--- /dev/null
+From bfc913682464f45bc4d6044084e370f9048de9d5 Mon Sep 17 00:00:00 2001
+From: Meelis Roos <mroos@linux.ee>
+Date: Fri, 12 Oct 2018 12:27:51 +0300
+Subject: alpha: Fix Eiger NR_IRQS to 128
+
+From: Meelis Roos <mroos@linux.ee>
+
+commit bfc913682464f45bc4d6044084e370f9048de9d5 upstream.
+
+Eiger machine vector definition has nr_irqs 128, and working 2.6.26
+boot shows SCSI getting IRQ-s 64 and 65. Current kernel boot fails
+because Symbios SCSI fails to request IRQ-s and does not find the disks.
+It has been broken at least since 3.18 - the earliest I could test with
+my gcc-5.
+
+The headers have moved around and possibly another order of defines has
+worked in the past - but since 128 seems to be correct and used, fix
+arch/alpha/include/asm/irq.h to have NR_IRQS=128 for Eiger.
+
+This fixes 4.19-rc7 boot on my Force Flexor A264 (Eiger subarch).
+
+Cc: stable@vger.kernel.org # v3.18+
+Signed-off-by: Meelis Roos <mroos@linux.ee>
+Signed-off-by: Matt Turner <mattst88@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/alpha/include/asm/irq.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/alpha/include/asm/irq.h
++++ b/arch/alpha/include/asm/irq.h
+@@ -56,15 +56,15 @@
+
+ #elif defined(CONFIG_ALPHA_DP264) || \
+ defined(CONFIG_ALPHA_LYNX) || \
+- defined(CONFIG_ALPHA_SHARK) || \
+- defined(CONFIG_ALPHA_EIGER)
++ defined(CONFIG_ALPHA_SHARK)
+ # define NR_IRQS 64
+
+ #elif defined(CONFIG_ALPHA_TITAN)
+ #define NR_IRQS 80
+
+ #elif defined(CONFIG_ALPHA_RAWHIDE) || \
+- defined(CONFIG_ALPHA_TAKARA)
++ defined(CONFIG_ALPHA_TAKARA) || \
++ defined(CONFIG_ALPHA_EIGER)
+ # define NR_IRQS 128
+
+ #elif defined(CONFIG_ALPHA_WILDFIRE)
--- /dev/null
+From 491af60ffb848b59e82f7c9145833222e0bf27a5 Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <slyfox@gentoo.org>
+Date: Mon, 31 Dec 2018 11:53:55 +0000
+Subject: alpha: fix page fault handling for r16-r18 targets
+
+From: Sergei Trofimovich <slyfox@gentoo.org>
+
+commit 491af60ffb848b59e82f7c9145833222e0bf27a5 upstream.
+
+Fix page fault handling code to fixup r16-r18 registers.
+Before the patch code had off-by-two registers bug.
+This bug caused overwriting of ps,pc,gp registers instead
+of fixing intended r16,r17,r18 (see `struct pt_regs`).
