Home Home > GIT Browse > openSUSE-15.0
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKernel Build Daemon <kbuild@suse.de>2019-10-18 07:28:56 +0200
committerKernel Build Daemon <kbuild@suse.de>2019-10-18 07:28:56 +0200
commita0f97f5d386f5189e661317bb473a91de8b74bd5 (patch)
tree625dbeec324e3fea61146dc1c38349912d3965b7
parent294e38633e180262d5cea49bc93509562fd4c1f4 (diff)
parent805df8f0e82f0b6d961e0da65823af29f80e8b08 (diff)
Merge branch 'SLE15' into openSUSE-15.0openSUSE-15.0
-rw-r--r--blacklist.conf1
-rw-r--r--patches.kabi/Fix-KVM-kABI-after-x86-mmu-backports.patch65
-rw-r--r--patches.suse/0001-USB-adutux-fix-NULL-derefs-on-disconnect.patch108
-rw-r--r--patches.suse/0001-USB-adutux-fix-use-after-free-on-disconnect.patch52
-rw-r--r--patches.suse/0001-USB-legousbtower-fix-deadlock-on-disconnect.patch129
-rw-r--r--patches.suse/0001-USB-legousbtower-fix-open-after-failed-reset-request.patch55
-rw-r--r--patches.suse/0001-USB-legousbtower-fix-potential-NULL-deref-on-disconn.patch139
-rw-r--r--patches.suse/0001-USB-legousbtower-fix-slab-info-leak-at-probe.patch42
-rw-r--r--patches.suse/0001-USB-microtek-fix-info-leak-at-probe.patch42
-rw-r--r--patches.suse/0001-USB-usblcd-fix-I-O-after-disconnect.patch132
-rw-r--r--patches.suse/0001-crypto-talitos-fix-missing-break-in-switch-statement.patch37
-rw-r--r--patches.suse/0001-rtlwifi-rtl8192cu-Fix-value-set-in-descriptor.patch35
-rw-r--r--patches.suse/ceph-fix-directories-inode-i_blkbits-initialization.patch46
-rw-r--r--patches.suse/ceph-reconnect-connection-if-session-hang-in-opening-state.patch43
-rw-r--r--patches.suse/ceph-update-the-mtime-when-truncating-up.patch88
-rw-r--r--patches.suse/cfg80211-wext-avoid-copying-malformed-SSIDs.patch54
-rw-r--r--patches.suse/ipoib-Do-not-overreact-to-SM-LID-change-even.patch147
-rw-r--r--patches.suse/kvm-convert-kvm_lock-to-a-mutex242
-rw-r--r--patches.suse/kvm-mmu-drop-vcpu-param-in-gpte_access59
-rw-r--r--patches.suse/kvm-x86-add-tracepoints-around-_direct_map-and-fnamefetch142
-rw-r--r--patches.suse/kvm-x86-adjust-kvm_mmu_page-member-to-save-8-bytes56
-rw-r--r--patches.suse/kvm-x86-change-kvm_mmu_page_get_gfn-bug_on-to-warn_on40
-rw-r--r--patches.suse/kvm-x86-do-not-release-the-page-inside-mmu_set_spte134
-rw-r--r--patches.suse/kvm-x86-make-fnamefetch-and-_direct_map-more-similar169
-rw-r--r--patches.suse/kvm-x86-powerpc-do-not-allow-clearing-largepages-debugfs-entry97
-rw-r--r--patches.suse/kvm-x86-remove-now-unneeded-hugepage-gfn-adjustment71
-rw-r--r--patches.suse/nfc-enforce-cap_net_raw-for-raw-sockets.patch39
-rw-r--r--patches.suse/scsi-lpfc-Fix-null-ptr-oops-updating-lpfc_devloss_tm.patch43
-rw-r--r--patches.suse/scsi-lpfc-Fix-propagation-of-devloss_tmo-setting-to-.patch64
-rw-r--r--patches.suse/sock_diag-fix-autoloading-of-the-raw_diag-module.patch37
-rw-r--r--patches.suse/sock_diag-request-_diag-module-only-when-the-family-.patch205
-rw-r--r--patches.suse/tracing-Initialize-iter-seq-after-zeroing-in-tracing.patch82
-rw-r--r--series.conf32
33 files changed, 2727 insertions, 0 deletions
diff --git a/blacklist.conf b/blacklist.conf
index de4f28718e..4b29ac88f4 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1383,3 +1383,4 @@ aea447141c7e7824b81b49acd1bc785506fba46e # clang not supported
a521c44c3ded9fe184c5de3eed3a442af2d26f00 # book3e not supported
2a1a3fa0f29270583f0e6e3100d609e09697add1 # CONFIG_KALLSYMS_ALL is set everywhere
056d28d135bca0b1d0908990338e00e9dadaf057 # libelf is in the default location in SLES
+3f384d7c490374b2ae8f61a6c67f14deab77bab2 # cosmetic change in logging
diff --git a/patches.kabi/Fix-KVM-kABI-after-x86-mmu-backports.patch b/patches.kabi/Fix-KVM-kABI-after-x86-mmu-backports.patch
new file mode 100644
index 0000000000..757153ec7c
--- /dev/null
+++ b/patches.kabi/Fix-KVM-kABI-after-x86-mmu-backports.patch
@@ -0,0 +1,65 @@
+From: Joerg Roedel <jroedel@suse.de>
+Date: Wed, 16 Oct 2019 13:46:24 +0200
+Subject: [PATCH] Fix KVM kABI after x86 mmu backports
+References: bsc#1117665
+Patch-mainline: Never, kABI fix only
+
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/include/asm/kvm_host.h | 4 ++--
+ include/linux/kvm_host.h | 6 +++++-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index 442c7fcb1bf6..66f9b603a6d8 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -276,18 +276,18 @@ struct kvm_rmap_head {
+ struct kvm_mmu_page {
+ struct list_head link;
+ struct hlist_node hash_link;
+- bool unsync;
+
+ /*
+ * The following two entries are used to key the shadow page in the
+ * hash table.
+ */
+- union kvm_mmu_page_role role;
+ gfn_t gfn;
++ union kvm_mmu_page_role role;
+
+ u64 *spt;
+ /* hold the gfn of each spte inside spt */
+ gfn_t *gfns;
++ bool unsync;
+ int root_count; /* Currently serving as active root */
+ unsigned int unsync_children;
+ struct kvm_rmap_head parent_ptes; /* rmap pointers to parent sptes */
+diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
+index 9635792374a4..2499d43b1600 100644
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -1016,15 +1016,19 @@ enum kvm_stat_kind {
+
+ struct kvm_stat_data {
+ int offset;
+- int mode;
+ struct kvm *kvm;
++#ifndef __GENKSYMS__
++ int mode;
++#endif
+ };
+
+ struct kvm_stats_debugfs_item {
+ const char *name;
+ int offset;
+ enum kvm_stat_kind kind;
++#ifndef __GENKSYMS__
+ int mode;
++#endif
+ };
+ extern struct kvm_stats_debugfs_item debugfs_entries[];
+ extern struct dentry *kvm_debugfs_dir;
+--
+2.16.3
+
diff --git a/patches.suse/0001-USB-adutux-fix-NULL-derefs-on-disconnect.patch b/patches.suse/0001-USB-adutux-fix-NULL-derefs-on-disconnect.patch
new file mode 100644
index 0000000000..09d193aba5
--- /dev/null
+++ b/patches.suse/0001-USB-adutux-fix-NULL-derefs-on-disconnect.patch
@@ -0,0 +1,108 @@
+From b2fa7baee744fde746c17bc1860b9c6f5c2eebb7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 25 Sep 2019 11:29:13 +0200
+Subject: [PATCH] USB: adutux: fix NULL-derefs on disconnect
+Git-commit: b2fa7baee744fde746c17bc1860b9c6f5c2eebb7
+Patch-mainline: v5.4-rc1
+References: bsc#1142635
+
+The driver was using its struct usb_device pointer as an inverted
+disconnected flag, but was setting it to NULL before making sure all
+completion handlers had run. This could lead to a NULL-pointer
+dereference in a number of dev_dbg statements in the completion handlers
+which relies on said pointer.
+
+The pointer was also dereferenced unconditionally in a dev_dbg statement
+release() something which would lead to a NULL-deref whenever a device
+was disconnected before the final character-device close if debugging
+was enabled.
+
+Fix this by unconditionally stopping all I/O and preventing
+resubmissions by poisoning the interrupt URBs at disconnect and using a
+dedicated disconnected flag.
+
+This also makes sure that all I/O has completed by the time the
+disconnect callback returns.
+
+Fixes: 1ef37c6047fe ("USB: adutux: remove custom debug macro and module parameter")
+Fixes: 66d4bc30d128 ("USB: adutux: remove custom debug macro")
+Cc: stable <stable@vger.kernel.org> # 3.12
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20190925092913.8608-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/usb/misc/adutux.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/misc/adutux.c
++++ b/drivers/usb/misc/adutux.c
+@@ -81,6 +81,7 @@ struct adu_device {
+ char serial_number[8];
+
+ int open_count; /* number of times this port has been opened */
++ unsigned long disconnected:1;
+
+ char *read_buffer_primary;
+ int read_buffer_length;
+@@ -122,7 +123,7 @@ static void adu_abort_transfers(struct a
+ {
+ unsigned long flags;
+
+- if (dev->udev == NULL)
++ if (dev->disconnected)
+ return;
+
+ /* shutdown transfer */
+@@ -245,7 +246,7 @@ static int adu_open(struct inode *inode,
+ }
+
+ dev = usb_get_intfdata(interface);
+- if (!dev || !dev->udev) {
++ if (!dev) {
+ retval = -ENODEV;
+ goto exit_no_device;
+ }
+@@ -328,7 +329,7 @@ static int adu_release(struct inode *ino
+ }
+
+ adu_release_internal(dev);
+- if (dev->udev == NULL) {
++ if (dev->disconnected) {
+ /* the device was unplugged before the file was released */
+ if (!dev->open_count) /* ... and we're the last user */
+ adu_delete(dev);
+@@ -357,7 +358,7 @@ static ssize_t adu_read(struct file *fil
+ return -ERESTARTSYS;
+
+ /* verify that the device wasn't unplugged */
+- if (dev->udev == NULL) {
++ if (dev->disconnected) {
+ retval = -ENODEV;
+ pr_err("No device or device unplugged %d\n", retval);
+ goto exit;
+@@ -522,7 +523,7 @@ static ssize_t adu_write(struct file *fi
+ goto exit_nolock;
+
+ /* verify that the device wasn't unplugged */
+- if (dev->udev == NULL) {
++ if (dev->disconnected) {
+ retval = -ENODEV;
+ pr_err("No device or device unplugged %d\n", retval);
+ goto exit;
+@@ -770,11 +771,14 @@ static void adu_disconnect(struct usb_in
+ minor = dev->minor;
+ usb_deregister_dev(interface, &adu_class);
+
++ usb_poison_urb(dev->interrupt_in_urb);
++ usb_poison_urb(dev->interrupt_out_urb);
++
+ mutex_lock(&adutux_mutex);
+ usb_set_intfdata(interface, NULL);
+
+ mutex_lock(&dev->mtx); /* not interruptible */
+- dev->udev = NULL; /* poison */
++ dev->disconnected = 1;
+ mutex_unlock(&dev->mtx);
+
+ /* if the device is not opened, then we clean up right now */
diff --git a/patches.suse/0001-USB-adutux-fix-use-after-free-on-disconnect.patch b/patches.suse/0001-USB-adutux-fix-use-after-free-on-disconnect.patch
new file mode 100644
index 0000000000..9f33f27a22
--- /dev/null
+++ b/patches.suse/0001-USB-adutux-fix-use-after-free-on-disconnect.patch
@@ -0,0 +1,52 @@
+From 44efc269db7929f6275a1fa927ef082e533ecde0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 25 Sep 2019 11:29:12 +0200
+Subject: [PATCH] USB: adutux: fix use-after-free on disconnect
+Git-commit: 44efc269db7929f6275a1fa927ef082e533ecde0
+References: bsc#1142635
+Patch-mainline: v5.4-rc1
+
+The driver was clearing its struct usb_device pointer, which it used as
+an inverted disconnected flag, before deregistering the character device
+and without serialising against racing release().
+
+This could lead to a use-after-free if a racing release() callback
+observes the cleared pointer and frees the driver data before
+disconnect() is finished with it.
+
+This could also lead to NULL-pointer dereferences in a racing open().
+
+Fixes: f08812d5eb8f ("USB: FIx locks and urb->status in adutux (updated)")
+Cc: stable <stable@vger.kernel.org> # 2.6.24
+Reported-by: syzbot+0243cb250a51eeefb8cc@syzkaller.appspotmail.com
+Tested-by: syzbot+0243cb250a51eeefb8cc@syzkaller.appspotmail.com
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20190925092913.8608-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/usb/misc/adutux.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/misc/adutux.c
++++ b/drivers/usb/misc/adutux.c
+@@ -767,15 +767,16 @@ static void adu_disconnect(struct usb_in
+
+ dev = usb_get_intfdata(interface);
+
+- mutex_lock(&dev->mtx); /* not interruptible */
+- dev->udev = NULL; /* poison */
+ minor = dev->minor;
+ usb_deregister_dev(interface, &adu_class);
+- mutex_unlock(&dev->mtx);
+
+ mutex_lock(&adutux_mutex);
+ usb_set_intfdata(interface, NULL);
+
++ mutex_lock(&dev->mtx); /* not interruptible */
++ dev->udev = NULL; /* poison */
++ mutex_unlock(&dev->mtx);
++
+ /* if the device is not opened, then we clean up right now */
+ if (!dev->open_count)
+ adu_delete(dev);
diff --git a/patches.suse/0001-USB-legousbtower-fix-deadlock-on-disconnect.patch b/patches.suse/0001-USB-legousbtower-fix-deadlock-on-disconnect.patch
new file mode 100644
index 0000000000..317aca39db
--- /dev/null
+++ b/patches.suse/0001-USB-legousbtower-fix-deadlock-on-disconnect.patch
@@ -0,0 +1,129 @@
+From 33a7813219f208f4952ece60ee255fd983272dec Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 19 Sep 2019 10:30:37 +0200
+Subject: [PATCH] USB: legousbtower: fix deadlock on disconnect
+Git-commit: 33a7813219f208f4952ece60ee255fd983272dec
+Patch-mainline: v5.4-rc3
+References: bsc#1142635
+
+Fix a potential deadlock if disconnect races with open.
+
+Since commit d4ead16f50f9 ("USB: prevent char device open/deregister
+race") core holds an rw-semaphore while open is called and when
+releasing the minor number during deregistration. This can lead to an
+ABBA deadlock if a driver takes a lock in open which it also holds
+during deregistration.
+
+This effectively reverts commit 78663ecc344b ("USB: disconnect open race
+in legousbtower") which needlessly introduced this issue after a generic
+fix for this race had been added to core by commit d4ead16f50f9 ("USB:
+prevent char device open/deregister race").
