--- /dev/null
+From f52bb98f5aded4c43e52f5ce19fb83f7261e9e73 Mon Sep 17 00:00:00 2001
+From: James Morse <james.morse@arm.com>
+Date: Thu, 30 Aug 2018 16:05:32 +0100
+Subject: arm64: mm: always enable CONFIG_HOLES_IN_ZONE
+
+From: James Morse <james.morse@arm.com>
+
+commit f52bb98f5aded4c43e52f5ce19fb83f7261e9e73 upstream.
+
+Commit 6d526ee26ccd ("arm64: mm: enable CONFIG_HOLES_IN_ZONE for NUMA")
+only enabled HOLES_IN_ZONE for NUMA systems because the NUMA code was
+choking on the missing zone for nomap pages. This problem doesn't just
+apply to NUMA systems.
+
+If the architecture doesn't set HAVE_ARCH_PFN_VALID, pfn_valid() will
+return true if the pfn is part of a valid sparsemem section.
+
+When working with multiple pages, the mm code uses pfn_valid_within()
+to test each page it uses within the sparsemem section is valid. On
+most systems memory comes in MAX_ORDER_NR_PAGES chunks which all
+have valid/initialised struct pages. In this case pfn_valid_within()
+is optimised out.
+
+Systems where this isn't true (e.g. due to nomap) should set
+HOLES_IN_ZONE and provide HAVE_ARCH_PFN_VALID so that mm tests each
+page as it works with it.
+
+Currently non-NUMA arm64 systems can't enable HOLES_IN_ZONE, leading to
+a VM_BUG_ON():
+
+| page:fffffdff802e1780 is uninitialized and poisoned
+| raw: ffffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffff
+| raw: ffffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffff
+| page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
+| ------------[ cut here ]------------
+| kernel BUG at include/linux/mm.h:978!
+| Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+[...]
+| CPU: 1 PID: 25236 Comm: dd Not tainted 4.18.0 #7
+| Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
+| pstate: 40000085 (nZcv daIf -PAN -UAO)
+| pc : move_freepages_block+0x144/0x248
+| lr : move_freepages_block+0x144/0x248
+| sp : fffffe0071177680
+[...]
+| Process dd (pid: 25236, stack limit = 0x0000000094cc07fb)
+| Call trace:
+| move_freepages_block+0x144/0x248
+| steal_suitable_fallback+0x100/0x16c
+| get_page_from_freelist+0x440/0xb20
+| __alloc_pages_nodemask+0xe8/0x838
+| new_slab+0xd4/0x418
+| ___slab_alloc.constprop.27+0x380/0x4a8
+| __slab_alloc.isra.21.constprop.26+0x24/0x34
+| kmem_cache_alloc+0xa8/0x180
+| alloc_buffer_head+0x1c/0x90
+| alloc_page_buffers+0x68/0xb0
+| create_empty_buffers+0x20/0x1ec
+| create_page_buffers+0xb0/0xf0
+| __block_write_begin_int+0xc4/0x564
+| __block_write_begin+0x10/0x18
+| block_write_begin+0x48/0xd0
+| blkdev_write_begin+0x28/0x30
+| generic_perform_write+0x98/0x16c
+| __generic_file_write_iter+0x138/0x168
+| blkdev_write_iter+0x80/0xf0
+| __vfs_write+0xe4/0x10c
+| vfs_write+0xb4/0x168
+| ksys_write+0x44/0x88
+| sys_write+0xc/0x14
+| el0_svc_naked+0x30/0x34
+| Code: aa1303e0 90001a01 91296421 94008902 (d4210000)
+| ---[ end trace 1601ba47f6e883fe ]---
+
+Remove the NUMA dependency.
+
+Link: https://www.spinics.net/lists/arm-kernel/msg671851.html
+Cc: <stable@vger.kernel.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Reviewed-by: Pavel Tatashin <pavel.tatashin@microsoft.com>
+Tested-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: James Morse <james.morse@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -754,7 +754,6 @@ config NEED_PER_CPU_EMBED_FIRST_CHUNK
+
+ config HOLES_IN_ZONE
+ def_bool y
+- depends on NUMA
+
+ source kernel/Kconfig.preempt
+ source kernel/Kconfig.hz
--- /dev/null
+From 3943b040f11ed0cc6d4585fd286a623ca8634547 Mon Sep 17 00:00:00 2001
+From: Shan Hai <shan.hai@oracle.com>
+Date: Thu, 23 Aug 2018 02:02:56 +0800
+Subject: bcache: release dc->writeback_lock properly in bch_writeback_thread()
+
+From: Shan Hai <shan.hai@oracle.com>
+
+commit 3943b040f11ed0cc6d4585fd286a623ca8634547 upstream.
+
+The writeback thread would exit with a lock held when the cache device
+is detached via sysfs interface, fix it by releasing the held lock
+before exiting the while-loop.
+
+Fixes: fadd94e05c02 (bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set)
+Signed-off-by: Shan Hai <shan.hai@oracle.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Tested-by: Shenghui Wang <shhuiw@foxmail.com>
+Cc: stable@vger.kernel.org #4.17+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/writeback.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/writeback.c
++++ b/drivers/md/bcache/writeback.c
+@@ -645,8 +645,10 @@ static int bch_writeback_thread(void *ar
+ * data on cache. BCACHE_DEV_DETACHING flag is set in
+ * bch_cached_dev_detach().
+ */
+- if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags))
++ if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)) {
++ up_write(&dc->writeback_lock);
+ break;
++ }
+ }
+
+ up_write(&dc->writeback_lock);
--- /dev/null
+From 355139a8dba446cc11a424cddbf7afebc3041ba1 Mon Sep 17 00:00:00 2001
+From: "Eddie.Horng" <eddie.horng@mediatek.com>
+Date: Fri, 20 Jul 2018 15:30:00 +0800
+Subject: cap_inode_getsecurity: use d_find_any_alias() instead of d_find_alias()
+
+From: Eddie.Horng <eddie.horng@mediatek.com>
+
+commit 355139a8dba446cc11a424cddbf7afebc3041ba1 upstream.
+
+The code in cap_inode_getsecurity(), introduced by commit 8db6c34f1dbc
+("Introduce v3 namespaced file capabilities"), should use
+d_find_any_alias() instead of d_find_alias() do handle unhashed dentry
+correctly. This is needed, for example, if execveat() is called with an
+open but unlinked overlayfs file, because overlayfs unhashes dentry on
+unlink.
+This is a regression of real life application, first reported at
+https://www.spinics.net/lists/linux-unionfs/msg05363.html
+
+Below reproducer and setup can reproduce the case.
+ const char* exec="echo";
+ const char *newargv[] = { "echo", "hello", NULL};
+ const char *newenviron[] = { NULL };
+ int fd, err;
+
+ fd = open(exec, O_PATH);
+ unlink(exec);
+ err = syscall(322/*SYS_execveat*/, fd, "", newargv, newenviron,
+AT_EMPTY_PATH);
+ if(err<0)
+ fprintf(stderr, "execveat: %s\n", strerror(errno));
+
+gcc compile into ~/test/a.out
+mount -t overlay -orw,lowerdir=/mnt/l,upperdir=/mnt/u,workdir=/mnt/w
+none /mnt/m
+cd /mnt/m
+cp /bin/echo .
+~/test/a.out
+
+Expected result:
+hello
+Actually result:
+execveat: Invalid argument
+dmesg:
+Invalid argument reading file caps for /dev/fd/3
+
+The 2nd reproducer and setup emulates similar case but for
+regular filesystem:
+ const char* exec="echo";
+ int fd, err;
+ char buf[256];
+
+ fd = open(exec, O_RDONLY);
+ unlink(exec);
+ err = fgetxattr(fd, "security.capability", buf, 256);
+ if(err<0)
+ fprintf(stderr, "fgetxattr: %s\n", strerror(errno));
+
+gcc compile into ~/test_fgetxattr
+
+cd /tmp
+cp /bin/echo .
+~/test_fgetxattr
+
+Result:
+fgetxattr: Invalid argument
+
+On regular filesystem, for example, ext4 read xattr from
+disk and return to execveat(), will not trigger this issue, however,
+the overlay attr handler pass real dentry to vfs_getxattr() will.
+This reproducer calls fgetxattr() with an unlinked fd, involkes
+vfs_getxattr() then reproduced the case that d_find_alias() in
+cap_inode_getsecurity() can't find the unlinked dentry.
+
+Suggested-by: Amir Goldstein <amir73il@gmail.com>
+Acked-by: Amir Goldstein <amir73il@gmail.com>
+Acked-by: Serge E. Hallyn <serge@hallyn.com>
+Fixes: 8db6c34f1dbc ("Introduce v3 namespaced file capabilities")
+Cc: <stable@vger.kernel.org> # v4.14
+Signed-off-by: Eddie Horng <eddie.horng@mediatek.com>
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/commoncap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/commoncap.c
++++ b/security/commoncap.c
+@@ -388,7 +388,7 @@ int cap_inode_getsecurity(struct inode *
+ if (strcmp(name, "capability") != 0)
+ return -EOPNOTSUPP;
+
+- dentry = d_find_alias(inode);
++ dentry = d_find_any_alias(inode);
+ if (!dentry)
+ return -EINVAL;
+
--- /dev/null
+From 757ab15c3f4968b5a29caf3fe8b67660ce84c3cd Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Tue, 21 Aug 2018 10:44:10 +0200
+Subject: cpuidle: menu: Retain tick when shallow state is selected
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 757ab15c3f4968b5a29caf3fe8b67660ce84c3cd upstream.
+
+The case addressed by commit 5ef499cd571c (cpuidle: menu: Handle
+stopped tick more aggressively) in the stopped tick case is present
+when the tick has not been stopped yet too. Namely, if only two CPU
+idle states, shallow state A with target residency significantly
+below the tick boundary and deep state B with target residency
+significantly above it, are available and the predicted idle
+duration is above the tick boundary, but below the target residency
+of state B, state A will be selected and the CPU may spend indefinite
+amount of time in it, which is not quite energy-efficient.
+
+However, if the tick has not been stopped yet and the governor is
+about to select a shallow idle state for the CPU even though the idle
+duration predicted by it is above the tick boundary, it should be
+fine to wake up the CPU early, so the tick can be retained then and
+the governor will have a chance to select a deeper state when it runs
+next time.
+
+[Note that when this really happens, it will make the idle duration
+ predictor believe that the CPU might be idle longer than predicted,
+ which will make it more likely to predict longer idle durations going
+ forward, but that will also cause deeper idle states to be selected
+ going forward, on average, which is what's needed here.]
+
+Fixes: 87c9fe6ee495 (cpuidle: menu: Avoid selecting shallow states with stopped tick)
+Reported-by: Leo Yan <leo.yan@linaro.org>
+Cc: 4.17+ <stable@vger.kernel.org> # 4.17+: 5ef499cd571c (cpuidle: menu: Handle ...)
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpuidle/governors/menu.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/cpuidle/governors/menu.c
++++ b/drivers/cpuidle/governors/menu.c
+@@ -380,9 +380,20 @@ static int menu_select(struct cpuidle_dr
+ if (idx == -1)
+ idx = i; /* first enabled state */
+ if (s->target_residency > data->predicted_us) {
+- if (!tick_nohz_tick_stopped())
++ if (data->predicted_us < TICK_USEC)
+ break;
+
++ if (!tick_nohz_tick_stopped()) {
++ /*
++ * If the state selected so far is shallow,
++ * waking up early won't hurt, so retain the
++ * tick in that case and let the governor run
++ * again in the next iteration of the loop.
++ */
++ expected_interval = drv->states[idx].target_residency;
++ break;
++ }
++
+ /*
+ * If the state selected so far is shallow and this
+ * state's target residency matches the time till the
--- /dev/null
+From e5b954e8d11fdde55eed35017370a3a0d8837754 Mon Sep 17 00:00:00 2001
+From: Dave Watson <davejwatson@fb.com>
+Date: Wed, 15 Aug 2018 10:29:42 -0700
+Subject: crypto: aesni - Use unaligned loads from gcm_context_data
+
+From: Dave Watson <davejwatson@fb.com>
+
+commit e5b954e8d11fdde55eed35017370a3a0d8837754 upstream.
+
+A regression was reported bisecting to 1476db2d12
+"Move HashKey computation from stack to gcm_context". That diff
+moved HashKey computation from the stack, which was explicitly aligned
+in the asm, to a struct provided from the C code, depending on
+AESNI_ALIGN_ATTR for alignment. It appears some compilers may not
+align this struct correctly, resulting in a crash on the movdqa
+instruction when attempting to encrypt or decrypt data.
+
+Fix by using unaligned loads for the HashKeys. On modern
+hardware there is no perf difference between the unaligned and
+aligned loads. All other accesses to gcm_context_data already use
+unaligned loads.
+
+Reported-by: Mauro Rossi <issor.oruam@gmail.com>
+Fixes: 1476db2d12 ("Move HashKey computation from stack to gcm_context")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Dave Watson <davejwatson@fb.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/crypto/aesni-intel_asm.S | 66 +++++++++++++++++++-------------------
+ 1 file changed, 33 insertions(+), 33 deletions(-)
+
+--- a/arch/x86/crypto/aesni-intel_asm.S
++++ b/arch/x86/crypto/aesni-intel_asm.S
+@@ -223,34 +223,34 @@ ALL_F: .octa 0xffffffffffffffffffff
+ pcmpeqd TWOONE(%rip), \TMP2
+ pand POLY(%rip), \TMP2
+ pxor \TMP2, \TMP3
+- movdqa \TMP3, HashKey(%arg2)
++ movdqu \TMP3, HashKey(%arg2)
+
+ movdqa \TMP3, \TMP5
+ pshufd $78, \TMP3, \TMP1
+ pxor \TMP3, \TMP1
+- movdqa \TMP1, HashKey_k(%arg2)
++ movdqu \TMP1, HashKey_k(%arg2)
+
+ GHASH_MUL \TMP5, \TMP3, \TMP1, \TMP2, \TMP4, \TMP6, \TMP7
+ # TMP5 = HashKey^2<<1 (mod poly)
+- movdqa \TMP5, HashKey_2(%arg2)
++ movdqu \TMP5, HashKey_2(%arg2)
+ # HashKey_2 = HashKey^2<<1 (mod poly)
+ pshufd $78, \TMP5, \TMP1
+ pxor \TMP5, \TMP1
+- movdqa \TMP1, HashKey_2_k(%arg2)
++ movdqu \TMP1, HashKey_2_k(%arg2)
+
+ GHASH_MUL \TMP5, \TMP3, \TMP1, \TMP2, \TMP4, \TMP6, \TMP7
+ # TMP5 = HashKey^3<<1 (mod poly)
+- movdqa \TMP5, HashKey_3(%arg2)
++ movdqu \TMP5, HashKey_3(%arg2)
+ pshufd $78, \TMP5, \TMP1
+ pxor \TMP5, \TMP1
+- movdqa \TMP1, HashKey_3_k(%arg2)
++ movdqu \TMP1, HashKey_3_k(%arg2)
+
+ GHASH_MUL \TMP5, \TMP3, \TMP1, \TMP2, \TMP4, \TMP6, \TMP7
+ # TMP5 = HashKey^3<<1 (mod poly)
+- movdqa \TMP5, HashKey_4(%arg2)
++ movdqu \TMP5, HashKey_4(%arg2)
+ pshufd $78, \TMP5, \TMP1
+ pxor \TMP5, \TMP1
+- movdqa \TMP1, HashKey_4_k(%arg2)
++ movdqu \TMP1, HashKey_4_k(%arg2)
+ .endm
+
+ # GCM_INIT initializes a gcm_context struct to prepare for encoding/decoding.
