more 3.18 patches

17 files changed, 1131 insertions, 0 deletions

diff --git a/alsa-hda-hdmi-consider-eld_valid-when-reporting-jack-event.patch b/alsa-hda-hdmi-consider-eld_valid-when-reporting-jack-event.patch
new file mode 100644
index 0000000..f2dfd64
--- /dev/null
+++ b/alsa-hda-hdmi-consider-eld_valid-when-reporting-jack-event.patch
@@ -0,0 +1,58 @@
+From 7f641e26a6df9269cb25dd7a4b0a91d6586ed441 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Mon, 6 May 2019 22:09:32 +0800
+Subject: ALSA: hda/hdmi - Consider eld_valid when reporting jack event
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 7f641e26a6df9269cb25dd7a4b0a91d6586ed441 upstream.
+
+On the machines with AMD GPU or Nvidia GPU, we often meet this issue:
+after s3, there are 4 HDMI/DP audio devices in the gnome-sound-setting
+even there is no any monitors plugged.
+
+When this problem happens, we check the /proc/asound/cardX/eld#N.M, we
+will find the monitor_present=1, eld_valid=0.
+
+The root cause is BIOS or GPU driver makes the PRESENCE valid even no
+monitor plugged, and of course the driver will not get the valid
+eld_data subsequently.
+
+In this situation, we should not report the jack_plugged event, to do
+so, let us change the function hdmi_present_sense_via_verbs(). In this
+function, it reads the pin_sense via snd_hda_pin_sense(), after
+calling this function, the jack_dirty is 0, and before exiting
+via_verbs(), we change the shadow pin_sense according to both
+monitor_present and eld_valid, then in the snd_hda_jack_report_sync(),
+since the jack_dirty is still 0, it will report jack event according
+to this modified shadow pin_sense.
+
+After this change, the driver will not report Jack_is_plugged event
+through hdmi_present_sense_via_verbs() if monitor_present is 1 and
+eld_valid is 0.
+
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_hdmi.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -1635,9 +1635,11 @@ static bool hdmi_present_sense(struct hd
+ 	ret = !repoll || !pin_eld->monitor_present || pin_eld->eld_valid;
+ 
+ 	jack = snd_hda_jack_tbl_get(codec, pin_nid);
+-	if (jack)
++	if (jack) {
+ 		jack->block_report = !ret;
+-
++		jack->pin_sense = (eld->monitor_present && eld->eld_valid) ?
++			AC_PINSENSE_PRESENCE : 0;
++	}
+ 	mutex_unlock(&per_pin->lock);
+ 	snd_hda_power_down(codec);
+ 	return ret;
diff --git a/alsa-hda-realtek-eapd-turn-on-later.patch b/alsa-hda-realtek-eapd-turn-on-later.patch
new file mode 100644
index 0000000..c894f07
--- /dev/null
+++ b/alsa-hda-realtek-eapd-turn-on-later.patch
@@ -0,0 +1,40 @@
+From 607ca3bd220f4022e6f5356026b19dafc363863a Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Fri, 26 Apr 2019 16:35:41 +0800
+Subject: ALSA: hda/realtek - EAPD turn on later
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit 607ca3bd220f4022e6f5356026b19dafc363863a upstream.
+
+Let EAPD turn on after set pin output.
+
+[ NOTE: This change is supposed to reduce the possible click noises at
+  (runtime) PM resume.  The functionality should be same (i.e. the
+  verbs are executed correctly) no matter which order is, so this
+  should be safe to apply for all codecs -- tiwai ]
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -755,11 +755,10 @@ static int alc_init(struct hda_codec *co
+ 	if (spec->init_hook)
+ 		spec->init_hook(codec);
+ 
++	snd_hda_gen_init(codec);
+ 	alc_fix_pll(codec);
+ 	alc_auto_init_amp(codec, spec->init_amp);
+ 
+-	snd_hda_gen_init(codec);
+-
+ 	snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_INIT);
+ 
+ 	return 0;
diff --git a/alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch b/alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch
new file mode 100644
index 0000000..42fe459
--- /dev/null
+++ b/alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch
@@ -0,0 +1,41 @@
+From 56df90b631fc027fe28b70d41352d820797239bb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Wadowski?= <wadosm@gmail.com>
+Date: Tue, 14 May 2019 16:58:00 +0200
+Subject: ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michał Wadowski <wadosm@gmail.com>
+
+commit 56df90b631fc027fe28b70d41352d820797239bb upstream.
+
+Add patch for realtek codec in Lenovo B50-70 that fixes inverted
+internal microphone channel.
+Device IdeaPad Y410P has the same PCI SSID as Lenovo B50-70,
+but first one is about fix the noise and it didn't seem help in a
+later kernel version.
+So I replaced IdeaPad Y410P device description with B50-70 and apply
+inverted microphone fix.
+
+Bugzilla: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1524215
+Signed-off-by: Michał Wadowski <wadosm@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5471,7 +5471,7 @@ static const struct snd_pci_quirk alc269
+ 	SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ 	SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ 	SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
+-	SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP),
++	SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ 	SND_PCI_QUIRK(0x17aa, 0x5013, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ 	SND_PCI_QUIRK(0x17aa, 0x501a, "Thinkpad", ALC283_FIXUP_INT_MIC),
+ 	SND_PCI_QUIRK(0x17aa, 0x501e, "Thinkpad L440", ALC292_FIXUP_TPT440_DOCK),
diff --git a/alsa-usb-audio-fix-a-memory-leak-bug.patch b/alsa-usb-audio-fix-a-memory-leak-bug.patch
new file mode 100644
index 0000000..30f4dd5
--- /dev/null
+++ b/alsa-usb-audio-fix-a-memory-leak-bug.patch
@@ -0,0 +1,40 @@
+From cb5173594d50c72b7bfa14113dfc5084b4d2f726 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Sat, 27 Apr 2019 01:06:46 -0500
+Subject: ALSA: usb-audio: Fix a memory leak bug
+
+From: Wenwen Wang <wang6495@umn.edu>
+
+commit cb5173594d50c72b7bfa14113dfc5084b4d2f726 upstream.
+
+In parse_audio_selector_unit(), the string array 'namelist' is allocated
+through kmalloc_array(), and each string pointer in this array, i.e.,
+'namelist[]', is allocated through kmalloc() in the following for loop.
+Then, a control instance 'kctl' is created by invoking snd_ctl_new1(). If
+an error occurs during the creation process, the string array 'namelist',
+including all string pointers in the array 'namelist[]', should be freed,
+before the error code ENOMEM is returned. However, the current code does
+not free 'namelist[]', resulting in memory leaks.
