authorOlaf Hering <ohering@suse.de>2019-04-24 16:44:43 +0200
committerOlaf Hering <ohering@suse.de>2019-04-24 16:44:43 +0200
commit2d3fb103081027499860c0f3976ca47586c760a0 (patch)
treedbfe90f0eaef94e29eefcf9534129a005b1d6001
parent1f231cf84409679590cb965da87542c50a7c3309 (diff)
parent77b9d8908d9b24a966b7f3ac58314aa53087c7c4 (diff)
Merge remote-tracking branch 'kerncvs/SLE15' into SLE15-AZURE
-rw-r--r--blacklist.conf3
-rw-r--r--patches.drivers/ASoC-fsl_esai-fix-channel-swap-issue-when-stream-sta.patch135
-rw-r--r--patches.drivers/ASoC-topology-free-created-components-in-tplg-load-e.patch47
-rw-r--r--patches.drivers/Input-snvs_pwrkey-initialize-necessary-driver-data-b.patch50
-rw-r--r--patches.drivers/PCI-Add-function-1-DMA-alias-quirk-for-Marvell-9170-.patch41
-rw-r--r--patches.drivers/ath10k-avoid-possible-string-overflow.patch40
-rw-r--r--patches.drivers/iio-ad_sigma_delta-select-channel-when-reading-regis.patch39
-rw-r--r--patches.drivers/iio-core-fix-a-possible-circular-locking-dependency.patch154
-rw-r--r--patches.drivers/iio-cros_ec-Fix-the-maths-for-gyro-scale-calculation.patch63
-rw-r--r--patches.drivers/mmc-davinci-remove-extraneous-__init-annotation.patch42
-rw-r--r--patches.drm/drm-nouveau-volt-gf117-fix-speedo-readout-register.patch130
-rw-r--r--patches.fixes/0001-cxgb4-fix-the-error-path-of-cxgb4_uld_register.patch136
-rw-r--r--patches.fixes/0001-cxgb4-remove-the-unneeded-locks.patch247
-rw-r--r--patches.fixes/9p-do-not-trust-pdu-content-for-stat-item-size.patch77
-rw-r--r--patches.fixes/ACPI-SBS-Fix-GPE-storm-on-recent-MacBookPro-s.patch56
-rw-r--r--patches.fixes/NFS-Fix-dentry-revalidation-on-NFSv4-lookup.patch65
-rw-r--r--patches.fixes/bpf-fix-use-after-free-in-bpf_evict_inode.patch172
-rw-r--r--patches.fixes/crypto-sha256-arm-fix-crash-bug-in-Thumb2-build.patch99
-rw-r--r--patches.fixes/crypto-sha512-arm-fix-crash-bug-in-Thumb2-build.patch99
-rw-r--r--patches.fixes/crypto-x86-poly1305-fix-overflow-during-partial-redu.patch192
-rw-r--r--patches.suse/bonding-fix-PACKET_ORIGDEV-regression.patch96
-rw-r--r--patches.suse/bridge-do-not-add-port-to-router-list-when-receives-.patch55
-rw-r--r--patches.suse/net-bridge-remove-ipv6-zero-address-check-in-mcast-q.patch48
-rw-r--r--patches.suse/rds-fix-refcount-bug-in-rds_sock_addref.patch98
-rw-r--r--series.conf23
25 files changed, 2102 insertions, 105 deletions
diff --git a/blacklist.conf b/blacklist.conf
index d047ca90b7..2a6d195420 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1074,3 +1074,6 @@ bbbe211c295ffb309247adb7b871dda60d92d2d5 # there is no do_xdp_generic() function
1de7edbb59c8f1b46071f66c5c97b8a59569eb51 # not needed
62461ac2e5b6520b6d65fc6d7d7b4b8df4b848d8 # ditto
69a330007091ea8a801dd9fcd897ec52f9529586 # breaks module options
+c7084edc3f6d67750f50d4183134c4fb5712a5c8 # do not disable R3964 in released products
+f76a16adc485699f95bb71fce114f97c832fe664 # don't change layout of kernel or modules
+1cab826b30c6275d479a6ab1dea1067e15dbec62 # pcie-dwc: not buildable, missing helper functions
diff --git a/patches.drivers/ASoC-fsl_esai-fix-channel-swap-issue-when-stream-sta.patch b/patches.drivers/ASoC-fsl_esai-fix-channel-swap-issue-when-stream-sta.patch
new file mode 100644
index 0000000000..11e8aed196
--- /dev/null
+++ b/patches.drivers/ASoC-fsl_esai-fix-channel-swap-issue-when-stream-sta.patch
@@ -0,0 +1,135 @@
+From 0ff4e8c61b794a4bf6c854ab071a1abaaa80f358 Mon Sep 17 00:00:00 2001
+From: "S.j. Wang" <shengjiu.wang@nxp.com>
+Date: Wed, 27 Feb 2019 06:31:12 +0000
+Subject: [PATCH] ASoC: fsl_esai: fix channel swap issue when stream starts
+Git-commit: 0ff4e8c61b794a4bf6c854ab071a1abaaa80f358
+Patch-mainline: v5.1-rc5
+References: bsc#1051510
+
+There is very low possibility ( < 0.1% ) that channel swap happened
+in beginning when multi output/input pin is enabled. The issue is
+that hardware can't send data to correct pin in the beginning with
+the normal enable flow.
+
+This is hardware issue, but there is no errata, the workaround flow
+is that: Each time playback/recording, firstly clear the xSMA/xSMB,
+then enable TE/RE, then enable xSMB and xSMA (xSMB must be enabled
+before xSMA). Which is to use the xSMA as the trigger start register,
+previously the xCR_TE or xCR_RE is the bit for starting.
+
+Fixes commit 43d24e76b698 ("ASoC: fsl_esai: Add ESAI CPU DAI driver")
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/soc/fsl/fsl_esai.c | 47 +++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 37 insertions(+), 10 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_esai.c b/sound/soc/fsl/fsl_esai.c
+index afe67c865330..3623aa9a6f2e 100644
+--- a/sound/soc/fsl/fsl_esai.c
++++ b/sound/soc/fsl/fsl_esai.c
+@@ -54,6 +54,8 @@ struct fsl_esai {
+ u32 fifo_depth;
+ u32 slot_width;
+ u32 slots;
++ u32 tx_mask;
++ u32 rx_mask;
+ u32 hck_rate[2];
+ u32 sck_rate[2];
+ bool hck_dir[2];
+@@ -361,21 +363,13 @@ static int fsl_esai_set_dai_tdm_slot(struct snd_soc_dai *dai, u32 tx_mask,
+ regmap_update_bits(esai_priv->regmap, REG_ESAI_TCCR,
+ ESAI_xCCR_xDC_MASK, ESAI_xCCR_xDC(slots));
+
+- regmap_update_bits(esai_priv->regmap, REG_ESAI_TSMA,
+- ESAI_xSMA_xS_MASK, ESAI_xSMA_xS(tx_mask));
+- regmap_update_bits(esai_priv->regmap, REG_ESAI_TSMB,
+- ESAI_xSMB_xS_MASK, ESAI_xSMB_xS(tx_mask));
+-
+ regmap_update_bits(esai_priv->regmap, REG_ESAI_RCCR,
+ ESAI_xCCR_xDC_MASK, ESAI_xCCR_xDC(slots));
+
+- regmap_update_bits(esai_priv->regmap, REG_ESAI_RSMA,
+- ESAI_xSMA_xS_MASK, ESAI_xSMA_xS(rx_mask));
+- regmap_update_bits(esai_priv->regmap, REG_ESAI_RSMB,
+- ESAI_xSMB_xS_MASK, ESAI_xSMB_xS(rx_mask));
+-
+ esai_priv->slot_width = slot_width;
+ esai_priv->slots = slots;
++ esai_priv->tx_mask = tx_mask;
++ esai_priv->rx_mask = rx_mask;
+
+ return 0;
+ }
+@@ -596,6 +590,7 @@ static int fsl_esai_trigger(struct snd_pcm_substream *substream, int cmd,
+ bool tx = substream->stream == SNDRV_PCM_STREAM_PLAYBACK;
+ u8 i, channels = substream->runtime->channels;
+ u32 pins = DIV_ROUND_UP(channels, esai_priv->slots);
++ u32 mask;
+
+ switch (cmd) {
+ case SNDRV_PCM_TRIGGER_START:
+@@ -608,15 +603,38 @@ static int fsl_esai_trigger(struct snd_pcm_substream *substream, int cmd,
+ for (i = 0; tx && i < channels; i++)
+ regmap_write(esai_priv->regmap, REG_ESAI_ETDR, 0x0);
+
++ /*
++ * When set the TE/RE in the end of enablement flow, there
++ * will be channel swap issue for multi data line case.
++ * In order to workaround this issue, we switch the bit
++ * enablement sequence to below sequence
++ * 1) clear the xSMB & xSMA: which is done in probe and
++ * stop state.
++ * 2) set TE/RE
++ * 3) set xSMB
++ * 4) set xSMA: xSMA is the last one in this flow, which
++ * will trigger esai to start.
++ */
+ regmap_update_bits(esai_priv->regmap, REG_ESAI_xCR(tx),
+ tx ? ESAI_xCR_TE_MASK : ESAI_xCR_RE_MASK,
+ tx ? ESAI_xCR_TE(pins) : ESAI_xCR_RE(pins));
++ mask = tx ? esai_priv->tx_mask : esai_priv->rx_mask;
++
++ regmap_update_bits(esai_priv->regmap, REG_ESAI_xSMB(tx),
++ ESAI_xSMB_xS_MASK, ESAI_xSMB_xS(mask));
++ regmap_update_bits(esai_priv->regmap, REG_ESAI_xSMA(tx),
++ ESAI_xSMA_xS_MASK, ESAI_xSMA_xS(mask));
++
+ break;
+ case SNDRV_PCM_TRIGGER_SUSPEND:
+ case SNDRV_PCM_TRIGGER_STOP:
+ case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
+ regmap_update_bits(esai_priv->regmap, REG_ESAI_xCR(tx),
+ tx ? ESAI_xCR_TE_MASK : ESAI_xCR_RE_MASK, 0);
++ regmap_update_bits(esai_priv->regmap, REG_ESAI_xSMA(tx),
++ ESAI_xSMA_xS_MASK, 0);
++ regmap_update_bits(esai_priv->regmap, REG_ESAI_xSMB(tx),
++ ESAI_xSMB_xS_MASK, 0);
+
+ /* Disable and reset FIFO */
+ regmap_update_bits(esai_priv->regmap, REG_ESAI_xFCR(tx),
+@@ -906,6 +924,15 @@ static int fsl_esai_probe(struct platform_device *pdev)
+ return ret;
+ }
+
++ esai_priv->tx_mask = 0xFFFFFFFF;
++ esai_priv->rx_mask = 0xFFFFFFFF;
++
++ /* Clear the TSMA, TSMB, RSMA, RSMB */
++ regmap_write(esai_priv->regmap, REG_ESAI_TSMA, 0);
++ regmap_write(esai_priv->regmap, REG_ESAI_TSMB, 0);
++ regmap_write(esai_priv->regmap, REG_ESAI_RSMA, 0);
++ regmap_write(esai_priv->regmap, REG_ESAI_RSMB, 0);
++
+ ret = devm_snd_soc_register_component(&pdev->dev, &fsl_esai_component,
+ &fsl_esai_dai, 1);
+ if (ret) {
+--
+2.16.4
+
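Review bot: The new `tx_mask`/`rx_mask` members of `struct fsl_esai` carry no comment, although they change when the slot masks reach the hardware. `fsl_esai_set_dai_tdm_slot()` now only stores them, and `fsl_esai_trigger()` writes them to xSMB/xSMA on START, so a mask set while a stream is running presumably takes effect only at the next start. A field comment such as `/* slot masks latched by set_dai_tdm_slot(); written to xSMB then xSMA on trigger START */` would record this next to the data. The struct and both functions extend outside the hunks shown.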
diff --git a/patches.drivers/ASoC-topology-free-created-components-in-tplg-load-e.patch b/patches.drivers/ASoC-topology-free-created-components-in-tplg-load-e.patch
new file mode 100644
index 0000000000..954291ac19
--- /dev/null
+++ b/patches.drivers/ASoC-topology-free-created-components-in-tplg-load-e.patch
@@ -0,0 +1,47 @@
+From 304017d31df36fb61eb2ed3ebf65fb6870b3c731 Mon Sep 17 00:00:00 2001
+From: Bard liao <yung-chuan.liao@linux.intel.com>
+Date: Sun, 17 Feb 2019 21:23:47 +0800
+Subject: [PATCH] ASoC: topology: free created components in tplg load error
+Git-commit: 304017d31df36fb61eb2ed3ebf65fb6870b3c731
+Patch-mainline: v5.0-rc8
+References: bsc#1051510
+
+Topology resources are no longer needed if any element failed to load.
+
+Signed-off-by: Bard liao <yung-chuan.liao@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ sound/soc/soc-topology.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
+index fc79ec6927e3..731b963b6995 100644
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -2487,6 +2487,7 @@ int snd_soc_tplg_component_load(struct snd_soc_component *comp,
+ struct snd_soc_tplg_ops *ops, const struct firmware *fw, u32 id)
+ {
+ struct soc_tplg tplg;
++ int ret;
+
+ /* setup parsing context */
+ memset(&tplg, 0, sizeof(tplg));
+@@ -2500,7 +2501,12 @@ int snd_soc_tplg_component_load(struct snd_soc_component *comp,
+ tplg.bytes_ext_ops = ops->bytes_ext_ops;
+ tplg.bytes_ext_ops_count = ops->bytes_ext_ops_count;
+
+- return soc_tplg_load(&tplg);
++ ret = soc_tplg_load(&tplg);
++ /* free the created components if fail to load topology */
++ if (ret)
++ snd_soc_tplg_component_remove(comp, SND_SOC_TPLG_INDEX_ALL);
++
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(snd_soc_tplg_component_load);
+
+--
+2.16.4
+
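Review bot: The error path in `snd_soc_tplg_component_load()` calls `snd_soc_tplg_component_remove(comp, SND_SOC_TPLG_INDEX_ALL)` rather than using the `id` the caller passed in. If a component can load more than one topology, a failure in a later load would presumably also free the objects created by an earlier, successful load, leaving the caller with references to freed state. Confirm whether the cleanup should be scoped, e.g. `snd_soc_tplg_component_remove(comp, id);`. If removing everything is intended, say so in the comment: `/* on failure drop every dynamic object of this component, not only this load's */`.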
diff --git a/patches.drivers/Input-snvs_pwrkey-initialize-necessary-driver-data-b.patch b/patches.drivers/Input-snvs_pwrkey-initialize-necessary-driver-data-b.patch
new file mode 100644
index 0000000000..8fe8fdd705
--- /dev/null
+++ b/patches.drivers/Input-snvs_pwrkey-initialize-necessary-driver-data-b.patch
@@ -0,0 +1,50 @@
+From bf2a7ca39fd3ab47ef71c621a7ee69d1813b1f97 Mon Sep 17 00:00:00 2001
+From: Anson Huang <anson.huang@nxp.com>
+Date: Wed, 3 Apr 2019 15:14:44 -0700
+Subject: [PATCH] Input: snvs_pwrkey - initialize necessary driver data before enabling IRQ
+Git-commit: bf2a7ca39fd3ab47ef71c621a7ee69d1813b1f97
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+SNVS IRQ is requested before necessary driver data initialized,
+if there is a pending IRQ during driver probe phase, kernel
+NULL pointer panic will occur in IRQ handler. To avoid such
+scenario, just initialize necessary driver data before enabling
+IRQ. This patch is inspired by NXP's internal kernel tree.
+
+Fixes: d3dc6e232215 ("input: keyboard: imx: add snvs power key driver")
+Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/input/keyboard/snvs_pwrkey.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/input/keyboard/snvs_pwrkey.c b/drivers/input/keyboard/snvs_pwrkey.c
+index effb63205d3d..4c67cf30a5d9 100644
+--- a/drivers/input/keyboard/snvs_pwrkey.c
++++ b/drivers/input/keyboard/snvs_pwrkey.c
+@@ -148,6 +148,9 @@ static int imx_snvs_pwrkey_probe(struct platform_device *pdev)
+ return error;
+ }
+
++ pdata->input = input;
++ platform_set_drvdata(pdev, pdata);
++
+ error = devm_request_irq(&pdev->dev, pdata->irq,
+ imx_snvs_pwrkey_interrupt,
+ 0, pdev->name, pdev);
+@@ -163,9 +166,6 @@ static int imx_snvs_pwrkey_probe(struct platform_device *pdev)
+ return error;
+ }
+
+- pdata->input = input;
+- platform_set_drvdata(pdev, pdata);
+-
+ device_init_wakeup(&pdev->dev, pdata->wakeup);
+
+ return 0;
+--
+2.16.4
+
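Review bot: The moved assignments in `imx_snvs_pwrkey_probe()` now encode an ordering requirement that nothing in the code states. Per the description, the handler dereferences the driver data and a pending IRQ can fire as soon as `devm_request_irq()` returns, so a later cleanup could move the lines back and reintroduce the NULL dereference. Add a comment above them, for example `/* must be set before the IRQ is requested: the handler reads drvdata */`. The probe function starts and ends outside the hunks.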
diff --git a/patches.drivers/PCI-Add-function-1-DMA-alias-quirk-for-Marvell-9170-.patch b/patches.drivers/PCI-Add-function-1-DMA-alias-quirk-for-Marvell-9170-.patch
new file mode 100644
index 0000000000..0e84e27fa3
--- /dev/null
+++ b/patches.drivers/PCI-Add-function-1-DMA-alias-quirk-for-Marvell-9170-.patch
@@ -0,0 +1,41 @@
+From 9cde402a59770a0669d895399c13407f63d7d209 Mon Sep 17 00:00:00 2001
+From: Andre Przywara <andre.przywara@arm.com>
+Date: Fri, 5 Apr 2019 16:20:47 +0100
+Subject: [PATCH] PCI: Add function 1 DMA alias quirk for Marvell 9170 SATA controller
+Git-commit: 9cde402a59770a0669d895399c13407f63d7d209
+Patch-mainline: v5.1-rc5
+References: bsc#1051510
+
+There is a Marvell 88SE9170 PCIe SATA controller I found on a board here.
+Some quick testing with the ARM SMMU enabled reveals that it suffers from
+the same requester ID mixup problems as the other Marvell chips listed
+already.
+
+Add the PCI vendor/device ID to the list of chips which need the
+workaround.
+
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/pci/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index a59ad09ce911..a077f67fe1da 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -3877,6 +3877,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9128,
+ /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9130,
+ quirk_dma_func1_alias);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9170,
++ quirk_dma_func1_alias);
+ /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c47 + c57 */
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9172,
+ quirk_dma_func1_alias);
+--
+2.16.4
+
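Review bot: The added `0x9170` entry sits directly under the 0x9130 bugzilla reference (`#c14`) with no comment of its own, so it reads as if that report covers it. According to the description, the evidence is instead the author's own test with the ARM SMMU enabled. Because this quirk changes which requester IDs the IOMMU accepts for the device, the justification is worth keeping at the entry: `/* 88SE9170: requester ID mixup observed with ARM SMMU enabled */`.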
diff --git a/patches.drivers/ath10k-avoid-possible-string-overflow.patch b/patches.drivers/ath10k-avoid-possible-string-overflow.patch
new file mode 100644
index 0000000000..477a0f80c8
--- /dev/null
+++ b/patches.drivers/ath10k-avoid-possible-string-overflow.patch
@@ -0,0 +1,40 @@
+From 6707ba0105a2d350710bc0a537a98f49eb4b895d Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 29 Mar 2018 00:06:10 +0200
+Subject: [PATCH] ath10k: avoid possible string overflow
+Git-commit: 6707ba0105a2d350710bc0a537a98f49eb4b895d
+Patch-mainline: v4.18-rc1
+References: bsc#1051510
+
+[ backport note: only the first chunk was applied -- tiwai ]
+
+The way that 'strncat' is used here raised a warning in gcc-8:
+
+Drivers/net/wireless/ath/ath10k/wmi.c: In function 'ath10k_wmi_tpc_stats_final_disp_tables':
+drivers/net/wireless/ath/ath10k/wmi.c:4649:4: error: 'strncat' output truncated before terminating nul copying as many bytes from a string as its length [-Werror=stringop-truncation]
+
+Effectively, this is simply a strcat() but the use of strncat() suggests
+some form of overflow check. Regardless of whether this might actually
+overflow, using strlcat() instead of strncat() avoids the warning and
+makes the code more robust.
+
+Fixes: bc64d05220f3 ("ath10k: debugfs support to get final TPC stats for 10.4 variants")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -4284,7 +4284,7 @@ static void ath10k_tpc_config_disp_table
+ rate_code[i],
+ type);
+ snprintf(buff, sizeof(buff), "%8d ", tpc[j]);
+- strncat(tpc_value, buff, strlen(buff));
++ strlcat(tpc_value, buff, sizeof(tpc_value));
+ }
+ tpc_stats->tpc_table[type].pream_idx[i] = pream_idx;
+ tpc_stats->tpc_table[type].rate_code[i] = rate_code[i];
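Review bot: The new `strlcat(tpc_value, buff, sizeof(tpc_value))` bounds the write, but its return value is dropped, so a truncated TPC row is stored without any indication. `sizeof(tpc_value)` is also only the right bound if `tpc_value` is an array declared in this function. That declaration is outside the hunk and should be checked in the SLE15 tree, since only the first chunk of the upstream patch was applied. If truncation matters, test the result, e.g. `if (strlcat(tpc_value, buff, sizeof(tpc_value)) >= sizeof(tpc_value)) break;`, otherwise add a comment that truncation is acceptable here.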
diff --git a/patches.drivers/iio-ad_sigma_delta-select-channel-when-reading-regis.patch b/patches.drivers/iio-ad_sigma_delta-select-channel-when-reading-regis.patch
new file mode 100644
index 0000000000..1ffb03c9e7
--- /dev/null
+++ b/patches.drivers/iio-ad_sigma_delta-select-channel-when-reading-regis.patch
@@ -0,0 +1,39 @@
+From fccfb9ce70ed4ea7a145f77b86de62e38178517f Mon Sep 17 00:00:00 2001
+From: Dragos Bogdan <dragos.bogdan@analog.com>
+Date: Tue, 19 Mar 2019 12:47:00 +0200
+Subject: [PATCH] iio: ad_sigma_delta: select channel when reading register
+Git-commit: fccfb9ce70ed4ea7a145f77b86de62e38178517f
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+The desired channel has to be selected in order to correctly fill the
+buffer with the corresponding data.
+The `ad_sd_write_reg()` already does this, but for the
+`ad_sd_read_reg_raw()` this was omitted.
+
+Fixes: af3008485ea03 ("iio:adc: Add common code for ADI Sigma Delta devices")
+Signed-off-by: Dragos Bogdan <dragos.bogdan@analog.com>
+Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/iio/adc/ad_sigma_delta.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c
+index ff5f2da2e1b1..54d9978b2740 100644
+--- a/drivers/iio/adc/ad_sigma_delta.c
++++ b/drivers/iio/adc/ad_sigma_delta.c
+@@ -121,6 +121,7 @@ static int ad_sd_read_reg_raw(struct ad_sigma_delta *sigma_delta,
+ if (sigma_delta->info->has_registers) {
+ data[0] = reg << sigma_delta->info->addr_shift;
+ data[0] |= sigma_delta->info->read_mask;
++ data[0] |= sigma_delta->comm;
+ spi_message_add_tail(&t[0], &m);
+ }
+ spi_message_add_tail(&t[1], &m);
+--
+2.16.4
+
diff --git a/patches.drivers/iio-core-fix-a-possible-circular-locking-dependency.patch b/patches.drivers/iio-core-fix-a-possible-circular-locking-dependency.patch
new file mode 100644
index 0000000000..8219c16533
--- /dev/null
+++ b/patches.drivers/iio-core-fix-a-possible-circular-locking-dependency.patch
@@ -0,0 +1,154 @@
+From 7f75591fc5a123929a29636834d1bcb8b5c9fee3 Mon Sep 17 00:00:00 2001
+From: Fabrice Gasnier <fabrice.gasnier@st.com>
+Date: Mon, 25 Mar 2019 14:01:23 +0100
+Subject: [PATCH] iio: core: fix a possible circular locking dependency
+Git-commit: 7f75591fc5a123929a29636834d1bcb8b5c9fee3
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+This fixes a possible circular locking dependency detected warning seen
+With:
+- CONFIG_PROVE_LOCKING=y
+- consumer/provider IIO devices (ex: "voltage-divider" consumer of "adc")
+
+When using the IIO consumer interface, e.g. iio_channel_get(), the consumer
+device will likely call iio_read_channel_raw() or similar that rely on
+'info_exist_lock' mutex.
+
+Typically:
+...
+ mutex_lock(&chan->indio_dev->info_exist_lock);
+ if (chan->indio_dev->info == NULL) {
+ ret = -ENODEV;
+ goto err_unlock;
+ }
+ ret = do_some_ops()
+Err_unlock: mutex_unlock(&chan->indio_dev->info_exist_lock); return ret;
+...
+
+Same mutex is also hold in iio_device_unregister().
+
+The following deadlock warning happens when:
+- the consumer device has called an API like iio_read_channel_raw()
+ at least once.
+- the consumer driver is unregistered, removed (unbind from sysfs)
+
+======================================================
+Warning: possible circular locking dependency detected
+4.19.24 #577 Not tainted
+
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+------------------------------------------------------
+sh/372 is trying to acquire lock:
+(kn->count#30){++++}, at: kernfs_remove_by_name_ns+0x3c/0x84
+
+but task is already holding lock:
+(&dev->info_exist_lock){+.+.}, at: iio_device_unregister+0x18/0x60
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #1 (&dev->info_exist_lock){+.+.}:
+ __mutex_lock+0x70/0xa3c
+ mutex_lock_nested+0x1c/0x24
+ iio_read_channel_raw+0x1c/0x60
+ iio_read_channel_info+0xa8/0xb0
+ dev_attr_show+0x1c/0x48
+ sysfs_kf_seq_show+0x84/0xec
+ seq_read+0x154/0x528
+ __vfs_read+0x2c/0x15c
+ vfs_read+0x8c/0x110
+ ksys_read+0x4c/0xac
+ ret_fast_syscall+0x0/0x28
+ 0xbedefb60
+
+-> #0 (kn->count#30){++++}:
+ lock_acquire+0xd8/0x268
+ __kernfs_remove+0x288/0x374
+ kernfs_remove_by_name_ns+0x3c/0x84
+ remove_files+0x34/0x78
+ sysfs_remove_group+0x40/0x9c
+ sysfs_remove_groups+0x24/0x34
+ device_remove_attrs+0x38/0x64
+ device_del+0x11c/0x360
+ cdev_device_del+0x14/0x2c
+ iio_device_unregister+0x24/0x60
+ release_nodes+0x1bc/0x200
+ device_release_driver_internal+0x1a0/0x230
+ unbind_store+0x80/0x130
+ kernfs_fop_write+0x100/0x1e4
+ __vfs_write+0x2c/0x160
+ vfs_write+0xa4/0x17c
+ ksys_write+0x4c/0xac
+ ret_fast_syscall+0x0/0x28
+ 0xbe906840
+
+other info that might help us debug this:
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&dev->info_exist_lock);
+ lock(kn->count#30);
+ lock(&dev->info_exist_lock);
+ lock(kn->count#30);
+
+ *** DEADLOCK ***
+...
+
+cdev_device_del() can be called without holding the lock. It should be safe
+as info_exist_lock prevents kernelspace consumers to use the exported
+routines during/after provider removal. cdev_device_del() is for userspace.
+
+Help to reproduce:
+See example: Documentation/devicetree/bindings/iio/afe/voltage-divider.txt
+sysv {
+ compatible = "voltage-divider";
+ io-channels = <&adc 0>;
+ output-ohms = <22>;
+ full-ohms = <222>;
+};
+
+First, go to iio:deviceX for the "voltage-divider", do one read:
+$ cd /sys/bus/iio/devices/iio:deviceX
+$ cat in_voltage0_raw
+
+Then, unbind the consumer driver. It triggers above deadlock warning.
+$ cd /sys/bus/platform/drivers/iio-rescale/
+$ echo sysv > unbind
+
+Note I don't actually expect stable will pick this up all the
+way back into IIO being in staging, but if's probably valid that
+far back.
+
+Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com>
+Fixes: ac917a81117c ("staging:iio:core set the iio_dev.info pointer to null on unregister")
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+---
+ drivers/iio/industrialio-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
+index 4700fd5d8c90..9c4d92115504 100644
+--- a/drivers/iio/industrialio-core.c
++++ b/drivers/iio/industrialio-core.c
+@@ -1743,10 +1743,10 @@ EXPORT_SYMBOL(__iio_device_register);
+ **/
+ void iio_device_unregister(struct iio_dev *indio_dev)
+ {
+- mutex_lock(&indio_dev->info_exist_lock);
+-
+ cdev_device_del(&indio_dev->chrdev, &indio_dev->dev);
+
++ mutex_lock(&indio_dev->info_exist_lock);
++
+ iio_device_unregister_debugfs(indio_dev);
+
+ iio_disable_all_buffers(indio_dev);
+--
+2.16.4
+
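Review bot: After the reordering, `iio_device_unregister()` relies on `cdev_device_del()` running before `info_exist_lock` is taken, but only the commit message explains why. A comment at the call would keep the two statements from being regrouped later, e.g. `/* call without info_exist_lock held: sysfs removal waits on attribute readers that take the same lock */`. Separately, the `Acked-by: Takashi Iwai` tag has landed inside the quoted lockdep report in the description rather than in the trailer block, presumably because the `----` separator was mistaken for the end of the message. The function body continues past the hunk.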
diff --git a/patches.drivers/iio-cros_ec-Fix-the-maths-for-gyro-scale-calculation.patch b/patches.drivers/iio-cros_ec-Fix-the-maths-for-gyro-scale-calculation.patch
new file mode 100644
index 0000000000..0a6f5b7c4c
--- /dev/null
+++ b/patches.drivers/iio-cros_ec-Fix-the-maths-for-gyro-scale-calculation.patch
@@ -0,0 +1,63 @@
+From 3d02d7082e5823598090530c3988a35f69689943 Mon Sep 17 00:00:00 2001
+From: Gwendal Grignou <gwendal@chromium.org>
+Date: Wed, 13 Mar 2019 12:40:02 +0100
+Subject: [PATCH] iio: cros_ec: Fix the maths for gyro scale calculation
+Git-commit: 3d02d7082e5823598090530c3988a35f69689943
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+Calculation did not use IIO_DEGREE_TO_RAD and implemented a variant to
+avoid precision loss as we aim a nano value. The offset added to avoid
+rounding error, though, doesn't give us a close result to the expected
+value. E.g.
+
+For 1000dps, the result should be:
+
+ (1000 * pi ) / 180 >> 15 ~= 0.000532632218
+
+But with current calculation we get
+
+ $ cat scale
+ 0.000547890
+
+Fix the calculation by just doing the maths involved for a nano value
+
+ val * pi * 10e12 / (180 * 2^15)
+
+so we get a closer result.
+
+ $ cat scale
+ 0.000532632
+
+Fixes: c14dca07a31d ("iio: cros_ec_sensors: add ChromeOS EC Contiguous Sensors driver")
+Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
+Signed-off-by: Enric Balletbo i Serra <enric.balletbo@collabora.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c
+index 89cb0066a6e0..8d76afb87d87 100644
+--- a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c
++++ b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c
+@@ -103,9 +103,10 @@ static int cros_ec_sensors_read(struct iio_dev *indio_dev,
+ * Do not use IIO_DEGREE_TO_RAD to avoid precision
+ * loss. Round to the nearest integer.
+ */
+- *val = div_s64(val64 * 314159 + 9000000ULL, 1000);
+- *val2 = 18000 << (CROS_EC_SENSOR_BITS - 1);
+- ret = IIO_VAL_FRACTIONAL;
++ *val = 0;
++ *val2 = div_s64(val64 * 3141592653ULL,
++ 180 << (CROS_EC_SENSOR_BITS - 1));
++ ret = IIO_VAL_INT_PLUS_NANO;
+ break;
+ case MOTIONSENSE_TYPE_MAG:
+ /*
+--
+2.16.4
+
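Review bot: The context comment kept above the new gyro calculation still says "Round to the nearest integer", which is now stale. The rewritten `div_s64(val64 * 3141592653ULL, 180 << (CROS_EC_SENSOR_BITS - 1))` has no rounding term and truncates, whereas the removed line added `9000000ULL` for that purpose. Either drop the sentence or reword it, for example `* Compute the scale directly in nano rad/s; the division truncates.` Hard-coding `*val = 0` also assumes the scale is always below 1, which holds for the 1000 dps example in the description but is not checked for larger ranges. The enclosing `cros_ec_sensors_read()` starts and ends outside the hunk.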
diff --git a/patches.drivers/mmc-davinci-remove-extraneous-__init-annotation.patch b/patches.drivers/mmc-davinci-remove-extraneous-__init-annotation.patch
new file mode 100644
index 0000000000..8016b508b6
--- /dev/null
+++ b/patches.drivers/mmc-davinci-remove-extraneous-__init-annotation.patch
@@ -0,0 +1,42 @@
+From 9ce58dd7d9da3ca0d7cb8c9568f1c6f4746da65a Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 7 Mar 2019 11:10:11 +0100
+Subject: [PATCH] mmc: davinci: remove extraneous __init annotation
+Git-commit: 9ce58dd7d9da3ca0d7cb8c9568f1c6f4746da65a
+Patch-mainline: v5.1-rc2
+References: bsc#1051510
+
+Building with clang finds a mistaken __init tag:
+
+Warning: vmlinux.o(.text+0x5e4250): Section mismatch in reference from the function davinci_mmcsd_probe() to the function .init.text:init_mmcsd_host()
+The function davinci_mmcsd_probe() references
+the function __init init_mmcsd_host().
+This is often because davinci_mmcsd_probe lacks a __init
+annotation or the annotation of init_mmcsd_host is wrong.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Wolfram Sang <wsa@the-dreams.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/mmc/host/davinci_mmc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c
+index 49e0daf2ef5e..f37003df1e01 100644
+--- a/drivers/mmc/host/davinci_mmc.c
++++ b/drivers/mmc/host/davinci_mmc.c
+@@ -1117,7 +1117,7 @@ static inline void mmc_davinci_cpufreq_deregister(struct mmc_davinci_host *host)
+ {
+ }
+ #endif
+-static void __init init_mmcsd_host(struct mmc_davinci_host *host)
++static void init_mmcsd_host(struct mmc_davinci_host *host)
+ {
+
+ mmc_davinci_reset_ctrl(host, 1);
+--
+2.16.4
+
diff --git a/patches.drm/drm-nouveau-volt-gf117-fix-speedo-readout-register.patch b/patches.drm/drm-nouveau-volt-gf117-fix-speedo-readout-register.patch
new file mode 100644
index 0000000000..02161258b6
--- /dev/null
+++ b/patches.drm/drm-nouveau-volt-gf117-fix-speedo-readout-register.patch
@@ -0,0 +1,130 @@
+From fc782242749fa4235592854fafe1a1297583c1fb Mon Sep 17 00:00:00 2001
+From: Ilia Mirkin <imirkin@alum.mit.edu>
+Date: Sun, 13 Jan 2019 17:50:10 -0500
+Subject: [PATCH] drm/nouveau/volt/gf117: fix speedo readout register
+Git-commit: fc782242749fa4235592854fafe1a1297583c1fb
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+GF117 appears to use the same register as GK104 (but still with the
+general Fermi readout mechanism).
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108980
+Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/nouveau/include/nvkm/subdev/volt.h | 1 +
+ drivers/gpu/drm/nouveau/nvkm/engine/device/base.c | 2 +-
+ drivers/gpu/drm/nouveau/nvkm/subdev/volt/Kbuild | 1 +
+ drivers/gpu/drm/nouveau/nvkm/subdev/volt/gf117.c | 60 ++++++++++++++++++++++
+ 4 files changed, 63 insertions(+), 1 deletion(-)
+ create mode 100644 drivers/gpu/drm/nouveau/nvkm/subdev/volt/gf117.c
+
+diff --git a/drivers/gpu/drm/nouveau/include/nvkm/subdev/volt.h b/drivers/gpu/drm/nouveau/include/nvkm/subdev/volt.h
+index 8a0f85f5fc1a..6a765682fbfa 100644
+--- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/volt.h
++++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/volt.h
+@@ -38,6 +38,7 @@ int nvkm_volt_set_id(struct nvkm_volt *, u8 id, u8 min_id, u8 temp,
+
+ int nv40_volt_new(struct nvkm_device *, int, struct nvkm_volt **);
+ int gf100_volt_new(struct nvkm_device *, int, struct nvkm_volt **);
++int gf117_volt_new(struct nvkm_device *, int, struct nvkm_volt **);
+ int gk104_volt_new(struct nvkm_device *, int, struct nvkm_volt **);
+ int gk20a_volt_new(struct nvkm_device *, int, struct nvkm_volt **);
+ int gm20b_volt_new(struct nvkm_device *, int, struct nvkm_volt **);
+diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c b/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c
+index d9edb5785813..d75fa7678483 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c
+@@ -1613,7 +1613,7 @@ nvd7_chipset = {
+ .pci = gf106_pci_new,
+ .therm = gf119_therm_new,
+ .timer = nv41_timer_new,
+- .volt = gf100_volt_new,
++ .volt = gf117_volt_new,
+ .ce[0] = gf100_ce_new,
+ .disp = gf119_disp_new,
+ .dma = gf119_dma_new,
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/Kbuild b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/Kbuild
+index bcd179ba11d0..146adcdd316a 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/Kbuild
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/Kbuild
+@@ -2,6 +2,7 @@ nvkm-y += nvkm/subdev/volt/base.o
+ nvkm-y += nvkm/subdev/volt/gpio.o
+ nvkm-y += nvkm/subdev/volt/nv40.o
+ nvkm-y += nvkm/subdev/volt/gf100.o
++nvkm-y += nvkm/subdev/volt/gf117.o
+ nvkm-y += nvkm/subdev/volt/gk104.o
+ nvkm-y += nvkm/subdev/volt/gk20a.o
+ nvkm-y += nvkm/subdev/volt/gm20b.o
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gf117.c b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gf117.c
+new file mode 100644
+index 000000000000..547a58f0aeac
+--- /dev/null
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gf117.c
+@@ -0,0 +1,60 @@
++/*
++ * Copyright 2019 Ilia Mirkin
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a
++ * copy of this software and associated documentation files (the "Software"),
++ * to deal in the Software without restriction, including without limitation
++ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
++ * and/or sell copies of the Software, and to permit persons to whom the
++ * Software is furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR
++ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
++ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
++ * OTHER DEALINGS IN THE SOFTWARE.
++ *
++ * Authors: Ilia Mirkin
++ */
++#include "priv.h"
++
++#include <subdev/fuse.h>
++
++static int
++gf117_volt_speedo_read(struct nvkm_volt *volt)
++{
++ struct nvkm_device *device = volt->subdev.device;
++ struct nvkm_fuse *fuse = device->fuse;
++
++ if (!fuse)
++ return -EINVAL;
++
++ return nvkm_fuse_read(fuse, 0x3a8);
++}
++
++static const struct nvkm_volt_func
++gf117_volt = {
++ .oneinit = gf100_volt_oneinit,
++ .vid_get = nvkm_voltgpio_get,
++ .vid_set = nvkm_voltgpio_set,
++ .speedo_read = gf117_volt_speedo_read,
++};
++
++int
++gf117_volt_new(struct nvkm_device *device, int index, struct nvkm_volt **pvolt)
++{
++ struct nvkm_volt *volt;
++ int ret;
++
++ ret = nvkm_volt_new_(&gf117_volt, device, index, &volt);
++ *pvolt = volt;
++ if (ret)
++ return ret;
++
++ return nvkm_voltgpio_init(volt);
++}
+--
+2.16.4
+
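Review bot: `gf117_volt_speedo_read()` passes the bare constant `0x3a8` to `nvkm_fuse_read()` with no comment on what it addresses. The commit message says GF117 uses the same register as GK104, and that is the only record of where the value comes from. Add a comment on the line, such as `/* speedo fuse; same offset GK104 uses, read via the Fermi fuse path */`, or a named constant. The function also returns the fuse value as `int` on the same channel as `-EINVAL`, so a one-line note that the value is expected to be non-negative would help callers.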
diff --git a/patches.fixes/0001-cxgb4-fix-the-error-path-of-cxgb4_uld_register.patch b/patches.fixes/0001-cxgb4-fix-the-error-path-of-cxgb4_uld_register.patch
new file mode 100644
index 0000000000..88beb95d27
--- /dev/null
+++ b/patches.fixes/0001-cxgb4-fix-the-error-path-of-cxgb4_uld_register.patch
@@ -0,0 +1,136 @@
+From: Ganesh Goudar <ganeshgr@chelsio.com>
+Subject: cxgb4: fix the error path of cxgb4_uld_register()
+Patch-mainline: v4.20-rc1
+Git-commit: 40b06553c906a56ae31677b3ecbd49546947698d
+References: bsc#1127371
+
+On multi adapter setup if the uld registration fails even on
+one adapter, the allocated resources for the uld on all the
+adapters are freed, rendering the functioning adapters unusable.
+
+This commit fixes the issue by freeing the allocated resources
+only for the failed adapter.
+
+Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ drivers/crypto/chelsio/chcr_core.c | 3 +-
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 46 ++++++--------------------
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h | 2 +-
+ 3 files changed, 13 insertions(+), 38 deletions(-)
+
+diff --git a/drivers/crypto/chelsio/chcr_core.c b/drivers/crypto/chelsio/chcr_core.c
+index b6dd9cbe815f..0e873994b32f 100644
+--- a/drivers/crypto/chelsio/chcr_core.c
++++ b/drivers/crypto/chelsio/chcr_core.c
+@@ -223,8 +223,7 @@ static int chcr_uld_state_change(void *handle, enum cxgb4_state state)
+
+ static int __init chcr_crypto_init(void)
+ {
+- if (cxgb4_register_uld(CXGB4_ULD_CRYPTO, &chcr_uld_info))
+- pr_err("ULD register fail: No chcr crypto support in cxgb4");
++ cxgb4_register_uld(CXGB4_ULD_CRYPTO, &chcr_uld_info);
+
+ return 0;
+ }
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
+index 198533ecd60a..529b961d8076 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
+@@ -702,15 +702,14 @@ static void uld_attach(struct adapter *adap, unsigned int uld)
+ * about any presently available devices that support its type. Returns
+ * %-EBUSY if a ULD of the same type is already registered.
+ */
+-int cxgb4_register_uld(enum cxgb4_uld type,
+- const struct cxgb4_uld_info *p)
++void cxgb4_register_uld(enum cxgb4_uld type,
++ const struct cxgb4_uld_info *p)
+ {
+ int ret = 0;
+- unsigned int adap_idx = 0;
+ struct adapter *adap;
+
+ if (type >= CXGB4_ULD_MAX)
+- return -EINVAL;
++ return;
+
+ mutex_lock(&uld_mutex);
+ list_for_each_entry(adap, &adapter_list, list_node) {
+@@ -733,52 +732,29 @@ int cxgb4_register_uld(enum cxgb4_uld type,
+ }
+ if (adap->flags & FULL_INIT_DONE)
+ enable_rx_uld(adap, type);
+- if (adap->uld[type].add) {
+- ret = -EBUSY;
++ if (adap->uld[type].add)
+ goto free_irq;
+- }
+ ret = setup_sge_txq_uld(adap, type, p);
+ if (ret)
+ goto free_irq;
+ adap->uld[type] = *p;
+ uld_attach(adap, type);
+- adap_idx++;
+- }
+- mutex_unlock(&uld_mutex);
+- return 0;
+-
++ continue;
+ free_irq:
+- if (adap->flags & FULL_INIT_DONE)
+- quiesce_rx_uld(adap, type);
+- if (adap->flags & USING_MSIX)
+- free_msix_queue_irqs_uld(adap, type);
+-free_rxq:
+- free_sge_queues_uld(adap, type);
+-free_queues:
+- free_queues_uld(adap, type);
+-out:
+-
+- list_for_each_entry(adap, &adapter_list, list_node) {
+- if ((type == CXGB4_ULD_CRYPTO && !is_pci_uld(adap)) ||
+- (type != CXGB4_ULD_CRYPTO && !is_offload(adap)))
+- continue;
+- if (type == CXGB4_ULD_ISCSIT && is_t4(adap->params.chip))
+- continue;
+- if (!adap_idx)
+- break;
+- adap->uld[type].handle = NULL;
+- adap->uld[type].add = NULL;
+- release_sge_txq_uld(adap, type);
+ if (adap->flags & FULL_INIT_DONE)
+ quiesce_rx_uld(adap, type);
+ if (adap->flags & USING_MSIX)
+ free_msix_queue_irqs_uld(adap, type);
++free_rxq:
+ free_sge_queues_uld(adap, type);
++free_queues:
+ free_queues_uld(adap, type);
+- adap_idx--;
++out:
++ dev_warn(adap->pdev_dev,
++ "ULD registration failed for uld type %d\n", type);
+ }
+ mutex_unlock(&uld_mutex);
+- return ret;
++ return;
+ }
+ EXPORT_SYMBOL(cxgb4_register_uld);
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h
+index 96d57cf1a7e7..d04a6d324c62 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.h
+@@ -384,7 +384,7 @@ struct cxgb4_uld_info {
+ void (*lro_flush)(struct t4_lro_mgr *);
+ };
+
+-int cxgb4_register_uld(enum cxgb4_uld type, const struct cxgb4_uld_info *p);
++void cxgb4_register_uld(enum cxgb4_uld type, const struct cxgb4_uld_info *p);
+ int cxgb4_unregister_uld(enum cxgb4_uld type);
+ int cxgb4_ofld_send(struct net_device *dev, struct sk_buff *skb);
+ int cxgb4_crypto_send(struct net_device *dev, struct sk_buff *skb);
+--
+2.12.3
+
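Review bot: The kernel-doc kept as context above cxgb4_register_uld() in cxgb4_uld.c still says "Returns %-EBUSY if a ULD of the same type is already registered", but the new side makes the function `void`, so that sentence is now wrong. Callers such as chcr_crypto_init() can no longer learn that registration failed. I would replace the sentence with something like `* Failures are handled per adapter: that adapter's ULD resources are freed and a warning is logged.` The already-registered case also jumps to `free_irq` and falls through to the same `dev_warn()` at `out:`, so the log cannot tell it apart from a queue setup failure; a separate message for that case would help triage. The function body begins and continues outside the inner hunks shown.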
diff --git a/patches.fixes/0001-cxgb4-remove-the-unneeded-locks.patch b/patches.fixes/0001-cxgb4-remove-the-unneeded-locks.patch
new file mode 100644
index 0000000000..54c512bf54
--- /dev/null
+++ b/patches.fixes/0001-cxgb4-remove-the-unneeded-locks.patch
@@ -0,0 +1,247 @@
+From: Ganesh Goudar <ganeshgr@chelsio.com>
+Subject: cxgb4: remove the unneeded locks
+Patch-mainline: v4.20-rc1
+Git-commit: db3408a150dbe6da5117a25ce9937633166cd604
+References: bsc#1127371
+
+cxgb_set_tx_maxrate will be called holding rtnl lock,
+hence remove all unneeded locks.
+
+Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ drivers/net/ethernet/chelsio/cxgb4/sched.c | 68 +++++++-----------------------
+ drivers/net/ethernet/chelsio/cxgb4/sched.h | 2 -
+ 2 files changed, 15 insertions(+), 55 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/sched.c b/drivers/net/ethernet/chelsio/cxgb4/sched.c
+index 7fc656680299..52edb688942b 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/sched.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/sched.c
+@@ -38,7 +38,6 @@
+ #include "cxgb4.h"
+ #include "sched.h"
+
+-/* Spinlock must be held by caller */
+ static int t4_sched_class_fw_cmd(struct port_info *pi,
+ struct ch_sched_params *p,
+ enum sched_fw_ops op)
+@@ -67,7 +66,6 @@ static int t4_sched_class_fw_cmd(struct port_info *pi,
+ return err;
+ }
+
+-/* Spinlock must be held by caller */
+ static int t4_sched_bind_unbind_op(struct port_info *pi, void *arg,
+ enum sched_bind_type type, bool bind)
+ {
+@@ -163,7 +161,6 @@ static int t4_sched_queue_unbind(struct port_info *pi, struct ch_sched_queue *p)
+ if (e && index >= 0) {
+ int i = 0;
+
+- spin_lock(&e->lock);
+ list_for_each_entry(qe, &e->queue_list, list) {
+ if (i == index)
+ break;
+@@ -171,10 +168,8 @@ static int t4_sched_queue_unbind(struct port_info *pi, struct ch_sched_queue *p)
+ }
+ err = t4_sched_bind_unbind_op(pi, (void *)qe, SCHED_QUEUE,
+ false);
+- if (err) {
+- spin_unlock(&e->lock);
+- goto out;
+- }
++ if (err)
++ return err;
+
+ list_del(&qe->list);
+ kvfree(qe);
+@@ -182,9 +177,7 @@ static int t4_sched_queue_unbind(struct port_info *pi, struct ch_sched_queue *p)
+ e->state = SCHED_STATE_UNUSED;
+ memset(&e->info, 0, sizeof(e->info));
+ }
+- spin_unlock(&e->lock);
+ }
+-out:
+ return err;
+ }
+
+@@ -210,10 +203,8 @@ static int t4_sched_queue_bind(struct port_info *pi, struct ch_sched_queue *p)
+
+ /* Unbind queue from any existing class */
+ err = t4_sched_queue_unbind(pi, p);
+- if (err) {
+- kvfree(qe);
+- goto out;
+- }
++ if (err)
++ goto out_err;
+
+ /* Bind queue to specified class */
+ memset(qe, 0, sizeof(*qe));
+@@ -221,18 +212,16 @@ static int t4_sched_queue_bind(struct port_info *pi, struct ch_sched_queue *p)
+ memcpy(&qe->param, p, sizeof(qe->param));
+
+ e = &s->tab[qe->param.class];
+- spin_lock(&e->lock);
+ err = t4_sched_bind_unbind_op(pi, (void *)qe, SCHED_QUEUE, true);
+- if (err) {
+- kvfree(qe);
+- spin_unlock(&e->lock);
+- goto out;
+- }
++ if (err)
++ goto out_err;
+
+ list_add_tail(&qe->list, &e->queue_list);
+ atomic_inc(&e->refcnt);
+- spin_unlock(&e->lock);
+-out:
++ return err;
++
++out_err:
++ kvfree(qe);
+ return err;
+ }
+
+@@ -296,8 +285,6 @@ int cxgb4_sched_class_bind(struct net_device *dev, void *arg,
+ enum sched_bind_type type)
+ {
+ struct port_info *pi = netdev2pinfo(dev);
+- struct sched_table *s;
+- int err = 0;
+ u8 class_id;
+
+ if (!can_sched(dev))
+@@ -323,12 +310,8 @@ int cxgb4_sched_class_bind(struct net_device *dev, void *arg,
+ if (class_id == SCHED_CLS_NONE)
+ return -ENOTSUPP;
+
+- s = pi->sched_tbl;
+- write_lock(&s->rw_lock);
+- err = t4_sched_class_bind_unbind_op(pi, arg, type, true);
+- write_unlock(&s->rw_lock);
++ return t4_sched_class_bind_unbind_op(pi, arg, type, true);
+
+- return err;
+ }
+
+ /**
+@@ -343,8 +326,6 @@ int cxgb4_sched_class_unbind(struct net_device *dev, void *arg,
+ enum sched_bind_type type)
+ {
+ struct port_info *pi = netdev2pinfo(dev);
+- struct sched_table *s;
+- int err = 0;
+ u8 class_id;
+
+ if (!can_sched(dev))
+@@ -367,12 +348,7 @@ int cxgb4_sched_class_unbind(struct net_device *dev, void *arg,
+ if (!valid_class_id(dev, class_id))
+ return -EINVAL;
+
+- s = pi->sched_tbl;
+- write_lock(&s->rw_lock);
+- err = t4_sched_class_bind_unbind_op(pi, arg, type, false);
+- write_unlock(&s->rw_lock);
+-
+- return err;
++ return t4_sched_class_bind_unbind_op(pi, arg, type, false);
+ }
+
+ /* If @p is NULL, fetch any available unused class */
+@@ -425,7 +401,6 @@ static struct sched_class *t4_sched_class_lookup(struct port_info *pi,
+ static struct sched_class *t4_sched_class_alloc(struct port_info *pi,
+ struct ch_sched_params *p)
+ {
+- struct sched_table *s = pi->sched_tbl;
+ struct sched_class *e;
+ u8 class_id;
+ int err;
+@@ -441,7 +416,6 @@ static struct sched_class *t4_sched_class_alloc(struct port_info *pi,
+ if (class_id != SCHED_CLS_NONE)
+ return NULL;
+
+- write_lock(&s->rw_lock);
+ /* See if there's an exisiting class with same
+ * requested sched params
+ */
+@@ -452,27 +426,19 @@ static struct sched_class *t4_sched_class_alloc(struct port_info *pi,
+ /* Fetch any available unused class */
+ e = t4_sched_class_lookup(pi, NULL);
+ if (!e)
+- goto out;
++ return NULL;
+
+ memcpy(&np, p, sizeof(np));
+ np.u.params.class = e->idx;
+-
+- spin_lock(&e->lock);
+ /* New class */
+ err = t4_sched_class_fw_cmd(pi, &np, SCHED_FW_OP_ADD);
+- if (err) {
+- spin_unlock(&e->lock);
+- e = NULL;
+- goto out;
+- }
++ if (err)
++ return NULL;
+ memcpy(&e->info, &np, sizeof(e->info));
+ atomic_set(&e->refcnt, 0);
+ e->state = SCHED_STATE_ACTIVE;
+- spin_unlock(&e->lock);
+ }
+
+-out:
+- write_unlock(&s->rw_lock);
+ return e;
+ }
+
+@@ -517,14 +483,12 @@ struct sched_table *t4_init_sched(unsigned int sched_size)
+ return NULL;
+
+ s->sched_size = sched_size;
+- rwlock_init(&s->rw_lock);
+
+ for (i = 0; i < s->sched_size; i++) {
+ memset(&s->tab[i], 0, sizeof(struct sched_class));
+ s->tab[i].idx = i;
+ s->tab[i].state = SCHED_STATE_UNUSED;
+ INIT_LIST_HEAD(&s->tab[i].queue_list);
+- spin_lock_init(&s->tab[i].lock);
+ atomic_set(&s->tab[i].refcnt, 0);
+ }
+ return s;
+@@ -545,11 +509,9 @@ void t4_cleanup_sched(struct adapter *adap)
+ for (i = 0; i < s->sched_size; i++) {
+ struct sched_class *e;
+
+- write_lock(&s->rw_lock);
+ e = &s->tab[i];
+ if (e->state == SCHED_STATE_ACTIVE)
+ t4_sched_class_free(pi, e);
+- write_unlock(&s->rw_lock);
+ }
+ kvfree(s);
+ }
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/sched.h b/drivers/net/ethernet/chelsio/cxgb4/sched.h
+index 3a49e00a38a1..168fb4ce3759 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/sched.h
++++ b/drivers/net/ethernet/chelsio/cxgb4/sched.h
+@@ -69,13 +69,11 @@ struct sched_class {
+ u8 idx;
+ struct ch_sched_params info;
+ struct list_head queue_list;
+- spinlock_t lock; /* Per class lock */
+ atomic_t refcnt;
+ };
+
+ struct sched_table { /* per port scheduling table */
+ u8 sched_size;
+- rwlock_t rw_lock; /* Table lock */
+ struct sched_class tab[0];
+ };
+
+--
+2.12.3
+
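Review bot: With `rw_lock` and the per-class `lock` removed, every access to `s->tab[]` and `e->queue_list` in sched.c depends on the caller holding RTNL, yet nothing on the new side states or checks that. The two "Spinlock must be held by caller" comments are deleted without a replacement. I would add `ASSERT_RTNL();` at the top of cxgb4_sched_class_bind() and cxgb4_sched_class_unbind(), and a one-line comment on `struct sched_table` such as `/* all fields protected by RTNL */`. t4_cleanup_sched() also walks the table and frees active classes, and its calling context is not visible in these hunks. It should be confirmed that it cannot run concurrently with the `list_del()`/`kvfree(qe)` in t4_sched_queue_unbind().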
diff --git a/patches.fixes/9p-do-not-trust-pdu-content-for-stat-item-size.patch b/patches.fixes/9p-do-not-trust-pdu-content-for-stat-item-size.patch
new file mode 100644
index 0000000000..895e881f91
--- /dev/null
+++ b/patches.fixes/9p-do-not-trust-pdu-content-for-stat-item-size.patch
@@ -0,0 +1,77 @@
+From 2803cf4379ed252894f046cb8812a48db35294e3 Mon Sep 17 00:00:00 2001
+From: Gertjan Halkes <gertjan@google.com>
+Date: Wed, 5 Sep 2018 15:41:29 +0900
+Subject: [PATCH] 9p: do not trust pdu content for stat item size
+Git-commit: 2803cf4379ed252894f046cb8812a48db35294e3
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+v9fs_dir_readdir() could deadloop if a struct was sent with a size set
+to -2
+
+Link: http://lkml.kernel.org/r/1536134432-11997-1-git-send-email-asmadeus@codewreck.org
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88021
+Signed-off-by: Gertjan Halkes <gertjan@google.com>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/9p/vfs_dir.c | 8 +++-----
+ net/9p/protocol.c | 3 ++-
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
+index 48db9a9f13f9..cb6c4031af55 100644
+--- a/fs/9p/vfs_dir.c
++++ b/fs/9p/vfs_dir.c
+@@ -105,7 +105,6 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx)
+ int err = 0;
+ struct p9_fid *fid;
+ int buflen;
+- int reclen = 0;
+ struct p9_rdir *rdir;
+ struct kvec kvec;
+
+@@ -138,11 +137,10 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx)
+ while (rdir->head < rdir->tail) {
+ err = p9stat_read(fid->clnt, rdir->buf + rdir->head,
+ rdir->tail - rdir->head, &st);
+- if (err) {
++ if (err <= 0) {
+ p9_debug(P9_DEBUG_VFS, "returned %d\n", err);
+ return -EIO;
+ }
+- reclen = st.size+2;
+
+ over = !dir_emit(ctx, st.name, strlen(st.name),
+ v9fs_qid2ino(&st.qid), dt_type(&st));
+@@ -150,8 +148,8 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx)
+ if (over)
+ return 0;
+
+- rdir->head += reclen;
+- ctx->pos += reclen;
++ rdir->head += err;
++ ctx->pos += err;
+ }
+ }
+ }
+diff --git a/net/9p/protocol.c b/net/9p/protocol.c
+index ee32bbf12675..b4d80c533f89 100644
+--- a/net/9p/protocol.c
++++ b/net/9p/protocol.c
+@@ -571,9 +571,10 @@ int p9stat_read(struct p9_client *clnt, char *buf, int len, struct p9_wstat *st)
+ if (ret) {
+ p9_debug(P9_DEBUG_9P, "<<< p9stat_read failed: %d\n", ret);
+ trace_9p_protocol_dump(clnt, &fake_pdu);
++ return ret;
+ }
+
+- return ret;
++ return fake_pdu.offset;
+ }
+ EXPORT_SYMBOL(p9stat_read);
+
+--
+2.16.4
+
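Review bot: p9stat_read() in net/9p/protocol.c now returns the number of bytes consumed (`fake_pdu.offset`) on success instead of 0, and nothing in the hunk documents the new contract for this exported function. Any caller outside these hunks that still tests `if (ret)` would treat every successful parse as a failure, so the remaining call sites need to be checked. I would add a comment above the function, e.g. `/* Returns the number of bytes consumed from buf on success, or the parser's non-zero error code. */`. In v9fs_dir_readdir() the advance `rdir->head += err` is safe only if that offset never exceeds the `rdir->tail - rdir->head` passed in as `len`. The parser presumably enforces this, but the code that does so is not in the hunk.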
diff --git a/patches.fixes/ACPI-SBS-Fix-GPE-storm-on-recent-MacBookPro-s.patch b/patches.fixes/ACPI-SBS-Fix-GPE-storm-on-recent-MacBookPro-s.patch
new file mode 100644
index 0000000000..3268426ae7
--- /dev/null
+++ b/patches.fixes/ACPI-SBS-Fix-GPE-storm-on-recent-MacBookPro-s.patch
@@ -0,0 +1,56 @@
+From ca1721c5bee77105829cbd7baab8ee0eab85b06d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ronald=20Tschal=C3=A4r?= <ronald@innovation.ch>
+Date: Sun, 30 Sep 2018 19:52:51 -0700
+Subject: [PATCH] ACPI / SBS: Fix GPE storm on recent MacBookPro's
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: ca1721c5bee77105829cbd7baab8ee0eab85b06d
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+On Apple machines, plugging-in or unplugging the power triggers a GPE
+for the EC. Since these machines expose an SBS device, this GPE ends
+up triggering the acpi_sbs_callback(). This in turn tries to get the
+status of the SBS charger. However, on MBP13,* and MBP14,* machines,
+performing the smbus-read operation to get the charger's status triggers
+the EC's GPE again. The result is an endless re-triggering and handling
+of that GPE, consuming significant CPU resources (> 50% in irq).
+
+In the end this is quite similar to commit 3031cddea633 (ACPI / SBS:
+Don't assume the existence of an SBS charger), except that on the above
+machines a status of all 1's is returned. And like there, we just want
+ignore the charger here.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=198169
+Signed-off-by: Ronald Tschalär <ronald@innovation.ch>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/sbs.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/acpi/sbs.c b/drivers/acpi/sbs.c
+index 295b59271189..96c5e27967f4 100644
+--- a/drivers/acpi/sbs.c
++++ b/drivers/acpi/sbs.c
+@@ -441,9 +441,13 @@ static int acpi_ac_get_present(struct acpi_sbs *sbs)
+
+ /*
+ * The spec requires that bit 4 always be 1. If it's not set, assume
+- * that the implementation doesn't support an SBS charger
++ * that the implementation doesn't support an SBS charger.
++ *
++ * And on some MacBooks a status of 0xffff is always returned, no
++ * matter whether the charger is plugged in or not, which is also
++ * wrong, so ignore the SBS charger for those too.
+ */
+- if (!((status >> 4) & 0x1))
++ if (!((status >> 4) & 0x1) || status == 0xffff)
+ return -ENODEV;
+
+ sbs->charger_present = (status >> 15) & 0x1;
+--
+2.16.4
+
diff --git a/patches.fixes/NFS-Fix-dentry-revalidation-on-NFSv4-lookup.patch b/patches.fixes/NFS-Fix-dentry-revalidation-on-NFSv4-lookup.patch
new file mode 100644
index 0000000000..5acc031faf
--- /dev/null
+++ b/patches.fixes/NFS-Fix-dentry-revalidation-on-NFSv4-lookup.patch
@@ -0,0 +1,65 @@
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Thu, 27 Sep 2018 17:12:33 -0400
+Subject: [PATCH] NFS: Fix dentry revalidation on NFSv4 lookup
+Git-commit: be189f7e7f03de35887e5a85ddcf39b91b5d7fc1
+Patch-mainline: v4.20
+References: bsc#1132618
+
+We need to ensure that inode and dentry revalidation occurs correctly
+on reopen of a file that is already open. Currently, we can end up
+not revalidating either in the case of NFSv4.0, due to the 'cached open'
+path.
+Let's fix that by ensuring that we only do cached open for the special
+cases of open recovery and delegation return.
+
+Reported-by: Stan Hu <stanhu@gmail.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Acked-by: NeilBrown <neilb@suse.com>
+
+---
+ fs/nfs/nfs4proc.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1314,12 +1314,20 @@ static bool nfs4_mode_match_open_stateid
+ return false;
+ }
+
+-static int can_open_cached(struct nfs4_state *state, fmode_t mode, int open_mode)
++static int can_open_cached(struct nfs4_state *state, fmode_t mode,
++ int open_mode, enum open_claim_type4 claim)
+ {
+ int ret = 0;
+
+ if (open_mode & (O_EXCL|O_TRUNC))
+ goto out;
++ switch (claim) {
++ case NFS4_OPEN_CLAIM_NULL:
++ case NFS4_OPEN_CLAIM_FH:
++ goto out;
++ default:
++ break;
++ }
+ switch (mode & (FMODE_READ|FMODE_WRITE)) {
+ case FMODE_READ:
+ ret |= test_bit(NFS_O_RDONLY_STATE, &state->flags) != 0
+@@ -1614,7 +1622,7 @@ static struct nfs4_state *nfs4_try_open_
+
+ for (;;) {
+ spin_lock(&state->owner->so_lock);
+- if (can_open_cached(state, fmode, open_mode)) {
++ if (can_open_cached(state, fmode, open_mode, claim)) {
+ update_open_stateflags(state, fmode);
+ spin_unlock(&state->owner->so_lock);
+ goto out_return_state;
+@@ -2110,7 +2118,8 @@ static void nfs4_open_prepare(struct rpc
+ if (data->state != NULL) {
+ struct nfs_delegation *delegation;
+
+- if (can_open_cached(data->state, data->o_arg.fmode, data->o_arg.open_flags))
++ if (can_open_cached(data->state, data->o_arg.fmode,
++ data->o_arg.open_flags, claim))
+ goto out_no_action;
+ rcu_read_lock();
+ delegation = rcu_dereference(NFS_I(data->state->inode)->delegation);
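Review bot: The new `switch (claim)` in can_open_cached() has no comment saying why `NFS4_OPEN_CLAIM_NULL` and `NFS4_OPEN_CLAIM_FH` must skip the cached-open path, and that reason is the whole point of the fix. I would add above it `/* Ordinary opens must reach the server so inode and dentry are revalidated; only recovery and delegation-return claims may reuse cached open state. */`, so that a claim type added later is not put on the wrong side by accident. Both call sites pass a local `claim` whose declaration lies outside the hunks, and nfs4_open_prepare() continues past the end of the last hunk.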
diff --git a/patches.fixes/bpf-fix-use-after-free-in-bpf_evict_inode.patch b/patches.fixes/bpf-fix-use-after-free-in-bpf_evict_inode.patch
new file mode 100644
index 0000000000..a31a06fd0f
--- /dev/null
+++ b/patches.fixes/bpf-fix-use-after-free-in-bpf_evict_inode.patch
@@ -0,0 +1,172 @@
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Mon, 25 Mar 2019 15:54:43 +0100
+Subject: bpf: fix use after free in bpf_evict_inode
+Patch-mainline: v5.1-rc4
+Git-commit: 1da6c4d9140cb7c13e87667dc4e1488d6c8fc10f
+References: bsc#1083647
+
+syzkaller was able to generate the following UAF in bpf:
+
+ BUG: KASAN: use-after-free in lookup_last fs/namei.c:2269 [inline]
+ BUG: KASAN: use-after-free in path_lookupat.isra.43+0x9f8/0xc00 fs/namei.c:2318
+ Read of size 1 at addr ffff8801c4865c47 by task syz-executor2/9423
+
+ CPU: 0 PID: 9423 Comm: syz-executor2 Not tainted 4.20.0-rc1-next-20181109+
+ #110
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+ Google 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x244/0x39d lib/dump_stack.c:113
+ print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
+ __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
+ lookup_last fs/namei.c:2269 [inline]
+ path_lookupat.isra.43+0x9f8/0xc00 fs/namei.c:2318
+ filename_lookup+0x26a/0x520 fs/namei.c:2348
+ user_path_at_empty+0x40/0x50 fs/namei.c:2608
+ user_path include/linux/namei.h:62 [inline]
+ do_mount+0x180/0x1ff0 fs/namespace.c:2980
+ ksys_mount+0x12d/0x140 fs/namespace.c:3258
+ __do_sys_mount fs/namespace.c:3272 [inline]
+ __se_sys_mount fs/namespace.c:3269 [inline]
+ __x64_sys_mount+0xbe/0x150 fs/namespace.c:3269
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x457569
+ Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
+ 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
+ ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+ RSP: 002b:00007fde6ed96c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
+ RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457569
+ RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
+ RBP: 000000000072bf00 R08: 0000000020000340 R09: 0000000000000000
+ R10: 0000000000200000 R11: 0000000000000246 R12: 00007fde6ed976d4
+ R13: 00000000004c2c24 R14: 00000000004d4990 R15: 00000000ffffffff
+
+ Allocated by task 9424:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
+ __do_kmalloc mm/slab.c:3722 [inline]
+ __kmalloc_track_caller+0x157/0x760 mm/slab.c:3737
+ kstrdup+0x39/0x70 mm/util.c:49
+ bpf_symlink+0x26/0x140 kernel/bpf/inode.c:356
+ vfs_symlink+0x37a/0x5d0 fs/namei.c:4127
+ do_symlinkat+0x242/0x2d0 fs/namei.c:4154
+ __do_sys_symlink fs/namei.c:4173 [inline]
+ __se_sys_symlink fs/namei.c:4171 [inline]
+ __x64_sys_symlink+0x59/0x80 fs/namei.c:4171
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+ Freed by task 9425:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
+ kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
+ __cache_free mm/slab.c:3498 [inline]
+ kfree+0xcf/0x230 mm/slab.c:3817
+ bpf_evict_inode+0x11f/0x150 kernel/bpf/inode.c:565
+ evict+0x4b9/0x980 fs/inode.c:558
+ iput_final fs/inode.c:1550 [inline]
+ iput+0x674/0xa90 fs/inode.c:1576
+ do_unlinkat+0x733/0xa30 fs/namei.c:4069
+ __do_sys_unlink fs/namei.c:4110 [inline]
+ __se_sys_unlink fs/namei.c:4108 [inline]
+ __x64_sys_unlink+0x42/0x50 fs/namei.c:4108
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+In this scenario path lookup under RCU is racing with the final
+unlink in case of symlinks. As Linus puts it in his analysis:
+
+ [...] We actually RCU-delay the inode freeing itself, but
+ when we do the final iput(), the "evict()" function is called
+ synchronously. Now, the simple fix would seem to just RCU-delay
+ the kfree() of the symlink data in bpf_evict_inode(). Maybe
+ that's the right thing to do. [...]
+
+Al suggested to piggy-back on the ->destroy_inode() callback in
+order to implement RCU deferral there which can then kfree() the
+inode->i_link eventually right before putting inode back into
+inode cache. By reusing free_inode_nonrcu() from there we can
+avoid the need for our own inode cache and just reuse generic
+one as we currently do.
+
+And in-fact on top of all this we should just get rid of the
+bpf_evict_inode() entirely. This means truncate_inode_pages_final()
+and clear_inode() will then simply be called by the fs core via
+evict(). Dropping the reference should really only be done when
+inode is unhashed and nothing reachable anymore, so it's better
+also moved into the final ->destroy_inode() callback.
+
+Fixes: 0f98621bef5d ("bpf, inode: add support for symlinks and fix mtime/ctime")
+Reported-by: syzbot+fb731ca573367b7f6564@syzkaller.appspotmail.com
+Reported-by: syzbot+a13e5ead792d6df37818@syzkaller.appspotmail.com
+Reported-by: syzbot+7a8ba368b47fdefca61e@syzkaller.appspotmail.com
+Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
+Analyzed-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+Link: https://lore.kernel.org/lkml/0000000000006946d2057bbd0eef@google.com/T/
+Acked-by: Gary Lin <glin@suse.com>
+---
+ kernel/bpf/inode.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+--- a/kernel/bpf/inode.c
++++ b/kernel/bpf/inode.c
+@@ -365,19 +365,6 @@ out:
+ }
+ EXPORT_SYMBOL_GPL(bpf_obj_get_user);
+
+-static void bpf_evict_inode(struct inode *inode)
+-{
+- enum bpf_type type;
+-
+- truncate_inode_pages_final(&inode->i_data);
+- clear_inode(inode);
+-
+- if (S_ISLNK(inode->i_mode))
+- kfree(inode->i_link);
+- if (!bpf_inode_type(inode, &type))
+- bpf_any_put(inode->i_private, type);
+-}
+-
+ /*
+ * Display the mount options in /proc/mounts.
+ */
+@@ -390,11 +377,28 @@ static int bpf_show_options(struct seq_f
+ return 0;
+ }
+
++static void bpf_destroy_inode_deferred(struct rcu_head *head)
++{
++ struct inode *inode = container_of(head, struct inode, i_rcu);
++ enum bpf_type type;
++
++ if (S_ISLNK(inode->i_mode))
++ kfree(inode->i_link);
++ if (!bpf_inode_type(inode, &type))
++ bpf_any_put(inode->i_private, type);
++ free_inode_nonrcu(inode);
++}
++
++static void bpf_destroy_inode(struct inode *inode)
++{
++ call_rcu(&inode->i_rcu, bpf_destroy_inode_deferred);
++}
++
+ static const struct super_operations bpf_super_ops = {
+ .statfs = simple_statfs,
+ .drop_inode = generic_delete_inode,
+ .show_options = bpf_show_options,
+- .evict_inode = bpf_evict_inode,
++ .destroy_inode = bpf_destroy_inode,
+ };
+
+ enum {
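Review bot: bpf_destroy_inode_deferred() has no comment stating that `inode->i_link` and the object reference are released only after an RCU grace period. That invariant is what closes the use-after-free shown in the KASAN report in the patch header. I would add above the function `/* Runs after an RCU grace period: RCU path walk may still read i_link after the final unlink, so it must not be freed from a synchronous callback. */`. Without it, a later cleanup could move `kfree(inode->i_link)` back into an eviction-time hook and reintroduce the race.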
diff --git a/patches.fixes/crypto-sha256-arm-fix-crash-bug-in-Thumb2-build.patch b/patches.fixes/crypto-sha256-arm-fix-crash-bug-in-Thumb2-build.patch
new file mode 100644
index 0000000000..9484ac0196
--- /dev/null
+++ b/patches.fixes/crypto-sha256-arm-fix-crash-bug-in-Thumb2-build.patch
@@ -0,0 +1,99 @@
+From 69216a545cf81b2b32d01948f7039315abaf75a0 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Sat, 16 Feb 2019 14:51:25 +0100
+Subject: [PATCH] crypto: sha256/arm - fix crash bug in Thumb2 build
+Git-commit: 69216a545cf81b2b32d01948f7039315abaf75a0
+Patch-mainline: v5.0
+References: bsc#1051510
+
+The SHA256 code we adopted from the OpenSSL project uses a rather
+peculiar way to take the address of the round constant table: it
+takes the address of the sha256_block_data_order() routine, and
+substracts a constant known quantity to arrive at the base of the
+table, which is emitted by the same assembler code right before
+the routine's entry point.
+
+However, recent versions of binutils have helpfully changed the
+behavior of references emitted via an ADR instruction when running
+in Thumb2 mode: it now takes the Thumb execution mode bit into
+account, which is bit 0 af the address. This means the produced
+table address also has bit 0 set, and so we end up with an address
+value pointing 1 byte past the start of the table, which results
+in crashes such as
+
+ Unable to handle kernel paging request at virtual address bf825000
+ pgd = 42f44b11
+ [bf825000] *pgd=80000040206003, *pmd=5f1bd003, *pte=00000000
+ Internal error: Oops: 207 [#1] PREEMPT SMP THUMB2
+ Modules linked in: sha256_arm(+) sha1_arm_ce sha1_arm ...
+ CPU: 7 PID: 396 Comm: cryptomgr_test Not tainted 5.0.0-rc6+ #144
+ Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
+ PC is at sha256_block_data_order+0xaaa/0xb30 [sha256_arm]
+ LR is at __this_module+0x17fd/0xffffe800 [sha256_arm]
+ pc : [<bf820bca>] lr : [<bf824ffd>] psr: 800b0033
+ sp : ebc8bbe8 ip : faaabe1c fp : 2fdd3433
+ r10: 4c5f1692 r9 : e43037df r8 : b04b0a5a
+ r7 : c369d722 r6 : 39c3693e r5 : 7a013189 r4 : 1580d26b
+ r3 : 8762a9b0 r2 : eea9c2cd r1 : 3e9ab536 r0 : 1dea4ae7
+ Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA Thumb Segment user
+ Control: 70c5383d Table: 6b8467c0 DAC: dbadc0de
+ Process cryptomgr_test (pid: 396, stack limit = 0x69e1fe23)
+ Stack: (0xebc8bbe8 to 0xebc8c000)
+ ...
+ unwind: Unknown symbol address bf820bca
+ unwind: Index not found bf820bca
+ Code: 441a ea80 40f9 440a (f85e) 3b04
+ ---[ end trace e560cce92700ef8a ]---
+
+Given that this affects older kernels as well, in case they are built
+with a recent toolchain, apply a minimal backportable fix, which is
+to emit another non-code label at the start of the routine, and
+reference that instead. (This is similar to the current upstream state
+of this file in OpenSSL)
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/crypto/sha256-armv4.pl | 3 ++-
+ arch/arm/crypto/sha256-core.S_shipped | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/crypto/sha256-armv4.pl b/arch/arm/crypto/sha256-armv4.pl
+index b9ec44060ed3..a03cf4dfb781 100644
+--- a/arch/arm/crypto/sha256-armv4.pl
++++ b/arch/arm/crypto/sha256-armv4.pl
+@@ -212,10 +212,11 @@ K256:
+ .global sha256_block_data_order
+ .type sha256_block_data_order,%function
+ sha256_block_data_order:
++.Lsha256_block_data_order:
+ #if __ARM_ARCH__<7
+ sub r3,pc,#8 @ sha256_block_data_order
+ #else
+- adr r3,sha256_block_data_order
++ adr r3,.Lsha256_block_data_order
+ #endif
+ #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
+ ldr r12,.LOPENSSL_armcap
+diff --git a/arch/arm/crypto/sha256-core.S_shipped b/arch/arm/crypto/sha256-core.S_shipped
+index 3b58300d611c..054aae0edfce 100644
+--- a/arch/arm/crypto/sha256-core.S_shipped
++++ b/arch/arm/crypto/sha256-core.S_shipped
+@@ -93,10 +93,11 @@ K256:
+ .global sha256_block_data_order
+ .type sha256_block_data_order,%function
+ sha256_block_data_order:
++.Lsha256_block_data_order:
+ #if __ARM_ARCH__<7
+ sub r3,pc,#8 @ sha256_block_data_order
+ #else
+- adr r3,sha256_block_data_order
++ adr r3,.Lsha256_block_data_order
+ #endif
+ #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
+ ldr r12,.LOPENSSL_armcap
+--
+2.16.4
+
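Review bot: The added `.Lsha256_block_data_order:` label sits directly under the function symbol with no comment, so it reads like a redundant duplicate and could be removed in a later tidy-up, which would bring the crash back. A one-line note at the label in both sha256-armv4.pl and sha256-core.S_shipped would record the reason, e.g. `@ local label for ADR: the function symbol carries the Thumb bit in Thumb2 builds`. The `__ARM_ARCH__<7` branch still derives the address from `pc` and is not touched by the change.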
diff --git a/patches.fixes/crypto-sha512-arm-fix-crash-bug-in-Thumb2-build.patch b/patches.fixes/crypto-sha512-arm-fix-crash-bug-in-Thumb2-build.patch
new file mode 100644
index 0000000000..cc777cec2a
--- /dev/null
+++ b/patches.fixes/crypto-sha512-arm-fix-crash-bug-in-Thumb2-build.patch
@@ -0,0 +1,99 @@
+From c64316502008064c158fa40cc250665e461b0f2a Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Sat, 16 Feb 2019 14:51:26 +0100
+Subject: [PATCH] crypto: sha512/arm - fix crash bug in Thumb2 build
+Git-commit: c64316502008064c158fa40cc250665e461b0f2a
+Patch-mainline: v5.0
+References: bsc#1051510
+
+The SHA512 code we adopted from the OpenSSL project uses a rather
+peculiar way to take the address of the round constant table: it
+takes the address of the sha256_block_data_order() routine, and
+substracts a constant known quantity to arrive at the base of the
+table, which is emitted by the same assembler code right before
+the routine's entry point.
+
+However, recent versions of binutils have helpfully changed the
+behavior of references emitted via an ADR instruction when running
+in Thumb2 mode: it now takes the Thumb execution mode bit into
+account, which is bit 0 af the address. This means the produced
+table address also has bit 0 set, and so we end up with an address
+value pointing 1 byte past the start of the table, which results
+in crashes such as
+
+ Unable to handle kernel paging request at virtual address bf825000
+ pgd = 42f44b11
+ [bf825000] *pgd=80000040206003, *pmd=5f1bd003, *pte=00000000
+ Internal error: Oops: 207 [#1] PREEMPT SMP THUMB2
+ Modules linked in: sha256_arm(+) sha1_arm_ce sha1_arm ...
+ CPU: 7 PID: 396 Comm: cryptomgr_test Not tainted 5.0.0-rc6+ #144
+ Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
+ PC is at sha256_block_data_order+0xaaa/0xb30 [sha256_arm]
+ LR is at __this_module+0x17fd/0xffffe800 [sha256_arm]
+ pc : [<bf820bca>] lr : [<bf824ffd>] psr: 800b0033
+ sp : ebc8bbe8 ip : faaabe1c fp : 2fdd3433
+ r10: 4c5f1692 r9 : e43037df r8 : b04b0a5a
+ r7 : c369d722 r6 : 39c3693e r5 : 7a013189 r4 : 1580d26b
+ r3 : 8762a9b0 r2 : eea9c2cd r1 : 3e9ab536 r0 : 1dea4ae7
+ Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA Thumb Segment user
+ Control: 70c5383d Table: 6b8467c0 DAC: dbadc0de
+ Process cryptomgr_test (pid: 396, stack limit = 0x69e1fe23)
+ Stack: (0xebc8bbe8 to 0xebc8c000)
+ ...
+ unwind: Unknown symbol address bf820bca
+ unwind: Index not found bf820bca
+ Code: 441a ea80 40f9 440a (f85e) 3b04
+ ---[ end trace e560cce92700ef8a ]---
+
+Given that this affects older kernels as well, in case they are built
+with a recent toolchain, apply a minimal backportable fix, which is
+to emit another non-code label at the start of the routine, and
+reference that instead. (This is similar to the current upstream state
+of this file in OpenSSL)
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/crypto/sha512-armv4.pl | 3 ++-
+ arch/arm/crypto/sha512-core.S_shipped | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/crypto/sha512-armv4.pl b/arch/arm/crypto/sha512-armv4.pl
+index fb5d15048c0b..788c17b56ecc 100644
+--- a/arch/arm/crypto/sha512-armv4.pl
++++ b/arch/arm/crypto/sha512-armv4.pl
+@@ -274,10 +274,11 @@ WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817)
+ .global sha512_block_data_order
+ .type sha512_block_data_order,%function
+ sha512_block_data_order:
++.Lsha512_block_data_order:
+ #if __ARM_ARCH__<7
+ sub r3,pc,#8 @ sha512_block_data_order
+ #else
+- adr r3,sha512_block_data_order
++ adr r3,.Lsha512_block_data_order
+ #endif
+ #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
+ ldr r12,.LOPENSSL_armcap
+diff --git a/arch/arm/crypto/sha512-core.S_shipped b/arch/arm/crypto/sha512-core.S_shipped
+index b1c334a49cda..710ea309769e 100644
+--- a/arch/arm/crypto/sha512-core.S_shipped
++++ b/arch/arm/crypto/sha512-core.S_shipped
+@@ -141,10 +141,11 @@ WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817)
+ .global sha512_block_data_order
+ .type sha512_block_data_order,%function
+ sha512_block_data_order:
++.Lsha512_block_data_order:
+ #if __ARM_ARCH__<7
+ sub r3,pc,#8 @ sha512_block_data_order
+ #else
+- adr r3,sha512_block_data_order
++ adr r3,.Lsha512_block_data_order
+ #endif
+ #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
+ ldr r12,.LOPENSSL_armcap
+--
+2.16.4
+
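Review bot: The added `.Lsha512_block_data_order:` label sits directly under the global `sha512_block_data_order:` in both sha512-armv4.pl and sha512-core.S_shipped, with nothing in either file saying why two labels mark the same address. The reason is recorded only in the patch description, so a later cleanup could fold the apparent duplicate back into the function symbol and reintroduce the off-by-one table address. I would put the reason on the label itself, for example `.Lsha512_block_data_order:	@ non-function label: ADR on the %function symbol sets bit 0 in Thumb2`. The routine continues outside both hunks, so the table arithmetic that consumes r3 is not visible here.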
diff --git a/patches.fixes/crypto-x86-poly1305-fix-overflow-during-partial-redu.patch b/patches.fixes/crypto-x86-poly1305-fix-overflow-during-partial-redu.patch
new file mode 100644
index 0000000000..e98eb72b04
--- /dev/null
+++ b/patches.fixes/crypto-x86-poly1305-fix-overflow-during-partial-redu.patch
@@ -0,0 +1,192 @@
+From 678cce4019d746da6c680c48ba9e6d417803e127 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sun, 31 Mar 2019 13:04:11 -0700
+Subject: [PATCH] crypto: x86/poly1305 - fix overflow during partial reduction
+Git-commit: 678cce4019d746da6c680c48ba9e6d417803e127
+Patch-mainline: v5.1-rc6
+References: bsc#1051510
+
+The x86_64 implementation of Poly1305 produces the wrong result on some
+inputs because poly1305_4block_avx2() incorrectly assumes that when
+partially reducing the accumulator, the bits carried from limb 'd4' to
+limb 'h0' fit in a 32-bit integer. This is true for poly1305-generic
+which processes only one block at a time. However, it's not true for
+the AVX2 implementation, which processes 4 blocks at a time and
+therefore can produce intermediate limbs about 4x larger.
+
+Fix it by making the relevant calculations use 64-bit arithmetic rather
+than 32-bit. Note that most of the carries already used 64-bit
+arithmetic, but the d4 -> h0 carry was different for some reason.
+
+To be safe I also made the same change to the corresponding SSE2 code,
+though that only operates on 1 or 2 blocks at a time. I don't think
+it's really needed for poly1305_block_sse2(), but it doesn't hurt
+because it's already x86_64 code. It *might* be needed for
+poly1305_2block_sse2(), but overflows aren't easy to reproduce there.
+
+This bug was originally detected by my patches that improve testmgr to
+fuzz algorithms against their generic implementation. But also add a
+test vector which reproduces it directly (in the AVX2 case).
+
+Fixes: b1ccc8f4b631 ("crypto: poly1305 - Add a four block AVX2 variant for x86_64")
+Fixes: c70f4abef07a ("crypto: poly1305 - Add a SSE2 SIMD variant for x86_64")
+Cc: <stable@vger.kernel.org> # v4.3+
+Cc: Martin Willi <martin@strongswan.org>
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Martin Willi <martin@strongswan.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/x86/crypto/poly1305-avx2-x86_64.S | 14 +++++++---
+ arch/x86/crypto/poly1305-sse2-x86_64.S | 22 ++++++++++------
+ crypto/testmgr.h | 44 ++++++++++++++++++++++++++++++++-
+ 3 files changed, 67 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/crypto/poly1305-avx2-x86_64.S
++++ b/arch/x86/crypto/poly1305-avx2-x86_64.S
+@@ -323,6 +323,12 @@ ENTRY(poly1305_4block_avx2)
+ vpaddq t2,t1,t1
+ vmovq t1x,d4
+
++ # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 ->
++ # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small
++ # amount. Careful: we must not assume the carry bits 'd0 >> 26',
++ # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit
++ # integers. It's true in a single-block implementation, but not here.
++
+ # d1 += d0 >> 26
+ mov d0,%rax
+ shr $26,%rax
+@@ -361,16 +367,16 @@ ENTRY(poly1305_4block_avx2)
+ # h0 += (d4 >> 26) * 5
+ mov d4,%rax
+ shr $26,%rax
+- lea (%eax,%eax,4),%eax
+- add %eax,%ebx
++ lea (%rax,%rax,4),%rax
++ add %rax,%rbx
+ # h4 = d4 & 0x3ffffff
+ mov d4,%rax
+ and $0x3ffffff,%eax
+ mov %eax,h4
+
+ # h1 += h0 >> 26
+- mov %ebx,%eax
+- shr $26,%eax
++ mov %rbx,%rax
++ shr $26,%rax
+ add %eax,h1
+ # h0 = h0 & 0x3ffffff
+ andl $0x3ffffff,%ebx
+--- a/arch/x86/crypto/poly1305-sse2-x86_64.S
++++ b/arch/x86/crypto/poly1305-sse2-x86_64.S
+@@ -253,16 +253,16 @@ ENTRY(poly1305_block_sse2)
+ # h0 += (d4 >> 26) * 5
+ mov d4,%rax
+ shr $26,%rax
+- lea (%eax,%eax,4),%eax
+- add %eax,%ebx
++ lea (%rax,%rax,4),%rax
++ add %rax,%rbx
+ # h4 = d4 & 0x3ffffff
+ mov d4,%rax
+ and $0x3ffffff,%eax
+ mov %eax,h4
+
+ # h1 += h0 >> 26
+- mov %ebx,%eax
+- shr $26,%eax
++ mov %rbx,%rax
++ shr $26,%rax
+ add %eax,h1
+ # h0 = h0 & 0x3ffffff
+ andl $0x3ffffff,%ebx
+@@ -520,6 +520,12 @@ ENTRY(poly1305_2block_sse2)
+ paddq t2,t1
+ movq t1,d4
+
++ # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 ->
++ # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small
++ # amount. Careful: we must not assume the carry bits 'd0 >> 26',
++ # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit
++ # integers. It's true in a single-block implementation, but not here.
++
+ # d1 += d0 >> 26
+ mov d0,%rax
+ shr $26,%rax
+@@ -558,16 +564,16 @@ ENTRY(poly1305_2block_sse2)
+ # h0 += (d4 >> 26) * 5
+ mov d4,%rax
+ shr $26,%rax
+- lea (%eax,%eax,4),%eax
+- add %eax,%ebx
++ lea (%rax,%rax,4),%rax
++ add %rax,%rbx
+ # h4 = d4 & 0x3ffffff
+ mov d4,%rax
+ and $0x3ffffff,%eax
+ mov %eax,h4
+
+ # h1 += h0 >> 26
+- mov %ebx,%eax
+- shr $26,%eax
++ mov %rbx,%rax
++ shr $26,%rax
+ add %eax,h1
+ # h0 = h0 & 0x3ffffff
+ andl $0x3ffffff,%ebx
+--- a/crypto/testmgr.h
++++ b/crypto/testmgr.h
+@@ -4517,7 +4517,49 @@ static const struct hash_testvec poly130
+ .psize = 80,
+ .digest = "\x13\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00",
+- },
++ }, { /* Regression test for overflow in AVX2 implementation */
++ .plaintext = "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff",
++ .psize = 300,
++ .digest = "\xfb\x5e\x96\xd8\x61\xd5\xc7\xc8"
++ "\x78\xe5\x87\xcc\x2d\x5a\x22\xe1",
++ }
+ };
+
+ /*
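Review bot: In all three `h1 += h0 >> 26` steps (poly1305_4block_avx2, poly1305_block_sse2, poly1305_2block_sse2) the carry is now computed in `%rax` but still added with `add %eax,h1`, and nothing says why dropping the upper half is safe there, right after a new comment warns that carries may not fit in 32 bits. If `%rbx` holds the masked d0 plus `(d4 >> 26) * 5` at that point, as the inline comments suggest, the shifted value is far below 2^32, and I would record that: `# h0 >> 26 fits in 32 bits even for a full 64-bit d4, so the 32-bit add is exact`. The code that sets up `%rbx` is outside these hunks, so the bound should be confirmed against the full routines. Separately, the new testmgr vector is labelled as covering the AVX2 path, and the poly1305_2block_sse2 change gets no directed vector in this patch.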
diff --git a/patches.suse/bonding-fix-PACKET_ORIGDEV-regression.patch b/patches.suse/bonding-fix-PACKET_ORIGDEV-regression.patch
new file mode 100644
index 0000000000..3f51d716b1
--- /dev/null
+++ b/patches.suse/bonding-fix-PACKET_ORIGDEV-regression.patch
@@ -0,0 +1,96 @@
+From: Michal Soltys <soltys@ziu.info>
+Date: Mon, 18 Feb 2019 17:55:28 +0100
+Subject: bonding: fix PACKET_ORIGDEV regression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: 3c963a3306eada999be5ebf4f293dfa3d3945487
+Patch-mainline: v5.0-rc8
+References: git-fixes
+
+This patch fixes a subtle PACKET_ORIGDEV regression which was a side
+effect of fixes introduced by:
+
+6a9e461f6fe4 bonding: pass link-local packets to bonding master also.
+
+... to:
+
+b89f04c61efe bonding: deliver link-local packets with skb->dev set to link that packets arrived on
+
+While 6a9e461f6fe4 restored pre-b89f04c61efe presence of link-local
+packets on bonding masters (which is required e.g. by linux bridges
+participating in spanning tree or needed for lab-like setups created
+with group_fwd_mask) it also caused the originating device
+information to be lost due to cloning.
+
+Maciej Żenczykowski proposed another solution that doesn't require
+packet cloning and retains original device information - instead of
+returning RX_HANDLER_PASS for all link-local packets it's now limited
+only to packets from inactive slaves.
+
+At the same time, packets passed to bonding masters retain correct
+information about the originating device and PACKET_ORIGDEV can be used
+to determine it.
+
+This elegantly solves all issues so far:
+
+- link-local packets that were removed from bonding masters
+- LLDP daemons being forced to explicitly bind to slave interfaces
+- PACKET_ORIGDEV having no effect on bond interfaces
+
+Fixes: 6a9e461f6fe4 (bonding: pass link-local packets to bonding master also.)
+Reported-by: Vincent Bernat <vincent@bernat.ch>
+Signed-off-by: Michal Soltys <soltys@ziu.info>
+Signed-off-by: Maciej Żenczykowski <maze@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/bonding/bond_main.c | 35 ++++++++++++++---------------------
+ 1 file changed, 14 insertions(+), 21 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1177,29 +1177,22 @@ static rx_handler_result_t bond_handle_f
+ }
+ }
+
+- /* Link-local multicast packets should be passed to the
+- * stack on the link they arrive as well as pass them to the
+- * bond-master device. These packets are mostly usable when
+- * stack receives it with the link on which they arrive
+- * (e.g. LLDP) they also must be available on master. Some of
+- * the use cases include (but are not limited to): LLDP agents
+- * that must be able to operate both on enslaved interfaces as
+- * well as on bonds themselves; linux bridges that must be able
+- * to process/pass BPDUs from attached bonds when any kind of
+- * STP version is enabled on the network.
++ /*
++ * For packets determined by bond_should_deliver_exact_match() call to
++ * be suppressed we want to make an exception for link-local packets.
++ * This is necessary for e.g. LLDP daemons to be able to monitor
++ * inactive slave links without being forced to bind to them
++ * explicitly.
++ *
++ * At the same time, packets that are passed to the bonding master
++ * (including link-local ones) can have their originating interface
++ * determined via PACKET_ORIGDEV socket option.
+ */
+- if (is_link_local_ether_addr(eth_hdr(skb)->h_dest)) {
+- struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC);
+-
+- if (nskb) {
+- nskb->dev = bond->dev;
+- nskb->queue_mapping = 0;
+- netif_rx(nskb);
+- }
+- return RX_HANDLER_PASS;
+- }
+- if (bond_should_deliver_exact_match(skb, slave, bond))
++ if (bond_should_deliver_exact_match(skb, slave, bond)) {
++ if (is_link_local_ether_addr(eth_hdr(skb)->h_dest))
++ return RX_HANDLER_PASS;
+ return RX_HANDLER_EXACT;
++ }
+
+ skb->dev = bond->dev;
+
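Review bot: The new block comment in bond_handle_frame() explains why link-local frames are exempted, but not what the early `return RX_HANDLER_PASS;` leaves behind. It returns before `skb->dev = bond->dev;`, so those frames go up the stack still attributed to the inactive slave rather than to the bond. A short comment on the return would make that explicit, e.g. `/* skb->dev stays the slave here; not re-attributed to the bond */`. The opening sentence of the block comment is also hard to parse; something like `Frames that bond_should_deliver_exact_match() would suppress are exact-match only, except link-local ones.` reads more directly. The function starts and continues outside the hunk.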
diff --git a/patches.suse/bridge-do-not-add-port-to-router-list-when-receives-.patch b/patches.suse/bridge-do-not-add-port-to-router-list-when-receives-.patch
deleted file mode 100644
index 3a761784fc..0000000000
--- a/patches.suse/bridge-do-not-add-port-to-router-list-when-receives-.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From: Hangbin Liu <liuhangbin@gmail.com>
-Date: Fri, 26 Oct 2018 10:28:43 +0800
-Subject: bridge: do not add port to router list when receives query with
- source 0.0.0.0
-Git-commit: 5a2de63fd1a59c30c02526d427bc014b98adf508
-Patch-mainline: v4.20-rc1
-References: networking-stable-18_11_02
-
-Based on RFC 4541, 2.1.1. IGMP Forwarding Rules
-
- The switch supporting IGMP snooping must maintain a list of
- multicast routers and the ports on which they are attached. This
- list can be constructed in any combination of the following ways:
-
- a) This list should be built by the snooping switch sending
- Multicast Router Solicitation messages as described in IGMP
- Multicast Router Discovery [MRDISC]. It may also snoop
- Multicast Router Advertisement messages sent by and to other
- nodes.
-
- b) The arrival port for IGMP Queries (sent by multicast routers)
- where the source address is not 0.0.0.0.
-
-We should not add the port to router list when receives query with source
-0.0.0.0.
-
-Reported-by: Ying Xu <yinxu@redhat.com>
-Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
-Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
-Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Jiri Slaby <jslaby@suse.cz>
----
- net/bridge/br_multicast.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
---- a/net/bridge/br_multicast.c
-+++ b/net/bridge/br_multicast.c
-@@ -1390,7 +1390,15 @@ static void br_multicast_query_received(
- return;
-
- br_multicast_update_query_timer(br, query, max_delay);
-- br_multicast_mark_router(br, port);
-+
-+ /* Based on RFC4541, section 2.1.1 IGMP Forwarding Rules,
-+ * the arrival port for IGMP Queries where the source address
-+ * is 0.0.0.0 should not be added to router port list.
-+ */
-+ if ((saddr->proto == htons(ETH_P_IP) && saddr->u.ip4) ||
-+ (saddr->proto == htons(ETH_P_IPV6) &&
-+ !ipv6_addr_any(&saddr->u.ip6)))
-+ br_multicast_mark_router(br, port);
- }
-
- static int br_ip4_multicast_query(struct net_bridge *br,
diff --git a/patches.suse/net-bridge-remove-ipv6-zero-address-check-in-mcast-q.patch b/patches.suse/net-bridge-remove-ipv6-zero-address-check-in-mcast-q.patch
deleted file mode 100644
index eb9683a522..0000000000
--- a/patches.suse/net-bridge-remove-ipv6-zero-address-check-in-mcast-q.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
-Date: Sat, 27 Oct 2018 12:07:47 +0300
-Subject: net: bridge: remove ipv6 zero address check in mcast queries
-Git-commit: 0fe5119e267f3e3d8ac206895f5922195ec55a8a
-Patch-mainline: v4.20-rc1
-References: git-fixes
-
-Recently a check was added which prevents marking of routers with zero
-source address, but for IPv6 that cannot happen as the relevant RFCs
-actually forbid such packets:
-RFC 2710 (MLDv1):
-"To be valid, the Query message MUST
- come from a link-local IPv6 Source Address, be at least 24 octets
- long, and have a correct MLD checksum."
-
-Same goes for RFC 3810.
-
-And also it can be seen as a requirement in ipv6_mc_check_mld_query()
-which is used by the bridge to validate the message before processing
-it. Thus any queries with :: source address won't be processed anyway.
-So just remove the check for zero IPv6 source address from the query
-processing function.
-
-Fixes: 5a2de63fd1a5 ("bridge: do not add port to router list when receives query with source 0.0.0.0")
-Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Jiri Slaby <jslaby@suse.cz>
----
- net/bridge/br_multicast.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
-index 41cdafbf2ebe..6bac0d6b7b94 100644
---- a/net/bridge/br_multicast.c
-+++ b/net/bridge/br_multicast.c
-@@ -1428,8 +1428,7 @@ static void br_multicast_query_received(struct net_bridge *br,
- * is 0.0.0.0 should not be added to router port list.
- */
- if ((saddr->proto == htons(ETH_P_IP) && saddr->u.ip4) ||
-- (saddr->proto == htons(ETH_P_IPV6) &&
-- !ipv6_addr_any(&saddr->u.ip6)))
-+ saddr->proto == htons(ETH_P_IPV6))
- br_multicast_mark_router(br, port);
- }
-
---
-2.19.2
-
diff --git a/patches.suse/rds-fix-refcount-bug-in-rds_sock_addref.patch b/patches.suse/rds-fix-refcount-bug-in-rds_sock_addref.patch
new file mode 100644
index 0000000000..4c7aaa91f1
--- /dev/null
+++ b/patches.suse/rds-fix-refcount-bug-in-rds_sock_addref.patch
@@ -0,0 +1,98 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 31 Jan 2019 08:47:10 -0800
+Subject: rds: fix refcount bug in rds_sock_addref
+Git-commit: 6fa19f5637a6c22bc0999596bcc83bdcac8a4fa6
+Patch-mainline: v5.0-rc6
+References: git-fixes
+
+syzbot was able to catch a bug in rds [1]
+
+The issue here is that the socket might be found in a hash table
+but that its refcount has already be set to 0 by another cpu.
+
+We need to use refcount_inc_not_zero() to be safe here.
+
+[1]
+
+refcount_t: increment on 0; use-after-free.
+WARNING: CPU: 1 PID: 23129 at lib/refcount.c:153 refcount_inc_checked lib/refcount.c:153 [inline]
+WARNING: CPU: 1 PID: 23129 at lib/refcount.c:153 refcount_inc_checked+0x61/0x70 lib/refcount.c:151
+Kernel panic - not syncing: panic_on_warn set ...
+CPU: 1 PID: 23129 Comm: syz-executor3 Not tainted 5.0.0-rc4+ #53
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
+ panic+0x2cb/0x65c kernel/panic.c:214
+ __warn.cold+0x20/0x48 kernel/panic.c:571
+ report_bug+0x263/0x2b0 lib/bug.c:186
+ fixup_bug arch/x86/kernel/traps.c:178 [inline]
+ fixup_bug arch/x86/kernel/traps.c:173 [inline]
+ do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
+ do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:290
+ invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
+RIP: 0010:refcount_inc_checked lib/refcount.c:153 [inline]
+RIP: 0010:refcount_inc_checked+0x61/0x70 lib/refcount.c:151
+Code: 1d 51 63 c8 06 31 ff 89 de e8 eb 1b f2 fd 84 db 75 dd e8 a2 1a f2 fd 48 c7 c7 60 9f 81 88 c6 05 31 63 c8 06 01 e8 af 65 bb fd <0f> 0b eb c1 90 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 54 49
+RSP: 0018:ffff8880a0cbf1e8 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90006113000
+RDX: 000000000001047d RSI: ffffffff81685776 RDI: 0000000000000005
+RBP: ffff8880a0cbf1f8 R08: ffff888097c9e100 R09: ffffed1015ce5021
+R10: ffffed1015ce5020 R11: ffff8880ae728107 R12: ffff8880723c20c0
+R13: ffff8880723c24b0 R14: dffffc0000000000 R15: ffffed1014197e64
+ sock_hold include/net/sock.h:647 [inline]
+ rds_sock_addref+0x19/0x20 net/rds/af_rds.c:675
+ rds_find_bound+0x97c/0x1080 net/rds/bind.c:82
+ rds_recv_incoming+0x3be/0x1430 net/rds/recv.c:362
+ rds_loop_xmit+0xf3/0x2a0 net/rds/loop.c:96
+ rds_send_xmit+0x1355/0x2a10 net/rds/send.c:355
+ rds_sendmsg+0x323c/0x44e0 net/rds/send.c:1368
+ sock_sendmsg_nosec net/socket.c:621 [inline]
+ sock_sendmsg+0xdd/0x130 net/socket.c:631
+ __sys_sendto+0x387/0x5f0 net/socket.c:1788
+ __do_sys_sendto net/socket.c:1800 [inline]
+ __se_sys_sendto net/socket.c:1796 [inline]
+ __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1796
+ do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x458089
+Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007fc266df8c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000458089
+RDX: 0000000000000000 RSI: 00000000204b3fff RDI: 0000000000000005
+RBP: 000000000073bf00 R08: 00000000202b4000 R09: 0000000000000010
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc266df96d4
+R13: 00000000004c56e4 R14: 00000000004d94a8 R15: 00000000ffffffff
+
+[js] sk_refcnt is atomic_t in 4.12 yet, not refcount.
+
+Fixes: cc4dfb7f70a3 ("rds: fix two RCU related problems")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Cc: rds-devel@oss.oracle.com
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/rds/bind.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/rds/bind.c
++++ b/net/rds/bind.c
+@@ -62,10 +62,10 @@ struct rds_sock *rds_find_bound(__be32 a
+
+ rcu_read_lock();
+ rs = rhashtable_lookup(&bind_hash_table, &key, ht_parms);
+- if (rs && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD))
+- rds_sock_addref(rs);
+- else
++ if (rs && (sock_flag(rds_rs_to_sk(rs), SOCK_DEAD) ||
++ !atomic_inc_not_zero(&rds_rs_to_sk(rs)->sk_refcnt)))
+ rs = NULL;
++
+ rcu_read_unlock();
+
+ rdsdebug("returning rs %p for %pI4:%u\n", rs, &addr,
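Review bot: The open-coded `atomic_inc_not_zero(&rds_rs_to_sk(rs)->sk_refcnt)` in rds_find_bound() replaces rds_sock_addref() without a code comment, so the reason for bypassing the helper lives only in the patch description and its `[js]` line. I would add above the condition: `/* rs can still be hashed with refcount 0; take a ref only if non-zero (sk_refcnt is atomic_t here) */`. The SOCK_DEAD test runs before the reference is taken, so it is only a hint; the conditional increment is what keeps the lookup from handing back a socket that is being freed, and the comment could say so. The function starts and ends outside the hunk.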
diff --git a/series.conf b/series.conf
index fbf6e084a2..6580529dfd 100644
--- a/series.conf
+++ b/series.conf
@@ -16724,6 +16724,7 @@
patches.drivers/cxgb4-update-LE-TCAM-collection-for-T6.patch
patches.drivers/rsi-Fix-invalid-vdd-warning-in-mmc.patch
patches.drivers/mwifiex-pcie-tighten-a-check-in-mwifiex_pcie_process
+ patches.drivers/ath10k-avoid-possible-string-overflow.patch
patches.drivers/ath10k-correct-target-assert-problem-due-to-CE5-stuc
patches.drivers/ath10k-search-all-IEs-for-variant-before-falling-bac
patches.drivers/iwlwifi-fw-harden-page-loading-code
@@ -19355,6 +19356,7 @@
patches.drivers/ACPI-LPSS-Add-alternative-ACPI-HIDs-for-Cherry-Trail.patch
patches.drivers/ACPI-processor-Fix-the-return-value-of-acpi_processo.patch
patches.drivers/mailbox-PCC-handle-parse-error.patch
+ patches.fixes/ACPI-SBS-Fix-GPE-storm-on-recent-MacBookPro-s.patch
patches.fixes/0001-xen-swiotlb-use-actually-allocated-size-on-check-phy.patch
patches.arch/s390-sthyi-fix-machine-name-validity-indication
patches.fixes/s390-sles12sp4-pkey-move-pckmo-subfunction-available-checks-away-from-module-init.patch
@@ -19414,6 +19416,7 @@
patches.drivers/0001-iwlwifi-fix-LED-command-capability-bit.patch
patches.drivers/iwlwifi-mvm-Allow-TKIP-for-AP-mode.patch
patches.drivers/Bluetooth-btbcm-Add-entry-for-BCM4335C0-UART-bluetoo.patch
+ patches.fixes/0001-cxgb4-remove-the-unneeded-locks.patch
patches.fixes/0001-cxgb4-use-FW_PORT_ACTION_L1_CFG32-for-32-bit-capabil.patch
patches.drivers/net-hns3-Fix-for-rx-vlan-id-handle-to-support-Rev-0x.patch
patches.drivers/iwlwifi-mvm-check-for-n_profiles-validity-in-EWRD-AC.patch
@@ -19447,6 +19450,7 @@
patches.drivers/net-ena-Fix-Kconfig-dependency-on-X86.patch
patches.drivers/net-ena-enable-Low-Latency-Queues.patch
patches.fixes/xfrm-use-complete-IPv6-addresses-for-hash.patch
+ patches.fixes/0001-cxgb4-fix-the-error-path-of-cxgb4_uld_register.patch
patches.drivers/Bluetooth-btsdio-Do-not-bind-to-non-removable-BCM43430.patch
patches.drivers/net-ena-fix-compilation-error-in-xtensa-architecture.patch
patches.fixes/llc-do-not-use-sk_eat_skb.patch
@@ -19660,6 +19664,7 @@
patches.fixes/cifs-OFD-locks-do-not-conflict-with-eachothers.patch
patches.fixes/smb3-do-not-attempt-cifs-operation-in-smb3-query-inf.patch
patches.fixes/NFSv4.1-Fix-the-r-wsize-checking.patch
+ patches.fixes/NFS-Fix-dentry-revalidation-on-NFSv4-lookup.patch
patches.fixes/nfs-Fix-a-missed-page-unlock-after-pg_doio.patch
patches.fixes/sunrpc-safely-reallow-resvport-min-max-inversion.patch
patches.fixes/xprtrdma-Reset-credit-grant-properly-after-a-disconn.patch
@@ -19698,7 +19703,6 @@
patches.arch/powerpc-traps-restore-recoverability-of-machine_chec.patch
patches.suse/net-udp-fix-handling-of-CHECKSUM_COMPLETE-packets.patch
patches.suse/ipv6-ndisc-Preserve-IPv6-control-buffer-if-protocol-.patch
- patches.suse/bridge-do-not-add-port-to-router-list-when-receives-.patch
patches.fixes/include-linux-pfn_t.h-force-to-be-parsed-as-an-unary.patch
patches.suse/mm-don-t-warn-about-large-allocations-for-slab.patch
patches.fixes/0001-mm-rework-memcg-kernel-stack-accounting.patch
@@ -19722,10 +19726,10 @@
patches.drm/drm-i915-dp-Link-train-Fallback-on-eDP-only-if-fallb.patch
patches.drm/drm-i915-Large-page-offsets-for-pread-pwrite.patch
patches.drm/0001-drm-i915-gen9-Fix-initial-readout-for-Y-tiled-frameb.patch
- patches.suse/net-bridge-remove-ipv6-zero-address-check-in-mcast-q.patch
patches.suse/net-sched-gred-pass-the-right-attribute-to-gred_chan.patch
patches.fixes/v9fs_dir_readdir-fix-double-free-on-p9stat_read-erro.patch
patches.fixes/9p-clear-dangling-pointers-in-p9stat_free.patch
+ patches.fixes/9p-do-not-trust-pdu-content-for-stat-item-size.patch
patches.fixes/9p-locks-fix-glock.client_id-leak-in-do_lock.patch
patches.fixes/fsnotify-Fix-busy-inodes-during-unmount.patch
patches.drivers/staging-iio-ad7606-fix-voltage-scales.patch
@@ -20912,6 +20916,7 @@
patches.suse/l2tp-fix-reading-optional-fields-of-L2TPv3.patch
patches.suse/ipvlan-l3mdev-fix-broken-l3s-mode-wrt-local-routes.patch
patches.suse/l2tp-copy-4-more-bytes-to-linear-part-if-necessary.patch
+ patches.suse/rds-fix-refcount-bug-in-rds_sock_addref.patch
patches.drivers/skge-potential-memory-corruption-in-skge_get_regs.patch
patches.fixes/mac80211-ensure-that-mgmt-tx-skbs-have-tailroom-for-.patch
patches.drivers/batman-adv-Avoid-WARN-on-net_device-without-parent-i.patch
@@ -21009,6 +21014,7 @@
patches.drivers/pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch
patches.drivers/ALSA-hda-realtek-Headset-microphone-and-internal-spe.patch
patches.drivers/ALSA-hda-realtek-Disable-PC-beep-in-passthrough-on-a.patch
+ patches.drivers/ASoC-topology-free-created-components-in-tplg-load-e.patch
patches.fixes/libceph-handle-an-empty-authorize-reply.patch
patches.fixes/ceph-avoid-repeatedly-adding-inode-to-mdsc-snap_flush_list.patch
patches.drivers/clk-sunxi-ng-v3s-Fix-TCON-reset-de-assert-bit.patch
@@ -21021,6 +21027,7 @@
patches.drivers/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-iscsi_complete_task
patches.fixes/scsi-core-reset-host-byte-in-DID_NEXUS_FAILURE-case.patch
patches.suse/missing-barriers-in-some-of-unix_sock-addr-and-path-.patch
+ patches.suse/bonding-fix-PACKET_ORIGDEV-regression.patch
patches.suse/net-avoid-false-positives-in-untrusted-gso-validatio.patch
patches.suse/ipvlan-disallow-userns-cap_net_admin-to-change-globa.patch
patches.fixes/mac80211_hwsim-propagate-genlmsg_reply-return-code.patch
@@ -21032,6 +21039,8 @@
patches.fixes/0001-nfp-bpf-fix-ALU32-high-bits-clearance-bug.patch
patches.suse/net-x25-fix-a-race-in-x25_bind.patch
patches.fixes/0001-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch
+ patches.fixes/crypto-sha256-arm-fix-crash-bug-in-Thumb2-build.patch
+ patches.fixes/crypto-sha512-arm-fix-crash-bug-in-Thumb2-build.patch
patches.drivers/mmc-spi-Fix-card-detection-during-probe.patch
patches.drivers/mmc-tmio_mmc_core-don-t-claim-spurious-interrupts.patch
patches.drm/drm-Block-fb-changes-for-async-plane-updates.patch
@@ -21224,6 +21233,7 @@
patches.drm/drm-Auto-set-allow_fb_modifiers-when-given-modifiers.patch
patches.drm/0003-drm-shmob-Fix-return-value-check-in-shmob_drm_probe.patch
patches.drm/drm-disable-uncached-DMA-optimization-for-ARM-and-ar.patch
+ patches.drm/drm-nouveau-volt-gf117-fix-speedo-readout-register.patch
patches.drm/0001-drm-nouveau-bios-ramcfg-fix-missing-parentheses-when.patch
patches.drm/0002-drm-nouveau-pmu-don-t-print-reply-values-if-exec-is-.patch
patches.drm/0003-drm-nouveau-Don-t-WARN_ON-VCPI-allocation-failures.patch
@@ -21437,6 +21447,7 @@
patches.drm/drm-i915-bios-assume-eDP-is-present-on-port-A-when-t.patch
patches.drm/0001-drm-vmwgfx-Don-t-double-free-the-mode-stored-in-par-.patch
patches.drivers/mmc-pxamci-fix-enum-type-confusion.patch
+ patches.drivers/mmc-davinci-remove-extraneous-__init-annotation.patch
patches.drivers/ALSA-echoaudio-add-a-check-for-ioremap_nocache.patch
patches.drivers/ALSA-sb8-add-a-check-for-request_region.patch
patches.drivers/ALSA-firewire-motu-use-version-field-of-unit-directo.patch
@@ -21528,6 +21539,7 @@
patches.fixes/batman-adv-Reduce-tt_local-hash-refcnt-only-for-remo.patch
patches.fixes/batman-adv-Reduce-tt_global-hash-refcnt-only-for-rem.patch
patches.drivers/fm10k-Fix-a-potential-NULL-pointer-dereference.patch
+ patches.fixes/bpf-fix-use-after-free-in-bpf_evict_inode.patch
patches.suse/kcm-switch-order-of-device-registration-to-fix-a-cra.patch
patches.drivers/ibmvnic-Fix-completion-structure-initialization.patch
patches.drm/drm-i915-gvt-do-not-deliver-a-workload-if-its-creati.patch
@@ -21544,10 +21556,17 @@
patches.drm/drm-i915-gvt-Annotate-iomem-usage.patch
patches.drivers/ALSA-seq-Fix-OOB-reads-from-strlcpy.patch
patches.drivers/ALSA-hda-Add-two-more-machines-to-the-power_save_bla.patch
+ patches.drivers/ASoC-fsl_esai-fix-channel-swap-issue-when-stream-sta.patch
patches.drivers/iommu-amd-set-exclusion-range-correctly
patches.arch/powerpc-vdso32-fix-CLOCK_MONOTONIC-on-PPC64.patch
+ patches.drivers/PCI-Add-function-1-DMA-alias-quirk-for-Marvell-9170-.patch
patches.fixes/0001-PCI-pciehp-Ignore-Link-State-Changes-after-powering-.patch
patches.arch/svm-avic-fix-invalidate-logical-apic-id-entry
+ patches.fixes/crypto-x86-poly1305-fix-overflow-during-partial-redu.patch
+ patches.drivers/Input-snvs_pwrkey-initialize-necessary-driver-data-b.patch
+ patches.drivers/iio-cros_ec-Fix-the-maths-for-gyro-scale-calculation.patch
+ patches.drivers/iio-ad_sigma_delta-select-channel-when-reading-regis.patch
+ patches.drivers/iio-core-fix-a-possible-circular-locking-dependency.patch
patches.arch/x86-speculation-prevent-deadlock-on-ssb_state-lock.patch
patches.drivers/ALSA-hda-Initialize-power_state-field-properly.patch
patches.drivers/ALSA-info-Fix-racy-addition-deletion-of-nodes.patch