Home Home > GIT Browse > SLE12-SP5-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDenis Kirjanov <dkirjanov@suse.com>2019-09-05 13:56:06 +0300
committerDenis Kirjanov <dkirjanov@suse.com>2019-09-05 13:56:06 +0300
commit333892614d7d3a108130dfa6d1b966cefe549bbe (patch)
tree6b6cc53f3ca35b36bdaea020d1b75a59ad36227f
parente911bb80231b1d911e039080a1a3d109530d1c23 (diff)
parent6adcc08ca48fdfcb59379615227085a760d412e6 (diff)
Merge remote-tracking branch 'origin/SLE12-SP4' into SLE12-SP5
Conflicts: patches.suse/drm-amdgpu-psp-move-psp-version-specific-function-po.patch patches.suse/drm-etnaviv-add-missing-failure-path-to-destroy-suba.patch patches.suse/drm-i915-Fix-wrong-escape-clock-divisor-init-for-GLK.patch patches.suse/drm-i915-perf-ensure-we-keep-a-reference-on-the-driv.patch patches.suse/drm-imx-notify-drm-core-before-sending-event-during-.patch patches.suse/drm-imx-only-send-event-on-crtc-disable-if-kept-disa.patch patches.suse/drm-mediatek-call-drm_atomic_helper_shutdown-when-un.patch patches.suse/drm-mediatek-call-mtk_dsi_stop-after-mtk_drm_crtc_at.patch patches.suse/drm-mediatek-clear-num_pipes-when-unbind-driver.patch patches.suse/drm-mediatek-fix-unbind-functions.patch patches.suse/drm-mediatek-mtk_drm_drv.c-Add-of_node_put-before-go.patch patches.suse/drm-mediatek-unbind-components-in-mtk_drm_unbind.patch patches.suse/drm-mediatek-use-correct-device-to-import-PRIME-buff.patch patches.suse/drm-msm-mdp5-Fix-mdp5_cfg_init-error-return.patch patches.suse/drm-rockchip-Suspend-DP-late.patch patches.suse/drm-udl-introduce-a-macro-to-convert-dev-to-udl.patch patches.suse/drm-udl-move-to-embedding-drm-device-inside-udl-devi.patch patches.suse/drm-vmwgfx-Use-the-backdoor-port-if-the-HB-port-is-n.patch patches.suse/drm-vmwgfx-fix-a-warning-due-to-missing-dma_parms.patch patches.suse/gpu-ipu-v3-ipu-ic-Fix-saturation-bit-offset-in-TPMEM.patch series.conf
-rw-r--r--blacklist.conf1
-rw-r--r--patches.suse/0001-x86-ptrace-Fix-possible-spectre-v1-in-ptrace_get_deb.patch50
-rw-r--r--patches.suse/HID-Add-044f-b320-ThrustMaster-Inc.-2-in-1-DT.patch67
-rw-r--r--patches.suse/HID-hiddev-do-cleanup-in-failure-of-opening-a-device.patch33
-rw-r--r--patches.suse/USB-cdc-wdm-fix-race-between-write-and-disconnect-du.patch69
-rw-r--r--patches.suse/VMCI-Release-resource-if-the-work-is-already-queued.patch96
-rw-r--r--patches.suse/batman-adv-Only-read-OGM-tvlv_len-after-buffer-len-c.patch80
-rw-r--r--patches.suse/batman-adv-Only-read-OGM2-tvlv_len-after-buffer-len-.patch68
-rw-r--r--patches.suse/batman-adv-fix-uninit-value-in-batadv_netlink_get_if.patch69
-rw-r--r--patches.suse/can-peak_usb-force-the-string-buffer-NULL-terminated.patch40
-rw-r--r--patches.suse/can-sja1000-force-the-string-buffer-NULL-terminated.patch40
-rw-r--r--patches.suse/drm-nouveau-Don-t-retry-infinitely-when-receiving-no.patch107
-rw-r--r--patches.suse/gpio-mxs-Get-rid-of-external-API-call.patch52
-rw-r--r--patches.suse/gpio-pxa-handle-corner-case-of-unprobed-device.patch55
-rw-r--r--patches.suse/i2c-qup-fixed-releasing-dma-without-flush-operation-.patch53
-rw-r--r--patches.suse/isdn-hfcsusb-Fix-mISDN-driver-crash-caused-by-transf.patch87
-rw-r--r--patches.suse/isdn-mISDN-hfcsusb-Fix-possible-null-pointer-derefer.patch50
-rw-r--r--patches.suse/kconfig-mn-conf-handle-backspace-H-key.patch67
-rw-r--r--patches.suse/libata-add-SG-safety-checks-in-SFF-pio-transfers.patch48
-rw-r--r--patches.suse/libata-have-ata_scsi_rw_xlat-fail-invalid-passthroug.patch84
-rw-r--r--patches.suse/mac80211-fix-possible-sta-leak.patch51
-rw-r--r--patches.suse/mmc-sdhci-of-at91-add-quirk-for-broken-HS200.patch41
-rw-r--r--patches.suse/mpls-fix-warning-with-multi-label-encap.patch45
-rw-r--r--patches.suse/rtc-pcf8523-don-t-return-invalid-date-when-battery-i.patch87
-rw-r--r--patches.suse/samples-bpf-fix-to-change-the-buffer-size-for-read.patch45
-rw-r--r--patches.suse/samples-mei-use-dev-mei0-instead-of-dev-mei.patch36
-rw-r--r--patches.suse/scripts-checkstack.pl-Fix-arm64-wrong-or-unknown-arc.patch39
-rw-r--r--patches.suse/scripts-decode_stacktrace-only-strip-base-path-when-.patch49
-rw-r--r--patches.suse/scripts-decode_stacktrace.sh-prefix-addr2line-with-C.patch50
-rw-r--r--patches.suse/scripts-gdb-fix-lx-version-string-output.patch58
-rw-r--r--patches.suse/supported-flag-wildcards1
-rw-r--r--patches.suse/test_firmware-fix-a-memory-leak-bug.patch48
-rw-r--r--patches.suse/usb-host-xhci-rcar-Fix-typo-in-compatible-string-mat.patch40
-rw-r--r--series.conf31
34 files changed, 1837 insertions, 0 deletions
diff --git a/blacklist.conf b/blacklist.conf
index 43b201770b..f6f067fe40 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1322,3 +1322,4 @@ e71769ae52609ea0044a9901709042e5634c2306 # major dependencies needed, bsc#114819
136ac591f047fc356072343eb85687f7c6ea191d # trivial
951531691c4bcaa59f56a316e018bc2ff1ddf855 # no CONFIG_HARDENED_USERCOPY
2c012a4ad1a2cd3fb5a0f9307b9d219f84eda1fa # hack, risk of regression, see bsc#1149215 comment 2
+7d3cd66261665da491d0ee582beabe23df60f983 # not applicable in v4.12: drm/i915: Fix various tracepoints for gen2
diff --git a/patches.suse/0001-x86-ptrace-Fix-possible-spectre-v1-in-ptrace_get_deb.patch b/patches.suse/0001-x86-ptrace-Fix-possible-spectre-v1-in-ptrace_get_deb.patch
new file mode 100644
index 0000000000..ddea858cd5
--- /dev/null
+++ b/patches.suse/0001-x86-ptrace-Fix-possible-spectre-v1-in-ptrace_get_deb.patch
@@ -0,0 +1,50 @@
+From 31a2fbb390fee4231281b939e1979e810f945415 Mon Sep 17 00:00:00 2001
+From: Dianzhang Chen <dianzhangchen0@gmail.com>
+Date: Tue, 25 Jun 2019 23:30:17 +0800
+Subject: [PATCH] x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()
+Git-commit: 31a2fbb390fee4231281b939e1979e810f945415
+Patch-mainline: v5.3-rc1
+References: bnc#1149376, CVE-2019-15902
+
+The index to access the threads ptrace_bps is controlled by userspace via
+Syscall: sys_ptrace(), hence leading to a potential exploitation of the
+Spectre variant 1 vulnerability.
+
+The index can be controlled from:
+ ptrace -> arch_ptrace -> ptrace_get_debugreg.
+
+Fix this by sanitizing the user supplied index before using it access
+thread->ptrace_bps.
+
+Signed-off-by: Dianzhang Chen <dianzhangchen0@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: bp@alien8.de
+Cc: hpa@zytor.com
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1561476617-3759-1-git-send-email-dianzhangchen0@gmail.com
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+
+---
+ arch/x86/kernel/ptrace.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/ptrace.c
++++ b/arch/x86/kernel/ptrace.c
+@@ -24,6 +24,7 @@
+ #include <linux/rcupdate.h>
+ #include <linux/export.h>
+ #include <linux/context_tracking.h>
++#include <linux/nospec.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/pgtable.h>
+@@ -653,7 +654,8 @@ static unsigned long ptrace_get_debugreg
+ unsigned long val = 0;
+
+ if (n < HBP_NUM) {
+- struct perf_event *bp = thread->ptrace_bps[n];
++ int index = array_index_nospec(n, HBP_NUM);
++ struct perf_event *bp = thread->ptrace_bps[index];
+
+ if (bp)
+ val = bp->hw.info.address;
diff --git a/patches.suse/HID-Add-044f-b320-ThrustMaster-Inc.-2-in-1-DT.patch b/patches.suse/HID-Add-044f-b320-ThrustMaster-Inc.-2-in-1-DT.patch
new file mode 100644
index 0000000000..677d154b4d
--- /dev/null
+++ b/patches.suse/HID-Add-044f-b320-ThrustMaster-Inc.-2-in-1-DT.patch
@@ -0,0 +1,67 @@
+From 65f11c72780fa9d598df88def045ccb6a885cf80 Mon Sep 17 00:00:00 2001
+From: Ilya Trukhanov <lahvuun@gmail.com>
+Date: Tue, 2 Jul 2019 13:37:16 +0300
+Subject: [PATCH] HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT
+Git-commit: 65f11c72780fa9d598df88def045ccb6a885cf80
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+Enable force feedback for the Thrustmaster Dual Trigger 2 in 1 Rumble Force
+gamepad. Compared to other Thrustmaster devices, left and right rumble
+motors here are swapped.
+
+Signed-off-by: Ilya Trukhanov <lahvuun@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hid/hid-tmff.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/hid/hid-tmff.c b/drivers/hid/hid-tmff.c
+index e12f2588ddeb..bdfc5ff3b2c5 100644
+--- a/drivers/hid/hid-tmff.c
++++ b/drivers/hid/hid-tmff.c
+@@ -22,6 +22,8 @@
+
+ #include "hid-ids.h"
+
++#define THRUSTMASTER_DEVICE_ID_2_IN_1_DT 0xb320
++
+ static const signed short ff_rumble[] = {
+ FF_RUMBLE,
+ -1
+@@ -76,6 +78,7 @@ static int tmff_play(struct input_dev *dev, void *data,
+ struct hid_field *ff_field = tmff->ff_field;
+ int x, y;
+ int left, right; /* Rumbling */
++ int motor_swap;
+
+ switch (effect->type) {
+ case FF_CONSTANT:
+@@ -100,6 +103,13 @@ static int tmff_play(struct input_dev *dev, void *data,
+ ff_field->logical_minimum,
+ ff_field->logical_maximum);
+
++ /* 2-in-1 strong motor is left */
++ if (hid->product == THRUSTMASTER_DEVICE_ID_2_IN_1_DT) {
++ motor_swap = left;
++ left = right;
++ right = motor_swap;
++ }
++
+ dbg_hid("(left,right)=(%08x, %08x)\n", left, right);
+ ff_field->value[0] = left;
+ ff_field->value[1] = right;
+@@ -226,6 +236,8 @@ static const struct hid_device_id tm_devices[] = {
+ .driver_data = (unsigned long)ff_rumble },
+ { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb304), /* FireStorm Dual Power 2 (and 3) */
+ .driver_data = (unsigned long)ff_rumble },
++ { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, THRUSTMASTER_DEVICE_ID_2_IN_1_DT), /* Dual Trigger 2-in-1 */
++ .driver_data = (unsigned long)ff_rumble },
+ { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb323), /* Dual Trigger 3-in-1 (PC Mode) */
+ .driver_data = (unsigned long)ff_rumble },
+ { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb324), /* Dual Trigger 3-in-1 (PS3 Mode) */
+--
+2.16.4
+
diff --git a/patches.suse/HID-hiddev-do-cleanup-in-failure-of-opening-a-device.patch b/patches.suse/HID-hiddev-do-cleanup-in-failure-of-opening-a-device.patch
new file mode 100644
index 0000000000..21f42b8721
--- /dev/null
+++ b/patches.suse/HID-hiddev-do-cleanup-in-failure-of-opening-a-device.patch
@@ -0,0 +1,33 @@
+From 6d4472d7bec39917b54e4e80245784ea5d60ce49 Mon Sep 17 00:00:00 2001
+From: Hillf Danton <hdanton@sina.com>
+Date: Tue, 6 Aug 2019 16:40:15 +0800
+Subject: [PATCH] HID: hiddev: do cleanup in failure of opening a device
+Git-commit: 6d4472d7bec39917b54e4e80245784ea5d60ce49
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+Undo what we did for opening before releasing the memory slice.
