Home Home > GIT Browse > SLE12-SP4
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohannes Thumshirn <jthumshirn@suse.de>2019-10-22 11:28:58 +0200
committerJohannes Thumshirn <jthumshirn@suse.de>2019-10-22 11:28:58 +0200
commit8c86bede34a7caf5be7c6a6755980932d6fec994 (patch)
treeadc92fd44e2e40e823ba47e9c30898e0a8aab608
parent58a3bbcebf6aae8c1b2124d1fab40e2095350399 (diff)
parent95fc66891ede7395ec1498ad8c3564820c427852 (diff)
Merge remote-tracking branch 'origin/SLE15' into SLE12-SP4
Conflicts: series.conf
-rw-r--r--blacklist.conf6
-rw-r--r--patches.kabi/Fix-AMD-IOMMU-kABI.patch26
-rw-r--r--patches.suse/9p-avoid-attaching-writeback_fid-on-mmap-with-type-P.patch47
-rw-r--r--patches.suse/ACPI-CPPC-Set-pcc_data-pcc_ss_id-to-NULL-in-acpi_cpp.patch134
-rw-r--r--patches.suse/ACPI-CPPC-do-not-require-the-_PSD-method.patch55
-rw-r--r--patches.suse/ACPI-processor-don-t-print-errors-for-processorIDs-0.patch68
-rw-r--r--patches.suse/act_mirred-Fix-mirred_init_module-error-handling.patch40
-rw-r--r--patches.suse/appletalk-enforce-CAP_NET_RAW-for-raw-sockets.patch39
-rw-r--r--patches.suse/btrfs-ensure-btrfs_init_dev_replace_tgtdev-sees-up-to-date-values.patch52
-rw-r--r--patches.suse/btrfs-ensure-replaced-device-doesn-t-have-pending-chunk-allocation.patch123
-rw-r--r--patches.suse/btrfs-remove-wrong-use-of-volume_mutex-from-btrfs_dev_replace_start.patch59
-rw-r--r--patches.suse/cfg80211-wext-avoid-copying-malformed-SSIDs.patch3
-rw-r--r--patches.suse/iommu-amd-Apply-the-same-IVRS-IOAPIC-workaround-to-A.patch45
-rw-r--r--patches.suse/iommu-amd-Override-wrong-IVRS-IOAPIC-on-Raven-Ridge-.patch181
-rw-r--r--patches.suse/iommu-amd-check-pm_level_size-condition-in-locked-section53
-rw-r--r--patches.suse/iommu-amd-remove-domain-updated164
-rw-r--r--patches.suse/iommu-amd-wait-for-completion-of-iotlb-flush-in-attach_device32
-rw-r--r--patches.suse/iwlwifi-pcie-fix-rb_allocator-workqueue-allocation.patch59
-rw-r--r--patches.suse/libertas-fix-a-potential-NULL-pointer-dereference.patch46
-rw-r--r--patches.suse/net-ath6kl-Fix-a-NULL-ptr-deref-bug.patch26
-rw-r--r--patches.suse/rtlwifi-Fix-potential-overflow-on-P2P-code.patch38
-rw-r--r--patches.suse/video-of-display_timing-Add-of_node_put-in-of_get_di.patch57
-rw-r--r--patches.suse/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_se.patch57
-rw-r--r--series.conf25
24 files changed, 1422 insertions, 13 deletions
diff --git a/blacklist.conf b/blacklist.conf
index 0fab1a5d42..8aa7292f98 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1390,3 +1390,9 @@ a521c44c3ded9fe184c5de3eed3a442af2d26f00 # book3e not supported
056d28d135bca0b1d0908990338e00e9dadaf057 # libelf is in the default location in SLES
3f384d7c490374b2ae8f61a6c67f14deab77bab2 # cosmetic change in logging
14e3cdbb00a885eedc95c0cf8eda8fe28d26d6b4 # only interesting in completely static builds
+3a11905b69eb026402448c750f97a0eadfa76b08 # amd_iommu_devtable_lock is sufficient
+f6c0bfce271b2dd613e8b8e009eefe89c1f788e8 # amd_iommu_devtable_lock is sufficient
+45e528d9c479aeef2d3d1db1e619b243f91e324f # amd_iommu_devtable_lock is sufficient
+ab7b2577f0d119052b98b8d913bad369ac2760eb # amd_iommu_devtable_lock is sufficient
+2a78f9962565e53b78363eaf516eb052009e8020 # amd_iommu_devtable_lock is sufficient
+7a0cf094944e2540758b7f957eb6846d5126f535 # too risky, fixes hypothetical situation, bsc#1142667
diff --git a/patches.kabi/Fix-AMD-IOMMU-kABI.patch b/patches.kabi/Fix-AMD-IOMMU-kABI.patch
new file mode 100644
index 0000000000..215f829917
--- /dev/null
+++ b/patches.kabi/Fix-AMD-IOMMU-kABI.patch
@@ -0,0 +1,26 @@
+From: Joerg Roedel <jroedel@suse.de>
+Date: Mon, 21 Oct 2019 13:45:28 +0200
+Subject: [PATCH] Fix AMD IOMMU kABI
+Patch-mainline: Never, kABI Fix
+References: bsc#1154610
+
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/amd_iommu_types.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h
+index 57926646b334..9a505104b1cf 100644
+--- a/drivers/iommu/amd_iommu_types.h
++++ b/drivers/iommu/amd_iommu_types.h
+@@ -483,6 +483,7 @@ struct protection_domain {
+ int glx; /* Number of levels for GCR3 table */
+ u64 *gcr3_tbl; /* Guest CR3 table */
+ unsigned long flags; /* flags to find out type of domain */
++ bool updated; /* complete domain flush required */
+ unsigned dev_cnt; /* devices assigned to this domain */
+ unsigned dev_iommu[MAX_IOMMUS]; /* per-IOMMU reference count */
+ };
+--
+2.16.3
+
diff --git a/patches.suse/9p-avoid-attaching-writeback_fid-on-mmap-with-type-P.patch b/patches.suse/9p-avoid-attaching-writeback_fid-on-mmap-with-type-P.patch
new file mode 100644
index 0000000000..2a4c0ac620
--- /dev/null
+++ b/patches.suse/9p-avoid-attaching-writeback_fid-on-mmap-with-type-P.patch
@@ -0,0 +1,47 @@
+From c87a37ebd40b889178664c2c09cc187334146292 Mon Sep 17 00:00:00 2001
+From: Chengguang Xu <cgxu519@zoho.com.cn>
+Date: Tue, 20 Aug 2019 18:03:25 +0800
+Subject: [PATCH] 9p: avoid attaching writeback_fid on mmap with type PRIVATE
+Git-commit: c87a37ebd40b889178664c2c09cc187334146292
+Patch-mainline: v5.4-rc1
+References: bsc#1051510
+
+Currently on mmap cache policy, we always attach writeback_fid
+whether mmap type is SHARED or PRIVATE. However, in the use case
+of kata-container which combines 9p(Guest OS) with overlayfs(Host OS),
+this behavior will trigger overlayfs' copy-up when excute command
+inside container.
+
+Link: http://lkml.kernel.org/r/20190820100325.10313-1-cgxu519@zoho.com.cn
+Signed-off-by: Chengguang Xu <cgxu519@zoho.com.cn>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/9p/vfs_file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
+index 4cc966a31cb3..fe7f0bd2048e 100644
+--- a/fs/9p/vfs_file.c
++++ b/fs/9p/vfs_file.c
+@@ -513,6 +513,7 @@ v9fs_mmap_file_mmap(struct file *filp, struct vm_area_struct *vma)
+ v9inode = V9FS_I(inode);
+ mutex_lock(&v9inode->v_mutex);
+ if (!v9inode->writeback_fid &&
++ (vma->vm_flags & VM_SHARED) &&
+ (vma->vm_flags & VM_WRITE)) {
+ /*
+ * clone a fid and add it to writeback_fid
+@@ -614,6 +615,8 @@ static void v9fs_mmap_vm_close(struct vm_area_struct *vma)
+ (vma->vm_end - vma->vm_start - 1),
+ };
+
++ if (!(vma->vm_flags & VM_SHARED))
++ return;
+
+ p9_debug(P9_DEBUG_VFS, "9p VMA close, %p, flushing", vma);
+
+--
+2.16.4
+
diff --git a/patches.suse/ACPI-CPPC-Set-pcc_data-pcc_ss_id-to-NULL-in-acpi_cpp.patch b/patches.suse/ACPI-CPPC-Set-pcc_data-pcc_ss_id-to-NULL-in-acpi_cpp.patch
new file mode 100644
index 0000000000..c4b603ac43
--- /dev/null
+++ b/patches.suse/ACPI-CPPC-Set-pcc_data-pcc_ss_id-to-NULL-in-acpi_cpp.patch
@@ -0,0 +1,134 @@
+From 56a0b978d42f58c7e3ba715cf65af487d427524d Mon Sep 17 00:00:00 2001
+From: John Garry <john.garry@huawei.com>
+Date: Tue, 15 Oct 2019 22:07:31 +0800
+Subject: [PATCH] ACPI: CPPC: Set pcc_data[pcc_ss_id] to NULL in acpi_cppc_processor_exit()
+Git-commit: 56a0b978d42f58c7e3ba715cf65af487d427524d
+Patch-mainline: v5.4-rc4
+References: bsc#1051510
+
+When enabling KASAN and DEBUG_TEST_DRIVER_REMOVE, I find this KASAN
+Warning:
+
+[ 20.872057] BUG: KASAN: use-after-free in pcc_data_alloc+0x40/0xb8
+[ 20.878226] Read of size 4 at addr ffff00236cdeb684 by task swapper/0/1
+[ 20.884826]
+[ 20.886309] CPU: 19 PID: 1 Comm: swapper/0 Not tainted 5.4.0-rc1-00009-ge7f7df3db5bf-dirty #289
+[ 20.894994] Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019
+[ 20.903505] Call trace:
+[ 20.905942] dump_backtrace+0x0/0x200
+[ 20.909593] show_stack+0x14/0x20
+[ 20.912899] dump_stack+0xd4/0x130
+[ 20.916291] print_address_description.isra.9+0x6c/0x3b8
+[ 20.921592] __kasan_report+0x12c/0x23c
+[ 20.925417] kasan_report+0xc/0x18
+[ 20.928808] __asan_load4+0x94/0xb8
+[ 20.932286] pcc_data_alloc+0x40/0xb8
+[ 20.935938] acpi_cppc_processor_probe+0x4e8/0xb08
+[ 20.940717] __acpi_processor_start+0x48/0xb0
+[ 20.945062] acpi_processor_start+0x40/0x60
+[ 20.949235] really_probe+0x118/0x548
+[ 20.952887] driver_probe_device+0x7c/0x148
+[ 20.957059] device_driver_attach+0x94/0xa0