+
+Fixes: 78663ecc344b ("USB: disconnect open race in legousbtower")
+Cc: stable <stable@vger.kernel.org> # 2.6.24
+Reported-by: syzbot+f9549f5ee8a5416f0b95@syzkaller.appspotmail.com
+Tested-by: syzbot+f9549f5ee8a5416f0b95@syzkaller.appspotmail.com
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20190919083039.30898-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/usb/misc/legousbtower.c | 19 ++-----------------
+ 1 file changed, 2 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/usb/misc/legousbtower.c b/drivers/usb/misc/legousbtower.c
+index 1db07d4dc738..773e4188f336 100644
+--- a/drivers/usb/misc/legousbtower.c
++++ b/drivers/usb/misc/legousbtower.c
+@@ -179,7 +179,6 @@ static const struct usb_device_id tower_table[] = {
+ };
+
+ MODULE_DEVICE_TABLE (usb, tower_table);
+-static DEFINE_MUTEX(open_disc_mutex);
+
+ #define LEGO_USB_TOWER_MINOR_BASE 160
+
+@@ -332,18 +331,14 @@ static int tower_open (struct inode *inode, struct file *file)
+ goto exit;
+ }
+
+- mutex_lock(&open_disc_mutex);
+ dev = usb_get_intfdata(interface);
+-
+ if (!dev) {
+- mutex_unlock(&open_disc_mutex);
+ retval = -ENODEV;
+ goto exit;
+ }
+
+ /* lock this device */
+ if (mutex_lock_interruptible(&dev->lock)) {
+- mutex_unlock(&open_disc_mutex);
+ retval = -ERESTARTSYS;
+ goto exit;
+ }
+@@ -351,12 +346,10 @@ static int tower_open (struct inode *inode, struct file *file)
+
+ /* allow opening only once */
+ if (dev->open_count) {
+- mutex_unlock(&open_disc_mutex);
+ retval = -EBUSY;
+ goto unlock_exit;
+ }
+ dev->open_count = 1;
+- mutex_unlock(&open_disc_mutex);
+
+ /* reset the tower */
+ result = usb_control_msg (dev->udev,
+@@ -423,10 +416,9 @@ static int tower_release (struct inode *inode, struct file *file)
+
+ if (dev == NULL) {
+ retval = -ENODEV;
+- goto exit_nolock;
++ goto exit;
+ }
+
+- mutex_lock(&open_disc_mutex);
+ if (mutex_lock_interruptible(&dev->lock)) {
+ retval = -ERESTARTSYS;
+ goto exit;
+@@ -456,10 +448,7 @@ static int tower_release (struct inode *inode, struct file *file)
+
+ unlock_exit:
+ mutex_unlock(&dev->lock);
+-
+ exit:
+- mutex_unlock(&open_disc_mutex);
+-exit_nolock:
+ return retval;
+ }
+
+@@ -912,7 +901,6 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device
+ if (retval) {
+ /* something prevented us from registering this driver */
+ dev_err(idev, "Not able to get a minor for this device.\n");
+- usb_set_intfdata (interface, NULL);
+ goto error;
+ }
+ dev->minor = interface->minor;
+@@ -944,16 +932,13 @@ static void tower_disconnect (struct usb_interface *interface)
+ int minor;
+
+ dev = usb_get_intfdata (interface);
+- mutex_lock(&open_disc_mutex);
+- usb_set_intfdata (interface, NULL);
+
+ minor = dev->minor;
+
+- /* give back our minor */
++ /* give back our minor and prevent further open() */
+ usb_deregister_dev (interface, &tower_class);
+
+ mutex_lock(&dev->lock);
+- mutex_unlock(&open_disc_mutex);
+
+ /* if the device is not opened, then we clean up right now */
+ if (!dev->open_count) {
+--
+2.16.4
+
diff --git a/patches.suse/0001-USB-legousbtower-fix-open-after-failed-reset-request.patch b/patches.suse/0001-USB-legousbtower-fix-open-after-failed-reset-request.patch
new file mode 100644
index 0000000000..99d0c6db8c
--- /dev/null
+++ b/patches.suse/0001-USB-legousbtower-fix-open-after-failed-reset-request.patch
@@ -0,0 +1,55 @@
+From 0b074f6986751361ff442bc1127c1648567aa8d6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 19 Sep 2019 10:30:39 +0200
+Subject: [PATCH] USB: legousbtower: fix open after failed reset request
+Git-commit: 0b074f6986751361ff442bc1127c1648567aa8d6
+Patch-mainline: v5.4-rc3
+References: bsc#1142635
+
+The driver would return with a nonzero open count in case the reset
+control request failed. This would prevent any further attempts to open
+the char dev until the device was disconnected.
+
+Fix this by incrementing the open count only on successful open.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190919083039.30898-5-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/usb/misc/legousbtower.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/misc/legousbtower.c b/drivers/usb/misc/legousbtower.c
+index 4fa999882635..44d6a3381804 100644
+--- a/drivers/usb/misc/legousbtower.c
++++ b/drivers/usb/misc/legousbtower.c
+@@ -348,7 +348,6 @@ static int tower_open (struct inode *inode, struct file *file)
+ retval = -EBUSY;
+ goto unlock_exit;
+ }
+- dev->open_count = 1;
+
+ /* reset the tower */
+ result = usb_control_msg (dev->udev,
+@@ -388,13 +387,14 @@ static int tower_open (struct inode *inode, struct file *file)
+ dev_err(&dev->udev->dev,
+ "Couldn't submit interrupt_in_urb %d\n", retval);
+ dev->interrupt_in_running = 0;
+- dev->open_count = 0;
+ goto unlock_exit;
+ }
+
+ /* save device in the file's private structure */
+ file->private_data = dev;
+
++ dev->open_count = 1;
++
+ unlock_exit:
+ mutex_unlock(&dev->lock);
+
+--
+2.16.4
+
diff --git a/patches.suse/0001-USB-legousbtower-fix-potential-NULL-deref-on-disconn.patch b/patches.suse/0001-USB-legousbtower-fix-potential-NULL-deref-on-disconn.patch
new file mode 100644
index 0000000000..922718df11
--- /dev/null
+++ b/patches.suse/0001-USB-legousbtower-fix-potential-NULL-deref-on-disconn.patch
@@ -0,0 +1,139 @@
+From cd81e6fa8e033e7bcd59415b4a65672b4780030b Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 19 Sep 2019 10:30:38 +0200
+Subject: [PATCH] USB: legousbtower: fix potential NULL-deref on disconnect
+Git-commit: cd81e6fa8e033e7bcd59415b4a65672b4780030b
+Patch-mainline: v5.4-rc3
+References: bsc#1142635
+
+The driver is using its struct usb_device pointer as an inverted
+disconnected flag, but was setting it to NULL before making sure all
+completion handlers had run. This could lead to a NULL-pointer
+dereference in a number of dev_dbg and dev_err statements in the
+completion handlers which relies on said pointer.
+
+Fix this by unconditionally stopping all I/O and preventing
+resubmissions by poisoning the interrupt URBs at disconnect and using a
+dedicated disconnected flag.
+
+This also makes sure that all I/O has completed by the time the
+disconnect callback returns.
+
+Fixes: 9d974b2a06e3 ("USB: legousbtower.c: remove err() usage")
+Fixes: fef526cae700 ("USB: legousbtower: remove custom debug macro")
+Fixes: 4dae99638097 ("USB: legotower: remove custom debug macro and module parameter")
+Cc: stable <stable@vger.kernel.org> # 3.5
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20190919083039.30898-4-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/usb/misc/legousbtower.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/misc/legousbtower.c
++++ b/drivers/usb/misc/legousbtower.c
+@@ -196,6 +196,7 @@ struct lego_usb_tower {
+ unsigned char minor; /* the starting minor number for this device */
+
+ int open_count; /* number of times this port has been opened */
++ unsigned long disconnected:1;
+
+ char* read_buffer;
+ size_t read_buffer_length; /* this much came in */
+@@ -295,8 +296,6 @@ static inline void lego_usb_tower_debug_
+ */
+ static inline void tower_delete (struct lego_usb_tower *dev)
+ {
+- tower_abort_transfers (dev);
+-
+ /* free data structures */
+ usb_free_urb(dev->interrupt_in_urb);
+ usb_free_urb(dev->interrupt_out_urb);
+@@ -436,7 +435,8 @@ static int tower_release (struct inode *
+ retval = -ENODEV;
+ goto unlock_exit;
+ }
+- if (dev->udev == NULL) {
++
++ if (dev->disconnected) {
+ /* the device was unplugged before the file was released */
+
+ /* unlock here as tower_delete frees dev */
+@@ -472,10 +472,9 @@ static void tower_abort_transfers (struc
+ if (dev->interrupt_in_running) {
+ dev->interrupt_in_running = 0;
+ mb();
+- if (dev->udev)
+- usb_kill_urb (dev->interrupt_in_urb);
++ usb_kill_urb(dev->interrupt_in_urb);
+ }
+- if (dev->interrupt_out_busy && dev->udev)
++ if (dev->interrupt_out_busy)
+ usb_kill_urb(dev->interrupt_out_urb);
+ }
+
+@@ -511,7 +510,7 @@ static unsigned int tower_poll (struct f
+
+ dev = file->private_data;
+
+- if (!dev->udev)
++ if (dev->disconnected)
+ return POLLERR | POLLHUP;
+
+ poll_wait(file, &dev->read_wait, wait);
+@@ -558,7 +557,7 @@ static ssize_t tower_read (struct file *
+ }
+
+ /* verify that the device wasn't unplugged */
+- if (dev->udev == NULL) {
++ if (dev->disconnected) {
+ retval = -ENODEV;
+ pr_err("No device or device unplugged %d\n", retval);
+ goto unlock_exit;
+@@ -644,7 +643,7 @@ static ssize_t tower_write (struct file
+ }
+
+ /* verify that the device wasn't unplugged */
+- if (dev->udev == NULL) {
++ if (dev->disconnected) {
+ retval = -ENODEV;
+ pr_err("No device or device unplugged %d\n", retval);
+ goto unlock_exit;
+@@ -753,7 +752,7 @@ static void tower_interrupt_in_callback
+
+ resubmit:
+ /* resubmit if we're still running */
+- if (dev->interrupt_in_running && dev->udev) {
++ if (dev->interrupt_in_running) {
+ retval = usb_submit_urb (dev->interrupt_in_urb, GFP_ATOMIC);
+ if (retval)
+ dev_err(&dev->udev->dev,
+@@ -818,6 +817,7 @@ static int tower_probe (struct usb_inter
+
+ dev->udev = udev;
+ dev->open_count = 0;
++ dev->disconnected = 0;
+
+ dev->read_buffer = NULL;
+ dev->read_buffer_length = 0;
+@@ -943,6 +943,10 @@ static void tower_disconnect (struct usb
+ /* give back our minor and prevent further open() */
+ usb_deregister_dev (interface, &tower_class);
+
++ /* stop I/O */
++ usb_poison_urb(dev->interrupt_in_urb);
++ usb_poison_urb(dev->interrupt_out_urb);
++
+ mutex_lock(&dev->lock);
+
+ /* if the device is not opened, then we clean up right now */
+@@ -950,7 +954,7 @@ static void tower_disconnect (struct usb
+ mutex_unlock(&dev->lock);
+ tower_delete (dev);
+ } else {
+- dev->udev = NULL;
++ dev->disconnected = 1;
+ /* wake up pollers */
+ wake_up_interruptible_all(&dev->read_wait);
+ wake_up_interruptible_all(&dev->write_wait);
diff --git a/patches.suse/0001-USB-legousbtower-fix-slab-info-leak-at-probe.patch b/patches.suse/0001-USB-legousbtower-fix-slab-info-leak-at-probe.patch
new file mode 100644
index 0000000000..1526a8e0b9
--- /dev/null
+++ b/patches.suse/0001-USB-legousbtower-fix-slab-info-leak-at-probe.patch
@@ -0,0 +1,42 @@
+From 1d427be4a39defadda6dd8f4659bc17f7591740f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 19 Sep 2019 10:30:36 +0200
+Subject: [PATCH] USB: legousbtower: fix slab info leak at probe
+Git-commit: 1d427be4a39defadda6dd8f4659bc17f7591740f
+Patch-mainline: v5.4-rc3
+References: bsc#1142635
+
+Make sure to check for short transfers when retrieving the version
+information at probe to avoid leaking uninitialised slab data when
+logging it.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20190919083039.30898-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/usb/misc/legousbtower.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/misc/legousbtower.c b/drivers/usb/misc/legousbtower.c
+index 006cf13b2199..1db07d4dc738 100644
+--- a/drivers/usb/misc/legousbtower.c
++++ b/drivers/usb/misc/legousbtower.c
+@@ -891,8 +891,10 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device
+ get_version_reply,
+ sizeof(*get_version_reply),
+ 1000);
+- if (result < 0) {
+- dev_err(idev, "LEGO USB Tower get version control request failed\n");
++ if (result < sizeof(*get_version_reply)) {
++ if (result >= 0)
++ result = -EIO;
++ dev_err(idev, "get version request failed: %d\n", result);
+ retval = result;
+ goto error;
+ }
+--
+2.16.4
+
diff --git a/patches.suse/0001-USB-microtek-fix-info-leak-at-probe.patch b/patches.suse/0001-USB-microtek-fix-info-leak-at-probe.patch
new file mode 100644
index 0000000000..41829d1264
--- /dev/null
+++ b/patches.suse/0001-USB-microtek-fix-info-leak-at-probe.patch
@@ -0,0 +1,42 @@
+From 177238c3d47d54b2ed8f0da7a4290db492f4a057 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 3 Oct 2019 09:09:31 +0200
+Subject: [PATCH] USB: microtek: fix info-leak at probe
+Git-commit: 177238c3d47d54b2ed8f0da7a4290db492f4a057
+Patch-mainline: v5.4-rc1
+References: bsc#1142635
+
+Add missing bulk-in endpoint sanity check to prevent uninitialised stack
+data from being reported to the system log and used as endpoint
+addresses.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable@vger.kernel.org>
+Reported-by: syzbot+5630ca7c3b2be5c9da5e@syzkaller.appspotmail.com
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20191003070931.17009-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/usb/image/microtek.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/usb/image/microtek.c b/drivers/usb/image/microtek.c
+index 0a57c2cc8e5a..7a6b122c833f 100644
+--- a/drivers/usb/image/microtek.c
++++ b/drivers/usb/image/microtek.c
+@@ -716,6 +716,10 @@ static int mts_usb_probe(struct usb_interface *intf,
+
+ }
+
++ if (ep_in_current != &ep_in_set[2]) {
++ MTS_WARNING("couldn't find two input bulk endpoints. Bailing out.\n");
++ return -ENODEV;
++ }
+
+ if ( ep_out == -1 ) {
+ MTS_WARNING( "couldn't find an output bulk endpoint. Bailing out.\n" );
+--
+2.16.4
+
diff --git a/patches.suse/0001-USB-usblcd-fix-I-O-after-disconnect.patch b/patches.suse/0001-USB-usblcd-fix-I-O-after-disconnect.patch
new file mode 100644
index 0000000000..3dec9c0545
--- /dev/null
+++ b/patches.suse/0001-USB-usblcd-fix-I-O-after-disconnect.patch
@@ -0,0 +1,132 @@
+From eb7f5a490c5edfe8126f64bc58b9ba2edef0a425 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 26 Sep 2019 11:12:25 +0200
+Subject: [PATCH] USB: usblcd: fix I/O after disconnect
+Git-commit: eb7f5a490c5edfe8126f64bc58b9ba2edef0a425
+Patch-mainline: v5.4-rc3
+References: bsc#1142635
+
+Make sure to stop all I/O on disconnect by adding a disconnected flag
+which is used to prevent new I/O from being started and by stopping all
+ongoing I/O before returning.
+
+This also fixes a potential use-after-free on driver unbind in case the
+driver data is freed before the completion handler has run.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable@vger.kernel.org> # 7bbe990c989e
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20190926091228.24634-7-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/usb/misc/usblcd.c | 33 +++++++++++++++++++++++++++++++--
+ 1 file changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/misc/usblcd.c b/drivers/usb/misc/usblcd.c
+index 9ba4a4e68d91..aa982d3ca36b 100644
+--- a/drivers/usb/misc/usblcd.c
++++ b/drivers/usb/misc/usblcd.c
+@@ -18,6 +18,7 @@
+ #include <linux/slab.h>
+ #include <linux/errno.h>
+ #include <linux/mutex.h>
++#include <linux/rwsem.h>
+ #include <linux/uaccess.h>
+ #include <linux/usb.h>
+
+@@ -57,6 +58,8 @@ struct usb_lcd {
+ using up all RAM */
+ struct usb_anchor submitted; /* URBs to wait for
+ before suspend */
++ struct rw_semaphore io_rwsem;
++ unsigned long disconnected:1;
+ };
+ #define to_lcd_dev(d) container_of(d, struct usb_lcd, kref)
+
+@@ -142,6 +145,13 @@ static ssize_t lcd_read(struct file *file, char __user * buffer,
+
+ dev = file->private_data;
+
++ down_read(&dev->io_rwsem);
++
++ if (dev->disconnected) {
++ retval = -ENODEV;
++ goto out_up_io;
++ }
++
+ /* do a blocking bulk read to get data from the device */
+ retval = usb_bulk_msg(dev->udev,
+ usb_rcvbulkpipe(dev->udev,
+@@ -158,6 +168,9 @@ static ssize_t lcd_read(struct file *file, char __user * buffer,
+ retval = bytes_read;
+ }
+
++out_up_io:
++ up_read(&dev->io_rwsem);
++
+ return retval;
+ }
+
+@@ -237,11 +250,18 @@ static ssize_t lcd_write(struct file *file, const char __user * user_buffer,
+ if (r < 0)
+ return -EINTR;
+
++ down_read(&dev->io_rwsem);
++
++ if (dev->disconnected) {
++ retval = -ENODEV;
++ goto err_up_io;
++ }
++
+ /* create a urb, and a buffer for it, and copy the data to the urb */
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+ if (!urb) {
+ retval = -ENOMEM;
+- goto err_no_buf;
++ goto err_up_io;
+ }
+
+ buf = usb_alloc_coherent(dev->udev, count, GFP_KERNEL,
+@@ -278,6 +298,7 @@ static ssize_t lcd_write(struct file *file, const char __user * user_buffer,
+ the USB core will eventually free it entirely */
+ usb_free_urb(urb);
+
++ up_read(&dev->io_rwsem);
+ exit:
+ return count;
+ error_unanchor:
+@@ -285,7 +306,8 @@ static ssize_t lcd_write(struct file *file, const char __user * user_buffer,
+ error:
+ usb_free_coherent(dev->udev, count, buf, urb->transfer_dma);
+ usb_free_urb(urb);
+-err_no_buf:
++err_up_io:
++ up_read(&dev->io_rwsem);
+ up(&dev->limit_sem);
+ return retval;
+ }
+@@ -325,6 +347,7 @@ static int lcd_probe(struct usb_interface *interface,
+
+ kref_init(&dev->kref);
+ sema_init(&dev->limit_sem, USB_LCD_CONCURRENT_WRITES);
++ init_rwsem(&dev->io_rwsem);
+ init_usb_anchor(&dev->submitted);
+
+ dev->udev = usb_get_dev(interface_to_usbdev(interface));
+@@ -422,6 +445,12 @@ static void lcd_disconnect(struct usb_interface *interface)
+ /* give back our minor */
+ usb_deregister_dev(interface, &lcd_class);
+
++ down_write(&dev->io_rwsem);
++ dev->disconnected = 1;
++ up_write(&dev->io_rwsem);
++
++ usb_kill_anchored_urbs(&dev->submitted);
++
+ /* decrement our usage count */
+ kref_put(&dev->kref, lcd_delete);
+
+--
+2.16.4
+
diff --git a/patches.suse/0001-crypto-talitos-fix-missing-break-in-switch-statement.patch b/patches.suse/0001-crypto-talitos-fix-missing-break-in-switch-statement.patch
new file mode 100644
index 0000000000..12bac3bf60
--- /dev/null
+++ b/patches.suse/0001-crypto-talitos-fix-missing-break-in-switch-statement.patch
@@ -0,0 +1,37 @@
+From 5fc194ea6d34dfad9833d3043ce41d6c52aff39a Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 9 Sep 2019 00:29:52 -0500
+Subject: [PATCH] crypto: talitos - fix missing break in switch statement
+Git-commit: 5fc194ea6d34dfad9833d3043ce41d6c52aff39a
+Patch-mainline: v5.4-rc1
+References: bsc#1142635
+
+Add missing break statement in order to prevent the code from falling
+through to case CRYPTO_ALG_TYPE_AHASH.
