;
+ out:
+ return rc;
++out_proc:
++ atalk_proc_exit();
++out_aarp:
++ aarp_cleanup_module();
++ unregister_netdevice_notifier(&ddp_notifier);
++out_sock:
++ dev_remove_pack(&ppptalk_packet_type);
++ dev_remove_pack(&ltalk_packet_type);
++ unregister_snap_client(ddp_dl);
++ sock_unregister(PF_APPLETALK);
++out_proto:
++ proto_unregister(&ddp_proto);
++ goto out;
+ }
+ module_init(atalk_init);
+
+--- a/net/appletalk/sysctl_net_atalk.c
++++ b/net/appletalk/sysctl_net_atalk.c
+@@ -44,9 +44,12 @@ static struct ctl_table atalk_table[] =
+
+ static struct ctl_table_header *atalk_table_header;
+
+-void atalk_register_sysctl(void)
++int __init atalk_register_sysctl(void)
+ {
+ atalk_table_header = register_net_sysctl(&init_net, "net/appletalk", atalk_table);
++ if (!atalk_table_header)
++ return -ENOMEM;
++ return 0;
+ }
+
+ void atalk_unregister_sysctl(void)
diff --git a/patches.fixes/configfs-fix-possible-use-after-free-in-configfs_reg.patch b/patches.fixes/configfs-fix-possible-use-after-free-in-configfs_reg.patch
new file mode 100644
index 0000000000..d1317a9a1e
--- /dev/null
+++ b/patches.fixes/configfs-fix-possible-use-after-free-in-configfs_reg.patch
@@ -0,0 +1,134 @@
+From 35399f87e271f7cf3048eab00a421a6519ac8441 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Sun, 5 May 2019 11:03:12 +0800
+Subject: [PATCH] configfs: fix possible use-after-free in configfs_register_group
+Git-commit: 35399f87e271f7cf3048eab00a421a6519ac8441
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+In configfs_register_group(), if create_default_group() failed, we
+forget to unlink the group. It will left a invalid item in the parent list,
+which may trigger the use-after-free issue seen below:
+
+Bug: KASAN: use-after-free in __list_add_valid+0xd4/0xe0 lib/list_debug.c:26
+Read of size 8 at addr ffff8881ef61ae20 by task syz-executor.0/5996
+
+Cpu: 1 PID: 5996 Comm: syz-executor.0 Tainted: G C 5.0.0+ #5
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xa9/0x10e lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ __list_add_valid+0xd4/0xe0 lib/list_debug.c:26
+ __list_add include/linux/list.h:60 [inline]
+ list_add_tail include/linux/list.h:93 [inline]
+ link_obj+0xb0/0x190 fs/configfs/dir.c:759
+ link_group+0x1c/0x130 fs/configfs/dir.c:784
+ configfs_register_group+0x56/0x1e0 fs/configfs/dir.c:1751
+ configfs_register_default_group+0x72/0xc0 fs/configfs/dir.c:1834
+ ? 0xffffffffc1be0000
+ iio_sw_trigger_init+0x23/0x1000 [industrialio_sw_trigger]
+ do_one_initcall+0xbc/0x47d init/main.c:887
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+Rip: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+Rsp: 002b:00007f494ecbcc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+Rax: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+Rdx: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
+Rbp: 00007f494ecbcc70 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f494ecbd6bc
+R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
+
+Allocated by task 5987:
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:497
+ kmalloc include/linux/slab.h:545 [inline]
+ kzalloc include/linux/slab.h:740 [inline]
+ configfs_register_default_group+0x4c/0xc0 fs/configfs/dir.c:1829
+ 0xffffffffc1bd0023
+ do_one_initcall+0xbc/0x47d init/main.c:887
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 5987:
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
+ slab_free_hook mm/slub.c:1429 [inline]
+ slab_free_freelist_hook mm/slub.c:1456 [inline]
+ slab_free mm/slub.c:3003 [inline]
+ kfree+0xe1/0x270 mm/slub.c:3955
+ configfs_register_default_group+0x9a/0xc0 fs/configfs/dir.c:1836
+ 0xffffffffc1bd0023
+ do_one_initcall+0xbc/0x47d init/main.c:887
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8881ef61ae00
+ which belongs to the cache kmalloc-192 of size 192
+The buggy address is located 32 bytes inside of
+ 192-byte region [ffff8881ef61ae00, ffff8881ef61aec0)
+The buggy address belongs to the page:
+page:ffffea0007bd8680 count:1 mapcount:0 mapping:ffff8881f6c03000 index:0xffff8881ef61a700
+Flags: 0x2fffc0000000200(slab)
+Raw: 02fffc0000000200 ffffea0007ca4740 0000000500000005 ffff8881f6c03000
+Raw: ffff8881ef61a700 000000008010000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881ef61ad00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8881ef61ad80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
+>ffff8881ef61ae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881ef61ae80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8881ef61af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: 5cf6a51e6062 ("configfs: allow dynamic group creation")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/configfs/dir.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
+index 39843fa7e11b..920d350df37b 100644
+--- a/fs/configfs/dir.c
++++ b/fs/configfs/dir.c
+@@ -1755,12 +1755,19 @@ int configfs_register_group(struct config_group *parent_group,
+
+ inode_lock_nested(d_inode(parent), I_MUTEX_PARENT);
+ ret = create_default_group(parent_group, group);
+- if (!ret) {
+- spin_lock(&configfs_dirent_lock);
+- configfs_dir_set_ready(group->cg_item.ci_dentry->d_fsdata);
+- spin_unlock(&configfs_dirent_lock);
+- }
++ if (ret)
++ goto err_out;
++
++ spin_lock(&configfs_dirent_lock);
++ configfs_dir_set_ready(group->cg_item.ci_dentry->d_fsdata);
++ spin_unlock(&configfs_dirent_lock);
++ inode_unlock(d_inode(parent));
++ return 0;
++err_out:
+ inode_unlock(d_inode(parent));
++ mutex_lock(&subsys->su_mutex);
++ unlink_group(group);
++ mutex_unlock(&subsys->su_mutex);
+ return ret;
+ }
+ EXPORT_SYMBOL(configfs_register_group);
+--
+2.16.4
+
diff --git a/patches.fixes/crypto-caam-fix-caam_dump_sg-that-iterates-through-s.patch b/patches.fixes/crypto-caam-fix-caam_dump_sg-that-iterates-through-s.patch
new file mode 100644
index 0000000000..9eb3e1cf24
--- /dev/null
+++ b/patches.fixes/crypto-caam-fix-caam_dump_sg-that-iterates-through-s.patch
@@ -0,0 +1,40 @@
+From 8c65d35435e8cbfdf953cafe5ebe3648ee9276a2 Mon Sep 17 00:00:00 2001
+From: Iuliana Prodan <iuliana.prodan@nxp.com>
+Date: Tue, 7 May 2019 16:37:03 +0300
+Subject: [PATCH] crypto: caam - fix caam_dump_sg that iterates through scatterlist
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 8c65d35435e8cbfdf953cafe5ebe3648ee9276a2
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+Fix caam_dump_sg by correctly determining the next scatterlist
+entry in the list.
+
+Fixes: 5ecf8ef9103c ("crypto: caam - fix sg dump")
+Signed-off-by: Iuliana Prodan <iuliana.prodan@nxp.com>
+Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/crypto/caam/error.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/caam/error.c b/drivers/crypto/caam/error.c
+index a4129a35a330..4da844e4b61d 100644
+--- a/drivers/crypto/caam/error.c
++++ b/drivers/crypto/caam/error.c
+@@ -22,7 +22,7 @@ void caam_dump_sg(const char *level, const char *prefix_str, int prefix_type,
+ size_t len;
+ void *buf;
+
+- for (it = sg; it && tlen > 0 ; it = sg_next(sg)) {
++ for (it = sg; it && tlen > 0 ; it = sg_next(it)) {
+ /*
+ * make sure the scatterlist's page
+ * has a valid virtual memory mapping
+--
+2.16.4
+
diff --git a/patches.fixes/devres-Align-data-to-ARCH_KMALLOC_MINALIGN.patch b/patches.fixes/devres-Align-data-to-ARCH_KMALLOC_MINALIGN.patch
new file mode 100644
index 0000000000..97316dd307
--- /dev/null
+++ b/patches.fixes/devres-Align-data-to-ARCH_KMALLOC_MINALIGN.patch
@@ -0,0 +1,62 @@
+From a66d972465d15b1d89281258805eb8b47d66bd36 Mon Sep 17 00:00:00 2001
+From: Alexey Brodkin <alexey.brodkin@synopsys.com>
+Date: Wed, 31 Oct 2018 18:25:47 +0300
+Subject: [PATCH] devres: Align data[] to ARCH_KMALLOC_MINALIGN
+Git-commit: a66d972465d15b1d89281258805eb8b47d66bd36
+Patch-mainline: v4.20-rc5
+References: bsc#1051510
+
+Initially we bumped into problem with 32-bit aligned atomic64_t
+on ARC, see [1]. And then during quite lengthly discussion Peter Z.
+mentioned ARCH_KMALLOC_MINALIGN which IMHO makes perfect sense.
+If allocation is done by plain kmalloc() obtained buffer will be
+ARCH_KMALLOC_MINALIGN aligned and then why buffer obtained via
+devm_kmalloc() should have any other alignment?
+
+This way we at least get the same behavior for both types of
+allocation.
+
+[1] http://lists.infradead.org/pipermail/linux-snps-arc/2018-July/004009.html
+[2] http://lists.infradead.org/pipermail/linux-snps-arc/2018-July/004036.html
+
+Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: David Laight <David.Laight@ACULAB.COM>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vineet Gupta <vgupta@synopsys.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Greg KH <greg@kroah.com>
+Cc: <stable@vger.kernel.org> # 4.8+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/base/devres.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/base/devres.c b/drivers/base/devres.c
+index 4aaf00d2098b..e038e2b3b7ea 100644
+--- a/drivers/base/devres.c
++++ b/drivers/base/devres.c
+@@ -26,8 +26,14 @@ struct devres_node {
+
+ struct devres {
+ struct devres_node node;
+- /* -- 3 pointers */
+- unsigned long long data[]; /* guarantee ull alignment */
++ /*
++ * Some archs want to perform DMA into kmalloc caches
++ * and need a guaranteed alignment larger than
++ * the alignment of a 64-bit integer.
++ * Thus we use ARCH_KMALLOC_MINALIGN here and get exactly the same
++ * buffer alignment as if it was allocated by plain kmalloc().
++ */
++ u8 __aligned(ARCH_KMALLOC_MINALIGN) data[];
+ };
+
+ struct devres_group {
+--
+2.16.4
+
diff --git a/patches.fixes/mISDN-Check-address-length-before-reading-address-fa.patch b/patches.fixes/mISDN-Check-address-length-before-reading-address-fa.patch
new file mode 100644
index 0000000000..81d467cd9f
--- /dev/null
+++ b/patches.fixes/mISDN-Check-address-length-before-reading-address-fa.patch
@@ -0,0 +1,39 @@
+From 238ffdc49ef98b15819cfd5e3fb23194e3ea3d39 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 12 Apr 2019 19:52:36 +0900
+Subject: [PATCH] mISDN: Check address length before reading address family
+Git-commit: 238ffdc49ef98b15819cfd5e3fb23194e3ea3d39
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+KMSAN will complain if valid address length passed to bind() is shorter
+than sizeof("struct sockaddr_mISDN"->family) bytes.
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/isdn/mISDN/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c
+index 4ab8b1b6608f..a14e35d40538 100644
+--- a/drivers/isdn/mISDN/socket.c
++++ b/drivers/isdn/mISDN/socket.c
+@@ -710,10 +710,10 @@ base_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
+ struct sock *sk = sock->sk;
+ int err = 0;
+
+- if (!maddr || maddr->family != AF_ISDN)
++ if (addr_len < sizeof(struct sockaddr_mISDN))
+ return -EINVAL;
+
+- if (addr_len < sizeof(struct sockaddr_mISDN))
++ if (!maddr || maddr->family != AF_ISDN)
+ return -EINVAL;
+
+ lock_sock(sk);
+--
+2.16.4
+
diff --git a/patches.fixes/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch b/patches.fixes/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch
new file mode 100644
index 0000000000..cf21e90f94
--- /dev/null
+++ b/patches.fixes/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch
@@ -0,0 +1,49 @@
+From eb9b64e3a9f8483e6e54f4e03b2ae14ae5db2690 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Sat, 16 Mar 2019 18:06:31 +0100
+Subject: [PATCH] mac80211: fix memory accounting with A-MSDU aggregation
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: eb9b64e3a9f8483e6e54f4e03b2ae14ae5db2690
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+skb->truesize can change due to memory reallocation or when adding extra
+fragments. Adjust fq->memory_usage accordingly
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/mac80211/tx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3118,6 +3118,7 @@ static bool ieee80211_amsdu_aggregate(st
+ u8 max_subframes = sta->sta.max_amsdu_subframes;
+ int max_frags = local->hw.max_tx_fragments;
+ int max_amsdu_len = sta->sta.max_amsdu_len;
++ int orig_truesize;
+ __be16 len;
+ void *data;
+ bool ret = false;
+@@ -3151,6 +3152,7 @@ static bool ieee80211_amsdu_aggregate(st
+ if (!head)
+ goto out;
+
++ orig_truesize = head->truesize;
+ orig_len = head->len;
+
+ if (skb->len + head->len > max_amsdu_len)
+@@ -3205,6 +3207,7 @@ static bool ieee80211_amsdu_aggregate(st
+ *frag_tail = skb;
+
+ out_recalc:
++ fq->memory_usage += head->truesize - orig_truesize;
+ if (head->len != orig_len) {
+ flow->backlog += head->len - orig_len;
+ tin->backlog_bytes += head->len - orig_len;
diff --git a/patches.fixes/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch b/patches.fixes/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch
new file mode 100644
index 0000000000..24494157bd
--- /dev/null
+++ b/patches.fixes/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch
@@ -0,0 +1,35 @@
+From 40586e3fc400c00c11151804dcdc93f8c831c808 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Wed, 13 Mar 2019 18:54:27 +0100
+Subject: [PATCH] mac80211: fix unaligned access in mesh table hash function
+Git-commit: 40586e3fc400c00c11151804dcdc93f8c831c808
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+The pointer to the last four bytes of the address is not guaranteed to be
+aligned, so we need to use __get_unaligned_cpu32 here
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/mac80211/mesh_pathtbl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
+index 95eb5064fa91..b76a2aefa9ec 100644
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -23,7 +23,7 @@ static void mesh_path_free_rcu(struct mesh_table *tbl, struct mesh_path *mpath);
+ static u32 mesh_table_hash(const void *addr, u32 len, u32 seed)
+ {
+ /* Use last four bytes of hw addr as hash index */
+- return jhash_1word(*(u32 *)(addr+2), seed);
++ return jhash_1word(__get_unaligned_cpu32((u8 *)addr + 2), seed);
+ }
+
+ static const struct rhashtable_params mesh_rht_params = {
+--
+2.16.4
+
diff --git a/patches.fixes/nl80211-Add-NL80211_FLAG_CLEAR_SKB-flag-for-other-NL.patch b/patches.fixes/nl80211-Add-NL80211_FLAG_CLEAR_SKB-flag-for-other-NL.patch
new file mode 100644
index 0000000000..bff32a3c7b
--- /dev/null
+++ b/patches.fixes/nl80211-Add-NL80211_FLAG_CLEAR_SKB-flag-for-other-NL.patch
@@ -0,0 +1,85 @@
+From d6db02a88a4aaa1cd7105137c67ddec7f3bdbc05 Mon Sep 17 00:00:00 2001
+From: Sunil Dutt <usdutt@codeaurora.org>
+Date: Mon, 25 Feb 2019 15:37:20 +0530
+Subject: [PATCH] nl80211: Add NL80211_FLAG_CLEAR_SKB flag for other NL commands
+Git-commit: d6db02a88a4aaa1cd7105137c67ddec7f3bdbc05
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+This commit adds NL80211_FLAG_CLEAR_SKB flag to other NL commands
+that carry key data to ensure they do not stick around on heap
+after the SKB is freed.
+
+Also introduced this flag for NL80211_CMD_VENDOR as there are sub
+commands which configure the keys.
+
+Signed-off-by: Sunil Dutt <usdutt@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/wireless/nl80211.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -12682,7 +12682,8 @@ static const struct genl_ops nl80211_ops
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_DEAUTHENTICATE,
+@@ -12733,7 +12734,8 @@ static const struct genl_ops nl80211_ops
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
+@@ -12741,7 +12743,8 @@ static const struct genl_ops nl80211_ops
+ .policy = nl80211_policy,
+ .flags = GENL_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_DISCONNECT,
+@@ -12770,7 +12773,8 @@ static const struct genl_ops nl80211_ops
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_DEL_PMKSA,
+@@ -13122,7 +13126,8 @@ static const struct genl_ops nl80211_ops
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_WIPHY |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_SET_QOS_MAP,
+@@ -13162,7 +13167,8 @@ static const struct genl_ops nl80211_ops
+ .policy = nl80211_policy,
+ .flags = GENL_UNS_ADMIN_PERM,
+ .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+- NL80211_FLAG_NEED_RTNL,
++ NL80211_FLAG_NEED_RTNL |
++ NL80211_FLAG_CLEAR_SKB,
+ },
+ {
+ .cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
diff --git a/patches.fixes/team-set-slave-to-promisc-if-team-is-already-in-prom.patch b/patches.fixes/team-set-slave-to-promisc-if-team-is-already-in-prom.patch
new file mode 100644
index 0000000000..78382650bd
--- /dev/null
+++ b/patches.fixes/team-set-slave-to-promisc-if-team-is-already-in-prom.patch
@@ -0,0 +1,78 @@
+From 43c2adb9df7ddd6560fd3546d925b42cef92daa0 Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Mon, 8 Apr 2019 16:45:17 +0800
+Subject: [PATCH] team: set slave to promisc if team is already in promisc mode
+Git-commit: 43c2adb9df7ddd6560fd3546d925b42cef92daa0
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+After adding a team interface to bridge, the team interface will enter
+promisc mode. Then if we add a new slave to team0, the slave will keep
+promisc off. Fix it by setting slave to promisc on if team master is
+already in promisc mode, also do the same for allmulti.
+
+V2: add promisc and allmulti checking when delete ports
+
+Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/team/team.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index 6ed96fdfd96d..9ce61b019aad 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1246,6 +1246,23 @@ static int team_port_add(struct team *team, struct net_device *port_dev,
+ goto err_option_port_add;
+ }
+
++ /* set promiscuity level to new slave */
++ if (dev->flags & IFF_PROMISC) {
++ err = dev_set_promiscuity(port_dev, 1);
++ if (err)
++ goto err_set_slave_promisc;
++ }
++
++ /* set allmulti level to new slave */
++ if (dev->flags & IFF_ALLMULTI) {
++ err = dev_set_allmulti(port_dev, 1);
++ if (err) {
++ if (dev->flags & IFF_PROMISC)
++ dev_set_promiscuity(port_dev, -1);
++ goto err_set_slave_promisc;
++ }
++ }
++
+ netif_addr_lock_bh(dev);
+ dev_uc_sync_multiple(port_dev, dev);
+ dev_mc_sync_multiple(port_dev, dev);
+@@ -1262,6 +1279,9 @@ static int team_port_add(struct team *team, struct net_device *port_dev,
+
+ return 0;
+
++err_set_slave_promisc:
++ __team_option_inst_del_port(team, port);
++
+ err_option_port_add:
+ team_upper_dev_unlink(team, port);
+
+@@ -1307,6 +1327,12 @@ static int team_port_del(struct team *team, struct net_device *port_dev)
+
+ team_port_disable(team, port);
+ list_del_rcu(&port->list);
++
++ if (dev->flags & IFF_PROMISC)
++ dev_set_promiscuity(port_dev, -1);
++ if (dev->flags & IFF_ALLMULTI)
++ dev_set_allmulti(port_dev, -1);
++
+ team_upper_dev_unlink(team, port);
+ netdev_rx_handler_unregister(port_dev);
+ team_port_disable_netpoll(port);
+--
+2.16.4
+
diff --git a/patches.fixes/vt-always-call-notifier-with-the-console-lock-held.patch b/patches.fixes/vt-always-call-notifier-with-the-console-lock-held.patch
new file mode 100644
index 0000000000..59e2139795
--- /dev/null
+++ b/patches.fixes/vt-always-call-notifier-with-the-console-lock-held.patch
@@ -0,0 +1,32 @@
+From 7e1d226345f89ad5d0216a9092c81386c89b4983 Mon Sep 17 00:00:00 2001
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+Date: Tue, 8 Jan 2019 22:55:00 -0500
+Subject: [PATCH] vt: always call notifier with the console lock held
+Git-commit: 7e1d226345f89ad5d0216a9092c81386c89b4983
+Patch-mainline: v5.0-rc4
+References: bsc#1051510
+
+Every invocation of notify_write() and notify_update() is performed
+under the console lock, except for one case. Let's fix that.
+
+Signed-off-by: Nicolas Pitre <nico@linaro.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/tty/vt/vt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -2435,8 +2435,8 @@ rescan_last_byte:
+ }
+ con_flush(vc, draw_from, draw_to, &draw_x);
+ console_conditional_schedule();
+- console_unlock();
+ notify_update(vc);
++ console_unlock();
+ return n;
+ }
+
diff --git a/patches.fixes/xfs-add-log-item-pinning-error-injection-tag.patch b/patches.fixes/xfs-add-log-item-pinning-error-injection-tag.patch
new file mode 100644
index 0000000000..47768954c7
--- /dev/null
+++ b/patches.fixes/xfs-add-log-item-pinning-error-injection-tag.patch
@@ -0,0 +1,120 @@
+From 7f4d01f36a3ac16f539f0fd3839de5d58fa4940f Mon Sep 17 00:00:00 2001
+From: Brian Foster <bfoster@redhat.com>
+Date: Tue, 8 Aug 2017 18:21:52 -0700
+Subject: [PATCH] xfs: add log item pinning error injection tag
+Git-commit: 7f4d01f36a3ac16f539f0fd3839de5d58fa4940f
+Patch-mainline: v4.14-rc1
+References: bsc#1114427
+
+Add an error injection tag to force log items in the AIL to the
+pinned state. This option can be used by test infrastructure to
+induce head behind tail conditions. Specifically, this is intended
+to be used by xfstests to reproduce log recovery problems after
+failed/corrupted log writes overwrite the last good tail LSN in the
+log.
+
+When enabled, AIL push attempts see log items in the AIL in the
+pinned state. This stalls metadata writeback and thus prevents the
+current tail of the log from moving forward. When disabled,
+subsequent AIL pushes observe the log items in their appropriate
+state and filesystem operation continues as normal.
+
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_error.c | 3 +++
+ fs/xfs/xfs_error.h | 4 +++-
+ fs/xfs/xfs_trans_ail.c | 17 ++++++++++++++++-
+ 3 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/fs/xfs/xfs_error.c b/fs/xfs/xfs_error.c
+index 2f4feb959bfb..bd786a9ac2c3 100644
+--- a/fs/xfs/xfs_error.c
++++ b/fs/xfs/xfs_error.c
+@@ -57,6 +57,7 @@ static unsigned int xfs_errortag_random_default[] = {
+ XFS_RANDOM_AG_RESV_CRITICAL,
+ XFS_RANDOM_DROP_WRITES,
+ XFS_RANDOM_LOG_BAD_CRC,
++ XFS_RANDOM_LOG_ITEM_PIN,
+ };
+
+ struct xfs_errortag_attr {
+@@ -161,6 +162,7 @@ XFS_ERRORTAG_ATTR_RW(bmap_finish_one, XFS_ERRTAG_BMAP_FINISH_ONE);
+ XFS_ERRORTAG_ATTR_RW(ag_resv_critical, XFS_ERRTAG_AG_RESV_CRITICAL);
+ XFS_ERRORTAG_ATTR_RW(drop_writes, XFS_ERRTAG_DROP_WRITES);
+ XFS_ERRORTAG_ATTR_RW(log_bad_crc, XFS_ERRTAG_LOG_BAD_CRC);
++XFS_ERRORTAG_ATTR_RW(log_item_pin, XFS_ERRTAG_LOG_ITEM_PIN);
+
+ static struct attribute *xfs_errortag_attrs[] = {
+ XFS_ERRORTAG_ATTR_LIST(noerror),
+@@ -193,6 +195,7 @@ static struct attribute *xfs_errortag_attrs[] = {
+ XFS_ERRORTAG_ATTR_LIST(ag_resv_critical),
+ XFS_ERRORTAG_ATTR_LIST(drop_writes),
+ XFS_ERRORTAG_ATTR_LIST(log_bad_crc),
++ XFS_ERRORTAG_ATTR_LIST(log_item_pin),
+ NULL,
+ };
+
+diff --git a/fs/xfs/xfs_error.h b/fs/xfs/xfs_error.h
+index 7577be5f09bc..7c4bef3bddb7 100644
+--- a/fs/xfs/xfs_error.h
++++ b/fs/xfs/xfs_error.h
+@@ -106,7 +106,8 @@ extern void xfs_verifier_error(struct xfs_buf *bp);
+ */
+ #define XFS_ERRTAG_DROP_WRITES 28
+ #define XFS_ERRTAG_LOG_BAD_CRC 29
+-#define XFS_ERRTAG_MAX 30
++#define XFS_ERRTAG_LOG_ITEM_PIN 30
++#define XFS_ERRTAG_MAX 31
+
+ /*
+ * Random factors for above tags, 1 means always, 2 means 1/2 time, etc.
+@@ -141,6 +142,7 @@ extern void xfs_verifier_error(struct xfs_buf *bp);
+ #define XFS_RANDOM_AG_RESV_CRITICAL 4
+ #define XFS_RANDOM_DROP_WRITES 1
+ #define XFS_RANDOM_LOG_BAD_CRC 1
++#define XFS_RANDOM_LOG_ITEM_PIN 1
+
+ #ifdef DEBUG
+ extern int xfs_errortag_init(struct xfs_mount *mp);
+diff --git a/fs/xfs/xfs_trans_ail.c b/fs/xfs/xfs_trans_ail.c
+index 70f5ab017323..354368a906e5 100644
+--- a/fs/xfs/xfs_trans_ail.c
++++ b/fs/xfs/xfs_trans_ail.c
+@@ -325,6 +325,21 @@ xfs_ail_delete(
+ xfs_trans_ail_cursor_clear(ailp, lip);
+ }
+
++static inline uint
++xfsaild_push_item(
++ struct xfs_ail *ailp,
++ struct xfs_log_item *lip)
++{
++ /*
++ * If log item pinning is enabled, skip the push and track the item as
++ * pinned. This can help induce head-behind-tail conditions.
++ */
++ if (XFS_TEST_ERROR(false, ailp->xa_mount, XFS_ERRTAG_LOG_ITEM_PIN))
++ return XFS_ITEM_PINNED;
++
++ return lip->li_ops->iop_push(lip, &ailp->xa_buf_list);
++}
++
+ static long
+ xfsaild_push(
+ struct xfs_ail *ailp)
+@@ -382,7 +397,7 @@ xfsaild_push(
+ * rely on the AIL cursor implementation to be able to deal with
+ * the dropped lock.
+ */
+- lock_result = lip->li_ops->iop_push(lip, &ailp->xa_buf_list);
++ lock_result = xfsaild_push_item(ailp, lip);
+ switch (lock_result) {
+ case XFS_ITEM_SUCCESS:
+ XFS_STATS_INC(mp, xs_push_ail_success);
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-buffer-lru-reference-count-error-injection-tag.patch b/patches.fixes/xfs-buffer-lru-reference-count-error-injection-tag.patch
new file mode 100644
index 0000000000..8f22bc056d
--- /dev/null
+++ b/patches.fixes/xfs-buffer-lru-reference-count-error-injection-tag.patch
@@ -0,0 +1,137 @@
+From 7561d27e90fa0df0aac2a1d6b49c2a28eaae7026 Mon Sep 17 00:00:00 2001
+From: Brian Foster <bfoster@redhat.com>
+Date: Tue, 17 Oct 2017 14:16:29 -0700
+Subject: [PATCH] xfs: buffer lru reference count error injection tag
+Git-commit: 7561d27e90fa0df0aac2a1d6b49c2a28eaae7026
+Patch-mainline: v4.15-rc1
+References: bsc#1114427
+
+XFS uses a fixed reference count for certain types of buffers in the
+internal LRU cache. These reference counts dictate how aggressively
+certain buffers are reclaimed vs. others. While the reference counts
+implements priority across different buffer types, all buffers
+(other than uncached buffers) are typically cached for at least one
+reclaim cycle.
+
+We've had at least one bug recently that has been hidden by a
+released buffer sitting around in the LRU. Users hitting the problem
+were able to reproduce under enough memory pressure to cause
+aggressive reclaim in a particular window of time.
+
+To support future xfstests cases, add an error injection tag to
+hardcode the buffer reference count to zero. When enabled, this
+bypasses caching of associated buffers and facilitates test cases
+that depend on this behavior.
+
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_buf.c | 16 ++++++++++++++++
+ fs/xfs/xfs_buf.h | 5 +----
+ fs/xfs/xfs_error.c | 3 +++
+ fs/xfs/xfs_error.h | 4 +++-
+ 4 files changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
+index 2f97c12ca75e..d481dd2b29a6 100644
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -42,6 +42,7 @@
+ #include "xfs_mount.h"
+ #include "xfs_trace.h"
+ #include "xfs_log.h"
++#include "xfs_error.h"
+
+ static kmem_zone_t *xfs_buf_zone;
+
+@@ -2129,3 +2130,18 @@ xfs_buf_terminate(void)
+ {
+ kmem_zone_destroy(xfs_buf_zone);
+ }
++
++void xfs_buf_set_ref(struct xfs_buf *bp, int lru_ref)
++{
++ struct xfs_mount *mp = bp->b_target->bt_mount;
++
++ /*
++ * Set the lru reference count to 0 based on the error injection tag.
++ * This allows userspace to disrupt buffer caching for debug/testing
++ * purposes.
++ */
++ if (XFS_TEST_ERROR(false, mp, XFS_ERRTAG_BUF_LRU_REF))
++ lru_ref = 0;
++
++ atomic_set(&bp->b_lru_ref, lru_ref);
++}
+diff --git a/fs/xfs/xfs_buf.h b/fs/xfs/xfs_buf.h
+index bf71507ddb16..f873bb786824 100644
+--- a/fs/xfs/xfs_buf.h
++++ b/fs/xfs/xfs_buf.h
+@@ -352,10 +352,7 @@ extern void xfs_buf_terminate(void);
+ #define XFS_BUF_ADDR(bp) ((bp)->b_maps[0].bm_bn)
+ #define XFS_BUF_SET_ADDR(bp, bno) ((bp)->b_maps[0].bm_bn = (xfs_daddr_t)(bno))
+
+-static inline void xfs_buf_set_ref(struct xfs_buf *bp, int lru_ref)
+-{
+- atomic_set(&bp->b_lru_ref, lru_ref);
+-}
++void xfs_buf_set_ref(struct xfs_buf *bp, int lru_ref);
+
+ static inline int xfs_buf_ispinned(struct xfs_buf *bp)
+ {
+diff --git a/fs/xfs/xfs_error.c b/fs/xfs/xfs_error.c
+index eaf86f55b7f2..6732b0a0d826 100644
+--- a/fs/xfs/xfs_error.c
++++ b/fs/xfs/xfs_error.c
+@@ -58,6 +58,7 @@ static unsigned int xfs_errortag_random_default[] = {
+ XFS_RANDOM_DROP_WRITES,
+ XFS_RANDOM_LOG_BAD_CRC,
+ XFS_RANDOM_LOG_ITEM_PIN,
++ XFS_RANDOM_BUF_LRU_REF,
+ };
+
+ struct xfs_errortag_attr {
+@@ -163,6 +164,7 @@ XFS_ERRORTAG_ATTR_RW(ag_resv_critical, XFS_ERRTAG_AG_RESV_CRITICAL);
+ XFS_ERRORTAG_ATTR_RW(drop_writes, XFS_ERRTAG_DROP_WRITES);
+ XFS_ERRORTAG_ATTR_RW(log_bad_crc, XFS_ERRTAG_LOG_BAD_CRC);
+ XFS_ERRORTAG_ATTR_RW(log_item_pin, XFS_ERRTAG_LOG_ITEM_PIN);
++XFS_ERRORTAG_ATTR_RW(buf_lru_ref, XFS_ERRTAG_BUF_LRU_REF);
+
+ static struct attribute *xfs_errortag_attrs[] = {
+ XFS_ERRORTAG_ATTR_LIST(noerror),
+@@ -196,6 +198,7 @@ static struct attribute *xfs_errortag_attrs[] = {
+ XFS_ERRORTAG_ATTR_LIST(drop_writes),
+ XFS_ERRORTAG_ATTR_LIST(log_bad_crc),
+ XFS_ERRORTAG_ATTR_LIST(log_item_pin),
++ XFS_ERRORTAG_ATTR_LIST(buf_lru_ref),
+ NULL,
+ };
+
+diff --git a/fs/xfs/xfs_error.h b/fs/xfs/xfs_error.h
+index 7c4bef3bddb7..78a7f43f8d01 100644
+--- a/fs/xfs/xfs_error.h
++++ b/fs/xfs/xfs_error.h
+@@ -107,7 +107,8 @@ extern void xfs_verifier_error(struct xfs_buf *bp);
+ #define XFS_ERRTAG_DROP_WRITES 28
+ #define XFS_ERRTAG_LOG_BAD_CRC 29
+ #define XFS_ERRTAG_LOG_ITEM_PIN 30
+-#define XFS_ERRTAG_MAX 31
++#define XFS_ERRTAG_BUF_LRU_REF 31
++#define XFS_ERRTAG_MAX 32
+
+ /*
+ * Random factors for above tags, 1 means always, 2 means 1/2 time, etc.
+@@ -143,6 +144,7 @@ extern void xfs_verifier_error(struct xfs_buf *bp);
+ #define XFS_RANDOM_DROP_WRITES 1
+ #define XFS_RANDOM_LOG_BAD_CRC 1
+ #define XFS_RANDOM_LOG_ITEM_PIN 1
++#define XFS_RANDOM_BUF_LRU_REF 2
+
+ #ifdef DEBUG
+ extern int xfs_errortag_init(struct xfs_mount *mp);
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-check-_btree_check_block-value.patch b/patches.fixes/xfs-check-_btree_check_block-value.patch
new file mode 100644
index 0000000000..a5d0edf4c8
--- /dev/null
+++ b/patches.fixes/xfs-check-_btree_check_block-value.patch
@@ -0,0 +1,49 @@
+From 1e86eabe73b73c82e1110c746ed3ec6d5e1c0a0d Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Mon, 17 Jul 2017 14:30:45 -0700
+Subject: [PATCH] xfs: check _btree_check_block value
+Git-commit: 1e86eabe73b73c82e1110c746ed3ec6d5e1c0a0d
+Patch-mainline: v4.13-rc3
+References: bsc#1123663
+
+Check the _btree_check_block return value for the firstrec and lastrec
+functions, since we have the ability to signal that the repositioning
+did not succeed.
+
+Fixes-coverity-id: 114067
+Fixes-coverity-id: 114068
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_btree.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_btree.c b/fs/xfs/libxfs/xfs_btree.c
+index 4da85fff69ad..e0bcc4a59efd 100644
+--- a/fs/xfs/libxfs/xfs_btree.c
++++ b/fs/xfs/libxfs/xfs_btree.c
+@@ -728,7 +728,8 @@ xfs_btree_firstrec(
+ * Get the block pointer for this level.
+ */
+ block = xfs_btree_get_block(cur, level, &bp);
+- xfs_btree_check_block(cur, block, level, bp);
++ if (xfs_btree_check_block(cur, block, level, bp))
++ return 0;
+ /*
+ * It's empty, there is no such record.
+ */
+@@ -757,7 +758,8 @@ xfs_btree_lastrec(
+ * Get the block pointer for this level.
+ */
+ block = xfs_btree_get_block(cur, level, &bp);
+- xfs_btree_check_block(cur, block, level, bp);
++ if (xfs_btree_check_block(cur, block, level, bp))
++ return 0;
+ /*
+ * It's empty, there is no such record.
