drop patches with post-4.12 "Fixes:" commit IDs

Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

18 files changed, 0 insertions, 1258 deletions

diff --git a/queue/ALSA-hda-realtek-Fix-Dell-AIO-LineOut-issue.patch b/queue/ALSA-hda-realtek-Fix-Dell-AIO-LineOut-issue.patch
deleted file mode 100644
index 175bf95..0000000
--- a/queue/ALSA-hda-realtek-Fix-Dell-AIO-LineOut-issue.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 9226665159f0367ad08bc7d5dd194aeadb90316f Mon Sep 17 00:00:00 2001
-From: Kailang Yang <kailang@realtek.com>
-Date: Thu, 14 Dec 2017 15:28:58 +0800
-Subject: [PATCH] ALSA: hda/realtek - Fix Dell AIO LineOut issue
-
-commit 9226665159f0367ad08bc7d5dd194aeadb90316f upstream.
-
-Dell AIO had LineOut jack.
-Add LineOut verb into this patch.
-
-[ Additional notes:
-  the ALC274 codec seems requiring the fixed pin / DAC connections for
-  HP / line-out pins for enabling EQ for speakers; i.e. the HP / LO
-  pins expect to be connected with NID 0x03 while keeping the speaker
-  with NID 0x02.  However, by adding a new line-out pin, the
-  auto-parser assigns the NID 0x02 for HP/LO pins as primary outputs.
-  As an easy workaround, we provide the preferred_pairs[] to map
-  forcibly for these pins. -- tiwai ]
-
-Fixes: 75ee94b20b46 ("ALSA: hda - fix headset mic problem for Dell machines with alc274")
-Signed-off-by: Kailang Yang <kailang@realtek.com>
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
-diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
-index 4b21f71d685c..6a4db00511ab 100644
---- a/sound/pci/hda/patch_realtek.c
-+++ b/sound/pci/hda/patch_realtek.c
-@@ -5185,6 +5185,22 @@ static void alc233_alc662_fixup_lenovo_dual_codecs(struct hda_codec *codec,
- 	}
- }
- 
-+/* Forcibly assign NID 0x03 to HP/LO while NID 0x02 to SPK for EQ */
-+static void alc274_fixup_bind_dacs(struct hda_codec *codec,
-+				    const struct hda_fixup *fix, int action)
-+{
-+	struct alc_spec *spec = codec->spec;
-+	static hda_nid_t preferred_pairs[] = {
-+		0x21, 0x03, 0x1b, 0x03, 0x16, 0x02,
-+		0
-+	};
-+
-+	if (action != HDA_FIXUP_ACT_PRE_PROBE)
-+		return;
-+
-+	spec->gen.preferred_dacs = preferred_pairs;
-+}
-+
- /* for hda_fixup_thinkpad_acpi() */
- #include "thinkpad_helper.c"
- 
-@@ -5302,6 +5318,8 @@ enum {
- 	ALC233_FIXUP_LENOVO_MULTI_CODECS,
- 	ALC294_FIXUP_LENOVO_MIC_LOCATION,
- 	ALC700_FIXUP_INTEL_REFERENCE,
-+	ALC274_FIXUP_DELL_BIND_DACS,
-+	ALC274_FIXUP_DELL_AIO_LINEOUT_VERB,
- };
- 
- static const struct hda_fixup alc269_fixups[] = {
-@@ -6112,6 +6130,21 @@ static const struct hda_fixup alc269_fixups[] = {
- 			{}
- 		}
- 	},
-+	[ALC274_FIXUP_DELL_BIND_DACS] = {
-+		.type = HDA_FIXUP_FUNC,
-+		.v.func = alc274_fixup_bind_dacs,
-+		.chained = true,
-+		.chain_id = ALC269_FIXUP_DELL1_MIC_NO_PRESENCE
-+	},
-+	[ALC274_FIXUP_DELL_AIO_LINEOUT_VERB] = {
-+		.type = HDA_FIXUP_PINS,
-+		.v.pins = (const struct hda_pintbl[]) {
-+			{ 0x1b, 0x0401102f },
-+			{ }
-+		},
-+		.chained = true,
-+		.chain_id = ALC274_FIXUP_DELL_BIND_DACS
-+	},
- };
- 
- static const struct snd_pci_quirk alc269_fixup_tbl[] = {
-@@ -6578,7 +6611,7 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
- 		{0x14, 0x90170110},
- 		{0x1b, 0x90a70130},
- 		{0x21, 0x03211020}),
--	SND_HDA_PIN_QUIRK(0x10ec0274, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE,
-+	SND_HDA_PIN_QUIRK(0x10ec0274, 0x1028, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB,
- 		{0x12, 0xb7a60130},
- 		{0x13, 0xb8a61140},
- 		{0x16, 0x90170110},
--- 
-2.15.0
-
diff --git a/queue/KVM-MMU-Fix-infinite-loop-when-there-is-no-available.patch b/queue/KVM-MMU-Fix-infinite-loop-when-there-is-no-available.patch
deleted file mode 100644
index 2e9b1db..0000000
--- a/queue/KVM-MMU-Fix-infinite-loop-when-there-is-no-available.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From ed52870f4676489124d8697fd00e6ae6c504e586 Mon Sep 17 00:00:00 2001
-From: Wanpeng Li <wanpeng.li@hotmail.com>
-Date: Mon, 4 Dec 2017 22:21:30 -0800
-Subject: [PATCH] KVM: MMU: Fix infinite loop when there is no available mmu
- page
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit ed52870f4676489124d8697fd00e6ae6c504e586 upstream.
-
-The below test case can cause infinite loop in kvm when ept=0.
-
-    #include <unistd.h>
-    #include <sys/syscall.h>
-    #include <string.h>
-    #include <stdint.h>
-    #include <linux/kvm.h>
-    #include <fcntl.h>
-    #include <sys/ioctl.h>
-
-    long r[5];
-    int main()
-    {
-    	r[2] = open("/dev/kvm", O_RDONLY);
-    	r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
-    	r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7);
-    	ioctl(r[4], KVM_RUN, 0);
-    }
-
-It doesn't setup the memory regions, mmu_alloc_shadow/direct_roots() in
-kvm return 1 when kvm fails to allocate root page table which can result
-in beblow infinite loop:
-
-    vcpu_run() {
-    	for (;;) {
-	    	r = vcpu_enter_guest()::kvm_mmu_reload() returns 1
-	    	if (r <= 0)
-	    		break;
-	    	if (need_resched())
-	    		cond_resched();
-      }
-    }
-
-This patch fixes it by returning -ENOSPC when there is no available kvm mmu
-page for root page table.
