Home Home > GIT Browse > SLE12-SP5-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKernel Build Daemon <kbuild@suse.de>2019-09-06 07:01:10 +0200
committerKernel Build Daemon <kbuild@suse.de>2019-09-06 07:01:10 +0200
commit24f66da101241f3e9111233bae9e3f4c80ec5e69 (patch)
treedceb2d6c1e2bb887445f854a2d1b537a6e20c436
parent5cff4556dd1d9649caf52d56592b4e6da9e044e6 (diff)
parentccdea012f12680a7e8eeea173fcf92bc536ee474 (diff)
Merge branch 'SLE12-SP5' into SLE12-SP5-AZURE
-rw-r--r--blacklist.conf1
-rw-r--r--config/arm64/default6
-rw-r--r--config/arm64/vanilla1
-rw-r--r--config/ppc64le/vanilla1
-rw-r--r--patches.suse/0001-x86-ptrace-Fix-possible-spectre-v1-in-ptrace_get_deb.patch50
-rw-r--r--patches.suse/0006-arm64-Add-ARCH_WORKAROUND_2-probing.patch16
-rw-r--r--patches.suse/0008-kabi-arm64-reserve-space-in-cpu_hwcaps-and-cpu_hwcap.patch8
-rw-r--r--patches.suse/0017-arm64-capabilities-Clean-up-midr-range-helpers.patch28
-rw-r--r--patches.suse/0021-arm64-Delay-enabling-hardware-DBM-feature.patch12
-rw-r--r--patches.suse/0026-arm64-mm-Support-Common-Not-Private-translations.patch26
-rw-r--r--patches.suse/0046-arm64-sve-Document-firmware-support-requirements-in-.patch13
-rw-r--r--patches.suse/ALSA-usb-audio-Avoid-access-before-bLength-check-in-.patch2
-rw-r--r--patches.suse/Bluetooth-hci_ldisc-Postpone-HCI_UART_PROTO_READY-bi.patch2
-rw-r--r--patches.suse/HID-Add-044f-b320-ThrustMaster-Inc.-2-in-1-DT.patch67
-rw-r--r--patches.suse/HID-hiddev-do-cleanup-in-failure-of-opening-a-device.patch33
-rw-r--r--patches.suse/USB-cdc-wdm-fix-race-between-write-and-disconnect-du.patch69
-rw-r--r--patches.suse/VMCI-Release-resource-if-the-work-is-already-queued.patch96
-rw-r--r--patches.suse/apparmor-compatibility-patch-for-v5-network-control3
-rw-r--r--patches.suse/apparmor-fix-open-after-profile-replacement.patch2
-rw-r--r--patches.suse/apparmor-fix-replacement-not-being-applied.patch2
-rw-r--r--patches.suse/arm64-fix-undefined-reference-to-printk.patch57
-rw-r--r--patches.suse/arm64-kernel-don-t-ban-ADRP-to-work-around-Cortex-A5.patch349
-rw-r--r--patches.suse/arm64-kernel-enable-A53-erratum-8434319-handling-at-.patch75
-rw-r--r--patches.suse/arm64-kernel-rename-module_emit_adrp_veneer-module_e.patch87
-rw-r--r--patches.suse/arm64-module-don-t-BUG-when-exceeding-preallocated-P.patch56
-rw-r--r--patches.suse/ath6kl-add-some-bounds-checking.patch2
-rw-r--r--patches.suse/batman-adv-Only-read-OGM-tvlv_len-after-buffer-len-c.patch80
-rw-r--r--patches.suse/batman-adv-Only-read-OGM2-tvlv_len-after-buffer-len-.patch68
-rw-r--r--patches.suse/batman-adv-fix-uninit-value-in-batadv_netlink_get_if.patch69
-rw-r--r--patches.suse/btrfs-add-a-helper-to-retrive-extent-inline-ref-type.patch89
-rw-r--r--patches.suse/btrfs-add-one-more-sanity-check-for-shared-ref-type.patch141
-rw-r--r--patches.suse/btrfs-convert-to-use-btrfs_get_extent_inline_ref_type.patch176
-rw-r--r--patches.suse/btrfs-remove-bug-in-add_data_reference.patch35
-rw-r--r--patches.suse/btrfs-remove-bug-in-btrfs_extent_inline_ref_size.patch32
-rw-r--r--patches.suse/btrfs-remove-bug-in-print_extent_item.patch36
-rw-r--r--patches.suse/btrfs-remove-bug_on-in-_add_tree_block.patch54
-rw-r--r--patches.suse/can-peak_usb-force-the-string-buffer-NULL-terminated.patch40
-rw-r--r--patches.suse/can-sja1000-force-the-string-buffer-NULL-terminated.patch40
-rw-r--r--patches.suse/ceph-add-btime-field-to-ceph_inode_info.patch104
-rw-r--r--patches.suse/ceph-add-ceph-snap-btime-vxattr.patch76
-rw-r--r--patches.suse/ceph-add-change_attr-field-to-ceph_inode_info.patch83
-rw-r--r--patches.suse/ceph-carry-snapshot-creation-time-with-inodes.patch89
-rw-r--r--patches.suse/ceph-clear-page-dirty-before-invalidate-page.patch38
-rw-r--r--patches.suse/ceph-don-t-blindly-unregister-session-that-is-in-opening-state.patch96
-rw-r--r--patches.suse/ceph-don-t-try-fill-file_lock-on-unsuccessful-getfilelock-reply.patch36
-rw-r--r--patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_build_xattrs_blob.patch157
-rw-r--r--patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_setxattr.patch88
-rw-r--r--patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fill_inode.patch81
-rw-r--r--patches.suse/ceph-fix-ceph-dir-rctime-vxattr-value.patch31
-rw-r--r--patches.suse/ceph-fix-decode_locker-to-use-ceph_decode_entity_addr.patch35
-rw-r--r--patches.suse/ceph-fix-improper-use-of-smp_mb__before_atomic.patch42
-rw-r--r--patches.suse/ceph-fix-infinite-loop-in-get_quota_realm.patch52
-rw-r--r--patches.suse/ceph-fix-listxattr-vxattr-buffer-length-calculation.patch114
-rw-r--r--patches.suse/ceph-handle-btime-in-cap-messages.patch130
-rw-r--r--patches.suse/ceph-handle-change_attr-in-cap-messages.patch139
-rw-r--r--patches.suse/ceph-have-mds-map-decoding-use-entity_addr_t-decoder.patch61
-rw-r--r--patches.suse/ceph-hold-i_ceph_lock-when-removing-caps-for-freeing-inode.patch48
-rw-r--r--patches.suse/ceph-increment-change_attribute-on-local-changes.patch62
-rw-r--r--patches.suse/ceph-initialize-superblock-s_time_gran-to-1.patch34
-rw-r--r--patches.suse/ceph-remove-request-from-waiting-list-before-unregister.patch37
-rw-r--r--patches.suse/ceph-remove-unused-vxattr-length-helpers.patch135
-rw-r--r--patches.suse/ceph-silence-a-checker-warning-in-mdsc_show.patch37
-rw-r--r--patches.suse/cifs-Fix-use-after-free-in-SMB2_read.patch2
-rw-r--r--patches.suse/cifs-Fix-use-after-free-in-SMB2_write.patch2
-rw-r--r--patches.suse/crypto-virtio-read-crypto-services-and-algorithm-masks96
-rw-r--r--patches.suse/crypto-virtio-register-an-algo-only-if-it-s-supported339
-rw-r--r--patches.suse/drm-amdgpu-psp-move-psp-version-specific-function-po.patch16
-rw-r--r--patches.suse/drm-etnaviv-add-missing-failure-path-to-destroy-suba.patch20
-rw-r--r--patches.suse/drm-i915-Fix-wrong-escape-clock-divisor-init-for-GLK.patch22
-rw-r--r--patches.suse/drm-i915-perf-ensure-we-keep-a-reference-on-the-driv.patch19
-rw-r--r--patches.suse/drm-imx-notify-drm-core-before-sending-event-during-.patch9
-rw-r--r--patches.suse/drm-imx-only-send-event-on-crtc-disable-if-kept-disa.patch9
-rw-r--r--patches.suse/drm-mediatek-call-drm_atomic_helper_shutdown-when-un.patch16
-rw-r--r--patches.suse/drm-mediatek-call-mtk_dsi_stop-after-mtk_drm_crtc_at.patch9
-rw-r--r--patches.suse/drm-mediatek-clear-num_pipes-when-unbind-driver.patch16
-rw-r--r--patches.suse/drm-mediatek-fix-unbind-functions.patch9
-rw-r--r--patches.suse/drm-mediatek-mtk_drm_drv.c-Add-of_node_put-before-go.patch9
-rw-r--r--patches.suse/drm-mediatek-unbind-components-in-mtk_drm_unbind.patch18
-rw-r--r--patches.suse/drm-mediatek-use-correct-device-to-import-PRIME-buff.patch9
-rw-r--r--patches.suse/drm-msm-mdp5-Fix-mdp5_cfg_init-error-return.patch14
-rw-r--r--patches.suse/drm-nouveau-Don-t-retry-infinitely-when-receiving-no.patch107
-rw-r--r--patches.suse/drm-rockchip-Suspend-DP-late.patch16
-rw-r--r--patches.suse/drm-udl-introduce-a-macro-to-convert-dev-to-udl.patch48
-rw-r--r--patches.suse/drm-udl-move-to-embedding-drm-device-inside-udl-devi.patch46
-rw-r--r--patches.suse/drm-vmwgfx-Use-the-backdoor-port-if-the-HB-port-is-n.patch26
-rw-r--r--patches.suse/drm-vmwgfx-fix-a-warning-due-to-missing-dma_parms.patch17
-rw-r--r--patches.suse/ftrace-check-for-empty-hash-and-comment-the-race-with-registering-probes.patch49
-rw-r--r--patches.suse/ftrace-check-for-successful-allocation-of-hash.patch40
-rw-r--r--patches.suse/ftrace-fix-null-pointer-dereference-in-t_probe_next.patch77
-rw-r--r--patches.suse/genetlink-Fix-a-memory-leak-on-error-path.patch2
-rw-r--r--patches.suse/gpio-mxs-Get-rid-of-external-API-call.patch52
-rw-r--r--patches.suse/gpio-pxa-handle-corner-case-of-unprobed-device.patch55
-rw-r--r--patches.suse/gpu-ipu-v3-ipu-ic-Fix-saturation-bit-offset-in-TPMEM.patch9
-rw-r--r--patches.suse/i2c-qup-fixed-releasing-dma-without-flush-operation-.patch53
-rw-r--r--patches.suse/isdn-hfcsusb-Fix-mISDN-driver-crash-caused-by-transf.patch87
-rw-r--r--patches.suse/isdn-mISDN-hfcsusb-Fix-possible-null-pointer-derefer.patch50
-rw-r--r--patches.suse/iversion-add-a-routine-to-update-a-raw-value-with-a-larger-one.patch57
-rw-r--r--patches.suse/kconfig-mn-conf-handle-backspace-H-key.patch67
-rw-r--r--patches.suse/kvm-x86-move-msr_ia32_arch_capabilities-to-array-emulated_msrs37
-rw-r--r--patches.suse/libata-add-SG-safety-checks-in-SFF-pio-transfers.patch48
-rw-r--r--patches.suse/libata-have-ata_scsi_rw_xlat-fail-invalid-passthroug.patch84
-rw-r--r--patches.suse/libceph-add-ceph_decode_entity_addr.patch147
-rw-r--r--patches.suse/libceph-addr2-support-for-monmap.patch99
-rw-r--r--patches.suse/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph_buffer.patch29
-rw-r--r--patches.suse/libceph-correctly-decode-addr2-addresses-in-incremental-osd-maps.patch58
-rw-r--r--patches.suse/libceph-fix-pg-split-vs-osd-reconnect-race.patch71
-rw-r--r--patches.suse/libceph-fix-sa_family-just-after-reading-address.patch48
-rw-r--r--patches.suse/libceph-fix-unaligned-accesses-in-ceph_entity_addr-handling.patch242
-rw-r--r--patches.suse/libceph-fix-watch_item_t-decoding-to-use-ceph_decode_entity_addr.patch58
-rw-r--r--patches.suse/libceph-make-ceph_pr_addr-take-an-struct-ceph_entity_addr-pointer.patch333
-rw-r--r--patches.suse/libceph-rename-ceph_encode_addr-to-ceph_encode_banner_addr.patch73
-rw-r--r--patches.suse/libceph-switch-osdmap-decoding-to-use-ceph_decode_entity_addr.patch51
-rw-r--r--patches.suse/libceph-turn-on-ceph_feature_msg_addr2.patch32
-rw-r--r--patches.suse/libceph-use-type_legacy-for-entity-addrs-instead-of-type_none.patch117
-rw-r--r--patches.suse/mac80211-Correctly-set-noencrypt-for-PAE-frames.patch39
-rw-r--r--patches.suse/mac80211-Don-t-memset-RXCB-prior-to-PAE-intercept.patch51
-rw-r--r--patches.suse/mac80211-fix-possible-sta-leak.patch51
-rw-r--r--patches.suse/mmc-sdhci-of-at91-add-quirk-for-broken-HS200.patch41
-rw-r--r--patches.suse/mpls-fix-warning-with-multi-label-encap.patch45
-rw-r--r--patches.suse/powerpc-fadump-when-fadump-is-supported-register-the.patch68
-rw-r--r--patches.suse/powerpc-xive-Fix-dump-of-XIVE-interrupt-under-pserie.patch215
-rw-r--r--patches.suse/powerpc-xmon-Add-a-dump-of-all-XIVE-interrupts.patch66
-rw-r--r--patches.suse/powerpc-xmon-Check-for-HV-mode-when-dumping-XIVE-inf.patch59
-rw-r--r--patches.suse/rsi-add-fix-for-crash-during-assertions.patch38
-rw-r--r--patches.suse/rtc-pcf8523-don-t-return-invalid-date-when-battery-i.patch87
-rw-r--r--patches.suse/samples-bpf-fix-to-change-the-buffer-size-for-read.patch45
-rw-r--r--patches.suse/samples-mei-use-dev-mei0-instead-of-dev-mei.patch36
-rw-r--r--patches.suse/scripts-checkstack.pl-Fix-arm64-wrong-or-unknown-arc.patch39
-rw-r--r--patches.suse/scripts-decode_stacktrace-only-strip-base-path-when-.patch49
-rw-r--r--patches.suse/scripts-decode_stacktrace.sh-prefix-addr2line-with-C.patch50
-rw-r--r--patches.suse/scripts-gdb-fix-lx-version-string-output.patch58
-rw-r--r--patches.suse/supported-flag-wildcards1
-rw-r--r--patches.suse/test_firmware-fix-a-memory-leak-bug.patch48
-rw-r--r--patches.suse/usb-host-xhci-rcar-Fix-typo-in-compatible-string-mat.patch40
-rw-r--r--series.conf94
135 files changed, 7678 insertions, 290 deletions
diff --git a/blacklist.conf b/blacklist.conf
index 43b201770b..f6f067fe40 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1322,3 +1322,4 @@ e71769ae52609ea0044a9901709042e5634c2306 # major dependencies needed, bsc#114819
136ac591f047fc356072343eb85687f7c6ea191d # trivial
951531691c4bcaa59f56a316e018bc2ff1ddf855 # no CONFIG_HARDENED_USERCOPY
2c012a4ad1a2cd3fb5a0f9307b9d219f84eda1fa # hack, risk of regression, see bsc#1149215 comment 2
+7d3cd66261665da491d0ee582beabe23df60f983 # not applicable in v4.12: drm/i915: Fix various tracepoints for gen2
diff --git a/config/arm64/default b/config/arm64/default
index 8432a0cd4e..2dc4677032 100644
--- a/config/arm64/default
+++ b/config/arm64/default
@@ -469,7 +469,8 @@ CONFIG_PCI_PRI=y
CONFIG_PCI_PASID=y
CONFIG_PCI_LABEL=y
CONFIG_HOTPLUG_PCI=y
-# CONFIG_HOTPLUG_PCI_ACPI is not set
+CONFIG_HOTPLUG_PCI_ACPI=y
+# CONFIG_HOTPLUG_PCI_ACPI_IBM is not set
CONFIG_HOTPLUG_PCI_CPCI=y
CONFIG_HOTPLUG_PCI_SHPC=y
@@ -665,7 +666,6 @@ CONFIG_ARM64_VHE=y
CONFIG_ARM64_UAO=y
CONFIG_ARM64_CNP=y
CONFIG_ARM64_SVE=y
-CONFIG_ARM64_MODULE_CMODEL_LARGE=y
CONFIG_ARM64_MODULE_PLTS=y
CONFIG_RELOCATABLE=y
CONFIG_RANDOMIZE_BASE=y
@@ -7170,7 +7170,7 @@ CONFIG_ACPI_CUSTOM_DSDT_FILE=""
CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y
CONFIG_ACPI_TABLE_UPGRADE=y
# CONFIG_ACPI_DEBUG is not set
-# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_ACPI_PCI_SLOT=y
CONFIG_ACPI_CONTAINER=y
CONFIG_ACPI_HED=y
# CONFIG_ACPI_CUSTOM_METHOD is not set
diff --git a/config/arm64/vanilla b/config/arm64/vanilla
index 47c8e7174c..e9b3af66ca 100644
--- a/config/arm64/vanilla
+++ b/config/arm64/vanilla
@@ -1,3 +1,4 @@
+CONFIG_ARM64_MODULE_CMODEL_LARGE=y
# CONFIG_BCM2835_VCHIQ_SUPPORT_MEMDUMP is not set
CONFIG_BLK_CPQ_CISS_DA=m
# CONFIG_BLK_DEV_NVME_SCSI is not set
diff --git a/config/ppc64le/vanilla b/config/ppc64le/vanilla
index 03e5a8eb1a..9ae4b41f19 100644
--- a/config/ppc64le/vanilla
+++ b/config/ppc64le/vanilla
@@ -11,7 +11,6 @@ CONFIG_CISS_SCSI_TAPE=y
CONFIG_CPU_FREQ_GOV_CONSERVATIVE=y
CONFIG_CPU_FREQ_GOV_POWERSAVE=y
CONFIG_CPU_FREQ_GOV_USERSPACE=y
-CONFIG_DMA_VIRT_OPS=y
# CONFIG_DRM_DEBUG_MM_SELFTEST is not set
CONFIG_HW_RANDOM_TPM=m
# CONFIG_INFINIBAND_CXGB3_DEBUG is not set
diff --git a/patches.suse/0001-x86-ptrace-Fix-possible-spectre-v1-in-ptrace_get_deb.patch b/patches.suse/0001-x86-ptrace-Fix-possible-spectre-v1-in-ptrace_get_deb.patch
new file mode 100644
index 0000000000..ddea858cd5
--- /dev/null
+++ b/patches.suse/0001-x86-ptrace-Fix-possible-spectre-v1-in-ptrace_get_deb.patch
@@ -0,0 +1,50 @@
+From 31a2fbb390fee4231281b939e1979e810f945415 Mon Sep 17 00:00:00 2001
+From: Dianzhang Chen <dianzhangchen0@gmail.com>
+Date: Tue, 25 Jun 2019 23:30:17 +0800
+Subject: [PATCH] x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()
+Git-commit: 31a2fbb390fee4231281b939e1979e810f945415
+Patch-mainline: v5.3-rc1
+References: bnc#1149376, CVE-2019-15902
+
+The index to access the threads ptrace_bps is controlled by userspace via
+Syscall: sys_ptrace(), hence leading to a potential exploitation of the
+Spectre variant 1 vulnerability.
+
+The index can be controlled from:
+ ptrace -> arch_ptrace -> ptrace_get_debugreg.
+
+Fix this by sanitizing the user supplied index before using it access
+thread->ptrace_bps.
+
+Signed-off-by: Dianzhang Chen <dianzhangchen0@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: bp@alien8.de
+Cc: hpa@zytor.com
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1561476617-3759-1-git-send-email-dianzhangchen0@gmail.com
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+
+---
+ arch/x86/kernel/ptrace.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/ptrace.c
++++ b/arch/x86/kernel/ptrace.c
+@@ -24,6 +24,7 @@
+ #include <linux/rcupdate.h>
+ #include <linux/export.h>
+ #include <linux/context_tracking.h>
++#include <linux/nospec.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/pgtable.h>
+@@ -653,7 +654,8 @@ static unsigned long ptrace_get_debugreg
+ unsigned long val = 0;
+
+ if (n < HBP_NUM) {
+- struct perf_event *bp = thread->ptrace_bps[n];
++ int index = array_index_nospec(n, HBP_NUM);
++ struct perf_event *bp = thread->ptrace_bps[index];
+
+ if (bp)
+ val = bp->hw.info.address;
diff --git a/patches.suse/0006-arm64-Add-ARCH_WORKAROUND_2-probing.patch b/patches.suse/0006-arm64-Add-ARCH_WORKAROUND_2-probing.patch
index 86f53d8886..4801d3cebc 100644
--- a/patches.suse/0006-arm64-Add-ARCH_WORKAROUND_2-probing.patch
+++ b/patches.suse/0006-arm64-Add-ARCH_WORKAROUND_2-probing.patch
@@ -22,13 +22,13 @@ Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
---
arch/arm64/Kconfig | 9 +++++
- arch/arm64/include/asm/cpucaps.h | 3 +
+ arch/arm64/include/asm/cpucaps.h | 1
arch/arm64/kernel/cpu_errata.c | 69 +++++++++++++++++++++++++++++++++++++++
- 3 files changed, 80 insertions(+), 1 deletion(-)
+ 3 files changed, 79 insertions(+)
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
-@@ -880,6 +880,15 @@ config HARDEN_BRANCH_PREDICTOR
+@@ -895,6 +895,15 @@ config HARDEN_BRANCH_PREDICTOR
If unsure, say Y.
@@ -46,16 +46,14 @@ Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
depends on COMPAT
--- a/arch/arm64/include/asm/cpucaps.h
+++ b/arch/arm64/include/asm/cpucaps.h
-@@ -45,7 +45,8 @@
+@@ -45,6 +45,7 @@
#define ARM64_HARDEN_BP_POST_GUEST_EXIT 24
#define ARM64_HAS_RAS_EXTN 25
#define ARM64_HW_DBM 26
+#define ARM64_SSBD 27
+ #define ARM64_WORKAROUND_843419 29
--#define ARM64_NCAPS 27
-+#define ARM64_NCAPS 28
-
- #endif /* __ASM_CPUCAPS_H */
+ #define ARM64_NCAPS 30
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -253,6 +253,67 @@ void __init arm64_update_smccc_conduit(s
@@ -126,7 +124,7 @@ Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
#endif /* CONFIG_ARM64_SSBD */
#define CAP_MIDR_RANGE(model, v_min, r_min, v_max, r_max) \
-@@ -497,6 +558,14 @@ const struct arm64_cpu_capabilities arm6
+@@ -506,6 +567,14 @@ const struct arm64_cpu_capabilities arm6
ERRATA_MIDR_RANGE_LIST(qcom_bp_harden_cpus),
},
#endif
diff --git a/patches.suse/0008-kabi-arm64-reserve-space-in-cpu_hwcaps-and-cpu_hwcap.patch b/patches.suse/0008-kabi-arm64-reserve-space-in-cpu_hwcaps-and-cpu_hwcap.patch
index 85d2312204..8f8308fc9b 100644
--- a/patches.suse/0008-kabi-arm64-reserve-space-in-cpu_hwcaps-and-cpu_hwcap.patch
+++ b/patches.suse/0008-kabi-arm64-reserve-space-in-cpu_hwcaps-and-cpu_hwcap.patch
@@ -17,12 +17,12 @@ Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
--- a/arch/arm64/include/asm/cpucaps.h
+++ b/arch/arm64/include/asm/cpucaps.h
-@@ -48,6 +48,7 @@
- #define ARM64_SSBD 27
+@@ -49,6 +49,7 @@
#define ARM64_HAS_CNP 28
+ #define ARM64_WORKAROUND_843419 29
--#define ARM64_NCAPS 29
-+/* kabi: reserve 29 - 40 for future cpu capabilities */
+-#define ARM64_NCAPS 30
++/* kabi: reserve 30 - 40 for future cpu capabilities */
+#define ARM64_NCAPS 40
#endif /* __ASM_CPUCAPS_H */
diff --git a/patches.suse/0017-arm64-capabilities-Clean-up-midr-range-helpers.patch b/patches.suse/0017-arm64-capabilities-Clean-up-midr-range-helpers.patch
index 79c91fa822..ea82ca3504 100644
--- a/patches.suse/0017-arm64-capabilities-Clean-up-midr-range-helpers.patch
+++ b/patches.suse/0017-arm64-capabilities-Clean-up-midr-range-helpers.patch
@@ -1,7 +1,6 @@
-From 191e2637594cf42cc9c304c51c2b854323a2936d Mon Sep 17 00:00:00 2001
From: Suzuki K Poulose <suzuki.poulose@arm.com>
Date: Mon, 26 Mar 2018 15:12:43 +0100
-Subject: [PATCH] arm64: capabilities: Clean up midr range helpers
+Subject: arm64: capabilities: Clean up midr range helpers
Git-commit: 5e7951ce19abf4113645ae789c033917356ee96f
Patch-mainline: v4.17-rc1
@@ -19,8 +18,8 @@ Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
---
- arch/arm64/kernel/cpu_errata.c | 106 ++++++++++++++++++++++-------------------
- 1 file changed, 59 insertions(+), 47 deletions(-)
+ arch/arm64/kernel/cpu_errata.c | 108 ++++++++++++++++++++++-------------------
+ 1 file changed, 60 insertions(+), 48 deletions(-)
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -118,9 +117,18 @@ Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
+ 1, 2),
},
#endif
- #ifdef CONFIG_ARM64_ERRATUM_845719
+ #ifdef CONFIG_ARM64_ERRATUM_843419
@@ -286,7 +301,7 @@ const struct arm64_cpu_capabilities arm6
/* Cortex-A53 r0p[01234] */
+ .desc = "ARM erratum 843419",
+ .capability = ARM64_WORKAROUND_843419,
+- MIDR_RANGE(MIDR_CORTEX_A53, 0x00, 0x04),
++ ERRATA_MIDR_REV_RANGE(MIDR_CORTEX_A53, 0, 0, 4),
+ MIDR_FIXED(0x4, BIT(8)),
+ },
+ #endif
+@@ -295,7 +310,7 @@ const struct arm64_cpu_capabilities arm6
+ /* Cortex-A53 r0p[01234] */
.desc = "ARM erratum 845719",
.capability = ARM64_WORKAROUND_845719,
- MIDR_RANGE(MIDR_CORTEX_A53, 0x00, 0x04),
@@ -128,7 +136,7 @@ Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
},
#endif
#ifdef CONFIG_CAVIUM_ERRATUM_23154
-@@ -294,7 +309,7 @@ const struct arm64_cpu_capabilities arm6
+@@ -303,7 +318,7 @@ const struct arm64_cpu_capabilities arm6
/* Cavium ThunderX, pass 1.x */
.desc = "Cavium erratum 23154",
.capability = ARM64_WORKAROUND_CAVIUM_23154,
@@ -137,7 +145,7 @@ Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
},
#endif
#ifdef CONFIG_CAVIUM_ERRATUM_27456
-@@ -302,15 +317,15 @@ const struct arm64_cpu_capabilities arm6
+@@ -311,15 +326,15 @@ const struct arm64_cpu_capabilities arm6
/* Cavium ThunderX, T88 pass 1.x - 2.1 */
.desc = "Cavium erratum 27456",
.capability = ARM64_WORKAROUND_CAVIUM_27456,
@@ -157,7 +165,7 @@ Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
},
#endif
#ifdef CONFIG_CAVIUM_ERRATUM_30115
-@@ -318,20 +333,21 @@ const struct arm64_cpu_capabilities arm6
+@@ -327,20 +342,21 @@ const struct arm64_cpu_capabilities arm6
/* Cavium ThunderX, T88 pass 1.x - 2.2 */
.desc = "Cavium erratum 30115",
.capability = ARM64_WORKAROUND_CAVIUM_30115,
@@ -183,7 +191,7 @@ Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
},
#endif
{
-@@ -345,18 +361,14 @@ const struct arm64_cpu_capabilities arm6
+@@ -354,18 +370,14 @@ const struct arm64_cpu_capabilities arm6
{
.desc = "Qualcomm Technologies Falkor erratum 1003",
.capability = ARM64_WORKAROUND_QCOM_FALKOR_E1003,
@@ -204,7 +212,7 @@ Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
},
#endif
#ifdef CONFIG_ARM64_ERRATUM_858921
-@@ -364,56 +376,56 @@ const struct arm64_cpu_capabilities arm6
+@@ -373,56 +385,56 @@ const struct arm64_cpu_capabilities arm6
/* Cortex-A73 all versions */
.desc = "ARM erratum 858921",
.capability = ARM64_WORKAROUND_858921,
diff --git a/patches.suse/0021-arm64-Delay-enabling-hardware-DBM-feature.patch b/patches.suse/0021-arm64-Delay-enabling-hardware-DBM-feature.patch
index 6d6f48d18e..580ed66750 100644
--- a/patches.suse/0021-arm64-Delay-enabling-hardware-DBM-feature.patch
+++ b/patches.suse/0021-arm64-Delay-enabling-hardware-DBM-feature.patch
@@ -33,23 +33,21 @@ Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
---
- arch/arm64/include/asm/cpucaps.h | 3 +
+ arch/arm64/include/asm/cpucaps.h | 1
arch/arm64/kernel/cpufeature.c | 71 +++++++++++++++++++++++++++++++++++++++
arch/arm64/mm/proc.S | 13 +++----
- 3 files changed, 79 insertions(+), 8 deletions(-)
+ 3 files changed, 78 insertions(+), 7 deletions(-)
--- a/arch/arm64/include/asm/cpucaps.h
+++ b/arch/arm64/include/asm/cpucaps.h
-@@ -44,7 +44,8 @@
+@@ -44,6 +44,7 @@
#define ARM64_HARDEN_BRANCH_PREDICTOR 23
#define ARM64_HARDEN_BP_POST_GUEST_EXIT 24
#define ARM64_HAS_RAS_EXTN 25
+#define ARM64_HW_DBM 26
+ #define ARM64_WORKAROUND_843419 29
--#define ARM64_NCAPS 26
-+#define ARM64_NCAPS 27
-
- #endif /* __ASM_CPUCAPS_H */
+ #define ARM64_NCAPS 30
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -959,6 +959,57 @@ static void cpu_copy_el2regs(const struc
diff --git a/patches.suse/0026-arm64-mm-Support-Common-Not-Private-translations.patch b/patches.suse/0026-arm64-mm-Support-Common-Not-Private-translations.patch
index c57235ae79..b3a051b688 100644
--- a/patches.suse/0026-arm64-mm-Support-Common-Not-Private-translations.patch
+++ b/patches.suse/0026-arm64-mm-Support-Common-Not-Private-translations.patch
@@ -43,7 +43,7 @@ Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
---
arch/arm64/Kconfig | 14 +++++++++++++
- arch/arm64/include/asm/cpucaps.h | 3 +-
+ arch/arm64/include/asm/cpucaps.h | 1
arch/arm64/include/asm/cpufeature.h | 6 +++++
arch/arm64/include/asm/mmu_context.h | 17 ++++++++++++++--
arch/arm64/include/asm/pgtable-hwdef.h | 2 +
@@ -51,7 +51,7 @@ Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
arch/arm64/kernel/suspend.c | 4 +++
arch/arm64/mm/context.c | 3 ++
arch/arm64/mm/proc.S | 11 +++++++---
- 9 files changed, 88 insertions(+), 6 deletions(-)
+ 9 files changed, 87 insertions(+), 5 deletions(-)
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -78,16 +78,14 @@ Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
config ARM64_SVE
--- a/arch/arm64/include/asm/cpucaps.h
+++ b/arch/arm64/include/asm/cpucaps.h
-@@ -45,7 +45,8 @@
+@@ -46,6 +46,7 @@
#define ARM64_HAS_RAS_EXTN 25
#define ARM64_HW_DBM 26
#define ARM64_SSBD 27
+#define ARM64_HAS_CNP 28
+ #define ARM64_WORKAROUND_843419 29
--#define ARM64_NCAPS 28
-+#define ARM64_NCAPS 29
-
- #endif /* __ASM_CPUCAPS_H */
+ #define ARM64_NCAPS 30
--- a/arch/arm64/include/asm/cpufeature.h
+++ b/arch/arm64/include/asm/cpufeature.h
@@ -510,6 +510,12 @@ static inline bool system_supports_sve(v
@@ -162,7 +160,7 @@ Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
/*
* NOTE: Any changes to the visibility of features should be kept in
-@@ -858,6 +860,20 @@ static bool has_no_fpsimd(const struct a
+@@ -859,6 +861,20 @@ static bool has_no_fpsimd(const struct a
ID_AA64PFR0_FP_SHIFT) < 0;
}
@@ -183,7 +181,7 @@ Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
static int __kpti_forced; /* 0: not forced, >0: forced on, <0: forced off */
-@@ -1159,6 +1175,19 @@ static const struct arm64_cpu_capabiliti
+@@ -1188,6 +1204,19 @@ static const struct arm64_cpu_capabiliti
.cpu_enable = cpu_enable_hw_dbm,
},
#endif
@@ -203,7 +201,7 @@ Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
{},
};
-@@ -1599,6 +1628,11 @@ cpufeature_pan_not_uao(const struct arm6
+@@ -1628,6 +1657,11 @@ cpufeature_pan_not_uao(const struct arm6
return (cpus_have_const_cap(ARM64_HAS_PAN) && !cpus_have_const_cap(ARM64_HAS_UAO));
}
@@ -217,7 +215,7 @@ Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
* Op0 = 0x3, CRn = 0x0, Op1 = 0x0, CRm = [0, 4 - 7]
--- a/arch/arm64/kernel/suspend.c
+++ b/arch/arm64/kernel/suspend.c
-@@ -47,6 +47,10 @@ void notrace __cpu_suspend_exit(void)
+@@ -48,6 +48,10 @@ void notrace __cpu_suspend_exit(void)
*/
cpu_uninstall_idmap();
@@ -242,7 +240,7 @@ Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
/*
--- a/arch/arm64/mm/proc.S
+++ b/arch/arm64/mm/proc.S
-@@ -141,6 +141,12 @@ ENTRY(cpu_do_switch_mm)
+@@ -154,6 +154,12 @@ ENTRY(cpu_do_switch_mm)
mrs x2, ttbr1_el1
mmid x1, x1 // get mm->context.id
phys_to_ttbr x3, x0
@@ -255,7 +253,7 @@ Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
#ifdef CONFIG_ARM64_SW_TTBR0_PAN
bfi x3, x1, #48, #16 // set the ASID field in TTBR0
#endif
-@@ -165,7 +171,7 @@ ENDPROC(cpu_do_switch_mm)
+@@ -178,7 +184,7 @@ ENDPROC(cpu_do_switch_mm)
.endm
/*
@@ -264,7 +262,7 @@ Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
*
* This is the low-level counterpart to cpu_replace_ttbr1, and should not be
* called by anything else. It can only be executed from a TTBR0 mapping.
-@@ -175,8 +181,7 @@ ENTRY(idmap_cpu_replace_ttbr1)
+@@ -188,8 +194,7 @@ ENTRY(idmap_cpu_replace_ttbr1)
__idmap_cpu_set_reserved_ttbr1 x1, x3
diff --git a/patches.suse/0046-arm64-sve-Document-firmware-support-requirements-in-.patch b/patches.suse/0046-arm64-sve-Document-firmware-support-requirements-in-.patch
index 7a6e227767..ffdcce98b9 100644
--- a/patches.suse/0046-arm64-sve-Document-firmware-support-requirements-in-.patch
+++ b/patches.suse/0046-arm64-sve-Document-firmware-support-requirements-in-.patch
@@ -27,14 +27,12 @@ Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
---
- arch/arm64/Kconfig | 17 +++++++++++++++++
+ arch/arm64/Kconfig | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
-diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
-index 2fc83d3298a7..0a8fadc91073 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
-@@ -1060,6 +1060,23 @@ config ARM64_SVE
+@@ -1054,6 +1054,23 @@ config ARM64_SVE
To enable use of this extension on CPUs that implement it, say Y.
@@ -55,9 +53,6 @@ index 2fc83d3298a7..0a8fadc91073 100644
+ booting the kernel. If unsure and you are not observing these
+ symptoms, you should assume that it is safe to say Y.
+
- config ARM64_MODULE_CMODEL_LARGE
+ config ARM64_MODULE_PLTS
bool
-
---
-2.11.0
-
+ select ARM64_MODULE_CMODEL_LARGE
diff --git a/patches.suse/ALSA-usb-audio-Avoid-access-before-bLength-check-in-.patch b/patches.suse/ALSA-usb-audio-Avoid-access-before-bLength-check-in-.patch
index d0e3a70c51..d9276dc6d6 100644
--- a/patches.suse/ALSA-usb-audio-Avoid-access-before-bLength-check-in-.patch
+++ b/patches.suse/ALSA-usb-audio-Avoid-access-before-bLength-check-in-.patch
@@ -4,7 +4,7 @@ Date: Wed, 19 Dec 2018 12:36:27 +0100
Subject: [PATCH 1/9] ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()
Git-commit: f4351a199cc120ff9d59e06d02e8657d08e6cc46
Patch-mainline: v5.0-rc2
-References: bsc#1051510
+References: bsc#1051510, CVE-2019-15927, bsc#1149522
The parser for the processing unit reads bNrInPins field before the
bLength sanity check, which may lead to an out-of-bound access when a
diff --git a/patches.suse/Bluetooth-hci_ldisc-Postpone-HCI_UART_PROTO_READY-bi.patch b/patches.suse/Bluetooth-hci_ldisc-Postpone-HCI_UART_PROTO_READY-bi.patch
index 513a00a150..0199ab859d 100644
--- a/patches.suse/Bluetooth-hci_ldisc-Postpone-HCI_UART_PROTO_READY-bi.patch
+++ b/patches.suse/Bluetooth-hci_ldisc-Postpone-HCI_UART_PROTO_READY-bi.patch
@@ -4,7 +4,7 @@ Date: Sat, 23 Feb 2019 12:33:27 +0800
Subject: [PATCH] Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()
Git-commit: 56897b217a1d0a91c9920cb418d6b3fe922f590a
Patch-mainline: v5.1-rc1
-References: bsc#1051510
+References: bsc#1051510, CVE-2019-15917, bsc#1149539
task A: task B:
hci_uart_set_proto flush_to_ldisc
diff --git a/patches.suse/HID-Add-044f-b320-ThrustMaster-Inc.-2-in-1-DT.patch b/patches.suse/HID-Add-044f-b320-ThrustMaster-Inc.-2-in-1-DT.patch
new file mode 100644
index 0000000000..677d154b4d
--- /dev/null
+++ b/patches.suse/HID-Add-044f-b320-ThrustMaster-Inc.-2-in-1-DT.patch
@@ -0,0 +1,67 @@
+From 65f11c72780fa9d598df88def045ccb6a885cf80 Mon Sep 17 00:00:00 2001
+From: Ilya Trukhanov <lahvuun@gmail.com>
+Date: Tue, 2 Jul 2019 13:37:16 +0300
+Subject: [PATCH] HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT
+Git-commit: 65f11c72780fa9d598df88def045ccb6a885cf80
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+Enable force feedback for the Thrustmaster Dual Trigger 2 in 1 Rumble Force
+gamepad. Compared to other Thrustmaster devices, left and right rumble
+motors here are swapped.
+
+Signed-off-by: Ilya Trukhanov <lahvuun@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hid/hid-tmff.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/hid/hid-tmff.c b/drivers/hid/hid-tmff.c
+index e12f2588ddeb..bdfc5ff3b2c5 100644
+--- a/drivers/hid/hid-tmff.c
++++ b/drivers/hid/hid-tmff.c
+@@ -22,6 +22,8 @@
+
+ #include "hid-ids.h"
+
++#define THRUSTMASTER_DEVICE_ID_2_IN_1_DT 0xb320
++
+ static const signed short ff_rumble[] = {
+ FF_RUMBLE,
+ -1
+@@ -76,6 +78,7 @@ static int tmff_play(struct input_dev *dev, void *data,
+ struct hid_field *ff_field = tmff->ff_field;
+ int x, y;
+ int left, right; /* Rumbling */
++ int motor_swap;
+
+ switch (effect->type) {
+ case FF_CONSTANT:
+@@ -100,6 +103,13 @@ static int tmff_play(struct input_dev *dev, void *data,
+ ff_field->logical_minimum,
+ ff_field->logical_maximum);
+
++ /* 2-in-1 strong motor is left */
++ if (hid->product == THRUSTMASTER_DEVICE_ID_2_IN_1_DT) {
++ motor_swap = left;
++ left = right;
++ right = motor_swap;
++ }
++
+ dbg_hid("(left,right)=(%08x, %08x)\n", left, right);
+ ff_field->value[0] = left;
+ ff_field->value[1] = right;
+@@ -226,6 +236,8 @@ static const struct hid_device_id tm_devices[] = {
+ .driver_data = (unsigned long)ff_rumble },
+ { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb304), /* FireStorm Dual Power 2 (and 3) */
+ .driver_data = (unsigned long)ff_rumble },
++ { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, THRUSTMASTER_DEVICE_ID_2_IN_1_DT), /* Dual Trigger 2-in-1 */
++ .driver_data = (unsigned long)ff_rumble },
+ { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb323), /* Dual Trigger 3-in-1 (PC Mode) */
+ .driver_data = (unsigned long)ff_rumble },
+ { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb324), /* Dual Trigger 3-in-1 (PS3 Mode) */
+--
+2.16.4
+
diff --git a/patches.suse/HID-hiddev-do-cleanup-in-failure-of-opening-a-device.patch b/patches.suse/HID-hiddev-do-cleanup-in-failure-of-opening-a-device.patch
new file mode 100644
index 0000000000..21f42b8721
--- /dev/null
+++ b/patches.suse/HID-hiddev-do-cleanup-in-failure-of-opening-a-device.patch
@@ -0,0 +1,33 @@
+From 6d4472d7bec39917b54e4e80245784ea5d60ce49 Mon Sep 17 00:00:00 2001
+From: Hillf Danton <hdanton@sina.com>
+Date: Tue, 6 Aug 2019 16:40:15 +0800
+Subject: [PATCH] HID: hiddev: do cleanup in failure of opening a device
+Git-commit: 6d4472d7bec39917b54e4e80245784ea5d60ce49
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+Undo what we did for opening before releasing the memory slice.
+
+Reported-by: syzbot <syzbot+62a1e04fd3ec2abf099e@syzkaller.appspotmail.com>
+Cc: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Hillf Danton <hdanton@sina.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hid/usbhid/hiddev.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/hid/usbhid/hiddev.c
++++ b/drivers/hid/usbhid/hiddev.c
+@@ -321,6 +321,10 @@ static int hiddev_open(struct inode *ino
+ return 0;
+ bail_unlock:
+ mutex_unlock(&hiddev->existancelock);
++
++ spin_lock_irq(&list->hiddev->list_lock);
++ list_del(&list->node);
++ spin_unlock_irq(&list->hiddev->list_lock);
+ bail:
+ file->private_data = NULL;
+ vfree(list);
diff --git a/patches.suse/USB-cdc-wdm-fix-race-between-write-and-disconnect-du.patch b/patches.suse/USB-cdc-wdm-fix-race-between-write-and-disconnect-du.patch
new file mode 100644
index 0000000000..bcef7aa7f7
--- /dev/null
+++ b/patches.suse/USB-cdc-wdm-fix-race-between-write-and-disconnect-du.patch
@@ -0,0 +1,69 @@
+From 1426bd2c9f7e3126e2678e7469dca9fd9fc6dd3e Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 27 Aug 2019 12:34:36 +0200
+Subject: [PATCH] USB: cdc-wdm: fix race between write and disconnect due to flag abuse
+Git-commit: 1426bd2c9f7e3126e2678e7469dca9fd9fc6dd3e
+Patch-mainline: v5.3-rc7
+References: bsc#1051510
+
+In case of a disconnect an ongoing flush() has to be made fail.
+Nevertheless we cannot be sure that any pending URB has already
+finished, so although they will never succeed, they still must
+not be touched.
+The clean solution for this is to check for WDM_IN_USE
+and WDM_DISCONNECTED in flush(). There is no point in ever
+clearing WDM_IN_USE, as no further writes make sense.
+
+The issue is as old as the driver.
+
+Fixes: afba937e540c9 ("USB: CDC WDM driver")
+Reported-by: syzbot+d232cca6ec42c2edb3fc@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190827103436.21143-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/class/cdc-wdm.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
+index a7824a51f86d..70afb2ca1eab 100644
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -587,10 +587,20 @@ static int wdm_flush(struct file *file, fl_owner_t id)
+ {
+ struct wdm_device *desc = file->private_data;
+
+- wait_event(desc->wait, !test_bit(WDM_IN_USE, &desc->flags));
++ wait_event(desc->wait,
++ /*
++ * needs both flags. We cannot do with one
++ * because resetting it would cause a race
++ * with write() yet we need to signal
++ * a disconnect
++ */
++ !test_bit(WDM_IN_USE, &desc->flags) ||
++ test_bit(WDM_DISCONNECTING, &desc->flags));
+
+ /* cannot dereference desc->intf if WDM_DISCONNECTING */
+- if (desc->werr < 0 && !test_bit(WDM_DISCONNECTING, &desc->flags))
++ if (test_bit(WDM_DISCONNECTING, &desc->flags))
++ return -ENODEV;
++ if (desc->werr < 0)
+ dev_err(&desc->intf->dev, "Error in flush path: %d\n",
+ desc->werr);
+
+@@ -974,8 +984,6 @@ static void wdm_disconnect(struct usb_interface *intf)
+ spin_lock_irqsave(&desc->iuspin, flags);
+ set_bit(WDM_DISCONNECTING, &desc->flags);
+ set_bit(WDM_READ, &desc->flags);
+- /* to terminate pending flushes */
+- clear_bit(WDM_IN_USE, &desc->flags);
+ spin_unlock_irqrestore(&desc->iuspin, flags);
+ wake_up_all(&desc->wait);
+ mutex_lock(&desc->rlock);
+--
+2.16.4
+
diff --git a/patches.suse/VMCI-Release-resource-if-the-work-is-already-queued.patch b/patches.suse/VMCI-Release-resource-if-the-work-is-already-queued.patch
new file mode 100644
index 0000000000..f35707af7e
--- /dev/null
+++ b/patches.suse/VMCI-Release-resource-if-the-work-is-already-queued.patch
@@ -0,0 +1,96 @@
+From ba03a9bbd17b149c373c0ea44017f35fc2cd0f28 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@vmware.com>
+Date: Tue, 20 Aug 2019 13:26:38 -0700
+Subject: [PATCH] VMCI: Release resource if the work is already queued
+Git-commit: ba03a9bbd17b149c373c0ea44017f35fc2cd0f28
+Patch-mainline: v5.3-rc7
+References: bsc#1051510
+
+Francois reported that VMware balloon gets stuck after a balloon reset,
+when the VMCI doorbell is removed. A similar error can occur when the
+balloon driver is removed with the following splat:
+
+[ 1088.622000] INFO: task modprobe:3565 blocked for more than 120 seconds.
+[ 1088.622035] Tainted: G W 5.2.0 #4
+[ 1088.622087] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+[ 1088.622205] modprobe D 0 3565 1450 0x00000000
+[ 1088.622210] Call Trace:
+[ 1088.622246] __schedule+0x2a8/0x690
+[ 1088.622248] schedule+0x2d/0x90
+[ 1088.622250] schedule_timeout+0x1d3/0x2f0
+[ 1088.622252] wait_for_completion+0xba/0x140
+[ 1088.622320] ? wake_up_q+0x80/0x80
+[ 1088.622370] vmci_resource_remove+0xb9/0xc0 [vmw_vmci]
+[ 1088.622373] vmci_doorbell_destroy+0x9e/0xd0 [vmw_vmci]
+[ 1088.622379] vmballoon_vmci_cleanup+0x6e/0xf0 [vmw_balloon]
+[ 1088.622381] vmballoon_exit+0x18/0xcc8 [vmw_balloon]
+[ 1088.622394] __x64_sys_delete_module+0x146/0x280
+[ 1088.622408] do_syscall_64+0x5a/0x130
+[ 1088.622410] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 1088.622415] RIP: 0033:0x7f54f62791b7
+[ 1088.622421] Code: Bad RIP value.
+[ 1088.622421] RSP: 002b:00007fff2a949008 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
+[ 1088.622426] RAX: ffffffffffffffda RBX: 000055dff8b55d00 RCX: 00007f54f62791b7
+[ 1088.622426] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055dff8b55d68
+[ 1088.622427] RBP: 000055dff8b55d00 R08: 00007fff2a947fb1 R09: 0000000000000000
+[ 1088.622427] R10: 00007f54f62f5cc0 R11: 0000000000000206 R12: 000055dff8b55d68
+[ 1088.622428] R13: 0000000000000001 R14: 000055dff8b55d68 R15: 00007fff2a94a3f0
+
+The cause for the bug is that when the "delayed" doorbell is invoked, it
+takes a reference on the doorbell entry and schedules work that is
+supposed to run the appropriate code and drop the doorbell entry
+reference. The code ignores the fact that if the work is already queued,
+it will not be scheduled to run one more time. As a result one of the
+references would not be dropped. When the code waits for the reference
+to get to zero, during balloon reset or module removal, it gets stuck.
+
+Fix it. Drop the reference if schedule_work() indicates that the work is
+already queued.
+
+Note that this bug got more apparent (or apparent at all) due to
+commit ce664331b248 ("vmw_balloon: VMCI_DOORBELL_SET does not check status").
+
+Fixes: 83e2ec765be03 ("VMCI: doorbell implementation.")
+Reported-by: Francois Rigault <rigault.francois@gmail.com>
+Cc: Jorgen Hansen <jhansen@vmware.com>
+Cc: Adit Ranadive <aditr@vmware.com>
+Cc: Alexios Zavras <alexios.zavras@intel.com>
+Cc: Vishnu DASA <vdasa@vmware.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Reviewed-by: Vishnu Dasa <vdasa@vmware.com>
+Link: https://lore.kernel.org/r/20190820202638.49003-1-namit@vmware.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/misc/vmw_vmci/vmci_doorbell.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/misc/vmw_vmci/vmci_doorbell.c b/drivers/misc/vmw_vmci/vmci_doorbell.c
+index bad89b6e0802..345addd9306d 100644
+--- a/drivers/misc/vmw_vmci/vmci_doorbell.c
++++ b/drivers/misc/vmw_vmci/vmci_doorbell.c
+@@ -310,7 +310,8 @@ int vmci_dbell_host_context_notify(u32 src_cid, struct vmci_handle handle)
+
+ entry = container_of(resource, struct dbell_entry, resource);
+ if (entry->run_delayed) {
+- schedule_work(&entry->work);
++ if (!schedule_work(&entry->work))
++ vmci_resource_put(resource);
+ } else {
+ entry->notify_cb(entry->client_data);
+ vmci_resource_put(resource);
+@@ -361,7 +362,8 @@ static void dbell_fire_entries(u32 notify_idx)
+ atomic_read(&dbell->active) == 1) {
+ if (dbell->run_delayed) {
+ vmci_resource_get(&dbell->resource);
+- schedule_work(&dbell->work);
++ if (!schedule_work(&dbell->work))
++ vmci_resource_put(&dbell->resource);
+ } else {
+ dbell->notify_cb(dbell->client_data);
+ }
+--
+2.16.4
+
diff --git a/patches.suse/apparmor-compatibility-patch-for-v5-network-control b/patches.suse/apparmor-compatibility-patch-for-v5-network-control
index 1bf19e115c..acb3be125c 100644
--- a/patches.suse/apparmor-compatibility-patch-for-v5-network-control
+++ b/patches.suse/apparmor-compatibility-patch-for-v5-network-control
@@ -1,7 +1,8 @@
From: John Johansen <john.johansen@canonical.com>
Date: Mon, 4 Oct 2010 15:03:36 -0700
Subject: AppArmor: compatibility patch for v5 network control
-Patch-mainline: Uncertain
+Patch-mainline: never, only for compatibility up to SLE15-SP1
+References: none
Add compatibility for v5 network rules.
diff --git a/patches.suse/apparmor-fix-open-after-profile-replacement.patch b/patches.suse/apparmor-fix-open-after-profile-replacement.patch
index d5dcd94340..d726a01674 100644
--- a/patches.suse/apparmor-fix-open-after-profile-replacement.patch
+++ b/patches.suse/apparmor-fix-open-after-profile-replacement.patch
@@ -1,6 +1,6 @@
From: Miklos Szeredi <mszeredi@suse.cz>
Subject: apparmor: fix open after profile replacement
-Patch-mainline: not yet
+Patch-mainline: never, deprecated since SLE15-SP1
References: bnc#885599
Don't use obsolete profile in apparmor_file_open().
diff --git a/patches.suse/apparmor-fix-replacement-not-being-applied.patch b/patches.suse/apparmor-fix-replacement-not-being-applied.patch
index 73ccc2330b..10e6c79806 100644
--- a/patches.suse/apparmor-fix-replacement-not-being-applied.patch
+++ b/patches.suse/apparmor-fix-replacement-not-being-applied.patch
@@ -1,7 +1,7 @@
From: John Johansen <john.johansen@canonical.com>
Date: Tue, 5 Aug 2014 09:48:54 -0700
Subject: apparmor: Fix: replacement not being applied due to cred not being updated
-Patch-mainline: not yet
+Patch-mainline: never, deprecated since SLE15-SP1
References: bnc#885599
The task cred can only be updated by the task it self. So profile
replacement is achieved by the task recognizing its profile is no longer
diff --git a/patches.suse/arm64-fix-undefined-reference-to-printk.patch b/patches.suse/arm64-fix-undefined-reference-to-printk.patch
new file mode 100644
index 0000000000..510395e0fc
--- /dev/null
+++ b/patches.suse/arm64-fix-undefined-reference-to-printk.patch
@@ -0,0 +1,57 @@
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 13 Mar 2018 12:41:41 +0100
+Subject: arm64: fix undefined reference to 'printk'
+
+Git-commit: bd99f9a159b072be743c6681f81e06b9ebd370a4
+Patch-mainline: v4.17-rc1
+References: bsc#1148219
+
+The printk symbol was intended as a generic address that is always
+exported, however that turned out to be false with CONFIG_PRINTK=n:
+
+ERROR: "printk" [arch/arm64/kernel/arm64-reloc-test.ko] undefined!
+
+This changes the references to memstart_addr, which should be there
+regardless of configuration.
+
+Fixes: a257e02579e4 ("arm64/kernel: don't ban ADRP to work around Cortex-A53 erratum #843419")
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
+---
+ arch/arm64/kernel/reloc_test_core.c | 2 +-
+ arch/arm64/kernel/reloc_test_syms.S | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kernel/reloc_test_core.c b/arch/arm64/kernel/reloc_test_core.c
+index a70489c584c7..5915ce5759cc 100644
+--- a/arch/arm64/kernel/reloc_test_core.c
++++ b/arch/arm64/kernel/reloc_test_core.c
+@@ -45,7 +45,7 @@ static struct {
+ { "R_AARCH64_MOVW_SABS_Gn", signed_movw, UL(SYM64_ABS_VAL) },
+ { "R_AARCH64_MOVW_UABS_Gn", unsigned_movw, UL(SYM64_ABS_VAL) },
+ { "R_AARCH64_ADR_PREL_PG_HI21", relative_adrp, (u64)&sym64_rel },
+- { "R_AARCH64_ADR_PREL_PG_HI21", relative_adrp_far, (u64)&printk },
++ { "R_AARCH64_ADR_PREL_PG_HI21", relative_adrp_far, (u64)&memstart_addr },
+ { "R_AARCH64_ADR_PREL_LO21", relative_adr, (u64)&sym64_rel },
+ { "R_AARCH64_PREL64", relative_data64, (u64)&sym64_rel },
+ { "R_AARCH64_PREL32", relative_data32, (u64)&sym64_rel },
+diff --git a/arch/arm64/kernel/reloc_test_syms.S b/arch/arm64/kernel/reloc_test_syms.S
+index f333b4b7880d..2b8d9cb8b078 100644
+--- a/arch/arm64/kernel/reloc_test_syms.S
++++ b/arch/arm64/kernel/reloc_test_syms.S
+@@ -54,8 +54,8 @@ ENDPROC(relative_adrp)
+ .align 12
+ .space 0xffc
+ ENTRY(relative_adrp_far)
+- adrp x0, printk
+- add x0, x0, #:lo12:printk
++ adrp x0, memstart_addr
++ add x0, x0, #:lo12:memstart_addr
+ ret
+ ENDPROC(relative_adrp_far)
+
+--
+2.11.0
+
diff --git a/patches.suse/arm64-kernel-don-t-ban-ADRP-to-work-around-Cortex-A5.patch b/patches.suse/arm64-kernel-don-t-ban-ADRP-to-work-around-Cortex-A5.patch
new file mode 100644
index 0000000000..8832606c56
--- /dev/null
+++ b/patches.suse/arm64-kernel-don-t-ban-ADRP-to-work-around-Cortex-A5.patch
@@ -0,0 +1,349 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Tue, 6 Mar 2018 17:15:33 +0000
+Subject: arm64/kernel: don't ban ADRP to work around Cortex-A53 erratum
+ #843419
+
+Git-commit: a257e02579e42703de1b7825cbd56cd7191f97b0
+Patch-mainline: v4.17-rc1
+References: bsc#1148219
+
+Working around Cortex-A53 erratum #843419 involves special handling of
+ADRP instructions that end up in the last two instruction slots of a
+4k page, or whose output register gets overwritten without having been
+read. (Note that the latter instruction sequence is never emitted by
+a properly functioning compiler, which is why it is disregarded by the
+handling of the same erratum in the bfd.ld linker which we rely on for
+the core kernel)
+
+Normally, this gets taken care of by the linker, which can spot such
+sequences at final link time, and insert a veneer if the ADRP ends up
+at a vulnerable offset. However, linux kernel modules are partially
+linked ELF objects, and so there is no 'final link time' other than the
+runtime loading of the module, at which time all the static relocations
+are resolved.
