Home Home > GIT Browse > SLE12-SP5-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohannes Thumshirn <jthumshirn@suse.de>2019-08-22 11:27:15 +0200
committerJohannes Thumshirn <jthumshirn@suse.de>2019-08-22 11:27:15 +0200
commit79b0b2ea7f2370b63efaba3bdba4e1bc1723fc93 (patch)
treeaa3de4e460e31ce0c2520b434769f072769ffba9
parentb6b5bccca826b35cbe103991239d467ba5262ca5 (diff)
parent698ef197439e8220f2d8e6fca317e959200218e1 (diff)
Merge remote-tracking branch 'origin/SLE12-SP4' into SLE12-SP5
Conflicts: blacklist.conf series.conf
-rw-r--r--blacklist.conf2
-rw-r--r--patches.arch/powerpc-rtas-use-device-model-APIs-and-serialization.patch98
-rw-r--r--patches.arch/v2-powerpc-Allow-flush_-inval_-dcache_range-to-work-across-ranges-4GB.patch58
-rw-r--r--patches.arch/x86-unwind-handle-null-pointer-calls-better-in-frame-unwinder.patch126
-rw-r--r--patches.drivers/ALSA-info-Fix-racy-addition-deletion-of-nodes.patch2
-rw-r--r--patches.drivers/ALSA-line6-Fix-write-on-zero-sized-buffer.patch2
-rw-r--r--patches.drivers/ALSA-usb-audio-Fix-gpf-in-snd_usb_pipe_sanity_check.patch2
-rw-r--r--patches.drivers/media-usb-siano-Fix-general-protection-fault-in-smsu.patch2
-rw-r--r--patches.fixes/0001-HID-wacom-Correct-distance-scale-for-2nd-gen-Intuos-.patch39
-rw-r--r--patches.fixes/0001-HID-wacom-correct-misreported-EKR-ring-values.patch39
-rw-r--r--patches.fixes/0001-media-cpia2_usb-first-wake-up-then-free-in-disconnec.patch2
-rw-r--r--patches.fixes/nvme-multipath-fix-ana-log-nsid-lookup-when-nsid-is-.patch71
-rw-r--r--patches.fixes/scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func-instead165
-rw-r--r--patches.suse/libnvdimm-pfn-Store-correct-value-of-npfns-in-namespace.patch47
-rw-r--r--patches.suse/nvme-Return-BLK_STS_TARGET-if-the-DNR-bit-is-set.patch36
-rw-r--r--series.conf11
16 files changed, 697 insertions, 5 deletions
diff --git a/blacklist.conf b/blacklist.conf
index edffe2e719..a2d3912725 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1291,3 +1291,5 @@ d065ee93aab6ef4c2a5af5c455b5044bd5136547 # config-only fix
1e1c50a929bc9e49bc3f9935b92450d9e69f8158 # affects only single core-machines
c2d1b3aae33605a61cbab445d8ae1c708ccd2698 # effectively reverted in upstream
2170a0d53bee1a6c1a4ebd042f99d85aafc6c0ea # only affects libnvdimm unit test code
+ce02ef06fcf7a399a6276adb83f37373d10cbbe1 # fixed in gcc instead, see bsc#1131264
+a9d57ef15cbe327fe54416dd194ee0ea66ae53a4 # ditto
diff --git a/patches.arch/powerpc-rtas-use-device-model-APIs-and-serialization.patch b/patches.arch/powerpc-rtas-use-device-model-APIs-and-serialization.patch
new file mode 100644
index 0000000000..8e5507ca13
--- /dev/null
+++ b/patches.arch/powerpc-rtas-use-device-model-APIs-and-serialization.patch
@@ -0,0 +1,98 @@
+From a6717c01ddc259f6f73364779df058e2c67309f8 Mon Sep 17 00:00:00 2001
+From: Nathan Lynch <nathanl@linux.ibm.com>
+Date: Fri, 2 Aug 2019 14:29:24 -0500
+Subject: [PATCH] powerpc/rtas: use device model APIs and serialization during
+ LPM
+
+References: bsc#1144123 ltc#178840
+Patch-mainline: queued
+Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git
+Git-commit: a6717c01ddc259f6f73364779df058e2c67309f8
+
+The LPAR migration implementation and userspace-initiated cpu hotplug
+can interleave their executions like so:
+
+1. Set cpu 7 offline via sysfs.
+
+2. Begin a partition migration, whose implementation requires the OS
+ to ensure all present cpus are online; cpu 7 is onlined:
+
+ rtas_ibm_suspend_me -> rtas_online_cpus_mask -> cpu_up
+
+ This sets cpu 7 online in all respects except for the cpu's
+ corresponding struct device; dev->offline remains true.
+
+3. Set cpu 7 online via sysfs. _cpu_up() determines that cpu 7 is
+ already online and returns success. The driver core (device_online)
+ sets dev->offline = false.
+
+4. The migration completes and restores cpu 7 to offline state:
+
+ rtas_ibm_suspend_me -> rtas_offline_cpus_mask -> cpu_down
+
+This leaves cpu7 in a state where the driver core considers the cpu
+device online, but in all other respects it is offline and
+unused. Attempts to online the cpu via sysfs appear to succeed but the
+driver core actually does not pass the request to the lower-level
+cpuhp support code. This makes the cpu unusable until the cpu device
+is manually set offline and then online again via sysfs.