+
+Fixes: aeb4c132f33d ("crypto: talitos - Convert to new AEAD interface")
+Cc: stable@vger.kernel.org
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/crypto/talitos.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
+index cb6c10b1bf36..56e3068c9947 100644
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -3116,6 +3116,7 @@ static int talitos_remove(struct platform_device *ofdev)
+ break;
+ case CRYPTO_ALG_TYPE_AEAD:
+ crypto_unregister_aead(&t_alg->algt.alg.aead);
++ break;
+ case CRYPTO_ALG_TYPE_AHASH:
+ crypto_unregister_ahash(&t_alg->algt.alg.hash);
+ break;
+--
+2.16.4
+
diff --git a/patches.suse/0001-rtlwifi-rtl8192cu-Fix-value-set-in-descriptor.patch b/patches.suse/0001-rtlwifi-rtl8192cu-Fix-value-set-in-descriptor.patch
new file mode 100644
index 0000000000..0727f8a7a3
--- /dev/null
+++ b/patches.suse/0001-rtlwifi-rtl8192cu-Fix-value-set-in-descriptor.patch
@@ -0,0 +1,35 @@
+From 01bb31de526265e51e21e3efcdcbbe7e6906b051 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Mon, 12 Aug 2019 14:27:41 -0500
+Subject: [PATCH] rtlwifi: rtl8192cu: Fix value set in descriptor
+Git-commit: 01bb31de526265e51e21e3efcdcbbe7e6906b051
+Patch-mainline: v5.4-rc1
+References: bsc#1142635
+
+In the process of converting the bit manipulation macros were converted
+to use GENMASK(), the compiler reported a value too big for the field.
+The offending statement was trying to write 0x100 into a 5-bit field.
+An accompaning comment says to set bit 3, thus the code is changed
+appropriately.
+
+This error has been in the driver since its initial submission.
+
+Fixes: 29d00a3e46bb ("rtlwifi: rtl8192cu: Add routine trx")
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c
+@@ -634,7 +634,7 @@ void rtl92cu_fill_fake_txdesc(struct iee
+ SET_TX_DESC_NAV_USE_HDR(pDesc, 1);
+ } else {
+ SET_TX_DESC_HWSEQ_EN(pDesc, 1); /* Hw set sequence number */
+- SET_TX_DESC_PKT_ID(pDesc, 0x100); /* set bit3 to 1. */
++ SET_TX_DESC_PKT_ID(pDesc, BIT(3)); /* set bit3 to 1. */
+ }
+ SET_TX_DESC_USE_RATE(pDesc, 1); /* use data rate which is set by Sw */
+ SET_TX_DESC_OWN(pDesc, 1);
diff --git a/patches.suse/ceph-fix-directories-inode-i_blkbits-initialization.patch b/patches.suse/ceph-fix-directories-inode-i_blkbits-initialization.patch
new file mode 100644
index 0000000000..d91eb470fc
--- /dev/null
+++ b/patches.suse/ceph-fix-directories-inode-i_blkbits-initialization.patch
@@ -0,0 +1,46 @@
+From: Luis Henriques <lhenriques@suse.com>
+Date: Tue, 23 Jul 2019 16:50:20 +0100
+Subject: ceph: fix directories inode i_blkbits initialization
+Git-commit: 750670341a24cb714e624e0fd7da30900ad93752
+Patch-mainline: v5.4-rc1
+References: bsc#1153717
+
+When filling an inode with info from the MDS, i_blkbits is being
+initialized using fl_stripe_unit, which contains the stripe unit in
+bytes. Unfortunately, this doesn't make sense for directories as they
+have fl_stripe_unit set to '0'. This means that i_blkbits will be set
+to 0xff, causing an UBSAN undefined behaviour in i_blocksize():
+
+ UBSAN: Undefined behaviour in ./include/linux/fs.h:731:12
+ shift exponent 255 is too large for 32-bit type 'int'
+
+Fix this by initializing i_blkbits to CEPH_BLOCK_SHIFT if fl_stripe_unit
+is zero.
+
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+
+---
+ fs/ceph/inode.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
+index 18500edefc56..3b537e7038c7 100644
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -801,7 +801,12 @@ static int fill_inode(struct inode *inode, struct page *locked_page,
+
+ /* update inode */
+ inode->i_rdev = le32_to_cpu(info->rdev);
+- inode->i_blkbits = fls(le32_to_cpu(info->layout.fl_stripe_unit)) - 1;
++ /* directories have fl_stripe_unit set to zero */
++ if (le32_to_cpu(info->layout.fl_stripe_unit))
++ inode->i_blkbits =
++ fls(le32_to_cpu(info->layout.fl_stripe_unit)) - 1;
++ else
++ inode->i_blkbits = CEPH_BLOCK_SHIFT;
+
+ __ceph_update_quota(ci, iinfo->max_bytes, iinfo->max_files);
+
+
diff --git a/patches.suse/ceph-reconnect-connection-if-session-hang-in-opening-state.patch b/patches.suse/ceph-reconnect-connection-if-session-hang-in-opening-state.patch
new file mode 100644
index 0000000000..b1c92fb006
--- /dev/null
+++ b/patches.suse/ceph-reconnect-connection-if-session-hang-in-opening-state.patch
@@ -0,0 +1,43 @@
+From: Erqi Chen <chenerqi@gmail.com>
+Date: Wed, 28 Aug 2019 21:22:45 +0800
+Subject: ceph: reconnect connection if session hang in opening state
+Git-commit: 71a228bc8d65900179e37ac309e678f8c523f133
+Patch-mainline: v5.4-rc1
+References: bsc#1153718
+
+If client mds session is evicted in CEPH_MDS_SESSION_OPENING state,
+mds won't send session msg to client, and delayed_work skip
+CEPH_MDS_SESSION_OPENING state session, the session hang forever.
+
+Allow ceph_con_keepalive to reconnect a session in OPENING to avoid
+session hang. Also, ensure that we skip sessions in RESTARTING and
+REJECTED states since those states can't be resurrected by issuing
+a keepalive.
+
+Link: https://tracker.ceph.com/issues/41551
+Signed-off-by: Erqi Chen chenerqi@gmail.com
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+
+---
+ fs/ceph/mds_client.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
+index 959dcf2ab0b8..a8a8f84f3bbf 100644
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -4088,7 +4088,9 @@ static void delayed_work(struct work_struct *work)
+ pr_info("mds%d hung\n", s->s_mds);
+ }
+ }
+- if (s->s_state < CEPH_MDS_SESSION_OPEN) {
++ if (s->s_state == CEPH_MDS_SESSION_NEW ||
++ s->s_state == CEPH_MDS_SESSION_RESTARTING ||
++ s->s_state == CEPH_MDS_SESSION_REJECTED) {
+ /* this mds is failed or recovering, just wait */
+ ceph_put_mds_session(s);
+ continue;
+
diff --git a/patches.suse/ceph-update-the-mtime-when-truncating-up.patch b/patches.suse/ceph-update-the-mtime-when-truncating-up.patch
new file mode 100644
index 0000000000..68610b2738
--- /dev/null
+++ b/patches.suse/ceph-update-the-mtime-when-truncating-up.patch
@@ -0,0 +1,88 @@
+From: Jeff Layton <jlayton@kernel.org>
+Date: Thu, 25 Jul 2019 13:03:32 -0400
+Subject: ceph: update the mtime when truncating up
+Git-commit: c62498d7f9d37d5e60d61ca2a4e1f88211af7645
+Patch-mainline: v5.4-rc1
+References: bsc#1153719
+
+If we have Fx caps, and the we're truncating the size to be larger, then
+we'll cache the size attribute change, but the mtime won't be updated.
+
+Move the size handling before the mtime, and add ATTR_MTIME to ia_valid
+in that case to make sure the mtime also gets updated.
+
+This fixes xfstest generic/313.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Acked-by: Luis Henriques <lhenriques@suse.com>
+
+---
+ fs/ceph/inode.c | 41 +++++++++++++++++++++--------------------
+ 1 file changed, 21 insertions(+), 20 deletions(-)
+
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -1966,7 +1966,7 @@ static const struct inode_operations cep
+ int __ceph_setattr(struct inode *inode, struct iattr *attr)
+ {
+ struct ceph_inode_info *ci = ceph_inode(inode);
+- const unsigned int ia_valid = attr->ia_valid;
++ unsigned int ia_valid = attr->ia_valid;
+ struct ceph_mds_request *req;
+ struct ceph_mds_client *mdsc = ceph_sb_to_client(inode->i_sb)->mdsc;
+ struct ceph_cap_flush *prealloc_cf;
+@@ -2071,6 +2071,26 @@ int __ceph_setattr(struct inode *inode,
+ CEPH_CAP_FILE_RD | CEPH_CAP_FILE_WR;
+ }
+ }
++ if (ia_valid & ATTR_SIZE) {
++ dout("setattr %p size %lld -> %lld\n", inode,
++ inode->i_size, attr->ia_size);
++ if ((issued & CEPH_CAP_FILE_EXCL) &&
++ attr->ia_size > inode->i_size) {
++ i_size_write(inode, attr->ia_size);
++ inode->i_blocks = calc_inode_blocks(attr->ia_size);
++ ci->i_reported_size = attr->ia_size;
++ dirtied |= CEPH_CAP_FILE_EXCL;
++ ia_valid |= ATTR_MTIME;
++ } else if ((issued & CEPH_CAP_FILE_SHARED) == 0 ||
++ attr->ia_size != inode->i_size) {
++ req->r_args.setattr.size = cpu_to_le64(attr->ia_size);
++ req->r_args.setattr.old_size =
++ cpu_to_le64(inode->i_size);
++ mask |= CEPH_SETATTR_SIZE;
++ release |= CEPH_CAP_FILE_SHARED | CEPH_CAP_FILE_EXCL |
++ CEPH_CAP_FILE_RD | CEPH_CAP_FILE_WR;
++ }
++ }
+ if (ia_valid & ATTR_MTIME) {
+ dout("setattr %p mtime %ld.%ld -> %ld.%ld\n", inode,
+ inode->i_mtime.tv_sec, inode->i_mtime.tv_nsec,
+@@ -2093,25 +2113,6 @@ int __ceph_setattr(struct inode *inode,
+ CEPH_CAP_FILE_RD | CEPH_CAP_FILE_WR;
+ }
+ }
+- if (ia_valid & ATTR_SIZE) {
+- dout("setattr %p size %lld -> %lld\n", inode,
+- inode->i_size, attr->ia_size);
+- if ((issued & CEPH_CAP_FILE_EXCL) &&
+- attr->ia_size > inode->i_size) {
+- i_size_write(inode, attr->ia_size);
+- inode->i_blocks = calc_inode_blocks(attr->ia_size);
+- ci->i_reported_size = attr->ia_size;
+- dirtied |= CEPH_CAP_FILE_EXCL;
+- } else if ((issued & CEPH_CAP_FILE_SHARED) == 0 ||
+- attr->ia_size != inode->i_size) {
+- req->r_args.setattr.size = cpu_to_le64(attr->ia_size);
+- req->r_args.setattr.old_size =
+- cpu_to_le64(inode->i_size);
+- mask |= CEPH_SETATTR_SIZE;
+- release |= CEPH_CAP_FILE_SHARED | CEPH_CAP_FILE_EXCL |
+- CEPH_CAP_FILE_RD | CEPH_CAP_FILE_WR;
+- }
+- }
+
+ /* these do nothing */
+ if (ia_valid & ATTR_CTIME) {
+
diff --git a/patches.suse/cfg80211-wext-avoid-copying-malformed-SSIDs.patch b/patches.suse/cfg80211-wext-avoid-copying-malformed-SSIDs.patch
new file mode 100644
index 0000000000..60bcddb2f7
--- /dev/null
+++ b/patches.suse/cfg80211-wext-avoid-copying-malformed-SSIDs.patch
@@ -0,0 +1,54 @@
+From: Will Deacon <will@kernel.org>
+Date: Fri, 4 Oct 2019 10:51:32 +0100
+Subject: [PATCH] cfg80211: wext: avoid copying malformed SSIDs
+Patch-mainline: Queued in subsystem maintainer repository
+Git-commit: 4ac2813cc867ae563a1ba5a9414bfb554e5796fa
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git
+References: bsc#1153158 CVE-2019-17133
+
+Ensure the SSID element is bounds-checked prior to invoking memcpy()
+with its length field, when copying to userspace.
+
+Cc: <stable@vger.kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Reported-by: Nicolas Waisman <nico@semmle.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20191004095132.15777-2-will@kernel.org
+[adjust commit log a bit]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Cho, Yu-Chen <acho@suse.com>
+---
+ net/wireless/wext-sme.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/wext-sme.c
++++ b/net/wireless/wext-sme.c
+@@ -201,6 +201,7 @@ int cfg80211_mgd_wext_giwessid(struct ne
+ struct iw_point *data, char *ssid)
+ {
+ struct wireless_dev *wdev = dev->ieee80211_ptr;
++ int ret = 0;
+
+ /* call only for station! */
+ if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION))
+@@ -218,7 +219,10 @@ int cfg80211_mgd_wext_giwessid(struct ne
+ if (ie) {
+ data->flags = 1;
+ data->length = ie[1];
+- memcpy(ssid, ie + 2, data->length);
++ if (data->length > IW_ESSID_MAX_SIZE)
++ ret = -EINVAL;
++ else
++ memcpy(ssid, ie + 2, data->length);
+ }
+ rcu_read_unlock();
+ } else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) {
+@@ -228,7 +232,7 @@ int cfg80211_mgd_wext_giwessid(struct ne
+ }
+ wdev_unlock(wdev);
+
+- return 0;
++ return ret;
+ }
+
+ int cfg80211_mgd_wext_siwap(struct net_device *dev,
diff --git a/patches.suse/ipoib-Do-not-overreact-to-SM-LID-change-even.patch b/patches.suse/ipoib-Do-not-overreact-to-SM-LID-change-even.patch
new file mode 100644
index 0000000000..e61e802e60
--- /dev/null
+++ b/patches.suse/ipoib-Do-not-overreact-to-SM-LID-change-even.patch
@@ -0,0 +1,147 @@
+From ba7d8117f3cca8eb70d579fde3f9ec8cd6a28f39 Mon Sep 17 00:00:00 2001
+From: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Date: Thu, 11 Apr 2019 07:22:35 -0700
+Subject: [PATCH 1/1] IB/core, ipoib: Do not overreact to SM LID change event
+Patch-mainline: v5.2
+Git-commit: ba7d8117f3cca8eb70d579fde3f9ec8cd6a28f39
+References: bsc#1154108
+
+When IPoIB receives an SM LID change event, it reacts by flushing its
+path record cache and rejoining multicast groups. This is the same
+behavior it performs when it receives a reregistration event. This
+behavior is unnecessary as an SM may have database backup or
+synchronization mechanisms which permit the SM location or LID to change
+without loss of multicast membership and without impact to path records.