+
+To fix the above issue, free all string pointers 'namelist[]' in a loop.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2103,6 +2103,8 @@ static int parse_audio_selector_unit(str
+ 	kctl = snd_ctl_new1(&mixer_selectunit_ctl, cval);
+ 	if (! kctl) {
+ 		usb_audio_err(state->chip, "cannot malloc kcontrol\n");
++		for (i = 0; i < desc->bNrInPins; i++)
++			kfree(namelist[i]);
+ 		kfree(namelist);
+ 		kfree(cval);
+ 		return -ENOMEM;
diff --git a/asoc-max98090-fix-restore-of-dapm-muxes.patch b/asoc-max98090-fix-restore-of-dapm-muxes.patch
new file mode 100644
index 0000000..cf4f32e
--- /dev/null
+++ b/asoc-max98090-fix-restore-of-dapm-muxes.patch
@@ -0,0 +1,53 @@
+From ecb2795c08bc825ebd604997e5be440b060c5b18 Mon Sep 17 00:00:00 2001
+From: Jon Hunter <jonathanh@nvidia.com>
+Date: Wed, 1 May 2019 15:29:38 +0100
+Subject: ASoC: max98090: Fix restore of DAPM Muxes
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+commit ecb2795c08bc825ebd604997e5be440b060c5b18 upstream.
+
+The max98090 driver defines 3 DAPM muxes; one for the right line output
+(LINMOD Mux), one for the left headphone mixer source (MIXHPLSEL Mux)
+and one for the right headphone mixer source (MIXHPRSEL Mux). The same
+bit is used for the mux as well as the DAPM enable, and although the mux
+can be correctly configured, after playback has completed, the mux will
+be reset during the disable phase. This is preventing the state of these
+muxes from being saved and restored correctly on system reboot. Fix this
+by marking these muxes as SND_SOC_NOPM.
+
+Note this has been verified this on the Tegra124 Nyan Big which features
+the MAX98090 codec.
+
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/max98090.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/sound/soc/codecs/max98090.c
++++ b/sound/soc/codecs/max98090.c
+@@ -1265,14 +1265,14 @@ static const struct snd_soc_dapm_widget
+ 		&max98090_right_rcv_mixer_controls[0],
+ 		ARRAY_SIZE(max98090_right_rcv_mixer_controls)),
+ 
+-	SND_SOC_DAPM_MUX("LINMOD Mux", M98090_REG_LOUTR_MIXER,
+-		M98090_LINMOD_SHIFT, 0, &max98090_linmod_mux),
++	SND_SOC_DAPM_MUX("LINMOD Mux", SND_SOC_NOPM, 0, 0,
++		&max98090_linmod_mux),
+ 
+-	SND_SOC_DAPM_MUX("MIXHPLSEL Mux", M98090_REG_HP_CONTROL,
+-		M98090_MIXHPLSEL_SHIFT, 0, &max98090_mixhplsel_mux),
++	SND_SOC_DAPM_MUX("MIXHPLSEL Mux", SND_SOC_NOPM, 0, 0,
++		&max98090_mixhplsel_mux),
+ 
+-	SND_SOC_DAPM_MUX("MIXHPRSEL Mux", M98090_REG_HP_CONTROL,
+-		M98090_MIXHPRSEL_SHIFT, 0, &max98090_mixhprsel_mux),
++	SND_SOC_DAPM_MUX("MIXHPRSEL Mux", SND_SOC_NOPM, 0, 0,
++		&max98090_mixhprsel_mux),
+ 
+ 	SND_SOC_DAPM_PGA("HP Left Out", M98090_REG_OUTPUT_ENABLE,
+ 		M98090_HPLEN_SHIFT, 0, NULL, 0),
diff --git a/bcache-fix-a-race-between-cache-register-and-cacheset-unregister.patch b/bcache-fix-a-race-between-cache-register-and-cacheset-unregister.patch
new file mode 100644
index 0000000..7a57c10
--- /dev/null
+++ b/bcache-fix-a-race-between-cache-register-and-cacheset-unregister.patch
@@ -0,0 +1,81 @@
+From a4b732a248d12cbdb46999daf0bf288c011335eb Mon Sep 17 00:00:00 2001
+From: Liang Chen <liangchen.linux@gmail.com>
+Date: Thu, 25 Apr 2019 00:48:31 +0800
+Subject: bcache: fix a race between cache register and cacheset unregister
+
+From: Liang Chen <liangchen.linux@gmail.com>
+
+commit a4b732a248d12cbdb46999daf0bf288c011335eb upstream.
+
+There is a race between cache device register and cache set unregister.
+For an already registered cache device, register_bcache will call
+bch_is_open to iterate through all cachesets and check every cache
+there. The race occurs if cache_set_free executes at the same time and
+clears the caches right before ca is dereferenced in bch_is_open_cache.
+To close the race, let's make sure the clean up work is protected by
+the bch_register_lock as well.