-
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Radim Krčmář <rkrcmar@redhat.com>
-Cc: stable@vger.kernel.org
-Fixes: 26eeb53cf0f (KVM: MMU: Bail out immediately if there is no available mmu page)
-Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index e5e66e5c6640..c4deb1f34faa 100644
---- a/arch/x86/kvm/mmu.c
-+++ b/arch/x86/kvm/mmu.c
-@@ -3395,7 +3395,7 @@ static int mmu_alloc_direct_roots(struct kvm_vcpu *vcpu)
- 		spin_lock(&vcpu->kvm->mmu_lock);
- 		if(make_mmu_pages_available(vcpu) < 0) {
- 			spin_unlock(&vcpu->kvm->mmu_lock);
--			return 1;
-+			return -ENOSPC;
- 		}
- 		sp = kvm_mmu_get_page(vcpu, 0, 0,
- 				vcpu->arch.mmu.shadow_root_level, 1, ACC_ALL);
-@@ -3410,7 +3410,7 @@ static int mmu_alloc_direct_roots(struct kvm_vcpu *vcpu)
- 			spin_lock(&vcpu->kvm->mmu_lock);
- 			if (make_mmu_pages_available(vcpu) < 0) {
- 				spin_unlock(&vcpu->kvm->mmu_lock);
--				return 1;
-+				return -ENOSPC;
- 			}
- 			sp = kvm_mmu_get_page(vcpu, i << (30 - PAGE_SHIFT),
- 					i << 30, PT32_ROOT_LEVEL, 1, ACC_ALL);
-@@ -3450,7 +3450,7 @@ static int mmu_alloc_shadow_roots(struct kvm_vcpu *vcpu)
- 		spin_lock(&vcpu->kvm->mmu_lock);
- 		if (make_mmu_pages_available(vcpu) < 0) {
- 			spin_unlock(&vcpu->kvm->mmu_lock);
--			return 1;
-+			return -ENOSPC;
- 		}
- 		sp = kvm_mmu_get_page(vcpu, root_gfn, 0,
- 				vcpu->arch.mmu.shadow_root_level, 0, ACC_ALL);
-@@ -3487,7 +3487,7 @@ static int mmu_alloc_shadow_roots(struct kvm_vcpu *vcpu)
- 		spin_lock(&vcpu->kvm->mmu_lock);
- 		if (make_mmu_pages_available(vcpu) < 0) {
- 			spin_unlock(&vcpu->kvm->mmu_lock);
--			return 1;
-+			return -ENOSPC;
- 		}
- 		sp = kvm_mmu_get_page(vcpu, root_gfn, i << 30, PT32_ROOT_LEVEL,
- 				      0, ACC_ALL);
--- 
-2.15.0
-
diff --git a/queue/PCI-PM-Force-devices-to-D0-in-pci_pm_thaw_noirq.patch b/queue/PCI-PM-Force-devices-to-D0-in-pci_pm_thaw_noirq.patch
deleted file mode 100644
index 91da6d3..0000000
--- a/queue/PCI-PM-Force-devices-to-D0-in-pci_pm_thaw_noirq.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 5839ee7389e893a31e4e3c9cf17b50d14103c902 Mon Sep 17 00:00:00 2001
-From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
-Date: Fri, 15 Dec 2017 03:07:18 +0100
-Subject: [PATCH] PCI / PM: Force devices to D0 in pci_pm_thaw_noirq()
-
-commit 5839ee7389e893a31e4e3c9cf17b50d14103c902 upstream.
-
-It is incorrect to call pci_restore_state() for devices in low-power
-states (D1-D3), as that involves the restoration of MSI setup which
-requires MMIO to be operational and that is only the case in D0.
-
-However, pci_pm_thaw_noirq() may do that if the driver's "freeze"
-callbacks put the device into a low-power state, so fix it by making
-it force devices into D0 via pci_set_power_state() instead of trying
-to "update" their power state which is pointless.
-
-Fixes: e60514bd4485 (PCI/PM: Restore the status of PCI devices across hibernation)
-Cc: 4.13+ <stable@vger.kernel.org> # 4.13+
-Reported-by: Thomas Gleixner <tglx@linutronix.de>
-Reported-by: Maarten Lankhorst <dev@mblankhorst.nl>
-Tested-by: Thomas Gleixner <tglx@linutronix.de>
-Tested-by: Maarten Lankhorst <dev@mblankhorst.nl>
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-Acked-by: Bjorn Helgaas <bhelgaas@google.com>
-
-diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
-index 945099d49f8f..14fd865a5120 100644
---- a/drivers/pci/pci-driver.c
-+++ b/drivers/pci/pci-driver.c
-@@ -1012,7 +1012,12 @@ static int pci_pm_thaw_noirq(struct device *dev)
- 	if (pci_has_legacy_pm_support(pci_dev))
- 		return pci_legacy_resume_early(dev);
- 
--	pci_update_current_state(pci_dev, PCI_D0);
-+	/*
-+	 * pci_restore_state() requires the device to be in D0 (because of MSI
-+	 * restoration among other things), so force it into D0 in case the
-+	 * driver's "freeze" callbacks put it into a low-power state directly.
-+	 */
-+	pci_set_power_state(pci_dev, PCI_D0);
- 	pci_restore_state(pci_dev);
- 
- 	if (drv && drv->pm && drv->pm->thaw_noirq)
--- 
-2.15.0
-
diff --git a/queue/block-unalign-call_single_data-in-struct-request.patch b/queue/block-unalign-call_single_data-in-struct-request.patch
deleted file mode 100644
index 1aa8717..0000000
--- a/queue/block-unalign-call_single_data-in-struct-request.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 4ccafe032005e9b96acbef2e389a4de5b1254add Mon Sep 17 00:00:00 2001
-From: Jens Axboe <axboe@kernel.dk>
-Date: Wed, 20 Dec 2017 13:13:58 -0700
-Subject: [PATCH] block: unalign call_single_data in struct request
-
-commit 4ccafe032005e9b96acbef2e389a4de5b1254add upstream.
-
-A previous change blindly added massive alignment to the
-call_single_data structure in struct request. This ballooned it in size
-from 296 to 320 bytes on my setup, for no valid reason at all.
-
-Use the unaligned struct __call_single_data variant instead.
-
-Fixes: 966a967116e69 ("smp: Avoid using two cache lines for struct call_single_data")
-Cc: stable@vger.kernel.org # v4.14
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-
-diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
-index 100d0df38026..0ce8a372d506 100644
---- a/include/linux/blkdev.h
-+++ b/include/linux/blkdev.h
-@@ -135,7 +135,7 @@ typedef __u32 __bitwise req_flags_t;
- struct request {
- 	struct list_head queuelist;
- 	union {
--		call_single_data_t csd;
-+		struct __call_single_data csd;
- 		u64 fifo_time;
- 	};
- 
--- 
-2.15.0
-
diff --git a/queue/bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch b/queue/bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch
deleted file mode 100644
index a472206..0000000
--- a/queue/bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 179d1c5602997fef5a940c6ddcf31212cbfebd14 Mon Sep 17 00:00:00 2001
-From: Jann Horn <jannh@google.com>
-Date: Mon, 18 Dec 2017 20:11:59 -0800
-Subject: [PATCH] bpf: don't prune branches when a scalar is replaced with a
- pointer
-
-commit 179d1c5602997fef5a940c6ddcf31212cbfebd14 upstream.
-
-This could be made safe by passing through a reference to env and checking
-for env->allow_ptr_leaks, but it would only work one way and is probably
-not worth the hassle - not doing it will not directly lead to program
-rejection.
-
-Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
-Signed-off-by: Jann Horn <jannh@google.com>
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index 102c519836f6..982bd9ec721a 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -3467,15 +3467,14 @@ static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur,
- 			return range_within(rold, rcur) &&
- 			       tnum_in(rold->var_off, rcur->var_off);
- 		} else {
--			/* if we knew anything about the old value, we're not
--			 * equal, because we can't know anything about the
--			 * scalar value of the pointer in the new value.
-+			/* We're trying to use a pointer in place of a scalar.
-+			 * Even if the scalar was unbounded, this could lead to
-+			 * pointer leaks because scalars are allowed to leak
-+			 * while pointers are not. We could make this safe in
-+			 * special cases if root is calling us, but it's
-+			 * probably not worth the hassle.
