Home Home > GIT Browse > stable
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJiri Slaby <jslaby@suse.cz>2019-06-25 09:55:47 +0200
committerJiri Slaby <jslaby@suse.cz>2019-06-25 09:55:47 +0200
commite22274311ea2d45083ef2d7a9f019a21c7701b87 (patch)
tree26dfa78469d7e25588da76197718e08d2037662b
parentf2910422fade67260018eeba7a0d50450650ffb2 (diff)
- Linux 5.1.15 (bnc#1012628).stable
- tracing: Silence GCC 9 array bounds warning (bnc#1012628). - mmc: sdhci: sdhci-pci-o2micro: Correctly set bus width when tuning (bnc#1012628). - mmc: sdhi: disallow HS400 for M3-W ES1.2, RZ/G2M, and V3H (bnc#1012628). - mmc: mediatek: fix SDIO IRQ interrupt handle flow (bnc#1012628). - mmc: mediatek: fix SDIO IRQ detection issue (bnc#1012628). - mmc: core: API to temporarily disable retuning for SDIO CRC errors (bnc#1012628). - mmc: core: Add sdio_retune_hold_now() and sdio_retune_release() (bnc#1012628). - mmc: core: Prevent processing SDIO IRQs when the card is suspended (bnc#1012628). - scsi: ufs: Avoid runtime suspend possibly being blocked forever (bnc#1012628). - usb: chipidea: udc: workaround for endpoint conflict issue (bnc#1012628). - xhci: detect USB 3.2 capable host controllers correctly (bnc#1012628). - usb: xhci: Don't try to recover an endpoint if port is in error state (bnc#1012628). - cifs: add spinlock for the openFileList to cifsInodeInfo (bnc#1012628). - cifs: fix GlobalMid_Lock bug in cifs_reconnect (bnc#1012628). - IB/hfi1: Validate fault injection opcode user input (bnc#1012628). - IB/hfi1: Close PSM sdma_progress sleep window (bnc#1012628). - IB/hfi1: Avoid hardlockup with flushlist_lock (bnc#1012628). - IB/hfi1: Correct tid qp rcd to match verbs context (bnc#1012628). - IB/hfi1: Silence txreq allocation warnings (bnc#1012628). - iio: imu: st_lsm6dsx: fix PM support for st_lsm6dsx i2c controller (bnc#1012628). - iio: temperature: mlx90632 Relax the compatibility check (bnc#1012628). - Input: synaptics - enable SMBus on ThinkPad E480 and E580 (bnc#1012628). - Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD (bnc#1012628). - Input: silead - add MSSL0017 to acpi_device_id (bnc#1012628). - apparmor: fix PROFILE_MEDIATES for untrusted input (bnc#1012628). - apparmor: enforce nullbyte at end of tag string (bnc#1012628). - apparmor: reset pos on failure to unpack for various functions (bnc#1012628). - Revert "brcmfmac: disable command decode in sdio_aos" (bnc#1012628). - brcmfmac: sdio: Disable auto-tuning around commands expected to fail (bnc#1012628). - brcmfmac: sdio: Don't tune while the card is off (bnc#1012628). - lkdtm/usercopy: Moves the KERNEL_DS test to non-canonical (bnc#1012628). - ARC: fix build warnings (bnc#1012628). - dmaengine: jz4780: Fix transfers being ACKed too soon (bnc#1012628). - dmaengine: dw-axi-dmac: fix null dereference when pointer first is null (bnc#1012628). - dmaengine: mediatek-cqdma: sleeping in atomic context (bnc#1012628). - dmaengine: sprd: Fix the possible crash when getting descriptor status (bnc#1012628). - dmaengine: sprd: Add validation of current descriptor in irq handler (bnc#1012628). - dmaengine: sprd: Fix the incorrect start for 2-stage destination channels (bnc#1012628). - dmaengine: sprd: Fix block length overflow (bnc#1012628). - dmaengine: sprd: Fix the right place to configure 2-stage transfer (bnc#1012628). - ARC: [plat-hsdk]: Add missing multicast filter bins number to GMAC node (bnc#1012628). - ARC: [plat-hsdk]: Add missing FIFO size entry in GMAC node (bnc#1012628). - MIPS: mark ginvt() as __always_inline (bnc#1012628). - fpga: stratix10-soc: fix use-after-free on s10_init() (bnc#1012628). - fpga: dfl: afu: Pass the correct device to dma_mapping_error() (bnc#1012628). - fpga: dfl: Add lockdep classes for pdata->lock (bnc#1012628). - parport: Fix mem leak in parport_register_dev_model (bnc#1012628). - parisc: Fix compiler warnings in float emulation code (bnc#1012628). - habanalabs: fix bug in checking huge page optimization (bnc#1012628). - IB/rdmavt: Fix alloc_qpn() WARN_ON() (bnc#1012628). - IB/hfi1: Insure freeze_work work_struct is canceled on shutdown (bnc#1012628). - IB/{qib, hfi1, rdmavt}: Correct ibv_devinfo max_mr value (bnc#1012628). - IB/hfi1: Validate page aligned for a given virtual address (bnc#1012628). - MIPS: uprobes: remove set but not used variable 'epc' (bnc#1012628). - crypto: hmac - fix memory leak in hmac_init_tfm() (bnc#1012628). - xtensa: Fix section mismatch between memblock_reserve and mem_reserve (bnc#1012628). - kselftest/cgroup: fix unexpected testing failure on test_memcontrol (bnc#1012628). - kselftest/cgroup: fix unexpected testing failure on test_core (bnc#1012628). - kselftest/cgroup: fix incorrect test_core skip (bnc#1012628). - userfaultfd: selftest: fix compiler warning (bnc#1012628). - selftests: vm: install test_vmalloc.sh for run_vmtests (bnc#1012628). - net: dsa: mv88e6xxx: avoid error message on remove from VLAN 0 (bnc#1012628). - net: hns: Fix loopback test failed at copper ports (bnc#1012628). - mdesc: fix a missing-check bug in get_vdev_port_node_info() (bnc#1012628). - sparc: perf: fix updated event period in response to PERF_EVENT_IOC_PERIOD (bnc#1012628). - net: ethernet: mediatek: Use hw_feature to judge if HWLRO is supported (bnc#1012628). - net: ethernet: mediatek: Use NET_IP_ALIGN to judge if HW RX_2BYTE_OFFSET is enabled (bnc#1012628). - selftests: set sysctl bc_forwarding properly in router_broadcast.sh (bnc#1012628). - drm/arm/mali-dp: Add a loop around the second set CVAL and try 5 times (bnc#1012628). - drm/arm/hdlcd: Actually validate CRTC modes (bnc#1012628). - drm/arm/hdlcd: Allow a bit of clock tolerance (bnc#1012628). - nvmet: fix data_len to 0 for bdev-backed write_zeroes (bnc#1012628). - kbuild: tar-pkg: enable communication with jobserver (bnc#1012628). - scripts/checkstack.pl: Fix arm64 wrong or unknown architecture (bnc#1012628). - net: phylink: avoid reducing support mask (bnc#1012628). - scsi: ufs: Check that space was properly alloced in copy_query_response (bnc#1012628). - scsi: smartpqi: unlock on error in pqi_submit_raid_request_synchronous() (bnc#1012628). - net: ipvlan: Fix ipvlan device tso disabled while NETIF_F_IP_CSUM is set (bnc#1012628). - udmabuf: actually unmap the scatterlist (bnc#1012628). - tests: fix pidfd-test compilation (bnc#1012628). - s390/qeth: handle limited IPv4 broadcast in L3 TX path (bnc#1012628). - s390/qeth: check dst entry before use (bnc#1012628). - s390/qeth: fix VLAN attribute in bridge_hostnotify udev event (bnc#1012628). - hwmon: (core) add thermal sensors only if dev->of_node is present (bnc#1012628). - hwmon: (pmbus/core) Treat parameters as paged if on multiple pages (bnc#1012628). - arm64: Silence gcc warnings about arch ABI drift (bnc#1012628). - nvme: Fix u32 overflow in the number of namespace list calculation (bnc#1012628). - ovl: detect overlapping layers (bnc#1012628). - ovl: don't fail with disconnected lower NFS (bnc#1012628). - ovl: fix bogus -Wmaybe-unitialized warning (bnc#1012628). - btrfs: start readahead also in seed devices (bnc#1012628). - can: xilinx_can: use correct bittiming_const for CAN FD core (bnc#1012628). - can: flexcan: fix timeout when set small bitrate (bnc#1012628). - can: purge socket error queue on sock destruct (bnc#1012628). - riscv: mm: synchronize MMU after pte change (bnc#1012628). - powerpc/bpf: use unsigned division instruction for 64-bit operations (bnc#1012628). - ARM: imx: cpuidle-imx6sx: Restrict the SW2ISO increase to i.MX6SX (bnc#1012628). - ARM: mvebu_v7_defconfig: fix Ethernet on Clearfog (bnc#1012628). - ARM: dts: dra76x: Update MMC2_HS200_MANUAL1 iodelay values (bnc#1012628). - ARM: dts: am57xx-idk: Remove support for voltage switching for SD card (bnc#1012628). - arm64/sve: <uapi/asm/ptrace.h> should not depend on <uapi/linux/prctl.h> (bnc#1012628). - arm64: ssbd: explicitly depend on <linux/prctl.h> (bnc#1012628). - KVM: x86/mmu: Allocate PAE root array when using SVM's 32-bit NPT (bnc#1012628). - ovl: make i_ino consistent with st_ino in more cases (bnc#1012628). - drm/vmwgfx: Use the backdoor port if the HB port is not available (bnc#1012628). - drm/i915: Don't clobber M/N values during fastset check (bnc#1012628). - binder: fix possible UAF when freeing buffer (bnc#1012628). - staging: erofs: add requirements field in superblock (bnc#1012628). - Bluetooth: Align minimum encryption key size for LE and BR/EDR connections (bnc#1012628). - Bluetooth: Fix regression with minimum encryption key size alignment (bnc#1012628). - SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of failing write (bnc#1012628). - x86/vdso: Prevent segfaults due to hoisted vclock reads (bnc#1012628). - fs/namespace: fix unprivileged mount propagation (bnc#1012628). - cfg80211: fix memory leak of wiphy device name (bnc#1012628). - mac80211: drop robust management frames from unknown TA (bnc#1012628). - {nl,mac}80211: allow 4addr AP operation on crypto controlled devices (bnc#1012628). - mac80211: handle deauthentication/disassociation from TDLS peer (bnc#1012628). - nl80211: fix station_info pertid memory leak (bnc#1012628). - mac80211: Do not use stack memory with scatterlist for GMAC (bnc#1012628). - x86/resctrl: Don't stop walking closids when a locksetup group is found (bnc#1012628). - powerpc/mm/64s/hash: Reallocate context ids on fork (bnc#1012628). - Refresh patches.suse/apparmor-compatibility-with-v2.x-net.patch.
-rw-r--r--patches.kernel.org/5.1.15-001-tracing-Silence-GCC-9-array-bounds-warning.patch112
-rw-r--r--patches.kernel.org/5.1.15-002-mmc-sdhci-sdhci-pci-o2micro-Correctly-set-bus-.patch55
-rw-r--r--patches.kernel.org/5.1.15-003-mmc-sdhi-disallow-HS400-for-M3-W-ES1.2-RZ-G2M-.patch54
-rw-r--r--patches.kernel.org/5.1.15-004-mmc-mediatek-fix-SDIO-IRQ-interrupt-handle-flo.patch114
-rw-r--r--patches.kernel.org/5.1.15-005-mmc-mediatek-fix-SDIO-IRQ-detection-issue.patch40
-rw-r--r--patches.kernel.org/5.1.15-006-mmc-core-API-to-temporarily-disable-retuning-f.patch145
-rw-r--r--patches.kernel.org/5.1.15-007-mmc-core-Add-sdio_retune_hold_now-and-sdio_ret.patch97
-rw-r--r--patches.kernel.org/5.1.15-008-mmc-core-Prevent-processing-SDIO-IRQs-when-the.patch85
-rw-r--r--patches.kernel.org/5.1.15-009-scsi-ufs-Avoid-runtime-suspend-possibly-being-.patch75
-rw-r--r--patches.kernel.org/5.1.15-010-usb-chipidea-udc-workaround-for-endpoint-confl.patch81
-rw-r--r--patches.kernel.org/5.1.15-011-xhci-detect-USB-3.2-capable-host-controllers-c.patch72
-rw-r--r--patches.kernel.org/5.1.15-012-usb-xhci-Don-t-try-to-recover-an-endpoint-if-p.patch128
-rw-r--r--patches.kernel.org/5.1.15-013-cifs-add-spinlock-for-the-openFileList-to-cifs.patch112
-rw-r--r--patches.kernel.org/5.1.15-014-cifs-fix-GlobalMid_Lock-bug-in-cifs_reconnect.patch52
-rw-r--r--patches.kernel.org/5.1.15-015-IB-hfi1-Validate-fault-injection-opcode-user-i.patch52
-rw-r--r--patches.kernel.org/5.1.15-016-IB-hfi1-Close-PSM-sdma_progress-sleep-window.patch92
-rw-r--r--patches.kernel.org/5.1.15-017-IB-hfi1-Avoid-hardlockup-with-flushlist_lock.patch65
-rw-r--r--patches.kernel.org/5.1.15-018-IB-hfi1-Correct-tid-qp-rcd-to-match-verbs-cont.patch125
-rw-r--r--patches.kernel.org/5.1.15-019-IB-hfi1-Silence-txreq-allocation-warnings.patch98
-rw-r--r--patches.kernel.org/5.1.15-020-iio-imu-st_lsm6dsx-fix-PM-support-for-st_lsm6d.patch103
-rw-r--r--patches.kernel.org/5.1.15-021-iio-temperature-mlx90632-Relax-the-compatibili.patch61
-rw-r--r--patches.kernel.org/5.1.15-022-Input-synaptics-enable-SMBus-on-ThinkPad-E480-.patch41
-rw-r--r--patches.kernel.org/5.1.15-023-Input-uinput-add-compat-ioctl-number-translati.patch67
-rw-r--r--patches.kernel.org/5.1.15-024-Input-silead-add-MSSL0017-to-acpi_device_id.patch36
-rw-r--r--patches.kernel.org/5.1.15-025-apparmor-fix-PROFILE_MEDIATES-for-untrusted-in.patch57
-rw-r--r--patches.kernel.org/5.1.15-026-apparmor-enforce-nullbyte-at-end-of-tag-string.patch43
-rw-r--r--patches.kernel.org/5.1.15-027-apparmor-reset-pos-on-failure-to-unpack-for-va.patch173
-rw-r--r--patches.kernel.org/5.1.15-028-Revert-brcmfmac-disable-command-decode-in-sdio.patch61
-rw-r--r--patches.kernel.org/5.1.15-029-brcmfmac-sdio-Disable-auto-tuning-around-comma.patch60
-rw-r--r--patches.kernel.org/5.1.15-030-brcmfmac-sdio-Don-t-tune-while-the-card-is-off.patch86
-rw-r--r--patches.kernel.org/5.1.15-031-lkdtm-usercopy-Moves-the-KERNEL_DS-test-to-non.patch49
-rw-r--r--patches.kernel.org/5.1.15-032-ARC-fix-build-warnings.patch102
-rw-r--r--patches.kernel.org/5.1.15-033-dmaengine-jz4780-Fix-transfers-being-ACKed-too.patch111
-rw-r--r--patches.kernel.org/5.1.15-034-dmaengine-dw-axi-dmac-fix-null-dereference-whe.patch43
-rw-r--r--patches.kernel.org/5.1.15-035-dmaengine-mediatek-cqdma-sleeping-in-atomic-co.patch52
-rw-r--r--patches.kernel.org/5.1.15-036-dmaengine-sprd-Fix-the-possible-crash-when-get.patch45
-rw-r--r--patches.kernel.org/5.1.15-037-dmaengine-sprd-Add-validation-of-current-descr.patch50
-rw-r--r--patches.kernel.org/5.1.15-038-dmaengine-sprd-Fix-the-incorrect-start-for-2-s.patch40
-rw-r--r--patches.kernel.org/5.1.15-039-dmaengine-sprd-Fix-block-length-overflow.patch41
-rw-r--r--patches.kernel.org/5.1.15-040-dmaengine-sprd-Fix-the-right-place-to-configur.patch56
-rw-r--r--patches.kernel.org/5.1.15-041-ARC-plat-hsdk-Add-missing-multicast-filter-bin.patch42
-rw-r--r--patches.kernel.org/5.1.15-042-ARC-plat-hsdk-Add-missing-FIFO-size-entry-in-G.patch42
-rw-r--r--patches.kernel.org/5.1.15-043-MIPS-mark-ginvt-as-__always_inline.patch40
-rw-r--r--patches.kernel.org/5.1.15-044-fpga-stratix10-soc-fix-use-after-free-on-s10_i.patch56
-rw-r--r--patches.kernel.org/5.1.15-045-fpga-dfl-afu-Pass-the-correct-device-to-dma_ma.patch41
-rw-r--r--patches.kernel.org/5.1.15-046-fpga-dfl-Add-lockdep-classes-for-pdata-lock.patch142
-rw-r--r--patches.kernel.org/5.1.15-047-parport-Fix-mem-leak-in-parport_register_dev_m.patch70
-rw-r--r--patches.kernel.org/5.1.15-048-parisc-Fix-compiler-warnings-in-float-emulatio.patch56
-rw-r--r--patches.kernel.org/5.1.15-049-habanalabs-fix-bug-in-checking-huge-page-optim.patch54
-rw-r--r--patches.kernel.org/5.1.15-050-IB-rdmavt-Fix-alloc_qpn-WARN_ON.patch60
-rw-r--r--patches.kernel.org/5.1.15-051-IB-hfi1-Insure-freeze_work-work_struct-is-canc.patch42
-rw-r--r--patches.kernel.org/5.1.15-052-IB-qib-hfi1-rdmavt-Correct-ibv_devinfo-max_mr-.patch69
-rw-r--r--patches.kernel.org/5.1.15-053-IB-hfi1-Validate-page-aligned-for-a-given-virt.patch44
-rw-r--r--patches.kernel.org/5.1.15-054-MIPS-uprobes-remove-set-but-not-used-variable-.patch46
-rw-r--r--patches.kernel.org/5.1.15-055-crypto-hmac-fix-memory-leak-in-hmac_init_tfm.patch41
-rw-r--r--patches.kernel.org/5.1.15-056-xtensa-Fix-section-mismatch-between-memblock_r.patch54
-rw-r--r--patches.kernel.org/5.1.15-057-kselftest-cgroup-fix-unexpected-testing-failur.patch66
-rw-r--r--patches.kernel.org/5.1.15-058-kselftest-cgroup-fix-unexpected-testing-failur.patch58
-rw-r--r--patches.kernel.org/5.1.15-059-kselftest-cgroup-fix-incorrect-test_core-skip.patch52
-rw-r--r--patches.kernel.org/5.1.15-060-userfaultfd-selftest-fix-compiler-warning.patch45
-rw-r--r--patches.kernel.org/5.1.15-061-selftests-vm-install-test_vmalloc.sh-for-run_v.patch41
-rw-r--r--patches.kernel.org/5.1.15-062-net-dsa-mv88e6xxx-avoid-error-message-on-remov.patch52
-rw-r--r--patches.kernel.org/5.1.15-063-net-hns-Fix-loopback-test-failed-at-copper-por.patch48
-rw-r--r--patches.kernel.org/5.1.15-064-mdesc-fix-a-missing-check-bug-in-get_vdev_port.patch37
-rw-r--r--patches.kernel.org/5.1.15-065-sparc-perf-fix-updated-event-period-in-respons.patch47
-rw-r--r--patches.kernel.org/5.1.15-066-net-ethernet-mediatek-Use-hw_feature-to-judge-.patch73
-rw-r--r--patches.kernel.org/5.1.15-067-net-ethernet-mediatek-Use-NET_IP_ALIGN-to-judg.patch46
-rw-r--r--patches.kernel.org/5.1.15-068-selftests-set-sysctl-bc_forwarding-properly-in.patch69
-rw-r--r--patches.kernel.org/5.1.15-069-drm-arm-mali-dp-Add-a-loop-around-the-second-s.patch57
-rw-r--r--patches.kernel.org/5.1.15-070-drm-arm-hdlcd-Actually-validate-CRTC-modes.patch66
-rw-r--r--patches.kernel.org/5.1.15-071-drm-arm-hdlcd-Allow-a-bit-of-clock-tolerance.patch42
-rw-r--r--patches.kernel.org/5.1.15-072-nvmet-fix-data_len-to-0-for-bdev-backed-write_.patch57
-rw-r--r--patches.kernel.org/5.1.15-073-kbuild-tar-pkg-enable-communication-with-jobse.patch45
-rw-r--r--patches.kernel.org/5.1.15-074-scripts-checkstack.pl-Fix-arm64-wrong-or-unkno.patch46
-rw-r--r--patches.kernel.org/5.1.15-075-net-phylink-avoid-reducing-support-mask.patch95
-rw-r--r--patches.kernel.org/5.1.15-076-scsi-ufs-Check-that-space-was-properly-alloced.patch45
-rw-r--r--patches.kernel.org/5.1.15-077-scsi-smartpqi-unlock-on-error-in-pqi_submit_ra.patch42
-rw-r--r--patches.kernel.org/5.1.15-078-net-ipvlan-Fix-ipvlan-device-tso-disabled-whil.patch48
-rw-r--r--patches.kernel.org/5.1.15-079-udmabuf-actually-unmap-the-scatterlist.patch37
-rw-r--r--patches.kernel.org/5.1.15-080-tests-fix-pidfd-test-compilation.patch42
-rw-r--r--patches.kernel.org/5.1.15-081-s390-qeth-handle-limited-IPv4-broadcast-in-L3-.patch40
-rw-r--r--patches.kernel.org/5.1.15-082-s390-qeth-check-dst-entry-before-use.patch105
-rw-r--r--patches.kernel.org/5.1.15-083-s390-qeth-fix-VLAN-attribute-in-bridge_hostnot.patch54
-rw-r--r--patches.kernel.org/5.1.15-084-hwmon-core-add-thermal-sensors-only-if-dev-of_.patch66
-rw-r--r--patches.kernel.org/5.1.15-085-hwmon-pmbus-core-Treat-parameters-as-paged-if-.patch105
-rw-r--r--patches.kernel.org/5.1.15-086-arm64-Silence-gcc-warnings-about-arch-ABI-drif.patch49
-rw-r--r--patches.kernel.org/5.1.15-087-nvme-Fix-u32-overflow-in-the-number-of-namespa.patch41
-rw-r--r--patches.kernel.org/5.1.15-088-ovl-detect-overlapping-layers.patch576
-rw-r--r--patches.kernel.org/5.1.15-089-ovl-don-t-fail-with-disconnected-lower-NFS.patch82
-rw-r--r--patches.kernel.org/5.1.15-090-ovl-fix-bogus-Wmaybe-unitialized-warning.patch48
-rw-r--r--patches.kernel.org/5.1.15-091-btrfs-start-readahead-also-in-seed-devices.patch54
-rw-r--r--patches.kernel.org/5.1.15-092-can-xilinx_can-use-correct-bittiming_const-for.patch47
-rw-r--r--patches.kernel.org/5.1.15-093-can-flexcan-fix-timeout-when-set-small-bitrate.patch60
-rw-r--r--patches.kernel.org/5.1.15-094-can-purge-socket-error-queue-on-sock-destruct.patch38
-rw-r--r--patches.kernel.org/5.1.15-095-riscv-mm-synchronize-MMU-after-pte-change.patch62
-rw-r--r--patches.kernel.org/5.1.15-096-powerpc-bpf-use-unsigned-division-instruction-.patch91
-rw-r--r--patches.kernel.org/5.1.15-097-ARM-imx-cpuidle-imx6sx-Restrict-the-SW2ISO-inc.patch61
-rw-r--r--patches.kernel.org/5.1.15-098-ARM-mvebu_v7_defconfig-fix-Ethernet-on-Clearfo.patch50
-rw-r--r--patches.kernel.org/5.1.15-099-ARM-dts-dra76x-Update-MMC2_HS200_MANUAL1-iodel.patch89
-rw-r--r--patches.kernel.org/5.1.15-100-ARM-dts-am57xx-idk-Remove-support-for-voltage-.patch47
-rw-r--r--patches.kernel.org/5.1.15-101-arm64-sve-uapi-asm-ptrace.h-should-not-depend-.patch66
-rw-r--r--patches.kernel.org/5.1.15-102-arm64-ssbd-explicitly-depend-on-linux-prctl.h.patch42
-rw-r--r--patches.kernel.org/5.1.15-103-KVM-x86-mmu-Allocate-PAE-root-array-when-using.patch57
-rw-r--r--patches.kernel.org/5.1.15-104-ovl-make-i_ino-consistent-with-st_ino-in-more-.patch56
-rw-r--r--patches.kernel.org/5.1.15-105-drm-vmwgfx-Use-the-backdoor-port-if-the-HB-por.patch227
-rw-r--r--patches.kernel.org/5.1.15-106-drm-i915-Don-t-clobber-M-N-values-during-fasts.patch111
-rw-r--r--patches.kernel.org/5.1.15-107-binder-fix-possible-UAF-when-freeing-buffer.patch65
-rw-r--r--patches.kernel.org/5.1.15-108-staging-erofs-add-requirements-field-in-superb.patch115
-rw-r--r--patches.kernel.org/5.1.15-109-Bluetooth-Align-minimum-encryption-key-size-fo.patch60
-rw-r--r--patches.kernel.org/5.1.15-110-Bluetooth-Fix-regression-with-minimum-encrypti.patch156
-rw-r--r--patches.kernel.org/5.1.15-111-SMB3-retry-on-STATUS_INSUFFICIENT_RESOURCES-in.patch43
-rw-r--r--patches.kernel.org/5.1.15-112-x86-vdso-Prevent-segfaults-due-to-hoisted-vclo.patch72
-rw-r--r--patches.kernel.org/5.1.15-113-fs-namespace-fix-unprivileged-mount-propagatio.patch79
-rw-r--r--patches.kernel.org/5.1.15-114-cfg80211-fix-memory-leak-of-wiphy-device-name.patch40
-rw-r--r--patches.kernel.org/5.1.15-115-mac80211-drop-robust-management-frames-from-un.patch37
-rw-r--r--patches.kernel.org/5.1.15-116-nl-mac-80211-allow-4addr-AP-operation-on-crypt.patch120
-rw-r--r--patches.kernel.org/5.1.15-117-mac80211-handle-deauthentication-disassociatio.patch127
-rw-r--r--patches.kernel.org/5.1.15-118-nl80211-fix-station_info-pertid-memory-leak.patch44
-rw-r--r--patches.kernel.org/5.1.15-119-mac80211-Do-not-use-stack-memory-with-scatterl.patch65
-rw-r--r--patches.kernel.org/5.1.15-120-x86-resctrl-Don-t-stop-walking-closids-when-a-.patch57
-rw-r--r--patches.kernel.org/5.1.15-121-powerpc-mm-64s-hash-Reallocate-context-ids-on-.patch145
-rw-r--r--patches.kernel.org/5.1.15-122-Linux-5.1.15.patch28
-rw-r--r--patches.suse/apparmor-compatibility-with-v2.x-net.patch38
-rw-r--r--series.conf122
124 files changed, 8904 insertions, 19 deletions
diff --git a/patches.kernel.org/5.1.15-001-tracing-Silence-GCC-9-array-bounds-warning.patch b/patches.kernel.org/5.1.15-001-tracing-Silence-GCC-9-array-bounds-warning.patch
new file mode 100644
index 0000000000..83e3d5dd8d
--- /dev/null
+++ b/patches.kernel.org/5.1.15-001-tracing-Silence-GCC-9-array-bounds-warning.patch
@@ -0,0 +1,112 @@
+From: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
+Date: Thu, 23 May 2019 14:45:35 +0200
+Subject: [PATCH] tracing: Silence GCC 9 array bounds warning
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 0c97bf863efce63d6ab7971dad811601e6171d2f
+
+commit 0c97bf863efce63d6ab7971dad811601e6171d2f upstream.
+
+Starting with GCC 9, -Warray-bounds detects cases when memset is called
+starting on a member of a struct but the size to be cleared ends up
+writing over further members.
+
+Such a call happens in the trace code to clear, at once, all members
+after and including `seq` on struct trace_iterator:
+
+ In function 'memset',
+ inlined from 'ftrace_dump' at kernel/trace/trace.c:8914:3:
+ ./include/linux/string.h:344:9: warning: '__builtin_memset' offset
+ [8505, 8560] from the object at 'iter' is out of the bounds of
+ referenced subobject 'seq' with type 'struct trace_seq' at offset
+ 4368 [-Warray-bounds]
+ 344 | return __builtin_memset(p, c, size);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In order to avoid GCC complaining about it, we compute the address
+ourselves by adding the offsetof distance instead of referring
+directly to the member.
+
+Since there are two places doing this clear (trace.c and trace_kdb.c),
+take the chance to move the workaround into a single place in
+the internal header.
+
+Link: http://lkml.kernel.org/r/20190523124535.GA12931@gmail.com
+
+Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
+[ Removed unnecessary parenthesis around "iter" ]
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ kernel/trace/trace.c | 6 +-----
+ kernel/trace/trace.h | 18 ++++++++++++++++++
+ kernel/trace/trace_kdb.c | 6 +-----
+ 3 files changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index ca1ee656d6d8..5880c993002b 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -8627,12 +8627,8 @@ void ftrace_dump(enum ftrace_dump_mode oops_dump_mode)
+
+ cnt++;
+
+- /* reset all but tr, trace, and overruns */
+- memset(&iter.seq, 0,
+- sizeof(struct trace_iterator) -
+- offsetof(struct trace_iterator, seq));
++ trace_iterator_reset(&iter);
+ iter.iter_flags |= TRACE_FILE_LAT_FMT;
+- iter.pos = -1;
+
+ if (trace_find_next_entry_inc(&iter) != NULL) {
+ int ret;
+diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
+index d80cee49e0eb..8ddf36e5eb42 100644
+--- a/kernel/trace/trace.h
++++ b/kernel/trace/trace.h
+@@ -1964,4 +1964,22 @@ static inline void tracer_hardirqs_off(unsigned long a0, unsigned long a1) { }
+
+ extern struct trace_iterator *tracepoint_print_iter;
+
++/*
++ * Reset the state of the trace_iterator so that it can read consumed data.
++ * Normally, the trace_iterator is used for reading the data when it is not
++ * consumed, and must retain state.
++ */
++static __always_inline void trace_iterator_reset(struct trace_iterator *iter)
++{
++ const size_t offset = offsetof(struct trace_iterator, seq);
++
++ /*
++ * Keep gcc from complaining about overwriting more than just one
++ * member in the structure.
++ */
++ memset((char *)iter + offset, 0, sizeof(struct trace_iterator) - offset);
++
++ iter->pos = -1;
++}
++
+ #endif /* _LINUX_KERNEL_TRACE_H */
+diff --git a/kernel/trace/trace_kdb.c b/kernel/trace/trace_kdb.c
+index 810d78a8d14c..2905a3dd94c1 100644
+--- a/kernel/trace/trace_kdb.c
++++ b/kernel/trace/trace_kdb.c
+@@ -41,12 +41,8 @@ static void ftrace_dump_buf(int skip_lines, long cpu_file)
+
+ kdb_printf("Dumping ftrace buffer:\n");
+
+- /* reset all but tr, trace, and overruns */
+- memset(&iter.seq, 0,
+- sizeof(struct trace_iterator) -
+- offsetof(struct trace_iterator, seq));
++ trace_iterator_reset(&iter);
+ iter.iter_flags |= TRACE_FILE_LAT_FMT;
+- iter.pos = -1;
+
+ if (cpu_file == RING_BUFFER_ALL_CPUS) {
+ for_each_tracing_cpu(cpu) {
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-002-mmc-sdhci-sdhci-pci-o2micro-Correctly-set-bus-.patch b/patches.kernel.org/5.1.15-002-mmc-sdhci-sdhci-pci-o2micro-Correctly-set-bus-.patch
new file mode 100644
index 0000000000..97707e352c
--- /dev/null
+++ b/patches.kernel.org/5.1.15-002-mmc-sdhci-sdhci-pci-o2micro-Correctly-set-bus-.patch
@@ -0,0 +1,55 @@
+From: Raul E Rangel <rrangel@chromium.org>
+Date: Mon, 17 Jun 2019 14:10:12 -0600
+Subject: [PATCH] mmc: sdhci: sdhci-pci-o2micro: Correctly set bus width when
+ tuning
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 0f7b79a44e7d7dd3ef1f59758c1a341f217ff5e5
+
+commit 0f7b79a44e7d7dd3ef1f59758c1a341f217ff5e5 upstream.
+
+The O2Micro controller only supports tuning at 4-bits. So the host driver
+needs to change the bus width while tuning and then set it back when done.
+
+There was a bug in the original implementation in that mmc->ios.bus_width
+also wasn't updated. Thus setting the incorrect blocksize in
+sdhci_send_tuning which results in a tuning failure.
+
+Signed-off-by: Raul E Rangel <rrangel@chromium.org>
+Fixes: 0086fc217d5d7 ("mmc: sdhci: Add support for O2 hardware tuning")
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/mmc/host/sdhci-pci-o2micro.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sdhci-pci-o2micro.c b/drivers/mmc/host/sdhci-pci-o2micro.c
+index 05a012a694b2..423c3339c03b 100644
+--- a/drivers/mmc/host/sdhci-pci-o2micro.c
++++ b/drivers/mmc/host/sdhci-pci-o2micro.c
+@@ -124,6 +124,7 @@ static int sdhci_o2_execute_tuning(struct mmc_host *mmc, u32 opcode)
+ */
+ if (mmc->ios.bus_width == MMC_BUS_WIDTH_8) {
+ current_bus_width = mmc->ios.bus_width;
++ mmc->ios.bus_width = MMC_BUS_WIDTH_4;
+ sdhci_set_bus_width(host, MMC_BUS_WIDTH_4);
+ }
+
+@@ -135,8 +136,10 @@ static int sdhci_o2_execute_tuning(struct mmc_host *mmc, u32 opcode)
+
+ sdhci_end_tuning(host);
+
+- if (current_bus_width == MMC_BUS_WIDTH_8)
++ if (current_bus_width == MMC_BUS_WIDTH_8) {
++ mmc->ios.bus_width = MMC_BUS_WIDTH_8;
+ sdhci_set_bus_width(host, current_bus_width);
++ }
+
+ host->flags &= ~SDHCI_HS400_TUNING;
+ return 0;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-003-mmc-sdhi-disallow-HS400-for-M3-W-ES1.2-RZ-G2M-.patch b/patches.kernel.org/5.1.15-003-mmc-sdhi-disallow-HS400-for-M3-W-ES1.2-RZ-G2M-.patch
new file mode 100644
index 0000000000..098ac7e232
--- /dev/null
+++ b/patches.kernel.org/5.1.15-003-mmc-sdhi-disallow-HS400-for-M3-W-ES1.2-RZ-G2M-.patch
@@ -0,0 +1,54 @@
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Thu, 6 Jun 2019 13:35:35 +0200
+Subject: [PATCH] mmc: sdhi: disallow HS400 for M3-W ES1.2, RZ/G2M, and V3H
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 97bf85b6ec9e6597ce81c79b26a28f7918fc4eaf
+
+commit 97bf85b6ec9e6597ce81c79b26a28f7918fc4eaf upstream.
+
+Our HW engineers informed us that HS400 is not working on these SoC
+revisions.
+
+Fixes: 0f4e2054c971 ("mmc: renesas_sdhi: disable HS400 on H3 ES1.x and M3-W ES1.[012]")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Fabrizio Castro <fabrizio.castro@bp.renesas.com>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/mmc/host/renesas_sdhi_core.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mmc/host/renesas_sdhi_core.c b/drivers/mmc/host/renesas_sdhi_core.c
+index 8742e27e4e8b..c42e442ba7ab 100644
+--- a/drivers/mmc/host/renesas_sdhi_core.c
++++ b/drivers/mmc/host/renesas_sdhi_core.c
+@@ -620,11 +620,16 @@ static const struct renesas_sdhi_quirks sdhi_quirks_h3_es2 = {
+ .hs400_4taps = true,
+ };
+
++static const struct renesas_sdhi_quirks sdhi_quirks_nohs400 = {
++ .hs400_disabled = true,
++};
++
+ static const struct soc_device_attribute sdhi_quirks_match[] = {
+ { .soc_id = "r8a7795", .revision = "ES1.*", .data = &sdhi_quirks_h3_m3w_es1 },
+ { .soc_id = "r8a7795", .revision = "ES2.0", .data = &sdhi_quirks_h3_es2 },
+- { .soc_id = "r8a7796", .revision = "ES1.0", .data = &sdhi_quirks_h3_m3w_es1 },
+- { .soc_id = "r8a7796", .revision = "ES1.1", .data = &sdhi_quirks_h3_m3w_es1 },
++ { .soc_id = "r8a7796", .revision = "ES1.[012]", .data = &sdhi_quirks_h3_m3w_es1 },
++ { .soc_id = "r8a774a1", .revision = "ES1.[012]", .data = &sdhi_quirks_h3_m3w_es1 },
++ { .soc_id = "r8a77980", .data = &sdhi_quirks_nohs400 },
+ { /* Sentinel. */ },
+ };
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-004-mmc-mediatek-fix-SDIO-IRQ-interrupt-handle-flo.patch b/patches.kernel.org/5.1.15-004-mmc-mediatek-fix-SDIO-IRQ-interrupt-handle-flo.patch
new file mode 100644
index 0000000000..7423d49ea2
--- /dev/null
+++ b/patches.kernel.org/5.1.15-004-mmc-mediatek-fix-SDIO-IRQ-interrupt-handle-flo.patch
@@ -0,0 +1,114 @@
+From: jjian zhou <jjian.zhou@mediatek.com>
+Date: Mon, 17 Jun 2019 19:04:07 +0800
+Subject: [PATCH] mmc: mediatek: fix SDIO IRQ interrupt handle flow
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 8a5df8ac628f4febea1e6cd3044bff2d536dd096
+
+commit 8a5df8ac628f4febea1e6cd3044bff2d536dd096 upstream.
+
+SDIO IRQ is triggered by low level. It need disable SDIO IRQ
+detected function. Otherwise the interrupt register can't be cleared.
+It will process the interrupt more.
+
+Signed-off-by: Jjian Zhou <jjian.zhou@mediatek.com>
+Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
+Signed-off-by: Yong Mao <yong.mao@mediatek.com>
+Fixes: 5215b2e952f3 ("mmc: mediatek: Add MMC_CAP_SDIO_IRQ support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/mmc/host/mtk-sd.c | 37 ++++++++++++++++++++-----------------
+ 1 file changed, 20 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c
+index 833ef0590af8..336935a334ef 100644
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -1355,24 +1355,25 @@ static void msdc_request_timeout(struct work_struct *work)
+ }
+ }
+
+-static void __msdc_enable_sdio_irq(struct mmc_host *mmc, int enb)
++static void __msdc_enable_sdio_irq(struct msdc_host *host, int enb)
+ {
+- unsigned long flags;
+- struct msdc_host *host = mmc_priv(mmc);
+-
+- spin_lock_irqsave(&host->lock, flags);
+- if (enb)
++ if (enb) {
+ sdr_set_bits(host->base + MSDC_INTEN, MSDC_INTEN_SDIOIRQ);
+- else
++ sdr_set_bits(host->base + SDC_CFG, SDC_CFG_SDIOIDE);
++ } else {
+ sdr_clr_bits(host->base + MSDC_INTEN, MSDC_INTEN_SDIOIRQ);
+- spin_unlock_irqrestore(&host->lock, flags);
++ sdr_clr_bits(host->base + SDC_CFG, SDC_CFG_SDIOIDE);
++ }
+ }
+
+ static void msdc_enable_sdio_irq(struct mmc_host *mmc, int enb)
+ {
++ unsigned long flags;
+ struct msdc_host *host = mmc_priv(mmc);
+
+- __msdc_enable_sdio_irq(mmc, enb);
++ spin_lock_irqsave(&host->lock, flags);
++ __msdc_enable_sdio_irq(host, enb);
++ spin_unlock_irqrestore(&host->lock, flags);
+
+ if (enb)
+ pm_runtime_get_noresume(host->dev);
+@@ -1394,6 +1395,8 @@ static irqreturn_t msdc_irq(int irq, void *dev_id)
+ spin_lock_irqsave(&host->lock, flags);
+ events = readl(host->base + MSDC_INT);
+ event_mask = readl(host->base + MSDC_INTEN);
++ if ((events & event_mask) & MSDC_INT_SDIOIRQ)
++ __msdc_enable_sdio_irq(host, 0);
+ /* clear interrupts */
+ writel(events & event_mask, host->base + MSDC_INT);
+
+@@ -1402,10 +1405,8 @@ static irqreturn_t msdc_irq(int irq, void *dev_id)
+ data = host->data;
+ spin_unlock_irqrestore(&host->lock, flags);
+
+- if ((events & event_mask) & MSDC_INT_SDIOIRQ) {
+- __msdc_enable_sdio_irq(host->mmc, 0);
++ if ((events & event_mask) & MSDC_INT_SDIOIRQ)
+ sdio_signal_irq(host->mmc);
+- }
+
+ if (!(events & (event_mask & ~MSDC_INT_SDIOIRQ)))
+ break;
+@@ -1528,10 +1529,7 @@ static void msdc_init_hw(struct msdc_host *host)
+ sdr_set_bits(host->base + SDC_CFG, SDC_CFG_SDIO);
+
+ /* Config SDIO device detect interrupt function */
+- if (host->mmc->caps & MMC_CAP_SDIO_IRQ)
+- sdr_set_bits(host->base + SDC_CFG, SDC_CFG_SDIOIDE);
+- else
+- sdr_clr_bits(host->base + SDC_CFG, SDC_CFG_SDIOIDE);
++ sdr_clr_bits(host->base + SDC_CFG, SDC_CFG_SDIOIDE);
+
+ /* Configure to default data timeout */
+ sdr_set_field(host->base + SDC_CFG, SDC_CFG_DTOC, 3);
+@@ -2052,7 +2050,12 @@ static void msdc_hw_reset(struct mmc_host *mmc)
+
+ static void msdc_ack_sdio_irq(struct mmc_host *mmc)
+ {
+- __msdc_enable_sdio_irq(mmc, 1);
++ unsigned long flags;
++ struct msdc_host *host = mmc_priv(mmc);
++
++ spin_lock_irqsave(&host->lock, flags);
++ __msdc_enable_sdio_irq(host, 1);
++ spin_unlock_irqrestore(&host->lock, flags);
+ }
+
+ static const struct mmc_host_ops mt_msdc_ops = {
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-005-mmc-mediatek-fix-SDIO-IRQ-detection-issue.patch b/patches.kernel.org/5.1.15-005-mmc-mediatek-fix-SDIO-IRQ-detection-issue.patch
new file mode 100644
index 0000000000..3aafde22eb
--- /dev/null
+++ b/patches.kernel.org/5.1.15-005-mmc-mediatek-fix-SDIO-IRQ-detection-issue.patch
@@ -0,0 +1,40 @@
+From: jjian zhou <jjian.zhou@mediatek.com>
+Date: Mon, 17 Jun 2019 19:04:08 +0800
+Subject: [PATCH] mmc: mediatek: fix SDIO IRQ detection issue
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 20314ce30af197963b0c239f0952db6aaef73f99
+
+commit 20314ce30af197963b0c239f0952db6aaef73f99 upstream.
+
+If cmd19 timeout or response crcerr occurs during execute_tuning(),
+it need invoke msdc_reset_hw(). Otherwise SDIO IRQ can't be detected.
+
+Signed-off-by: jjian zhou <jjian.zhou@mediatek.com>
+Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
+Signed-off-by: Yong Mao <yong.mao@mediatek.com>
+Fixes: 5215b2e952f3 ("mmc: mediatek: Add MMC_CAP_SDIO_IRQ support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/mmc/host/mtk-sd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c
+index 336935a334ef..b33f2c90d8d8 100644
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -1003,6 +1003,8 @@ static void msdc_request_done(struct msdc_host *host, struct mmc_request *mrq)
+ msdc_track_cmd_data(host, mrq->cmd, mrq->data);
+ if (mrq->data)
+ msdc_unprepare_data(host, mrq);
++ if (host->error)
++ msdc_reset_hw(host);
+ mmc_request_done(host->mmc, mrq);
+ }
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-006-mmc-core-API-to-temporarily-disable-retuning-f.patch b/patches.kernel.org/5.1.15-006-mmc-core-API-to-temporarily-disable-retuning-f.patch
new file mode 100644
index 0000000000..9cb585c85d
--- /dev/null
+++ b/patches.kernel.org/5.1.15-006-mmc-core-API-to-temporarily-disable-retuning-f.patch
@@ -0,0 +1,145 @@
+From: Douglas Anderson <dianders@chromium.org>
+Date: Mon, 17 Jun 2019 10:56:50 -0700
+Subject: [PATCH] mmc: core: API to temporarily disable retuning for SDIO CRC
+ errors
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 0a55f4ab9678413a01e740c86e9367ba0c612b36
+
+commit 0a55f4ab9678413a01e740c86e9367ba0c612b36 upstream.
+
+Normally when the MMC core sees an "-EILSEQ" error returned by a host
+controller then it will trigger a retuning of the card. This is
+generally a good idea.
+
+However, if a command is expected to sometimes cause transfer errors
+then these transfer errors shouldn't cause a re-tuning. This
+re-tuning will be a needless waste of time. One example case where a
+transfer is expected to cause errors is when transitioning between
+idle (sometimes referred to as "sleep" in Broadcom code) and active
+state on certain Broadcom WiFi SDIO cards. Specifically if the card
+was already transitioning between states when the command was sent it
+could cause an error on the SDIO bus.
+
+Let's add an API that the SDIO function drivers can call that will
+temporarily disable the auto-tuning functionality. Then we can add a
+call to this in the Broadcom WiFi driver and any other driver that
+might have similar needs.
+
+NOTE: this makes the assumption that the card is already tuned well
+enough that it's OK to disable the auto-retuning during one of these
+error-prone situations. Presumably the driver code performing the
+error-prone transfer knows how to recover / retry from errors. ...and
+after we can get back to a state where transfers are no longer
+error-prone then we can enable the auto-retuning again. If we truly
+find ourselves in a case where the card needs to be retuned sometimes
+to handle one of these error-prone transfers then we can always try a
+few transfers first without auto-retuning and then re-try with
+auto-retuning if the first few fail.
+
+Without this change on rk3288-veyron-minnie I periodically see this in
+the logs of a machine just sitting there idle:
+ dwmmc_rockchip ff0d0000.dwmmc: Successfully tuned phase to XYZ
+
+Cc: stable@vger.kernel.org #v4.18+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Acked-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/mmc/core/core.c | 5 +++--
+ drivers/mmc/core/sdio_io.c | 37 +++++++++++++++++++++++++++++++++++
+ include/linux/mmc/host.h | 1 +
+ include/linux/mmc/sdio_func.h | 3 +++
+ 4 files changed, 44 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c
+index 6db36dc870b5..9020cb2490f7 100644
+--- a/drivers/mmc/core/core.c
++++ b/drivers/mmc/core/core.c
+@@ -144,8 +144,9 @@ void mmc_request_done(struct mmc_host *host, struct mmc_request *mrq)
+ int err = cmd->error;
+
+ /* Flag re-tuning needed on CRC errors */
+- if ((cmd->opcode != MMC_SEND_TUNING_BLOCK &&
+- cmd->opcode != MMC_SEND_TUNING_BLOCK_HS200) &&
++ if (cmd->opcode != MMC_SEND_TUNING_BLOCK &&
++ cmd->opcode != MMC_SEND_TUNING_BLOCK_HS200 &&
++ !host->retune_crc_disable &&
+ (err == -EILSEQ || (mrq->sbc && mrq->sbc->error == -EILSEQ) ||
+ (mrq->data && mrq->data->error == -EILSEQ) ||
+ (mrq->stop && mrq->stop->error == -EILSEQ)))
+diff --git a/drivers/mmc/core/sdio_io.c b/drivers/mmc/core/sdio_io.c
+index 3f67fbbe0d75..890a94f6dc6a 100644
+--- a/drivers/mmc/core/sdio_io.c
++++ b/drivers/mmc/core/sdio_io.c
+@@ -738,3 +738,40 @@ int sdio_set_host_pm_flags(struct sdio_func *func, mmc_pm_flag_t flags)
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(sdio_set_host_pm_flags);
++
++/**
++ * sdio_retune_crc_disable - temporarily disable retuning on CRC errors
++ * @func: SDIO function attached to host
++ *
++ * If the SDIO card is known to be in a state where it might produce
++ * CRC errors on the bus in response to commands (like if we know it is
++ * transitioning between power states), an SDIO function driver can
++ * call this function to temporarily disable the SD/MMC core behavior of
++ * triggering an automatic retuning.
++ *
++ * This function should be called while the host is claimed and the host
++ * should remain claimed until sdio_retune_crc_enable() is called.
++ * Specifically, the expected sequence of calls is:
++ * - sdio_claim_host()
++ * - sdio_retune_crc_disable()
++ * - some number of calls like sdio_writeb() and sdio_readb()
++ * - sdio_retune_crc_enable()
++ * - sdio_release_host()
++ */
++void sdio_retune_crc_disable(struct sdio_func *func)
++{
++ func->card->host->retune_crc_disable = true;
++}
++EXPORT_SYMBOL_GPL(sdio_retune_crc_disable);
++
++/**
++ * sdio_retune_crc_enable - re-enable retuning on CRC errors
++ * @func: SDIO function attached to host
++ *
++ * This is the compement to sdio_retune_crc_disable().
++ */
++void sdio_retune_crc_enable(struct sdio_func *func)
++{
++ func->card->host->retune_crc_disable = false;
++}
++EXPORT_SYMBOL_GPL(sdio_retune_crc_enable);
+diff --git a/include/linux/mmc/host.h b/include/linux/mmc/host.h
+index 43d0f0c496f6..ecb7972e2423 100644
+--- a/include/linux/mmc/host.h
++++ b/include/linux/mmc/host.h
+@@ -398,6 +398,7 @@ struct mmc_host {
+ unsigned int retune_now:1; /* do re-tuning at next req */
+ unsigned int retune_paused:1; /* re-tuning is temporarily disabled */
+ unsigned int use_blk_mq:1; /* use blk-mq */
++ unsigned int retune_crc_disable:1; /* don't trigger retune upon crc */
+
+ int rescan_disable; /* disable card detection */
+ int rescan_entered; /* used with nonremovable devices */
+diff --git a/include/linux/mmc/sdio_func.h b/include/linux/mmc/sdio_func.h
+index 97ca105347a6..b51eb7dfb4b9 100644
+--- a/include/linux/mmc/sdio_func.h
++++ b/include/linux/mmc/sdio_func.h
+@@ -159,4 +159,7 @@ extern void sdio_f0_writeb(struct sdio_func *func, unsigned char b,
+ extern mmc_pm_flag_t sdio_get_host_pm_caps(struct sdio_func *func);
+ extern int sdio_set_host_pm_flags(struct sdio_func *func, mmc_pm_flag_t flags);
+
++extern void sdio_retune_crc_disable(struct sdio_func *func);
++extern void sdio_retune_crc_enable(struct sdio_func *func);
++
+ #endif /* LINUX_MMC_SDIO_FUNC_H */
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-007-mmc-core-Add-sdio_retune_hold_now-and-sdio_ret.patch b/patches.kernel.org/5.1.15-007-mmc-core-Add-sdio_retune_hold_now-and-sdio_ret.patch
new file mode 100644
index 0000000000..a28f8046e8
--- /dev/null
+++ b/patches.kernel.org/5.1.15-007-mmc-core-Add-sdio_retune_hold_now-and-sdio_ret.patch
@@ -0,0 +1,97 @@
+From: Douglas Anderson <dianders@chromium.org>
+Date: Mon, 17 Jun 2019 10:56:52 -0700
+Subject: [PATCH] mmc: core: Add sdio_retune_hold_now() and
+ sdio_retune_release()
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: b4c9f938d542d5f88c501744d2d12fad4fd2915f
+
+commit b4c9f938d542d5f88c501744d2d12fad4fd2915f upstream.
+
+We want SDIO drivers to be able to temporarily stop retuning when the
+driver knows that the SDIO card is not in a state where retuning will
+work (maybe because the card is asleep). We'll move the relevant
+functions to a place where drivers can call them.
+
+Cc: stable@vger.kernel.org #v4.18+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Acked-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/mmc/core/sdio_io.c | 40 +++++++++++++++++++++++++++++++++++
+ include/linux/mmc/sdio_func.h | 3 +++
+ 2 files changed, 43 insertions(+)
+
+diff --git a/drivers/mmc/core/sdio_io.c b/drivers/mmc/core/sdio_io.c
+index 890a94f6dc6a..df887ced9666 100644
+--- a/drivers/mmc/core/sdio_io.c
++++ b/drivers/mmc/core/sdio_io.c
+@@ -19,6 +19,7 @@
+ #include "sdio_ops.h"
+ #include "core.h"
+ #include "card.h"
++#include "host.h"
+
+ /**
+ * sdio_claim_host - exclusively claim a bus for a certain SDIO function
+@@ -775,3 +776,42 @@ void sdio_retune_crc_enable(struct sdio_func *func)
+ func->card->host->retune_crc_disable = false;
+ }
+ EXPORT_SYMBOL_GPL(sdio_retune_crc_enable);
++
++/**
++ * sdio_retune_hold_now - start deferring retuning requests till release
++ * @func: SDIO function attached to host
++ *
++ * This function can be called if it's currently a bad time to do
++ * a retune of the SDIO card. Retune requests made during this time
++ * will be held and we'll actually do the retune sometime after the
++ * release.