+
+This issue can be reproduced as follows,
+while true; do echo /dev/XXX> /sys/fs/bcache/register ; done&
+while true; do echo 1> /sys/block/XXX/bcache/set/unregister ; done &
+
+and results in the following oops,
+
+[  +0.000053] BUG: unable to handle kernel NULL pointer dereference at 0000000000000998
+[  +0.000457] #PF error: [normal kernel read fault]
+[  +0.000464] PGD 800000003ca9d067 P4D 800000003ca9d067 PUD 3ca9c067 PMD 0
+[  +0.000388] Oops: 0000 [#1] SMP PTI
+[  +0.000269] CPU: 1 PID: 3266 Comm: bash Not tainted 5.0.0+ #6
+[  +0.000346] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.fc28 04/01/2014
+[  +0.000472] RIP: 0010:register_bcache+0x1829/0x1990 [bcache]
+[  +0.000344] Code: b0 48 83 e8 50 48 81 fa e0 e1 10 c0 0f 84 a9 00 00 00 48 89 c6 48 89 ca 0f b7 ba 54 04 00 00 4c 8b 82 60 0c 00 00 85 ff 74 2f <49> 3b a8 98 09 00 00 74 4e 44 8d 47 ff 31 ff 49 c1 e0 03 eb 0d
+[  +0.000839] RSP: 0018:ffff92ee804cbd88 EFLAGS: 00010202
+[  +0.000328] RAX: ffffffffc010e190 RBX: ffff918b5c6b5000 RCX: ffff918b7d8e0000
+[  +0.000399] RDX: ffff918b7d8e0000 RSI: ffffffffc010e190 RDI: 0000000000000001
+[  +0.000398] RBP: ffff918b7d318340 R08: 0000000000000000 R09: ffffffffb9bd2d7a
+[  +0.000385] R10: ffff918b7eb253c0 R11: ffffb95980f51200 R12: ffffffffc010e1a0
+[  +0.000411] R13: fffffffffffffff2 R14: 000000000000000b R15: ffff918b7e232620
+[  +0.000384] FS:  00007f955bec2740(0000) GS:ffff918b7eb00000(0000) knlGS:0000000000000000
+[  +0.000420] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  +0.000801] CR2: 0000000000000998 CR3: 000000003cad6000 CR4: 00000000001406e0
+[  +0.000837] Call Trace:
+[  +0.000682]  ? _cond_resched+0x10/0x20
+[  +0.000691]  ? __kmalloc+0x131/0x1b0
+[  +0.000710]  kernfs_fop_write+0xfa/0x170
+[  +0.000733]  __vfs_write+0x2e/0x190
+[  +0.000688]  ? inode_security+0x10/0x30
+[  +0.000698]  ? selinux_file_permission+0xd2/0x120
+[  +0.000752]  ? security_file_permission+0x2b/0x100
+[  +0.000753]  vfs_write+0xa8/0x1a0
+[  +0.000676]  ksys_write+0x4d/0xb0
+[  +0.000699]  do_syscall_64+0x3a/0xf0
+[  +0.000692]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Signed-off-by: Liang Chen <liangchen.linux@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/super.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1375,6 +1375,7 @@ static void cache_set_free(struct closur
+ 	bch_btree_cache_free(c);
+ 	bch_journal_free(c);
+ 
++	mutex_lock(&bch_register_lock);
+ 	for_each_cache(ca, c, i)
+ 		if (ca) {
+ 			ca->set = NULL;
+@@ -1397,7 +1398,6 @@ static void cache_set_free(struct closur
+ 		mempool_destroy(c->search);
+ 	kfree(c->devices);
+ 
+-	mutex_lock(&bch_register_lock);
+ 	list_del(&c->list);
+ 	mutex_unlock(&bch_register_lock);
+ 
diff --git a/bcache-never-set-key_ptrs-of-journal-key-to-0-in-journal_reclaim.patch b/bcache-never-set-key_ptrs-of-journal-key-to-0-in-journal_reclaim.patch
new file mode 100644
index 0000000..14ba611
--- /dev/null
+++ b/bcache-never-set-key_ptrs-of-journal-key-to-0-in-journal_reclaim.patch
@@ -0,0 +1,96 @@
+From 1bee2addc0c8470c8aaa65ef0599eeae96dd88bc Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Thu, 25 Apr 2019 00:48:33 +0800
+Subject: bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim()
+
+From: Coly Li <colyli@suse.de>
+
+commit 1bee2addc0c8470c8aaa65ef0599eeae96dd88bc upstream.
+
+In journal_reclaim() ja->cur_idx of each cache will be update to
+reclaim available journal buckets. Variable 'int n' is used to count how
+many cache is successfully reclaimed, then n is set to c->journal.key
+by SET_KEY_PTRS(). Later in journal_write_unlocked(), a for_each_cache()
+loop will write the jset data onto each cache.
+
+The problem is, if all jouranl buckets on each cache is full, the
+following code in journal_reclaim(),
+
+529 for_each_cache(ca, c, iter) {
+530       struct journal_device *ja = &ca->journal;
+531       unsigned int next = (ja->cur_idx + 1) % ca->sb.njournal_buckets;
+532
+533       /* No space available on this device */
+534       if (next == ja->discard_idx)
+535               continue;
+536
+537       ja->cur_idx = next;
+538       k->ptr[n++] = MAKE_PTR(0,
+539                         bucket_to_sector(c, ca->sb.d[ja->cur_idx]),
+540                         ca->sb.nr_this_dev);
+541 }
+542
+543 bkey_init(k);
+544 SET_KEY_PTRS(k, n);
+
+If there is no available bucket to reclaim, the if() condition at line
+534 will always true, and n remains 0. Then at line 544, SET_KEY_PTRS()
+will set KEY_PTRS field of c->journal.key to 0.
+
+Setting KEY_PTRS field of c->journal.key to 0 is wrong. Because in
+journal_write_unlocked() the journal data is written in following loop,
+
+649	for (i = 0; i < KEY_PTRS(k); i++) {
+650-671		submit journal data to cache device
+672	}
+
+If KEY_PTRS field is set to 0 in jouranl_reclaim(), the journal data
+won't be written to cache device here. If system crahed or rebooted
+before bkeys of the lost journal entries written into btree nodes, data
+corruption will be reported during bcache reload after rebooting the
+system.
+
+Indeed there is only one cache in a cache set, there is no need to set
+KEY_PTRS field in journal_reclaim() at all. But in order to keep the
+for_each_cache() logic consistent for now, this patch fixes the above
+problem by not setting 0 KEY_PTRS of journal key, if there is no bucket
+available to reclaim.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/journal.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -513,11 +513,11 @@ static void journal_reclaim(struct cache
+ 				  ca->sb.nr_this_dev);
+ 	}
+ 
+-	bkey_init(k);
+-	SET_KEY_PTRS(k, n);
+-
+-	if (n)
++	if (n) {
++		bkey_init(k);
++		SET_KEY_PTRS(k, n);
+ 		c->journal.blocks_free = c->sb.bucket_size >> c->block_bits;
++	}
+ out:
+ 	if (!journal_full(&c->journal))
+ 		__closure_wake_up(&c->journal.wait);
+@@ -639,6 +639,9 @@ static void journal_write_unlocked(struc
+ 		ca->journal.seq[ca->journal.cur_idx] = w->data->seq;
+ 	}
+ 
++	/* If KEY_PTRS(k) == 0, this jset gets lost in air */
++	BUG_ON(i == 0);
++
+ 	atomic_dec_bug(&fifo_back(&c->journal.pin));
+ 	bch_journal_next(&c->journal);
+ 	journal_reclaim(c);
diff --git a/crypto-arm-aes-neonbs-don-t-access-already-freed-walk.iv.patch b/crypto-arm-aes-neonbs-don-t-access-already-freed-walk.iv.patch
new file mode 100644
index 0000000..6ebfc20
--- /dev/null
+++ b/crypto-arm-aes-neonbs-don-t-access-already-freed-walk.iv.patch
@@ -0,0 +1,52 @@
+From 767f015ea0b7ab9d60432ff6cd06b664fd71f50f Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 9 Apr 2019 23:46:31 -0700
+Subject: crypto: arm/aes-neonbs - don't access already-freed walk.iv
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 767f015ea0b7ab9d60432ff6cd06b664fd71f50f upstream.
