Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKernel Build Daemon <kbuild@suse.de>2019-05-23 07:05:12 +0200
committerKernel Build Daemon <kbuild@suse.de>2019-05-23 07:05:12 +0200
commit910dd3d7ee6850e8017dab6875ac98de23d68ce5 (patch)
tree55299c9bf86239b79c4fec41fd9fb8e4e7db1b5b
parent707a4f87bcbfe012b4614f8b4e3b6554f42fe5f0 (diff)
parentb095074a0a1d757e55076f58576eea9ab76bcb21 (diff)
Merge branch 'SLE15' into SLE15-AZURE
-rw-r--r--config/ppc64le/debug2
-rw-r--r--config/x86_64/debug2
-rw-r--r--patches.arch/ARM-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch158
-rw-r--r--patches.arch/ARM-8833-1-Ensure-that-NEON-code-always-compiles-wit.patch113
-rw-r--r--patches.arch/ARM-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch69
-rw-r--r--patches.arch/ARM-8840-1-use-a-raw_spinlock_t-in-unwind.patch94
-rw-r--r--patches.arch/ARM-OMAP2-Variable-reg-in-function-omap4_dsi_mux_pad.patch49
-rw-r--r--patches.arch/ARM-OMAP2-fix-lack-of-timer-interrupts-on-CPU1-after.patch81
-rw-r--r--patches.arch/ARM-avoid-Cortex-A9-livelock-on-tight-dmb-loops.patch194
-rw-r--r--patches.arch/ARM-imx6q-cpuidle-fix-bug-that-CPU-might-not-wake-up.patch80
-rw-r--r--patches.arch/ARM-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch46
-rw-r--r--patches.arch/ARM-s3c24xx-Fix-boolean-expressions-in-osiris_dvs_no.patch52
-rw-r--r--patches.arch/ARM-samsung-Limit-SAMSUNG_PM_CHECK-config-option-to-.patch60
-rw-r--r--patches.fixes/0001-netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dost.patch37
-rw-r--r--patches.fixes/0001-tools-lib-traceevent-Fix-missing-equality-check-for-.patch60
-rw-r--r--patches.fixes/0001-x86-speculation-mds-Fix-documentation-typo.patch34
-rw-r--r--patches.fixes/0002-netfilter-nf_log-don-t-hold-nf_log_mutex-during-user.patch52
-rw-r--r--patches.fixes/0003-xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch116
-rw-r--r--patches.fixes/0004-xfrm-fix-missing-dst_release-after-policy-blocking-l.patch70
-rw-r--r--patches.fixes/0005-net-socket-fix-potential-spectre-v1-gadget-in-socket.patch47
-rw-r--r--patches.fixes/0006-packet-refine-ring-v3-block-size-test-to-hold-one-fr.patch68
-rw-r--r--patches.fixes/0007-net-ipv6-fix-addrconf_sysctl_addr_gen_mode.patch99
-rw-r--r--patches.fixes/0008-net-ipv6-don-t-reinitialize-ndev-cnf.addr_gen_mode-o.patch36
-rw-r--r--patches.fixes/0009-net-ipv6-reserve-room-for-IFLA_INET6_ADDR_GEN_MODE.patch38
-rw-r--r--patches.fixes/0010-net-ipv6-propagate-net.ipv6.conf.all.addr_gen_mode-t.patch45
-rw-r--r--patches.fixes/0011-xfrm-fix-passing-zero-to-ERR_PTR-warning.patch41
-rw-r--r--patches.fixes/0012-ip6_tunnel-collect_md-xmit-Use-ip_tunnel_key-s-provi.patch62
-rw-r--r--patches.fixes/0013-ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch65
-rw-r--r--patches.fixes/0014-ipv6-fix-cleanup-ordering-for-pingv6-registration.patch58
-rw-r--r--patches.fixes/0015-igmp-fix-incorrect-unsolicit-report-count-when-join-.patch39
-rw-r--r--patches.fixes/0016-netfilter-nf_tables-release-chain-in-flushing-set.patch79
-rw-r--r--patches.fixes/0017-netfilter-bridge-Don-t-sabotage-nf_hook-calls-from-a.patch56
-rw-r--r--patches.fixes/0018-xfrm-Validate-address-prefix-lengths-in-the-xfrm-sel.patch64
-rw-r--r--patches.fixes/0019-xfrm6-call-kfree_skb-when-skb-is-toobig.patch46
-rw-r--r--patches.fixes/0020-xfrm-reset-transport-header-back-to-network-header-a.patch99
-rw-r--r--patches.fixes/0021-xfrm-reset-crypto_done-when-iterating-over-multiple-.patch37
-rw-r--r--patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch87
-rw-r--r--series.conf35
38 files changed, 2468 insertions, 2 deletions
diff --git a/config/ppc64le/debug b/config/ppc64le/debug
index f1fcdc3611..37619721fb 100644
--- a/config/ppc64le/debug
+++ b/config/ppc64le/debug
@@ -52,9 +52,9 @@ CONFIG_REISERFS_PROC_INFO=y
CONFIG_RT2X00_DEBUG=y
CONFIG_RT2X00_LIB_DEBUGFS=y
CONFIG_SCSI_LPFC_DEBUG_FS=y
+# CONFIG_SUSE_KERNEL_SUPPORTED is not set
# CONFIG_SYSTEM_DATA_VERIFICATION is not set
CONFIG_TCM_QLA2XXX_DEBUG=y
CONFIG_TTY_PRINTK=y
CONFIG_UNINLINE_SPIN_UNLOCK=y
CONFIG_MODULES=y
-CONFIG_SUSE_KERNEL_SUPPORTED=y
diff --git a/config/x86_64/debug b/config/x86_64/debug
index 5b6c931017..6208a90016 100644
--- a/config/x86_64/debug
+++ b/config/x86_64/debug
@@ -70,6 +70,7 @@ CONFIG_RT2X00_LIB_DEBUGFS=y
CONFIG_RTC_DRV_TEST=m
CONFIG_SND_DEBUG_VERBOSE=y
CONFIG_SSB_DEBUG=y
+# CONFIG_SUSE_KERNEL_SUPPORTED is not set
# CONFIG_SYSTEM_DATA_VERIFICATION is not set
CONFIG_TCM_QLA2XXX_DEBUG=y
CONFIG_THINKPAD_ACPI_DEBUG=y
@@ -80,5 +81,4 @@ CONFIG_UNINLINE_SPIN_UNLOCK=y
CONFIG_USB_STORAGE_DEBUG=y
CONFIG_XFS_DEBUG=y
CONFIG_MODULES=y
-CONFIG_SUSE_KERNEL_SUPPORTED=y
CONFIG_EFI_STUB=y
diff --git a/patches.arch/ARM-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch b/patches.arch/ARM-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch
new file mode 100644
index 0000000000..04477fa20f
--- /dev/null
+++ b/patches.arch/ARM-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch
@@ -0,0 +1,158 @@
+From 1b5ba350784242eb1f899bcffd95d2c7cff61e84 Mon Sep 17 00:00:00 2001
+From: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Date: Mon, 21 Jan 2019 14:42:42 +0100
+Subject: [PATCH] ARM: 8824/1: fix a migrating irq bug when hotplug cpu
+Git-commit: 1b5ba350784242eb1f899bcffd95d2c7cff61e84
+Patch-mainline: v5.0-rc8
+References: bsc#1051510
+
+Arm TC2 fails cpu hotplug stress test.
+
+This issue was tracked down to a missing copy of the new affinity
+cpumask for the vexpress-spc interrupt into struct
+irq_common_data.affinity when the interrupt is migrated in
+migrate_one_irq().
+
+Fix it by replacing the arm specific hotplug cpu migration with the
+generic irq code.
+
+This is the counterpart implementation to commit 217d453d473c ("arm64:
+fix a migrating irq bug when hotplug cpu").
+
+Tested with cpu hotplug stress test on Arm TC2 (multi_v7_defconfig plus
+CONFIG_ARM_BIG_LITTLE_CPUFREQ=y and CONFIG_ARM_VEXPRESS_SPC_CPUFREQ=y).
+The vexpress-spc interrupt (irq=22) on this board is affine to CPU0.
+Its affinity cpumask now changes correctly e.g. from 0 to 1-4 when
+CPU0 is hotplugged out.
+
+Suggested-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/Kconfig | 1 +
+ arch/arm/include/asm/irq.h | 1 -
+ arch/arm/kernel/irq.c | 62 ----------------------------------------------
+ arch/arm/kernel/smp.c | 2 +-
+ 4 files changed, 2 insertions(+), 64 deletions(-)
+
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index 664e918e2624..26524b75970a 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1400,6 +1400,7 @@ config NR_CPUS
+ config HOTPLUG_CPU
+ bool "Support for hot-pluggable CPUs"
+ depends on SMP
++ select GENERIC_IRQ_MIGRATION
+ help
+ Say Y here to experiment with turning CPUs off and on. CPUs
+ can be controlled through /sys/devices/system/cpu.
+diff --git a/arch/arm/include/asm/irq.h b/arch/arm/include/asm/irq.h
+index c883fcbe93b6..46d41140df27 100644
+--- a/arch/arm/include/asm/irq.h
++++ b/arch/arm/include/asm/irq.h
+@@ -25,7 +25,6 @@
+ #ifndef __ASSEMBLY__
+ struct irqaction;
+ struct pt_regs;
+-extern void migrate_irqs(void);
+
+ extern void asm_do_IRQ(unsigned int, struct pt_regs *);
+ void handle_IRQ(unsigned int, struct pt_regs *);
+diff --git a/arch/arm/kernel/irq.c b/arch/arm/kernel/irq.c
+index 9908dacf9229..844861368cd5 100644
+--- a/arch/arm/kernel/irq.c
++++ b/arch/arm/kernel/irq.c
+@@ -31,7 +31,6 @@
+ #include <linux/smp.h>
+ #include <linux/init.h>
+ #include <linux/seq_file.h>
+-#include <linux/ratelimit.h>
+ #include <linux/errno.h>
+ #include <linux/list.h>
+ #include <linux/kallsyms.h>
+@@ -109,64 +108,3 @@ int __init arch_probe_nr_irqs(void)
+ return nr_irqs;
+ }
+ #endif
+-
+-#ifdef CONFIG_HOTPLUG_CPU
+-static bool migrate_one_irq(struct irq_desc *desc)
+-{
+- struct irq_data *d = irq_desc_get_irq_data(desc);
+- const struct cpumask *affinity = irq_data_get_affinity_mask(d);
+- struct irq_chip *c;
+- bool ret = false;
+-
+- /*
+- * If this is a per-CPU interrupt, or the affinity does not
+- * include this CPU, then we have nothing to do.
+- */
+- if (irqd_is_per_cpu(d) || !cpumask_test_cpu(smp_processor_id(), affinity))
+- return false;
+-
+- if (cpumask_any_and(affinity, cpu_online_mask) >= nr_cpu_ids) {
+- affinity = cpu_online_mask;
+- ret = true;
+- }
+-
+- c = irq_data_get_irq_chip(d);
+- if (!c->irq_set_affinity)
+- pr_debug("IRQ%u: unable to set affinity\n", d->irq);
+- else if (c->irq_set_affinity(d, affinity, false) == IRQ_SET_MASK_OK && ret)
+- cpumask_copy(irq_data_get_affinity_mask(d), affinity);
+-
+- return ret;
+-}
+-
+-/*
+- * The current CPU has been marked offline. Migrate IRQs off this CPU.
+- * If the affinity settings do not allow other CPUs, force them onto any
+- * available CPU.
+- *
+- * Note: we must iterate over all IRQs, whether they have an attached
+- * action structure or not, as we need to get chained interrupts too.
+- */
+-void migrate_irqs(void)
+-{
+- unsigned int i;
+- struct irq_desc *desc;
+- unsigned long flags;
+-
+- local_irq_save(flags);
+-
+- for_each_irq_desc(i, desc) {
+- bool affinity_broken;
+-
+- raw_spin_lock(&desc->lock);
+- affinity_broken = migrate_one_irq(desc);
+- raw_spin_unlock(&desc->lock);
+-
+- if (affinity_broken)
+- pr_warn_ratelimited("IRQ%u no longer affine to CPU%u\n",
+- i, smp_processor_id());
+- }
+-
+- local_irq_restore(flags);
+-}
+-#endif /* CONFIG_HOTPLUG_CPU */
+diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
+index 3bf82232b1be..1d6f5ea522f4 100644
+--- a/arch/arm/kernel/smp.c
++++ b/arch/arm/kernel/smp.c
+@@ -254,7 +254,7 @@ int __cpu_disable(void)
+ /*
+ * OK - migrate IRQs away from this CPU
+ */
+- migrate_irqs();
++ irq_migrate_all_off_this_cpu();
+
+ /*
+ * Flush user cache and TLB mappings, and then remove this CPU
+--
+2.16.4
+
diff --git a/patches.arch/ARM-8833-1-Ensure-that-NEON-code-always-compiles-wit.patch b/patches.arch/ARM-8833-1-Ensure-that-NEON-code-always-compiles-wit.patch
new file mode 100644
index 0000000000..be2709021a
--- /dev/null
+++ b/patches.arch/ARM-8833-1-Ensure-that-NEON-code-always-compiles-wit.patch
@@ -0,0 +1,113 @@
+From de9c0d49d85dc563549972edc5589d195cd5e859 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Sat, 2 Feb 2019 03:34:36 +0100
+Subject: [PATCH] ARM: 8833/1: Ensure that NEON code always compiles with Clang
+Git-commit: de9c0d49d85dc563549972edc5589d195cd5e859
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+While building arm32 allyesconfig, I ran into the following errors:
+
+ arch/arm/lib/xor-neon.c:17:2: error: You should compile this file with
+ '-mfloat-abi=softfp -mfpu=neon'
+
+ In file included from lib/raid6/neon1.c:27:
+ /home/nathan/cbl/prebuilt/lib/clang/8.0.0/include/arm_neon.h:28:2:
+ error: "NEON support not enabled"
+
+Building V=1 showed NEON_FLAGS getting passed along to Clang but
+__ARM_NEON__ was not getting defined. Ultimately, it boils down to Clang
+only defining __ARM_NEON__ when targeting armv7, rather than armv6k,
+which is the '-march' value for allyesconfig.
+
+>From lib/Basic/Targets/ARM.cpp in the Clang source:
+
+ // This only gets set when Neon instructions are actually available, unlike
+ // the VFP define, hence the soft float and arch check. This is subtly
+ // different from gcc, we follow the intent which was that it should be set
+ // when Neon instructions are actually available.
+ if ((FPU & NeonFPU) && !SoftFloat && ArchVersion >= 7) {
+ Builder.defineMacro("__ARM_NEON", "1");
+ Builder.defineMacro("__ARM_NEON__");
+ // current AArch32 NEON implementations do not support double-precision
+ // floating-point even when it is present in VFP.