- 			 */
--			return rold->umin_value == 0 &&
--			       rold->umax_value == U64_MAX &&
--			       rold->smin_value == S64_MIN &&
--			       rold->smax_value == S64_MAX &&
--			       tnum_is_unknown(rold->var_off);
-+			return false;
- 		}
- 	case PTR_TO_MAP_VALUE:
- 		/* If the new min/max/var_off satisfy the old ones and
--- 
-2.15.0
-
diff --git a/queue/bpf-fix-32-bit-ALU-op-verification.patch b/queue/bpf-fix-32-bit-ALU-op-verification.patch
deleted file mode 100644
index 3c7d210..0000000
--- a/queue/bpf-fix-32-bit-ALU-op-verification.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 468f6eafa6c44cb2c5d8aad35e12f06c240a812a Mon Sep 17 00:00:00 2001
-From: Jann Horn <jannh@google.com>
-Date: Mon, 18 Dec 2017 20:11:56 -0800
-Subject: [PATCH] bpf: fix 32-bit ALU op verification
-
-commit 468f6eafa6c44cb2c5d8aad35e12f06c240a812a upstream.
-
-32-bit ALU ops operate on 32-bit values and have 32-bit outputs.
-Adjust the verifier accordingly.
-
-Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
-Signed-off-by: Jann Horn <jannh@google.com>
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index f716bdf29dd0..ecdc265244ca 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -2017,6 +2017,10 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
- 	return 0;
- }
- 
-+/* WARNING: This function does calculations on 64-bit values, but the actual
-+ * execution may occur on 32-bit values. Therefore, things like bitshifts
-+ * need extra checks in the 32-bit case.
-+ */
- static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
- 				      struct bpf_insn *insn,
- 				      struct bpf_reg_state *dst_reg,
-@@ -2027,12 +2031,8 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
- 	bool src_known, dst_known;
- 	s64 smin_val, smax_val;
- 	u64 umin_val, umax_val;
-+	u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;
- 
--	if (BPF_CLASS(insn->code) != BPF_ALU64) {
--		/* 32-bit ALU ops are (32,32)->64 */
--		coerce_reg_to_size(dst_reg, 4);
--		coerce_reg_to_size(&src_reg, 4);
--	}
- 	smin_val = src_reg.smin_value;
- 	smax_val = src_reg.smax_value;
- 	umin_val = src_reg.umin_value;
-@@ -2168,9 +2168,9 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
- 		__update_reg_bounds(dst_reg);
- 		break;
- 	case BPF_LSH:
--		if (umax_val > 63) {
--			/* Shifts greater than 63 are undefined.  This includes
--			 * shifts by a negative number.
-+		if (umax_val >= insn_bitness) {
-+			/* Shifts greater than 31 or 63 are undefined.
-+			 * This includes shifts by a negative number.
- 			 */
- 			mark_reg_unknown(env, regs, insn->dst_reg);
- 			break;
-@@ -2196,9 +2196,9 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
- 		__update_reg_bounds(dst_reg);
- 		break;
- 	case BPF_RSH:
--		if (umax_val > 63) {
--			/* Shifts greater than 63 are undefined.  This includes
--			 * shifts by a negative number.
-+		if (umax_val >= insn_bitness) {
-+			/* Shifts greater than 31 or 63 are undefined.
-+			 * This includes shifts by a negative number.
- 			 */
- 			mark_reg_unknown(env, regs, insn->dst_reg);
- 			break;
-@@ -2234,6 +2234,12 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
- 		break;
- 	}
- 
-+	if (BPF_CLASS(insn->code) != BPF_ALU64) {
-+		/* 32-bit ALU ops are (32,32)->32 */
-+		coerce_reg_to_size(dst_reg, 4);
-+		coerce_reg_to_size(&src_reg, 4);
-+	}
-+
- 	__reg_deduce_bounds(dst_reg);
- 	__reg_bound_offset(dst_reg);
- 	return 0;
--- 
-2.15.0
-
diff --git a/queue/bpf-fix-build-issues-on-um-due-to-mising-bpf_perf_ev.patch b/queue/bpf-fix-build-issues-on-um-due-to-mising-bpf_perf_ev.patch
deleted file mode 100644
index 9c2dbfa..0000000
--- a/queue/bpf-fix-build-issues-on-um-due-to-mising-bpf_perf_ev.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From ab95477e7cb35557ecfc837687007b646bab9a9f Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann <daniel@iogearbox.net>
-Date: Tue, 12 Dec 2017 02:25:31 +0100
-Subject: [PATCH] bpf: fix build issues on um due to mising bpf_perf_event.h
-
-commit ab95477e7cb35557ecfc837687007b646bab9a9f upstream.
-
-[ Note, this is a Git cherry-pick of the following commit:
-
-    a23f06f06dbe ("bpf: fix build issues on um due to mising bpf_perf_event.h")
-
-  ... for easier x86 PTI code testing and back-porting. ]
-
-Since c895f6f703ad ("bpf: correct broken uapi for
-BPF_PROG_TYPE_PERF_EVENT program type") um (uml) won't build
-on i386 or x86_64:
-
-  [...]
-    CC      init/main.o
-  In file included from ../include/linux/perf_event.h:18:0,
-                   from ../include/linux/trace_events.h:10,
-                   from ../include/trace/syscall.h:7,
-                   from ../include/linux/syscalls.h:82,
-                   from ../init/main.c:20:
-  ../include/uapi/linux/bpf_perf_event.h:11:32: fatal error:
-  asm/bpf_perf_event.h: No such file or directory #include
-  <asm/bpf_perf_event.h>
-  [...]
-
-Lets add missing bpf_perf_event.h also to um arch. This seems
-to be the only one still missing.
-
-Fixes: c895f6f703ad ("bpf: correct broken uapi for BPF_PROG_TYPE_PERF_EVENT program type")
-Reported-by: Randy Dunlap <rdunlap@infradead.org>
-Suggested-by: Richard Weinberger <richard@sigma-star.at>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Tested-by: Randy Dunlap <rdunlap@infradead.org>
-Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
-Cc: Richard Weinberger <richard@sigma-star.at>
-Acked-by: Alexei Starovoitov <ast@kernel.org>
-Acked-by: Richard Weinberger <richard@nod.at>
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-
-diff --git a/arch/um/include/asm/Kbuild b/arch/um/include/asm/Kbuild
-index 50a32c33d729..73c57f614c9e 100644
---- a/arch/um/include/asm/Kbuild
-+++ b/arch/um/include/asm/Kbuild
-@@ -1,4 +1,5 @@
- generic-y += barrier.h
-+generic-y += bpf_perf_event.h
- generic-y += bug.h
- generic-y += clkdev.h
- generic-y += current.h
--- 
-2.15.0
-
diff --git a/queue/bpf-fix-corruption-on-concurrent-perf_event_output-c.patch b/queue/bpf-fix-corruption-on-concurrent-perf_event_output-c.patch
deleted file mode 100644
index 70c786d..0000000
--- a/queue/bpf-fix-corruption-on-concurrent-perf_event_output-c.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From 283ca526a9bd75aed7350220d7b1f8027d99c3fd Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann <daniel@iogearbox.net>
-Date: Tue, 12 Dec 2017 02:25:30 +0100
-Subject: [PATCH] bpf: fix corruption on concurrent perf_event_output calls
-
-commit 283ca526a9bd75aed7350220d7b1f8027d99c3fd upstream.
-
-When tracing and networking programs are both attached in the
-system and both use event-output helpers that eventually call
-into perf_event_output(), then we could end up in a situation
-where the tracing attached program runs in user context while
-a cls_bpf program is triggered on that same CPU out of softirq
-context.
-
-Since both rely on the same per-cpu perf_sample_data, we could
-potentially corrupt it. This can only ever happen in a combination
-of the two types; all tracing programs use a bpf_prog_active
-counter to bail out in case a program is already running on
-that CPU out of a different context. XDP and cls_bpf programs
-by themselves don't have this issue as they run in the same
-context only. Therefore, split both perf_sample_data so they
-cannot be accessed from each other.