+[ 20.961231] __driver_attach+0xa4/0x110
+[ 20.965055] bus_for_each_dev+0xe8/0x158
+[ 20.968966] driver_attach+0x30/0x40
+[ 20.972531] bus_add_driver+0x234/0x2f0
+[ 20.976356] driver_register+0xbc/0x1d0
+[ 20.980182] acpi_processor_driver_init+0x40/0xe4
+[ 20.984875] do_one_initcall+0xb4/0x254
+[ 20.988700] kernel_init_freeable+0x24c/0x2f8
+[ 20.993047] kernel_init+0x10/0x118
+[ 20.996524] ret_from_fork+0x10/0x18
+[ 21.000087]
+[ 21.001567] Allocated by task 1:
+[ 21.004785] save_stack+0x28/0xc8
+[ 21.008089] __kasan_kmalloc.isra.9+0xbc/0xd8
+[ 21.012435] kasan_kmalloc+0xc/0x18
+[ 21.015913] pcc_data_alloc+0x94/0xb8
+[ 21.019564] acpi_cppc_processor_probe+0x4e8/0xb08
+[ 21.024343] __acpi_processor_start+0x48/0xb0
+[ 21.028689] acpi_processor_start+0x40/0x60
+[ 21.032860] really_probe+0x118/0x548
+[ 21.036512] driver_probe_device+0x7c/0x148
+[ 21.040684] device_driver_attach+0x94/0xa0
+[ 21.044855] __driver_attach+0xa4/0x110
+[ 21.048680] bus_for_each_dev+0xe8/0x158
+[ 21.052591] driver_attach+0x30/0x40
+[ 21.056155] bus_add_driver+0x234/0x2f0
+[ 21.059980] driver_register+0xbc/0x1d0
+[ 21.063805] acpi_processor_driver_init+0x40/0xe4
+[ 21.068497] do_one_initcall+0xb4/0x254
+[ 21.072322] kernel_init_freeable+0x24c/0x2f8
+[ 21.076667] kernel_init+0x10/0x118
+[ 21.080144] ret_from_fork+0x10/0x18
+[ 21.083707]
+[ 21.085186] Freed by task 1:
+[ 21.088056] save_stack+0x28/0xc8
+[ 21.091360] __kasan_slab_free+0x118/0x180
+[ 21.095445] kasan_slab_free+0x10/0x18
+[ 21.099183] kfree+0x80/0x268
+[ 21.102139] acpi_cppc_processor_exit+0x1a8/0x1b8
+[ 21.106832] acpi_processor_stop+0x70/0x80
+[ 21.110917] really_probe+0x174/0x548
+[ 21.114568] driver_probe_device+0x7c/0x148
+[ 21.118740] device_driver_attach+0x94/0xa0
+[ 21.122912] __driver_attach+0xa4/0x110
+[ 21.126736] bus_for_each_dev+0xe8/0x158
+[ 21.130648] driver_attach+0x30/0x40
+[ 21.134212] bus_add_driver+0x234/0x2f0
+[ 21.0x10/0x18
+[ 21.161764]
+[ 21.163244] The buggy address belongs to the object at ffff00236cdeb600
+[ 21.163244] which belongs to the cache kmalloc-256 of size 256
+[ 21.175750] The buggy address is located 132 bytes inside of
+[ 21.175750] 256-byte region [ffff00236cdeb600, ffff00236cdeb700)
+[ 21.187473] The buggy address belongs to the page:
+[ 21.192254] page:fffffe008d937a00 refcount:1 mapcount:0 mapping:ffff002370c0fa00 index:0x0 compound_mapcount: 0
+[ 21.202331] flags: 0x1ffff00000010200(slab|head)
+[ 21.206940] raw: 1ffff00000010200 dead000000000100 dead000000000122 ffff002370c0fa00
+[ 21.214671] raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
+[ 21.222400] page dumped because: kasan: bad access detected
+[ 21.227959]
+[ 21.229438] Memory state around the buggy address:
+[ 21.234218] ffff00236cdeb580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 21.241427] ffff00236cdeb600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 21.248637] >ffff00236cdeb680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 21.255845] ^
+[ 21.259062] ffff00236cdeb700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 21.266272] ffff00236cdeb780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 21.273480] ==================================================================
+
+It seems that global pcc_data[pcc_ss_id] can be freed in
+acpi_cppc_processor_exit(), but we may later reference this value, so
+NULLify it when freed.
+
+Also remove the useless setting of data "pcc_channel_acquired", which
+we're about to free.
+
+Fixes: 85b1407bf6d2 ("ACPI / CPPC: Make CPPC ACPI driver aware of PCC subspace IDs")
+Signed-off-by: John Garry <john.garry@huawei.com>
+Cc: 4.15+ <stable@vger.kernel.org> # 4.15+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/cppc_acpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c
+index 3b2525908dd8..a1a858ad4d18 100644
+--- a/drivers/acpi/cppc_acpi.c
++++ b/drivers/acpi/cppc_acpi.c
+@@ -905,8 +905,8 @@ void acpi_cppc_processor_exit(struct acpi_processor *pr)
+ pcc_data[pcc_ss_id]->refcount--;
+ if (!pcc_data[pcc_ss_id]->refcount) {
+ pcc_mbox_free_channel(pcc_data[pcc_ss_id]->pcc_channel);
+- pcc_data[pcc_ss_id]->pcc_channel_acquired = 0;
+ kfree(pcc_data[pcc_ss_id]);
++ pcc_data[pcc_ss_id] = NULL;
+ }
+ }
+ }
+--
+2.16.4
+
diff --git a/patches.suse/ACPI-CPPC-do-not-require-the-_PSD-method.patch b/patches.suse/ACPI-CPPC-do-not-require-the-_PSD-method.patch
new file mode 100644
index 0000000000..899f4c5a5f
--- /dev/null
+++ b/patches.suse/ACPI-CPPC-do-not-require-the-_PSD-method.patch
@@ -0,0 +1,55 @@
+From 4c4cdc4c63853fee48c02e25c8605fb65a6c9924 Mon Sep 17 00:00:00 2001
+From: Al Stone <ahs3@redhat.com>
+Date: Tue, 27 Aug 2019 18:21:20 -0600
+Subject: [PATCH] ACPI / CPPC: do not require the _PSD method
+Git-commit: 4c4cdc4c63853fee48c02e25c8605fb65a6c9924
+Patch-mainline: v5.4-rc1
+References: bsc#1051510
+
+According to the ACPI 6.3 specification, the _PSD method is optional
+when using CPPC. The underlying assumption is that each CPU can change
+frequency independently from all other CPUs; _PSD is provided to tell
+the OS that some processors can NOT do that.
+
+However, the acpi_get_psd() function returns ENODEV if there is no _PSD
+method present, or an ACPI error status if an error occurs when evaluating
+_PSD, if present. This makes _PSD mandatory when using CPPC, in violation
+of the specification, and only on Linux.
+
+This has forced some firmware writers to provide a dummy _PSD, even though
+it is irrelevant, but only because Linux requires it; other OSPMs follow
+the spec. We really do not want to have OS specific ACPI tables, though.
+
+So, correct acpi_get_psd() so that it does not return an error if there
+is no _PSD method present, but does return a failure when the method can
+not be executed properly. This allows _PSD to be optional as it should
+be.
+
+Signed-off-by: Al Stone <ahs3@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/cppc_acpi.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c
+index 15f103d7532b..3b2525908dd8 100644
+--- a/drivers/acpi/cppc_acpi.c
++++ b/drivers/acpi/cppc_acpi.c
+@@ -365,8 +365,10 @@ static int acpi_get_psd(struct cpc_desc *cpc_ptr, acpi_handle handle)
+ union acpi_object *psd = NULL;
+ struct acpi_psd_package *pdomain;
+
+- status = acpi_evaluate_object_typed(handle, "_PSD", NULL, &buffer,
+- ACPI_TYPE_PACKAGE);
++ status = acpi_evaluate_object_typed(handle, "_PSD", NULL,
++ &buffer, ACPI_TYPE_PACKAGE);
++ if (status == AE_NOT_FOUND) /* _PSD is optional */
++ return 0;
+ if (ACPI_FAILURE(status))
+ return -ENODEV;
+
+--
+2.16.4
+
diff --git a/patches.suse/ACPI-processor-don-t-print-errors-for-processorIDs-0.patch b/patches.suse/ACPI-processor-don-t-print-errors-for-processorIDs-0.patch
new file mode 100644
index 0000000000..cda73c5c01
--- /dev/null
+++ b/patches.suse/ACPI-processor-don-t-print-errors-for-processorIDs-0.patch
@@ -0,0 +1,68 @@
+From 2c2b005f549544c13ef4cfb0e4842949066889bc Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Wed, 7 Aug 2019 13:10:37 +0200
+Subject: [PATCH] ACPI / processor: don't print errors for processorIDs == 0xff
+Git-commit: 2c2b005f549544c13ef4cfb0e4842949066889bc
+Patch-mainline: v5.4-rc1
+References: bsc#1051510
+
+Some platforms define their processors in this manner:
+ Device (SCK0)
+ {
+ Name (_HID, "ACPI0004" /* Module Device */) // _HID: Hardware ID
+ Name (_UID, "CPUSCK0") // _UID: Unique ID
+ Processor (CP00, 0x00, 0x00000410, 0x06){}
+ Processor (CP01, 0x02, 0x00000410, 0x06){}
+ Processor (CP02, 0x04, 0x00000410, 0x06){}
+ Processor (CP03, 0x06, 0x00000410, 0x06){}
+ Processor (CP04, 0x01, 0x00000410, 0x06){}
+ Processor (CP05, 0x03, 0x00000410, 0x06){}
+ Processor (CP06, 0x05, 0x00000410, 0x06){}
+ Processor (CP07, 0x07, 0x00000410, 0x06){}
+ Processor (CP08, 0xFF, 0x00000410, 0x06){}
+ Processor (CP09, 0xFF, 0x00000410, 0x06){}
+ Processor (CP0A, 0xFF, 0x00000410, 0x06){}
+ Processor (CP0B, 0xFF, 0x00000410, 0x06){}
+...