+
+If the user-provided IV needs to be aligned to the algorithm's
+alignmask, then skcipher_walk_virt() copies the IV into a new aligned
+buffer walk.iv.  But skcipher_walk_virt() can fail afterwards, and then
+if the caller unconditionally accesses walk.iv, it's a use-after-free.
+
+arm32 xts-aes-neonbs doesn't set an alignmask, so currently it isn't
+affected by this despite unconditionally accessing walk.iv.  However
+this is more subtle than desired, and it was actually broken prior to
+the alignmask being removed by commit cc477bf64573 ("crypto: arm/aes -
+replace bit-sliced OpenSSL NEON code").  Thus, update xts-aes-neonbs to
+start checking the return value of skcipher_walk_virt().
+
+Fixes: e4e7f10bfc40 ("ARM: add support for bit sliced AES using NEON instructions")
+Cc: <stable@vger.kernel.org> # v3.13+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ arch/arm/crypto/aesbs-glue.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm/crypto/aesbs-glue.c
++++ b/arch/arm/crypto/aesbs-glue.c
+@@ -259,6 +259,8 @@ static int aesbs_xts_encrypt(struct blkc
+ 
+ 	blkcipher_walk_init(&walk, dst, src, nbytes);
+ 	err = blkcipher_walk_virt_block(desc, &walk, 8 * AES_BLOCK_SIZE);
++	if (err)
++		return err;
+ 
+ 	/* generate the initial tweak */
+ 	AES_encrypt(walk.iv, walk.iv, &ctx->twkey);
+@@ -283,6 +285,8 @@ static int aesbs_xts_decrypt(struct blkc
+ 
+ 	blkcipher_walk_init(&walk, dst, src, nbytes);
+ 	err = blkcipher_walk_virt_block(desc, &walk, 8 * AES_BLOCK_SIZE);
++	if (err)
++		return err;
+ 
+ 	/* generate the initial tweak */
+ 	AES_encrypt(walk.iv, walk.iv, &ctx->twkey);
diff --git a/crypto-gcm-fix-error-return-code-in-crypto_gcm_create_common.patch b/crypto-gcm-fix-error-return-code-in-crypto_gcm_create_common.patch
new file mode 100644
index 0000000..4666e4b
--- /dev/null
+++ b/crypto-gcm-fix-error-return-code-in-crypto_gcm_create_common.patch
@@ -0,0 +1,36 @@
+From 9b40f79c08e81234d759f188b233980d7e81df6c Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Mon, 17 Oct 2016 15:10:06 +0000
+Subject: crypto: gcm - Fix error return code in crypto_gcm_create_common()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+commit 9b40f79c08e81234d759f188b233980d7e81df6c upstream.
+
+Fix to return error code -EINVAL from the invalid alg ivsize error
+handling case instead of 0, as done elsewhere in this function.
+
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/gcm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/gcm.c
++++ b/crypto/gcm.c
+@@ -742,11 +742,11 @@ static struct crypto_instance *crypto_gc
+ 	ctr = crypto_skcipher_spawn_alg(&ctx->ctr);
+ 
+ 	/* We only support 16-byte blocks. */
++	err = -EINVAL;
+ 	if (ctr->cra_ablkcipher.ivsize != 16)
+ 		goto out_put_ctr;
+ 
+ 	/* Not a stream cipher? */
+-	err = -EINVAL;
+ 	if (ctr->cra_blocksize != 1)
+ 		goto out_put_ctr;
+ 
diff --git a/crypto-gcm-fix-incompatibility-between-gcm-and-gcm_base.patch b/crypto-gcm-fix-incompatibility-between-gcm-and-gcm_base.patch
new file mode 100644
index 0000000..023c521
--- /dev/null
+++ b/crypto-gcm-fix-incompatibility-between-gcm-and-gcm_base.patch
@@ -0,0 +1,139 @@
+From f699594d436960160f6d5ba84ed4a222f20d11cd Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 18 Apr 2019 14:43:02 -0700
+Subject: crypto: gcm - fix incompatibility between "gcm" and "gcm_base"
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit f699594d436960160f6d5ba84ed4a222f20d11cd upstream.
+
+GCM instances can be created by either the "gcm" template, which only
+allows choosing the block cipher, e.g. "gcm(aes)"; or by "gcm_base",
+which allows choosing the ctr and ghash implementations, e.g.
+"gcm_base(ctr(aes-generic),ghash-generic)".
+
+However, a "gcm_base" instance prevents a "gcm" instance from being
+registered using the same implementations.  Nor will the instance be
+found by lookups of "gcm".  This can be used as a denial of service.
+Moreover, "gcm_base" instances are never tested by the crypto
+self-tests, even if there are compatible "gcm" tests.
+
+The root cause of these problems is that instances of the two templates
+use different cra_names.  Therefore, fix these problems by making
+"gcm_base" instances set the same cra_name as "gcm" instances, e.g.
+"gcm(aes)" instead of "gcm_base(ctr(aes-generic),ghash-generic)".
+
+This requires extracting the block cipher name from the name of the ctr
+algorithm.  It also requires starting to verify that the algorithms are
+really ctr and ghash, not something else entirely.  But it would be
+bizarre if anyone were actually using non-gcm-compatible algorithms with
+gcm_base, so this shouldn't break anyone in practice.