-
-Fixes: 20b9d7ac4852 ("bpf: avoid excessive stack usage for perf_sample_data")
-Reported-by: Alexei Starovoitov <ast@fb.com>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Tested-by: Song Liu <songliubraving@fb.com>
-Acked-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-
-diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
-index 0ce99c379c30..40207c2a4113 100644
---- a/kernel/trace/bpf_trace.c
-+++ b/kernel/trace/bpf_trace.c
-@@ -343,14 +343,13 @@ static const struct bpf_func_proto bpf_perf_event_read_value_proto = {
- 	.arg4_type	= ARG_CONST_SIZE,
- };
- 
--static DEFINE_PER_CPU(struct perf_sample_data, bpf_sd);
-+static DEFINE_PER_CPU(struct perf_sample_data, bpf_trace_sd);
- 
- static __always_inline u64
- __bpf_perf_event_output(struct pt_regs *regs, struct bpf_map *map,
--			u64 flags, struct perf_raw_record *raw)
-+			u64 flags, struct perf_sample_data *sd)
- {
- 	struct bpf_array *array = container_of(map, struct bpf_array, map);
--	struct perf_sample_data *sd = this_cpu_ptr(&bpf_sd);
- 	unsigned int cpu = smp_processor_id();
- 	u64 index = flags & BPF_F_INDEX_MASK;
- 	struct bpf_event_entry *ee;
-@@ -373,8 +372,6 @@ __bpf_perf_event_output(struct pt_regs *regs, struct bpf_map *map,
- 	if (unlikely(event->oncpu != cpu))
- 		return -EOPNOTSUPP;
- 
--	perf_sample_data_init(sd, 0, 0);
--	sd->raw = raw;
- 	perf_event_output(event, sd, regs);
- 	return 0;
- }
-@@ -382,6 +379,7 @@ __bpf_perf_event_output(struct pt_regs *regs, struct bpf_map *map,
- BPF_CALL_5(bpf_perf_event_output, struct pt_regs *, regs, struct bpf_map *, map,
- 	   u64, flags, void *, data, u64, size)
- {
-+	struct perf_sample_data *sd = this_cpu_ptr(&bpf_trace_sd);
- 	struct perf_raw_record raw = {
- 		.frag = {
- 			.size = size,
-@@ -392,7 +390,10 @@ BPF_CALL_5(bpf_perf_event_output, struct pt_regs *, regs, struct bpf_map *, map,
- 	if (unlikely(flags & ~(BPF_F_INDEX_MASK)))
- 		return -EINVAL;
- 
--	return __bpf_perf_event_output(regs, map, flags, &raw);
-+	perf_sample_data_init(sd, 0, 0);
-+	sd->raw = &raw;
-+
-+	return __bpf_perf_event_output(regs, map, flags, sd);
- }
- 
- static const struct bpf_func_proto bpf_perf_event_output_proto = {
-@@ -407,10 +408,12 @@ static const struct bpf_func_proto bpf_perf_event_output_proto = {
- };
- 
- static DEFINE_PER_CPU(struct pt_regs, bpf_pt_regs);
-+static DEFINE_PER_CPU(struct perf_sample_data, bpf_misc_sd);
- 
- u64 bpf_event_output(struct bpf_map *map, u64 flags, void *meta, u64 meta_size,
- 		     void *ctx, u64 ctx_size, bpf_ctx_copy_t ctx_copy)
- {
-+	struct perf_sample_data *sd = this_cpu_ptr(&bpf_misc_sd);
- 	struct pt_regs *regs = this_cpu_ptr(&bpf_pt_regs);
- 	struct perf_raw_frag frag = {
- 		.copy		= ctx_copy,
-@@ -428,8 +431,10 @@ u64 bpf_event_output(struct bpf_map *map, u64 flags, void *meta, u64 meta_size,
- 	};
- 
- 	perf_fetch_caller_regs(regs);
-+	perf_sample_data_init(sd, 0, 0);
-+	sd->raw = &raw;
- 
--	return __bpf_perf_event_output(regs, map, flags, &raw);
-+	return __bpf_perf_event_output(regs, map, flags, sd);
- }
- 
- BPF_CALL_0(bpf_get_current_task)
--- 
-2.15.0
-
diff --git a/queue/bpf-fix-incorrect-tracking-of-register-size-truncati.patch b/queue/bpf-fix-incorrect-tracking-of-register-size-truncati.patch
deleted file mode 100644
index 2013381..0000000
--- a/queue/bpf-fix-incorrect-tracking-of-register-size-truncati.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-From 0c17d1d2c61936401f4702e1846e2c19b200f958 Mon Sep 17 00:00:00 2001
-From: Jann Horn <jannh@google.com>
-Date: Mon, 18 Dec 2017 20:11:55 -0800
-Subject: [PATCH] bpf: fix incorrect tracking of register size truncation
-
-commit 0c17d1d2c61936401f4702e1846e2c19b200f958 upstream.
-
-Properly handle register truncation to a smaller size.
-
-The old code first mirrors the clearing of the high 32 bits in the bitwise
-tristate representation, which is correct. But then, it computes the new
-arithmetic bounds as the intersection between the old arithmetic bounds and
-the bounds resulting from the bitwise tristate representation. Therefore,
-when coerce_reg_to_32() is called on a number with bounds
-[0xffff'fff8, 0x1'0000'0007], the verifier computes
-[0xffff'fff8, 0xffff'ffff] as bounds of the truncated number.
-This is incorrect: The truncated number could also be in the range [0, 7],
-and no meaningful arithmetic bounds can be computed in that case apart from
-the obvious [0, 0xffff'ffff].
-
-Starting with v4.14, this is exploitable by unprivileged users as long as
-the unprivileged_bpf_disabled sysctl isn't set.
-
-Debian assigned CVE-2017-16996 for this issue.