+
+The processors marked as 0xff are invalid, there are only 8 of them in
+this case.
+
+So do not print an error on ids == 0xff, just print an info message.
+Actually, we could return ENODEV even on the first CPU with ID 0xff, but
+ACPI spec does not forbid the 0xff value to be a processor ID. Given
+0xff could be a correct one, we would break working systems if we
+returned ENODEV.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/acpi_processor.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c
+index 24f065114d42..2c4dda0787e8 100644
+--- a/drivers/acpi/acpi_processor.c
++++ b/drivers/acpi/acpi_processor.c
+@@ -279,9 +279,13 @@ static int acpi_processor_get_info(struct acpi_device *device)
+ }
+
+ if (acpi_duplicate_processor_id(pr->acpi_id)) {
+- dev_err(&device->dev,
+- "Failed to get unique processor _UID (0x%x)\n",
+- pr->acpi_id);
++ if (pr->acpi_id == 0xff)
++ dev_info_once(&device->dev,
++ "Entry not well-defined, consider updating BIOS\n");
++ else
++ dev_err(&device->dev,
++ "Failed to get unique processor _UID (0x%x)\n",
++ pr->acpi_id);
+ return -ENODEV;
+ }
+
+--
+2.16.4
+
diff --git a/patches.suse/act_mirred-Fix-mirred_init_module-error-handling.patch b/patches.suse/act_mirred-Fix-mirred_init_module-error-handling.patch
new file mode 100644
index 0000000000..a8dedbe79f
--- /dev/null
+++ b/patches.suse/act_mirred-Fix-mirred_init_module-error-handling.patch
@@ -0,0 +1,40 @@
+From 11c9a7d38af524217efb7a176ad322b97ac2f163 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 9 Oct 2019 11:10:52 +0800
+Subject: [PATCH] act_mirred: Fix mirred_init_module error handling
+Git-commit: 11c9a7d38af524217efb7a176ad322b97ac2f163
+Patch-mainline: v5.4-rc4
+References: bsc#1051510
+
+If tcf_register_action failed, mirred_device_notifier
+should be unregistered.
+
+Fixes: 3b87956ea645 ("net sched: fix race in mirred device removal")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/sched/act_mirred.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
+index 9ce073a05414..08923b21e566 100644
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -484,7 +484,11 @@ static int __init mirred_init_module(void)
+ return err;
+
+ pr_info("Mirror/redirect action on\n");
+- return tcf_register_action(&act_mirred_ops, &mirred_net_ops);
++ err = tcf_register_action(&act_mirred_ops, &mirred_net_ops);
++ if (err)
++ unregister_netdevice_notifier(&mirred_device_notifier);
++
++ return err;
+ }
+
+ static void __exit mirred_cleanup_module(void)
+--
+2.16.4
+
diff --git a/patches.suse/appletalk-enforce-CAP_NET_RAW-for-raw-sockets.patch b/patches.suse/appletalk-enforce-CAP_NET_RAW-for-raw-sockets.patch
new file mode 100644
index 0000000000..f064d86876
--- /dev/null
+++ b/patches.suse/appletalk-enforce-CAP_NET_RAW-for-raw-sockets.patch
@@ -0,0 +1,39 @@
+From 6cc03e8aa36c51f3b26a0d21a3c4ce2809c842ac Mon Sep 17 00:00:00 2001
+From: Ori Nimron <orinimron123@gmail.com>
+Date: Fri, 20 Sep 2019 09:35:46 +0200
+Subject: [PATCH] appletalk: enforce CAP_NET_RAW for raw sockets
+Git-commit: 6cc03e8aa36c51f3b26a0d21a3c4ce2809c842ac
+Patch-mainline: v5.4-rc1
+References: bsc#1051510
+
+When creating a raw AF_APPLETALK socket, CAP_NET_RAW needs to be checked
+first.
+
+Signed-off-by: Ori Nimron <orinimron123@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/appletalk/ddp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index 4072e9d394d6..b41375d4d295 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1023,6 +1023,11 @@ static int atalk_create(struct net *net, struct socket *sock, int protocol,
+ */
+ if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM)
+ goto out;
++
++ rc = -EPERM;
++ if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
++ goto out;
++
+ rc = -ENOMEM;
+ sk = sk_alloc(net, PF_APPLETALK, GFP_KERNEL, &ddp_proto, kern);
+ if (!sk)
+--
+2.16.4
+
diff --git a/patches.suse/btrfs-ensure-btrfs_init_dev_replace_tgtdev-sees-up-to-date-values.patch b/patches.suse/btrfs-ensure-btrfs_init_dev_replace_tgtdev-sees-up-to-date-values.patch
new file mode 100644
index 0000000000..03e7b31d25
--- /dev/null
+++ b/patches.suse/btrfs-ensure-btrfs_init_dev_replace_tgtdev-sees-up-to-date-values.patch
@@ -0,0 +1,52 @@
+From: Nikolay Borisov <nborisov@suse.com>
+Date: Tue, 14 May 2019 13:54:41 +0300
+Subject: btrfs: Ensure btrfs_init_dev_replace_tgtdev sees up to date values
+Git-commit: e1e0eb43ce1fd7bbdd9590715623cb3799896434
+Patch-mainline: v5.3-rc1
+References: bsc#1154651
+
+btrfs_init_dev_replace_tgtdev reads certain values from the source
+device (such as commit_total_bytes) which are updated during transaction
+commit. Currently this function is called before committing any pending
+transaction, leading to possibly reading outdated values.
+
+Fix this by moving the function below the transaction commit, at this
+point the EXCL_OP bit it set hence once transaction is complete the
+total size of the device cannot be changed (it's usually changed by
+resize/remove ops which are blocked).
+
+Fixes: 9e271ae27e44 ("Btrfs: kernel operation should come after user input has been verified")
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/dev-replace.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/btrfs/dev-replace.c
++++ b/fs/btrfs/dev-replace.c
+@@ -320,11 +320,6 @@ int btrfs_dev_replace_start(struct btrfs
+ if (ret)
+ return ret;
+
+- ret = btrfs_init_dev_replace_tgtdev(fs_info, tgtdev_name,
+- src_device, &tgt_device);
+- if (ret)
+- return ret;
+-
+ /*
+ * Here we commit the transaction to make sure commit_total_bytes
+ * of all the devices are updated.
+@@ -338,6 +333,11 @@ int btrfs_dev_replace_start(struct btrfs
+ return PTR_ERR(trans);
+ }
+
++ ret = btrfs_init_dev_replace_tgtdev(fs_info, tgtdev_name,
++ src_device, &tgt_device);
++ if (ret)
++ return ret;
++
+ btrfs_dev_replace_lock(dev_replace, 1);
+ switch (dev_replace->replace_state) {
+ case BTRFS_IOCTL_DEV_REPLACE_STATE_NEVER_STARTED:
+
diff --git a/patches.suse/btrfs-ensure-replaced-device-doesn-t-have-pending-chunk-allocation.patch b/patches.suse/btrfs-ensure-replaced-device-doesn-t-have-pending-chunk-allocation.patch
new file mode 100644
index 0000000000..926d7e17ac
--- /dev/null
+++ b/patches.suse/btrfs-ensure-replaced-device-doesn-t-have-pending-chunk-allocation.patch
@@ -0,0 +1,123 @@
+From: Nikolay Borisov <nborisov@suse.com>
+Date: Fri, 17 May 2019 10:44:25 +0300
+Subject: btrfs: Ensure replaced device doesn't have pending chunk allocation
+Git-commit: debd1c065d2037919a7da67baf55cc683fee09f0
+Patch-mainline: v5.2-rc3
+References: bsc#1154607
+
+Recent FITRIM work, namely bbbf7243d62d ("btrfs: combine device update
+operations during transaction commit") combined the way certain
+operations are recoded in a transaction. As a result an ASSERT was added
+in dev_replace_finish to ensure the new code works correctly.
+Unfortunately I got reports that it's possible to trigger the assert,
+meaning that during a device replace it's possible to have an unfinished
+chunk allocation on the source device.
+
+This is supposed to be prevented by the fact that a transaction is
+committed before finishing the replace oepration and alter acquiring the
+chunk mutex. This is not sufficient since by the time the transaction is
+committed and the chunk mutex acquired it's possible to allocate a chunk
+depending on the workload being executed on the replaced device. This
+bug has been present ever since device replace was introduced but there
+was never code which checks for it.
+
+The correct way to fix is to ensure that there is no pending device
+modification operation when the chunk mutex is acquire and if there is
+repeat transaction commit. Unfortunately it's not possible to just
+exclude the source device from btrfs_fs_devices::dev_alloc_list since
+this causes ENOSPC to be hit in transaction commit.
+
+Fixing that in another way would need to add special cases to handle the
+last writes and forbid new ones. The looped transaction fix is more
+obvious, and can be easily backported. The runtime of dev-replace is
+long so there's no noticeable delay caused by that.