+ Builder.defineMacro("__ARM_NEON_FP",
+ "0x" + Twine::utohexstr(HW_FP & ~HW_FP_DP));
+ }
+
+Ard Biesheuvel recommended explicitly adding '-march=armv7-a' at the
+beginning of the NEON_FLAGS definitions so that __ARM_NEON__ always gets
+definined by Clang. This doesn't functionally change anything because
+that code will only run where NEON is supported, which is implicitly
+armv7.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/287
+
+Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Acked-by: Nicolas Pitre <nico@linaro.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Reviewed-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ Documentation/arm/kernel_mode_neon.txt | 4 ++--
+ arch/arm/lib/Makefile | 2 +-
+ arch/arm/lib/xor-neon.c | 2 +-
+ lib/raid6/Makefile | 2 +-
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/Documentation/arm/kernel_mode_neon.txt
++++ b/Documentation/arm/kernel_mode_neon.txt
+@@ -6,7 +6,7 @@ TL;DR summary
+ * Use only NEON instructions, or VFP instructions that don't rely on support
+ code
+ * Isolate your NEON code in a separate compilation unit, and compile it with
+- '-mfpu=neon -mfloat-abi=softfp'
++ '-march=armv7-a -mfpu=neon -mfloat-abi=softfp'
+ * Put kernel_neon_begin() and kernel_neon_end() calls around the calls into your
+ NEON code
+ * Don't sleep in your NEON code, and be aware that it will be executed with
+@@ -87,7 +87,7 @@ instructions appearing in unexpected pla
+ Therefore, the recommended and only supported way of using NEON/VFP in the
+ kernel is by adhering to the following rules:
+ * isolate the NEON code in a separate compilation unit and compile it with
+- '-mfpu=neon -mfloat-abi=softfp';
++ '-march=armv7-a -mfpu=neon -mfloat-abi=softfp';
+ * issue the calls to kernel_neon_begin(), kernel_neon_end() as well as the calls
+ into the unit containing the NEON code from a compilation unit which is *not*
+ built with the GCC flag '-mfpu=neon' set.
+--- a/arch/arm/lib/Makefile
++++ b/arch/arm/lib/Makefile
+@@ -38,7 +38,7 @@ $(obj)/csumpartialcopy.o: $(obj)/csumpar
+ $(obj)/csumpartialcopyuser.o: $(obj)/csumpartialcopygeneric.S
+
+ ifeq ($(CONFIG_KERNEL_MODE_NEON),y)
+- NEON_FLAGS := -mfloat-abi=softfp -mfpu=neon
++ NEON_FLAGS := -march=armv7-a -mfloat-abi=softfp -mfpu=neon
+ CFLAGS_xor-neon.o += $(NEON_FLAGS)
+ obj-$(CONFIG_XOR_BLOCKS) += xor-neon.o
+ endif
+--- a/arch/arm/lib/xor-neon.c
++++ b/arch/arm/lib/xor-neon.c
+@@ -14,7 +14,7 @@
+ MODULE_LICENSE("GPL");
+
+ #ifndef __ARM_NEON__
+-#error You should compile this file with '-mfloat-abi=softfp -mfpu=neon'
++#error You should compile this file with '-march=armv7-a -mfloat-abi=softfp -mfpu=neon'
+ #endif
+
+ /*
+--- a/lib/raid6/Makefile
++++ b/lib/raid6/Makefile
+@@ -23,7 +23,7 @@ endif
+ ifeq ($(CONFIG_KERNEL_MODE_NEON),y)
+ NEON_FLAGS := -ffreestanding
+ ifeq ($(ARCH),arm)
+-NEON_FLAGS += -mfloat-abi=softfp -mfpu=neon
++NEON_FLAGS += -march=armv7-a -mfloat-abi=softfp -mfpu=neon
+ endif
+ ifeq ($(ARCH),arm64)
+ CFLAGS_REMOVE_neon1.o += -mgeneral-regs-only
diff --git a/patches.arch/ARM-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch b/patches.arch/ARM-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch
new file mode 100644
index 0000000000..202e544be1
--- /dev/null
+++ b/patches.arch/ARM-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch
@@ -0,0 +1,69 @@
+From 143c2a89e0e5fda6c6fd08d7bc1126438c19ae90 Mon Sep 17 00:00:00 2001
+From: Yang Shi <yang.shi@linaro.org>
+Date: Wed, 13 Feb 2019 17:14:23 +0100
+Subject: [PATCH] ARM: 8839/1: kprobe: make patch_lock a raw_spinlock_t
+Git-commit: 143c2a89e0e5fda6c6fd08d7bc1126438c19ae90
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+When running kprobe on -rt kernel, the below bug is caught:
+
+|bug: sleeping function called from invalid context at kernel/locking/rtmutex.c:931
+|in_atomic(): 1, irqs_disabled(): 128, pid: 14, name: migration/0
+|Preemption disabled at:[<802f2b98>] cpu_stopper_thread+0xc0/0x140
+|cpu: 0 PID: 14 Comm: migration/0 Tainted: G O 4.8.3-rt2 #1
+|Hardware name: Freescale LS1021A
+|[<8025a43c>] (___might_sleep)
+|[<80b5b324>] (rt_spin_lock)
+|[<80b5c31c>] (__patch_text_real)
+|[<80b5c3ac>] (patch_text_stop_machine)
+|[<802f2920>] (multi_cpu_stop)
+
+Since patch_text_stop_machine() is called in stop_machine() which
+disables IRQ, sleepable lock should be not used in this atomic context,
+ so replace patch_lock to raw lock.
+
+Signed-off-by: Yang Shi <yang.shi@linaro.org>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/kernel/patch.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c
+index a50dc00d79a2..d0a05a3bdb96 100644
+--- a/arch/arm/kernel/patch.c
++++ b/arch/arm/kernel/patch.c
+@@ -16,7 +16,7 @@ struct patch {
+ unsigned int insn;
+ };
+
+-static DEFINE_SPINLOCK(patch_lock);
++static DEFINE_RAW_SPINLOCK(patch_lock);
+
+ static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags)
+ __acquires(&patch_lock)
+@@ -33,7 +33,7 @@ static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags)
+ return addr;
+
+ if (flags)
+- spin_lock_irqsave(&patch_lock, *flags);
++ raw_spin_lock_irqsave(&patch_lock, *flags);
+ else
+ __acquire(&patch_lock);
+
+@@ -48,7 +48,7 @@ static void __kprobes patch_unmap(int fixmap, unsigned long *flags)
+ clear_fixmap(fixmap);
+
+ if (flags)
+- spin_unlock_irqrestore(&patch_lock, *flags);
++ raw_spin_unlock_irqrestore(&patch_lock, *flags);
+ else
+ __release(&patch_lock);
+ }
+--
+2.16.4
+
diff --git a/patches.arch/ARM-8840-1-use-a-raw_spinlock_t-in-unwind.patch b/patches.arch/ARM-8840-1-use-a-raw_spinlock_t-in-unwind.patch
new file mode 100644
index 0000000000..7becf9ba4b
--- /dev/null
+++ b/patches.arch/ARM-8840-1-use-a-raw_spinlock_t-in-unwind.patch
@@ -0,0 +1,94 @@
+From 74ffe79ae538283bbf7c155e62339f1e5c87b55a Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Wed, 13 Feb 2019 17:14:42 +0100
+Subject: [PATCH] ARM: 8840/1: use a raw_spinlock_t in unwind
+Git-commit: 74ffe79ae538283bbf7c155e62339f1e5c87b55a
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+Mostly unwind is done with irqs enabled however SLUB may call it with
+irqs disabled while creating a new SLUB cache.
+
+I had system freeze while loading a module which called
+kmem_cache_create() on init. That means SLUB's __slab_alloc() disabled
+interrupts and then
+
+->new_slab_objects()
+ ->new_slab()
+ ->setup_object()
+ ->setup_object_debug()
+ ->init_tracking()
+ ->set_track()
+ ->save_stack_trace()
+ ->save_stack_trace_tsk()
+ ->walk_stackframe()
+ ->unwind_frame()
+ ->unwind_find_idx()
+ =>spin_lock_irqsave(&unwind_lock);
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/kernel/unwind.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm/kernel/unwind.c b/arch/arm/kernel/unwind.c
+index 0bee233fef9a..314cfb232a63 100644
+--- a/arch/arm/kernel/unwind.c
++++ b/arch/arm/kernel/unwind.c
+@@ -93,7 +93,7 @@ extern const struct unwind_idx __start_unwind_idx[];
+ static const struct unwind_idx *__origin_unwind_idx;
+ extern const struct unwind_idx __stop_unwind_idx[];
+
+-static DEFINE_SPINLOCK(unwind_lock);
++static DEFINE_RAW_SPINLOCK(unwind_lock);
+ static LIST_HEAD(unwind_tables);
+
+ /* Convert a prel31 symbol to an absolute address */
+@@ -201,7 +201,7 @@ static const struct unwind_idx *unwind_find_idx(unsigned long addr)
+ /* module unwind tables */
+ struct unwind_table *table;
+
+- spin_lock_irqsave(&unwind_lock, flags);
++ raw_spin_lock_irqsave(&unwind_lock, flags);
+ list_for_each_entry(table, &unwind_tables, list) {
+ if (addr >= table->begin_addr &&
+ addr < table->end_addr) {
+@@ -213,7 +213,7 @@ static const struct unwind_idx *unwind_find_idx(unsigned long addr)
+ break;
+ }
+ }
+- spin_unlock_irqrestore(&unwind_lock, flags);
++ raw_spin_unlock_irqrestore(&unwind_lock, flags);
+ }
+
+ pr_debug("%s: idx = %p\n", __func__, idx);
+@@ -529,9 +529,9 @@ struct unwind_table *unwind_table_add(unsigned long start, unsigned long size,
+ tab->begin_addr = text_addr;
+ tab->end_addr = text_addr + text_size;
+
+- spin_lock_irqsave(&unwind_lock, flags);
++ raw_spin_lock_irqsave(&unwind_lock, flags);
+ list_add_tail(&tab->list, &unwind_tables);
+- spin_unlock_irqrestore(&unwind_lock, flags);
++ raw_spin_unlock_irqrestore(&unwind_lock, flags);
+
+ return tab;
+ }
+@@ -543,9 +543,9 @@ void unwind_table_del(struct unwind_table *tab)
+ if (!tab)
+ return;
+
+- spin_lock_irqsave(&unwind_lock, flags);
++ raw_spin_lock_irqsave(&unwind_lock, flags);
+ list_del(&tab->list);
+- spin_unlock_irqrestore(&unwind_lock, flags);
++ raw_spin_unlock_irqrestore(&unwind_lock, flags);
+
+ kfree(tab);
+ }
+--
+2.16.4
+
diff --git a/patches.arch/ARM-OMAP2-Variable-reg-in-function-omap4_dsi_mux_pad.patch b/patches.arch/ARM-OMAP2-Variable-reg-in-function-omap4_dsi_mux_pad.patch
new file mode 100644
index 0000000000..9471c70785
--- /dev/null
+++ b/patches.arch/ARM-OMAP2-Variable-reg-in-function-omap4_dsi_mux_pad.patch
@@ -0,0 +1,49 @@
+From dc30e70391376ba3987aeb856ae6d9c0706534f1 Mon Sep 17 00:00:00 2001
+From: Yizhuo <yzhai003@ucr.edu>
+Date: Fri, 25 Jan 2019 22:32:20 -0800
+Subject: [PATCH] ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be uninitialized
+Git-commit: dc30e70391376ba3987aeb856ae6d9c0706534f1
+Patch-mainline: v5.0-rc7
+References: bsc#1051510
+
+In function omap4_dsi_mux_pads(), local variable "reg" could
+be uninitialized if function regmap_read() returns -EINVAL.
+However, it will be used directly in the later context, which
+is potentially unsafe.
+
+Signed-off-by: Yizhuo <yzhai003@ucr.edu>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/mach-omap2/display.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-omap2/display.c b/arch/arm/mach-omap2/display.c
+index f86b72d1d59e..1444b4b4bd9f 100644
+--- a/arch/arm/mach-omap2/display.c
++++ b/arch/arm/mach-omap2/display.c
+@@ -83,6 +83,7 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes)
+ u32 enable_mask, enable_shift;
+ u32 pipd_mask, pipd_shift;
+ u32 reg;
++ int ret;
+
+ if (dsi_id == 0) {
+ enable_mask = OMAP4_DSI1_LANEENABLE_MASK;
+@@ -98,7 +99,11 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes)
+ return -ENODEV;
+ }
+
+- regmap_read(omap4_dsi_mux_syscon, OMAP4_DSIPHY_SYSCON_OFFSET, &reg);
++ ret = regmap_read(omap4_dsi_mux_syscon,
++ OMAP4_DSIPHY_SYSCON_OFFSET,
++ &reg);
++ if (ret)
++ return ret;
+
+ reg &= ~enable_mask;
+ reg &= ~pipd_mask;
+--
+2.16.4
+
diff --git a/patches.arch/ARM-OMAP2-fix-lack-of-timer-interrupts-on-CPU1-after.patch b/patches.arch/ARM-OMAP2-fix-lack-of-timer-interrupts-on-CPU1-after.patch
new file mode 100644
index 0000000000..019c5ac314
--- /dev/null
+++ b/patches.arch/ARM-OMAP2-fix-lack-of-timer-interrupts-on-CPU1-after.patch
@@ -0,0 +1,81 @@
+From 50d6b3cf9403879911e06d69c7ef41e43f8f7b4b Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Wed, 12 Dec 2018 11:49:47 +0000
+Subject: [PATCH] ARM: OMAP2+: fix lack of timer interrupts on CPU1 after hotplug
+Git-commit: 50d6b3cf9403879911e06d69c7ef41e43f8f7b4b
+Patch-mainline: v5.0-rc7
+References: bsc#1051510
+
+If we have a kernel configured for periodic timer interrupts, and we
+have cpuidle enabled, then we end up with CPU1 losing timer interupts
+after a hotplug.
+
+This can manifest itself in RCU stall warnings, or userspace becoming
+unresponsive.
+
+The problem is that the kernel initially wants to use the TWD timer
+for interrupts, but the TWD loses context when we enter the C3 cpuidle
+state. Nothing reprograms the TWD after idle.
+
+We have solved this in the past by switching to broadcast timer ticks,
+and cpuidle44xx switches to that mode at boot time. However, there is
+nothing to switch from periodic mode local timers after a hotplug
+operation.
+
+We call tick_broadcast_enter() in omap_enter_idle_coupled(), which one
+would expect would take care of the issue, but internally this only
+deals with one-shot local timers - tick_broadcast_enable() on the other
+hand only deals with periodic local timers. So, we need to call both.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+[tony@atomide.com: just standardized the subject line]
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/mach-omap2/cpuidle44xx.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/arch/arm/mach-omap2/cpuidle44xx.c b/arch/arm/mach-omap2/cpuidle44xx.c
+index a8b291f00109..dae514c8276a 100644
+--- a/arch/arm/mach-omap2/cpuidle44xx.c
++++ b/arch/arm/mach-omap2/cpuidle44xx.c
+@@ -152,6 +152,10 @@ static int omap_enter_idle_coupled(struct cpuidle_device *dev,
+ mpuss_can_lose_context = (cx->mpu_state == PWRDM_POWER_RET) &&
+ (cx->mpu_logic_state == PWRDM_POWER_OFF);
+
++ /* Enter broadcast mode for periodic timers */
++ tick_broadcast_enable();
++
++ /* Enter broadcast mode for one-shot timers */
+ tick_broadcast_enter();
+
+ /*
+@@ -218,15 +222,6 @@ static int omap_enter_idle_coupled(struct cpuidle_device *dev,
+ return index;
+ }
+
+-/*
+- * For each cpu, setup the broadcast timer because local timers
+- * stops for the states above C1.