+ */
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-convert-drop_writes-to-use-the-errortag-mechanis.patch b/patches.fixes/xfs-convert-drop_writes-to-use-the-errortag-mechanis.patch
new file mode 100644
index 0000000000..6381bef09e
--- /dev/null
+++ b/patches.fixes/xfs-convert-drop_writes-to-use-the-errortag-mechanis.patch
@@ -0,0 +1,194 @@
+From f8c47250ba46eb221d1ac537266ac65bcf2866d5 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 20 Jun 2017 17:54:48 -0700
+Subject: [PATCH] xfs: convert drop_writes to use the errortag mechanism
+Git-commit: f8c47250ba46eb221d1ac537266ac65bcf2866d5
+Patch-mainline: v4.13-rc1
+References: bsc#1114427
+
+We now have enhanced error injection that can control the frequency
+with which errors happen, so convert drop_writes to use this.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_error.c | 3 +++
+ fs/xfs/xfs_error.h | 12 +++++++++++-
+ fs/xfs/xfs_iomap.c | 2 +-
+ fs/xfs/xfs_mount.h | 24 ------------------------
+ fs/xfs/xfs_sysfs.c | 42 ------------------------------------------
+ 5 files changed, 15 insertions(+), 68 deletions(-)
+
+diff --git a/fs/xfs/xfs_error.c b/fs/xfs/xfs_error.c
+index e2278af6aed1..a2f23d2bab16 100644
+--- a/fs/xfs/xfs_error.c
++++ b/fs/xfs/xfs_error.c
+@@ -55,6 +55,7 @@ static unsigned int xfs_errortag_random_default[] = {
+ XFS_RANDOM_REFCOUNT_FINISH_ONE,
+ XFS_RANDOM_BMAP_FINISH_ONE,
+ XFS_RANDOM_AG_RESV_CRITICAL,
++ XFS_RANDOM_DROP_WRITES,
+ };
+
+ struct xfs_errortag_attr {
+@@ -157,6 +158,7 @@ XFS_ERRORTAG_ATTR_RW(refcount_continue_update, XFS_ERRTAG_REFCOUNT_CONTINUE_UPDA
+ XFS_ERRORTAG_ATTR_RW(refcount_finish_one, XFS_ERRTAG_REFCOUNT_FINISH_ONE);
+ XFS_ERRORTAG_ATTR_RW(bmap_finish_one, XFS_ERRTAG_BMAP_FINISH_ONE);
+ XFS_ERRORTAG_ATTR_RW(ag_resv_critical, XFS_ERRTAG_AG_RESV_CRITICAL);
++XFS_ERRORTAG_ATTR_RW(drop_writes, XFS_ERRTAG_DROP_WRITES);
+
+ static struct attribute *xfs_errortag_attrs[] = {
+ XFS_ERRORTAG_ATTR_LIST(noerror),
+@@ -187,6 +189,7 @@ static struct attribute *xfs_errortag_attrs[] = {
+ XFS_ERRORTAG_ATTR_LIST(refcount_finish_one),
+ XFS_ERRORTAG_ATTR_LIST(bmap_finish_one),
+ XFS_ERRORTAG_ATTR_LIST(ag_resv_critical),
++ XFS_ERRORTAG_ATTR_LIST(drop_writes),
+ NULL,
+ };
+
+diff --git a/fs/xfs/xfs_error.h b/fs/xfs/xfs_error.h
+index ae8935b90a93..e0e4cf776fac 100644
+--- a/fs/xfs/xfs_error.h
++++ b/fs/xfs/xfs_error.h
+@@ -96,7 +96,16 @@ extern void xfs_verifier_error(struct xfs_buf *bp);
+ #define XFS_ERRTAG_REFCOUNT_FINISH_ONE 25
+ #define XFS_ERRTAG_BMAP_FINISH_ONE 26
+ #define XFS_ERRTAG_AG_RESV_CRITICAL 27
+-#define XFS_ERRTAG_MAX 28
++/*
++ * DEBUG mode instrumentation to test and/or trigger delayed allocation
++ * block killing in the event of failed writes. When enabled, all
++ * buffered writes are silenty dropped and handled as if they failed.
++ * All delalloc blocks in the range of the write (including pre-existing
++ * delalloc blocks!) are tossed as part of the write failure error
++ * handling sequence.
++ */
++#define XFS_ERRTAG_DROP_WRITES 28
++#define XFS_ERRTAG_MAX 29
+
+ /*
+ * Random factors for above tags, 1 means always, 2 means 1/2 time, etc.
+@@ -129,6 +138,7 @@ extern void xfs_verifier_error(struct xfs_buf *bp);
+ #define XFS_RANDOM_REFCOUNT_FINISH_ONE 1
+ #define XFS_RANDOM_BMAP_FINISH_ONE 1
+ #define XFS_RANDOM_AG_RESV_CRITICAL 4
++#define XFS_RANDOM_DROP_WRITES 1
+
+ #ifdef DEBUG
+ extern int xfs_errortag_init(struct xfs_mount *mp);
+diff --git a/fs/xfs/xfs_iomap.c b/fs/xfs/xfs_iomap.c
+index 304b79d681e4..86f1a9fa46d2 100644
+--- a/fs/xfs/xfs_iomap.c
++++ b/fs/xfs/xfs_iomap.c
+@@ -1097,7 +1097,7 @@ xfs_file_iomap_end_delalloc(
+ * Behave as if the write failed if drop writes is enabled. Set the NEW
+ * flag to force delalloc cleanup.
+ */
+- if (xfs_mp_drop_writes(mp)) {
++ if (XFS_TEST_ERROR(false, mp, XFS_ERRTAG_DROP_WRITES)) {
+ iomap->flags |= IOMAP_F_NEW;
+ written = 0;
+ }
+diff --git a/fs/xfs/xfs_mount.h b/fs/xfs/xfs_mount.h
+index 931e9fc21a1c..e0792d036be2 100644
+--- a/fs/xfs/xfs_mount.h
++++ b/fs/xfs/xfs_mount.h
+@@ -205,16 +205,6 @@ typedef struct xfs_mount {
+ */
+ unsigned int *m_errortag;
+ struct xfs_kobj m_errortag_kobj;
+-
+- /*
+- * DEBUG mode instrumentation to test and/or trigger delayed allocation
+- * block killing in the event of failed writes. When enabled, all
+- * buffered writes are silenty dropped and handled as if they failed.
+- * All delalloc blocks in the range of the write (including pre-existing
+- * delalloc blocks!) are tossed as part of the write failure error
+- * handling sequence.
+- */
+- bool m_drop_writes;
+ #endif
+ } xfs_mount_t;
+
+@@ -333,20 +323,6 @@ xfs_daddr_to_agbno(struct xfs_mount *mp, xfs_daddr_t d)
+ return (xfs_agblock_t) do_div(ld, mp->m_sb.sb_agblocks);
+ }
+
+-#ifdef DEBUG
+-static inline bool
+-xfs_mp_drop_writes(struct xfs_mount *mp)
+-{
+- return mp->m_drop_writes;
+-}
+-#else
+-static inline bool
+-xfs_mp_drop_writes(struct xfs_mount *mp)
+-{
+- return 0;
+-}
+-#endif
+-
+ /* per-AG block reservation data structures*/
+ enum xfs_ag_resv_type {
+ XFS_AG_RESV_NONE = 0,
+diff --git a/fs/xfs/xfs_sysfs.c b/fs/xfs/xfs_sysfs.c
+index ec6e0e2f95d6..56610a973593 100644
+--- a/fs/xfs/xfs_sysfs.c
++++ b/fs/xfs/xfs_sysfs.c
+@@ -90,49 +90,7 @@ to_mp(struct kobject *kobject)
+ return container_of(kobj, struct xfs_mount, m_kobj);
+ }
+
+-#ifdef DEBUG
+-
+-STATIC ssize_t
+-drop_writes_store(
+- struct kobject *kobject,
+- const char *buf,
+- size_t count)
+-{
+- struct xfs_mount *mp = to_mp(kobject);
+- int ret;
+- int val;
+-
+- ret = kstrtoint(buf, 0, &val);
+- if (ret)
+- return ret;
+-
+- if (val == 1)
+- mp->m_drop_writes = true;
+- else if (val == 0)
+- mp->m_drop_writes = false;
+- else
+- return -EINVAL;
+-
+- return count;
+-}
+-
+-STATIC ssize_t
+-drop_writes_show(
+- struct kobject *kobject,
+- char *buf)
+-{
+- struct xfs_mount *mp = to_mp(kobject);
+-
+- return snprintf(buf, PAGE_SIZE, "%d\n", mp->m_drop_writes ? 1 : 0);
+-}
+-XFS_SYSFS_ATTR_RW(drop_writes);
+-
+-#endif /* DEBUG */
+-
+ static struct attribute *xfs_mp_attrs[] = {
+-#ifdef DEBUG
+- ATTR_LIST(drop_writes),
+-#endif
+ NULL,
+ };
+
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-create-block-pointer-check-functions.patch b/patches.fixes/xfs-create-block-pointer-check-functions.patch
new file mode 100644
index 0000000000..c4c84d8308
--- /dev/null
+++ b/patches.fixes/xfs-create-block-pointer-check-functions.patch
@@ -0,0 +1,137 @@
+From 21ec54168b368f1a98097dee00625ec8ec2d47f3 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 17 Oct 2017 21:37:32 -0700
+Subject: [PATCH] xfs: create block pointer check functions
+Git-commit: 21ec54168b368f1a98097dee00625ec8ec2d47f3
+Patch-mainline: v4.15-rc1
+References: bsc#1123663
+
+Create some helper functions to check that a block pointer points
+within the filesystem (or AG) and doesn't point at static metadata.
+We will use this for scrub.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_alloc.c | 49 ++++++++++++++++++++++++++++++++++++++++++++
+ fs/xfs/libxfs/xfs_alloc.h | 4 ++++
+ fs/xfs/libxfs/xfs_rtbitmap.c | 12 +++++++++++
+ fs/xfs/xfs_rtalloc.h | 2 ++
+ 4 files changed, 67 insertions(+)
+
+diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c
+index f965ce832bc0..11c01e2668bf 100644
+--- a/fs/xfs/libxfs/xfs_alloc.c
++++ b/fs/xfs/libxfs/xfs_alloc.c
+@@ -2931,3 +2931,52 @@ xfs_alloc_query_all(
+ query.fn = fn;
+ return xfs_btree_query_all(cur, xfs_alloc_query_range_helper, &query);
+ }
++
++/* Find the size of the AG, in blocks. */
++xfs_agblock_t
++xfs_ag_block_count(
++ struct xfs_mount *mp,
++ xfs_agnumber_t agno)
++{
++ ASSERT(agno < mp->m_sb.sb_agcount);
++
++ if (agno < mp->m_sb.sb_agcount - 1)
++ return mp->m_sb.sb_agblocks;
++ return mp->m_sb.sb_dblocks - (agno * mp->m_sb.sb_agblocks);
++}
++
++/*
++ * Verify that an AG block number pointer neither points outside the AG
++ * nor points at static metadata.
++ */
++bool
++xfs_verify_agbno(
++ struct xfs_mount *mp,
++ xfs_agnumber_t agno,
++ xfs_agblock_t agbno)
++{
++ xfs_agblock_t eoag;
++
++ eoag = xfs_ag_block_count(mp, agno);
++ if (agbno >= eoag)
++ return false;
++ if (agbno <= XFS_AGFL_BLOCK(mp))
++ return false;
++ return true;
++}
++
++/*
++ * Verify that an FS block number pointer neither points outside the
++ * filesystem nor points at static AG metadata.
++ */
++bool
++xfs_verify_fsbno(
++ struct xfs_mount *mp,
++ xfs_fsblock_t fsbno)
++{
++ xfs_agnumber_t agno = XFS_FSB_TO_AGNO(mp, fsbno);
++
++ if (agno >= mp->m_sb.sb_agcount)
++ return false;
++ return xfs_verify_agbno(mp, agno, XFS_FSB_TO_AGBNO(mp, fsbno));
++}
+diff --git a/fs/xfs/libxfs/xfs_alloc.h b/fs/xfs/libxfs/xfs_alloc.h
+index ef26edc2e938..7ba2d129d504 100644
+--- a/fs/xfs/libxfs/xfs_alloc.h
++++ b/fs/xfs/libxfs/xfs_alloc.h
+@@ -232,5 +232,9 @@ int xfs_alloc_query_range(struct xfs_btree_cur *cur,
+ xfs_alloc_query_range_fn fn, void *priv);
+ int xfs_alloc_query_all(struct xfs_btree_cur *cur, xfs_alloc_query_range_fn fn,
+ void *priv);
++xfs_agblock_t xfs_ag_block_count(struct xfs_mount *mp, xfs_agnumber_t agno);
++bool xfs_verify_agbno(struct xfs_mount *mp, xfs_agnumber_t agno,
++ xfs_agblock_t agbno);
++bool xfs_verify_fsbno(struct xfs_mount *mp, xfs_fsblock_t fsbno);
+
+ #endif /* __XFS_ALLOC_H__ */
+diff --git a/fs/xfs/libxfs/xfs_rtbitmap.c b/fs/xfs/libxfs/xfs_rtbitmap.c
+index 5d4e43ef4eea..4523a92d5507 100644
+--- a/fs/xfs/libxfs/xfs_rtbitmap.c
++++ b/fs/xfs/libxfs/xfs_rtbitmap.c
+@@ -1086,3 +1086,15 @@ xfs_rtalloc_query_all(
+
+ return xfs_rtalloc_query_range(tp, &keys[0], &keys[1], fn, priv);
+ }
++
++/*
++ * Verify that an realtime block number pointer doesn't point off the
++ * end of the realtime device.
++ */
++bool
++xfs_verify_rtbno(
++ struct xfs_mount *mp,
++ xfs_rtblock_t rtbno)
++{
++ return rtbno < mp->m_sb.sb_rblocks;
++}
+diff --git a/fs/xfs/xfs_rtalloc.h b/fs/xfs/xfs_rtalloc.h
+index 79defa722bf1..3f30f846d7f2 100644
+--- a/fs/xfs/xfs_rtalloc.h
++++ b/fs/xfs/xfs_rtalloc.h
+@@ -138,6 +138,7 @@ int xfs_rtalloc_query_range(struct xfs_trans *tp,
+ int xfs_rtalloc_query_all(struct xfs_trans *tp,
+ xfs_rtalloc_query_range_fn fn,
+ void *priv);
++bool xfs_verify_rtbno(struct xfs_mount *mp, xfs_rtblock_t rtbno);
+ #else
+ # define xfs_rtallocate_extent(t,b,min,max,l,f,p,rb) (ENOSYS)
+ # define xfs_rtfree_extent(t,b,l) (ENOSYS)
+@@ -146,6 +147,7 @@ int xfs_rtalloc_query_all(struct xfs_trans *tp,
+ # define xfs_rtalloc_query_range(t,l,h,f,p) (ENOSYS)
+ # define xfs_rtalloc_query_all(t,f,p) (ENOSYS)
+ # define xfs_rtbuf_get(m,t,b,i,p) (ENOSYS)
++# define xfs_verify_rtbno(m, r) (false)
+ static inline int /* error */
+ xfs_rtmount_init(
+ xfs_mount_t *mp) /* file system mount structure */
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-create-inode-pointer-verifiers.patch b/patches.fixes/xfs-create-inode-pointer-verifiers.patch
new file mode 100644
index 0000000000..63a7eb4284
--- /dev/null
+++ b/patches.fixes/xfs-create-inode-pointer-verifiers.patch
@@ -0,0 +1,212 @@
+From 91fb9afc0847926ef6ea7695b8125c8fbe7974d6 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 17 Oct 2017 21:37:34 -0700
+Subject: [PATCH] xfs: create inode pointer verifiers
+Git-commit: 91fb9afc0847926ef6ea7695b8125c8fbe7974d6
+Patch-mainline: v4.15-rc1
+References: bsc#1114427
+
+Create some helper functions to check that inode pointers point to
+somewhere within the filesystem and not at the static AG metadata.
+Move xfs_internal_inum and create a directory inode check function.
+We will use these functions in scrub and elsewhere.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_dir2.c | 19 ++--------
+ fs/xfs/libxfs/xfs_ialloc.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++
+ fs/xfs/libxfs/xfs_ialloc.h | 7 ++++
+ fs/xfs/xfs_itable.c | 10 ------
+ fs/xfs/xfs_itable.h | 2 --
+ 5 files changed, 100 insertions(+), 28 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_dir2.c b/fs/xfs/libxfs/xfs_dir2.c
+index ccf9783fd3f0..ee5e9160eb01 100644
+--- a/fs/xfs/libxfs/xfs_dir2.c
++++ b/fs/xfs/libxfs/xfs_dir2.c
+@@ -30,6 +30,7 @@
+ #include "xfs_bmap.h"
+ #include "xfs_dir2.h"
+ #include "xfs_dir2_priv.h"
++#include "xfs_ialloc.h"
+ #include "xfs_error.h"
+ #include "xfs_trace.h"
+
+@@ -202,22 +203,8 @@ xfs_dir_ino_validate(
+ xfs_mount_t *mp,
+ xfs_ino_t ino)
+ {
+- xfs_agblock_t agblkno;
+- xfs_agino_t agino;
+- xfs_agnumber_t agno;
+- int ino_ok;
+- int ioff;
+-
+- agno = XFS_INO_TO_AGNO(mp, ino);
+- agblkno = XFS_INO_TO_AGBNO(mp, ino);
+- ioff = XFS_INO_TO_OFFSET(mp, ino);
+- agino = XFS_OFFBNO_TO_AGINO(mp, agblkno, ioff);
+- ino_ok =
+- agno < mp->m_sb.sb_agcount &&
+- agblkno < mp->m_sb.sb_agblocks &&
+- agblkno != 0 &&
+- ioff < (1 << mp->m_sb.sb_inopblog) &&
+- XFS_AGINO_TO_INO(mp, agno, agino) == ino;
++ bool ino_ok = xfs_verify_dir_ino(mp, ino);
++
+ if (unlikely(XFS_TEST_ERROR(!ino_ok, mp, XFS_ERRTAG_DIR_INO_VALIDATE))) {
+ xfs_warn(mp, "Invalid inode number 0x%Lx",
+ (unsigned long long) ino);
+diff --git a/fs/xfs/libxfs/xfs_ialloc.c b/fs/xfs/libxfs/xfs_ialloc.c
+index dfd643909f85..e11f8af8a725 100644
+--- a/fs/xfs/libxfs/xfs_ialloc.c
++++ b/fs/xfs/libxfs/xfs_ialloc.c
+@@ -2664,3 +2664,93 @@ xfs_ialloc_pagi_init(
+ xfs_trans_brelse(tp, bp);
+ return 0;
+ }
++
++/* Calculate the first and last possible inode number in an AG. */
++void
++xfs_ialloc_agino_range(
++ struct xfs_mount *mp,
++ xfs_agnumber_t agno,
++ xfs_agino_t *first,
++ xfs_agino_t *last)
++{
++ xfs_agblock_t bno;
++ xfs_agblock_t eoag;
++
++ eoag = xfs_ag_block_count(mp, agno);
++
++ /*
++ * Calculate the first inode, which will be in the first
++ * cluster-aligned block after the AGFL.
++ */
++ bno = round_up(XFS_AGFL_BLOCK(mp) + 1,
++ xfs_ialloc_cluster_alignment(mp));
++ *first = XFS_OFFBNO_TO_AGINO(mp, bno, 0);
++
++ /*
++ * Calculate the last inode, which will be at the end of the
++ * last (aligned) cluster that can be allocated in the AG.
++ */
++ bno = round_down(eoag, xfs_ialloc_cluster_alignment(mp));
++ *last = XFS_OFFBNO_TO_AGINO(mp, bno, 0) - 1;
++}
++
++/*
++ * Verify that an AG inode number pointer neither points outside the AG
++ * nor points at static metadata.
++ */
++bool
++xfs_verify_agino(
++ struct xfs_mount *mp,
++ xfs_agnumber_t agno,
++ xfs_agino_t agino)
++{
++ xfs_agino_t first;
++ xfs_agino_t last;
++
++ xfs_ialloc_agino_range(mp, agno, &first, &last);
++ return agino >= first && agino <= last;
++}
++
++/*
++ * Verify that an FS inode number pointer neither points outside the
++ * filesystem nor points at static AG metadata.
++ */
++bool
++xfs_verify_ino(
++ struct xfs_mount *mp,
++ xfs_ino_t ino)
++{
++ xfs_agnumber_t agno = XFS_INO_TO_AGNO(mp, ino);
++ xfs_agino_t agino = XFS_INO_TO_AGINO(mp, ino);
++
++ if (agno >= mp->m_sb.sb_agcount)
++ return false;
++ if (XFS_AGINO_TO_INO(mp, agno, agino) != ino)
++ return false;
++ return xfs_verify_agino(mp, agno, agino);
++}
++
++/* Is this an internal inode number? */
++bool
++xfs_internal_inum(
++ struct xfs_mount *mp,
++ xfs_ino_t ino)
++{
++ return ino == mp->m_sb.sb_rbmino || ino == mp->m_sb.sb_rsumino ||
++ (xfs_sb_version_hasquota(&mp->m_sb) &&
++ xfs_is_quota_inode(&mp->m_sb, ino));
++}
++
++/*
++ * Verify that a directory entry's inode number doesn't point at an internal
++ * inode, empty space, or static AG metadata.
++ */
++bool
++xfs_verify_dir_ino(
++ struct xfs_mount *mp,
++ xfs_ino_t ino)
++{
++ if (xfs_internal_inum(mp, ino))
++ return false;
++ return xfs_verify_ino(mp, ino);
++}
+diff --git a/fs/xfs/libxfs/xfs_ialloc.h b/fs/xfs/libxfs/xfs_ialloc.h
+index b32cfb5aeb5b..d2bdcd5e7312 100644
+--- a/fs/xfs/libxfs/xfs_ialloc.h
++++ b/fs/xfs/libxfs/xfs_ialloc.h
+@@ -173,5 +173,12 @@ void xfs_inobt_btrec_to_irec(struct xfs_mount *mp, union xfs_btree_rec *rec,
+ struct xfs_inobt_rec_incore *irec);
+
+ int xfs_ialloc_cluster_alignment(struct xfs_mount *mp);
++void xfs_ialloc_agino_range(struct xfs_mount *mp, xfs_agnumber_t agno,
++ xfs_agino_t *first, xfs_agino_t *last);
++bool xfs_verify_agino(struct xfs_mount *mp, xfs_agnumber_t agno,
++ xfs_agino_t agino);
++bool xfs_verify_ino(struct xfs_mount *mp, xfs_ino_t ino);
++bool xfs_internal_inum(struct xfs_mount *mp, xfs_ino_t ino);
++bool xfs_verify_dir_ino(struct xfs_mount *mp, xfs_ino_t ino);
+
+ #endif /* __XFS_IALLOC_H__ */
+diff --git a/fs/xfs/xfs_itable.c b/fs/xfs/xfs_itable.c
+index c393a2f6d8c3..0172d0b72c95 100644
+--- a/fs/xfs/xfs_itable.c
++++ b/fs/xfs/xfs_itable.c
+@@ -31,16 +31,6 @@
+ #include "xfs_trace.h"
+ #include "xfs_icache.h"
+
+-int
+-xfs_internal_inum(
+- xfs_mount_t *mp,
+- xfs_ino_t ino)
+-{
+- return (ino == mp->m_sb.sb_rbmino || ino == mp->m_sb.sb_rsumino ||
+- (xfs_sb_version_hasquota(&mp->m_sb) &&
+- xfs_is_quota_inode(&mp->m_sb, ino)));
+-}
+-
+ /*
+ * Return stat information for one inode.
+ * Return 0 if ok, else errno.
+diff --git a/fs/xfs/xfs_itable.h b/fs/xfs/xfs_itable.h
+index 17e86e0541af..6ea8b3912fa4 100644
+--- a/fs/xfs/xfs_itable.h
++++ b/fs/xfs/xfs_itable.h
+@@ -96,6 +96,4 @@ xfs_inumbers(
+ void __user *buffer, /* buffer with inode info */
+ inumbers_fmt_pf formatter);
+
+-int xfs_internal_inum(struct xfs_mount *mp, xfs_ino_t ino);
+-
+ #endif /* __XFS_ITABLE_H__ */
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-export-_inobt_btrec_to_irec-and-_ialloc_cluster_.patch b/patches.fixes/xfs-export-_inobt_btrec_to_irec-and-_ialloc_cluster_.patch
new file mode 100644
index 0000000000..3ec898a8d9
--- /dev/null
+++ b/patches.fixes/xfs-export-_inobt_btrec_to_irec-and-_ialloc_cluster_.patch
@@ -0,0 +1,111 @@
+From e936945ee49693f40217db82a7db55c94e34ce4c Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Fri, 16 Jun 2017 11:00:08 -0700
+Subject: [PATCH] xfs: export _inobt_btrec_to_irec and
+ _ialloc_cluster_alignment for scrub
+Git-commit: e936945ee49693f40217db82a7db55c94e34ce4c
+Patch-mainline: v4.13-rc1
+References: bsc#1114427
+
+Create a function to extract an in-core inobt record from a generic
+btree_rec union so that scrub will be able to check inobt records
+and check inode block alignment.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_ialloc.c | 44 +++++++++++++++++++++++++++-----------------
+ fs/xfs/libxfs/xfs_ialloc.h | 5 +++++
+ 2 files changed, 32 insertions(+), 17 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_ialloc.c b/fs/xfs/libxfs/xfs_ialloc.c
+index 1e5ed940b84d..c514fe98bbab 100644
+--- a/fs/xfs/libxfs/xfs_ialloc.c
++++ b/fs/xfs/libxfs/xfs_ialloc.c
+@@ -46,7 +46,7 @@
+ /*
+ * Allocation group level functions.
+ */
+-static inline int
++int
+ xfs_ialloc_cluster_alignment(
+ struct xfs_mount *mp)
+ {
+@@ -98,24 +98,15 @@ xfs_inobt_update(
+ return xfs_btree_update(cur, &rec);
+ }
+
+-/*
+- * Get the data from the pointed-to record.
+- */
+-int /* error */
+-xfs_inobt_get_rec(
+- struct xfs_btree_cur *cur, /* btree cursor */
+- xfs_inobt_rec_incore_t *irec, /* btree record */
+- int *stat) /* output: success/failure */
++/* Convert on-disk btree record to incore inobt record. */
++void
++xfs_inobt_btrec_to_irec(
++ struct xfs_mount *mp,
++ union xfs_btree_rec *rec,
++ struct xfs_inobt_rec_incore *irec)
+ {
+- union xfs_btree_rec *rec;
+- int error;
+-
+- error = xfs_btree_get_rec(cur, &rec, stat);
+- if (error || *stat == 0)
+- return error;
+-
+ irec->ir_startino = be32_to_cpu(rec->inobt.ir_startino);
+- if (xfs_sb_version_hassparseinodes(&cur->bc_mp->m_sb)) {
++ if (xfs_sb_version_hassparseinodes(&mp->m_sb)) {
+ irec->ir_holemask = be16_to_cpu(rec->inobt.ir_u.sp.ir_holemask);
+ irec->ir_count = rec->inobt.ir_u.sp.ir_count;
+ irec->ir_freecount = rec->inobt.ir_u.sp.ir_freecount;
+@@ -130,6 +121,25 @@ xfs_inobt_get_rec(
+ be32_to_cpu(rec->inobt.ir_u.f.ir_freecount);
+ }
+ irec->ir_free = be64_to_cpu(rec->inobt.ir_free);
++}
++
++/*
++ * Get the data from the pointed-to record.
++ */
++int
++xfs_inobt_get_rec(
++ struct xfs_btree_cur *cur,
++ struct xfs_inobt_rec_incore *irec,
++ int *stat)
++{
++ union xfs_btree_rec *rec;
++ int error;
++
++ error = xfs_btree_get_rec(cur, &rec, stat);
++ if (error || *stat == 0)
++ return error;
++
++ xfs_inobt_btrec_to_irec(cur->bc_mp, rec, irec);
+
+ return 0;
+ }
+diff --git a/fs/xfs/libxfs/xfs_ialloc.h b/fs/xfs/libxfs/xfs_ialloc.h
+index 0bb89669fc07..b32cfb5aeb5b 100644
+--- a/fs/xfs/libxfs/xfs_ialloc.h
++++ b/fs/xfs/libxfs/xfs_ialloc.h
+@@ -168,5 +168,10 @@ int xfs_ialloc_inode_init(struct xfs_mount *mp, struct xfs_trans *tp,
+ int xfs_read_agi(struct xfs_mount *mp, struct xfs_trans *tp,
+ xfs_agnumber_t agno, struct xfs_buf **bpp);
+
++union xfs_btree_rec;
++void xfs_inobt_btrec_to_irec(struct xfs_mount *mp, union xfs_btree_rec *rec,
++ struct xfs_inobt_rec_incore *irec);
++
++int xfs_ialloc_cluster_alignment(struct xfs_mount *mp);
+
+ #endif /* __XFS_IALLOC_H__ */
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-export-various-function-for-the-online-scrubber.patch b/patches.fixes/xfs-export-various-function-for-the-online-scrubber.patch
new file mode 100644
index 0000000000..efc78e3892
--- /dev/null
+++ b/patches.fixes/xfs-export-various-function-for-the-online-scrubber.patch
@@ -0,0 +1,277 @@
+From 2678809799e6e37db0800725157f5ebfc03a9df7 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Fri, 16 Jun 2017 11:00:07 -0700
+Subject: [PATCH] xfs: export various function for the online scrubber
+Git-commit: 2678809799e6e37db0800725157f5ebfc03a9df7
+Patch-mainline: v4.13-rc1
+References: bsc#1123663
+
+Export various internal functions so that the online scrubber can use
+them to check the state of metadata.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_alloc.c | 2 +-
+ fs/xfs/libxfs/xfs_alloc.h | 2 ++
+ fs/xfs/libxfs/xfs_btree.c | 12 ++++++------
+ fs/xfs/libxfs/xfs_btree.h | 13 +++++++++++++
+ fs/xfs/libxfs/xfs_dir2_leaf.c | 2 +-
+ fs/xfs/libxfs/xfs_dir2_priv.h | 2 ++
+ fs/xfs/libxfs/xfs_inode_buf.c | 2 +-
+ fs/xfs/libxfs/xfs_inode_buf.h | 3 +++
+ fs/xfs/libxfs/xfs_rmap.c | 3 ++-
+ fs/xfs/libxfs/xfs_rmap.h | 3 +++
+ fs/xfs/libxfs/xfs_rtbitmap.c | 2 +-
+ fs/xfs/xfs_itable.c | 2 +-
+ fs/xfs/xfs_itable.h | 2 ++
+ fs/xfs/xfs_rtalloc.h | 3 +++
+ 14 files changed, 41 insertions(+), 12 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c
+index 7486401ccbd3..fefa8daa1c36 100644
+--- a/fs/xfs/libxfs/xfs_alloc.c
++++ b/fs/xfs/libxfs/xfs_alloc.c
+@@ -606,7 +606,7 @@ const struct xfs_buf_ops xfs_agfl_buf_ops = {
+ /*
+ * Read in the allocation group free block array.
+ */
+-STATIC int /* error */
++int /* error */
+ xfs_alloc_read_agfl(
+ xfs_mount_t *mp, /* mount point structure */
+ xfs_trans_t *tp, /* transaction pointer */
+diff --git a/fs/xfs/libxfs/xfs_alloc.h b/fs/xfs/libxfs/xfs_alloc.h
+index 77d9c27330ab..ef26edc2e938 100644
+--- a/fs/xfs/libxfs/xfs_alloc.h
++++ b/fs/xfs/libxfs/xfs_alloc.h
+@@ -213,6 +213,8 @@ xfs_alloc_get_rec(
+
+ int xfs_read_agf(struct xfs_mount *mp, struct xfs_trans *tp,
+ xfs_agnumber_t agno, int flags, struct xfs_buf **bpp);
++int xfs_alloc_read_agfl(struct xfs_mount *mp, struct xfs_trans *tp,
++ xfs_agnumber_t agno, struct xfs_buf **bpp);
+ int xfs_alloc_fix_freelist(struct xfs_alloc_arg *args, int flags);
+ int xfs_free_extent_fix_freelist(struct xfs_trans *tp, xfs_agnumber_t agno,
+ struct xfs_buf **agbp);
+diff --git a/fs/xfs/libxfs/xfs_btree.c b/fs/xfs/libxfs/xfs_btree.c
+index 2aac3f499d97..2f8075aa8725 100644
+--- a/fs/xfs/libxfs/xfs_btree.c
++++ b/fs/xfs/libxfs/xfs_btree.c
+@@ -568,7 +568,7 @@ xfs_btree_ptr_offset(
+ /*
+ * Return a pointer to the n-th record in the btree block.
+ */
+-STATIC union xfs_btree_rec *
++union xfs_btree_rec *
+ xfs_btree_rec_addr(
+ struct xfs_btree_cur *cur,
+ int n,
+@@ -581,7 +581,7 @@ xfs_btree_rec_addr(
+ /*
+ * Return a pointer to the n-th key in the btree block.
+ */
+-STATIC union xfs_btree_key *
++union xfs_btree_key *
+ xfs_btree_key_addr(
+ struct xfs_btree_cur *cur,
+ int n,
+@@ -594,7 +594,7 @@ xfs_btree_key_addr(
+ /*
+ * Return a pointer to the n-th high key in the btree block.
+ */
+-STATIC union xfs_btree_key *
++union xfs_btree_key *
+ xfs_btree_high_key_addr(
+ struct xfs_btree_cur *cur,
+ int n,
+@@ -607,7 +607,7 @@ xfs_btree_high_key_addr(
+ /*
+ * Return a pointer to the n-th block pointer in the btree block.
+ */
+-STATIC union xfs_btree_ptr *
++union xfs_btree_ptr *
+ xfs_btree_ptr_addr(
+ struct xfs_btree_cur *cur,
+ int n,
+@@ -641,7 +641,7 @@ xfs_btree_get_iroot(
+ * Retrieve the block pointer from the cursor at the given level.
+ * This may be an inode btree root or from a buffer.
+ */
+-STATIC struct xfs_btree_block * /* generic btree block pointer */
++struct xfs_btree_block * /* generic btree block pointer */
+ xfs_btree_get_block(
+ struct xfs_btree_cur *cur, /* btree cursor */
+ int level, /* level in btree */
+@@ -1756,7 +1756,7 @@ xfs_btree_decrement(
+ return error;
+ }
+
+-STATIC int
++int
+ xfs_btree_lookup_get_block(
+ struct xfs_btree_cur *cur, /* btree cursor */
+ int level, /* level in the btree */
+diff --git a/fs/xfs/libxfs/xfs_btree.h b/fs/xfs/libxfs/xfs_btree.h
+index 177a364ce5cf..9c95e965cfe5 100644
+--- a/fs/xfs/libxfs/xfs_btree.h
++++ b/fs/xfs/libxfs/xfs_btree.h
+@@ -504,4 +504,17 @@ int xfs_btree_visit_blocks(struct xfs_btree_cur *cur,
+
+ int xfs_btree_count_blocks(struct xfs_btree_cur *cur, xfs_extlen_t *blocks);
+
++union xfs_btree_rec *xfs_btree_rec_addr(struct xfs_btree_cur *cur, int n,
++ struct xfs_btree_block *block);
++union xfs_btree_key *xfs_btree_key_addr(struct xfs_btree_cur *cur, int n,
++ struct xfs_btree_block *block);
++union xfs_btree_key *xfs_btree_high_key_addr(struct xfs_btree_cur *cur, int n,
++ struct xfs_btree_block *block);
++union xfs_btree_ptr *xfs_btree_ptr_addr(struct xfs_btree_cur *cur, int n,
++ struct xfs_btree_block *block);
++int xfs_btree_lookup_get_block(struct xfs_btree_cur *cur, int level,
++ union xfs_btree_ptr *pp, struct xfs_btree_block **blkp);
++struct xfs_btree_block *xfs_btree_get_block(struct xfs_btree_cur *cur,
++ int level, struct xfs_buf **bpp);
++
+ #endif /* __XFS_BTREE_H__ */
+diff --git a/fs/xfs/libxfs/xfs_dir2_leaf.c b/fs/xfs/libxfs/xfs_dir2_leaf.c
+index 68bf3e860a90..7002024a5d0d 100644
+--- a/fs/xfs/libxfs/xfs_dir2_leaf.c
++++ b/fs/xfs/libxfs/xfs_dir2_leaf.c
+@@ -256,7 +256,7 @@ const struct xfs_buf_ops xfs_dir3_leafn_buf_ops = {
+ .verify_write = xfs_dir3_leafn_write_verify,
+ };
+
+-static int
++int
+ xfs_dir3_leaf_read(
+ struct xfs_trans *tp,
+ struct xfs_inode *dp,
+diff --git a/fs/xfs/libxfs/xfs_dir2_priv.h b/fs/xfs/libxfs/xfs_dir2_priv.h
+index 011df4da6cc2..576f2d267fa7 100644
+--- a/fs/xfs/libxfs/xfs_dir2_priv.h
++++ b/fs/xfs/libxfs/xfs_dir2_priv.h
+@@ -58,6 +58,8 @@ extern int xfs_dir3_data_init(struct xfs_da_args *args, xfs_dir2_db_t blkno,
+ struct xfs_buf **bpp);
+
+ /* xfs_dir2_leaf.c */
++extern int xfs_dir3_leaf_read(struct xfs_trans *tp, struct xfs_inode *dp,
++ xfs_dablk_t fbno, xfs_daddr_t mappedbno, struct xfs_buf **bpp);
+ extern int xfs_dir3_leafn_read(struct xfs_trans *tp, struct xfs_inode *dp,
+ xfs_dablk_t fbno, xfs_daddr_t mappedbno, struct xfs_buf **bpp);
+ extern int xfs_dir2_block_to_leaf(struct xfs_da_args *args,
+diff --git a/fs/xfs/libxfs/xfs_inode_buf.c b/fs/xfs/libxfs/xfs_inode_buf.c
+index d887af940f09..0c970cf7ab63 100644
+--- a/fs/xfs/libxfs/xfs_inode_buf.c
++++ b/fs/xfs/libxfs/xfs_inode_buf.c
+@@ -381,7 +381,7 @@ xfs_log_dinode_to_disk(
+ }
+ }
+
+-static bool
++bool
+ xfs_dinode_verify(
+ struct xfs_mount *mp,
+ xfs_ino_t ino,
+diff --git a/fs/xfs/libxfs/xfs_inode_buf.h b/fs/xfs/libxfs/xfs_inode_buf.h
+index 0827d7def1ce..a9c97a356c30 100644
+--- a/fs/xfs/libxfs/xfs_inode_buf.h
++++ b/fs/xfs/libxfs/xfs_inode_buf.h
+@@ -82,4 +82,7 @@ void xfs_inobp_check(struct xfs_mount *, struct xfs_buf *);
+ #define xfs_inobp_check(mp, bp)
+ #endif /* DEBUG */
+
++bool xfs_dinode_verify(struct xfs_mount *mp, xfs_ino_t ino,
++ struct xfs_dinode *dip);
++
+ #endif /* __XFS_INODE_BUF_H__ */
+diff --git a/fs/xfs/libxfs/xfs_rmap.c b/fs/xfs/libxfs/xfs_rmap.c
+index 1bcb41fe0156..eda275beebe0 100644
+--- a/fs/xfs/libxfs/xfs_rmap.c
++++ b/fs/xfs/libxfs/xfs_rmap.c
+@@ -179,7 +179,8 @@ xfs_rmap_delete(
+ return error;
+ }
+
+-static int
++/* Convert an internal btree record to an rmap record. */
++int
+ xfs_rmap_btrec_to_irec(
+ union xfs_btree_rec *rec,
+ struct xfs_rmap_irec *irec)
+diff --git a/fs/xfs/libxfs/xfs_rmap.h b/fs/xfs/libxfs/xfs_rmap.h
+index 265116d044f4..466ede637080 100644
+--- a/fs/xfs/libxfs/xfs_rmap.h
++++ b/fs/xfs/libxfs/xfs_rmap.h
+@@ -216,5 +216,8 @@ int xfs_rmap_lookup_le_range(struct xfs_btree_cur *cur, xfs_agblock_t bno,
+ struct xfs_rmap_irec *irec, int *stat);
+ int xfs_rmap_compare(const struct xfs_rmap_irec *a,
+ const struct xfs_rmap_irec *b);
++union xfs_btree_rec;
++int xfs_rmap_btrec_to_irec(union xfs_btree_rec *rec,
++ struct xfs_rmap_irec *irec);
+
+ #endif /* __XFS_RMAP_H__ */
+diff --git a/fs/xfs/libxfs/xfs_rtbitmap.c b/fs/xfs/libxfs/xfs_rtbitmap.c
+index 26bba7f90fdf..5d4e43ef4eea 100644
+--- a/fs/xfs/libxfs/xfs_rtbitmap.c
++++ b/fs/xfs/libxfs/xfs_rtbitmap.c
+@@ -70,7 +70,7 @@ const struct xfs_buf_ops xfs_rtbuf_ops = {
+ * Get a buffer for the bitmap or summary file block specified.
