Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKernel Build Daemon <kbuild@suse.de>2019-05-24 07:05:23 +0200
committerKernel Build Daemon <kbuild@suse.de>2019-05-24 07:05:23 +0200
commit7616721c04938dd9862052e1df9334dae8c35e65 (patch)
tree306c06eaa0b73349a7dd5150571b3f821650ff5a
parent910dd3d7ee6850e8017dab6875ac98de23d68ce5 (diff)
parentfbf32ade743761f6fbeb4c81da24ee03beff8c90 (diff)
Merge branch 'SLE15' into SLE15-AZURE
-rw-r--r--blacklist.conf4
-rw-r--r--patches.arch/s390-qdio-clear-intparm-during-shutdown44
-rw-r--r--patches.arch/s390-sles15-kmsg-update-2019-03-08.patch319
-rw-r--r--patches.drivers/iw_cxgb4-only-allow-1-flush-on-user-qps.patch60
-rw-r--r--patches.drivers/mac8390-Fix-mmio-access-size-probe.patch74
-rw-r--r--patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch1
-rw-r--r--patches.fixes/9p-locks-add-mount-option-for-lock-retry-interval.patch123
-rw-r--r--patches.fixes/9p-locks-fix-glock.client_id-leak-in-do_lock.patch12
-rw-r--r--patches.fixes/MD-fix-invalid-stored-role-for-a-disk.patch47
-rw-r--r--patches.fixes/crypto-vmx-CTR-always-increment-IV-as-quadword.patch61
-rw-r--r--patches.fixes/dccp-Fix-memleak-in-__feat_register_sp.patch43
-rw-r--r--patches.fixes/debugfs-fix-use-after-free-on-symlink-traversal.patch51
-rw-r--r--patches.fixes/ipconfig-Correctly-initialise-ic_nameservers.patch85
-rw-r--r--patches.fixes/ipvlan-Add-the-skb-mark-as-flow4-s-member-to-lookup-.patch34
-rw-r--r--patches.fixes/ipvlan-fix-ipv6-outbound-device.patch36
-rw-r--r--patches.fixes/ipvlan-use-ETH_MAX_MTU-as-max-mtu.patch35
-rw-r--r--patches.fixes/ipvs-Fix-signed-integer-overflow-when-setsockopt-tim.patch93
-rw-r--r--patches.fixes/ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_d.patch87
-rw-r--r--patches.fixes/l2tp-cleanup-l2tp_tunnel_delete-calls.patch58
-rw-r--r--patches.fixes/l2tp-revert-l2tp-fix-missing-print-session-offset-in.patch35
-rw-r--r--patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch91
-rw-r--r--series.conf18
22 files changed, 1405 insertions, 6 deletions
diff --git a/blacklist.conf b/blacklist.conf
index 7f745bdd04..5b4957c265 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1124,3 +1124,7 @@ ed180abba7f1fc3cf04ffa27767b1bcc8e8c842a # sound/hda: breaks kABI
e2771deb5dece1acde9a406538e4f7ef9262d5cd # recently dropped: drm/sun4i: rgb: Change the pixel clock validation check
75fdb811d93c8aa4a9f73b63db032b1e6a8668ef # Duplicate of 1e8b15a1988ed3c7429402017d589422628cdf47: drm/i915/gvt: Add in context mmio 0x20D8 to gen9 mmio list
6fcc44d1d77fea3c7230e4d109b37f6977aa675a # Duplicate of 2c88e3c7ec32d7a40cc7c9b4a487cf90e4671bdd: block: fix use-after-free on gendisk
+c8ea3663f7a8e6996d44500ee818c9330ac4fd88 # virt/fsl: no supported platform
+6a024330650e24556b8a18cc654ad00cfecf6c6c # virt/fsl: no supported platform
+92ff42645028fa6f9b8aa767718457b9264316b4 # ipvlan: reverted in below
+918150cbd6103199fe326e8b1462a7f0d81475e4 # ipvlan: reverting the above
diff --git a/patches.arch/s390-qdio-clear-intparm-during-shutdown b/patches.arch/s390-qdio-clear-intparm-during-shutdown
new file mode 100644
index 0000000000..90ed02ec15
--- /dev/null
+++ b/patches.arch/s390-qdio-clear-intparm-during-shutdown
@@ -0,0 +1,44 @@
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Wed, 21 Mar 2018 17:14:00 +0100
+Subject: s390/qdio: clear intparm during shutdown
+Git-commit: 89286320a236d245834075fa13adb0bdd827ecaa
+Patch-mainline: v4.17-rc1
+References: bsc#1134597 LTC#177516
+
+During shutdown, qdio returns its ccw device back to control by the
+upper-layer driver. But there is a remote chance that by the time where the
+IRQ handler gets switched back, the interrupt for the preceding
+ccw_device_{clear,halt} hasn't been presented yet.
+Upper-layer drivers would then need to handle this IRQ - and since the IO
+is issued with an intparm, it could very well be confused with whatever
+intparm mechanism the driver uses itself (eg intparm == request address).
+
+So when switching over the IRQ handler, also clear the intparm and have
+upper-layer drivers deal with any such delayed interrupt as if it was
+unsolicited.
+
+Suggested-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ drivers/s390/cio/qdio_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c
+index a337281337a7..f4ca72dd862f 100644
+--- a/drivers/s390/cio/qdio_main.c
++++ b/drivers/s390/cio/qdio_main.c
+@@ -1207,8 +1207,10 @@ int qdio_shutdown(struct ccw_device *cdev, int how)
+ qdio_shutdown_thinint(irq_ptr);
+
+ /* restore interrupt handler */
+- if ((void *)cdev->handler == (void *)qdio_int_handler)
++ if ((void *)cdev->handler == (void *)qdio_int_handler) {
+ cdev->handler = irq_ptr->orig_handler;
++ cdev->private->intparm = 0;
++ }
+ spin_unlock_irq(get_ccwdev_lock(cdev));
+
+ qdio_set_state(irq_ptr, QDIO_IRQ_STATE_INACTIVE);
+
diff --git a/patches.arch/s390-sles15-kmsg-update-2019-03-08.patch b/patches.arch/s390-sles15-kmsg-update-2019-03-08.patch
new file mode 100644
index 0000000000..a8fe0ba845
--- /dev/null
+++ b/patches.arch/s390-sles15-kmsg-update-2019-03-08.patch
@@ -0,0 +1,319 @@
+From: Michael Holzheu <holzheu@linux.ibm.com>
+Subject: kmsg: Update message catalog to latest IBM level (2019/03/08)
+Patch-mainline: never, S/390 specific
+References: bsc#1128904 LTC#176078
+
+Description: kmsg: Update message catalog to latest IBM level (2019/03/08)
+Symptom: Man pages in the "kernel-default-man" rpm are missing or are
+ not correct.
+Problem: Source for man pages is not up-to-date because added patches
+ introduced new messages or updated existing ones.
+Solution: Update messages to latest internal IBM level.
+Reproduction: 1) Build kernel with selected config, e.g.:
+ $ make defconfig && make
+ 2) Make kmsg-doc executable:
+ $ chmod a+x scripts/kmsg-doc
+ 3) Check messages:
+ $ make D=1
+ 4) Build messages:
+ $ make D=2
+ 5) Check built man pages, e.g.:
+ $ man man/cpu.643eaf.9
+ Note: To check a subdirectory use "make D=1 SUBDIRS=arch/s390"
+
+
+Signed-off-by: Michael Holzheu <holzheu@linux.ibm.com>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ Documentation/kmsg/IPVS | 3 ++
+ Documentation/kmsg/ism | 2 +
+ Documentation/kmsg/s390/aes_s390 | 1
+ Documentation/kmsg/s390/af_iucv | 1
+ Documentation/kmsg/s390/appldata | 1
+ Documentation/kmsg/s390/bpf_jit | 1
+ Documentation/kmsg/s390/cio | 1
+ Documentation/kmsg/s390/cpcmd | 1
+ Documentation/kmsg/s390/cpu | 1
+ Documentation/kmsg/s390/crc32-vx | 1
+ Documentation/kmsg/s390/ctcm | 1
+ Documentation/kmsg/s390/dasd | 1
+ Documentation/kmsg/s390/dasd-eckd | 42 ++++++++++++++++++++++++++++++++++++
+ Documentation/kmsg/s390/diag288_wdt | 1
+ Documentation/kmsg/s390/extmem | 1
+ Documentation/kmsg/s390/hmcdrv | 1
+ Documentation/kmsg/s390/hugetlb | 1
+ Documentation/kmsg/s390/hypfs | 1
+ Documentation/kmsg/s390/lcs | 1
+ Documentation/kmsg/s390/monwriter | 1
+ Documentation/kmsg/s390/netiucv | 1
+ Documentation/kmsg/s390/paes_s390 | 3 +-
+ Documentation/kmsg/s390/perf | 1
+ Documentation/kmsg/s390/qeth | 1
+ Documentation/kmsg/s390/setup | 1
+ Documentation/kmsg/s390/vmur | 1
+ Documentation/kmsg/s390/zfcp | 2 +
+ Documentation/kmsg/s390/zpci | 1
+ Documentation/kmsg/s390/zram | 2 +
+ Documentation/kmsg/sbp_target | 3 +-
+ Documentation/kmsg/smc | 1
+ 31 files changed, 79 insertions(+), 2 deletions(-)
+
+--- a/Documentation/kmsg/IPVS
++++ b/Documentation/kmsg/IPVS
+@@ -79,3 +79,6 @@
+ /*? Text: "%s selects TX queue %d, but real number of TX queues is %d\n" */
+ /*? Text: "Unknown mcast interface: %s\n" */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
++/*? Text: "%s(): request for already hashed, called from %pS\n" */
++/*? Text: "%s(): request for unhash flagged, called from %pS\n" */
+--- /dev/null
++++ b/Documentation/kmsg/ism
+@@ -0,0 +1,2 @@
++/*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/aes_s390
++++ b/Documentation/kmsg/s390/aes_s390
+@@ -43,3 +43,4 @@
+ * None.