+
+More details:
+
+Initially Dmitry noticed a kernel bug as a failure
+on strace test suite. Test passes unmapped userspace
+pointer to io_submit:
+
+```c
+ #include <err.h>
+ #include <unistd.h>
+ #include <sys/mman.h>
+ #include <asm/unistd.h>
+ int main(void)
+ {
+ unsigned long ctx = 0;
+ if (syscall(__NR_io_setup, 1, &ctx))
+ err(1, "io_setup");
+ const size_t page_size = sysconf(_SC_PAGESIZE);
+ const size_t size = page_size * 2;
+ void *ptr = mmap(NULL, size, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+ if (MAP_FAILED == ptr)
+ err(1, "mmap(%zu)", size);
+ if (munmap(ptr, size))
+ err(1, "munmap");
+ syscall(__NR_io_submit, ctx, 1, ptr + page_size);
+ syscall(__NR_io_destroy, ctx);
+ return 0;
+ }
+```
+
+Running this test causes kernel to crash when handling page fault:
+
+```
+ Unable to handle kernel paging request at virtual address ffffffffffff9468
+ CPU 3
+ aio(26027): Oops 0
+ pc = [<fffffc00004eddf8>] ra = [<fffffc00004edd5c>] ps = 0000 Not tainted
+ pc is at sys_io_submit+0x108/0x200
+ ra is at sys_io_submit+0x6c/0x200
+ v0 = fffffc00c58e6300 t0 = fffffffffffffff2 t1 = 000002000025e000
+ t2 = fffffc01f159fef8 t3 = fffffc0001009640 t4 = fffffc0000e0f6e0
+ t5 = 0000020001002e9e t6 = 4c41564e49452031 t7 = fffffc01f159c000
+ s0 = 0000000000000002 s1 = 000002000025e000 s2 = 0000000000000000
+ s3 = 0000000000000000 s4 = 0000000000000000 s5 = fffffffffffffff2
+ s6 = fffffc00c58e6300
+ a0 = fffffc00c58e6300 a1 = 0000000000000000 a2 = 000002000025e000
+ a3 = 00000200001ac260 a4 = 00000200001ac1e8 a5 = 0000000000000001
+ t8 = 0000000000000008 t9 = 000000011f8bce30 t10= 00000200001ac440
+ t11= 0000000000000000 pv = fffffc00006fd320 at = 0000000000000000
+ gp = 0000000000000000 sp = 00000000265fd174
+ Disabling lock debugging due to kernel taint
+ Trace:
+ [<fffffc0000311404>] entSys+0xa4/0xc0
+```
+
+Here `gp` has invalid value. `gp is s overwritten by a fixup for the
+following page fault handler in `io_submit` syscall handler:
+
+```
+ __se_sys_io_submit
+ ...
+ ldq a1,0(t1)
+ bne t0,4280 <__se_sys_io_submit+0x180>
+```
+
+After a page fault `t0` should contain -EFALUT and `a1` is 0.
+Instead `gp` was overwritten in place of `a1`.
+
+This happens due to a off-by-two bug in `dpf_reg()` for `r16-r18`
+(aka `a0-a2`).
+
+I think the bug went unnoticed for a long time as `gp` is one
+of scratch registers. Any kernel function call would re-calculate `gp`.
+
+Dmitry tracked down the bug origin back to 2.1.32 kernel version
+where trap_a{0,1,2} fields were inserted into struct pt_regs.
+And even before that `dpf_reg()` contained off-by-one error.
+
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Cc: linux-alpha@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Reported-and-reviewed-by: "Dmitry V. Levin" <ldv@altlinux.org>
+Cc: stable@vger.kernel.org # v2.1.32+
+Bug: https://bugs.gentoo.org/672040
+Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
+Signed-off-by: Matt Turner <mattst88@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/alpha/mm/fault.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/alpha/mm/fault.c
++++ b/arch/alpha/mm/fault.c
+@@ -78,7 +78,7 @@ __load_new_mm_context(struct mm_struct *
+ /* Macro for exception fixup code to access integer registers. */
+ #define dpf_reg(r) \
+ (((unsigned long *)regs)[(r) <= 8 ? (r) : (r) <= 15 ? (r)-16 : \
+- (r) <= 18 ? (r)+8 : (r)-10])
++ (r) <= 18 ? (r)+10 : (r)-10])
+
+ asmlinkage void
+ do_page_fault(unsigned long address, unsigned long mmcsr,
--- /dev/null
+From 4cd3016ce996494f78fdfd87ea35c8ca5d0b413e Mon Sep 17 00:00:00 2001
+From: Jurica Vukadin <jurica.vukadin@rt-rk.com>
+Date: Thu, 7 Feb 2019 16:29:37 +0100
+Subject: ALSA: hda - Add quirk for HP EliteBook 840 G5
+
+From: Jurica Vukadin <jurica.vukadin@rt-rk.com>
+
+commit 4cd3016ce996494f78fdfd87ea35c8ca5d0b413e upstream.
+
+This enables mute LED support and fixes switching jacks when the laptop
+is docked.
