Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOlaf Hering <ohering@suse.de>2019-08-01 13:02:14 +0200
committerOlaf Hering <ohering@suse.de>2019-08-01 13:02:14 +0200
commite897213acb1be0a17efcb0e7b6b2f351f49ba3c1 (patch)
tree4649aacc9cfcf91a644dd757b83a2f07381902e7
parent890dad3f28e6126545188caadb0fb4e5ad874df0 (diff)
parent94efca711f264d439f548ba0e249be6551588325 (diff)
Merge remote-tracking branch 'kerncvs/SLE15-AZURE' into SLE15-AZURE_EMBARGO
-rw-r--r--blacklist.conf16
-rw-r--r--patches.arch/ARM-KVM-Add-SMCCC_ARCH_WORKAROUND_1-fast-handling.patch61
-rw-r--r--patches.arch/ARM-KVM-report-support-for-SMCCC_ARCH_WORKAROUND_1.patch49
-rw-r--r--patches.arch/KVM-Eventfd-Avoid-crash-when-assign-and-deassign-spe.patch65
-rw-r--r--patches.arch/KVM-Reject-device-ioctls-from-processes-other-than-t.patch75
-rw-r--r--patches.arch/KVM-arm-arm64-Close-VMID-generation-race.patch89
-rw-r--r--patches.arch/KVM-arm-arm64-Convert-kvm_host_cpu_state-to-a-static.patch80
-rw-r--r--patches.arch/KVM-arm-arm64-Drop-resource-size-check-for-GICV-wind.patch49
-rw-r--r--patches.arch/KVM-arm-arm64-Fix-VMID-alloc-race-by-reverting-to-lo.patch117
-rw-r--r--patches.arch/KVM-arm-arm64-Fix-lost-IRQs-from-emulated-physcial-t.patch51
-rw-r--r--patches.arch/KVM-arm-arm64-Handle-CPU_PM_ENTER_FAILED.patch41
-rw-r--r--patches.arch/KVM-arm-arm64-Reduce-verbosity-of-KVM-init-log.patch76
-rw-r--r--patches.arch/KVM-arm-arm64-Set-dist-spis-to-NULL-after-kfree.patch37
-rw-r--r--patches.arch/KVM-arm-arm64-Skip-updating-PMD-entry-if-no-change.patch83
-rw-r--r--patches.arch/KVM-arm-arm64-Skip-updating-PTE-entry-if-no-change.patch38
-rw-r--r--patches.arch/KVM-arm-arm64-vgic-Add-missing-irq_lock-to-vgic_mmio.patch47
-rw-r--r--patches.arch/KVM-arm-arm64-vgic-Fix-kvm_device-leak-in-vgic_its_d.patch40
-rw-r--r--patches.arch/KVM-arm-arm64-vgic-its-Fix-potential-overrun-in-vgic.patch74
-rw-r--r--patches.arch/KVM-arm64-Fix-caching-of-host-MDCR_EL2-value.patch54
-rw-r--r--patches.arch/KVM-mmu-Fix-overlap-between-public-and-private-memsl.patch114
-rw-r--r--patches.arch/arm64-KVM-Fix-architecturally-invalid-reset-value-fo.patch41
-rw-r--r--patches.arch/kvm-Disallow-wraparound-in-kvm_gfn_to_hva_cache_init.patch86
-rw-r--r--patches.arch/kvm-arm-arm64-vgic-v3-Tighten-synchronization-for-gu.patch44
-rw-r--r--patches.arch/kvm-make-vm-ioctl-do-valloc-for-some-archs20
-rw-r--r--patches.drivers/Bluetooth-6lowpan-search-for-destination-address-in-.patch59
-rw-r--r--patches.drivers/Bluetooth-Add-SMP-workaround-Microsoft-Surface-Preci.patch71
-rw-r--r--patches.drivers/Bluetooth-Check-state-in-l2cap_disconnect_rsp.patch222
-rw-r--r--patches.drivers/Bluetooth-hci_bcsp-Fix-memory-leak-in-rx_skb.patch41
-rw-r--r--patches.drivers/Bluetooth-validate-BLE-connection-interval-updates.patch94
-rw-r--r--patches.drivers/Input-alps-don-t-handle-ALPS-cs19-trackpoint-only-de.patch105
-rw-r--r--patches.drivers/Input-alps-fix-a-mismatch-between-a-condition-check-.patch42
-rw-r--r--patches.drivers/Input-synaptics-whitelist-Lenovo-T580-SMBus-intertou.patch31
-rw-r--r--patches.drivers/Input-trackpoint-only-expose-supported-controls-for-.patch490
-rw-r--r--patches.drivers/dma-buf-balance-refcount-inbalance.patch46
-rw-r--r--patches.drivers/firmware-ti_sci-Always-request-response-from-firmwar.patch58
-rw-r--r--patches.drivers/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch87
-rw-r--r--patches.drivers/hwmon-nct6775-Fix-register-address-and-added-missed-.patch44
-rw-r--r--patches.drivers/intel_th-pci-Add-Ice-Lake-NNPI-support.patch40
-rw-r--r--patches.drivers/mailbox-handle-failed-named-mailbox-channel-request.patch46
-rw-r--r--patches.drivers/media-coda-Remove-unbalanced-and-unneeded-mutex-unlo.patch40
-rw-r--r--patches.drivers/media-coda-fix-last-buffer-handling-in-V4L2_ENC_CMD_.patch43
-rw-r--r--patches.drivers/media-coda-fix-mpeg2-sequence-number-handling.patch43
-rw-r--r--patches.drivers/media-coda-increment-sequence-offset-for-the-last-re.patch39
-rw-r--r--patches.drivers/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch46
-rw-r--r--patches.drivers/media-hdpvr-fix-locking-and-a-missing-msleep.patch83
-rw-r--r--patches.drivers/media-media_device_enum_links32-clean-a-reserved-fie.patch57
-rw-r--r--patches.drivers/media-spi-IR-LED-add-missing-of-table-registration.patch44
-rw-r--r--patches.drivers/media-staging-media-davinci_vpfe-Fix-for-memory-leak.patch37
-rw-r--r--patches.drivers/media-vpss-fix-a-potential-NULL-pointer-dereference.patch40
-rw-r--r--patches.drivers/media-wl128x-Fix-some-error-handling-in-fm_v4l2_init.patch102
-rw-r--r--patches.drivers/nfc-fix-potential-illegal-memory-access.patch36
-rw-r--r--patches.drivers/pinctrl-pistachio-fix-leaked-of_node-references.patch49
-rw-r--r--patches.drivers/pinctrl-rockchip-fix-leaked-of_node-references.patch44
-rw-r--r--patches.drivers/serial-8250-Fix-TX-interrupt-handling-condition.patch43
-rw-r--r--patches.drivers/tty-ldsem-locking-rwsem-Add-missing-ACQUIRE-to-read_.patch76
-rw-r--r--patches.drivers/tty-max310x-Fix-invalid-baudrate-divisors-calculator.patch114
-rw-r--r--patches.drivers/tty-serial-digicolor-Fix-digicolor-usart-already-reg.patch46
-rw-r--r--patches.drivers/tty-serial-msm_serial-avoid-system-lockup-condition.patch45
-rw-r--r--patches.drivers/tua6100-Avoid-build-warnings.patch96
-rw-r--r--patches.drivers/usb-Handle-USB3-remote-wakeup-for-LPM-enabled-device.patch64
-rw-r--r--patches.drivers/usb-core-hub-Disable-hub-initiated-U1-U2.patch83
-rw-r--r--patches.drivers/usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch66
-rw-r--r--patches.drm/drm-bridge-sii902x-pixel-clock-unit-is-10kHz-instead.patch44
-rw-r--r--patches.drm/drm-bridge-tc358767-read-display_props-in-get_modes.patch46
-rw-r--r--patches.drm/drm-crc-debugfs-User-irqsafe-spinlock-in-drm_crtc_ad.patch52
-rw-r--r--patches.drm/drm-msm-Depopulate-platform-on-probe-failure.patch62
-rw-r--r--patches.drm/drm-panel-simple-Fix-panel_simple_dsi_probe.patch43
-rw-r--r--patches.drm/drm-virtio-Add-memory-barriers-for-capset-cache.patch45
-rw-r--r--patches.fixes/0001-KVM-arm-arm64-Properly-protect-VGIC-locks-from-IRQs.patch44
-rw-r--r--patches.fixes/0001-PCI-qcom-Ensure-that-PERST-is-asserted-for-at-least-.patch47
-rw-r--r--patches.fixes/0001-PCI-xilinx-nwl-Fix-Multi-MSI-data-programming.patch98
-rw-r--r--patches.fixes/9p-acl-fix-uninitialized-iattr-access.patch37
-rw-r--r--patches.fixes/9p-p9dirent_read-check-network-provided-name-length.patch54
-rw-r--r--patches.fixes/9p-pass-the-correct-prototype-to-read_cache_page.patch53
-rw-r--r--patches.fixes/9p-rdma-do-not-disconnect-on-down_interruptible-EAGA.patch47
-rw-r--r--patches.fixes/9p-rdma-remove-useless-check-in-cm_event_handler.patch38
-rw-r--r--patches.fixes/9p-virtio-Add-cleanup-path-in-p9_virtio_init.patch94
-rw-r--r--patches.fixes/9p-xen-Add-cleanup-path-in-p9_trans_xen_init.patch50
-rw-r--r--patches.fixes/9p-xen-fix-check-for-xenbus_read-error-in-front_prob.patch45
-rw-r--r--patches.fixes/ACPI-IORT-Fix-off-by-one-check-in-iort_dev_find_its_.patch50
-rw-r--r--patches.fixes/Documentation-Add-nospectre_v1-parameter.patch31
-rw-r--r--patches.fixes/Documentation-networking-fix-default_ttl-typo-in-mpl.patch37
-rw-r--r--patches.fixes/acpi-arm64-ignore-5.1-FADTs-that-are-reported-as-5.0.patch54
-rw-r--r--patches.fixes/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch52
-rw-r--r--patches.fixes/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch52
-rw-r--r--patches.fixes/driver_core-Fix_use-after-free_and_double_free_on_glue.patch168
-rw-r--r--patches.fixes/eCryptfs-fix-a-couple-type-promotion-bugs.patch55
-rw-r--r--patches.fixes/efi-bgrt-Drop-BGRT-status-field-reserved-bits-check.patch47
-rw-r--r--patches.fixes/hci_uart-check-for-missing-tty-operations.patch149
-rw-r--r--patches.fixes/hpet-Fix-division-by-zero-in-hpet_time_div.patch72
-rw-r--r--patches.fixes/iio-iio-utils-Fix-possible-incorrect-mask-calculatio.patch55
-rw-r--r--patches.fixes/lib-bitmap.c-make-bitmap_parselist-thread-safe-and-m.patch96
-rw-r--r--patches.fixes/libata-don-t-request-sense-data-on-ZAC-ATA-devices.patch70
-rw-r--r--patches.fixes/macsec-fix-checksumming-after-decryption.patch33
-rw-r--r--patches.fixes/macsec-fix-use-after-free-of-skb-during-RX.patch39
-rw-r--r--patches.fixes/macsec-let-the-administrator-set-UP-state-even-if-lo.patch43
-rw-r--r--patches.fixes/macsec-update-operstate-when-lower-device-changes.patch70
-rw-r--r--patches.fixes/net-9p-include-trans_common.h-to-fix-missing-prototy.patch32
-rw-r--r--patches.fixes/regmap-fix-bulk-writes-on-paged-registers.patch44
-rw-r--r--patches.fixes/s390-zcrypt-fix-wrong-dispatching-for-control-domain-cprbs166
-rw-r--r--patches.suse/btrfs-scrub-add-memalloc_nofs-protection-around-init_ipath.patch60
-rw-r--r--patches.suse/btrfs-use-gfp_kernel-in-init_ipath.patch84
-rw-r--r--series.conf99
103 files changed, 6780 insertions, 36 deletions
diff --git a/blacklist.conf b/blacklist.conf
index 85bf67f820..00ba8565fa 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -1287,3 +1287,19 @@ ad408a1596b45868e38d0504f2ec1d5fb06f17d4 # cosmetic change
7a625549ea8c14be70bc7cfaf30215401bba6da0 # breaks kABI
5c14a4d05f68415af9e41a4e667d1748d41d1baf # optimization
b4c3fbe6360178dc2181b7b43b7ae793a192b282 # optimization, breaks kABI
+8c3590de0a378c2449fc1aec127cc693632458e4 # ASoC: rt274: not applicable
+c16e12010060c6c7a31f08b4a99513064cb53b7d # ASoC: dapm: breaks kABI
+2757970f6d0d0a112247600b23d38c0c728ceeb3 # ASoC: fsl: not applicable
+44662f90cda7ce0b65e77a7f1eefe45fb9053a4e # ASoC: simple-card: not applicable
+6246f283d5e02ac757bd8d9bacde8fdc54c4582d # ASoC: dpcm: not applicable
+4bcdec39c454c4e8f9512115bdcc3efec1ba5f55 # ASoC: intel: not applicable
+c85064435fe7a216ec0f0238ef2b8f7cd850a450 # ASoC: rockchip: not applicable
+d6ba3f815bc5f3c4249d15c8bc5fbb012651b4a4 # ASoC: intel: not applicable
+f47b9ad927c6370b80922af434dda98764a43804 # ASoC: core: not applicable
+8ca5104715cfd14254ea5aecc390ae583b707607 # ASoC: davinci: not applicable
+ea751227c813ab833609afecfeedaf0aa26f327e # ASoC: imx: superfluous, kconfig
+cbc0fa7b6e8c6180c18fd951d28197281a526330 # ASoC: da7219: superfluous, kconfig
+7e46169a5f35762f335898a75d1b8a242f2ae0f5 # ASoC: sun4i: not applicable
+f9927000cb35f250051f0f1878db12ee2626eea1 # ASoC: sun4i: not applicable
+83ee240aad9147ed5dac5a7c7b4c559d134072e7 # ASoC: cx2072x: superfluous
+fd14f4436fd47d5418023c90e933e66d3645552e # ASoC: davinci: not applicable
diff --git a/patches.arch/ARM-KVM-Add-SMCCC_ARCH_WORKAROUND_1-fast-handling.patch b/patches.arch/ARM-KVM-Add-SMCCC_ARCH_WORKAROUND_1-fast-handling.patch
new file mode 100644
index 0000000000..7ec0e66a17
--- /dev/null
+++ b/patches.arch/ARM-KVM-Add-SMCCC_ARCH_WORKAROUND_1-fast-handling.patch
@@ -0,0 +1,61 @@
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Tue, 15 May 2018 17:04:10 +0100
+Subject: ARM: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling
+Patch-mainline: v4.18-rc1
+Git-commit: b800acfc70d9fb81fbd6df70f2cf5e20f70023d0
+References: bsc#1133021
+
+We want SMCCC_ARCH_WORKAROUND_1 to be fast. As fast as possible.
+So let's intercept it as early as we can by testing for the
+function call number as soon as we've identified a HVC call
+coming from the guest.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Boot-tested-by: Tony Lindgren <tony@atomide.com>
+Reviewed-by: Tony Lindgren <tony@atomide.com>
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ arch/arm/kvm/hyp/hyp-entry.S | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/kvm/hyp/hyp-entry.S
++++ b/arch/arm/kvm/hyp/hyp-entry.S
+@@ -16,6 +16,7 @@
+ * Foundation, 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+
++#include <linux/arm-smccc.h>
+ #include <linux/linkage.h>
+ #include <asm/kvm_arm.h>
+ #include <asm/kvm_asm.h>
+@@ -118,7 +119,7 @@ hyp_hvc:
+ lsr r2, r2, #16
+ and r2, r2, #0xff
+ cmp r2, #0
+- bne guest_trap @ Guest called HVC
++ bne guest_hvc_trap @ Guest called HVC
+
+ /*
+ * Getting here means host called HVC, we shift parameters and branch
+@@ -162,6 +163,20 @@ THUMB( orr lr, #1)
+ pop {lr}
+ eret
+
++guest_hvc_trap:
++ movw r2, #:lower16:ARM_SMCCC_ARCH_WORKAROUND_1
++ movt r2, #:upper16:ARM_SMCCC_ARCH_WORKAROUND_1
++ ldr r0, [sp] @ Guest's r0
++ teq r0, r2
++ bne guest_trap
++ add sp, sp, #12
++ @ Returns:
++ @ r0 = 0
++ @ r1 = HSR value (perfectly predictable)
++ @ r2 = ARM_SMCCC_ARCH_WORKAROUND_1
++ mov r0, #0
++ eret
++
+ guest_trap:
+ load_vcpu r0 @ Load VCPU pointer to r0
+
diff --git a/patches.arch/ARM-KVM-report-support-for-SMCCC_ARCH_WORKAROUND_1.patch b/patches.arch/ARM-KVM-report-support-for-SMCCC_ARCH_WORKAROUND_1.patch
new file mode 100644
index 0000000000..bb66daa018
--- /dev/null
+++ b/patches.arch/ARM-KVM-report-support-for-SMCCC_ARCH_WORKAROUND_1.patch
@@ -0,0 +1,49 @@
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Wed, 16 May 2018 11:29:30 +0100
+Subject: ARM: KVM: report support for SMCCC_ARCH_WORKAROUND_1
+Patch-mainline: v4.18-rc1
+Git-commit: add5609877c6785cc002c6ed7e008b1d61064439
+References: bsc#1133021
+
+Report support for SMCCC_ARCH_WORKAROUND_1 to KVM guests for affected
+CPUs.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Boot-tested-by: Tony Lindgren <tony@atomide.com>
+Reviewed-by: Tony Lindgren <tony@atomide.com>
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ arch/arm/include/asm/kvm_host.h | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/include/asm/kvm_host.h
++++ b/arch/arm/include/asm/kvm_host.h
+@@ -21,6 +21,7 @@
+
+ #include <linux/types.h>
+ #include <linux/kvm_types.h>
++#include <asm/cputype.h>
+ #include <asm/kvm.h>
+ #include <asm/kvm_asm.h>
+ #include <asm/kvm_mmio.h>
+@@ -306,8 +307,17 @@ int kvm_arm_vcpu_arch_has_attr(struct kv
+
+ static inline bool kvm_arm_harden_branch_predictor(void)
+ {
+- /* No way to detect it yet, pretend it is not there. */
+- return false;
++ switch(read_cpuid_part()) {
++#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR
++ case ARM_CPU_PART_BRAHMA_B15:
++ case ARM_CPU_PART_CORTEX_A12:
++ case ARM_CPU_PART_CORTEX_A15:
++ case ARM_CPU_PART_CORTEX_A17:
++ return true;
++#endif
++ default:
++ return false;
++ }
+ }
+
+ #endif /* __ARM_KVM_HOST_H__ */
diff --git a/patches.arch/KVM-Eventfd-Avoid-crash-when-assign-and-deassign-spe.patch b/patches.arch/KVM-Eventfd-Avoid-crash-when-assign-and-deassign-spe.patch
new file mode 100644
index 0000000000..59723bdb11
--- /dev/null
+++ b/patches.arch/KVM-Eventfd-Avoid-crash-when-assign-and-deassign-spe.patch
@@ -0,0 +1,65 @@
+From: Lan Tianyu <tianyu.lan@intel.com>
+Date: Thu, 21 Dec 2017 21:10:36 -0500
+Subject: KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in
+ parallel.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Patch-mainline: v4.18-rc6
+Git-commit: b5020a8e6b54d2ece80b1e7dedb33c79a40ebd47
+References: bsc#1133021
+
+Syzbot reports crashes in kvm_irqfd_assign(), caused by use-after-free
+when kvm_irqfd_assign() and kvm_irqfd_deassign() run in parallel
+for one specific eventfd. When the assign path hasn't finished but irqfd
+has been added to kvm->irqfds.items list, another thead may deassign the
+eventfd and free struct kvm_kernel_irqfd(). The assign path then uses
+the struct kvm_kernel_irqfd that has been freed by deassign path. To avoid
+such issue, keep irqfd under kvm->irq_srcu protection after the irqfd
+has been added to kvm->irqfds.items list, and call synchronize_srcu()
+in irq_shutdown() to make sure that irqfd has been fully initialized in
+the assign path.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Tianyu Lan <tianyu.lan@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ virt/kvm/eventfd.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/eventfd.c
++++ b/virt/kvm/eventfd.c
+@@ -119,8 +119,12 @@ irqfd_shutdown(struct work_struct *work)
+ {
+ struct kvm_kernel_irqfd *irqfd =
+ container_of(work, struct kvm_kernel_irqfd, shutdown);
++ struct kvm *kvm = irqfd->kvm;
+ u64 cnt;
+
++ /* Make sure irqfd has been initalized in assign path. */
++ synchronize_srcu(&kvm->irq_srcu);
++
+ /*
+ * Synchronize with the wait-queue and unhook ourselves to prevent
+ * further events.
+@@ -387,7 +391,6 @@ kvm_irqfd_assign(struct kvm *kvm, struct
+
+ idx = srcu_read_lock(&kvm->irq_srcu);
+ irqfd_update(kvm, irqfd);
+- srcu_read_unlock(&kvm->irq_srcu, idx);
+
+ list_add_tail(&irqfd->list, &kvm->irqfds.items);
+
+@@ -421,6 +424,7 @@ kvm_irqfd_assign(struct kvm *kvm, struct
+ }
+ #endif
+
++ srcu_read_unlock(&kvm->irq_srcu, idx);
+ return 0;
+
+ fail:
diff --git a/patches.arch/KVM-Reject-device-ioctls-from-processes-other-than-t.patch b/patches.arch/KVM-Reject-device-ioctls-from-processes-other-than-t.patch
new file mode 100644
index 0000000000..c85a132ab8
--- /dev/null
+++ b/patches.arch/KVM-Reject-device-ioctls-from-processes-other-than-t.patch
@@ -0,0 +1,75 @@
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Fri, 15 Feb 2019 12:48:39 -0800
+Subject: KVM: Reject device ioctls from processes other than the VM's creator
+Patch-mainline: v5.1-rc3
+Git-commit: ddba91801aeb5c160b660caed1800eb3aef403f8
+References: bsc#1133021
+
+KVM's API requires thats ioctls must be issued from the same process
+that created the VM. In other words, userspace can play games with a
+VM's file descriptors, e.g. fork(), SCM_RIGHTS, etc..., but only the
+creator can do anything useful. Explicitly reject device ioctls that
+are issued by a process other than the VM's creator, and update KVM's
+API documentation to extend its requirements to device ioctls.
+
+Fixes: 852b6d57dc7f ("kvm: add device control API")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ Documentation/virtual/kvm/api.txt | 16 +++++++++++-----
+ virt/kvm/kvm_main.c | 3 +++
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+--- a/Documentation/virtual/kvm/api.txt
++++ b/Documentation/virtual/kvm/api.txt
+@@ -13,7 +13,7 @@ of a virtual machine. The ioctls belong
+
+ - VM ioctls: These query and set attributes that affect an entire virtual
+ machine, for example memory layout. In addition a VM ioctl is used to
+- create virtual cpus (vcpus).
++ create virtual cpus (vcpus) and devices.
+
+ Only run VM ioctls from the same process (address space) that was used
+ to create the VM.
+@@ -24,6 +24,11 @@ of a virtual machine. The ioctls belong
+ Only run vcpu ioctls from the same thread that was used to create the
+ vcpu.
+
++ - device ioctls: These query and set attributes that control the operation
++ of a single device.
++
++ device ioctls must be issued from the same process (address space) that
++ was used to create the VM.
+
+ 2. File descriptors
+ -------------------
+@@ -32,10 +37,11 @@ The kvm API is centered around file desc
+ open("/dev/kvm") obtains a handle to the kvm subsystem; this handle
+ can be used to issue system ioctls. A KVM_CREATE_VM ioctl on this
+ handle will create a VM file descriptor which can be used to issue VM
+-ioctls. A KVM_CREATE_VCPU ioctl on a VM fd will create a virtual cpu
+-and return a file descriptor pointing to it. Finally, ioctls on a vcpu
+-fd can be used to control the vcpu, including the important task of
+-actually running guest code.
++ioctls. A KVM_CREATE_VCPU or KVM_CREATE_DEVICE ioctl on a VM fd will
++create a virtual cpu or device and return a file descriptor pointing to
++the new resource. Finally, ioctls on a vcpu or device fd can be used
++to control the vcpu or device. For vcpus, this includes the important
++task of actually running guest code.
+
+ In general file descriptors can be migrated among processes by means
+ of fork() and the SCM_RIGHTS facility of unix domain socket. These
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -2854,6 +2854,9 @@ static long kvm_device_ioctl(struct file
+ {
+ struct kvm_device *dev = filp->private_data;
+
++ if (dev->kvm->mm != current->mm)
++ return -EIO;
++
+ switch (ioctl) {
+ case KVM_SET_DEVICE_ATTR:
+ return kvm_device_ioctl_attr(dev, dev->ops->set_attr, arg);
diff --git a/patches.arch/KVM-arm-arm64-Close-VMID-generation-race.patch b/patches.arch/KVM-arm-arm64-Close-VMID-generation-race.patch
new file mode 100644
index 0000000000..477a9f5319
--- /dev/null
+++ b/patches.arch/KVM-arm-arm64-Close-VMID-generation-race.patch
@@ -0,0 +1,89 @@
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Wed, 4 Apr 2018 14:48:24 +0100
+Subject: KVM: arm/arm64: Close VMID generation race
+Patch-mainline: v4.17-rc3
+Git-commit: f0cf47d939d0b4b4f660c5aaa4276fa3488f3391
+References: bsc#1133021
+
+Before entering the guest, we check whether our VMID is still
+part of the current generation. In order to avoid taking a lock,
+we start with checking that the generation is still current, and
+only if not current do we take the lock, recheck, and update the
+generation and VMID.
+
+This leaves open a small race: A vcpu can bump up the global
+generation number as well as the VM's, but has not updated
+the VMID itself yet.
+
+At that point another vcpu from the same VM comes in, checks
+the generation (and finds it not needing anything), and jumps
+into the guest. At this point, we end-up with two vcpus belonging
+to the same VM running with two different VMIDs. Eventually, the
+VMID used by the second vcpu will get reassigned, and things will
+really go wrong...
+
+A simple solution would be to drop this initial check, and always take
+the lock. This is likely to cause performance issues. A middle ground
+is to convert the spinlock to a rwlock, and only take the read lock
+on the fast path. If the check fails at that point, drop it and
+acquire the write lock, rechecking the condition.
+
+This ensures that the above scenario doesn't occur.
+
+Cc: stable@vger.kernel.org
+Reported-by: Mark Rutland <mark.rutland@arm.com>
+Tested-by: Shannon Zhao <zhaoshenglong@huawei.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ virt/kvm/arm/arm.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/virt/kvm/arm/arm.c
++++ b/virt/kvm/arm/arm.c
+@@ -63,7 +63,7 @@ static DEFINE_PER_CPU(struct kvm_vcpu *,
+ static atomic64_t kvm_vmid_gen = ATOMIC64_INIT(1);
+ static u32 kvm_next_vmid;
+ static unsigned int kvm_vmid_bits __read_mostly;
+-static DEFINE_SPINLOCK(kvm_vmid_lock);
++static DEFINE_RWLOCK(kvm_vmid_lock);
+
+ static bool vgic_present;
+
+@@ -465,11 +465,16 @@ static void update_vttbr(struct kvm *kvm
+ {
+ phys_addr_t pgd_phys;
+ u64 vmid;
++ bool new_gen;
+
+- if (!need_new_vmid_gen(kvm))
++ read_lock(&kvm_vmid_lock);
++ new_gen = need_new_vmid_gen(kvm);
++ read_unlock(&kvm_vmid_lock);
++
++ if (!new_gen)
+ return;
+
+- spin_lock(&kvm_vmid_lock);
++ write_lock(&kvm_vmid_lock);
+
+ /*
+ * We need to re-check the vmid_gen here to ensure that if another vcpu
+@@ -477,7 +482,7 @@ static void update_vttbr(struct kvm *kvm
+ * use the same vmid.
+ */
+ if (!need_new_vmid_gen(kvm)) {
+- spin_unlock(&kvm_vmid_lock);
++ write_unlock(&kvm_vmid_lock);
+ return;
+ }
+
+@@ -511,7 +516,7 @@ static void update_vttbr(struct kvm *kvm
+ vmid = ((u64)(kvm->arch.vmid) << VTTBR_VMID_SHIFT) & VTTBR_VMID_MASK(kvm_vmid_bits);
+ kvm->arch.vttbr = kvm_phys_to_vttbr(pgd_phys) | vmid;
+
+- spin_unlock(&kvm_vmid_lock);
++ write_unlock(&kvm_vmid_lock);
+ }
+
+ static int kvm_vcpu_first_run_init(struct kvm_vcpu *vcpu)
diff --git a/patches.arch/KVM-arm-arm64-Convert-kvm_host_cpu_state-to-a-static.patch b/patches.arch/KVM-arm-arm64-Convert-kvm_host_cpu_state-to-a-static.patch
new file mode 100644
index 0000000000..50a1a9a5b1
--- /dev/null
+++ b/patches.arch/KVM-arm-arm64-Convert-kvm_host_cpu_state-to-a-static.patch
@@ -0,0 +1,80 @@
+From: James Morse <james.morse@arm.com>
+Date: Mon, 8 Jan 2018 15:38:04 +0000
+Subject: KVM: arm/arm64: Convert kvm_host_cpu_state to a static per-cpu
+ allocation
+Patch-mainline: v4.16-rc1
+Git-commit: 36989e7fd386a9a5822c48691473863f8fbb404d
+References: bsc#1133021
+
+kvm_host_cpu_state is a per-cpu allocation made from kvm_arch_init()
+used to store the host EL1 registers when KVM switches to a guest.
+
+Make it easier for ASM to generate pointers into this per-cpu memory
+by making it a static allocation.
+
+Signed-off-by: James Morse <james.morse@arm.com>
+Acked-by: Christoffer Dall <cdall@linaro.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ virt/kvm/arm/arm.c | 18 +++---------------
+ 1 file changed, 3 insertions(+), 15 deletions(-)
+
+--- a/virt/kvm/arm/arm.c
++++ b/virt/kvm/arm/arm.c
+@@ -53,8 +53,8 @@
+ __asm__(".arch_extension virt");
+ #endif
+
++DEFINE_PER_CPU(kvm_cpu_context_t, kvm_host_cpu_state);
+ static DEFINE_PER_CPU(unsigned long, kvm_arm_hyp_stack_page);
+-static kvm_cpu_context_t __percpu *kvm_host_cpu_state;
+
+ /* Per-CPU variable containing the currently running vcpu. */
+ static DEFINE_PER_CPU(struct kvm_vcpu *, kvm_arm_running_vcpu);
+@@ -354,7 +354,7 @@ void kvm_arch_vcpu_load(struct kvm_vcpu
+ }
+
+ vcpu->cpu = cpu;
+- vcpu->arch.host_cpu_context = this_cpu_ptr(kvm_host_cpu_state);
++ vcpu->arch.host_cpu_context = this_cpu_ptr(&kvm_host_cpu_state);
+
+ kvm_arm_set_running_vcpu(vcpu);
+ kvm_vgic_load(vcpu);
+@@ -1269,19 +1269,8 @@ static inline void hyp_cpu_pm_exit(void)
+ }
+ #endif
+
+-static void teardown_common_resources(void)
+-{
+- free_percpu(kvm_host_cpu_state);
+-}
+-
+ static int init_common_resources(void)
+ {
+- kvm_host_cpu_state = alloc_percpu(kvm_cpu_context_t);
+- if (!kvm_host_cpu_state) {
+- kvm_err("Cannot allocate host CPU state\n");
+- return -ENOMEM;
+- }
+-
+ /* set size of VMID supported by CPU */
+ kvm_vmid_bits = kvm_get_vmid_bits();
+ kvm_info("%d-bit VMID\n", kvm_vmid_bits);
+@@ -1423,7 +1412,7 @@ static int init_hyp_mode(void)
+ for_each_possible_cpu(cpu) {
+ kvm_cpu_context_t *cpu_ctxt;
+
+- cpu_ctxt = per_cpu_ptr(kvm_host_cpu_state, cpu);
++ cpu_ctxt = per_cpu_ptr(&kvm_host_cpu_state, cpu);
+ err = create_hyp_mappings(cpu_ctxt, cpu_ctxt + 1, PAGE_HYP);
+
+ if (err) {
+@@ -1547,7 +1536,6 @@ out_hyp:
+ if (!in_hyp_mode)
+ teardown_hyp_mode();
+ out_err:
+- teardown_common_resources();
+ return err;
+ }
+
diff --git a/patches.arch/KVM-arm-arm64-Drop-resource-size-check-for-GICV-wind.patch b/patches.arch/KVM-arm-arm64-Drop-resource-size-check-for-GICV-wind.patch
new file mode 100644
index 0000000000..4b1099ffa6
--- /dev/null
+++ b/patches.arch/KVM-arm-arm64-Drop-resource-size-check-for-GICV-wind.patch
@@ -0,0 +1,49 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Fri, 1 Jun 2018 17:06:28 +0200
+Subject: KVM: arm/arm64: Drop resource size check for GICV window
+Patch-mainline: v4.18-rc2
+Git-commit: ba56bc3a0786992755e6804fbcbdc60ef6cfc24c
+References: bsc#1133021
+
+When booting a 64 KB pages kernel on a ACPI GICv3 system that
+implements support for v2 emulation, the following warning is
+produced
+
+ GICV size 0x2000 not a multiple of page size 0x10000
+
+and support for v2 emulation is disabled, preventing GICv2 VMs
+from being able to run on such hosts.
+
+The reason is that vgic_v3_probe() performs a sanity check on the
+size of the window (it should be a multiple of the page size),
+while the ACPI MADT parsing code hardcodes the size of the window
+to 8 KB. This makes sense, considering that ACPI does not bother
+to describe the size in the first place, under the assumption that
+platforms implementing ACPI will follow the architecture and not
+put anything else in the same 64 KB window.
+
+So let's just drop the sanity check altogether, and assume that
+the window is at least 64 KB in size.
+
+Fixes: 909777324588 ("KVM: arm/arm64: vgic-new: vgic_init: implement kvm_vgic_hyp_init")
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ virt/kvm/arm/vgic/vgic-v3.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/virt/kvm/arm/vgic/vgic-v3.c
++++ b/virt/kvm/arm/vgic/vgic-v3.c
+@@ -501,11 +501,6 @@ int vgic_v3_probe(const struct gic_kvm_i
+ pr_warn("GICV physical address 0x%llx not page aligned\n",
+ (unsigned long long)info->vcpu.start);
+ kvm_vgic_global_state.vcpu_base = 0;
+- } else if (!PAGE_ALIGNED(resource_size(&info->vcpu))) {
+- pr_warn("GICV size 0x%llx not a multiple of page size 0x%lx\n",
+- (unsigned long long)resource_size(&info->vcpu),
+- PAGE_SIZE);
+- kvm_vgic_global_state.vcpu_base = 0;
+ } else {
+ kvm_vgic_global_state.vcpu_base = info->vcpu.start;
+ kvm_vgic_global_state.can_emulate_gicv2 = true;
diff --git a/patches.arch/KVM-arm-arm64-Fix-VMID-alloc-race-by-reverting-to-lo.patch b/patches.arch/KVM-arm-arm64-Fix-VMID-alloc-race-by-reverting-to-lo.patch
new file mode 100644
index 0000000000..e95917d8a1
--- /dev/null
+++ b/patches.arch/KVM-arm-arm64-Fix-VMID-alloc-race-by-reverting-to-lo.patch
@@ -0,0 +1,117 @@
+From: Christoffer Dall <christoffer.dall@arm.com>
+Date: Tue, 11 Dec 2018 13:23:57 +0100
+Subject: KVM: arm/arm64: Fix VMID alloc race by reverting to lock-less
+Patch-mainline: v5.0-rc1
+Git-commit: fb544d1ca65a89f7a3895f7531221ceeed74ada7
+References: bsc#1133021
+
+We recently addressed a VMID generation race by introducing a read/write
+lock around accesses and updates to the vmid generation values.
+
+However, kvm_arch_vcpu_ioctl_run() also calls need_new_vmid_gen() but
+does so without taking the read lock.
+
+As far as I can tell, this can lead to the same kind of race:
+
+ VM 0, VCPU 0 VM 0, VCPU 1
+ ------------ ------------
+ update_vttbr (vmid 254)
+ update_vttbr (vmid 1) // roll over
+ read_lock(kvm_vmid_lock);
+ force_vm_exit()
+ local_irq_disable
+ need_new_vmid_gen == false //because vmid gen matches
+
+ enter_guest (vmid 254)
+ kvm_arch.vttbr = <PGD>:<VMID 1>
+ read_unlock(kvm_vmid_lock);
+
+ enter_guest (vmid 1)
+
+Which results in running two VCPUs in the same VM with different VMIDs
+and (even worse) other VCPUs from other VMs could now allocate clashing
+VMID 254 from the new generation as long as VCPU 0 is not exiting.
+
+Attempt to solve this by making sure vttbr is updated before another CPU
+can observe the updated VMID generation.
+
+Cc: stable@vger.kernel.org
+Fixes: f0cf47d939d0 "KVM: arm/arm64: Close VMID generation race"
+Reviewed-by: Julien Thierry <julien.thierry@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ virt/kvm/arm/arm.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+--- a/virt/kvm/arm/arm.c
++++ b/virt/kvm/arm/arm.c
+@@ -63,7 +63,7 @@ static DEFINE_PER_CPU(struct kvm_vcpu *,
+ static atomic64_t kvm_vmid_gen = ATOMIC64_INIT(1);
+ static u32 kvm_next_vmid;
+ static unsigned int kvm_vmid_bits __read_mostly;
+-static DEFINE_RWLOCK(kvm_vmid_lock);
++static DEFINE_SPINLOCK(kvm_vmid_lock);
+
+ static bool vgic_present;
+
+@@ -465,7 +465,9 @@ void force_vm_exit(const cpumask_t *mask
+ */
+ static bool need_new_vmid_gen(struct kvm *kvm)
+ {
+- return unlikely(kvm->arch.vmid_gen != atomic64_read(&kvm_vmid_gen));
++ u64 current_vmid_gen = atomic64_read(&kvm_vmid_gen);
++ smp_rmb(); /* Orders read of kvm_vmid_gen and kvm->arch.vmid */
++ return unlikely(READ_ONCE(kvm->arch.vmid_gen) != current_vmid_gen);
+ }
+
+ /**
+@@ -480,16 +482,11 @@ static void update_vttbr(struct kvm *kvm
+ {
+ phys_addr_t pgd_phys;
+ u64 vmid;
+- bool new_gen;
+
+- read_lock(&kvm_vmid_lock);
+- new_gen = need_new_vmid_gen(kvm);
+- read_unlock(&kvm_vmid_lock);
+-
+- if (!new_gen)
++ if (!need_new_vmid_gen(kvm))
+ return;
+
+- write_lock(&kvm_vmid_lock);
++ spin_lock(&kvm_vmid_lock);
+
+ /*
+ * We need to re-check the vmid_gen here to ensure that if another vcpu
+@@ -497,7 +494,7 @@ static void update_vttbr(struct kvm *kvm
+ * use the same vmid.
+ */
+ if (!need_new_vmid_gen(kvm)) {
+- write_unlock(&kvm_vmid_lock);
++ spin_unlock(&kvm_vmid_lock);
+ return;
+ }
+
+@@ -520,7 +517,6 @@ static void update_vttbr(struct kvm *kvm
+ kvm_call_hyp(__kvm_flush_vm_context);
+ }
+
+- kvm->arch.vmid_gen = atomic64_read(&kvm_vmid_gen);
+ kvm->arch.vmid = kvm_next_vmid;
+ kvm_next_vmid++;
+ kvm_next_vmid &= (1 << kvm_vmid_bits) - 1;
+@@ -531,7 +527,10 @@ static void update_vttbr(struct kvm *kvm
+ vmid = ((u64)(kvm->arch.vmid) << VTTBR_VMID_SHIFT) & VTTBR_VMID_MASK(kvm_vmid_bits);
+ kvm->arch.vttbr = kvm_phys_to_vttbr(pgd_phys) | vmid;
+
+- write_unlock(&kvm_vmid_lock);
++ smp_wmb();
++ WRITE_ONCE(kvm->arch.vmid_gen, atomic64_read(&kvm_vmid_gen));
++
++ spin_unlock(&kvm_vmid_lock);
+ }
+
+ static int kvm_vcpu_first_run_init(struct kvm_vcpu *vcpu)
diff --git a/patches.arch/KVM-arm-arm64-Fix-lost-IRQs-from-emulated-physcial-t.patch b/patches.arch/KVM-arm-arm64-Fix-lost-IRQs-from-emulated-physcial-t.patch
new file mode 100644
index 0000000000..c1b31b68fe
--- /dev/null
+++ b/patches.arch/KVM-arm-arm64-Fix-lost-IRQs-from-emulated-physcial-t.patch
@@ -0,0 +1,51 @@
+From: Christoffer Dall <christoffer.dall@arm.com>
+Date: Wed, 25 Jul 2018 10:21:28 +0100
+Subject: KVM: arm/arm64: Fix lost IRQs from emulated physcial timer when
+ blocked
+Patch-mainline: v4.19-rc1
+Git-commit: 245715cbe83ca934af5d20e078fd85175c62995e
+References: bsc#1133021
+
+When the VCPU is blocked (for example from WFI) we don't inject the
+physical timer interrupt if it should fire while the CPU is blocked, but
+instead we just wake up the VCPU and expect kvm_timer_vcpu_load to take
+care of injecting the interrupt.
+
+Unfortunately, kvm_timer_vcpu_load() doesn't actually do that, it only
+has support to schedule a soft timer if the emulated phys timer is
+expected to fire in the future.
+
+Follow the same pattern as kvm_timer_update_state() and update the irq
+state after potentially scheduling a soft timer.
+
+Reported-by: Andre Przywara <andre.przywara@arm.com>
+Cc: Stable <stable@vger.kernel.org> # 4.15+
+Fixes: bbdd52cfcba29 ("KVM: arm/arm64: Avoid phys timer emulation in vcpu entry/exit")
+Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ virt/kvm/arm/arch_timer.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/virt/kvm/arm/arch_timer.c
++++ b/virt/kvm/arm/arch_timer.c
+@@ -474,6 +474,7 @@ void kvm_timer_vcpu_load(struct kvm_vcpu
+ {
+ struct arch_timer_cpu *timer = &vcpu->arch.timer_cpu;
+ struct arch_timer_context *vtimer = vcpu_vtimer(vcpu);
++ struct arch_timer_context *ptimer = vcpu_ptimer(vcpu);
+
+ if (unlikely(!timer->enabled))
+ return;
+@@ -489,6 +490,10 @@ void kvm_timer_vcpu_load(struct kvm_vcpu
+
+ /* Set the background timer for the physical timer emulation. */
+ phys_timer_emulate(vcpu);
++
++ /* If the timer fired while we weren't running, inject it now */
++ if (kvm_timer_should_fire(ptimer) != ptimer->irq.level)
++ kvm_timer_update_irq(vcpu, !ptimer->irq.level, ptimer);
+ }
+
+ bool kvm_timer_should_notify_user(struct kvm_vcpu *vcpu)
diff --git a/patches.arch/KVM-arm-arm64-Handle-CPU_PM_ENTER_FAILED.patch b/patches.arch/KVM-arm-arm64-Handle-CPU_PM_ENTER_FAILED.patch
new file mode 100644
index 0000000000..f18ac63d01
--- /dev/null
+++ b/patches.arch/KVM-arm-arm64-Handle-CPU_PM_ENTER_FAILED.patch
@@ -0,0 +1,41 @@
+From: James Morse <james.morse@arm.com>
+Date: Mon, 22 Jan 2018 18:19:06 +0000
+Subject: KVM: arm/arm64: Handle CPU_PM_ENTER_FAILED
+Patch-mainline: v4.16-rc1
+Git-commit: 58d6b15e9da5042a99c9c30ad725792e4569150e
+References: bsc#1133021
+
+cpu_pm_enter() calls the pm notifier chain with CPU_PM_ENTER, then if
+there is a failure: CPU_PM_ENTER_FAILED.