+@@ -271,7 +271,7 @@ ALL_F: .octa 0xffffffffffffffffffff
+ movdqu %xmm0, CurCount(%arg2) # ctx_data.current_counter = iv
+
+ PRECOMPUTE \SUBKEY, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
+- movdqa HashKey(%arg2), %xmm13
++ movdqu HashKey(%arg2), %xmm13
+
+ CALC_AAD_HASH %xmm13, \AAD, \AADLEN, %xmm0, %xmm1, %xmm2, %xmm3, \
+ %xmm4, %xmm5, %xmm6
+@@ -997,7 +997,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
+ pshufd $78, \XMM5, \TMP6
+ pxor \XMM5, \TMP6
+ paddd ONE(%rip), \XMM0 # INCR CNT
+- movdqa HashKey_4(%arg2), \TMP5
++ movdqu HashKey_4(%arg2), \TMP5
+ PCLMULQDQ 0x11, \TMP5, \TMP4 # TMP4 = a1*b1
+ movdqa \XMM0, \XMM1
+ paddd ONE(%rip), \XMM0 # INCR CNT
+@@ -1016,7 +1016,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
+ pxor (%arg1), \XMM2
+ pxor (%arg1), \XMM3
+ pxor (%arg1), \XMM4
+- movdqa HashKey_4_k(%arg2), \TMP5
++ movdqu HashKey_4_k(%arg2), \TMP5
+ PCLMULQDQ 0x00, \TMP5, \TMP6 # TMP6 = (a1+a0)*(b1+b0)
+ movaps 0x10(%arg1), \TMP1
+ AESENC \TMP1, \XMM1 # Round 1
+@@ -1031,7 +1031,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
+ movdqa \XMM6, \TMP1
+ pshufd $78, \XMM6, \TMP2
+ pxor \XMM6, \TMP2
+- movdqa HashKey_3(%arg2), \TMP5
++ movdqu HashKey_3(%arg2), \TMP5
+ PCLMULQDQ 0x11, \TMP5, \TMP1 # TMP1 = a1 * b1
+ movaps 0x30(%arg1), \TMP3
+ AESENC \TMP3, \XMM1 # Round 3
+@@ -1044,7 +1044,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
+ AESENC \TMP3, \XMM2
+ AESENC \TMP3, \XMM3
+ AESENC \TMP3, \XMM4
+- movdqa HashKey_3_k(%arg2), \TMP5
++ movdqu HashKey_3_k(%arg2), \TMP5
+ PCLMULQDQ 0x00, \TMP5, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
+ movaps 0x50(%arg1), \TMP3
+ AESENC \TMP3, \XMM1 # Round 5
+@@ -1058,7 +1058,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
+ movdqa \XMM7, \TMP1
+ pshufd $78, \XMM7, \TMP2
+ pxor \XMM7, \TMP2
+- movdqa HashKey_2(%arg2), \TMP5
++ movdqu HashKey_2(%arg2), \TMP5
+
+ # Multiply TMP5 * HashKey using karatsuba
+
+@@ -1074,7 +1074,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
+ AESENC \TMP3, \XMM2
+ AESENC \TMP3, \XMM3
+ AESENC \TMP3, \XMM4
+- movdqa HashKey_2_k(%arg2), \TMP5
++ movdqu HashKey_2_k(%arg2), \TMP5
+ PCLMULQDQ 0x00, \TMP5, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
+ movaps 0x80(%arg1), \TMP3
+ AESENC \TMP3, \XMM1 # Round 8
+@@ -1092,7 +1092,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
+ movdqa \XMM8, \TMP1
+ pshufd $78, \XMM8, \TMP2
+ pxor \XMM8, \TMP2
+- movdqa HashKey(%arg2), \TMP5
++ movdqu HashKey(%arg2), \TMP5
+ PCLMULQDQ 0x11, \TMP5, \TMP1 # TMP1 = a1*b1
+ movaps 0x90(%arg1), \TMP3
+ AESENC \TMP3, \XMM1 # Round 9
+@@ -1121,7 +1121,7 @@ aes_loop_par_enc_done\@:
+ AESENCLAST \TMP3, \XMM2
+ AESENCLAST \TMP3, \XMM3
+ AESENCLAST \TMP3, \XMM4
+- movdqa HashKey_k(%arg2), \TMP5
++ movdqu HashKey_k(%arg2), \TMP5
+ PCLMULQDQ 0x00, \TMP5, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
+ movdqu (%arg4,%r11,1), \TMP3
+ pxor \TMP3, \XMM1 # Ciphertext/Plaintext XOR EK
+@@ -1205,7 +1205,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
+ pshufd $78, \XMM5, \TMP6
+ pxor \XMM5, \TMP6
+ paddd ONE(%rip), \XMM0 # INCR CNT
+- movdqa HashKey_4(%arg2), \TMP5
++ movdqu HashKey_4(%arg2), \TMP5
+ PCLMULQDQ 0x11, \TMP5, \TMP4 # TMP4 = a1*b1
+ movdqa \XMM0, \XMM1
+ paddd ONE(%rip), \XMM0 # INCR CNT
+@@ -1224,7 +1224,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
+ pxor (%arg1), \XMM2
+ pxor (%arg1), \XMM3
+ pxor (%arg1), \XMM4
+- movdqa HashKey_4_k(%arg2), \TMP5
++ movdqu HashKey_4_k(%arg2), \TMP5
+ PCLMULQDQ 0x00, \TMP5, \TMP6 # TMP6 = (a1+a0)*(b1+b0)
+ movaps 0x10(%arg1), \TMP1
+ AESENC \TMP1, \XMM1 # Round 1
+@@ -1239,7 +1239,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
+ movdqa \XMM6, \TMP1
+ pshufd $78, \XMM6, \TMP2
+ pxor \XMM6, \TMP2
+- movdqa HashKey_3(%arg2), \TMP5
++ movdqu HashKey_3(%arg2), \TMP5
+ PCLMULQDQ 0x11, \TMP5, \TMP1 # TMP1 = a1 * b1
+ movaps 0x30(%arg1), \TMP3
+ AESENC \TMP3, \XMM1 # Round 3
+@@ -1252,7 +1252,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
+ AESENC \TMP3, \XMM2
+ AESENC \TMP3, \XMM3
+ AESENC \TMP3, \XMM4
+- movdqa HashKey_3_k(%arg2), \TMP5
++ movdqu HashKey_3_k(%arg2), \TMP5
+ PCLMULQDQ 0x00, \TMP5, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
+ movaps 0x50(%arg1), \TMP3
+ AESENC \TMP3, \XMM1 # Round 5
+@@ -1266,7 +1266,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
+ movdqa \XMM7, \TMP1
+ pshufd $78, \XMM7, \TMP2
+ pxor \XMM7, \TMP2
+- movdqa HashKey_2(%arg2), \TMP5
++ movdqu HashKey_2(%arg2), \TMP5
+
+ # Multiply TMP5 * HashKey using karatsuba
+
+@@ -1282,7 +1282,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
+ AESENC \TMP3, \XMM2
+ AESENC \TMP3, \XMM3
+ AESENC \TMP3, \XMM4
+- movdqa HashKey_2_k(%arg2), \TMP5
++ movdqu HashKey_2_k(%arg2), \TMP5
+ PCLMULQDQ 0x00, \TMP5, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
+ movaps 0x80(%arg1), \TMP3
+ AESENC \TMP3, \XMM1 # Round 8
+@@ -1300,7 +1300,7 @@ TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6
+ movdqa \XMM8, \TMP1
+ pshufd $78, \XMM8, \TMP2
+ pxor \XMM8, \TMP2
+- movdqa HashKey(%arg2), \TMP5
++ movdqu HashKey(%arg2), \TMP5
+ PCLMULQDQ 0x11, \TMP5, \TMP1 # TMP1 = a1*b1
+ movaps 0x90(%arg1), \TMP3
+ AESENC \TMP3, \XMM1 # Round 9
+@@ -1329,7 +1329,7 @@ aes_loop_par_dec_done\@:
+ AESENCLAST \TMP3, \XMM2
+ AESENCLAST \TMP3, \XMM3
+ AESENCLAST \TMP3, \XMM4
+- movdqa HashKey_k(%arg2), \TMP5
++ movdqu HashKey_k(%arg2), \TMP5
+ PCLMULQDQ 0x00, \TMP5, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
+ movdqu (%arg4,%r11,1), \TMP3
+ pxor \TMP3, \XMM1 # Ciphertext/Plaintext XOR EK
+@@ -1405,10 +1405,10 @@ TMP7 XMM1 XMM2 XMM3 XMM4 XMMDst
+ movdqa \XMM1, \TMP6
+ pshufd $78, \XMM1, \TMP2
+ pxor \XMM1, \TMP2
+- movdqa HashKey_4(%arg2), \TMP5
++ movdqu HashKey_4(%arg2), \TMP5
+ PCLMULQDQ 0x11, \TMP5, \TMP6 # TMP6 = a1*b1
+ PCLMULQDQ 0x00, \TMP5, \XMM1 # XMM1 = a0*b0
+- movdqa HashKey_4_k(%arg2), \TMP4
++ movdqu HashKey_4_k(%arg2), \TMP4
+ PCLMULQDQ 0x00, \TMP4, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
+ movdqa \XMM1, \XMMDst
+ movdqa \TMP2, \XMM1 # result in TMP6, XMMDst, XMM1
+@@ -1418,10 +1418,10 @@ TMP7 XMM1 XMM2 XMM3 XMM4 XMMDst
+ movdqa \XMM2, \TMP1
+ pshufd $78, \XMM2, \TMP2
+ pxor \XMM2, \TMP2
+- movdqa HashKey_3(%arg2), \TMP5
++ movdqu HashKey_3(%arg2), \TMP5
+ PCLMULQDQ 0x11, \TMP5, \TMP1 # TMP1 = a1*b1
+ PCLMULQDQ 0x00, \TMP5, \XMM2 # XMM2 = a0*b0
+- movdqa HashKey_3_k(%arg2), \TMP4
++ movdqu HashKey_3_k(%arg2), \TMP4
+ PCLMULQDQ 0x00, \TMP4, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
+ pxor \TMP1, \TMP6
+ pxor \XMM2, \XMMDst
+@@ -1433,10 +1433,10 @@ TMP7 XMM1 XMM2 XMM3 XMM4 XMMDst
+ movdqa \XMM3, \TMP1
+ pshufd $78, \XMM3, \TMP2
+ pxor \XMM3, \TMP2
+- movdqa HashKey_2(%arg2), \TMP5
++ movdqu HashKey_2(%arg2), \TMP5
+ PCLMULQDQ 0x11, \TMP5, \TMP1 # TMP1 = a1*b1
+ PCLMULQDQ 0x00, \TMP5, \XMM3 # XMM3 = a0*b0
+- movdqa HashKey_2_k(%arg2), \TMP4
++ movdqu HashKey_2_k(%arg2), \TMP4
+ PCLMULQDQ 0x00, \TMP4, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
+ pxor \TMP1, \TMP6
+ pxor \XMM3, \XMMDst
+@@ -1446,10 +1446,10 @@ TMP7 XMM1 XMM2 XMM3 XMM4 XMMDst
+ movdqa \XMM4, \TMP1
+ pshufd $78, \XMM4, \TMP2
+ pxor \XMM4, \TMP2
+- movdqa HashKey(%arg2), \TMP5
++ movdqu HashKey(%arg2), \TMP5
+ PCLMULQDQ 0x11, \TMP5, \TMP1 # TMP1 = a1*b1
+ PCLMULQDQ 0x00, \TMP5, \XMM4 # XMM4 = a0*b0
+- movdqa HashKey_k(%arg2), \TMP4
++ movdqu HashKey_k(%arg2), \TMP4
+ PCLMULQDQ 0x00, \TMP4, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
+ pxor \TMP1, \TMP6
+ pxor \XMM4, \XMMDst
--- /dev/null
+From 7fa885e2a22fd0f91a2c23d9275f5021f618ff5a Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Tue, 7 Aug 2018 23:18:36 +0200
+Subject: crypto: arm64/sm4-ce - check for the right CPU feature bit
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+commit 7fa885e2a22fd0f91a2c23d9275f5021f618ff5a upstream.
+
+ARMv8.2 specifies special instructions for the SM3 cryptographic hash
+and the SM4 symmetric cipher. While it is unlikely that a core would
+implement one and not the other, we should only use SM4 instructions
+if the SM4 CPU feature bit is set, and we currently check the SM3
+feature bit instead. So fix that.
+
+Fixes: e99ce921c468 ("crypto: arm64 - add support for SM4...")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/crypto/sm4-ce-glue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/crypto/sm4-ce-glue.c
++++ b/arch/arm64/crypto/sm4-ce-glue.c
+@@ -69,5 +69,5 @@ static void __exit sm4_ce_mod_fini(void)
+ crypto_unregister_alg(&sm4_ce_alg);
+ }
+
+-module_cpu_feature_match(SM3, sm4_ce_mod_init);
++module_cpu_feature_match(SM4, sm4_ce_mod_init);
+ module_exit(sm4_ce_mod_fini);
--- /dev/null
+From f1bf9e60a0779ec97de9ecdc353e1d01cdd73f43 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?= <horia.geanta@nxp.com>
+Date: Mon, 6 Aug 2018 15:29:55 +0300
+Subject: crypto: caam - fix DMA mapping direction for RSA forms 2 & 3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă <horia.geanta@nxp.com>
+
+commit f1bf9e60a0779ec97de9ecdc353e1d01cdd73f43 upstream.
+
+Crypto engine needs some temporary locations in external memory for
+running RSA decrypt forms 2 and 3 (CRT).
+These are named "tmp1" and "tmp2" in the PDB.
+
+Update DMA mapping direction of tmp1 and tmp2 from TO_DEVICE to
+BIDIRECTIONAL, since engine needs r/w access.
+
+Cc: <stable@vger.kernel.org> # 4.13+
+Fixes: 52e26d77b8b3 ("crypto: caam - add support for RSA key form 2")
+Fixes: 4a651b122adb ("crypto: caam - add support for RSA key form 3")
+Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/caampkc.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/crypto/caam/caampkc.c
++++ b/drivers/crypto/caam/caampkc.c
+@@ -71,8 +71,8 @@ static void rsa_priv_f2_unmap(struct dev
+ dma_unmap_single(dev, pdb->d_dma, key->d_sz, DMA_TO_DEVICE);
+ dma_unmap_single(dev, pdb->p_dma, p_sz, DMA_TO_DEVICE);
+ dma_unmap_single(dev, pdb->q_dma, q_sz, DMA_TO_DEVICE);
+- dma_unmap_single(dev, pdb->tmp1_dma, p_sz, DMA_TO_DEVICE);
+- dma_unmap_single(dev, pdb->tmp2_dma, q_sz, DMA_TO_DEVICE);
++ dma_unmap_single(dev, pdb->tmp1_dma, p_sz, DMA_BIDIRECTIONAL);
++ dma_unmap_single(dev, pdb->tmp2_dma, q_sz, DMA_BIDIRECTIONAL);
+ }
+
+ static void rsa_priv_f3_unmap(struct device *dev, struct rsa_edesc *edesc,
+@@ -90,8 +90,8 @@ static void rsa_priv_f3_unmap(struct dev
+ dma_unmap_single(dev, pdb->dp_dma, p_sz, DMA_TO_DEVICE);
+ dma_unmap_single(dev, pdb->dq_dma, q_sz, DMA_TO_DEVICE);
+ dma_unmap_single(dev, pdb->c_dma, p_sz, DMA_TO_DEVICE);
+- dma_unmap_single(dev, pdb->tmp1_dma, p_sz, DMA_TO_DEVICE);
+- dma_unmap_single(dev, pdb->tmp2_dma, q_sz, DMA_TO_DEVICE);
++ dma_unmap_single(dev, pdb->tmp1_dma, p_sz, DMA_BIDIRECTIONAL);
++ dma_unmap_single(dev, pdb->tmp2_dma, q_sz, DMA_BIDIRECTIONAL);
+ }
+
+ /* RSA Job Completion handler */
+@@ -417,13 +417,13 @@ static int set_rsa_priv_f2_pdb(struct ak
+ goto unmap_p;
+ }
+
+- pdb->tmp1_dma = dma_map_single(dev, key->tmp1, p_sz, DMA_TO_DEVICE);
++ pdb->tmp1_dma = dma_map_single(dev, key->tmp1, p_sz, DMA_BIDIRECTIONAL);
+ if (dma_mapping_error(dev, pdb->tmp1_dma)) {
+ dev_err(dev, "Unable to map RSA tmp1 memory\n");
+ goto unmap_q;
+ }
+
+- pdb->tmp2_dma = dma_map_single(dev, key->tmp2, q_sz, DMA_TO_DEVICE);
++ pdb->tmp2_dma = dma_map_single(dev, key->tmp2, q_sz, DMA_BIDIRECTIONAL);
+ if (dma_mapping_error(dev, pdb->tmp2_dma)) {
+ dev_err(dev, "Unable to map RSA tmp2 memory\n");
+ goto unmap_tmp1;
+@@ -451,7 +451,7 @@ static int set_rsa_priv_f2_pdb(struct ak
+ return 0;
+
+ unmap_tmp1:
+- dma_unmap_single(dev, pdb->tmp1_dma, p_sz, DMA_TO_DEVICE);
++ dma_unmap_single(dev, pdb->tmp1_dma, p_sz, DMA_BIDIRECTIONAL);
+ unmap_q:
+ dma_unmap_single(dev, pdb->q_dma, q_sz, DMA_TO_DEVICE);
+ unmap_p:
+@@ -504,13 +504,13 @@ static int set_rsa_priv_f3_pdb(struct ak
+ goto unmap_dq;
+ }
+
+- pdb->tmp1_dma = dma_map_single(dev, key->tmp1, p_sz, DMA_TO_DEVICE);
++ pdb->tmp1_dma = dma_map_single(dev, key->tmp1, p_sz, DMA_BIDIRECTIONAL);
+ if (dma_mapping_error(dev, pdb->tmp1_dma)) {
+ dev_err(dev, "Unable to map RSA tmp1 memory\n");
+ goto unmap_qinv;
+ }
+
+- pdb->tmp2_dma = dma_map_single(dev, key->tmp2, q_sz, DMA_TO_DEVICE);
++ pdb->tmp2_dma = dma_map_single(dev, key->tmp2, q_sz, DMA_BIDIRECTIONAL);
+ if (dma_mapping_error(dev, pdb->tmp2_dma)) {
+ dev_err(dev, "Unable to map RSA tmp2 memory\n");
+ goto unmap_tmp1;
+@@ -538,7 +538,7 @@ static int set_rsa_priv_f3_pdb(struct ak
+ return 0;
+
+ unmap_tmp1:
+- dma_unmap_single(dev, pdb->tmp1_dma, p_sz, DMA_TO_DEVICE);
++ dma_unmap_single(dev, pdb->tmp1_dma, p_sz, DMA_BIDIRECTIONAL);
+ unmap_qinv:
+ dma_unmap_single(dev, pdb->c_dma, p_sz, DMA_TO_DEVICE);
+ unmap_dq:
--- /dev/null
+From cc98963dbaaea93d17608641b8d6942a5327fc31 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?= <horia.geanta@nxp.com>
+Date: Mon, 6 Aug 2018 15:29:09 +0300
+Subject: crypto: caam/jr - fix descriptor DMA unmapping
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă <horia.geanta@nxp.com>
+
+commit cc98963dbaaea93d17608641b8d6942a5327fc31 upstream.
+
+Descriptor address needs to be swapped to CPU endianness before being
+DMA unmapped.