+
+For this reason, we have implemented the #843419 workaround for modules
+by avoiding ADRP instructions altogether, by using the large C model,
+and by passing -mpc-relative-literal-loads to recent versions of GCC
+that may emit adrp/ldr pairs to perform literal loads. However, this
+workaround forces us to keep literal data mixed with the instructions
+in the executable .text segment, and literal data may inadvertently
+turn into an exploitable speculative gadget depending on the relative
+offsets of arbitrary symbols.
+
+So let's reimplement this workaround in a way that allows us to switch
+back to the small C model, and to drop the -mpc-relative-literal-loads
+GCC switch, by patching affected ADRP instructions at runtime:
+- ADRP instructions that do not appear at 4k relative offset 0xff8 or
+ 0xffc are ignored
+- ADRP instructions that are within 1 MB of their target symbol are
+ converted into ADR instructions
+- remaining ADRP instructions are redirected via a veneer that performs
+ the load using an unaffected movn/movk sequence.
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+[will: tidied up ADRP -> ADR instruction patching.]
+[will: use ULL suffix for 64-bit immediate]
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+
+Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
+---
+ arch/arm64/Kconfig | 11 +---
+ arch/arm64/Makefile | 5 --
+ arch/arm64/include/asm/module.h | 2
+ arch/arm64/kernel/module-plts.c | 86 ++++++++++++++++++++++++++++++++++--
+ arch/arm64/kernel/module.c | 34 ++++++++++++--
+ arch/arm64/kernel/reloc_test_core.c | 4 -
+ arch/arm64/kernel/reloc_test_syms.S | 12 +++--
+ 7 files changed, 130 insertions(+), 24 deletions(-)
+
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -433,12 +433,12 @@ config ARM64_ERRATUM_845719
+ config ARM64_ERRATUM_843419
+ bool "Cortex-A53: 843419: A load or store might access an incorrect address"
+ default y
+- select ARM64_MODULE_CMODEL_LARGE if MODULES
++ select ARM64_MODULE_PLTS if MODULES
+ help
+ This option links the kernel with '--fix-cortex-a53-843419' and
+- builds modules using the large memory model in order to avoid the use
+- of the ADRP instruction, which can cause a subsequent memory access
+- to use an incorrect address on Cortex-A53 parts up to r0p4.
++ enables PLT support to replace certain ADRP instructions, which can
++ cause subsequent memory accesses to use an incorrect address on
++ Cortex-A53 parts up to r0p4.
+
+ If unsure, say Y.
+
+@@ -1054,9 +1054,6 @@ config ARM64_SVE
+
+ To enable use of this extension on CPUs that implement it, say Y.
+
+-config ARM64_MODULE_CMODEL_LARGE
+- bool
+-
+ config ARM64_MODULE_PLTS
+ bool
+ select ARM64_MODULE_CMODEL_LARGE
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -51,7 +51,6 @@ endif
+
+ KBUILD_CFLAGS += -mgeneral-regs-only $(lseinstr) $(brokengasinst)
+ KBUILD_CFLAGS += -fno-asynchronous-unwind-tables
+-KBUILD_CFLAGS += $(call cc-option, -mpc-relative-literal-loads)
+ KBUILD_AFLAGS += $(lseinstr) $(brokengasinst)
+
+ ifeq ($(CONFIG_CPU_BIG_ENDIAN), y)
+@@ -68,10 +67,6 @@ endif
+
+ CHECKFLAGS += -D__aarch64__
+
+-ifeq ($(CONFIG_ARM64_MODULE_CMODEL_LARGE), y)
+-KBUILD_CFLAGS_MODULE += -mcmodel=large
+-endif
+-
+ ifeq ($(CONFIG_ARM64_MODULE_PLTS),y)
+ KBUILD_LDFLAGS_MODULE += -T $(srctree)/arch/arm64/kernel/module.lds
+ endif
+--- a/arch/arm64/include/asm/module.h
++++ b/arch/arm64/include/asm/module.h
+@@ -36,6 +36,8 @@ struct mod_arch_specific {
+ u64 module_emit_plt_entry(struct module *mod, void *loc, const Elf64_Rela *rela,
+ Elf64_Sym *sym);
+
++u64 module_emit_adrp_veneer(struct module *mod, void *loc, u64 val);
++
+ #ifdef CONFIG_RANDOMIZE_BASE
+ extern u64 module_alloc_base;
+ #else
+--- a/arch/arm64/kernel/module-plts.c
++++ b/arch/arm64/kernel/module-plts.c
+@@ -75,6 +75,47 @@ u64 module_emit_plt_entry(struct module
+ return (u64)&plt[i];
+ }
+
++#ifdef CONFIG_ARM64_ERRATUM_843419
++u64 module_emit_adrp_veneer(struct module *mod, void *loc, u64 val)
++{
++ struct mod_plt_sec *pltsec = !in_init(mod, loc) ? &mod->arch.core :
++ &mod->arch.init;
++ struct plt_entry *plt = (struct plt_entry *)pltsec->plt->sh_addr;
++ int i = pltsec->plt_num_entries++;
++ u32 mov0, mov1, mov2, br;
++ int rd;
++
++ if (WARN_ON(pltsec->plt_num_entries > pltsec->plt_max_entries))
++ return 0;
++
++ /* get the destination register of the ADRP instruction */
++ rd = aarch64_insn_decode_register(AARCH64_INSN_REGTYPE_RD,
++ le32_to_cpup((__le32 *)loc));
++
++ /* generate the veneer instructions */
++ mov0 = aarch64_insn_gen_movewide(rd, (u16)~val, 0,
++ AARCH64_INSN_VARIANT_64BIT,
++ AARCH64_INSN_MOVEWIDE_INVERSE);
++ mov1 = aarch64_insn_gen_movewide(rd, (u16)(val >> 16), 16,
++ AARCH64_INSN_VARIANT_64BIT,
++ AARCH64_INSN_MOVEWIDE_KEEP);
++ mov2 = aarch64_insn_gen_movewide(rd, (u16)(val >> 32), 32,
++ AARCH64_INSN_VARIANT_64BIT,
++ AARCH64_INSN_MOVEWIDE_KEEP);
++ br = aarch64_insn_gen_branch_imm((u64)&plt[i].br, (u64)loc + 4,
++ AARCH64_INSN_BRANCH_NOLINK);
++
++ plt[i] = (struct plt_entry){
++ cpu_to_le32(mov0),
++ cpu_to_le32(mov1),
++ cpu_to_le32(mov2),
++ cpu_to_le32(br)
++ };
++
++ return (u64)&plt[i];
++}
++#endif
++
+ #define cmp_3way(a,b) ((a) < (b) ? -1 : (a) > (b))
+
+ static int cmp_rela(const void *a, const void *b)
+@@ -102,16 +143,21 @@ static bool duplicate_rel(const Elf64_Re
+ }
+
+ static unsigned int count_plts(Elf64_Sym *syms, Elf64_Rela *rela, int num,
+- Elf64_Word dstidx)
++ Elf64_Word dstidx, Elf_Shdr *dstsec)
+ {
+ unsigned int ret = 0;
+ Elf64_Sym *s;
+ int i;
+
+ for (i = 0; i < num; i++) {
++ u64 min_align;
++
+ switch (ELF64_R_TYPE(rela[i].r_info)) {
+ case R_AARCH64_JUMP26:
+ case R_AARCH64_CALL26:
++ if (!IS_ENABLED(CONFIG_RANDOMIZE_BASE))
++ break;
++
+ /*
+ * We only have to consider branch targets that resolve
+ * to symbols that are defined in a different section.
+@@ -143,6 +189,40 @@ static unsigned int count_plts(Elf64_Sym
+ if (rela[i].r_addend != 0 || !duplicate_rel(rela, i))
+ ret++;
+ break;
++ case R_AARCH64_ADR_PREL_PG_HI21_NC:
++ case R_AARCH64_ADR_PREL_PG_HI21:
++ if (!IS_ENABLED(CONFIG_ARM64_ERRATUM_843419))
++ break;
++
++ /*
++ * Determine the minimal safe alignment for this ADRP
++ * instruction: the section alignment at which it is
++ * guaranteed not to appear at a vulnerable offset.
++ *
++ * This comes down to finding the least significant zero
++ * bit in bits [11:3] of the section offset, and
++ * increasing the section's alignment so that the
++ * resulting address of this instruction is guaranteed
++ * to equal the offset in that particular bit (as well
++ * as all less signficant bits). This ensures that the
++ * address modulo 4 KB != 0xfff8 or 0xfffc (which would
++ * have all ones in bits [11:3])
++ */
++ min_align = 2ULL << ffz(rela[i].r_offset | 0x7);
++
++ /*
++ * Allocate veneer space for each ADRP that may appear
++ * at a vulnerable offset nonetheless. At relocation
++ * time, some of these will remain unused since some
++ * ADRP instructions can be patched to ADR instructions
++ * instead.
++ */
++ if (min_align > SZ_4K)
++ ret++;
++ else
++ dstsec->sh_addralign = max(dstsec->sh_addralign,
++ min_align);
++ break;
+ }
+ }
+ return ret;
+@@ -195,10 +275,10 @@ int module_frob_arch_sections(Elf_Ehdr *
+
+ if (strncmp(secstrings + dstsec->sh_name, ".init", 5) != 0)
+ core_plts += count_plts(syms, rels, numrels,
+- sechdrs[i].sh_info);
++ sechdrs[i].sh_info, dstsec);
+ else
+ init_plts += count_plts(syms, rels, numrels,
+- sechdrs[i].sh_info);
++ sechdrs[i].sh_info, dstsec);
+ }
+
+ mod->arch.core.plt->sh_type = SHT_NOBITS;
+--- a/arch/arm64/kernel/module.c
++++ b/arch/arm64/kernel/module.c
+@@ -197,6 +197,33 @@ static int reloc_insn_imm(enum aarch64_r
+ return 0;
+ }
+
++static int reloc_insn_adrp(struct module *mod, __le32 *place, u64 val)
++{
++ u32 insn;
++
++ if (!IS_ENABLED(CONFIG_ARM64_ERRATUM_843419) ||
++ ((u64)place & 0xfff) < 0xff8)
++ return reloc_insn_imm(RELOC_OP_PAGE, place, val, 12, 21,
++ AARCH64_INSN_IMM_ADR);
++
++ /* patch ADRP to ADR if it is in range */
++ if (!reloc_insn_imm(RELOC_OP_PREL, place, val & ~0xfff, 0, 21,
++ AARCH64_INSN_IMM_ADR)) {
++ insn = le32_to_cpu(*place);
++ insn &= ~BIT(31);
++ } else {
++ /* out of range for ADR -> emit a veneer */
++ val = module_emit_adrp_veneer(mod, place, val & ~0xfff);
++ if (!val)
++ return -ENOEXEC;
++ insn = aarch64_insn_gen_branch_imm((u64)place, val,
++ AARCH64_INSN_BRANCH_NOLINK);
++ }
++
++ *place = cpu_to_le32(insn);
++ return 0;
++}
++
+ int apply_relocate_add(Elf64_Shdr *sechdrs,
+ const char *strtab,
+ unsigned int symindex,
+@@ -336,14 +363,13 @@ int apply_relocate_add(Elf64_Shdr *sechd
+ ovf = reloc_insn_imm(RELOC_OP_PREL, loc, val, 0, 21,
+ AARCH64_INSN_IMM_ADR);
+ break;
+-#ifndef CONFIG_ARM64_ERRATUM_843419
+ case R_AARCH64_ADR_PREL_PG_HI21_NC:
+ overflow_check = false;
+ case R_AARCH64_ADR_PREL_PG_HI21:
+- ovf = reloc_insn_imm(RELOC_OP_PAGE, loc, val, 12, 21,
+- AARCH64_INSN_IMM_ADR);
++ ovf = reloc_insn_adrp(me, loc, val);
++ if (ovf && ovf != -ERANGE)
++ return ovf;
+ break;
+-#endif
+ case R_AARCH64_ADD_ABS_LO12_NC:
+ case R_AARCH64_LDST8_ABS_LO12_NC:
+ overflow_check = false;
+--- a/arch/arm64/kernel/reloc_test_core.c
++++ b/arch/arm64/kernel/reloc_test_core.c
+@@ -28,6 +28,7 @@ asmlinkage u64 absolute_data16(void);
+ asmlinkage u64 signed_movw(void);
+ asmlinkage u64 unsigned_movw(void);
+ asmlinkage u64 relative_adrp(void);
++asmlinkage u64 relative_adrp_far(void);
+ asmlinkage u64 relative_adr(void);
+ asmlinkage u64 relative_data64(void);
+ asmlinkage u64 relative_data32(void);
+@@ -43,9 +44,8 @@ static struct {
+ { "R_AARCH64_ABS16", absolute_data16, UL(SYM16_ABS_VAL) },
+ { "R_AARCH64_MOVW_SABS_Gn", signed_movw, UL(SYM64_ABS_VAL) },
+ { "R_AARCH64_MOVW_UABS_Gn", unsigned_movw, UL(SYM64_ABS_VAL) },
+-#ifndef CONFIG_ARM64_ERRATUM_843419
+ { "R_AARCH64_ADR_PREL_PG_HI21", relative_adrp, (u64)&sym64_rel },
+-#endif
++ { "R_AARCH64_ADR_PREL_PG_HI21", relative_adrp_far, (u64)&printk },
+ { "R_AARCH64_ADR_PREL_LO21", relative_adr, (u64)&sym64_rel },
+ { "R_AARCH64_PREL64", relative_data64, (u64)&sym64_rel },
+ { "R_AARCH64_PREL32", relative_data32, (u64)&sym64_rel },
+--- a/arch/arm64/kernel/reloc_test_syms.S
++++ b/arch/arm64/kernel/reloc_test_syms.S
+@@ -43,15 +43,21 @@ ENTRY(unsigned_movw)
+ ret
+ ENDPROC(unsigned_movw)
+
+-#ifndef CONFIG_ARM64_ERRATUM_843419
+-
++ .align 12
++ .space 0xff8
+ ENTRY(relative_adrp)
+ adrp x0, sym64_rel
+ add x0, x0, #:lo12:sym64_rel
+ ret
+ ENDPROC(relative_adrp)
+
+-#endif
++ .align 12
++ .space 0xffc
++ENTRY(relative_adrp_far)
++ adrp x0, printk
++ add x0, x0, #:lo12:printk
++ ret
++ENDPROC(relative_adrp_far)
+
+ ENTRY(relative_adr)
+ adr x0, sym64_rel
diff --git a/patches.suse/arm64-kernel-enable-A53-erratum-8434319-handling-at-.patch b/patches.suse/arm64-kernel-enable-A53-erratum-8434319-handling-at-.patch
new file mode 100644
index 0000000000..78e4044e5f
--- /dev/null
+++ b/patches.suse/arm64-kernel-enable-A53-erratum-8434319-handling-at-.patch
@@ -0,0 +1,75 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Tue, 6 Mar 2018 17:15:35 +0000
+Subject: arm64/kernel: enable A53 erratum #8434319 handling at runtime
+
+Git-commit: ca79acca273630935f2cfdfdf3fc7425ff51ce1c
+Patch-mainline: v4.17-rc1
+References: bsc#1148219
+
+Omit patching of ADRP instruction at module load time if the current
+CPUs are not susceptible to the erratum.
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+[will: Drop duplicate initialisation of .def_scope field]
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+
+Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
+---
+ arch/arm64/include/asm/cpucaps.h | 3 ++-
+ arch/arm64/kernel/cpu_errata.c | 9 +++++++++
+ arch/arm64/kernel/module-plts.c | 3 ++-
+ arch/arm64/kernel/module.c | 1 +
+ 4 files changed, 14 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/cpucaps.h
++++ b/arch/arm64/include/asm/cpucaps.h
+@@ -44,7 +44,8 @@
+ #define ARM64_HARDEN_BRANCH_PREDICTOR 23
+ #define ARM64_HARDEN_BP_POST_GUEST_EXIT 24
+ #define ARM64_HAS_RAS_EXTN 25
++#define ARM64_WORKAROUND_843419 29
+
+-#define ARM64_NCAPS 26
++#define ARM64_NCAPS 30
+
+ #endif /* __ASM_CPUCAPS_H */
+--- a/arch/arm64/kernel/cpu_errata.c
++++ b/arch/arm64/kernel/cpu_errata.c
+@@ -284,6 +284,15 @@ const struct arm64_cpu_capabilities arm6
+ MIDR_CPU_VAR_REV(1, 2)),
+ },
+ #endif
++#ifdef CONFIG_ARM64_ERRATUM_843419
++ {
++ /* Cortex-A53 r0p[01234] */
++ .desc = "ARM erratum 843419",
++ .capability = ARM64_WORKAROUND_843419,
++ MIDR_RANGE(MIDR_CORTEX_A53, 0x00, 0x04),
++ MIDR_FIXED(0x4, BIT(8)),
++ },
++#endif
+ #ifdef CONFIG_ARM64_ERRATUM_845719
+ {
+ /* Cortex-A53 r0p[01234] */
+--- a/arch/arm64/kernel/module-plts.c
++++ b/arch/arm64/kernel/module-plts.c
+@@ -158,7 +158,8 @@ static unsigned int count_plts(Elf64_Sym
+ break;
+ case R_AARCH64_ADR_PREL_PG_HI21_NC:
+ case R_AARCH64_ADR_PREL_PG_HI21:
+- if (!IS_ENABLED(CONFIG_ARM64_ERRATUM_843419))
++ if (!IS_ENABLED(CONFIG_ARM64_ERRATUM_843419) ||
++ !cpus_have_const_cap(ARM64_WORKAROUND_843419))
+ break;
+
+ /*
+--- a/arch/arm64/kernel/module.c
++++ b/arch/arm64/kernel/module.c
+@@ -203,6 +203,7 @@ static int reloc_insn_adrp(struct module
+ u32 insn;
+
+ if (!IS_ENABLED(CONFIG_ARM64_ERRATUM_843419) ||
++ !cpus_have_const_cap(ARM64_WORKAROUND_843419) ||
+ ((u64)place & 0xfff) < 0xff8)
+ return reloc_insn_imm(RELOC_OP_PAGE, place, val, 12, 21,
+ AARCH64_INSN_IMM_ADR);
diff --git a/patches.suse/arm64-kernel-rename-module_emit_adrp_veneer-module_e.patch b/patches.suse/arm64-kernel-rename-module_emit_adrp_veneer-module_e.patch
new file mode 100644
index 0000000000..326e414b85
--- /dev/null
+++ b/patches.suse/arm64-kernel-rename-module_emit_adrp_veneer-module_e.patch
@@ -0,0 +1,87 @@
+From: Kim Phillips <kim.phillips@arm.com>
+Date: Tue, 24 Apr 2018 10:39:43 -0500
+Subject: arm64/kernel: rename
+ module_emit_adrp_veneer->module_emit_veneer_for_adrp
+
+Git-commit: ed231ae384fdfcb546b63b2fe7add65029e3a94c
+Patch-mainline: v4.17-rc3
+References: bsc#1148219
+
+Commit a257e02579e ("arm64/kernel: don't ban ADRP to work around
+Cortex-A53 erratum #843419") introduced a function whose name ends with
+"_veneer".
+
+This clashes with commit bd8b22d2888e ("Kbuild: kallsyms: ignore veneers
+emitted by the ARM linker"), which removes symbols ending in "_veneer"
+from kallsyms.
+
+The problem was manifested as 'perf test -vvvvv vmlinux' failed,
+correctly claiming the symbol 'module_emit_adrp_veneer' was present in
+vmlinux, but not in kallsyms.
+
+...
+ ERR : 0xffff00000809aa58: module_emit_adrp_veneer not on kallsyms
+...
+ test child finished with -1
+ ---- end ----
+ vmlinux symtab matches kallsyms: FAILED!
+
+Fix the problem by renaming module_emit_adrp_veneer to
+module_emit_veneer_for_adrp. Now the test passes.
+
+Fixes: a257e02579e ("arm64/kernel: don't ban ADRP to work around Cortex-A53 erratum #843419")
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Michal Marek <mmarek@suse.cz>
+Signed-off-by: Kim Phillips <kim.phillips@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
+---
+ arch/arm64/include/asm/module.h | 2 +-
+ arch/arm64/kernel/module-plts.c | 2 +-
+ arch/arm64/kernel/module.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/include/asm/module.h b/arch/arm64/include/asm/module.h
+index b6dbbe3123a9..97d0ef12e2ff 100644
+--- a/arch/arm64/include/asm/module.h
++++ b/arch/arm64/include/asm/module.h
+@@ -39,7 +39,7 @@ struct mod_arch_specific {
+ u64 module_emit_plt_entry(struct module *mod, void *loc, const Elf64_Rela *rela,
+ Elf64_Sym *sym);
+
+-u64 module_emit_adrp_veneer(struct module *mod, void *loc, u64 val);
++u64 module_emit_veneer_for_adrp(struct module *mod, void *loc, u64 val);
+
+ #ifdef CONFIG_RANDOMIZE_BASE
+ extern u64 module_alloc_base;
+diff --git a/arch/arm64/kernel/module-plts.c b/arch/arm64/kernel/module-plts.c
+index fa3637284a3d..f0690c2ca3e0 100644
+--- a/arch/arm64/kernel/module-plts.c
++++ b/arch/arm64/kernel/module-plts.c
+@@ -43,7 +43,7 @@ u64 module_emit_plt_entry(struct module *mod, void *loc, const Elf64_Rela *rela,
+ }
+
+ #ifdef CONFIG_ARM64_ERRATUM_843419
+-u64 module_emit_adrp_veneer(struct module *mod, void *loc, u64 val)
++u64 module_emit_veneer_for_adrp(struct module *mod, void *loc, u64 val)
+ {
+ struct mod_plt_sec *pltsec = !in_init(mod, loc) ? &mod->arch.core :
+ &mod->arch.init;
+diff --git a/arch/arm64/kernel/module.c b/arch/arm64/kernel/module.c
+index 719fde8dcc19..155fd91e78f4 100644
+--- a/arch/arm64/kernel/module.c
++++ b/arch/arm64/kernel/module.c
+@@ -215,7 +215,7 @@ static int reloc_insn_adrp(struct module *mod, __le32 *place, u64 val)
+ insn &= ~BIT(31);
+ } else {
+ /* out of range for ADR -> emit a veneer */
+- val = module_emit_adrp_veneer(mod, place, val & ~0xfff);
++ val = module_emit_veneer_for_adrp(mod, place, val & ~0xfff);
+ if (!val)
+ return -ENOEXEC;
+ insn = aarch64_insn_gen_branch_imm((u64)place, val,
+--
+2.11.0
+
diff --git a/patches.suse/arm64-module-don-t-BUG-when-exceeding-preallocated-P.patch b/patches.suse/arm64-module-don-t-BUG-when-exceeding-preallocated-P.patch
new file mode 100644
index 0000000000..2f4d3088b5
--- /dev/null
+++ b/patches.suse/arm64-module-don-t-BUG-when-exceeding-preallocated-P.patch
@@ -0,0 +1,56 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Tue, 6 Mar 2018 17:15:31 +0000
+Subject: arm64: module: don't BUG when exceeding preallocated PLT count
+
+Git-commit: 5e8307b9c6f40526f290663e5a4de0f78bb0446a
+Patch-mainline: v4.17-rc1
+References: bsc#1148219
+
+When PLTs are emitted at relocation time, we really should not exceed
+the number that we counted when parsing the relocation tables, and so
+currently, we BUG() on this condition. However, even though this is a
+clear bug in this particular piece of code, we can easily recover by
+failing to load the module.
+
+So instead, return 0 from module_emit_plt_entry() if this condition
+occurs, which is not a valid kernel address, and can hence serve as
+a flag value that makes the relocation routine bail out.
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
+---
+ arch/arm64/kernel/module-plts.c | 3 ++-
+ arch/arm64/kernel/module.c | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/module-plts.c b/arch/arm64/kernel/module-plts.c
+index ea640f92fe5a..6bf07c602bd4 100644
+--- a/arch/arm64/kernel/module-plts.c
++++ b/arch/arm64/kernel/module-plts.c
+@@ -36,7 +36,8 @@ u64 module_emit_plt_entry(struct module *mod, void *loc, const Elf64_Rela *rela,
+ return (u64)&plt[i - 1];
+
+ pltsec->plt_num_entries++;
+- BUG_ON(pltsec->plt_num_entries > pltsec->plt_max_entries);
++ if (WARN_ON(pltsec->plt_num_entries > pltsec->plt_max_entries))
++ return 0;
+
+ return (u64)&plt[i];
+ }
+diff --git a/arch/arm64/kernel/module.c b/arch/arm64/kernel/module.c
+index f469e0435903..c8c6c2828b79 100644
+--- a/arch/arm64/kernel/module.c
++++ b/arch/arm64/kernel/module.c
+@@ -386,6 +386,8 @@ int apply_relocate_add(Elf64_Shdr *sechdrs,
+ if (IS_ENABLED(CONFIG_ARM64_MODULE_PLTS) &&
+ ovf == -ERANGE) {
+ val = module_emit_plt_entry(me, loc, &rel[i], sym);
++ if (!val)
++ return -ENOEXEC;
+ ovf = reloc_insn_imm(RELOC_OP_PREL, loc, val, 2,
+ 26, AARCH64_INSN_IMM_26);
+ }
+--
+2.11.0
+
diff --git a/patches.suse/ath6kl-add-some-bounds-checking.patch b/patches.suse/ath6kl-add-some-bounds-checking.patch
index f8cfc55857..599d122c81 100644
--- a/patches.suse/ath6kl-add-some-bounds-checking.patch
+++ b/patches.suse/ath6kl-add-some-bounds-checking.patch
@@ -4,7 +4,7 @@ Date: Thu, 4 Apr 2019 11:56:51 +0300
Subject: [PATCH] ath6kl: add some bounds checking
Git-commit: 5d6751eaff672ea77642e74e92e6c0ac7f9709ab
Patch-mainline: v5.3-rc1
-References: bsc#1051510
+References: bsc#1051510, CVE-2019-15926, bsc#1149527
The "ev->traffic_class" and "reply->ac" variables come from the network
and they're used as an offset into the wmi->stream_exist_for_ac[] array.
diff --git a/patches.suse/batman-adv-Only-read-OGM-tvlv_len-after-buffer-len-c.patch b/patches.suse/batman-adv-Only-read-OGM-tvlv_len-after-buffer-len-c.patch
new file mode 100644
index 0000000000..443b5063d1
--- /dev/null
+++ b/patches.suse/batman-adv-Only-read-OGM-tvlv_len-after-buffer-len-c.patch
@@ -0,0 +1,80 @@
+From a15d56a60760aa9dbe26343b9a0ac5228f35d445 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 22 Aug 2019 08:55:36 +0200
+Subject: [PATCH] batman-adv: Only read OGM tvlv_len after buffer len check
+Git-commit: a15d56a60760aa9dbe26343b9a0ac5228f35d445
+Patch-mainline: v5.3-rc7
+References: bsc#1051510
+
+Multiple batadv_ogm_packet can be stored in an skbuff. The functions
+batadv_iv_ogm_send_to_if()/batadv_iv_ogm_receive() use
+batadv_iv_ogm_aggr_packet() to check if there is another additional
+batadv_ogm_packet in the skb or not before they continue processing the
+packet.
+
+The length for such an OGM is BATADV_OGM_HLEN +
+batadv_ogm_packet->tvlv_len. The check must first check that at least
+BATADV_OGM_HLEN bytes are available before it accesses tvlv_len (which is
+part of the header. Otherwise it might try read outside of the currently
+available skbuff to get the content of tvlv_len.
+
+Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
+Reported-by: syzbot+355cab184197dbbfa384@syzkaller.appspotmail.com
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/batman-adv/bat_iv_ogm.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -454,17 +454,23 @@ static u8 batadv_hop_penalty(u8 tq, cons
+ * batadv_iv_ogm_aggr_packet - checks if there is another OGM attached
+ * @buff_pos: current position in the skb
+ * @packet_len: total length of the skb
+- * @tvlv_len: tvlv length of the previously considered OGM
++ * @ogm_packet: potential OGM in buffer
+ *
+ * Return: true if there is enough space for another OGM, false otherwise.
+ */
+-static bool batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
+- __be16 tvlv_len)
++static bool
++batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
++ const struct batadv_ogm_packet *ogm_packet)
+ {
+ int next_buff_pos = 0;
+
+- next_buff_pos += buff_pos + BATADV_OGM_HLEN;
+- next_buff_pos += ntohs(tvlv_len);
++ /* check if there is enough space for the header */
++ next_buff_pos += buff_pos + sizeof(*ogm_packet);
++ if (next_buff_pos > packet_len)
++ return false;
++
++ /* check if there is enough space for the optional TVLV */
++ next_buff_pos += ntohs(ogm_packet->tvlv_len);
+
+ return (next_buff_pos <= packet_len) &&
+ (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
+@@ -492,7 +498,7 @@ static void batadv_iv_ogm_send_to_if(str
+
+ /* adjust all flags and log packets */
+ while (batadv_iv_ogm_aggr_packet(buff_pos, forw_packet->packet_len,
+- batadv_ogm_packet->tvlv_len)) {
++ batadv_ogm_packet)) {
+ /* we might have aggregated direct link packets with an
+ * ordinary base packet
+ */
+@@ -1843,7 +1849,7 @@ static int batadv_iv_ogm_receive(struct
+
+ /* unpack the aggregated packets and process them one by one */
+ while (batadv_iv_ogm_aggr_packet(ogm_offset, skb_headlen(skb),
+- ogm_packet->tvlv_len)) {
++ ogm_packet)) {
+ batadv_iv_ogm_process(skb, ogm_offset, if_incoming);
+
+ ogm_offset += BATADV_OGM_HLEN;
diff --git a/patches.suse/batman-adv-Only-read-OGM2-tvlv_len-after-buffer-len-.patch b/patches.suse/batman-adv-Only-read-OGM2-tvlv_len-after-buffer-len-.patch
new file mode 100644
index 0000000000..edb503fdfc
--- /dev/null
+++ b/patches.suse/batman-adv-Only-read-OGM2-tvlv_len-after-buffer-len-.patch
@@ -0,0 +1,68 @@
+From 0ff0f15a32c093381ad1abc06abe85afb561ab28 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 22 Aug 2019 08:55:36 +0200
+Subject: [PATCH] batman-adv: Only read OGM2 tvlv_len after buffer len check
+Git-commit: 0ff0f15a32c093381ad1abc06abe85afb561ab28
+Patch-mainline: v5.3-rc7
+References: bsc#1051510
+
+Multiple batadv_ogm2_packet can be stored in an skbuff. The functions
+batadv_v_ogm_send_to_if() uses batadv_v_ogm_aggr_packet() to check if there
+is another additional batadv_ogm2_packet in the skb or not before they
+continue processing the packet.
+
+The length for such an OGM2 is BATADV_OGM2_HLEN +
+batadv_ogm2_packet->tvlv_len. The check must first check that at least
+BATADV_OGM2_HLEN bytes are available before it accesses tvlv_len (which is
+part of the header. Otherwise it might try read outside of the currently
+available skbuff to get the content of tvlv_len.
+
+Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/batman-adv/bat_v_ogm.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/net/batman-adv/bat_v_ogm.c
++++ b/net/batman-adv/bat_v_ogm.c
+@@ -642,17 +642,23 @@ batadv_v_ogm_process_per_outif(struct ba
+ * batadv_v_ogm_aggr_packet - checks if there is another OGM aggregated
+ * @buff_pos: current position in the skb
+ * @packet_len: total length of the skb
+- * @tvlv_len: tvlv length of the previously considered OGM
++ * @ogm2_packet: potential OGM2 in buffer
+ *
+ * Return: true if there is enough space for another OGM, false otherwise.
+ */
+-static bool batadv_v_ogm_aggr_packet(int buff_pos, int packet_len,
+- __be16 tvlv_len)
++static bool
++batadv_v_ogm_aggr_packet(int buff_pos, int packet_len,
++ const struct batadv_ogm2_packet *ogm2_packet)
+ {
+ int next_buff_pos = 0;
+
+- next_buff_pos += buff_pos + BATADV_OGM2_HLEN;
+- next_buff_pos += ntohs(tvlv_len);
++ /* check if there is enough space for the header */
++ next_buff_pos += buff_pos + sizeof(*ogm2_packet);
++ if (next_buff_pos > packet_len)
++ return false;
++
++ /* check if there is enough space for the optional TVLV */
++ next_buff_pos += ntohs(ogm2_packet->tvlv_len);
+
+ return (next_buff_pos <= packet_len) &&
+ (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
+@@ -829,7 +835,7 @@ int batadv_v_ogm_packet_recv(struct sk_b
+ ogm_packet = (struct batadv_ogm2_packet *)skb->data;
+
+ while (batadv_v_ogm_aggr_packet(ogm_offset, skb_headlen(skb),
+- ogm_packet->tvlv_len)) {
++ ogm_packet)) {
+ batadv_v_ogm_process(skb, ogm_offset, if_incoming);
+
+ ogm_offset += BATADV_OGM2_HLEN;
diff --git a/patches.suse/batman-adv-fix-uninit-value-in-batadv_netlink_get_if.patch b/patches.suse/batman-adv-fix-uninit-value-in-batadv_netlink_get_if.patch
new file mode 100644
index 0000000000..43fa6be362
--- /dev/null
+++ b/patches.suse/batman-adv-fix-uninit-value-in-batadv_netlink_get_if.patch
@@ -0,0 +1,69 @@
+From 3ee1bb7aae97324ec9078da1f00cb2176919563f Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 12 Aug 2019 04:57:27 -0700
+Subject: [PATCH] batman-adv: fix uninit-value in batadv_netlink_get_ifindex()
+Git-commit: 3ee1bb7aae97324ec9078da1f00cb2176919563f
+Patch-mainline: v5.3-rc7
+References: bsc#1051510
+
+batadv_netlink_get_ifindex() needs to make sure user passed
+a correct u32 attribute.
+
+syzbot reported :
+Bug: KMSAN: uninit-value in batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968
+Cpu: 1 PID: 11705 Comm: syz-executor888 Not tainted 5.1.0+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x191/0x1f0 lib/dump_stack.c:113
+ kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
+ __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
+ batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968
+ genl_lock_dumpit+0xc6/0x130 net/netlink/genetlink.c:482
+ netlink_dump+0xa84/0x1ab0 net/netlink/af_netlink.c:2253
+ __netlink_dump_start+0xa3a/0xb30 net/netlink/af_netlink.c:2361
+ genl_family_rcv_msg net/netlink/genetlink.c:550 [inline]
+ genl_rcv_msg+0xfc1/0x1a40 net/netlink/genetlink.c:627
+ netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2486
+ genl_rcv+0x63/0x80 net/netlink/genetlink.c:638
+ netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
+ netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1337
+ netlink_sendmsg+0x127e/0x12f0 net/netlink/af_netlink.c:1926
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ sock_sendmsg net/socket.c:661 [inline]
+ ___sys_sendmsg+0xcc6/0x1200 net/socket.c:2260
+ __sys_sendmsg net/socket.c:2298 [inline]
+ __do_sys_sendmsg net/socket.c:2307 [inline]
+ __se_sys_sendmsg+0x305/0x460 net/socket.c:2305
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2305
+ do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+Rip: 0033:0x440209
+
+Fixes: b60620cf567b ("batman-adv: netlink: hardif query")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/batman-adv/netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/batman-adv/netlink.c b/net/batman-adv/netlink.c
+index 6f08fd122a8d..7e052d6f759b 100644
+--- a/net/batman-adv/netlink.c
++++ b/net/batman-adv/netlink.c
+@@ -164,7 +164,7 @@ batadv_netlink_get_ifindex(const struct nlmsghdr *nlh, int attrtype)
+ {
+ struct nlattr *attr = nlmsg_find_attr(nlh, GENL_HDRLEN, attrtype);
+
+- return attr ? nla_get_u32(attr) : 0;
++ return (attr && nla_len(attr) == sizeof(u32)) ? nla_get_u32(attr) : 0;
+ }
+
+ /**
+--
+2.16.4
+
diff --git a/patches.suse/btrfs-add-a-helper-to-retrive-extent-inline-ref-type.patch b/patches.suse/btrfs-add-a-helper-to-retrive-extent-inline-ref-type.patch
new file mode 100644
index 0000000000..c90a95e8e3
--- /dev/null
+++ b/patches.suse/btrfs-add-a-helper-to-retrive-extent-inline-ref-type.patch
@@ -0,0 +1,89 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:18 -0600
+Subject: Btrfs: add a helper to retrive extent inline ref type
+Git-commit: 167ce953ca55bdee20fe56c3c0fa51002435f745
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+An invalid value of extent inline ref type may be read from a
+malicious image which may force btrfs to crash.
+
+This adds a helper which does sanity check for the ref type, so we can
+know if it's sane, return he type, otherwise return an error.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ minimal tweak const types, causing warnings due to other cleanup patches ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/ctree.h | 11 +++++++++++
+ fs/btrfs/extent-tree.c | 37 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 48 insertions(+)
+
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -2587,6 +2587,17 @@ static inline gfp_t btrfs_alloc_write_ma
+
+ /* extent-tree.c */
+
++enum btrfs_inline_ref_type {
++ BTRFS_REF_TYPE_INVALID = 0,
++ BTRFS_REF_TYPE_BLOCK = 1,
++ BTRFS_REF_TYPE_DATA = 2,
++ BTRFS_REF_TYPE_ANY = 3,
++};
++
++int btrfs_get_extent_inline_ref_type(const struct extent_buffer *eb,
++ struct btrfs_extent_inline_ref *iref,
++ enum btrfs_inline_ref_type is_data);
++
+ u64 btrfs_csum_bytes_to_leaves(struct btrfs_fs_info *fs_info, u64 csum_bytes);
+
+ static inline u64 btrfs_calc_trans_metadata_size(struct btrfs_fs_info *fs_info,
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -1147,6 +1147,43 @@ static int convert_extent_item_v0(struct
+ }
+ #endif
+
++/*
++ * is_data == BTRFS_REF_TYPE_BLOCK, tree block type is required,
++ * is_data == BTRFS_REF_TYPE_DATA, data type is requried,
++ * is_data == BTRFS_REF_TYPE_ANY, either type is OK.
++ */
++int btrfs_get_extent_inline_ref_type(const struct extent_buffer *eb,
++ struct btrfs_extent_inline_ref *iref,
++ enum btrfs_inline_ref_type is_data)
++{
++ int type = btrfs_extent_inline_ref_type(eb, iref);
++
++ if (type == BTRFS_TREE_BLOCK_REF_KEY ||
++ type == BTRFS_SHARED_BLOCK_REF_KEY ||
++ type == BTRFS_SHARED_DATA_REF_KEY ||
++ type == BTRFS_EXTENT_DATA_REF_KEY) {
++ if (is_data == BTRFS_REF_TYPE_BLOCK) {
++ if (type == BTRFS_TREE_BLOCK_REF_KEY ||
++ type == BTRFS_SHARED_BLOCK_REF_KEY)
++ return type;
++ } else if (is_data == BTRFS_REF_TYPE_DATA) {
++ if (type == BTRFS_EXTENT_DATA_REF_KEY ||
++ type == BTRFS_SHARED_DATA_REF_KEY)
++ return type;
++ } else {
++ ASSERT(is_data == BTRFS_REF_TYPE_ANY);
++ return type;
++ }
++ }
++
++ btrfs_print_leaf(eb->fs_info, (struct extent_buffer *) eb);
++ btrfs_err(eb->fs_info, "eb %llu invalid extent inline ref type %d",
++ eb->start, type);
++ WARN_ON(1);
++
++ return BTRFS_REF_TYPE_INVALID;
++}
++
+ static u64 hash_extent_data_ref(u64 root_objectid, u64 owner, u64 offset)
+ {
+ u32 high_crc = ~(u32)0;
diff --git a/patches.suse/btrfs-add-one-more-sanity-check-for-shared-ref-type.patch b/patches.suse/btrfs-add-one-more-sanity-check-for-shared-ref-type.patch
new file mode 100644
index 0000000000..d9970fdd51
--- /dev/null
+++ b/patches.suse/btrfs-add-one-more-sanity-check-for-shared-ref-type.patch
@@ -0,0 +1,141 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:24 -0600
+Subject: Btrfs: add one more sanity check for shared ref type
+Git-commit: 64ecdb647ddb83dcff9c8e2a5c40119f171ea004
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+Every shared ref has a parent tree block, which can be get from
+btrfs_extent_inline_ref_offset(). And the tree block must be aligned
+to the nodesize, so we'd know this inline ref is not valid if this
+block's bytenr is not aligned to the nodesize, in which case, most
+likely the ref type has been misused.
+
+This adds the above mentioned check and also updates
+print_extent_item() called by btrfs_print_leaf() to point out the
+invalid ref while printing the tree structure.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/extent-tree.c | 29 +++++++++++++++++++++++++----
+ fs/btrfs/print-tree.c | 27 +++++++++++++++++++++------
+ 2 files changed, 46 insertions(+), 10 deletions(-)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index 51a691532fd8..96e49fd5b888 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -1158,19 +1158,40 @@ int btrfs_get_extent_inline_ref_type(const struct extent_buffer *eb,
+ enum btrfs_inline_ref_type is_data)
+ {
+ int type = btrfs_extent_inline_ref_type(eb, iref);
++ u64 offset = btrfs_extent_inline_ref_offset(eb, iref);
+
+ if (type == BTRFS_TREE_BLOCK_REF_KEY ||
+ type == BTRFS_SHARED_BLOCK_REF_KEY ||
+ type == BTRFS_SHARED_DATA_REF_KEY ||
+ type == BTRFS_EXTENT_DATA_REF_KEY) {
+ if (is_data == BTRFS_REF_TYPE_BLOCK) {
+- if (type == BTRFS_TREE_BLOCK_REF_KEY ||
+- type == BTRFS_SHARED_BLOCK_REF_KEY)
++ if (type == BTRFS_TREE_BLOCK_REF_KEY)
+ return type;
++ if (type == BTRFS_SHARED_BLOCK_REF_KEY) {
++ ASSERT(eb->fs_info);
++ /*
++ * Every shared one has parent tree
++ * block, which must be aligned to
++ * nodesize.
++ */
++ if (offset &&
++ IS_ALIGNED(offset, eb->fs_info->nodesize))
++ return type;
++ }
+ } else if (is_data == BTRFS_REF_TYPE_DATA) {
+- if (type == BTRFS_EXTENT_DATA_REF_KEY ||
+- type == BTRFS_SHARED_DATA_REF_KEY)
++ if (type == BTRFS_EXTENT_DATA_REF_KEY)
+ return type;
++ if (type == BTRFS_SHARED_DATA_REF_KEY) {
++ ASSERT(eb->fs_info);
++ /*
++ * Every shared one has parent tree
++ * block, which must be aligned to
++ * nodesize.
++ */
++ if (offset &&
++ IS_ALIGNED(offset, eb->fs_info->nodesize))
++ return type;
++ }
+ } else {
+ ASSERT(is_data == BTRFS_REF_TYPE_ANY);
+ return type;
+diff --git a/fs/btrfs/print-tree.c b/fs/btrfs/print-tree.c
+index c1acbdcb476c..569205e651c7 100644
+--- a/fs/btrfs/print-tree.c
++++ b/fs/btrfs/print-tree.c
+@@ -44,7 +44,7 @@ static void print_dev_item(struct extent_buffer *eb,
+ static void print_extent_data_ref(struct extent_buffer *eb,
+ struct btrfs_extent_data_ref *ref)
+ {
+- pr_info("\t\textent data backref root %llu objectid %llu offset %llu count %u\n",
++ pr_cont("extent data backref root %llu objectid %llu offset %llu count %u\n",
+ btrfs_extent_data_ref_root(eb, ref),
+ btrfs_extent_data_ref_objectid(eb, ref),
+ btrfs_extent_data_ref_offset(eb, ref),
+@@ -63,6 +63,7 @@ static void print_extent_item(struct extent_buffer *eb, int slot, int type)
+ u32 item_size = btrfs_item_size_nr(eb, slot);
+ u64 flags;
+ u64 offset;
++ int ref_index = 0;
+
+ if (item_size < sizeof(*ei)) {
+ #ifdef BTRFS_COMPAT_EXTENT_TREE_V0
+@@ -104,12 +105,20 @@ static void print_extent_item(struct extent_buffer *eb, int slot, int type)
+ iref = (struct btrfs_extent_inline_ref *)ptr;
+ type = btrfs_extent_inline_ref_type(eb, iref);
+ offset = btrfs_extent_inline_ref_offset(eb, iref);
++ pr_info("\t\tref#%d: ", ref_index++);
+ switch (type) {
+ case BTRFS_TREE_BLOCK_REF_KEY:
+- pr_info("\t\ttree block backref root %llu\n", offset);
++ pr_cont("tree block backref root %llu\n", offset);
+ break;
+ case BTRFS_SHARED_BLOCK_REF_KEY:
+- pr_info("\t\tshared block backref parent %llu\n", offset);
++ pr_cont("shared block backref parent %llu\n", offset);
++ /*
++ * offset is supposed to be a tree block which
++ * must be aligned to nodesize.
++ */
++ if (!IS_ALIGNED(offset, eb->fs_info->nodesize))
++ pr_info("\t\t\t(parent %llu is NOT ALIGNED to nodesize %llu)\n",
++ offset, (unsigned long long)eb->fs_info->nodesize);
+ break;
+ case BTRFS_EXTENT_DATA_REF_KEY:
+ dref = (struct btrfs_extent_data_ref *)(&iref->offset);
+@@ -117,12 +126,18 @@ static void print_extent_item(struct extent_buffer *eb, int slot, int type)
+ break;
+ case BTRFS_SHARED_DATA_REF_KEY:
+ sref = (struct btrfs_shared_data_ref *)(iref + 1);
+- pr_info("\t\tshared data backref parent %llu count %u\n",
++ pr_cont("shared data backref parent %llu count %u\n",
+ offset, btrfs_shared_data_ref_count(eb, sref));
++ /*
++ * offset is supposed to be a tree block which
++ * must be aligned to nodesize.
++ */
++ if (!IS_ALIGNED(offset, eb->fs_info->nodesize))
++ pr_info("\t\t\t(parent %llu is NOT ALIGNED to nodesize %llu)\n",
++ offset, (unsigned long long)eb->fs_info->nodesize);
+ break;
+ default:
+- btrfs_err(eb->fs_info,
+- "extent %llu has invalid ref type %d",
++ pr_cont("(extent %llu has INVALID ref type %d)\n",
+ eb->start, type);
+ return;
+ }
+
diff --git a/patches.suse/btrfs-convert-to-use-btrfs_get_extent_inline_ref_type.patch b/patches.suse/btrfs-convert-to-use-btrfs_get_extent_inline_ref_type.patch
new file mode 100644
index 0000000000..48bb420eed
--- /dev/null
+++ b/patches.suse/btrfs-convert-to-use-btrfs_get_extent_inline_ref_type.patch
@@ -0,0 +1,176 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:19 -0600
+Subject: Btrfs: convert to use btrfs_get_extent_inline_ref_type
+Git-commit: 3de28d579edbd35294bf44aee8402c804331bc37
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+Since we have a helper which can do sanity check, this converts all
+btrfs_extent_inline_ref_type to it.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/backref.c | 11 +++++++++--
+ fs/btrfs/extent-tree.c | 36 ++++++++++++++++++++++++++++++------
+ fs/btrfs/relocation.c | 13 +++++++++++--
+ 3 files changed, 50 insertions(+), 10 deletions(-)
+
+diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c
+index 6bae986bfcfb..b517ef1477ea 100644
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -929,7 +929,11 @@ static int add_inline_refs(const struct btrfs_fs_info *fs_info,
+ int type;
+
+ iref = (struct btrfs_extent_inline_ref *)ptr;
+- type = btrfs_extent_inline_ref_type(leaf, iref);
++ type = btrfs_get_extent_inline_ref_type(leaf, iref,
++ BTRFS_REF_TYPE_ANY);
++ if (type == BTRFS_REF_TYPE_INVALID)
++ return -EINVAL;
++
+ offset = btrfs_extent_inline_ref_offset(leaf, iref);
+
+ switch (type) {
+@@ -1776,7 +1780,10 @@ static int get_extent_inline_ref(unsigned long *ptr,
+
+ end = (unsigned long)ei + item_size;
+ *out_eiref = (struct btrfs_extent_inline_ref *)(*ptr);
+- *out_type = btrfs_extent_inline_ref_type(eb, *out_eiref);
++ *out_type = btrfs_get_extent_inline_ref_type(eb, *out_eiref,
++ BTRFS_REF_TYPE_ANY);
++ if (*out_type == BTRFS_REF_TYPE_INVALID)
++ return -EINVAL;
+
+ *ptr += btrfs_extent_inline_ref_size(*out_type);
+ WARN_ON(*ptr > end);
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index 794b06dd824a..51a691532fd8 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -1454,12 +1454,18 @@ static noinline u32 extent_data_ref_count(struct btrfs_path *path,
+ struct btrfs_extent_data_ref *ref1;
+ struct btrfs_shared_data_ref *ref2;
+ u32 num_refs = 0;
++ int type;
+
+ leaf = path->nodes[0];
+ btrfs_item_key_to_cpu(leaf, &key, path->slots[0]);
+ if (iref) {
+- if (btrfs_extent_inline_ref_type(leaf, iref) ==
+- BTRFS_EXTENT_DATA_REF_KEY) {
++ /*
++ * If type is invalid, we should have bailed out earlier than
++ * this call.
++ */
++ type = btrfs_get_extent_inline_ref_type(leaf, iref, BTRFS_REF_TYPE_DATA);
++ ASSERT(type != BTRFS_REF_TYPE_INVALID);
++ if (type == BTRFS_EXTENT_DATA_REF_KEY) {
+ ref1 = (struct btrfs_extent_data_ref *)(&iref->offset);
+ num_refs = btrfs_extent_data_ref_count(leaf, ref1);
+ } else {
+@@ -1620,6 +1626,7 @@ int lookup_inline_extent_backref(struct btrfs_trans_handle *trans,
+ int ret;
+ int err = 0;
+ bool skinny_metadata = btrfs_fs_incompat(fs_info, SKINNY_METADATA);
++ int needed;
+
+ key.objectid = bytenr;
+ key.type = BTRFS_EXTENT_ITEM_KEY;
+@@ -1711,6 +1718,11 @@ int lookup_inline_extent_backref(struct btrfs_trans_handle *trans,
+ BUG_ON(ptr > end);
+ }
+
++ if (owner >= BTRFS_FIRST_FREE_OBJECTID)
++ needed = BTRFS_REF_TYPE_DATA;
++ else
++ needed = BTRFS_REF_TYPE_BLOCK;
++
+ err = -ENOENT;
+ while (1) {
+ if (ptr >= end) {
+@@ -1718,7 +1730,12 @@ int lookup_inline_extent_backref(struct btrfs_trans_handle *trans,
+ break;
+ }
+ iref = (struct btrfs_extent_inline_ref *)ptr;
+- type = btrfs_extent_inline_ref_type(leaf, iref);
++ type = btrfs_get_extent_inline_ref_type(leaf, iref, needed);
++ if (type == BTRFS_REF_TYPE_INVALID) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ if (want < type)
+ break;
+ if (want > type) {
+@@ -1910,7 +1927,12 @@ void update_inline_extent_backref(struct btrfs_fs_info *fs_info,
+ if (extent_op)
+ __run_delayed_extent_op(extent_op, leaf, ei);
+
+- type = btrfs_extent_inline_ref_type(leaf, iref);
++ /*
++ * If type is invalid, we should have bailed out after
++ * lookup_inline_extent_backref().