+
+Instead of directly calling cpu_up/cpu_down, the migration code should
+use the higher-level device core APIs to maintain consistent state and
+serialize operations.
+
+Fixes: 120496ac2d2d ("powerpc: Bring all threads online prior to migration/hibernation")
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+Reviewed-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190802192926.19277-2-nathanl@linux.ibm.com
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/kernel/rtas.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
+index 49159bb38949..ef290d4036ba 100644
+--- a/arch/powerpc/kernel/rtas.c
++++ b/arch/powerpc/kernel/rtas.c
+@@ -871,15 +871,17 @@ static int rtas_cpu_state_change_mask(enum rtas_cpu_state state,
+ return 0;
+
+ for_each_cpu(cpu, cpus) {
++ struct device *dev = get_cpu_device(cpu);
++
+ switch (state) {
+ case DOWN:
+- cpuret = cpu_down(cpu);
++ cpuret = device_offline(dev);
+ break;
+ case UP:
+- cpuret = cpu_up(cpu);
++ cpuret = device_online(dev);
+ break;
+ }
+- if (cpuret) {
++ if (cpuret < 0) {
+ pr_debug("%s: cpu_%s for cpu#%d returned %d.\n",
+ __func__,
+ ((state == UP) ? "up" : "down"),
+@@ -966,6 +968,8 @@ int rtas_ibm_suspend_me(u64 handle)
+ data.token = rtas_token("ibm,suspend-me");
+ data.complete = &done;
+
++ lock_device_hotplug();
++
+ /* All present CPUs must be online */
+ cpumask_andnot(offline_mask, cpu_present_mask, cpu_online_mask);
+ cpuret = rtas_online_cpus_mask(offline_mask);
+@@ -1004,6 +1008,7 @@ int rtas_ibm_suspend_me(u64 handle)
+ __func__);
+
+ out:
++ unlock_device_hotplug();
+ free_cpumask_var(offline_mask);
+ return atomic_read(&data.error);
+ }
+--
+2.22.0
+
diff --git a/patches.arch/v2-powerpc-Allow-flush_-inval_-dcache_range-to-work-across-ranges-4GB.patch b/patches.arch/v2-powerpc-Allow-flush_-inval_-dcache_range-to-work-across-ranges-4GB.patch
new file mode 100644
index 0000000000..3bd2b96a34
--- /dev/null
+++ b/patches.arch/v2-powerpc-Allow-flush_-inval_-dcache_range-to-work-across-ranges-4GB.patch
@@ -0,0 +1,58 @@
+From patchwork Wed Aug 21 00:19:27 2019
+X-Patchwork-Submitter: Alastair D'Silva <alastair@au1.ibm.com>
+X-Patchwork-Id: 1150498
+From: Alastair D'Silva <alastair@d-silva.org>
+Subject: [PATCH v2] powerpc: Allow flush_(inval_)dcache_range to work across
+ ranges >4GB
+Date: Wed, 21 Aug 2019 10:19:27 +1000
+
+References: bsc#1146575 ltc#180764
+Patch-mainline: no, stable-only
+
+The upstream commit:
+22e9c88d486a ("powerpc/64: reuse PPC32 static inline flush_dcache_range()")
+has a similar effect, but since it is a rewrite of the assembler to C, is
+too invasive for stable. This patch is a minimal fix to address the issue in
+assembler.
+
+This patch applies cleanly to v5.2, v4.19 & v4.14.
+
+When calling flush_(inval_)dcache_range with a size >4GB, we were masking
+off the upper 32 bits, so we would incorrectly flush a range smaller
+than intended.
+
+This patch replaces the 32 bit shifts with 64 bit ones, so that
+the full size is accounted for.
+
+Changelog:
+v2
+ - Add related upstream commit
+
+Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/kernel/misc_64.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kernel/misc_64.S b/arch/powerpc/kernel/misc_64.S
+index 1ad4089dd110..d4d096f80f4b 100644
+--- a/arch/powerpc/kernel/misc_64.S
++++ b/arch/powerpc/kernel/misc_64.S
+@@ -130,7 +130,7 @@ _GLOBAL_TOC(flush_dcache_range)
+ subf r8,r6,r4 /* compute length */
+ add r8,r8,r5 /* ensure we get enough */
+ lwz r9,DCACHEL1LOGBLOCKSIZE(r10) /* Get log-2 of dcache block size */
+- srw. r8,r8,r9 /* compute line count */
++ srd. r8,r8,r9 /* compute line count */
+ beqlr /* nothing to do? */
+ mtctr r8
+ 0: dcbst 0,r6
+@@ -148,7 +148,7 @@ _GLOBAL(flush_inval_dcache_range)
+ subf r8,r6,r4 /* compute length */
+ add r8,r8,r5 /* ensure we get enough */
+ lwz r9,DCACHEL1LOGBLOCKSIZE(r10)/* Get log-2 of dcache block size */
+- srw. r8,r8,r9 /* compute line count */
++ srd. r8,r8,r9 /* compute line count */
+ beqlr /* nothing to do? */
+ sync
+ isync
diff --git a/patches.arch/x86-unwind-handle-null-pointer-calls-better-in-frame-unwinder.patch b/patches.arch/x86-unwind-handle-null-pointer-calls-better-in-frame-unwinder.patch
new file mode 100644
index 0000000000..97a0fab515
--- /dev/null
+++ b/patches.arch/x86-unwind-handle-null-pointer-calls-better-in-frame-unwinder.patch
@@ -0,0 +1,126 @@
+From: Jann Horn <jannh@google.com>
+Date: Fri, 1 Mar 2019 04:12:00 +0100
+Subject: x86/unwind: Handle NULL pointer calls better in frame unwinder
+Git-commit: f4f34e1b82eb4219d8eaa1c7e2e17ca219a6a2b5
+Patch-mainline: v5.1-rc1
+References: bsc#1114279
+
+When the frame unwinder is invoked for an oops caused by a call to NULL, it
+currently skips the parent function because BP still points to the parent's
+stack frame; the (nonexistent) current function only has the first half of
+a stack frame, and BP doesn't point to it yet.