+- */
+-static void omap_setup_broadcast_timer(void *arg)
+-{
+- tick_broadcast_enable();
+-}
+-
+ static struct cpuidle_driver omap4_idle_driver = {
+ .name = "omap4_idle",
+ .owner = THIS_MODULE,
+@@ -319,8 +314,5 @@ int __init omap4_idle_init(void)
+ if (!cpu_clkdm[0] || !cpu_clkdm[1])
+ return -ENODEV;
+
+- /* Configure the broadcast timer on each cpu */
+- on_each_cpu(omap_setup_broadcast_timer, NULL, 1);
+-
+ return cpuidle_register(idle_driver, cpu_online_mask);
+ }
+--
+2.16.4
+
diff --git a/patches.arch/ARM-avoid-Cortex-A9-livelock-on-tight-dmb-loops.patch b/patches.arch/ARM-avoid-Cortex-A9-livelock-on-tight-dmb-loops.patch
new file mode 100644
index 0000000000..900fb560ff
--- /dev/null
+++ b/patches.arch/ARM-avoid-Cortex-A9-livelock-on-tight-dmb-loops.patch
@@ -0,0 +1,194 @@
+From 5388a5b82199facacd3d7ac0d05aca6e8f902fed Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Tue, 10 Apr 2018 11:35:36 +0100
+Subject: [PATCH] ARM: avoid Cortex-A9 livelock on tight dmb loops
+Git-commit: 5388a5b82199facacd3d7ac0d05aca6e8f902fed
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+machine_crash_nonpanic_core() does this:
+
+ while (1)
+ cpu_relax();
+
+because the kernel has crashed, and we have no known safe way to deal
+with the CPU. So, we place the CPU into an infinite loop which we
+expect it to never exit - at least not until the system as a whole is
+reset by some method.
+
+In the absence of erratum 754327, this code assembles to:
+
+ b .
+
+In other words, an infinite loop. When erratum 754327 is enabled,
+this becomes:
+
+1: dmb b 1b
+
+It has been observed that on some systems (eg, OMAP4) where, if a
+crash is triggered, the system tries to kexec into the panic kernel,
+but fails after taking the secondary CPU down - placing it into one
+of these loops. This causes the system to livelock, and the most
+noticable effect is the system stops after issuing:
+
+ Loading crashdump kernel...
+
+to the system console.
+
+The tested as working solution I came up with was to add wfe() to
+these infinite loops thusly:
+
+ while (1) {
+ cpu_relax();
+ wfe();
+ }
+
+which, without 754327 builds to:
+
+1: wfe b 1b
+
+or with 754327 is enabled:
+
+1: dmb wfe b 1b
+
+Adding "wfe" does two things depending on the environment we're running
+Under:
+- where we're running on bare metal, and the processor implements
+ "wfe", it stops us spinning endlessly in a loop where we're never
+ going to do any useful work.
+- if we're running in a VM, it allows the CPU to be given back to the
+ hypervisor and rescheduled for other purposes (maybe a different VM)
+ rather than wasting CPU cycles inside a crashed VM.
+
+However, in light of erratum 794072, Will Deacon wanted to see 10 nops
+as well - which is reasonable to cover the case where we have erratum
+754327 enabled _and_ we have a processor that doesn't implement the
+wfe hint.
+
+So, we now end up with:
+
+1: wfe b 1b
+
+when erratum 754327 is disabled, or:
+
+1: dmb nop nop nop nop nop nop nop nop nop nop wfe b 1b
+
+when erratum 754327 is enabled. We also get the dmb + 10 nop
+sequence elsewhere in the kernel, in terminating loops.
+
+This is reasonable - it means we get the workaround for erratum
+794072 when erratum 754327 is enabled, but still relinquish the dead
+processor - either by placing it in a lower power mode when wfe is
+implemented as such or by returning it to the hypervisior, or in the
+case where wfe is a no-op, we use the workaround specified in erratum
+794072 to avoid the problem.
+
+These as two entirely orthogonal problems - the 10 nops addresses
+erratum 794072, and the wfe is an optimisation that makes the system
+more efficient when crashed either in terms of power consumption or
+by allowing the host/other VMs to make use of the CPU.
+
+I don't see any reason not to use kexec() inside a VM - it has the
+potential to provide automated recovery from a failure of the VMs
+kernel with the opportunity for saving a crashdump of the failure.
+A panic() with a reboot timeout won't do that, and reading the
+libvirt documentation, setting on_reboot to "preserve" won't either
+(the documentation states "The preserve action for an on_reboot event
+is treated as a destroy".) Surely it has to be a good thing to
+avoiding having CPUs spinning inside a VM that is doing no useful
+work.
+
+Acked-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/include/asm/barrier.h | 2 ++
+ arch/arm/include/asm/processor.h | 6 +++++-
+ arch/arm/kernel/machine_kexec.c | 5 ++++-
+ arch/arm/kernel/smp.c | 4 +++-
+ arch/arm/mach-omap2/prm_common.c | 4 +++-
+ 5 files changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/include/asm/barrier.h b/arch/arm/include/asm/barrier.h
+index 69772e742a0a..83ae97c049d9 100644
+--- a/arch/arm/include/asm/barrier.h
++++ b/arch/arm/include/asm/barrier.h
+@@ -11,6 +11,8 @@
+ #define sev() __asm__ __volatile__ ("sev" : : : "memory")
+ #define wfe() __asm__ __volatile__ ("wfe" : : : "memory")
+ #define wfi() __asm__ __volatile__ ("wfi" : : : "memory")
++#else
++#define wfe() do { } while (0)
+ #endif
+
+ #if __LINUX_ARM_ARCH__ >= 7
+diff --git a/arch/arm/include/asm/processor.h b/arch/arm/include/asm/processor.h
+index 120f4c9bbfde..57fe73ea0f72 100644
+--- a/arch/arm/include/asm/processor.h
++++ b/arch/arm/include/asm/processor.h
+@@ -89,7 +89,11 @@ extern void release_thread(struct task_struct *);
+ unsigned long get_wchan(struct task_struct *p);
+
+ #if __LINUX_ARM_ARCH__ == 6 || defined(CONFIG_ARM_ERRATA_754327)
+-#define cpu_relax() smp_mb()
++#define cpu_relax() \
++ do { \
++ smp_mb(); \
++ __asm__ __volatile__("nop; nop; nop; nop; nop; nop; nop; nop; nop; nop;"); \
++ } while (0)
+ #else
+ #define cpu_relax() barrier()
+ #endif
+diff --git a/arch/arm/kernel/machine_kexec.c b/arch/arm/kernel/machine_kexec.c
+index dd2eb5f76b9f..76300f3813e8 100644
+--- a/arch/arm/kernel/machine_kexec.c
++++ b/arch/arm/kernel/machine_kexec.c
+@@ -91,8 +91,11 @@ void machine_crash_nonpanic_core(void *unused)
+
+ set_cpu_online(smp_processor_id(), false);
+ atomic_dec(&waiting_for_crash_ipi);
+- while (1)
++
++ while (1) {
+ cpu_relax();
++ wfe();
++ }
+ }
+
+ void crash_smp_send_stop(void)
+diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
+index 3bf82232b1be..7f0b99e1fff3 100644
+--- a/arch/arm/kernel/smp.c
++++ b/arch/arm/kernel/smp.c
+@@ -604,8 +604,10 @@ static void ipi_cpu_stop(unsigned int cpu)
+ local_fiq_disable();
+ local_irq_disable();
+
+- while (1)
++ while (1) {
+ cpu_relax();
++ wfe();
++ }
+ }
+
+ static DEFINE_PER_CPU(struct completion *, cpu_completion);
+diff --git a/arch/arm/mach-omap2/prm_common.c b/arch/arm/mach-omap2/prm_common.c
+index 058a37e6d11c..fd6e0671f957 100644
+--- a/arch/arm/mach-omap2/prm_common.c
++++ b/arch/arm/mach-omap2/prm_common.c
+@@ -523,8 +523,10 @@ void omap_prm_reset_system(void)
+
+ prm_ll_data->reset_system();
+
+- while (1)
++ while (1) {
+ cpu_relax();
++ wfe();
++ }
+ }
+
+ /**
+--
+2.16.4
+
diff --git a/patches.arch/ARM-imx6q-cpuidle-fix-bug-that-CPU-might-not-wake-up.patch b/patches.arch/ARM-imx6q-cpuidle-fix-bug-that-CPU-might-not-wake-up.patch
new file mode 100644
index 0000000000..7bf87e1631
--- /dev/null
+++ b/patches.arch/ARM-imx6q-cpuidle-fix-bug-that-CPU-might-not-wake-up.patch
@@ -0,0 +1,80 @@
+From 91740fc8242b4f260cfa4d4536d8551804777fae Mon Sep 17 00:00:00 2001
+From: Kohji Okuno <okuno.kohji@jp.panasonic.com>
+Date: Tue, 26 Feb 2019 11:34:13 +0900
+Subject: [PATCH] ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected time
+Git-commit: 91740fc8242b4f260cfa4d4536d8551804777fae
+Patch-mainline: v5.1-rc3
+References: bsc#1051510
+
+In the current cpuidle implementation for i.MX6q, the CPU that sets
+'WAIT_UNCLOCKED' and the CPU that returns to 'WAIT_CLOCKED' are always
+the same. While the CPU that sets 'WAIT_UNCLOCKED' is in IDLE state of
+"WAIT", if the other CPU wakes up and enters IDLE state of "WFI"
+istead of "WAIT", this CPU can not wake up at expired time.
+ Because, in the case of "WFI", the CPU must be waked up by the local
+timer interrupt. But, while 'WAIT_UNCLOCKED' is set, the local timer
+is stopped, when all CPUs execute "wfi" instruction. As a result, the
+local timer interrupt is not fired.
+ In this situation, this CPU will wake up by IRQ different from local
+timer. (e.g. broacast timer)
+
+So, this fix changes CPU to return to 'WAIT_CLOCKED'.
+
+Signed-off-by: Kohji Okuno <okuno.kohji@jp.panasonic.com>
+Fixes: e5f9dec8ff5f ("ARM: imx6q: support WAIT mode using cpuidle")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/mach-imx/cpuidle-imx6q.c | 27 ++++++++++-----------------
+ 1 file changed, 10 insertions(+), 17 deletions(-)
+
+diff --git a/arch/arm/mach-imx/cpuidle-imx6q.c b/arch/arm/mach-imx/cpuidle-imx6q.c
+index bfeb25aaf9a2..326e870d7123 100644
+--- a/arch/arm/mach-imx/cpuidle-imx6q.c
++++ b/arch/arm/mach-imx/cpuidle-imx6q.c
+@@ -16,30 +16,23 @@
+ #include "cpuidle.h"
+ #include "hardware.h"
+
+-static atomic_t master = ATOMIC_INIT(0);
+-static DEFINE_SPINLOCK(master_lock);
++static int num_idle_cpus = 0;
++static DEFINE_SPINLOCK(cpuidle_lock);
+
+ static int imx6q_enter_wait(struct cpuidle_device *dev,
+ struct cpuidle_driver *drv, int index)
+ {
+- if (atomic_inc_return(&master) == num_online_cpus()) {
+- /*
+- * With this lock, we prevent other cpu to exit and enter
+- * this function again and become the master.
+- */
+- if (!spin_trylock(&master_lock))
+- goto idle;
++ spin_lock(&cpuidle_lock);
++ if (++num_idle_cpus == num_online_cpus())
+ imx6_set_lpm(WAIT_UNCLOCKED);
+- cpu_do_idle();
+- imx6_set_lpm(WAIT_CLOCKED);
+- spin_unlock(&master_lock);
+- goto done;
+- }
++ spin_unlock(&cpuidle_lock);
+
+-idle:
+ cpu_do_idle();
+-done:
+- atomic_dec(&master);
++
++ spin_lock(&cpuidle_lock);
++ if (num_idle_cpus-- == num_online_cpus())
++ imx6_set_lpm(WAIT_CLOCKED);
++ spin_unlock(&cpuidle_lock);
+
+ return index;
+ }
+--
+2.16.4
+
diff --git a/patches.arch/ARM-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch b/patches.arch/ARM-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch
new file mode 100644
index 0000000000..6dd365306a
--- /dev/null
+++ b/patches.arch/ARM-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch
@@ -0,0 +1,46 @@
+From ba16adeb346387eb2d1ada69003588be96f098fa Mon Sep 17 00:00:00 2001
+From: Peng Hao <peng.hao2@zte.com.cn>
+Date: Sat, 29 Dec 2018 13:10:06 +0800
+Subject: [PATCH] ARM: pxa: ssp: unneeded to free devm_ allocated data
+Git-commit: ba16adeb346387eb2d1ada69003588be96f098fa
+Patch-mainline: v5.0-rc6
+References: bsc#1051510
+
+devm_ allocated data will be automatically freed. The free
+of devm_ allocated data is invalid.
+
+Fixes: 1c459de1e645 ("ARM: pxa: ssp: use devm_ functions")
+Signed-off-by: Peng Hao <peng.hao2@zte.com.cn>
+[title's prefix changed]
+
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/plat-pxa/ssp.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/arm/plat-pxa/ssp.c b/arch/arm/plat-pxa/ssp.c
+index ed36dcab80f1..f51919974183 100644
+--- a/arch/arm/plat-pxa/ssp.c
++++ b/arch/arm/plat-pxa/ssp.c
+@@ -190,8 +190,6 @@ static int pxa_ssp_remove(struct platform_device *pdev)
+ if (ssp == NULL)
+ return -ENODEV;
+
+- iounmap(ssp->mmio_base);
+-
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ release_mem_region(res->start, resource_size(res));
+
+@@ -201,7 +199,6 @@ static int pxa_ssp_remove(struct platform_device *pdev)
+ list_del(&ssp->node);
+ mutex_unlock(&ssp_lock);
+
+- kfree(ssp);
+ return 0;
+ }
+
+--
+2.16.4
+
diff --git a/patches.arch/ARM-s3c24xx-Fix-boolean-expressions-in-osiris_dvs_no.patch b/patches.arch/ARM-s3c24xx-Fix-boolean-expressions-in-osiris_dvs_no.patch
new file mode 100644
index 0000000000..64795704fa
--- /dev/null
+++ b/patches.arch/ARM-s3c24xx-Fix-boolean-expressions-in-osiris_dvs_no.patch
@@ -0,0 +1,52 @@
+From e2477233145f2156434afb799583bccd878f3e9f Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Thu, 3 Jan 2019 14:14:08 -0600
+Subject: [PATCH] ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify
+Git-commit: e2477233145f2156434afb799583bccd878f3e9f
+Patch-mainline: v5.1-rc1
+References: bsc#1051510
+
+Fix boolean expressions by using logical AND operator '&&' instead of
+bitwise operator '&'.
+
+This issue was detected with the help of Coccinelle.