+
+Reported-by: syzbot <syzbot+62a1e04fd3ec2abf099e@syzkaller.appspotmail.com>
+Cc: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Hillf Danton <hdanton@sina.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hid/usbhid/hiddev.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/hid/usbhid/hiddev.c
++++ b/drivers/hid/usbhid/hiddev.c
+@@ -321,6 +321,10 @@ static int hiddev_open(struct inode *ino
+ return 0;
+ bail_unlock:
+ mutex_unlock(&hiddev->existancelock);
++
++ spin_lock_irq(&list->hiddev->list_lock);
++ list_del(&list->node);
++ spin_unlock_irq(&list->hiddev->list_lock);
+ bail:
+ file->private_data = NULL;
+ vfree(list);
diff --git a/patches.suse/USB-cdc-wdm-fix-race-between-write-and-disconnect-du.patch b/patches.suse/USB-cdc-wdm-fix-race-between-write-and-disconnect-du.patch
new file mode 100644
index 0000000000..bcef7aa7f7
--- /dev/null
+++ b/patches.suse/USB-cdc-wdm-fix-race-between-write-and-disconnect-du.patch
@@ -0,0 +1,69 @@
+From 1426bd2c9f7e3126e2678e7469dca9fd9fc6dd3e Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 27 Aug 2019 12:34:36 +0200
+Subject: [PATCH] USB: cdc-wdm: fix race between write and disconnect due to flag abuse
+Git-commit: 1426bd2c9f7e3126e2678e7469dca9fd9fc6dd3e
+Patch-mainline: v5.3-rc7
+References: bsc#1051510
+
+In case of a disconnect an ongoing flush() has to be made fail.
+Nevertheless we cannot be sure that any pending URB has already
+finished, so although they will never succeed, they still must
+not be touched.
+The clean solution for this is to check for WDM_IN_USE
+and WDM_DISCONNECTED in flush(). There is no point in ever
+clearing WDM_IN_USE, as no further writes make sense.
+
+The issue is as old as the driver.
+
+Fixes: afba937e540c9 ("USB: CDC WDM driver")
+Reported-by: syzbot+d232cca6ec42c2edb3fc@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190827103436.21143-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/class/cdc-wdm.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
+index a7824a51f86d..70afb2ca1eab 100644
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -587,10 +587,20 @@ static int wdm_flush(struct file *file, fl_owner_t id)
+ {
+ struct wdm_device *desc = file->private_data;
+
+- wait_event(desc->wait, !test_bit(WDM_IN_USE, &desc->flags));
++ wait_event(desc->wait,
++ /*
++ * needs both flags. We cannot do with one
++ * because resetting it would cause a race
++ * with write() yet we need to signal
++ * a disconnect
++ */
++ !test_bit(WDM_IN_USE, &desc->flags) ||
++ test_bit(WDM_DISCONNECTING, &desc->flags));
+
+ /* cannot dereference desc->intf if WDM_DISCONNECTING */
+- if (desc->werr < 0 && !test_bit(WDM_DISCONNECTING, &desc->flags))
++ if (test_bit(WDM_DISCONNECTING, &desc->flags))
++ return -ENODEV;
++ if (desc->werr < 0)
+ dev_err(&desc->intf->dev, "Error in flush path: %d\n",
+ desc->werr);
+
+@@ -974,8 +984,6 @@ static void wdm_disconnect(struct usb_interface *intf)
+ spin_lock_irqsave(&desc->iuspin, flags);
+ set_bit(WDM_DISCONNECTING, &desc->flags);
+ set_bit(WDM_READ, &desc->flags);
+- /* to terminate pending flushes */
+- clear_bit(WDM_IN_USE, &desc->flags);
+ spin_unlock_irqrestore(&desc->iuspin, flags);
+ wake_up_all(&desc->wait);
+ mutex_lock(&desc->rlock);
+--
+2.16.4
+
diff --git a/patches.suse/VMCI-Release-resource-if-the-work-is-already-queued.patch b/patches.suse/VMCI-Release-resource-if-the-work-is-already-queued.patch
new file mode 100644
index 0000000000..f35707af7e
--- /dev/null
+++ b/patches.suse/VMCI-Release-resource-if-the-work-is-already-queued.patch
@@ -0,0 +1,96 @@
+From ba03a9bbd17b149c373c0ea44017f35fc2cd0f28 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@vmware.com>
+Date: Tue, 20 Aug 2019 13:26:38 -0700
+Subject: [PATCH] VMCI: Release resource if the work is already queued
+Git-commit: ba03a9bbd17b149c373c0ea44017f35fc2cd0f28
+Patch-mainline: v5.3-rc7
+References: bsc#1051510
+
+Francois reported that VMware balloon gets stuck after a balloon reset,
+when the VMCI doorbell is removed. A similar error can occur when the
+balloon driver is removed with the following splat:
+
+[ 1088.622000] INFO: task modprobe:3565 blocked for more than 120 seconds.
+[ 1088.622035] Tainted: G W 5.2.0 #4
+[ 1088.622087] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+[ 1088.622205] modprobe D 0 3565 1450 0x00000000
+[ 1088.622210] Call Trace:
+[ 1088.622246] __schedule+0x2a8/0x690
+[ 1088.622248] schedule+0x2d/0x90
+[ 1088.622250] schedule_timeout+0x1d3/0x2f0
+[ 1088.622252] wait_for_completion+0xba/0x140
+[ 1088.622320] ? wake_up_q+0x80/0x80
+[ 1088.622370] vmci_resource_remove+0xb9/0xc0 [vmw_vmci]
+[ 1088.622373] vmci_doorbell_destroy+0x9e/0xd0 [vmw_vmci]
+[ 1088.622379] vmballoon_vmci_cleanup+0x6e/0xf0 [vmw_balloon]
+[ 1088.622381] vmballoon_exit+0x18/0xcc8 [vmw_balloon]
+[ 1088.622394] __x64_sys_delete_module+0x146/0x280
+[ 1088.622408] do_syscall_64+0x5a/0x130
+[ 1088.622410] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 1088.622415] RIP: 0033:0x7f54f62791b7
+[ 1088.622421] Code: Bad RIP value.
+[ 1088.622421] RSP: 002b:00007fff2a949008 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
+[ 1088.622426] RAX: ffffffffffffffda RBX: 000055dff8b55d00 RCX: 00007f54f62791b7
+[ 1088.622426] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055dff8b55d68
+[ 1088.622427] RBP: 000055dff8b55d00 R08: 00007fff2a947fb1 R09: 0000000000000000
+[ 1088.622427] R10: 00007f54f62f5cc0 R11: 0000000000000206 R12: 000055dff8b55d68
+[ 1088.622428] R13: 0000000000000001 R14: 000055dff8b55d68 R15: 00007fff2a94a3f0
+
+The cause for the bug is that when the "delayed" doorbell is invoked, it
+takes a reference on the doorbell entry and schedules work that is
+supposed to run the appropriate code and drop the doorbell entry
+reference. The code ignores the fact that if the work is already queued,
+it will not be scheduled to run one more time. As a result one of the
+references would not be dropped. When the code waits for the reference
+to get to zero, during balloon reset or module removal, it gets stuck.
+
+Fix it. Drop the reference if schedule_work() indicates that the work is
+already queued.
+
+Note that this bug got more apparent (or apparent at all) due to
+commit ce664331b248 ("vmw_balloon: VMCI_DOORBELL_SET does not check status").
+
+Fixes: 83e2ec765be03 ("VMCI: doorbell implementation.")
+Reported-by: Francois Rigault <rigault.francois@gmail.com>
+Cc: Jorgen Hansen <jhansen@vmware.com>
+Cc: Adit Ranadive <aditr@vmware.com>
+Cc: Alexios Zavras <alexios.zavras@intel.com>
+Cc: Vishnu DASA <vdasa@vmware.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Reviewed-by: Vishnu Dasa <vdasa@vmware.com>
+Link: https://lore.kernel.org/r/20190820202638.49003-1-namit@vmware.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/misc/vmw_vmci/vmci_doorbell.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/misc/vmw_vmci/vmci_doorbell.c b/drivers/misc/vmw_vmci/vmci_doorbell.c
+index bad89b6e0802..345addd9306d 100644
+--- a/drivers/misc/vmw_vmci/vmci_doorbell.c
++++ b/drivers/misc/vmw_vmci/vmci_doorbell.c
+@@ -310,7 +310,8 @@ int vmci_dbell_host_context_notify(u32 src_cid, struct vmci_handle handle)
+
+ entry = container_of(resource, struct dbell_entry, resource);
+ if (entry->run_delayed) {
+- schedule_work(&entry->work);
++ if (!schedule_work(&entry->work))
++ vmci_resource_put(resource);
+ } else {
+ entry->notify_cb(entry->client_data);
+ vmci_resource_put(resource);
+@@ -361,7 +362,8 @@ static void dbell_fire_entries(u32 notify_idx)
+ atomic_read(&dbell->active) == 1) {
+ if (dbell->run_delayed) {
+ vmci_resource_get(&dbell->resource);
+- schedule_work(&dbell->work);
++ if (!schedule_work(&dbell->work))
++ vmci_resource_put(&dbell->resource);
+ } else {
+ dbell->notify_cb(dbell->client_data);
+ }
+--
+2.16.4
+
diff --git a/patches.suse/batman-adv-Only-read-OGM-tvlv_len-after-buffer-len-c.patch b/patches.suse/batman-adv-Only-read-OGM-tvlv_len-after-buffer-len-c.patch
new file mode 100644
index 0000000000..443b5063d1
--- /dev/null
+++ b/patches.suse/batman-adv-Only-read-OGM-tvlv_len-after-buffer-len-c.patch
@@ -0,0 +1,80 @@
+From a15d56a60760aa9dbe26343b9a0ac5228f35d445 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 22 Aug 2019 08:55:36 +0200
+Subject: [PATCH] batman-adv: Only read OGM tvlv_len after buffer len check
+Git-commit: a15d56a60760aa9dbe26343b9a0ac5228f35d445
+Patch-mainline: v5.3-rc7
+References: bsc#1051510
+
+Multiple batadv_ogm_packet can be stored in an skbuff. The functions
+batadv_iv_ogm_send_to_if()/batadv_iv_ogm_receive() use
+batadv_iv_ogm_aggr_packet() to check if there is another additional
+batadv_ogm_packet in the skb or not before they continue processing the
+packet.
+
+The length for such an OGM is BATADV_OGM_HLEN +
+batadv_ogm_packet->tvlv_len. The check must first check that at least
+BATADV_OGM_HLEN bytes are available before it accesses tvlv_len (which is
+part of the header. Otherwise it might try read outside of the currently
+available skbuff to get the content of tvlv_len.
+
+Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
+Reported-by: syzbot+355cab184197dbbfa384@syzkaller.appspotmail.com
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/batman-adv/bat_iv_ogm.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -454,17 +454,23 @@ static u8 batadv_hop_penalty(u8 tq, cons
+ * batadv_iv_ogm_aggr_packet - checks if there is another OGM attached
+ * @buff_pos: current position in the skb
+ * @packet_len: total length of the skb
+- * @tvlv_len: tvlv length of the previously considered OGM
++ * @ogm_packet: potential OGM in buffer
+ *
+ * Return: true if there is enough space for another OGM, false otherwise.
+ */
+-static bool batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
+- __be16 tvlv_len)
++static bool
++batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
++ const struct batadv_ogm_packet *ogm_packet)
+ {
+ int next_buff_pos = 0;
+
+- next_buff_pos += buff_pos + BATADV_OGM_HLEN;
+- next_buff_pos += ntohs(tvlv_len);
++ /* check if there is enough space for the header */
++ next_buff_pos += buff_pos + sizeof(*ogm_packet);
++ if (next_buff_pos > packet_len)
++ return false;
++
++ /* check if there is enough space for the optional TVLV */
++ next_buff_pos += ntohs(ogm_packet->tvlv_len);
+
+ return (next_buff_pos <= packet_len) &&
+ (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
+@@ -492,7 +498,7 @@ static void batadv_iv_ogm_send_to_if(str
+
+ /* adjust all flags and log packets */
+ while (batadv_iv_ogm_aggr_packet(buff_pos, forw_packet->packet_len,
+- batadv_ogm_packet->tvlv_len)) {
++ batadv_ogm_packet)) {
+ /* we might have aggregated direct link packets with an
+ * ordinary base packet
+ */
+@@ -1843,7 +1849,7 @@ static int batadv_iv_ogm_receive(struct
+
+ /* unpack the aggregated packets and process them one by one */
+ while (batadv_iv_ogm_aggr_packet(ogm_offset, skb_headlen(skb),
+- ogm_packet->tvlv_len)) {
++ ogm_packet)) {
+ batadv_iv_ogm_process(skb, ogm_offset, if_incoming);
+
+ ogm_offset += BATADV_OGM_HLEN;
diff --git a/patches.suse/batman-adv-Only-read-OGM2-tvlv_len-after-buffer-len-.patch b/patches.suse/batman-adv-Only-read-OGM2-tvlv_len-after-buffer-len-.patch
new file mode 100644
index 0000000000..edb503fdfc
--- /dev/null
+++ b/patches.suse/batman-adv-Only-read-OGM2-tvlv_len-after-buffer-len-.patch
@@ -0,0 +1,68 @@
+From 0ff0f15a32c093381ad1abc06abe85afb561ab28 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 22 Aug 2019 08:55:36 +0200
+Subject: [PATCH] batman-adv: Only read OGM2 tvlv_len after buffer len check
+Git-commit: 0ff0f15a32c093381ad1abc06abe85afb561ab28
+Patch-mainline: v5.3-rc7
+References: bsc#1051510
+
+Multiple batadv_ogm2_packet can be stored in an skbuff. The functions
+batadv_v_ogm_send_to_if() uses batadv_v_ogm_aggr_packet() to check if there
+is another additional batadv_ogm2_packet in the skb or not before they
+continue processing the packet.