+ * The buffer is returned read and locked.
+ */
+-static int
++int
+ xfs_rtbuf_get(
+ xfs_mount_t *mp, /* file system mount structure */
+ xfs_trans_t *tp, /* transaction pointer */
+diff --git a/fs/xfs/xfs_itable.c b/fs/xfs/xfs_itable.c
+index 26d67ce3c18d..c393a2f6d8c3 100644
+--- a/fs/xfs/xfs_itable.c
++++ b/fs/xfs/xfs_itable.c
+@@ -31,7 +31,7 @@
+ #include "xfs_trace.h"
+ #include "xfs_icache.h"
+
+-STATIC int
++int
+ xfs_internal_inum(
+ xfs_mount_t *mp,
+ xfs_ino_t ino)
+diff --git a/fs/xfs/xfs_itable.h b/fs/xfs/xfs_itable.h
+index 6ea8b3912fa4..17e86e0541af 100644
+--- a/fs/xfs/xfs_itable.h
++++ b/fs/xfs/xfs_itable.h
+@@ -96,4 +96,6 @@ xfs_inumbers(
+ void __user *buffer, /* buffer with inode info */
+ inumbers_fmt_pf formatter);
+
++int xfs_internal_inum(struct xfs_mount *mp, xfs_ino_t ino);
++
+ #endif /* __XFS_ITABLE_H__ */
+diff --git a/fs/xfs/xfs_rtalloc.h b/fs/xfs/xfs_rtalloc.h
+index f13133e6f19f..79defa722bf1 100644
+--- a/fs/xfs/xfs_rtalloc.h
++++ b/fs/xfs/xfs_rtalloc.h
+@@ -107,6 +107,8 @@ xfs_growfs_rt(
+ /*
+ * From xfs_rtbitmap.c
+ */
++int xfs_rtbuf_get(struct xfs_mount *mp, struct xfs_trans *tp,
++ xfs_rtblock_t block, int issum, struct xfs_buf **bpp);
+ int xfs_rtcheck_range(struct xfs_mount *mp, struct xfs_trans *tp,
+ xfs_rtblock_t start, xfs_extlen_t len, int val,
+ xfs_rtblock_t *new, int *stat);
+@@ -143,6 +145,7 @@ int xfs_rtalloc_query_all(struct xfs_trans *tp,
+ # define xfs_growfs_rt(mp,in) (ENOSYS)
+ # define xfs_rtalloc_query_range(t,l,h,f,p) (ENOSYS)
+ # define xfs_rtalloc_query_all(t,f,p) (ENOSYS)
++# define xfs_rtbuf_get(m,t,b,i,p) (ENOSYS)
+ static inline int /* error */
+ xfs_rtmount_init(
+ xfs_mount_t *mp) /* file system mount structure */
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-expose-errortag-knobs-via-sysfs.patch b/patches.fixes/xfs-expose-errortag-knobs-via-sysfs.patch
new file mode 100644
index 0000000000..0b86e0b326
--- /dev/null
+++ b/patches.fixes/xfs-expose-errortag-knobs-via-sysfs.patch
@@ -0,0 +1,244 @@
+From c684010115221978b17968dbddc8e31a09da85e7 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 20 Jun 2017 17:54:47 -0700
+Subject: [PATCH] xfs: expose errortag knobs via sysfs
+Git-commit: c684010115221978b17968dbddc8e31a09da85e7
+Patch-mainline: v4.13-rc1
+References: bsc#1114427
+
+Creates a /sys/fs/xfs/$dev/errortag/ directory to control the errortag
+values directly. This enables us to control the randomness values,
+rather than having to accept the defaults.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_error.c | 156 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ fs/xfs/xfs_error.h | 1 +
+ fs/xfs/xfs_mount.h | 1 +
+ 3 files changed, 157 insertions(+), 1 deletion(-)
+
+diff --git a/fs/xfs/xfs_error.c b/fs/xfs/xfs_error.c
+index 52f75bc1abac..e2278af6aed1 100644
+--- a/fs/xfs/xfs_error.c
++++ b/fs/xfs/xfs_error.c
+@@ -22,6 +22,7 @@
+ #include "xfs_trans_resv.h"
+ #include "xfs_mount.h"
+ #include "xfs_error.h"
++#include "xfs_sysfs.h"
+
+ #ifdef DEBUG
+
+@@ -56,6 +57,145 @@ static unsigned int xfs_errortag_random_default[] = {
+ XFS_RANDOM_AG_RESV_CRITICAL,
+ };
+
++struct xfs_errortag_attr {
++ struct attribute attr;
++ unsigned int tag;
++};
++
++static inline struct xfs_errortag_attr *
++to_attr(struct attribute *attr)
++{
++ return container_of(attr, struct xfs_errortag_attr, attr);
++}
++
++static inline struct xfs_mount *
++to_mp(struct kobject *kobject)
++{
++ struct xfs_kobj *kobj = to_kobj(kobject);
++
++ return container_of(kobj, struct xfs_mount, m_errortag_kobj);
++}
++
++STATIC ssize_t
++xfs_errortag_attr_store(
++ struct kobject *kobject,
++ struct attribute *attr,
++ const char *buf,
++ size_t count)
++{
++ struct xfs_mount *mp = to_mp(kobject);
++ struct xfs_errortag_attr *xfs_attr = to_attr(attr);
++ int ret;
++ unsigned int val;
++
++ if (strcmp(buf, "default") == 0) {
++ val = xfs_errortag_random_default[xfs_attr->tag];
++ } else {
++ ret = kstrtouint(buf, 0, &val);
++ if (ret)
++ return ret;
++ }
++
++ ret = xfs_errortag_set(mp, xfs_attr->tag, val);
++ if (ret)
++ return ret;
++ return count;
++}
++
++STATIC ssize_t
++xfs_errortag_attr_show(
++ struct kobject *kobject,
++ struct attribute *attr,
++ char *buf)
++{
++ struct xfs_mount *mp = to_mp(kobject);
++ struct xfs_errortag_attr *xfs_attr = to_attr(attr);
++
++ return snprintf(buf, PAGE_SIZE, "%u\n",
++ xfs_errortag_get(mp, xfs_attr->tag));
++}
++
++static const struct sysfs_ops xfs_errortag_sysfs_ops = {
++ .show = xfs_errortag_attr_show,
++ .store = xfs_errortag_attr_store,
++};
++
++#define XFS_ERRORTAG_ATTR_RW(_name, _tag) \
++static struct xfs_errortag_attr xfs_errortag_attr_##_name = { \
++ .attr = {.name = __stringify(_name), \
++ .mode = VERIFY_OCTAL_PERMISSIONS(S_IWUSR | S_IRUGO) }, \
++ .tag = (_tag), \
++}
++
++#define XFS_ERRORTAG_ATTR_LIST(_name) &xfs_errortag_attr_##_name.attr
++
++XFS_ERRORTAG_ATTR_RW(noerror, XFS_ERRTAG_NOERROR);
++XFS_ERRORTAG_ATTR_RW(iflush1, XFS_ERRTAG_IFLUSH_1);
++XFS_ERRORTAG_ATTR_RW(iflush2, XFS_ERRTAG_IFLUSH_2);
++XFS_ERRORTAG_ATTR_RW(iflush3, XFS_ERRTAG_IFLUSH_3);
++XFS_ERRORTAG_ATTR_RW(iflush4, XFS_ERRTAG_IFLUSH_4);
++XFS_ERRORTAG_ATTR_RW(iflush5, XFS_ERRTAG_IFLUSH_5);
++XFS_ERRORTAG_ATTR_RW(iflush6, XFS_ERRTAG_IFLUSH_6);
++XFS_ERRORTAG_ATTR_RW(dareadbuf, XFS_ERRTAG_DA_READ_BUF);
++XFS_ERRORTAG_ATTR_RW(btree_chk_lblk, XFS_ERRTAG_BTREE_CHECK_LBLOCK);
++XFS_ERRORTAG_ATTR_RW(btree_chk_sblk, XFS_ERRTAG_BTREE_CHECK_SBLOCK);
++XFS_ERRORTAG_ATTR_RW(readagf, XFS_ERRTAG_ALLOC_READ_AGF);
++XFS_ERRORTAG_ATTR_RW(readagi, XFS_ERRTAG_IALLOC_READ_AGI);
++XFS_ERRORTAG_ATTR_RW(itobp, XFS_ERRTAG_ITOBP_INOTOBP);
++XFS_ERRORTAG_ATTR_RW(iunlink, XFS_ERRTAG_IUNLINK);
++XFS_ERRORTAG_ATTR_RW(iunlinkrm, XFS_ERRTAG_IUNLINK_REMOVE);
++XFS_ERRORTAG_ATTR_RW(dirinovalid, XFS_ERRTAG_DIR_INO_VALIDATE);
++XFS_ERRORTAG_ATTR_RW(bulkstat, XFS_ERRTAG_BULKSTAT_READ_CHUNK);
++XFS_ERRORTAG_ATTR_RW(logiodone, XFS_ERRTAG_IODONE_IOERR);
++XFS_ERRORTAG_ATTR_RW(stratread, XFS_ERRTAG_STRATREAD_IOERR);
++XFS_ERRORTAG_ATTR_RW(stratcmpl, XFS_ERRTAG_STRATCMPL_IOERR);
++XFS_ERRORTAG_ATTR_RW(diowrite, XFS_ERRTAG_DIOWRITE_IOERR);
++XFS_ERRORTAG_ATTR_RW(bmapifmt, XFS_ERRTAG_BMAPIFORMAT);
++XFS_ERRORTAG_ATTR_RW(free_extent, XFS_ERRTAG_FREE_EXTENT);
++XFS_ERRORTAG_ATTR_RW(rmap_finish_one, XFS_ERRTAG_RMAP_FINISH_ONE);
++XFS_ERRORTAG_ATTR_RW(refcount_continue_update, XFS_ERRTAG_REFCOUNT_CONTINUE_UPDATE);
++XFS_ERRORTAG_ATTR_RW(refcount_finish_one, XFS_ERRTAG_REFCOUNT_FINISH_ONE);
++XFS_ERRORTAG_ATTR_RW(bmap_finish_one, XFS_ERRTAG_BMAP_FINISH_ONE);
++XFS_ERRORTAG_ATTR_RW(ag_resv_critical, XFS_ERRTAG_AG_RESV_CRITICAL);
++
++static struct attribute *xfs_errortag_attrs[] = {
++ XFS_ERRORTAG_ATTR_LIST(noerror),
++ XFS_ERRORTAG_ATTR_LIST(iflush1),
++ XFS_ERRORTAG_ATTR_LIST(iflush2),
++ XFS_ERRORTAG_ATTR_LIST(iflush3),
++ XFS_ERRORTAG_ATTR_LIST(iflush4),
++ XFS_ERRORTAG_ATTR_LIST(iflush5),
++ XFS_ERRORTAG_ATTR_LIST(iflush6),
++ XFS_ERRORTAG_ATTR_LIST(dareadbuf),
++ XFS_ERRORTAG_ATTR_LIST(btree_chk_lblk),
++ XFS_ERRORTAG_ATTR_LIST(btree_chk_sblk),
++ XFS_ERRORTAG_ATTR_LIST(readagf),
++ XFS_ERRORTAG_ATTR_LIST(readagi),
++ XFS_ERRORTAG_ATTR_LIST(itobp),
++ XFS_ERRORTAG_ATTR_LIST(iunlink),
++ XFS_ERRORTAG_ATTR_LIST(iunlinkrm),
++ XFS_ERRORTAG_ATTR_LIST(dirinovalid),
++ XFS_ERRORTAG_ATTR_LIST(bulkstat),
++ XFS_ERRORTAG_ATTR_LIST(logiodone),
++ XFS_ERRORTAG_ATTR_LIST(stratread),
++ XFS_ERRORTAG_ATTR_LIST(stratcmpl),
++ XFS_ERRORTAG_ATTR_LIST(diowrite),
++ XFS_ERRORTAG_ATTR_LIST(bmapifmt),
++ XFS_ERRORTAG_ATTR_LIST(free_extent),
++ XFS_ERRORTAG_ATTR_LIST(rmap_finish_one),
++ XFS_ERRORTAG_ATTR_LIST(refcount_continue_update),
++ XFS_ERRORTAG_ATTR_LIST(refcount_finish_one),
++ XFS_ERRORTAG_ATTR_LIST(bmap_finish_one),
++ XFS_ERRORTAG_ATTR_LIST(ag_resv_critical),
++ NULL,
++};
++
++struct kobj_type xfs_errortag_ktype = {
++ .release = xfs_sysfs_release,
++ .sysfs_ops = &xfs_errortag_sysfs_ops,
++ .default_attrs = xfs_errortag_attrs,
++};
++
+ int
+ xfs_errortag_init(
+ struct xfs_mount *mp)
+@@ -64,13 +204,16 @@ xfs_errortag_init(
+ KM_SLEEP | KM_MAYFAIL);
+ if (!mp->m_errortag)
+ return -ENOMEM;
+- return 0;
++
++ return xfs_sysfs_init(&mp->m_errortag_kobj, &xfs_errortag_ktype,
++ &mp->m_kobj, "errortag");
+ }
+
+ void
+ xfs_errortag_del(
+ struct xfs_mount *mp)
+ {
++ xfs_sysfs_del(&mp->m_errortag_kobj);
+ kmem_free(mp->m_errortag);
+ }
+
+@@ -95,6 +238,17 @@ xfs_errortag_test(
+ return true;
+ }
+
++int
++xfs_errortag_get(
++ struct xfs_mount *mp,
++ unsigned int error_tag)
++{
++ if (error_tag >= XFS_ERRTAG_MAX)
++ return -EINVAL;
++
++ return mp->m_errortag[error_tag];
++}
++
+ int
+ xfs_errortag_set(
+ struct xfs_mount *mp,
+diff --git a/fs/xfs/xfs_error.h b/fs/xfs/xfs_error.h
+index b4316d39e1ca..8915bdeb6128 100644
+--- a/fs/xfs/xfs_error.h
++++ b/fs/xfs/xfs_error.h
+@@ -138,6 +138,7 @@ extern bool xfs_errortag_test(struct xfs_mount *mp, const char *expression,
+ #define XFS_TEST_ERROR(expr, mp, tag, rf) \
+ ((expr) || xfs_errortag_test((mp), #expr, __FILE__, __LINE__, (tag)))
+
++extern int xfs_errortag_get(struct xfs_mount *mp, unsigned int error_tag);
+ extern int xfs_errortag_set(struct xfs_mount *mp, unsigned int error_tag,
+ unsigned int tag_value);
+ extern int xfs_errortag_add(struct xfs_mount *mp, unsigned int error_tag);
+diff --git a/fs/xfs/xfs_mount.h b/fs/xfs/xfs_mount.h
+index e002ac52a4e6..931e9fc21a1c 100644
+--- a/fs/xfs/xfs_mount.h
++++ b/fs/xfs/xfs_mount.h
+@@ -204,6 +204,7 @@ typedef struct xfs_mount {
+ * error triggers. 1 = always, 2 = half the time, etc.
+ */
+ unsigned int *m_errortag;
++ struct xfs_kobj m_errortag_kobj;
+
+ /*
+ * DEBUG mode instrumentation to test and/or trigger delayed allocation
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-fix-unused-variable-warning-in-xfs_buf_set_ref.patch b/patches.fixes/xfs-fix-unused-variable-warning-in-xfs_buf_set_ref.patch
new file mode 100644
index 0000000000..97eaa8e2b2
--- /dev/null
+++ b/patches.fixes/xfs-fix-unused-variable-warning-in-xfs_buf_set_ref.patch
@@ -0,0 +1,45 @@
+From 4eadcf9a417a4689e596e3c2a99857c2e3603049 Mon Sep 17 00:00:00 2001
+From: Brian Foster <bfoster@redhat.com>
+Date: Fri, 27 Oct 2017 09:20:28 -0700
+Subject: [PATCH] xfs: fix unused variable warning in xfs_buf_set_ref()
+Git-commit: 4eadcf9a417a4689e596e3c2a99857c2e3603049
+Patch-mainline: v4.15-rc1
+References: bsc#1114427
+
+Fix an unused variable warning on non-DEBUG builds introduced by
+commit 7561d27e90 ("xfs: buffer lru reference count error injection
+tag").
+
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_buf.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
+index d481dd2b29a6..db786bce7c03 100644
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -2133,14 +2133,13 @@ xfs_buf_terminate(void)
+
+ void xfs_buf_set_ref(struct xfs_buf *bp, int lru_ref)
+ {
+- struct xfs_mount *mp = bp->b_target->bt_mount;
+-
+ /*
+ * Set the lru reference count to 0 based on the error injection tag.
+ * This allows userspace to disrupt buffer caching for debug/testing
+ * purposes.
+ */
+- if (XFS_TEST_ERROR(false, mp, XFS_ERRTAG_BUF_LRU_REF))
++ if (XFS_TEST_ERROR(false, bp->b_target->bt_mount,
++ XFS_ERRTAG_BUF_LRU_REF))
+ lru_ref = 0;
+
+ atomic_set(&bp->b_lru_ref, lru_ref);
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-force-summary-counter-recalc-at-next-mount.patch b/patches.fixes/xfs-force-summary-counter-recalc-at-next-mount.patch
new file mode 100644
index 0000000000..dc4f88542c
--- /dev/null
+++ b/patches.fixes/xfs-force-summary-counter-recalc-at-next-mount.patch
@@ -0,0 +1,131 @@
+From f467cad95f5e3814fda408dea76eb962ab19685d Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Fri, 20 Jul 2018 09:28:40 -0700
+Subject: [PATCH] xfs: force summary counter recalc at next mount
+Git-commit: f467cad95f5e3814fda408dea76eb962ab19685d
+Patch-mainline: v4.19-rc1
+References: bsc#1114427
+
+Use the "bad summary count" mount flag from the previous patch to skip
+writing the unmount record to force log recovery at the next mount,
+which will recalculate the summary counters for us.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_errortag.h | 4 +++-
+ fs/xfs/xfs_error.c | 3 +++
+ fs/xfs/xfs_log.c | 16 +++++++++++++++-
+ fs/xfs/xfs_mount.c | 13 +++++++++++++
+ fs/xfs/xfs_mount.h | 1 +
+ 5 files changed, 35 insertions(+), 2 deletions(-)
+
+--- a/fs/xfs/libxfs/xfs_errortag.h
++++ b/fs/xfs/libxfs/xfs_errortag.h
+@@ -65,7 +65,8 @@
+ #define XFS_ERRTAG_LOG_BAD_CRC 29
+ #define XFS_ERRTAG_LOG_ITEM_PIN 30
+ #define XFS_ERRTAG_BUF_LRU_REF 31
+-#define XFS_ERRTAG_MAX 32
++#define XFS_ERRTAG_FORCE_SUMMARY_RECALC 33
++#define XFS_ERRTAG_MAX 34
+
+ /*
+ * Random factors for above tags, 1 means always, 2 means 1/2 time, etc.
+@@ -102,5 +103,6 @@
+ #define XFS_RANDOM_LOG_BAD_CRC 1
+ #define XFS_RANDOM_LOG_ITEM_PIN 1
+ #define XFS_RANDOM_BUF_LRU_REF 2
++#define XFS_RANDOM_FORCE_SUMMARY_RECALC 1
+
+ #endif /* __XFS_ERRORTAG_H_ */
+--- a/fs/xfs/xfs_error.c
++++ b/fs/xfs/xfs_error.c
+@@ -60,6 +60,7 @@
+ XFS_RANDOM_LOG_BAD_CRC,
+ XFS_RANDOM_LOG_ITEM_PIN,
+ XFS_RANDOM_BUF_LRU_REF,
++ XFS_RANDOM_FORCE_SUMMARY_RECALC,
+ };
+
+ struct xfs_errortag_attr {
+@@ -166,6 +167,7 @@
+ XFS_ERRORTAG_ATTR_RW(log_bad_crc, XFS_ERRTAG_LOG_BAD_CRC);
+ XFS_ERRORTAG_ATTR_RW(log_item_pin, XFS_ERRTAG_LOG_ITEM_PIN);
+ XFS_ERRORTAG_ATTR_RW(buf_lru_ref, XFS_ERRTAG_BUF_LRU_REF);
++XFS_ERRORTAG_ATTR_RW(bad_summary, XFS_ERRTAG_FORCE_SUMMARY_RECALC);
+
+ static struct attribute *xfs_errortag_attrs[] = {
+ XFS_ERRORTAG_ATTR_LIST(noerror),
+@@ -200,6 +202,7 @@
+ XFS_ERRORTAG_ATTR_LIST(log_bad_crc),
+ XFS_ERRORTAG_ATTR_LIST(log_item_pin),
+ XFS_ERRORTAG_ATTR_LIST(buf_lru_ref),
++ XFS_ERRORTAG_ATTR_LIST(bad_summary),
+ NULL,
+ };
+
+--- a/fs/xfs/xfs_log.c
++++ b/fs/xfs/xfs_log.c
+@@ -845,16 +845,30 @@
+ struct xlog_in_core *iclog;
+ struct xlog_ticket *tic = NULL;
+ xfs_lsn_t lsn;
++ uint flags = XLOG_UNMOUNT_TRANS;
+ int error;
+
+ error = xfs_log_reserve(mp, 600, 1, &tic, XFS_LOG, 0);
+ if (error)
+ goto out_err;
+
++ /*
++ * If we think the summary counters are bad, clear the unmount header
++ * flag in the unmount record so that the summary counters will be
++ * recalculated during log recovery at next mount. Refer to
++ * xlog_check_unmount_rec for more details.
++ */
++ if (XFS_TEST_ERROR((mp->m_flags & XFS_MOUNT_BAD_SUMMARY), mp,
++ XFS_ERRTAG_FORCE_SUMMARY_RECALC)) {
++ xfs_alert(mp, "%s: will fix summary counters at next mount",
++ __func__);
++ flags &= ~XLOG_UNMOUNT_TRANS;
++ }
++
+ /* remove inited flag, and account for space used */
+ tic->t_flags = 0;
+ tic->t_curr_res -= sizeof(magic);
+- error = xlog_write(log, &vec, tic, &lsn, NULL, XLOG_UNMOUNT_TRANS);
++ error = xlog_write(log, &vec, tic, &lsn, NULL, flags);
+ /*
+ * At this point, we're umounting anyway, so there's no point in
+ * transitioning log state to IOERROR. Just continue...
+--- a/fs/xfs/xfs_mount.c
++++ b/fs/xfs/xfs_mount.c
+@@ -1422,3 +1422,16 @@
+ }
+ return 0;
+ }
++
++/* Force the summary counters to be recalculated at next mount. */
++void
++xfs_force_summary_recalc(
++ struct xfs_mount *mp)
++{
++ if (!xfs_sb_version_haslazysbcount(&mp->m_sb))
++ return;
++
++ spin_lock(&mp->m_sb_lock);
++ mp->m_flags |= XFS_MOUNT_BAD_SUMMARY;
++ spin_unlock(&mp->m_sb_lock);
++}
+--- a/fs/xfs/xfs_mount.h
++++ b/fs/xfs/xfs_mount.h
+@@ -447,5 +447,6 @@
+
+ struct xfs_error_cfg * xfs_error_get_cfg(struct xfs_mount *mp,
+ int error_class, int error);
++void xfs_force_summary_recalc(struct xfs_mount *mp);
+
+ #endif /* __XFS_MOUNT_H__ */
diff --git a/patches.fixes/xfs-make-errortag-a-per-mountpoint-structure.patch b/patches.fixes/xfs-make-errortag-a-per-mountpoint-structure.patch
new file mode 100644
index 0000000000..fe026452b2
--- /dev/null
+++ b/patches.fixes/xfs-make-errortag-a-per-mountpoint-structure.patch
@@ -0,0 +1,336 @@
+From 31965ef34802f49903bba06dd7c3b96a2e2ed4e4 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 20 Jun 2017 17:54:46 -0700
+Subject: [PATCH] xfs: make errortag a per-mountpoint structure
+Git-commit: 31965ef34802f49903bba06dd7c3b96a2e2ed4e4
+Patch-mainline: v4.13-rc1
+References: bsc#1123663
+
+Remove the xfs_etest structure in favor of a per-mountpoint structure.
+This will give us the flexibility to set as many error injection points
+as we want, and later enable us to set up sysfs knobs to set the trigger
+frequency as we wish. This comes at a cost of higher memory use, but
+unti we hit 1024 injection points (we're at 29) or a lot of mounts this
+shouldn't be a huge issue.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_error.c | 154 ++++++++++++++++++++++++++++-------------------------
+ fs/xfs/xfs_error.h | 25 +++++----
+ fs/xfs/xfs_ioctl.c | 4 +-
+ fs/xfs/xfs_mount.c | 10 +++-
+ fs/xfs/xfs_mount.h | 7 +++
+ 5 files changed, 111 insertions(+), 89 deletions(-)
+
+diff --git a/fs/xfs/xfs_error.c b/fs/xfs/xfs_error.c
+index ed7ee4e8af73..52f75bc1abac 100644
+--- a/fs/xfs/xfs_error.c
++++ b/fs/xfs/xfs_error.c
+@@ -25,100 +25,106 @@
+
+ #ifdef DEBUG
+
+-int xfs_etest[XFS_NUM_INJECT_ERROR];
+-int64_t xfs_etest_fsid[XFS_NUM_INJECT_ERROR];
+-char * xfs_etest_fsname[XFS_NUM_INJECT_ERROR];
+-int xfs_error_test_active;
++static unsigned int xfs_errortag_random_default[] = {
++ XFS_RANDOM_DEFAULT,
++ XFS_RANDOM_IFLUSH_1,
++ XFS_RANDOM_IFLUSH_2,
++ XFS_RANDOM_IFLUSH_3,
++ XFS_RANDOM_IFLUSH_4,
++ XFS_RANDOM_IFLUSH_5,
++ XFS_RANDOM_IFLUSH_6,
++ XFS_RANDOM_DA_READ_BUF,
++ XFS_RANDOM_BTREE_CHECK_LBLOCK,
++ XFS_RANDOM_BTREE_CHECK_SBLOCK,
++ XFS_RANDOM_ALLOC_READ_AGF,
++ XFS_RANDOM_IALLOC_READ_AGI,
++ XFS_RANDOM_ITOBP_INOTOBP,
++ XFS_RANDOM_IUNLINK,
++ XFS_RANDOM_IUNLINK_REMOVE,
++ XFS_RANDOM_DIR_INO_VALIDATE,
++ XFS_RANDOM_BULKSTAT_READ_CHUNK,
++ XFS_RANDOM_IODONE_IOERR,
++ XFS_RANDOM_STRATREAD_IOERR,
++ XFS_RANDOM_STRATCMPL_IOERR,
++ XFS_RANDOM_DIOWRITE_IOERR,
++ XFS_RANDOM_BMAPIFORMAT,
++ XFS_RANDOM_FREE_EXTENT,
++ XFS_RANDOM_RMAP_FINISH_ONE,
++ XFS_RANDOM_REFCOUNT_CONTINUE_UPDATE,
++ XFS_RANDOM_REFCOUNT_FINISH_ONE,
++ XFS_RANDOM_BMAP_FINISH_ONE,
++ XFS_RANDOM_AG_RESV_CRITICAL,
++};
+
+ int
+-xfs_error_test(int error_tag, int *fsidp, char *expression,
+- int line, char *file, unsigned long randfactor)
++xfs_errortag_init(
++ struct xfs_mount *mp)
+ {
+- int i;
+- int64_t fsid;
++ mp->m_errortag = kmem_zalloc(sizeof(unsigned int) * XFS_ERRTAG_MAX,
++ KM_SLEEP | KM_MAYFAIL);
++ if (!mp->m_errortag)
++ return -ENOMEM;
++ return 0;
++}
+
+- if (prandom_u32() % randfactor)
+- return 0;
++void
++xfs_errortag_del(
++ struct xfs_mount *mp)
++{
++ kmem_free(mp->m_errortag);
++}
+
+- memcpy(&fsid, fsidp, sizeof(xfs_fsid_t));
++bool
++xfs_errortag_test(
++ struct xfs_mount *mp,
++ const char *expression,
++ const char *file,
++ int line,
++ unsigned int error_tag)
++{
++ unsigned int randfactor;
+
+- for (i = 0; i < XFS_NUM_INJECT_ERROR; i++) {
+- if (xfs_etest[i] == error_tag && xfs_etest_fsid[i] == fsid) {
+- xfs_warn(NULL,
+- "Injecting error (%s) at file %s, line %d, on filesystem \"%s\"",
+- expression, file, line, xfs_etest_fsname[i]);
+- return 1;
+- }
+- }
++ ASSERT(error_tag < XFS_ERRTAG_MAX);
++ randfactor = mp->m_errortag[error_tag];
++ if (!randfactor || prandom_u32() % randfactor)
++ return false;
+
+- return 0;
++ xfs_warn_ratelimited(mp,
++"Injecting error (%s) at file %s, line %d, on filesystem \"%s\"",
++ expression, file, line, mp->m_fsname);
++ return true;
+ }
+
+ int
+-xfs_errortag_add(unsigned int error_tag, xfs_mount_t *mp)
++xfs_errortag_set(
++ struct xfs_mount *mp,
++ unsigned int error_tag,
++ unsigned int tag_value)
+ {
+- int i;
+- int len;
+- int64_t fsid;
+-
+ if (error_tag >= XFS_ERRTAG_MAX)
+ return -EINVAL;
+
+- memcpy(&fsid, mp->m_fixedfsid, sizeof(xfs_fsid_t));
+-
+- for (i = 0; i < XFS_NUM_INJECT_ERROR; i++) {
+- if (xfs_etest_fsid[i] == fsid && xfs_etest[i] == error_tag) {
+- xfs_warn(mp, "error tag #%d on", error_tag);
+- return 0;
+- }
+- }
+-
+- for (i = 0; i < XFS_NUM_INJECT_ERROR; i++) {
+- if (xfs_etest[i] == 0) {
+- xfs_warn(mp, "Turned on XFS error tag #%d",
+- error_tag);
+- xfs_etest[i] = error_tag;
+- xfs_etest_fsid[i] = fsid;
+- len = strlen(mp->m_fsname);
+- xfs_etest_fsname[i] = kmem_alloc(len + 1, KM_SLEEP);
+- strcpy(xfs_etest_fsname[i], mp->m_fsname);
+- xfs_error_test_active++;
+- return 0;
+- }
+- }
+-
+- xfs_warn(mp, "error tag overflow, too many turned on");
+-
+- return 1;
++ mp->m_errortag[error_tag] = tag_value;
++ return 0;
+ }
+
+ int
+-xfs_errortag_clearall(xfs_mount_t *mp, int loud)
++xfs_errortag_add(
++ struct xfs_mount *mp,
++ unsigned int error_tag)
+ {
+- int64_t fsid;
+- int cleared = 0;
+- int i;
+-
+- memcpy(&fsid, mp->m_fixedfsid, sizeof(xfs_fsid_t));
+-
+-
+- for (i = 0; i < XFS_NUM_INJECT_ERROR; i++) {
+- if ((fsid == 0LL || xfs_etest_fsid[i] == fsid) &&
+- xfs_etest[i] != 0) {
+- cleared = 1;
+- xfs_warn(mp, "Clearing XFS error tag #%d",
+- xfs_etest[i]);
+- xfs_etest[i] = 0;
+- xfs_etest_fsid[i] = 0LL;
+- kmem_free(xfs_etest_fsname[i]);
+- xfs_etest_fsname[i] = NULL;
+- xfs_error_test_active--;
+- }
+- }
++ if (error_tag >= XFS_ERRTAG_MAX)
++ return -EINVAL;
+
+- if (loud || cleared)
+- xfs_warn(mp, "Cleared all XFS error tags for filesystem");
++ return xfs_errortag_set(mp, error_tag,
++ xfs_errortag_random_default[error_tag]);
++}
+
++int
++xfs_errortag_clearall(
++ struct xfs_mount *mp)
++{
++ memset(mp->m_errortag, 0, sizeof(unsigned int) * XFS_ERRTAG_MAX);
+ return 0;
+ }
+ #endif /* DEBUG */
+diff --git a/fs/xfs/xfs_error.h b/fs/xfs/xfs_error.h
+index 05f8666733a0..b4316d39e1ca 100644
+--- a/fs/xfs/xfs_error.h
++++ b/fs/xfs/xfs_error.h
+@@ -131,21 +131,24 @@ extern void xfs_verifier_error(struct xfs_buf *bp);
+ #define XFS_RANDOM_AG_RESV_CRITICAL 4
+
+ #ifdef DEBUG
+-extern int xfs_error_test_active;
+-extern int xfs_error_test(int, int *, char *, int, char *, unsigned long);
+-
+-#define XFS_NUM_INJECT_ERROR 10
++extern int xfs_errortag_init(struct xfs_mount *mp);
++extern void xfs_errortag_del(struct xfs_mount *mp);
++extern bool xfs_errortag_test(struct xfs_mount *mp, const char *expression,
++ const char *file, int line, unsigned int error_tag);
+ #define XFS_TEST_ERROR(expr, mp, tag, rf) \
+- ((expr) || (xfs_error_test_active && \
+- xfs_error_test((tag), (mp)->m_fixedfsid, "expr", __LINE__, __FILE__, \
+- (rf))))
++ ((expr) || xfs_errortag_test((mp), #expr, __FILE__, __LINE__, (tag)))
+
+-extern int xfs_errortag_add(unsigned int error_tag, struct xfs_mount *mp);
+-extern int xfs_errortag_clearall(struct xfs_mount *mp, int loud);
++extern int xfs_errortag_set(struct xfs_mount *mp, unsigned int error_tag,
++ unsigned int tag_value);
++extern int xfs_errortag_add(struct xfs_mount *mp, unsigned int error_tag);
++extern int xfs_errortag_clearall(struct xfs_mount *mp);
+ #else
++#define xfs_errortag_init(mp) (0)
++#define xfs_errortag_del(mp)
+ #define XFS_TEST_ERROR(expr, mp, tag, rf) (expr)
+-#define xfs_errortag_add(tag, mp) (ENOSYS)
+-#define xfs_errortag_clearall(mp, loud) (ENOSYS)
++#define xfs_errortag_set(mp, tag, val) (ENOSYS)
++#define xfs_errortag_add(mp, tag) (ENOSYS)
++#define xfs_errortag_clearall(mp) (ENOSYS)
+ #endif /* DEBUG */
+
+ /*
+diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
+index 8ffe4eac0b48..9c0c7a920304 100644
+--- a/fs/xfs/xfs_ioctl.c
++++ b/fs/xfs/xfs_ioctl.c
+@@ -2037,14 +2037,14 @@ xfs_file_ioctl(
+ if (copy_from_user(&in, arg, sizeof(in)))
+ return -EFAULT;
+
+- return xfs_errortag_add(in.errtag, mp);
++ return xfs_errortag_add(mp, in.errtag);
+ }
+
+ case XFS_IOC_ERROR_CLEARALL:
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
+- return xfs_errortag_clearall(mp, 1);
++ return xfs_errortag_clearall(mp);
+
+ case XFS_IOC_FREE_EOFBLOCKS: {
+ struct xfs_fs_eofblocks eofb;
+diff --git a/fs/xfs/xfs_mount.c b/fs/xfs/xfs_mount.c
+index cc6789d35232..1a98c35e1ccf 100644
+--- a/fs/xfs/xfs_mount.c
++++ b/fs/xfs/xfs_mount.c
+@@ -720,10 +720,13 @@ xfs_mountfs(
+ if (error)
+ goto out_del_stats;
+
++ error = xfs_errortag_init(mp);
++ if (error)
++ goto out_remove_error_sysfs;
+
+ error = xfs_uuid_mount(mp);
+ if (error)
+- goto out_remove_error_sysfs;
++ goto out_remove_errortag;
+
+ /*
+ * Set the minimum read and write sizes
+@@ -1042,6 +1045,8 @@ xfs_mountfs(
+ xfs_da_unmount(mp);
+ out_remove_uuid:
+ xfs_uuid_unmount(mp);
++ out_remove_errortag:
++ xfs_errortag_del(mp);
+ out_remove_error_sysfs:
+ xfs_error_sysfs_del(mp);
+ out_del_stats:
+@@ -1145,10 +1150,11 @@ xfs_unmountfs(
+ xfs_uuid_unmount(mp);
+
+ #if defined(DEBUG)
+- xfs_errortag_clearall(mp, 0);
++ xfs_errortag_clearall(mp);
+ #endif
+ xfs_free_perag(mp);
+
++ xfs_errortag_del(mp);
+ xfs_error_sysfs_del(mp);
+ xfs_sysfs_del(&mp->m_stats.xs_kobj);
+ xfs_sysfs_del(&mp->m_kobj);
+diff --git a/fs/xfs/xfs_mount.h b/fs/xfs/xfs_mount.h
+index 305d95394e2d..e002ac52a4e6 100644
+--- a/fs/xfs/xfs_mount.h
++++ b/fs/xfs/xfs_mount.h
+@@ -198,6 +198,13 @@ typedef struct xfs_mount {
+
+ bool m_fail_unmount;
+ #ifdef DEBUG
++ /*
++ * Frequency with which errors are injected. Replaces xfs_etest; the
++ * value stored in here is the inverse of the frequency with which the
++ * error triggers. 1 = always, 2 = half the time, etc.