-
-v2:
- - flip the mask during arithmetic bounds calculation (Ben Hutchings)
-v3:
- - add CVE number (Ben Hutchings)
-
-Fixes: b03c9f9fdc37 ("bpf/verifier: track signed and unsigned min/max values")
-Signed-off-by: Jann Horn <jannh@google.com>
-Acked-by: Edward Cree <ecree@solarflare.com>
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index c086010ae51e..f716bdf29dd0 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -1067,6 +1067,29 @@ static int check_ptr_alignment(struct bpf_verifier_env *env,
- 					   strict);
- }
- 
-+/* truncate register to smaller size (in bytes)
-+ * must be called with size < BPF_REG_SIZE
-+ */
-+static void coerce_reg_to_size(struct bpf_reg_state *reg, int size)
-+{
-+	u64 mask;
-+
-+	/* clear high bits in bit representation */
-+	reg->var_off = tnum_cast(reg->var_off, size);
-+
-+	/* fix arithmetic bounds */
-+	mask = ((u64)1 << (size * 8)) - 1;
-+	if ((reg->umin_value & ~mask) == (reg->umax_value & ~mask)) {
-+		reg->umin_value &= mask;
-+		reg->umax_value &= mask;
-+	} else {
-+		reg->umin_value = 0;
-+		reg->umax_value = mask;
-+	}
-+	reg->smin_value = reg->umin_value;
-+	reg->smax_value = reg->umax_value;
-+}
-+
- /* check whether memory at (regno + off) is accessible for t = (read | write)
-  * if t==write, value_regno is a register which value is stored into memory
-  * if t==read, value_regno is a register which will receive the value from memory
-@@ -1200,9 +1223,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
- 	if (!err && size < BPF_REG_SIZE && value_regno >= 0 && t == BPF_READ &&
- 	    regs[value_regno].type == SCALAR_VALUE) {
- 		/* b/h/w load zero-extends, mark upper bits as known 0 */
--		regs[value_regno].var_off =
--			tnum_cast(regs[value_regno].var_off, size);
--		__update_reg_bounds(&regs[value_regno]);
-+		coerce_reg_to_size(&regs[value_regno], size);
- 	}
- 	return err;
- }
-@@ -1772,14 +1793,6 @@ static int check_call(struct bpf_verifier_env *env, int func_id, int insn_idx)
- 	return 0;
- }
- 
--static void coerce_reg_to_32(struct bpf_reg_state *reg)
--{
--	/* clear high 32 bits */
--	reg->var_off = tnum_cast(reg->var_off, 4);
--	/* Update bounds */
--	__update_reg_bounds(reg);
--}
--
- static bool signed_add_overflows(s64 a, s64 b)
- {
- 	/* Do the add in u64, where overflow is well-defined */
-@@ -2017,8 +2030,8 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
- 
- 	if (BPF_CLASS(insn->code) != BPF_ALU64) {
- 		/* 32-bit ALU ops are (32,32)->64 */
--		coerce_reg_to_32(dst_reg);
--		coerce_reg_to_32(&src_reg);
-+		coerce_reg_to_size(dst_reg, 4);
-+		coerce_reg_to_size(&src_reg, 4);
- 	}
- 	smin_val = src_reg.smin_value;
- 	smax_val = src_reg.smax_value;
-@@ -2398,10 +2411,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
- 					return -EACCES;
- 				}
- 				mark_reg_unknown(env, regs, insn->dst_reg);
--				/* high 32 bits are known zero. */
--				regs[insn->dst_reg].var_off = tnum_cast(
--						regs[insn->dst_reg].var_off, 4);
--				__update_reg_bounds(&regs[insn->dst_reg]);
-+				coerce_reg_to_size(&regs[insn->dst_reg], 4);
- 			}
- 		} else {
- 			/* case: R = imm
--- 
-2.15.0
-
diff --git a/queue/bpf-fix-integer-overflows.patch b/queue/bpf-fix-integer-overflows.patch
deleted file mode 100644
index f431312..0000000
--- a/queue/bpf-fix-integer-overflows.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From bb7f0f989ca7de1153bd128a40a71709e339fa03 Mon Sep 17 00:00:00 2001
-From: Alexei Starovoitov <ast@kernel.org>
-Date: Mon, 18 Dec 2017 20:12:00 -0800
-Subject: [PATCH] bpf: fix integer overflows
-
-commit bb7f0f989ca7de1153bd128a40a71709e339fa03 upstream.
-
-There were various issues related to the limited size of integers used in
-the verifier:
- - `off + size` overflow in __check_map_access()
- - `off + reg->off` overflow in check_mem_access()
- - `off + reg->var_off.value` overflow or 32-bit truncation of
-   `reg->var_off.value` in check_mem_access()
- - 32-bit truncation in check_stack_boundary()
-
-Make sure that any integer math cannot overflow by not allowing
-pointer math with large values.
-
-Also reduce the scope of "scalar op scalar" tracking.
-
-Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
-Reported-by: Jann Horn <jannh@google.com>
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-
-diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
-index c561b986bab0..1632bb13ad8a 100644
---- a/include/linux/bpf_verifier.h
-+++ b/include/linux/bpf_verifier.h
-@@ -15,11 +15,11 @@
-  * In practice this is far bigger than any realistic pointer offset; this limit
-  * ensures that umax_value + (int)off + (int)size cannot overflow a u64.
-  */
--#define BPF_MAX_VAR_OFF	(1ULL << 31)
-+#define BPF_MAX_VAR_OFF	(1 << 29)
- /* Maximum variable size permitted for ARG_CONST_SIZE[_OR_ZERO].  This ensures
-  * that converting umax_value to int cannot overflow.
-  */
--#define BPF_MAX_VAR_SIZ	INT_MAX
-+#define BPF_MAX_VAR_SIZ	(1 << 29)
- 
- /* Liveness marks, used for registers and spilled-regs (in stack slots).
-  * Read marks propagate upwards until they find a write mark; they record that
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index 982bd9ec721a..86dfe6b5c243 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -1819,6 +1819,41 @@ static bool signed_sub_overflows(s64 a, s64 b)
- 	return res > a;
- }
- 
-+static bool check_reg_sane_offset(struct bpf_verifier_env *env,
-+				  const struct bpf_reg_state *reg,
-+				  enum bpf_reg_type type)
-+{
-+	bool known = tnum_is_const(reg->var_off);
-+	s64 val = reg->var_off.value;
-+	s64 smin = reg->smin_value;
-+
-+	if (known && (val >= BPF_MAX_VAR_OFF || val <= -BPF_MAX_VAR_OFF)) {
-+		verbose(env, "math between %s pointer and %lld is not allowed\n",
-+			reg_type_str[type], val);
-+		return false;
-+	}
-+
-+	if (reg->off >= BPF_MAX_VAR_OFF || reg->off <= -BPF_MAX_VAR_OFF) {
-+		verbose(env, "%s pointer offset %d is not allowed\n",
-+			reg_type_str[type], reg->off);
-+		return false;
-+	}
-+
-+	if (smin == S64_MIN) {
-+		verbose(env, "math between %s pointer and register with unbounded min value is not allowed\n",
-+			reg_type_str[type]);
-+		return false;
-+	}
-+
-+	if (smin >= BPF_MAX_VAR_OFF || smin <= -BPF_MAX_VAR_OFF) {
-+		verbose(env, "value %lld makes %s pointer be out of bounds\n",
-+			smin, reg_type_str[type]);
-+		return false;
-+	}
-+
-+	return true;
-+}
-+
- /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off.
-  * Caller should also handle BPF_MOV case separately.
-  * If we return -EACCES, caller may want to try again treating pointer as a
-@@ -1887,6 +1922,10 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
- 	dst_reg->type = ptr_reg->type;
- 	dst_reg->id = ptr_reg->id;
- 
-+	if (!check_reg_sane_offset(env, off_reg, ptr_reg->type) ||
-+	    !check_reg_sane_offset(env, ptr_reg, ptr_reg->type))
-+		return -EINVAL;
-+
- 	switch (opcode) {
- 	case BPF_ADD:
- 		/* We can take a fixed offset as long as it doesn't overflow
-@@ -2017,6 +2056,9 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
- 		return -EACCES;
- 	}
- 
-+	if (!check_reg_sane_offset(env, dst_reg, ptr_reg->type))
-+		return -EINVAL;
-+
- 	__update_reg_bounds(dst_reg);
- 	__reg_deduce_bounds(dst_reg);
- 	__reg_bound_offset(dst_reg);
-@@ -2046,6 +2088,12 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
- 	src_known = tnum_is_const(src_reg.var_off);
- 	dst_known = tnum_is_const(dst_reg->var_off);
- 
-+	if (!src_known &&
-+	    opcode != BPF_ADD && opcode != BPF_SUB && opcode != BPF_AND) {
-+		__mark_reg_unknown(dst_reg);
-+		return 0;
-+	}
-+
- 	switch (opcode) {
- 	case BPF_ADD:
- 		if (signed_add_overflows(dst_reg->smin_value, smin_val) ||
--- 
-2.15.0
-
diff --git a/queue/bpf-force-strict-alignment-checks-for-stack-pointers.patch b/queue/bpf-force-strict-alignment-checks-for-stack-pointers.patch
deleted file mode 100644
index 717ef8b..0000000
--- a/queue/bpf-force-strict-alignment-checks-for-stack-pointers.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From a5ec6ae161d72f01411169a938fa5f8baea16e8f Mon Sep 17 00:00:00 2001
-From: Jann Horn <jannh@google.com>
-Date: Mon, 18 Dec 2017 20:11:58 -0800
-Subject: [PATCH] bpf: force strict alignment checks for stack pointers
-
-commit a5ec6ae161d72f01411169a938fa5f8baea16e8f upstream.
-
-Force strict alignment checks for stack pointers because the tracking of
-stack spills relies on it; unaligned stack accesses can lead to corruption
-of spilled registers, which is exploitable.