+
+The length for such an OGM2 is BATADV_OGM2_HLEN +
+batadv_ogm2_packet->tvlv_len. The check must first check that at least
+BATADV_OGM2_HLEN bytes are available before it accesses tvlv_len (which is
+part of the header. Otherwise it might try read outside of the currently
+available skbuff to get the content of tvlv_len.
+
+Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/batman-adv/bat_v_ogm.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/net/batman-adv/bat_v_ogm.c
++++ b/net/batman-adv/bat_v_ogm.c
+@@ -642,17 +642,23 @@ batadv_v_ogm_process_per_outif(struct ba
+ * batadv_v_ogm_aggr_packet - checks if there is another OGM aggregated
+ * @buff_pos: current position in the skb
+ * @packet_len: total length of the skb
+- * @tvlv_len: tvlv length of the previously considered OGM
++ * @ogm2_packet: potential OGM2 in buffer
+ *
+ * Return: true if there is enough space for another OGM, false otherwise.
+ */
+-static bool batadv_v_ogm_aggr_packet(int buff_pos, int packet_len,
+- __be16 tvlv_len)
++static bool
++batadv_v_ogm_aggr_packet(int buff_pos, int packet_len,
++ const struct batadv_ogm2_packet *ogm2_packet)
+ {
+ int next_buff_pos = 0;
+
+- next_buff_pos += buff_pos + BATADV_OGM2_HLEN;
+- next_buff_pos += ntohs(tvlv_len);
++ /* check if there is enough space for the header */
++ next_buff_pos += buff_pos + sizeof(*ogm2_packet);
++ if (next_buff_pos > packet_len)
++ return false;
++
++ /* check if there is enough space for the optional TVLV */
++ next_buff_pos += ntohs(ogm2_packet->tvlv_len);
+
+ return (next_buff_pos <= packet_len) &&
+ (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
+@@ -829,7 +835,7 @@ int batadv_v_ogm_packet_recv(struct sk_b
+ ogm_packet = (struct batadv_ogm2_packet *)skb->data;
+
+ while (batadv_v_ogm_aggr_packet(ogm_offset, skb_headlen(skb),
+- ogm_packet->tvlv_len)) {
++ ogm_packet)) {
+ batadv_v_ogm_process(skb, ogm_offset, if_incoming);
+
+ ogm_offset += BATADV_OGM2_HLEN;
diff --git a/patches.suse/batman-adv-fix-uninit-value-in-batadv_netlink_get_if.patch b/patches.suse/batman-adv-fix-uninit-value-in-batadv_netlink_get_if.patch
new file mode 100644
index 0000000000..43fa6be362
--- /dev/null
+++ b/patches.suse/batman-adv-fix-uninit-value-in-batadv_netlink_get_if.patch
@@ -0,0 +1,69 @@
+From 3ee1bb7aae97324ec9078da1f00cb2176919563f Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 12 Aug 2019 04:57:27 -0700
+Subject: [PATCH] batman-adv: fix uninit-value in batadv_netlink_get_ifindex()
+Git-commit: 3ee1bb7aae97324ec9078da1f00cb2176919563f
+Patch-mainline: v5.3-rc7
+References: bsc#1051510
+
+batadv_netlink_get_ifindex() needs to make sure user passed
+a correct u32 attribute.
+
+syzbot reported :
+Bug: KMSAN: uninit-value in batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968
+Cpu: 1 PID: 11705 Comm: syz-executor888 Not tainted 5.1.0+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x191/0x1f0 lib/dump_stack.c:113
+ kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
+ __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
+ batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968
+ genl_lock_dumpit+0xc6/0x130 net/netlink/genetlink.c:482
+ netlink_dump+0xa84/0x1ab0 net/netlink/af_netlink.c:2253
+ __netlink_dump_start+0xa3a/0xb30 net/netlink/af_netlink.c:2361
+ genl_family_rcv_msg net/netlink/genetlink.c:550 [inline]
+ genl_rcv_msg+0xfc1/0x1a40 net/netlink/genetlink.c:627
+ netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2486
+ genl_rcv+0x63/0x80 net/netlink/genetlink.c:638
+ netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
+ netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1337
+ netlink_sendmsg+0x127e/0x12f0 net/netlink/af_netlink.c:1926
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ sock_sendmsg net/socket.c:661 [inline]
+ ___sys_sendmsg+0xcc6/0x1200 net/socket.c:2260
+ __sys_sendmsg net/socket.c:2298 [inline]
+ __do_sys_sendmsg net/socket.c:2307 [inline]
+ __se_sys_sendmsg+0x305/0x460 net/socket.c:2305
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2305
+ do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+Rip: 0033:0x440209
+
+Fixes: b60620cf567b ("batman-adv: netlink: hardif query")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/batman-adv/netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/batman-adv/netlink.c b/net/batman-adv/netlink.c
+index 6f08fd122a8d..7e052d6f759b 100644
+--- a/net/batman-adv/netlink.c
++++ b/net/batman-adv/netlink.c
+@@ -164,7 +164,7 @@ batadv_netlink_get_ifindex(const struct nlmsghdr *nlh, int attrtype)
+ {
+ struct nlattr *attr = nlmsg_find_attr(nlh, GENL_HDRLEN, attrtype);
+
+- return attr ? nla_get_u32(attr) : 0;
++ return (attr && nla_len(attr) == sizeof(u32)) ? nla_get_u32(attr) : 0;
+ }
+
+ /**
+--
+2.16.4
+
diff --git a/patches.suse/can-peak_usb-force-the-string-buffer-NULL-terminated.patch b/patches.suse/can-peak_usb-force-the-string-buffer-NULL-terminated.patch
new file mode 100644
index 0000000000..64cef6eca3
--- /dev/null
+++ b/patches.suse/can-peak_usb-force-the-string-buffer-NULL-terminated.patch
@@ -0,0 +1,40 @@
+From e787f19373b8a5fa24087800ed78314fd17b984a Mon Sep 17 00:00:00 2001
+From: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Date: Wed, 31 Jul 2019 15:25:59 +0800
+Subject: [PATCH] can: peak_usb: force the string buffer NULL-terminated
+Git-commit: e787f19373b8a5fa24087800ed78314fd17b984a
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+strncpy() does not ensure NULL-termination when the input string size
+equals to the destination buffer size IFNAMSIZ. The output string is
+passed to dev_info() which relies on the NULL-termination.
+
+Use strlcpy() instead.
+
+This issue is identified by a Coccinelle script.
+
+Signed-off-by: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+index 22b9c8e6d040..65dce642b86b 100644
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -855,7 +855,7 @@ static void peak_usb_disconnect(struct usb_interface *intf)
+
+ dev_prev_siblings = dev->prev_siblings;
+ dev->state &= ~PCAN_USB_STATE_CONNECTED;
+- strncpy(name, netdev->name, IFNAMSIZ);
++ strlcpy(name, netdev->name, IFNAMSIZ);
+
+ unregister_netdev(netdev);
+
+--
+2.16.4
+
diff --git a/patches.suse/can-sja1000-force-the-string-buffer-NULL-terminated.patch b/patches.suse/can-sja1000-force-the-string-buffer-NULL-terminated.patch
new file mode 100644
index 0000000000..d184163943
--- /dev/null
+++ b/patches.suse/can-sja1000-force-the-string-buffer-NULL-terminated.patch
@@ -0,0 +1,40 @@
+From cd28aa2e056cd1ea79fc5f24eed0ce868c6cab5c Mon Sep 17 00:00:00 2001
+From: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Date: Wed, 31 Jul 2019 15:31:14 +0800
+Subject: [PATCH] can: sja1000: force the string buffer NULL-terminated
+Git-commit: cd28aa2e056cd1ea79fc5f24eed0ce868c6cab5c
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+strncpy() does not ensure NULL-termination when the input string size
+equals to the destination buffer size IFNAMSIZ. The output string
+'name' is passed to dev_info which relies on NULL-termination.
+
+Use strlcpy() instead.
+
+This issue is identified by a Coccinelle script.
+
+Signed-off-by: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/can/sja1000/peak_pcmcia.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/sja1000/peak_pcmcia.c b/drivers/net/can/sja1000/peak_pcmcia.c
+index 185c7f7d38a4..5e0d5e8101c8 100644
+--- a/drivers/net/can/sja1000/peak_pcmcia.c
++++ b/drivers/net/can/sja1000/peak_pcmcia.c
+@@ -479,7 +479,7 @@ static void pcan_free_channels(struct pcan_pccard *card)
+ if (!netdev)
+ continue;
+
+- strncpy(name, netdev->name, IFNAMSIZ);
++ strlcpy(name, netdev->name, IFNAMSIZ);
+
+ unregister_sja1000dev(netdev);
+
+--
+2.16.4
+
diff --git a/patches.suse/drm-nouveau-Don-t-retry-infinitely-when-receiving-no.patch b/patches.suse/drm-nouveau-Don-t-retry-infinitely-when-receiving-no.patch
new file mode 100644
index 0000000000..931b32d0b4
--- /dev/null
+++ b/patches.suse/drm-nouveau-Don-t-retry-infinitely-when-receiving-no.patch
@@ -0,0 +1,107 @@
+From c358ebf59634f06d8ed176da651ec150df3c8686 Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Thu, 25 Jul 2019 15:40:01 -0400
+Subject: drm/nouveau: Don't retry infinitely when receiving no data on i2c
+ over AUX
+Git-commit: c358ebf59634f06d8ed176da651ec150df3c8686
+Patch-mainline: v5.3-rc6
+References: bsc#1142635
+
+While I had thought I had fixed this issue in:
+
+commit 342406e4fbba ("drm/nouveau/i2c: Disable i2c bus access after
+->fini()")
+
+It turns out that while I did fix the error messages I was seeing on my
+P50 when trying to access i2c busses with the GPU in runtime suspend, I
+accidentally had missed one important detail that was mentioned on the
+bug report this commit was supposed to fix: that the CPU would only lock
+up when trying to access i2c busses _on connected devices_ _while the
+GPU is not in runtime suspend_. Whoops. That definitely explains why I
+was not able to get my machine to hang with i2c bus interactions until
+now, as plugging my P50 into it's dock with an HDMI monitor connected
+allowed me to finally reproduce this locally.
+
+Now that I have managed to reproduce this issue properly, it looks like
+the problem is much simpler then it looks. It turns out that some
+connected devices, such as MST laptop docks, will actually ACK i2c reads
+even if no data was actually read:
+
+[ 275.063043] nouveau 0000:01:00.0: i2c: aux 000a: 1: 0000004c 1
+[ 275.063447] nouveau 0000:01:00.0: i2c: aux 000a: 00 01101000 10040000
+[ 275.063759] nouveau 0000:01:00.0: i2c: aux 000a: rd 00000001
+[ 275.064024] nouveau 0000:01:00.0: i2c: aux 000a: rd 00000000
+[ 275.064285] nouveau 0000:01:00.0: i2c: aux 000a: rd 00000000
+[ 275.064594] nouveau 0000:01:00.0: i2c: aux 000a: rd 00000000
+
+Because we don't handle the situation of i2c ack without any data, we
+end up entering an infinite loop in nvkm_i2c_aux_i2c_xfer() since the
+value of cnt always remains at 0. This finally properly explains how
+this could result in a CPU hang like the ones observed in the
+aforementioned commit.
+
+So, fix this by retrying transactions if no data is written or received,
+and give up and fail the transaction if we continue to not write or
+receive any data after 32 retries.