+
+Both opensm and the OPA FM issue reregistration events if a new SM is
+started (or restarted with a new config) or an SM event occurs which
+results in loss of multicast membership records by the SM (such as
+opensm failover) or the SM encounters new nodes with Active ports (such
+as after joining 2 fabrics by connecting switches via ISLs). Hence this
+event can be depended on as the trigger for IPoIB cache and multicast
+flushing.
+
+It appears that some drivers, such as qib, and hfi1 issue the
+IB_EVENT_SM_CHANGE but other drivers such as mlx4 and mlx5 do not.
+Empirical testing on Mellanox EDR using ibv_asyncwatch has confirmed
+that Mellanox EDR HCAs do not generate SM change events and that opensm
+does generate reregistration.
+
+An SM LID change event is generated by the mentioned drivers to reflect
+that sm_lid and/or sm_sl in the local port info has changed. The intent
+of this event is to permit applications and ULPs which have a local copy
+of this information (or an address handle using it) to update their
+information.
+
+The intent is that the reregistration event (caused by the SM via a bit
+in Set(PortInfo)) be used to inform nodes that they need to rejoin
+multicast groups, resubscribe for notices and potentially update path
+records.
+
+When an SM migrates or fails over, a SM LID change event can occur. In
+response IPoIB discards path records and multicast membership and loses
+connectivity until these records are restored via SA requests. In very
+large fabrics, it may take minutes for the SM to be ready and for the SA
+responses to be supplied. This can result in undesirable and
+unnecessary IPoIB connectivity impacts. It also can result in an
+unnecessary storm of SA queries from all nodes in a cluster potentially
+followed by yet another storm if the SM issues the reregistration
+request.
+
+The fact the Mellanox HCAs do not even generate this event, is further
+evidence that on modern IB fabrics there will be no ill side effects
+from the proposed changes below to reduce the reaction by 3 kernel
+components to this event. So these changes should be benign for Mellanox
+IB fabrics and will benefit OPA fabrics while also making ib_core and
+ULP behavor "correct" as intended by the IBTA spec and kernel RDMA event
+APIs.
+
+Address these issues by removing IB_EVENT_SM_CHANGE handling from ipoib.
+IPoIB does not locally store sm_lid nor sm_sl, so it does not need to do
+anything on SM LID change. IPoIB makes use of other ib_core components
+to issue SA requests for it and those components correctly track SM LID
+and SM LID changes.
+
+Also in ib_core multicast handling, remove the test for
+IB_EVENT_SM_CHANGE. This code is moving all multicast groups to the
+error state, which will trigger rejoins. This code is used by IPoIB as
+well as the connection manager and other clients of multicast groups.
+This kernel module centralizes group membership status and joins since a
+node can only join a given group once but multiple ULPs or applications
+may want to join the same group. It makes use of the sa_query.c
+component in ib_core, which correctly trackes SM LID and SL. This
+component does not track SM LID nor SL itself and hence need not react
+to their changes.
+
+Similarly in the ib_core cache code remove the handling for the
+IB_EVENT_SM_CHANGE. In this function. The ib_cache_update function
+which is ultimately called is updating local copies of the pkey table,
+gid table and lmc. It does not update nor retain sm_lid nor sm_sl. As
+such it does not need to be called on an SM LID change. It technically
+also does not need to be called on a reregistration. The LID_CHANGE,
+PKEY_CHANGE, GID_CHANGE and port state change events (PORT_ERR,
+PORT_ACTICE) should be sufficient triggers.
+
+It is worth noting that the alternative of simply having the hfi1 and
+qib drivers not generate the SM LID change event was explored. While
+this would duplicate what Mellanox drivers do now, it is not the correct
+behavior and removes the ability for an SM to migrate without requiring
+reregistration. Since both opensm and OPA SM have mechanisms to backup
+or synchronize registration information, it is desirable to let them
+perform SM migrations (with LID or SL changes) without requiring
+reregistration when they deem it appropriate.
+
+Suggested-by: Todd Rimmer <todd.rimmer@intel.com>
+Tested-by: Michael Brooks <michael.brooks@intel.com>
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Reviewed-by: Todd Rimmer <todd.rimmer@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Reviewed-by: Nicolas Morey-Chaisemartin <NMoreyChaisemartin@suse.com>
+---
+ drivers/infiniband/core/cache.c | 1 -
+ drivers/infiniband/core/multicast.c | 1 -
+ drivers/infiniband/ulp/ipoib/ipoib_verbs.c | 3 +--
+ 3 files changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
+index 7ebb4924fa85..c0b94aafbdbb 100644
+--- a/drivers/infiniband/core/cache.c
++++ b/drivers/infiniband/core/cache.c
+@@ -1168,7 +1168,6 @@ static void ib_cache_event(struct ib_event_handler *handler,
+ event->event == IB_EVENT_PORT_ACTIVE ||
+ event->event == IB_EVENT_LID_CHANGE ||
+ event->event == IB_EVENT_PKEY_CHANGE ||
+- event->event == IB_EVENT_SM_CHANGE ||
+ event->event == IB_EVENT_CLIENT_REREGISTER ||
+ event->event == IB_EVENT_GID_CHANGE) {
+ work = kmalloc(sizeof *work, GFP_ATOMIC);
+diff --git a/drivers/infiniband/core/multicast.c b/drivers/infiniband/core/multicast.c
+index 4eb72ff539fc..8b358ec31cfd 100644
+--- a/drivers/infiniband/core/multicast.c
++++ b/drivers/infiniband/core/multicast.c
+@@ -794,7 +794,6 @@ static void mcast_event_handler(struct ib_event_handler *handler,
+ switch (event->event) {
+ case IB_EVENT_PORT_ERR:
+ case IB_EVENT_LID_CHANGE:
+- case IB_EVENT_SM_CHANGE:
+ case IB_EVENT_CLIENT_REREGISTER:
+ mcast_groups_event(&dev->port[index], MCAST_GROUP_ERROR);
+ break;
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_verbs.c b/drivers/infiniband/ulp/ipoib/ipoib_verbs.c
+index a1ed25422b72..5e59ca378966 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_verbs.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_verbs.c
+@@ -279,8 +279,7 @@ void ipoib_event(struct ib_event_handler *handler,
+ ipoib_dbg(priv, "Event %d on device %s port %d\n", record->event,
+ record->device->name, record->element.port_num);
+
+- if (record->event == IB_EVENT_SM_CHANGE ||
+- record->event == IB_EVENT_CLIENT_REREGISTER) {
++ if (record->event == IB_EVENT_CLIENT_REREGISTER) {
+ queue_work(ipoib_workqueue, &priv->flush_light);
+ } else if (record->event == IB_EVENT_PORT_ERR ||
+ record->event == IB_EVENT_PORT_ACTIVE ||
+--
+2.21.0
+
diff --git a/patches.suse/kvm-convert-kvm_lock-to-a-mutex b/patches.suse/kvm-convert-kvm_lock-to-a-mutex
new file mode 100644
index 0000000000..c998752032
--- /dev/null
+++ b/patches.suse/kvm-convert-kvm_lock-to-a-mutex
@@ -0,0 +1,242 @@
+From: Junaid Shahid <junaids@google.com>
+Date: Thu, 3 Jan 2019 17:14:28 -0800
+Subject: kvm: Convert kvm_lock to a mutex
+Git-commit: 0d9ce162cf46c99628cc5da9510b959c7976735b
+Patch-mainline: v5.3-rc1
+References: bsc#1117665
+
+It doesn't seem as if there is any particular need for kvm_lock to be a
+spinlock, so convert the lock to a mutex so that sleepable functions (in
+particular cond_resched()) can be called while holding it.
+
+Signed-off-by: Junaid Shahid <junaids@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ Documentation/virtual/kvm/locking.txt | 4 +---
+ arch/s390/kvm/kvm-s390.c | 4 ++--
+ arch/x86/kvm/mmu.c | 4 ++--
+ arch/x86/kvm/x86.c | 14 +++++++-------
+ include/linux/kvm_host.h | 2 +-
+ virt/kvm/kvm_main.c | 30 +++++++++++++++---------------
+ 6 files changed, 28 insertions(+), 30 deletions(-)
+
+--- a/Documentation/virtual/kvm/locking.txt
++++ b/Documentation/virtual/kvm/locking.txt
+@@ -15,8 +15,6 @@ The acquisition orders for mutexes are a
+
+ On x86, vcpu->mutex is taken outside kvm->arch.hyperv.hv_lock.
+
+-For spinlocks, kvm_lock is taken outside kvm->mmu_lock.
+-
+ Everything else is a leaf: no other lock is taken inside the critical
+ sections.
+
+@@ -169,7 +167,7 @@ which time it will be set using the Dirt
+ ------------
+
+ Name: kvm_lock
+-Type: spinlock_t
++Type: mutex
+ Arch: any
+ Protects: - vm_list
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -1961,13 +1961,13 @@ int kvm_arch_init_vm(struct kvm *kvm, un
+ kvm->arch.sca = (struct bsca_block *) get_zeroed_page(alloc_flags);
+ if (!kvm->arch.sca)
+ goto out_err;
+- spin_lock(&kvm_lock);
++ mutex_lock(&kvm_lock);
+ sca_offset += 16;
+ if (sca_offset + sizeof(struct bsca_block) > PAGE_SIZE)
+ sca_offset = 0;
+ kvm->arch.sca = (struct bsca_block *)
+ ((char *) kvm->arch.sca + sca_offset);
+- spin_unlock(&kvm_lock);
++ mutex_unlock(&kvm_lock);
+
+ sprintf(debug_name, "kvm-%u", current->pid);
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -5485,7 +5485,7 @@ mmu_shrink_scan(struct shrinker *shrink,
+ int nr_to_scan = sc->nr_to_scan;
+ unsigned long freed = 0;
+
+- spin_lock(&kvm_lock);
++ mutex_lock(&kvm_lock);
+
+ list_for_each_entry(kvm, &vm_list, vm_list) {
+ int idx;
+@@ -5535,7 +5535,7 @@ unlock:
+ break;
+ }
+
+- spin_unlock(&kvm_lock);
++ mutex_unlock(&kvm_lock);
+ return freed;
+ }
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6147,7 +6147,7 @@ static int kvmclock_cpufreq_notifier(str
+
+ smp_call_function_single(freq->cpu, tsc_khz_changed, freq, 1);
+
+- spin_lock(&kvm_lock);
++ mutex_lock(&kvm_lock);
+ list_for_each_entry(kvm, &vm_list, vm_list) {
+ kvm_for_each_vcpu(i, vcpu, kvm) {
+ if (vcpu->cpu != freq->cpu)
+@@ -6157,7 +6157,7 @@ static int kvmclock_cpufreq_notifier(str
+ send_ipi = 1;
+ }
+ }
+- spin_unlock(&kvm_lock);
++ mutex_unlock(&kvm_lock);
+
+ if (freq->old < freq->new && send_ipi) {
+ /*
+@@ -6294,12 +6294,12 @@ static void pvclock_gtod_update_fn(struc
+ struct kvm_vcpu *vcpu;
+ int i;
+
+- spin_lock(&kvm_lock);
++ mutex_lock(&kvm_lock);
+ list_for_each_entry(kvm, &vm_list, vm_list)
+ kvm_for_each_vcpu(i, vcpu, kvm)
+ kvm_make_request(KVM_REQ_MASTERCLOCK_UPDATE, vcpu);
+ atomic_set(&kvm_guest_has_master_clock, 0);
+- spin_unlock(&kvm_lock);
++ mutex_unlock(&kvm_lock);
+ }
+
+ static DECLARE_WORK(pvclock_gtod_work, pvclock_gtod_update_fn);
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -140,7 +140,7 @@ static inline bool is_error_page(struct
+
+ extern struct kmem_cache *kvm_vcpu_cache;
+
+-extern spinlock_t kvm_lock;
++extern struct mutex kvm_lock;
+ extern struct list_head vm_list;
+
+ struct kvm_io_range {
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -92,7 +92,7 @@ EXPORT_SYMBOL_GPL(halt_poll_ns_shrink);
+ * kvm->lock --> kvm->slots_lock --> kvm->irq_lock
+ */
+
+-DEFINE_SPINLOCK(kvm_lock);
++DEFINE_MUTEX(kvm_lock);
+ static DEFINE_RAW_SPINLOCK(kvm_count_lock);
+ LIST_HEAD(vm_list);
+
+@@ -713,9 +713,9 @@ static struct kvm *kvm_create_vm(unsigne
+ if (r)
+ goto out_err;
+
+- spin_lock(&kvm_lock);
++ mutex_lock(&kvm_lock);
+ list_add(&kvm->vm_list, &vm_list);
+- spin_unlock(&kvm_lock);
++ mutex_unlock(&kvm_lock);
+
+ preempt_notifier_inc();
+
+@@ -761,9 +761,9 @@ static void kvm_destroy_vm(struct kvm *k
+ kvm_uevent_notify_change(KVM_EVENT_DESTROY_VM, kvm);
+ kvm_destroy_vm_debugfs(kvm);
+ kvm_arch_sync_events(kvm);
+- spin_lock(&kvm_lock);
++ mutex_lock(&kvm_lock);
+ list_del(&kvm->vm_list);
+- spin_unlock(&kvm_lock);
++ mutex_unlock(&kvm_lock);
+ kvm_free_irq_routing(kvm);
+ for (i = 0; i < KVM_NR_BUSES; i++) {
+ struct kvm_io_bus *bus = kvm_get_bus(kvm, i);
+@@ -3842,13 +3842,13 @@ static int vm_stat_get(void *_offset, u6
+ u64 tmp_val;
+
+ *val = 0;
+- spin_lock(&kvm_lock);
++ mutex_lock(&kvm_lock);
+ list_for_each_entry(kvm, &vm_list, vm_list) {
+ stat_tmp.kvm = kvm;
+ vm_stat_get_per_vm((void *)&stat_tmp, &tmp_val);
+ *val += tmp_val;
+ }
+- spin_unlock(&kvm_lock);
++ mutex_unlock(&kvm_lock);
+ return 0;
+ }
+
+@@ -3861,12 +3861,12 @@ static int vm_stat_clear(void *_offset,
+ if (val)
+ return -EINVAL;
+
+- spin_lock(&kvm_lock);
++ mutex_lock(&kvm_lock);
+ list_for_each_entry(kvm, &vm_list, vm_list) {
+ stat_tmp.kvm = kvm;
+ vm_stat_clear_per_vm((void *)&stat_tmp, 0);
+ }
+- spin_unlock(&kvm_lock);
++ mutex_unlock(&kvm_lock);
+
+ return 0;
+ }
+@@ -3881,13 +3881,13 @@ static int vcpu_stat_get(void *_offset,
+ u64 tmp_val;
+
+ *val = 0;
+- spin_lock(&kvm_lock);
++ mutex_lock(&kvm_lock);
+ list_for_each_entry(kvm, &vm_list, vm_list) {
+ stat_tmp.kvm = kvm;
+ vcpu_stat_get_per_vm((void *)&stat_tmp, &tmp_val);
+ *val += tmp_val;
+ }
+- spin_unlock(&kvm_lock);
++ mutex_unlock(&kvm_lock);
+ return 0;
+ }
+
+@@ -3900,12 +3900,12 @@ static int vcpu_stat_clear(void *_offset
+ if (val)
+ return -EINVAL;
+
+- spin_lock(&kvm_lock);
++ mutex_lock(&kvm_lock);
+ list_for_each_entry(kvm, &vm_list, vm_list) {
+ stat_tmp.kvm = kvm;
+ vcpu_stat_clear_per_vm((void *)&stat_tmp, 0);
+ }
+- spin_unlock(&kvm_lock);
++ mutex_unlock(&kvm_lock);
+
+ return 0;
+ }
+@@ -3926,7 +3926,7 @@ static void kvm_uevent_notify_change(uns
+ if (!kvm_dev.this_device || !kvm)
+ return;
+
+- spin_lock(&kvm_lock);
++ mutex_lock(&kvm_lock);
+ if (type == KVM_EVENT_CREATE_VM) {
+ kvm_createvm_count++;
+ kvm_active_vms++;
+@@ -3935,7 +3935,7 @@ static void kvm_uevent_notify_change(uns
+ }
+ created = kvm_createvm_count;
+ active = kvm_active_vms;
+- spin_unlock(&kvm_lock);
++ mutex_unlock(&kvm_lock);
+
+ env = kzalloc(sizeof(*env), GFP_KERNEL);
+ if (!env)
diff --git a/patches.suse/kvm-mmu-drop-vcpu-param-in-gpte_access b/patches.suse/kvm-mmu-drop-vcpu-param-in-gpte_access
new file mode 100644
index 0000000000..fb2d509884
--- /dev/null
+++ b/patches.suse/kvm-mmu-drop-vcpu-param-in-gpte_access
@@ -0,0 +1,59 @@
+From: Peter Xu <peterx@redhat.com>
+Date: Wed, 18 Jul 2018 15:57:50 +0800
+Subject: KVM: MMU: drop vcpu param in gpte_access
+Git-commit: 42522d08cdba6d8be4247e4f0770f39f4708b71f
+Patch-mainline: v4.19-rc1
+References: bsc#1117665
+
+It's never used. Drop it.
