patches for 4.14
authorSasha Levin <sashal@kernel.org>
Wed, 28 Nov 2018 16:13:05 +0000 (11:13 -0500)
committerSasha Levin <sashal@kernel.org>
Wed, 28 Nov 2018 16:13:05 +0000 (11:13 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
26 files changed:
queue-4.14/arm-add-proc_vtable-and-proc_table-macros.patch [new file with mode: 0644]
queue-4.14/arm-clean-up-per-processor-check_bugs-method-call.patch [new file with mode: 0644]
queue-4.14/arm-make-lookup_processor_type-non-__init.patch [new file with mode: 0644]
queue-4.14/arm-spectre-v2-per-cpu-vtables-to-work-around-big.li.patch [new file with mode: 0644]
queue-4.14/arm64-remove-no-op-p-linker-flag.patch [new file with mode: 0644]
queue-4.14/cpufreq-imx6q-add-return-value-check-for-voltage-sca.patch [new file with mode: 0644]
queue-4.14/crypto-simd-correctly-take-reqsize-of-wrapped-skciph.patch [new file with mode: 0644]
queue-4.14/drm-mediatek-fix-of-sibling-node-lookup.patch [new file with mode: 0644]
queue-4.14/efi-arm-revert-deferred-unmap-of-early-memmap-mappin.patch [new file with mode: 0644]
queue-4.14/floppy-fix-race-condition-in-__floppy_read_block_0.patch [new file with mode: 0644]
queue-4.14/kdb-use-strscpy-with-destination-buffer-size.patch [new file with mode: 0644]
queue-4.14/kvm-ppc-move-and-undef-trace_include_path-file.patch [new file with mode: 0644]
queue-4.14/mm-page_alloc-check-for-max-order-in-hot-path.patch [new file with mode: 0644]
queue-4.14/net-bcmgenet-fix-of-child-node-lookup.patch [new file with mode: 0644]
queue-4.14/nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch [new file with mode: 0644]
queue-4.14/of-add-helper-to-lookup-compatible-child-node.patch [new file with mode: 0644]
queue-4.14/perf-x86-intel-uncore-add-more-imc-pci-ids-for-kabyl.patch [new file with mode: 0644]
queue-4.14/pinctrl-meson-fix-pinconf-bias-disable.patch [new file with mode: 0644]
queue-4.14/power-supply-twl4030-charger-fix-of-sibling-node-loo.patch [new file with mode: 0644]
queue-4.14/powerpc-io-fix-the-io-workarounds-code-to-work-with-.patch [new file with mode: 0644]
queue-4.14/powerpc-numa-suppress-vphn-is-not-supported-messages.patch [new file with mode: 0644]
queue-4.14/rtc-pcf2127-fix-a-kmemleak-caused-in-pcf2127_i2c_gat.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/sunrpc-fix-a-bogus-get-put-in-generic_key_to_expire.patch [new file with mode: 0644]
queue-4.14/tmpfs-make-lseek-seek_data-sek_hole-return-enxio-wit.patch [new file with mode: 0644]
queue-4.14/z3fold-fix-possible-reclaim-races.patch [new file with mode: 0644]

diff --git a/queue-4.14/arm-add-proc_vtable-and-proc_table-macros.patch b/queue-4.14/arm-add-proc_vtable-and-proc_table-macros.patch
new file mode 100644 (file)
index 0000000..6463d1d
--- /dev/null
@@ -0,0 +1,109 @@
+From f909a60412ccbb897e6d99a89e8fd631f6038bd4 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Thu, 19 Jul 2018 12:17:38 +0100
+Subject: ARM: add PROC_VTABLE and PROC_TABLE macros
+
+[ Upstream commit e209950fdd065d2cc46e6338e47e52841b830cba ]
+
+Allow the way we access members of the processor vtable to be changed
+at compile time.  We will need to move to per-CPU vtables to fix the
+Spectre variant 2 issues on big.Little systems.
+
+However, we have a couple of calls that do not need the vtable
+treatment, and indeed cause a kernel warning due to the (later) use
+of smp_processor_id(), so also introduce the PROC_TABLE macro for
+these which always use CPU 0's function pointers.
+
+Reviewed-by: Julien Thierry <julien.thierry@arm.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/include/asm/proc-fns.h | 39 ++++++++++++++++++++++-----------
+ arch/arm/kernel/setup.c         |  4 +---
+ 2 files changed, 27 insertions(+), 16 deletions(-)
+
+diff --git a/arch/arm/include/asm/proc-fns.h b/arch/arm/include/asm/proc-fns.h
+index 30c499146320..c259cc49c641 100644
+--- a/arch/arm/include/asm/proc-fns.h
++++ b/arch/arm/include/asm/proc-fns.h
+@@ -23,7 +23,7 @@ struct mm_struct;
+ /*
+  * Don't change this structure - ASM code relies on it.
+  */
+-extern struct processor {
++struct processor {
+       /* MISC
+        * get data abort address/flags
+        */
+@@ -79,9 +79,13 @@ extern struct processor {
+       unsigned int suspend_size;
+       void (*do_suspend)(void *);
+       void (*do_resume)(void *);
+-} processor;
++};
+ #ifndef MULTI_CPU
++static inline void init_proc_vtable(const struct processor *p)
++{
++}
++
+ extern void cpu_proc_init(void);
+ extern void cpu_proc_fin(void);
+ extern int cpu_do_idle(void);
+@@ -98,18 +102,27 @@ extern void cpu_reset(unsigned long addr, bool hvc) __attribute__((noreturn));
+ extern void cpu_do_suspend(void *);
+ extern void cpu_do_resume(void *);
+ #else
+-#define cpu_proc_init                 processor._proc_init
+-#define cpu_check_bugs                        processor.check_bugs
+-#define cpu_proc_fin                  processor._proc_fin
+-#define cpu_reset                     processor.reset
+-#define cpu_do_idle                   processor._do_idle
+-#define cpu_dcache_clean_area         processor.dcache_clean_area
+-#define cpu_set_pte_ext                       processor.set_pte_ext
+-#define cpu_do_switch_mm              processor.switch_mm
+-/* These three are private to arch/arm/kernel/suspend.c */
+-#define cpu_do_suspend                        processor.do_suspend
+-#define cpu_do_resume                 processor.do_resume
++extern struct processor processor;
++#define PROC_VTABLE(f)                        processor.f
++#define PROC_TABLE(f)                 processor.f
++static inline void init_proc_vtable(const struct processor *p)
++{
++      processor = *p;
++}
++
++#define cpu_proc_init                 PROC_VTABLE(_proc_init)
++#define cpu_check_bugs                        PROC_VTABLE(check_bugs)
++#define cpu_proc_fin                  PROC_VTABLE(_proc_fin)
++#define cpu_reset                     PROC_VTABLE(reset)
++#define cpu_do_idle                   PROC_VTABLE(_do_idle)
++#define cpu_dcache_clean_area         PROC_TABLE(dcache_clean_area)
++#define cpu_set_pte_ext                       PROC_TABLE(set_pte_ext)
++#define cpu_do_switch_mm              PROC_VTABLE(switch_mm)
++
++/* These two are private to arch/arm/kernel/suspend.c */
++#define cpu_do_suspend                        PROC_VTABLE(do_suspend)
++#define cpu_do_resume                 PROC_VTABLE(do_resume)
+ #endif
+ extern void cpu_resume(void);
+diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
+index 8e9a3e40d949..753e26960e6f 100644
+--- a/arch/arm/kernel/setup.c
++++ b/arch/arm/kernel/setup.c
+@@ -686,9 +686,7 @@ static void __init setup_processor(void)
+       cpu_name = list->cpu_name;
+       __cpu_architecture = __get_cpu_architecture();
+-#ifdef MULTI_CPU
+-      processor = *list->proc;
+-#endif
++      init_proc_vtable(list->proc);
+ #ifdef MULTI_TLB
+       cpu_tlb = *list->tlb;
+ #endif
+-- 
+2.17.1
+
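Review bot: `PROC_VTABLE()` and `PROC_TABLE()` are added to proc-fns.h with identical expansions (`processor.f`) and no comment, so the header does not say why `cpu_dcache_clean_area` and `cpu_set_pte_ext` use a different macro from the other accessors. The reason appears only in the commit message: those calls must keep using CPU 0's function pointers and must not come to depend on `smp_processor_id()`. I would add above the two defines `/* PROC_TABLE(): always CPU 0's pointers, for callers that cannot use smp_processor_id(); PROC_VTABLE(): may become per-CPU */`. The comment change from "three" to "two" just below is correct and needs nothing further.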
diff --git a/queue-4.14/arm-clean-up-per-processor-check_bugs-method-call.patch b/queue-4.14/arm-clean-up-per-processor-check_bugs-method-call.patch
new file mode 100644 (file)
index 0000000..52b9883
--- /dev/null
@@ -0,0 +1,49 @@
+From a1532514df66413e1f503540ea2f9a3d017d1030 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Thu, 19 Jul 2018 12:43:03 +0100
+Subject: ARM: clean up per-processor check_bugs method call
+
+[ Upstream commit 945aceb1db8885d3a35790cf2e810f681db52756 ]
+
+Call the per-processor type check_bugs() method in the same way as we
+do other per-processor functions - move the "processor." detail into
+proc-fns.h.
+
+Reviewed-by: Julien Thierry <julien.thierry@arm.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/include/asm/proc-fns.h | 1 +
+ arch/arm/kernel/bugs.c          | 4 ++--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/include/asm/proc-fns.h b/arch/arm/include/asm/proc-fns.h
+index e25f4392e1b2..30c499146320 100644
+--- a/arch/arm/include/asm/proc-fns.h
++++ b/arch/arm/include/asm/proc-fns.h
+@@ -99,6 +99,7 @@ extern void cpu_do_suspend(void *);
+ extern void cpu_do_resume(void *);
+ #else
+ #define cpu_proc_init                 processor._proc_init
++#define cpu_check_bugs                        processor.check_bugs
+ #define cpu_proc_fin                  processor._proc_fin
+ #define cpu_reset                     processor.reset
+ #define cpu_do_idle                   processor._do_idle
+diff --git a/arch/arm/kernel/bugs.c b/arch/arm/kernel/bugs.c
+index 7be511310191..d41d3598e5e5 100644
+--- a/arch/arm/kernel/bugs.c
++++ b/arch/arm/kernel/bugs.c
+@@ -6,8 +6,8 @@
+ void check_other_bugs(void)
+ {
+ #ifdef MULTI_CPU
+-      if (processor.check_bugs)
+-              processor.check_bugs();
++      if (cpu_check_bugs)
++              cpu_check_bugs();
+ #endif
+ }
+-- 
+2.17.1
+
diff --git a/queue-4.14/arm-make-lookup_processor_type-non-__init.patch b/queue-4.14/arm-make-lookup_processor_type-non-__init.patch
new file mode 100644 (file)
index 0000000..add2f66
--- /dev/null
@@ -0,0 +1,44 @@
+From c637b4995c1bad0913b487eb357a79be98a8f56f Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Thu, 19 Jul 2018 11:42:36 +0100
+Subject: ARM: make lookup_processor_type() non-__init
+
+[ Upstream commit 899a42f836678a595f7d2bc36a5a0c2b03d08cbc ]
+
+Move lookup_processor_type() out of the __init section so it is callable
+from (eg) the secondary startup code during hotplug.
+
+Reviewed-by: Julien Thierry <julien.thierry@arm.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/head-common.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/kernel/head-common.S b/arch/arm/kernel/head-common.S
+index 8733012d231f..7e662bdd5cb3 100644
+--- a/arch/arm/kernel/head-common.S
++++ b/arch/arm/kernel/head-common.S
+@@ -122,6 +122,9 @@ __mmap_switched_data:
+       .long   init_thread_union + THREAD_START_SP @ sp
+       .size   __mmap_switched_data, . - __mmap_switched_data
++      __FINIT
++      .text
++
+ /*
+  * This provides a C-API version of __lookup_processor_type
+  */
+@@ -133,9 +136,6 @@ ENTRY(lookup_processor_type)
+       ldmfd   sp!, {r4 - r6, r9, pc}
+ ENDPROC(lookup_processor_type)
+-      __FINIT
+-      .text
+-
+ /*
+  * Read processor ID register (CP#15, CR0), and look up in the linker-built
+  * supported processor list.  Note that we can't use the absolute addresses
+-- 
+2.17.1
+
diff --git a/queue-4.14/arm-spectre-v2-per-cpu-vtables-to-work-around-big.li.patch b/queue-4.14/arm-spectre-v2-per-cpu-vtables-to-work-around-big.li.patch
new file mode 100644 (file)
index 0000000..31da9a4
--- /dev/null
@@ -0,0 +1,210 @@
+From f838ff9f7826b2e2228752fbb598cc29274c8d1c Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Thu, 19 Jul 2018 12:21:31 +0100
+Subject: ARM: spectre-v2: per-CPU vtables to work around big.Little systems
+
+[ Upstream commit 383fb3ee8024d596f488d2dbaf45e572897acbdb ]
+
+In big.Little systems, some CPUs require the Spectre workarounds in
+paths such as the context switch, but other CPUs do not.  In order
+to handle these differences, we need per-CPU vtables.
+
+We are unable to use the kernel's per-CPU variables to support this
+as per-CPU is not initialised at times when we need access to the
+vtables, so we have to use an array indexed by logical CPU number.
+
+We use an array-of-pointers to avoid having function pointers in
+the kernel's read/write .data section.
+
+Reviewed-by: Julien Thierry <julien.thierry@arm.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/include/asm/proc-fns.h | 23 +++++++++++++++++++++++
+ arch/arm/kernel/setup.c         |  5 +++++
+ arch/arm/kernel/smp.c           | 31 +++++++++++++++++++++++++++++++
+ arch/arm/mm/proc-v7-bugs.c      | 17 ++---------------
+ 4 files changed, 61 insertions(+), 15 deletions(-)
+
+diff --git a/arch/arm/include/asm/proc-fns.h b/arch/arm/include/asm/proc-fns.h
+index c259cc49c641..e1b6f280ab08 100644
+--- a/arch/arm/include/asm/proc-fns.h
++++ b/arch/arm/include/asm/proc-fns.h
+@@ -104,12 +104,35 @@ extern void cpu_do_resume(void *);
+ #else
+ extern struct processor processor;
++#if defined(CONFIG_BIG_LITTLE) && defined(CONFIG_HARDEN_BRANCH_PREDICTOR)
++#include <linux/smp.h>
++/*
++ * This can't be a per-cpu variable because we need to access it before
++ * per-cpu has been initialised.  We have a couple of functions that are
++ * called in a pre-emptible context, and so can't use smp_processor_id()
++ * there, hence PROC_TABLE().  We insist in init_proc_vtable() that the
++ * function pointers for these are identical across all CPUs.
++ */
++extern struct processor *cpu_vtable[];
++#define PROC_VTABLE(f)                        cpu_vtable[smp_processor_id()]->f
++#define PROC_TABLE(f)                 cpu_vtable[0]->f
++static inline void init_proc_vtable(const struct processor *p)
++{
++      unsigned int cpu = smp_processor_id();
++      *cpu_vtable[cpu] = *p;
++      WARN_ON_ONCE(cpu_vtable[cpu]->dcache_clean_area !=
++                   cpu_vtable[0]->dcache_clean_area);
++      WARN_ON_ONCE(cpu_vtable[cpu]->set_pte_ext !=
++                   cpu_vtable[0]->set_pte_ext);
++}
++#else
+ #define PROC_VTABLE(f)                        processor.f
+ #define PROC_TABLE(f)                 processor.f
+ static inline void init_proc_vtable(const struct processor *p)
+ {
+       processor = *p;
+ }
++#endif
+ #define cpu_proc_init                 PROC_VTABLE(_proc_init)
+ #define cpu_check_bugs                        PROC_VTABLE(check_bugs)
+diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
+index 753e26960e6f..9f4c55b83b32 100644
+--- a/arch/arm/kernel/setup.c
++++ b/arch/arm/kernel/setup.c
+@@ -115,6 +115,11 @@ EXPORT_SYMBOL(elf_hwcap2);
+ #ifdef MULTI_CPU
+ struct processor processor __ro_after_init;
++#if defined(CONFIG_BIG_LITTLE) && defined(CONFIG_HARDEN_BRANCH_PREDICTOR)
++struct processor *cpu_vtable[NR_CPUS] = {
++      [0] = &processor,
++};
++#endif
+ #endif
+ #ifdef MULTI_TLB
+ struct cpu_tlb_fns cpu_tlb __ro_after_init;
+diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
+index e61af0600133..f6b1c9d2e178 100644
+--- a/arch/arm/kernel/smp.c
++++ b/arch/arm/kernel/smp.c
+@@ -42,6 +42,7 @@
+ #include <asm/mmu_context.h>
+ #include <asm/pgtable.h>
+ #include <asm/pgalloc.h>
++#include <asm/procinfo.h>
+ #include <asm/processor.h>
+ #include <asm/sections.h>
+ #include <asm/tlbflush.h>
+@@ -102,6 +103,30 @@ static unsigned long get_arch_pgd(pgd_t *pgd)
+ #endif
+ }
++#if defined(CONFIG_BIG_LITTLE) && defined(CONFIG_HARDEN_BRANCH_PREDICTOR)
++static int secondary_biglittle_prepare(unsigned int cpu)
++{
++      if (!cpu_vtable[cpu])
++              cpu_vtable[cpu] = kzalloc(sizeof(*cpu_vtable[cpu]), GFP_KERNEL);
++
++      return cpu_vtable[cpu] ? 0 : -ENOMEM;
++}
++
++static void secondary_biglittle_init(void)
++{
++      init_proc_vtable(lookup_processor(read_cpuid_id())->proc);
++}
++#else
++static int secondary_biglittle_prepare(unsigned int cpu)
++{
++      return 0;
++}
++
++static void secondary_biglittle_init(void)
++{
++}
++#endif
++
+ int __cpu_up(unsigned int cpu, struct task_struct *idle)
+ {
+       int ret;
+@@ -109,6 +134,10 @@ int __cpu_up(unsigned int cpu, struct task_struct *idle)
+       if (!smp_ops.smp_boot_secondary)
+               return -ENOSYS;
++      ret = secondary_biglittle_prepare(cpu);
++      if (ret)
++              return ret;
++
+       /*
+        * We need to tell the secondary core where to find
+        * its stack and the page tables.
+@@ -360,6 +389,8 @@ asmlinkage void secondary_start_kernel(void)
+       struct mm_struct *mm = &init_mm;
+       unsigned int cpu;
++      secondary_biglittle_init();
++
+       /*
+        * The identity mapping is uncached (strongly ordered), so
+        * switch away from it before attempting any exclusive accesses.
+diff --git a/arch/arm/mm/proc-v7-bugs.c b/arch/arm/mm/proc-v7-bugs.c
+index 5544b82a2e7a..9a07916af8dd 100644
+--- a/arch/arm/mm/proc-v7-bugs.c
++++ b/arch/arm/mm/proc-v7-bugs.c
+@@ -52,8 +52,6 @@ static void cpu_v7_spectre_init(void)
+       case ARM_CPU_PART_CORTEX_A17:
+       case ARM_CPU_PART_CORTEX_A73:
+       case ARM_CPU_PART_CORTEX_A75:
+-              if (processor.switch_mm != cpu_v7_bpiall_switch_mm)
+-                      goto bl_error;
+               per_cpu(harden_branch_predictor_fn, cpu) =
+                       harden_branch_predictor_bpiall;
+               spectre_v2_method = "BPIALL";
+@@ -61,8 +59,6 @@ static void cpu_v7_spectre_init(void)
+       case ARM_CPU_PART_CORTEX_A15:
+       case ARM_CPU_PART_BRAHMA_B15:
+-              if (processor.switch_mm != cpu_v7_iciallu_switch_mm)
+-                      goto bl_error;
+               per_cpu(harden_branch_predictor_fn, cpu) =
+                       harden_branch_predictor_iciallu;
+               spectre_v2_method = "ICIALLU";
+@@ -88,11 +84,9 @@ static void cpu_v7_spectre_init(void)
+                                         ARM_SMCCC_ARCH_WORKAROUND_1, &res);
+                       if ((int)res.a0 != 0)
+                               break;
+-                      if (processor.switch_mm != cpu_v7_hvc_switch_mm && cpu)
+-                              goto bl_error;
+                       per_cpu(harden_branch_predictor_fn, cpu) =
+                               call_hvc_arch_workaround_1;
+-                      processor.switch_mm = cpu_v7_hvc_switch_mm;
++                      cpu_do_switch_mm = cpu_v7_hvc_switch_mm;
+                       spectre_v2_method = "hypervisor";
+                       break;
+@@ -101,11 +95,9 @@ static void cpu_v7_spectre_init(void)
+                                         ARM_SMCCC_ARCH_WORKAROUND_1, &res);
+                       if ((int)res.a0 != 0)
+                               break;
+-                      if (processor.switch_mm != cpu_v7_smc_switch_mm && cpu)
+-                              goto bl_error;
+                       per_cpu(harden_branch_predictor_fn, cpu) =
+                               call_smc_arch_workaround_1;
+-                      processor.switch_mm = cpu_v7_smc_switch_mm;
++                      cpu_do_switch_mm = cpu_v7_smc_switch_mm;
+                       spectre_v2_method = "firmware";
+                       break;
+@@ -119,11 +111,6 @@ static void cpu_v7_spectre_init(void)
+       if (spectre_v2_method)
+               pr_info("CPU%u: Spectre v2: using %s workaround\n",
+                       smp_processor_id(), spectre_v2_method);
+-      return;
+-
+-bl_error:
+-      pr_err("CPU%u: Spectre v2: incorrect context switching function, system vulnerable\n",
+-              cpu);
+ }
+ #else
+ static void cpu_v7_spectre_init(void)
+-- 
+2.17.1
+
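Review bot: The `bl_error` path in `cpu_v7_spectre_init()` and its "incorrect context switching function, system vulnerable" message are removed for every configuration, but the per-CPU `cpu_vtable[]` that makes the comparison unnecessary is compiled only under `CONFIG_BIG_LITTLE && CONFIG_HARDEN_BRANCH_PREDICTOR`. In the `#else` branch of proc-fns.h `cpu_do_switch_mm` still expands to the single global `processor.switch_mm`, so a kernel built without `CONFIG_BIG_LITTLE` and booted on mixed cores would, as far as these hunks show, no longer report a mismatched context-switch function. Either keep the comparison for that configuration or record the assumption next to the assignments, e.g. `/* per-CPU only with CONFIG_BIG_LITTLE; otherwise every CPU shares processor.switch_mm */`. Separately, the secondary tables come from `kzalloc()` in `secondary_biglittle_prepare()`, so unlike `processor` (`__ro_after_init`) their function pointers remain writable at run time, which deserves a comment if it is an accepted trade-off. `cpu_v7_spectre_init()` begins outside the hunk, so the guard around it is not visible here.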
diff --git a/queue-4.14/arm64-remove-no-op-p-linker-flag.patch b/queue-4.14/arm64-remove-no-op-p-linker-flag.patch
new file mode 100644 (file)
index 0000000..1cb7267
--- /dev/null
@@ -0,0 +1,50 @@
+From 7d1a867a61019e2003cfd540c49d8d27dc62d3cc Mon Sep 17 00:00:00 2001
+From: Greg Hackmann <ghackmann@android.com>
+Date: Tue, 27 Nov 2018 11:15:20 -0800
+Subject: arm64: remove no-op -p linker flag
+
+(commit 1a381d4a0a9a0f999a13faaba22bf6b3fc80dcb9 upstream)
+
+Linking the ARM64 defconfig kernel with LLVM lld fails with the error:
+
+  ld.lld: error: unknown argument: -p
+  Makefile:1015: recipe for target 'vmlinux' failed
+
+Without this flag, the ARM64 defconfig kernel successfully links with
+lld and boots on Dragonboard 410c.
+
+After digging through binutils source and changelogs, it turns out that
+-p is only relevant to ancient binutils installations targeting 32-bit
+ARM.  binutils accepts -p for AArch64 too, but it's always been
+undocumented and silently ignored.  A comment in
+ld/emultempl/aarch64elf.em explains that it's "Only here for backwards
+compatibility".
+
+Since this flag is a no-op on ARM64, we can safely drop it.
+
+Acked-by: Will Deacon <will.deacon@arm.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Greg Hackmann <ghackmann@google.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
+index 7318165cfc90..48f2b3657507 100644
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -10,7 +10,7 @@
+ #
+ # Copyright (C) 1995-2001 by Russell King
+-LDFLAGS_vmlinux       :=-p --no-undefined -X
++LDFLAGS_vmlinux       :=--no-undefined -X
+ CPPFLAGS_vmlinux.lds = -DTEXT_OFFSET=$(TEXT_OFFSET)
+ GZFLAGS               :=-9
+-- 
+2.17.1
+
diff --git a/queue-4.14/cpufreq-imx6q-add-return-value-check-for-voltage-sca.patch b/queue-4.14/cpufreq-imx6q-add-return-value-check-for-voltage-sca.patch
new file mode 100644 (file)
index 0000000..99ad9b6
--- /dev/null
@@ -0,0 +1,40 @@
+From 461fd916356d5043e7997e3e8eb3f5a743a012bd Mon Sep 17 00:00:00 2001
+From: Anson Huang <anson.huang@nxp.com>
+Date: Mon, 5 Nov 2018 00:59:28 +0000
+Subject: cpufreq: imx6q: add return value check for voltage scale
+
+[ Upstream commit 6ef28a04d1ccf718eee069b72132ce4aa1e52ab9 ]
+
+Add return value check for voltage scale when ARM clock
+rate change fail.
+
+Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/imx6q-cpufreq.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/imx6q-cpufreq.c b/drivers/cpufreq/imx6q-cpufreq.c
+index 14466a9b01c0..63d28323a29c 100644
+--- a/drivers/cpufreq/imx6q-cpufreq.c
++++ b/drivers/cpufreq/imx6q-cpufreq.c
+@@ -135,8 +135,13 @@ static int imx6q_set_target(struct cpufreq_policy *policy, unsigned int index)
+       /* Ensure the arm clock divider is what we expect */
+       ret = clk_set_rate(arm_clk, new_freq * 1000);
+       if (ret) {
++              int ret1;
++
+               dev_err(cpu_dev, "failed to set clock rate: %d\n", ret);
+-              regulator_set_voltage_tol(arm_reg, volt_old, 0);
++              ret1 = regulator_set_voltage_tol(arm_reg, volt_old, 0);
++              if (ret1)
++                      dev_warn(cpu_dev,
++                               "failed to restore vddarm voltage: %d\n", ret1);
+               return ret;
+       }
+-- 
+2.17.1
+
diff --git a/queue-4.14/crypto-simd-correctly-take-reqsize-of-wrapped-skciph.patch b/queue-4.14/crypto-simd-correctly-take-reqsize-of-wrapped-skciph.patch
new file mode 100644 (file)
index 0000000..2a0a06b
--- /dev/null
@@ -0,0 +1,43 @@
+From 617c87f6cf60173124105b78c7b38fa6b5e4fecd Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Thu, 8 Nov 2018 23:55:16 +0100
+Subject: crypto: simd - correctly take reqsize of wrapped skcipher into
+ account
+
+[ Upstream commit 508a1c4df085a547187eed346f1bfe5e381797f1 ]
+
+The simd wrapper's skcipher request context structure consists
+of a single subrequest whose size is taken from the subordinate
+skcipher. However, in simd_skcipher_init(), the reqsize that is
+retrieved is not from the subordinate skcipher but from the
+cryptd request structure, whose size is completely unrelated to
+the actual wrapped skcipher.
+
+Reported-by: Qian Cai <cai@gmx.us>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Tested-by: Qian Cai <cai@gmx.us>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/simd.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/simd.c b/crypto/simd.c
+index 88203370a62f..894c62944106 100644
+--- a/crypto/simd.c
++++ b/crypto/simd.c
+@@ -126,8 +126,9 @@ static int simd_skcipher_init(struct crypto_skcipher *tfm)
+       ctx->cryptd_tfm = cryptd_tfm;
+-      reqsize = sizeof(struct skcipher_request);
+-      reqsize += crypto_skcipher_reqsize(&cryptd_tfm->base);
++      reqsize = crypto_skcipher_reqsize(cryptd_skcipher_child(cryptd_tfm));
++      reqsize = max(reqsize, crypto_skcipher_reqsize(&cryptd_tfm->base));
++      reqsize += sizeof(struct skcipher_request);
+       crypto_skcipher_set_reqsize(tfm, reqsize);
+-- 
+2.17.1
+
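Review bot: The three new `reqsize` lines in `simd_skcipher_init()` have no comment explaining why the larger of two request sizes is taken, and the sizing matters because a context that is too small can let the wrapped request run past its allocation. The commit message says the context holds a single subrequest; the `max()` suggests that subrequest is handed to either the cryptd tfm or its child, but the users of the context are not visible in this hunk. I would add `/* one subrequest serves both the cryptd tfm and its child: size for the larger */` above the first assignment. The function starts and ends outside the hunk.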
diff --git a/queue-4.14/drm-mediatek-fix-of-sibling-node-lookup.patch b/queue-4.14/drm-mediatek-fix-of-sibling-node-lookup.patch
new file mode 100644 (file)
index 0000000..1cc0ac2
--- /dev/null
@@ -0,0 +1,59 @@
+From cc31d19ebd1c65eec10aeda8613a5b1ff9735e0e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 27 Aug 2018 10:21:46 +0200
+Subject: drm/mediatek: fix OF sibling-node lookup
+
+[ Upstream commit ceff2f4dcd44abf35864d9a99f85ac619e89a01d ]
+
+Use the new of_get_compatible_child() helper to lookup the sibling
+instead of using of_find_compatible_node(), which searches the entire
+tree from a given start node and thus can return an unrelated (i.e.
+non-sibling) node.
+
+This also addresses a potential use-after-free (e.g. after probe
+deferral) as the tree-wide helper drops a reference to its first
+argument (i.e. the parent device node).
+
+While at it, also fix the related cec-node reference leak.
+
+Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support")
+Cc: stable <stable@vger.kernel.org>     # 4.8
+Cc: Junzhi Zhao <junzhi.zhao@mediatek.com>
+Cc: Philipp Zabel <p.zabel@pengutronix.de>
+Cc: CK Hu <ck.hu@mediatek.com>
+Cc: David Airlie <airlied@linux.ie>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_hdmi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c
+index 690c67507cbc..aba27ea9cea5 100644
+--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c
++++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c
+@@ -1446,8 +1446,7 @@ static int mtk_hdmi_dt_parse_pdata(struct mtk_hdmi *hdmi,
+       }
+       /* The CEC module handles HDMI hotplug detection */
+-      cec_np = of_find_compatible_node(np->parent, NULL,
+-                                       "mediatek,mt8173-cec");
++      cec_np = of_get_compatible_child(np->parent, "mediatek,mt8173-cec");
+       if (!cec_np) {
+               dev_err(dev, "Failed to find CEC node\n");
+               return -EINVAL;
+@@ -1457,8 +1456,10 @@ static int mtk_hdmi_dt_parse_pdata(struct mtk_hdmi *hdmi,
+       if (!cec_pdev) {
+               dev_err(hdmi->dev, "Waiting for CEC device %pOF\n",
+                       cec_np);
++              of_node_put(cec_np);
+               return -EPROBE_DEFER;
+       }
++      of_node_put(cec_np);
+       hdmi->cec_dev = &cec_pdev->dev;
+       /*
+-- 
+2.17.1
+
diff --git a/queue-4.14/efi-arm-revert-deferred-unmap-of-early-memmap-mappin.patch b/queue-4.14/efi-arm-revert-deferred-unmap-of-early-memmap-mappin.patch
new file mode 100644 (file)
index 0000000..38abdcb
--- /dev/null
@@ -0,0 +1,81 @@
+From dfe85980157d5bedceb1073c1992b865b57b9360 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 14 Nov 2018 09:55:41 -0800
+Subject: efi/arm: Revert deferred unmap of early memmap mapping
+
+[ Upstream commit 33412b8673135b18ea42beb7f5117ed0091798b6 ]
+
+Commit:
+
+  3ea86495aef2 ("efi/arm: preserve early mapping of UEFI memory map longer for BGRT")
+
+deferred the unmap of the early mapping of the UEFI memory map to
+accommodate the ACPI BGRT code, which looks up the memory type that
+backs the BGRT table to validate it against the requirements of the UEFI spec.
+
+Unfortunately, this causes problems on ARM, which does not permit
+early mappings to persist after paging_init() is called, resulting
+in a WARN() splat. Since we don't support the BGRT table on ARM anway,
+let's revert ARM to the old behaviour, which is to take down the
+early mapping at the end of efi_init().
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Fixes: 3ea86495aef2 ("efi/arm: preserve early mapping of UEFI memory ...")
+Link: http://lkml.kernel.org/r/20181114175544.12860-3-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/arm-init.c    | 4 ++++
+ drivers/firmware/efi/arm-runtime.c | 2 +-
+ drivers/firmware/efi/memmap.c      | 3 +++
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/arm-init.c b/drivers/firmware/efi/arm-init.c
+index a7c522eac640..312f9f32e168 100644
+--- a/drivers/firmware/efi/arm-init.c
++++ b/drivers/firmware/efi/arm-init.c
+@@ -265,6 +265,10 @@ void __init efi_init(void)
+                                   (params.mmap & ~PAGE_MASK)));
+       init_screen_info();
++
++      /* ARM does not permit early mappings to persist across paging_init() */
++      if (IS_ENABLED(CONFIG_ARM))
++              efi_memmap_unmap();
+ }
+ static int __init register_gop_device(void)
+diff --git a/drivers/firmware/efi/arm-runtime.c b/drivers/firmware/efi/arm-runtime.c
+index 8995a48bd067..ad1530aff633 100644
+--- a/drivers/firmware/efi/arm-runtime.c
++++ b/drivers/firmware/efi/arm-runtime.c
+@@ -122,7 +122,7 @@ static int __init arm_enable_runtime_services(void)
+ {
+       u64 mapsize;
+-      if (!efi_enabled(EFI_BOOT) || !efi_enabled(EFI_MEMMAP)) {
++      if (!efi_enabled(EFI_BOOT)) {
+               pr_info("EFI services will not be available.\n");
+               return 0;
+       }
+diff --git a/drivers/firmware/efi/memmap.c b/drivers/firmware/efi/memmap.c
+index 5fc70520e04c..1907db2b38d8 100644
+--- a/drivers/firmware/efi/memmap.c
++++ b/drivers/firmware/efi/memmap.c
+@@ -118,6 +118,9 @@ int __init efi_memmap_init_early(struct efi_memory_map_data *data)
+ void __init efi_memmap_unmap(void)
+ {
++      if (!efi_enabled(EFI_MEMMAP))
++              return;
++
+       if (!efi.memmap.late) {
+               unsigned long size;
+-- 
+2.17.1
+
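Review bot: With the `EFI_MEMMAP` test dropped from `arm_enable_runtime_services()`, nothing in the visible lines says that the flag is now expected to be clear on 32-bit ARM because `efi_init()` has already called `efi_memmap_unmap()`. The function continues outside the hunk, so whether it re-establishes the map before reading `efi.memmap` cannot be confirmed from here. A comment would make the dependency explicit, e.g. `/* EFI_MEMMAP may be clear here: 32-bit ARM unmaps the early memmap in efi_init() */`. The new early return in `efi_memmap_unmap()` also deserves a one-line comment, since it is presumably there so that a second call is harmless.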
diff --git a/queue-4.14/floppy-fix-race-condition-in-__floppy_read_block_0.patch b/queue-4.14/floppy-fix-race-condition-in-__floppy_read_block_0.patch
new file mode 100644 (file)
index 0000000..bf954f3
--- /dev/null
@@ -0,0 +1,79 @@
+From 7a4ed5fd8e15d2e4f7e70dbd7f901a6e9510334f Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Fri, 9 Nov 2018 15:58:40 -0700
+Subject: floppy: fix race condition in __floppy_read_block_0()
+
+[ Upstream commit de7b75d82f70c5469675b99ad632983c50b6f7e7 ]
+
+LKP recently reported a hang at bootup in the floppy code:
+
+[  245.678853] INFO: task mount:580 blocked for more than 120 seconds.
+[  245.679906]       Tainted: G                T 4.19.0-rc6-00172-ga9f38e1 #1
+[  245.680959] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+[  245.682181] mount           D 6372   580      1 0x00000004
+[  245.683023] Call Trace:
+[  245.683425]  __schedule+0x2df/0x570
+[  245.683975]  schedule+0x2d/0x80
+[  245.684476]  schedule_timeout+0x19d/0x330
+[  245.685090]  ? wait_for_common+0xa5/0x170
+[  245.685735]  wait_for_common+0xac/0x170
+[  245.686339]  ? do_sched_yield+0x90/0x90
+[  245.686935]  wait_for_completion+0x12/0x20
+[  245.687571]  __floppy_read_block_0+0xfb/0x150
+[  245.688244]  ? floppy_resume+0x40/0x40
+[  245.688844]  floppy_revalidate+0x20f/0x240
+[  245.689486]  check_disk_change+0x43/0x60
+[  245.690087]  floppy_open+0x1ea/0x360
+[  245.690653]  __blkdev_get+0xb4/0x4d0
+[  245.691212]  ? blkdev_get+0x1db/0x370
+[  245.691777]  blkdev_get+0x1f3/0x370
+[  245.692351]  ? path_put+0x15/0x20
+[  245.692871]  ? lookup_bdev+0x4b/0x90
+[  245.693539]  blkdev_get_by_path+0x3d/0x80
+[  245.694165]  mount_bdev+0x2a/0x190
+[  245.694695]  squashfs_mount+0x10/0x20
+[  245.695271]  ? squashfs_alloc_inode+0x30/0x30
+[  245.695960]  mount_fs+0xf/0x90
+[  245.696451]  vfs_kern_mount+0x43/0x130
+[  245.697036]  do_mount+0x187/0xc40
+[  245.697563]  ? memdup_user+0x28/0x50
+[  245.698124]  ksys_mount+0x60/0xc0
+[  245.698639]  sys_mount+0x19/0x20
+[  245.699167]  do_int80_syscall_32+0x61/0x130
+[  245.699813]  entry_INT80_32+0xc7/0xc7
+
+showing that we never complete that read request. The reason is that
+the completion setup is racy - it initializes the completion event
+AFTER submitting the IO, which means that the IO could complete
+before/during the init. If it does, we are passing garbage to
+complete() and we may sleep forever waiting for the event to
+occur.
+
+Fixes: 7b7b68bba5ef ("floppy: bail out in open() if drive is not responding to block0 read")
+Reviewed-by: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/floppy.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 3d0287e212fe..a7f212ea17bf 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -4146,10 +4146,11 @@ static int __floppy_read_block_0(struct block_device *bdev, int drive)
+       bio.bi_end_io = floppy_rb0_cb;
+       bio_set_op_attrs(&bio, REQ_OP_READ, 0);
++      init_completion(&cbdata.complete);
++
+       submit_bio(&bio);
+       process_fd_request();
+-      init_completion(&cbdata.complete);
+       wait_for_completion(&cbdata.complete);
+       __free_page(page);
+-- 
+2.17.1
+
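Review bot: Nothing at the moved `init_completion(&cbdata.complete)` call in drivers/block/floppy.c records that its position matters, so a later cleanup could move it back below `submit_bio()` and reintroduce the hang. A comment above the call would pin the ordering, for example `/* must precede submit_bio(): floppy_rb0_cb can run before we reach wait_for_completion() */`. The body of __floppy_read_block_0() starts and ends outside the hunk, so the rest of the cbdata setup cannot be checked from here.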
diff --git a/queue-4.14/kdb-use-strscpy-with-destination-buffer-size.patch b/queue-4.14/kdb-use-strscpy-with-destination-buffer-size.patch
new file mode 100644 (file)
index 0000000..b556af4
--- /dev/null
@@ -0,0 +1,126 @@
+From ef27ec66c47690a2b254b5064fc2bf9df5fbf60d Mon Sep 17 00:00:00 2001
+From: Prarit Bhargava <prarit@redhat.com>
+Date: Thu, 20 Sep 2018 08:59:14 -0400
+Subject: kdb: Use strscpy with destination buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit c2b94c72d93d0929f48157eef128c4f9d2e603ce ]
+
+gcc 8.1.0 warns with:
+
+kernel/debug/kdb/kdb_support.c: In function â€˜kallsyms_symbol_next’:
+kernel/debug/kdb/kdb_support.c:239:4: warning: â€˜strncpy’ specified bound depends on the length of the source argument [-Wstringop-overflow=]
+     strncpy(prefix_name, name, strlen(name)+1);
+     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+kernel/debug/kdb/kdb_support.c:239:31: note: length computed here
+
+Use strscpy() with the destination buffer size, and use ellipses when
+displaying truncated symbols.
+
+v2: Use strscpy()
+
+Signed-off-by: Prarit Bhargava <prarit@redhat.com>
+Cc: Jonathan Toppins <jtoppins@redhat.com>
+Cc: Jason Wessel <jason.wessel@windriver.com>
+Cc: Daniel Thompson <daniel.thompson@linaro.org>
+Cc: kgdb-bugreport@lists.sourceforge.net
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/debug/kdb/kdb_io.c      | 15 +++++++++------
+ kernel/debug/kdb/kdb_private.h |  2 +-
+ kernel/debug/kdb/kdb_support.c | 10 +++++-----
+ 3 files changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c
+index ed5d34925ad0..6a4b41484afe 100644
+--- a/kernel/debug/kdb/kdb_io.c
++++ b/kernel/debug/kdb/kdb_io.c
+@@ -216,7 +216,7 @@ static char *kdb_read(char *buffer, size_t bufsize)
+       int count;
+       int i;
+       int diag, dtab_count;
+-      int key;
++      int key, buf_size, ret;
+       diag = kdbgetintenv("DTABCOUNT", &dtab_count);
+@@ -336,9 +336,8 @@ poll_again:
+               else
+                       p_tmp = tmpbuffer;
+               len = strlen(p_tmp);
+-              count = kallsyms_symbol_complete(p_tmp,
+-                                               sizeof(tmpbuffer) -
+-                                               (p_tmp - tmpbuffer));
++              buf_size = sizeof(tmpbuffer) - (p_tmp - tmpbuffer);
++              count = kallsyms_symbol_complete(p_tmp, buf_size);
+               if (tab == 2 && count > 0) {
+                       kdb_printf("\n%d symbols are found.", count);
+                       if (count > dtab_count) {
+@@ -350,9 +349,13 @@ poll_again:
+                       }
+                       kdb_printf("\n");
+                       for (i = 0; i < count; i++) {
+-                              if (WARN_ON(!kallsyms_symbol_next(p_tmp, i)))
++                              ret = kallsyms_symbol_next(p_tmp, i, buf_size);
++                              if (WARN_ON(!ret))
+                                       break;
+-                              kdb_printf("%s ", p_tmp);
++                              if (ret != -E2BIG)
++                                      kdb_printf("%s ", p_tmp);
++                              else
++                                      kdb_printf("%s... ", p_tmp);
+                               *(p_tmp + len) = '\0';
+                       }
+                       if (i >= dtab_count)
+diff --git a/kernel/debug/kdb/kdb_private.h b/kernel/debug/kdb/kdb_private.h
+index fc224fbcf954..f2158e463a0f 100644
+--- a/kernel/debug/kdb/kdb_private.h
++++ b/kernel/debug/kdb/kdb_private.h
+@@ -83,7 +83,7 @@ typedef struct __ksymtab {
+               unsigned long sym_start;
+               unsigned long sym_end;
+               } kdb_symtab_t;
+-extern int kallsyms_symbol_next(char *prefix_name, int flag);
++extern int kallsyms_symbol_next(char *prefix_name, int flag, int buf_size);
+ extern int kallsyms_symbol_complete(char *prefix_name, int max_len);
+ /* Exported Symbols for kernel loadable modules to use. */
+diff --git a/kernel/debug/kdb/kdb_support.c b/kernel/debug/kdb/kdb_support.c
+index 84422d2b95c0..014f6fbb3832 100644
+--- a/kernel/debug/kdb/kdb_support.c
++++ b/kernel/debug/kdb/kdb_support.c
+@@ -221,11 +221,13 @@ int kallsyms_symbol_complete(char *prefix_name, int max_len)
+  * Parameters:
+  *    prefix_name     prefix of a symbol name to lookup
+  *    flag    0 means search from the head, 1 means continue search.
++ *    buf_size        maximum length that can be written to prefix_name
++ *                    buffer
+  * Returns:
+  *    1 if a symbol matches the given prefix.
+  *    0 if no string found
+  */
+-int kallsyms_symbol_next(char *prefix_name, int flag)
++int kallsyms_symbol_next(char *prefix_name, int flag, int buf_size)
+ {
+       int prefix_len = strlen(prefix_name);
+       static loff_t pos;
+@@ -235,10 +237,8 @@ int kallsyms_symbol_next(char *prefix_name, int flag)
+               pos = 0;
+       while ((name = kdb_walk_kallsyms(&pos))) {
+-              if (strncmp(name, prefix_name, prefix_len) == 0) {
+-                      strncpy(prefix_name, name, strlen(name)+1);
+-                      return 1;
+-              }
++              if (!strncmp(name, prefix_name, prefix_len))
++                      return strscpy(prefix_name, name, buf_size);
+       }
+       return 0;
+ }
+-- 
+2.17.1
+
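Review bot: The `Returns:` block above kallsyms_symbol_next() in kernel/debug/kdb/kdb_support.c still promises `1 if a symbol matches the given prefix`, but the function now returns the strscpy() result: the number of characters copied, or -E2BIG when the name did not fit in buf_size. The caller in kdb_io.c already depends on that (`ret != -E2BIG`), so the comment should read `length of the copied name if a symbol matches, -E2BIG if it matched but was truncated to buf_size`, keeping `0 if no string found`. buf_size is an `int` that strscpy() receives as a size_t, so the parameter comment should also state that it must be positive. kdb_read() continues outside the hunks shown.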
diff --git a/queue-4.14/kvm-ppc-move-and-undef-trace_include_path-file.patch b/queue-4.14/kvm-ppc-move-and-undef-trace_include_path-file.patch
new file mode 100644 (file)
index 0000000..ca2cec4
--- /dev/null
@@ -0,0 +1,143 @@
+From 9f57ea0049c4e96a92c0fd2c67146c4e558d9efb Mon Sep 17 00:00:00 2001
+From: Scott Wood <oss@buserror.net>
+Date: Tue, 6 Nov 2018 19:49:34 -0600
+Subject: KVM: PPC: Move and undef TRACE_INCLUDE_PATH/FILE
+
+[ Upstream commit 28c5bcf74fa07c25d5bd118d1271920f51ce2a98 ]
+
+TRACE_INCLUDE_PATH and TRACE_INCLUDE_FILE are used by
+<trace/define_trace.h>, so like that #include, they should
+be outside #ifdef protection.
+
+They also need to be #undefed before defining, in case multiple trace
+headers are included by the same C file.  This became the case on
+book3e after commit cf4a6085151a ("powerpc/mm: Add missing tracepoint for
+tlbie"), leading to the following build error:
+
+   CC      arch/powerpc/kvm/powerpc.o
+In file included from arch/powerpc/kvm/powerpc.c:51:0:
+arch/powerpc/kvm/trace.h:9:0: error: "TRACE_INCLUDE_PATH" redefined
+[-Werror]
+  #define TRACE_INCLUDE_PATH .
+  ^
+In file included from arch/powerpc/kvm/../mm/mmu_decl.h:25:0,
+                  from arch/powerpc/kvm/powerpc.c:48:
+./arch/powerpc/include/asm/trace.h:224:0: note: this is the location of
+the previous definition
+  #define TRACE_INCLUDE_PATH asm
+  ^
+cc1: all warnings being treated as errors
+
+Reported-by: Christian Zigotzky <chzigotzky@xenosoft.de>
+Signed-off-by: Scott Wood <oss@buserror.net>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/trace.h       | 8 ++++++--
+ arch/powerpc/kvm/trace_booke.h | 9 +++++++--
+ arch/powerpc/kvm/trace_hv.h    | 9 +++++++--
+ arch/powerpc/kvm/trace_pr.h    | 9 +++++++--
+ 4 files changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/arch/powerpc/kvm/trace.h b/arch/powerpc/kvm/trace.h
+index 491b0f715d6b..ea1d7c808319 100644
+--- a/arch/powerpc/kvm/trace.h
++++ b/arch/powerpc/kvm/trace.h
+@@ -6,8 +6,6 @@
+ #undef TRACE_SYSTEM
+ #define TRACE_SYSTEM kvm
+-#define TRACE_INCLUDE_PATH .
+-#define TRACE_INCLUDE_FILE trace
+ /*
+  * Tracepoint for guest mode entry.
+@@ -120,4 +118,10 @@ TRACE_EVENT(kvm_check_requests,
+ #endif /* _TRACE_KVM_H */
+ /* This part must be outside protection */
++#undef TRACE_INCLUDE_PATH
++#undef TRACE_INCLUDE_FILE
++
++#define TRACE_INCLUDE_PATH .
++#define TRACE_INCLUDE_FILE trace
++
+ #include <trace/define_trace.h>
+diff --git a/arch/powerpc/kvm/trace_booke.h b/arch/powerpc/kvm/trace_booke.h
+index ac640e81fdc5..3837842986aa 100644
+--- a/arch/powerpc/kvm/trace_booke.h
++++ b/arch/powerpc/kvm/trace_booke.h
+@@ -6,8 +6,6 @@
+ #undef TRACE_SYSTEM
+ #define TRACE_SYSTEM kvm_booke
+-#define TRACE_INCLUDE_PATH .
+-#define TRACE_INCLUDE_FILE trace_booke
+ #define kvm_trace_symbol_exit \
+       {0, "CRITICAL"}, \
+@@ -218,4 +216,11 @@ TRACE_EVENT(kvm_booke_queue_irqprio,
+ #endif
+ /* This part must be outside protection */
++
++#undef TRACE_INCLUDE_PATH
++#undef TRACE_INCLUDE_FILE
++
++#define TRACE_INCLUDE_PATH .
++#define TRACE_INCLUDE_FILE trace_booke
++
+ #include <trace/define_trace.h>
+diff --git a/arch/powerpc/kvm/trace_hv.h b/arch/powerpc/kvm/trace_hv.h
+index bcfe8a987f6a..8a1e3b0047f1 100644
+--- a/arch/powerpc/kvm/trace_hv.h
++++ b/arch/powerpc/kvm/trace_hv.h
+@@ -9,8 +9,6 @@
+ #undef TRACE_SYSTEM
+ #define TRACE_SYSTEM kvm_hv
+-#define TRACE_INCLUDE_PATH .
+-#define TRACE_INCLUDE_FILE trace_hv
+ #define kvm_trace_symbol_hcall \
+       {H_REMOVE,                      "H_REMOVE"}, \
+@@ -497,4 +495,11 @@ TRACE_EVENT(kvmppc_run_vcpu_exit,
+ #endif /* _TRACE_KVM_HV_H */
+ /* This part must be outside protection */
++
++#undef TRACE_INCLUDE_PATH
++#undef TRACE_INCLUDE_FILE
++
++#define TRACE_INCLUDE_PATH .
++#define TRACE_INCLUDE_FILE trace_hv
++
+ #include <trace/define_trace.h>
+diff --git a/arch/powerpc/kvm/trace_pr.h b/arch/powerpc/kvm/trace_pr.h
+index 85785a370c0e..256530eb1354 100644
+--- a/arch/powerpc/kvm/trace_pr.h
++++ b/arch/powerpc/kvm/trace_pr.h
+@@ -8,8 +8,6 @@
+ #undef TRACE_SYSTEM
+ #define TRACE_SYSTEM kvm_pr
+-#define TRACE_INCLUDE_PATH .
+-#define TRACE_INCLUDE_FILE trace_pr
+ TRACE_EVENT(kvm_book3s_reenter,
+       TP_PROTO(int r, struct kvm_vcpu *vcpu),
+@@ -272,4 +270,11 @@ TRACE_EVENT(kvm_unmap_hva,
+ #endif /* _TRACE_KVM_H */
+ /* This part must be outside protection */
++
++#undef TRACE_INCLUDE_PATH
++#undef TRACE_INCLUDE_FILE
++
++#define TRACE_INCLUDE_PATH .
++#define TRACE_INCLUDE_FILE trace_pr
++
+ #include <trace/define_trace.h>
+-- 
+2.17.1
+
diff --git a/queue-4.14/mm-page_alloc-check-for-max-order-in-hot-path.patch b/queue-4.14/mm-page_alloc-check-for-max-order-in-hot-path.patch
new file mode 100644 (file)
index 0000000..384fb57
--- /dev/null
@@ -0,0 +1,135 @@
+From 36309183c526f55d70409ae01d4f760c358d21dc Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.com>
+Date: Fri, 16 Nov 2018 15:08:53 -0800
+Subject: mm, page_alloc: check for max order in hot path
+
+[ Upstream commit c63ae43ba53bc432b414fd73dd5f4b01fcb1ab43 ]
+
+Konstantin has noticed that kvmalloc might trigger the following
+warning:
+
+  WARNING: CPU: 0 PID: 6676 at mm/vmstat.c:986 __fragmentation_index+0x54/0x60
+  [...]
+  Call Trace:
+   fragmentation_index+0x76/0x90
+   compaction_suitable+0x4f/0xf0
+   shrink_node+0x295/0x310
+   node_reclaim+0x205/0x250
+   get_page_from_freelist+0x649/0xad0
+   __alloc_pages_nodemask+0x12a/0x2a0
+   kmalloc_large_node+0x47/0x90
+   __kmalloc_node+0x22b/0x2e0
+   kvmalloc_node+0x3e/0x70
+   xt_alloc_table_info+0x3a/0x80 [x_tables]
+   do_ip6t_set_ctl+0xcd/0x1c0 [ip6_tables]
+   nf_setsockopt+0x44/0x60
+   SyS_setsockopt+0x6f/0xc0
+   do_syscall_64+0x67/0x120
+   entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+the problem is that we only check for an out of bound order in the slow
+path and the node reclaim might happen from the fast path already.  This
+is fixable by making sure that kvmalloc doesn't ever use kmalloc for
+requests that are larger than KMALLOC_MAX_SIZE but this also shows that
+the code is rather fragile.  A recent UBSAN report just underlines that
+by the following report
+
+  UBSAN: Undefined behaviour in mm/page_alloc.c:3117:19
+  shift exponent 51 is too large for 32-bit type 'int'
+  CPU: 0 PID: 6520 Comm: syz-executor1 Not tainted 4.19.0-rc2 #1
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+  Call Trace:
+   __dump_stack lib/dump_stack.c:77 [inline]
+   dump_stack+0xd2/0x148 lib/dump_stack.c:113
+   ubsan_epilogue+0x12/0x94 lib/ubsan.c:159
+   __ubsan_handle_shift_out_of_bounds+0x2b6/0x30b lib/ubsan.c:425
+   __zone_watermark_ok+0x2c7/0x400 mm/page_alloc.c:3117
+   zone_watermark_fast mm/page_alloc.c:3216 [inline]
+   get_page_from_freelist+0xc49/0x44c0 mm/page_alloc.c:3300
+   __alloc_pages_nodemask+0x21e/0x640 mm/page_alloc.c:4370
+   alloc_pages_current+0xcc/0x210 mm/mempolicy.c:2093
+   alloc_pages include/linux/gfp.h:509 [inline]
+   __get_free_pages+0x12/0x60 mm/page_alloc.c:4414
+   dma_mem_alloc+0x36/0x50 arch/x86/include/asm/floppy.h:156
+   raw_cmd_copyin drivers/block/floppy.c:3159 [inline]
+   raw_cmd_ioctl drivers/block/floppy.c:3206 [inline]
+   fd_locked_ioctl+0xa00/0x2c10 drivers/block/floppy.c:3544
+   fd_ioctl+0x40/0x60 drivers/block/floppy.c:3571
+   __blkdev_driver_ioctl block/ioctl.c:303 [inline]
+   blkdev_ioctl+0xb3c/0x1a30 block/ioctl.c:601
+   block_ioctl+0x105/0x150 fs/block_dev.c:1883
+   vfs_ioctl fs/ioctl.c:46 [inline]
+   do_vfs_ioctl+0x1c0/0x1150 fs/ioctl.c:687
+   ksys_ioctl+0x9e/0xb0 fs/ioctl.c:702
+   __do_sys_ioctl fs/ioctl.c:709 [inline]
+   __se_sys_ioctl fs/ioctl.c:707 [inline]
+   __x64_sys_ioctl+0x7e/0xc0 fs/ioctl.c:707
+   do_syscall_64+0xc4/0x510 arch/x86/entry/common.c:290
+   entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Note that this is not a kvmalloc path.  It is just that the fast path
+really depends on having sanitzed order as well.  Therefore move the
+order check to the fast path.
+
+Link: http://lkml.kernel.org/r/20181113094305.GM15120@dhcp22.suse.cz
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Reported-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Reported-by: Kyungtae Kim <kt0755@gmail.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Balbir Singh <bsingharora@gmail.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Pavel Tatashin <pavel.tatashin@microsoft.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Cc: Aaron Lu <aaron.lu@intel.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Byoungyoung Lee <lifeasageek@gmail.com>
+Cc: "Dae R. Jeong" <threeearcat@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/page_alloc.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index a604b5da6755..2074f424dabf 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -3867,17 +3867,6 @@ __alloc_pages_slowpath(gfp_t gfp_mask, unsigned int order,
+       unsigned int cpuset_mems_cookie;
+       int reserve_flags;
+-      /*
+-       * In the slowpath, we sanity check order to avoid ever trying to
+-       * reclaim >= MAX_ORDER areas which will never succeed. Callers may
+-       * be using allocators in order of preference for an area that is
+-       * too large.
+-       */
+-      if (order >= MAX_ORDER) {
+-              WARN_ON_ONCE(!(gfp_mask & __GFP_NOWARN));
+-              return NULL;
+-      }
+-
+       /*
+        * We also sanity check to catch abuse of atomic reserves being used by
+        * callers that are not in atomic context.
+@@ -4179,6 +4168,15 @@ __alloc_pages_nodemask(gfp_t gfp_mask, unsigned int order, int preferred_nid,
+       gfp_t alloc_mask; /* The gfp_t that was actually used for allocation */
+       struct alloc_context ac = { };
++      /*
++       * There are several places where we assume that the order value is sane
++       * so bail out early if the request is out of bound.
++       */
++      if (unlikely(order >= MAX_ORDER)) {
++              WARN_ON_ONCE(!(gfp_mask & __GFP_NOWARN));
++              return NULL;
++      }
++
+       gfp_mask &= gfp_allowed_mask;
+       alloc_mask = gfp_mask;
+       if (!prepare_alloc_pages(gfp_mask, order, preferred_nid, nodemask, &ac, &alloc_mask, &alloc_flags))
+-- 
+2.17.1
+
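Review bot: The new comment in __alloc_pages_nodemask() says only that "several places" assume a sane order; naming one would tell the next reader why the check cannot move back to the slow path. Going by the UBSAN report quoted in the commit message, something like `/* order is used as a shift count in the fast path (see __zone_watermark_ok()), so reject order >= MAX_ORDER before any of it runs */` would do. Both traces in the message reach the allocator from a syscall (setsockopt, ioctl), so the WARN_ON_ONCE is presumably reachable with a caller-supplied size. Callers that size allocations from user input should bound the size themselves or pass __GFP_NOWARN rather than rely on this backstop, which matters on systems running with panic_on_warn. The function body continues outside the hunk.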
diff --git a/queue-4.14/net-bcmgenet-fix-of-child-node-lookup.patch b/queue-4.14/net-bcmgenet-fix-of-child-node-lookup.patch
new file mode 100644 (file)
index 0000000..e1b6e0c
--- /dev/null
@@ -0,0 +1,43 @@
+From 5e0123ee2fdb604deb6f9753eae5b7a8b34906f6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 27 Aug 2018 10:21:50 +0200
+Subject: net: bcmgenet: fix OF child-node lookup
+
+[ Upstream commit d397dbe606120a1ea1b11b0020c3f7a3852da5ac ]
+
+Use the new of_get_compatible_child() helper to lookup the mdio child
+node instead of using of_find_compatible_node(), which searches the
+entire tree from a given start node and thus can return an unrelated
+(i.e. non-child) node.
+
+This also addresses a potential use-after-free (e.g. after probe
+deferral) as the tree-wide helper drops a reference to its first
+argument (i.e. the node of the device being probed).
+
+Fixes: aa09677cba42 ("net: bcmgenet: add MDIO routines")
+Cc: stable <stable@vger.kernel.org>     # 3.15
+Cc: David S. Miller <davem@davemloft.net>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmmii.c b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+index abbd2894f870..c421e2753c8c 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+@@ -360,7 +360,7 @@ static struct device_node *bcmgenet_mii_of_find_mdio(struct bcmgenet_priv *priv)
+       if (!compat)
+               return NULL;
+-      priv->mdio_dn = of_find_compatible_node(dn, NULL, compat);
++      priv->mdio_dn = of_get_compatible_child(dn, compat);
+       kfree(compat);
+       if (!priv->mdio_dn) {
+               dev_err(kdev, "unable to find MDIO bus node\n");
+-- 
+2.17.1
+
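Review bot: The node stored in `priv->mdio_dn` in bcmgenet_mii_of_find_mdio() carries a reference, and no matching of_node_put() is visible in this hunk. The kernel-doc of of_get_compatible_child(), added elsewhere in this queue, says the returned node must be released that way. The old of_find_compatible_node() call returned a counted node as well, so this is not new. Since the commit is about reference handling, it is still worth confirming that the teardown and probe-failure paths drop it, and recording the owner next to the assignment, e.g. `/* reference held until of_node_put() in <teardown function> */`. The same question applies to `matched_node` in nfcmrvl_uart_parse_dt() in the nfcmrvl_uart patch that follows; both functions continue outside their hunks.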
diff --git a/queue-4.14/nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch b/queue-4.14/nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch
new file mode 100644 (file)
index 0000000..7056331
--- /dev/null
@@ -0,0 +1,48 @@
+From 82531e1d8aa4ecaae0f6ae655c0392d2be21447b Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 27 Aug 2018 10:21:52 +0200
+Subject: NFC: nfcmrvl_uart: fix OF child-node lookup
+
+[ Upstream commit 5bf59773aaf36dd62117dc83d50e1bbf9ef432da ]
+
+Use the new of_get_compatible_child() helper to lookup the nfc child
+node instead of using of_find_compatible_node(), which searches the
+entire tree from a given start node and thus can return an unrelated
+(i.e. non-child) node.
+
+This also addresses a potential use-after-free (e.g. after probe
+deferral) as the tree-wide helper drops a reference to its first
+argument (i.e. the parent node).
+
+Fixes: e097dc624f78 ("NFC: nfcmrvl: add UART driver")
+Fixes: d8e018c0b321 ("NFC: nfcmrvl: update device tree bindings for Marvell NFC")
+Cc: stable <stable@vger.kernel.org>     # 4.2
+Cc: Vincent Cuissard <cuissard@marvell.com>
+Cc: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/nfcmrvl/uart.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nfc/nfcmrvl/uart.c b/drivers/nfc/nfcmrvl/uart.c
+index 91162f8e0366..9a22056e8d9e 100644
+--- a/drivers/nfc/nfcmrvl/uart.c
++++ b/drivers/nfc/nfcmrvl/uart.c
+@@ -73,10 +73,9 @@ static int nfcmrvl_uart_parse_dt(struct device_node *node,
+       struct device_node *matched_node;
+       int ret;
+-      matched_node = of_find_compatible_node(node, NULL, "marvell,nfc-uart");
++      matched_node = of_get_compatible_child(node, "marvell,nfc-uart");
+       if (!matched_node) {
+-              matched_node = of_find_compatible_node(node, NULL,
+-                                                     "mrvl,nfc-uart");
++              matched_node = of_get_compatible_child(node, "mrvl,nfc-uart");
+               if (!matched_node)
+                       return -ENODEV;
+       }
+-- 
+2.17.1
+
diff --git a/queue-4.14/of-add-helper-to-lookup-compatible-child-node.patch b/queue-4.14/of-add-helper-to-lookup-compatible-child-node.patch
new file mode 100644 (file)
index 0000000..3cedcc8
--- /dev/null
@@ -0,0 +1,91 @@
+From 0cb74c3d5efd6876d4b131fb9355e54bfee51ccd Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 27 Aug 2018 10:21:45 +0200
+Subject: of: add helper to lookup compatible child node
+
+[ Upstream commit 36156f9241cb0f9e37d998052873ca7501ad4b36 ]
+
+Add of_get_compatible_child() helper that can be used to lookup
+compatible child nodes.
+
+Several drivers currently use of_find_compatible_node() to lookup child
+nodes while failing to notice that the of_find_ functions search the
+entire tree depth-first (from a given start node) and therefore can
+match unrelated nodes. The fact that these functions also drop a
+reference to the node they start searching from (e.g. the parent node)
+is typically also overlooked, something which can lead to use-after-free
+bugs.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/base.c  | 25 +++++++++++++++++++++++++
+ include/linux/of.h |  8 ++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/drivers/of/base.c b/drivers/of/base.c
+index 63897531cd75..ce8a6e0c9b6a 100644
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -737,6 +737,31 @@ struct device_node *of_get_next_available_child(const struct device_node *node,
+ }
+ EXPORT_SYMBOL(of_get_next_available_child);
++/**
++ * of_get_compatible_child - Find compatible child node
++ * @parent:   parent node
++ * @compatible:       compatible string
++ *
++ * Lookup child node whose compatible property contains the given compatible
++ * string.
++ *
++ * Returns a node pointer with refcount incremented, use of_node_put() on it
++ * when done; or NULL if not found.
++ */
++struct device_node *of_get_compatible_child(const struct device_node *parent,
++                              const char *compatible)
++{
++      struct device_node *child;
++
++      for_each_child_of_node(parent, child) {
++              if (of_device_is_compatible(child, compatible))
++                      break;
++      }
++
++      return child;
++}
++EXPORT_SYMBOL(of_get_compatible_child);
++
+ /**
+  *    of_get_child_by_name - Find the child node by name for a given parent
+  *    @node:  parent node
+diff --git a/include/linux/of.h b/include/linux/of.h
+index b240ed69dc96..70b7dacf9238 100644
+--- a/include/linux/of.h
++++ b/include/linux/of.h
+@@ -288,6 +288,8 @@ extern struct device_node *of_get_next_child(const struct device_node *node,
+ extern struct device_node *of_get_next_available_child(
+       const struct device_node *node, struct device_node *prev);
++extern struct device_node *of_get_compatible_child(const struct device_node *parent,
++                                      const char *compatible);
+ extern struct device_node *of_get_child_by_name(const struct device_node *node,
+                                       const char *name);
+@@ -625,6 +627,12 @@ static inline bool of_have_populated_dt(void)
+       return false;
+ }
++static inline struct device_node *of_get_compatible_child(const struct device_node *parent,
++                                      const char *compatible)
++{
++      return NULL;
++}
++
+ static inline struct device_node *of_get_child_by_name(
+                                       const struct device_node *node,
+                                       const char *name)
+-- 
+2.17.1
+
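Review bot: The kernel-doc for of_get_compatible_child() in drivers/of/base.c does not mention that the loop uses for_each_child_of_node(), which also visits children whose status is not "okay", so a caller can get back a disabled node. It also leaves out the two properties the commit message gives as the reason for the helper: only direct children of @parent are examined, and no reference on @parent is dropped. I would add to the description `Only direct children of @parent are searched and @parent's refcount is left untouched. Disabled children are matched too; check of_device_is_available() if that matters.`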
diff --git a/queue-4.14/perf-x86-intel-uncore-add-more-imc-pci-ids-for-kabyl.patch b/queue-4.14/perf-x86-intel-uncore-add-more-imc-pci-ids-for-kabyl.patch
new file mode 100644 (file)
index 0000000..395be6a
--- /dev/null
@@ -0,0 +1,173 @@
+From 635ec18c68f13f59046d968074fef35e692f272b Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Fri, 19 Oct 2018 10:04:18 -0700
+Subject: perf/x86/intel/uncore: Add more IMC PCI IDs for KabyLake and
+ CoffeeLake CPUs
+
+[ Upstream commit c10a8de0d32e95b0b8c7c17b6dc09baea5a5a899 ]
+
+KabyLake and CoffeeLake CPUs have the same client uncore events as SkyLake.
+
+Add the PCI IDs for the KabyLake Y, U, S processor lines and CoffeeLake U,
+H, S processor lines.
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Link: http://lkml.kernel.org/r/20181019170419.378-1-kan.liang@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore_snb.c | 115 ++++++++++++++++++++++++++++-
+ 1 file changed, 114 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c
+index aee5e8496be4..aa4e6f4e6a01 100644
+--- a/arch/x86/events/intel/uncore_snb.c
++++ b/arch/x86/events/intel/uncore_snb.c
+@@ -15,6 +15,25 @@
+ #define PCI_DEVICE_ID_INTEL_SKL_HQ_IMC        0x1910
+ #define PCI_DEVICE_ID_INTEL_SKL_SD_IMC        0x190f
+ #define PCI_DEVICE_ID_INTEL_SKL_SQ_IMC        0x191f
++#define PCI_DEVICE_ID_INTEL_KBL_Y_IMC 0x590c
++#define PCI_DEVICE_ID_INTEL_KBL_U_IMC 0x5904
++#define PCI_DEVICE_ID_INTEL_KBL_UQ_IMC        0x5914
++#define PCI_DEVICE_ID_INTEL_KBL_SD_IMC        0x590f
++#define PCI_DEVICE_ID_INTEL_KBL_SQ_IMC        0x591f
++#define PCI_DEVICE_ID_INTEL_CFL_2U_IMC        0x3ecc
++#define PCI_DEVICE_ID_INTEL_CFL_4U_IMC        0x3ed0
++#define PCI_DEVICE_ID_INTEL_CFL_4H_IMC        0x3e10
++#define PCI_DEVICE_ID_INTEL_CFL_6H_IMC        0x3ec4
++#define PCI_DEVICE_ID_INTEL_CFL_2S_D_IMC      0x3e0f
++#define PCI_DEVICE_ID_INTEL_CFL_4S_D_IMC      0x3e1f
++#define PCI_DEVICE_ID_INTEL_CFL_6S_D_IMC      0x3ec2
++#define PCI_DEVICE_ID_INTEL_CFL_8S_D_IMC      0x3e30
++#define PCI_DEVICE_ID_INTEL_CFL_4S_W_IMC      0x3e18
++#define PCI_DEVICE_ID_INTEL_CFL_6S_W_IMC      0x3ec6
++#define PCI_DEVICE_ID_INTEL_CFL_8S_W_IMC      0x3e31
++#define PCI_DEVICE_ID_INTEL_CFL_4S_S_IMC      0x3e33
++#define PCI_DEVICE_ID_INTEL_CFL_6S_S_IMC      0x3eca
++#define PCI_DEVICE_ID_INTEL_CFL_8S_S_IMC      0x3e32
+ /* SNB event control */
+ #define SNB_UNC_CTL_EV_SEL_MASK                       0x000000ff
+@@ -632,7 +651,82 @@ static const struct pci_device_id skl_uncore_pci_ids[] = {
+               PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SKL_SQ_IMC),
+               .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
+       },
+-
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_KBL_Y_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_KBL_U_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_KBL_UQ_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_KBL_SD_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_KBL_SQ_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CFL_2U_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CFL_4U_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CFL_4H_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CFL_6H_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CFL_2S_D_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CFL_4S_D_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CFL_6S_D_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CFL_8S_D_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CFL_4S_W_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CFL_6S_W_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CFL_8S_W_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CFL_4S_S_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CFL_6S_S_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
++      { /* IMC */
++              PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CFL_8S_S_IMC),
++              .driver_data = UNCORE_PCI_DEV_DATA(SNB_PCI_UNCORE_IMC, 0),
++      },
+       { /* end: all zeroes */ },
+ };
+@@ -681,6 +775,25 @@ static const struct imc_uncore_pci_dev desktop_imc_pci_ids[] = {
+       IMC_DEV(SKL_HQ_IMC, &skl_uncore_pci_driver),  /* 6th Gen Core H Quad Core */
+       IMC_DEV(SKL_SD_IMC, &skl_uncore_pci_driver),  /* 6th Gen Core S Dual Core */
+       IMC_DEV(SKL_SQ_IMC, &skl_uncore_pci_driver),  /* 6th Gen Core S Quad Core */
++      IMC_DEV(KBL_Y_IMC, &skl_uncore_pci_driver),  /* 7th Gen Core Y */
++      IMC_DEV(KBL_U_IMC, &skl_uncore_pci_driver),  /* 7th Gen Core U */
++      IMC_DEV(KBL_UQ_IMC, &skl_uncore_pci_driver),  /* 7th Gen Core U Quad Core */
++      IMC_DEV(KBL_SD_IMC, &skl_uncore_pci_driver),  /* 7th Gen Core S Dual Core */
++      IMC_DEV(KBL_SQ_IMC, &skl_uncore_pci_driver),  /* 7th Gen Core S Quad Core */
++      IMC_DEV(CFL_2U_IMC, &skl_uncore_pci_driver),  /* 8th Gen Core U 2 Cores */
++      IMC_DEV(CFL_4U_IMC, &skl_uncore_pci_driver),  /* 8th Gen Core U 4 Cores */
++      IMC_DEV(CFL_4H_IMC, &skl_uncore_pci_driver),  /* 8th Gen Core H 4 Cores */
++      IMC_DEV(CFL_6H_IMC, &skl_uncore_pci_driver),  /* 8th Gen Core H 6 Cores */
++      IMC_DEV(CFL_2S_D_IMC, &skl_uncore_pci_driver),  /* 8th Gen Core S 2 Cores Desktop */
++      IMC_DEV(CFL_4S_D_IMC, &skl_uncore_pci_driver),  /* 8th Gen Core S 4 Cores Desktop */
++      IMC_DEV(CFL_6S_D_IMC, &skl_uncore_pci_driver),  /* 8th Gen Core S 6 Cores Desktop */
++      IMC_DEV(CFL_8S_D_IMC, &skl_uncore_pci_driver),  /* 8th Gen Core S 8 Cores Desktop */
++      IMC_DEV(CFL_4S_W_IMC, &skl_uncore_pci_driver),  /* 8th Gen Core S 4 Cores Work Station */
++      IMC_DEV(CFL_6S_W_IMC, &skl_uncore_pci_driver),  /* 8th Gen Core S 6 Cores Work Station */
++      IMC_DEV(CFL_8S_W_IMC, &skl_uncore_pci_driver),  /* 8th Gen Core S 8 Cores Work Station */
++      IMC_DEV(CFL_4S_S_IMC, &skl_uncore_pci_driver),  /* 8th Gen Core S 4 Cores Server */
++      IMC_DEV(CFL_6S_S_IMC, &skl_uncore_pci_driver),  /* 8th Gen Core S 6 Cores Server */
++      IMC_DEV(CFL_8S_S_IMC, &skl_uncore_pci_driver),  /* 8th Gen Core S 8 Cores Server */
+       {  /* end marker */ }
+ };
+-- 
+2.17.1
+
diff --git a/queue-4.14/pinctrl-meson-fix-pinconf-bias-disable.patch b/queue-4.14/pinctrl-meson-fix-pinconf-bias-disable.patch
new file mode 100644 (file)
index 0000000..c6ce9e1
--- /dev/null
@@ -0,0 +1,39 @@
+From 7ebf6f4e7e4d51e7799f9afe5ecdcbfca7704c8e Mon Sep 17 00:00:00 2001
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Tue, 23 Oct 2018 18:03:19 +0200
+Subject: pinctrl: meson: fix pinconf bias disable
+
+[ Upstream commit e39f9dd8206ad66992ac0e6218ef1ba746f2cce9 ]
+
+If a bias is enabled on a pin of an Amlogic SoC, calling .pin_config_set()
+with PIN_CONFIG_BIAS_DISABLE will not disable the bias. Instead it will
+force a pull-down bias on the pin.
+
+Instead of the pull type register bank, the driver should access the pull
+enable register bank.
+
+Fixes: 6ac730951104 ("pinctrl: add driver for Amlogic Meson SoCs")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/meson/pinctrl-meson.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/meson/pinctrl-meson.c b/drivers/pinctrl/meson/pinctrl-meson.c
+index 66ed70c12733..6c43322dbb97 100644
+--- a/drivers/pinctrl/meson/pinctrl-meson.c
++++ b/drivers/pinctrl/meson/pinctrl-meson.c
+@@ -273,7 +273,7 @@ static int meson_pinconf_set(struct pinctrl_dev *pcdev, unsigned int pin,
+                       dev_dbg(pc->dev, "pin %u: disable bias\n", pin);
+                       meson_calc_reg_and_bit(bank, pin, REG_PULL, &reg, &bit);
+-                      ret = regmap_update_bits(pc->reg_pull, reg,
++                      ret = regmap_update_bits(pc->reg_pullen, reg,
+                                                BIT(bit), 0);
+                       if (ret)
+                               return ret;
+-- 
+2.17.1
+
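Review bot: The register offset and bit are still computed for the pull-type bank on the context line `meson_calc_reg_and_bit(bank, pin, REG_PULL, &reg, &bit);`, while the changed call now writes them into `pc->reg_pullen`. Unless the two banks are laid out identically for every pin, the clear can land on the wrong offset or bit of the pull-enable bank, leaving the bias active on the intended pin or changing a neighbouring one. The lookup should use the pull-enable type as well: `meson_calc_reg_and_bit(bank, pin, REG_PULLEN, &reg, &bit);`. The body of meson_pinconf_set starts and ends outside the hunk, so the other bias cases are not visible here.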
diff --git a/queue-4.14/power-supply-twl4030-charger-fix-of-sibling-node-loo.patch b/queue-4.14/power-supply-twl4030-charger-fix-of-sibling-node-loo.patch
new file mode 100644 (file)
index 0000000..dbb81da
--- /dev/null
@@ -0,0 +1,54 @@
+From f4d88152570fd5ab3de3d7d4924c70aee94d751f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 27 Aug 2018 10:21:53 +0200
+Subject: power: supply: twl4030-charger: fix OF sibling-node lookup
+
+[ Upstream commit 9844fb2e351311210e6660a9a1c62d17424a6145 ]
+
+Use the new of_get_compatible_child() helper to lookup the usb sibling
+node instead of using of_find_compatible_node(), which searches the
+entire tree from a given start node and thus can return an unrelated
+(non-sibling) node.
+
+This also addresses a potential use-after-free (e.g. after probe
+deferral) as the tree-wide helper drops a reference to its first
+argument (i.e. the parent device node).
+
+While at it, also fix the related phy-node reference leak.
+
+Fixes: f5e4edb8c888 ("power: twl4030_charger: find associated phy by more reliable means.")
+Cc: stable <stable@vger.kernel.org>     # 4.2
+Cc: NeilBrown <neilb@suse.de>
+Cc: Felipe Balbi <felipe.balbi@linux.intel.com>
+Cc: Sebastian Reichel <sre@kernel.org>
+Reviewed-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/twl4030_charger.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/power/supply/twl4030_charger.c b/drivers/power/supply/twl4030_charger.c
+index a5915f498eea..0cc12bfe7b02 100644
+--- a/drivers/power/supply/twl4030_charger.c
++++ b/drivers/power/supply/twl4030_charger.c
+@@ -996,12 +996,13 @@ static int twl4030_bci_probe(struct platform_device *pdev)
+       if (bci->dev->of_node) {
+               struct device_node *phynode;
+-              phynode = of_find_compatible_node(bci->dev->of_node->parent,
+-                                                NULL, "ti,twl4030-usb");
++              phynode = of_get_compatible_child(bci->dev->of_node->parent,
++                                                "ti,twl4030-usb");
+               if (phynode) {
+                       bci->usb_nb.notifier_call = twl4030_bci_usb_ncb;
+                       bci->transceiver = devm_usb_get_phy_by_node(
+                               bci->dev, phynode, &bci->usb_nb);
++                      of_node_put(phynode);
+                       if (IS_ERR(bci->transceiver)) {
+                               ret = PTR_ERR(bci->transceiver);
+                               if (ret == -EPROBE_DEFER)
+-- 
+2.17.1
+
diff --git a/queue-4.14/powerpc-io-fix-the-io-workarounds-code-to-work-with-.patch b/queue-4.14/powerpc-io-fix-the-io-workarounds-code-to-work-with-.patch
new file mode 100644 (file)
index 0000000..82de82d
--- /dev/null
@@ -0,0 +1,120 @@
+From eb3c9f3555f79e8b1dd77141f0ea29756a790ae8 Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Tue, 6 Nov 2018 23:37:58 +1100
+Subject: powerpc/io: Fix the IO workarounds code to work with Radix
+
+[ Upstream commit 43c6494fa1499912c8177e71450c0279041152a6 ]
+
+Back in 2006 Ben added some workarounds for a misbehaviour in the
+Spider IO bridge used on early Cell machines, see commit
+014da7ff47b5 ("[POWERPC] Cell "Spider" MMIO workarounds"). Later these
+were made to be generic, ie. not tied specifically to Spider.
+
+The code stashes a token in the high bits (59-48) of virtual addresses
+used for IO (eg. returned from ioremap()). This works fine when using
+the Hash MMU, but when we're using the Radix MMU the bits used for the
+token overlap with some of the bits of the virtual address.
+
+This is because the maximum virtual address is larger with Radix, up
+to c00fffffffffffff, and in fact we use that high part of the address
+range for ioremap(), see RADIX_KERN_IO_START.
+
+As it happens the bits that are used overlap with the bits that
+differentiate an IO address vs a linear map address. If the resulting
+address lies outside the linear mapping we will crash (see below), if
+not we just corrupt memory.
+
+  virtio-pci 0000:00:00.0: Using 64-bit direct DMA at offset 800000000000000
+  Unable to handle kernel paging request for data at address 0xc000000080000014
+  ...
+  CFAR: c000000000626b98 DAR: c000000080000014 DSISR: 42000000 IRQMASK: 0
+  GPR00: c0000000006c54fc c00000003e523378 c0000000016de600 0000000000000000
+  GPR04: c00c000080000014 0000000000000007 0fffffff000affff 0000000000000030
+         ^^^^
+  ...
+  NIP [c000000000626c5c] .iowrite8+0xec/0x100
+  LR [c0000000006c992c] .vp_reset+0x2c/0x90
+  Call Trace:
+    .pci_bus_read_config_dword+0xc4/0x120 (unreliable)
+    .register_virtio_device+0x13c/0x1c0
+    .virtio_pci_probe+0x148/0x1f0
+    .local_pci_probe+0x68/0x140
+    .pci_device_probe+0x164/0x220
+    .really_probe+0x274/0x3b0
+    .driver_probe_device+0x80/0x170
+    .__driver_attach+0x14c/0x150
+    .bus_for_each_dev+0xb8/0x130
+    .driver_attach+0x34/0x50
+    .bus_add_driver+0x178/0x2f0
+    .driver_register+0x90/0x1a0
+    .__pci_register_driver+0x6c/0x90
+    .virtio_pci_driver_init+0x2c/0x40
+    .do_one_initcall+0x64/0x280
+    .kernel_init_freeable+0x36c/0x474
+    .kernel_init+0x24/0x160
+    .ret_from_kernel_thread+0x58/0x7c
+
+This hasn't been a problem because CONFIG_PPC_IO_WORKAROUNDS which
+enables this code is usually not enabled. It is only enabled when it's
+selected by PPC_CELL_NATIVE which is only selected by
+PPC_IBM_CELL_BLADE and that in turn depends on BIG_ENDIAN. So in order
+to hit the bug you need to build a big endian kernel, with IBM Cell
+Blade support enabled, as well as Radix MMU support, and then boot
+that on Power9 using Radix MMU.
+
+Still we can fix the bug, so let's do that. We simply use fewer bits
+for the token, taking the union of the restrictions on the address
+from both Hash and Radix, we end up with 8 bits we can use for the
+token. The only user of the token is iowa_mem_find_bus() which only
+supports 8 token values, so 8 bits is plenty for that.
+
+Fixes: 566ca99af026 ("powerpc/mm/radix: Add dummy radix_enabled()")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/io.h | 20 +++++++-------------
+ 1 file changed, 7 insertions(+), 13 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/io.h b/arch/powerpc/include/asm/io.h
+index 422f99cf9924..e6d33eed8202 100644
+--- a/arch/powerpc/include/asm/io.h
++++ b/arch/powerpc/include/asm/io.h
+@@ -287,19 +287,13 @@ extern void _memcpy_toio(volatile void __iomem *dest, const void *src,
+  * their hooks, a bitfield is reserved for use by the platform near the
+  * top of MMIO addresses (not PIO, those have to cope the hard way).
+  *
+- * This bit field is 12 bits and is at the top of the IO virtual
+- * addresses PCI_IO_INDIRECT_TOKEN_MASK.
++ * The highest address in the kernel virtual space are:
+  *
+- * The kernel virtual space is thus:
++ *  d0003fffffffffff  # with Hash MMU
++ *  c00fffffffffffff  # with Radix MMU
+  *
+- *  0xD000000000000000                : vmalloc
+- *  0xD000080000000000                : PCI PHB IO space
+- *  0xD000080080000000                : ioremap
+- *  0xD0000fffffffffff                : end of ioremap region
+- *
+- * Since the top 4 bits are reserved as the region ID, we use thus
+- * the next 12 bits and keep 4 bits available for the future if the
+- * virtual address space is ever to be extended.
++ * The top 4 bits are reserved as the region ID on hash, leaving us 8 bits
++ * that can be used for the field.
+  *
+  * The direct IO mapping operations will then mask off those bits
+  * before doing the actual access, though that only happen when
+@@ -311,8 +305,8 @@ extern void _memcpy_toio(volatile void __iomem *dest, const void *src,
+  */
+ #ifdef CONFIG_PPC_INDIRECT_MMIO
+-#define PCI_IO_IND_TOKEN_MASK 0x0fff000000000000ul
+-#define PCI_IO_IND_TOKEN_SHIFT        48
++#define PCI_IO_IND_TOKEN_SHIFT        52
++#define PCI_IO_IND_TOKEN_MASK (0xfful << PCI_IO_IND_TOKEN_SHIFT)
+ #define PCI_FIX_ADDR(addr)                                            \
+       ((PCI_IO_ADDR)(((unsigned long)(addr)) & ~PCI_IO_IND_TOKEN_MASK))
+ #define PCI_GET_ADDR_TOKEN(addr)                                      \
+-- 
+2.17.1
+
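Review bot: The rewritten comment says 8 bits are left for the token but no longer says which ones, and the two address limits it quotes are only prose. With `PCI_IO_IND_TOKEN_SHIFT` at 52 and a mask of `0xfful`, the field is bits 59-52; stating that in the comment, e.g. ` * The token lives in bits 59-52, above the highest Radix address and below the region ID.`, would let a reader check the mask against both limits. Since the changelog describes the old overlap as ending in a crash or silent memory corruption, a build-time assertion that the mask does not intersect the highest kernel virtual address is also worth considering; the constants needed for it are not visible in this hunk.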
diff --git a/queue-4.14/powerpc-numa-suppress-vphn-is-not-supported-messages.patch b/queue-4.14/powerpc-numa-suppress-vphn-is-not-supported-messages.patch
new file mode 100644 (file)
index 0000000..4f2fe44
--- /dev/null
@@ -0,0 +1,36 @@
+From cd0ca78b526fca0519c612935efbab6ab4c4b3d4 Mon Sep 17 00:00:00 2001
+From: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
+Date: Thu, 8 Nov 2018 10:47:56 +0530
+Subject: powerpc/numa: Suppress "VPHN is not supported" messages
+
+[ Upstream commit 437ccdc8ce629470babdda1a7086e2f477048cbd ]
+
+When VPHN function is not supported and during cpu hotplug event,
+kernel prints message 'VPHN function not supported. Disabling
+polling...'. Currently it prints on every hotplug event, it floods
+dmesg when a KVM guest tries to hotplug huge number of vcpus, let's
+just print once and suppress further kernel prints.
+
+Signed-off-by: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/numa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c
+index 9fead0796364..40fb9a8835fe 100644
+--- a/arch/powerpc/mm/numa.c
++++ b/arch/powerpc/mm/numa.c
+@@ -1261,7 +1261,7 @@ static long vphn_get_associativity(unsigned long cpu,
+       switch (rc) {
+       case H_FUNCTION:
+-              printk(KERN_INFO
++              printk_once(KERN_INFO
+                       "VPHN is not supported. Disabling polling...\n");
+               stop_topology_update();
+               break;
+-- 
+2.17.1
+
diff --git a/queue-4.14/rtc-pcf2127-fix-a-kmemleak-caused-in-pcf2127_i2c_gat.patch b/queue-4.14/rtc-pcf2127-fix-a-kmemleak-caused-in-pcf2127_i2c_gat.patch
new file mode 100644 (file)
index 0000000..f474f3e
--- /dev/null
@@ -0,0 +1,55 @@
+From 710fbe433c9fd18fe79ccf3ccca07e5f3d407c27 Mon Sep 17 00:00:00 2001
+From: Xulin Sun <xulin.sun@windriver.com>
+Date: Tue, 6 Nov 2018 16:42:19 +0800
+Subject: rtc: pcf2127: fix a kmemleak caused in pcf2127_i2c_gather_write
+
+[ Upstream commit 9bde0afb7a906f1dabdba37162551565740b862d ]
+
+pcf2127_i2c_gather_write() allocates memory as local variable
+for i2c_master_send(), after finishing the master transfer,
+the allocated memory should be freed. The kmemleak is reported:
+
+unreferenced object 0xffff80231e7dba80 (size 64):
+  comm "hwclock", pid 27762, jiffies 4296880075 (age 356.944s)
+  hex dump (first 32 bytes):
+    03 00 12 03 19 02 11 13 00 80 98 18 00 00 ff ff ................
+    00 50 00 00 00 00 00 00 02 00 00 00 00 00 00 00 .P..............
+  backtrace:
+    [<ffff000008221398>] create_object+0xf8/0x278
+    [<ffff000008a96264>] kmemleak_alloc+0x74/0xa0
+    [<ffff00000821070c>] __kmalloc+0x1ac/0x348
+    [<ffff0000087ed1dc>] pcf2127_i2c_gather_write+0x54/0xf8
+    [<ffff0000085fd9d4>] _regmap_raw_write+0x464/0x850
+    [<ffff0000085fe3f4>] regmap_bulk_write+0x1a4/0x348
+    [<ffff0000087ed32c>] pcf2127_rtc_set_time+0xac/0xe8
+    [<ffff0000087eaad8>] rtc_set_time+0x80/0x138
+    [<ffff0000087ebfb0>] rtc_dev_ioctl+0x398/0x610
+    [<ffff00000823f2c0>] do_vfs_ioctl+0xb0/0x848
+    [<ffff00000823fae4>] SyS_ioctl+0x8c/0xa8
+    [<ffff000008083ac0>] el0_svc_naked+0x34/0x38
+    [<ffffffffffffffff>] 0xffffffffffffffff
+
+Signed-off-by: Xulin Sun <xulin.sun@windriver.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-pcf2127.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/rtc/rtc-pcf2127.c b/drivers/rtc/rtc-pcf2127.c
+index f33447c5db85..9f1b14bf91ae 100644
+--- a/drivers/rtc/rtc-pcf2127.c
++++ b/drivers/rtc/rtc-pcf2127.c
+@@ -248,6 +248,9 @@ static int pcf2127_i2c_gather_write(void *context,
+       memcpy(buf + 1, val, val_size);
+       ret = i2c_master_send(client, buf, val_size + 1);
++
++      kfree(buf);
++
+       if (ret != val_size + 1)
+               return ret < 0 ? ret : -EIO;
+-- 
+2.17.1
+
index 8606a1956416d387ae7ff33dbdb21ad34ef8641e..10e3658f72a61d6b9bd28f80d43940c60a9202fd 100644 (file)
@@ -45,3 +45,28 @@ can-raw-check-for-can-fd-capable-netdev-in-raw_sendmsg.patch
 can-hi311x-use-level-triggered-interrupt.patch
 acpica-aml-interpreter-add-region-addresses-in-global-list-during-initialization.patch
 ib-hfi1-eliminate-races-in-the-sdma-send-error-path.patch
+pinctrl-meson-fix-pinconf-bias-disable.patch
+kvm-ppc-move-and-undef-trace_include_path-file.patch
+cpufreq-imx6q-add-return-value-check-for-voltage-sca.patch
+rtc-pcf2127-fix-a-kmemleak-caused-in-pcf2127_i2c_gat.patch
+crypto-simd-correctly-take-reqsize-of-wrapped-skciph.patch
+floppy-fix-race-condition-in-__floppy_read_block_0.patch
+powerpc-io-fix-the-io-workarounds-code-to-work-with-.patch
+perf-x86-intel-uncore-add-more-imc-pci-ids-for-kabyl.patch
+arm-make-lookup_processor_type-non-__init.patch
+arm-clean-up-per-processor-check_bugs-method-call.patch
+arm-add-proc_vtable-and-proc_table-macros.patch
+arm-spectre-v2-per-cpu-vtables-to-work-around-big.li.patch
+sunrpc-fix-a-bogus-get-put-in-generic_key_to_expire.patch
+kdb-use-strscpy-with-destination-buffer-size.patch
+powerpc-numa-suppress-vphn-is-not-supported-messages.patch
+efi-arm-revert-deferred-unmap-of-early-memmap-mappin.patch
+z3fold-fix-possible-reclaim-races.patch
+tmpfs-make-lseek-seek_data-sek_hole-return-enxio-wit.patch
+mm-page_alloc-check-for-max-order-in-hot-path.patch
+of-add-helper-to-lookup-compatible-child-node.patch
+nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch
+net-bcmgenet-fix-of-child-node-lookup.patch
+drm-mediatek-fix-of-sibling-node-lookup.patch
+power-supply-twl4030-charger-fix-of-sibling-node-loo.patch
+arm64-remove-no-op-p-linker-flag.patch
diff --git a/queue-4.14/sunrpc-fix-a-bogus-get-put-in-generic_key_to_expire.patch b/queue-4.14/sunrpc-fix-a-bogus-get-put-in-generic_key_to_expire.patch
new file mode 100644 (file)
index 0000000..dd462ba
--- /dev/null
@@ -0,0 +1,35 @@
+From 05a8b00bcfa2303f4ae8a098ade17dc4a928d662 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Mon, 12 Nov 2018 16:06:51 -0500
+Subject: SUNRPC: Fix a bogus get/put in generic_key_to_expire()
+
+[ Upstream commit e3d5e573a54dabdc0f9f3cb039d799323372b251 ]
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/auth_generic.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/net/sunrpc/auth_generic.c b/net/sunrpc/auth_generic.c
+index f1df9837f1ac..1ac08dcbf85d 100644
+--- a/net/sunrpc/auth_generic.c
++++ b/net/sunrpc/auth_generic.c
+@@ -281,13 +281,7 @@ static bool generic_key_to_expire(struct rpc_cred *cred)
+ {
+       struct auth_cred *acred = &container_of(cred, struct generic_cred,
+                                               gc_base)->acred;
+-      bool ret;
+-
+-      get_rpccred(cred);
+-      ret = test_bit(RPC_CRED_KEY_EXPIRE_SOON, &acred->ac_flags);
+-      put_rpccred(cred);
+-
+-      return ret;
++      return test_bit(RPC_CRED_KEY_EXPIRE_SOON, &acred->ac_flags);
+ }
+ static const struct rpc_credops generic_credops = {
+-- 
+2.17.1
+
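Review bot: With the get/put pair gone, `generic_key_to_expire()` reads `acred->ac_flags` on the assumption that the caller keeps `cred` alive for the duration of the call, and neither the hunk nor the empty changelog states that. A one-line comment above the function, such as `/* Caller must hold a reference to cred. */`, would record the contract. The callers are outside this hunk, so the assumption is inferred and should be confirmed against them.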
diff --git a/queue-4.14/tmpfs-make-lseek-seek_data-sek_hole-return-enxio-wit.patch b/queue-4.14/tmpfs-make-lseek-seek_data-sek_hole-return-enxio-wit.patch
new file mode 100644 (file)
index 0000000..dbdef3c
--- /dev/null
@@ -0,0 +1,54 @@
+From 6078987c5383dfb2d2cccdb9c7d47d250459de2c Mon Sep 17 00:00:00 2001
+From: Yufen Yu <yuyufen@huawei.com>
+Date: Fri, 16 Nov 2018 15:08:39 -0800
+Subject: tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative
+ offset
+
+[ Upstream commit 1a413646931cb14442065cfc17561e50f5b5bb44 ]
+
+Other filesystems such as ext4, f2fs and ubifs all return ENXIO when
+lseek (SEEK_DATA or SEEK_HOLE) requests a negative offset.
+
+man 2 lseek says
+
+:      EINVAL whence  is  not  valid.   Or: the resulting file offset would be
+:             negative, or beyond the end of a seekable device.
+:
+:      ENXIO  whence is SEEK_DATA or SEEK_HOLE, and the file offset is  beyond
+:             the end of the file.
+
+Make tmpfs return ENXIO under these circumstances as well.  After this,
+tmpfs also passes xfstests's generic/448.
+
+[akpm@linux-foundation.org: rewrite changelog]
+Link: http://lkml.kernel.org/r/1540434176-14349-1-git-send-email-yuyufen@huawei.com
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: William Kucharski <william.kucharski@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/shmem.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index ea786a504e1b..fa08f56fd5e5 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2590,9 +2590,7 @@ static loff_t shmem_file_llseek(struct file *file, loff_t offset, int whence)
+       inode_lock(inode);
+       /* We're holding i_mutex so we can access i_size directly */
+-      if (offset < 0)
+-              offset = -EINVAL;
+-      else if (offset >= inode->i_size)
++      if (offset < 0 || offset >= inode->i_size)
+               offset = -ENXIO;
+       else {
+               start = offset >> PAGE_SHIFT;
+-- 
+2.17.1
+
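Review bot: The merged condition `if (offset < 0 || offset >= inode->i_size)` now returns -ENXIO for a negative offset, which differs from the EINVAL wording of the lseek man page quoted in the changelog. The changelog makes clear this is deliberate, but the code carries no hint of it, so a later cleanup could reintroduce the split. A short comment on the condition, e.g. `/* negative offsets get -ENXIO, matching ext4/f2fs/ubifs */`, would keep the intent with the code. The body of shmem_file_llseek starts and ends outside the hunk.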
diff --git a/queue-4.14/z3fold-fix-possible-reclaim-races.patch b/queue-4.14/z3fold-fix-possible-reclaim-races.patch
new file mode 100644 (file)
index 0000000..d5f21e1
--- /dev/null
@@ -0,0 +1,231 @@
+From c89882ad9d3d219d2cb8ffe74be9c23de1353b4e Mon Sep 17 00:00:00 2001
+From: Vitaly Wool <vitalywool@gmail.com>
+Date: Fri, 16 Nov 2018 15:07:56 -0800
+Subject: z3fold: fix possible reclaim races
+
+[ Upstream commit ca0246bb97c23da9d267c2107c07fb77e38205c9 ]
+
+Reclaim and free can race on an object which is basically fine but in
+order for reclaim to be able to map "freed" object we need to encode
+object length in the handle.  handle_to_chunks() is then introduced to
+extract object length from a handle and use it during mapping.
+
+Moreover, to avoid racing on a z3fold "headless" page release, we should
+not try to free that page in z3fold_free() if the reclaim bit is set.
+Also, in the unlikely case of trying to reclaim a page being freed, we
+should not proceed with that page.
+
+While at it, fix the page accounting in reclaim function.
+
+This patch supersedes "[PATCH] z3fold: fix reclaim lock-ups".
+
+Link: http://lkml.kernel.org/r/20181105162225.74e8837d03583a9b707cf559@gmail.com
+Signed-off-by: Vitaly Wool <vitaly.vul@sony.com>
+Signed-off-by: Jongseok Kim <ks77sj@gmail.com>
+Reported-by-by: Jongseok Kim <ks77sj@gmail.com>
+Reviewed-by: Snild Dolkow <snild@sony.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/z3fold.c | 101 ++++++++++++++++++++++++++++++++--------------------
+ 1 file changed, 62 insertions(+), 39 deletions(-)
+
+diff --git a/mm/z3fold.c b/mm/z3fold.c
+index f33403d718ac..2813cdfa46b9 100644
+--- a/mm/z3fold.c
++++ b/mm/z3fold.c
+@@ -99,6 +99,7 @@ struct z3fold_header {
+ #define NCHUNKS               ((PAGE_SIZE - ZHDR_SIZE_ALIGNED) >> CHUNK_SHIFT)
+ #define BUDDY_MASK    (0x3)
++#define BUDDY_SHIFT   2
+ /**
+  * struct z3fold_pool - stores metadata for each z3fold pool
+@@ -145,7 +146,7 @@ enum z3fold_page_flags {
+       MIDDLE_CHUNK_MAPPED,
+       NEEDS_COMPACTING,
+       PAGE_STALE,
+-      UNDER_RECLAIM
++      PAGE_CLAIMED, /* by either reclaim or free */
+ };
+ /*****************
+@@ -174,7 +175,7 @@ static struct z3fold_header *init_z3fold_page(struct page *page,
+       clear_bit(MIDDLE_CHUNK_MAPPED, &page->private);
+       clear_bit(NEEDS_COMPACTING, &page->private);
+       clear_bit(PAGE_STALE, &page->private);
+-      clear_bit(UNDER_RECLAIM, &page->private);
++      clear_bit(PAGE_CLAIMED, &page->private);
+       spin_lock_init(&zhdr->page_lock);
+       kref_init(&zhdr->refcount);
+@@ -223,8 +224,11 @@ static unsigned long encode_handle(struct z3fold_header *zhdr, enum buddy bud)
+       unsigned long handle;
+       handle = (unsigned long)zhdr;
+-      if (bud != HEADLESS)
+-              handle += (bud + zhdr->first_num) & BUDDY_MASK;
++      if (bud != HEADLESS) {
++              handle |= (bud + zhdr->first_num) & BUDDY_MASK;
++              if (bud == LAST)
++                      handle |= (zhdr->last_chunks << BUDDY_SHIFT);
++      }
+       return handle;
+ }
+@@ -234,6 +238,12 @@ static struct z3fold_header *handle_to_z3fold_header(unsigned long handle)
+       return (struct z3fold_header *)(handle & PAGE_MASK);
+ }
++/* only for LAST bud, returns zero otherwise */
++static unsigned short handle_to_chunks(unsigned long handle)
++{
++      return (handle & ~PAGE_MASK) >> BUDDY_SHIFT;
++}
++
+ /*
+  * (handle & BUDDY_MASK) < zhdr->first_num is possible in encode_handle
+  *  but that doesn't matter. because the masking will result in the
+@@ -717,37 +727,39 @@ static void z3fold_free(struct z3fold_pool *pool, unsigned long handle)
+       page = virt_to_page(zhdr);
+       if (test_bit(PAGE_HEADLESS, &page->private)) {
+-              /* HEADLESS page stored */
+-              bud = HEADLESS;
+-      } else {
+-              z3fold_page_lock(zhdr);
+-              bud = handle_to_buddy(handle);
+-
+-              switch (bud) {
+-              case FIRST:
+-                      zhdr->first_chunks = 0;
+-                      break;
+-              case MIDDLE:
+-                      zhdr->middle_chunks = 0;
+-                      zhdr->start_middle = 0;
+-                      break;
+-              case LAST:
+-                      zhdr->last_chunks = 0;
+-                      break;
+-              default:
+-                      pr_err("%s: unknown bud %d\n", __func__, bud);
+-                      WARN_ON(1);
+-                      z3fold_page_unlock(zhdr);
+-                      return;
++              /* if a headless page is under reclaim, just leave.
++               * NB: we use test_and_set_bit for a reason: if the bit
++               * has not been set before, we release this page
++               * immediately so we don't care about its value any more.
++               */
++              if (!test_and_set_bit(PAGE_CLAIMED, &page->private)) {
++                      spin_lock(&pool->lock);
++                      list_del(&page->lru);
++                      spin_unlock(&pool->lock);
++                      free_z3fold_page(page);
++                      atomic64_dec(&pool->pages_nr);
+               }
++              return;
+       }
+-      if (bud == HEADLESS) {
+-              spin_lock(&pool->lock);
+-              list_del(&page->lru);
+-              spin_unlock(&pool->lock);
+-              free_z3fold_page(page);
+-              atomic64_dec(&pool->pages_nr);
++      /* Non-headless case */
++      z3fold_page_lock(zhdr);
++      bud = handle_to_buddy(handle);
++
++      switch (bud) {
++      case FIRST:
++              zhdr->first_chunks = 0;
++              break;
++      case MIDDLE:
++              zhdr->middle_chunks = 0;
++              break;
++      case LAST:
++              zhdr->last_chunks = 0;
++              break;
++      default:
++              pr_err("%s: unknown bud %d\n", __func__, bud);
++              WARN_ON(1);
++              z3fold_page_unlock(zhdr);
+               return;
+       }
+@@ -755,7 +767,7 @@ static void z3fold_free(struct z3fold_pool *pool, unsigned long handle)
+               atomic64_dec(&pool->pages_nr);
+               return;
+       }
+-      if (test_bit(UNDER_RECLAIM, &page->private)) {
++      if (test_bit(PAGE_CLAIMED, &page->private)) {
+               z3fold_page_unlock(zhdr);
+               return;
+       }
+@@ -833,20 +845,30 @@ static int z3fold_reclaim_page(struct z3fold_pool *pool, unsigned int retries)
+               }
+               list_for_each_prev(pos, &pool->lru) {
+                       page = list_entry(pos, struct page, lru);
++
++                      /* this bit could have been set by free, in which case
++                       * we pass over to the next page in the pool.
++                       */
++                      if (test_and_set_bit(PAGE_CLAIMED, &page->private))
++                              continue;
++
++                      zhdr = page_address(page);
+                       if (test_bit(PAGE_HEADLESS, &page->private))
+-                              /* candidate found */
+                               break;
+-                      zhdr = page_address(page);
+-                      if (!z3fold_page_trylock(zhdr))
++                      if (!z3fold_page_trylock(zhdr)) {
++                              zhdr = NULL;
+                               continue; /* can't evict at this point */
++                      }
+                       kref_get(&zhdr->refcount);
+                       list_del_init(&zhdr->buddy);
+                       zhdr->cpu = -1;
+-                      set_bit(UNDER_RECLAIM, &page->private);
+                       break;
+               }
++              if (!zhdr)
++                      break;
++
+               list_del_init(&page->lru);
+               spin_unlock(&pool->lock);
+@@ -895,6 +917,7 @@ next:
+               if (test_bit(PAGE_HEADLESS, &page->private)) {
+                       if (ret == 0) {
+                               free_z3fold_page(page);
++                              atomic64_dec(&pool->pages_nr);
+                               return 0;
+                       }
+                       spin_lock(&pool->lock);
+@@ -902,7 +925,7 @@ next:
+                       spin_unlock(&pool->lock);
+               } else {
+                       z3fold_page_lock(zhdr);
+-                      clear_bit(UNDER_RECLAIM, &page->private);
++                      clear_bit(PAGE_CLAIMED, &page->private);
+                       if (kref_put(&zhdr->refcount,
+                                       release_z3fold_page_locked)) {
+                               atomic64_dec(&pool->pages_nr);
+@@ -961,7 +984,7 @@ static void *z3fold_map(struct z3fold_pool *pool, unsigned long handle)
+               set_bit(MIDDLE_CHUNK_MAPPED, &page->private);
+               break;
+       case LAST:
+-              addr += PAGE_SIZE - (zhdr->last_chunks << CHUNK_SHIFT);
++              addr += PAGE_SIZE - (handle_to_chunks(handle) << CHUNK_SHIFT);
+               break;
+       default:
+               pr_err("unknown buddy id %d\n", buddy);
+-- 
+2.17.1
+
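Review bot: In the z3fold_reclaim_page() loop, a page whose `z3fold_page_trylock(zhdr)` fails is skipped with PAGE_CLAIMED still set by the `test_and_set_bit()` a few lines earlier. z3fold_free() in this same patch returns early for a non-headless page with that bit set, and later reclaim passes skip it as well, so such a page looks as if it could stay claimed indefinitely. Clearing the bit on that path, with `clear_bit(PAGE_CLAIMED, &page->private);` before `zhdr = NULL;`, would avoid that. The headless branch after `next:` likewise shows no clear of the bit when the page is put back on the LRU, though part of that code lies outside the hunks.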