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+---
+ drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c | 24 +++++++++++++------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c
+index b4e7404fe660..a11637b0f6cc 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c
+@@ -40,8 +40,7 @@ nvkm_i2c_aux_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
+ u8 *ptr = msg->buf;
+
+ while (remaining) {
+- u8 cnt = (remaining > 16) ? 16 : remaining;
+- u8 cmd;
++ u8 cnt, retries, cmd;
+
+ if (msg->flags & I2C_M_RD)
+ cmd = 1;
+@@ -51,10 +50,19 @@ nvkm_i2c_aux_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
+ if (mcnt || remaining > 16)
+ cmd |= 4; /* MOT */
+
+- ret = aux->func->xfer(aux, true, cmd, msg->addr, ptr, &cnt);
+- if (ret < 0) {
+- nvkm_i2c_aux_release(aux);
+- return ret;
++ for (retries = 0, cnt = 0;
++ retries < 32 && !cnt;
++ retries++) {
++ cnt = min_t(u8, remaining, 16);
++ ret = aux->func->xfer(aux, true, cmd,
++ msg->addr, ptr, &cnt);
++ if (ret < 0)
++ goto out;
++ }
++ if (!cnt) {
++ AUX_TRACE(aux, "no data after 32 retries");
++ ret = -EIO;
++ goto out;
+ }
+
+ ptr += cnt;
+@@ -64,8 +72,10 @@ nvkm_i2c_aux_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
+ msg++;
+ }
+
++ ret = num;
++out:
+ nvkm_i2c_aux_release(aux);
+- return num;
++ return ret;
+ }
+
+ static u32
+--
+2.22.0
+
diff --git a/patches.suse/gpio-mxs-Get-rid-of-external-API-call.patch b/patches.suse/gpio-mxs-Get-rid-of-external-API-call.patch
new file mode 100644
index 0000000000..6117414f43
--- /dev/null
+++ b/patches.suse/gpio-mxs-Get-rid-of-external-API-call.patch
@@ -0,0 +1,52 @@
+From 833eacc7b5913da9896bacd30db7d490aa777868 Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Wed, 29 Aug 2018 17:02:16 +0200
+Subject: [PATCH] gpio: mxs: Get rid of external API call
+Git-commit: 833eacc7b5913da9896bacd30db7d490aa777868
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+The MXS driver was calling back into the GPIO API from
+its irqchip. This is not very elegant, as we are a driver,
+let's just shortcut back into the gpio_chip .get() function
+instead.
+
+This is a tricky case since the .get() callback is not in
+this file, instead assigned by bgpio_init(). Calling the
+function direcly in the gpio_chip is however the lesser
+evil.
+
+Cc: Sascha Hauer <s.hauer@pengutronix.de>
+Cc: Janusz Uzycki <j.uzycki@elproma.com.pl>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpio/gpio-mxs.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/gpio/gpio-mxs.c b/drivers/gpio/gpio-mxs.c
+index df30490da820..ea874fd033a5 100644
+--- a/drivers/gpio/gpio-mxs.c
++++ b/drivers/gpio/gpio-mxs.c
+@@ -18,8 +18,6 @@
+ #include <linux/platform_device.h>
+ #include <linux/slab.h>
+ #include <linux/gpio/driver.h>
+-/* FIXME: for gpio_get_value(), replace this by direct register read */
+-#include <linux/gpio.h>
+ #include <linux/module.h>
+
+ #define MXS_SET 0x4
+@@ -86,7 +84,7 @@ static int mxs_gpio_set_irq_type(struct irq_data *d, unsigned int type)
+ port->both_edges &= ~pin_mask;
+ switch (type) {
+ case IRQ_TYPE_EDGE_BOTH:
+- val = gpio_get_value(port->gc.base + d->hwirq);
++ val = port->gc.get(&port->gc, d->hwirq);
+ if (val)
+ edge = GPIO_INT_FALL_EDGE;
+ else
+--
+2.16.4
+
diff --git a/patches.suse/gpio-pxa-handle-corner-case-of-unprobed-device.patch b/patches.suse/gpio-pxa-handle-corner-case-of-unprobed-device.patch
new file mode 100644
index 0000000000..4fcbbd9d2b
--- /dev/null
+++ b/patches.suse/gpio-pxa-handle-corner-case-of-unprobed-device.patch
@@ -0,0 +1,55 @@
+From 9ce3ebe973bf4073426f35f282c6b955ed802765 Mon Sep 17 00:00:00 2001
+From: Robert Jarzmik <robert.jarzmik@free.fr>
+Date: Sat, 25 Aug 2018 10:44:17 +0200
+Subject: [PATCH] gpio: pxa: handle corner case of unprobed device
+Git-commit: 9ce3ebe973bf4073426f35f282c6b955ed802765
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+In the corner case where the gpio driver probe fails, for whatever
+reason, the suspend and resume handlers will still be called as they
+have to be registered as syscore operations. This applies as well when
+no probe was called while the driver has been built in the kernel.
+
+Nicolas tracked this in :
+https://bugzilla.kernel.org/show_bug.cgi?id=200905
+
+Therefore, add a failsafe in these function, and test if a proper probe
+succeeded and the driver is functional.
+
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Reported-by: Nicolas Chauvet <kwizart@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpio/gpio-pxa.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpio/gpio-pxa.c b/drivers/gpio/gpio-pxa.c
+index c18712dabf93..bfe4c5c9f41c 100644
+--- a/drivers/gpio/gpio-pxa.c
++++ b/drivers/gpio/gpio-pxa.c
+@@ -776,6 +776,9 @@ static int pxa_gpio_suspend(void)
+ struct pxa_gpio_bank *c;
+ int gpio;
+
++ if (!pchip)
++ return 0;
++
+ for_each_gpio_bank(gpio, c, pchip) {
+ c->saved_gplr = readl_relaxed(c->regbase + GPLR_OFFSET);
+ c->saved_gpdr = readl_relaxed(c->regbase + GPDR_OFFSET);
+@@ -794,6 +797,9 @@ static void pxa_gpio_resume(void)
+ struct pxa_gpio_bank *c;
+ int gpio;
+
++ if (!pchip)
++ return;
++
+ for_each_gpio_bank(gpio, c, pchip) {
+ /* restore level with set/clear */
+ writel_relaxed(c->saved_gplr, c->regbase + GPSR_OFFSET);
+--
+2.16.4
+
diff --git a/patches.suse/i2c-qup-fixed-releasing-dma-without-flush-operation-.patch b/patches.suse/i2c-qup-fixed-releasing-dma-without-flush-operation-.patch
new file mode 100644
index 0000000000..ad7d4bd306
--- /dev/null
+++ b/patches.suse/i2c-qup-fixed-releasing-dma-without-flush-operation-.patch
@@ -0,0 +1,53 @@
+From 7239872fb3400b21a8f5547257f9f86455867bd6 Mon Sep 17 00:00:00 2001
+From: Abhishek Sahu <absahu@codeaurora.org>
+Date: Mon, 12 Mar 2018 18:44:51 +0530
+Subject: [PATCH] i2c: qup: fixed releasing dma without flush operation completion
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 7239872fb3400b21a8f5547257f9f86455867bd6
+Patch-mainline: v4.17-rc1
+References: bsc#1051510
+
+The QUP BSLP BAM generates the following error sometimes if the
+current I2C DMA transfer fails and the flush operation has been
+scheduled
+
+ “bam-dma-engine 7884000.dma: Cannot free busy channel”
+
+If any I2C error comes during BAM DMA transfer, then the QUP I2C
+interrupt will be generated and the flush operation will be
+carried out to make I2C consume all scheduled DMA transfer.
+Currently, the same completion structure is being used for BAM
+transfer which has already completed without reinit. It will make
+flush operation wait_for_completion_timeout completed immediately
+and will proceed for freeing the DMA resources where the
+descriptors are still in process.
+
+Signed-off-by: Abhishek Sahu <absahu@codeaurora.org>
+Acked-by: Sricharan R <sricharan@codeaurora.org>
+Reviewed-by: Austin Christ <austinwc@codeaurora.org>
+Reviewed-by: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/i2c/busses/i2c-qup.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-qup.c b/drivers/i2c/busses/i2c-qup.c
+index ac5edfac2d5c..75e9819a161c 100644
+--- a/drivers/i2c/busses/i2c-qup.c
++++ b/drivers/i2c/busses/i2c-qup.c
+@@ -835,6 +835,8 @@ static int qup_i2c_bam_do_xfer(struct qup_i2c_dev *qup, struct i2c_msg *msg,
+ }
+
+ if (ret || qup->bus_err || qup->qup_err) {
++ reinit_completion(&qup->xfer);
++
+ if (qup_i2c_change_state(qup, QUP_RUN_STATE)) {
+ dev_err(qup->dev, "change to run state timed out");
+ goto desc_err;
+--
+2.16.4
+
diff --git a/patches.suse/isdn-hfcsusb-Fix-mISDN-driver-crash-caused-by-transf.patch b/patches.suse/isdn-hfcsusb-Fix-mISDN-driver-crash-caused-by-transf.patch
new file mode 100644
index 0000000000..5f111841c6
--- /dev/null
+++ b/patches.suse/isdn-hfcsusb-Fix-mISDN-driver-crash-caused-by-transf.patch
@@ -0,0 +1,87 @@
+From d8a1de3d5bb881507602bc02e004904828f88711 Mon Sep 17 00:00:00 2001
+From: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
+Date: Wed, 31 Jul 2019 15:17:23 +0200
+Subject: [PATCH] isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack
+Git-commit: d8a1de3d5bb881507602bc02e004904828f88711
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+Since linux 4.9 it is not possible to use buffers on the stack for DMA transfers.
+
+During usb probe the driver crashes with "transfer buffer is on stack" message.
+
+This fix k-allocates a buffer to be used on "read_reg_atomic", which is a macro
+that calls "usb_control_msg" under the hood.
+
+Kernel 4.19 backtrace:
+
+usb_hcd_submit_urb+0x3e5/0x900
+? sched_clock+0x9/0x10
+? log_store+0x203/0x270
+? get_random_u32+0x6f/0x90
+? cache_alloc_refill+0x784/0x8a0
+usb_submit_urb+0x3b4/0x550
+usb_start_wait_urb+0x4e/0xd0
+usb_control_msg+0xb8/0x120
+hfcsusb_probe+0x6bc/0xb40 [hfcsusb]
+usb_probe_interface+0xc2/0x260
+really_probe+0x176/0x280
+driver_probe_device+0x49/0x130
+__driver_attach+0xa9/0xb0
+? driver_probe_device+0x130/0x130
+bus_for_each_dev+0x5a/0x90
+driver_attach+0x14/0x20
+? driver_probe_device+0x130/0x130
+bus_add_driver+0x157/0x1e0
+driver_register+0x51/0xe0
+usb_register_driver+0x5d/0x120
+? 0xf81ed000
+hfcsusb_drv_init+0x17/0x1000 [hfcsusb]
+do_one_initcall+0x44/0x190
+? free_unref_page_commit+0x6a/0xd0
+do_init_module+0x46/0x1c0
+load_module+0x1dc1/0x2400
+sys_init_module+0xed/0x120
+do_fast_syscall_32+0x7a/0x200
+entry_SYSENTER_32+0x6b/0xbe
+
+Signed-off-by: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/isdn/hardware/mISDN/hfcsusb.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
+index 8fb7c5dea07f..008a74a1ed44 100644
+--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
+@@ -1693,13 +1693,23 @@ hfcsusb_stop_endpoint(struct hfcsusb *hw, int channel)
+ static int
+ setup_hfcsusb(struct hfcsusb *hw)
+ {
++ void *dmabuf = kmalloc(sizeof(u_char), GFP_KERNEL);
+ u_char b;
++ int ret;
+
+ if (debug & DBG_HFC_CALL_TRACE)
+ printk(KERN_DEBUG "%s: %s\n", hw->name, __func__);
+
++ if (!dmabuf)
++ return -ENOMEM;
++
++ ret = read_reg_atomic(hw, HFCUSB_CHIP_ID, dmabuf);
++
++ memcpy(&b, dmabuf, sizeof(u_char));
++ kfree(dmabuf);
++
+ /* check the chip id */
+- if (read_reg_atomic(hw, HFCUSB_CHIP_ID, &b) != 1) {
++ if (ret != 1) {
+ printk(KERN_DEBUG "%s: %s: cannot read chip id\n",
+ hw->name, __func__);
+ return 1;
+--
+2.16.4
+
diff --git a/patches.suse/isdn-mISDN-hfcsusb-Fix-possible-null-pointer-derefer.patch b/patches.suse/isdn-mISDN-hfcsusb-Fix-possible-null-pointer-derefer.patch
new file mode 100644
index 0000000000..f526c0246a
--- /dev/null
+++ b/patches.suse/isdn-mISDN-hfcsusb-Fix-possible-null-pointer-derefer.patch
@@ -0,0 +1,50 @@
+From a0d57a552b836206ad7705a1060e6e1ce5a38203 Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Fri, 26 Jul 2019 16:27:36 +0800
+Subject: [PATCH] isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in start_isoc_chain()
+Git-commit: a0d57a552b836206ad7705a1060e6e1ce5a38203
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+In start_isoc_chain(), usb_alloc_urb() on line 1392 may fail
+and return NULL. At this time, fifo->iso[i].urb is assigned to NULL.
+
+Then, fifo->iso[i].urb is used at some places, such as:
+LINE 1405: fill_isoc_urb(fifo->iso[i].urb, ...)