++ *
++ * This function could be useful if an SDIO card is in a power state
++ * where it can respond to a small subset of commands that doesn't
++ * include the retuning command. Care should be taken when using
++ * this function since (presumably) the retuning request we might be
++ * deferring was made for a good reason.
++ *
++ * This function should be called while the host is claimed.
++ */
++void sdio_retune_hold_now(struct sdio_func *func)
++{
++ mmc_retune_hold_now(func->card->host);
++}
++EXPORT_SYMBOL_GPL(sdio_retune_hold_now);
++
++/**
++ * sdio_retune_release - signal that it's OK to retune now
++ * @func: SDIO function attached to host
++ *
++ * This is the complement to sdio_retune_hold_now(). Calling this
++ * function won't make a retune happen right away but will allow
++ * them to be scheduled normally.
++ *
++ * This function should be called while the host is claimed.
++ */
++void sdio_retune_release(struct sdio_func *func)
++{
++ mmc_retune_release(func->card->host);
++}
++EXPORT_SYMBOL_GPL(sdio_retune_release);
+diff --git a/include/linux/mmc/sdio_func.h b/include/linux/mmc/sdio_func.h
+index b51eb7dfb4b9..6905f3f641cc 100644
+--- a/include/linux/mmc/sdio_func.h
++++ b/include/linux/mmc/sdio_func.h
+@@ -162,4 +162,7 @@ extern int sdio_set_host_pm_flags(struct sdio_func *func, mmc_pm_flag_t flags);
+ extern void sdio_retune_crc_disable(struct sdio_func *func);
+ extern void sdio_retune_crc_enable(struct sdio_func *func);
+
++extern void sdio_retune_hold_now(struct sdio_func *func);
++extern void sdio_retune_release(struct sdio_func *func);
++
+ #endif /* LINUX_MMC_SDIO_FUNC_H */
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-008-mmc-core-Prevent-processing-SDIO-IRQs-when-the.patch b/patches.kernel.org/5.1.15-008-mmc-core-Prevent-processing-SDIO-IRQs-when-the.patch
new file mode 100644
index 0000000000..6117d93333
--- /dev/null
+++ b/patches.kernel.org/5.1.15-008-mmc-core-Prevent-processing-SDIO-IRQs-when-the.patch
@@ -0,0 +1,85 @@
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Tue, 18 Jun 2019 14:05:17 +0200
+Subject: [PATCH] mmc: core: Prevent processing SDIO IRQs when the card is
+ suspended
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 83293386bc95cf5e9f0c0175794455835bd1cb4a
+
+commit 83293386bc95cf5e9f0c0175794455835bd1cb4a upstream.
+
+Processing of SDIO IRQs must obviously be prevented while the card is
+system suspended, otherwise we may end up trying to communicate with an
+uninitialized SDIO card.
+
+Reports throughout the years shows that this is not only a theoretical
+problem, but a real issue. So, let's finally fix this problem, by keeping
+track of the state for the card and bail out before processing the SDIO
+IRQ, in case the card is suspended.
+
+Cc: stable@vger.kernel.org
+Reported-by: Douglas Anderson <dianders@chromium.org>
+Tested-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/mmc/core/sdio.c | 13 ++++++++++++-
+ drivers/mmc/core/sdio_irq.c | 4 ++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/core/sdio.c b/drivers/mmc/core/sdio.c
+index 6718fc8bb40f..0f51e774183e 100644
+--- a/drivers/mmc/core/sdio.c
++++ b/drivers/mmc/core/sdio.c
+@@ -941,6 +941,10 @@ static int mmc_sdio_pre_suspend(struct mmc_host *host)
+ */
+ static int mmc_sdio_suspend(struct mmc_host *host)
+ {
++ /* Prevent processing of SDIO IRQs in suspended state. */
++ mmc_card_set_suspended(host->card);
++ cancel_delayed_work_sync(&host->sdio_irq_work);
++
+ mmc_claim_host(host);
+
+ if (mmc_card_keep_power(host) && mmc_card_wake_sdio_irq(host))
+@@ -989,13 +993,20 @@ static int mmc_sdio_resume(struct mmc_host *host)
+ err = sdio_enable_4bit_bus(host->card);
+ }
+
+- if (!err && host->sdio_irqs) {
++ if (err)
++ goto out;
++
++ /* Allow SDIO IRQs to be processed again. */
++ mmc_card_clr_suspended(host->card);
++
++ if (host->sdio_irqs) {
+ if (!(host->caps2 & MMC_CAP2_SDIO_IRQ_NOTHREAD))
+ wake_up_process(host->sdio_irq_thread);
+ else if (host->caps & MMC_CAP_SDIO_IRQ)
+ host->ops->enable_sdio_irq(host, 1);
+ }
+
++out:
+ mmc_release_host(host);
+
+ host->pm_flags &= ~MMC_PM_KEEP_POWER;
+diff --git a/drivers/mmc/core/sdio_irq.c b/drivers/mmc/core/sdio_irq.c
+index 7ca7b99413f0..b299a24d33f9 100644
+--- a/drivers/mmc/core/sdio_irq.c
++++ b/drivers/mmc/core/sdio_irq.c
+@@ -38,6 +38,10 @@ static int process_sdio_pending_irqs(struct mmc_host *host)
+ unsigned char pending;
+ struct sdio_func *func;
+
++ /* Don't process SDIO IRQs if the card is suspended. */
++ if (mmc_card_suspended(card))
++ return 0;
++
+ /*
+ * Optimization, if there is only 1 function interrupt registered
+ * and we know an IRQ was signaled then call irq handler directly.
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-009-scsi-ufs-Avoid-runtime-suspend-possibly-being-.patch b/patches.kernel.org/5.1.15-009-scsi-ufs-Avoid-runtime-suspend-possibly-being-.patch
new file mode 100644
index 0000000000..eee33cbbf4
--- /dev/null
+++ b/patches.kernel.org/5.1.15-009-scsi-ufs-Avoid-runtime-suspend-possibly-being-.patch
@@ -0,0 +1,75 @@
+From: Stanley Chu <stanley.chu@mediatek.com>
+Date: Wed, 12 Jun 2019 23:19:05 +0800
+Subject: [PATCH] scsi: ufs: Avoid runtime suspend possibly being blocked
+ forever
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 24e2e7a19f7e4b83d0d5189040d997bce3596473
+
+commit 24e2e7a19f7e4b83d0d5189040d997bce3596473 upstream.
+
+UFS runtime suspend can be triggered after pm_runtime_enable() is invoked
+in ufshcd_pltfrm_init(). However if the first runtime suspend is triggered
+before binding ufs_hba structure to ufs device structure via
+platform_set_drvdata(), then UFS runtime suspend will be no longer
+triggered in the future because its dev->power.runtime_error was set in the
+first triggering and does not have any chance to be cleared.
+
+To be more clear, dev->power.runtime_error is set if hba is NULL in
+ufshcd_runtime_suspend() which returns -EINVAL to rpm_callback() where
+dev->power.runtime_error is set as -EINVAL. In this case, any future
+rpm_suspend() for UFS device fails because rpm_check_suspend_allowed()
+fails due to non-zero
+dev->power.runtime_error.
+
+To resolve this issue, make sure the first UFS runtime suspend get valid
+"hba" in ufshcd_runtime_suspend(): Enable UFS runtime PM only after hba is
+successfully bound to UFS device structure.
+
+Fixes: 62694735ca95 ([SCSI] ufs: Add runtime PM support for UFS host controller driver)
+Cc: stable@vger.kernel.org
+Signed-off-by: Stanley Chu <stanley.chu@mediatek.com>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/scsi/ufs/ufshcd-pltfrm.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd-pltfrm.c b/drivers/scsi/ufs/ufshcd-pltfrm.c
+index 27213676329c..848c7478efd6 100644
+--- a/drivers/scsi/ufs/ufshcd-pltfrm.c
++++ b/drivers/scsi/ufs/ufshcd-pltfrm.c
+@@ -340,24 +340,21 @@ int ufshcd_pltfrm_init(struct platform_device *pdev,
+ goto dealloc_host;
+ }
+
+- pm_runtime_set_active(&pdev->dev);
+- pm_runtime_enable(&pdev->dev);
+-
+ ufshcd_init_lanes_per_dir(hba);
+
+ err = ufshcd_init(hba, mmio_base, irq);
+ if (err) {
+ dev_err(dev, "Initialization failed\n");
+- goto out_disable_rpm;
++ goto dealloc_host;
+ }
+
+ platform_set_drvdata(pdev, hba);
+
++ pm_runtime_set_active(&pdev->dev);
++ pm_runtime_enable(&pdev->dev);
++
+ return 0;
+
+-out_disable_rpm:
+- pm_runtime_disable(&pdev->dev);
+- pm_runtime_set_suspended(&pdev->dev);
+ dealloc_host:
+ ufshcd_dealloc_host(hba);
+ out:
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-010-usb-chipidea-udc-workaround-for-endpoint-confl.patch b/patches.kernel.org/5.1.15-010-usb-chipidea-udc-workaround-for-endpoint-confl.patch
new file mode 100644
index 0000000000..e45040f525
--- /dev/null
+++ b/patches.kernel.org/5.1.15-010-usb-chipidea-udc-workaround-for-endpoint-confl.patch
@@ -0,0 +1,81 @@
+From: Peter Chen <peter.chen@nxp.com>
+Date: Mon, 17 Jun 2019 09:49:07 +0800
+Subject: [PATCH] usb: chipidea: udc: workaround for endpoint conflict issue
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: c19dffc0a9511a7d7493ec21019aefd97e9a111b
+
+commit c19dffc0a9511a7d7493ec21019aefd97e9a111b upstream.
+
+An endpoint conflict occurs when the USB is working in device mode
+during an isochronous communication. When the endpointA IN direction
+is an isochronous IN endpoint, and the host sends an IN token to
+endpointA on another device, then the OUT transaction may be missed
+regardless the OUT endpoint number. Generally, this occurs when the
+device is connected to the host through a hub and other devices are
+connected to the same hub.
+
+The affected OUT endpoint can be either control, bulk, isochronous, or
+an interrupt endpoint. After the OUT endpoint is primed, if an IN token
+to the same endpoint number on another device is received, then the OUT
+endpoint may be unprimed (cannot be detected by software), which causes
+this endpoint to no longer respond to the host OUT token, and thus, no
+corresponding interrupt occurs.
+
+There is no good workaround for this issue, the only thing the software
+could do is numbering isochronous IN from the highest endpoint since we
+have observed most of device number endpoint from the lowest.
+
+Cc: <stable@vger.kernel.org> #v3.14+
+Cc: Fabio Estevam <festevam@gmail.com>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Cc: Jun Li <jun.li@nxp.com>
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/chipidea/udc.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c
+index 829e947cabf5..6a5ee8e6da10 100644
+--- a/drivers/usb/chipidea/udc.c
++++ b/drivers/usb/chipidea/udc.c
+@@ -1622,6 +1622,25 @@ static int ci_udc_pullup(struct usb_gadget *_gadget, int is_on)
+ static int ci_udc_start(struct usb_gadget *gadget,
+ struct usb_gadget_driver *driver);
+ static int ci_udc_stop(struct usb_gadget *gadget);
++
++/* Match ISOC IN from the highest endpoint */
++static struct usb_ep *ci_udc_match_ep(struct usb_gadget *gadget,
++ struct usb_endpoint_descriptor *desc,
++ struct usb_ss_ep_comp_descriptor *comp_desc)
++{
++ struct ci_hdrc *ci = container_of(gadget, struct ci_hdrc, gadget);
++ struct usb_ep *ep;
++
++ if (usb_endpoint_xfer_isoc(desc) && usb_endpoint_dir_in(desc)) {
++ list_for_each_entry_reverse(ep, &ci->gadget.ep_list, ep_list) {
++ if (ep->caps.dir_in && !ep->claimed)
++ return ep;
++ }
++ }
++
++ return NULL;
++}
++
+ /**
+ * Device operations part of the API to the USB controller hardware,
+ * which don't involve endpoints (or i/o)
+@@ -1635,6 +1654,7 @@ static const struct usb_gadget_ops usb_gadget_ops = {
+ .vbus_draw = ci_udc_vbus_draw,
+ .udc_start = ci_udc_start,
+ .udc_stop = ci_udc_stop,
++ .match_ep = ci_udc_match_ep,
+ };
+
+ static int init_eps(struct ci_hdrc *ci)
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-011-xhci-detect-USB-3.2-capable-host-controllers-c.patch b/patches.kernel.org/5.1.15-011-xhci-detect-USB-3.2-capable-host-controllers-c.patch
new file mode 100644
index 0000000000..9c6030970b
--- /dev/null
+++ b/patches.kernel.org/5.1.15-011-xhci-detect-USB-3.2-capable-host-controllers-c.patch
@@ -0,0 +1,72 @@
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Tue, 18 Jun 2019 17:27:48 +0300
+Subject: [PATCH] xhci: detect USB 3.2 capable host controllers correctly
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: ddd57980a0fde30f7b5d14b888a2cc84d01610e8
+
+commit ddd57980a0fde30f7b5d14b888a2cc84d01610e8 upstream.
+
+USB 3.2 capability in a host can be detected from the
+xHCI Supported Protocol Capability major and minor revision fields.
+
+If major is 0x3 and minor 0x20 then the host is USB 3.2 capable.
+
+For USB 3.2 capable hosts set the root hub lane count to 2.
+
+The Major Revision and Minor Revision fields contain a BCD version number.
+The value of the Major Revision field is JJh and the value of the Minor
+Revision field is MNh for version JJ.M.N, where JJ = major revision number,
+M - minor version number, N = sub-minor version number,
+e.g. version 3.1 is represented with a value of 0310h.
+
+Also fix the extra whitespace printed out when announcing regular
+SuperSpeed hosts.
+
+Cc: <stable@vger.kernel.org> # v4.18+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/host/xhci.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index 448e3f812833..6bc928b9e7a6 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -5029,16 +5029,26 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks)
+ } else {
+ /*
+ * Some 3.1 hosts return sbrn 0x30, use xhci supported protocol
+- * minor revision instead of sbrn
++ * minor revision instead of sbrn. Minor revision is a two digit
++ * BCD containing minor and sub-minor numbers, only show minor.
+ */
+- minor_rev = xhci->usb3_rhub.min_rev;
+- if (minor_rev) {
++ minor_rev = xhci->usb3_rhub.min_rev / 0x10;
++
++ switch (minor_rev) {
++ case 2:
++ hcd->speed = HCD_USB32;
++ hcd->self.root_hub->speed = USB_SPEED_SUPER_PLUS;
++ hcd->self.root_hub->rx_lanes = 2;
++ hcd->self.root_hub->tx_lanes = 2;
++ break;
++ case 1:
+ hcd->speed = HCD_USB31;
+ hcd->self.root_hub->speed = USB_SPEED_SUPER_PLUS;
++ break;
+ }
+- xhci_info(xhci, "Host supports USB 3.%x %s SuperSpeed\n",
++ xhci_info(xhci, "Host supports USB 3.%x %sSuperSpeed\n",
+ minor_rev,
+- minor_rev ? "Enhanced" : "");
++ minor_rev ? "Enhanced " : "");
+
+ xhci->usb3_rhub.hcd = hcd;
+ /* xHCI private pointer was set in xhci_pci_probe for the second
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-012-usb-xhci-Don-t-try-to-recover-an-endpoint-if-p.patch b/patches.kernel.org/5.1.15-012-usb-xhci-Don-t-try-to-recover-an-endpoint-if-p.patch
new file mode 100644
index 0000000000..1ff8cb7f56
--- /dev/null
+++ b/patches.kernel.org/5.1.15-012-usb-xhci-Don-t-try-to-recover-an-endpoint-if-p.patch
@@ -0,0 +1,128 @@
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Tue, 18 Jun 2019 17:27:47 +0300
+Subject: [PATCH] usb: xhci: Don't try to recover an endpoint if port is in
+ error state.
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: b8c3b718087bf7c3c8e388eb1f72ac1108a4926e
+
+commit b8c3b718087bf7c3c8e388eb1f72ac1108a4926e upstream.
+
+A USB3 device needs to be reset and re-enumarated if the port it
+connects to goes to a error state, with link state inactive.
+
+There is no use in trying to recover failed transactions by resetting
+endpoints at this stage. Tests show that in rare cases, after multiple
+endpoint resets of a roothub port the whole host controller might stop
+completely.
+
+Several retries to recover from transaction error can happen as
+it can take a long time before the hub thread discovers the USB3
+port error and inactive link.
+
+We can't reliably detect the port error from slot or endpoint context
+due to a limitation in xhci, see xhci specs section 4.8.3:
+"There are several cases where the EP State field in the Output
+Endpoint Context may not reflect the current state of an endpoint"
+and
+"Software should maintain an accurate value for EP State, by tracking it
+with an internal variable that is driven by Events and Doorbell accesses"
+
+Same appears to be true for slot state.
+
+set a flag to the corresponding slot if a USB3 roothub port link goes
+inactive to prevent both queueing new URBs and resetting endpoints.
+
+Reported-by: Rapolu Chiranjeevi <chiranjeevi.rapolu@intel.com>
+Tested-by: Rapolu Chiranjeevi <chiranjeevi.rapolu@intel.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/usb/host/xhci-ring.c | 15 ++++++++++++++-
+ drivers/usb/host/xhci.c | 5 +++++
+ drivers/usb/host/xhci.h | 9 +++++++++
+ 3 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index 765ef5f1ffb8..3c8e65900dcb 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1608,8 +1608,13 @@ static void handle_port_status(struct xhci_hcd *xhci,
+ usb_hcd_resume_root_hub(hcd);
+ }
+
+- if (hcd->speed >= HCD_USB3 && (portsc & PORT_PLS_MASK) == XDEV_INACTIVE)
++ if (hcd->speed >= HCD_USB3 &&
++ (portsc & PORT_PLS_MASK) == XDEV_INACTIVE) {
++ slot_id = xhci_find_slot_id_by_port(hcd, xhci, hcd_portnum + 1);
++ if (slot_id && xhci->devs[slot_id])
++ xhci->devs[slot_id]->flags |= VDEV_PORT_ERROR;
+ bus_state->port_remote_wakeup &= ~(1 << hcd_portnum);
++ }
+
+ if ((portsc & PORT_PLC) && (portsc & PORT_PLS_MASK) == XDEV_RESUME) {
+ xhci_dbg(xhci, "port resume event for port %d\n", port_id);
+@@ -1797,6 +1802,14 @@ static void xhci_cleanup_halted_endpoint(struct xhci_hcd *xhci,
+ {
+ struct xhci_virt_ep *ep = &xhci->devs[slot_id]->eps[ep_index];
+ struct xhci_command *command;
++
++ /*
++ * Avoid resetting endpoint if link is inactive. Can cause host hang.
++ * Device will be reset soon to recover the link so don't do anything
++ */
++ if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR)
++ return;
++
+ command = xhci_alloc_command(xhci, false, GFP_ATOMIC);
+ if (!command)
+ return;
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index 6bc928b9e7a6..f39ca3980e48 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -1442,6 +1442,10 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
+ xhci_dbg(xhci, "urb submitted during PCI suspend\n");
+ return -ESHUTDOWN;
+ }
++ if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) {
++ xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n");
++ return -ENODEV;
++ }
+
+ if (usb_endpoint_xfer_isoc(&urb->ep->desc))
+ num_tds = urb->number_of_packets;
+@@ -3724,6 +3728,7 @@ static int xhci_discover_or_reset_device(struct usb_hcd *hcd,
+ }
+ /* If necessary, update the number of active TTs on this root port */
+ xhci_update_tt_active_eps(xhci, virt_dev, old_active_eps);
++ virt_dev->flags = 0;
+ ret = 0;
+
+ command_cleanup:
+diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
+index 9334cdee382a..a0035e7b62d8 100644
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1010,6 +1010,15 @@ struct xhci_virt_device {
+ u8 real_port;
+ struct xhci_interval_bw_table *bw_table;
+ struct xhci_tt_bw_info *tt_info;
++ /*
++ * flags for state tracking based on events and issued commands.
++ * Software can not rely on states from output contexts because of
++ * latency between events and xHC updating output context values.
++ * See xhci 1.1 section 4.8.3 for more details
++ */
++ unsigned long flags;
++#define VDEV_PORT_ERROR BIT(0) /* Port error, link inactive */
++
+ /* The current max exit latency for the enabled USB3 link states. */
+ u16 current_mel;
+ /* Used for the debugfs interfaces. */
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-013-cifs-add-spinlock-for-the-openFileList-to-cifs.patch b/patches.kernel.org/5.1.15-013-cifs-add-spinlock-for-the-openFileList-to-cifs.patch
new file mode 100644
index 0000000000..63db7c1c2f
--- /dev/null
+++ b/patches.kernel.org/5.1.15-013-cifs-add-spinlock-for-the-openFileList-to-cifs.patch
@@ -0,0 +1,112 @@
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Wed, 5 Jun 2019 10:38:38 +1000
+Subject: [PATCH] cifs: add spinlock for the openFileList to cifsInodeInfo
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 487317c99477d00f22370625d53be3239febabbe
+
+commit 487317c99477d00f22370625d53be3239febabbe upstream.
+
+We can not depend on the tcon->open_file_lock here since in multiuser mode
+we may have the same file/inode open via multiple different tcons.
+
+The current code is race prone and will crash if one user deletes a file
+at the same time a different user opens/create the file.
+
+To avoid this we need to have a spinlock attached to the inode and not the tcon.
+
+RHBZ: 1580165
+
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/cifs/cifsfs.c | 1 +
+ fs/cifs/cifsglob.h | 5 +++++
+ fs/cifs/file.c | 8 ++++++--
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
+index a05bf1d6e1d0..2ab3de440927 100644
+--- a/fs/cifs/cifsfs.c
++++ b/fs/cifs/cifsfs.c
+@@ -303,6 +303,7 @@ cifs_alloc_inode(struct super_block *sb)
+ cifs_inode->uniqueid = 0;
+ cifs_inode->createtime = 0;
+ cifs_inode->epoch = 0;
++ spin_lock_init(&cifs_inode->open_file_lock);
+ generate_random_uuid(cifs_inode->lease_key);
+
+ /*
+diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
+index 607468948f72..a588fbc54968 100644
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -1357,6 +1357,7 @@ struct cifsInodeInfo {
+ struct rw_semaphore lock_sem; /* protect the fields above */
+ /* BB add in lists for dirty pages i.e. write caching info for oplock */
+ struct list_head openFileList;
++ spinlock_t open_file_lock; /* protects openFileList */
+ __u32 cifsAttrs; /* e.g. DOS archive bit, sparse, compressed, system */
+ unsigned int oplock; /* oplock/lease level we have */
+ unsigned int epoch; /* used to track lease state changes */
+@@ -1760,10 +1761,14 @@ require use of the stronger protocol */
+ * tcp_ses_lock protects:
+ * list operations on tcp and SMB session lists
+ * tcon->open_file_lock protects the list of open files hanging off the tcon
++ * inode->open_file_lock protects the openFileList hanging off the inode
+ * cfile->file_info_lock protects counters and fields in cifs file struct
+ * f_owner.lock protects certain per file struct operations
+ * mapping->page_lock protects certain per page operations
+ *
++ * Note that the cifs_tcon.open_file_lock should be taken before
++ * not after the cifsInodeInfo.open_file_lock
++ *
+ * Semaphores
+ * ----------
+ * sesSem operations on smb session
+diff --git a/fs/cifs/file.c b/fs/cifs/file.c
+index 9a1db37b303a..736a61843e73 100644
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -338,10 +338,12 @@ cifs_new_fileinfo(struct cifs_fid *fid, struct file *file,
+ atomic_inc(&tcon->num_local_opens);
+
+ /* if readable file instance put first in list*/
++ spin_lock(&cinode->open_file_lock);
+ if (file->f_mode & FMODE_READ)
+ list_add(&cfile->flist, &cinode->openFileList);
+ else
+ list_add_tail(&cfile->flist, &cinode->openFileList);
++ spin_unlock(&cinode->open_file_lock);
+ spin_unlock(&tcon->open_file_lock);
+
+ if (fid->purge_cache)
+@@ -413,7 +415,9 @@ void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_handler)
+ cifs_add_pending_open_locked(&fid, cifs_file->tlink, &open);
+
+ /* remove it from the lists */
++ spin_lock(&cifsi->open_file_lock);
+ list_del(&cifs_file->flist);
++ spin_unlock(&cifsi->open_file_lock);
+ list_del(&cifs_file->tlist);
+ atomic_dec(&tcon->num_local_opens);
+
+@@ -1950,9 +1954,9 @@ cifs_get_writable_file(struct cifsInodeInfo *cifs_inode, bool fsuid_only,
+ return 0;
+ }
+
+- spin_lock(&tcon->open_file_lock);
++ spin_lock(&cifs_inode->open_file_lock);
+ list_move_tail(&inv_file->flist, &cifs_inode->openFileList);
+- spin_unlock(&tcon->open_file_lock);
++ spin_unlock(&cifs_inode->open_file_lock);
+ cifsFileInfo_put(inv_file);
+ ++refind;
+ inv_file = NULL;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-014-cifs-fix-GlobalMid_Lock-bug-in-cifs_reconnect.patch b/patches.kernel.org/5.1.15-014-cifs-fix-GlobalMid_Lock-bug-in-cifs_reconnect.patch
new file mode 100644
index 0000000000..9e15ea60fa
--- /dev/null
+++ b/patches.kernel.org/5.1.15-014-cifs-fix-GlobalMid_Lock-bug-in-cifs_reconnect.patch
@@ -0,0 +1,52 @@
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Fri, 14 Jun 2019 13:02:29 +1000
+Subject: [PATCH] cifs: fix GlobalMid_Lock bug in cifs_reconnect
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 61cabc7b0a5cf0d3c532cfa96594c801743fe7f6
+
+commit 61cabc7b0a5cf0d3c532cfa96594c801743fe7f6 upstream.
+
+We can not hold the GlobalMid_Lock spinlock during the
+dfs processing in cifs_reconnect since it invokes things that may sleep
+and thus trigger :
+
+BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:23
+
+Thus we need to drop the spinlock during this code block.
+
+RHBZ: 1716743
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/cifs/connect.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index 4c0e44489f21..e9507fba0b36 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -478,6 +478,7 @@ cifs_reconnect(struct TCP_Server_Info *server)
+ spin_lock(&GlobalMid_Lock);
+ server->nr_targets = 1;
+ #ifdef CONFIG_CIFS_DFS_UPCALL
++ spin_unlock(&GlobalMid_Lock);
+ cifs_sb = find_super_by_tcp(server);
+ if (IS_ERR(cifs_sb)) {
+ rc = PTR_ERR(cifs_sb);
+@@ -495,6 +496,7 @@ cifs_reconnect(struct TCP_Server_Info *server)
+ }
+ cifs_dbg(FYI, "%s: will retry %d target(s)\n", __func__,
+ server->nr_targets);
++ spin_lock(&GlobalMid_Lock);
+ #endif
+ if (server->tcpStatus == CifsExiting) {
+ /* the demux thread will exit normally
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-015-IB-hfi1-Validate-fault-injection-opcode-user-i.patch b/patches.kernel.org/5.1.15-015-IB-hfi1-Validate-fault-injection-opcode-user-i.patch
new file mode 100644
index 0000000000..cd12da64e1
--- /dev/null
+++ b/patches.kernel.org/5.1.15-015-IB-hfi1-Validate-fault-injection-opcode-user-i.patch
@@ -0,0 +1,52 @@
+From: Kaike Wan <kaike.wan@intel.com>
+Date: Fri, 7 Jun 2019 08:25:25 -0400
+Subject: [PATCH] IB/hfi1: Validate fault injection opcode user input
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 5f90677ed31963abb184ee08ebee4a4a68225dd8
+
+commit 5f90677ed31963abb184ee08ebee4a4a68225dd8 upstream.
+
+The opcode range for fault injection from user should be validated before
+it is applied to the fault->opcodes[] bitmap to avoid out-of-bound
+error.
+
+Cc: <stable@vger.kernel.org>
+Fixes: a74d5307caba ("IB/hfi1: Rework fault injection machinery")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Kaike Wan <kaike.wan@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/infiniband/hw/hfi1/fault.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/infiniband/hw/hfi1/fault.c b/drivers/infiniband/hw/hfi1/fault.c
+index 3fd3315d0fb0..93613e5def9b 100644
+--- a/drivers/infiniband/hw/hfi1/fault.c
++++ b/drivers/infiniband/hw/hfi1/fault.c
+@@ -153,6 +153,7 @@ static ssize_t fault_opcodes_write(struct file *file, const char __user *buf,
+ char *dash;
+ unsigned long range_start, range_end, i;
+ bool remove = false;
++ unsigned long bound = 1U << BITS_PER_BYTE;
+
+ end = strchr(ptr, ',');
+ if (end)
+@@ -178,6 +179,10 @@ static ssize_t fault_opcodes_write(struct file *file, const char __user *buf,
+ BITS_PER_BYTE);
+ break;
+ }
++ /* Check the inputs */
++ if (range_start >= bound || range_end >= bound)
++ break;
++
+ for (i = range_start; i <= range_end; i++) {
+ if (remove)
+ clear_bit(i, fault->opcodes);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-016-IB-hfi1-Close-PSM-sdma_progress-sleep-window.patch b/patches.kernel.org/5.1.15-016-IB-hfi1-Close-PSM-sdma_progress-sleep-window.patch
new file mode 100644
index 0000000000..93bc80fb83
--- /dev/null
+++ b/patches.kernel.org/5.1.15-016-IB-hfi1-Close-PSM-sdma_progress-sleep-window.patch
@@ -0,0 +1,92 @@
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 7 Jun 2019 08:25:31 -0400
+Subject: [PATCH] IB/hfi1: Close PSM sdma_progress sleep window
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: da9de5f8527f4b9efc82f967d29a583318c034c7
+
+commit da9de5f8527f4b9efc82f967d29a583318c034c7 upstream.
+
+The call to sdma_progress() is called outside the wait lock.
+
+In this case, there is a race condition where sdma_progress() can return
+false and the sdma_engine can idle. If that happens, there will be no
+more sdma interrupts to cause the wakeup and the user_sdma xmit will hang.
+
+Fix by moving the lock to enclose the sdma_progress() call.
+
+Also, delete busycount. The need for this was removed by:
+commit bcad29137a97 ("IB/hfi1: Serve the most starved iowait entry first")
+
+Cc: <stable@vger.kernel.org>
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Reviewed-by: Gary Leshner <Gary.S.Leshner@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/infiniband/hw/hfi1/user_sdma.c | 12 ++++--------
+ drivers/infiniband/hw/hfi1/user_sdma.h | 1 -
+ 2 files changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/user_sdma.c b/drivers/infiniband/hw/hfi1/user_sdma.c
+index 8bfbc6d7ea34..fd754a16475a 100644
+--- a/drivers/infiniband/hw/hfi1/user_sdma.c
++++ b/drivers/infiniband/hw/hfi1/user_sdma.c
+@@ -130,20 +130,16 @@ static int defer_packet_queue(
+ {
+ struct hfi1_user_sdma_pkt_q *pq =
+ container_of(wait->iow, struct hfi1_user_sdma_pkt_q, busy);
+- struct user_sdma_txreq *tx =
+- container_of(txreq, struct user_sdma_txreq, txreq);
+
+- if (sdma_progress(sde, seq, txreq)) {
+- if (tx->busycount++ < MAX_DEFER_RETRY_COUNT)
+- goto eagain;
+- }
++ write_seqlock(&sde->waitlock);
++ if (sdma_progress(sde, seq, txreq))
++ goto eagain;
+ /*
+ * We are assuming that if the list is enqueued somewhere, it
+ * is to the dmawait list since that is the only place where
+ * it is supposed to be enqueued.
+ */
+ xchg(&pq->state, SDMA_PKT_Q_DEFERRED);
+- write_seqlock(&sde->waitlock);
+ if (list_empty(&pq->busy.list)) {
+ iowait_get_priority(&pq->busy);
+ iowait_queue(pkts_sent, &pq->busy, &sde->dmawait);
+@@ -151,6 +147,7 @@ static int defer_packet_queue(
+ write_sequnlock(&sde->waitlock);
+ return -EBUSY;
+ eagain:
++ write_sequnlock(&sde->waitlock);
+ return -EAGAIN;
+ }
+
+@@ -804,7 +801,6 @@ static int user_sdma_send_pkts(struct user_sdma_request *req, u16 maxpkts)
+
+ tx->flags = 0;
+ tx->req = req;
+- tx->busycount = 0;
+ INIT_LIST_HEAD(&tx->list);
+
+ /*
+diff --git a/drivers/infiniband/hw/hfi1/user_sdma.h b/drivers/infiniband/hw/hfi1/user_sdma.h
+index 14dfd757dafd..4d8510b0fc38 100644
+--- a/drivers/infiniband/hw/hfi1/user_sdma.h
++++ b/drivers/infiniband/hw/hfi1/user_sdma.h
+@@ -245,7 +245,6 @@ struct user_sdma_txreq {
+ struct list_head list;
+ struct user_sdma_request *req;
+ u16 flags;
+- unsigned int busycount;
+ u16 seqnum;
+ };
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-017-IB-hfi1-Avoid-hardlockup-with-flushlist_lock.patch b/patches.kernel.org/5.1.15-017-IB-hfi1-Avoid-hardlockup-with-flushlist_lock.patch
new file mode 100644
index 0000000000..5376011065
--- /dev/null
+++ b/patches.kernel.org/5.1.15-017-IB-hfi1-Avoid-hardlockup-with-flushlist_lock.patch
@@ -0,0 +1,65 @@
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 14 Jun 2019 12:32:26 -0400
+Subject: [PATCH] IB/hfi1: Avoid hardlockup with flushlist_lock
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: cf131a81967583ae737df6383a0893b9fee75b4e
+
+commit cf131a81967583ae737df6383a0893b9fee75b4e upstream.
+
+Heavy contention of the sde flushlist_lock can cause hard lockups at
+extreme scale when the flushing logic is under stress.
+
+Mitigate by replacing the item at a time copy to the local list with
+an O(1) list_splice_init() and using the high priority work queue to
+do the flushes.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/infiniband/hw/hfi1/sdma.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c
+index b0110728f541..70828de7436b 100644
+--- a/drivers/infiniband/hw/hfi1/sdma.c
++++ b/drivers/infiniband/hw/hfi1/sdma.c
+@@ -410,10 +410,7 @@ static void sdma_flush(struct sdma_engine *sde)
+ sdma_flush_descq(sde);
+ spin_lock_irqsave(&sde->flushlist_lock, flags);
+ /* copy flush list */
+- list_for_each_entry_safe(txp, txp_next, &sde->flushlist, list) {
+- list_del_init(&txp->list);
+- list_add_tail(&txp->list, &flushlist);
+- }
++ list_splice_init(&sde->flushlist, &flushlist);
+ spin_unlock_irqrestore(&sde->flushlist_lock, flags);
+ /* flush from flush list */
+ list_for_each_entry_safe(txp, txp_next, &flushlist, list)
+@@ -2413,7 +2410,7 @@ int sdma_send_txreq(struct sdma_engine *sde,
+ list_add_tail(&tx->list, &sde->flushlist);
+ spin_unlock(&sde->flushlist_lock);
+ iowait_inc_wait_count(wait, tx->num_desc);
+- schedule_work(&sde->flush_worker);
++ queue_work_on(sde->cpu, system_highpri_wq, &sde->flush_worker);
+ ret = -ECOMM;
+ goto unlock;
+ nodesc:
+@@ -2511,7 +2508,7 @@ int sdma_send_txlist(struct sdma_engine *sde, struct iowait_work *wait,
+ iowait_inc_wait_count(wait, tx->num_desc);
+ }
+ spin_unlock(&sde->flushlist_lock);
+- schedule_work(&sde->flush_worker);
++ queue_work_on(sde->cpu, system_highpri_wq, &sde->flush_worker);
+ ret = -ECOMM;
+ goto update_tail;
+ nodesc:
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-018-IB-hfi1-Correct-tid-qp-rcd-to-match-verbs-cont.patch b/patches.kernel.org/5.1.15-018-IB-hfi1-Correct-tid-qp-rcd-to-match-verbs-cont.patch
new file mode 100644
index 0000000000..3fe4f90e28
--- /dev/null
+++ b/patches.kernel.org/5.1.15-018-IB-hfi1-Correct-tid-qp-rcd-to-match-verbs-cont.patch
@@ -0,0 +1,125 @@
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Mon, 10 Jun 2019 12:28:18 -0400
+Subject: [PATCH] IB/hfi1: Correct tid qp rcd to match verbs context
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: cc78076af14e1478c1a8fb18997674b5f8cbe3c8
+
+commit cc78076af14e1478c1a8fb18997674b5f8cbe3c8 upstream.
+
+The qp priv rcd pointer doesn't match the context being used for verbs
+causing issues when 9B and kdeth packets are processed by different
+receive contexts and hence different CPUs.
+
+When running on different CPUs the following panic can occur:
+
+ WARNING: CPU: 3 PID: 2584 at lib/list_debug.c:59 __list_del_entry+0xa1/0xd0
+ list_del corruption. prev->next should be ffff9a7ac31f7a30, but was ffff9a7c3bc89230
+ CPU: 3 PID: 2584 Comm: z_wr_iss Kdump: loaded Tainted: P OE ------------ 3.10.0-862.2.3.el7_lustre.x86_64 #1
+ Call Trace:
+ <IRQ> [<ffffffffb7b0d78e>] dump_stack+0x19/0x1b
+ [<ffffffffb74916d8>] __warn+0xd8/0x100
+ [<ffffffffb749175f>] warn_slowpath_fmt+0x5f/0x80
+ [<ffffffffb7768671>] __list_del_entry+0xa1/0xd0
+ [<ffffffffc0c7a945>] process_rcv_qp_work+0xb5/0x160 [hfi1]
+ [<ffffffffc0c7bc2b>] handle_receive_interrupt_nodma_rtail+0x20b/0x2b0 [hfi1]
+ [<ffffffffc0c70683>] receive_context_interrupt+0x23/0x40 [hfi1]
+ [<ffffffffb7540a94>] __handle_irq_event_percpu+0x44/0x1c0
+ [<ffffffffb7540c42>] handle_irq_event_percpu+0x32/0x80
+ [<ffffffffb7540ccc>] handle_irq_event+0x3c/0x60
+ [<ffffffffb7543a1f>] handle_edge_irq+0x7f/0x150
+ [<ffffffffb742d504>] handle_irq+0xe4/0x1a0
+ [<ffffffffb7b23f7d>] do_IRQ+0x4d/0xf0
+ [<ffffffffb7b16362>] common_interrupt+0x162/0x162
+ <EOI> [<ffffffffb775a326>] ? memcpy+0x6/0x110
+ [<ffffffffc109210d>] ? abd_copy_from_buf_off_cb+0x1d/0x30 [zfs]
+ [<ffffffffc10920f0>] ? abd_copy_to_buf_off_cb+0x30/0x30 [zfs]
+ [<ffffffffc1093257>] abd_iterate_func+0x97/0x120 [zfs]
+ [<ffffffffc10934d9>] abd_copy_from_buf_off+0x39/0x60 [zfs]
+ [<ffffffffc109b828>] arc_write_ready+0x178/0x300 [zfs]
+ [<ffffffffb7b11032>] ? mutex_lock+0x12/0x2f
+ [<ffffffffb7b11032>] ? mutex_lock+0x12/0x2f
+ [<ffffffffc1164d05>] zio_ready+0x65/0x3d0 [zfs]
+ [<ffffffffc04d725e>] ? tsd_get_by_thread+0x2e/0x50 [spl]
+ [<ffffffffc04d1318>] ? taskq_member+0x18/0x30 [spl]
+ [<ffffffffc115ef22>] zio_execute+0xa2/0x100 [zfs]
+ [<ffffffffc04d1d2c>] taskq_thread+0x2ac/0x4f0 [spl]
+ [<ffffffffb74cee80>] ? wake_up_state+0x20/0x20
+ [<ffffffffc115ee80>] ? zio_taskq_member.isra.7.constprop.10+0x80/0x80 [zfs]
+ [<ffffffffc04d1a80>] ? taskq_thread_spawn+0x60/0x60 [spl]
+ [<ffffffffb74bae31>] kthread+0xd1/0xe0
+ [<ffffffffb74bad60>] ? insert_kthread_work+0x40/0x40
+ [<ffffffffb7b1f5f7>] ret_from_fork_nospec_begin+0x21/0x21
+ [<ffffffffb74bad60>] ? insert_kthread_work+0x40/0x40
+
+Fix by reading the map entry in the same manner as the hardware so that
+the kdeth and verbs contexts match.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 5190f052a365 ("IB/hfi1: Allow the driver to initialize QP priv struct")
+Reviewed-by: Kaike Wan <kaike.wan@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/infiniband/hw/hfi1/chip.c | 13 +++++++++++++
+ drivers/infiniband/hw/hfi1/chip.h | 1 +
+ drivers/infiniband/hw/hfi1/tid_rdma.c | 4 +---
+ 3 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/chip.c b/drivers/infiniband/hw/hfi1/chip.c
+index 9784c6c0d2ec..e02d9a739e9c 100644
+--- a/drivers/infiniband/hw/hfi1/chip.c
++++ b/drivers/infiniband/hw/hfi1/chip.c
+@@ -14027,6 +14027,19 @@ static void init_kdeth_qp(struct hfi1_devdata *dd)
+ RCV_BTH_QP_KDETH_QP_SHIFT);
+ }
+
++/**
++ * hfi1_get_qp_map
++ * @dd: device data
++ * @idx: index to read
++ */
++u8 hfi1_get_qp_map(struct hfi1_devdata *dd, u8 idx)
++{
++ u64 reg = read_csr(dd, RCV_QP_MAP_TABLE + (idx / 8) * 8);
++
++ reg >>= (idx % 8) * 8;
++ return reg;
++}
++
+ /**
+ * init_qpmap_table
+ * @dd - device data
+diff --git a/drivers/infiniband/hw/hfi1/chip.h b/drivers/infiniband/hw/hfi1/chip.h
+index 6c27c1c6a868..a5c61400b295 100644
+--- a/drivers/infiniband/hw/hfi1/chip.h
++++ b/drivers/infiniband/hw/hfi1/chip.h
+@@ -1442,6 +1442,7 @@ void clear_all_interrupts(struct hfi1_devdata *dd);
+ void remap_intr(struct hfi1_devdata *dd, int isrc, int msix_intr);
+ void remap_sdma_interrupts(struct hfi1_devdata *dd, int engine, int msix_intr);
+ void reset_interrupts(struct hfi1_devdata *dd);
++u8 hfi1_get_qp_map(struct hfi1_devdata *dd, u8 idx);
+
+ /*
+ * Interrupt source table.
+diff --git a/drivers/infiniband/hw/hfi1/tid_rdma.c b/drivers/infiniband/hw/hfi1/tid_rdma.c
+index 43cbce7a19ea..e0851f01a804 100644
+--- a/drivers/infiniband/hw/hfi1/tid_rdma.c
++++ b/drivers/infiniband/hw/hfi1/tid_rdma.c
+@@ -305,9 +305,7 @@ static struct hfi1_ctxtdata *qp_to_rcd(struct rvt_dev_info *rdi,
+ if (qp->ibqp.qp_num == 0)
+ ctxt = 0;
+ else
+- ctxt = ((qp->ibqp.qp_num >> dd->qos_shift) %
+- (dd->n_krcv_queues - 1)) + 1;
+-
++ ctxt = hfi1_get_qp_map(dd, qp->ibqp.qp_num >> dd->qos_shift);
+ return dd->rcd[ctxt];
+ }
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-019-IB-hfi1-Silence-txreq-allocation-warnings.patch b/patches.kernel.org/5.1.15-019-IB-hfi1-Silence-txreq-allocation-warnings.patch
new file mode 100644
index 0000000000..b1f9ad34be
--- /dev/null
+++ b/patches.kernel.org/5.1.15-019-IB-hfi1-Silence-txreq-allocation-warnings.patch
@@ -0,0 +1,98 @@
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 14 Jun 2019 12:32:32 -0400
+Subject: [PATCH] IB/hfi1: Silence txreq allocation warnings
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 3230f4a8d44e4a0bb7afea814b280b5129521f52
+
+commit 3230f4a8d44e4a0bb7afea814b280b5129521f52 upstream.
+
+The following warning can happen when a memory shortage
+occurs during txreq allocation:
+
+[10220.939246] SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC)
+[10220.939246] Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0018.C4.072020161249 07/20/2016
+[10220.939247] cache: mnt_cache, object size: 384, buffer size: 384, default order: 2, min order: 0
+[10220.939260] Workqueue: hfi0_0 _hfi1_do_send [hfi1]
+[10220.939261] node 0: slabs: 1026568, objs: 43115856, free: 0
+[10220.939262] Call Trace:
+[10220.939262] node 1: slabs: 820872, objs: 34476624, free: 0
+[10220.939263] dump_stack+0x5a/0x73
+[10220.939265] warn_alloc+0x103/0x190
+[10220.939267] ? wake_all_kswapds+0x54/0x8b
+[10220.939268] __alloc_pages_slowpath+0x86c/0xa2e
+[10220.939270] ? __alloc_pages_nodemask+0x2fe/0x320
+[10220.939271] __alloc_pages_nodemask+0x2fe/0x320
+[10220.939273] new_slab+0x475/0x550
+[10220.939275] ___slab_alloc+0x36c/0x520
+[10220.939287] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939299] ? __get_txreq+0x54/0x160 [hfi1]
+[10220.939310] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939312] __slab_alloc+0x40/0x61
+[10220.939323] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939325] kmem_cache_alloc+0x181/0x1b0
+[10220.939336] hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939348] ? hfi1_verbs_send_dma+0x386/0xa10 [hfi1]
+[10220.939359] ? find_prev_entry+0xb0/0xb0 [hfi1]
+[10220.939371] hfi1_do_send+0x1d9/0x3f0 [hfi1]
+[10220.939372] process_one_work+0x171/0x380
+[10220.939374] worker_thread+0x49/0x3f0
+[10220.939375] kthread+0xf8/0x130
+[10220.939377] ? max_active_store+0x80/0x80
+[10220.939378] ? kthread_bind+0x10/0x10
+[10220.939379] ret_from_fork+0x35/0x40
+[10220.939381] SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC)
+
+The shortage is handled properly so the message isn't needed. Silence by
+adding the no warn option to the slab allocation.
+
+Fixes: 45842abbb292 ("staging/rdma/hfi1: move txreq header code")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/infiniband/hw/hfi1/verbs_txreq.c | 2 +-
+ drivers/infiniband/hw/hfi1/verbs_txreq.h | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/verbs_txreq.c b/drivers/infiniband/hw/hfi1/verbs_txreq.c
+index c4ab2d5b4502..8f766dd3f61c 100644
+--- a/drivers/infiniband/hw/hfi1/verbs_txreq.c
++++ b/drivers/infiniband/hw/hfi1/verbs_txreq.c
+@@ -100,7 +100,7 @@ struct verbs_txreq *__get_txreq(struct hfi1_ibdev *dev,
+ if (ib_rvt_state_ops[qp->state] & RVT_PROCESS_RECV_OK) {
+ struct hfi1_qp_priv *priv;
+
+- tx = kmem_cache_alloc(dev->verbs_txreq_cache, GFP_ATOMIC);
++ tx = kmem_cache_alloc(dev->verbs_txreq_cache, VERBS_TXREQ_GFP);
+ if (tx)
+ goto out;
+ priv = qp->priv;
+diff --git a/drivers/infiniband/hw/hfi1/verbs_txreq.h b/drivers/infiniband/hw/hfi1/verbs_txreq.h
+index b002e96eb335..bfa6e081cb56 100644
+--- a/drivers/infiniband/hw/hfi1/verbs_txreq.h
++++ b/drivers/infiniband/hw/hfi1/verbs_txreq.h
+@@ -72,6 +72,7 @@ struct hfi1_ibdev;
+ struct verbs_txreq *__get_txreq(struct hfi1_ibdev *dev,
+ struct rvt_qp *qp);
+
++#define VERBS_TXREQ_GFP (GFP_ATOMIC | __GFP_NOWARN)
+ static inline struct verbs_txreq *get_txreq(struct hfi1_ibdev *dev,
+ struct rvt_qp *qp)
+ __must_hold(&qp->slock)
+@@ -79,7 +80,7 @@ static inline struct verbs_txreq *get_txreq(struct hfi1_ibdev *dev,
+ struct verbs_txreq *tx;
+ struct hfi1_qp_priv *priv = qp->priv;
+
+- tx = kmem_cache_alloc(dev->verbs_txreq_cache, GFP_ATOMIC);
++ tx = kmem_cache_alloc(dev->verbs_txreq_cache, VERBS_TXREQ_GFP);
+ if (unlikely(!tx)) {
+ /* call slow path to get the lock */
+ tx = __get_txreq(dev, qp);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-020-iio-imu-st_lsm6dsx-fix-PM-support-for-st_lsm6d.patch b/patches.kernel.org/5.1.15-020-iio-imu-st_lsm6dsx-fix-PM-support-for-st_lsm6d.patch
new file mode 100644
index 0000000000..adcb2a0444
--- /dev/null
+++ b/patches.kernel.org/5.1.15-020-iio-imu-st_lsm6dsx-fix-PM-support-for-st_lsm6d.patch
@@ -0,0 +1,103 @@
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Sun, 19 May 2019 10:58:23 +0200
+Subject: [PATCH] iio: imu: st_lsm6dsx: fix PM support for st_lsm6dsx i2c
+ controller
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: bce0d57db388cdb1c1931d0aa7d31c77b590e0f0
+
+commit bce0d57db388cdb1c1931d0aa7d31c77b590e0f0 upstream.
+
+Properly suspend/resume i2c slaves connected to st_lsm6dsx master
+controller if the CPU goes in suspended state
+
+Fixes: c91c1c844ebd ("imu: st_lsm6dsx: add i2c embedded controller support")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 2 ++
+ drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 25 +++++++++++++-------
+ 2 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
+index d1d8d07a0714..83425b7b580c 100644
+--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
+@@ -265,6 +265,7 @@ struct st_lsm6dsx_sensor {
+ * @conf_lock: Mutex to prevent concurrent FIFO configuration update.
+ * @page_lock: Mutex to prevent concurrent memory page configuration.
+ * @fifo_mode: FIFO operating mode supported by the device.
++ * @suspend_mask: Suspended sensor bitmask.
+ * @enable_mask: Enabled sensor bitmask.
+ * @ts_sip: Total number of timestamp samples in a given pattern.
+ * @sip: Total number of samples (acc/gyro/ts) in a given pattern.
+@@ -282,6 +283,7 @@ struct st_lsm6dsx_hw {
+ struct mutex page_lock;
+
+ enum st_lsm6dsx_fifo_mode fifo_mode;
++ u8 suspend_mask;
+ u8 enable_mask;
+ u8 ts_sip;
+ u8 sip;
+diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
+index 12e29dda9b98..96986d84e418 100644
+--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
+@@ -1023,8 +1023,6 @@ static int __maybe_unused st_lsm6dsx_suspend(struct device *dev)
+ {
+ struct st_lsm6dsx_hw *hw = dev_get_drvdata(dev);
+ struct st_lsm6dsx_sensor *sensor;
+- const struct st_lsm6dsx_reg *reg;
+- unsigned int data;
+ int i, err = 0;
+
+ for (i = 0; i < ST_LSM6DSX_ID_MAX; i++) {
+@@ -1035,12 +1033,16 @@ static int __maybe_unused st_lsm6dsx_suspend(struct device *dev)
+ if (!(hw->enable_mask & BIT(sensor->id)))
+ continue;
+
+- reg = &st_lsm6dsx_odr_table[sensor->id].reg;
+- data = ST_LSM6DSX_SHIFT_VAL(0, reg->mask);
+- err = st_lsm6dsx_update_bits_locked(hw, reg->addr, reg->mask,
+- data);
++ if (sensor->id == ST_LSM6DSX_ID_EXT0 ||
++ sensor->id == ST_LSM6DSX_ID_EXT1 ||
++ sensor->id == ST_LSM6DSX_ID_EXT2)
++ err = st_lsm6dsx_shub_set_enable(sensor, false);
++ else
++ err = st_lsm6dsx_sensor_set_enable(sensor, false);
+ if (err < 0)
+ return err;
++
++ hw->suspend_mask |= BIT(sensor->id);
+ }
+
+ if (hw->fifo_mode != ST_LSM6DSX_FIFO_BYPASS)
+@@ -1060,12 +1062,19 @@ static int __maybe_unused st_lsm6dsx_resume(struct device *dev)
+ continue;
+
+ sensor = iio_priv(hw->iio_devs[i]);
+- if (!(hw->enable_mask & BIT(sensor->id)))
++ if (!(hw->suspend_mask & BIT(sensor->id)))
+ continue;
+
+- err = st_lsm6dsx_set_odr(sensor, sensor->odr);
++ if (sensor->id == ST_LSM6DSX_ID_EXT0 ||
++ sensor->id == ST_LSM6DSX_ID_EXT1 ||
++ sensor->id == ST_LSM6DSX_ID_EXT2)
++ err = st_lsm6dsx_shub_set_enable(sensor, true);
++ else
++ err = st_lsm6dsx_sensor_set_enable(sensor, true);
+ if (err < 0)
+ return err;
++
++ hw->suspend_mask &= ~BIT(sensor->id);
+ }
+
+ if (hw->enable_mask)
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-021-iio-temperature-mlx90632-Relax-the-compatibili.patch b/patches.kernel.org/5.1.15-021-iio-temperature-mlx90632-Relax-the-compatibili.patch
new file mode 100644
index 0000000000..74a29d11b6
--- /dev/null
+++ b/patches.kernel.org/5.1.15-021-iio-temperature-mlx90632-Relax-the-compatibili.patch
@@ -0,0 +1,61 @@
+From: Crt Mori <cmo@melexis.com>
+Date: Thu, 23 May 2019 14:07:22 +0200
+Subject: [PATCH] iio: temperature: mlx90632 Relax the compatibility check
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 389fc70b60f534d679aea9a3f05146040ce20d77
+
+commit 389fc70b60f534d679aea9a3f05146040ce20d77 upstream.