+
+When KVM receives CPU_PM_ENTER it calls cpu_hyp_reset() which will
+return us to the hyp-stub. If we subsequently get a CPU_PM_ENTER_FAILED,
+KVM does nothing, leaving the CPU running with the hyp-stub, at odds
+with kvm_arm_hardware_enabled.
+
+Add CPU_PM_ENTER_FAILED as a fallthrough for CPU_PM_EXIT, this reloads
+KVM based on kvm_arm_hardware_enabled. This is safe even if CPU_PM_ENTER
+never gets as far as KVM, as cpu_hyp_reinit() calls cpu_hyp_reset()
+to make sure the hyp-stub is loaded before reloading KVM.
+
+Fixes: 67f691976662 ("arm64: kvm: allows kvm cpu hotplug")
+Cc: <stable@vger.kernel.org> # v4.7+
+CC: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: James Morse <james.morse@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ virt/kvm/arm/arm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/virt/kvm/arm/arm.c
++++ b/virt/kvm/arm/arm.c
+@@ -1236,6 +1236,7 @@ static int hyp_init_cpu_pm_notifier(stru
+ cpu_hyp_reset();
+
+ return NOTIFY_OK;
++ case CPU_PM_ENTER_FAILED:
+ case CPU_PM_EXIT:
+ if (__this_cpu_read(kvm_arm_hardware_enabled))
+ /* The hardware was enabled before suspend. */
diff --git a/patches.arch/KVM-arm-arm64-Reduce-verbosity-of-KVM-init-log.patch b/patches.arch/KVM-arm-arm64-Reduce-verbosity-of-KVM-init-log.patch
new file mode 100644
index 0000000000..48b2bf27e5
--- /dev/null
+++ b/patches.arch/KVM-arm-arm64-Reduce-verbosity-of-KVM-init-log.patch
@@ -0,0 +1,76 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Fri, 2 Mar 2018 08:16:30 +0000
+Subject: KVM: arm/arm64: Reduce verbosity of KVM init log
+Patch-mainline: v4.16-rc6
+Git-commit: 76600428c3677659e3c3633bb4f2ea302220a275
+References: bsc#1133021
+
+On my GICv3 system, the following is printed to the kernel log at boot:
+
+ kvm [1]: 8-bit VMID
+ kvm [1]: IDMAP page: d20e35000
+ kvm [1]: HYP VA range: 800000000000:ffffffffffff
+ kvm [1]: vgic-v2@2c020000
+ kvm [1]: GIC system register CPU interface enabled
+ kvm [1]: vgic interrupt IRQ1
+ kvm [1]: virtual timer IRQ4
+ kvm [1]: Hyp mode initialized successfully
+
+The KVM IDMAP is a mapping of a statically allocated kernel structure,
+and so printing its physical address leaks the physical placement of
+the kernel when physical KASLR in effect. So change the kvm_info() to
+kvm_debug() to remove it from the log output.
+
+While at it, trim the output a bit more: IRQ numbers can be found in
+/proc/interrupts, and the HYP VA and vgic-v2 lines are not highly
+informational either.
+
+Cc: <stable@vger.kernel.org>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Acked-by: Christoffer Dall <cdall@kernel.org>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ virt/kvm/arm/arch_timer.c | 2 +-
+ virt/kvm/arm/mmu.c | 6 +++---
+ virt/kvm/arm/vgic/vgic-v2.c | 2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/virt/kvm/arm/arch_timer.c
++++ b/virt/kvm/arm/arch_timer.c
+@@ -773,7 +773,7 @@ int kvm_timer_hyp_init(bool has_gic)
+ }
+ }
+
+- kvm_info("virtual timer IRQ%d\n", host_vtimer_irq);
++ kvm_debug("virtual timer IRQ%d\n", host_vtimer_irq);
+
+ cpuhp_setup_state(CPUHP_AP_KVM_ARM_TIMER_STARTING,
+ "kvm/arm/timer:starting", kvm_timer_starting_cpu,
+--- a/virt/kvm/arm/mmu.c
++++ b/virt/kvm/arm/mmu.c
+@@ -1760,9 +1760,9 @@ int kvm_mmu_init(void)
+ */
+ BUG_ON((hyp_idmap_start ^ (hyp_idmap_end - 1)) & PAGE_MASK);
+
+- kvm_info("IDMAP page: %lx\n", hyp_idmap_start);
+- kvm_info("HYP VA range: %lx:%lx\n",
+- kern_hyp_va(PAGE_OFFSET), kern_hyp_va(~0UL));
++ kvm_debug("IDMAP page: %lx\n", hyp_idmap_start);
++ kvm_debug("HYP VA range: %lx:%lx\n",
++ kern_hyp_va(PAGE_OFFSET), kern_hyp_va(~0UL));
+
+ if (hyp_idmap_start >= kern_hyp_va(PAGE_OFFSET) &&
+ hyp_idmap_start < kern_hyp_va(~0UL) &&
+--- a/virt/kvm/arm/vgic/vgic-v2.c
++++ b/virt/kvm/arm/vgic/vgic-v2.c
+@@ -381,7 +381,7 @@ int vgic_v2_probe(const struct gic_kvm_i
+ kvm_vgic_global_state.type = VGIC_V2;
+ kvm_vgic_global_state.max_gic_vcpus = VGIC_V2_MAX_CPUS;
+
+- kvm_info("vgic-v2@%llx\n", info->vctrl.start);
++ kvm_debug("vgic-v2@%llx\n", info->vctrl.start);
+
+ return 0;
+ out:
diff --git a/patches.arch/KVM-arm-arm64-Set-dist-spis-to-NULL-after-kfree.patch b/patches.arch/KVM-arm-arm64-Set-dist-spis-to-NULL-after-kfree.patch
new file mode 100644
index 0000000000..af1ad86638
--- /dev/null
+++ b/patches.arch/KVM-arm-arm64-Set-dist-spis-to-NULL-after-kfree.patch
@@ -0,0 +1,37 @@
+From: Eric Auger <eric.auger@redhat.com>
+Date: Tue, 22 May 2018 09:55:06 +0200
+Subject: KVM: arm/arm64: Set dist->spis to NULL after kfree
+Patch-mainline: v4.18-rc1
+Git-commit: 9153ab724ea1f47840cab0cedb12683b37272067
+References: bsc#1133021
+
+in case kvm_vgic_map_resources() fails, typically if the vgic
+distributor is not defined, __kvm_vgic_destroy will be called
+several times. Indeed kvm_vgic_map_resources() is called on
+first vcpu run. As a result dist->spis is freeed more than once
+and on the second time it causes a "kernel BUG at mm/slub.c:3912!"
+
+Set dist->spis to NULL to avoid the crash.
+
+Fixes: ad275b8bb1e6 ("KVM: arm/arm64: vgic-new: vgic_init: implement
+vgic_init")
+
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ virt/kvm/arm/vgic/vgic-init.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/virt/kvm/arm/vgic/vgic-init.c
++++ b/virt/kvm/arm/vgic/vgic-init.c
+@@ -325,6 +325,7 @@ static void kvm_vgic_dist_destroy(struct
+ dist->initialized = false;
+
+ kfree(dist->spis);
++ dist->spis = NULL;
+ dist->nr_spis = 0;
+
+ if (vgic_supports_direct_msis(kvm))
diff --git a/patches.arch/KVM-arm-arm64-Skip-updating-PMD-entry-if-no-change.patch b/patches.arch/KVM-arm-arm64-Skip-updating-PMD-entry-if-no-change.patch
new file mode 100644
index 0000000000..b7576ccdd6
--- /dev/null
+++ b/patches.arch/KVM-arm-arm64-Skip-updating-PMD-entry-if-no-change.patch
@@ -0,0 +1,83 @@
+From: Punit Agrawal <punit.agrawal@arm.com>
+Date: Mon, 13 Aug 2018 11:43:50 +0100
+Subject: KVM: arm/arm64: Skip updating PMD entry if no change
+Patch-mainline: v4.19-rc1
+Git-commit: 86658b819cd0a9aa584cd84453ed268a6f013770
+References: bsc#1133021
+
+Contention on updating a PMD entry by a large number of vcpus can lead
+to duplicate work when handling stage 2 page faults. As the page table
+update follows the break-before-make requirement of the architecture,
+it can lead to repeated refaults due to clearing the entry and
+flushing the tlbs.
+
+This problem is more likely when -
+
+* there are large number of vcpus
+* the mapping is large block mapping
+
+such as when using PMD hugepages (512MB) with 64k pages.
+
+Fix this by skipping the page table update if there is no change in
+the entry being updated.
+
+Cc: stable@vger.kernel.org
+Fixes: ad361f093c1e ("KVM: ARM: Support hugetlbfs backed huge pages")
+Reviewed-by: Suzuki Poulose <suzuki.poulose@arm.com>
+Acked-by: Christoffer Dall <christoffer.dall@arm.com>
+Signed-off-by: Punit Agrawal <punit.agrawal@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ virt/kvm/arm/mmu.c | 38 +++++++++++++++++++++++++++-----------
+ 1 file changed, 27 insertions(+), 11 deletions(-)
+
+--- a/virt/kvm/arm/mmu.c
++++ b/virt/kvm/arm/mmu.c
+@@ -917,19 +917,35 @@ static int stage2_set_pmd_huge(struct kv
+ pmd = stage2_get_pmd(kvm, cache, addr);
+ VM_BUG_ON(!pmd);
+
+- /*
+- * Mapping in huge pages should only happen through a fault. If a
+- * page is merged into a transparent huge page, the individual
+- * subpages of that huge page should be unmapped through MMU
+- * notifiers before we get here.
+- *
+- * Merging of CompoundPages is not supported; they should become
+- * splitting first, unmapped, merged, and mapped back in on-demand.
+- */
+- VM_BUG_ON(pmd_present(*pmd) && pmd_pfn(*pmd) != pmd_pfn(*new_pmd));
+-
+ old_pmd = *pmd;
+ if (pmd_present(old_pmd)) {
++ /*
++ * Multiple vcpus faulting on the same PMD entry, can
++ * lead to them sequentially updating the PMD with the
++ * same value. Following the break-before-make
++ * (pmd_clear() followed by tlb_flush()) process can
++ * hinder forward progress due to refaults generated
++ * on missing translations.
++ *
++ * Skip updating the page table if the entry is
++ * unchanged.
++ */
++ if (pmd_val(old_pmd) == pmd_val(*new_pmd))
++ return 0;
++
++ /*
++ * Mapping in huge pages should only happen through a
++ * fault. If a page is merged into a transparent huge
++ * page, the individual subpages of that huge page
++ * should be unmapped through MMU notifiers before we
++ * get here.
++ *
++ * Merging of CompoundPages is not supported; they
++ * should become splitting first, unmapped, merged,
++ * and mapped back in on-demand.
++ */
++ VM_BUG_ON(pmd_pfn(old_pmd) != pmd_pfn(*new_pmd));
++
+ pmd_clear(pmd);
+ kvm_tlb_flush_vmid_ipa(kvm, addr);
+ } else {
diff --git a/patches.arch/KVM-arm-arm64-Skip-updating-PTE-entry-if-no-change.patch b/patches.arch/KVM-arm-arm64-Skip-updating-PTE-entry-if-no-change.patch
new file mode 100644
index 0000000000..08993730b9
--- /dev/null
+++ b/patches.arch/KVM-arm-arm64-Skip-updating-PTE-entry-if-no-change.patch
@@ -0,0 +1,38 @@
+From: Punit Agrawal <punit.agrawal@arm.com>
+Date: Mon, 13 Aug 2018 11:43:51 +0100
+Subject: KVM: arm/arm64: Skip updating PTE entry if no change
+Patch-mainline: v4.19-rc1
+Git-commit: 976d34e2dab10ece5ea8fe7090b7692913f89084
+References: bsc#1133021
+
+When there is contention on faulting in a particular page table entry
+at stage 2, the break-before-make requirement of the architecture can
+lead to additional refaulting due to TLB invalidation.
+
+Avoid this by skipping a page table update if the new value of the PTE
+matches the previous value.
+
+Cc: stable@vger.kernel.org
+Fixes: d5d8184d35c9 ("KVM: ARM: Memory virtualization setup")
+Reviewed-by: Suzuki Poulose <suzuki.poulose@arm.com>
+Acked-by: Christoffer Dall <christoffer.dall@arm.com>
+Signed-off-by: Punit Agrawal <punit.agrawal@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ virt/kvm/arm/mmu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/virt/kvm/arm/mmu.c
++++ b/virt/kvm/arm/mmu.c
+@@ -1001,6 +1001,10 @@ static int stage2_set_pte(struct kvm *kv
+ /* Create 2nd stage page table mapping - Level 3 */
+ old_pte = *pte;
+ if (pte_present(old_pte)) {
++ /* Skip page table update if there is no change */
++ if (pte_val(old_pte) == pte_val(*new_pte))
++ return 0;
++
+ kvm_set_pte(pte, __pte(0));
+ kvm_tlb_flush_vmid_ipa(kvm, addr);
+ } else {
diff --git a/patches.arch/KVM-arm-arm64-vgic-Add-missing-irq_lock-to-vgic_mmio.patch b/patches.arch/KVM-arm-arm64-vgic-Add-missing-irq_lock-to-vgic_mmio.patch
new file mode 100644
index 0000000000..89f5de83e3
--- /dev/null
+++ b/patches.arch/KVM-arm-arm64-vgic-Add-missing-irq_lock-to-vgic_mmio.patch
@@ -0,0 +1,47 @@
+From: Andre Przywara <andre.przywara@arm.com>
+Date: Tue, 6 Mar 2018 09:21:06 +0000
+Subject: KVM: arm/arm64: vgic: Add missing irq_lock to vgic_mmio_read_pending
+Patch-mainline: v4.16-rc6
+Git-commit: 62b06f8f429cd233e4e2e7bbd21081ad60c9018f
+References: bsc#1133021
+
+Our irq_is_pending() helper function accesses multiple members of the
+vgic_irq struct, so we need to hold the lock when calling it.
+Add that requirement as a comment to the definition and take the lock
+around the call in vgic_mmio_read_pending(), where we were missing it
+before.
+
+Fixes: 96b298000db4 ("KVM: arm/arm64: vgic-new: Add PENDING registers handlers")
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ virt/kvm/arm/vgic/vgic-mmio.c | 3 +++
+ virt/kvm/arm/vgic/vgic.h | 1 +
+ 2 files changed, 4 insertions(+)
+
+--- a/virt/kvm/arm/vgic/vgic-mmio.c
++++ b/virt/kvm/arm/vgic/vgic-mmio.c
+@@ -112,9 +112,12 @@ unsigned long vgic_mmio_read_pending(str
+ /* Loop over all IRQs affected by this read */
+ for (i = 0; i < len * 8; i++) {
+ struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
++ unsigned long flags;
+
++ spin_lock_irqsave(&irq->irq_lock, flags);
+ if (irq_is_pending(irq))
+ value |= (1U << i);
++ spin_unlock_irqrestore(&irq->irq_lock, flags);
+
+ vgic_put_irq(vcpu->kvm, irq);
+ }
+--- a/virt/kvm/arm/vgic/vgic.h
++++ b/virt/kvm/arm/vgic/vgic.h
+@@ -96,6 +96,7 @@
+ /* we only support 64 kB translation table page size */
+ #define KVM_ITS_L1E_ADDR_MASK GENMASK_ULL(51, 16)
+
++/* Requires the irq_lock to be held by the caller. */
+ static inline bool irq_is_pending(struct vgic_irq *irq)
+ {
+ if (irq->config == VGIC_CONFIG_EDGE)
diff --git a/patches.arch/KVM-arm-arm64-vgic-Fix-kvm_device-leak-in-vgic_its_d.patch b/patches.arch/KVM-arm-arm64-vgic-Fix-kvm_device-leak-in-vgic_its_d.patch
new file mode 100644
index 0000000000..5b40c44116
--- /dev/null
+++ b/patches.arch/KVM-arm-arm64-vgic-Fix-kvm_device-leak-in-vgic_its_d.patch
@@ -0,0 +1,40 @@
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Thu, 6 Jun 2019 11:58:07 +0100
+Subject: KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy
+Patch-mainline: v5.2-rc6
+Git-commit: 4729ec8c1e1145234aeeebad5d96d77f4ccbb00a
+References: bsc#1133021
+
+kvm_device->destroy() seems to be supposed to free its kvm_device
+struct, but vgic_its_destroy() is not currently doing this,
+resulting in a memory leak, resulting in kmemleak reports such as
+the following:
+
+unreferenced object 0xffff800aeddfe280 (size 128):
+ comm "qemu-system-aar", pid 13799, jiffies 4299827317 (age 1569.844s)
+ [...]
+ backtrace:
+ [<00000000a08b80e2>] kmem_cache_alloc+0x178/0x208
+ [<00000000dcad2bd3>] kvm_vm_ioctl+0x350/0xbc0
+
+Fix it.
+
+Cc: Andre Przywara <andre.przywara@arm.com>
+Fixes: 1085fdc68c60 ("KVM: arm64: vgic-its: Introduce new KVM ITS device")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ virt/kvm/arm/vgic/vgic-its.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/virt/kvm/arm/vgic/vgic-its.c
++++ b/virt/kvm/arm/vgic/vgic-its.c
+@@ -1745,6 +1745,7 @@ static void vgic_its_destroy(struct kvm_
+
+ mutex_unlock(&its->its_lock);
+ kfree(its);
++ kfree(kvm_dev);/* alloc by kvm_ioctl_create_device, free by .destroy */
+ }
+
+ int vgic_its_has_attr_regs(struct kvm_device *dev,
diff --git a/patches.arch/KVM-arm-arm64-vgic-its-Fix-potential-overrun-in-vgic.patch b/patches.arch/KVM-arm-arm64-vgic-its-Fix-potential-overrun-in-vgic.patch
new file mode 100644
index 0000000000..7931248fd5
--- /dev/null
+++ b/patches.arch/KVM-arm-arm64-vgic-its-Fix-potential-overrun-in-vgic.patch
@@ -0,0 +1,74 @@
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Fri, 23 Mar 2018 14:57:09 +0000
+Subject: KVM: arm/arm64: vgic-its: Fix potential overrun in vgic_copy_lpi_list
+Patch-mainline: v4.17-rc1
+Git-commit: 7d8b44c54e0c7c8f688e3a07f17e6083f849f01f
+References: bsc#1133021
+
+vgic_copy_lpi_list() parses the LPI list and picks LPIs targeting
+a given vcpu. We allocate the array containing the intids before taking
+the lpi_list_lock, which means we can have an array size that is not
+equal to the number of LPIs.
+
+This is particularly obvious when looking at the path coming from
+vgic_enable_lpis, which is not a command, and thus can run in parallel
+with commands:
+
+vcpu 0: vcpu 1:
+vgic_enable_lpis
+ its_sync_lpi_pending_table
+ vgic_copy_lpi_list
+ intids = kmalloc_array(irq_count)
+ MAPI(lpi targeting vcpu 0)
+ list_for_each_entry(lpi_list_head)
+ intids[i++] = irq->intid;
+
+At that stage, we will happily overrun the intids array. Boo. An easy
+fix is is to break once the array is full. The MAPI command will update
+the config anyway, and we won't miss a thing. We also make sure that
+lpi_list_count is read exactly once, so that further updates of that
+value will not affect the array bound check.
+
+Cc: stable@vger.kernel.org
+Fixes: ccb1d791ab9e ("KVM: arm64: vgic-its: Fix pending table sync")
+Reviewed-by: Andre Przywara <andre.przywara@arm.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ virt/kvm/arm/vgic/vgic-its.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/virt/kvm/arm/vgic/vgic-its.c
++++ b/virt/kvm/arm/vgic/vgic-its.c
+@@ -316,21 +316,24 @@ static int vgic_copy_lpi_list(struct kvm
+ struct vgic_dist *dist = &vcpu->kvm->arch.vgic;
+ struct vgic_irq *irq;
+ u32 *intids;
+- int irq_count = dist->lpi_list_count, i = 0;
++ int irq_count, i = 0;
+
+ /*
+- * We use the current value of the list length, which may change
+- * after the kmalloc. We don't care, because the guest shouldn't
+- * change anything while the command handling is still running,
+- * and in the worst case we would miss a new IRQ, which one wouldn't
+- * expect to be covered by this command anyway.
++ * There is an obvious race between allocating the array and LPIs
++ * being mapped/unmapped. If we ended up here as a result of a
++ * command, we're safe (locks are held, preventing another
++ * command). If coming from another path (such as enabling LPIs),
++ * we must be careful not to overrun the array.
+ */
++ irq_count = READ_ONCE(dist->lpi_list_count);
+ intids = kmalloc_array(irq_count, sizeof(intids[0]), GFP_KERNEL);
+ if (!intids)
+ return -ENOMEM;
+
+ spin_lock(&dist->lpi_list_lock);
+ list_for_each_entry(irq, &dist->lpi_list_head, lpi_list) {
++ if (i == irq_count)
++ break;
+ /* We don't need to "get" the IRQ, as we hold the list lock. */
+ if (irq->target_vcpu != vcpu)
+ continue;
diff --git a/patches.arch/KVM-arm64-Fix-caching-of-host-MDCR_EL2-value.patch b/patches.arch/KVM-arm64-Fix-caching-of-host-MDCR_EL2-value.patch
new file mode 100644
index 0000000000..e87a8954ba
--- /dev/null
+++ b/patches.arch/KVM-arm64-Fix-caching-of-host-MDCR_EL2-value.patch
@@ -0,0 +1,54 @@
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Wed, 17 Oct 2018 17:42:10 +0100
+Subject: KVM: arm64: Fix caching of host MDCR_EL2 value
+Patch-mainline: v4.20-rc1
+Git-commit: da5a3ce66b8bb51b0ea8a89f42aac153903f90fb
+References: bsc#1133021
+
+At boot time, KVM stashes the host MDCR_EL2 value, but only does this
+when the kernel is not running in hyp mode (i.e. is non-VHE). In these
+cases, the stashed value of MDCR_EL2.HPMN happens to be zero, which can
+lead to CONSTRAINED UNPREDICTABLE behaviour.
+
+Since we use this value to derive the MDCR_EL2 value when switching
+to/from a guest, after a guest have been run, the performance counters
+do not behave as expected. This has been observed to result in accesses
+via PMXEVTYPER_EL0 and PMXEVCNTR_EL0 not affecting the relevant
+counters, resulting in events not being counted. In these cases, only
+the fixed-purpose cycle counter appears to work as expected.
+
+Fix this by always stashing the host MDCR_EL2 value, regardless of VHE.
+
+Cc: Christopher Dall <christoffer.dall@arm.com>
+Cc: James Morse <james.morse@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: stable@vger.kernel.org
+Fixes: 1e947bad0b63b351 ("arm64: KVM: Skip HYP setup when already running in HYP")
+Tested-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ virt/kvm/arm/arm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/virt/kvm/arm/arm.c
++++ b/virt/kvm/arm/arm.c
+@@ -1179,8 +1179,6 @@ static void cpu_init_hyp_mode(void *dumm
+
+ __cpu_init_hyp_mode(pgd_ptr, hyp_stack_ptr, vector_ptr);
+ __cpu_init_stage2();
+-
+- kvm_arm_init_debug();
+ }
+
+ static void cpu_hyp_reset(void)
+@@ -1204,6 +1202,8 @@ static void cpu_hyp_reinit(void)
+ cpu_init_hyp_mode(NULL);
+ }
+
++ kvm_arm_init_debug();
++
+ if (vgic_present)
+ kvm_vgic_init_cpu_hardware();
+ }
diff --git a/patches.arch/KVM-mmu-Fix-overlap-between-public-and-private-memsl.patch b/patches.arch/KVM-mmu-Fix-overlap-between-public-and-private-memsl.patch
new file mode 100644
index 0000000000..a7bd60a79c
--- /dev/null
+++ b/patches.arch/KVM-mmu-Fix-overlap-between-public-and-private-memsl.patch
@@ -0,0 +1,114 @@
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Tue, 13 Feb 2018 15:36:00 +0100
+Subject: KVM: mmu: Fix overlap between public and private memslots
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Patch-mainline: v4.16-rc4
+Git-commit: b28676bb8ae4569cced423dc2a88f7cb319d5379
+References: bsc#1133021
+
+Reported by syzkaller:
+
+ pte_list_remove: ffff9714eb1f8078 0->BUG
+ ------------[ cut here ]------------
+ kernel BUG at arch/x86/kvm/mmu.c:1157!
+ invalid opcode: 0000 [#1] SMP
+ RIP: 0010:pte_list_remove+0x11b/0x120 [kvm]
+ Call Trace:
+ drop_spte+0x83/0xb0 [kvm]
+ mmu_page_zap_pte+0xcc/0xe0 [kvm]
+ kvm_mmu_prepare_zap_page+0x81/0x4a0 [kvm]
+ kvm_mmu_invalidate_zap_all_pages+0x159/0x220 [kvm]
+ kvm_arch_flush_shadow_all+0xe/0x10 [kvm]
+ kvm_mmu_notifier_release+0x6c/0xa0 [kvm]
+ ? kvm_mmu_notifier_release+0x5/0xa0 [kvm]
+ __mmu_notifier_release+0x79/0x110
+ ? __mmu_notifier_release+0x5/0x110
+ exit_mmap+0x15a/0x170
+ ? do_exit+0x281/0xcb0
+ mmput+0x66/0x160
+ do_exit+0x2c9/0xcb0
+ ? __context_tracking_exit.part.5+0x4a/0x150
+ do_group_exit+0x50/0xd0
+ SyS_exit_group+0x14/0x20
+ do_syscall_64+0x73/0x1f0
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+The reason is that when creates new memslot, there is no guarantee for new
+memslot not overlap with private memslots. This can be triggered by the
+following program:
+
+ #include <fcntl.h>
+ #include <pthread.h>
+ #include <setjmp.h>
+ #include <signal.h>
+ #include <stddef.h>
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <sys/ioctl.h>
+ #include <sys/stat.h>
+ #include <sys/syscall.h>
+ #include <sys/types.h>
+ #include <unistd.h>
+ #include <linux/kvm.h>
+
+ long r[16];
+
+ int main()
+ {
+ void *p = valloc(0x4000);
+
+ r[2] = open("/dev/kvm", 0);
+ r[3] = ioctl(r[2], KVM_CREATE_VM, 0x0ul);
+
+ uint64_t addr = 0xf000;
+ ioctl(r[3], KVM_SET_IDENTITY_MAP_ADDR, &addr);
+ r[6] = ioctl(r[3], KVM_CREATE_VCPU, 0x0ul);
+ ioctl(r[3], KVM_SET_TSS_ADDR, 0x0ul);
+ ioctl(r[6], KVM_RUN, 0);
+ ioctl(r[6], KVM_RUN, 0);
+
+ struct kvm_userspace_memory_region mr = {
+ .slot = 0,
+ .flags = KVM_MEM_LOG_DIRTY_PAGES,
+ .guest_phys_addr = 0xf000,
+ .memory_size = 0x4000,
+ .userspace_addr = (uintptr_t) p
+ };
+ ioctl(r[3], KVM_SET_USER_MEMORY_REGION, &mr);
+ return 0;
+ }
+
+This patch fixes the bug by not adding a new memslot even if it
+overlaps with private memslots.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Eric Biggers <ebiggers3@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ virt/kvm/kvm_main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+---
+ virt/kvm/kvm_main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1016,8 +1016,7 @@ int __kvm_set_memory_region(struct kvm *
+ /* Check for overlaps */
+ r = -EEXIST;
+ kvm_for_each_memslot(slot, __kvm_memslots(kvm, as_id)) {
+- if ((slot->id >= KVM_USER_MEM_SLOTS) ||
+- (slot->id == id))
++ if (slot->id == id)
+ continue;
+ if (!((base_gfn + npages <= slot->base_gfn) ||
+ (base_gfn >= slot->base_gfn + slot->npages)))
diff --git a/patches.arch/arm64-KVM-Fix-architecturally-invalid-reset-value-fo.patch b/patches.arch/arm64-KVM-Fix-architecturally-invalid-reset-value-fo.patch
new file mode 100644
index 0000000000..b2a2d51d84
--- /dev/null
+++ b/patches.arch/arm64-KVM-Fix-architecturally-invalid-reset-value-fo.patch
@@ -0,0 +1,41 @@
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Thu, 21 Feb 2019 11:42:32 +0000
+Subject: arm64: KVM: Fix architecturally invalid reset value for FPEXC32_EL2
+Patch-mainline: v5.1-rc1
+Git-commit: c88b093693ccbe41991ef2e9b1d251945e6e54ed
+References: bsc#1133021
+
+Due to what looks like a typo dating back to the original addition
+of FPEXC32_EL2 handling, KVM currently initialises this register to
+an architecturally invalid value.
+
+As a result, the VECITR field (RES1) in bits [10:8] is initialised
+with 0, and the two reserved (RES0) bits [6:5] are initialised with
+1. (In the Common VFP Subarchitecture as specified by ARMv7-A,
+these two bits were IMP DEF. ARMv8-A removes them.)
+
+This patch changes the reset value from 0x70 to 0x700, which
+reflects the architectural constraints and is presumably what was
+originally intended.
+
+Cc: <stable@vger.kernel.org> # 4.12.x-
+Cc: Christoffer Dall <christoffer.dall@arm.com>
+Fixes: 62a89c44954f ("arm64: KVM: 32bit handling of coprocessor traps")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ arch/arm64/kvm/sys_regs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kvm/sys_regs.c
++++ b/arch/arm64/kvm/sys_regs.c
+@@ -1285,7 +1285,7 @@ static const struct sys_reg_desc sys_reg
+
+ { SYS_DESC(SYS_DACR32_EL2), NULL, reset_unknown, DACR32_EL2 },
+ { SYS_DESC(SYS_IFSR32_EL2), NULL, reset_unknown, IFSR32_EL2 },
+- { SYS_DESC(SYS_FPEXC32_EL2), NULL, reset_val, FPEXC32_EL2, 0x70 },
++ { SYS_DESC(SYS_FPEXC32_EL2), NULL, reset_val, FPEXC32_EL2, 0x700 },
+ };
+
+ static bool trap_dbgidr(struct kvm_vcpu *vcpu,
diff --git a/patches.arch/kvm-Disallow-wraparound-in-kvm_gfn_to_hva_cache_init.patch b/patches.arch/kvm-Disallow-wraparound-in-kvm_gfn_to_hva_cache_init.patch
new file mode 100644
index 0000000000..4db5a0cf76
--- /dev/null
+++ b/patches.arch/kvm-Disallow-wraparound-in-kvm_gfn_to_hva_cache_init.patch
@@ -0,0 +1,86 @@
+From: Jim Mattson <jmattson@google.com>
+Date: Mon, 17 Dec 2018 13:53:33 -0800
+Subject: kvm: Disallow wraparound in kvm_gfn_to_hva_cache_init
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Patch-mainline: v5.0-rc1
+Git-commit: f1b9dd5eb86cec1fcf66aad17e7701d98d024a9a
+References: bsc#1133021
+
+Previously, in the case where (gpa + len) wrapped around, the entire
+region was not validated, as the comment claimed. It doesn't actually
+seem that wraparound should be allowed here at all.
+
+Furthermore, since some callers don't check the return code from this
+function, it seems prudent to clear ghc->memslot in the event of an
+error.
+
+Fixes: 8f964525a121f ("KVM: Allow cross page reads and writes from cached translations.")
+Reported-by: Cfir Cohen <cfir@google.com>
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: Cfir Cohen <cfir@google.com>
+Reviewed-by: Marc Orr <marcorr@google.com>
+Cc: Andrew Honig <ahonig@google.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ virt/kvm/kvm_main.c | 41 +++++++++++++++++++++--------------------
+ 1 file changed, 21 insertions(+), 20 deletions(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1969,32 +1969,33 @@ static int __kvm_gfn_to_hva_cache_init(s
+ gfn_t end_gfn = (gpa + len - 1) >> PAGE_SHIFT;
+ gfn_t nr_pages_needed = end_gfn - start_gfn + 1;
+ gfn_t nr_pages_avail;
++ int r = start_gfn <= end_gfn ? 0 : -EINVAL;
+
+ ghc->gpa = gpa;
+ ghc->generation = slots->generation;
+ ghc->len = len;
+- ghc->memslot = __gfn_to_memslot(slots, start_gfn);
+- ghc->hva = gfn_to_hva_many(ghc->memslot, start_gfn, NULL);
+- if (!kvm_is_error_hva(ghc->hva) && nr_pages_needed <= 1) {
++ ghc->hva = KVM_HVA_ERR_BAD;
++
++ /*
++ * If the requested region crosses two memslots, we still
++ * verify that the entire region is valid here.
++ */
++ while (!r && start_gfn <= end_gfn) {
++ ghc->memslot = __gfn_to_memslot(slots, start_gfn);
++ ghc->hva = gfn_to_hva_many(ghc->memslot, start_gfn,
++ &nr_pages_avail);
++ if (kvm_is_error_hva(ghc->hva))
++ r = -EFAULT;
++ start_gfn += nr_pages_avail;
++ }
++
++ /* Use the slow path for cross page reads and writes. */
++ if (!r && nr_pages_needed == 1)
+ ghc->hva += offset;
+- } else {
+- /*
+- * If the requested region crosses two memslots, we still
+- * verify that the entire region is valid here.
+- */
+- while (start_gfn <= end_gfn) {
+- nr_pages_avail = 0;
+- ghc->memslot = __gfn_to_memslot(slots, start_gfn);
+- ghc->hva = gfn_to_hva_many(ghc->memslot, start_gfn,
+- &nr_pages_avail);
+- if (kvm_is_error_hva(ghc->hva))
+- return -EFAULT;
+- start_gfn += nr_pages_avail;
+- }
+- /* Use the slow path for cross page reads and writes. */
++ else
+ ghc->memslot = NULL;
+- }
+- return 0;
++
++ return r;
+ }
+
+ int kvm_gfn_to_hva_cache_init(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
diff --git a/patches.arch/kvm-arm-arm64-vgic-v3-Tighten-synchronization-for-gu.patch b/patches.arch/kvm-arm-arm64-vgic-v3-Tighten-synchronization-for-gu.patch
new file mode 100644
index 0000000000..398209a0c5
--- /dev/null
+++ b/patches.arch/kvm-arm-arm64-vgic-v3-Tighten-synchronization-for-gu.patch
@@ -0,0 +1,44 @@
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Tue, 6 Mar 2018 21:44:37 +0000
+Subject: kvm: arm/arm64: vgic-v3: Tighten synchronization for guests using v2
+ on v3
+Patch-mainline: v4.16-rc6
+Git-commit: 27e91ad1e746e341ca2312f29bccb9736be7b476
+References: bsc#1133021
+
+On guest exit, and when using GICv2 on GICv3, we use a dsb(st) to
+force synchronization between the memory-mapped guest view and
+the system-register view that the hypervisor uses.
+
+This is incorrect, as the spec calls out the need for "a DSB whose
+required access type is both loads and stores with any Shareability
+attribute", while we're only synchronizing stores.
+
+We also lack an isb after the dsb to ensure that the latter has
+actually been executed before we start reading stuff from the sysregs.
+
+The fix is pretty easy: turn dsb(st) into dsb(sy), and slap an isb()
+just after.
+
+Cc: stable@vger.kernel.org
+Fixes: f68d2b1b73cc ("arm64: KVM: Implement vgic-v3 save/restore")
+Acked-by: Christoffer Dall <cdall@kernel.org>
+Reviewed-by: Andre Przywara <andre.przywara@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Liang Yan <lyan@suse.com>
+---
+ virt/kvm/arm/hyp/vgic-v3-sr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/arm/hyp/vgic-v3-sr.c
++++ b/virt/kvm/arm/hyp/vgic-v3-sr.c
+@@ -215,7 +215,8 @@ void __hyp_text __vgic_v3_save_state(str
+ * are now visible to the system register interface.
+ */
+ if (!cpu_if->vgic_sre) {
+- dsb(st);
++ dsb(sy);
++ isb();
+ cpu_if->vgic_vmcr = read_gicreg(ICH_VMCR_EL2);
+ }
+
diff --git a/patches.arch/kvm-make-vm-ioctl-do-valloc-for-some-archs b/patches.arch/kvm-make-vm-ioctl-do-valloc-for-some-archs
index b1218e5d63..158c6dcc92 100644
--- a/patches.arch/kvm-make-vm-ioctl-do-valloc-for-some-archs
+++ b/patches.arch/kvm-make-vm-ioctl-do-valloc-for-some-archs
@@ -21,18 +21,18 @@ Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Joerg Roedel <jroedel@suse.de>
---
- arch/arm/include/asm/kvm_host.h | 4 ++++
- arch/arm64/include/asm/kvm_host.h | 4 ++++
- arch/x86/kvm/svm.c | 4 ++--
- arch/x86/kvm/vmx.c | 4 ++--
- include/linux/kvm_host.h | 5 +++++
- virt/kvm/arm/arm.c | 15 +++++++++++++++
+ arch/arm/include/asm/kvm_host.h | 4 ++++
+ arch/arm64/include/asm/kvm_host.h | 4 ++++
+ arch/x86/kvm/svm.c | 4 ++--
+ arch/x86/kvm/vmx.c | 4 ++--
+ include/linux/kvm_host.h | 5 +++++
+ virt/kvm/arm/arm.c | 15 +++++++++++++++
6 files changed, 32 insertions(+), 4 deletions(-)
--- a/arch/arm/include/asm/kvm_host.h
+++ b/arch/arm/include/asm/kvm_host.h
-@@ -310,4 +310,8 @@ static inline bool kvm_arm_harden_branch
- return false;
+@@ -320,4 +320,8 @@ static inline bool kvm_arm_harden_branch
+ }
}
+#define __KVM_HAVE_ARCH_VM_ALLOC
@@ -53,7 +53,7 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
#endif /* __ARM64_KVM_HOST_H__ */
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
-@@ -1799,12 +1799,12 @@ static void __unregister_enc_region_lock
+@@ -1807,12 +1807,12 @@ static void __unregister_enc_region_lock
static struct kvm *svm_vm_alloc(void)
{
@@ -70,7 +70,7 @@ Acked-by: Joerg Roedel <jroedel@suse.de>
static void sev_vm_destroy(struct kvm *kvm)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
-@@ -9632,12 +9632,12 @@ STACK_FRAME_NON_STANDARD(vmx_vcpu_run);
+@@ -9644,12 +9644,12 @@ STACK_FRAME_NON_STANDARD(vmx_vcpu_run);
static struct kvm *vmx_vm_alloc(void)
{
diff --git a/patches.drivers/Bluetooth-6lowpan-search-for-destination-address-in-.patch b/patches.drivers/Bluetooth-6lowpan-search-for-destination-address-in-.patch
new file mode 100644
index 0000000000..5e0c1656a1
--- /dev/null
+++ b/patches.drivers/Bluetooth-6lowpan-search-for-destination-address-in-.patch
@@ -0,0 +1,59 @@
+From b188b03270b7f8568fc714101ce82fbf5e811c5a Mon Sep 17 00:00:00 2001
+From: Josua Mayer <josua.mayer@jm0.eu>
+Date: Sat, 6 Jul 2019 17:54:46 +0200
+Subject: [PATCH] Bluetooth: 6lowpan: search for destination address in all peers
+Git-commit: b188b03270b7f8568fc714101ce82fbf5e811c5a
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Handle overlooked case where the target address is assigned to a peer
+and neither route nor gateway exist.
+
+For one peer, no checks are performed to see if it is meant to receive
+packets for a given address.
+
+As soon as there is a second peer however, checks are performed
+to deal with routes and gateways for handling complex setups with
+multiple hops to a target address.
+This logic assumed that no route and no gateway imply that the
+destination address can not be reached, which is false in case of a
+direct peer.
+
+Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
+Tested-by: Michael Scott <mike@foundries.io>
+Signed-off-by: Josua Mayer <josua.mayer@jm0.eu>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/bluetooth/6lowpan.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
+index 1555b0c6f7ec..9001bf331d56 100644
+--- a/net/bluetooth/6lowpan.c
++++ b/net/bluetooth/6lowpan.c
+@@ -180,10 +180,16 @@ static inline struct lowpan_peer *peer_lookup_dst(struct lowpan_btle_dev *dev,
+ }
+
+ if (!rt) {
+- nexthop = &lowpan_cb(skb)->gw;
+-
+- if (ipv6_addr_any(nexthop))
+- return NULL;
++ if (ipv6_addr_any(&lowpan_cb(skb)->gw)) {
++ /* There is neither route nor gateway,
++ * probably the destination is a direct peer.
++ */
++ nexthop = daddr;
++ } else {
++ /* There is a known gateway
++ */
++ nexthop = &lowpan_cb(skb)->gw;
++ }
+ } else {
+ nexthop = rt6_nexthop(rt, daddr);
+
+--
+2.16.4
+
diff --git a/patches.drivers/Bluetooth-Add-SMP-workaround-Microsoft-Surface-Preci.patch b/patches.drivers/Bluetooth-Add-SMP-workaround-Microsoft-Surface-Preci.patch
new file mode 100644
index 0000000000..dd9b4587f7
--- /dev/null
+++ b/patches.drivers/Bluetooth-Add-SMP-workaround-Microsoft-Surface-Preci.patch
@@ -0,0 +1,71 @@
+From 1d87b88ba26eabd4745e158ecfd87c93a9b51dc2 Mon Sep 17 00:00:00 2001
+From: Szymon Janc <szymon.janc@codecoup.pl>
+Date: Wed, 19 Jun 2019 00:47:47 +0200
+Subject: [PATCH] Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug
+Git-commit: 1d87b88ba26eabd4745e158ecfd87c93a9b51dc2
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Microsoft Surface Precision Mouse provides bogus identity address when
+pairing. It connects with Static Random address but provides Public
+Address in SMP Identity Address Information PDU. Address has same
+value but type is different. Workaround this by dropping IRK if ID
+address discrepancy is detected.
+
+> HCI Event: LE Meta Event (0x3e) plen 19
+ LE Connection Complete (0x01)
+ Status: Success (0x00)
+ Handle: 75
+ Role: Master (0x00)
+ Peer address type: Random (0x01)
+ Peer address: E0:52:33:93:3B:21 (Static)
+ Connection interval: 50.00 msec (0x0028)
+ Connection latency: 0 (0x0000)
+ Supervision timeout: 420 msec (0x002a)
+ Master clock accuracy: 0x00
+
+....