+
+Cc: <stable@vger.kernel.org> # 4.8+
+Fixes: 261ea058f016 ("crypto: caam - handle core endianness != caam endianness")
+Reported-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/jr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/crypto/caam/jr.c
++++ b/drivers/crypto/caam/jr.c
+@@ -190,7 +190,8 @@ static void caam_jr_dequeue(unsigned lon
+ BUG_ON(CIRC_CNT(head, tail + i, JOBR_DEPTH) <= 0);
+
+ /* Unmap just-run descriptor so we can post-process */
+- dma_unmap_single(dev, jrp->outring[hw_idx].desc,
++ dma_unmap_single(dev,
++ caam_dma_to_cpu(jrp->outring[hw_idx].desc),
+ jrp->entinfo[sw_idx].desc_size,
+ DMA_TO_DEVICE);
+
--- /dev/null
+From ad876a18048f43b1f66f5d474b7598538668c5de Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?= <horia.geanta@nxp.com>
+Date: Mon, 6 Aug 2018 15:29:39 +0300
+Subject: crypto: caam/qi - fix error path in xts setkey
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă <horia.geanta@nxp.com>
+
+commit ad876a18048f43b1f66f5d474b7598538668c5de upstream.
+
+xts setkey callback returns 0 on some error paths.
+Fix this by returning -EINVAL.
+
+Cc: <stable@vger.kernel.org> # 4.12+
+Fixes: b189817cf789 ("crypto: caam/qi - add ablkcipher and authenc algorithms")
+Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/caamalg_qi.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/caam/caamalg_qi.c
++++ b/drivers/crypto/caam/caamalg_qi.c
+@@ -679,10 +679,8 @@ static int xts_ablkcipher_setkey(struct
+ int ret = 0;
+
+ if (keylen != 2 * AES_MIN_KEY_SIZE && keylen != 2 * AES_MAX_KEY_SIZE) {
+- crypto_ablkcipher_set_flags(ablkcipher,
+- CRYPTO_TFM_RES_BAD_KEY_LEN);
+ dev_err(jrdev, "key size mismatch\n");
+- return -EINVAL;
++ goto badkey;
+ }
+
+ ctx->cdata.keylen = keylen;
+@@ -715,7 +713,7 @@ static int xts_ablkcipher_setkey(struct
+ return ret;
+ badkey:
+ crypto_ablkcipher_set_flags(ablkcipher, CRYPTO_TFM_RES_BAD_KEY_LEN);
+- return 0;
++ return -EINVAL;
+ }
+
+ /*
--- /dev/null
+From 0522236d4f9c5ab2e79889cb020d1acbe5da416e Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Wed, 22 Aug 2018 08:26:31 +0200
+Subject: crypto: vmx - Fix sleep-in-atomic bugs
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+commit 0522236d4f9c5ab2e79889cb020d1acbe5da416e upstream.
+
+This patch fixes sleep-in-atomic bugs in AES-CBC and AES-XTS VMX
+implementations. The problem is that the blkcipher_* functions should
+not be called in atomic context.
+
+The bugs can be reproduced via the AF_ALG interface by trying to
+encrypt/decrypt sufficiently large buffers (at least 64 KiB) using the
+VMX implementations of 'cbc(aes)' or 'xts(aes)'. Such operations then
+trigger BUG in crypto_yield():
+
+[ 891.863680] BUG: sleeping function called from invalid context at include/crypto/algapi.h:424
+[ 891.864622] in_atomic(): 1, irqs_disabled(): 0, pid: 12347, name: kcapi-enc
+[ 891.864739] 1 lock held by kcapi-enc/12347:
+[ 891.864811] #0: 00000000f5d42c46 (sk_lock-AF_ALG){+.+.}, at: skcipher_recvmsg+0x50/0x530
+[ 891.865076] CPU: 5 PID: 12347 Comm: kcapi-enc Not tainted 4.19.0-0.rc0.git3.1.fc30.ppc64le #1
+[ 891.865251] Call Trace:
+[ 891.865340] [c0000003387578c0] [c000000000d67ea4] dump_stack+0xe8/0x164 (unreliable)
+[ 891.865511] [c000000338757910] [c000000000172a58] ___might_sleep+0x2f8/0x310
+[ 891.865679] [c000000338757990] [c0000000006bff74] blkcipher_walk_done+0x374/0x4a0
+[ 891.865825] [c0000003387579e0] [d000000007e73e70] p8_aes_cbc_encrypt+0x1c8/0x260 [vmx_crypto]
+[ 891.865993] [c000000338757ad0] [c0000000006c0ee0] skcipher_encrypt_blkcipher+0x60/0x80
+[ 891.866128] [c000000338757b10] [c0000000006ec504] skcipher_recvmsg+0x424/0x530
+[ 891.866283] [c000000338757bd0] [c000000000b00654] sock_recvmsg+0x74/0xa0
+[ 891.866403] [c000000338757c10] [c000000000b00f64] ___sys_recvmsg+0xf4/0x2f0
+[ 891.866515] [c000000338757d90] [c000000000b02bb8] __sys_recvmsg+0x68/0xe0
+[ 891.866631] [c000000338757e30] [c00000000000bbe4] system_call+0x5c/0x70
+
+Fixes: 8c755ace357c ("crypto: vmx - Adding CBC routines for VMX module")
+Fixes: c07f5d3da643 ("crypto: vmx - Adding support for XTS")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/vmx/aes_cbc.c | 30 ++++++++++++++----------------
+ drivers/crypto/vmx/aes_xts.c | 21 ++++++++++++++-------
+ 2 files changed, 28 insertions(+), 23 deletions(-)
+
+--- a/drivers/crypto/vmx/aes_cbc.c
++++ b/drivers/crypto/vmx/aes_cbc.c
+@@ -107,24 +107,23 @@ static int p8_aes_cbc_encrypt(struct blk
+ ret = crypto_skcipher_encrypt(req);
+ skcipher_request_zero(req);
+ } else {
+- preempt_disable();
+- pagefault_disable();
+- enable_kernel_vsx();
+-
+ blkcipher_walk_init(&walk, dst, src, nbytes);
+ ret = blkcipher_walk_virt(desc, &walk);
+ while ((nbytes = walk.nbytes)) {
++ preempt_disable();
++ pagefault_disable();
++ enable_kernel_vsx();
+ aes_p8_cbc_encrypt(walk.src.virt.addr,
+ walk.dst.virt.addr,
+ nbytes & AES_BLOCK_MASK,
+ &ctx->enc_key, walk.iv, 1);
++ disable_kernel_vsx();
++ pagefault_enable();
++ preempt_enable();
++
+ nbytes &= AES_BLOCK_SIZE - 1;
+ ret = blkcipher_walk_done(desc, &walk, nbytes);
+ }
+-
+- disable_kernel_vsx();
+- pagefault_enable();
+- preempt_enable();
+ }
+
+ return ret;
+@@ -147,24 +146,23 @@ static int p8_aes_cbc_decrypt(struct blk
+ ret = crypto_skcipher_decrypt(req);
+ skcipher_request_zero(req);
+ } else {
+- preempt_disable();
+- pagefault_disable();
+- enable_kernel_vsx();
+-
+ blkcipher_walk_init(&walk, dst, src, nbytes);
+ ret = blkcipher_walk_virt(desc, &walk);
+ while ((nbytes = walk.nbytes)) {
++ preempt_disable();
++ pagefault_disable();
++ enable_kernel_vsx();
+ aes_p8_cbc_encrypt(walk.src.virt.addr,
+ walk.dst.virt.addr,
+ nbytes & AES_BLOCK_MASK,
+ &ctx->dec_key, walk.iv, 0);
++ disable_kernel_vsx();
++ pagefault_enable();
++ preempt_enable();
++
+ nbytes &= AES_BLOCK_SIZE - 1;
+ ret = blkcipher_walk_done(desc, &walk, nbytes);
+ }
+-
+- disable_kernel_vsx();
+- pagefault_enable();
+- preempt_enable();
+ }
+
+ return ret;
+--- a/drivers/crypto/vmx/aes_xts.c
++++ b/drivers/crypto/vmx/aes_xts.c
+@@ -116,32 +116,39 @@ static int p8_aes_xts_crypt(struct blkci
+ ret = enc? crypto_skcipher_encrypt(req) : crypto_skcipher_decrypt(req);
+ skcipher_request_zero(req);
+ } else {
++ blkcipher_walk_init(&walk, dst, src, nbytes);
++
++ ret = blkcipher_walk_virt(desc, &walk);
++
+ preempt_disable();
+ pagefault_disable();
+ enable_kernel_vsx();
+
+- blkcipher_walk_init(&walk, dst, src, nbytes);
+-
+- ret = blkcipher_walk_virt(desc, &walk);
+ iv = walk.iv;
+ memset(tweak, 0, AES_BLOCK_SIZE);
+ aes_p8_encrypt(iv, tweak, &ctx->tweak_key);
+
++ disable_kernel_vsx();
++ pagefault_enable();
++ preempt_enable();
++
+ while ((nbytes = walk.nbytes)) {
++ preempt_disable();
++ pagefault_disable();
++ enable_kernel_vsx();
+ if (enc)
+ aes_p8_xts_encrypt(walk.src.virt.addr, walk.dst.virt.addr,
+ nbytes & AES_BLOCK_MASK, &ctx->enc_key, NULL, tweak);
+ else
+ aes_p8_xts_decrypt(walk.src.virt.addr, walk.dst.virt.addr,
+ nbytes & AES_BLOCK_MASK, &ctx->dec_key, NULL, tweak);
++ disable_kernel_vsx();
++ pagefault_enable();
++ preempt_enable();
+
+ nbytes &= AES_BLOCK_SIZE - 1;
+ ret = blkcipher_walk_done(desc, &walk, nbytes);
+ }
+-
+- disable_kernel_vsx();
+- pagefault_enable();
+- preempt_enable();
+ }
+ return ret;
+ }
--- /dev/null
+From 8c5b044299951acd91e830a688dd920477ea1eda Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 25 Jul 2018 15:41:54 +0200
+Subject: fb: fix lost console when the user unplugs a USB adapter
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 8c5b044299951acd91e830a688dd920477ea1eda upstream.
+
+I have a USB display adapter using the udlfb driver and I use it on an ARM
+board that doesn't have any graphics card. When I plug the adapter in, the
+console is properly displayed, however when I unplug and re-plug the
+adapter, the console is not displayed and I can't access it until I reboot
+the board.
+
+The reason is this:
+When the adapter is unplugged, dlfb_usb_disconnect calls
+unlink_framebuffer, then it waits until the reference count drops to zero
+and then it deallocates the framebuffer. However, the console that is
+attached to the framebuffer device keeps the reference count non-zero, so
+the framebuffer device is never destroyed. When the USB adapter is plugged
+again, it creates a new device /dev/fb1 and the console is not attached to
+it.
+
+This patch fixes the bug by unbinding the console from unlink_framebuffer.
+The code to unbind the console is moved from do_unregister_framebuffer to
+a function unbind_console. When the console is unbound, the reference
+count drops to zero and the udlfb driver frees the framebuffer. When the
+adapter is plugged back, a new framebuffer is created and the console is
+attached to it.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Bernie Thompson <bernie@plugable.com>
+Cc: Ladislav Michl <ladis@linux-mips.org>
+Cc: stable@vger.kernel.org
+[b.zolnierkie: preserve old behavior for do_unregister_framebuffer()]
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/core/fbmem.c | 38 ++++++++++++++++++++++++++++++++------
+ 1 file changed, 32 insertions(+), 6 deletions(-)
+
+--- a/drivers/video/fbdev/core/fbmem.c
++++ b/drivers/video/fbdev/core/fbmem.c
+@@ -1704,12 +1704,12 @@ static int do_register_framebuffer(struc
+ return 0;
+ }
+
+-static int do_unregister_framebuffer(struct fb_info *fb_info)
++static int unbind_console(struct fb_info *fb_info)
+ {
+ struct fb_event event;
+- int i, ret = 0;
++ int ret;
++ int i = fb_info->node;
+
+- i = fb_info->node;
+ if (i < 0 || i >= FB_MAX || registered_fb[i] != fb_info)
+ return -EINVAL;
+
+@@ -1724,17 +1724,29 @@ static int do_unregister_framebuffer(str
+ unlock_fb_info(fb_info);
+ console_unlock();
+
++ return ret;
++}
++
++static int __unlink_framebuffer(struct fb_info *fb_info);
++
++static int do_unregister_framebuffer(struct fb_info *fb_info)
++{
++ struct fb_event event;
++ int ret;
++
++ ret = unbind_console(fb_info);
++
+ if (ret)
+ return -EINVAL;
+
+ pm_vt_switch_unregister(fb_info->dev);
+
+- unlink_framebuffer(fb_info);
++ __unlink_framebuffer(fb_info);
+ if (fb_info->pixmap.addr &&
+ (fb_info->pixmap.flags & FB_PIXMAP_DEFAULT))
+ kfree(fb_info->pixmap.addr);
+ fb_destroy_modelist(&fb_info->modelist);
+- registered_fb[i] = NULL;
++ registered_fb[fb_info->node] = NULL;
+ num_registered_fb--;
+ fb_cleanup_device(fb_info);
+ event.info = fb_info;
+@@ -1747,7 +1759,7 @@ static int do_unregister_framebuffer(str
+ return 0;
+ }
+
+-int unlink_framebuffer(struct fb_info *fb_info)
++static int __unlink_framebuffer(struct fb_info *fb_info)
+ {
+ int i;
+
+@@ -1759,6 +1771,20 @@ int unlink_framebuffer(struct fb_info *f
+ device_destroy(fb_class, MKDEV(FB_MAJOR, i));
+ fb_info->dev = NULL;
+ }
++
++ return 0;
++}
++
++int unlink_framebuffer(struct fb_info *fb_info)
++{
++ int ret;
++
++ ret = __unlink_framebuffer(fb_info);
++ if (ret)
++ return ret;
++
++ unbind_console(fb_info);
++
+ return 0;
+ }
+ EXPORT_SYMBOL(unlink_framebuffer);
--- /dev/null
+From 7b6924d94a60c6b8c1279ca003e8744e6cd9e8b1 Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jcline@redhat.com>
+Date: Tue, 31 Jul 2018 01:37:31 +0000
+Subject: fs/quota: Fix spectre gadget in do_quotactl
+
+From: Jeremy Cline <jcline@redhat.com>
+
+commit 7b6924d94a60c6b8c1279ca003e8744e6cd9e8b1 upstream.
+
+'type' is user-controlled, so sanitize it after the bounds check to
+avoid using it in speculative execution. This covers the following
+potential gadgets detected with the help of smatch:
+
+* fs/ext4/super.c:5741 ext4_quota_read() warn: potential spectre issue
+ 'sb_dqopt(sb)->files' [r]
+* fs/ext4/super.c:5778 ext4_quota_write() warn: potential spectre issue
+ 'sb_dqopt(sb)->files' [r]
+* fs/f2fs/super.c:1552 f2fs_quota_read() warn: potential spectre issue
+ 'sb_dqopt(sb)->files' [r]
+* fs/f2fs/super.c:1608 f2fs_quota_write() warn: potential spectre issue
+ 'sb_dqopt(sb)->files' [r]
+* fs/quota/dquot.c:412 mark_info_dirty() warn: potential spectre issue
+ 'sb_dqopt(sb)->info' [w]
+* fs/quota/dquot.c:933 dqinit_needed() warn: potential spectre issue
+ 'dquots' [r]
+* fs/quota/dquot.c:2112 dquot_commit_info() warn: potential spectre
+ issue 'dqopt->ops' [r]
+* fs/quota/dquot.c:2362 vfs_load_quota_inode() warn: potential spectre
+ issue 'dqopt->files' [w] (local cap)
+* fs/quota/dquot.c:2369 vfs_load_quota_inode() warn: potential spectre
+ issue 'dqopt->ops' [w] (local cap)
+* fs/quota/dquot.c:2370 vfs_load_quota_inode() warn: potential spectre
+ issue 'dqopt->info' [w] (local cap)
+* fs/quota/quota.c:110 quota_getfmt() warn: potential spectre issue
+ 'sb_dqopt(sb)->info' [r]
+* fs/quota/quota_v2.c:84 v2_check_quota_file() warn: potential spectre
+ issue 'quota_magics' [w]
+* fs/quota/quota_v2.c:85 v2_check_quota_file() warn: potential spectre
+ issue 'quota_versions' [w]
+* fs/quota/quota_v2.c:96 v2_read_file_info() warn: potential spectre
+ issue 'dqopt->info' [r]
+* fs/quota/quota_v2.c:172 v2_write_file_info() warn: potential spectre
+ issue 'dqopt->info' [r]
+
+Additionally, a quick inspection indicates there are array accesses with
+'type' in quota_on() and quota_off() functions which are also addressed
+by this.
+
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/quota/quota.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/quota/quota.c
++++ b/fs/quota/quota.c
+@@ -18,6 +18,7 @@
+ #include <linux/quotaops.h>
+ #include <linux/types.h>
+ #include <linux/writeback.h>
++#include <linux/nospec.h>
+
+ static int check_quotactl_permission(struct super_block *sb, int type, int cmd,
+ qid_t id)
+@@ -703,6 +704,7 @@ static int do_quotactl(struct super_bloc
+
+ if (type >= (XQM_COMMAND(cmd) ? XQM_MAXQUOTAS : MAXQUOTAS))
+ return -EINVAL;
++ type = array_index_nospec(type, MAXQUOTAS);
+ /*
+ * Quota not supported on this fs? Check this before s_quota_types
+ * since they needn't be set if quota is not supported at all.
--- /dev/null
+From 82c9a927bc5df6e06b72d206d24a9d10cced4eb5 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian@brauner.io>
+Date: Thu, 7 Jun 2018 13:43:48 +0200
+Subject: getxattr: use correct xattr length
+
+From: Christian Brauner <christian@brauner.io>
+
+commit 82c9a927bc5df6e06b72d206d24a9d10cced4eb5 upstream.
+
+When running in a container with a user namespace, if you call getxattr
+with name = "system.posix_acl_access" and size % 8 != 4, then getxattr
+silently skips the user namespace fixup that it normally does resulting in
+un-fixed-up data being returned.
+This is caused by posix_acl_fix_xattr_to_user() being passed the total
+buffer size and not the actual size of the xattr as returned by
+vfs_getxattr().