+
+Signed-off-by: Peter Xu <peterx@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/paging_tmpl.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
+index 6288e9d7068e..74996fc2fc97 100644
+--- a/arch/x86/kvm/paging_tmpl.h
++++ b/arch/x86/kvm/paging_tmpl.h
+@@ -181,7 +181,7 @@ static bool FNAME(prefetch_invalid_gpte)(struct kvm_vcpu *vcpu,
+ * set bit 0 if execute only is supported. Here, we repurpose ACC_USER_MASK
+ * to signify readability since it isn't used in the EPT case
+ */
+-static inline unsigned FNAME(gpte_access)(struct kvm_vcpu *vcpu, u64 gpte)
++static inline unsigned FNAME(gpte_access)(u64 gpte)
+ {
+ unsigned access;
+ #if PTTYPE == PTTYPE_EPT
+@@ -394,8 +394,8 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker,
+ accessed_dirty = have_ad ? pte_access & PT_GUEST_ACCESSED_MASK : 0;
+
+ /* Convert to ACC_*_MASK flags for struct guest_walker. */
+- walker->pt_access = FNAME(gpte_access)(vcpu, pt_access ^ walk_nx_mask);
+- walker->pte_access = FNAME(gpte_access)(vcpu, pte_access ^ walk_nx_mask);
++ walker->pt_access = FNAME(gpte_access)(pt_access ^ walk_nx_mask);
++ walker->pte_access = FNAME(gpte_access)(pte_access ^ walk_nx_mask);
+ errcode = permission_fault(vcpu, mmu, walker->pte_access, pte_pkey, access);
+ if (unlikely(errcode))
+ goto error;
+@@ -508,7 +508,7 @@ FNAME(prefetch_gpte)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
+ pgprintk("%s: gpte %llx spte %p\n", __func__, (u64)gpte, spte);
+
+ gfn = gpte_to_gfn(gpte);
+- pte_access = sp->role.access & FNAME(gpte_access)(vcpu, gpte);
++ pte_access = sp->role.access & FNAME(gpte_access)(gpte);
+ FNAME(protect_clean_gpte)(&vcpu->arch.mmu, &pte_access, gpte);
+ pfn = pte_prefetch_gfn_to_pfn(vcpu, gfn,
+ no_dirty_log && (pte_access & ACC_WRITE_MASK));
+@@ -1002,7 +1002,7 @@ static int FNAME(sync_page)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp)
+
+ gfn = gpte_to_gfn(gpte);
+ pte_access = sp->role.access;
+- pte_access &= FNAME(gpte_access)(vcpu, gpte);
++ pte_access &= FNAME(gpte_access)(gpte);
+ FNAME(protect_clean_gpte)(&vcpu->arch.mmu, &pte_access, gpte);
+
+ if (sync_mmio_spte(vcpu, &sp->spt[i], gfn, pte_access,
+
diff --git a/patches.suse/kvm-x86-add-tracepoints-around-_direct_map-and-fnamefetch b/patches.suse/kvm-x86-add-tracepoints-around-_direct_map-and-fnamefetch
new file mode 100644
index 0000000000..35d7a50b15
--- /dev/null
+++ b/patches.suse/kvm-x86-add-tracepoints-around-_direct_map-and-fnamefetch
@@ -0,0 +1,142 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 1 Jul 2019 06:22:57 -0400
+Subject: KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
+Git-commit: 335e192a3fa415e1202c8b9ecdaaecd643f823cc
+Patch-mainline: v5.3-rc1
+References: bsc#1117665
+
+These are useful in debugging shadow paging.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/mmu.c | 13 +++++-----
+ arch/x86/kvm/mmutrace.h | 59 ++++++++++++++++++++++++++++++++++++++++++++++
+ arch/x86/kvm/paging_tmpl.h | 2 ++
+ 3 files changed, 67 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -140,9 +140,6 @@ module_param(dbg, bool, 0644);
+
+ #include <trace/events/kvm.h>
+
+-#define CREATE_TRACE_POINTS
+-#include "mmutrace.h"
+-
+ #define SPTE_HOST_WRITEABLE (1ULL << PT_FIRST_AVAIL_BITS_SHIFT)
+ #define SPTE_MMU_WRITEABLE (1ULL << (PT_FIRST_AVAIL_BITS_SHIFT + 1))
+
+@@ -244,8 +241,13 @@ static u64 __read_mostly shadow_nonprese
+
+
+ static void mmu_spte_set(u64 *sptep, u64 spte);
++static bool is_executable_pte(u64 spte);
+ static void mmu_free_roots(struct kvm_vcpu *vcpu);
+
++#define CREATE_TRACE_POINTS
++#include "mmutrace.h"
++
++
+ void kvm_mmu_set_mmio_spte_mask(u64 mmio_mask, u64 mmio_value)
+ {
+ BUG_ON((mmio_mask & mmio_value) != mmio_value);
+@@ -2921,10 +2923,7 @@ static int mmu_set_spte(struct kvm_vcpu
+ ret = RET_PF_EMULATE;
+
+ pgprintk("%s: setting spte %llx\n", __func__, *sptep);
+- pgprintk("instantiating %s PTE (%s) at %llx (%llx) addr %p\n",
+- is_large_pte(*sptep)? "2MB" : "4kB",
+- *sptep & PT_WRITABLE_MASK ? "RW" : "R", gfn,
+- *sptep, sptep);
++ trace_kvm_mmu_set_spte(level, gfn, sptep);
+ if (!was_rmapped && is_large_pte(*sptep))
+ ++vcpu->kvm->stat.lpages;
+
+@@ -3035,6 +3034,7 @@ static int __direct_map(struct kvm_vcpu
+ if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
+ return RET_PF_RETRY;
+
++ trace_kvm_mmu_spte_requested(gpa, level, pfn);
+ for_each_shadow_entry(vcpu, gpa, it) {
+ base_gfn = gfn & ~(KVM_PAGES_PER_HPAGE(it.level) - 1);
+ if (it.level == level)
+--- a/arch/x86/kvm/mmutrace.h
++++ b/arch/x86/kvm/mmutrace.h
+@@ -324,6 +324,65 @@ TRACE_EVENT(
+ __entry->kvm_gen == __entry->spte_gen
+ )
+ );
++
++TRACE_EVENT(
++ kvm_mmu_set_spte,
++ TP_PROTO(int level, gfn_t gfn, u64 *sptep),
++ TP_ARGS(level, gfn, sptep),
++
++ TP_STRUCT__entry(
++ __field(u64, gfn)
++ __field(u64, spte)
++ __field(u64, sptep)
++ __field(u8, level)
++ /* These depend on page entry type, so compute them now. */
++ __field(bool, r)
++ __field(bool, x)
++ __field(u8, u)
++ ),
++
++ TP_fast_assign(
++ __entry->gfn = gfn;
++ __entry->spte = *sptep;
++ __entry->sptep = virt_to_phys(sptep);
++ __entry->level = level;
++ __entry->r = shadow_present_mask || (__entry->spte & PT_PRESENT_MASK);
++ __entry->x = is_executable_pte(__entry->spte);
++ __entry->u = shadow_user_mask ? !!(__entry->spte & shadow_user_mask) : -1;
++ ),
++
++ TP_printk("gfn %llx spte %llx (%s%s%s%s) level %d at %llx",
++ __entry->gfn, __entry->spte,
++ __entry->r ? "r" : "-",
++ __entry->spte & PT_WRITABLE_MASK ? "w" : "-",
++ __entry->x ? "x" : "-",
++ __entry->u == -1 ? "" : (__entry->u ? "u" : "-"),
++ __entry->level, __entry->sptep
++ )
++);
++
++TRACE_EVENT(
++ kvm_mmu_spte_requested,
++ TP_PROTO(gpa_t addr, int level, kvm_pfn_t pfn),
++ TP_ARGS(addr, level, pfn),
++
++ TP_STRUCT__entry(
++ __field(u64, gfn)
++ __field(u64, pfn)
++ __field(u8, level)
++ ),
++
++ TP_fast_assign(
++ __entry->gfn = addr >> PAGE_SHIFT;
++ __entry->pfn = pfn | (__entry->gfn & (KVM_PAGES_PER_HPAGE(level) - 1));
++ __entry->level = level;
++ ),
++
++ TP_printk("gfn %llx pfn %llx level %d",
++ __entry->gfn, __entry->pfn, __entry->level
++ )
++);
++
+ #endif /* _TRACE_KVMMMU_H */
+
+ #undef TRACE_INCLUDE_PATH
+--- a/arch/x86/kvm/paging_tmpl.h
++++ b/arch/x86/kvm/paging_tmpl.h
+@@ -642,6 +642,8 @@ static int FNAME(fetch)(struct kvm_vcpu
+
+ base_gfn = gw->gfn;
+
++ trace_kvm_mmu_spte_requested(addr, gw->level, pfn);
++
+ for (; shadow_walk_okay(&it); shadow_walk_next(&it)) {
+ clear_sp_write_flooding_count(it.sptep);
+ base_gfn = gw->gfn & ~(KVM_PAGES_PER_HPAGE(it.level) - 1);
diff --git a/patches.suse/kvm-x86-adjust-kvm_mmu_page-member-to-save-8-bytes b/patches.suse/kvm-x86-adjust-kvm_mmu_page-member-to-save-8-bytes
new file mode 100644
index 0000000000..2fbfcb163b
--- /dev/null
+++ b/patches.suse/kvm-x86-adjust-kvm_mmu_page-member-to-save-8-bytes
@@ -0,0 +1,56 @@
+From: Wei Yang <richard.weiyang@gmail.com>
+Date: Thu, 6 Sep 2018 05:58:16 +0800
+Subject: KVM: x86: adjust kvm_mmu_page member to save 8 bytes
+Git-commit: 3ff519f29d98ecdc1961d825d105d68711093b6b
+Patch-mainline: v4.20-rc1
+References: bsc#1117665
+
+On a 64bits machine, struct is naturally aligned with 8 bytes. Since
+kvm_mmu_page member *unsync* and *role* are less then 4 bytes, we can
+rearrange the sequence to compace the struct.
+
+As the comment shows, *role* and *gfn* are used to key the shadow page. In
+order to keep the comment valid, this patch moves the *unsync* up and
+exchange the position of *role* and *gfn*.
+
+>From /proc/slabinfo, it shows the size of kvm_mmu_page is 8 bytes less and
+with one more object per slap after applying this patch.
+
+ # name <active_objs> <num_objs> <objsize> <objperslab>
+ kvm_mmu_page_header 0 0 168 24
+
+ kvm_mmu_page_header 0 0 160 25
+
+Signed-off-by: Wei Yang <richard.weiyang@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/include/asm/kvm_host.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index 1c09a0d1771f..576ff47a79c4 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -281,18 +281,18 @@ struct kvm_rmap_head {
+ struct kvm_mmu_page {
+ struct list_head link;
+ struct hlist_node hash_link;
++ bool unsync;
+
+ /*
+ * The following two entries are used to key the shadow page in the
+ * hash table.
+ */
+- gfn_t gfn;
+ union kvm_mmu_page_role role;
++ gfn_t gfn;
+
+ u64 *spt;
+ /* hold the gfn of each spte inside spt */
+ gfn_t *gfns;
+- bool unsync;
+ int root_count; /* Currently serving as active root */
+ unsigned int unsync_children;
+ struct kvm_rmap_head parent_ptes; /* rmap pointers to parent sptes */
+
diff --git a/patches.suse/kvm-x86-change-kvm_mmu_page_get_gfn-bug_on-to-warn_on b/patches.suse/kvm-x86-change-kvm_mmu_page_get_gfn-bug_on-to-warn_on
new file mode 100644
index 0000000000..d4aa9d69b4
--- /dev/null
+++ b/patches.suse/kvm-x86-change-kvm_mmu_page_get_gfn-bug_on-to-warn_on
@@ -0,0 +1,40 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Sun, 30 Jun 2019 08:36:21 -0400
+Subject: KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
+Git-commit: e9f2a760b158551bfbef6db31d2cae45ab8072e5
+Patch-mainline: v5.3-rc1
+References: bsc#1117665
+
+Note that in such a case it is quite likely that KVM will BUG_ON
+in __pte_list_remove when the VM is closed. However, there is no
+immediate risk of memory corruption in the host so a WARN_ON is
+enough and it lets you gather traces for debugging.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/mmu.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -1009,10 +1009,16 @@ static gfn_t kvm_mmu_page_get_gfn(struct
+
+ static void kvm_mmu_page_set_gfn(struct kvm_mmu_page *sp, int index, gfn_t gfn)
+ {
+- if (sp->role.direct)
+- BUG_ON(gfn != kvm_mmu_page_get_gfn(sp, index));
+- else
++ if (!sp->role.direct) {
+ sp->gfns[index] = gfn;
++ return;
++ }
++
++ if (WARN_ON(gfn != kvm_mmu_page_get_gfn(sp, index)))
++ pr_err_ratelimited("gfn mismatch under direct page %llx "
++ "(expected %llx, got %llx)\n",
++ sp->gfn,
++ kvm_mmu_page_get_gfn(sp, index), gfn);
+ }
+
+ /*
diff --git a/patches.suse/kvm-x86-do-not-release-the-page-inside-mmu_set_spte b/patches.suse/kvm-x86-do-not-release-the-page-inside-mmu_set_spte
new file mode 100644
index 0000000000..20b83b2fe5
--- /dev/null
+++ b/patches.suse/kvm-x86-do-not-release-the-page-inside-mmu_set_spte
@@ -0,0 +1,134 @@
+From: Junaid Shahid <junaids@google.com>
+Date: Thu, 3 Jan 2019 16:22:21 -0800
+Subject: kvm: x86: Do not release the page inside mmu_set_spte()
+Git-commit: 43fdcda96e2550c6d1c46fb8a78801aa2f7276ed
+Patch-mainline: v5.3-rc1
+References: bsc#1117665
+
+Release the page at the call-site where it was originally acquired.
+This makes the exit code cleaner for most call sites, since they
+do not need to duplicate code between success and the failure
+label.