+
+> ACL Data RX: Handle 75 flags 0x02 dlen 12
+ SMP: Identity Address Information (0x09) len 7
+ Address type: Public (0x00)
+ Address: E0:52:33:93:3B:21
+
+Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
+Tested-by: Maarten Fonville <maarten.fonville@gmail.com>
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199461
+Cc: stable@vger.kernel.org
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/bluetooth/smp.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index e68c715f8d37..6c2b4e6e87ba 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2579,6 +2579,19 @@ static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
+ goto distribute;
+ }
+
++ /* Drop IRK if peer is using identity address during pairing but is
++ * providing different address as identity information.
++ *
++ * Microsoft Surface Precision Mouse is known to have this bug.
++ */
++ if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
++ (bacmp(&info->bdaddr, &hcon->dst) ||
++ info->addr_type != hcon->dst_type)) {
++ bt_dev_err(hcon->hdev,
++ "ignoring IRK with invalid identity address");
++ goto distribute;
++ }
++
+ bacpy(&smp->id_addr, &info->bdaddr);
+ smp->id_addr_type = info->addr_type;
+
+--
+2.16.4
+
diff --git a/patches.drivers/Bluetooth-Check-state-in-l2cap_disconnect_rsp.patch b/patches.drivers/Bluetooth-Check-state-in-l2cap_disconnect_rsp.patch
new file mode 100644
index 0000000000..8b4f7a57e8
--- /dev/null
+++ b/patches.drivers/Bluetooth-Check-state-in-l2cap_disconnect_rsp.patch
@@ -0,0 +1,222 @@
+From 28261da8a26f4915aa257d12d506c6ba179d961f Mon Sep 17 00:00:00 2001
+From: Matias Karhumaa <matias.karhumaa@gmail.com>
+Date: Tue, 21 May 2019 13:07:22 +0300
+Subject: [PATCH] Bluetooth: Check state in l2cap_disconnect_rsp
+Git-commit: 28261da8a26f4915aa257d12d506c6ba179d961f
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Because of both sides doing L2CAP disconnection at the same time, it
+was possible to receive L2CAP Disconnection Response with CID that was
+already freed. That caused problems if CID was already reused and L2CAP
+Connection Request with same CID was sent out. Before this patch kernel
+deleted channel context regardless of the state of the channel.
+
+Example where leftover Disconnection Response (frame #402) causes local
+device to delete L2CAP channel which was not yet connected. This in
+turn confuses remote device's stack because same CID is re-used without
+properly disconnecting.
+
+Btmon capture before patch:
+** snip **
+> ACL Data RX: Handle 43 flags 0x02 dlen 8 #394 [hci1] 10.748949
+ Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
+ RFCOMM: Disconnect (DISC) (0x43)
+ Address: 0x03 cr 1 dlci 0x00
+ Control: 0x53 poll/final 1
+ Length: 0
+ FCS: 0xfd
+< ACL Data TX: Handle 43 flags 0x00 dlen 8 #395 [hci1] 10.749062
+ Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
+ RFCOMM: Unnumbered Ack (UA) (0x63)
+ Address: 0x03 cr 1 dlci 0x00
+ Control: 0x73 poll/final 1
+ Length: 0
+ FCS: 0xd7
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #396 [hci1] 10.749073
+ L2CAP: Disconnection Request (0x06) ident 17 len 4
+ Destination CID: 65
+ Source CID: 65
+> HCI Event: Number of Completed Packets (0x13) plen 5 #397 [hci1] 10.752391
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> HCI Event: Number of Completed Packets (0x13) plen 5 #398 [hci1] 10.753394
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #399 [hci1] 10.756499
+ L2CAP: Disconnection Request (0x06) ident 26 len 4
+ Destination CID: 65
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #400 [hci1] 10.756548
+ L2CAP: Disconnection Response (0x07) ident 26 len 4
+ Destination CID: 65
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #401 [hci1] 10.757459
+ L2CAP: Connection Request (0x02) ident 18 len 4
+ PSM: 1 (0x0001)
+ Source CID: 65
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #402 [hci1] 10.759148
+ L2CAP: Disconnection Response (0x07) ident 17 len 4
+ Destination CID: 65
+ Source CID: 65
+= bluetoothd: 00:1E:AB:4C:56:54: error updating services: Input/o.. 10.759447
+> HCI Event: Number of Completed Packets (0x13) plen 5 #403 [hci1] 10.759386
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #404 [hci1] 10.760397
+ L2CAP: Connection Request (0x02) ident 27 len 4
+ PSM: 3 (0x0003)
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 16 #405 [hci1] 10.760441
+ L2CAP: Connection Response (0x03) ident 27 len 8
+ Destination CID: 65
+ Source CID: 65
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+< ACL Data TX: Handle 43 flags 0x00 dlen 27 #406 [hci1] 10.760449
+ L2CAP: Configure Request (0x04) ident 19 len 19
+ Destination CID: 65
+ Flags: 0x0000
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 1013
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Basic (0x00)
+ TX window size: 0
+ Max transmit: 0
+ Retransmission timeout: 0
+ Monitor timeout: 0
+ Maximum PDU size: 0
+> HCI Event: Number of Completed Packets (0x13) plen 5 #407 [hci1] 10.761399
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 16 #408 [hci1] 10.762942
+ L2CAP: Connection Response (0x03) ident 18 len 8
+ Destination CID: 66
+ Source CID: 65
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+*snip*
+
+Similar case after the patch:
+*snip*
+> ACL Data RX: Handle 43 flags 0x02 dlen 8 #22702 [hci0] 1664.411056
+ Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
+ RFCOMM: Disconnect (DISC) (0x43)
+ Address: 0x03 cr 1 dlci 0x00
+ Control: 0x53 poll/final 1
+ Length: 0
+ FCS: 0xfd
+< ACL Data TX: Handle 43 flags 0x00 dlen 8 #22703 [hci0] 1664.411136
+ Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
+ RFCOMM: Unnumbered Ack (UA) (0x63)
+ Address: 0x03 cr 1 dlci 0x00
+ Control: 0x73 poll/final 1
+ Length: 0
+ FCS: 0xd7
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22704 [hci0] 1664.411143
+ L2CAP: Disconnection Request (0x06) ident 11 len 4
+ Destination CID: 65
+ Source CID: 65
+> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22705 [hci0] 1664.414009
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22706 [hci0] 1664.415007
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22707 [hci0] 1664.418674
+ L2CAP: Disconnection Request (0x06) ident 17 len 4
+ Destination CID: 65
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22708 [hci0] 1664.418762
+ L2CAP: Disconnection Response (0x07) ident 17 len 4
+ Destination CID: 65
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22709 [hci0] 1664.421073
+ L2CAP: Connection Request (0x02) ident 12 len 4
+ PSM: 1 (0x0001)
+ Source CID: 65
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22710 [hci0] 1664.421371
+ L2CAP: Disconnection Response (0x07) ident 11 len 4
+ Destination CID: 65
+ Source CID: 65
+> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22711 [hci0] 1664.424082
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22712 [hci0] 1664.425040
+ Num handles: 1
+ Handle: 43
+ Count: 1
+> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22713 [hci0] 1664.426103
+ L2CAP: Connection Request (0x02) ident 18 len 4
+ PSM: 3 (0x0003)
+ Source CID: 65
+< ACL Data TX: Handle 43 flags 0x00 dlen 16 #22714 [hci0] 1664.426186
+ L2CAP: Connection Response (0x03) ident 18 len 8
+ Destination CID: 66
+ Source CID: 65
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+< ACL Data TX: Handle 43 flags 0x00 dlen 27 #22715 [hci0] 1664.426196
+ L2CAP: Configure Request (0x04) ident 13 len 19
+ Destination CID: 65
+ Flags: 0x0000
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 1013
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Basic (0x00)
+ TX window size: 0
+ Max transmit: 0
+ Retransmission timeout: 0
+ Monitor timeout: 0
+ Maximum PDU size: 0
+> ACL Data RX: Handle 43 flags 0x02 dlen 16 #22716 [hci0] 1664.428804
+ L2CAP: Connection Response (0x03) ident 12 len 8
+ Destination CID: 66
+ Source CID: 65
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+*snip*
+
+Fix is to check that channel is in state BT_DISCONN before deleting the
+channel.
+
+This bug was found while fuzzing Bluez's OBEX implementation using
+Synopsys Defensics.
+
+Reported-by: Matti Kamunen <matti.kamunen@synopsys.com>
+Reported-by: Ari Timonen <ari.timonen@synopsys.com>
+Signed-off-by: Matias Karhumaa <matias.karhumaa@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/bluetooth/l2cap_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 9f77432dbe38..0bd80277a1e9 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4394,6 +4394,12 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
+
+ l2cap_chan_lock(chan);
+
++ if (chan->state != BT_DISCONN) {
++ l2cap_chan_unlock(chan);
++ mutex_unlock(&conn->chan_lock);
++ return 0;
++ }
++
+ l2cap_chan_hold(chan);
+ l2cap_chan_del(chan, 0);
+
+--
+2.16.4
+
diff --git a/patches.drivers/Bluetooth-hci_bcsp-Fix-memory-leak-in-rx_skb.patch b/patches.drivers/Bluetooth-hci_bcsp-Fix-memory-leak-in-rx_skb.patch
new file mode 100644
index 0000000000..75990174d0
--- /dev/null
+++ b/patches.drivers/Bluetooth-hci_bcsp-Fix-memory-leak-in-rx_skb.patch
@@ -0,0 +1,41 @@
+From 4ce9146e0370fcd573f0372d9b4e5a211112567c Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+Date: Tue, 28 May 2019 15:42:58 +0200
+Subject: [PATCH] Bluetooth: hci_bcsp: Fix memory leak in rx_skb
+Git-commit: 4ce9146e0370fcd573f0372d9b4e5a211112567c
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Syzkaller found that it is possible to provoke a memory leak by
+never freeing rx_skb in struct bcsp_struct.
+
+Fix by freeing in bcsp_close()
+
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Reported-by: syzbot+98162c885993b72f19c4@syzkaller.appspotmail.com
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/bluetooth/hci_bcsp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
+index 82b13faa9422..fe2e307009f4 100644
+--- a/drivers/bluetooth/hci_bcsp.c
++++ b/drivers/bluetooth/hci_bcsp.c
+@@ -744,6 +744,11 @@ static int bcsp_close(struct hci_uart *hu)
+ skb_queue_purge(&bcsp->rel);
+ skb_queue_purge(&bcsp->unrel);
+
++ if (bcsp->rx_skb) {
++ kfree_skb(bcsp->rx_skb);
++ bcsp->rx_skb = NULL;
++ }
++
+ kfree(bcsp);
+ return 0;
+ }
+--
+2.16.4
+
diff --git a/patches.drivers/Bluetooth-validate-BLE-connection-interval-updates.patch b/patches.drivers/Bluetooth-validate-BLE-connection-interval-updates.patch
new file mode 100644
index 0000000000..2d7661f5f0
--- /dev/null
+++ b/patches.drivers/Bluetooth-validate-BLE-connection-interval-updates.patch
@@ -0,0 +1,94 @@
+From c49a8682fc5d298d44e8d911f4fa14690ea9485e Mon Sep 17 00:00:00 2001
+From: csonsino <csonsino@gmail.com>
+Date: Wed, 12 Jun 2019 15:00:52 -0600
+Subject: [PATCH] Bluetooth: validate BLE connection interval updates
+Git-commit: c49a8682fc5d298d44e8d911f4fa14690ea9485e
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Problem: The Linux Bluetooth stack yields complete control over the BLE
+connection interval to the remote device.
+
+The Linux Bluetooth stack provides access to the BLE connection interval
+min and max values through /sys/kernel/debug/bluetooth/hci0/
+conn_min_interval and /sys/kernel/debug/bluetooth/hci0/conn_max_interval.
+These values are used for initial BLE connections, but the remote device
+has the ability to request a connection parameter update. In the event
+that the remote side requests to change the connection interval, the Linux
+kernel currently only validates that the desired value is within the
+acceptable range in the Bluetooth specification (6 - 3200, corresponding to
+7.5ms - 4000ms). There is currently no validation that the desired value
+requested by the remote device is within the min/max limits specified in
+the conn_min_interval/conn_max_interval configurations. This essentially
+leads to Linux yielding complete control over the connection interval to
+the remote device.
+
+The proposed patch adds a verification step to the connection parameter
+update mechanism, ensuring that the desired value is within the min/max
+bounds of the current connection. If the desired value is outside of the
+current connection min/max values, then the connection parameter update
+request is rejected and the negative response is returned to the remote
+device. Recall that the initial connection is established using the local
+conn_min_interval/conn_max_interval values, so this allows the Linux
+administrator to retain control over the BLE connection interval.
+
+The one downside that I see is that the current default Linux values for
+conn_min_interval and conn_max_interval typically correspond to 30ms and
+50ms respectively. If this change were accepted, then it is feasible that
+some devices would no longer be able to negotiate to their desired
+connection interval values. This might be remedied by setting the default
+Linux conn_min_interval and conn_max_interval values to the widest
+supported range (6 - 3200 / 7.5ms - 4000ms). This could lead to the same
+behavior as the current implementation, where the remote device could
+request to change the connection interval value to any value that is
+permitted by the Bluetooth specification, and Linux would accept the
+desired value.
+
+Signed-off-by: Carey Sonsino <csonsino@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/bluetooth/hci_event.c | 5 +++++
+ net/bluetooth/l2cap_core.c | 9 ++++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index c1d3a303d97f..cdb00c2ef242 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5660,6 +5660,11 @@ static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
+ return send_conn_param_neg_reply(hdev, handle,
+ HCI_ERROR_UNKNOWN_CONN_ID);
+
++ if (min < hcon->le_conn_min_interval ||
++ max > hcon->le_conn_max_interval)
++ return send_conn_param_neg_reply(hdev, handle,
++ HCI_ERROR_INVALID_LL_PARAMS);
++
+ if (hci_check_conn_params(min, max, latency, timeout))
+ return send_conn_param_neg_reply(hdev, handle,
+ HCI_ERROR_INVALID_LL_PARAMS);
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 0bd80277a1e9..7068eded66c3 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -5297,7 +5297,14 @@ static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
+
+ memset(&rsp, 0, sizeof(rsp));
+
+- err = hci_check_conn_params(min, max, latency, to_multiplier);
++ if (min < hcon->le_conn_min_interval ||
++ max > hcon->le_conn_max_interval) {
++ BT_DBG("requested connection interval exceeds current bounds.");
++ err = -EINVAL;
++ } else {
++ err = hci_check_conn_params(min, max, latency, to_multiplier);
++ }
++
+ if (err)
+ rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
+ else
+--
+2.16.4
+
diff --git a/patches.drivers/Input-alps-don-t-handle-ALPS-cs19-trackpoint-only-de.patch b/patches.drivers/Input-alps-don-t-handle-ALPS-cs19-trackpoint-only-de.patch
new file mode 100644
index 0000000000..78647a9d56
--- /dev/null
+++ b/patches.drivers/Input-alps-don-t-handle-ALPS-cs19-trackpoint-only-de.patch
@@ -0,0 +1,105 @@
+From 7e4935ccc3236751e5fe4bd6846f86e46bb2e427 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Mon, 15 Jul 2019 10:00:58 -0700
+Subject: [PATCH] Input: alps - don't handle ALPS cs19 trackpoint-only device
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 7e4935ccc3236751e5fe4bd6846f86e46bb2e427
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+On a latest Lenovo laptop, the trackpoint and 3 buttons below it
+don't work at all, when we move the trackpoint or press those 3
+buttons, the kernel will print out:
+"Rejected trackstick packet from non DualPoint device"
+
+This device is identified as an alps touchpad but the packet has
+trackpoint format, so the alps.c drops the packet and prints out
+the message above.
+
+According to XiaoXiao's explanation, this device is named cs19 and
+is trackpoint-only device, its firmware is only for trackpoint, it
+is independent of touchpad and is a device completely different from
+DualPoint ones.
+
+To drive this device with mininal changes to the existing driver, we
+just let the alps driver not handle this device, then the trackpoint.c
+will be the driver of this device if the trackpoint driver is enabled.
+(if not, this device will fallback to a bare PS/2 device)
+
+With the trackpoint.c, this trackpoint and 3 buttons all work well,
+they have all features that the trackpoint should have, like
+scrolling-screen, drag-and-drop and frame-selection.
+
+Signed-off-by: XiaoXiao Liu <sliuuxiaonxiao@gmail.com>
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Reviewed-by: Pali Rohár <pali.rohar@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/input/mouse/alps.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
+index 8996323ce8d9..62ffea00902a 100644
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -21,6 +21,7 @@
+
+ #include "psmouse.h"
+ #include "alps.h"
++#include "trackpoint.h"
+
+ /*
+ * Definitions for ALPS version 3 and 4 command mode protocol
+@@ -2861,6 +2862,23 @@ static const struct alps_protocol_info *alps_match_table(unsigned char *e7,
+ return NULL;
+ }
+
++static bool alps_is_cs19_trackpoint(struct psmouse *psmouse)
++{
++ u8 param[2] = { 0 };
++
++ if (ps2_command(&psmouse->ps2dev,
++ param, MAKE_PS2_CMD(0, 2, TP_READ_ID)))
++ return false;
++
++ /*
++ * param[0] contains the trackpoint device variant_id while
++ * param[1] contains the firmware_id. So far all alps
++ * trackpoint-only devices have their variant_ids equal
++ * TP_VARIANT_ALPS and their firmware_ids are in 0x20~0x2f range.
++ */
++ return param[0] == TP_VARIANT_ALPS && (param[1] & 0x20);
++}
++
+ static int alps_identify(struct psmouse *psmouse, struct alps_data *priv)
+ {
+ const struct alps_protocol_info *protocol;
+@@ -3161,6 +3179,20 @@ int alps_detect(struct psmouse *psmouse, bool set_properties)
+ if (error)
+ return error;
+
++ /*
++ * ALPS cs19 is a trackpoint-only device, and uses different
++ * protocol than DualPoint ones, so we return -EINVAL here and let
++ * trackpoint.c drive this device. If the trackpoint driver is not
++ * enabled, the device will fall back to a bare PS/2 mouse.
++ * If ps2_command() fails here, we depend on the immediately
++ * followed psmouse_reset() to reset the device to normal state.
++ */
++ if (alps_is_cs19_trackpoint(psmouse)) {
++ psmouse_dbg(psmouse,
++ "ALPS CS19 trackpoint-only device detected, ignoring\n");
++ return -EINVAL;
++ }
++
+ /*
+ * Reset the device to make sure it is fully operational:
+ * on some laptops, like certain Dell Latitudes, we may
+--
+2.16.4
+
diff --git a/patches.drivers/Input-alps-fix-a-mismatch-between-a-condition-check-.patch b/patches.drivers/Input-alps-fix-a-mismatch-between-a-condition-check-.patch
new file mode 100644
index 0000000000..a7200211c8
--- /dev/null
+++ b/patches.drivers/Input-alps-fix-a-mismatch-between-a-condition-check-.patch
@@ -0,0 +1,42 @@
+From 771a081e44a9baa1991ef011cc453ef425591740 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Fri, 19 Jul 2019 12:38:58 +0300
+Subject: [PATCH] Input: alps - fix a mismatch between a condition check and its comment
+Git-commit: 771a081e44a9baa1991ef011cc453ef425591740
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+In the function alps_is_cs19_trackpoint(), we check if the param[1] is
+in the 0x20~0x2f range, but the code we wrote for this checking is not
+Correct:
+(param[1] & 0x20) does not mean param[1] is in the range of 0x20~0x2f,
+it also means the param[1] is in the range of 0x30~0x3f, 0x60~0x6f...
+
+Now fix it with a new condition checking ((param[1] & 0xf0) == 0x20).
+
+Fixes: 7e4935ccc323 ("Input: alps - don't handle ALPS cs19 trackpoint-only device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/input/mouse/alps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
+index 62ffea00902a..34700eda0429 100644
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -2876,7 +2876,7 @@ static bool alps_is_cs19_trackpoint(struct psmouse *psmouse)
+ * trackpoint-only devices have their variant_ids equal
+ * TP_VARIANT_ALPS and their firmware_ids are in 0x20~0x2f range.
+ */
+- return param[0] == TP_VARIANT_ALPS && (param[1] & 0x20);
++ return param[0] == TP_VARIANT_ALPS && ((param[1] & 0xf0) == 0x20);
+ }
+
+ static int alps_identify(struct psmouse *psmouse, struct alps_data *priv)
+--
+2.16.4
+
diff --git a/patches.drivers/Input-synaptics-whitelist-Lenovo-T580-SMBus-intertou.patch b/patches.drivers/Input-synaptics-whitelist-Lenovo-T580-SMBus-intertou.patch
new file mode 100644
index 0000000000..51a6e89ea3
--- /dev/null
+++ b/patches.drivers/Input-synaptics-whitelist-Lenovo-T580-SMBus-intertou.patch
@@ -0,0 +1,31 @@
+From 1976d7d200c5a32e72293a2ada36b7b7c9d6dd6e Mon Sep 17 00:00:00 2001
+From: Nick Black <dankamongmen@gmail.com>
+Date: Thu, 11 Jul 2019 23:42:03 -0700
+Subject: [PATCH] Input: synaptics - whitelist Lenovo T580 SMBus intertouch
+Git-commit: 1976d7d200c5a32e72293a2ada36b7b7c9d6dd6e
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Adds the Lenovo T580 to the SMBus intertouch list for Synaptics
+touchpads. I've tested with this for a week now, and it seems a great
+improvement. It's also nice to have the complaint gone from dmesg.
+
+Signed-off-by: Nick Black <dankamongmen@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/input/mouse/synaptics.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -179,6 +179,7 @@ static const char * const smbus_pnp_ids[
+ "LEN0093", /* T480 */
+ "LEN0096", /* X280 */
+ "LEN0097", /* X280 -> ALPS trackpoint */
++ "LEN009b", /* T580 */
+ "LEN200f", /* T450s */
+ "LEN2054", /* E480 */
+ "LEN2055", /* E580 */
diff --git a/patches.drivers/Input-trackpoint-only-expose-supported-controls-for-.patch b/patches.drivers/Input-trackpoint-only-expose-supported-controls-for-.patch
new file mode 100644
index 0000000000..72b30920d6
--- /dev/null
+++ b/patches.drivers/Input-trackpoint-only-expose-supported-controls-for-.patch
@@ -0,0 +1,490 @@
+From 2a924d71794c530e55e73d0ce2cc77233307eaa9 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 5 Jan 2018 13:28:47 -0800
+Subject: [PATCH] Input: trackpoint - only expose supported controls for Elan, ALPS and NXP
+Git-commit: 2a924d71794c530e55e73d0ce2cc77233307eaa9
+Patch-mainline: v4.15
+References: bsc#1051510
+
+[ backport note: replaced device_add_group() and device_remove_group() with
+ sysfs_add_group() and sysfs_remove_group() like the old code -- tiwai ]
+
+The newer trackpoints from ALPS, Elan and NXP implement a very limited
+subset of extended commands and controls that the original trackpoints
+implemented, so we should not be exposing not working controls in sysfs.
+The newer trackpoints also do not implement "Power On Reset" or "Read
+Extended Button Status", so we should not be using these commands during
+initialization.
+
+While we are at it, let's change "unsigned char" to u8 for byte data or
+bool for booleans and use better suited error codes instead of -1.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/input/mouse/trackpoint.c | 243 +++++++++++++++++++++++----------------
+ drivers/input/mouse/trackpoint.h | 34 +++--
+ 2 files changed, 169 insertions(+), 108 deletions(-)
+
+--- a/drivers/input/mouse/trackpoint.c
++++ b/drivers/input/mouse/trackpoint.c
+@@ -19,6 +19,13 @@
+ #include "psmouse.h"
+ #include "trackpoint.h"
+
++static const char * const trackpoint_variants[] = {
++ [TP_VARIANT_IBM] = "IBM",
++ [TP_VARIANT_ALPS] = "ALPS",
++ [TP_VARIANT_ELAN] = "Elan",
++ [TP_VARIANT_NXP] = "NXP",
++};
++
+ /*
+ * Power-on Reset: Resets all trackpoint parameters, including RAM values,
+ * to defaults.
+@@ -26,7 +33,7 @@
+ */
+ static int trackpoint_power_on_reset(struct ps2dev *ps2dev)
+ {
+- unsigned char results[2];
++ u8 results[2];
+ int tries = 0;
+
+ /* Issue POR command, and repeat up to once if 0xFC00 received */
+@@ -38,7 +45,7 @@ static int trackpoint_power_on_reset(str
+
+ /* Check for success response -- 0xAA00 */
+ if (results[0] != 0xAA || results[1] != 0x00)
+- return -1;
++ return -ENODEV;
+
+ return 0;
+ }
+@@ -46,8 +53,7 @@ static int trackpoint_power_on_reset(str
+ /*
+ * Device IO: read, write and toggle bit
+ */
+-static int trackpoint_read(struct ps2dev *ps2dev,
+- unsigned char loc, unsigned char *results)
++static int trackpoint_read(struct ps2dev *ps2dev, u8 loc, u8 *results)
+ {
+ if (ps2_command(ps2dev, NULL, MAKE_PS2_CMD(0, 0, TP_COMMAND)) ||
+ ps2_command(ps2dev, results, MAKE_PS2_CMD(0, 1, loc))) {
+@@ -57,8 +63,7 @@ static int trackpoint_read(struct ps2dev
+ return 0;
+ }
+
+-static int trackpoint_write(struct ps2dev *ps2dev,
+- unsigned char loc, unsigned char val)
++static int trackpoint_write(struct ps2dev *ps2dev, u8 loc, u8 val)
+ {
+ if (ps2_command(ps2dev, NULL, MAKE_PS2_CMD(0, 0, TP_COMMAND)) ||
+ ps2_command(ps2dev, NULL, MAKE_PS2_CMD(0, 0, TP_WRITE_MEM)) ||
+@@ -70,8 +75,7 @@ static int trackpoint_write(struct ps2de
+ return 0;
+ }
+
+-static int trackpoint_toggle_bit(struct ps2dev *ps2dev,
+- unsigned char loc, unsigned char mask)
++static int trackpoint_toggle_bit(struct ps2dev *ps2dev, u8 loc, u8 mask)
+ {
+ /* Bad things will happen if the loc param isn't in this range */
+ if (loc < 0x20 || loc >= 0x2F)
+@@ -87,11 +91,11 @@ static int trackpoint_toggle_bit(struct
+ return 0;
+ }
+
+-static int trackpoint_update_bit(struct ps2dev *ps2dev, unsigned char loc,
+- unsigned char mask, unsigned char value)
++static int trackpoint_update_bit(struct ps2dev *ps2dev,
++ u8 loc, u8 mask, u8 value)
+ {
+ int retval = 0;
+- unsigned char data;
++ u8 data;
+
+ trackpoint_read(ps2dev, loc, &data);
+ if (((data & mask) == mask) != !!value)
+@@ -105,17 +109,18 @@ static int trackpoint_update_bit(struct
+ */
+ struct trackpoint_attr_data {
+ size_t field_offset;
+- unsigned char command;
+- unsigned char mask;
+- unsigned char inverted;
+- unsigned char power_on_default;
++ u8 command;
++ u8 mask;
++ bool inverted;
++ u8 power_on_default;
+ };
+
+-static ssize_t trackpoint_show_int_attr(struct psmouse *psmouse, void *data, char *buf)
++static ssize_t trackpoint_show_int_attr(struct psmouse *psmouse,
++ void *data, char *buf)
+ {
+ struct trackpoint_data *tp = psmouse->private;
+ struct trackpoint_attr_data *attr = data;
+- unsigned char value = *(unsigned char *)((char *)tp + attr->field_offset);
++ u8 value = *(u8 *)((void *)tp + attr->field_offset);
+
+ if (attr->inverted)
+ value = !value;
+@@ -128,8 +133,8 @@ static ssize_t trackpoint_set_int_attr(s
+ {
+ struct trackpoint_data *tp = psmouse->private;
+ struct trackpoint_attr_data *attr = data;
+- unsigned char *field = (unsigned char *)((char *)tp + attr->field_offset);
+- unsigned char value;
++ u8 *field = (void *)tp + attr->field_offset;
++ u8 value;
+ int err;
+
+ err = kstrtou8(buf, 10, &value);
+@@ -157,17 +162,14 @@ static ssize_t trackpoint_set_bit_attr(s
+ {
+ struct trackpoint_data *tp = psmouse->private;
+ struct trackpoint_attr_data *attr = data;
+- unsigned char *field = (unsigned char *)((char *)tp + attr->field_offset);
+- unsigned int value;
++ bool *field = (void *)tp + attr->field_offset;
++ bool value;
+ int err;
+
+- err = kstrtouint(buf, 10, &value);
++ err = kstrtobool(buf, &value);
+ if (err)
+ return err;
+
+- if (value > 1)
+- return -EINVAL;
+-
+ if (attr->inverted)
+ value = !value;
+
+@@ -193,30 +195,6 @@ PSMOUSE_DEFINE_ATTR(_name, S_IWUSR | S_I
+ &trackpoint_attr_##_name, \
+ trackpoint_show_int_attr, trackpoint_set_bit_attr)
+
+-#define TRACKPOINT_UPDATE_BIT(_psmouse, _tp, _name) \
+-do { \
+- struct trackpoint_attr_data *_attr = &trackpoint_attr_##_name; \
+- \
+- trackpoint_update_bit(&_psmouse->ps2dev, \
+- _attr->command, _attr->mask, _tp->_name); \
+-} while (0)
+-
+-#define TRACKPOINT_UPDATE(_power_on, _psmouse, _tp, _name) \
+-do { \
+- if (!_power_on || \
+- _tp->_name != trackpoint_attr_##_name.power_on_default) { \
+- if (!trackpoint_attr_##_name.mask) \
+- trackpoint_write(&_psmouse->ps2dev, \
+- trackpoint_attr_##_name.command, \
+- _tp->_name); \
+- else \
+- TRACKPOINT_UPDATE_BIT(_psmouse, _tp, _name); \
+- } \
+-} while (0)
+-
+-#define TRACKPOINT_SET_POWER_ON_DEFAULT(_tp, _name) \
+- (_tp->_name = trackpoint_attr_##_name.power_on_default)
+-
+ TRACKPOINT_INT_ATTR(sensitivity, TP_SENS, TP_DEF_SENS);
+ TRACKPOINT_INT_ATTR(speed, TP_SPEED, TP_DEF_SPEED);
+ TRACKPOINT_INT_ATTR(inertia, TP_INERTIA, TP_DEF_INERTIA);
+@@ -229,13 +207,33 @@ TRACKPOINT_INT_ATTR(ztime, TP_Z_TIME, TP
+ TRACKPOINT_INT_ATTR(jenks, TP_JENKS_CURV, TP_DEF_JENKS_CURV);
+ TRACKPOINT_INT_ATTR(drift_time, TP_DRIFT_TIME, TP_DEF_DRIFT_TIME);
+
+-TRACKPOINT_BIT_ATTR(press_to_select, TP_TOGGLE_PTSON, TP_MASK_PTSON, 0,
++TRACKPOINT_BIT_ATTR(press_to_select, TP_TOGGLE_PTSON, TP_MASK_PTSON, false,
+ TP_DEF_PTSON);
+-TRACKPOINT_BIT_ATTR(skipback, TP_TOGGLE_SKIPBACK, TP_MASK_SKIPBACK, 0,
++TRACKPOINT_BIT_ATTR(skipback, TP_TOGGLE_SKIPBACK, TP_MASK_SKIPBACK, false,
+ TP_DEF_SKIPBACK);
+-TRACKPOINT_BIT_ATTR(ext_dev, TP_TOGGLE_EXT_DEV, TP_MASK_EXT_DEV, 1,
++TRACKPOINT_BIT_ATTR(ext_dev, TP_TOGGLE_EXT_DEV, TP_MASK_EXT_DEV, true,
+ TP_DEF_EXT_DEV);
+
++static bool trackpoint_is_attr_available(struct psmouse *psmouse,
++ struct attribute *attr)
++{
++ struct trackpoint_data *tp = psmouse->private;
++
++ return tp->variant_id == TP_VARIANT_IBM ||
++ attr == &psmouse_attr_sensitivity.dattr.attr ||
++ attr == &psmouse_attr_press_to_select.dattr.attr;
++}
++
++static umode_t trackpoint_is_attr_visible(struct kobject *kobj,
++ struct attribute *attr, int n)
++{
++ struct device *dev = container_of(kobj, struct device, kobj);
++ struct serio *serio = to_serio_port(dev);
++ struct psmouse *psmouse = serio_get_drvdata(serio);
++
++ return trackpoint_is_attr_available(psmouse, attr) ? attr->mode : 0;
++}
++
+ static struct attribute *trackpoint_attrs[] = {
+ &psmouse_attr_sensitivity.dattr.attr,
+ &psmouse_attr_speed.dattr.attr,
+@@ -255,24 +253,56 @@ static struct attribute *trackpoint_attr
+ };
+
+ static struct attribute_group trackpoint_attr_group = {
+- .attrs = trackpoint_attrs,
++ .is_visible = trackpoint_is_attr_visible,
++ .attrs = trackpoint_attrs,
+ };
+
+-static int trackpoint_start_protocol(struct psmouse *psmouse, unsigned char *firmware_id)
+-{
+- unsigned char param[2] = { 0 };
++#define TRACKPOINT_UPDATE(_power_on, _psmouse, _tp, _name) \
++do { \
++ struct trackpoint_attr_data *_attr = &trackpoint_attr_##_name; \
++ \
++ if ((!_power_on || _tp->_name != _attr->power_on_default) && \
++ trackpoint_is_attr_available(_psmouse, \
++ &psmouse_attr_##_name.dattr.attr)) { \
++ if (!_attr->mask) \
++ trackpoint_write(&_psmouse->ps2dev, \
++ _attr->command, _tp->_name); \
++ else \
++ trackpoint_update_bit(&_psmouse->ps2dev, \
++ _attr->command, _attr->mask, \
++ _tp->_name); \
++ } \
++} while (0)
+
+- if (ps2_command(&psmouse->ps2dev, param, MAKE_PS2_CMD(0, 2, TP_READ_ID)))
+- return -1;
++#define TRACKPOINT_SET_POWER_ON_DEFAULT(_tp, _name) \
++do { \
++ _tp->_name = trackpoint_attr_##_name.power_on_default; \
++} while (0)
+
+- /* add new TP ID. */
+- if (!(param[0] & TP_MAGIC_IDENT))
+- return -1;
++static int trackpoint_start_protocol(struct psmouse *psmouse,
++ u8 *variant_id, u8 *firmware_id)
++{
++ u8 param[2] = { 0 };
++ int error;
+
+- if (firmware_id)
+- *firmware_id = param[1];
++ error = ps2_command(&psmouse->ps2dev,
++ param, MAKE_PS2_CMD(0, 2, TP_READ_ID));
++ if (error)
++ return error;
+
+- return 0;
++ switch (param[0]) {
++ case TP_VARIANT_IBM:
++ case TP_VARIANT_ALPS:
++ case TP_VARIANT_ELAN:
++ case TP_VARIANT_NXP:
++ if (variant_id)
++ *variant_id = param[0];
++ if (firmware_id)
++ *firmware_id = param[1];
++ return 0;
++ }
++
++ return -ENODEV;
+ }
+
+ /*
+@@ -285,7 +315,7 @@ static int trackpoint_sync(struct psmous
+ {
+ struct trackpoint_data *tp = psmouse->private;
+
+- if (!in_power_on_state) {
++ if (!in_power_on_state && tp->variant_id == TP_VARIANT_IBM) {
+ /*
+ * Disable features that may make device unusable
+ * with this driver.
+@@ -355,14 +385,20 @@ static void trackpoint_disconnect(struct
+
+ static int trackpoint_reconnect(struct psmouse *psmouse)
+ {
+- int reset_fail;
++ struct trackpoint_data *tp = psmouse->private;
++ int error;
++ bool was_reset;
+
+- if (trackpoint_start_protocol(psmouse, NULL))
+- return -1;
++ error = trackpoint_start_protocol(psmouse, NULL, NULL);
++ if (error)
++ return error;
+
+- reset_fail = trackpoint_power_on_reset(&psmouse->ps2dev);
+- if (trackpoint_sync(psmouse, !reset_fail))
+- return -1;
++ was_reset = tp->variant_id == TP_VARIANT_IBM &&
++ trackpoint_power_on_reset(&psmouse->ps2dev) == 0;
++
++ error = trackpoint_sync(psmouse, was_reset);
++ if (error)
++ return error;
+
+ return 0;
+ }
+@@ -370,47 +406,64 @@ static int trackpoint_reconnect(struct p
+ int trackpoint_detect(struct psmouse *psmouse, bool set_properties)
+ {
+ struct ps2dev *ps2dev = &psmouse->ps2dev;
+- unsigned char firmware_id;
+- unsigned char button_info;
++ struct trackpoint_data *tp;
++ u8 variant_id;
++ u8 firmware_id;
++ u8 button_info;
+ int error;
+
+- if (trackpoint_start_protocol(psmouse, &firmware_id))
+- return -1;
++ error = trackpoint_start_protocol(psmouse, &variant_id, &firmware_id);
++ if (error)
++ return error;
+
+ if (!set_properties)
+ return 0;
+
+- if (trackpoint_read(ps2dev, TP_EXT_BTN, &button_info)) {
+- psmouse_warn(psmouse, "failed to get extended button data, assuming 3 buttons\n");
+- button_info = 0x33;
+- } else if (!button_info) {
+- psmouse_warn(psmouse, "got 0 in extended button data, assuming 3 buttons\n");
+- button_info = 0x33;
+- }
+-
+- psmouse->private = kzalloc(sizeof(struct trackpoint_data), GFP_KERNEL);
+- if (!psmouse->private)
++ tp = kzalloc(sizeof(*tp), GFP_KERNEL);
++ if (!tp)
+ return -ENOMEM;
+
+- psmouse->vendor = "IBM";
++ trackpoint_defaults(tp);
++ tp->variant_id = variant_id;
++ tp->firmware_id = firmware_id;
++
++ psmouse->private = tp;
++
++ psmouse->vendor = trackpoint_variants[variant_id];
+ psmouse->name = "TrackPoint";
+
+ psmouse->reconnect = trackpoint_reconnect;
+ psmouse->disconnect = trackpoint_disconnect;
+
++ if (variant_id != TP_VARIANT_IBM) {
++ /* Newer variants do not support extended button query. */
++ button_info = 0x33;
++ } else {
++ error = trackpoint_read(ps2dev, TP_EXT_BTN, &button_info);
++ if (error) {
++ psmouse_warn(psmouse,
++ "failed to get extended button data, assuming 3 buttons\n");
++ button_info = 0x33;
++ } else if (!button_info) {
++ psmouse_warn(psmouse,
++ "got 0 in extended button data, assuming 3 buttons\n");
++ button_info = 0x33;
++ }
++ }
++
+ if ((button_info & 0x0f) >= 3)
+- __set_bit(BTN_MIDDLE, psmouse->dev->keybit);
++ input_set_capability(psmouse->dev, EV_KEY, BTN_MIDDLE);
+
+ __set_bit(INPUT_PROP_POINTER, psmouse->dev->propbit);
+ __set_bit(INPUT_PROP_POINTING_STICK, psmouse->dev->propbit);
+
+- trackpoint_defaults(psmouse->private);
+-
+- error = trackpoint_power_on_reset(ps2dev);
+-
+- /* Write defaults to TP only if reset fails. */
+- if (error)
++ if (variant_id != TP_VARIANT_IBM ||
++ trackpoint_power_on_reset(ps2dev) != 0) {
++ /*
++ * Write defaults to TP if we did not reset the trackpoint.
++ */
+ trackpoint_sync(psmouse, false);
++ }
+
+ error = sysfs_create_group(&ps2dev->serio->dev.kobj, &trackpoint_attr_group);
+ if (error) {
+@@ -423,8 +476,8 @@ int trackpoint_detect(struct psmouse *ps
+ }
+
+ psmouse_info(psmouse,
+- "IBM TrackPoint firmware: 0x%02x, buttons: %d/%d\n",
+- firmware_id,
++ "%s TrackPoint firmware: 0x%02x, buttons: %d/%d\n",
++ psmouse->vendor, firmware_id,
+ (button_info & 0xf0) >> 4, button_info & 0x0f);
+
+ return 0;
+--- a/drivers/input/mouse/trackpoint.h
++++ b/drivers/input/mouse/trackpoint.h
+@@ -21,10 +21,16 @@
+ #define TP_COMMAND 0xE2 /* Commands start with this */
+
+ #define TP_READ_ID 0xE1 /* Sent for device identification */
+-#define TP_MAGIC_IDENT 0x03 /* Sent after a TP_READ_ID followed */
+- /* by the firmware ID */
+- /* Firmware ID includes 0x1, 0x2, 0x3 */
+
++/*
++ * Valid first byte responses to the "Read Secondary ID" (0xE1) command.
++ * 0x01 was the original IBM trackpoint, others implement very limited
++ * subset of trackpoint features.
++ */
++#define TP_VARIANT_IBM 0x01
++#define TP_VARIANT_ALPS 0x02
++#define TP_VARIANT_ELAN 0x03
++#define TP_VARIANT_NXP 0x04
+
+ /*
+ * Commands
+@@ -136,18 +142,20 @@
+
+ #define MAKE_PS2_CMD(params, results, cmd) ((params<<12) | (results<<8) | (cmd))
+
+-struct trackpoint_data
+-{
+- unsigned char sensitivity, speed, inertia, reach;
+- unsigned char draghys, mindrag;
+- unsigned char thresh, upthresh;
+- unsigned char ztime, jenks;
+- unsigned char drift_time;
++struct trackpoint_data {
++ u8 variant_id;
++ u8 firmware_id;
++
++ u8 sensitivity, speed, inertia, reach;
++ u8 draghys, mindrag;
++ u8 thresh, upthresh;
++ u8 ztime, jenks;
++ u8 drift_time;
+
+ /* toggles */
+- unsigned char press_to_select;
+- unsigned char skipback;
+- unsigned char ext_dev;
++ bool press_to_select;
++ bool skipback;
++ bool ext_dev;
+ };
+
+ #ifdef CONFIG_MOUSE_PS2_TRACKPOINT
diff --git a/patches.drivers/dma-buf-balance-refcount-inbalance.patch b/patches.drivers/dma-buf-balance-refcount-inbalance.patch
new file mode 100644
index 0000000000..ef2ac85222
--- /dev/null
+++ b/patches.drivers/dma-buf-balance-refcount-inbalance.patch
@@ -0,0 +1,46 @@
+From 5e383a9798990c69fc759a4930de224bb497e62c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Glisse?= <jglisse@redhat.com>
+Date: Thu, 6 Dec 2018 11:18:40 -0500
+Subject: [PATCH] dma-buf: balance refcount inbalance
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 5e383a9798990c69fc759a4930de224bb497e62c
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+The debugfs take reference on fence without dropping them.