+
+Reported-by: David Sterba <dsterba@suse.com>
+Fixes: 391cd9df81ac ("Btrfs: fix unprotected alloc list insertion during the finishing procedure of replace")
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/dev-replace.c | 31 +++++++++++++++++++++----------
+ fs/btrfs/volumes.c | 2 ++
+ fs/btrfs/volumes.h | 7 +++++++
+ 3 files changed, 30 insertions(+), 10 deletions(-)
+
+--- a/fs/btrfs/dev-replace.c
++++ b/fs/btrfs/dev-replace.c
+@@ -512,18 +512,29 @@ static int btrfs_dev_replace_finishing(s
+ }
+ btrfs_wait_ordered_roots(fs_info, -1, 0, (u64)-1);
+
+- trans = btrfs_start_transaction(root, 0);
+- if (IS_ERR(trans)) {
+- mutex_unlock(&dev_replace->lock_finishing_cancel_unmount);
+- return PTR_ERR(trans);
++ while (1) {
++ trans = btrfs_start_transaction(root, 0);
++ if (IS_ERR(trans)) {
++ mutex_unlock(&dev_replace->lock_finishing_cancel_unmount);
++ return PTR_ERR(trans);
++ }
++ ret = btrfs_commit_transaction(trans);
++ WARN_ON(ret);
++
++ mutex_lock(&uuid_mutex);
++ /* keep away write_all_supers() during the finishing procedure */
++ mutex_lock(&fs_info->fs_devices->device_list_mutex);
++ /* Prevent new chunks being allocated on the source device */
++ mutex_lock(&fs_info->chunk_mutex);
++ if (src_device->has_pending_chunks) {
++ mutex_unlock(&fs_info->chunk_mutex);
++ mutex_unlock(&fs_info->fs_devices->device_list_mutex);
++ mutex_unlock(&uuid_mutex);
++ } else {
++ break;
++ }
+ }
+- ret = btrfs_commit_transaction(trans);
+- WARN_ON(ret);
+
+- mutex_lock(&uuid_mutex);
+- /* keep away write_all_supers() during the finishing procedure */
+- mutex_lock(&fs_info->fs_devices->device_list_mutex);
+- mutex_lock(&fs_info->chunk_mutex);
+ btrfs_dev_replace_lock(dev_replace, 1);
+ dev_replace->replace_state =
+ scrub_ret ? BTRFS_IOCTL_DEV_REPLACE_STATE_CANCELED
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -4949,6 +4949,7 @@ static int __btrfs_alloc_chunk(struct bt
+ for (i = 0; i < map->num_stripes; i++) {
+ num_bytes = map->stripes[i].dev->bytes_used + stripe_size;
+ btrfs_device_set_bytes_used(map->stripes[i].dev, num_bytes);
++ map->stripes[i].dev->has_pending_chunks = true;
+ }
+
+ spin_lock(&info->free_chunk_lock);
+@@ -7311,6 +7312,7 @@ void btrfs_update_commit_device_bytes_us
+ for (i = 0; i < map->num_stripes; i++) {
+ dev = map->stripes[i].dev;
+ dev->commit_bytes_used = dev->bytes_used;
++ dev->has_pending_chunks = false;
+ }
+ }
+ mutex_unlock(&fs_info->chunk_mutex);
+--- a/fs/btrfs/volumes.h
++++ b/fs/btrfs/volumes.h
+@@ -61,6 +61,13 @@ struct btrfs_device {
+
+ spinlock_t io_lock ____cacheline_aligned;
+ int running_pending;
++
++ /*
++ * When true means this device has pending chunk alloc in
++ * current transaction. Protected by chunk_mutex.
++ */
++ bool has_pending_chunks;
++
+ /* regular prio bios */
+ struct btrfs_pending_bios pending_bios;
+ /* sync bios */
+
diff --git a/patches.suse/btrfs-remove-wrong-use-of-volume_mutex-from-btrfs_dev_replace_start.patch b/patches.suse/btrfs-remove-wrong-use-of-volume_mutex-from-btrfs_dev_replace_start.patch
new file mode 100644
index 0000000000..fffccd29a7
--- /dev/null
+++ b/patches.suse/btrfs-remove-wrong-use-of-volume_mutex-from-btrfs_dev_replace_start.patch
@@ -0,0 +1,59 @@
+From: David Sterba <dsterba@suse.com>
+Date: Tue, 20 Mar 2018 23:44:50 +0100
+Subject: btrfs: remove wrong use of volume_mutex from btrfs_dev_replace_start
+Git-commit: a0fecc23718aa9ef020b8c86173a0b783ed37dcf
+Patch-mainline: v4.18-rc1
+References:bsc#1154651
+
+The volume mutex does not protect against anything in this case, the
+comment about scrub is right but not related to locking and looks
+confusing. The comment in btrfs_find_device_missing_or_by_path is wrong
+and confusing too.
+
+The device_list_mutex is not held here to protect device lookup, but in
+this case device replace cannot run in parallel with device removal (due
+to exclusive op protection), so we don't need further locking here.
+
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Nikolay Borisov <nborisov@suse.com>
+---
+ fs/btrfs/dev-replace.c | 7 +------
+ fs/btrfs/volumes.c | 4 ----
+ 2 files changed, 1 insertion(+), 10 deletions(-)
+
+--- a/fs/btrfs/dev-replace.c
++++ b/fs/btrfs/dev-replace.c
+@@ -315,18 +315,13 @@ int btrfs_dev_replace_start(struct btrfs
+ struct btrfs_device *tgt_device = NULL;
+ struct btrfs_device *src_device = NULL;
+
+- /* the disk copy procedure reuses the scrub code */
+- mutex_lock(&fs_info->volume_mutex);
+ ret = btrfs_find_device_by_devspec(fs_info, srcdevid,
+ srcdev_name, &src_device);
+- if (ret) {
+- mutex_unlock(&fs_info->volume_mutex);
++ if (ret)
+ return ret;
+- }
+
+ ret = btrfs_init_dev_replace_tgtdev(fs_info, tgtdev_name,
+ src_device, &tgt_device);
+- mutex_unlock(&fs_info->volume_mutex);
+ if (ret)
+ return ret;
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -2133,10 +2133,6 @@ int btrfs_find_device_missing_or_by_path
+ struct btrfs_device *tmp;
+
+ devices = &fs_info->fs_devices->devices;
+- /*
+- * It is safe to read the devices since the volume_mutex
+- * is held by the caller.
+- */
+ list_for_each_entry(tmp, devices, dev_list) {
+ if (tmp->in_fs_metadata && !tmp->bdev) {
+ *device = tmp;
diff --git a/patches.suse/cfg80211-wext-avoid-copying-malformed-SSIDs.patch b/patches.suse/cfg80211-wext-avoid-copying-malformed-SSIDs.patch
index 60bcddb2f7..9cd219282b 100644
--- a/patches.suse/cfg80211-wext-avoid-copying-malformed-SSIDs.patch
+++ b/patches.suse/cfg80211-wext-avoid-copying-malformed-SSIDs.patch
@@ -1,9 +1,8 @@
From: Will Deacon <will@kernel.org>
Date: Fri, 4 Oct 2019 10:51:32 +0100
Subject: [PATCH] cfg80211: wext: avoid copying malformed SSIDs
-Patch-mainline: Queued in subsystem maintainer repository
+Patch-mainline: v5.4-rc4
Git-commit: 4ac2813cc867ae563a1ba5a9414bfb554e5796fa
-Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git
References: bsc#1153158 CVE-2019-17133
Ensure the SSID element is bounds-checked prior to invoking memcpy()
diff --git a/patches.suse/iommu-amd-Apply-the-same-IVRS-IOAPIC-workaround-to-A.patch b/patches.suse/iommu-amd-Apply-the-same-IVRS-IOAPIC-workaround-to-A.patch
new file mode 100644
index 0000000000..e693b8ebae
--- /dev/null
+++ b/patches.suse/iommu-amd-Apply-the-same-IVRS-IOAPIC-workaround-to-A.patch
@@ -0,0 +1,45 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 21 Oct 2019 17:17:21 +0200
+Subject: [PATCH] iommu/amd: Apply the same IVRS IOAPIC workaround to Acer
+ Aspire A315-41
+Message-Id: <20191021151721.12393-1-tiwai@suse.de>
+Patch-mainline: Submitted, iommu ML
+References: bsc#1137799
+
+Acer Aspire A315-41 requires the very same workaround as the existing
+quirk for Dell Latitude 5495. Add the new entry for that.
+
+Buglink: https://bugzilla.suse.com/show_bug.cgi?id=1137799
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/iommu/amd_iommu_quirks.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/iommu/amd_iommu_quirks.c b/drivers/iommu/amd_iommu_quirks.c
+index c235f79b7a20..5120ce4fdce3 100644
+--- a/drivers/iommu/amd_iommu_quirks.c
++++ b/drivers/iommu/amd_iommu_quirks.c
+@@ -73,6 +73,19 @@ static const struct dmi_system_id ivrs_quirks[] __initconst = {
+ },
+ .driver_data = (void *)&ivrs_ioapic_quirks[DELL_LATITUDE_5495],
+ },
++ {
++ /*
++ * Acer Aspire A315-41 requires the very same workaround as
++ * Dell Latitude 5495
++ */
++ .callback = ivrs_ioapic_quirk_cb,
++ .ident = "Acer Aspire A315-41",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire A315-41"),
++ },
++ .driver_data = (void *)&ivrs_ioapic_quirks[DELL_LATITUDE_5495],
++ },
+ {
+ .callback = ivrs_ioapic_quirk_cb,
+ .ident = "Lenovo ideapad 330S-15ARR",
+--
+2.16.4
+
diff --git a/patches.suse/iommu-amd-Override-wrong-IVRS-IOAPIC-on-Raven-Ridge-.patch b/patches.suse/iommu-amd-Override-wrong-IVRS-IOAPIC-on-Raven-Ridge-.patch
new file mode 100644
index 0000000000..4e8ff55cf7
--- /dev/null
+++ b/patches.suse/iommu-amd-Override-wrong-IVRS-IOAPIC-on-Raven-Ridge-.patch
@@ -0,0 +1,181 @@
+From 93d051550ee02eaff9a2541d825605a7bd778027 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Wed, 21 Aug 2019 13:10:04 +0800
+Subject: [PATCH] iommu/amd: Override wrong IVRS IOAPIC on Raven Ridge systems
+Git-commit: 93d051550ee02eaff9a2541d825605a7bd778027
+Patch-mainline: v5.4-rc1
+References: bsc#1137799
+
+Raven Ridge systems may have malfunction touchpad or hang at boot if
+incorrect IVRS IOAPIC is provided by BIOS.
+
+Users already found correct "ivrs_ioapic=" values, let's put them inside
+kernel to workaround buggy BIOS.