+
+Add a special case for IP==0 that calculates a fake BP from SP, then uses
+the real BP for the next frame.
+
+Note that this handles first_frame specially: Return information about the
+parent function as long as the saved IP is >=first_frame, even if the fake
+BP points below it.
+
+With an artificially-added NULL call in prctl_set_seccomp(), before this
+patch, the trace is:
+
+Call Trace:
+ ? prctl_set_seccomp+0x3a/0x50
+ __x64_sys_prctl+0x457/0x6f0
+ ? __ia32_sys_prctl+0x750/0x750
+ do_syscall_64+0x72/0x160
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+After this patch, the trace is:
+
+Call Trace:
+ prctl_set_seccomp+0x3a/0x50
+ __x64_sys_prctl+0x457/0x6f0
+ ? __ia32_sys_prctl+0x750/0x750
+ do_syscall_64+0x72/0x160
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: syzbot <syzbot+ca95b2b7aef9e7cbd6ab@syzkaller.appspotmail.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
+Cc: Michal Marek <michal.lkml@markovi.net>
+Cc: linux-kbuild@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190301031201.7416-1-jannh@google.com
+
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ arch/x86/include/asm/unwind.h | 6 ++++++
+ arch/x86/kernel/unwind_frame.c | 25 ++++++++++++++++++++++---
+ 2 files changed, 28 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/include/asm/unwind.h b/arch/x86/include/asm/unwind.h
+index 1f86e1b0a5cd..499578f7e6d7 100644
+--- a/arch/x86/include/asm/unwind.h
++++ b/arch/x86/include/asm/unwind.h
+@@ -23,6 +23,12 @@ struct unwind_state {
+ #elif defined(CONFIG_UNWINDER_FRAME_POINTER)
+ bool got_irq;
+ unsigned long *bp, *orig_sp, ip;
++ /*
++ * If non-NULL: The current frame is incomplete and doesn't contain a
++ * valid BP. When looking for the next frame, use this instead of the
++ * non-existent saved BP.
++ */
++ unsigned long *next_bp;
+ struct pt_regs *regs;
+ #else
+ unsigned long *sp;
+diff --git a/arch/x86/kernel/unwind_frame.c b/arch/x86/kernel/unwind_frame.c
+index 3dc26f95d46e..9b9fd4826e7a 100644
+--- a/arch/x86/kernel/unwind_frame.c
++++ b/arch/x86/kernel/unwind_frame.c
+@@ -320,10 +320,14 @@ bool unwind_next_frame(struct unwind_state *state)
+ }
+
+ /* Get the next frame pointer: */
+- if (state->regs)
++ if (state->next_bp) {
++ next_bp = state->next_bp;
++ state->next_bp = NULL;
++ } else if (state->regs) {
+ next_bp = (unsigned long *)state->regs->bp;
+- else
++ } else {
+ next_bp = (unsigned long *)READ_ONCE_TASK_STACK(state->task, *state->bp);
++ }
+
+ /* Move to the next frame if it's safe: */
+ if (!update_stack_state(state, next_bp))
+@@ -398,6 +402,21 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task,
+
+ bp = get_frame_pointer(task, regs);
+
++ /*
++ * If we crash with IP==0, the last successfully executed instruction
++ * was probably an indirect function call with a NULL function pointer.
++ * That means that SP points into the middle of an incomplete frame:
++ * *SP is a return pointer, and *(SP-sizeof(unsigned long)) is where we
++ * would have written a frame pointer if we hadn't crashed.
++ * Pretend that the frame is complete and that BP points to it, but save
++ * the real BP so that we can use it when looking for the next frame.