+
+Fixes: 4fa084af28ca ("ARM: OSIRIS: DVS (Dynamic Voltage Scaling) supoort.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+[krzk: Fix -Wparentheses warning]
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/mach-s3c24xx/mach-osiris-dvs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/mach-s3c24xx/mach-osiris-dvs.c b/arch/arm/mach-s3c24xx/mach-osiris-dvs.c
+index 058ce73137e8..5d819b6ea428 100644
+--- a/arch/arm/mach-s3c24xx/mach-osiris-dvs.c
++++ b/arch/arm/mach-s3c24xx/mach-osiris-dvs.c
+@@ -65,16 +65,16 @@ static int osiris_dvs_notify(struct notifier_block *nb,
+
+ switch (val) {
+ case CPUFREQ_PRECHANGE:
+- if (old_dvs & !new_dvs ||
+- cur_dvs & !new_dvs) {
++ if ((old_dvs && !new_dvs) ||
++ (cur_dvs && !new_dvs)) {
+ pr_debug("%s: exiting dvs\n", __func__);
+ cur_dvs = false;
+ gpio_set_value(OSIRIS_GPIO_DVS, 1);
+ }
+ break;
+ case CPUFREQ_POSTCHANGE:
+- if (!old_dvs & new_dvs ||
+- !cur_dvs & new_dvs) {
++ if ((!old_dvs && new_dvs) ||
++ (!cur_dvs && new_dvs)) {
+ pr_debug("entering dvs\n");
+ cur_dvs = true;
+ gpio_set_value(OSIRIS_GPIO_DVS, 0);
+--
+2.16.4
+
diff --git a/patches.arch/ARM-samsung-Limit-SAMSUNG_PM_CHECK-config-option-to-.patch b/patches.arch/ARM-samsung-Limit-SAMSUNG_PM_CHECK-config-option-to-.patch
new file mode 100644
index 0000000000..5329980ef9
--- /dev/null
+++ b/patches.arch/ARM-samsung-Limit-SAMSUNG_PM_CHECK-config-option-to-.patch
@@ -0,0 +1,60 @@
+From 6862fdf2201ab67cd962dbf0643d37db909f4860 Mon Sep 17 00:00:00 2001
+From: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Date: Fri, 28 Sep 2018 15:32:46 +0200
+Subject: [PATCH] ARM: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos platforms
+Git-commit: 6862fdf2201ab67cd962dbf0643d37db909f4860
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+"S3C2410 PM Suspend Memory CRC" feature (controlled by
+SAMSUNG_PM_CHECK config option) is incompatible with highmem
+(uses phys_to_virt() instead of proper mapping) which is used by
+the majority of Exynos boards. The issue manifests itself in OOPS
+on affected boards, i.e. on Odroid-U3 I got the following one:
+
+Unable to handle kernel paging request at virtual address f0000000
+pgd = 1c0f9bb4
+[f0000000] *pgd=00000000
+Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+[<c0458034>] (crc32_le) from [<c0121f8c>] (s3c_pm_makecheck+0x34/0x54)
+[<c0121f8c>] (s3c_pm_makecheck) from [<c0121efc>] (s3c_pm_run_res+0x74/0x8c)
+[<c0121efc>] (s3c_pm_run_res) from [<c0121ecc>] (s3c_pm_run_res+0x44/0x8c)
+[<c0121ecc>] (s3c_pm_run_res) from [<c01210b8>] (exynos_suspend_enter+0x64/0x148)
+[<c01210b8>] (exynos_suspend_enter) from [<c018893c>] (suspend_devices_and_enter+0x9ec/0xe74)
+[<c018893c>] (suspend_devices_and_enter) from [<c0189534>] (pm_suspend+0x770/0xc04)
+[<c0189534>] (pm_suspend) from [<c0186ce8>] (state_store+0x6c/0xcc)
+[<c0186ce8>] (state_store) from [<c09db434>] (kobj_attr_store+0x14/0x20)
+[<c09db434>] (kobj_attr_store) from [<c02fa63c>] (sysfs_kf_write+0x4c/0x50)
+[<c02fa63c>] (sysfs_kf_write) from [<c02f97a4>] (kernfs_fop_write+0xfc/0x1e4)
+[<c02f97a4>] (kernfs_fop_write) from [<c027b198>] (__vfs_write+0x2c/0x140)
+[<c027b198>] (__vfs_write) from [<c027b418>] (vfs_write+0xa4/0x160)
+[<c027b418>] (vfs_write) from [<c027b5d8>] (ksys_write+0x40/0x8c)
+[<c027b5d8>] (ksys_write) from [<c0101000>] (ret_fast_syscall+0x0/0x28)
+
+Add PLAT_S3C24XX, ARCH_S3C64XX and ARCH_S5PV210 dependencies to
+SAMSUNG_PM_CHECK config option to hide it on Exynos platforms.
+
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm/plat-samsung/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/plat-samsung/Kconfig b/arch/arm/plat-samsung/Kconfig
+index b600e38364eb..377ff9cda667 100644
+--- a/arch/arm/plat-samsung/Kconfig
++++ b/arch/arm/plat-samsung/Kconfig
+@@ -256,7 +256,7 @@ config S3C_PM_DEBUG_LED_SMDK
+
+ config SAMSUNG_PM_CHECK
+ bool "S3C2410 PM Suspend Memory CRC"
+- depends on PM
++ depends on PM && (PLAT_S3C24XX || ARCH_S3C64XX || ARCH_S5PV210)
+ select CRC32
+ help
+ Enable the PM code's memory area checksum over sleep. This option
+--
+2.16.4
+
diff --git a/patches.fixes/0001-netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dost.patch b/patches.fixes/0001-netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dost.patch
new file mode 100644
index 0000000000..047cf3ba05
--- /dev/null
+++ b/patches.fixes/0001-netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dost.patch
@@ -0,0 +1,37 @@
+From: Jann Horn <jannh@google.com>
+Subject: netfilter: nf_log: fix uninit read in
+ nf_log_proc_dostring
+Patch-mainline: v4.18-rc4
+Git-commit: dffd22aed2aa1e804bccf19b30a421e89ee2ae61
+References: git-fixes
+
+When proc_dostring() is called with a non-zero offset in strict mode, it
+doesn't just write to the ->data buffer, it also reads. Make sure it
+doesn't read uninitialized data.
+
+Fixes: c6ac37d8d884 ("netfilter: nf_log: fix error on write NONE to [...]")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nf_log.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
+index 8bb152a7cca4..91dad1afab05 100644
+--- a/net/netfilter/nf_log.c
++++ b/net/netfilter/nf_log.c
+@@ -440,6 +440,10 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write,
+ if (write) {
+ struct ctl_table tmp = *table;
+
++ /* proc_dostring() can append to existing strings, so we need to
++ * initialize it as an empty string.
++ */
++ buf[0] = '\0';
+ tmp.data = buf;
+ r = proc_dostring(&tmp, write, buffer, lenp, ppos);
+ if (r)
+--
+2.12.3
+
diff --git a/patches.fixes/0001-tools-lib-traceevent-Fix-missing-equality-check-for-.patch b/patches.fixes/0001-tools-lib-traceevent-Fix-missing-equality-check-for-.patch
new file mode 100644
index 0000000000..9cbd9afd6c
--- /dev/null
+++ b/patches.fixes/0001-tools-lib-traceevent-Fix-missing-equality-check-for-.patch
@@ -0,0 +1,60 @@
+From f32c2877bcb068a718bb70094cd59ccc29d4d082 Mon Sep 17 00:00:00 2001
+From: Rikard Falkeborn <rikard.falkeborn@gmail.com>
+Date: Tue, 9 Apr 2019 11:15:29 +0200
+Subject: [PATCH] tools lib traceevent: Fix missing equality check for strcmp
+Git-commit: f32c2877bcb068a718bb70094cd59ccc29d4d082
+Patch-mainline: v5.1
+References: bsc#1129770
+
+There was a missing comparison with 0 when checking if type is "s64" or
+"u64". Therefore, the body of the if-statement was entered if "type" was
+"u64" or not "s64", which made the first strcmp() redundant since if
+type is "u64", it's not "s64".
+
+If type is "s64", the body of the if-statement is not entered but since
+the remainder of the function consists of if-statements which will not
+be entered if type is "s64", we will just return "val", which is
+correct, albeit at the cost of a few more calls to strcmp(), i.e., it
+will behave just as if the if-statement was entered.
+
+If type is neither "s64" or "u64", the body of the if-statement will be
+entered incorrectly and "val" returned. This means that any type that is
+checked after "s64" and "u64" is handled the same way as "s64" and
+"u64", i.e., the limiting of "val" to fit in for example "s8" is never
+reached.
+
+This was introduced in the kernel tree when the sources were copied from
+trace-cmd in commit f7d82350e597 ("tools/events: Add files to create
+libtraceevent.a"), and in the trace-cmd repo in 1cdbae6035cei
+("Implement typecasting in parser") when the function was introduced,
+i.e., it has always behaved the wrong way.
+
+Detected by cppcheck.
+
+Signed-off-by: Rikard Falkeborn <rikard.falkeborn@gmail.com>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: Tzvetomir Stoyanov <tstoyanov@vmware.com>
+Fixes: f7d82350e597 ("tools/events: Add files to create libtraceevent.a")
+Link: http://lkml.kernel.org/r/20190409091529.2686-1-rikard.falkeborn@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Reviewed-by: Fabian Baumanis <fabian.baumanis@suse.com>
+---
+ tools/lib/traceevent/event-parse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
+index 87494c7c619d..981c6ce2da2c 100644
+--- a/tools/lib/traceevent/event-parse.c
++++ b/tools/lib/traceevent/event-parse.c
+@@ -2233,7 +2233,7 @@ eval_type_str(unsigned long long val, const char *type, int pointer)
+ return val & 0xffffffff;
+
+ if (strcmp(type, "u64") == 0 ||
+- strcmp(type, "s64"))
++ strcmp(type, "s64") == 0)
+ return val;
+
+ if (strcmp(type, "s8") == 0)
+--
+2.16.4
+
diff --git a/patches.fixes/0001-x86-speculation-mds-Fix-documentation-typo.patch b/patches.fixes/0001-x86-speculation-mds-Fix-documentation-typo.patch
new file mode 100644
index 0000000000..ad682831da
--- /dev/null
+++ b/patches.fixes/0001-x86-speculation-mds-Fix-documentation-typo.patch
@@ -0,0 +1,34 @@
+From 95310e348a321b45fb746c176961d4da72344282 Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Tue, 7 May 2019 15:05:22 -0500
+Subject: [PATCH] x86/speculation/mds: Fix documentation typo
+Git-commit: 95310e348a321b45fb746c176961d4da72344282
+Patch-mainline: v5.2-rc1
+References: bsc#1135642
+
+Fix a minor typo in the MDS documentation: "eanbled" -> "enabled".
+
+Reported-by: Jeff Bastian <jbastian@redhat.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Fabian Baumanis <fabian.baumanis@suse.com>
+---
+ Documentation/x86/mds.rst | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst
+index 979945be257a..534e9baa4e1d 100644
+--- a/Documentation/x86/mds.rst
++++ b/Documentation/x86/mds.rst
+@@ -116,7 +116,7 @@ Kernel internal mitigation modes
+ off Mitigation is disabled. Either the CPU is not affected or
+ mds=off is supplied on the kernel command line
+
+- full Mitigation is eanbled. CPU is affected and MD_CLEAR is
++ full Mitigation is enabled. CPU is affected and MD_CLEAR is
+ advertised in CPUID.
+
+ vmwerv Mitigation is enabled. CPU is affected and MD_CLEAR is not
+--
+2.16.4
+
diff --git a/patches.fixes/0002-netfilter-nf_log-don-t-hold-nf_log_mutex-during-user.patch b/patches.fixes/0002-netfilter-nf_log-don-t-hold-nf_log_mutex-during-user.patch
new file mode 100644
index 0000000000..7a3835aa28
--- /dev/null
+++ b/patches.fixes/0002-netfilter-nf_log-don-t-hold-nf_log_mutex-during-user.patch
@@ -0,0 +1,52 @@
+From: Jann Horn <jannh@google.com>
+Subject: netfilter: nf_log: don't hold nf_log_mutex during user
+ access
+Patch-mainline: v4.18-rc4
+Git-commit: ce00bf07cc95a57cd20b208e02b3c2604e532ae8
+References: git-fixes
+
+
+The old code would indefinitely block other users of nf_log_mutex if
+a userspace access in proc_dostring() blocked e.g. due to a userfaultfd
+region. Fix it by moving proc_dostring() out of the locked region.
+
+This is a followup to commit 266d07cb1c9a ("netfilter: nf_log: fix
+sleeping function called from invalid context"), which changed this code
+from using rcu_read_lock() to taking nf_log_mutex.
+
+Fixes: 266d07cb1c9a ("netfilter: nf_log: fix sleeping function calle[...]")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nf_log.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
+index 91dad1afab05..cdc744aa5889 100644
+--- a/net/netfilter/nf_log.c
++++ b/net/netfilter/nf_log.c
+@@ -462,14 +462,17 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write,
+ rcu_assign_pointer(net->nf.nf_loggers[tindex], logger);
+ mutex_unlock(&nf_log_mutex);
+ } else {
++ struct ctl_table tmp = *table;
++
++ tmp.data = buf;
+ mutex_lock(&nf_log_mutex);
+ logger = nft_log_dereference(net->nf.nf_loggers[tindex]);
+ if (!logger)
+- table->data = "NONE";
++ strlcpy(buf, "NONE", sizeof(buf));
+ else
+- table->data = logger->name;
+- r = proc_dostring(table, write, buffer, lenp, ppos);
++ strlcpy(buf, logger->name, sizeof(buf));
+ mutex_unlock(&nf_log_mutex);
++ r = proc_dostring(&tmp, write, buffer, lenp, ppos);
+ }
+
+ return r;
+--
+2.12.3
+
diff --git a/patches.fixes/0003-xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch b/patches.fixes/0003-xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
new file mode 100644
index 0000000000..b84a27b9a0
--- /dev/null
+++ b/patches.fixes/0003-xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
@@ -0,0 +1,116 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: xfrm_user: prevent leaking 2 bytes of kernel memory
+Patch-mainline: v4.18-rc8
+Git-commit: 45c180bc29babbedd6b8c01b975780ef44d9d09c
+References: git-fixes
+
+struct xfrm_userpolicy_type has two holes, so we should not
+use C99 style initializer.
+
+KMSAN report:
+
+BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:140 [inline]
+BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
+CPU: 1 PID: 4520 Comm: syz-executor841 Not tainted 4.17.0+ #5
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
+ kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1211
+ kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
+ copyout lib/iov_iter.c:140 [inline]
+ _copy_to_iter+0x1b14/0x2800 lib/iov_iter.c:571
+ copy_to_iter include/linux/uio.h:106 [inline]
+ skb_copy_datagram_iter+0x422/0xfa0 net/core/datagram.c:431
+ skb_copy_datagram_msg include/linux/skbuff.h:3268 [inline]
+ netlink_recvmsg+0x6f1/0x1900 net/netlink/af_netlink.c:1959
+ sock_recvmsg_nosec net/socket.c:802 [inline]
+ sock_recvmsg+0x1d6/0x230 net/socket.c:809
+ ___sys_recvmsg+0x3fe/0x810 net/socket.c:2279
+ __sys_recvmmsg+0x58e/0xe30 net/socket.c:2391
+ do_sys_recvmmsg+0x2a6/0x3e0 net/socket.c:2472
+ __do_sys_recvmmsg net/socket.c:2485 [inline]
+ __se_sys_recvmmsg net/socket.c:2481 [inline]
+ __x64_sys_recvmmsg+0x15d/0x1c0 net/socket.c:2481
+ do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x446ce9
+RSP: 002b:00007fc307918db8 EFLAGS: 00000293 ORIG_RAX: 000000000000012b
+RAX: ffffffffffffffda RBX: 00000000006dbc24 RCX: 0000000000446ce9
+RDX: 000000000000000a RSI: 0000000020005040 RDI: 0000000000000003
+RBP: 00000000006dbc20 R08: 0000000020004e40 R09: 0000000000000000
+R10: 0000000040000000 R11: 0000000000000293 R12: 0000000000000000
+R13: 00007ffc8d2df32f R14: 00007fc3079199c0 R15: 0000000000000001
+
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
+ kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
+ __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:413
+ __nla_put lib/nlattr.c:569 [inline]
+ nla_put+0x276/0x340 lib/nlattr.c:627
+ copy_to_user_policy_type net/xfrm/xfrm_user.c:1678 [inline]
+ dump_one_policy+0xbe1/0x1090 net/xfrm/xfrm_user.c:1708
+ xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
+ xfrm_dump_policy+0x1c0/0x2a0 net/xfrm/xfrm_user.c:1749
+ netlink_dump+0x9b5/0x1550 net/netlink/af_netlink.c:2226
+ __netlink_dump_start+0x1131/0x1270 net/netlink/af_netlink.c:2323
+ netlink_dump_start include/linux/netlink.h:214 [inline]
+ xfrm_user_rcv_msg+0x8a3/0x9b0 net/xfrm/xfrm_user.c:2577
+ netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
+ xfrm_netlink_rcv+0xb2/0xf0 net/xfrm/xfrm_user.c:2598
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+Local variable description: ----upt.i@dump_one_policy
+Variable was created at:
+ dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
+ xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
+
+Byte 130 of 137 is uninitialized
+Memory access starts at ffff88019550407f
+
+Fixes: c0144beaeca42 ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_user.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index e2287bc70691..5e8f4f3fbe6b 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1642,9 +1642,11 @@ static inline size_t userpolicy_type_attrsize(void)
+ #ifdef CONFIG_XFRM_SUB_POLICY
+ static int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
+ {
+- struct xfrm_userpolicy_type upt = {
+- .type = type,
+- };
++ struct xfrm_userpolicy_type upt;
++
++ /* Sadly there are two holes in struct xfrm_userpolicy_type */
++ memset(&upt, 0, sizeof(upt));
++ upt.type = type;
+
+ return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
+ }
+--
+2.12.3
+
diff --git a/patches.fixes/0004-xfrm-fix-missing-dst_release-after-policy-blocking-l.patch b/patches.fixes/0004-xfrm-fix-missing-dst_release-after-policy-blocking-l.patch
new file mode 100644
index 0000000000..1b96095957
--- /dev/null
+++ b/patches.fixes/0004-xfrm-fix-missing-dst_release-after-policy-blocking-l.patch
@@ -0,0 +1,70 @@
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+Subject: xfrm: fix missing dst_release() after policy blocking
+ lbcast and multicast
+Patch-mainline: v4.18-rc8
+Git-commit: 8cc88773855f988d6a3bbf102bbd9dd9c828eb81
+References: git-fixes
+
+
+Fix missing dst_release() when local broadcast or multicast traffic is
+xfrm policy blocked.
