authorKernel Build Daemon <kbuild@suse.de>2019-08-21 07:11:03 +0200
committerKernel Build Daemon <kbuild@suse.de>2019-08-21 07:11:03 +0200
commit53d3f7775de3761c2413ccd4d59c5c4b01005f9a (patch)
tree92257c6d21c1e4d4b89537dc30a117dd96a6cf53
parent7fd612fb31bba157d551e380b20b3d18fcd6a1f1 (diff)
parent81777d6aa92760ae90507a076b4035fc0d4862a8 (diff)
Merge branch 'SLE12-SP5' into SLE12-SP5-AZURE
-rw-r--r--blacklist.conf4
-rw-r--r--kabi/severities89
-rw-r--r--patches.arch/cpu-speculation-warn-on-unsupported-mitigations-parameter.patch48
-rw-r--r--patches.arch/kvm-x86-fix-backward-migration-with-async_pf97
-rw-r--r--patches.arch/x86-boot-fix-memory-leak-in-default_get_smp_config.patch60
-rw-r--r--patches.arch/x86-speculation-allow-guests-to-use-ssbd-even-if-host-does-not.patch71
-rw-r--r--patches.arch/x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch42
-rw-r--r--patches.drivers/ALSA-hda-Add-a-generic-reboot_notify.patch123
-rw-r--r--patches.drivers/ALSA-hda-Apply-workaround-for-another-AMD-chip-1022-.patch37
-rw-r--r--patches.drivers/ALSA-hda-Fix-a-memory-leak-bug.patch39
-rw-r--r--patches.drivers/ALSA-hda-Let-all-conexant-codec-enter-D3-when-reboot.patch50
-rw-r--r--patches.drivers/HID-sony-Fix-race-condition-between-rumble-and-devic.patch83
-rw-r--r--patches.drivers/Input-synaptics-enable-RMI-mode-for-HP-Spectre-X360.patch37
-rw-r--r--patches.drivers/drivers-pps-pps.c-clear-offset-flags-in-PPS_SETPARAM.patch54
-rw-r--r--patches.drivers/i2c-core-smbus-prevent-stack-corruption-on-read-I2C_.patch71
-rw-r--r--patches.drivers/iio-adc-max9611-Fix-misuse-of-GENMASK-macro.patch36
-rw-r--r--patches.drivers/iommu-dma-handle-sg-length-overflow-better42
-rw-r--r--patches.drivers/usb-usbfs-fix-double-free-of-usb-memory-upon-submitu.patch39
-rw-r--r--patches.drm/drm-silence-variable-conn-set-but-not-used.patch38
-rw-r--r--patches.fixes/0001-xfrm-Fix-NULL-pointer-dereference-when-skb_dst_force.patch61
-rw-r--r--patches.fixes/0002-xfrm-Fix-error-return-code-in-xfrm_output_one.patch37
-rw-r--r--patches.fixes/0003-xfrm-Fix-NULL-pointer-dereference-in-xfrm_input-when.patch61
-rw-r--r--patches.fixes/0004-xfrm-Fix-bucket-count-reported-to-userspace.patch36
-rw-r--r--patches.fixes/crypto-ccp-Add-support-for-valid-authsize-values-les.patch139
-rw-r--r--patches.fixes/crypto-ccp-Fix-3DES-complaint-from-ccp-crypto-module.patch12
-rw-r--r--patches.fixes/crypto-ccp-Validate-buffer-lengths-for-copy-operatio.patch263
-rw-r--r--patches.fixes/crypto-ccp-gcm-use-const-time-tag-comparison.patch4
-rw-r--r--patches.fixes/mac80211-don-t-WARN-on-short-WMM-parameters-from-AP.patch52
-rw-r--r--patches.fixes/mac80211-don-t-warn-about-CW-params-when-not-using-t.patch54
-rw-r--r--patches.suse/btrfs-add-missing-inode-version-ctime-and-mtime-upda.patch44
-rw-r--r--patches.suse/btrfs-fix-data-loss-after-inode-eviction-renaming-it.patch112
-rw-r--r--patches.suse/btrfs-fix-fsync-not-persisting-dentry-deletions-due-.patch135
-rw-r--r--patches.suse/btrfs-fix-incremental-send-failure-after-deduplicati.patch181
-rw-r--r--patches.suse/btrfs-fix-race-leading-to-fs-corruption-after-transa.patch144
-rw-r--r--series.conf30
-rw-r--r--supported.conf16
36 files changed, 2335 insertions, 106 deletions
diff --git a/blacklist.conf b/blacklist.conf
index 8a0c02e4c1..16628bc30e 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -163,6 +163,7 @@ CVE-2018-16880 # bsc#1122767, needed only for SLE15-SP1+
CVE-2019-9003 # bsc#1126704, needed only for SLE15-SP1+
CVE-2019-11811 # bsc#1134397, needed only for SLE15-SP1+
CVE-2019-12817 # bsc#1138263, bsc#1139619, needed only for SLE15-SP1+
+CVE-2019-13233 # bsc#1140454, needed only for SLE15-SP1+
# Blacklisted Commits
# -------------------
@@ -680,7 +681,6 @@ a158531f3c92467df0e93e000d58185acae78a6e # gpio: inapplicable
6de0b13cc0b4ba10e98a9263d7a83b940720b77a # HID: kABI
3064a03b94e60388f0955fcc29f3e8a978d28f75 # HID: kABI
2e210bbb7429cdcf1a1a3ad00c1bf98bd9bf2452 # HID: kABI
-89c6efa61f5709327ecfa24bff18e57a4e80c7fa # i2c: core-smbus: inapplicable
771b7bf05339081019d22452ebcab6929372e13e # i2c: i2c-stm32f7: inapplicable
4fb840c95f82652cece7352be9080884cafb92a0 # iio: adc: stm32: inapplicable
dd92d5ea20ef8a42be7aeda08c669c586c730451 # iio: multiplexer: inapplicable
@@ -1288,3 +1288,5 @@ fe60522ec60082a1dd735691b82c64f65d4ad15e # not needed (bsc#1088804)
3e3ebed3fef4878e6f1680ff98088db1a9688831 # config-only fix
d065ee93aab6ef4c2a5af5c455b5044bd5136547 # config-only fix
2b874a5c7b75fdc90fdd1e2ffaa3ec5a9d21e253 # config-only fix
+1e1c50a929bc9e49bc3f9935b92450d9e69f8158 # affects only single core-machines
+c2d1b3aae33605a61cbab445d8ae1c708ccd2698 # effectively reverted in upstream
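Review bot: The two entries added at the end of blacklist.conf carry only a short reason (`affects only single core-machines`, `effectively reverted in upstream`) with no subsystem prefix or bug number, so a later reader cannot tell what the skipped commits fix without looking each hash up. If 1e1c50a929bc is a correctness or security fix, single-CPU systems (one-vCPU guests included) would presumably stay affected on this branch, which is worth confirming since the merge target is the AZURE flavour. Suggest the form used further up in the file, e.g. `<hash> # <subsystem>: affects only single-core machines (bsc#<ID>)`.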
diff --git a/kabi/severities b/kabi/severities
deleted file mode 100644
index e02df97345..0000000000
--- a/kabi/severities
+++ /dev/null
@@ -1,89 +0,0 @@
-# KABI rules for symbols and modules
-#
-# A matching line with PASS allows kabi changes for given modules or symbols,
-# FAIL causes an error. The first matching line is considered, the default is
-# FAIL if no match is found.
-#
-# A pattern that contains slashes is matched against the module name a given
-# symbol is exported from. The special pattern "vmlinux" matches built-in
-# symbols. All other patterns match against symbol names.
-
-drivers/staging/* PASS
-
-klp_*_patch PASS
-klp_shadow_* PASS
-
-kvm_x86_ops FAIL
-arch/x86/kvm/* PASS
-
-arch/powerpc/kvm/* PASS
-arch/x86/kvm/* PASS
-kvmppc_* PASS
-__xive_vm_h_* PASS
-realmode_pfn_to_page PASS
-iommu_tce_xchg_rm PASS
-mm_iommu_lookup_rm PASS
-mm_iommu_ua_to_hpa_rm PASS
-mm_iommu_ua_to_hpa_shift_rm PASS
-
-# only inter-module local symbols
-drivers/gpu/drm/meson/* PASS
-
-# qed inter-module local symbols
-drivers/net/ethernet/qlogic/qed/* PASS
-drivers/net/ethernet/qlogic/qede/* PASS
-drivers/infiniband/hw/qede/* PASS
-drivers/scsi/qedf/* PASS
-drivers/scsi/qedi/* PASS
-include/linux/qed/* PASS
-drivers/scsi/hisi_sas/* PASS
-
-# qla2xxx only has local symbols
-drivers/scsi/qla2xxx/* PASS
-
-# only inter-module local symbols
-drivers/nvdimm/* PASS
-
-# IBM Z internal symbols
-# Cf. bsc#894391 / LTC#115441 and bsc#1134730 / LTC#173388
-arch/s390/* PASS
-drivers/s390/* PASS
-net/iucv/* PASS
-airq_iv_* PASS
-ccw_device_* PASS
-ccw_driver_* PASS
-get_ccwdev_* PASS
-zpci_* PASS
-register_adapter_interrupt PASS
-unregister_adapter_interrupt PASS
-enable_cmf PASS
-disable_cmf PASS
-cmf_read PASS
-cmf_readall PASS
-sclp PASS
-
-# nobody cares bcache symbols
-drivers/md/bcache/* PASS
-
-# ceph-related modules
-net/ceph/libceph PASS
-drivers/block/rbd PASS
-fs/ceph PASS
-
-# intermodule syms shared between cxgb4 and cxgb4vf
-drivers/net/ethernet/chelsio/cxgb4/* PASS
-drivers/net/ethernet/chelsio/cxgb4vf/* PASS
-drivers/net/ethernet/chelsio/libcxgb/* PASS
-
-# inter-module symbols for qed/qede/qedf/qedi/qedr
-drivers/net/ethernet/qlogic/qed/* PASS
-drivers/net/ethernet/qlogic/qede/* PASS
-drivers/scsi/qedf/* PASS
-drivers/scsi/qedi/* PASS
-drivers/infiniband/hw/qedr/* PASS
-
-# inter-module symbols for hns3
-drivers/net/ethernet/hisilicon/hns3/* PASS
-drivers/net/ethernet/hisilicon/hns3/hns3pf/* PASS
-drivers/net/ethernet/hisilicon/hns3/hns3vf/* PASS
-drivers/infiniband/hw/hns/* PASS
diff --git a/patches.arch/cpu-speculation-warn-on-unsupported-mitigations-parameter.patch b/patches.arch/cpu-speculation-warn-on-unsupported-mitigations-parameter.patch
new file mode 100644
index 0000000000..f0fa424a0e
--- /dev/null
+++ b/patches.arch/cpu-speculation-warn-on-unsupported-mitigations-parameter.patch
@@ -0,0 +1,48 @@
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Thu, 16 May 2019 09:09:35 +0200
+Subject: cpu/speculation: Warn on unsupported mitigations= parameter
+Git-commit: 1bf72720281770162c87990697eae1ba2f1d917a
+Patch-mainline: v5.2-rc7
+References: bsc#1114279
+
+Currently, if the user specifies an unsupported mitigation strategy on the
+kernel command line, it will be ignored silently. The code will fall back
+to the default strategy, possibly leaving the system more vulnerable than
+expected.
+
+This may happen due to e.g. a simple typo, or, for a stable kernel release,
+because not all mitigation strategies have been backported.
+
+Inform the user by printing a message.
+
+Fixes: 98af8452945c5565 ("cpu/speculation: Add 'mitigations=' cmdline option")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Jiri Kosina <jkosina@suse.cz>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190516070935.22546-1-geert@linux-m68k.org
+
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ kernel/cpu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/cpu.c b/kernel/cpu.c
+index 077fde6fb953..551db494f153 100644
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -2339,6 +2339,9 @@ static int __init mitigations_parse_cmdline(char *arg)
+ cpu_mitigations = CPU_MITIGATIONS_AUTO;
+ else if (!strcmp(arg, "auto,nosmt"))
+ cpu_mitigations = CPU_MITIGATIONS_AUTO_NOSMT;
++ else
++ pr_crit("Unsupported mitigations=%s, system may still be vulnerable\n",
++ arg);
+
+ return 0;
+ }
+
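Review bot: The `pr_crit()` added in the final `else` of mitigations_parse_cmdline() tells the operator that the value was rejected, but not which mode the kernel ends up running with. The function still returns 0, and per the description the code falls back to the default strategy. Naming the fallback would make the log line actionable on a stable branch where only some modes are backported, for example `pr_crit("Unsupported mitigations=%s, using default; system may still be vulnerable\n", arg);`. The start of the function, including the initial value of `cpu_mitigations`, is outside this hunk.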
diff --git a/patches.arch/kvm-x86-fix-backward-migration-with-async_pf b/patches.arch/kvm-x86-fix-backward-migration-with-async_pf
new file mode 100644
index 0000000000..66a9b49970
--- /dev/null
+++ b/patches.arch/kvm-x86-fix-backward-migration-with-async_pf
@@ -0,0 +1,97 @@
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Thu, 1 Feb 2018 22:16:21 +0100
+Subject: KVM: x86: fix backward migration with async_PF
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: fe2a3027e74e40a3ece3a4c1e4e51403090a907a
+Patch-mainline: v4.16-rc4
+References: bsc#1146074
+
+Guests on new hypersiors might set KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT
+bit when enabling async_PF, but this bit is reserved on old hypervisors,
+which results in a failure upon migration.
+
+To avoid breaking different cases, we are checking for CPUID feature bit
+before enabling the feature and nothing else.
+
+Fixes: 52a5c155cf79 ("KVM: async_pf: Let guest support delivery of async_pf from guest mode")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Wanpeng Li <wanpengli@tencent.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ Documentation/virtual/kvm/cpuid.txt | 4 ++++
+ Documentation/virtual/kvm/msr.txt | 3 ++-
+ arch/x86/include/uapi/asm/kvm_para.h | 1 +
+ arch/x86/kernel/kvm.c | 8 ++++----
+ arch/x86/kvm/cpuid.c | 3 ++-
+ 5 files changed, 13 insertions(+), 6 deletions(-)
+
+--- a/Documentation/virtual/kvm/cpuid.txt
++++ b/Documentation/virtual/kvm/cpuid.txt
+@@ -54,6 +54,10 @@ KVM_FEATURE_PV_UNHALT ||
+ || || before enabling paravirtualized
+ || || spinlock support.
+ ------------------------------------------------------------------------------
++KVM_FEATURE_ASYNC_PF_VMEXIT || 10 || paravirtualized async PF VM exit
++ || || can be enabled by setting bit 2
++ || || when writing to msr 0x4b564d02
++------------------------------------------------------------------------------
+ KVM_FEATURE_CLOCKSOURCE_STABLE_BIT || 24 || host will warn if no guest-side
+ || || per-cpu warps are expected in
+ || || kvmclock.
+--- a/Documentation/virtual/kvm/msr.txt
++++ b/Documentation/virtual/kvm/msr.txt
+@@ -170,7 +170,8 @@ MSR_KVM_ASYNC_PF_EN: 0x4b564d02
+ when asynchronous page faults are enabled on the vcpu 0 when
+ disabled. Bit 1 is 1 if asynchronous page faults can be injected
+ when vcpu is in cpl == 0. Bit 2 is 1 if asynchronous page faults
+- are delivered to L1 as #PF vmexits.
++ are delivered to L1 as #PF vmexits. Bit 2 can be set only if
++ KVM_FEATURE_ASYNC_PF_VMEXIT is present in CPUID.
+
+ First 4 byte of 64 byte memory location will be written to by
+ the hypervisor at the time of asynchronous page fault (APF)
+--- a/arch/x86/include/uapi/asm/kvm_para.h
++++ b/arch/x86/include/uapi/asm/kvm_para.h
+@@ -24,6 +24,7 @@
+ #define KVM_FEATURE_STEAL_TIME 5
+ #define KVM_FEATURE_PV_EOI 6
+ #define KVM_FEATURE_PV_UNHALT 7
++#define KVM_FEATURE_ASYNC_PF_VMEXIT 10
+
+ /* The last 8 bits are used to indicate how to interpret the flags field
+ * in pvclock structure. If no bits are set, all flags are ignored.
+--- a/arch/x86/kernel/kvm.c
++++ b/arch/x86/kernel/kvm.c
+@@ -341,10 +341,10 @@ static void kvm_guest_cpu_init(void)
+ #endif
+ pa |= KVM_ASYNC_PF_ENABLED;
+
+- /* Async page fault support for L1 hypervisor is optional */
+- if (wrmsr_safe(MSR_KVM_ASYNC_PF_EN,
+- (pa | KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT) & 0xffffffff, pa >> 32) < 0)
+- wrmsrl(MSR_KVM_ASYNC_PF_EN, pa);
++ if (kvm_para_has_feature(KVM_FEATURE_ASYNC_PF_VMEXIT))
++ pa |= KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT;
++
++ wrmsrl(MSR_KVM_ASYNC_PF_EN, pa);
+ __this_cpu_write(apf_reason.enabled, 1);
+ printk(KERN_INFO"KVM setup async PF for cpu %d\n",
+ smp_processor_id());
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -597,7 +597,8 @@ static inline int __do_cpuid_ent(struct
+ (1 << KVM_FEATURE_ASYNC_PF) |
+ (1 << KVM_FEATURE_PV_EOI) |
+ (1 << KVM_FEATURE_CLOCKSOURCE_STABLE_BIT) |
+- (1 << KVM_FEATURE_PV_UNHALT);
++ (1 << KVM_FEATURE_PV_UNHALT) |
++ (1 << KVM_FEATURE_ASYNC_PF_VMEXIT);
+
+ if (sched_info_on())
+ entry->eax |= (1 << KVM_FEATURE_STEAL_TIME);
+
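Review bot: The msr.txt text added here says bit 2 of MSR_KVM_ASYNC_PF_EN "can be set only if KVM_FEATURE_ASYNC_PF_VMEXIT is present in CPUID", but the only check this patch adds is on the guest side in kvm_guest_cpu_init(). No hunk touches the host's handler for that MSR, so whether the host rejects bit 2 from a guest that was not offered the feature cannot be seen from here. The guest path also moves from `wrmsr_safe()` with a fallback to a plain `wrmsrl()`, so it now depends entirely on the CPUID bit being accurate. If the host is meant to stay permissive, the documentation could say so, e.g. `Guests must check KVM_FEATURE_ASYNC_PF_VMEXIT before setting bit 2; older hosts treat the bit as reserved.` Separately, this patch file is added without the `.patch` suffix that the other new files carry.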
diff --git a/patches.arch/x86-boot-fix-memory-leak-in-default_get_smp_config.patch b/patches.arch/x86-boot-fix-memory-leak-in-default_get_smp_config.patch
new file mode 100644
index 0000000000..c2700d86e5
--- /dev/null
+++ b/patches.arch/x86-boot-fix-memory-leak-in-default_get_smp_config.patch
@@ -0,0 +1,60 @@
+From: David Rientjes <rientjes@google.com>
+Date: Tue, 9 Jul 2019 19:44:03 -0700
+Subject: x86/boot: Fix memory leak in default_get_smp_config()
+Git-commit: e74bd96989dd42a51a73eddb4a5510a6f5e42ac3
+Patch-mainline: v5.3-rc1
+References: bsc#1114279
+
+When default_get_smp_config() is called with early == 1 and mpf->feature1
+is non-zero, mpf is leaked because the return path does not do
+early_memunmap().
+
+Fix this and share a common exit routine.
+
+Fixes: 5997efb96756 ("x86/boot: Use memremap() to map the MPF and MPC data")
+Reported-by: Cfir Cohen <cfir@google.com>
+Signed-off-by: David Rientjes <rientjes@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1907091942570.28240@chino.kir.corp.google.com
+
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/kernel/mpparse.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/kernel/mpparse.c b/arch/x86/kernel/mpparse.c
+index 1bfe5c6e6cfe..afac7ccce72f 100644
+--- a/arch/x86/kernel/mpparse.c
++++ b/arch/x86/kernel/mpparse.c
+@@ -546,17 +546,15 @@ void __init default_get_smp_config(unsigned int early)
+ * local APIC has default address
+ */
+ mp_lapic_addr = APIC_DEFAULT_PHYS_BASE;
+- return;
++ goto out;
+ }
+
+ pr_info("Default MP configuration #%d\n", mpf->feature1);
+ construct_default_ISA_mptable(mpf->feature1);
+
+ } else if (mpf->physptr) {
+- if (check_physptr(mpf, early)) {
+- early_memunmap(mpf, sizeof(*mpf));
+- return;
+- }
++ if (check_physptr(mpf, early))
++ goto out;
+ } else
+ BUG();
+
+@@ -565,7 +563,7 @@ void __init default_get_smp_config(unsigned int early)
+ /*
+ * Only use the first configuration found.
+ */
+-
++out:
+ early_memunmap(mpf, sizeof(*mpf));
+ }
+
+
diff --git a/patches.arch/x86-speculation-allow-guests-to-use-ssbd-even-if-host-does-not.patch b/patches.arch/x86-speculation-allow-guests-to-use-ssbd-even-if-host-does-not.patch
new file mode 100644
index 0000000000..eba44ed109
--- /dev/null
+++ b/patches.arch/x86-speculation-allow-guests-to-use-ssbd-even-if-host-does-not.patch
@@ -0,0 +1,71 @@
+From: Alejandro Jimenez <alejandro.j.jimenez@oracle.com>
+Date: Mon, 10 Jun 2019 13:20:10 -0400
+Subject: x86/speculation: Allow guests to use SSBD even if host does not
+Git-commit: c1f7fec1eb6a2c86d01bc22afce772c743451d88
+Patch-mainline: v5.2-rc7
+References: bsc#1114279
+
+The bits set in x86_spec_ctrl_mask are used to calculate the guest's value
+of SPEC_CTRL that is written to the MSR before VMENTRY, and control which
+mitigations the guest can enable. In the case of SSBD, unless the host has
+enabled SSBD always on mode (by passing "spec_store_bypass_disable=on" in
+the kernel parameters), the SSBD bit is not set in the mask and the guest
+can not properly enable the SSBD always on mitigation mode.
+
+This has been confirmed by running the SSBD PoC on a guest using the SSBD
+always on mitigation mode (booted with kernel parameter
+"spec_store_bypass_disable=on"), and verifying that the guest is vulnerable
+unless the host is also using SSBD always on mode. In addition, the guest
+OS incorrectly reports the SSB vulnerability as mitigated.
+
+Always set the SSBD bit in x86_spec_ctrl_mask when the host CPU supports
+it, allowing the guest to use SSBD whether or not the host has chosen to
+enable the mitigation in any of its modes.
+
+Fixes: be6fcb5478e9 ("x86/bugs: Rework spec_ctrl base and mask logic")
+Signed-off-by: Alejandro Jimenez <alejandro.j.jimenez@oracle.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
+Reviewed-by: Mark Kanda <mark.kanda@oracle.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: bp@alien8.de
+Cc: rkrcmar@redhat.com
+Cc: kvm@vger.kernel.org
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1560187210-11054-1-git-send-email-alejandro.j.jimenez@oracle.com
+
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/kernel/cpu/bugs.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 03b4cc0ec3a7..66ca906aa790 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -835,6 +835,16 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void)
+ break;
+ }
+
++ /*
++ * If SSBD is controlled by the SPEC_CTRL MSR, then set the proper
++ * bit in the mask to allow guests to use the mitigation even in the
++ * case where the host does not enable it.
++ */
++ if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) ||
++ static_cpu_has(X86_FEATURE_AMD_SSBD)) {
++ x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
++ }
++
+ /*
+ * We have three CPU feature flags that are in play here:
+ * - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible.
+@@ -852,7 +862,6 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void)
+ x86_amd_ssb_disable();
+ } else {
+ x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
+- x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
+ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
+ }
+ }
+
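Review bot: The block that sets `SPEC_CTRL_SSBD` in `x86_spec_ctrl_mask` is placed after the `switch` in __ssb_select_mitigation(), so it takes effect only on paths that reach that point. The start of the function is outside this hunk, and if it returns early for some hosts the mask bit would stay clear there and guests would still be unable to enable SSBD. Worth confirming that any such early exit covers only CPUs without SSBD support, and recording the intent in the new comment, e.g. `The guest mask must not depend on the mitigation mode the host selects.`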
diff --git a/patches.arch/x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch b/patches.arch/x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch
new file mode 100644
index 0000000000..05bc51dfe5
--- /dev/null
+++ b/patches.arch/x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch
@@ -0,0 +1,42 @@
+From: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+Date: Thu, 25 Jul 2019 10:39:09 +0800
+Subject: x86/speculation/mds: Apply more accurate check on hypervisor platform
+Git-commit: 517c3ba00916383af6411aec99442c307c23f684
+Patch-mainline: v5.3-rc2
+References: bsc#1114279
+
+X86_HYPER_NATIVE isn't accurate for checking if running on native platform,
+e.g. CONFIG_HYPERVISOR_GUEST isn't set or "nopv" is enabled.
+
+Checking the CPU feature bit X86_FEATURE_HYPERVISOR to determine if it's
+running on native platform is more accurate.
+
+This still doesn't cover the platforms on which X86_FEATURE_HYPERVISOR is
+unsupported, e.g. VMware, but there is nothing which can be done about this
+scenario.
+
+Fixes: 8a4b06d391b0 ("x86/speculation/mds: Add sysfs reporting for MDS")
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1564022349-17338-1-git-send-email-zhenzhong.duan@oracle.com
+
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/kernel/cpu/bugs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 66ca906aa790..801ecd1c3fd5 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1226,7 +1226,7 @@ static ssize_t l1tf_show_state(char *buf)
+
+ static ssize_t mds_show_state(char *buf)
+ {
+- if (!hypervisor_is_type(X86_HYPER_NATIVE)) {
++ if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
+ return sprintf(buf, "%s; SMT Host state unknown\n",
+ mds_strings[mds_mitigation]);
+ }
+
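Review bot: The new `boot_cpu_has(X86_FEATURE_HYPERVISOR)` test in mds_show_state() has no comment recording the limitation the description admits: a guest whose hypervisor does not expose that CPUID bit is treated as bare metal. Such a guest presumably falls through to the native reporting below the hunk and shows an SMT state it cannot actually know. Anyone auditing mitigation status through this sysfs file should be able to see that from the code, so I would add above the check `/* Guests whose hypervisor hides X86_FEATURE_HYPERVISOR are indistinguishable from bare metal here. */`. The function body continues outside the hunk.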
diff --git a/patches.drivers/ALSA-hda-Add-a-generic-reboot_notify.patch b/patches.drivers/ALSA-hda-Add-a-generic-reboot_notify.patch
new file mode 100644
index 0000000000..39ebe22668
--- /dev/null
+++ b/patches.drivers/ALSA-hda-Add-a-generic-reboot_notify.patch
@@ -0,0 +1,123 @@
+From 871b9066027702e6e6589da0e1edd3b7dede7205 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Wed, 14 Aug 2019 12:09:08 +0800
+Subject: [PATCH] ALSA: hda - Add a generic reboot_notify
+Git-commit: 871b9066027702e6e6589da0e1edd3b7dede7205
+Patch-mainline: v5.3-rc5
+References: bsc#1051510
+
+Make codec enter D3 before rebooting or poweroff can fix the noise
+issue on some laptops. And in theory it is harmless for all codecs
+to enter D3 before rebooting or poweroff, let us add a generic
+reboot_notify, then realtek and conexant drivers can call this
+function.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/hda_generic.c | 19 +++++++++++++++++++
+ sound/pci/hda/hda_generic.h | 1 +
+ sound/pci/hda/patch_conexant.c | 6 +-----
+ sound/pci/hda/patch_realtek.c | 11 +----------
+ 4 files changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c
+index 8f2beb1f3ae4..5bf24fb819d2 100644
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -6051,6 +6051,24 @@ void snd_hda_gen_free(struct hda_codec *codec)
+ }
+ EXPORT_SYMBOL_GPL(snd_hda_gen_free);
+
++/**
++ * snd_hda_gen_reboot_notify - Make codec enter D3 before rebooting
++ * @codec: the HDA codec
++ *
++ * This can be put as patch_ops reboot_notify function.
++ */
++void snd_hda_gen_reboot_notify(struct hda_codec *codec)
++{
++ /* Make the codec enter D3 to avoid spurious noises from the internal
++ * speaker during (and after) reboot
++ */
++ snd_hda_codec_set_power_to_all(codec, codec->core.afg, AC_PWRST_D3);
++ snd_hda_codec_write(codec, codec->core.afg, 0,
++ AC_VERB_SET_POWER_STATE, AC_PWRST_D3);
++ msleep(10);
++}
++EXPORT_SYMBOL_GPL(snd_hda_gen_reboot_notify);
++
+ #ifdef CONFIG_PM
+ /**
+ * snd_hda_gen_check_power_status - check the loopback power save state
+@@ -6078,6 +6096,7 @@ static const struct hda_codec_ops generic_patch_ops = {
+ .init = snd_hda_gen_init,
+ .free = snd_hda_gen_free,
+ .unsol_event = snd_hda_jack_unsol_event,
++ .reboot_notify = snd_hda_gen_reboot_notify,
+ #ifdef CONFIG_PM
+ .check_power_status = snd_hda_gen_check_power_status,
+ #endif
+diff --git a/sound/pci/hda/hda_generic.h b/sound/pci/hda/hda_generic.h
+index 35a670a71c42..5f199dcb0d18 100644
+--- a/sound/pci/hda/hda_generic.h
++++ b/sound/pci/hda/hda_generic.h
+@@ -332,6 +332,7 @@ int snd_hda_gen_parse_auto_config(struct hda_codec *codec,
+ struct auto_pin_cfg *cfg);
+ int snd_hda_gen_build_controls(struct hda_codec *codec);
+ int snd_hda_gen_build_pcms(struct hda_codec *codec);
++void snd_hda_gen_reboot_notify(struct hda_codec *codec);
+
+ /* standard jack event callbacks */
+ void snd_hda_gen_hp_automute(struct hda_codec *codec,
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index 93a303676aea..14298ef45b21 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -166,11 +166,7 @@ static void cx_auto_reboot_notify(struct hda_codec *codec)
+ /* Turn the problematic codec into D3 to avoid spurious noises
+ from the internal speaker during (and after) reboot */
+ cx_auto_turn_eapd(codec, spec->num_eapds, spec->eapds, false);
+-
+- snd_hda_codec_set_power_to_all(codec, codec->core.afg, AC_PWRST_D3);
+- snd_hda_codec_write(codec, codec->core.afg, 0,
+- AC_VERB_SET_POWER_STATE, AC_PWRST_D3);
+- msleep(10);
++ snd_hda_gen_reboot_notify(codec);
+ }
+
+ static void cx_auto_free(struct hda_codec *codec)
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 8aaf1d9c55cf..e333b3e30e31 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -869,15 +869,6 @@ static void alc_reboot_notify(struct hda_codec *codec)
+ alc_shutup(codec);
+ }
+
+-/* power down codec to D3 at reboot/shutdown; set as reboot_notify ops */
+-static void alc_d3_at_reboot(struct hda_codec *codec)
+-{
+- snd_hda_codec_set_power_to_all(codec, codec->core.afg, AC_PWRST_D3);
+- snd_hda_codec_write(codec, codec->core.afg, 0,
+- AC_VERB_SET_POWER_STATE, AC_PWRST_D3);
+- msleep(10);
+-}
+-
+ #define alc_free snd_hda_gen_free
+
+ #ifdef CONFIG_PM
+@@ -5152,7 +5143,7 @@ static void alc_fixup_tpt440_dock(struct hda_codec *codec,
+ struct alc_spec *spec = codec->spec;
+
+ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
+- spec->reboot_notify = alc_d3_at_reboot; /* reduce noise */
++ spec->reboot_notify = snd_hda_gen_reboot_notify; /* reduce noise */
+ spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP;
+ codec->power_save_node = 0; /* avoid click noises */
+ snd_hda_apply_pincfgs(codec, pincfgs);
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-hda-Apply-workaround-for-another-AMD-chip-1022-.patch b/patches.drivers/ALSA-hda-Apply-workaround-for-another-AMD-chip-1022-.patch
new file mode 100644
index 0000000000..e705cc901d
--- /dev/null
+++ b/patches.drivers/ALSA-hda-Apply-workaround-for-another-AMD-chip-1022-.patch
@@ -0,0 +1,37 @@
+From de768ce45466f3009809719eb7b1f6f5277d9373 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 9 Aug 2019 11:23:00 +0200
+Subject: [PATCH] ALSA: hda - Apply workaround for another AMD chip 1022:1487
+Git-commit: de768ce45466f3009809719eb7b1f6f5277d9373
+Patch-mainline: v5.3-rc5
+References: bsc#1051510
+
+MSI MPG X570 board is with another AMD HD-audio controller (PCI ID
+1022:1487) and it requires the same workaround applied for X370, etc
+(PCI ID 1022:1457).
+
+Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=195303
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/hda_intel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index a6d8c0d77b84..99fc0917339b 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2508,6 +2508,9 @@ static const struct pci_device_id azx_ids[] = {
+ /* AMD, X370 & co */
+ { PCI_DEVICE(0x1022, 0x1457),
+ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_AMD_SB },
++ /* AMD, X570 & co */
++ { PCI_DEVICE(0x1022, 0x1487),
++ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_AMD_SB },
+ /* AMD Stoney */
+ { PCI_DEVICE(0x1022, 0x157a),
+ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB |
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-hda-Fix-a-memory-leak-bug.patch b/patches.drivers/ALSA-hda-Fix-a-memory-leak-bug.patch
new file mode 100644
index 0000000000..5b401274b4
--- /dev/null
+++ b/patches.drivers/ALSA-hda-Fix-a-memory-leak-bug.patch
@@ -0,0 +1,39 @@
+From cfef67f016e4c00a2f423256fc678a6967a9fc09 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Fri, 9 Aug 2019 23:29:48 -0500
+Subject: [PATCH] ALSA: hda - Fix a memory leak bug
+Git-commit: cfef67f016e4c00a2f423256fc678a6967a9fc09
+Patch-mainline: v5.3-rc5
+References: bsc#1051510
+
+In snd_hda_parse_generic_codec(), 'spec' is allocated through kzalloc().
+Then, the pin widgets in 'codec' are parsed. However, if the parsing
+process fails, 'spec' is not deallocated, leading to a memory leak.
+
+To fix the above issue, free 'spec' before returning the error.
+
+Fixes: 352f7f914ebb ("ALSA: hda - Merge Realtek parser code to generic parser")
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/hda_generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c
+index 485edaba0037..8f2beb1f3ae4 100644
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -6100,7 +6100,7 @@ static int snd_hda_parse_generic_codec(struct hda_codec *codec)
+
+ err = snd_hda_parse_pin_defcfg(codec, &spec->autocfg, NULL, 0);
+ if (err < 0)
+- return err;
++ goto error;
+
+ err = snd_hda_gen_parse_auto_config(codec, &spec->autocfg);
+ if (err < 0)
+--
+2.16.4
+
diff --git a/patches.drivers/ALSA-hda-Let-all-conexant-codec-enter-D3-when-reboot.patch b/patches.drivers/ALSA-hda-Let-all-conexant-codec-enter-D3-when-reboot.patch
new file mode 100644
index 0000000000..18dd8d5104
--- /dev/null
+++ b/patches.drivers/ALSA-hda-Let-all-conexant-codec-enter-D3-when-reboot.patch
@@ -0,0 +1,50 @@
+From 401714d9534aad8c24196b32600da683116bbe09 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Wed, 14 Aug 2019 12:09:07 +0800
+Subject: [PATCH] ALSA: hda - Let all conexant codec enter D3 when rebooting
+Git-commit: 401714d9534aad8c24196b32600da683116bbe09
+Patch-mainline: v5.3-rc5
+References: bsc#1051510
+
+We have 3 new lenovo laptops which have conexant codec 0x14f11f86,
+these 3 laptops also have the noise issue when rebooting, after
+letting the codec enter D3 before rebooting or poweroff, the noise
+disappers.
+
+Instead of adding a new ID again in the reboot_notify(), let us make
+this function apply to all conexant codec. In theory make codec enter
+D3 before rebooting or poweroff is harmless, and I tested this change
+on a couple of other Lenovo laptops which have different conexant
+codecs, there is no side effect so far.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/pci/hda/patch_conexant.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index f299f137eaea..93a303676aea 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -163,15 +163,6 @@ static void cx_auto_reboot_notify(struct hda_codec *codec)
+ {
+ struct conexant_spec *spec = codec->spec;
+
+- switch (codec->core.vendor_id) {
+- case 0x14f12008: /* CX8200 */
+- case 0x14f150f2: /* CX20722 */
+- case 0x14f150f4: /* CX20724 */
+- break;
+- default:
+- return;
+- }
+-
+ /* Turn the problematic codec into D3 to avoid spurious noises
+ from the internal speaker during (and after) reboot */
+ cx_auto_turn_eapd(codec, spec->num_eapds, spec->eapds, false);
+--
+2.16.4
+
diff --git a/patches.drivers/HID-sony-Fix-race-condition-between-rumble-and-devic.patch b/patches.drivers/HID-sony-Fix-race-condition-between-rumble-and-devic.patch
new file mode 100644
index 0000000000..32d6cb9c24
--- /dev/null
+++ b/patches.drivers/HID-sony-Fix-race-condition-between-rumble-and-devic.patch
@@ -0,0 +1,83 @@
+From e0f6974a54d3f7f1b5fdf5a593bd43ce9206ec04 Mon Sep 17 00:00:00 2001
+From: Roderick Colenbrander <roderick@gaikai.com>
+Date: Fri, 2 Aug 2019 15:50:19 -0700
+Subject: [PATCH] HID: sony: Fix race condition between rumble and device remove.
+Git-commit: e0f6974a54d3f7f1b5fdf5a593bd43ce9206ec04
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+Valve reported a kernel crash on Ubuntu 18.04 when disconnecting a DS4
+gamepad while rumble is enabled. This issue is reproducible with a
+frequency of 1 in 3 times in the game Borderlands 2 when using an
+automatic weapon, which triggers many rumble operations.
+
+We found the issue to be a race condition between sony_remove and the
+final device destruction by the HID / input system. The problem was
+that sony_remove didn't clean some of its work_item state in
+"struct sony_sc". After sony_remove work, the corresponding evdev
+node was around for sufficient time for applications to still queue
+rumble work after "sony_remove".
+
+On pre-4.19 kernels the race condition caused a kernel crash due to a
+NULL-pointer dereference as "sc->output_report_dmabuf" got freed during
+sony_remove. On newer kernels this crash doesn't happen due the buffer
+now being allocated using devm_kzalloc. However we can still queue work,
+while the driver is an undefined state.
+
+This patch fixes the described problem, by guarding the work_item
+"state_worker" with an initialized variable, which we are setting back
+to 0 on cleanup.
+
+Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hid/hid-sony.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
+index 93942063b51b..49dd2d905c7f 100644
+--- a/drivers/hid/hid-sony.c
++++ b/drivers/hid/hid-sony.c
+@@ -585,10 +585,14 @@ static void sony_set_leds(struct sony_sc *sc);
+ static inline void sony_schedule_work(struct sony_sc *sc,
+ enum sony_worker which)
+ {
++ unsigned long flags;
++
+ switch (which) {
+ case SONY_WORKER_STATE:
+- if (!sc->defer_initialization)
++ spin_lock_irqsave(&sc->lock, flags);
++ if (!sc->defer_initialization && sc->state_worker_initialized)
+ schedule_work(&sc->state_worker);
++ spin_unlock_irqrestore(&sc->lock, flags);
+ break;
+ case SONY_WORKER_HOTPLUG:
+ if (sc->hotplug_worker_initialized)
+@@ -2558,13 +2562,18 @@ static inline void sony_init_output_report(struct sony_sc *sc,
+
+ static inline void sony_cancel_work_sync(struct sony_sc *sc)
+ {
++ unsigned long flags;
++
+ if (sc->hotplug_worker_initialized)
+ cancel_work_sync(&sc->hotplug_worker);
+- if (sc->state_worker_initialized)
++ if (sc->state_worker_initialized) {
++ spin_lock_irqsave(&sc->lock, flags);
++ sc->state_worker_initialized = 0;
++ spin_unlock_irqrestore(&sc->lock, flags);
+ cancel_work_sync(&sc->state_worker);
++ }
+ }
+
+-
+ static int sony_input_configured(struct hid_device *hdev,
+ struct hid_input *hidinput)
+ {
+--
+2.16.4
+
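Review bot: The hotplug worker keeps the unguarded pattern that this patch removes for the state worker: `sony_schedule_work()` still tests `sc->hotplug_worker_initialized` without `sc->lock`, and `sony_cancel_work_sync()` cancels the hotplug work without clearing that flag. If hotplug work can still be queued while the device is being removed (the callers are not visible in this hunk), the same window between cancel and final teardown stays open for it. I would clear the flag under the lock before cancelling, as below, and take the lock around the check in the `SONY_WORKER_HOTPLUG` case. `sony_schedule_work()` continues past the end of the first hunk, so its hotplug branch is only partly visible.

```c
static inline void sony_cancel_work_sync(struct sony_sc *sc)
{
	unsigned long flags;

	if (sc->hotplug_worker_initialized) {
		/* Clear the flag first so no new hotplug work is queued after the cancel. */
		spin_lock_irqsave(&sc->lock, flags);
		sc->hotplug_worker_initialized = 0;
		spin_unlock_irqrestore(&sc->lock, flags);
		cancel_work_sync(&sc->hotplug_worker);
	}
	/* … unchanged: state_worker branch … */
```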
diff --git a/patches.drivers/Input-synaptics-enable-RMI-mode-for-HP-Spectre-X360.patch b/patches.drivers/Input-synaptics-enable-RMI-mode-for-HP-Spectre-X360.patch
new file mode 100644
index 0000000000..c1f6aa33ec
--- /dev/null
+++ b/patches.drivers/Input-synaptics-enable-RMI-mode-for-HP-Spectre-X360.patch
@@ -0,0 +1,37 @@
+From 25f8c834e2a6871920cc1ca113f02fb301d007c3 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 12 Jul 2019 11:37:17 -0700
+Subject: [PATCH] Input: synaptics - enable RMI mode for HP Spectre X360
+Git-commit: 25f8c834e2a6871920cc1ca113f02fb301d007c3
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+The 2016 kabylake HP Spectre X360 (model number 13-w013dx) works much better
+with psmouse.synaptics_intertouch=1 kernel parameter, so let's enable RMI4
+mode automatically.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204115
+Reported-by: Nate Graham <pointedstick@zoho.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/input/mouse/synaptics.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
+index b1956ed4c0dd..46bbe99d6511 100644
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -182,6 +182,7 @@ static const char * const smbus_pnp_ids[] = {
+ "LEN2055", /* E580 */
+ "SYN3052", /* HP EliteBook 840 G4 */
+ "SYN3221", /* HP 15-ay000 */
++ "SYN323d", /* HP Spectre X360 13-w013dx */
+ NULL
+ };
+
+--
+2.16.4
+
diff --git a/patches.drivers/drivers-pps-pps.c-clear-offset-flags-in-PPS_SETPARAM.patch b/patches.drivers/drivers-pps-pps.c-clear-offset-flags-in-PPS_SETPARAM.patch
new file mode 100644
index 0000000000..f1a9697d61
--- /dev/null
+++ b/patches.drivers/drivers-pps-pps.c-clear-offset-flags-in-PPS_SETPARAM.patch
@@ -0,0 +1,54 @@
+From 5515e9a6273b8c02034466bcbd717ac9f53dab99 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Tue, 16 Jul 2019 16:30:09 -0700
+Subject: [PATCH] drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl
+Git-commit: 5515e9a6273b8c02034466bcbd717ac9f53dab99
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+The PPS assert/clear offset corrections are set by the PPS_SETPARAMS
+ioctl in the pps_ktime structs, which also contain flags. The flags are
+not initialized by applications (using the timepps.h header) and they
+are not used by the kernel for anything except returning them back in
+the PPS_GETPARAMS ioctl.
+
+Set the flags to zero to make it clear they are unused and avoid leaking
+uninitialized data of the PPS_SETPARAMS caller to other applications
+that have a read access to the PPS device.
+
+Link: http://lkml.kernel.org/r/20190702092251.24303-1-mlichvar@redhat.com
+Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Rodolfo Giometti <giometti@enneenne.com>
+Cc: Greg KH <greg@kroah.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/pps/pps.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/pps/pps.c b/drivers/pps/pps.c
+index 3a546ec10d90..22a65ad4e46e 100644
+--- a/drivers/pps/pps.c
++++ b/drivers/pps/pps.c
+@@ -152,6 +152,14 @@ static long pps_cdev_ioctl(struct file *file,
+ pps->params.mode |= PPS_CANWAIT;
+ pps->params.api_version = PPS_API_VERS;
+
++ /*
++ * Clear unused fields of pps_kparams to avoid leaking
++ * uninitialized data of the PPS_SETPARAMS caller via
++ * PPS_GETPARAMS
++ */
++ pps->params.assert_off_tu.flags = 0;
++ pps->params.clear_off_tu.flags = 0;
++
+ spin_unlock_irq(&pps->lock);
+
+ break;
+--
+2.16.4
+
diff --git a/patches.drivers/i2c-core-smbus-prevent-stack-corruption-on-read-I2C_.patch b/patches.drivers/i2c-core-smbus-prevent-stack-corruption-on-read-I2C_.patch
new file mode 100644
index 0000000000..109248d1ba
--- /dev/null
+++ b/patches.drivers/i2c-core-smbus-prevent-stack-corruption-on-read-I2C_.patch
@@ -0,0 +1,71 @@
+From 89c6efa61f5709327ecfa24bff18e57a4e80c7fa Mon Sep 17 00:00:00 2001
+From: Jeremy Compostella <jeremy.compostella@intel.com>
+Date: Wed, 15 Nov 2017 12:31:44 -0700
+Subject: [PATCH] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
+Git-commit: 89c6efa61f5709327ecfa24bff18e57a4e80c7fa
+Patch-mainline: v4.15-rc9
+References: CVE-2017-18551,bsc#1146163
+
+[ Applied to drivers/i2c/i2c-core.c instead of i2c-core-smbus.c for older
+ code base -- tiwai ]
+
+On a I2C_SMBUS_I2C_BLOCK_DATA read request, if data->block[0] is
+greater than I2C_SMBUS_BLOCK_MAX + 1, the underlying I2C driver writes
+data out of the msgbuf1 array boundary.
+
+It is possible from a user application to run into that issue by
+calling the I2C_SMBUS ioctl with data.block[0] greater than
+I2C_SMBUS_BLOCK_MAX + 1.
+
+This patch makes the code compliant with
+Documentation/i2c/dev-interface by raising an error when the requested
+size is larger than 32 bytes.
+
+Call Trace:
+ [<ffffffff8139f695>] dump_stack+0x67/0x92
+ [<ffffffff811802a4>] panic+0xc5/0x1eb
+ [<ffffffff810ecb5f>] ? vprintk_default+0x1f/0x30
+ [<ffffffff817456d3>] ? i2cdev_ioctl_smbus+0x303/0x320
+ [<ffffffff8109a68b>] __stack_chk_fail+0x1b/0x20
+ [<ffffffff817456d3>] i2cdev_ioctl_smbus+0x303/0x320
+ [<ffffffff81745aed>] i2cdev_ioctl+0x4d/0x1e0
+ [<ffffffff811f761a>] do_vfs_ioctl+0x2ba/0x490
+ [<ffffffff81336e43>] ? security_file_ioctl+0x43/0x60
+ [<ffffffff811f7869>] SyS_ioctl+0x79/0x90
+ [<ffffffff81a22e97>] entry_SYSCALL_64_fastpath+0x12/0x6a
+
+Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Cc: stable@kernel.org
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/i2c/i2c-core.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/i2c/i2c-core.c
++++ b/drivers/i2c/i2c-core.c
+@@ -3536,16 +3536,17 @@ static s32 i2c_smbus_xfer_emulated(struc
+ the underlying bus driver */
+ break;
+ case I2C_SMBUS_I2C_BLOCK_DATA:
++ if (data->block[0] > I2C_SMBUS_BLOCK_MAX) {
++ dev_err(&adapter->dev, "Invalid block %s size %d\n",
++ read_write == I2C_SMBUS_READ ? "read" : "write",
++ data->block[0]);
++ return -EINVAL;
++ }
++
+ if (read_write == I2C_SMBUS_READ) {
+ msg[1].len = data->block[0];
+ } else {
+ msg[0].len = data->block[0] + 1;
+- if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) {
+- dev_err(&adapter->dev,
+- "Invalid block write size %d\n",
+- data->block[0]);
+- return -EINVAL;
+- }
+ for (i = 1; i <= data->block[0]; i++)
+ msgbuf0[i] = data->block[i];
+ }
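Review bot: The new size check under `case I2C_SMBUS_I2C_BLOCK_DATA:` logs with `dev_err()` on a path that, per the commit message, a user application can reach through the I2C_SMBUS ioctl, so a caller that keeps passing an oversized `data->block[0]` can flood the kernel log. A rate-limited call keeps the diagnostic without that side effect: replace `dev_err(&adapter->dev, "Invalid block %s size %d\n",` with `dev_err_ratelimited(&adapter->dev, "Invalid block %s size %d\n",` and leave the arguments as they are. The body of `i2c_smbus_xfer_emulated()` starts and ends outside the hunk.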
diff --git a/patches.drivers/iio-adc-max9611-Fix-misuse-of-GENMASK-macro.patch b/patches.drivers/iio-adc-max9611-Fix-misuse-of-GENMASK-macro.patch
new file mode 100644
index 0000000000..15d62d6c9c
--- /dev/null
+++ b/patches.drivers/iio-adc-max9611-Fix-misuse-of-GENMASK-macro.patch
@@ -0,0 +1,36 @@
+From ae8cc91a7d85e018c0c267f580820b2bb558cd48 Mon Sep 17 00:00:00 2001
+From: Joe Perches <joe@perches.com>
+Date: Tue, 9 Jul 2019 22:04:17 -0700
+Subject: [PATCH] iio: adc: max9611: Fix misuse of GENMASK macro
+Git-commit: ae8cc91a7d85e018c0c267f580820b2bb558cd48
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+Arguments are supposed to be ordered high then low.
+
+Signed-off-by: Joe Perches <joe@perches.com>
+Fixes: 69780a3bbc0b ("iio: adc: Add Maxim max9611 ADC driver")
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/iio/adc/max9611.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/max9611.c b/drivers/iio/adc/max9611.c
+index 917223d5ff5b..0e3c6529fc4c 100644
+--- a/drivers/iio/adc/max9611.c
++++ b/drivers/iio/adc/max9611.c
+@@ -83,7 +83,7 @@
+ #define MAX9611_TEMP_MAX_POS 0x7f80
+ #define MAX9611_TEMP_MAX_NEG 0xff80
+ #define MAX9611_TEMP_MIN_NEG 0xd980
+-#define MAX9611_TEMP_MASK GENMASK(7, 15)
++#define MAX9611_TEMP_MASK GENMASK(15, 7)
+ #define MAX9611_TEMP_SHIFT 0x07
+ #define MAX9611_TEMP_RAW(_r) ((_r) >> MAX9611_TEMP_SHIFT)
+ #define MAX9611_TEMP_SCALE_NUM 1000000
+--
+2.16.4
+
diff --git a/patches.drivers/iommu-dma-handle-sg-length-overflow-better b/patches.drivers/iommu-dma-handle-sg-length-overflow-better
new file mode 100644
index 0000000000..9a978e6c60
--- /dev/null
+++ b/patches.drivers/iommu-dma-handle-sg-length-overflow-better
@@ -0,0 +1,42 @@
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Mon, 29 Jul 2019 17:46:00 +0100
+Subject: iommu/dma: Handle SG length overflow better
+Git-commit: ab2cbeb0ed301a9f0460078e91b09f39958212ef
+Patch-mainline: v5.3-rc5
+References: bsc#1146084
+
+Since scatterlist dimensions are all unsigned ints, in the relatively
+rare cases where a device's max_segment_size is set to UINT_MAX, then
+the "cur_len + s_length <= max_len" check in __finalise_sg() will always
+return true. As a result, the corner case of such a device mapping an
+excessively large scatterlist which is mergeable to or beyond a total
+length of 4GB can lead to overflow and a bogus truncated dma_length in
+the resulting segment.
+
+As we already assume that any single segment must be no longer than
+max_len to begin with, this can easily be addressed by reshuffling the
+comparison.
+
+Fixes: 809eac54cdd6 ("iommu/dma: Implement scatterlist segment merging")
+Reported-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Tested-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/dma-iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c
+index 6441197a75ea..4ea9cf02ba2d 100644
+--- a/drivers/iommu/dma-iommu.c
++++ b/drivers/iommu/dma-iommu.c
+@@ -762,7 +762,7 @@ static int __finalise_sg(struct device *dev, struct scatterlist *sg, int nents,
+ * - and wouldn't make the resulting output segment too long
+ */
+ if (cur_len && !s_iova_off && (dma_addr & seg_mask) &&
+- (cur_len + s_length <= max_len)) {
++ (max_len - cur_len >= s_length)) {
+ /* ...then concatenate it with the previous one */
+ cur_len += s_length;
+ } else {
+
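Review bot: The rewritten test `(max_len - cur_len >= s_length)` is only correct while `cur_len <= max_len`; if that invariant were broken, the unsigned subtraction would wrap and the merge condition would pass for any `s_length`. The commit message states the assumption, but the code does not, so a later change to how `cur_len` is accumulated could reintroduce the overflow unnoticed. I would add a line to the existing comment above the condition, for example `* (cur_len never exceeds max_len here, so max_len - cur_len cannot wrap)`. `__finalise_sg()` starts and ends outside the hunk.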
diff --git a/patches.drivers/usb-usbfs-fix-double-free-of-usb-memory-upon-submitu.patch b/patches.drivers/usb-usbfs-fix-double-free-of-usb-memory-upon-submitu.patch
new file mode 100644
index 0000000000..ed379a6a97
--- /dev/null
+++ b/patches.drivers/usb-usbfs-fix-double-free-of-usb-memory-upon-submitu.patch
@@ -0,0 +1,39 @@
+From c43f28dfdc4654e738aa6d3fd08a105b2bee758d Mon Sep 17 00:00:00 2001
+From: Gavin Li <git@thegavinli.com>
+Date: Sun, 4 Aug 2019 16:50:44 -0700
+Subject: [PATCH] usb: usbfs: fix double-free of usb memory upon submiturb error
+Git-commit: c43f28dfdc4654e738aa6d3fd08a105b2bee758d
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+Upon an error within proc_do_submiturb(), dec_usb_memory_use_count()
+gets called once by the error handling tail and again by free_async().
+Remove the first call.
+
+Signed-off-by: Gavin Li <git@thegavinli.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190804235044.22327-1-gavinli@thegavinli.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/core/devio.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
+index b265ab5405f9..9063ede411ae 100644
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1812,8 +1812,6 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
+ return 0;
+
+ error:
+- if (as && as->usbm)
+- dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
+ kfree(isopkt);
+ kfree(dr);
+ if (as)
+--
+2.16.4
+
diff --git a/patches.drm/drm-silence-variable-conn-set-but-not-used.patch b/patches.drm/drm-silence-variable-conn-set-but-not-used.patch
new file mode 100644
index 0000000000..2812418b80
--- /dev/null
+++ b/patches.drm/drm-silence-variable-conn-set-but-not-used.patch
@@ -0,0 +1,38 @@
+From bbb6fc43f131f77fcb7ae8081f6d7c51396a2120 Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Mon, 22 Jul 2019 15:14:46 -0400
+Subject: [PATCH] drm: silence variable 'conn' set but not used
+Git-commit: bbb6fc43f131f77fcb7ae8081f6d7c51396a2120
+Patch-mainline: v5.3-rc2
+References: bsc#1051510
+
+The "struct drm_connector" iteration cursor from
+"for_each_new_connector_in_state" is never used in atomic_remove_fb()
+which generates a compilation warning,
+
+Drivers/gpu/drm/drm_framebuffer.c: In function 'atomic_remove_fb':
+drivers/gpu/drm/drm_framebuffer.c:838:24: warning: variable 'conn' set
+but not used [-Wunused-but-set-variable]
+
+Silence it by marking "conn" __maybe_unused.
+
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/1563822886-13570-1-git-send-email-cai@lca.pw
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/drm_framebuffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_framebuffer.c
++++ b/drivers/gpu/drm/drm_framebuffer.c
+@@ -792,7 +792,7 @@ static int atomic_remove_fb(struct drm_f
+ struct drm_device *dev = fb->dev;
+ struct drm_atomic_state *state;
+ struct drm_plane *plane;
+- struct drm_connector *conn;
++ struct drm_connector *conn __maybe_unused;
+ struct drm_connector_state *conn_state;
+ int i, ret;
+ unsigned plane_mask;
diff --git a/patches.fixes/0001-xfrm-Fix-NULL-pointer-dereference-when-skb_dst_force.patch b/patches.fixes/0001-xfrm-Fix-NULL-pointer-dereference-when-skb_dst_force.patch
new file mode 100644
index 0000000000..175210aec6
--- /dev/null
+++ b/patches.fixes/0001-xfrm-Fix-NULL-pointer-dereference-when-skb_dst_force.patch
@@ -0,0 +1,61 @@
+From bb8bb584c2948558b39451338b862136327e564f Mon Sep 17 00:00:00 2001
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Tue, 11 Sep 2018 10:31:15 +0200
+Subject: [PATCH 1/4] xfrm: Fix NULL pointer dereference when skb_dst_force
+ clears the dst_entry.
+
+Patch-mainline: v4.19-rc7
+Git-commit: 9e1437937807b0122e8da1ca8765be2adca9aee6
+References: bsc#1143300
+
+Since commit 222d7dbd258d ("net: prevent dst uses after free")
+skb_dst_force() might clear the dst_entry attached to the skb.
+The xfrm code don't expect this to happen, so we crash with
+a NULL pointer dereference in this case. Fix it by checking
+skb_dst(skb) for NULL after skb_dst_force() and drop the packet
+in cast the dst_entry was cleared.
+
+Fixes: 222d7dbd258d ("net: prevent dst uses after free")
+Reported-by: Tobias Hommel <netdev-list@genoetigt.de>
+Reported-by: Kristian Evensen <kristian.evensen@gmail.com>
+Reported-by: Wolfgang Walter <linux@stwm.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Firo Yang <firo.yang@suse.com>
+---
+ net/xfrm/xfrm_output.c | 4 ++++
+ net/xfrm/xfrm_policy.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
+index 7e7b6c6004f1..f576b05c4f72 100644
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -98,6 +98,10 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
+ spin_unlock_bh(&x->lock);
+
+ skb_dst_force(skb);
++ if (!skb_dst(skb)) {
++ XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
++ goto error_nolock;
++ }
+
+ if (xfrm_offload(skb)) {
+ x->type_offload->encap(x, skb);
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index c82c695fa3fd..89bbe40736f9 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -2625,6 +2625,10 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
+ }
+
+ skb_dst_force(skb);
++ if (!skb_dst(skb)) {
++ XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
++ return 0;
++ }
+
+ dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, XFRM_LOOKUP_QUEUE);
+ if (IS_ERR(dst)) {
+--
+2.16.4
+
diff --git a/patches.fixes/0002-xfrm-Fix-error-return-code-in-xfrm_output_one.patch b/patches.fixes/0002-xfrm-Fix-error-return-code-in-xfrm_output_one.patch
new file mode 100644
index 0000000000..28e29ebff3
--- /dev/null
+++ b/patches.fixes/0002-xfrm-Fix-error-return-code-in-xfrm_output_one.patch
@@ -0,0 +1,37 @@
+From 615887d455094dfdb598ca6df7093c6f0626005b Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Sat, 27 Oct 2018 06:12:06 +0000
+Subject: [PATCH 2/4] xfrm: Fix error return code in xfrm_output_one()
+
+Patch-mainline: v4.20
+Git-commit: 533555e5cbb6aa2d77598917871ae5b579fe724b
+References: bsc#1143300
+
+xfrm_output_one() does not return a error code when there is
+no dst_entry attached to the skb, it is still possible crash
+with a NULL pointer dereference in xfrm_output_resume(). Fix
+it by return error code -EHOSTUNREACH.
+
+Fixes: 9e1437937807 ("xfrm: Fix NULL pointer dereference when skb_dst_force clears the dst_entry.")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Firo Yang <firo.yang@suse.com>
+---
+ net/xfrm/xfrm_output.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
+index f576b05c4f72..58aaa0aefc5d 100644
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -100,6 +100,7 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
+ skb_dst_force(skb);
+ if (!skb_dst(skb)) {
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
++ err = -EHOSTUNREACH;
+ goto error_nolock;
+ }
+
+--
+2.16.4
+
diff --git a/patches.fixes/0003-xfrm-Fix-NULL-pointer-dereference-in-xfrm_input-when.patch b/patches.fixes/0003-xfrm-Fix-NULL-pointer-dereference-in-xfrm_input-when.patch
new file mode 100644
index 0000000000..d871a18294
--- /dev/null
+++ b/patches.fixes/0003-xfrm-Fix-NULL-pointer-dereference-in-xfrm_input-when.patch
@@ -0,0 +1,61 @@
+From 567cfbae0919ca98efaeaed21a1b4304fdca2ebf Mon Sep 17 00:00:00 2001
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Thu, 22 Nov 2018 07:26:24 +0100
+Subject: [PATCH 3/4] xfrm: Fix NULL pointer dereference in xfrm_input when
+ skb_dst_force clears the dst_entry.
+
+Patch-mainline: v4.20
+Git-commit: 0152eee6fc3b84298bb6a79961961734e8afa5b8
+References: bsc#1143300
+
+Since commit 222d7dbd258d ("net: prevent dst uses after free")
+skb_dst_force() might clear the dst_entry attached to the skb.
+The xfrm code doesn't expect this to happen, so we crash with
+a NULL pointer dereference in this case.
+
+Fix it by checking skb_dst(skb) for NULL after skb_dst_force()
+and drop the packet in case the dst_entry was cleared. We also
+move the skb_dst_force() to a codepath that is not used when
+the transformation was offloaded, because in this case we
+don't have a dst_entry attached to the skb.
+
+The output and forwarding path was already fixed by
+commit 9e1437937807 ("xfrm: Fix NULL pointer dereference when
+skb_dst_force clears the dst_entry.")
+
+Fixes: 222d7dbd258d ("net: prevent dst uses after free")
+Reported-by: Jean-Philippe Menil <jpmenil@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Firo Yang <firo.yang@suse.com>
+---
+ net/xfrm/xfrm_input.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
+index a18b0e37b8eb..1399907235a2 100644
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -334,6 +334,12 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
+
+ skb->sp->xvec[skb->sp->len++] = x;
+
++ skb_dst_force(skb);
++ if (!skb_dst(skb)) {
++ XFRM_INC_STATS(net, LINUX_MIB_XFRMINERROR);
++ goto drop;
++ }
++
+ lock:
+ spin_lock(&x->lock);
+
+@@ -373,7 +379,6 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
+ XFRM_SKB_CB(skb)->seq.input.low = seq;
+ XFRM_SKB_CB(skb)->seq.input.hi = seq_hi;
+
+- skb_dst_force(skb);
+ dev_hold(skb->dev);
+
+ if (crypto_done)
+--
+2.16.4
+
diff --git a/patches.fixes/0004-xfrm-Fix-bucket-count-reported-to-userspace.patch b/patches.fixes/0004-xfrm-Fix-bucket-count-reported-to-userspace.patch
new file mode 100644
index 0000000000..50c43bd9a3
--- /dev/null
+++ b/patches.fixes/0004-xfrm-Fix-bucket-count-reported-to-userspace.patch
@@ -0,0 +1,36 @@
+From 6d4e563fdf41bad51e26bc8a1d8b61901053c311 Mon Sep 17 00:00:00 2001
+From: Benjamin Poirier <bpoirier@suse.com>
+Date: Mon, 5 Nov 2018 17:00:53 +0900
+Subject: [PATCH 4/4] xfrm: Fix bucket count reported to userspace
+
+Git-commit: ca92e173ab34a4f7fc4128bd372bd96f1af6f507
+Patch-mainline: v4.20
+References: bsc#1143300
+
+sadhcnt is reported by `ip -s xfrm state count` as "buckets count", not the
+hash mask.
+
+Fixes: 28d8909bc790 ("[XFRM]: Export SAD info.")
+Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Firo Yang <firo.yang@suse.com>
+---
+ net/xfrm/xfrm_state.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 609f7fdb9fb4..d4b49a2f698b 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -788,7 +788,7 @@ void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si)
+ {
+ spin_lock_bh(&net->xfrm.xfrm_state_lock);
+ si->sadcnt = net->xfrm.state_num;
+- si->sadhcnt = net->xfrm.state_hmask;
++ si->sadhcnt = net->xfrm.state_hmask + 1;
+ si->sadhmcnt = xfrm_state_hashmax;
+ spin_unlock_bh(&net->xfrm.xfrm_state_lock);
+ }
+--
+2.16.4
+
diff --git a/patches.fixes/crypto-ccp-Add-support-for-valid-authsize-values-les.patch b/patches.fixes/crypto-ccp-Add-support-for-valid-authsize-values-les.patch
new file mode 100644
index 0000000000..6d9c7f5637
--- /dev/null
+++ b/patches.fixes/crypto-ccp-Add-support-for-valid-authsize-values-les.patch
@@ -0,0 +1,139 @@
+From 9f00baf74e4b6f79a3a3dfab44fb7bb2e797b551 Mon Sep 17 00:00:00 2001
+From: Gary R Hook <gary.hook@amd.com>
+Date: Tue, 30 Jul 2019 16:05:24 +0000
+Subject: [PATCH] crypto: ccp - Add support for valid authsize values less than 16
+Git-commit: 9f00baf74e4b6f79a3a3dfab44fb7bb2e797b551
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+AES GCM encryption allows for authsize values of 4, 8, and 12-16 bytes.
+Validate the requested authsize, and retain it to save in the request
+context.
+
+Fixes: 36cf515b9bbe2 ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/crypto/ccp/ccp-crypto-aes-galois.c | 14 ++++++++++++++
+ drivers/crypto/ccp/ccp-ops.c | 26 +++++++++++++++++++++-----
+ include/linux/ccp.h | 2 ++
+ 3 files changed, 37 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/crypto/ccp/ccp-crypto-aes-galois.c b/drivers/crypto/ccp/ccp-crypto-aes-galois.c
+index d22631cb2bb3..02eba84028b3 100644
+--- a/drivers/crypto/ccp/ccp-crypto-aes-galois.c
++++ b/drivers/crypto/ccp/ccp-crypto-aes-galois.c
+@@ -58,6 +58,19 @@ static int ccp_aes_gcm_setkey(struct crypto_aead *tfm, const u8 *key,
+ static int ccp_aes_gcm_setauthsize(struct crypto_aead *tfm,
+ unsigned int authsize)
+ {
++ switch (authsize) {
++ case 16:
++ case 15:
++ case 14:
++ case 13:
++ case 12:
++ case 8:
++ case 4:
++ break;
++ default:
++ return -EINVAL;
++ }
++
+ return 0;
+ }
+
+@@ -104,6 +117,7 @@ static int ccp_aes_gcm_crypt(struct aead_request *req, bool encrypt)
+ memset(&rctx->cmd, 0, sizeof(rctx->cmd));
+ INIT_LIST_HEAD(&rctx->cmd.entry);
+ rctx->cmd.engine = CCP_ENGINE_AES;
++ rctx->cmd.u.aes.authsize = crypto_aead_authsize(tfm);
+ rctx->cmd.u.aes.type = ctx->u.aes.type;
+ rctx->cmd.u.aes.mode = ctx->u.aes.mode;
+ rctx->cmd.u.aes.action = encrypt;
+diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
+index 59f9849c3662..ef723e2722a8 100644
+--- a/drivers/crypto/ccp/ccp-ops.c
++++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -622,6 +622,7 @@ static int ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q,
+
+ unsigned long long *final;
+ unsigned int dm_offset;
++ unsigned int authsize;
+ unsigned int jobid;
+ unsigned int ilen;
+ bool in_place = true; /* Default value */
+@@ -643,6 +644,21 @@ static int ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q,
+ if (!aes->key) /* Gotta have a key SGL */
+ return -EINVAL;
+
++ /* Zero defaults to 16 bytes, the maximum size */
++ authsize = aes->authsize ? aes->authsize : AES_BLOCK_SIZE;
++ switch (authsize) {
++ case 16:
++ case 15:
++ case 14:
++ case 13:
++ case 12:
++ case 8:
++ case 4:
++ break;
++ default:
++ return -EINVAL;
++ }
++
+ /* First, decompose the source buffer into AAD & PT,
+ * and the destination buffer into AAD, CT & tag, or
+ * the input into CT & tag.
+@@ -657,7 +673,7 @@ static int ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q,
+ p_tag = scatterwalk_ffwd(sg_tag, p_outp, ilen);
+ } else {
+ /* Input length for decryption includes tag */
+- ilen = aes->src_len - AES_BLOCK_SIZE;
++ ilen = aes->src_len - authsize;
+ p_tag = scatterwalk_ffwd(sg_tag, p_inp, ilen);
+ }
+
+@@ -839,19 +855,19 @@ static int ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q,
+
+ if (aes->action == CCP_AES_ACTION_ENCRYPT) {
+ /* Put the ciphered tag after the ciphertext. */
+- ccp_get_dm_area(&final_wa, 0, p_tag, 0, AES_BLOCK_SIZE);
++ ccp_get_dm_area(&final_wa, 0, p_tag, 0, authsize);
+ } else {
+ /* Does this ciphered tag match the input? */
+- ret = ccp_init_dm_workarea(&tag, cmd_q, AES_BLOCK_SIZE,
++ ret = ccp_init_dm_workarea(&tag, cmd_q, authsize,
+ DMA_BIDIRECTIONAL);
+ if (ret)
+ goto e_tag;
+- ret = ccp_set_dm_area(&tag, 0, p_tag, 0, AES_BLOCK_SIZE);
++ ret = ccp_set_dm_area(&tag, 0, p_tag, 0, authsize);
+ if (ret)
+ goto e_tag;
+
+ ret = crypto_memneq(tag.address, final_wa.address,
+- AES_BLOCK_SIZE) ? -EBADMSG : 0;
++ authsize) ? -EBADMSG : 0;
+ ccp_dm_free(&tag);
+ }
+
+diff --git a/include/linux/ccp.h b/include/linux/ccp.h
+index 7e9c991c95e0..43ed9e77cf81 100644
+--- a/include/linux/ccp.h
++++ b/include/linux/ccp.h
+@@ -173,6 +173,8 @@ struct ccp_aes_engine {
+ enum ccp_aes_mode mode;
+ enum ccp_aes_action action;
+
++ u32 authsize;
++
+ struct scatterlist *key;
+ u32 key_len; /* In bytes */
+
+--
+2.16.4
+
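Review bot: On the decrypt branch of `ccp_run_aes_gcm_cmd()`, `ilen = aes->src_len - authsize;` subtracts without a visible check that `aes->src_len` is at least `authsize`, so an input shorter than the tag would wrap and the wrapped length is then passed to `scatterwalk_ffwd()`. Whether a caller already rejects such requests is not visible in this hunk; if none does, a guard just before the subtraction, `if (aes->src_len < authsize) return -EINVAL;`, closes the gap. The list of accepted tag sizes is also written out twice, in `ccp_aes_gcm_setauthsize()` and in `ccp_run_aes_gcm_cmd()`, and a shared helper would keep the two from drifting apart. The body of `ccp_run_aes_gcm_cmd()` starts and ends outside the hunks shown.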
diff --git a/patches.fixes/crypto-ccp-Fix-3DES-complaint-from-ccp-crypto-module.patch b/patches.fixes/crypto-ccp-Fix-3DES-complaint-from-ccp-crypto-module.patch
index dbd56525c1..d086a0ff50 100644
--- a/patches.fixes/crypto-ccp-Fix-3DES-complaint-from-ccp-crypto-module.patch
+++ b/patches.fixes/crypto-ccp-Fix-3DES-complaint-from-ccp-crypto-module.patch
@@ -26,7 +26,7 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
--- a/drivers/crypto/ccp/ccp-ops.c
+++ b/drivers/crypto/ccp/ccp-ops.c
-@@ -1230,6 +1230,9 @@ static int ccp_run_des3_cmd(struct ccp_c
+@@ -1265,6 +1265,9 @@ static int ccp_run_des3_cmd(struct ccp_c
int ret;
/* Error checks */
@@ -36,7 +36,7 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
if (!cmd_q->ccp->vdata->perform->des3)
return -EINVAL;
-@@ -1306,8 +1309,6 @@ static int ccp_run_des3_cmd(struct ccp_c
+@@ -1347,8 +1350,6 @@ static int ccp_run_des3_cmd(struct ccp_c
* passthru option to convert from big endian to little endian.
*/
if (des3->mode != CCP_DES3_MODE_ECB) {
@@ -45,9 +45,9 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
op.sb_ctx = cmd_q->sb_ctx;
ret = ccp_init_dm_workarea(&ctx, cmd_q,
-@@ -1320,12 +1321,8 @@ static int ccp_run_des3_cmd(struct ccp_c
- dm_offset = CCP_SB_BYTES - des3->iv_len;
- ccp_set_dm_area(&ctx, dm_offset, des3->iv, 0, des3->iv_len);
+@@ -1364,12 +1365,8 @@ static int ccp_run_des3_cmd(struct ccp_c
+ if (ret)
+ goto e_ctx;
- if (cmd_q->ccp->vdata->version == CCP_VERSION(3, 0))
- load_mode = CCP_PASSTHRU_BYTESWAP_NOOP;
@@ -59,7 +59,7 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
if (ret) {
cmd->engine_error = cmd_q->cmd_error;
goto e_ctx;
-@@ -1387,10 +1384,6 @@ static int ccp_run_des3_cmd(struct ccp_c
+@@ -1431,10 +1428,6 @@ static int ccp_run_des3_cmd(struct ccp_c
}
/* ...but we only need the last DES3_EDE_BLOCK_SIZE bytes */
diff --git a/patches.fixes/crypto-ccp-Validate-buffer-lengths-for-copy-operatio.patch b/patches.fixes/crypto-ccp-Validate-buffer-lengths-for-copy-operatio.patch
new file mode 100644
index 0000000000..85af63bc79
--- /dev/null
+++ b/patches.fixes/crypto-ccp-Validate-buffer-lengths-for-copy-operatio.patch
@@ -0,0 +1,263 @@
+From b698a9f4c5c52317db486b069190c7e3d2b97e7e Mon Sep 17 00:00:00 2001
+From: Gary R Hook <gary.hook@amd.com>
+Date: Wed, 7 Mar 2018 11:31:14 -0600
+Subject: [PATCH] crypto: ccp - Validate buffer lengths for copy operations
+Git-commit: b698a9f4c5c52317db486b069190c7e3d2b97e7e
+Patch-mainline: v4.17-rc1
+References: bsc#1051510
+
+The CCP driver copies data between scatter/gather lists and DMA buffers.
+The length of the requested copy operation must be checked against
+the available destination buffer length.
+
+Reported-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+Signed-off-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/crypto/ccp/ccp-ops.c | 108 +++++++++++++++++++++++++++++++------------
+ 1 file changed, 78 insertions(+), 30 deletions(-)
+
+--- a/drivers/crypto/ccp/ccp-ops.c
++++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -178,14 +178,18 @@ static int ccp_init_dm_workarea(struct c
+ return 0;
+ }
+
+-static void ccp_set_dm_area(struct ccp_dm_workarea *wa, unsigned int wa_offset,
+- struct scatterlist *sg, unsigned int sg_offset,
+- unsigned int len)
++static int ccp_set_dm_area(struct ccp_dm_workarea *wa, unsigned int wa_offset,
++ struct scatterlist *sg, unsigned int sg_offset,
++ unsigned int len)
+ {
+ WARN_ON(!wa->address);
+
++ if (len > (wa->length - wa_offset))
++ return -EINVAL;
++
+ scatterwalk_map_and_copy(wa->address + wa_offset, sg, sg_offset, len,
+ 0);
++ return 0;
+ }
+
+ static void ccp_get_dm_area(struct ccp_dm_workarea *wa, unsigned int wa_offset,
+@@ -205,8 +209,11 @@ static int ccp_reverse_set_dm_area(struc
+ unsigned int len)
+ {
+ u8 *p, *q;
++ int rc;
+
+- ccp_set_dm_area(wa, wa_offset, sg, sg_offset, len);
++ rc = ccp_set_dm_area(wa, wa_offset, sg, sg_offset, len);
++ if (rc)
++ return rc;
+
+ p = wa->address + wa_offset;
+ q = p + len - 1;
+@@ -509,7 +516,9 @@ static int ccp_run_aes_cmac_cmd(struct c
+ return ret;
+
+ dm_offset = CCP_SB_BYTES - aes->key_len;
+- ccp_set_dm_area(&key, dm_offset, aes->key, 0, aes->key_len);
++ ret = ccp_set_dm_area(&key, dm_offset, aes->key, 0, aes->key_len);
++ if (ret)
++ goto e_key;
+ ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
+ CCP_PASSTHRU_BYTESWAP_256BIT);
+ if (ret) {
+@@ -528,7 +537,9 @@ static int ccp_run_aes_cmac_cmd(struct c
+ goto e_key;
+
+ dm_offset = CCP_SB_BYTES - AES_BLOCK_SIZE;
+- ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
++ ret = ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
++ if (ret)
++ goto e_ctx;
+ ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
+ CCP_PASSTHRU_BYTESWAP_256BIT);
+ if (ret) {
+@@ -556,8 +567,10 @@ static int ccp_run_aes_cmac_cmd(struct c
+ goto e_src;
+ }
+
+- ccp_set_dm_area(&ctx, 0, aes->cmac_key, 0,
+- aes->cmac_key_len);
++ ret = ccp_set_dm_area(&ctx, 0, aes->cmac_key, 0,
++ aes->cmac_key_len);
++ if (ret)
++ goto e_src;
+ ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
+ CCP_PASSTHRU_BYTESWAP_256BIT);
+ if (ret) {
+@@ -666,7 +679,9 @@ static int ccp_run_aes_gcm_cmd(struct cc
+ return ret;
+
+ dm_offset = CCP_SB_BYTES - aes->key_len;
+- ccp_set_dm_area(&key, dm_offset, aes->key, 0, aes->key_len);
++ ret = ccp_set_dm_area(&key, dm_offset, aes->key, 0, aes->key_len);
++ if (ret)
++ goto e_key;
+ ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
+ CCP_PASSTHRU_BYTESWAP_256BIT);
+ if (ret) {
+@@ -685,7 +700,9 @@ static int ccp_run_aes_gcm_cmd(struct cc
+ goto e_key;
+
+ dm_offset = CCP_AES_CTX_SB_COUNT * CCP_SB_BYTES - aes->iv_len;
+- ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
++ ret = ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
++ if (ret)
++ goto e_ctx;
+
+ ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
+ CCP_PASSTHRU_BYTESWAP_256BIT);
+@@ -777,7 +794,9 @@ static int ccp_run_aes_gcm_cmd(struct cc
+ goto e_dst;
+ }
+
+- ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
++ ret = ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
++ if (ret)
++ goto e_dst;
+
+ ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
+ CCP_PASSTHRU_BYTESWAP_256BIT);
+@@ -820,7 +839,9 @@ static int ccp_run_aes_gcm_cmd(struct cc
+ DMA_BIDIRECTIONAL);
+ if (ret)
+ goto e_tag;
+- ccp_set_dm_area(&tag, 0, p_tag, 0, AES_BLOCK_SIZE);
++ ret = ccp_set_dm_area(&tag, 0, p_tag, 0, AES_BLOCK_SIZE);
++ if (ret)
++ goto e_tag;
+
+ ret = memcmp(tag.address, final_wa.address, AES_BLOCK_SIZE);
+ ccp_dm_free(&tag);
+@@ -914,7 +935,9 @@ static int ccp_run_aes_cmd(struct ccp_cm
+ return ret;
+
+ dm_offset = CCP_SB_BYTES - aes->key_len;
+- ccp_set_dm_area(&key, dm_offset, aes->key, 0, aes->key_len);
++ ret = ccp_set_dm_area(&key, dm_offset, aes->key, 0, aes->key_len);
++ if (ret)
++ goto e_key;
+ ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
+ CCP_PASSTHRU_BYTESWAP_256BIT);
+ if (ret) {
+@@ -935,7 +958,9 @@ static int ccp_run_aes_cmd(struct ccp_cm
+ if (aes->mode != CCP_AES_MODE_ECB) {
+ /* Load the AES context - convert to LE */
+ dm_offset = CCP_SB_BYTES - AES_BLOCK_SIZE;
+- ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
++ ret = ccp_set_dm_area(&ctx, dm_offset, aes->iv, 0, aes->iv_len);
++ if (ret)
++ goto e_ctx;
+ ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
+ CCP_PASSTHRU_BYTESWAP_256BIT);
+ if (ret) {
+@@ -1111,8 +1136,12 @@ static int ccp_run_xts_aes_cmd(struct cc
+ * big endian to little endian.
+ */
+ dm_offset = CCP_SB_BYTES - AES_KEYSIZE_128;
+- ccp_set_dm_area(&key, dm_offset, xts->key, 0, xts->key_len);
+- ccp_set_dm_area(&key, 0, xts->key, xts->key_len, xts->key_len);
++ ret = ccp_set_dm_area(&key, dm_offset, xts->key, 0, xts->key_len);
++ if (ret)
++ goto e_key;
++ ret = ccp_set_dm_area(&key, 0, xts->key, xts->key_len, xts->key_len);
++ if (ret)
++ goto e_key;
+ } else {
+ /* Version 5 CCPs use a 512-bit space for the key: each portion
+ * occupies 256 bits, or one entire slot, and is zero-padded.
+@@ -1121,9 +1150,13 @@ static int ccp_run_xts_aes_cmd(struct cc
+
+ dm_offset = CCP_SB_BYTES;
+ pad = dm_offset - xts->key_len;
+- ccp_set_dm_area(&key, pad, xts->key, 0, xts->key_len);
+- ccp_set_dm_area(&key, dm_offset + pad, xts->key, xts->key_len,
+- xts->key_len);
++ ret = ccp_set_dm_area(&key, pad, xts->key, 0, xts->key_len);
++ if (ret)
++ goto e_key;
++ ret = ccp_set_dm_area(&key, dm_offset + pad, xts->key,
++ xts->key_len, xts->key_len);
++ if (ret)
++ goto e_key;
+ }
+ ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
+ CCP_PASSTHRU_BYTESWAP_256BIT);
+@@ -1142,7 +1175,9 @@ static int ccp_run_xts_aes_cmd(struct cc
+ if (ret)
+ goto e_key;
+
+- ccp_set_dm_area(&ctx, 0, xts->iv, 0, xts->iv_len);
++ ret = ccp_set_dm_area(&ctx, 0, xts->iv, 0, xts->iv_len);
++ if (ret)
++ goto e_ctx;
+ ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
+ CCP_PASSTHRU_BYTESWAP_NOOP);
+ if (ret) {
+@@ -1285,12 +1320,18 @@ static int ccp_run_des3_cmd(struct ccp_c
+ dm_offset = CCP_SB_BYTES - des3->key_len; /* Basic offset */
+
+ len_singlekey = des3->key_len / 3;
+- ccp_set_dm_area(&key, dm_offset + 2 * len_singlekey,
+- des3->key, 0, len_singlekey);
+- ccp_set_dm_area(&key, dm_offset + len_singlekey,
+- des3->key, len_singlekey, len_singlekey);
+- ccp_set_dm_area(&key, dm_offset,
+- des3->key, 2 * len_singlekey, len_singlekey);
++ ret = ccp_set_dm_area(&key, dm_offset + 2 * len_singlekey,
++ des3->key, 0, len_singlekey);
++ if (ret)
++ goto e_key;
++ ret = ccp_set_dm_area(&key, dm_offset + len_singlekey,
++ des3->key, len_singlekey, len_singlekey);
++ if (ret)
++ goto e_key;
++ ret = ccp_set_dm_area(&key, dm_offset,
++ des3->key, 2 * len_singlekey, len_singlekey);
++ if (ret)
++ goto e_key;
+
+ /* Copy the key to the SB */
+ ret = ccp_copy_to_sb(cmd_q, &key, op.jobid, op.sb_key,
+@@ -1318,7 +1359,10 @@ static int ccp_run_des3_cmd(struct ccp_c
+
+ /* Load the context into the LSB */
+ dm_offset = CCP_SB_BYTES - des3->iv_len;
+- ccp_set_dm_area(&ctx, dm_offset, des3->iv, 0, des3->iv_len);
++ ret = ccp_set_dm_area(&ctx, dm_offset, des3->iv, 0,
++ des3->iv_len);
++ if (ret)
++ goto e_ctx;
+
+ if (cmd_q->ccp->vdata->version == CCP_VERSION(3, 0))
+ load_mode = CCP_PASSTHRU_BYTESWAP_NOOP;
+@@ -1602,8 +1646,10 @@ static int ccp_run_sha_cmd(struct ccp_cm
+ }
+ } else {
+ /* Restore the context */
+- ccp_set_dm_area(&ctx, 0, sha->ctx, 0,
+- sb_count * CCP_SB_BYTES);
++ ret = ccp_set_dm_area(&ctx, 0, sha->ctx, 0,
++ sb_count * CCP_SB_BYTES);
++ if (ret)
++ goto e_ctx;
+ }
+
+ ret = ccp_copy_to_sb(cmd_q, &ctx, op.jobid, op.sb_ctx,
+@@ -1903,7 +1949,9 @@ static int ccp_run_passthru_cmd(struct c
+ if (ret)
+ return ret;
+
+- ccp_set_dm_area(&mask, 0, pt->mask, 0, pt->mask_len);
++ ret = ccp_set_dm_area(&mask, 0, pt->mask, 0, pt->mask_len);
++ if (ret)
++ goto e_mask;
+ ret = ccp_copy_to_sb(cmd_q, &mask, op.jobid, op.sb_key,
+ CCP_PASSTHRU_BYTESWAP_NOOP);
+ if (ret) {
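Review bot: The new bound in `ccp_set_dm_area()`, `len > (wa->length - wa_offset)`, is an unsigned subtraction (assuming `wa->length` is unsigned like `wa_offset`), so an offset larger than `wa->length` wraps the right-hand side and the copy is still allowed. Several callers in this patch derive the offset by subtracting a request-supplied length, for example `dm_offset = CCP_SB_BYTES - aes->key_len`, and nothing visible here caps those lengths before the subtraction. Checking the offset first closes that gap: `if (wa_offset > wa->length || len > wa->length - wa_offset) return -EINVAL;`. The reverse direction, `ccp_get_dm_area()`, stays `void` and unchecked in the context lines; it deserves the same bound or a comment saying why its callers cannot exceed the work area.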
diff --git a/patches.fixes/crypto-ccp-gcm-use-const-time-tag-comparison.patch b/patches.fixes/crypto-ccp-gcm-use-const-time-tag-comparison.patch
index 2669c284ca..8f6df25061 100644
--- a/patches.fixes/crypto-ccp-gcm-use-const-time-tag-comparison.patch
+++ b/patches.fixes/crypto-ccp-gcm-use-const-time-tag-comparison.patch
@@ -21,9 +21,9 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
--- a/drivers/crypto/ccp/ccp-ops.c
+++ b/drivers/crypto/ccp/ccp-ops.c
-@@ -832,7 +832,8 @@ static int ccp_run_aes_gcm_cmd(struct cc
+@@ -853,7 +853,8 @@ static int ccp_run_aes_gcm_cmd(struct cc
+ if (ret)
goto e_tag;
- ccp_set_dm_area(&tag, 0, p_tag, 0, AES_BLOCK_SIZE);
- ret = memcmp(tag.address, final_wa.address, AES_BLOCK_SIZE);
+ ret = crypto_memneq(tag.address, final_wa.address,
diff --git a/patches.fixes/mac80211-don-t-WARN-on-short-WMM-parameters-from-AP.patch b/patches.fixes/mac80211-don-t-WARN-on-short-WMM-parameters-from-AP.patch
new file mode 100644
index 0000000000..1e71189e1d
--- /dev/null
+++ b/patches.fixes/mac80211-don-t-WARN-on-short-WMM-parameters-from-AP.patch
@@ -0,0 +1,52 @@
+From 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Fri, 26 Jul 2019 15:47:58 -0700
+Subject: [PATCH] mac80211: don't WARN on short WMM parameters from AP
+Git-commit: 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced
+Patch-mainline: v5.3-rc4
+References: bsc#1051510
+
+In a very similar spirit to commit c470bdc1aaf3 ("mac80211: don't WARN
+on bad WMM parameters from buggy APs"), an AP may not transmit a
+fully-formed WMM IE. For example, it may miss or repeat an Access
+Category. The above loop won't catch that and will instead leave one of
+the four ACs zeroed out. This triggers the following warning in
+drv_conf_tx()
+
+ wlan0: invalid CW_min/CW_max: 0/0
+
+and it may leave one of the hardware queues unconfigured. If we detect
+such a case, let's just print a warning and fall back to the defaults.
+
+Tested with a hacked version of hostapd, intentionally corrupting the
+IEs in hostapd_eid_wmm().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Link: https://lore.kernel.org/r/20190726224758.210953-1-briannorris@chromium.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/mac80211/mlme.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1872,6 +1872,16 @@ static bool ieee80211_sta_wmm_params(str
+ ieee80211_regulatory_limit_wmm_params(sdata, &params[ac], ac);
+ }
+
++ /* WMM specification requires all 4 ACIs. */
++ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
++ if (params[ac].cw_min == 0) {
++ sdata_info(sdata,
++ "AP has invalid WMM params (missing AC %d), using defaults\n",
++ ac);
++ return false;
++ }
++ }
++
+ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
+ mlme_dbg(sdata,
+ "WMM AC=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d, downgraded=%d\n",
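Review bot: The added loop in `ieee80211_sta_wmm_params()` uses `params[ac].cw_min == 0` as the marker for an access category the AP never sent, which only works if `params` is zeroed before the parse loop above the hunk; that initialisation is not visible here and the one-line comment does not mention it. I would spell the assumption out, for example `/* params[] starts zeroed; an AC the AP omitted or repeated is left with cw_min == 0 */`. `drv_conf_tx()`, shown in the companion patch of this merge, also rejects `cw_min > cw_max`; presumably the earlier loop already handles that for AP-supplied values, but it is worth confirming, since this data comes from the peer. The function starts and ends outside the hunk.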
diff --git a/patches.fixes/mac80211-don-t-warn-about-CW-params-when-not-using-t.patch b/patches.fixes/mac80211-don-t-warn-about-CW-params-when-not-using-t.patch
new file mode 100644
index 0000000000..c00726a7bc
--- /dev/null
+++ b/patches.fixes/mac80211-don-t-warn-about-CW-params-when-not-using-t.patch
@@ -0,0 +1,54 @@
+From d2b3fe42bc629c2d4002f652b3abdfb2e72991c7 Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Wed, 17 Jul 2019 18:57:12 -0700
+Subject: [PATCH] mac80211: don't warn about CW params when not using them
+Git-commit: d2b3fe42bc629c2d4002f652b3abdfb2e72991c7
+Patch-mainline: v5.3-rc2
+References: bsc#1051510
+
+ieee80211_set_wmm_default() normally sets up the initial CW min/max for
+each queue, except that it skips doing this if the driver doesn't
+support ->conf_tx. We still end up calling drv_conf_tx() in some cases
+(e.g., ieee80211_reconfig()), which also still won't do anything
+useful...except it complains here about the invalid CW parameters.
+
+Let's just skip the WARN if we weren't going to do anything useful with
+the parameters.
+
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Link: https://lore.kernel.org/r/20190718015712.197499-1-briannorris@chromium.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/mac80211/driver-ops.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/mac80211/driver-ops.c b/net/mac80211/driver-ops.c
+index acd4afb4944b..c9a8a2433e8a 100644
+--- a/net/mac80211/driver-ops.c
++++ b/net/mac80211/driver-ops.c
+@@ -187,11 +187,16 @@ int drv_conf_tx(struct ieee80211_local *local,
+ if (!check_sdata_in_driver(sdata))
+ return -EIO;
+
+- if (WARN_ONCE(params->cw_min == 0 ||
+- params->cw_min > params->cw_max,
+- "%s: invalid CW_min/CW_max: %d/%d\n",
+- sdata->name, params->cw_min, params->cw_max))
++ if (params->cw_min == 0 || params->cw_min > params->cw_max) {
++ /*
++ * If we can't configure hardware anyway, don't warn. We may
++ * never have initialized the CW parameters.
++ */
++ WARN_ONCE(local->ops->conf_tx,
++ "%s: invalid CW_min/CW_max: %d/%d\n",
++ sdata->name, params->cw_min, params->cw_max);
+ return -EINVAL;
++ }
+
+ trace_drv_conf_tx(local, sdata, ac, params);
+ if (local->ops->conf_tx)
+--
+2.16.4
+
diff --git a/patches.suse/btrfs-add-missing-inode-version-ctime-and-mtime-upda.patch b/patches.suse/btrfs-add-missing-inode-version-ctime-and-mtime-upda.patch
new file mode 100644
index 0000000000..1b679dd9cf
--- /dev/null
+++ b/patches.suse/btrfs-add-missing-inode-version-ctime-and-mtime-upda.patch
@@ -0,0 +1,44 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 19 Jun 2019 13:05:50 +0100
+Git-commit: 179006688a7e888cbff39577189f2e034786d06a
+Patch-mainline: 5.3-rc1
+References: bsc#1140487
+Subject: [PATCH] Btrfs: add missing inode version, ctime and mtime updates
+ when punching hole
+
+If the range for which we are punching a hole covers only part of a page,
+we end up updating the inode item but we skip the update of the inode's
+iversion, mtime and ctime. Fix that by ensuring we update those properties
+of the inode.
+
+A patch for fstests test case generic/059 that tests this as been sent
+along with this fix.
+
+Fixes: 2aaa66558172b0 ("Btrfs: add hole punching")
+Fixes: e8c1c76e804b18 ("Btrfs: add missing inode update when punching hole")
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/file.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
+index e4137008e12b..320b01580f2e 100644
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -2783,6 +2783,11 @@ static int btrfs_punch_hole(struct inode *inode, loff_t offset, loff_t len)
+ * for detecting, at fsync time, if the inode isn't yet in the
+ * log tree or it's there but not up to date.
+ */
++ struct timespec now = current_time(inode);
++
++ inode_inc_iversion(inode);
++ inode->i_mtime = now;
++ inode->i_ctime = now;
+ trans = btrfs_start_transaction(root, 1);
+ if (IS_ERR(trans)) {
+ err = PTR_ERR(trans);
+--
+2.16.4
+
diff --git a/patches.suse/btrfs-fix-data-loss-after-inode-eviction-renaming-it.patch b/patches.suse/btrfs-fix-data-loss-after-inode-eviction-renaming-it.patch
new file mode 100644
index 0000000000..eff82aba31
--- /dev/null
+++ b/patches.suse/btrfs-fix-data-loss-after-inode-eviction-renaming-it.patch
@@ -0,0 +1,112 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 7 Jun 2019 11:25:24 +0100
+Git-commit: d1d832a0b51dd9570429bb4b81b2a6c1759e681a
+Patch-mainline: 5.3-rc1
+Subject: [PATCH] Btrfs: fix data loss after inode eviction, renaming it, and
+ fsync it
+References: bsc#1145941
+
+When we log an inode, regardless of logging it completely or only that it
+exists, we always update it as logged (logged_trans and last_log_commit
+fields of the inode are updated). This is generally fine and avoids future
+attempts to log it from having to do repeated work that brings no value.
+
+However, if we write data to a file, then evict its inode after all the
+dealloc was flushed (and ordered extents completed), rename the file and
+fsync it, we end up not logging the new extents, since the rename may
+result in logging that the inode exists in case the parent directory was
+logged before. The following reproducer shows and explains how this can
+happen:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount /dev/sdb /mnt
+
+ $ mkdir /mnt/dir
+ $ touch /mnt/dir/foo
+ $ touch /mnt/dir/bar
+
+ # Do a direct IO write instead of a buffered write because with a
+ # buffered write we would need to make sure dealloc gets flushed and
+ # complete before we do the inode eviction later, and we can not do that
+ # from user space with call to things such as sync(2) since that results
+ # in a transaction commit as well.
+ $ xfs_io -d -c "pwrite -S 0xd3 0 4K" /mnt/dir/bar
+
+ # Keep the directory dir in use while we evict inodes. We want our file
+ # bar's inode to be evicted but we don't want our directory's inode to
+ # be evicted (if it were evicted too, we would not be able to reproduce
+ # the issue since the first fsync below, of file foo, would result in a
+ # transaction commit.
+ $ ( cd /mnt/dir; while true; do :; done ) &
+ $ pid=$!
+
+ # Wait a bit to give time for the background process to chdir.
+ $ sleep 0.1
+
+ # Evict all inodes, except the inode for the directory dir because it is
+ # currently in use by our background process.
+ $ echo 2 > /proc/sys/vm/drop_caches
+
+ # fsync file foo, which ends up persisting information about the parent
+ # directory because it is a new inode.
+ $ xfs_io -c fsync /mnt/dir/foo
+
+ # Rename bar, this results in logging that this inode exists (inode item,
+ # names, xattrs) because the parent directory is in the log.
+ $ mv /mnt/dir/bar /mnt/dir/baz
+
+ # Now fsync baz, which ends up doing absolutely nothing because of the
+ # rename operation which logged that the inode exists only.
+ $ xfs_io -c fsync /mnt/dir/baz
+
+ <power failure>
+
+ $ mount /dev/sdb /mnt
+ $ od -t x1 -A d /mnt/dir/baz
+ 0000000
+
+ --> Empty file, data we wrote is missing.
+
+Fix this by not updating last_sub_trans of an inode when we are logging
+only that it exists and the inode was not yet logged since it was loaded
+from disk (full_sync bit set), this is enough to make btrfs_inode_in_log()
+return false for this scenario and make us log the inode. The logged_trans
+of the inode is still always setsince that alone is used to track if names
+need to be deleted as part of unlink operations.
+
+Fixes: 257c62e1bce03e ("Btrfs: avoid tree log commit when there are no changes")
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/tree-log.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 46ba55a225ff..de05078bc634 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -5591,9 +5591,19 @@ static int btrfs_log_inode(struct btrfs_trans_handle *trans,
+ }
+ }
+
++ /*
++ * Don't update last_log_commit if we logged that an inode exists after
++ * it was loaded to memory (full_sync bit set).
++ * This is to prevent data loss when we do a write to the inode, then
++ * the inode gets evicted after all delalloc was flushed, then we log
++ * it exists (due to a rename for example) and then fsync it. This last
++ * fsync would do nothing (not logging the extents previously written).
++ */
+ spin_lock(&inode->lock);
+ inode->logged_trans = trans->transid;
+- inode->last_log_commit = inode->last_sub_trans;
++ if (inode_only != LOG_INODE_EXISTS ||
++ !test_bit(BTRFS_INODE_NEEDS_FULL_SYNC, &inode->runtime_flags))
++ inode->last_log_commit = inode->last_sub_trans;
+ spin_unlock(&inode->lock);
+ out_unlock:
+ if (unlikely(err))
+--
+2.16.4
+
diff --git a/patches.suse/btrfs-fix-fsync-not-persisting-dentry-deletions-due-.patch b/patches.suse/btrfs-fix-fsync-not-persisting-dentry-deletions-due-.patch
new file mode 100644
index 0000000000..9c5d4f3d3b
--- /dev/null
+++ b/patches.suse/btrfs-fix-fsync-not-persisting-dentry-deletions-due-.patch
@@ -0,0 +1,135 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 19 Jun 2019 13:05:39 +0100
+Git-commit: 803f0f64d17769071d7287d9e3e3b79a3e1ae937
+Patch-mainline: 5.3-rc1
+Subject: [PATCH] Btrfs: fix fsync not persisting dentry deletions due to inode
+ evictions
+References: bsc#1145942
+
+In order to avoid searches on a log tree when unlinking an inode, we check
+if the inode being unlinked was logged in the current transaction, as well
+as the inode of its parent directory. When any of the inodes are logged,
+we proceed to delete directory items and inode reference items from the
+log, to ensure that if a subsequent fsync of only the inode being unlinked
+or only of the parent directory when the other is not fsync'ed as well,
+does not result in the entry still existing after a power failure.
+
+That check however is not reliable when one of the inodes involved (the
+one being unlinked or its parent directory's inode) is evicted, since the
+logged_trans field is transient, that is, it is not stored on disk, so it
+is lost when the inode is evicted and loaded into memory again (which is
+set to zero on load). As a consequence the checks currently being done by
+btrfs_del_dir_entries_in_log() and btrfs_del_inode_ref_in_log() always
+return true if the inode was evicted before, regardless of the inode
+having been logged or not before (and in the current transaction), this
+results in the dentry being unlinked still existing after a log replay
+if after the unlink operation only one of the inodes involved is fsync'ed.
+
+Example:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount /dev/sdb /mnt
+
+ $ mkdir /mnt/dir
+ $ touch /mnt/dir/foo
+ $ xfs_io -c fsync /mnt/dir/foo
+
+ # Keep an open file descriptor on our directory while we evict inodes.
+ # We just want to evict the file's inode, the directory's inode must not
+ # be evicted.
+ $ ( cd /mnt/dir; while true; do :; done ) &
+ $ pid=$!
+
+ # Wait a bit to give time to background process to chdir to our test
+ # directory.
+ $ sleep 0.5
+
+ # Trigger eviction of the file's inode.
+ $ echo 2 > /proc/sys/vm/drop_caches
+
+ # Unlink our file and fsync the parent directory. After a power failure
+ # we don't expect to see the file anymore, since we fsync'ed the parent
+ # directory.
+ $ rm -f $SCRATCH_MNT/dir/foo
+ $ xfs_io -c fsync /mnt/dir
+
+ <power failure>
+
+ $ mount /dev/sdb /mnt
+ $ ls /mnt/dir
+ foo
+ $
+ --> file still there, unlink not persisted despite explicit fsync on dir
+
+Fix this by checking if the inode has the full_sync bit set in its runtime
+flags as well, since that bit is set everytime an inode is loaded from
+disk, or for other less common cases such as after a shrinking truncate
+or failure to allocate extent maps for holes, and gets cleared after the
+first fsync. Also consider the inode as possibly logged only if it was
+last modified in the current transaction (besides having the full_fsync
+flag set).
+
+Fixes: 3a5f1d458ad161 ("Btrfs: Optimize btree walking while logging inodes")
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/tree-log.c | 28 ++++++++++++++++++++++++++--
+ 1 file changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index de05078bc634..cc91cba8ca3e 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -3377,6 +3377,30 @@ int btrfs_free_log_root_tree(struct btrfs_trans_handle *trans,
+ return 0;
+ }
+
++/*
++ * Check if an inode was logged in the current transaction. We can't always rely
++ * on an inode's logged_trans value, because it's an in-memory only field and
++ * therefore not persisted. This means that its value is lost if the inode gets
++ * evicted and loaded again from disk (in which case it has a value of 0, and
++ * certainly it is smaller then any possible transaction ID), when that happens
++ * the full_sync flag is set in the inode's runtime flags, so on that case we
++ * assume eviction happened and ignore the logged_trans value, assuming the
++ * worst case, that the inode was logged before in the current transaction.
++ */
++static bool inode_logged(struct btrfs_trans_handle *trans,
++ struct btrfs_inode *inode)
++{
++ if (inode->logged_trans == trans->transid)
++ return true;
++
++ if (inode->last_trans == trans->transid &&
++ test_bit(BTRFS_INODE_NEEDS_FULL_SYNC, &inode->runtime_flags) &&
++ !test_bit(BTRFS_FS_LOG_RECOVERING, &trans->fs_info->flags))
++ return true;
++
++ return false;
++}
++
+ /*
+ * If both a file and directory are logged, and unlinks or renames are
+ * mixed in, we have a few interesting corners:
+@@ -3411,7 +3435,7 @@ int btrfs_del_dir_entries_in_log(struct btrfs_trans_handle *trans,
+ int bytes_del = 0;
+ u64 dir_ino = btrfs_ino(dir);
+
+- if (dir->logged_trans < trans->transid)
++ if (!inode_logged(trans, dir))
+ return 0;
+
+ ret = join_running_log_trans(root);
+@@ -3516,7 +3540,7 @@ int btrfs_del_inode_ref_in_log(struct btrfs_trans_handle *trans,
+ u64 index;
+ int ret;
+
+- if (inode->logged_trans < trans->transid)
++ if (!inode_logged(trans, inode))
+ return 0;
+
+ ret = join_running_log_trans(root);
+--
+2.16.4
+
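Review bot: `inode_logged()` reads `inode->logged_trans` and `inode->last_trans` without taking `inode->lock`, while the companion tree-log patch in this merge writes `logged_trans` under `spin_lock(&inode->lock)` in `btrfs_log_inode()`. Whether the two callers changed here, `btrfs_del_dir_entries_in_log()` and `btrfs_del_inode_ref_in_log()`, hold anything that serialises against that write is not visible in the hunk. The helper is deliberately conservative, so a stale read most likely costs only an unnecessary log search. Its header comment should still say so, for example `/* Lockless read: a stale logged_trans can only make us assume the inode was logged. */`, once that has been confirmed against the callers.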
diff --git a/patches.suse/btrfs-fix-incremental-send-failure-after-deduplicati.patch b/patches.suse/btrfs-fix-incremental-send-failure-after-deduplicati.patch
new file mode 100644
index 0000000000..9cd2be6ead
--- /dev/null
+++ b/patches.suse/btrfs-fix-incremental-send-failure-after-deduplicati.patch
@@ -0,0 +1,181 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 17 Jul 2019 13:23:39 +0100
+Git-commit: b4f9a1a87a48c255bb90d8a6c3d555a1abb88130
+Patch-mainline: 5.3-rc3
+Subject: [PATCH] Btrfs: fix incremental send failure after deduplication
+References: bsc#1145940
+
+When doing an incremental send operation we can fail if we previously did
+deduplication operations against a file that exists in both snapshots. In
+that case we will fail the send operation with -EIO and print a message
+to dmesg/syslog like the following:
+
+ BTRFS error (device sdc): Send: inconsistent snapshot, found updated \
+ extent for inode 257 without updated inode item, send root is 258, \
+ parent root is 257
+
+This requires that we deduplicate to the same file in both snapshots for
+the same amount of times on each snapshot. The issue happens because a
+deduplication only updates the iversion of an inode and does not update
+any other field of the inode, therefore if we deduplicate the file on
+each snapshot for the same amount of time, the inode will have the same
+iversion value (stored as the "sequence" field on the inode item) on both
+snapshots, therefore it will be seen as unchanged between in the send
+snapshot while there are new/updated/deleted extent items when comparing
+to the parent snapshot. This makes the send operation return -EIO and
+print an error message.
+
+Example reproducer:
+
+ $ mkfs.btrfs -f /dev/sdb
+ $ mount /dev/sdb /mnt
+
+ # Create our first file. The first half of the file has several 64Kb
+ # extents while the second half as a single 512Kb extent.
+ $ xfs_io -f -s -c "pwrite -S 0xb8 -b 64K 0 512K" /mnt/foo
+ $ xfs_io -c "pwrite -S 0xb8 512K 512K" /mnt/foo
+
+ # Create the base snapshot and the parent send stream from it.
+ $ btrfs subvolume snapshot -r /mnt /mnt/mysnap1
+ $ btrfs send -f /tmp/1.snap /mnt/mysnap1
+
+ # Create our second file, that has exactly the same data as the first
+ # file.
+ $ xfs_io -f -c "pwrite -S 0xb8 0 1M" /mnt/bar
+
+ # Create the second snapshot, used for the incremental send, before
+ # doing the file deduplication.
+ $ btrfs subvolume snapshot -r /mnt /mnt/mysnap2
+
+ # Now before creating the incremental send stream:
+ #
+ # 1) Deduplicate into a subrange of file foo in snapshot mysnap1. This
+ # will drop several extent items and add a new one, also updating
+ # the inode's iversion (sequence field in inode item) by 1, but not
+ # any other field of the inode;
+ #
+ # 2) Deduplicate into a different subrange of file foo in snapshot
+ # mysnap2. This will replace an extent item with a new one, also
+ # updating the inode's iversion by 1 but not any other field of the
+ # inode.
+ #
+ # After these two deduplication operations, the inode items, for file
+ # foo, are identical in both snapshots, but we have different extent
+ # items for this inode in both snapshots. We want to check this doesn't
+ # cause send to fail with an error or produce an incorrect stream.
+
+ $ xfs_io -r -c "dedupe /mnt/bar 0 0 512K" /mnt/mysnap1/foo
+ $ xfs_io -r -c "dedupe /mnt/bar 512K 512K 512K" /mnt/mysnap2/foo
+
+ # Create the incremental send stream.
+ $ btrfs send -p /mnt/mysnap1 -f /tmp/2.snap /mnt/mysnap2
+ ERROR: send ioctl failed with -5: Input/output error
+
+This issue started happening back in 2015 when deduplication was updated
+to not update the inode's ctime and mtime and update only the iversion.
+Back then we would hit a BUG_ON() in send, but later in 2016 send was
+updated to return -EIO and print the error message instead of doing the
+BUG_ON().
+
+A test case for fstests follows soon.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203933
+Fixes: 1c919a5e13702c ("btrfs: don't update mtime/ctime on deduped inodes")
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/send.c | 77 +++++++++++----------------------------------------------
+ 1 file changed, 15 insertions(+), 62 deletions(-)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index bb1861ca7ddf..a3dd934ad293 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -6250,68 +6250,21 @@ static int changed_extent(struct send_ctx *sctx,
+ {
+ int ret = 0;
+
+- if (sctx->cur_ino != sctx->cmp_key->objectid) {
+-
+- if (result == BTRFS_COMPARE_TREE_CHANGED) {
+- struct extent_buffer *leaf_l;
+- struct extent_buffer *leaf_r;
+- struct btrfs_file_extent_item *ei_l;
+- struct btrfs_file_extent_item *ei_r;
+-
+- leaf_l = sctx->left_path->nodes[0];
+- leaf_r = sctx->right_path->nodes[0];
+- ei_l = btrfs_item_ptr(leaf_l,
+- sctx->left_path->slots[0],
+- struct btrfs_file_extent_item);
+- ei_r = btrfs_item_ptr(leaf_r,
+- sctx->right_path->slots[0],
+- struct btrfs_file_extent_item);
+-
+- /*
+- * We may have found an extent item that has changed
+- * only its disk_bytenr field and the corresponding
+- * inode item was not updated. This case happens due to
+- * very specific timings during relocation when a leaf
+- * that contains file extent items is COWed while
+- * relocation is ongoing and its in the stage where it
+- * updates data pointers. So when this happens we can
+- * safely ignore it since we know it's the same extent,
+- * but just at different logical and physical locations
+- * (when an extent is fully replaced with a new one, we
+- * know the generation number must have changed too,
+- * since snapshot creation implies committing the current
+- * transaction, and the inode item must have been updated
+- * as well).
+- * This replacement of the disk_bytenr happens at
+- * relocation.c:replace_file_extents() through
+- * relocation.c:btrfs_reloc_cow_block().
+- */
+- if (btrfs_file_extent_generation(leaf_l, ei_l) ==
+- btrfs_file_extent_generation(leaf_r, ei_r) &&
+- btrfs_file_extent_ram_bytes(leaf_l, ei_l) ==
+- btrfs_file_extent_ram_bytes(leaf_r, ei_r) &&
+- btrfs_file_extent_compression(leaf_l, ei_l) ==
+- btrfs_file_extent_compression(leaf_r, ei_r) &&
+- btrfs_file_extent_encryption(leaf_l, ei_l) ==
+- btrfs_file_extent_encryption(leaf_r, ei_r) &&
+- btrfs_file_extent_other_encoding(leaf_l, ei_l) ==
+- btrfs_file_extent_other_encoding(leaf_r, ei_r) &&
+- btrfs_file_extent_type(leaf_l, ei_l) ==
+- btrfs_file_extent_type(leaf_r, ei_r) &&
+- btrfs_file_extent_disk_bytenr(leaf_l, ei_l) !=
+- btrfs_file_extent_disk_bytenr(leaf_r, ei_r) &&
+- btrfs_file_extent_disk_num_bytes(leaf_l, ei_l) ==
+- btrfs_file_extent_disk_num_bytes(leaf_r, ei_r) &&
+- btrfs_file_extent_offset(leaf_l, ei_l) ==
+- btrfs_file_extent_offset(leaf_r, ei_r) &&
+- btrfs_file_extent_num_bytes(leaf_l, ei_l) ==
+- btrfs_file_extent_num_bytes(leaf_r, ei_r))
+- return 0;
+- }
+-
+- inconsistent_snapshot_error(sctx, result, "extent");
+- return -EIO;
+- }
++ /*
++ * We have found an extent item that changed without the inode item
++ * having changed. This can happen either after relocation (where the
++ * disk_bytenr of an extent item is replaced at
++ * relocation.c:replace_file_extents()) or after deduplication into a
++ * file in both the parent and send snapshots (where an extent item can
++ * get modified or replaced with a new one). Note that deduplication
++ * updates the inode item, but it only changes the iversion (sequence
++ * field in the inode item) of the inode, so if a file is deduplicated
++ * the same amount of times in both the parent and send snapshots, its
++ * iversion becames the same in both snapshots, whence the inode item is
++ * the same on both snapshots.
++ */
++ if (sctx->cur_ino != sctx->cmp_key->objectid)
++ return 0;
+
+ if (!sctx->cur_inode_new_gen && !sctx->cur_inode_deleted) {
+ if (result != BTRFS_COMPARE_TREE_DELETED)
+--
+2.16.4
+
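Review bot: With the `-EIO` branch removed, `changed_extent()` returns 0 for every extent item whose inode differs from `sctx->cur_ino`, so the `inconsistent_snapshot_error()` diagnostic is lost for any cause other than the two the new comment names. The deleted code tolerated the mismatch only when every compared field except `disk_bytenr` matched; the replacement tolerates all mismatches. The comment explains why the mismatch can occur, but not why skipping the extent is safe for the resulting send stream in the deduplication case. I would add that reasoning to the comment, or keep a low-severity log line on this path so that a truly inconsistent snapshot stays observable. The function body continues past the hunk.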
diff --git a/patches.suse/btrfs-fix-race-leading-to-fs-corruption-after-transa.patch b/patches.suse/btrfs-fix-race-leading-to-fs-corruption-after-transa.patch
new file mode 100644
index 0000000000..dd70a59ff8
--- /dev/null
+++ b/patches.suse/btrfs-fix-race-leading-to-fs-corruption-after-transa.patch
@@ -0,0 +1,144 @@
+From: Filipe Manana <fdmanana@suse.com>
+Date: Thu, 25 Jul 2019 11:27:04 +0100
+Git-commit: cb2d3daddbfb6318d170e79aac1f7d5e4d49f0d7
+Patch-mainline: 5.3-rc3
+Subject: [PATCH] Btrfs: fix race leading to fs corruption after transaction
+ abort
+References: bsc#1145937
+
+When one transaction is finishing its commit, it is possible for another
+transaction to start and enter its initial commit phase as well. If the
+first ends up getting aborted, we have a small time window where the second
+transaction commit does not notice that the previous transaction aborted
+and ends up committing, writing a superblock that points to btrees that
+reference extent buffers (nodes and leafs) that were not persisted to disk.
+The consequence is that after mounting the filesystem again, we will be
+unable to load some btree nodes/leafs, either because the content on disk
+is either garbage (or just zeroes) or corresponds to the old content of a
+previouly COWed or deleted node/leaf, resulting in the well known error
+messages "parent transid verify failed on ...".
+The following sequence diagram illustrates how this can happen.
+
+ CPU 1 CPU 2
+
+ <at transaction N>
+
+ btrfs_commit_transaction()
+ (...)
+ --> sets transaction state to
+ TRANS_STATE_UNBLOCKED
+ --> sets fs_info->running_transaction
+ to NULL
+
+ (...)
+ btrfs_start_transaction()
+ start_transaction()
+ wait_current_trans()
+ --> returns immediately
+ because
+ fs_info->running_transaction
+ is NULL
+ join_transaction()
+ --> creates transaction N + 1
+ --> sets
+ fs_info->running_transaction
+ to transaction N + 1
+ --> adds transaction N + 1 to
+ the fs_info->trans_list list
+ --> returns transaction handle
+ pointing to the new
+ transaction N + 1
+ (...)
+
+ btrfs_sync_file()
+ btrfs_start_transaction()
+ --> returns handle to
+ transaction N + 1
+ (...)
+
+ btrfs_write_and_wait_transaction()
+ --> writeback of some extent
+ buffer fails, returns an
+ error
+ btrfs_handle_fs_error()
+ --> sets BTRFS_FS_STATE_ERROR in
+ fs_info->fs_state
+ --> jumps to label "scrub_continue"
+ cleanup_transaction()
+ btrfs_abort_transaction(N)
+ --> sets BTRFS_FS_STATE_TRANS_ABORTED
+ flag in fs_info->fs_state
+ --> sets aborted field in the
+ transaction and transaction
+ handle structures, for
+ transaction N only
+ --> removes transaction from the
+ list fs_info->trans_list
+ btrfs_commit_transaction(N + 1)
+ --> transaction N + 1 was not
+ aborted, so it proceeds
+ (...)
+ --> sets the transaction's state
+ to TRANS_STATE_COMMIT_START
+ --> does not find the previous
+ transaction (N) in the
+ fs_info->trans_list, so it
+ doesn't know that transaction
+ was aborted, and the commit
+ of transaction N + 1 proceeds
+ (...)
+ --> sets transaction N + 1 state
+ to TRANS_STATE_UNBLOCKED
+ btrfs_write_and_wait_transaction()
+ --> succeeds writing all extent
+ buffers created in the
+ transaction N + 1
+ write_all_supers()
+ --> succeeds
+ --> we now have a superblock on
+ disk that points to trees
+ that refer to at least one
+ extent buffer that was
+ never persisted
+
+So fix this by updating the transaction commit path to check if the flag
+BTRFS_FS_STATE_TRANS_ABORTED is set on fs_info->fs_state if after setting
+the transaction to the TRANS_STATE_COMMIT_START we do not find any previous
+transaction in the fs_info->trans_list. If the flag is set, just fail the
+transaction commit with -EROFS, as we do in other places. The exact error
+code for the previous transaction abort was already logged and reported.
+
+Fixes: 49b25e0540904b ("btrfs: enhance transaction abort infrastructure")
+CC: stable@vger.kernel.org # 4.4+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/transaction.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
+index 5ce9180030e6..0d0f5b4b819f 100644
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -2064,6 +2064,16 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+ }
+ } else {
+ spin_unlock(&fs_info->trans_lock);
++ /*
++ * The previous transaction was aborted and was already removed
++ * from the list of transactions at fs_info->trans_list. So we
++ * abort to prevent writing a new superblock that reflects a
++ * corrupt state (pointing to trees with unwritten nodes/leafs).
++ */
++ if (test_bit(BTRFS_FS_STATE_TRANS_ABORTED, &fs_info->fs_state)) {
++ ret = -EROFS;
++ goto cleanup_transaction;
++ }
+ }
+
+ extwriter_counter_dec(cur_trans, trans->type);
+--
+2.16.4
+
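Review bot: The comment added above the `test_bit(BTRFS_FS_STATE_TRANS_ABORTED, &fs_info->fs_state)` check states as fact that the previous transaction was aborted, but it sits before the test and, going by the commit message, this `else` branch is reached whenever no previous transaction is found on `fs_info->trans_list`. Conditional wording would match the code, for example `/* No previous transaction on trans_list: if it was aborted it has already been removed, so check the fs-wide abort flag before committing. */`. It would also help to say in the comment that the flag is filesystem-wide rather than per-transaction, which is why `-EROFS` is returned instead of the original error. As this file is a backport of the upstream commit named in `Git-commit`, any rewording belongs upstream so the carried patch stays identical. The body of `btrfs_commit_transaction()` starts and ends outside the hunk.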
diff --git a/series.conf b/series.conf
index f7d7edcafd..955db55f76 100644
--- a/series.conf
+++ b/series.conf
@@ -19157,6 +19157,7 @@
patches.drivers/phy-work-around-phys-references-to-usb-nop-xceiv-dev.patch
patches.fixes/workqueue-avoid-hard-lockups-in-show_workqueue_state.patch
patches.drivers/libata-apply-max_sec_1024-to-all-liteon-ep1-series-devices.patch
+ patches.drivers/i2c-core-smbus-prevent-stack-corruption-on-read-I2C_.patch
patches.drivers/Input-twl4030-vibra-fix-sibling-node-lookup
patches.drivers/Input-twl6040-vibra-fix-child-node-lookup
patches.drivers/Input-88pm860x-ts-fix-child-node-lookup
@@ -24514,6 +24515,7 @@
patches.arch/kvm-x86-remove-warn_on-for-when-vm_munmap-fails
patches.arch/KVM-mmu-Fix-overlap-between-public-and-private-memsl.patch
patches.arch/kvm-nvmx-don-t-halt-vcpu-when-l1-is-injecting-events-to-l2
+ patches.arch/kvm-x86-fix-backward-migration-with-async_pf
patches.suse/include-psp-sev-capitalize-invalid-length-enum.patch
patches.suse/kvm-svm-no-need-to-call-access_ok-in-launch_measure-command.patch
patches.suse/kvm-svm-fix-sev-launch_secret-command.patch
@@ -27988,6 +27990,7 @@
patches.drivers/crypto-chelsio-Fix-iv-passed-in-fallback-path-for-rf.patch
patches.drivers/crypto-chelsio-Split-Hash-requests-for-large-scatter.patch
patches.fixes/crypto-virtio-remove-dependency-on-CRYPTO_AUTHENC.patch
+ patches.fixes/crypto-ccp-Validate-buffer-lengths-for-copy-operatio.patch
patches.drivers/0056-crypto-inside-secure-fix-missing-unlock-on-error-in-.patch
patches.drivers/0057-crypto-inside-secure-fix-clock-management.patch
patches.drivers/0058-crypto-inside-secure-improve-clock-initialization.patch
@@ -40237,6 +40240,7 @@
patches.fixes/0019-xfrm6-call-kfree_skb-when-skb-is-toobig.patch
patches.fixes/0020-xfrm-reset-transport-header-back-to-network-header-a.patch
patches.fixes/0021-xfrm-reset-crypto_done-when-iterating-over-multiple-.patch
+ patches.fixes/0001-xfrm-Fix-NULL-pointer-dereference-when-skb_dst_force.patch
patches.drivers/net-sched-act_ipt-check-for-underflow-in-__tcf_ipt_i.patch
patches.fixes/Bluetooth-SMP-fix-crash-in-unpairing.patch
patches.fixes/Revert-openvswitch-Fix-template-leak-in-error-cases.patch
@@ -43437,6 +43441,9 @@
patches.drivers/mlxsw-core-Increase-timeout-during-firmware-flash-pr.patch
patches.drivers/mlxsw-spectrum-Add-trap-for-decapsulated-ARP-packets.patch
patches.drivers/mlxsw-spectrum_nve-Fix-memory-leak-upon-driver-reloa.patch
+ patches.fixes/0002-xfrm-Fix-error-return-code-in-xfrm_output_one.patch
+ patches.fixes/0004-xfrm-Fix-bucket-count-reported-to-userspace.patch
+ patches.fixes/0003-xfrm-Fix-NULL-pointer-dereference-in-xfrm_input-when.patch
patches.suse/VSOCK-Send-reset-control-packet-when-socket-is-parti.patch
patches.drivers/net-mvpp2-10G-modes-aren-t-supported-on-all-ports.patch
patches.drivers/qed-Fix-an-error-code-qed_ll2_start_xmit.patch
@@ -48193,6 +48200,8 @@
patches.arch/perf-x86-clean-up-pebs_xmm_regs.patch
patches.arch/perf-x86-remove-pmu-pebs_no_xmm_regs.patch
patches.arch/x86-microcode-fix-the-microcode-load-on-cpu-hotplug-for-real.patch
+ patches.arch/x86-speculation-allow-guests-to-use-ssbd-even-if-host-does-not.patch
+ patches.arch/cpu-speculation-warn-on-unsupported-mitigations-parameter.patch
patches.fixes/Bluetooth-Fix-faulty-expression-for-minimum-encrypti.patch
patches.suse/ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch
patches.suse/tracing-snapshot-resize-spare-buffer-if-size-changed.patch
@@ -48653,8 +48662,12 @@
patches.suse/msft-hv-1895-PCI-hv-Fix-a-use-after-free-bug-in-hv_eject_device_w.patch
patches.fixes/0001-PCI-qcom-Ensure-that-PERST-is-asserted-for-at-least-.patch
patches.fixes/0001-PCI-xilinx-nwl-Fix-Multi-MSI-data-programming.patch
+ patches.suse/btrfs-fix-data-loss-after-inode-eviction-renaming-it.patch
patches.suse/Btrfs-prevent-send-failures-and-crashes-due-to-concu.patch
+ patches.suse/btrfs-fix-fsync-not-persisting-dentry-deletions-due-.patch
+ patches.suse/btrfs-add-missing-inode-version-ctime-and-mtime-upda.patch
patches.drivers/0022-drivers-rapidio-devices-rio_mport_cdev.c-NUL-termina.patch
+ patches.drivers/drivers-pps-pps.c-clear-offset-flags-in-PPS_SETPARAM.patch
patches.fixes/0001-device-dax-fix-memory-and-resource-leak-if-hotplug-f.patch
patches.drivers/dmaengine-hsu-Revert-set-HSU_CH_MTSR-to-memory-width.patch
patches.drivers/0008-dmaengine-rcar-dmac-Reject-zero-length-slave-DMA-req.patch
@@ -48697,6 +48710,7 @@
patches.arch/kvm-svm-fix-detection-of-amd-errata-1096
patches.arch/kvm-x86-vpmu-refine-kvm_pmu-err-msg-when-event-creation-failed
patches.arch/kvm-nvmx-do-not-use-dangling-shadow-vmcs-after-guest-reset
+ patches.arch/x86-boot-fix-memory-leak-in-default_get_smp_config.patch
patches.suse/msft-hv-1901-x86-hyper-v-Zero-out-the-VP-ASSIST-PAGE-on-allocatio.patch
patches.drivers/Input-synaptics-whitelist-Lenovo-T580-SMBus-intertou.patch
patches.drivers/Input-gtco-bounds-check-collection-indent-level.patch
@@ -48705,6 +48719,7 @@
patches.drivers/Input-psmouse-fix-build-error-of-multiple-definition.patch
patches.drivers/Input-alps-fix-a-mismatch-between-a-condition-check-.patch
patches.fixes/0001-mac80211-fix-possible-memory-leak-in-ieee80211_assig.patch
+ patches.fixes/mac80211-don-t-warn-about-CW-params-when-not-using-t.patch
patches.drivers/bnx2x-Prevent-load-reordering-in-tx-completion-proce.patch
patches.drivers/be2net-Synchronize-be_update_queues-with-dev_watchdo.patch
patches.suse/msft-hv-1902-hv_netvsc-Fix-extra-rcu_read_unlock-in-netvsc_recv_c.patch
@@ -48730,6 +48745,7 @@
patches.drivers/ALSA-hda-Add-a-conexant-codec-entry-to-let-mute-led-.patch
patches.fixes/nvme-fix-memory-leak-caused-by-incorrect-subsystem-free.patch
patches.fixes/ACPI-IORT-Fix-off-by-one-check-in-iort_dev_find_its_.patch
+ patches.drm/drm-silence-variable-conn-set-but-not-used.patch
patches.drm/drm-amd-display-Wait-for-backlight-programming-compl.patch
patches.drm/drm-amd-display-use-encoder-s-engine-id-to-find-matc.patch
patches.drm/drm-amd-display-Fix-dc_create-failure-handling-and-6.patch
@@ -48747,6 +48763,7 @@
patches.arch/x86-mm-check-for-pfn-instead-of-page-in-vmalloc_sync_one
patches.arch/x86-mm-sync-also-unmappings-in-vmalloc_sync_all
patches.arch/mm-vmalloc-sync-unmappings-in-_purge_vmap_area_lazy
+ patches.arch/x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch
patches.drivers/usb-pci-quirks-Correct-AMD-PLL-quirk-detection.patch
patches.drivers/usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch
patches.fixes/hpet-Fix-division-by-zero-in-hpet_time_div.patch
@@ -48760,6 +48777,8 @@
patches.drivers/ALSA-pcm-fix-lost-wakeup-event-scenarios-in-snd_pcm_.patch
patches.drivers/ALSA-usb-audio-Fix-gpf-in-snd_usb_pipe_sanity_check.patch
patches.drivers/ACPI-PM-Fix-regression-in-acpi_device_set_power.patch
+ patches.suse/btrfs-fix-incremental-send-failure-after-deduplicati.patch
+ patches.suse/btrfs-fix-race-leading-to-fs-corruption-after-transa.patch
patches.drivers/IB-mlx5-Fix-MR-registration-flow-to-use-UMR-properly.patch
patches.drivers/libata-zpodd-Fix-small-read-overflow-in-zpodd_get_me.patch
patches.drivers/ata-libahci-do-not-complain-in-case-of-deferred-prob.patch
@@ -48776,6 +48795,7 @@
patches.drivers/0013-HID-wacom-fix-bit-shift-for-Cintiq-Companion-2.patch
patches.drivers/HID-Add-quirk-for-HP-X1200-PIXART-OEM-mouse.patch
patches.drivers/hid-input-fix-a4tech-horizontal-wheel-custom-usage.patch
+ patches.drivers/HID-sony-Fix-race-condition-between-rumble-and-devic.patch
patches.fixes/bonding-Force-slave-speed-check-after-link-state-rec.patch
patches.drivers/net-mvpp2-Don-t-check-for-3-consecutive-Idle-frames-.patch
patches.drivers/sky2-Disable-MSI-on-ASUS-P6T.patch
@@ -48790,6 +48810,7 @@
patches.drivers/net-phylink-Fix-flow-control-for-fixed-link.patch
patches.drivers/mlxsw-spectrum-Fix-error-path-in-mlxsw_sp_module_ini.patch
patches.fixes/nl-mac-80211-fix-interface-combinations-on-crypto-co.patch
+ patches.fixes/mac80211-don-t-WARN-on-short-WMM-parameters-from-AP.patch
patches.drivers/net-mlx5e-always-initialize-frag-last_in_page.patch
patches.drivers/net-fix-bpf_xdp_adjust_head-regression-for-generic-X.patch
patches.drivers/0005-can-peak_usb-pcan_usb_fd-Fix-info-leaks-to-USB-devic.patch
@@ -48801,6 +48822,7 @@
patches.drivers/iwlwifi-mvm-fix-an-out-of-bound-access.patch
patches.drivers/hwmon-nct7802-Fix-wrong-detection-of-in4-presence.patch
patches.fixes/crypto-ccp-Fix-oops-by-properly-managing-allocated-s.patch
+ patches.fixes/crypto-ccp-Add-support-for-valid-authsize-values-les.patch
patches.fixes/crypto-ccp-Ignore-tag-length-when-decrypting-GCM-cip.patch
patches.drivers/ASoC-dapm-Fix-handling-of-custom_stop_condition-on-D.patch
patches.drivers/ALSA-usb-audio-fix-a-memory-leak-bug.patch
@@ -48814,15 +48836,23 @@
patches.drm/drm-vmwgfx-fix-memory-leak-when-too-many-retries-hav.patch
patches.drm/drm-rockchip-Suspend-DP-late.patch
patches.drm/drm-i915-Fix-wrong-escape-clock-divisor-init-for-GLK.patch
+ patches.drivers/Input-synaptics-enable-RMI-mode-for-HP-Spectre-X360.patch
patches.arch/kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu
patches.drivers/usb-typec-tcpm-free-log-buf-memory-when-remove-debug.patch
patches.drivers/usb-typec-tcpm-remove-tcpm-dir-if-no-children.patch
patches.drivers/usb-host-xhci-rcar-Fix-timeout-in-xhci_suspend.patch
patches.drivers/usb-typec-tcpm-Ignore-unsupported-unknown-alternate-.patch
patches.drivers/usb-yurex-Fix-use-after-free-in-yurex_delete.patch
+ patches.drivers/usb-usbfs-fix-double-free-of-usb-memory-upon-submitu.patch
patches.drivers/usb-iowarrior-fix-deadlock-on-disconnect.patch
+ patches.drivers/iio-adc-max9611-Fix-misuse-of-GENMASK-macro.patch
patches.fixes/driver_core-Fix_use-after-free_and_double_free_on_glue.patch
+ patches.drivers/iommu-dma-handle-sg-length-overflow-better
+ patches.drivers/ALSA-hda-Apply-workaround-for-another-AMD-chip-1022-.patch
+ patches.drivers/ALSA-hda-Fix-a-memory-leak-bug.patch
patches.drivers/ALSA-hda-realtek-Add-quirk-for-HP-Envy-x360.patch
+ patches.drivers/ALSA-hda-Let-all-conexant-codec-enter-D3-when-reboot.patch
+ patches.drivers/ALSA-hda-Add-a-generic-reboot_notify.patch
patches.drivers/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_u.patch
patches.drivers/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-ch.patch
diff --git a/supported.conf b/supported.conf
index 192295d068..60a9623fa6 100644
--- a/supported.conf
+++ b/supported.conf
@@ -449,11 +449,11 @@
- drivers/cpufreq/mt8173-cpufreq
drivers/cpufreq/pcc-cpufreq # HP's PCC cpufreq driver -> fate#306746
drivers/cpufreq/powernow-k8 # Old Athlon64 and Opteron driver (IO based), MSR based switching is done via acpi-cpufreq
- drivers/cpufreq/qoriq-cpufreq
- drivers/cpufreq/raspberrypi-cpufreq
- drivers/cpufreq/scpi-cpufreq
-- drivers/cpufreq/tegra186-cpufreq
-- drivers/crypto/bcm/bcm_crypto_spu
+- drivers/cpufreq/qoriq-cpufreq # not listed in supported.conf
+ drivers/cpufreq/raspberrypi-cpufreq # jsc#SLE-7294
+- drivers/cpufreq/scpi-cpufreq # not listed in supported.conf
+- drivers/cpufreq/tegra186-cpufreq # not listed in supported.conf
+- drivers/crypto/bcm/bcm_crypto_spu # not listed in supported.conf
drivers/crypto/caam/*
drivers/crypto/cavium/cpt/cptpf
drivers/crypto/cavium/cpt/cptvf
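Review bot: The trailing comment `# not listed in supported.conf` added to the qoriq-cpufreq, scpi-cpufreq, tegra186-cpufreq and bcm_crypto_spu entries (and to switchtec in the next hunk) reads as self-contradictory, because each annotated entry is itself a line of supported.conf, and it gives no reason for the status. Judging by the hunk's line counts (leading whitespace is collapsed in this rendering, so this is inferred), qoriq-cpufreq and scpi-cpufreq appear to move from supported to unsupported here, a status change whose reason should be recorded. A comment that names the cause, such as `# unsupported: <reason> (<tracker reference>)`, would serve later readers better. The raspberrypi-cpufreq line in the same hunk already does this with its `jsc#` reference.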
@@ -1861,10 +1861,10 @@
drivers/pci/hotplug/shpchp # Standard Hot Plug PCI Controller Driver
drivers/pci/pci-iomul # PCI I/O port multiplexer interface
drivers/pci/pcie/aer/aer_inject # fate #306815
-- drivers/pci/switch/switchtec
+- drivers/pci/switch/switchtec # not listed in supported.conf
drivers/pci/xen-pcifront
- drivers/pcmcia/pcmcia_core # Linux Kernel Card Services
- drivers/pcmcia/pcmcia_rsrc
+ drivers/pcmcia/pcmcia_core # Linux Kernel Card Services (needed by yenta_socket)
+ drivers/pcmcia/pcmcia_rsrc # Linux Kernel Card Services (needed by yenta_socket)
drivers/pcmcia/yenta_socket
drivers/perf/arm_dsu_pmu
drivers/perf/arm_spe_pmu