++ */
++ if (regs && regs->ip == 0 &&
++ (unsigned long *)kernel_stack_pointer(regs) >= first_frame) {
++ state->next_bp = bp;
++ bp = ((unsigned long *)kernel_stack_pointer(regs)) - 1;
++ }
++
+ /* Initialize stack info and make sure the frame data is accessible: */
+ get_stack_info(bp, state->task, &state->stack_info,
+ &state->stack_mask);
+@@ -410,7 +429,7 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task,
+ */
+ while (!unwind_done(state) &&
+ (!on_stack(&state->stack_info, first_frame, sizeof(long)) ||
+- state->bp < first_frame))
++ (state->next_bp == NULL && state->bp < first_frame)))
+ unwind_next_frame(state);
+ }
+ EXPORT_SYMBOL_GPL(__unwind_start);
+
diff --git a/patches.drivers/ALSA-info-Fix-racy-addition-deletion-of-nodes.patch b/patches.drivers/ALSA-info-Fix-racy-addition-deletion-of-nodes.patch
index 49e6da1cc3..0861a29066 100644
--- a/patches.drivers/ALSA-info-Fix-racy-addition-deletion-of-nodes.patch
+++ b/patches.drivers/ALSA-info-Fix-racy-addition-deletion-of-nodes.patch
@@ -4,7 +4,7 @@ Date: Tue, 16 Apr 2019 15:25:00 +0200
Subject: [PATCH] ALSA: info: Fix racy addition/deletion of nodes
Git-commit: 8c2f870890fd28e023b0fcf49dcee333f2c8bad7
Patch-mainline: v5.1-rc6
-References: bsc#1051510
+References: bsc#1051510,CVE-2019-15214,bsc#1146550
The ALSA proc helper manages the child nodes in a linked list, but its
addition and deletion is done without any lock. This leads to a
diff --git a/patches.drivers/ALSA-line6-Fix-write-on-zero-sized-buffer.patch b/patches.drivers/ALSA-line6-Fix-write-on-zero-sized-buffer.patch
index 63ae7ade56..f3c6b8927c 100644
--- a/patches.drivers/ALSA-line6-Fix-write-on-zero-sized-buffer.patch
+++ b/patches.drivers/ALSA-line6-Fix-write-on-zero-sized-buffer.patch
@@ -4,7 +4,7 @@ Date: Tue, 2 Jul 2019 20:07:21 +0200
Subject: [PATCH 7/7] ALSA: line6: Fix write on zero-sized buffer
Git-commit: 3450121997ce872eb7f1248417225827ea249710
Patch-mainline: v5.2
-References: bsc#1051510
+References: bsc#1051510,CVE-2019-15221,bsc#1146529
LINE6 drivers allocate the buffers based on the value returned from
usb_maxpacket() calls. The manipulated device may return zero for
diff --git a/patches.drivers/ALSA-usb-audio-Fix-gpf-in-snd_usb_pipe_sanity_check.patch b/patches.drivers/ALSA-usb-audio-Fix-gpf-in-snd_usb_pipe_sanity_check.patch
index 6814b19067..eb0ff57818 100644
--- a/patches.drivers/ALSA-usb-audio-Fix-gpf-in-snd_usb_pipe_sanity_check.patch
+++ b/patches.drivers/ALSA-usb-audio-Fix-gpf-in-snd_usb_pipe_sanity_check.patch
@@ -4,7 +4,7 @@ Date: Tue, 30 Jul 2019 17:24:36 +0800
Subject: [PATCH] ALSA: usb-audio: Fix gpf in snd_usb_pipe_sanity_check
Git-commit: 5d78e1c2b7f4be00bbe62141603a631dc7812f35
Patch-mainline: 5.3-rc3
-References: bsc#1051510
+References: bsc#1051510,CVE-2019-15222,bsc#1146531
syzbot found the following crash on:
diff --git a/patches.drivers/media-usb-siano-Fix-general-protection-fault-in-smsu.patch b/patches.drivers/media-usb-siano-Fix-general-protection-fault-in-smsu.patch
index 784711a9e7..0cd64aef1e 100644
--- a/patches.drivers/media-usb-siano-Fix-general-protection-fault-in-smsu.patch
+++ b/patches.drivers/media-usb-siano-Fix-general-protection-fault-in-smsu.patch
@@ -4,7 +4,7 @@ Date: Tue, 7 May 2019 12:39:47 -0400
Subject: [PATCH] media: usb: siano: Fix general protection fault in smsusb
Git-commit: 31e0456de5be379b10fea0fa94a681057114a96e
Patch-mainline: v5.2-rc3
-References: bsc#1051510
+References: bsc#1051510 bsc#1146413 CVE-2019-15218
The syzkaller USB fuzzer found a general-protection-fault bug in the
smsusb part of the Siano DVB driver. The fault occurs during probe
diff --git a/patches.fixes/0001-HID-wacom-Correct-distance-scale-for-2nd-gen-Intuos-.patch b/patches.fixes/0001-HID-wacom-Correct-distance-scale-for-2nd-gen-Intuos-.patch
new file mode 100644
index 0000000000..fe3f106b4c
--- /dev/null
+++ b/patches.fixes/0001-HID-wacom-Correct-distance-scale-for-2nd-gen-Intuos-.patch
@@ -0,0 +1,39 @@
+From b72fb1dcd2ea9d29417711cb302cef3006fa8d5a Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <jason.gerecke@wacom.com>
+Date: Wed, 7 Aug 2019 14:11:55 -0700
+Subject: [PATCH] HID: wacom: Correct distance scale for 2nd-gen Intuos devices
+Git-commit: b72fb1dcd2ea9d29417711cb302cef3006fa8d5a
+Patch-mainline: v5.3-rc5
+References: bsc#1142635
+
+Distance values reported by 2nd-gen Intuos tablets are on an inverted
+scale (0 == far, 63 == near). We need to change them over to a normal
+scale before reporting to userspace or else userspace drivers and
+applications can get confused.