+This commit passes the actual length of the xattr as returned by
+vfs_getxattr() down.
+
+A reproducer for the issue is:
+
+ touch acl_posix
+
+ setfacl -m user:0:rwx acl_posix
+
+and the compile:
+
+ #define _GNU_SOURCE
+ #include <errno.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <sys/types.h>
+ #include <unistd.h>
+ #include <attr/xattr.h>
+
+ /* Run in user namespace with nsuid 0 mapped to uid != 0 on the host. */
+ int main(int argc, void **argv)
+ {
+ ssize_t ret1, ret2;
+ char buf1[128], buf2[132];
+ int fret = EXIT_SUCCESS;
+ char *file;
+
+ if (argc < 2) {
+ fprintf(stderr,
+ "Please specify a file with "
+ "\"system.posix_acl_access\" permissions set\n");
+ _exit(EXIT_FAILURE);
+ }
+ file = argv[1];
+
+ ret1 = getxattr(file, "system.posix_acl_access",
+ buf1, sizeof(buf1));
+ if (ret1 < 0) {
+ fprintf(stderr, "%s - Failed to retrieve "
+ "\"system.posix_acl_access\" "
+ "from \"%s\"\n", strerror(errno), file);
+ _exit(EXIT_FAILURE);
+ }
+
+ ret2 = getxattr(file, "system.posix_acl_access",
+ buf2, sizeof(buf2));
+ if (ret2 < 0) {
+ fprintf(stderr, "%s - Failed to retrieve "
+ "\"system.posix_acl_access\" "
+ "from \"%s\"\n", strerror(errno), file);
+ _exit(EXIT_FAILURE);
+ }
+
+ if (ret1 != ret2) {
+ fprintf(stderr, "The value of \"system.posix_acl_"
+ "access\" for file \"%s\" changed "
+ "between two successive calls\n", file);
+ _exit(EXIT_FAILURE);
+ }
+
+ for (ssize_t i = 0; i < ret2; i++) {
+ if (buf1[i] == buf2[i])
+ continue;
+
+ fprintf(stderr,
+ "Unexpected different in byte %zd: "
+ "%02x != %02x\n", i, buf1[i], buf2[i]);
+ fret = EXIT_FAILURE;
+ }
+
+ if (fret == EXIT_SUCCESS)
+ fprintf(stderr, "Test passed\n");
+ else
+ fprintf(stderr, "Test failed\n");
+
+ _exit(fret);
+ }
+and run:
+
+ ./tester acl_posix
+
+On a non-fixed up kernel this should return something like:
+
+ root@c1:/# ./t
+ Unexpected different in byte 16: ffffffa0 != 00
+ Unexpected different in byte 17: ffffff86 != 00
+ Unexpected different in byte 18: 01 != 00
+
+and on a fixed kernel:
+
+ root@c1:~# ./t
+ Test passed
+
+Cc: stable@vger.kernel.org
+Fixes: 2f6f0654ab61 ("userns: Convert vfs posix_acl support to use kuids and kgids")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199945
+Reported-by: Colin Watson <cjwatson@ubuntu.com>
+Signed-off-by: Christian Brauner <christian@brauner.io>
+Acked-by: Serge Hallyn <serge@hallyn.com>
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xattr.c
++++ b/fs/xattr.c
+@@ -539,7 +539,7 @@ getxattr(struct dentry *d, const char __
+ if (error > 0) {
+ if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
+ (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
+- posix_acl_fix_xattr_to_user(kvalue, size);
++ posix_acl_fix_xattr_to_user(kvalue, error);
+ if (size && copy_to_user(value, kvalue, error))
+ error = -EFAULT;
+ } else if (error == -ERANGE && size >= XATTR_SIZE_MAX) {
--- /dev/null
+From 5c5c87411488af3cd082221e567498d813d0fe83 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Fri, 27 Jul 2018 00:19:16 +0300
+Subject: iommu/ipmmu-vmsa: Don't register as BUS IOMMU if machine doesn't have IPMMU-VMSA
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit 5c5c87411488af3cd082221e567498d813d0fe83 upstream.
+
+This fixes kernel crashing on NVIDIA Tegra if kernel is compiled in
+a multiplatform configuration and IPMMU-VMSA driver is enabled.
+
+Cc: <stable@vger.kernel.org> # v3.20+
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/ipmmu-vmsa.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/iommu/ipmmu-vmsa.c
++++ b/drivers/iommu/ipmmu-vmsa.c
+@@ -1081,12 +1081,19 @@ static struct platform_driver ipmmu_driv
+
+ static int __init ipmmu_init(void)
+ {
++ struct device_node *np;
+ static bool setup_done;
+ int ret;
+
+ if (setup_done)
+ return 0;
+
++ np = of_find_matching_node(NULL, ipmmu_of_ids);
++ if (!np)
++ return 0;
++
++ of_node_put(np);
++
+ ret = platform_driver_register(&ipmmu_driver);
+ if (ret < 0)
+ return ret;
--- /dev/null
+From 0f725561e168485eff7277d683405c05b192f537 Mon Sep 17 00:00:00 2001
+From: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Date: Thu, 7 Jun 2018 09:56:59 -0700
+Subject: iommu/vt-d: Add definitions for PFSID
+
+From: Jacob Pan <jacob.jun.pan@linux.intel.com>
+
+commit 0f725561e168485eff7277d683405c05b192f537 upstream.
+
+When SRIOV VF device IOTLB is invalidated, we need to provide
+the PF source ID such that IOMMU hardware can gauge the depth
+of invalidation queue which is shared among VFs. This is needed
+when device invalidation throttle (DIT) capability is supported.
+
+This patch adds bit definitions for checking and tracking PFSID.
+
+Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Cc: stable@vger.kernel.org
+Cc: "Ashok Raj" <ashok.raj@intel.com>
+Cc: "Lu Baolu" <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/intel-iommu.c | 1 +
+ include/linux/intel-iommu.h | 3 +++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -421,6 +421,7 @@ struct device_domain_info {
+ struct list_head global; /* link to global list */
+ u8 bus; /* PCI bus number */
+ u8 devfn; /* PCI devfn number */
++ u16 pfsid; /* SRIOV physical function source ID */
+ u8 pasid_supported:3;
+ u8 pasid_enabled:1;
+ u8 pri_supported:1;
+--- a/include/linux/intel-iommu.h
++++ b/include/linux/intel-iommu.h
+@@ -114,6 +114,7 @@
+ * Extended Capability Register
+ */
+
++#define ecap_dit(e) ((e >> 41) & 0x1)
+ #define ecap_pasid(e) ((e >> 40) & 0x1)
+ #define ecap_pss(e) ((e >> 35) & 0x1f)
+ #define ecap_eafs(e) ((e >> 34) & 0x1)
+@@ -284,6 +285,7 @@ enum {
+ #define QI_DEV_IOTLB_SID(sid) ((u64)((sid) & 0xffff) << 32)
+ #define QI_DEV_IOTLB_QDEP(qdep) (((qdep) & 0x1f) << 16)
+ #define QI_DEV_IOTLB_ADDR(addr) ((u64)(addr) & VTD_PAGE_MASK)
++#define QI_DEV_IOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | ((u64)(pfsid & 0xfff) << 52))
+ #define QI_DEV_IOTLB_SIZE 1
+ #define QI_DEV_IOTLB_MAX_INVS 32
+
+@@ -308,6 +310,7 @@ enum {
+ #define QI_DEV_EIOTLB_PASID(p) (((u64)p) << 32)
+ #define QI_DEV_EIOTLB_SID(sid) ((u64)((sid) & 0xffff) << 16)
+ #define QI_DEV_EIOTLB_QDEP(qd) ((u64)((qd) & 0x1f) << 4)
++#define QI_DEV_EIOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | ((u64)(pfsid & 0xfff) << 52))
+ #define QI_DEV_EIOTLB_MAX_INVS 32
+
+ #define QI_PGRP_IDX(idx) (((u64)(idx)) << 55)
--- /dev/null
+From 1c48db44924298ad0cb5a6386b88017539be8822 Mon Sep 17 00:00:00 2001
+From: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Date: Thu, 7 Jun 2018 09:57:00 -0700
+Subject: iommu/vt-d: Fix dev iotlb pfsid use
+
+From: Jacob Pan <jacob.jun.pan@linux.intel.com>
+
+commit 1c48db44924298ad0cb5a6386b88017539be8822 upstream.
+
+PFSID should be used in the invalidation descriptor for flushing
+device IOTLBs on SRIOV VFs.
+
+Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Cc: stable@vger.kernel.org
+Cc: "Ashok Raj" <ashok.raj@intel.com>
+Cc: "Lu Baolu" <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/dmar.c | 6 +++---
+ drivers/iommu/intel-iommu.c | 17 ++++++++++++++++-
+ include/linux/intel-iommu.h | 5 ++---
+ 3 files changed, 21 insertions(+), 7 deletions(-)
+
+--- a/drivers/iommu/dmar.c
++++ b/drivers/iommu/dmar.c
+@@ -1339,8 +1339,8 @@ void qi_flush_iotlb(struct intel_iommu *
+ qi_submit_sync(&desc, iommu);
+ }
+
+-void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 qdep,
+- u64 addr, unsigned mask)
++void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 pfsid,
++ u16 qdep, u64 addr, unsigned mask)
+ {
+ struct qi_desc desc;
+
+@@ -1355,7 +1355,7 @@ void qi_flush_dev_iotlb(struct intel_iom
+ qdep = 0;
+
+ desc.low = QI_DEV_IOTLB_SID(sid) | QI_DEV_IOTLB_QDEP(qdep) |
+- QI_DIOTLB_TYPE;
++ QI_DIOTLB_TYPE | QI_DEV_IOTLB_PFSID(pfsid);
+
+ qi_submit_sync(&desc, iommu);
+ }
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -1502,6 +1502,20 @@ static void iommu_enable_dev_iotlb(struc
+ return;
+
+ pdev = to_pci_dev(info->dev);
++ /* For IOMMU that supports device IOTLB throttling (DIT), we assign
++ * PFSID to the invalidation desc of a VF such that IOMMU HW can gauge
++ * queue depth at PF level. If DIT is not set, PFSID will be treated as
++ * reserved, which should be set to 0.
++ */
++ if (!ecap_dit(info->iommu->ecap))
++ info->pfsid = 0;
++ else {
++ struct pci_dev *pf_pdev;
++
++ /* pdev will be returned if device is not a vf */
++ pf_pdev = pci_physfn(pdev);
++ info->pfsid = PCI_DEVID(pf_pdev->bus->number, pf_pdev->devfn);
++ }
+
+ #ifdef CONFIG_INTEL_IOMMU_SVM
+ /* The PCIe spec, in its wisdom, declares that the behaviour of
+@@ -1567,7 +1581,8 @@ static void iommu_flush_dev_iotlb(struct
+
+ sid = info->bus << 8 | info->devfn;
+ qdep = info->ats_qdep;
+- qi_flush_dev_iotlb(info->iommu, sid, qdep, addr, mask);
++ qi_flush_dev_iotlb(info->iommu, sid, info->pfsid,
++ qdep, addr, mask);
+ }
+ spin_unlock_irqrestore(&device_domain_lock, flags);
+ }
+--- a/include/linux/intel-iommu.h
++++ b/include/linux/intel-iommu.h
+@@ -456,9 +456,8 @@ extern void qi_flush_context(struct inte
+ u8 fm, u64 type);
+ extern void qi_flush_iotlb(struct intel_iommu *iommu, u16 did, u64 addr,
+ unsigned int size_order, u64 type);
+-extern void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 qdep,
+- u64 addr, unsigned mask);
+-
++extern void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 pfsid,
++ u16 qdep, u64 addr, unsigned mask);
+ extern int qi_submit_sync(struct qi_desc *desc, struct intel_iommu *iommu);
+
+ extern int dmar_ir_support(void);
--- /dev/null
+From 98a4afbfafd226636cd6bb6a1208b3693daff2b1 Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Thu, 16 Aug 2018 13:36:48 +0900
+Subject: kconfig: fix "Can't open ..." in parallel build
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+commit 98a4afbfafd226636cd6bb6a1208b3693daff2b1 upstream.
+
+If you run "make menuconfig" or "make nconfig" with -j<N> option in a
+fresh source tree, you will see several "Can't open ..." messages:
+
+ $ make -j8 menuconfig
+ HOSTCC scripts/basic/fixdep
+ YACC scripts/kconfig/zconf.tab.c
+ LEX scripts/kconfig/zconf.lex.c
+ /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
+ /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
+ /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
+ /bin/sh: 1: .: HOSTCC scripts/kconfig/lxdialog/checklist.o
+ Can't open scripts/kconfig/.mconf-cfg
+ /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
+ /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
+ /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
+ HOSTCC scripts/kconfig/lxdialog/inputbox.o
+ /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
+ /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
+ /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
+ UPD scripts/kconfig/.mconf-cfg
+ /bin/sh: 1: .: Can't open scripts/kconfig/.mconf-cfg
+ HOSTCC scripts/kconfig/lxdialog/menubox.o
+ HOSTCC scripts/kconfig/lxdialog/textbox.o
+ HOSTCC scripts/kconfig/lxdialog/util.o
+ HOSTCC scripts/kconfig/lxdialog/yesno.o
+ HOSTCC scripts/kconfig/mconf.o
+ HOSTCC scripts/kconfig/zconf.tab.o
+ HOSTLD scripts/kconfig/mconf
+
+Correct dependencies to fix this problem.
+
+Fixes: 1c5af5cf9308 ("kconfig: refactor ncurses package checks for building mconf and nconf")
+Cc: linux-stable <stable@vger.kernel.org> # v4.18
+Reported-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Tested-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/kconfig/Makefile | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/scripts/kconfig/Makefile
++++ b/scripts/kconfig/Makefile
+@@ -173,7 +173,7 @@ HOSTLOADLIBES_nconf = $(shell . $(obj)/.
+ HOSTCFLAGS_nconf.o = $(shell . $(obj)/.nconf-cfg && echo $$cflags)
+ HOSTCFLAGS_nconf.gui.o = $(shell . $(obj)/.nconf-cfg && echo $$cflags)
+
+-$(obj)/nconf.o: $(obj)/.nconf-cfg
++$(obj)/nconf.o $(obj)/nconf.gui.o: $(obj)/.nconf-cfg
+
+ # mconf: Used for the menuconfig target based on lxdialog
+ hostprogs-y += mconf
+@@ -184,7 +184,8 @@ HOSTLOADLIBES_mconf = $(shell . $(obj)/.
+ $(foreach f, mconf.o $(lxdialog), \
+ $(eval HOSTCFLAGS_$f = $$(shell . $(obj)/.mconf-cfg && echo $$$$cflags)))
+
+-$(addprefix $(obj)/, mconf.o $(lxdialog)): $(obj)/.mconf-cfg
++$(obj)/mconf.o: $(obj)/.mconf-cfg
++$(addprefix $(obj)/lxdialog/, $(lxdialog)): $(obj)/.mconf-cfg
+
+ # qconf: Used for the xconfig target based on Qt
+ hostprogs-y += qconf
--- /dev/null
+From 286e87718103acdf85f4ed323a37e4839a8a7c05 Mon Sep 17 00:00:00 2001
+From: Vishal Verma <vishal.l.verma@intel.com>
+Date: Fri, 10 Aug 2018 13:23:15 -0600
+Subject: libnvdimm: fix ars_status output length calculation
+
+From: Vishal Verma <vishal.l.verma@intel.com>
+
+commit 286e87718103acdf85f4ed323a37e4839a8a7c05 upstream.
+
+Commit efda1b5d87cb ("acpi, nfit, libnvdimm: fix / harden ars_status output length handling")
+Introduced additional hardening for ambiguity in the ACPI spec for
+ars_status output sizing. However, it had a couple of cases mixed up.
+Where it should have been checking for (and returning) "out_field[1] -
+4" it was using "out_field[1] - 8" and vice versa.
+
+This caused a four byte discrepancy in the buffer size passed on to
+the command handler, and in some cases, this caused memory corruption
+like:
+
+ ./daxdev-errors.sh: line 76: 24104 Aborted (core dumped) ./daxdev-errors $busdev $region
+ malloc(): memory corruption
+ Program received signal SIGABRT, Aborted.
+ [...]
+ #5 0x00007ffff7865a2e in calloc () from /lib64/libc.so.6
+ #6 0x00007ffff7bc2970 in ndctl_bus_cmd_new_ars_status (ars_cap=ars_cap@entry=0x6153b0) at ars.c:136
+ #7 0x0000000000401644 in check_ars_status (check=0x7fffffffdeb0, bus=0x604c20) at daxdev-errors.c:144
+ #8 test_daxdev_clear_error (region_name=<optimized out>, bus_name=<optimized out>)
+ at daxdev-errors.c:332
+
+Cc: <stable@vger.kernel.org>
+Cc: Dave Jiang <dave.jiang@intel.com>
+Cc: Keith Busch <keith.busch@intel.com>
+Cc: Lukasz Dorau <lukasz.dorau@intel.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Fixes: efda1b5d87cb ("acpi, nfit, libnvdimm: fix / harden ars_status output length handling")
+Signed-off-by: Vishal Verma <vishal.l.verma@intel.com>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Signed-of-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/bus.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/nvdimm/bus.c
++++ b/drivers/nvdimm/bus.c
+@@ -812,9 +812,9 @@ u32 nd_cmd_out_size(struct nvdimm *nvdim
+ * overshoots the remainder by 4 bytes, assume it was
+ * including 'status'.