+
+Register EE_VERSION contains mixture of calibration information and DSP
+version. So far, because calibrations were definite, the driver
+compatibility depended on whole contents, but in the newer production
+process the calibration part changes. Because of that, value in EE_VERSION
+will be changed and to avoid that calibration value is same as DSP version
+the MSB in calibration part was fixed to 1.
+That means existing calibrations (medical and consumer) will now have
+hex values (bits 8 to 15) of 83 and 84 respectively. Driver compatibility
+should be based only on DSP version part of the EE_VERSION (bits 0 to 7)
+register.
+
+Signed-off-by: Crt Mori <cmo@melexis.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/iio/temperature/mlx90632.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/temperature/mlx90632.c b/drivers/iio/temperature/mlx90632.c
+index be03be719efe..f71918430f95 100644
+--- a/drivers/iio/temperature/mlx90632.c
++++ b/drivers/iio/temperature/mlx90632.c
+@@ -81,6 +81,8 @@
+ /* Magic constants */
+ #define MLX90632_ID_MEDICAL 0x0105 /* EEPROM DSPv5 Medical device id */
+ #define MLX90632_ID_CONSUMER 0x0205 /* EEPROM DSPv5 Consumer device id */
++#define MLX90632_DSP_VERSION 5 /* DSP version */
++#define MLX90632_DSP_MASK GENMASK(7, 0) /* DSP version in EE_VERSION */
+ #define MLX90632_RESET_CMD 0x0006 /* Reset sensor (address or global) */
+ #define MLX90632_REF_12 12LL /**< ResCtrlRef value of Ch 1 or Ch 2 */
+ #define MLX90632_REF_3 12LL /**< ResCtrlRef value of Channel 3 */
+@@ -667,10 +669,13 @@ static int mlx90632_probe(struct i2c_client *client,
+ } else if (read == MLX90632_ID_CONSUMER) {
+ dev_dbg(&client->dev,
+ "Detected Consumer EEPROM calibration %x\n", read);
++ } else if ((read & MLX90632_DSP_MASK) == MLX90632_DSP_VERSION) {
++ dev_dbg(&client->dev,
++ "Detected Unknown EEPROM calibration %x\n", read);
+ } else {
+ dev_err(&client->dev,
+- "EEPROM version mismatch %x (expected %x or %x)\n",
+- read, MLX90632_ID_CONSUMER, MLX90632_ID_MEDICAL);
++ "Wrong DSP version %x (expected %x)\n",
++ read, MLX90632_DSP_VERSION);
+ return -EPROTONOSUPPORT;
+ }
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-022-Input-synaptics-enable-SMBus-on-ThinkPad-E480-.patch b/patches.kernel.org/5.1.15-022-Input-synaptics-enable-SMBus-on-ThinkPad-E480-.patch
new file mode 100644
index 0000000000..f97a4ddc2a
--- /dev/null
+++ b/patches.kernel.org/5.1.15-022-Input-synaptics-enable-SMBus-on-ThinkPad-E480-.patch
@@ -0,0 +1,41 @@
+From: Alexander Mikhaylenko <exalm7659@gmail.com>
+Date: Wed, 12 Jun 2019 14:59:46 -0700
+Subject: [PATCH] Input: synaptics - enable SMBus on ThinkPad E480 and E580
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 9843f3e08e2144724be7148e08d77a195dea257a
+
+commit 9843f3e08e2144724be7148e08d77a195dea257a upstream.
+
+They are capable of using intertouch and it works well with
+psmouse.synaptics_intertouch=1, so add them to the list.
+
+Without it, scrolling and gestures are jumpy, three-finger pinch gesture
+doesn't work and three- or four-finger swipes sometimes get stuck.
+
+Signed-off-by: Alexander Mikhaylenko <exalm7659@gmail.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/input/mouse/synaptics.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
+index b6da0c1267e3..8e6077d8e434 100644
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -179,6 +179,8 @@ static const char * const smbus_pnp_ids[] = {
+ "LEN0096", /* X280 */
+ "LEN0097", /* X280 -> ALPS trackpoint */
+ "LEN200f", /* T450s */
++ "LEN2054", /* E480 */
++ "LEN2055", /* E580 */
+ "SYN3052", /* HP EliteBook 840 G4 */
+ "SYN3221", /* HP 15-ay000 */
+ NULL
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-023-Input-uinput-add-compat-ioctl-number-translati.patch b/patches.kernel.org/5.1.15-023-Input-uinput-add-compat-ioctl-number-translati.patch
new file mode 100644
index 0000000000..f8002c7716
--- /dev/null
+++ b/patches.kernel.org/5.1.15-023-Input-uinput-add-compat-ioctl-number-translati.patch
@@ -0,0 +1,67 @@
+From: Andrey Smirnov <andrew.smirnov@gmail.com>
+Date: Thu, 23 May 2019 12:55:26 -0700
+Subject: [PATCH] Input: uinput - add compat ioctl number translation for
+ UI_*_FF_UPLOAD
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 7c7da40da1640ce6814dab1e8031b44e19e5a3f6
+
+commit 7c7da40da1640ce6814dab1e8031b44e19e5a3f6 upstream.
+
+In the case of compat syscall ioctl numbers for UI_BEGIN_FF_UPLOAD and
+UI_END_FF_UPLOAD need to be adjusted before being passed on
+uinput_ioctl_handler() since code built with -m32 will be passing
+slightly different values. Extend the code already covering
+UI_SET_PHYS to cover UI_BEGIN_FF_UPLOAD and UI_END_FF_UPLOAD as well.
+
+Reported-by: Pierre-Loup A. Griffais <pgriffais@valvesoftware.com>
+Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/input/misc/uinput.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
+index 26ec603fe220..83d1499fe021 100644
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -1051,13 +1051,31 @@ static long uinput_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+
+ #ifdef CONFIG_COMPAT
+
+-#define UI_SET_PHYS_COMPAT _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
++/*
++ * These IOCTLs change their size and thus their numbers between
++ * 32 and 64 bits.
++ */
++#define UI_SET_PHYS_COMPAT \
++ _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
++#define UI_BEGIN_FF_UPLOAD_COMPAT \
++ _IOWR(UINPUT_IOCTL_BASE, 200, struct uinput_ff_upload_compat)
++#define UI_END_FF_UPLOAD_COMPAT \
++ _IOW(UINPUT_IOCTL_BASE, 201, struct uinput_ff_upload_compat)
+
+ static long uinput_compat_ioctl(struct file *file,
+ unsigned int cmd, unsigned long arg)
+ {
+- if (cmd == UI_SET_PHYS_COMPAT)
++ switch (cmd) {
++ case UI_SET_PHYS_COMPAT:
+ cmd = UI_SET_PHYS;
++ break;
++ case UI_BEGIN_FF_UPLOAD_COMPAT:
++ cmd = UI_BEGIN_FF_UPLOAD;
++ break;
++ case UI_END_FF_UPLOAD_COMPAT:
++ cmd = UI_END_FF_UPLOAD;
++ break;
++ }
+
+ return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg));
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-024-Input-silead-add-MSSL0017-to-acpi_device_id.patch b/patches.kernel.org/5.1.15-024-Input-silead-add-MSSL0017-to-acpi_device_id.patch
new file mode 100644
index 0000000000..3a96e35675
--- /dev/null
+++ b/patches.kernel.org/5.1.15-024-Input-silead-add-MSSL0017-to-acpi_device_id.patch
@@ -0,0 +1,36 @@
+From: Daniel Smith <danct12@disroot.org>
+Date: Thu, 23 May 2019 12:54:18 -0700
+Subject: [PATCH] Input: silead - add MSSL0017 to acpi_device_id
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 0e658060e5fc50dc282885dc424a94b5d95547e5
+
+commit 0e658060e5fc50dc282885dc424a94b5d95547e5 upstream.
+
+On Chuwi Hi10 Plus, the Silead device id is MSSL0017.
+
+Signed-off-by: Daniel Smith <danct12@disroot.org>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/input/touchscreen/silead.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/touchscreen/silead.c b/drivers/input/touchscreen/silead.c
+index 09241d4cdebc..06f0eb04a8fd 100644
+--- a/drivers/input/touchscreen/silead.c
++++ b/drivers/input/touchscreen/silead.c
+@@ -617,6 +617,7 @@ static const struct acpi_device_id silead_ts_acpi_match[] = {
+ { "MSSL1680", 0 },
+ { "MSSL0001", 0 },
+ { "MSSL0002", 0 },
++ { "MSSL0017", 0 },
+ { }
+ };
+ MODULE_DEVICE_TABLE(acpi, silead_ts_acpi_match);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-025-apparmor-fix-PROFILE_MEDIATES-for-untrusted-in.patch b/patches.kernel.org/5.1.15-025-apparmor-fix-PROFILE_MEDIATES-for-untrusted-in.patch
new file mode 100644
index 0000000000..ac6f20ba4c
--- /dev/null
+++ b/patches.kernel.org/5.1.15-025-apparmor-fix-PROFILE_MEDIATES-for-untrusted-in.patch
@@ -0,0 +1,57 @@
+From: John Johansen <john.johansen@canonical.com>
+Date: Sun, 26 May 2019 06:42:23 -0700
+Subject: [PATCH] apparmor: fix PROFILE_MEDIATES for untrusted input
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 23375b13f98c5464c2b4d15f983cc062940f1f4e
+
+commit 23375b13f98c5464c2b4d15f983cc062940f1f4e upstream.
+
+While commit 11c236b89d7c2 ("apparmor: add a default null dfa") ensure
+every profile has a policy.dfa it does not resize the policy.start[]
+to have entries for every possible start value. Which means
+PROFILE_MEDIATES is not safe to use on untrusted input. Unforunately
+commit b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE") did not
+take into account the start value usage.
+
+The input string in profile_query_cb() is user controlled and is not
+properly checked to be within the limited start[] entries, even worse
+it can't be as userspace policy is allowed to make us of entries types
+the kernel does not know about. This mean usespace can currently cause
+the kernel to access memory up to 240 entries beyond the start array
+bounds.
+
+Cc: stable@vger.kernel.org
+Fixes: b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ security/apparmor/include/policy.h | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index 8e6707c837be..06ed62f00b4b 100644
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -217,7 +217,16 @@ static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p)
+ return labels_profile(aa_get_newest_label(&p->label));
+ }
+
+-#define PROFILE_MEDIATES(P, T) ((P)->policy.start[(unsigned char) (T)])
++static inline unsigned int PROFILE_MEDIATES(struct aa_profile *profile,
++ unsigned char class)
++{
++ if (class <= AA_CLASS_LAST)
++ return profile->policy.start[class];
++ else
++ return aa_dfa_match_len(profile->policy.dfa,
++ profile->policy.start[0], &class, 1);
++}
++
+ static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
+ u16 AF) {
+ unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-026-apparmor-enforce-nullbyte-at-end-of-tag-string.patch b/patches.kernel.org/5.1.15-026-apparmor-enforce-nullbyte-at-end-of-tag-string.patch
new file mode 100644
index 0000000000..5122225e2d
--- /dev/null
+++ b/patches.kernel.org/5.1.15-026-apparmor-enforce-nullbyte-at-end-of-tag-string.patch
@@ -0,0 +1,43 @@
+From: Jann Horn <jannh@google.com>
+Date: Tue, 28 May 2019 17:32:26 +0200
+Subject: [PATCH] apparmor: enforce nullbyte at end of tag string
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 8404d7a674c49278607d19726e0acc0cae299357
+
+commit 8404d7a674c49278607d19726e0acc0cae299357 upstream.
+
+A packed AppArmor policy contains null-terminated tag strings that are read
+by unpack_nameX(). However, unpack_nameX() uses string functions on them
+without ensuring that they are actually null-terminated, potentially
+leading to out-of-bounds accesses.
+
+Make sure that the tag string is null-terminated before passing it to
+strcmp().
+
+Cc: stable@vger.kernel.org
+Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ security/apparmor/policy_unpack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index f6c2bcb2ab14..33041c4fb69f 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -276,7 +276,7 @@ static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
+ char *tag = NULL;
+ size_t size = unpack_u16_chunk(e, &tag);
+ /* if a name is specified it must match. otherwise skip tag */
+- if (name && (!size || strcmp(name, tag)))
++ if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
+ goto fail;
+ } else if (name) {
+ /* if a name is specified and there is no name tag fail */
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-027-apparmor-reset-pos-on-failure-to-unpack-for-va.patch b/patches.kernel.org/5.1.15-027-apparmor-reset-pos-on-failure-to-unpack-for-va.patch
new file mode 100644
index 0000000000..21867186de
--- /dev/null
+++ b/patches.kernel.org/5.1.15-027-apparmor-reset-pos-on-failure-to-unpack-for-va.patch
@@ -0,0 +1,173 @@
+From: Mike Salvatore <mike.salvatore@canonical.com>
+Date: Wed, 12 Jun 2019 14:55:14 -0700
+Subject: [PATCH] apparmor: reset pos on failure to unpack for various
+ functions
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 156e42996bd84eccb6acf319f19ce0cb140d00e3
+
+commit 156e42996bd84eccb6acf319f19ce0cb140d00e3 upstream.
+
+Each function that manipulates the aa_ext struct should reset it's "pos"
+member on failure. This ensures that, on failure, no changes are made to
+the state of the aa_ext struct.
+
+There are paths were elements are optional and the error path is
+used to indicate the optional element is not present. This means
+instead of just aborting on error the unpack stream can become
+unsynchronized on optional elements, if using one of the affected
+functions.
+
+Cc: stable@vger.kernel.org
+Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
+Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ security/apparmor/policy_unpack.c | 47 +++++++++++++++++++++++++------
+ 1 file changed, 39 insertions(+), 8 deletions(-)
+
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index 33041c4fb69f..f1b2202f725e 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -223,16 +223,21 @@ static void *kvmemdup(const void *src, size_t len)
+ static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk)
+ {
+ size_t size = 0;
++ void *pos = e->pos;
+
+ if (!inbounds(e, sizeof(u16)))
+- return 0;
++ goto fail;
+ size = le16_to_cpu(get_unaligned((__le16 *) e->pos));
+ e->pos += sizeof(__le16);
+ if (!inbounds(e, size))
+- return 0;
++ goto fail;
+ *chunk = e->pos;
+ e->pos += size;
+ return size;
++
++fail:
++ e->pos = pos;
++ return 0;
+ }
+
+ /* unpack control byte */
+@@ -294,62 +299,84 @@ static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
+
+ static bool unpack_u8(struct aa_ext *e, u8 *data, const char *name)
+ {
++ void *pos = e->pos;
++
+ if (unpack_nameX(e, AA_U8, name)) {
+ if (!inbounds(e, sizeof(u8)))
+- return 0;
++ goto fail;
+ if (data)
+ *data = get_unaligned((u8 *)e->pos);
+ e->pos += sizeof(u8);
+ return 1;
+ }
++
++fail:
++ e->pos = pos;
+ return 0;
+ }
+
+ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
+ {
++ void *pos = e->pos;
++
+ if (unpack_nameX(e, AA_U32, name)) {
+ if (!inbounds(e, sizeof(u32)))
+- return 0;
++ goto fail;
+ if (data)
+ *data = le32_to_cpu(get_unaligned((__le32 *) e->pos));
+ e->pos += sizeof(u32);
+ return 1;
+ }
++
++fail:
++ e->pos = pos;
+ return 0;
+ }
+
+ static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name)
+ {
++ void *pos = e->pos;
++
+ if (unpack_nameX(e, AA_U64, name)) {
+ if (!inbounds(e, sizeof(u64)))
+- return 0;
++ goto fail;
+ if (data)
+ *data = le64_to_cpu(get_unaligned((__le64 *) e->pos));
+ e->pos += sizeof(u64);
+ return 1;
+ }
++
++fail:
++ e->pos = pos;
+ return 0;
+ }
+
+ static size_t unpack_array(struct aa_ext *e, const char *name)
+ {
++ void *pos = e->pos;
++
+ if (unpack_nameX(e, AA_ARRAY, name)) {
+ int size;
+ if (!inbounds(e, sizeof(u16)))
+- return 0;
++ goto fail;
+ size = (int)le16_to_cpu(get_unaligned((__le16 *) e->pos));
+ e->pos += sizeof(u16);
+ return size;
+ }
++
++fail:
++ e->pos = pos;
+ return 0;
+ }
+
+ static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name)
+ {
++ void *pos = e->pos;
++
+ if (unpack_nameX(e, AA_BLOB, name)) {
+ u32 size;
+ if (!inbounds(e, sizeof(u32)))
+- return 0;
++ goto fail;
+ size = le32_to_cpu(get_unaligned((__le32 *) e->pos));
+ e->pos += sizeof(u32);
+ if (inbounds(e, (size_t) size)) {
+@@ -358,6 +385,9 @@ static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name)
+ return size;
+ }
+ }
++
++fail:
++ e->pos = pos;
+ return 0;
+ }
+
+@@ -374,9 +404,10 @@ static int unpack_str(struct aa_ext *e, const char **string, const char *name)
+ if (src_str[size - 1] != 0)
+ goto fail;
+ *string = src_str;
++
++ return size;
+ }
+ }
+- return size;
+
+ fail:
+ e->pos = pos;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-028-Revert-brcmfmac-disable-command-decode-in-sdio.patch b/patches.kernel.org/5.1.15-028-Revert-brcmfmac-disable-command-decode-in-sdio.patch
new file mode 100644
index 0000000000..2e6c2197e6
--- /dev/null
+++ b/patches.kernel.org/5.1.15-028-Revert-brcmfmac-disable-command-decode-in-sdio.patch
@@ -0,0 +1,61 @@
+From: Douglas Anderson <dianders@chromium.org>
+Date: Mon, 17 Jun 2019 10:56:49 -0700
+Subject: [PATCH] Revert "brcmfmac: disable command decode in sdio_aos"
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: abdd5dcc00207e7c38680f3754d1bfffafff1093
+
+commit abdd5dcc00207e7c38680f3754d1bfffafff1093 upstream.
+
+This reverts commit 29f6589140a10ece8c1d73f58043ea5b3473ab3e.
+
+After that patch landed I find that my kernel log on
+rk3288-veyron-minnie and rk3288-veyron-speedy is filled with:
+brcmfmac: brcmf_sdio_bus_sleep: error while changing bus sleep state -110
+
+This seems to happen every time the Broadcom WiFi transitions out of
+sleep mode. Reverting the commit fixes the problem for me, so that's
+what this patch does.
+
+Note that, in general, the justification in the original commit seemed
+a little weak. It looked like someone was testing on a SD card
+controller that would sometimes die if there were CRC errors on the
+bus. This used to happen back in early days of dw_mmc (the controller
+on my boards), but we fixed it. Disabling a feature on all boards
+just because one SD card controller is broken seems bad.
+
+Fixes: 29f6589140a1 ("brcmfmac: disable command decode in sdio_aos")
+Cc: Wright Feng <wright.feng@cypress.com>
+Cc: Double Lo <double.lo@cypress.com>
+Cc: Madhan Mohan R <madhanmohan.r@cypress.com>
+Cc: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Cc: stable@vger.kernel.org
+Acked-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+index 4d104ab80fd8..cacf05dec4f1 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -3373,11 +3373,7 @@ static int brcmf_sdio_download_firmware(struct brcmf_sdio *bus,
+
+ static bool brcmf_sdio_aos_no_decode(struct brcmf_sdio *bus)
+ {
+- if (bus->ci->chip == CY_CC_43012_CHIP_ID ||
+- bus->ci->chip == CY_CC_4373_CHIP_ID ||
+- bus->ci->chip == BRCM_CC_4339_CHIP_ID ||
+- bus->ci->chip == BRCM_CC_4345_CHIP_ID ||
+- bus->ci->chip == BRCM_CC_4354_CHIP_ID)
++ if (bus->ci->chip == CY_CC_43012_CHIP_ID)
+ return true;
+ else
+ return false;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-029-brcmfmac-sdio-Disable-auto-tuning-around-comma.patch b/patches.kernel.org/5.1.15-029-brcmfmac-sdio-Disable-auto-tuning-around-comma.patch
new file mode 100644
index 0000000000..617f5e67a2
--- /dev/null
+++ b/patches.kernel.org/5.1.15-029-brcmfmac-sdio-Disable-auto-tuning-around-comma.patch
@@ -0,0 +1,60 @@
+From: Douglas Anderson <dianders@chromium.org>
+Date: Mon, 17 Jun 2019 10:56:51 -0700
+Subject: [PATCH] brcmfmac: sdio: Disable auto-tuning around commands expected
+ to fail
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 2de0b42da263c97d330d276f5ccf7c4470e3324f
+
+commit 2de0b42da263c97d330d276f5ccf7c4470e3324f upstream.
+
+There are certain cases, notably when transitioning between sleep and
+active state, when Broadcom SDIO WiFi cards will produce errors on the
+SDIO bus. This is evident from the source code where you can see that
+we try commands in a loop until we either get success or we've tried
+too many times. The comment in the code reinforces this by saying
+"just one write attempt may fail"
+
+Unfortunately these failures sometimes end up causing an "-EILSEQ"
+back to the core which triggers a retuning of the SDIO card and that
+blocks all traffic to the card until it's done.
+
+Let's disable retuning around the commands we expect might fail.
+
+Cc: stable@vger.kernel.org #v4.18+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Acked-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+index cacf05dec4f1..36ca5e2bd274 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -676,6 +676,8 @@ brcmf_sdio_kso_control(struct brcmf_sdio *bus, bool on)
+
+ brcmf_dbg(TRACE, "Enter: on=%d\n", on);
+
++ sdio_retune_crc_disable(bus->sdiodev->func1);
++
+ wr_val = (on << SBSDIO_FUNC1_SLEEPCSR_KSO_SHIFT);
+ /* 1st KSO write goes to AOS wake up core if device is asleep */
+ brcmf_sdiod_writeb(bus->sdiodev, SBSDIO_FUNC1_SLEEPCSR, wr_val, &err);
+@@ -736,6 +738,8 @@ brcmf_sdio_kso_control(struct brcmf_sdio *bus, bool on)
+ if (try_cnt > MAX_KSO_ATTEMPTS)
+ brcmf_err("max tries: rd_val=0x%x err=%d\n", rd_val, err);
+
++ sdio_retune_crc_enable(bus->sdiodev->func1);
++
+ return err;
+ }
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-030-brcmfmac-sdio-Don-t-tune-while-the-card-is-off.patch b/patches.kernel.org/5.1.15-030-brcmfmac-sdio-Don-t-tune-while-the-card-is-off.patch
new file mode 100644
index 0000000000..fe14843a35
--- /dev/null
+++ b/patches.kernel.org/5.1.15-030-brcmfmac-sdio-Don-t-tune-while-the-card-is-off.patch
@@ -0,0 +1,86 @@
+From: Douglas Anderson <dianders@chromium.org>
+Date: Mon, 17 Jun 2019 10:56:53 -0700
+Subject: [PATCH] brcmfmac: sdio: Don't tune while the card is off
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 65dade6044079a5c206fd1803642ff420061417a
+
+commit 65dade6044079a5c206fd1803642ff420061417a upstream.
+
+When Broadcom SDIO cards are idled they go to sleep and a whole
+separate subsystem takes over their SDIO communication. This is the
+Always-On-Subsystem (AOS) and it can't handle tuning requests.
+
+Specifically, as tested on rk3288-veyron-minnie (which reports having
+BCM4354/1 in dmesg), if I force a retune in brcmf_sdio_kso_control()
+when "on = 1" (aka we're transition from sleep to wake) by whacking:
+ bus->sdiodev->func1->card->host->need_retune = 1
+...then I can often see tuning fail. In this case dw_mmc reports "All
+phases bad!"). Note that I don't get 100% failure, presumably because
+sometimes the card itself has already transitioned away from the AOS
+itself by the time we try to wake it up. If I force retuning when "on
+= 0" (AKA force retuning right before sending the command to go to
+sleep) then retuning is always OK.
+
+NOTE: we need _both_ this patch and the patch to avoid triggering
+tuning due to CRC errors in the sleep/wake transition, AKA ("brcmfmac:
+sdio: Disable auto-tuning around commands expected to fail"). Though
+both patches handle issues with Broadcom's AOS, the problems are
+distinct:
+1. We want to defer (but not ignore) asynchronous (like
+ timer-requested) tuning requests till the card is awake. However,
+ we want to ignore CRC errors during the transition, we don't want
+ to queue deferred tuning request.
+2. You could imagine that the AOS could implement retuning but we
+ could still get errors while transitioning in and out of the AOS.
+ Similarly you could imagine a seamless transition into and out of
+ the AOS (with no CRC errors) even if the AOS couldn't handle
+ tuning.
+
+ALSO NOTE: presumably there is never a desperate need to retune in
+order to wake up the card, since doing so is impossible. Luckily the
+only way the card can get into sleep state is if we had a good enough
+tuning to send it the command to put it into sleep, so presumably that
+"good enough" tuning is enough to wake us up, at least with a few
+retries.
+
+Cc: stable@vger.kernel.org #v4.18+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Acked-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+index 36ca5e2bd274..f757c9e72e71 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -678,6 +678,10 @@ brcmf_sdio_kso_control(struct brcmf_sdio *bus, bool on)
+
+ sdio_retune_crc_disable(bus->sdiodev->func1);
+
++ /* Cannot re-tune if device is asleep; defer till we're awake */
++ if (on)
++ sdio_retune_hold_now(bus->sdiodev->func1);
++
+ wr_val = (on << SBSDIO_FUNC1_SLEEPCSR_KSO_SHIFT);
+ /* 1st KSO write goes to AOS wake up core if device is asleep */
+ brcmf_sdiod_writeb(bus->sdiodev, SBSDIO_FUNC1_SLEEPCSR, wr_val, &err);
+@@ -738,6 +742,9 @@ brcmf_sdio_kso_control(struct brcmf_sdio *bus, bool on)
+ if (try_cnt > MAX_KSO_ATTEMPTS)
+ brcmf_err("max tries: rd_val=0x%x err=%d\n", rd_val, err);
+
++ if (on)
++ sdio_retune_release(bus->sdiodev->func1);
++
+ sdio_retune_crc_enable(bus->sdiodev->func1);
+
+ return err;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-031-lkdtm-usercopy-Moves-the-KERNEL_DS-test-to-non.patch b/patches.kernel.org/5.1.15-031-lkdtm-usercopy-Moves-the-KERNEL_DS-test-to-non.patch
new file mode 100644
index 0000000000..380b1bd733
--- /dev/null
+++ b/patches.kernel.org/5.1.15-031-lkdtm-usercopy-Moves-the-KERNEL_DS-test-to-non.patch
@@ -0,0 +1,49 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Sat, 6 Apr 2019 08:52:11 -0700
+Subject: [PATCH] lkdtm/usercopy: Moves the KERNEL_DS test to non-canonical
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 2bf8496f6e9b7e9a557f65eb95eab16fea7958c7
+
+[ Upstream commit 2bf8496f6e9b7e9a557f65eb95eab16fea7958c7 ]
+
+The prior implementation of the KERNEL_DS fault checking would work on
+any unmapped kernel address, but this was narrowed to the non-canonical
+range instead. This adjusts the LKDTM test to match.
+
+Fixes: 00c42373d397 ("x86-64: add warning for non-canonical user access address dereferences")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/misc/lkdtm/usercopy.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/misc/lkdtm/usercopy.c b/drivers/misc/lkdtm/usercopy.c
+index d5a0e7f1813b..e172719dd86d 100644
+--- a/drivers/misc/lkdtm/usercopy.c
++++ b/drivers/misc/lkdtm/usercopy.c
+@@ -324,14 +324,16 @@ void lkdtm_USERCOPY_KERNEL(void)
+
+ void lkdtm_USERCOPY_KERNEL_DS(void)
+ {
+- char __user *user_ptr = (char __user *)ERR_PTR(-EINVAL);
++ char __user *user_ptr =
++ (char __user *)(0xFUL << (sizeof(unsigned long) * 8 - 4));
+ mm_segment_t old_fs = get_fs();
+ char buf[10] = {0};
+
+- pr_info("attempting copy_to_user on unmapped kernel address\n");
++ pr_info("attempting copy_to_user() to noncanonical address: %px\n",
++ user_ptr);
+ set_fs(KERNEL_DS);
+- if (copy_to_user(user_ptr, buf, sizeof(buf)))
+- pr_info("copy_to_user un unmapped kernel address failed\n");
++ if (copy_to_user(user_ptr, buf, sizeof(buf)) == 0)
++ pr_err("copy_to_user() to noncanonical address succeeded!?\n");
+ set_fs(old_fs);
+ }
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-032-ARC-fix-build-warnings.patch b/patches.kernel.org/5.1.15-032-ARC-fix-build-warnings.patch
new file mode 100644
index 0000000000..5569421f46
--- /dev/null
+++ b/patches.kernel.org/5.1.15-032-ARC-fix-build-warnings.patch
@@ -0,0 +1,102 @@
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Tue, 7 May 2019 10:45:24 -0700
+Subject: [PATCH] ARC: fix build warnings
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 89c92142f75eb80064f5b9f1111484b1b4d81790
+
+[ Upstream commit 89c92142f75eb80064f5b9f1111484b1b4d81790 ]
+
+| arch/arc/mm/tlb.c:914:2: warning: variable length array 'pd0' is used [-Wvla]
+| arch/arc/include/asm/cmpxchg.h:95:29: warning: value computed is not used [-Wunused-value]
+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arc/include/asm/cmpxchg.h | 14 ++++++++++----
+ arch/arc/mm/tlb.c | 13 ++++++++-----
+ 2 files changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/arch/arc/include/asm/cmpxchg.h b/arch/arc/include/asm/cmpxchg.h
+index d819de1c5d10..3ea4112c8302 100644
+--- a/arch/arc/include/asm/cmpxchg.h
++++ b/arch/arc/include/asm/cmpxchg.h
+@@ -92,8 +92,11 @@ __cmpxchg(volatile void *ptr, unsigned long expected, unsigned long new)
+
+ #endif /* CONFIG_ARC_HAS_LLSC */
+
+-#define cmpxchg(ptr, o, n) ((typeof(*(ptr)))__cmpxchg((ptr), \
+- (unsigned long)(o), (unsigned long)(n)))
++#define cmpxchg(ptr, o, n) ({ \
++ (typeof(*(ptr)))__cmpxchg((ptr), \
++ (unsigned long)(o), \
++ (unsigned long)(n)); \
++})
+
+ /*
+ * atomic_cmpxchg is same as cmpxchg
+@@ -198,8 +201,11 @@ static inline unsigned long __xchg(unsigned long val, volatile void *ptr,
+ return __xchg_bad_pointer();
+ }
+
+-#define xchg(ptr, with) ((typeof(*(ptr)))__xchg((unsigned long)(with), (ptr), \
+- sizeof(*(ptr))))
++#define xchg(ptr, with) ({ \
++ (typeof(*(ptr)))__xchg((unsigned long)(with), \
++ (ptr), \
++ sizeof(*(ptr))); \
++})
+
+ #endif /* CONFIG_ARC_PLAT_EZNPS */
+
+diff --git a/arch/arc/mm/tlb.c b/arch/arc/mm/tlb.c
+index 4097764fea23..fa18c00b0cfd 100644
+--- a/arch/arc/mm/tlb.c
++++ b/arch/arc/mm/tlb.c
+@@ -911,9 +911,11 @@ void do_tlb_overlap_fault(unsigned long cause, unsigned long address,
+ struct pt_regs *regs)
+ {
+ struct cpuinfo_arc_mmu *mmu = &cpuinfo_arc700[smp_processor_id()].mmu;
+- unsigned int pd0[mmu->ways];
+ unsigned long flags;
+- int set;
++ int set, n_ways = mmu->ways;
++
++ n_ways = min(n_ways, 4);
++ BUG_ON(mmu->ways > 4);
+
+ local_irq_save(flags);
+
+@@ -921,9 +923,10 @@ void do_tlb_overlap_fault(unsigned long cause, unsigned long address,
+ for (set = 0; set < mmu->sets; set++) {
+
+ int is_valid, way;
++ unsigned int pd0[4];
+
+ /* read out all the ways of current set */
+- for (way = 0, is_valid = 0; way < mmu->ways; way++) {
++ for (way = 0, is_valid = 0; way < n_ways; way++) {
+ write_aux_reg(ARC_REG_TLBINDEX,
+ SET_WAY_TO_IDX(mmu, set, way));
+ write_aux_reg(ARC_REG_TLBCOMMAND, TLBRead);
+@@ -937,14 +940,14 @@ void do_tlb_overlap_fault(unsigned long cause, unsigned long address,
+ continue;
+
+ /* Scan the set for duplicate ways: needs a nested loop */
+- for (way = 0; way < mmu->ways - 1; way++) {
++ for (way = 0; way < n_ways - 1; way++) {
+
+ int n;
+
+ if (!pd0[way])
+ continue;
+
+- for (n = way + 1; n < mmu->ways; n++) {
++ for (n = way + 1; n < n_ways; n++) {
+ if (pd0[way] != pd0[n])
+ continue;
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-033-dmaengine-jz4780-Fix-transfers-being-ACKed-too.patch b/patches.kernel.org/5.1.15-033-dmaengine-jz4780-Fix-transfers-being-ACKed-too.patch
new file mode 100644
index 0000000000..8d928b37b9
--- /dev/null
+++ b/patches.kernel.org/5.1.15-033-dmaengine-jz4780-Fix-transfers-being-ACKed-too.patch
@@ -0,0 +1,111 @@
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Sat, 4 May 2019 23:37:57 +0200
+Subject: [PATCH] dmaengine: jz4780: Fix transfers being ACKed too soon
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 4e4106f5e942bff65548e82fc330d40385c89220
+
+[ Upstream commit 4e4106f5e942bff65548e82fc330d40385c89220 ]
+
+When a multi-descriptor DMA transfer is in progress, the "IRQ pending"
+flag will apparently be set for that channel as soon as the last
+descriptor loads, way before the IRQ actually happens. This behaviour
+has been observed on the JZ4725B, but maybe other SoCs are affected.
+
+In the case where another DMA transfer is running into completion on a
+separate channel, the IRQ handler would then run the completion handler
+for our previous channel even if the transfer didn't actually finish.
+
+Fix this by checking in the completion handler that we're indeed done;
+if not the interrupted DMA transfer will simply be resumed.
+
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/dma/dma-jz4780.c | 32 +++++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/dma/dma-jz4780.c b/drivers/dma/dma-jz4780.c
+index 9ce0a386225b..f49534019d37 100644
+--- a/drivers/dma/dma-jz4780.c
++++ b/drivers/dma/dma-jz4780.c
+@@ -666,10 +666,11 @@ static enum dma_status jz4780_dma_tx_status(struct dma_chan *chan,
+ return status;
+ }
+
+-static void jz4780_dma_chan_irq(struct jz4780_dma_dev *jzdma,
+- struct jz4780_dma_chan *jzchan)
++static bool jz4780_dma_chan_irq(struct jz4780_dma_dev *jzdma,
++ struct jz4780_dma_chan *jzchan)
+ {
+ uint32_t dcs;
++ bool ack = true;
+
+ spin_lock(&jzchan->vchan.lock);
+
+@@ -692,12 +693,20 @@ static void jz4780_dma_chan_irq(struct jz4780_dma_dev *jzdma,
+ if ((dcs & (JZ_DMA_DCS_AR | JZ_DMA_DCS_HLT)) == 0) {
+ if (jzchan->desc->type == DMA_CYCLIC) {
+ vchan_cyclic_callback(&jzchan->desc->vdesc);
+- } else {
++
++ jz4780_dma_begin(jzchan);
++ } else if (dcs & JZ_DMA_DCS_TT) {
+ vchan_cookie_complete(&jzchan->desc->vdesc);
+ jzchan->desc = NULL;
+- }
+
+- jz4780_dma_begin(jzchan);
++ jz4780_dma_begin(jzchan);
++ } else {
++ /* False positive - continue the transfer */
++ ack = false;
++ jz4780_dma_chn_writel(jzdma, jzchan->id,
++ JZ_DMA_REG_DCS,
++ JZ_DMA_DCS_CTE);
++ }
+ }
+ } else {
+ dev_err(&jzchan->vchan.chan.dev->device,
+@@ -705,21 +714,22 @@ static void jz4780_dma_chan_irq(struct jz4780_dma_dev *jzdma,
+ }
+
+ spin_unlock(&jzchan->vchan.lock);
++
++ return ack;
+ }
+
+ static irqreturn_t jz4780_dma_irq_handler(int irq, void *data)
+ {
+ struct jz4780_dma_dev *jzdma = data;
++ unsigned int nb_channels = jzdma->soc_data->nb_channels;
+ uint32_t pending, dmac;
+ int i;
+
+ pending = jz4780_dma_ctrl_readl(jzdma, JZ_DMA_REG_DIRQP);
+
+- for (i = 0; i < jzdma->soc_data->nb_channels; i++) {
+- if (!(pending & (1<<i)))
+- continue;
+-
+- jz4780_dma_chan_irq(jzdma, &jzdma->chan[i]);
++ for_each_set_bit(i, (unsigned long *)&pending, nb_channels) {
++ if (jz4780_dma_chan_irq(jzdma, &jzdma->chan[i]))
++ pending &= ~BIT(i);
+ }
+
+ /* Clear halt and address error status of all channels. */
+@@ -728,7 +738,7 @@ static irqreturn_t jz4780_dma_irq_handler(int irq, void *data)
+ jz4780_dma_ctrl_writel(jzdma, JZ_DMA_REG_DMAC, dmac);
+
+ /* Clear interrupt pending status. */
+- jz4780_dma_ctrl_writel(jzdma, JZ_DMA_REG_DIRQP, 0);
++ jz4780_dma_ctrl_writel(jzdma, JZ_DMA_REG_DIRQP, pending);
+
+ return IRQ_HANDLED;
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-034-dmaengine-dw-axi-dmac-fix-null-dereference-whe.patch b/patches.kernel.org/5.1.15-034-dmaengine-dw-axi-dmac-fix-null-dereference-whe.patch
new file mode 100644
index 0000000000..3cf4843049
--- /dev/null
+++ b/patches.kernel.org/5.1.15-034-dmaengine-dw-axi-dmac-fix-null-dereference-whe.patch
@@ -0,0 +1,43 @@
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 8 May 2019 23:33:29 +0100
+Subject: [PATCH] dmaengine: dw-axi-dmac: fix null dereference when pointer
+ first is null
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 0788611c9a0925c607de536b2449de5ed98ef8df
+
+[ Upstream commit 0788611c9a0925c607de536b2449de5ed98ef8df ]
+
+In the unlikely event that axi_desc_get returns a null desc in the
+very first iteration of the while-loop the error exit path ends
+up calling axi_desc_put on a null pointer 'first' and this causes
+a null pointer dereference. Fix this by adding a null check on
+pointer 'first' before calling axi_desc_put.
+
+Addresses-Coverity: ("Explicit null dereference")
+Fixes: 1fe20f1b8454 ("dmaengine: Introduce DW AXI DMAC driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
+index b2ac1d2c5b86..a1ce307c502f 100644
+--- a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
++++ b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
+@@ -512,7 +512,8 @@ dma_chan_prep_dma_memcpy(struct dma_chan *dchan, dma_addr_t dst_adr,
+ return vchan_tx_prep(&chan->vc, &first->vd, flags);
+
+ err_desc_get:
+- axi_desc_put(first);
++ if (first)
++ axi_desc_put(first);
+ return NULL;
+ }
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-035-dmaengine-mediatek-cqdma-sleeping-in-atomic-co.patch b/patches.kernel.org/5.1.15-035-dmaengine-mediatek-cqdma-sleeping-in-atomic-co.patch
new file mode 100644
index 0000000000..55f71b3e9e
--- /dev/null
+++ b/patches.kernel.org/5.1.15-035-dmaengine-mediatek-cqdma-sleeping-in-atomic-co.patch
@@ -0,0 +1,52 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 9 May 2019 13:09:23 +0300
+Subject: [PATCH] dmaengine: mediatek-cqdma: sleeping in atomic context
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 069b3c4214f27b130d0642f32438560db30f452e
+
+[ Upstream commit 069b3c4214f27b130d0642f32438560db30f452e ]
+
+The mtk_cqdma_poll_engine_done() function takes a true/false parameter
+where true means it's called from atomic context. There are a couple
+places where it was set to false but it's actually in atomic context
+so it should be true.
+
+All the callers for mtk_cqdma_hard_reset() are holding a spin_lock and
+in mtk_cqdma_free_chan_resources() we take a spin_lock before calling
+the mtk_cqdma_poll_engine_done() function.
+
+Fixes: b1f01e48df5a ("dmaengine: mediatek: Add MediaTek Command-Queue DMA controller for MT6765 SoC")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/dma/mediatek/mtk-cqdma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/mediatek/mtk-cqdma.c b/drivers/dma/mediatek/mtk-cqdma.c
+index 814853842e29..723b11c190b3 100644
+--- a/drivers/dma/mediatek/mtk-cqdma.c
++++ b/drivers/dma/mediatek/mtk-cqdma.c
+@@ -225,7 +225,7 @@ static int mtk_cqdma_hard_reset(struct mtk_cqdma_pchan *pc)
+ mtk_dma_set(pc, MTK_CQDMA_RESET, MTK_CQDMA_HARD_RST_BIT);
+ mtk_dma_clr(pc, MTK_CQDMA_RESET, MTK_CQDMA_HARD_RST_BIT);
+
+- return mtk_cqdma_poll_engine_done(pc, false);
++ return mtk_cqdma_poll_engine_done(pc, true);
+ }
+
+ static void mtk_cqdma_start(struct mtk_cqdma_pchan *pc,
+@@ -671,7 +671,7 @@ static void mtk_cqdma_free_chan_resources(struct dma_chan *c)
+ mtk_dma_set(cvc->pc, MTK_CQDMA_FLUSH, MTK_CQDMA_FLUSH_BIT);
+
+ /* wait for the completion of flush operation */
+- if (mtk_cqdma_poll_engine_done(cvc->pc, false) < 0)
++ if (mtk_cqdma_poll_engine_done(cvc->pc, true) < 0)
+ dev_err(cqdma2dev(to_cqdma_dev(c)), "cqdma flush timeout\n");
+
+ /* clear the flush bit and interrupt flag */
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-036-dmaengine-sprd-Fix-the-possible-crash-when-get.patch b/patches.kernel.org/5.1.15-036-dmaengine-sprd-Fix-the-possible-crash-when-get.patch
new file mode 100644
index 0000000000..1d165506aa
--- /dev/null
+++ b/patches.kernel.org/5.1.15-036-dmaengine-sprd-Fix-the-possible-crash-when-get.patch
@@ -0,0 +1,45 @@
+From: Baolin Wang <baolin.wang@linaro.org>
+Date: Mon, 6 May 2019 15:28:28 +0800
+Subject: [PATCH] dmaengine: sprd: Fix the possible crash when getting
+ descriptor status
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 16d0f85e45b99411ac10cb12cdd9279204a72381
+
+[ Upstream commit 16d0f85e45b99411ac10cb12cdd9279204a72381 ]
+
+We will get a NULL virtual descriptor by vchan_find_desc() when the descriptor
+has been submitted, that will crash the kernel when getting the descriptor
+status.
+
+In this case, since the descriptor has been submitted to process, but it
+is not completed now, which means the descriptor is listed into the
+'vc->desc_submitted' list now. So we can not get current processing descriptor
+by vchan_find_desc(), but the pointer 'schan->cur_desc' will point to the
+current processing descriptor, then we can use 'schan->cur_desc' to get
+current processing descriptor's status to avoid this issue.
+
+Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/dma/sprd-dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c
+index 48431e2da987..e29342ab85f6 100644
+--- a/drivers/dma/sprd-dma.c
++++ b/drivers/dma/sprd-dma.c
+@@ -625,7 +625,7 @@ static enum dma_status sprd_dma_tx_status(struct dma_chan *chan,
+ else
+ pos = 0;
+ } else if (schan->cur_desc && schan->cur_desc->vd.tx.cookie == cookie) {
+- struct sprd_dma_desc *sdesc = to_sprd_dma_desc(vd);
++ struct sprd_dma_desc *sdesc = schan->cur_desc;
+
+ if (sdesc->dir == DMA_DEV_TO_MEM)
+ pos = sprd_dma_get_dst_addr(schan);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-037-dmaengine-sprd-Add-validation-of-current-descr.patch b/patches.kernel.org/5.1.15-037-dmaengine-sprd-Add-validation-of-current-descr.patch
new file mode 100644
index 0000000000..c0dad71faa
--- /dev/null
+++ b/patches.kernel.org/5.1.15-037-dmaengine-sprd-Add-validation-of-current-descr.patch
@@ -0,0 +1,50 @@
+From: Baolin Wang <baolin.wang@linaro.org>
+Date: Mon, 6 May 2019 15:28:29 +0800
+Subject: [PATCH] dmaengine: sprd: Add validation of current descriptor in irq
+ handler
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 58152b0e573e5581c4b9ef7cf06d2e9fafae27d4
+
+[ Upstream commit 58152b0e573e5581c4b9ef7cf06d2e9fafae27d4 ]
+
+When user terminates one DMA channel to free all its descriptors, but
+at the same time one transaction interrupt was triggered possibly, now
+we should not handle this interrupt by validating if the 'schan->cur_desc'
+was set as NULL to avoid crashing the kernel.
+
+Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/dma/sprd-dma.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c
+index e29342ab85f6..431e289d59a5 100644
+--- a/drivers/dma/sprd-dma.c
++++ b/drivers/dma/sprd-dma.c
+@@ -552,12 +552,17 @@ static irqreturn_t dma_irq_handle(int irq, void *dev_id)
+ schan = &sdev->channels[i];
+
+ spin_lock(&schan->vc.lock);
++
++ sdesc = schan->cur_desc;
++ if (!sdesc) {
++ spin_unlock(&schan->vc.lock);
++ return IRQ_HANDLED;
++ }
++
+ int_type = sprd_dma_get_int_type(schan);
+ req_type = sprd_dma_get_req_type(schan);
+ sprd_dma_clear_int(schan);
+
+- sdesc = schan->cur_desc;
+-
+ /* cyclic mode schedule callback */
+ cyclic = schan->linklist.phy_addr ? true : false;
+ if (cyclic == true) {
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-038-dmaengine-sprd-Fix-the-incorrect-start-for-2-s.patch b/patches.kernel.org/5.1.15-038-dmaengine-sprd-Fix-the-incorrect-start-for-2-s.patch
new file mode 100644
index 0000000000..55e374cd87
--- /dev/null
+++ b/patches.kernel.org/5.1.15-038-dmaengine-sprd-Fix-the-incorrect-start-for-2-s.patch
@@ -0,0 +1,40 @@
+From: Eric Long <eric.long@unisoc.com>
+Date: Mon, 6 May 2019 15:28:30 +0800
+Subject: [PATCH] dmaengine: sprd: Fix the incorrect start for 2-stage
+ destination channels
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 3d626a97f0303e9c30d063434b749de3f0f91fb5
+
+[ Upstream commit 3d626a97f0303e9c30d063434b749de3f0f91fb5 ]
+
+The 2-stage destination channel will be triggered by source channel
+automatically, which means we should not trigger it by software request.
+
+Signed-off-by: Eric Long <eric.long@unisoc.com>
+Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/dma/sprd-dma.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c
+index 431e289d59a5..0f92e60529d1 100644
+--- a/drivers/dma/sprd-dma.c
++++ b/drivers/dma/sprd-dma.c
+@@ -510,7 +510,9 @@ static void sprd_dma_start(struct sprd_dma_chn *schan)
+ sprd_dma_set_uid(schan);
+ sprd_dma_enable_chn(schan);
+
+- if (schan->dev_id == SPRD_DMA_SOFTWARE_UID)
++ if (schan->dev_id == SPRD_DMA_SOFTWARE_UID &&
++ schan->chn_mode != SPRD_DMA_DST_CHN0 &&
++ schan->chn_mode != SPRD_DMA_DST_CHN1)
+ sprd_dma_soft_request(schan);
+ }
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-039-dmaengine-sprd-Fix-block-length-overflow.patch b/patches.kernel.org/5.1.15-039-dmaengine-sprd-Fix-block-length-overflow.patch
new file mode 100644
index 0000000000..d56c322dd8
--- /dev/null
+++ b/patches.kernel.org/5.1.15-039-dmaengine-sprd-Fix-block-length-overflow.patch
@@ -0,0 +1,41 @@
+From: Eric Long <eric.long@unisoc.com>
+Date: Mon, 6 May 2019 15:28:31 +0800
+Subject: [PATCH] dmaengine: sprd: Fix block length overflow
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 89d03b3c126d683f7b2cd5b07178493993d12448
+
+[ Upstream commit 89d03b3c126d683f7b2cd5b07178493993d12448 ]
+
+The maximum value of block length is 0xffff, so if the configured transfer length
+is more than 0xffff, that will cause block length overflow to lead a configuration
+error.
+
+Thus we can set block length as the maximum burst length to avoid this issue, since
+the maximum burst length will not be a big value which is more than 0xffff.
+
+Signed-off-by: Eric Long <eric.long@unisoc.com>
+Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/dma/sprd-dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c
+index 0f92e60529d1..a01c23246632 100644
+--- a/drivers/dma/sprd-dma.c
++++ b/drivers/dma/sprd-dma.c
+@@ -778,7 +778,7 @@ static int sprd_dma_fill_desc(struct dma_chan *chan,
+ temp |= slave_cfg->src_maxburst & SPRD_DMA_FRG_LEN_MASK;
+ hw->frg_len = temp;
+
+- hw->blk_len = len & SPRD_DMA_BLK_LEN_MASK;
++ hw->blk_len = slave_cfg->src_maxburst & SPRD_DMA_BLK_LEN_MASK;
+ hw->trsc_len = len & SPRD_DMA_TRSC_LEN_MASK;
+
+ temp = (dst_step & SPRD_DMA_TRSF_STEP_MASK) << SPRD_DMA_DEST_TRSF_STEP_OFFSET;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-040-dmaengine-sprd-Fix-the-right-place-to-configur.patch b/patches.kernel.org/5.1.15-040-dmaengine-sprd-Fix-the-right-place-to-configur.patch
new file mode 100644
index 0000000000..fd14912f52
--- /dev/null
+++ b/patches.kernel.org/5.1.15-040-dmaengine-sprd-Fix-the-right-place-to-configur.patch
@@ -0,0 +1,56 @@
+From: Eric Long <eric.long@unisoc.com>
+Date: Mon, 6 May 2019 15:28:32 +0800
+Subject: [PATCH] dmaengine: sprd: Fix the right place to configure 2-stage
+ transfer
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: c434e377dad1dec05cad1870ce21bc539e1e024f
+
+[ Upstream commit c434e377dad1dec05cad1870ce21bc539e1e024f ]
+
+Move the 2-stage configuration before configuring the link-list mode,
+since we will use some 2-stage configuration to fill the link-list
+configuration.
+
+Signed-off-by: Eric Long <eric.long@unisoc.com>
+Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/dma/sprd-dma.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c
+index a01c23246632..01abed5cde49 100644
+--- a/drivers/dma/sprd-dma.c
++++ b/drivers/dma/sprd-dma.c
+@@ -911,6 +911,12 @@ sprd_dma_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl,
+ schan->linklist.virt_addr = 0;
+ }
+
++ /* Set channel mode and trigger mode for 2-stage transfer */
++ schan->chn_mode =
++ (flags >> SPRD_DMA_CHN_MODE_SHIFT) & SPRD_DMA_CHN_MODE_MASK;
++ schan->trg_mode =
++ (flags >> SPRD_DMA_TRG_MODE_SHIFT) & SPRD_DMA_TRG_MODE_MASK;
++
+ sdesc = kzalloc(sizeof(*sdesc), GFP_NOWAIT);
+ if (!sdesc)
+ return NULL;
+@@ -944,12 +950,6 @@ sprd_dma_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl,
+ }
+ }
+
+- /* Set channel mode and trigger mode for 2-stage transfer */
+- schan->chn_mode =
+- (flags >> SPRD_DMA_CHN_MODE_SHIFT) & SPRD_DMA_CHN_MODE_MASK;
+- schan->trg_mode =
+- (flags >> SPRD_DMA_TRG_MODE_SHIFT) & SPRD_DMA_TRG_MODE_MASK;
+-
+ ret = sprd_dma_fill_desc(chan, &sdesc->chn_hw, 0, 0, src, dst, len,
+ dir, flags, slave_cfg);
+ if (ret) {
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-041-ARC-plat-hsdk-Add-missing-multicast-filter-bin.patch b/patches.kernel.org/5.1.15-041-ARC-plat-hsdk-Add-missing-multicast-filter-bin.patch
new file mode 100644
index 0000000000..60dfb6fc16
--- /dev/null
+++ b/patches.kernel.org/5.1.15-041-ARC-plat-hsdk-Add-missing-multicast-filter-bin.patch
@@ -0,0 +1,42 @@
+From: Jose Abreu <joabreu@synopsys.com>
+Date: Mon, 20 May 2019 15:43:12 +0200
+Subject: [PATCH] ARC: [plat-hsdk]: Add missing multicast filter bins number to
+ GMAC node
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: ecc906a11c2a0940e1a380debd8bd5bc09faf454
+
+[ Upstream commit ecc906a11c2a0940e1a380debd8bd5bc09faf454 ]
+
+GMAC controller on HSDK boards supports 256 Hash Table size so we need to
+add the multicast filter bins property. This allows for the Hash filter
+to work properly using stmmac driver.