+
+Ref: https://github.com/linuxwacom/input-wacom/issues/98
+Fixes: eda01dab53 ("HID: wacom: Add four new Intuos devices")
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Cc: <stable@vger.kernel.org> # v4.4+
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/hid/wacom_wac.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
+index 50074485b88b..7a9e229e6253 100644
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -846,6 +846,8 @@ static int wacom_intuos_general(struct wacom_wac *wacom)
+ y >>= 1;
+ distance >>= 1;
+ }
++ if (features->type == INTUOSHT2)
++ distance = features->distance_max - distance;
+ input_report_abs(input, ABS_X, x);
+ input_report_abs(input, ABS_Y, y);
+ input_report_abs(input, ABS_DISTANCE, distance);
+--
+2.16.4
+
diff --git a/patches.fixes/0001-HID-wacom-correct-misreported-EKR-ring-values.patch b/patches.fixes/0001-HID-wacom-correct-misreported-EKR-ring-values.patch
new file mode 100644
index 0000000000..4c351fa9dc
--- /dev/null
+++ b/patches.fixes/0001-HID-wacom-correct-misreported-EKR-ring-values.patch
@@ -0,0 +1,39 @@
+From fcf887e7caaa813eea821d11bf2b7619a37df37a Mon Sep 17 00:00:00 2001
+From: Aaron Armstrong Skomra <skomra@gmail.com>
+Date: Fri, 16 Aug 2019 12:00:54 -0700
+Subject: [PATCH] HID: wacom: correct misreported EKR ring values
+Git-commit: fcf887e7caaa813eea821d11bf2b7619a37df37a
+Patch-mainline: v5.3-rc5
+References: bsc#1142635
+
+The EKR ring claims a range of 0 to 71 but actually reports
+values 1 to 72. The ring is used in relative mode so this
+change should not affect users.
+
+Signed-off-by: Aaron Armstrong Skomra <aaron.skomra@wacom.com>
+Fixes: 72b236d60218f ("HID: wacom: Add support for Express Key Remote.")
+Cc: <stable@vger.kernel.org> # v4.3+
+Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
+Reviewed-by: Jason Gerecke <jason.gerecke@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/hid/wacom_wac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
+index 7a9e229e6253..1713235d28cb 100644
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -1061,7 +1061,7 @@ static int wacom_remote_irq(struct wacom_wac *wacom_wac, size_t len)
+ input_report_key(input, BTN_BASE2, (data[11] & 0x02));
+
+ if (data[12] & 0x80)
+- input_report_abs(input, ABS_WHEEL, (data[12] & 0x7f));
++ input_report_abs(input, ABS_WHEEL, (data[12] & 0x7f) - 1);
+ else
+ input_report_abs(input, ABS_WHEEL, 0);
+
+--
+2.16.4
+
diff --git a/patches.fixes/0001-media-cpia2_usb-first-wake-up-then-free-in-disconnec.patch b/patches.fixes/0001-media-cpia2_usb-first-wake-up-then-free-in-disconnec.patch
index af2452c696..361663a331 100644
--- a/patches.fixes/0001-media-cpia2_usb-first-wake-up-then-free-in-disconnec.patch
+++ b/patches.fixes/0001-media-cpia2_usb-first-wake-up-then-free-in-disconnec.patch
@@ -4,7 +4,7 @@ Date: Thu, 9 May 2019 04:57:09 -0400
Subject: [PATCH] media: cpia2_usb: first wake up, then free in disconnect
Git-commit: eff73de2b1600ad8230692f00bc0ab49b166512a
Patch-mainline: v5.2
-References: bsc#1135642
+References: bsc#1135642 bsc#1146425 CVE-2019-15215
Kasan reported a use after free in cpia2_usb_disconnect()
diff --git a/patches.fixes/nvme-multipath-fix-ana-log-nsid-lookup-when-nsid-is-.patch b/patches.fixes/nvme-multipath-fix-ana-log-nsid-lookup-when-nsid-is-.patch
new file mode 100644
index 0000000000..0a06483778
--- /dev/null
+++ b/patches.fixes/nvme-multipath-fix-ana-log-nsid-lookup-when-nsid-is-.patch
@@ -0,0 +1,71 @@
+From: Anton Eidelman <anton@lightbitslabs.com>
+Date: Tue, 20 Aug 2019 16:00:27 -0700
+Subject: [PATCH] nvme-multipath: fix ana log nsid lookup when nsid is not found
+Patch-Mainline: submitted linux-nvme 2019/08/21
+References: bsc#1141554
+
+ANA log parsing invokes nvme_update_ana_state() per ANA group desc.
+This updates the state of namespaces with nsids in desc->nsids[].
+
+Both ctrl->namespaces list and desc->nsids[] array are sorted by nsid.
+Hence nvme_update_ana_state() performs a single walk over ctrl->namespaces:
+- if current namespace matches the current desc->nsids[n],
+ this namespace is updated, and n is incremented.
+- the process stops when it encounters the end of either
+ ctrl->namespaces end or desc->nsids[]
+
+In case desc->nsids[n] does not match any of ctrl->namespaces,
+the remaining nsids following desc->nsids[n] will not be updated.
+Such situation was considered abnormal and generated WARN_ON_ONCE.
+
+However ANA log MAY contain nsids not (yet) found in ctrl->namespaces.