++ */
++ type = btrfs_get_extent_inline_ref_type(leaf, iref, BTRFS_REF_TYPE_ANY);
++ ASSERT(type != BTRFS_REF_TYPE_INVALID);
+
+ if (type == BTRFS_EXTENT_DATA_REF_KEY) {
+ dref = (struct btrfs_extent_data_ref *)(&iref->offset);
+@@ -3195,6 +3217,7 @@ static noinline int check_committed_ref(struct btrfs_root *root,
+ struct btrfs_extent_item *ei;
+ struct btrfs_key key;
+ u32 item_size;
++ int type;
+ int ret;
+
+ key.objectid = bytenr;
+@@ -3236,8 +3259,9 @@ static noinline int check_committed_ref(struct btrfs_root *root,
+ goto out;
+
+ iref = (struct btrfs_extent_inline_ref *)(ei + 1);
+- if (btrfs_extent_inline_ref_type(leaf, iref) !=
+- BTRFS_EXTENT_DATA_REF_KEY)
++
++ type = btrfs_get_extent_inline_ref_type(leaf, iref, BTRFS_REF_TYPE_DATA);
++ if (type != BTRFS_EXTENT_DATA_REF_KEY)
+ goto out;
+
+ ref = (struct btrfs_extent_data_ref *)(&iref->offset);
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index 1a532bb72eab..96f816aa9ed3 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -799,9 +799,17 @@ struct backref_node *build_backref_tree(struct reloc_control *rc,
+ if (ptr < end) {
+ /* update key for inline back ref */
+ struct btrfs_extent_inline_ref *iref;
++ int type;
+ iref = (struct btrfs_extent_inline_ref *)ptr;
+- key.type = btrfs_extent_inline_ref_type(eb, iref);
++ type = btrfs_get_extent_inline_ref_type(eb, iref,
++ BTRFS_REF_TYPE_BLOCK);
++ if (type == BTRFS_REF_TYPE_INVALID) {
++ err = -EINVAL;
++ goto out;
++ }
++ key.type = type;
+ key.offset = btrfs_extent_inline_ref_offset(eb, iref);
++
+ WARN_ON(key.type != BTRFS_TREE_BLOCK_REF_KEY &&
+ key.type != BTRFS_SHARED_BLOCK_REF_KEY);
+ }
+@@ -3753,7 +3761,8 @@ int add_data_references(struct reloc_control *rc,
+
+ while (ptr < end) {
+ iref = (struct btrfs_extent_inline_ref *)ptr;
+- key.type = btrfs_extent_inline_ref_type(eb, iref);
++ key.type = btrfs_get_extent_inline_ref_type(eb, iref,
++ BTRFS_REF_TYPE_DATA);
+ if (key.type == BTRFS_SHARED_DATA_REF_KEY) {
+ key.offset = btrfs_extent_inline_ref_offset(eb, iref);
+ ret = __add_tree_block(rc, key.offset, blocksize,
+
diff --git a/patches.suse/btrfs-remove-bug-in-add_data_reference.patch b/patches.suse/btrfs-remove-bug-in-add_data_reference.patch
new file mode 100644
index 0000000000..21948a230e
--- /dev/null
+++ b/patches.suse/btrfs-remove-bug-in-add_data_reference.patch
@@ -0,0 +1,35 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:22 -0600
+Subject: Btrfs: remove BUG() in add_data_reference
+Git-commit: b14c55a191263889c379aeee85223bb72501824d
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+Now that we have a helper to report invalid value of extent inline ref
+type, we need to quit gracefully instead of throwing out a kernel panic.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/relocation.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index 96f816aa9ed3..1c086d0667be 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -3772,7 +3772,10 @@ int add_data_references(struct reloc_control *rc,
+ ret = find_data_references(rc, extent_key,
+ eb, dref, blocks);
+ } else {
+- BUG();
++ ret = -EINVAL;
++ btrfs_err(rc->extent_root->fs_info,
++ "extent %llu slot %d has an invalid inline ref type",
++ eb->start, path->slots[0]);
+ }
+ if (ret) {
+ err = ret;
+
diff --git a/patches.suse/btrfs-remove-bug-in-btrfs_extent_inline_ref_size.patch b/patches.suse/btrfs-remove-bug-in-btrfs_extent_inline_ref_size.patch
new file mode 100644
index 0000000000..5e664614b4
--- /dev/null
+++ b/patches.suse/btrfs-remove-bug-in-btrfs_extent_inline_ref_size.patch
@@ -0,0 +1,32 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:20 -0600
+Subject: Btrfs: remove BUG() in btrfs_extent_inline_ref_size
+Git-commit: 4335958de2a43c6790c7f6aa0682aa7189983fa4
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+Now that btrfs_get_extent_inline_ref_type() can report if type is a
+valid one and all callers can gracefully deal with that, we don't need
+to crash here.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/ctree.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index 542db9d0dbcd..b7cfc74c1757 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -1804,7 +1804,6 @@ static inline u32 btrfs_extent_inline_ref_size(int type)
+ if (type == BTRFS_EXTENT_DATA_REF_KEY)
+ return sizeof(struct btrfs_extent_data_ref) +
+ offsetof(struct btrfs_extent_inline_ref, offset);
+- BUG();
+ return 0;
+ }
+
+
diff --git a/patches.suse/btrfs-remove-bug-in-print_extent_item.patch b/patches.suse/btrfs-remove-bug-in-print_extent_item.patch
new file mode 100644
index 0000000000..25e39229ee
--- /dev/null
+++ b/patches.suse/btrfs-remove-bug-in-print_extent_item.patch
@@ -0,0 +1,36 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:21 -0600
+Subject: Btrfs: remove BUG() in print_extent_item
+Git-commit: 07638ea5987e51715b35eb5a9a9e908f18ffabf7
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+btrfs_print_leaf() is used in btrfs_get_extent_inline_ref_type, so
+here we really want to print the invalid value of ref type instead of
+causing a kernel panic.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/print-tree.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/print-tree.c b/fs/btrfs/print-tree.c
+index 6e7a8c40dcd9..c1acbdcb476c 100644
+--- a/fs/btrfs/print-tree.c
++++ b/fs/btrfs/print-tree.c
+@@ -121,7 +121,10 @@ static void print_extent_item(struct extent_buffer *eb, int slot, int type)
+ offset, btrfs_shared_data_ref_count(eb, sref));
+ break;
+ default:
+- BUG();
++ btrfs_err(eb->fs_info,
++ "extent %llu has invalid ref type %d",
++ eb->start, type);
++ return;
+ }
+ ptr += btrfs_extent_inline_ref_size(type);
+ }
+
diff --git a/patches.suse/btrfs-remove-bug_on-in-_add_tree_block.patch b/patches.suse/btrfs-remove-bug_on-in-_add_tree_block.patch
new file mode 100644
index 0000000000..0e045736ec
--- /dev/null
+++ b/patches.suse/btrfs-remove-bug_on-in-_add_tree_block.patch
@@ -0,0 +1,54 @@
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Fri, 18 Aug 2017 15:15:23 -0600
+Subject: Btrfs: remove BUG_ON in __add_tree_block
+Git-commit: cdccee993f2f3466f69a358daec19de744a02f92
+Patch-mainline: v4.14-rc1
+References: bsc#1149325
+
+The BUG_ON() can be triggered when the caller is processing an invalid
+extent inline ref, e.g.
+
+a shared data ref is offered instead of an extent data ref, such that
+it tries to find a non-existent tree block and then btrfs_search_slot
+returns 1 for no such item.
+
+This replaces the BUG_ON() with a WARN() followed by calling
+btrfs_print_leaf() to show more details about what's going on and
+returning -EINVAL to upper callers.
+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
+---
+ fs/btrfs/relocation.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -32,6 +32,7 @@
+ #include "free-space-cache.h"
+ #include "inode-map.h"
+ #include "qgroup.h"
++#include "print-tree.h"
+
+ /*
+ * backref_node, mapping_node and tree_block start with this
+@@ -3485,7 +3486,16 @@ again:
+ goto again;
+ }
+ }
+- BUG_ON(ret);
++ if (ret) {
++ ASSERT(ret == 1);
++ btrfs_print_leaf(fs_info, path->nodes[0]);
++ btrfs_err(fs_info,
++ "tree block extent item (%llu) is not found in extent tree",
++ bytenr);
++ WARN_ON(1);
++ ret = -EINVAL;
++ goto out;
++ }
+
+ ret = add_tree_block(rc, &key, path, blocks);
+ out:
diff --git a/patches.suse/can-peak_usb-force-the-string-buffer-NULL-terminated.patch b/patches.suse/can-peak_usb-force-the-string-buffer-NULL-terminated.patch
new file mode 100644
index 0000000000..64cef6eca3
--- /dev/null
+++ b/patches.suse/can-peak_usb-force-the-string-buffer-NULL-terminated.patch
@@ -0,0 +1,40 @@
+From e787f19373b8a5fa24087800ed78314fd17b984a Mon Sep 17 00:00:00 2001
+From: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Date: Wed, 31 Jul 2019 15:25:59 +0800
+Subject: [PATCH] can: peak_usb: force the string buffer NULL-terminated
+Git-commit: e787f19373b8a5fa24087800ed78314fd17b984a
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+strncpy() does not ensure NULL-termination when the input string size
+equals to the destination buffer size IFNAMSIZ. The output string is
+passed to dev_info() which relies on the NULL-termination.
+
+Use strlcpy() instead.
+
+This issue is identified by a Coccinelle script.
+
+Signed-off-by: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+index 22b9c8e6d040..65dce642b86b 100644
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -855,7 +855,7 @@ static void peak_usb_disconnect(struct usb_interface *intf)
+
+ dev_prev_siblings = dev->prev_siblings;
+ dev->state &= ~PCAN_USB_STATE_CONNECTED;
+- strncpy(name, netdev->name, IFNAMSIZ);
++ strlcpy(name, netdev->name, IFNAMSIZ);
+
+ unregister_netdev(netdev);
+
+--
+2.16.4
+
diff --git a/patches.suse/can-sja1000-force-the-string-buffer-NULL-terminated.patch b/patches.suse/can-sja1000-force-the-string-buffer-NULL-terminated.patch
new file mode 100644
index 0000000000..d184163943
--- /dev/null
+++ b/patches.suse/can-sja1000-force-the-string-buffer-NULL-terminated.patch
@@ -0,0 +1,40 @@
+From cd28aa2e056cd1ea79fc5f24eed0ce868c6cab5c Mon Sep 17 00:00:00 2001
+From: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Date: Wed, 31 Jul 2019 15:31:14 +0800
+Subject: [PATCH] can: sja1000: force the string buffer NULL-terminated
+Git-commit: cd28aa2e056cd1ea79fc5f24eed0ce868c6cab5c
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+strncpy() does not ensure NULL-termination when the input string size
+equals to the destination buffer size IFNAMSIZ. The output string
+'name' is passed to dev_info which relies on NULL-termination.
+
+Use strlcpy() instead.
+
+This issue is identified by a Coccinelle script.
+
+Signed-off-by: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/can/sja1000/peak_pcmcia.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/sja1000/peak_pcmcia.c b/drivers/net/can/sja1000/peak_pcmcia.c
+index 185c7f7d38a4..5e0d5e8101c8 100644
+--- a/drivers/net/can/sja1000/peak_pcmcia.c
++++ b/drivers/net/can/sja1000/peak_pcmcia.c
+@@ -479,7 +479,7 @@ static void pcan_free_channels(struct pcan_pccard *card)
+ if (!netdev)
+ continue;
+
+- strncpy(name, netdev->name, IFNAMSIZ);
++ strlcpy(name, netdev->name, IFNAMSIZ);
+
+ unregister_sja1000dev(netdev);
+
+--
+2.16.4
+
diff --git a/patches.suse/ceph-add-btime-field-to-ceph_inode_info.patch b/patches.suse/ceph-add-btime-field-to-ceph_inode_info.patch
new file mode 100644
index 0000000000..f68b7ddf2d
--- /dev/null
+++ b/patches.suse/ceph-add-btime-field-to-ceph_inode_info.patch
@@ -0,0 +1,104 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Wed, 29 May 2019 11:19:42 -0400
+Subject: ceph: add btime field to ceph_inode_info
+Git-commit: 245ce991cca55eb16cfc43d1655574121b8ed85f
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1136682
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+[luis: s/timespec64/timespec]
+---
+ fs/ceph/inode.c | 3 +++
+ fs/ceph/mds_client.c | 21 +++++++++++++--------
+ fs/ceph/mds_client.h | 1 +
+ fs/ceph/super.h | 1 +
+ 4 files changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
+index b2988e9f8e15..909f13d4d664 100644
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -513,6 +513,8 @@ struct inode *ceph_alloc_inode(struct su
+
+ INIT_WORK(&ci->i_vmtruncate_work, ceph_vmtruncate_work);
+
++ memset(&ci->i_btime, '\0', sizeof(ci->i_btime));
++
+ ceph_fscache_inode_init(ci);
+
+ return &ci->vfs_inode;
+@@ -811,6 +813,7 @@ static int fill_inode(struct inode *inod
+ dout("%p mode 0%o uid.gid %d.%d\n", inode, inode->i_mode,
+ from_kuid(&init_user_ns, inode->i_uid),
+ from_kgid(&init_user_ns, inode->i_gid));
++ ceph_decode_timespec(&ci->i_btime, &iinfo->btime);
+ ceph_decode_timespec(&ci->i_snap_btime, &iinfo->snap_btime);
+ }
+
+diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
+index 598a3fa280a7..636d3df47df6 100644
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -143,14 +143,13 @@ static int parse_reply_info_in(void **p,
+ info->pool_ns_data = *p;
+ *p += info->pool_ns_len;
+ }
+- /* btime, change_attr */
+- {
+- struct ceph_timespec btime;
+- u64 change_attr;
+- ceph_decode_need(p, end, sizeof(btime), bad);
+- ceph_decode_copy(p, &btime, sizeof(btime));
+- ceph_decode_64_safe(p, end, change_attr, bad);
+- }
++
++ /* btime */
++ ceph_decode_need(p, end, sizeof(info->btime), bad);
++ ceph_decode_copy(p, &info->btime, sizeof(info->btime));
++
++ /* change attribute */
++ ceph_decode_skip_64(p, end, bad);
+
+ /* dir pin */
+ if (struct_v >= 2) {
+@@ -199,6 +198,12 @@ static int parse_reply_info_in(void **p,
+ }
+ }
+
++ if (features & CEPH_FEATURE_FS_BTIME) {
++ ceph_decode_need(p, end, sizeof(info->btime), bad);
++ ceph_decode_copy(p, &info->btime, sizeof(info->btime));
++ ceph_decode_skip_64(p, end, bad);
++ }
++
+ info->dir_pin = -ENODATA;
+ /* info->snap_btime remains zero */
+ }
+diff --git a/fs/ceph/mds_client.h b/fs/ceph/mds_client.h
+index 330769ecb601..da2f53646217 100644
+--- a/fs/ceph/mds_client.h
++++ b/fs/ceph/mds_client.h
+@@ -66,6 +66,7 @@ struct ceph_mds_reply_info_in {
+ u64 max_bytes;
+ u64 max_files;
+ s32 dir_pin;
++ struct ceph_timespec btime;
+ struct ceph_timespec snap_btime;
+ };
+
+diff --git a/fs/ceph/super.h b/fs/ceph/super.h
+index 81bbb197fc3c..859d1f3a0d4a 100644
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -372,6 +372,7 @@ struct ceph_inode_info {
+ int i_snap_realm_counter; /* snap realm (if caps) */
+ struct list_head i_snap_realm_item;
+ struct list_head i_snap_flush_item;
++ struct timespec i_btime;
+ struct timespec i_snap_btime;
+
+ struct work_struct i_wb_work; /* writeback work */
+
diff --git a/patches.suse/ceph-add-ceph-snap-btime-vxattr.patch b/patches.suse/ceph-add-ceph-snap-btime-vxattr.patch
new file mode 100644
index 0000000000..10816fbc44
--- /dev/null
+++ b/patches.suse/ceph-add-ceph-snap-btime-vxattr.patch
@@ -0,0 +1,76 @@
+From: David Disseldorp <ddiss@suse.de>
+Date: Thu, 18 Apr 2019 14:15:47 +0200
+Subject: ceph: add ceph.snap.btime vxattr
+Git-commit: 100cc610a550affcbef13d74855f736b92caa947
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1148570
+
+The ceph.snap.btime virtual xattr provides the snapshot creation (birth)
+time in $secs.$nsecs format.
+
+Link: https://tracker.ceph.com/issues/38838
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+[luis: modified snprintf format specifier %lld to %ld since i_snap_btime
+ has been changed to a struct timespec, instead of timespec64. This is
+ because we're not carrying commit 473bd2d780d1 ("libceph: use timespec64
+ in for keepalive2 and ticket validity").]
+---
+ fs/ceph/xattr.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
+index 2cbb9c239183..5d8a6f7c5869 100644
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -272,6 +272,19 @@ static size_t ceph_vxattrcb_quota_max_fi
+ return snprintf(val, size, "%llu", ci->i_max_files);
+ }
+
++/* snapshots */
++static bool ceph_vxattrcb_snap_btime_exists(struct ceph_inode_info *ci)
++{
++ return (ci->i_snap_btime.tv_sec != 0 || ci->i_snap_btime.tv_nsec != 0);
++}
++
++static size_t ceph_vxattrcb_snap_btime(struct ceph_inode_info *ci, char *val,
++ size_t size)
++{
++ return snprintf(val, size, "%ld.%09ld", ci->i_snap_btime.tv_sec,
++ ci->i_snap_btime.tv_nsec);
++}
++
+ #define CEPH_XATTR_NAME(_type, _name) XATTR_CEPH_PREFIX #_type "." #_name
+ #define CEPH_XATTR_NAME2(_type, _name, _name2) \
+ XATTR_CEPH_PREFIX #_type "." #_name "." #_name2
+@@ -340,6 +353,13 @@ static struct ceph_vxattr ceph_dir_vxatt
+ },
+ XATTR_QUOTA_FIELD(quota, max_bytes),
+ XATTR_QUOTA_FIELD(quota, max_files),
++ {
++ .name = "ceph.snap.btime",
++ .name_size = sizeof("ceph.snap.btime"),
++ .getxattr_cb = ceph_vxattrcb_snap_btime,
++ .exists_cb = ceph_vxattrcb_snap_btime_exists,
++ .flags = VXATTR_FLAG_READONLY,
++ },
+ { .name = NULL, 0 } /* Required table terminator */
+ };
+ static size_t ceph_dir_vxattrs_name_size; /* total size of all names */
+@@ -359,6 +379,13 @@ static struct ceph_vxattr ceph_file_vxat
+ XATTR_LAYOUT_FIELD(file, layout, object_size),
+ XATTR_LAYOUT_FIELD(file, layout, pool),
+ XATTR_LAYOUT_FIELD(file, layout, pool_namespace),
++ {
++ .name = "ceph.snap.btime",
++ .name_size = sizeof("ceph.snap.btime"),
++ .getxattr_cb = ceph_vxattrcb_snap_btime,
++ .exists_cb = ceph_vxattrcb_snap_btime_exists,
++ .flags = VXATTR_FLAG_READONLY,
++ },
+ { .name = NULL, 0 } /* Required table terminator */
+ };
+ static size_t ceph_file_vxattrs_name_size; /* total size of all names */
+
diff --git a/patches.suse/ceph-add-change_attr-field-to-ceph_inode_info.patch b/patches.suse/ceph-add-change_attr-field-to-ceph_inode_info.patch
new file mode 100644
index 0000000000..a71699cb2e
--- /dev/null
+++ b/patches.suse/ceph-add-change_attr-field-to-ceph_inode_info.patch
@@ -0,0 +1,83 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Thu, 6 Jun 2019 07:29:23 -0400
+Subject: ceph: add change_attr field to ceph_inode_info
+Git-commit: a35ead314e0b9252a92a5e179a00b242d1af7bff
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1136682
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+
+---
+ fs/ceph/inode.c | 5 +++++
+ fs/ceph/mds_client.c | 4 ++--
+ fs/ceph/mds_client.h | 1 +
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
+index a13b627270f3..2c49eb831c6f 100644
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -13,6 +13,7 @@
+ #include <linux/posix_acl.h>
+ #include <linux/random.h>
+ #include <linux/sort.h>
++#include <linux/iversion.h>
+
+ #include "super.h"
+ #include "mds_client.h"
+@@ -42,6 +43,7 @@ static int ceph_set_ino_cb(struct inode *inode, void *data)
+ {
+ ceph_inode(inode)->i_vino = *(struct ceph_vino *)data;
+ inode->i_ino = ceph_vino_to_ino(*(struct ceph_vino *)data);
++ inode_set_iversion_raw(inode, 0);
+ return 0;
+ }
+
+@@ -796,6 +798,9 @@ static int fill_inode(struct inode *inode, struct page *locked_page,
+ le64_to_cpu(info->version) > (ci->i_version & ~1)))
+ new_version = true;
+
++ /* Update change_attribute */
++ inode_set_max_iversion_raw(inode, iinfo->change_attr);
++
+ __ceph_caps_issued(ci, &issued);
+ issued |= __ceph_caps_dirty(ci);
+ new_issued = ~issued & info_caps;
+diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
+index 636d3df47df6..920e9f048bd8 100644
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -156,7 +156,7 @@ static int parse_reply_info_in(void **p, void *end,
+ ceph_decode_copy(p, &info->btime, sizeof(info->btime));
+
+ /* change attribute */
+- ceph_decode_skip_64(p, end, bad);
++ ceph_decode_64_safe(p, end, info->change_attr, bad);
+
+ /* dir pin */
+ if (struct_v >= 2) {
+@@ -208,7 +208,7 @@ static int parse_reply_info_in(void **p, void *end,
+ if (features & CEPH_FEATURE_FS_BTIME) {
+ ceph_decode_need(p, end, sizeof(info->btime), bad);
+ ceph_decode_copy(p, &info->btime, sizeof(info->btime));
+- ceph_decode_skip_64(p, end, bad);
++ ceph_decode_64_safe(p, end, info->change_attr, bad);
+ }
+
+ info->dir_pin = -ENODATA;
+diff --git a/fs/ceph/mds_client.h b/fs/ceph/mds_client.h
+index da2f53646217..f7c8603484fe 100644
+--- a/fs/ceph/mds_client.h
++++ b/fs/ceph/mds_client.h
+@@ -71,6 +71,7 @@ struct ceph_mds_reply_info_in {
+ s32 dir_pin;
+ struct ceph_timespec btime;
+ struct ceph_timespec snap_btime;
++ u64 change_attr;
+ };
+
+ struct ceph_mds_reply_dir_entry {
+
diff --git a/patches.suse/ceph-carry-snapshot-creation-time-with-inodes.patch b/patches.suse/ceph-carry-snapshot-creation-time-with-inodes.patch
new file mode 100644
index 0000000000..5fbed6b4b7
--- /dev/null
+++ b/patches.suse/ceph-carry-snapshot-creation-time-with-inodes.patch
@@ -0,0 +1,89 @@
+From: David Disseldorp <ddiss@suse.de>
+Date: Thu, 18 Apr 2019 14:15:46 +0200
+Subject: ceph: carry snapshot creation time with inodes
+Git-commit: 193e7b37628e97c6e66ec26a2c062dace68b4acd
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1148570
+
+MDS InodeStat v3 wire structures include a trailing snapshot creation
+time member. Unmarshall this and retain it for a future vxattr.
+
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+[luis: replaced all occurrences of timespec64 by timespec, including the
+ ceph_inode_info field i_snap_btime. This is because we're not carrying
+ commit 473bd2d780d1 ("libceph: use timespec64 in for keepalive2 and
+ticket validity").]
+---
+ fs/ceph/inode.c | 1 +
+ fs/ceph/mds_client.c | 10 ++++++++++
+ fs/ceph/mds_client.h | 1 +
+ fs/ceph/super.h | 1 +
+ 4 files changed, 13 insertions(+)
+
+diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
+index 761451f36e2d..eb35d47d4e2e 100644
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -811,6 +811,7 @@ static int fill_inode(struct inode *inod
+ dout("%p mode 0%o uid.gid %d.%d\n", inode, inode->i_mode,
+ from_kuid(&init_user_ns, inode->i_uid),
+ from_kgid(&init_user_ns, inode->i_gid));
++ ceph_decode_timespec(&ci->i_snap_btime, &iinfo->snap_btime);
+ }
+
+ if ((new_version || (new_issued & CEPH_CAP_LINK_SHARED)) &&
+diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
+index c8a9b89b922d..0b78507eccb0 100644
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -159,6 +159,15 @@ static int parse_reply_info_in(void **p,
+ info->dir_pin = -ENODATA;
+ }
+
++ /* snapshot birth time, remains zero for v<=2 */
++ if (struct_v >= 3) {
++ ceph_decode_need(p, end, sizeof(info->snap_btime), bad);
++ ceph_decode_copy(p, &info->snap_btime,
++ sizeof(info->snap_btime));
++ } else {
++ memset(&info->snap_btime, 0, sizeof(info->snap_btime));
++ }
++
+ *p = end;
+ } else {
+ if (features & CEPH_FEATURE_MDS_INLINE_DATA) {
+@@ -191,6 +200,7 @@ static int parse_reply_info_in(void **p,
+ }
+
+ info->dir_pin = -ENODATA;
++ /* info->snap_btime remains zero */
+ }
+ return 0;
+ bad:
+diff --git a/fs/ceph/mds_client.h b/fs/ceph/mds_client.h
+index a83f28bc2387..9c28b86abcf4 100644
+--- a/fs/ceph/mds_client.h
++++ b/fs/ceph/mds_client.h
+@@ -66,6 +66,7 @@ struct ceph_mds_reply_info_in {
+ u64 max_bytes;
+ u64 max_files;
+ s32 dir_pin;
++ struct ceph_timespec snap_btime;
+ };
+
+ struct ceph_mds_reply_dir_entry {
+diff --git a/fs/ceph/super.h b/fs/ceph/super.h
+index 5f27e1f7f2d6..1de6b1f4f094 100644
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -372,6 +372,7 @@ struct ceph_inode_info {
+ int i_snap_realm_counter; /* snap realm (if caps) */
+ struct list_head i_snap_realm_item;
+ struct list_head i_snap_flush_item;
++ struct timespec i_snap_btime;
+
+ struct work_struct i_wb_work; /* writeback work */
+ struct work_struct i_pg_inv_work; /* page invalidation work */
diff --git a/patches.suse/ceph-clear-page-dirty-before-invalidate-page.patch b/patches.suse/ceph-clear-page-dirty-before-invalidate-page.patch
new file mode 100644
index 0000000000..9e41a5267b
--- /dev/null
+++ b/patches.suse/ceph-clear-page-dirty-before-invalidate-page.patch
@@ -0,0 +1,38 @@
+From: Erqi Chen <chenerqi@gmail.com>
+Date: Wed, 24 Jul 2019 10:26:09 +0800
+Subject: ceph: clear page dirty before invalidate page
+Git-commit: c95f1c5f436badb9bb87e9b30fd573f6b3d59423
+Patch-mainline: v5.3-rc6
+References: bsc#1148133
+
+clear_page_dirty_for_io(page) before mapping->a_ops->invalidatepage().
+invalidatepage() clears page's private flag, if dirty flag is not
+cleared, the page may cause BUG_ON failure in ceph_set_page_dirty().
+
+Cc: stable@vger.kernel.org
+Link: https://tracker.ceph.com/issues/40862
+Signed-off-by: Erqi Chen <chenerqi@gmail.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ fs/ceph/addr.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c
+index e078cc55b989..b3c8b886bf64 100644
+--- a/fs/ceph/addr.c
++++ b/fs/ceph/addr.c
+@@ -913,8 +913,9 @@ static int ceph_writepages_start(struct address_space *mapping,
+ if (page_offset(page) >= ceph_wbc.i_size) {
+ dout("%p page eof %llu\n",
+ page, ceph_wbc.i_size);
+- if (ceph_wbc.size_stable ||
+- page_offset(page) >= i_size_read(inode))
++ if ((ceph_wbc.size_stable ||
++ page_offset(page) >= i_size_read(inode)) &&
++ clear_page_dirty_for_io(page))
+ mapping->a_ops->invalidatepage(page,
+ 0, PAGE_SIZE);
+ unlock_page(page);
+
diff --git a/patches.suse/ceph-don-t-blindly-unregister-session-that-is-in-opening-state.patch b/patches.suse/ceph-don-t-blindly-unregister-session-that-is-in-opening-state.patch
new file mode 100644
index 0000000000..baab50a096
--- /dev/null
+++ b/patches.suse/ceph-don-t-blindly-unregister-session-that-is-in-opening-state.patch
@@ -0,0 +1,96 @@
+From: "Yan, Zheng" <zyan@redhat.com>
+Date: Mon, 10 Jun 2019 15:45:09 +0800
+Subject: ceph: don't blindly unregister session that is in opening state
+Git-commit: 6f0f597b5debc7c2356fa6a17e2f179066e340d0
+Patch-mainline: v5.3-rc1
+References: bsc#1148133
+
+handle_cap_export() may add placeholder caps to session that is in
+opening state. These caps' session pointer become wild after session get
+unregistered.
+
+The fix is not to unregister session in opening state during mds failovers,
+just let client to reconnect later when mds is recovered.
+
+Link: https://tracker.ceph.com/issues/40190
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ fs/ceph/mds_client.c | 59 +++++++++++++++++++++++-----------------------------
+ 1 file changed, 26 insertions(+), 33 deletions(-)
+
+diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
+index 709ac3bde86e..fcea46a54622 100644
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -3737,42 +3737,35 @@ static void check_new_map(struct ceph_mds_client *mdsc,
+ ceph_mdsmap_is_laggy(newmap, i) ? " (laggy)" : "",
+ ceph_session_state_name(s->s_state));
+
+- if (i >= newmap->m_num_mds ||
+- memcmp(ceph_mdsmap_get_addr(oldmap, i),
+- ceph_mdsmap_get_addr(newmap, i),
+- sizeof(struct ceph_entity_addr))) {
+- if (s->s_state == CEPH_MDS_SESSION_OPENING) {
+- /* the session never opened, just close it
+- * out now */
+- get_session(s);
+- __unregister_session(mdsc, s);
+- __wake_requests(mdsc, &s->s_waiting);
+- ceph_put_mds_session(s);
+- } else if (i >= newmap->m_num_mds) {
+- /* force close session for stopped mds */
+- get_session(s);
+- __unregister_session(mdsc, s);
+- __wake_requests(mdsc, &s->s_waiting);
+- kick_requests(mdsc, i);
+- mutex_unlock(&mdsc->mutex);
++ if (i >= newmap->m_num_mds) {
++ /* force close session for stopped mds */
++ get_session(s);
++ __unregister_session(mdsc, s);
++ __wake_requests(mdsc, &s->s_waiting);
++ mutex_unlock(&mdsc->mutex);
+
+- mutex_lock(&s->s_mutex);
+- cleanup_session_requests(mdsc, s);
+- remove_session_caps(s);
+- mutex_unlock(&s->s_mutex);
++ mutex_lock(&s->s_mutex);
++ cleanup_session_requests(mdsc, s);
++ remove_session_caps(s);
++ mutex_unlock(&s->s_mutex);
+
+- ceph_put_mds_session(s);
++ ceph_put_mds_session(s);
+
+- mutex_lock(&mdsc->mutex);
+- } else {
+- /* just close it */
+- mutex_unlock(&mdsc->mutex);
+- mutex_lock(&s->s_mutex);
+- mutex_lock(&mdsc->mutex);
+- ceph_con_close(&s->s_con);
+- mutex_unlock(&s->s_mutex);
+- s->s_state = CEPH_MDS_SESSION_RESTARTING;
+- }
++ mutex_lock(&mdsc->mutex);
++ kick_requests(mdsc, i);
++ continue;
++ }
++
++ if (memcmp(ceph_mdsmap_get_addr(oldmap, i),
++ ceph_mdsmap_get_addr(newmap, i),
++ sizeof(struct ceph_entity_addr))) {
++ /* just close it */
++ mutex_unlock(&mdsc->mutex);
++ mutex_lock(&s->s_mutex);
++ mutex_lock(&mdsc->mutex);
++ ceph_con_close(&s->s_con);
++ mutex_unlock(&s->s_mutex);
++ s->s_state = CEPH_MDS_SESSION_RESTARTING;
+ } else if (oldstate == newstate) {
+ continue; /* nothing new with this mds */
+ }
+
diff --git a/patches.suse/ceph-don-t-try-fill-file_lock-on-unsuccessful-getfilelock-reply.patch b/patches.suse/ceph-don-t-try-fill-file_lock-on-unsuccessful-getfilelock-reply.patch
new file mode 100644
index 0000000000..ccf9af3713
--- /dev/null
+++ b/patches.suse/ceph-don-t-try-fill-file_lock-on-unsuccessful-getfilelock-reply.patch
@@ -0,0 +1,36 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Thu, 15 Aug 2019 06:23:38 -0400
+Subject: ceph: don't try fill file_lock on unsuccessful GETFILELOCK reply
+Git-commit: 28a282616f56990547b9dcd5c6fbd2001344664c
+Patch-mainline: v5.3-rc6
+References: bsc#1148133
+
+When ceph_mdsc_do_request returns an error, we can't assume that the
+filelock_reply pointer will be set. Only try to fetch fields out of
+the r_reply_info when it returns success.
+
+Cc: stable@vger.kernel.org
+Reported-by: Hector Martin <hector@marcansoft.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ fs/ceph/locks.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/ceph/locks.c b/fs/ceph/locks.c
+index ac9b53b89365..5083e238ad15 100644
+--- a/fs/ceph/locks.c
++++ b/fs/ceph/locks.c
+@@ -110,8 +110,7 @@ static int ceph_lock_message(u8 lock_typ
+ req->r_wait_for_completion = ceph_lock_wait_for_completion;
+
+ err = ceph_mdsc_do_request(mdsc, inode, req);
+-
+- if (operation == CEPH_MDS_OP_GETFILELOCK) {
++ if (!err && operation == CEPH_MDS_OP_GETFILELOCK) {
+ fl->fl_pid = le64_to_cpu(req->r_reply_info.filelock_reply->pid);
+ if (CEPH_LOCK_SHARED == req->r_reply_info.filelock_reply->type)
+ fl->fl_type = F_RDLCK;
+
diff --git a/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_build_xattrs_blob.patch b/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_build_xattrs_blob.patch
new file mode 100644
index 0000000000..6398b525b4
--- /dev/null
+++ b/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_build_xattrs_blob.patch
@@ -0,0 +1,157 @@
+From: Luis Henriques <lhenriques@suse.com>
+Date: Fri, 19 Jul 2019 15:32:21 +0100
+Subject: ceph: fix buffer free while holding i_ceph_lock in
+ __ceph_build_xattrs_blob()
+Git-commit: 12fe3dda7ed89c95cc0ef7abc001ad1ad3e092f8
+Patch-mainline: v5.3-rc6
+References: bsc#1148133
+
+Calling ceph_buffer_put() in __ceph_build_xattrs_blob() may result in
+freeing the i_xattrs.blob buffer while holding the i_ceph_lock. This can
+be fixed by having this function returning the old blob buffer and have
+the callers of this function freeing it when the lock is released.
+
+The following backtrace was triggered by fstests generic/117.
+
+ BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
+ in_atomic(): 1, irqs_disabled(): 0, pid: 649, name: fsstress
+ 4 locks held by fsstress/649:
+ #0: 00000000a7478e7e (&type->s_umount_key#19){++++}, at: iterate_supers+0x77/0xf0
+ #1: 00000000f8de1423 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: ceph_check_caps+0x7b/0xc60
+ #2: 00000000562f2b27 (&s->s_mutex){+.+.}, at: ceph_check_caps+0x3bd/0xc60
+ #3: 00000000f83ce16a (&mdsc->snap_rwsem){++++}, at: ceph_check_caps+0x3ed/0xc60
+ CPU: 1 PID: 649 Comm: fsstress Not tainted 5.2.0+ #439
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
+ Call Trace:
+ dump_stack+0x67/0x90
+ ___might_sleep.cold+0x9f/0xb1
+ vfree+0x4b/0x60
+ ceph_buffer_release+0x1b/0x60
+ __ceph_build_xattrs_blob+0x12b/0x170
+ __send_cap+0x302/0x540
+ ? __lock_acquire+0x23c/0x1e40
+ ? __mark_caps_flushing+0x15c/0x280
+ ? _raw_spin_unlock+0x24/0x30
+ ceph_check_caps+0x5f0/0xc60
+ ceph_flush_dirty_caps+0x7c/0x150
+ ? __ia32_sys_fdatasync+0x20/0x20
+ ceph_sync_fs+0x5a/0x130
+ iterate_supers+0x8f/0xf0
+ ksys_sync+0x4f/0xb0
+ __ia32_sys_sync+0xa/0x10
+ do_syscall_64+0x50/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7fc6409ab617
+
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+---
+ fs/ceph/caps.c | 5 ++++-
+ fs/ceph/snap.c | 4 +++-
+ fs/ceph/super.h | 2 +-
+ fs/ceph/xattr.c | 11 ++++++++---
+ 4 files changed, 16 insertions(+), 6 deletions(-)
+
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -1290,6 +1290,7 @@ static int __send_cap(struct ceph_mds_cl
+ {
+ struct ceph_inode_info *ci = cap->ci;
+ struct inode *inode = &ci->vfs_inode;
++ struct ceph_buffer *old_blob = NULL;
+ struct cap_msg_args arg;
+ int held, revoking;
+ int wake = 0;
+@@ -1354,7 +1355,7 @@ static int __send_cap(struct ceph_mds_cl
+ ci->i_requested_max_size = arg.max_size;
+
+ if (flushing & CEPH_CAP_XATTR_EXCL) {
+- __ceph_build_xattrs_blob(ci);
++ old_blob = __ceph_build_xattrs_blob(ci);
+ arg.xattr_version = ci->i_xattrs.version;
+ arg.xattr_buf = ci->i_xattrs.blob;
+ } else {
+@@ -1389,6 +1390,8 @@ static int __send_cap(struct ceph_mds_cl
+
+ spin_unlock(&ci->i_ceph_lock);
+
++ ceph_buffer_put(old_blob);
++
+ ret = send_cap_msg(&arg);
+ if (ret < 0) {
+ dout("error sending cap msg, must requeue %p\n", inode);
+--- a/fs/ceph/snap.c
++++ b/fs/ceph/snap.c
+@@ -459,6 +459,7 @@ void ceph_queue_cap_snap(struct ceph_ino
+ struct inode *inode = &ci->vfs_inode;
+ struct ceph_cap_snap *capsnap;
+ struct ceph_snap_context *old_snapc, *new_snapc;
++ struct ceph_buffer *old_blob = NULL;
+ int used, dirty;
+
+ capsnap = kzalloc(sizeof(*capsnap), GFP_NOFS);
+@@ -535,7 +536,7 @@ void ceph_queue_cap_snap(struct ceph_ino
+ capsnap->gid = inode->i_gid;
+
+ if (dirty & CEPH_CAP_XATTR_EXCL) {
+- __ceph_build_xattrs_blob(ci);
++ old_blob = __ceph_build_xattrs_blob(ci);
+ capsnap->xattr_blob =
+ ceph_buffer_get(ci->i_xattrs.blob);
+ capsnap->xattr_version = ci->i_xattrs.version;
+@@ -578,6 +579,7 @@ update_snapc:
+ }
+ spin_unlock(&ci->i_ceph_lock);
+
++ ceph_buffer_put(old_blob);
+ kfree(capsnap);
+ ceph_put_snap_context(old_snapc);
+ }
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -895,7 +895,7 @@ extern int ceph_getattr(const struct pat
+ int __ceph_setxattr(struct inode *, const char *, const void *, size_t, int);
+ ssize_t __ceph_getxattr(struct inode *, const char *, void *, size_t);
+ extern ssize_t ceph_listxattr(struct dentry *, char *, size_t);
+-extern void __ceph_build_xattrs_blob(struct ceph_inode_info *ci);
++extern struct ceph_buffer *__ceph_build_xattrs_blob(struct ceph_inode_info *ci);
+ extern void __ceph_destroy_xattrs(struct ceph_inode_info *ci);
+ extern const struct xattr_handler *ceph_xattr_handlers[];
+
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -754,12 +754,15 @@ static int __get_required_blob_size(stru
+
+ /*
+ * If there are dirty xattrs, reencode xattrs into the prealloc_blob
+- * and swap into place.
++ * and swap into place. It returns the old i_xattrs.blob (or NULL) so
++ * that it can be freed by the caller as the i_ceph_lock is likely to be
++ * held.
+ */
+-void __ceph_build_xattrs_blob(struct ceph_inode_info *ci)
++struct ceph_buffer *__ceph_build_xattrs_blob(struct ceph_inode_info *ci)
+ {
+ struct rb_node *p;
+ struct ceph_inode_xattr *xattr = NULL;
++ struct ceph_buffer *old_blob = NULL;
+ void *dest;
+
+ dout("__build_xattrs_blob %p\n", &ci->vfs_inode);
+@@ -790,12 +793,14 @@ void __ceph_build_xattrs_blob(struct cep
+ dest - ci->i_xattrs.prealloc_blob->vec.iov_base;
+
+ if (ci->i_xattrs.blob)
+- ceph_buffer_put(ci->i_xattrs.blob);
++ old_blob = ci->i_xattrs.blob;
+ ci->i_xattrs.blob = ci->i_xattrs.prealloc_blob;
+ ci->i_xattrs.prealloc_blob = NULL;
+ ci->i_xattrs.dirty = false;
+ ci->i_xattrs.version++;
+ }
++
++ return old_blob;
+ }
+
+ static inline int __get_request_mask(struct inode *in) {
diff --git a/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_setxattr.patch b/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_setxattr.patch
new file mode 100644
index 0000000000..ce9b3ed848
--- /dev/null
+++ b/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_setxattr.patch
@@ -0,0 +1,88 @@
+From: Luis Henriques <lhenriques@suse.com>
+Date: Fri, 19 Jul 2019 15:32:20 +0100
+Subject: ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr()
+Git-commit: 86968ef21596515958d5f0a40233d02be78ecec0
+Patch-mainline: v5.3-rc6
+References: bsc#1148133
+
+Calling ceph_buffer_put() in __ceph_setxattr() may end up freeing the
+i_xattrs.prealloc_blob buffer while holding the i_ceph_lock. This can be
+fixed by postponing the call until later, when the lock is released.
+
+The following backtrace was triggered by fstests generic/117.
+
+ BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
+ in_atomic(): 1, irqs_disabled(): 0, pid: 650, name: fsstress
+ 3 locks held by fsstress/650:
+ #0: 00000000870a0fe8 (sb_writers#8){.+.+}, at: mnt_want_write+0x20/0x50
+ #1: 00000000ba0c4c74 (&type->i_mutex_dir_key#6){++++}, at: vfs_setxattr+0x55/0xa0
+ #2: 000000008dfbb3f2 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: __ceph_setxattr+0x297/0x810
+ CPU: 1 PID: 650 Comm: fsstress Not tainted 5.2.0+ #437
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
+ Call Trace:
+ dump_stack+0x67/0x90
+ ___might_sleep.cold+0x9f/0xb1
+ vfree+0x4b/0x60
+ ceph_buffer_release+0x1b/0x60
+ __ceph_setxattr+0x2b4/0x810
+ __vfs_setxattr+0x66/0x80
+ __vfs_setxattr_noperm+0x59/0xf0
+ vfs_setxattr+0x81/0xa0
+ setxattr+0x115/0x230
+ ? filename_lookup+0xc9/0x140
+ ? rcu_read_lock_sched_held+0x74/0x80
+ ? rcu_sync_lockdep_assert+0x2e/0x60
+ ? __sb_start_write+0x142/0x1a0
+ ? mnt_want_write+0x20/0x50
+ path_setxattr+0xba/0xd0
+ __x64_sys_lsetxattr+0x24/0x30
+ do_syscall_64+0x50/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7ff23514359a
+
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+---
+ fs/ceph/xattr.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
+index 37b458a9af3a..c083557b3657 100644
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -1036,6 +1036,7 @@ int __ceph_setxattr(struct inode *inode, const char *name,
+ struct ceph_inode_info *ci = ceph_inode(inode);
+ struct ceph_mds_client *mdsc = ceph_sb_to_client(inode->i_sb)->mdsc;
+ struct ceph_cap_flush *prealloc_cf = NULL;
++ struct ceph_buffer *old_blob = NULL;
+ int issued;
+ int err;
+ int dirty = 0;
+@@ -1109,13 +1110,15 @@ int __ceph_setxattr(struct inode *inode, const char *name,
+ struct ceph_buffer *blob;
+
+ spin_unlock(&ci->i_ceph_lock);
+- dout(" preaallocating new blob size=%d\n", required_blob_size);
++ ceph_buffer_put(old_blob); /* Shouldn't be required */
++ dout(" pre-allocating new blob size=%d\n", required_blob_size);
+ blob = ceph_buffer_new(required_blob_size, GFP_NOFS);
+ if (!blob)
+ goto do_sync_unlocked;
+ spin_lock(&ci->i_ceph_lock);
++ /* prealloc_blob can't be released while holding i_ceph_lock */
+ if (ci->i_xattrs.prealloc_blob)
+- ceph_buffer_put(ci->i_xattrs.prealloc_blob);
++ old_blob = ci->i_xattrs.prealloc_blob;
+ ci->i_xattrs.prealloc_blob = blob;
+ goto retry;
+ }
+@@ -1131,6 +1134,7 @@ int __ceph_setxattr(struct inode *inode, const char *name,
+ }
+
+ spin_unlock(&ci->i_ceph_lock);
++ ceph_buffer_put(old_blob);
+ if (lock_snap_rwsem)
+ up_read(&mdsc->snap_rwsem);
+ if (dirty)
+
diff --git a/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fill_inode.patch b/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fill_inode.patch
new file mode 100644
index 0000000000..6c69fc429a
--- /dev/null
+++ b/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fill_inode.patch
@@ -0,0 +1,81 @@
+From: Luis Henriques <lhenriques@suse.com>
+Date: Fri, 19 Jul 2019 15:32:22 +0100
+Subject: ceph: fix buffer free while holding i_ceph_lock in fill_inode()
+Git-commit: af8a85a41734f37b67ba8ce69d56b685bee4ac48
+Patch-mainline: v5.3-rc6
+References: bsc#1148133
+
+Calling ceph_buffer_put() in fill_inode() may result in freeing the
+i_xattrs.blob buffer while holding the i_ceph_lock. This can be fixed by
+postponing the call until later, when the lock is released.
+
+The following backtrace was triggered by fstests generic/070.
+
+ BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
+ in_atomic(): 1, irqs_disabled(): 0, pid: 3852, name: kworker/0:4
+ 6 locks held by kworker/0:4/3852:
+ #0: 000000004270f6bb ((wq_completion)ceph-msgr){+.+.}, at: process_one_work+0x1b8/0x5f0
+ #1: 00000000eb420803 ((work_completion)(&(&con->work)->work)){+.+.}, at: process_one_work+0x1b8/0x5f0
+ #2: 00000000be1c53a4 (&s->s_mutex){+.+.}, at: dispatch+0x288/0x1476
+ #3: 00000000559cb958 (&mdsc->snap_rwsem){++++}, at: dispatch+0x2eb/0x1476
+ #4: 000000000d5ebbae (&req->r_fill_mutex){+.+.}, at: dispatch+0x2fc/0x1476
+ #5: 00000000a83d0514 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: fill_inode.isra.0+0xf8/0xf70
+ CPU: 0 PID: 3852 Comm: kworker/0:4 Not tainted 5.2.0+ #441
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
+ Workqueue: ceph-msgr ceph_con_workfn
+ Call Trace:
+ dump_stack+0x67/0x90
+ ___might_sleep.cold+0x9f/0xb1
+ vfree+0x4b/0x60
+ ceph_buffer_release+0x1b/0x60
+ fill_inode.isra.0+0xa9b/0xf70
+ ceph_fill_trace+0x13b/0xc70
+ ? dispatch+0x2eb/0x1476
+ dispatch+0x320/0x1476
+ ? __mutex_unlock_slowpath+0x4d/0x2a0
+ ceph_con_workfn+0xc97/0x2ec0
+ ? process_one_work+0x1b8/0x5f0
+ process_one_work+0x244/0x5f0
+ worker_thread+0x4d/0x3e0
+ kthread+0x105/0x140
+ ? process_one_work+0x5f0/0x5f0
+ ? kthread_park+0x90/0x90
+ ret_from_fork+0x3a/0x50
+
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+---
+ fs/ceph/inode.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -744,6 +744,7 @@ static int fill_inode(struct inode *inod
+ int issued, new_issued, info_caps;
+ struct timespec mtime, atime, ctime;
+ struct ceph_buffer *xattr_blob = NULL;
++ struct ceph_buffer *old_blob = NULL;
+ struct ceph_string *pool_ns = NULL;
+ struct ceph_cap *new_cap = NULL;
+ int err = 0;
+@@ -874,7 +875,7 @@ static int fill_inode(struct inode *inod
+ if ((ci->i_xattrs.version == 0 || !(issued & CEPH_CAP_XATTR_EXCL)) &&
+ le64_to_cpu(info->xattr_version) > ci->i_xattrs.version) {
+ if (ci->i_xattrs.blob)
+- ceph_buffer_put(ci->i_xattrs.blob);
++ old_blob = ci->i_xattrs.blob;
+ ci->i_xattrs.blob = xattr_blob;
+ if (xattr_blob)
+ memcpy(ci->i_xattrs.blob->vec.iov_base,
+@@ -1019,8 +1020,8 @@ static int fill_inode(struct inode *inod
+ out:
+ if (new_cap)
+ ceph_put_cap(mdsc, new_cap);
+- if (xattr_blob)
+- ceph_buffer_put(xattr_blob);
++ ceph_buffer_put(old_blob);
++ ceph_buffer_put(xattr_blob);
+ ceph_put_string(pool_ns);
+ return err;
+ }
diff --git a/patches.suse/ceph-fix-ceph-dir-rctime-vxattr-value.patch b/patches.suse/ceph-fix-ceph-dir-rctime-vxattr-value.patch
new file mode 100644
index 0000000000..b54da58a5e
--- /dev/null
+++ b/patches.suse/ceph-fix-ceph-dir-rctime-vxattr-value.patch
@@ -0,0 +1,31 @@
+From: David Disseldorp <ddiss@suse.de>
+Date: Wed, 15 May 2019 16:56:39 +0200
+Subject: ceph: fix "ceph.dir.rctime" vxattr value
+Git-commit: 718807289d4130be1fe13f24f018733116958070
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1135219
+
+The vxattr value incorrectly places a "09" prefix to the nanoseconds
+field, instead of providing it as a zero-pad width specifier after '%'.
+
+Fixes: 3489b42a72a4 ("ceph: fix three bugs, two in ceph_vxattrcb_file_layout()")
+Link: https://tracker.ceph.com/issues/39943
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ fs/ceph/xattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -223,7 +223,7 @@ static size_t ceph_vxattrcb_dir_rbytes(s
+ static size_t ceph_vxattrcb_dir_rctime(struct ceph_inode_info *ci, char *val,
+ size_t size)
+ {
+- return snprintf(val, size, "%ld.09%ld", (long)ci->i_rctime.tv_sec,
++ return snprintf(val, size, "%ld.%09ld", (long)ci->i_rctime.tv_sec,
+ (long)ci->i_rctime.tv_nsec);
+ }
+
diff --git a/patches.suse/ceph-fix-decode_locker-to-use-ceph_decode_entity_addr.patch b/patches.suse/ceph-fix-decode_locker-to-use-ceph_decode_entity_addr.patch
new file mode 100644
index 0000000000..29949f0fda
--- /dev/null
+++ b/patches.suse/ceph-fix-decode_locker-to-use-ceph_decode_entity_addr.patch
@@ -0,0 +1,35 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Tue, 4 Jun 2019 15:17:32 -0400
+Subject: ceph: fix decode_locker to use ceph_decode_entity_addr
+Git-commit: 2f9800c899dc1f4ad0ca32105069bfa83e80a05b
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1136682
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+
+---
+ net/ceph/cls_lock_client.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/ceph/cls_lock_client.c b/net/ceph/cls_lock_client.c
+index 4cc28541281b..b1d12bf4b83e 100644
+--- a/net/ceph/cls_lock_client.c
++++ b/net/ceph/cls_lock_client.c
+@@ -264,8 +264,11 @@ static int decode_locker(void **p, void *end, struct ceph_locker *locker)
+ return ret;
+
+ *p += sizeof(struct ceph_timespec); /* skip expiration */
+- ceph_decode_copy(p, &locker->info.addr, sizeof(locker->info.addr));
+- ceph_decode_addr(&locker->info.addr);
++
++ ret = ceph_decode_entity_addr(p, end, &locker->info.addr);
++ if (ret)
++ return ret;
++
+ len = ceph_decode_32(p);
+ *p += len; /* skip description */
+
+
diff --git a/patches.suse/ceph-fix-improper-use-of-smp_mb__before_atomic.patch b/patches.suse/ceph-fix-improper-use-of-smp_mb__before_atomic.patch
new file mode 100644
index 0000000000..97b6034377
--- /dev/null
+++ b/patches.suse/ceph-fix-improper-use-of-smp_mb__before_atomic.patch
@@ -0,0 +1,42 @@
+From: Andrea Parri <andrea.parri@amarulasolutions.com>
+Date: Mon, 20 May 2019 19:23:58 +0200
+Subject: ceph: fix improper use of smp_mb__before_atomic()
+Git-commit: 749607731e26dfb2558118038c40e9c0c80d23b5
+Patch-mainline: v5.3-rc1
+References: bsc#1148133
+
+This barrier only applies to the read-modify-write operations; in
+particular, it does not apply to the atomic64_set() primitive.
+
+Replace the barrier with an smp_mb().
+
+Fixes: fdd4e15838e59 ("ceph: rework dcache readdir")
+Reported-by: "Paul E. McKenney" <paulmck@linux.ibm.com>
+Reported-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Andrea Parri <andrea.parri@amarulasolutions.com>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ fs/ceph/super.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ceph/super.h b/fs/ceph/super.h
+index 7209548527ab..29ea4eba98fe 100644
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -545,7 +545,12 @@ static inline void __ceph_dir_set_complete(struct ceph_inode_info *ci,
+ long long release_count,
+ long long ordered_count)
+ {
+- smp_mb__before_atomic();
++ /*
++ * Makes sure operations that setup readdir cache (update page
++ * cache and i_size) are strongly ordered w.r.t. the following
++ * atomic64_set() operations.
++ */
++ smp_mb();
+ atomic64_set(&ci->i_complete_seq[0], release_count);
+ atomic64_set(&ci->i_complete_seq[1], ordered_count);
+ }
+
diff --git a/patches.suse/ceph-fix-infinite-loop-in-get_quota_realm.patch b/patches.suse/ceph-fix-infinite-loop-in-get_quota_realm.patch
new file mode 100644
index 0000000000..39051d8fec
--- /dev/null
+++ b/patches.suse/ceph-fix-infinite-loop-in-get_quota_realm.patch
@@ -0,0 +1,52 @@
+From: "Yan, Zheng" <zyan@redhat.com>
+Date: Fri, 31 May 2019 20:19:18 +0800
+Subject: ceph: fix infinite loop in get_quota_realm()
+Git-commit: 2ef5df1abe6777b463cdfec20211d9846b116d24
+Patch-mainline: v5.3-rc1
+References: bsc#1148133
+
+get_quota_realm() enters infinite loop if quota inode has no caps.
+This can happen after client gets evicted.
+
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Reviewed-by: Luis Henriques <lhenriques@suse.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ fs/ceph/quota.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ceph/quota.c b/fs/ceph/quota.c
+index d629fc857450..de56dee60540 100644
+--- a/fs/ceph/quota.c
++++ b/fs/ceph/quota.c
+@@ -135,7 +135,7 @@ static struct inode *lookup_quotarealm_inode(struct ceph_mds_client *mdsc,
+ return NULL;
+
+ mutex_lock(&qri->mutex);
+- if (qri->inode) {
++ if (qri->inode && ceph_is_any_caps(qri->inode)) {
+ /* A request has already returned the inode */
+ mutex_unlock(&qri->mutex);
+ return qri->inode;
+@@ -146,7 +146,18 @@ static struct inode *lookup_quotarealm_inode(struct ceph_mds_client *mdsc,
+ mutex_unlock(&qri->mutex);
+ return NULL;
+ }
+- in = ceph_lookup_inode(sb, realm->ino);
++ if (qri->inode) {
++ /* get caps */
++ int ret = __ceph_do_getattr(qri->inode, NULL,
++ CEPH_STAT_CAP_INODE, true);
++ if (ret >= 0)
++ in = qri->inode;
++ else
++ in = ERR_PTR(ret);
++ } else {
++ in = ceph_lookup_inode(sb, realm->ino);
++ }
++
+ if (IS_ERR(in)) {
+ pr_warn("Can't lookup inode %llx (err: %ld)\n",
+ realm->ino, PTR_ERR(in));
+
diff --git a/patches.suse/ceph-fix-listxattr-vxattr-buffer-length-calculation.patch b/patches.suse/ceph-fix-listxattr-vxattr-buffer-length-calculation.patch
new file mode 100644
index 0000000000..3ad40a4ea9
--- /dev/null
+++ b/patches.suse/ceph-fix-listxattr-vxattr-buffer-length-calculation.patch
@@ -0,0 +1,114 @@
+From: David Disseldorp <ddiss@suse.de>
+Date: Thu, 18 Apr 2019 14:15:48 +0200
+Subject: ceph: fix listxattr vxattr buffer length calculation
+Git-commit: 2b2abcac8c251d1c77a4cc9d9f248daefae0fb4e
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1148570
+
+ceph_listxattr() incorrectly returns a length based on the static
+ceph_vxattrs_name_size() value, which only takes into account whether
+vxattrs are hidden, ignoring vxattr.exists_cb().
+
+When filling the xattr buffer ceph_listxattr() checks VXATTR_FLAG_HIDDEN
+and vxattr.exists_cb(). If both are false, we return an incorrect
+(oversize) length.
+
+Fix this behaviour by always calculating the vxattrs length at runtime,
+taking both vxattr.hidden and vxattr.exists_cb() into account.
+
+This bug is only exposed with the new "ceph.snap.btime" vxattr, as all
+other vxattrs with a non-null exists_cb also carry VXATTR_FLAG_HIDDEN.
+
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ fs/ceph/xattr.c | 54 ++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 30 insertions(+), 24 deletions(-)
+
+diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
+index 5d8a6f7c5869..ffbe1c006bb6 100644
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -924,10 +924,9 @@ ssize_t ceph_listxattr(struct dentry *dentry, char *names, size_t size)
+ struct inode *inode = d_inode(dentry);
+ struct ceph_inode_info *ci = ceph_inode(inode);
+ struct ceph_vxattr *vxattrs = ceph_inode_vxattrs(inode);
+- u32 vir_namelen = 0;
++ bool len_only = (size == 0);
+ u32 namelen;
+ int err;
+- u32 len;
+ int i;
+
+ spin_lock(&ci->i_ceph_lock);
+@@ -946,38 +945,45 @@ ssize_t ceph_listxattr(struct dentry *dentry, char *names, size_t size)
+ err = __build_xattrs(inode);
+ if (err < 0)
+ goto out;
+- /*
+- * Start with virtual dir xattr names (if any) (including
+- * terminating '\0' characters for each).