+
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Acked-by: Alexey Brodkin <abrodkin@synopsys.com>
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arc/boot/dts/hsdk.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arc/boot/dts/hsdk.dts b/arch/arc/boot/dts/hsdk.dts
+index 7425bb0f2d1b..699f372b2a6f 100644
+--- a/arch/arc/boot/dts/hsdk.dts
++++ b/arch/arc/boot/dts/hsdk.dts
+@@ -187,6 +187,7 @@
+ interrupt-names = "macirq";
+ phy-mode = "rgmii";
+ snps,pbl = <32>;
++ snps,multicast-filter-bins = <256>;
+ clocks = <&gmacclk>;
+ clock-names = "stmmaceth";
+ phy-handle = <&phy0>;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-042-ARC-plat-hsdk-Add-missing-FIFO-size-entry-in-G.patch b/patches.kernel.org/5.1.15-042-ARC-plat-hsdk-Add-missing-FIFO-size-entry-in-G.patch
new file mode 100644
index 0000000000..c752d0c7c2
--- /dev/null
+++ b/patches.kernel.org/5.1.15-042-ARC-plat-hsdk-Add-missing-FIFO-size-entry-in-G.patch
@@ -0,0 +1,42 @@
+From: Jose Abreu <joabreu@synopsys.com>
+Date: Mon, 20 May 2019 15:43:13 +0200
+Subject: [PATCH] ARC: [plat-hsdk]: Add missing FIFO size entry in GMAC node
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 4c70850aeb2e40016722cd1abd43c679666d3ca0
+
+[ Upstream commit 4c70850aeb2e40016722cd1abd43c679666d3ca0 ]
+
+Add the binding for RX/TX fifo size of GMAC node.
+
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Vineet Gupta <vgupta@synopsys.com>
+Tested-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Acked-by: Alexey Brodkin <abrodkin@synopsys.com>
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arc/boot/dts/hsdk.dts | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arc/boot/dts/hsdk.dts b/arch/arc/boot/dts/hsdk.dts
+index 699f372b2a6f..6219b372e9c1 100644
+--- a/arch/arc/boot/dts/hsdk.dts
++++ b/arch/arc/boot/dts/hsdk.dts
+@@ -196,6 +196,9 @@
+ mac-address = [00 00 00 00 00 00]; /* Filled in by U-Boot */
+ dma-coherent;
+
++ tx-fifo-depth = <4096>;
++ rx-fifo-depth = <4096>;
++
+ mdio {
+ #address-cells = <1>;
+ #size-cells = <0>;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-043-MIPS-mark-ginvt-as-__always_inline.patch b/patches.kernel.org/5.1.15-043-MIPS-mark-ginvt-as-__always_inline.patch
new file mode 100644
index 0000000000..ed73e9d772
--- /dev/null
+++ b/patches.kernel.org/5.1.15-043-MIPS-mark-ginvt-as-__always_inline.patch
@@ -0,0 +1,40 @@
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Tue, 21 May 2019 15:20:39 +0900
+Subject: [PATCH] MIPS: mark ginvt() as __always_inline
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 6074c33c6b2eabc70867ef76d57ca256e9ea9da7
+
+[ Upstream commit 6074c33c6b2eabc70867ef76d57ca256e9ea9da7 ]
+
+To meet the 'i' (immediate) constraint for the asm operands,
+this function must be always inlined.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: linux-mips@vger.kernel.org
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/mips/include/asm/ginvt.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/asm/ginvt.h b/arch/mips/include/asm/ginvt.h
+index 49c6dbe37338..6eb7c2b94dc7 100644
+--- a/arch/mips/include/asm/ginvt.h
++++ b/arch/mips/include/asm/ginvt.h
+@@ -19,7 +19,7 @@ _ASM_MACRO_1R1I(ginvt, rs, type,
+ # define _ASM_SET_GINV
+ #endif
+
+-static inline void ginvt(unsigned long addr, enum ginvt_type type)
++static __always_inline void ginvt(unsigned long addr, enum ginvt_type type)
+ {
+ asm volatile(
+ ".set push\n"
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-044-fpga-stratix10-soc-fix-use-after-free-on-s10_i.patch b/patches.kernel.org/5.1.15-044-fpga-stratix10-soc-fix-use-after-free-on-s10_i.patch
new file mode 100644
index 0000000000..ad614a65c6
--- /dev/null
+++ b/patches.kernel.org/5.1.15-044-fpga-stratix10-soc-fix-use-after-free-on-s10_i.patch
@@ -0,0 +1,56 @@
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Thu, 9 May 2019 16:08:26 -0500
+Subject: [PATCH] fpga: stratix10-soc: fix use-after-free on s10_init()
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: f5dd87326fefe42a4b1a4b1a1a695060c33a88d6
+
+[ Upstream commit f5dd87326fefe42a4b1a4b1a1a695060c33a88d6 ]
+
+The refcount of fw_np has already been decreased by of_find_matching_node()
+so it shouldn't be used anymore.
+This patch adds an of_node_get() before of_find_matching_node() to avoid
+the use-after-free problem.
+
+Fixes: e7eef1d7633a ("fpga: add intel stratix10 soc fpga manager driver")
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Alan Tull <atull@kernel.org>
+Cc: Moritz Fischer <mdf@kernel.org>
+Cc: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Cc: linux-fpga@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Reviewed-by: Moritz Fischer <mdf@kernel.org>
+Reviewed-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Acked-by: Alan Tull <atull@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/fpga/stratix10-soc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/fpga/stratix10-soc.c b/drivers/fpga/stratix10-soc.c
+index 13851b3d1c56..215d33789c74 100644
+--- a/drivers/fpga/stratix10-soc.c
++++ b/drivers/fpga/stratix10-soc.c
+@@ -507,12 +507,16 @@ static int __init s10_init(void)
+ if (!fw_np)
+ return -ENODEV;
+
++ of_node_get(fw_np);
+ np = of_find_matching_node(fw_np, s10_of_match);
+- if (!np)
++ if (!np) {
++ of_node_put(fw_np);
+ return -ENODEV;
++ }
+
+ of_node_put(np);
+ ret = of_platform_populate(fw_np, s10_of_match, NULL, NULL);
++ of_node_put(fw_np);
+ if (ret)
+ return ret;
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-045-fpga-dfl-afu-Pass-the-correct-device-to-dma_ma.patch b/patches.kernel.org/5.1.15-045-fpga-dfl-afu-Pass-the-correct-device-to-dma_ma.patch
new file mode 100644
index 0000000000..4bae27dc5b
--- /dev/null
+++ b/patches.kernel.org/5.1.15-045-fpga-dfl-afu-Pass-the-correct-device-to-dma_ma.patch
@@ -0,0 +1,41 @@
+From: Scott Wood <swood@redhat.com>
+Date: Thu, 9 May 2019 16:08:27 -0500
+Subject: [PATCH] fpga: dfl: afu: Pass the correct device to
+ dma_mapping_error()
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 13069847a475b60069918dc9971f5adb42811ce3
+
+[ Upstream commit 13069847a475b60069918dc9971f5adb42811ce3 ]
+
+dma_mapping_error() was being called on a different device struct than
+what was passed to map/unmap. Besides rendering the error checking
+ineffective, it caused a debug splat with CONFIG_DMA_API_DEBUG.
+
+Signed-off-by: Scott Wood <swood@redhat.com>
+Acked-by: Wu Hao <hao.wu@intel.com>
+Acked-by: Moritz Fischer <mdf@kernel.org>
+Acked-by: Alan Tull <atull@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/fpga/dfl-afu-dma-region.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/fpga/dfl-afu-dma-region.c b/drivers/fpga/dfl-afu-dma-region.c
+index e18a786fc943..cd68002ac097 100644
+--- a/drivers/fpga/dfl-afu-dma-region.c
++++ b/drivers/fpga/dfl-afu-dma-region.c
+@@ -399,7 +399,7 @@ int afu_dma_map_region(struct dfl_feature_platform_data *pdata,
+ region->pages[0], 0,
+ region->length,
+ DMA_BIDIRECTIONAL);
+- if (dma_mapping_error(&pdata->dev->dev, region->iova)) {
++ if (dma_mapping_error(dfl_fpga_pdata_to_parent(pdata), region->iova)) {
+ dev_err(&pdata->dev->dev, "failed to map for dma\n");
+ ret = -EFAULT;
+ goto unpin_pages;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-046-fpga-dfl-Add-lockdep-classes-for-pdata-lock.patch b/patches.kernel.org/5.1.15-046-fpga-dfl-Add-lockdep-classes-for-pdata-lock.patch
new file mode 100644
index 0000000000..1415dfc122
--- /dev/null
+++ b/patches.kernel.org/5.1.15-046-fpga-dfl-Add-lockdep-classes-for-pdata-lock.patch
@@ -0,0 +1,142 @@
+From: Scott Wood <swood@redhat.com>
+Date: Thu, 9 May 2019 16:08:28 -0500
+Subject: [PATCH] fpga: dfl: Add lockdep classes for pdata->lock
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: dfe3de8d397bf878b31864d4e489d41118ec475f
+
+[ Upstream commit dfe3de8d397bf878b31864d4e489d41118ec475f ]
+
+struct dfl_feature_platform_data (and it's mutex) is used
+by both fme and port devices, and when lockdep is enabled it
+complains about nesting between these locks. Tell lockdep about
+the difference so it can track each class separately.
+
+Here's the lockdep complaint:
+[ 409.680668] WARNING: possible recursive locking detected
+[ 409.685983] 5.1.0-rc3.fpga+ #1 Tainted: G E
+[ 409.691469] --------------------------------------------
+[ 409.696779] fpgaconf/9348 is trying to acquire lock:
+[ 409.701746] 00000000a443fe2e (&pdata->lock){+.+.}, at: port_enable_set+0x24/0x60 [dfl_afu]
+[ 409.710006]
+[ 409.710006] but task is already holding lock:
+[ 409.715837] 0000000063b78782 (&pdata->lock){+.+.}, at: fme_pr_ioctl+0x21d/0x330 [dfl_fme]
+[ 409.724012]
+[ 409.724012] other info that might help us debug this:
+[ 409.730535] Possible unsafe locking scenario:
+[ 409.730535]
+[ 409.736457] CPU0
+[ 409.738910] ----
+[ 409.741360] lock(&pdata->lock);
+[ 409.744679] lock(&pdata->lock);
+[ 409.747999]
+[ 409.747999] *** DEADLOCK ***
+[ 409.747999]
+[ 409.753920] May be due to missing lock nesting notation
+[ 409.753920]
+[ 409.760704] 4 locks held by fpgaconf/9348:
+[ 409.764805] #0: 0000000063b78782 (&pdata->lock){+.+.}, at: fme_pr_ioctl+0x21d/0x330 [dfl_fme]
+[ 409.773408] #1: 00000000213c8a66 (&region->mutex){+.+.}, at: fpga_region_program_fpga+0x24/0x200 [fpga_region]
+[ 409.783489] #2: 00000000fe63afb9 (&mgr->ref_mutex){+.+.}, at: fpga_mgr_lock+0x15/0x40 [fpga_mgr]
+[ 409.792354] #3: 000000000b2285c5 (&bridge->mutex){+.+.}, at: __fpga_bridge_get+0x26/0xa0 [fpga_bridge]
+[ 409.801740]
+[ 409.801740] stack backtrace:
+[ 409.806102] CPU: 45 PID: 9348 Comm: fpgaconf Kdump: loaded Tainted: G E 5.1.0-rc3.fpga+ #1
+[ 409.815658] Hardware name: Intel Corporation S2600BT/S2600BT, BIOS SE5C620.86B.01.00.0763.022420181017 02/24/2018
+[ 409.825911] Call Trace:
+[ 409.828369] dump_stack+0x5e/0x8b
+[ 409.831686] __lock_acquire+0xf3d/0x10e0
+[ 409.835612] ? find_held_lock+0x3c/0xa0
+[ 409.839451] lock_acquire+0xbc/0x1d0
+[ 409.843030] ? port_enable_set+0x24/0x60 [dfl_afu]
+[ 409.847823] ? port_enable_set+0x24/0x60 [dfl_afu]
+[ 409.852616] __mutex_lock+0x86/0x970
+[ 409.856195] ? port_enable_set+0x24/0x60 [dfl_afu]
+[ 409.860989] ? port_enable_set+0x24/0x60 [dfl_afu]
+[ 409.865777] ? __mutex_unlock_slowpath+0x4b/0x290
+[ 409.870486] port_enable_set+0x24/0x60 [dfl_afu]
+[ 409.875106] fpga_bridges_disable+0x36/0x50 [fpga_bridge]
+[ 409.880502] fpga_region_program_fpga+0xea/0x200 [fpga_region]
+[ 409.886338] fme_pr_ioctl+0x13e/0x330 [dfl_fme]
+[ 409.890870] fme_ioctl+0x66/0xe0 [dfl_fme]
+[ 409.894973] do_vfs_ioctl+0xa9/0x720
+[ 409.898548] ? lockdep_hardirqs_on+0xf0/0x1a0
+[ 409.902907] ksys_ioctl+0x60/0x90
+[ 409.906225] __x64_sys_ioctl+0x16/0x20
+[ 409.909981] do_syscall_64+0x5a/0x220
+[ 409.913644] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 409.918698] RIP: 0033:0x7f9d31b9b8d7
+[ 409.922276] Code: 44 00 00 48 8b 05 b9 15 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 89 15 2d 00 f7 d8 64 89 01 48
+[ 409.941020] RSP: 002b:00007ffe4cae0d68 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
+[ 409.948588] RAX: ffffffffffffffda RBX: 00007f9d32ade6a0 RCX: 00007f9d31b9b8d7
+[ 409.955719] RDX: 00007ffe4cae0df0 RSI: 000000000000b680 RDI: 0000000000000003
+[ 409.962852] RBP: 0000000000000003 R08: 00007f9d2b70a177 R09: 00007ffe4cae0e40
+[ 409.969984] R10: 00007ffe4cae0160 R11: 0000000000000202 R12: 00007ffe4cae0df0
+[ 409.977115] R13: 000000000000b680 R14: 0000000000000000 R15: 00007ffe4cae0f60
+
+Signed-off-by: Scott Wood <swood@redhat.com>
+Acked-by: Wu Hao <hao.wu@intel.com>
+Acked-by: Alan Tull <atull@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/fpga/dfl.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/fpga/dfl.c b/drivers/fpga/dfl.c
+index 2c09e502e721..c25217cde5ca 100644
+--- a/drivers/fpga/dfl.c
++++ b/drivers/fpga/dfl.c
+@@ -40,6 +40,13 @@ enum dfl_fpga_devt_type {
+ DFL_FPGA_DEVT_MAX,
+ };
+
++static struct lock_class_key dfl_pdata_keys[DFL_ID_MAX];
++
++static const char *dfl_pdata_key_strings[DFL_ID_MAX] = {
++ "dfl-fme-pdata",
++ "dfl-port-pdata",
++};
++
+ /**
+ * dfl_dev_info - dfl feature device information.
+ * @name: name string of the feature platform device.
+@@ -443,11 +450,16 @@ static int build_info_commit_dev(struct build_feature_devs_info *binfo)
+ struct platform_device *fdev = binfo->feature_dev;
+ struct dfl_feature_platform_data *pdata;
+ struct dfl_feature_info *finfo, *p;
++ enum dfl_id_type type;
+ int ret, index = 0;
+
+ if (!fdev)
+ return 0;
+
++ type = feature_dev_id_type(fdev);
++ if (WARN_ON_ONCE(type >= DFL_ID_MAX))
++ return -EINVAL;
++
+ /*
+ * we do not need to care for the memory which is associated with
+ * the platform device. After calling platform_device_unregister(),
+@@ -463,6 +475,8 @@ static int build_info_commit_dev(struct build_feature_devs_info *binfo)
+ pdata->num = binfo->feature_num;
+ pdata->dfl_cdev = binfo->cdev;
+ mutex_init(&pdata->lock);
++ lockdep_set_class_and_name(&pdata->lock, &dfl_pdata_keys[type],
++ dfl_pdata_key_strings[type]);
+
+ /*
+ * the count should be initialized to 0 to make sure
+@@ -497,7 +511,7 @@ static int build_info_commit_dev(struct build_feature_devs_info *binfo)
+
+ ret = platform_device_add(binfo->feature_dev);
+ if (!ret) {
+- if (feature_dev_id_type(binfo->feature_dev) == PORT_ID)
++ if (type == PORT_ID)
+ dfl_fpga_cdev_add_port_dev(binfo->cdev,
+ binfo->feature_dev);
+ else
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-047-parport-Fix-mem-leak-in-parport_register_dev_m.patch b/patches.kernel.org/5.1.15-047-parport-Fix-mem-leak-in-parport_register_dev_m.patch
new file mode 100644
index 0000000000..47163fa7f9
--- /dev/null
+++ b/patches.kernel.org/5.1.15-047-parport-Fix-mem-leak-in-parport_register_dev_m.patch
@@ -0,0 +1,70 @@
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 14 May 2019 23:24:37 +0800
+Subject: [PATCH] parport: Fix mem leak in parport_register_dev_model
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 1c7ebeabc9e5ee12e42075a597de40fdb9059530
+
+[ Upstream commit 1c7ebeabc9e5ee12e42075a597de40fdb9059530 ]
+
+BUG: memory leak
+unreferenced object 0xffff8881df48cda0 (size 16):
+ comm "syz-executor.0", pid 5077, jiffies 4295994670 (age 22.280s)
+ hex dump (first 16 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000d2d0d5fe>] parport_register_dev_model+0x141/0x6e0 [parport]
+ [<00000000782f6dab>] 0xffffffffc15d1196
+ [<00000000d2ca6ae4>] platform_drv_probe+0x7e/0x100
+ [<00000000628c2a94>] really_probe+0x342/0x4d0
+ [<000000006874f5da>] driver_probe_device+0x8c/0x170
+ [<00000000424de37a>] __device_attach_driver+0xda/0x100
+ [<000000002acab09a>] bus_for_each_drv+0xfe/0x170
+ [<000000003d9e5f31>] __device_attach+0x190/0x230
+ [<0000000035d32f80>] bus_probe_device+0x123/0x140
+ [<00000000a05ba627>] device_add+0x7cc/0xce0
+ [<000000003f7560bf>] platform_device_add+0x230/0x3c0
+ [<000000002a0be07d>] 0xffffffffc15d0949
+ [<000000007361d8d2>] port_check+0x3b/0x50 [parport]
+ [<000000004d67200f>] bus_for_each_dev+0x115/0x180
+ [<000000003ccfd11c>] __parport_register_driver+0x1f0/0x210 [parport]
+ [<00000000987f06fc>] 0xffffffffc15d803e
+
+After commit 4e5a74f1db8d ("parport: Revert "parport: fix
+memory leak""), free_pardevice do not free par_dev->state,
+we should free it in error path of parport_register_dev_model
+before return.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 4e5a74f1db8d ("parport: Revert "parport: fix memory leak"")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/parport/share.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/parport/share.c b/drivers/parport/share.c
+index 5dc53d420ca8..7b4ee33c1935 100644
+--- a/drivers/parport/share.c
++++ b/drivers/parport/share.c
+@@ -895,6 +895,7 @@ parport_register_dev_model(struct parport *port, const char *name,
+ par_dev->devmodel = true;
+ ret = device_register(&par_dev->dev);
+ if (ret) {
++ kfree(par_dev->state);
+ put_device(&par_dev->dev);
+ goto err_put_port;
+ }
+@@ -912,6 +913,7 @@ parport_register_dev_model(struct parport *port, const char *name,
+ spin_unlock(&port->physport->pardevice_lock);
+ pr_debug("%s: cannot grant exclusive access for device %s\n",
+ port->name, name);
++ kfree(par_dev->state);
+ device_unregister(&par_dev->dev);
+ goto err_put_port;
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-048-parisc-Fix-compiler-warnings-in-float-emulatio.patch b/patches.kernel.org/5.1.15-048-parisc-Fix-compiler-warnings-in-float-emulatio.patch
new file mode 100644
index 0000000000..559e71fd35
--- /dev/null
+++ b/patches.kernel.org/5.1.15-048-parisc-Fix-compiler-warnings-in-float-emulatio.patch
@@ -0,0 +1,56 @@
+From: Helge Deller <deller@gmx.de>
+Date: Fri, 24 May 2019 23:16:25 +0200
+Subject: [PATCH] parisc: Fix compiler warnings in float emulation code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 6b98d9134e14f5ef4bcf64b27eedf484ed19a1ec
+
+[ Upstream commit 6b98d9134e14f5ef4bcf64b27eedf484ed19a1ec ]
+
+Avoid such compiler warnings:
+arch/parisc/math-emu/cnv_float.h:71:27: warning: ‘<<’ in boolean context, did you mean ‘<’ ? [-Wint-in-bool-context]
+ ((Dintp1(dint_valueA) << 33 - SGL_EXP_LENGTH) || Dintp2(dint_valueB))
+arch/parisc/math-emu/fcnvxf.c:257:6: note: in expansion of macro ‘Dint_isinexact_to_sgl’
+ if (Dint_isinexact_to_sgl(srcp1,srcp2)) {
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/parisc/math-emu/cnv_float.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/parisc/math-emu/cnv_float.h b/arch/parisc/math-emu/cnv_float.h
+index 933423fa5144..b0db61188a61 100644
+--- a/arch/parisc/math-emu/cnv_float.h
++++ b/arch/parisc/math-emu/cnv_float.h
+@@ -60,19 +60,19 @@
+ ((exponent < (SGL_P - 1)) ? \
+ (Sall(sgl_value) << (SGL_EXP_LENGTH + 1 + exponent)) : FALSE)
+
+-#define Int_isinexact_to_sgl(int_value) (int_value << 33 - SGL_EXP_LENGTH)
++#define Int_isinexact_to_sgl(int_value) ((int_value << 33 - SGL_EXP_LENGTH) != 0)
+
+ #define Sgl_roundnearest_from_int(int_value,sgl_value) \
+ if (int_value & 1<<(SGL_EXP_LENGTH - 2)) /* round bit */ \
+- if ((int_value << 34 - SGL_EXP_LENGTH) || Slow(sgl_value)) \
++ if (((int_value << 34 - SGL_EXP_LENGTH) != 0) || Slow(sgl_value)) \
+ Sall(sgl_value)++
+
+ #define Dint_isinexact_to_sgl(dint_valueA,dint_valueB) \
+- ((Dintp1(dint_valueA) << 33 - SGL_EXP_LENGTH) || Dintp2(dint_valueB))
++ (((Dintp1(dint_valueA) << 33 - SGL_EXP_LENGTH) != 0) || Dintp2(dint_valueB))
+
+ #define Sgl_roundnearest_from_dint(dint_valueA,dint_valueB,sgl_value) \
+ if (Dintp1(dint_valueA) & 1<<(SGL_EXP_LENGTH - 2)) \
+- if ((Dintp1(dint_valueA) << 34 - SGL_EXP_LENGTH) || \
++ if (((Dintp1(dint_valueA) << 34 - SGL_EXP_LENGTH) != 0) || \
+ Dintp2(dint_valueB) || Slow(sgl_value)) Sall(sgl_value)++
+
+ #define Dint_isinexact_to_dbl(dint_value) \
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-049-habanalabs-fix-bug-in-checking-huge-page-optim.patch b/patches.kernel.org/5.1.15-049-habanalabs-fix-bug-in-checking-huge-page-optim.patch
new file mode 100644
index 0000000000..2d0e527f89
--- /dev/null
+++ b/patches.kernel.org/5.1.15-049-habanalabs-fix-bug-in-checking-huge-page-optim.patch
@@ -0,0 +1,54 @@
+From: Oded Gabbay <oded.gabbay@gmail.com>
+Date: Tue, 28 May 2019 23:03:54 +0300
+Subject: [PATCH] habanalabs: fix bug in checking huge page optimization
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: d724170160f800fa8dfd3c0cdebb8b093570b504
+
+[ Upstream commit d724170160f800fa8dfd3c0cdebb8b093570b504 ]
+
+This patch fix a bug in the mmu code that checks whether we can use huge
+page mappings for host pages.
+
+The code is supposed to enable huge page mappings only if ALL DMA
+addresses are aligned to 2MB AND the number of pages in each DMA chunk is
+a modulo of the number of pages in 2MB. However, the code ignored the
+first requirement for the first DMA chunk.
+
+This patch fix that issue by making sure the requirement of address
+alignment is validated against all DMA chunks.
+
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/misc/habanalabs/memory.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/drivers/misc/habanalabs/memory.c b/drivers/misc/habanalabs/memory.c
+index fadaf557603f..425442819d31 100644
+--- a/drivers/misc/habanalabs/memory.c
++++ b/drivers/misc/habanalabs/memory.c
+@@ -675,11 +675,6 @@ static int init_phys_pg_pack_from_userptr(struct hl_ctx *ctx,
+
+ total_npages += npages;
+
+- if (first) {
+- first = false;
+- dma_addr &= PAGE_MASK_2MB;
+- }
+-
+ if ((npages % PGS_IN_2MB_PAGE) ||
+ (dma_addr & (PAGE_SIZE_2MB - 1)))
+ is_huge_page_opt = false;
+@@ -704,7 +699,6 @@ static int init_phys_pg_pack_from_userptr(struct hl_ctx *ctx,
+ phys_pg_pack->total_size = total_npages * page_size;
+
+ j = 0;
+- first = true;
+ for_each_sg(userptr->sgt->sgl, sg, userptr->sgt->nents, i) {
+ npages = get_sg_info(sg, &dma_addr);
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-050-IB-rdmavt-Fix-alloc_qpn-WARN_ON.patch b/patches.kernel.org/5.1.15-050-IB-rdmavt-Fix-alloc_qpn-WARN_ON.patch
new file mode 100644
index 0000000000..65988bb229
--- /dev/null
+++ b/patches.kernel.org/5.1.15-050-IB-rdmavt-Fix-alloc_qpn-WARN_ON.patch
@@ -0,0 +1,60 @@
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 24 May 2019 11:44:38 -0400
+Subject: [PATCH] IB/rdmavt: Fix alloc_qpn() WARN_ON()
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 2abae62a26a265129b364d8c1ef3be55e2c01309
+
+[ Upstream commit 2abae62a26a265129b364d8c1ef3be55e2c01309 ]
+
+The qpn allocation logic has a WARN_ON() that intends to detect the use of
+an index that will introduce bits in the lower order bits of the QOS bits
+in the QPN.
+
+Unfortunately, it has the following bugs:
+- it misfires when wrapping QPN allocation for non-QOS
+- it doesn't correctly detect low order QOS bits (despite the comment)
+
+The WARN_ON() should not be applied to non-QOS (qos_shift == 1).
+
+Additionally, it SHOULD test the qpn bits per the table below:
+
+2 data VLs: [qp7, qp6, qp5, qp4, qp3, qp2, qp1] ^
+ [ 0, 0, 0, 0, 0, 0, sc0], qp bit 1 always 0*
+3-4 data VLs: [qp7, qp6, qp5, qp4, qp3, qp2, qp1] ^
+ [ 0, 0, 0, 0, 0, sc1, sc0], qp bits [21] always 0
+5-8 data VLs: [qp7, qp6, qp5, qp4, qp3, qp2, qp1] ^
+ [ 0, 0, 0, 0, sc2, sc1, sc0] qp bits [321] always 0
+
+Fix by qualifying the warning for qos_shift > 1 and producing the correct
+mask to insure the above bits are zero without generating a superfluous
+warning.
+
+Fixes: 501edc42446e ("IB/rdmavt: Correct warning during QPN allocation")
+Reviewed-by: Kaike Wan <kaike.wan@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/infiniband/sw/rdmavt/qp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rdmavt/qp.c b/drivers/infiniband/sw/rdmavt/qp.c
+index a34b9a2a32b6..a77436ee5ff7 100644
+--- a/drivers/infiniband/sw/rdmavt/qp.c
++++ b/drivers/infiniband/sw/rdmavt/qp.c
+@@ -594,7 +594,8 @@ static int alloc_qpn(struct rvt_dev_info *rdi, struct rvt_qpn_table *qpt,
+ offset = qpt->incr | ((offset & 1) ^ 1);
+ }
+ /* there can be no set bits in low-order QoS bits */
+- WARN_ON(offset & (BIT(rdi->dparms.qos_shift) - 1));
++ WARN_ON(rdi->dparms.qos_shift > 1 &&
++ offset & ((BIT(rdi->dparms.qos_shift - 1) - 1) << 1));
+ qpn = mk_qpn(qpt, map, offset);
+ }
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-051-IB-hfi1-Insure-freeze_work-work_struct-is-canc.patch b/patches.kernel.org/5.1.15-051-IB-hfi1-Insure-freeze_work-work_struct-is-canc.patch
new file mode 100644
index 0000000000..fc9334f242
--- /dev/null
+++ b/patches.kernel.org/5.1.15-051-IB-hfi1-Insure-freeze_work-work_struct-is-canc.patch
@@ -0,0 +1,42 @@
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 24 May 2019 11:44:45 -0400
+Subject: [PATCH] IB/hfi1: Insure freeze_work work_struct is canceled on
+ shutdown
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 6d517353c70bb0818b691ca003afdcb5ee5ea44e
+
+[ Upstream commit 6d517353c70bb0818b691ca003afdcb5ee5ea44e ]
+
+By code inspection, the freeze_work is never canceled.
+
+Fix by adding a cancel_work_sync in the shutdown path to insure it is no
+longer running.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/infiniband/hw/hfi1/chip.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/hfi1/chip.c b/drivers/infiniband/hw/hfi1/chip.c
+index e02d9a739e9c..597f2f02f3a8 100644
+--- a/drivers/infiniband/hw/hfi1/chip.c
++++ b/drivers/infiniband/hw/hfi1/chip.c
+@@ -9848,6 +9848,7 @@ void hfi1_quiet_serdes(struct hfi1_pportdata *ppd)
+
+ /* disable the port */
+ clear_rcvctrl(dd, RCV_CTRL_RCV_PORT_ENABLE_SMASK);
++ cancel_work_sync(&ppd->freeze_work);
+ }
+
+ static inline int init_cpu_counters(struct hfi1_devdata *dd)
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-052-IB-qib-hfi1-rdmavt-Correct-ibv_devinfo-max_mr-.patch b/patches.kernel.org/5.1.15-052-IB-qib-hfi1-rdmavt-Correct-ibv_devinfo-max_mr-.patch
new file mode 100644
index 0000000000..1e8af2c0f8
--- /dev/null
+++ b/patches.kernel.org/5.1.15-052-IB-qib-hfi1-rdmavt-Correct-ibv_devinfo-max_mr-.patch
@@ -0,0 +1,69 @@
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 24 May 2019 11:44:51 -0400
+Subject: [PATCH] IB/{qib, hfi1, rdmavt}: Correct ibv_devinfo max_mr value
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 35164f5259a47ea756fa1deb3e463ac2a4f10dc9
+
+[ Upstream commit 35164f5259a47ea756fa1deb3e463ac2a4f10dc9 ]
+
+The command 'ibv_devinfo -v' reports 0 for max_mr.
+
+Fix by assigning the query values after the mr lkey_table has been built
+rather than early on in the driver.
+
+Fixes: 7b1e2099adc8 ("IB/rdmavt: Move memory registration into rdmavt")
+Reviewed-by: Josh Collier <josh.d.collier@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/infiniband/hw/hfi1/verbs.c | 2 --
+ drivers/infiniband/hw/qib/qib_verbs.c | 2 --
+ drivers/infiniband/sw/rdmavt/mr.c | 2 ++
+ 3 files changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/verbs.c b/drivers/infiniband/hw/hfi1/verbs.c
+index 55a56b3d7f83..ea68eeba3f22 100644
+--- a/drivers/infiniband/hw/hfi1/verbs.c
++++ b/drivers/infiniband/hw/hfi1/verbs.c
+@@ -1355,8 +1355,6 @@ static void hfi1_fill_device_attr(struct hfi1_devdata *dd)
+ rdi->dparms.props.max_cq = hfi1_max_cqs;
+ rdi->dparms.props.max_ah = hfi1_max_ahs;
+ rdi->dparms.props.max_cqe = hfi1_max_cqes;
+- rdi->dparms.props.max_mr = rdi->lkey_table.max;
+- rdi->dparms.props.max_fmr = rdi->lkey_table.max;
+ rdi->dparms.props.max_map_per_fmr = 32767;
+ rdi->dparms.props.max_pd = hfi1_max_pds;
+ rdi->dparms.props.max_qp_rd_atom = HFI1_MAX_RDMA_ATOMIC;
+diff --git a/drivers/infiniband/hw/qib/qib_verbs.c b/drivers/infiniband/hw/qib/qib_verbs.c
+index 5ff32d32c61c..2c4e569ce438 100644
+--- a/drivers/infiniband/hw/qib/qib_verbs.c
++++ b/drivers/infiniband/hw/qib/qib_verbs.c
+@@ -1459,8 +1459,6 @@ static void qib_fill_device_attr(struct qib_devdata *dd)
+ rdi->dparms.props.max_cq = ib_qib_max_cqs;
+ rdi->dparms.props.max_cqe = ib_qib_max_cqes;
+ rdi->dparms.props.max_ah = ib_qib_max_ahs;
+- rdi->dparms.props.max_mr = rdi->lkey_table.max;
+- rdi->dparms.props.max_fmr = rdi->lkey_table.max;
+ rdi->dparms.props.max_map_per_fmr = 32767;
+ rdi->dparms.props.max_qp_rd_atom = QIB_MAX_RDMA_ATOMIC;
+ rdi->dparms.props.max_qp_init_rd_atom = 255;
+diff --git a/drivers/infiniband/sw/rdmavt/mr.c b/drivers/infiniband/sw/rdmavt/mr.c
+index 0bb6e39dd03a..b04d2173e3f4 100644
+--- a/drivers/infiniband/sw/rdmavt/mr.c
++++ b/drivers/infiniband/sw/rdmavt/mr.c
+@@ -96,6 +96,8 @@ int rvt_driver_mr_init(struct rvt_dev_info *rdi)
+ for (i = 0; i < rdi->lkey_table.max; i++)
+ RCU_INIT_POINTER(rdi->lkey_table.table[i], NULL);
+
++ rdi->dparms.props.max_mr = rdi->lkey_table.max;
++ rdi->dparms.props.max_fmr = rdi->lkey_table.max;
+ return 0;
+ }
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-053-IB-hfi1-Validate-page-aligned-for-a-given-virt.patch b/patches.kernel.org/5.1.15-053-IB-hfi1-Validate-page-aligned-for-a-given-virt.patch
new file mode 100644
index 0000000000..f7b236c1c0
--- /dev/null
+++ b/patches.kernel.org/5.1.15-053-IB-hfi1-Validate-page-aligned-for-a-given-virt.patch
@@ -0,0 +1,44 @@
+From: Kamenee Arumugam <kamenee.arumugam@intel.com>
+Date: Fri, 24 May 2019 11:45:04 -0400
+Subject: [PATCH] IB/hfi1: Validate page aligned for a given virtual address
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 97736f36dbebf2cda2799db3b54717ba5b388255
+
+[ Upstream commit 97736f36dbebf2cda2799db3b54717ba5b388255 ]
+
+User applications can register memory regions for TID buffers that are not
+aligned on page boundaries. Hfi1 is expected to pin those pages in memory
+and cache the pages with mmu_rb. The rb tree will fail to insert pages
+that are not aligned correctly.
+
+Validate whether a given virtual address is page aligned before pinning.
+
+Fixes: 7e7a436ecb6e ("staging/hfi1: Add TID entry program function body")
+Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Kamenee Arumugam <kamenee.arumugam@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/infiniband/hw/hfi1/user_exp_rcv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+index 0cd71ce7cc71..3592a9ec155e 100644
+--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+@@ -324,6 +324,9 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+ u32 *tidlist = NULL;
+ struct tid_user_buf *tidbuf;
+
++ if (!PAGE_ALIGNED(tinfo->vaddr))
++ return -EINVAL;
++
+ tidbuf = kzalloc(sizeof(*tidbuf), GFP_KERNEL);
+ if (!tidbuf)
+ return -ENOMEM;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-054-MIPS-uprobes-remove-set-but-not-used-variable-.patch b/patches.kernel.org/5.1.15-054-MIPS-uprobes-remove-set-but-not-used-variable-.patch
new file mode 100644
index 0000000000..3efe141532
--- /dev/null
+++ b/patches.kernel.org/5.1.15-054-MIPS-uprobes-remove-set-but-not-used-variable-.patch
@@ -0,0 +1,46 @@
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Sat, 25 May 2019 20:20:24 +0800
+Subject: [PATCH] MIPS: uprobes: remove set but not used variable 'epc'
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: f532beeeff0c0a3586cc15538bc52d249eb19e7c
+
+[ Upstream commit f532beeeff0c0a3586cc15538bc52d249eb19e7c ]
+
+Fixes gcc '-Wunused-but-set-variable' warning:
+
+arch/mips/kernel/uprobes.c: In function 'arch_uprobe_pre_xol':
+arch/mips/kernel/uprobes.c:115:17: warning: variable 'epc' set but not used [-Wunused-but-set-variable]
+
+It's never used since introduction in
+commit 40e084a506eb ("MIPS: Add uprobes support.")
+
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: <ralf@linux-mips.org>
+Cc: <jhogan@kernel.org>
+Cc: <linux-kernel@vger.kernel.org>
+Cc: <linux-mips@vger.kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/mips/kernel/uprobes.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/mips/kernel/uprobes.c b/arch/mips/kernel/uprobes.c
+index 4aaff3b3175c..6dbe4eab0a0e 100644
+--- a/arch/mips/kernel/uprobes.c
++++ b/arch/mips/kernel/uprobes.c
+@@ -112,9 +112,6 @@ int arch_uprobe_pre_xol(struct arch_uprobe *aup, struct pt_regs *regs)
+ */
+ aup->resume_epc = regs->cp0_epc + 4;
+ if (insn_has_delay_slot((union mips_instruction) aup->insn[0])) {
+- unsigned long epc;
+-
+- epc = regs->cp0_epc;
+ __compute_return_epc_for_insn(regs,
+ (union mips_instruction) aup->insn[0]);
+ aup->resume_epc = regs->cp0_epc;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-055-crypto-hmac-fix-memory-leak-in-hmac_init_tfm.patch b/patches.kernel.org/5.1.15-055-crypto-hmac-fix-memory-leak-in-hmac_init_tfm.patch
new file mode 100644
index 0000000000..2e729e689f
--- /dev/null
+++ b/patches.kernel.org/5.1.15-055-crypto-hmac-fix-memory-leak-in-hmac_init_tfm.patch
@@ -0,0 +1,41 @@
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 22 May 2019 12:42:29 -0700
+Subject: [PATCH] crypto: hmac - fix memory leak in hmac_init_tfm()
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 7829a0c1cb9c80debfb4fdb49b4d90019f2ea1ac
+
+[ Upstream commit 7829a0c1cb9c80debfb4fdb49b4d90019f2ea1ac ]
+
+When I added the sanity check of 'descsize', I missed that the child
+hash tfm needs to be freed if the sanity check fails. Of course this
+should never happen, hence the use of WARN_ON(), but it should be fixed.
+
+Fixes: e1354400b25d ("crypto: hash - fix incorrect HASH_MAX_DESCSIZE")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ crypto/hmac.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/hmac.c b/crypto/hmac.c
+index 4b8c8ee8f15c..c623778b36ba 100644
+--- a/crypto/hmac.c
++++ b/crypto/hmac.c
+@@ -168,8 +168,10 @@ static int hmac_init_tfm(struct crypto_tfm *tfm)
+
+ parent->descsize = sizeof(struct shash_desc) +
+ crypto_shash_descsize(hash);
+- if (WARN_ON(parent->descsize > HASH_MAX_DESCSIZE))
++ if (WARN_ON(parent->descsize > HASH_MAX_DESCSIZE)) {
++ crypto_free_shash(hash);
+ return -EINVAL;
++ }
+
+ ctx->hash = hash;
+ return 0;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-056-xtensa-Fix-section-mismatch-between-memblock_r.patch b/patches.kernel.org/5.1.15-056-xtensa-Fix-section-mismatch-between-memblock_r.patch
new file mode 100644
index 0000000000..28acc414df
--- /dev/null
+++ b/patches.kernel.org/5.1.15-056-xtensa-Fix-section-mismatch-between-memblock_r.patch
@@ -0,0 +1,54 @@
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 30 May 2019 05:41:38 -0700
+Subject: [PATCH] xtensa: Fix section mismatch between memblock_reserve and
+ mem_reserve
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: adefd051a6707a6ca0ebad278d3c1c05c960fc3b
+
+[ Upstream commit adefd051a6707a6ca0ebad278d3c1c05c960fc3b ]
+
+Since commit 9012d011660ea5cf2 ("compiler: allow all arches to enable
+CONFIG_OPTIMIZE_INLINING"), xtensa:tinyconfig fails to build with section
+mismatch errors.
+
+WARNING: vmlinux.o(.text.unlikely+0x68): Section mismatch in reference
+ from the function ___pa()
+ to the function .meminit.text:memblock_reserve()
+WARNING: vmlinux.o(.text.unlikely+0x74): Section mismatch in reference
+ from the function mem_reserve()
+ to the function .meminit.text:memblock_reserve()
+FATAL: modpost: Section mismatches detected.
+
+This was not seen prior to the above mentioned commit because mem_reserve()
+was always inlined.
+
+Mark mem_reserve(() as __init_memblock to have it reside in the same
+section as memblock_reserve().
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Message-Id: <1559220098-9955-1-git-send-email-linux@roeck-us.net>
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/xtensa/kernel/setup.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/xtensa/kernel/setup.c b/arch/xtensa/kernel/setup.c
+index 4ec6fbb696bf..a5139f1d9220 100644
+--- a/arch/xtensa/kernel/setup.c
++++ b/arch/xtensa/kernel/setup.c
+@@ -310,7 +310,8 @@ extern char _SecondaryResetVector_text_start;
+ extern char _SecondaryResetVector_text_end;
+ #endif
+
+-static inline int mem_reserve(unsigned long start, unsigned long end)
++static inline int __init_memblock mem_reserve(unsigned long start,
++ unsigned long end)
+ {
+ return memblock_reserve(start, end - start);
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-057-kselftest-cgroup-fix-unexpected-testing-failur.patch b/patches.kernel.org/5.1.15-057-kselftest-cgroup-fix-unexpected-testing-failur.patch
new file mode 100644
index 0000000000..a9e2e8e6cb
--- /dev/null
+++ b/patches.kernel.org/5.1.15-057-kselftest-cgroup-fix-unexpected-testing-failur.patch
@@ -0,0 +1,66 @@
+From: Alex Shi <alex.shi@linux.alibaba.com>
+Date: Mon, 27 May 2019 14:28:05 +0800
+Subject: [PATCH] kselftest/cgroup: fix unexpected testing failure on
+ test_memcontrol
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: f6131f28057d4fd8922599339e701a2504e0f23d
+
+[ Upstream commit f6131f28057d4fd8922599339e701a2504e0f23d ]
+
+The cgroup testing relies on the root cgroup's subtree_control setting,
+If the 'memory' controller isn't set, all test cases will be failed
+as following:
+
+$ sudo ./test_memcontrol
+not ok 1 test_memcg_subtree_control
+not ok 2 test_memcg_current
+ok 3 # skip test_memcg_min
+not ok 4 test_memcg_low
+not ok 5 test_memcg_high
+not ok 6 test_memcg_max
+not ok 7 test_memcg_oom_events
+ok 8 # skip test_memcg_swap_max
+not ok 9 test_memcg_sock
+not ok 10 test_memcg_oom_group_leaf_events
+not ok 11 test_memcg_oom_group_parent_events
+not ok 12 test_memcg_oom_group_score_events
+
+To correct this unexpected failure, this patch write the 'memory' to
+subtree_control of root to get a right result.
+
+Signed-off-by: Alex Shi <alex.shi@linux.alibaba.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Roman Gushchin <guro@fb.com>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Cc: Jay Kamat <jgkamat@fb.com>
+Cc: linux-kselftest@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Reviewed-by: Roman Gushchin <guro@fb.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/testing/selftests/cgroup/test_memcontrol.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/testing/selftests/cgroup/test_memcontrol.c b/tools/testing/selftests/cgroup/test_memcontrol.c
+index 6f339882a6ca..c19a97dd02d4 100644
+--- a/tools/testing/selftests/cgroup/test_memcontrol.c
++++ b/tools/testing/selftests/cgroup/test_memcontrol.c
+@@ -1205,6 +1205,10 @@ int main(int argc, char **argv)
+ if (cg_read_strstr(root, "cgroup.controllers", "memory"))
+ ksft_exit_skip("memory controller isn't available\n");
+
++ if (cg_read_strstr(root, "cgroup.subtree_control", "memory"))
++ if (cg_write(root, "cgroup.subtree_control", "+memory"))
++ ksft_exit_skip("Failed to set memory controller\n");
++
+ for (i = 0; i < ARRAY_SIZE(tests); i++) {
+ switch (tests[i].fn(root)) {
+ case KSFT_PASS:
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-058-kselftest-cgroup-fix-unexpected-testing-failur.patch b/patches.kernel.org/5.1.15-058-kselftest-cgroup-fix-unexpected-testing-failur.patch
new file mode 100644
index 0000000000..42f2db4f20
--- /dev/null
+++ b/patches.kernel.org/5.1.15-058-kselftest-cgroup-fix-unexpected-testing-failur.patch
@@ -0,0 +1,58 @@
+From: Alex Shi <alex.shi@linux.alibaba.com>
+Date: Mon, 27 May 2019 14:28:06 +0800
+Subject: [PATCH] kselftest/cgroup: fix unexpected testing failure on test_core
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 00e38a5d753d7788852f81703db804a60a84c26e
+
+[ Upstream commit 00e38a5d753d7788852f81703db804a60a84c26e ]
+
+The cgroup testing relys on the root cgroup's subtree_control setting,
+If the 'memory' controller isn't set, some test cases will be failed
+as following:
+
+$sudo ./test_core
+not ok 1 test_cgcore_internal_process_constraint
+ok 2 test_cgcore_top_down_constraint_enable
+not ok 3 test_cgcore_top_down_constraint_disable
+...
+
+To correct this unexpected failure, this patch write the 'memory' to
+subtree_control of root to get a right result.
+
+Signed-off-by: Alex Shi <alex.shi@linux.alibaba.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Roman Gushchin <guro@fb.com>
+Cc: Claudio Zumbo <claudioz@fb.com>
+Cc: Claudio <claudiozumbo@gmail.com>
+Cc: linux-kselftest@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Reviewed-by: Roman Gushchin <guro@fb.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/testing/selftests/cgroup/test_core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tools/testing/selftests/cgroup/test_core.c b/tools/testing/selftests/cgroup/test_core.c
+index be59f9c34ea2..d78f1c5366d3 100644
+--- a/tools/testing/selftests/cgroup/test_core.c
++++ b/tools/testing/selftests/cgroup/test_core.c
+@@ -376,6 +376,11 @@ int main(int argc, char *argv[])
+
+ if (cg_find_unified_root(root, sizeof(root)))
+ ksft_exit_skip("cgroup v2 isn't mounted\n");
++
++ if (cg_read_strstr(root, "cgroup.subtree_control", "memory"))
++ if (cg_write(root, "cgroup.subtree_control", "+memory"))
++ ksft_exit_skip("Failed to set memory controller\n");
++
+ for (i = 0; i < ARRAY_SIZE(tests); i++) {
+ switch (tests[i].fn(root)) {
+ case KSFT_PASS:
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-059-kselftest-cgroup-fix-incorrect-test_core-skip.patch b/patches.kernel.org/5.1.15-059-kselftest-cgroup-fix-incorrect-test_core-skip.patch
new file mode 100644
index 0000000000..ee4dc706e0
--- /dev/null
+++ b/patches.kernel.org/5.1.15-059-kselftest-cgroup-fix-incorrect-test_core-skip.patch
@@ -0,0 +1,52 @@
+From: Alex Shi <alex.shi@linux.alibaba.com>
+Date: Mon, 27 May 2019 14:28:07 +0800
+Subject: [PATCH] kselftest/cgroup: fix incorrect test_core skip
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: f97f3f8839eb9de5843066d80819884f7722c8c5
+
+[ Upstream commit f97f3f8839eb9de5843066d80819884f7722c8c5 ]
+
+The test_core will skip the
+test_cgcore_no_internal_process_constraint_on_threads test case if the
+'cpu' controller missing in root's subtree_control. In fact we need to
+set the 'cpu' in subtree_control, to make the testing meaningful.
+
+./test_core
+...
+ok 4 # skip test_cgcore_no_internal_process_constraint_on_threads
+...
+
+Signed-off-by: Alex Shi <alex.shi@linux.alibaba.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Roman Gushchin <guro@fb.com>
+Cc: Claudio Zumbo <claudioz@fb.com>
+Cc: Claudio <claudiozumbo@gmail.com>
+Cc: linux-kselftest@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Reviewed-by: Roman Gushchin <guro@fb.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/testing/selftests/cgroup/test_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/cgroup/test_core.c b/tools/testing/selftests/cgroup/test_core.c
+index d78f1c5366d3..79053a4f4783 100644
+--- a/tools/testing/selftests/cgroup/test_core.c
++++ b/tools/testing/selftests/cgroup/test_core.c
+@@ -198,7 +198,7 @@ static int test_cgcore_no_internal_process_constraint_on_threads(const char *roo
+ char *parent = NULL, *child = NULL;
+
+ if (cg_read_strstr(root, "cgroup.controllers", "cpu") ||
+- cg_read_strstr(root, "cgroup.subtree_control", "cpu")) {
++ cg_write(root, "cgroup.subtree_control", "+cpu")) {
+ ret = KSFT_SKIP;
+ goto cleanup;
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-060-userfaultfd-selftest-fix-compiler-warning.patch b/patches.kernel.org/5.1.15-060-userfaultfd-selftest-fix-compiler-warning.patch
new file mode 100644
index 0000000000..acbe60f84e
--- /dev/null
+++ b/patches.kernel.org/5.1.15-060-userfaultfd-selftest-fix-compiler-warning.patch
@@ -0,0 +1,45 @@
+From: Alakesh Haloi <alakesh.haloi@gmail.com>
+Date: Mon, 27 May 2019 15:18:59 +0000
+Subject: [PATCH] userfaultfd: selftest: fix compiler warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 98a13a8d253999cf25eb16d901c35fbd2a8455c4
+
+[ Upstream commit 98a13a8d253999cf25eb16d901c35fbd2a8455c4 ]
+
+Fixes following compiler warning
+
+userfaultfd.c: In function ‘usage’:
+userfaultfd.c:126:2: warning: format not a string literal and no format
+ arguments [-Wformat-security]
+ fprintf(stderr, examples);
+
+Signed-off-by: Alakesh Haloi <alakesh.haloi@gmail.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/testing/selftests/vm/userfaultfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/vm/userfaultfd.c b/tools/testing/selftests/vm/userfaultfd.c
+index 5d1db824f73a..b3e6497b080c 100644
+--- a/tools/testing/selftests/vm/userfaultfd.c
++++ b/tools/testing/selftests/vm/userfaultfd.c
+@@ -123,7 +123,7 @@ static void usage(void)
+ fprintf(stderr, "Supported <test type>: anon, hugetlb, "
+ "hugetlb_shared, shmem\n\n");
+ fprintf(stderr, "Examples:\n\n");
+- fprintf(stderr, examples);
++ fprintf(stderr, "%s", examples);
+ exit(1);
+ }
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-061-selftests-vm-install-test_vmalloc.sh-for-run_v.patch b/patches.kernel.org/5.1.15-061-selftests-vm-install-test_vmalloc.sh-for-run_v.patch
new file mode 100644
index 0000000000..8f02c82acc
--- /dev/null
+++ b/patches.kernel.org/5.1.15-061-selftests-vm-install-test_vmalloc.sh-for-run_v.patch
@@ -0,0 +1,41 @@
+From: Naresh Kamboju <naresh.kamboju@linaro.org>
+Date: Tue, 28 May 2019 13:18:09 +0100
+Subject: [PATCH] selftests: vm: install test_vmalloc.sh for run_vmtests
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: bc2cce3f2ebcae02aa4bb29e3436bf75ee674c32
+
+[ Upstream commit bc2cce3f2ebcae02aa4bb29e3436bf75ee674c32 ]
+
+Add test_vmalloc.sh to TEST_FILES to make sure it gets installed for
+run_vmtests.
+
+Fixed below error:
+./run_vmtests: line 217: ./test_vmalloc.sh: No such file or directory
+
+Tested with: make TARGETS=vm install INSTALL_PATH=$PWD/x
+
+Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/testing/selftests/vm/Makefile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/testing/selftests/vm/Makefile b/tools/testing/selftests/vm/Makefile
+index e13eb6cc8901..05306c58ff9f 100644
+--- a/tools/testing/selftests/vm/Makefile
++++ b/tools/testing/selftests/vm/Makefile
+@@ -25,6 +25,8 @@ TEST_GEN_FILES += virtual_address_range
+
+ TEST_PROGS := run_vmtests
+
++TEST_FILES := test_vmalloc.sh
++
+ KSFT_KHDR_INSTALL := 1
+ include ../lib.mk
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-062-net-dsa-mv88e6xxx-avoid-error-message-on-remov.patch b/patches.kernel.org/5.1.15-062-net-dsa-mv88e6xxx-avoid-error-message-on-remov.patch
new file mode 100644
index 0000000000..37d9877c12
--- /dev/null
+++ b/patches.kernel.org/5.1.15-062-net-dsa-mv88e6xxx-avoid-error-message-on-remov.patch
@@ -0,0 +1,52 @@
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Date: Fri, 31 May 2019 10:35:14 +0300
+Subject: [PATCH] net: dsa: mv88e6xxx: avoid error message on remove from VLAN
+ 0
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 62394708f3e01c9f2be6be74eb6305bae1ed924f
+
+[ Upstream commit 62394708f3e01c9f2be6be74eb6305bae1ed924f ]
+
+When non-bridged, non-vlan'ed mv88e6xxx port is moving down, error
+message is logged:
+
+failed to kill vid 0081/0 for device eth_cu_1000_4
+
+This is caused by call from __vlan_vid_del() with vin set to zero, over
+call chain this results into _mv88e6xxx_port_vlan_del() called with
+vid=0, and mv88e6xxx_vtu_get() called from there returns -EINVAL.