+
+Fixes: d00aa19b507b ("[CRYPTO] gcm: Allow block cipher parameter")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+diff --git a/crypto/gcm.c b/crypto/gcm.c
+index f1c16589af8bb..9d3bffc0238f0 100644
+--- a/crypto/gcm.c
++++ b/crypto/gcm.c
+@@ -616,7 +616,6 @@ static void crypto_gcm_free(struct aead_instance *inst)
+ 
+ static int crypto_gcm_create_common(struct crypto_template *tmpl,
+ 				    struct rtattr **tb,
+-				    const char *full_name,
+ 				    const char *ctr_name,
+ 				    const char *ghash_name)
+ {
+@@ -657,7 +656,8 @@ static int crypto_gcm_create_common(struct crypto_template *tmpl,
+ 		goto err_free_inst;
+ 
+ 	err = -EINVAL;
+-	if (ghash->digestsize != 16)
++	if (strcmp(ghash->base.cra_name, "ghash") != 0 ||
++	    ghash->digestsize != 16)
+ 		goto err_drop_ghash;
+ 
+ 	crypto_set_skcipher_spawn(&ctx->ctr, aead_crypto_instance(inst));
+@@ -669,24 +669,24 @@ static int crypto_gcm_create_common(struct crypto_template *tmpl,
+ 
+ 	ctr = crypto_skcipher_spawn_alg(&ctx->ctr);
+ 
+-	/* We only support 16-byte blocks. */
++	/* The skcipher algorithm must be CTR mode, using 16-byte blocks. */
+ 	err = -EINVAL;
+-	if (ctr->cra_ablkcipher.ivsize != 16)
++	if (strncmp(ctr->cra_name, "ctr(", 4) != 0 ||
++	    ctr->cra_ablkcipher.ivsize != 16 ||
++	    ctr->cra_blocksize != 1)
+ 		goto out_put_ctr;
+ 
+-	/* Not a stream cipher? */
+-	if (ctr->cra_blocksize != 1)
++	err = -ENAMETOOLONG;
++	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
++		     "gcm(%s", ctr->cra_name + 4) >= CRYPTO_MAX_ALG_NAME)
+ 		goto out_put_ctr;
+ 
+-	err = -ENAMETOOLONG;
+ 	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
+ 		     "gcm_base(%s,%s)", ctr->cra_driver_name,
+ 		     ghash_alg->cra_driver_name) >=
+ 	    CRYPTO_MAX_ALG_NAME)
+ 		goto out_put_ctr;
+ 
+-	memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME);
+-
+ 	inst->alg.base.cra_flags = (ghash->base.cra_flags | ctr->cra_flags) &
+ 				   CRYPTO_ALG_ASYNC;
+ 	inst->alg.base.cra_priority = (ghash->base.cra_priority +
+@@ -727,7 +727,6 @@ static int crypto_gcm_create(struct crypto_template *tmpl, struct rtattr **tb)
+ {
+ 	const char *cipher_name;
+ 	char ctr_name[CRYPTO_MAX_ALG_NAME];
+-	char full_name[CRYPTO_MAX_ALG_NAME];
+ 
+ 	cipher_name = crypto_attr_alg_name(tb[1]);
+ 	if (IS_ERR(cipher_name))
+@@ -737,12 +736,7 @@ static int crypto_gcm_create(struct crypto_template *tmpl, struct rtattr **tb)
+ 	    CRYPTO_MAX_ALG_NAME)
+ 		return -ENAMETOOLONG;
+ 
+-	if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm(%s)", cipher_name) >=
+-	    CRYPTO_MAX_ALG_NAME)
+-		return -ENAMETOOLONG;
+-
+-	return crypto_gcm_create_common(tmpl, tb, full_name,
+-					ctr_name, "ghash");
++	return crypto_gcm_create_common(tmpl, tb, ctr_name, "ghash");
+ }
+ 
+ static struct crypto_template crypto_gcm_tmpl = {
+@@ -756,7 +750,6 @@ static int crypto_gcm_base_create(struct crypto_template *tmpl,
+ {
+ 	const char *ctr_name;
+ 	const char *ghash_name;
+-	char full_name[CRYPTO_MAX_ALG_NAME];
+ 
+ 	ctr_name = crypto_attr_alg_name(tb[1]);
+ 	if (IS_ERR(ctr_name))
+@@ -766,12 +759,7 @@ static int crypto_gcm_base_create(struct crypto_template *tmpl,
+ 	if (IS_ERR(ghash_name))
+ 		return PTR_ERR(ghash_name);
+ 
+-	if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm_base(%s,%s)",
+-		     ctr_name, ghash_name) >= CRYPTO_MAX_ALG_NAME)
+-		return -ENAMETOOLONG;
+-
+-	return crypto_gcm_create_common(tmpl, tb, full_name,
+-					ctr_name, ghash_name);
++	return crypto_gcm_create_common(tmpl, tb, ctr_name, ghash_name);
+ }
+ 
+ static struct crypto_template crypto_gcm_base_tmpl = {
+-- 
+2.21.0.1020.gf2820cf01a-goog
+
diff --git a/crypto-salsa20-don-t-access-already-freed-walk.iv.patch b/crypto-salsa20-don-t-access-already-freed-walk.iv.patch
new file mode 100644
index 0000000..2e94806
--- /dev/null
+++ b/crypto-salsa20-don-t-access-already-freed-walk.iv.patch
@@ -0,0 +1,45 @@
+From edaf28e996af69222b2cb40455dbb5459c2b875a Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 9 Apr 2019 23:46:30 -0700
+Subject: crypto: salsa20 - don't access already-freed walk.iv
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit edaf28e996af69222b2cb40455dbb5459c2b875a upstream.
+
+If the user-provided IV needs to be aligned to the algorithm's
+alignmask, then skcipher_walk_virt() copies the IV into a new aligned
+buffer walk.iv.  But skcipher_walk_virt() can fail afterwards, and then
+if the caller unconditionally accesses walk.iv, it's a use-after-free.
+
+salsa20-generic doesn't set an alignmask, so currently it isn't affected
+by this despite unconditionally accessing walk.iv.  However this is more
+subtle than desired, and it was actually broken prior to the alignmask
+being removed by commit b62b3db76f73 ("crypto: salsa20-generic - cleanup
+and convert to skcipher API").
+
+Since salsa20-generic does not update the IV and does not need any IV
+alignment, update it to use req->iv instead of walk.iv.
+
+Fixes: 2407d60872dd ("[CRYPTO] salsa20: Salsa20 stream cipher")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ crypto/salsa20_generic.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/salsa20_generic.c
++++ b/crypto/salsa20_generic.c
+@@ -186,7 +186,7 @@ static int encrypt(struct blkcipher_desc
+ 	blkcipher_walk_init(&walk, dst, src, nbytes);
+ 	err = blkcipher_walk_virt_block(desc, &walk, 64);
+ 
+-	salsa20_ivsetup(ctx, walk.iv);
++	salsa20_ivsetup(ctx, desc->info);
+ 
+ 	while (walk.nbytes >= 64) {
+ 		salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
diff --git a/ext4-actually-request-zeroing-of-inode-table-after-grow.patch b/ext4-actually-request-zeroing-of-inode-table-after-grow.patch
new file mode 100644
index 0000000..73740fc
--- /dev/null
+++ b/ext4-actually-request-zeroing-of-inode-table-after-grow.patch
@@ -0,0 +1,37 @@
+From 310a997fd74de778b9a4848a64be9cda9f18764a Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+Date: Thu, 25 Apr 2019 13:06:18 -0400
+Subject: ext4: actually request zeroing of inode table after grow
+
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+
+commit 310a997fd74de778b9a4848a64be9cda9f18764a upstream.