++ */
++ unsigned int *m_errortag;
++
+ /*
+ * DEBUG mode instrumentation to test and/or trigger delayed allocation
+ * block killing in the event of failed writes. When enabled, all
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-move-error-injection-tags-into-their-own-file.patch b/patches.fixes/xfs-move-error-injection-tags-into-their-own-file.patch
new file mode 100644
index 0000000000..977d054990
--- /dev/null
+++ b/patches.fixes/xfs-move-error-injection-tags-into-their-own-file.patch
@@ -0,0 +1,425 @@
+From e9e899a2a8c3c23b3084b048466f417ed92286d3 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 31 Oct 2017 12:04:49 -0700
+Subject: [PATCH] xfs: move error injection tags into their own file
+Git-commit: e9e899a2a8c3c23b3084b048466f417ed92286d3
+Patch-mainline: v4.15-rc1
+References: bsc#1114427
+
+Move the error injection tag names into a libxfs header so that we can
+share it between kernel and userspace.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_ag_resv.c | 1 +
+ fs/xfs/libxfs/xfs_alloc.c | 1 +
+ fs/xfs/libxfs/xfs_bmap.c | 1 +
+ fs/xfs/libxfs/xfs_btree.c | 1 +
+ fs/xfs/libxfs/xfs_dir2.c | 1 +
+ fs/xfs/libxfs/xfs_errortag.h | 106 ++++++++++++++++++++++++++++++++++++++++++
+ fs/xfs/libxfs/xfs_ialloc.c | 1 +
+ fs/xfs/libxfs/xfs_inode_buf.c | 1 +
+ fs/xfs/libxfs/xfs_refcount.c | 1 +
+ fs/xfs/libxfs/xfs_rmap.c | 1 +
+ fs/xfs/xfs_buf.c | 1 +
+ fs/xfs/xfs_error.c | 1 +
+ fs/xfs/xfs_error.h | 83 ---------------------------------
+ fs/xfs/xfs_inode.c | 1 +
+ fs/xfs/xfs_iomap.c | 1 +
+ fs/xfs/xfs_log.c | 1 +
+ fs/xfs/xfs_trans_ail.c | 1 +
+ 17 files changed, 121 insertions(+), 83 deletions(-)
+ create mode 100644 fs/xfs/libxfs/xfs_errortag.h
+
+diff --git a/fs/xfs/libxfs/xfs_ag_resv.c b/fs/xfs/libxfs/xfs_ag_resv.c
+index df3e600835e8..2291f4224e24 100644
+--- a/fs/xfs/libxfs/xfs_ag_resv.c
++++ b/fs/xfs/libxfs/xfs_ag_resv.c
+@@ -27,6 +27,7 @@
+ #include "xfs_mount.h"
+ #include "xfs_defer.h"
+ #include "xfs_alloc.h"
++#include "xfs_errortag.h"
+ #include "xfs_error.h"
+ #include "xfs_trace.h"
+ #include "xfs_cksum.h"
+diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c
+index 11c01e2668bf..0da80019a917 100644
+--- a/fs/xfs/libxfs/xfs_alloc.c
++++ b/fs/xfs/libxfs/xfs_alloc.c
+@@ -31,6 +31,7 @@
+ #include "xfs_alloc_btree.h"
+ #include "xfs_alloc.h"
+ #include "xfs_extent_busy.h"
++#include "xfs_errortag.h"
+ #include "xfs_error.h"
+ #include "xfs_cksum.h"
+ #include "xfs_trace.h"
+diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
+index f45f05c45e15..ebb5958f1c5c 100644
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -38,6 +38,7 @@
+ #include "xfs_bmap_util.h"
+ #include "xfs_bmap_btree.h"
+ #include "xfs_rtalloc.h"
++#include "xfs_errortag.h"
+ #include "xfs_error.h"
+ #include "xfs_quota.h"
+ #include "xfs_trans_space.h"
+diff --git a/fs/xfs/libxfs/xfs_btree.c b/fs/xfs/libxfs/xfs_btree.c
+index 848f3713d73c..994fc1c8c7c6 100644
+--- a/fs/xfs/libxfs/xfs_btree.c
++++ b/fs/xfs/libxfs/xfs_btree.c
+@@ -29,6 +29,7 @@
+ #include "xfs_inode_item.h"
+ #include "xfs_buf_item.h"
+ #include "xfs_btree.h"
++#include "xfs_errortag.h"
+ #include "xfs_error.h"
+ #include "xfs_trace.h"
+ #include "xfs_cksum.h"
+diff --git a/fs/xfs/libxfs/xfs_dir2.c b/fs/xfs/libxfs/xfs_dir2.c
+index 41ea6d40bbeb..e10778c102ea 100644
+--- a/fs/xfs/libxfs/xfs_dir2.c
++++ b/fs/xfs/libxfs/xfs_dir2.c
+@@ -31,6 +31,7 @@
+ #include "xfs_dir2.h"
+ #include "xfs_dir2_priv.h"
+ #include "xfs_ialloc.h"
++#include "xfs_errortag.h"
+ #include "xfs_error.h"
+ #include "xfs_trace.h"
+
+diff --git a/fs/xfs/libxfs/xfs_errortag.h b/fs/xfs/libxfs/xfs_errortag.h
+new file mode 100644
+index 000000000000..bc1789d95152
+--- /dev/null
++++ b/fs/xfs/libxfs/xfs_errortag.h
+@@ -0,0 +1,106 @@
++/*
++ * Copyright (c) 2000-2002,2005 Silicon Graphics, Inc.
++ * Copyright (C) 2017 Oracle.
++ * All Rights Reserved.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version 2
++ * of the License, or (at your option) any later version.
++ *
++ * This program is distributed in the hope that it would be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
++ */
++#ifndef __XFS_ERRORTAG_H_
++#define __XFS_ERRORTAG_H_
++
++/*
++ * error injection tags - the labels can be anything you want
++ * but each tag should have its own unique number
++ */
++
++#define XFS_ERRTAG_NOERROR 0
++#define XFS_ERRTAG_IFLUSH_1 1
++#define XFS_ERRTAG_IFLUSH_2 2
++#define XFS_ERRTAG_IFLUSH_3 3
++#define XFS_ERRTAG_IFLUSH_4 4
++#define XFS_ERRTAG_IFLUSH_5 5
++#define XFS_ERRTAG_IFLUSH_6 6
++#define XFS_ERRTAG_DA_READ_BUF 7
++#define XFS_ERRTAG_BTREE_CHECK_LBLOCK 8
++#define XFS_ERRTAG_BTREE_CHECK_SBLOCK 9
++#define XFS_ERRTAG_ALLOC_READ_AGF 10
++#define XFS_ERRTAG_IALLOC_READ_AGI 11
++#define XFS_ERRTAG_ITOBP_INOTOBP 12
++#define XFS_ERRTAG_IUNLINK 13
++#define XFS_ERRTAG_IUNLINK_REMOVE 14
++#define XFS_ERRTAG_DIR_INO_VALIDATE 15
++#define XFS_ERRTAG_BULKSTAT_READ_CHUNK 16
++#define XFS_ERRTAG_IODONE_IOERR 17
++#define XFS_ERRTAG_STRATREAD_IOERR 18
++#define XFS_ERRTAG_STRATCMPL_IOERR 19
++#define XFS_ERRTAG_DIOWRITE_IOERR 20
++#define XFS_ERRTAG_BMAPIFORMAT 21
++#define XFS_ERRTAG_FREE_EXTENT 22
++#define XFS_ERRTAG_RMAP_FINISH_ONE 23
++#define XFS_ERRTAG_REFCOUNT_CONTINUE_UPDATE 24
++#define XFS_ERRTAG_REFCOUNT_FINISH_ONE 25
++#define XFS_ERRTAG_BMAP_FINISH_ONE 26
++#define XFS_ERRTAG_AG_RESV_CRITICAL 27
++/*
++ * DEBUG mode instrumentation to test and/or trigger delayed allocation
++ * block killing in the event of failed writes. When enabled, all
++ * buffered writes are silenty dropped and handled as if they failed.
++ * All delalloc blocks in the range of the write (including pre-existing
++ * delalloc blocks!) are tossed as part of the write failure error
++ * handling sequence.
++ */
++#define XFS_ERRTAG_DROP_WRITES 28
++#define XFS_ERRTAG_LOG_BAD_CRC 29
++#define XFS_ERRTAG_LOG_ITEM_PIN 30
++#define XFS_ERRTAG_BUF_LRU_REF 31
++#define XFS_ERRTAG_MAX 32
++
++/*
++ * Random factors for above tags, 1 means always, 2 means 1/2 time, etc.
++ */
++#define XFS_RANDOM_DEFAULT 100
++#define XFS_RANDOM_IFLUSH_1 XFS_RANDOM_DEFAULT
++#define XFS_RANDOM_IFLUSH_2 XFS_RANDOM_DEFAULT
++#define XFS_RANDOM_IFLUSH_3 XFS_RANDOM_DEFAULT
++#define XFS_RANDOM_IFLUSH_4 XFS_RANDOM_DEFAULT
++#define XFS_RANDOM_IFLUSH_5 XFS_RANDOM_DEFAULT
++#define XFS_RANDOM_IFLUSH_6 XFS_RANDOM_DEFAULT
++#define XFS_RANDOM_DA_READ_BUF XFS_RANDOM_DEFAULT
++#define XFS_RANDOM_BTREE_CHECK_LBLOCK (XFS_RANDOM_DEFAULT/4)
++#define XFS_RANDOM_BTREE_CHECK_SBLOCK XFS_RANDOM_DEFAULT
++#define XFS_RANDOM_ALLOC_READ_AGF XFS_RANDOM_DEFAULT
++#define XFS_RANDOM_IALLOC_READ_AGI XFS_RANDOM_DEFAULT
++#define XFS_RANDOM_ITOBP_INOTOBP XFS_RANDOM_DEFAULT
++#define XFS_RANDOM_IUNLINK XFS_RANDOM_DEFAULT
++#define XFS_RANDOM_IUNLINK_REMOVE XFS_RANDOM_DEFAULT
++#define XFS_RANDOM_DIR_INO_VALIDATE XFS_RANDOM_DEFAULT
++#define XFS_RANDOM_BULKSTAT_READ_CHUNK XFS_RANDOM_DEFAULT
++#define XFS_RANDOM_IODONE_IOERR (XFS_RANDOM_DEFAULT/10)
++#define XFS_RANDOM_STRATREAD_IOERR (XFS_RANDOM_DEFAULT/10)
++#define XFS_RANDOM_STRATCMPL_IOERR (XFS_RANDOM_DEFAULT/10)
++#define XFS_RANDOM_DIOWRITE_IOERR (XFS_RANDOM_DEFAULT/10)
++#define XFS_RANDOM_BMAPIFORMAT XFS_RANDOM_DEFAULT
++#define XFS_RANDOM_FREE_EXTENT 1
++#define XFS_RANDOM_RMAP_FINISH_ONE 1
++#define XFS_RANDOM_REFCOUNT_CONTINUE_UPDATE 1
++#define XFS_RANDOM_REFCOUNT_FINISH_ONE 1
++#define XFS_RANDOM_BMAP_FINISH_ONE 1
++#define XFS_RANDOM_AG_RESV_CRITICAL 4
++#define XFS_RANDOM_DROP_WRITES 1
++#define XFS_RANDOM_LOG_BAD_CRC 1
++#define XFS_RANDOM_LOG_ITEM_PIN 1
++#define XFS_RANDOM_BUF_LRU_REF 2
++
++#endif /* __XFS_ERRORTAG_H_ */
+diff --git a/fs/xfs/libxfs/xfs_ialloc.c b/fs/xfs/libxfs/xfs_ialloc.c
+index e11f8af8a725..de3f04a98656 100644
+--- a/fs/xfs/libxfs/xfs_ialloc.c
++++ b/fs/xfs/libxfs/xfs_ialloc.c
+@@ -31,6 +31,7 @@
+ #include "xfs_ialloc_btree.h"
+ #include "xfs_alloc.h"
+ #include "xfs_rtalloc.h"
++#include "xfs_errortag.h"
+ #include "xfs_error.h"
+ #include "xfs_bmap.h"
+ #include "xfs_cksum.h"
+diff --git a/fs/xfs/libxfs/xfs_inode_buf.c b/fs/xfs/libxfs/xfs_inode_buf.c
+index 378f8fbc91a7..6b7989038d75 100644
+--- a/fs/xfs/libxfs/xfs_inode_buf.c
++++ b/fs/xfs/libxfs/xfs_inode_buf.c
+@@ -24,6 +24,7 @@
+ #include "xfs_mount.h"
+ #include "xfs_defer.h"
+ #include "xfs_inode.h"
++#include "xfs_errortag.h"
+ #include "xfs_error.h"
+ #include "xfs_cksum.h"
+ #include "xfs_icache.h"
+diff --git a/fs/xfs/libxfs/xfs_refcount.c b/fs/xfs/libxfs/xfs_refcount.c
+index 9d5406b4f663..585b35d34142 100644
+--- a/fs/xfs/libxfs/xfs_refcount.c
++++ b/fs/xfs/libxfs/xfs_refcount.c
+@@ -30,6 +30,7 @@
+ #include "xfs_bmap.h"
+ #include "xfs_refcount_btree.h"
+ #include "xfs_alloc.h"
++#include "xfs_errortag.h"
+ #include "xfs_error.h"
+ #include "xfs_trace.h"
+ #include "xfs_cksum.h"
+diff --git a/fs/xfs/libxfs/xfs_rmap.c b/fs/xfs/libxfs/xfs_rmap.c
+index 55c88a732690..dd019cee1b3b 100644
+--- a/fs/xfs/libxfs/xfs_rmap.c
++++ b/fs/xfs/libxfs/xfs_rmap.c
+@@ -34,6 +34,7 @@
+ #include "xfs_rmap_btree.h"
+ #include "xfs_trans_space.h"
+ #include "xfs_trace.h"
++#include "xfs_errortag.h"
+ #include "xfs_error.h"
+ #include "xfs_extent_busy.h"
+ #include "xfs_bmap.h"
+diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
+index db786bce7c03..4db6e8d780f6 100644
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -42,6 +42,7 @@
+ #include "xfs_mount.h"
+ #include "xfs_trace.h"
+ #include "xfs_log.h"
++#include "xfs_errortag.h"
+ #include "xfs_error.h"
+
+ static kmem_zone_t *xfs_buf_zone;
+diff --git a/fs/xfs/xfs_error.c b/fs/xfs/xfs_error.c
+index 6732b0a0d826..92396d5eb259 100644
+--- a/fs/xfs/xfs_error.c
++++ b/fs/xfs/xfs_error.c
+@@ -21,6 +21,7 @@
+ #include "xfs_log_format.h"
+ #include "xfs_trans_resv.h"
+ #include "xfs_mount.h"
++#include "xfs_errortag.h"
+ #include "xfs_error.h"
+ #include "xfs_sysfs.h"
+
+diff --git a/fs/xfs/xfs_error.h b/fs/xfs/xfs_error.h
+index 78a7f43f8d01..ea816c1bf8db 100644
+--- a/fs/xfs/xfs_error.h
++++ b/fs/xfs/xfs_error.h
+@@ -63,89 +63,6 @@ extern void xfs_verifier_error(struct xfs_buf *bp);
+ } \
+ }
+
+-/*
+- * error injection tags - the labels can be anything you want
+- * but each tag should have its own unique number
+- */
+-
+-#define XFS_ERRTAG_NOERROR 0
+-#define XFS_ERRTAG_IFLUSH_1 1
+-#define XFS_ERRTAG_IFLUSH_2 2
+-#define XFS_ERRTAG_IFLUSH_3 3
+-#define XFS_ERRTAG_IFLUSH_4 4
+-#define XFS_ERRTAG_IFLUSH_5 5
+-#define XFS_ERRTAG_IFLUSH_6 6
+-#define XFS_ERRTAG_DA_READ_BUF 7
+-#define XFS_ERRTAG_BTREE_CHECK_LBLOCK 8
+-#define XFS_ERRTAG_BTREE_CHECK_SBLOCK 9
+-#define XFS_ERRTAG_ALLOC_READ_AGF 10
+-#define XFS_ERRTAG_IALLOC_READ_AGI 11
+-#define XFS_ERRTAG_ITOBP_INOTOBP 12
+-#define XFS_ERRTAG_IUNLINK 13
+-#define XFS_ERRTAG_IUNLINK_REMOVE 14
+-#define XFS_ERRTAG_DIR_INO_VALIDATE 15
+-#define XFS_ERRTAG_BULKSTAT_READ_CHUNK 16
+-#define XFS_ERRTAG_IODONE_IOERR 17
+-#define XFS_ERRTAG_STRATREAD_IOERR 18
+-#define XFS_ERRTAG_STRATCMPL_IOERR 19
+-#define XFS_ERRTAG_DIOWRITE_IOERR 20
+-#define XFS_ERRTAG_BMAPIFORMAT 21
+-#define XFS_ERRTAG_FREE_EXTENT 22
+-#define XFS_ERRTAG_RMAP_FINISH_ONE 23
+-#define XFS_ERRTAG_REFCOUNT_CONTINUE_UPDATE 24
+-#define XFS_ERRTAG_REFCOUNT_FINISH_ONE 25
+-#define XFS_ERRTAG_BMAP_FINISH_ONE 26
+-#define XFS_ERRTAG_AG_RESV_CRITICAL 27
+-/*
+- * DEBUG mode instrumentation to test and/or trigger delayed allocation
+- * block killing in the event of failed writes. When enabled, all
+- * buffered writes are silenty dropped and handled as if they failed.
+- * All delalloc blocks in the range of the write (including pre-existing
+- * delalloc blocks!) are tossed as part of the write failure error
+- * handling sequence.
+- */
+-#define XFS_ERRTAG_DROP_WRITES 28
+-#define XFS_ERRTAG_LOG_BAD_CRC 29
+-#define XFS_ERRTAG_LOG_ITEM_PIN 30
+-#define XFS_ERRTAG_BUF_LRU_REF 31
+-#define XFS_ERRTAG_MAX 32
+-
+-/*
+- * Random factors for above tags, 1 means always, 2 means 1/2 time, etc.
+- */
+-#define XFS_RANDOM_DEFAULT 100
+-#define XFS_RANDOM_IFLUSH_1 XFS_RANDOM_DEFAULT
+-#define XFS_RANDOM_IFLUSH_2 XFS_RANDOM_DEFAULT
+-#define XFS_RANDOM_IFLUSH_3 XFS_RANDOM_DEFAULT
+-#define XFS_RANDOM_IFLUSH_4 XFS_RANDOM_DEFAULT
+-#define XFS_RANDOM_IFLUSH_5 XFS_RANDOM_DEFAULT
+-#define XFS_RANDOM_IFLUSH_6 XFS_RANDOM_DEFAULT
+-#define XFS_RANDOM_DA_READ_BUF XFS_RANDOM_DEFAULT
+-#define XFS_RANDOM_BTREE_CHECK_LBLOCK (XFS_RANDOM_DEFAULT/4)
+-#define XFS_RANDOM_BTREE_CHECK_SBLOCK XFS_RANDOM_DEFAULT
+-#define XFS_RANDOM_ALLOC_READ_AGF XFS_RANDOM_DEFAULT
+-#define XFS_RANDOM_IALLOC_READ_AGI XFS_RANDOM_DEFAULT
+-#define XFS_RANDOM_ITOBP_INOTOBP XFS_RANDOM_DEFAULT
+-#define XFS_RANDOM_IUNLINK XFS_RANDOM_DEFAULT
+-#define XFS_RANDOM_IUNLINK_REMOVE XFS_RANDOM_DEFAULT
+-#define XFS_RANDOM_DIR_INO_VALIDATE XFS_RANDOM_DEFAULT
+-#define XFS_RANDOM_BULKSTAT_READ_CHUNK XFS_RANDOM_DEFAULT
+-#define XFS_RANDOM_IODONE_IOERR (XFS_RANDOM_DEFAULT/10)
+-#define XFS_RANDOM_STRATREAD_IOERR (XFS_RANDOM_DEFAULT/10)
+-#define XFS_RANDOM_STRATCMPL_IOERR (XFS_RANDOM_DEFAULT/10)
+-#define XFS_RANDOM_DIOWRITE_IOERR (XFS_RANDOM_DEFAULT/10)
+-#define XFS_RANDOM_BMAPIFORMAT XFS_RANDOM_DEFAULT
+-#define XFS_RANDOM_FREE_EXTENT 1
+-#define XFS_RANDOM_RMAP_FINISH_ONE 1
+-#define XFS_RANDOM_REFCOUNT_CONTINUE_UPDATE 1
+-#define XFS_RANDOM_REFCOUNT_FINISH_ONE 1
+-#define XFS_RANDOM_BMAP_FINISH_ONE 1
+-#define XFS_RANDOM_AG_RESV_CRITICAL 4
+-#define XFS_RANDOM_DROP_WRITES 1
+-#define XFS_RANDOM_LOG_BAD_CRC 1
+-#define XFS_RANDOM_LOG_ITEM_PIN 1
+-#define XFS_RANDOM_BUF_LRU_REF 2
+-
+ #ifdef DEBUG
+ extern int xfs_errortag_init(struct xfs_mount *mp);
+ extern void xfs_errortag_del(struct xfs_mount *mp);
+diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c
+index a929ca72fa8e..02497828e993 100644
+--- a/fs/xfs/xfs_inode.c
++++ b/fs/xfs/xfs_inode.c
+@@ -39,6 +39,7 @@
+ #include "xfs_ialloc.h"
+ #include "xfs_bmap.h"
+ #include "xfs_bmap_util.h"
++#include "xfs_errortag.h"
+ #include "xfs_error.h"
+ #include "xfs_quota.h"
+ #include "xfs_filestream.h"
+diff --git a/fs/xfs/xfs_iomap.c b/fs/xfs/xfs_iomap.c
+index f179bdf1644d..da0abc8a0725 100644
+--- a/fs/xfs/xfs_iomap.c
++++ b/fs/xfs/xfs_iomap.c
+@@ -30,6 +30,7 @@
+ #include "xfs_bmap_btree.h"
+ #include "xfs_bmap.h"
+ #include "xfs_bmap_util.h"
++#include "xfs_errortag.h"
+ #include "xfs_error.h"
+ #include "xfs_trans.h"
+ #include "xfs_trans_space.h"
+diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c
+index 0c4c9ad3be70..3ce44e6d6639 100644
+--- a/fs/xfs/xfs_log.c
++++ b/fs/xfs/xfs_log.c
+@@ -22,6 +22,7 @@
+ #include "xfs_log_format.h"
+ #include "xfs_trans_resv.h"
+ #include "xfs_mount.h"
++#include "xfs_errortag.h"
+ #include "xfs_error.h"
+ #include "xfs_trans.h"
+ #include "xfs_trans_priv.h"
+diff --git a/fs/xfs/xfs_trans_ail.c b/fs/xfs/xfs_trans_ail.c
+index 4b1669f9d2b2..cef89f7127d3 100644
+--- a/fs/xfs/xfs_trans_ail.c
++++ b/fs/xfs/xfs_trans_ail.c
+@@ -25,6 +25,7 @@
+ #include "xfs_trans.h"
+ #include "xfs_trans_priv.h"
+ #include "xfs_trace.h"
++#include "xfs_errortag.h"
+ #include "xfs_error.h"
+ #include "xfs_log.h"
+
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-refactor-btree-block-header-checking-functions.patch b/patches.fixes/xfs-refactor-btree-block-header-checking-functions.patch
new file mode 100644
index 0000000000..0091045f8a
--- /dev/null
+++ b/patches.fixes/xfs-refactor-btree-block-header-checking-functions.patch
@@ -0,0 +1,279 @@
+From 52c732eee78b47ac2eb828b1c7fa611cd37b0090 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 17 Oct 2017 21:37:33 -0700
+Subject: [PATCH] xfs: refactor btree block header checking functions
+Git-commit: 52c732eee78b47ac2eb828b1c7fa611cd37b0090
+Patch-mainline: v4.15-rc1
+References: bsc#1123663
+
+Refactor the btree block header checks to have an internal function that
+returns the address of the failing check without logging errors. The
+scrubber will call the internal function, while the external version
+will maintain the current logging behavior.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_btree.c | 168 +++++++++++++++++++++++++++-------------------
+ fs/xfs/libxfs/xfs_btree.h | 8 +++
+ fs/xfs/libxfs/xfs_types.h | 6 ++
+ fs/xfs/xfs_linux.h | 7 ++
+ 4 files changed, 121 insertions(+), 68 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_btree.c b/fs/xfs/libxfs/xfs_btree.c
+index ae19f242c237..8bb20e1cf57b 100644
+--- a/fs/xfs/libxfs/xfs_btree.c
++++ b/fs/xfs/libxfs/xfs_btree.c
+@@ -63,44 +63,63 @@ xfs_btree_magic(
+ return magic;
+ }
+
+-STATIC int /* error (0 or EFSCORRUPTED) */
+-xfs_btree_check_lblock(
+- struct xfs_btree_cur *cur, /* btree cursor */
+- struct xfs_btree_block *block, /* btree long form block pointer */
+- int level, /* level of the btree block */
+- struct xfs_buf *bp) /* buffer for block, if any */
++/*
++ * Check a long btree block header. Return the address of the failing check,
++ * or NULL if everything is ok.
++ */
++xfs_failaddr_t
++__xfs_btree_check_lblock(
++ struct xfs_btree_cur *cur,
++ struct xfs_btree_block *block,
++ int level,
++ struct xfs_buf *bp)
+ {
+- int lblock_ok = 1; /* block passes checks */
+- struct xfs_mount *mp; /* file system mount point */
++ struct xfs_mount *mp = cur->bc_mp;
+ xfs_btnum_t btnum = cur->bc_btnum;
+- int crc;
+-
+- mp = cur->bc_mp;
+- crc = xfs_sb_version_hascrc(&mp->m_sb);
++ int crc = xfs_sb_version_hascrc(&mp->m_sb);
+
+ if (crc) {
+- lblock_ok = lblock_ok &&
+- uuid_equal(&block->bb_u.l.bb_uuid,
+- &mp->m_sb.sb_meta_uuid) &&
+- block->bb_u.l.bb_blkno == cpu_to_be64(
+- bp ? bp->b_bn : XFS_BUF_DADDR_NULL);
++ if (!uuid_equal(&block->bb_u.l.bb_uuid, &mp->m_sb.sb_meta_uuid))
++ return __this_address;
++ if (block->bb_u.l.bb_blkno !=
++ cpu_to_be64(bp ? bp->b_bn : XFS_BUF_DADDR_NULL))
++ return __this_address;
++ if (block->bb_u.l.bb_pad != cpu_to_be32(0))
++ return __this_address;
+ }
+
+- lblock_ok = lblock_ok &&
+- be32_to_cpu(block->bb_magic) == xfs_btree_magic(crc, btnum) &&
+- be16_to_cpu(block->bb_level) == level &&
+- be16_to_cpu(block->bb_numrecs) <=
+- cur->bc_ops->get_maxrecs(cur, level) &&
+- block->bb_u.l.bb_leftsib &&
+- (block->bb_u.l.bb_leftsib == cpu_to_be64(NULLFSBLOCK) ||
+- XFS_FSB_SANITY_CHECK(mp,
+- be64_to_cpu(block->bb_u.l.bb_leftsib))) &&
+- block->bb_u.l.bb_rightsib &&
+- (block->bb_u.l.bb_rightsib == cpu_to_be64(NULLFSBLOCK) ||
+- XFS_FSB_SANITY_CHECK(mp,
+- be64_to_cpu(block->bb_u.l.bb_rightsib)));
+-
+- if (unlikely(XFS_TEST_ERROR(!lblock_ok, mp,
++ if (be32_to_cpu(block->bb_magic) != xfs_btree_magic(crc, btnum))
++ return __this_address;
++ if (be16_to_cpu(block->bb_level) != level)
++ return __this_address;
++ if (be16_to_cpu(block->bb_numrecs) >
++ cur->bc_ops->get_maxrecs(cur, level))
++ return __this_address;
++ if (block->bb_u.l.bb_leftsib != cpu_to_be64(NULLFSBLOCK) &&
++ !xfs_btree_check_lptr(cur, be64_to_cpu(block->bb_u.l.bb_leftsib),
++ level + 1))
++ return __this_address;
++ if (block->bb_u.l.bb_rightsib != cpu_to_be64(NULLFSBLOCK) &&
++ !xfs_btree_check_lptr(cur, be64_to_cpu(block->bb_u.l.bb_rightsib),
++ level + 1))
++ return __this_address;
++
++ return NULL;
++}
++
++/* Check a long btree block header. */
++int
++xfs_btree_check_lblock(
++ struct xfs_btree_cur *cur,
++ struct xfs_btree_block *block,
++ int level,
++ struct xfs_buf *bp)
++{
++ struct xfs_mount *mp = cur->bc_mp;
++ xfs_failaddr_t fa;
++
++ fa = __xfs_btree_check_lblock(cur, block, level, bp);
++ if (unlikely(XFS_TEST_ERROR(fa != NULL, mp,
+ XFS_ERRTAG_BTREE_CHECK_LBLOCK))) {
+ if (bp)
+ trace_xfs_btree_corrupt(bp, _RET_IP_);
+@@ -110,48 +129,61 @@ xfs_btree_check_lblock(
+ return 0;
+ }
+
+-STATIC int /* error (0 or EFSCORRUPTED) */
+-xfs_btree_check_sblock(
+- struct xfs_btree_cur *cur, /* btree cursor */
+- struct xfs_btree_block *block, /* btree short form block pointer */
+- int level, /* level of the btree block */
+- struct xfs_buf *bp) /* buffer containing block */
++/*
++ * Check a short btree block header. Return the address of the failing check,
++ * or NULL if everything is ok.
++ */
++xfs_failaddr_t
++__xfs_btree_check_sblock(
++ struct xfs_btree_cur *cur,
++ struct xfs_btree_block *block,
++ int level,
++ struct xfs_buf *bp)
+ {
+- struct xfs_mount *mp; /* file system mount point */
+- struct xfs_buf *agbp; /* buffer for ag. freespace struct */
+- struct xfs_agf *agf; /* ag. freespace structure */
+- xfs_agblock_t agflen; /* native ag. freespace length */
+- int sblock_ok = 1; /* block passes checks */
++ struct xfs_mount *mp = cur->bc_mp;
+ xfs_btnum_t btnum = cur->bc_btnum;
+- int crc;
+-
+- mp = cur->bc_mp;
+- crc = xfs_sb_version_hascrc(&mp->m_sb);
+- agbp = cur->bc_private.a.agbp;
+- agf = XFS_BUF_TO_AGF(agbp);
+- agflen = be32_to_cpu(agf->agf_length);
++ int crc = xfs_sb_version_hascrc(&mp->m_sb);
+
+ if (crc) {
+- sblock_ok = sblock_ok &&
+- uuid_equal(&block->bb_u.s.bb_uuid,
+- &mp->m_sb.sb_meta_uuid) &&
+- block->bb_u.s.bb_blkno == cpu_to_be64(
+- bp ? bp->b_bn : XFS_BUF_DADDR_NULL);
++ if (!uuid_equal(&block->bb_u.s.bb_uuid, &mp->m_sb.sb_meta_uuid))
++ return __this_address;
++ if (block->bb_u.s.bb_blkno !=
++ cpu_to_be64(bp ? bp->b_bn : XFS_BUF_DADDR_NULL))
++ return __this_address;
+ }
+
+- sblock_ok = sblock_ok &&
+- be32_to_cpu(block->bb_magic) == xfs_btree_magic(crc, btnum) &&
+- be16_to_cpu(block->bb_level) == level &&
+- be16_to_cpu(block->bb_numrecs) <=
+- cur->bc_ops->get_maxrecs(cur, level) &&
+- (block->bb_u.s.bb_leftsib == cpu_to_be32(NULLAGBLOCK) ||
+- be32_to_cpu(block->bb_u.s.bb_leftsib) < agflen) &&
+- block->bb_u.s.bb_leftsib &&
+- (block->bb_u.s.bb_rightsib == cpu_to_be32(NULLAGBLOCK) ||
+- be32_to_cpu(block->bb_u.s.bb_rightsib) < agflen) &&
+- block->bb_u.s.bb_rightsib;
+-
+- if (unlikely(XFS_TEST_ERROR(!sblock_ok, mp,
++ if (be32_to_cpu(block->bb_magic) != xfs_btree_magic(crc, btnum))
++ return __this_address;
++ if (be16_to_cpu(block->bb_level) != level)
++ return __this_address;
++ if (be16_to_cpu(block->bb_numrecs) >
++ cur->bc_ops->get_maxrecs(cur, level))
++ return __this_address;
++ if (block->bb_u.s.bb_leftsib != cpu_to_be32(NULLAGBLOCK) &&
++ !xfs_btree_check_sptr(cur, be32_to_cpu(block->bb_u.s.bb_leftsib),
++ level + 1))
++ return __this_address;
++ if (block->bb_u.s.bb_rightsib != cpu_to_be32(NULLAGBLOCK) &&
++ !xfs_btree_check_sptr(cur, be32_to_cpu(block->bb_u.s.bb_rightsib),
++ level + 1))
++ return __this_address;
++
++ return NULL;
++}
++
++/* Check a short btree block header. */
++STATIC int
++xfs_btree_check_sblock(
++ struct xfs_btree_cur *cur,
++ struct xfs_btree_block *block,
++ int level,
++ struct xfs_buf *bp)
++{
++ struct xfs_mount *mp = cur->bc_mp;
++ xfs_failaddr_t fa;
++
++ fa = __xfs_btree_check_sblock(cur, block, level, bp);
++ if (unlikely(XFS_TEST_ERROR(fa != NULL, mp,
+ XFS_ERRTAG_BTREE_CHECK_SBLOCK))) {
+ if (bp)
+ trace_xfs_btree_corrupt(bp, _RET_IP_);
+diff --git a/fs/xfs/libxfs/xfs_btree.h b/fs/xfs/libxfs/xfs_btree.h
+index 8f52eda8eb82..3f8001de2493 100644
+--- a/fs/xfs/libxfs/xfs_btree.h
++++ b/fs/xfs/libxfs/xfs_btree.h
+@@ -255,6 +255,14 @@ typedef struct xfs_btree_cur
+ */
+ #define XFS_BUF_TO_BLOCK(bp) ((struct xfs_btree_block *)((bp)->b_addr))
+
++/*
++ * Internal long and short btree block checks. They return NULL if the
++ * block is ok or the address of the failed check otherwise.