+
+Signed-off-by: Jérôme Glisse <jglisse@redhat.com>
+Cc: Christian König <christian.koenig@amd.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Sumit Semwal <sumit.semwal@linaro.org>
+Cc: linux-media@vger.kernel.org
+Cc: dri-devel@lists.freedesktop.org
+Cc: linaro-mm-sig@lists.linaro.org
+Cc: Stéphane Marchesin <marcheu@chromium.org>
+Cc: stable@vger.kernel.org
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181206161840.6578-1-jglisse@redhat.com
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/dma-buf/dma-buf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
+index 7c858020d14b..efd5d09d56ad 100644
+--- a/drivers/dma-buf/dma-buf.c
++++ b/drivers/dma-buf/dma-buf.c
+@@ -1068,6 +1068,7 @@ static int dma_buf_debug_show(struct seq_file *s, void *unused)
+ fence->ops->get_driver_name(fence),
+ fence->ops->get_timeline_name(fence),
+ dma_fence_is_signaled(fence) ? "" : "un");
++ dma_fence_put(fence);
+ }
+ rcu_read_unlock();
+
+--
+2.16.4
+
diff --git a/patches.drivers/firmware-ti_sci-Always-request-response-from-firmwar.patch b/patches.drivers/firmware-ti_sci-Always-request-response-from-firmwar.patch
new file mode 100644
index 0000000000..febb7655cb
--- /dev/null
+++ b/patches.drivers/firmware-ti_sci-Always-request-response-from-firmwar.patch
@@ -0,0 +1,58 @@
+From 66f030eac257a572fbedab3d9646d87d647351fd Mon Sep 17 00:00:00 2001
+From: "Andrew F. Davis" <afd@ti.com>
+Date: Tue, 28 May 2019 11:55:10 -0400
+Subject: [PATCH] firmware: ti_sci: Always request response from firmware
+Git-commit: 66f030eac257a572fbedab3d9646d87d647351fd
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+TI-SCI firmware will only respond to messages when the
+TI_SCI_FLAG_REQ_ACK_ON_PROCESSED flag is set. Most messages already do
+this, set this for the ones that do not.
+
+This will be enforced in future firmware that better match the TI-SCI
+specifications, this patch will not break users of existing firmware.
+
+Fixes: aa276781a64a ("firmware: Add basic support for TI System Control Interface (TI-SCI) protocol")
+Signed-off-by: Andrew F. Davis <afd@ti.com>
+Acked-by: Nishanth Menon <nm@ti.com>
+Tested-by: Alejandro Hernandez <ajhernandez@ti.com>
+Signed-off-by: Tero Kristo <t-kristo@ti.com>
+Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/firmware/ti_sci.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/firmware/ti_sci.c b/drivers/firmware/ti_sci.c
+index ef93406ace1b..36ce11a67235 100644
+--- a/drivers/firmware/ti_sci.c
++++ b/drivers/firmware/ti_sci.c
+@@ -466,9 +466,9 @@ static int ti_sci_cmd_get_revision(struct ti_sci_info *info)
+ struct ti_sci_xfer *xfer;
+ int ret;
+
+- /* No need to setup flags since it is expected to respond */
+ xfer = ti_sci_get_one_xfer(info, TI_SCI_MSG_VERSION,
+- 0x0, sizeof(struct ti_sci_msg_hdr),
++ TI_SCI_FLAG_REQ_ACK_ON_PROCESSED,
++ sizeof(struct ti_sci_msg_hdr),
+ sizeof(*rev_info));
+ if (IS_ERR(xfer)) {
+ ret = PTR_ERR(xfer);
+@@ -596,9 +596,9 @@ static int ti_sci_get_device_state(const struct ti_sci_handle *handle,
+ info = handle_to_ti_sci_info(handle);
+ dev = info->dev;
+
+- /* Response is expected, so need of any flags */
+ xfer = ti_sci_get_one_xfer(info, TI_SCI_MSG_GET_DEVICE_STATE,
+- 0, sizeof(*req), sizeof(*resp));
++ TI_SCI_FLAG_REQ_ACK_ON_PROCESSED,
++ sizeof(*req), sizeof(*resp));
+ if (IS_ERR(xfer)) {
+ ret = PTR_ERR(xfer);
+ dev_err(dev, "Message alloc failed(%d)\n", ret);
+--
+2.16.4
+
diff --git a/patches.drivers/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch b/patches.drivers/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch
new file mode 100644
index 0000000000..fb5ddcdcd8
--- /dev/null
+++ b/patches.drivers/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch
@@ -0,0 +1,87 @@
+From c859e0d479b3b4f6132fc12637c51e01492f31f6 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Mon, 10 Jun 2019 20:10:44 +0300
+Subject: [PATCH] gpio: omap: ensure irq is enabled before wakeup
+Git-commit: c859e0d479b3b4f6132fc12637c51e01492f31f6
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Documentation states:
+
+ NOTE: There must be a correlation between the wake-up enable and
+ interrupt-enable registers. If a GPIO pin has a wake-up configured
+ on it, it must also have the corresponding interrupt enabled (on
+ one of the two interrupt lines).
+
+Ensure that this condition is always satisfied by enabling the detection
+events after enabling the interrupt, and disabling the detection before
+disabling the interrupt. This ensures interrupt/wakeup events can not
+happen until both the wakeup and interrupt enables correlate.
+
+If we do any clearing, clear between the interrupt enable/disable and
+trigger setting.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Tested-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpio/gpio-omap.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c
+index 16289bafa001..2c6d46396834 100644
+--- a/drivers/gpio/gpio-omap.c
++++ b/drivers/gpio/gpio-omap.c
+@@ -832,9 +832,9 @@ static void omap_gpio_irq_shutdown(struct irq_data *d)
+
+ raw_spin_lock_irqsave(&bank->lock, flags);
+ bank->irq_usage &= ~(BIT(offset));
+- omap_set_gpio_irqenable(bank, offset, 0);
+- omap_clear_gpio_irqstatus(bank, offset);
+ omap_set_gpio_triggering(bank, offset, IRQ_TYPE_NONE);
++ omap_clear_gpio_irqstatus(bank, offset);
++ omap_set_gpio_irqenable(bank, offset, 0);
+ if (!LINE_USED(bank->mod_usage, offset))
+ omap_clear_gpio_debounce(bank, offset);
+ omap_disable_gpio_module(bank, offset);
+@@ -870,8 +870,8 @@ static void omap_gpio_mask_irq(struct irq_data *d)
+ unsigned long flags;
+
+ raw_spin_lock_irqsave(&bank->lock, flags);
+- omap_set_gpio_irqenable(bank, offset, 0);
+ omap_set_gpio_triggering(bank, offset, IRQ_TYPE_NONE);
++ omap_set_gpio_irqenable(bank, offset, 0);
+ raw_spin_unlock_irqrestore(&bank->lock, flags);
+ }
+
+@@ -883,9 +883,6 @@ static void omap_gpio_unmask_irq(struct irq_data *d)
+ unsigned long flags;
+
+ raw_spin_lock_irqsave(&bank->lock, flags);
+- if (trigger)
+- omap_set_gpio_triggering(bank, offset, trigger);
+-
+ omap_set_gpio_irqenable(bank, offset, 1);
+
+ /*
+@@ -893,9 +890,13 @@ static void omap_gpio_unmask_irq(struct irq_data *d)
+ * is cleared, thus after the handler has run. OMAP4 needs this done
+ * after enabing the interrupt to clear the wakeup status.
+ */
+- if (bank->level_mask & BIT(offset))
++ if (bank->regs->leveldetect0 && bank->regs->wkup_en &&
++ trigger & (IRQ_TYPE_LEVEL_HIGH | IRQ_TYPE_LEVEL_LOW))
+ omap_clear_gpio_irqstatus(bank, offset);
+
++ if (trigger)
++ omap_set_gpio_triggering(bank, offset, trigger);
++
+ raw_spin_unlock_irqrestore(&bank->lock, flags);
+ }
+
+--
+2.16.4
+
diff --git a/patches.drivers/hwmon-nct6775-Fix-register-address-and-added-missed-.patch b/patches.drivers/hwmon-nct6775-Fix-register-address-and-added-missed-.patch
new file mode 100644
index 0000000000..1cb0b7b675
--- /dev/null
+++ b/patches.drivers/hwmon-nct6775-Fix-register-address-and-added-missed-.patch
@@ -0,0 +1,44 @@
+From f3d43e2e45fd9d44ba52d20debd12cd4ee9c89bf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Gerhart?= <gerhart@posteo.de>
+Date: Mon, 15 Jul 2019 18:33:55 +0200
+Subject: [PATCH] hwmon: (nct6775) Fix register address and added missed tolerance for nct6106
+Git-commit: f3d43e2e45fd9d44ba52d20debd12cd4ee9c89bf
+Patch-mainline: v5.3-rc2
+References: bsc#1051510
+
+Fixed address of third NCT6106_REG_WEIGHT_DUTY_STEP, and
+added missed NCT6106_REG_TOLERANCE_H.
+
+Fixes: 6c009501ff200 ("hwmon: (nct6775) Add support for NCT6102D/6106D")
+Signed-off-by: Bjoern Gerhart <gerhart@posteo.de>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hwmon/nct6775.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c
+index e7dff5febe16..d42bc0883a32 100644
+--- a/drivers/hwmon/nct6775.c
++++ b/drivers/hwmon/nct6775.c
+@@ -852,7 +852,7 @@ static const u16 NCT6106_REG_TARGET[] = { 0x111, 0x121, 0x131 };
+ static const u16 NCT6106_REG_WEIGHT_TEMP_SEL[] = { 0x168, 0x178, 0x188 };
+ static const u16 NCT6106_REG_WEIGHT_TEMP_STEP[] = { 0x169, 0x179, 0x189 };
+ static const u16 NCT6106_REG_WEIGHT_TEMP_STEP_TOL[] = { 0x16a, 0x17a, 0x18a };
+-static const u16 NCT6106_REG_WEIGHT_DUTY_STEP[] = { 0x16b, 0x17b, 0x17c };
++static const u16 NCT6106_REG_WEIGHT_DUTY_STEP[] = { 0x16b, 0x17b, 0x18b };
+ static const u16 NCT6106_REG_WEIGHT_TEMP_BASE[] = { 0x16c, 0x17c, 0x18c };
+ static const u16 NCT6106_REG_WEIGHT_DUTY_BASE[] = { 0x16d, 0x17d, 0x18d };
+
+@@ -3764,6 +3764,7 @@ static int nct6775_probe(struct platform_device *pdev)
+ data->REG_FAN_TIME[0] = NCT6106_REG_FAN_STOP_TIME;
+ data->REG_FAN_TIME[1] = NCT6106_REG_FAN_STEP_UP_TIME;
+ data->REG_FAN_TIME[2] = NCT6106_REG_FAN_STEP_DOWN_TIME;
++ data->REG_TOLERANCE_H = NCT6106_REG_TOLERANCE_H;
+ data->REG_PWM[0] = NCT6106_REG_PWM;
+ data->REG_PWM[1] = NCT6106_REG_FAN_START_OUTPUT;
+ data->REG_PWM[2] = NCT6106_REG_FAN_STOP_OUTPUT;
+--
+2.16.4
+
diff --git a/patches.drivers/intel_th-pci-Add-Ice-Lake-NNPI-support.patch b/patches.drivers/intel_th-pci-Add-Ice-Lake-NNPI-support.patch
new file mode 100644
index 0000000000..013bec1cab
--- /dev/null
+++ b/patches.drivers/intel_th-pci-Add-Ice-Lake-NNPI-support.patch
@@ -0,0 +1,40 @@
+From 4aa5aed2b6f267592705a526f57518a5d715b769 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Fri, 21 Jun 2019 19:19:30 +0300
+Subject: [PATCH] intel_th: pci: Add Ice Lake NNPI support
+Git-commit: 4aa5aed2b6f267592705a526f57518a5d715b769
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+This adds Ice Lake NNPI support to the Intel(R) Trace Hub.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190621161930.60785-5-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/hwtracing/intel_th/pci.c b/drivers/hwtracing/intel_th/pci.c
+index f1228708f2a2..c0378c3de9a4 100644
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -194,6 +194,11 @@ static const struct pci_device_id intel_th_pci_id_table[] = {
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x02a6),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
++ {
++ /* Ice Lake NNPI */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x45c5),
++ .driver_data = (kernel_ulong_t)&intel_th_2x,
++ },
+ { 0 },
+ };
+
+--
+2.16.4
+
diff --git a/patches.drivers/mailbox-handle-failed-named-mailbox-channel-request.patch b/patches.drivers/mailbox-handle-failed-named-mailbox-channel-request.patch
new file mode 100644
index 0000000000..c25b40b593
--- /dev/null
+++ b/patches.drivers/mailbox-handle-failed-named-mailbox-channel-request.patch
@@ -0,0 +1,46 @@
+From 25777e5784a7b417967460d4fcf9660d05a0c320 Mon Sep 17 00:00:00 2001
+From: morten petersen <morten_bp@live.dk>
+Date: Mon, 8 Jul 2019 11:41:54 +0000
+Subject: [PATCH] mailbox: handle failed named mailbox channel request
+Git-commit: 25777e5784a7b417967460d4fcf9660d05a0c320
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Previously, if mbox_request_channel_byname was used with a name
+which did not exist in the "mbox-names" property of a mailbox
+client, the mailbox corresponding to the last entry in the
+"mbox-names" list would be incorrectly selected.
+With this patch, -EINVAL is returned if the named mailbox is
+not found.
+
+Signed-off-by: Morten Borup Petersen <morten_bp@live.dk>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/mailbox/mailbox.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
+index f4b1950d35f3..0b821a5b2db8 100644
+--- a/drivers/mailbox/mailbox.c
++++ b/drivers/mailbox/mailbox.c
+@@ -418,11 +418,13 @@ struct mbox_chan *mbox_request_channel_byname(struct mbox_client *cl,
+
+ of_property_for_each_string(np, "mbox-names", prop, mbox_name) {
+ if (!strncmp(name, mbox_name, strlen(name)))
+- break;
++ return mbox_request_channel(cl, index);
+ index++;
+ }
+
+- return mbox_request_channel(cl, index);
++ dev_err(cl->dev, "%s() could not locate channel named \"%s\"\n",
++ __func__, name);
++ return ERR_PTR(-EINVAL);
+ }
+ EXPORT_SYMBOL_GPL(mbox_request_channel_byname);
+
+--
+2.16.4
+
diff --git a/patches.drivers/media-coda-Remove-unbalanced-and-unneeded-mutex-unlo.patch b/patches.drivers/media-coda-Remove-unbalanced-and-unneeded-mutex-unlo.patch
new file mode 100644
index 0000000000..76c3915380
--- /dev/null
+++ b/patches.drivers/media-coda-Remove-unbalanced-and-unneeded-mutex-unlo.patch
@@ -0,0 +1,40 @@
+From 766b9b168f6c75c350dd87c3e0bc6a9b322f0013 Mon Sep 17 00:00:00 2001
+From: Ezequiel Garcia <ezequiel@collabora.com>
+Date: Thu, 2 May 2019 18:00:43 -0400
+Subject: [PATCH] media: coda: Remove unbalanced and unneeded mutex unlock
+Git-commit: 766b9b168f6c75c350dd87c3e0bc6a9b322f0013
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+The mutex unlock in the threaded interrupt handler is not paired
+with any mutex lock. Remove it.
+
+This bug has been here for a really long time, so it applies
+to any stable repo.
+
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/platform/coda/coda-bit.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
+index a25f3742ecde..19055c6488cc 100644
+--- a/drivers/media/platform/coda/coda-bit.c
++++ b/drivers/media/platform/coda/coda-bit.c
+@@ -2348,7 +2348,6 @@ irqreturn_t coda_irq_handler(int irq, void *data)
+ if (ctx == NULL) {
+ v4l2_err(&dev->v4l2_dev,
+ "Instance released before the end of transaction\n");
+- mutex_unlock(&dev->coda_mutex);
+ return IRQ_HANDLED;
+ }
+
+--
+2.16.4
+
diff --git a/patches.drivers/media-coda-fix-last-buffer-handling-in-V4L2_ENC_CMD_.patch b/patches.drivers/media-coda-fix-last-buffer-handling-in-V4L2_ENC_CMD_.patch
new file mode 100644
index 0000000000..c7abd4a712
--- /dev/null
+++ b/patches.drivers/media-coda-fix-last-buffer-handling-in-V4L2_ENC_CMD_.patch
@@ -0,0 +1,43 @@
+From f3775f89852d167990b0d718587774cf00d22ac2 Mon Sep 17 00:00:00 2001
+From: Marco Felsch <m.felsch@pengutronix.de>
+Date: Tue, 18 Jun 2019 12:45:11 -0400
+Subject: [PATCH] media: coda: fix last buffer handling in V4L2_ENC_CMD_STOP
+Git-commit: f3775f89852d167990b0d718587774cf00d22ac2
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+coda_encoder_cmd() is racy, as the last scheduled picture run worker can
+still be in-flight while the ENC_CMD_STOP command is issued. Depending
+on the exact timing the sequence numbers might already be changed, but
+the last buffer might not have been put on the destination queue yet.
+
+In this case the current implementation would prematurely wake the
+destination queue with last_buffer_dequeued=true, causing userspace to
+call streamoff before the last buffer is handled.
+
+Close this race window by synchronizing with the pic_run_worker before
+doing the sequence check.
+
+Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
+[l.stach@pengutronix.de: switch to flush_work, reword commit message]
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/platform/coda/coda-common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/coda/coda-common.c
++++ b/drivers/media/platform/coda/coda-common.c
+@@ -917,6 +917,8 @@ static int coda_encoder_cmd(struct file
+ /* Set the stream-end flag on this context */
+ ctx->bit_stream_param |= CODA_BIT_STREAM_END_FLAG;
+
++ flush_work(&ctx->pic_run_work);
++
+ /* If there is no buffer in flight, wake up */
+ if (ctx->qsequence == ctx->osequence) {
+ dst_vq = v4l2_m2m_get_vq(ctx->fh.m2m_ctx,
diff --git a/patches.drivers/media-coda-fix-mpeg2-sequence-number-handling.patch b/patches.drivers/media-coda-fix-mpeg2-sequence-number-handling.patch
new file mode 100644
index 0000000000..c25e7691dc
--- /dev/null
+++ b/patches.drivers/media-coda-fix-mpeg2-sequence-number-handling.patch
@@ -0,0 +1,43 @@
+From 56d159a4ec6d8da7313aac6fcbb95d8fffe689ba Mon Sep 17 00:00:00 2001
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Tue, 18 Jun 2019 12:45:10 -0400
+Subject: [PATCH] media: coda: fix mpeg2 sequence number handling
+Git-commit: 56d159a4ec6d8da7313aac6fcbb95d8fffe689ba
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Sequence number handling assumed that the BIT processor frame number
+starts counting at 1, but this is not true for the MPEG-2 decoder,
+which starts at 0. Fix the sequence counter offset detection to handle
+this.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/platform/coda/coda-bit.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/coda/coda-bit.c
++++ b/drivers/media/platform/coda/coda-bit.c
+@@ -1667,6 +1667,7 @@ static int __coda_start_decoding(struct
+ coda_write(dev, 0, CODA_REG_BIT_BIT_STREAM_PARAM);
+ return -ETIMEDOUT;
+ }
++ ctx->sequence_offset = ~0U;
+ ctx->initialized = 1;
+
+ /* Update kfifo out pointer from coda bitstream read pointer */
+@@ -2085,7 +2086,9 @@ static void coda_finish_decode(struct co
+ v4l2_err(&dev->v4l2_dev,
+ "decoded frame index out of range: %d\n", decoded_idx);
+ } else {
+- val = coda_read(dev, CODA_RET_DEC_PIC_FRAME_NUM) - 1;
++ val = coda_read(dev, CODA_RET_DEC_PIC_FRAME_NUM);
++ if (ctx->sequence_offset == -1)
++ ctx->sequence_offset = val;
+ val -= ctx->sequence_offset;
+ spin_lock_irqsave(&ctx->buffer_meta_lock, flags);
+ if (!list_empty(&ctx->buffer_meta_list)) {
diff --git a/patches.drivers/media-coda-increment-sequence-offset-for-the-last-re.patch b/patches.drivers/media-coda-increment-sequence-offset-for-the-last-re.patch
new file mode 100644
index 0000000000..6f262b9846
--- /dev/null
+++ b/patches.drivers/media-coda-increment-sequence-offset-for-the-last-re.patch
@@ -0,0 +1,39 @@
+From b3b7d96817cdb8b6fc353867705275dce8f41ccc Mon Sep 17 00:00:00 2001
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Tue, 18 Jun 2019 12:45:22 -0400
+Subject: [PATCH] media: coda: increment sequence offset for the last returned frame
+Git-commit: b3b7d96817cdb8b6fc353867705275dce8f41ccc
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+If no more frames are decoded in bitstream end mode, and a previously
+decoded frame has been returned, the firmware still increments the frame
+number. To avoid a sequence number mismatch after decoder restart,
+increment the sequence_offset correction parameter.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/platform/coda/coda-bit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
+index 843f92312f47..bfe6019e68a8 100644
+--- a/drivers/media/platform/coda/coda-bit.c
++++ b/drivers/media/platform/coda/coda-bit.c
+@@ -2280,6 +2280,9 @@ static void coda_finish_decode(struct coda_ctx *ctx)
+ else if (ctx->display_idx < 0)
+ ctx->hold = true;
+ } else if (decoded_idx == -2) {
++ if (ctx->display_idx >= 0 &&
++ ctx->display_idx < ctx->num_internal_frames)
++ ctx->sequence_offset++;
+ /* no frame was decoded, we still return remaining buffers */
+ } else if (decoded_idx < 0 || decoded_idx >= ctx->num_internal_frames) {
+ v4l2_err(&dev->v4l2_dev,
+--
+2.16.4
+
diff --git a/patches.drivers/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch b/patches.drivers/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch
new file mode 100644
index 0000000000..6d514e8729
--- /dev/null
+++ b/patches.drivers/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch
@@ -0,0 +1,46 @@
+From 6cf97230cd5f36b7665099083272595c55d72be7 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 30 Apr 2019 09:07:36 -0400
+Subject: [PATCH] media: dvb: usb: fix use after free in dvb_usb_device_exit
+Git-commit: 6cf97230cd5f36b7665099083272595c55d72be7
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+dvb_usb_device_exit() frees and uses the device name in that order.
+Fix by storing the name in a buffer before freeing it.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+index 99951e02a880..dd063a736df5 100644
+--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+@@ -287,12 +287,15 @@ EXPORT_SYMBOL(dvb_usb_device_init);
+ void dvb_usb_device_exit(struct usb_interface *intf)
+ {
+ struct dvb_usb_device *d = usb_get_intfdata(intf);
+- const char *name = "generic DVB-USB module";
++ const char *default_name = "generic DVB-USB module";
++ char name[40];
+
+ usb_set_intfdata(intf, NULL);
+ if (d != NULL && d->desc != NULL) {
+- name = d->desc->name;
++ strscpy(name, d->desc->name, sizeof(name));
+ dvb_usb_exit(d);
++ } else {
++ strscpy(name, default_name, sizeof(name));
+ }
+ info("%s successfully deinitialized and disconnected.", name);
+
+--
+2.16.4
+
diff --git a/patches.drivers/media-hdpvr-fix-locking-and-a-missing-msleep.patch b/patches.drivers/media-hdpvr-fix-locking-and-a-missing-msleep.patch
new file mode 100644
index 0000000000..8922037728
--- /dev/null
+++ b/patches.drivers/media-hdpvr-fix-locking-and-a-missing-msleep.patch
@@ -0,0 +1,83 @@
+From 6bc5a4a1927556ff9adce1aa95ea408c95453225 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Thu, 20 Jun 2019 07:43:41 -0400
+Subject: [PATCH] media: hdpvr: fix locking and a missing msleep
+Git-commit: 6bc5a4a1927556ff9adce1aa95ea408c95453225
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+This driver has three locking issues:
+
+- The wait_event_interruptible() condition calls hdpvr_get_next_buffer(dev)
+ which uses a mutex, which is not allowed. Rewrite with list_empty_careful()
+ that doesn't need locking.
+
+- In hdpvr_read() the call to hdpvr_stop_streaming() didn't lock io_mutex,
+ but it should have since stop_streaming expects that.
+
+- In hdpvr_device_release() io_mutex was locked when calling flush_work(),
+ but there it shouldn't take that mutex since the work done by flush_work()
+ also wants to lock that mutex.
+
+There are also two other changes (suggested by Keith):
+
+- msecs_to_jiffies(4000); (a NOP) should have been msleep(4000).
+- Change v4l2_dbg to v4l2_info to always log if streaming had to be restarted.
+
+Reported-by: Keith Pyle <kpyle@austin.rr.com>
+Suggested-by: Keith Pyle <kpyle@austin.rr.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/usb/hdpvr/hdpvr-video.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/usb/hdpvr/hdpvr-video.c b/drivers/media/usb/hdpvr/hdpvr-video.c
+index 3786ddcc0d18..5b3e67b80627 100644
+--- a/drivers/media/usb/hdpvr/hdpvr-video.c
++++ b/drivers/media/usb/hdpvr/hdpvr-video.c
+@@ -435,7 +435,7 @@ static ssize_t hdpvr_read(struct file *file, char __user *buffer, size_t count,
+ /* wait for the first buffer */
+ if (!(file->f_flags & O_NONBLOCK)) {
+ if (wait_event_interruptible(dev->wait_data,
+- hdpvr_get_next_buffer(dev)))
++ !list_empty_careful(&dev->rec_buff_list)))
+ return -ERESTARTSYS;
+ }
+
+@@ -461,10 +461,17 @@ static ssize_t hdpvr_read(struct file *file, char __user *buffer, size_t count,
+ goto err;
+ }
+ if (!err) {
+- v4l2_dbg(MSG_INFO, hdpvr_debug, &dev->v4l2_dev,
+- "timeout: restart streaming\n");
++ v4l2_info(&dev->v4l2_dev,
++ "timeout: restart streaming\n");
++ mutex_lock(&dev->io_mutex);
+ hdpvr_stop_streaming(dev);
+- msecs_to_jiffies(4000);
++ mutex_unlock(&dev->io_mutex);
++ /*
++ * The FW needs about 4 seconds after streaming
++ * stopped before it is ready to restart
++ * streaming.
++ */
++ msleep(4000);
+ err = hdpvr_start_streaming(dev);
+ if (err) {
+ ret = err;
+@@ -1124,9 +1131,7 @@ static void hdpvr_device_release(struct video_device *vdev)
+ struct hdpvr_device *dev = video_get_drvdata(vdev);
+
+ hdpvr_delete(dev);
+- mutex_lock(&dev->io_mutex);
+ flush_work(&dev->worker);
+- mutex_unlock(&dev->io_mutex);
+
+ v4l2_device_unregister(&dev->v4l2_dev);
+ v4l2_ctrl_handler_free(&dev->hdl);
+--
+2.16.4
+
diff --git a/patches.drivers/media-media_device_enum_links32-clean-a-reserved-fie.patch b/patches.drivers/media-media_device_enum_links32-clean-a-reserved-fie.patch
new file mode 100644
index 0000000000..902c3b7002
--- /dev/null
+++ b/patches.drivers/media-media_device_enum_links32-clean-a-reserved-fie.patch
@@ -0,0 +1,57 @@
+From f49308878d7202e07d8761238e01bd0e5fce2750 Mon Sep 17 00:00:00 2001
+From: Jungo Lin <jungo.lin@mediatek.com>
+Date: Tue, 2 Apr 2019 21:44:27 -0400
+Subject: [PATCH] media: media_device_enum_links32: clean a reserved field
+Git-commit: f49308878d7202e07d8761238e01bd0e5fce2750
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+In v4l2-compliance utility, test MEDIA_IOC_ENUM_ENTITIES
+will check whether reserved field of media_links_enum filled
+with zero.
+
+However, for 32 bit program, the reserved field is missing
+copy from kernel space to user space in media_device_enum_links32
+function.
+
+This patch adds the cleaning a reserved field logic in
+media_device_enum_links32 function.
+
+Signed-off-by: Jungo Lin <jungo.lin@mediatek.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/media-device.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
+index b8ec88612df7..6893843edada 100644
+--- a/drivers/media/media-device.c
++++ b/drivers/media/media-device.c
+@@ -502,6 +502,7 @@ static long media_device_enum_links32(struct media_device *mdev,
+ {
+ struct media_links_enum links;
+ compat_uptr_t pads_ptr, links_ptr;
++ int ret;
+
+ memset(&links, 0, sizeof(links));
+
+@@ -513,7 +514,13 @@ static long media_device_enum_links32(struct media_device *mdev,
+ links.pads = compat_ptr(pads_ptr);
+ links.links = compat_ptr(links_ptr);
+
+- return media_device_enum_links(mdev, &links);
++ ret = media_device_enum_links(mdev, &links);
++ if (ret)
++ return ret;
++
++ memset(ulinks->reserved, 0, sizeof(ulinks->reserved));
++
++ return 0;
+ }
+
+ #define MEDIA_IOC_ENUM_LINKS32 _IOWR('|', 0x02, struct media_links_enum32)
+--
+2.16.4
+
diff --git a/patches.drivers/media-spi-IR-LED-add-missing-of-table-registration.patch b/patches.drivers/media-spi-IR-LED-add-missing-of-table-registration.patch
new file mode 100644
index 0000000000..df48b0fcb5
--- /dev/null
+++ b/patches.drivers/media-spi-IR-LED-add-missing-of-table-registration.patch
@@ -0,0 +1,44 @@
+From 24e4cf770371df6ad49ed873f21618d9878f64c8 Mon Sep 17 00:00:00 2001
+From: Daniel Gomez <dagmcr@gmail.com>
+Date: Mon, 22 Apr 2019 15:10:20 -0400
+Subject: [PATCH] media: spi: IR LED: add missing of table registration
+Git-commit: 24e4cf770371df6ad49ed873f21618d9878f64c8
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+MODULE_DEVICE_TABLE(of, <of_match_table> should be called to complete DT
+OF mathing mechanism and register it.
+
+Before this patch:
+modinfo drivers/media/rc/ir-spi.ko | grep alias
+
+After this patch:
+modinfo drivers/media/rc/ir-spi.ko | grep alias
+Alias: of:N*T*Cir-spi-ledC*
+Alias: of:N*T*Cir-spi-led
+
+Reported-by: Javier Martinez Canillas <javier@dowhile0.org>
+Signed-off-by: Daniel Gomez <dagmcr@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/rc/ir-spi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/rc/ir-spi.c b/drivers/media/rc/ir-spi.c
+index 66334e8d63ba..c58f2d38a458 100644
+--- a/drivers/media/rc/ir-spi.c
++++ b/drivers/media/rc/ir-spi.c
+@@ -161,6 +161,7 @@ static const struct of_device_id ir_spi_of_match[] = {
+ { .compatible = "ir-spi-led" },
+ {},
+ };
++MODULE_DEVICE_TABLE(of, ir_spi_of_match);
+
+ static struct spi_driver ir_spi_driver = {
+ .probe = ir_spi_probe,
+--
+2.16.4
+
diff --git a/patches.drivers/media-staging-media-davinci_vpfe-Fix-for-memory-leak.patch b/patches.drivers/media-staging-media-davinci_vpfe-Fix-for-memory-leak.patch
new file mode 100644
index 0000000000..fb558a0486
--- /dev/null
+++ b/patches.drivers/media-staging-media-davinci_vpfe-Fix-for-memory-leak.patch
@@ -0,0 +1,37 @@
+From 6995a659101bd4effa41cebb067f9dc18d77520d Mon Sep 17 00:00:00 2001
+From: Shailendra Verma <shailendra.v@samsung.com>
+Date: Thu, 24 Nov 2016 23:57:34 -0500
+Subject: [PATCH] media: staging: media: davinci_vpfe: - Fix for memory leak if decoder initialization fails.
+Git-commit: 6995a659101bd4effa41cebb067f9dc18d77520d
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Fix to avoid possible memory leak if the decoder initialization
+got failed.Free the allocated memory for file handle object
+before return in case decoder initialization fails.
+
+Signed-off-by: Shailendra Verma <shailendra.v@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/staging/media/davinci_vpfe/vpfe_video.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/staging/media/davinci_vpfe/vpfe_video.c b/drivers/staging/media/davinci_vpfe/vpfe_video.c
+index 510202a3b091..84cca18e3e9d 100644
+--- a/drivers/staging/media/davinci_vpfe/vpfe_video.c
++++ b/drivers/staging/media/davinci_vpfe/vpfe_video.c
+@@ -419,6 +419,9 @@ static int vpfe_open(struct file *file)
+ /* If decoder is not initialized. initialize it */
+ if (!video->initialized && vpfe_update_pipe_state(video)) {
+ mutex_unlock(&video->lock);
++ v4l2_fh_del(&handle->vfh);
++ v4l2_fh_exit(&handle->vfh);
++ kfree(handle);
+ return -ENODEV;
+ }
+ /* Increment device users counter */
+--
+2.16.4
+
diff --git a/patches.drivers/media-vpss-fix-a-potential-NULL-pointer-dereference.patch b/patches.drivers/media-vpss-fix-a-potential-NULL-pointer-dereference.patch
new file mode 100644
index 0000000000..fe4c2f557a
--- /dev/null
+++ b/patches.drivers/media-vpss-fix-a-potential-NULL-pointer-dereference.patch
@@ -0,0 +1,40 @@
+From e08f0761234def47961d3252eac09ccedfe4c6a0 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 22 Mar 2019 22:51:06 -0400
+Subject: [PATCH] media: vpss: fix a potential NULL pointer dereference
+Git-commit: e08f0761234def47961d3252eac09ccedfe4c6a0
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+In case ioremap fails, the fix returns -ENOMEM to avoid NULL
+pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/platform/davinci/vpss.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/platform/davinci/vpss.c b/drivers/media/platform/davinci/vpss.c
+index 19cf6853411e..89a86c19579b 100644
+--- a/drivers/media/platform/davinci/vpss.c
++++ b/drivers/media/platform/davinci/vpss.c
+@@ -518,6 +518,11 @@ static int __init vpss_init(void)
+ return -EBUSY;
+
+ oper_cfg.vpss_regs_base2 = ioremap(VPSS_CLK_CTRL, 4);
++ if (unlikely(!oper_cfg.vpss_regs_base2)) {
++ release_mem_region(VPSS_CLK_CTRL, 4);
++ return -ENOMEM;
++ }
++
+ writel(VPSS_CLK_CTRL_VENCCLKEN |
+ VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2);
+
+--
+2.16.4
+
diff --git a/patches.drivers/media-wl128x-Fix-some-error-handling-in-fm_v4l2_init.patch b/patches.drivers/media-wl128x-Fix-some-error-handling-in-fm_v4l2_init.patch
new file mode 100644
index 0000000000..58b4e96e4c
--- /dev/null
+++ b/patches.drivers/media-wl128x-Fix-some-error-handling-in-fm_v4l2_init.patch
@@ -0,0 +1,102 @@
+From 69fbb3f47327d959830c94bf31893972b8c8f700 Mon Sep 17 00:00:00 2001
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+Date: Thu, 30 May 2019 03:25:49 -0400
+Subject: [PATCH] media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
+Git-commit: 69fbb3f47327d959830c94bf31893972b8c8f700
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+X-originating-ip: [10.175.113.25]
+X-cfilter-loop: Reflected
+The fm_v4l2_init_video_device() forget to unregister v4l2/video device
+in the error path, it could lead to UAF issue, eg,
+
+ BUG: KASAN: use-after-free in atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
+ BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
+ BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
+ Read of size 8 at addr ffff8881e84a7c70 by task v4l_id/3659
+
+ CPU: 1 PID: 3659 Comm: v4l_id Not tainted 5.1.0 #8
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+ Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xa9/0x10e lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
+ atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
+ __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
+ fm_v4l2_fops_open+0xac/0x120 [fm_drv]
+ v4l2_open+0x191/0x390 [videodev]
+ chrdev_open+0x20d/0x570 fs/char_dev.c:417
+ do_dentry_open+0x700/0xf30 fs/open.c:777
+ do_last fs/namei.c:3416 [inline]
+ path_openat+0x7c4/0x2a90 fs/namei.c:3532
+ do_filp_open+0x1a5/0x2b0 fs/namei.c:3563
+ do_sys_open+0x302/0x490 fs/open.c:1069
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7f8180c17c8e
+ ...
+ Allocated by task 3642:
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:497
+ fm_drv_init+0x13/0x1000 [fm_drv]
+ do_one_initcall+0xbc/0x47d init/main.c:901
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+ Freed by task 3642:
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
+ slab_free_hook mm/slub.c:1429 [inline]
+ slab_free_freelist_hook mm/slub.c:1456 [inline]
+ slab_free mm/slub.c:3003 [inline]
+ kfree+0xe1/0x270 mm/slub.c:3958
+ fm_drv_init+0x1e6/0x1000 [fm_drv]
+ do_one_initcall+0xbc/0x47d init/main.c:901
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Add relevant unregister functions to fix it.
+
+Cc: Hans Verkuil <hans.verkuil@cisco.com>
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/radio/wl128x/fmdrv_v4l2.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/radio/wl128x/fmdrv_v4l2.c b/drivers/media/radio/wl128x/fmdrv_v4l2.c
+index e25fd4d4d280..a1eaea19a81c 100644
+--- a/drivers/media/radio/wl128x/fmdrv_v4l2.c
++++ b/drivers/media/radio/wl128x/fmdrv_v4l2.c
+@@ -550,6 +550,7 @@ int fm_v4l2_init_video_device(struct fmdev *fmdev, int radio_nr)
+
+ /* Register with V4L2 subsystem as RADIO device */
+ if (video_register_device(&gradio_dev, VFL_TYPE_RADIO, radio_nr)) {
++ v4l2_device_unregister(&fmdev->v4l2_dev);
+ fmerr("Could not register video device\n");
+ return -ENOMEM;
+ }
+@@ -563,6 +564,8 @@ int fm_v4l2_init_video_device(struct fmdev *fmdev, int radio_nr)
+ if (ret < 0) {
+ fmerr("(fmdev): Can't init ctrl handler\n");
+ v4l2_ctrl_handler_free(&fmdev->ctrl_handler);
++ video_unregister_device(fmdev->radio_dev);
++ v4l2_device_unregister(&fmdev->v4l2_dev);
+ return -EBUSY;
+ }
+
+--
+2.16.4
+
diff --git a/patches.drivers/nfc-fix-potential-illegal-memory-access.patch b/patches.drivers/nfc-fix-potential-illegal-memory-access.patch
new file mode 100644
index 0000000000..27f67a8de5
--- /dev/null
+++ b/patches.drivers/nfc-fix-potential-illegal-memory-access.patch
@@ -0,0 +1,36 @@
+From dd006fc434e107ef90f7de0db9907cbc1c521645 Mon Sep 17 00:00:00 2001
+From: Yang Wei <albin_yang@163.com>
+Date: Mon, 8 Jul 2019 22:57:39 +0800
+Subject: [PATCH] nfc: fix potential illegal memory access
+Git-commit: dd006fc434e107ef90f7de0db9907cbc1c521645
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+The frags_q is not properly initialized, it may result in illegal memory
+access when conn_info is NULL.
+The "goto free_exit" should be replaced by "goto exit".
+
+Signed-off-by: Yang Wei <albin_yang@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/nfc/nci/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c
+index 0a0c265baaa4..ce3382be937f 100644
+--- a/net/nfc/nci/data.c
++++ b/net/nfc/nci/data.c
+@@ -107,7 +107,7 @@ static int nci_queue_tx_data_frags(struct nci_dev *ndev,
+ conn_info = nci_get_conn_info_by_conn_id(ndev, conn_id);
+ if (!conn_info) {
+ rc = -EPROTO;
+- goto free_exit;
++ goto exit;
+ }
+
+ __skb_queue_head_init(&frags_q);
+--
+2.16.4
+
diff --git a/patches.drivers/pinctrl-pistachio-fix-leaked-of_node-references.patch b/patches.drivers/pinctrl-pistachio-fix-leaked-of_node-references.patch
new file mode 100644
index 0000000000..890cc1e0ab
--- /dev/null
+++ b/patches.drivers/pinctrl-pistachio-fix-leaked-of_node-references.patch
@@ -0,0 +1,49 @@
+From 44a4455ac2c6b0981eace683a2b6eccf47689022 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Fri, 12 Apr 2019 14:02:19 +0800
+Subject: [PATCH] pinctrl: pistachio: fix leaked of_node references
+Git-commit: 44a4455ac2c6b0981eace683a2b6eccf47689022
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+The call to of_get_child_by_name returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/pinctrl/pinctrl-pistachio.c:1422:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1360, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Cc: linux-gpio@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/pinctrl/pinctrl-pistachio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/pinctrl-pistachio.c b/drivers/pinctrl/pinctrl-pistachio.c
+index aa5f949ef219..5b0678f310e5 100644
+--- a/drivers/pinctrl/pinctrl-pistachio.c
++++ b/drivers/pinctrl/pinctrl-pistachio.c
+@@ -1367,6 +1367,7 @@ static int pistachio_gpio_register(struct pistachio_pinctrl *pctl)
+ if (!of_find_property(child, "gpio-controller", NULL)) {
+ dev_err(pctl->dev,
+ "No gpio-controller property for bank %u\n", i);
++ of_node_put(child);
+ ret = -ENODEV;
+ goto err;
+ }
+@@ -1374,6 +1375,7 @@ static int pistachio_gpio_register(struct pistachio_pinctrl *pctl)
+ irq = irq_of_parse_and_map(child, 0);
+ if (irq < 0) {
+ dev_err(pctl->dev, "No IRQ for bank %u: %d\n", i, irq);
++ of_node_put(child);
+ ret = irq;
+ goto err;
+ }
+--
+2.16.4
+
diff --git a/patches.drivers/pinctrl-rockchip-fix-leaked-of_node-references.patch b/patches.drivers/pinctrl-rockchip-fix-leaked-of_node-references.patch
new file mode 100644
index 0000000000..c298b3a85b
--- /dev/null
+++ b/patches.drivers/pinctrl-rockchip-fix-leaked-of_node-references.patch
@@ -0,0 +1,44 @@
+From 3c89c70634bb0b6f48512de873e7a45c7e1fbaa5 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Mon, 15 Apr 2019 14:24:02 +0800
+Subject: [PATCH] pinctrl: rockchip: fix leaked of_node references
+Git-commit: 3c89c70634bb0b6f48512de873e7a45c7e1fbaa5
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+The call to of_parse_phandle returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/pinctrl/pinctrl-rockchip.c:3221:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3196, but without a corresponding object release within this function.
+./drivers/pinctrl/pinctrl-rockchip.c:3223:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3196, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Cc: Heiko Stuebner <heiko@sntech.de>
+Cc: linux-gpio@vger.kernel.org
+Cc: linux-rockchip@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/pinctrl/pinctrl-rockchip.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/pinctrl-rockchip.c b/drivers/pinctrl/pinctrl-rockchip.c
+index 16bf21bf69a2..64363363fe27 100644
+--- a/drivers/pinctrl/pinctrl-rockchip.c
++++ b/drivers/pinctrl/pinctrl-rockchip.c
+@@ -3212,6 +3212,7 @@ static int rockchip_get_bank_data(struct rockchip_pin_bank *bank,
+ base,
+ &rockchip_regmap_config);
+ }
++ of_node_put(node);
+ }
+
+ bank->irq = irq_of_parse_and_map(bank->of_node, 0);
+--
+2.16.4
+
diff --git a/patches.drivers/serial-8250-Fix-TX-interrupt-handling-condition.patch b/patches.drivers/serial-8250-Fix-TX-interrupt-handling-condition.patch
new file mode 100644
index 0000000000..4463adbbe1
--- /dev/null
+++ b/patches.drivers/serial-8250-Fix-TX-interrupt-handling-condition.patch
@@ -0,0 +1,43 @@
+From db1b5bc047b3cadaedab3826bba82c3d9e023c4b Mon Sep 17 00:00:00 2001
+From: Rautkoski Kimmo EXT <ext-kimmo.rautkoski@vaisala.com>
+Date: Fri, 24 May 2019 09:19:22 +0000
+Subject: [PATCH] serial: 8250: Fix TX interrupt handling condition
+Git-commit: db1b5bc047b3cadaedab3826bba82c3d9e023c4b
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Interrupt handler checked THRE bit (transmitter holding register
+empty) in LSR to detect if TX fifo is empty.