+For example, lets consider the following scenario:
+- nvme0 exposes namespaces with nsids = [2, 3] to the host
+- a new namespace nsid = 1 is added dynamically
+- also, a ANA topology change is triggered
+- NS_CHANGED aen is generated and triggers scan_work
+- before scan_work discovers nsid=1 and creates a namespace, a NOTICE_ANA
+ aen was issues and ana_work receives ANA log with nsids=[1, 2, 3]
+
+Result: ana_work fails to update ANA state on existing namespaces [2, 3]
+
+Solution:
+Change the way nvme_update_ana_state() namespace list walk
+checks the current namespace against desc->nsids[n] as follows:
+a) ns->head->ns_id < desc->nsids[n]: keep walking ctrl->namespaces.
+b) ns->head->ns_id == desc->nsids[n]: match, update the namespace
+c) ns->head->ns_id >= desc->nsids[n]: skip to desc->nsids[n+1]
+
+This enables correct operation in the scenario described above.
+This also allows ANA log to contain nsids currently invisible
+to the host, i.e. inactive nsids.
+
+Signed-off-by: Anton Eidelman <anton@lightbitslabs.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/nvme/host/multipath.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -477,14 +477,16 @@ static int nvme_update_ana_state(struct
+
+ down_write(&ctrl->namespaces_rwsem);
+ list_for_each_entry(ns, &ctrl->namespaces, list) {
+- if (ns->head->ns_id != le32_to_cpu(desc->nsids[n]))
++ unsigned nsid = le32_to_cpu(desc->nsids[n]);
++
++ if (ns->head->ns_id < nsid)
+ continue;
+- nvme_update_ns_ana_state(desc, ns);
++ if (ns->head->ns_id == nsid)
++ nvme_update_ns_ana_state(desc, ns);
+ if (++n == nr_nsids)
+ break;
+ }
+ up_write(&ctrl->namespaces_rwsem);
+- WARN_ON_ONCE(n < nr_nsids);
+ return 0;
+ }
+
diff --git a/patches.fixes/scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func-instead b/patches.fixes/scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func-instead
new file mode 100644
index 0000000000..eaa79529e9
--- /dev/null
+++ b/patches.fixes/scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func-instead
@@ -0,0 +1,165 @@
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Sat, 20 Apr 2019 12:05:54 +0800
+Subject: scsi: qedi: remove memset/memcpy to nfunc and use func instead
+Git-commit: c09581a52765a85f19fc35340127396d5e3379cc
+Patch-mainline: v5.2-rc2
+References: bsc#1146399 CVE-2019-15090
+
+KASAN reports this:
+
+BUG: KASAN: global-out-of-bounds in qedi_dbg_err+0xda/0x330 [qedi]
+Read of size 31 at addr ffffffffc12b0ae0 by task syz-executor.0/2429
+
+CPU: 0 PID: 2429 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ print_address_description+0x1c4/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ memcpy+0x1f/0x50 mm/kasan/common.c:130
+ qedi_dbg_err+0xda/0x330 [qedi]
+ ? 0xffffffffc12d0000
+ qedi_init+0x118/0x1000 [qedi]
+ ? 0xffffffffc12d0000
+ ? 0xffffffffc12d0000
+ ? 0xffffffffc12d0000
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f2d57e55c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+RAX: ffffffffffffffda RBX: 000000000073bfa0 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000003
+RBP: 00007f2d57e55c70 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2d57e566bc
+R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004
+
+The buggy address belongs to the variable:
+ __func__.67584+0x0/0xffffffffffffd520 [qedi]
+
+Memory state around the buggy address:
+ ffffffffc12b0980: fa fa fa fa 00 04 fa fa fa fa fa fa 00 00 05 fa
+ ffffffffc12b0a00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 05 fa fa
+> ffffffffc12b0a80: fa fa fa fa 00 06 fa fa fa fa fa fa 00 02 fa fa
+ ^
+ ffffffffc12b0b00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 00 03 fa
+ ffffffffc12b0b80: fa fa fa fa 00 00 02 fa fa fa fa fa 00 00 04 fa
+
+Currently the qedi_dbg_* family of functions can overrun the end of the
+source string if it is less than the destination buffer length because of
+the use of a fixed sized memcpy. Remove the memset/memcpy calls to nfunc
+and just use func instead as it is always a null terminated string.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Lee Duncan <lduncan@suse.com>
+---
+ drivers/scsi/qedi/qedi_dbg.c | 32 ++++++++------------------------
+ 1 file changed, 8 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/scsi/qedi/qedi_dbg.c b/drivers/scsi/qedi/qedi_dbg.c
+index 8fd28b056f73..3383314a3882 100644
+--- a/drivers/scsi/qedi/qedi_dbg.c
++++ b/drivers/scsi/qedi/qedi_dbg.c
+@@ -16,10 +16,6 @@ qedi_dbg_err(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+ {
+ va_list va;
+ struct va_format vaf;
+- char nfunc[32];
+-
+- memset(nfunc, 0, sizeof(nfunc));
+- memcpy(nfunc, func, sizeof(nfunc) - 1);
+
+ va_start(va, fmt);
+
+@@ -28,9 +24,9 @@ qedi_dbg_err(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+
+ if (likely(qedi) && likely(qedi->pdev))
+ pr_err("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev),
+- nfunc, line, qedi->host_no, &vaf);
++ func, line, qedi->host_no, &vaf);