+
+Buglink: https://bugs.launchpad.net/bugs/1795292
+Buglink: https://bugs.launchpad.net/bugs/1837688
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/iommu/Makefile | 2
+ drivers/iommu/amd_iommu.h | 14 +++++
+ drivers/iommu/amd_iommu_init.c | 5 +-
+ drivers/iommu/amd_iommu_quirks.c | 92 +++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 111 insertions(+), 2 deletions(-)
+ create mode 100644 drivers/iommu/amd_iommu.h
+ create mode 100644 drivers/iommu/amd_iommu_quirks.c
+
+--- a/drivers/iommu/Makefile
++++ b/drivers/iommu/Makefile
+@@ -8,7 +8,7 @@ obj-$(CONFIG_IOMMU_IO_PGTABLE_LPAE) += i
+ obj-$(CONFIG_IOMMU_IOVA) += iova.o
+ obj-$(CONFIG_OF_IOMMU) += of_iommu.o
+ obj-$(CONFIG_MSM_IOMMU) += msm_iommu.o
+-obj-$(CONFIG_AMD_IOMMU) += amd_iommu.o amd_iommu_init.o
++obj-$(CONFIG_AMD_IOMMU) += amd_iommu.o amd_iommu_init.o amd_iommu_quirks.o
+ obj-$(CONFIG_AMD_IOMMU_V2) += amd_iommu_v2.o
+ obj-$(CONFIG_ARM_SMMU) += arm-smmu.o
+ obj-$(CONFIG_ARM_SMMU_V3) += arm-smmu-v3.o
+--- /dev/null
++++ b/drivers/iommu/amd_iommu.h
+@@ -0,0 +1,14 @@
++/* SPDX-License-Identifier: GPL-2.0-only */
++
++#ifndef AMD_IOMMU_H
++#define AMD_IOMMU_H
++
++int __init add_special_device(u8 type, u8 id, u16 *devid, bool cmd_line);
++
++#ifdef CONFIG_DMI
++void amd_iommu_apply_ivrs_quirks(void);
++#else
++static void amd_iommu_apply_ivrs_quirks(void) { }
++#endif
++
++#endif
+--- a/drivers/iommu/amd_iommu_init.c
++++ b/drivers/iommu/amd_iommu_init.c
+@@ -41,6 +41,7 @@
+ #include <asm/irq_remapping.h>
+
+ #include <linux/crash_dump.h>
++#include "amd_iommu.h"
+ #include "amd_iommu_proto.h"
+ #include "amd_iommu_types.h"
+ #include "irq_remapping.h"
+@@ -1007,7 +1008,7 @@ static void __init set_dev_entry_from_ac
+ set_iommu_for_device(iommu, devid);
+ }
+
+-static int __init add_special_device(u8 type, u8 id, u16 *devid, bool cmd_line)
++int __init add_special_device(u8 type, u8 id, u16 *devid, bool cmd_line)
+ {
+ struct devid_map *entry;
+ struct list_head *list;
+@@ -1158,6 +1159,8 @@ static int __init init_iommu_from_acpi(s
+ if (ret)
+ return ret;
+
++ amd_iommu_apply_ivrs_quirks();
++
+ /*
+ * First save the recommended feature enable bits from ACPI
+ */
+--- /dev/null
++++ b/drivers/iommu/amd_iommu_quirks.c
+@@ -0,0 +1,92 @@
++/* SPDX-License-Identifier: GPL-2.0-only */
++
++/*
++ * Quirks for AMD IOMMU
++ *
++ * Copyright (C) 2019 Kai-Heng Feng <kai.heng.feng@canonical.com>
++ */
++
++#ifdef CONFIG_DMI
++#include <linux/dmi.h>
++
++#include "amd_iommu.h"
++
++#define IVHD_SPECIAL_IOAPIC 1
++
++struct ivrs_quirk_entry {
++ u8 id;
++ u16 devid;
++};
++
++enum {
++ DELL_INSPIRON_7375 = 0,
++ DELL_LATITUDE_5495,
++ LENOVO_IDEAPAD_330S_15ARR,
++};
++
++static const struct ivrs_quirk_entry ivrs_ioapic_quirks[][3] __initconst = {
++ /* ivrs_ioapic[4]=00:14.0 ivrs_ioapic[5]=00:00.2 */
++ [DELL_INSPIRON_7375] = {
++ { .id = 4, .devid = 0xa0 },
++ { .id = 5, .devid = 0x2 },
++ {}
++ },
++ /* ivrs_ioapic[4]=00:14.0 */
++ [DELL_LATITUDE_5495] = {
++ { .id = 4, .devid = 0xa0 },
++ {}
++ },
++ /* ivrs_ioapic[32]=00:14.0 */
++ [LENOVO_IDEAPAD_330S_15ARR] = {
++ { .id = 32, .devid = 0xa0 },
++ {}
++ },
++ {}
++};
++
++static int __init ivrs_ioapic_quirk_cb(const struct dmi_system_id *d)
++{
++ const struct ivrs_quirk_entry *i;
++
++ for (i = d->driver_data; i->id != 0 && i->devid != 0; i++)
++ add_special_device(IVHD_SPECIAL_IOAPIC, i->id, (u16 *)&i->devid, 0);
++
++ return 0;
++}
++
++static const struct dmi_system_id ivrs_quirks[] __initconst = {
++ {
++ .callback = ivrs_ioapic_quirk_cb,
++ .ident = "Dell Inspiron 7375",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 7375"),
++ },
++ .driver_data = (void *)&ivrs_ioapic_quirks[DELL_INSPIRON_7375],
++ },
++ {
++ .callback = ivrs_ioapic_quirk_cb,
++ .ident = "Dell Latitude 5495",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude 5495"),
++ },
++ .driver_data = (void *)&ivrs_ioapic_quirks[DELL_LATITUDE_5495],
++ },
++ {
++ .callback = ivrs_ioapic_quirk_cb,
++ .ident = "Lenovo ideapad 330S-15ARR",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "81FB"),
++ },
++ .driver_data = (void *)&ivrs_ioapic_quirks[LENOVO_IDEAPAD_330S_15ARR],
++ },
++ {}
++};
++
++void __init amd_iommu_apply_ivrs_quirks(void)
++{
++ dmi_check_system(ivrs_quirks);
++}
++#endif
diff --git a/patches.suse/iommu-amd-check-pm_level_size-condition-in-locked-section b/patches.suse/iommu-amd-check-pm_level_size-condition-in-locked-section
new file mode 100644
index 0000000000..6fe09e3fd7
--- /dev/null
+++ b/patches.suse/iommu-amd-check-pm_level_size-condition-in-locked-section
@@ -0,0 +1,53 @@
+From: Joerg Roedel <jroedel@suse.de>
+Date: Fri, 18 Oct 2019 11:34:22 +0200
+Subject: iommu/amd: Check PM_LEVEL_SIZE() condition in locked section
+Git-commit: 46ac18c347b00be29b265c28209b0f3c38a1f142
+Patch-mainline: v5.4-rc4
+References: bsc#1154608
+
+The increase_address_space() function has to check the PM_LEVEL_SIZE()
+condition again under the domain->lock to avoid a false trigger of the
+WARN_ON_ONCE() and to avoid that the address space is increase more
+often than necessary.
+
+Reported-by: Qian Cai <cai@lca.pw>
+Fixes: 754265bcab78 ("iommu/amd: Fix race in increase_address_space()")
+Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/amd_iommu.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index bcd89ea50a8b..dd555078258c 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -1464,6 +1464,7 @@ static void free_pagetable(struct protection_domain *domain)
+ * to 64 bits.
+ */
+ static bool increase_address_space(struct protection_domain *domain,
++ unsigned long address,
+ gfp_t gfp)
+ {
+ unsigned long flags;
+@@ -1472,8 +1473,8 @@ static bool increase_address_space(struct protection_domain *domain,
+
+ spin_lock_irqsave(&domain->lock, flags);
+
+- if (WARN_ON_ONCE(domain->mode == PAGE_MODE_6_LEVEL))
+- /* address space already 64 bit large */
++ if (address <= PM_LEVEL_SIZE(domain->mode) ||
++ WARN_ON_ONCE(domain->mode == PAGE_MODE_6_LEVEL))
+ goto out;
+
+ pte = (void *)get_zeroed_page(gfp);
+@@ -1506,7 +1507,7 @@ static u64 *alloc_pte(struct protection_domain *domain,
+ BUG_ON(!is_power_of_2(page_size));
+
+ while (address > PM_LEVEL_SIZE(domain->mode))
+- *updated = increase_address_space(domain, gfp) || *updated;
++ *updated = increase_address_space(domain, address, gfp) || *updated;
+
+ level = domain->mode - 1;
+ pte = &domain->pt_root[PM_LEVEL_INDEX(level, address)];
+
diff --git a/patches.suse/iommu-amd-remove-domain-updated b/patches.suse/iommu-amd-remove-domain-updated
new file mode 100644
index 0000000000..0fe90e6d79
--- /dev/null
+++ b/patches.suse/iommu-amd-remove-domain-updated
@@ -0,0 +1,164 @@
+From: Joerg Roedel <jroedel@suse.de>
+Date: Wed, 25 Sep 2019 15:22:55 +0200
+Subject: iommu/amd: Remove domain->updated
+Git-commit: f15d9a992f901d4f22db868adf800844d1cac9f2
+Patch-mainline: v5.4-rc1
+References: bsc#1154610
+
+This struct member was used to track whether a domain
+change requires updates to the device-table and IOMMU cache
+flushes. The problem is, that access to this field is racy
+since locking in the common mapping code-paths has been
+eliminated.
+
+Move the updated field to the stack to get rid of all
+potential races and remove the field from the struct.
+
+Fixes: 92d420ec028d ("iommu/amd: Relax locking in dma_ops path")
+Reviewed-by: Filippo Sironi <sironi@amazon.de>
+Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/amd_iommu.c | 49 +++++++++++++++++++++--------------------
+ drivers/iommu/amd_iommu_types.h | 1 -
+ 2 files changed, 25 insertions(+), 25 deletions(-)
+
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -1382,10 +1382,11 @@ static void domain_flush_devices(struct
+ * another level increases the size of the address space by 9 bits to a size up
+ * to 64 bits.