-
-Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
-Signed-off-by: Jann Horn <jannh@google.com>
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index 77e4b5223867..102c519836f6 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -1059,6 +1059,11 @@ static int check_ptr_alignment(struct bpf_verifier_env *env,
- 		break;
- 	case PTR_TO_STACK:
- 		pointer_desc = "stack ";
-+		/* The stack spill tracking logic in check_stack_write()
-+		 * and check_stack_read() relies on stack accesses being
-+		 * aligned.
-+		 */
-+		strict = true;
- 		break;
- 	default:
- 		break;
--- 
-2.15.0
-
diff --git a/queue/bpf-verifier-fix-bounds-calculation-on-BPF_RSH.patch b/queue/bpf-verifier-fix-bounds-calculation-on-BPF_RSH.patch
deleted file mode 100644
index b336f66..0000000
--- a/queue/bpf-verifier-fix-bounds-calculation-on-BPF_RSH.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 4374f256ce8182019353c0c639bb8d0695b4c941 Mon Sep 17 00:00:00 2001
-From: Edward Cree <ecree@solarflare.com>
-Date: Mon, 18 Dec 2017 20:11:53 -0800
-Subject: [PATCH] bpf/verifier: fix bounds calculation on BPF_RSH
-
-commit 4374f256ce8182019353c0c639bb8d0695b4c941 upstream.
-
-Incorrect signed bounds were being computed.
-If the old upper signed bound was positive and the old lower signed bound was
-negative, this could cause the new upper signed bound to be too low,
-leading to security issues.
-
-Fixes: b03c9f9fdc37 ("bpf/verifier: track signed and unsigned min/max values")
-Reported-by: Jann Horn <jannh@google.com>
-Signed-off-by: Edward Cree <ecree@solarflare.com>
-Acked-by: Alexei Starovoitov <ast@kernel.org>
-[jannh@google.com: changed description to reflect bug impact]
-Signed-off-by: Jann Horn <jannh@google.com>
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index e39b01317b6f..625e358ca765 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -2190,20 +2190,22 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
- 			mark_reg_unknown(env, regs, insn->dst_reg);
- 			break;
- 		}
--		/* BPF_RSH is an unsigned shift, so make the appropriate casts */
--		if (dst_reg->smin_value < 0) {
--			if (umin_val) {
--				/* Sign bit will be cleared */
--				dst_reg->smin_value = 0;
--			} else {
--				/* Lost sign bit information */
--				dst_reg->smin_value = S64_MIN;
--				dst_reg->smax_value = S64_MAX;
--			}
--		} else {
--			dst_reg->smin_value =
--				(u64)(dst_reg->smin_value) >> umax_val;
--		}
-+		/* BPF_RSH is an unsigned shift.  If the value in dst_reg might
-+		 * be negative, then either:
-+		 * 1) src_reg might be zero, so the sign bit of the result is
-+		 *    unknown, so we lose our signed bounds
-+		 * 2) it's known negative, thus the unsigned bounds capture the
-+		 *    signed bounds
-+		 * 3) the signed bounds cross zero, so they tell us nothing
-+		 *    about the result
-+		 * If the value in dst_reg is known nonnegative, then again the
-+		 * unsigned bounts capture the signed bounds.
-+		 * Thus, in all cases it suffices to blow away our signed bounds
-+		 * and rely on inferring new ones from the unsigned bounds and
-+		 * var_off of the result.
-+		 */
-+		dst_reg->smin_value = S64_MIN;
-+		dst_reg->smax_value = S64_MAX;
- 		if (src_known)
- 			dst_reg->var_off = tnum_rshift(dst_reg->var_off,
- 						       umin_val);
--- 
-2.15.0
-
diff --git a/queue/crypto-af_alg-fix-race-accessing-cipher-request.patch b/queue/crypto-af_alg-fix-race-accessing-cipher-request.patch
deleted file mode 100644
index 1b4e0eb..0000000
--- a/queue/crypto-af_alg-fix-race-accessing-cipher-request.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From d53c5135792319e095bb126bc43b2ee98586f7fe Mon Sep 17 00:00:00 2001
-From: Stephan Mueller <smueller@chronox.de>
-Date: Fri, 8 Dec 2017 11:50:37 +0100
-Subject: [PATCH] crypto: af_alg - fix race accessing cipher request
-
-commit d53c5135792319e095bb126bc43b2ee98586f7fe upstream.
-
-When invoking an asynchronous cipher operation, the invocation of the
-callback may be performed before the subsequent operations in the
-initial code path are invoked. The callback deletes the cipher request
-data structure which implies that after the invocation of the
-asynchronous cipher operation, this data structure must not be accessed
-any more.
-
-The setting of the return code size with the request data structure must
-therefore be moved before the invocation of the asynchronous cipher
-operation.
-
-Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")
-Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Cc: <stable@vger.kernel.org> # v4.14+
-Signed-off-by: Stephan Mueller <smueller@chronox.de>
-Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
-diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
-index c8a32bef208a..b73db2b27656 100644
---- a/crypto/algif_aead.c
-+++ b/crypto/algif_aead.c
-@@ -291,6 +291,10 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
- 		/* AIO operation */
- 		sock_hold(sk);
- 		areq->iocb = msg->msg_iocb;
-+
-+		/* Remember output size that will be generated. */
-+		areq->outlen = outlen;
-+
- 		aead_request_set_callback(&areq->cra_u.aead_req,
- 					  CRYPTO_TFM_REQ_MAY_BACKLOG,
- 					  af_alg_async_cb, areq);
-@@ -298,12 +302,8 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
- 				 crypto_aead_decrypt(&areq->cra_u.aead_req);
- 
- 		/* AIO operation in progress */
--		if (err == -EINPROGRESS || err == -EBUSY) {
--			/* Remember output size that will be generated. */
--			areq->outlen = outlen;
--
-+		if (err == -EINPROGRESS || err == -EBUSY)
- 			return -EIOCBQUEUED;
--		}
- 
- 		sock_put(sk);
- 	} else {
-diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
-index 6fb595cd63ac..baef9bfccdda 100644
---- a/crypto/algif_skcipher.c
-+++ b/crypto/algif_skcipher.c
-@@ -125,6 +125,10 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
- 		/* AIO operation */
- 		sock_hold(sk);
- 		areq->iocb = msg->msg_iocb;
-+
-+		/* Remember output size that will be generated. */
-+		areq->outlen = len;
-+
- 		skcipher_request_set_callback(&areq->cra_u.skcipher_req,
- 					      CRYPTO_TFM_REQ_MAY_SLEEP,
- 					      af_alg_async_cb, areq);
-@@ -133,12 +137,8 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
- 			crypto_skcipher_decrypt(&areq->cra_u.skcipher_req);
- 
- 		/* AIO operation in progress */
--		if (err == -EINPROGRESS || err == -EBUSY) {
--			/* Remember output size that will be generated. */
--			areq->outlen = len;
--
-+		if (err == -EINPROGRESS || err == -EBUSY)
- 			return -EIOCBQUEUED;
--		}
- 
- 		sock_put(sk);
- 	} else {
--- 
-2.15.0
-
diff --git a/queue/crypto-af_alg-wait-for-data-at-beginning-of-recvmsg.patch b/queue/crypto-af_alg-wait-for-data-at-beginning-of-recvmsg.patch
deleted file mode 100644
index b732590..0000000
--- a/queue/crypto-af_alg-wait-for-data-at-beginning-of-recvmsg.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 11edb555966ed2c66c533d17c604f9d7e580a829 Mon Sep 17 00:00:00 2001
-From: Stephan Mueller <smueller@chronox.de>
-Date: Wed, 29 Nov 2017 12:02:23 +0100
-Subject: [PATCH] crypto: af_alg - wait for data at beginning of recvmsg
-
-commit 11edb555966ed2c66c533d17c604f9d7e580a829 upstream.