++ */
++xfs_failaddr_t __xfs_btree_check_lblock(struct xfs_btree_cur *cur,
++ struct xfs_btree_block *block, int level, struct xfs_buf *bp);
++xfs_failaddr_t __xfs_btree_check_sblock(struct xfs_btree_cur *cur,
++ struct xfs_btree_block *block, int level, struct xfs_buf *bp);
+
+ /*
+ * Check that block header is ok.
+diff --git a/fs/xfs/libxfs/xfs_types.h b/fs/xfs/libxfs/xfs_types.h
+index 0220159bd463..f04dbfb2f50d 100644
+--- a/fs/xfs/libxfs/xfs_types.h
++++ b/fs/xfs/libxfs/xfs_types.h
+@@ -47,6 +47,12 @@ typedef uint64_t xfs_filblks_t; /* number of blocks in a file */
+ typedef int64_t xfs_srtblock_t; /* signed version of xfs_rtblock_t */
+ typedef int64_t xfs_sfiloff_t; /* signed block number in a file */
+
++/*
++ * New verifiers will return the instruction address of the failing check.
++ * NULL means everything is ok.
++ */
++typedef void * xfs_failaddr_t;
++
+ /*
+ * Null values for the types.
+ */
+diff --git a/fs/xfs/xfs_linux.h b/fs/xfs/xfs_linux.h
+index dcd1292664b3..00a5efeec496 100644
+--- a/fs/xfs/xfs_linux.h
++++ b/fs/xfs/xfs_linux.h
+@@ -142,6 +142,13 @@ typedef __u32 xfs_nlink_t;
+ #define SYNCHRONIZE() barrier()
+ #define __return_address __builtin_return_address(0)
+
++/*
++ * Return the address of a label. Use barrier() so that the optimizer
++ * won't reorder code to refactor the error jumpouts into a single
++ * return, which throws off the reported address.
++ */
++#define __this_address ({ __label__ __here; __here: barrier(); &&__here; })
++
+ #define XFS_PROJID_DEFAULT 0
+
+ #define MIN(a,b) (min(a,b))
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-refactor-btree-pointer-checks.patch b/patches.fixes/xfs-refactor-btree-pointer-checks.patch
new file mode 100644
index 0000000000..ceae8b7a6a
--- /dev/null
+++ b/patches.fixes/xfs-refactor-btree-pointer-checks.patch
@@ -0,0 +1,162 @@
+From f135761a73b18877bdfb44018fe993172c7be203 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 17 Oct 2017 21:37:33 -0700
+Subject: [PATCH] xfs: refactor btree pointer checks
+Git-commit: f135761a73b18877bdfb44018fe993172c7be203
+Patch-mainline: v4.15-rc1
+References: bsc#1123663
+
+Refactor the btree pointer checks so that we can call them from the
+scrub code without logging errors to dmesg. Preserve the existing error
+reporting for regular operations.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_bmap.c | 4 +--
+ fs/xfs/libxfs/xfs_btree.c | 70 ++++++++++++++++++++++-------------------------
+ fs/xfs/libxfs/xfs_btree.h | 13 +++++++--
+ 3 files changed, 45 insertions(+), 42 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
+index dd6672b81c26..7eac21a310bf 100644
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -646,8 +646,8 @@ xfs_bmap_btree_to_extents(
+ cbno = be64_to_cpu(*pp);
+ *logflagsp = 0;
+ #ifdef DEBUG
+- if ((error = xfs_btree_check_lptr(cur, cbno, 1)))
+- return error;
++ XFS_WANT_CORRUPTED_RETURN(cur->bc_mp,
++ xfs_btree_check_lptr(cur, cbno, 1));
+ #endif
+ error = xfs_btree_read_bufl(mp, tp, cbno, 0, &cbp, XFS_BMAP_BTREE_REF,
+ &xfs_bmbt_buf_ops);
+diff --git a/fs/xfs/libxfs/xfs_btree.c b/fs/xfs/libxfs/xfs_btree.c
+index 5bfb88261c7e..ae19f242c237 100644
+--- a/fs/xfs/libxfs/xfs_btree.c
++++ b/fs/xfs/libxfs/xfs_btree.c
+@@ -177,59 +177,53 @@ xfs_btree_check_block(
+ return xfs_btree_check_sblock(cur, block, level, bp);
+ }
+
+-/*
+- * Check that (long) pointer is ok.
+- */
+-int /* error (0 or EFSCORRUPTED) */
++/* Check that this long pointer is valid and points within the fs. */
++bool
+ xfs_btree_check_lptr(
+- struct xfs_btree_cur *cur, /* btree cursor */
+- xfs_fsblock_t bno, /* btree block disk address */
+- int level) /* btree block level */
++ struct xfs_btree_cur *cur,
++ xfs_fsblock_t fsbno,
++ int level)
+ {
+- XFS_WANT_CORRUPTED_RETURN(cur->bc_mp,
+- level > 0 &&
+- bno != NULLFSBLOCK &&
+- XFS_FSB_SANITY_CHECK(cur->bc_mp, bno));
+- return 0;
++ if (level <= 0)
++ return false;
++ return xfs_verify_fsbno(cur->bc_mp, fsbno);
+ }
+
+-#ifdef DEBUG
+-/*
+- * Check that (short) pointer is ok.
+- */
+-STATIC int /* error (0 or EFSCORRUPTED) */
++/* Check that this short pointer is valid and points within the AG. */
++bool
+ xfs_btree_check_sptr(
+- struct xfs_btree_cur *cur, /* btree cursor */
+- xfs_agblock_t bno, /* btree block disk address */
+- int level) /* btree block level */
++ struct xfs_btree_cur *cur,
++ xfs_agblock_t agbno,
++ int level)
+ {
+- xfs_agblock_t agblocks = cur->bc_mp->m_sb.sb_agblocks;
+-
+- XFS_WANT_CORRUPTED_RETURN(cur->bc_mp,
+- level > 0 &&
+- bno != NULLAGBLOCK &&
+- bno != 0 &&
+- bno < agblocks);
+- return 0;
++ if (level <= 0)
++ return false;
++ return xfs_verify_agbno(cur->bc_mp, cur->bc_private.a.agno, agbno);
+ }
+
++#ifdef DEBUG
+ /*
+- * Check that block ptr is ok.
++ * Check that a given (indexed) btree pointer at a certain level of a
++ * btree is valid and doesn't point past where it should.
+ */
+-STATIC int /* error (0 or EFSCORRUPTED) */
++int
+ xfs_btree_check_ptr(
+- struct xfs_btree_cur *cur, /* btree cursor */
+- union xfs_btree_ptr *ptr, /* btree block disk address */
+- int index, /* offset from ptr to check */
+- int level) /* btree block level */
++ struct xfs_btree_cur *cur,
++ union xfs_btree_ptr *ptr,
++ int index,
++ int level)
+ {
+ if (cur->bc_flags & XFS_BTREE_LONG_PTRS) {
+- return xfs_btree_check_lptr(cur,
+- be64_to_cpu((&ptr->l)[index]), level);
++ XFS_WANT_CORRUPTED_RETURN(cur->bc_mp,
++ xfs_btree_check_lptr(cur,
++ be64_to_cpu((&ptr->l)[index]), level));
+ } else {
+- return xfs_btree_check_sptr(cur,
+- be32_to_cpu((&ptr->s)[index]), level);
++ XFS_WANT_CORRUPTED_RETURN(cur->bc_mp,
++ xfs_btree_check_sptr(cur,
++ be32_to_cpu((&ptr->s)[index]), level));
+ }
++
++ return 0;
+ }
+ #endif
+
+diff --git a/fs/xfs/libxfs/xfs_btree.h b/fs/xfs/libxfs/xfs_btree.h
+index f2a88c3b1159..8f52eda8eb82 100644
+--- a/fs/xfs/libxfs/xfs_btree.h
++++ b/fs/xfs/libxfs/xfs_btree.h
+@@ -269,10 +269,19 @@ xfs_btree_check_block(
+ /*
+ * Check that (long) pointer is ok.
+ */
+-int /* error (0 or EFSCORRUPTED) */
++bool /* error (0 or EFSCORRUPTED) */
+ xfs_btree_check_lptr(
+ struct xfs_btree_cur *cur, /* btree cursor */
+- xfs_fsblock_t ptr, /* btree block disk address */
++ xfs_fsblock_t fsbno, /* btree block disk address */
++ int level); /* btree block level */
++
++/*
++ * Check that (short) pointer is ok.
++ */
++bool /* error (0 or EFSCORRUPTED) */
++xfs_btree_check_sptr(
++ struct xfs_btree_cur *cur, /* btree cursor */
++ xfs_agblock_t agbno, /* btree block disk address */
+ int level); /* btree block level */
+
+ /*
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-refactor-unmount-record-write.patch b/patches.fixes/xfs-refactor-unmount-record-write.patch
new file mode 100644
index 0000000000..6a4a6c6804
--- /dev/null
+++ b/patches.fixes/xfs-refactor-unmount-record-write.patch
@@ -0,0 +1,203 @@
+From 53235f22151ea7229e1251e46e68098bcf74922d Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Fri, 20 Jul 2018 09:28:39 -0700
+Subject: [PATCH] xfs: refactor unmount record write
+Git-commit: 53235f22151ea7229e1251e46e68098bcf74922d
+Patch-mainline: v4.19-rc1
+References: bsc#1114427
+
+Refactor the writing of the unmount record into a separate helper. No
+functionality changes.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_log_format.h | 13 ++++
+ fs/xfs/xfs_log.c | 131 ++++++++++++++++++++++-------------------
+ 2 files changed, 82 insertions(+), 62 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_log_format.h b/fs/xfs/libxfs/xfs_log_format.h
+index 79bb79853c9f..e5f97c69b320 100644
+--- a/fs/xfs/libxfs/xfs_log_format.h
++++ b/fs/xfs/libxfs/xfs_log_format.h
+@@ -77,6 +77,19 @@ static inline uint xlog_get_cycle(char *ptr)
+
+ #define XLOG_UNMOUNT_TYPE 0x556e /* Un for Unmount */
+
++/*
++ * Log item for unmount records.
++ *
++ * The unmount record used to have a string "Unmount filesystem--" in the
++ * data section where the "Un" was really a magic number (XLOG_UNMOUNT_TYPE).
++ * We just write the magic number now; see xfs_log_unmount_write.
++ */
++struct xfs_unmount_log_format {
++ uint16_t magic; /* XLOG_UNMOUNT_TYPE */
++ uint16_t pad1;
++ uint32_t pad2; /* may as well make it 64 bits */
++};
++
+ /* Region types for iovec's i_type */
+ #define XLOG_REG_TYPE_BFORMAT 1
+ #define XLOG_REG_TYPE_BCHUNK 2
+diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c
+index 5e56f3b93d4b..bac586cbc54e 100644
+--- a/fs/xfs/xfs_log.c
++++ b/fs/xfs/xfs_log.c
+@@ -826,6 +826,74 @@ xfs_log_mount_cancel(
+ * deallocation must not be done until source-end.
+ */
+
++/* Actually write the unmount record to disk. */
++static void
++xfs_log_write_unmount_record(
++ struct xfs_mount *mp)
++{
++ /* the data section must be 32 bit size aligned */
++ struct xfs_unmount_log_format magic = {
++ .magic = XLOG_UNMOUNT_TYPE,
++ };
++ struct xfs_log_iovec reg = {
++ .i_addr = &magic,
++ .i_len = sizeof(magic),
++ .i_type = XLOG_REG_TYPE_UNMOUNT,
++ };
++ struct xfs_log_vec vec = {
++ .lv_niovecs = 1,
++ .lv_iovecp = &reg,
++ };
++ struct xlog *log = mp->m_log;
++ struct xlog_in_core *iclog;
++ struct xlog_ticket *tic = NULL;
++ xfs_lsn_t lsn;
++ int error;
++
++ error = xfs_log_reserve(mp, 600, 1, &tic, XFS_LOG, 0);
++ if (error)
++ goto out_err;
++
++ /* remove inited flag, and account for space used */
++ tic->t_flags = 0;
++ tic->t_curr_res -= sizeof(magic);
++ error = xlog_write(log, &vec, tic, &lsn, NULL, XLOG_UNMOUNT_TRANS);
++ /*
++ * At this point, we're umounting anyway, so there's no point in
++ * transitioning log state to IOERROR. Just continue...
++ */
++out_err:
++ if (error)
++ xfs_alert(mp, "%s: unmount record failed", __func__);
++
++ spin_lock(&log->l_icloglock);
++ iclog = log->l_iclog;
++ atomic_inc(&iclog->ic_refcnt);
++ xlog_state_want_sync(log, iclog);
++ spin_unlock(&log->l_icloglock);
++ error = xlog_state_release_iclog(log, iclog);
++
++ spin_lock(&log->l_icloglock);
++ switch (iclog->ic_state) {
++ default:
++ if (!XLOG_FORCED_SHUTDOWN(log)) {
++ xlog_wait(&iclog->ic_force_wait, &log->l_icloglock);
++ break;
++ }
++ /* fall through */
++ case XLOG_STATE_ACTIVE:
++ case XLOG_STATE_DIRTY:
++ spin_unlock(&log->l_icloglock);
++ break;
++ }
++
++ if (tic) {
++ trace_xfs_log_umount_write(log, tic);
++ xlog_ungrant_log_space(log, tic);
++ xfs_log_ticket_put(tic);
++ }
++}
++
+ /*
+ * Unmount record used to have a string "Unmount filesystem--" in the
+ * data section where the "Un" was really a magic number (XLOG_UNMOUNT_TYPE).
+@@ -842,8 +910,6 @@ xfs_log_unmount_write(xfs_mount_t *mp)
+ #ifdef DEBUG
+ xlog_in_core_t *first_iclog;
+ #endif
+- xlog_ticket_t *tic = NULL;
+- xfs_lsn_t lsn;
+ int error;
+
+ /*
+@@ -870,66 +936,7 @@ xfs_log_unmount_write(xfs_mount_t *mp)
+ } while (iclog != first_iclog);
+ #endif
+ if (! (XLOG_FORCED_SHUTDOWN(log))) {
+- error = xfs_log_reserve(mp, 600, 1, &tic, XFS_LOG, 0);
+- if (!error) {
+- /* the data section must be 32 bit size aligned */
+- struct {
+- uint16_t magic;
+- uint16_t pad1;
+- uint32_t pad2; /* may as well make it 64 bits */
+- } magic = {
+- .magic = XLOG_UNMOUNT_TYPE,
+- };
+- struct xfs_log_iovec reg = {
+- .i_addr = &magic,
+- .i_len = sizeof(magic),
+- .i_type = XLOG_REG_TYPE_UNMOUNT,
+- };
+- struct xfs_log_vec vec = {
+- .lv_niovecs = 1,
+- .lv_iovecp = &reg,
+- };
+-
+- /* remove inited flag, and account for space used */
+- tic->t_flags = 0;
+- tic->t_curr_res -= sizeof(magic);
+- error = xlog_write(log, &vec, tic, &lsn,
+- NULL, XLOG_UNMOUNT_TRANS);
+- /*
+- * At this point, we're umounting anyway,
+- * so there's no point in transitioning log state
+- * to IOERROR. Just continue...
+- */
+- }
+-
+- if (error)
+- xfs_alert(mp, "%s: unmount record failed", __func__);
+-
+-
+- spin_lock(&log->l_icloglock);
+- iclog = log->l_iclog;
+- atomic_inc(&iclog->ic_refcnt);
+- xlog_state_want_sync(log, iclog);
+- spin_unlock(&log->l_icloglock);
+- error = xlog_state_release_iclog(log, iclog);
+-
+- spin_lock(&log->l_icloglock);
+- if (!(iclog->ic_state == XLOG_STATE_ACTIVE ||
+- iclog->ic_state == XLOG_STATE_DIRTY)) {
+- if (!XLOG_FORCED_SHUTDOWN(log)) {
+- xlog_wait(&iclog->ic_force_wait,
+- &log->l_icloglock);
+- } else {
+- spin_unlock(&log->l_icloglock);
+- }
+- } else {
+- spin_unlock(&log->l_icloglock);
+- }
+- if (tic) {
+- trace_xfs_log_umount_write(log, tic);
+- xlog_ungrant_log_space(log, tic);
+- xfs_log_ticket_put(tic);
+- }
++ xfs_log_write_unmount_record(mp);
+ } else {
+ /*
+ * We're already in forced_shutdown mode, couldn't
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-remove-unneeded-parameter-from-XFS_TEST_ERROR.patch b/patches.fixes/xfs-remove-unneeded-parameter-from-XFS_TEST_ERROR.patch
new file mode 100644
index 0000000000..0ebf252f9a
--- /dev/null
+++ b/patches.fixes/xfs-remove-unneeded-parameter-from-XFS_TEST_ERROR.patch
@@ -0,0 +1,306 @@
+From 9e24cfd044853e0e46e7149b91b7bb09effb0a79 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 20 Jun 2017 17:54:47 -0700
+Subject: [PATCH] xfs: remove unneeded parameter from XFS_TEST_ERROR
+Git-commit: 9e24cfd044853e0e46e7149b91b7bb09effb0a79
+Patch-mainline: v4.13-rc1
+References: bsc#1123663
+
+Since we moved the injected error frequency controls to the mountpoint,
+we can get rid of the last argument to XFS_TEST_ERROR.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_ag_resv.c | 3 +--
+ fs/xfs/libxfs/xfs_alloc.c | 6 ++----
+ fs/xfs/libxfs/xfs_bmap.c | 13 ++++++-------
+ fs/xfs/libxfs/xfs_btree.c | 6 ++----
+ fs/xfs/libxfs/xfs_dir2.c | 3 +--
+ fs/xfs/libxfs/xfs_ialloc.c | 3 +--
+ fs/xfs/libxfs/xfs_inode_buf.c | 3 +--
+ fs/xfs/libxfs/xfs_refcount.c | 6 ++----
+ fs/xfs/libxfs/xfs_rmap.c | 3 +--
+ fs/xfs/xfs_error.h | 4 ++--
+ fs/xfs/xfs_inode.c | 11 +++++------
+ fs/xfs/xfs_iomap.c | 2 +-
+ fs/xfs/xfs_log.c | 3 +--
+ 13 files changed, 26 insertions(+), 40 deletions(-)
+
+--- a/fs/xfs/libxfs/xfs_ag_resv.c
++++ b/fs/xfs/libxfs/xfs_ag_resv.c
+@@ -111,8 +111,7 @@
+
+ /* Critically low if less than 10% or max btree height remains. */
+ return XFS_TEST_ERROR(avail < orig / 10 || avail < XFS_BTREE_MAXLEVELS,
+- pag->pag_mount, XFS_ERRTAG_AG_RESV_CRITICAL,
+- XFS_RANDOM_AG_RESV_CRITICAL);
++ pag->pag_mount, XFS_ERRTAG_AG_RESV_CRITICAL);
+ }
+
+ /*
+--- a/fs/xfs/libxfs/xfs_alloc.c
++++ b/fs/xfs/libxfs/xfs_alloc.c
+@@ -2454,8 +2454,7 @@
+ !xfs_buf_verify_cksum(bp, XFS_AGF_CRC_OFF))
+ xfs_buf_ioerror(bp, -EFSBADCRC);
+ else if (XFS_TEST_ERROR(!xfs_agf_verify(mp, bp), mp,
+- XFS_ERRTAG_ALLOC_READ_AGF,
+- XFS_RANDOM_ALLOC_READ_AGF))
++ XFS_ERRTAG_ALLOC_READ_AGF))
+ xfs_buf_ioerror(bp, -EFSCORRUPTED);
+
+ if (bp->b_error)
+@@ -2842,8 +2841,7 @@
+ ASSERT(type != XFS_AG_RESV_AGFL);
+
+ if (XFS_TEST_ERROR(false, mp,
+- XFS_ERRTAG_FREE_EXTENT,
+- XFS_RANDOM_FREE_EXTENT))
++ XFS_ERRTAG_FREE_EXTENT))
+ return -EIO;
+
+ error = xfs_free_extent_fix_freelist(tp, agno, &agbp);
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -3992,7 +3992,7 @@
+ if (unlikely(XFS_TEST_ERROR(
+ (XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_EXTENTS &&
+ XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_BTREE),
+- mp, XFS_ERRTAG_BMAPIFORMAT, XFS_RANDOM_BMAPIFORMAT))) {
++ mp, XFS_ERRTAG_BMAPIFORMAT))) {
+ XFS_ERROR_REPORT("xfs_bmapi_read", XFS_ERRLEVEL_LOW, mp);
+ return -EFSCORRUPTED;
+ }
+@@ -4473,7 +4473,7 @@
+ if (unlikely(XFS_TEST_ERROR(
+ (XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_EXTENTS &&
+ XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_BTREE),
+- mp, XFS_ERRTAG_BMAPIFORMAT, XFS_RANDOM_BMAPIFORMAT))) {
++ mp, XFS_ERRTAG_BMAPIFORMAT))) {
+ XFS_ERROR_REPORT("xfs_bmapi_write", XFS_ERRLEVEL_LOW, mp);
+ return -EFSCORRUPTED;
+ }
+@@ -4694,7 +4694,7 @@
+ if (unlikely(XFS_TEST_ERROR(
+ (XFS_IFORK_FORMAT(ip, XFS_DATA_FORK) != XFS_DINODE_FMT_EXTENTS &&
+ XFS_IFORK_FORMAT(ip, XFS_DATA_FORK) != XFS_DINODE_FMT_BTREE),
+- mp, XFS_ERRTAG_BMAPIFORMAT, XFS_RANDOM_BMAPIFORMAT))) {
++ mp, XFS_ERRTAG_BMAPIFORMAT))) {
+ XFS_ERROR_REPORT("xfs_bmapi_remap", XFS_ERRLEVEL_LOW, mp);
+ return -EFSCORRUPTED;
+ }
+@@ -6077,7 +6077,7 @@
+ if (unlikely(XFS_TEST_ERROR(
+ (XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_EXTENTS &&
+ XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_BTREE),
+- mp, XFS_ERRTAG_BMAPIFORMAT, XFS_RANDOM_BMAPIFORMAT))) {
++ mp, XFS_ERRTAG_BMAPIFORMAT))) {
+ XFS_ERROR_REPORT("xfs_bmap_shift_extents",
+ XFS_ERRLEVEL_LOW, mp);
+ return -EFSCORRUPTED;
+@@ -6229,7 +6229,7 @@
+ if (unlikely(XFS_TEST_ERROR(
+ (XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_EXTENTS &&
+ XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_BTREE),
+- mp, XFS_ERRTAG_BMAPIFORMAT, XFS_RANDOM_BMAPIFORMAT))) {
++ mp, XFS_ERRTAG_BMAPIFORMAT))) {
+ XFS_ERROR_REPORT("xfs_bmap_split_extent_at",
+ XFS_ERRLEVEL_LOW, mp);
+ return -EFSCORRUPTED;
+@@ -6486,8 +6486,7 @@
+ return -EFSCORRUPTED;
+
+ if (XFS_TEST_ERROR(false, tp->t_mountp,
+- XFS_ERRTAG_BMAP_FINISH_ONE,
+- XFS_RANDOM_BMAP_FINISH_ONE))
++ XFS_ERRTAG_BMAP_FINISH_ONE))
+ return -EIO;
+
+ switch (type) {
+--- a/fs/xfs/libxfs/xfs_btree.c
++++ b/fs/xfs/libxfs/xfs_btree.c
+@@ -101,8 +101,7 @@
+ be64_to_cpu(block->bb_u.l.bb_rightsib)));
+
+ if (unlikely(XFS_TEST_ERROR(!lblock_ok, mp,
+- XFS_ERRTAG_BTREE_CHECK_LBLOCK,
+- XFS_RANDOM_BTREE_CHECK_LBLOCK))) {
++ XFS_ERRTAG_BTREE_CHECK_LBLOCK))) {
+ if (bp)
+ trace_xfs_btree_corrupt(bp, _RET_IP_);
+ XFS_ERROR_REPORT(__func__, XFS_ERRLEVEL_LOW, mp);
+@@ -153,8 +152,7 @@
+ block->bb_u.s.bb_rightsib;
+
+ if (unlikely(XFS_TEST_ERROR(!sblock_ok, mp,
+- XFS_ERRTAG_BTREE_CHECK_SBLOCK,
+- XFS_RANDOM_BTREE_CHECK_SBLOCK))) {
++ XFS_ERRTAG_BTREE_CHECK_SBLOCK))) {
+ if (bp)
+ trace_xfs_btree_corrupt(bp, _RET_IP_);
+ XFS_ERROR_REPORT(__func__, XFS_ERRLEVEL_LOW, mp);
+--- a/fs/xfs/libxfs/xfs_dir2.c
++++ b/fs/xfs/libxfs/xfs_dir2.c
+@@ -218,8 +218,7 @@
+ agblkno != 0 &&
+ ioff < (1 << mp->m_sb.sb_inopblog) &&
+ XFS_AGINO_TO_INO(mp, agno, agino) == ino;
+- if (unlikely(XFS_TEST_ERROR(!ino_ok, mp, XFS_ERRTAG_DIR_INO_VALIDATE,
+- XFS_RANDOM_DIR_INO_VALIDATE))) {
++ if (unlikely(XFS_TEST_ERROR(!ino_ok, mp, XFS_ERRTAG_DIR_INO_VALIDATE))) {
+ xfs_warn(mp, "Invalid inode number 0x%Lx",
+ (unsigned long long) ino);
+ XFS_ERROR_REPORT("xfs_dir_ino_validate", XFS_ERRLEVEL_LOW, mp);
+--- a/fs/xfs/libxfs/xfs_ialloc.c
++++ b/fs/xfs/libxfs/xfs_ialloc.c
+@@ -2542,8 +2542,7 @@
+ !xfs_buf_verify_cksum(bp, XFS_AGI_CRC_OFF))
+ xfs_buf_ioerror(bp, -EFSBADCRC);
+ else if (XFS_TEST_ERROR(!xfs_agi_verify(bp), mp,
+- XFS_ERRTAG_IALLOC_READ_AGI,
+- XFS_RANDOM_IALLOC_READ_AGI))
++ XFS_ERRTAG_IALLOC_READ_AGI))
+ xfs_buf_ioerror(bp, -EFSCORRUPTED);
+
+ if (bp->b_error)
+--- a/fs/xfs/libxfs/xfs_inode_buf.c
++++ b/fs/xfs/libxfs/xfs_inode_buf.c
+@@ -105,8 +105,7 @@
+ di_ok = dip->di_magic == cpu_to_be16(XFS_DINODE_MAGIC) &&
+ xfs_dinode_good_version(mp, dip->di_version);
+ if (unlikely(XFS_TEST_ERROR(!di_ok, mp,
+- XFS_ERRTAG_ITOBP_INOTOBP,
+- XFS_RANDOM_ITOBP_INOTOBP))) {
++ XFS_ERRTAG_ITOBP_INOTOBP))) {
+ if (readahead) {
+ bp->b_flags &= ~XBF_DONE;
+ xfs_buf_ioerror(bp, -EIO);
+--- a/fs/xfs/libxfs/xfs_refcount.c
++++ b/fs/xfs/libxfs/xfs_refcount.c
+@@ -813,8 +813,7 @@
+ */
+ if (cur->bc_private.a.priv.refc.nr_ops > 2 &&
+ XFS_TEST_ERROR(false, cur->bc_mp,
+- XFS_ERRTAG_REFCOUNT_CONTINUE_UPDATE,
+- XFS_RANDOM_REFCOUNT_CONTINUE_UPDATE))
++ XFS_ERRTAG_REFCOUNT_CONTINUE_UPDATE))
+ return false;
+
+ if (cur->bc_private.a.priv.refc.nr_ops == 0)
+@@ -1076,8 +1075,7 @@
+ blockcount);
+
+ if (XFS_TEST_ERROR(false, mp,
+- XFS_ERRTAG_REFCOUNT_FINISH_ONE,
+- XFS_RANDOM_REFCOUNT_FINISH_ONE))
++ XFS_ERRTAG_REFCOUNT_FINISH_ONE))
+ return -EIO;
+
+ /*
+--- a/fs/xfs/libxfs/xfs_rmap.c
++++ b/fs/xfs/libxfs/xfs_rmap.c
+@@ -2087,8 +2087,7 @@
+ startoff, blockcount, state);
+
+ if (XFS_TEST_ERROR(false, mp,
+- XFS_ERRTAG_RMAP_FINISH_ONE,
+- XFS_RANDOM_RMAP_FINISH_ONE))
++ XFS_ERRTAG_RMAP_FINISH_ONE))
+ return -EIO;
+
+ /*
+--- a/fs/xfs/xfs_error.h
++++ b/fs/xfs/xfs_error.h
+@@ -135,7 +135,7 @@
+ extern void xfs_errortag_del(struct xfs_mount *mp);
+ extern bool xfs_errortag_test(struct xfs_mount *mp, const char *expression,
+ const char *file, int line, unsigned int error_tag);
+-#define XFS_TEST_ERROR(expr, mp, tag, rf) \
++#define XFS_TEST_ERROR(expr, mp, tag) \
+ ((expr) || xfs_errortag_test((mp), #expr, __FILE__, __LINE__, (tag)))
+
+ extern int xfs_errortag_get(struct xfs_mount *mp, unsigned int error_tag);
+@@ -146,7 +146,7 @@
+ #else
+ #define xfs_errortag_init(mp) (0)
+ #define xfs_errortag_del(mp)
+-#define XFS_TEST_ERROR(expr, mp, tag, rf) (expr)
++#define XFS_TEST_ERROR(expr, mp, tag) (expr)
+ #define xfs_errortag_set(mp, tag, val) (ENOSYS)
+ #define xfs_errortag_add(mp, tag) (ENOSYS)
+ #define xfs_errortag_clearall(mp) (ENOSYS)
+--- a/fs/xfs/xfs_inode.c
++++ b/fs/xfs/xfs_inode.c
+@@ -3489,7 +3489,7 @@
+ dip = xfs_buf_offset(bp, ip->i_imap.im_boffset);
+
+ if (XFS_TEST_ERROR(dip->di_magic != cpu_to_be16(XFS_DINODE_MAGIC),
+- mp, XFS_ERRTAG_IFLUSH_1, XFS_RANDOM_IFLUSH_1)) {
++ mp, XFS_ERRTAG_IFLUSH_1)) {
+ xfs_alert_tag(mp, XFS_PTAG_IFLUSH,
+ "%s: Bad inode %Lu magic number 0x%x, ptr 0x%p",
+ __func__, ip->i_ino, be16_to_cpu(dip->di_magic), dip);
+@@ -3499,7 +3499,7 @@
+ if (XFS_TEST_ERROR(
+ (ip->i_d.di_format != XFS_DINODE_FMT_EXTENTS) &&
+ (ip->i_d.di_format != XFS_DINODE_FMT_BTREE),
+- mp, XFS_ERRTAG_IFLUSH_3, XFS_RANDOM_IFLUSH_3)) {
++ mp, XFS_ERRTAG_IFLUSH_3)) {
+ xfs_alert_tag(mp, XFS_PTAG_IFLUSH,
+ "%s: Bad regular inode %Lu, ptr 0x%p",
+ __func__, ip->i_ino, ip);
+@@ -3510,7 +3510,7 @@
+ (ip->i_d.di_format != XFS_DINODE_FMT_EXTENTS) &&
+ (ip->i_d.di_format != XFS_DINODE_FMT_BTREE) &&
+ (ip->i_d.di_format != XFS_DINODE_FMT_LOCAL),
+- mp, XFS_ERRTAG_IFLUSH_4, XFS_RANDOM_IFLUSH_4)) {
++ mp, XFS_ERRTAG_IFLUSH_4)) {
+ xfs_alert_tag(mp, XFS_PTAG_IFLUSH,
+ "%s: Bad directory inode %Lu, ptr 0x%p",
+ __func__, ip->i_ino, ip);
+@@ -3518,8 +3518,7 @@
+ }
+ }
+ if (XFS_TEST_ERROR(ip->i_d.di_nextents + ip->i_d.di_anextents >
+- ip->i_d.di_nblocks, mp, XFS_ERRTAG_IFLUSH_5,
+- XFS_RANDOM_IFLUSH_5)) {
++ ip->i_d.di_nblocks, mp, XFS_ERRTAG_IFLUSH_5)) {
+ xfs_alert_tag(mp, XFS_PTAG_IFLUSH,
+ "%s: detected corrupt incore inode %Lu, "
+ "total extents = %d, nblocks = %Ld, ptr 0x%p",
+@@ -3529,7 +3528,7 @@
+ goto corrupt_out;
+ }
+ if (XFS_TEST_ERROR(ip->i_d.di_forkoff > mp->m_sb.sb_inodesize,
+- mp, XFS_ERRTAG_IFLUSH_6, XFS_RANDOM_IFLUSH_6)) {
++ mp, XFS_ERRTAG_IFLUSH_6)) {
+ xfs_alert_tag(mp, XFS_PTAG_IFLUSH,
+ "%s: bad inode %Lu, forkoff 0x%x, ptr 0x%p",
+ __func__, ip->i_ino, ip->i_d.di_forkoff, ip);
+--- a/fs/xfs/xfs_iomap.c
++++ b/fs/xfs/xfs_iomap.c
+@@ -543,7 +543,7 @@
+ if (unlikely(XFS_TEST_ERROR(
+ (XFS_IFORK_FORMAT(ip, XFS_DATA_FORK) != XFS_DINODE_FMT_EXTENTS &&
+ XFS_IFORK_FORMAT(ip, XFS_DATA_FORK) != XFS_DINODE_FMT_BTREE),
+- mp, XFS_ERRTAG_BMAPIFORMAT, XFS_RANDOM_BMAPIFORMAT))) {
++ mp, XFS_ERRTAG_BMAPIFORMAT))) {
+ XFS_ERROR_REPORT(__func__, XFS_ERRLEVEL_LOW, mp);
+ error = -EFSCORRUPTED;
+ goto out_unlock;
+--- a/fs/xfs/xfs_log.c
++++ b/fs/xfs/xfs_log.c
+@@ -1189,8 +1189,7 @@
+ * IOABORT state. The IOABORT state is only set in DEBUG mode to inject
+ * CRC errors into log recovery.
+ */
+- if (XFS_TEST_ERROR(bp->b_error, l->l_mp, XFS_ERRTAG_IODONE_IOERR,
+- XFS_RANDOM_IODONE_IOERR) ||
++ if (XFS_TEST_ERROR(bp->b_error, l->l_mp, XFS_ERRTAG_IODONE_IOERR) ||
+ iclog->ic_state & XLOG_STATE_IOABORT) {
+ if (iclog->ic_state & XLOG_STATE_IOABORT)
+ iclog->ic_state &= ~XLOG_STATE_IOABORT;
diff --git a/patches.fixes/xfs-rename-MAXPATHLEN-to-XFS_SYMLINK_MAXLEN.patch b/patches.fixes/xfs-rename-MAXPATHLEN-to-XFS_SYMLINK_MAXLEN.patch
new file mode 100644
index 0000000000..19cb718dda
--- /dev/null
+++ b/patches.fixes/xfs-rename-MAXPATHLEN-to-XFS_SYMLINK_MAXLEN.patch
@@ -0,0 +1,138 @@
+From 6eb0b8df9f74f33d1a69100117630a7a87a9cc96 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Fri, 7 Jul 2017 08:37:26 -0700
+Subject: [PATCH] xfs: rename MAXPATHLEN to XFS_SYMLINK_MAXLEN
+Git-commit: 6eb0b8df9f74f33d1a69100117630a7a87a9cc96
+Patch-mainline: v4.13-rc1
+References: bsc#1123663
+
+XFS has a maximum symlink target length of 1024 bytes; this is a
+holdover from the Irix days. Unfortunately, the constant establishing
+this is 'MAXPATHLEN' and is /not/ the same as the Linux MAXPATHLEN,
+which is 4096.
+
+The kernel enforces its 1024 byte MAXPATHLEN on symlink targets, but
+xfsprogs picks up the (Linux) system 4096 byte MAXPATHLEN, which means
+that xfs_repair doesn't complain about oversized symlinks.