+ */
+-static void increase_address_space(struct protection_domain *domain,
++static bool increase_address_space(struct protection_domain *domain,
+ gfp_t gfp)
+ {
+ unsigned long flags;
++ bool ret = false;
+ u64 *pte;
+
+ spin_lock_irqsave(&domain->lock, flags);
+@@ -1402,19 +1403,21 @@ static void increase_address_space(struc
+ iommu_virt_to_phys(domain->pt_root));
+ domain->pt_root = pte;
+ domain->mode += 1;
+- domain->updated = true;
++
++ ret = true;
+
+ out:
+ spin_unlock_irqrestore(&domain->lock, flags);
+
+- return;
++ return ret;
+ }
+
+ static u64 *alloc_pte(struct protection_domain *domain,
+ unsigned long address,
+ unsigned long page_size,
+ u64 **pte_page,
+- gfp_t gfp)
++ gfp_t gfp,
++ bool *updated)
+ {
+ int level, end_lvl;
+ u64 *pte, *page;
+@@ -1422,7 +1425,7 @@ static u64 *alloc_pte(struct protection_
+ BUG_ON(!is_power_of_2(page_size));
+
+ while (address > PM_LEVEL_SIZE(domain->mode))
+- increase_address_space(domain, gfp);
++ *updated = increase_address_space(domain, gfp) || *updated;
+
+ level = domain->mode - 1;
+ pte = &domain->pt_root[PM_LEVEL_INDEX(level, address)];
+@@ -1535,8 +1538,9 @@ static int iommu_map_page(struct protect
+ int prot,
+ gfp_t gfp)
+ {
++ bool updated = false;
+ u64 __pte, *pte;
+- int i, count;
++ int ret, i, count;
+
+ BUG_ON(!IS_ALIGNED(bus_addr, page_size));
+ BUG_ON(!IS_ALIGNED(phys_addr, page_size));
+@@ -1545,14 +1549,16 @@ static int iommu_map_page(struct protect
+ return -EINVAL;
+
+ count = PAGE_SIZE_PTE_COUNT(page_size);
+- pte = alloc_pte(dom, bus_addr, page_size, NULL, gfp);
++ pte = alloc_pte(dom, bus_addr, page_size, NULL, gfp, &updated);
+
++ ret = -ENOMEM;
+ if (!pte)
+- return -ENOMEM;
++ goto out;
+
++ ret = -EBUSY;
+ for (i = 0; i < count; ++i)
+ if (IOMMU_PTE_PRESENT(pte[i]))
+- return -EBUSY;
++ goto out;
+
+ if (count > 1) {
+ __pte = PAGE_SIZE_PTE(__sme_set(phys_addr), page_size);
+@@ -1568,9 +1574,13 @@ static int iommu_map_page(struct protect
+ for (i = 0; i < count; ++i)
+ pte[i] = __pte;
+
+- update_domain(dom);
++ ret = 0;
++
++out:
++ if (updated)
++ update_domain(dom);
+
+- return 0;
++ return ret;
+ }
+
+ static unsigned long iommu_unmap_page(struct protection_domain *dom,
+@@ -2556,15 +2566,10 @@ static void update_device_table(struct p
+
+ static void update_domain(struct protection_domain *domain)
+ {
+- if (!domain->updated)
+- return;
+-
+ update_device_table(domain);
+
+ domain_flush_devices(domain);
+ domain_flush_tlb_pde(domain);
+-
+- domain->updated = false;
+ }
+
+ static int dir2prot(enum dma_data_direction direction)
+@@ -3486,7 +3491,6 @@ void amd_iommu_domain_direct_map(struct
+
+ /* Update data structure */
+ domain->mode = PAGE_MODE_NONE;
+- domain->updated = true;
+
+ /* Make changes visible to IOMMUs */
+ update_domain(domain);
+@@ -3532,7 +3536,6 @@ int amd_iommu_domain_enable_v2(struct io
+
+ domain->glx = levels;
+ domain->flags |= PD_IOMMUV2_MASK;
+- domain->updated = true;
+
+ update_domain(domain);
+
+--- a/drivers/iommu/amd_iommu_types.h
++++ b/drivers/iommu/amd_iommu_types.h
+@@ -483,7 +483,6 @@ struct protection_domain {
+ int glx; /* Number of levels for GCR3 table */
+ u64 *gcr3_tbl; /* Guest CR3 table */
+ unsigned long flags; /* flags to find out type of domain */
+- bool updated; /* complete domain flush required */
+ unsigned dev_cnt; /* devices assigned to this domain */
+ unsigned dev_iommu[MAX_IOMMUS]; /* per-IOMMU reference count */
+ };
+
diff --git a/patches.suse/iommu-amd-wait-for-completion-of-iotlb-flush-in-attach_device b/patches.suse/iommu-amd-wait-for-completion-of-iotlb-flush-in-attach_device
new file mode 100644
index 0000000000..ce7148d000
--- /dev/null
+++ b/patches.suse/iommu-amd-wait-for-completion-of-iotlb-flush-in-attach_device
@@ -0,0 +1,32 @@
+From: Filippo Sironi <sironi@amazon.de>
+Date: Tue, 10 Sep 2019 19:49:21 +0200
+Subject: iommu/amd: Wait for completion of IOTLB flush in attach_device
+Git-commit: 0b15e02f0cc4fb34a9160de7ba6db3a4013dc1b7
+Patch-mainline: v5.4-rc1
+References: bsc#1154611
+
+To make sure the domain tlb flush completes before the
+function returns, explicitly wait for its completion.
+
+Signed-off-by: Filippo Sironi <sironi@amazon.de>
+Fixes: 42a49f965a8d ("amd-iommu: flush domain tlb when attaching a new device")
+[joro: Added commit message and fixes tag]
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/amd_iommu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index fda9923542c9..7bdce3b10f3d 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -2212,6 +2212,8 @@ static int attach_device(struct device *dev,
+ */
+ domain_flush_tlb_pde(domain);
+
++ domain_flush_complete(domain);
++
+ return ret;
+ }
+
+
diff --git a/patches.suse/iwlwifi-pcie-fix-rb_allocator-workqueue-allocation.patch b/patches.suse/iwlwifi-pcie-fix-rb_allocator-workqueue-allocation.patch
new file mode 100644
index 0000000000..49ad0cbd83
--- /dev/null
+++ b/patches.suse/iwlwifi-pcie-fix-rb_allocator-workqueue-allocation.patch
@@ -0,0 +1,59 @@
+From 8188a18ee2e48c9a7461139838048363bfce3fef Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 19 Sep 2019 09:04:09 +0200
+Subject: [PATCH] iwlwifi: pcie: fix rb_allocator workqueue allocation
+Git-commit: 8188a18ee2e48c9a7461139838048363bfce3fef
+Patch-mainline: v5.4-rc4
+References: CVE-2019-16234,bsc#1150452
+
+We don't handle failures in the rb_allocator workqueue allocation
+correctly. To fix that, move the code earlier so the cleanup is
+easier and we don't have to undo all the interrupt allocations in
+this case.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -3030,6 +3030,15 @@ struct iwl_trans *iwl_trans_pcie_alloc(s
+ spin_lock_init(&trans_pcie->reg_lock);
+ mutex_init(&trans_pcie->mutex);
+ init_waitqueue_head(&trans_pcie->ucode_write_waitq);
++
++ trans_pcie->rba.alloc_wq = alloc_workqueue("rb_allocator",
++ WQ_HIGHPRI | WQ_UNBOUND, 1);
++ if (!trans_pcie->rba.alloc_wq) {
++ ret = -ENOMEM;
++ goto out_free_trans;
++ }
++ INIT_WORK(&trans_pcie->rba.rx_alloc, iwl_pcie_rx_allocator_work);
++
+ trans_pcie->tso_hdr_page = alloc_percpu(struct iwl_tso_hdr_page);
+ if (!trans_pcie->tso_hdr_page) {
+ ret = -ENOMEM;
+@@ -3202,10 +3211,6 @@ struct iwl_trans *iwl_trans_pcie_alloc(s
+ trans_pcie->inta_mask = CSR_INI_SET_MASK;
+ }
+
+- trans_pcie->rba.alloc_wq = alloc_workqueue("rb_allocator",
+- WQ_HIGHPRI | WQ_UNBOUND, 1);
+- INIT_WORK(&trans_pcie->rba.rx_alloc, iwl_pcie_rx_allocator_work);
+-
+ #ifdef CONFIG_IWLWIFI_PCIE_RTPM
+ trans->runtime_pm_mode = IWL_PLAT_PM_MODE_D0I3;
+ #else
+@@ -3218,6 +3223,8 @@ out_free_ict:
+ iwl_pcie_free_ict(trans);
+ out_no_pci:
+ free_percpu(trans_pcie->tso_hdr_page);
++ destroy_workqueue(trans_pcie->rba.alloc_wq);
++out_free_trans:
+ iwl_trans_free(trans);
+ return ERR_PTR(ret);
+ }
diff --git a/patches.suse/libertas-fix-a-potential-NULL-pointer-dereference.patch b/patches.suse/libertas-fix-a-potential-NULL-pointer-dereference.patch
new file mode 100644
index 0000000000..3849a100d8
--- /dev/null
+++ b/patches.suse/libertas-fix-a-potential-NULL-pointer-dereference.patch
@@ -0,0 +1,46 @@
+From 7da413a18583baaf35dd4a8eb414fa410367d7f2 Mon Sep 17 00:00:00 2001
+From: Allen Pais <allen.pais@oracle.com>
+Date: Wed, 18 Sep 2019 22:05:00 +0530
+Subject: [PATCH] libertas: fix a potential NULL pointer dereference
+Git-commit: 7da413a18583baaf35dd4a8eb414fa410367d7f2
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git
+Patch-mainline: Queued in subsystem maintainer repo
+References: CVE-2019-16232,bsc#1150465
+
+alloc_workqueue is not checked for errors and as a result,
+a potential NULL dereference could occur.