+
+On symmetric path moving port up, call goes through
+mv88e6xxx_port_vlan_prepare() that calls mv88e6xxx_port_check_hw_vlan()
+that returns -EOPNOTSUPP for zero vid.
+
+This patch changes mv88e6xxx_vtu_get() to also return -EOPNOTSUPP for
+zero vid, then this error code is explicitly cleared in
+dsa_slave_vlan_rx_kill_vid() and error message is no longer logged.
+
+Signed-off-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index 720f1dde2c2d..ae750ab9a4d7 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -1517,7 +1517,7 @@ static int mv88e6xxx_vtu_get(struct mv88e6xxx_chip *chip, u16 vid,
+ int err;
+
+ if (!vid)
+- return -EINVAL;
++ return -EOPNOTSUPP;
+
+ entry->vid = vid - 1;
+ entry->valid = false;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-063-net-hns-Fix-loopback-test-failed-at-copper-por.patch b/patches.kernel.org/5.1.15-063-net-hns-Fix-loopback-test-failed-at-copper-por.patch
new file mode 100644
index 0000000000..0dae015356
--- /dev/null
+++ b/patches.kernel.org/5.1.15-063-net-hns-Fix-loopback-test-failed-at-copper-por.patch
@@ -0,0 +1,48 @@
+From: Yonglong Liu <liuyonglong@huawei.com>
+Date: Fri, 31 May 2019 16:59:50 +0800
+Subject: [PATCH] net: hns: Fix loopback test failed at copper ports
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 2e1f164861e500f4e068a9d909bbd3fcc7841483
+
+[ Upstream commit 2e1f164861e500f4e068a9d909bbd3fcc7841483 ]
+
+When doing a loopback test at copper ports, the serdes loopback
+and the phy loopback will fail, because of the adjust link had
+not finished, and phy not ready.
+
+Adds sleep between adjust link and test process to fix it.
+
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/hisilicon/hns/hns_ethtool.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
+index ce15d2350db9..188c3f6791b5 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
+@@ -339,6 +339,7 @@ static int __lb_setup(struct net_device *ndev,
+ static int __lb_up(struct net_device *ndev,
+ enum hnae_loop loop_mode)
+ {
++#define NIC_LB_TEST_WAIT_PHY_LINK_TIME 300
+ struct hns_nic_priv *priv = netdev_priv(ndev);
+ struct hnae_handle *h = priv->ae_handle;
+ int speed, duplex;
+@@ -365,6 +366,9 @@ static int __lb_up(struct net_device *ndev,
+
+ h->dev->ops->adjust_link(h, speed, duplex);
+
++ /* wait adjust link done and phy ready */
++ msleep(NIC_LB_TEST_WAIT_PHY_LINK_TIME);
++
+ return 0;
+ }
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-064-mdesc-fix-a-missing-check-bug-in-get_vdev_port.patch b/patches.kernel.org/5.1.15-064-mdesc-fix-a-missing-check-bug-in-get_vdev_port.patch
new file mode 100644
index 0000000000..8384fc2d67
--- /dev/null
+++ b/patches.kernel.org/5.1.15-064-mdesc-fix-a-missing-check-bug-in-get_vdev_port.patch
@@ -0,0 +1,37 @@
+From: Gen Zhang <blackgod016574@gmail.com>
+Date: Fri, 31 May 2019 09:24:18 +0800
+Subject: [PATCH] mdesc: fix a missing-check bug in get_vdev_port_node_info()
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 80caf43549e7e41a695c6d1e11066286538b336f
+
+[ Upstream commit 80caf43549e7e41a695c6d1e11066286538b336f ]
+
+In get_vdev_port_node_info(), 'node_info->vdev_port.name' is allcoated
+by kstrdup_const(), and it returns NULL when fails. So
+'node_info->vdev_port.name' should be checked.
+
+Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/sparc/kernel/mdesc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/sparc/kernel/mdesc.c b/arch/sparc/kernel/mdesc.c
+index 9a26b442f820..8e645ddac58e 100644
+--- a/arch/sparc/kernel/mdesc.c
++++ b/arch/sparc/kernel/mdesc.c
+@@ -356,6 +356,8 @@ static int get_vdev_port_node_info(struct mdesc_handle *md, u64 node,
+
+ node_info->vdev_port.id = *idp;
+ node_info->vdev_port.name = kstrdup_const(name, GFP_KERNEL);
++ if (!node_info->vdev_port.name)
++ return -1;
+ node_info->vdev_port.parent_cfg_hdl = *parent_cfg_hdlp;
+
+ return 0;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-065-sparc-perf-fix-updated-event-period-in-respons.patch b/patches.kernel.org/5.1.15-065-sparc-perf-fix-updated-event-period-in-respons.patch
new file mode 100644
index 0000000000..7cd3ee4194
--- /dev/null
+++ b/patches.kernel.org/5.1.15-065-sparc-perf-fix-updated-event-period-in-respons.patch
@@ -0,0 +1,47 @@
+From: Young Xiao <92siuyang@gmail.com>
+Date: Wed, 29 May 2019 10:21:48 +0800
+Subject: [PATCH] sparc: perf: fix updated event period in response to
+ PERF_EVENT_IOC_PERIOD
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 56cd0aefa475079e9613085b14a0f05037518fed
+
+[ Upstream commit 56cd0aefa475079e9613085b14a0f05037518fed ]
+
+The PERF_EVENT_IOC_PERIOD ioctl command can be used to change the
+sample period of a running perf_event. Consequently, when calculating
+the next event period, the new period will only be considered after the
+previous one has overflowed.
+
+This patch changes the calculation of the remaining event ticks so that
+they are offset if the period has changed.
+
+See commit 3581fe0ef37c ("ARM: 7556/1: perf: fix updated event period in
+response to PERF_EVENT_IOC_PERIOD") for details.
+
+Signed-off-by: Young Xiao <92siuyang@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/sparc/kernel/perf_event.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/sparc/kernel/perf_event.c b/arch/sparc/kernel/perf_event.c
+index 6de7c684c29f..a58ae9c42803 100644
+--- a/arch/sparc/kernel/perf_event.c
++++ b/arch/sparc/kernel/perf_event.c
+@@ -891,6 +891,10 @@ static int sparc_perf_event_set_period(struct perf_event *event,
+ s64 period = hwc->sample_period;
+ int ret = 0;
+
++ /* The period may have been changed by PERF_EVENT_IOC_PERIOD */
++ if (unlikely(period != hwc->last_period))
++ left = period - (hwc->last_period - left);
++
+ if (unlikely(left <= -period)) {
+ left = period;
+ local64_set(&hwc->period_left, left);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-066-net-ethernet-mediatek-Use-hw_feature-to-judge-.patch b/patches.kernel.org/5.1.15-066-net-ethernet-mediatek-Use-hw_feature-to-judge-.patch
new file mode 100644
index 0000000000..af9385fe45
--- /dev/null
+++ b/patches.kernel.org/5.1.15-066-net-ethernet-mediatek-Use-hw_feature-to-judge-.patch
@@ -0,0 +1,73 @@
+From: Sean Wang <sean.wang@mediatek.com>
+Date: Sat, 1 Jun 2019 08:16:26 +0800
+Subject: [PATCH] net: ethernet: mediatek: Use hw_feature to judge if HWLRO is
+ supported
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 9e4f56f1a7f3287718d0083b5cb85298dc05a5fd
+
+[ Upstream commit 9e4f56f1a7f3287718d0083b5cb85298dc05a5fd ]
+
+Should hw_feature as hardware capability flags to check if hardware LRO
+got support.
+
+Signed-off-by: Mark Lee <mark-mc.lee@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 549d36497b8c..59601cb5aeee 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -2297,13 +2297,13 @@ static int mtk_get_rxnfc(struct net_device *dev, struct ethtool_rxnfc *cmd,
+
+ switch (cmd->cmd) {
+ case ETHTOOL_GRXRINGS:
+- if (dev->features & NETIF_F_LRO) {
++ if (dev->hw_features & NETIF_F_LRO) {
+ cmd->data = MTK_MAX_RX_RING_NUM;
+ ret = 0;
+ }
+ break;
+ case ETHTOOL_GRXCLSRLCNT:
+- if (dev->features & NETIF_F_LRO) {
++ if (dev->hw_features & NETIF_F_LRO) {
+ struct mtk_mac *mac = netdev_priv(dev);
+
+ cmd->rule_cnt = mac->hwlro_ip_cnt;
+@@ -2311,11 +2311,11 @@ static int mtk_get_rxnfc(struct net_device *dev, struct ethtool_rxnfc *cmd,
+ }
+ break;
+ case ETHTOOL_GRXCLSRULE:
+- if (dev->features & NETIF_F_LRO)
++ if (dev->hw_features & NETIF_F_LRO)
+ ret = mtk_hwlro_get_fdir_entry(dev, cmd);
+ break;
+ case ETHTOOL_GRXCLSRLALL:
+- if (dev->features & NETIF_F_LRO)
++ if (dev->hw_features & NETIF_F_LRO)
+ ret = mtk_hwlro_get_fdir_all(dev, cmd,
+ rule_locs);
+ break;
+@@ -2332,11 +2332,11 @@ static int mtk_set_rxnfc(struct net_device *dev, struct ethtool_rxnfc *cmd)
+
+ switch (cmd->cmd) {
+ case ETHTOOL_SRXCLSRLINS:
+- if (dev->features & NETIF_F_LRO)
++ if (dev->hw_features & NETIF_F_LRO)
+ ret = mtk_hwlro_add_ipaddr(dev, cmd);
+ break;
+ case ETHTOOL_SRXCLSRLDEL:
+- if (dev->features & NETIF_F_LRO)
++ if (dev->hw_features & NETIF_F_LRO)
+ ret = mtk_hwlro_del_ipaddr(dev, cmd);
+ break;
+ default:
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-067-net-ethernet-mediatek-Use-NET_IP_ALIGN-to-judg.patch b/patches.kernel.org/5.1.15-067-net-ethernet-mediatek-Use-NET_IP_ALIGN-to-judg.patch
new file mode 100644
index 0000000000..a238456baa
--- /dev/null
+++ b/patches.kernel.org/5.1.15-067-net-ethernet-mediatek-Use-NET_IP_ALIGN-to-judg.patch
@@ -0,0 +1,46 @@
+From: Sean Wang <sean.wang@mediatek.com>
+Date: Sat, 1 Jun 2019 08:16:27 +0800
+Subject: [PATCH] net: ethernet: mediatek: Use NET_IP_ALIGN to judge if HW
+ RX_2BYTE_OFFSET is enabled
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 880c2d4b2fdfd580ebcd6bb7240a8027a1d34751
+
+[ Upstream commit 880c2d4b2fdfd580ebcd6bb7240a8027a1d34751 ]
+
+Should only enable HW RX_2BYTE_OFFSET function in the case NET_IP_ALIGN
+equals to 2.
+
+Signed-off-by: Mark Lee <mark-mc.lee@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 59601cb5aeee..f3f7551162a9 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -1777,6 +1777,7 @@ static void mtk_poll_controller(struct net_device *dev)
+
+ static int mtk_start_dma(struct mtk_eth *eth)
+ {
++ u32 rx_2b_offset = (NET_IP_ALIGN == 2) ? MTK_RX_2B_OFFSET : 0;
+ int err;
+
+ err = mtk_dma_init(eth);
+@@ -1793,7 +1794,7 @@ static int mtk_start_dma(struct mtk_eth *eth)
+ MTK_QDMA_GLO_CFG);
+
+ mtk_w32(eth,
+- MTK_RX_DMA_EN | MTK_RX_2B_OFFSET |
++ MTK_RX_DMA_EN | rx_2b_offset |
+ MTK_RX_BT_32DWORDS | MTK_MULTI_EN,
+ MTK_PDMA_GLO_CFG);
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-068-selftests-set-sysctl-bc_forwarding-properly-in.patch b/patches.kernel.org/5.1.15-068-selftests-set-sysctl-bc_forwarding-properly-in.patch
new file mode 100644
index 0000000000..7fda0f39fe
--- /dev/null
+++ b/patches.kernel.org/5.1.15-068-selftests-set-sysctl-bc_forwarding-properly-in.patch
@@ -0,0 +1,69 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 2 Jun 2019 19:09:55 +0800
+Subject: [PATCH] selftests: set sysctl bc_forwarding properly in
+ router_broadcast.sh
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 67c0aaa1eaec60e9dab301012bdebe6726ae04bd
+
+[ Upstream commit 67c0aaa1eaec60e9dab301012bdebe6726ae04bd ]
+
+sysctl setting bc_forwarding for $rp2 is needed when ping_test_from h2,
+otherwise the bc packets from $rp2 won't be forwarded. This patch is to
+add this setting for $rp2.
+
+Also, as ping_test_from does grep "$from" only, which could match some
+unexpected output, some test case doesn't really work, like:
+
+ # ping_test_from $h2 198.51.200.255 198.51.200.2
+ PING 198.51.200.255 from 198.51.100.2 veth3: 56(84) bytes of data.
+ 64 bytes from 198.51.100.1: icmp_seq=1 ttl=64 time=0.336 ms
+
+When doing grep $form (198.51.200.2), the output could still match.
+So change to grep "bytes from $from" instead.
+
+Fixes: 40f98b9af943 ("selftests: add a selftest for directed broadcast forwarding")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/testing/selftests/net/forwarding/router_broadcast.sh | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/forwarding/router_broadcast.sh b/tools/testing/selftests/net/forwarding/router_broadcast.sh
+index 9a678ece32b4..4eac0a06f451 100755
+--- a/tools/testing/selftests/net/forwarding/router_broadcast.sh
++++ b/tools/testing/selftests/net/forwarding/router_broadcast.sh
+@@ -145,16 +145,19 @@ bc_forwarding_disable()
+ {
+ sysctl_set net.ipv4.conf.all.bc_forwarding 0
+ sysctl_set net.ipv4.conf.$rp1.bc_forwarding 0
++ sysctl_set net.ipv4.conf.$rp2.bc_forwarding 0
+ }
+
+ bc_forwarding_enable()
+ {
+ sysctl_set net.ipv4.conf.all.bc_forwarding 1
+ sysctl_set net.ipv4.conf.$rp1.bc_forwarding 1
++ sysctl_set net.ipv4.conf.$rp2.bc_forwarding 1
+ }
+
+ bc_forwarding_restore()
+ {
++ sysctl_restore net.ipv4.conf.$rp2.bc_forwarding
+ sysctl_restore net.ipv4.conf.$rp1.bc_forwarding
+ sysctl_restore net.ipv4.conf.all.bc_forwarding
+ }
+@@ -171,7 +174,7 @@ ping_test_from()
+ log_info "ping $dip, expected reply from $from"
+ ip vrf exec $(master_name_get $oif) \
+ $PING -I $oif $dip -c 10 -i 0.1 -w $PING_TIMEOUT -b 2>&1 \
+- | grep $from &> /dev/null
++ | grep "bytes from $from" > /dev/null
+ check_err_fail $fail $?
+ }
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-069-drm-arm-mali-dp-Add-a-loop-around-the-second-s.patch b/patches.kernel.org/5.1.15-069-drm-arm-mali-dp-Add-a-loop-around-the-second-s.patch
new file mode 100644
index 0000000000..1bfc34f041
--- /dev/null
+++ b/patches.kernel.org/5.1.15-069-drm-arm-mali-dp-Add-a-loop-around-the-second-s.patch
@@ -0,0 +1,57 @@
+From: Wen He <wen.he_1@nxp.com>
+Date: Wed, 8 May 2019 10:58:18 +0000
+Subject: [PATCH] drm/arm/mali-dp: Add a loop around the second set CVAL and
+ try 5 times
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 6a88e0c14813d00f8520d0e16cd4136c6cf8b4d4
+
+[ Upstream commit 6a88e0c14813d00f8520d0e16cd4136c6cf8b4d4 ]
+
+This patch trying to fix monitor freeze issue caused by drm error
+'flip_done timed out' on LS1028A platform. this set try is make a loop
+around the second setting CVAL and try like 5 times before giveing up.
+
+Signed-off-by: Wen He <wen.he_1@nxp.com>
+Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/gpu/drm/arm/malidp_drv.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/arm/malidp_drv.c b/drivers/gpu/drm/arm/malidp_drv.c
+index ab50ad06e271..64da56f4b0cf 100644
+--- a/drivers/gpu/drm/arm/malidp_drv.c
++++ b/drivers/gpu/drm/arm/malidp_drv.c
+@@ -192,6 +192,7 @@ static void malidp_atomic_commit_hw_done(struct drm_atomic_state *state)
+ {
+ struct drm_device *drm = state->dev;
+ struct malidp_drm *malidp = drm->dev_private;
++ int loop = 5;
+
+ malidp->event = malidp->crtc.state->event;
+ malidp->crtc.state->event = NULL;
+@@ -206,8 +207,18 @@ static void malidp_atomic_commit_hw_done(struct drm_atomic_state *state)
+ drm_crtc_vblank_get(&malidp->crtc);
+
+ /* only set config_valid if the CRTC is enabled */
+- if (malidp_set_and_wait_config_valid(drm) < 0)
++ if (malidp_set_and_wait_config_valid(drm) < 0) {
++ /*
++ * make a loop around the second CVAL setting and
++ * try 5 times before giving up.
++ */
++ while (loop--) {
++ if (!malidp_set_and_wait_config_valid(drm))
++ break;
++ }
+ DRM_DEBUG_DRIVER("timed out waiting for updated configuration\n");
++ }
++
+ } else if (malidp->event) {
+ /* CRTC inactive means vblank IRQ is disabled, send event directly */
+ spin_lock_irq(&drm->event_lock);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-070-drm-arm-hdlcd-Actually-validate-CRTC-modes.patch b/patches.kernel.org/5.1.15-070-drm-arm-hdlcd-Actually-validate-CRTC-modes.patch
new file mode 100644
index 0000000000..4fbc1848ac
--- /dev/null
+++ b/patches.kernel.org/5.1.15-070-drm-arm-hdlcd-Actually-validate-CRTC-modes.patch
@@ -0,0 +1,66 @@
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Fri, 17 May 2019 17:37:21 +0100
+Subject: [PATCH] drm/arm/hdlcd: Actually validate CRTC modes
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: b96151edced4edb6a18aa89a5fa02c7066efff45
+
+[ Upstream commit b96151edced4edb6a18aa89a5fa02c7066efff45 ]
+
+Rather than allowing any old mode through, then subsequently refusing
+unmatchable clock rates in atomic_check when it's too late to back out
+and pick a different mode, let's do that validation up-front where it
+will cause unsupported modes to be correctly pruned in the first place.
+
+This also eliminates an issue whereby a perceived clock rate of 0 would
+cause atomic disable to fail and prevent the module from being unloaded.
+
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/gpu/drm/arm/hdlcd_crtc.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/arm/hdlcd_crtc.c b/drivers/gpu/drm/arm/hdlcd_crtc.c
+index 0b2b62f8fa3c..ecac6fe0b213 100644
+--- a/drivers/gpu/drm/arm/hdlcd_crtc.c
++++ b/drivers/gpu/drm/arm/hdlcd_crtc.c
+@@ -186,20 +186,19 @@ static void hdlcd_crtc_atomic_disable(struct drm_crtc *crtc,
+ clk_disable_unprepare(hdlcd->clk);
+ }
+
+-static int hdlcd_crtc_atomic_check(struct drm_crtc *crtc,
+- struct drm_crtc_state *state)
++static enum drm_mode_status hdlcd_crtc_mode_valid(struct drm_crtc *crtc,
++ const struct drm_display_mode *mode)
+ {
+ struct hdlcd_drm_private *hdlcd = crtc_to_hdlcd_priv(crtc);
+- struct drm_display_mode *mode = &state->adjusted_mode;
+ long rate, clk_rate = mode->clock * 1000;
+
+ rate = clk_round_rate(hdlcd->clk, clk_rate);
+ if (rate != clk_rate) {
+ /* clock required by mode not supported by hardware */
+- return -EINVAL;
++ return MODE_NOCLOCK;
+ }
+
+- return 0;
++ return MODE_OK;
+ }
+
+ static void hdlcd_crtc_atomic_begin(struct drm_crtc *crtc,
+@@ -220,7 +219,7 @@ static void hdlcd_crtc_atomic_begin(struct drm_crtc *crtc,
+ }
+
+ static const struct drm_crtc_helper_funcs hdlcd_crtc_helper_funcs = {
+- .atomic_check = hdlcd_crtc_atomic_check,
++ .mode_valid = hdlcd_crtc_mode_valid,
+ .atomic_begin = hdlcd_crtc_atomic_begin,
+ .atomic_enable = hdlcd_crtc_atomic_enable,
+ .atomic_disable = hdlcd_crtc_atomic_disable,
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-071-drm-arm-hdlcd-Allow-a-bit-of-clock-tolerance.patch b/patches.kernel.org/5.1.15-071-drm-arm-hdlcd-Allow-a-bit-of-clock-tolerance.patch
new file mode 100644
index 0000000000..984ce47b47
--- /dev/null
+++ b/patches.kernel.org/5.1.15-071-drm-arm-hdlcd-Allow-a-bit-of-clock-tolerance.patch
@@ -0,0 +1,42 @@
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Fri, 17 May 2019 17:37:22 +0100
+Subject: [PATCH] drm/arm/hdlcd: Allow a bit of clock tolerance
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 1c810739097fdeb31b393b67a0a1e3d7ffdd9f63
+
+[ Upstream commit 1c810739097fdeb31b393b67a0a1e3d7ffdd9f63 ]
+
+On the Arm Juno platform, the HDLCD pixel clock is constrained to 250KHz
+resolution in order to avoid the tiny System Control Processor spending
+aeons trying to calculate exact PLL coefficients. This means that modes
+like my oddball 1600x1200 with 130.89MHz clock get rejected since the
+rate cannot be matched exactly. In practice, though, this mode works
+quite happily with the clock at 131MHz, so let's relax the check to
+allow a little bit of slop.
+
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/gpu/drm/arm/hdlcd_crtc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/arm/hdlcd_crtc.c b/drivers/gpu/drm/arm/hdlcd_crtc.c
+index ecac6fe0b213..a3efa28436ea 100644
+--- a/drivers/gpu/drm/arm/hdlcd_crtc.c
++++ b/drivers/gpu/drm/arm/hdlcd_crtc.c
+@@ -193,7 +193,8 @@ static enum drm_mode_status hdlcd_crtc_mode_valid(struct drm_crtc *crtc,
+ long rate, clk_rate = mode->clock * 1000;
+
+ rate = clk_round_rate(hdlcd->clk, clk_rate);
+- if (rate != clk_rate) {
++ /* 0.1% seems a close enough tolerance for the TDA19988 on Juno */
++ if (abs(rate - clk_rate) * 1000 > clk_rate) {
+ /* clock required by mode not supported by hardware */
+ return MODE_NOCLOCK;
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-072-nvmet-fix-data_len-to-0-for-bdev-backed-write_.patch b/patches.kernel.org/5.1.15-072-nvmet-fix-data_len-to-0-for-bdev-backed-write_.patch
new file mode 100644
index 0000000000..404d212aed
--- /dev/null
+++ b/patches.kernel.org/5.1.15-072-nvmet-fix-data_len-to-0-for-bdev-backed-write_.patch
@@ -0,0 +1,57 @@
+From: Minwoo Im <minwoo.im.dev@gmail.com>
+Date: Sun, 2 Jun 2019 12:43:39 +0900
+Subject: [PATCH] nvmet: fix data_len to 0 for bdev-backed write_zeroes
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 3562f5d9f21e7779ae442a45197fed6cb247fd22
+
+[ Upstream commit 3562f5d9f21e7779ae442a45197fed6cb247fd22 ]
+
+The WRITE ZEROES command has no data transfer so that we need to
+initialize the struct (nvmet_req *req)->data_len to 0x0. While
+(nvmet_req *req)->transfer_len is initialized in nvmet_req_init(),
+data_len will be initialized by nowhere which might cause the failure
+with status code NVME_SC_SGL_INVALID_DATA | NVME_SC_DNR randomly. It's
+because nvmet_req_execute() checks like:
+
+ if (unlikely(req->data_len != req->transfer_len)) {
+ req->error_loc = offsetof(struct nvme_common_command, dptr);
+ nvmet_req_complete(req, NVME_SC_SGL_INVALID_DATA | NVME_SC_DNR);
+ } else
+ req->execute(req);
+
+This patch fixes req->data_len not to be a randomly assigned by
+initializing it to 0x0 when preparing the command in
+nvmet_bdev_parse_io_cmd().
+
+nvmet_file_parse_io_cmd() which is for file-backed I/O has already
+initialized the data_len field to 0x0, though.
+
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Sagi Grimberg <sagi@grimberg.me>
+Cc: Chaitanya Kulkarni <Chaitanya.Kulkarni@wdc.com>
+Signed-off-by: Minwoo Im <minwoo.im.dev@gmail.com>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/nvme/target/io-cmd-bdev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nvme/target/io-cmd-bdev.c b/drivers/nvme/target/io-cmd-bdev.c
+index a065dbfc43b1..a77fd8674ecf 100644
+--- a/drivers/nvme/target/io-cmd-bdev.c
++++ b/drivers/nvme/target/io-cmd-bdev.c
+@@ -295,6 +295,7 @@ u16 nvmet_bdev_parse_io_cmd(struct nvmet_req *req)
+ return 0;
+ case nvme_cmd_write_zeroes:
+ req->execute = nvmet_bdev_execute_write_zeroes;
++ req->data_len = 0;
+ return 0;
+ default:
+ pr_err("unhandled cmd %d on qid %d\n", cmd->common.opcode,
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-073-kbuild-tar-pkg-enable-communication-with-jobse.patch b/patches.kernel.org/5.1.15-073-kbuild-tar-pkg-enable-communication-with-jobse.patch
new file mode 100644
index 0000000000..29b8da8abd
--- /dev/null
+++ b/patches.kernel.org/5.1.15-073-kbuild-tar-pkg-enable-communication-with-jobse.patch
@@ -0,0 +1,45 @@
+From: Trevor Bourget <tgb.kernel@gmail.com>
+Date: Mon, 27 May 2019 16:54:23 -0700
+Subject: [PATCH] kbuild: tar-pkg: enable communication with jobserver
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: a6e0487709ded7cd1ba0c390d9771e5cb76a8453
+
+[ Upstream commit a6e0487709ded7cd1ba0c390d9771e5cb76a8453 ]
+
+The buildtar script might want to invoke a make, so tell the parent
+make to pass the jobserver token pipe to the subcommand by prefixing
+the command with a +.
+
+This addresses the issue seen here:
+
+ /bin/sh ../scripts/package/buildtar tar-pkg
+ make[3]: warning: jobserver unavailable: using -j1. Add '+' to parent make rule.
+
+See https://www.gnu.org/software/make/manual/html_node/Job-Slots.html
+for more information.
+
+Signed-off-by: Trevor Bourget <tgb.kernel@gmail.com>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ scripts/package/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/package/Makefile b/scripts/package/Makefile
+index 2c6de21e5152..fd854439de0f 100644
+--- a/scripts/package/Makefile
++++ b/scripts/package/Makefile
+@@ -103,7 +103,7 @@ clean-dirs += $(objtree)/snap/
+ # ---------------------------------------------------------------------------
+ tar%pkg: FORCE
+ $(MAKE) -f $(srctree)/Makefile
+- $(CONFIG_SHELL) $(srctree)/scripts/package/buildtar $@
++ +$(CONFIG_SHELL) $(srctree)/scripts/package/buildtar $@
+
+ clean-dirs += $(objtree)/tar-install/
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-074-scripts-checkstack.pl-Fix-arm64-wrong-or-unkno.patch b/patches.kernel.org/5.1.15-074-scripts-checkstack.pl-Fix-arm64-wrong-or-unkno.patch
new file mode 100644
index 0000000000..820b50cfb4
--- /dev/null
+++ b/patches.kernel.org/5.1.15-074-scripts-checkstack.pl-Fix-arm64-wrong-or-unkno.patch
@@ -0,0 +1,46 @@
+From: "George G. Davis" <george_davis@mentor.com>
+Date: Mon, 3 Jun 2019 10:30:39 -0400
+Subject: [PATCH] scripts/checkstack.pl: Fix arm64 wrong or unknown
+ architecture
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 4f45d62a52297b10ded963412a158685647ecdec
+
+[ Upstream commit 4f45d62a52297b10ded963412a158685647ecdec ]
+
+The following error occurs for the `make ARCH=arm64 checkstack` case:
+
+aarch64-linux-gnu-objdump -d vmlinux $(find . -name '*.ko') | \
+perl ./scripts/checkstack.pl arm64
+wrong or unknown architecture "arm64"
+
+As suggested by Masahiro Yamada, fix the above error using regular
+expressions in the same way it was fixed for the `ARCH=x86` case via
+commit fda9f9903be6 ("scripts/checkstack.pl: automatically handle
+32-bit and 64-bit mode for ARCH=x86").
+
+Suggested-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: George G. Davis <george_davis@mentor.com>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ scripts/checkstack.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/checkstack.pl b/scripts/checkstack.pl
+index 122aef5e4e14..371bd17a4983 100755
+--- a/scripts/checkstack.pl
++++ b/scripts/checkstack.pl
+@@ -46,7 +46,7 @@ my (@stack, $re, $dre, $x, $xs, $funcre);
+ $x = "[0-9a-f]"; # hex character
+ $xs = "[0-9a-f ]"; # hex character or space
+ $funcre = qr/^$x* <(.*)>:$/;
+- if ($arch eq 'aarch64') {
++ if ($arch =~ '^(aarch|arm)64$') {
+ #ffffffc0006325cc: a9bb7bfd stp x29, x30, [sp, #-80]!
+ #a110: d11643ff sub sp, sp, #0x590
+ $re = qr/^.*stp.*sp, \#-([0-9]{1,8})\]\!/o;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-075-net-phylink-avoid-reducing-support-mask.patch b/patches.kernel.org/5.1.15-075-net-phylink-avoid-reducing-support-mask.patch
new file mode 100644
index 0000000000..3f0078df88
--- /dev/null
+++ b/patches.kernel.org/5.1.15-075-net-phylink-avoid-reducing-support-mask.patch
@@ -0,0 +1,95 @@
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Sun, 2 Jun 2019 15:12:54 +0100
+Subject: [PATCH] net: phylink: avoid reducing support mask
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 77316763321ee4050f0576ffd472183aa90dcb30
+
+[ Upstream commit 77316763321ee4050f0576ffd472183aa90dcb30 ]
+
+Avoid reducing the support mask as a result of the interface type
+selected for SFP modules, or when setting the link settings through
+ethtool - this should only change when the supported link modes of
+the hardware combination change.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/phy/phylink.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c
+index efa31fcda505..611dfc3d89a0 100644
+--- a/drivers/net/phy/phylink.c
++++ b/drivers/net/phy/phylink.c
+@@ -1080,6 +1080,7 @@ EXPORT_SYMBOL_GPL(phylink_ethtool_ksettings_get);
+ int phylink_ethtool_ksettings_set(struct phylink *pl,
+ const struct ethtool_link_ksettings *kset)
+ {
++ __ETHTOOL_DECLARE_LINK_MODE_MASK(support);
+ struct ethtool_link_ksettings our_kset;
+ struct phylink_link_state config;
+ int ret;
+@@ -1090,11 +1091,12 @@ int phylink_ethtool_ksettings_set(struct phylink *pl,
+ kset->base.autoneg != AUTONEG_ENABLE)
+ return -EINVAL;
+
++ linkmode_copy(support, pl->supported);
+ config = pl->link_config;
+
+ /* Mask out unsupported advertisements */
+ linkmode_and(config.advertising, kset->link_modes.advertising,
+- pl->supported);
++ support);
+
+ /* FIXME: should we reject autoneg if phy/mac does not support it? */
+ if (kset->base.autoneg == AUTONEG_DISABLE) {
+@@ -1104,7 +1106,7 @@ int phylink_ethtool_ksettings_set(struct phylink *pl,
+ * duplex.
+ */
+ s = phy_lookup_setting(kset->base.speed, kset->base.duplex,
+- pl->supported, false);
++ support, false);
+ if (!s)
+ return -EINVAL;
+
+@@ -1133,7 +1135,7 @@ int phylink_ethtool_ksettings_set(struct phylink *pl,
+ __set_bit(ETHTOOL_LINK_MODE_Autoneg_BIT, config.advertising);
+ }
+
+- if (phylink_validate(pl, pl->supported, &config))
++ if (phylink_validate(pl, support, &config))
+ return -EINVAL;
+
+ /* If autonegotiation is enabled, we must have an advertisement */
+@@ -1583,6 +1585,7 @@ static int phylink_sfp_module_insert(void *upstream,
+ {
+ struct phylink *pl = upstream;
+ __ETHTOOL_DECLARE_LINK_MODE_MASK(support) = { 0, };
++ __ETHTOOL_DECLARE_LINK_MODE_MASK(support1);
+ struct phylink_link_state config;
+ phy_interface_t iface;
+ int ret = 0;
+@@ -1610,6 +1613,8 @@ static int phylink_sfp_module_insert(void *upstream,
+ return ret;
+ }
+
++ linkmode_copy(support1, support);
++
+ iface = sfp_select_interface(pl->sfp_bus, id, config.advertising);
+ if (iface == PHY_INTERFACE_MODE_NA) {
+ netdev_err(pl->netdev,
+@@ -1619,7 +1624,7 @@ static int phylink_sfp_module_insert(void *upstream,
+ }
+
+ config.interface = iface;
+- ret = phylink_validate(pl, support, &config);
++ ret = phylink_validate(pl, support1, &config);
+ if (ret) {
+ netdev_err(pl->netdev, "validation of %s/%s with support %*pb failed: %d\n",
+ phylink_an_mode_str(MLO_AN_INBAND),
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-076-scsi-ufs-Check-that-space-was-properly-alloced.patch b/patches.kernel.org/5.1.15-076-scsi-ufs-Check-that-space-was-properly-alloced.patch
new file mode 100644
index 0000000000..86deacba27
--- /dev/null
+++ b/patches.kernel.org/5.1.15-076-scsi-ufs-Check-that-space-was-properly-alloced.patch
@@ -0,0 +1,45 @@
+From: Avri Altman <avri.altman@wdc.com>
+Date: Tue, 21 May 2019 11:24:22 +0300
+Subject: [PATCH] scsi: ufs: Check that space was properly alloced in
+ copy_query_response
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 1c90836f70f9a8ef7b7ad9e1fdd8961903e6ced6
+
+[ Upstream commit 1c90836f70f9a8ef7b7ad9e1fdd8961903e6ced6 ]
+
+struct ufs_dev_cmd is the main container that supports device management
+commands. In the case of a read descriptor request, we assume that the
+proper space was allocated in dev_cmd to hold the returning descriptor.
+
+This is no longer true, as there are flows that doesn't use dev_cmd for
+device management requests, and was wrong in the first place.
+
+Fixes: d44a5f98bb49 (ufs: query descriptor API)
+Signed-off-by: Avri Altman <avri.altman@wdc.com>
+Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
+Acked-by: Bean Huo <beanhuo@micron.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/scsi/ufs/ufshcd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 5ba49c8cd2a3..dbd1f8c253bf 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -1917,7 +1917,8 @@ int ufshcd_copy_query_response(struct ufs_hba *hba, struct ufshcd_lrb *lrbp)
+ memcpy(&query_res->upiu_res, &lrbp->ucd_rsp_ptr->qr, QUERY_OSF_SIZE);
+
+ /* Get the descriptor */
+- if (lrbp->ucd_rsp_ptr->qr.opcode == UPIU_QUERY_OPCODE_READ_DESC) {
++ if (hba->dev_cmd.query.descriptor &&
++ lrbp->ucd_rsp_ptr->qr.opcode == UPIU_QUERY_OPCODE_READ_DESC) {
+ u8 *descp = (u8 *)lrbp->ucd_rsp_ptr +
+ GENERAL_UPIU_REQUEST_SIZE;
+ u16 resp_len;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-077-scsi-smartpqi-unlock-on-error-in-pqi_submit_ra.patch b/patches.kernel.org/5.1.15-077-scsi-smartpqi-unlock-on-error-in-pqi_submit_ra.patch
new file mode 100644
index 0000000000..bf4a0ac1df
--- /dev/null
+++ b/patches.kernel.org/5.1.15-077-scsi-smartpqi-unlock-on-error-in-pqi_submit_ra.patch
@@ -0,0 +1,42 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 29 May 2019 14:07:39 +0300
+Subject: [PATCH] scsi: smartpqi: unlock on error in
+ pqi_submit_raid_request_synchronous()
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: cc8f52609bb4177febade24d11713e20c0893b0a
+
+[ Upstream commit cc8f52609bb4177febade24d11713e20c0893b0a ]
+
+We need to drop the "ctrl_info->sync_request_sem" lock before returning.
+
+Fixes: 6c223761eb54 ("smartpqi: initial commit of Microsemi smartpqi driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/scsi/smartpqi/smartpqi_init.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
+index 531824afba5f..392695b4691a 100644
+--- a/drivers/scsi/smartpqi/smartpqi_init.c
++++ b/drivers/scsi/smartpqi/smartpqi_init.c
+@@ -4044,8 +4044,10 @@ static int pqi_submit_raid_request_synchronous(struct pqi_ctrl_info *ctrl_info,
+ return -ETIMEDOUT;
+ msecs_blocked =
+ jiffies_to_msecs(jiffies - start_jiffies);
+- if (msecs_blocked >= timeout_msecs)
+- return -ETIMEDOUT;
++ if (msecs_blocked >= timeout_msecs) {
++ rc = -ETIMEDOUT;
++ goto out;
++ }
+ timeout_msecs -= msecs_blocked;
+ }
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-078-net-ipvlan-Fix-ipvlan-device-tso-disabled-whil.patch b/patches.kernel.org/5.1.15-078-net-ipvlan-Fix-ipvlan-device-tso-disabled-whil.patch
new file mode 100644
index 0000000000..67e7d35f4e
--- /dev/null
+++ b/patches.kernel.org/5.1.15-078-net-ipvlan-Fix-ipvlan-device-tso-disabled-whil.patch
@@ -0,0 +1,48 @@
+From: Miaohe Lin <linmiaohe@huawei.com>
+Date: Tue, 4 Jun 2019 06:07:34 +0000
+Subject: [PATCH] net: ipvlan: Fix ipvlan device tso disabled while
+ NETIF_F_IP_CSUM is set
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: ceae266bf0ae6564ac16d086bf749a096fa90ded
+
+[ Upstream commit ceae266bf0ae6564ac16d086bf749a096fa90ded ]
+
+There's some NICs, such as hinic, with NETIF_F_IP_CSUM and NETIF_F_TSO
+on but NETIF_F_HW_CSUM off. And ipvlan device features will be
+NETIF_F_TSO on with NETIF_F_IP_CSUM and NETIF_F_IP_CSUM both off as
+IPVLAN_FEATURES only care about NETIF_F_HW_CSUM. So TSO will be
+disabled in netdev_fix_features.
+For example:
+Features for enp129s0f0:
+rx-checksumming: on
+tx-checksumming: on
+ tx-checksum-ipv4: on
+ tx-checksum-ip-generic: off [fixed]
+ tx-checksum-ipv6: on
+
+Fixes: a188222b6ed2 ("net: Rename NETIF_F_ALL_CSUM to NETIF_F_CSUM_MASK")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ipvlan/ipvlan_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c
+index bbeb1623e2d5..717fce6edeb7 100644
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -112,7 +112,7 @@ static void ipvlan_port_destroy(struct net_device *dev)
+ }
+
+ #define IPVLAN_FEATURES \
+- (NETIF_F_SG | NETIF_F_HW_CSUM | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \
++ (NETIF_F_SG | NETIF_F_CSUM_MASK | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST | \
+ NETIF_F_GSO | NETIF_F_TSO | NETIF_F_GSO_ROBUST | \
+ NETIF_F_TSO_ECN | NETIF_F_TSO6 | NETIF_F_GRO | NETIF_F_RXCSUM | \
+ NETIF_F_HW_VLAN_CTAG_FILTER | NETIF_F_HW_VLAN_STAG_FILTER)
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-079-udmabuf-actually-unmap-the-scatterlist.patch b/patches.kernel.org/5.1.15-079-udmabuf-actually-unmap-the-scatterlist.patch
new file mode 100644
index 0000000000..6a99473129
--- /dev/null
+++ b/patches.kernel.org/5.1.15-079-udmabuf-actually-unmap-the-scatterlist.patch
@@ -0,0 +1,37 @@
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Tue, 4 Jun 2019 22:23:31 +0200
+Subject: [PATCH] udmabuf: actually unmap the scatterlist
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 283f1e383e91d96fe652fad549537ae15cf31d60
+
+[ Upstream commit 283f1e383e91d96fe652fad549537ae15cf31d60 ]
+
+unmap_udmabuf fails to actually unmap the scatterlist, leaving dangling
+mappings around.
+
+Fixes: fbb0de795078 ("Add udmabuf misc device")
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Link: http://patchwork.freedesktop.org/patch/msgid/20190604202331.17482-1-l.stach@pengutronix.de
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/dma-buf/udmabuf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
+index cd57747286f2..9635897458a0 100644
+--- a/drivers/dma-buf/udmabuf.c
++++ b/drivers/dma-buf/udmabuf.c
+@@ -77,6 +77,7 @@ static void unmap_udmabuf(struct dma_buf_attachment *at,
+ struct sg_table *sg,
+ enum dma_data_direction direction)
+ {
++ dma_unmap_sg(at->dev, sg->sgl, sg->nents, direction);
+ sg_free_table(sg);
+ kfree(sg);
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-080-tests-fix-pidfd-test-compilation.patch b/patches.kernel.org/5.1.15-080-tests-fix-pidfd-test-compilation.patch
new file mode 100644
index 0000000000..5434e6e0a5
--- /dev/null
+++ b/patches.kernel.org/5.1.15-080-tests-fix-pidfd-test-compilation.patch
@@ -0,0 +1,42 @@
+From: Christian Brauner <christian@brauner.io>
+Date: Wed, 5 Jun 2019 15:06:32 +0200
+Subject: [PATCH] tests: fix pidfd-test compilation
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 1fcd0eb356ad56c4e405f06e31dd9fde2109d5ab
+
+[ Upstream commit 1fcd0eb356ad56c4e405f06e31dd9fde2109d5ab ]
+
+Define __NR_pidfd_send_signal if it isn't to prevent a potential
+compilation error.
+
+To make pidfd-test compile on all arches, irrespective of whether
+or not syscall numbers are assigned, define the syscall number to -1.
+If it isn't defined this will cause the kernel to return -ENOSYS.
+
+Fixes: 575a0ae9744d ("selftests: add tests for pidfd_send_signal()")
+Signed-off-by: Christian Brauner <christian@brauner.io>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ tools/testing/selftests/pidfd/pidfd_test.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/testing/selftests/pidfd/pidfd_test.c b/tools/testing/selftests/pidfd/pidfd_test.c
+index d59378a93782..20323f55613a 100644
+--- a/tools/testing/selftests/pidfd/pidfd_test.c
++++ b/tools/testing/selftests/pidfd/pidfd_test.c
+@@ -16,6 +16,10 @@
+
+ #include "../kselftest.h"
+
++#ifndef __NR_pidfd_send_signal
++#define __NR_pidfd_send_signal -1
++#endif
++
+ static inline int sys_pidfd_send_signal(int pidfd, int sig, siginfo_t *info,
+ unsigned int flags)
+ {
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-081-s390-qeth-handle-limited-IPv4-broadcast-in-L3-.patch b/patches.kernel.org/5.1.15-081-s390-qeth-handle-limited-IPv4-broadcast-in-L3-.patch
new file mode 100644
index 0000000000..8fc6ba491f
--- /dev/null
+++ b/patches.kernel.org/5.1.15-081-s390-qeth-handle-limited-IPv4-broadcast-in-L3-.patch
@@ -0,0 +1,40 @@
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Wed, 5 Jun 2019 13:48:48 +0200
+Subject: [PATCH] s390/qeth: handle limited IPv4 broadcast in L3 TX path
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 72c87976c5abbf8a834ad85f10d03c0cd58b985c
+
+[ Upstream commit 72c87976c5abbf8a834ad85f10d03c0cd58b985c ]
+
+When selecting the cast type of a neighbourless IPv4 skb (eg. on a raw
+socket), qeth_l3 falls back to the packet's destination IP address.
+For this case we should classify traffic sent to 255.255.255.255 as
+broadcast.
+This fixes DHCP requests, which were misclassified as unicast
+(and for IQD interfaces thus ended up on the wrong HW queue).
+
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/s390/net/qeth_l3_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c
+index 53712cf26406..cb641fd303d3 100644
+--- a/drivers/s390/net/qeth_l3_main.c
++++ b/drivers/s390/net/qeth_l3_main.c
+@@ -1906,6 +1906,8 @@ static int qeth_l3_get_cast_type(struct sk_buff *skb)
+ /* no neighbour (eg AF_PACKET), fall back to target's IP address ... */
+ switch (qeth_get_ip_version(skb)) {
+ case 4:
++ if (ipv4_is_lbcast(ip_hdr(skb)->daddr))
++ return RTN_BROADCAST;
+ return ipv4_is_multicast(ip_hdr(skb)->daddr) ?
+ RTN_MULTICAST : RTN_UNICAST;
+ case 6:
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-082-s390-qeth-check-dst-entry-before-use.patch b/patches.kernel.org/5.1.15-082-s390-qeth-check-dst-entry-before-use.patch
new file mode 100644
index 0000000000..c31a5c189d
--- /dev/null
+++ b/patches.kernel.org/5.1.15-082-s390-qeth-check-dst-entry-before-use.patch
@@ -0,0 +1,105 @@
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Wed, 5 Jun 2019 13:48:49 +0200
+Subject: [PATCH] s390/qeth: check dst entry before use
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 0cd6783d3c7d40be165d1f3c811cedf0e3dfcdf1
+
+[ Upstream commit 0cd6783d3c7d40be165d1f3c811cedf0e3dfcdf1 ]
+
+While qeth_l3 uses netif_keep_dst() to hold onto the dst, a skb's dst
+may still have been obsoleted (via dst_dev_put()) by the time that we
+end up using it. The dst then points to the loopback interface, which
+means the neighbour lookup in qeth_l3_get_cast_type() determines a bogus
+cast type of RTN_BROADCAST.
+For IQD interfaces this causes us to place such skbs on the wrong
+HW queue, resulting in TX errors.
+
+Fix-up the various call sites to first validate the dst entry with
+dst_check(), and fall back accordingly.
+
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/s390/net/qeth_l3_main.c | 30 +++++++++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c
+index cb641fd303d3..93a5748036de 100644
+--- a/drivers/s390/net/qeth_l3_main.c
++++ b/drivers/s390/net/qeth_l3_main.c
+@@ -1883,13 +1883,20 @@ static int qeth_l3_do_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
+
+ static int qeth_l3_get_cast_type(struct sk_buff *skb)
+ {
++ int ipv = qeth_get_ip_version(skb);
+ struct neighbour *n = NULL;
+ struct dst_entry *dst;
+
+ rcu_read_lock();
+ dst = skb_dst(skb);
+- if (dst)
+- n = dst_neigh_lookup_skb(dst, skb);
++ if (dst) {
++ struct rt6_info *rt = (struct rt6_info *) dst;
++
++ dst = dst_check(dst, (ipv == 6) ? rt6_get_cookie(rt) : 0);
++ if (dst)
++ n = dst_neigh_lookup_skb(dst, skb);
++ }
++
+ if (n) {
+ int cast_type = n->type;
+
+@@ -1904,7 +1911,7 @@ static int qeth_l3_get_cast_type(struct sk_buff *skb)
+ rcu_read_unlock();
+
+ /* no neighbour (eg AF_PACKET), fall back to target's IP address ... */
+- switch (qeth_get_ip_version(skb)) {
++ switch (ipv) {
+ case 4:
+ if (ipv4_is_lbcast(ip_hdr(skb)->daddr))
+ return RTN_BROADCAST;
+@@ -1943,6 +1950,7 @@ static void qeth_l3_fill_header(struct qeth_qdio_out_q *queue,
+ struct qeth_hdr_layer3 *l3_hdr = &hdr->hdr.l3;
+ struct vlan_ethhdr *veth = vlan_eth_hdr(skb);
+ struct qeth_card *card = queue->card;
++ struct dst_entry *dst;
+
+ hdr->hdr.l3.length = data_len;
+
+@@ -1993,15 +2001,27 @@ static void qeth_l3_fill_header(struct qeth_qdio_out_q *queue,
+
+ hdr->hdr.l3.flags = qeth_l3_cast_type_to_flag(cast_type);
+ rcu_read_lock();
++ dst = skb_dst(skb);
++
+ if (ipv == 4) {
+- struct rtable *rt = skb_rtable(skb);
++ struct rtable *rt;
++
++ if (dst)
++ dst = dst_check(dst, 0);
++ rt = (struct rtable *) dst;
+
+ *((__be32 *) &hdr->hdr.l3.next_hop.ipv4.addr) = (rt) ?
+ rt_nexthop(rt, ip_hdr(skb)->daddr) :
+ ip_hdr(skb)->daddr;
+ } else {
+ /* IPv6 */
+- const struct rt6_info *rt = skb_rt6_info(skb);
++ struct rt6_info *rt;
++
++ if (dst) {
++ rt = (struct rt6_info *) dst;
++ dst = dst_check(dst, rt6_get_cookie(rt));
++ }
++ rt = (struct rt6_info *) dst;
+
+ if (rt && !ipv6_addr_any(&rt->rt6i_gateway))
+ l3_hdr->next_hop.ipv6_addr = rt->rt6i_gateway;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-083-s390-qeth-fix-VLAN-attribute-in-bridge_hostnot.patch b/patches.kernel.org/5.1.15-083-s390-qeth-fix-VLAN-attribute-in-bridge_hostnot.patch
new file mode 100644
index 0000000000..dbcf0c4c79
--- /dev/null
+++ b/patches.kernel.org/5.1.15-083-s390-qeth-fix-VLAN-attribute-in-bridge_hostnot.patch
@@ -0,0 +1,54 @@
+From: Alexandra Winter <wintera@linux.ibm.com>
+Date: Wed, 5 Jun 2019 13:48:50 +0200
+Subject: [PATCH] s390/qeth: fix VLAN attribute in bridge_hostnotify udev event
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 335726195e460cb6b3f795b695bfd31f0ea70ef0
+
+[ Upstream commit 335726195e460cb6b3f795b695bfd31f0ea70ef0 ]
+
+Enabling sysfs attribute bridge_hostnotify triggers a series of udev events
+for the MAC addresses of all currently connected peers. In case no VLAN is
+set for a peer, the device reports the corresponding MAC addresses with
+VLAN ID 4096. This currently results in attribute VLAN=4096 for all
+non-VLAN interfaces in the initial series of events after host-notify is
+enabled.
+
+Instead, no VLAN attribute should be reported in the udev event for
+non-VLAN interfaces.
+
+Only the initial events face this issue. For dynamic changes that are
+reported later, the device uses a validity flag.
+
+This also changes the code so that it now sets the VLAN attribute for
+MAC addresses with VID 0. On Linux, no qeth interface will ever be
+registered with VID 0: Linux kernel registers VID 0 on all network
+interfaces initially, but qeth will drop .ndo_vlan_rx_add_vid for VID 0.
+Peers with other OSs could register MACs with VID 0.
+
+Fixes: 9f48b9db9a22 ("qeth: bridgeport support - address notifications")
+Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/s390/net/qeth_l2_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c
+index c3067fd3bd9e..fece768efcb1 100644
+--- a/drivers/s390/net/qeth_l2_main.c
++++ b/drivers/s390/net/qeth_l2_main.c
+@@ -1679,7 +1679,7 @@ static void qeth_bridgeport_an_set_cb(void *priv,
+
+ l2entry = (struct qdio_brinfo_entry_l2 *)entry;
+ code = IPA_ADDR_CHANGE_CODE_MACADDR;
+- if (l2entry->addr_lnid.lnid)
++ if (l2entry->addr_lnid.lnid < VLAN_N_VID)
+ code |= IPA_ADDR_CHANGE_CODE_VLANID;
+ qeth_bridge_emit_host_event(card, anev_reg_unreg, code,
+ (struct net_if_token *)&l2entry->nit,
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-084-hwmon-core-add-thermal-sensors-only-if-dev-of_.patch b/patches.kernel.org/5.1.15-084-hwmon-core-add-thermal-sensors-only-if-dev-of_.patch
new file mode 100644
index 0000000000..a436921e92
--- /dev/null
+++ b/patches.kernel.org/5.1.15-084-hwmon-core-add-thermal-sensors-only-if-dev-of_.patch
@@ -0,0 +1,66 @@
+From: Eduardo Valentin <eduval@amazon.com>
+Date: Wed, 29 May 2019 19:56:04 -0700
+Subject: [PATCH] hwmon: (core) add thermal sensors only if dev->of_node is
+ present
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: c41dd48e21fae3e55b3670ccf2eb562fc1f6a67d
+
+[ Upstream commit c41dd48e21fae3e55b3670ccf2eb562fc1f6a67d ]
+
+Drivers may register to hwmon and request for also registering
+with the thermal subsystem (HWMON_C_REGISTER_TZ). However,
+some of these driver, e.g. marvell phy, may be probed from
+Device Tree or being dynamically allocated, and in the later
+case, it will not have a dev->of_node entry.