+ */
+- if (out_field[1] - 8 == remainder)
++ if (out_field[1] - 4 == remainder)
+ return remainder;
+- return out_field[1] - 4;
++ return out_field[1] - 8;
+ } else if (cmd == ND_CMD_CALL) {
+ struct nd_cmd_pkg *pkg = (struct nd_cmd_pkg *) in_field;
+
--- /dev/null
+From 12e3129e29b406c41bc89231092a20d79dbf802c Mon Sep 17 00:00:00 2001
+From: Keith Busch <keith.busch@intel.com>
+Date: Tue, 24 Jul 2018 15:07:57 -0600
+Subject: libnvdimm: Use max contiguous area for namespace size
+
+From: Keith Busch <keith.busch@intel.com>
+
+commit 12e3129e29b406c41bc89231092a20d79dbf802c upstream.
+
+This patch will find the max contiguous area to determine the largest
+pmem namespace size that can be created. If the requested size exceeds
+the largest available, ENOSPC error will be returned.
+
+This fixes the allocation underrun error and wrong error return code
+that have otherwise been observed as the following kernel warning:
+
+ WARNING: CPU: <CPU> PID: <PID> at drivers/nvdimm/namespace_devs.c:913 size_store
+
+Fixes: a1f3e4d6a0c3 ("libnvdimm, region: update nd_region_available_dpa() for multi-pmem support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/dimm_devs.c | 31 +++++++++++++++++++++++++++++++
+ drivers/nvdimm/namespace_devs.c | 6 +++---
+ drivers/nvdimm/nd-core.h | 8 ++++++++
+ drivers/nvdimm/region_devs.c | 24 ++++++++++++++++++++++++
+ 4 files changed, 66 insertions(+), 3 deletions(-)
+
+--- a/drivers/nvdimm/dimm_devs.c
++++ b/drivers/nvdimm/dimm_devs.c
+@@ -537,6 +537,37 @@ resource_size_t nd_blk_available_dpa(str
+ }
+
+ /**
++ * nd_pmem_max_contiguous_dpa - For the given dimm+region, return the max
++ * contiguous unallocated dpa range.
++ * @nd_region: constrain available space check to this reference region
++ * @nd_mapping: container of dpa-resource-root + labels
++ */
++resource_size_t nd_pmem_max_contiguous_dpa(struct nd_region *nd_region,
++ struct nd_mapping *nd_mapping)
++{
++ struct nvdimm_drvdata *ndd = to_ndd(nd_mapping);
++ struct nvdimm_bus *nvdimm_bus;
++ resource_size_t max = 0;
++ struct resource *res;
++
++ /* if a dimm is disabled the available capacity is zero */
++ if (!ndd)
++ return 0;
++
++ nvdimm_bus = walk_to_nvdimm_bus(ndd->dev);
++ if (__reserve_free_pmem(&nd_region->dev, nd_mapping->nvdimm))
++ return 0;
++ for_each_dpa_resource(ndd, res) {
++ if (strcmp(res->name, "pmem-reserve") != 0)
++ continue;
++ if (resource_size(res) > max)
++ max = resource_size(res);
++ }
++ release_free_pmem(nvdimm_bus, nd_mapping);
++ return max;
++}
++
++/**
+ * nd_pmem_available_dpa - for the given dimm+region account unallocated dpa
+ * @nd_mapping: container of dpa-resource-root + labels
+ * @nd_region: constrain available space check to this reference region
+--- a/drivers/nvdimm/namespace_devs.c
++++ b/drivers/nvdimm/namespace_devs.c
+@@ -799,7 +799,7 @@ static int merge_dpa(struct nd_region *n
+ return 0;
+ }
+
+-static int __reserve_free_pmem(struct device *dev, void *data)
++int __reserve_free_pmem(struct device *dev, void *data)
+ {
+ struct nvdimm *nvdimm = data;
+ struct nd_region *nd_region;
+@@ -836,7 +836,7 @@ static int __reserve_free_pmem(struct de
+ return 0;
+ }
+
+-static void release_free_pmem(struct nvdimm_bus *nvdimm_bus,
++void release_free_pmem(struct nvdimm_bus *nvdimm_bus,
+ struct nd_mapping *nd_mapping)
+ {
+ struct nvdimm_drvdata *ndd = to_ndd(nd_mapping);
+@@ -1032,7 +1032,7 @@ static ssize_t __size_store(struct devic
+
+ allocated += nvdimm_allocated_dpa(ndd, &label_id);
+ }
+- available = nd_region_available_dpa(nd_region);
++ available = nd_region_allocatable_dpa(nd_region);
+
+ if (val > available + allocated)
+ return -ENOSPC;
+--- a/drivers/nvdimm/nd-core.h
++++ b/drivers/nvdimm/nd-core.h
+@@ -100,6 +100,14 @@ struct nd_region;
+ struct nvdimm_drvdata;
+ struct nd_mapping;
+ void nd_mapping_free_labels(struct nd_mapping *nd_mapping);
++
++int __reserve_free_pmem(struct device *dev, void *data);
++void release_free_pmem(struct nvdimm_bus *nvdimm_bus,
++ struct nd_mapping *nd_mapping);
++
++resource_size_t nd_pmem_max_contiguous_dpa(struct nd_region *nd_region,
++ struct nd_mapping *nd_mapping);
++resource_size_t nd_region_allocatable_dpa(struct nd_region *nd_region);
+ resource_size_t nd_pmem_available_dpa(struct nd_region *nd_region,
+ struct nd_mapping *nd_mapping, resource_size_t *overlap);
+ resource_size_t nd_blk_available_dpa(struct nd_region *nd_region);
+--- a/drivers/nvdimm/region_devs.c
++++ b/drivers/nvdimm/region_devs.c
+@@ -389,6 +389,30 @@ resource_size_t nd_region_available_dpa(
+ return available;
+ }
+
++resource_size_t nd_region_allocatable_dpa(struct nd_region *nd_region)
++{
++ resource_size_t available = 0;
++ int i;
++
++ if (is_memory(&nd_region->dev))
++ available = PHYS_ADDR_MAX;
++
++ WARN_ON(!is_nvdimm_bus_locked(&nd_region->dev));
++ for (i = 0; i < nd_region->ndr_mappings; i++) {
++ struct nd_mapping *nd_mapping = &nd_region->mapping[i];
++
++ if (is_memory(&nd_region->dev))
++ available = min(available,
++ nd_pmem_max_contiguous_dpa(nd_region,
++ nd_mapping));
++ else if (is_nd_blk(&nd_region->dev))
++ available += nd_blk_available_dpa(nd_region);
++ }
++ if (is_memory(&nd_region->dev))
++ return available * nd_region->ndr_mappings;
++ return available;
++}
++
+ static ssize_t available_size_show(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
--- /dev/null
+From 2fa147bdbf672c53386a8f5f2c7fe358004c3ef8 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Fri, 13 Jul 2018 21:50:01 -0700
+Subject: mm, dev_pagemap: Do not clear ->mapping on final put
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 2fa147bdbf672c53386a8f5f2c7fe358004c3ef8 upstream.
+
+MEMORY_DEVICE_FS_DAX relies on typical page semantics whereby ->mapping
+is only ever cleared by truncation, not final put.
+
+Without this fix dax pages may forget their mapping association at the
+end of every page pin event.
+
+Move this atypical behavior that HMM wants into the HMM ->page_free()
+callback.
+
+Cc: <stable@vger.kernel.org>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Jérôme Glisse <jglisse@redhat.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
+Fixes: d2c997c0f145 ("fs, dax: use page->mapping...")
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Acked-by: Jérôme Glisse <jglisse@redhat.com>
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/memremap.c | 1 -
+ mm/hmm.c | 2 ++
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/memremap.c
++++ b/kernel/memremap.c
+@@ -355,7 +355,6 @@ void __put_devmap_managed_page(struct pa
+ __ClearPageActive(page);
+ __ClearPageWaiters(page);
+
+- page->mapping = NULL;
+ mem_cgroup_uncharge(page);
+
+ page->pgmap->page_free(page, page->pgmap->data);
+--- a/mm/hmm.c
++++ b/mm/hmm.c
+@@ -963,6 +963,8 @@ static void hmm_devmem_free(struct page
+ {
+ struct hmm_devmem *devmem = data;
+
++ page->mapping = NULL;
++
+ devmem->ops->free(devmem, page);
+ }
+
--- /dev/null
+From a6f572084fbee8b30f91465f4a085d7a90901c57 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 22 Aug 2018 17:30:14 +0200
+Subject: mm/tlb: Remove tlb_remove_table() non-concurrent condition
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit a6f572084fbee8b30f91465f4a085d7a90901c57 upstream.
+
+Will noted that only checking mm_users is incorrect; we should also
+check mm_count in order to cover CPUs that have a lazy reference to
+this mm (and could do speculative TLB operations).
+
+If removing this turns out to be a performance issue, we can
+re-instate a more complete check, but in tlb_table_flush() eliding the
+call_rcu_sched().
+
+Fixes: 267239116987 ("mm, powerpc: move the RCU page-table freeing into generic code")
+Reported-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Rik van Riel <riel@surriel.com>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: David Miller <davem@davemloft.net>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memory.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -391,15 +391,6 @@ void tlb_remove_table(struct mmu_gather
+ {
+ struct mmu_table_batch **batch = &tlb->batch;
+
+- /*
+- * When there's less then two users of this mm there cannot be a
+- * concurrent page-table walk.
+- */
+- if (atomic_read(&tlb->mm->mm_users) < 2) {
+- __tlb_remove_table(table);
+- return;
+- }
+-
+ if (*batch == NULL) {
+ *batch = (struct mmu_table_batch *)__get_free_page(GFP_NOWAIT | __GFP_NOWARN);
+ if (*batch == NULL) {
--- /dev/null
+From 99cbbe56eb8bede625f410ab62ba34673ffa7d21 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Tue, 14 Aug 2018 11:46:08 +0300
+Subject: perf auxtrace: Fix queue resize
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 99cbbe56eb8bede625f410ab62ba34673ffa7d21 upstream.
+
+When the number of queues grows beyond 32, the array of queues is
+resized but not all members were being copied. Fix by also copying
+'tid', 'cpu' and 'set'.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: e502789302a6e ("perf auxtrace: Add helpers for queuing AUX area tracing data")
+Link: http://lkml.kernel.org/r/20180814084608.6563-1-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/auxtrace.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/tools/perf/util/auxtrace.c
++++ b/tools/perf/util/auxtrace.c
+@@ -202,6 +202,9 @@ static int auxtrace_queues__grow(struct
+ for (i = 0; i < queues->nr_queues; i++) {
+ list_splice_tail(&queues->queue_array[i].head,
+ &queue_array[i].head);
++ queue_array[i].tid = queues->queue_array[i].tid;
++ queue_array[i].cpu = queues->queue_array[i].cpu;
++ queue_array[i].set = queues->queue_array[i].set;
+ queue_array[i].priv = queues->queue_array[i].priv;
+ }
+
--- /dev/null
+From 43725feb593127b16318b871e3a9bf89a96d66cb Mon Sep 17 00:00:00 2001
+From: David Rivshin <DRivshin@allworx.com>
+Date: Wed, 1 Aug 2018 10:17:29 -0400
+Subject: pwm: omap-dmtimer: Return -EPROBE_DEFER if no dmtimer platform data
+
+From: David Rivshin <DRivshin@allworx.com>
+
+commit 43725feb593127b16318b871e3a9bf89a96d66cb upstream.
+
+If a pwm-omap-dmtimer is probed before the dmtimer it uses, the platform
+data won't be set yet.
+
+Fixes: ac30751df953 ("ARM: OMAP: pdata-quirks: Remove unused timer pdata")
+Cc: <stable@vger.kernel.org> # 4.17+
+Signed-off-by: David Rivshin <drivshin@allworx.com>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Tested-by: Pavel Machek <pavel@ucw.cz>
+Acked-by: Ladislav Michl <ladis@linux-mips.org>
+Tested-by: Andreas Kemnade <andreas@kemnade.info>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pwm/pwm-omap-dmtimer.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/pwm/pwm-omap-dmtimer.c
++++ b/drivers/pwm/pwm-omap-dmtimer.c
+@@ -264,8 +264,9 @@ static int pwm_omap_dmtimer_probe(struct
+
+ timer_pdata = dev_get_platdata(&timer_pdev->dev);
+ if (!timer_pdata) {
+- dev_err(&pdev->dev, "dmtimer pdata structure NULL\n");
+- ret = -EINVAL;
++ dev_dbg(&pdev->dev,
++ "dmtimer pdata structure NULL, deferring probe\n");
++ ret = -EPROBE_DEFER;
+ goto put;
+ }
+
--- /dev/null
+From aa49d628f6e016bcec8c6f8e704b9b18ee697329 Mon Sep 17 00:00:00 2001
+From: Vignesh R <vigneshr@ti.com>
+Date: Mon, 11 Jun 2018 11:39:55 +0530
+Subject: pwm: tiehrpwm: Don't use emulation mode bits to control PWM output
+
+From: Vignesh R <vigneshr@ti.com>
+
+commit aa49d628f6e016bcec8c6f8e704b9b18ee697329 upstream.
+
+As per AM335x TRM SPRUH73P "15.2.2.11 ePWM Behavior During Emulation",
+TBCTL[15:14] only have effect during emulation suspend events (IOW,
+to stop PWM when debugging using a debugger). These bits have no effect
+on PWM output during normal running of system. Hence, remove code
+accessing these bits as they have no role in enabling/disabling PWMs.
+
+Fixes: 19891b20e7c2 ("pwm: pwm-tiehrpwm: PWM driver support for EHRPWM")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pwm/pwm-tiehrpwm.c | 12 +-----------
+ 1 file changed, 1 insertion(+), 11 deletions(-)
+
+--- a/drivers/pwm/pwm-tiehrpwm.c
++++ b/drivers/pwm/pwm-tiehrpwm.c
+@@ -33,10 +33,6 @@
+ #define TBCTL 0x00
+ #define TBPRD 0x0A
+
+-#define TBCTL_RUN_MASK (BIT(15) | BIT(14))
+-#define TBCTL_STOP_NEXT 0
+-#define TBCTL_STOP_ON_CYCLE BIT(14)
+-#define TBCTL_FREE_RUN (BIT(15) | BIT(14))
+ #define TBCTL_PRDLD_MASK BIT(3)
+ #define TBCTL_PRDLD_SHDW 0
+ #define TBCTL_PRDLD_IMDT BIT(3)
+@@ -360,7 +356,7 @@ static int ehrpwm_pwm_enable(struct pwm_
+ /* Channels polarity can be configured from action qualifier module */
+ configure_polarity(pc, pwm->hwpwm);
+
+- /* Enable TBCLK before enabling PWM device */
++ /* Enable TBCLK */
+ ret = clk_enable(pc->tbclk);
+ if (ret) {
+ dev_err(chip->dev, "Failed to enable TBCLK for %s: %d\n",
+@@ -368,9 +364,6 @@ static int ehrpwm_pwm_enable(struct pwm_
+ return ret;
+ }
+
+- /* Enable time counter for free_run */
+- ehrpwm_modify(pc->mmio_base, TBCTL, TBCTL_RUN_MASK, TBCTL_FREE_RUN);
+-
+ return 0;
+ }
+
+@@ -400,9 +393,6 @@ static void ehrpwm_pwm_disable(struct pw
+ /* Disabling TBCLK on PWM disable */
+ clk_disable(pc->tbclk);
+
+- /* Stop Time base counter */
+- ehrpwm_modify(pc->mmio_base, TBCTL, TBCTL_RUN_MASK, TBCTL_STOP_NEXT);
+-
+ /* Disable clock on PWM disable */
+ pm_runtime_put_sync(chip->dev);
+ }
--- /dev/null
+From 38dabd91ff0bde33352ca3cc65ef515599b77a05 Mon Sep 17 00:00:00 2001
+From: Vignesh R <vigneshr@ti.com>
+Date: Mon, 11 Jun 2018 11:39:56 +0530
+Subject: pwm: tiehrpwm: Fix disabling of output of PWMs
+
+From: Vignesh R <vigneshr@ti.com>
+
+commit 38dabd91ff0bde33352ca3cc65ef515599b77a05 upstream.
+
+pwm-tiehrpwm driver disables PWM output by putting it in low output
+state via active AQCSFRC register in ehrpwm_pwm_disable(). But, the
+AQCSFRC shadow register is not updated. Therefore, when shadow AQCSFRC
+register is re-enabled in ehrpwm_pwm_enable() (say to enable second PWM
+output), previous settings are lost as shadow register value is loaded
+into active register. This results in things like PWMA getting enabled
+automatically, when PWMB is enabled and vice versa. Fix this by
+updating AQCSFRC shadow register as well during ehrpwm_pwm_disable().
+
+Fixes: 19891b20e7c2 ("pwm: pwm-tiehrpwm: PWM driver support for EHRPWM")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pwm/pwm-tiehrpwm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pwm/pwm-tiehrpwm.c
++++ b/drivers/pwm/pwm-tiehrpwm.c
+@@ -381,6 +381,8 @@ static void ehrpwm_pwm_disable(struct pw
+ aqcsfrc_mask = AQCSFRC_CSFA_MASK;
+ }
+
++ /* Update shadow register first before modifying active register */
++ ehrpwm_modify(pc->mmio_base, AQCSFRC, aqcsfrc_mask, aqcsfrc_val);
+ /*
+ * Changes to immediate action on Action Qualifier. This puts
+ * Action Qualifier control on PWM output from next TBCLK
--- /dev/null
+From 08acbdd6fd736b90f8d725da5a0de4de2dd6de62 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Sun, 1 Jul 2018 23:20:50 +0200
+Subject: Revert "UBIFS: Fix potential integer overflow in allocation"
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 08acbdd6fd736b90f8d725da5a0de4de2dd6de62 upstream.
+
+This reverts commit 353748a359f1821ee934afc579cf04572406b420.
+It bypassed the linux-mtd review process and fixes the issue not as it
+should.