-
-The wait for data is a non-atomic operation that can sleep and therefore
-potentially release the socket lock. The release of the socket lock
-allows another thread to modify the context data structure. The waiting
-operation for new data therefore must be called at the beginning of
-recvmsg. This prevents a race condition where checks of the members of
-the context data structure are performed by recvmsg while there is a
-potential for modification of these values.
-
-Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")
-Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Cc: <stable@vger.kernel.org> # v4.14+
-Signed-off-by: Stephan Mueller <smueller@chronox.de>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
-diff --git a/crypto/af_alg.c b/crypto/af_alg.c
-index 358749c38894..f1a2caf1b59b 100644
---- a/crypto/af_alg.c
-+++ b/crypto/af_alg.c
-@@ -1137,12 +1137,6 @@ int af_alg_get_rsgl(struct sock *sk, struct msghdr *msg, int flags,
- 		if (!af_alg_readable(sk))
- 			break;
- 
--		if (!ctx->used) {
--			err = af_alg_wait_for_data(sk, flags);
--			if (err)
--				return err;
--		}
--
- 		seglen = min_t(size_t, (maxsize - len),
- 			       msg_data_left(msg));
- 
-diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
-index 805f485ddf1b..c8a32bef208a 100644
---- a/crypto/algif_aead.c
-+++ b/crypto/algif_aead.c
-@@ -111,6 +111,12 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
- 	size_t usedpages = 0;		/* [in]  RX bufs to be used from user */
- 	size_t processed = 0;		/* [in]  TX bufs to be consumed */
- 
-+	if (!ctx->used) {
-+		err = af_alg_wait_for_data(sk, flags);
-+		if (err)
-+			return err;
-+	}
-+
- 	/*
- 	 * Data length provided by caller via sendmsg/sendpage that has not
- 	 * yet been processed.
-diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
-index 30cff827dd8f..6fb595cd63ac 100644
---- a/crypto/algif_skcipher.c
-+++ b/crypto/algif_skcipher.c
-@@ -72,6 +72,12 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
- 	int err = 0;
- 	size_t len = 0;
- 
-+	if (!ctx->used) {
-+		err = af_alg_wait_for_data(sk, flags);
-+		if (err)
-+			return err;
-+	}
-+
- 	/* Allocate cipher request for current operation. */
- 	areq = af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) +
- 				     crypto_skcipher_reqsize(tfm));
--- 
-2.15.0
-
diff --git a/queue/crypto-skcipher-set-walk.iv-for-zero-length-inputs.patch b/queue/crypto-skcipher-set-walk.iv-for-zero-length-inputs.patch
deleted file mode 100644
index 4795d22..0000000
--- a/queue/crypto-skcipher-set-walk.iv-for-zero-length-inputs.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 2b4f27c36bcd46e820ddb9a8e6fe6a63fa4250b8 Mon Sep 17 00:00:00 2001
-From: Eric Biggers <ebiggers@google.com>
-Date: Wed, 29 Nov 2017 01:18:57 -0800
-Subject: [PATCH] crypto: skcipher - set walk.iv for zero-length inputs
-
-commit 2b4f27c36bcd46e820ddb9a8e6fe6a63fa4250b8 upstream.
-
-All the ChaCha20 algorithms as well as the ARM bit-sliced AES-XTS
-algorithms call skcipher_walk_virt(), then access the IV (walk.iv)
-before checking whether any bytes need to be processed (walk.nbytes).
-
-But if the input is empty, then skcipher_walk_virt() doesn't set the IV,
-and the algorithms crash trying to use the uninitialized IV pointer.
-
-Fix it by setting the IV earlier in skcipher_walk_virt().  Also fix it
-for the AEAD walk functions.
-
-This isn't a perfect solution because we can't actually align the IV to
-->cra_alignmask unless there are bytes to process, for one because the
-temporary buffer for the aligned IV is freed by skcipher_walk_done(),
-which is only called when there are bytes to process.  Thus, algorithms
-that require aligned IVs will still need to avoid accessing the IV when
-walk.nbytes == 0.  Still, many algorithms/architectures are fine with
-IVs having any alignment, and even for those that aren't, a misaligned
-pointer bug is much less severe than an uninitialized pointer bug.
-
-This change also matches the behavior of the older blkcipher_walk API.
-
-Fixes: 0cabf2af6f5a ("crypto: skcipher - Fix crash on zero-length input")
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Cc: <stable@vger.kernel.org> # v4.14+
-Signed-off-by: Eric Biggers <ebiggers@google.com>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
-diff --git a/crypto/skcipher.c b/crypto/skcipher.c
-index 778e0ff42bfa..11af5fd6a443 100644
---- a/crypto/skcipher.c
-+++ b/crypto/skcipher.c
-@@ -449,6 +449,8 @@ static int skcipher_walk_skcipher(struct skcipher_walk *walk,
- 
- 	walk->total = req->cryptlen;
- 	walk->nbytes = 0;
-+	walk->iv = req->iv;
-+	walk->oiv = req->iv;
- 
- 	if (unlikely(!walk->total))
- 		return 0;
-@@ -456,9 +458,6 @@ static int skcipher_walk_skcipher(struct skcipher_walk *walk,
- 	scatterwalk_start(&walk->in, req->src);
- 	scatterwalk_start(&walk->out, req->dst);
- 
--	walk->iv = req->iv;
--	walk->oiv = req->iv;
--
- 	walk->flags &= ~SKCIPHER_WALK_SLEEP;
- 	walk->flags |= req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ?
- 		       SKCIPHER_WALK_SLEEP : 0;
-@@ -510,6 +509,8 @@ static int skcipher_walk_aead_common(struct skcipher_walk *walk,
- 	int err;
- 
- 	walk->nbytes = 0;
-+	walk->iv = req->iv;
-+	walk->oiv = req->iv;
- 
- 	if (unlikely(!walk->total))
- 		return 0;
-@@ -525,9 +526,6 @@ static int skcipher_walk_aead_common(struct skcipher_walk *walk,
- 	scatterwalk_done(&walk->in, 0, walk->total);
- 	scatterwalk_done(&walk->out, 0, walk->total);
- 
--	walk->iv = req->iv;
--	walk->oiv = req->iv;
--
- 	if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP)
- 		walk->flags |= SKCIPHER_WALK_SLEEP;
- 	else
--- 
-2.15.0
-
diff --git a/queue/ip_gre-check-packet-length-and-mtu-correctly-in-ersp.patch b/queue/ip_gre-check-packet-length-and-mtu-correctly-in-ersp.patch
deleted file mode 100644
index e608279..0000000
--- a/queue/ip_gre-check-packet-length-and-mtu-correctly-in-ersp.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From f192970de860d3ab90aa9e2a22853201a57bde78 Mon Sep 17 00:00:00 2001
-From: William Tu <u9012063@gmail.com>
-Date: Thu, 5 Oct 2017 12:07:12 -0700
-Subject: [PATCH] ip_gre: check packet length and mtu correctly in erspan tx
-
-commit f192970de860d3ab90aa9e2a22853201a57bde78 upstream.
-
-Similarly to early patch for erspan_xmit(), the ARPHDR_ETHER device
-is the length of the whole ether packet.  So skb->len should subtract
-the dev->hard_header_len.