+
+Since this is an on-disk format constraint, put the define in the XFS
+namespace and move everything over to use the new name.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_format.h | 1 +
+ fs/xfs/libxfs/xfs_symlink_remote.c | 2 +-
+ fs/xfs/libxfs/xfs_trans_resv.c | 4 ++--
+ fs/xfs/xfs_iops.c | 2 +-
+ fs/xfs/xfs_linux.h | 1 -
+ fs/xfs/xfs_symlink.c | 6 +++---
+ 6 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_format.h b/fs/xfs/libxfs/xfs_format.h
+index e204a942e5bf..23229f0c5b15 100644
+--- a/fs/xfs/libxfs/xfs_format.h
++++ b/fs/xfs/libxfs/xfs_format.h
+@@ -1211,6 +1211,7 @@ struct xfs_dsymlink_hdr {
+
+ #define XFS_SYMLINK_CRC_OFF offsetof(struct xfs_dsymlink_hdr, sl_crc)
+
++#define XFS_SYMLINK_MAXLEN 1024
+ /*
+ * The maximum pathlen is 1024 bytes. Since the minimum file system
+ * blocksize is 512 bytes, we can get a max of 3 extents back from
+diff --git a/fs/xfs/libxfs/xfs_symlink_remote.c b/fs/xfs/libxfs/xfs_symlink_remote.c
+index 2e2c6716b623..c484877129a0 100644
+--- a/fs/xfs/libxfs/xfs_symlink_remote.c
++++ b/fs/xfs/libxfs/xfs_symlink_remote.c
+@@ -114,7 +114,7 @@ xfs_symlink_verify(
+ if (bp->b_bn != be64_to_cpu(dsl->sl_blkno))
+ return false;
+ if (be32_to_cpu(dsl->sl_offset) +
+- be32_to_cpu(dsl->sl_bytes) >= MAXPATHLEN)
++ be32_to_cpu(dsl->sl_bytes) >= XFS_SYMLINK_MAXLEN)
+ return false;
+ if (dsl->sl_owner == 0)
+ return false;
+diff --git a/fs/xfs/libxfs/xfs_trans_resv.c b/fs/xfs/libxfs/xfs_trans_resv.c
+index b456cca1bfb2..6bd916bd35e2 100644
+--- a/fs/xfs/libxfs/xfs_trans_resv.c
++++ b/fs/xfs/libxfs/xfs_trans_resv.c
+@@ -477,14 +477,14 @@ xfs_calc_mkdir_reservation(
+ /*
+ * Making a new symplink is the same as creating a new file, but
+ * with the added blocks for remote symlink data which can be up to 1kB in
+- * length (MAXPATHLEN).
++ * length (XFS_SYMLINK_MAXLEN).
+ */
+ STATIC uint
+ xfs_calc_symlink_reservation(
+ struct xfs_mount *mp)
+ {
+ return xfs_calc_create_reservation(mp) +
+- xfs_calc_buf_res(1, MAXPATHLEN);
++ xfs_calc_buf_res(1, XFS_SYMLINK_MAXLEN);
+ }
+
+ /*
+diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
+index 077e2b2ac773..469c9fa4c178 100644
+--- a/fs/xfs/xfs_iops.c
++++ b/fs/xfs/xfs_iops.c
+@@ -460,7 +460,7 @@ xfs_vn_get_link(
+ if (!dentry)
+ return ERR_PTR(-ECHILD);
+
+- link = kmalloc(MAXPATHLEN+1, GFP_KERNEL);
++ link = kmalloc(XFS_SYMLINK_MAXLEN+1, GFP_KERNEL);
+ if (!link)
+ goto out_err;
+
+diff --git a/fs/xfs/xfs_linux.h b/fs/xfs/xfs_linux.h
+index ecdae42267d3..44abaecd1481 100644
+--- a/fs/xfs/xfs_linux.h
++++ b/fs/xfs/xfs_linux.h
+@@ -143,7 +143,6 @@ typedef __u32 xfs_nlink_t;
+ #define __return_address __builtin_return_address(0)
+
+ #define XFS_PROJID_DEFAULT 0
+-#define MAXPATHLEN 1024
+
+ #define MIN(a,b) (min(a,b))
+ #define MAX(a,b) (max(a,b))
+diff --git a/fs/xfs/xfs_symlink.c b/fs/xfs/xfs_symlink.c
+index 493804857d67..12cd9cf7de41 100644
+--- a/fs/xfs/xfs_symlink.c
++++ b/fs/xfs/xfs_symlink.c
+@@ -143,7 +143,7 @@ xfs_readlink(
+ if (!pathlen)
+ goto out;
+
+- if (pathlen < 0 || pathlen > MAXPATHLEN) {
++ if (pathlen < 0 || pathlen > XFS_SYMLINK_MAXLEN) {
+ xfs_alert(mp, "%s: inode (%llu) bad symlink length (%lld)",
+ __func__, (unsigned long long) ip->i_ino,
+ (long long) pathlen);
+@@ -202,7 +202,7 @@ xfs_symlink(
+ * Check component lengths of the target path name.
+ */
+ pathlen = strlen(target_path);
+- if (pathlen >= MAXPATHLEN) /* total string too long */
++ if (pathlen >= XFS_SYMLINK_MAXLEN) /* total string too long */
+ return -ENAMETOOLONG;
+
+ udqp = gdqp = NULL;
+@@ -559,7 +559,7 @@ xfs_inactive_symlink(
+ return 0;
+ }
+
+- if (pathlen < 0 || pathlen > MAXPATHLEN) {
++ if (pathlen < 0 || pathlen > XFS_SYMLINK_MAXLEN) {
+ xfs_alert(mp, "%s: inode (0x%llx) bad symlink length (%d)",
+ __func__, (unsigned long long)ip->i_ino, pathlen);
+ xfs_iunlock(ip, XFS_ILOCK_EXCL);
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-replace-log_badcrc_factor-knob-with-error-inject.patch b/patches.fixes/xfs-replace-log_badcrc_factor-knob-with-error-inject.patch
new file mode 100644
index 0000000000..197d0a8b87
--- /dev/null
+++ b/patches.fixes/xfs-replace-log_badcrc_factor-knob-with-error-inject.patch
@@ -0,0 +1,158 @@
+From 3e88a0078ba8ef61816c85d33131827b4a307852 Mon Sep 17 00:00:00 2001
+From: Brian Foster <bfoster@redhat.com>
+Date: Tue, 27 Jun 2017 09:52:32 -0700
+Subject: [PATCH] xfs: replace log_badcrc_factor knob with error injection tag
+Git-commit: 3e88a0078ba8ef61816c85d33131827b4a307852
+Patch-mainline: v4.13-rc1
+References: bsc#1114427
+
+Now that error injection tags support dynamic frequency adjustment,
+replace the debug mode sysfs knob that controls log record CRC error
+injection with an error injection tag.
+
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/xfs_error.c | 3 +++
+ fs/xfs/xfs_error.h | 4 +++-
+ fs/xfs/xfs_log.c | 5 +----
+ fs/xfs/xfs_sysfs.c | 36 ------------------------------------
+ 4 files changed, 7 insertions(+), 41 deletions(-)
+
+diff --git a/fs/xfs/xfs_error.c b/fs/xfs/xfs_error.c
+index a2f23d2bab16..26c32bc5cd34 100644
+--- a/fs/xfs/xfs_error.c
++++ b/fs/xfs/xfs_error.c
+@@ -56,6 +56,7 @@ static unsigned int xfs_errortag_random_default[] = {
+ XFS_RANDOM_BMAP_FINISH_ONE,
+ XFS_RANDOM_AG_RESV_CRITICAL,
+ XFS_RANDOM_DROP_WRITES,
++ XFS_RANDOM_LOG_BAD_CRC,
+ };
+
+ struct xfs_errortag_attr {
+@@ -159,6 +160,7 @@ XFS_ERRORTAG_ATTR_RW(refcount_finish_one, XFS_ERRTAG_REFCOUNT_FINISH_ONE);
+ XFS_ERRORTAG_ATTR_RW(bmap_finish_one, XFS_ERRTAG_BMAP_FINISH_ONE);
+ XFS_ERRORTAG_ATTR_RW(ag_resv_critical, XFS_ERRTAG_AG_RESV_CRITICAL);
+ XFS_ERRORTAG_ATTR_RW(drop_writes, XFS_ERRTAG_DROP_WRITES);
++XFS_ERRORTAG_ATTR_RW(log_bad_crc, XFS_ERRTAG_LOG_BAD_CRC);
+
+ static struct attribute *xfs_errortag_attrs[] = {
+ XFS_ERRORTAG_ATTR_LIST(noerror),
+@@ -190,6 +192,7 @@ static struct attribute *xfs_errortag_attrs[] = {
+ XFS_ERRORTAG_ATTR_LIST(bmap_finish_one),
+ XFS_ERRORTAG_ATTR_LIST(ag_resv_critical),
+ XFS_ERRORTAG_ATTR_LIST(drop_writes),
++ XFS_ERRORTAG_ATTR_LIST(log_bad_crc),
+ NULL,
+ };
+
+diff --git a/fs/xfs/xfs_error.h b/fs/xfs/xfs_error.h
+index e0e4cf776fac..7577be5f09bc 100644
+--- a/fs/xfs/xfs_error.h
++++ b/fs/xfs/xfs_error.h
+@@ -105,7 +105,8 @@ extern void xfs_verifier_error(struct xfs_buf *bp);
+ * handling sequence.
+ */
+ #define XFS_ERRTAG_DROP_WRITES 28
+-#define XFS_ERRTAG_MAX 29
++#define XFS_ERRTAG_LOG_BAD_CRC 29
++#define XFS_ERRTAG_MAX 30
+
+ /*
+ * Random factors for above tags, 1 means always, 2 means 1/2 time, etc.
+@@ -139,6 +140,7 @@ extern void xfs_verifier_error(struct xfs_buf *bp);
+ #define XFS_RANDOM_BMAP_FINISH_ONE 1
+ #define XFS_RANDOM_AG_RESV_CRITICAL 4
+ #define XFS_RANDOM_DROP_WRITES 1
++#define XFS_RANDOM_LOG_BAD_CRC 1
+
+ #ifdef DEBUG
+ extern int xfs_errortag_init(struct xfs_mount *mp);
+diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c
+index 2d1112ee1f86..31f11be42f01 100644
+--- a/fs/xfs/xfs_log.c
++++ b/fs/xfs/xfs_log.c
+@@ -1841,7 +1841,6 @@ xlog_sync(
+ /* calculcate the checksum */
+ iclog->ic_header.h_crc = xlog_cksum(log, &iclog->ic_header,
+ iclog->ic_datap, size);
+-#ifdef DEBUG
+ /*
+ * Intentionally corrupt the log record CRC based on the error injection
+ * frequency, if defined. This facilitates testing log recovery in the
+@@ -1849,15 +1848,13 @@ xlog_sync(
+ * write on I/O completion and shutdown the fs. The subsequent mount
+ * detects the bad CRC and attempts to recover.
+ */
+- if (log->l_badcrc_factor &&
+- (prandom_u32() % log->l_badcrc_factor == 0)) {
++ if (XFS_TEST_ERROR(false, log->l_mp, XFS_ERRTAG_LOG_BAD_CRC)) {
+ iclog->ic_header.h_crc &= cpu_to_le32(0xAAAAAAAA);
+ iclog->ic_state |= XLOG_STATE_IOABORT;
+ xfs_warn(log->l_mp,
+ "Intentionally corrupted log record at LSN 0x%llx. Shutdown imminent.",
+ be64_to_cpu(iclog->ic_header.h_lsn));
+ }
+-#endif
+
+ bp->b_io_length = BTOBB(count);
+ bp->b_fspriv = iclog;
+diff --git a/fs/xfs/xfs_sysfs.c b/fs/xfs/xfs_sysfs.c
+index 56610a973593..8b2ccc234f36 100644
+--- a/fs/xfs/xfs_sysfs.c
++++ b/fs/xfs/xfs_sysfs.c
+@@ -305,47 +305,11 @@ write_grant_head_show(
+ }
+ XFS_SYSFS_ATTR_RO(write_grant_head);
+
+-#ifdef DEBUG
+-STATIC ssize_t
+-log_badcrc_factor_store(
+- struct kobject *kobject,
+- const char *buf,
+- size_t count)
+-{
+- struct xlog *log = to_xlog(kobject);
+- int ret;
+- uint32_t val;
+-
+- ret = kstrtouint(buf, 0, &val);
+- if (ret)
+- return ret;
+-
+- log->l_badcrc_factor = val;
+-
+- return count;
+-}
+-
+-STATIC ssize_t
+-log_badcrc_factor_show(
+- struct kobject *kobject,
+- char *buf)
+-{
+- struct xlog *log = to_xlog(kobject);
+-
+- return snprintf(buf, PAGE_SIZE, "%d\n", log->l_badcrc_factor);
+-}
+-
+-XFS_SYSFS_ATTR_RW(log_badcrc_factor);
+-#endif /* DEBUG */
+-
+ static struct attribute *xfs_log_attrs[] = {
+ ATTR_LIST(log_head_lsn),
+ ATTR_LIST(log_tail_lsn),
+ ATTR_LIST(reserve_grant_head),
+ ATTR_LIST(write_grant_head),
+-#ifdef DEBUG
+- ATTR_LIST(log_badcrc_factor),
+-#endif
+ NULL,
+ };
+
+--
+2.16.4
+
diff --git a/patches.fixes/xfs-sanity-check-the-unused-space-before-trying-to-u.patch b/patches.fixes/xfs-sanity-check-the-unused-space-before-trying-to-u.patch
new file mode 100644
index 0000000000..9f1ce38986
--- /dev/null
+++ b/patches.fixes/xfs-sanity-check-the-unused-space-before-trying-to-u.patch
@@ -0,0 +1,321 @@
+From 6915ef35c0350e87a104cb4c4ab2121c81ca7a34 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Fri, 23 Mar 2018 10:06:51 -0700
+Subject: [PATCH] xfs: sanity-check the unused space before trying to use it
+Git-commit: 6915ef35c0350e87a104cb4c4ab2121c81ca7a34
+Patch-mainline: v4.17-rc1
+References: bsc#1123663
+
+In xfs_dir2_data_use_free, we examine on-disk metadata and ASSERT if
+it doesn't make sense. Since a carefully crafted fuzzed image can cause
+the kernel to crash after blowing a bunch of assertions, let's move
+those checks into a validator function and rig everything up to return
+EFSCORRUPTED to userspace. Found by lastbit fuzzing ltail.bestcount via
+xfs/391.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Acked-by: Anthony Iliopoulos <ailiopoulos@suse.com>
+
+---
+ fs/xfs/libxfs/xfs_dir2.h | 2 -
+ fs/xfs/libxfs/xfs_dir2_block.c | 59 ++++++++++++++++++-------------
+ fs/xfs/libxfs/xfs_dir2_data.c | 78 +++++++++++++++++++++++++++++++----------
+ fs/xfs/libxfs/xfs_dir2_leaf.c | 10 +++--
+ fs/xfs/libxfs/xfs_dir2_node.c | 11 ++++-
+ 5 files changed, 111 insertions(+), 49 deletions(-)
+
+--- a/fs/xfs/libxfs/xfs_dir2.h
++++ b/fs/xfs/libxfs/xfs_dir2.h
+@@ -173,7 +173,7 @@
+ extern void xfs_dir2_data_make_free(struct xfs_da_args *args,
+ struct xfs_buf *bp, xfs_dir2_data_aoff_t offset,
+ xfs_dir2_data_aoff_t len, int *needlogp, int *needscanp);
+-extern void xfs_dir2_data_use_free(struct xfs_da_args *args,
++extern int xfs_dir2_data_use_free(struct xfs_da_args *args,
+ struct xfs_buf *bp, struct xfs_dir2_data_unused *dup,
+ xfs_dir2_data_aoff_t offset, xfs_dir2_data_aoff_t len,
+ int *needlogp, int *needscanp);
+--- a/fs/xfs/libxfs/xfs_dir2_block.c
++++ b/fs/xfs/libxfs/xfs_dir2_block.c
+@@ -450,15 +450,19 @@
+ * No stale entries, will use enddup space to hold new leaf.
+ */
+ if (!btp->stale) {
++ xfs_dir2_data_aoff_t aoff;
++
+ /*
+ * Mark the space needed for the new leaf entry, now in use.
+ */
+- xfs_dir2_data_use_free(args, bp, enddup,
+- (xfs_dir2_data_aoff_t)
+- ((char *)enddup - (char *)hdr + be16_to_cpu(enddup->length) -
+- sizeof(*blp)),
+- (xfs_dir2_data_aoff_t)sizeof(*blp),
+- &needlog, &needscan);
++ aoff = (xfs_dir2_data_aoff_t)((char *)enddup - (char *)hdr +
++ be16_to_cpu(enddup->length) - sizeof(*blp));
++ error = xfs_dir2_data_use_free(args, bp, enddup, aoff,
++ (xfs_dir2_data_aoff_t)sizeof(*blp), &needlog,
++ &needscan);
++ if (error)
++ return error;
++
+ /*
+ * Update the tail (entry count).
+ */
+@@ -540,9 +544,11 @@
+ /*
+ * Mark space for the data entry used.
+ */
+- xfs_dir2_data_use_free(args, bp, dup,
+- (xfs_dir2_data_aoff_t)((char *)dup - (char *)hdr),
+- (xfs_dir2_data_aoff_t)len, &needlog, &needscan);
++ error = xfs_dir2_data_use_free(args, bp, dup,
++ (xfs_dir2_data_aoff_t)((char *)dup - (char *)hdr),
++ (xfs_dir2_data_aoff_t)len, &needlog, &needscan);
++ if (error)
++ return error;
+ /*
+ * Create the new data entry.
+ */
+@@ -996,8 +1002,10 @@
+ /*
+ * Use up the space at the end of the block (blp/btp).
+ */
+- xfs_dir2_data_use_free(args, dbp, dup, args->geo->blksize - size, size,
+- &needlog, &needscan);
++ error = xfs_dir2_data_use_free(args, dbp, dup,
++ args->geo->blksize - size, size, &needlog, &needscan);
++ if (error)
++ return error;
+ /*
+ * Initialize the block tail.
+ */
+@@ -1109,18 +1117,14 @@
+ * Add block 0 to the inode.
+ */
+ error = xfs_dir2_grow_inode(args, XFS_DIR2_DATA_SPACE, &blkno);
+- if (error) {
+- kmem_free(sfp);
+- return error;
+- }
++ if (error)
++ goto out_free;
+ /*
+ * Initialize the data block, then convert it to block format.
+ */
+ error = xfs_dir3_data_init(args, blkno, &bp);
+- if (error) {
+- kmem_free(sfp);
+- return error;
+- }
++ if (error)
++ goto out_free;
+ xfs_dir3_block_init(mp, tp, bp, dp);
+ hdr = bp->b_addr;
+
+@@ -1135,8 +1139,10 @@
+ */
+ dup = dp->d_ops->data_unused_p(hdr);
+ needlog = needscan = 0;
+- xfs_dir2_data_use_free(args, bp, dup, args->geo->blksize - i,
+- i, &needlog, &needscan);
++ error = xfs_dir2_data_use_free(args, bp, dup, args->geo->blksize - i,
++ i, &needlog, &needscan);
++ if (error)
++ goto out_free;
+ ASSERT(needscan == 0);
+ /*
+ * Fill in the tail.
+@@ -1149,9 +1155,11 @@
+ /*
+ * Remove the freespace, we'll manage it.
+ */
+- xfs_dir2_data_use_free(args, bp, dup,
+- (xfs_dir2_data_aoff_t)((char *)dup - (char *)hdr),
+- be16_to_cpu(dup->length), &needlog, &needscan);
++ error = xfs_dir2_data_use_free(args, bp, dup,
++ (xfs_dir2_data_aoff_t)((char *)dup - (char *)hdr),
++ be16_to_cpu(dup->length), &needlog, &needscan);
++ if (error)
++ goto out_free;
+ /*
+ * Create entry for .
+ */
+@@ -1255,4 +1263,7 @@
+ xfs_dir2_block_log_tail(tp, bp);
+ xfs_dir3_data_check(dp, bp);
+ return 0;
++out_free:
++ kmem_free(sfp);
++ return error;
+ }
+--- a/fs/xfs/libxfs/xfs_dir2_data.c
++++ b/fs/xfs/libxfs/xfs_dir2_data.c
+@@ -910,10 +910,51 @@
+ *needscanp = needscan;
+ }
+
++/* Check our free data for obvious signs of corruption. */
++static inline xfs_failaddr_t
++xfs_dir2_data_check_free(
++ struct xfs_dir2_data_hdr *hdr,
++ struct xfs_dir2_data_unused *dup,
++ xfs_dir2_data_aoff_t offset,
++ xfs_dir2_data_aoff_t len)
++{
++ if (hdr->magic != cpu_to_be32(XFS_DIR2_DATA_MAGIC) &&
++ hdr->magic != cpu_to_be32(XFS_DIR3_DATA_MAGIC) &&
++ hdr->magic != cpu_to_be32(XFS_DIR2_BLOCK_MAGIC) &&
++ hdr->magic != cpu_to_be32(XFS_DIR3_BLOCK_MAGIC))
++ return __this_address;
++ if (be16_to_cpu(dup->freetag) != XFS_DIR2_DATA_FREE_TAG)
++ return __this_address;
++ if (offset < (char *)dup - (char *)hdr)
++ return __this_address;
++ if (offset + len > (char *)dup + be16_to_cpu(dup->length) - (char *)hdr)
++ return __this_address;
++ if ((char *)dup - (char *)hdr !=
++ be16_to_cpu(*xfs_dir2_data_unused_tag_p(dup)))
++ return __this_address;
++ return NULL;
++}
++
++/* Sanity-check a new bestfree entry. */
++static inline xfs_failaddr_t
++xfs_dir2_data_check_new_free(
++ struct xfs_dir2_data_hdr *hdr,
++ struct xfs_dir2_data_free *dfp,
++ struct xfs_dir2_data_unused *newdup)
++{
++ if (dfp == NULL)
++ return __this_address;
++ if (dfp->length != newdup->length)
++ return __this_address;
++ if (be16_to_cpu(dfp->offset) != (char *)newdup - (char *)hdr)
++ return __this_address;
++ return NULL;
++}
++
+ /*
+ * Take a byte range out of an existing unused space and make it un-free.
+ */
+-void
++int
+ xfs_dir2_data_use_free(
+ struct xfs_da_args *args,
+ struct xfs_buf *bp,
+@@ -925,23 +966,19 @@
+ {
+ xfs_dir2_data_hdr_t *hdr; /* data block header */
+ xfs_dir2_data_free_t *dfp; /* bestfree pointer */
++ xfs_dir2_data_unused_t *newdup; /* new unused entry */
++ xfs_dir2_data_unused_t *newdup2; /* another new unused entry */
++ struct xfs_dir2_data_free *bf;
++ xfs_failaddr_t fa;
+ int matchback; /* matches end of freespace */
+ int matchfront; /* matches start of freespace */
+ int needscan; /* need to regen bestfree */
+- xfs_dir2_data_unused_t *newdup; /* new unused entry */
+- xfs_dir2_data_unused_t *newdup2; /* another new unused entry */
+ int oldlen; /* old unused entry's length */
+- struct xfs_dir2_data_free *bf;
+
+ hdr = bp->b_addr;
+- ASSERT(hdr->magic == cpu_to_be32(XFS_DIR2_DATA_MAGIC) ||
+- hdr->magic == cpu_to_be32(XFS_DIR3_DATA_MAGIC) ||
+- hdr->magic == cpu_to_be32(XFS_DIR2_BLOCK_MAGIC) ||
+- hdr->magic == cpu_to_be32(XFS_DIR3_BLOCK_MAGIC));
+- ASSERT(be16_to_cpu(dup->freetag) == XFS_DIR2_DATA_FREE_TAG);
+- ASSERT(offset >= (char *)dup - (char *)hdr);
+- ASSERT(offset + len <= (char *)dup + be16_to_cpu(dup->length) - (char *)hdr);
+- ASSERT((char *)dup - (char *)hdr == be16_to_cpu(*xfs_dir2_data_unused_tag_p(dup)));
++ fa = xfs_dir2_data_check_free(hdr, dup, offset, len);
++ if (fa)
++ goto corrupt;
+ /*
+ * Look up the entry in the bestfree table.
+ */
+@@ -986,9 +1023,9 @@
+ xfs_dir2_data_freeremove(hdr, bf, dfp, needlogp);
+ dfp = xfs_dir2_data_freeinsert(hdr, bf, newdup,
+ needlogp);
+- ASSERT(dfp != NULL);
+- ASSERT(dfp->length == newdup->length);
+- ASSERT(be16_to_cpu(dfp->offset) == (char *)newdup - (char *)hdr);
++ fa = xfs_dir2_data_check_new_free(hdr, dfp, newdup);
++ if (fa)
++ goto corrupt;
+ /*
+ * If we got inserted at the last slot,
+ * that means we don't know if there was a better
+@@ -1014,9 +1051,9 @@
+ xfs_dir2_data_freeremove(hdr, bf, dfp, needlogp);
+ dfp = xfs_dir2_data_freeinsert(hdr, bf, newdup,
+ needlogp);
+- ASSERT(dfp != NULL);
+- ASSERT(dfp->length == newdup->length);
+- ASSERT(be16_to_cpu(dfp->offset) == (char *)newdup - (char *)hdr);
++ fa = xfs_dir2_data_check_new_free(hdr, dfp, newdup);
++ if (fa)
++ goto corrupt;
+ /*
+ * If we got inserted at the last slot,
+ * that means we don't know if there was a better
+@@ -1062,4 +1099,9 @@
+ }
+ }
+ *needscanp = needscan;
++ return 0;
++corrupt:
++ xfs_corruption_error(__func__, XFS_ERRLEVEL_LOW, args->dp->i_mount,
++ hdr, __FILE__, __LINE__, fa);
++ return -EFSCORRUPTED;
+ }
+--- a/fs/xfs/libxfs/xfs_dir2_leaf.c
++++ b/fs/xfs/libxfs/xfs_dir2_leaf.c
+@@ -850,9 +850,13 @@
+ /*
+ * Mark the initial part of our freespace in use for the new entry.
+ */
+- xfs_dir2_data_use_free(args, dbp, dup,
+- (xfs_dir2_data_aoff_t)((char *)dup - (char *)hdr), length,
+- &needlog, &needscan);
++ error = xfs_dir2_data_use_free(args, dbp, dup,
++ (xfs_dir2_data_aoff_t)((char *)dup - (char *)hdr),
++ length, &needlog, &needscan);
++ if (error) {
++ xfs_trans_brelse(tp, lbp);
++ return error;
++ }
+ /*
+ * Initialize our new entry (at last).
+ */
+--- a/fs/xfs/libxfs/xfs_dir2_node.c
++++ b/fs/xfs/libxfs/xfs_dir2_node.c
+@@ -1713,6 +1713,7 @@
+ __be16 *bests;
+ struct xfs_dir3_icfree_hdr freehdr;
+ struct xfs_dir2_data_free *bf;
++ xfs_dir2_data_aoff_t aoff;
+
+ dp = args->dp;
+ mp = dp->i_mount;
+@@ -2007,9 +2008,13 @@
+ /*
+ * Mark the first part of the unused space, inuse for us.
+ */
+- xfs_dir2_data_use_free(args, dbp, dup,
+- (xfs_dir2_data_aoff_t)((char *)dup - (char *)hdr), length,
+- &needlog, &needscan);
++ aoff = (xfs_dir2_data_aoff_t)((char *)dup - (char *)hdr);
++ error = xfs_dir2_data_use_free(args, dbp, dup, aoff, length,
++ &needlog, &needscan);
++ if (error) {
++ xfs_trans_brelse(tp, dbp);
++ return error;
++ }
+ /*
+ * Fill in the new entry and log it.
+ */
diff --git a/patches.kabi/kabi-protect-ip_options_rcv_srr.patch b/patches.kabi/kabi-protect-ip_options_rcv_srr.patch
new file mode 100644
index 0000000000..a7498c980f
--- /dev/null
+++ b/patches.kabi/kabi-protect-ip_options_rcv_srr.patch
@@ -0,0 +1,66 @@
+From: Jiri Slaby <jslaby@suse.cz>
+Subject: kABI: protect ip_options_rcv_srr
+Patch-mainline: never, kabi
+References: kabi
+
+In networking-stable-19_04_10, commit
+8c83f2df9c6578ea4c5b940d8238ad8a41b87e9e (vrf: check accept_source_route
+on the original netdevice) added a parameter to ip_options_rcv_srr.
+This indeed changed the checksum of this exported function and the kABI
+checker now complains.
+
+Introduce ip_options_rcv_srr2 with the new set of parameters and let
+ip_options_rcv_srr as it was.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/net/ip.h | 3 ++-
+ net/ipv4/ip_input.c | 2 +-
+ net/ipv4/ip_options.c | 8 +++++++-
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -594,7 +594,8 @@ int ip_options_get_from_user(struct net
+ unsigned char __user *data, int optlen);
+ void ip_options_undo(struct ip_options *opt);
+ void ip_forward_options(struct sk_buff *skb);
+-int ip_options_rcv_srr(struct sk_buff *skb, struct net_device *dev);
++int ip_options_rcv_srr(struct sk_buff *skb);
++int ip_options_rcv_srr2(struct sk_buff *skb, struct net_device *dev);
+
+ /*
+ * Functions provided by ip_sockglue.c
+--- a/net/ipv4/ip_input.c
++++ b/net/ipv4/ip_input.c
+@@ -298,7 +298,7 @@ static inline bool ip_rcv_options(struct
+ }
+ }
+
+- if (ip_options_rcv_srr(skb, dev))
++ if (ip_options_rcv_srr2(skb, dev))
+ goto drop;
+ }
+
+--- a/net/ipv4/ip_options.c
++++ b/net/ipv4/ip_options.c
+@@ -614,7 +614,7 @@ void ip_forward_options(struct sk_buff *
+ }
+ }
+
+-int ip_options_rcv_srr(struct sk_buff *skb, struct net_device *dev)
++int ip_options_rcv_srr2(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct ip_options *opt = &(IPCB(skb)->opt);
+ int srrspace, srrptr;
+@@ -670,4 +670,10 @@ int ip_options_rcv_srr(struct sk_buff *s
+ }
+ return 0;
+ }
++EXPORT_SYMBOL(ip_options_rcv_srr2);
++
++int ip_options_rcv_srr(struct sk_buff *skb)
++{
++ return ip_options_rcv_srr2(skb, skb->dev);
++}
+ EXPORT_SYMBOL(ip_options_rcv_srr);
diff --git a/patches.kabi/kabi-protect-struct-mlx5_td.patch b/patches.kabi/kabi-protect-struct-mlx5_td.patch
new file mode 100644
index 0000000000..606bbe4a3d
--- /dev/null
+++ b/patches.kabi/kabi-protect-struct-mlx5_td.patch
@@ -0,0 +1,30 @@
+From: Jiri Slaby <jslaby@suse.cz>
+Subject: kABI: protect struct mlx5_td
+Patch-mainline: never, kabi
+References: kabi
+
+In networking-stable-19_04_10, upstream commit
+80a2a9026b24c6bd34b8d58256973e22270bedec (net/mlx5e: Add a lock on tir
+list) added a list_lock to struct mlx5_td. It made the kABI checker to
+complain.
+
+Given the structure is private to mlx5, hide the change from the kABI
+checker.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/linux/mlx5/driver.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -746,7 +746,9 @@ struct mlx5_pagefault {
+
+ struct mlx5_td {
+ /* protects tirs list changes while tirs refresh */
++#ifndef __GENKSYMS__
+ struct mutex list_lock;
++#endif
+ struct list_head tirs_list;
+ u32 tdn;
+ };
diff --git a/patches.suse/bnxt_en-Improve-RX-consumer-index-validity-check.patch b/patches.suse/bnxt_en-Improve-RX-consumer-index-validity-check.patch
new file mode 100644
index 0000000000..aa55f26c24
--- /dev/null
+++ b/patches.suse/bnxt_en-Improve-RX-consumer-index-validity-check.patch
@@ -0,0 +1,54 @@
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Mon, 8 Apr 2019 17:39:54 -0400
+Subject: bnxt_en: Improve RX consumer index validity check.
+Git-commit: a1b0e4e684e9c300b9e759b46cb7a0147e61ddff
+Patch-mainline: v5.1-rc5
+References: networking-stable-19_04_10
+
+There is logic to check that the RX/TPA consumer index is the expected
+index to work around a hardware problem. However, the potentially bad
+consumer index is first used to index into an array to reference an entry.
+This can potentially crash if the bad consumer index is beyond legal
+range. Improve the logic to use the consumer index for dereferencing
+after the validity check and log an error message.
+
+Fixes: fa7e28127a5a ("bnxt_en: Add workaround to detect bad opaque in rx completion (part 2)")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -1089,6 +1089,8 @@ static void bnxt_tpa_start(struct bnxt *
+ tpa_info = &rxr->rx_tpa[agg_id];
+
+ if (unlikely(cons != rxr->rx_next_cons)) {
++ netdev_warn(bp->dev, "TPA cons %x != expected cons %x\n",
++ cons, rxr->rx_next_cons);
+ bnxt_sched_reset(bp, rxr);
+ return;
+ }
+@@ -1541,15 +1543,17 @@ static int bnxt_rx_pkt(struct bnxt *bp,
+ }
+
+ cons = rxcmp->rx_cmp_opaque;
+- rx_buf = &rxr->rx_buf_ring[cons];
+- data = rx_buf->data;
+- data_ptr = rx_buf->data_ptr;
+ if (unlikely(cons != rxr->rx_next_cons)) {
+ int rc1 = bnxt_discard_rx(bp, bnapi, raw_cons, rxcmp);
+
++ netdev_warn(bp->dev, "RX cons %x != expected cons %x\n",
++ cons, rxr->rx_next_cons);
+ bnxt_sched_reset(bp, rxr);
+ return rc1;
+ }
++ rx_buf = &rxr->rx_buf_ring[cons];
++ data = rx_buf->data;
++ data_ptr = rx_buf->data_ptr;
+ prefetch(data_ptr);
+
+ misc = le32_to_cpu(rxcmp->rx_cmp_misc_v1);
diff --git a/patches.suse/bnxt_en-Reset-device-on-RX-buffer-errors.patch b/patches.suse/bnxt_en-Reset-device-on-RX-buffer-errors.patch
new file mode 100644
index 0000000000..665c611824
--- /dev/null
+++ b/patches.suse/bnxt_en-Reset-device-on-RX-buffer-errors.patch
@@ -0,0 +1,39 @@
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Mon, 8 Apr 2019 17:39:55 -0400
+Subject: bnxt_en: Reset device on RX buffer errors.
+Git-commit: 8e44e96c6c8e8fb80b84a2ca11798a8554f710f2
+Patch-mainline: v5.1-rc5
+References: networking-stable-19_04_10
+
+If the RX completion indicates RX buffers errors, the RX ring will be
+disabled by firmware and no packets will be received on that ring from
+that point on. Recover by resetting the device.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -1570,11 +1570,17 @@ static int bnxt_rx_pkt(struct bnxt *bp,
+
+ rx_buf->data = NULL;
+ if (rxcmp1->rx_cmp_cfa_code_errors_v2 & RX_CMP_L2_ERRORS) {
++ u32 rx_err = le32_to_cpu(rxcmp1->rx_cmp_cfa_code_errors_v2);
++
+ bnxt_reuse_rx_data(rxr, cons, data);
+ if (agg_bufs)
+ bnxt_reuse_rx_agg_bufs(bnapi, cp_cons, agg_bufs);
+
+ rc = -EIO;
++ if (rx_err & RX_CMPL_ERRORS_BUFFER_ERROR_MASK) {
++ netdev_warn(bp->dev, "RX buffer error %x\n", rx_err);
++ bnxt_sched_reset(bp, rxr);
++ }
+ goto next_rx;
+ }
+
diff --git a/patches.suse/ip6_tunnel-Match-to-ARPHRD_TUNNEL6-for-dev-type.patch b/patches.suse/ip6_tunnel-Match-to-ARPHRD_TUNNEL6-for-dev-type.patch
new file mode 100644
index 0000000000..a6a8d99d70
--- /dev/null
+++ b/patches.suse/ip6_tunnel-Match-to-ARPHRD_TUNNEL6-for-dev-type.patch
@@ -0,0 +1,48 @@
+From: Sheena Mira-ato <sheena.mira-ato@alliedtelesis.co.nz>
+Date: Mon, 1 Apr 2019 13:04:42 +1300
+Subject: ip6_tunnel: Match to ARPHRD_TUNNEL6 for dev type
+Git-commit: b2e54b09a3d29c4db883b920274ca8dca4d9f04d
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+The device type for ip6 tunnels is set to
+ARPHRD_TUNNEL6. However, the ip4ip6_err function
+is expecting the device type of the tunnel to be
+ARPHRD_TUNNEL. Since the device types do not
+match, the function exits and the ICMP error
+packet is not sent to the originating host. Note
+that the device type for IPv4 tunnels is set to
+ARPHRD_TUNNEL.
+
+Fix is to expect a tunnel device type of
+ARPHRD_TUNNEL6 instead. Now the tunnel device
+type matches and the ICMP error packet is sent
+to the originating host.