+ urb->number_of_packets = num_packets;
+ urb->transfer_flags = URB_ISO_ASAP;
+ urb->actual_length = 0;
+ urb->interval = interval;
+LINE 1416: fifo->iso[i].urb->...
+LINE 1419: fifo->iso[i].urb->...
+
+Thus, possible null-pointer dereferences may occur.
+
+To fix these bugs, "continue" is added to avoid using fifo->iso[i].urb
+when it is NULL.
+
+These bugs are found by a static analysis tool STCheck written by us.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/isdn/hardware/mISDN/hfcsusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
+index 0e224232f746..8fb7c5dea07f 100644
+--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
+@@ -1394,6 +1394,7 @@ start_isoc_chain(struct usb_fifo *fifo, int num_packets_per_urb,
+ printk(KERN_DEBUG
+ "%s: %s: alloc urb for fifo %i failed",
+ hw->name, __func__, fifo->fifonum);
++ continue;
+ }
+ fifo->iso[i].owner_fifo = (struct usb_fifo *) fifo;
+ fifo->iso[i].indx = i;
+--
+2.16.4
+
diff --git a/patches.suse/kconfig-mn-conf-handle-backspace-H-key.patch b/patches.suse/kconfig-mn-conf-handle-backspace-H-key.patch
new file mode 100644
index 0000000000..b6e26f50ca
--- /dev/null
+++ b/patches.suse/kconfig-mn-conf-handle-backspace-H-key.patch
@@ -0,0 +1,67 @@
+From 9c38f1f044080392603c497ecca4d7d09876ff99 Mon Sep 17 00:00:00 2001
+From: Changbin Du <changbin.du@gmail.com>
+Date: Mon, 25 Mar 2019 15:16:47 +0000
+Subject: [PATCH] kconfig/[mn]conf: handle backspace (^H) key
+Git-commit: 9c38f1f044080392603c497ecca4d7d09876ff99
+Patch-mainline: v5.1-rc3
+References: bsc#1051510
+
+Backspace is not working on some terminal emulators which do not send the
+key code defined by terminfo. Terminals either send '^H' (8) or '^?' (127).
+But currently only '^?' is handled. Let's also handle '^H' for those
+terminals.
+
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ scripts/kconfig/lxdialog/inputbox.c | 3 ++-
+ scripts/kconfig/nconf.c | 2 +-
+ scripts/kconfig/nconf.gui.c | 3 ++-
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c
+index 611945611bf8..1dcfb288ee63 100644
+--- a/scripts/kconfig/lxdialog/inputbox.c
++++ b/scripts/kconfig/lxdialog/inputbox.c
+@@ -113,7 +113,8 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width
+ case KEY_DOWN:
+ break;
+ case KEY_BACKSPACE:
+- case 127:
++ case 8: /* ^H */
++ case 127: /* ^? */
+ if (pos) {
+ wattrset(dialog, dlg.inputbox.atr);
+ if (input_x == 0) {
+diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
+index a4670f4e825a..ac92c0ded6c5 100644
+--- a/scripts/kconfig/nconf.c
++++ b/scripts/kconfig/nconf.c
+@@ -1048,7 +1048,7 @@ static int do_match(int key, struct match_state *state, int *ans)
+ state->match_direction = FIND_NEXT_MATCH_UP;
+ *ans = get_mext_match(state->pattern,
+ state->match_direction);
+- } else if (key == KEY_BACKSPACE || key == 127) {
++ } else if (key == KEY_BACKSPACE || key == 8 || key == 127) {
+ state->pattern[strlen(state->pattern)-1] = '\0';
+ adj_match_dir(&state->match_direction);
+ } else
+diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c
+index 7be620a1fcdb..77f525a8617c 100644
+--- a/scripts/kconfig/nconf.gui.c
++++ b/scripts/kconfig/nconf.gui.c
+@@ -439,7 +439,8 @@ int dialog_inputbox(WINDOW *main_window,
+ case KEY_F(F_EXIT):
+ case KEY_F(F_BACK):
+ break;
+- case 127:
++ case 8: /* ^H */
++ case 127: /* ^? */
+ case KEY_BACKSPACE:
+ if (cursor_position > 0) {
+ memmove(&result[cursor_position-1],
+--
+2.16.4
+
diff --git a/patches.suse/libata-add-SG-safety-checks-in-SFF-pio-transfers.patch b/patches.suse/libata-add-SG-safety-checks-in-SFF-pio-transfers.patch
new file mode 100644
index 0000000000..70b4b99611
--- /dev/null
+++ b/patches.suse/libata-add-SG-safety-checks-in-SFF-pio-transfers.patch
@@ -0,0 +1,48 @@
+From 752ead44491e8c91e14d7079625c5916b30921c5 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 7 Aug 2019 12:23:57 -0600
+Subject: [PATCH] libata: add SG safety checks in SFF pio transfers
+Git-commit: 752ead44491e8c91e14d7079625c5916b30921c5
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+Abort processing of a command if we run out of mapped data in the
+SG list. This should never happen, but a previous bug caused it to
+be possible. Play it safe and attempt to abort nicely if we don't
+have more SG segments left.
+
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/ata/libata-sff.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c
+index 10aa27882142..4f115adb4ee8 100644
+--- a/drivers/ata/libata-sff.c
++++ b/drivers/ata/libata-sff.c
+@@ -658,6 +658,10 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
+ unsigned int offset;
+ unsigned char *buf;
+
++ if (!qc->cursg) {
++ qc->curbytes = qc->nbytes;
++ return;
++ }
+ if (qc->curbytes == qc->nbytes - qc->sect_size)
+ ap->hsm_task_state = HSM_ST_LAST;
+
+@@ -683,6 +687,8 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
+
+ if (qc->cursg_ofs == qc->cursg->length) {
+ qc->cursg = sg_next(qc->cursg);
++ if (!qc->cursg)
++ ap->hsm_task_state = HSM_ST_LAST;
+ qc->cursg_ofs = 0;
+ }
+ }
+--
+2.16.4
+
diff --git a/patches.suse/libata-have-ata_scsi_rw_xlat-fail-invalid-passthroug.patch b/patches.suse/libata-have-ata_scsi_rw_xlat-fail-invalid-passthroug.patch
new file mode 100644
index 0000000000..a537027556
--- /dev/null
+++ b/patches.suse/libata-have-ata_scsi_rw_xlat-fail-invalid-passthroug.patch
@@ -0,0 +1,84 @@
+From 2d7271501720038381d45fb3dcbe4831228fc8cc Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 7 Aug 2019 12:20:52 -0600
+Subject: [PATCH] libata: have ata_scsi_rw_xlat() fail invalid passthrough requests
+Git-commit: 2d7271501720038381d45fb3dcbe4831228fc8cc
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+For passthrough requests, libata-scsi takes what the user passes in
+as gospel. This can be problematic if the user fills in the CDB
+incorrectly. One example of that is in request sizes. For read/write
+commands, the CDB contains fields describing the transfer length of
+the request. These should match with the SG_IO header fields, but
+libata-scsi currently does no validation of that.
+
+Check that the number of blocks in the CDB for passthrough requests
+matches what was mapped into the request. If the CDB asks for more
+data then the validated SG_IO header fields, error it.
+
+Reported-by: Krishna Ram Prakash R <krp@gtux.in>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/ata/libata-scsi.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
+index 391ac0503dc0..76d0f9de767b 100644
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -1786,6 +1786,21 @@ static unsigned int ata_scsi_verify_xlat(struct ata_queued_cmd *qc)
+ return 1;
+ }
+
++static bool ata_check_nblocks(struct scsi_cmnd *scmd, u32 n_blocks)
++{
++ struct request *rq = scmd->request;
++ u32 req_blocks;
++
++ if (!blk_rq_is_passthrough(rq))
++ return true;
++
++ req_blocks = blk_rq_bytes(rq) / scmd->device->sector_size;
++ if (n_blocks > req_blocks)
++ return false;
++
++ return true;
++}
++
+ /**
+ * ata_scsi_rw_xlat - Translate SCSI r/w command into an ATA one
+ * @qc: Storage for translated ATA taskfile
+@@ -1830,6 +1845,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc)
+ scsi_10_lba_len(cdb, &block, &n_block);
+ if (cdb[1] & (1 << 3))
+ tf_flags |= ATA_TFLAG_FUA;
++ if (!ata_check_nblocks(scmd, n_block))
++ goto invalid_fld;
+ break;
+ case READ_6:
+ case WRITE_6:
+@@ -1844,6 +1861,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc)
+ */
+ if (!n_block)
+ n_block = 256;
++ if (!ata_check_nblocks(scmd, n_block))
++ goto invalid_fld;
+ break;
+ case READ_16:
+ case WRITE_16:
+@@ -1854,6 +1873,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc)
+ scsi_16_lba_len(cdb, &block, &n_block);
+ if (cdb[1] & (1 << 3))
+ tf_flags |= ATA_TFLAG_FUA;
++ if (!ata_check_nblocks(scmd, n_block))
++ goto invalid_fld;
+ break;
+ default:
+ DPRINTK("no-byte command\n");
+--
+2.16.4
+
diff --git a/patches.suse/mac80211-fix-possible-sta-leak.patch b/patches.suse/mac80211-fix-possible-sta-leak.patch
new file mode 100644
index 0000000000..2316cbeaf0
--- /dev/null
+++ b/patches.suse/mac80211-fix-possible-sta-leak.patch
@@ -0,0 +1,51 @@
+From 5fd2f91ad483baffdbe798f8a08f1b41442d1e24 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 1 Aug 2019 09:30:33 +0200
+Subject: [PATCH] mac80211: fix possible sta leak
+Git-commit: 5fd2f91ad483baffdbe798f8a08f1b41442d1e24
+Patch-mainline: v5.3-rc7
+References: bsc#1051510
+
+If TDLS station addition is rejected, the sta memory is leaked.
+Avoid this by moving the check before the allocation.
+
+Cc: stable@vger.kernel.org
+Fixes: 7ed5285396c2 ("mac80211: don't initiate TDLS connection if station is not associated to AP")
+Link: https://lore.kernel.org/r/20190801073033.7892-1-johannes@sipsolutions.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/mac80211/cfg.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 4d458067d80d..111c400199ec 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1546,6 +1546,11 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
+ if (is_multicast_ether_addr(mac))
+ return -EINVAL;
+
++ if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER) &&
++ sdata->vif.type == NL80211_IFTYPE_STATION &&
++ !sdata->u.mgd.associated)
++ return -EINVAL;
++
+ sta = sta_info_alloc(sdata, mac, GFP_KERNEL);
+ if (!sta)
+ return -ENOMEM;
+@@ -1553,10 +1558,6 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
+ if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
+ sta->sta.tdls = true;
+
+- if (sta->sta.tdls && sdata->vif.type == NL80211_IFTYPE_STATION &&
+- !sdata->u.mgd.associated)
+- return -EINVAL;
+-
+ err = sta_apply_parameters(local, sta, params);
+ if (err) {
+ sta_info_free(local, sta);
+--
+2.16.4
+
diff --git a/patches.suse/mmc-sdhci-of-at91-add-quirk-for-broken-HS200.patch b/patches.suse/mmc-sdhci-of-at91-add-quirk-for-broken-HS200.patch
new file mode 100644
index 0000000000..af4a39d92c
--- /dev/null
+++ b/patches.suse/mmc-sdhci-of-at91-add-quirk-for-broken-HS200.patch
@@ -0,0 +1,41 @@
+From 7871aa60ae0086fe4626abdf5ed13eeddf306c61 Mon Sep 17 00:00:00 2001
+From: Eugen Hristev <eugen.hristev@microchip.com>
+Date: Thu, 8 Aug 2019 08:35:40 +0000
+Subject: [PATCH] mmc: sdhci-of-at91: add quirk for broken HS200
+Git-commit: 7871aa60ae0086fe4626abdf5ed13eeddf306c61
+Patch-mainline: v5.3-rc7
+References: bsc#1051510
+
+HS200 is not implemented in the driver, but the controller claims it
+through caps. Remove it via a quirk, to make sure the mmc core do not try
+to enable HS200, as it causes the eMMC initialization to fail.