+
+Registering with hwmon without the dev->of_node may result in
+different outcomes depending on the device tree, which may
+be a bit misleading. If the device tree blob has no 'thermal-zones'
+node, the *hwmon_device_register*() family functions are going
+to gracefully succeed, because of-thermal,
+*thermal_zone_of_sensor_register() return -ENODEV in this case,
+and the hwmon error path handles this error code as success to
+cover for the case where CONFIG_THERMAL_OF is not set.
+However, if the device tree blob has the 'thermal-zones'
+entry, the *hwmon_device_register*() will always fail on callers
+with no dev->of_node, propagating -EINVAL.
+
+If dev->of_node is not present, calling of-thermal does not
+make sense. For this reason, this patch checks first if the
+device has a of_node before going over the process of registering
+with the thermal subsystem of-thermal interface. And in this case,
+when a caller of *hwmon_device_register*() with HWMON_C_REGISTER_TZ
+and no dev->of_node will still register with hwmon, but not with
+the thermal subsystem. If all the hwmon part bits are in place,
+the registration will succeed.
+
+Fixes: d560168b5d0f ("hwmon: (core) New hwmon registration API")
+Cc: Jean Delvare <jdelvare@suse.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Cc: linux-hwmon@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Eduardo Valentin <eduval@amazon.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/hwmon/hwmon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/hwmon.c b/drivers/hwmon/hwmon.c
+index c22dc1e07911..c38883f748a1 100644
+--- a/drivers/hwmon/hwmon.c
++++ b/drivers/hwmon/hwmon.c
+@@ -633,7 +633,7 @@ __hwmon_device_register(struct device *dev, const char *name, void *drvdata,
+ if (err)
+ goto free_hwmon;
+
+- if (dev && chip && chip->ops->read &&
++ if (dev && dev->of_node && chip && chip->ops->read &&
+ chip->info[0]->type == hwmon_chip &&
+ (chip->info[0]->config[0] & HWMON_C_REGISTER_TZ)) {
+ const struct hwmon_channel_info **info = chip->info;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-085-hwmon-pmbus-core-Treat-parameters-as-paged-if-.patch b/patches.kernel.org/5.1.15-085-hwmon-pmbus-core-Treat-parameters-as-paged-if-.patch
new file mode 100644
index 0000000000..284c3c7df7
--- /dev/null
+++ b/patches.kernel.org/5.1.15-085-hwmon-pmbus-core-Treat-parameters-as-paged-if-.patch
@@ -0,0 +1,105 @@
+From: Robert Hancock <hancock@sedsystems.ca>
+Date: Wed, 5 Jun 2019 13:49:00 -0600
+Subject: [PATCH] hwmon: (pmbus/core) Treat parameters as paged if on multiple
+ pages
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 4a60570dce658e3f8885bbcf852430b99f65aca5
+
+[ Upstream commit 4a60570dce658e3f8885bbcf852430b99f65aca5 ]
+
+Some chips have attributes which exist on more than one page but the
+attribute is not presently marked as paged. This causes the attributes
+to be generated with the same label, which makes it impossible for
+userspace to tell them apart.
+
+Marking all such attributes as paged would result in the page suffix
+being added regardless of whether they were present on more than one
+page or not, which might break existing setups. Therefore, we add a
+second check which treats the attribute as paged, even if not marked as
+such, if it is present on multiple pages.
+
+Fixes: b4ce237b7f7d ("hwmon: (pmbus) Introduce infrastructure to detect sensors and limit registers")
+Signed-off-by: Robert Hancock <hancock@sedsystems.ca>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/hwmon/pmbus/pmbus_core.c | 34 ++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c
+index 2e2b5851139c..cd24b375df1e 100644
+--- a/drivers/hwmon/pmbus/pmbus_core.c
++++ b/drivers/hwmon/pmbus/pmbus_core.c
+@@ -1230,7 +1230,8 @@ static int pmbus_add_sensor_attrs_one(struct i2c_client *client,
+ const struct pmbus_driver_info *info,
+ const char *name,
+ int index, int page,
+- const struct pmbus_sensor_attr *attr)
++ const struct pmbus_sensor_attr *attr,
++ bool paged)
+ {
+ struct pmbus_sensor *base;
+ bool upper = !!(attr->gbit & 0xff00); /* need to check STATUS_WORD */
+@@ -1238,7 +1239,7 @@ static int pmbus_add_sensor_attrs_one(struct i2c_client *client,
+
+ if (attr->label) {
+ ret = pmbus_add_label(data, name, index, attr->label,
+- attr->paged ? page + 1 : 0);
++ paged ? page + 1 : 0);
+ if (ret)
+ return ret;
+ }
+@@ -1271,6 +1272,30 @@ static int pmbus_add_sensor_attrs_one(struct i2c_client *client,
+ return 0;
+ }
+
++static bool pmbus_sensor_is_paged(const struct pmbus_driver_info *info,
++ const struct pmbus_sensor_attr *attr)
++{
++ int p;
++
++ if (attr->paged)
++ return true;
++
++ /*
++ * Some attributes may be present on more than one page despite
++ * not being marked with the paged attribute. If that is the case,
++ * then treat the sensor as being paged and add the page suffix to the
++ * attribute name.
++ * We don't just add the paged attribute to all such attributes, in
++ * order to maintain the un-suffixed labels in the case where the
++ * attribute is only on page 0.
++ */
++ for (p = 1; p < info->pages; p++) {
++ if (info->func[p] & attr->func)
++ return true;
++ }
++ return false;
++}
++
+ static int pmbus_add_sensor_attrs(struct i2c_client *client,
+ struct pmbus_data *data,
+ const char *name,
+@@ -1284,14 +1309,15 @@ static int pmbus_add_sensor_attrs(struct i2c_client *client,
+ index = 1;
+ for (i = 0; i < nattrs; i++) {
+ int page, pages;
++ bool paged = pmbus_sensor_is_paged(info, attrs);
+
+- pages = attrs->paged ? info->pages : 1;
++ pages = paged ? info->pages : 1;
+ for (page = 0; page < pages; page++) {
+ if (!(info->func[page] & attrs->func))
+ continue;
+ ret = pmbus_add_sensor_attrs_one(client, data, info,
+ name, index, page,
+- attrs);
++ attrs, paged);
+ if (ret)
+ return ret;
+ index++;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-086-arm64-Silence-gcc-warnings-about-arch-ABI-drif.patch b/patches.kernel.org/5.1.15-086-arm64-Silence-gcc-warnings-about-arch-ABI-drif.patch
new file mode 100644
index 0000000000..424d444db6
--- /dev/null
+++ b/patches.kernel.org/5.1.15-086-arm64-Silence-gcc-warnings-about-arch-ABI-drif.patch
@@ -0,0 +1,49 @@
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Thu, 6 Jun 2019 11:33:43 +0100
+Subject: [PATCH] arm64: Silence gcc warnings about arch ABI drift
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: ebcc5928c5d925b1c8d968d9c89cdb0d0186db17
+
+[ Upstream commit ebcc5928c5d925b1c8d968d9c89cdb0d0186db17 ]
+
+Since GCC 9, the compiler warns about evolution of the
+platform-specific ABI, in particular relating for the marshaling of
+certain structures involving bitfields.
+
+The kernel is a standalone binary, and of course nobody would be
+so stupid as to expose structs containing bitfields as function
+arguments in ABI. (Passing a pointer to such a struct, however
+inadvisable, should be unaffected by this change. perf and various
+drivers rely on that.)
+
+So these warnings do more harm than good: turn them off.
+
+We may miss warnings about future ABI drift, but that's too bad.
+Future ABI breaks of this class will have to be debugged and fixed
+the traditional way unless the compiler evolves finer-grained
+diagnostics.
+
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm64/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
+index b025304bde46..8fbd583b18e1 100644
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -51,6 +51,7 @@ endif
+
+ KBUILD_CFLAGS += -mgeneral-regs-only $(lseinstr) $(brokengasinst)
+ KBUILD_CFLAGS += -fno-asynchronous-unwind-tables
++KBUILD_CFLAGS += -Wno-psabi
+ KBUILD_AFLAGS += $(lseinstr) $(brokengasinst)
+
+ KBUILD_CFLAGS += $(call cc-option,-mabi=lp64)
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-087-nvme-Fix-u32-overflow-in-the-number-of-namespa.patch b/patches.kernel.org/5.1.15-087-nvme-Fix-u32-overflow-in-the-number-of-namespa.patch
new file mode 100644
index 0000000000..19f760ecd5
--- /dev/null
+++ b/patches.kernel.org/5.1.15-087-nvme-Fix-u32-overflow-in-the-number-of-namespa.patch
@@ -0,0 +1,41 @@
+From: Jaesoo Lee <jalee@purestorage.com>
+Date: Mon, 3 Jun 2019 16:42:28 -0700
+Subject: [PATCH] nvme: Fix u32 overflow in the number of namespace list
+ calculation
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: c8e8c77b3bdbade6e26e8e76595f141ede12b692
+
+[ Upstream commit c8e8c77b3bdbade6e26e8e76595f141ede12b692 ]
+
+The Number of Namespaces (nn) field in the identify controller data structure is
+defined as u32 and the maximum allowed value in NVMe specification is
+0xFFFFFFFEUL. This change fixes the possible overflow of the DIV_ROUND_UP()
+operation used in nvme_scan_ns_list() by casting the nn to u64.
+
+Signed-off-by: Jaesoo Lee <jalee@purestorage.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/nvme/host/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 35d2202ee2fd..3a390b2c7540 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3397,7 +3397,8 @@ static int nvme_scan_ns_list(struct nvme_ctrl *ctrl, unsigned nn)
+ {
+ struct nvme_ns *ns;
+ __le32 *ns_list;
+- unsigned i, j, nsid, prev = 0, num_lists = DIV_ROUND_UP(nn, 1024);
++ unsigned i, j, nsid, prev = 0;
++ unsigned num_lists = DIV_ROUND_UP_ULL((u64)nn, 1024);
+ int ret = 0;
+
+ ns_list = kzalloc(NVME_IDENTIFY_DATA_SIZE, GFP_KERNEL);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-088-ovl-detect-overlapping-layers.patch b/patches.kernel.org/5.1.15-088-ovl-detect-overlapping-layers.patch
new file mode 100644
index 0000000000..ce09fe1522
--- /dev/null
+++ b/patches.kernel.org/5.1.15-088-ovl-detect-overlapping-layers.patch
@@ -0,0 +1,576 @@
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Thu, 18 Apr 2019 17:42:08 +0300
+Subject: [PATCH] ovl: detect overlapping layers
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 146d62e5a5867fbf84490d82455718bfb10fe824
+
+[ Upstream commit 146d62e5a5867fbf84490d82455718bfb10fe824 ]
+
+Overlapping overlay layers are not supported and can cause unexpected
+behavior, but overlayfs does not currently check or warn about these
+configurations.
+
+User is not supposed to specify the same directory for upper and
+lower dirs or for different lower layers and user is not supposed to
+specify directories that are descendants of each other for overlay
+layers, but that is exactly what this zysbot repro did:
+
+ https://syzkaller.appspot.com/x/repro.syz?x=12c7a94f400000
+
+Moving layer root directories into other layers while overlayfs
+is mounted could also result in unexpected behavior.
+
+This commit places "traps" in the overlay inode hash table.
+Those traps are dummy overlay inodes that are hashed by the layers
+root inodes.
+
+On mount, the hash table trap entries are used to verify that overlay
+layers are not overlapping. While at it, we also verify that overlay
+layers are not overlapping with directories "in-use" by other overlay
+instances as upperdir/workdir.
+
+On lookup, the trap entries are used to verify that overlay layers
+root inodes have not been moved into other layers after mount.
+
+Some examples:
+
+$ ./run --ov --samefs -s
+...
+( mkdir -p base/upper/0/u base/upper/0/w base/lower lower upper mnt
+ mount -o bind base/lower lower
+ mount -o bind base/upper upper
+ mount -t overlay none mnt ...
+ -o lowerdir=lower,upperdir=upper/0/u,workdir=upper/0/w)
+
+$ umount mnt
+$ mount -t overlay none mnt ...
+ -o lowerdir=base,upperdir=upper/0/u,workdir=upper/0/w
+
+ [ 94.434900] overlayfs: overlapping upperdir path
+ mount: mount overlay on mnt failed: Too many levels of symbolic links
+
+$ mount -t overlay none mnt ...
+ -o lowerdir=upper/0/u,upperdir=upper/0/u,workdir=upper/0/w
+
+ [ 151.350132] overlayfs: conflicting lowerdir path
+ mount: none is already mounted or mnt busy
+
+$ mount -t overlay none mnt ...
+ -o lowerdir=lower:lower/a,upperdir=upper/0/u,workdir=upper/0/w
+
+ [ 201.205045] overlayfs: overlapping lowerdir path
+ mount: mount overlay on mnt failed: Too many levels of symbolic links
+
+$ mount -t overlay none mnt ...
+ -o lowerdir=lower,upperdir=upper/0/u,workdir=upper/0/w
+$ mv base/upper/0/ base/lower/
+$ find mnt/0
+ mnt/0
+ mnt/0/w
+ find: 'mnt/0/w/work': Too many levels of symbolic links
+ find: 'mnt/0/u': Too many levels of symbolic links
+
+Reported-by: syzbot+9c69c282adc4edd2b540@syzkaller.appspotmail.com
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/overlayfs/inode.c | 48 +++++++++++
+ fs/overlayfs/namei.c | 8 ++
+ fs/overlayfs/overlayfs.h | 3 +
+ fs/overlayfs/ovl_entry.h | 6 ++
+ fs/overlayfs/super.c | 169 +++++++++++++++++++++++++++++++++++----
+ fs/overlayfs/util.c | 12 +++
+ 6 files changed, 229 insertions(+), 17 deletions(-)
+
+diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
+index b48273e846ad..f7eba21effa5 100644
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -777,6 +777,54 @@ struct inode *ovl_lookup_inode(struct super_block *sb, struct dentry *real,
+ return inode;
+ }
+
++bool ovl_lookup_trap_inode(struct super_block *sb, struct dentry *dir)
++{
++ struct inode *key = d_inode(dir);
++ struct inode *trap;
++ bool res;
++
++ trap = ilookup5(sb, (unsigned long) key, ovl_inode_test, key);
++ if (!trap)
++ return false;
++
++ res = IS_DEADDIR(trap) && !ovl_inode_upper(trap) &&
++ !ovl_inode_lower(trap);
++
++ iput(trap);
++ return res;
++}
++
++/*
++ * Create an inode cache entry for layer root dir, that will intentionally
++ * fail ovl_verify_inode(), so any lookup that will find some layer root
++ * will fail.
++ */
++struct inode *ovl_get_trap_inode(struct super_block *sb, struct dentry *dir)
++{
++ struct inode *key = d_inode(dir);
++ struct inode *trap;
++
++ if (!d_is_dir(dir))
++ return ERR_PTR(-ENOTDIR);
++
++ trap = iget5_locked(sb, (unsigned long) key, ovl_inode_test,
++ ovl_inode_set, key);
++ if (!trap)
++ return ERR_PTR(-ENOMEM);
++
++ if (!(trap->i_state & I_NEW)) {
++ /* Conflicting layer roots? */
++ iput(trap);
++ return ERR_PTR(-ELOOP);
++ }
++
++ trap->i_mode = S_IFDIR;
++ trap->i_flags = S_DEAD;
++ unlock_new_inode(trap);
++
++ return trap;
++}
++
+ /*
+ * Does overlay inode need to be hashed by lower inode?
+ */
+diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
+index efd372312ef1..badf039267a2 100644
+--- a/fs/overlayfs/namei.c
++++ b/fs/overlayfs/namei.c
+@@ -18,6 +18,7 @@
+ #include "overlayfs.h"
+
+ struct ovl_lookup_data {
++ struct super_block *sb;
+ struct qstr name;
+ bool is_dir;
+ bool opaque;
+@@ -244,6 +245,12 @@ static int ovl_lookup_single(struct dentry *base, struct ovl_lookup_data *d,
+ if (!d->metacopy || d->last)
+ goto out;
+ } else {
++ if (ovl_lookup_trap_inode(d->sb, this)) {
++ /* Caught in a trap of overlapping layers */
++ err = -ELOOP;
++ goto out_err;
++ }
++
+ if (last_element)
+ d->is_dir = true;
+ if (d->last)
+@@ -819,6 +826,7 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
+ int err;
+ bool metacopy = false;
+ struct ovl_lookup_data d = {
++ .sb = dentry->d_sb,
+ .name = dentry->d_name,
+ .is_dir = false,
+ .opaque = false,
+diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
+index d26efed9f80a..cec40077b522 100644
+--- a/fs/overlayfs/overlayfs.h
++++ b/fs/overlayfs/overlayfs.h
+@@ -270,6 +270,7 @@ void ovl_clear_flag(unsigned long flag, struct inode *inode);
+ bool ovl_test_flag(unsigned long flag, struct inode *inode);
+ bool ovl_inuse_trylock(struct dentry *dentry);
+ void ovl_inuse_unlock(struct dentry *dentry);
++bool ovl_is_inuse(struct dentry *dentry);
+ bool ovl_need_index(struct dentry *dentry);
+ int ovl_nlink_start(struct dentry *dentry);
+ void ovl_nlink_end(struct dentry *dentry);
+@@ -376,6 +377,8 @@ struct ovl_inode_params {
+ struct inode *ovl_new_inode(struct super_block *sb, umode_t mode, dev_t rdev);
+ struct inode *ovl_lookup_inode(struct super_block *sb, struct dentry *real,
+ bool is_upper);
++bool ovl_lookup_trap_inode(struct super_block *sb, struct dentry *dir);
++struct inode *ovl_get_trap_inode(struct super_block *sb, struct dentry *dir);
+ struct inode *ovl_get_inode(struct super_block *sb,
+ struct ovl_inode_params *oip);
+ static inline void ovl_copyattr(struct inode *from, struct inode *to)
+diff --git a/fs/overlayfs/ovl_entry.h b/fs/overlayfs/ovl_entry.h
+index ec237035333a..6ed1ace8f8b3 100644
+--- a/fs/overlayfs/ovl_entry.h
++++ b/fs/overlayfs/ovl_entry.h
+@@ -29,6 +29,8 @@ struct ovl_sb {
+
+ struct ovl_layer {
+ struct vfsmount *mnt;
++ /* Trap in ovl inode cache */
++ struct inode *trap;
+ struct ovl_sb *fs;
+ /* Index of this layer in fs root (upper idx == 0) */
+ int idx;
+@@ -65,6 +67,10 @@ struct ovl_fs {
+ /* Did we take the inuse lock? */
+ bool upperdir_locked;
+ bool workdir_locked;
++ /* Traps in ovl inode cache */
++ struct inode *upperdir_trap;
++ struct inode *workdir_trap;
++ struct inode *indexdir_trap;
+ /* Inode numbers in all layers do not use the high xino_bits */
+ unsigned int xino_bits;
+ };
+diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
+index 0116735cc321..c481bf5f6fe2 100644
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -217,6 +217,9 @@ static void ovl_free_fs(struct ovl_fs *ofs)
+ {
+ unsigned i;
+
++ iput(ofs->indexdir_trap);
++ iput(ofs->workdir_trap);
++ iput(ofs->upperdir_trap);
+ dput(ofs->indexdir);
+ dput(ofs->workdir);
+ if (ofs->workdir_locked)
+@@ -225,8 +228,10 @@ static void ovl_free_fs(struct ovl_fs *ofs)
+ if (ofs->upperdir_locked)
+ ovl_inuse_unlock(ofs->upper_mnt->mnt_root);
+ mntput(ofs->upper_mnt);
+- for (i = 0; i < ofs->numlower; i++)
++ for (i = 0; i < ofs->numlower; i++) {
++ iput(ofs->lower_layers[i].trap);
+ mntput(ofs->lower_layers[i].mnt);
++ }
+ for (i = 0; i < ofs->numlowerfs; i++)
+ free_anon_bdev(ofs->lower_fs[i].pseudo_dev);
+ kfree(ofs->lower_layers);
+@@ -984,7 +989,26 @@ static const struct xattr_handler *ovl_xattr_handlers[] = {
+ NULL
+ };
+
+-static int ovl_get_upper(struct ovl_fs *ofs, struct path *upperpath)
++static int ovl_setup_trap(struct super_block *sb, struct dentry *dir,
++ struct inode **ptrap, const char *name)
++{
++ struct inode *trap;
++ int err;
++
++ trap = ovl_get_trap_inode(sb, dir);
++ err = PTR_ERR(trap);
++ if (IS_ERR(trap)) {
++ if (err == -ELOOP)
++ pr_err("overlayfs: conflicting %s path\n", name);
++ return err;
++ }
++
++ *ptrap = trap;
++ return 0;
++}
++
++static int ovl_get_upper(struct super_block *sb, struct ovl_fs *ofs,
++ struct path *upperpath)
+ {
+ struct vfsmount *upper_mnt;
+ int err;
+@@ -1004,6 +1028,11 @@ static int ovl_get_upper(struct ovl_fs *ofs, struct path *upperpath)
+ if (err)
+ goto out;
+
++ err = ovl_setup_trap(sb, upperpath->dentry, &ofs->upperdir_trap,
++ "upperdir");
++ if (err)
++ goto out;
++
+ upper_mnt = clone_private_mount(upperpath);
+ err = PTR_ERR(upper_mnt);
+ if (IS_ERR(upper_mnt)) {
+@@ -1030,7 +1059,8 @@ static int ovl_get_upper(struct ovl_fs *ofs, struct path *upperpath)
+ return err;
+ }
+
+-static int ovl_make_workdir(struct ovl_fs *ofs, struct path *workpath)
++static int ovl_make_workdir(struct super_block *sb, struct ovl_fs *ofs,
++ struct path *workpath)
+ {
+ struct vfsmount *mnt = ofs->upper_mnt;
+ struct dentry *temp;
+@@ -1045,6 +1075,10 @@ static int ovl_make_workdir(struct ovl_fs *ofs, struct path *workpath)
+ if (!ofs->workdir)
+ goto out;
+
++ err = ovl_setup_trap(sb, ofs->workdir, &ofs->workdir_trap, "workdir");
++ if (err)
++ goto out;
++
+ /*
+ * Upper should support d_type, else whiteouts are visible. Given
+ * workdir and upper are on same fs, we can do iterate_dir() on
+@@ -1105,7 +1139,8 @@ static int ovl_make_workdir(struct ovl_fs *ofs, struct path *workpath)
+ return err;
+ }
+
+-static int ovl_get_workdir(struct ovl_fs *ofs, struct path *upperpath)
++static int ovl_get_workdir(struct super_block *sb, struct ovl_fs *ofs,
++ struct path *upperpath)
+ {
+ int err;
+ struct path workpath = { };
+@@ -1136,19 +1171,16 @@ static int ovl_get_workdir(struct ovl_fs *ofs, struct path *upperpath)
+ pr_warn("overlayfs: workdir is in-use by another mount, accessing files from both mounts will result in undefined behavior.\n");
+ }
+
+- err = ovl_make_workdir(ofs, &workpath);
+- if (err)
+- goto out;
++ err = ovl_make_workdir(sb, ofs, &workpath);
+
+- err = 0;
+ out:
+ path_put(&workpath);
+
+ return err;
+ }
+
+-static int ovl_get_indexdir(struct ovl_fs *ofs, struct ovl_entry *oe,
+- struct path *upperpath)
++static int ovl_get_indexdir(struct super_block *sb, struct ovl_fs *ofs,
++ struct ovl_entry *oe, struct path *upperpath)
+ {
+ struct vfsmount *mnt = ofs->upper_mnt;
+ int err;
+@@ -1167,6 +1199,11 @@ static int ovl_get_indexdir(struct ovl_fs *ofs, struct ovl_entry *oe,
+
+ ofs->indexdir = ovl_workdir_create(ofs, OVL_INDEXDIR_NAME, true);
+ if (ofs->indexdir) {
++ err = ovl_setup_trap(sb, ofs->indexdir, &ofs->indexdir_trap,
++ "indexdir");
++ if (err)
++ goto out;
++
+ /*
+ * Verify upper root is exclusively associated with index dir.
+ * Older kernels stored upper fh in "trusted.overlay.origin"
+@@ -1254,8 +1291,8 @@ static int ovl_get_fsid(struct ovl_fs *ofs, const struct path *path)
+ return ofs->numlowerfs;
+ }
+
+-static int ovl_get_lower_layers(struct ovl_fs *ofs, struct path *stack,
+- unsigned int numlower)
++static int ovl_get_lower_layers(struct super_block *sb, struct ovl_fs *ofs,
++ struct path *stack, unsigned int numlower)
+ {
+ int err;
+ unsigned int i;
+@@ -1273,16 +1310,28 @@ static int ovl_get_lower_layers(struct ovl_fs *ofs, struct path *stack,
+
+ for (i = 0; i < numlower; i++) {
+ struct vfsmount *mnt;
++ struct inode *trap;
+ int fsid;
+
+ err = fsid = ovl_get_fsid(ofs, &stack[i]);
+ if (err < 0)
+ goto out;
+
++ err = -EBUSY;
++ if (ovl_is_inuse(stack[i].dentry)) {
++ pr_err("overlayfs: lowerdir is in-use as upperdir/workdir\n");
++ goto out;
++ }
++
++ err = ovl_setup_trap(sb, stack[i].dentry, &trap, "lowerdir");
++ if (err)
++ goto out;
++
+ mnt = clone_private_mount(&stack[i]);
+ err = PTR_ERR(mnt);
+ if (IS_ERR(mnt)) {
+ pr_err("overlayfs: failed to clone lowerpath\n");
++ iput(trap);
+ goto out;
+ }
+
+@@ -1292,6 +1341,7 @@ static int ovl_get_lower_layers(struct ovl_fs *ofs, struct path *stack,
+ */
+ mnt->mnt_flags |= MNT_READONLY | MNT_NOATIME;
+
++ ofs->lower_layers[ofs->numlower].trap = trap;
+ ofs->lower_layers[ofs->numlower].mnt = mnt;
+ ofs->lower_layers[ofs->numlower].idx = i + 1;
+ ofs->lower_layers[ofs->numlower].fsid = fsid;
+@@ -1386,7 +1436,7 @@ static struct ovl_entry *ovl_get_lowerstack(struct super_block *sb,
+ goto out_err;
+ }
+
+- err = ovl_get_lower_layers(ofs, stack, numlower);
++ err = ovl_get_lower_layers(sb, ofs, stack, numlower);
+ if (err)
+ goto out_err;
+
+@@ -1418,6 +1468,85 @@ static struct ovl_entry *ovl_get_lowerstack(struct super_block *sb,
+ goto out;
+ }
+
++/*
++ * Check if this layer root is a descendant of:
++ * - another layer of this overlayfs instance
++ * - upper/work dir of any overlayfs instance
++ * - a disconnected dentry (detached root)
++ */
++static int ovl_check_layer(struct super_block *sb, struct dentry *dentry,
++ const char *name)
++{
++ struct dentry *next, *parent;
++ bool is_root = false;
++ int err = 0;
++
++ if (!dentry || dentry == dentry->d_sb->s_root)
++ return 0;
++
++ next = dget(dentry);
++ /* Walk back ancestors to fs root (inclusive) looking for traps */
++ do {
++ parent = dget_parent(next);
++ is_root = (parent == next);
++ if (ovl_is_inuse(parent)) {
++ err = -EBUSY;
++ pr_err("overlayfs: %s path overlapping in-use upperdir/workdir\n",
++ name);
++ } else if (ovl_lookup_trap_inode(sb, parent)) {
++ err = -ELOOP;
++ pr_err("overlayfs: overlapping %s path\n", name);
++ }
++ dput(next);
++ next = parent;
++ } while (!err && !is_root);
++
++ /* Did we really walk to fs root or found a detached root? */
++ if (!err && next != dentry->d_sb->s_root) {
++ err = -ESTALE;
++ pr_err("overlayfs: disconnected %s path\n", name);
++ }
++
++ dput(next);
++
++ return err;
++}
++
++/*
++ * Check if any of the layers or work dirs overlap.
++ */
++static int ovl_check_overlapping_layers(struct super_block *sb,
++ struct ovl_fs *ofs)
++{
++ int i, err;
++
++ if (ofs->upper_mnt) {
++ err = ovl_check_layer(sb, ofs->upper_mnt->mnt_root, "upperdir");
++ if (err)
++ return err;
++
++ /*
++ * Checking workbasedir avoids hitting ovl_is_inuse(parent) of
++ * this instance and covers overlapping work and index dirs,
++ * unless work or index dir have been moved since created inside
++ * workbasedir. In that case, we already have their traps in
++ * inode cache and we will catch that case on lookup.
++ */
++ err = ovl_check_layer(sb, ofs->workbasedir, "workdir");
++ if (err)
++ return err;
++ }
++
++ for (i = 0; i < ofs->numlower; i++) {
++ err = ovl_check_layer(sb, ofs->lower_layers[i].mnt->mnt_root,
++ "lowerdir");
++ if (err)
++ return err;
++ }
++
++ return 0;
++}
++
+ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
+ {
+ struct path upperpath = { };
+@@ -1457,17 +1586,20 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
+ if (ofs->config.xino != OVL_XINO_OFF)
+ ofs->xino_bits = BITS_PER_LONG - 32;
+
++ /* alloc/destroy_inode needed for setting up traps in inode cache */
++ sb->s_op = &ovl_super_operations;
++
+ if (ofs->config.upperdir) {
+ if (!ofs->config.workdir) {
+ pr_err("overlayfs: missing 'workdir'\n");
+ goto out_err;
+ }
+
+- err = ovl_get_upper(ofs, &upperpath);
++ err = ovl_get_upper(sb, ofs, &upperpath);
+ if (err)
+ goto out_err;
+
+- err = ovl_get_workdir(ofs, &upperpath);
++ err = ovl_get_workdir(sb, ofs, &upperpath);
+ if (err)
+ goto out_err;
+
+@@ -1488,7 +1620,7 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
+ sb->s_flags |= SB_RDONLY;
+
+ if (!(ovl_force_readonly(ofs)) && ofs->config.index) {
+- err = ovl_get_indexdir(ofs, oe, &upperpath);
++ err = ovl_get_indexdir(sb, ofs, oe, &upperpath);
+ if (err)
+ goto out_free_oe;
+
+@@ -1501,6 +1633,10 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
+
+ }
+
++ err = ovl_check_overlapping_layers(sb, ofs);
++ if (err)
++ goto out_free_oe;
++
+ /* Show index=off in /proc/mounts for forced r/o mount */
+ if (!ofs->indexdir) {
+ ofs->config.index = false;
+@@ -1522,7 +1658,6 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
+ cap_lower(cred->cap_effective, CAP_SYS_RESOURCE);
+
+ sb->s_magic = OVERLAYFS_SUPER_MAGIC;
+- sb->s_op = &ovl_super_operations;
+ sb->s_xattr = ovl_xattr_handlers;
+ sb->s_fs_info = ofs;
+ sb->s_flags |= SB_POSIXACL;
+diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
+index 4035e640f402..e135064e87ad 100644
+--- a/fs/overlayfs/util.c
++++ b/fs/overlayfs/util.c
+@@ -652,6 +652,18 @@ void ovl_inuse_unlock(struct dentry *dentry)
+ }
+ }
+
++bool ovl_is_inuse(struct dentry *dentry)
++{
++ struct inode *inode = d_inode(dentry);
++ bool inuse;
++
++ spin_lock(&inode->i_lock);
++ inuse = (inode->i_state & I_OVL_INUSE);
++ spin_unlock(&inode->i_lock);
++
++ return inuse;
++}
++
+ /*
+ * Does this overlay dentry need to be indexed on copy up?
+ */
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-089-ovl-don-t-fail-with-disconnected-lower-NFS.patch b/patches.kernel.org/5.1.15-089-ovl-don-t-fail-with-disconnected-lower-NFS.patch
new file mode 100644
index 0000000000..6b1ec14706
--- /dev/null
+++ b/patches.kernel.org/5.1.15-089-ovl-don-t-fail-with-disconnected-lower-NFS.patch
@@ -0,0 +1,82 @@
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Tue, 18 Jun 2019 15:06:16 +0200
+Subject: [PATCH] ovl: don't fail with disconnected lower NFS
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 9179c21dc6ed1c993caa5fe4da876a6765c26af7
+
+[ Upstream commit 9179c21dc6ed1c993caa5fe4da876a6765c26af7 ]
+
+NFS mounts can be disconnected from fs root. Don't fail the overlapping
+layer check because of this.
+
+The check is not authoritative anyway, since topology can change during or
+after the check.
+
+Reported-by: Antti Antinoja <antti@fennosys.fi>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 146d62e5a586 ("ovl: detect overlapping layers")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/overlayfs/super.c | 26 +++++++++-----------------
+ 1 file changed, 9 insertions(+), 17 deletions(-)
+
+diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
+index c481bf5f6fe2..fa5060f59b88 100644
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -1472,23 +1472,20 @@ static struct ovl_entry *ovl_get_lowerstack(struct super_block *sb,
+ * Check if this layer root is a descendant of:
+ * - another layer of this overlayfs instance
+ * - upper/work dir of any overlayfs instance
+- * - a disconnected dentry (detached root)
+ */
+ static int ovl_check_layer(struct super_block *sb, struct dentry *dentry,
+ const char *name)
+ {
+- struct dentry *next, *parent;
+- bool is_root = false;
++ struct dentry *next = dentry, *parent;
+ int err = 0;
+
+- if (!dentry || dentry == dentry->d_sb->s_root)
++ if (!dentry)
+ return 0;
+
+- next = dget(dentry);
+- /* Walk back ancestors to fs root (inclusive) looking for traps */
+- do {
+- parent = dget_parent(next);
+- is_root = (parent == next);
++ parent = dget_parent(next);
++
++ /* Walk back ancestors to root (inclusive) looking for traps */
++ while (!err && parent != next) {
+ if (ovl_is_inuse(parent)) {
+ err = -EBUSY;
+ pr_err("overlayfs: %s path overlapping in-use upperdir/workdir\n",
+@@ -1497,17 +1494,12 @@ static int ovl_check_layer(struct super_block *sb, struct dentry *dentry,
+ err = -ELOOP;
+ pr_err("overlayfs: overlapping %s path\n", name);
+ }
+- dput(next);
+ next = parent;
+- } while (!err && !is_root);
+-
+- /* Did we really walk to fs root or found a detached root? */
+- if (!err && next != dentry->d_sb->s_root) {
+- err = -ESTALE;
+- pr_err("overlayfs: disconnected %s path\n", name);
++ parent = dget_parent(next);
++ dput(next);
+ }
+
+- dput(next);
++ dput(parent);
+
+ return err;
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-090-ovl-fix-bogus-Wmaybe-unitialized-warning.patch b/patches.kernel.org/5.1.15-090-ovl-fix-bogus-Wmaybe-unitialized-warning.patch
new file mode 100644
index 0000000000..ee4495f0fc
--- /dev/null
+++ b/patches.kernel.org/5.1.15-090-ovl-fix-bogus-Wmaybe-unitialized-warning.patch
@@ -0,0 +1,48 @@
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 17 Jun 2019 14:39:29 +0200
+Subject: [PATCH] ovl: fix bogus -Wmaybe-unitialized warning
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 1dac6f5b0ed2601be21bb4e27a44b0c3e667b7f4
+
+[ Upstream commit 1dac6f5b0ed2601be21bb4e27a44b0c3e667b7f4 ]
+
+gcc gets a bit confused by the logic in ovl_setup_trap() and
+can't figure out whether the local 'trap' variable in the caller
+was initialized or not:
+
+fs/overlayfs/super.c: In function 'ovl_fill_super':
+fs/overlayfs/super.c:1333:4: error: 'trap' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+ iput(trap);
+ ^~~~~~~~~~
+fs/overlayfs/super.c:1312:17: note: 'trap' was declared here
+
+Reword slightly to make it easier for the compiler to understand.
+
+Fixes: 146d62e5a586 ("ovl: detect overlapping layers")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/overlayfs/super.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
+index fa5060f59b88..9780617c69ee 100644
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -996,8 +996,8 @@ static int ovl_setup_trap(struct super_block *sb, struct dentry *dir,
+ int err;
+
+ trap = ovl_get_trap_inode(sb, dir);
+- err = PTR_ERR(trap);
+- if (IS_ERR(trap)) {
++ err = PTR_ERR_OR_ZERO(trap);
++ if (err) {
+ if (err == -ELOOP)
+ pr_err("overlayfs: conflicting %s path\n", name);
+ return err;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-091-btrfs-start-readahead-also-in-seed-devices.patch b/patches.kernel.org/5.1.15-091-btrfs-start-readahead-also-in-seed-devices.patch
new file mode 100644
index 0000000000..41c671aa28
--- /dev/null
+++ b/patches.kernel.org/5.1.15-091-btrfs-start-readahead-also-in-seed-devices.patch
@@ -0,0 +1,54 @@
+From: Naohiro Aota <naohiro.aota@wdc.com>
+Date: Thu, 6 Jun 2019 16:54:44 +0900
+Subject: [PATCH] btrfs: start readahead also in seed devices
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: c4e0540d0ad49c8ceab06cceed1de27c4fe29f6e
+
+commit c4e0540d0ad49c8ceab06cceed1de27c4fe29f6e upstream.
+
+Currently, btrfs does not consult seed devices to start readahead. As a
+result, if readahead zone is added to the seed devices, btrfs_reada_wait()
+indefinitely wait for the reada_ctl to finish.
+
+You can reproduce the hung by modifying btrfs/163 to have larger initial
+file size (e.g. xfs_io pwrite 4M instead of current 256K).
+
+Fixes: 7414a03fbf9e ("btrfs: initial readahead code and prototypes")
+Cc: stable@vger.kernel.org # 3.2+: ce7791ffee1e: Btrfs: fix race between readahead and device replace/removal
+Cc: stable@vger.kernel.org # 3.2+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/btrfs/reada.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/btrfs/reada.c b/fs/btrfs/reada.c
+index 10d9589001a9..bb5bd49573b4 100644
+--- a/fs/btrfs/reada.c
++++ b/fs/btrfs/reada.c
+@@ -747,6 +747,7 @@ static void __reada_start_machine(struct btrfs_fs_info *fs_info)
+ u64 total = 0;
+ int i;
+
++again:
+ do {
+ enqueued = 0;
+ mutex_lock(&fs_devices->device_list_mutex);
+@@ -758,6 +759,10 @@ static void __reada_start_machine(struct btrfs_fs_info *fs_info)
+ mutex_unlock(&fs_devices->device_list_mutex);
+ total += enqueued;
+ } while (enqueued && total < 10000);
++ if (fs_devices->seed) {
++ fs_devices = fs_devices->seed;
++ goto again;
++ }
+
+ if (enqueued == 0)
+ return;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-092-can-xilinx_can-use-correct-bittiming_const-for.patch b/patches.kernel.org/5.1.15-092-can-xilinx_can-use-correct-bittiming_const-for.patch
new file mode 100644
index 0000000000..05b498f8cb
--- /dev/null
+++ b/patches.kernel.org/5.1.15-092-can-xilinx_can-use-correct-bittiming_const-for.patch
@@ -0,0 +1,47 @@
+From: Anssi Hannula <anssi.hannula@bitwise.fi>
+Date: Tue, 11 Sep 2018 14:47:46 +0300
+Subject: [PATCH] can: xilinx_can: use correct bittiming_const for CAN FD core
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 904044dd8fff43e289c11a2f90fa532e946a1d8b
+
+commit 904044dd8fff43e289c11a2f90fa532e946a1d8b upstream.
+
+Commit 9e5f1b273e6a ("can: xilinx_can: add support for Xilinx CAN FD
+core") added a new can_bittiming_const structure for CAN FD cores that
+support larger values for tseg1, tseg2, and sjw than previous Xilinx CAN
+cores, but the commit did not actually take that into use.
+
+Fix that.
+
+Tested with CAN FD core on a ZynqMP board.
+
+Fixes: 9e5f1b273e6a ("can: xilinx_can: add support for Xilinx CAN FD core")
+Reported-by: Shubhrajyoti Datta <shubhrajyoti.datta@gmail.com>
+Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Cc: Michal Simek <michal.simek@xilinx.com>
+Reviewed-by: Shubhrajyoti Datta <shubhrajyoti.datta@gmail.com>
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/can/xilinx_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c
+index 97d0933d9bd9..e4a5038eba9a 100644
+--- a/drivers/net/can/xilinx_can.c
++++ b/drivers/net/can/xilinx_can.c
+@@ -1443,7 +1443,7 @@ static const struct xcan_devtype_data xcan_canfd_data = {
+ XCAN_FLAG_RXMNF |
+ XCAN_FLAG_TX_MAILBOXES |
+ XCAN_FLAG_RX_FIFO_MULTI,
+- .bittiming_const = &xcan_bittiming_const,
++ .bittiming_const = &xcan_bittiming_const_canfd,
+ .btr_ts2_shift = XCAN_BTR_TS2_SHIFT_CANFD,
+ .btr_sjw_shift = XCAN_BTR_SJW_SHIFT_CANFD,
+ .bus_clk_name = "s_axi_aclk",
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-093-can-flexcan-fix-timeout-when-set-small-bitrate.patch b/patches.kernel.org/5.1.15-093-can-flexcan-fix-timeout-when-set-small-bitrate.patch
new file mode 100644
index 0000000000..cffe614bdb
--- /dev/null
+++ b/patches.kernel.org/5.1.15-093-can-flexcan-fix-timeout-when-set-small-bitrate.patch
@@ -0,0 +1,60 @@
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+Date: Thu, 31 Jan 2019 09:37:22 +0000
+Subject: [PATCH] can: flexcan: fix timeout when set small bitrate
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 247e5356a709eb49a0d95ff2a7f07dac05c8252c
+
+commit 247e5356a709eb49a0d95ff2a7f07dac05c8252c upstream.
+
+Current we can meet timeout issue when setting a small bitrate like
+10000 as follows on i.MX6UL EVK board (ipg clock = 66MHZ, per clock =
+30MHZ):
+
+| root@imx6ul7d:~# ip link set can0 up type can bitrate 10000
+
+A link change request failed with some changes committed already.
+Interface can0 may have been left with an inconsistent configuration,
+please check.
+
+| RTNETLINK answers: Connection timed out
+
+It is caused by calling of flexcan_chip_unfreeze() timeout.
+
+Originally the code is using usleep_range(10, 20) for unfreeze
+operation, but the patch (8badd65 can: flexcan: avoid calling
+usleep_range from interrupt context) changed it into udelay(10) which is
+only a half delay of before, there're also some other delay changes.
+
+After double to FLEXCAN_TIMEOUT_US to 100 can fix the issue.
+
+Meanwhile, Rasmus Villemoes reported that even with a timeout of 100,
+flexcan_probe() fails on the MPC8309, which requires a value of at least
+140 to work reliably. 250 works for everyone.
+
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Reviewed-by: Dong Aisheng <aisheng.dong@nxp.com>
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/can/flexcan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
+index 1c66fb2ad76b..f97c628eb2ad 100644
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -166,7 +166,7 @@
+ #define FLEXCAN_MB_CNT_LENGTH(x) (((x) & 0xf) << 16)
+ #define FLEXCAN_MB_CNT_TIMESTAMP(x) ((x) & 0xffff)
+
+-#define FLEXCAN_TIMEOUT_US (50)
++#define FLEXCAN_TIMEOUT_US (250)
+
+ /* FLEXCAN hardware feature flags
+ *
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-094-can-purge-socket-error-queue-on-sock-destruct.patch b/patches.kernel.org/5.1.15-094-can-purge-socket-error-queue-on-sock-destruct.patch
new file mode 100644
index 0000000000..f691a08612
--- /dev/null
+++ b/patches.kernel.org/5.1.15-094-can-purge-socket-error-queue-on-sock-destruct.patch
@@ -0,0 +1,38 @@
+From: Willem de Bruijn <willemb@google.com>
+Date: Fri, 7 Jun 2019 16:46:07 -0400
+Subject: [PATCH] can: purge socket error queue on sock destruct
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: fd704bd5ee749d560e86c4f1fd2ef486d8abf7cf
+
+commit fd704bd5ee749d560e86c4f1fd2ef486d8abf7cf upstream.
+
+CAN supports software tx timestamps as of the below commit. Purge
+any queued timestamp packets on socket destroy.
+
+Fixes: 51f31cabe3ce ("ip: support for TX timestamps on UDP and RAW sockets")
+Reported-by: syzbot+a90604060cb40f5bdd16@syzkaller.appspotmail.com
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/can/af_can.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/can/af_can.c b/net/can/af_can.c
+index 1684ba5b51eb..e386d654116d 100644
+--- a/net/can/af_can.c
++++ b/net/can/af_can.c
+@@ -105,6 +105,7 @@ EXPORT_SYMBOL(can_ioctl);
+ static void can_sock_destruct(struct sock *sk)
+ {
+ skb_queue_purge(&sk->sk_receive_queue);
++ skb_queue_purge(&sk->sk_error_queue);
+ }
+
+ static const struct can_proto *can_get_proto(int protocol)
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-095-riscv-mm-synchronize-MMU-after-pte-change.patch b/patches.kernel.org/5.1.15-095-riscv-mm-synchronize-MMU-after-pte-change.patch
new file mode 100644
index 0000000000..11ffe95a95
--- /dev/null
+++ b/patches.kernel.org/5.1.15-095-riscv-mm-synchronize-MMU-after-pte-change.patch
@@ -0,0 +1,62 @@
+From: ShihPo Hung <shihpo.hung@sifive.com>
+Date: Mon, 17 Jun 2019 12:26:17 +0800
+Subject: [PATCH] riscv: mm: synchronize MMU after pte change
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: bf587caae305ae3b4393077fb22c98478ee55755
+
+commit bf587caae305ae3b4393077fb22c98478ee55755 upstream.
+
+Because RISC-V compliant implementations can cache invalid entries
+in TLB, an SFENCE.VMA is necessary after changes to the page table.
+This patch adds an SFENCE.vma for the vmalloc_fault path.
+
+Signed-off-by: ShihPo Hung <shihpo.hung@sifive.com>
+[paul.walmsley@sifive.com: reversed tab->whitespace conversion,
+ wrapped comment lines]
+Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com>
+Cc: Palmer Dabbelt <palmer@sifive.com>
+Cc: Albert Ou <aou@eecs.berkeley.edu>
+Cc: Paul Walmsley <paul.walmsley@sifive.com>
+Cc: linux-riscv@lists.infradead.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/riscv/mm/fault.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c
+index 88401d5125bc..523dbfbac03d 100644
+--- a/arch/riscv/mm/fault.c
++++ b/arch/riscv/mm/fault.c
+@@ -29,6 +29,7 @@
+
+ #include <asm/pgalloc.h>
+ #include <asm/ptrace.h>
++#include <asm/tlbflush.h>
+
+ /*
+ * This routine handles page faults. It determines the address and the
+@@ -281,6 +282,18 @@ asmlinkage void do_page_fault(struct pt_regs *regs)
+ pte_k = pte_offset_kernel(pmd_k, addr);
+ if (!pte_present(*pte_k))
+ goto no_context;
++
++ /*
++ * The kernel assumes that TLBs don't cache invalid
++ * entries, but in RISC-V, SFENCE.VMA specifies an
++ * ordering constraint, not a cache flush; it is
++ * necessary even after writing invalid entries.
++ * Relying on flush_tlb_fix_spurious_fault would
++ * suffice, but the extra traps reduce
++ * performance. So, eagerly SFENCE.VMA.
++ */
++ local_flush_tlb_page(addr);
++
+ return;
+ }
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-096-powerpc-bpf-use-unsigned-division-instruction-.patch b/patches.kernel.org/5.1.15-096-powerpc-bpf-use-unsigned-division-instruction-.patch
new file mode 100644
index 0000000000..4d76274a62
--- /dev/null
+++ b/patches.kernel.org/5.1.15-096-powerpc-bpf-use-unsigned-division-instruction-.patch
@@ -0,0 +1,91 @@
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Thu, 13 Jun 2019 00:21:40 +0530
+Subject: [PATCH] powerpc/bpf: use unsigned division instruction for 64-bit
+ operations
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 758f2046ea040773ae8ea7f72dd3bbd8fa984501
+
+commit 758f2046ea040773ae8ea7f72dd3bbd8fa984501 upstream.
+
+BPF_ALU64 div/mod operations are currently using signed division, unlike
+BPF_ALU32 operations. Fix the same. DIV64 and MOD64 overflow tests pass
+with this fix.
+
+Fixes: 156d0e290e969c ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF")
+Cc: stable@vger.kernel.org # v4.8+
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/powerpc/include/asm/ppc-opcode.h | 1 +
+ arch/powerpc/net/bpf_jit.h | 2 +-
+ arch/powerpc/net/bpf_jit_comp64.c | 8 ++++----
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/ppc-opcode.h b/arch/powerpc/include/asm/ppc-opcode.h
+index 23f7ed796f38..49d65cd08ee0 100644
+--- a/arch/powerpc/include/asm/ppc-opcode.h
++++ b/arch/powerpc/include/asm/ppc-opcode.h
+@@ -342,6 +342,7 @@
+ #define PPC_INST_MADDLD 0x10000033
+ #define PPC_INST_DIVWU 0x7c000396
+ #define PPC_INST_DIVD 0x7c0003d2
++#define PPC_INST_DIVDU 0x7c000392
+ #define PPC_INST_RLWINM 0x54000000
+ #define PPC_INST_RLWINM_DOT 0x54000001
+ #define PPC_INST_RLWIMI 0x50000000
+diff --git a/arch/powerpc/net/bpf_jit.h b/arch/powerpc/net/bpf_jit.h
+index dcac37745b05..1e932898d430 100644
+--- a/arch/powerpc/net/bpf_jit.h
++++ b/arch/powerpc/net/bpf_jit.h
+@@ -116,7 +116,7 @@
+ ___PPC_RA(a) | IMM_L(i))
+ #define PPC_DIVWU(d, a, b) EMIT(PPC_INST_DIVWU | ___PPC_RT(d) | \
+ ___PPC_RA(a) | ___PPC_RB(b))
+-#define PPC_DIVD(d, a, b) EMIT(PPC_INST_DIVD | ___PPC_RT(d) | \
++#define PPC_DIVDU(d, a, b) EMIT(PPC_INST_DIVDU | ___PPC_RT(d) | \
+ ___PPC_RA(a) | ___PPC_RB(b))
+ #define PPC_AND(d, a, b) EMIT(PPC_INST_AND | ___PPC_RA(d) | \
+ ___PPC_RS(a) | ___PPC_RB(b))
+diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c
+index 21a1dcd4b156..e3fedeffe40f 100644
+--- a/arch/powerpc/net/bpf_jit_comp64.c
++++ b/arch/powerpc/net/bpf_jit_comp64.c
+@@ -399,12 +399,12 @@ static int bpf_jit_build_body(struct bpf_prog *fp, u32 *image,
+ case BPF_ALU64 | BPF_DIV | BPF_X: /* dst /= src */
+ case BPF_ALU64 | BPF_MOD | BPF_X: /* dst %= src */
+ if (BPF_OP(code) == BPF_MOD) {
+- PPC_DIVD(b2p[TMP_REG_1], dst_reg, src_reg);
++ PPC_DIVDU(b2p[TMP_REG_1], dst_reg, src_reg);
+ PPC_MULD(b2p[TMP_REG_1], src_reg,
+ b2p[TMP_REG_1]);
+ PPC_SUB(dst_reg, dst_reg, b2p[TMP_REG_1]);
+ } else
+- PPC_DIVD(dst_reg, dst_reg, src_reg);
++ PPC_DIVDU(dst_reg, dst_reg, src_reg);
+ break;
+ case BPF_ALU | BPF_MOD | BPF_K: /* (u32) dst %= (u32) imm */
+ case BPF_ALU | BPF_DIV | BPF_K: /* (u32) dst /= (u32) imm */
+@@ -432,7 +432,7 @@ static int bpf_jit_build_body(struct bpf_prog *fp, u32 *image,
+ break;
+ case BPF_ALU64:
+ if (BPF_OP(code) == BPF_MOD) {
+- PPC_DIVD(b2p[TMP_REG_2], dst_reg,
++ PPC_DIVDU(b2p[TMP_REG_2], dst_reg,
+ b2p[TMP_REG_1]);
+ PPC_MULD(b2p[TMP_REG_1],
+ b2p[TMP_REG_1],
+@@ -440,7 +440,7 @@ static int bpf_jit_build_body(struct bpf_prog *fp, u32 *image,
+ PPC_SUB(dst_reg, dst_reg,
+ b2p[TMP_REG_1]);
+ } else
+- PPC_DIVD(dst_reg, dst_reg,
++ PPC_DIVDU(dst_reg, dst_reg,
+ b2p[TMP_REG_1]);
+ break;
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-097-ARM-imx-cpuidle-imx6sx-Restrict-the-SW2ISO-inc.patch b/patches.kernel.org/5.1.15-097-ARM-imx-cpuidle-imx6sx-Restrict-the-SW2ISO-inc.patch
new file mode 100644
index 0000000000..eca75c90eb
--- /dev/null
+++ b/patches.kernel.org/5.1.15-097-ARM-imx-cpuidle-imx6sx-Restrict-the-SW2ISO-inc.patch
@@ -0,0 +1,61 @@
+From: Fabio Estevam <festevam@gmail.com>
+Date: Mon, 13 May 2019 00:15:31 -0300
+Subject: [PATCH] ARM: imx: cpuidle-imx6sx: Restrict the SW2ISO increase to
+ i.MX6SX
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: b25af2ff7c07bd19af74e3f64ff82e2880d13d81
+
+commit b25af2ff7c07bd19af74e3f64ff82e2880d13d81 upstream.