+- */
+- vir_namelen = ceph_vxattrs_name_size(vxattrs);
+
+- /* adding 1 byte per each variable due to the null termination */
++ /* add 1 byte for each xattr due to the null termination */
+ namelen = ci->i_xattrs.names_size + ci->i_xattrs.count;
+- err = -ERANGE;
+- if (size && vir_namelen + namelen > size)
+- goto out;
+-
+- err = namelen + vir_namelen;
+- if (size == 0)
+- goto out;
++ if (!len_only) {
++ if (namelen > size) {
++ err = -ERANGE;
++ goto out;
++ }
++ names = __copy_xattr_names(ci, names);
++ size -= namelen;
++ }
+
+- names = __copy_xattr_names(ci, names);
+
+ /* virtual xattr names, too */
+- err = namelen;
+ if (vxattrs) {
+ for (i = 0; vxattrs[i].name; i++) {
+- if (!(vxattrs[i].flags & VXATTR_FLAG_HIDDEN) &&
+- !(vxattrs[i].exists_cb &&
+- !vxattrs[i].exists_cb(ci))) {
+- len = sprintf(names, "%s", vxattrs[i].name);
+- names += len + 1;
+- err += len + 1;
++ size_t this_len;
++
++ if (vxattrs[i].flags & VXATTR_FLAG_HIDDEN)
++ continue;
++ if (vxattrs[i].exists_cb && !vxattrs[i].exists_cb(ci))
++ continue;
++
++ this_len = strlen(vxattrs[i].name) + 1;
++ namelen += this_len;
++ if (len_only)
++ continue;
++
++ if (this_len > size) {
++ err = -ERANGE;
++ goto out;
+ }
++
++ memcpy(names, vxattrs[i].name, this_len);
++ names += this_len;
++ size -= this_len;
+ }
+ }
+-
++ err = namelen;
+ out:
+ spin_unlock(&ci->i_ceph_lock);
+ return err;
+
diff --git a/patches.suse/ceph-handle-btime-in-cap-messages.patch b/patches.suse/ceph-handle-btime-in-cap-messages.patch
new file mode 100644
index 0000000000..b302074c52
--- /dev/null
+++ b/patches.suse/ceph-handle-btime-in-cap-messages.patch
@@ -0,0 +1,130 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Wed, 29 May 2019 12:23:14 -0400
+Subject: ceph: handle btime in cap messages
+Git-commit: ec62b894df1ae69eb8e66d69317dfff517f6d1f3
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1136682
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+[luis: s/timespec64/timespec]
+---
+ fs/ceph/caps.c | 18 ++++++++++++------
+ fs/ceph/snap.c | 1 +
+ fs/ceph/super.h | 2 +-
+ 3 files changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
+index 50409d9fdc90..623b82684e90 100644
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -1115,7 +1115,7 @@ struct cap_msg_args {
+ u64 flush_tid, oldest_flush_tid, size, max_size;
+ u64 xattr_version;
+ struct ceph_buffer *xattr_buf;
+- struct timespec atime, mtime, ctime;
++ struct timespec atime, mtime, ctime, btime;
+ int op, caps, wanted, dirty;
+ u32 seq, issue_seq, mseq, time_warp_seq;
+ u32 flags;
+@@ -1136,7 +1136,6 @@ static int send_cap_msg(struct cap_msg_a
+ struct ceph_msg *msg;
+ void *p;
+ size_t extra_len;
+- struct timespec zerotime = {0};
+ struct ceph_osd_client *osdc = &arg->session->s_mdsc->fsc->client->osdc;
+
+ dout("send_cap_msg %s %llx %llx caps %s wanted %s dirty %s"
+@@ -1227,7 +1226,7 @@ static int send_cap_msg(struct cap_msg_a
+ * We just zero these out for now, as the MDS ignores them unless
+ * the requisite feature flags are set (which we don't do yet).
+ */
+- ceph_encode_timespec(p, &zerotime);
++ ceph_encode_timespec(p, &arg->btime);
+ p += sizeof(struct ceph_timespec);
+ ceph_encode_64(&p, 0);
+
+@@ -1353,6 +1352,7 @@ static int __send_cap(struct ceph_mds_cl
+ arg.mtime = inode->i_mtime;
+ arg.atime = inode->i_atime;
+ arg.ctime = inode->i_ctime;
++ arg.btime = ci->i_btime;
+
+ arg.op = op;
+ arg.caps = cap->implemented;
+@@ -1412,6 +1412,7 @@ static inline int __send_flush_snap(stru
+ arg.atime = capsnap->atime;
+ arg.mtime = capsnap->mtime;
+ arg.ctime = capsnap->ctime;
++ arg.btime = capsnap->btime;
+
+ arg.op = CEPH_CAP_OP_FLUSHSNAP;
+ arg.caps = capsnap->issued;
+@@ -3028,6 +3029,7 @@ struct cap_extra_info {
+ u64 nsubdirs;
+ /* currently issued */
+ int issued;
++ struct timespec btime;
+ };
+
+ /*
+@@ -3114,6 +3116,7 @@ static void handle_cap_grant(struct inod
+ inode->i_mode = le32_to_cpu(grant->mode);
+ inode->i_uid = make_kuid(&init_user_ns, le32_to_cpu(grant->uid));
+ inode->i_gid = make_kgid(&init_user_ns, le32_to_cpu(grant->gid));
++ ci->i_btime = extra_info->btime;
+ dout("%p mode 0%o uid.gid %d.%d\n", inode, inode->i_mode,
+ from_kuid(&init_user_ns, inode->i_uid),
+ from_kgid(&init_user_ns, inode->i_gid));
+@@ -3834,17 +3837,20 @@ void ceph_handle_caps(struct ceph_mds_se
+ }
+ }
+
+- if (msg_version >= 11) {
++ if (msg_version >= 9) {
+ struct ceph_timespec *btime;
+ u64 change_attr;
+- u32 flags;
+
+- /* version >= 9 */
+ if (p + sizeof(*btime) > end)
+ goto bad;
+ btime = p;
++ ceph_decode_timespec(&extra_info.btime, btime);
+ p += sizeof(*btime);
+ ceph_decode_64_safe(&p, end, change_attr, bad);
++ }
++
++ if (msg_version >= 11) {
++ u32 flags;
+ /* version >= 10 */
+ ceph_decode_32_safe(&p, end, flags, bad);
+ /* version >= 11 */
+diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c
+index 72c6c022f02b..854308e13f12 100644
+--- a/fs/ceph/snap.c
++++ b/fs/ceph/snap.c
+@@ -601,6 +601,7 @@ int __ceph_finish_cap_snap(struct ceph_i
+ capsnap->mtime = inode->i_mtime;
+ capsnap->atime = inode->i_atime;
+ capsnap->ctime = inode->i_ctime;
++ capsnap->btime = ci->i_btime;
+ capsnap->time_warp_seq = ci->i_time_warp_seq;
+ capsnap->truncate_size = ci->i_truncate_size;
+ capsnap->truncate_seq = ci->i_truncate_seq;
+diff --git a/fs/ceph/super.h b/fs/ceph/super.h
+index 859d1f3a0d4a..2e20fc780f53 100644
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -193,7 +193,7 @@ struct ceph_cap_snap {
+ u64 xattr_version;
+
+ u64 size;
+- struct timespec mtime, atime, ctime;
++ struct timespec mtime, atime, ctime, btime;
+ u64 time_warp_seq;
+ u64 truncate_size;
+ u32 truncate_seq;
+
diff --git a/patches.suse/ceph-handle-change_attr-in-cap-messages.patch b/patches.suse/ceph-handle-change_attr-in-cap-messages.patch
new file mode 100644
index 0000000000..6dd64600cb
--- /dev/null
+++ b/patches.suse/ceph-handle-change_attr-in-cap-messages.patch
@@ -0,0 +1,139 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Thu, 6 Jun 2019 08:06:40 -0400
+Subject: ceph: handle change_attr in cap messages
+Git-commit: 176c77c9c9b1f843332496a28f4545eb96d5dab9
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1136682
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+[luis: s/timespec64/timespec]
+---
+ fs/ceph/caps.c | 19 ++++++++++---------
+ fs/ceph/snap.c | 3 ++-
+ fs/ceph/super.h | 1 +
+ 3 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
+index 623b82684e90..2e22efd79b0c 100644
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -7,6 +7,7 @@
+ #include <linux/vmalloc.h>
+ #include <linux/wait.h>
+ #include <linux/writeback.h>
++#include <linux/iversion.h>
+
+ #include "super.h"
+ #include "mds_client.h"
+@@ -1114,6 +1115,7 @@ struct cap_msg_args {
+ u64 ino, cid, follows;
+ u64 flush_tid, oldest_flush_tid, size, max_size;
+ u64 xattr_version;
++ u64 change_attr;
+ struct ceph_buffer *xattr_buf;
+ struct timespec atime, mtime, ctime, btime;
+ int op, caps, wanted, dirty;
+@@ -1220,15 +1222,10 @@ static int send_cap_msg(struct cap_msg_a
+ /* pool namespace (version 8) (mds always ignores this) */
+ ceph_encode_32(&p, 0);
+
+- /*
+- * btime and change_attr (version 9)
+- *
+- * We just zero these out for now, as the MDS ignores them unless
+- * the requisite feature flags are set (which we don't do yet).
+- */
++ /* btime and change_attr (version 9) */
+ ceph_encode_timespec(p, &arg->btime);
+ p += sizeof(struct ceph_timespec);
+- ceph_encode_64(&p, 0);
++ ceph_encode_64(&p, arg->change_attr);
+
+ /* Advisory flags (version 10) */
+ ceph_encode_32(&p, arg->flags);
+@@ -1353,6 +1350,7 @@ static int __send_cap(struct ceph_mds_cl
+ arg.atime = inode->i_atime;
+ arg.ctime = inode->i_ctime;
+ arg.btime = ci->i_btime;
++ arg.change_attr = inode_peek_iversion_raw(inode);
+
+ arg.op = op;
+ arg.caps = cap->implemented;
+@@ -1413,6 +1411,7 @@ static inline int __send_flush_snap(stru
+ arg.mtime = capsnap->mtime;
+ arg.ctime = capsnap->ctime;
+ arg.btime = capsnap->btime;
++ arg.change_attr = capsnap->change_attr;
+
+ arg.op = CEPH_CAP_OP_FLUSHSNAP;
+ arg.caps = capsnap->issued;
+@@ -3027,6 +3026,7 @@ struct cap_extra_info {
+ bool dirstat_valid;
+ u64 nfiles;
+ u64 nsubdirs;
++ u64 change_attr;
+ /* currently issued */
+ int issued;
+ struct timespec btime;
+@@ -3111,6 +3111,8 @@ static void handle_cap_grant(struct inod
+
+ __check_cap_issue(ci, cap, newcaps);
+
++ inode_set_max_iversion_raw(inode, extra_info->change_attr);
++
+ if ((newcaps & CEPH_CAP_AUTH_SHARED) &&
+ (extra_info->issued & CEPH_CAP_AUTH_EXCL) == 0) {
+ inode->i_mode = le32_to_cpu(grant->mode);
+@@ -3839,14 +3841,13 @@ void ceph_handle_caps(struct ceph_mds_se
+
+ if (msg_version >= 9) {
+ struct ceph_timespec *btime;
+- u64 change_attr;
+
+ if (p + sizeof(*btime) > end)
+ goto bad;
+ btime = p;
+ ceph_decode_timespec(&extra_info.btime, btime);
+ p += sizeof(*btime);
+- ceph_decode_64_safe(&p, end, change_attr, bad);
++ ceph_decode_64_safe(&p, end, extra_info.change_attr, bad);
+ }
+
+ if (msg_version >= 11) {
+diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c
+index 854308e13f12..4c6494eb02b5 100644
+--- a/fs/ceph/snap.c
++++ b/fs/ceph/snap.c
+@@ -2,7 +2,7 @@
+
+ #include <linux/sort.h>
+ #include <linux/slab.h>
+-
++#include <linux/iversion.h>
+ #include "super.h"
+ #include "mds_client.h"
+
+@@ -602,6 +602,7 @@ int __ceph_finish_cap_snap(struct ceph_i
+ capsnap->atime = inode->i_atime;
+ capsnap->ctime = inode->i_ctime;
+ capsnap->btime = ci->i_btime;
++ capsnap->change_attr = inode_peek_iversion_raw(inode);
+ capsnap->time_warp_seq = ci->i_time_warp_seq;
+ capsnap->truncate_size = ci->i_truncate_size;
+ capsnap->truncate_seq = ci->i_truncate_seq;
+diff --git a/fs/ceph/super.h b/fs/ceph/super.h
+index 2e20fc780f53..a592d4a8266c 100644
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -193,6 +193,7 @@ struct ceph_cap_snap {
+ u64 xattr_version;
+
+ u64 size;
++ u64 change_attr;
+ struct timespec mtime, atime, ctime, btime;
+ u64 time_warp_seq;
+ u64 truncate_size;
+
diff --git a/patches.suse/ceph-have-mds-map-decoding-use-entity_addr_t-decoder.patch b/patches.suse/ceph-have-mds-map-decoding-use-entity_addr_t-decoder.patch
new file mode 100644
index 0000000000..ad97fc2aa6
--- /dev/null
+++ b/patches.suse/ceph-have-mds-map-decoding-use-entity_addr_t-decoder.patch
@@ -0,0 +1,61 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Tue, 4 Jun 2019 11:26:36 -0400
+Subject: ceph: have MDS map decoding use entity_addr_t decoder
+Git-commit: f3848af1bf545575d7a98084f82f67e96ffdf4d5
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1136682
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+
+---
+ fs/ceph/mdsmap.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ceph/mdsmap.c b/fs/ceph/mdsmap.c
+index 701b4fb0fb5a..ce2d00da5096 100644
+--- a/fs/ceph/mdsmap.c
++++ b/fs/ceph/mdsmap.c
+@@ -107,7 +107,7 @@ struct ceph_mdsmap *ceph_mdsmap_decode(void **p, void *end)
+ struct ceph_mdsmap *m;
+ const void *start = *p;
+ int i, j, n;
+- int err = -EINVAL;
++ int err;
+ u8 mdsmap_v, mdsmap_cv;
+ u16 mdsmap_ev;
+
+@@ -183,8 +183,9 @@ struct ceph_mdsmap *ceph_mdsmap_decode(void **p, void *end)
+ inc = ceph_decode_32(p);
+ state = ceph_decode_32(p);
+ state_seq = ceph_decode_64(p);
+- ceph_decode_copy(p, &addr, sizeof(addr));
+- ceph_decode_addr(&addr);
++ err = ceph_decode_entity_addr(p, end, &addr);
++ if (err)
++ goto corrupt;
+ ceph_decode_copy(p, &laggy_since, sizeof(laggy_since));
+ *p += sizeof(u32);
+ ceph_decode_32_safe(p, end, namelen, bad);
+@@ -357,7 +358,7 @@ struct ceph_mdsmap *ceph_mdsmap_decode(void **p, void *end)
+ nomem:
+ err = -ENOMEM;
+ goto out_err;
+-bad:
++corrupt:
+ pr_err("corrupt mdsmap\n");
+ print_hex_dump(KERN_DEBUG, "mdsmap: ",
+ DUMP_PREFIX_OFFSET, 16, 1,
+@@ -365,6 +366,9 @@ struct ceph_mdsmap *ceph_mdsmap_decode(void **p, void *end)
+ out_err:
+ ceph_mdsmap_destroy(m);
+ return ERR_PTR(err);
++bad:
++ err = -EINVAL;
++ goto corrupt;
+ }
+
+ void ceph_mdsmap_destroy(struct ceph_mdsmap *m)
+
diff --git a/patches.suse/ceph-hold-i_ceph_lock-when-removing-caps-for-freeing-inode.patch b/patches.suse/ceph-hold-i_ceph_lock-when-removing-caps-for-freeing-inode.patch
new file mode 100644
index 0000000000..30c6488231
--- /dev/null
+++ b/patches.suse/ceph-hold-i_ceph_lock-when-removing-caps-for-freeing-inode.patch
@@ -0,0 +1,48 @@
+From: "Yan, Zheng" <zyan@redhat.com>
+Date: Thu, 23 May 2019 11:01:37 +0800
+Subject: ceph: hold i_ceph_lock when removing caps for freeing inode
+Git-commit: d6e47819721ae2d9d090058ad5570a66f3c42e39
+Patch-mainline: v5.3-rc1
+References: bsc#1148133
+
+ceph_d_revalidate(, LOOKUP_RCU) may call __ceph_caps_issued_mask()
+on a freeing inode.
+
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+[luis: modified ceph_queue_caps_release() instead of __ceph_remove_caps,
+ as in stable 4.14]
+---
+ fs/ceph/caps.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -1239,20 +1239,23 @@ static int send_cap_msg(struct cap_msg_a
+ }
+
+ /*
+- * Queue cap releases when an inode is dropped from our cache. Since
+- * inode is about to be destroyed, there is no need for i_ceph_lock.
++ * Queue cap releases when an inode is dropped from our cache.
+ */
+ void ceph_queue_caps_release(struct inode *inode)
+ {
+ struct ceph_inode_info *ci = ceph_inode(inode);
+ struct rb_node *p;
+
++ /* lock i_ceph_lock, because ceph_d_revalidate(..., LOOKUP_RCU)
++ * may call __ceph_caps_issued_mask() on a freeing inode. */
++ spin_lock(&ci->i_ceph_lock);
+ p = rb_first(&ci->i_caps);
+ while (p) {
+ struct ceph_cap *cap = rb_entry(p, struct ceph_cap, ci_node);
+ p = rb_next(p);
+ __ceph_remove_cap(cap, true);
+ }
++ spin_unlock(&ci->i_ceph_lock);
+ }
+
+ /*
diff --git a/patches.suse/ceph-increment-change_attribute-on-local-changes.patch b/patches.suse/ceph-increment-change_attribute-on-local-changes.patch
new file mode 100644
index 0000000000..c320914b48
--- /dev/null
+++ b/patches.suse/ceph-increment-change_attribute-on-local-changes.patch
@@ -0,0 +1,62 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Thu, 6 Jun 2019 08:57:27 -0400
+Subject: ceph: increment change_attribute on local changes
+Git-commit: 5c30835690f12e14f88dd2e90c8cbb0ea8eb975f
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1136682
+
+We don't set SB_I_VERSION on ceph since we need to manage it ourselves,
+so we must increment it whenever we update the file times.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+[luis: dropped changes to ceph_copy_file_range]
+---
+ fs/ceph/addr.c | 2 ++
+ fs/ceph/file.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c
+index a47c541f8006..e078cc55b989 100644
+--- a/fs/ceph/addr.c
++++ b/fs/ceph/addr.c
+@@ -9,6 +9,7 @@
+ #include <linux/pagevec.h>
+ #include <linux/task_io_accounting_ops.h>
+ #include <linux/signal.h>
++#include <linux/iversion.h>
+
+ #include "super.h"
+ #include "mds_client.h"
+@@ -1592,6 +1593,7 @@ static int ceph_page_mkwrite(struct vm_f
+
+ /* Update time before taking page lock */
+ file_update_time(vma->vm_file);
++ inode_inc_iversion_raw(inode);
+
+ do {
+ lock_page(page);
+diff --git a/fs/ceph/file.c b/fs/ceph/file.c
+index d616e4b50b57..a06090c8281e 100644
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -8,6 +8,7 @@
+ #include <linux/namei.h>
+ #include <linux/writeback.h>
+ #include <linux/falloc.h>
++#include <linux/iversion.h>
+
+ #include "super.h"
+ #include "mds_client.h"
+@@ -1428,6 +1429,8 @@ retry_snap:
+ if (err)
+ goto out;
+
++ inode_inc_iversion_raw(inode);
++
+ if (ci->i_inline_version != CEPH_INLINE_NONE) {
+ err = ceph_uninline_data(file, NULL);
+ if (err < 0)
+
diff --git a/patches.suse/ceph-initialize-superblock-s_time_gran-to-1.patch b/patches.suse/ceph-initialize-superblock-s_time_gran-to-1.patch
new file mode 100644
index 0000000000..03d98ca0b8
--- /dev/null
+++ b/patches.suse/ceph-initialize-superblock-s_time_gran-to-1.patch
@@ -0,0 +1,34 @@
+From: Luis Henriques <lhenriques@suse.com>
+Date: Thu, 27 Jun 2019 14:51:22 +0100
+Subject: ceph: initialize superblock s_time_gran to 1
+Git-commit: 0f7cf80ae96c2a585a00b2cd8b6d24699db47f35
+Patch-mainline: v5.3-rc1
+References: bsc#1148133
+
+Having granularity set to 1us results in having inode timestamps with a
+accurancy different from the fuse client (i.e. atime, ctime and mtime will
+always end with '000'). This patch normalizes this behaviour and sets the
+granularity to 1.
+
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Sage Weil <sage@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+---
+ fs/ceph/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ceph/super.c b/fs/ceph/super.c
+index 542b31994e3b..c21201a951ce 100644
+--- a/fs/ceph/super.c
++++ b/fs/ceph/super.c
+@@ -980,7 +980,7 @@ static int ceph_set_super(struct super_block *s, void *data)
+ s->s_d_op = &ceph_dentry_ops;
+ s->s_export_op = &ceph_export_ops;
+
+- s->s_time_gran = 1000; /* 1000 ns == 1 us */
++ s->s_time_gran = 1;
+
+ ret = set_anon_super(s, NULL); /* what is that second arg for? */
+ if (ret != 0)
+
diff --git a/patches.suse/ceph-remove-request-from-waiting-list-before-unregister.patch b/patches.suse/ceph-remove-request-from-waiting-list-before-unregister.patch
new file mode 100644
index 0000000000..8f6074ae19
--- /dev/null
+++ b/patches.suse/ceph-remove-request-from-waiting-list-before-unregister.patch
@@ -0,0 +1,37 @@
+From: "Yan, Zheng" <zyan@redhat.com>
+Date: Fri, 14 Jun 2019 10:55:05 +0800
+Subject: ceph: remove request from waiting list before unregister
+Git-commit: 428138c9892fac19a682973bbb6d8c2a904b6639
+Patch-mainline: v5.3-rc1
+References: bsc#1148133
+
+Link: https://tracker.ceph.com/issues/40339
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ fs/ceph/mds_client.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
+index fcea46a54622..598a3fa280a7 100644
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -727,6 +727,7 @@ void ceph_mdsc_release_request(struct kref *kref)
+ ceph_pagelist_release(req->r_pagelist);
+ put_request_session(req);
+ ceph_unreserve_caps(req->r_mdsc, &req->r_caps_reservation);
++ WARN_ON_ONCE(!list_empty(&req->r_wait));
+ kfree(req);
+ }
+
+@@ -4162,6 +4163,7 @@ static void wait_requests(struct ceph_mds_client *mdsc)
+ while ((req = __get_oldest_req(mdsc))) {
+ dout("wait_requests timed out on tid %llu\n",
+ req->r_tid);
++ list_del_init(&req->r_wait);
+ __unregister_request(mdsc, req);
+ }
+ }
+
diff --git a/patches.suse/ceph-remove-unused-vxattr-length-helpers.patch b/patches.suse/ceph-remove-unused-vxattr-length-helpers.patch
new file mode 100644
index 0000000000..ab6c74b61f
--- /dev/null
+++ b/patches.suse/ceph-remove-unused-vxattr-length-helpers.patch
@@ -0,0 +1,135 @@
+From: David Disseldorp <ddiss@suse.de>
+Date: Thu, 18 Apr 2019 14:15:49 +0200
+Subject: ceph: remove unused vxattr length helpers
+Git-commit: d0f191d20c1ce22ccfd7c8e2327f19fbba7f7521
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1148570
+
+ceph_listxattr() now calculates the length of vxattrs dynamically, so
+these helpers, which incorrectly ignore vxattr.exists_cb(), can be
+removed.
+
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ fs/ceph/super.c | 7 ++-----
+ fs/ceph/super.h | 2 --
+ fs/ceph/xattr.c | 43 -------------------------------------------
+ 3 files changed, 2 insertions(+), 50 deletions(-)
+
+diff --git a/fs/ceph/super.c b/fs/ceph/super.c
+index d57fa60dcd43..542b31994e3b 100644
+--- a/fs/ceph/super.c
++++ b/fs/ceph/super.c
+@@ -1161,17 +1161,15 @@ static int __init init_ceph(void)
+ goto out;
+
+ ceph_flock_init();
+- ceph_xattr_init();
+ ret = register_filesystem(&ceph_fs_type);
+ if (ret)
+- goto out_xattr;
++ goto out_caches;
+
+ pr_info("loaded (mds proto %d)\n", CEPH_MDSC_PROTOCOL);
+
+ return 0;
+
+-out_xattr:
+- ceph_xattr_exit();
++out_caches:
+ destroy_caches();
+ out:
+ return ret;
+@@ -1181,7 +1179,6 @@ static void __exit exit_ceph(void)
+ {
+ dout("exit_ceph\n");
+ unregister_filesystem(&ceph_fs_type);
+- ceph_xattr_exit();
+ destroy_caches();
+ }
+
+diff --git a/fs/ceph/super.h b/fs/ceph/super.h
+index 1de6b1f4f094..7209548527ab 100644
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -922,8 +922,6 @@ ssize_t __ceph_getxattr(struct inode *, const char *, void *, size_t);
+ extern ssize_t ceph_listxattr(struct dentry *, char *, size_t);
+ extern void __ceph_build_xattrs_blob(struct ceph_inode_info *ci);
+ extern void __ceph_destroy_xattrs(struct ceph_inode_info *ci);
+-extern void __init ceph_xattr_init(void);
+-extern void ceph_xattr_exit(void);
+ extern const struct xattr_handler *ceph_xattr_handlers[];
+
+ #ifdef CONFIG_SECURITY
+diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
+index ffbe1c006bb6..57350e4b7da0 100644
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -363,7 +363,6 @@ static struct ceph_vxattr ceph_dir_vxattrs[] = {
+ },
+ { .name = NULL, 0 } /* Required table terminator */
+ };
+-static size_t ceph_dir_vxattrs_name_size; /* total size of all names */
+
+ /* files */
+
+@@ -389,7 +388,6 @@ static struct ceph_vxattr ceph_file_vxattrs[] = {
+ },
+ { .name = NULL, 0 } /* Required table terminator */
+ };
+-static size_t ceph_file_vxattrs_name_size; /* total size of all names */
+
+ static struct ceph_vxattr *ceph_inode_vxattrs(struct inode *inode)
+ {
+@@ -400,47 +398,6 @@ static struct ceph_vxattr *ceph_inode_vxattrs(struct inode *inode)
+ return NULL;
+ }
+
+-static size_t ceph_vxattrs_name_size(struct ceph_vxattr *vxattrs)
+-{
+- if (vxattrs == ceph_dir_vxattrs)
+- return ceph_dir_vxattrs_name_size;
+- if (vxattrs == ceph_file_vxattrs)
+- return ceph_file_vxattrs_name_size;
+- BUG_ON(vxattrs);
+- return 0;
+-}
+-
+-/*
+- * Compute the aggregate size (including terminating '\0') of all
+- * virtual extended attribute names in the given vxattr table.
+- */
+-static size_t __init vxattrs_name_size(struct ceph_vxattr *vxattrs)
+-{
+- struct ceph_vxattr *vxattr;
+- size_t size = 0;
+-
+- for (vxattr = vxattrs; vxattr->name; vxattr++) {
+- if (!(vxattr->flags & VXATTR_FLAG_HIDDEN))
+- size += vxattr->name_size;
+- }
+-
+- return size;
+-}
+-
+-/* Routines called at initialization and exit time */
+-
+-void __init ceph_xattr_init(void)
+-{
+- ceph_dir_vxattrs_name_size = vxattrs_name_size(ceph_dir_vxattrs);
+- ceph_file_vxattrs_name_size = vxattrs_name_size(ceph_file_vxattrs);
+-}
+-
+-void ceph_xattr_exit(void)
+-{
+- ceph_dir_vxattrs_name_size = 0;
+- ceph_file_vxattrs_name_size = 0;
+-}
+-
+ static struct ceph_vxattr *ceph_match_vxattr(struct inode *inode,
+ const char *name)
+ {
+
diff --git a/patches.suse/ceph-silence-a-checker-warning-in-mdsc_show.patch b/patches.suse/ceph-silence-a-checker-warning-in-mdsc_show.patch
new file mode 100644
index 0000000000..2c659bed7e
--- /dev/null
+++ b/patches.suse/ceph-silence-a-checker-warning-in-mdsc_show.patch
@@ -0,0 +1,37 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 9 May 2019 13:11:25 +0300
+Subject: ceph: silence a checker warning in mdsc_show()
+Git-commit: 13c41737b912a6f6354369c9b20a02c3868ab304
+Patch-mainline: v5.3-rc1
+References: bsc#1148133
+
+The problem is that if ceph_mdsc_build_path() fails then we set "path"
+to NULL and the "pathlen" variable is uninitialized. Then we call
+ceph_mdsc_free_path(path, pathlen) to clean up. Since "path" is NULL,
+the function is a no-op but Smatch and UBSan still complain that
+"pathlen" is uninitialized.
+
+This patch doesn't change run time, it just silence the warnings.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ fs/ceph/debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ceph/debugfs.c b/fs/ceph/debugfs.c
+index b3fc5fe26a1a..a14d64664878 100644
+--- a/fs/ceph/debugfs.c
++++ b/fs/ceph/debugfs.c
+@@ -52,7 +52,7 @@ static int mdsc_show(struct seq_file *s, void *p)
+ struct ceph_mds_client *mdsc = fsc->mdsc;
+ struct ceph_mds_request *req;
+ struct rb_node *rp;
+- int pathlen;
++ int pathlen = 0;
+ u64 pathbase;
+ char *path;
+
+
diff --git a/patches.suse/cifs-Fix-use-after-free-in-SMB2_read.patch b/patches.suse/cifs-Fix-use-after-free-in-SMB2_read.patch
index 17c5d49528..24b3b641df 100644
--- a/patches.suse/cifs-Fix-use-after-free-in-SMB2_read.patch
+++ b/patches.suse/cifs-Fix-use-after-free-in-SMB2_read.patch
@@ -3,7 +3,7 @@ Date: Sat, 6 Apr 2019 15:47:39 +0800
Subject: [PATCH] cifs: Fix use-after-free in SMB2_read
Git-commit: 088aaf17aa79300cab14dbee2569c58cfafd7d6e
Patch-mainline: v5.1-rc6
-References: bsc#1144333
+References: bsc#1144333, CVE-2019-15920, bsc#1149626
There is a KASAN use-after-free:
BUG: KASAN: use-after-free in SMB2_read+0x1136/0x1190
diff --git a/patches.suse/cifs-Fix-use-after-free-in-SMB2_write.patch b/patches.suse/cifs-Fix-use-after-free-in-SMB2_write.patch
index f484ff2a94..48c747ebc5 100644
--- a/patches.suse/cifs-Fix-use-after-free-in-SMB2_write.patch
+++ b/patches.suse/cifs-Fix-use-after-free-in-SMB2_write.patch
@@ -3,7 +3,7 @@ Date: Sat, 6 Apr 2019 15:47:38 +0800
Subject: [PATCH] cifs: Fix use-after-free in SMB2_write
Git-commit: 6a3eb3360667170988f8a6477f6686242061488a
Patch-mainline: v5.1-rc6
-References: bsc#1144333
+References: bsc#1144333, CVE-2019-15919, bsc#1149552
There is a KASAN use-after-free:
BUG: KASAN: use-after-free in SMB2_write+0x1342/0x1580
diff --git a/patches.suse/crypto-virtio-read-crypto-services-and-algorithm-masks b/patches.suse/crypto-virtio-read-crypto-services-and-algorithm-masks
new file mode 100644
index 0000000000..fb39b0e4c1
--- /dev/null
+++ b/patches.suse/crypto-virtio-read-crypto-services-and-algorithm-masks
@@ -0,0 +1,96 @@
+From: Farhan Ali <alifm@linux.ibm.com>
+Date: Tue, 19 Jun 2018 11:41:33 -0400
+Subject: crypto: virtio - Read crypto services and algorithm masks
+Git-commit: b551bac14acab9c601269e2007a6b6cad2250a4c
+Patch-mainline: v4.19-rc1
+References: jsc#SLE-5844 jsc#SLE-6331 FATE#327377 bsc#1145446 LTC#175307
+
+Read the crypto services and algorithm masks which provides
+information about the services and algorithms supported by
+virtio-crypto backend.
+
+Signed-off-by: Farhan Ali <alifm@linux.ibm.com>
+Acked-by: Gonglei <arei.gonglei@huawei.com>
+Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ drivers/crypto/virtio/virtio_crypto_common.h | 14 +++++++++++++
+ drivers/crypto/virtio/virtio_crypto_core.c | 29 +++++++++++++++++++++++++++
+ 2 files changed, 43 insertions(+)
+
+--- a/drivers/crypto/virtio/virtio_crypto_common.h
++++ b/drivers/crypto/virtio/virtio_crypto_common.h
+@@ -55,6 +55,20 @@ struct virtio_crypto {
+ /* Number of queue currently used by the driver */
+ u32 curr_queue;
+
++ /*
++ * Specifies the services mask which the device support,
++ * see VIRTIO_CRYPTO_SERVICE_*
++ */
++ u32 crypto_services;
++
++ /* Detailed algorithms mask */
++ u32 cipher_algo_l;
++ u32 cipher_algo_h;
++ u32 hash_algo;
++ u32 mac_algo_l;
++ u32 mac_algo_h;
++ u32 aead_algo;
++
+ /* Maximum length of cipher key */
+ u32 max_cipher_key_len;
+ /* Maximum length of authenticated key */
+--- a/drivers/crypto/virtio/virtio_crypto_core.c
++++ b/drivers/crypto/virtio/virtio_crypto_core.c
+@@ -329,6 +329,13 @@ static int virtcrypto_probe(struct virti
+ u32 max_data_queues = 0, max_cipher_key_len = 0;
+ u32 max_auth_key_len = 0;
+ u64 max_size = 0;
++ u32 cipher_algo_l = 0;
++ u32 cipher_algo_h = 0;
++ u32 hash_algo = 0;
++ u32 mac_algo_l = 0;
++ u32 mac_algo_h = 0;
++ u32 aead_algo = 0;
++ u32 crypto_services = 0;
+
+ if (!virtio_has_feature(vdev, VIRTIO_F_VERSION_1))
+ return -ENODEV;
+@@ -365,6 +372,20 @@ static int virtcrypto_probe(struct virti
+ max_auth_key_len, &max_auth_key_len);
+ virtio_cread(vdev, struct virtio_crypto_config,
+ max_size, &max_size);
++ virtio_cread(vdev, struct virtio_crypto_config,
++ crypto_services, &crypto_services);
++ virtio_cread(vdev, struct virtio_crypto_config,
++ cipher_algo_l, &cipher_algo_l);
++ virtio_cread(vdev, struct virtio_crypto_config,
++ cipher_algo_h, &cipher_algo_h);
++ virtio_cread(vdev, struct virtio_crypto_config,
++ hash_algo, &hash_algo);
++ virtio_cread(vdev, struct virtio_crypto_config,
++ mac_algo_l, &mac_algo_l);
++ virtio_cread(vdev, struct virtio_crypto_config,
++ mac_algo_h, &mac_algo_h);
++ virtio_cread(vdev, struct virtio_crypto_config,
++ aead_algo, &aead_algo);
+
+ /* Add virtio crypto device to global table */
+ err = virtcrypto_devmgr_add_dev(vcrypto);
+@@ -384,6 +405,14 @@ static int virtcrypto_probe(struct virti
+ vcrypto->max_cipher_key_len = max_cipher_key_len;
+ vcrypto->max_auth_key_len = max_auth_key_len;
+ vcrypto->max_size = max_size;
++ vcrypto->crypto_services = crypto_services;
++ vcrypto->cipher_algo_l = cipher_algo_l;
++ vcrypto->cipher_algo_h = cipher_algo_h;
++ vcrypto->mac_algo_l = mac_algo_l;
++ vcrypto->mac_algo_h = mac_algo_h;
++ vcrypto->hash_algo = hash_algo;
++ vcrypto->aead_algo = aead_algo;
++
+
+ dev_info(&vdev->dev,
+ "max_queues: %u, max_cipher_key_len: %u, max_auth_key_len: %u, max_size 0x%llx\n",
diff --git a/patches.suse/crypto-virtio-register-an-algo-only-if-it-s-supported b/patches.suse/crypto-virtio-register-an-algo-only-if-it-s-supported
new file mode 100644
index 0000000000..4879510a28
--- /dev/null
+++ b/patches.suse/crypto-virtio-register-an-algo-only-if-it-s-supported
@@ -0,0 +1,339 @@
+From: Farhan Ali <alifm@linux.vnet.ibm.com>
+Date: Tue, 19 Jun 2018 11:41:34 -0400
+Subject: crypto: virtio - Register an algo only if it's supported
+Git-commit: d0d859bb87ac3b4df1cb6692531fc95d093357c5
+Patch-mainline: v4.19-rc1
+References: jsc#SLE-5844 jsc#SLE-6331 FATE#327377 bsc#1145446 LTC#175307
+
+Register a crypto algo with the Linux crypto layer only if
+the algorithm is supported by the backend virtio-crypto
+device.
+
+Also route crypto requests to a virtio-crypto
+device, only if it can support the requested service and
+algorithm.
+
+Signed-off-by: Farhan Ali <alifm@linux.ibm.com>
+Acked-by: Gonglei <arei.gonglei@huawei.com>
+Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ drivers/crypto/virtio/virtio_crypto_algs.c | 112 ++++++++++++++++++---------
+ drivers/crypto/virtio/virtio_crypto_common.h | 11 +-
+ drivers/crypto/virtio/virtio_crypto_mgr.c | 81 ++++++++++++++++++-
+ 3 files changed, 159 insertions(+), 45 deletions(-)
+
+--- a/drivers/crypto/virtio/virtio_crypto_algs.c
++++ b/drivers/crypto/virtio/virtio_crypto_algs.c
+@@ -27,12 +27,18 @@
+ #include <uapi/linux/virtio_crypto.h>
+ #include "virtio_crypto_common.h"
+
++struct virtio_crypto_algo {
++ uint32_t algonum;
++ uint32_t service;
++ unsigned int active_devs;
++ struct crypto_alg algo;
++};
++
+ /*
+ * The algs_lock protects the below global virtio_crypto_active_devs
+ * and crypto algorithms registion.
+ */
+ static DEFINE_MUTEX(algs_lock);
+-static unsigned int virtio_crypto_active_devs;
+
+ static u64 virtio_crypto_alg_sg_nents_length(struct scatterlist *sg)
+ {
+@@ -255,15 +261,21 @@ static int virtio_crypto_ablkcipher_setk
+ unsigned int keylen)
+ {
+ struct virtio_crypto_ablkcipher_ctx *ctx = crypto_ablkcipher_ctx(tfm);
++ uint32_t alg;
+ int ret;
+
++ ret = virtio_crypto_alg_validate_key(keylen, &alg);
++ if (ret)
++ return ret;
++
+ if (!ctx->vcrypto) {
+ /* New key */
+ int node = virtio_crypto_get_current_node();
+ struct virtio_crypto *vcrypto =
+- virtcrypto_get_dev_node(node);
++ virtcrypto_get_dev_node(node,
++ VIRTIO_CRYPTO_SERVICE_CIPHER, alg);
+ if (!vcrypto) {
+- pr_err("virtio_crypto: Could not find a virtio device in the system");
++ pr_err("virtio_crypto: Could not find a virtio device in the system or unsupported algo\n");
+ return -ENODEV;
+ }
+
+@@ -502,57 +514,85 @@ void virtio_crypto_ablkcipher_finalize_r
+ virtcrypto_clear_request(vc_req);
+ }
+
+-static struct crypto_alg virtio_crypto_algs[] = { {
+- .cra_name = "cbc(aes)",
+- .cra_driver_name = "virtio_crypto_aes_cbc",
+- .cra_priority = 150,
+- .cra_flags = CRYPTO_ALG_TYPE_ABLKCIPHER | CRYPTO_ALG_ASYNC,
+- .cra_blocksize = AES_BLOCK_SIZE,
+- .cra_ctxsize = sizeof(struct virtio_crypto_ablkcipher_ctx),
+- .cra_alignmask = 0,
+- .cra_module = THIS_MODULE,
+- .cra_type = &crypto_ablkcipher_type,
+- .cra_init = virtio_crypto_ablkcipher_init,
+- .cra_exit = virtio_crypto_ablkcipher_exit,
+- .cra_u = {
+- .ablkcipher = {
+- .setkey = virtio_crypto_ablkcipher_setkey,
+- .decrypt = virtio_crypto_ablkcipher_decrypt,
+- .encrypt = virtio_crypto_ablkcipher_encrypt,
+- .min_keysize = AES_MIN_KEY_SIZE,
+- .max_keysize = AES_MAX_KEY_SIZE,
+- .ivsize = AES_BLOCK_SIZE,
++static struct virtio_crypto_algo virtio_crypto_algs[] = { {
++ .algonum = VIRTIO_CRYPTO_CIPHER_AES_CBC,
++ .service = VIRTIO_CRYPTO_SERVICE_CIPHER,
++ .algo = {
++ .cra_name = "cbc(aes)",
++ .cra_driver_name = "virtio_crypto_aes_cbc",
++ .cra_priority = 150,
++ .cra_flags = CRYPTO_ALG_TYPE_ABLKCIPHER | CRYPTO_ALG_ASYNC,
++ .cra_blocksize = AES_BLOCK_SIZE,
++ .cra_ctxsize = sizeof(struct virtio_crypto_ablkcipher_ctx),
++ .cra_alignmask = 0,
++ .cra_module = THIS_MODULE,
++ .cra_type = &crypto_ablkcipher_type,
++ .cra_init = virtio_crypto_ablkcipher_init,
++ .cra_exit = virtio_crypto_ablkcipher_exit,
++ .cra_u = {
++ .ablkcipher = {
++ .setkey = virtio_crypto_ablkcipher_setkey,
++ .decrypt = virtio_crypto_ablkcipher_decrypt,
++ .encrypt = virtio_crypto_ablkcipher_encrypt,
++ .min_keysize = AES_MIN_KEY_SIZE,
++ .max_keysize = AES_MAX_KEY_SIZE,
++ .ivsize = AES_BLOCK_SIZE,
++ },
+ },
+ },
+ } };
+
+-int virtio_crypto_algs_register(void)
++int virtio_crypto_algs_register(struct virtio_crypto *vcrypto)
+ {
+ int ret = 0;
++ int i = 0;
+
+ mutex_lock(&algs_lock);
+- if (++virtio_crypto_active_devs != 1)
+- goto unlock;
+
+- ret = crypto_register_algs(virtio_crypto_algs,
+- ARRAY_SIZE(virtio_crypto_algs));
+- if (ret)
+- virtio_crypto_active_devs--;
++ for (i = 0; i < ARRAY_SIZE(virtio_crypto_algs); i++) {
++
++ uint32_t service = virtio_crypto_algs[i].service;
++ uint32_t algonum = virtio_crypto_algs[i].algonum;
++
++ if (!virtcrypto_algo_is_supported(vcrypto, service, algonum))
++ continue;
++
++ if (virtio_crypto_algs[i].active_devs == 0) {
++ ret = crypto_register_alg(&virtio_crypto_algs[i].algo);
++ if (ret)
++ goto unlock;
++ }
++
++ virtio_crypto_algs[i].active_devs++;
++ dev_info(&vcrypto->vdev->dev, "Registered algo %s\n",
++ virtio_crypto_algs[i].algo.cra_name);
++ }
+
+ unlock:
+ mutex_unlock(&algs_lock);
+ return ret;
+ }
+
+-void virtio_crypto_algs_unregister(void)
++void virtio_crypto_algs_unregister(struct virtio_crypto *vcrypto)
+ {
++ int i = 0;
++
+ mutex_lock(&algs_lock);
+- if (--virtio_crypto_active_devs != 0)
+- goto unlock;
+
+- crypto_unregister_algs(virtio_crypto_algs,
+- ARRAY_SIZE(virtio_crypto_algs));
++ for (i = 0; i < ARRAY_SIZE(virtio_crypto_algs); i++) {
++
++ uint32_t service = virtio_crypto_algs[i].service;
++ uint32_t algonum = virtio_crypto_algs[i].algonum;
++
++ if (virtio_crypto_algs[i].active_devs == 0 ||
++ !virtcrypto_algo_is_supported(vcrypto, service, algonum))
++ continue;
++
++ if (virtio_crypto_algs[i].active_devs == 1)
++ crypto_unregister_alg(&virtio_crypto_algs[i].algo);
++
++ virtio_crypto_algs[i].active_devs--;
++ }
+
+-unlock:
+ mutex_unlock(&algs_lock);
+ }
+--- a/drivers/crypto/virtio/virtio_crypto_common.h
++++ b/drivers/crypto/virtio/virtio_crypto_common.h
+@@ -126,7 +126,12 @@ int virtcrypto_dev_in_use(struct virtio_
+ int virtcrypto_dev_get(struct virtio_crypto *vcrypto_dev);
+ void virtcrypto_dev_put(struct virtio_crypto *vcrypto_dev);
+ int virtcrypto_dev_started(struct virtio_crypto *vcrypto_dev);
+-struct virtio_crypto *virtcrypto_get_dev_node(int node);
++bool virtcrypto_algo_is_supported(struct virtio_crypto *vcrypto_dev,
++ uint32_t service,
++ uint32_t algo);
++struct virtio_crypto *virtcrypto_get_dev_node(int node,
++ uint32_t service,
++ uint32_t algo);
+ int virtcrypto_dev_start(struct virtio_crypto *vcrypto);
+ void virtcrypto_dev_stop(struct virtio_crypto *vcrypto);
+ int virtio_crypto_ablkcipher_crypt_req(
+@@ -151,7 +156,7 @@ static inline int virtio_crypto_get_curr
+ return node;
+ }
+
+-int virtio_crypto_algs_register(void);
+-void virtio_crypto_algs_unregister(void);
++int virtio_crypto_algs_register(struct virtio_crypto *vcrypto);
++void virtio_crypto_algs_unregister(struct virtio_crypto *vcrypto);
+
+ #endif /* _VIRTIO_CRYPTO_COMMON_H */
+--- a/drivers/crypto/virtio/virtio_crypto_mgr.c
++++ b/drivers/crypto/virtio/virtio_crypto_mgr.c
+@@ -181,14 +181,20 @@ int virtcrypto_dev_started(struct virtio
+ /*
+ * virtcrypto_get_dev_node() - Get vcrypto_dev on the node.
+ * @node: Node id the driver works.
++ * @service: Crypto service that needs to be supported by the
++ * dev
++ * @algo: The algorithm number that needs to be supported by the
++ * dev
+ *
+- * Function returns the virtio crypto device used fewest on the node.
++ * Function returns the virtio crypto device used fewest on the node,
++ * and supports the given crypto service and algorithm.
+ *
+ * To be used by virtio crypto device specific drivers.
+ *
+ * Return: pointer to vcrypto_dev or NULL if not found.
+ */
+-struct virtio_crypto *virtcrypto_get_dev_node(int node)
++struct virtio_crypto *virtcrypto_get_dev_node(int node, uint32_t service,
++ uint32_t algo)
+ {
+ struct virtio_crypto *vcrypto_dev = NULL, *tmp_dev;
+ unsigned long best = ~0;
+@@ -199,7 +205,8 @@ struct virtio_crypto *virtcrypto_get_dev
+
+ if ((node == dev_to_node(&tmp_dev->vdev->dev) ||
+ dev_to_node(&tmp_dev->vdev->dev) < 0) &&
+- virtcrypto_dev_started(tmp_dev)) {
++ virtcrypto_dev_started(tmp_dev) &&
++ virtcrypto_algo_is_supported(tmp_dev, service, algo)) {
+ ctr = atomic_read(&tmp_dev->ref_count);
+ if (best > ctr) {
+ vcrypto_dev = tmp_dev;
+@@ -214,7 +221,9 @@ struct virtio_crypto *virtcrypto_get_dev
+ /* Get any started device */
+ list_for_each_entry(tmp_dev,
+ virtcrypto_devmgr_get_head(), list) {
+- if (virtcrypto_dev_started(tmp_dev)) {
++ if (virtcrypto_dev_started(tmp_dev) &&
++ virtcrypto_algo_is_supported(tmp_dev,
++ service, algo)) {
+ vcrypto_dev = tmp_dev;
+ break;
+ }
+@@ -240,7 +249,7 @@ struct virtio_crypto *virtcrypto_get_dev
+ */
+ int virtcrypto_dev_start(struct virtio_crypto *vcrypto)
+ {
+- if (virtio_crypto_algs_register()) {
++ if (virtio_crypto_algs_register(vcrypto)) {
+ pr_err("virtio_crypto: Failed to register crypto algs\n");
+ return -EFAULT;
+ }
+@@ -260,5 +269,65 @@ int virtcrypto_dev_start(struct virtio_c
+ */
+ void virtcrypto_dev_stop(struct virtio_crypto *vcrypto)
+ {
+- virtio_crypto_algs_unregister();
++ virtio_crypto_algs_unregister(vcrypto);
++}
++
++/*
++ * vcrypto_algo_is_supported()
++ * @vcrypto: Pointer to virtio crypto device.
++ * @service: The bit number for service validate.
++ * See VIRTIO_CRYPTO_SERVICE_*
++ * @algo : The bit number for the algorithm to validate.
++ *
++ *
++ * Validate if the virtio crypto device supports a service and
++ * algo.
++ *
++ * Return true if device supports a service and algo.
++ */
++
++bool virtcrypto_algo_is_supported(struct virtio_crypto *vcrypto,
++ uint32_t service,
++ uint32_t algo)
++{
++ uint32_t service_mask = 1u << service;
++ uint32_t algo_mask = 0;
++ bool low = true;
++
++ if (algo > 31) {
++ algo -= 32;
++ low = false;
++ }
++
++ if (!(vcrypto->crypto_services & service_mask))
++ return false;
++
++ switch (service) {
++ case VIRTIO_CRYPTO_SERVICE_CIPHER:
++ if (low)
++ algo_mask = vcrypto->cipher_algo_l;
++ else
++ algo_mask = vcrypto->cipher_algo_h;
++ break;
++
++ case VIRTIO_CRYPTO_SERVICE_HASH:
++ algo_mask = vcrypto->hash_algo;
++ break;
++
++ case VIRTIO_CRYPTO_SERVICE_MAC:
++ if (low)
++ algo_mask = vcrypto->mac_algo_l;
++ else
++ algo_mask = vcrypto->mac_algo_h;
++ break;
++
++ case VIRTIO_CRYPTO_SERVICE_AEAD:
++ algo_mask = vcrypto->aead_algo;
++ break;
++ }
++
++ if (!(algo_mask & (1u << algo)))
++ return false;
++
++ return true;
+ }
diff --git a/patches.suse/drm-amdgpu-psp-move-psp-version-specific-function-po.patch b/patches.suse/drm-amdgpu-psp-move-psp-version-specific-function-po.patch
index 4c2916382b..69488d740e 100644
--- a/patches.suse/drm-amdgpu-psp-move-psp-version-specific-function-po.patch
+++ b/patches.suse/drm-amdgpu-psp-move-psp-version-specific-function-po.patch
@@ -1,13 +1,14 @@
From 9d6fea5744d6798353f37ac42a8a653a2607ca69 Mon Sep 17 00:00:00 2001
From: Alex Deucher <alexander.deucher@amd.com>
Date: Wed, 8 May 2019 21:45:06 -0500
-Subject: [PATCH] drm/amdgpu/psp: move psp version specific function pointers to early_init
-Mime-version: 1.0
-Content-type: text/plain; charset=UTF-8
-Content-transfer-encoding: 8bit
+Subject: drm/amdgpu/psp: move psp version specific function pointers to
+ early_init
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
Git-commit: 9d6fea5744d6798353f37ac42a8a653a2607ca69
Patch-mainline: v5.2-rc1
-References: bsc#1111666
+References: bsc#1111666 bsc#1135642
In case we need to use them for GPU reset prior initializing the
asic. Fixes a crash if the driver attempts to reset the GPU at driver
@@ -16,15 +17,14 @@ load time.
Acked-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
-@@ -37,18 +37,10 @@ static void psp_set_funcs(struct amdgpu_
+@@ -36,18 +36,10 @@ static void psp_set_funcs(struct amdgpu_
static int psp_early_init(void *handle)
{
struct amdgpu_device *adev = (struct amdgpu_device *)handle;
diff --git a/patches.suse/drm-etnaviv-add-missing-failure-path-to-destroy-suba.patch b/patches.suse/drm-etnaviv-add-missing-failure-path-to-destroy-suba.patch
index e1b0330ccd..59d4199528 100644
--- a/patches.suse/drm-etnaviv-add-missing-failure-path-to-destroy-suba.patch
+++ b/patches.suse/drm-etnaviv-add-missing-failure-path-to-destroy-suba.patch
@@ -1,10 +1,10 @@
From be132e1375c1fffe48801296279079f8a59a9ed3 Mon Sep 17 00:00:00 2001
From: Lucas Stach <l.stach@pengutronix.de>
Date: Thu, 27 Jun 2019 16:42:00 +0200
-Subject: [PATCH] drm/etnaviv: add missing failure path to destroy suballoc
+Subject: drm/etnaviv: add missing failure path to destroy suballoc
Git-commit: be132e1375c1fffe48801296279079f8a59a9ed3
Patch-mainline: v5.2
-References: bsc#1111666
+References: bsc#1111666 bsc#1135642
When something goes wrong in the GPU init after the cmdbuf suballocator
has been constructed, we fail to destroy it properly. This causes havok
@@ -13,17 +13,14 @@ later when the GPU is unbound due to a module unload or similar.
Fixes: e66774dd6f6a (drm/etnaviv: add cmdbuf suballocator)
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Tested-by: Russell King <rmk+kernel@armlinux.org.uk>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
- drivers/gpu/drm/etnaviv/etnaviv_gpu.c | 7 +++++--
+ drivers/gpu/drm/etnaviv/etnaviv_gpu.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
-diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
-index 72d01e873160..5418a1a87b2c 100644
--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
-@@ -760,7 +760,7 @@ int etnaviv_gpu_init(struct etnaviv_gpu *gpu)
+@@ -705,7 +705,7 @@ int etnaviv_gpu_init(struct etnaviv_gpu
if (IS_ERR(gpu->cmdbuf_suballoc)) {
dev_err(gpu->dev, "Failed to create cmdbuf suballocator\n");
ret = PTR_ERR(gpu->cmdbuf_suballoc);
@@ -32,7 +29,7 @@ index 72d01e873160..5418a1a87b2c 100644
}
/* Create buffer: */
-@@ -768,7 +768,7 @@ int etnaviv_gpu_init(struct etnaviv_gpu *gpu)
+@@ -713,7 +713,7 @@ int etnaviv_gpu_init(struct etnaviv_gpu
PAGE_SIZE);
if (ret) {
dev_err(gpu->dev, "could not create command buffer\n");
@@ -41,7 +38,7 @@ index 72d01e873160..5418a1a87b2c 100644
}
if (gpu->mmu->version == ETNAVIV_IOMMU_V1 &&
-@@ -800,6 +800,9 @@ int etnaviv_gpu_init(struct etnaviv_gpu *gpu)
+@@ -746,6 +746,9 @@ int etnaviv_gpu_init(struct etnaviv_gpu
free_buffer:
etnaviv_cmdbuf_free(&gpu->buffer);
gpu->buffer.suballoc = NULL;
@@ -51,6 +48,3 @@ index 72d01e873160..5418a1a87b2c 100644
destroy_iommu:
etnaviv_iommu_destroy(gpu->mmu);
gpu->mmu = NULL;
---
-2.16.4
-
diff --git a/patches.suse/drm-i915-Fix-wrong-escape-clock-divisor-init-for-GLK.patch b/patches.suse/drm-i915-Fix-wrong-escape-clock-divisor-init-for-GLK.patch
index b9fe49c71e..fe17b0dbf0 100644
--- a/patches.suse/drm-i915-Fix-wrong-escape-clock-divisor-init-for-GLK.patch
+++ b/patches.suse/drm-i915-Fix-wrong-escape-clock-divisor-init-for-GLK.patch
@@ -1,11 +1,11 @@
From 73a0ff0b30af79bf0303d557eb82f1d1945bb6ee Mon Sep 17 00:00:00 2001
From: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
Date: Fri, 12 Jul 2019 11:19:38 +0300
-Subject: [PATCH] drm/i915: Fix wrong escape clock divisor init for GLK
+Subject: drm/i915: Fix wrong escape clock divisor init for GLK
Git-commit: 73a0ff0b30af79bf0303d557eb82f1d1945bb6ee
Patch-mainline: v5.3-rc4
+References: bsc#1051510 bsc#1142635
No-fix: ce52ad5dd52cfaf3398058384e0ff94134bbd89c
-References: bsc#1051510
According to Bspec clock divisor registers in GeminiLake
should be initialized by shifting 1(<<) to amount of correspondent
@@ -14,8 +14,8 @@ divisor. While i915 was writing all this time that value as is.