+
+Signed-off-by: Junaid Shahid <junaids@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/mmu.c | 18 +++++++-----------
+ arch/x86/kvm/paging_tmpl.h | 8 +++-----
+ 2 files changed, 10 insertions(+), 16 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2930,8 +2930,6 @@ static int mmu_set_spte(struct kvm_vcpu
+ }
+ }
+
+- kvm_release_pfn_clean(pfn);
+-
+ return ret;
+ }
+
+@@ -2966,9 +2964,11 @@ static int direct_pte_prefetch_many(stru
+ if (ret <= 0)
+ return -1;
+
+- for (i = 0; i < ret; i++, gfn++, start++)
++ for (i = 0; i < ret; i++, gfn++, start++) {
+ mmu_set_spte(vcpu, start, access, 0, sp->role.level, gfn,
+ page_to_pfn(pages[i]), true, true);
++ put_page(pages[i]);
++ }
+
+ return 0;
+ }
+@@ -3373,6 +3373,7 @@ static int nonpaging_map(struct kvm_vcpu
+ if (handle_abnormal_pfn(vcpu, v, gfn, pfn, ACC_ALL, &r))
+ return r;
+
++ r = RET_PF_RETRY;
+ spin_lock(&vcpu->kvm->mmu_lock);
+ if (mmu_notifier_retry(vcpu->kvm, mmu_seq))
+ goto out_unlock;
+@@ -3381,14 +3382,11 @@ static int nonpaging_map(struct kvm_vcpu
+ if (likely(!force_pt_level))
+ transparent_hugepage_adjust(vcpu, &gfn, &pfn, &level);
+ r = __direct_map(vcpu, write, map_writable, level, gfn, pfn, prefault);
+- spin_unlock(&vcpu->kvm->mmu_lock);
+-
+- return r;
+
+ out_unlock:
+ spin_unlock(&vcpu->kvm->mmu_lock);
+ kvm_release_pfn_clean(pfn);
+- return RET_PF_RETRY;
++ return r;
+ }
+
+
+@@ -3965,6 +3963,7 @@ static int tdp_page_fault(struct kvm_vcp
+ if (handle_abnormal_pfn(vcpu, 0, gfn, pfn, ACC_ALL, &r))
+ return r;
+
++ r = RET_PF_RETRY;
+ spin_lock(&vcpu->kvm->mmu_lock);
+ if (mmu_notifier_retry(vcpu->kvm, mmu_seq))
+ goto out_unlock;
+@@ -3973,14 +3972,11 @@ static int tdp_page_fault(struct kvm_vcp
+ if (likely(!force_pt_level))
+ transparent_hugepage_adjust(vcpu, &gfn, &pfn, &level);
+ r = __direct_map(vcpu, write, map_writable, level, gfn, pfn, prefault);
+- spin_unlock(&vcpu->kvm->mmu_lock);
+-
+- return r;
+
+ out_unlock:
+ spin_unlock(&vcpu->kvm->mmu_lock);
+ kvm_release_pfn_clean(pfn);
+- return RET_PF_RETRY;
++ return r;
+ }
+
+ static void nonpaging_init_context(struct kvm_vcpu *vcpu,
+--- a/arch/x86/kvm/paging_tmpl.h
++++ b/arch/x86/kvm/paging_tmpl.h
+@@ -515,6 +515,7 @@ FNAME(prefetch_gpte)(struct kvm_vcpu *vc
+ mmu_set_spte(vcpu, spte, pte_access, 0, PT_PAGE_TABLE_LEVEL, gfn, pfn,
+ true, true);
+
++ kvm_release_pfn_clean(pfn);
+ return true;
+ }
+
+@@ -666,7 +667,6 @@ static int FNAME(fetch)(struct kvm_vcpu
+ return ret;
+
+ out_gpte_changed:
+- kvm_release_pfn_clean(pfn);
+ return RET_PF_RETRY;
+ }
+
+@@ -814,6 +814,7 @@ static int FNAME(page_fault)(struct kvm_
+ walker.pte_access &= ~ACC_EXEC_MASK;
+ }
+
++ r = RET_PF_RETRY;
+ spin_lock(&vcpu->kvm->mmu_lock);
+ if (mmu_notifier_retry(vcpu->kvm, mmu_seq))
+ goto out_unlock;
+@@ -827,14 +828,11 @@ static int FNAME(page_fault)(struct kvm_
+ level, pfn, map_writable, prefault);
+ ++vcpu->stat.pf_fixed;
+ kvm_mmu_audit(vcpu, AUDIT_POST_PAGE_FAULT);
+- spin_unlock(&vcpu->kvm->mmu_lock);
+-
+- return r;
+
+ out_unlock:
+ spin_unlock(&vcpu->kvm->mmu_lock);
+ kvm_release_pfn_clean(pfn);
+- return RET_PF_RETRY;
++ return r;
+ }
+
+ static gpa_t FNAME(get_level1_sp_gpa)(struct kvm_mmu_page *sp)
diff --git a/patches.suse/kvm-x86-make-fnamefetch-and-_direct_map-more-similar b/patches.suse/kvm-x86-make-fnamefetch-and-_direct_map-more-similar
new file mode 100644
index 0000000000..10304f1683
--- /dev/null
+++ b/patches.suse/kvm-x86-make-fnamefetch-and-_direct_map-more-similar
@@ -0,0 +1,169 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 24 Jun 2019 13:06:21 +0200
+Subject: KVM: x86: make FNAME(fetch) and __direct_map more similar
+Git-commit: 3fcf2d1bdeb6a513523cb2c77012a6b047aa859c
+Patch-mainline: v5.3-rc1
+References: bsc#1117665
+
+These two functions are basically doing the same thing through
+kvm_mmu_get_page, link_shadow_page and mmu_set_spte; yet, for historical
+reasons, their code looks very different. This patch tries to take the
+best of each and make them very similar, so that it is easy to understand
+changes that apply to both of them.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/mmu.c | 53 ++++++++++++++++++++++------------------------
+ arch/x86/kvm/paging_tmpl.h | 30 ++++++++++++--------------
+ 2 files changed, 39 insertions(+), 44 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -3016,40 +3016,39 @@ static void direct_pte_prefetch(struct k
+ __direct_pte_prefetch(vcpu, sp, sptep);
+ }
+
+-static int __direct_map(struct kvm_vcpu *vcpu, int write, int map_writable,
+- int level, gfn_t gfn, kvm_pfn_t pfn, bool prefault)
++static int __direct_map(struct kvm_vcpu *vcpu, gpa_t gpa, int write,
++ int map_writable, int level, kvm_pfn_t pfn,
++ bool prefault)
+ {
+- struct kvm_shadow_walk_iterator iterator;
++ struct kvm_shadow_walk_iterator it;
+ struct kvm_mmu_page *sp;
+- int emulate = 0;
+- gfn_t pseudo_gfn;
++ int ret;
++ gfn_t gfn = gpa >> PAGE_SHIFT;
++ gfn_t base_gfn = gfn;
+
+ if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
+- return 0;
++ return RET_PF_RETRY;
+
+- for_each_shadow_entry(vcpu, (u64)gfn << PAGE_SHIFT, iterator) {
+- if (iterator.level == level) {
+- emulate = mmu_set_spte(vcpu, iterator.sptep, ACC_ALL,
+- write, level, gfn, pfn, prefault,
+- map_writable);
+- direct_pte_prefetch(vcpu, iterator.sptep);
+- ++vcpu->stat.pf_fixed;
++ for_each_shadow_entry(vcpu, gpa, it) {
++ base_gfn = gfn & ~(KVM_PAGES_PER_HPAGE(it.level) - 1);
++ if (it.level == level)
+ break;
+- }
+
+- drop_large_spte(vcpu, iterator.sptep);
+- if (!is_shadow_present_pte(*iterator.sptep)) {
+- u64 base_addr = iterator.addr;
++ drop_large_spte(vcpu, it.sptep);
++ if (!is_shadow_present_pte(*it.sptep)) {
++ sp = kvm_mmu_get_page(vcpu, base_gfn, it.addr,
++ it.level - 1, true, ACC_ALL);
+
+- base_addr &= PT64_LVL_ADDR_MASK(iterator.level);
+- pseudo_gfn = base_addr >> PAGE_SHIFT;
+- sp = kvm_mmu_get_page(vcpu, pseudo_gfn, iterator.addr,
+- iterator.level - 1, 1, ACC_ALL);
+-
+- link_shadow_page(vcpu, iterator.sptep, sp);
++ link_shadow_page(vcpu, it.sptep, sp);
+ }
+ }
+- return emulate;
++
++ ret = mmu_set_spte(vcpu, it.sptep, ACC_ALL,
++ write, level, base_gfn, pfn, prefault,
++ map_writable);
++ direct_pte_prefetch(vcpu, it.sptep);
++ ++vcpu->stat.pf_fixed;
++ return ret;
+ }
+
+ static void kvm_send_hwpoison_signal(unsigned long address, struct task_struct *tsk)
+@@ -3381,8 +3380,7 @@ static int nonpaging_map(struct kvm_vcpu
+ goto out_unlock;
+ if (likely(!force_pt_level))
+ transparent_hugepage_adjust(vcpu, &gfn, &pfn, &level);
+- r = __direct_map(vcpu, write, map_writable, level, gfn, pfn, prefault);
+-
++ r = __direct_map(vcpu, v, write, map_writable, level, pfn, prefault);
+ out_unlock:
+ spin_unlock(&vcpu->kvm->mmu_lock);
+ kvm_release_pfn_clean(pfn);
+@@ -3971,8 +3969,7 @@ static int tdp_page_fault(struct kvm_vcp
+ goto out_unlock;
+ if (likely(!force_pt_level))
+ transparent_hugepage_adjust(vcpu, &gfn, &pfn, &level);
+- r = __direct_map(vcpu, write, map_writable, level, gfn, pfn, prefault);
+-
++ r = __direct_map(vcpu, gpa, write, map_writable, level, pfn, prefault);
+ out_unlock:
+ spin_unlock(&vcpu->kvm->mmu_lock);
+ kvm_release_pfn_clean(pfn);
+--- a/arch/x86/kvm/paging_tmpl.h
++++ b/arch/x86/kvm/paging_tmpl.h
+@@ -595,6 +595,7 @@ static int FNAME(fetch)(struct kvm_vcpu
+ struct kvm_shadow_walk_iterator it;
+ unsigned direct_access, access = gw->pt_access;
+ int top_level, ret;
++ gfn_t base_gfn;
+
+ direct_access = gw->pte_access;
+
+@@ -639,31 +640,29 @@ static int FNAME(fetch)(struct kvm_vcpu
+ link_shadow_page(vcpu, it.sptep, sp);
+ }
+
+- for (;
+- shadow_walk_okay(&it) && it.level > hlevel;
+- shadow_walk_next(&it)) {
+- gfn_t direct_gfn;
++ base_gfn = gw->gfn;
+
++ for (; shadow_walk_okay(&it); shadow_walk_next(&it)) {
+ clear_sp_write_flooding_count(it.sptep);
++ base_gfn = gw->gfn & ~(KVM_PAGES_PER_HPAGE(it.level) - 1);
++ if (it.level == hlevel)
++ break;
++
+ validate_direct_spte(vcpu, it.sptep, direct_access);
+
+ drop_large_spte(vcpu, it.sptep);
+
+- if (is_shadow_present_pte(*it.sptep))
+- continue;
+-
+- direct_gfn = gw->gfn & ~(KVM_PAGES_PER_HPAGE(it.level) - 1);
+-
+- sp = kvm_mmu_get_page(vcpu, direct_gfn, addr, it.level-1,
+- true, direct_access);
+- link_shadow_page(vcpu, it.sptep, sp);
++ if (!is_shadow_present_pte(*it.sptep)) {
++ sp = kvm_mmu_get_page(vcpu, base_gfn, addr,
++ it.level - 1, true, direct_access);
++ link_shadow_page(vcpu, it.sptep, sp);
++ }
+ }
+
+- clear_sp_write_flooding_count(it.sptep);
+ ret = mmu_set_spte(vcpu, it.sptep, gw->pte_access, write_fault,
+- it.level, gw->gfn, pfn, prefault, map_writable);
++ it.level, base_gfn, pfn, prefault, map_writable);
+ FNAME(pte_prefetch)(vcpu, gw, it.sptep);
+-
++ ++vcpu->stat.pf_fixed;
+ return ret;
+
+ out_gpte_changed:
+@@ -826,7 +825,6 @@ static int FNAME(page_fault)(struct kvm_
+ transparent_hugepage_adjust(vcpu, &walker.gfn, &pfn, &level);
+ r = FNAME(fetch)(vcpu, addr, &walker, write_fault,
+ level, pfn, map_writable, prefault);
+- ++vcpu->stat.pf_fixed;
+ kvm_mmu_audit(vcpu, AUDIT_POST_PAGE_FAULT);
+
+ out_unlock:
diff --git a/patches.suse/kvm-x86-powerpc-do-not-allow-clearing-largepages-debugfs-entry b/patches.suse/kvm-x86-powerpc-do-not-allow-clearing-largepages-debugfs-entry
new file mode 100644
index 0000000000..b31ea1b639
--- /dev/null
+++ b/patches.suse/kvm-x86-powerpc-do-not-allow-clearing-largepages-debugfs-entry
@@ -0,0 +1,97 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 30 Sep 2019 18:48:44 +0200
+Subject: kvm: x86, powerpc: do not allow clearing largepages debugfs entry
+Git-commit: 833b45de69a6016c4b0cebe6765d526a31a81580
+Patch-mainline: v5.4-rc2
+References: bsc#1117665
+
+The largepages debugfs entry is incremented/decremented as shadow
+pages are created or destroyed. Clearing it will result in an
+underflow, which is harmless to KVM but ugly (and could be
+misinterpreted by tools that use debugfs information), so make
+this particular statistic read-only.
+
+Cc: kvm-ppc@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/powerpc/kvm/book3s.c | 8 ++++----
+ arch/x86/kvm/x86.c | 6 +++---
+ include/linux/kvm_host.h | 2 ++
+ virt/kvm/kvm_main.c | 10 +++++++---
+ 4 files changed, 16 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -90,8 +90,8 @@ u64 __read_mostly efer_reserved_bits = ~
+ static u64 __read_mostly efer_reserved_bits = ~((u64)EFER_SCE);
+ #endif
+
+-#define VM_STAT(x) offsetof(struct kvm, stat.x), KVM_STAT_VM
+-#define VCPU_STAT(x) offsetof(struct kvm_vcpu, stat.x), KVM_STAT_VCPU
++#define VM_STAT(x, ...) offsetof(struct kvm, stat.x), KVM_STAT_VM, ## __VA_ARGS__
++#define VCPU_STAT(x, ...) offsetof(struct kvm_vcpu, stat.x), KVM_STAT_VCPU, ## __VA_ARGS__
+
+ #define KVM_X2APIC_API_VALID_FLAGS (KVM_X2APIC_API_USE_32BIT_IDS | \
+ KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK)
+@@ -194,7 +194,7 @@ struct kvm_stats_debugfs_item debugfs_en
+ { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
+ { "mmu_unsync", VM_STAT(mmu_unsync) },
+ { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
+- { "largepages", VM_STAT(lpages) },
++ { "largepages", VM_STAT(lpages, .mode = 0444) },
+ { "max_mmu_page_hash_collisions",
+ VM_STAT(max_mmu_page_hash_collisions) },
+ { NULL }
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -1016,6 +1016,7 @@ enum kvm_stat_kind {
+
+ struct kvm_stat_data {
+ int offset;
++ int mode;
+ struct kvm *kvm;
+ };
+
+@@ -1023,6 +1024,7 @@ struct kvm_stats_debugfs_item {
+ const char *name;
+ int offset;
+ enum kvm_stat_kind kind;
++ int mode;
+ };
+ extern struct kvm_stats_debugfs_item debugfs_entries[];
+ extern struct dentry *kvm_debugfs_dir;
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -642,8 +642,9 @@ static int kvm_create_vm_debugfs(struct
+
+ stat_data->kvm = kvm;
+ stat_data->offset = p->offset;
++ stat_data->mode = p->mode ? p->mode : 0644;
+ kvm->debugfs_stat_data[p - debugfs_entries] = stat_data;
+- if (!debugfs_create_file(p->name, 0644,
++ if (!debugfs_create_file(p->name, stat_data->mode,
+ kvm->debugfs_dentry,
+ stat_data,
+ stat_fops_per_vm[p->kind]))
+@@ -3751,7 +3752,9 @@ static int kvm_debugfs_open(struct inode
+ if (!refcount_inc_not_zero(&stat_data->kvm->users_count))
+ return -ENOENT;
+
+- if (simple_attr_open(inode, file, get, set, fmt)) {
++ if (simple_attr_open(inode, file, get,
++ stat_data->mode & S_IWUGO ? set : NULL,
++ fmt)) {
+ kvm_put_kvm(stat_data->kvm);
+ return -ENOMEM;
+ }
+@@ -4002,7 +4005,8 @@ static int kvm_init_debug(void)
+
+ kvm_debugfs_num_entries = 0;
+ for (p = debugfs_entries; p->name; ++p, kvm_debugfs_num_entries++) {
+- if (!debugfs_create_file(p->name, 0644, kvm_debugfs_dir,
++ int mode = p->mode ? p->mode : 0644;
++ if (!debugfs_create_file(p->name, mode, kvm_debugfs_dir,
+ (void *)(long)p->offset,
+ stat_fops[p->kind]))
+ goto out_dir;
diff --git a/patches.suse/kvm-x86-remove-now-unneeded-hugepage-gfn-adjustment b/patches.suse/kvm-x86-remove-now-unneeded-hugepage-gfn-adjustment
new file mode 100644
index 0000000000..9c01a8225d
--- /dev/null
+++ b/patches.suse/kvm-x86-remove-now-unneeded-hugepage-gfn-adjustment
@@ -0,0 +1,71 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Sun, 23 Jun 2019 19:15:49 +0200
+Subject: KVM: x86: remove now unneeded hugepage gfn adjustment
+Git-commit: d679b32611c0102ce33b9e1a4e4b94854ed1812a
+Patch-mainline: v5.3-rc1
+References: bsc#1117665
+
+After the previous patch, the low bits of the gfn are masked in
+both FNAME(fetch) and __direct_map, so we do not need to clear them
+in transparent_hugepage_adjust.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/mmu.c | 9 +++------
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ 2 files changed, 4 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -3083,11 +3083,10 @@ static int kvm_handle_bad_page(struct kv
+ }
+
+ static void transparent_hugepage_adjust(struct kvm_vcpu *vcpu,
+- gfn_t *gfnp, kvm_pfn_t *pfnp,
++ gfn_t gfn, kvm_pfn_t *pfnp,
+ int *levelp)
+ {
+ kvm_pfn_t pfn = *pfnp;
+- gfn_t gfn = *gfnp;
+ int level = *levelp;
+
+ /*
+@@ -3114,8 +3113,6 @@ static void transparent_hugepage_adjust(
+ mask = KVM_PAGES_PER_HPAGE(level) - 1;
+ VM_BUG_ON((gfn & mask) != (pfn & mask));
+ if (pfn & mask) {
+- gfn &= ~mask;
+- *gfnp = gfn;
+ kvm_release_pfn_clean(pfn);
+ pfn &= ~mask;
+ kvm_get_pfn(pfn);
+@@ -3379,7 +3376,7 @@ static int nonpaging_map(struct kvm_vcpu
+ if (make_mmu_pages_available(vcpu) < 0)
+ goto out_unlock;
+ if (likely(!force_pt_level))
+- transparent_hugepage_adjust(vcpu, &gfn, &pfn, &level);
++ transparent_hugepage_adjust(vcpu, gfn, &pfn, &level);
+ r = __direct_map(vcpu, v, write, map_writable, level, pfn, prefault);
+ out_unlock:
+ spin_unlock(&vcpu->kvm->mmu_lock);
+@@ -3968,7 +3965,7 @@ static int tdp_page_fault(struct kvm_vcp
+ if (make_mmu_pages_available(vcpu) < 0)
+ goto out_unlock;
+ if (likely(!force_pt_level))
+- transparent_hugepage_adjust(vcpu, &gfn, &pfn, &level);
++ transparent_hugepage_adjust(vcpu, gfn, &pfn, &level);
+ r = __direct_map(vcpu, gpa, write, map_writable, level, pfn, prefault);
+ out_unlock:
+ spin_unlock(&vcpu->kvm->mmu_lock);
+--- a/arch/x86/kvm/paging_tmpl.h
++++ b/arch/x86/kvm/paging_tmpl.h
+@@ -822,7 +822,7 @@ static int FNAME(page_fault)(struct kvm_
+ if (make_mmu_pages_available(vcpu) < 0)
+ goto out_unlock;
+ if (!force_pt_level)
+- transparent_hugepage_adjust(vcpu, &walker.gfn, &pfn, &level);
++ transparent_hugepage_adjust(vcpu, walker.gfn, &pfn, &level);
+ r = FNAME(fetch)(vcpu, addr, &walker, write_fault,
+ level, pfn, map_writable, prefault);
+ kvm_mmu_audit(vcpu, AUDIT_POST_PAGE_FAULT);
diff --git a/patches.suse/nfc-enforce-cap_net_raw-for-raw-sockets.patch b/patches.suse/nfc-enforce-cap_net_raw-for-raw-sockets.patch
new file mode 100644
index 0000000000..6b5cb0977f
--- /dev/null
+++ b/patches.suse/nfc-enforce-cap_net_raw-for-raw-sockets.patch
@@ -0,0 +1,39 @@
+From: Ori Nimron <orinimron123@gmail.com>
+Date: Fri, 20 Sep 2019 09:35:49 +0200
+Subject: nfc: enforce CAP_NET_RAW for raw sockets
+Git-commit: 3a359798b176183ef09efb7a3dc59abad1cc7104
+Patch-mainline: v5.4-rc1
+References: bsc#1152788 CVE-2019-17056
+
+When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked
+first.