+ else
+- pr_err("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
++ pr_err("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
+
+ va_end(va);
+ }
+@@ -41,10 +37,6 @@ qedi_dbg_warn(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+ {
+ va_list va;
+ struct va_format vaf;
+- char nfunc[32];
+-
+- memset(nfunc, 0, sizeof(nfunc));
+- memcpy(nfunc, func, sizeof(nfunc) - 1);
+
+ va_start(va, fmt);
+
+@@ -56,9 +48,9 @@ qedi_dbg_warn(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+
+ if (likely(qedi) && likely(qedi->pdev))
+ pr_warn("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev),
+- nfunc, line, qedi->host_no, &vaf);
++ func, line, qedi->host_no, &vaf);
+ else
+- pr_warn("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
++ pr_warn("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
+
+ ret:
+ va_end(va);
+@@ -70,10 +62,6 @@ qedi_dbg_notice(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+ {
+ va_list va;
+ struct va_format vaf;
+- char nfunc[32];
+-
+- memset(nfunc, 0, sizeof(nfunc));
+- memcpy(nfunc, func, sizeof(nfunc) - 1);
+
+ va_start(va, fmt);
+
+@@ -85,10 +73,10 @@ qedi_dbg_notice(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+
+ if (likely(qedi) && likely(qedi->pdev))
+ pr_notice("[%s]:[%s:%d]:%d: %pV",
+- dev_name(&qedi->pdev->dev), nfunc, line,
++ dev_name(&qedi->pdev->dev), func, line,
+ qedi->host_no, &vaf);
+ else
+- pr_notice("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
++ pr_notice("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
+
+ ret:
+ va_end(va);
+@@ -100,10 +88,6 @@ qedi_dbg_info(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+ {
+ va_list va;
+ struct va_format vaf;
+- char nfunc[32];
+-
+- memset(nfunc, 0, sizeof(nfunc));
+- memcpy(nfunc, func, sizeof(nfunc) - 1);
+
+ va_start(va, fmt);
+
+@@ -115,9 +99,9 @@ qedi_dbg_info(struct qedi_dbg_ctx *qedi, const char *func, u32 line,
+
+ if (likely(qedi) && likely(qedi->pdev))
+ pr_info("[%s]:[%s:%d]:%d: %pV", dev_name(&qedi->pdev->dev),
+- nfunc, line, qedi->host_no, &vaf);
++ func, line, qedi->host_no, &vaf);
+ else
+- pr_info("[0000:00:00.0]:[%s:%d]: %pV", nfunc, line, &vaf);
++ pr_info("[0000:00:00.0]:[%s:%d]: %pV", func, line, &vaf);
+
+ ret:
+ va_end(va);
+
diff --git a/patches.suse/libnvdimm-pfn-Store-correct-value-of-npfns-in-namespace.patch b/patches.suse/libnvdimm-pfn-Store-correct-value-of-npfns-in-namespace.patch
new file mode 100644
index 0000000000..9cb05b457c
--- /dev/null
+++ b/patches.suse/libnvdimm-pfn-Store-correct-value-of-npfns-in-namespace.patch
@@ -0,0 +1,47 @@
+From b1092ec9fe1c5f6e8cadb2ee54fc010052e5cd06 Mon Sep 17 00:00:00 2001
+From: root <you@example.com>
+Date: Tue, 20 Aug 2019 03:09:58 -0400
+Subject: [PATCH] libnvdimm/pfn: Store correct value of npfns in namespace
+ superblock
+
+References: bsc#1146381 ltc#180720
+Patch-mainline: no, stable-only
+
+Commit a3619190d62e ("libnvdimm/pfn: stop padding pmem namespaces to
+section alignment") fixed an issue with nd_pfn_init() where the count
+of number of PFNs stored in pfn superblock was calculated assuming
+PAGE_SIZE == SZ_4K.
+
+Without the fix a wrong comparison happens in __nvdimm_setup_pfn()
+between recaulcaulted value of nd_pfn->npfns against one stored in
+superblock via nd_pfn->pfn_sb->npfns. This causes a warning to be
+issued of the form:
+
+ dax_pmem dax1.0: number of pfns truncated from 2093056 to 130816
+
+This warning is harmless but may confuse the user. Hence this patch
+picks the relavent hunk from commit a3619190d62e ("libnvdimm/pfn: stop
+padding pmem namespaces to section alignment") that fixes this issue.
+
+Signed-off-by: Vaibhav Jain <vaibhav@linux.ibm.com>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ drivers/nvdimm/pfn_devs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvdimm/pfn_devs.c b/drivers/nvdimm/pfn_devs.c
+index 6a2685e8fbc6..c22462a277b6 100644
+--- a/drivers/nvdimm/pfn_devs.c
++++ b/drivers/nvdimm/pfn_devs.c
+@@ -757,7 +757,7 @@ static int nd_pfn_init(struct nd_pfn *nd_pfn)
+ return -ENXIO;
+ }
+
+- npfns = (size - offset - start_pad - end_trunc) / SZ_4K;
++ npfns = PHYS_PFN(size - offset - start_pad - end_trunc);
+ pfn_sb->mode = cpu_to_le32(nd_pfn->mode);
+ pfn_sb->dataoff = cpu_to_le64(offset);
+ pfn_sb->npfns = cpu_to_le64(npfns);
+--
+2.16.4
+
diff --git a/patches.suse/nvme-Return-BLK_STS_TARGET-if-the-DNR-bit-is-set.patch b/patches.suse/nvme-Return-BLK_STS_TARGET-if-the-DNR-bit-is-set.patch
new file mode 100644
index 0000000000..723d7ced63
--- /dev/null
+++ b/patches.suse/nvme-Return-BLK_STS_TARGET-if-the-DNR-bit-is-set.patch
@@ -0,0 +1,36 @@
+From: Hannes Reinecke <hare@suse.de>
+Date: Tue, 6 Aug 2019 12:47:17 +0200
+Subject: [PATCH] nvme: Return BLK_STS_TARGET if the DNR bit is set
+References: bsc#1142076
+Patch-Mainline: never, solved differently upstream
+
+If the DNR bit is set we should not retry the command, even if
+the standard status evaluation indicates so.