Surprisingly that it by accident worked, until we met some issues
with Microtech Etab.
-V2: Added Fixes tag and cc
-V3: Added stable to cc as well.
+v2: Added Fixes tag and cc
+v3: Added stable to cc as well.
Signed-off-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
Reviewed-by: Vandita Kulkarni <vandita.kulkarni@intel.com>
@@ -32,18 +32,15 @@ Cc: stable@vger.kernel.org
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190712081938.14185-1-stanislav.lisovskiy@intel.com
(cherry picked from commit ce52ad5dd52cfaf3398058384e0ff94134bbd89c)
-
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
- drivers/gpu/drm/i915/display/vlv_dsi_pll.c | 4 ++--
+ drivers/gpu/drm/i915/vlv_dsi_pll.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/drivers/gpu/drm/i915/display/vlv_dsi_pll.c b/drivers/gpu/drm/i915/display/vlv_dsi_pll.c
-index 99cc3e2e9c2c..f016a776a39e 100644
--- a/drivers/gpu/drm/i915/vlv_dsi_pll.c
+++ b/drivers/gpu/drm/i915/vlv_dsi_pll.c
-@@ -396,8 +396,8 @@ static void glk_dsi_program_esc_clock(struct drm_device *dev,
+@@ -422,8 +422,8 @@ static void glk_dsi_program_esc_clock(st
else
txesc2_div = 10;
@@ -54,6 +51,3 @@ index 99cc3e2e9c2c..f016a776a39e 100644
}
/* Program BXT Mipi clocks and dividers */
---
-2.16.4
-
diff --git a/patches.suse/drm-i915-perf-ensure-we-keep-a-reference-on-the-driv.patch b/patches.suse/drm-i915-perf-ensure-we-keep-a-reference-on-the-driv.patch
index 0e45493703..09eb704be2 100644
--- a/patches.suse/drm-i915-perf-ensure-we-keep-a-reference-on-the-driv.patch
+++ b/patches.suse/drm-i915-perf-ensure-we-keep-a-reference-on-the-driv.patch
@@ -1,11 +1,11 @@
From 06c12ae3b401238477e65e8c4e04e065699a6115 Mon Sep 17 00:00:00 2001
From: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Date: Tue, 9 Jul 2019 15:33:39 +0300
-Subject: [PATCH] drm/i915/perf: ensure we keep a reference on the driver
+Subject: drm/i915/perf: ensure we keep a reference on the driver
Git-commit: 06c12ae3b401238477e65e8c4e04e065699a6115
Patch-mainline: v5.3-rc3
+References: bsc#1051510 bsc#1142635
No-fix: a5af1df716c123a09341351008fc497bea137b77
-References: bsc#1051510
The i915 perf stream has its own file descriptor and is tied to
reference of the driver. We haven't taken care of keep the driver
@@ -18,19 +18,15 @@ Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Link: https://patchwork.freedesktop.org/patch/msgid/20190709123351.5645-2-lionel.g.landwerlin@intel.com
(cherry picked from commit a5af1df716c123a09341351008fc497bea137b77)
-
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
- drivers/gpu/drm/i915/i915_perf.c | 8 ++++++++
+ drivers/gpu/drm/i915/i915_perf.c | 8 ++++++++
1 file changed, 8 insertions(+)
-diff --git a/drivers/gpu/drm/i915/i915_perf.c b/drivers/gpu/drm/i915/i915_perf.c
-index 1ae06a1b6749..629511ea9a18 100644
--- a/drivers/gpu/drm/i915/i915_perf.c
+++ b/drivers/gpu/drm/i915/i915_perf.c
-@@ -2515,6 +2515,9 @@ static int i915_perf_release(struct inode *inode, struct file *file)
+@@ -2523,6 +2523,9 @@ static int i915_perf_release(struct inod
i915_perf_destroy_locked(stream);
mutex_unlock(&dev_priv->perf.lock);
@@ -40,7 +36,7 @@ index 1ae06a1b6749..629511ea9a18 100644
return 0;
}
-@@ -2650,6 +2653,11 @@ i915_perf_open_ioctl_locked(struct drm_i915_private *dev_priv,
+@@ -2658,6 +2661,11 @@ i915_perf_open_ioctl_locked(struct drm_i
if (!(param->flags & I915_PERF_FLAG_DISABLED))
i915_perf_enable_locked(stream);
@@ -52,6 +48,3 @@ index 1ae06a1b6749..629511ea9a18 100644
return stream_fd;
err_open:
---
-2.16.4
-
diff --git a/patches.suse/drm-imx-notify-drm-core-before-sending-event-during-.patch b/patches.suse/drm-imx-notify-drm-core-before-sending-event-during-.patch
index 1c2e9dd01d..5c424acc8c 100644
--- a/patches.suse/drm-imx-notify-drm-core-before-sending-event-during-.patch
+++ b/patches.suse/drm-imx-notify-drm-core-before-sending-event-during-.patch
@@ -1,10 +1,10 @@
From 78c68e8f5cd24bd32ba4ca1cdfb0c30cf0642685 Mon Sep 17 00:00:00 2001
From: Robert Beckett <bob.beckett@collabora.com>
Date: Tue, 25 Jun 2019 18:59:13 +0100
-Subject: [PATCH] drm/imx: notify drm core before sending event during crtc disable
+Subject: drm/imx: notify drm core before sending event during crtc disable
Git-commit: 78c68e8f5cd24bd32ba4ca1cdfb0c30cf0642685
Patch-mainline: v5.2
-References: bsc#1111666
+References: bsc#1111666 bsc#1135642
Notify drm core before sending pending events during crtc disable.
This fixes the first event after disable having an old stale timestamp
@@ -28,8 +28,7 @@ Fixes: a474478642d5 ("drm/imx: fix crtc vblank state regression")
Signed-off-by: Robert Beckett <bob.beckett@collabora.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
drivers/gpu/drm/imx/ipuv3-crtc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
@@ -56,5 +55,5 @@ index 9cc1d678674f..e04d6efff1b5 100644
static void imx_drm_crtc_reset(struct drm_crtc *crtc)
--
-2.16.4
+2.22.0
diff --git a/patches.suse/drm-imx-only-send-event-on-crtc-disable-if-kept-disa.patch b/patches.suse/drm-imx-only-send-event-on-crtc-disable-if-kept-disa.patch
index 2ac3f6b068..40f9da3b6a 100644
--- a/patches.suse/drm-imx-only-send-event-on-crtc-disable-if-kept-disa.patch
+++ b/patches.suse/drm-imx-only-send-event-on-crtc-disable-if-kept-disa.patch
@@ -1,10 +1,10 @@
From 5aeab2bfc9ffa72d3ca73416635cb3785dfc076f Mon Sep 17 00:00:00 2001
From: Robert Beckett <bob.beckett@collabora.com>
Date: Tue, 25 Jun 2019 18:59:15 +0100
-Subject: [PATCH] drm/imx: only send event on crtc disable if kept disabled
+Subject: drm/imx: only send event on crtc disable if kept disabled
Git-commit: 5aeab2bfc9ffa72d3ca73416635cb3785dfc076f
Patch-mainline: v5.2
-References: bsc#1111666
+References: bsc#1111666 bsc#1135642
The event will be sent as part of the vblank enable during the modeset
if the crtc is not being kept disabled.
@@ -14,8 +14,7 @@ Fixes: 5f2f911578fb ("drm/imx: atomic phase 3 step 1: Use atomic configuration")
Signed-off-by: Robert Beckett <bob.beckett@collabora.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
drivers/gpu/drm/imx/ipuv3-crtc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
@@ -34,5 +33,5 @@ index e04d6efff1b5..c436a28d50e4 100644
crtc->state->event = NULL;
}
--
-2.16.4
+2.22.0
diff --git a/patches.suse/drm-mediatek-call-drm_atomic_helper_shutdown-when-un.patch b/patches.suse/drm-mediatek-call-drm_atomic_helper_shutdown-when-un.patch
index fb671f18d2..48fda0cf3d 100644
--- a/patches.suse/drm-mediatek-call-drm_atomic_helper_shutdown-when-un.patch
+++ b/patches.suse/drm-mediatek-call-drm_atomic_helper_shutdown-when-un.patch
@@ -1,27 +1,24 @@
From cf49b24ffa62766f8f04cd1c4cf17b75d29b240a Mon Sep 17 00:00:00 2001
From: Hsin-Yi Wang <hsinyi@chromium.org>
Date: Wed, 29 May 2019 18:25:54 +0800
-Subject: [PATCH] drm/mediatek: call drm_atomic_helper_shutdown() when unbinding driver
+Subject: drm/mediatek: call drm_atomic_helper_shutdown() when unbinding driver
Git-commit: cf49b24ffa62766f8f04cd1c4cf17b75d29b240a
Patch-mainline: v5.2-rc5
-References: bsc#1111666
+References: bsc#1111666 bsc#1135642
shutdown all CRTC when unbinding drm driver.
Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
Signed-off-by: CK Hu <ck.hu@mediatek.com>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 1 +
+ drivers/gpu/drm/mediatek/mtk_drm_drv.c | 1 +
1 file changed, 1 insertion(+)
-diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
-index e7362bdafa82..8718d123ccaa 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
-@@ -311,6 +311,7 @@ static int mtk_drm_kms_init(struct drm_device *drm)
+@@ -265,6 +265,7 @@ err_config_cleanup:
static void mtk_drm_kms_deinit(struct drm_device *drm)
{
drm_kms_helper_poll_fini(drm);
@@ -29,6 +26,3 @@ index e7362bdafa82..8718d123ccaa 100644
component_unbind_all(drm->dev, drm);
drm_mode_config_cleanup(drm);
---
-2.16.4
-
diff --git a/patches.suse/drm-mediatek-call-mtk_dsi_stop-after-mtk_drm_crtc_at.patch b/patches.suse/drm-mediatek-call-mtk_dsi_stop-after-mtk_drm_crtc_at.patch
index ff5c60736c..d38353f2b9 100644
--- a/patches.suse/drm-mediatek-call-mtk_dsi_stop-after-mtk_drm_crtc_at.patch
+++ b/patches.suse/drm-mediatek-call-mtk_dsi_stop-after-mtk_drm_crtc_at.patch
@@ -1,10 +1,10 @@
From 2458d9d6d94be982b917e93c61a89b4426f32e31 Mon Sep 17 00:00:00 2001
From: Hsin-Yi Wang <hsinyi@chromium.org>
Date: Thu, 30 May 2019 17:18:47 +0800
-Subject: [PATCH] drm/mediatek: call mtk_dsi_stop() after mtk_drm_crtc_atomic_disable()
+Subject: drm/mediatek: call mtk_dsi_stop() after mtk_drm_crtc_atomic_disable()
Git-commit: 2458d9d6d94be982b917e93c61a89b4426f32e31
Patch-mainline: v5.2-rc5
-References: bsc#1111666
+References: bsc#1111666 bsc#1135642
mtk_dsi_stop() should be called after mtk_drm_crtc_atomic_disable(), which
needs ovl irq for drm_crtc_wait_one_vblank(), since after mtk_dsi_stop() is
@@ -32,8 +32,7 @@ mtk_dsi_stop() called in mtk_dsi_poweroff() when refcount is 0.
Fixes: 0707632b5bac ("drm/mediatek: update DSI sub driver flow for sending commands to panel")
Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
Signed-off-by: CK Hu <ck.hu@mediatek.com>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
drivers/gpu/drm/mediatek/mtk_dsi.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
@@ -67,5 +66,5 @@ index 1ae3be99e0ff..179f2b080342 100644
dsi->enabled = false;
--
-2.16.4
+2.22.0
diff --git a/patches.suse/drm-mediatek-clear-num_pipes-when-unbind-driver.patch b/patches.suse/drm-mediatek-clear-num_pipes-when-unbind-driver.patch
index 408997ee98..a9ff6630dc 100644
--- a/patches.suse/drm-mediatek-clear-num_pipes-when-unbind-driver.patch
+++ b/patches.suse/drm-mediatek-clear-num_pipes-when-unbind-driver.patch
@@ -1,10 +1,10 @@
From a4cd1d2b016d5d043ab2c4b9c4ec50a5805f5396 Mon Sep 17 00:00:00 2001
From: Hsin-Yi Wang <hsinyi@chromium.org>
Date: Wed, 29 May 2019 18:25:55 +0800
-Subject: [PATCH] drm/mediatek: clear num_pipes when unbind driver
+Subject: drm/mediatek: clear num_pipes when unbind driver
Git-commit: a4cd1d2b016d5d043ab2c4b9c4ec50a5805f5396
Patch-mainline: v5.2-rc5
-References: bsc#1111666
+References: bsc#1111666 bsc#1135642
num_pipes is used for mutex created in mtk_drm_crtc_create(). If we
don't clear num_pipes count, when rebinding driver, the count will
@@ -14,17 +14,14 @@ be accumulated. From mtk_disp_mutex_get(), there can only be at most
Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
Signed-off-by: CK Hu <ck.hu@mediatek.com>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 1 +
+ drivers/gpu/drm/mediatek/mtk_drm_drv.c | 1 +
1 file changed, 1 insertion(+)
-diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
-index 8718d123ccaa..bbfe3a464aea 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
-@@ -400,6 +400,7 @@ static void mtk_drm_unbind(struct device *dev)
+@@ -351,6 +351,7 @@ static void mtk_drm_unbind(struct device
drm_dev_unregister(private->drm);
mtk_drm_kms_deinit(private->drm);
drm_dev_put(private->drm);
@@ -32,6 +29,3 @@ index 8718d123ccaa..bbfe3a464aea 100644
private->drm = NULL;
}
---
-2.16.4
-
diff --git a/patches.suse/drm-mediatek-fix-unbind-functions.patch b/patches.suse/drm-mediatek-fix-unbind-functions.patch
index 29f453ab42..bff0f3d083 100644
--- a/patches.suse/drm-mediatek-fix-unbind-functions.patch
+++ b/patches.suse/drm-mediatek-fix-unbind-functions.patch
@@ -1,10 +1,10 @@
From 8fd7a37b191f93737f6280a9b5de65f98acc12c9 Mon Sep 17 00:00:00 2001
From: Hsin-Yi Wang <hsinyi@chromium.org>
Date: Wed, 29 May 2019 18:25:52 +0800
-Subject: [PATCH] drm/mediatek: fix unbind functions
+Subject: drm/mediatek: fix unbind functions
Git-commit: 8fd7a37b191f93737f6280a9b5de65f98acc12c9
Patch-mainline: v5.2-rc5
-References: bsc#1111666
+References: bsc#1111666 bsc#1135642
detatch panel in mtk_dsi_destroy_conn_enc(), since .bind will try to
attach it again.
@@ -12,8 +12,7 @@ attach it again.
Fixes: 2e54c14e310f ("drm/mediatek: Add DSI sub driver")
Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
Signed-off-by: CK Hu <ck.hu@mediatek.com>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
drivers/gpu/drm/mediatek/mtk_dsi.c | 2 ++
1 file changed, 2 insertions(+)
@@ -32,5 +31,5 @@ index b00eb2d2e086..1ae3be99e0ff 100644
static void mtk_dsi_ddp_start(struct mtk_ddp_comp *comp)
--
-2.16.4
+2.22.0
diff --git a/patches.suse/drm-mediatek-mtk_drm_drv.c-Add-of_node_put-before-go.patch b/patches.suse/drm-mediatek-mtk_drm_drv.c-Add-of_node_put-before-go.patch
index a3db7b22f1..786a7549b0 100644
--- a/patches.suse/drm-mediatek-mtk_drm_drv.c-Add-of_node_put-before-go.patch
+++ b/patches.suse/drm-mediatek-mtk_drm_drv.c-Add-of_node_put-before-go.patch
@@ -1,10 +1,10 @@
From 165d42c012be69900f0e2f8545626cb9e7d4a832 Mon Sep 17 00:00:00 2001
From: Nishka Dasgupta <nishkadg.linux@gmail.com>
Date: Sat, 6 Jul 2019 19:00:21 +0530
-Subject: [PATCH] drm/mediatek: mtk_drm_drv.c: Add of_node_put() before goto
+Subject: drm/mediatek: mtk_drm_drv.c: Add of_node_put() before goto
Git-commit: 165d42c012be69900f0e2f8545626cb9e7d4a832
Patch-mainline: v5.3-rc6
-References: bsc#1111666
+References: bsc#1111666 bsc#1142635
Each iteration of for_each_child_of_node puts the previous
node, but in the case of a goto from the middle of the loop, there is
@@ -16,8 +16,7 @@ Fixes: 119f5173628a (drm/mediatek: Add DRM Driver for Mediatek SoC MT8173)
Signed-off-by: Nishka Dasgupta <nishkadg.linux@gmail.com>
Signed-off-by: CK Hu <ck.hu@mediatek.com>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
drivers/gpu/drm/mediatek/mtk_drm_drv.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
@@ -44,5 +43,5 @@ index c021d4c8324f..7f5408cb2377 100644
private->ddp_comp[comp_id] = comp;
}
--
-2.16.4
+2.22.0
diff --git a/patches.suse/drm-mediatek-unbind-components-in-mtk_drm_unbind.patch b/patches.suse/drm-mediatek-unbind-components-in-mtk_drm_unbind.patch
index 05fc9c54aa..98f5c2410c 100644
--- a/patches.suse/drm-mediatek-unbind-components-in-mtk_drm_unbind.patch
+++ b/patches.suse/drm-mediatek-unbind-components-in-mtk_drm_unbind.patch
@@ -1,10 +1,10 @@
From f0fd848342802bc0f74620d387eead53e8905804 Mon Sep 17 00:00:00 2001
From: Hsin-Yi Wang <hsinyi@chromium.org>
Date: Wed, 29 May 2019 18:25:53 +0800
-Subject: [PATCH] drm/mediatek: unbind components in mtk_drm_unbind()
+Subject: drm/mediatek: unbind components in mtk_drm_unbind()
Git-commit: f0fd848342802bc0f74620d387eead53e8905804
Patch-mainline: v5.2-rc5
-References: bsc#1111666
+References: bsc#1111666 bsc#1135642
Unbinding components (i.e. mtk_dsi and mtk_disp_ovl/rdma/color) will
trigger master(mtk_drm)'s .unbind(), and currently mtk_drm's unbind
@@ -20,17 +20,14 @@ called here.
Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
Signed-off-by: CK Hu <ck.hu@mediatek.com>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 6 +-----
+ drivers/gpu/drm/mediatek/mtk_drm_drv.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
-diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
-index 57ce4708ef1b..e7362bdafa82 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
-@@ -397,6 +397,7 @@ static void mtk_drm_unbind(struct device *dev)
+@@ -348,6 +348,7 @@ static void mtk_drm_unbind(struct device
struct mtk_drm_private *private = dev_get_drvdata(dev);
drm_dev_unregister(private->drm);
@@ -38,7 +35,7 @@ index 57ce4708ef1b..e7362bdafa82 100644
drm_dev_put(private->drm);
private->drm = NULL;
}
-@@ -568,13 +569,8 @@ static int mtk_drm_probe(struct platform_device *pdev)
+@@ -497,13 +498,8 @@ err_node:
static int mtk_drm_remove(struct platform_device *pdev)
{
struct mtk_drm_private *private = platform_get_drvdata(pdev);
@@ -52,6 +49,3 @@ index 57ce4708ef1b..e7362bdafa82 100644
component_master_del(&pdev->dev, &mtk_drm_ops);
pm_runtime_disable(&pdev->dev);
of_node_put(private->mutex_node);
---
-2.16.4
-
diff --git a/patches.suse/drm-mediatek-use-correct-device-to-import-PRIME-buff.patch b/patches.suse/drm-mediatek-use-correct-device-to-import-PRIME-buff.patch
index 3ff6bbb579..66a335b904 100644
--- a/patches.suse/drm-mediatek-use-correct-device-to-import-PRIME-buff.patch
+++ b/patches.suse/drm-mediatek-use-correct-device-to-import-PRIME-buff.patch
@@ -1,10 +1,10 @@
From 4c6f3196e6ea111c456c6086dc3f57d4706b0b2d Mon Sep 17 00:00:00 2001
From: Alexandre Courbot <acourbot@chromium.org>
Date: Mon, 29 Jul 2019 14:33:34 +0900
-Subject: [PATCH] drm/mediatek: use correct device to import PRIME buffers
+Subject: drm/mediatek: use correct device to import PRIME buffers
Git-commit: 4c6f3196e6ea111c456c6086dc3f57d4706b0b2d
Patch-mainline: v5.3-rc6
-References: bsc#1111666
+References: bsc#1111666 bsc#1142635
PRIME buffers should be imported using the DMA device. To this end, use
a custom import function that mimics drm_gem_prime_import_dev(), but
@@ -13,8 +13,7 @@ passes the correct device.
Fixes: 119f5173628aa ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
Signed-off-by: Alexandre Courbot <acourbot@chromium.org>
Signed-off-by: CK Hu <ck.hu@mediatek.com>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
drivers/gpu/drm/mediatek/mtk_drm_drv.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
@@ -52,5 +51,5 @@ index 95fdbd0fbcac..8b18a00a58c7 100644
.gem_prime_import_sg_table = mtk_gem_prime_import_sg_table,
.gem_prime_mmap = mtk_drm_gem_mmap_buf,
--
-2.16.4
+2.22.0
diff --git a/patches.suse/drm-msm-mdp5-Fix-mdp5_cfg_init-error-return.patch b/patches.suse/drm-msm-mdp5-Fix-mdp5_cfg_init-error-return.patch
index 37ca0495b1..4670b0d4ff 100644
--- a/patches.suse/drm-msm-mdp5-Fix-mdp5_cfg_init-error-return.patch
+++ b/patches.suse/drm-msm-mdp5-Fix-mdp5_cfg_init-error-return.patch
@@ -1,10 +1,10 @@
From fc19cbb785d7bbd1a1af26229b5240a3ab332744 Mon Sep 17 00:00:00 2001
From: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
Date: Tue, 21 May 2019 08:00:30 -0700
-Subject: [PATCH] drm/msm/mdp5: Fix mdp5_cfg_init error return
+Subject: drm/msm/mdp5: Fix mdp5_cfg_init error return
Git-commit: fc19cbb785d7bbd1a1af26229b5240a3ab332744
Patch-mainline: v5.3-rc1
-References: bsc#1111666
+References: bsc#1111666 bsc#1142635
If mdp5_cfg_init fails because of an unknown major version, a null pointer
dereference occurs. This is because the caller of init expects error
@@ -15,17 +15,14 @@ Fixes: 2e362e1772b8 (drm/msm/mdp5: introduce mdp5_cfg module)
Signed-off-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Rob Clark <robdclark@chromium.org>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
drivers/gpu/drm/msm/disp/mdp5/mdp5_cfg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_cfg.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_cfg.c
-index ea8f7d7daf7f..52e23780fce1 100644
--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_cfg.c
+++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_cfg.c
-@@ -721,7 +721,7 @@ struct mdp5_cfg_handler *mdp5_cfg_init(struct mdp5_kms *mdp5_kms,
+@@ -633,7 +633,7 @@ fail:
if (cfg_handler)
mdp5_cfg_destroy(cfg_handler);
@@ -34,6 +31,3 @@ index ea8f7d7daf7f..52e23780fce1 100644
}
static struct mdp5_cfg_platform *mdp5_get_config(struct platform_device *dev)
---
-2.16.4
-
diff --git a/patches.suse/drm-nouveau-Don-t-retry-infinitely-when-receiving-no.patch b/patches.suse/drm-nouveau-Don-t-retry-infinitely-when-receiving-no.patch
new file mode 100644
index 0000000000..931b32d0b4
--- /dev/null
+++ b/patches.suse/drm-nouveau-Don-t-retry-infinitely-when-receiving-no.patch
@@ -0,0 +1,107 @@
+From c358ebf59634f06d8ed176da651ec150df3c8686 Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Thu, 25 Jul 2019 15:40:01 -0400
+Subject: drm/nouveau: Don't retry infinitely when receiving no data on i2c
+ over AUX
+Git-commit: c358ebf59634f06d8ed176da651ec150df3c8686
+Patch-mainline: v5.3-rc6
+References: bsc#1142635
+
+While I had thought I had fixed this issue in:
+
+commit 342406e4fbba ("drm/nouveau/i2c: Disable i2c bus access after
+->fini()")
+
+It turns out that while I did fix the error messages I was seeing on my
+P50 when trying to access i2c busses with the GPU in runtime suspend, I
+accidentally had missed one important detail that was mentioned on the
+bug report this commit was supposed to fix: that the CPU would only lock
+up when trying to access i2c busses _on connected devices_ _while the
+GPU is not in runtime suspend_. Whoops. That definitely explains why I
+was not able to get my machine to hang with i2c bus interactions until
+now, as plugging my P50 into it's dock with an HDMI monitor connected
+allowed me to finally reproduce this locally.
+
+Now that I have managed to reproduce this issue properly, it looks like
+the problem is much simpler then it looks. It turns out that some
+connected devices, such as MST laptop docks, will actually ACK i2c reads
+even if no data was actually read:
+
+[ 275.063043] nouveau 0000:01:00.0: i2c: aux 000a: 1: 0000004c 1
+[ 275.063447] nouveau 0000:01:00.0: i2c: aux 000a: 00 01101000 10040000
+[ 275.063759] nouveau 0000:01:00.0: i2c: aux 000a: rd 00000001
+[ 275.064024] nouveau 0000:01:00.0: i2c: aux 000a: rd 00000000
+[ 275.064285] nouveau 0000:01:00.0: i2c: aux 000a: rd 00000000
+[ 275.064594] nouveau 0000:01:00.0: i2c: aux 000a: rd 00000000
+
+Because we don't handle the situation of i2c ack without any data, we
+end up entering an infinite loop in nvkm_i2c_aux_i2c_xfer() since the
+value of cnt always remains at 0. This finally properly explains how
+this could result in a CPU hang like the ones observed in the
+aforementioned commit.
+
+So, fix this by retrying transactions if no data is written or received,
+and give up and fail the transaction if we continue to not write or
+receive any data after 32 retries.
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+---
+ drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c | 24 +++++++++++++------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c
+index b4e7404fe660..a11637b0f6cc 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c
+@@ -40,8 +40,7 @@ nvkm_i2c_aux_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
+ u8 *ptr = msg->buf;
+
+ while (remaining) {
+- u8 cnt = (remaining > 16) ? 16 : remaining;
+- u8 cmd;
++ u8 cnt, retries, cmd;
+
+ if (msg->flags & I2C_M_RD)
+ cmd = 1;
+@@ -51,10 +50,19 @@ nvkm_i2c_aux_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
+ if (mcnt || remaining > 16)
+ cmd |= 4; /* MOT */
+
+- ret = aux->func->xfer(aux, true, cmd, msg->addr, ptr, &cnt);
+- if (ret < 0) {
+- nvkm_i2c_aux_release(aux);
+- return ret;
++ for (retries = 0, cnt = 0;
++ retries < 32 && !cnt;
++ retries++) {
++ cnt = min_t(u8, remaining, 16);
++ ret = aux->func->xfer(aux, true, cmd,
++ msg->addr, ptr, &cnt);
++ if (ret < 0)
++ goto out;
++ }
++ if (!cnt) {
++ AUX_TRACE(aux, "no data after 32 retries");
++ ret = -EIO;
++ goto out;
+ }
+
+ ptr += cnt;
+@@ -64,8 +72,10 @@ nvkm_i2c_aux_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
+ msg++;
+ }
+
++ ret = num;
++out:
+ nvkm_i2c_aux_release(aux);
+- return num;
++ return ret;
+ }
+
+ static u32
+--
+2.22.0
+
diff --git a/patches.suse/drm-rockchip-Suspend-DP-late.patch b/patches.suse/drm-rockchip-Suspend-DP-late.patch
index 1d86d66a3b..11e56910b9 100644
--- a/patches.suse/drm-rockchip-Suspend-DP-late.patch
+++ b/patches.suse/drm-rockchip-Suspend-DP-late.patch
@@ -1,10 +1,10 @@
From f7ccbed656f78212593ca965d9a8f34bf24e0aab Mon Sep 17 00:00:00 2001
From: Douglas Anderson <dianders@chromium.org>
Date: Fri, 2 Aug 2019 11:46:16 -0700
-Subject: [PATCH] drm/rockchip: Suspend DP late
+Subject: drm/rockchip: Suspend DP late
Git-commit: f7ccbed656f78212593ca965d9a8f34bf24e0aab
Patch-mainline: v5.3-rc4
-References: bsc#1051510
+References: bsc#1051510 bsc#1142635
In commit fe64ba5c6323 ("drm/rockchip: Resume DP early") we moved
resume to be early but left suspend at its normal time. This seems
@@ -22,17 +22,14 @@ Fixes: fe64ba5c6323 ("drm/rockchip: Resume DP early")
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20190802184616.44822-1-dianders@chromium.org
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
- drivers/gpu/drm/rockchip/analogix_dp-rockchip.c | 2 +-
+ drivers/gpu/drm/rockchip/analogix_dp-rockchip.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c b/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c
-index 95e5c517a15f..9aae3d8e99ef 100644
--- a/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c
+++ b/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c
-@@ -432,7 +432,7 @@ static int rockchip_dp_resume(struct device *dev)
+@@ -428,7 +428,7 @@ static int rockchip_dp_remove(struct pla
static const struct dev_pm_ops rockchip_dp_pm_ops = {
#ifdef CONFIG_PM_SLEEP
@@ -41,6 +38,3 @@ index 95e5c517a15f..9aae3d8e99ef 100644
.resume_early = rockchip_dp_resume,
#endif
};
---
-2.16.4
-
diff --git a/patches.suse/drm-udl-introduce-a-macro-to-convert-dev-to-udl.patch b/patches.suse/drm-udl-introduce-a-macro-to-convert-dev-to-udl.patch
index 8048420148..8b0896bdc1 100644
--- a/patches.suse/drm-udl-introduce-a-macro-to-convert-dev-to-udl.patch
+++ b/patches.suse/drm-udl-introduce-a-macro-to-convert-dev-to-udl.patch
@@ -1,30 +1,27 @@
From fd96e0dba19c53c2d66f2a398716bb74df8ca85e Mon Sep 17 00:00:00 2001
From: Dave Airlie <airlied@redhat.com>
Date: Fri, 5 Apr 2019 13:17:14 +1000
-Subject: [PATCH] drm/udl: introduce a macro to convert dev to udl.
+Subject: drm/udl: introduce a macro to convert dev to udl.
Git-commit: fd96e0dba19c53c2d66f2a398716bb74df8ca85e
Patch-mainline: v5.2-rc1
-References: bsc#1111666
+References: bsc#1111666 bsc#1113722
This just makes it easier to later embed drm into udl.
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190405031715.5959-3-airlied@gmail.com
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
- drivers/gpu/drm/udl/udl_drv.h | 2 ++
- drivers/gpu/drm/udl/udl_fb.c | 10 +++++-----
- drivers/gpu/drm/udl/udl_gem.c | 2 +-
- drivers/gpu/drm/udl/udl_main.c | 12 ++++++------
+ drivers/gpu/drm/udl/udl_drv.h | 2 ++
+ drivers/gpu/drm/udl/udl_fb.c | 10 +++++-----
+ drivers/gpu/drm/udl/udl_gem.c | 2 +-
+ drivers/gpu/drm/udl/udl_main.c | 12 ++++++------
4 files changed, 14 insertions(+), 12 deletions(-)
-diff --git a/drivers/gpu/drm/udl/udl_drv.h b/drivers/gpu/drm/udl/udl_drv.h
-index 4ae67d882eae..b3e08e876d62 100644
--- a/drivers/gpu/drm/udl/udl_drv.h
+++ b/drivers/gpu/drm/udl/udl_drv.h
-@@ -71,6 +71,8 @@ struct udl_device {
+@@ -68,6 +68,8 @@ struct udl_device {
atomic_t cpu_kcycles_used; /* transpired during pixel processing */
};
@@ -33,11 +30,9 @@ index 4ae67d882eae..b3e08e876d62 100644
struct udl_gem_object {
struct drm_gem_object base;
struct page **pages;
-diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
-index f8ff5a6f559e..16593d4f02b4 100644
--- a/drivers/gpu/drm/udl/udl_fb.c
+++ b/drivers/gpu/drm/udl/udl_fb.c
-@@ -82,7 +82,7 @@ int udl_handle_damage(struct udl_framebuffer *fb, int x, int y,
+@@ -82,7 +82,7 @@ int udl_handle_damage(struct udl_framebu
int width, int height)
{
struct drm_device *dev = fb->base.dev;
@@ -46,7 +41,7 @@ index f8ff5a6f559e..16593d4f02b4 100644
int i, ret;
char *cmd;
cycles_t start_cycles, end_cycles;
-@@ -210,7 +210,7 @@ static int udl_fb_open(struct fb_info *info, int user)
+@@ -210,7 +210,7 @@ static int udl_fb_open(struct fb_info *i
{
struct udl_fbdev *ufbdev = info->par;
struct drm_device *dev = ufbdev->ufb.base.dev;
@@ -55,7 +50,7 @@ index f8ff5a6f559e..16593d4f02b4 100644
/* If the USB device is gone, we don't accept new opens */
if (drm_dev_is_unplugged(udl->ddev))
-@@ -437,7 +437,7 @@ static void udl_fbdev_destroy(struct drm_device *dev,
+@@ -442,7 +442,7 @@ static void udl_fbdev_destroy(struct drm
int udl_fbdev_init(struct drm_device *dev)
{
@@ -64,7 +59,7 @@ index f8ff5a6f559e..16593d4f02b4 100644
int bpp_sel = fb_bpp;
struct udl_fbdev *ufbdev;
int ret;
-@@ -476,7 +476,7 @@ int udl_fbdev_init(struct drm_device *dev)
+@@ -481,7 +481,7 @@ free:
void udl_fbdev_cleanup(struct drm_device *dev)
{
@@ -73,7 +68,7 @@ index f8ff5a6f559e..16593d4f02b4 100644
if (!udl->fbdev)
return;
-@@ -487,7 +487,7 @@ void udl_fbdev_cleanup(struct drm_device *dev)
+@@ -492,7 +492,7 @@ void udl_fbdev_cleanup(struct drm_device
void udl_fbdev_unplug(struct drm_device *dev)
{
@@ -82,8 +77,6 @@ index f8ff5a6f559e..16593d4f02b4 100644
struct udl_fbdev *ufbdev;
if (!udl->fbdev)
return;
-diff --git a/drivers/gpu/drm/udl/udl_gem.c b/drivers/gpu/drm/udl/udl_gem.c
-index bb7b58407039..3b3e17652bb2 100644
--- a/drivers/gpu/drm/udl/udl_gem.c
+++ b/drivers/gpu/drm/udl/udl_gem.c
@@ -203,7 +203,7 @@ int udl_gem_mmap(struct drm_file *file, struct drm_device *dev,
@@ -95,8 +88,6 @@ index bb7b58407039..3b3e17652bb2 100644
int ret = 0;
mutex_lock(&udl->gem_lock);
-diff --git a/drivers/gpu/drm/udl/udl_main.c b/drivers/gpu/drm/udl/udl_main.c
-index 1f8ef34ade24..862c099d7c4c 100644
--- a/drivers/gpu/drm/udl/udl_main.c
+++ b/drivers/gpu/drm/udl/udl_main.c
@@ -30,7 +30,7 @@
@@ -108,7 +99,7 @@ index 1f8ef34ade24..862c099d7c4c 100644
char *desc;
char *buf;
char *desc_end;
-@@ -166,7 +166,7 @@ void udl_urb_completion(struct urb *urb)
+@@ -164,7 +164,7 @@ void udl_urb_completion(struct urb *urb)
static void udl_free_urb_list(struct drm_device *dev)
{
@@ -117,7 +108,7 @@ index 1f8ef34ade24..862c099d7c4c 100644
int count = udl->urbs.count;
struct list_head *node;
struct urb_node *unode;
-@@ -199,7 +199,7 @@ static void udl_free_urb_list(struct drm_device *dev)
+@@ -198,7 +198,7 @@ static void udl_free_urb_list(struct drm
static int udl_alloc_urb_list(struct drm_device *dev, int count, size_t size)
{
@@ -126,7 +117,7 @@ index 1f8ef34ade24..862c099d7c4c 100644
struct urb *urb;
struct urb_node *unode;
char *buf;
-@@ -263,7 +263,7 @@ static int udl_alloc_urb_list(struct drm_device *dev, int count, size_t size)
+@@ -262,7 +262,7 @@ retry:
struct urb *udl_get_urb(struct drm_device *dev)
{
@@ -135,7 +126,7 @@ index 1f8ef34ade24..862c099d7c4c 100644
int ret = 0;
struct list_head *entry;
struct urb_node *unode;
-@@ -296,7 +296,7 @@ struct urb *udl_get_urb(struct drm_device *dev)
+@@ -296,7 +296,7 @@ error:
int udl_submit_urb(struct drm_device *dev, struct urb *urb, size_t len)
{
@@ -144,7 +135,7 @@ index 1f8ef34ade24..862c099d7c4c 100644
int ret;
BUG_ON(len > udl->urbs.size);
-@@ -371,7 +371,7 @@ int udl_drop_usb(struct drm_device *dev)
+@@ -372,7 +372,7 @@ int udl_drop_usb(struct drm_device *dev)
void udl_driver_unload(struct drm_device *dev)
{
@@ -153,6 +144,3 @@ index 1f8ef34ade24..862c099d7c4c 100644
drm_kms_helper_poll_fini(dev);
---
-2.16.4
-
diff --git a/patches.suse/drm-udl-move-to-embedding-drm-device-inside-udl-devi.patch b/patches.suse/drm-udl-move-to-embedding-drm-device-inside-udl-devi.patch
index 0f44d4a83a..f0da7d6e7a 100644
--- a/patches.suse/drm-udl-move-to-embedding-drm-device-inside-udl-devi.patch
+++ b/patches.suse/drm-udl-move-to-embedding-drm-device-inside-udl-devi.patch
@@ -1,10 +1,10 @@
From 6ecac85eadb9d4065b9038fa3d3c66d49038e14b Mon Sep 17 00:00:00 2001
From: Dave Airlie <airlied@redhat.com>
Date: Fri, 5 Apr 2019 13:17:15 +1000
-Subject: [PATCH] drm/udl: move to embedding drm device inside udl device.
+Subject: drm/udl: move to embedding drm device inside udl device.
Git-commit: 6ecac85eadb9d4065b9038fa3d3c66d49038e14b
Patch-mainline: v5.2-rc1
-References: bsc#1111666
+References: bsc#1111666 bsc#1113722
This should help with some of the lifetime issues, and move us away
from load/unload.
@@ -12,20 +12,17 @@ from load/unload.
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190405031715.5959-4-airlied@gmail.com
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
- drivers/gpu/drm/udl/udl_drv.c | 56 +++++++++++++++++++++++++++++++++---------
- drivers/gpu/drm/udl/udl_drv.h | 9 +++----
- drivers/gpu/drm/udl/udl_fb.c | 2 +-
- drivers/gpu/drm/udl/udl_main.c | 23 +++--------------
+ drivers/gpu/drm/udl/udl_drv.c | 56 ++++++++++++++++++++++++++++++++---------
+ drivers/gpu/drm/udl/udl_drv.h | 9 ++----
+ drivers/gpu/drm/udl/udl_fb.c | 2 -
+ drivers/gpu/drm/udl/udl_main.c | 23 ++--------------
4 files changed, 53 insertions(+), 37 deletions(-)
-diff --git a/drivers/gpu/drm/udl/udl_drv.c b/drivers/gpu/drm/udl/udl_drv.c
-index b7d01b3664cb..312bf324841a 100644
--- a/drivers/gpu/drm/udl/udl_drv.c
+++ b/drivers/gpu/drm/udl/udl_drv.c
-@@ -48,10 +48,16 @@ static const struct file_operations udl_driver_fops = {
+@@ -48,10 +48,16 @@ static const struct file_operations udl_
.llseek = noop_llseek,
};
@@ -44,7 +41,7 @@ index b7d01b3664cb..312bf324841a 100644
.release = udl_driver_release,
/* gem hooks */
-@@ -75,28 +81,56 @@ static struct drm_driver driver = {
+@@ -77,28 +83,56 @@ static struct drm_driver driver = {
.patchlevel = DRIVER_PATCHLEVEL,
};
@@ -110,11 +107,9 @@ index b7d01b3664cb..312bf324841a 100644
return r;
}
-diff --git a/drivers/gpu/drm/udl/udl_drv.h b/drivers/gpu/drm/udl/udl_drv.h
-index b3e08e876d62..35c1f33fbc1a 100644
--- a/drivers/gpu/drm/udl/udl_drv.h
+++ b/drivers/gpu/drm/udl/udl_drv.h
-@@ -50,8 +50,8 @@ struct urb_list {
+@@ -49,8 +49,8 @@ struct urb_list {
struct udl_fbdev;
struct udl_device {
@@ -124,7 +119,7 @@ index b3e08e876d62..35c1f33fbc1a 100644
struct usb_device *udev;
struct drm_crtc *crtc;
-@@ -71,7 +71,7 @@ struct udl_device {
+@@ -68,7 +68,7 @@ struct udl_device {
atomic_t cpu_kcycles_used; /* transpired during pixel processing */
};
@@ -133,7 +128,7 @@ index b3e08e876d62..35c1f33fbc1a 100644
struct udl_gem_object {
struct drm_gem_object base;
-@@ -104,9 +104,8 @@ struct urb *udl_get_urb(struct drm_device *dev);
+@@ -101,9 +101,8 @@ struct urb *udl_get_urb(struct drm_devic
int udl_submit_urb(struct drm_device *dev, struct urb *urb, size_t len);
void udl_urb_completion(struct urb *urb);
@@ -145,11 +140,9 @@ index b3e08e876d62..35c1f33fbc1a 100644
int udl_fbdev_init(struct drm_device *dev);
void udl_fbdev_cleanup(struct drm_device *dev);
-diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
-index 16593d4f02b4..b9b67a546d4c 100644
--- a/drivers/gpu/drm/udl/udl_fb.c
+++ b/drivers/gpu/drm/udl/udl_fb.c
-@@ -213,7 +213,7 @@ static int udl_fb_open(struct fb_info *info, int user)
+@@ -213,7 +213,7 @@ static int udl_fb_open(struct fb_info *i
struct udl_device *udl = to_udl(dev);
/* If the USB device is gone, we don't accept new opens */
@@ -158,11 +151,9 @@ index 16593d4f02b4..b9b67a546d4c 100644
return -ENODEV;
ufbdev->fb_count++;
-diff --git a/drivers/gpu/drm/udl/udl_main.c b/drivers/gpu/drm/udl/udl_main.c
-index 862c099d7c4c..6743eaef4594 100644
--- a/drivers/gpu/drm/udl/udl_main.c
+++ b/drivers/gpu/drm/udl/udl_main.c
-@@ -311,20 +311,12 @@ int udl_submit_urb(struct drm_device *dev, struct urb *urb, size_t len)
+@@ -311,20 +311,12 @@ int udl_submit_urb(struct drm_device *de
return ret;
}
@@ -185,7 +176,7 @@ index 862c099d7c4c..6743eaef4594 100644
mutex_init(&udl->gem_lock);
-@@ -358,7 +350,6 @@ int udl_driver_load(struct drm_device *dev, unsigned long flags)
+@@ -359,7 +351,6 @@ err_fb:
err:
if (udl->urbs.count)
udl_free_urb_list(dev);
@@ -193,7 +184,7 @@ index 862c099d7c4c..6743eaef4594 100644
DRM_ERROR("%d\n", ret);
return ret;
}
-@@ -369,7 +360,7 @@ int udl_drop_usb(struct drm_device *dev)
+@@ -370,7 +361,7 @@ int udl_drop_usb(struct drm_device *dev)
return 0;
}
@@ -202,7 +193,7 @@ index 862c099d7c4c..6743eaef4594 100644
{
struct udl_device *udl = to_udl(dev);
-@@ -379,12 +370,4 @@ void udl_driver_unload(struct drm_device *dev)
+@@ -380,12 +371,4 @@ void udl_driver_unload(struct drm_device
udl_free_urb_list(dev);
udl_fbdev_cleanup(dev);
@@ -215,6 +206,3 @@ index 862c099d7c4c..6743eaef4594 100644
- drm_dev_fini(dev);
- kfree(dev);
}
---
-2.16.4
-
diff --git a/patches.suse/drm-vmwgfx-Use-the-backdoor-port-if-the-HB-port-is-n.patch b/patches.suse/drm-vmwgfx-Use-the-backdoor-port-if-the-HB-port-is-n.patch
index a85481df2f..35754c6465 100644
--- a/patches.suse/drm-vmwgfx-Use-the-backdoor-port-if-the-HB-port-is-n.patch
+++ b/patches.suse/drm-vmwgfx-Use-the-backdoor-port-if-the-HB-port-is-n.patch
@@ -1,10 +1,10 @@
From cc0ba0d8624f210995924bb57a8b181ce8976606 Mon Sep 17 00:00:00 2001
From: Thomas Hellstrom <thellstrom@vmware.com>
Date: Wed, 29 May 2019 08:15:19 +0200
-Subject: [PATCH] drm/vmwgfx: Use the backdoor port if the HB port is not available
+Subject: drm/vmwgfx: Use the backdoor port if the HB port is not available
Git-commit: cc0ba0d8624f210995924bb57a8b181ce8976606
Patch-mainline: v5.2-rc6
-References: bsc#1111666
+References: bsc#1111666 bsc#1135642
The HB port may not be available for various reasons. Either it has been
disabled by a config option or by the hypervisor for other reasons.
@@ -15,17 +15,14 @@ Cc: stable@vger.kernel.org
Fixes: 89da76fde68d ("drm/vmwgfx: Add VMWare host messaging capability")
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Deepak Rawat <drawat@vmware.com>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
- drivers/gpu/drm/vmwgfx/vmwgfx_msg.c | 146 +++++++++++++++++++++++++++++-------
+ drivers/gpu/drm/vmwgfx/vmwgfx_msg.c | 146 ++++++++++++++++++++++++++++--------
1 file changed, 117 insertions(+), 29 deletions(-)
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
-index 8b9270f31409..e4e09d47c5c0 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
-@@ -136,6 +136,114 @@ static int vmw_close_channel(struct rpc_channel *channel)
+@@ -135,6 +135,114 @@ static int vmw_close_channel(struct rpc_
return 0;
}
@@ -140,7 +137,7 @@ index 8b9270f31409..e4e09d47c5c0 100644
/**
-@@ -148,11 +256,10 @@ static int vmw_close_channel(struct rpc_channel *channel)
+@@ -147,11 +255,10 @@ static int vmw_close_channel(struct rpc_
*/
static int vmw_send_msg(struct rpc_channel *channel, const char *msg)
{
@@ -153,7 +150,7 @@ index 8b9270f31409..e4e09d47c5c0 100644
while (retries < RETRIES) {
retries++;
-@@ -166,23 +273,14 @@ static int vmw_send_msg(struct rpc_channel *channel, const char *msg)
+@@ -165,23 +272,14 @@ static int vmw_send_msg(struct rpc_chann
VMW_HYPERVISOR_MAGIC,
eax, ebx, ecx, edx, si, di);
@@ -181,7 +178,7 @@ index 8b9270f31409..e4e09d47c5c0 100644
if ((HIGH_WORD(ebx) & MESSAGE_STATUS_SUCCESS) != 0) {
return 0;
-@@ -211,7 +309,7 @@ STACK_FRAME_NON_STANDARD(vmw_send_msg);
+@@ -210,7 +308,7 @@ STACK_FRAME_NON_STANDARD(vmw_send_msg);
static int vmw_recv_msg(struct rpc_channel *channel, void **msg,
size_t *msg_len)
{
@@ -190,7 +187,7 @@ index 8b9270f31409..e4e09d47c5c0 100644
char *reply;
size_t reply_len;
int retries = 0;
-@@ -233,8 +331,7 @@ static int vmw_recv_msg(struct rpc_channel *channel, void **msg,
+@@ -232,8 +330,7 @@ static int vmw_recv_msg(struct rpc_chann
VMW_HYPERVISOR_MAGIC,
eax, ebx, ecx, edx, si, di);
@@ -200,7 +197,7 @@ index 8b9270f31409..e4e09d47c5c0 100644
DRM_ERROR("Failed to get reply size for host message.\n");
return -EINVAL;
}
-@@ -252,17 +349,8 @@ static int vmw_recv_msg(struct rpc_channel *channel, void **msg,
+@@ -251,17 +348,8 @@ static int vmw_recv_msg(struct rpc_chann
/* Receive buffer */
@@ -220,6 +217,3 @@ index 8b9270f31409..e4e09d47c5c0 100644
if ((HIGH_WORD(ebx) & MESSAGE_STATUS_SUCCESS) == 0) {
kfree(reply);
---
-2.16.4
-
diff --git a/patches.suse/drm-vmwgfx-fix-a-warning-due-to-missing-dma_parms.patch b/patches.suse/drm-vmwgfx-fix-a-warning-due-to-missing-dma_parms.patch
index e73740852c..67b5e597a7 100644
--- a/patches.suse/drm-vmwgfx-fix-a-warning-due-to-missing-dma_parms.patch
+++ b/patches.suse/drm-vmwgfx-fix-a-warning-due-to-missing-dma_parms.patch
@@ -1,22 +1,22 @@
From 39916897cd815a0ee07ba1f6820cf88a63e459fc Mon Sep 17 00:00:00 2001
From: Qian Cai <cai@lca.pw>
Date: Mon, 3 Jun 2019 16:44:15 -0400
-Subject: [PATCH] drm/vmwgfx: fix a warning due to missing dma_parms
+Subject: drm/vmwgfx: fix a warning due to missing dma_parms
Git-commit: 39916897cd815a0ee07ba1f6820cf88a63e459fc
Patch-mainline: v5.2-rc6
-References: bsc#1111666
+References: bsc#1111666 bsc#1135642
Booting up with DMA_API_DEBUG_SG=y generates a warning due to the driver
forgot to set dma_parms appropriately. Set it just after vmw_dma_masks()
in vmw_driver_load().
-Dma-api: vmwgfx 0000:00:0f.0: mapping sg segment longer than device
+DMA-API: vmwgfx 0000:00:0f.0: mapping sg segment longer than device
claims to support [len=2097152] [max=65536]
-Warning: CPU: 2 PID: 261 at kernel/dma/debug.c:1232
+WARNING: CPU: 2 PID: 261 at kernel/dma/debug.c:1232
debug_dma_map_sg+0x360/0x480
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop
Reference Platform, BIOS 6.00 04/13/2018
-Rip: 0010:debug_dma_map_sg+0x360/0x480
+RIP: 0010:debug_dma_map_sg+0x360/0x480
Call Trace:
vmw_ttm_map_dma+0x3b1/0x5b0 [vmwgfx]
vmw_bo_map_dma+0x25/0x30 [vmwgfx]
@@ -57,11 +57,9 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 3 +++
1 file changed, 3 insertions(+)
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
-index 4ff11a0077e1..9506190a0300 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
-@@ -747,6 +747,9 @@ static int vmw_driver_load(struct drm_device *dev, unsigned long chipset)
+@@ -758,6 +758,9 @@ static int vmw_driver_load(struct drm_de
if (unlikely(ret != 0))
goto out_err0;
@@ -71,6 +69,3 @@ index 4ff11a0077e1..9506190a0300 100644
if (dev_priv->capabilities & SVGA_CAP_GMR2) {
DRM_INFO("Max GMR ids is %u\n",
(unsigned)dev_priv->max_gmr_ids);
---
-2.16.4
-
diff --git a/patches.suse/ftrace-check-for-empty-hash-and-comment-the-race-with-registering-probes.patch b/patches.suse/ftrace-check-for-empty-hash-and-comment-the-race-with-registering-probes.patch
new file mode 100644
index 0000000000..2ecf741c35
--- /dev/null
+++ b/patches.suse/ftrace-check-for-empty-hash-and-comment-the-race-with-registering-probes.patch
@@ -0,0 +1,49 @@
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Fri, 30 Aug 2019 16:30:01 -0400
+Subject: ftrace: Check for empty hash and comment the race with registering
+ probes
+Git-commit: 372e0d01da71c84dcecf7028598a33813b0d5256
+Patch-mainline: v5.3-rc7
+References: bsc#1149418
+
+The race between adding a function probe and reading the probes that exist
+is very subtle. It needs a comment. Also, the issue can also happen if the
+probe has has the EMPTY_HASH as its func_hash.
+
+Cc: stable@vger.kernel.org
+Fixes: 7b60f3d876156 ("ftrace: Dynamically create the probe ftrace_ops for the trace_array")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Acked-by: Miroslav Benes <mbenes@suse.cz>
+---
+ kernel/trace/ftrace.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index 80beed2cf0da..6200a6fe10e3 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -3096,7 +3096,11 @@ t_probe_next(struct seq_file *m, loff_t *pos)
+
+ hash = iter->probe->ops.func_hash->filter_hash;
+
+- if (!hash)
++ /*
++ * A probe being registered may temporarily have an empty hash
++ * and it's at the end of the func_probes list.
++ */
++ if (!hash || hash == EMPTY_HASH)
+ return NULL;
+
+ size = 1 << hash->size_bits;
+@@ -4324,6 +4328,10 @@ register_ftrace_function_probe(char *glob, struct trace_array *tr,
+
+ mutex_unlock(&ftrace_lock);
+
++ /*
++ * Note, there's a small window here that the func_hash->filter_hash
++ * may be NULL or empty. Need to be carefule when reading the loop.
++ */
+ mutex_lock(&probe->ops.func_hash->regex_lock);
+
+ orig_hash = &probe->ops.func_hash->filter_hash;
+
diff --git a/patches.suse/ftrace-check-for-successful-allocation-of-hash.patch b/patches.suse/ftrace-check-for-successful-allocation-of-hash.patch
new file mode 100644
index 0000000000..35572e2cfe
--- /dev/null
+++ b/patches.suse/ftrace-check-for-successful-allocation-of-hash.patch
@@ -0,0 +1,40 @@
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Thu, 4 Jul 2019 20:04:42 +0530
+Subject: ftrace: Check for successful allocation of hash
+Git-commit: 5b0022dd32b7c2e15edf1827ba80aa1407edf9ff
+Patch-mainline: v5.3-rc7
+References: bsc#1149424
+
+In register_ftrace_function_probe(), we are not checking the return
+value of alloc_and_copy_ftrace_hash(). The subsequent call to
+ftrace_match_records() may end up dereferencing the same. Add a check to
+ensure this doesn't happen.
+
+Link: http://lkml.kernel.org/r/26e92574f25ad23e7cafa3cf5f7a819de1832cbe.1562249521.git.naveen.n.rao@linux.vnet.ibm.com
+
+Cc: stable@vger.kernel.org
+Fixes: 1ec3a81a0cf42 ("ftrace: Have each function probe use its own ftrace_ops")
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Acked-by: Miroslav Benes <mbenes@suse.cz>
+---
+ kernel/trace/ftrace.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index 6200a6fe10e3..f9821a3374e9 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -4338,6 +4338,11 @@ register_ftrace_function_probe(char *glob, struct trace_array *tr,
+ old_hash = *orig_hash;
+ hash = alloc_and_copy_ftrace_hash(FTRACE_HASH_DEFAULT_BITS, old_hash);
+
++ if (!hash) {
++ ret = -ENOMEM;
++ goto out;
++ }
++
+ ret = ftrace_match_records(hash, glob, strlen(glob));
+
+ /* Nothing found? */
+
diff --git a/patches.suse/ftrace-fix-null-pointer-dereference-in-t_probe_next.patch b/patches.suse/ftrace-fix-null-pointer-dereference-in-t_probe_next.patch
new file mode 100644
index 0000000000..4505f4355b
--- /dev/null
+++ b/patches.suse/ftrace-fix-null-pointer-dereference-in-t_probe_next.patch
@@ -0,0 +1,77 @@
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Thu, 4 Jul 2019 20:04:41 +0530
+Subject: ftrace: Fix NULL pointer dereference in t_probe_next()
+Git-commit: 7bd46644ea0f6021dc396a39a8bfd3a58f6f1f9f
+Patch-mainline: v5.3-rc7
+References: bsc#1149413
+
+LTP testsuite on powerpc results in the below crash:
+
+ Unable to handle kernel paging request for data at address 0x00000000
+ Faulting instruction address: 0xc00000000029d800
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ LE SMP NR_CPUS=2048 NUMA PowerNV
+ ...