+
+Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Fixes: bb5f8ea4d514 ("mmc: sdhci-of-at91: introduce driver for the Atmel SDMMC")
+Cc: stable@vger.kernel.org # v4.4+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/mmc/host/sdhci-of-at91.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci-of-at91.c b/drivers/mmc/host/sdhci-of-at91.c
+index d4e7e8b7be77..e7d1920729fb 100644
+--- a/drivers/mmc/host/sdhci-of-at91.c
++++ b/drivers/mmc/host/sdhci-of-at91.c
+@@ -357,6 +357,9 @@ static int sdhci_at91_probe(struct platform_device *pdev)
+ pm_runtime_set_autosuspend_delay(&pdev->dev, 50);
+ pm_runtime_use_autosuspend(&pdev->dev);
+
++ /* HS200 is broken at this moment */
++ host->quirks2 = SDHCI_QUIRK2_BROKEN_HS200;
++
+ ret = sdhci_add_host(host);
+ if (ret)
+ goto pm_runtime_disable;
+--
+2.16.4
+
diff --git a/patches.suse/mpls-fix-warning-with-multi-label-encap.patch b/patches.suse/mpls-fix-warning-with-multi-label-encap.patch
new file mode 100644
index 0000000000..9b472caa5c
--- /dev/null
+++ b/patches.suse/mpls-fix-warning-with-multi-label-encap.patch
@@ -0,0 +1,45 @@
+From 2f3f7d1fa0d1039b24a55d127ed190f196fc3e79 Mon Sep 17 00:00:00 2001
+From: George Wilkie <gwilkie@vyatta.att-mail.com>
+Date: Fri, 7 Jun 2019 11:49:41 +0100
+Subject: [PATCH] mpls: fix warning with multi-label encap
+Git-commit: 2f3f7d1fa0d1039b24a55d127ed190f196fc3e79
+Patch-mainline: v5.2-rc6
+References: bsc#1051510
+
+If you configure a route with multiple labels, e.g.
+ ip route add 10.10.3.0/24 encap mpls 16/100 via 10.10.2.2 dev ens4
+A warning is logged:
+ kernel: [ 130.561819] netlink: 'ip': attribute type 1 has an invalid
+ length.
+
+This happens because mpls_iptunnel_policy has set the type of
+MPLS_IPTUNNEL_DST to fixed size NLA_U32.
+Change it to a minimum size.
+nla_get_labels() does the remaining validation.
+
+Fixes: e3e4712ec096 ("mpls: ip tunnel support")
+Signed-off-by: George Wilkie <gwilkie@vyatta.att-mail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/mpls/mpls_iptunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mpls/mpls_iptunnel.c b/net/mpls/mpls_iptunnel.c
+index 500596130760..d25e91d7bdc1 100644
+--- a/net/mpls/mpls_iptunnel.c
++++ b/net/mpls/mpls_iptunnel.c
+@@ -23,7 +23,7 @@
+ #include "internal.h"
+
+ static const struct nla_policy mpls_iptunnel_policy[MPLS_IPTUNNEL_MAX + 1] = {
+- [MPLS_IPTUNNEL_DST] = { .type = NLA_U32 },
++ [MPLS_IPTUNNEL_DST] = { .len = sizeof(u32) },
+ [MPLS_IPTUNNEL_TTL] = { .type = NLA_U8 },
+ };
+
+--
+2.16.4
+
diff --git a/patches.suse/rtc-pcf8523-don-t-return-invalid-date-when-battery-i.patch b/patches.suse/rtc-pcf8523-don-t-return-invalid-date-when-battery-i.patch
new file mode 100644
index 0000000000..415085b17f
--- /dev/null
+++ b/patches.suse/rtc-pcf8523-don-t-return-invalid-date-when-battery-i.patch
@@ -0,0 +1,87 @@
+From ecb4a353d3afd45b9bb30c85d03ee113a0589079 Mon Sep 17 00:00:00 2001
+From: Baruch Siach <baruch@tkos.co.il>
+Date: Wed, 5 Dec 2018 17:00:09 +0200
+Subject: [PATCH] rtc: pcf8523: don't return invalid date when battery is low
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: ecb4a353d3afd45b9bb30c85d03ee113a0589079
+Patch-mainline: v5.0-rc1
+References: bsc#1051510
+
+The RTC_VL_READ ioctl reports the low battery condition. Still,
+pcf8523_rtc_read_time() happily returns invalid dates in this case.
+Check the battery health on pcf8523_rtc_read_time() to avoid that.
+
+Reported-by: Erik Čuk <erik.cuk@domel.com>
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/rtc/rtc-pcf8523.c | 32 ++++++++++++++++++++++++--------
+ 1 file changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/rtc/rtc-pcf8523.c b/drivers/rtc/rtc-pcf8523.c
+index 453615f8ac9a..3fcd2cbafc84 100644
+--- a/drivers/rtc/rtc-pcf8523.c
++++ b/drivers/rtc/rtc-pcf8523.c
+@@ -85,6 +85,18 @@ static int pcf8523_write(struct i2c_client *client, u8 reg, u8 value)
+ return 0;
+ }
+
++static int pcf8523_voltage_low(struct i2c_client *client)
++{
++ u8 value;
++ int err;
++
++ err = pcf8523_read(client, REG_CONTROL3, &value);
++ if (err < 0)
++ return err;
++
++ return !!(value & REG_CONTROL3_BLF);
++}
++
+ static int pcf8523_select_capacitance(struct i2c_client *client, bool high)
+ {
+ u8 value;
+@@ -167,6 +179,14 @@ static int pcf8523_rtc_read_time(struct device *dev, struct rtc_time *tm)
+ struct i2c_msg msgs[2];
+ int err;
+
++ err = pcf8523_voltage_low(client);
++ if (err < 0) {
++ return err;
++ } else if (err > 0) {
++ dev_err(dev, "low voltage detected, time is unreliable\n");
++ return -EINVAL;
++ }
++
+ msgs[0].addr = client->addr;
+ msgs[0].flags = 0;
+ msgs[0].len = 1;
+@@ -251,17 +271,13 @@ static int pcf8523_rtc_ioctl(struct device *dev, unsigned int cmd,
+ unsigned long arg)
+ {
+ struct i2c_client *client = to_i2c_client(dev);
+- u8 value;
+- int ret = 0, err;
++ int ret;
+
+ switch (cmd) {
+ case RTC_VL_READ:
+- err = pcf8523_read(client, REG_CONTROL3, &value);
+- if (err < 0)
+- return err;
+-
+- if (value & REG_CONTROL3_BLF)
+- ret = 1;
++ ret = pcf8523_voltage_low(client);
++ if (ret < 0)
++ return ret;
+
+ if (copy_to_user((void __user *)arg, &ret, sizeof(int)))
+ return -EFAULT;
+--
+2.16.4
+
diff --git a/patches.suse/samples-bpf-fix-to-change-the-buffer-size-for-read.patch b/patches.suse/samples-bpf-fix-to-change-the-buffer-size-for-read.patch
new file mode 100644
index 0000000000..5ef61a07f9
--- /dev/null
+++ b/patches.suse/samples-bpf-fix-to-change-the-buffer-size-for-read.patch
@@ -0,0 +1,45 @@
+From f7c2d64bac1be2ff32f8e4f500c6e5429c1003e0 Mon Sep 17 00:00:00 2001
+From: Chang-Hsien Tsai <luke.tw@gmail.com>
+Date: Sun, 19 May 2019 09:05:44 +0000
+Subject: [PATCH] samples, bpf: fix to change the buffer size for read()
+Git-commit: f7c2d64bac1be2ff32f8e4f500c6e5429c1003e0
+Patch-mainline: v5.2-rc6
+References: bsc#1051510
+
+If the trace for read is larger than 4096, the return
+value sz will be 4096. This results in off-by-one error
+on buf:
+
+ static char buf[4096];
+ ssize_t sz;
+
+ sz = read(trace_fd, buf, sizeof(buf));
+ if (sz > 0) {
+ buf[sz] = 0;
+ puts(buf);
+ }
+
+Signed-off-by: Chang-Hsien Tsai <luke.tw@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ samples/bpf/bpf_load.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/bpf/bpf_load.c b/samples/bpf/bpf_load.c
+index eae7b635343d..6e87cc831e84 100644
+--- a/samples/bpf/bpf_load.c
++++ b/samples/bpf/bpf_load.c
+@@ -678,7 +678,7 @@ void read_trace_pipe(void)
+ static char buf[4096];
+ ssize_t sz;
+
+- sz = read(trace_fd, buf, sizeof(buf));
++ sz = read(trace_fd, buf, sizeof(buf) - 1);
+ if (sz > 0) {
+ buf[sz] = 0;
+ puts(buf);
+--
+2.16.4
+
diff --git a/patches.suse/samples-mei-use-dev-mei0-instead-of-dev-mei.patch b/patches.suse/samples-mei-use-dev-mei0-instead-of-dev-mei.patch
new file mode 100644
index 0000000000..0d27474fa0
--- /dev/null
+++ b/patches.suse/samples-mei-use-dev-mei0-instead-of-dev-mei.patch
@@ -0,0 +1,36 @@
+From c4a46acf1db3ce547d290c29e55b3476c78dd76c Mon Sep 17 00:00:00 2001
+From: Tomas Winkler <tomas.winkler@intel.com>
+Date: Thu, 24 Jan 2019 14:45:03 +0200
+Subject: [PATCH] samples: mei: use /dev/mei0 instead of /dev/mei
+Git-commit: c4a46acf1db3ce547d290c29e55b3476c78dd76c
+Patch-mainline: v5.0-rc6
+References: bsc#1051510
+
+The device was moved from misc device to character devices
+to support multiple mei devices.
+
+Cc: <stable@vger.kernel.org> #v4.9+
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ samples/mei/mei-amt-version.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/mei/mei-amt-version.c b/samples/mei/mei-amt-version.c
+index 33e67bd1dc34..32234481ad7d 100644
+--- a/samples/mei/mei-amt-version.c
++++ b/samples/mei/mei-amt-version.c
+@@ -117,7 +117,7 @@ static bool mei_init(struct mei *me, const uuid_le *guid,
+
+ me->verbose = verbose;
+
+- me->fd = open("/dev/mei", O_RDWR);
++ me->fd = open("/dev/mei0", O_RDWR);
+ if (me->fd == -1) {
+ mei_err(me, "Cannot establish a handle to the Intel MEI driver\n");
+ goto err;
+--
+2.16.4
+
diff --git a/patches.suse/scripts-checkstack.pl-Fix-arm64-wrong-or-unknown-arc.patch b/patches.suse/scripts-checkstack.pl-Fix-arm64-wrong-or-unknown-arc.patch
new file mode 100644
index 0000000000..f645c0d10f
--- /dev/null
+++ b/patches.suse/scripts-checkstack.pl-Fix-arm64-wrong-or-unknown-arc.patch
@@ -0,0 +1,39 @@
+From 4f45d62a52297b10ded963412a158685647ecdec Mon Sep 17 00:00:00 2001
+From: "George G. Davis" <george_davis@mentor.com>
+Date: Mon, 3 Jun 2019 10:30:39 -0400
+Subject: [PATCH] scripts/checkstack.pl: Fix arm64 wrong or unknown architecture
+Git-commit: 4f45d62a52297b10ded963412a158685647ecdec
+Patch-mainline: v5.2-rc4
+References: bsc#1051510
+
+The following error occurs for the `make ARCH=arm64 checkstack` case:
+
+aarch64-linux-gnu-objdump -d vmlinux $(find . -name '*.ko') | \
+perl ./scripts/checkstack.pl arm64
+wrong or unknown architecture "arm64"
+
+As suggested by Masahiro Yamada, fix the above error using regular
+expressions in the same way it was fixed for the `ARCH=x86` case via
+commit fda9f9903be6 ("scripts/checkstack.pl: automatically handle
+32-bit and 64-bit mode for ARCH=x86").
+
+Suggested-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: George G. Davis <george_davis@mentor.com>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ scripts/checkstack.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/checkstack.pl
++++ b/scripts/checkstack.pl
+@@ -44,7 +44,7 @@ my (@stack, $re, $dre, $x, $xs, $funcre)
+ $x = "[0-9a-f]"; # hex character
+ $xs = "[0-9a-f ]"; # hex character or space
+ $funcre = qr/^$x* <(.*)>:$/;
+- if ($arch eq 'aarch64') {
++ if ($arch =~ '^(aarch|arm)64$') {
+ #ffffffc0006325cc: a9bb7bfd stp x29, x30, [sp, #-80]!
+ $re = qr/^.*stp.*sp, \#-([0-9]{1,8})\]\!/o;
+ } elsif ($arch eq 'arm') {
diff --git a/patches.suse/scripts-decode_stacktrace-only-strip-base-path-when-.patch b/patches.suse/scripts-decode_stacktrace-only-strip-base-path-when-.patch
new file mode 100644
index 0000000000..cde403ac46
--- /dev/null
+++ b/patches.suse/scripts-decode_stacktrace-only-strip-base-path-when-.patch
@@ -0,0 +1,49 @@
+From 67a28de47faa83585dd644bd4c31e5a1d9346c50 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Fri, 28 Dec 2018 00:31:25 -0800
+Subject: [PATCH] scripts/decode_stacktrace: only strip base path when a prefix of the path
+Git-commit: 67a28de47faa83585dd644bd4c31e5a1d9346c50
+Patch-mainline: v5.0-rc1
+References: bsc#1051510
+
+Running something like:
+
+ decodecode vmlinux .
+
+leads to interested results where not only the leading "." gets stripped
+from the displayed paths, but also anywhere in the string, displaying
+something like:
+
+ kvm_vcpu_check_block (arch/arm64/kvm/virt/kvm/kvm_mainc:2141)
+
+which doesn't help further processing.