+In case when there is only receive interrupts the TX handling
+got called because THRE bit in LSR is set when there is no
+transmission (FIFO empty). TX handling caused TX stop, which in
+RS-485 half-duplex mode actually resets receiver FIFO. This is not
+desired during reception because of possible data loss.
+
+The fix is to check if THRI is set in IER in addition of the TX
+fifo status. THRI in IER is set when TX is started and cleared
+when TX is stopped.
+This ensures that TX handling is only called when there is really
+transmission on going and an interrupt for THRE and not when there
+are only RX interrupts.
+
+Signed-off-by: Kimmo Rautkoski <ext-kimmo.rautkoski@vaisala.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/tty/serial/8250/8250_port.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -1836,7 +1836,8 @@ int serial8250_handle_irq(struct uart_po
+ status = serial8250_rx_chars(up, status);
+ }
+ serial8250_modem_status(up);
+- if ((!up->dma || up->dma->tx_err) && (status & UART_LSR_THRE))
++ if ((!up->dma || up->dma->tx_err) && (status & UART_LSR_THRE) &&
++ (up->ier & UART_IER_THRI))
+ serial8250_tx_chars(up);
+
+ spin_unlock_irqrestore(&port->lock, flags);
diff --git a/patches.drivers/tty-ldsem-locking-rwsem-Add-missing-ACQUIRE-to-read_.patch b/patches.drivers/tty-ldsem-locking-rwsem-Add-missing-ACQUIRE-to-read_.patch
new file mode 100644
index 0000000000..b3d46d7e14
--- /dev/null
+++ b/patches.drivers/tty-ldsem-locking-rwsem-Add-missing-ACQUIRE-to-read_.patch
@@ -0,0 +1,76 @@
+From 952041a8639a7a3a73a2b6573cb8aa8518bc39f8 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 18 Jul 2019 15:03:15 +0200
+Subject: [PATCH] tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop
+Git-commit: 952041a8639a7a3a73a2b6573cb8aa8518bc39f8
+Patch-mainline: v5.3-rc2
+References: bsc#1051510
+
+While reviewing rwsem down_slowpath, Will noticed ldsem had a copy of
+a bug we just found for rwsem.
+
+ X = 0;
+
+ CPU0 CPU1
+
+ rwsem_down_read()
+ for (;;) {
+ set_current_state(TASK_UNINTERRUPTIBLE);
+
+ X = 1;
+ rwsem_up_write();
+ rwsem_mark_wake()
+ atomic_long_add(adjustment, &sem->count);
+ smp_store_release(&waiter->task, NULL);
+
+ if (!waiter.task)
+ break;
+
+ ...
+ }
+
+ r = X;
+
+Allows 'r == 0'.
+
+Reported-by: Will Deacon <will@kernel.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Will Deacon <will@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Hurley <peter@hurleysoftware.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 4898e640caf0 ("tty: Add timed, writer-prioritized rw semaphore")
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/tty/tty_ldsem.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/tty_ldsem.c b/drivers/tty/tty_ldsem.c
+index 717292c1c0df..60ff236a3d63 100644
+--- a/drivers/tty/tty_ldsem.c
++++ b/drivers/tty/tty_ldsem.c
+@@ -93,8 +93,7 @@ static void __ldsem_wake_readers(struct ld_semaphore *sem)
+
+ list_for_each_entry_safe(waiter, next, &sem->read_wait, list) {
+ tsk = waiter->task;
+- smp_mb();
+- waiter->task = NULL;
++ smp_store_release(&waiter->task, NULL);
+ wake_up_process(tsk);
+ put_task_struct(tsk);
+ }
+@@ -194,7 +193,7 @@ down_read_failed(struct ld_semaphore *sem, long count, long timeout)
+ for (;;) {
+ set_current_state(TASK_UNINTERRUPTIBLE);
+
+- if (!waiter.task)
++ if (!smp_load_acquire(&waiter.task))
+ break;
+ if (!timeout)
+ break;
+--
+2.16.4
+
diff --git a/patches.drivers/tty-max310x-Fix-invalid-baudrate-divisors-calculator.patch b/patches.drivers/tty-max310x-Fix-invalid-baudrate-divisors-calculator.patch
new file mode 100644
index 0000000000..4bf20c8031
--- /dev/null
+++ b/patches.drivers/tty-max310x-Fix-invalid-baudrate-divisors-calculator.patch
@@ -0,0 +1,114 @@
+From 35240ba26a932b279a513f66fa4cabfd7af55221 Mon Sep 17 00:00:00 2001
+From: Serge Semin <fancer.lancer@gmail.com>
+Date: Tue, 14 May 2019 13:14:12 +0300
+Subject: [PATCH] tty: max310x: Fix invalid baudrate divisors calculator
+Git-commit: 35240ba26a932b279a513f66fa4cabfd7af55221
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Current calculator doesn't do it' job quite correct. First of all the
+max310x baud-rates generator supports the divisor being less than 16.
+In this case the x2/x4 modes can be used to double or quadruple
+the reference frequency. But the current baud-rate setter function
+just filters all these modes out by the first condition and setups
+these modes only if there is a clocks-baud division remainder. The former
+doesn't seem right at all, since enabling the x2/x4 modes causes the line
+noise tolerance reduction and should be only used as a last resort to
+enable a requested too high baud-rate.
+
+Finally the fraction is supposed to be calculated from D = Fref/(c*baud)
+formulae, but not from D % 16, which causes the precision loss. So to speak
+the current baud-rate calculator code works well only if the baud perfectly
+fits to the uart reference input frequency.
+
+Lets fix the calculator by implementing the algo fully compliant with
+the fractional baud-rate generator described in the datasheet:
+D = Fref / (c*baud), where c={16,8,4} is the x1/x2/x4 rate mode
+respectively, Fref - reference input frequency. The divisor fraction is
+calculated from the same formulae, but making sure it is found with a
+resolution of 0.0625 (four bits).
+
+Signed-off-by: Serge Semin <fancer.lancer@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/tty/serial/max310x.c | 51 +++++++++++++++++++++++++++-----------------
+ 1 file changed, 31 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c
+index 0e3dc89c459b..ca044f96c5cc 100644
+--- a/drivers/tty/serial/max310x.c
++++ b/drivers/tty/serial/max310x.c
+@@ -501,37 +501,48 @@ static bool max310x_reg_precious(struct device *dev, unsigned int reg)
+
+ static int max310x_set_baud(struct uart_port *port, int baud)
+ {
+- unsigned int mode = 0, clk = port->uartclk, div = clk / baud;
++ unsigned int mode = 0, div = 0, frac = 0, c = 0, F = 0;
+
+- /* Check for minimal value for divider */
+- if (div < 16)
+- div = 16;
+-
+- if (clk % baud && (div / 16) < 0x8000) {
++ /*
++ * Calculate the integer divisor first. Select a proper mode
++ * in case if the requested baud is too high for the pre-defined
++ * clocks frequency.
++ */
++ div = port->uartclk / baud;
++ if (div < 8) {
++ /* Mode x4 */
++ c = 4;
++ mode = MAX310X_BRGCFG_4XMODE_BIT;
++ } else if (div < 16) {
+ /* Mode x2 */
++ c = 8;
+ mode = MAX310X_BRGCFG_2XMODE_BIT;
+- clk = port->uartclk * 2;
+- div = clk / baud;
+-
+- if (clk % baud && (div / 16) < 0x8000) {
+- /* Mode x4 */
+- mode = MAX310X_BRGCFG_4XMODE_BIT;
+- clk = port->uartclk * 4;
+- div = clk / baud;
+- }
++ } else {
++ c = 16;
+ }
+
+- max310x_port_write(port, MAX310X_BRGDIVMSB_REG, (div / 16) >> 8);
+- max310x_port_write(port, MAX310X_BRGDIVLSB_REG, div / 16);
+- max310x_port_write(port, MAX310X_BRGCFG_REG, (div % 16) | mode);
++ /* Calculate the divisor in accordance with the fraction coefficient */
++ div /= c;
++ F = c*baud;
++
++ /* Calculate the baud rate fraction */
++ if (div > 0)
++ frac = (16*(port->uartclk % F)) / F;
++ else
++ div = 1;
++
++ max310x_port_write(port, MAX310X_BRGDIVMSB_REG, div >> 8);
++ max310x_port_write(port, MAX310X_BRGDIVLSB_REG, div);
++ max310x_port_write(port, MAX310X_BRGCFG_REG, frac | mode);
+
+- return DIV_ROUND_CLOSEST(clk, div);
++ /* Return the actual baud rate we just programmed */
++ return (16*port->uartclk) / (c*(16*div + frac));
+ }
+
+ static int max310x_update_best_err(unsigned long f, long *besterr)
+ {
+ /* Use baudrate 115200 for calculate error */
+- long err = f % (115200 * 16);
++ long err = f % (460800 * 16);
+
+ if ((*besterr < 0) || (*besterr > err)) {
+ *besterr = err;
+--
+2.16.4
+
diff --git a/patches.drivers/tty-serial-digicolor-Fix-digicolor-usart-already-reg.patch b/patches.drivers/tty-serial-digicolor-Fix-digicolor-usart-already-reg.patch
new file mode 100644
index 0000000000..80005b2f6b
--- /dev/null
+++ b/patches.drivers/tty-serial-digicolor-Fix-digicolor-usart-already-reg.patch
@@ -0,0 +1,46 @@
+From c7ad9ba0611c53cfe194223db02e3bca015f0674 Mon Sep 17 00:00:00 2001
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+Date: Fri, 31 May 2019 21:37:33 +0800
+Subject: [PATCH] tty/serial: digicolor: Fix digicolor-usart already registered warning
+Git-commit: c7ad9ba0611c53cfe194223db02e3bca015f0674
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+When modprobe/rmmod/modprobe module, if platform_driver_register() fails,
+the kernel complained,
+
+ proc_dir_entry 'driver/digicolor-usart' already registered
+ WARNING: CPU: 1 PID: 5636 at fs/proc/generic.c:360 proc_register+0x19d/0x270
+
+Fix this by adding uart_unregister_driver() when platform_driver_register() fails.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Acked-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/tty/serial/digicolor-usart.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/digicolor-usart.c b/drivers/tty/serial/digicolor-usart.c
+index f460cca139e2..13ac36e2da4f 100644
+--- a/drivers/tty/serial/digicolor-usart.c
++++ b/drivers/tty/serial/digicolor-usart.c
+@@ -541,7 +541,11 @@ static int __init digicolor_uart_init(void)
+ if (ret)
+ return ret;
+
+- return platform_driver_register(&digicolor_uart_platform);
++ ret = platform_driver_register(&digicolor_uart_platform);
++ if (ret)
++ uart_unregister_driver(&digicolor_uart);
++
++ return ret;
+ }
+ module_init(digicolor_uart_init);
+
+--
+2.16.4
+
diff --git a/patches.drivers/tty-serial-msm_serial-avoid-system-lockup-condition.patch b/patches.drivers/tty-serial-msm_serial-avoid-system-lockup-condition.patch
new file mode 100644
index 0000000000..a56c360910
--- /dev/null
+++ b/patches.drivers/tty-serial-msm_serial-avoid-system-lockup-condition.patch
@@ -0,0 +1,45 @@
+From ba3684f99f1b25d2a30b6956d02d339d7acb9799 Mon Sep 17 00:00:00 2001
+From: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
+Date: Mon, 10 Jun 2019 19:23:08 +0200
+Subject: [PATCH] tty: serial: msm_serial: avoid system lockup condition
+Git-commit: ba3684f99f1b25d2a30b6956d02d339d7acb9799
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+The function msm_wait_for_xmitr can be taken with interrupts
+disabled. In order to avoid a potential system lockup - demonstrated
+under stress testing conditions on SoC QCS404/5 - make sure we wait
+for a bounded amount of time.
+
+Tested on SoC QCS404.
+
+Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/tty/serial/msm_serial.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c
+index 23833ad952ba..3657a24913fc 100644
+--- a/drivers/tty/serial/msm_serial.c
++++ b/drivers/tty/serial/msm_serial.c
+@@ -383,10 +383,14 @@ static void msm_request_rx_dma(struct msm_port *msm_port, resource_size_t base)
+
+ static inline void msm_wait_for_xmitr(struct uart_port *port)
+ {
++ unsigned int timeout = 500000;
++
+ while (!(msm_read(port, UART_SR) & UART_SR_TX_EMPTY)) {
+ if (msm_read(port, UART_ISR) & UART_ISR_TX_READY)
+ break;
+ udelay(1);
++ if (!timeout--)
++ break;
+ }
+ msm_write(port, UART_CR_CMD_RESET_TX_READY, UART_CR);
+ }
+--
+2.16.4
+
diff --git a/patches.drivers/tua6100-Avoid-build-warnings.patch b/patches.drivers/tua6100-Avoid-build-warnings.patch
new file mode 100644
index 0000000000..5699a11e4e
--- /dev/null
+++ b/patches.drivers/tua6100-Avoid-build-warnings.patch
@@ -0,0 +1,96 @@
+From 621ccc6cc5f8d6730b740d31d4818227866c93c9 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Thu, 30 May 2019 11:36:15 -0700
+Subject: [PATCH] tua6100: Avoid build warnings.
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 621ccc6cc5f8d6730b740d31d4818227866c93c9
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Rename _P to _P_VAL and _R to _R_VAL to avoid global
+namespace conflicts:
+
+Drivers/media/dvb-frontends/tua6100.c: In function ‘tua6100_set_params’:
+drivers/media/dvb-frontends/tua6100.c:79: warning: "_P" redefined
+ #define _P 32
+
+In file included from ./include/acpi/platform/aclinux.h:54,
+ from ./include/acpi/platform/acenv.h:152,
+ from ./include/acpi/acpi.h:22,
+ from ./include/linux/acpi.h:34,
+ from ./include/linux/i2c.h:17,
+ from drivers/media/dvb-frontends/tua6100.h:30,
+ from drivers/media/dvb-frontends/tua6100.c:32:
+./include/linux/ctype.h:14: note: this is the location of the previous definition
+ #define _P 0x10 /* punct */
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/media/dvb-frontends/tua6100.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/tua6100.c b/drivers/media/dvb-frontends/tua6100.c
+index b233b7be0b84..e6aaf4973aef 100644
+--- a/drivers/media/dvb-frontends/tua6100.c
++++ b/drivers/media/dvb-frontends/tua6100.c
+@@ -75,8 +75,8 @@ static int tua6100_set_params(struct dvb_frontend *fe)
+ struct i2c_msg msg1 = { .addr = priv->i2c_address, .flags = 0, .buf = reg1, .len = 4 };
+ struct i2c_msg msg2 = { .addr = priv->i2c_address, .flags = 0, .buf = reg2, .len = 3 };
+
+-#define _R 4
+-#define _P 32
++#define _R_VAL 4
++#define _P_VAL 32
+ #define _ri 4000000
+
+ // setup register 0
+@@ -91,14 +91,14 @@ static int tua6100_set_params(struct dvb_frontend *fe)
+ else
+ reg1[1] = 0x0c;
+
+- if (_P == 64)
++ if (_P_VAL == 64)
+ reg1[1] |= 0x40;
+ if (c->frequency >= 1525000)
+ reg1[1] |= 0x80;
+
+ // register 2
+- reg2[1] = (_R >> 8) & 0x03;
+- reg2[2] = _R;
++ reg2[1] = (_R_VAL >> 8) & 0x03;
++ reg2[2] = _R_VAL;
+ if (c->frequency < 1455000)
+ reg2[1] |= 0x1c;
+ else if (c->frequency < 1630000)
+@@ -110,18 +110,18 @@ static int tua6100_set_params(struct dvb_frontend *fe)
+ * The N divisor ratio (note: c->frequency is in kHz, but we
+ * need it in Hz)
+ */
+- prediv = (c->frequency * _R) / (_ri / 1000);
+- div = prediv / _P;
++ prediv = (c->frequency * _R_VAL) / (_ri / 1000);
++ div = prediv / _P_VAL;
+ reg1[1] |= (div >> 9) & 0x03;
+ reg1[2] = div >> 1;
+ reg1[3] = (div << 7);
+- priv->frequency = ((div * _P) * (_ri / 1000)) / _R;
++ priv->frequency = ((div * _P_VAL) * (_ri / 1000)) / _R_VAL;
+
+ // Finally, calculate and store the value for A
+- reg1[3] |= (prediv - (div*_P)) & 0x7f;
++ reg1[3] |= (prediv - (div*_P_VAL)) & 0x7f;
+
+-#undef _R
+-#undef _P
++#undef _R_VAL
++#undef _P_VAL
+ #undef _ri
+
+ if (fe->ops.i2c_gate_ctrl)
+--
+2.16.4
+
diff --git a/patches.drivers/usb-Handle-USB3-remote-wakeup-for-LPM-enabled-device.patch b/patches.drivers/usb-Handle-USB3-remote-wakeup-for-LPM-enabled-device.patch
new file mode 100644
index 0000000000..f8c3ab7902
--- /dev/null
+++ b/patches.drivers/usb-Handle-USB3-remote-wakeup-for-LPM-enabled-device.patch
@@ -0,0 +1,64 @@
+From e244c4699f859cf7149b0781b1894c7996a8a1df Mon Sep 17 00:00:00 2001
+From: "Lee, Chiasheng" <chiasheng.lee@intel.com>
+Date: Thu, 20 Jun 2019 10:56:04 +0300
+Subject: [PATCH] usb: Handle USB3 remote wakeup for LPM enabled devices correctly
+Git-commit: e244c4699f859cf7149b0781b1894c7996a8a1df
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+With Link Power Management (LPM) enabled USB3 links transition to low
+power U1/U2 link states from U0 state automatically.
+
+Current hub code detects USB3 remote wakeups by checking if the software
+state still shows suspended, but the link has transitioned from suspended
+U3 to enabled U0 state.
+
+As it takes some time before the hub thread reads the port link state
+after a USB3 wake notification, the link may have transitioned from U0
+to U1/U2, and wake is not detected by hub code.
+
+Fix this by handling U1/U2 states in the same way as U0 in USB3 wakeup
+handling
+
+This patch should be added to stable kernels since 4.13 where LPM was
+kept enabled during suspend/resume
+
+Cc: <stable@vger.kernel.org> # v4.13+
+Signed-off-by: Lee, Chiasheng <chiasheng.lee@intel.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/core/hub.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index a59e1573b43b..236313f41f4a 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -3619,6 +3619,7 @@ static int hub_handle_remote_wakeup(struct usb_hub *hub, unsigned int port,
+ struct usb_device *hdev;
+ struct usb_device *udev;
+ int connect_change = 0;
++ u16 link_state;
+ int ret;
+
+ hdev = hub->hdev;
+@@ -3628,9 +3629,11 @@ static int hub_handle_remote_wakeup(struct usb_hub *hub, unsigned int port,
+ return 0;
+ usb_clear_port_feature(hdev, port, USB_PORT_FEAT_C_SUSPEND);
+ } else {
++ link_state = portstatus & USB_PORT_STAT_LINK_STATE;
+ if (!udev || udev->state != USB_STATE_SUSPENDED ||
+- (portstatus & USB_PORT_STAT_LINK_STATE) !=
+- USB_SS_PORT_LS_U0)
++ (link_state != USB_SS_PORT_LS_U0 &&
++ link_state != USB_SS_PORT_LS_U1 &&
++ link_state != USB_SS_PORT_LS_U2))
+ return 0;
+ }
+
+--
+2.16.4
+
diff --git a/patches.drivers/usb-core-hub-Disable-hub-initiated-U1-U2.patch b/patches.drivers/usb-core-hub-Disable-hub-initiated-U1-U2.patch
new file mode 100644
index 0000000000..9629ef4ca7
--- /dev/null
+++ b/patches.drivers/usb-core-hub-Disable-hub-initiated-U1-U2.patch
@@ -0,0 +1,83 @@
+From 561759292774707b71ee61aecc07724905bb7ef1 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Tue, 14 May 2019 14:38:38 -0700
+Subject: [PATCH] usb: core: hub: Disable hub-initiated U1/U2
+Git-commit: 561759292774707b71ee61aecc07724905bb7ef1
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+If the device rejects the control transfer to enable device-initiated
+U1/U2 entry, then the device will not initiate U1/U2 transition. To
+improve the performance, the downstream port should not initate
+transition to U1/U2 to avoid the delay from the device link command
+response (no packet can be transmitted while waiting for a response from
+the device). If the device has some quirks and does not implement U1/U2,
+it may reject all the link state change requests, and the downstream
+port may resend and flood the bus with more requests. This will affect
+the device performance even further. This patch disables the
+hub-initated U1/U2 if the device-initiated U1/U2 entry fails.
+
+Reference: USB 3.2 spec 7.2.4.2.3
+
+Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/core/hub.c | 28 ++++++++++++++++------------
+ 1 file changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 026b652d4f38..572e8c26a129 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -3999,6 +3999,9 @@ static int usb_set_lpm_timeout(struct usb_device *udev,
+ * control transfers to set the hub timeout or enable device-initiated U1/U2
+ * will be successful.
+ *
++ * If the control transfer to enable device-initiated U1/U2 entry fails, then
++ * hub-initiated U1/U2 will be disabled.
++ *
+ * If we cannot set the parent hub U1/U2 timeout, we attempt to let the xHCI
+ * driver know about it. If that call fails, it should be harmless, and just
+ * take up more slightly more bus bandwidth for unnecessary U1/U2 exit latency.
+@@ -4053,23 +4056,24 @@ static void usb_enable_link_state(struct usb_hcd *hcd, struct usb_device *udev,
+ * host know that this link state won't be enabled.
+ */
+ hcd->driver->disable_usb3_lpm_timeout(hcd, udev, state);
+- } else {
+- /* Only a configured device will accept the Set Feature
+- * U1/U2_ENABLE
+- */
+- if (udev->actconfig)
+- usb_set_device_initiated_lpm(udev, state, true);
++ return;
++ }
+
+- /* As soon as usb_set_lpm_timeout(timeout) returns 0, the
+- * hub-initiated LPM is enabled. Thus, LPM is enabled no
+- * matter the result of usb_set_device_initiated_lpm().
+- * The only difference is whether device is able to initiate
+- * LPM.
+- */
++ /* Only a configured device will accept the Set Feature
++ * U1/U2_ENABLE
++ */
++ if (udev->actconfig &&
++ usb_set_device_initiated_lpm(udev, state, true) == 0) {
+ if (state == USB3_LPM_U1)
+ udev->usb3_lpm_u1_enabled = 1;
+ else if (state == USB3_LPM_U2)
+ udev->usb3_lpm_u2_enabled = 1;
++ } else {
++ /* Don't request U1/U2 entry if the device
++ * cannot transition to U1/U2.
++ */
++ usb_set_lpm_timeout(udev, state, 0);
++ hcd->driver->disable_usb3_lpm_timeout(hcd, udev, state);
+ }
+ }
+
+--
+2.16.4
+
diff --git a/patches.drivers/usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch b/patches.drivers/usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch
new file mode 100644
index 0000000000..07c5053356
--- /dev/null
+++ b/patches.drivers/usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch
@@ -0,0 +1,66 @@
+From f90bf1ece48a736097ea224430578fe586a9544c Mon Sep 17 00:00:00 2001
+From: Phong Tran <tranmanphong@gmail.com>
+Date: Wed, 24 Jul 2019 09:06:01 +0700
+Subject: [PATCH] usb: wusbcore: fix unbalanced get/put cluster_id
+Git-commit: f90bf1ece48a736097ea224430578fe586a9544c
+Patch-mainline: v5.3-rc2
+References: bsc#1051510
+
+syzboot reported that
+https://syzkaller.appspot.com/bug?extid=fd2bd7df88c606eea4ef
+
+There is not consitency parameter in cluste_id_get/put calling.
+In case of getting the id with result is failure, the wusbhc->cluster_id
+will not be updated and this can not be used for wusb_cluster_id_put().
+
+Tested report
+https://groups.google.com/d/msg/syzkaller-bugs/0znZopp3-9k/oxOrhLkLEgAJ
+
+Reproduce and gdb got the details:
+
+139 addr = wusb_cluster_id_get();
+(gdb) n
+140 if (addr == 0)
+(gdb) print addr
+$1 = 254 '\376'
+(gdb) n
+142 result = __hwahc_set_cluster_id(hwahc, addr);
+(gdb) print result
+$2 = -71
+(gdb) break wusb_cluster_id_put
+Breakpoint 3 at 0xffffffff836e3f20: file drivers/usb/wusbcore/wusbhc.c, line 384.
+(gdb) s
+Thread 2 hit Breakpoint 3, wusb_cluster_id_put (id=0 '\000') at drivers/usb/wusbcore/wusbhc.c:384
+384 id = 0xff - id;
+(gdb) n
+385 BUG_ON(id >= CLUSTER_IDS);
+(gdb) print id
+$3 = 255 '\377'
+
+Reported-by: syzbot+fd2bd7df88c606eea4ef@syzkaller.appspotmail.com
+Signed-off-by: Phong Tran <tranmanphong@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190724020601.15257-1-tranmanphong@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/usb/host/hwa-hc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/hwa-hc.c b/drivers/usb/host/hwa-hc.c
+index 09a8ebd95588..6968b9f2b76b 100644
+--- a/drivers/usb/host/hwa-hc.c
++++ b/drivers/usb/host/hwa-hc.c
+@@ -159,7 +159,7 @@ static int hwahc_op_start(struct usb_hcd *usb_hcd)
+ return result;
+
+ error_set_cluster_id:
+- wusb_cluster_id_put(wusbhc->cluster_id);
++ wusb_cluster_id_put(addr);
+ error_cluster_id_get:
+ goto out;
+
+--
+2.16.4
+
diff --git a/patches.drm/drm-bridge-sii902x-pixel-clock-unit-is-10kHz-instead.patch b/patches.drm/drm-bridge-sii902x-pixel-clock-unit-is-10kHz-instead.patch
new file mode 100644
index 0000000000..16760908ea
--- /dev/null
+++ b/patches.drm/drm-bridge-sii902x-pixel-clock-unit-is-10kHz-instead.patch
@@ -0,0 +1,44 @@
+From 8dbfc5b65023b67397aca28e8adb25c819f6398c Mon Sep 17 00:00:00 2001
+From: Jyri Sarha <jsarha@ti.com>
+Date: Mon, 27 May 2019 16:47:54 +0300
+Subject: [PATCH] drm/bridge: sii902x: pixel clock unit is 10kHz instead of 1kHz
+Git-commit: 8dbfc5b65023b67397aca28e8adb25c819f6398c
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+The pixel clock unit in the first two registers (0x00 and 0x01) of
+sii9022 is 10kHz, not 1kHz as in struct drm_display_mode. Division by
+10 fixes the issue.
+
+Signed-off-by: Jyri Sarha <jsarha@ti.com>
+Reviewed-by: Andrzej Hajda <a.hajda@samsung.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1a2a8eae0b9d6333e7a5841026bf7fd65c9ccd09.1558964241.git.jsarha@ti.com
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/bridge/sii902x.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/sii902x.c b/drivers/gpu/drm/bridge/sii902x.c
+index 2ced4f404cae..beb200141d1d 100644
+--- a/drivers/gpu/drm/bridge/sii902x.c
++++ b/drivers/gpu/drm/bridge/sii902x.c
+@@ -249,10 +249,11 @@ static void sii902x_bridge_mode_set(struct drm_bridge *bridge,
+ struct regmap *regmap = sii902x->regmap;
+ u8 buf[HDMI_INFOFRAME_SIZE(AVI)];
+ struct hdmi_avi_infoframe frame;
++ u16 pixel_clock_10kHz = adj->clock / 10;
+ int ret;
+
+- buf[0] = adj->clock;
+- buf[1] = adj->clock >> 8;
++ buf[0] = pixel_clock_10kHz & 0xff;
++ buf[1] = pixel_clock_10kHz >> 8;
+ buf[2] = adj->vrefresh;
+ buf[3] = 0x00;
+ buf[4] = adj->hdisplay;
+--
+2.16.4
+
diff --git a/patches.drm/drm-bridge-tc358767-read-display_props-in-get_modes.patch b/patches.drm/drm-bridge-tc358767-read-display_props-in-get_modes.patch
new file mode 100644
index 0000000000..4e93d469b1
--- /dev/null
+++ b/patches.drm/drm-bridge-tc358767-read-display_props-in-get_modes.patch
@@ -0,0 +1,46 @@
+From 3231573065ad4f4ecc5c9147b24f29f846dc0c2f Mon Sep 17 00:00:00 2001
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Date: Tue, 28 May 2019 11:27:44 +0300
+Subject: [PATCH] drm/bridge: tc358767: read display_props in get_modes()
+Git-commit: 3231573065ad4f4ecc5c9147b24f29f846dc0c2f
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+We need to know the link bandwidth to filter out modes we cannot
+support, so we need to have read the display props before doing the
+filtering.
+
+To ensure we have up to date display props, call tc_get_display_props()
+in the beginning of tc_connector_get_modes().
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Reviewed-by: Andrzej Hajda <a.hajda@samsung.com>
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190528082747.3631-22-tomi.valkeinen@ti.com
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/bridge/tc358767.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/gpu/drm/bridge/tc358767.c b/drivers/gpu/drm/bridge/tc358767.c
+index ffcbecf69d40..2b9d6046d76e 100644
+--- a/drivers/gpu/drm/bridge/tc358767.c
++++ b/drivers/gpu/drm/bridge/tc358767.c
+@@ -1188,6 +1188,13 @@ static int tc_connector_get_modes(struct drm_connector *connector)
+ struct tc_data *tc = connector_to_tc(connector);
+ struct edid *edid;
+ unsigned int count;
++ int ret;
++
++ ret = tc_get_display_props(tc);
++ if (ret < 0) {
++ dev_err(tc->dev, "failed to read display props: %d\n", ret);
++ return 0;
++ }
+
+ if (tc->panel && tc->panel->funcs && tc->panel->funcs->get_modes) {
+ count = tc->panel->funcs->get_modes(tc->panel);
+--
+2.16.4
+
diff --git a/patches.drm/drm-crc-debugfs-User-irqsafe-spinlock-in-drm_crtc_ad.patch b/patches.drm/drm-crc-debugfs-User-irqsafe-spinlock-in-drm_crtc_ad.patch
new file mode 100644
index 0000000000..34f3a1fec6
--- /dev/null
+++ b/patches.drm/drm-crc-debugfs-User-irqsafe-spinlock-in-drm_crtc_ad.patch
@@ -0,0 +1,52 @@
+From 1882018a70e06376234133e69ede9dd743b4dbd9 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Wed, 5 Jun 2019 21:45:56 +0200
+Subject: [PATCH] drm/crc-debugfs: User irqsafe spinlock in drm_crtc_add_crc_entry
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 1882018a70e06376234133e69ede9dd743b4dbd9
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+We can be called from any context, we need to be prepared.
+
+Noticed this while hacking on vkms, which calls this function from a
+normal worker. Which really upsets lockdep.
+
+Cc: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
+Cc: Tomeu Vizoso <tomeu.vizoso@collabora.com>
+Cc: Emil Velikov <emil.velikov@collabora.com>
+Cc: Benjamin Gaignard <benjamin.gaignard@linaro.org>
+Reviewed-by: Benjamin Gaignard <benjamin.gaignard@linaro.org>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190605194556.16744-1-daniel.vetter@ffwll.ch
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/drm_debugfs_crc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/drm_debugfs_crc.c
++++ b/drivers/gpu/drm/drm_debugfs_crc.c
+@@ -343,8 +343,9 @@ int drm_crtc_add_crc_entry(struct drm_cr
+ struct drm_crtc_crc *crc = &crtc->crc;
+ struct drm_crtc_crc_entry *entry;
+ int head, tail;
++ unsigned long flags;
+
+- spin_lock(&crc->lock);
++ spin_lock_irqsave(&crc->lock, flags);
+
+ /* Caller may not have noticed yet that userspace has stopped reading */
+ if (!crc->opened) {
+@@ -369,7 +370,7 @@ int drm_crtc_add_crc_entry(struct drm_cr
+ head = (head + 1) & (DRM_CRC_ENTRIES_NR - 1);
+ crc->head = head;
+
+- spin_unlock(&crc->lock);
++ spin_unlock_irqrestore(&crc->lock, flags);
+
+ wake_up_interruptible(&crc->wq);
+
diff --git a/patches.drm/drm-msm-Depopulate-platform-on-probe-failure.patch b/patches.drm/drm-msm-Depopulate-platform-on-probe-failure.patch
new file mode 100644
index 0000000000..383b7510f8
--- /dev/null
+++ b/patches.drm/drm-msm-Depopulate-platform-on-probe-failure.patch
@@ -0,0 +1,62 @@
+From 4368a1539c6b41ac3cddc06f5a5117952998804c Mon Sep 17 00:00:00 2001
+From: Sean Paul <seanpaul@chromium.org>
+Date: Mon, 17 Jun 2019 16:12:51 -0400
+Subject: [PATCH] drm/msm: Depopulate platform on probe failure
+Git-commit: 4368a1539c6b41ac3cddc06f5a5117952998804c
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+add_display_components() calls of_platform_populate, and we depopluate
+on pdev remove, but not when probe fails. So if we get a probe deferral
+in one of the components, we won't depopulate the platform. This causes
+the core to keep references to devices which should be destroyed, which
+causes issues when those same devices try to re-initialize on the next
+probe attempt.
+
+I think this is the reason we had issues with the gmu's device-managed
+resources on deferral (worked around in commit 94e3a17f33a5).
+
+Reviewed-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190617201301.133275-3-sean@poorly.run
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/msm/msm_drv.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
+index 4c51063531f1..72139ddcede6 100644
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -1319,16 +1319,24 @@ static int msm_pdev_probe(struct platform_device *pdev)
+
+ ret = add_gpu_components(&pdev->dev, &match);
+ if (ret)
+- return ret;
++ goto fail;
+
+ /* on all devices that I am aware of, iommu's which can map
+ * any address the cpu can see are used:
+ */
+ ret = dma_set_mask_and_coherent(&pdev->dev, ~0);
+ if (ret)
+- return ret;
++ goto fail;
++
++ ret = component_master_add_with_match(&pdev->dev, &msm_drm_ops, match);
++ if (ret)
++ goto fail;
+
+- return component_master_add_with_match(&pdev->dev, &msm_drm_ops, match);
++ return 0;
++
++fail:
++ of_platform_depopulate(&pdev->dev);
++ return ret;
+ }
+
+ static int msm_pdev_remove(struct platform_device *pdev)
+--
+2.16.4
+
diff --git a/patches.drm/drm-panel-simple-Fix-panel_simple_dsi_probe.patch b/patches.drm/drm-panel-simple-Fix-panel_simple_dsi_probe.patch
new file mode 100644
index 0000000000..e0adb160c8
--- /dev/null
+++ b/patches.drm/drm-panel-simple-Fix-panel_simple_dsi_probe.patch
@@ -0,0 +1,43 @@
+From 7ad9db66fafb0f0ad53fd2a66217105da5ddeffe Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Tue, 26 Feb 2019 10:11:53 +0200
+Subject: [PATCH] drm/panel: simple: Fix panel_simple_dsi_probe
+Git-commit: 7ad9db66fafb0f0ad53fd2a66217105da5ddeffe
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+In case mipi_dsi_attach() fails remove the registered panel to avoid added
+panel without corresponding device.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190226081153.31334-1-peter.ujfalusi@ti.com
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/panel/panel-simple.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index 265d6ca44bbb..0865f4f42115 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -3161,7 +3161,14 @@ static int panel_simple_dsi_probe(struct mipi_dsi_device *dsi)
+ dsi->format = desc->format;
+ dsi->lanes = desc->lanes;
+
+- return mipi_dsi_attach(dsi);
++ err = mipi_dsi_attach(dsi);
++ if (err) {
++ struct panel_simple *panel = dev_get_drvdata(&dsi->dev);
++
++ drm_panel_remove(&panel->base);
++ }
++
++ return err;
+ }
+
+ static int panel_simple_dsi_remove(struct mipi_dsi_device *dsi)
+--
+2.16.4
+
diff --git a/patches.drm/drm-virtio-Add-memory-barriers-for-capset-cache.patch b/patches.drm/drm-virtio-Add-memory-barriers-for-capset-cache.patch
new file mode 100644
index 0000000000..0ca5a3a275
--- /dev/null
+++ b/patches.drm/drm-virtio-Add-memory-barriers-for-capset-cache.patch
@@ -0,0 +1,45 @@
+From 9ff3a5c88e1f1ab17a31402b96d45abe14aab9d7 Mon Sep 17 00:00:00 2001
+From: David Riley <davidriley@chromium.org>
+Date: Mon, 10 Jun 2019 14:18:10 -0700
+Subject: [PATCH] drm/virtio: Add memory barriers for capset cache.
+Git-commit: 9ff3a5c88e1f1ab17a31402b96d45abe14aab9d7
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+After data is copied to the cache entry, atomic_set is used indicate
+that the data is the entry is valid without appropriate memory barriers.
+Similarly the read side was missing the corresponding memory barriers.
+
+Signed-off-by: David Riley <davidriley@chromium.org>
+Link: http://patchwork.freedesktop.org/patch/msgid/20190610211810.253227-5-davidriley@chromium.org
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/gpu/drm/virtio/virtgpu_ioctl.c | 3 +++
+ drivers/gpu/drm/virtio/virtgpu_vq.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c
++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
+@@ -521,6 +521,9 @@ static int virtio_gpu_get_caps_ioctl(str
+ ret = wait_event_timeout(vgdev->resp_wq,
+ atomic_read(&cache_ent->is_valid), 5 * HZ);
+
++ /* is_valid check must proceed before copy of the cache entry. */
++ smp_rmb();
++
+ ptr = cache_ent->caps_cache;
+
+ copy_exit:
+--- a/drivers/gpu/drm/virtio/virtgpu_vq.c
++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c
+@@ -585,6 +585,8 @@ static void virtio_gpu_cmd_capset_cb(str
+ cache_ent->id == le32_to_cpu(cmd->capset_id)) {
+ memcpy(cache_ent->caps_cache, resp->capset_data,
+ cache_ent->size);
++ /* Copy must occur before is_valid is signalled. */
++ smp_wmb();
+ atomic_set(&cache_ent->is_valid, 1);
+ break;
+ }
diff --git a/patches.fixes/0001-KVM-arm-arm64-Properly-protect-VGIC-locks-from-IRQs.patch b/patches.fixes/0001-KVM-arm-arm64-Properly-protect-VGIC-locks-from-IRQs.patch
index 089ad5f535..3db1c44f09 100644
--- a/patches.fixes/0001-KVM-arm-arm64-Properly-protect-VGIC-locks-from-IRQs.patch
+++ b/patches.fixes/0001-KVM-arm-arm64-Properly-protect-VGIC-locks-from-IRQs.patch
@@ -29,16 +29,14 @@ Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Liang Yan <lyan@suse.com>
---
- virt/kvm/arm/vgic/vgic-debug.c | 5 +++--
- virt/kvm/arm/vgic/vgic-its.c | 10 ++++++----
- virt/kvm/arm/vgic/vgic.c | 22 ++++++++++++++--------
+ virt/kvm/arm/vgic/vgic-debug.c | 5 +++--
+ virt/kvm/arm/vgic/vgic-its.c | 10 ++++++----
+ virt/kvm/arm/vgic/vgic.c | 22 ++++++++++++++--------
3 files changed, 23 insertions(+), 14 deletions(-)
-diff --git a/virt/kvm/arm/vgic/vgic-debug.c b/virt/kvm/arm/vgic/vgic-debug.c
-index 10b38178cff2..4ffc0b5e6105 100644
--- a/virt/kvm/arm/vgic/vgic-debug.c
+++ b/virt/kvm/arm/vgic/vgic-debug.c
-@@ -211,6 +211,7 @@ static int vgic_debug_show(struct seq_file *s, void *v)
+@@ -211,6 +211,7 @@ static int vgic_debug_show(struct seq_fi
struct vgic_state_iter *iter = (struct vgic_state_iter *)v;
struct vgic_irq *irq;
struct kvm_vcpu *vcpu = NULL;
@@ -46,7 +44,7 @@ index 10b38178cff2..4ffc0b5e6105 100644
if (iter->dist_id == 0) {
print_dist_state(s, &kvm->arch.vgic);
-@@ -227,9 +228,9 @@ static int vgic_debug_show(struct seq_file *s, void *v)
+@@ -227,9 +228,9 @@ static int vgic_debug_show(struct seq_fi
irq = &kvm->arch.vgic.spis[iter->intid - VGIC_NR_PRIVATE_IRQS];
}
@@ -58,11 +56,9 @@ index 10b38178cff2..4ffc0b5e6105 100644
return 0;
}
-diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c
-index 8e633bd9cc1e..396cf598c78f 100644
--- a/virt/kvm/arm/vgic/vgic-its.c
+++ b/virt/kvm/arm/vgic/vgic-its.c
-@@ -52,6 +52,7 @@ static struct vgic_irq *vgic_add_lpi(struct kvm *kvm, u32 intid,
+@@ -52,6 +52,7 @@ static struct vgic_irq *vgic_add_lpi(str
{
struct vgic_dist *dist = &kvm->arch.vgic;
struct vgic_irq *irq = vgic_get_irq(kvm, NULL, intid), *oldirq;
@@ -70,7 +66,7 @@ index 8e633bd9cc1e..396cf598c78f 100644
int ret;
/* In this case there is no put, since we keep the reference. */
-@@ -71,7 +72,7 @@ static struct vgic_irq *vgic_add_lpi(struct kvm *kvm, u32 intid,
+@@ -71,7 +72,7 @@ static struct vgic_irq *vgic_add_lpi(str
irq->intid = intid;
irq->target_vcpu = vcpu;
@@ -79,7 +75,7 @@ index 8e633bd9cc1e..396cf598c78f 100644
/*
* There could be a race with another vgic_add_lpi(), so we need to
-@@ -99,7 +100,7 @@ static struct vgic_irq *vgic_add_lpi(struct kvm *kvm, u32 intid,
+@@ -99,7 +100,7 @@ static struct vgic_irq *vgic_add_lpi(str
dist->lpi_list_count++;
out_unlock:
@@ -88,23 +84,24 @@ index 8e633bd9cc1e..396cf598c78f 100644
/*
* We "cache" the configuration table entries in our struct vgic_irq's.