+ CPU: 68 PID: 96584 Comm: cat Kdump: loaded Tainted: G W
+ NIP: c00000000029d800 LR: c00000000029dac4 CTR: c0000000001e6ad0
+ REGS: c0002017fae8ba10 TRAP: 0300 Tainted: G W
+ MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 28022422 XER: 20040000
+ CFAR: c00000000029d90c DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0
+ ...
+ NIP [c00000000029d800] t_probe_next+0x60/0x180
+ LR [c00000000029dac4] t_mod_start+0x1a4/0x1f0
+ Call Trace:
+ [c0002017fae8bc90] [c000000000cdbc40] _cond_resched+0x10/0xb0 (unreliable)
+ [c0002017fae8bce0] [c0000000002a15b0] t_start+0xf0/0x1c0
+ [c0002017fae8bd30] [c0000000004ec2b4] seq_read+0x184/0x640
+ [c0002017fae8bdd0] [c0000000004a57bc] sys_read+0x10c/0x300
+ [c0002017fae8be30] [c00000000000b388] system_call+0x5c/0x70
+
+The test (ftrace_set_ftrace_filter.sh) is part of ftrace stress tests
+and the crash happens when the test does 'cat
+$TRACING_PATH/set_ftrace_filter'.
+
+The address points to the second line below, in t_probe_next(), where
+filter_hash is dereferenced:
+ hash = iter->probe->ops.func_hash->filter_hash;
+ size = 1 << hash->size_bits;
+
+This happens due to a race with register_ftrace_function_probe(). A new
+ftrace_func_probe is created and added into the func_probes list in
+trace_array under ftrace_lock. However, before initializing the filter,
+we drop ftrace_lock, and re-acquire it after acquiring regex_lock. If
+another process is trying to read set_ftrace_filter, it will be able to
+acquire ftrace_lock during this window and it will end up seeing a NULL
+filter_hash.
+
+Fix this by just checking for a NULL filter_hash in t_probe_next(). If
+the filter_hash is NULL, then this probe is just being added and we can
+simply return from here.
+
+Link: http://lkml.kernel.org/r/05e021f757625cbbb006fad41380323dbe4e3b43.1562249521.git.naveen.n.rao@linux.vnet.ibm.com
+
+Cc: stable@vger.kernel.org
+Fixes: 7b60f3d876156 ("ftrace: Dynamically create the probe ftrace_ops for the trace_array")
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Acked-by: Miroslav Benes <mbenes@suse.cz>
+---
+ kernel/trace/ftrace.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index eca34503f178..80beed2cf0da 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -3095,6 +3095,10 @@ t_probe_next(struct seq_file *m, loff_t *pos)
+ hnd = &iter->probe_entry->hlist;
+
+ hash = iter->probe->ops.func_hash->filter_hash;
++
++ if (!hash)
++ return NULL;
++
+ size = 1 << hash->size_bits;
+
+ retry:
+
diff --git a/patches.suse/genetlink-Fix-a-memory-leak-on-error-path.patch b/patches.suse/genetlink-Fix-a-memory-leak-on-error-path.patch
index 0df45b8fe5..d414720ca1 100644
--- a/patches.suse/genetlink-Fix-a-memory-leak-on-error-path.patch
+++ b/patches.suse/genetlink-Fix-a-memory-leak-on-error-path.patch
@@ -3,7 +3,7 @@ Date: Thu, 21 Mar 2019 15:02:50 +0800
Subject: genetlink: Fix a memory leak on error path
Git-commit: ceabee6c59943bdd5e1da1a6a20dc7ee5f8113a2
Patch-mainline: v5.1-rc3
-References: networking-stable-19_03_28
+References: networking-stable-19_03_28, CVE-2019-15921, bsc#1149602
In genl_register_family(), when idr_alloc() fails,
we forget to free the memory we possibly allocate for
diff --git a/patches.suse/gpio-mxs-Get-rid-of-external-API-call.patch b/patches.suse/gpio-mxs-Get-rid-of-external-API-call.patch
new file mode 100644
index 0000000000..6117414f43
--- /dev/null
+++ b/patches.suse/gpio-mxs-Get-rid-of-external-API-call.patch
@@ -0,0 +1,52 @@
+From 833eacc7b5913da9896bacd30db7d490aa777868 Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Wed, 29 Aug 2018 17:02:16 +0200
+Subject: [PATCH] gpio: mxs: Get rid of external API call
+Git-commit: 833eacc7b5913da9896bacd30db7d490aa777868
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+The MXS driver was calling back into the GPIO API from
+its irqchip. This is not very elegant, as we are a driver,
+let's just shortcut back into the gpio_chip .get() function
+instead.
+
+This is a tricky case since the .get() callback is not in
+this file, instead assigned by bgpio_init(). Calling the
+function direcly in the gpio_chip is however the lesser
+evil.
+
+Cc: Sascha Hauer <s.hauer@pengutronix.de>
+Cc: Janusz Uzycki <j.uzycki@elproma.com.pl>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpio/gpio-mxs.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/gpio/gpio-mxs.c b/drivers/gpio/gpio-mxs.c
+index df30490da820..ea874fd033a5 100644
+--- a/drivers/gpio/gpio-mxs.c
++++ b/drivers/gpio/gpio-mxs.c
+@@ -18,8 +18,6 @@
+ #include <linux/platform_device.h>
+ #include <linux/slab.h>
+ #include <linux/gpio/driver.h>
+-/* FIXME: for gpio_get_value(), replace this by direct register read */
+-#include <linux/gpio.h>
+ #include <linux/module.h>
+
+ #define MXS_SET 0x4
+@@ -86,7 +84,7 @@ static int mxs_gpio_set_irq_type(struct irq_data *d, unsigned int type)
+ port->both_edges &= ~pin_mask;
+ switch (type) {
+ case IRQ_TYPE_EDGE_BOTH:
+- val = gpio_get_value(port->gc.base + d->hwirq);
++ val = port->gc.get(&port->gc, d->hwirq);
+ if (val)
+ edge = GPIO_INT_FALL_EDGE;
+ else
+--
+2.16.4
+
diff --git a/patches.suse/gpio-pxa-handle-corner-case-of-unprobed-device.patch b/patches.suse/gpio-pxa-handle-corner-case-of-unprobed-device.patch
new file mode 100644
index 0000000000..4fcbbd9d2b
--- /dev/null
+++ b/patches.suse/gpio-pxa-handle-corner-case-of-unprobed-device.patch
@@ -0,0 +1,55 @@
+From 9ce3ebe973bf4073426f35f282c6b955ed802765 Mon Sep 17 00:00:00 2001
+From: Robert Jarzmik <robert.jarzmik@free.fr>
+Date: Sat, 25 Aug 2018 10:44:17 +0200
+Subject: [PATCH] gpio: pxa: handle corner case of unprobed device
+Git-commit: 9ce3ebe973bf4073426f35f282c6b955ed802765
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+In the corner case where the gpio driver probe fails, for whatever
+reason, the suspend and resume handlers will still be called as they
+have to be registered as syscore operations. This applies as well when
+no probe was called while the driver has been built in the kernel.
+
+Nicolas tracked this in :
+https://bugzilla.kernel.org/show_bug.cgi?id=200905
+
+Therefore, add a failsafe in these function, and test if a proper probe
+succeeded and the driver is functional.
+
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Reported-by: Nicolas Chauvet <kwizart@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpio/gpio-pxa.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpio/gpio-pxa.c b/drivers/gpio/gpio-pxa.c
+index c18712dabf93..bfe4c5c9f41c 100644
+--- a/drivers/gpio/gpio-pxa.c
++++ b/drivers/gpio/gpio-pxa.c
+@@ -776,6 +776,9 @@ static int pxa_gpio_suspend(void)
+ struct pxa_gpio_bank *c;
+ int gpio;
+
++ if (!pchip)
++ return 0;
++
+ for_each_gpio_bank(gpio, c, pchip) {
+ c->saved_gplr = readl_relaxed(c->regbase + GPLR_OFFSET);
+ c->saved_gpdr = readl_relaxed(c->regbase + GPDR_OFFSET);
+@@ -794,6 +797,9 @@ static void pxa_gpio_resume(void)
+ struct pxa_gpio_bank *c;
+ int gpio;
+
++ if (!pchip)
++ return;
++
+ for_each_gpio_bank(gpio, c, pchip) {
+ /* restore level with set/clear */
+ writel_relaxed(c->saved_gplr, c->regbase + GPSR_OFFSET);
+--
+2.16.4
+
diff --git a/patches.suse/gpu-ipu-v3-ipu-ic-Fix-saturation-bit-offset-in-TPMEM.patch b/patches.suse/gpu-ipu-v3-ipu-ic-Fix-saturation-bit-offset-in-TPMEM.patch
index ed98088b98..b7f545ed52 100644
--- a/patches.suse/gpu-ipu-v3-ipu-ic-Fix-saturation-bit-offset-in-TPMEM.patch
+++ b/patches.suse/gpu-ipu-v3-ipu-ic-Fix-saturation-bit-offset-in-TPMEM.patch
@@ -1,10 +1,10 @@
From 3d1f62c686acdedf5ed9642b763f3808d6a47d1e Mon Sep 17 00:00:00 2001
From: Steve Longerbeam <slongerbeam@gmail.com>
Date: Tue, 21 May 2019 18:03:13 -0700
-Subject: [PATCH] gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM
+Subject: gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM
Git-commit: 3d1f62c686acdedf5ed9642b763f3808d6a47d1e
Patch-mainline: v5.3-rc1
-References: bsc#1111666
+References: bsc#1111666 bsc#1142635
The saturation bit was being set at bit 9 in the second 32-bit word
of the TPMEM CSC. This isn't correct, the saturation bit is bit 42,
@@ -16,8 +16,7 @@ Signed-off-by: Steve Longerbeam <slongerbeam@gmail.com>
Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
-Acked-by: Takashi Iwai <tiwai@suse.de>
-
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
---
drivers/gpu/ipu-v3/ipu-ic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
@@ -36,5 +35,5 @@ index 89c3961f0fce..3428b0e72bc5 100644
param = ((a[1] & 0x1f) << 27) | ((c[0][1] & 0x1ff) << 18) |
--
-2.16.4
+2.22.0
diff --git a/patches.suse/i2c-qup-fixed-releasing-dma-without-flush-operation-.patch b/patches.suse/i2c-qup-fixed-releasing-dma-without-flush-operation-.patch
new file mode 100644
index 0000000000..ad7d4bd306
--- /dev/null
+++ b/patches.suse/i2c-qup-fixed-releasing-dma-without-flush-operation-.patch
@@ -0,0 +1,53 @@
+From 7239872fb3400b21a8f5547257f9f86455867bd6 Mon Sep 17 00:00:00 2001
+From: Abhishek Sahu <absahu@codeaurora.org>
+Date: Mon, 12 Mar 2018 18:44:51 +0530
+Subject: [PATCH] i2c: qup: fixed releasing dma without flush operation completion
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 7239872fb3400b21a8f5547257f9f86455867bd6
+Patch-mainline: v4.17-rc1
+References: bsc#1051510
+
+The QUP BSLP BAM generates the following error sometimes if the
+current I2C DMA transfer fails and the flush operation has been
+scheduled
+
+ “bam-dma-engine 7884000.dma: Cannot free busy channel”
+
+If any I2C error comes during BAM DMA transfer, then the QUP I2C
+interrupt will be generated and the flush operation will be
+carried out to make I2C consume all scheduled DMA transfer.
+Currently, the same completion structure is being used for BAM
+transfer which has already completed without reinit. It will make
+flush operation wait_for_completion_timeout completed immediately
+and will proceed for freeing the DMA resources where the
+descriptors are still in process.
+
+Signed-off-by: Abhishek Sahu <absahu@codeaurora.org>
+Acked-by: Sricharan R <sricharan@codeaurora.org>
+Reviewed-by: Austin Christ <austinwc@codeaurora.org>
+Reviewed-by: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/i2c/busses/i2c-qup.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-qup.c b/drivers/i2c/busses/i2c-qup.c
+index ac5edfac2d5c..75e9819a161c 100644
+--- a/drivers/i2c/busses/i2c-qup.c
++++ b/drivers/i2c/busses/i2c-qup.c
+@@ -835,6 +835,8 @@ static int qup_i2c_bam_do_xfer(struct qup_i2c_dev *qup, struct i2c_msg *msg,
+ }
+
+ if (ret || qup->bus_err || qup->qup_err) {
++ reinit_completion(&qup->xfer);
++
+ if (qup_i2c_change_state(qup, QUP_RUN_STATE)) {
+ dev_err(qup->dev, "change to run state timed out");
+ goto desc_err;
+--
+2.16.4
+
diff --git a/patches.suse/isdn-hfcsusb-Fix-mISDN-driver-crash-caused-by-transf.patch b/patches.suse/isdn-hfcsusb-Fix-mISDN-driver-crash-caused-by-transf.patch
new file mode 100644
index 0000000000..5f111841c6
--- /dev/null
+++ b/patches.suse/isdn-hfcsusb-Fix-mISDN-driver-crash-caused-by-transf.patch
@@ -0,0 +1,87 @@
+From d8a1de3d5bb881507602bc02e004904828f88711 Mon Sep 17 00:00:00 2001
+From: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
+Date: Wed, 31 Jul 2019 15:17:23 +0200
+Subject: [PATCH] isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack
+Git-commit: d8a1de3d5bb881507602bc02e004904828f88711
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+Since linux 4.9 it is not possible to use buffers on the stack for DMA transfers.
+
+During usb probe the driver crashes with "transfer buffer is on stack" message.
+
+This fix k-allocates a buffer to be used on "read_reg_atomic", which is a macro
+that calls "usb_control_msg" under the hood.
+
+Kernel 4.19 backtrace:
+
+usb_hcd_submit_urb+0x3e5/0x900
+? sched_clock+0x9/0x10
+? log_store+0x203/0x270
+? get_random_u32+0x6f/0x90
+? cache_alloc_refill+0x784/0x8a0
+usb_submit_urb+0x3b4/0x550
+usb_start_wait_urb+0x4e/0xd0
+usb_control_msg+0xb8/0x120
+hfcsusb_probe+0x6bc/0xb40 [hfcsusb]
+usb_probe_interface+0xc2/0x260
+really_probe+0x176/0x280
+driver_probe_device+0x49/0x130
+__driver_attach+0xa9/0xb0
+? driver_probe_device+0x130/0x130
+bus_for_each_dev+0x5a/0x90
+driver_attach+0x14/0x20
+? driver_probe_device+0x130/0x130
+bus_add_driver+0x157/0x1e0
+driver_register+0x51/0xe0
+usb_register_driver+0x5d/0x120
+? 0xf81ed000
+hfcsusb_drv_init+0x17/0x1000 [hfcsusb]
+do_one_initcall+0x44/0x190
+? free_unref_page_commit+0x6a/0xd0
+do_init_module+0x46/0x1c0
+load_module+0x1dc1/0x2400
+sys_init_module+0xed/0x120
+do_fast_syscall_32+0x7a/0x200
+entry_SYSENTER_32+0x6b/0xbe
+
+Signed-off-by: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/isdn/hardware/mISDN/hfcsusb.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
+index 8fb7c5dea07f..008a74a1ed44 100644
+--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
+@@ -1693,13 +1693,23 @@ hfcsusb_stop_endpoint(struct hfcsusb *hw, int channel)
+ static int
+ setup_hfcsusb(struct hfcsusb *hw)
+ {
++ void *dmabuf = kmalloc(sizeof(u_char), GFP_KERNEL);
+ u_char b;
++ int ret;
+
+ if (debug & DBG_HFC_CALL_TRACE)
+ printk(KERN_DEBUG "%s: %s\n", hw->name, __func__);
+
++ if (!dmabuf)
++ return -ENOMEM;
++
++ ret = read_reg_atomic(hw, HFCUSB_CHIP_ID, dmabuf);
++
++ memcpy(&b, dmabuf, sizeof(u_char));
++ kfree(dmabuf);
++
+ /* check the chip id */
+- if (read_reg_atomic(hw, HFCUSB_CHIP_ID, &b) != 1) {
++ if (ret != 1) {
+ printk(KERN_DEBUG "%s: %s: cannot read chip id\n",
+ hw->name, __func__);
+ return 1;
+--
+2.16.4
+
diff --git a/patches.suse/isdn-mISDN-hfcsusb-Fix-possible-null-pointer-derefer.patch b/patches.suse/isdn-mISDN-hfcsusb-Fix-possible-null-pointer-derefer.patch
new file mode 100644
index 0000000000..f526c0246a
--- /dev/null
+++ b/patches.suse/isdn-mISDN-hfcsusb-Fix-possible-null-pointer-derefer.patch
@@ -0,0 +1,50 @@
+From a0d57a552b836206ad7705a1060e6e1ce5a38203 Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Fri, 26 Jul 2019 16:27:36 +0800
+Subject: [PATCH] isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in start_isoc_chain()
+Git-commit: a0d57a552b836206ad7705a1060e6e1ce5a38203
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+In start_isoc_chain(), usb_alloc_urb() on line 1392 may fail
+and return NULL. At this time, fifo->iso[i].urb is assigned to NULL.
+
+Then, fifo->iso[i].urb is used at some places, such as:
+LINE 1405: fill_isoc_urb(fifo->iso[i].urb, ...)
+ urb->number_of_packets = num_packets;
+ urb->transfer_flags = URB_ISO_ASAP;
+ urb->actual_length = 0;
+ urb->interval = interval;
+LINE 1416: fifo->iso[i].urb->...
+LINE 1419: fifo->iso[i].urb->...
+
+Thus, possible null-pointer dereferences may occur.
+
+To fix these bugs, "continue" is added to avoid using fifo->iso[i].urb
+when it is NULL.
+
+These bugs are found by a static analysis tool STCheck written by us.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/isdn/hardware/mISDN/hfcsusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
+index 0e224232f746..8fb7c5dea07f 100644
+--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
+@@ -1394,6 +1394,7 @@ start_isoc_chain(struct usb_fifo *fifo, int num_packets_per_urb,
+ printk(KERN_DEBUG
+ "%s: %s: alloc urb for fifo %i failed",
+ hw->name, __func__, fifo->fifonum);
++ continue;
+ }
+ fifo->iso[i].owner_fifo = (struct usb_fifo *) fifo;
+ fifo->iso[i].indx = i;
+--
+2.16.4
+
diff --git a/patches.suse/iversion-add-a-routine-to-update-a-raw-value-with-a-larger-one.patch b/patches.suse/iversion-add-a-routine-to-update-a-raw-value-with-a-larger-one.patch
new file mode 100644
index 0000000000..2d6e5be622
--- /dev/null
+++ b/patches.suse/iversion-add-a-routine-to-update-a-raw-value-with-a-larger-one.patch
@@ -0,0 +1,57 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Wed, 5 Jun 2019 17:24:22 -0400
+Subject: iversion: add a routine to update a raw value with a larger one
+Git-commit: 441d367644e2f60b37f36bfc656deee551acba5b
+Patch-mainline: v5.3-rc1
+References: bsc#1148133
+
+Under ceph, clients can be independently updating iversion themselves,
+while working under comprehensive sets of caps on an inode. In that
+situation we always want to prefer the largest value of a change
+attribute. Add a new function that will update a raw value with a larger
+one, but otherwise leave it alone.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ include/linux/iversion.h | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/include/linux/iversion.h b/include/linux/iversion.h
+index be50ef7cedab..2917ef990d43 100644
+--- a/include/linux/iversion.h
++++ b/include/linux/iversion.h
+@@ -112,6 +112,30 @@ inode_peek_iversion_raw(const struct inode *inode)
+ return atomic64_read(&inode->i_version);
+ }
+
++/**
++ * inode_set_max_iversion_raw - update i_version new value is larger
++ * @inode: inode to set
++ * @val: new i_version to set
++ *
++ * Some self-managed filesystems (e.g Ceph) will only update the i_version
++ * value if the new value is larger than the one we already have.
++ */
++static inline void
++inode_set_max_iversion_raw(struct inode *inode, u64 val)
++{
++ u64 cur, old;
++
++ cur = inode_peek_iversion_raw(inode);
++ for (;;) {
++ if (cur > val)
++ break;
++ old = atomic64_cmpxchg(&inode->i_version, cur, val);
++ if (likely(old == cur))
++ break;
++ cur = old;
++ }
++}
++
+ /**
+ * inode_set_iversion - set i_version to a particular value
+ * @inode: inode to set
+
diff --git a/patches.suse/kconfig-mn-conf-handle-backspace-H-key.patch b/patches.suse/kconfig-mn-conf-handle-backspace-H-key.patch
new file mode 100644
index 0000000000..b6e26f50ca
--- /dev/null
+++ b/patches.suse/kconfig-mn-conf-handle-backspace-H-key.patch
@@ -0,0 +1,67 @@
+From 9c38f1f044080392603c497ecca4d7d09876ff99 Mon Sep 17 00:00:00 2001
+From: Changbin Du <changbin.du@gmail.com>
+Date: Mon, 25 Mar 2019 15:16:47 +0000
+Subject: [PATCH] kconfig/[mn]conf: handle backspace (^H) key
+Git-commit: 9c38f1f044080392603c497ecca4d7d09876ff99
+Patch-mainline: v5.1-rc3
+References: bsc#1051510
+
+Backspace is not working on some terminal emulators which do not send the
+key code defined by terminfo. Terminals either send '^H' (8) or '^?' (127).
+But currently only '^?' is handled. Let's also handle '^H' for those
+terminals.
+
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ scripts/kconfig/lxdialog/inputbox.c | 3 ++-
+ scripts/kconfig/nconf.c | 2 +-
+ scripts/kconfig/nconf.gui.c | 3 ++-
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c
+index 611945611bf8..1dcfb288ee63 100644
+--- a/scripts/kconfig/lxdialog/inputbox.c
++++ b/scripts/kconfig/lxdialog/inputbox.c
+@@ -113,7 +113,8 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width
+ case KEY_DOWN:
+ break;
+ case KEY_BACKSPACE:
+- case 127:
++ case 8: /* ^H */
++ case 127: /* ^? */
+ if (pos) {
+ wattrset(dialog, dlg.inputbox.atr);
+ if (input_x == 0) {
+diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
+index a4670f4e825a..ac92c0ded6c5 100644
+--- a/scripts/kconfig/nconf.c
++++ b/scripts/kconfig/nconf.c
+@@ -1048,7 +1048,7 @@ static int do_match(int key, struct match_state *state, int *ans)
+ state->match_direction = FIND_NEXT_MATCH_UP;
+ *ans = get_mext_match(state->pattern,
+ state->match_direction);
+- } else if (key == KEY_BACKSPACE || key == 127) {
++ } else if (key == KEY_BACKSPACE || key == 8 || key == 127) {
+ state->pattern[strlen(state->pattern)-1] = '\0';
+ adj_match_dir(&state->match_direction);
+ } else
+diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c
+index 7be620a1fcdb..77f525a8617c 100644
+--- a/scripts/kconfig/nconf.gui.c
++++ b/scripts/kconfig/nconf.gui.c
+@@ -439,7 +439,8 @@ int dialog_inputbox(WINDOW *main_window,
+ case KEY_F(F_EXIT):
+ case KEY_F(F_BACK):
+ break;
+- case 127:
++ case 8: /* ^H */
++ case 127: /* ^? */
+ case KEY_BACKSPACE:
+ if (cursor_position > 0) {
+ memmove(&result[cursor_position-1],
+--
+2.16.4
+
diff --git a/patches.suse/kvm-x86-move-msr_ia32_arch_capabilities-to-array-emulated_msrs b/patches.suse/kvm-x86-move-msr_ia32_arch_capabilities-to-array-emulated_msrs
new file mode 100644
index 0000000000..3a7dba426d
--- /dev/null
+++ b/patches.suse/kvm-x86-move-msr_ia32_arch_capabilities-to-array-emulated_msrs
@@ -0,0 +1,37 @@
+From: Xiaoyao Li <xiaoyao.li@linux.intel.com>
+Date: Fri, 8 Mar 2019 15:57:20 +0800
+Subject: kvm/x86: Move MSR_IA32_ARCH_CAPABILITIES to array emulated_msrs
+Git-commit: 2bdb76c015df7125783d8394d6339d181cb5bc30
+Patch-mainline: v5.1-rc3
+References: bsc#1134881 bsc#1134882
+
+Since MSR_IA32_ARCH_CAPABILITIES is emualted unconditionally even if
+host doesn't suppot it. We should move it to array emulated_msrs from
+arry msrs_to_save, to report to userspace that guest support this msr.
+
+Signed-off-by: Xiaoyao Li <xiaoyao.li@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/x86.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1010,7 +1010,7 @@ static u32 msrs_to_save[] = {
+ #endif
+ MSR_IA32_TSC, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA,
+ MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS, MSR_TSC_AUX,
+- MSR_IA32_SPEC_CTRL, MSR_IA32_ARCH_CAPABILITIES
++ MSR_IA32_SPEC_CTRL,
+ };
+
+ static unsigned num_msrs_to_save;
+@@ -1033,6 +1033,7 @@ static u32 emulated_msrs[] = {
+
+ MSR_IA32_TSC_ADJUST,
+ MSR_IA32_TSCDEADLINE,
++ MSR_IA32_ARCH_CAPABILITIES,
+ MSR_IA32_MISC_ENABLE,
+ MSR_IA32_MCG_STATUS,
+ MSR_IA32_MCG_CTL,
diff --git a/patches.suse/libata-add-SG-safety-checks-in-SFF-pio-transfers.patch b/patches.suse/libata-add-SG-safety-checks-in-SFF-pio-transfers.patch
new file mode 100644
index 0000000000..70b4b99611
--- /dev/null
+++ b/patches.suse/libata-add-SG-safety-checks-in-SFF-pio-transfers.patch
@@ -0,0 +1,48 @@
+From 752ead44491e8c91e14d7079625c5916b30921c5 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 7 Aug 2019 12:23:57 -0600
+Subject: [PATCH] libata: add SG safety checks in SFF pio transfers
+Git-commit: 752ead44491e8c91e14d7079625c5916b30921c5
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+Abort processing of a command if we run out of mapped data in the
+SG list. This should never happen, but a previous bug caused it to
+be possible. Play it safe and attempt to abort nicely if we don't
+have more SG segments left.
+
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/ata/libata-sff.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c
+index 10aa27882142..4f115adb4ee8 100644
+--- a/drivers/ata/libata-sff.c
++++ b/drivers/ata/libata-sff.c
+@@ -658,6 +658,10 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
+ unsigned int offset;
+ unsigned char *buf;
+
++ if (!qc->cursg) {
++ qc->curbytes = qc->nbytes;
++ return;
++ }
+ if (qc->curbytes == qc->nbytes - qc->sect_size)
+ ap->hsm_task_state = HSM_ST_LAST;
+
+@@ -683,6 +687,8 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
+
+ if (qc->cursg_ofs == qc->cursg->length) {
+ qc->cursg = sg_next(qc->cursg);
++ if (!qc->cursg)
++ ap->hsm_task_state = HSM_ST_LAST;
+ qc->cursg_ofs = 0;
+ }
+ }
+--
+2.16.4
+
diff --git a/patches.suse/libata-have-ata_scsi_rw_xlat-fail-invalid-passthroug.patch b/patches.suse/libata-have-ata_scsi_rw_xlat-fail-invalid-passthroug.patch
new file mode 100644
index 0000000000..a537027556
--- /dev/null
+++ b/patches.suse/libata-have-ata_scsi_rw_xlat-fail-invalid-passthroug.patch
@@ -0,0 +1,84 @@
+From 2d7271501720038381d45fb3dcbe4831228fc8cc Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 7 Aug 2019 12:20:52 -0600
+Subject: [PATCH] libata: have ata_scsi_rw_xlat() fail invalid passthrough requests
+Git-commit: 2d7271501720038381d45fb3dcbe4831228fc8cc
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+For passthrough requests, libata-scsi takes what the user passes in
+as gospel. This can be problematic if the user fills in the CDB
+incorrectly. One example of that is in request sizes. For read/write
+commands, the CDB contains fields describing the transfer length of
+the request. These should match with the SG_IO header fields, but
+libata-scsi currently does no validation of that.
+
+Check that the number of blocks in the CDB for passthrough requests
+matches what was mapped into the request. If the CDB asks for more
+data then the validated SG_IO header fields, error it.
+
+Reported-by: Krishna Ram Prakash R <krp@gtux.in>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/ata/libata-scsi.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
+index 391ac0503dc0..76d0f9de767b 100644
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -1786,6 +1786,21 @@ static unsigned int ata_scsi_verify_xlat(struct ata_queued_cmd *qc)
+ return 1;
+ }
+
++static bool ata_check_nblocks(struct scsi_cmnd *scmd, u32 n_blocks)
++{
++ struct request *rq = scmd->request;
++ u32 req_blocks;
++
++ if (!blk_rq_is_passthrough(rq))
++ return true;
++
++ req_blocks = blk_rq_bytes(rq) / scmd->device->sector_size;
++ if (n_blocks > req_blocks)
++ return false;
++
++ return true;
++}
++
+ /**
+ * ata_scsi_rw_xlat - Translate SCSI r/w command into an ATA one
+ * @qc: Storage for translated ATA taskfile
+@@ -1830,6 +1845,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc)
+ scsi_10_lba_len(cdb, &block, &n_block);
+ if (cdb[1] & (1 << 3))
+ tf_flags |= ATA_TFLAG_FUA;
++ if (!ata_check_nblocks(scmd, n_block))
++ goto invalid_fld;
+ break;
+ case READ_6:
+ case WRITE_6:
+@@ -1844,6 +1861,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc)
+ */
+ if (!n_block)
+ n_block = 256;
++ if (!ata_check_nblocks(scmd, n_block))
++ goto invalid_fld;
+ break;
+ case READ_16:
+ case WRITE_16:
+@@ -1854,6 +1873,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc)
+ scsi_16_lba_len(cdb, &block, &n_block);
+ if (cdb[1] & (1 << 3))
+ tf_flags |= ATA_TFLAG_FUA;
++ if (!ata_check_nblocks(scmd, n_block))
++ goto invalid_fld;
+ break;
+ default:
+ DPRINTK("no-byte command\n");
+--
+2.16.4
+
diff --git a/patches.suse/libceph-add-ceph_decode_entity_addr.patch b/patches.suse/libceph-add-ceph_decode_entity_addr.patch
new file mode 100644
index 0000000000..991357c9f7
--- /dev/null
+++ b/patches.suse/libceph-add-ceph_decode_entity_addr.patch
@@ -0,0 +1,147 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Mon, 3 Jun 2019 14:45:16 -0400
+Subject: libceph: add ceph_decode_entity_addr
+Git-commit: 6c37f0e64173571914a443f74d36e5a22dabfc05
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1136682
+
+Add a function for decoding an entity_addr_t. Once
+CEPH_FEATURE_MSG_ADDR2 is enabled, the server daemons will start
+encoding entity_addr_t differently.
+
+Add a new helper function that can handle either format.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+
+---
+ include/linux/ceph/decode.h | 2 +
+ net/ceph/Makefile | 2 +-
+ net/ceph/decode.c | 90 +++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 93 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/ceph/decode.h b/include/linux/ceph/decode.h
+index a6c2a48d42e0..1c0a665bfc03 100644
+--- a/include/linux/ceph/decode.h
++++ b/include/linux/ceph/decode.h
+@@ -223,6 +223,8 @@ static inline void ceph_decode_addr(stru
+ WARN_ON(a->in_addr.ss_family == 512);
+ }
+
++extern int ceph_decode_entity_addr(void **p, void *end,
++ struct ceph_entity_addr *addr);
+ /*
+ * encoders
+ */
+diff --git a/net/ceph/Makefile b/net/ceph/Makefile
+index db09defe27d0..59d0ba2072de 100644
+--- a/net/ceph/Makefile
++++ b/net/ceph/Makefile
+@@ -4,7 +4,7 @@
+ obj-$(CONFIG_CEPH_LIB) += libceph.o
+
+ libceph-y := ceph_common.o messenger.o msgpool.o buffer.o pagelist.o \
+- mon_client.o \
++ mon_client.o decode.o \
+ cls_lock_client.o \
+ osd_client.o osdmap.o crush/crush.o crush/mapper.o crush/hash.o \
+ debugfs.o \
+diff --git a/net/ceph/decode.c b/net/ceph/decode.c
+new file mode 100644
+index 000000000000..b82981199549
+--- /dev/null
++++ b/net/ceph/decode.c
+@@ -0,0 +1,90 @@
++// SPDX-License-Identifier: GPL-2.0
++
++#include <linux/ceph/decode.h>
++
++static int
++ceph_decode_entity_addr_versioned(void **p, void *end,
++ struct ceph_entity_addr *addr)
++{
++ int ret;
++ u8 struct_v;
++ u32 struct_len, addr_len;
++ void *struct_end;
++
++ ret = ceph_start_decoding(p, end, 1, "entity_addr_t", &struct_v,
++ &struct_len);
++ if (ret)
++ goto bad;
++
++ ret = -EINVAL;
++ struct_end = *p + struct_len;
++
++ ceph_decode_copy_safe(p, end, &addr->type, sizeof(addr->type), bad);
++
++ /*
++ * TYPE_NONE == 0
++ * TYPE_LEGACY == 1
++ *
++ * Clients that don't support ADDR2 always send TYPE_NONE.
++ * For now, since all we support is msgr1, just set this to 0
++ * when we get a TYPE_LEGACY type.
++ */
++ if (addr->type == cpu_to_le32(1))
++ addr->type = 0;
++
++ ceph_decode_copy_safe(p, end, &addr->nonce, sizeof(addr->nonce), bad);
++
++ ceph_decode_32_safe(p, end, addr_len, bad);
++ if (addr_len > sizeof(addr->in_addr))
++ goto bad;
++
++ memset(&addr->in_addr, 0, sizeof(addr->in_addr));
++ if (addr_len) {
++ ceph_decode_copy_safe(p, end, &addr->in_addr, addr_len, bad);
++
++ addr->in_addr.ss_family =
++ le16_to_cpu((__force __le16)addr->in_addr.ss_family);
++ }
++
++ /* Advance past anything the client doesn't yet understand */
++ *p = struct_end;
++ ret = 0;
++bad:
++ return ret;
++}
++
++static int
++ceph_decode_entity_addr_legacy(void **p, void *end,
++ struct ceph_entity_addr *addr)
++{
++ int ret = -EINVAL;
++
++ /* Skip rest of type field */
++ ceph_decode_skip_n(p, end, 3, bad);
++ addr->type = 0;
++ ceph_decode_copy_safe(p, end, &addr->nonce, sizeof(addr->nonce), bad);
++ memset(&addr->in_addr, 0, sizeof(addr->in_addr));
++ ceph_decode_copy_safe(p, end, &addr->in_addr,
++ sizeof(addr->in_addr), bad);
++ addr->in_addr.ss_family =
++ be16_to_cpu((__force __be16)addr->in_addr.ss_family);
++ ret = 0;
++bad:
++ return ret;
++}
++
++int
++ceph_decode_entity_addr(void **p, void *end, struct ceph_entity_addr *addr)
++{
++ u8 marker;
++
++ ceph_decode_8_safe(p, end, marker, bad);
++ if (marker == 1)
++ return ceph_decode_entity_addr_versioned(p, end, addr);
++ else if (marker == 0)
++ return ceph_decode_entity_addr_legacy(p, end, addr);
++bad:
++ return -EINVAL;
++}
++EXPORT_SYMBOL(ceph_decode_entity_addr);
++
+
diff --git a/patches.suse/libceph-addr2-support-for-monmap.patch b/patches.suse/libceph-addr2-support-for-monmap.patch
new file mode 100644
index 0000000000..0e40b4b87e
--- /dev/null
+++ b/patches.suse/libceph-addr2-support-for-monmap.patch
@@ -0,0 +1,99 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Fri, 31 May 2019 15:32:28 -0400
+Subject: libceph: ADDR2 support for monmap
+Git-commit: 0bfb0f288992adbf8d1f0d5f22f0fd398b146316
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1136682
+
+Switch the MonMap decoder to use the new decoding routine for
+entity_addr_t's.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+
+---
+ include/linux/ceph/mon_client.h | 1 -
+ net/ceph/mon_client.c | 21 +++++++++++++--------
+ 2 files changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/ceph/mon_client.h b/include/linux/ceph/mon_client.h
+index 3a4688af7455..b4d134d3312a 100644
+--- a/include/linux/ceph/mon_client.h
++++ b/include/linux/ceph/mon_client.h
+@@ -104,7 +104,6 @@ struct ceph_mon_client {
+ #endif
+ };
+
+-extern struct ceph_monmap *ceph_monmap_decode(void *p, void *end);
+ extern int ceph_monmap_contains(struct ceph_monmap *m,
+ struct ceph_entity_addr *addr);
+
+diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
+index 895679d3529b..0520bf9825aa 100644
+--- a/net/ceph/mon_client.c
++++ b/net/ceph/mon_client.c
+@@ -39,7 +39,7 @@ static int __validate_auth(struct ceph_mon_client *monc);
+ /*
+ * Decode a monmap blob (e.g., during mount).
+ */
+-struct ceph_monmap *ceph_monmap_decode(void *p, void *end)
++static struct ceph_monmap *ceph_monmap_decode(void *p, void *end)
+ {
+ struct ceph_monmap *m = NULL;
+ int i, err = -EINVAL;
+@@ -50,7 +50,7 @@ struct ceph_monmap *ceph_monmap_decode(void *p, void *end)
+ ceph_decode_32_safe(&p, end, len, bad);
+ ceph_decode_need(&p, end, len, bad);
+
+- dout("monmap_decode %p %p len %d\n", p, end, (int)(end-p));
++ dout("monmap_decode %p %p len %d (%d)\n", p, end, len, (int)(end-p));
+ p += sizeof(u16); /* skip version */
+
+ ceph_decode_need(&p, end, sizeof(fsid) + 2*sizeof(u32), bad);
+@@ -58,7 +58,6 @@ struct ceph_monmap *ceph_monmap_decode(void *p, void *end)
+ epoch = ceph_decode_32(&p);
+
+ num_mon = ceph_decode_32(&p);
+- ceph_decode_need(&p, end, num_mon*sizeof(m->mon_inst[0]), bad);
+
+ if (num_mon > CEPH_MAX_MON)
+ goto bad;
+@@ -68,17 +67,22 @@ struct ceph_monmap *ceph_monmap_decode(void *p, void *end)
+ m->fsid = fsid;
+ m->epoch = epoch;
+ m->num_mon = num_mon;
+- ceph_decode_copy(&p, m->mon_inst, num_mon*sizeof(m->mon_inst[0]));
+- for (i = 0; i < num_mon; i++)
+- ceph_decode_addr(&m->mon_inst[i].addr);
+-
++ for (i = 0; i < num_mon; ++i) {
++ struct ceph_entity_inst *inst = &m->mon_inst[i];
++
++ /* copy name portion */
++ ceph_decode_copy_safe(&p, end, &inst->name,
++ sizeof(inst->name), bad);
++ err = ceph_decode_entity_addr(&p, end, &inst->addr);
++ if (err)
++ goto bad;
++ }
+ dout("monmap_decode epoch %d, num_mon %d\n", m->epoch,
+ m->num_mon);
+ for (i = 0; i < m->num_mon; i++)
+ dout("monmap_decode mon%d is %s\n", i,
+ ceph_pr_addr(&m->mon_inst[i].addr));
+ return m;
+-
+ bad:
+ dout("monmap_decode failed with %d\n", err);
+ kfree(m);
+@@ -469,6 +473,7 @@ static void ceph_monc_handle_map(struct ceph_mon_client *monc,
+ if (IS_ERR(monmap)) {
+ pr_err("problem decoding monmap, %d\n",
+ (int)PTR_ERR(monmap));
++ ceph_msg_dump(msg);
+ goto out;
+ }
+
+
diff --git a/patches.suse/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph_buffer.patch b/patches.suse/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph_buffer.patch
new file mode 100644
index 0000000000..e4cf896236
--- /dev/null
+++ b/patches.suse/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph_buffer.patch
@@ -0,0 +1,29 @@
+From: Luis Henriques <lhenriques@suse.com>
+Date: Fri, 19 Jul 2019 15:32:19 +0100
+Subject: libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer
+Git-commit: 5c498950f730aa17c5f8a2cdcb903524e4002ed2
+Patch-mainline: v5.3-rc6
+References: bsc#1148133
+
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+---
+ include/linux/ceph/buffer.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/ceph/buffer.h b/include/linux/ceph/buffer.h
+index 5e58bb29b1a3..11cdc7c60480 100644
+--- a/include/linux/ceph/buffer.h
++++ b/include/linux/ceph/buffer.h
+@@ -30,7 +30,8 @@ static inline struct ceph_buffer *ceph_buffer_get(struct ceph_buffer *b)
+
+ static inline void ceph_buffer_put(struct ceph_buffer *b)
+ {
+- kref_put(&b->kref, ceph_buffer_release);
++ if (b)
++ kref_put(&b->kref, ceph_buffer_release);
+ }
+
+ extern int ceph_decode_buffer(struct ceph_buffer **b, void **p, void *end);
+
diff --git a/patches.suse/libceph-correctly-decode-addr2-addresses-in-incremental-osd-maps.patch b/patches.suse/libceph-correctly-decode-addr2-addresses-in-incremental-osd-maps.patch
new file mode 100644
index 0000000000..4d8045f77b
--- /dev/null
+++ b/patches.suse/libceph-correctly-decode-addr2-addresses-in-incremental-osd-maps.patch
@@ -0,0 +1,58 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Tue, 4 Jun 2019 15:10:44 -0400
+Subject: libceph: correctly decode ADDR2 addresses in incremental OSD maps
+Git-commit: 8cb5f2b4fcf4b8a4043e26c232b435e83e2abe87
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1136682
+
+Given the new format, we have to decode the addresses twice. Once to
+skip past the new_up_client field, and a second time to collect the
+addresses.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+
+---
+ net/ceph/osdmap.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
+index 95e98ae59a54..90437906b7bc 100644
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -1618,12 +1618,17 @@ static int decode_new_up_state_weight(void **p, void *end, u8 struct_v,
+ void *new_state;
+ void *new_weight_end;
+ u32 len;
++ int i;
+
+ new_up_client = *p;
+ ceph_decode_32_safe(p, end, len, e_inval);
+- len *= sizeof(u32) + sizeof(struct ceph_entity_addr);
+- ceph_decode_need(p, end, len, e_inval);
+- *p += len;
++ for (i = 0; i < len; ++i) {
++ struct ceph_entity_addr addr;
++
++ ceph_decode_skip_32(p, end, e_inval);
++ if (ceph_decode_entity_addr(p, end, &addr))
++ goto e_inval;
++ }
+
+ new_state = *p;
+ ceph_decode_32_safe(p, end, len, e_inval);
+@@ -1699,9 +1704,9 @@ static int decode_new_up_state_weight(void **p, void *end, u8 struct_v,
+ struct ceph_entity_addr addr;
+
+ osd = ceph_decode_32(p);
+- ceph_decode_copy(p, &addr, sizeof(addr));
+- ceph_decode_addr(&addr);
+ BUG_ON(osd >= map->max_osd);
++ if (ceph_decode_entity_addr(p, end, &addr))
++ goto e_inval;
+ pr_info("osd%d up\n", osd);
+ map->osd_state[osd] |= CEPH_OSD_EXISTS | CEPH_OSD_UP;
+ map->osd_addr[osd] = addr;
+
diff --git a/patches.suse/libceph-fix-pg-split-vs-osd-reconnect-race.patch b/patches.suse/libceph-fix-pg-split-vs-osd-reconnect-race.patch
new file mode 100644
index 0000000000..211e407664
--- /dev/null
+++ b/patches.suse/libceph-fix-pg-split-vs-osd-reconnect-race.patch
@@ -0,0 +1,71 @@
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Tue, 20 Aug 2019 16:40:33 +0200
+Subject: libceph: fix PG split vs OSD (re)connect race
+Git-commit: a561372405cf6bc6f14239b3a9e57bb39f2788b0
+Patch-mainline: v5.3-rc6
+References: bsc#1148133
+
+We can't rely on ->peer_features in calc_target() because it may be
+called both when the OSD session is established and open and when it's
+not. ->peer_features is not valid unless the OSD session is open. If
+this happens on a PG split (pg_num increase), that could mean we don't
+resend a request that should have been resent, hanging the client
+indefinitely.
+
+In userspace this was fixed by looking at require_osd_release and
+get_xinfo[osd].features fields of the osdmap. However these fields
+belong to the OSD section of the osdmap, which the kernel doesn't
+decode (only the client section is decoded).
+
+Instead, let's drop this feature check. It effectively checks for
+luminous, so only pre-luminous OSDs would be affected in that on a PG
+split the kernel might resend a request that should not have been
+resent. Duplicates can occur in other scenarios, so both sides should
+already be prepared for them: see dup/replay logic on the OSD side and
+retry_attempt check on the client side.
+
+Cc: stable@vger.kernel.org
+Fixes: 7de030d6b10a ("libceph: resend on PG splits if OSD has RESEND_ON_SPLIT")
+Link: https://tracker.ceph.com/issues/41162
+Reported-by: Jerry Lee <leisurelysw24@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Tested-by: Jerry Lee <leisurelysw24@gmail.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ net/ceph/osd_client.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
+index 0b2df09b2554..78ae6e8c953d 100644
+--- a/net/ceph/osd_client.c
++++ b/net/ceph/osd_client.c
+@@ -1496,7 +1496,7 @@ static enum calc_target_result calc_target(struct ceph_osd_client *osdc,
+ struct ceph_osds up, acting;
+ bool force_resend = false;
+ bool unpaused = false;
+- bool legacy_change;
++ bool legacy_change = false;
+ bool split = false;
+ bool sort_bitwise = ceph_osdmap_flag(osdc, CEPH_OSDMAP_SORTBITWISE);
+ bool recovery_deletes = ceph_osdmap_flag(osdc,
+@@ -1584,15 +1584,14 @@ static enum calc_target_result calc_target(struct ceph_osd_client *osdc,
+ t->osd = acting.primary;
+ }
+
+- if (unpaused || legacy_change || force_resend ||
+- (split && con && CEPH_HAVE_FEATURE(con->peer_features,
+- RESEND_ON_SPLIT)))
++ if (unpaused || legacy_change || force_resend || split)
+ ct_res = CALC_TARGET_NEED_RESEND;
+ else
+ ct_res = CALC_TARGET_NO_ACTION;
+
+ out:
+- dout("%s t %p -> ct_res %d osd %d\n", __func__, t, ct_res, t->osd);
++ dout("%s t %p -> %d%d%d%d ct_res %d osd%d\n", __func__, t, unpaused,
++ legacy_change, force_resend, split, ct_res, t->osd);
+ return ct_res;
+ }
+
+
diff --git a/patches.suse/libceph-fix-sa_family-just-after-reading-address.patch b/patches.suse/libceph-fix-sa_family-just-after-reading-address.patch
new file mode 100644
index 0000000000..feb97a9f09
--- /dev/null
+++ b/patches.suse/libceph-fix-sa_family-just-after-reading-address.patch
@@ -0,0 +1,48 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Tue, 4 Jun 2019 13:13:48 -0400
+Subject: libceph: fix sa_family just after reading address
+Git-commit: bc07532cc51f4c33cb6136405c9807c5961e468b
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1136682
+
+It doesn't make sense to leave it undecoded until later.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+
+---
+ net/ceph/messenger.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
+index cd0b094468b6..8d0c51dd4666 100644
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -1732,12 +1732,14 @@ static int read_partial_banner(struct ceph_connection *con)
+ ret = read_partial(con, end, size, &con->actual_peer_addr);
+ if (ret <= 0)
+ goto out;
++ ceph_decode_addr(&con->actual_peer_addr);
+
+ size = sizeof (con->peer_addr_for_me);
+ end += size;
+ ret = read_partial(con, end, size, &con->peer_addr_for_me);
+ if (ret <= 0)
+ goto out;
++ ceph_decode_addr(&con->peer_addr_for_me);
+
+ out:
+ return ret;
+@@ -2010,9 +2012,6 @@ static int process_banner(struct ceph_connection *con)
+ if (verify_hello(con) < 0)
+ return -1;
+
+- ceph_decode_addr(&con->actual_peer_addr);
+- ceph_decode_addr(&con->peer_addr_for_me);
+-
+ /*
+ * Make sure the other end is who we wanted. note that the other
+ * end may not yet know their ip address, so if it's 0.0.0.0, give
+
diff --git a/patches.suse/libceph-fix-unaligned-accesses-in-ceph_entity_addr-handling.patch b/patches.suse/libceph-fix-unaligned-accesses-in-ceph_entity_addr-handling.patch
new file mode 100644
index 0000000000..640706df2b
--- /dev/null
+++ b/patches.suse/libceph-fix-unaligned-accesses-in-ceph_entity_addr-handling.patch
@@ -0,0 +1,242 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Mon, 6 May 2019 09:38:46 -0400
+Subject: libceph: fix unaligned accesses in ceph_entity_addr handling
+Git-commit: cede185b1ba3118e1912385db4812a37d9e9b205
+Patch-mainline: v5.2-rc1
+References: bsc#1136682
+
+GCC9 is throwing a lot of warnings about unaligned access. This patch
+fixes some of them by changing most of the sockaddr handling functions
+to take a pointer to struct ceph_entity_addr instead of struct
+sockaddr_storage. The lower functions can then make copies or do
+unaligned accesses as needed.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ net/ceph/messenger.c | 77 +++++++++++++++++++++++++---------------------------
+ 1 file changed, 37 insertions(+), 40 deletions(-)
+
+diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
+index 3083988ce729..3e0cc9808ae4 100644
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -449,7 +449,7 @@ static void set_sock_callbacks(struct socket *sock,
+ */
+ static int ceph_tcp_connect(struct ceph_connection *con)
+ {
+- struct sockaddr_storage *paddr = &con->peer_addr.in_addr;
++ struct sockaddr_storage ss = con->peer_addr.in_addr; /* align */
+ struct socket *sock;
+ unsigned int noio_flag;
+ int ret;
+@@ -458,7 +458,7 @@ static int ceph_tcp_connect(struct ceph_connection *con)
+
+ /* sock_create_kern() allocates with GFP_KERNEL */
+ noio_flag = memalloc_noio_save();
+- ret = sock_create_kern(read_pnet(&con->msgr->net), paddr->ss_family,
++ ret = sock_create_kern(read_pnet(&con->msgr->net), ss.ss_family,
+ SOCK_STREAM, IPPROTO_TCP, &sock);
+ memalloc_noio_restore(noio_flag);
+ if (ret)
+@@ -474,7 +474,7 @@ static int ceph_tcp_connect(struct ceph_connection *con)
+ dout("connect %s\n", ceph_pr_addr(&con->peer_addr.in_addr));
+
+ con_sock_state_connecting(con);
+- ret = sock->ops->connect(sock, (struct sockaddr *)paddr, sizeof(*paddr),
++ ret = sock->ops->connect(sock, (struct sockaddr *)&ss, sizeof(ss),
+ O_NONBLOCK);
+ if (ret == -EINPROGRESS) {
+ dout("connect %s EINPROGRESS sk_state = %u\n",
+@@ -1795,14 +1795,15 @@ static int verify_hello(struct ceph_connection *con)
+ return 0;
+ }
+
+-static bool addr_is_blank(struct sockaddr_storage *ss)
++static bool addr_is_blank(struct ceph_entity_addr *addr)
+ {
+- struct in_addr *addr = &((struct sockaddr_in *)ss)->sin_addr;
+- struct in6_addr *addr6 = &((struct sockaddr_in6 *)ss)->sin6_addr;
++ struct sockaddr_storage ss = addr->in_addr; /* align */
++ struct in_addr *addr4 = &((struct sockaddr_in *)&ss)->sin_addr;
++ struct in6_addr *addr6 = &((struct sockaddr_in6 *)&ss)->sin6_addr;
+
+- switch (ss->ss_family) {
++ switch (ss.ss_family) {
+ case AF_INET:
+- return addr->s_addr == htonl(INADDR_ANY);
++ return addr4->s_addr == htonl(INADDR_ANY);
+ case AF_INET6:
+ return ipv6_addr_any(addr6);
+ default:
+@@ -1810,25 +1811,25 @@ static bool addr_is_blank(struct sockaddr_storage *ss)
+ }
+ }
+
+-static int addr_port(struct sockaddr_storage *ss)
++static int addr_port(struct ceph_entity_addr *addr)
+ {
+- switch (ss->ss_family) {
++ switch (get_unaligned(&addr->in_addr.ss_family)) {
+ case AF_INET:
+- return ntohs(((struct sockaddr_in *)ss)->sin_port);
++ return ntohs(get_unaligned(&((struct sockaddr_in *)&addr->in_addr)->sin_port));
+ case AF_INET6:
+- return ntohs(((struct sockaddr_in6 *)ss)->sin6_port);
++ return ntohs(get_unaligned(&((struct sockaddr_in6 *)&addr->in_addr)->sin6_port));
+ }
+ return 0;
+ }
+
+-static void addr_set_port(struct sockaddr_storage *ss, int p)
++static void addr_set_port(struct ceph_entity_addr *addr, int p)
+ {
+- switch (ss->ss_family) {
++ switch (get_unaligned(&addr->in_addr.ss_family)) {
+ case AF_INET:
+- ((struct sockaddr_in *)ss)->sin_port = htons(p);
++ put_unaligned(htons(p), &((struct sockaddr_in *)&addr->in_addr)->sin_port);
+ break;
+ case AF_INET6:
+- ((struct sockaddr_in6 *)ss)->sin6_port = htons(p);
++ put_unaligned(htons(p), &((struct sockaddr_in6 *)&addr->in_addr)->sin6_port);
+ break;
+ }
+ }
+@@ -1836,21 +1837,18 @@ static void addr_set_port(struct sockaddr_storage *ss, int p)
+ /*
+ * Unlike other *_pton function semantics, zero indicates success.
+ */
+-static int ceph_pton(const char *str, size_t len, struct sockaddr_storage *ss,
++static int ceph_pton(const char *str, size_t len, struct ceph_entity_addr *addr,
+ char delim, const char **ipend)
+ {
+- struct sockaddr_in *in4 = (struct sockaddr_in *) ss;
+- struct sockaddr_in6 *in6 = (struct sockaddr_in6 *) ss;
+-
+- memset(ss, 0, sizeof(*ss));
++ memset(&addr->in_addr, 0, sizeof(addr->in_addr));
+
+- if (in4_pton(str, len, (u8 *)&in4->sin_addr.s_addr, delim, ipend)) {
+- ss->ss_family = AF_INET;
++ if (in4_pton(str, len, (u8 *)&((struct sockaddr_in *)&addr->in_addr)->sin_addr.s_addr, delim, ipend)) {
++ put_unaligned(AF_INET, &addr->in_addr.ss_family);
+ return 0;
+ }
+
+- if (in6_pton(str, len, (u8 *)&in6->sin6_addr.s6_addr, delim, ipend)) {
+- ss->ss_family = AF_INET6;
++ if (in6_pton(str, len, (u8 *)&((struct sockaddr_in6 *)&addr->in_addr)->sin6_addr.s6_addr, delim, ipend)) {
++ put_unaligned(AF_INET6, &addr->in_addr.ss_family);
+ return 0;
+ }
+
+@@ -1862,7 +1860,7 @@ static int ceph_pton(const char *str, size_t len, struct sockaddr_storage *ss,
+ */
+ #ifdef CONFIG_CEPH_LIB_USE_DNS_RESOLVER
+ static int ceph_dns_resolve_name(const char *name, size_t namelen,
+- struct sockaddr_storage *ss, char delim, const char **ipend)
++ struct ceph_entity_addr *addr, char delim, const char **ipend)
+ {
+ const char *end, *delim_p;
+ char *colon_p, *ip_addr = NULL;
+@@ -1891,7 +1889,7 @@ static int ceph_dns_resolve_name(const char *name, size_t namelen,
+ /* do dns_resolve upcall */
+ ip_len = dns_query(NULL, name, end - name, NULL, &ip_addr, NULL);
+ if (ip_len > 0)
+- ret = ceph_pton(ip_addr, ip_len, ss, -1, NULL);
++ ret = ceph_pton(ip_addr, ip_len, addr, -1, NULL);
+ else
+ ret = -ESRCH;
+
+@@ -1900,13 +1898,13 @@ static int ceph_dns_resolve_name(const char *name, size_t namelen,
+ *ipend = end;
+
+ pr_info("resolve '%.*s' (ret=%d): %s\n", (int)(end - name), name,
+- ret, ret ? "failed" : ceph_pr_addr(ss));
++ ret, ret ? "failed" : ceph_pr_addr(&addr->in_addr));
+
+ return ret;
+ }
+ #else
+ static inline int ceph_dns_resolve_name(const char *name, size_t namelen,
+- struct sockaddr_storage *ss, char delim, const char **ipend)
++ struct ceph_entity_addr *addr, char delim, const char **ipend)
+ {
+ return -EINVAL;
+ }
+@@ -1917,13 +1915,13 @@ static inline int ceph_dns_resolve_name(const char *name, size_t namelen,
+ * then try to extract a hostname to resolve using userspace DNS upcall.