+
+Signed-off-by: Ori Nimron <orinimron123@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Borislav Petkov <bp@suse.de>
+---
+ net/nfc/llcp_sock.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
+index 9b8742947aff..8dfea26536c9 100644
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -1004,10 +1004,13 @@ static int llcp_sock_create(struct net *net, struct socket *sock,
+ sock->type != SOCK_RAW)
+ return -ESOCKTNOSUPPORT;
+
+- if (sock->type == SOCK_RAW)
++ if (sock->type == SOCK_RAW) {
++ if (!capable(CAP_NET_RAW))
++ return -EPERM;
+ sock->ops = &llcp_rawsock_ops;
+- else
++ } else {
+ sock->ops = &llcp_sock_ops;
++ }
+
+ sk = nfc_llcp_sock_alloc(sock, sock->type, GFP_ATOMIC, kern);
+ if (sk == NULL)
+
diff --git a/patches.suse/scsi-lpfc-Fix-null-ptr-oops-updating-lpfc_devloss_tm.patch b/patches.suse/scsi-lpfc-Fix-null-ptr-oops-updating-lpfc_devloss_tm.patch
new file mode 100644
index 0000000000..d8a8dc5260
--- /dev/null
+++ b/patches.suse/scsi-lpfc-Fix-null-ptr-oops-updating-lpfc_devloss_tm.patch
@@ -0,0 +1,43 @@
+From: James Smart <jsmart2021@gmail.com>
+Date: Wed, 14 Aug 2019 16:56:45 -0700
+Subject: [PATCH] scsi: lpfc: Fix null ptr oops updating lpfc_devloss_tmo via
+ sysfs attribute
+Git-commit: 07f50997d66c3273121dd6b8a7d433cdfb5395c1
+Patch-Mainline: v5.4-rc1
+References: bsc#1140845
+
+If an admin updates lpfc's devloss_tmo sysfs attribute, the kernel will
+oops.
+
+Coding of a loop allowed a new value (rport) to be set/checked for null
+followed by an older value (remoteport) checked for null to allow progress
+where the new value, even though null, will be referenced.
+
+Rework the logic to validate and prevent any reference to the null ptr.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/lpfc/lpfc_attr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c
+index ea62322ffe2b..0e71348bf3a3 100644
+--- a/drivers/scsi/lpfc/lpfc_attr.c
++++ b/drivers/scsi/lpfc/lpfc_attr.c
+@@ -3682,8 +3682,8 @@ lpfc_update_rport_devloss_tmo(struct lpfc_vport *vport)
+ if (rport)
+ remoteport = rport->remoteport;
+ spin_unlock(&vport->phba->hbalock);
+- if (remoteport)
+- nvme_fc_set_remoteport_devloss(rport->remoteport,
++ if (rport && remoteport)
++ nvme_fc_set_remoteport_devloss(remoteport,
+ vport->cfg_devloss_tmo);
+ #endif
+ }
+--
+2.16.4
+
diff --git a/patches.suse/scsi-lpfc-Fix-propagation-of-devloss_tmo-setting-to-.patch b/patches.suse/scsi-lpfc-Fix-propagation-of-devloss_tmo-setting-to-.patch
new file mode 100644
index 0000000000..2293e147d5
--- /dev/null
+++ b/patches.suse/scsi-lpfc-Fix-propagation-of-devloss_tmo-setting-to-.patch
@@ -0,0 +1,64 @@
+From: James Smart <jsmart2021@gmail.com>
+Date: Wed, 14 Aug 2019 16:56:48 -0700
+Subject: [PATCH] scsi: lpfc: Fix propagation of devloss_tmo setting to nvme
+ transport
+Git-commit: a643c6de1441e5cdab88452c46fe7c38b318009e
+Patch-Mainline: v5.4-rc1
+References: bsc#1140883
+
+If admin changes the devloss_tmo on an rport via the fc_remote_port rport
+dev_loss_tmo attribute, the value is on set on scsi stack. The change is
+not propagated to NVMe.
+
+The set routine in the lldd lacks the call to
+nvme_fc_set_remoteport_devloss() to set the value.
+
+Fix by adding the call to the lldd set routine.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Hannes Reinecke <hare@suse.com>
+---
+ drivers/scsi/lpfc/lpfc_attr.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c
+index e593787fa82b..e401fe1249f4 100644
+--- a/drivers/scsi/lpfc/lpfc_attr.c
++++ b/drivers/scsi/lpfc/lpfc_attr.c
+@@ -6503,10 +6503,31 @@ lpfc_get_starget_port_name(struct scsi_target *starget)
+ static void
+ lpfc_set_rport_loss_tmo(struct fc_rport *rport, uint32_t timeout)
+ {
++ struct lpfc_rport_data *rdata = rport->dd_data;
++ struct lpfc_nodelist *ndlp = rdata->pnode;
++#if (IS_ENABLED(CONFIG_NVME_FC))
++ struct lpfc_nvme_rport *nrport = NULL;
++#endif
++
+ if (timeout)
+ rport->dev_loss_tmo = timeout;
+ else
+ rport->dev_loss_tmo = 1;
++
++ if (!ndlp || !NLP_CHK_NODE_ACT(ndlp)) {
++ dev_info(&rport->dev, "Cannot find remote node to "
++ "set rport dev loss tmo, port_id x%x\n",
++ rport->port_id);
++ return;
++ }
++
++#if (IS_ENABLED(CONFIG_NVME_FC))
++ nrport = lpfc_ndlp_get_nrport(ndlp);
++
++ if (nrport && nrport->remoteport)
++ nvme_fc_set_remoteport_devloss(nrport->remoteport,
++ rport->dev_loss_tmo);
++#endif
+ }
+
+ /**
+--
+2.16.4
+
diff --git a/patches.suse/sock_diag-fix-autoloading-of-the-raw_diag-module.patch b/patches.suse/sock_diag-fix-autoloading-of-the-raw_diag-module.patch
new file mode 100644
index 0000000000..c2c51cd6cd
--- /dev/null
+++ b/patches.suse/sock_diag-fix-autoloading-of-the-raw_diag-module.patch
@@ -0,0 +1,37 @@
+From c34c1287778b080ed692c0a46a8e345206cc29e6 Mon Sep 17 00:00:00 2001
+From: Andrei Vagin <avagin@gmail.com>
+Date: Sun, 4 Nov 2018 22:37:15 -0800
+Subject: [PATCH] sock_diag: fix autoloading of the raw_diag module
+References: bsc#1152791
+Git-commit: c34c1287778b080ed692c0a46a8e345206cc29e6
+Patch-mainline: v4.20-rc2
+
+IPPROTO_RAW isn't registred as an inet protocol, so
+inet_protos[protocol] is always NULL for it.
+
+Cc: Cyrill Gorcunov <gorcunov@gmail.com>
+Cc: Xin Long <lucien.xin@gmail.com>
+Fixes: bf2ae2e4bf93 ("sock_diag: request _diag module only when the family or proto has been registered")
+Signed-off-by: Andrei Vagin <avagin@gmail.com>
+Reviewed-by: Cyrill Gorcunov <gorcunov@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Thomas Abraham <tabraham@suse.com>
+---
+ net/core/sock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 6fcc4bc07d19..080a880a1761 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -3279,6 +3279,7 @@ int sock_load_diag_module(int family, int protocol)
+
+ #ifdef CONFIG_INET
+ if (family == AF_INET &&
++ protocol != IPPROTO_RAW &&
+ !rcu_access_pointer(inet_protos[protocol]))
+ return -ENOENT;
+ #endif
+--
+2.16.4
+
diff --git a/patches.suse/sock_diag-request-_diag-module-only-when-the-family-.patch b/patches.suse/sock_diag-request-_diag-module-only-when-the-family-.patch
new file mode 100644
index 0000000000..7ac8acb19c
--- /dev/null
+++ b/patches.suse/sock_diag-request-_diag-module-only-when-the-family-.patch
@@ -0,0 +1,205 @@
+From bf2ae2e4bf9360e07c0cdfa166bcdc0afd92f4ce Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sat, 10 Mar 2018 18:57:50 +0800
+Subject: [PATCH] sock_diag: request _diag module only when the family or proto
+ has been registered
+References: bsc#1152791
+Git-commit: bf2ae2e4bf9360e07c0cdfa166bcdc0afd92f4ce
+Patch-mainline: v4.16-rc7
+
+Now when using 'ss' in iproute, kernel would try to load all _diag
+modules, which also causes corresponding family and proto modules
+to be loaded as well due to module dependencies.
+
+Like after running 'ss', sctp, dccp, af_packet (if it works as a module)
+would be loaded.
+
+For example:
+
+ $ lsmod|grep sctp
+ $ ss
+ $ lsmod|grep sctp
+ sctp_diag 16384 0
+ sctp 323584 5 sctp_diag
+ inet_diag 24576 4 raw_diag,tcp_diag,sctp_diag,udp_diag
+ libcrc32c 16384 3 nf_conntrack,nf_nat,sctp
+
+As these family and proto modules are loaded unintentionally, it
+could cause some problems, like:
+
+- Some debug tools use 'ss' to collect the socket info, which loads all
+ those diag and family and protocol modules. It's noisy for identifying
+ issues.
+
+- Users usually expect to drop sctp init packet silently when they
+ have no sense of sctp protocol instead of sending abort back.
+
+- It wastes resources (especially with multiple netns), and SCTP module
+ can't be unloaded once it's loaded.
+
+...
+
+In short, it's really inappropriate to have these family and proto
+modules loaded unexpectedly when just doing debugging with inet_diag.
+
+This patch is to introduce sock_load_diag_module() where it loads
+the _diag module only when it's corresponding family or proto has
+been already registered.
+
+Note that we can't just load _diag module without the family or
+proto loaded, as some symbols used in _diag module are from the
+family or proto module.
+
+v1->v2:
+ - move inet proto check to inet_diag to avoid a compiling err.
+v2->v3:
+ - define sock_load_diag_module in sock.c and export one symbol
+ only.
+ - improve the changelog.