+
+Since commit 1e434b703248 ("ARM: imx: update the cpu power up timing
+setting on i.mx6sx") some characters loss is noticed on i.MX6ULL UART
+as reported by Christoph Niedermaier.
+
+The intention of such commit was to increase the SW2ISO field for i.MX6SX
+only, but since cpuidle-imx6sx is also used on i.MX6UL/i.MX6ULL this caused
+unintended side effects on other SoCs.
+
+Fix this problem by keeping the original SW2ISO value for i.MX6UL/i.MX6ULL
+and only increase SW2ISO in the i.MX6SX case.
+
+Cc: stable@vger.kernel.org
+Fixes: 1e434b703248 ("ARM: imx: update the cpu power up timing setting on i.mx6sx")
+Reported-by: Christoph Niedermaier <cniedermaier@dh-electronics.com>
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Tested-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
+Tested-by: Christoph Niedermaier <cniedermaier@dh-electronics.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/mach-imx/cpuidle-imx6sx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-imx/cpuidle-imx6sx.c b/arch/arm/mach-imx/cpuidle-imx6sx.c
+index fd0053e47a15..3708a71f30e6 100644
+--- a/arch/arm/mach-imx/cpuidle-imx6sx.c
++++ b/arch/arm/mach-imx/cpuidle-imx6sx.c
+@@ -15,6 +15,7 @@
+
+ #include "common.h"
+ #include "cpuidle.h"
++#include "hardware.h"
+
+ static int imx6sx_idle_finish(unsigned long val)
+ {
+@@ -110,7 +111,7 @@ int __init imx6sx_cpuidle_init(void)
+ * except for power up sw2iso which need to be
+ * larger than LDO ramp up time.
+ */
+- imx_gpc_set_arm_power_up_timing(0xf, 1);
++ imx_gpc_set_arm_power_up_timing(cpu_is_imx6sx() ? 0xf : 0x2, 1);
+ imx_gpc_set_arm_power_down_timing(1, 1);
+
+ return cpuidle_register(&imx6sx_cpuidle_driver, NULL);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-098-ARM-mvebu_v7_defconfig-fix-Ethernet-on-Clearfo.patch b/patches.kernel.org/5.1.15-098-ARM-mvebu_v7_defconfig-fix-Ethernet-on-Clearfo.patch
new file mode 100644
index 0000000000..5a3bd78c93
--- /dev/null
+++ b/patches.kernel.org/5.1.15-098-ARM-mvebu_v7_defconfig-fix-Ethernet-on-Clearfo.patch
@@ -0,0 +1,50 @@
+From: =?UTF-8?q?Jan=20Kundr=C3=A1t?= <jan.kundrat@cesnet.cz>
+Date: Fri, 17 May 2019 17:01:42 +0200
+Subject: [PATCH] ARM: mvebu_v7_defconfig: fix Ethernet on Clearfog
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: cc538ca4308372e81b824be08561c466b1d73b72
+
+commit cc538ca4308372e81b824be08561c466b1d73b72 upstream.
+
+Compared to kernel 5.0, patches merged for 5.1 added support for A38x'
+PHY guarded by a config option which was not enabled by default. As a
+result, there was no eth1 and eth2 on a Solid Run Clearfog Base.
+
+Ensure that A38x PHY is enabled on mvebu.
+
+[gregory: issue appeared in 5.1 not in 5.2 and added Fixes tag]
+
+Signed-off-by: Jan Kundrát <jan.kundrat@cesnet.cz>
+Cc: Baruch Siach <baruch@tkos.co.il>
+Cc: Gregory CLEMENT <gregory.clement@bootlin.com>
+Cc: Russell King <rmk+kernel@armlinux.org.uk>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Fixes: a10c1c8191e0 ("net: marvell: neta: add comphy support")
+Cc: stable@kernel.org
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/configs/mvebu_v7_defconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/configs/mvebu_v7_defconfig b/arch/arm/configs/mvebu_v7_defconfig
+index 55140219ab11..001460ee519e 100644
+--- a/arch/arm/configs/mvebu_v7_defconfig
++++ b/arch/arm/configs/mvebu_v7_defconfig
+@@ -131,6 +131,7 @@ CONFIG_MV_XOR=y
+ # CONFIG_IOMMU_SUPPORT is not set
+ CONFIG_MEMORY=y
+ CONFIG_PWM=y
++CONFIG_PHY_MVEBU_A38X_COMPHY=y
+ CONFIG_EXT4_FS=y
+ CONFIG_ISO9660_FS=y
+ CONFIG_JOLIET=y
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-099-ARM-dts-dra76x-Update-MMC2_HS200_MANUAL1-iodel.patch b/patches.kernel.org/5.1.15-099-ARM-dts-dra76x-Update-MMC2_HS200_MANUAL1-iodel.patch
new file mode 100644
index 0000000000..d5e2852934
--- /dev/null
+++ b/patches.kernel.org/5.1.15-099-ARM-dts-dra76x-Update-MMC2_HS200_MANUAL1-iodel.patch
@@ -0,0 +1,89 @@
+From: Faiz Abbas <faiz_abbas@ti.com>
+Date: Tue, 30 Apr 2019 11:38:56 +0530
+Subject: [PATCH] ARM: dts: dra76x: Update MMC2_HS200_MANUAL1 iodelay values
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: c3c0b70cd3f801bded7a548198ee1c9851a0ca82
+
+commit c3c0b70cd3f801bded7a548198ee1c9851a0ca82 upstream.
+
+Update the MMC2_HS200_MANUAL1 iodelay values to match with the latest
+dra76x data manual[1]. The new iodelay values will have better marginality
+and should prevent issues in corner cases.
+
+Also this particular pinctrl-array is using spaces instead of tabs for
+spacing between the values and the comments. Fix this as well.
+
+[1] http://www.ti.com/lit/ds/symlink/dra76p.pdf
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Faiz Abbas <faiz_abbas@ti.com>
+[tony@atomide.com: updated description with a bit more info]
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/boot/dts/dra76x-mmc-iodelay.dtsi | 40 +++++++++++------------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/arch/arm/boot/dts/dra76x-mmc-iodelay.dtsi b/arch/arm/boot/dts/dra76x-mmc-iodelay.dtsi
+index baba7b00eca7..fdca48186916 100644
+--- a/arch/arm/boot/dts/dra76x-mmc-iodelay.dtsi
++++ b/arch/arm/boot/dts/dra76x-mmc-iodelay.dtsi
+@@ -22,7 +22,7 @@
+ *
+ * Datamanual Revisions:
+ *
+- * DRA76x Silicon Revision 1.0: SPRS993A, Revised July 2017
++ * DRA76x Silicon Revision 1.0: SPRS993E, Revised December 2018
+ *
+ */
+
+@@ -169,25 +169,25 @@
+ /* Corresponds to MMC2_HS200_MANUAL1 in datamanual */
+ mmc2_iodelay_hs200_conf: mmc2_iodelay_hs200_conf {
+ pinctrl-pin-array = <
+- 0x190 A_DELAY_PS(384) G_DELAY_PS(0) /* CFG_GPMC_A19_OEN */
+- 0x194 A_DELAY_PS(0) G_DELAY_PS(174) /* CFG_GPMC_A19_OUT */
+- 0x1a8 A_DELAY_PS(410) G_DELAY_PS(0) /* CFG_GPMC_A20_OEN */
+- 0x1ac A_DELAY_PS(85) G_DELAY_PS(0) /* CFG_GPMC_A20_OUT */
+- 0x1b4 A_DELAY_PS(468) G_DELAY_PS(0) /* CFG_GPMC_A21_OEN */
+- 0x1b8 A_DELAY_PS(139) G_DELAY_PS(0) /* CFG_GPMC_A21_OUT */
+- 0x1c0 A_DELAY_PS(676) G_DELAY_PS(0) /* CFG_GPMC_A22_OEN */
+- 0x1c4 A_DELAY_PS(69) G_DELAY_PS(0) /* CFG_GPMC_A22_OUT */
+- 0x1d0 A_DELAY_PS(1062) G_DELAY_PS(154) /* CFG_GPMC_A23_OUT */
+- 0x1d8 A_DELAY_PS(640) G_DELAY_PS(0) /* CFG_GPMC_A24_OEN */
+- 0x1dc A_DELAY_PS(0) G_DELAY_PS(0) /* CFG_GPMC_A24_OUT */
+- 0x1e4 A_DELAY_PS(356) G_DELAY_PS(0) /* CFG_GPMC_A25_OEN */
+- 0x1e8 A_DELAY_PS(0) G_DELAY_PS(0) /* CFG_GPMC_A25_OUT */
+- 0x1f0 A_DELAY_PS(579) G_DELAY_PS(0) /* CFG_GPMC_A26_OEN */
+- 0x1f4 A_DELAY_PS(0) G_DELAY_PS(0) /* CFG_GPMC_A26_OUT */
+- 0x1fc A_DELAY_PS(435) G_DELAY_PS(0) /* CFG_GPMC_A27_OEN */
+- 0x200 A_DELAY_PS(36) G_DELAY_PS(0) /* CFG_GPMC_A27_OUT */
+- 0x364 A_DELAY_PS(759) G_DELAY_PS(0) /* CFG_GPMC_CS1_OEN */
+- 0x368 A_DELAY_PS(72) G_DELAY_PS(0) /* CFG_GPMC_CS1_OUT */
++ 0x190 A_DELAY_PS(384) G_DELAY_PS(0) /* CFG_GPMC_A19_OEN */
++ 0x194 A_DELAY_PS(350) G_DELAY_PS(174) /* CFG_GPMC_A19_OUT */
++ 0x1a8 A_DELAY_PS(410) G_DELAY_PS(0) /* CFG_GPMC_A20_OEN */
++ 0x1ac A_DELAY_PS(335) G_DELAY_PS(0) /* CFG_GPMC_A20_OUT */
++ 0x1b4 A_DELAY_PS(468) G_DELAY_PS(0) /* CFG_GPMC_A21_OEN */
++ 0x1b8 A_DELAY_PS(339) G_DELAY_PS(0) /* CFG_GPMC_A21_OUT */
++ 0x1c0 A_DELAY_PS(676) G_DELAY_PS(0) /* CFG_GPMC_A22_OEN */
++ 0x1c4 A_DELAY_PS(219) G_DELAY_PS(0) /* CFG_GPMC_A22_OUT */
++ 0x1d0 A_DELAY_PS(1062) G_DELAY_PS(154) /* CFG_GPMC_A23_OUT */
++ 0x1d8 A_DELAY_PS(640) G_DELAY_PS(0) /* CFG_GPMC_A24_OEN */
++ 0x1dc A_DELAY_PS(150) G_DELAY_PS(0) /* CFG_GPMC_A24_OUT */
++ 0x1e4 A_DELAY_PS(356) G_DELAY_PS(0) /* CFG_GPMC_A25_OEN */
++ 0x1e8 A_DELAY_PS(150) G_DELAY_PS(0) /* CFG_GPMC_A25_OUT */
++ 0x1f0 A_DELAY_PS(579) G_DELAY_PS(0) /* CFG_GPMC_A26_OEN */
++ 0x1f4 A_DELAY_PS(200) G_DELAY_PS(0) /* CFG_GPMC_A26_OUT */
++ 0x1fc A_DELAY_PS(435) G_DELAY_PS(0) /* CFG_GPMC_A27_OEN */
++ 0x200 A_DELAY_PS(236) G_DELAY_PS(0) /* CFG_GPMC_A27_OUT */
++ 0x364 A_DELAY_PS(759) G_DELAY_PS(0) /* CFG_GPMC_CS1_OEN */
++ 0x368 A_DELAY_PS(372) G_DELAY_PS(0) /* CFG_GPMC_CS1_OUT */
+ >;
+ };
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-100-ARM-dts-am57xx-idk-Remove-support-for-voltage-.patch b/patches.kernel.org/5.1.15-100-ARM-dts-am57xx-idk-Remove-support-for-voltage-.patch
new file mode 100644
index 0000000000..68790cb55d
--- /dev/null
+++ b/patches.kernel.org/5.1.15-100-ARM-dts-am57xx-idk-Remove-support-for-voltage-.patch
@@ -0,0 +1,47 @@
+From: Faiz Abbas <faiz_abbas@ti.com>
+Date: Thu, 2 May 2019 14:17:48 +0530
+Subject: [PATCH] ARM: dts: am57xx-idk: Remove support for voltage switching
+ for SD card
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 88a748419b84187fd1da05637b8e5928b04a1e06
+
+commit 88a748419b84187fd1da05637b8e5928b04a1e06 upstream.
+
+If UHS speed modes are enabled, a compatible SD card switches down to
+1.8V during enumeration. If after this a software reboot/crash takes
+place and on-chip ROM tries to enumerate the SD card, the difference in
+IO voltages (host @ 3.3V and card @ 1.8V) may end up damaging the card.
+
+The fix for this is to have support for power cycling the card in
+hardware (with a PORz/soft-reset line causing a power cycle of the
+card). Since am571x-, am572x- and am574x-idk don't have this
+capability, disable voltage switching for these boards.
+
+The major effect of this is that the maximum supported speed
+mode is now high speed(50 MHz) down from SDR104(200 MHz).
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Faiz Abbas <faiz_abbas@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm/boot/dts/am57xx-idk-common.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/am57xx-idk-common.dtsi b/arch/arm/boot/dts/am57xx-idk-common.dtsi
+index f7bd26458915..42e433da79ec 100644
+--- a/arch/arm/boot/dts/am57xx-idk-common.dtsi
++++ b/arch/arm/boot/dts/am57xx-idk-common.dtsi
+@@ -420,6 +420,7 @@
+ vqmmc-supply = <&ldo1_reg>;
+ bus-width = <4>;
+ cd-gpios = <&gpio6 27 GPIO_ACTIVE_LOW>; /* gpio 219 */
++ no-1-8-v;
+ };
+
+ &mmc2 {
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-101-arm64-sve-uapi-asm-ptrace.h-should-not-depend-.patch b/patches.kernel.org/5.1.15-101-arm64-sve-uapi-asm-ptrace.h-should-not-depend-.patch
new file mode 100644
index 0000000000..901e4ba72c
--- /dev/null
+++ b/patches.kernel.org/5.1.15-101-arm64-sve-uapi-asm-ptrace.h-should-not-depend-.patch
@@ -0,0 +1,66 @@
+From: Anisse Astier <aastier@freebox.fr>
+Date: Mon, 17 Jun 2019 15:22:22 +0200
+Subject: [PATCH] arm64/sve: <uapi/asm/ptrace.h> should not depend on
+ <uapi/linux/prctl.h>
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 35341ca0614ab13e1ef34ad4f29a39e15ef31fa8
+
+commit 35341ca0614ab13e1ef34ad4f29a39e15ef31fa8 upstream.
+
+Pulling linux/prctl.h into asm/ptrace.h in the arm64 UAPI headers causes
+userspace build issues for any program (e.g. strace and qemu) that
+includes both <sys/prctl.h> and <linux/ptrace.h> when using musl libc:
+
+ | error: redefinition of 'struct prctl_mm_map'
+ | struct prctl_mm_map {
+
+See https://github.com/foundriesio/meta-lmp/commit/6d4a106e191b5d79c41b9ac78fd321316d3013c0
+for a public example of people working around this issue.
+
+Although it's a bit grotty, fix this breakage by duplicating the prctl
+constant definitions. Since these are part of the kernel ABI, they
+cannot be changed in future and so it's not the end of the world to have
+them open-coded.
+
+Fixes: 43d4da2c45b2 ("arm64/sve: ptrace and ELF coredump support")
+Cc: stable@vger.kernel.org
+Acked-by: Dave Martin <Dave.Martin@arm.com>
+Signed-off-by: Anisse Astier <aastier@freebox.fr>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm64/include/uapi/asm/ptrace.h | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/include/uapi/asm/ptrace.h b/arch/arm64/include/uapi/asm/ptrace.h
+index d78623acb649..438759e7e8a7 100644
+--- a/arch/arm64/include/uapi/asm/ptrace.h
++++ b/arch/arm64/include/uapi/asm/ptrace.h
+@@ -65,8 +65,6 @@
+
+ #ifndef __ASSEMBLY__
+
+-#include <linux/prctl.h>
+-
+ /*
+ * User structures for general purpose, floating point and debug registers.
+ */
+@@ -113,10 +111,10 @@ struct user_sve_header {
+
+ /*
+ * Common SVE_PT_* flags:
+- * These must be kept in sync with prctl interface in <linux/ptrace.h>
++ * These must be kept in sync with prctl interface in <linux/prctl.h>
+ */
+-#define SVE_PT_VL_INHERIT (PR_SVE_VL_INHERIT >> 16)
+-#define SVE_PT_VL_ONEXEC (PR_SVE_SET_VL_ONEXEC >> 16)
++#define SVE_PT_VL_INHERIT ((1 << 17) /* PR_SVE_VL_INHERIT */ >> 16)
++#define SVE_PT_VL_ONEXEC ((1 << 18) /* PR_SVE_SET_VL_ONEXEC */ >> 16)
+
+
+ /*
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-102-arm64-ssbd-explicitly-depend-on-linux-prctl.h.patch b/patches.kernel.org/5.1.15-102-arm64-ssbd-explicitly-depend-on-linux-prctl.h.patch
new file mode 100644
index 0000000000..fede9cc006
--- /dev/null
+++ b/patches.kernel.org/5.1.15-102-arm64-ssbd-explicitly-depend-on-linux-prctl.h.patch
@@ -0,0 +1,42 @@
+From: Anisse Astier <aastier@freebox.fr>
+Date: Mon, 17 Jun 2019 15:22:21 +0200
+Subject: [PATCH] arm64: ssbd: explicitly depend on <linux/prctl.h>
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: adeaa21a4b6954e878f3f7d1c5659ed9c1fe567a
+
+commit adeaa21a4b6954e878f3f7d1c5659ed9c1fe567a upstream.
+
+Fix ssbd.c which depends implicitly on asm/ptrace.h including
+linux/prctl.h (through for example linux/compat.h, then linux/time.h,
+linux/seqlock.h, linux/spinlock.h and linux/irqflags.h), and uses
+PR_SPEC* defines.
+
+This is an issue since we'll soon be removing the include from
+asm/ptrace.h.
+
+Fixes: 9cdc0108baa8 ("arm64: ssbd: Add prctl interface for per-thread mitigation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Anisse Astier <aastier@freebox.fr>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/arm64/kernel/ssbd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/kernel/ssbd.c b/arch/arm64/kernel/ssbd.c
+index 885f13e58708..52cfc6148355 100644
+--- a/arch/arm64/kernel/ssbd.c
++++ b/arch/arm64/kernel/ssbd.c
+@@ -5,6 +5,7 @@
+
+ #include <linux/compat.h>
+ #include <linux/errno.h>
++#include <linux/prctl.h>
+ #include <linux/sched.h>
+ #include <linux/sched/task_stack.h>
+ #include <linux/thread_info.h>
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-103-KVM-x86-mmu-Allocate-PAE-root-array-when-using.patch b/patches.kernel.org/5.1.15-103-KVM-x86-mmu-Allocate-PAE-root-array-when-using.patch
new file mode 100644
index 0000000000..4a37d6e4f8
--- /dev/null
+++ b/patches.kernel.org/5.1.15-103-KVM-x86-mmu-Allocate-PAE-root-array-when-using.patch
@@ -0,0 +1,57 @@
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Thu, 13 Jun 2019 10:22:23 -0700
+Subject: [PATCH] KVM: x86/mmu: Allocate PAE root array when using SVM's 32-bit
+ NPT
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: b6b80c78af838bef17501416d5d383fedab0010a
+
+commit b6b80c78af838bef17501416d5d383fedab0010a upstream.
+
+SVM's Nested Page Tables (NPT) reuses x86 paging for the host-controlled
+page walk. For 32-bit KVM, this means PAE paging is used even when TDP
+is enabled, i.e. the PAE root array needs to be allocated.
+
+Fixes: ee6268ba3a68 ("KVM: x86: Skip pae_root shadow allocation if tdp enabled")
+Cc: stable@vger.kernel.org
+Reported-by: Jiri Palecek <jpalecek@web.de>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/kvm/mmu.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
+index d9c7b45d231f..85438a624930 100644
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -5591,14 +5591,18 @@ static int alloc_mmu_pages(struct kvm_vcpu *vcpu)
+ struct page *page;
+ int i;
+
+- if (tdp_enabled)
+- return 0;
+-
+ /*
+- * When emulating 32-bit mode, cr3 is only 32 bits even on x86_64.
+- * Therefore we need to allocate shadow page tables in the first
+- * 4GB of memory, which happens to fit the DMA32 zone.
++ * When using PAE paging, the four PDPTEs are treated as 'root' pages,
++ * while the PDP table is a per-vCPU construct that's allocated at MMU
++ * creation. When emulating 32-bit mode, cr3 is only 32 bits even on
++ * x86_64. Therefore we need to allocate the PDP table in the first
++ * 4GB of memory, which happens to fit the DMA32 zone. Except for
++ * SVM's 32-bit NPT support, TDP paging doesn't use PAE paging and can
++ * skip allocating the PDP table.
+ */
++ if (tdp_enabled && kvm_x86_ops->get_tdp_level(vcpu) > PT32E_ROOT_LEVEL)
++ return 0;
++
+ page = alloc_page(GFP_KERNEL_ACCOUNT | __GFP_DMA32);
+ if (!page)
+ return -ENOMEM;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-104-ovl-make-i_ino-consistent-with-st_ino-in-more-.patch b/patches.kernel.org/5.1.15-104-ovl-make-i_ino-consistent-with-st_ino-in-more-.patch
new file mode 100644
index 0000000000..b572be278c
--- /dev/null
+++ b/patches.kernel.org/5.1.15-104-ovl-make-i_ino-consistent-with-st_ino-in-more-.patch
@@ -0,0 +1,56 @@
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Sun, 9 Jun 2019 19:03:44 +0300
+Subject: [PATCH] ovl: make i_ino consistent with st_ino in more cases
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 6dde1e42f497b2d4e22466f23019016775607947
+
+commit 6dde1e42f497b2d4e22466f23019016775607947 upstream.
+
+Relax the condition that overlayfs supports nfs export, to require
+that i_ino is consistent with st_ino/d_ino.
+
+It is enough to require that st_ino and d_ino are consistent.
+
+This fixes the failure of xfstest generic/504, due to mismatch of
+st_ino to inode number in the output of /proc/locks.
+
+Fixes: 12574a9f4c9c ("ovl: consistent i_ino for non-samefs with xino")
+Cc: <stable@vger.kernel.org> # v4.19
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/overlayfs/inode.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
+index f7eba21effa5..f0389849fd80 100644
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -553,15 +553,15 @@ static void ovl_fill_inode(struct inode *inode, umode_t mode, dev_t rdev,
+ int xinobits = ovl_xino_bits(inode->i_sb);
+
+ /*
+- * When NFS export is enabled and d_ino is consistent with st_ino
+- * (samefs or i_ino has enough bits to encode layer), set the same
+- * value used for d_ino to i_ino, because nfsd readdirplus compares
+- * d_ino values to i_ino values of child entries. When called from
++ * When d_ino is consistent with st_ino (samefs or i_ino has enough
++ * bits to encode layer), set the same value used for st_ino to i_ino,
++ * so inode number exposed via /proc/locks and a like will be
++ * consistent with d_ino and st_ino values. An i_ino value inconsistent
++ * with d_ino also causes nfsd readdirplus to fail. When called from
+ * ovl_new_inode(), ino arg is 0, so i_ino will be updated to real
+ * upper inode i_ino on ovl_inode_init() or ovl_inode_update().
+ */
+- if (inode->i_sb->s_export_op &&
+- (ovl_same_sb(inode->i_sb) || xinobits)) {
++ if (ovl_same_sb(inode->i_sb) || xinobits) {
+ inode->i_ino = ino;
+ if (xinobits && fsid && !(ino >> (64 - xinobits)))
+ inode->i_ino |= (unsigned long)fsid << (64 - xinobits);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-105-drm-vmwgfx-Use-the-backdoor-port-if-the-HB-por.patch b/patches.kernel.org/5.1.15-105-drm-vmwgfx-Use-the-backdoor-port-if-the-HB-por.patch
new file mode 100644
index 0000000000..57e4072663
--- /dev/null
+++ b/patches.kernel.org/5.1.15-105-drm-vmwgfx-Use-the-backdoor-port-if-the-HB-por.patch
@@ -0,0 +1,227 @@
+From: Thomas Hellstrom <thellstrom@vmware.com>
+Date: Wed, 29 May 2019 08:15:19 +0200
+Subject: [PATCH] drm/vmwgfx: Use the backdoor port if the HB port is not
+ available
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: cc0ba0d8624f210995924bb57a8b181ce8976606
+
+commit cc0ba0d8624f210995924bb57a8b181ce8976606 upstream.
+
+The HB port may not be available for various reasons. Either it has been
+disabled by a config option or by the hypervisor for other reasons.
+In that case, make sure we have a backup plan and use the backdoor port
+instead with a performance penalty.
+
+Cc: stable@vger.kernel.org
+Fixes: 89da76fde68d ("drm/vmwgfx: Add VMWare host messaging capability")
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Reviewed-by: Deepak Rawat <drawat@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_msg.c | 146 ++++++++++++++++++++++------
+ 1 file changed, 117 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
+index 8b9270f31409..e4e09d47c5c0 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
+@@ -136,6 +136,114 @@ static int vmw_close_channel(struct rpc_channel *channel)
+ return 0;
+ }
+
++/**
++ * vmw_port_hb_out - Send the message payload either through the
++ * high-bandwidth port if available, or through the backdoor otherwise.
++ * @channel: The rpc channel.
++ * @msg: NULL-terminated message.
++ * @hb: Whether the high-bandwidth port is available.
++ *
++ * Return: The port status.
++ */
++static unsigned long vmw_port_hb_out(struct rpc_channel *channel,
++ const char *msg, bool hb)
++{
++ unsigned long si, di, eax, ebx, ecx, edx;
++ unsigned long msg_len = strlen(msg);
++
++ if (hb) {
++ unsigned long bp = channel->cookie_high;
++
++ si = (uintptr_t) msg;
++ di = channel->cookie_low;
++
++ VMW_PORT_HB_OUT(
++ (MESSAGE_STATUS_SUCCESS << 16) | VMW_PORT_CMD_HB_MSG,
++ msg_len, si, di,
++ VMW_HYPERVISOR_HB_PORT | (channel->channel_id << 16),
++ VMW_HYPERVISOR_MAGIC, bp,
++ eax, ebx, ecx, edx, si, di);
++
++ return ebx;
++ }
++
++ /* HB port not available. Send the message 4 bytes at a time. */
++ ecx = MESSAGE_STATUS_SUCCESS << 16;
++ while (msg_len && (HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS)) {
++ unsigned int bytes = min_t(size_t, msg_len, 4);
++ unsigned long word = 0;
++
++ memcpy(&word, msg, bytes);
++ msg_len -= bytes;
++ msg += bytes;
++ si = channel->cookie_high;
++ di = channel->cookie_low;
++
++ VMW_PORT(VMW_PORT_CMD_MSG | (MSG_TYPE_SENDPAYLOAD << 16),
++ word, si, di,
++ VMW_HYPERVISOR_PORT | (channel->channel_id << 16),
++ VMW_HYPERVISOR_MAGIC,
++ eax, ebx, ecx, edx, si, di);
++ }
++
++ return ecx;
++}
++
++/**
++ * vmw_port_hb_in - Receive the message payload either through the
++ * high-bandwidth port if available, or through the backdoor otherwise.
++ * @channel: The rpc channel.
++ * @reply: Pointer to buffer holding reply.
++ * @reply_len: Length of the reply.
++ * @hb: Whether the high-bandwidth port is available.
++ *
++ * Return: The port status.
++ */
++static unsigned long vmw_port_hb_in(struct rpc_channel *channel, char *reply,
++ unsigned long reply_len, bool hb)
++{
++ unsigned long si, di, eax, ebx, ecx, edx;
++
++ if (hb) {
++ unsigned long bp = channel->cookie_low;
++
++ si = channel->cookie_high;
++ di = (uintptr_t) reply;
++
++ VMW_PORT_HB_IN(
++ (MESSAGE_STATUS_SUCCESS << 16) | VMW_PORT_CMD_HB_MSG,
++ reply_len, si, di,
++ VMW_HYPERVISOR_HB_PORT | (channel->channel_id << 16),
++ VMW_HYPERVISOR_MAGIC, bp,
++ eax, ebx, ecx, edx, si, di);
++
++ return ebx;
++ }
++
++ /* HB port not available. Retrieve the message 4 bytes at a time. */
++ ecx = MESSAGE_STATUS_SUCCESS << 16;
++ while (reply_len) {
++ unsigned int bytes = min_t(unsigned long, reply_len, 4);
++
++ si = channel->cookie_high;
++ di = channel->cookie_low;
++
++ VMW_PORT(VMW_PORT_CMD_MSG | (MSG_TYPE_RECVPAYLOAD << 16),
++ MESSAGE_STATUS_SUCCESS, si, di,
++ VMW_HYPERVISOR_PORT | (channel->channel_id << 16),
++ VMW_HYPERVISOR_MAGIC,
++ eax, ebx, ecx, edx, si, di);
++
++ if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0)
++ break;
++
++ memcpy(reply, &ebx, bytes);
++ reply_len -= bytes;
++ reply += bytes;
++ }
++
++ return ecx;
++}
+
+
+ /**
+@@ -148,11 +256,10 @@ static int vmw_close_channel(struct rpc_channel *channel)
+ */
+ static int vmw_send_msg(struct rpc_channel *channel, const char *msg)
+ {
+- unsigned long eax, ebx, ecx, edx, si, di, bp;
++ unsigned long eax, ebx, ecx, edx, si, di;
+ size_t msg_len = strlen(msg);
+ int retries = 0;
+
+-
+ while (retries < RETRIES) {
+ retries++;
+
+@@ -166,23 +273,14 @@ static int vmw_send_msg(struct rpc_channel *channel, const char *msg)
+ VMW_HYPERVISOR_MAGIC,
+ eax, ebx, ecx, edx, si, di);
+
+- if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0 ||
+- (HIGH_WORD(ecx) & MESSAGE_STATUS_HB) == 0) {
+- /* Expected success + high-bandwidth. Give up. */
++ if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0) {
++ /* Expected success. Give up. */
+ return -EINVAL;
+ }
+
+ /* Send msg */
+- si = (uintptr_t) msg;
+- di = channel->cookie_low;
+- bp = channel->cookie_high;
+-
+- VMW_PORT_HB_OUT(
+- (MESSAGE_STATUS_SUCCESS << 16) | VMW_PORT_CMD_HB_MSG,
+- msg_len, si, di,
+- VMW_HYPERVISOR_HB_PORT | (channel->channel_id << 16),
+- VMW_HYPERVISOR_MAGIC, bp,
+- eax, ebx, ecx, edx, si, di);
++ ebx = vmw_port_hb_out(channel, msg,
++ !!(HIGH_WORD(ecx) & MESSAGE_STATUS_HB));
+
+ if ((HIGH_WORD(ebx) & MESSAGE_STATUS_SUCCESS) != 0) {
+ return 0;
+@@ -211,7 +309,7 @@ STACK_FRAME_NON_STANDARD(vmw_send_msg);
+ static int vmw_recv_msg(struct rpc_channel *channel, void **msg,
+ size_t *msg_len)
+ {
+- unsigned long eax, ebx, ecx, edx, si, di, bp;
++ unsigned long eax, ebx, ecx, edx, si, di;
+ char *reply;
+ size_t reply_len;
+ int retries = 0;
+@@ -233,8 +331,7 @@ static int vmw_recv_msg(struct rpc_channel *channel, void **msg,
+ VMW_HYPERVISOR_MAGIC,
+ eax, ebx, ecx, edx, si, di);
+
+- if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0 ||
+- (HIGH_WORD(ecx) & MESSAGE_STATUS_HB) == 0) {
++ if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0) {
+ DRM_ERROR("Failed to get reply size for host message.\n");
+ return -EINVAL;
+ }
+@@ -252,17 +349,8 @@ static int vmw_recv_msg(struct rpc_channel *channel, void **msg,
+
+
+ /* Receive buffer */
+- si = channel->cookie_high;
+- di = (uintptr_t) reply;
+- bp = channel->cookie_low;
+-
+- VMW_PORT_HB_IN(
+- (MESSAGE_STATUS_SUCCESS << 16) | VMW_PORT_CMD_HB_MSG,
+- reply_len, si, di,
+- VMW_HYPERVISOR_HB_PORT | (channel->channel_id << 16),
+- VMW_HYPERVISOR_MAGIC, bp,
+- eax, ebx, ecx, edx, si, di);
+-
++ ebx = vmw_port_hb_in(channel, reply, reply_len,
++ !!(HIGH_WORD(ecx) & MESSAGE_STATUS_HB));
+ if ((HIGH_WORD(ebx) & MESSAGE_STATUS_SUCCESS) == 0) {
+ kfree(reply);
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-106-drm-i915-Don-t-clobber-M-N-values-during-fasts.patch b/patches.kernel.org/5.1.15-106-drm-i915-Don-t-clobber-M-N-values-during-fasts.patch
new file mode 100644
index 0000000000..716033b471
--- /dev/null
+++ b/patches.kernel.org/5.1.15-106-drm-i915-Don-t-clobber-M-N-values-during-fasts.patch
@@ -0,0 +1,111 @@
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Wed, 19 Jun 2019 15:09:29 +0300
+Subject: [PATCH] drm/i915: Don't clobber M/N values during fastset check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 475df5d0f3eb2d031e4505f84d8fba75baaf2e80
+Git-commit: f0521558a2a89d58a08745e225025d338572e60a
+
+commit 475df5d0f3eb2d031e4505f84d8fba75baaf2e80 upstream.
+
+We're now calling intel_pipe_config_compare(..., true) uncoditionally
+which means we're always going clobber the calculated M/N values with
+the old values if the fuzzy M/N check passes. That causes problems
+because the fuzzy check allows for a huge difference in the values.
+
+I'm actually tempted to just make the M/N checks exact, but that might
+prevent fastboot from kicking in when people want it. So for now let's
+overwrite the computed values with the old values only if decide to skip
+the modeset.
+
+v2: Copy has_drrs along with M/N M2/N2 values
+
+Cc: stable@vger.kernel.org
+Cc: Blubberbub@protonmail.com
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Tested-by: Blubberbub@protonmail.com
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=110782
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=110675
+Fixes: d19f958db23c ("drm/i915: Enable fastset for non-boot modesets.")
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190612172423.25231-1-ville.syrjala@linux.intel.com
+Reviewed-by: Imre Deak <imre.deak@intel.com>
+(cherry picked from commit f0521558a2a89d58a08745e225025d338572e60a)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190619120929.4057-1-ville.syrjala@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/gpu/drm/i915/intel_display.c | 38 +++++++++++++++++++++-------
+ 1 file changed, 29 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
+index cd8a22d6370e..be4024f0e3a8 100644
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -11820,9 +11820,6 @@ intel_compare_link_m_n(const struct intel_link_m_n *m_n,
+ m2_n2->gmch_m, m2_n2->gmch_n, !adjust) &&
+ intel_compare_m_n(m_n->link_m, m_n->link_n,
+ m2_n2->link_m, m2_n2->link_n, !adjust)) {
+- if (adjust)
+- *m2_n2 = *m_n;
+-
+ return true;
+ }
+
+@@ -12855,6 +12852,33 @@ static int calc_watermark_data(struct intel_atomic_state *state)
+ return 0;
+ }
+
++static void intel_crtc_check_fastset(struct intel_crtc_state *old_crtc_state,
++ struct intel_crtc_state *new_crtc_state)
++{
++ struct drm_i915_private *dev_priv =
++ to_i915(new_crtc_state->base.crtc->dev);
++
++ if (!intel_pipe_config_compare(dev_priv, old_crtc_state,
++ new_crtc_state, true))
++ return;
++
++ new_crtc_state->base.mode_changed = false;
++ new_crtc_state->update_pipe = true;
++
++ /*
++ * If we're not doing the full modeset we want to
++ * keep the current M/N values as they may be
++ * sufficiently different to the computed values
++ * to cause problems.
++ *
++ * FIXME: should really copy more fuzzy state here
++ */
++ new_crtc_state->fdi_m_n = old_crtc_state->fdi_m_n;
++ new_crtc_state->dp_m_n = old_crtc_state->dp_m_n;
++ new_crtc_state->dp_m2_n2 = old_crtc_state->dp_m2_n2;
++ new_crtc_state->has_drrs = old_crtc_state->has_drrs;
++}
++
+ /**
+ * intel_atomic_check - validate state object
+ * @dev: drm device
+@@ -12903,12 +12927,8 @@ static int intel_atomic_check(struct drm_device *dev,
+ return ret;
+ }
+
+- if (intel_pipe_config_compare(dev_priv,
+- to_intel_crtc_state(old_crtc_state),
+- pipe_config, true)) {
+- crtc_state->mode_changed = false;
+- pipe_config->update_pipe = true;
+- }
++ intel_crtc_check_fastset(to_intel_crtc_state(old_crtc_state),
++ pipe_config);
+
+ if (needs_modeset(crtc_state))
+ any_ms = true;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-107-binder-fix-possible-UAF-when-freeing-buffer.patch b/patches.kernel.org/5.1.15-107-binder-fix-possible-UAF-when-freeing-buffer.patch
new file mode 100644
index 0000000000..f4a0dbf1ab
--- /dev/null
+++ b/patches.kernel.org/5.1.15-107-binder-fix-possible-UAF-when-freeing-buffer.patch
@@ -0,0 +1,65 @@
+From: Todd Kjos <tkjos@android.com>
+Date: Wed, 12 Jun 2019 13:29:27 -0700
+Subject: [PATCH] binder: fix possible UAF when freeing buffer
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: a370003cc301d4361bae20c9ef615f89bf8d1e8a
+
+commit a370003cc301d4361bae20c9ef615f89bf8d1e8a upstream.
+
+There is a race between the binder driver cleaning
+up a completed transaction via binder_free_transaction()
+and a user calling binder_ioctl(BC_FREE_BUFFER) to
+release a buffer. It doesn't matter which is first but
+they need to be protected against running concurrently
+which can result in a UAF.
+
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/android/binder.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/android/binder.c b/drivers/android/binder.c
+index 4b9c7ca492e6..cc19d91c1688 100644
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -1950,8 +1950,18 @@ static void binder_free_txn_fixups(struct binder_transaction *t)
+
+ static void binder_free_transaction(struct binder_transaction *t)
+ {
+- if (t->buffer)
+- t->buffer->transaction = NULL;
++ struct binder_proc *target_proc = t->to_proc;
++
++ if (target_proc) {
++ binder_inner_proc_lock(target_proc);
++ if (t->buffer)
++ t->buffer->transaction = NULL;
++ binder_inner_proc_unlock(target_proc);
++ }
++ /*
++ * If the transaction has no target_proc, then
++ * t->buffer->transaction has already been cleared.
++ */
+ binder_free_txn_fixups(t);
+ kfree(t);
+ binder_stats_deleted(BINDER_STAT_TRANSACTION);
+@@ -3550,10 +3560,12 @@ static void binder_transaction(struct binder_proc *proc,
+ static void
+ binder_free_buf(struct binder_proc *proc, struct binder_buffer *buffer)
+ {
++ binder_inner_proc_lock(proc);
+ if (buffer->transaction) {
+ buffer->transaction->buffer = NULL;
+ buffer->transaction = NULL;
+ }
++ binder_inner_proc_unlock(proc);
+ if (buffer->async_transaction && buffer->target_node) {
+ struct binder_node *buf_node;
+ struct binder_work *w;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-108-staging-erofs-add-requirements-field-in-superb.patch b/patches.kernel.org/5.1.15-108-staging-erofs-add-requirements-field-in-superb.patch
new file mode 100644
index 0000000000..d115704022
--- /dev/null
+++ b/patches.kernel.org/5.1.15-108-staging-erofs-add-requirements-field-in-superb.patch
@@ -0,0 +1,115 @@
+From: Gao Xiang <gaoxiang25@huawei.com>
+Date: Thu, 13 Jun 2019 16:35:41 +0800
+Subject: [PATCH] staging: erofs: add requirements field in superblock
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 5efe5137f05bbb4688890620934538c005e7d1d6
+
+commit 5efe5137f05bbb4688890620934538c005e7d1d6 upstream.
+
+There are some backward incompatible features pending
+for months, mainly due to on-disk format expensions.
+
+However, we should ensure that it cannot be mounted with
+old kernels. Otherwise, it will causes unexpected behaviors.
+
+Fixes: ba2b77a82022 ("staging: erofs: add super block operations")
+Cc: <stable@vger.kernel.org> # 4.19+
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/staging/erofs/erofs_fs.h | 13 ++++++++++---
+ drivers/staging/erofs/internal.h | 2 ++
+ drivers/staging/erofs/super.c | 19 +++++++++++++++++++
+ 3 files changed, 31 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/staging/erofs/erofs_fs.h b/drivers/staging/erofs/erofs_fs.h
+index fa52898df006..8ddb2b3e7d39 100644
+--- a/drivers/staging/erofs/erofs_fs.h
++++ b/drivers/staging/erofs/erofs_fs.h
+@@ -17,10 +17,16 @@
+ #define EROFS_SUPER_MAGIC_V1 0xE0F5E1E2
+ #define EROFS_SUPER_OFFSET 1024
+
++/*
++ * Any bits that aren't in EROFS_ALL_REQUIREMENTS should be
++ * incompatible with this kernel version.
++ */
++#define EROFS_ALL_REQUIREMENTS 0
++
+ struct erofs_super_block {
+ /* 0 */__le32 magic; /* in the little endian */
+ /* 4 */__le32 checksum; /* crc32c(super_block) */
+-/* 8 */__le32 features;
++/* 8 */__le32 features; /* (aka. feature_compat) */
+ /* 12 */__u8 blkszbits; /* support block_size == PAGE_SIZE only */
+ /* 13 */__u8 reserved;
+
+@@ -34,9 +40,10 @@ struct erofs_super_block {
+ /* 44 */__le32 xattr_blkaddr;
+ /* 48 */__u8 uuid[16]; /* 128-bit uuid for volume */
+ /* 64 */__u8 volume_name[16]; /* volume name */
++/* 80 */__le32 requirements; /* (aka. feature_incompat) */
+
+-/* 80 */__u8 reserved2[48]; /* 128 bytes */
+-} __packed;
++/* 84 */__u8 reserved2[44];
++} __packed; /* 128 bytes */
+
+ /*
+ * erofs inode data mapping:
+diff --git a/drivers/staging/erofs/internal.h b/drivers/staging/erofs/internal.h
+index e3bfde00c7d2..20cf6e7e170f 100644
+--- a/drivers/staging/erofs/internal.h
++++ b/drivers/staging/erofs/internal.h
+@@ -114,6 +114,8 @@ struct erofs_sb_info {
+
+ u8 uuid[16]; /* 128-bit uuid for volume */
+ u8 volume_name[16]; /* volume name */
++ u32 requirements;
++
+ char *dev_name;
+
+ unsigned int mount_opt;
+diff --git a/drivers/staging/erofs/super.c b/drivers/staging/erofs/super.c
+index c8981662a49b..2ed53dd7f50c 100644
+--- a/drivers/staging/erofs/super.c
++++ b/drivers/staging/erofs/super.c
+@@ -76,6 +76,22 @@ static void destroy_inode(struct inode *inode)
+ call_rcu(&inode->i_rcu, i_callback);
+ }
+
++static bool check_layout_compatibility(struct super_block *sb,
++ struct erofs_super_block *layout)
++{
++ const unsigned int requirements = le32_to_cpu(layout->requirements);
++
++ EROFS_SB(sb)->requirements = requirements;
++
++ /* check if current kernel meets all mandatory requirements */
++ if (requirements & (~EROFS_ALL_REQUIREMENTS)) {
++ errln("unidentified requirements %x, please upgrade kernel version",
++ requirements & ~EROFS_ALL_REQUIREMENTS);
++ return false;
++ }
++ return true;
++}
++
+ static int superblock_read(struct super_block *sb)
+ {
+ struct erofs_sb_info *sbi;
+@@ -109,6 +125,9 @@ static int superblock_read(struct super_block *sb)
+ goto out;
+ }
+
++ if (!check_layout_compatibility(sb, layout))
++ goto out;
++
+ sbi->blocks = le32_to_cpu(layout->blocks);
+ sbi->meta_blkaddr = le32_to_cpu(layout->meta_blkaddr);
+ #ifdef CONFIG_EROFS_FS_XATTR
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-109-Bluetooth-Align-minimum-encryption-key-size-fo.patch b/patches.kernel.org/5.1.15-109-Bluetooth-Align-minimum-encryption-key-size-fo.patch
new file mode 100644
index 0000000000..a22a7712e2
--- /dev/null
+++ b/patches.kernel.org/5.1.15-109-Bluetooth-Align-minimum-encryption-key-size-fo.patch
@@ -0,0 +1,60 @@
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Wed, 24 Apr 2019 22:19:17 +0200
+Subject: [PATCH] Bluetooth: Align minimum encryption key size for LE and
+ BR/EDR connections
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: d5bb334a8e171b262e48f378bd2096c0ea458265
+
+commit d5bb334a8e171b262e48f378bd2096c0ea458265 upstream.
+
+The minimum encryption key size for LE connections is 56 bits and to
+align LE with BR/EDR, enforce 56 bits of minimum encryption key size for
+BR/EDR connections as well.
+
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/net/bluetooth/hci_core.h | 3 +++
+ net/bluetooth/hci_conn.c | 8 ++++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 094e61e07030..05b1b96f4d9e 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -190,6 +190,9 @@ struct adv_info {
+
+ #define HCI_MAX_SHORT_NAME_LENGTH 10
+
++/* Min encryption key size to match with SMP */
++#define HCI_MIN_ENC_KEY_SIZE 7
++
+ /* Default LE RPA expiry time, 15 minutes */
+ #define HCI_DEFAULT_RPA_TIMEOUT (15 * 60)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index bd4978ce8c45..3cf0764d5793 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1276,6 +1276,14 @@ int hci_conn_check_link_mode(struct hci_conn *conn)
+ !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
+ return 0;
+
++ /* The minimum encryption key size needs to be enforced by the
++ * host stack before establishing any L2CAP connections. The
++ * specification in theory allows a minimum of 1, but to align
++ * BR/EDR and LE transports, a minimum of 7 is chosen.
++ */
++ if (conn->enc_key_size < HCI_MIN_ENC_KEY_SIZE)
++ return 0;
++
+ return 1;
+ }
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-110-Bluetooth-Fix-regression-with-minimum-encrypti.patch b/patches.kernel.org/5.1.15-110-Bluetooth-Fix-regression-with-minimum-encrypti.patch
new file mode 100644
index 0000000000..d022647b66
--- /dev/null
+++ b/patches.kernel.org/5.1.15-110-Bluetooth-Fix-regression-with-minimum-encrypti.patch
@@ -0,0 +1,156 @@
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Sat, 22 Jun 2019 15:47:01 +0200
+Subject: [PATCH] Bluetooth: Fix regression with minimum encryption key size
+ alignment
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 693cd8ce3f882524a5d06f7800dd8492411877b3
+
+commit 693cd8ce3f882524a5d06f7800dd8492411877b3 upstream.
+
+When trying to align the minimum encryption key size requirement for
+Bluetooth connections, it turns out doing this in a central location in
+the HCI connection handling code is not possible.
+
+Original Bluetooth version up to 2.0 used a security model where the
+L2CAP service would enforce authentication and encryption. Starting
+with Bluetooth 2.1 and Secure Simple Pairing that model has changed into
+that the connection initiator is responsible for providing an encrypted
+ACL link before any L2CAP communication can happen.
+
+Now connecting Bluetooth 2.1 or later devices with Bluetooth 2.0 and
+before devices are causing a regression. The encryption key size check
+needs to be moved out of the HCI connection handling into the L2CAP
+channel setup.
+
+To achieve this, the current check inside hci_conn_security() has been
+moved into l2cap_check_enc_key_size() helper function and then called
+from four decisions point inside L2CAP to cover all combinations of
+Secure Simple Pairing enabled devices and device using legacy pairing
+and legacy service security model.
+
+Fixes: d5bb334a8e17 ("Bluetooth: Align minimum encryption key size for LE and BR/EDR connections")
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203643
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/bluetooth/hci_conn.c | 18 +++++++++---------
+ net/bluetooth/l2cap_core.c | 33 ++++++++++++++++++++++++++++-----
+ 2 files changed, 37 insertions(+), 14 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 3cf0764d5793..15d1cb5aee18 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1276,14 +1276,6 @@ int hci_conn_check_link_mode(struct hci_conn *conn)
+ !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
+ return 0;
+
+- /* The minimum encryption key size needs to be enforced by the
+- * host stack before establishing any L2CAP connections. The
+- * specification in theory allows a minimum of 1, but to align
+- * BR/EDR and LE transports, a minimum of 7 is chosen.
+- */
+- if (conn->enc_key_size < HCI_MIN_ENC_KEY_SIZE)
+- return 0;
+-
+ return 1;
+ }
+
+@@ -1400,8 +1392,16 @@ int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
+ return 0;
+
+ encrypt:
+- if (test_bit(HCI_CONN_ENCRYPT, &conn->flags))
++ if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) {
++ /* Ensure that the encryption key size has been read,
++ * otherwise stall the upper layer responses.
++ */
++ if (!conn->enc_key_size)
++ return 0;
++
++ /* Nothing else needed, all requirements are met */
+ return 1;
++ }
+
+ hci_conn_encrypt(conn);
+ return 0;
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index b53acd6c9a3d..9f77432dbe38 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -1341,6 +1341,21 @@ static void l2cap_request_info(struct l2cap_conn *conn)
+ sizeof(req), &req);
+ }
+
++static bool l2cap_check_enc_key_size(struct hci_conn *hcon)
++{
++ /* The minimum encryption key size needs to be enforced by the
++ * host stack before establishing any L2CAP connections. The
++ * specification in theory allows a minimum of 1, but to align
++ * BR/EDR and LE transports, a minimum of 7 is chosen.
++ *
++ * This check might also be called for unencrypted connections
++ * that have no key size requirements. Ensure that the link is
++ * actually encrypted before enforcing a key size.
++ */
++ return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) ||
++ hcon->enc_key_size > HCI_MIN_ENC_KEY_SIZE);
++}
++
+ static void l2cap_do_start(struct l2cap_chan *chan)
+ {
+ struct l2cap_conn *conn = chan->conn;
+@@ -1358,9 +1373,14 @@ static void l2cap_do_start(struct l2cap_chan *chan)
+ if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
+ return;
+
+- if (l2cap_chan_check_security(chan, true) &&
+- __l2cap_no_conn_pending(chan))
++ if (!l2cap_chan_check_security(chan, true) ||
++ !__l2cap_no_conn_pending(chan))
++ return;
++
++ if (l2cap_check_enc_key_size(conn->hcon))
+ l2cap_start_connection(chan);
++ else
++ __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
+ }
+
+ static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
+@@ -1439,7 +1459,10 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
+ continue;
+ }
+
+- l2cap_start_connection(chan);
++ if (l2cap_check_enc_key_size(conn->hcon))
++ l2cap_start_connection(chan);
++ else
++ l2cap_chan_close(chan, ECONNREFUSED);
+
+ } else if (chan->state == BT_CONNECT2) {
+ struct l2cap_conn_rsp rsp;
+@@ -7490,7 +7513,7 @@ static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
+ }
+
+ if (chan->state == BT_CONNECT) {
+- if (!status)
++ if (!status && l2cap_check_enc_key_size(hcon))
+ l2cap_start_connection(chan);
+ else
+ __set_chan_timer(chan, L2CAP_DISC_TIMEOUT);
+@@ -7499,7 +7522,7 @@ static void l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
+ struct l2cap_conn_rsp rsp;
+ __u16 res, stat;
+
+- if (!status) {
++ if (!status && l2cap_check_enc_key_size(hcon)) {
+ if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
+ res = L2CAP_CR_PEND;
+ stat = L2CAP_CS_AUTHOR_PEND;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-111-SMB3-retry-on-STATUS_INSUFFICIENT_RESOURCES-in.patch b/patches.kernel.org/5.1.15-111-SMB3-retry-on-STATUS_INSUFFICIENT_RESOURCES-in.patch
new file mode 100644
index 0000000000..f7b0c330ae
--- /dev/null
+++ b/patches.kernel.org/5.1.15-111-SMB3-retry-on-STATUS_INSUFFICIENT_RESOURCES-in.patch
@@ -0,0 +1,43 @@
+From: Steve French <stfrench@microsoft.com>
+Date: Mon, 17 Jun 2019 14:49:07 -0500
+Subject: [PATCH] SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of
+ failing write
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 8d526d62db907e786fd88948c75d1833d82bd80e
+
+commit 8d526d62db907e786fd88948c75d1833d82bd80e upstream.
+
+Some servers such as Windows 10 will return STATUS_INSUFFICIENT_RESOURCES
+as the number of simultaneous SMB3 requests grows (even though the client
+has sufficient credits). Return EAGAIN on STATUS_INSUFFICIENT_RESOURCES
+so that we can retry writes which fail with this status code.
+
+This (for example) fixes large file copies to Windows 10 on fast networks.