+ */
+ static int ceph_parse_server_name(const char *name, size_t namelen,
+- struct sockaddr_storage *ss, char delim, const char **ipend)
++ struct ceph_entity_addr *addr, char delim, const char **ipend)
+ {
+ int ret;
+
+- ret = ceph_pton(name, namelen, ss, delim, ipend);
++ ret = ceph_pton(name, namelen, addr, delim, ipend);
+ if (ret)
+- ret = ceph_dns_resolve_name(name, namelen, ss, delim, ipend);
++ ret = ceph_dns_resolve_name(name, namelen, addr, delim, ipend);
+
+ return ret;
+ }
+@@ -1942,7 +1940,6 @@ int ceph_parse_ips(const char *c, const char *end,
+ dout("parse_ips on '%.*s'\n", (int)(end-c), c);
+ for (i = 0; i < max_count; i++) {
+ const char *ipend;
+- struct sockaddr_storage *ss = &addr[i].in_addr;
+ int port;
+ char delim = ',';
+
+@@ -1951,7 +1948,7 @@ int ceph_parse_ips(const char *c, const char *end,
+ p++;
+ }
+
+- ret = ceph_parse_server_name(p, end - p, ss, delim, &ipend);
++ ret = ceph_parse_server_name(p, end - p, &addr[i], delim, &ipend);
+ if (ret)
+ goto bad;
+ ret = -EINVAL;
+@@ -1982,9 +1979,9 @@ int ceph_parse_ips(const char *c, const char *end,
+ port = CEPH_MON_PORT;
+ }
+
+- addr_set_port(ss, port);
++ addr_set_port(&addr[i], port);
+
+- dout("parse_ips got %s\n", ceph_pr_addr(ss));
++ dout("parse_ips got %s\n", ceph_pr_addr(&addr[i].in_addr));
+
+ if (p == end)
+ break;
+@@ -2023,7 +2020,7 @@ static int process_banner(struct ceph_connection *con)
+ */
+ if (memcmp(&con->peer_addr, &con->actual_peer_addr,
+ sizeof(con->peer_addr)) != 0 &&
+- !(addr_is_blank(&con->actual_peer_addr.in_addr) &&
++ !(addr_is_blank(&con->actual_peer_addr) &&
+ con->actual_peer_addr.nonce == con->peer_addr.nonce)) {
+ pr_warn("wrong peer, want %s/%d, got %s/%d\n",
+ ceph_pr_addr(&con->peer_addr.in_addr),
+@@ -2037,13 +2034,13 @@ static int process_banner(struct ceph_connection *con)
+ /*
+ * did we learn our address?
+ */
+- if (addr_is_blank(&con->msgr->inst.addr.in_addr)) {
+- int port = addr_port(&con->msgr->inst.addr.in_addr);
++ if (addr_is_blank(&con->msgr->inst.addr)) {
++ int port = addr_port(&con->msgr->inst.addr);
+
+ memcpy(&con->msgr->inst.addr.in_addr,
+ &con->peer_addr_for_me.in_addr,
+ sizeof(con->peer_addr_for_me.in_addr));
+- addr_set_port(&con->msgr->inst.addr.in_addr, port);
++ addr_set_port(&con->msgr->inst.addr, port);
+ encode_my_addr(con->msgr);
+ dout("process_banner learned my addr is %s\n",
+ ceph_pr_addr(&con->msgr->inst.addr.in_addr));
+
diff --git a/patches.suse/libceph-fix-watch_item_t-decoding-to-use-ceph_decode_entity_addr.patch b/patches.suse/libceph-fix-watch_item_t-decoding-to-use-ceph_decode_entity_addr.patch
new file mode 100644
index 0000000000..79890afe76
--- /dev/null
+++ b/patches.suse/libceph-fix-watch_item_t-decoding-to-use-ceph_decode_entity_addr.patch
@@ -0,0 +1,58 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Tue, 4 Jun 2019 14:35:18 -0400
+Subject: libceph: fix watch_item_t decoding to use ceph_decode_entity_addr
+Git-commit: 51fc7ab44519adc6684ac6575826f8b1a16ee4b3
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1136682
+
+While we're in there, let's also fix up the decoder to do proper
+bounds checking.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+
+---
+ net/ceph/osd_client.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
+index 9a8eca5eda65..54170a35ecec 100644
+--- a/net/ceph/osd_client.c
++++ b/net/ceph/osd_client.c
+@@ -4914,20 +4914,26 @@ static int decode_watcher(void **p, void *end, struct ceph_watch_item *item)
+ ret = ceph_start_decoding(p, end, 2, "watch_item_t",
+ &struct_v, &struct_len);
+ if (ret)
+- return ret;
++ goto bad;
++
++ ret = -EINVAL;
++ ceph_decode_copy_safe(p, end, &item->name, sizeof(item->name), bad);
++ ceph_decode_64_safe(p, end, item->cookie, bad);
++ ceph_decode_skip_32(p, end, bad); /* skip timeout seconds */
+
+- ceph_decode_copy(p, &item->name, sizeof(item->name));
+- item->cookie = ceph_decode_64(p);
+- *p += 4; /* skip timeout_seconds */
+ if (struct_v >= 2) {
+- ceph_decode_copy(p, &item->addr, sizeof(item->addr));
+- ceph_decode_addr(&item->addr);
++ ret = ceph_decode_entity_addr(p, end, &item->addr);
++ if (ret)
++ goto bad;
++ } else {
++ ret = 0;
+ }
+
+ dout("%s %s%llu cookie %llu addr %s\n", __func__,
+ ENTITY_NAME(item->name), item->cookie,
+ ceph_pr_addr(&item->addr));
+- return 0;
++bad:
++ return ret;
+ }
+
+ static int decode_watchers(void **p, void *end,
+
diff --git a/patches.suse/libceph-make-ceph_pr_addr-take-an-struct-ceph_entity_addr-pointer.patch b/patches.suse/libceph-make-ceph_pr_addr-take-an-struct-ceph_entity_addr-pointer.patch
new file mode 100644
index 0000000000..dd5bd93420
--- /dev/null
+++ b/patches.suse/libceph-make-ceph_pr_addr-take-an-struct-ceph_entity_addr-pointer.patch
@@ -0,0 +1,333 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Mon, 6 May 2019 09:38:47 -0400
+Subject: libceph: make ceph_pr_addr take an struct ceph_entity_addr pointer
+Git-commit: b726ec972cf2122137fbc47847b4fcc7b3bc2801
+Patch-mainline: v5.2-rc1
+References: bsc#1136682
+
+GCC9 is throwing a lot of warnings about unaligned accesses by
+callers of ceph_pr_addr. All of the current callers are passing a
+pointer to the sockaddr inside struct ceph_entity_addr.
+
+Fix it to take a pointer to a struct ceph_entity_addr instead,
+and then have the function make a copy of the sockaddr before
+printing it.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+---
+ fs/ceph/debugfs.c | 2 +-
+ fs/ceph/mdsmap.c | 2 +-
+ include/linux/ceph/messenger.h | 3 ++-
+ net/ceph/cls_lock_client.c | 2 +-
+ net/ceph/debugfs.c | 4 ++--
+ net/ceph/messenger.c | 48 +++++++++++++++++++++---------------------
+ net/ceph/mon_client.c | 6 +++---
+ net/ceph/osd_client.c | 2 +-
+ 8 files changed, 35 insertions(+), 34 deletions(-)
+
+diff --git a/fs/ceph/debugfs.c b/fs/ceph/debugfs.c
+index b014fc7d4e3c..b3fc5fe26a1a 100644
+--- a/fs/ceph/debugfs.c
++++ b/fs/ceph/debugfs.c
+@@ -37,7 +37,7 @@ static int mdsmap_show(struct seq_file *s, void *p)
+ struct ceph_entity_addr *addr = &mdsmap->m_info[i].addr;
+ int state = mdsmap->m_info[i].state;
+ seq_printf(s, "\tmds%d\t%s\t(%s)\n", i,
+- ceph_pr_addr(&addr->in_addr),
++ ceph_pr_addr(addr),
+ ceph_mds_state_name(state));
+ }
+ return 0;
+diff --git a/fs/ceph/mdsmap.c b/fs/ceph/mdsmap.c
+index 1a2c5d390f7f..701b4fb0fb5a 100644
+--- a/fs/ceph/mdsmap.c
++++ b/fs/ceph/mdsmap.c
+@@ -205,7 +205,7 @@ struct ceph_mdsmap *ceph_mdsmap_decode(void **p, void *end)
+
+ dout("mdsmap_decode %d/%d %lld mds%d.%d %s %s\n",
+ i+1, n, global_id, mds, inc,
+- ceph_pr_addr(&addr.in_addr),
++ ceph_pr_addr(&addr),
+ ceph_mds_state_name(state));
+
+ if (mds < 0 || state <= 0)
+diff --git a/include/linux/ceph/messenger.h b/include/linux/ceph/messenger.h
+index 800a2128d411..23895d178149 100644
+--- a/include/linux/ceph/messenger.h
++++ b/include/linux/ceph/messenger.h
+@@ -323,7 +323,8 @@ struct ceph_connection {
+ };
+
+
+-extern const char *ceph_pr_addr(const struct sockaddr_storage *ss);
++extern const char *ceph_pr_addr(const struct ceph_entity_addr *addr);
++
+ extern int ceph_parse_ips(const char *c, const char *end,
+ struct ceph_entity_addr *addr,
+ int max_count, int *count);
+diff --git a/net/ceph/cls_lock_client.c b/net/ceph/cls_lock_client.c
+index 2105a6eaa66c..4cc28541281b 100644
+--- a/net/ceph/cls_lock_client.c
++++ b/net/ceph/cls_lock_client.c
+@@ -271,7 +271,7 @@ static int decode_locker(void **p, void *end, struct ceph_locker *locker)
+
+ dout("%s %s%llu cookie %s addr %s\n", __func__,
+ ENTITY_NAME(locker->id.name), locker->id.cookie,
+- ceph_pr_addr(&locker->info.addr.in_addr));
++ ceph_pr_addr(&locker->info.addr));
+ return 0;
+ }
+
+diff --git a/net/ceph/debugfs.c b/net/ceph/debugfs.c
+index 46f65709a6ff..63aef9915f75 100644
+--- a/net/ceph/debugfs.c
++++ b/net/ceph/debugfs.c
+@@ -46,7 +46,7 @@ static int monmap_show(struct seq_file *s, void *p)
+
+ seq_printf(s, "\t%s%lld\t%s\n",
+ ENTITY_NAME(inst->name),
+- ceph_pr_addr(&inst->addr.in_addr));
++ ceph_pr_addr(&inst->addr));
+ }
+ return 0;
+ }
+@@ -82,7 +82,7 @@ static int osdmap_show(struct seq_file *s, void *p)
+ char sb[64];
+
+ seq_printf(s, "osd%d\t%s\t%3d%%\t(%s)\t%3d%%\n",
+- i, ceph_pr_addr(&addr->in_addr),
++ i, ceph_pr_addr(addr),
+ ((map->osd_weight[i]*100) >> 16),
+ ceph_osdmap_state_str(sb, sizeof(sb), state),
+ ((ceph_get_primary_affinity(map, i)*100) >> 16));
+diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
+index 3e0cc9808ae4..3ee380758ddd 100644
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -186,17 +186,18 @@ static atomic_t addr_str_seq = ATOMIC_INIT(0);
+
+ static struct page *zero_page; /* used in certain error cases */
+
+-const char *ceph_pr_addr(const struct sockaddr_storage *ss)
++const char *ceph_pr_addr(const struct ceph_entity_addr *addr)
+ {
+ int i;
+ char *s;
+- struct sockaddr_in *in4 = (struct sockaddr_in *) ss;
+- struct sockaddr_in6 *in6 = (struct sockaddr_in6 *) ss;
++ struct sockaddr_storage ss = addr->in_addr; /* align */
++ struct sockaddr_in *in4 = (struct sockaddr_in *)&ss;
++ struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)&ss;
+
+ i = atomic_inc_return(&addr_str_seq) & ADDR_STR_COUNT_MASK;
+ s = addr_str[i];
+
+- switch (ss->ss_family) {
++ switch (ss.ss_family) {
+ case AF_INET:
+ snprintf(s, MAX_ADDR_STR_LEN, "%pI4:%hu", &in4->sin_addr,
+ ntohs(in4->sin_port));
+@@ -209,7 +210,7 @@ const char *ceph_pr_addr(const struct sockaddr_storage *ss)
+
+ default:
+ snprintf(s, MAX_ADDR_STR_LEN, "(unknown sockaddr family %hu)",
+- ss->ss_family);
++ ss.ss_family);
+ }
+
+ return s;
+@@ -471,18 +472,18 @@ static int ceph_tcp_connect(struct ceph_connection *con)
+
+ set_sock_callbacks(sock, con);
+
+- dout("connect %s\n", ceph_pr_addr(&con->peer_addr.in_addr));
++ dout("connect %s\n", ceph_pr_addr(&con->peer_addr));
+
+ con_sock_state_connecting(con);
+ ret = sock->ops->connect(sock, (struct sockaddr *)&ss, sizeof(ss),
+ O_NONBLOCK);
+ if (ret == -EINPROGRESS) {
+ dout("connect %s EINPROGRESS sk_state = %u\n",
+- ceph_pr_addr(&con->peer_addr.in_addr),
++ ceph_pr_addr(&con->peer_addr),
+ sock->sk->sk_state);
+ } else if (ret < 0) {
+ pr_err("connect %s error %d\n",
+- ceph_pr_addr(&con->peer_addr.in_addr), ret);
++ ceph_pr_addr(&con->peer_addr), ret);
+ sock_release(sock);
+ return ret;
+ }
+@@ -669,8 +670,7 @@ static void reset_connection(struct ceph_connection *con)
+ void ceph_con_close(struct ceph_connection *con)
+ {
+ mutex_lock(&con->mutex);
+- dout("con_close %p peer %s\n", con,
+- ceph_pr_addr(&con->peer_addr.in_addr));
++ dout("con_close %p peer %s\n", con, ceph_pr_addr(&con->peer_addr));
+ con->state = CON_STATE_CLOSED;
+
+ con_flag_clear(con, CON_FLAG_LOSSYTX); /* so we retry next connect */
+@@ -694,7 +694,7 @@ void ceph_con_open(struct ceph_connection *con,
+ struct ceph_entity_addr *addr)
+ {
+ mutex_lock(&con->mutex);
+- dout("con_open %p %s\n", con, ceph_pr_addr(&addr->in_addr));
++ dout("con_open %p %s\n", con, ceph_pr_addr(addr));
+
+ WARN_ON(con->state != CON_STATE_CLOSED);
+ con->state = CON_STATE_PREOPEN;
+@@ -1788,7 +1788,7 @@ static int verify_hello(struct ceph_connection *con)
+ {
+ if (memcmp(con->in_banner, CEPH_BANNER, strlen(CEPH_BANNER))) {
+ pr_err("connect to %s got bad banner\n",
+- ceph_pr_addr(&con->peer_addr.in_addr));
++ ceph_pr_addr(&con->peer_addr));
+ con->error_msg = "protocol error, bad banner";
+ return -1;
+ }
+@@ -1898,7 +1898,7 @@ static int ceph_dns_resolve_name(const char *name, size_t namelen,
+ *ipend = end;
+
+ pr_info("resolve '%.*s' (ret=%d): %s\n", (int)(end - name), name,
+- ret, ret ? "failed" : ceph_pr_addr(&addr->in_addr));
++ ret, ret ? "failed" : ceph_pr_addr(addr));
+
+ return ret;
+ }
+@@ -1981,7 +1981,7 @@ int ceph_parse_ips(const char *c, const char *end,
+
+ addr_set_port(&addr[i], port);
+
+- dout("parse_ips got %s\n", ceph_pr_addr(&addr[i].in_addr));
++ dout("parse_ips got %s\n", ceph_pr_addr(&addr[i]));
+
+ if (p == end)
+ break;
+@@ -2023,9 +2023,9 @@ static int process_banner(struct ceph_connection *con)
+ !(addr_is_blank(&con->actual_peer_addr) &&
+ con->actual_peer_addr.nonce == con->peer_addr.nonce)) {
+ pr_warn("wrong peer, want %s/%d, got %s/%d\n",
+- ceph_pr_addr(&con->peer_addr.in_addr),
++ ceph_pr_addr(&con->peer_addr),
+ (int)le32_to_cpu(con->peer_addr.nonce),
+- ceph_pr_addr(&con->actual_peer_addr.in_addr),
++ ceph_pr_addr(&con->actual_peer_addr),
+ (int)le32_to_cpu(con->actual_peer_addr.nonce));
+ con->error_msg = "wrong peer at address";
+ return -1;
+@@ -2043,7 +2043,7 @@ static int process_banner(struct ceph_connection *con)
+ addr_set_port(&con->msgr->inst.addr, port);
+ encode_my_addr(con->msgr);
+ dout("process_banner learned my addr is %s\n",
+- ceph_pr_addr(&con->msgr->inst.addr.in_addr));
++ ceph_pr_addr(&con->msgr->inst.addr));
+ }
+
+ return 0;
+@@ -2094,7 +2094,7 @@ static int process_connect(struct ceph_connection *con)
+ pr_err("%s%lld %s feature set mismatch,"
+ " my %llx < server's %llx, missing %llx\n",
+ ENTITY_NAME(con->peer_name),
+- ceph_pr_addr(&con->peer_addr.in_addr),
++ ceph_pr_addr(&con->peer_addr),
+ sup_feat, server_feat, server_feat & ~sup_feat);
+ con->error_msg = "missing required protocol features";
+ reset_connection(con);
+@@ -2104,7 +2104,7 @@ static int process_connect(struct ceph_connection *con)
+ pr_err("%s%lld %s protocol version mismatch,"
+ " my %d != server's %d\n",
+ ENTITY_NAME(con->peer_name),
+- ceph_pr_addr(&con->peer_addr.in_addr),
++ ceph_pr_addr(&con->peer_addr),
+ le32_to_cpu(con->out_connect.protocol_version),
+ le32_to_cpu(con->in_reply.protocol_version));
+ con->error_msg = "protocol version mismatch";
+@@ -2138,7 +2138,7 @@ static int process_connect(struct ceph_connection *con)
+ le32_to_cpu(con->in_reply.connect_seq));
+ pr_err("%s%lld %s connection reset\n",
+ ENTITY_NAME(con->peer_name),
+- ceph_pr_addr(&con->peer_addr.in_addr));
++ ceph_pr_addr(&con->peer_addr));
+ reset_connection(con);
+ con_out_kvec_reset(con);
+ ret = prepare_write_connect(con);
+@@ -2195,7 +2195,7 @@ static int process_connect(struct ceph_connection *con)
+ pr_err("%s%lld %s protocol feature mismatch,"
+ " my required %llx > server's %llx, need %llx\n",
+ ENTITY_NAME(con->peer_name),
+- ceph_pr_addr(&con->peer_addr.in_addr),
++ ceph_pr_addr(&con->peer_addr),
+ req_feat, server_feat, req_feat & ~server_feat);
+ con->error_msg = "missing required protocol features";
+ reset_connection(con);
+@@ -2402,7 +2402,7 @@ static int read_partial_message(struct ceph_connection *con)
+ if ((s64)seq - (s64)con->in_seq < 1) {
+ pr_info("skipping %s%lld %s seq %lld expected %lld\n",
+ ENTITY_NAME(con->peer_name),
+- ceph_pr_addr(&con->peer_addr.in_addr),
++ ceph_pr_addr(&con->peer_addr),
+ seq, con->in_seq + 1);
+ con->in_base_pos = -front_len - middle_len - data_len -
+ sizeof_footer(con);
+@@ -2981,10 +2981,10 @@ static void ceph_con_workfn(struct work_struct *work)
+ static void con_fault(struct ceph_connection *con)
+ {
+ dout("fault %p state %lu to peer %s\n",
+- con, con->state, ceph_pr_addr(&con->peer_addr.in_addr));
++ con, con->state, ceph_pr_addr(&con->peer_addr));
+
+ pr_warn("%s%lld %s %s\n", ENTITY_NAME(con->peer_name),
+- ceph_pr_addr(&con->peer_addr.in_addr), con->error_msg);
++ ceph_pr_addr(&con->peer_addr), con->error_msg);
+ con->error_msg = NULL;
+
+ WARN_ON(con->state != CON_STATE_CONNECTING &&
+diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
+index a53e4fbb6319..895679d3529b 100644
+--- a/net/ceph/mon_client.c
++++ b/net/ceph/mon_client.c
+@@ -76,7 +76,7 @@ struct ceph_monmap *ceph_monmap_decode(void *p, void *end)
+ m->num_mon);
+ for (i = 0; i < m->num_mon; i++)
+ dout("monmap_decode mon%d is %s\n", i,
+- ceph_pr_addr(&m->mon_inst[i].addr.in_addr));
++ ceph_pr_addr(&m->mon_inst[i].addr));
+ return m;
+
+ bad:
+@@ -203,7 +203,7 @@ static void reopen_session(struct ceph_mon_client *monc)
+ {
+ if (!monc->hunting)
+ pr_info("mon%d %s session lost, hunting for new mon\n",
+- monc->cur_mon, ceph_pr_addr(&monc->con.peer_addr.in_addr));
++ monc->cur_mon, ceph_pr_addr(&monc->con.peer_addr));
+
+ __close_session(monc);
+ __open_session(monc);
+@@ -1178,7 +1178,7 @@ static void handle_auth_reply(struct ceph_mon_client *monc,
+ __resend_generic_request(monc);
+
+ pr_info("mon%d %s session established\n", monc->cur_mon,
+- ceph_pr_addr(&monc->con.peer_addr.in_addr));
++ ceph_pr_addr(&monc->con.peer_addr));
+ }
+
+ out:
+diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
+index fa9530dd876e..e6d31e0f0289 100644
+--- a/net/ceph/osd_client.c
++++ b/net/ceph/osd_client.c
+@@ -4926,7 +4926,7 @@ static int decode_watcher(void **p, void *end, struct ceph_watch_item *item)
+
+ dout("%s %s%llu cookie %llu addr %s\n", __func__,
+ ENTITY_NAME(item->name), item->cookie,
+- ceph_pr_addr(&item->addr.in_addr));
++ ceph_pr_addr(&item->addr));
+ return 0;
+ }
+
+
diff --git a/patches.suse/libceph-rename-ceph_encode_addr-to-ceph_encode_banner_addr.patch b/patches.suse/libceph-rename-ceph_encode_addr-to-ceph_encode_banner_addr.patch
new file mode 100644
index 0000000000..38f36a3772
--- /dev/null
+++ b/patches.suse/libceph-rename-ceph_encode_addr-to-ceph_encode_banner_addr.patch
@@ -0,0 +1,73 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Mon, 17 Jun 2019 09:24:31 -0400
+Subject: libceph: rename ceph_encode_addr to ceph_encode_banner_addr
+Git-commit: 2c66de560fa2dda0a600e908897116914db8f500
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1136682
+
+...ditto for the decode function. We only use these functions to fix
+up banner addresses now, so let's name them more appropriately.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+
+---
+ include/linux/ceph/decode.h | 4 ++--
+ net/ceph/messenger.c | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/linux/ceph/decode.h b/include/linux/ceph/decode.h
+index ce488d95be89..450384fe487c 100644
+--- a/include/linux/ceph/decode.h
++++ b/include/linux/ceph/decode.h
+@@ -221,7 +221,7 @@ static inline void ceph_encode_timespec64(struct ceph_timespec *tv,
+ #define CEPH_ENTITY_ADDR_TYPE_NONE 0
+ #define CEPH_ENTITY_ADDR_TYPE_LEGACY __cpu_to_le32(1)
+
+-static inline void ceph_encode_addr(struct ceph_entity_addr *a)
++static inline void ceph_encode_banner_addr(struct ceph_entity_addr *a)
+ {
+ __be16 ss_family = htons(a->in_addr.ss_family);
+ a->in_addr.ss_family = *(__u16 *)&ss_family;
+@@ -229,7 +229,7 @@ static inline void ceph_encode_addr(struct ceph_entity_addr *a)
+ /* Banner addresses require TYPE_NONE */
+ a->type = CEPH_ENTITY_ADDR_TYPE_NONE;
+ }
+-static inline void ceph_decode_addr(struct ceph_entity_addr *a)
++static inline void ceph_decode_banner_addr(struct ceph_entity_addr *a)
+ {
+ __be16 ss_family = *(__be16 *)&a->in_addr.ss_family;
+ a->in_addr.ss_family = ntohs(ss_family);
+diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
+index 0a3ef33cf7ac..0473d9a7b1f4 100644
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -222,7 +222,7 @@ EXPORT_SYMBOL(ceph_pr_addr);
+ static void encode_my_addr(struct ceph_messenger *msgr)
+ {
+ memcpy(&msgr->my_enc_addr, &msgr->inst.addr, sizeof(msgr->my_enc_addr));
+- ceph_encode_addr(&msgr->my_enc_addr);
++ ceph_encode_banner_addr(&msgr->my_enc_addr);
+ }
+
+ /*
+@@ -1734,14 +1734,14 @@ static int read_partial_banner(struct ceph_connection *con)
+ ret = read_partial(con, end, size, &con->actual_peer_addr);
+ if (ret <= 0)
+ goto out;
+- ceph_decode_addr(&con->actual_peer_addr);
++ ceph_decode_banner_addr(&con->actual_peer_addr);
+
+ size = sizeof (con->peer_addr_for_me);
+ end += size;
+ ret = read_partial(con, end, size, &con->peer_addr_for_me);
+ if (ret <= 0)
+ goto out;
+- ceph_decode_addr(&con->peer_addr_for_me);
++ ceph_decode_banner_addr(&con->peer_addr_for_me);
+
+ out:
+ return ret;
+
diff --git a/patches.suse/libceph-switch-osdmap-decoding-to-use-ceph_decode_entity_addr.patch b/patches.suse/libceph-switch-osdmap-decoding-to-use-ceph_decode_entity_addr.patch
new file mode 100644
index 0000000000..d935146fa3
--- /dev/null
+++ b/patches.suse/libceph-switch-osdmap-decoding-to-use-ceph_decode_entity_addr.patch
@@ -0,0 +1,51 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Mon, 3 Jun 2019 15:08:13 -0400
+Subject: libceph: switch osdmap decoding to use ceph_decode_entity_addr
+Git-commit: dcbc919a5dc8c2629684a113a90c0b6fe10c3462
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1136682
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+
+---
+ net/ceph/osdmap.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
+index 48a31dc9161c..95e98ae59a54 100644
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -1489,11 +1489,9 @@ static int osdmap_decode(void **p, void *end, struct ceph_osdmap *map)
+
+ /* osd_state, osd_weight, osd_addrs->client_addr */
+ ceph_decode_need(p, end, 3*sizeof(u32) +
+- map->max_osd*((struct_v >= 5 ? sizeof(u32) :
+- sizeof(u8)) +
+- sizeof(*map->osd_weight) +
+- sizeof(*map->osd_addr)), e_inval);
+-
++ map->max_osd*(struct_v >= 5 ? sizeof(u32) :
++ sizeof(u8)) +
++ sizeof(*map->osd_weight), e_inval);
+ if (ceph_decode_32(p) != map->max_osd)
+ goto e_inval;
+
+@@ -1514,9 +1512,11 @@ static int osdmap_decode(void **p, void *end, struct ceph_osdmap *map)
+ if (ceph_decode_32(p) != map->max_osd)
+ goto e_inval;
+
+- ceph_decode_copy(p, map->osd_addr, map->max_osd*sizeof(*map->osd_addr));
+- for (i = 0; i < map->max_osd; i++)
+- ceph_decode_addr(&map->osd_addr[i]);
++ for (i = 0; i < map->max_osd; i++) {
++ err = ceph_decode_entity_addr(p, end, &map->osd_addr[i]);
++ if (err)
++ goto bad;
++ }
+
+ /* pg_temp */
+ err = decode_pg_temp(p, end, map);
+
diff --git a/patches.suse/libceph-turn-on-ceph_feature_msg_addr2.patch b/patches.suse/libceph-turn-on-ceph_feature_msg_addr2.patch
new file mode 100644
index 0000000000..66bda386d5
--- /dev/null
+++ b/patches.suse/libceph-turn-on-ceph_feature_msg_addr2.patch
@@ -0,0 +1,32 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Fri, 31 May 2019 12:24:22 -0400
+Subject: libceph: turn on CEPH_FEATURE_MSG_ADDR2
+Git-commit: 6adaaafdd81d5c01875fe233ab73deb81b34caa1
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1136682
+
+Now that the client can handle either address formatting, advertise to
+the peer that we can support it.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+
+---
+ include/linux/ceph/ceph_features.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/ceph/ceph_features.h b/include/linux/ceph/ceph_features.h
+index 65a38c4a02a1..39e6f4c57580 100644
+--- a/include/linux/ceph/ceph_features.h
++++ b/include/linux/ceph/ceph_features.h
+@@ -211,6 +211,7 @@ DEFINE_CEPH_FEATURE_DEPRECATED(63, 1, RESERVED_BROKEN, LUMINOUS) // client-facin
+ CEPH_FEATURE_MON_STATEFUL_SUB | \
+ CEPH_FEATURE_CRUSH_TUNABLES5 | \
+ CEPH_FEATURE_NEW_OSDOPREPLY_ENCODING | \
++ CEPH_FEATURE_MSG_ADDR2 | \
+ CEPH_FEATURE_CEPHX_V2)
+
+ #define CEPH_FEATURES_REQUIRED_DEFAULT 0
+
diff --git a/patches.suse/libceph-use-type_legacy-for-entity-addrs-instead-of-type_none.patch b/patches.suse/libceph-use-type_legacy-for-entity-addrs-instead-of-type_none.patch
new file mode 100644
index 0000000000..d268b7f37d
--- /dev/null
+++ b/patches.suse/libceph-use-type_legacy-for-entity-addrs-instead-of-type_none.patch
@@ -0,0 +1,117 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Mon, 17 Jun 2019 06:57:25 -0400
+Subject: libceph: use TYPE_LEGACY for entity addrs instead of TYPE_NONE
+Git-commit: d3c3c0a841d5dafc5395be363996d619255a732f
+Patch-mainline: v5.3-rc1
+References: bsc#1148133 bsc#1136682
+
+Going forward, we'll have different address types so let's use
+the addr2 TYPE_LEGACY for internal tracking rather than TYPE_NONE.
+
+Also, make ceph_pr_addr print the address type value as well.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+
+---
+ include/linux/ceph/decode.h | 7 +++++++
+ net/ceph/decode.c | 18 ++++++------------
+ net/ceph/messenger.c | 7 +++++--
+ 3 files changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/include/linux/ceph/decode.h b/include/linux/ceph/decode.h
+index 1c0a665bfc03..ce488d95be89 100644
+--- a/include/linux/ceph/decode.h
++++ b/include/linux/ceph/decode.h
+@@ -218,16 +218,23 @@ static inline void ceph_encode_timespec64(struct ceph_timespec *tv,
+ /*
+ * sockaddr_storage <-> ceph_sockaddr
+ */
++#define CEPH_ENTITY_ADDR_TYPE_NONE 0
++#define CEPH_ENTITY_ADDR_TYPE_LEGACY __cpu_to_le32(1)
++
+ static inline void ceph_encode_addr(struct ceph_entity_addr *a)
+ {
+ __be16 ss_family = htons(a->in_addr.ss_family);
+ a->in_addr.ss_family = *(__u16 *)&ss_family;
++
++ /* Banner addresses require TYPE_NONE */
++ a->type = CEPH_ENTITY_ADDR_TYPE_NONE;
+ }
+ static inline void ceph_decode_addr(struct ceph_entity_addr *a)
+ {
+ __be16 ss_family = *(__be16 *)&a->in_addr.ss_family;
+ a->in_addr.ss_family = ntohs(ss_family);
+ WARN_ON(a->in_addr.ss_family == 512);
++ a->type = CEPH_ENTITY_ADDR_TYPE_LEGACY;
+ }
+
+ extern int ceph_decode_entity_addr(void **p, void *end,
+diff --git a/net/ceph/decode.c b/net/ceph/decode.c
+index b82981199549..eea529595a7a 100644
+--- a/net/ceph/decode.c
++++ b/net/ceph/decode.c
+@@ -21,17 +21,6 @@ ceph_decode_entity_addr_versioned(void **p, void *end,
+
+ ceph_decode_copy_safe(p, end, &addr->type, sizeof(addr->type), bad);
+
+- /*
+- * TYPE_NONE == 0
+- * TYPE_LEGACY == 1
+- *
+- * Clients that don't support ADDR2 always send TYPE_NONE.
+- * For now, since all we support is msgr1, just set this to 0
+- * when we get a TYPE_LEGACY type.
+- */
+- if (addr->type == cpu_to_le32(1))
+- addr->type = 0;
+-
+ ceph_decode_copy_safe(p, end, &addr->nonce, sizeof(addr->nonce), bad);
+
+ ceph_decode_32_safe(p, end, addr_len, bad);
+@@ -61,7 +50,12 @@ ceph_decode_entity_addr_legacy(void **p, void *end,
+
+ /* Skip rest of type field */
+ ceph_decode_skip_n(p, end, 3, bad);
+- addr->type = 0;
++
++ /*
++ * Clients that don't support ADDR2 always send TYPE_NONE, change it
++ * to TYPE_LEGACY for forward compatibility.
++ */
++ addr->type = CEPH_ENTITY_ADDR_TYPE_LEGACY;
+ ceph_decode_copy_safe(p, end, &addr->nonce, sizeof(addr->nonce), bad);
+ memset(&addr->in_addr, 0, sizeof(addr->in_addr));
+ ceph_decode_copy_safe(p, end, &addr->in_addr,
+diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
+index 8d0c51dd4666..0a3ef33cf7ac 100644
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -199,12 +199,14 @@ const char *ceph_pr_addr(const struct ceph_entity_addr *addr)
+
+ switch (ss.ss_family) {
+ case AF_INET:
+- snprintf(s, MAX_ADDR_STR_LEN, "%pI4:%hu", &in4->sin_addr,
++ snprintf(s, MAX_ADDR_STR_LEN, "(%d)%pI4:%hu",
++ le32_to_cpu(addr->type), &in4->sin_addr,
+ ntohs(in4->sin_port));
+ break;
+
+ case AF_INET6:
+- snprintf(s, MAX_ADDR_STR_LEN, "[%pI6c]:%hu", &in6->sin6_addr,
++ snprintf(s, MAX_ADDR_STR_LEN, "(%d)[%pI6c]:%hu",
++ le32_to_cpu(addr->type), &in6->sin6_addr,
+ ntohs(in6->sin6_port));
+ break;
+
+@@ -1982,6 +1984,7 @@ int ceph_parse_ips(const char *c, const char *end,
+ }
+
+ addr_set_port(&addr[i], port);
++ addr[i].type = CEPH_ENTITY_ADDR_TYPE_LEGACY;
+
+ dout("parse_ips got %s\n", ceph_pr_addr(&addr[i]));
+
+
diff --git a/patches.suse/mac80211-Correctly-set-noencrypt-for-PAE-frames.patch b/patches.suse/mac80211-Correctly-set-noencrypt-for-PAE-frames.patch
new file mode 100644
index 0000000000..39703d71c8
--- /dev/null
+++ b/patches.suse/mac80211-Correctly-set-noencrypt-for-PAE-frames.patch
@@ -0,0 +1,39 @@
+From f8b43c5cf4b62a19f2210a0f5367b84e1eff1ab9 Mon Sep 17 00:00:00 2001
+From: Denis Kenzior <denkenz@gmail.com>
+Date: Tue, 27 Aug 2019 17:41:20 -0500
+Subject: [PATCH] mac80211: Correctly set noencrypt for PAE frames
+Git-commit: f8b43c5cf4b62a19f2210a0f5367b84e1eff1ab9
+Patch-mainline: v5.3-rc7
+References: bsc#1111666
+
+The noencrypt flag was intended to be set if the "frame was received
+unencrypted" according to include/uapi/linux/nl80211.h. However, the
+current behavior is opposite of this.
+
+Cc: stable@vger.kernel.org
+Fixes: 018f6fbf540d ("mac80211: Send control port frames over nl80211")
+Signed-off-by: Denis Kenzior <denkenz@gmail.com>
+Link: https://lore.kernel.org/r/20190827224120.14545-3-denkenz@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/mac80211/rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 7c4aeac006fb..768d14c9a716 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2447,7 +2447,7 @@ static void ieee80211_deliver_skb_to_local_stack(struct sk_buff *skb,
+ skb->protocol == cpu_to_be16(ETH_P_PREAUTH)) &&
+ sdata->control_port_over_nl80211)) {
+ struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
+- bool noencrypt = status->flag & RX_FLAG_DECRYPTED;
++ bool noencrypt = !(status->flag & RX_FLAG_DECRYPTED);
+
+ cfg80211_rx_control_port(dev, skb, noencrypt);
+ dev_kfree_skb(skb);
+--
+2.16.4
+
diff --git a/patches.suse/mac80211-Don-t-memset-RXCB-prior-to-PAE-intercept.patch b/patches.suse/mac80211-Don-t-memset-RXCB-prior-to-PAE-intercept.patch
new file mode 100644
index 0000000000..064ebacf0a
--- /dev/null
+++ b/patches.suse/mac80211-Don-t-memset-RXCB-prior-to-PAE-intercept.patch
@@ -0,0 +1,51 @@
+From c8a41c6afa27b8c3f61622dfd882b912da9d6721 Mon Sep 17 00:00:00 2001
+From: Denis Kenzior <denkenz@gmail.com>
+Date: Tue, 27 Aug 2019 17:41:19 -0500
+Subject: [PATCH] mac80211: Don't memset RXCB prior to PAE intercept
+Git-commit: c8a41c6afa27b8c3f61622dfd882b912da9d6721
+Patch-mainline: v5.3-rc7
+References: bsc#1111666
+
+In ieee80211_deliver_skb_to_local_stack intercepts EAPoL frames if
+mac80211 is configured to do so and forwards the contents over nl80211.
+During this process some additional data is also forwarded, including
+whether the frame was received encrypted or not. Unfortunately just
+prior to the call to ieee80211_deliver_skb_to_local_stack, skb->cb is
+cleared, resulting in incorrect data being exposed over nl80211.
+
+Fixes: 018f6fbf540d ("mac80211: Send control port frames over nl80211")
+Cc: stable@vger.kernel.org
+Signed-off-by: Denis Kenzior <denkenz@gmail.com>
+Link: https://lore.kernel.org/r/20190827224120.14545-2-denkenz@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/mac80211/rx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 3c1ab870fefe..7c4aeac006fb 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2452,6 +2452,8 @@ static void ieee80211_deliver_skb_to_local_stack(struct sk_buff *skb,
+ cfg80211_rx_control_port(dev, skb, noencrypt);
+ dev_kfree_skb(skb);
+ } else {
++ memset(skb->cb, 0, sizeof(skb->cb));
++
+ /* deliver to local stack */
+ if (rx->napi)
+ napi_gro_receive(rx->napi, skb);
+@@ -2546,8 +2548,6 @@ ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
+
+ if (skb) {
+ skb->protocol = eth_type_trans(skb, dev);
+- memset(skb->cb, 0, sizeof(skb->cb));
+-
+ ieee80211_deliver_skb_to_local_stack(skb, rx);
+ }
+
+--
+2.16.4
+
diff --git a/patches.suse/mac80211-fix-possible-sta-leak.patch b/patches.suse/mac80211-fix-possible-sta-leak.patch
new file mode 100644
index 0000000000..2316cbeaf0
--- /dev/null
+++ b/patches.suse/mac80211-fix-possible-sta-leak.patch
@@ -0,0 +1,51 @@
+From 5fd2f91ad483baffdbe798f8a08f1b41442d1e24 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 1 Aug 2019 09:30:33 +0200
+Subject: [PATCH] mac80211: fix possible sta leak
+Git-commit: 5fd2f91ad483baffdbe798f8a08f1b41442d1e24
+Patch-mainline: v5.3-rc7
+References: bsc#1051510
+
+If TDLS station addition is rejected, the sta memory is leaked.
+Avoid this by moving the check before the allocation.
+
+Cc: stable@vger.kernel.org
+Fixes: 7ed5285396c2 ("mac80211: don't initiate TDLS connection if station is not associated to AP")
+Link: https://lore.kernel.org/r/20190801073033.7892-1-johannes@sipsolutions.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/mac80211/cfg.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 4d458067d80d..111c400199ec 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1546,6 +1546,11 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
+ if (is_multicast_ether_addr(mac))
+ return -EINVAL;
+
++ if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER) &&
++ sdata->vif.type == NL80211_IFTYPE_STATION &&
++ !sdata->u.mgd.associated)
++ return -EINVAL;
++
+ sta = sta_info_alloc(sdata, mac, GFP_KERNEL);
+ if (!sta)
+ return -ENOMEM;
+@@ -1553,10 +1558,6 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
+ if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
+ sta->sta.tdls = true;
+
+- if (sta->sta.tdls && sdata->vif.type == NL80211_IFTYPE_STATION &&
+- !sdata->u.mgd.associated)
+- return -EINVAL;
+-
+ err = sta_apply_parameters(local, sta, params);
+ if (err) {
+ sta_info_free(local, sta);
+--
+2.16.4
+
diff --git a/patches.suse/mmc-sdhci-of-at91-add-quirk-for-broken-HS200.patch b/patches.suse/mmc-sdhci-of-at91-add-quirk-for-broken-HS200.patch
new file mode 100644
index 0000000000..af4a39d92c
--- /dev/null
+++ b/patches.suse/mmc-sdhci-of-at91-add-quirk-for-broken-HS200.patch
@@ -0,0 +1,41 @@
+From 7871aa60ae0086fe4626abdf5ed13eeddf306c61 Mon Sep 17 00:00:00 2001
+From: Eugen Hristev <eugen.hristev@microchip.com>
+Date: Thu, 8 Aug 2019 08:35:40 +0000
+Subject: [PATCH] mmc: sdhci-of-at91: add quirk for broken HS200
+Git-commit: 7871aa60ae0086fe4626abdf5ed13eeddf306c61
+Patch-mainline: v5.3-rc7
+References: bsc#1051510
+
+HS200 is not implemented in the driver, but the controller claims it
+through caps. Remove it via a quirk, to make sure the mmc core do not try
+to enable HS200, as it causes the eMMC initialization to fail.
+
+Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Fixes: bb5f8ea4d514 ("mmc: sdhci-of-at91: introduce driver for the Atmel SDMMC")
+Cc: stable@vger.kernel.org # v4.4+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/mmc/host/sdhci-of-at91.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci-of-at91.c b/drivers/mmc/host/sdhci-of-at91.c
+index d4e7e8b7be77..e7d1920729fb 100644
+--- a/drivers/mmc/host/sdhci-of-at91.c
++++ b/drivers/mmc/host/sdhci-of-at91.c
+@@ -357,6 +357,9 @@ static int sdhci_at91_probe(struct platform_device *pdev)
+ pm_runtime_set_autosuspend_delay(&pdev->dev, 50);
+ pm_runtime_use_autosuspend(&pdev->dev);
+
++ /* HS200 is broken at this moment */
++ host->quirks2 = SDHCI_QUIRK2_BROKEN_HS200;
++
+ ret = sdhci_add_host(host);
+ if (ret)
+ goto pm_runtime_disable;
+--
+2.16.4
+
diff --git a/patches.suse/mpls-fix-warning-with-multi-label-encap.patch b/patches.suse/mpls-fix-warning-with-multi-label-encap.patch
new file mode 100644
index 0000000000..9b472caa5c
--- /dev/null
+++ b/patches.suse/mpls-fix-warning-with-multi-label-encap.patch
@@ -0,0 +1,45 @@
+From 2f3f7d1fa0d1039b24a55d127ed190f196fc3e79 Mon Sep 17 00:00:00 2001
+From: George Wilkie <gwilkie@vyatta.att-mail.com>
+Date: Fri, 7 Jun 2019 11:49:41 +0100
+Subject: [PATCH] mpls: fix warning with multi-label encap
+Git-commit: 2f3f7d1fa0d1039b24a55d127ed190f196fc3e79
+Patch-mainline: v5.2-rc6
+References: bsc#1051510
+
+If you configure a route with multiple labels, e.g.
+ ip route add 10.10.3.0/24 encap mpls 16/100 via 10.10.2.2 dev ens4
+A warning is logged:
+ kernel: [ 130.561819] netlink: 'ip': attribute type 1 has an invalid
+ length.
+
+This happens because mpls_iptunnel_policy has set the type of
+MPLS_IPTUNNEL_DST to fixed size NLA_U32.
+Change it to a minimum size.
+nla_get_labels() does the remaining validation.
+
+Fixes: e3e4712ec096 ("mpls: ip tunnel support")
+Signed-off-by: George Wilkie <gwilkie@vyatta.att-mail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/mpls/mpls_iptunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mpls/mpls_iptunnel.c b/net/mpls/mpls_iptunnel.c
+index 500596130760..d25e91d7bdc1 100644
+--- a/net/mpls/mpls_iptunnel.c
++++ b/net/mpls/mpls_iptunnel.c
+@@ -23,7 +23,7 @@
+ #include "internal.h"
+
+ static const struct nla_policy mpls_iptunnel_policy[MPLS_IPTUNNEL_MAX + 1] = {
+- [MPLS_IPTUNNEL_DST] = { .type = NLA_U32 },
++ [MPLS_IPTUNNEL_DST] = { .len = sizeof(u32) },
+ [MPLS_IPTUNNEL_TTL] = { .type = NLA_U8 },
+ };
+
+--
+2.16.4
+
diff --git a/patches.suse/powerpc-fadump-when-fadump-is-supported-register-the.patch b/patches.suse/powerpc-fadump-when-fadump-is-supported-register-the.patch
new file mode 100644
index 0000000000..36df0b9c09
--- /dev/null
+++ b/patches.suse/powerpc-fadump-when-fadump-is-supported-register-the.patch
@@ -0,0 +1,68 @@
+From d34ad20a798191a6217cf245b85a26b07c0edd01 Mon Sep 17 00:00:00 2001
+From: Michal Suchanek <msuchanek@suse.de>
+Date: Tue, 20 Aug 2019 13:29:45 +0200
+Subject: [PATCH v2] powerpc/fadump: when fadump is supported register the
+ fadump sysfs files.
+To: linuxppc-dev@lists.ozlabs.org
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>, Paul Mackerras <paulus@samba.org>, Michael Ellerman <mpe@ellerman.id.au>, Michal Suchanek <msuchanek@suse.de>, Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>, Hari Bathini <hbathini@linux.vnet.ibm.com>, Christophe Leroy <christophe.leroy@c-s.fr>, Yangtao Li <tiny.windzz@gmail.com>, Thomas Gleixner <tglx@linutronix.de>, linux-kernel@vger.kernel.org
+
+References: bsc#1146352
+Patch-mainline: submitted https://patchwork.ozlabs.org/patch/1154687/
+
+Currently it is not possible to distinguish the case when fadump is
+supported by firmware and disabled in kernel and completely unsupported
+using the kernel sysfs interface. User can investigate the devicetree
+but it is more reasonable to provide sysfs files in case we get some
+fadumpv2 in the future.
+
+With this patch sysfs files are available whenever fadump is supported
+by firmware.
+
+Signed-off-by: Michal Suchanek <msuchanek@suse.de>
+---
+v2: move the sysfs initialization earlier to avoid condition nesting
+---
+ arch/powerpc/kernel/fadump.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
+index 4eab97292cc2..13741380b2f7 100644
+--- a/arch/powerpc/kernel/fadump.c
++++ b/arch/powerpc/kernel/fadump.c
+@@ -1671,16 +1671,20 @@ static void fadump_init_files(void)
+ */
+ int __init setup_fadump(void)
+ {
+- if (!fw_dump.fadump_enabled)
+- return 0;
+-
+- if (!fw_dump.fadump_supported) {
++ if (!fw_dump.fadump_supported && fw_dump.fadump_enabled) {
+ printk(KERN_ERR "Firmware-assisted dump is not supported on"
+ " this hardware\n");
+- return 0;
+ }
+
++ if (!fw_dump.fadump_supported)
++ return 0;
++
++ fadump_init_files();
+ fadump_show_config();
++
++ if (!fw_dump.fadump_enabled)
++ return 1;
++
+ /*
+ * If dump data is available then see if it is valid and prepare for
+ * saving it to the disk.
+@@ -1696,7 +1700,6 @@ int __init setup_fadump(void)
+ /* Initialize the kernel dump memory structure for FAD registration. */
+ else if (fw_dump.reserve_dump_area_size)
+ init_fadump_mem_struct(&fdm, fw_dump.reserve_dump_area_start);
+- fadump_init_files();
+
+ return 1;
+ }
+--
+2.22.0
+
diff --git a/patches.suse/powerpc-xive-Fix-dump-of-XIVE-interrupt-under-pserie.patch b/patches.suse/powerpc-xive-Fix-dump-of-XIVE-interrupt-under-pserie.patch
new file mode 100644
index 0000000000..391d8a5049
--- /dev/null
+++ b/patches.suse/powerpc-xive-Fix-dump-of-XIVE-interrupt-under-pserie.patch
@@ -0,0 +1,215 @@
+From b4868ff55d082bc66b0c287a41e4888f6d3e5f87 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@kaod.org>
+Date: Wed, 14 Aug 2019 17:47:53 +0200
+Subject: [PATCH] powerpc/xive: Fix dump of XIVE interrupt under pseries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+References: bsc#1142019
+Patch-mainline: queued
+Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git
+Git-commit: b4868ff55d082bc66b0c287a41e4888f6d3e5f87
+
+The xmon 'dxi' command calls OPAL to query the XIVE configuration of a
+interrupt. This can only be done on baremetal (PowerNV) and it will
+crash a pseries machine.
+
+Introduce a new XIVE get_irq_config() operation which implements a
+different query depending on the platform, PowerNV or pseries, and
+modify xmon to use a top level wrapper.
+
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190814154754.23682-3-clg@kaod.org
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/include/asm/xive.h | 2 +
+ arch/powerpc/sysdev/xive/common.c | 7 ++++
+ arch/powerpc/sysdev/xive/native.c | 15 +++++++
+ arch/powerpc/sysdev/xive/spapr.c | 51 ++++++++++++++++++++++++
+ arch/powerpc/sysdev/xive/xive-internal.h | 2 +
+ arch/powerpc/xmon/xmon.c | 12 +++---
+ 6 files changed, 83 insertions(+), 6 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/xive.h b/arch/powerpc/include/asm/xive.h
+index efb0e597b272..967d6ab3c977 100644
+--- a/arch/powerpc/include/asm/xive.h
++++ b/arch/powerpc/include/asm/xive.h
+@@ -99,6 +99,8 @@ extern void xive_flush_interrupt(void);
+
+ /* xmon hook */
+ extern void xmon_xive_do_dump(int cpu);
++extern int xmon_xive_get_irq_config(u32 irq, u32 *target, u8 *prio,
++ u32 *sw_irq);
+
+ /* APIs used by KVM */
+ extern u32 xive_native_default_eq_shift(void);
+diff --git a/arch/powerpc/sysdev/xive/common.c b/arch/powerpc/sysdev/xive/common.c
+index 6b973b7cdd8a..f75a660365e5 100644
+--- a/arch/powerpc/sysdev/xive/common.c
++++ b/arch/powerpc/sysdev/xive/common.c
+@@ -257,6 +257,13 @@ notrace void xmon_xive_do_dump(int cpu)
+ }
+ #endif
+ }
++
++int xmon_xive_get_irq_config(u32 irq, u32 *target, u8 *prio,
++ u32 *sw_irq)
++{
++ return xive_ops->get_irq_config(irq, target, prio, sw_irq);
++}
++
+ #endif /* CONFIG_XMON */
+
+ static unsigned int xive_get_irq(void)
+diff --git a/arch/powerpc/sysdev/xive/native.c b/arch/powerpc/sysdev/xive/native.c
+index 2f26b74f6cfa..4b61e44f0171 100644
+--- a/arch/powerpc/sysdev/xive/native.c
++++ b/arch/powerpc/sysdev/xive/native.c
+@@ -111,6 +111,20 @@ int xive_native_configure_irq(u32 hw_irq, u32 target, u8 prio, u32 sw_irq)
+ }
+ EXPORT_SYMBOL_GPL(xive_native_configure_irq);
+
++static int xive_native_get_irq_config(u32 hw_irq, u32 *target, u8 *prio,
++ u32 *sw_irq)
++{
++ s64 rc;
++ __be64 vp;
++ __be32 lirq;
++
++ rc = opal_xive_get_irq_config(hw_irq, &vp, prio, &lirq);
++
++ *target = be64_to_cpu(vp);
++ *sw_irq = be32_to_cpu(lirq);
++
++ return rc == 0 ? 0 : -ENXIO;
++}
+
+ /* This can be called multiple time to change a queue configuration */
+ int xive_native_configure_queue(u32 vp_id, struct xive_q *q, u8 prio,
+@@ -442,6 +456,7 @@ EXPORT_SYMBOL_GPL(xive_native_sync_queue);
+ static const struct xive_ops xive_native_ops = {
+ .populate_irq_data = xive_native_populate_irq_data,
+ .configure_irq = xive_native_configure_irq,
++ .get_irq_config = xive_native_get_irq_config,
+ .setup_queue = xive_native_setup_queue,
+ .cleanup_queue = xive_native_cleanup_queue,
+ .match = xive_native_match,
+diff --git a/arch/powerpc/sysdev/xive/spapr.c b/arch/powerpc/sysdev/xive/spapr.c
+index 52198131c75e..33c10749edec 100644
+--- a/arch/powerpc/sysdev/xive/spapr.c
++++ b/arch/powerpc/sysdev/xive/spapr.c
+@@ -215,6 +215,38 @@ static long plpar_int_set_source_config(unsigned long flags,
+ return 0;
+ }
+
++static long plpar_int_get_source_config(unsigned long flags,
++ unsigned long lisn,
++ unsigned long *target,
++ unsigned long *prio,
++ unsigned long *sw_irq)
++{
++ unsigned long retbuf[PLPAR_HCALL_BUFSIZE];
++ long rc;
++
++ pr_devel("H_INT_GET_SOURCE_CONFIG flags=%lx lisn=%lx\n", flags, lisn);
++
++ do {
++ rc = plpar_hcall(H_INT_GET_SOURCE_CONFIG, retbuf, flags, lisn,
++ target, prio, sw_irq);
++ } while (plpar_busy_delay(rc));
++
++ if (rc) {
++ pr_err("H_INT_GET_SOURCE_CONFIG lisn=%ld failed %ld\n",
++ lisn, rc);
++ return rc;
++ }
++
++ *target = retbuf[0];
++ *prio = retbuf[1];
++ *sw_irq = retbuf[2];
++
++ pr_devel("H_INT_GET_SOURCE_CONFIG target=%lx prio=%lx sw_irq=%lx\n",
++ retbuf[0], retbuf[1], retbuf[2]);
++
++ return 0;
++}
++
+ static long plpar_int_get_queue_info(unsigned long flags,
+ unsigned long target,
+ unsigned long priority,
+@@ -398,6 +430,24 @@ static int xive_spapr_configure_irq(u32 hw_irq, u32 target, u8 prio, u32 sw_irq)
+ return rc == 0 ? 0 : -ENXIO;
+ }
+
++static int xive_spapr_get_irq_config(u32 hw_irq, u32 *target, u8 *prio,
++ u32 *sw_irq)
++{
++ long rc;
++ unsigned long h_target;
++ unsigned long h_prio;
++ unsigned long h_sw_irq;
++
++ rc = plpar_int_get_source_config(0, hw_irq, &h_target, &h_prio,
++ &h_sw_irq);
++
++ *target = h_target;
++ *prio = h_prio;
++ *sw_irq = h_sw_irq;
++
++ return rc == 0 ? 0 : -ENXIO;
++}
++
+ /* This can be called multiple time to change a queue configuration */
+ static int xive_spapr_configure_queue(u32 target, struct xive_q *q, u8 prio,
+ __be32 *qpage, u32 order)
+@@ -590,6 +640,7 @@ static void xive_spapr_sync_source(u32 hw_irq)
+ static const struct xive_ops xive_spapr_ops = {
+ .populate_irq_data = xive_spapr_populate_irq_data,
+ .configure_irq = xive_spapr_configure_irq,
++ .get_irq_config = xive_spapr_get_irq_config,
+ .setup_queue = xive_spapr_setup_queue,
+ .cleanup_queue = xive_spapr_cleanup_queue,
+ .match = xive_spapr_match,
+diff --git a/arch/powerpc/sysdev/xive/xive-internal.h b/arch/powerpc/sysdev/xive/xive-internal.h
+index 211725dbf364..59cd366e7933 100644
+--- a/arch/powerpc/sysdev/xive/xive-internal.h
++++ b/arch/powerpc/sysdev/xive/xive-internal.h
+@@ -33,6 +33,8 @@ struct xive_cpu {
+ struct xive_ops {
+ int (*populate_irq_data)(u32 hw_irq, struct xive_irq_data *data);
+ int (*configure_irq)(u32 hw_irq, u32 target, u8 prio, u32 sw_irq);
++ int (*get_irq_config)(u32 hw_irq, u32 *target, u8 *prio,
++ u32 *sw_irq);
+ int (*setup_queue)(unsigned int cpu, struct xive_cpu *xc, u8 prio);
+ void (*cleanup_queue)(unsigned int cpu, struct xive_cpu *xc, u8 prio);
+ void (*setup_cpu)(unsigned int cpu, struct xive_cpu *xc);
+diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
+index 25d4adccf750..4ea53e05053f 100644
+--- a/arch/powerpc/xmon/xmon.c
++++ b/arch/powerpc/xmon/xmon.c
+@@ -2574,14 +2574,14 @@ static void dump_all_xives(void)
+
+ static void dump_one_xive_irq(u32 num)
+ {
+- s64 rc;
+- __be64 vp;
++ int rc;
++ u32 target;
+ u8 prio;
+- __be32 lirq;
++ u32 lirq;
+
+- rc = opal_xive_get_irq_config(num, &vp, &prio, &lirq);
+- xmon_printf("IRQ 0x%x config: vp=0x%llx prio=%d lirq=0x%x (rc=%lld)\n",
+- num, be64_to_cpu(vp), prio, be32_to_cpu(lirq), rc);
++ rc = xmon_xive_get_irq_config(num, &target, &prio, &lirq);
++ xmon_printf("IRQ 0x%08x : target=0x%x prio=%d lirq=0x%x (rc=%d)\n",
++ num, target, prio, lirq, rc);
+ }
+
+ static void dump_xives(void)
+--
+2.22.0
+
diff --git a/patches.suse/powerpc-xmon-Add-a-dump-of-all-XIVE-interrupts.patch b/patches.suse/powerpc-xmon-Add-a-dump-of-all-XIVE-interrupts.patch
new file mode 100644
index 0000000000..de520390d9
--- /dev/null
+++ b/patches.suse/powerpc-xmon-Add-a-dump-of-all-XIVE-interrupts.patch
@@ -0,0 +1,66 @@
+From 39f14e79b15a40709ef177bc4c07f193b6d3bce3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@kaod.org>
+Date: Wed, 14 Aug 2019 17:47:54 +0200
+Subject: [PATCH] powerpc/xmon: Add a dump of all XIVE interrupts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+References: bsc#1142019
+Patch-mainline: queued
+Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git
+Git-commit: 39f14e79b15a40709ef177bc4c07f193b6d3bce3
+
+Modify the xmon 'dxi' command to query all interrupts if no IRQ number
+is specified.