+ */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/af_iucv
++++ b/Documentation/kmsg/s390/af_iucv
+@@ -21,3 +21,4 @@
+ /*? Text: "flen=%u proglen=%u pass=%u image=%pK from=%s pid=%d\n" */
+ /*? Text: "%s selects TX queue %d, but real number of TX queues is %d\n" */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/appldata
++++ b/Documentation/kmsg/s390/appldata
+@@ -89,3 +89,4 @@
+ /*? Text: "netif_stop_queue() cannot be called before register_netdev()\n" */
+ /*? Text: "%s selects TX queue %d, but real number of TX queues is %d\n" */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/bpf_jit
++++ b/Documentation/kmsg/s390/bpf_jit
+@@ -14,3 +14,4 @@
+ * Report this problem and the error message to your support organization.
+ */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/cio
++++ b/Documentation/kmsg/s390/cio
+@@ -245,3 +245,4 @@
+ * Report the problem to your support organization.
+ */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/cpcmd
++++ b/Documentation/kmsg/s390/cpcmd
+@@ -15,3 +15,4 @@
+ * machine.
+ */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/cpu
++++ b/Documentation/kmsg/s390/cpu
+@@ -52,3 +52,4 @@
+ * does not include all CPU information.
+ */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/crc32-vx
++++ b/Documentation/kmsg/s390/crc32-vx
+@@ -1 +1,2 @@
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/ctcm
++++ b/Documentation/kmsg/s390/ctcm
+@@ -200,3 +200,4 @@
+ /*? Text: "flen=%u proglen=%u pass=%u image=%pK from=%s pid=%d\n" */
+ /*? Text: "%s selects TX queue %d, but real number of TX queues is %d\n" */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/dasd
++++ b/Documentation/kmsg/s390/dasd
+@@ -691,3 +691,4 @@
+ * or set the sysfs 'use_diag' attribute of the DASD to 0 to switch off DIAG.
+ */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/dasd-eckd
++++ b/Documentation/kmsg/s390/dasd-eckd
+@@ -2163,4 +2163,46 @@
+ * to the path_reset sysfs attribute of the device.
+ * If the problem persists, report it to your support organization.
+ */
++
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++
++/*?
++ * Text: "%s: Path %x.%02x (pathmask %02x) is operational despite excessive IFCCs\n"
++ * Severity: Error
++ * Parameter:
++ * @1: bus ID of the DASD
++ * @2: cssid
++ * @3: chpid
++ * @4: logical path mask
++ * Description:
++ * The threshold value for interface or channel control checks (IFCCs) for the
++ * channel path was exceeded.
++ * The channel path remains operational because the autodisable feature for
++ * defective channel paths is not active.
++ * Defective channel paths can adversely affect performance.
++ * User action:
++ * Ensure that the cabling between the storage server and the mainframe
++ * system is securely in place.
++ * If you observe performance impacts, consider setting the channel path offline.
++ * By default, the DASD device driver disables defective channel paths for you.
++ * You can restore this default, for example, by writing '1' to the
++ * path_autodisable sysfs attribute.
++ * If the problem persists, report it to your support organization.
++ */
++
++/*?
++ * Text: "%s: Last path %x.%02x (pathmask %02x) is operational despite excessive IFCCs\n"
++ * Severity: Error
++ * Parameter:
++ * @1: bus ID of the DASD
++ * @2: cssid
++ * @3: chpid
++ * @4: logical path mask
++ * Description:
++ * The threshold value for interface or channel control checks (IFCCs) for the channel path was exceeded.
++ * The channel path was not removed from regular operations because it is the last remaining channel path for the DASD.
++ * User action:
++ * Ensure that the cabling between the storage server and the mainframe
++ * system is securely in place.
++ * If the problem persists, report it to your support organization.
++ */
+--- a/Documentation/kmsg/s390/diag288_wdt
++++ b/Documentation/kmsg/s390/diag288_wdt
+@@ -64,3 +64,4 @@
+ * contact your support organization.
+ */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/extmem
++++ b/Documentation/kmsg/s390/extmem
+@@ -292,3 +292,4 @@
+ * Ensure that the DCSS range is defined below the kernel mapping range.
+ */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/hmcdrv
++++ b/Documentation/kmsg/s390/hmcdrv
+@@ -20,3 +20,4 @@
+ * the cache size specification.
+ */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/hugetlb
++++ b/Documentation/kmsg/s390/hugetlb
+@@ -11,3 +11,4 @@
+ * Specify "2G" for 2 GB huge pages. These are supported as of zEC12
+ * and zBC12 machines.
+ */
++/*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
+--- a/Documentation/kmsg/s390/hypfs
++++ b/Documentation/kmsg/s390/hypfs
+@@ -55,3 +55,4 @@
+
+ /*? Text: "Hypervisor filesystem mounted\n" */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/lcs
++++ b/Documentation/kmsg/s390/lcs
+@@ -167,3 +167,4 @@
+ /*? Text: "flen=%u proglen=%u pass=%u image=%pK from=%s pid=%d\n" */
+ /*? Text: "%s selects TX queue %d, but real number of TX queues is %d\n" */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/monwriter
++++ b/Documentation/kmsg/s390/monwriter
+@@ -15,3 +15,4 @@
+ * in "z/VM CP Programming Services".
+ */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/netiucv
++++ b/Documentation/kmsg/s390/netiucv
+@@ -154,3 +154,4 @@
+ /*? Text: "flen=%u proglen=%u pass=%u image=%pK from=%s pid=%d\n" */
+ /*? Text: "%s selects TX queue %d, but real number of TX queues is %d\n" */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/paes_s390
++++ b/Documentation/kmsg/s390/paes_s390
+@@ -1 +1,2 @@
+-/*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
+\ No newline at end of file
++/*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/perf
++++ b/Documentation/kmsg/s390/perf
+@@ -88,3 +88,4 @@
+ * process has ended.
+ */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/qeth
++++ b/Documentation/kmsg/s390/qeth
+@@ -966,3 +966,4 @@
+ * sysfs attribute of the device.
+ */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/setup
++++ b/Documentation/kmsg/s390/setup
+@@ -163,3 +163,4 @@
+ * None.
+ */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/vmur
++++ b/Documentation/kmsg/s390/vmur
+@@ -46,3 +46,4 @@
+ /*? Text: "%s loaded.\n" */
+ /*? Text: "%s unloaded.\n" */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/s390/zfcp
++++ b/Documentation/kmsg/s390/zfcp
+@@ -707,3 +707,5 @@
+ * support organization of the storage system.
+ */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
++/*? Text: "Invalid address limit on user-mode return" */
+--- a/Documentation/kmsg/s390/zpci
++++ b/Documentation/kmsg/s390/zpci
+@@ -40,3 +40,4 @@
+ * If the problem persists, contact your support organization.
+ */
+ /*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- /dev/null
++++ b/Documentation/kmsg/s390/zram
+@@ -0,0 +1,2 @@
++/*? Text: "Can't setup backing device for initialized device\n" */
++/*? Text: "setup backing device %s\n" */
+--- a/Documentation/kmsg/sbp_target
++++ b/Documentation/kmsg/sbp_target
+@@ -46,4 +46,5 @@
+ /*? Text: "unlink LUN: failed to update unit directory\n" */
+ /*? Text: "flen=%u proglen=%u pass=%u image=%pK from=%s pid=%d\n" */
+ /*? Text: "%s selects TX queue %d, but real number of TX queues is %d\n" */
+-/*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
+\ No newline at end of file
++/*? Text: "%s: %d output lines suppressed due to ratelimiting\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
+--- a/Documentation/kmsg/smc
++++ b/Documentation/kmsg/smc
+@@ -6,3 +6,4 @@
+ /*? Text: "%s selects TX queue %d, but real number of TX queues is %d\n" */
+ /*? Text: "%s: sock_register fails with %d\n" */
+ /*? Text: "%s: ib_register fails with %d\n" */
++/*? Text: "%s: SME is active, device will require DMA bounce buffers\n" */
diff --git a/patches.drivers/iw_cxgb4-only-allow-1-flush-on-user-qps.patch b/patches.drivers/iw_cxgb4-only-allow-1-flush-on-user-qps.patch
new file mode 100644
index 0000000000..615a0f40a3
--- /dev/null
+++ b/patches.drivers/iw_cxgb4-only-allow-1-flush-on-user-qps.patch
@@ -0,0 +1,60 @@
+From 308aa2b8f7b7db3332a7d41099fd37851fb793b2 Mon Sep 17 00:00:00 2001
+From: Steve Wise <swise@opengridcomputing.com>
+Date: Fri, 31 Aug 2018 07:15:56 -0700
+Subject: [PATCH] iw_cxgb4: only allow 1 flush on user qps
+Git-commit: 308aa2b8f7b7db3332a7d41099fd37851fb793b2
+Patch-mainline: v4.19-rc4
+References: bsc#1051510
+
+Once the qp has been flushed, it cannot be flushed again. The user qp
+flush logic wasn't enforcing it however. The bug can cause
+touch-after-free crashes like:
+
+Unable to handle kernel paging request for data at address 0x000001ec
+Faulting instruction address: 0xc008000016069100
+Oops: Kernel access of bad area, sig: 11 [#1]
+...