+
+Signed-off-by: Jurica Vukadin <jurica.vukadin@rt-rk.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -924,6 +924,7 @@ static const struct snd_pci_quirk cxt506
+ SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
++ SND_PCI_QUIRK(0x103c, 0x83b2, "HP EliteBook 840 G5", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
--- /dev/null
+From 2bc16b9f3223d049b57202ee702fcb5b9b507019 Mon Sep 17 00:00:00 2001
+From: Manuel Reinhardt <manuel.rhdt@gmail.com>
+Date: Thu, 31 Jan 2019 15:32:35 +0100
+Subject: ALSA: usb-audio: Fix implicit fb endpoint setup by quirk
+
+From: Manuel Reinhardt <manuel.rhdt@gmail.com>
+
+commit 2bc16b9f3223d049b57202ee702fcb5b9b507019 upstream.
+
+The commit a60945fd08e4 ("ALSA: usb-audio: move implicit fb quirks to
+separate function") introduced an error in the handling of quirks for
+implicit feedback endpoints. This commit fixes this.
+
+If a quirk successfully sets up an implicit feedback endpoint, usb-audio
+no longer tries to find the implicit fb endpoint itself.
+
+Fixes: a60945fd08e4 ("ALSA: usb-audio: move implicit fb quirks to separate function")
+Signed-off-by: Manuel Reinhardt <manuel.rhdt@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/pcm.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -314,6 +314,9 @@ static int search_roland_implicit_fb(str
+ return 0;
+ }
+
++/* Setup an implicit feedback endpoint from a quirk. Returns 0 if no quirk
++ * applies. Returns 1 if a quirk was found.
++ */
+ static int set_sync_ep_implicit_fb_quirk(struct snd_usb_substream *subs,
+ struct usb_device *dev,
+ struct usb_interface_descriptor *altsd,
+@@ -384,7 +387,7 @@ add_sync_ep:
+
+ subs->data_endpoint->sync_master = subs->sync_endpoint;
+
+- return 0;
++ return 1;
+ }
+
+ static int set_sync_endpoint(struct snd_usb_substream *subs,
+@@ -423,6 +426,10 @@ static int set_sync_endpoint(struct snd_
+ if (err < 0)
+ return err;
+
++ /* endpoint set by quirk */
++ if (err > 0)
++ return 0;
++
+ if (altsd->bNumEndpoints < 2)
+ return 0;
+
--- /dev/null
+From d0243693fbf6fbd48b4efb2ba7210765983b03e3 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Tue, 15 Jan 2019 10:09:38 -0800
+Subject: ARM: OMAP5+: Fix inverted nirq pin interrupts with irq_set_type
+
+From: Tony Lindgren <tony@atomide.com>
+
+commit d0243693fbf6fbd48b4efb2ba7210765983b03e3 upstream.
+
+Commit 83a86fbb5b56 ("irqchip/gic: Loudly complain about the use of
+IRQ_TYPE_NONE") started warning about incorrect dts usage for irqs.
+ARM GIC only supports active-high interrupts for SPI (Shared Peripheral
+Interrupts), and the Palmas PMIC by default is active-low.
+
+Palmas PMIC allows changing the interrupt polarity using register
+PALMAS_POLARITY_CTRL_INT_POLARITY, but configuring sys_nirq1 with
+a pull-down and setting PALMAS_POLARITY_CTRL_INT_POLARITY made the
+Palmas RTC interrupts stop working. This can be easily tested with
+kernel tools rtctest.c.
+
+Turns out the SoC inverts the sys_nirq pins for GIC as they do not go
+through a peripheral device but go directly to the MPUSS wakeupgen.
+I've verified this by muxing the interrupt line temporarily to gpio_wk16
+instead of sys_nirq1. with a gpio, the interrupt works fine both
+active-low and active-high with the SoC internal pull configured and
+palmas polarity configured. But as sys_nirq1, the interrupt only works
+when configured ACTIVE_LOW for palmas, and ACTIVE_HIGH for GIC.
+
+Note that there was a similar issue earlier with tegra114 and palmas
+interrupt polarity that got fixed by commit df545d1cd01a ("mfd: palmas:
+Provide irq flags through DT/platform data"). However, the difference
+between omap5 and tegra114 is that tegra inverts the palmas interrupt
+twice, once when entering tegra PMC, and again when exiting tegra PMC
+to GIC.