+
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190814154754.23682-4-clg@kaod.org
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/xmon/xmon.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
+index 4ea53e05053f..dc9832e06256 100644
+--- a/arch/powerpc/xmon/xmon.c
++++ b/arch/powerpc/xmon/xmon.c
+@@ -2584,6 +2584,25 @@ static void dump_one_xive_irq(u32 num)
+ num, target, prio, lirq, rc);
+ }
+
++static void dump_all_xive_irq(void)
++{
++ unsigned int i;
++ struct irq_desc *desc;
++
++ for_each_irq_desc(i, desc) {
++ struct irq_data *d = irq_desc_get_irq_data(desc);
++ unsigned int hwirq;
++
++ if (!d)
++ continue;
++
++ hwirq = (unsigned int)irqd_to_hwirq(d);
++ /* IPIs are special (HW number 0) */
++ if (hwirq)
++ dump_one_xive_irq(hwirq);
++ }
++}
++
+ static void dump_xives(void)
+ {
+ unsigned long num;
+@@ -2601,6 +2620,8 @@ static void dump_xives(void)
+ } else if (c == 'i') {
+ if (scanhex(&num))
+ dump_one_xive_irq(num);
++ else
++ dump_all_xive_irq();
+ return;
+ }
+
+--
+2.22.0
+
diff --git a/patches.suse/powerpc-xmon-Check-for-HV-mode-when-dumping-XIVE-inf.patch b/patches.suse/powerpc-xmon-Check-for-HV-mode-when-dumping-XIVE-inf.patch
new file mode 100644
index 0000000000..bcea95d6fe
--- /dev/null
+++ b/patches.suse/powerpc-xmon-Check-for-HV-mode-when-dumping-XIVE-inf.patch
@@ -0,0 +1,59 @@
+From c3e0dbd7f780a58c4695f1cd8fc8afde80376737 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@kaod.org>
+Date: Wed, 14 Aug 2019 17:47:52 +0200
+Subject: [PATCH] powerpc/xmon: Check for HV mode when dumping XIVE info from
+ OPAL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+References: bsc#1142019
+Patch-mainline: queued
+Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git
+Git-commit: c3e0dbd7f780a58c4695f1cd8fc8afde80376737
+
+Currently, the xmon 'dx' command calls OPAL to dump the XIVE state in
+the OPAL logs and also outputs some of the fields of the internal XIVE
+structures in Linux. The OPAL calls can only be done on baremetal
+(PowerNV) and they crash a pseries machine. Fix by checking the
+hypervisor feature of the CPU.
+
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190814154754.23682-2-clg@kaod.org
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/xmon/xmon.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
+index 14e56c25879f..25d4adccf750 100644
+--- a/arch/powerpc/xmon/xmon.c
++++ b/arch/powerpc/xmon/xmon.c
+@@ -2534,13 +2534,16 @@ static void dump_pacas(void)
+ static void dump_one_xive(int cpu)
+ {
+ unsigned int hwid = get_hard_smp_processor_id(cpu);
+-
+- opal_xive_dump(XIVE_DUMP_TM_HYP, hwid);
+- opal_xive_dump(XIVE_DUMP_TM_POOL, hwid);
+- opal_xive_dump(XIVE_DUMP_TM_OS, hwid);
+- opal_xive_dump(XIVE_DUMP_TM_USER, hwid);
+- opal_xive_dump(XIVE_DUMP_VP, hwid);
+- opal_xive_dump(XIVE_DUMP_EMU_STATE, hwid);
++ bool hv = cpu_has_feature(CPU_FTR_HVMODE);
++
++ if (hv) {
++ opal_xive_dump(XIVE_DUMP_TM_HYP, hwid);
++ opal_xive_dump(XIVE_DUMP_TM_POOL, hwid);
++ opal_xive_dump(XIVE_DUMP_TM_OS, hwid);
++ opal_xive_dump(XIVE_DUMP_TM_USER, hwid);
++ opal_xive_dump(XIVE_DUMP_VP, hwid);
++ opal_xive_dump(XIVE_DUMP_EMU_STATE, hwid);
++ }
+
+ if (setjmp(bus_error_jmp) != 0) {
+ catch_memory_errors = 0;
+--
+2.22.0
+
diff --git a/patches.suse/rsi-add-fix-for-crash-during-assertions.patch b/patches.suse/rsi-add-fix-for-crash-during-assertions.patch
new file mode 100644
index 0000000000..677a81e06e
--- /dev/null
+++ b/patches.suse/rsi-add-fix-for-crash-during-assertions.patch
@@ -0,0 +1,38 @@
+From abd39c6ded9db53aa44c2540092bdd5fb6590fa8 Mon Sep 17 00:00:00 2001
+From: Sanjay Konduri <sanjay.konduri@redpinesignals.com>
+Date: Tue, 15 May 2018 14:34:30 +0530
+Subject: [PATCH] rsi: add fix for crash during assertions
+Git-commit: abd39c6ded9db53aa44c2540092bdd5fb6590fa8
+Patch-mainline: v4.18-rc1
+References: CVE-2018-21008,bsc#1149591
+
+Observed crash in some scenarios when assertion has occurred,
+this is because hw structure is freed and is tried to get
+accessed in some functions where null check is already
+present. So, avoided the crash by making the hw to NULL after
+freeing.
+
+Signed-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>
+Signed-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/wireless/rsi/rsi_91x_mac80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/rsi/rsi_91x_mac80211.c b/drivers/net/wireless/rsi/rsi_91x_mac80211.c
+index 3faa0449a5ef..bfa7569c85bb 100644
+--- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c
++++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c
+@@ -245,6 +245,7 @@ void rsi_mac80211_detach(struct rsi_hw *adapter)
+ ieee80211_stop_queues(hw);
+ ieee80211_unregister_hw(hw);
+ ieee80211_free_hw(hw);
++ adapter->hw = NULL;
+ }
+
+ for (band = 0; band < NUM_NL80211_BANDS; band++) {
+--
+2.16.4
+
diff --git a/patches.suse/rtc-pcf8523-don-t-return-invalid-date-when-battery-i.patch b/patches.suse/rtc-pcf8523-don-t-return-invalid-date-when-battery-i.patch
new file mode 100644
index 0000000000..415085b17f
--- /dev/null
+++ b/patches.suse/rtc-pcf8523-don-t-return-invalid-date-when-battery-i.patch
@@ -0,0 +1,87 @@
+From ecb4a353d3afd45b9bb30c85d03ee113a0589079 Mon Sep 17 00:00:00 2001
+From: Baruch Siach <baruch@tkos.co.il>
+Date: Wed, 5 Dec 2018 17:00:09 +0200
+Subject: [PATCH] rtc: pcf8523: don't return invalid date when battery is low
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: ecb4a353d3afd45b9bb30c85d03ee113a0589079
+Patch-mainline: v5.0-rc1
+References: bsc#1051510
+
+The RTC_VL_READ ioctl reports the low battery condition. Still,
+pcf8523_rtc_read_time() happily returns invalid dates in this case.
+Check the battery health on pcf8523_rtc_read_time() to avoid that.
+
+Reported-by: Erik Čuk <erik.cuk@domel.com>
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/rtc/rtc-pcf8523.c | 32 ++++++++++++++++++++++++--------
+ 1 file changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/rtc/rtc-pcf8523.c b/drivers/rtc/rtc-pcf8523.c
+index 453615f8ac9a..3fcd2cbafc84 100644
+--- a/drivers/rtc/rtc-pcf8523.c
++++ b/drivers/rtc/rtc-pcf8523.c
+@@ -85,6 +85,18 @@ static int pcf8523_write(struct i2c_client *client, u8 reg, u8 value)
+ return 0;
+ }
+
++static int pcf8523_voltage_low(struct i2c_client *client)
++{
++ u8 value;
++ int err;
++
++ err = pcf8523_read(client, REG_CONTROL3, &value);
++ if (err < 0)
++ return err;
++
++ return !!(value & REG_CONTROL3_BLF);
++}
++
+ static int pcf8523_select_capacitance(struct i2c_client *client, bool high)
+ {
+ u8 value;
+@@ -167,6 +179,14 @@ static int pcf8523_rtc_read_time(struct device *dev, struct rtc_time *tm)
+ struct i2c_msg msgs[2];
+ int err;
+
++ err = pcf8523_voltage_low(client);
++ if (err < 0) {
++ return err;
++ } else if (err > 0) {
++ dev_err(dev, "low voltage detected, time is unreliable\n");
++ return -EINVAL;
++ }
++
+ msgs[0].addr = client->addr;
+ msgs[0].flags = 0;
+ msgs[0].len = 1;
+@@ -251,17 +271,13 @@ static int pcf8523_rtc_ioctl(struct device *dev, unsigned int cmd,
+ unsigned long arg)
+ {
+ struct i2c_client *client = to_i2c_client(dev);
+- u8 value;
+- int ret = 0, err;
++ int ret;
+
+ switch (cmd) {
+ case RTC_VL_READ:
+- err = pcf8523_read(client, REG_CONTROL3, &value);
+- if (err < 0)
+- return err;
+-
+- if (value & REG_CONTROL3_BLF)
+- ret = 1;
++ ret = pcf8523_voltage_low(client);
++ if (ret < 0)
++ return ret;
+
+ if (copy_to_user((void __user *)arg, &ret, sizeof(int)))
+ return -EFAULT;
+--
+2.16.4
+
diff --git a/patches.suse/samples-bpf-fix-to-change-the-buffer-size-for-read.patch b/patches.suse/samples-bpf-fix-to-change-the-buffer-size-for-read.patch
new file mode 100644
index 0000000000..5ef61a07f9
--- /dev/null
+++ b/patches.suse/samples-bpf-fix-to-change-the-buffer-size-for-read.patch
@@ -0,0 +1,45 @@
+From f7c2d64bac1be2ff32f8e4f500c6e5429c1003e0 Mon Sep 17 00:00:00 2001
+From: Chang-Hsien Tsai <luke.tw@gmail.com>
+Date: Sun, 19 May 2019 09:05:44 +0000
+Subject: [PATCH] samples, bpf: fix to change the buffer size for read()
+Git-commit: f7c2d64bac1be2ff32f8e4f500c6e5429c1003e0
+Patch-mainline: v5.2-rc6
+References: bsc#1051510
+
+If the trace for read is larger than 4096, the return
+value sz will be 4096. This results in off-by-one error
+on buf:
+
+ static char buf[4096];
+ ssize_t sz;
+
+ sz = read(trace_fd, buf, sizeof(buf));
+ if (sz > 0) {
+ buf[sz] = 0;
+ puts(buf);
+ }
+
+Signed-off-by: Chang-Hsien Tsai <luke.tw@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ samples/bpf/bpf_load.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/bpf/bpf_load.c b/samples/bpf/bpf_load.c
+index eae7b635343d..6e87cc831e84 100644
+--- a/samples/bpf/bpf_load.c
++++ b/samples/bpf/bpf_load.c
+@@ -678,7 +678,7 @@ void read_trace_pipe(void)
+ static char buf[4096];
+ ssize_t sz;
+
+- sz = read(trace_fd, buf, sizeof(buf));
++ sz = read(trace_fd, buf, sizeof(buf) - 1);
+ if (sz > 0) {
+ buf[sz] = 0;
+ puts(buf);
+--
+2.16.4
+
diff --git a/patches.suse/samples-mei-use-dev-mei0-instead-of-dev-mei.patch b/patches.suse/samples-mei-use-dev-mei0-instead-of-dev-mei.patch
new file mode 100644
index 0000000000..0d27474fa0
--- /dev/null
+++ b/patches.suse/samples-mei-use-dev-mei0-instead-of-dev-mei.patch
@@ -0,0 +1,36 @@
+From c4a46acf1db3ce547d290c29e55b3476c78dd76c Mon Sep 17 00:00:00 2001
+From: Tomas Winkler <tomas.winkler@intel.com>
+Date: Thu, 24 Jan 2019 14:45:03 +0200
+Subject: [PATCH] samples: mei: use /dev/mei0 instead of /dev/mei
+Git-commit: c4a46acf1db3ce547d290c29e55b3476c78dd76c
+Patch-mainline: v5.0-rc6
+References: bsc#1051510
+
+The device was moved from misc device to character devices
+to support multiple mei devices.
+
+Cc: <stable@vger.kernel.org> #v4.9+
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ samples/mei/mei-amt-version.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/mei/mei-amt-version.c b/samples/mei/mei-amt-version.c
+index 33e67bd1dc34..32234481ad7d 100644
+--- a/samples/mei/mei-amt-version.c
++++ b/samples/mei/mei-amt-version.c
+@@ -117,7 +117,7 @@ static bool mei_init(struct mei *me, const uuid_le *guid,
+
+ me->verbose = verbose;
+
+- me->fd = open("/dev/mei", O_RDWR);
++ me->fd = open("/dev/mei0", O_RDWR);
+ if (me->fd == -1) {
+ mei_err(me, "Cannot establish a handle to the Intel MEI driver\n");
+ goto err;
+--
+2.16.4
+
diff --git a/patches.suse/scripts-checkstack.pl-Fix-arm64-wrong-or-unknown-arc.patch b/patches.suse/scripts-checkstack.pl-Fix-arm64-wrong-or-unknown-arc.patch
new file mode 100644
index 0000000000..f645c0d10f
--- /dev/null
+++ b/patches.suse/scripts-checkstack.pl-Fix-arm64-wrong-or-unknown-arc.patch
@@ -0,0 +1,39 @@
+From 4f45d62a52297b10ded963412a158685647ecdec Mon Sep 17 00:00:00 2001
+From: "George G. Davis" <george_davis@mentor.com>
+Date: Mon, 3 Jun 2019 10:30:39 -0400
+Subject: [PATCH] scripts/checkstack.pl: Fix arm64 wrong or unknown architecture
+Git-commit: 4f45d62a52297b10ded963412a158685647ecdec
+Patch-mainline: v5.2-rc4
+References: bsc#1051510
+
+The following error occurs for the `make ARCH=arm64 checkstack` case:
+
+aarch64-linux-gnu-objdump -d vmlinux $(find . -name '*.ko') | \
+perl ./scripts/checkstack.pl arm64
+wrong or unknown architecture "arm64"
+
+As suggested by Masahiro Yamada, fix the above error using regular
+expressions in the same way it was fixed for the `ARCH=x86` case via
+commit fda9f9903be6 ("scripts/checkstack.pl: automatically handle
+32-bit and 64-bit mode for ARCH=x86").
+
+Suggested-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: George G. Davis <george_davis@mentor.com>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ scripts/checkstack.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/checkstack.pl
++++ b/scripts/checkstack.pl
+@@ -44,7 +44,7 @@ my (@stack, $re, $dre, $x, $xs, $funcre)
+ $x = "[0-9a-f]"; # hex character
+ $xs = "[0-9a-f ]"; # hex character or space
+ $funcre = qr/^$x* <(.*)>:$/;
+- if ($arch eq 'aarch64') {
++ if ($arch =~ '^(aarch|arm)64$') {
+ #ffffffc0006325cc: a9bb7bfd stp x29, x30, [sp, #-80]!
+ $re = qr/^.*stp.*sp, \#-([0-9]{1,8})\]\!/o;
+ } elsif ($arch eq 'arm') {
diff --git a/patches.suse/scripts-decode_stacktrace-only-strip-base-path-when-.patch b/patches.suse/scripts-decode_stacktrace-only-strip-base-path-when-.patch
new file mode 100644
index 0000000000..cde403ac46
--- /dev/null
+++ b/patches.suse/scripts-decode_stacktrace-only-strip-base-path-when-.patch
@@ -0,0 +1,49 @@
+From 67a28de47faa83585dd644bd4c31e5a1d9346c50 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Fri, 28 Dec 2018 00:31:25 -0800
+Subject: [PATCH] scripts/decode_stacktrace: only strip base path when a prefix of the path
+Git-commit: 67a28de47faa83585dd644bd4c31e5a1d9346c50
+Patch-mainline: v5.0-rc1
+References: bsc#1051510
+
+Running something like:
+
+ decodecode vmlinux .
+
+leads to interested results where not only the leading "." gets stripped
+from the displayed paths, but also anywhere in the string, displaying
+something like:
+
+ kvm_vcpu_check_block (arch/arm64/kvm/virt/kvm/kvm_mainc:2141)
+
+which doesn't help further processing.
+
+Fix it by only stripping the base path if it is a prefix of the path.
+
+Link: http://lkml.kernel.org/r/20181210174659.31054-3-marc.zyngier@arm.com
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ scripts/decode_stacktrace.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh
+index 64220e36ce3b..98a7d63a723e 100755
+--- a/scripts/decode_stacktrace.sh
++++ b/scripts/decode_stacktrace.sh
+@@ -78,7 +78,7 @@ parse_symbol() {
+ fi
+
+ # Strip out the base of the path
+- code=${code//$basepath/""}
++ code=${code//^$basepath/""}
+
+ # In the case of inlines, move everything to same line
+ code=${code//$'\n'/' '}
+--
+2.16.4
+
diff --git a/patches.suse/scripts-decode_stacktrace.sh-prefix-addr2line-with-C.patch b/patches.suse/scripts-decode_stacktrace.sh-prefix-addr2line-with-C.patch
new file mode 100644
index 0000000000..fe32b820e1
--- /dev/null
+++ b/patches.suse/scripts-decode_stacktrace.sh-prefix-addr2line-with-C.patch
@@ -0,0 +1,50 @@
+From c04e32e911653442fc834be6e92e072aeebe01a1 Mon Sep 17 00:00:00 2001
+From: Manuel Traut <manut@linutronix.de>
+Date: Thu, 13 Jun 2019 15:55:52 -0700
+Subject: [PATCH] scripts/decode_stacktrace.sh: prefix addr2line with $CROSS_COMPILE
+Git-commit: c04e32e911653442fc834be6e92e072aeebe01a1
+Patch-mainline: v5.2-rc5
+References: bsc#1051510
+
+At least for ARM64 kernels compiled with the crosstoolchain from
+Debian/stretch or with the toolchain from kernel.org the line number is
+not decoded correctly by 'decode_stacktrace.sh':
+
+ $ echo "[ 136.513051] f1+0x0/0xc [kcrash]" | \
+ CROSS_COMPILE=/opt/gcc-8.1.0-nolibc/aarch64-linux/bin/aarch64-linux- \
+ ./scripts/decode_stacktrace.sh /scratch/linux-arm64/vmlinux \
+ /scratch/linux-arm64 \
+ /nfs/debian/lib/modules/4.20.0-devel
+ [ 136.513051] f1 (/linux/drivers/staging/kcrash/kcrash.c:68) kcrash
+
+If addr2line from the toolchain is used the decoded line number is correct:
+
+ [ 136.513051] f1 (/linux/drivers/staging/kcrash/kcrash.c:57) kcrash
+
+Link: http://lkml.kernel.org/r/20190527083425.3763-1-manut@linutronix.de
+Signed-off-by: Manuel Traut <manut@linutronix.de>
+Acked-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ scripts/decode_stacktrace.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh
+index bcdd45df3f51..a7a36209a193 100755
+--- a/scripts/decode_stacktrace.sh
++++ b/scripts/decode_stacktrace.sh
+@@ -73,7 +73,7 @@ parse_symbol() {
+ if [[ "${cache[$module,$address]+isset}" == "isset" ]]; then
+ local code=${cache[$module,$address]}
+ else
+- local code=$(addr2line -i -e "$objfile" "$address")
++ local code=$(${CROSS_COMPILE}addr2line -i -e "$objfile" "$address")
+ cache[$module,$address]=$code
+ fi
+
+--
+2.16.4
+
diff --git a/patches.suse/scripts-gdb-fix-lx-version-string-output.patch b/patches.suse/scripts-gdb-fix-lx-version-string-output.patch
new file mode 100644
index 0000000000..a754371831
--- /dev/null
+++ b/patches.suse/scripts-gdb-fix-lx-version-string-output.patch
@@ -0,0 +1,58 @@
+From b058809bfc8faeb7b7cae047666e23375a060059 Mon Sep 17 00:00:00 2001
+From: Du Changbin <changbin.du@gmail.com>
+Date: Thu, 3 Jan 2019 15:28:27 -0800
+Subject: [PATCH] scripts/gdb: fix lx-version string output
+Git-commit: b058809bfc8faeb7b7cae047666e23375a060059
+Patch-mainline: v5.0-rc1
+References: bsc#1051510
+
+A bug is present in GDB which causes early string termination when
+parsing variables. This has been reported [0], but we should ensure
+that we can support at least basic printing of the core kernel strings.
+
+For current gdb version (has been tested with 7.3 and 8.1), 'lx-version'
+only prints one character.
+
+ (gdb) lx-version
+ L(gdb)
+
+This can be fixed by casting 'linux_banner' as (char *).
+
+ (gdb) lx-version
+ Linux version 4.19.0-rc1+ (changbin@acer) (gcc version 7.3.0 (Ubuntu 7.3.0-16ubuntu3)) #21 SMP Sat Sep 1 21:43:30 CST 2018
+
+[0] https://sourceware.org/bugzilla/show_bug.cgi?id=20077
+
+[kbingham@kernel.org: add detail to commit message]
+Link: http://lkml.kernel.org/r/20181111162035.8356-1-kieran.bingham@ideasonboard.com
+Fixes: 2d061d999424 ("scripts/gdb: add version command")
+Signed-off-by: Du Changbin <changbin.du@gmail.com>
+Signed-off-by: Kieran Bingham <kbingham@kernel.org>
+Acked-by: Jan Kiszka <jan.kiszka@siemens.com>
+Cc: Jan Kiszka <jan.kiszka@siemens.com>
+Cc: Jason Wessel <jason.wessel@windriver.com>
+Cc: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ scripts/gdb/linux/proc.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/gdb/linux/proc.py b/scripts/gdb/linux/proc.py
+index 086d27223c0c..0aebd7565b03 100644
+--- a/scripts/gdb/linux/proc.py
++++ b/scripts/gdb/linux/proc.py
+@@ -41,7 +41,7 @@ class LxVersion(gdb.Command):
+
+ def invoke(self, arg, from_tty):
+ # linux_banner should contain a newline
+- gdb.write(gdb.parse_and_eval("linux_banner").string())
++ gdb.write(gdb.parse_and_eval("(char *)linux_banner").string())
+
+ LxVersion()
+
+--
+2.16.4
+
diff --git a/patches.suse/supported-flag-wildcards b/patches.suse/supported-flag-wildcards
index 8006b16d91..778a20de64 100644
--- a/patches.suse/supported-flag-wildcards
+++ b/patches.suse/supported-flag-wildcards
@@ -3,6 +3,7 @@ From: Michal Marek <mmarek@suse.cz>
Date: Mon, 19 Sep 2011 16:31:49 +0200
Subject: [PATCH] modpost: Allow wildcards in the Module.supported file
Patch-mainline: Never, SLES feature
+References: none
Signed-off-by: Michal Marek <mmarek@suse.cz>
diff --git a/patches.suse/test_firmware-fix-a-memory-leak-bug.patch b/patches.suse/test_firmware-fix-a-memory-leak-bug.patch
new file mode 100644
index 0000000000..93cb35eb34
--- /dev/null
+++ b/patches.suse/test_firmware-fix-a-memory-leak-bug.patch
@@ -0,0 +1,48 @@
+From d4fddac5a51c378c5d3e68658816c37132611e1f Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Sun, 14 Jul 2019 01:11:35 -0500
+Subject: [PATCH] test_firmware: fix a memory leak bug
+Git-commit: d4fddac5a51c378c5d3e68658816c37132611e1f
+Patch-mainline: v5.3-rc2
+References: bsc#1051510
+
+In test_firmware_init(), the buffer pointed to by the global pointer
+'test_fw_config' is allocated through kzalloc(). Then, the buffer is
+initialized in __test_firmware_config_init(). In the case that the
+initialization fails, the following execution in test_firmware_init() needs
+to be terminated with an error code returned to indicate this failure.
+However, the allocated buffer is not freed on this execution path, leading
+to a memory leak bug.
+
+To fix the above issue, free the allocated buffer before returning from
+test_firmware_init().
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Link: https://lore.kernel.org/r/1563084696-6865-1-git-send-email-wang6495@umn.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ lib/test_firmware.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/test_firmware.c b/lib/test_firmware.c
+index 83ea6c4e623c..6ca97a63b3d6 100644
+--- a/lib/test_firmware.c
++++ b/lib/test_firmware.c
+@@ -886,8 +886,11 @@ static int __init test_firmware_init(void)
+ return -ENOMEM;
+
+ rc = __test_firmware_config_init();
+- if (rc)
++ if (rc) {
++ kfree(test_fw_config);
++ pr_err("could not init firmware test config: %d\n", rc);
+ return rc;
++ }
+
+ rc = misc_register(&test_fw_misc_device);
+ if (rc) {
+--
+2.16.4
+
diff --git a/patches.suse/usb-host-xhci-rcar-Fix-typo-in-compatible-string-mat.patch b/patches.suse/usb-host-xhci-rcar-Fix-typo-in-compatible-string-mat.patch
new file mode 100644
index 0000000000..d3964c43d5
--- /dev/null
+++ b/patches.suse/usb-host-xhci-rcar-Fix-typo-in-compatible-string-mat.patch
@@ -0,0 +1,40 @@
+From 636bd02a7ba9025ff851d0cfb92768c8fa865859 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 27 Aug 2019 14:51:12 +0200
+Subject: [PATCH] usb: host: xhci: rcar: Fix typo in compatible string matching
+Git-commit: 636bd02a7ba9025ff851d0cfb92768c8fa865859
+Patch-mainline: v5.3-rc7
+References: bsc#1051510
+
+It's spelled "renesas", not "renensas".
+
+Due to this typo, RZ/G1M and RZ/G1N were not covered by the check.
+
+Fixes: 2dc240a3308b ("usb: host: xhci: rcar: retire use of xhci_plat_type_is()")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://lore.kernel.org/r/20190827125112.12192-1-geert+renesas@glider.be
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/host/xhci-rcar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-rcar.c b/drivers/usb/host/xhci-rcar.c
+index 8616c52849c6..2b0ccd150209 100644
+--- a/drivers/usb/host/xhci-rcar.c
++++ b/drivers/usb/host/xhci-rcar.c
+@@ -104,7 +104,7 @@ static int xhci_rcar_is_gen2(struct device *dev)
+ return of_device_is_compatible(node, "renesas,xhci-r8a7790") ||
+ of_device_is_compatible(node, "renesas,xhci-r8a7791") ||
+ of_device_is_compatible(node, "renesas,xhci-r8a7793") ||
+- of_device_is_compatible(node, "renensas,rcar-gen2-xhci");
++ of_device_is_compatible(node, "renesas,rcar-gen2-xhci");
+ }
+
+ static int xhci_rcar_is_gen3(struct device *dev)
+--
+2.16.4
+
diff --git a/series.conf b/series.conf
index 5589a558d9..f5b091562d 100644
--- a/series.conf
+++ b/series.conf
@@ -10254,6 +10254,13 @@
patches.suse/0001-Btrfs-fix-assertion-failure-during-fsync-in-no-holes.patch
patches.suse/btrfs-incremental-send-fix-emission-of-invalid-clone-operations.patch
patches.suse/btrfs-preserve-i_mode-if-_btrfs_set_acl-fails.patch
+ patches.suse/btrfs-add-a-helper-to-retrive-extent-inline-ref-type.patch
+ patches.suse/btrfs-convert-to-use-btrfs_get_extent_inline_ref_type.patch
+ patches.suse/btrfs-remove-bug-in-btrfs_extent_inline_ref_size.patch
+ patches.suse/btrfs-remove-bug-in-print_extent_item.patch
+ patches.suse/btrfs-remove-bug-in-add_data_reference.patch
+ patches.suse/btrfs-remove-bug_on-in-_add_tree_block.patch
+ patches.suse/btrfs-add-one-more-sanity-check-for-shared-ref-type.patch
patches.suse/sunrpc-Const-ify-instances-of-struct-svc_xprt_ops.patch
patches.suse/svcrdma-Clean-up-svc_rdma_build_read_chunk.patch
patches.suse/svcrdma-Populate-tail-iovec-when-receiving.patch
@@ -28034,8 +28041,12 @@
patches.suse/0012-arm64-cpufeature-Relocate-PAN-emulation-report.patch
patches.suse/0013-arm64-cpufeature-Remove-redundant-feature-in-reports.patch
patches.suse/0001-scripts-kallsyms-filter-arm64-s-__efistub_-symbols.patch
+ patches.suse/arm64-module-don-t-BUG-when-exceeding-preallocated-P.patch
+ patches.suse/arm64-kernel-don-t-ban-ADRP-to-work-around-Cortex-A5.patch
patches.suse/0015-arm64-errata-add-REVIDR-handling-to-framework.patch
+ patches.suse/arm64-kernel-enable-A53-erratum-8434319-handling-at-.patch
patches.suse/ACPI-IORT-Remove-temporary-iort_get_id_mapping_index.patch
+ patches.suse/arm64-fix-undefined-reference-to-printk.patch
patches.suse/0018-arm64-Expose-Arm-v8.4-features.patch
patches.suse/0046-arm64-sve-Document-firmware-support-requirements-in-.patch
patches.suse/0001-arm64-capabilities-Update-prototype-for-enable-call-.patch
@@ -29100,6 +29111,7 @@
patches.suse/i2c-mv64xxx-Apply-errata-delay-only-in-standard-mode
patches.suse/0004-i2c-xlp9xx-Check-for-Bus-state-before-every-transfer.patch
patches.suse/0005-i2c-xlp9xx-Handle-NACK-on-DATA-properly.patch
+ patches.suse/i2c-qup-fixed-releasing-dma-without-flush-operation-.patch
patches.suse/0315-i2c-imx-use-clk-notifier-for-rate-changes.patch
patches.suse/0316-i2c-imx-avoid-taking-clk_prepare-mutex-in-PM-callbac.patch
patches.suse/0022-i2c-add-support-for-Socionext-SynQuacer-I2C-controll.patch
@@ -29871,6 +29883,7 @@
patches.suse/libceph-reschedule-a-tick-in-finish_hunting.patch
patches.suse/libceph-validate-con-state-at-the-top-of-try_write.patch
patches.suse/0025-arm64-add-sentinel-to-kpti_safe_list.patch
+ patches.suse/arm64-kernel-rename-module_emit_adrp_veneer-module_e.patch
patches.suse/KVM-arm-arm64-Close-VMID-generation-race.patch
patches.suse/powerpc-powernv-npu-Add-lock-to-prevent-race-in-conc.patch
patches.suse/powerpc-powernv-npu-Prevent-overwriting-of-pnv_npu2_.patch
@@ -33287,6 +33300,7 @@
patches.suse/wil6210-rate-limit-wil_rx_refill-error.patch
patches.suse/mwifiex-correct-histogram-data-with-appropriate-inde
patches.suse/brcmfmac-add-debugfs-entry-for-reading-firmware-capa.patch
+ patches.suse/rsi-add-fix-for-crash-during-assertions.patch
patches.suse/brcmfmac-move-ALLFFMAC-variable-in-flowring-module.patch
patches.suse/rtlwifi-support-accurate-nullfunc-frame-tx-ack-repor.patch
patches.suse/rtlwifi-remove-CONNECTION_MONITOR-flag.patch
@@ -37146,6 +37160,8 @@
patches.suse/msft-hv-1749-hv-netvsc-Fix-NULL-dereference-at-single-queue-mode-.patch
patches.suse/crypto-vmac-require-a-block-cipher-with-128-bit-bloc
patches.suse/crypto-vmac-separate-tfm-and-request-context
+ patches.suse/crypto-virtio-read-crypto-services-and-algorithm-masks
+ patches.suse/crypto-virtio-register-an-algo-only-if-it-s-supported
patches.suse/crypto-skcipher-Fix-Wstringop-truncation-warnings.patch
patches.suse/crypto-x86-sha256-mb-fix-digest-copy-in-sha256_mb_mg
patches.suse/crypto-ccp-Fix-command-completion-detection-race
@@ -40807,6 +40823,8 @@
patches.suse/pinctrl-qcom-spmi-mpp-Fix-drive-strength-setting.patch
patches.suse/pinctrl-at91-pio4-fix-has_config-check-in-atmel_pctl.patch
patches.suse/pinctrl-qcom-spmi-mpp-Fix-err-handling-of-pmic_mpp_s.patch
+ patches.suse/gpio-pxa-handle-corner-case-of-unprobed-device.patch
+ patches.suse/gpio-mxs-Get-rid-of-external-API-call.patch
patches.suse/gpio-davinci-remove-unused-member-of-davinci_gpio_controller.patch
patches.suse/leds-pwm-silently-error-out-on-EPROBE_DEFER.patch
patches.suse/ipmi-fix-return-value-of-ipmi_set_my_LUN.patch
@@ -44849,6 +44867,7 @@
patches.suse/0005-mmc-sdhci-of-esdhc-fix-spelling-mistake-upsupported-.patch
patches.suse/0006-mmc-sdhci-of-esdhc-Fix-timeout-checks.patch
patches.suse/mmc-sdhci-xenon-Fix-timeout-checks.patch
+ patches.suse/scripts-decode_stacktrace-only-strip-base-path-when-.patch
patches.suse/0001-mm-print-more-information-about-mapping-in-__dump_pa.patch
patches.suse/0002-mm-lower-the-printk-loglevel-for-__dump_page-message.patch
patches.suse/0003-mm-memory_hotplug-drop-pointless-block-alignment-che.patch
@@ -44972,6 +44991,7 @@
patches.suse/pinctrl-freescale-break-dependency-on-soc_imx8mq-for-i-mx8mq.patch
patches.suse/rtc-m41t80-Correct-alarm-month-range-with-RTC-reads.patch
patches.suse/0001-dt-bindings-rtc-sun6i-rtc-Fix-register-range-in-exam.patch
+ patches.suse/rtc-pcf8523-don-t-return-invalid-date-when-battery-i.patch
patches.suse/dmaengine-dw-dmac-implement-dma-protection-control-s.patch
patches.suse/dmaengine-xilinx_dma-Remove-__aligned-attribute-on-z.patch
patches.suse/revert-iommu-io-pgtable-arm-check-for-v7s-incapable-systems
@@ -45063,6 +45083,7 @@
patches.suse/ALSA-hda-realtek-Enable-the-headset-mic-auto-detecti.patch
patches.suse/ALSA-hda-tegra-clear-pending-irq-handlers.patch
patches.suse/proc-sysctl-fix-return-error-for-proc_doulongvec_min.patch
+ patches.suse/scripts-gdb-fix-lx-version-string-output.patch
patches.suse/mm-speed-up-mremap-by-20x-on-large-regions.patch
patches.suse/ARM-8808-1-kexec-offline-panic_smp_self_stop-CPU.patch
patches.suse/arm64-add-basic-kconfig-symbols-for-i-mx8.patch
@@ -45509,6 +45530,7 @@
patches.suse/serial-fix-race-between-flush_to_ldisc-and-tty_open.patch
patches.suse/iio-chemical-atlas-ph-sensor-correct-IIO_TEMP-values.patch
patches.suse/debugfs-fix-debugfs_rename-parameter-checking.patch
+ patches.suse/samples-mei-use-dev-mei0-instead-of-dev-mei.patch
patches.suse/0001-fpga-stratix10-soc-fix-wrong-of_node_put-in-init-fun.patch
patches.suse/ucc_geth-Reset-BQL-queue-when-stopping-device.patch
patches.suse/virtio_net-Don-t-enable-NAPI-when-interface-is-down.patch
@@ -46993,6 +47015,7 @@
patches.suse/nvmet-fix-building-bvec-from-sg-list.patch
patches.suse/kbuild-strip-whitespace-in-cmd_record_mcount-findstr.patch
patches.suse/kbuild-modversions-Fix-relative-CRC-byte-order-inter.patch
+ patches.suse/kconfig-mn-conf-handle-backspace-H-key.patch
patches.suse/ALSA-rawmidi-Fix-potential-Spectre-v1-vulnerability.patch
patches.suse/ALSA-seq-oss-Fix-Spectre-v1-vulnerability.patch
patches.suse/ALSA-hda-realtek-Enable-headset-MIC-of-Acer-Aspire-Z.patch
@@ -47060,6 +47083,7 @@
patches.suse/KVM-Reject-device-ioctls-from-processes-other-than-t.patch
patches.suse/kvm-svm-workaround-errata-1096-insn_len-maybe-zero-on-smap-violation
patches.suse/kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch
+ patches.suse/kvm-x86-move-msr_ia32_arch_capabilities-to-array-emulated_msrs
patches.suse/msft-hv-1857-x86-kvm-hyper-v-avoid-spurious-pending-stimer-on-vCP.patch
patches.suse/KVM-arm-arm64-vgic-its-Take-the-srcu-lock-when-writi.patch
patches.suse/KVM-arm-arm64-vgic-its-Take-the-srcu-lock-when-parsi.patch
@@ -48455,6 +48479,8 @@
patches.suse/ceph-fix-potential-use-after-free-in-ceph_mdsc_build_path.patch
patches.suse/ceph-print-inode-number-in-_caps_issued_mask-debugging-messages.patch
patches.suse/rbd-don-t-assert-on-writes-to-snapshots.patch
+ patches.suse/libceph-fix-unaligned-accesses-in-ceph_entity_addr-handling.patch
+ patches.suse/libceph-make-ceph_pr_addr-take-an-struct-ceph_entity_addr-pointer.patch
patches.suse/ceph-flush-dirty-inodes-before-proceeding-with-remount.patch
patches.suse/nvme-fc-use-separate-work-queue-to-avoid-warning.patch
patches.suse/nvme-multipath-avoid-crash-on-invalid-subsystem-cntl.patch
@@ -48649,6 +48675,7 @@
patches.suse/net-mvpp2-Use-strscpy-to-handle-stat-strings.patch
patches.suse/pktgen-do-not-sleep-with-the-thread-lock-held.patch
patches.suse/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch
+ patches.suse/scripts-checkstack.pl-Fix-arm64-wrong-or-unknown-arc.patch
patches.suse/hwmon-core-add-thermal-sensors-only-if-dev-of_node-i.patch
patches.suse/hwmon-pmbus-core-Treat-parameters-as-paged-if-on-mul.patch
patches.suse/drm-i915-icl-Add-WaDisableBankHangMode.patch
@@ -48689,6 +48716,7 @@
patches.suse/Revert-ALSA-hda-realtek-Improve-the-headset-mic-for-.patch
patches.suse/iommu-arm-smmu-avoid-constant-zero-in-tlbi-writes
patches.suse/mm-list_lru-c-fix-memory-leak-in-_memcg_init_list_lru_node.patch
+ patches.suse/scripts-decode_stacktrace.sh-prefix-addr2line-with-C.patch
patches.suse/mm-mlock-c-mlockall-error-for-flag-mcl_onfault.patch
patches.suse/fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch
patches.suse/mm-mlock-c-change-count_mm_mlocked_page_nr-return-type.patch
@@ -48736,8 +48764,10 @@
patches.suse/0001-mwifiex-Abort-at-too-short-BSS-descriptor-element.patch
patches.suse/iwlwifi-Fix-double-free-problems-in-iwl_req_fw_callb.patch
patches.suse/0001-mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch
+ patches.suse/samples-bpf-fix-to-change-the-buffer-size-for-read.patch
patches.suse/bpf-sockmap-fix-use-after-free-from-sleep-in-psock-b.patch
patches.suse/ipv6-flowlabel-fl6_sock_lookup-must-use-atomic_inc_n.patch
+ patches.suse/mpls-fix-warning-with-multi-label-encap.patch
patches.suse/can-flexcan-fix-timeout-when-set-small-bitrate.patch
patches.suse/can-mcp251x-add-support-for-mcp25625.patch
patches.suse/can-m_can-implement-errata-Needless-activation-of-MR.patch
@@ -48896,6 +48926,7 @@
patches.suse/x86-umwait-Add-sysfs-interface-to-control-umwait-C0..patch
patches.suse/x86-umwait-Add-sysfs-interface-to-control-umwait-max.patch
patches.suse/Documentation-ABI-Document-umwait-control-sysfs-inte.patch
+ patches.suse/0001-x86-ptrace-Fix-possible-spectre-v1-in-ptrace_get_deb.patch
patches.suse/proc-add-proc-pid-arch_status
patches.suse/x86-process-add-avx-512-usage-elapsed-time-to-proc-pid-arch_status
patches.suse/documentation-filesystems-proc-txt-add-arch_status-file
@@ -49391,7 +49422,36 @@
patches.suse/ALSA-hda-hdmi-Remove-duplicated-define.patch
patches.suse/ALSA-hda-hdmi-Fix-i915-reverse-port-pin-mapping.patch
patches.suse/ALSA-hda-Don-t-resume-forcibly-i915-HDMI-DP-codec.patch
+ patches.suse/ceph-silence-a-checker-warning-in-mdsc_show.patch
patches.suse/ceph-clean-up-ceph-dir-pin-vxattr-name-sizeof.patch
+ patches.suse/ceph-carry-snapshot-creation-time-with-inodes.patch
+ patches.suse/ceph-add-ceph-snap-btime-vxattr.patch
+ patches.suse/ceph-fix-listxattr-vxattr-buffer-length-calculation.patch
+ patches.suse/ceph-remove-unused-vxattr-length-helpers.patch
+ patches.suse/ceph-fix-ceph-dir-rctime-vxattr-value.patch
+ patches.suse/ceph-fix-improper-use-of-smp_mb__before_atomic.patch
+ patches.suse/ceph-hold-i_ceph_lock-when-removing-caps-for-freeing-inode.patch
+ patches.suse/ceph-fix-infinite-loop-in-get_quota_realm.patch
+ patches.suse/ceph-don-t-blindly-unregister-session-that-is-in-opening-state.patch
+ patches.suse/ceph-remove-request-from-waiting-list-before-unregister.patch
+ patches.suse/libceph-fix-sa_family-just-after-reading-address.patch
+ patches.suse/libceph-add-ceph_decode_entity_addr.patch
+ patches.suse/libceph-addr2-support-for-monmap.patch
+ patches.suse/libceph-switch-osdmap-decoding-to-use-ceph_decode_entity_addr.patch
+ patches.suse/libceph-fix-watch_item_t-decoding-to-use-ceph_decode_entity_addr.patch
+ patches.suse/libceph-correctly-decode-addr2-addresses-in-incremental-osd-maps.patch
+ patches.suse/ceph-have-mds-map-decoding-use-entity_addr_t-decoder.patch
+ patches.suse/ceph-fix-decode_locker-to-use-ceph_decode_entity_addr.patch
+ patches.suse/libceph-use-type_legacy-for-entity-addrs-instead-of-type_none.patch
+ patches.suse/libceph-rename-ceph_encode_addr-to-ceph_encode_banner_addr.patch
+ patches.suse/ceph-add-btime-field-to-ceph_inode_info.patch
+ patches.suse/ceph-handle-btime-in-cap-messages.patch
+ patches.suse/libceph-turn-on-ceph_feature_msg_addr2.patch
+ patches.suse/iversion-add-a-routine-to-update-a-raw-value-with-a-larger-one.patch
+ patches.suse/ceph-add-change_attr-field-to-ceph_inode_info.patch
+ patches.suse/ceph-handle-change_attr-in-cap-messages.patch
+ patches.suse/ceph-increment-change_attribute-on-local-changes.patch
+ patches.suse/ceph-initialize-superblock-s_time_gran-to-1.patch
patches.suse/cifs-Use-kmemdup-in-SMB2_ioctl_init-.patch
patches.suse/fs-cifs-Drop-unlikely-before-IS_ERR-_OR_NULL-.patch
patches.suse/SMB3-Add-SMB3-1-1-GCM-to-negotiated-crypto-algorigthms.patch
@@ -49510,6 +49570,7 @@
patches.suse/usb-pci-quirks-Correct-AMD-PLL-quirk-detection.patch
patches.suse/usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch
patches.suse/hpet-Fix-division-by-zero-in-hpet_time_div.patch
+ patches.suse/test_firmware-fix-a-memory-leak-bug.patch
patches.suse/tracing-fix-header-include-guards-in-trace-event-headers.patch
patches.suse/hci_uart-check-for-missing-tty-operations.patch
patches.suse/0012-gpiolib-fix-incorrect-IRQ-requesting-of-an-active-lo.patch
@@ -49542,11 +49603,13 @@
patches.suse/coredump-split-pipe-command-whitespace-before-expand.patch
patches.suse/mm-migrate-c-initialize-pud_entry-in-migrate_vma.patch
patches.suse/powerpc-nvdimm-Pick-nearby-online-node-if-the-device.patch
+ patches.suse/HID-Add-044f-b320-ThrustMaster-Inc.-2-in-1-DT.patch
patches.suse/0013-HID-wacom-fix-bit-shift-for-Cintiq-Companion-2.patch
patches.suse/HID-holtek-test-for-sanity-of-intfdata.patch
patches.suse/HID-Add-quirk-for-HP-X1200-PIXART-OEM-mouse.patch
patches.suse/hid-input-fix-a4tech-horizontal-wheel-custom-usage.patch
patches.suse/HID-hiddev-avoid-opening-a-disconnected-device.patch
+ patches.suse/HID-hiddev-do-cleanup-in-failure-of-opening-a-device.patch
patches.suse/HID-sony-Fix-race-condition-between-rumble-and-devic.patch
patches.suse/bonding-Force-slave-speed-check-after-link-state-rec.patch
patches.suse/net-mvpp2-Don-t-check-for-3-consecutive-Idle-frames-.patch
@@ -49563,15 +49626,19 @@
patches.suse/bpf-sockmap-synchronize_rcu-before-free-ing-map.patch
patches.suse/bpf-sockmap-only-create-entry-if-ulp-is-not-already-.patch
patches.suse/net-mlx5-Fix-modify_cq_in-alignment.patch
+ patches.suse/isdn-mISDN-hfcsusb-Fix-possible-null-pointer-derefer.patch
patches.suse/net-phylink-Fix-flow-control-for-fixed-link.patch
patches.suse/compat_ioctl-pppoe-fix-PPPOEIOCSFWD-handling.patch
patches.suse/mlxsw-spectrum-Fix-error-path-in-mlxsw_sp_module_ini.patch
patches.suse/nl-mac-80211-fix-interface-combinations-on-crypto-co.patch
patches.suse/mac80211-don-t-WARN-on-short-WMM-parameters-from-AP.patch
patches.suse/mac80211_hwsim-Fix-possible-null-pointer-dereference.patch
+ patches.suse/isdn-hfcsusb-Fix-mISDN-driver-crash-caused-by-transf.patch
patches.suse/net-usb-pegasus-fix-improper-read-if-get_registers-f.patch
patches.suse/net-mlx5e-always-initialize-frag-last_in_page.patch
patches.suse/net-fix-bpf_xdp_adjust_head-regression-for-generic-X.patch
+ patches.suse/can-sja1000-force-the-string-buffer-NULL-terminated.patch
+ patches.suse/can-peak_usb-force-the-string-buffer-NULL-terminated.patch
patches.suse/0005-can-peak_usb-pcan_usb_fd-Fix-info-leaks-to-USB-devic.patch
patches.suse/0006-can-peak_usb-pcan_usb_pro-Fix-info-leaks-to-USB-devi.patch
patches.suse/mwifiex-fix-802.11n-WPA-detection.patch
@@ -49598,6 +49665,8 @@
patches.suse/ALSA-firewire-fix-a-memory-leak-bug.patch
patches.suse/mmc-cavium-Set-the-correct-dma-max-segment-size-for-.patch
patches.suse/mmc-cavium-Add-the-missing-dma-unmap-when-the-dma-ha.patch
+ patches.suse/libata-have-ata_scsi_rw_xlat-fail-invalid-passthroug.patch
+ patches.suse/libata-add-SG-safety-checks-in-SFF-pio-transfers.patch
patches.suse/loop-set-PF_MEMALLOC_NOIO-for-the-worker-thread.patch
patches.suse/bcache-Revert-bcache-use-sysfs_match_string-instead-.patch
patches.suse/drm-vmwgfx-fix-memory-leak-when-too-many-retries-hav.patch
@@ -49652,6 +49721,13 @@
patches.suse/drm-mediatek-use-correct-device-to-import-PRIME-buff.patch
patches.suse/drm-mediatek-mtk_drm_drv.c-Add-of_node_put-before-go.patch
patches.suse/drm-i915-Fix-HW-readout-for-crtc_clock-in-HDMI-mode.patch
+ patches.suse/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph_buffer.patch
+ patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_setxattr.patch
+ patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_build_xattrs_blob.patch
+ patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-fill_inode.patch
+ patches.suse/ceph-clear-page-dirty-before-invalidate-page.patch
+ patches.suse/ceph-don-t-try-fill-file_lock-on-unsuccessful-getfilelock-reply.patch
+ patches.suse/libceph-fix-pg-split-vs-osd-reconnect-race.patch
patches.suse/vfs-fix-page-locking-deadlocks-when-deduping-files.patch
patches.suse/fs-xfs-Fix-return-code-of-xfs_break_leased_layouts.patch
patches.suse/Revert-dm-bufio-fix-deadlock-with-loop-device.patch
@@ -49665,11 +49741,14 @@
patches.suse/dm-btree-fix-order-of-block-initialization-in-btree_.patch
patches.suse/dm-space-map-metadata-fix-missing-store-of-apply_bop.patch
patches.suse/dm-table-fix-invalid-memory-accesses-with-too-high-s.patch
+ patches.suse/drm-nouveau-Don-t-retry-infinitely-when-receiving-no.patch
patches.suse/xfs-fix-missing-ILOCK-unlock-when-xfs_setattr_nonsiz.patch
patches.suse/scsi-ufs-fix-null-pointer-dereference-in-ufshcd_config_vreg_hpm
patches.suse/gpiolib-never-report-open-drain-source-lines-as-inpu.patch
patches.suse/gpio-Fix-build-error-of-function-redefinition.patch
patches.suse/mm-page_owner-handle-thp-splits-correctly.patch
+ patches.suse/mac80211-fix-possible-sta-leak.patch
+ patches.suse/batman-adv-fix-uninit-value-in-batadv_netlink_get_if.patch
patches.suse/ALSA-hda-Fixes-inverted-Conexant-GPIO-mic-mute-led.patch
patches.suse/ALSA-usb-audio-Add-implicit-fb-quirk-for-Behringer-U.patch
patches.suse/ALSA-hda-ca0132-Add-new-SBZ-quirk.patch
@@ -49677,8 +49756,19 @@
patches.suse/ALSA-line6-Fix-memory-leak-at-line6_init_pcm-error-p.patch
patches.suse/ALSA-usb-audio-Check-mixer-unit-bitmap-yet-more-stri.patch
patches.suse/ALSA-seq-Fix-potential-concurrent-access-to-the-dele.patch
+ patches.suse/mmc-sdhci-of-at91-add-quirk-for-broken-HS200.patch
patches.suse/crypto-ccp-Ignore-unconfigured-CCP-device-on-suspend.patch
patches.suse/kvm-x86-don-t-update-rip-or-do-single-step-on-faulting-emulation
+ patches.suse/ftrace-fix-null-pointer-dereference-in-t_probe_next.patch
+ patches.suse/ftrace-check-for-empty-hash-and-comment-the-race-with-registering-probes.patch
+ patches.suse/ftrace-check-for-successful-allocation-of-hash.patch
+ patches.suse/mac80211-Don-t-memset-RXCB-prior-to-PAE-intercept.patch
+ patches.suse/mac80211-Correctly-set-noencrypt-for-PAE-frames.patch
+ patches.suse/batman-adv-Only-read-OGM-tvlv_len-after-buffer-len-c.patch
+ patches.suse/batman-adv-Only-read-OGM2-tvlv_len-after-buffer-len-.patch
+ patches.suse/usb-host-xhci-rcar-Fix-typo-in-compatible-string-mat.patch
+ patches.suse/USB-cdc-wdm-fix-race-between-write-and-disconnect-du.patch
+ patches.suse/VMCI-Release-resource-if-the-work-is-already-queued.patch
# jejb/scsi for-next
patches.suse/scsi-cxlflash-Mark-expected-switch-fall-throughs.patch
@@ -49726,6 +49816,9 @@
patches.suse/scsi-lpfc-Update-lpfc-version-to-12.4.0.0.patch
# powerpc/linux next
+ patches.suse/powerpc-xmon-Check-for-HV-mode-when-dumping-XIVE-inf.patch
+ patches.suse/powerpc-xive-Fix-dump-of-XIVE-interrupt-under-pserie.patch
+ patches.suse/powerpc-xmon-Add-a-dump-of-all-XIVE-interrupts.patch
patches.suse/powerpc-rtas-use-device-model-APIs-and-serialization.patch
patches.suse/powerpc-64s-support-nospectre_v2-cmdline-option.patch
@@ -49778,6 +49871,7 @@
patches.suse/0001-x86-speculation-Prepare-entry-code-for-Spectre-v1-sw.patch
patches.suse/0002-x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch
patches.suse/x86-speculation-swapgs-exclude-ATOMs-from-speculating-through-SWAPGS.patch
+ patches.suse/powerpc-fadump-when-fadump-is-supported-register-the.patch
########################################################
# end of sorted patches