+NIP [c008000016069100] flush_qp+0x80/0x480 [iw_cxgb4]
+LR [c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
+Call Trace:
+[c00800001606cd6c] c4iw_modify_qp+0x71c/0x11d0 [iw_cxgb4]
+[c00800001606e868] c4iw_ib_modify_qp+0x118/0x200 [iw_cxgb4]
+[c0080000119eae80] ib_security_modify_qp+0xd0/0x3d0 [ib_core]
+[c0080000119c4e24] ib_modify_qp+0xc4/0x2c0 [ib_core]
+[c008000011df0284] iwcm_modify_qp_err+0x44/0x70 [iw_cm]
+[c008000011df0fec] destroy_cm_id+0xcc/0x370 [iw_cm]
+[c008000011ed4358] rdma_destroy_id+0x3c8/0x520 [rdma_cm]
+[c0080000134b0540] ucma_close+0x90/0x1b0 [rdma_ucm]
+[c000000000444da4] __fput+0xe4/0x2f0
+
+So fix flush_qp() to only flush the wq once.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/infiniband/hw/cxgb4/qp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c
+index b3203afa3b1d..347fe18b1a41 100644
+--- a/drivers/infiniband/hw/cxgb4/qp.c
++++ b/drivers/infiniband/hw/cxgb4/qp.c
+@@ -1685,6 +1685,12 @@ static void flush_qp(struct c4iw_qp *qhp)
+ schp = to_c4iw_cq(qhp->ibqp.send_cq);
+
+ if (qhp->ibqp.uobject) {
++
++ /* for user qps, qhp->wq.flushed is protected by qhp->mutex */
++ if (qhp->wq.flushed)
++ return;
++
++ qhp->wq.flushed = 1;
+ t4_set_wq_in_error(&qhp->wq, 0);
+ t4_set_cq_in_error(&rchp->cq);
+ spin_lock_irqsave(&rchp->comp_handler_lock, flag);
+--
+2.16.4
+
diff --git a/patches.drivers/mac8390-Fix-mmio-access-size-probe.patch b/patches.drivers/mac8390-Fix-mmio-access-size-probe.patch
new file mode 100644
index 0000000000..47b238ce12
--- /dev/null
+++ b/patches.drivers/mac8390-Fix-mmio-access-size-probe.patch
@@ -0,0 +1,74 @@
+From bb9e5c5bcd76f4474eac3baf643d7a39f7bac7bb Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Sat, 16 Mar 2019 14:21:19 +1100
+Subject: [PATCH] mac8390: Fix mmio access size probe
+Git-commit: bb9e5c5bcd76f4474eac3baf643d7a39f7bac7bb
+Patch-mainline: v5.1-rc3
+References: bsc#1051510
+
+The bug that Stan reported is as follows. After a restart, a 16-bit NIC
+may be incorrectly identified as a 32-bit NIC and stop working.
+
+mac8390 slot.E: Memory length resource not found, probing
+mac8390 slot.E: Farallon EtherMac II-C (type farallon)
+mac8390 slot.E: MAC 00:00:c5:30:c2:99, IRQ 61, 32 KB shared memory at 0xfeed0000, 32-bit access.
+
+The bug never arises after a cold start and only intermittently after a
+warm start. (I didn't investigate why the bug is intermittent.)
+
+It turns out that memcpy_toio() is deprecated and memcmp_withio() also
+has issues. Replacing these calls with mmio accessors fixes the problem.
+
+Reported-and-tested-by: Stan Johnson <userm57@yahoo.com>
+Fixes: 2964db0f5904 ("m68k: Mac DP8390 update")
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/ethernet/8390/mac8390.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/8390/mac8390.c
++++ b/drivers/net/ethernet/8390/mac8390.c
+@@ -156,8 +156,6 @@ static void dayna_block_output(struct ne
+ #define memcpy_fromio(a, b, c) memcpy((a), (void *)(b), (c))
+ #define memcpy_toio(a, b, c) memcpy((void *)(a), (b), (c))
+
+-#define memcmp_withio(a, b, c) memcmp((a), (void *)(b), (c))
+-
+ /* Slow Sane (16-bit chunk memory read/write) Cabletron uses this */
+ static void slow_sane_get_8390_hdr(struct net_device *dev,
+ struct e8390_pkt_hdr *hdr, int ring_page);
+@@ -237,19 +235,26 @@ static enum mac8390_type __init mac8390_
+
+ static enum mac8390_access __init mac8390_testio(volatile unsigned long membase)
+ {
+- unsigned long outdata = 0xA5A0B5B0;
+- unsigned long indata = 0x00000000;
++ u32 outdata = 0xA5A0B5B0;
++ u32 indata = 0;
++
+ /* Try writing 32 bits */
+- memcpy_toio(membase, &outdata, 4);
+- /* Now compare them */
+- if (memcmp_withio(&outdata, membase, 4) == 0)
++ nubus_writel(outdata, membase);
++ /* Now read it back */
++ indata = nubus_readl(membase);
++ if (outdata == indata)
+ return ACCESS_32;
++
++ outdata = 0xC5C0D5D0;
++ indata = 0;
++
+ /* Write 16 bit output */
+ word_memcpy_tocard(membase, &outdata, 4);
+ /* Now read it back */
+ word_memcpy_fromcard(&indata, membase, 4);
+ if (outdata == indata)
+ return ACCESS_16;
++
+ return ACCESS_UNKNOWN;
+ }
+
diff --git a/patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch b/patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch
index 2bcc793cb0..583c8df452 100644
--- a/patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch
+++ b/patches.drm/drm-i915-Disable-LP3-watermarks-on-all-SNB-machines.patch
@@ -6,6 +6,7 @@ Mime-version: 1.0
Content-type: text/plain; charset=UTF-8
Content-transfer-encoding: 8bit
Git-commit: 03981c6ebec4fc7056b9b45f847393aeac90d060
+No-fix: 21556350ade3cb5d7afecc8b3544e56431d21695
Patch-mainline: v5.0-rc1
References: bsc#1051510
diff --git a/patches.fixes/9p-locks-add-mount-option-for-lock-retry-interval.patch b/patches.fixes/9p-locks-add-mount-option-for-lock-retry-interval.patch
new file mode 100644
index 0000000000..b16e7d6bcb
--- /dev/null
+++ b/patches.fixes/9p-locks-add-mount-option-for-lock-retry-interval.patch
@@ -0,0 +1,123 @@
+From 5e172f75e51e3de1b4274146d9b990f803cb5c2a Mon Sep 17 00:00:00 2001
+From: Dinu-Razvan Chis-Serban <justcsdr@gmail.com>
+Date: Wed, 5 Sep 2018 16:44:12 +0900
+Subject: [PATCH] 9p locks: add mount option for lock retry interval
+Git-commit: 5e172f75e51e3de1b4274146d9b990f803cb5c2a
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+The default P9_LOCK_TIMEOUT can be too long for some users exporting
+a local file system to a guest VM (30s), make this configurable at
+mount time.