+
+Let's fix the issue by adding a custom wakeupgen_irq_set_type() for
+wakeupgen and invert any interrupts with wrong polarity. Let's also
+warn about any non-sysnirq pins using wrong polarity. Note that we
+also need to update the dts for the level as IRQ_TYPE_NONE never
+has irq_set_type() called, and let's add some comments and use proper
+pin nameing to avoid more confusion later on.
+
+Cc: Belisko Marek <marek.belisko@gmail.com>
+Cc: Dmitry Lifshitz <lifshitz@compulab.co.il>
+Cc: "Dr. H. Nikolaus Schaller" <hns@goldelico.com>
+Cc: Jon Hunter <jonathanh@nvidia.com>
+Cc: Keerthy <j-keerthy@ti.com>
+Cc: Laxman Dewangan <ldewangan@nvidia.com>
+Cc: Nishanth Menon <nm@ti.com>
+Cc: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Cc: Richard Woodruff <r-woodruff2@ti.com>
+Cc: Santosh Shilimkar <ssantosh@kernel.org>
+Cc: Tero Kristo <t-kristo@ti.com>
+Cc: Thierry Reding <treding@nvidia.com>
+Cc: stable@vger.kernel.org # v4.17+
+Reported-by: Belisko Marek <marek.belisko@gmail.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/omap5-board-common.dtsi | 9 +++++--
+ arch/arm/boot/dts/omap5-cm-t54.dts | 12 +++++++++-
+ arch/arm/mach-omap2/omap-wakeupgen.c | 36 +++++++++++++++++++++++++++++-
+ 3 files changed, 52 insertions(+), 5 deletions(-)
+
+--- a/arch/arm/boot/dts/omap5-board-common.dtsi
++++ b/arch/arm/boot/dts/omap5-board-common.dtsi
+@@ -317,7 +317,8 @@
+
+ palmas_sys_nirq_pins: pinmux_palmas_sys_nirq_pins {
+ pinctrl-single,pins = <
+- OMAP5_IOPAD(0x068, PIN_INPUT_PULLUP | MUX_MODE0) /* sys_nirq1 */
++ /* sys_nirq1 is pulled down as the SoC is inverting it for GIC */
++ OMAP5_IOPAD(0x068, PIN_INPUT_PULLUP | MUX_MODE0)
+ >;
+ };
+
+@@ -385,7 +386,8 @@
+
+ palmas: palmas@48 {
+ compatible = "ti,palmas";
+- interrupts = <GIC_SPI 7 IRQ_TYPE_NONE>; /* IRQ_SYS_1N */
++ /* sys_nirq/ext_sys_irq pins get inverted at mpuss wakeupgen */
++ interrupts = <GIC_SPI 7 IRQ_TYPE_LEVEL_LOW>;
+ reg = <0x48>;
+ interrupt-controller;
+ #interrupt-cells = <2>;
+@@ -651,7 +653,8 @@
+ pinctrl-names = "default";
+ pinctrl-0 = <&twl6040_pins>;
+
+- interrupts = <GIC_SPI 119 IRQ_TYPE_NONE>; /* IRQ_SYS_2N cascaded to gic */
++ /* sys_nirq/ext_sys_irq pins get inverted at mpuss wakeupgen */
++ interrupts = <GIC_SPI 119 IRQ_TYPE_LEVEL_LOW>;
+
+ /* audpwron gpio defined in the board specific dts */
+
+--- a/arch/arm/boot/dts/omap5-cm-t54.dts
++++ b/arch/arm/boot/dts/omap5-cm-t54.dts
+@@ -181,6 +181,13 @@
+ OMAP5_IOPAD(0x0042, PIN_INPUT_PULLDOWN | MUX_MODE6) /* llib_wakereqin.gpio1_wk15 */
+ >;
+ };
++
++ palmas_sys_nirq_pins: pinmux_palmas_sys_nirq_pins {
++ pinctrl-single,pins = <