+
+Reported-by: Sabrina Dubroca <sd@queasysnail.net>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Phil Sutter <phil@nwl.cc>
+Acked-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Thomas Abraham <tabraham@suse.com>
+---
+ include/linux/net.h | 1 +
+ include/net/sock.h | 1 +
+ net/core/sock.c | 21 +++++++++++++++++++++
+ net/core/sock_diag.c | 12 ++++--------
+ net/ipv4/inet_diag.c | 3 +--
+ net/socket.c | 5 +++++
+ 6 files changed, 33 insertions(+), 10 deletions(-)
+
+diff --git a/include/linux/net.h b/include/linux/net.h
+index 91216b16feb7..2a0391eea05c 100644
+--- a/include/linux/net.h
++++ b/include/linux/net.h
+@@ -222,6 +222,7 @@ enum {
+ int sock_wake_async(struct socket_wq *sk_wq, int how, int band);
+ int sock_register(const struct net_proto_family *fam);
+ void sock_unregister(int family);
++bool sock_is_registered(int family);
+ int __sock_create(struct net *net, int family, int type, int proto,
+ struct socket **res, int kern);
+ int sock_create(int family, int type, int proto, struct socket **res);
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 169c92afcafa..ae23f3b389ca 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1137,6 +1137,7 @@ struct proto {
+
+ int proto_register(struct proto *prot, int alloc_slab);
+ void proto_unregister(struct proto *prot);
++int sock_load_diag_module(int family, int protocol);
+
+ #ifdef SOCK_REFCNT_DEBUG
+ static inline void sk_refcnt_debug_inc(struct sock *sk)
+diff --git a/net/core/sock.c b/net/core/sock.c
+index c501499a04fe..85b0b64e7f9d 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -3261,6 +3261,27 @@ void proto_unregister(struct proto *prot)
+ }
+ EXPORT_SYMBOL(proto_unregister);
+
++int sock_load_diag_module(int family, int protocol)
++{
++ if (!protocol) {
++ if (!sock_is_registered(family))
++ return -ENOENT;
++
++ return request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
++ NETLINK_SOCK_DIAG, family);
++ }
++
++#ifdef CONFIG_INET
++ if (family == AF_INET &&
++ !rcu_access_pointer(inet_protos[protocol]))
++ return -ENOENT;
++#endif
++
++ return request_module("net-pf-%d-proto-%d-type-%d-%d", PF_NETLINK,
++ NETLINK_SOCK_DIAG, family, protocol);
++}
++EXPORT_SYMBOL(sock_load_diag_module);
++
+ #ifdef CONFIG_PROC_FS
+ static void *proto_seq_start(struct seq_file *seq, loff_t *pos)
+ __acquires(proto_list_mutex)
+diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
+index 146b50e30659..c37b5be7c5e4 100644
+--- a/net/core/sock_diag.c
++++ b/net/core/sock_diag.c
+@@ -220,8 +220,7 @@ static int __sock_diag_cmd(struct sk_buff *skb, struct nlmsghdr *nlh)
+ return -EINVAL;
+
+ if (sock_diag_handlers[req->sdiag_family] == NULL)
+- request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
+- NETLINK_SOCK_DIAG, req->sdiag_family);
++ sock_load_diag_module(req->sdiag_family, 0);
+
+ mutex_lock(&sock_diag_table_mutex);
+ hndl = sock_diag_handlers[req->sdiag_family];
+@@ -247,8 +246,7 @@ static int sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
+ case TCPDIAG_GETSOCK:
+ case DCCPDIAG_GETSOCK:
+ if (inet_rcv_compat == NULL)
+- request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
+- NETLINK_SOCK_DIAG, AF_INET);
++ sock_load_diag_module(AF_INET, 0);
+
+ mutex_lock(&sock_diag_table_mutex);
+ if (inet_rcv_compat != NULL)
+@@ -281,14 +279,12 @@ static int sock_diag_bind(struct net *net, int group)
+ case SKNLGRP_INET_TCP_DESTROY:
+ case SKNLGRP_INET_UDP_DESTROY:
+ if (!sock_diag_handlers[AF_INET])
+- request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
+- NETLINK_SOCK_DIAG, AF_INET);
++ sock_load_diag_module(AF_INET, 0);
+ break;
+ case SKNLGRP_INET6_TCP_DESTROY:
+ case SKNLGRP_INET6_UDP_DESTROY:
+ if (!sock_diag_handlers[AF_INET6])
+- request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
+- NETLINK_SOCK_DIAG, AF_INET6);
++ sock_load_diag_module(AF_INET6, 0);
+ break;
+ }
+ return 0;
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index a383f299ce24..4e5bc4b2f14e 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -53,8 +53,7 @@ static DEFINE_MUTEX(inet_diag_table_mutex);
+ static const struct inet_diag_handler *inet_diag_lock_handler(int proto)
+ {
+ if (!inet_diag_table[proto])
+- request_module("net-pf-%d-proto-%d-type-%d-%d", PF_NETLINK,
+- NETLINK_SOCK_DIAG, AF_INET, proto);
++ sock_load_diag_module(AF_INET, proto);
+
+ mutex_lock(&inet_diag_table_mutex);
+ if (!inet_diag_table[proto])
+diff --git a/net/socket.c b/net/socket.c
+index a93c99b518ca..08847c3b8c39 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -2587,6 +2587,11 @@ void sock_unregister(int family)
+ }
+ EXPORT_SYMBOL(sock_unregister);
+
++bool sock_is_registered(int family)
++{
++ return family < NPROTO && rcu_access_pointer(net_families[family]);
++}
++
+ static int __init sock_init(void)
+ {
+ int err;
+--
+2.12.3
+
diff --git a/patches.suse/tracing-Initialize-iter-seq-after-zeroing-in-tracing.patch b/patches.suse/tracing-Initialize-iter-seq-after-zeroing-in-tracing.patch
new file mode 100644
index 0000000000..bd5fe75584
--- /dev/null
+++ b/patches.suse/tracing-Initialize-iter-seq-after-zeroing-in-tracing.patch
@@ -0,0 +1,82 @@
+From d303de1fcf344ff7c15ed64c3f48a991c9958775 Mon Sep 17 00:00:00 2001
+From: Petr Mladek <pmladek@suse.com>
+Date: Fri, 11 Oct 2019 16:21:34 +0200
+Subject: [PATCH] tracing: Initialize iter->seq after zeroing in
+ tracing_read_pipe()
+Git-commit: d303de1fcf344ff7c15ed64c3f48a991c9958775
+Patch-mainline: v5.4-rc3
+References: bsc#1151508
+
+A customer reported the following softlockup:
+
+[899688.160002] NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [test.sh:16464]
+[899688.160002] CPU: 0 PID: 16464 Comm: test.sh Not tainted 4.12.14-6.23-azure #1 SLE12-SP4
+[899688.160002] RIP: 0010:up_write+0x1a/0x30
+[899688.160002] Kernel panic - not syncing: softlockup: hung tasks
+[899688.160002] RIP: 0010:up_write+0x1a/0x30
+[899688.160002] RSP: 0018:ffffa86784d4fde8 EFLAGS: 00000257 ORIG_RAX: ffffffffffffff12
+[899688.160002] RAX: ffffffff970fea00 RBX: 0000000000000001 RCX: 0000000000000000
+[899688.160002] RDX: ffffffff00000001 RSI: 0000000000000080 RDI: ffffffff970fea00
+[899688.160002] RBP: ffffffffffffffff R08: ffffffffffffffff R09: 0000000000000000
+[899688.160002] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8b59014720d8
+[899688.160002] R13: ffff8b59014720c0 R14: ffff8b5901471090 R15: ffff8b5901470000
+[899688.160002] tracing_read_pipe+0x336/0x3c0
+[899688.160002] __vfs_read+0x26/0x140
+[899688.160002] vfs_read+0x87/0x130
+[899688.160002] SyS_read+0x42/0x90
+[899688.160002] do_syscall_64+0x74/0x160
+
+It caught the process in the middle of trace_access_unlock(). There is
+no loop. So, it must be looping in the caller tracing_read_pipe()
+via the "waitagain" label.
+
+Crashdump analyze uncovered that iter->seq was completely zeroed
+at this point, including iter->seq.seq.size. It means that
+print_trace_line() was never able to print anything and
+there was no forward progress.
+
+The culprit seems to be in the code:
+
+ /* reset all but tr, trace, and overruns */
+ memset(&iter->seq, 0,
+ sizeof(struct trace_iterator) -
+ offsetof(struct trace_iterator, seq));
+
+It was added by the commit 53d0aa773053ab182877 ("ftrace:
+add logic to record overruns"). It was v2.6.27-rc1.
+It was the time when iter->seq looked like:
+
+ struct trace_seq {
+ unsigned char buffer[PAGE_SIZE];
+ unsigned int len;
+ };
+
+There was no "size" variable and zeroing was perfectly fine.
+
+The solution is to reinitialize the structure after or without
+zeroing.
+
+Link: http://lkml.kernel.org/r/20191011142134.11997-1-pmladek@suse.com
+
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+---
+ kernel/trace/trace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index 2b4eff383505..6a0ee9178365 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -6036,6 +6036,7 @@ tracing_read_pipe(struct file *filp, char __user *ubuf,
+ sizeof(struct trace_iterator) -
+ offsetof(struct trace_iterator, seq));
+ cpumask_clear(iter->started);
++ trace_seq_init(&iter->seq);
+ iter->pos = -1;
+
+ trace_event_read_lock();
+--
+2.16.4
+
diff --git a/series.conf b/series.conf
index 8b9dc42acb..a3474b2d63 100644
--- a/series.conf
+++ b/series.conf
@@ -14538,6 +14538,7 @@
patches.suse/bnxt_en-Return-standard-Linux-error-codes-for-hwrm-f.patch
patches.suse/bnxt_en-close-open-NIC-only-when-the-interface-is-in.patch
patches.suse/bnxt_en-Check-valid-VNIC-ID-in-bnxt_hwrm_vnic_set_tp.patch
+ patches.suse/sock_diag-request-_diag-module-only-when-the-family-.patch
patches.suse/can-m_can-change-comparison-to-bitshift-when-dealing
patches.suse/can-ifi-Check-core-revision-upon-probe
patches.suse/can-ifi-Repair-the-error-handling
@@ -19175,6 +19176,7 @@
patches.suse/KVM-PPC-Book3S-HV-Allow-creating-max-number-of-VCPUs.patch
patches.suse/KVM-PPC-Book3S-HV-Read-kvm-arch.emul_smt_mode-under-.patch
patches.suse/kvm-s390-add-etoken-support-for-guests.patch
+ patches.suse/kvm-mmu-drop-vcpu-param-in-gpte_access
patches.suse/kvm-nvmx-fix-fault-vector-for-vmx-operation-at-cpl-0
patches.suse/kvm-vmx-track-host_state-loaded-using-a-loaded_vmcs-pointer
patches.suse/kvm-x86-set-highest-physical-address-bits-in-non-present-reserved-sptes
@@ -20279,6 +20281,7 @@
patches.suse/KVM-PPC-Remove-redundand-permission-bits-removal.patch
patches.suse/kvm-nvmx-clear-reserved-bits-of-db-exit-qualification
patches.suse/kvm-nvmx-restore-host-state-in-nested_vmx_vmexit-for-vmfail
+ patches.suse/kvm-x86-adjust-kvm_mmu_page-member-to-save-8-bytes
patches.suse/kvm-nvmx-always-reflect-nm-vm-exits-to-l1
patches.suse/kvm-nvmx-move-check_vmentry_postreqs-call-to-nested_vmx_enter_non_root_mode
patches.suse/KVM-arm64-Fix-caching-of-host-MDCR_EL2-value.patch
@@ -20601,6 +20604,7 @@
patches.suse/mlxsw-spectrum-Fix-IP2ME-CPU-policer-configuration.patch
patches.suse/sctp-fix-strchange_flags-name-for-Stream-Change-Even.patch
patches.suse/bonding-802.3ad-fix-link_failure_count-tracking.patch
+ patches.suse/sock_diag-fix-autoloading-of-the-raw_diag-module.patch
patches.suse/netfilter-conntrack-fix-calculation-of-next-bucket-n.patch
patches.suse/HID-hiddev-fix-potential-Spectre-v1.patch
patches.suse/hwmon-core-Fix-double-free-in-__hwmon_device_registe.patch
@@ -23388,6 +23392,7 @@
patches.suse/dmaengine-axi-dmac-Don-t-check-the-number-of-frames-.patch
patches.suse/dmaengine-tegra210-dma-free-dma-controller-in-remove.patch
patches.suse/RDMA-rxe-Consider-skb-reserve-space-based-on-netdev-.patch
+ patches.suse/ipoib-Do-not-overreact-to-SM-LID-change-even.patch
patches.suse/NFS-Don-t-interrupt-file-writeout-due-to-fatal-error.patch
patches.suse/NFS-make-nfs_match_client-killable.patch
patches.suse/PNFS-fallback-to-MDS-if-no-deviceid-found.patch
@@ -24103,12 +24108,18 @@
patches.suse/0003-ocfs2-add-first-lock-wait-time-in-locking_state.patch
patches.suse/9p-pass-the-correct-prototype-to-read_cache_page.patch
patches.suse/kvm-svm-avic-do-not-send-avic-doorbell-to-self
+ patches.suse/kvm-convert-kvm_lock-to-a-mutex
patches.suse/kvm-vmx-fix-handling-of-mc-that-occurs-during-vm-entry
patches.suse/kvm-vmx-always-signal-gp-on-wrmsr-to-msr_ia32_cr_pat-with-bad-value
patches.suse/kvm-nvmx-use-adjusted-pin-controls-for-vmcs02
patches.suse/kvm-vmx-check-cpuid-before-allowing-read-write-of-ia32_xss
patches.suse/kvm-nvmx-allow-setting-the-vmfunc-controls-msr
patches.suse/kvm-nvmx-remove-unnecessary-sync_roots-from-handle_invept
+ patches.suse/kvm-x86-do-not-release-the-page-inside-mmu_set_spte
+ patches.suse/kvm-x86-make-fnamefetch-and-_direct_map-more-similar
+ patches.suse/kvm-x86-remove-now-unneeded-hugepage-gfn-adjustment
+ patches.suse/kvm-x86-change-kvm_mmu_page_get_gfn-bug_on-to-warn_on
+ patches.suse/kvm-x86-add-tracepoints-around-_direct_map-and-fnamefetch
patches.suse/kvm-x86-unconditionally-enable-irqs-in-guest-context
patches.suse/9p-virtio-Add-cleanup-path-in-p9_virtio_init.patch
patches.suse/9p-xen-Add-cleanup-path-in-p9_trans_xen_init.patch
@@ -24613,6 +24624,7 @@
patches.suse/libertas_tf-Use-correct-channel-range-in-lbtf_geo_in.patch
patches.suse/Revert-mwifiex-fix-system-hang-problem-after-resume.patch
patches.suse/mac80211-minstrel_ht-fix-per-group-max-throughput-ra.patch
+ patches.suse/0001-rtlwifi-rtl8192cu-Fix-value-set-in-descriptor.patch
patches.suse/bcma-fix-incorrect-update-of-BCMA_CORE_PCI_MDIO_DATA.patch
patches.suse/nl80211-Fix-possible-Spectre-v1-for-CQM-RSSI-4b2c5a14.patch
patches.suse/ath9k-dynack-fix-possible-deadlock-in-ath_dynack_nod.patch
@@ -24722,6 +24734,8 @@
patches.suse/scsi-qla2xxx-Fix-a-NULL-pointer-dereference.patch
patches.suse/scsi-qla2xxx-qla2x00_alloc_fw_dump-set-ha-eft.patch
patches.suse/scsi-qla2xxx-cleanup-trace-buffer-initialization.patch
+ patches.suse/scsi-lpfc-Fix-null-ptr-oops-updating-lpfc_devloss_tm.patch
+ patches.suse/scsi-lpfc-Fix-propagation-of-devloss_tmo-setting-to-.patch
patches.suse/scsi-qla2xxx-Fix-a-recently-introduced-kernel-warnin.patch
patches.suse/scsi-qla2xxx-fix-spelling-mistake-initializatin-init.patch
patches.suse/scsi-qedf-print-message-during-bailout-conditions
@@ -24749,16 +24763,21 @@
patches.suse/quota-fix-wrong-condition-in-is_quota_modification.patch
patches.suse/power-supply-Init-device-wakeup-after-device_add.patch
patches.suse/power-reset-gpio-restart-Fix-typo-when-gpio-reset-is.patch
+ patches.suse/0001-crypto-talitos-fix-missing-break-in-switch-statement.patch
patches.suse/hwrng-core-don-t-wait-on-add_early_randomness.patch
patches.suse/livepatch-nullify-obj-mod-in-klp_module_coming-s-error-path.patch
patches.suse/suse-hv-PCI-hv-Detect-and-fix-Hyper-V-PCI-domain-number-coll.patch
patches.suse/msft-hv-1947-PCI-hv-Use-bytes-4-and-5-from-instance-ID-as-the-PCI.patch
+ patches.suse/ceph-fix-directories-inode-i_blkbits-initialization.patch
+ patches.suse/ceph-update-the-mtime-when-truncating-up.patch
+ patches.suse/ceph-reconnect-connection-if-session-hang-in-opening-state.patch
patches.suse/KVM-PPC-Book3S-HV-use-smp_mb-when-setting-clearing-h.patch
patches.suse/powerpc-pseries-Read-TLB-Block-Invalidate-Characteri.patch
patches.suse/powerpc-pseries-Call-H_BLOCK_REMOVE-when-supported.patch
patches.suse/powerpc-book3s64-mm-Don-t-do-tlbie-fixup-for-some-ha.patch
patches.suse/powerpc-book3s64-radix-Rename-CPU_FTR_P9_TLBIE_BUG-f.patch
patches.suse/powerpc-mm-Fixup-tlbie-vs-mtpidr-mtlpidr-ordering-is.patch
+ patches.suse/nfc-enforce-cap_net_raw-for-raw-sockets.patch
patches.suse/net-ibmvnic-unlock-rtnl_lock-in-reset-so-linkwatch_e.patch
patches.suse/net-ibmvnic-prevent-more-than-one-thread-from-runnin.patch
patches.suse/ppp-Fix-memory-leak-in-ppp_write.patch
@@ -24768,9 +24787,19 @@
patches.suse/0001-btrfs-qgroup-Fix-the-wrong-target-io_tree-when-freei.patch
patches.suse/0002-btrfs-qgroup-Fix-reserved-data-space-leak-if-we-have.patch
patches.suse/0001-xen-xenbus-fix-self-deadlock-after-killing-user-proc.patch
+ patches.suse/kvm-x86-powerpc-do-not-allow-clearing-largepages-debugfs-entry
patches.suse/0001-xen-netfront-do-not-use-0U-as-error-return-value-for.patch
patches.suse/msft-hv-1948-scsi-storvsc-setup-1-1-mapping-between-hardware-queu.patch
patches.suse/0001-kernel-sysctl.c-do-not-override-max_threads-provided.patch
+ patches.suse/0001-USB-microtek-fix-info-leak-at-probe.patch
+ patches.suse/0001-USB-adutux-fix-use-after-free-on-disconnect.patch
+ patches.suse/0001-USB-adutux-fix-NULL-derefs-on-disconnect.patch
+ patches.suse/0001-USB-usblcd-fix-I-O-after-disconnect.patch
+ patches.suse/0001-USB-legousbtower-fix-slab-info-leak-at-probe.patch
+ patches.suse/0001-USB-legousbtower-fix-deadlock-on-disconnect.patch
+ patches.suse/0001-USB-legousbtower-fix-potential-NULL-deref-on-disconn.patch
+ patches.suse/0001-USB-legousbtower-fix-open-after-failed-reset-request.patch
+ patches.suse/tracing-Initialize-iter-seq-after-zeroing-in-tracing.patch
# davem/net
patches.suse/net-ibmvnic-Fix-EOI-when-running-in-XIVE-mode.patch
@@ -25263,6 +25292,7 @@
patches.kabi/bt_accept_enqueue-kabi-workaround.patch
patches.kabi/mwifiex-ieee-types-kabi-fix.patch
patches.suse/net-ath6kl-Fix-a-NULL-ptr-deref-bug.patch
+ patches.suse/cfg80211-wext-avoid-copying-malformed-SSIDs.patch
########################################################
# ISDN
@@ -25630,6 +25660,8 @@
patches.kabi/NFSv4-Fix-OPEN-CLOSE-race.patch
patches.kabi/net-sched-act_sample-fix-psample-group-handling-on-o.patch
+ patches.kabi/Fix-KVM-kABI-after-x86-mmu-backports.patch
+
########################################################
# You'd better have a good reason for adding a patch
# below here.