+
+Signed-off-by: Sheena Mira-ato <sheena.mira-ato@alliedtelesis.co.nz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/ip6_tunnel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -633,7 +633,7 @@ ip4ip6_err(struct sk_buff *skb, struct i
+ IPPROTO_IPIP,
+ RT_TOS(eiph->tos), 0);
+ if (IS_ERR(rt) ||
+- rt->dst.dev->type != ARPHRD_TUNNEL) {
++ rt->dst.dev->type != ARPHRD_TUNNEL6) {
+ if (!IS_ERR(rt))
+ ip_rt_put(rt);
+ goto out;
+@@ -643,7 +643,7 @@ ip4ip6_err(struct sk_buff *skb, struct i
+ ip_rt_put(rt);
+ if (ip_route_input(skb2, eiph->daddr, eiph->saddr, eiph->tos,
+ skb2->dev) ||
+- skb_dst(skb2)->dev->type != ARPHRD_TUNNEL)
++ skb_dst(skb2)->dev->type != ARPHRD_TUNNEL6)
+ goto out;
+ }
+
diff --git a/patches.suse/net-ethtool-not-call-vzalloc-for-zero-sized-memory-r.patch b/patches.suse/net-ethtool-not-call-vzalloc-for-zero-sized-memory-r.patch
new file mode 100644
index 0000000000..f721c58362
--- /dev/null
+++ b/patches.suse/net-ethtool-not-call-vzalloc-for-zero-sized-memory-r.patch
@@ -0,0 +1,94 @@
+From: Li RongQing <lirongqing@baidu.com>
+Date: Fri, 29 Mar 2019 09:18:02 +0800
+Subject: net: ethtool: not call vzalloc for zero sized memory request
+Git-commit: 3d8830266ffc28c16032b859e38a0252e014b631
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+NULL or ZERO_SIZE_PTR will be returned for zero sized memory
+request, and derefencing them will lead to a segfault
+
+so it is unnecessory to call vzalloc for zero sized memory
+request and not call functions which maybe derefence the
+NULL allocated memory
+
+this also fixes a possible memory leak if phy_ethtool_get_stats
+returns error, memory should be freed before exit
+
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Reviewed-by: Wang Li <wangli39@baidu.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/core/ethtool.c | 42 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 28 insertions(+), 14 deletions(-)
+
+--- a/net/core/ethtool.c
++++ b/net/core/ethtool.c
+@@ -1832,11 +1832,16 @@ static int ethtool_get_strings(struct ne
+ WARN_ON_ONCE(!ret);
+
+ gstrings.len = ret;
+- data = vzalloc(gstrings.len * ETH_GSTRING_LEN);
+- if (gstrings.len && !data)
+- return -ENOMEM;
+
+- __ethtool_get_strings(dev, gstrings.string_set, data);
++ if (gstrings.len) {
++ data = vzalloc(gstrings.len * ETH_GSTRING_LEN);
++ if (!data)
++ return -ENOMEM;
++
++ __ethtool_get_strings(dev, gstrings.string_set, data);
++ } else {
++ data = NULL;
++ }
+
+ ret = -EFAULT;
+ if (copy_to_user(useraddr, &gstrings, sizeof(gstrings)))
+@@ -1932,11 +1937,15 @@ static int ethtool_get_stats(struct net_
+ return -EFAULT;
+
+ stats.n_stats = n_stats;
+- data = vzalloc(n_stats * sizeof(u64));
+- if (n_stats && !data)
+- return -ENOMEM;
+
+- ops->get_ethtool_stats(dev, &stats, data);
++ if (n_stats) {
++ data = vzalloc(n_stats * sizeof(u64));
++ if (!data)
++ return -ENOMEM;
++ ops->get_ethtool_stats(dev, &stats, data);
++ } else {
++ data = NULL;
++ }
+
+ ret = -EFAULT;
+ if (copy_to_user(useraddr, &stats, sizeof(stats)))
+@@ -1972,13 +1981,18 @@ static int ethtool_get_phy_stats(struct
+ return -EFAULT;
+
+ stats.n_stats = n_stats;
+- data = vzalloc(n_stats * sizeof(u64));
+- if (n_stats && !data)
+- return -ENOMEM;
+
+- mutex_lock(&phydev->lock);
+- phydev->drv->get_stats(phydev, &stats, data);
+- mutex_unlock(&phydev->lock);
++ if (n_stats) {
++ data = vzalloc(n_stats * sizeof(u64));
++ if (!data)
++ return -ENOMEM;
++
++ mutex_lock(&phydev->lock);
++ phydev->drv->get_stats(phydev, &stats, data);
++ mutex_unlock(&phydev->lock);
++ } else {
++ data = NULL;
++ }
+
+ ret = -EFAULT;
+ if (copy_to_user(useraddr, &stats, sizeof(stats)))
diff --git a/patches.suse/net-gro-Fix-GRO-flush-when-receiving-a-GSO-packet.patch b/patches.suse/net-gro-Fix-GRO-flush-when-receiving-a-GSO-packet.patch
new file mode 100644
index 0000000000..3096cf699c
--- /dev/null
+++ b/patches.suse/net-gro-Fix-GRO-flush-when-receiving-a-GSO-packet.patch
@@ -0,0 +1,37 @@
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Tue, 2 Apr 2019 08:16:03 +0200
+Subject: net-gro: Fix GRO flush when receiving a GSO packet.
+Git-commit: 0ab03f353d3613ea49d1f924faf98559003670a8
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+Currently we may merge incorrectly a received GSO packet
+or a packet with frag_list into a packet sitting in the
+gro_hash list. skb_segment() may crash case because
+the assumptions on the skb layout are not met.
+The correct behaviour would be to flush the packet in the
+gro_hash list and send the received GSO packet directly
+afterwards. Commit d61d072e87c8e ("net-gro: avoid reorders")
+sets NAPI_GRO_CB(skb)->flush in this case, but this is not
+checked before merging. This patch makes sure to check this
+flag and to not merge in that case.
+
+Fixes: d61d072e87c8e ("net-gro: avoid reorders")
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/core/skbuff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3389,7 +3389,7 @@ int skb_gro_receive(struct sk_buff **hea
+ struct sk_buff *lp, *p = *head;
+ unsigned int delta_truesize;
+
+- if (unlikely(p->len + len >= 65536))
++ if (unlikely(p->len + len >= 65536 || NAPI_GRO_CB(skb)->flush))
+ return -E2BIG;
+
+ lp = NAPI_GRO_CB(p)->last;
diff --git a/patches.suse/net-mlx5-Decrease-default-mr-cache-size.patch b/patches.suse/net-mlx5-Decrease-default-mr-cache-size.patch
new file mode 100644
index 0000000000..b4de55c3d5
--- /dev/null
+++ b/patches.suse/net-mlx5-Decrease-default-mr-cache-size.patch
@@ -0,0 +1,55 @@
+From: Artemy Kovalyov <artemyko@mellanox.com>
+Date: Tue, 19 Mar 2019 11:24:38 +0200
+Subject: net/mlx5: Decrease default mr cache size
+Git-commit: e8b26b2135dedc0284490bfeac06dfc4418d0105
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+Delete initialization of high order entries in mr cache to decrease initial
+memory footprint. When required, the administrator can populate the
+entries with memory keys via the /sys interface.
+
+This approach is very helpful to significantly reduce the per HW function
+memory footprint in virtualization environments such as SRIOV.
+
+Fixes: 9603b61de1ee ("mlx5: Move pci device handling from mlx5_ib to mlx5_core")
+Signed-off-by: Artemy Kovalyov <artemyko@mellanox.com>
+Signed-off-by: Moni Shoua <monis@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Reported-by: Shalom Toledo <shalomt@mellanox.com>
+Acked-by: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 20 --------------------
+ 1 file changed, 20 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -156,26 +156,6 @@ static struct mlx5_profile profile[] = {
+ .size = 8,
+ .limit = 4
+ },
+- .mr_cache[16] = {
+- .size = 8,
+- .limit = 4
+- },
+- .mr_cache[17] = {
+- .size = 8,
+- .limit = 4
+- },
+- .mr_cache[18] = {
+- .size = 8,
+- .limit = 4
+- },
+- .mr_cache[19] = {
+- .size = 4,
+- .limit = 2
+- },
+- .mr_cache[20] = {
+- .size = 4,
+- .limit = 2
+- },
+ },
+ };
+
diff --git a/patches.suse/net-mlx5e-Add-a-lock-on-tir-list.patch b/patches.suse/net-mlx5e-Add-a-lock-on-tir-list.patch
new file mode 100644
index 0000000000..e72ab4b477
--- /dev/null
+++ b/patches.suse/net-mlx5e-Add-a-lock-on-tir-list.patch
@@ -0,0 +1,78 @@
+From: Yuval Avnery <yuvalav@mellanox.com>
+Date: Mon, 11 Mar 2019 06:18:24 +0200
+Subject: net/mlx5e: Add a lock on tir list
+Git-commit: 80a2a9026b24c6bd34b8d58256973e22270bedec
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+Refresh tirs is looping over a global list of tirs while netdevs are
+adding and removing tirs from that list. That is why a lock is
+required.
+
+Fixes: 724b2aa15126 ("net/mlx5e: TIRs management refactoring")
+Signed-off-by: Yuval Avnery <yuvalav@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_common.c | 7 +++++++
+ include/linux/mlx5/driver.h | 2 ++
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_common.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_common.c
+@@ -45,7 +45,9 @@ int mlx5e_create_tir(struct mlx5_core_de
+ if (err)
+ return err;
+
++ mutex_lock(&mdev->mlx5e_res.td.list_lock);
+ list_add(&tir->list, &mdev->mlx5e_res.td.tirs_list);
++ mutex_unlock(&mdev->mlx5e_res.td.list_lock);
+
+ return 0;
+ }
+@@ -53,8 +55,10 @@ int mlx5e_create_tir(struct mlx5_core_de
+ void mlx5e_destroy_tir(struct mlx5_core_dev *mdev,
+ struct mlx5e_tir *tir)
+ {
++ mutex_lock(&mdev->mlx5e_res.td.list_lock);
+ mlx5_core_destroy_tir(mdev, tir->tirn);
+ list_del(&tir->list);
++ mutex_unlock(&mdev->mlx5e_res.td.list_lock);
+ }
+
+ static int mlx5e_create_mkey(struct mlx5_core_dev *mdev, u32 pdn,
+@@ -114,6 +118,7 @@ int mlx5e_create_mdev_resources(struct m
+ }
+
+ INIT_LIST_HEAD(&mdev->mlx5e_res.td.tirs_list);
++ mutex_init(&mdev->mlx5e_res.td.list_lock);
+
+ return 0;
+
+@@ -159,6 +164,7 @@ int mlx5e_refresh_tirs(struct mlx5e_priv
+
+ MLX5_SET(modify_tir_in, in, bitmask.self_lb_en, 1);
+
++ mutex_lock(&mdev->mlx5e_res.td.list_lock);
+ list_for_each_entry(tir, &mdev->mlx5e_res.td.tirs_list, list) {
+ tirn = tir->tirn;
+ err = mlx5_core_modify_tir(mdev, tirn, in, inlen);
+@@ -170,6 +176,7 @@ out:
+ kvfree(in);
+ if (err)
+ netdev_err(priv->netdev, "refresh tir(0x%x) failed, %d\n", tirn, err);
++ mutex_unlock(&mdev->mlx5e_res.td.list_lock);
+
+ return err;
+ }
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -745,6 +745,8 @@ struct mlx5_pagefault {
+ };
+
+ struct mlx5_td {
++ /* protects tirs list changes while tirs refresh */
++ struct mutex list_lock;
+ struct list_head tirs_list;
+ u32 tdn;
+ };
diff --git a/patches.suse/net-mlx5e-Fix-error-handling-when-refreshing-TIRs.patch b/patches.suse/net-mlx5e-Fix-error-handling-when-refreshing-TIRs.patch
new file mode 100644
index 0000000000..6ee2167308
--- /dev/null
+++ b/patches.suse/net-mlx5e-Fix-error-handling-when-refreshing-TIRs.patch
@@ -0,0 +1,43 @@
+From: Gavi Teitz <gavi@mellanox.com>
+Date: Mon, 11 Mar 2019 11:56:34 +0200
+Subject: net/mlx5e: Fix error handling when refreshing TIRs
+Git-commit: bc87a0036826a37b43489b029af8143bd07c6cca
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+Previously, a false positive would be caught if the TIRs list is
+empty, since the err value was initialized to -ENOMEM, and was only
+updated if a TIR is refreshed. This is resolved by initializing the
+err value to zero.
+
+Fixes: b676f653896a ("net/mlx5e: Refactor refresh TIRs")
+Signed-off-by: Gavi Teitz <gavi@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_common.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_common.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_common.c
+@@ -141,15 +141,17 @@ int mlx5e_refresh_tirs(struct mlx5e_priv
+ {
+ struct mlx5_core_dev *mdev = priv->mdev;
+ struct mlx5e_tir *tir;
+- int err = -ENOMEM;
++ int err = 0;
+ u32 tirn = 0;
+ int inlen;
+ void *in;
+
+ inlen = MLX5_ST_SZ_BYTES(modify_tir_in);
+ in = kvzalloc(inlen, GFP_KERNEL);
+- if (!in)
++ if (!in) {
++ err = -ENOMEM;
+ goto out;
++ }
+
+ if (enable_uc_lb)
+ MLX5_SET(modify_tir_in, in, ctx.self_lb_block,
diff --git a/patches.suse/net-sched-act_sample-fix-divide-by-zero-in-the-traff.patch b/patches.suse/net-sched-act_sample-fix-divide-by-zero-in-the-traff.patch
new file mode 100644
index 0000000000..24920c5770
--- /dev/null
+++ b/patches.suse/net-sched-act_sample-fix-divide-by-zero-in-the-traff.patch
@@ -0,0 +1,96 @@
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Thu, 4 Apr 2019 12:31:35 +0200
+Subject: net/sched: act_sample: fix divide by zero in the traffic path
+Git-commit: fae2708174ae95d98d19f194e03d6e8f688ae195
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+the control path of 'sample' action does not validate the value of 'rate'
+provided by the user, but then it uses it as divisor in the traffic path.
+Validate it in tcf_sample_init(), and return -EINVAL with a proper extack
+message in case that value is zero, to fix a splat with the script below:
+
+ # tc f a dev test0 egress matchall action sample rate 0 group 1 index 2
+ # tc -s a s action sample
+ total acts 1
+
+ action order 0: sample rate 1/0 group 1 pipe
+ index 2 ref 1 bind 1 installed 19 sec used 19 sec
+ Action statistics:
+ Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
+ backlog 0b 0p requeues 0
+ # ping 192.0.2.1 -I test0 -c1 -q
+
+ divide error: 0000 [#1] SMP PTI
+ CPU: 1 PID: 6192 Comm: ping Not tainted 5.1.0-rc2.diag2+ #591
+ Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ RIP: 0010:tcf_sample_act+0x9e/0x1e0 [act_sample]
+ Code: 6a f1 85 c0 74 0d 80 3d 83 1a 00 00 00 0f 84 9c 00 00 00 4d 85 e4 0f 84 85 00 00 00 e8 9b d7 9c f1 44 8b 8b e0 00 00 00 31 d2 <41> f7 f1 85 d2 75 70 f6 85 83 00 00 00 10 48 8b 45 10 8b 88 08 01
+ RSP: 0018:ffffae320190ba30 EFLAGS: 00010246
+ RAX: 00000000b0677d21 RBX: ffff8af1ed9ec000 RCX: 0000000059a9fe49
+ RDX: 0000000000000000 RSI: 000000000c7e33b7 RDI: ffff8af23daa0af0
+ RBP: ffff8af1ee11b200 R08: 0000000074fcaf7e R09: 0000000000000000
+ R10: 0000000000000050 R11: ffffffffb3088680 R12: ffff8af232307f80
+ R13: 0000000000000003 R14: ffff8af1ed9ec000 R15: 0000000000000000
+ FS: 00007fe9c6d2f740(0000) GS:ffff8af23da80000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fff6772f000 CR3: 00000000746a2004 CR4: 00000000001606e0
+ Call Trace:
+ tcf_action_exec+0x7c/0x1c0
+ tcf_classify+0x57/0x160
+ __dev_queue_xmit+0x3dc/0xd10
+ ip_finish_output2+0x257/0x6d0
+ ip_output+0x75/0x280
+ ip_send_skb+0x15/0x40
+ raw_sendmsg+0xae3/0x1410
+ sock_sendmsg+0x36/0x40
+ __sys_sendto+0x10e/0x140
+ __x64_sys_sendto+0x24/0x30
+ do_syscall_64+0x60/0x210
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [...]
+ Kernel panic - not syncing: Fatal exception in interrupt
+
+Add a TDC selftest to document that 'rate' is now being validated.
+
+[js] no selftest in 4.12 yet
+
+Reported-by: Matteo Croce <mcroce@redhat.com>
+Fixes: 5c5670fae430 ("net/sched: Introduce sample tc action")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Acked-by: Yotam Gigi <yotam.gi@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sched/act_sample.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_sample.c
++++ b/net/sched/act_sample.c
+@@ -43,6 +43,7 @@ static int tcf_sample_init(struct net *n
+ struct tc_action_net *tn = net_generic(net, sample_net_id);
+ struct nlattr *tb[TCA_SAMPLE_MAX + 1];
+ struct psample_group *psample_group;
++ u32 rate;
+ struct tc_sample *parm;
+ struct tcf_sample *s;
+ bool exists = false;
+@@ -74,10 +75,17 @@ static int tcf_sample_init(struct net *n
+ if (!ovr)
+ return -EEXIST;
+ }
++
++ rate = nla_get_u32(tb[TCA_SAMPLE_RATE]);
++ if (!rate) {
++ if (ret == ACT_P_CREATED)
++ tcf_hash_release(*a, bind);
++ return -EINVAL;
++ }
+ s = to_sample(*a);
+
+ s->tcf_action = parm->action;
+- s->rate = nla_get_u32(tb[TCA_SAMPLE_RATE]);
++ s->rate = rate;
+ s->psample_group_num = nla_get_u32(tb[TCA_SAMPLE_PSAMPLE_GROUP]);
+ psample_group = psample_group_get(net, s->psample_group_num);
+ if (!psample_group) {
diff --git a/patches.suse/net-sched-fix-get-helper-of-the-matchall-cls.patch b/patches.suse/net-sched-fix-get-helper-of-the-matchall-cls.patch
new file mode 100644
index 0000000000..2972c257b6
--- /dev/null
+++ b/patches.suse/net-sched-fix-get-helper-of-the-matchall-cls.patch
@@ -0,0 +1,54 @@
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Thu, 28 Mar 2019 10:35:06 +0100
+Subject: net/sched: fix ->get helper of the matchall cls
+Git-commit: 0db6f8befc32c68bb13d7ffbb2e563c79e913e13
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+It returned always NULL, thus it was never possible to get the filter.
+
+Example:
+$ ip link add foo type dummy
+$ ip link add bar type dummy
+$ tc qdisc add dev foo clsact
+$ tc filter add dev foo protocol all pref 1 ingress handle 1234 \
+ matchall action mirred ingress mirror dev bar
+
+Before the patch:
+$ tc filter get dev foo protocol all pref 1 ingress handle 1234 matchall
+Error: Specified filter handle not found.
+We have an error talking to the kernel
+
+After:
+$ tc filter get dev foo protocol all pref 1 ingress handle 1234 matchall
+filter ingress protocol all pref 1 matchall chain 0 handle 0x4d2
+ not_in_hw
+ action order 1: mirred (Ingress Mirror to device bar) pipe
+ index 1 ref 1 bind 1
+
+[js] mall_get returns ulong in 4.12 yet
+
+CC: Yotam Gigi <yotamg@mellanox.com>
+CC: Jiri Pirko <jiri@mellanox.com>
+Fixes: fd62d9f5c575 ("net/sched: matchall: Fix configuration race")
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sched/cls_matchall.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/sched/cls_matchall.c
++++ b/net/sched/cls_matchall.c
+@@ -103,6 +103,11 @@ static void mall_destroy(struct tcf_prot
+
+ static unsigned long mall_get(struct tcf_proto *tp, u32 handle)
+ {
++ struct cls_mall_head *head = rtnl_dereference(tp->root);
++
++ if (head && head->handle == handle)
++ return (unsigned long)head;
++
+ return 0UL;
+ }
+
diff --git a/patches.suse/sched-do-not-re-read-h_load_next-during-hierarchical-load-calculation.patch b/patches.suse/sched-do-not-re-read-h_load_next-during-hierarchical-load-calculation.patch
index 0fe5e22a26..256f20bd84 100644
--- a/patches.suse/sched-do-not-re-read-h_load_next-during-hierarchical-load-calculation.patch
+++ b/patches.suse/sched-do-not-re-read-h_load_next-during-hierarchical-load-calculation.patch
@@ -5,7 +5,8 @@ Subject: [PATCH] sched: Do not re-read h_load_next during hierarchical load
calculation
References: bnc#1120909
-Patch-mainline: No, under review, expected in 5.1
+Patch-mainline: v5.1
+Git-commit: 0e9f02450da07fc7b1346c8c32c771555173e397
A NULL pointer dereference bug was reported on a distribution kernel but
the same issue should be present on mainline kernel. It occured on s390
@@ -46,14 +47,12 @@ Reviewed-by: Valentin Schneider <valentin.schneider@arm.com>
Signed-off-by: Mel Gorman <mgorman@suse.com>
Cc: stable@vger.kernel.org
---
- kernel/sched/fair.c | 6 +++---
+ kernel/sched/fair.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
-diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
-index 310d0637fe4b..5e61a1a99e38 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
-@@ -7713,10 +7713,10 @@ static void update_cfs_rq_h_load(struct cfs_rq *cfs_rq)
+@@ -7455,10 +7455,10 @@ static void update_cfs_rq_h_load(struct
if (cfs_rq->last_h_load_update == now)
return;
@@ -66,7 +65,7 @@ index 310d0637fe4b..5e61a1a99e38 100644
if (cfs_rq->last_h_load_update == now)
break;
}
-@@ -7726,7 +7726,7 @@ static void update_cfs_rq_h_load(struct cfs_rq *cfs_rq)
+@@ -7468,7 +7468,7 @@ static void update_cfs_rq_h_load(struct
cfs_rq->last_h_load_update = now;
}
diff --git a/patches.suse/sctp-initialize-_pad-of-sockaddr_in-before-copying-t.patch b/patches.suse/sctp-initialize-_pad-of-sockaddr_in-before-copying-t.patch
new file mode 100644
index 0000000000..38ac04eeb5
--- /dev/null
+++ b/patches.suse/sctp-initialize-_pad-of-sockaddr_in-before-copying-t.patch
@@ -0,0 +1,53 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 31 Mar 2019 16:58:15 +0800
+Subject: sctp: initialize _pad of sockaddr_in before copying to user memory
+Git-commit: 09279e615c81ce55e04835970601ae286e3facbe
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+Syzbot report a kernel-infoleak:
+
+ BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
+ Call Trace:
+ _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
+ copy_to_user include/linux/uaccess.h:174 [inline]
+ sctp_getsockopt_peer_addrs net/sctp/socket.c:5911 [inline]
+ sctp_getsockopt+0x1668e/0x17f70 net/sctp/socket.c:7562
+ ...
+ Uninit was stored to memory at:
+ sctp_transport_init net/sctp/transport.c:61 [inline]
+ sctp_transport_new+0x16d/0x9a0 net/sctp/transport.c:115
+ sctp_assoc_add_peer+0x532/0x1f70 net/sctp/associola.c:637
+ sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
+ sctp_process_init+0x1a1b/0x3ed0 net/sctp/sm_make_chunk.c:2361
+ ...
+ Bytes 8-15 of 16 are uninitialized
+
+It was caused by that th _pad field (the 8-15 bytes) of a v4 addr (saved in
+struct sockaddr_in) wasn't initialized, but directly copied to user memory
+in sctp_getsockopt_peer_addrs().
+
+So fix it by calling memset(addr->v4.sin_zero, 0, 8) to initialize _pad of
+sockaddr_in before copying it to user memory in sctp_v4_addr_to_user(), as
+sctp_v6_addr_to_user() does.
+
+Reported-by: syzbot+86b5c7c236a22616a72f@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Tested-by: Alexander Potapenko <glider@google.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sctp/protocol.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -606,6 +606,7 @@ out:
+ static int sctp_v4_addr_to_user(struct sctp_sock *sp, union sctp_addr *addr)
+ {
+ /* No address mapping for V4 sockets */
++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
+ return sizeof(struct sockaddr_in);
+ }
+
diff --git a/patches.suse/tcp-Ensure-DCTCP-reacts-to-losses.patch b/patches.suse/tcp-Ensure-DCTCP-reacts-to-losses.patch
new file mode 100644
index 0000000000..ea5f9b6086
--- /dev/null
+++ b/patches.suse/tcp-Ensure-DCTCP-reacts-to-losses.patch
@@ -0,0 +1,140 @@
+From: Koen De Schepper <koen.de_schepper@nokia-bell-labs.com>
+Date: Thu, 4 Apr 2019 12:24:02 +0000
+Subject: tcp: Ensure DCTCP reacts to losses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: aecfde23108b8e637d9f5c5e523b24fb97035dc3
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+RFC8257 §3.5 explicitly states that "A DCTCP sender MUST react to
+loss episodes in the same way as conventional TCP".
+
+Currently, Linux DCTCP performs no cwnd reduction when losses
+are encountered. Optionally, the dctcp_clamp_alpha_on_loss resets
+alpha to its maximal value if a RTO happens. This behavior
+is sub-optimal for at least two reasons: i) it ignores losses
+triggering fast retransmissions; and ii) it causes unnecessary large
+cwnd reduction in the future if the loss was isolated as it resets
+the historical term of DCTCP's alpha EWMA to its maximal value (i.e.,
+denoting a total congestion). The second reason has an especially
+noticeable effect when using DCTCP in high BDP environments, where
+alpha normally stays at low values.
+
+This patch replace the clamping of alpha by setting ssthresh to
+half of cwnd for both fast retransmissions and RTOs, at most once
+per RTT. Consequently, the dctcp_clamp_alpha_on_loss module parameter
+has been removed.
+
+The table below shows experimental results where we measured the
+drop probability of a PIE AQM (not applying ECN marks) at a
+bottleneck in the presence of a single TCP flow with either the
+alpha-clamping option enabled or the cwnd halving proposed by this
+patch. Results using reno or cubic are given for comparison.
+
+ | Link | RTT | Drop
+ TCP CC | speed | base+AQM | probability
+ ==================|=========|==========|============
+ CUBIC | 40Mbps | 7+20ms | 0.21%
+ RENO | | | 0.19%
+ DCTCP-CLAMP-ALPHA | | | 25.80%
+ DCTCP-HALVE-CWND | | | 0.22%
+ ------------------|---------|----------|------------
+ CUBIC | 100Mbps | 7+20ms | 0.03%
+ RENO | | | 0.02%
+ DCTCP-CLAMP-ALPHA | | | 23.30%
+ DCTCP-HALVE-CWND | | | 0.04%
+ ------------------|---------|----------|------------
+ CUBIC | 800Mbps | 1+1ms | 0.04%
+ RENO | | | 0.05%
+ DCTCP-CLAMP-ALPHA | | | 18.70%
+ DCTCP-HALVE-CWND | | | 0.06%
+
+We see that, without halving its cwnd for all source of losses,
+DCTCP drives the AQM to large drop probabilities in order to keep
+the queue length under control (i.e., it repeatedly faces RTOs).
+Instead, if DCTCP reacts to all source of losses, it can then be
+controlled by the AQM using similar drop levels than cubic or reno.
+
+Signed-off-by: Koen De Schepper <koen.de_schepper@nokia-bell-labs.com>
+Signed-off-by: Olivier Tilmans <olivier.tilmans@nokia-bell-labs.com>
+Cc: Bob Briscoe <research@bobbriscoe.net>
+Cc: Lawrence Brakmo <brakmo@fb.com>
+Cc: Florian Westphal <fw@strlen.de>
+Cc: Daniel Borkmann <borkmann@iogearbox.net>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Andrew Shewmaker <agshew@gmail.com>
+Cc: Glenn Judd <glenn.judd@morganstanley.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/tcp_dctcp.c | 36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+--- a/net/ipv4/tcp_dctcp.c
++++ b/net/ipv4/tcp_dctcp.c
+@@ -67,11 +67,6 @@ static unsigned int dctcp_alpha_on_init
+ module_param(dctcp_alpha_on_init, uint, 0644);
+ MODULE_PARM_DESC(dctcp_alpha_on_init, "parameter for initial alpha value");
+
+-static unsigned int dctcp_clamp_alpha_on_loss __read_mostly;
+-module_param(dctcp_clamp_alpha_on_loss, uint, 0644);
+-MODULE_PARM_DESC(dctcp_clamp_alpha_on_loss,
+- "parameter for clamping alpha on loss");
+-
+ static struct tcp_congestion_ops dctcp_reno;
+
+ static void dctcp_reset(const struct tcp_sock *tp, struct dctcp *ca)
+@@ -213,21 +208,23 @@ static void dctcp_update_alpha(struct so
+ }
+ }
+
+-static void dctcp_state(struct sock *sk, u8 new_state)
++static void dctcp_react_to_loss(struct sock *sk)
+ {
+- if (dctcp_clamp_alpha_on_loss && new_state == TCP_CA_Loss) {
+- struct dctcp *ca = inet_csk_ca(sk);
++ struct dctcp *ca = inet_csk_ca(sk);
++ struct tcp_sock *tp = tcp_sk(sk);
+
+- /* If this extension is enabled, we clamp dctcp_alpha to
+- * max on packet loss; the motivation is that dctcp_alpha
+- * is an indicator to the extend of congestion and packet
+- * loss is an indicator of extreme congestion; setting
+- * this in practice turned out to be beneficial, and
+- * effectively assumes total congestion which reduces the
+- * window by half.
+- */
+- ca->dctcp_alpha = DCTCP_MAX_ALPHA;
+- }
++ ca->loss_cwnd = tp->snd_cwnd;
++ tp->snd_ssthresh = max(tp->snd_cwnd >> 1U, 2U);
++}
++
++static void dctcp_state(struct sock *sk, u8 new_state)
++{
++ if (new_state == TCP_CA_Recovery &&
++ new_state != inet_csk(sk)->icsk_ca_state)
++ dctcp_react_to_loss(sk);
++ /* We handle RTO in dctcp_cwnd_event to ensure that we perform only
++ * one loss-adjustment per RTT.
++ */
+ }
+
+ static void dctcp_update_ack_reserved(struct sock *sk, enum tcp_ca_event ev)
+@@ -258,6 +255,9 @@ static void dctcp_cwnd_event(struct sock
+ case CA_EVENT_ECN_NO_CE:
+ dctcp_ce_state_1_to_0(sk);
+ break;
++ case CA_EVENT_LOSS:
++ dctcp_react_to_loss(sk);
++ break;
+ case CA_EVENT_DELAYED_ACK:
+ case CA_EVENT_NON_DELAYED_ACK:
+ dctcp_update_ack_reserved(sk, ev);
diff --git a/patches.suse/vrf-check-accept_source_route-on-the-original-netdev.patch b/patches.suse/vrf-check-accept_source_route-on-the-original-netdev.patch
new file mode 100644
index 0000000000..b05e22363f
--- /dev/null
+++ b/patches.suse/vrf-check-accept_source_route-on-the-original-netdev.patch
@@ -0,0 +1,89 @@
+From: Stephen Suryaputra <ssuryaextr@gmail.com>
+Date: Mon, 1 Apr 2019 09:17:32 -0400
+Subject: vrf: check accept_source_route on the original netdevice
+Git-commit: 8c83f2df9c6578ea4c5b940d8238ad8a41b87e9e
+Patch-mainline: v5.1-rc4
+References: networking-stable-19_04_10
+
+Configuration check to accept source route IP options should be made on
+the incoming netdevice when the skb->dev is an l3mdev master. The route
+lookup for the source route next hop also needs the incoming netdev.
+
+v2->v3:
+- Simplify by passing the original netdevice down the stack (per David
+ Ahern).
+
+Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/net/ip.h | 2 +-
+ net/ipv4/ip_input.c | 7 +++----
+ net/ipv4/ip_options.c | 4 ++--
+ 3 files changed, 6 insertions(+), 7 deletions(-)
+
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -594,7 +594,7 @@ int ip_options_get_from_user(struct net
+ unsigned char __user *data, int optlen);
+ void ip_options_undo(struct ip_options *opt);
+ void ip_forward_options(struct sk_buff *skb);
+-int ip_options_rcv_srr(struct sk_buff *skb);
++int ip_options_rcv_srr(struct sk_buff *skb, struct net_device *dev);
+
+ /*
+ * Functions provided by ip_sockglue.c
+--- a/net/ipv4/ip_input.c
++++ b/net/ipv4/ip_input.c
+@@ -259,11 +259,10 @@ int ip_local_deliver(struct sk_buff *skb
+ ip_local_deliver_finish);
+ }
+
+-static inline bool ip_rcv_options(struct sk_buff *skb)
++static inline bool ip_rcv_options(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct ip_options *opt;
+ const struct iphdr *iph;
+- struct net_device *dev = skb->dev;
+
+ /* It looks as overkill, because not all
+ IP options require packet mangling.