++ /* sys_nirq1 is pulled down as the SoC is inverting it for GIC */
++ OMAP5_IOPAD(0x068, PIN_INPUT_PULLUP | MUX_MODE0)
++ >;
++ };
+ };
+
+ &omap5_pmx_core {
+@@ -414,8 +421,11 @@
+
+ palmas: palmas@48 {
+ compatible = "ti,palmas";
+- interrupts = <GIC_SPI 7 IRQ_TYPE_NONE>; /* IRQ_SYS_1N */
+ reg = <0x48>;
++ pinctrl-0 = <&palmas_sys_nirq_pins>;
++ pinctrl-names = "default";
++ /* sys_nirq/ext_sys_irq pins get inverted at mpuss wakeupgen */
++ interrupts = <GIC_SPI 7 IRQ_TYPE_LEVEL_LOW>;
+ interrupt-controller;
+ #interrupt-cells = <2>;
+ ti,system-power-controller;
+--- a/arch/arm/mach-omap2/omap-wakeupgen.c
++++ b/arch/arm/mach-omap2/omap-wakeupgen.c
+@@ -50,6 +50,9 @@
+ #define OMAP4_NR_BANKS 4
+ #define OMAP4_NR_IRQS 128
+
++#define SYS_NIRQ1_EXT_SYS_IRQ_1 7
++#define SYS_NIRQ2_EXT_SYS_IRQ_2 119
++
+ static void __iomem *wakeupgen_base;
+ static void __iomem *sar_base;
+ static DEFINE_RAW_SPINLOCK(wakeupgen_lock);
+@@ -153,6 +156,37 @@ static void wakeupgen_unmask(struct irq_
+ irq_chip_unmask_parent(d);
+ }
+
++/*
++ * The sys_nirq pins bypass peripheral modules and are wired directly
++ * to MPUSS wakeupgen. They get automatically inverted for GIC.
++ */
++static int wakeupgen_irq_set_type(struct irq_data *d, unsigned int type)
++{
++ bool inverted = false;
++
++ switch (type) {
++ case IRQ_TYPE_LEVEL_LOW:
++ type &= ~IRQ_TYPE_LEVEL_MASK;
++ type |= IRQ_TYPE_LEVEL_HIGH;
++ inverted = true;
++ break;
++ case IRQ_TYPE_EDGE_FALLING:
++ type &= ~IRQ_TYPE_EDGE_BOTH;
++ type |= IRQ_TYPE_EDGE_RISING;
++ inverted = true;
++ break;
++ default:
++ break;
++ }
++
++ if (inverted && d->hwirq != SYS_NIRQ1_EXT_SYS_IRQ_1 &&
++ d->hwirq != SYS_NIRQ2_EXT_SYS_IRQ_2)
++ pr_warn("wakeupgen: irq%li polarity inverted in dts\n",
++ d->hwirq);
++
++ return irq_chip_set_type_parent(d, type);
++}
++
+ #ifdef CONFIG_HOTPLUG_CPU
+ static DEFINE_PER_CPU(u32 [MAX_NR_REG_BANKS], irqmasks);
+
+@@ -446,7 +480,7 @@ static struct irq_chip wakeupgen_chip =
+ .irq_mask = wakeupgen_mask,
+ .irq_unmask = wakeupgen_unmask,
+ .irq_retrigger = irq_chip_retrigger_hierarchy,
+- .irq_set_type = irq_chip_set_type_parent,
++ .irq_set_type = wakeupgen_irq_set_type,
+ .flags = IRQCHIP_SKIP_SET_WAKE | IRQCHIP_MASK_ON_SUSPEND,
+ #ifdef CONFIG_SMP
+ .irq_set_affinity = irq_chip_set_affinity_parent,
--- /dev/null
+From 0ce23d6d42147a692768e6baaaa3db75c44f4235 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Thu, 17 Jan 2019 17:32:05 +0000
+Subject: ASoC: hdmi-codec: fix oops on re-probe
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+commit 0ce23d6d42147a692768e6baaaa3db75c44f4235 upstream.