-
-Fixes: 1a66a836da63 ("gre: add collect_md mode to ERSPAN tunnel")
-Fixes: 84e54fe0a5ea ("gre: introduce native tunnel support for ERSPAN")
-Signed-off-by: William Tu <u9012063@gmail.com>
-Cc: Xin Long <lucien.xin@gmail.com>
-Cc: David Laight <David.Laight@aculab.com>
-Reviewed-by: Xin Long <lucien.xin@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-
-diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
-index dc2317776499..c105a315b1a3 100644
---- a/net/ipv4/ip_gre.c
-+++ b/net/ipv4/ip_gre.c
-@@ -579,8 +579,8 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev,
- 	if (gre_handle_offloads(skb, false))
- 		goto err_free_rt;
- 
--	if (skb->len > dev->mtu) {
--		pskb_trim(skb, dev->mtu);
-+	if (skb->len > dev->mtu + dev->hard_header_len) {
-+		pskb_trim(skb, dev->mtu + dev->hard_header_len);
- 		truncate = true;
- 	}
- 
-@@ -731,8 +731,8 @@ static netdev_tx_t erspan_xmit(struct sk_buff *skb,
- 	if (skb_cow_head(skb, dev->needed_headroom))
- 		goto free_skb;
- 
--	if (skb->len - dev->hard_header_len > dev->mtu) {
--		pskb_trim(skb, dev->mtu);
-+	if (skb->len > dev->mtu + dev->hard_header_len) {
-+		pskb_trim(skb, dev->mtu + dev->hard_header_len);
- 		truncate = true;
- 	}
- 
--- 
-2.15.0
-
diff --git a/queue/parisc-Fix-indenting-in-puts.patch b/queue/parisc-Fix-indenting-in-puts.patch
deleted file mode 100644
index 1ac8ac1..0000000
--- a/queue/parisc-Fix-indenting-in-puts.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 203c110b39a89b48156c7450504e454fedb7f7f6 Mon Sep 17 00:00:00 2001
-From: Helge Deller <deller@gmx.de>
-Date: Tue, 12 Dec 2017 21:32:16 +0100
-Subject: [PATCH] parisc: Fix indenting in puts()
-
-commit 203c110b39a89b48156c7450504e454fedb7f7f6 upstream.
-
-Static analysis tools complain that we intended to have curly braces
-around this indent block. In this case this assumption is wrong, so fix
-the indenting.
-
-Fixes: 2f3c7b8137ef ("parisc: Add core code for self-extracting kernel")
-Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
-Signed-off-by: Helge Deller <deller@gmx.de>
-Cc: <stable@vger.kernel.org> # v4.14+
-
-diff --git a/arch/parisc/boot/compressed/misc.c b/arch/parisc/boot/compressed/misc.c
-index 9345b44b86f0..f57118e1f6b4 100644
---- a/arch/parisc/boot/compressed/misc.c
-+++ b/arch/parisc/boot/compressed/misc.c
-@@ -123,8 +123,8 @@ int puts(const char *s)
- 	while ((nuline = strchr(s, '\n')) != NULL) {
- 		if (nuline != s)
- 			pdc_iodc_print(s, nuline - s);
--			pdc_iodc_print("\r\n", 2);
--			s = nuline + 1;
-+		pdc_iodc_print("\r\n", 2);
-+		s = nuline + 1;
- 	}
- 	if (*s != '\0')
- 		pdc_iodc_print(s, strlen(s));
--- 
-2.15.0
-
diff --git a/queue/series b/queue/series
index 6c25c23..d021abf 100644
--- a/queue/series
+++ b/queue/series
@@ -1,6 +1,5 @@
 ACPI-APEI-adjust-a-local-variable-type-in-ghes_iorem.patch
 x86-platform-UV-Convert-timers-to-use-timer_setup.patch
-bpf-fix-build-issues-on-um-due-to-mising-bpf_perf_ev.patch
 optee-fix-invalid-of_node_put-in-optee_driver_init.patch
 backlight-pwm_bl-Fix-overflow-condition.patch
 drm-Add-retries-for-lspcon-mode-detection.patch
@@ -22,7 +21,6 @@ ixgbe-fix-use-of-uninitialized-padding.patch
 IB-rxe-check-for-allocation-failure-on-elem.patch
 block-bfq-Disable-writeback-throttling.patch
 md-always-set-THREAD_WAKEUP-and-wake-up-wqueue-if-th.patch
-ip_gre-check-packet-length-and-mtu-correctly-in-ersp.patch
 leds-pca955x-Don-t-invert-requested-value-in-pca955x.patch
 Bluetooth-hci_uart_set_flow_control-Fix-NULL-deref-w.patch
 Bluetooth-hci_bcm-Fix-setting-of-irq-trigger-type.patch
@@ -60,45 +58,30 @@ thermal-drivers-hisi-Simplify-the-temperature-step-c.patch
 thermal-drivers-hisi-Fix-multiple-alarm-interrupts-f.patch
 platform-x86-asus-wireless-send-an-EV_SYN-SYN_REPORT.patch
 bpf-fix-branch-pruning-logic.patch
-bpf-fix-corruption-on-concurrent-perf_event_output-c.patch
 bpf-s390x-do-not-reload-skb-pointers-in-non-skb-cont.patch
 bpf-ppc64-do-not-reload-skb-pointers-in-non-skb-cont.patch
 bpf-sparc-fix-usage-of-wrong-reg-for-load_skb_regs-a.patch
-bpf-verifier-fix-bounds-calculation-on-BPF_RSH.patch
 bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
-bpf-fix-incorrect-tracking-of-register-size-truncati.patch
-bpf-fix-32-bit-ALU-op-verification.patch
-bpf-force-strict-alignment-checks-for-stack-pointers.patch
-bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch
-bpf-fix-integer-overflows.patch
 selftests-bpf-add-tests-for-recent-bugfixes.patch
 linux-compiler.h-Split-into-compiler.h-and-compiler_.patch
 tools-headers-Sync-objtool-UAPI-header.patch
 x86-insn-eval-Add-utility-functions-to-get-segment-s.patch
 ACPI-APEI-ERST-Fix-missing-error-handling-in-erst_re.patch
 acpi-nfit-fix-health-event-notification.patch
-crypto-skcipher-set-walk.iv-for-zero-length-inputs.patch
 crypto-mcryptd-protect-the-per-CPU-queue-with-a-lock.patch
-crypto-af_alg-wait-for-data-at-beginning-of-recvmsg.patch
-crypto-af_alg-fix-race-accessing-cipher-request.patch
 mfd-cros-ec-spi-Don-t-send-first-message-too-soon.patch
 mfd-twl4030-audio-Fix-sibling-node-lookup.patch
 mfd-twl6040-Fix-child-node-lookup.patch
 ALSA-rawmidi-Avoid-racy-info-ioctl-via-ctl-device.patch
-ALSA-hda-realtek-Fix-Dell-AIO-LineOut-issue.patch
 ALSA-hda-Add-vendor-id-for-Cannonlake-HDMI-codec.patch
 ALSA-usb-audio-Add-native-DSD-support-for-Esoteric-D.patch
-PCI-PM-Force-devices-to-D0-in-pci_pm_thaw_noirq.patch
-block-unalign-call_single_data-in-struct-request.patch
 block-throttle-avoid-double-charge.patch
 parisc-Align-os_hpmc_size-on-word-boundary.patch
-parisc-Fix-indenting-in-puts.patch
 parisc-Hide-Diva-built-in-serial-aux-and-graphics-ca.patch
 Revert-parisc-Re-enable-interrupts-early.patch
 spi-xilinx-Detect-stall-with-Unknown-commands.patch
 spi-a3700-Fix-clk-prescaling-for-coefficient-over-15.patch
 pinctrl-cherryview-Mask-all-interrupts-on-Intel_Stra.patch
-KVM-MMU-Fix-infinite-loop-when-there-is-no-available.patch
 clk-sunxi-sun9i-mmc-Implement-reset-callback-for-res.patch
 powerpc-perf-Dereference-BHRB-entries-safely.patch
 drm-i915-Flush-pending-GTT-writes-before-unbinding.patch