+
+For IPv4 this results to dst leak: ip_route_output_flow() allocates
+dst_entry via __ip_route_output_key() and passes it to
+xfrm_lookup_route(). xfrm_lookup returns ERR_PTR(-EPERM) that is
+propagated. The dst that was allocated is never released.
+
+IPv4 local broadcast testcase:
+ ping -b 192.168.1.255 &
+ sleep 1
+ ip xfrm policy add src 0.0.0.0/0 dst 192.168.1.255/32 dir out action block
+
+IPv4 multicast testcase:
+ ping 224.0.0.1 &
+ sleep 1
+ ip xfrm policy add src 0.0.0.0/0 dst 224.0.0.1/32 dir out action block
+
+For IPv6 the missing dst_release() causes trouble e.g. when used in netns:
+ ip netns add TEST
+ ip netns exec TEST ip link set lo up
+ ip link add dummy0 type dummy
+ ip link set dev dummy0 netns TEST
+ ip netns exec TEST ip addr add fd00::1111 dev dummy0
+ ip netns exec TEST ip link set dummy0 up
+ ip netns exec TEST ping -6 -c 5 ff02::1%dummy0 &
+ sleep 1
+ ip netns exec TEST ip xfrm policy add src ::/0 dst ff02::1 dir out action block
+ wait
+ ip netns del TEST
+
+After netns deletion we see:
+[ 258.239097] unregister_netdevice: waiting for lo to become free. Usage count = 2
+[ 268.279061] unregister_netdevice: waiting for lo to become free. Usage count = 2
+[ 278.367018] unregister_netdevice: waiting for lo to become free. Usage count = 2
+[ 288.375259] unregister_netdevice: waiting for lo to become free. Usage count = 2
+
+Fixes: ac37e2515c1a ("xfrm: release dst_orig in case of error in xfrm_lookup()")
+Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_policy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 736bddd6bf0d..e86a65292879 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -2350,6 +2350,9 @@ struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig,
+ if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)
+ return make_blackhole(net, dst_orig->ops->family, dst_orig);
+
++ if (IS_ERR(dst))
++ dst_release(dst_orig);
++
+ return dst;
+ }
+ EXPORT_SYMBOL(xfrm_lookup_route);
+--
+2.12.3
+
diff --git a/patches.fixes/0005-net-socket-fix-potential-spectre-v1-gadget-in-socket.patch b/patches.fixes/0005-net-socket-fix-potential-spectre-v1-gadget-in-socket.patch
new file mode 100644
index 0000000000..1e08c72521
--- /dev/null
+++ b/patches.fixes/0005-net-socket-fix-potential-spectre-v1-gadget-in-socket.patch
@@ -0,0 +1,47 @@
+From: Jeremy Cline <jcline@redhat.com>
+Subject: net: socket: fix potential spectre v1 gadget in
+ socketcall
+Patch-mainline: v4.18-rc8
+Git-commit: c8e8cd579bb4265651df8223730105341e61a2d1
+References: git-fixes
+
+'call' is a user-controlled value, so sanitize the array index after the
+bounds check to avoid speculating past the bounds of the 'nargs' array.
+
+Found with the help of Smatch:
+
+net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue
+'nargs' [r] (local cap)
+
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/socket.c b/net/socket.c
+index 24bb6684bdda..6a0427b79727 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -89,6 +89,7 @@
+ #include <linux/magic.h>
+ #include <linux/slab.h>
+ #include <linux/xattr.h>
++#include <linux/nospec.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/unistd.h>
+@@ -2433,6 +2434,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
+
+ if (call < 1 || call > SYS_SENDMMSG)
+ return -EINVAL;
++ call = array_index_nospec(call, SYS_SENDMMSG + 1);
+
+ len = nargs[call];
+ if (len > sizeof(a))
+--
+2.12.3
+
diff --git a/patches.fixes/0006-packet-refine-ring-v3-block-size-test-to-hold-one-fr.patch b/patches.fixes/0006-packet-refine-ring-v3-block-size-test-to-hold-one-fr.patch
new file mode 100644
index 0000000000..7e241b76d4
--- /dev/null
+++ b/patches.fixes/0006-packet-refine-ring-v3-block-size-test-to-hold-one-fr.patch
@@ -0,0 +1,68 @@
+From: Willem de Bruijn <willemb@google.com>
+Subject: packet: refine ring v3 block size test to hold one
+ frame
+Patch-mainline: v4.18
+Git-commit: 4576cd469d980317c4edd9173f8b694aa71ea3a3
+References: git-fixes
+
+TPACKET_V3 stores variable length frames in fixed length blocks.
+Blocks must be able to store a block header, optional private space
+and at least one minimum sized frame.
+
+Frames, even for a zero snaplen packet, store metadata headers and
+optional reserved space.
+
+In the block size bounds check, ensure that the frame of the
+chosen configuration fits. This includes sockaddr_ll and optional
+tp_reserve.
+
+Syzbot was able to construct a ring with insuffient room for the
+sockaddr_ll in the header of a zero-length frame, triggering an
+out-of-bounds write in dev_parse_header.
+
+Convert the comparison to less than, as zero is a valid snap len.
+This matches the test for minimum tp_frame_size immediately below.
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Fixes: eb73190f4fbe ("net/packet: refine check for priv area size")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/packet/af_packet.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index cf7652bb2218..aefda8127760 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4285,6 +4285,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ }
+
+ if (req->tp_block_nr) {
++ unsigned int min_frame_size;
++
+ /* Sanity tests and some calculations */
+ err = -EBUSY;
+ if (unlikely(rb->pg_vec))
+@@ -4307,12 +4309,12 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ goto out;
+ if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
+ goto out;
++ min_frame_size = po->tp_hdrlen + po->tp_reserve;
+ if (po->tp_version >= TPACKET_V3 &&
+- req->tp_block_size <=
+- BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr))
++ req->tp_block_size <
++ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + min_frame_size)
+ goto out;
+- if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+- po->tp_reserve))
++ if (unlikely(req->tp_frame_size < min_frame_size))
+ goto out;
+ if (unlikely(req->tp_frame_size & (TPACKET_ALIGNMENT - 1)))
+ goto out;
+--
+2.12.3
+
diff --git a/patches.fixes/0007-net-ipv6-fix-addrconf_sysctl_addr_gen_mode.patch b/patches.fixes/0007-net-ipv6-fix-addrconf_sysctl_addr_gen_mode.patch
new file mode 100644
index 0000000000..c8eb608238
--- /dev/null
+++ b/patches.fixes/0007-net-ipv6-fix-addrconf_sysctl_addr_gen_mode.patch
@@ -0,0 +1,99 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Subject: net/ipv6: fix addrconf_sysctl_addr_gen_mode
+Patch-mainline: v4.19-rc1
+Git-commit: c6dbf7aaa48289d2eeacbef06785c069869ed0c0
+References: git-fixes
+
+
+addrconf_sysctl_addr_gen_mode() has multiple problems. First, it ignores
+the errors returned by proc_dointvec().
+
+addrconf_sysctl_addr_gen_mode() calls proc_dointvec() directly, which
+writes the value to memory, and then checks if it's valid and may return
+EINVAL. If a bad value is given, the value displayed when reading
+net.ipv6.conf.foo.addr_gen_mode next time will be invalid. In case the
+value provided by the user was valid, addrconf_dev_config() won't be
+called since idev->cnf.addr_gen_mode has already been updated.
+
+Fix this in the usual way we deal with values that need to be checked
+after the proc_do*() helper has returned: define a local ctl_table and
+storage, call proc_dointvec() on that temporary area, then check and
+store.
+
+addrconf_sysctl_addr_gen_mode() also writes the new value to the global
+ipv6_devconf_dflt, when we're writing to some netns's default, so that
+new netns will inherit the value that was set by the change occuring in
+any netns. That doesn't make any sense, so let's drop this assignment.
+
+Finally, since addr_gen_mode is a __u32, switch to proc_douintvec().
+
+Fixes: d35a00b8e33d ("net/ipv6: allow sysctl to change link-local address generation mode")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/addrconf.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 4a21afaacc59..1e72d02dd061 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -5790,32 +5790,31 @@ static int addrconf_sysctl_addr_gen_mode(struct ctl_table *ctl, int write,
+ loff_t *ppos)
+ {
+ int ret = 0;
+- int new_val;
++ u32 new_val;
+ struct inet6_dev *idev = (struct inet6_dev *)ctl->extra1;
+ struct net *net = (struct net *)ctl->extra2;
++ struct ctl_table tmp = {
++ .data = &new_val,
++ .maxlen = sizeof(new_val),
++ .mode = ctl->mode,
++ };
+
+ if (!rtnl_trylock())
+ return restart_syscall();
+
+- ret = proc_dointvec(ctl, write, buffer, lenp, ppos);
++ new_val = *((u32 *)ctl->data);
+
+- if (write) {
+- new_val = *((int *)ctl->data);
++ ret = proc_douintvec(&tmp, write, buffer, lenp, ppos);
++ if (ret != 0)
++ goto out;
+
++ if (write) {
+ if (check_addr_gen_mode(new_val) < 0) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+- /* request for default */
+- if (&net->ipv6.devconf_dflt->addr_gen_mode == ctl->data) {
+- ipv6_devconf_dflt.addr_gen_mode = new_val;
+-
+- /* request for individual net device */
+- } else {
+- if (!idev)
+- goto out;
+-
++ if (idev) {
+ if (check_stable_privacy(idev, net, new_val) < 0) {
+ ret = -EINVAL;
+ goto out;
+@@ -5826,6 +5825,8 @@ static int addrconf_sysctl_addr_gen_mode(struct ctl_table *ctl, int write,
+ addrconf_dev_config(idev->dev);
+ }
+ }
++
++ *((u32 *)ctl->data) = new_val;
+ }
+
+ out:
+--
+2.12.3
+
diff --git a/patches.fixes/0008-net-ipv6-don-t-reinitialize-ndev-cnf.addr_gen_mode-o.patch b/patches.fixes/0008-net-ipv6-don-t-reinitialize-ndev-cnf.addr_gen_mode-o.patch
new file mode 100644
index 0000000000..6ccd45d7b5
--- /dev/null
+++ b/patches.fixes/0008-net-ipv6-don-t-reinitialize-ndev-cnf.addr_gen_mode-o.patch
@@ -0,0 +1,36 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Subject: net/ipv6: don't reinitialize ndev->cnf.addr_gen_mode on
+ new inet6_dev
+Patch-mainline: v4.19-rc1
+Git-commit: 70c30d76e580fe4aefe6facdf0f1edb1aa9a0e7a
+References: git-fixes
+
+
+The value has already been copied from this netns's devconf_dflt, it
+shouldn't be reset to the global kernel default.
+
+Fixes: d35a00b8e33d ("net/ipv6: allow sysctl to change link-local address generation mode")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/addrconf.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 1e72d02dd061..8a8bb3eb9b1e 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -395,8 +395,6 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev)
+
+ if (ndev->cnf.stable_secret.initialized)
+ ndev->cnf.addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
+- else
+- ndev->cnf.addr_gen_mode = ipv6_devconf_dflt.addr_gen_mode;
+
+ ndev->cnf.mtu6 = dev->mtu;
+ ndev->nd_parms = neigh_parms_alloc(dev, &nd_tbl);
+--
+2.12.3
+
diff --git a/patches.fixes/0009-net-ipv6-reserve-room-for-IFLA_INET6_ADDR_GEN_MODE.patch b/patches.fixes/0009-net-ipv6-reserve-room-for-IFLA_INET6_ADDR_GEN_MODE.patch
new file mode 100644
index 0000000000..9fd786f94f
--- /dev/null
+++ b/patches.fixes/0009-net-ipv6-reserve-room-for-IFLA_INET6_ADDR_GEN_MODE.patch
@@ -0,0 +1,38 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Subject: net/ipv6: reserve room for IFLA_INET6_ADDR_GEN_MODE
+Patch-mainline: v4.19-rc1
+Git-commit: bdd72f41333d9f61a22e4c4494e95782e9731fdb
+References: git-fixes
+
+
+inet6_ifla6_size() is called to check how much space is needed by
+inet6_fill_link_af() and inet6_fill_ifinfo(), both of which include
+the IFLA_INET6_ADDR_GEN_MODE attribute. Reserve some room for it.
+
+Fixes: bc91b0f07ada ("ipv6: addrconf: implement address generation modes")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/addrconf.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 8a8bb3eb9b1e..bbe616f991e9 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -5107,7 +5107,9 @@ static inline size_t inet6_ifla6_size(void)
+ + nla_total_size(DEVCONF_MAX * 4) /* IFLA_INET6_CONF */
+ + nla_total_size(IPSTATS_MIB_MAX * 8) /* IFLA_INET6_STATS */
+ + nla_total_size(ICMP6_MIB_MAX * 8) /* IFLA_INET6_ICMP6STATS */
+- + nla_total_size(sizeof(struct in6_addr)); /* IFLA_INET6_TOKEN */
++ + nla_total_size(sizeof(struct in6_addr)) /* IFLA_INET6_TOKEN */
++ + nla_total_size(1) /* IFLA_INET6_ADDR_GEN_MODE */
++ + 0;
+ }
+
+ static inline size_t inet6_if_nlmsg_size(void)
+--
+2.12.3
+
diff --git a/patches.fixes/0010-net-ipv6-propagate-net.ipv6.conf.all.addr_gen_mode-t.patch b/patches.fixes/0010-net-ipv6-propagate-net.ipv6.conf.all.addr_gen_mode-t.patch
new file mode 100644
index 0000000000..0ace619829
--- /dev/null
+++ b/patches.fixes/0010-net-ipv6-propagate-net.ipv6.conf.all.addr_gen_mode-t.patch
@@ -0,0 +1,45 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Subject: net/ipv6: propagate net.ipv6.conf.all.addr_gen_mode to
+ devices
+Patch-mainline: v4.19-rc1
+Git-commit: f24c5987dddd28b23443e7b21b55d47549207755
+References: git-fixes
+
+This aligns the addr_gen_mode sysctl with the expected behavior of the
+"all" variant.