+
+It is never possible, that number of block groups decreases,
+since only online grow is supported.
+
+But after a growing occured, we have to zero inode tables
+for just created new block groups.
+
+Fixes: 19c5246d2516 ("ext4: add new online resize interface")
+Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ioctl.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -577,7 +577,7 @@ group_add_out:
+ 		if (err == 0)
+ 			err = err2;
+ 		mnt_drop_write_file(filp);
+-		if (!err && (o_group > EXT4_SB(sb)->s_groups_count) &&
++		if (!err && (o_group < EXT4_SB(sb)->s_groups_count) &&
+ 		    ext4_has_group_desc_csum(sb) &&
+ 		    test_opt(sb, INIT_INODE_TABLE))
+ 			err = ext4_register_li_request(sb, o_group);
diff --git a/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch b/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch
new file mode 100644
index 0000000..e81ef9a
--- /dev/null
+++ b/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch
@@ -0,0 +1,82 @@
+From 592acbf16821288ecdc4192c47e3774a4c48bb64 Mon Sep 17 00:00:00 2001
+From: Sriram Rajagopalan <sriramr@arista.com>
+Date: Fri, 10 May 2019 19:28:06 -0400
+Subject: ext4: zero out the unused memory region in the extent tree block
+
+From: Sriram Rajagopalan <sriramr@arista.com>
+
+commit 592acbf16821288ecdc4192c47e3774a4c48bb64 upstream.
+
+This commit zeroes out the unused memory region in the buffer_head
+corresponding to the extent metablock after writing the extent header
+and the corresponding extent node entries.
+
+This is done to prevent random uninitialized data from getting into
+the filesystem when the extent block is synced.
+
+This fixes CVE-2019-11833.
+
+Signed-off-by: Sriram Rajagopalan <sriramr@arista.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/extents.c |   17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -1043,6 +1043,7 @@ static int ext4_ext_split(handle_t *hand
+ 	__le32 border;
+ 	ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */
+ 	int err = 0;
++	size_t ext_size = 0;
+ 
+ 	/* make decision: where to split? */
+ 	/* FIXME: now decision is simplest: at current extent */
+@@ -1134,6 +1135,10 @@ static int ext4_ext_split(handle_t *hand
+ 		le16_add_cpu(&neh->eh_entries, m);
+ 	}
+ 
++	/* zero out unused area in the extent block */
++	ext_size = sizeof(struct ext4_extent_header) +
++		sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries);
++	memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
+ 	ext4_extent_block_csum_set(inode, neh);
+ 	set_buffer_uptodate(bh);
+ 	unlock_buffer(bh);
+@@ -1213,6 +1218,11 @@ static int ext4_ext_split(handle_t *hand
+ 				sizeof(struct ext4_extent_idx) * m);
+ 			le16_add_cpu(&neh->eh_entries, m);
+ 		}
++		/* zero out unused area in the extent block */
++		ext_size = sizeof(struct ext4_extent_header) +
++		   (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries));
++		memset(bh->b_data + ext_size, 0,
++			inode->i_sb->s_blocksize - ext_size);
+ 		ext4_extent_block_csum_set(inode, neh);
+ 		set_buffer_uptodate(bh);
+ 		unlock_buffer(bh);
+@@ -1278,6 +1288,7 @@ static int ext4_ext_grow_indepth(handle_
+ 	ext4_fsblk_t newblock, goal = 0;
+ 	struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es;
+ 	int err = 0;
++	size_t ext_size = 0;
+ 
+ 	/* Try to prepend new index to old one */
+ 	if (ext_depth(inode))
+@@ -1303,9 +1314,11 @@ static int ext4_ext_grow_indepth(handle_
+ 		goto out;
+ 	}
+ 
++	ext_size = sizeof(EXT4_I(inode)->i_data);
+ 	/* move top-level index/leaf into new block */
+-	memmove(bh->b_data, EXT4_I(inode)->i_data,
+-		sizeof(EXT4_I(inode)->i_data));
++	memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size);
++	/* zero out unused area in the extent block */
++	memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
+ 
+ 	/* set size of new block */
+ 	neh = ext_block_hdr(bh);
diff --git a/kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch b/kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch
new file mode 100644
index 0000000..37942a9
--- /dev/null
+++ b/kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch
@@ -0,0 +1,97 @@
+From 11988499e62b310f3bf6f6d0a807a06d3f9ccc96 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Tue, 2 Apr 2019 08:19:15 -0700
+Subject: KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 11988499e62b310f3bf6f6d0a807a06d3f9ccc96 upstream.
+
+KVM allows userspace to violate consistency checks related to the
+guest's CPUID model to some degree.  Generally speaking, userspace has
+carte blanche when it comes to guest state so long as jamming invalid
+state won't negatively affect the host.
+
+Currently this is seems to be a non-issue as most of the interesting
+EFER checks are missing, e.g. NX and LME, but those will be added
+shortly.  Proactively exempt userspace from the CPUID checks so as not
+to break userspace.
+
+Note, the efer_reserved_bits check still applies to userspace writes as
+that mask reflects the host's capabilities, e.g. KVM shouldn't allow a
+guest to run with NX=1 if it has been disabled in the host.