+@@ -299,7 +298,7 @@ static inline bool ip_rcv_options(struct
+ }
+ }
+
+- if (ip_options_rcv_srr(skb))
++ if (ip_options_rcv_srr(skb, dev))
+ goto drop;
+ }
+
+@@ -362,7 +361,7 @@ static int ip_rcv_finish(struct net *net
+ }
+ #endif
+
+- if (iph->ihl > 5 && ip_rcv_options(skb))
++ if (iph->ihl > 5 && ip_rcv_options(skb, dev))
+ goto drop;
+
+ rt = skb_rtable(skb);
+--- a/net/ipv4/ip_options.c
++++ b/net/ipv4/ip_options.c
+@@ -614,7 +614,7 @@ void ip_forward_options(struct sk_buff *
+ }
+ }
+
+-int ip_options_rcv_srr(struct sk_buff *skb)
++int ip_options_rcv_srr(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct ip_options *opt = &(IPCB(skb)->opt);
+ int srrspace, srrptr;
+@@ -649,7 +649,7 @@ int ip_options_rcv_srr(struct sk_buff *s
+
+ orefdst = skb->_skb_refdst;
+ skb_dst_set(skb, NULL);
+- err = ip_route_input(skb, nexthop, iph->saddr, iph->tos, skb->dev);
++ err = ip_route_input(skb, nexthop, iph->saddr, iph->tos, dev);
+ rt2 = skb_rtable(skb);
+ if (err || (rt2->rt_type != RTN_UNICAST && rt2->rt_type != RTN_LOCAL)) {
+ skb_dst_drop(skb);
diff --git a/series.conf b/series.conf
index 759dddb283..3606ed74ae 100644
--- a/series.conf
+++ b/series.conf
@@ -3507,13 +3507,21 @@
patches.fixes/xfs-release-bli-from-transaction-properly-on-fs-shut.patch
patches.fixes/xfs-remove-bli-from-AIL-before-release-on-transactio.patch
patches.fixes/xfs-remove-double-underscore-integer-types.patch
+ patches.fixes/xfs-export-various-function-for-the-online-scrubber.patch
+ patches.fixes/xfs-export-_inobt_btrec_to_irec-and-_ialloc_cluster_.patch
patches.fixes/xfs-check-if-an-inode-is-cached-and-allocated.patch
patches.fixes/xfs-reflink-find-shared-should-take-a-transaction.patch
+ patches.fixes/xfs-make-errortag-a-per-mountpoint-structure.patch
+ patches.fixes/xfs-expose-errortag-knobs-via-sysfs.patch
+ patches.fixes/xfs-remove-unneeded-parameter-from-XFS_TEST_ERROR.patch
+ patches.fixes/xfs-convert-drop_writes-to-use-the-errortag-mechanis.patch
+ patches.fixes/xfs-replace-log_badcrc_factor-knob-with-error-inject.patch
patches.fixes/xfs-rewrite-xfs_dq_get_next_id-using-xfs_iext_lookup.patch
patches.fixes/vfs-Add-page_cache_seek_hole_data-helper.patch
patches.fixes/vfs-Add-iomap_seek_hole-and-iomap_seek_data-helpers.patch
patches.fixes/xfs-Switch-to-iomap-for-SEEK_HOLE-SEEK_DATA.patch
patches.fixes/xfs-fix-contiguous-dquot-chunk-iteration-livelock.patch
+ patches.fixes/xfs-rename-MAXPATHLEN-to-XFS_SYMLINK_MAXLEN.patch
patches.drivers/ipmi_ssif-unlock-on-allocation-failure
patches.drivers/0007-ipmi_ssif-remove-redundant-null-check-on-array-clien.patch
patches.drivers/0008-ipmi-Use-the-proper-default-value-for-register-size-.patch
@@ -4079,6 +4087,7 @@
patches.suse/KVM-nVMX-Fix-loss-of-L2-s-NMI-blocking-state.patch
patches.suse/KVM-s390-take-srcu-lock-when-getting-setting-storage.patch
patches.suse/KVM-LAPIC-Fix-reentrancy-issues-with-preempt-notifie.patch
+ patches.fixes/xfs-check-_btree_check_block-value.patch
patches.fixes/xfs-fix-quotacheck-dquot-id-overflow-infinite-loop.patch
patches.fixes/0001-NFS-Optimize-fallocate-by-refreshing-mapping-when-ne.patch
patches.fixes/perf-x86-intel-uncore-fix-skylake-upi-pmu-event-masks.patch
@@ -5498,6 +5507,7 @@
patches.fixes/xfs-fix-recovery-failure-when-log-record-header-wrap.patch
patches.fixes/xfs-always-verify-the-log-tail-during-recovery.patch
patches.fixes/xfs-fix-log-recovery-corruption-error-due-to-tail-ov.patch
+ patches.fixes/xfs-add-log-item-pinning-error-injection-tag.patch
patches.fixes/xfs-handle-EFSCORRUPTED-during-head-tail-verificatio.patch
patches.fixes/xfs-stop-searching-for-free-slots-in-an-inode-chunk-.patch
patches.fixes/xfs-evict-all-inodes-involved-with-log-redo-item.patch
@@ -8206,7 +8216,12 @@
patches.fixes/0026-xfs-replace-xfs_bmbt_lookup_ge-with-xfs_bmbt_lookup_.patch
patches.fixes/0027-xfs-remove-all-xfs_bmbt_set_-helpers-except-for-xfs_.patch
patches.fixes/0028-xfs-remove-xfs_bmbt_get_state.patch
+ patches.fixes/xfs-buffer-lru-reference-count-error-injection-tag.patch
patches.fixes/xfs-return-a-distinct-error-code-value-for-IGET_INCO.patch
+ patches.fixes/xfs-create-block-pointer-check-functions.patch
+ patches.fixes/xfs-refactor-btree-pointer-checks.patch
+ patches.fixes/xfs-refactor-btree-block-header-checking-functions.patch
+ patches.fixes/xfs-create-inode-pointer-verifiers.patch
patches.fixes/0029-xfs-add-a-xfs_bmap_fork_to_state-helper.patch
patches.fixes/0030-xfs-make-better-use-of-the-state-variable-in-xfs_bma.patch
patches.fixes/0031-xfs-remove-post-bmap-tracing-in-xfs_bmap_local_to_ex.patch
@@ -8227,6 +8242,8 @@
patches.fixes/0046-xfs-add-a-new-xfs_iext_lookup_extent_before-helper.patch
patches.fixes/xfs-fix-log-block-underflow-during-recovery-c.patch
patches.fixes/xfs-validate-sb_logsunit-is-a-multiple-of-the-fs-blo.patch
+ patches.fixes/xfs-fix-unused-variable-warning-in-xfs_buf_set_ref.patch
+ patches.fixes/xfs-move-error-injection-tags-into-their-own-file.patch
patches.fixes/xfs-truncate-pagecache-before-writeback-in-xfs_setat.patch
patches.fixes/0047-xfs-don-t-create-overlapping-extents-in-xfs_bmap_add.patch
patches.fixes/0048-xfs-remove-a-duplicate-assignment-in-xfs_bmap_add_ex.patch
@@ -14970,6 +14987,7 @@
patches.fixes/xfs-convert-XFS_AGFL_SIZE-to-a-helper-function.patch
patches.fixes/xfs-remove-xfs_zero_range.patch
patches.fixes/xfs-detect-agfl-count-corruption-and-reset-agfl.patch
+ patches.fixes/xfs-sanity-check-the-unused-space-before-trying-to-u.patch
patches.fixes/xfs-catch-inode-allocation-state-mismatch-corruption.patch
patches.suse/btrfs-do-not-check-inode-s-runtime-flags-under-root-orphan_lock.patch
patches.suse/0014-btrfs-tree-checker-Replace-root-parameter-with-fs_in.patch
@@ -15530,6 +15548,10 @@
patches.suse/net-ipv6-Increment-OUTxxx-counters-after-netfilter-h.patch
patches.drivers/net-sched-fix-NULL-dereference-in-the-error-path-of--3239534a.patch
patches.drivers/crypto-af_alg-fix-possible-uninit-value-in-alg_bind
+ patches.fixes/0001-netlink-fix-uninit-value-in-netlink_sendmsg.patch
+ patches.fixes/0002-net-fix-rtnh_ok.patch
+ patches.fixes/0003-net-initialize-skb-peeked-when-cloning.patch
+ patches.fixes/0004-net-fix-uninit-value-in-__hw_addr_add_ex.patch
patches.fixes/soreuseport-initialise-timewait-reuseport-field.patch
patches.suse/sctp-do-not-leak-kernel-memory-to-user-space.patch
patches.suse/sctp-sctp_sockaddr_af-must-check-minimal-addr-length.patch
@@ -15539,6 +15561,7 @@
patches.drivers/ibmvnic-Fix-failover-case-for-non-redundant-configur.patch
patches.drivers/ibmvnic-Do-not-reset-CRQ-for-Mobility-driver-resets.patch
patches.drivers/dp83640-Ensure-against-premature-access-to-PHY-regis
+ patches.fixes/0005-inetpeer-fix-uninit-value-in-inet_getpeer.patch
patches.drivers/net-thunderx-rework-mac-addresses-list-to-u64-array.patch
patches.drivers/hwmon-pmbus-max8688-Accept-negative-page-register-va
patches.drivers/hwmon-pmbus-adm1275-Accept-negative-page-register-va
@@ -15839,6 +15862,8 @@
patches.suse/tcp-don-t-read-out-of-bounds-opsize.patch
patches.suse/bonding-do-not-set-slave_dev-npinfo-before-slave_ena.patch
patches.suse/ipv6-add-RTA_TABLE-and-RTA_PREFSRC-to-rtm_ipv6_polic.patch
+ patches.fixes/0006-ipvs-fix-rtnl_lock-lockups-caused-by-start_sync_thre.patch
+ patches.fixes/0007-netfilter-nf_tables-can-t-fail-after-linking-rule-in.patch
patches.suse/l2tp-check-sockaddr-length-in-pppol2tp_connect.patch
patches.suse/pppoe-check-sockaddr-length-in-pppoe_connect.patch
patches.suse/amd-xgbe-Add-pre-post-auto-negotiation-phy-hooks.patch
@@ -16145,6 +16170,7 @@
patches.drivers/net-mlx5-Free-IRQs-in-shutdown-path.patch
patches.suse/net-mlx5-E-Switch-Include-VF-RDMA-stats-in-vport-sta.patch
patches.suse/net-mlx5e-Err-if-asked-to-offload-TC-match-on-frag-b.patch
+ patches.fixes/0008-rxrpc-Fix-error-reception-on-AF_INET6-sockets.patch
patches.drivers/ixgbe-return-error-on-unsupported-SFP-module-when-re.patch
patches.drivers/ixgbevf-fix-ixgbevf_xmit_frame-s-return-type.patch
patches.suse/net-sched-fix-error-path-in-tcf_proto_create-when-mo.patch
@@ -16260,8 +16286,10 @@
patches.suse/btrfs-fix-xattr-loss-after-power-failure.patch
patches.suse/btrfs-fix-duplicate-extents-after-fsync-of-file-with.patch
patches.suse/0002-btrfs-fix-reading-stale-metadata-blocks-after-degrad.patch
+ patches.fixes/0009-packet-in-packet_snd-start-writing-at-link-layer-all.patch
patches.drivers/qede-Fix-ref-cnt-usage-count.patch
patches.suse/netfilter-nf_tables-nft_compat-fix-refcount-leak-on-.patch
+ patches.fixes/0010-ipvs-fix-stats-update-from-local-clients.patch
patches.suse/netfilter-nf_tables-don-t-assume-chain-stats-are-set.patch
patches.suse/netfilter-nft_compat-prepare-for-indirect-info-stora.patch
patches.suse/netfilter-nft_compat-fix-handling-of-large-matchinfo.patch
@@ -16272,10 +16300,13 @@
patches.drivers/vmxnet3-set-the-DMA-mask-before-the-first-DMA-map-op.patch
patches.drivers/vmxnet3-use-DMA-memory-barriers-where-required.patch
patches.drivers/net-mlx5-Fix-build-break-when-CONFIG_SMP-n.patch
+ patches.fixes/0011-tcp-purge-write-queue-in-tcp_connect_init.patch
patches.drivers/qed-LL2-flush-isles-when-connection-is-closed.patch
patches.drivers/ibmvnic-Free-coherent-DMA-memory-if-FW-map-failed.patch
patches.drivers/ibmvnic-Fix-non-fatal-firmware-error-reset.patch
patches.drivers/ibmvnic-Fix-statistics-buffers-memory-leak.patch
+ patches.fixes/0012-net-test-tailroom-before-appending-to-linear-skb.patch
+ patches.fixes/0013-net-Fix-a-bug-in-removing-queues-from-XPS-map.patch
patches.fixes/sock_diag-fix-use-after-free-read-in-__sk_free.patch
patches.drivers/net-sched-red-avoid-hashing-NULL-child.patch
patches.drivers/cxgb4-fix-offset-in-collecting-TX-rate-limit-info.patch
@@ -16387,6 +16418,7 @@
patches.suse/net-phy-broadcom-Fix-auxiliary-control-register-read.patch
patches.suse/net-phy-broadcom-Fix-bcm_write_exp.patch
patches.suse/net-mlx4-Fix-irq-unsafe-spinlock-usage.patch
+ patches.fixes/0001-packet-fix-reserve-calculation.patch
patches.suse/net-mlx5e-When-RXFCS-is-set-add-FCS-data-into-checks.patch
patches.drivers/net-mlx5-IPSec-Fix-a-race-between-concurrent-sandbox.patch
patches.suse/vhost-synchronize-IOTLB-message-with-dev-cleanup.patch
@@ -16438,7 +16470,10 @@
patches.drm/drm-i915-lvds-Move-acpi-lid-notification-registratio
patches.drm/drm-psr-Fix-missed-entry-in-PSR-setup-time-table
patches.fixes/scsi-scsi_transport_srp-fix-shost-to-rport-translation
+ patches.fixes/0014-netfilter-nf_tables-fix-NULL-pointer-dereference-on-.patch
+ patches.fixes/0015-netfilter-ebtables-handle-string-from-userspace-with.patch
patches.suse/netfilter-nft_meta-fix-wrong-value-dereference-in-nf.patch
+ patches.fixes/0016-ipvs-fix-buffer-overflow-with-sync-daemon-and-servic.patch
patches.suse/netfilter-nf_tables-disable-preemption-in-nft_update.patch
patches.suse/ipv6-sr-fix-memory-OOB-access-in-seg6_do_srh_encap-i.patch
patches.fixes/atm-zatm-fix-memcmp-casting.patch
@@ -16450,6 +16485,7 @@
patches.suse/net-ethernet-davinci_emac-fix-error-handling-in-prob.patch
patches.suse/net-sysfs-Fix-memory-leak-in-XPS-configuration.patch
patches.suse/kcm-Fix-use-after-free-caused-by-clonned-sockets.patch
+ patches.fixes/0017-xfrm6-avoid-potential-infinite-loop-in-_decode_sessi.patch
patches.suse/ip6_tunnel-remove-magic-mtu-value-0xFFF8.patch
patches.suse/net-usb-cdc_mbim-add-flag-FLAG_SEND_ZLP.patch
patches.fixes/fix-io_destroy-aio_complete-race.patch
@@ -16687,6 +16723,7 @@
patches.drm/drm-exynos-Fix-default-value-for-zpos-plane-property
patches.drivers/ALSA-usb-audio-simplify-set_sync_ep_implicit_fb_quir
patches.drivers/ALSA-usb-audio-add-more-quirks-for-DSD-interfaces
+ patches.drivers/ALSA-hda-Use-a-macro-for-snd_array-iteration-loops.patch
patches.drivers/ALSA-hda-ca0132-fix-build-failure-when-a-local-macro
patches.drivers/ALSA-usb-audio-Initialize-Dell-Dock-playback-volumes
patches.drivers/ALSA-usb-audio-Avoid-superfluous-usb_set_interface-c
@@ -16765,6 +16802,7 @@
patches.drivers/qed-Delete-unused-parameter-p_ptt-from-mcp-APIs.patch
patches.drivers/qed-Add-configuration-information-to-register-dump-a.patch
patches.drivers/qed-Fix-copying-2-strings.patch
+ patches.fixes/0018-sctp-fix-identification-of-new-acks-for-SFR-CACC.patch
patches.drivers/ixgbe-Drop-support-for-macvlan-specific-unicast-list.patch
patches.drivers/igb-Fix-not-adding-filter-elements-to-the-list.patch
patches.drivers/igb-Fix-queue-selection-on-MAC-filters-on-i210.patch
@@ -17434,6 +17472,7 @@
patches.drivers/rtc-pxa-fix-probe-function
patches.suse/net-in-virtio_net_hdr-only-add-VLAN_HLEN-to-csum_sta.patch
patches.suse/msft-hv-1704-hv_netvsc-Fix-a-network-regression-after-ifdown-ifup.patch
+ patches.fixes/0019-ip_tunnel-Fix-name-string-concatenate-in-__ip_tunnel.patch
patches.suse/bonding-re-evaluate-force_primary-when-the-primary-s.patch
patches.suse/net-sched-act_simple-fix-parsing-of-TCA_DEF_DATA.patch
patches.suse/cdc_ncm-avoid-padding-beyond-end-of-skb.patch
@@ -17551,12 +17590,19 @@
patches.arch/KVM-PPC-Book3S-PR-Add-guest-MSR-parameter-for-kvmppc.patch
patches.suse/ipv6-allow-PMTU-exceptions-to-local-routes.patch
patches.suse/net-dsa-add-error-handling-for-pskb_trim_rcsum.patch
+ patches.fixes/0020-netfilter-nf_tables-check-msg_type-before-nft_trans_.patch
+ patches.fixes/0022-ipvs-fix-check-on-xmit-to-non-local-addresses.patch
+ patches.fixes/0023-netfilter-ebtables-reject-non-bridge-targets.patch
+ patches.fixes/0024-netfilter-x_tables-initialise-match-target-check-par.patch
patches.drivers/ixgbe-Fix-setting-of-TC-configuration-for-macvlan-ca.patch
patches.drivers/net-thunderx-prevent-concurrent-data-re-writing-by-n.patch
patches.fixes/xen-netfront-raise-max-number-of-slots-in-xennet_get_responses.patch
patches.suse/netfilter-nf_tables-use-WARN_ON_ONCE-instead-of-BUG_.patch
patches.suse/tcp-verify-the-checksum-of-the-first-data-segment-in.patch
+ patches.fixes/0025-l2tp-only-accept-PPP-sessions-in-pppol2tp_connect.patch
+ patches.fixes/0026-l2tp-prevent-pppol2tp_connect-from-creating-kernel-s.patch
patches.drivers/cfg80211-initialize-sinfo-in-cfg80211_get_station
+ patches.fixes/0027-l2tp-filter-out-non-PPP-sessions-in-pppol2tp_tunnel_.patch
patches.drivers/0001-video-omap-add-module-license-tags.patch
patches.suse/0001-arch-Kconfig-fix-documentation-for-NMI-watchdog.patch
patches.suse/0001-blk-mq-reinit-q-tag_set_list-entry-only-after-grace-.patch
@@ -17633,6 +17679,7 @@
patches.suse/net-packet-fix-use-after-free.patch
patches.suse/VSOCK-fix-loopback-on-big-endian-systems.patch
patches.suse/vhost_net-validate-sock-before-trying-to-put-its-fd.patch
+ patches.fixes/0028-ipv6-mcast-fix-unsolicited-report-interval-after-rec.patch
patches.suse/net-mvneta-fix-the-Rx-desc-DMA-address-in-the-Rx-pat.patch
patches.suse/net-dccp-avoid-crash-in-ccid3_hc_rx_send_feedback.patch
patches.suse/net-dccp-switch-rx_tstamp_last_feedback-to-monotonic.patch
@@ -17876,6 +17923,7 @@
patches.fixes/ieee802154-fakelb-switch-from-BUG_ON-to-WARN_ON-on-p.patch
patches.fixes/ixgbe-Be-more-careful-when-modifying-MAC-filters.patch
patches.suse/net-systemport-Fix-CRC-forwarding-check-for-SYSTEMPO.patch
+ patches.fixes/0002-packet-reset-network-header-if-packet-shorter-than-l.patch
patches.drivers/qlogic-check-kstrtoul-for-errors.patch
patches.suse/tcp-fix-dctcp-delayed-ACK-schedule.patch
patches.fixes/KEYS-DNS-fix-parsing-multiple-options.patch
@@ -18085,6 +18133,7 @@
patches.arch/kvm-x86-vmx-fix-vpid-leak
patches.suse/0084-Partially-revert-block-fail-op_is_write-requests-to-.patch
patches.drivers/mlxsw-core_acl_flex_actions-Return-error-for-conflic.patch
+ patches.fixes/0003-l2tp-fix-missing-refcount-drop-in-pppol2tp_tunnel_io.patch
patches.arch/s390-sles15sp1-00-12-34-net-smc-no-cursor-update-send-in-state-SMC_INIT.patch
patches.suse/netlink-Don-t-shift-on-64-for-ngroups.patch
patches.fixes/genirq-Make-force-irq-threading-setup-more-robust.patch
@@ -18189,6 +18238,8 @@
patches.fixes/ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch
patches.fixes/xfs-remove-unused-iolock-arg-from-xfs_break_dax_layo.patch
patches.fixes/xfs-detect-and-fix-bad-summary-counts-at-mount.patch
+ patches.fixes/xfs-refactor-unmount-record-write.patch
+ patches.fixes/xfs-force-summary-counter-recalc-at-next-mount.patch
patches.fixes/xfs-Close-race-between-direct-IO-and-xfs_break_layou.patch
patches.suse/xfs-fix-a-null-pointer-dereference-in-xfs_bmap_exten.patch
patches.arch/x86-l1tf-01-increase-32bitPAE-__PHYSICAL_PAGE_MASK.patch
@@ -19395,6 +19446,7 @@
patches.fixes/nl80211-Fix-possible-Spectre-v1-for-CQM-RSSI-thresho.patch
patches.drivers/net-ena-remove-ndo_poll_controller.patch
patches.drivers/ibmvnic-remove-ndo_poll_controller.patch
+ patches.fixes/0004-rxrpc-Fix-transport-sockopts-to-get-IPv4-errors-on-a.patch
patches.drivers/asix-Check-for-supported-Wake-on-LAN-modes.patch
patches.drivers/ax88179_178a-Check-for-supported-Wake-on-LAN-modes.patch
patches.drivers/lan78xx-Check-for-supported-Wake-on-LAN-modes.patch
@@ -19582,12 +19634,14 @@
patches.drivers/pinctrl-at91-pio4-fix-has_config-check-in-atmel_pctl.patch
patches.drivers/pinctrl-qcom-spmi-mpp-Fix-err-handling-of-pmic_mpp_s.patch
patches.drivers/gpio-davinci-remove-unused-member-of-davinci_gpio_controller.patch
+ patches.drivers/leds-pwm-silently-error-out-on-EPROBE_DEFER.patch
patches.drivers/0001-ipmi-ssif-Add-support-for-multi-part-transmit-messag.patch
patches.drivers/ipmi-Fix-timer-race-with-module-unload.patch
patches.drivers/pcmcia-Implement-CLKRUN-protocol-disabling-for-Ricoh.patch
patches.fixes/cpufreq-conservative-Take-limits-changes-into-accoun.patch
patches.arch/x86-hibernate-fix-nosave_regions-setup-for-hibernation
patches.fixes/cpupower-remove-stringop-truncation-waring.patch
+ patches.fixes/ACPICA-AML-interpreter-add-region-addresses-in-globa.patch
patches.drivers/ACPI-LPSS-Add-alternative-ACPI-HIDs-for-Cherry-Trail.patch
patches.drivers/ACPI-processor-Fix-the-return-value-of-acpi_processo.patch
patches.drivers/mailbox-PCC-handle-parse-error.patch
@@ -19950,6 +20004,7 @@
patches.drm/0001-drm-cirrus-Use-drm_framebuffer_put-to-avoid-kernel-o.patch
patches.drm/0001-drm-virtio-fix-bounds-check-in-virtio_gpu_cmd_get_ca.patch
patches.drm/drm-rockchip-Allow-driver-to-be-shutdown-on-reboot-k.patch
+ patches.drm/drm-i915-Downgrade-Gen9-Plane-WM-latency-error.patch
patches.drm/drm-i915-cfl-Add-a-new-CFL-PCI-ID
patches.drm/drm-amdgpu-add-missing-CHIP_HAINAN-in-amdgpu_ucode_g.patch
patches.drm/0001-drm-hisilicon-hibmc-Do-not-carry-error-code-in-HiBMC.patch
@@ -20334,6 +20389,7 @@
patches.drivers/staging-rtl8723bs-Add-missing-return-for-cfg80211_rt.patch
patches.drivers/staging-vchiq_arm-fix-compat-VCHIQ_IOC_AWAIT_COMPLET.patch
patches.drivers/iio-st_magn-Fix-enable-device-after-trigger.patch
+ patches.fixes/devres-Align-data-to-ARCH_KMALLOC_MINALIGN.patch
patches.drivers/misc-mic-scif-fix-copy-paste-error-in-scif_create_re.patch
patches.fixes/unifdef-use-memcpy-instead-of-strncpy.patch
patches.fixes/fscache-Fix-race-in-fscache_op_complete-due-to-split.patch
@@ -20594,6 +20650,7 @@
patches.drm/drm-rockchip-fix-for-mailbox-read-size.patch
patches.drm/0003-drm-i915-Redefine-some-Whiskey-Lake-SKUs.patch
patches.drivers/ALSA-x86-Fix-runtime-PM-for-hdmi-lpe-audio.patch
+ patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch
patches.drm/0001-drm-rcar-du-Fix-vblank-initialization.patch
patches.drm/0001-drm-rcar-du-Fix-external-clock-error-checks.patch
patches.drm/0004-drm-atomic-helper-Complete-fake_commit-flip_done-pot.patch
@@ -21095,6 +21152,7 @@
patches.drivers/USB-serial-pl2303-add-new-PID-to-support-PL2303TB.patch
patches.drivers/uart-Fix-crash-in-uart_write-and-uart_put_char.patch
patches.drivers/tty-n_hdlc-fix-__might_sleep-warning.patch
+ patches.fixes/vt-always-call-notifier-with-the-console-lock-held.patch
patches.drivers/vt-invoke-notifier-on-screen-size-change.patch
patches.drivers/tty-Handle-problem-if-line-discipline-does-not-have-.patch
patches.drivers/serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch
@@ -21447,6 +21505,7 @@
patches.fixes/0001-ip6mr-Do-not-call-__IP6_INC_STATS-from-preemptible-c.patch
patches.drivers/team-Free-BPF-filter-when-unregistering-netdev.patch
patches.drivers/sky2-Disable-MSI-on-Dell-Inspiron-1545-and-Gateway-P.patch
+ patches.fixes/appletalk-Fix-use-after-free-in-atalk_proc_exit.patch
patches.fixes/0001-net-dsa-mv88e6xxx-handle-unknown-duplex-modes-gracef.patch
patches.fixes/0001-net-sysfs-Fix-mem-leak-in-netdev_register_kobject.patch
patches.suse/qmi_wwan-Add-support-for-Quectel-EG12-EM12.patch
@@ -21563,6 +21622,7 @@
patches.drm/drm-nouveau-Stop-using-drm_crtc_force_disable.patch
patches.drm/drm-Auto-set-allow_fb_modifiers-when-given-modifiers.patch
patches.drm/0003-drm-shmob-Fix-return-value-check-in-shmob_drm_probe.patch
+ patches.drm/drm-rockchip-fix-for-mailbox-read-validation.patch
patches.drm/drm-disable-uncached-DMA-optimization-for-ARM-and-ar.patch
patches.drm/drm-nouveau-volt-gf117-fix-speedo-readout-register.patch
patches.drm/0001-drm-nouveau-bios-ramcfg-fix-missing-parentheses-when.patch
@@ -21673,6 +21733,7 @@
patches.drivers/tpm-Fix-some-name-collisions-with-drivers-char-tpm.h.patch
patches.fixes/tipc-fix-RDM-DGRAM-connect-regression.patch
patches.fixes/0001-ipv4-route-fail-early-when-inet-dev-is-missing.patch
+ patches.fixes/appletalk-Fix-compile-regression.patch
patches.suse/net-hsr-fix-memory-leak-in-hsr_dev_finalize.patch
patches.suse/ravb-Decrease-TxFIFO-depth-of-Q3-and-Q2-to-one.patch
patches.drivers/enic-fix-build-warning-without-CONFIG_CPUMASK_OFFSTA.patch
@@ -21808,6 +21869,7 @@
patches.drm/0001-drm-vmwgfx-Don-t-double-free-the-mode-stored-in-par-.patch
patches.drivers/mmc-pxamci-fix-enum-type-confusion.patch
patches.drivers/mmc-davinci-remove-extraneous-__init-annotation.patch
+ patches.fixes/ACPI-utils-Drop-reference-in-test-for-device-presenc.patch
patches.drivers/ALSA-echoaudio-add-a-check-for-ioremap_nocache.patch
patches.drivers/ALSA-sb8-add-a-check-for-request_region.patch
patches.drivers/ALSA-firewire-motu-use-version-field-of-unit-directo.patch
@@ -21934,9 +21996,20 @@
patches.drivers/qmi_wwan-add-Olicard-600.patch
patches.fixes/openvswitch-fix-flow-actions-reallocation.patch
patches.fixes/net-rds-force-to-destroy-connection-if-t_sock-is-NUL.patch
+ patches.suse/net-ethtool-not-call-vzalloc-for-zero-sized-memory-r.patch
+ patches.suse/net-mlx5-Decrease-default-mr-cache-size.patch
+ patches.suse/net-mlx5e-Fix-error-handling-when-refreshing-TIRs.patch
+ patches.suse/net-mlx5e-Add-a-lock-on-tir-list.patch
patches.fixes/bpf-fix-use-after-free-in-bpf_evict_inode.patch
+ patches.suse/vrf-check-accept_source_route-on-the-original-netdev.patch
+ patches.suse/net-sched-fix-get-helper-of-the-matchall-cls.patch
patches.suse/kcm-switch-order-of-device-registration-to-fix-a-cra.patch
+ patches.suse/sctp-initialize-_pad-of-sockaddr_in-before-copying-t.patch
+ patches.suse/ip6_tunnel-Match-to-ARPHRD_TUNNEL6-for-dev-type.patch
+ patches.suse/net-gro-Fix-GRO-flush-when-receiving-a-GSO-packet.patch
patches.fixes/0001-ipv6-Fix-dangling-pointer-when-ipv6-fragment.patch
+ patches.suse/net-sched-act_sample-fix-divide-by-zero-in-the-traff.patch
+ patches.suse/tcp-Ensure-DCTCP-reacts-to-losses.patch
patches.fixes/0001-ipv6-sit-reset-ip-header-pointer-in-ipip6_rcv.patch
patches.drivers/ibmvnic-Fix-completion-structure-initialization.patch
patches.drm/drm-i915-gvt-do-not-deliver-a-workload-if-its-creati.patch
@@ -21950,6 +22023,8 @@
patches.fixes/0001-xen-Prevent-buffer-overflow-in-privcmd-ioctl.patch
patches.drivers/tpm-Fix-the-type-of-the-return-value-in-calc_tpm2_ev.patch
patches.drivers/NFC-nci-Add-some-bounds-checking-in-nci_hci_cmd_rece.patch
+ patches.suse/bnxt_en-Improve-RX-consumer-index-validity-check.patch
+ patches.suse/bnxt_en-Reset-device-on-RX-buffer-errors.patch
patches.drivers/Bluetooth-btusb-request-wake-pin-with-NOAUTOEN.patch
patches.fixes/virtio_pci-fix-a-NULL-pointer-reference-in-vp_del_vq.patch
patches.fixes/virtio-Honour-may_reduce_num-in-vring_create_virtque.patch
@@ -21957,6 +22032,7 @@
patches.drm/0003-drm-mediatek-Fix-an-error-code-in-mtk_hdmi_dt_parse_.patch
patches.drm/drm-mediatek-fix-possible-object-reference-leak.patch
patches.drm/drm-i915-gvt-Annotate-iomem-usage.patch
+ patches.fixes/ACPICA-Namespace-remove-address-node-from-global-lis.patch
patches.drivers/ALSA-hda-realtek-Add-quirk-for-Tuxedo-XC-1509.patch
patches.drivers/ALSA-seq-Fix-OOB-reads-from-strlcpy.patch
patches.drivers/ALSA-hda-Add-two-more-machines-to-the-power_save_bla.patch
@@ -21972,6 +22048,7 @@
patches.drivers/ASoC-stm32-fix-sai-driver-name-initialisation.patch
patches.drivers/iommu-amd-set-exclusion-range-correctly
patches.fixes/linux-kernel.h-Use-parentheses-around-argument-in-u6.patch
+ patches.suse/sched-do-not-re-read-h_load_next-during-hierarchical-load-calculation.patch
patches.arch/powerpc-vdso32-fix-CLOCK_MONOTONIC-on-PPC64.patch
patches.drivers/PCI-Add-function-1-DMA-alias-quirk-for-Marvell-9170-.patch
patches.fixes/0001-PCI-pciehp-Ignore-Link-State-Changes-after-powering-.patch
@@ -21982,14 +22059,23 @@
patches.arch/kvm-x86-svm-make-sure-nmi-is-injected-after-nmi_singlestep
patches.arch/kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu
patches.arch/kvm-x86-always-use-32-bit-smram-save-state-for-32-bit-kernels
+ patches.fixes/mac80211-fix-unaligned-access-in-mesh-table-hash-fun.patch
+ patches.fixes/mac80211-fix-memory-accounting-with-A-MSDU-aggregati.patch
patches.fixes/mac80211-do-not-call-driver-wake_tx_queue-op-during-.patch
+ patches.fixes/nl80211-Add-NL80211_FLAG_CLEAR_SKB-flag-for-other-NL.patch
patches.drivers/ibmvnic-Enable-GRO.patch
patches.drivers/ibmvnic-Fix-netdev-feature-clobbering-during-a-reset.patch
+ patches.fixes/team-set-slave-to-promisc-if-team-is-already-in-prom.patch
patches.fixes/0001-net-bridge-multicast-use-rcu-to-access-port-list-fro.patch
+ patches.fixes/mISDN-Check-address-length-before-reading-address-fa.patch
patches.drivers/rt2x00-do-not-increment-sequence-number-while-re-tra.patch
patches.fixes/0001-net-bridge-fix-per-port-af_packet-sockets.patch
patches.fixes/CIFS-keep-FileInfo-handle-live-during-oplock-break.patch
patches.fixes/crypto-x86-poly1305-fix-overflow-during-partial-redu.patch
+ patches.drivers/Input-elan_i2c-add-hardware-ID-for-multiple-Lenovo-l.patch
+ patches.drivers/HID-input-add-mapping-for-Expose-Overview-key.patch
+ patches.drivers/HID-input-add-mapping-for-keyboard-Brightness-Up-Dow.patch
+ patches.drivers/HID-input-add-mapping-for-Toggle-Display-key.patch
patches.drivers/Input-snvs_pwrkey-initialize-necessary-driver-data-b.patch
patches.drivers/iio-gyro-bmg160-Use-millidegrees-for-temperature-sca.patch
patches.drivers/staging-iio-ad7192-Fix-ad7193-channel-address.patch
@@ -21998,6 +22084,7 @@
patches.drivers/iio-adc-at91-disable-adc-channel-interrupt-in-timeou.patch
patches.drivers/io-accel-kxcjk1013-restore-the-range-after-resume.patch
patches.drivers/iio-dac-mcp4725-add-missing-powerdown-bits-in-store-.patch
+ patches.drivers/iio-adc-xilinx-fix-potential-use-after-free-on-remov.patch
patches.drivers/iio-cros_ec-Fix-the-maths-for-gyro-scale-calculation.patch
patches.drivers/iio-ad_sigma_delta-select-channel-when-reading-regis.patch
patches.drivers/iio-core-fix-a-possible-circular-locking-dependency.patch
@@ -22013,6 +22100,8 @@
patches.drivers/ALSA-info-Fix-racy-addition-deletion-of-nodes.patch
patches.drivers/ALSA-core-Fix-card-races-between-register-and-discon.patch
patches.drivers/ALSA-hda-realtek-add-two-more-pin-configuration-sets.patch
+ patches.drivers/spi-Micrel-eth-switch-declare-missing-of-table.patch
+ patches.drivers/spi-ST-ST95HF-NFC-declare-missing-of-table.patch
patches.fixes/ceph-only-use-d_name-directly-when-parent-is-locked.patch
patches.fixes/ceph-ensure-d_name-stability-in-ceph_dentry_hash.patch
patches.fixes/ceph-fix-ci-i_head_snapc-leak.patch
@@ -22022,8 +22111,11 @@
patches.drm/0004-drm-sun4i-Fix-component-unbinding-and-component-mast.patch
patches.drm/0005-drm-vc4-Fix-memory-leak-during-gpu-reset.patch
patches.drm/0001-drm-sun4i-Unbind-components-before-releasing-DRM-and.patch
+ patches.drm/gpu-ipu-v3-dp-fix-CSC-handling.patch
+ patches.drm/drm-imx-don-t-skip-DP-channel-disable-for-background.patch
patches.suse/tracing-fix-buffer_ref-pipe-ops.patch
patches.suse/tracing-fix-a-memory-leak-by-early-error-exit-in-trace_pid_write.patch
+ patches.drivers/Input-synaptics-rmi4-fix-possible-double-free.patch
patches.drivers/Input-synaptics-rmi4-write-config-register-values-to.patch
patches.drivers/dmaengine-sh-rcar-dmac-With-cyclic-DMA-residue-0-is-.patch
patches.fixes/selinux-use-kernel-linux-socket.h-for-genheaders-and-mdp
@@ -22041,6 +22133,7 @@
patches.arch/x86-speculation-support-mitigations-cmdline-option.patch
patches.arch/powerpc-speculation-support-mitigations-cmdline-option.patch
patches.arch/s390-speculation-support-mitigations-cmdline-option.patch
+ patches.fixes/ACPI-button-reinitialize-button-state-upon-resume.patch
patches.arch/x86-mce-handle-varying-mca-bank-counts.patch
patches.drivers/hwmon-f71805f-Use-request_muxed_region-for-Super-IO-.patch
patches.drivers/hwmon-pc87427-Use-request_muxed_region-for-Super-IO-.patch
@@ -22209,6 +22302,20 @@
patches.drivers/PCI-Mark-AMD-Stoney-Radeon-R7-GPU-ATS-as-broken.patch
patches.drivers/PCI-Mark-Atheros-AR9462-to-avoid-bus-reset.patch
patches.drivers/backlight-lm3630a-Return-0-on-success-in-update_stat.patch
+ patches.fixes/crypto-caam-fix-caam_dump_sg-that-iterates-through-s.patch
+ patches.drivers/power-supply-axp288_charger-Fix-unchecked-return-val.patch
+ patches.drivers/power-supply-axp20x_usb_power-Fix-typo-in-VBUS-curre.patch
+ patches.drm/drm-i915-fbc-disable-framebuffer-compression-on-Gemi.patch
+ patches.drm/drm-bridge-adv7511-Fix-low-refresh-rate-selection.patch
+ patches.drivers/thermal-cpu_cooling-Actually-trace-CPU-load-in-therm.patch
+ patches.fixes/configfs-fix-possible-use-after-free-in-configfs_reg.patch
+ patches.drivers/media-atmel-atmel-isc-fix-INIT_WORK-misplacement.patch
+ patches.drivers/media-omap_vout-potential-buffer-overflow-in-vidioc_.patch
+ patches.drivers/media-davinci-vpbe-array-underflow-in-vpbe_enum_outp.patch
+ patches.drivers/ALSA-hda-realtek-Fixup-headphone-noise-via-runtime-s.patch
+ patches.drivers/ALSA-hda-realtek-Avoid-superfluous-COEF-EAPD-setups.patch
+ patches.drivers/ALSA-hda-realtek-Corrected-fixup-for-System76-Gazell.patch
+ patches.drivers/ALSA-hda-realtek-Fix-for-Lenovo-B50-70-inverted-inte.patch
# dhowells/linux-fs keys-uefi
patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
@@ -22311,8 +22418,6 @@
patches.suse/do-not-default-to-ibrs-on-skl.patch
- patches.suse/sched-do-not-re-read-h_load_next-during-hierarchical-load-calculation.patch
-
########################################################
# locking/core
########################################################
@@ -22902,6 +23007,8 @@
patches.kabi/hid-debug-kfifo-kabi-workaround.patch
patches.kabi/kabi-protect-vhost_log_write.patch
patches.kabi/kabi-restore-icmp_send.patch
+ patches.kabi/kabi-protect-struct-mlx5_td.patch
+ patches.kabi/kabi-protect-ip_options_rcv_srr.patch
patches.kabi/nvme-kABI-fixes-for-nvme_subsystem.patch