+
+Signed-off-by: Allen Pais <allen.pais@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/wireless/marvell/libertas/if_sdio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/libertas/if_sdio.c b/drivers/net/wireless/marvell/libertas/if_sdio.c
+index 242d8845da3f..30f1025ecb9b 100644
+--- a/drivers/net/wireless/marvell/libertas/if_sdio.c
++++ b/drivers/net/wireless/marvell/libertas/if_sdio.c
+@@ -1179,6 +1179,10 @@ static int if_sdio_probe(struct sdio_func *func,
+
+ spin_lock_init(&card->lock);
+ card->workqueue = alloc_workqueue("libertas_sdio", WQ_MEM_RECLAIM, 0);
++ if (unlikely(!card->workqueue)) {
++ ret = -ENOMEM;
++ goto err_queue;
++ }
+ INIT_WORK(&card->packet_worker, if_sdio_host_to_card_worker);
+ init_waitqueue_head(&card->pwron_waitq);
+
+@@ -1230,6 +1234,7 @@ static int if_sdio_probe(struct sdio_func *func,
+ lbs_remove_card(priv);
+ free:
+ destroy_workqueue(card->workqueue);
++err_queue:
+ while (card->packets) {
+ packet = card->packets;
+ card->packets = card->packets->next;
+--
+2.16.4
+
diff --git a/patches.suse/net-ath6kl-Fix-a-NULL-ptr-deref-bug.patch b/patches.suse/net-ath6kl-Fix-a-NULL-ptr-deref-bug.patch
index 655d820710..b6a26fbb82 100644
--- a/patches.suse/net-ath6kl-Fix-a-NULL-ptr-deref-bug.patch
+++ b/patches.suse/net-ath6kl-Fix-a-NULL-ptr-deref-bug.patch
@@ -1,9 +1,10 @@
+From 39d170b3cb62ba98567f5c4f40c27b5864b304e5 Mon Sep 17 00:00:00 2001
From: Hui Peng <benquike@gmail.com>
-Subject: [PATCH] Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe
-Date: Sat, 3 Aug 2019 20:29:04 -0400
-Message-id: <20190804002905.11292-1-benquike@gmail.com>
-Patch-mainline: Submitted, https://patchwork.kernel.org/patch/11074655/
-References: CVE-2019-15098,bsc#1146378,CVE-2019-15290,bsc#1146543
+Date: Sat, 3 Aug 2019 20:29:04 -0400
+Subject: [PATCH] ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe()
+Git-commit: 39d170b3cb62ba98567f5c4f40c27b5864b304e5
+Patch-mainline: v5.4-rc1
+References: CVE-2019-15098,bsc#1146378,CVE-2019-15290,bsc#1146543
The `ar_usb` field of `ath6kl_usb_pipe_usb_pipe` objects
are initialized to point to the containing `ath6kl_usb` object
@@ -31,21 +32,25 @@ malicious and does not report complete addresses, it may trigger
NULL-ptr-deref `ath6kl_usb_alloc_urb_from_pipe` and
`ath6kl_usb_free_urb_to_pipe`.
-This patch fixes the bug by preventing potential NULL-ptr-deref.
+This patch fixes the bug by preventing potential NULL-ptr-deref
+(CVE-2019-15098).
Signed-off-by: Hui Peng <benquike@gmail.com>
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
- drivers/net/wireless/ath/ath6kl/usb.c | 8 ++++++++
+ drivers/net/wireless/ath/ath6kl/usb.c | 8 ++++++++
1 file changed, 8 insertions(+)
+diff --git a/drivers/net/wireless/ath/ath6kl/usb.c b/drivers/net/wireless/ath/ath6kl/usb.c
+index 4defb7a0330f..53b66e9434c9 100644
--- a/drivers/net/wireless/ath/ath6kl/usb.c
+++ b/drivers/net/wireless/ath/ath6kl/usb.c
-@@ -132,6 +132,10 @@ ath6kl_usb_alloc_urb_from_pipe(struct at
+@@ -132,6 +132,10 @@ ath6kl_usb_alloc_urb_from_pipe(struct ath6kl_usb_pipe *pipe)
struct ath6kl_urb_context *urb_context = NULL;
unsigned long flags;
@@ -56,7 +61,7 @@ Signed-off-by: Takashi Iwai <tiwai@suse.de>
spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags);
if (!list_empty(&pipe->urb_list_head)) {
urb_context =
-@@ -150,6 +154,10 @@ static void ath6kl_usb_free_urb_to_pipe(
+@@ -150,6 +154,10 @@ static void ath6kl_usb_free_urb_to_pipe(struct ath6kl_usb_pipe *pipe,
{
unsigned long flags;
@@ -67,3 +72,6 @@ Signed-off-by: Takashi Iwai <tiwai@suse.de>
spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags);
pipe->urb_cnt++;
+--
+2.16.4
+
diff --git a/patches.suse/rtlwifi-Fix-potential-overflow-on-P2P-code.patch b/patches.suse/rtlwifi-Fix-potential-overflow-on-P2P-code.patch
new file mode 100644
index 0000000000..33cee0caf3
--- /dev/null
+++ b/patches.suse/rtlwifi-Fix-potential-overflow-on-P2P-code.patch
@@ -0,0 +1,38 @@
+From: Laura Abbott <labbott@redhat.com>
+Date: Fri, 18 Oct 2019 07:43:21 -0400
+Subject: [PATCH] rtlwifi: Fix potential overflow on P2P code
+Patch-mainline: Submitted, https://lkml.org/lkml/2019/10/18/557
+References: bsc#1154372 CVE-2019-17666
+
+Nicolas Waisman noticed that even though noa_len is checked for
+a compatible length it's still possible to overrun the buffers
+of p2pinfo since there's no check on the upper bound of noa_num.
+Bound noa_num against P2P_MAX_NOA_NUM.
+
+Reported-by: Nicolas Waisman <nico@semmle.com>
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Acked-by: Cho, Yu-Chen <acho@suse.com>
+---
+ drivers/net/wireless/realtek/rtlwifi/ps.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/ps.c
++++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
+@@ -772,6 +772,8 @@ static void rtl_p2p_noa_ie(struct ieee80
+ return;
+ } else {
+ noa_num = (noa_len - 2) / 13;
++ if (noa_num > P2P_MAX_NOA_NUM)
++ noa_num = P2P_MAX_NOA_NUM;
+ }
+ noa_index = ie[3];
+ if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
+@@ -866,6 +868,8 @@ static void rtl_p2p_action_ie(struct iee
+ return;
+ } else {
+ noa_num = (noa_len - 2) / 13;
++ if (noa_num > P2P_MAX_NOA_NUM)
++ noa_num = P2P_MAX_NOA_NUM;
+ }
+ noa_index = ie[3];
+ if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
diff --git a/patches.suse/video-of-display_timing-Add-of_node_put-in-of_get_di.patch b/patches.suse/video-of-display_timing-Add-of_node_put-in-of_get_di.patch
new file mode 100644
index 0000000000..244ce005ae
--- /dev/null
+++ b/patches.suse/video-of-display_timing-Add-of_node_put-in-of_get_di.patch
@@ -0,0 +1,57 @@
+From 4faba50edbcc1df467f8f308893edc3fdd95536e Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Mon, 22 Jul 2019 11:24:36 -0700
+Subject: [PATCH] video: of: display_timing: Add of_node_put() in of_get_display_timing()
+Git-commit: 4faba50edbcc1df467f8f308893edc3fdd95536e
+Patch-mainline: v5.4-rc1
+References: bsc#1051510
+
+From code inspection it can be seen that of_get_display_timing() is
+lacking an of_node_put(). Add it.
+
+Fixes: ffa3fd21de8a ("videomode: implement public of_get_display_timing()")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Sam Ravnborg <sam@ravnborg.org>
+Cc: Thierry Reding <thierry.reding@gmail.com>
+Cc: David Airlie <airlied@linux.ie>
+Cc: Philipp Zabel <p.zabel@pengutronix.de>
+Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190722182439.44844-2-dianders@chromium.org
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/video/of_display_timing.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/of_display_timing.c b/drivers/video/of_display_timing.c
+index f5c1c469c0af..5eedae0799f0 100644
+--- a/drivers/video/of_display_timing.c
++++ b/drivers/video/of_display_timing.c
+@@ -119,6 +119,7 @@ int of_get_display_timing(const struct device_node *np, const char *name,
+ struct display_timing *dt)
+ {
+ struct device_node *timing_np;
++ int ret;
+
+ if (!np)
+ return -EINVAL;
+@@ -129,7 +130,11 @@ int of_get_display_timing(const struct device_node *np, const char *name,
+ return -ENOENT;
+ }
+
+- return of_parse_display_timing(timing_np, dt);
++ ret = of_parse_display_timing(timing_np, dt);
++
++ of_node_put(timing_np);
++
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(of_get_display_timing);
+
+--
+2.16.4
+
diff --git a/patches.suse/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_se.patch b/patches.suse/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_se.patch
new file mode 100644
index 0000000000..a7914b79be
--- /dev/null
+++ b/patches.suse/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_se.patch
@@ -0,0 +1,57 @@
+From 144783a80cd2cbc45c6ce17db649140b65f203dd Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Date: Mon, 12 Aug 2019 15:13:56 +0200
+Subject: [PATCH] watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout
+Git-commit: 144783a80cd2cbc45c6ce17db649140b65f203dd
+Patch-mainline: v5.4-rc1
+References: bsc#1051510
+
+Converting from ms to s requires dividing by 1000, not multiplying. So
+this is currently taking the smaller of new_timeout and 1.28e8,
+i.e. effectively new_timeout.
+
+The driver knows what it set max_hw_heartbeat_ms to, so use that
+value instead of doing a division at run-time.
+
+FWIW, this can easily be tested by booting into a busybox shell and
+doing "watchdog -t 5 -T 130 /dev/watchdog" - without this patch, the
+watchdog fires after 130&127 == 2 seconds.