+
+Fixes: d80174745ba39 ("KVM: SVM: Only allow setting of EFER_SVME when CPUID SVM is set")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c |   33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -935,11 +935,8 @@ static const u32 emulated_msrs[] = {
+ 	MSR_IA32_MCG_CTL,
+ };
+ 
+-bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
++static bool __kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
+ {
+-	if (efer & efer_reserved_bits)
+-		return false;
+-
+ 	if (efer & EFER_FFXSR) {
+ 		struct kvm_cpuid_entry2 *feat;
+ 
+@@ -957,19 +954,33 @@ bool kvm_valid_efer(struct kvm_vcpu *vcp
+ 	}
+ 
+ 	return true;
++
++}
++bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
++{
++	if (efer & efer_reserved_bits)
++		return false;
++
++	return __kvm_valid_efer(vcpu, efer);
+ }
+ EXPORT_SYMBOL_GPL(kvm_valid_efer);
+ 
+-static int set_efer(struct kvm_vcpu *vcpu, u64 efer)
++static int set_efer(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ {
+ 	u64 old_efer = vcpu->arch.efer;
++	u64 efer = msr_info->data;
+ 
+-	if (!kvm_valid_efer(vcpu, efer))
+-		return 1;
++	if (efer & efer_reserved_bits)
++		return false;
+ 
+-	if (is_paging(vcpu)
+-	    && (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME))
+-		return 1;
++	if (!msr_info->host_initiated) {
++		if (!__kvm_valid_efer(vcpu, efer))
++			return 1;
++
++		if (is_paging(vcpu) &&
++		    (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME))
++			return 1;
++	}
+ 
+ 	efer &= ~EFER_LMA;
+ 	efer |= vcpu->arch.efer & EFER_LMA;
+@@ -2097,7 +2108,7 @@ int kvm_set_msr_common(struct kvm_vcpu *
+ 		break;
+ 
+ 	case MSR_EFER:
+-		return set_efer(vcpu, data);
++		return set_efer(vcpu, msr_info);
+ 	case MSR_K7_HWCR:
+ 		data &= ~(u64)0x40;	/* ignore flush filter disable */
+ 		data &= ~(u64)0x100;	/* ignore ignne emulation enable */
diff --git a/mfd-da9063-fix-otp-control-register-names-to-match-datasheets-for-da9063-63l.patch b/mfd-da9063-fix-otp-control-register-names-to-match-datasheets-for-da9063-63l.patch
new file mode 100644
index 0000000..e35cb17
--- /dev/null
+++ b/mfd-da9063-fix-otp-control-register-names-to-match-datasheets-for-da9063-63l.patch
@@ -0,0 +1,39 @@
+From 6b4814a9451add06d457e198be418bf6a3e6a990 Mon Sep 17 00:00:00 2001
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Fri, 26 Apr 2019 14:33:35 +0100
+Subject: mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L
+
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+
+commit 6b4814a9451add06d457e198be418bf6a3e6a990 upstream.
+
+Mismatch between what is found in the Datasheets for DA9063 and DA9063L
+provided by Dialog Semiconductor, and the register names provided in the
+MFD registers file. The changes are for the OTP (one-time-programming)
+control registers. The two naming errors are OPT instead of OTP, and
+COUNT instead of CONT (i.e. control).
+
+Cc: Stable <stable@vger.kernel.org>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/mfd/da9063/registers.h |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/include/linux/mfd/da9063/registers.h
++++ b/include/linux/mfd/da9063/registers.h
+@@ -215,9 +215,9 @@
+ 
+ /* DA9063 Configuration registers */
+ /* OTP */
+-#define	DA9063_REG_OPT_COUNT		0x101
+-#define	DA9063_REG_OPT_ADDR		0x102
+-#define	DA9063_REG_OPT_DATA		0x103
++#define	DA9063_REG_OTP_CONT		0x101
++#define	DA9063_REG_OTP_ADDR		0x102
++#define	DA9063_REG_OTP_DATA		0x103
+ 
+ /* Customer Trim and Configuration */
+ #define	DA9063_REG_T_OFFSET		0x104
diff --git a/series b/series
index 6f8d933..1df1eb0 100644
--- a/series
+++ b/series
@@ -4,3 +4,15 @@ alsa-usb-audio-fix-a-memory-leak-bug.patch
 alsa-hda-hdmi-consider-eld_valid-when-reporting-jack-event.patch
 alsa-hda-realtek-eapd-turn-on-later.patch
 asoc-max98090-fix-restore-of-dapm-muxes.patch
+mfd-da9063-fix-otp-control-register-names-to-match-datasheets-for-da9063-63l.patch
+tty-vt-fix-write-write-race-in-ioctl-kdskbsent-handler.patch
+ext4-actually-request-zeroing-of-inode-table-after-grow.patch
+bcache-fix-a-race-between-cache-register-and-cacheset-unregister.patch
+bcache-never-set-key_ptrs-of-journal-key-to-0-in-journal_reclaim.patch
+crypto-salsa20-don-t-access-already-freed-walk.iv.patch
+crypto-arm-aes-neonbs-don-t-access-already-freed-walk.iv.patch
+ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch
+alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch
+kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch
+crypto-gcm-fix-error-return-code-in-crypto_gcm_create_common.patch
+crypto-gcm-fix-incompatibility-between-gcm-and-gcm_base.patch
diff --git a/tty-vt-fix-write-write-race-in-ioctl-kdskbsent-handler.patch b/tty-vt-fix-write-write-race-in-ioctl-kdskbsent-handler.patch
new file mode 100644
index 0000000..69382db
--- /dev/null
+++ b/tty-vt-fix-write-write-race-in-ioctl-kdskbsent-handler.patch
@@ -0,0 +1,183 @@
+From 46ca3f735f345c9d87383dd3a09fa5d43870770e Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <slyfox@gentoo.org>
+Date: Sun, 10 Mar 2019 21:24:15 +0000
+Subject: tty/vt: fix write/write race in ioctl(KDSKBSENT) handler
+
+From: Sergei Trofimovich <slyfox@gentoo.org>
+
+commit 46ca3f735f345c9d87383dd3a09fa5d43870770e upstream.