+
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Silvio Cesare <silvio.cesare@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/journal.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/ubifs/journal.c
++++ b/fs/ubifs/journal.c
+@@ -1282,11 +1282,10 @@ static int truncate_data_node(const stru
+ int *new_len)
+ {
+ void *buf;
+- int err, compr_type;
+- u32 dlen, out_len, old_dlen;
++ int err, dlen, compr_type, out_len, old_dlen;
+
+ out_len = le32_to_cpu(dn->size);
+- buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS);
++ buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS);
+ if (!buf)
+ return -ENOMEM;
+
nfsv4-fix-a-sleep-in-atomic-context-in-nfs4_callback_sequence.patch
arm-tegra-fix-tegra30-cardhu-pca954x-reset.patch
arm-dts-am57xx-idk-enable-dual-role-for-usb2-port.patch
+pwm-omap-dmtimer-return-eprobe_defer-if-no-dmtimer-platform-data.patch
+mm-tlb-remove-tlb_remove_table-non-concurrent-condition.patch
+iommu-ipmmu-vmsa-don-t-register-as-bus-iommu-if-machine-doesn-t-have-ipmmu-vmsa.patch
+iommu-vt-d-add-definitions-for-pfsid.patch
+iommu-vt-d-fix-dev-iotlb-pfsid-use.patch
+sys-don-t-hold-uts_sem-while-accessing-userspace-memory.patch
+userns-move-user-access-out-of-the-mutex.patch
+ubifs-fix-memory-leak-in-lprobs-self-check.patch
+revert-ubifs-fix-potential-integer-overflow-in-allocation.patch
+ubifs-check-data-node-size-before-truncate.patch
+ubifs-xattr-don-t-operate-on-deleted-inodes.patch
+ubifs-fix-directory-size-calculation-for-symlinks.patch
+ubifs-fix-synced_i_size-calculation-for-xattr-inodes.patch
+pwm-tiehrpwm-don-t-use-emulation-mode-bits-to-control-pwm-output.patch
+pwm-tiehrpwm-fix-disabling-of-output-of-pwms.patch
+fb-fix-lost-console-when-the-user-unplugs-a-usb-adapter.patch
+udlfb-fix-semaphore-value-leak.patch
+udlfb-fix-display-corruption-of-the-last-line.patch
+udlfb-don-t-switch-if-we-are-switching-to-the-same-videomode.patch
+udlfb-set-optimal-write-delay.patch
+udlfb-make-a-local-copy-of-fb_ops.patch
+udlfb-handle-allocation-failure.patch
+udlfb-set-line_length-in-dlfb_ops_set_par.patch
+getxattr-use-correct-xattr-length.patch
+libnvdimm-use-max-contiguous-area-for-namespace-size.patch
+libnvdimm-fix-ars_status-output-length-calculation.patch
+bcache-release-dc-writeback_lock-properly-in-bch_writeback_thread.patch
+kconfig-fix-can-t-open-...-in-parallel-build.patch
+cap_inode_getsecurity-use-d_find_any_alias-instead-of-d_find_alias.patch
+mm-dev_pagemap-do-not-clear-mapping-on-final-put.patch
+perf-auxtrace-fix-queue-resize.patch
+crypto-vmx-fix-sleep-in-atomic-bugs.patch
+crypto-aesni-use-unaligned-loads-from-gcm_context_data.patch
+crypto-arm64-sm4-ce-check-for-the-right-cpu-feature-bit.patch
+crypto-caam-fix-dma-mapping-direction-for-rsa-forms-2-3.patch
+crypto-caam-jr-fix-descriptor-dma-unmapping.patch
+crypto-caam-qi-fix-error-path-in-xts-setkey.patch
+fs-quota-fix-spectre-gadget-in-do_quotactl.patch
+udf-fix-mounting-of-win7-created-udf-filesystems.patch
+cpuidle-menu-retain-tick-when-shallow-state-is-selected.patch
+arm64-mm-always-enable-config_holes_in_zone.patch
--- /dev/null
+From 42a0cc3478584d4d63f68f2f5af021ddbea771fa Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Mon, 25 Jun 2018 18:34:10 +0200
+Subject: sys: don't hold uts_sem while accessing userspace memory
+
+From: Jann Horn <jannh@google.com>
+
+commit 42a0cc3478584d4d63f68f2f5af021ddbea771fa upstream.
+
+Holding uts_sem as a writer while accessing userspace memory allows a
+namespace admin to stall all processes that attempt to take uts_sem.
+Instead, move data through stack buffers and don't access userspace memory
+while uts_sem is held.
+
+Cc: stable@vger.kernel.org
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/alpha/kernel/osf_sys.c | 51 +++++++++-----------
+ arch/sparc/kernel/sys_sparc_32.c | 22 +++++----
+ arch/sparc/kernel/sys_sparc_64.c | 20 ++++----
+ kernel/sys.c | 95 ++++++++++++++++++---------------------
+ kernel/utsname_sysctl.c | 41 ++++++++++------
+ 5 files changed, 119 insertions(+), 110 deletions(-)
+
+--- a/arch/alpha/kernel/osf_sys.c
++++ b/arch/alpha/kernel/osf_sys.c
+@@ -530,24 +530,19 @@ SYSCALL_DEFINE4(osf_mount, unsigned long
+ SYSCALL_DEFINE1(osf_utsname, char __user *, name)
+ {
+ int error;
++ char tmp[5 * 32];
+
+ down_read(&uts_sem);
+- error = -EFAULT;
+- if (copy_to_user(name + 0, utsname()->sysname, 32))
+- goto out;
+- if (copy_to_user(name + 32, utsname()->nodename, 32))
+- goto out;
+- if (copy_to_user(name + 64, utsname()->release, 32))
+- goto out;
+- if (copy_to_user(name + 96, utsname()->version, 32))
+- goto out;
+- if (copy_to_user(name + 128, utsname()->machine, 32))
+- goto out;
++ memcpy(tmp + 0 * 32, utsname()->sysname, 32);
++ memcpy(tmp + 1 * 32, utsname()->nodename, 32);
++ memcpy(tmp + 2 * 32, utsname()->release, 32);
++ memcpy(tmp + 3 * 32, utsname()->version, 32);
++ memcpy(tmp + 4 * 32, utsname()->machine, 32);
++ up_read(&uts_sem);
+
+- error = 0;
+- out:
+- up_read(&uts_sem);
+- return error;
++ if (copy_to_user(name, tmp, sizeof(tmp)))
++ return -EFAULT;
++ return 0;
+ }
+
+ SYSCALL_DEFINE0(getpagesize)
+@@ -567,18 +562,21 @@ SYSCALL_DEFINE2(osf_getdomainname, char
+ {
+ int len, err = 0;
+ char *kname;
++ char tmp[32];
+
+- if (namelen > 32)
++ if (namelen < 0 || namelen > 32)
+ namelen = 32;
+
+ down_read(&uts_sem);
+ kname = utsname()->domainname;
+ len = strnlen(kname, namelen);
+- if (copy_to_user(name, kname, min(len + 1, namelen)))
+- err = -EFAULT;
++ len = min(len + 1, namelen);
++ memcpy(tmp, kname, len);
+ up_read(&uts_sem);
+
+- return err;
++ if (copy_to_user(name, tmp, len))
++ return -EFAULT;
++ return 0;
+ }
+
+ /*
+@@ -739,13 +737,14 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman
+ };
+ unsigned long offset;
+ const char *res;
+- long len, err = -EINVAL;
++ long len;
++ char tmp[__NEW_UTS_LEN + 1];
+
+ offset = command-1;
+ if (offset >= ARRAY_SIZE(sysinfo_table)) {
+ /* Digital UNIX has a few unpublished interfaces here */
+ printk("sysinfo(%d)", command);
+- goto out;
++ return -EINVAL;
+ }
+
+ down_read(&uts_sem);
+@@ -753,13 +752,11 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman
+ len = strlen(res)+1;
+ if ((unsigned long)len > (unsigned long)count)
+ len = count;
+- if (copy_to_user(buf, res, len))
+- err = -EFAULT;
+- else
+- err = 0;
++ memcpy(tmp, res, len);
+ up_read(&uts_sem);
+- out:
+- return err;
++ if (copy_to_user(buf, tmp, len))
++ return -EFAULT;
++ return 0;
+ }
+
+ SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,
+--- a/arch/sparc/kernel/sys_sparc_32.c
++++ b/arch/sparc/kernel/sys_sparc_32.c
+@@ -197,23 +197,27 @@ SYSCALL_DEFINE5(rt_sigaction, int, sig,
+
+ SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len)
+ {
+- int nlen, err;
+-
++ int nlen, err;
++ char tmp[__NEW_UTS_LEN + 1];
++
+ if (len < 0)
+ return -EINVAL;
+
+- down_read(&uts_sem);
+-
++ down_read(&uts_sem);
++
+ nlen = strlen(utsname()->domainname) + 1;
+ err = -EINVAL;
+ if (nlen > len)
+- goto out;
++ goto out_unlock;
++ memcpy(tmp, utsname()->domainname, nlen);
++
++ up_read(&uts_sem);
+
+- err = -EFAULT;
+- if (!copy_to_user(name, utsname()->domainname, nlen))
+- err = 0;
++ if (copy_to_user(name, tmp, nlen))
++ return -EFAULT;
++ return 0;
+
+-out:
++out_unlock:
+ up_read(&uts_sem);
+ return err;
+ }
+--- a/arch/sparc/kernel/sys_sparc_64.c
++++ b/arch/sparc/kernel/sys_sparc_64.c
+@@ -519,23 +519,27 @@ asmlinkage void sparc_breakpoint(struct
+
+ SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len)
+ {
+- int nlen, err;
++ int nlen, err;
++ char tmp[__NEW_UTS_LEN + 1];
+
+ if (len < 0)
+ return -EINVAL;
+
+- down_read(&uts_sem);
+-
++ down_read(&uts_sem);
++
+ nlen = strlen(utsname()->domainname) + 1;
+ err = -EINVAL;
+ if (nlen > len)
+- goto out;
++ goto out_unlock;
++ memcpy(tmp, utsname()->domainname, nlen);
++
++ up_read(&uts_sem);
+
+- err = -EFAULT;
+- if (!copy_to_user(name, utsname()->domainname, nlen))
+- err = 0;
++ if (copy_to_user(name, tmp, nlen))
++ return -EFAULT;
++ return 0;
+
+-out:
++out_unlock:
+ up_read(&uts_sem);
+ return err;
+ }
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1237,18 +1237,19 @@ static int override_release(char __user
+
+ SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name)
+ {
+- int errno = 0;
++ struct new_utsname tmp;
+
+ down_read(&uts_sem);
+- if (copy_to_user(name, utsname(), sizeof *name))
+- errno = -EFAULT;
++ memcpy(&tmp, utsname(), sizeof(tmp));
+ up_read(&uts_sem);
++ if (copy_to_user(name, &tmp, sizeof(tmp)))
++ return -EFAULT;
+
+- if (!errno && override_release(name->release, sizeof(name->release)))
+- errno = -EFAULT;
+- if (!errno && override_architecture(name))
+- errno = -EFAULT;
+- return errno;
++ if (override_release(name->release, sizeof(name->release)))
++ return -EFAULT;
++ if (override_architecture(name))
++ return -EFAULT;
++ return 0;
+ }
+
+ #ifdef __ARCH_WANT_SYS_OLD_UNAME
+@@ -1257,55 +1258,46 @@ SYSCALL_DEFINE1(newuname, struct new_uts
+ */
+ SYSCALL_DEFINE1(uname, struct old_utsname __user *, name)
+ {
+- int error = 0;
++ struct old_utsname tmp;
+
+ if (!name)
+ return -EFAULT;
+
+ down_read(&uts_sem);
+- if (copy_to_user(name, utsname(), sizeof(*name)))
+- error = -EFAULT;
++ memcpy(&tmp, utsname(), sizeof(tmp));
+ up_read(&uts_sem);
++ if (copy_to_user(name, &tmp, sizeof(tmp)))
++ return -EFAULT;
+
+- if (!error && override_release(name->release, sizeof(name->release)))
+- error = -EFAULT;
+- if (!error && override_architecture(name))
+- error = -EFAULT;
+- return error;
++ if (override_release(name->release, sizeof(name->release)))
++ return -EFAULT;
++ if (override_architecture(name))
++ return -EFAULT;
++ return 0;
+ }
+
+ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
+ {
+- int error;
++ struct oldold_utsname tmp = {};
+
+ if (!name)
+ return -EFAULT;
+- if (!access_ok(VERIFY_WRITE, name, sizeof(struct oldold_utsname)))
+- return -EFAULT;
+
+ down_read(&uts_sem);
+- error = __copy_to_user(&name->sysname, &utsname()->sysname,
+- __OLD_UTS_LEN);
+- error |= __put_user(0, name->sysname + __OLD_UTS_LEN);
+- error |= __copy_to_user(&name->nodename, &utsname()->nodename,
+- __OLD_UTS_LEN);
+- error |= __put_user(0, name->nodename + __OLD_UTS_LEN);
+- error |= __copy_to_user(&name->release, &utsname()->release,
+- __OLD_UTS_LEN);
+- error |= __put_user(0, name->release + __OLD_UTS_LEN);
+- error |= __copy_to_user(&name->version, &utsname()->version,
+- __OLD_UTS_LEN);
+- error |= __put_user(0, name->version + __OLD_UTS_LEN);
+- error |= __copy_to_user(&name->machine, &utsname()->machine,
+- __OLD_UTS_LEN);
+- error |= __put_user(0, name->machine + __OLD_UTS_LEN);
++ memcpy(&tmp.sysname, &utsname()->sysname, __OLD_UTS_LEN);
++ memcpy(&tmp.nodename, &utsname()->nodename, __OLD_UTS_LEN);
++ memcpy(&tmp.release, &utsname()->release, __OLD_UTS_LEN);
++ memcpy(&tmp.version, &utsname()->version, __OLD_UTS_LEN);
++ memcpy(&tmp.machine, &utsname()->machine, __OLD_UTS_LEN);
+ up_read(&uts_sem);
++ if (copy_to_user(name, &tmp, sizeof(tmp)))
++ return -EFAULT;
+
+- if (!error && override_architecture(name))
+- error = -EFAULT;
+- if (!error && override_release(name->release, sizeof(name->release)))
+- error = -EFAULT;
+- return error ? -EFAULT : 0;
++ if (override_architecture(name))
++ return -EFAULT;
++ if (override_release(name->release, sizeof(name->release)))
++ return -EFAULT;
++ return 0;
+ }
+ #endif
+
+@@ -1319,17 +1311,18 @@ SYSCALL_DEFINE2(sethostname, char __user
+
+ if (len < 0 || len > __NEW_UTS_LEN)
+ return -EINVAL;
+- down_write(&uts_sem);
+ errno = -EFAULT;
+ if (!copy_from_user(tmp, name, len)) {
+- struct new_utsname *u = utsname();
++ struct new_utsname *u;
+
++ down_write(&uts_sem);
++ u = utsname();
+ memcpy(u->nodename, tmp, len);
+ memset(u->nodename + len, 0, sizeof(u->nodename) - len);
+ errno = 0;
+ uts_proc_notify(UTS_PROC_HOSTNAME);
++ up_write(&uts_sem);
+ }
+- up_write(&uts_sem);
+ return errno;
+ }
+
+@@ -1337,8 +1330,9 @@ SYSCALL_DEFINE2(sethostname, char __user
+
+ SYSCALL_DEFINE2(gethostname, char __user *, name, int, len)
+ {
+- int i, errno;
++ int i;
+ struct new_utsname *u;
++ char tmp[__NEW_UTS_LEN + 1];
+
+ if (len < 0)
+ return -EINVAL;
+@@ -1347,11 +1341,11 @@ SYSCALL_DEFINE2(gethostname, char __user
+ i = 1 + strlen(u->nodename);
+ if (i > len)
+ i = len;
+- errno = 0;
+- if (copy_to_user(name, u->nodename, i))
+- errno = -EFAULT;
++ memcpy(tmp, u->nodename, i);
+ up_read(&uts_sem);
+- return errno;
++ if (copy_to_user(name, tmp, i))
++ return -EFAULT;
++ return 0;
+ }
+
+ #endif
+@@ -1370,17 +1364,18 @@ SYSCALL_DEFINE2(setdomainname, char __us
+ if (len < 0 || len > __NEW_UTS_LEN)
+ return -EINVAL;
+
+- down_write(&uts_sem);
+ errno = -EFAULT;
+ if (!copy_from_user(tmp, name, len)) {
+- struct new_utsname *u = utsname();
++ struct new_utsname *u;
+
++ down_write(&uts_sem);
++ u = utsname();
+ memcpy(u->domainname, tmp, len);
+ memset(u->domainname + len, 0, sizeof(u->domainname) - len);
+ errno = 0;
+ uts_proc_notify(UTS_PROC_DOMAINNAME);
++ up_write(&uts_sem);
+ }
+- up_write(&uts_sem);
+ return errno;
+ }
+
+--- a/kernel/utsname_sysctl.c
++++ b/kernel/utsname_sysctl.c
+@@ -18,7 +18,7 @@
+
+ #ifdef CONFIG_PROC_SYSCTL
+
+-static void *get_uts(struct ctl_table *table, int write)
++static void *get_uts(struct ctl_table *table)
+ {
+ char *which = table->data;
+ struct uts_namespace *uts_ns;
+@@ -26,21 +26,9 @@ static void *get_uts(struct ctl_table *t
+ uts_ns = current->nsproxy->uts_ns;
+ which = (which - (char *)&init_uts_ns) + (char *)uts_ns;
+
+- if (!write)
+- down_read(&uts_sem);
+- else
+- down_write(&uts_sem);
+ return which;
+ }
+
+-static void put_uts(struct ctl_table *table, int write, void *which)
+-{
+- if (!write)
+- up_read(&uts_sem);
+- else
+- up_write(&uts_sem);
+-}
+-
+ /*
+ * Special case of dostring for the UTS structure. This has locks
+ * to observe. Should this be in kernel/sys.c ????