+
+Fix it by only stripping the base path if it is a prefix of the path.
+
+Link: http://lkml.kernel.org/r/20181210174659.31054-3-marc.zyngier@arm.com
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ scripts/decode_stacktrace.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh
+index 64220e36ce3b..98a7d63a723e 100755
+--- a/scripts/decode_stacktrace.sh
++++ b/scripts/decode_stacktrace.sh
+@@ -78,7 +78,7 @@ parse_symbol() {
+ fi
+
+ # Strip out the base of the path
+- code=${code//$basepath/""}
++ code=${code//^$basepath/""}
+
+ # In the case of inlines, move everything to same line
+ code=${code//$'\n'/' '}
+--
+2.16.4
+
diff --git a/patches.suse/scripts-decode_stacktrace.sh-prefix-addr2line-with-C.patch b/patches.suse/scripts-decode_stacktrace.sh-prefix-addr2line-with-C.patch
new file mode 100644
index 0000000000..fe32b820e1
--- /dev/null
+++ b/patches.suse/scripts-decode_stacktrace.sh-prefix-addr2line-with-C.patch
@@ -0,0 +1,50 @@
+From c04e32e911653442fc834be6e92e072aeebe01a1 Mon Sep 17 00:00:00 2001
+From: Manuel Traut <manut@linutronix.de>
+Date: Thu, 13 Jun 2019 15:55:52 -0700
+Subject: [PATCH] scripts/decode_stacktrace.sh: prefix addr2line with $CROSS_COMPILE
+Git-commit: c04e32e911653442fc834be6e92e072aeebe01a1
+Patch-mainline: v5.2-rc5
+References: bsc#1051510
+
+At least for ARM64 kernels compiled with the crosstoolchain from
+Debian/stretch or with the toolchain from kernel.org the line number is
+not decoded correctly by 'decode_stacktrace.sh':
+
+ $ echo "[ 136.513051] f1+0x0/0xc [kcrash]" | \
+ CROSS_COMPILE=/opt/gcc-8.1.0-nolibc/aarch64-linux/bin/aarch64-linux- \
+ ./scripts/decode_stacktrace.sh /scratch/linux-arm64/vmlinux \
+ /scratch/linux-arm64 \
+ /nfs/debian/lib/modules/4.20.0-devel
+ [ 136.513051] f1 (/linux/drivers/staging/kcrash/kcrash.c:68) kcrash
+
+If addr2line from the toolchain is used the decoded line number is correct:
+
+ [ 136.513051] f1 (/linux/drivers/staging/kcrash/kcrash.c:57) kcrash
+
+Link: http://lkml.kernel.org/r/20190527083425.3763-1-manut@linutronix.de
+Signed-off-by: Manuel Traut <manut@linutronix.de>
+Acked-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ scripts/decode_stacktrace.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh
+index bcdd45df3f51..a7a36209a193 100755
+--- a/scripts/decode_stacktrace.sh
++++ b/scripts/decode_stacktrace.sh
+@@ -73,7 +73,7 @@ parse_symbol() {
+ if [[ "${cache[$module,$address]+isset}" == "isset" ]]; then
+ local code=${cache[$module,$address]}
+ else
+- local code=$(addr2line -i -e "$objfile" "$address")
++ local code=$(${CROSS_COMPILE}addr2line -i -e "$objfile" "$address")
+ cache[$module,$address]=$code
+ fi
+
+--
+2.16.4
+
diff --git a/patches.suse/scripts-gdb-fix-lx-version-string-output.patch b/patches.suse/scripts-gdb-fix-lx-version-string-output.patch
new file mode 100644
index 0000000000..a754371831
--- /dev/null
+++ b/patches.suse/scripts-gdb-fix-lx-version-string-output.patch
@@ -0,0 +1,58 @@
+From b058809bfc8faeb7b7cae047666e23375a060059 Mon Sep 17 00:00:00 2001
+From: Du Changbin <changbin.du@gmail.com>
+Date: Thu, 3 Jan 2019 15:28:27 -0800
+Subject: [PATCH] scripts/gdb: fix lx-version string output
+Git-commit: b058809bfc8faeb7b7cae047666e23375a060059
+Patch-mainline: v5.0-rc1
+References: bsc#1051510
+
+A bug is present in GDB which causes early string termination when
+parsing variables. This has been reported [0], but we should ensure
+that we can support at least basic printing of the core kernel strings.
+
+For current gdb version (has been tested with 7.3 and 8.1), 'lx-version'
+only prints one character.
+
+ (gdb) lx-version
+ L(gdb)
+
+This can be fixed by casting 'linux_banner' as (char *).
+
+ (gdb) lx-version
+ Linux version 4.19.0-rc1+ (changbin@acer) (gcc version 7.3.0 (Ubuntu 7.3.0-16ubuntu3)) #21 SMP Sat Sep 1 21:43:30 CST 2018
+
+[0] https://sourceware.org/bugzilla/show_bug.cgi?id=20077
+
+[kbingham@kernel.org: add detail to commit message]
+Link: http://lkml.kernel.org/r/20181111162035.8356-1-kieran.bingham@ideasonboard.com
+Fixes: 2d061d999424 ("scripts/gdb: add version command")
+Signed-off-by: Du Changbin <changbin.du@gmail.com>
+Signed-off-by: Kieran Bingham <kbingham@kernel.org>
+Acked-by: Jan Kiszka <jan.kiszka@siemens.com>
+Cc: Jan Kiszka <jan.kiszka@siemens.com>
+Cc: Jason Wessel <jason.wessel@windriver.com>
+Cc: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ scripts/gdb/linux/proc.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/gdb/linux/proc.py b/scripts/gdb/linux/proc.py
+index 086d27223c0c..0aebd7565b03 100644
+--- a/scripts/gdb/linux/proc.py
++++ b/scripts/gdb/linux/proc.py
+@@ -41,7 +41,7 @@ class LxVersion(gdb.Command):
+
+ def invoke(self, arg, from_tty):
+ # linux_banner should contain a newline
+- gdb.write(gdb.parse_and_eval("linux_banner").string())
++ gdb.write(gdb.parse_and_eval("(char *)linux_banner").string())
+
+ LxVersion()
+
+--
+2.16.4
+
diff --git a/patches.suse/supported-flag-wildcards b/patches.suse/supported-flag-wildcards
index 8006b16d91..778a20de64 100644
--- a/patches.suse/supported-flag-wildcards
+++ b/patches.suse/supported-flag-wildcards
@@ -3,6 +3,7 @@ From: Michal Marek <mmarek@suse.cz>
Date: Mon, 19 Sep 2011 16:31:49 +0200
Subject: [PATCH] modpost: Allow wildcards in the Module.supported file
Patch-mainline: Never, SLES feature
+References: none
Signed-off-by: Michal Marek <mmarek@suse.cz>
diff --git a/patches.suse/test_firmware-fix-a-memory-leak-bug.patch b/patches.suse/test_firmware-fix-a-memory-leak-bug.patch
new file mode 100644
index 0000000000..93cb35eb34
--- /dev/null
+++ b/patches.suse/test_firmware-fix-a-memory-leak-bug.patch
@@ -0,0 +1,48 @@
+From d4fddac5a51c378c5d3e68658816c37132611e1f Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Sun, 14 Jul 2019 01:11:35 -0500
+Subject: [PATCH] test_firmware: fix a memory leak bug
+Git-commit: d4fddac5a51c378c5d3e68658816c37132611e1f
+Patch-mainline: v5.3-rc2
+References: bsc#1051510
+
+In test_firmware_init(), the buffer pointed to by the global pointer
+'test_fw_config' is allocated through kzalloc(). Then, the buffer is
+initialized in __test_firmware_config_init(). In the case that the
+initialization fails, the following execution in test_firmware_init() needs
+to be terminated with an error code returned to indicate this failure.
+However, the allocated buffer is not freed on this execution path, leading
+to a memory leak bug.
+
+To fix the above issue, free the allocated buffer before returning from
+test_firmware_init().
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Link: https://lore.kernel.org/r/1563084696-6865-1-git-send-email-wang6495@umn.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ lib/test_firmware.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/test_firmware.c b/lib/test_firmware.c
+index 83ea6c4e623c..6ca97a63b3d6 100644
+--- a/lib/test_firmware.c
++++ b/lib/test_firmware.c
+@@ -886,8 +886,11 @@ static int __init test_firmware_init(void)
+ return -ENOMEM;
+
+ rc = __test_firmware_config_init();
+- if (rc)
++ if (rc) {
++ kfree(test_fw_config);
++ pr_err("could not init firmware test config: %d\n", rc);
+ return rc;
++ }
+
+ rc = misc_register(&test_fw_misc_device);
+ if (rc) {
+--
+2.16.4
+
diff --git a/patches.suse/usb-host-xhci-rcar-Fix-typo-in-compatible-string-mat.patch b/patches.suse/usb-host-xhci-rcar-Fix-typo-in-compatible-string-mat.patch
new file mode 100644
index 0000000000..d3964c43d5
--- /dev/null
+++ b/patches.suse/usb-host-xhci-rcar-Fix-typo-in-compatible-string-mat.patch
@@ -0,0 +1,40 @@
+From 636bd02a7ba9025ff851d0cfb92768c8fa865859 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 27 Aug 2019 14:51:12 +0200
+Subject: [PATCH] usb: host: xhci: rcar: Fix typo in compatible string matching
+Git-commit: 636bd02a7ba9025ff851d0cfb92768c8fa865859
+Patch-mainline: v5.3-rc7
+References: bsc#1051510
+
+It's spelled "renesas", not "renensas".
+
+Due to this typo, RZ/G1M and RZ/G1N were not covered by the check.