+
+Link: http://lkml.kernel.org/r/1536295827-3181-1-git-send-email-asmadeus@codewreck.org
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195727
+Signed-off-by: Dinu-Razvan Chis-Serban <justcsdr@gmail.com>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/9p/v9fs.c | 21 +++++++++++++++++++++
+ fs/9p/v9fs.h | 1 +
+ fs/9p/vfs_file.c | 6 +++++-
+ 3 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c
+index 89bac3d2f05b..619128b55837 100644
+--- a/fs/9p/v9fs.c
++++ b/fs/9p/v9fs.c
+@@ -61,6 +61,8 @@ enum {
+ Opt_cache_loose, Opt_fscache, Opt_mmap,
+ /* Access options */
+ Opt_access, Opt_posixacl,
++ /* Lock timeout option */
++ Opt_locktimeout,
+ /* Error token */
+ Opt_err
+ };
+@@ -80,6 +82,7 @@ static const match_table_t tokens = {
+ {Opt_cachetag, "cachetag=%s"},
+ {Opt_access, "access=%s"},
+ {Opt_posixacl, "posixacl"},
++ {Opt_locktimeout, "locktimeout=%u"},
+ {Opt_err, NULL}
+ };
+
+@@ -187,6 +190,7 @@ static int v9fs_parse_options(struct v9fs_session_info *v9ses, char *opts)
+ #ifdef CONFIG_9P_FSCACHE
+ v9ses->cachetag = NULL;
+ #endif
++ v9ses->session_lock_timeout = P9_LOCK_TIMEOUT;
+
+ if (!opts)
+ return 0;
+@@ -359,6 +363,23 @@ static int v9fs_parse_options(struct v9fs_session_info *v9ses, char *opts)
+ #endif
+ break;
+
++ case Opt_locktimeout:
++ r = match_int(&args[0], &option);
++ if (r < 0) {
++ p9_debug(P9_DEBUG_ERROR,
++ "integer field, but no integer?\n");
++ ret = r;
++ continue;
++ }
++ if (option < 1) {
++ p9_debug(P9_DEBUG_ERROR,
++ "locktimeout must be a greater than zero integer.\n");
++ ret = -EINVAL;
++ continue;
++ }
++ v9ses->session_lock_timeout = (long)option * HZ;
++ break;
++
+ default:
+ continue;
+ }
+diff --git a/fs/9p/v9fs.h b/fs/9p/v9fs.h
+index 982e017acadb..129e5243a6bf 100644
+--- a/fs/9p/v9fs.h
++++ b/fs/9p/v9fs.h
+@@ -116,6 +116,7 @@ struct v9fs_session_info {
+ struct p9_client *clnt; /* 9p client */
+ struct list_head slist; /* list of sessions registered with v9fs */
+ struct rw_semaphore rename_sem;
++ long session_lock_timeout; /* retry interval for blocking locks */
+ };
+
+ /* cache_validity flags */
+diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
+index 374bc1c72048..73857ebaedfb 100644
+--- a/fs/9p/vfs_file.c
++++ b/fs/9p/vfs_file.c
+@@ -154,6 +154,7 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl)
+ uint8_t status = P9_LOCK_ERROR;
+ int res = 0;
+ unsigned char fl_type;
++ struct v9fs_session_info *v9ses;
+
+ fid = filp->private_data;
+ BUG_ON(fid == NULL);
+@@ -189,6 +190,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl)
+ if (IS_SETLKW(cmd))
+ flock.flags = P9_LOCK_FLAGS_BLOCK;
+
++ v9ses = v9fs_inode2v9ses(file_inode(filp));
++
+ /*
+ * if its a blocked request and we get P9_LOCK_BLOCKED as the status
+ * for lock request, keep on trying
+@@ -202,7 +205,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl)
+ break;
+ if (status == P9_LOCK_BLOCKED && !IS_SETLKW(cmd))
+ break;
+- if (schedule_timeout_interruptible(P9_LOCK_TIMEOUT) != 0)
++ if (schedule_timeout_interruptible(v9ses->session_lock_timeout)
++ != 0)
+ break;
+ }
+
+--
+2.16.4
+
diff --git a/patches.fixes/9p-locks-fix-glock.client_id-leak-in-do_lock.patch b/patches.fixes/9p-locks-fix-glock.client_id-leak-in-do_lock.patch
index cc0d63583c..f55828c93d 100644
--- a/patches.fixes/9p-locks-fix-glock.client_id-leak-in-do_lock.patch
+++ b/patches.fixes/9p-locks-fix-glock.client_id-leak-in-do_lock.patch
@@ -27,9 +27,9 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
-@@ -204,6 +204,14 @@ static int v9fs_file_do_lock(struct file
- break;
- if (schedule_timeout_interruptible(P9_LOCK_TIMEOUT) != 0)
+@@ -208,6 +208,14 @@ static int v9fs_file_do_lock(struct file
+ if (schedule_timeout_interruptible(v9ses->session_lock_timeout)
+ != 0)
break;
+ /*
+ * p9_client_lock_dotl overwrites flock.client_id with the
@@ -42,7 +42,7 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
}
/* map 9p status to VFS status */
-@@ -235,6 +243,8 @@ out_unlock:
+@@ -239,6 +247,8 @@ out_unlock:
locks_lock_file_wait(filp, fl);
fl->fl_type = fl_type;
}
@@ -51,7 +51,7 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
out:
return res;
}
-@@ -269,7 +279,7 @@ static int v9fs_file_getlock(struct file
+@@ -273,7 +283,7 @@ static int v9fs_file_getlock(struct file
res = p9_client_getlock_dotl(fid, &glock);
if (res < 0)
@@ -60,7 +60,7 @@ Acked-by: Takashi Iwai <tiwai@suse.de>
/* map 9p lock type to os lock type */
switch (glock.type) {
case P9_LOCK_TYPE_RDLCK:
-@@ -290,7 +300,9 @@ static int v9fs_file_getlock(struct file
+@@ -294,7 +304,9 @@ static int v9fs_file_getlock(struct file
fl->fl_end = glock.start + glock.length - 1;
fl->fl_pid = glock.proc_id;
}
diff --git a/patches.fixes/MD-fix-invalid-stored-role-for-a-disk.patch b/patches.fixes/MD-fix-invalid-stored-role-for-a-disk.patch
new file mode 100644
index 0000000000..bf361ee1c2
--- /dev/null
+++ b/patches.fixes/MD-fix-invalid-stored-role-for-a-disk.patch
@@ -0,0 +1,47 @@
+From d595567dc4f0c1d90685ec1e2e296e2cad2643ac Mon Sep 17 00:00:00 2001
+From: Shaohua Li <shli@fb.com>
+Date: Mon, 1 Oct 2018 18:36:36 -0700
+Subject: [PATCH] MD: fix invalid stored role for a disk
+Git-commit: d595567dc4f0c1d90685ec1e2e296e2cad2643ac
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+If we change the number of array's device after device is removed from array,
+then add the device back to array, we can see that device is added as active
+role instead of spare which we expected.
+
+Please see the below link for details:
+https://marc.info/?l=linux-raid&m=153736982015076&w=2
+
+This is caused by that we prefer to use device's previous role which is
+recorded by saved_raid_disk, but we should respect the new number of
+conf->raid_disks since it could be changed after device is removed.
+
+Reported-by: Gioh Kim <gi-oh.kim@profitbricks.com>
+Tested-by: Gioh Kim <gi-oh.kim@profitbricks.com>
+Acked-by: Guoqing Jiang <gqjiang@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/md/md.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 63ceabb4e020..a25ebf81b266 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -1774,6 +1774,10 @@ static int super_1_validate(struct mddev *mddev, struct md_rdev *rdev)
+ } else
+ set_bit(In_sync, &rdev->flags);
+ rdev->raid_disk = role;
++ if (role >= mddev->raid_disks) {
++ rdev->saved_raid_disk = -1;
++ rdev->raid_disk = -1;
++ }
+ break;
+ }
+ if (sb->devflags & WriteMostly1)
+--
+2.16.4
+
diff --git a/patches.fixes/crypto-vmx-CTR-always-increment-IV-as-quadword.patch b/patches.fixes/crypto-vmx-CTR-always-increment-IV-as-quadword.patch
new file mode 100644
index 0000000000..a51ff9617e
--- /dev/null
+++ b/patches.fixes/crypto-vmx-CTR-always-increment-IV-as-quadword.patch
@@ -0,0 +1,61 @@
+From 009b30ac7444c17fae34c4f435ebce8e8e2b3250 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Wed, 15 May 2019 20:24:50 +1000
+Subject: [PATCH] crypto: vmx - CTR: always increment IV as quadword
+Git-commit: 009b30ac7444c17fae34c4f435ebce8e8e2b3250
+Patch-mainline: v5.2-rc2
+References: bsc#1051510
+
+The kernel self-tests picked up an issue with CTR mode:
+Alg: skcipher: p8_aes_ctr encryption test failed (wrong result) on test vector 3, cfg="uneven misaligned splits, may sleep"
+
+Test vector 3 has an IV of FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD, so
+after 3 increments it should wrap around to 0.
+
+In the aesp8-ppc code from OpenSSL, there are two paths that
+increment IVs: the bulk (8 at a time) path, and the individual
+path which is used when there are fewer than 8 AES blocks to
+process.
+
+In the bulk path, the IV is incremented with vadduqm: "Vector
+Add Unsigned Quadword Modulo", which does 128-bit addition.
+
+In the individual path, however, the IV is incremented with
+Vadduwm: "Vector Add Unsigned Word Modulo", which instead
+does 4 32-bit additions. Thus the IV would instead become
+FFFFFFFFFFFFFFFFFFFFFFFF00000000, throwing off the result.
+
+Use vadduqm.
+
+This was probably a typo originally, what with q and w being
+adjacent. It is a pretty narrow edge case: I am really
+impressed by the quality of the kernel self-tests!