+
+The bug manifests as an attempt to access deallocated memory:
+
+    BUG: unable to handle kernel paging request at ffff9c8735448000
+    #PF error: [PROT] [WRITE]
+    PGD 288a05067 P4D 288a05067 PUD 288a07067 PMD 7f60c2063 PTE 80000007f5448161
+    Oops: 0003 [#1] PREEMPT SMP
+    CPU: 6 PID: 388 Comm: loadkeys Tainted: G         C        5.0.0-rc6-00153-g5ded5871030e #91
+    Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M-D3H, BIOS F12 11/14/2013
+    RIP: 0010:__memmove+0x81/0x1a0
+    Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 <f3> 48 a5 4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49
+    RSP: 0018:ffffa1b9002d7d08 EFLAGS: 00010203
+    RAX: ffff9c873541af43 RBX: ffff9c873541af43 RCX: 00000c6f105cd6bf
+    RDX: 0000637882e986b6 RSI: ffff9c8735447ffb RDI: ffff9c8735447ffb
+    RBP: ffff9c8739cd3800 R08: ffff9c873b802f00 R09: 00000000fffff73b
+    R10: ffffffffb82b35f1 R11: 00505b1b004d5b1b R12: 0000000000000000
+    R13: ffff9c873541af3d R14: 000000000000000b R15: 000000000000000c
+    FS:  00007f450c390580(0000) GS:ffff9c873f180000(0000) knlGS:0000000000000000
+    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+    CR2: ffff9c8735448000 CR3: 00000007e213c002 CR4: 00000000000606e0
+    Call Trace:
+     vt_do_kdgkb_ioctl+0x34d/0x440
+     vt_ioctl+0xba3/0x1190
+     ? __bpf_prog_run32+0x39/0x60
+     ? mem_cgroup_commit_charge+0x7b/0x4e0
+     tty_ioctl+0x23f/0x920
+     ? preempt_count_sub+0x98/0xe0
+     ? __seccomp_filter+0x67/0x600
+     do_vfs_ioctl+0xa2/0x6a0
+     ? syscall_trace_enter+0x192/0x2d0
+     ksys_ioctl+0x3a/0x70
+     __x64_sys_ioctl+0x16/0x20
+     do_syscall_64+0x54/0xe0
+     entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The bug manifests on systemd systems with multiple vtcon devices:
+  # cat /sys/devices/virtual/vtconsole/vtcon0/name
+  (S) dummy device
+  # cat /sys/devices/virtual/vtconsole/vtcon1/name
+  (M) frame buffer device
+
+There systemd runs 'loadkeys' tool in tapallel for each vtcon
+instance. This causes two parallel ioctl(KDSKBSENT) calls to
+race into adding the same entry into 'func_table' array at:
+
+    drivers/tty/vt/keyboard.c:vt_do_kdgkb_ioctl()
+
+The function has no locking around writes to 'func_table'.
+
+The simplest reproducer is to have initrams with the following
+init on a 8-CPU machine x86_64:
+
+    #!/bin/sh
+
+    loadkeys -q windowkeys ru4 &
+    loadkeys -q windowkeys ru4 &
+    loadkeys -q windowkeys ru4 &
+    loadkeys -q windowkeys ru4 &
+
+    loadkeys -q windowkeys ru4 &
+    loadkeys -q windowkeys ru4 &
+    loadkeys -q windowkeys ru4 &
+    loadkeys -q windowkeys ru4 &
+    wait
+
+The change adds lock on write path only. Reads are still racy.
+
+CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+CC: Jiri Slaby <jslaby@suse.com>
+Link: https://lkml.org/lkml/2019/2/17/256
+Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/keyboard.c |   33 +++++++++++++++++++++++++++------
+ 1 file changed, 27 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/vt/keyboard.c
++++ b/drivers/tty/vt/keyboard.c
+@@ -120,6 +120,7 @@ static const int NR_TYPES = ARRAY_SIZE(m
+ static struct input_handler kbd_handler;
+ static DEFINE_SPINLOCK(kbd_event_lock);
+ static DEFINE_SPINLOCK(led_lock);
++static DEFINE_SPINLOCK(func_buf_lock); /* guard 'func_buf'  and friends */
+ static unsigned long key_down[BITS_TO_LONGS(KEY_CNT)];	/* keyboard key bitmap */
+ static unsigned char shift_down[NR_SHIFT];		/* shift state counters.. */
+ static bool dead_key_next;
+@@ -1865,11 +1866,12 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb
+ 	char *p;
+ 	u_char *q;
+ 	u_char __user *up;
+-	int sz;
++	int sz, fnw_sz;
+ 	int delta;
+ 	char *first_free, *fj, *fnw;
+ 	int i, j, k;
+ 	int ret;
++	unsigned long flags;
+ 
+ 	if (!capable(CAP_SYS_TTY_CONFIG))
+ 		perm = 0;
+@@ -1912,7 +1914,14 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb
+ 			goto reterr;
+ 		}
+ 
++		fnw = NULL;
++		fnw_sz = 0;
++		/* race aginst other writers */
++		again:
++		spin_lock_irqsave(&func_buf_lock, flags);
+ 		q = func_table[i];
++
++		/* fj pointer to next entry after 'q' */
+ 		first_free = funcbufptr + (funcbufsize - funcbufleft);
+ 		for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
+ 			;
+@@ -1920,10 +1929,12 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb
+ 			fj = func_table[j];
+ 		else
+ 			fj = first_free;
+-
++		/* buffer usage increase by new entry */
+ 		delta = (q ? -strlen(q) : 1) + strlen(kbs->kb_string);
++
+ 		if (delta <= funcbufleft) { 	/* it fits in current buf */
+ 		    if (j < MAX_NR_FUNC) {
++			/* make enough space for new entry at 'fj' */
+ 			memmove(fj + delta, fj, first_free - fj);
+ 			for (k = j; k < MAX_NR_FUNC; k++)
+ 			    if (func_table[k])
+@@ -1936,20 +1947,28 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb
+ 		    sz = 256;
+ 		    while (sz < funcbufsize - funcbufleft + delta)
+ 		      sz <<= 1;
+-		    fnw = kmalloc(sz, GFP_KERNEL);
+-		    if(!fnw) {
+-		      ret = -ENOMEM;
+-		      goto reterr;
++		    if (fnw_sz != sz) {
++		      spin_unlock_irqrestore(&func_buf_lock, flags);
++		      kfree(fnw);
++		      fnw = kmalloc(sz, GFP_KERNEL);
++		      fnw_sz = sz;
++		      if (!fnw) {
++			ret = -ENOMEM;
++			goto reterr;
++		      }
++		      goto again;
+ 		    }
+ 
+ 		    if (!q)
+ 		      func_table[i] = fj;
++		    /* copy data before insertion point to new location */
+ 		    if (fj > funcbufptr)
+ 			memmove(fnw, funcbufptr, fj - funcbufptr);
+ 		    for (k = 0; k < j; k++)
+ 		      if (func_table[k])
+ 			func_table[k] = fnw + (func_table[k] - funcbufptr);
+ 
++		    /* copy data after insertion point to new location */
+ 		    if (first_free > fj) {
+ 			memmove(fnw + (fj - funcbufptr) + delta, fj, first_free - fj);
+ 			for (k = j; k < MAX_NR_FUNC; k++)
+@@ -1962,7 +1981,9 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb
+ 		    funcbufleft = funcbufleft - delta + sz - funcbufsize;
+ 		    funcbufsize = sz;
+ 		}
++		/* finally insert item itself */
+ 		strcpy(func_table[i], kbs->kb_string);
++		spin_unlock_irqrestore(&func_buf_lock, flags);
+ 		break;
+ 	}
+ 	ret = 0;