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/cifs/smb2maperror.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/smb2maperror.c b/fs/cifs/smb2maperror.c
+index e32c264e3adb..82ade16c9501 100644
+--- a/fs/cifs/smb2maperror.c
++++ b/fs/cifs/smb2maperror.c
+@@ -457,7 +457,7 @@ static const struct status_to_posix_error smb2_error_map_table[] = {
+ {STATUS_FILE_INVALID, -EIO, "STATUS_FILE_INVALID"},
+ {STATUS_ALLOTTED_SPACE_EXCEEDED, -EIO,
+ "STATUS_ALLOTTED_SPACE_EXCEEDED"},
+- {STATUS_INSUFFICIENT_RESOURCES, -EREMOTEIO,
++ {STATUS_INSUFFICIENT_RESOURCES, -EAGAIN,
+ "STATUS_INSUFFICIENT_RESOURCES"},
+ {STATUS_DFS_EXIT_PATH_FOUND, -EIO, "STATUS_DFS_EXIT_PATH_FOUND"},
+ {STATUS_DEVICE_DATA_ERROR, -EIO, "STATUS_DEVICE_DATA_ERROR"},
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-112-x86-vdso-Prevent-segfaults-due-to-hoisted-vclo.patch b/patches.kernel.org/5.1.15-112-x86-vdso-Prevent-segfaults-due-to-hoisted-vclo.patch
new file mode 100644
index 0000000000..37995bfc4d
--- /dev/null
+++ b/patches.kernel.org/5.1.15-112-x86-vdso-Prevent-segfaults-due-to-hoisted-vclo.patch
@@ -0,0 +1,72 @@
+From: Andy Lutomirski <luto@kernel.org>
+Date: Fri, 21 Jun 2019 08:43:04 -0700
+Subject: [PATCH] x86/vdso: Prevent segfaults due to hoisted vclock reads
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: ff17bbe0bb405ad8b36e55815d381841f9fdeebc
+
+commit ff17bbe0bb405ad8b36e55815d381841f9fdeebc upstream.
+
+GCC 5.5.0 sometimes cleverly hoists reads of the pvclock and/or hvclock
+pages before the vclock mode checks. This creates a path through
+vclock_gettime() in which no vclock is enabled at all (due to disabled
+TSC on old CPUs, for example) but the pvclock or hvclock page
+nevertheless read. This will segfault on bare metal.
+
+This fixes commit 459e3a21535a ("gcc-9: properly declare the
+{pv,hv}clock_page storage") in the sense that, before that commit, GCC
+didn't seem to generate the offending code. There was nothing wrong
+with that commit per se, and -stable maintainers should backport this to
+all supported kernels regardless of whether the offending commit was
+present, since the same crash could just as easily be triggered by the
+phase of the moon.
+
+On GCC 9.1.1, this doesn't seem to affect the generated code at all, so
+I'm not too concerned about performance regressions from this fix.
+
+Cc: stable@vger.kernel.org
+Cc: x86@kernel.org
+Cc: Borislav Petkov <bp@alien8.de>
+Reported-by: Duncan Roe <duncan_roe@optusnet.com.au>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/entry/vdso/vclock_gettime.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/entry/vdso/vclock_gettime.c b/arch/x86/entry/vdso/vclock_gettime.c
+index 98c7d12b945c..ed7ddee1ae69 100644
+--- a/arch/x86/entry/vdso/vclock_gettime.c
++++ b/arch/x86/entry/vdso/vclock_gettime.c
+@@ -128,13 +128,24 @@ notrace static inline u64 vgetcyc(int mode)
+ {
+ if (mode == VCLOCK_TSC)
+ return (u64)rdtsc_ordered();
++
++ /*
++ * For any memory-mapped vclock type, we need to make sure that gcc
++ * doesn't cleverly hoist a load before the mode check. Otherwise we
++ * might end up touching the memory-mapped page even if the vclock in
++ * question isn't enabled, which will segfault. Hence the barriers.
++ */
+ #ifdef CONFIG_PARAVIRT_CLOCK
+- else if (mode == VCLOCK_PVCLOCK)
++ if (mode == VCLOCK_PVCLOCK) {
++ barrier();
+ return vread_pvclock();
++ }
+ #endif
+ #ifdef CONFIG_HYPERV_TSCPAGE
+- else if (mode == VCLOCK_HVCLOCK)
++ if (mode == VCLOCK_HVCLOCK) {
++ barrier();
+ return vread_hvclock();
++ }
+ #endif
+ return U64_MAX;
+ }
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-113-fs-namespace-fix-unprivileged-mount-propagatio.patch b/patches.kernel.org/5.1.15-113-fs-namespace-fix-unprivileged-mount-propagatio.patch
new file mode 100644
index 0000000000..507e2987c1
--- /dev/null
+++ b/patches.kernel.org/5.1.15-113-fs-namespace-fix-unprivileged-mount-propagatio.patch
@@ -0,0 +1,79 @@
+From: Christian Brauner <christian@brauner.io>
+Date: Mon, 17 Jun 2019 23:22:14 +0200
+Subject: [PATCH] fs/namespace: fix unprivileged mount propagation
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: d728cf79164bb38e9628d15276e636539f857ef1
+
+commit d728cf79164bb38e9628d15276e636539f857ef1 upstream.
+
+When propagating mounts across mount namespaces owned by different user
+namespaces it is not possible anymore to move or umount the mount in the
+less privileged mount namespace.
+
+Here is a reproducer:
+
+ sudo mount -t tmpfs tmpfs /mnt
+ sudo --make-rshared /mnt
+
+ # create unprivileged user + mount namespace and preserve propagation
+ unshare -U -m --map-root --propagation=unchanged
+
+ # now change back to the original mount namespace in another terminal:
+ sudo mkdir /mnt/aaa
+ sudo mount -t tmpfs tmpfs /mnt/aaa
+
+ # now in the unprivileged user + mount namespace
+ mount --move /mnt/aaa /opt
+
+Unfortunately, this is a pretty big deal for userspace since this is
+e.g. used to inject mounts into running unprivileged containers.
+So this regression really needs to go away rather quickly.
+
+The problem is that a recent change falsely locked the root of the newly
+added mounts by setting MNT_LOCKED. Fix this by only locking the mounts
+on copy_mnt_ns() and not when adding a new mount.
+
+Fixes: 3bd045cc9c4b ("separate copying and locking mount tree on cross-userns copies")
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: <stable@vger.kernel.org>
+Tested-by: Christian Brauner <christian@brauner.io>
+Acked-by: Christian Brauner <christian@brauner.io>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Christian Brauner <christian@brauner.io>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ fs/namespace.c | 1 +
+ fs/pnode.c | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index c9cab307fa77..061f247a3cdb 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -2079,6 +2079,7 @@ static int attach_recursive_mnt(struct mount *source_mnt,
+ /* Notice when we are propagating across user namespaces */
+ if (child->mnt_parent->mnt_ns->user_ns != user_ns)
+ lock_mnt_tree(child);
++ child->mnt.mnt_flags &= ~MNT_LOCKED;
+ commit_tree(child);
+ }
+ put_mountpoint(smp);
+diff --git a/fs/pnode.c b/fs/pnode.c
+index 7ea6cfb65077..012be405fec0 100644
+--- a/fs/pnode.c
++++ b/fs/pnode.c
+@@ -262,7 +262,6 @@ static int propagate_one(struct mount *m)
+ child = copy_tree(last_source, last_source->mnt.mnt_root, type);
+ if (IS_ERR(child))
+ return PTR_ERR(child);
+- child->mnt.mnt_flags &= ~MNT_LOCKED;
+ mnt_set_mountpoint(m, mp, child);
+ last_dest = m;
+ last_source = child;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-114-cfg80211-fix-memory-leak-of-wiphy-device-name.patch b/patches.kernel.org/5.1.15-114-cfg80211-fix-memory-leak-of-wiphy-device-name.patch
new file mode 100644
index 0000000000..d795914d86
--- /dev/null
+++ b/patches.kernel.org/5.1.15-114-cfg80211-fix-memory-leak-of-wiphy-device-name.patch
@@ -0,0 +1,40 @@
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 10 Jun 2019 13:02:19 -0700
+Subject: [PATCH] cfg80211: fix memory leak of wiphy device name
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 4f488fbca2a86cc7714a128952eead92cac279ab
+
+commit 4f488fbca2a86cc7714a128952eead92cac279ab upstream.
+
+In wiphy_new_nm(), if an error occurs after dev_set_name() and
+device_initialize() have already been called, it's necessary to call
+put_device() (via wiphy_free()) to avoid a memory leak.
+
+Reported-by: syzbot+7fddca22578bc67c3fe4@syzkaller.appspotmail.com
+Fixes: 1f87f7d3a3b4 ("cfg80211: add rfkill support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/wireless/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/wireless/core.c b/net/wireless/core.c
+index b36ad8efb5e5..fb8983a5c915 100644
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -513,7 +513,7 @@ struct wiphy *wiphy_new_nm(const struct cfg80211_ops *ops, int sizeof_priv,
+ &rdev->rfkill_ops, rdev);
+
+ if (!rdev->rfkill) {
+- kfree(rdev);
++ wiphy_free(&rdev->wiphy);
+ return NULL;
+ }
+
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-115-mac80211-drop-robust-management-frames-from-un.patch b/patches.kernel.org/5.1.15-115-mac80211-drop-robust-management-frames-from-un.patch
new file mode 100644
index 0000000000..627fd8efe0
--- /dev/null
+++ b/patches.kernel.org/5.1.15-115-mac80211-drop-robust-management-frames-from-un.patch
@@ -0,0 +1,37 @@
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 13 Feb 2019 15:13:30 +0100
+Subject: [PATCH] mac80211: drop robust management frames from unknown TA
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 588f7d39b3592a36fb7702ae3b8bdd9be4621e2f
+
+commit 588f7d39b3592a36fb7702ae3b8bdd9be4621e2f upstream.
+
+When receiving a robust management frame, drop it if we don't have
+rx->sta since then we don't have a security association and thus
+couldn't possibly validate the frame.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/mac80211/rx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index bf0b187f994e..1a1f850b76fd 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -3823,6 +3823,8 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
+ case NL80211_IFTYPE_STATION:
+ if (!bssid && !sdata->u.mgd.use_4addr)
+ return false;
++ if (ieee80211_is_robust_mgmt_frame(skb) && !rx->sta)
++ return false;
+ if (multicast)
+ return true;
+ return ether_addr_equal(sdata->vif.addr, hdr->addr1);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-116-nl-mac-80211-allow-4addr-AP-operation-on-crypt.patch b/patches.kernel.org/5.1.15-116-nl-mac-80211-allow-4addr-AP-operation-on-crypt.patch
new file mode 100644
index 0000000000..c45b33fd9a
--- /dev/null
+++ b/patches.kernel.org/5.1.15-116-nl-mac-80211-allow-4addr-AP-operation-on-crypt.patch
@@ -0,0 +1,120 @@
+From: Manikanta Pubbisetty <mpubbise@codeaurora.org>
+Date: Wed, 8 May 2019 14:55:33 +0530
+Subject: [PATCH] {nl,mac}80211: allow 4addr AP operation on crypto controlled
+ devices
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 33d915d9e8ce811d8958915ccd18d71a66c7c495
+
+commit 33d915d9e8ce811d8958915ccd18d71a66c7c495 upstream.
+
+As per the current design, in the case of sw crypto controlled devices,
+it is the device which advertises the support for AP/VLAN iftype based
+on it's ability to tranmsit packets encrypted in software
+(In VLAN functionality, group traffic generated for a specific
+VLAN group is always encrypted in software). Commit db3bdcb9c3ff
+("mac80211: allow AP_VLAN operation on crypto controlled devices")
+has introduced this change.
+
+Since 4addr AP operation also uses AP/VLAN iftype, this conditional
+way of advertising AP/VLAN support has broken 4addr AP mode operation on
+crypto controlled devices which do not support VLAN functionality.
+
+In the case of ath10k driver, not all firmwares have support for VLAN
+functionality but all can support 4addr AP operation. Because AP/VLAN
+support is not advertised for these devices, 4addr AP operations are
+also blocked.
+
+Fix this by allowing 4addr operation on devices which do not support
+AP/VLAN iftype but can support 4addr AP operation (decision is based on
+the wiphy flag WIPHY_FLAG_4ADDR_AP).
+
+Cc: stable@vger.kernel.org
+Fixes: db3bdcb9c3ff ("mac80211: allow AP_VLAN operation on crypto controlled devices")
+Signed-off-by: Manikanta Pubbisetty <mpubbise@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ include/net/cfg80211.h | 3 ++-
+ net/mac80211/util.c | 4 +++-
+ net/wireless/core.c | 6 +++++-
+ net/wireless/nl80211.c | 8 ++++++--
+ 4 files changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
+index 13bfeb712d36..ab00733087ac 100644
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -3767,7 +3767,8 @@ struct cfg80211_ops {
+ * on wiphy_new(), but can be changed by the driver if it has a good
+ * reason to override the default
+ * @WIPHY_FLAG_4ADDR_AP: supports 4addr mode even on AP (with a single station
+- * on a VLAN interface)
++ * on a VLAN interface). This flag also serves an extra purpose of
++ * supporting 4ADDR AP mode on devices which do not support AP/VLAN iftype.
+ * @WIPHY_FLAG_4ADDR_STATION: supports 4addr mode even as a station
+ * @WIPHY_FLAG_CONTROL_PORT_PROTOCOL: This device supports setting the
+ * control port protocol ethertype. The device also honours the
+diff --git a/net/mac80211/util.c b/net/mac80211/util.c
+index 4c1655972565..447a55ae9df1 100644
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -3757,7 +3757,9 @@ int ieee80211_check_combinations(struct ieee80211_sub_if_data *sdata,
+ }
+
+ /* Always allow software iftypes */
+- if (local->hw.wiphy->software_iftypes & BIT(iftype)) {
++ if (local->hw.wiphy->software_iftypes & BIT(iftype) ||
++ (iftype == NL80211_IFTYPE_AP_VLAN &&
++ local->hw.wiphy->flags & WIPHY_FLAG_4ADDR_AP)) {
+ if (radar_detect)
+ return -EINVAL;
+ return 0;
+diff --git a/net/wireless/core.c b/net/wireless/core.c
+index fb8983a5c915..c58acca09301 100644
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -1396,8 +1396,12 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
+ }
+ break;
+ case NETDEV_PRE_UP:
+- if (!(wdev->wiphy->interface_modes & BIT(wdev->iftype)))
++ if (!(wdev->wiphy->interface_modes & BIT(wdev->iftype)) &&
++ !(wdev->iftype == NL80211_IFTYPE_AP_VLAN &&
++ rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP &&
++ wdev->use_4addr))
+ return notifier_from_errno(-EOPNOTSUPP);
++
+ if (rfkill_blocked(rdev->rfkill))
+ return notifier_from_errno(-ERFKILL);
+ break;
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index d2a7459a5da4..4919a613adb6 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -3385,8 +3385,7 @@ static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
+ if (info->attrs[NL80211_ATTR_IFTYPE])
+ type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
+
+- if (!rdev->ops->add_virtual_intf ||
+- !(rdev->wiphy.interface_modes & (1 << type)))
++ if (!rdev->ops->add_virtual_intf)
+ return -EOPNOTSUPP;
+
+ if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
+@@ -3405,6 +3404,11 @@ static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
+ return err;
+ }
+
++ if (!(rdev->wiphy.interface_modes & (1 << type)) &&
++ !(type == NL80211_IFTYPE_AP_VLAN && params.use_4addr &&
++ rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP))
++ return -EOPNOTSUPP;
++
+ err = nl80211_parse_mon_options(rdev, type, info, &params);
+ if (err < 0)
+ return err;
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-117-mac80211-handle-deauthentication-disassociatio.patch b/patches.kernel.org/5.1.15-117-mac80211-handle-deauthentication-disassociatio.patch
new file mode 100644
index 0000000000..f780fe4f92
--- /dev/null
+++ b/patches.kernel.org/5.1.15-117-mac80211-handle-deauthentication-disassociatio.patch
@@ -0,0 +1,127 @@
+From: Yu Wang <yyuwang@codeaurora.org>
+Date: Fri, 10 May 2019 17:04:52 +0800
+Subject: [PATCH] mac80211: handle deauthentication/disassociation from TDLS
+ peer
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 79c92ca42b5a3e0ea172ea2ce8df8e125af237da
+
+commit 79c92ca42b5a3e0ea172ea2ce8df8e125af237da upstream.
+
+When receiving a deauthentication/disassociation frame from a TDLS
+peer, a station should not disconnect the current AP, but only
+disable the current TDLS link if it's enabled.
+
+Without this change, a TDLS issue can be reproduced by following the
+steps as below:
+
+1. STA-1 and STA-2 are connected to AP, bidirection traffic is running
+ between STA-1 and STA-2.
+2. Set up TDLS link between STA-1 and STA-2, stay for a while, then
+ teardown TDLS link.
+3. Repeat step #2 and monitor the connection between STA and AP.
+
+During the test, one STA may send a deauthentication/disassociation
+frame to another, after TDLS teardown, with reason code 6/7, which
+means: Class 2/3 frame received from nonassociated STA.
+
+On receive this frame, the receiver STA will disconnect the current
+AP and then reconnect. It's not a expected behavior, purpose of this
+frame should be disabling the TDLS link, not the link with AP.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Yu Wang <yyuwang@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/mac80211/ieee80211_i.h | 3 +++
+ net/mac80211/mlme.c | 12 +++++++++++-
+ net/mac80211/tdls.c | 23 +++++++++++++++++++++++
+ 3 files changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index e170f986d226..c875d45f1e1d 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -2222,6 +2222,9 @@ void ieee80211_tdls_cancel_channel_switch(struct wiphy *wiphy,
+ const u8 *addr);
+ void ieee80211_teardown_tdls_peers(struct ieee80211_sub_if_data *sdata);
+ void ieee80211_tdls_chsw_work(struct work_struct *wk);
++void ieee80211_tdls_handle_disconnect(struct ieee80211_sub_if_data *sdata,
++ const u8 *peer, u16 reason);
++const char *ieee80211_get_reason_code_string(u16 reason_code);
+
+ extern const struct ethtool_ops ieee80211_ethtool_ops;
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index b7a9fe3d5fcb..383b0df100e4 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -2963,7 +2963,7 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
+ #define case_WLAN(type) \
+ case WLAN_REASON_##type: return #type
+
+-static const char *ieee80211_get_reason_code_string(u16 reason_code)
++const char *ieee80211_get_reason_code_string(u16 reason_code)
+ {
+ switch (reason_code) {
+ case_WLAN(UNSPECIFIED);
+@@ -3028,6 +3028,11 @@ static void ieee80211_rx_mgmt_deauth(struct ieee80211_sub_if_data *sdata,
+ if (len < 24 + 2)
+ return;
+
++ if (!ether_addr_equal(mgmt->bssid, mgmt->sa)) {
++ ieee80211_tdls_handle_disconnect(sdata, mgmt->sa, reason_code);
++ return;
++ }
++
+ if (ifmgd->associated &&
+ ether_addr_equal(mgmt->bssid, ifmgd->associated->bssid)) {
+ const u8 *bssid = ifmgd->associated->bssid;
+@@ -3077,6 +3082,11 @@ static void ieee80211_rx_mgmt_disassoc(struct ieee80211_sub_if_data *sdata,
+
+ reason_code = le16_to_cpu(mgmt->u.disassoc.reason_code);
+
++ if (!ether_addr_equal(mgmt->bssid, mgmt->sa)) {
++ ieee80211_tdls_handle_disconnect(sdata, mgmt->sa, reason_code);
++ return;
++ }
++
+ sdata_info(sdata, "disassociated from %pM (Reason: %u=%s)\n",
+ mgmt->sa, reason_code,
+ ieee80211_get_reason_code_string(reason_code));
+diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
+index d30690d79a58..fcc5cd49c3ac 100644
+--- a/net/mac80211/tdls.c
++++ b/net/mac80211/tdls.c
+@@ -1994,3 +1994,26 @@ void ieee80211_tdls_chsw_work(struct work_struct *wk)
+ }
+ rtnl_unlock();
+ }
++
++void ieee80211_tdls_handle_disconnect(struct ieee80211_sub_if_data *sdata,
++ const u8 *peer, u16 reason)
++{
++ struct ieee80211_sta *sta;
++
++ rcu_read_lock();
++ sta = ieee80211_find_sta(&sdata->vif, peer);
++ if (!sta || !sta->tdls) {
++ rcu_read_unlock();
++ return;
++ }
++ rcu_read_unlock();
++
++ tdls_dbg(sdata, "disconnected from TDLS peer %pM (Reason: %u=%s)\n",
++ peer, reason,
++ ieee80211_get_reason_code_string(reason));
++
++ ieee80211_tdls_oper_request(&sdata->vif, peer,
++ NL80211_TDLS_TEARDOWN,
++ WLAN_REASON_TDLS_TEARDOWN_UNREACHABLE,
++ GFP_ATOMIC);
++}
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-118-nl80211-fix-station_info-pertid-memory-leak.patch b/patches.kernel.org/5.1.15-118-nl80211-fix-station_info-pertid-memory-leak.patch
new file mode 100644
index 0000000000..2eb73ad359
--- /dev/null
+++ b/patches.kernel.org/5.1.15-118-nl80211-fix-station_info-pertid-memory-leak.patch
@@ -0,0 +1,44 @@
+From: Andy Strohman <andrew@andrewstrohman.com>
+Date: Fri, 24 May 2019 23:27:29 -0700
+Subject: [PATCH] nl80211: fix station_info pertid memory leak
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: f77bf4863dc2218362f4227d56af4a5f3f08830c
+
+commit f77bf4863dc2218362f4227d56af4a5f3f08830c upstream.
+
+When dumping stations, memory allocated for station_info's
+pertid member will leak if the nl80211 header cannot be added to
+the sk_buff due to insufficient tail room.
+
+I noticed this leak in the kmalloc-2048 cache.
+
+Cc: stable@vger.kernel.org
+Fixes: 8689c051a201 ("cfg80211: dynamically allocate per-tid stats for station info")
+Signed-off-by: Andy Strohman <andy@uplevelsystems.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/wireless/nl80211.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 4919a613adb6..d1553a661336 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -4804,8 +4804,10 @@ static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
+ struct nlattr *sinfoattr, *bss_param;
+
+ hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
+- if (!hdr)
++ if (!hdr) {
++ cfg80211_sinfo_release_content(sinfo);
+ return -1;
++ }
+
+ if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
+ nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-119-mac80211-Do-not-use-stack-memory-with-scatterl.patch b/patches.kernel.org/5.1.15-119-mac80211-Do-not-use-stack-memory-with-scatterl.patch
new file mode 100644
index 0000000000..bab855767e
--- /dev/null
+++ b/patches.kernel.org/5.1.15-119-mac80211-Do-not-use-stack-memory-with-scatterl.patch
@@ -0,0 +1,65 @@
+From: Jouni Malinen <j@w1.fi>
+Date: Tue, 28 May 2019 01:46:43 +0300
+Subject: [PATCH] mac80211: Do not use stack memory with scatterlist for GMAC
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: a71fd9dac23613d96ba3c05619a8ef4fd6cdf9b9
+
+commit a71fd9dac23613d96ba3c05619a8ef4fd6cdf9b9 upstream.
+
+ieee80211_aes_gmac() uses the mic argument directly in sg_set_buf() and
+that does not allow use of stack memory (e.g., BUG_ON() is hit in
+sg_set_buf() with CONFIG_DEBUG_SG). BIP GMAC TX side is fine for this
+since it can use the skb data buffer, but the RX side was using a stack
+variable for deriving the local MIC value to compare against the
+received one.
+
+Fix this by allocating heap memory for the mic buffer.
+
+This was found with hwsim test case ap_cipher_bip_gmac_128 hitting that
+BUG_ON() and kernel panic.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jouni Malinen <j@w1.fi>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/mac80211/wpa.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
+index 58d0b258b684..5dd48f0a4b1b 100644
+--- a/net/mac80211/wpa.c
++++ b/net/mac80211/wpa.c
+@@ -1175,7 +1175,7 @@ ieee80211_crypto_aes_gmac_decrypt(struct ieee80211_rx_data *rx)
+ struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
+ struct ieee80211_key *key = rx->key;
+ struct ieee80211_mmie_16 *mmie;
+- u8 aad[GMAC_AAD_LEN], mic[GMAC_MIC_LEN], ipn[6], nonce[GMAC_NONCE_LEN];
++ u8 aad[GMAC_AAD_LEN], *mic, ipn[6], nonce[GMAC_NONCE_LEN];
+ struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
+
+ if (!ieee80211_is_mgmt(hdr->frame_control))
+@@ -1206,13 +1206,18 @@ ieee80211_crypto_aes_gmac_decrypt(struct ieee80211_rx_data *rx)
+ memcpy(nonce, hdr->addr2, ETH_ALEN);
+ memcpy(nonce + ETH_ALEN, ipn, 6);
+
++ mic = kmalloc(GMAC_MIC_LEN, GFP_ATOMIC);
++ if (!mic)
++ return RX_DROP_UNUSABLE;
+ if (ieee80211_aes_gmac(key->u.aes_gmac.tfm, aad, nonce,
+ skb->data + 24, skb->len - 24,
+ mic) < 0 ||
+ crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
+ key->u.aes_gmac.icverrors++;
++ kfree(mic);
+ return RX_DROP_UNUSABLE;
+ }
++ kfree(mic);
+ }
+
+ memcpy(key->u.aes_gmac.rx_pn, ipn, 6);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-120-x86-resctrl-Don-t-stop-walking-closids-when-a-.patch b/patches.kernel.org/5.1.15-120-x86-resctrl-Don-t-stop-walking-closids-when-a-.patch
new file mode 100644
index 0000000000..6b93d50c97
--- /dev/null
+++ b/patches.kernel.org/5.1.15-120-x86-resctrl-Don-t-stop-walking-closids-when-a-.patch
@@ -0,0 +1,57 @@
+From: James Morse <james.morse@arm.com>
+Date: Mon, 3 Jun 2019 18:25:31 +0100
+Subject: [PATCH] x86/resctrl: Don't stop walking closids when a locksetup
+ group is found
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: 87d3aa28f345bea77c396855fa5d5fec4c24461f
+
+commit 87d3aa28f345bea77c396855fa5d5fec4c24461f upstream.
+
+When a new control group is created __init_one_rdt_domain() walks all
+the other closids to calculate the sets of used and unused bits.
+
+If it discovers a pseudo_locksetup group, it breaks out of the loop. This
+means any later closid doesn't get its used bits added to used_b. These
+bits will then get set in unused_b, and added to the new control group's
+configuration, even if they were marked as exclusive for a later closid.
+
+When encountering a pseudo_locksetup group, we should continue. This is
+because "a resource group enters 'pseudo-locked' mode after the schemata is
+written while the resource group is in 'pseudo-locksetup' mode." When we
+find a pseudo_locksetup group, its configuration is expected to be
+overwritten, we can skip it.
+
+Fixes: dfe9674b04ff6 ("x86/intel_rdt: Enable entering of pseudo-locksetup mode")
+Signed-off-by: James Morse <james.morse@arm.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Reinette Chatre <reinette.chatre@intel.com>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: H Peter Avin <hpa@zytor.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20190603172531.178830-1-james.morse@arm.com
+[Dropped comment due to lack of space]
+Signed-off-by: James Morse <james.morse@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/kernel/cpu/resctrl/rdtgroup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/resctrl/rdtgroup.c b/arch/x86/kernel/cpu/resctrl/rdtgroup.c
+index 85212a32b54d..c51b56e29948 100644
+--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c
++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c
+@@ -2556,7 +2556,7 @@ static int rdtgroup_init_alloc(struct rdtgroup *rdtgrp)
+ if (closid_allocated(i) && i != closid) {
+ mode = rdtgroup_mode_by_closid(i);
+ if (mode == RDT_MODE_PSEUDO_LOCKSETUP)
+- break;
++ continue;
+ /*
+ * If CDP is active include peer
+ * domain's usage to ensure there
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-121-powerpc-mm-64s-hash-Reallocate-context-ids-on-.patch b/patches.kernel.org/5.1.15-121-powerpc-mm-64s-hash-Reallocate-context-ids-on-.patch
new file mode 100644
index 0000000000..12144e52f5
--- /dev/null
+++ b/patches.kernel.org/5.1.15-121-powerpc-mm-64s-hash-Reallocate-context-ids-on-.patch
@@ -0,0 +1,145 @@
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Wed, 12 Jun 2019 23:35:07 +1000
+Subject: [PATCH] powerpc/mm/64s/hash: Reallocate context ids on fork
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: ca72d88378b2f2444d3ec145dd442d449d3fefbc
+
+commit ca72d88378b2f2444d3ec145dd442d449d3fefbc upstream.
+
+When using the Hash Page Table (HPT) MMU, userspace memory mappings
+are managed at two levels. Firstly in the Linux page tables, much like
+other architectures, and secondly in the SLB (Segment Lookaside
+Buffer) and HPT. It's the SLB and HPT that are actually used by the
+hardware to do translations.
+
+As part of the series adding support for 4PB user virtual address
+space using the hash MMU, we added support for allocating multiple
+"context ids" per process, one for each 512TB chunk of address space.
+These are tracked in an array called extended_id in the mm_context_t
+of a process that has done a mapping above 512TB.
+
+If such a process forks (ie. clone(2) without CLONE_VM set) it's mm is
+copied, including the mm_context_t, and then init_new_context() is
+called to reinitialise parts of the mm_context_t as appropriate to
+separate the address spaces of the two processes.
+
+The key step in ensuring the two processes have separate address
+spaces is to allocate a new context id for the process, this is done
+at the beginning of hash__init_new_context(). If we didn't allocate a
+new context id then the two processes would share mappings as far as
+the SLB and HPT are concerned, even though their Linux page tables
+would be separate.
+
+For mappings above 512TB, which use the extended_id array, we
+neglected to allocate new context ids on fork, meaning the parent and
+child use the same ids and therefore share those mappings even though
+they're supposed to be separate. This can lead to the parent seeing
+writes done by the child, which is essentially memory corruption.
+
+There is an additional exposure which is that if the child process
+exits, all its context ids are freed, including the context ids that
+are still in use by the parent for mappings above 512TB. One or more
+of those ids can then be reallocated to a third process, that process
+can then read/write to the parent's mappings above 512TB. Additionally
+if the freed id is used for the third process's primary context id,
+then the parent is able to read/write to the third process's mappings
+*below* 512TB.
+
+All of these are fundamental failures to enforce separation between
+processes. The only mitigating factor is that the bug only occurs if a
+process creates mappings above 512TB, and most applications still do
+not create such mappings.
+
+Only machines using the hash page table MMU are affected, eg. PowerPC
+970 (G5), PA6T, Power5/6/7/8/9. By default Power9 bare metal machines
+(powernv) use the Radix MMU and are not affected, unless the machine
+has been explicitly booted in HPT mode (using disable_radix on the
+kernel command line). KVM guests on Power9 may be affected if the host
+or guest is configured to use the HPT MMU. LPARs under PowerVM on
+Power9 are affected as they always use the HPT MMU. Kernels built with
+PAGE_SIZE=4K are not affected.
+
+The fix is relatively simple, we need to reallocate context ids for
+all extended mappings on fork.
+
+Fixes: f384796c40dc ("powerpc/mm: Add support for handling > 512TB address in SLB miss")
+Cc: stable@vger.kernel.org # v4.17+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/powerpc/mm/mmu_context_book3s64.c | 46 +++++++++++++++++++++++---
+ 1 file changed, 42 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/mm/mmu_context_book3s64.c b/arch/powerpc/mm/mmu_context_book3s64.c
+index f720c5cc0b5e..8751ae2e2d04 100644
+--- a/arch/powerpc/mm/mmu_context_book3s64.c
++++ b/arch/powerpc/mm/mmu_context_book3s64.c
+@@ -55,14 +55,48 @@ EXPORT_SYMBOL_GPL(hash__alloc_context_id);
+
+ void slb_setup_new_exec(void);
+
++static int realloc_context_ids(mm_context_t *ctx)
++{
++ int i, id;
++
++ /*
++ * id 0 (aka. ctx->id) is special, we always allocate a new one, even if
++ * there wasn't one allocated previously (which happens in the exec
++ * case where ctx is newly allocated).
++ *
++ * We have to be a bit careful here. We must keep the existing ids in
++ * the array, so that we can test if they're non-zero to decide if we
++ * need to allocate a new one. However in case of error we must free the
++ * ids we've allocated but *not* any of the existing ones (or risk a
++ * UAF). That's why we decrement i at the start of the error handling
++ * loop, to skip the id that we just tested but couldn't reallocate.
++ */
++ for (i = 0; i < ARRAY_SIZE(ctx->extended_id); i++) {
++ if (i == 0 || ctx->extended_id[i]) {
++ id = hash__alloc_context_id();
++ if (id < 0)
++ goto error;
++
++ ctx->extended_id[i] = id;
++ }
++ }
++
++ /* The caller expects us to return id */
++ return ctx->id;
++
++error:
++ for (i--; i >= 0; i--) {
++ if (ctx->extended_id[i])
++ ida_free(&mmu_context_ida, ctx->extended_id[i]);
++ }
++
++ return id;
++}
++
+ static int hash__init_new_context(struct mm_struct *mm)
+ {
+ int index;
+
+- index = hash__alloc_context_id();
+- if (index < 0)
+- return index;
+-
+ /*
+ * The old code would re-promote on fork, we don't do that when using
+ * slices as it could cause problem promoting slices that have been
+@@ -80,6 +114,10 @@ static int hash__init_new_context(struct mm_struct *mm)
+ if (mm->context.id == 0)
+ slice_init_new_context_exec(mm);
+
++ index = realloc_context_ids(&mm->context);
++ if (index < 0)
++ return index;
++
+ subpage_prot_init_new_context(mm);
+
+ pkey_mm_init(mm);
+--
+2.22.0
+
diff --git a/patches.kernel.org/5.1.15-122-Linux-5.1.15.patch b/patches.kernel.org/5.1.15-122-Linux-5.1.15.patch
new file mode 100644
index 0000000000..28077f3bf8
--- /dev/null
+++ b/patches.kernel.org/5.1.15-122-Linux-5.1.15.patch
@@ -0,0 +1,28 @@
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 25 Jun 2019 11:34:56 +0800
+Subject: [PATCH] Linux 5.1.15
+References: bnc#1012628
+Patch-mainline: 5.1.15
+Git-commit: f0fae702de30331a8ce913cdb87ac0bdf990d85f
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index c4b1a345d3f0..d7b3c8e3ff3e 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,7 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ VERSION = 5
+ PATCHLEVEL = 1
+-SUBLEVEL = 14
++SUBLEVEL = 15
+ EXTRAVERSION =
+ NAME = Shy Crocodile
+
+--
+2.22.0
+
diff --git a/patches.suse/apparmor-compatibility-with-v2.x-net.patch b/patches.suse/apparmor-compatibility-with-v2.x-net.patch
index 72cccb5fd4..9d84bc9760 100644
--- a/patches.suse/apparmor-compatibility-with-v2.x-net.patch
+++ b/patches.suse/apparmor-compatibility-with-v2.x-net.patch
@@ -15,18 +15,18 @@ to work on a newer kernel.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
---
- security/apparmor/apparmorfs.c | 1 +
- security/apparmor/include/apparmor.h | 2 +-
- security/apparmor/include/net.h | 11 ++++++
- security/apparmor/include/policy.h | 2 ++
- security/apparmor/net.c | 31 ++++++++++++----
- security/apparmor/policy.c | 1 +
- security/apparmor/policy_unpack.c | 54 ++++++++++++++++++++++++++--
+ security/apparmor/apparmorfs.c | 1
+ security/apparmor/include/apparmor.h | 2 -
+ security/apparmor/include/net.h | 11 +++++++
+ security/apparmor/include/policy.h | 2 +
+ security/apparmor/net.c | 31 +++++++++++++++-----
+ security/apparmor/policy.c | 1
+ security/apparmor/policy_unpack.c | 54 +++++++++++++++++++++++++++++++++--
7 files changed, 92 insertions(+), 10 deletions(-)
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
-@@ -2269,6 +2269,7 @@ static struct aa_sfs_entry aa_sfs_entry_features[] = {
+@@ -2275,6 +2275,7 @@ static struct aa_sfs_entry aa_sfs_entry_
AA_SFS_DIR("domain", aa_sfs_entry_domain),
AA_SFS_DIR("file", aa_sfs_entry_file),
AA_SFS_DIR("network_v8", aa_sfs_entry_network),
@@ -92,7 +92,7 @@ Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
char **xattrs;
--- a/security/apparmor/net.c
+++ b/security/apparmor/net.c
-@@ -28,6 +28,11 @@ struct aa_sfs_entry aa_sfs_entry_network[] = {
+@@ -28,6 +28,11 @@ struct aa_sfs_entry aa_sfs_entry_network
{ }
};
@@ -104,11 +104,12 @@ Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
static const char * const net_mask_names[] = {
"unknown",
"send",
-@@ -120,14 +125,26 @@ int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
+@@ -120,14 +125,26 @@ int aa_profile_af_perm(struct aa_profile
if (profile_unconfined(profile))
return 0;
state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
- if (!state)
+- return 0;
+ if (state) {
+ if (!state)
+ return 0;
@@ -125,22 +126,21 @@ Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+ ALL_PERMS_MASK : 0;
+ perms.quiet = (profile->net_compat->quiet[family] & (1 << type)) ?
+ ALL_PERMS_MASK : 0;
-+
-+ } else {
- return 0;
--
+
- buffer[0] = cpu_to_be16(family);
- buffer[1] = cpu_to_be16((u16) type);
- state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer,
- 4);
- aa_compute_perms(profile->policy.dfa, state, &perms);
++ } else {
++ return 0;
+ }
aa_apply_modes_to_perms(profile, &perms);
return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
-@@ -227,6 +227,7 @@ void aa_free_profile(struct aa_profile *profile)
+@@ -227,6 +227,7 @@ void aa_free_profile(struct aa_profile *
aa_free_file_rules(&profile->file);
aa_free_cap_rules(&profile->caps);
aa_free_rlimit_rules(&profile->rlimits);
@@ -159,7 +159,7 @@ Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
#define v8 8 /* full network masking */
/*
-@@ -305,6 +305,19 @@ static bool unpack_u8(struct aa_ext *e, u8 *data, const char *name)
+@@ -315,6 +315,19 @@ fail:
return 0;
}
@@ -178,8 +178,8 @@ Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
{
- if (unpack_nameX(e, AA_U32, name)) {
-@@ -645,7 +658,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
+ void *pos = e->pos;
+@@ -677,7 +690,7 @@ static struct aa_profile *unpack_profile
struct aa_profile *profile = NULL;
const char *tmpname, *tmpns = NULL, *name = NULL;
const char *info = "failed to unpack profile";
@@ -188,7 +188,7 @@ Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
struct rhashtable_params params = { 0 };
char *key = NULL;
struct aa_data *data;
-@@ -788,6 +801,43 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
+@@ -820,6 +833,43 @@ static struct aa_profile *unpack_profile
goto fail;
}
diff --git a/series.conf b/series.conf
index 6b9785a04f..7d9993d13f 100644
--- a/series.conf
+++ b/series.conf
@@ -1364,6 +1364,128 @@
patches.kernel.org/5.1.13-099-Linux-5.1.13.patch
patches.kernel.org/5.1.14-001-tcp-refine-memory-limit-test-in-tcp_fragment.patch
patches.kernel.org/5.1.14-002-Linux-5.1.14.patch
+ patches.kernel.org/5.1.15-001-tracing-Silence-GCC-9-array-bounds-warning.patch
+ patches.kernel.org/5.1.15-002-mmc-sdhci-sdhci-pci-o2micro-Correctly-set-bus-.patch
+ patches.kernel.org/5.1.15-003-mmc-sdhi-disallow-HS400-for-M3-W-ES1.2-RZ-G2M-.patch
+ patches.kernel.org/5.1.15-004-mmc-mediatek-fix-SDIO-IRQ-interrupt-handle-flo.patch
+ patches.kernel.org/5.1.15-005-mmc-mediatek-fix-SDIO-IRQ-detection-issue.patch
+ patches.kernel.org/5.1.15-006-mmc-core-API-to-temporarily-disable-retuning-f.patch
+ patches.kernel.org/5.1.15-007-mmc-core-Add-sdio_retune_hold_now-and-sdio_ret.patch
+ patches.kernel.org/5.1.15-008-mmc-core-Prevent-processing-SDIO-IRQs-when-the.patch
+ patches.kernel.org/5.1.15-009-scsi-ufs-Avoid-runtime-suspend-possibly-being-.patch
+ patches.kernel.org/5.1.15-010-usb-chipidea-udc-workaround-for-endpoint-confl.patch
+ patches.kernel.org/5.1.15-011-xhci-detect-USB-3.2-capable-host-controllers-c.patch
+ patches.kernel.org/5.1.15-012-usb-xhci-Don-t-try-to-recover-an-endpoint-if-p.patch
+ patches.kernel.org/5.1.15-013-cifs-add-spinlock-for-the-openFileList-to-cifs.patch
+ patches.kernel.org/5.1.15-014-cifs-fix-GlobalMid_Lock-bug-in-cifs_reconnect.patch
+ patches.kernel.org/5.1.15-015-IB-hfi1-Validate-fault-injection-opcode-user-i.patch
+ patches.kernel.org/5.1.15-016-IB-hfi1-Close-PSM-sdma_progress-sleep-window.patch
+ patches.kernel.org/5.1.15-017-IB-hfi1-Avoid-hardlockup-with-flushlist_lock.patch
+ patches.kernel.org/5.1.15-018-IB-hfi1-Correct-tid-qp-rcd-to-match-verbs-cont.patch
+ patches.kernel.org/5.1.15-019-IB-hfi1-Silence-txreq-allocation-warnings.patch
+ patches.kernel.org/5.1.15-020-iio-imu-st_lsm6dsx-fix-PM-support-for-st_lsm6d.patch
+ patches.kernel.org/5.1.15-021-iio-temperature-mlx90632-Relax-the-compatibili.patch
+ patches.kernel.org/5.1.15-022-Input-synaptics-enable-SMBus-on-ThinkPad-E480-.patch
+ patches.kernel.org/5.1.15-023-Input-uinput-add-compat-ioctl-number-translati.patch
+ patches.kernel.org/5.1.15-024-Input-silead-add-MSSL0017-to-acpi_device_id.patch
+ patches.kernel.org/5.1.15-025-apparmor-fix-PROFILE_MEDIATES-for-untrusted-in.patch
+ patches.kernel.org/5.1.15-026-apparmor-enforce-nullbyte-at-end-of-tag-string.patch
+ patches.kernel.org/5.1.15-027-apparmor-reset-pos-on-failure-to-unpack-for-va.patch
+ patches.kernel.org/5.1.15-028-Revert-brcmfmac-disable-command-decode-in-sdio.patch
+ patches.kernel.org/5.1.15-029-brcmfmac-sdio-Disable-auto-tuning-around-comma.patch
+ patches.kernel.org/5.1.15-030-brcmfmac-sdio-Don-t-tune-while-the-card-is-off.patch
+ patches.kernel.org/5.1.15-031-lkdtm-usercopy-Moves-the-KERNEL_DS-test-to-non.patch
+ patches.kernel.org/5.1.15-032-ARC-fix-build-warnings.patch
+ patches.kernel.org/5.1.15-033-dmaengine-jz4780-Fix-transfers-being-ACKed-too.patch
+ patches.kernel.org/5.1.15-034-dmaengine-dw-axi-dmac-fix-null-dereference-whe.patch
+ patches.kernel.org/5.1.15-035-dmaengine-mediatek-cqdma-sleeping-in-atomic-co.patch
+ patches.kernel.org/5.1.15-036-dmaengine-sprd-Fix-the-possible-crash-when-get.patch
+ patches.kernel.org/5.1.15-037-dmaengine-sprd-Add-validation-of-current-descr.patch
+ patches.kernel.org/5.1.15-038-dmaengine-sprd-Fix-the-incorrect-start-for-2-s.patch
+ patches.kernel.org/5.1.15-039-dmaengine-sprd-Fix-block-length-overflow.patch
+ patches.kernel.org/5.1.15-040-dmaengine-sprd-Fix-the-right-place-to-configur.patch
+ patches.kernel.org/5.1.15-041-ARC-plat-hsdk-Add-missing-multicast-filter-bin.patch
+ patches.kernel.org/5.1.15-042-ARC-plat-hsdk-Add-missing-FIFO-size-entry-in-G.patch
+ patches.kernel.org/5.1.15-043-MIPS-mark-ginvt-as-__always_inline.patch
+ patches.kernel.org/5.1.15-044-fpga-stratix10-soc-fix-use-after-free-on-s10_i.patch
+ patches.kernel.org/5.1.15-045-fpga-dfl-afu-Pass-the-correct-device-to-dma_ma.patch
+ patches.kernel.org/5.1.15-046-fpga-dfl-Add-lockdep-classes-for-pdata-lock.patch
+ patches.kernel.org/5.1.15-047-parport-Fix-mem-leak-in-parport_register_dev_m.patch
+ patches.kernel.org/5.1.15-048-parisc-Fix-compiler-warnings-in-float-emulatio.patch
+ patches.kernel.org/5.1.15-049-habanalabs-fix-bug-in-checking-huge-page-optim.patch
+ patches.kernel.org/5.1.15-050-IB-rdmavt-Fix-alloc_qpn-WARN_ON.patch
+ patches.kernel.org/5.1.15-051-IB-hfi1-Insure-freeze_work-work_struct-is-canc.patch
+ patches.kernel.org/5.1.15-052-IB-qib-hfi1-rdmavt-Correct-ibv_devinfo-max_mr-.patch
+ patches.kernel.org/5.1.15-053-IB-hfi1-Validate-page-aligned-for-a-given-virt.patch
+ patches.kernel.org/5.1.15-054-MIPS-uprobes-remove-set-but-not-used-variable-.patch
+ patches.kernel.org/5.1.15-055-crypto-hmac-fix-memory-leak-in-hmac_init_tfm.patch
+ patches.kernel.org/5.1.15-056-xtensa-Fix-section-mismatch-between-memblock_r.patch
+ patches.kernel.org/5.1.15-057-kselftest-cgroup-fix-unexpected-testing-failur.patch
+ patches.kernel.org/5.1.15-058-kselftest-cgroup-fix-unexpected-testing-failur.patch
+ patches.kernel.org/5.1.15-059-kselftest-cgroup-fix-incorrect-test_core-skip.patch
+ patches.kernel.org/5.1.15-060-userfaultfd-selftest-fix-compiler-warning.patch
+ patches.kernel.org/5.1.15-061-selftests-vm-install-test_vmalloc.sh-for-run_v.patch
+ patches.kernel.org/5.1.15-062-net-dsa-mv88e6xxx-avoid-error-message-on-remov.patch
+ patches.kernel.org/5.1.15-063-net-hns-Fix-loopback-test-failed-at-copper-por.patch
+ patches.kernel.org/5.1.15-064-mdesc-fix-a-missing-check-bug-in-get_vdev_port.patch
+ patches.kernel.org/5.1.15-065-sparc-perf-fix-updated-event-period-in-respons.patch
+ patches.kernel.org/5.1.15-066-net-ethernet-mediatek-Use-hw_feature-to-judge-.patch
+ patches.kernel.org/5.1.15-067-net-ethernet-mediatek-Use-NET_IP_ALIGN-to-judg.patch
+ patches.kernel.org/5.1.15-068-selftests-set-sysctl-bc_forwarding-properly-in.patch
+ patches.kernel.org/5.1.15-069-drm-arm-mali-dp-Add-a-loop-around-the-second-s.patch
+ patches.kernel.org/5.1.15-070-drm-arm-hdlcd-Actually-validate-CRTC-modes.patch
+ patches.kernel.org/5.1.15-071-drm-arm-hdlcd-Allow-a-bit-of-clock-tolerance.patch
+ patches.kernel.org/5.1.15-072-nvmet-fix-data_len-to-0-for-bdev-backed-write_.patch
+ patches.kernel.org/5.1.15-073-kbuild-tar-pkg-enable-communication-with-jobse.patch
+ patches.kernel.org/5.1.15-074-scripts-checkstack.pl-Fix-arm64-wrong-or-unkno.patch
+ patches.kernel.org/5.1.15-075-net-phylink-avoid-reducing-support-mask.patch
+ patches.kernel.org/5.1.15-076-scsi-ufs-Check-that-space-was-properly-alloced.patch
+ patches.kernel.org/5.1.15-077-scsi-smartpqi-unlock-on-error-in-pqi_submit_ra.patch
+ patches.kernel.org/5.1.15-078-net-ipvlan-Fix-ipvlan-device-tso-disabled-whil.patch
+ patches.kernel.org/5.1.15-079-udmabuf-actually-unmap-the-scatterlist.patch
+ patches.kernel.org/5.1.15-080-tests-fix-pidfd-test-compilation.patch
+ patches.kernel.org/5.1.15-081-s390-qeth-handle-limited-IPv4-broadcast-in-L3-.patch
+ patches.kernel.org/5.1.15-082-s390-qeth-check-dst-entry-before-use.patch
+ patches.kernel.org/5.1.15-083-s390-qeth-fix-VLAN-attribute-in-bridge_hostnot.patch
+ patches.kernel.org/5.1.15-084-hwmon-core-add-thermal-sensors-only-if-dev-of_.patch
+ patches.kernel.org/5.1.15-085-hwmon-pmbus-core-Treat-parameters-as-paged-if-.patch
+ patches.kernel.org/5.1.15-086-arm64-Silence-gcc-warnings-about-arch-ABI-drif.patch
+ patches.kernel.org/5.1.15-087-nvme-Fix-u32-overflow-in-the-number-of-namespa.patch
+ patches.kernel.org/5.1.15-088-ovl-detect-overlapping-layers.patch
+ patches.kernel.org/5.1.15-089-ovl-don-t-fail-with-disconnected-lower-NFS.patch
+ patches.kernel.org/5.1.15-090-ovl-fix-bogus-Wmaybe-unitialized-warning.patch
+ patches.kernel.org/5.1.15-091-btrfs-start-readahead-also-in-seed-devices.patch
+ patches.kernel.org/5.1.15-092-can-xilinx_can-use-correct-bittiming_const-for.patch
+ patches.kernel.org/5.1.15-093-can-flexcan-fix-timeout-when-set-small-bitrate.patch
+ patches.kernel.org/5.1.15-094-can-purge-socket-error-queue-on-sock-destruct.patch
+ patches.kernel.org/5.1.15-095-riscv-mm-synchronize-MMU-after-pte-change.patch
+ patches.kernel.org/5.1.15-096-powerpc-bpf-use-unsigned-division-instruction-.patch
+ patches.kernel.org/5.1.15-097-ARM-imx-cpuidle-imx6sx-Restrict-the-SW2ISO-inc.patch
+ patches.kernel.org/5.1.15-098-ARM-mvebu_v7_defconfig-fix-Ethernet-on-Clearfo.patch
+ patches.kernel.org/5.1.15-099-ARM-dts-dra76x-Update-MMC2_HS200_MANUAL1-iodel.patch
+ patches.kernel.org/5.1.15-100-ARM-dts-am57xx-idk-Remove-support-for-voltage-.patch
+ patches.kernel.org/5.1.15-101-arm64-sve-uapi-asm-ptrace.h-should-not-depend-.patch
+ patches.kernel.org/5.1.15-102-arm64-ssbd-explicitly-depend-on-linux-prctl.h.patch
+ patches.kernel.org/5.1.15-103-KVM-x86-mmu-Allocate-PAE-root-array-when-using.patch
+ patches.kernel.org/5.1.15-104-ovl-make-i_ino-consistent-with-st_ino-in-more-.patch
+ patches.kernel.org/5.1.15-105-drm-vmwgfx-Use-the-backdoor-port-if-the-HB-por.patch
+ patches.kernel.org/5.1.15-106-drm-i915-Don-t-clobber-M-N-values-during-fasts.patch
+ patches.kernel.org/5.1.15-107-binder-fix-possible-UAF-when-freeing-buffer.patch
+ patches.kernel.org/5.1.15-108-staging-erofs-add-requirements-field-in-superb.patch
+ patches.kernel.org/5.1.15-109-Bluetooth-Align-minimum-encryption-key-size-fo.patch
+ patches.kernel.org/5.1.15-110-Bluetooth-Fix-regression-with-minimum-encrypti.patch
+ patches.kernel.org/5.1.15-111-SMB3-retry-on-STATUS_INSUFFICIENT_RESOURCES-in.patch
+ patches.kernel.org/5.1.15-112-x86-vdso-Prevent-segfaults-due-to-hoisted-vclo.patch
+ patches.kernel.org/5.1.15-113-fs-namespace-fix-unprivileged-mount-propagatio.patch
+ patches.kernel.org/5.1.15-114-cfg80211-fix-memory-leak-of-wiphy-device-name.patch
+ patches.kernel.org/5.1.15-115-mac80211-drop-robust-management-frames-from-un.patch
+ patches.kernel.org/5.1.15-116-nl-mac-80211-allow-4addr-AP-operation-on-crypt.patch
+ patches.kernel.org/5.1.15-117-mac80211-handle-deauthentication-disassociatio.patch
+ patches.kernel.org/5.1.15-118-nl80211-fix-station_info-pertid-memory-leak.patch
+ patches.kernel.org/5.1.15-119-mac80211-Do-not-use-stack-memory-with-scatterl.patch
+ patches.kernel.org/5.1.15-120-x86-resctrl-Don-t-stop-walking-closids-when-a-.patch
+ patches.kernel.org/5.1.15-121-powerpc-mm-64s-hash-Reallocate-context-ids-on-.patch
+ patches.kernel.org/5.1.15-122-Linux-5.1.15.patch
########################################################
# Build fixes that apply to the vanilla kernel too.