+
+Fixes: b07e228eee69 "watchdog: imx2_wdt: Fix set_timeout for big timeout values"
+Cc: stable@vger.kernel.org # 5.2 plus anything the above got backported to
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20190812131356.23039-1-linux@rasmusvillemoes.dk
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/watchdog/imx2_wdt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/watchdog/imx2_wdt.c b/drivers/watchdog/imx2_wdt.c
+index 32af3974e6bb..8d019a961ccc 100644
+--- a/drivers/watchdog/imx2_wdt.c
++++ b/drivers/watchdog/imx2_wdt.c
+@@ -55,7 +55,7 @@
+
+ #define IMX2_WDT_WMCR 0x08 /* Misc Register */
+
+-#define IMX2_WDT_MAX_TIME 128
++#define IMX2_WDT_MAX_TIME 128U
+ #define IMX2_WDT_DEFAULT_TIME 60 /* in seconds */
+
+ #define WDOG_SEC_TO_COUNT(s) ((s * 2 - 1) << 8)
+@@ -180,7 +180,7 @@ static int imx2_wdt_set_timeout(struct watchdog_device *wdog,
+ {
+ unsigned int actual;
+
+- actual = min(new_timeout, wdog->max_hw_heartbeat_ms * 1000);
++ actual = min(new_timeout, IMX2_WDT_MAX_TIME);
+ __imx2_wdt_set_timeout(wdog, actual);
+ wdog->timeout = new_timeout;
+ return 0;
+--
+2.16.4
+
diff --git a/series.conf b/series.conf
index 98c0fd5726..15350d0a30 100644
--- a/series.conf
+++ b/series.conf
@@ -16833,6 +16833,7 @@
patches.suse/spi-pxa2xx-check-clk_prepare_enable-return-value
patches.suse/cifs_lookup-cifs_get_inode_-never-returns-0-with-inode-left.patch
patches.suse/cifs_lookup-switch-to-d_splice_alias-.patch
+ patches.suse/btrfs-remove-wrong-use-of-volume_mutex-from-btrfs_dev_replace_start.patch
patches.suse/btrfs-track-running-balance-in-a-simpler-way.patch
patches.suse/0001-btrfs-Factor-out-common-delayed-refs-init-code.patch
patches.suse/0002-btrfs-Use-init_delayed_ref_common-in-add_delayed_tre.patch
@@ -23910,6 +23911,7 @@
patches.suse/ALSA-hda-Force-polling-mode-on-CNL-for-fixing-codec-.patch
patches.suse/ALSA-hda-realtek-Improve-the-headset-mic-for-Acer-As.patch
patches.suse/configfs-Fix-use-after-free-when-accessing-sd-s_dent.patch
+ patches.suse/btrfs-ensure-replaced-device-doesn-t-have-pending-chunk-allocation.patch
patches.suse/btrfs-reloc-also-queue-orphan-reloc-tree-for-cleanup-to-avoid-bug_on.patch
patches.suse/0002-btrfs-qgroup-Check-bg-while-resuming-relocation-to-a.patch
patches.suse/btrfs-fix-fsync-not-persisting-changed-attributes-of.patch
@@ -24471,6 +24473,7 @@
patches.suse/0001-PCI-qcom-Ensure-that-PERST-is-asserted-for-at-least-.patch
patches.suse/0001-PCI-xilinx-nwl-Fix-Multi-MSI-data-programming.patch
patches.suse/nvme-fc-fix-module-unloads-while-lports-still-pendin.patch
+ patches.suse/btrfs-ensure-btrfs_init_dev_replace_tgtdev-sees-up-to-date-values.patch
patches.suse/btrfs-fix-data-loss-after-inode-eviction-renaming-it.patch
patches.suse/Btrfs-prevent-send-failures-and-crashes-due-to-concu.patch
patches.suse/btrfs-fix-fsync-not-persisting-dentry-deletions-due-.patch
@@ -24876,6 +24879,7 @@
patches.suse/hwmon-shtc1-fix-shtc1-and-shtw1-id-mask.patch
patches.suse/regulator-lm363x-Fix-off-by-one-n_voltages-for-lm363.patch
patches.suse/gpio-Move-gpiochip_lock-unlock_as_irq-to-gpio-driver.patch
+ patches.suse/iommu-amd-Override-wrong-IVRS-IOAPIC-on-Raven-Ridge-.patch
patches.suse/iommu-iova-avoid-false-sharing-on-fq_timer_on
patches.suse/iommu-dma-fix-for-dereferencing-before-null-checking
patches.suse/qla2xxx-remove-SGI-SN2-support.patch
@@ -24943,6 +24947,8 @@
patches.suse/dmaengine-dw-platform-Switch-to-acpi_dma_controller_.patch
patches.suse/dmaengine-iop-adma.c-fix-printk-format-warning.patch
patches.suse/PM-sleep-Fix-possible-overflow-in-pm_system_cancel_w.patch
+ patches.suse/ACPI-CPPC-do-not-require-the-_PSD-method.patch
+ patches.suse/ACPI-processor-don-t-print-errors-for-processorIDs-0.patch
patches.suse/ACPI-custom_method-fix-memory-leaks.patch
patches.suse/ACPI-PCI-fix-acpi_pci_irq_enable-memory-leak.patch
patches.suse/ACPI-property-Fix-acpi_graph_get_remote_endpoint-nam.patch
@@ -24979,6 +24985,7 @@
patches.suse/nl80211-Fix-possible-Spectre-v1-for-CQM-RSSI-4b2c5a14.patch
patches.suse/cfg80211-Purge-frame-registrations-on-iftype-change.patch
patches.suse/ath9k-dynack-fix-possible-deadlock-in-ath_dynack_nod.patch
+ patches.suse/net-ath6kl-Fix-a-NULL-ptr-deref-bug.patch
patches.suse/0001-xen-netfront-do-not-assume-sk_buff_head-list-is-empt.patch
patches.suse/Btrfs-fix-use-after-free-when-using-the-tree-modific.patch
patches.suse/ipmi_si-Only-schedule-continuously-in-the-thread-in-.patch
@@ -24987,6 +24994,7 @@
patches.suse/drm-bridge-tc358767-Increase-AUX-transfer-length-lim.patch
patches.suse/drm-panel-simple-fix-AUO-g185han01-horizontal-blanki.patch
patches.suse/0001-video-ssd1307fb-Start-page-range-at-page_offset.patch
+ patches.suse/video-of-display_timing-Add-of_node_put-in-of_get_di.patch
patches.suse/drm-radeon-Fix-EEH-during-kexec.patch
patches.suse/gpu-drm-radeon-Fix-a-possible-null-pointer-dereferen.patch
patches.suse/0001-drm-imx-Drop-unused-imx-ipuv3-crtc.o-build.patch
@@ -25147,8 +25155,10 @@
patches.suse/ceph-update-the-mtime-when-truncating-up.patch
patches.suse/ceph-reconnect-connection-if-session-hang-in-opening-state.patch
patches.suse/drm-amdgpu-Check-for-valid-number-of-registers-to-re.patch
+ patches.suse/watchdog-imx2_wdt-fix-min-calculation-in-imx2_wdt_se.patch
patches.suse/thermal_hwmon-Sanitize-thermal_zone-type.patch
patches.suse/thermal-Fix-use-after-free-when-unregistering-therma.patch
+ patches.suse/9p-avoid-attaching-writeback_fid-on-mmap-with-type-P.patch
patches.suse/ima-always-return-negative-code-for-error.patch
patches.suse/KVM-PPC-Book3S-HV-use-smp_mb-when-setting-clearing-h.patch
patches.suse/powerpc-pseries-Read-TLB-Block-Invalidate-Characteri.patch
@@ -25160,6 +25170,7 @@
patches.suse/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wMaxPac.patch
patches.suse/usbnet-ignore-endpoints-with-invalid-wMaxPacketSize.patch
patches.suse/mISDN-enforce-CAP_NET_RAW-for-raw-sockets.patch
+ patches.suse/appletalk-enforce-CAP_NET_RAW-for-raw-sockets.patch
patches.suse/ax25-enforce-CAP_NET_RAW-for-raw-sockets.patch
patches.suse/ieee802154-enforce-CAP_NET_RAW-for-raw-sockets.patch
patches.suse/nfc-enforce-cap_net_raw-for-raw-sockets.patch
@@ -25169,6 +25180,8 @@
patches.suse/net-mlx5-Add-device-ID-of-upcoming-BlueField-2.patch
patches.suse/macsec-drop-skb-sk-before-calling-gro_cells_receive.patch
patches.suse/cxgb4-Signedness-bug-in-init_one.patch
+ patches.suse/iommu-amd-wait-for-completion-of-iotlb-flush-in-attach_device
+ patches.suse/iommu-amd-remove-domain-updated
patches.suse/i2c-riic-Clear-NACK-in-tend-isr.patch
patches.suse/mmc-sdhci-improve-ADMA-error-reporting.patch
patches.suse/mmc-sdhci-of-esdhc-set-DMA-snooping-based-on-DMA-coh.patch
@@ -25224,11 +25237,16 @@
patches.suse/Input-da9063-fix-capability-and-drop-KEY_SLEEP.patch
patches.suse/drm-msm-dsi-Implement-reset-correctly.patch
patches.suse/PCI-PM-Fix-pci_power_up.patch
+ patches.suse/ACPI-CPPC-Set-pcc_data-pcc_ss_id-to-NULL-in-acpi_cpp.patch
patches.suse/ALSA-hda-realtek-Reduce-the-Headphone-static-noise-o.patch
patches.suse/ALSA-usb-audio-Disable-quirks-for-BOSS-Katana-amplif.patch
patches.suse/memstick-jmb38x_ms-Fix-an-error-handling-path-in-jmb.patch
+ patches.suse/iommu-amd-check-pm_level_size-condition-in-locked-section
patches.suse/NFC-pn533-fix-use-after-free-and-memleaks.patch
+ patches.suse/cfg80211-wext-avoid-copying-malformed-SSIDs.patch
patches.suse/mac80211-accept-deauth-frames-in-IBSS-mode.patch
+ patches.suse/act_mirred-Fix-mirred_init_module-error-handling.patch
+ patches.suse/iwlwifi-pcie-fix-rb_allocator-workqueue-allocation.patch
patches.suse/0001-xen-netback-fix-error-path-of-xenvif_connect_data.patch
# davem/net
@@ -25555,6 +25573,8 @@
patches.suse/0001-irqchip-gic-v3-its-fix-build-warnings.patch
+ patches.suse/iommu-amd-Apply-the-same-IVRS-IOAPIC-workaround-to-A.patch
+
########################################################
# Filesystem
########################################################
@@ -25719,8 +25739,8 @@
patches.suse/ath10k-QCA9377-firmware-limit.patch
patches.kabi/bt_accept_enqueue-kabi-workaround.patch
patches.kabi/mwifiex-ieee-types-kabi-fix.patch
- patches.suse/net-ath6kl-Fix-a-NULL-ptr-deref-bug.patch
- patches.suse/cfg80211-wext-avoid-copying-malformed-SSIDs.patch
+ patches.suse/libertas-fix-a-potential-NULL-pointer-dereference.patch
+ patches.suse/rtlwifi-Fix-potential-overflow-on-P2P-code.patch
########################################################
# ISDN
@@ -26042,6 +26062,7 @@
patches.kabi/net-sched-act_sample-fix-psample-group-handling-on-o.patch
patches.kabi/Fix-KVM-kABI-after-x86-mmu-backports.patch
+ patches.kabi/Fix-AMD-IOMMU-kABI.patch
# bsc#1145099
patches.suse/vhost_net-conditionally-enable-tx-polling.patch