+
+Fixes: d35a00b8e33d ("net/ipv6: allow sysctl to change link-local address generation mode")
+Suggested-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/addrconf.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index bbe616f991e9..106da7d7052b 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -5824,6 +5824,18 @@ static int addrconf_sysctl_addr_gen_mode(struct ctl_table *ctl, int write,
+ idev->cnf.addr_gen_mode = new_val;
+ addrconf_dev_config(idev->dev);
+ }
++ } else if (&net->ipv6.devconf_all->addr_gen_mode == ctl->data) {
++ struct net_device *dev;
++
++ net->ipv6.devconf_dflt->addr_gen_mode = new_val;
++ for_each_netdev(net, dev) {
++ idev = __in6_dev_get(dev);
++ if (idev &&
++ idev->cnf.addr_gen_mode != new_val) {
++ idev->cnf.addr_gen_mode = new_val;
++ addrconf_dev_config(idev->dev);
++ }
++ }
+ }
+
+ *((u32 *)ctl->data) = new_val;
+--
+2.12.3
+
diff --git a/patches.fixes/0011-xfrm-fix-passing-zero-to-ERR_PTR-warning.patch b/patches.fixes/0011-xfrm-fix-passing-zero-to-ERR_PTR-warning.patch
new file mode 100644
index 0000000000..a0cca58803
--- /dev/null
+++ b/patches.fixes/0011-xfrm-fix-passing-zero-to-ERR_PTR-warning.patch
@@ -0,0 +1,41 @@
+From: YueHaibing <yuehaibing@huawei.com>
+Subject: xfrm: fix 'passing zero to ERR_PTR()' warning
+Patch-mainline: v4.19-rc1
+Git-commit: 934ffce1343f22ed5e2d0bd6da4440f4848074de
+References: git-fixes
+
+
+Fix a static code checker warning:
+
+ net/xfrm/xfrm_policy.c:1836 xfrm_resolve_and_create_bundle() warn: passing zero to 'ERR_PTR'
+
+xfrm_tmpl_resolve return 0 just means no xdst found, return NULL
+instead of passing zero to ERR_PTR.
+
+Fixes: d809ec895505 ("xfrm: do not assume that template resolving always returns xfrms")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_policy.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index e86a65292879..c82c695fa3fd 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1864,7 +1864,10 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
+ /* Try to instantiate a bundle */
+ err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family);
+ if (err <= 0) {
+- if (err != 0 && err != -EAGAIN)
++ if (err == 0)
++ return NULL;
++
++ if (err != -EAGAIN)
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
+ return ERR_PTR(err);
+ }
+--
+2.12.3
+
diff --git a/patches.fixes/0012-ip6_tunnel-collect_md-xmit-Use-ip_tunnel_key-s-provi.patch b/patches.fixes/0012-ip6_tunnel-collect_md-xmit-Use-ip_tunnel_key-s-provi.patch
new file mode 100644
index 0000000000..0fb0103115
--- /dev/null
+++ b/patches.fixes/0012-ip6_tunnel-collect_md-xmit-Use-ip_tunnel_key-s-provi.patch
@@ -0,0 +1,62 @@
+From: Shmulik Ladkani <shmulik@metanetworks.com>
+Subject: ip6_tunnel: collect_md xmit: Use ip_tunnel_key's
+ provided src address
+Patch-mainline: v4.19-rc1
+Git-commit: 3789cabaab1a939eb56edd76bbde2c2e49f081da
+References: git-fixes
+
+
+calculation purposes (flowi6 construction) and for assigning the
+packet's final ipv6h->saddr.
+
+This makes it impossible specifying a desired ipv6 local address in the
+encapsulating header (for example, when using tc action tunnel_key).
+
+This is also not aligned with behavior of ipip (ipv4) in collect_md
+mode, where the key->u.ipv4.src gets used.
+
+Fix, by assigning fl6.saddr with given key->u.ipv6.src.
+In case ipv6.src is not specified, ip6_tnl_xmit uses existing saddr
+selection code.
+
+Fixes: 8d79266bc48c ("ip6_tunnel: add collect_md mode to IPv6 tunnels")
+Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
+Reviewed-by: Eyal Birger <eyal.birger@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/ip6_tunnel.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
+index f626d3e5c8dc..92a0ff707023 100644
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1115,7 +1115,7 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield,
+ dst = NULL;
+ goto tx_err_link_failure;
+ }
+- if (t->parms.collect_md &&
++ if (t->parms.collect_md && ipv6_addr_any(&fl6->saddr) &&
+ ipv6_dev_get_saddr(net, ip6_dst_idev(dst)->dev,
+ &fl6->daddr, 0, &fl6->saddr))
+ goto tx_err_link_failure;
+@@ -1253,6 +1253,7 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
+ key = &tun_info->key;
+ memset(&fl6, 0, sizeof(fl6));
+ fl6.flowi6_proto = IPPROTO_IPIP;
++ fl6.saddr = key->u.ipv6.src;
+ fl6.daddr = key->u.ipv6.dst;
+ fl6.flowlabel = key->label;
+ dsfield = key->tos;
+@@ -1325,6 +1326,7 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
+ key = &tun_info->key;
+ memset(&fl6, 0, sizeof(fl6));
+ fl6.flowi6_proto = IPPROTO_IPV6;
++ fl6.saddr = key->u.ipv6.src;
+ fl6.daddr = key->u.ipv6.dst;
+ fl6.flowlabel = key->label;
+ dsfield = key->tos;
+--
+2.12.3
+
diff --git a/patches.fixes/0013-ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch b/patches.fixes/0013-ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch
new file mode 100644
index 0000000000..5afd71b135
--- /dev/null
+++ b/patches.fixes/0013-ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch
@@ -0,0 +1,65 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Subject: ipv6: fix cleanup ordering for ip6_mr failure
+Patch-mainline: v4.19-rc3
+Git-commit: afe49de44c27a89e8e9631c44b5ffadf6ace65e2
+References: git-fixes
+
+
+Commit 15e668070a64 ("ipv6: reorder icmpv6_init() and ip6_mr_init()")
+moved the cleanup label for ipmr_fail, but should have changed the
+contents of the cleanup labels as well. Now we can end up cleaning up
+icmpv6 even though it hasn't been initialized (jump to icmp_fail or
+ipmr_fail).
+
+Simply undo things in the reverse order of their initialization.
+
+Example of panic (triggered by faking a failure of icmpv6_init):
+
+ kasan: GPF could be caused by NULL-ptr deref or user memory access
+ general protection fault: 0000 [#1] PREEMPT SMP KASAN PTI
+ [...]
+ RIP: 0010:__list_del_entry_valid+0x79/0x160
+ [...]
+ Call Trace:
+ ? lock_release+0x8a0/0x8a0
+ unregister_pernet_operations+0xd4/0x560
+ ? ops_free_list+0x480/0x480
+ ? down_write+0x91/0x130
+ ? unregister_pernet_subsys+0x15/0x30
+ ? down_read+0x1b0/0x1b0
+ ? up_read+0x110/0x110
+ ? kmem_cache_create_usercopy+0x1b4/0x240
+ unregister_pernet_subsys+0x1d/0x30
+ icmpv6_cleanup+0x1d/0x30
+ inet6_init+0x1b5/0x23f
+
+Fixes: 15e668070a64 ("ipv6: reorder icmpv6_init() and ip6_mr_init()")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/af_inet6.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 94b0cf2c2829..45873b1025d4 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -1085,11 +1085,11 @@ static int __init inet6_init(void)
+ igmp_fail:
+ ndisc_cleanup();
+ ndisc_fail:
+- ip6_mr_cleanup();
++ icmpv6_cleanup();
+ icmp_fail:
+- unregister_pernet_subsys(&inet6_net_ops);
++ ip6_mr_cleanup();
+ ipmr_fail:
+- icmpv6_cleanup();
++ unregister_pernet_subsys(&inet6_net_ops);
+ register_pernet_fail:
+ sock_unregister(PF_INET6);
+ rtnl_unregister_all(PF_INET6);
+--
+2.12.3
+
diff --git a/patches.fixes/0014-ipv6-fix-cleanup-ordering-for-pingv6-registration.patch b/patches.fixes/0014-ipv6-fix-cleanup-ordering-for-pingv6-registration.patch
new file mode 100644
index 0000000000..af792c0fe8
--- /dev/null
+++ b/patches.fixes/0014-ipv6-fix-cleanup-ordering-for-pingv6-registration.patch
@@ -0,0 +1,58 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Subject: ipv6: fix cleanup ordering for pingv6 registration
+Patch-mainline: v4.19-rc3
+Git-commit: a03dc36bdca6b614651fedfcd8559cf914d2d21d
+References: git-fixes
+
+
+Commit 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
+contains an error in the cleanup path of inet6_init(): when
+proto_register(&pingv6_prot, 1) fails, we try to unregister
+&pingv6_prot. When rawv6_init() fails, we skip unregistering
+&pingv6_prot.
+
+Example of panic (triggered by faking a failure of
+ proto_register(&pingv6_prot, 1)):
+
+ general protection fault: 0000 [#1] PREEMPT SMP KASAN PTI
+ [...]
+ RIP: 0010:__list_del_entry_valid+0x79/0x160
+ [...]
+ Call Trace:
+ proto_unregister+0xbb/0x550
+ ? trace_preempt_on+0x6f0/0x6f0
+ ? sock_no_shutdown+0x10/0x10
+ inet6_init+0x153/0x1b8
+
+Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/af_inet6.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 45873b1025d4..7f6e15e03ef5 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -911,14 +911,14 @@ static int __init inet6_init(void)
+
+ err = proto_register(&pingv6_prot, 1);
+ if (err)
+- goto out_unregister_ping_proto;
++ goto out_unregister_raw_proto;
+
+ /* We MUST register RAW sockets before we create the ICMP6,
+ * IGMP6, or NDISC control sockets.
+ */
+ err = rawv6_init();
+ if (err)
+- goto out_unregister_raw_proto;
++ goto out_unregister_ping_proto;
+
+ /* Register the family here so that the init calls below will
+ * be able to create sockets. (?? is this dangerous ??)
+--
+2.12.3
+
diff --git a/patches.fixes/0015-igmp-fix-incorrect-unsolicit-report-count-when-join-.patch b/patches.fixes/0015-igmp-fix-incorrect-unsolicit-report-count-when-join-.patch
new file mode 100644
index 0000000000..64f8a446a1
--- /dev/null
+++ b/patches.fixes/0015-igmp-fix-incorrect-unsolicit-report-count-when-join-.patch
@@ -0,0 +1,39 @@
+From: Hangbin Liu <liuhangbin@gmail.com>
+Subject: igmp: fix incorrect unsolicit report count when join
+ group
+Patch-mainline: v4.19-rc3
+Git-commit: 4fb7253e4f9a8f06a986a3b317e2f79d9b43d552
+References: git-fixes
+
+We should not start timer if im->unsolicit_count equal to 0 after decrease.
+Or we will send one more unsolicit report message. i.e. 3 instead of 2 by
+default.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/igmp.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index eaec888f3b6c..6afb20af0f93 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -820,10 +820,9 @@ static void igmp_timer_expire(unsigned long data)
+ spin_lock(&im->lock);
+ im->tm_running = 0;
+
+- if (im->unsolicit_count) {
+- im->unsolicit_count--;
++ if (im->unsolicit_count && --im->unsolicit_count)
+ igmp_start_timer(im, unsolicited_report_interval(in_dev));
+- }
++
+ im->reporter = 1;
+ spin_unlock(&im->lock);
+
+--
+2.12.3
+
diff --git a/patches.fixes/0016-netfilter-nf_tables-release-chain-in-flushing-set.patch b/patches.fixes/0016-netfilter-nf_tables-release-chain-in-flushing-set.patch
new file mode 100644
index 0000000000..5e4f5e883a
--- /dev/null
+++ b/patches.fixes/0016-netfilter-nf_tables-release-chain-in-flushing-set.patch
@@ -0,0 +1,79 @@
+From: Taehee Yoo <ap420073@gmail.com>
+Subject: netfilter: nf_tables: release chain in flushing set
+Patch-mainline: v4.19-rc4
+Git-commit: 7acfda539c0b9636a58bfee56abfb3aeee806d96
+References: git-fixes
+
+When element of verdict map is deleted, the delete routine should
+release chain. however, flush element of verdict map routine doesn't
+release chain.
+
+test commands:
+ %nft add table ip filter
+ %nft add chain ip filter c1
+ %nft add map ip filter map1 { type ipv4_addr : verdict \; }
+ %nft add element ip filter map1 { 1 : jump c1 }
+ %nft flush map ip filter map1
+ %nft flush ruleset
+
+splat looks like:
+[ 4895.170899] kernel BUG at net/netfilter/nf_tables_api.c:1415!
+[ 4895.178114] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
+[ 4895.178880] CPU: 0 PID: 1670 Comm: nft Not tainted 4.18.0+ #55
+[ 4895.178880] RIP: 0010:nf_tables_chain_destroy.isra.28+0x39/0x220 [nf_tables]
+[ 4895.178880] Code: fc ff df 53 48 89 fb 48 83 c7 50 48 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 09 3c 03 7f 05 e8 3e 4c 25 e1 8b 43 50 85 c0 74 02 <0f> 0b 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02
+[ 4895.228342] RSP: 0018:ffff88010b98f4c0 EFLAGS: 00010202
+[ 4895.234841] RAX: 0000000000000001 RBX: ffff8801131c6968 RCX: ffff8801146585b0
+[ 4895.234841] RDX: 1ffff10022638d37 RSI: ffff8801191a9348 RDI: ffff8801131c69b8
+[ 4895.234841] RBP: ffff8801146585a8 R08: 1ffff1002323526a R09: 0000000000000000
+[ 4895.234841] R10: 0000000000000000 R11: 0000000000000000 R12: dead000000000200
+[ 4895.234841] R13: dead000000000100 R14: ffffffffa3638af8 R15: dffffc0000000000
+[ 4895.234841] FS: 00007f6d188e6700(0000) GS:ffff88011b600000(0000) knlGS:0000000000000000
+[ 4895.234841] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 4895.234841] CR2: 00007ffe72b8df88 CR3: 000000010e2d4000 CR4: 00000000001006f0
+[ 4895.234841] Call Trace:
+[ 4895.234841] nf_tables_commit+0x2704/0x2c70 [nf_tables]
+[ 4895.234841] ? nfnetlink_rcv_batch+0xa4f/0x11b0 [nfnetlink]
+[ 4895.234841] ? nf_tables_setelem_notify.constprop.48+0x1a0/0x1a0 [nf_tables]
+[ 4895.323824] ? __lock_is_held+0x9d/0x130
+[ 4895.323824] ? kasan_unpoison_shadow+0x30/0x40
+[ 4895.333299] ? kasan_kmalloc+0xa9/0xc0
+[ 4895.333299] ? kmem_cache_alloc_trace+0x2c0/0x310
+[ 4895.333299] ? nfnetlink_rcv_batch+0xa4f/0x11b0 [nfnetlink]
+[ 4895.333299] nfnetlink_rcv_batch+0xdb9/0x11b0 [nfnetlink]
+[ 4895.333299] ? debug_show_all_locks+0x290/0x290
+[ 4895.333299] ? nfnetlink_net_init+0x150/0x150 [nfnetlink]
+[ 4895.333299] ? sched_clock_cpu+0xe5/0x170
+[ 4895.333299] ? sched_clock_local+0xff/0x130
+[ 4895.333299] ? sched_clock_cpu+0xe5/0x170
+[ 4895.333299] ? find_held_lock+0x39/0x1b0
+[ 4895.333299] ? sched_clock_local+0xff/0x130
+[ 4895.333299] ? memset+0x1f/0x40
+[ 4895.333299] ? nla_parse+0x33/0x260
+[ 4895.333299] ? ns_capable_common+0x6e/0x110
+[ 4895.333299] nfnetlink_rcv+0x2c0/0x310 [nfnetlink]
+[ ... ]
+
+Fixes: 591054469b3e ("netfilter: nf_tables: revisit chain/object refcounting from elements")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/netfilter/nf_tables_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 02b79bde519f..4d424069b5d8 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4066,6 +4066,7 @@ static int nft_flush_set(const struct nft_ctx *ctx,
+ }
+ set->ndeact++;
+
++ nft_set_elem_deactivate(ctx->net, set, elem);
+ nft_trans_elem_set(trans) = set;
+ nft_trans_elem(trans) = *elem;
+ list_add_tail(&trans->list, &ctx->net->nft.commit_list);
+--
+2.12.3
+
diff --git a/patches.fixes/0017-netfilter-bridge-Don-t-sabotage-nf_hook-calls-from-a.patch b/patches.fixes/0017-netfilter-bridge-Don-t-sabotage-nf_hook-calls-from-a.patch
new file mode 100644
index 0000000000..08807b67fd
--- /dev/null
+++ b/patches.fixes/0017-netfilter-bridge-Don-t-sabotage-nf_hook-calls-from-a.patch
@@ -0,0 +1,56 @@
+From: David Ahern <dsahern@gmail.com>
+Subject: netfilter: bridge: Don't sabotage nf_hook calls from an
+ l3mdev
+Patch-mainline: v4.19-rc7
+Git-commit: a173f066c7cfc031acb8f541708041e009fc9812
+References: git-fixes
+
+
+For starters, the bridge netfilter code registers operations that
+are invoked any time nh_hook is called. Specifically, ip_sabotage_in
+watches for nested calls for NF_INET_PRE_ROUTING when a bridge is in
+the stack.