+@@ -50,13 +38,34 @@ static int proc_do_uts_string(struct ctl
+ {
+ struct ctl_table uts_table;
+ int r;
++ char tmp_data[__NEW_UTS_LEN + 1];
++
+ memcpy(&uts_table, table, sizeof(uts_table));
+- uts_table.data = get_uts(table, write);
++ uts_table.data = tmp_data;
++
++ /*
++ * Buffer the value in tmp_data so that proc_dostring() can be called
++ * without holding any locks.
++ * We also need to read the original value in the write==1 case to
++ * support partial writes.
++ */
++ down_read(&uts_sem);
++ memcpy(tmp_data, get_uts(table), sizeof(tmp_data));
++ up_read(&uts_sem);
+ r = proc_dostring(&uts_table, write, buffer, lenp, ppos);
+- put_uts(table, write, uts_table.data);
+
+- if (write)
++ if (write) {
++ /*
++ * Write back the new value.
++ * Note that, since we dropped uts_sem, the result can
++ * theoretically be incorrect if there are two parallel writes
++ * at non-zero offsets to the same sysctl.
++ */
++ down_write(&uts_sem);
++ memcpy(get_uts(table), tmp_data, sizeof(tmp_data));
++ up_write(&uts_sem);
+ proc_sys_poll_notify(table->poll);
++ }
+
+ return r;
+ }
--- /dev/null
+From 95a22d2084d72ea067d8323cc85677dba5d97cae Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Sun, 1 Jul 2018 23:20:51 +0200
+Subject: ubifs: Check data node size before truncate
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 95a22d2084d72ea067d8323cc85677dba5d97cae upstream.
+
+Check whether the size is within bounds before using it.
+If the size is not correct, abort and dump the bad data node.
+
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Silvio Cesare <silvio.cesare@gmail.com>
+Cc: stable@vger.kernel.org
+Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
+Reported-by: Silvio Cesare <silvio.cesare@gmail.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/journal.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/ubifs/journal.c
++++ b/fs/ubifs/journal.c
+@@ -1387,7 +1387,16 @@ int ubifs_jnl_truncate(struct ubifs_info
+ else if (err)
+ goto out_free;
+ else {
+- if (le32_to_cpu(dn->size) <= dlen)
++ int dn_len = le32_to_cpu(dn->size);
++
++ if (dn_len <= 0 || dn_len > UBIFS_BLOCK_SIZE) {
++ ubifs_err(c, "bad data node (block %u, inode %lu)",
++ blk, inode->i_ino);
++ ubifs_dump_node(c, dn);
++ goto out_free;
++ }
++
++ if (dn_len <= dlen)
+ dlen = 0; /* Nothing to do */
+ else {
+ err = truncate_data_node(c, inode, blk, dn, &dlen);
--- /dev/null
+From 00ee8b60102862f4daf0814d12a2ea2744fc0b9b Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Mon, 11 Jun 2018 23:41:09 +0200
+Subject: ubifs: Fix directory size calculation for symlinks
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 00ee8b60102862f4daf0814d12a2ea2744fc0b9b upstream.
+
+We have to account the name of the symlink and not the target length.
+
+Fixes: ca7f85be8d6c ("ubifs: Add support for encrypted symlinks")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/dir.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -1123,8 +1123,7 @@ static int ubifs_symlink(struct inode *d
+ struct ubifs_inode *ui;
+ struct ubifs_inode *dir_ui = ubifs_inode(dir);
+ struct ubifs_info *c = dir->i_sb->s_fs_info;
+- int err, len = strlen(symname);
+- int sz_change = CALC_DENT_SIZE(len);
++ int err, sz_change, len = strlen(symname);
+ struct fscrypt_str disk_link;
+ struct ubifs_budget_req req = { .new_ino = 1, .new_dent = 1,
+ .new_ino_d = ALIGN(len, 8),
+@@ -1151,6 +1150,8 @@ static int ubifs_symlink(struct inode *d
+ if (err)
+ goto out_budg;
+
++ sz_change = CALC_DENT_SIZE(fname_len(&nm));
++
+ inode = ubifs_new_inode(c, dir, S_IFLNK | S_IRWXUGO);
+ if (IS_ERR(inode)) {
+ err = PTR_ERR(inode);
--- /dev/null
+From eef19816ada3abd56d9f20c88794cc2fea83ebb2 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Tue, 12 Jun 2018 20:49:45 +0200
+Subject: ubifs: Fix memory leak in lprobs self-check
+
+From: Richard Weinberger <richard@nod.at>
+
+commit eef19816ada3abd56d9f20c88794cc2fea83ebb2 upstream.
+
+Allocate the buffer after we return early.
+Otherwise memory is being leaked.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/lprops.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/ubifs/lprops.c
++++ b/fs/ubifs/lprops.c
+@@ -1089,10 +1089,6 @@ static int scan_check_cb(struct ubifs_in
+ }
+ }
+
+- buf = __vmalloc(c->leb_size, GFP_NOFS, PAGE_KERNEL);
+- if (!buf)
+- return -ENOMEM;
+-
+ /*
+ * After an unclean unmount, empty and freeable LEBs
+ * may contain garbage - do not scan them.
+@@ -1111,6 +1107,10 @@ static int scan_check_cb(struct ubifs_in
+ return LPT_SCAN_CONTINUE;
+ }
+
++ buf = __vmalloc(c->leb_size, GFP_NOFS, PAGE_KERNEL);
++ if (!buf)
++ return -ENOMEM;
++
+ sleb = ubifs_scan(c, lnum, 0, buf, 0);
+ if (IS_ERR(sleb)) {
+ ret = PTR_ERR(sleb);
--- /dev/null
+From 59965593205fa4044850d35ee3557cf0b7edcd14 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Tue, 12 Jun 2018 00:52:28 +0200
+Subject: ubifs: Fix synced_i_size calculation for xattr inodes
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 59965593205fa4044850d35ee3557cf0b7edcd14 upstream.
+
+In ubifs_jnl_update() we sync parent and child inodes to the flash,
+in case of xattrs, the parent inode (AKA host inode) has a non-zero
+data_len. Therefore we need to adjust synced_i_size too.
+
+This issue was reported by ubifs self tests unter a xattr related work
+load.
+UBIFS error (ubi0:0 pid 1896): dbg_check_synced_i_size: ui_size is 4, synced_i_size is 0, but inode is clean
+UBIFS error (ubi0:0 pid 1896): dbg_check_synced_i_size: i_ino 65, i_mode 0x81a4, i_size 4
+
+Cc: <stable@vger.kernel.org>
+Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/journal.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/ubifs/journal.c
++++ b/fs/ubifs/journal.c
+@@ -664,6 +664,11 @@ int ubifs_jnl_update(struct ubifs_info *
+ spin_lock(&ui->ui_lock);
+ ui->synced_i_size = ui->ui_size;
+ spin_unlock(&ui->ui_lock);
++ if (xent) {
++ spin_lock(&host_ui->ui_lock);
++ host_ui->synced_i_size = host_ui->ui_size;
++ spin_unlock(&host_ui->ui_lock);
++ }
+ mark_inode_clean(c, ui);
+ mark_inode_clean(c, host_ui);
+ return 0;
--- /dev/null
+From 11a6fc3dc743e22fb50f2196ec55bee5140d3c52 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Sun, 8 Jul 2018 23:33:25 +0200
+Subject: ubifs: xattr: Don't operate on deleted inodes
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 11a6fc3dc743e22fb50f2196ec55bee5140d3c52 upstream.
+
+xattr operations can race with unlink and the following assert triggers:
+UBIFS assert failed in ubifs_jnl_change_xattr at 1606 (pid 6256)
+
+Fix this by checking i_nlink before working on the host inode.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/xattr.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/fs/ubifs/xattr.c
++++ b/fs/ubifs/xattr.c
+@@ -152,6 +152,12 @@ static int create_xattr(struct ubifs_inf
+ ui->data_len = size;
+
+ mutex_lock(&host_ui->ui_mutex);
++
++ if (!host->i_nlink) {
++ err = -ENOENT;
++ goto out_noent;
++ }
++
+ host->i_ctime = current_time(host);
+ host_ui->xattr_cnt += 1;
+ host_ui->xattr_size += CALC_DENT_SIZE(fname_len(nm));
+@@ -184,6 +190,7 @@ out_cancel:
+ host_ui->xattr_size -= CALC_XATTR_BYTES(size);
+ host_ui->xattr_names -= fname_len(nm);
+ host_ui->flags &= ~UBIFS_CRYPT_FL;
++out_noent:
+ mutex_unlock(&host_ui->ui_mutex);
+ out_free:
+ make_bad_inode(inode);
+@@ -235,6 +242,12 @@ static int change_xattr(struct ubifs_inf
+ mutex_unlock(&ui->ui_mutex);
+
+ mutex_lock(&host_ui->ui_mutex);
++
++ if (!host->i_nlink) {
++ err = -ENOENT;
++ goto out_noent;
++ }
++
+ host->i_ctime = current_time(host);
+ host_ui->xattr_size -= CALC_XATTR_BYTES(old_size);
+ host_ui->xattr_size += CALC_XATTR_BYTES(size);
+@@ -256,6 +269,7 @@ static int change_xattr(struct ubifs_inf
+ out_cancel:
+ host_ui->xattr_size -= CALC_XATTR_BYTES(size);
+ host_ui->xattr_size += CALC_XATTR_BYTES(old_size);
++out_noent:
+ mutex_unlock(&host_ui->ui_mutex);
+ make_bad_inode(inode);
+ out_free:
+@@ -482,6 +496,12 @@ static int remove_xattr(struct ubifs_inf
+ return err;
+
+ mutex_lock(&host_ui->ui_mutex);
++
++ if (!host->i_nlink) {
++ err = -ENOENT;
++ goto out_noent;
++ }
++
+ host->i_ctime = current_time(host);
+ host_ui->xattr_cnt -= 1;
+ host_ui->xattr_size -= CALC_DENT_SIZE(fname_len(nm));
+@@ -501,6 +521,7 @@ out_cancel:
+ host_ui->xattr_size += CALC_DENT_SIZE(fname_len(nm));
+ host_ui->xattr_size += CALC_XATTR_BYTES(ui->data_len);
+ host_ui->xattr_names += fname_len(nm);
++out_noent:
+ mutex_unlock(&host_ui->ui_mutex);
+ ubifs_release_budget(c, &req);
+ make_bad_inode(inode);
+@@ -540,6 +561,9 @@ static int ubifs_xattr_remove(struct ino
+
+ ubifs_assert(inode_is_locked(host));
+
++ if (!host->i_nlink)
++ return -ENOENT;
++
+ if (fname_len(&nm) > UBIFS_MAX_NLEN)
+ return -ENAMETOOLONG;
+
--- /dev/null
+From ee4af50ca94f58afc3532662779b9cf80bbe27c8 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 21 Aug 2018 14:52:34 +0200
+Subject: udf: Fix mounting of Win7 created UDF filesystems
+
+From: Jan Kara <jack@suse.cz>
+
+commit ee4af50ca94f58afc3532662779b9cf80bbe27c8 upstream.
+
+Win7 is creating UDF filesystems with single partition with number 8192.
+Current partition descriptor scanning code does not handle this well as
+it incorrectly assumes that partition numbers will form mostly contiguous
+space of small numbers. This results in unmountable media due to errors
+like:
+
+UDF-fs: error (device dm-1): udf_read_tagged: tag version 0x0000 != 0x0002 || 0x0003, block 0
+UDF-fs: warning (device dm-1): udf_fill_super: No fileset found
+
+Fix the problem by handling partition descriptors in a way that sparse
+partition numbering does not matter.
+
+Reported-and-tested-by: jean-luc malet <jeanluc.malet@gmail.com>
+CC: stable@vger.kernel.org
+Fixes: 7b78fd02fb19530fd101ae137a1f46aa466d9bb6
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/super.c | 31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -1570,10 +1570,16 @@ static void udf_load_logicalvolint(struc
+ */
+ #define PART_DESC_ALLOC_STEP 32
+
++struct part_desc_seq_scan_data {
++ struct udf_vds_record rec;
++ u32 partnum;
++};
++
+ struct desc_seq_scan_data {
+ struct udf_vds_record vds[VDS_POS_LENGTH];
+ unsigned int size_part_descs;
+- struct udf_vds_record *part_descs_loc;
++ unsigned int num_part_descs;
++ struct part_desc_seq_scan_data *part_descs_loc;
+ };
+
+ static struct udf_vds_record *handle_partition_descriptor(
+@@ -1582,10 +1588,14 @@ static struct udf_vds_record *handle_par
+ {
+ struct partitionDesc *desc = (struct partitionDesc *)bh->b_data;
+ int partnum;
++ int i;
+
+ partnum = le16_to_cpu(desc->partitionNumber);
+- if (partnum >= data->size_part_descs) {
+- struct udf_vds_record *new_loc;
++ for (i = 0; i < data->num_part_descs; i++)
++ if (partnum == data->part_descs_loc[i].partnum)
++ return &(data->part_descs_loc[i].rec);
++ if (data->num_part_descs >= data->size_part_descs) {
++ struct part_desc_seq_scan_data *new_loc;
+ unsigned int new_size = ALIGN(partnum, PART_DESC_ALLOC_STEP);
+
+ new_loc = kcalloc(new_size, sizeof(*new_loc), GFP_KERNEL);
+@@ -1597,7 +1607,7 @@ static struct udf_vds_record *handle_par
+ data->part_descs_loc = new_loc;
+ data->size_part_descs = new_size;
+ }
+- return &(data->part_descs_loc[partnum]);
++ return &(data->part_descs_loc[data->num_part_descs++].rec);
+ }
+
+
+@@ -1647,6 +1657,7 @@ static noinline int udf_process_sequence
+
+ memset(data.vds, 0, sizeof(struct udf_vds_record) * VDS_POS_LENGTH);
+ data.size_part_descs = PART_DESC_ALLOC_STEP;
++ data.num_part_descs = 0;
+ data.part_descs_loc = kcalloc(data.size_part_descs,
+ sizeof(*data.part_descs_loc),
+ GFP_KERNEL);
+@@ -1658,7 +1669,6 @@ static noinline int udf_process_sequence
+ * are in it.
+ */
+ for (; (!done && block <= lastblock); block++) {
+-
+ bh = udf_read_tagged(sb, block, block, &ident);
+ if (!bh)
+ break;
+@@ -1730,13 +1740,10 @@ static noinline int udf_process_sequence
+ }
+
+ /* Now handle prevailing Partition Descriptors */
+- for (i = 0; i < data.size_part_descs; i++) {
+- if (data.part_descs_loc[i].block) {
+- ret = udf_load_partdesc(sb,
+- data.part_descs_loc[i].block);
+- if (ret < 0)
+- return ret;
+- }
++ for (i = 0; i < data.num_part_descs; i++) {
++ ret = udf_load_partdesc(sb, data.part_descs_loc[i].rec.block);
++ if (ret < 0)
++ return ret;
+ }
+
+ return 0;
--- /dev/null
+From 564f1807379298dfdb12ed0d5b25fcb89c238527 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 25 Jul 2018 15:41:55 +0200
+Subject: udlfb: don't switch if we are switching to the same videomode
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 564f1807379298dfdb12ed0d5b25fcb89c238527 upstream.
+
+The udlfb driver reprograms the hardware everytime the user switches the
+console, that makes quite unusable when working on the console.
+
+This patch makes the driver remember the videomode we are in and avoid
+reprogramming the hardware if we switch to the same videomode.
+
+We mask the "activate" field and the "FB_VMODE_SMOOTH_XPAN" flag when
+comparing the videomode, because they cause spurious switches when
+switching to and from the Xserver.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/udlfb.c | 18 ++++++++++++++++--
+ include/video/udlfb.h | 1 +
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/fbdev/udlfb.c
++++ b/drivers/video/fbdev/udlfb.c
+@@ -1041,10 +1041,24 @@ static int dlfb_ops_set_par(struct fb_in
+ int result;
+ u16 *pix_framebuffer;
+ int i;
++ struct fb_var_screeninfo fvs;
++
++ /* clear the activate field because it causes spurious miscompares */
++ fvs = info->var;
++ fvs.activate = 0;
++ fvs.vmode &= ~FB_VMODE_SMOOTH_XPAN;
++
++ if (!memcmp(&dlfb->current_mode, &fvs, sizeof(struct fb_var_screeninfo)))
++ return 0;
+
+ result = dlfb_set_video_mode(dlfb, &info->var);
+
+- if ((result == 0) && (dlfb->fb_count == 0)) {
++ if (result)
++ return result;
++
++ dlfb->current_mode = fvs;
++
++ if (dlfb->fb_count == 0) {
+
+ /* paint greenscreen */
+
+@@ -1056,7 +1070,7 @@ static int dlfb_ops_set_par(struct fb_in
+ info->screen_base);
+ }
+
+- return result;
++ return 0;
+ }
+
+ /* To fonzi the jukebox (e.g. make blanking changes take effect) */
+--- a/include/video/udlfb.h
++++ b/include/video/udlfb.h
+@@ -56,6 +56,7 @@ struct dlfb_data {
+ atomic_t bytes_identical; /* saved effort with backbuffer comparison */
+ atomic_t bytes_sent; /* to usb, after compression including overhead */
+ atomic_t cpu_kcycles_used; /* transpired during pixel processing */
++ struct fb_var_screeninfo current_mode;
+ };
+
+ #define NR_USB_REQUEST_I2C_SUB_IO 0x02
--- /dev/null
+From 4e705e17ce3409a1f492cfd5dadcf6a4f6075842 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 25 Jul 2018 15:41:54 +0200
+Subject: udlfb: fix display corruption of the last line
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 4e705e17ce3409a1f492cfd5dadcf6a4f6075842 upstream.
+
+The displaylink hardware has such a peculiarity that it doesn't render a
+command until next command is received. This produces occasional
+corruption, such as when setting 22x11 font on the console, only the first
+line of the cursor will be blinking if the cursor is located at some
+specific columns.