+
+hdmi-codec oopses the kernel when it is unbound from a successfully
+bound audio subsystem, and is then rebound:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000001c
+pgd = ee3f0000
+[0000001c] *pgd=3cc59831
+Internal error: Oops: 817 [#1] PREEMPT ARM
+Modules linked in: ext2 snd_soc_spdif_tx vmeta dove_thermal snd_soc_kirkwood ofpart marvell_cesa m25p80 orion_wdt mtd spi_nor des_generic gpio_ir_recv snd_soc_kirkwood_spdif bmm_dmabuf auth_rpcgss nfsd autofs4 etnaviv thermal_sys hwmon gpu_sched tda9950
+CPU: 0 PID: 1005 Comm: bash Not tainted 4.20.0+ #1762
+Hardware name: Marvell Dove (Cubox)
+PC is at hdmi_dai_probe+0x68/0x80
+LR is at find_held_lock+0x20/0x94
+pc : [<c04c7de0>] lr : [<c0063bf4>] psr: 600f0013
+sp : ee15bd28 ip : eebd8b1c fp : c093b488
+r10: ee048000 r9 : eebdab18 r8 : ee048600
+r7 : 00000001 r6 : 00000000 r5 : 00000000 r4 : ee82c100
+r3 : 00000006 r2 : 00000001 r1 : c067e38c r0 : ee82c100
+Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none[ 297.318599] Control: 10c5387d Table: 2e3f0019 DAC: 00000051
+Process bash (pid: 1005, stack limit = 0xee15a248)
+...
+[<c04c7de0>] (hdmi_dai_probe) from [<c04b7060>] (soc_probe_dai.part.9+0x34/0x70)
+[<c04b7060>] (soc_probe_dai.part.9) from [<c04b81a8>] (snd_soc_instantiate_card+0x734/0xc9c)
+[<c04b81a8>] (snd_soc_instantiate_card) from [<c04b8b6c>] (snd_soc_add_component+0x29c/0x378)
+[<c04b8b6c>] (snd_soc_add_component) from [<c04b8c8c>] (snd_soc_register_component+0x44/0x54)
+[<c04b8c8c>] (snd_soc_register_component) from [<c04c64b4>] (devm_snd_soc_register_component+0x48/0x84)
+[<c04c64b4>] (devm_snd_soc_register_component) from [<c04c7be8>] (hdmi_codec_probe+0x150/0x260)
+[<c04c7be8>] (hdmi_codec_probe) from [<c0373124>] (platform_drv_probe+0x48/0x98)
+
+This happens because hdmi_dai_probe() attempts to access the HDMI
+codec private data, but this has not been assigned by hdmi_dai_probe()
+before it calls devm_snd_soc_register_component(). Move the call to
+dev_set_drvdata() before devm_snd_soc_register_component() to avoid
+this oops.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/hdmi-codec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/codecs/hdmi-codec.c
++++ b/sound/soc/codecs/hdmi-codec.c
+@@ -795,6 +795,8 @@ static int hdmi_codec_probe(struct platf
+ if (hcd->spdif)
+ hcp->daidrv[i] = hdmi_spdif_dai;
+
++ dev_set_drvdata(dev, hcp);
++
+ ret = devm_snd_soc_register_component(dev, &hdmi_driver, hcp->daidrv,
+ dai_count);
+ if (ret) {
+@@ -802,8 +804,6 @@ static int hdmi_codec_probe(struct platf
+ __func__, ret);
+ return ret;
+ }
+-
+- dev_set_drvdata(dev, hcp);
+ return 0;
+ }
+
--- /dev/null
+From ff0c129d3b5ecb3df7c8f5e2236582bf745b6c5f Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Fri, 8 Feb 2019 10:52:07 -0500
+Subject: dm crypt: don't overallocate the integrity tag space
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit ff0c129d3b5ecb3df7c8f5e2236582bf745b6c5f upstream.
+
+bio_sectors() returns the value in the units of 512-byte sectors (no
+matter what the real sector size of the device). dm-crypt multiplies
+bio_sectors() by on_disk_tag_size to calculate the space allocated for
+integrity tags. If dm-crypt is running with sector size larger than
+512b, it allocates more data than is needed.
+
+Device Mapper trims the extra space when passing the bio to
+dm-integrity, so this bug didn't result in any visible misbehavior.
+But it must be fixed to avoid wasteful memory allocation for the block
+integrity payload.