+
+Fixes: 5c380d623ed3 ("crypto: vmx - Add support for VMS instructions by ASM")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Acked-by: Nayna Jain <nayna@linux.ibm.com>
+Tested-by: Nayna Jain <nayna@linux.ibm.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/crypto/vmx/aesp8-ppc.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/vmx/aesp8-ppc.pl b/drivers/crypto/vmx/aesp8-ppc.pl
+index de78282b8f44..9c6b5c1d6a1a 100644
+--- a/drivers/crypto/vmx/aesp8-ppc.pl
++++ b/drivers/crypto/vmx/aesp8-ppc.pl
+@@ -1357,7 +1357,7 @@ Loop_ctr32_enc:
+ addi $idx,$idx,16
+ bdnz Loop_ctr32_enc
+
+- vadduwm $ivec,$ivec,$one
++ vadduqm $ivec,$ivec,$one
+ vmr $dat,$inptail
+ lvx $inptail,0,$inp
+ addi $inp,$inp,16
+--
+2.16.4
+
diff --git a/patches.fixes/dccp-Fix-memleak-in-__feat_register_sp.patch b/patches.fixes/dccp-Fix-memleak-in-__feat_register_sp.patch
new file mode 100644
index 0000000000..741eaaeb8c
--- /dev/null
+++ b/patches.fixes/dccp-Fix-memleak-in-__feat_register_sp.patch
@@ -0,0 +1,43 @@
+From 1d3ff0950e2b40dc861b1739029649d03f591820 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Mon, 1 Apr 2019 09:35:54 +0800
+Subject: [PATCH] dccp: Fix memleak in __feat_register_sp
+Git-commit: 1d3ff0950e2b40dc861b1739029649d03f591820
+Patch-mainline: v5.1-rc4
+References: bsc#1051510
+
+If dccp_feat_push_change fails, we forget free the mem
+which is alloced by kmemdup in dccp_feat_clone_sp_val.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: e8ef967a54f4 ("dccp: Registration routines for changing feature values")
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/dccp/feat.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/dccp/feat.c b/net/dccp/feat.c
+index f227f002c73d..db87d9f58019 100644
+--- a/net/dccp/feat.c
++++ b/net/dccp/feat.c
+@@ -738,7 +738,12 @@ static int __feat_register_sp(struct list_head *fn, u8 feat, u8 is_local,
+ if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len))
+ return -ENOMEM;
+
+- return dccp_feat_push_change(fn, feat, is_local, mandatory, &fval);
++ if (dccp_feat_push_change(fn, feat, is_local, mandatory, &fval)) {
++ kfree(fval.sp.vec);
++ return -ENOMEM;
++ }
++
++ return 0;
+ }
+
+ /**
+--
+2.16.4
+
diff --git a/patches.fixes/debugfs-fix-use-after-free-on-symlink-traversal.patch b/patches.fixes/debugfs-fix-use-after-free-on-symlink-traversal.patch
new file mode 100644
index 0000000000..ca58a3562e
--- /dev/null
+++ b/patches.fixes/debugfs-fix-use-after-free-on-symlink-traversal.patch
@@ -0,0 +1,51 @@
+From 93b919da64c15b90953f96a536e5e61df896ca57 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue, 26 Mar 2019 01:43:37 +0000
+Subject: [PATCH] debugfs: fix use-after-free on symlink traversal
+Git-commit: 93b919da64c15b90953f96a536e5e61df896ca57
+Patch-mainline: v5.1-rc4
+References: bsc#1051510
+
+symlink body shouldn't be freed without an RCU delay. Switch debugfs to
+->destroy_inode() and use of call_rcu(); free both the inode and symlink
+body in the callback. Similar to solution for bpf, only here it's even
+more obvious that ->evict_inode() can be dropped.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/debugfs/inode.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/debugfs/inode.c
++++ b/fs/debugfs/inode.c
+@@ -170,19 +170,24 @@ static int debugfs_show_options(struct s
+ return 0;
+ }
+
+-static void debugfs_evict_inode(struct inode *inode)
++static void debugfs_i_callback(struct rcu_head *head)
+ {
+- truncate_inode_pages_final(&inode->i_data);
+- clear_inode(inode);
++ struct inode *inode = container_of(head, struct inode, i_rcu);
+ if (S_ISLNK(inode->i_mode))
+ kfree(inode->i_link);
++ free_inode_nonrcu(inode);
++}
++
++static void debugfs_destroy_inode(struct inode *inode)
++{
++ call_rcu(&inode->i_rcu, debugfs_i_callback);
+ }
+
+ static const struct super_operations debugfs_super_operations = {
+ .statfs = simple_statfs,
+ .remount_fs = debugfs_remount,
+ .show_options = debugfs_show_options,
+- .evict_inode = debugfs_evict_inode,
++ .destroy_inode = debugfs_destroy_inode,
+ };
+
+ static struct vfsmount *debugfs_automount(struct path *path)
diff --git a/patches.fixes/ipconfig-Correctly-initialise-ic_nameservers.patch b/patches.fixes/ipconfig-Correctly-initialise-ic_nameservers.patch
new file mode 100644
index 0000000000..583e980b7c
--- /dev/null
+++ b/patches.fixes/ipconfig-Correctly-initialise-ic_nameservers.patch
@@ -0,0 +1,85 @@
+From 300eec7c0a2495f771709c7642aa15f7cc148b83 Mon Sep 17 00:00:00 2001
+From: Chris Novakovic <chris@chrisn.me.uk>
+Date: Tue, 24 Apr 2018 03:56:37 +0100
+Subject: [PATCH] ipconfig: Correctly initialise ic_nameservers
+Git-commit: 300eec7c0a2495f771709c7642aa15f7cc148b83
+Patch-mainline: v4.18-rc1
+References: bsc#1051510
+
+ic_nameservers, which stores the list of name servers discovered by
+ipconfig, is initialised (i.e. has all of its elements set to NONE, or
+0xffffffff) by ic_nameservers_predef() in the following scenarios:
+
+ - before the "ip=" and "nfsaddrs=" kernel command line parameters are
+ parsed (in ip_auto_config_setup());
+ - before autoconfiguring via DHCP or BOOTP (in ic_bootp_init()), in
+ order to clear any values that may have been set after parsing "ip="
+ or "nfsaddrs=" and are no longer needed.
+
+This means that ic_nameservers_predef() is not called when neither "ip="
+nor "nfsaddrs=" is specified on the kernel command line. In this
+scenario, every element in ic_nameservers remains set to 0x00000000,
+which is indistinguishable from ANY and causes pnp_seq_show() to write
+the following (bogus) information to /proc/net/pnp:
+
+ #MANUAL
+ nameserver 0.0.0.0
+ nameserver 0.0.0.0
+ nameserver 0.0.0.0
+
+This is potentially problematic for systems that blindly link
+/etc/resolv.conf to /proc/net/pnp.
+
+Ensure that ic_nameservers is also initialised when neither "ip=" nor
+"nfsaddrs=" are specified by calling ic_nameservers_predef() in
+ip_auto_config(), but only when ip_auto_config_setup() was not called
+earlier. This causes the following to be written to /proc/net/pnp, and
+is consistent with what gets written when ipconfig is configured
+manually but no name servers are specified on the kernel command line:
+
+ #MANUAL
+
+Signed-off-by: Chris Novakovic <chris@chrisn.me.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/ipv4/ipconfig.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/net/ipv4/ipconfig.c
++++ b/net/ipv4/ipconfig.c
+@@ -780,6 +780,11 @@ static void __init ic_bootp_init_ext(u8
+ */
+ static inline void __init ic_bootp_init(void)
+ {
++ /* Re-initialise all name servers to NONE, in case any were set via the
++ * "ip=" or "nfsaddrs=" kernel command line parameters: any IP addresses
++ * specified there will already have been decoded but are no longer
++ * needed
++ */
+ ic_nameservers_predef();
+
+ dev_add_pack(&bootp_packet_type);
+@@ -1401,6 +1406,13 @@ static int __init ip_auto_config(void)
+ int err;
+ unsigned int i;
+
++ /* Initialise all name servers to NONE (but only if the "ip=" or
++ * "nfsaddrs=" kernel command line parameters weren't decoded, otherwise
++ * we'll overwrite the IP addresses specified there)
++ */
++ if (ic_set_manually == 0)
++ ic_nameservers_predef();
++
+ #ifdef CONFIG_PROC_FS
+ proc_create("pnp", S_IRUGO, init_net.proc_net, &pnp_seq_fops);
+ #endif /* CONFIG_PROC_FS */
+@@ -1621,6 +1633,7 @@ static int __init ip_auto_config_setup(c
+ return 1;
+ }
+
++ /* Initialise all name servers to NONE */
+ ic_nameservers_predef();
+
+ /* Parse string for static IP assignment. */
diff --git a/patches.fixes/ipvlan-Add-the-skb-mark-as-flow4-s-member-to-lookup-.patch b/patches.fixes/ipvlan-Add-the-skb-mark-as-flow4-s-member-to-lookup-.patch
new file mode 100644
index 0000000000..34590bb5fc
--- /dev/null
+++ b/patches.fixes/ipvlan-Add-the-skb-mark-as-flow4-s-member-to-lookup-.patch
@@ -0,0 +1,34 @@
+From a98a4ebc8c61d20f0150d6be66e0e65223a347af Mon Sep 17 00:00:00 2001
+From: Gao Feng <gfree.wind@vip.163.com>
+Date: Fri, 1 Dec 2017 09:58:42 +0800
+Subject: [PATCH] ipvlan: Add the skb->mark as flow4's member to lookup route
+Git-commit: a98a4ebc8c61d20f0150d6be66e0e65223a347af
+Patch-mainline: v4.15-rc3
+References: bsc#1051510
+
+Current codes don't use skb->mark to assign flowi4_mark, it would
+make the policy route rule with fwmark doesn't work as expected.
+
+Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/ipvlan/ipvlan_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
+index 11c1e7950fe5..77cc4fbaeace 100644
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -393,6 +393,7 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb)
+ .flowi4_oif = dev->ifindex,
+ .flowi4_tos = RT_TOS(ip4h->tos),
+ .flowi4_flags = FLOWI_FLAG_ANYSRC,
++ .flowi4_mark = skb->mark,
+ .daddr = ip4h->daddr,
+ .saddr = ip4h->saddr,
+ };
+--
+2.16.4
+
diff --git a/patches.fixes/ipvlan-fix-ipv6-outbound-device.patch b/patches.fixes/ipvlan-fix-ipv6-outbound-device.patch
new file mode 100644
index 0000000000..d8545b8e1e
--- /dev/null
+++ b/patches.fixes/ipvlan-fix-ipv6-outbound-device.patch
@@ -0,0 +1,36 @@
+From ca29fd7cce5a6444d57fb86517589a1a31c759e1 Mon Sep 17 00:00:00 2001
+From: Keefe Liu <liuqifa@huawei.com>
+Date: Thu, 9 Nov 2017 20:09:31 +0800
+Subject: [PATCH] ipvlan: fix ipv6 outbound device
+Git-commit: ca29fd7cce5a6444d57fb86517589a1a31c759e1
+Patch-mainline: v4.15-rc1
+References: bsc#1051510
+
+When process the outbound packet of ipv6, we should assign the master
+device to output device other than input device.