+
+When we end up with a repeating pixel, the driver has a bug that it leaves
+one uninitialized byte after the command (and this byte is enough to flush
+the command and render it - thus it fixes the screen corruption), however
+whe we end up with a non-repeating pixel, there is no byte appended and
+this results in temporary screen corruption.
+
+This patch fixes the screen corruption by always appending a byte 0xAF at
+the end of URB. It also removes the uninitialized byte.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/udlfb.c | 30 ++++++++++++++++++++----------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+--- a/drivers/video/fbdev/udlfb.c
++++ b/drivers/video/fbdev/udlfb.c
+@@ -27,6 +27,7 @@
+ #include <linux/slab.h>
+ #include <linux/prefetch.h>
+ #include <linux/delay.h>
++#include <asm/unaligned.h>
+ #include <video/udlfb.h>
+ #include "edid.h"
+
+@@ -450,17 +451,17 @@ static void dlfb_compress_hline(
+ raw_pixels_count_byte = cmd++; /* we'll know this later */
+ raw_pixel_start = pixel;
+
+- cmd_pixel_end = pixel + min(MAX_CMD_PIXELS + 1,
+- min((int)(pixel_end - pixel),
+- (int)(cmd_buffer_end - cmd) / BPP));
++ cmd_pixel_end = pixel + min3(MAX_CMD_PIXELS + 1UL,
++ (unsigned long)(pixel_end - pixel),
++ (unsigned long)(cmd_buffer_end - 1 - cmd) / BPP);
+
+- prefetch_range((void *) pixel, (cmd_pixel_end - pixel) * BPP);
++ prefetch_range((void *) pixel, (u8 *)cmd_pixel_end - (u8 *)pixel);
+
+ while (pixel < cmd_pixel_end) {
+ const uint16_t * const repeating_pixel = pixel;
+
+- *cmd++ = *pixel >> 8;
+- *cmd++ = *pixel;
++ put_unaligned_be16(*pixel, cmd);
++ cmd += 2;
+ pixel++;
+
+ if (unlikely((pixel < cmd_pixel_end) &&
+@@ -486,13 +487,16 @@ static void dlfb_compress_hline(
+ if (pixel > raw_pixel_start) {
+ /* finalize last RAW span */
+ *raw_pixels_count_byte = (pixel-raw_pixel_start) & 0xFF;
++ } else {
++ /* undo unused byte */
++ cmd--;
+ }
+
+ *cmd_pixels_count_byte = (pixel - cmd_pixel_start) & 0xFF;
+- dev_addr += (pixel - cmd_pixel_start) * BPP;
++ dev_addr += (u8 *)pixel - (u8 *)cmd_pixel_start;
+ }
+
+- if (cmd_buffer_end <= MIN_RLX_CMD_BYTES + cmd) {
++ if (cmd_buffer_end - MIN_RLX_CMD_BYTES <= cmd) {
+ /* Fill leftover bytes with no-ops */
+ if (cmd_buffer_end > cmd)
+ memset(cmd, 0xAF, cmd_buffer_end - cmd);
+@@ -610,8 +614,11 @@ static int dlfb_handle_damage(struct dlf
+ }
+
+ if (cmd > (char *) urb->transfer_buffer) {
++ int len;
++ if (cmd < (char *) urb->transfer_buffer + urb->transfer_buffer_length)
++ *cmd++ = 0xAF;
+ /* Send partial buffer remaining before exiting */
+- int len = cmd - (char *) urb->transfer_buffer;
++ len = cmd - (char *) urb->transfer_buffer;
+ ret = dlfb_submit_urb(dlfb, urb, len);
+ bytes_sent += len;
+ } else
+@@ -735,8 +742,11 @@ static void dlfb_dpy_deferred_io(struct
+ }
+
+ if (cmd > (char *) urb->transfer_buffer) {
++ int len;
++ if (cmd < (char *) urb->transfer_buffer + urb->transfer_buffer_length)
++ *cmd++ = 0xAF;
+ /* Send partial buffer remaining before exiting */
+- int len = cmd - (char *) urb->transfer_buffer;
++ len = cmd - (char *) urb->transfer_buffer;
+ dlfb_submit_urb(dlfb, urb, len);
+ bytes_sent += len;
+ } else
--- /dev/null
+From 9d0aa601e4cd9c0892f90d36e8488d79b72f4073 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 25 Jul 2018 15:41:54 +0200
+Subject: udlfb: fix semaphore value leak
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 9d0aa601e4cd9c0892f90d36e8488d79b72f4073 upstream.
+
+I observed that the performance of the udl fb driver degrades over time.
+On a freshly booted machine, it takes 6 seconds to do "ls -la /usr/bin";
+after some time of use, the same operation takes 14 seconds.
+
+The reason is that the value of "limit_sem" decays over time.
+
+The udl driver uses a semaphore "limit_set" to specify how many free urbs
+are there on dlfb->urbs.list. If the count is zero, the "down" operation
+will sleep until some urbs are added to the freelist.
+
+In order to avoid some hypothetical deadlock, the driver will not call
+"up" immediately, but it will offload it to a workqueue. The problem is
+that if we call "schedule_delayed_work" on the same work item multiple
+times, the work item may only be executed once.
+
+This is happening:
+* some urb completes
+* dlfb_urb_completion adds it to the free list
+* dlfb_urb_completion calls schedule_delayed_work to schedule the function
+ dlfb_release_urb_work to increase the semaphore count
+* as the urb is on the free list, some other task grabs it and submits it
+* the submitted urb completes, dlfb_urb_completion is called again
+* dlfb_urb_completion calls schedule_delayed_work, but the work is already
+ scheduled, so it does nothing
+* finally, dlfb_release_urb_work is called, it increases the semaphore
+ count by 1, although it should increase it by 2
+
+So, the semaphore count is decreasing over time, and this causes gradual
+performance degradation.
+
+Note that in the current kernel, the "up" function may be called from
+interrupt and it may race with the "down" function called by another
+thread, so we don't have to offload the call of "up" to a workqueue at
+all. This patch removes the workqueue code. The patch also changes
+"down_interruptible" to "down" in dlfb_free_urb_list, so that we will
+clean up the driver properly even if a signal arrives.
+
+With this patch, the performance of udlfb no longer degrades.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+[b.zolnierkie: fix immediatelly -> immediately typo]
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/udlfb.c | 27 ++-------------------------
+ include/video/udlfb.h | 1 -
+ 2 files changed, 2 insertions(+), 26 deletions(-)
+
+--- a/drivers/video/fbdev/udlfb.c
++++ b/drivers/video/fbdev/udlfb.c
+@@ -922,14 +922,6 @@ static void dlfb_free(struct kref *kref)
+ kfree(dlfb);
+ }
+
+-static void dlfb_release_urb_work(struct work_struct *work)
+-{
+- struct urb_node *unode = container_of(work, struct urb_node,
+- release_urb_work.work);
+-
+- up(&unode->dlfb->urbs.limit_sem);
+-}
+-
+ static void dlfb_free_framebuffer(struct dlfb_data *dlfb)
+ {
+ struct fb_info *info = dlfb->info;
+@@ -1789,14 +1781,7 @@ static void dlfb_urb_completion(struct u
+ dlfb->urbs.available++;
+ spin_unlock_irqrestore(&dlfb->urbs.lock, flags);
+
+- /*
+- * When using fb_defio, we deadlock if up() is called
+- * while another is waiting. So queue to another process.
+- */
+- if (fb_defio)
+- schedule_delayed_work(&unode->release_urb_work, 0);
+- else
+- up(&dlfb->urbs.limit_sem);
++ up(&dlfb->urbs.limit_sem);
+ }
+
+ static void dlfb_free_urb_list(struct dlfb_data *dlfb)
+@@ -1805,16 +1790,11 @@ static void dlfb_free_urb_list(struct dl
+ struct list_head *node;
+ struct urb_node *unode;
+ struct urb *urb;
+- int ret;
+ unsigned long flags;
+
+ /* keep waiting and freeing, until we've got 'em all */
+ while (count--) {
+-
+- /* Getting interrupted means a leak, but ok at disconnect */
+- ret = down_interruptible(&dlfb->urbs.limit_sem);
+- if (ret)
+- break;
++ down(&dlfb->urbs.limit_sem);
+
+ spin_lock_irqsave(&dlfb->urbs.lock, flags);
+
+@@ -1854,9 +1834,6 @@ static int dlfb_alloc_urb_list(struct dl
+ break;
+ unode->dlfb = dlfb;
+
+- INIT_DELAYED_WORK(&unode->release_urb_work,
+- dlfb_release_urb_work);
+-
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+ if (!urb) {
+ kfree(unode);
+--- a/include/video/udlfb.h
++++ b/include/video/udlfb.h
+@@ -20,7 +20,6 @@ struct dloarea {
+ struct urb_node {
+ struct list_head entry;
+ struct dlfb_data *dlfb;
+- struct delayed_work release_urb_work;
+ struct urb *urb;
+ };
+
--- /dev/null
+From 080fb5240bdcabed7387b814139c3ea172d59fc5 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 25 Jul 2018 15:41:56 +0200
+Subject: udlfb: handle allocation failure
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 080fb5240bdcabed7387b814139c3ea172d59fc5 upstream.
+
+Allocations larger than PAGE_ALLOC_COSTLY_ORDER are unreliable and they
+may fail anytime. This patch fixes the udlfb driver so that when a large
+alloactions fails, it tries to do multiple smaller allocations.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/udlfb.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+--- a/drivers/video/fbdev/udlfb.c
++++ b/drivers/video/fbdev/udlfb.c
+@@ -1843,17 +1843,22 @@ static void dlfb_free_urb_list(struct dl
+
+ static int dlfb_alloc_urb_list(struct dlfb_data *dlfb, int count, size_t size)
+ {
+- int i = 0;
+ struct urb *urb;
+ struct urb_node *unode;
+ char *buf;
++ size_t wanted_size = count * size;
+
+ spin_lock_init(&dlfb->urbs.lock);
+
++retry:
+ dlfb->urbs.size = size;
+ INIT_LIST_HEAD(&dlfb->urbs.list);
+
+- while (i < count) {
++ sema_init(&dlfb->urbs.limit_sem, 0);
++ dlfb->urbs.count = 0;
++ dlfb->urbs.available = 0;
++
++ while (dlfb->urbs.count * size < wanted_size) {
+ unode = kzalloc(sizeof(*unode), GFP_KERNEL);
+ if (!unode)
+ break;
+@@ -1866,11 +1871,16 @@ static int dlfb_alloc_urb_list(struct dl
+ }
+ unode->urb = urb;
+
+- buf = usb_alloc_coherent(dlfb->udev, MAX_TRANSFER, GFP_KERNEL,
++ buf = usb_alloc_coherent(dlfb->udev, size, GFP_KERNEL,
+ &urb->transfer_dma);
+ if (!buf) {
+ kfree(unode);
+ usb_free_urb(urb);
++ if (size > PAGE_SIZE) {
++ size /= 2;
++ dlfb_free_urb_list(dlfb);
++ goto retry;
++ }
+ break;
+ }
+
+@@ -1881,14 +1891,12 @@ static int dlfb_alloc_urb_list(struct dl
+
+ list_add_tail(&unode->entry, &dlfb->urbs.list);
+
+- i++;
++ up(&dlfb->urbs.limit_sem);
++ dlfb->urbs.count++;
++ dlfb->urbs.available++;
+ }
+
+- sema_init(&dlfb->urbs.limit_sem, i);
+- dlfb->urbs.count = i;
+- dlfb->urbs.available = i;
+-
+- return i;
++ return dlfb->urbs.count;
+ }
+
+ static struct urb *dlfb_get_urb(struct dlfb_data *dlfb)
--- /dev/null
+From 2c29cfc3eaf11779176bf41475cfca49bccba11c Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 25 Jul 2018 15:41:55 +0200
+Subject: udlfb: make a local copy of fb_ops
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 2c29cfc3eaf11779176bf41475cfca49bccba11c upstream.
+
+The defio subsystem overwrites the method fb_osp->mmap. That method is
+stored in module's static data - and that means that if we have multiple
+diplaylink adapters, they will over write each other's method.
+
+In order to avoid interference between multiple adapters, we copy the
+fb_ops structure to a device-local memory.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/udlfb.c | 3 ++-
+ include/video/udlfb.h | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/udlfb.c
++++ b/drivers/video/fbdev/udlfb.c
+@@ -1665,7 +1665,8 @@ static void dlfb_init_framebuffer_work(s
+ dlfb->info = info;
+ info->par = dlfb;
+ info->pseudo_palette = dlfb->pseudo_palette;
+- info->fbops = &dlfb_ops;
++ dlfb->ops = dlfb_ops;
++ info->fbops = &dlfb->ops;
+
+ retval = fb_alloc_cmap(&info->cmap, 256, 0);
+ if (retval < 0) {
+--- a/include/video/udlfb.h
++++ b/include/video/udlfb.h
+@@ -51,6 +51,7 @@ struct dlfb_data {
+ int base8;
+ u32 pseudo_palette[256];
+ int blank_mode; /*one of FB_BLANK_ */
++ struct fb_ops ops;
+ /* blit-only rendering path metrics, exposed through sysfs */
+ atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
+ atomic_t bytes_identical; /* saved effort with backbuffer comparison */
--- /dev/null
+From 0ac319b7af1bb24a33365d0ec82a2f56a59b2a78 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 25 Jul 2018 15:41:56 +0200
+Subject: udlfb: set line_length in dlfb_ops_set_par
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 0ac319b7af1bb24a33365d0ec82a2f56a59b2a78 upstream.
+
+Set the variable "line_length" in the function dlfb_ops_set_par. Without
+this, we get garbage if we select different videomode with fbset.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/udlfb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/video/fbdev/udlfb.c
++++ b/drivers/video/fbdev/udlfb.c
+@@ -1057,6 +1057,7 @@ static int dlfb_ops_set_par(struct fb_in
+ return result;
+
+ dlfb->current_mode = fvs;
++ info->fix.line_length = info->var.xres * (info->var.bits_per_pixel / 8);
+
+ if (dlfb->fb_count == 0) {
+
--- /dev/null
+From bb24153a3f13dd0dbc1f8055ad97fe346d598f66 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 25 Jul 2018 15:41:55 +0200
+Subject: udlfb: set optimal write delay
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit bb24153a3f13dd0dbc1f8055ad97fe346d598f66 upstream.
+
+The default delay 5 jiffies is too much when the kernel is compiled with
+HZ=100 - it results in jumpy cursor in Xwindow.
+
+In order to find out the optimal delay, I benchmarked the driver on
+1280x720x30fps video. I found out that with HZ=1000, 10ms is acceptable,
+but with HZ=250 or HZ=300, we need 4ms, so that the video is played
+without any frame skips.
+
+This patch changes the delay to this value.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/video/udlfb.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/video/udlfb.h
++++ b/include/video/udlfb.h
+@@ -87,7 +87,7 @@ struct dlfb_data {
+ #define MIN_RAW_PIX_BYTES 2
+ #define MIN_RAW_CMD_BYTES (RAW_HEADER_BYTES + MIN_RAW_PIX_BYTES)
+
+-#define DL_DEFIO_WRITE_DELAY 5 /* fb_deferred_io.delay in jiffies */
++#define DL_DEFIO_WRITE_DELAY msecs_to_jiffies(HZ <= 300 ? 4 : 10) /* optimal value for 720p video */
+ #define DL_DEFIO_WRITE_DISABLE (HZ*60) /* "disable" with long delay */
+
+ /* remove these once align.h patch is taken into kernel */
--- /dev/null
+From 5820f140edef111a9ea2ef414ab2428b8cb805b1 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Mon, 25 Jun 2018 18:34:19 +0200
+Subject: userns: move user access out of the mutex
+
+From: Jann Horn <jannh@google.com>
+
+commit 5820f140edef111a9ea2ef414ab2428b8cb805b1 upstream.
+
+The old code would hold the userns_state_mutex indefinitely if
+memdup_user_nul stalled due to e.g. a userfault region. Prevent that by
+moving the memdup_user_nul in front of the mutex_lock().
+
+Note: This changes the error precedence of invalid buf/count/*ppos vs
+map already written / capabilities missing.
+
+Fixes: 22d917d80e84 ("userns: Rework the user_namespace adding uid/gid...")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Christian Brauner <christian@brauner.io>
+Acked-by: Serge Hallyn <serge@hallyn.com>
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/user_namespace.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -859,7 +859,16 @@ static ssize_t map_write(struct file *fi
+ unsigned idx;
+ struct uid_gid_extent extent;
+ char *kbuf = NULL, *pos, *next_line;
+- ssize_t ret = -EINVAL;
++ ssize_t ret;
++
++ /* Only allow < page size writes at the beginning of the file */
++ if ((*ppos != 0) || (count >= PAGE_SIZE))
++ return -EINVAL;
++
++ /* Slurp in the user data */
++ kbuf = memdup_user_nul(buf, count);
++ if (IS_ERR(kbuf))
++ return PTR_ERR(kbuf);
+
+ /*
+ * The userns_state_mutex serializes all writes to any given map.
+@@ -895,19 +904,6 @@ static ssize_t map_write(struct file *fi
+ if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
+ goto out;
+
+- /* Only allow < page size writes at the beginning of the file */
+- ret = -EINVAL;
+- if ((*ppos != 0) || (count >= PAGE_SIZE))
+- goto out;
+-
+- /* Slurp in the user data */
+- kbuf = memdup_user_nul(buf, count);
+- if (IS_ERR(kbuf)) {
+- ret = PTR_ERR(kbuf);
+- kbuf = NULL;
+- goto out;
+- }
+-
+ /* Parse the user data */
+ ret = -EINVAL;
+ pos = kbuf;
projects / thirdparty / kernel / stable-queue.git / commitdiff