-@@ -315,6 +316,7 @@ static int vgic_copy_lpi_list(struct kvm_vcpu *vcpu, u32 **intid_ptr)
+@@ -315,6 +316,7 @@ static int vgic_copy_lpi_list(struct kvm
{
struct vgic_dist *dist = &vcpu->kvm->arch.vgic;
struct vgic_irq *irq;
+ unsigned long flags;
u32 *intids;
- int irq_count = dist->lpi_list_count, i = 0;
+ int irq_count, i = 0;
-@@ -329,14 +331,14 @@ static int vgic_copy_lpi_list(struct kvm_vcpu *vcpu, u32 **intid_ptr)
+@@ -330,7 +332,7 @@ static int vgic_copy_lpi_list(struct kvm
if (!intids)
return -ENOMEM;
- spin_lock(&dist->lpi_list_lock);
+ spin_lock_irqsave(&dist->lpi_list_lock, flags);
list_for_each_entry(irq, &dist->lpi_list_head, lpi_list) {
- /* We don't need to "get" the IRQ, as we hold the list lock. */
- if (irq->target_vcpu != vcpu)
+ if (i == irq_count)
+ break;
+@@ -339,7 +341,7 @@ static int vgic_copy_lpi_list(struct kvm
continue;
intids[i++] = irq->intid;
}
@@ -113,11 +110,9 @@ index 8e633bd9cc1e..396cf598c78f 100644
*intid_ptr = intids;
return i;
-diff --git a/virt/kvm/arm/vgic/vgic.c b/virt/kvm/arm/vgic/vgic.c
-index ecb8e25f5fe5..d7c9198e33bd 100644
--- a/virt/kvm/arm/vgic/vgic.c
+++ b/virt/kvm/arm/vgic/vgic.c
-@@ -40,9 +40,13 @@ struct vgic_global kvm_vgic_global_state __ro_after_init = {
+@@ -40,9 +40,13 @@ struct vgic_global kvm_vgic_global_state
* kvm->lock (mutex)
* its->cmd_lock (mutex)
* its->its_lock (mutex)
@@ -134,7 +129,7 @@ index ecb8e25f5fe5..d7c9198e33bd 100644
*
* If you need to take multiple locks, always take the upper lock first,
* then the lower ones, e.g. first take the its_lock, then the irq_lock.
-@@ -69,8 +73,9 @@ static struct vgic_irq *vgic_get_lpi(struct kvm *kvm, u32 intid)
+@@ -69,8 +73,9 @@ static struct vgic_irq *vgic_get_lpi(str
{
struct vgic_dist *dist = &kvm->arch.vgic;
struct vgic_irq *irq = NULL;
@@ -145,7 +140,7 @@ index ecb8e25f5fe5..d7c9198e33bd 100644
list_for_each_entry(irq, &dist->lpi_list_head, lpi_list) {
if (irq->intid != intid)
-@@ -86,7 +91,7 @@ static struct vgic_irq *vgic_get_lpi(struct kvm *kvm, u32 intid)
+@@ -86,7 +91,7 @@ static struct vgic_irq *vgic_get_lpi(str
irq = NULL;
out_unlock:
@@ -154,7 +149,7 @@ index ecb8e25f5fe5..d7c9198e33bd 100644
return irq;
}
-@@ -127,19 +132,20 @@ static void vgic_irq_release(struct kref *ref)
+@@ -127,19 +132,20 @@ static void vgic_irq_release(struct kref
void vgic_put_irq(struct kvm *kvm, struct vgic_irq *irq)
{
struct vgic_dist *dist = &kvm->arch.vgic;
@@ -178,6 +173,3 @@ index ecb8e25f5fe5..d7c9198e33bd 100644
kfree(irq);
}
---
-2.20.1
-
diff --git a/patches.fixes/0001-PCI-qcom-Ensure-that-PERST-is-asserted-for-at-least-.patch b/patches.fixes/0001-PCI-qcom-Ensure-that-PERST-is-asserted-for-at-least-.patch
new file mode 100644
index 0000000000..4936815218
--- /dev/null
+++ b/patches.fixes/0001-PCI-qcom-Ensure-that-PERST-is-asserted-for-at-least-.patch
@@ -0,0 +1,47 @@
+From 64adde31c8e996a6db6f7a1a4131180e363aa9f2 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel <niklas.cassel@linaro.org>
+Date: Wed, 29 May 2019 11:43:52 +0200
+Subject: [PATCH] PCI: qcom: Ensure that PERST is asserted for at least 100 ms
+Git-commit: 64adde31c8e996a6db6f7a1a4131180e363aa9f2
+Patch-mainline: v5.3-rc1
+References: bsc#1142635
+
+Currently, there is only a 1 ms sleep after asserting PERST.
+
+Reading the datasheets for different endpoints, some require PERST to be
+asserted for 10 ms in order for the endpoint to perform a reset, others
+require it to be asserted for 50 ms.
+
+Several SoCs using this driver uses PCIe Mini Card, where we don't know
+what endpoint will be plugged in.
+
+The PCI Express Card Electromechanical Specification r2.0, section
+2.2, "PERST# Signal" specifies:
+
+"On power up, the deassertion of PERST# is delayed 100 ms (TPVPERL) from
+the power rails achieving specified operating limits."
+
+Add a sleep of 100 ms before deasserting PERST, in order to ensure that
+we are compliant with the spec.
+
+Fixes: 82a823833f4e ("PCI: qcom: Add Qualcomm PCIe controller driver")
+Signed-off-by: Niklas Cassel <niklas.cassel@linaro.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Stanimir Varbanov <svarbanov@mm-sol.com>
+Cc: stable@vger.kernel.org # 4.5+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/pci/dwc/pcie-qcom.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pci/dwc/pcie-qcom.c
++++ b/drivers/pci/dwc/pcie-qcom.c
+@@ -122,6 +122,8 @@ static void qcom_ep_reset_assert(struct
+
+ static void qcom_ep_reset_deassert(struct qcom_pcie *pcie)
+ {
++ /* Ensure that PERST has been asserted for at least 100 ms */
++ msleep(100);
+ gpiod_set_value(pcie->reset, 0);
+ usleep_range(PERST_DELAY_US, PERST_DELAY_US + 500);
+ }
diff --git a/patches.fixes/0001-PCI-xilinx-nwl-Fix-Multi-MSI-data-programming.patch b/patches.fixes/0001-PCI-xilinx-nwl-Fix-Multi-MSI-data-programming.patch
new file mode 100644
index 0000000000..edab937937
--- /dev/null
+++ b/patches.fixes/0001-PCI-xilinx-nwl-Fix-Multi-MSI-data-programming.patch
@@ -0,0 +1,98 @@
+From 181fa434d0514e40ebf6e9721f2b72700287b6e2 Mon Sep 17 00:00:00 2001
+From: Bharat Kumar Gogada <bharat.kumar.gogada@xilinx.com>
+Date: Wed, 12 Jun 2019 15:47:59 +0530
+Subject: [PATCH] PCI: xilinx-nwl: Fix Multi MSI data programming
+Git-commit: 181fa434d0514e40ebf6e9721f2b72700287b6e2
+Patch-mainline: v5.3-rc1
+References: bsc#1142635
+
+According to the PCI Local Bus specification Revision 3.0,
+section 6.8.1.3 (Message Control for MSI), endpoints that
+are Multiple Message Capable as defined by bits [3:1] in
+the Message Control for MSI can request a number of vectors
+that is power of two aligned.
+
+As specified in section 6.8.1.6 "Message data for MSI", the Multiple
+Message Enable field (bits [6:4] of the Message Control register)
+defines the number of low order message data bits the function is
+permitted to modify to generate its system software allocated
+vectors.
+
+The MSI controller in the Xilinx NWL PCIe controller supports a number
+of MSI vectors specified through a bitmap and the hwirq number for an
+MSI, that is the value written in the MSI data TLP is determined by
+the bitmap allocation.
+
+For instance, in a situation where two endpoints sitting on
+the PCI bus request the following MSI configuration, with
+the current PCI Xilinx bitmap allocation code (that does not
+align MSI vector allocation on a power of two boundary):
+
+Endpoint #1: Requesting 1 MSI vector - allocated bitmap bits 0
+Endpoint #2: Requesting 2 MSI vectors - allocated bitmap bits [1,2]
+
+The bitmap value(s) corresponds to the hwirq number that is programmed
+into the Message Data for MSI field in the endpoint MSI capability
+and is detected by the root complex to fire the corresponding
+MSI irqs. The value written in Message Data for MSI field corresponds
+to the first bit allocated in the bitmap for Multi MSI vectors.
+
+The current Xilinx NWL MSI allocation code allows a bitmap allocation
+that is not a power of two boundaries, so endpoint #2, is allowed to
+toggle Message Data bit[0] to differentiate between its two vectors
+(meaning that the MSI data will be respectively 0x0 and 0x1 for the two
+vectors allocated to endpoint #2).
+
+This clearly aliases with the Endpoint #1 vector allocation, resulting
+in a broken Multi MSI implementation.
+
+Update the code to allocate MSI bitmap ranges with a power of two
+alignment, fixing the bug.
+
+Fixes: ab597d35ef11 ("PCI: xilinx-nwl: Add support for Xilinx NWL PCIe Host Controller")
+Suggested-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Bharat Kumar Gogada <bharat.kumar.gogada@xilinx.com>
+[lorenzo.pieralisi@arm.com: updated commit log]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+---
+ drivers/pci/controller/pcie-xilinx-nwl.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/pci/controller/pcie-xilinx-nwl.c b/drivers/pci/controller/pcie-xilinx-nwl.c
+index 3b031f00a94a..45c0f344ccd1 100644
+--- a/drivers/pci/host/pcie-xilinx-nwl.c
++++ b/drivers/pci/host/pcie-xilinx-nwl.c
+@@ -482,15 +482,13 @@ static int nwl_irq_domain_alloc(struct irq_domain *domain, unsigned int virq,
+ int i;
+
+ mutex_lock(&msi->lock);
+- bit = bitmap_find_next_zero_area(msi->bitmap, INT_PCI_MSI_NR, 0,
+- nr_irqs, 0);
+- if (bit >= INT_PCI_MSI_NR) {
++ bit = bitmap_find_free_region(msi->bitmap, INT_PCI_MSI_NR,
++ get_count_order(nr_irqs));
++ if (bit < 0) {
+ mutex_unlock(&msi->lock);
+ return -ENOSPC;
+ }
+
+- bitmap_set(msi->bitmap, bit, nr_irqs);
+-
+ for (i = 0; i < nr_irqs; i++) {
+ irq_domain_set_info(domain, virq + i, bit + i, &nwl_irq_chip,
+ domain->host_data, handle_simple_irq,
+@@ -508,7 +506,8 @@ static void nwl_irq_domain_free(struct irq_domain *domain, unsigned int virq,
+ struct nwl_msi *msi = &pcie->msi;
+
+ mutex_lock(&msi->lock);
+- bitmap_clear(msi->bitmap, data->hwirq, nr_irqs);
++ bitmap_release_region(msi->bitmap, data->hwirq,
++ get_count_order(nr_irqs));
+ mutex_unlock(&msi->lock);
+ }
+
+--
+2.16.4
+
diff --git a/patches.fixes/9p-acl-fix-uninitialized-iattr-access.patch b/patches.fixes/9p-acl-fix-uninitialized-iattr-access.patch
new file mode 100644
index 0000000000..36e07e4bda
--- /dev/null
+++ b/patches.fixes/9p-acl-fix-uninitialized-iattr-access.patch
@@ -0,0 +1,37 @@
+From e02a53d92e197706cad1627bd84705d4aa20a145 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Sat, 8 Sep 2018 00:10:57 +0900
+Subject: [PATCH] 9p: acl: fix uninitialized iattr access
+Git-commit: e02a53d92e197706cad1627bd84705d4aa20a145
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+iattr is passed to v9fs_vfs_setattr_dotl which does send various
+values from iattr over the wire, even if it tells the server to
+only look at iattr.ia_valid fields this could leak some stack data.
+
+Link: http://lkml.kernel.org/r/1536339057-21974-2-git-send-email-asmadeus@codewreck.org
+Addresses-coverity-id: 1195601 ("Uninitalized scalar variable")
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/9p/acl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/9p/acl.c b/fs/9p/acl.c
+index 082d227fa56b..6261719f6f2a 100644
+--- a/fs/9p/acl.c
++++ b/fs/9p/acl.c
+@@ -276,7 +276,7 @@ static int v9fs_xattr_set_acl(const struct xattr_handler *handler,
+ switch (handler->flags) {
+ case ACL_TYPE_ACCESS:
+ if (acl) {
+- struct iattr iattr;
++ struct iattr iattr = { 0 };
+ struct posix_acl *old_acl = acl;
+
+ retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl);
+--
+2.16.4
+
diff --git a/patches.fixes/9p-p9dirent_read-check-network-provided-name-length.patch b/patches.fixes/9p-p9dirent_read-check-network-provided-name-length.patch
new file mode 100644
index 0000000000..527a95bc3c
--- /dev/null
+++ b/patches.fixes/9p-p9dirent_read-check-network-provided-name-length.patch
@@ -0,0 +1,54 @@
+From ef5305f1f72eb1cfcda25c382bb0368509c0385b Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Sat, 8 Sep 2018 00:36:08 +0900
+Subject: [PATCH] 9p: p9dirent_read: check network-provided name length
+Git-commit: ef5305f1f72eb1cfcda25c382bb0368509c0385b
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+strcpy to dirent->d_name could overflow the buffer, use strscpy to check
+the provided string length and error out if the size was too big.
+
+While we are here, make the function return an error when the pdu
+parsing failed, instead of returning the pdu offset as if it had been a
+success...
+
+Link: http://lkml.kernel.org/r/1536339057-21974-4-git-send-email-asmadeus@codewreck.org
+Addresses-coverity-id: 139133 ("Copy into fixed size buffer")
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/9p/protocol.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/9p/protocol.c b/net/9p/protocol.c
+index b4d80c533f89..462ba144cb39 100644
+--- a/net/9p/protocol.c
++++ b/net/9p/protocol.c
+@@ -623,13 +623,19 @@ int p9dirent_read(struct p9_client *clnt, char *buf, int len,
+ if (ret) {
+ p9_debug(P9_DEBUG_9P, "<<< p9dirent_read failed: %d\n", ret);
+ trace_9p_protocol_dump(clnt, &fake_pdu);
+- goto out;
++ return ret;
+ }
+
+- strcpy(dirent->d_name, nameptr);
++ ret = strscpy(dirent->d_name, nameptr, sizeof(dirent->d_name));
++ if (ret < 0) {
++ p9_debug(P9_DEBUG_ERROR,
++ "On the wire dirent name too long: %s\n",
++ nameptr);
++ kfree(nameptr);
++ return ret;
++ }
+ kfree(nameptr);
+
+-out:
+ return fake_pdu.offset;
+ }
+ EXPORT_SYMBOL(p9dirent_read);
+--
+2.16.4
+
diff --git a/patches.fixes/9p-pass-the-correct-prototype-to-read_cache_page.patch b/patches.fixes/9p-pass-the-correct-prototype-to-read_cache_page.patch
new file mode 100644
index 0000000000..21d0d45685
--- /dev/null
+++ b/patches.fixes/9p-pass-the-correct-prototype-to-read_cache_page.patch
@@ -0,0 +1,53 @@
+From f053cbd4366051d7eb6ba1b8d529d20f719c2963 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Thu, 11 Jul 2019 20:55:26 -0700
+Subject: [PATCH] 9p: pass the correct prototype to read_cache_page
+Git-commit: f053cbd4366051d7eb6ba1b8d529d20f719c2963
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Fix the callback 9p passes to read_cache_page to actually have the
+proper type expected. Casting around function pointers can easily
+hide typing bugs, and defeats control flow protection.
+
+Link: http://lkml.kernel.org/r/20190520055731.24538-5-hch@lst.de
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Cc: Sami Tolvanen <samitolvanen@google.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/9p/vfs_addr.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c
+index bc57ae9e2963..cce9ace651a2 100644
+--- a/fs/9p/vfs_addr.c
++++ b/fs/9p/vfs_addr.c
+@@ -35,8 +35,9 @@
+ * @page: structure to page
+ *
+ */
+-static int v9fs_fid_readpage(struct p9_fid *fid, struct page *page)
++static int v9fs_fid_readpage(void *data, struct page *page)
+ {
++ struct p9_fid *fid = data;
+ struct inode *inode = page->mapping->host;
+ struct bio_vec bvec = {.bv_page = page, .bv_len = PAGE_SIZE};
+ struct iov_iter to;
+@@ -107,7 +108,8 @@ static int v9fs_vfs_readpages(struct file *filp, struct address_space *mapping,
+ if (ret == 0)
+ return ret;
+
+- ret = read_cache_pages(mapping, pages, (void *)v9fs_vfs_readpage, filp);
++ ret = read_cache_pages(mapping, pages, v9fs_fid_readpage,
++ filp->private_data);
+ p9_debug(P9_DEBUG_VFS, " = %d\n", ret);
+ return ret;
+ }
+--
+2.16.4
+
diff --git a/patches.fixes/9p-rdma-do-not-disconnect-on-down_interruptible-EAGA.patch b/patches.fixes/9p-rdma-do-not-disconnect-on-down_interruptible-EAGA.patch
new file mode 100644
index 0000000000..0fcf6554af
--- /dev/null
+++ b/patches.fixes/9p-rdma-do-not-disconnect-on-down_interruptible-EAGA.patch
@@ -0,0 +1,47 @@
+From 8b894adb2b7e1d1e64b8954569c761eaf3d51ab5 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Thu, 30 Aug 2018 19:29:36 +0900
+Subject: [PATCH] 9p/rdma: do not disconnect on down_interruptible EAGAIN
+Git-commit: 8b894adb2b7e1d1e64b8954569c761eaf3d51ab5
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+9p/rdma would sometimes drop the connection and display errors in
+recv_done when the user does ^C.
+The errors were caused by recv buffers that were posted at the time
+of disconnect, and we just do not want to disconnect when
+down_interruptible is... interrupted.
+
+Link: http://lkml.kernel.org/r/1535625307-18019-1-git-send-email-asmadeus@codewreck.org
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/9p/trans_rdma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
+index 9cc9b3a19ee7..9719bc4d9424 100644
+--- a/net/9p/trans_rdma.c
++++ b/net/9p/trans_rdma.c
+@@ -477,7 +477,7 @@ static int rdma_request(struct p9_client *client, struct p9_req_t *req)
+
+ err = post_recv(client, rpl_context);
+ if (err) {
+- p9_debug(P9_DEBUG_FCALL, "POST RECV failed\n");
++ p9_debug(P9_DEBUG_ERROR, "POST RECV failed: %d\n", err);
+ goto recv_error;
+ }
+ /* remove posted receive buffer from request structure */
+@@ -546,7 +546,7 @@ static int rdma_request(struct p9_client *client, struct p9_req_t *req)
+ recv_error:
+ kfree(rpl_context);
+ spin_lock_irqsave(&rdma->req_lock, flags);
+- if (rdma->state < P9_RDMA_CLOSING) {
++ if (err != -EINTR && rdma->state < P9_RDMA_CLOSING) {
+ rdma->state = P9_RDMA_CLOSING;
+ spin_unlock_irqrestore(&rdma->req_lock, flags);
+ rdma_disconnect(rdma->cm_id);
+--
+2.16.4
+
diff --git a/patches.fixes/9p-rdma-remove-useless-check-in-cm_event_handler.patch b/patches.fixes/9p-rdma-remove-useless-check-in-cm_event_handler.patch
new file mode 100644
index 0000000000..11ce18f7bd
--- /dev/null
+++ b/patches.fixes/9p-rdma-remove-useless-check-in-cm_event_handler.patch
@@ -0,0 +1,38 @@
+From 473c7dd1d7b59ff8f88a5154737e3eac78a96e5b Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Sat, 8 Sep 2018 00:26:50 +0900
+Subject: [PATCH] 9p/rdma: remove useless check in cm_event_handler
+Git-commit: 473c7dd1d7b59ff8f88a5154737e3eac78a96e5b
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+the client c is always dereferenced to get the rdma struct, so c has to
+be a valid pointer at this point.
+Gcc would optimize that away but let's make coverity happy...
+
+Link: http://lkml.kernel.org/r/1536339057-21974-3-git-send-email-asmadeus@codewreck.org
+Addresses-coverity-id: 102778 ("Dereference before null check")
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/9p/trans_rdma.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
+index 9719bc4d9424..119103bfa82e 100644
+--- a/net/9p/trans_rdma.c
++++ b/net/9p/trans_rdma.c
+@@ -274,8 +274,7 @@ p9_cm_event_handler(struct rdma_cm_id *id, struct rdma_cm_event *event)
+ case RDMA_CM_EVENT_DISCONNECTED:
+ if (rdma)
+ rdma->state = P9_RDMA_CLOSED;
+- if (c)
+- c->status = Disconnected;
++ c->status = Disconnected;
+ break;
+
+ case RDMA_CM_EVENT_TIMEWAIT_EXIT:
+--
+2.16.4
+
diff --git a/patches.fixes/9p-virtio-Add-cleanup-path-in-p9_virtio_init.patch b/patches.fixes/9p-virtio-Add-cleanup-path-in-p9_virtio_init.patch
new file mode 100644
index 0000000000..c3e2fd2ff1
--- /dev/null
+++ b/patches.fixes/9p-virtio-Add-cleanup-path-in-p9_virtio_init.patch
@@ -0,0 +1,94 @@
+From d4548543fc4ece56c6f04b8586f435fb4fd84c20 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 30 Apr 2019 19:59:42 +0800
+Subject: [PATCH] 9p/virtio: Add cleanup path in p9_virtio_init
+Git-commit: d4548543fc4ece56c6f04b8586f435fb4fd84c20
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+KASAN report this:
+
+Bug: unable to handle kernel paging request at ffffffffa0097000
+PGD 3870067 P4D 3870067 PUD 3871063 PMD 2326e2067 PTE 0
+Oops: 0000 [#1
+Cpu: 0 PID: 5340 Comm: modprobe Not tainted 5.1.0-rc7+ #25
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
+Rip: 0010:__list_add_valid+0x10/0x70
+Code: c3 48 8b 06 55 48 89 e5 5d 48 39 07 0f 94 c0 0f b6 c0 c3 90 90 90 90 90 90 90 55 48 89 d0 48 8b 52 08 48 89 e5 48 39 f2 75 19 <48> 8b 32 48 39 f0 75 3a
+
+Rsp: 0018:ffffc90000e23c68 EFLAGS: 00010246
+Rax: ffffffffa00ad000 RBX: ffffffffa009d000 RCX: 0000000000000000
+Rdx: ffffffffa0097000 RSI: ffffffffa0097000 RDI: ffffffffa009d000
+Rbp: ffffc90000e23c68 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa0097000
+R13: ffff888231797180 R14: 0000000000000000 R15: ffffc90000e23e78
+Fs: 00007fb215285540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000
+Cs: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+Cr2: ffffffffa0097000 CR3: 000000022f144000 CR4: 00000000000006f0
+Call Trace:
+ v9fs_register_trans+0x2f/0x60 [9pnet
+ ? 0xffffffffa0087000
+ p9_virtio_init+0x25/0x1000 [9pnet_virtio
+ do_one_initcall+0x6c/0x3cc
+ ? kmem_cache_alloc_trace+0x248/0x3b0
+ do_init_module+0x5b/0x1f1
+ load_module+0x1db1/0x2690
+ ? m_show+0x1d0/0x1d0
+ __do_sys_finit_module+0xc5/0xd0
+ __x64_sys_finit_module+0x15/0x20
+ do_syscall_64+0x6b/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+Rip: 0033:0x7fb214d8e839
+Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01
+
+Rsp: 002b:00007ffc96554278 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+Rax: ffffffffffffffda RBX: 000055e67eed2aa0 RCX: 00007fb214d8e839
+Rdx: 0000000000000000 RSI: 000055e67ce95c2e RDI: 0000000000000003
+Rbp: 000055e67ce95c2e R08: 0000000000000000 R09: 000055e67eed2aa0
+R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
+R13: 000055e67eeda500 R14: 0000000000040000 R15: 000055e67eed2aa0
+Modules linked in: 9pnet_virtio(+) 9pnet gre rfkill vmw_vsock_virtio_transport_common vsock [last unloaded: 9pnet_virtio
+
+Cr2: ffffffffa0097000
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---[ end trace 4a52bb13ff07b761
+
+If register_virtio_driver() fails in p9_virtio_init,
+we should call v9fs_unregister_trans() to do cleanup.
+
+Link: http://lkml.kernel.org/r/20190430115942.41840-1-yuehaibing@huawei.com
+Cc: stable@vger.kernel.org
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: b530cc794024 ("9p: add virtio transport")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+---
+ net/9p/trans_virtio.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
+index b1d39cabf125..6753ee9326b8 100644
+--- a/net/9p/trans_virtio.c
++++ b/net/9p/trans_virtio.c
+@@ -782,10 +782,16 @@ static struct p9_trans_module p9_virtio_trans = {
+ /* The standard init function */
+ static int __init p9_virtio_init(void)
+ {
++ int rc;
++
+ INIT_LIST_HEAD(&virtio_chan_list);
+
+ v9fs_register_trans(&p9_virtio_trans);
+- return register_virtio_driver(&p9_virtio_drv);
++ rc = register_virtio_driver(&p9_virtio_drv);
++ if (rc)
++ v9fs_unregister_trans(&p9_virtio_trans);
++
++ return rc;
+ }
+
+ static void __exit p9_virtio_cleanup(void)
+--
+2.16.4
+
diff --git a/patches.fixes/9p-xen-Add-cleanup-path-in-p9_trans_xen_init.patch b/patches.fixes/9p-xen-Add-cleanup-path-in-p9_trans_xen_init.patch
new file mode 100644
index 0000000000..6bdef66af2
--- /dev/null
+++ b/patches.fixes/9p-xen-Add-cleanup-path-in-p9_trans_xen_init.patch
@@ -0,0 +1,50 @@
+From 80a316ff16276b36d0392a8f8b2f63259857ae98 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 30 Apr 2019 22:39:33 +0800
+Subject: [PATCH] 9p/xen: Add cleanup path in p9_trans_xen_init
+Git-commit: 80a316ff16276b36d0392a8f8b2f63259857ae98
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+If xenbus_register_frontend() fails in p9_trans_xen_init,
+we should call v9fs_unregister_trans() to do cleanup.
+
+Link: http://lkml.kernel.org/r/20190430143933.19368-1-yuehaibing@huawei.com
+Cc: stable@vger.kernel.org
+Fixes: 868eb122739a ("xen/9pfs: introduce Xen 9pfs transport driver")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/9p/trans_xen.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
+index e2fbf3677b9b..9daab0dd833b 100644
+--- a/net/9p/trans_xen.c
++++ b/net/9p/trans_xen.c
+@@ -530,13 +530,19 @@ static struct xenbus_driver xen_9pfs_front_driver = {
+
+ static int p9_trans_xen_init(void)
+ {
++ int rc;
++
+ if (!xen_domain())
+ return -ENODEV;
+
+ pr_info("Initialising Xen transport for 9pfs\n");
+
+ v9fs_register_trans(&p9_xen_trans);
+- return xenbus_register_frontend(&xen_9pfs_front_driver);
++ rc = xenbus_register_frontend(&xen_9pfs_front_driver);
++ if (rc)
++ v9fs_unregister_trans(&p9_xen_trans);
++
++ return rc;
+ }
+ module_init(p9_trans_xen_init);
+
+--
+2.16.4
+
diff --git a/patches.fixes/9p-xen-fix-check-for-xenbus_read-error-in-front_prob.patch b/patches.fixes/9p-xen-fix-check-for-xenbus_read-error-in-front_prob.patch
new file mode 100644
index 0000000000..3d85812831
--- /dev/null
+++ b/patches.fixes/9p-xen-fix-check-for-xenbus_read-error-in-front_prob.patch
@@ -0,0 +1,45 @@
+From 2f9ad0ac947ccbe3ffe7c6229c9330f2a7755f64 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Tue, 14 Aug 2018 02:43:48 +0000
+Subject: [PATCH] 9p/xen: fix check for xenbus_read error in front_probe
+Git-commit: 2f9ad0ac947ccbe3ffe7c6229c9330f2a7755f64
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+If the xen bus exists but does not expose the proper interface, it is
+possible to get a non-zero length but still some error, leading to
+strcmp failing trying to load invalid memory addresses e.g.
+fffffffffffffffe.
+
+There is then no need to check length when there is no error, as the
+xenbus driver guarantees that the string is nul-terminated.
+
+Link: http://lkml.kernel.org/r/1534236007-10170-1-git-send-email-asmadeus@codewreck.org
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Cc: Eric Van Hensbergen <ericvh@gmail.com>
+Cc: Latchesar Ionkov <lucho@ionkov.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/9p/trans_xen.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
+index c2d54ac76bfd..843cb823d9b9 100644
+--- a/net/9p/trans_xen.c
++++ b/net/9p/trans_xen.c
+@@ -391,8 +391,8 @@ static int xen_9pfs_front_probe(struct xenbus_device *dev,
+ unsigned int max_rings, max_ring_order, len = 0;
+
+ versions = xenbus_read(XBT_NIL, dev->otherend, "versions", &len);
+- if (!len)
+- return -EINVAL;
++ if (IS_ERR(versions))
++ return PTR_ERR(versions);
+ if (strcmp(versions, "1")) {
+ kfree(versions);
+ return -EINVAL;
+--
+2.16.4
+
diff --git a/patches.fixes/ACPI-IORT-Fix-off-by-one-check-in-iort_dev_find_its_.patch b/patches.fixes/ACPI-IORT-Fix-off-by-one-check-in-iort_dev_find_its_.patch
new file mode 100644
index 0000000000..9f9b6e92e5
--- /dev/null
+++ b/patches.fixes/ACPI-IORT-Fix-off-by-one-check-in-iort_dev_find_its_.patch
@@ -0,0 +1,50 @@
+From 5a46d3f71d5e5a9f82eabc682f996f1281705ac7 Mon Sep 17 00:00:00 2001
+From: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Date: Mon, 22 Jul 2019 17:25:48 +0100
+Subject: [PATCH] ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id()
+Git-commit: 5a46d3f71d5e5a9f82eabc682f996f1281705ac7
+Patch-mainline: v5.3-rc2
+References: bsc#1051510
+
+Static analysis identified that index comparison against ITS entries in
+iort_dev_find_its_id() is off by one.
+
+Update the comparison condition and clarify the resulting error
+message.
+
+Fixes: 4bf2efd26d76 ("ACPI: Add new IORT functions to support MSI domain handling")
+Link: https://lore.kernel.org/linux-arm-kernel/20190613065410.GB16334@mwanda/
+Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Hanjun Guo <guohanjun@huawei.com>
+Cc: Sudeep Holla <sudeep.holla@arm.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/acpi/arm64/iort.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c
+index d4551e33fa71..8569b79e8b58 100644
+--- a/drivers/acpi/arm64/iort.c
++++ b/drivers/acpi/arm64/iort.c
+@@ -611,8 +611,8 @@ static int iort_dev_find_its_id(struct device *dev, u32 req_id,
+
+ /* Move to ITS specific data */
+ its = (struct acpi_iort_its_group *)node->node_data;
+- if (idx > its->its_count) {
+- dev_err(dev, "requested ITS ID index [%d] is greater than available [%d]\n",
++ if (idx >= its->its_count) {
++ dev_err(dev, "requested ITS ID index [%d] overruns ITS entries [%d]\n",
+ idx, its->its_count);
+ return -ENXIO;
+ }
+--
+2.16.4
+
diff --git a/patches.fixes/Documentation-Add-nospectre_v1-parameter.patch b/patches.fixes/Documentation-Add-nospectre_v1-parameter.patch
new file mode 100644
index 0000000000..2035a06ea5
--- /dev/null
+++ b/patches.fixes/Documentation-Add-nospectre_v1-parameter.patch
@@ -0,0 +1,31 @@
+From 26cb1f36c43ee6e89d2a9f48a5a7500d5248f836 Mon Sep 17 00:00:00 2001
+From: Diana Craciun <diana.craciun@nxp.com>
+Date: Sat, 28 Jul 2018 09:06:39 +1000
+Subject: [PATCH] Documentation: Add nospectre_v1 parameter
+Git-commit: 26cb1f36c43ee6e89d2a9f48a5a7500d5248f836
+Patch-mainline: v4.19-rc1
+References: bsc#1051510
+
+Currently only supported on powerpc.
+
+Signed-off-by: Diana Craciun <diana.craciun@nxp.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ Documentation/admin-guide/kernel-parameters.txt | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -2736,6 +2736,10 @@
+ cannot be undone. Depending on the CPU
+ type this might have a performance impact.
+
++ nospectre_v1 [PPC] Disable mitigations for Spectre Variant 1 (bounds
++ check bypass). With this option data leaks are possible
++ in the system.
++
+ nospectre_v2 [X86] Disable all mitigations for the Spectre variant 2
+ (indirect branch prediction) vulnerability. System may
+ allow data leaks with this option, which is equivalent
diff --git a/patches.fixes/Documentation-networking-fix-default_ttl-typo-in-mpl.patch b/patches.fixes/Documentation-networking-fix-default_ttl-typo-in-mpl.patch
new file mode 100644
index 0000000000..e024b34768
--- /dev/null
+++ b/patches.fixes/Documentation-networking-fix-default_ttl-typo-in-mpl.patch
@@ -0,0 +1,37 @@
+From dca895b65d634f9e6506d5385ed58a8b9abd4900 Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Mon, 1 Jul 2019 16:45:28 +0800
+Subject: [PATCH] Documentation/networking: fix default_ttl typo in mpls-sysctl
+Git-commit: dca895b65d634f9e6506d5385ed58a8b9abd4900
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+default_ttl should be integer instead of bool
+
+Reported-by: Ying Xu <yinxu@redhat.com>
+Fixes: a59166e47086 ("mpls: allow TTL propagation from IP packets to be configured")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ Documentation/networking/mpls-sysctl.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/networking/mpls-sysctl.txt b/Documentation/networking/mpls-sysctl.txt
+index 2f24a1912a48..025cc9b96992 100644
+--- a/Documentation/networking/mpls-sysctl.txt
++++ b/Documentation/networking/mpls-sysctl.txt
+@@ -30,7 +30,7 @@ ip_ttl_propagate - BOOL
+ 0 - disabled / RFC 3443 [Short] Pipe Model
+ 1 - enabled / RFC 3443 Uniform Model (default)
+
+-default_ttl - BOOL
++default_ttl - INTEGER
+ Default TTL value to use for MPLS packets where it cannot be
+ propagated from an IP header, either because one isn't present
+ or ip_ttl_propagate has been disabled.
+--
+2.16.4
+
diff --git a/patches.fixes/acpi-arm64-ignore-5.1-FADTs-that-are-reported-as-5.0.patch b/patches.fixes/acpi-arm64-ignore-5.1-FADTs-that-are-reported-as-5.0.patch
new file mode 100644
index 0000000000..56c544da53
--- /dev/null
+++ b/patches.fixes/acpi-arm64-ignore-5.1-FADTs-that-are-reported-as-5.0.patch
@@ -0,0 +1,54 @@
+From 2af22f3ec3ca452f1e79b967f634708ff01ced8a Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 19 Jun 2019 14:18:31 +0200
+Subject: [PATCH] acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
+Git-commit: 2af22f3ec3ca452f1e79b967f634708ff01ced8a
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Some Qualcomm Snapdragon based laptops built to run Microsoft Windows
+are clearly ACPI 5.1 based, given that that is the first ACPI revision
+that supports ARM, and introduced the FADT 'arm_boot_flags' field,
+which has a non-zero field on those systems.
+
+So in these cases, infer from the ARM boot flags that the FADT must be
+5.1 or later, and treat it as 5.1.
+
+Acked-by: Sudeep Holla <sudeep.holla@arm.com>
+Tested-by: Lee Jones <lee.jones@linaro.org>
+Reviewed-by: Graeme Gregory <graeme.gregory@linaro.org>
+Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Hanjun Guo <guohanjun@huawei.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ arch/arm64/kernel/acpi.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kernel/acpi.c b/arch/arm64/kernel/acpi.c
+index 803f0494dd3e..7722e85fb69c 100644
+--- a/arch/arm64/kernel/acpi.c
++++ b/arch/arm64/kernel/acpi.c
+@@ -155,10 +155,14 @@ static int __init acpi_fadt_sanity_check(void)
+ */
+ if (table->revision < 5 ||
+ (table->revision == 5 && fadt->minor_revision < 1)) {
+- pr_err("Unsupported FADT revision %d.%d, should be 5.1+\n",
++ pr_err(FW_BUG "Unsupported FADT revision %d.%d, should be 5.1+\n",
+ table->revision, fadt->minor_revision);
+- ret = -EINVAL;
+- goto out;
++
++ if (!fadt->arm_boot_flags) {
++ ret = -EINVAL;
++ goto out;
++ }
++ pr_err("FADT has ARM boot flags set, assuming 5.1\n");
+ }
+
+ if (!(fadt->flags & ACPI_FADT_HW_REDUCED)) {
+--
+2.16.4
+
diff --git a/patches.fixes/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch b/patches.fixes/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch
new file mode 100644
index 0000000000..71b60d2631
--- /dev/null
+++ b/patches.fixes/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch
@@ -0,0 +1,52 @@
+From 7c80eb1c7e2b8420477fbc998971d62a648035d9 Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden <jeremy@azazel.net>
+Date: Sat, 25 May 2019 19:09:35 +0100
+Subject: [PATCH] af_key: fix leaks in key_pol_get_resp and dump_sp.
+Git-commit: 7c80eb1c7e2b8420477fbc998971d62a648035d9
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+In both functions, if pfkey_xfrm_policy2msg failed we leaked the newly
+allocated sk_buff. Free it on error.
+
+Fixes: 55569ce256ce ("Fix conversion between IPSEC_MODE_xxx and XFRM_MODE_xxx.")
+Reported-by: syzbot+4f0529365f7f2208d9f0@syzkaller.appspotmail.com
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/key/af_key.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 4af1e1d60b9f..51c0f10bb131 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -2442,8 +2442,10 @@ static int key_pol_get_resp(struct sock *sk, struct xfrm_policy *xp, const struc
+ goto out;
+ }
+ err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
+- if (err < 0)
++ if (err < 0) {
++ kfree_skb(out_skb);
+ goto out;
++ }
+
+ out_hdr = (struct sadb_msg *) out_skb->data;
+ out_hdr->sadb_msg_version = hdr->sadb_msg_version;
+@@ -2694,8 +2696,10 @@ static int dump_sp(struct xfrm_policy *xp, int dir, int count, void *ptr)
+ return PTR_ERR(out_skb);
+
+ err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
+- if (err < 0)
++ if (err < 0) {
++ kfree_skb(out_skb);
+ return err;
++ }
+
+ out_hdr = (struct sadb_msg *) out_skb->data;
+ out_hdr->sadb_msg_version = pfk->dump.msg_version;
+--
+2.16.4
+
diff --git a/patches.fixes/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch b/patches.fixes/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch
new file mode 100644
index 0000000000..273d0f69c9
--- /dev/null
+++ b/patches.fixes/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch
@@ -0,0 +1,52 @@
+From 3e03e792865ae48b8cfc69a0b4d65f02f467389f Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Wed, 15 May 2019 12:29:03 +0000
+Subject: [PATCH] crypto: talitos - fix skcipher failure due to wrong output IV
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 3e03e792865ae48b8cfc69a0b4d65f02f467389f
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Selftests report the following:
+
+[ 2.984845] alg: skcipher: cbc-aes-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place"
+[ 2.995377] 00000000: 3d af ba 42 9d 9e b4 30 b4 22 da 80 2c 9f ac 41
+[ 3.032673] alg: skcipher: cbc-des-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place"
+[ 3.043185] 00000000: fe dc ba 98 76 54 32 10
+[ 3.063238] alg: skcipher: cbc-3des-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place"
+[ 3.073818] 00000000: 7d 33 88 93 0f 93 b2 42
+
+This above dumps show that the actual output IV is indeed the input IV.
+This is due to the IV not being copied back into the request.
+
+This patch fixes that.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/crypto/talitos.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -1560,11 +1560,15 @@ static void ablkcipher_done(struct devic
+ int err)
+ {
+ struct ablkcipher_request *areq = context;
++ struct crypto_ablkcipher *cipher = crypto_ablkcipher_reqtfm(areq);
++ struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher);
++ unsigned int ivsize = crypto_ablkcipher_ivsize(cipher);
+ struct talitos_edesc *edesc;
+
+ edesc = container_of(desc, struct talitos_edesc, desc);
+
+ common_nonsnoop_unmap(dev, edesc, areq);
++ memcpy(areq->info, ctx->iv, ivsize);
+
+ kfree(edesc);
+
diff --git a/patches.fixes/driver_core-Fix_use-after-free_and_double_free_on_glue.patch b/patches.fixes/driver_core-Fix_use-after-free_and_double_free_on_glue.patch
new file mode 100644
index 0000000000..9a90cf0384
--- /dev/null
+++ b/patches.fixes/driver_core-Fix_use-after-free_and_double_free_on_glue.patch
@@ -0,0 +1,168 @@
+From: Muchun Song <smuchun@gmail.com>
+Date: Sat, 27 Jul 2019 11:21:22 +0800
+Subject: [PATCH] driver core: Fix use-after-free and double free on glue
+ directory
+Patch-mainline: Not yet, submitted https://lkml.org/lkml/2019/7/26/1461
+References: bsc#1131281
+
+There is a race condition between removing glue directory and adding a new
+device under the glue dir. It can be reproduced in following test:
+
+CPU1: CPU2:
+
+device_add()
+ get_device_parent()
+ class_dir_create_and_add()
+ kobject_add_internal()
+ create_dir() // create glue_dir
+
+ device_add()
+ get_device_parent()
+ kobject_get() // get glue_dir
+
+device_del()
+ cleanup_glue_dir()
+ kobject_del(glue_dir)
+
+ kobject_add()
+ kobject_add_internal()
+ create_dir() // in glue_dir
+ sysfs_create_dir_ns()
+ kernfs_create_dir_ns(sd)
+
+ sysfs_remove_dir() // glue_dir->sd=NULL
+ sysfs_put() // free glue_dir->sd
+
+ // sd is freed
+ kernfs_new_node(sd)
+ kernfs_get(glue_dir)
+ kernfs_add_one()
+ kernfs_put()
+
+Before CPU1 remove last child device under glue dir, if CPU2 add a new
+device under glue dir, the glue_dir kobject reference count will be
+increase to 2 via kobject_get() in get_device_parent(). And CPU2 has
+been called kernfs_create_dir_ns(), but not call kernfs_new_node().
+Meanwhile, CPU1 call sysfs_remove_dir() and sysfs_put(). This result in
+glue_dir->sd is freed and it's reference count will be 0. Then CPU2 call
+kernfs_get(glue_dir) will trigger a warning in kernfs_get() and increase
+it's reference count to 1. Because glue_dir->sd is freed by CPU1, the next
+call kernfs_add_one() by CPU2 will fail(This is also use-after-free)
+and call kernfs_put() to decrease reference count. Because the reference
+count is decremented to 0, it will also call kmem_cache_free() to free
+the glue_dir->sd again. This will result in double free.
+
+In order to avoid this happening, we also should make sure that kernfs_node
+for glue_dir is released in CPU1 only when refcount for glue_dir kobj is
+1 to fix this race.
+
+The following calltrace is captured in kernel 4.14 with the following patch
+applied:
+
+commit 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
+
+--------------------------------------------------------------------------
+[ 3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494
+ Here is WARN_ON(!atomic_read(&kn->count) in kernfs_get().
+....
+[ 3.633986] Call trace:
+[ 3.633991] kernfs_create_dir_ns+0xa8/0xb0
+[ 3.633994] sysfs_create_dir_ns+0x54/0xe8
+[ 3.634001] kobject_add_internal+0x22c/0x3f0
+[ 3.634005] kobject_add+0xe4/0x118
+[ 3.634011] device_add+0x200/0x870
+[ 3.634017] _request_firmware+0x958/0xc38
+[ 3.634020] request_firmware_into_buf+0x4c/0x70
+....