+
+Signed-off-by: Keefe Liu <liuqifa@huawei.com>
+Acked-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/ipvlan/ipvlan_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
+index 034ae4c57196..f2a7e929316e 100644
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -409,7 +409,7 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb)
+ struct dst_entry *dst;
+ int err, ret = NET_XMIT_DROP;
+ struct flowi6 fl6 = {
+- .flowi6_iif = dev->ifindex,
++ .flowi6_oif = dev->ifindex,
+ .daddr = ip6h->daddr,
+ .saddr = ip6h->saddr,
+ .flowi6_flags = FLOWI_FLAG_ANYSRC,
+--
+2.16.4
+
diff --git a/patches.fixes/ipvlan-use-ETH_MAX_MTU-as-max-mtu.patch b/patches.fixes/ipvlan-use-ETH_MAX_MTU-as-max-mtu.patch
new file mode 100644
index 0000000000..c23b3eca8a
--- /dev/null
+++ b/patches.fixes/ipvlan-use-ETH_MAX_MTU-as-max-mtu.patch
@@ -0,0 +1,35 @@
+From 548feb33c598dfaf9f8e066b842441ac49b84a8a Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 18 Jun 2018 16:15:57 +0800
+Subject: [PATCH] ipvlan: use ETH_MAX_MTU as max mtu
+Git-commit: 548feb33c598dfaf9f8e066b842441ac49b84a8a
+Patch-mainline: v4.18-rc2
+References: bsc#1051510
+
+Similar to the fixes on team and bonding, this restores the ability
+to set an ipvlan device's mtu to anything higher than 1500.
+
+Fixes: 91572088e3fd ("net: use core MTU range checking in core net infra")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/ipvlan/ipvlan_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c
+index 4377c26f714d..d02f0a7c534e 100644
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -693,6 +693,7 @@ void ipvlan_link_setup(struct net_device *dev)
+ {
+ ether_setup(dev);
+
++ dev->max_mtu = ETH_MAX_MTU;
+ dev->priv_flags &= ~(IFF_XMIT_DST_RELEASE | IFF_TX_SKB_SHARING);
+ dev->priv_flags |= IFF_UNICAST_FLT | IFF_NO_QUEUE;
+ dev->netdev_ops = &ipvlan_netdev_ops;
+--
+2.16.4
+
diff --git a/patches.fixes/ipvs-Fix-signed-integer-overflow-when-setsockopt-tim.patch b/patches.fixes/ipvs-Fix-signed-integer-overflow-when-setsockopt-tim.patch
new file mode 100644
index 0000000000..b197288a02
--- /dev/null
+++ b/patches.fixes/ipvs-Fix-signed-integer-overflow-when-setsockopt-tim.patch
@@ -0,0 +1,93 @@
+From 53ab60baa1ac4f20b080a22c13b77b6373922fd7 Mon Sep 17 00:00:00 2001
+From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Date: Thu, 10 Jan 2019 16:39:06 +0800
+Subject: [PATCH] ipvs: Fix signed integer overflow when setsockopt timeout
+Git-commit: 53ab60baa1ac4f20b080a22c13b77b6373922fd7
+Patch-mainline: v5.0-rc5
+References: bsc#1051510
+
+There is a UBSAN bug report as below:
+Ubsan: Undefined behaviour in net/netfilter/ipvs/ip_vs_ctl.c:2227:21
+signed integer overflow:
+-2147483647 * 1000 cannot be represented in type 'int'
+
+Reproduce program:
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <sys/socket.h>
+
+ #define IPPROTO_IP 0
+ #define IPPROTO_RAW 255
+
+ #define IP_VS_BASE_CTL (64+1024+64)
+ #define IP_VS_SO_SET_TIMEOUT (IP_VS_BASE_CTL+10)
+
+ /* The argument to IP_VS_SO_GET_TIMEOUT */
+ struct ipvs_timeout_t {
+ int tcp_timeout;
+ int tcp_fin_timeout;
+ int udp_timeout;
+ };
+
+ int main() {
+ int ret = -1;
+ int sockfd = -1;
+ struct ipvs_timeout_t to;
+
+ sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+ if (sockfd == -1) {
+ printf("socket init error\n");
+ return -1;
+ }
+
+ to.tcp_timeout = -2147483647;
+ to.tcp_fin_timeout = -2147483647;
+ to.udp_timeout = -2147483647;
+
+ ret = setsockopt(sockfd,
+ IPPROTO_IP,
+ IP_VS_SO_SET_TIMEOUT,
+ (char *)(&to),
+ sizeof(to));
+
+ printf("setsockopt return %d\n", ret);
+ return ret;
+ }
+
+Return -EINVAL if the timeout value is negative or max than 'INT_MAX / HZ'.
+
+Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 432141f04af3..7d6318664eb2 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2220,6 +2220,18 @@ static int ip_vs_set_timeout(struct netns_ipvs *ipvs, struct ip_vs_timeout_user
+ u->tcp_fin_timeout,
+ u->udp_timeout);
+
++#ifdef CONFIG_IP_VS_PROTO_TCP
++ if (u->tcp_timeout < 0 || u->tcp_timeout > (INT_MAX / HZ) ||
++ u->tcp_fin_timeout < 0 || u->tcp_fin_timeout > (INT_MAX / HZ)) {
++ return -EINVAL;
++ }
++#endif
++
++#ifdef CONFIG_IP_VS_PROTO_UDP
++ if (u->udp_timeout < 0 || u->udp_timeout > (INT_MAX / HZ))
++ return -EINVAL;
++#endif
++
+ #ifdef CONFIG_IP_VS_PROTO_TCP
+ if (u->tcp_timeout) {
+ pd = ip_vs_proto_data_get(ipvs, IPPROTO_TCP);
+--
+2.16.4
+
diff --git a/patches.fixes/ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_d.patch b/patches.fixes/ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_d.patch
new file mode 100644
index 0000000000..83547a5100
--- /dev/null
+++ b/patches.fixes/ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_d.patch
@@ -0,0 +1,87 @@
+From a53b42c11815d2357e31a9403ae3950517525894 Mon Sep 17 00:00:00 2001
+From: Tan Hu <tan.hu@zte.com.cn>
+Date: Wed, 25 Jul 2018 15:23:07 +0800
+Subject: [PATCH] ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest()
+Git-commit: a53b42c11815d2357e31a9403ae3950517525894
+Patch-mainline: v4.19-rc1
+References: bsc#1051510
+
+We came across infinite loop in ipvs when using ipvs in docker
+env.
+
+When ipvs receives new packets and cannot find an ipvs connection,
+it will create a new connection, then if the dest is unavailable
+(i.e. IP_VS_DEST_F_AVAILABLE), the packet will be dropped sliently.
+
+But if the dropped packet is the first packet of this connection,
+the connection control timer never has a chance to start and the
+ipvs connection cannot be released. This will lead to memory leak, or
+infinite loop in cleanup_net() when net namespace is released like
+This:
+
+ ip_vs_conn_net_cleanup at ffffffffa0a9f31a [ip_vs]
+ __ip_vs_cleanup at ffffffffa0a9f60a [ip_vs]
+ ops_exit_list at ffffffff81567a49
+ cleanup_net at ffffffff81568b40
+ process_one_work at ffffffff810a851b
+ worker_thread at ffffffff810a9356
+ kthread at ffffffff810b0b6f
+ ret_from_fork at ffffffff81697a18
+
+race condition:
+ CPU1 CPU2
+ ip_vs_in()
+ ip_vs_conn_new()
+ ip_vs_del_dest()
+ __ip_vs_unlink_dest()
+ ~IP_VS_DEST_F_AVAILABLE
+ cp->dest && !IP_VS_DEST_F_AVAILABLE
+ __ip_vs_conn_put
+ ...
+ cleanup_net ---> infinite looping
+
+Fix this by checking whether the timer already started.
+
+Signed-off-by: Tan Hu <tan.hu@zte.com.cn>
+Reviewed-by: Jiang Biao <jiang.biao2@zte.com.cn>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/netfilter/ipvs/ip_vs_core.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index 0679dd101e72..7ca926a03b81 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -1972,13 +1972,20 @@ ip_vs_in(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int
+ if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
+ /* the destination server is not available */
+
+- if (sysctl_expire_nodest_conn(ipvs)) {
++ __u32 flags = cp->flags;
++
++ /* when timer already started, silently drop the packet.*/
++ if (timer_pending(&cp->timer))
++ __ip_vs_conn_put(cp);
++ else
++ ip_vs_conn_put(cp);
++
++ if (sysctl_expire_nodest_conn(ipvs) &&
++ !(flags & IP_VS_CONN_F_ONE_PACKET)) {
+ /* try to expire the connection immediately */
+ ip_vs_conn_expire_now(cp);
+ }
+- /* don't restart its timer, and silently
+- drop the packet. */
+- __ip_vs_conn_put(cp);
++
+ return NF_DROP;
+ }
+
+--
+2.16.4
+
diff --git a/patches.fixes/l2tp-cleanup-l2tp_tunnel_delete-calls.patch b/patches.fixes/l2tp-cleanup-l2tp_tunnel_delete-calls.patch
new file mode 100644
index 0000000000..6b5c8e4b05
--- /dev/null
+++ b/patches.fixes/l2tp-cleanup-l2tp_tunnel_delete-calls.patch
@@ -0,0 +1,58 @@
+From 4dc12ffeaeac939097a3f55c881d3dc3523dff0c Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Wed, 25 Oct 2017 15:57:55 +0200
+Subject: [PATCH] l2tp: cleanup l2tp_tunnel_delete calls
+Git-commit: 4dc12ffeaeac939097a3f55c881d3dc3523dff0c
+Patch-mainline: v4.15-rc1
+References: bsc#1051510
+
+l2tp_tunnel_delete does not return anything since commit 62b982eeb458
+("l2tp: fix race condition in l2tp_tunnel_delete"). But call sites of
+l2tp_tunnel_delete still do casts to void to avoid unused return value
+warnings.