+
+Fixes: 2dc240a3308b ("usb: host: xhci: rcar: retire use of xhci_plat_type_is()")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://lore.kernel.org/r/20190827125112.12192-1-geert+renesas@glider.be
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/host/xhci-rcar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-rcar.c b/drivers/usb/host/xhci-rcar.c
+index 8616c52849c6..2b0ccd150209 100644
+--- a/drivers/usb/host/xhci-rcar.c
++++ b/drivers/usb/host/xhci-rcar.c
+@@ -104,7 +104,7 @@ static int xhci_rcar_is_gen2(struct device *dev)
+ return of_device_is_compatible(node, "renesas,xhci-r8a7790") ||
+ of_device_is_compatible(node, "renesas,xhci-r8a7791") ||
+ of_device_is_compatible(node, "renesas,xhci-r8a7793") ||
+- of_device_is_compatible(node, "renensas,rcar-gen2-xhci");
++ of_device_is_compatible(node, "renesas,rcar-gen2-xhci");
+ }
+
+ static int xhci_rcar_is_gen3(struct device *dev)
+--
+2.16.4
+
diff --git a/series.conf b/series.conf
index 744d201bc7..3918fa9d35 100644
--- a/series.conf
+++ b/series.conf
@@ -29104,6 +29104,7 @@
patches.suse/i2c-mv64xxx-Apply-errata-delay-only-in-standard-mode
patches.suse/0004-i2c-xlp9xx-Check-for-Bus-state-before-every-transfer.patch
patches.suse/0005-i2c-xlp9xx-Handle-NACK-on-DATA-properly.patch
+ patches.suse/i2c-qup-fixed-releasing-dma-without-flush-operation-.patch
patches.suse/0315-i2c-imx-use-clk-notifier-for-rate-changes.patch
patches.suse/0316-i2c-imx-avoid-taking-clk_prepare-mutex-in-PM-callbac.patch
patches.suse/0022-i2c-add-support-for-Socionext-SynQuacer-I2C-controll.patch
@@ -40812,6 +40813,8 @@
patches.suse/pinctrl-qcom-spmi-mpp-Fix-drive-strength-setting.patch
patches.suse/pinctrl-at91-pio4-fix-has_config-check-in-atmel_pctl.patch
patches.suse/pinctrl-qcom-spmi-mpp-Fix-err-handling-of-pmic_mpp_s.patch
+ patches.suse/gpio-pxa-handle-corner-case-of-unprobed-device.patch
+ patches.suse/gpio-mxs-Get-rid-of-external-API-call.patch
patches.suse/gpio-davinci-remove-unused-member-of-davinci_gpio_controller.patch
patches.suse/leds-pwm-silently-error-out-on-EPROBE_DEFER.patch
patches.suse/ipmi-fix-return-value-of-ipmi_set_my_LUN.patch
@@ -44854,6 +44857,7 @@
patches.suse/0005-mmc-sdhci-of-esdhc-fix-spelling-mistake-upsupported-.patch
patches.suse/0006-mmc-sdhci-of-esdhc-Fix-timeout-checks.patch
patches.suse/mmc-sdhci-xenon-Fix-timeout-checks.patch
+ patches.suse/scripts-decode_stacktrace-only-strip-base-path-when-.patch
patches.suse/0001-mm-print-more-information-about-mapping-in-__dump_pa.patch
patches.suse/0002-mm-lower-the-printk-loglevel-for-__dump_page-message.patch
patches.suse/0003-mm-memory_hotplug-drop-pointless-block-alignment-che.patch
@@ -44977,6 +44981,7 @@
patches.suse/pinctrl-freescale-break-dependency-on-soc_imx8mq-for-i-mx8mq.patch
patches.suse/rtc-m41t80-Correct-alarm-month-range-with-RTC-reads.patch
patches.suse/0001-dt-bindings-rtc-sun6i-rtc-Fix-register-range-in-exam.patch
+ patches.suse/rtc-pcf8523-don-t-return-invalid-date-when-battery-i.patch
patches.suse/dmaengine-dw-dmac-implement-dma-protection-control-s.patch
patches.suse/dmaengine-xilinx_dma-Remove-__aligned-attribute-on-z.patch
patches.suse/revert-iommu-io-pgtable-arm-check-for-v7s-incapable-systems
@@ -45068,6 +45073,7 @@
patches.suse/ALSA-hda-realtek-Enable-the-headset-mic-auto-detecti.patch
patches.suse/ALSA-hda-tegra-clear-pending-irq-handlers.patch
patches.suse/proc-sysctl-fix-return-error-for-proc_doulongvec_min.patch
+ patches.suse/scripts-gdb-fix-lx-version-string-output.patch
patches.suse/mm-speed-up-mremap-by-20x-on-large-regions.patch
patches.suse/ARM-8808-1-kexec-offline-panic_smp_self_stop-CPU.patch
patches.suse/arm64-add-basic-kconfig-symbols-for-i-mx8.patch
@@ -45514,6 +45520,7 @@
patches.suse/serial-fix-race-between-flush_to_ldisc-and-tty_open.patch
patches.suse/iio-chemical-atlas-ph-sensor-correct-IIO_TEMP-values.patch
patches.suse/debugfs-fix-debugfs_rename-parameter-checking.patch
+ patches.suse/samples-mei-use-dev-mei0-instead-of-dev-mei.patch
patches.suse/0001-fpga-stratix10-soc-fix-wrong-of_node_put-in-init-fun.patch
patches.suse/ucc_geth-Reset-BQL-queue-when-stopping-device.patch
patches.suse/virtio_net-Don-t-enable-NAPI-when-interface-is-down.patch
@@ -46998,6 +47005,7 @@
patches.suse/nvmet-fix-building-bvec-from-sg-list.patch
patches.suse/kbuild-strip-whitespace-in-cmd_record_mcount-findstr.patch
patches.suse/kbuild-modversions-Fix-relative-CRC-byte-order-inter.patch
+ patches.suse/kconfig-mn-conf-handle-backspace-H-key.patch
patches.suse/ALSA-rawmidi-Fix-potential-Spectre-v1-vulnerability.patch
patches.suse/ALSA-seq-oss-Fix-Spectre-v1-vulnerability.patch
patches.suse/ALSA-hda-realtek-Enable-headset-MIC-of-Acer-Aspire-Z.patch
@@ -48656,6 +48664,7 @@
patches.suse/net-mvpp2-Use-strscpy-to-handle-stat-strings.patch
patches.suse/pktgen-do-not-sleep-with-the-thread-lock-held.patch
patches.suse/x86-insn-eval-Fix-use-after-free-access-to-LDT-entry.patch
+ patches.suse/scripts-checkstack.pl-Fix-arm64-wrong-or-unknown-arc.patch
patches.suse/hwmon-core-add-thermal-sensors-only-if-dev-of_node-i.patch
patches.suse/hwmon-pmbus-core-Treat-parameters-as-paged-if-on-mul.patch
patches.suse/drm-i915-icl-Add-WaDisableBankHangMode.patch
@@ -48696,6 +48705,7 @@
patches.suse/Revert-ALSA-hda-realtek-Improve-the-headset-mic-for-.patch
patches.suse/iommu-arm-smmu-avoid-constant-zero-in-tlbi-writes
patches.suse/mm-list_lru-c-fix-memory-leak-in-_memcg_init_list_lru_node.patch
+ patches.suse/scripts-decode_stacktrace.sh-prefix-addr2line-with-C.patch
patches.suse/mm-mlock-c-mlockall-error-for-flag-mcl_onfault.patch
patches.suse/fs-ocfs2-fix-race-in-ocfs2_dentry_attach_lock.patch
patches.suse/mm-mlock-c-change-count_mm_mlocked_page_nr-return-type.patch
@@ -48743,8 +48753,10 @@
patches.suse/0001-mwifiex-Abort-at-too-short-BSS-descriptor-element.patch
patches.suse/iwlwifi-Fix-double-free-problems-in-iwl_req_fw_callb.patch
patches.suse/0001-mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch
+ patches.suse/samples-bpf-fix-to-change-the-buffer-size-for-read.patch
patches.suse/bpf-sockmap-fix-use-after-free-from-sleep-in-psock-b.patch
patches.suse/ipv6-flowlabel-fl6_sock_lookup-must-use-atomic_inc_n.patch
+ patches.suse/mpls-fix-warning-with-multi-label-encap.patch
patches.suse/can-flexcan-fix-timeout-when-set-small-bitrate.patch
patches.suse/can-mcp251x-add-support-for-mcp25625.patch
patches.suse/can-m_can-implement-errata-Needless-activation-of-MR.patch
@@ -48903,6 +48915,7 @@
patches.suse/x86-umwait-Add-sysfs-interface-to-control-umwait-C0..patch
patches.suse/x86-umwait-Add-sysfs-interface-to-control-umwait-max.patch
patches.suse/Documentation-ABI-Document-umwait-control-sysfs-inte.patch
+ patches.suse/0001-x86-ptrace-Fix-possible-spectre-v1-in-ptrace_get_deb.patch
patches.suse/proc-add-proc-pid-arch_status
patches.suse/x86-process-add-avx-512-usage-elapsed-time-to-proc-pid-arch_status
patches.suse/documentation-filesystems-proc-txt-add-arch_status-file
@@ -49546,6 +49559,7 @@
patches.suse/usb-pci-quirks-Correct-AMD-PLL-quirk-detection.patch
patches.suse/usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch
patches.suse/hpet-Fix-division-by-zero-in-hpet_time_div.patch
+ patches.suse/test_firmware-fix-a-memory-leak-bug.patch
patches.suse/tracing-fix-header-include-guards-in-trace-event-headers.patch
patches.suse/hci_uart-check-for-missing-tty-operations.patch
patches.suse/0012-gpiolib-fix-incorrect-IRQ-requesting-of-an-active-lo.patch
@@ -49578,11 +49592,13 @@
patches.suse/coredump-split-pipe-command-whitespace-before-expand.patch
patches.suse/mm-migrate-c-initialize-pud_entry-in-migrate_vma.patch
patches.suse/powerpc-nvdimm-Pick-nearby-online-node-if-the-device.patch
+ patches.suse/HID-Add-044f-b320-ThrustMaster-Inc.-2-in-1-DT.patch
patches.suse/0013-HID-wacom-fix-bit-shift-for-Cintiq-Companion-2.patch
patches.suse/HID-holtek-test-for-sanity-of-intfdata.patch
patches.suse/HID-Add-quirk-for-HP-X1200-PIXART-OEM-mouse.patch
patches.suse/hid-input-fix-a4tech-horizontal-wheel-custom-usage.patch
patches.suse/HID-hiddev-avoid-opening-a-disconnected-device.patch
+ patches.suse/HID-hiddev-do-cleanup-in-failure-of-opening-a-device.patch
patches.suse/HID-sony-Fix-race-condition-between-rumble-and-devic.patch
patches.suse/bonding-Force-slave-speed-check-after-link-state-rec.patch
patches.suse/net-mvpp2-Don-t-check-for-3-consecutive-Idle-frames-.patch
@@ -49599,15 +49615,19 @@
patches.suse/bpf-sockmap-synchronize_rcu-before-free-ing-map.patch
patches.suse/bpf-sockmap-only-create-entry-if-ulp-is-not-already-.patch
patches.suse/net-mlx5-Fix-modify_cq_in-alignment.patch
+ patches.suse/isdn-mISDN-hfcsusb-Fix-possible-null-pointer-derefer.patch
patches.suse/net-phylink-Fix-flow-control-for-fixed-link.patch
patches.suse/compat_ioctl-pppoe-fix-PPPOEIOCSFWD-handling.patch
patches.suse/mlxsw-spectrum-Fix-error-path-in-mlxsw_sp_module_ini.patch
patches.suse/nl-mac-80211-fix-interface-combinations-on-crypto-co.patch
patches.suse/mac80211-don-t-WARN-on-short-WMM-parameters-from-AP.patch
patches.suse/mac80211_hwsim-Fix-possible-null-pointer-dereference.patch
+ patches.suse/isdn-hfcsusb-Fix-mISDN-driver-crash-caused-by-transf.patch
patches.suse/net-usb-pegasus-fix-improper-read-if-get_registers-f.patch
patches.suse/net-mlx5e-always-initialize-frag-last_in_page.patch
patches.suse/net-fix-bpf_xdp_adjust_head-regression-for-generic-X.patch
+ patches.suse/can-sja1000-force-the-string-buffer-NULL-terminated.patch
+ patches.suse/can-peak_usb-force-the-string-buffer-NULL-terminated.patch
patches.suse/0005-can-peak_usb-pcan_usb_fd-Fix-info-leaks-to-USB-devic.patch
patches.suse/0006-can-peak_usb-pcan_usb_pro-Fix-info-leaks-to-USB-devi.patch
patches.suse/mwifiex-fix-802.11n-WPA-detection.patch
@@ -49634,6 +49654,8 @@
patches.suse/ALSA-firewire-fix-a-memory-leak-bug.patch
patches.suse/mmc-cavium-Set-the-correct-dma-max-segment-size-for-.patch
patches.suse/mmc-cavium-Add-the-missing-dma-unmap-when-the-dma-ha.patch
+ patches.suse/libata-have-ata_scsi_rw_xlat-fail-invalid-passthroug.patch
+ patches.suse/libata-add-SG-safety-checks-in-SFF-pio-transfers.patch
patches.suse/loop-set-PF_MEMALLOC_NOIO-for-the-worker-thread.patch
patches.suse/bcache-Revert-bcache-use-sysfs_match_string-instead-.patch
patches.suse/drm-vmwgfx-fix-memory-leak-when-too-many-retries-hav.patch
@@ -49708,11 +49730,14 @@
patches.suse/dm-btree-fix-order-of-block-initialization-in-btree_.patch
patches.suse/dm-space-map-metadata-fix-missing-store-of-apply_bop.patch
patches.suse/dm-table-fix-invalid-memory-accesses-with-too-high-s.patch
+ patches.suse/drm-nouveau-Don-t-retry-infinitely-when-receiving-no.patch
patches.suse/xfs-fix-missing-ILOCK-unlock-when-xfs_setattr_nonsiz.patch
patches.suse/scsi-ufs-fix-null-pointer-dereference-in-ufshcd_config_vreg_hpm
patches.suse/gpiolib-never-report-open-drain-source-lines-as-inpu.patch
patches.suse/gpio-Fix-build-error-of-function-redefinition.patch
patches.suse/mm-page_owner-handle-thp-splits-correctly.patch
+ patches.suse/mac80211-fix-possible-sta-leak.patch
+ patches.suse/batman-adv-fix-uninit-value-in-batadv_netlink_get_if.patch
patches.suse/ALSA-hda-Fixes-inverted-Conexant-GPIO-mic-mute-led.patch
patches.suse/ALSA-usb-audio-Add-implicit-fb-quirk-for-Behringer-U.patch
patches.suse/ALSA-hda-ca0132-Add-new-SBZ-quirk.patch
@@ -49720,10 +49745,16 @@
patches.suse/ALSA-line6-Fix-memory-leak-at-line6_init_pcm-error-p.patch
patches.suse/ALSA-usb-audio-Check-mixer-unit-bitmap-yet-more-stri.patch
patches.suse/ALSA-seq-Fix-potential-concurrent-access-to-the-dele.patch
+ patches.suse/mmc-sdhci-of-at91-add-quirk-for-broken-HS200.patch
patches.suse/crypto-ccp-Ignore-unconfigured-CCP-device-on-suspend.patch
patches.suse/kvm-x86-don-t-update-rip-or-do-single-step-on-faulting-emulation
patches.suse/mac80211-Don-t-memset-RXCB-prior-to-PAE-intercept.patch
patches.suse/mac80211-Correctly-set-noencrypt-for-PAE-frames.patch
+ patches.suse/batman-adv-Only-read-OGM-tvlv_len-after-buffer-len-c.patch
+ patches.suse/batman-adv-Only-read-OGM2-tvlv_len-after-buffer-len-.patch
+ patches.suse/usb-host-xhci-rcar-Fix-typo-in-compatible-string-mat.patch
+ patches.suse/USB-cdc-wdm-fix-race-between-write-and-disconnect-du.patch
+ patches.suse/VMCI-Release-resource-if-the-work-is-already-queued.patch
# jejb/scsi for-next
patches.suse/scsi-cxlflash-Mark-expected-switch-fall-throughs.patch