+
+Packet wise, the bridge netfilter hook runs first. br_nf_pre_routing
+allocates nf_bridge, sets in_prerouting to 1 and calls NF_HOOK for
+NF_INET_PRE_ROUTING. It's finish function, br_nf_pre_routing_finish,
+then resets in_prerouting flag to 0 and the packet continues up the
+stack. The packet eventually makes it to the VRF driver and it invokes
+nf_hook for NF_INET_PRE_ROUTING in case any rules have been added against
+the vrf device.
+
+Because of the registered operations the call to nf_hook causes
+ip_sabotage_in to be invoked. That function sees the nf_bridge on the
+skb and that in_prerouting is not set. Thinking it is an invalid nested
+call it steals (drops) the packet.
+
+Update ip_sabotage_in to recognize that the bridge or one of its upper
+devices (e.g., vlan) can be enslaved to a VRF (L3 master device) and
+allow the packet to go through the nf_hook a second time.
+
+Fixes: 73e20b761acf ("net: vrf: Add support for PREROUTING rules on vrf device")
+Reported-by: D'Souza, Nelson <ndsouza@ciena.com>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/bridge/br_netfilter_hooks.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index e13952d3c0b1..0a2771c13276 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -833,7 +833,8 @@ static unsigned int ip_sabotage_in(void *priv,
+ struct sk_buff *skb,
+ const struct nf_hook_state *state)
+ {
+- if (skb->nf_bridge && !skb->nf_bridge->in_prerouting) {
++ if (skb->nf_bridge && !skb->nf_bridge->in_prerouting &&
++ !netif_is_l3_master(skb->dev)) {
+ state->okfn(state->net, state->sk, skb);
+ return NF_STOLEN;
+ }
+--
+2.12.3
+
diff --git a/patches.fixes/0018-xfrm-Validate-address-prefix-lengths-in-the-xfrm-sel.patch b/patches.fixes/0018-xfrm-Validate-address-prefix-lengths-in-the-xfrm-sel.patch
new file mode 100644
index 0000000000..ff30ba6ee7
--- /dev/null
+++ b/patches.fixes/0018-xfrm-Validate-address-prefix-lengths-in-the-xfrm-sel.patch
@@ -0,0 +1,64 @@
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Subject: xfrm: Validate address prefix lengths in the xfrm
+ selector
+Patch-mainline: v4.19-rc7
+Git-commit: 07bf7908950a8b14e81aa1807e3c667eab39287a
+References: git-fixes
+
+
+We don't validate the address prefix lengths in the xfrm
+selector we got from userspace. This can lead to undefined
+behaviour in the address matching functions if the prefix
+is too big for the given address family. Fix this by checking
+the prefixes and refuse SA/policy insertation when a prefix
+is invalid.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Air Icy <icytxw@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_user.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 5e8f4f3fbe6b..aff0fce28555 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -156,10 +156,16 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+ err = -EINVAL;
+ switch (p->family) {
+ case AF_INET:
++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
++ goto out;
++
+ break;
+
+ case AF_INET6:
+ #if IS_ENABLED(CONFIG_IPV6)
++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
++ goto out;
++
+ break;
+ #else
+ err = -EAFNOSUPPORT;
+@@ -1352,10 +1358,16 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
+
+ switch (p->sel.family) {
+ case AF_INET:
++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
++ return -EINVAL;
++
+ break;
+
+ case AF_INET6:
+ #if IS_ENABLED(CONFIG_IPV6)
++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
++ return -EINVAL;
++
+ break;
+ #else
+ return -EAFNOSUPPORT;
+--
+2.12.3
+
diff --git a/patches.fixes/0019-xfrm6-call-kfree_skb-when-skb-is-toobig.patch b/patches.fixes/0019-xfrm6-call-kfree_skb-when-skb-is-toobig.patch
new file mode 100644
index 0000000000..0e43e4edac
--- /dev/null
+++ b/patches.fixes/0019-xfrm6-call-kfree_skb-when-skb-is-toobig.patch
@@ -0,0 +1,46 @@
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Subject: xfrm6: call kfree_skb when skb is toobig
+Patch-mainline: v4.19-rc7
+Git-commit: 215ab0f021c9fea3c18b75e7d522400ee6a49990
+References: git-fixes
+
+
+After commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ("vti6: fix PMTU caching
+and reporting on xmit"), some too big skbs might be potentially passed down to
+__xfrm6_output, causing it to fail to transmit but not free the skb, causing a
+leak of skb, and consequentially a leak of dst references.
+
+After running pmtu.sh, that shows as failure to unregister devices in a namespace:
+
+[ 311.397671] unregister_netdevice: waiting for veth_b to become free. Usage count = 1
+
+The fix is to call kfree_skb in case of transmit failures.
+
+Fixes: dd767856a36e ("xfrm6: Don't call icmpv6_send on local error")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/xfrm6_output.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
+index 8ae87d4ec5ff..29dae7f2ff14 100644
+--- a/net/ipv6/xfrm6_output.c
++++ b/net/ipv6/xfrm6_output.c
+@@ -170,9 +170,11 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+
+ if (toobig && xfrm6_local_dontfrag(skb)) {
+ xfrm6_local_rxpmtu(skb, mtu);
++ kfree_skb(skb);
+ return -EMSGSIZE;
+ } else if (!skb->ignore_df && toobig && skb->sk) {
+ xfrm_local_error(skb, mtu);
++ kfree_skb(skb);
+ return -EMSGSIZE;
+ }
+
+--
+2.12.3
+
diff --git a/patches.fixes/0020-xfrm-reset-transport-header-back-to-network-header-a.patch b/patches.fixes/0020-xfrm-reset-transport-header-back-to-network-header-a.patch
new file mode 100644
index 0000000000..44631019c5
--- /dev/null
+++ b/patches.fixes/0020-xfrm-reset-transport-header-back-to-network-header-a.patch
@@ -0,0 +1,99 @@
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Subject: xfrm: reset transport header back to network header
+ after all input transforms ahave been applied
+Patch-mainline: v4.19-rc7
+Git-commit: bfc0698bebcb16d19ecfc89574ad4d696955e5d3
+References: git-fixes
+
+A policy may have been set up with multiple transforms (e.g., ESP
+and ipcomp). In this situation, the ingress IPsec processing
+iterates in xfrm_input() and applies each transform in turn,
+processing the nexthdr to find any additional xfrm that may apply.
+
+This patch resets the transport header back to network header
+only after the last transformation so that subsequent xfrms
+can find the correct transport header.
+
+Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
+Suggested-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/xfrm4_input.c | 1 +
+ net/ipv4/xfrm4_mode_transport.c | 4 +---
+ net/ipv6/xfrm6_input.c | 1 +
+ net/ipv6/xfrm6_mode_transport.c | 4 +---
+ 4 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
+index c794a9aa15f5..38018229b9d1 100644
+--- a/net/ipv4/xfrm4_input.c
++++ b/net/ipv4/xfrm4_input.c
+@@ -66,6 +66,7 @@ int xfrm4_transport_finish(struct sk_buff *skb, int async)
+
+ if (xo && (xo->flags & XFRM_GRO)) {
+ skb_mac_header_rebuild(skb);
++ skb_reset_transport_header(skb);
+ return 0;
+ }
+
+diff --git a/net/ipv4/xfrm4_mode_transport.c b/net/ipv4/xfrm4_mode_transport.c
+index 3d36644890bb..1ad2c2c4e250 100644
+--- a/net/ipv4/xfrm4_mode_transport.c
++++ b/net/ipv4/xfrm4_mode_transport.c
+@@ -46,7 +46,6 @@ static int xfrm4_transport_output(struct xfrm_state *x, struct sk_buff *skb)
+ static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ int ihl = skb->data - skb_transport_header(skb);
+- struct xfrm_offload *xo = xfrm_offload(skb);
+
+ if (skb->transport_header != skb->network_header) {
+ memmove(skb_transport_header(skb),
+@@ -54,8 +53,7 @@ static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ skb->network_header = skb->transport_header;
+ }
+ ip_hdr(skb)->tot_len = htons(skb->len + ihl);
+- if (!xo || !(xo->flags & XFRM_GRO))
+- skb_reset_transport_header(skb);
++ skb_reset_transport_header(skb);
+ return 0;
+ }
+
+diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
+index 7c5e582b1af8..520e9592d402 100644
+--- a/net/ipv6/xfrm6_input.c
++++ b/net/ipv6/xfrm6_input.c
+@@ -56,6 +56,7 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async)
+
+ if (xo && (xo->flags & XFRM_GRO)) {
+ skb_mac_header_rebuild(skb);
++ skb_reset_transport_header(skb);
+ return -1;
+ }
+
+diff --git a/net/ipv6/xfrm6_mode_transport.c b/net/ipv6/xfrm6_mode_transport.c
+index 9ad07a91708e..3c29da5defe6 100644
+--- a/net/ipv6/xfrm6_mode_transport.c
++++ b/net/ipv6/xfrm6_mode_transport.c
+@@ -51,7 +51,6 @@ static int xfrm6_transport_output(struct xfrm_state *x, struct sk_buff *skb)
+ static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ int ihl = skb->data - skb_transport_header(skb);
+- struct xfrm_offload *xo = xfrm_offload(skb);
+
+ if (skb->transport_header != skb->network_header) {
+ memmove(skb_transport_header(skb),
+@@ -60,8 +59,7 @@ static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ }
+ ipv6_hdr(skb)->payload_len = htons(skb->len + ihl -
+ sizeof(struct ipv6hdr));
+- if (!xo || !(xo->flags & XFRM_GRO))
+- skb_reset_transport_header(skb);
++ skb_reset_transport_header(skb);
+ return 0;
+ }
+
+--
+2.12.3
+
diff --git a/patches.fixes/0021-xfrm-reset-crypto_done-when-iterating-over-multiple-.patch b/patches.fixes/0021-xfrm-reset-crypto_done-when-iterating-over-multiple-.patch
new file mode 100644
index 0000000000..4f976d99f7
--- /dev/null
+++ b/patches.fixes/0021-xfrm-reset-crypto_done-when-iterating-over-multiple-.patch
@@ -0,0 +1,37 @@
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Subject: xfrm: reset crypto_done when iterating over multiple
+ input xfrms
+Patch-mainline: v4.19-rc7
+Git-commit: 782710e333a526780d65918d669cb96646983ba2
+References: git-fixes
+
+
+We only support one offloaded xfrm (we do not have devices that
+can handle more than one offload), so reset crypto_done in
+xfrm_input() when iterating over multiple transforms in xfrm_input,
+so that we can invoke the appropriate x->type->input for the
+non-offloaded transforms
+
+Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
+Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/xfrm/xfrm_input.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
+index 2ad91eb793fc..d212a0308f33 100644
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -441,6 +441,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
+ goto drop;
+ }
++ crypto_done = false;
+ } while (!err);
+
+ err = xfrm_rcv_cb(skb, family, x->type->proto, 0);
+--
+2.12.3
+
diff --git a/patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch b/patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
new file mode 100644
index 0000000000..cfdb379450
--- /dev/null
+++ b/patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
@@ -0,0 +1,87 @@
+From 592acbf16821288ecdc4192c47e3774a4c48bb64 Mon Sep 17 00:00:00 2001
+From: Sriram Rajagopalan <sriramr@arista.com>
+Date: Fri, 10 May 2019 19:28:06 -0400
+Subject: [PATCH] ext4: zero out the unused memory region in the extent tree
+ block
+Git-commit: 592acbf16821288ecdc4192c47e3774a4c48bb64
+Patch-mainline: v5.2-rc1
+References: bsc#1135281 CVE-2019-11833
+
+This commit zeroes out the unused memory region in the buffer_head
+corresponding to the extent metablock after writing the extent header
+and the corresponding extent node entries.
+
+This is done to prevent random uninitialized data from getting into
+the filesystem when the extent block is synced.
+
+This fixes CVE-2019-11833.