+
+Kill these now useless casts.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: Sabrina Dubroca <sd@queasysnail.net>
+Cc: Guillaume Nault <g.nault@alphalink.fr>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: netdev@vger.kernel.org
+Acked-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/l2tp/l2tp_core.c | 2 +-
+ net/l2tp/l2tp_netlink.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index 02d61101b108..af22aa8ae35b 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1891,7 +1891,7 @@ static __net_exit void l2tp_exit_net(struct net *net)
+
+ rcu_read_lock_bh();
+ list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
+- (void)l2tp_tunnel_delete(tunnel);
++ l2tp_tunnel_delete(tunnel);
+ }
+ rcu_read_unlock_bh();
+
+diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
+index f5179424eaf1..f04fb347d251 100644
+--- a/net/l2tp/l2tp_netlink.c
++++ b/net/l2tp/l2tp_netlink.c
+@@ -282,7 +282,7 @@ static int l2tp_nl_cmd_tunnel_delete(struct sk_buff *skb, struct genl_info *info
+ l2tp_tunnel_notify(&l2tp_nl_family, info,
+ tunnel, L2TP_CMD_TUNNEL_DELETE);
+
+- (void) l2tp_tunnel_delete(tunnel);
++ l2tp_tunnel_delete(tunnel);
+
+ l2tp_tunnel_dec_refcount(tunnel);
+
+--
+2.16.4
+
diff --git a/patches.fixes/l2tp-revert-l2tp-fix-missing-print-session-offset-in.patch b/patches.fixes/l2tp-revert-l2tp-fix-missing-print-session-offset-in.patch
new file mode 100644
index 0000000000..31f822167d
--- /dev/null
+++ b/patches.fixes/l2tp-revert-l2tp-fix-missing-print-session-offset-in.patch
@@ -0,0 +1,35 @@
+From de3b58bc359a861d5132300f53f95e83f71954b3 Mon Sep 17 00:00:00 2001
+From: James Chapman <jchapman@katalix.com>
+Date: Wed, 3 Jan 2018 22:48:05 +0000
+Subject: [PATCH] l2tp: revert "l2tp: fix missing print session offset info"
+Git-commit: de3b58bc359a861d5132300f53f95e83f71954b3
+Patch-mainline: v4.16-rc1
+References: bsc#1051510
+
+Revert commit 820da5357572 ("l2tp: fix missing print session offset
+info"). The peer_offset parameter is removed.
+
+Signed-off-by: James Chapman <jchapman@katalix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/l2tp/l2tp_netlink.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
+index 7e9c50125556..a1f24fb2be98 100644
+--- a/net/l2tp/l2tp_netlink.c
++++ b/net/l2tp/l2tp_netlink.c
+@@ -761,8 +761,6 @@ static int l2tp_nl_session_send(struct sk_buff *skb, u32 portid, u32 seq, int fl
+
+ if ((session->ifname[0] &&
+ nla_put_string(skb, L2TP_ATTR_IFNAME, session->ifname)) ||
+- (session->offset &&
+- nla_put_u16(skb, L2TP_ATTR_OFFSET, session->offset)) ||
+ (session->cookie_len &&
+ nla_put(skb, L2TP_ATTR_COOKIE, session->cookie_len,
+ &session->cookie[0])) ||
+--
+2.16.4
+
diff --git a/patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch b/patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch
new file mode 100644
index 0000000000..071d84b737
--- /dev/null
+++ b/patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch
@@ -0,0 +1,91 @@
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Tue, 14 May 2019 15:41:38 -0700
+Subject: mm/mincore.c: make mincore() more conservative
+Git-commit: 134fca9063ad4851de767d1768180e5dede9a881
+Patch-mainline: v5.2-rc1
+References: CVE-2019-5489, bsc#1120843
+
+The semantics of what mincore() considers to be resident is not
+completely clear, but Linux has always (since 2.3.52, which is when
+mincore() was initially done) treated it as "page is available in page
+cache".
+
+That's potentially a problem, as that [in]directly exposes
+meta-information about pagecache / memory mapping state even about
+memory not strictly belonging to the process executing the syscall,
+opening possibilities for sidechannel attacks.
+
+Change the semantics of mincore() so that it only reveals pagecache
+information for non-anonymous mappings that belog to files that the
+calling process could (if it tried to) successfully open for writing;
+otherwise we'd be including shared non-exclusive mappings, which
+
+ - is the sidechannel
+
+ - is not the usecase for mincore(), as that's primarily used for data,
+ not (shared) text
+
+[jkosina@suse.cz: v2]
+ Link: http://lkml.kernel.org/r/20190312141708.6652-2-vbabka@suse.cz
+[mhocko@suse.com: restructure can_do_mincore() conditions]
+Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1903062342020.19912@cbobk.fhfr.pm
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Acked-by: Josh Snyder <joshs@netflix.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Originally-by: Linus Torvalds <torvalds@linux-foundation.org>
+Originally-by: Dominique Martinet <asmadeus@codewreck.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Dave Chinner <david@fromorbit.com>
+Cc: Kevin Easton <kevin@guarana.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Cyril Hrubis <chrubis@suse.cz>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Kirill A. Shutemov <kirill@shutemov.name>
+Cc: Daniel Gruss <daniel@gruss.cc>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ mm/mincore.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/mm/mincore.c
++++ b/mm/mincore.c
+@@ -168,6 +168,22 @@ out:
+ return 0;
+ }
+
++static inline bool can_do_mincore(struct vm_area_struct *vma)
++{
++ if (vma_is_anonymous(vma))
++ return true;
++ if (!vma->vm_file)
++ return false;
++ /*
++ * Reveal pagecache information only for non-anonymous mappings that
++ * correspond to the files the calling process could (if tried) open
++ * for writing; otherwise we'd be including shared non-exclusive
++ * mappings, which opens a side channel.
++ */
++ return inode_owner_or_capable(file_inode(vma->vm_file)) ||
++ inode_permission(file_inode(vma->vm_file), MAY_WRITE) == 0;
++}
++
+ /*
+ * Do a chunk of "sys_mincore()". We've already checked
+ * all the arguments, we hold the mmap semaphore: we should
+@@ -188,8 +204,13 @@ static long do_mincore(unsigned long add
+ vma = find_vma(current->mm, addr);
+ if (!vma || addr < vma->vm_start)
+ return -ENOMEM;
+- mincore_walk.mm = vma->vm_mm;
+ end = min(vma->vm_end, addr + (pages << PAGE_SHIFT));
++ if (!can_do_mincore(vma)) {
++ unsigned long pages = DIV_ROUND_UP(end - addr, PAGE_SIZE);
++ memset(vec, 1, pages);
++ return pages;
++ }
++ mincore_walk.mm = vma->vm_mm;
+ err = walk_page_range(addr, end, &mincore_walk);
+ if (err < 0)
+ return err;
diff --git a/series.conf b/series.conf
index 500b2162b7..5e19011065 100644
--- a/series.conf
+++ b/series.conf
@@ -9155,6 +9155,7 @@
patches.drivers/net-hns3-fix-a-bug-in-hclge_uninit_client_instance.patch
patches.drivers/net-hns3-fix-the-bug-when-reuse-command-description-.patch
patches.drivers/cxgb4-fix-overflow-in-collecting-IBQ-and-OBQ-dump.patch
+ patches.fixes/l2tp-cleanup-l2tp_tunnel_delete-calls.patch
patches.drivers/cxgb4-collect-hardware-LA-dumps.patch
patches.drivers/cxgb4-collect-CIM-queue-configuration-dump.patch
patches.drivers/cxgb4-collect-RSS-dumps.patch
@@ -9255,6 +9256,7 @@
patches.drivers/ibmvnic-120-Add-vnic-client-data-to-login-buffer.patch
patches.fixes/l2tp-don-t-close-sessions-in-l2tp_tunnel_destruct.patch
patches.drivers/net-thunderx-fix-double-free-error.patch
+ patches.fixes/ipvlan-fix-ipv6-outbound-device.patch
patches.drivers/ieee802154-mrf24j40-fix-incorrect-mask-in-mrf24j40_s
patches.drivers/cxgb4-collect-vpd-info-directly-from-hardware.patch
patches.fixes/net-Remove-unused-skb_shared_info-member.patch
@@ -10677,6 +10679,7 @@
patches.drivers/s390-qeth-fix-thinko-in-IPv4-multicast-address-track.patch
patches.drivers/s390-qeth-fix-GSO-throughput-regression.patch