+[ 3.634064] kernel BUG at .../mm/slub.c:294!
+ Here is BUG_ON(object == fp) in set_freepointer().
+....
+[ 3.634346] Call trace:
+[ 3.634351] kmem_cache_free+0x504/0x6b8
+[ 3.634355] kernfs_put+0x14c/0x1d8
+[ 3.634359] kernfs_create_dir_ns+0x88/0xb0
+[ 3.634362] sysfs_create_dir_ns+0x54/0xe8
+[ 3.634366] kobject_add_internal+0x22c/0x3f0
+[ 3.634370] kobject_add+0xe4/0x118
+[ 3.634374] device_add+0x200/0x870
+[ 3.634378] _request_firmware+0x958/0xc38
+[ 3.634381] request_firmware_into_buf+0x4c/0x70
+--------------------------------------------------------------------------
+
+Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
+Signed-off-by: Muchun Song <smuchun@gmail.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Prateek Sood <prsood@codeaurora.org>
+Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Cho, Yu-Chen <acho@suse.com>
+---
+ drivers/base/core.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 52 insertions(+), 1 deletion(-)
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -1445,12 +1445,63 @@ static inline struct kobject *get_glue_d
+ */
+ static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
+ {
++ unsigned int ref;
++
+ /* see if we live in a "glue" directory */
+ if (!live_in_glue_dir(glue_dir, dev))
+ return;
+
+ mutex_lock(&gdp_mutex);
+- if (!kobject_has_children(glue_dir))
++ /**
++ * There is a race condition between removing glue directory
++ * and adding a new device under the glue directory.
++ *
++ * CPU1: CPU2:
++ *
++ * device_add()
++ * get_device_parent()
++ * class_dir_create_and_add()
++ * kobject_add_internal()
++ * create_dir() // create glue_dir
++ *
++ * device_add()
++ * get_device_parent()
++ * kobject_get() // get glue_dir
++ *
++ * device_del()
++ * cleanup_glue_dir()
++ * kobject_del(glue_dir)
++ *
++ * kobject_add()
++ * kobject_add_internal()
++ * create_dir() // in glue_dir
++ * sysfs_create_dir_ns()
++ * kernfs_create_dir_ns(sd)
++ *
++ * sysfs_remove_dir() // glue_dir->sd=NULL
++ * sysfs_put() // free glue_dir->sd
++ *
++ * // sd is freed
++ * kernfs_new_node(sd)
++ * kernfs_get(glue_dir)
++ * kernfs_add_one()
++ * kernfs_put()
++ *
++ * Before CPU1 remove last child device under glue dir, if CPU2 add
++ * a new device under glue dir, the glue_dir kobject reference count
++ * will be increase to 2 in kobject_get(k). And CPU2 has been called
++ * kernfs_create_dir_ns(). Meanwhile, CPU1 call sysfs_remove_dir()
++ * and sysfs_put(). This result in glue_dir->sd is freed.
++ *
++ * Then the CPU2 will see a stale "empty" but still potentially used
++ * glue dir around in kernfs_new_node().
++ *
++ * In order to avoid this happening, we also should make sure that
++ * kernfs_node for glue_dir is released in CPU1 only when refcount
++ * for glue_dir kobj is 1.
++ */
++ ref = kref_read(&glue_dir->kref);
++ if (!kobject_has_children(glue_dir) && !--ref)
+ kobject_del(glue_dir);
+ kobject_put(glue_dir);
+ mutex_unlock(&gdp_mutex);
diff --git a/patches.fixes/eCryptfs-fix-a-couple-type-promotion-bugs.patch b/patches.fixes/eCryptfs-fix-a-couple-type-promotion-bugs.patch
new file mode 100644
index 0000000000..002d69dd11
--- /dev/null
+++ b/patches.fixes/eCryptfs-fix-a-couple-type-promotion-bugs.patch
@@ -0,0 +1,55 @@
+From 0bdf8a8245fdea6f075a5fede833a5fcf1b3466c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Jul 2018 12:35:56 +0300
+Subject: [PATCH] eCryptfs: fix a couple type promotion bugs
+Git-commit: 0bdf8a8245fdea6f075a5fede833a5fcf1b3466c
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+ECRYPTFS_SIZE_AND_MARKER_BYTES is type size_t, so if "rc" is negative
+that gets type promoted to a high positive value and treated as success.
+
+Fixes: 778aeb42a708 ("eCryptfs: Cleanup and optimize ecryptfs_lookup_interpose()")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+[tyhicks: Use "if/else if" rather than "if/if"]
+Cc: stable@vger.kernel.org
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ fs/ecryptfs/crypto.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
+index 4dd842f72846..708f931c36f1 100644
+--- a/fs/ecryptfs/crypto.c
++++ b/fs/ecryptfs/crypto.c
+@@ -1018,8 +1018,10 @@ int ecryptfs_read_and_validate_header_region(struct inode *inode)
+
+ rc = ecryptfs_read_lower(file_size, 0, ECRYPTFS_SIZE_AND_MARKER_BYTES,
+ inode);
+- if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
+- return rc >= 0 ? -EINVAL : rc;
++ if (rc < 0)
++ return rc;
++ else if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
++ return -EINVAL;
+ rc = ecryptfs_validate_marker(marker);
+ if (!rc)
+ ecryptfs_i_size_init(file_size, inode);
+@@ -1381,8 +1383,10 @@ int ecryptfs_read_and_validate_xattr_region(struct dentry *dentry,
+ ecryptfs_inode_to_lower(inode),
+ ECRYPTFS_XATTR_NAME, file_size,
+ ECRYPTFS_SIZE_AND_MARKER_BYTES);
+- if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
+- return rc >= 0 ? -EINVAL : rc;
++ if (rc < 0)
++ return rc;
++ else if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
++ return -EINVAL;
+ rc = ecryptfs_validate_marker(marker);
+ if (!rc)
+ ecryptfs_i_size_init(file_size, inode);
+--
+2.16.4
+
diff --git a/patches.fixes/efi-bgrt-Drop-BGRT-status-field-reserved-bits-check.patch b/patches.fixes/efi-bgrt-Drop-BGRT-status-field-reserved-bits-check.patch
new file mode 100644
index 0000000000..d18d718bba
--- /dev/null
+++ b/patches.fixes/efi-bgrt-Drop-BGRT-status-field-reserved-bits-check.patch
@@ -0,0 +1,47 @@
+From a483fcab38b43fb34a7f12ab1daadd3907f150e2 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 29 May 2019 15:28:28 +0200
+Subject: [PATCH] efi/bgrt: Drop BGRT status field reserved bits check
+Git-commit: a483fcab38b43fb34a7f12ab1daadd3907f150e2
+Patch-mainline: v5.2-rc7
+References: bsc#1051510
+
+Starting with ACPI 6.2 bits 1 and 2 of the BGRT status field are no longer
+reserved. These bits are now used to indicate if the image needs to be
+rotated before being displayed.
+
+The first device using these bits has now shown up (the GPD MicroPC) and
+the reserved bits check causes us to reject the valid BGRT table on this
+device.
+
+Rather then changing the reserved bits check, allowing only the 2 new bits,
+instead just completely remove it so that we do not end up with a similar
+problem when more bits are added in the future.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/firmware/efi/efi-bgrt.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/firmware/efi/efi-bgrt.c b/drivers/firmware/efi/efi-bgrt.c
+index a2384184a7de..b07c17643210 100644
+--- a/drivers/firmware/efi/efi-bgrt.c
++++ b/drivers/firmware/efi/efi-bgrt.c
+@@ -47,11 +47,6 @@ void __init efi_bgrt_init(struct acpi_table_header *table)
+ bgrt->version);
+ goto out;
+ }
+- if (bgrt->status & 0xfe) {
+- pr_notice("Ignoring BGRT: reserved status bits are non-zero %u\n",
+- bgrt->status);
+- goto out;
+- }
+ if (bgrt->image_type != 0) {
+ pr_notice("Ignoring BGRT: invalid image type %u (expected 0)\n",
+ bgrt->image_type);
+--
+2.16.4
+
diff --git a/patches.fixes/hci_uart-check-for-missing-tty-operations.patch b/patches.fixes/hci_uart-check-for-missing-tty-operations.patch
new file mode 100644
index 0000000000..90ef60ab7d
--- /dev/null
+++ b/patches.fixes/hci_uart-check-for-missing-tty-operations.patch
@@ -0,0 +1,149 @@
+From: "Cho, Yu-Chen" <acho@suse.com>
+Date: Wed, 31 Jul 2019 10:54:05 +0800
+Subject: [PATCH] Bluetooth: hci_uart: check for missing tty operations
+Git-commit: b36a1552d7319bbfd5cf7f08726c23c5c66d4f73
+Patch-mainline: v5.3-rc3
+References: CVE-2019-10207 bsc#1142857 bsc#1123959
+
+From: Vladis Dronov <vdronov@redhat.com>
+
+Certain ttys operations (pty_unix98_ops) lack tiocmget() and tiocmset()
+functions which are called by the certain HCI UART protocols (hci_ath,
+hci_bcm, hci_intel, hci_mrvl, hci_qca) via hci_uart_set_flow_control()
+or directly. This leads to an execution at NULL and can be triggered by
+an unprivileged user. Fix this by adding a helper function and a check
+for the missing tty operations in the protocols code.
+
+This fixes CVE-2019-10207. The Fixes: lines list commits where calls to
+tiocm[gs]et() or hci_uart_set_flow_control() were added to the HCI UART
+protocols.
+
+Link: https://syzkaller.appspot.com/bug?id=1b42faa2848963564a5b1b7f8c837ea7b55ffa50
+Reported-by: syzbot+79337b501d6aa974d0f6@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org # v2.6.36+
+Fixes: b3190df62861 ("Bluetooth: Support for Atheros AR300x serial chip")
+Fixes: 118612fb9165 ("Bluetooth: hci_bcm: Add suspend/resume PM functions")
+Fixes: ff2895592f0f ("Bluetooth: hci_intel: Add Intel baudrate configuration support")
+Fixes: 162f812f23ba ("Bluetooth: hci_uart: Add Marvell support")
+Fixes: fa9ad876b8e0 ("Bluetooth: hci_qca: Add support for Qualcomm Bluetooth chip wcn3990")
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+---
+ drivers/bluetooth/hci_ath.c | 3 +++
+ drivers/bluetooth/hci_bcm.c | 3 +++
+ drivers/bluetooth/hci_intel.c | 3 +++
+ drivers/bluetooth/hci_ldisc.c | 13 +++++++++++++
+ drivers/bluetooth/hci_mrvl.c | 3 +++
+ drivers/bluetooth/hci_qca.c | 3 +++
+ drivers/bluetooth/hci_uart.h | 1 +
+ 7 files changed, 29 insertions(+)
+
+diff --git a/drivers/bluetooth/hci_ath.c b/drivers/bluetooth/hci_ath.c
+index 0ccf6bf01ed4..c50b68bbecdc 100644
+--- a/drivers/bluetooth/hci_ath.c
++++ b/drivers/bluetooth/hci_ath.c
+@@ -101,6 +101,9 @@ static int ath_open(struct hci_uart *hu)
+
+ BT_DBG("hu %p", hu);
+
++ if (!hci_uart_has_flow_control(hu))
++ return -EOPNOTSUPP;
++
+ ath = kzalloc(sizeof(*ath), GFP_KERNEL);
+ if (!ath)
+ return -ENOMEM;
+diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c
+index 323388d601d2..cd36918ca02f 100644
+--- a/drivers/bluetooth/hci_bcm.c
++++ b/drivers/bluetooth/hci_bcm.c
+@@ -286,6 +286,9 @@ static int bcm_open(struct hci_uart *hu)
+
+ bt_dev_dbg(hu->hdev, "hu %p", hu);
+
++ if (!hci_uart_has_flow_control(hu))
++ return -EOPNOTSUPP;
++
+ bcm = kzalloc(sizeof(*bcm), GFP_KERNEL);
+ if (!bcm)
+ return -ENOMEM;
+diff --git a/drivers/bluetooth/hci_intel.c b/drivers/bluetooth/hci_intel.c
+index 75d440ea6c23..3e67b54deb26 100644
+--- a/drivers/bluetooth/hci_intel.c
++++ b/drivers/bluetooth/hci_intel.c
+@@ -406,6 +406,9 @@ static int intel_open(struct hci_uart *hu)
+
+ BT_DBG("hu %p", hu);
+
++ if (!hci_uart_has_flow_control(hu))
++ return -EOPNOTSUPP;
++
+ intel = kzalloc(sizeof(*intel), GFP_KERNEL);
+ if (!intel)
+ return -ENOMEM;
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index 01008b727611..492fff0c97ea 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -290,6 +290,19 @@ static int hci_uart_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
+ return 0;
+ }
+
++/* Check the underlying device or tty has flow control support */
++bool hci_uart_has_flow_control(struct hci_uart *hu)
++{
++ /* serdev nodes check if the needed operations are present */
++ if (hu->serdev)
++ return true;
++
++ if (hu->tty->driver->ops->tiocmget && hu->tty->driver->ops->tiocmset)
++ return true;
++
++ return false;
++}
++
+ /* Flow control or un-flow control the device */
+ void hci_uart_set_flow_control(struct hci_uart *hu, bool enable)
+ {
+diff --git a/drivers/bluetooth/hci_mrvl.c b/drivers/bluetooth/hci_mrvl.c
+index ffb00669346f..23791df081ba 100644
+--- a/drivers/bluetooth/hci_mrvl.c
++++ b/drivers/bluetooth/hci_mrvl.c
+@@ -66,6 +66,9 @@ static int mrvl_open(struct hci_uart *hu)
+
+ BT_DBG("hu %p", hu);
+
++ if (!hci_uart_has_flow_control(hu))
++ return -EOPNOTSUPP;
++
+ mrvl = kzalloc(sizeof(*mrvl), GFP_KERNEL);
+ if (!mrvl)
+ return -ENOMEM;
+diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
+index a6173ddfb5a7..954391fc200c 100644
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -390,6 +390,9 @@ static int qca_open(struct hci_uart *hu)
+
+ BT_DBG("hu %p qca_open", hu);
+
++ if (!hci_uart_has_flow_control(hu))
++ return -EOPNOTSUPP;
++
+ qca = kzalloc(sizeof(struct qca_data), GFP_ATOMIC);
+ if (!qca)
+ return -ENOMEM;
+diff --git a/drivers/bluetooth/hci_uart.h b/drivers/bluetooth/hci_uart.h
+index c6e9e1cf63f8..353896da2ef6 100644
+--- a/drivers/bluetooth/hci_uart.h
++++ b/drivers/bluetooth/hci_uart.h
+@@ -116,6 +116,7 @@ int hci_uart_register_device(struct hci_uart *hu, const struct hci_uart_proto *p
+ int hci_uart_tx_wakeup(struct hci_uart *hu);
+ int hci_uart_init_ready(struct hci_uart *hu);
+ void hci_uart_set_baudrate(struct hci_uart *hu, unsigned int speed);
++bool hci_uart_has_flow_control(struct hci_uart *hu);
+ void hci_uart_set_flow_control(struct hci_uart *hu, bool enable);
+ void hci_uart_set_speeds(struct hci_uart *hu, unsigned int init_speed,
+ unsigned int oper_speed);
+--
+2.22.0
+
diff --git a/patches.fixes/hpet-Fix-division-by-zero-in-hpet_time_div.patch b/patches.fixes/hpet-Fix-division-by-zero-in-hpet_time_div.patch
new file mode 100644
index 0000000000..0147afacbe
--- /dev/null
+++ b/patches.fixes/hpet-Fix-division-by-zero-in-hpet_time_div.patch
@@ -0,0 +1,72 @@
+From 0c7d37f4d9b8446956e97b7c5e61173cdb7c8522 Mon Sep 17 00:00:00 2001
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+Date: Thu, 11 Jul 2019 21:27:57 +0800
+Subject: [PATCH] hpet: Fix division by zero in hpet_time_div()
+Git-commit: 0c7d37f4d9b8446956e97b7c5e61173cdb7c8522
+Patch-mainline: v5.3-rc2
+References: bsc#1051510
+
+The base value in do_div() called by hpet_time_div() is truncated from
+unsigned long to uint32_t, resulting in a divide-by-zero exception.
+
+Ubsan: Undefined behaviour in ../drivers/char/hpet.c:572:2
+division by zero
+Cpu: 1 PID: 23682 Comm: syz-executor.3 Not tainted 4.4.184.x86_64+ #4
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+ 0000000000000000 b573382df1853d00 ffff8800a3287b98 ffffffff81ad7561
+ ffff8800a3287c00 ffffffff838b35b0 ffffffff838b3860 ffff8800a3287c20
+ 0000000000000000 ffff8800a3287bb0 ffffffff81b8f25e ffffffff838b35a0
+Call Trace:
+ [<ffffffff81ad7561>] __dump_stack lib/dump_stack.c:15 [inline]
+ [<ffffffff81ad7561>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
+ [<ffffffff81b8f25e>] ubsan_epilogue+0x12/0x8d lib/ubsan.c:166
+ [<ffffffff81b900cb>] __ubsan_handle_divrem_overflow+0x282/0x2c8 lib/ubsan.c:262
+ [<ffffffff823560dd>] hpet_time_div drivers/char/hpet.c:572 [inline]
+ [<ffffffff823560dd>] hpet_ioctl_common drivers/char/hpet.c:663 [inline]
+ [<ffffffff823560dd>] hpet_ioctl_common.cold+0xa8/0xad drivers/char/hpet.c:577
+ [<ffffffff81e63d56>] hpet_ioctl+0xc6/0x180 drivers/char/hpet.c:676
+ [<ffffffff81711590>] vfs_ioctl fs/ioctl.c:43 [inline]
+ [<ffffffff81711590>] file_ioctl fs/ioctl.c:470 [inline]
+ [<ffffffff81711590>] do_vfs_ioctl+0x6e0/0xf70 fs/ioctl.c:605
+ [<ffffffff81711eb4>] SYSC_ioctl fs/ioctl.c:622 [inline]
+ [<ffffffff81711eb4>] SyS_ioctl+0x94/0xc0 fs/ioctl.c:613
+ [<ffffffff82846003>] tracesys_phase2+0x90/0x95
+
+The main C reproducer autogenerated by syzkaller,
+
+ syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+ memcpy((void*)0x20000100, "/dev/hpet\000", 10);
+ syscall(__NR_openat, 0xffffffffffffff9c, 0x20000100, 0, 0);
+ syscall(__NR_ioctl, r[0], 0x40086806, 0x40000000000000);
+
+Fix it by using div64_ul().
+
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Zhang HongJun <zhanghongjun2@huawei.com>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20190711132757.130092-1-wangkefeng.wang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/char/hpet.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/char/hpet.c b/drivers/char/hpet.c
+index 5c39f20378b8..9ac6671bb514 100644
+--- a/drivers/char/hpet.c
++++ b/drivers/char/hpet.c
+@@ -567,8 +567,7 @@ static inline unsigned long hpet_time_div(struct hpets *hpets,
+ unsigned long long m;
+
+ m = hpets->hp_tick_freq + (dis >> 1);
+- do_div(m, dis);
+- return (unsigned long)m;
++ return div64_ul(m, dis);
+ }
+
+ static int
+--
+2.16.4
+
diff --git a/patches.fixes/iio-iio-utils-Fix-possible-incorrect-mask-calculatio.patch b/patches.fixes/iio-iio-utils-Fix-possible-incorrect-mask-calculatio.patch
new file mode 100644
index 0000000000..0d76938ea6
--- /dev/null
+++ b/patches.fixes/iio-iio-utils-Fix-possible-incorrect-mask-calculatio.patch
@@ -0,0 +1,55 @@
+From 208a68c8393d6041a90862992222f3d7943d44d6 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Thu, 27 Jun 2019 09:20:45 +0200
+Subject: [PATCH] iio: iio-utils: Fix possible incorrect mask calculation
+Git-commit: 208a68c8393d6041a90862992222f3d7943d44d6
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+On some machines, iio-sensor-proxy was returning all 0's for IIO sensor
+values. It turns out that the bits_used for this sensor is 32, which makes
+the mask calculation:
+
+*mask = (1 << 32) - 1;
+
+If the compiler interprets the 1 literals as 32-bit ints, it generates
+undefined behavior depending on compiler version and optimization level.
+On my system, it optimizes out the shift, so the mask value becomes
+
+*mask = (1) - 1;
+
+With a mask value of 0, iio-sensor-proxy will always return 0 for every axis.
+
+Avoid incorrect 0 values caused by compiler optimization.
+
+See original fix by Brett Dutro <brett.dutro@gmail.com> in
+Iio-sensor-proxy:
+https://github.com/hadess/iio-sensor-proxy/commit/9615ceac7c134d838660e209726cd86aa2064fd3
+
+Signed-off-by: Bastien Nocera <hadess@hadess.net>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ tools/iio/iio_utils.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/iio/iio_utils.c b/tools/iio/iio_utils.c
+index 7a6d61c6c012..55272fef3b50 100644
+--- a/tools/iio/iio_utils.c
++++ b/tools/iio/iio_utils.c
+@@ -159,9 +159,9 @@ int iioutils_get_type(unsigned *is_signed, unsigned *bytes, unsigned *bits_used,
+ *be = (endianchar == 'b');
+ *bytes = padint / 8;
+ if (*bits_used == 64)
+- *mask = ~0;
++ *mask = ~(0ULL);
+ else
+- *mask = (1ULL << *bits_used) - 1;
++ *mask = (1ULL << *bits_used) - 1ULL;
+
+ *is_signed = (signchar == 's');
+ if (fclose(sysfsfp)) {
+--
+2.16.4
+
diff --git a/patches.fixes/lib-bitmap.c-make-bitmap_parselist-thread-safe-and-m.patch b/patches.fixes/lib-bitmap.c-make-bitmap_parselist-thread-safe-and-m.patch
new file mode 100644
index 0000000000..00964020a8
--- /dev/null
+++ b/patches.fixes/lib-bitmap.c-make-bitmap_parselist-thread-safe-and-m.patch
@@ -0,0 +1,96 @@
+From 0a5ce0831d04382aa9e2420e33dff958ddade542 Mon Sep 17 00:00:00 2001
+From: Yury Norov <ynorov@caviumnetworks.com>
+Date: Fri, 8 Sep 2017 16:15:34 -0700
+Subject: [PATCH] lib/bitmap.c: make bitmap_parselist() thread-safe and much faster
+Git-commit: 0a5ce0831d04382aa9e2420e33dff958ddade542
+Patch-mainline: v4.14-rc1
+References: bsc#1143507
+
+Current implementation of bitmap_parselist() uses a static variable to
+save local state while setting bits in the bitmap. It is obviously wrong
+if we assume execution in multiprocessor environment. Fortunately, it's
+possible to rewrite this portion of code to avoid using the static
+variable.
+
+It is also possible to set bits in the mask per-range with bitmap_set(),
+not per-bit, as it is implemented now, with set_bit(); which is way
+faster.
+
+The important side effect of this change is that setting bits in this
+function from now is not per-bit atomic and less memory-ordered. This is
+because set_bit() guarantees the order of memory accesses, while
+bitmap_set() does not. I think that it is the advantage of the new
+approach, because the bitmap_parselist() is intended to initialise bit
+arrays, and user should protect the whole bitmap during initialisation if
+needed. So protecting individual bits looks expensive and useless. Also,
+other range-oriented functions in lib/bitmap.c don't worry much about
+atomicity.
+
+With all that, setting 2k bits in map with the pattern like 0-2047:128/256
+becomes ~50 times faster after applying the patch in my testing
+environment (arm64 hosted on qemu).
+
+The second patch of the series adds the test for bitmap_parselist(). It's
+not intended to cover all tricky cases, just to make sure that I didn't
+screw up during rework.
+
+Link: http://lkml.kernel.org/r/20170807225438.16161-1-ynorov@caviumnetworks.com
+Signed-off-by: Yury Norov <ynorov@caviumnetworks.com>
+Cc: Noam Camus <noamca@mellanox.com>
+Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Cc: Matthew Wilcox <mawilcox@microsoft.com>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ lib/bitmap.c | 18 ++++++------------
+ 1 file changed, 6 insertions(+), 12 deletions(-)
+
+diff --git a/lib/bitmap.c b/lib/bitmap.c
+index 9a532805364b..c82c61b66e16 100644
+--- a/lib/bitmap.c
++++ b/lib/bitmap.c
+@@ -513,7 +513,7 @@ static int __bitmap_parselist(const char *buf, unsigned int buflen,
+ int nmaskbits)
+ {
+ unsigned int a, b, old_a, old_b;
+- unsigned int group_size, used_size;
++ unsigned int group_size, used_size, off;
+ int c, old_c, totaldigits, ndigits;
+ const char __user __force *ubuf = (const char __user __force *)buf;
+ int at_start, in_range, in_partial_range;
+@@ -599,6 +599,8 @@ static int __bitmap_parselist(const char *buf, unsigned int buflen,
+ a = old_a;
+ b = old_b;
+ old_a = old_b = 0;
++ } else {
++ used_size = group_size = b - a + 1;
+ }
+ /* if no digit is after '-', it's wrong*/
+ if (at_start && in_range)
+@@ -608,17 +610,9 @@ static int __bitmap_parselist(const char *buf, unsigned int buflen,
+ if (b >= nmaskbits)
+ return -ERANGE;
+ while (a <= b) {
+- if (in_partial_range) {
+- static int pos_in_group = 1;
+-
+- if (pos_in_group <= used_size)
+- set_bit(a, maskp);
+-
+- if (a == b || ++pos_in_group > group_size)
+- pos_in_group = 1;
+- } else
+- set_bit(a, maskp);
+- a++;
++ off = min(b - a + 1, used_size);
++ bitmap_set(maskp, a, off);
++ a += group_size;
+ }
+ } while (buflen && c == ',');
+ return 0;
+--
+2.16.4
+
diff --git a/patches.fixes/libata-don-t-request-sense-data-on-ZAC-ATA-devices.patch b/patches.fixes/libata-don-t-request-sense-data-on-ZAC-ATA-devices.patch
new file mode 100644
index 0000000000..e289290e8e
--- /dev/null
+++ b/patches.fixes/libata-don-t-request-sense-data-on-ZAC-ATA-devices.patch
@@ -0,0 +1,70 @@
+From ca156e006add67e4beea7896be395160735e09b0 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 24 Jun 2019 09:32:50 -0700
+Subject: [PATCH] libata: don't request sense data on !ZAC ATA devices
+Git-commit: ca156e006add67e4beea7896be395160735e09b0
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+ZAC support added sense data requesting on error for both ZAC and ATA
+devices. This seems to cause erratic error handling behaviors on some
+SSDs where the device reports sense data availability and then
+delivers the wrong content making EH take the wrong actions. The
+failure mode was sporadic on a LITE-ON ssd and couldn't be reliably
+reproduced.
+
+There is no value in requesting sense data from non-ZAC ATA devices
+while there's a significant risk of introducing EH misbehaviors which
+are difficult to reproduce and fix. Let's do the sense data dancing
+only for ZAC devices.
+
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Tested-by: Masato Suzuki <masato.suzuki@wdc.com>
+Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/ata/libata-eh.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
+index 9d687e1d4325..3bfd9da58473 100644
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -1469,7 +1469,7 @@ static int ata_eh_read_log_10h(struct ata_device *dev,
+ tf->hob_lbah = buf[10];
+ tf->nsect = buf[12];
+ tf->hob_nsect = buf[13];
+- if (ata_id_has_ncq_autosense(dev->id))
++ if (dev->class == ATA_DEV_ZAC && ata_id_has_ncq_autosense(dev->id))
+ tf->auxiliary = buf[14] << 16 | buf[15] << 8 | buf[16];
+
+ return 0;
+@@ -1716,7 +1716,8 @@ void ata_eh_analyze_ncq_error(struct ata_link *link)
+ memcpy(&qc->result_tf, &tf, sizeof(tf));
+ qc->result_tf.flags = ATA_TFLAG_ISADDR | ATA_TFLAG_LBA | ATA_TFLAG_LBA48;
+ qc->err_mask |= AC_ERR_DEV | AC_ERR_NCQ;
+- if ((qc->result_tf.command & ATA_SENSE) || qc->result_tf.auxiliary) {
++ if (dev->class == ATA_DEV_ZAC &&
++ ((qc->result_tf.command & ATA_SENSE) || qc->result_tf.auxiliary)) {
+ char sense_key, asc, ascq;
+
+ sense_key = (qc->result_tf.auxiliary >> 16) & 0xff;
+@@ -1770,10 +1771,11 @@ static unsigned int ata_eh_analyze_tf(struct ata_queued_cmd *qc,
+ }
+
+ switch (qc->dev->class) {
+- case ATA_DEV_ATA:
+ case ATA_DEV_ZAC:
+ if (stat & ATA_SENSE)
+ ata_eh_request_sense(qc, qc->scsicmd);
++ /* fall through */
++ case ATA_DEV_ATA:
+ if (err & ATA_ICRC)
+ qc->err_mask |= AC_ERR_ATA_BUS;
+ if (err & (ATA_UNC | ATA_AMNF))
+--
+2.16.4
+
diff --git a/patches.fixes/macsec-fix-checksumming-after-decryption.patch b/patches.fixes/macsec-fix-checksumming-after-decryption.patch
new file mode 100644
index 0000000000..02db3183e5
--- /dev/null
+++ b/patches.fixes/macsec-fix-checksumming-after-decryption.patch
@@ -0,0 +1,33 @@
+From 7d8b16b9facb0dd81d1469808dd9a575fa1d525a Mon Sep 17 00:00:00 2001
+From: Andreas Steinmetz <ast@domdv.de>
+Date: Sun, 30 Jun 2019 22:46:45 +0200
+Subject: [PATCH] macsec: fix checksumming after decryption
+Git-commit: 7d8b16b9facb0dd81d1469808dd9a575fa1d525a
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Fix checksumming after decryption.
+
+Signed-off-by: Andreas Steinmetz <ast@domdv.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/macsec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 8ec73d677123..8f46aa1ddec0 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -865,6 +865,7 @@ static void macsec_reset_skb(struct sk_buff *skb, struct net_device *dev)
+
+ static void macsec_finalize_skb(struct sk_buff *skb, u8 icv_len, u8 hdr_len)
+ {
++ skb->ip_summed = CHECKSUM_NONE;
+ memmove(skb->data + hdr_len, skb->data, 2 * ETH_ALEN);
+ skb_pull(skb, hdr_len);
+ pskb_trim_unique(skb, skb->len - icv_len);
+--
+2.16.4
+
diff --git a/patches.fixes/macsec-fix-use-after-free-of-skb-during-RX.patch b/patches.fixes/macsec-fix-use-after-free-of-skb-during-RX.patch
new file mode 100644
index 0000000000..986e3cc19b
--- /dev/null
+++ b/patches.fixes/macsec-fix-use-after-free-of-skb-during-RX.patch
@@ -0,0 +1,39 @@
+From 095c02da80a41cf6d311c504d8955d6d1c2add10 Mon Sep 17 00:00:00 2001
+From: Andreas Steinmetz <ast@domdv.de>
+Date: Sun, 30 Jun 2019 22:46:42 +0200
+Subject: [PATCH] macsec: fix use-after-free of skb during RX
+Git-commit: 095c02da80a41cf6d311c504d8955d6d1c2add10
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+Fix use-after-free of skb when rx_handler returns RX_HANDLER_PASS.
+
+Signed-off-by: Andreas Steinmetz <ast@domdv.de>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/macsec.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 75aebf65cd09..8ec73d677123 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1099,10 +1099,9 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
+ }
+
+ skb = skb_unshare(skb, GFP_ATOMIC);
+- if (!skb) {
+- *pskb = NULL;
++ *pskb = skb;
++ if (!skb)
+ return RX_HANDLER_CONSUMED;
+- }
+
+ pulled_sci = pskb_may_pull(skb, macsec_extra_len(true));
+ if (!pulled_sci) {
+--
+2.16.4
+
diff --git a/patches.fixes/macsec-let-the-administrator-set-UP-state-even-if-lo.patch b/patches.fixes/macsec-let-the-administrator-set-UP-state-even-if-lo.patch
new file mode 100644
index 0000000000..18dd3ab257
--- /dev/null
+++ b/patches.fixes/macsec-let-the-administrator-set-UP-state-even-if-lo.patch
@@ -0,0 +1,43 @@
+From 07bddef9839378bd6f95b393cf24c420529b4ef1 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Sun, 28 Oct 2018 09:33:10 +0100
+Subject: [PATCH] macsec: let the administrator set UP state even if lowerdev is down
+Git-commit: 07bddef9839378bd6f95b393cf24c420529b4ef1
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+Currently, the kernel doesn't let the administrator set a macsec device
+up unless its lower device is currently up. This is inconsistent, as a
+macsec device that is up won't automatically go down when its lower
+device goes down.
+
+Now that linkstate propagation works, there's really no reason for this
+limitation, so let's remove it.
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Reported-by: Radu Rendec <radu.rendec@gmail.com>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/macsec.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 6195b8edafc0..64a982563d59 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -2812,9 +2812,6 @@ static int macsec_dev_open(struct net_device *dev)
+ struct net_device *real_dev = macsec->real_dev;
+ int err;
+
+- if (!(real_dev->flags & IFF_UP))
+- return -ENETDOWN;
+-
+ err = dev_uc_add(real_dev, dev->dev_addr);
+ if (err < 0)
+ return err;
+--
+2.16.4
+
diff --git a/patches.fixes/macsec-update-operstate-when-lower-device-changes.patch b/patches.fixes/macsec-update-operstate-when-lower-device-changes.patch
new file mode 100644
index 0000000000..f87893956d
--- /dev/null
+++ b/patches.fixes/macsec-update-operstate-when-lower-device-changes.patch
@@ -0,0 +1,70 @@
+From e6ac075882b2afcdf2d5ab328ce4ab42a1eb9593 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Sun, 28 Oct 2018 09:33:09 +0100
+Subject: [PATCH] macsec: update operstate when lower device changes
+Git-commit: e6ac075882b2afcdf2d5ab328ce4ab42a1eb9593
+Patch-mainline: v4.20-rc1
+References: bsc#1051510
+
+Like all other virtual devices (macvlan, vlan), the operstate of a
+macsec device should match the state of its lower device. This is done
+by calling netif_stacked_transfer_operstate from its netdevice notifier.
+
+We also need to call netif_stacked_transfer_operstate when a new macsec
+device is created, so that its operstate is set properly. This is only
+relevant when we try to bring the device up directly when we create it.
+
+Radu Rendec proposed a similar patch, inspired from the 802.1q driver,
+that included changing the administrative state of the macsec device,
+instead of just the operstate. This version is similar to what the
+macvlan driver does, and updates only the operstate.
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Reported-by: Radu Rendec <radu.rendec@gmail.com>
+Reported-by: Patrick Talbert <ptalbert@redhat.com>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/macsec.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 4bb90b6867a2..6195b8edafc0 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -3306,6 +3306,9 @@ static int macsec_newlink(struct net *net, struct net_device *dev,
+ if (err < 0)
+ goto del_dev;
+
++ netif_stacked_transfer_operstate(real_dev, dev);
++ linkwatch_fire_event(dev);
++
+ macsec_generation++;
+
+ return 0;
+@@ -3490,6 +3493,20 @@ static int macsec_notify(struct notifier_block *this, unsigned long event,
+ return NOTIFY_DONE;
+
+ switch (event) {
++ case NETDEV_DOWN:
++ case NETDEV_UP:
++ case NETDEV_CHANGE: {
++ struct macsec_dev *m, *n;
++ struct macsec_rxh_data *rxd;
++
++ rxd = macsec_data_rtnl(real_dev);
++ list_for_each_entry_safe(m, n, &rxd->secys, secys) {
++ struct net_device *dev = m->secy.netdev;
++
++ netif_stacked_transfer_operstate(real_dev, dev);
++ }
++ break;
++ }
+ case NETDEV_UNREGISTER: {
+ struct macsec_dev *m, *n;
+ struct macsec_rxh_data *rxd;
+--
+2.16.4
+
diff --git a/patches.fixes/net-9p-include-trans_common.h-to-fix-missing-prototy.patch b/patches.fixes/net-9p-include-trans_common.h-to-fix-missing-prototy.patch
new file mode 100644
index 0000000000..adb4502cdf
--- /dev/null
+++ b/patches.fixes/net-9p-include-trans_common.h-to-fix-missing-prototy.patch
@@ -0,0 +1,32 @@
+From 52ad259eaac0454c1ac7123e7148cf8d6e6f5301 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Adeodato=20Sim=C3=B3?= <dato@net.com.org.es>
+Date: Tue, 13 Nov 2018 03:28:53 -0300
+Subject: [PATCH] net/9p: include trans_common.h to fix missing prototype warning.
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 52ad259eaac0454c1ac7123e7148cf8d6e6f5301
+Patch-mainline: v5.0-rc1
+References: bsc#1051510
+
+This silences -Wmissing-prototypes when defining p9_release_pages.
+
+Link: http://lkml.kernel.org/r/b1c4df8f21689b10d451c28fe38e860722d20e71.1542089696.git.dato@net.com.org.es
+Signed-off-by: Adeodato Simó <dato@net.com.org.es>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/9p/trans_common.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/9p/trans_common.c
++++ b/net/9p/trans_common.c
+@@ -14,6 +14,7 @@
+
+ #include <linux/mm.h>
+ #include <linux/module.h>
++#include "trans_common.h"
+
+ /**
+ * p9_release_req_pages - Release pages after the transaction.
diff --git a/patches.fixes/regmap-fix-bulk-writes-on-paged-registers.patch b/patches.fixes/regmap-fix-bulk-writes-on-paged-registers.patch
new file mode 100644
index 0000000000..c375221747
--- /dev/null
+++ b/patches.fixes/regmap-fix-bulk-writes-on-paged-registers.patch
@@ -0,0 +1,44 @@
+From db057679de3e9e6a03c1bcd5aee09b0d25fd9f5b Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Wed, 12 Jun 2019 12:03:43 +0100
+Subject: [PATCH] regmap: fix bulk writes on paged registers
+Git-commit: db057679de3e9e6a03c1bcd5aee09b0d25fd9f5b
+Patch-mainline: v5.3-rc1
+References: bsc#1051510
+
+On buses like SlimBus and SoundWire which does not support
+gather_writes yet in regmap, A bulk write on paged register
+would be silently ignored after programming page.
+This is because local variable 'ret' value in regmap_raw_write_impl()
+gets reset to 0 once page register is written successfully and the
+code below checks for 'ret' value to be -ENOTSUPP before linearising
+the write buffer to send to bus->write().
+
+Fix this by resetting the 'ret' value to -ENOTSUPP in cases where
+gather_writes() is not supported or single register write is
+not possible.
+
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/base/regmap/regmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
+index f1025452bb39..19f57ccfbe1d 100644
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1637,6 +1637,8 @@ static int _regmap_raw_write_impl(struct regmap *map, unsigned int reg,
+ map->format.reg_bytes +
+ map->format.pad_bytes,
+ val, val_len);
++ else
++ ret = -ENOTSUPP;
+
+ /* If that didn't work fall back on linearising by hand. */
+ if (ret == -ENOTSUPP) {
+--
+2.16.4
+
diff --git a/patches.fixes/s390-zcrypt-fix-wrong-dispatching-for-control-domain-cprbs b/patches.fixes/s390-zcrypt-fix-wrong-dispatching-for-control-domain-cprbs
new file mode 100644
index 0000000000..42dabc7ed9
--- /dev/null
+++ b/patches.fixes/s390-zcrypt-fix-wrong-dispatching-for-control-domain-cprbs
@@ -0,0 +1,166 @@
+From: Harald Freudenberger <freude@linux.ibm.com>
+Date: Tue, 21 May 2019 13:50:09 +0200
+Subject: s390/zcrypt: Fix wrong dispatching for control domain CPRBs
+Git-commit: 7379e652797c0b9b5f6caea1576f2dff9ce6a708
+Patch-mainline: v5.2-rc1
+References: bsc#1137811 LTC#178088
+
+The zcrypt device driver does not handle CPRBs which address
+a control domain correctly. This fix introduces a workaround:
+The domain field of the request CPRB is checked if there is
+a valid domain value in there. If this is true and the value
+is a control only domain (a domain which is enabled in the
+crypto config ADM mask but disabled in the AQM mask) the
+CPRB is forwarded to the default usage domain. If there is
+no default domain, the request is rejected with an ENODEV.
+
+This fix is important for maintaining crypto adapters. For
+example one LPAR can use a crypto adapter domain ('Control
+and Usage') but another LPAR needs to be able to maintain
+this adapter domain ('Control'). Scenarios like this did
+not work properly and the patch enables this.
+
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Acked-by: Petr Tesarik <ptesarik@suse.com>
+---
+ arch/s390/include/asm/ap.h | 4 ++--
+ drivers/s390/crypto/ap_bus.c | 28 +++++++++++++++++++++++-----
+ drivers/s390/crypto/ap_bus.h | 3 +++
+ drivers/s390/crypto/zcrypt_api.c | 17 ++++++++++++++---
+ 4 files changed, 42 insertions(+), 10 deletions(-)
+
+--- a/arch/s390/include/asm/ap.h
++++ b/arch/s390/include/asm/ap.h
+@@ -72,8 +72,8 @@ struct ap_config_info {
+ unsigned char Nd; /* max # of Domains - 1 */
+ unsigned char _reserved3[10];
+ unsigned int apm[8]; /* AP ID mask */
+- unsigned int aqm[8]; /* AP queue mask */
+- unsigned int adm[8]; /* AP domain mask */
++ unsigned int aqm[8]; /* AP (usage) queue mask */
++ unsigned int adm[8]; /* AP (control) domain mask */
+ unsigned char _reserved4[16];
+ } __aligned(8);
+
+--- a/drivers/s390/crypto/ap_bus.c
++++ b/drivers/s390/crypto/ap_bus.c
+@@ -256,19 +256,37 @@ static inline int ap_test_config_card_id
+ }
+
+ /*
+- * ap_test_config_domain(): Test, whether an AP usage domain is configured.
++ * ap_test_config_usage_domain(): Test, whether an AP usage domain
++ * is configured.
+ * @domain AP usage domain ID
+ *
+ * Returns 0 if the usage domain is not configured
+ * 1 if the usage domain is configured or
+ * if the configuration information is not available
+ */
+-static inline int ap_test_config_domain(unsigned int domain)
++int ap_test_config_usage_domain(unsigned int domain)
+ {
+ if (!ap_configuration) /* QCI not supported */
+ return domain < 16;
+ return ap_test_config(ap_configuration->aqm, domain);
+ }
++EXPORT_SYMBOL(ap_test_config_usage_domain);
++
++/*
++ * ap_test_config_ctrl_domain(): Test, whether an AP control domain
++ * is configured.
++ * @domain AP control domain ID
++ *
++ * Returns 1 if the control domain is configured
++ * 0 in all other cases
++ */
++int ap_test_config_ctrl_domain(unsigned int domain)
++{
++ if (!ap_configuration) /* QCI not supported */
++ return 0;
++ return ap_test_config(ap_configuration->adm, domain);
++}
++EXPORT_SYMBOL(ap_test_config_ctrl_domain);
+
+ /**
+ * ap_query_queue(): Check if an AP queue is available.