+
+Signed-off-by: Sriram Rajagopalan <sriramr@arista.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/extents.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 0f89f5190cd7..f2c62e2a0c98 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -1035,6 +1035,7 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode,
+ __le32 border;
+ ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */
+ int err = 0;
++ size_t ext_size = 0;
+
+ /* make decision: where to split? */
+ /* FIXME: now decision is simplest: at current extent */
+@@ -1126,6 +1127,10 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode,
+ le16_add_cpu(&neh->eh_entries, m);
+ }
+
++ /* zero out unused area in the extent block */
++ ext_size = sizeof(struct ext4_extent_header) +
++ sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries);
++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
+ ext4_extent_block_csum_set(inode, neh);
+ set_buffer_uptodate(bh);
+ unlock_buffer(bh);
+@@ -1205,6 +1210,11 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode,
+ sizeof(struct ext4_extent_idx) * m);
+ le16_add_cpu(&neh->eh_entries, m);
+ }
++ /* zero out unused area in the extent block */
++ ext_size = sizeof(struct ext4_extent_header) +
++ (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries));
++ memset(bh->b_data + ext_size, 0,
++ inode->i_sb->s_blocksize - ext_size);
+ ext4_extent_block_csum_set(inode, neh);
+ set_buffer_uptodate(bh);
+ unlock_buffer(bh);
+@@ -1270,6 +1280,7 @@ static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode,
+ ext4_fsblk_t newblock, goal = 0;
+ struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es;
+ int err = 0;
++ size_t ext_size = 0;
+
+ /* Try to prepend new index to old one */
+ if (ext_depth(inode))
+@@ -1295,9 +1306,11 @@ static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode,
+ goto out;
+ }
+
++ ext_size = sizeof(EXT4_I(inode)->i_data);
+ /* move top-level index/leaf into new block */
+- memmove(bh->b_data, EXT4_I(inode)->i_data,
+- sizeof(EXT4_I(inode)->i_data));
++ memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size);
++ /* zero out unused area in the extent block */
++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
+
+ /* set size of new block */
+ neh = ext_block_hdr(bh);
+--
+2.16.4
+
diff --git a/series.conf b/series.conf
index 1b88251351..500b2162b7 100644
--- a/series.conf
+++ b/series.conf
@@ -17673,6 +17673,8 @@
patches.drivers/iio-buffer-fix-the-function-signature-to-match-imple
patches.suse/0001-btrfs-quota-Set-rescan-progress-to-u64-1-if-we-hit-l.patch
patches.drivers/r8152-napi-hangup-fix-after-disconnect
+ patches.fixes/0001-netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dost.patch
+ patches.fixes/0002-netfilter-nf_log-don-t-hold-nf_log_mutex-during-user.patch
patches.drivers/net-mlx5e-Don-t-attempt-to-dereference-the-ppriv-str.patch
patches.suse/net-mlx5-E-Switch-Avoid-setup-attempt-if-not-being-e.patch
patches.suse/net-mlx5e-Avoid-dealing-with-vport-representors-if-n.patch
@@ -17990,12 +17992,15 @@
patches.suse/net-fix-amd-xgbe-flow-control-issue.patch
patches.suse/net-ena-Fix-use-of-uninitialized-DMA-address-bits-fi.patch
patches.fixes/vti6-fix-PMTU-caching-and-reporting-on-xmit.patch
+ patches.fixes/0003-xfrm_user-prevent-leaking-2-bytes-of-kernel-memory.patch
+ patches.fixes/0004-xfrm-fix-missing-dst_release-after-policy-blocking-l.patch
patches.fixes/esp6-fix-memleak-on-error-path-in-esp6_input.patch
patches.fixes/0001-net-lan78xx-fix-rx-handling-before-first-packet-is-s.patch
patches.drivers/enic-handle-mtu-change-for-vf-properly.patch
patches.suse/ipv4-remove-BUG_ON-from-fib_compute_spec_dst.patch
patches.suse/net-mdio-mux-bcm-iproc-fix-wrong-getter-and-setter-p.patch
patches.fixes/bpf-use-GFP_ATOMIC-instead-of-GFP_KERNEL-in-bpf_pars.patch
+ patches.fixes/0005-net-socket-fix-potential-spectre-v1-gadget-in-socket.patch
patches.suse/tcp_bbr-fix-bw-probing-to-raise-in-flight-data-for-v.patch
patches.suse/NET-stmmac-align-DMA-stuff-to-largest-cache-line-len.patch
patches.suse/netlink-Do-not-subscribe-to-non-existent-groups.patch
@@ -18043,6 +18048,7 @@
patches.fixes/nohz-Fix-local_timer_softirq_pending.patch
patches.drivers/gpiolib-acpi-make-sure-we-trigger-edge-events-at-lea.patch
patches.fixes/ip6_tunnel-use-the-right-value-for-ipv4-min-mtu-chec.patch
+ patches.fixes/0006-packet-refine-ring-v3-block-size-test-to-hold-one-fr.patch
patches.drivers/net-thunderx-check-for-failed-allocation-lmac-dmacs.patch
patches.suse/vsock-split-dwork-to-avoid-reinitializations.patch
patches.suse/dccp-fix-undefined-behavior-with-cwnd-shift-in-ccid2.patch
@@ -18355,6 +18361,10 @@
patches.drivers/net-hns3-Fix-warning-bug-when-doing-lp-selftest.patch
patches.drivers/net-hns3-Fix-get_vector-ops-in-hclgevf_main-module.patch
patches.drivers/net-hns3-Prevent-sending-command-during-global-or-co.patch
+ patches.fixes/0007-net-ipv6-fix-addrconf_sysctl_addr_gen_mode.patch
+ patches.fixes/0008-net-ipv6-don-t-reinitialize-ndev-cnf.addr_gen_mode-o.patch
+ patches.fixes/0009-net-ipv6-reserve-room-for-IFLA_INET6_ADDR_GEN_MODE.patch
+ patches.fixes/0010-net-ipv6-propagate-net.ipv6.conf.all.addr_gen_mode-t.patch
patches.fixes/Documentation-ip-sysctl.txt-document-addr_gen_mode
patches.drivers/cxgb4-specify-IQTYPE-in-fw_iq_cmd.patch
patches.drivers/be2net-remove-unused-old-AIC-info.patch
@@ -18382,6 +18392,7 @@
patches.drivers/cxgb4-move-Tx-Rx-free-pages-collection-to-common-cod.patch
patches.drivers/ixgbe-Reorder-Tx-Rx-shutdown-to-reduce-time-needed-t.patch
patches.drivers/ixgbe-Refactor-queue-disable-logic-to-take-completio.patch
+ patches.fixes/0011-xfrm-fix-passing-zero-to-ERR_PTR-warning.patch
patches.suse/net-ethernet-mvneta-Fix-napi-structure-mixup-on-arma.patch
patches.drivers/qed-remove-redundant-functions-qed_set_gft_event_id_.patch
patches.drivers/qed-remove-redundant-functions-qed_get_cm_pq_idx_rl.patch
@@ -18406,6 +18417,7 @@
patches.drivers/wlcore-Set-rx_status-boottime_ns-field-on-rx.patch
patches.drivers/iwlwifi-pcie-don-t-access-periphery-registers-when-n
patches.fixes/selftests-bpf-fix-a-typo-in-map-in-map-test.patch
+ patches.fixes/0012-ip6_tunnel-collect_md-xmit-Use-ip_tunnel_key-s-provi.patch
patches.drivers/ibmvnic-Remove-code-to-request-error-information.patch
patches.drivers/ibmvnic-Update-firmware-error-reporting-with-cause-s.patch
patches.drivers/cxgb4-add-support-to-display-DCB-info.patch
@@ -19028,11 +19040,14 @@
patches.drivers/net-hns-add-the-code-for-cleaning-pkt-in-chip.patch
patches.drivers/net-hns-add-netif_carrier_off-before-change-speed-an.patch
patches.suse/net-sched-act_pedit-fix-dump-of-extended-layered-op.patch
+ patches.fixes/0013-ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch
+ patches.fixes/0014-ipv6-fix-cleanup-ordering-for-pingv6-registration.patch
patches.suse/net-bcmgenet-use-MAC-link-status-for-fixed-phy.patch
patches.suse/nfp-wait-for-posted-reconfigs-when-disabling-the-dev.patch
patches.suse/msft-hv-1752-hv_netvsc-Fix-a-deadlock-by-getting-rtnl-lock-earlie.patch
patches.suse/tcp-do-not-restart-timewait-timer-on-rst-reception.patch
patches.drivers/ibmvnic-Include-missing-return-code-checks-in-reset-.patch
+ patches.fixes/0015-igmp-fix-incorrect-unsolicit-report-count-when-join-.patch
patches.drivers/r8169-add-support-for-NCube-8168-network-card.patch
patches.drivers/bnxt_en-Clean-up-unused-functions.patch
patches.drivers/bnxt_en-Do-not-adjust-max_cp_rings-by-the-ones-used-.patch
@@ -19118,6 +19133,7 @@
patches.drivers/net-ena-fix-missing-calls-to-READ_ONCE.patch
patches.drivers/net-ena-fix-incorrect-usage-of-memory-barriers.patch
patches.drivers/qmi_wwan-Support-dynamic-config-on-Quectel-EP06.patch
+ patches.fixes/0016-netfilter-nf_tables-release-chain-in-flushing-set.patch
patches.drivers/r8169-Clear-RTL_FLAG_TASK_-_PENDING-when-clearing-RT.patch
patches.suse/rds-fix-two-RCU-related-problems.patch
patches.arch/s390-sles15-15-03-qeth-use-vzalloc-for-QUERY-OAT-buffer.patch
@@ -19353,6 +19369,11 @@
patches.drivers/smsc75xx-Check-for-Wake-on-LAN-modes.patch
patches.drivers/smsc95xx-Check-for-Wake-on-LAN-modes.patch
patches.drivers/qlcnic-fix-Tx-descriptor-corruption-on-82xx-devices.patch
+ patches.fixes/0017-netfilter-bridge-Don-t-sabotage-nf_hook-calls-from-a.patch
+ patches.fixes/0018-xfrm-Validate-address-prefix-lengths-in-the-xfrm-sel.patch
+ patches.fixes/0019-xfrm6-call-kfree_skb-when-skb-is-toobig.patch
+ patches.fixes/0020-xfrm-reset-transport-header-back-to-network-header-a.patch
+ patches.fixes/0021-xfrm-reset-crypto_done-when-iterating-over-multiple-.patch
patches.fixes/Bluetooth-SMP-fix-crash-in-unpairing.patch
patches.fixes/Revert-openvswitch-Fix-template-leak-in-error-cases.patch
patches.drivers/declance-Fix-continuation-with-the-adapter-identific.patch
@@ -19953,6 +19974,7 @@
patches.drivers/media-cx231xx-fix-potential-sign-extension-overflow-.patch
patches.drivers/media-v4l2-tpg-fix-kernel-oops-when-enabling-HFLIP-a.patch
patches.drivers/soc-tegra-pmc-Fix-child-node-lookup.patch
+ patches.arch/ARM-samsung-Limit-SAMSUNG_PM_CHECK-config-option-to-.patch
patches.suse/btrfs-fix-null-pointer-dereference-on-compressed-wri.patch
patches.suse/0002-Btrfs-fix-assertion-on-fsync-of-regular-file-when-us.patch
patches.suse/btrfs-fix-deadlock-when-writing-out-free-space-cache.patch
@@ -21167,6 +21189,7 @@
patches.suse/sit-check-if-IPv6-enabled-before-calling-ip6_err_gen.patch
patches.fixes/scsi-target-make-the-pi_prot_format-ConfigFS-path-re.patch
patches.drivers/soc-fsl-qbman-avoid-race-in-clearing-QMan-interrupt.patch
+ patches.arch/ARM-pxa-ssp-unneeded-to-free-devm_-allocated-data.patch
patches.fixes/ARM-iop32x-n2100-fix-PCI-IRQ-mapping.patch
patches.fixes/ARM-tango-Improve-ARCH_MULTIPLATFORM-compatibility.patch
patches.fixes/nvme-lock-NS-list-changes-while-handling-command-eff.patch
@@ -21211,6 +21234,8 @@
patches.drivers/auxdisplay-ht16k33-fix-potential-user-after-free-on-.patch
patches.fixes/NFS-Don-t-use-page_file_mapping-after-removing-the-p.patch
patches.fixes/sunrpc-fix-4-more-call-sites-that-were-using-stack-m.patch
+ patches.arch/ARM-OMAP2-Variable-reg-in-function-omap4_dsi_mux_pad.patch
+ patches.arch/ARM-OMAP2-fix-lack-of-timer-interrupts-on-CPU1-after.patch
patches.drivers/Input-bma150-register-input-device-after-setting-pri.patch
patches.drivers/Input-elantech-enable-3rd-button-support-on-Fujitsu-.patch
patches.drivers/Input-cap11xx-switch-to-using-set_brightness_blockin.patch
@@ -21222,6 +21247,7 @@
patches.drivers/i2c-bcm2835-Clear-current-buffer-pointers-and-counts.patch
patches.arch/x86-a-out-clear-the-dump-structure-initially.patch
patches.arch/x86-platform-uv-use-efi_runtime_lock-to-serialise-bios-calls
+ patches.arch/ARM-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch
patches.fixes/mailbox-bcm-flexrm-mailbox-Fix-FlexRM-ring-flush-tim.patch
patches.fixes/mac80211-Free-mpath-object-when-rhashtable-insertion.patch
patches.fixes/mac80211-Restore-vif-beacon-interval-if-start-ap-fai.patch
@@ -21382,6 +21408,7 @@
patches.drivers/clocksource-drivers-exynos_mct-Fix-error-path-in-tim.patch
patches.fixes/irqchip-gic-v3-its-Avoid-parsing-_indirect_-twice-fo.patch
patches.arch/x86-cpu-amd-set-the-cpb-bit-unconditionally-on-f17h.patch
+ patches.arch/ARM-s3c24xx-Fix-boolean-expressions-in-osiris_dvs_no.patch
patches.drivers/soc-tegra-fuse-Fix-illegal-free-of-IO-base-address.patch
patches.drivers/soc-qcom-gsbi-Fix-error-handling-in-gsbi_probe.patch
patches.fixes/mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial
@@ -21696,6 +21723,10 @@
patches.drivers/ALSA-hda-realtek-Add-support-headset-mode-for-New-DE.patch
patches.fixes/0001-fbdev-chipsfb-remove-set-but-not-used-variable-size.patch
patches.drm/fbdev-fbmem-fix-memory-access-if-logo-is-bigger-than.patch
+ patches.arch/ARM-8839-1-kprobe-make-patch_lock-a-raw_spinlock_t.patch
+ patches.arch/ARM-8840-1-use-a-raw_spinlock_t-in-unwind.patch
+ patches.arch/ARM-avoid-Cortex-A9-livelock-on-tight-dmb-loops.patch
+ patches.arch/ARM-8833-1-Ensure-that-NEON-code-always-compiles-wit.patch
patches.drivers/iommu-amd-fix-null-dereference-bug-in-match_hid_uid
patches.arch/kvm-vmx-compare-only-a-single-byte-for-vmcs-launched-in-vcpu-run
patches.arch/kvm-vmx-zero-out-all-general-purpose-registers-after-vm-exit
@@ -21775,6 +21806,7 @@
patches.fixes/0001-netfilter-bridge-set-skb-transport_header-before-ent.patch
patches.fixes/rhashtable-Still-do-rehash-when-we-get-EEXIST.patch
patches.fixes/bpf-do-not-restore-dst_reg-when-cur_state-is-freed.patch
+ patches.arch/ARM-imx6q-cpuidle-fix-bug-that-CPU-might-not-wake-up.patch
patches.drm/0001-drm-rockchip-vop-reset-scale-mode-when-win-is-disabl.patch
patches.drm/drm-meson-Fix-invalid-pointer-in-meson_drv_unbind.patch
patches.drm/drm-meson-Uninstall-IRQ-handler.patch
@@ -21951,6 +21983,7 @@
patches.drivers/sc16is7xx-put-err_spi-and-err_i2c-into-correct-ifdef.patch
patches.fixes/device_cgroup-fix-RCU-imbalance-in-error-case.patch
patches.arch/x86-speculation-prevent-deadlock-on-ssb_state-lock.patch
+ patches.fixes/0001-tools-lib-traceevent-Fix-missing-equality-check-for-.patch
patches.drivers/ALSA-hda-Initialize-power_state-field-properly.patch
patches.drivers/ALSA-info-Fix-racy-addition-deletion-of-nodes.patch
patches.drivers/ALSA-core-Fix-card-races-between-register-and-discon.patch
@@ -22162,6 +22195,7 @@
patches.arch/x86-speculation-mds-add-smt-warning-message.patch
patches.arch/x86-speculation-mds-print-smt-vulnerable-on-msbds-with-mitigations-off.patch
patches.arch/x86-speculation-mds-add-mitigations-support-for-mds.patch
+ patches.fixes/0001-x86-speculation-mds-Fix-documentation-typo.patch
patches.fixes/mm-huge_memory-fix-vmf_insert_pfn_-pmd-pud-crash-han.patch
patches.drivers/PCI-Mark-AMD-Stoney-Radeon-R7-GPU-ATS-as-broken.patch
patches.drivers/PCI-Mark-Atheros-AR9462-to-avoid-bus-reset.patch
@@ -22181,6 +22215,7 @@
patches.drivers/ALSA-hda-realtek-Corrected-fixup-for-System76-Gazell.patch
patches.drivers/ALSA-hda-realtek-Fix-for-Lenovo-B50-70-inverted-inte.patch
patches.drivers/soc-fsl-qe-Fix-an-error-code-in-qe_pin_request.patch
+ patches.fixes/ext4-zero-out-the-unused-memory-region-in-the-extent.patch
patches.fixes/vsock-virtio-Initialize-core-virtio-vsock-before-reg.patch
# davem/net-next