patches.drivers/s390-qeth-build-max-size-GSO-skbs-on-L2-devices.patch
+ patches.fixes/ipvlan-Add-the-skb-mark-as-flow4-s-member-to-lookup-.patch
patches.suse/stmmac-reset-last-TSO-segment-size-after-device-open.patch
patches.drivers/can-kvaser_usb-free-buf-in-error-paths
patches.drivers/can-kvaser_usb-Fix-comparison-bug-in-kvaser_usb_read
@@ -12429,6 +12432,7 @@
patches.drivers/mac80211_hwsim-enforce-PS_MANUAL_POLL-to-be-set-afte
patches.drivers/mac80211-remove-BUG-when-interface-type-is-invalid
patches.drivers/mac80211-Fix-setting-TX-power-on-monitor-interfaces
+ patches.fixes/l2tp-revert-l2tp-fix-missing-print-session-offset-in.patch
patches.drivers/net-hns3-Add-ethtool-interface-for-vlan-filter.patch
patches.drivers/net-hns3-Disable-VFs-change-rxvlan-offload-status.patch
patches.drivers/net-hns3-Unify-the-strings-display-of-packet-statist.patch
@@ -15640,6 +15644,7 @@
patches.drm/drm-amdgpu-Fix-PCIe-lane-width-calculation
patches.drm/drm-radeon-add-PX-quirk-for-Asus-K73TK
patches.arch/s390-crypto-Adjust-s390-aes-and-paes-cipher-prioriti.patch
+ patches.arch/s390-qdio-clear-intparm-during-shutdown
patches.arch/s390-ipl-ensure-loadparm-valid-flag-is-set.patch
patches.arch/s390-correct-nospec-auto-detection-init-order.patch
patches.drivers/i2c-i801-Save-register-SMBSLVCMD-value-only-once
@@ -16733,6 +16738,7 @@
patches.suse/msft-hv-1667-hv_netvsc-select-needed-ucs2_string-routine.patch
patches.drivers/qed-Delete-unused-parameter-p_ptt-from-mcp-APIs.patch
patches.drivers/qed-Add-configuration-information-to-register-dump-a.patch
+ patches.fixes/ipconfig-Correctly-initialise-ic_nameservers.patch
patches.drivers/qed-Fix-copying-2-strings.patch
patches.fixes/0018-sctp-fix-identification-of-new-acks-for-SFR-CACC.patch
patches.drivers/ixgbe-Drop-support-for-macvlan-specific-unicast-list.patch
@@ -17539,6 +17545,7 @@
patches.drivers/qed-Add-sanity-check-for-SIMD-fastpath-handler.patch
patches.drivers/qed-Do-not-advertise-DCBX_LLD_MANAGED-capability.patch
patches.drivers/enic-initialize-enic-rfs_h.lock-in-enic_probe.patch
+ patches.fixes/ipvlan-use-ETH_MAX_MTU-as-max-mtu.patch
patches.drivers/enic-do-not-overwrite-error-code.patch
patches.suse/net-sungem-fix-rx-checksum-support.patch
patches.suse/stmmac-fix-DMA-channel-hang-in-half-duplex-mode.patch
@@ -18804,6 +18811,7 @@
patches.arch/kvm-x86-set-highest-physical-address-bits-in-non-present-reserved-sptes
patches.suse/cls_matchall-fix-tcf_unbind_filter-missing.patch
patches.drivers/isdn-Disable-IIOCDBGVAR
+ patches.fixes/ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_d.patch
patches.suse/netfilter-ip6t_rpfilter-set-F_IFACE-for-linklocal-ad.patch
patches.drivers/EDAC-Add-missing-MEM_LRDDR4-entry-in-edac_mem_types.patch
patches.drivers/mfd-intel-lpss-Add-Ice-Lake-PCI-IDs.patch
@@ -19111,6 +19119,7 @@
patches.arch/x86-microcode-make-sure-boot_cpu_data-microcode-is-up-to-date
patches.arch/x86-microcode-update-the-new-microcode-revision-unconditionally
patches.arch/x86-process-don-t-mix-user-kernel-regs-in-64bit-_show_regs
+ patches.drivers/iw_cxgb4-only-allow-1-flush-on-user-qps.patch
patches.drivers/IB-ipoib-Avoid-a-race-condition-between-start_xmit-a.patch
patches.drivers/bnxt_re-Fix-couple-of-memory-leaks-that-could-lead-t.patch
patches.drivers/HID-add-support-for-Apple-Magic-Keyboards.patch
@@ -19868,6 +19877,7 @@
patches.fixes/0001-dm-ioctl-harden-copy_params-s-copy_from_user-from-ma.patch
patches.fixes/0001-dm-zoned-fix-metadata-block-ref-counting.patch
patches.fixes/0001-dm-zoned-fix-various-dmz_get_mblock-issues.patch
+ patches.fixes/MD-fix-invalid-stored-role-for-a-disk.patch
patches.fixes/md-allow-metadata-updates-while-suspending-an-array-.patch
patches.fixes/MD-fix-invalid-stored-role-for-a-disk-try2.patch
patches.fixes/smb3-allow-stats-which-track-session-and-share-recon.patch
@@ -19944,6 +19954,7 @@
patches.fixes/v9fs_dir_readdir-fix-double-free-on-p9stat_read-erro.patch
patches.fixes/9p-clear-dangling-pointers-in-p9stat_free.patch
patches.fixes/9p-do-not-trust-pdu-content-for-stat-item-size.patch
+ patches.fixes/9p-locks-add-mount-option-for-lock-retry-interval.patch
patches.fixes/9p-locks-fix-glock.client_id-leak-in-do_lock.patch
patches.fixes/fsnotify-Fix-busy-inodes-during-unmount.patch
patches.drivers/staging-iio-ad7606-fix-voltage-scales.patch
@@ -21102,6 +21113,7 @@
patches.fixes/netrom-switch-to-sock-timer-API.patch
patches.suse/net-rose-fix-NULL-ax25_cb-kernel-panic.patch
patches.suse/net-mlx5e-Allow-MAC-invalidation-while-spoofchk-is-O.patch
+ patches.fixes/ipvs-Fix-signed-integer-overflow-when-setsockopt-tim.patch
patches.suse/net-set-default-network-namespace-in-init_dummy_netd.patch
patches.drivers/gpio-pcf857x-Fix-interrupts-on-multiple-instances.patch
patches.drivers/gpio-altera-a10sr-Set-proper-output-level-for-direct.patch
@@ -21793,6 +21805,7 @@
patches.suse/tun-properly-test-for-IFF_UP.patch
patches.suse/tun-add-a-missing-rcu_read_unlock-in-error-path.patch
patches.suse/net-rose-fix-a-possible-stack-overflow.patch
+ patches.drivers/mac8390-Fix-mmio-access-size-probe.patch
patches.suse/net-aquantia-fix-rx-checksum-offload-for-UDP-TCP-ove.patch
patches.suse/vxlan-Don-t-call-gro_cells_destroy-before-device-is-.patch
patches.suse/packets-Always-register-packet-sk-in-the-same-order.patch
@@ -21868,6 +21881,7 @@
patches.arch/kvm-svm-workaround-errata-1096-insn_len-maybe-zero-on-smap-violation
patches.arch/kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch
patches.suse/msft-hv-1857-x86-kvm-hyper-v-avoid-spurious-pending-stimer-on-vCP.patch
+ patches.fixes/debugfs-fix-use-after-free-on-symlink-traversal.patch
patches.drivers/HID-logitech-check-the-return-value-of-create_single.patch
patches.drivers/HID-debug-fix-race-condition-with-between-rdesc_show.patch
patches.drivers/HID-input-add-mapping-for-Assistant-key.patch
@@ -21890,6 +21904,7 @@
patches.suse/net-sched-fix-get-helper-of-the-matchall-cls.patch
patches.suse/kcm-switch-order-of-device-registration-to-fix-a-cra.patch
patches.suse/sctp-initialize-_pad-of-sockaddr_in-before-copying-t.patch
+ patches.fixes/dccp-Fix-memleak-in-__feat_register_sp.patch
patches.suse/ip6_tunnel-Match-to-ARPHRD_TUNNEL6-for-dev-type.patch
patches.suse/net-gro-Fix-GRO-flush-when-receiving-a-GSO-packet.patch
patches.fixes/0001-ipv6-Fix-dangling-pointer-when-ipv6-fragment.patch
@@ -22200,6 +22215,7 @@
patches.drivers/PCI-Mark-AMD-Stoney-Radeon-R7-GPU-ATS-as-broken.patch
patches.drivers/PCI-Mark-Atheros-AR9462-to-avoid-bus-reset.patch
patches.drivers/backlight-lm3630a-Return-0-on-success-in-update_stat.patch
+ patches.fixes/mm-mincore-c-make-mincore-more-conservative.patch
patches.fixes/crypto-caam-fix-caam_dump_sg-that-iterates-through-s.patch
patches.drivers/power-supply-axp288_charger-Fix-unchecked-return-val.patch
patches.drivers/power-supply-axp20x_usb_power-Fix-typo-in-VBUS-curre.patch
@@ -22217,6 +22233,7 @@
patches.drivers/soc-fsl-qe-Fix-an-error-code-in-qe_pin_request.patch
patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
patches.fixes/vsock-virtio-Initialize-core-virtio-vsock-before-reg.patch
+ patches.fixes/crypto-vmx-CTR-always-increment-IV-as-quadword.patch
# davem/net-next
patches.suse/msft-hv-1766-hv_netvsc-fix-vf-serial-matching-with-pci-slot-info.patch
@@ -22355,6 +22372,7 @@
patches.arch/s390-sles15-05-01-gmb.patch
patches.arch/s390-sles15-bpf-indirect-call.patch
patches.arch/s390-sles15-dasd-fix-deadlock-in-dasd_times_out.patch
+ patches.arch/s390-sles15-kmsg-update-2019-03-08.patch
########################################################
# VM/FS patches