+@@ -960,7 +978,7 @@ static int ap_select_domain(void)
+ best_domain = -1;
+ max_count = 0;
+ for (i = 0; i < AP_DOMAINS; i++) {
+- if (!ap_test_config_domain(i))
++ if (!ap_test_config_usage_domain(i))
+ continue;
+ count = 0;
+ for (j = 0; j < AP_DEVICES; j++) {
+@@ -1056,7 +1074,7 @@ static void ap_scan_bus(struct work_stru
+ (void *)(long) qid,
+ __match_queue_device_with_qid);
+ aq = dev ? to_ap_queue(dev) : NULL;
+- if (!ap_test_config_domain(dom)) {
++ if (!ap_test_config_usage_domain(dom)) {
+ if (dev) {
+ /* Queue device exists but has been
+ * removed from configuration.
+@@ -1150,7 +1168,7 @@ static void ap_reset_all(void)
+ int i, j;
+
+ for (i = 0; i < AP_DOMAINS; i++) {
+- if (!ap_test_config_domain(i))
++ if (!ap_test_config_usage_domain(i))
+ continue;
+ for (j = 0; j < AP_DEVICES; j++) {
+ if (!ap_test_config_card_id(j))
+--- a/drivers/s390/crypto/ap_bus.h
++++ b/drivers/s390/crypto/ap_bus.h
+@@ -251,6 +251,9 @@ void ap_wait(enum ap_wait wait);
+ void ap_request_timeout(unsigned long data);
+ void ap_bus_force_rescan(void);
+
++int ap_test_config_usage_domain(unsigned int domain);
++int ap_test_config_ctrl_domain(unsigned int domain);
++
+ void ap_queue_init_reply(struct ap_queue *aq, struct ap_message *ap_msg);
+ struct ap_queue *ap_queue_create(ap_qid_t qid, int device_type);
+ void ap_queue_remove(struct ap_queue *aq);
+--- a/drivers/s390/crypto/zcrypt_api.c
++++ b/drivers/s390/crypto/zcrypt_api.c
+@@ -381,7 +381,7 @@ long zcrypt_send_cprb(struct ica_xcRB *x
+ struct ap_message ap_msg;
+ unsigned int weight, pref_weight;
+ unsigned int func_code;
+- unsigned short *domain;
++ unsigned short *domain, tdom;
+ int qid = 0, rc = -ENODEV;
+
+ trace_s390_zcrypt_req(xcRB, TB_ZSECSENDCPRB);
+@@ -391,6 +391,17 @@ long zcrypt_send_cprb(struct ica_xcRB *x
+ if (rc)
+ goto out;
+
++ /*
++ * If a valid target domain is set and this domain is NOT a usage
++ * domain but a control only domain, use the default domain as target.
++ */
++ tdom = *domain;
++ if (tdom >= 0 && tdom < AP_DOMAINS &&
++ !ap_test_config_usage_domain(tdom) &&
++ ap_test_config_ctrl_domain(tdom) &&
++ ap_domain_index >= 0)
++ tdom = ap_domain_index;
++
+ pref_zc = NULL;
+ pref_zq = NULL;
+ spin_lock(&zcrypt_list_lock);
+@@ -410,8 +421,8 @@ long zcrypt_send_cprb(struct ica_xcRB *x
+ /* check if device is online and eligible */
+ if (!zq->online ||
+ !zq->ops->send_cprb ||
+- ((*domain != (unsigned short) AUTOSELECT) &&
+- (*domain != AP_QID_QUEUE(zq->queue->qid))))
++ (tdom != (unsigned short) AUTOSELECT &&
++ tdom != AP_QID_QUEUE(zq->queue->qid)))
+ continue;
+ if (zcrypt_queue_compare(zq, pref_zq,
+ weight, pref_weight))
diff --git a/patches.suse/btrfs-scrub-add-memalloc_nofs-protection-around-init_ipath.patch b/patches.suse/btrfs-scrub-add-memalloc_nofs-protection-around-init_ipath.patch
new file mode 100644
index 0000000000..180e99289e
--- /dev/null
+++ b/patches.suse/btrfs-scrub-add-memalloc_nofs-protection-around-init_ipath.patch
@@ -0,0 +1,60 @@
+From: David Sterba <dsterba@suse.com>
+Date: Wed, 31 May 2017 19:21:38 +0200
+Subject: btrfs: scrub: add memalloc_nofs protection around init_ipath
+Git-commit: de2491fdefe7e599fa08a81a1b89d03c96c9cbc3
+Patch-mainline: v4.13-rc1
+References: bsc#1086103
+
+init_ipath is called from a safe ioctl context and from scrub when
+printing an error. The protection is added for three reasons:
+
+* init_data_container calls vmalloc and this does not work as expected
+ in the GFP_NOFS context, so this silently does GFP_KERNEL and might
+ deadlock in some cases
+* keep the context constraint of GFP_NOFS, used by scrub
+* we want to use GFP_KERNEL unconditionally inside init_ipath or its
+ callees
+
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Nikolay Borisov <nborisov@suse.com>
+---
+ fs/btrfs/scrub.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
+index e99be644b19f..096e503e3ddc 100644
+--- a/fs/btrfs/scrub.c
++++ b/fs/btrfs/scrub.c
+@@ -18,6 +18,7 @@
+
+ #include <linux/blkdev.h>
+ #include <linux/ratelimit.h>
++#include <linux/sched/mm.h>
+ #include "ctree.h"
+ #include "volumes.h"
+ #include "disk-io.h"
+@@ -733,6 +734,7 @@ static int scrub_print_warning_inode(u64 inum, u64 offset, u64 root,
+ u32 nlink;
+ int ret;
+ int i;
++ unsigned nofs_flag;
+ struct extent_buffer *eb;
+ struct btrfs_inode_item *inode_item;
+ struct scrub_warning *swarn = warn_ctx;
+@@ -771,7 +773,14 @@ static int scrub_print_warning_inode(u64 inum, u64 offset, u64 root,
+ nlink = btrfs_inode_nlink(eb, inode_item);
+ btrfs_release_path(swarn->path);
+
++ /*
++ * init_path might indirectly call vmalloc, or use GFP_KERNEL. Scrub
++ * uses GFP_NOFS in this context, so we keep it consistent but it does
++ * not seem to be strictly necessary.
++ */
++ nofs_flag = memalloc_nofs_save();
+ ipath = init_ipath(4096, local_root, swarn->path);
++ memalloc_nofs_restore(nofs_flag);
+ if (IS_ERR(ipath)) {
+ ret = PTR_ERR(ipath);
+ ipath = NULL;
+
diff --git a/patches.suse/btrfs-use-gfp_kernel-in-init_ipath.patch b/patches.suse/btrfs-use-gfp_kernel-in-init_ipath.patch
new file mode 100644
index 0000000000..164e388d04
--- /dev/null
+++ b/patches.suse/btrfs-use-gfp_kernel-in-init_ipath.patch
@@ -0,0 +1,84 @@
+From: David Sterba <dsterba@suse.com>
+Date: Wed, 31 May 2017 19:32:09 +0200
+Subject: btrfs: use GFP_KERNEL in init_ipath
+Git-commit: f54de068dda73e337972481eabd103671859b2aa
+Patch-mainline: v4.13-rc1
+References: bsc#1086103
+
+Now that init_ipath is called either from a safe context or with
+memalloc_nofs protection, we can switch to GFP_KERNEL allocations in
+init_path and init_data_container.
+
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Acked-by: Nikolay Borisov <nborisov@suse.com>
+---
+ fs/btrfs/backref.c | 10 +++++-----
+ fs/btrfs/ioctl.c | 4 ++--
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c
+index 24865da63d8f..f723c11bb763 100644
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -16,7 +16,7 @@
+ * Boston, MA 021110-1307, USA.
+ */
+
+-#include <linux/vmalloc.h>
++#include <linux/mm.h>
+ #include <linux/rbtree.h>
+ #include "ctree.h"
+ #include "disk-io.h"
+@@ -2305,7 +2305,7 @@ struct btrfs_data_container *init_data_container(u32 total_bytes)
+ size_t alloc_bytes;
+
+ alloc_bytes = max_t(size_t, total_bytes, sizeof(*data));
+- data = vmalloc(alloc_bytes);
++ data = kvmalloc(alloc_bytes, GFP_KERNEL);
+ if (!data)
+ return ERR_PTR(-ENOMEM);
+
+@@ -2339,9 +2339,9 @@ struct inode_fs_paths *init_ipath(s32 total_bytes, struct btrfs_root *fs_root,
+ if (IS_ERR(fspath))
+ return (void *)fspath;
+
+- ifp = kmalloc(sizeof(*ifp), GFP_NOFS);
++ ifp = kmalloc(sizeof(*ifp), GFP_KERNEL);
+ if (!ifp) {
+- vfree(fspath);
++ kvfree(fspath);
+ return ERR_PTR(-ENOMEM);
+ }
+
+@@ -2356,6 +2356,6 @@ void free_ipath(struct inode_fs_paths *ipath)
+ {
+ if (!ipath)
+ return;
+- vfree(ipath->fspath);
++ kvfree(ipath->fspath);
+ kfree(ipath);
+ }
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index c9cdea8061bc..e4116f9248c2 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -37,7 +37,7 @@
+ #include <linux/bit_spinlock.h>
+ #include <linux/security.h>
+ #include <linux/xattr.h>
+-#include <linux/vmalloc.h>
++#include <linux/mm.h>
+ #include <linux/slab.h>
+ #include <linux/blkdev.h>
+ #include <linux/uuid.h>
+@@ -4588,7 +4588,7 @@ static long btrfs_ioctl_logical_to_ino(struct btrfs_fs_info *fs_info,
+
+ out:
+ btrfs_free_path(path);
+- vfree(inodes);
++ kvfree(inodes);
+ kfree(loi);
+
+ return ret;
+
diff --git a/series.conf b/series.conf
index b8c2b1bd89..904e710090 100644
--- a/series.conf
+++ b/series.conf
@@ -2340,6 +2340,8 @@
patches.suse/0001-Btrfs-skip-commit-transaction-if-we-don-t-have-enoug.patch
patches.suse/btrfs-separate-space_info-create-update.patch
patches.suse/btrfs-refactor-update_space_info.patch
+ patches.suse/btrfs-scrub-add-memalloc_nofs-protection-around-init_ipath.patch
+ patches.suse/btrfs-use-gfp_kernel-in-init_ipath.patch
patches.suse/btrfs-manually-implement-device_total_bytes-getter-setter.patch
patches.suse/btrfs-round-down-values-which-are-written-for-total_bytes_size.patch
patches.suse/btrfs-add-cond_resched-to-btrfs_qgroup_trace_leaf_items
@@ -6706,6 +6708,7 @@
patches.suse/0014-fs-epoll-use-faster-rb_first_cached.patch
patches.suse/0015-mem-memcg-cache-rightmost-node.patch
patches.suse/0016-block-cfq-cache-rightmost-rb_node.patch
+ patches.fixes/lib-bitmap.c-make-bitmap_parselist-thread-safe-and-m.patch
patches.fixes/checkpatch-add-6-missing-types-to-list-types
patches.suse/0001-ipc-sem-drop-sem_checkid-helper.patch
patches.suse/0002-ipc-sem-play-nicer-with-large-nsops-allocations.patch
@@ -11661,6 +11664,7 @@
patches.fixes/orangefs-fix-deadlock-do-not-write-i_size-in-read_it.patch
patches.drivers/Input-xpad-add-support-for-PDP-Xbox-One-controllers
patches.drivers/Input-trackpoint-force-3-buttons-if-0-button-is-repo
+ patches.drivers/Input-trackpoint-only-expose-supported-controls-for-.patch
patches.drm/drm-vc4-Flush-the-caches-before-the-bin-jobs-as-well
patches.drm/drm-vc4-Fix-NULL-pointer-dereference-in-vc4_save_han
patches.suse/net-tcp-close-sock-if-net-namespace-is-exiting.patch
@@ -11933,6 +11937,7 @@
patches.suse/0016-arm64-Implement-branch-predictor-hardening-for-affec.patch
patches.suse/0017-arm64-Implement-branch-predictor-hardening-for-Falko.patch
patches.suse/0018-arm64-cputype-Add-MIDR-values-for-Cavium-ThunderX2-C.patch
+ patches.arch/KVM-arm-arm64-Convert-kvm_host_cpu_state-to-a-static.patch
patches.arch/arm64-capabilities-Handle-duplicate-entries-for-a-ca.patch
patches.arch/0010-arm64-fix-ID-map-extension-to-52-bits.patch
patches.arch/0011-KVM-arm-arm64-fix-HYP-ID-map-extension-to-52-bits.patch
@@ -13668,6 +13673,7 @@
patches.fixes/KVM-s390-use-created_vcpus-in-more-places.patch
patches.suse/KVM-s390-diagnoses-are-instructions-as-well.patch
patches.suse/KVM-s390-add-vcpu-stat-counters-for-many-instruction.patch
+ patches.arch/KVM-arm-arm64-Handle-CPU_PM_ENTER_FAILED.patch
patches.fixes/x86-kvm-vmx-do-not-use-vm-exit-instruction-length-fo.patch
patches.suse/msft-hv-1588-x86-hyperv-Check-for-required-priviliges-in-hyperv_i.patch
patches.suse/msft-hv-1589-x86-hyperv-Add-a-function-to-read-both-TSC-and-TSC-p.patch
@@ -13992,6 +13998,7 @@
patches.arch/KVM-s390-provide-only-a-single-function-for-setting-.patch
patches.fixes/KVM-x86-move-LAPIC-initialization-after-VMCS-creatio.patch
patches.arch/kvm-x86-remove-warn_on-for-when-vm_munmap-fails
+ patches.arch/KVM-mmu-Fix-overlap-between-public-and-private-memsl.patch
patches.arch/kvm-nvmx-don-t-halt-vcpu-when-l1-is-injecting-events-to-l2
patches.suse/include-psp-sev-capitalize-invalid-length-enum.patch
patches.suse/kvm-svm-no-need-to-call-access_ok-in-launch_measure-command.patch
@@ -14304,6 +14311,9 @@
patches.drm/drm-i915-gvt-keep-oa-config-in-shadow-ctx
patches.drm/drm-i915-gvt-Correct-the-privilege-shadow-batch-buff
patches.suse/btrfs-add-missing-initialization-in-btrfs_check_shared.patch
+ patches.arch/KVM-arm-arm64-vgic-Add-missing-irq_lock-to-vgic_mmio.patch
+ patches.arch/KVM-arm-arm64-Reduce-verbosity-of-KVM-init-log.patch
+ patches.arch/kvm-arm-arm64-vgic-v3-Tighten-synchronization-for-gu.patch
patches.arch/KVM-PPC-Book3S-HV-Fix-trap-number-return-from-__kvmp.patch
patches.fixes/kvm-x86-fix-device-passthrough-when-sme-is-active.patch
patches.drivers/irqchip-gic-v3-its-Ensure-nr_ites-nr_lpis.patch
@@ -15559,6 +15569,7 @@
patches.arch/KVM-arm-arm64-Introduce-vcpu_el1_is_32bit.patch
patches.arch/0002-arm64-alternatives-Add-dynamic-patching-feature.patch
patches.drivers/0007-KVM-arm64-Fix-HYP-idmap-unmap-when-using-52bit-PA.patch
+ patches.arch/KVM-arm-arm64-vgic-its-Fix-potential-overrun-in-vgic.patch
patches.drivers/kvm-vmx-fix-the-module-parameters-for-vmx
patches.drivers/kvm-vmx-remove-ple_window_actual_max
patches.drivers/kvm-vmx-bring-the-common-code-to-header-file
@@ -16007,6 +16018,7 @@
patches.fixes/libceph-un-backoff-on-tick-when-we-have-a-authenticated-session.patch
patches.fixes/libceph-reschedule-a-tick-in-finish_hunting.patch
patches.fixes/libceph-validate-con-state-at-the-top-of-try_write.patch
+ patches.arch/KVM-arm-arm64-Close-VMID-generation-race.patch
patches.arch/powerpc-powernv-npu-Add-lock-to-prevent-race-in-conc.patch
patches.arch/powerpc-powernv-npu-Prevent-overwriting-of-pnv_npu2_.patch
patches.arch/powerpc-powernv-npu-Do-a-PID-GPU-TLB-flush-when-inva.patch
@@ -16797,6 +16809,8 @@
patches.drivers/ASoC-cs35l35-Add-use_single_rw-to-regmap-config
patches.fixes/kconfig-Avoid-format-overflow-warning-from-GCC-8.1
patches.fixes/ARM-8764-1-kgdb-fix-NUMREGBYTES-so-that-gdb_regs-is-.patch
+ patches.arch/ARM-KVM-Add-SMCCC_ARCH_WORKAROUND_1-fast-handling.patch
+ patches.arch/ARM-KVM-report-support-for-SMCCC_ARCH_WORKAROUND_1.patch
patches.drivers/ghes-edac-fix-ghes_edac-registration.patch
patches.drivers/EDAC-ghes-Add-DDR4-and-NVDIMM-memory-types.patch
patches.drivers/EDAC-skx-Fix-skx_edac-build-error-when-ACPI_NFIT-m.patch
@@ -17524,6 +17538,7 @@
patches.suse/msft-hv-1700-KVM-x86-hyperv-simplistic-HVCALL_FLUSH_VIRTUAL_ADDRE.patch
patches.suse/msft-hv-1701-KVM-x86-hyperv-simplistic-HVCALL_FLUSH_VIRTUAL_ADDRE.patch
patches.drivers/0010-arm64-fpsimd-Avoid-FPSIMD-context-leakage-for-the-in.patch
+ patches.arch/KVM-arm-arm64-Set-dist-spis-to-NULL-after-kfree.patch
patches.arch/kvm-make-vm-ioctl-do-valloc-for-some-archs
patches.arch/kvm-nvmx-enforce-cpl-0-for-vmx-instructions
patches.arch/kvm-x86-introduce-linear_-read-write-system
@@ -17663,6 +17678,7 @@
patches.drm/drm-bridge-sii8620-fix-display-of-packed-pixel-modes
patches.fixes/udf-Detect-incorrect-directory-size.patch
patches.fixes/0001-xen-Remove-unnecessary-BUG_ON-from-__unbind_from_irq.patch
+ patches.arch/KVM-arm-arm64-Drop-resource-size-check-for-GICV-wind.patch
patches.arch/kvm-enforce-error-in-ioctl-for-compat-tasks-when-kvm_compat
patches.drivers/0017-arm64-dma-mapping-clear-buffers-allocated-with-FORCE.patch
patches.drivers/0001-arm64-kpti-Use-early_param-for-kpti-command-line-opt.patch
@@ -17906,6 +17922,7 @@
patches.fixes/mark-hi-and-tasklet-softirq-synchronous.patch
patches.arch/kvm-vmx-support-msr_ia32_arch_capabilities-as-a-feature-msr
patches.fixes/xenclock-0007-x86-kvmclock-set-pvti_cpu0_va-after-enabling-kvmcloc.patch
+ patches.arch/KVM-Eventfd-Avoid-crash-when-assign-and-deassign-spe.patch
patches.arch/kvmclock-fix-tsc-calibration-for-nested-guests
patches.suse/btrfs-fix-use-after-free-of-cmp-workspace-pages.patch
patches.fixes/btrfs-scrub-Don-t-use-inode-page-cache-in-scrub_hand.patch
@@ -18783,6 +18800,7 @@
patches.arch/powerpc-64-Disable-the-speculation-barrier-from-the-.patch
patches.arch/powerpc-64-Make-stf-barrier-PPC_BOOK3S_64-specific.patch
patches.arch/powerpc-64-Call-setup_barrier_nospec-from-setup_arch.patch
+ patches.fixes/Documentation-Add-nospectre_v1-parameter.patch
patches.arch/powerpc-asm-Add-a-patch_site-macro-helpers-for-patch.patch
patches.arch/powerpc-64s-Add-new-security-feature-flags-for-count.patch
patches.arch/powerpc-64s-Add-support-for-software-count-cache-flu.patch
@@ -19021,6 +19039,9 @@
patches.fixes/tracing-blktrace-Fix-to-allow-setting-same-value.patch
patches.fixes/blk-mq-init-hctx-sched-after-update-ctx-and-hctx-map.patch
patches.fixes/blk-mq-sync-the-update-nr_hw_queues-with-blk_mq_queu.patch
+ patches.arch/KVM-arm-arm64-Fix-lost-IRQs-from-emulated-physcial-t.patch
+ patches.arch/KVM-arm-arm64-Skip-updating-PMD-entry-if-no-change.patch
+ patches.arch/KVM-arm-arm64-Skip-updating-PTE-entry-if-no-change.patch
patches.arch/x86-kvm-avoid-unused-variable-warning
patches.arch/kvm-x86-svm-call-x86_spec_ctrl_set_guest-host-with-interrupts-disabled.patch
patches.arch/kvm-vmx-fixes-for-vmentry_l1d_flush-module-parameter
@@ -20007,6 +20028,7 @@
patches.arch/kvm-nvmx-restore-host-state-in-nested_vmx_vmexit-for-vmfail
patches.arch/kvm-nvmx-always-reflect-nm-vm-exits-to-l1
patches.arch/kvm-nvmx-move-check_vmentry_postreqs-call-to-nested_vmx_enter_non_root_mode
+ patches.arch/KVM-arm64-Fix-caching-of-host-MDCR_EL2-value.patch
patches.fixes/arm-arm64-KVM-Rename-function-kvm_arch_dev_ioctl_che.patch
patches.drivers/IB-hfi1-Add-mtu-check-for-operational-data-VLs.patch
patches.drivers/RDMA-bnxt_re-Add-missing-spin-lock-initialization.patch
@@ -20120,10 +20142,17 @@
patches.drm/drm-i915-Large-page-offsets-for-pread-pwrite.patch
patches.drm/0001-drm-i915-gen9-Fix-initial-readout-for-Y-tiled-frameb.patch
patches.suse/net-sched-gred-pass-the-right-attribute-to-gred_chan.patch
+ patches.fixes/macsec-update-operstate-when-lower-device-changes.patch
+ patches.fixes/macsec-let-the-administrator-set-UP-state-even-if-lo.patch
+ patches.fixes/9p-xen-fix-check-for-xenbus_read-error-in-front_prob.patch
patches.fixes/v9fs_dir_readdir-fix-double-free-on-p9stat_read-erro.patch
patches.fixes/9p-clear-dangling-pointers-in-p9stat_free.patch
+ patches.fixes/9p-rdma-do-not-disconnect-on-down_interruptible-EAGA.patch
patches.fixes/9p-do-not-trust-pdu-content-for-stat-item-size.patch
patches.fixes/9p-locks-add-mount-option-for-lock-retry-interval.patch
+ patches.fixes/9p-acl-fix-uninitialized-iattr-access.patch
+ patches.fixes/9p-rdma-remove-useless-check-in-cm_event_handler.patch
+ patches.fixes/9p-p9dirent_read-check-network-provided-name-length.patch
patches.fixes/9p-locks-fix-glock.client_id-leak-in-do_lock.patch
patches.fixes/fsnotify-Fix-busy-inodes-during-unmount.patch
patches.drivers/staging-iio-ad7606-fix-voltage-scales.patch
@@ -20832,9 +20861,11 @@
patches.arch/kvm-nvmx-free-the-vmread-vmwrite-bitmaps-if-alloc_kvm_area-fails
patches.arch/kvm-vmx-set-ia32_tsc_aux-for-legacy-mode-guests
patches.arch/kvm-x86-report-stibp-on-get_supported_cpuid.patch
+ patches.arch/KVM-arm-arm64-Fix-VMID-alloc-race-by-reverting-to-lo.patch
patches.fixes/arm-arm64-KVM-vgic-Force-VM-halt-when-changing-the-a.patch
patches.arch/KVM-PPC-Book3S-HV-Fix-race-between-kvm_unmap_hva_ran.patch
patches.fixes/KVM-PPC-Book3S-PR-Set-hflag-to-indicate-that-POWER9-.patch
+ patches.arch/kvm-Disallow-wraparound-in-kvm_gfn_to_hva_cache_init.patch
patches.arch/kvm-nvmx-nmi-window-and-interrupt-window-exiting-should-wake-l2-from-hlt
patches.arch/kvm-x86-use-jmp-to-invoke-kvm_spurious_fault-from-fixup
patches.arch/x86-resctrl-fix-rdt_find_domain-return-value-and-checks.patch
@@ -21101,6 +21132,7 @@
patches.fixes/tpm-fix-kdoc-for-tpm2_flush_context_cmd.patch
patches.fixes/CIFS-Fix-error-mapping-for-SMB2_LOCK-command-which-c.patch
patches.suse/cifs-Always-resolve-hostname-before-reconnecting.patch
+ patches.fixes/net-9p-include-trans_common.h-to-fix-missing-prototy.patch
patches.fixes/9p-net-put-a-lower-bound-on-msize.patch
patches.fixes/sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch
patches.fixes/sunrpc-use-after-free-in-svc_process_common.patch
@@ -22012,6 +22044,7 @@
patches.arch/kvm-x86-mmu-detect-mmio-generation-wrap-in-any-address-space
patches.arch/kvm-x86-mmu-do-not-cache-mmio-accesses-while-memslots-are-in-flux
patches.arch/KVM-PPC-Release-all-hardware-TCE-tables-attached-to-.patch
+ patches.arch/arm64-KVM-Fix-architecturally-invalid-reset-value-fo.patch
patches.fixes/CIFS-fix-POSIX-lock-leak-and-invalid-ptr-deref.patch
patches.fixes/It-s-wrong-to-add-len-to-sector_nr-in-raid10-reshape.patch
patches.fixes/md-Fix-failed-allocation-of-md_register_thread.patch
@@ -22155,6 +22188,7 @@
patches.drivers/leds-pca9532-fix-a-potential-NULL-pointer-dereferenc.patch
patches.arch/powerpc-pseries-energy-Use-OF-accessor-functions-to-.patch
patches.arch/powerpc-pseries-mce-Fix-misleading-print-for-TLB-mut.patch
+ patches.arch/KVM-Reject-device-ioctls-from-processes-other-than-t.patch
patches.arch/kvm-svm-workaround-errata-1096-insn_len-maybe-zero-on-smap-violation
patches.arch/kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch
patches.suse/msft-hv-1857-x86-kvm-hyper-v-avoid-spurious-pending-stimer-on-vCP.patch
@@ -22545,6 +22579,7 @@
patches.drivers/scsi-qedf-fixup-bit-operations.patch
patches.fixes/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch
patches.fixes/scsi-qla2xxx-fix-abort-handling-in-tcm_qla2xxx_write_pending.patch
+ patches.drivers/pinctrl-pistachio-fix-leaked-of_node-references.patch
patches.drivers/ipmi-ssif-compare-block-number-correctly-for-multi-p.patch
patches.drivers/media-cpia2-Fix-use-after-free-in-cpia2_exit.patch
patches.drivers/media-saa7146-avoid-high-stack-usage-with-clang.patch
@@ -22841,6 +22876,7 @@
patches.drivers/Staging-vc04_services-Fix-a-couple-error-codes.patch
patches.drivers/staging-vc04_services-prevent-integer-overflow-in-cr.patch
patches.fixes/PCI-PM-Avoid-possible-suspend-to-idle-issue.patch
+ patches.fixes/s390-zcrypt-fix-wrong-dispatching-for-control-domain-cprbs
patches.suse/memcg-make-it-work-on-sparse-non-0-node-systems.patch
patches.suse/kernel-signal.c-trace_signal_deliver-when-signal_gro.patch
patches.fixes/scsi-zfcp-fix-missing-zfcp_port-reference-put-on-ebusy-from-port_remove
@@ -22951,6 +22987,7 @@
patches.fixes/apparmor-enforce-nullbyte-at-end-of-tag-string.patch
patches.drivers/PCI-PM-Skip-devices-in-D0-for-suspend-to-idle.patch
patches.drivers/mmc-core-Prevent-processing-SDIO-IRQs-when-the-card-.patch
+ patches.arch/KVM-arm-arm64-vgic-Fix-kvm_device-leak-in-vgic_its_d.patch
patches.fixes/0001-usb-chipidea-udc-workaround-for-endpoint-conflict-is.patch
patches.drivers/staging-iio-ad7150-fix-threshold-mode-config-bit.patch
patches.drm/drm-i915-gvt-ignore-unexpected-pvinfo-write.patch
@@ -22963,6 +23000,7 @@
patches.suse/ipv4-Use-return-value-of-inet_iif-for-__raw_v4_looku.patch
patches.fixes/team-Always-enable-vlan-tx-offload.patch
patches.fixes/scsi-vmw_pscsi-Fix-use-after-free-in-pvscsi_queue_lc.patch
+ patches.fixes/efi-bgrt-Drop-BGRT-status-field-reserved-bits-check.patch
patches.fixes/Bluetooth-Fix-faulty-expression-for-minimum-encrypti.patch
patches.suse/ftrace-x86-remove-possible-deadlock-between-register_kprobe-and-ftrace_run_update_code.patch
patches.suse/tracing-snapshot-resize-spare-buffer-if-size-changed.patch
@@ -22980,9 +23018,11 @@
patches.drm/drm-amdgpu-gfx9-use-reset-default-for-PA_SC_FIFO_SIZ.patch
patches.fixes/scsi-target-iblock-fix-overrun-in-write-same-emulation
patches.drivers/dmaengine-imx-sdma-remove-BD_INTR-for-channel0.patch
+ patches.fixes/acpi-arm64-ignore-5.1-FADTs-that-are-reported-as-5.0.patch
patches.arch/s390-jump_label-replace-stop_machine-with-smp_call_f.patch
patches.fixes/crypto-ccp-fix-AES-CFB-error-exposed-by-new-test-vec.patch
patches.fixes/crypto-ccp-Fix-3DES-complaint-from-ccp-crypto-module.patch
+ patches.fixes/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch
patches.fixes/crypto-talitos-rename-alternative-AEAD-algos.patch
patches.fixes/crypto-talitos-reduce-max-key-size-for-SEC1.patch
patches.fixes/crypto-talitos-fix-CTR-alg-blocksize.patch
@@ -22998,7 +23038,9 @@
patches.fixes/lib-scatterlist-Fix-mapping-iterator-when-sg-offset-.patch
patches.fixes/crypto-ccp-Validate-the-the-error-value-used-to-inde.patch
patches.drivers/pwm-stm32-Use-3-cells-of_xlate.patch
+ patches.drivers/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch
patches.drivers/gpio-omap-fix-lack-of-irqstatus_raw0-for-OMAP4.patch
+ patches.fixes/regmap-fix-bulk-writes-on-paged-registers.patch
patches.drivers/regulator-s2mps11-Fix-buck7-and-buck8-wrong-voltages.patch
patches.drivers/iommu-vt-d-remove-unnecessary-rcu_read_locks
patches.drivers/iommu-fix-a-leak-in-iommu_insert_resv_region
@@ -23008,11 +23050,22 @@
patches.drivers/iommu-vt-d-handle-pci-bridge-rmrr-device-scopes-in-intel_iommu_get_resv_regions
patches.drivers/iommu-amd-make-iommu_disable-safer
patches.drivers/iommu-use-right-function-to-get-group-for-device
+ patches.drivers/media-spi-IR-LED-add-missing-of-table-registration.patch
+ patches.drivers/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch
patches.drivers/media-marvell-ccic-fix-DMA-s-g-desc-number-calculati.patch
+ patches.drivers/media-vpss-fix-a-potential-NULL-pointer-dereference.patch
+ patches.drivers/media-media_device_enum_links32-clean-a-reserved-fie.patch
+ patches.drivers/media-coda-Remove-unbalanced-and-unneeded-mutex-unlo.patch
patches.fixes/0001-media-cpia2_usb-first-wake-up-then-free-in-disconnec.patch
+ patches.drivers/media-staging-media-davinci_vpfe-Fix-for-memory-leak.patch
+ patches.drivers/media-wl128x-Fix-some-error-handling-in-fm_v4l2_init.patch
patches.drivers/media-vivid-fix-incorrect-assignment-operation-when-.patch
patches.drivers/media-s5p-mfc-Make-additional-clocks-optional.patch
+ patches.drivers/media-coda-fix-mpeg2-sequence-number-handling.patch
+ patches.drivers/media-coda-fix-last-buffer-handling-in-V4L2_ENC_CMD_.patch
+ patches.drivers/media-coda-increment-sequence-offset-for-the-last-re.patch
patches.drivers/media-v4l2-Test-type-instead-of-cfg-type-in-v4l2_ctr.patch
+ patches.drivers/media-hdpvr-fix-locking-and-a-missing-msleep.patch
patches.drivers/ALSA-usb-audio-Enable-.product_name-override-for-Ema.patch
patches.drivers/ALSA-usb-audio-Sanity-checks-for-each-pipe-and-EP-ty.patch
patches.drivers/ALSA-hda-realtek-Headphone-Mic-can-t-record-after-S3.patch
@@ -23062,13 +23115,25 @@
patches.suse/0058-bcache-performance-improvement-for-btree_flush_write.patch
patches.suse/0059-bcache-add-reclaimed_journal_buckets-to-struct-cache.patch
patches.fixes/block-bfq-null-out-the-bic-when-it-s-no-longer-valid.patch
+ patches.fixes/libata-don-t-request-sense-data-on-ZAC-ATA-devices.patch
patches.drivers/documentation-dma-api-fix-a-function-name-of-max_mapping_size
patches.fixes/Revert-e1000e-fix-cyclic-resets-at-link-up-with-acti.patch
patches.fixes/e1000e-start-network-tx-queue-only-when-link-is-up.patch
+ patches.drivers/tua6100-Avoid-build-warnings.patch
patches.drivers/ath6kl-add-some-bounds-checking.patch
patches.drivers/wil6210-fix-potential-out-of-bounds-read.patch
+ patches.drivers/Bluetooth-hci_bcsp-Fix-memory-leak-in-rx_skb.patch
+ patches.drivers/Bluetooth-Check-state-in-l2cap_disconnect_rsp.patch
+ patches.drivers/Bluetooth-validate-BLE-connection-interval-updates.patch
+ patches.drivers/Bluetooth-Add-SMP-workaround-Microsoft-Surface-Preci.patch
+ patches.drivers/Bluetooth-6lowpan-search-for-destination-address-in-.patch
patches.fixes/mwifiex-Don-t-abort-on-small-spec-compliant-vendor-I.patch
patches.drivers/batman-adv-fix-for-leaked-TVLV-handler.patch
+ patches.fixes/Documentation-networking-fix-default_ttl-typo-in-mpl.patch
+ patches.fixes/macsec-fix-use-after-free-of-skb-during-RX.patch
+ patches.fixes/macsec-fix-checksumming-after-decryption.patch
+ patches.fixes/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch
+ patches.drivers/nfc-fix-potential-illegal-memory-access.patch
patches.suse/livepatch-use-static-buffer-for-debugging-messages-under-rq-lock.patch
patches.suse/revert-livepatch-remove-reliable-stacktrace-check-in-klp_try_switch_task.patch
patches.suse/livepatch-remove-duplicate-warning-about-missing-reliable-stacktrace-support.patch
@@ -23078,39 +23143,62 @@
patches.drivers/HID-wacom-generic-read-HID_DG_CONTACTMAX-from-any-fe.patch
patches.drivers/VMCI-Fix-integer-overflow-in-VMCI-handle-arrays.patch
patches.drivers/intel_th-msu-Fix-single-mode-with-disabled-IOMMU.patch
+ patches.drivers/intel_th-pci-Add-Ice-Lake-NNPI-support.patch
patches.drivers/staging-rtl8712-reduce-stack-usage-again.patch
patches.drivers/staging-comedi-amplc_pci230-fix-null-pointer-deref-o.patch
patches.drivers/staging-comedi-dt282x-fix-a-null-pointer-deref-on-in.patch
+ patches.fixes/iio-iio-utils-Fix-possible-incorrect-mask-calculatio.patch
+ patches.drivers/tty-max310x-Fix-invalid-baudrate-divisors-calculator.patch
patches.drivers/tty-serial-cpm_uart-fix-init-when-SMC-is-relocated.patch
+ patches.drivers/tty-serial-digicolor-Fix-digicolor-usart-already-reg.patch
+ patches.drivers/serial-8250-Fix-TX-interrupt-handling-condition.patch
+ patches.drivers/tty-serial-msm_serial-avoid-system-lockup-condition.patch
patches.drivers/serial-uartps-Fix-multiple-line-dereference.patch
patches.drivers/serial-uartps-Fix-long-line-over-80-chars.patch
patches.drivers/serial-uartps-Do-not-add-a-trailing-semicolon-to-mac.patch
patches.drivers/serial-uartps-Remove-useless-return-from-cdns_uart_p.patch
patches.drivers/tty-serial_core-Set-port-active-bit-in-uart_port_act.patch
patches.drivers/Revert-serial-8250-Don-t-service-RX-FIFO-if-interrup.patch
+ patches.drivers/usb-core-hub-Disable-hub-initiated-U1-U2.patch
patches.drivers/usb-gadget-ether-Fix-race-between-gether_disconnect-.patch
patches.drivers/USB-serial-option-add-support-for-GosunCn-ME3630-RND.patch
patches.drivers/USB-serial-ftdi_sio-add-ID-for-isodebug-v1.patch
+ patches.drivers/usb-Handle-USB3-remote-wakeup-for-LPM-enabled-device.patch
patches.drivers/memstick-Fix-error-cleanup-path-of-memstick_init.patch
patches.fixes/0001-ocfs2-add-last-unlock-times-in-locking_state.patch
patches.fixes/0002-ocfs2-add-locking-filter-debugfs-file.patch
patches.fixes/0003-ocfs2-add-first-lock-wait-time-in-locking_state.patch
+ patches.fixes/9p-pass-the-correct-prototype-to-read_cache_page.patch
patches.arch/kvm-svm-avic-do-not-send-avic-doorbell-to-self
+ patches.fixes/9p-virtio-Add-cleanup-path-in-p9_virtio_init.patch
+ patches.fixes/9p-xen-Add-cleanup-path-in-p9_trans_xen_init.patch
patches.drivers/Input-synaptics-enable-SMBUS-on-T480-thinkpad-trackp.patch
+ patches.drivers/pinctrl-rockchip-fix-leaked-of_node-references.patch
patches.suse/sunhv-Fix-device-naming-inconsistency-between-sunhv_.patch
patches.arch/powerpc-watchpoint-Restore-NV-GPRs-while-returning-f.patch
patches.arch/powerpc-mm-drconf-Use-NUMA_NO_NODE-on-failures-inste.patch
patches.arch/powerpc-mm-Fix-node-look-up-with-numa-off-boot.patch
patches.arch/powerpc-mm-Consolidate-numa_enable-check-and-min_com.patch
+ patches.drivers/mailbox-handle-failed-named-mailbox-channel-request.patch
patches.drivers/platform-x86-asus-wmi-Only-Tell-EC-the-OS-will-handl.patch
patches.drivers/platform-x86-pmc_atom-Add-CB4063-Beckhoff-Automation.patch
+ patches.fixes/eCryptfs-fix-a-couple-type-promotion-bugs.patch
+ patches.drm/drm-panel-simple-Fix-panel_simple_dsi_probe.patch
+ patches.drivers/dma-buf-balance-refcount-inbalance.patch
+ patches.drm/drm-bridge-tc358767-read-display_props-in-get_modes.patch
+ patches.drm/drm-bridge-sii902x-pixel-clock-unit-is-10kHz-instead.patch
+ patches.drm/drm-crc-debugfs-User-irqsafe-spinlock-in-drm_crtc_ad.patch
patches.drm/drm-meson-Add-support-for-XBGR8888-ABGR8888-formats.patch
+ patches.drm/drm-virtio-Add-memory-barriers-for-capset-cache.patch
patches.drm/drm-rockchip-Properly-adjust-to-a-true-clock-in-adju.patch
+ patches.drm/drm-msm-Depopulate-platform-on-probe-failure.patch
patches.drm/drm-msm-a3xx-remove-TPL1-regs-from-snapshot.patch
patches.drivers/mfd-intel-lpss-Release-IDA-resources.patch
patches.drivers/PCI-Return-error-if-cannot-probe-VF.patch
patches.drivers/PCI-Always-allow-probing-with-driver_override.patch
patches.suse/msft-hv-1895-PCI-hv-Fix-a-use-after-free-bug-in-hv_eject_device_w.patch
+ patches.fixes/0001-PCI-qcom-Ensure-that-PERST-is-asserted-for-at-least-.patch
+ patches.fixes/0001-PCI-xilinx-nwl-Fix-Multi-MSI-data-programming.patch
patches.drivers/dmaengine-hsu-Revert-set-HSU_CH_MTSR-to-memory-width.patch
patches.drivers/clk-qcom-Fix-Wunused-const-variable.patch
patches.drivers/clk-tegra210-fix-PLLU-and-PLLU_OUT1.patch
@@ -23127,11 +23215,16 @@
patches.fixes/crypto-ccp-gcm-use-const-time-tag-comparison.patch
patches.fixes/crypto-ccp-Fix-SEV_VERSION_GREATER_OR_EQUAL.patch
patches.drm/drm-nouveau-i2c-Enable-i2c-pads-busses-during-preini.patch
+ patches.drivers/firmware-ti_sci-Always-request-response-from-firmwar.patch
patches.arch/kvm-svm-fix-detection-of-amd-errata-1096
+ patches.drivers/Input-synaptics-whitelist-Lenovo-T580-SMBus-intertou.patch
patches.drivers/Input-gtco-bounds-check-collection-indent-level.patch
+ patches.drivers/Input-alps-don-t-handle-ALPS-cs19-trackpoint-only-de.patch
patches.drivers/Input-psmouse-fix-build-error-of-multiple-definition.patch
+ patches.drivers/Input-alps-fix-a-mismatch-between-a-condition-check-.patch
patches.drivers/bnx2x-Prevent-load-reordering-in-tx-completion-proce.patch
patches.fixes/tcp-be-more-careful-in-tcp_fragment.patch
+ patches.drivers/hwmon-nct6775-Fix-register-address-and-added-missed-.patch
patches.drivers/ALSA-line6-Fix-wrong-altsetting-for-LINE6_PODHD500_1.patch
patches.drivers/ALSA-line6-Fix-a-typo.patch
patches.drivers/ALSA-compress-Fix-regression-on-compressed-capture-s.patch
@@ -23140,7 +23233,12 @@
patches.drivers/ALSA-compress-Be-more-restrictive-about-when-a-drain.patch
patches.drivers/ALSA-hda-Add-a-conexant-codec-entry-to-let-mute-led-.patch
patches.fixes/nvme-fix-memory-leak-caused-by-incorrect-subsystem-free.patch
+ patches.fixes/ACPI-IORT-Fix-off-by-one-check-in-iort_dev_find_its_.patch
+ patches.drivers/tty-ldsem-locking-rwsem-Add-missing-ACQUIRE-to-read_.patch
patches.drivers/usb-pci-quirks-Correct-AMD-PLL-quirk-detection.patch
+ patches.drivers/usb-wusbcore-fix-unbalanced-get-put-cluster_id.patch
+ patches.fixes/hpet-Fix-division-by-zero-in-hpet_time_div.patch
+ patches.fixes/hci_uart-check-for-missing-tty-operations.patch
# davem/net
patches.drivers/be2net-Synchronize-be_update_queues-with-dev_watchdo.patch
@@ -23465,6 +23563,7 @@
########################################################
patches.drivers/0001-module-warn-if-module-init-probe-takes-long.patch
patches.suse/irq-stub-affinity.patch
+ patches.fixes/driver_core-Fix_use-after-free_and_double_free_on_glue.patch
########################################################
# Device drivers