+
+
+Signed-off-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/nvme/host/core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 6afc37292f28..6faa3a99253a 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -265,6 +265,13 @@ void nvme_complete_rq(struct request *req)
+ return;
+ }
+ }
++ /*
++ * Any pathing error might be retried, but the DNR bit takes
++ * precedence. So return BLK_STS_TARGET if the DNR bit is set
++ * to avoid retrying.
++ */
++ if (blk_path_error(status) && nvme_req(req)->status & NVME_SC_DNR)
++ status = BLK_STS_TARGET;
+ blk_mq_end_request(req, status);
+ }
+ EXPORT_SYMBOL_GPL(nvme_complete_rq);
+--
+2.16.4
+
diff --git a/series.conf b/series.conf
index c6a13dc4b2..b57c38e344 100644
--- a/series.conf
+++ b/series.conf
@@ -46203,6 +46203,7 @@
patches.drivers/platform-x86-mlx-platform-Add-extra-CPLD-for-next-ge.patch
patches.drivers/platform-x86-mlx-platform-Add-UID-LED-for-the-next-g.patch
patches.drivers/platform-x86-mlx-platform-Fix-access-mode-for-fan_di.patch
+ patches.arch/x86-unwind-handle-null-pointer-calls-better-in-frame-unwinder.patch
patches.suse/msft-hv-1855-x86-hyperv-Fix-kernel-panic-when-kexec-on-HyperV.patch
patches.arch/perf-ring_buffer-use-high-order-allocations-for-aux-buffers-optimistically.patch
patches.fixes/tools-lib-traceevent-fix-buffer-overflow-in-arg_eval.patch
@@ -47998,6 +47999,7 @@
patches.fixes/blk-mq-fix-hang-caused-by-freeze-unfreeze-sequence.patch
patches.fixes/nvme-copy-mtfa-field-from-identify-controller.patch
patches.drivers/scsi-qla2xxx-Add-cleanup-for-PCI-EEH-recovery.patch
+ patches.fixes/scsi-qedi-remove-memset-memcpy-to-nfunc-and-use-func-instead
patches.drivers/scsi-qedi-remove-set-but-not-used-variables-cdev-and-udev
patches.fixes/scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-operation
patches.fixes/ext4-wait-for-outstanding-dio-during-truncate-in-noj.patch
@@ -48946,6 +48948,11 @@
patches.fixes/0001-usb-cdc-acm-make-sure-a-refcount-is-taken-early-enou.patch
patches.fixes/0001-USB-CDC-fix-sanity-checks-in-CDC-union-parser.patch
patches.drivers/ibmvnic-Unmap-DMA-address-of-TX-descriptor-buffers-a.patch
+ patches.fixes/0001-HID-wacom-Correct-distance-scale-for-2nd-gen-Intuos-.patch
+ patches.fixes/0001-HID-wacom-correct-misreported-EKR-ring-values.patch
+
+ # powerpc/linux next
+ patches.arch/powerpc-rtas-use-device-model-APIs-and-serialization.patch
# tip/tip
patches.fixes/x86-kconfig-remove-x86_direct_gbpages-dependency-on-debug_pagealloc.patch
@@ -48976,6 +48983,8 @@
patches.fixes/block-Don-t-revalidate-bdev-of-hidden-gendisk.patch
patches.suse/nvme-flush-scan_work-when-resetting-controller.patch
patches.suse/nvme-skip-nvme_update_disk_info-if-the-controller-is.patch
+ patches.suse/nvme-Return-BLK_STS_TARGET-if-the-DNR-bit-is-set.patch
+ patches.fixes/nvme-multipath-fix-ana-log-nsid-lookup-when-nsid-is-.patch
patches.suse/block-Fix-a-NULL-pointer-dereference-in-generic_make.patch
patches.suse/dasd_fba-Display-00000000-for-zero-page-when-dumping.patch
patches.drivers/scsi-qla2xxx-do-not-crash-on-uninitialized-pool-list.patch
@@ -49193,6 +49202,7 @@
########################################################
# general lib/ optimizations
########################################################
+ patches.suse/libnvdimm-pfn-Store-correct-value-of-npfns-in-namespace.patch
########################################################
# CPUFREQ
@@ -49210,6 +49220,7 @@
########################################################
# powerpc/generic
########################################################
+ patches.arch/v2-powerpc-Allow-flush_-inval_-dcache_range-to-work-across-ranges-4GB.patch
patches.suse/Fix-build-error-in-drmem.c.patch
patches.arch/Documentation-x86-Move-protecton-key-documentation-t.patch
patches.arch/Documentation-vm-PowerPC-specific-updates-to-memory-.patch