+
+Fixes: ef43aa38063a6 ("dm crypt: add cryptographic data integrity protection (authenticated encryption)")
+Cc: stable@vger.kernel.org # 4.12+
+Reported-by: Milan Broz <mbroz@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-crypt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -932,7 +932,7 @@ static int dm_crypt_integrity_io_alloc(s
+ if (IS_ERR(bip))
+ return PTR_ERR(bip);
+
+- tag_len = io->cc->on_disk_tag_size * bio_sectors(bio);
++ tag_len = io->cc->on_disk_tag_size * (bio_sectors(bio) >> io->cc->sector_shift);
+
+ bip->bip_iter.bi_size = tag_len;
+ bip->bip_iter.bi_sector = io->cc->start + io->sector;
--- /dev/null
+From 4ae280b4ee3463fa57bbe6eede26b97daff8a0f1 Mon Sep 17 00:00:00 2001
+From: Nikos Tsironis <ntsironis@arrikto.com>
+Date: Thu, 14 Feb 2019 20:38:47 +0200
+Subject: dm thin: fix bug where bio that overwrites thin block ignores FUA
+
+From: Nikos Tsironis <ntsironis@arrikto.com>
+
+commit 4ae280b4ee3463fa57bbe6eede26b97daff8a0f1 upstream.
+
+When provisioning a new data block for a virtual block, either because
+the block was previously unallocated or because we are breaking sharing,
+if the whole block of data is being overwritten the bio that triggered
+the provisioning is issued immediately, skipping copying or zeroing of
+the data block.
+
+When this bio completes the new mapping is inserted in to the pool's
+metadata by process_prepared_mapping(), where the bio completion is
+signaled to the upper layers.
+
+This completion is signaled without first committing the metadata. If
+the bio in question has the REQ_FUA flag set and the system crashes
+right after its completion and before the next metadata commit, then the
+write is lost despite the REQ_FUA flag requiring that I/O completion for
+this request must only be signaled after the data has been committed to
+non-volatile storage.
+
+Fix this by deferring the completion of overwrite bios, with the REQ_FUA
+flag set, until after the metadata has been committed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nikos Tsironis <ntsironis@arrikto.com>
+Acked-by: Joe Thornber <ejt@redhat.com>
+Acked-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-thin.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 50 insertions(+), 5 deletions(-)
+
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -257,6 +257,7 @@ struct pool {
+
+ spinlock_t lock;
+ struct bio_list deferred_flush_bios;
++ struct bio_list deferred_flush_completions;
+ struct list_head prepared_mappings;
+ struct list_head prepared_discards;
+ struct list_head prepared_discards_pt2;
+@@ -956,6 +957,39 @@ static void process_prepared_mapping_fai
+ mempool_free(m, &m->tc->pool->mapping_pool);
+ }
+
++static void complete_overwrite_bio(struct thin_c *tc, struct bio *bio)
++{
++ struct pool *pool = tc->pool;
++ unsigned long flags;
++
++ /*
++ * If the bio has the REQ_FUA flag set we must commit the metadata
++ * before signaling its completion.
++ */
++ if (!bio_triggers_commit(tc, bio)) {
++ bio_endio(bio);
++ return;
++ }
++
++ /*
++ * Complete bio with an error if earlier I/O caused changes to the
++ * metadata that can't be committed, e.g, due to I/O errors on the
++ * metadata device.
++ */
++ if (dm_thin_aborted_changes(tc->td)) {
++ bio_io_error(bio);
++ return;
++ }
++
++ /*
++ * Batch together any bios that trigger commits and then issue a
++ * single commit for them in process_deferred_bios().
++ */
++ spin_lock_irqsave(&pool->lock, flags);
++ bio_list_add(&pool->deferred_flush_completions, bio);
++ spin_unlock_irqrestore(&pool->lock, flags);
++}
++
+ static void process_prepared_mapping(struct dm_thin_new_mapping *m)
+ {
+ struct thin_c *tc = m->tc;
+@@ -988,7 +1022,7 @@ static void process_prepared_mapping(str
+ */
+ if (bio) {
+ inc_remap_and_issue_cell(tc, m->cell, m->data_block);
+- bio_endio(bio);
++ complete_overwrite_bio(tc, bio);
+ } else {
+ inc_all_io_entry(tc->pool, m->cell->holder);
+ remap_and_issue(tc, m->cell->holder, m->data_block);
+@@ -2317,7 +2351,7 @@ static void process_deferred_bios(struct
+ {
+ unsigned long flags;
+ struct bio *bio;
+- struct bio_list bios;
++ struct bio_list bios, bio_completions;
+ struct thin_c *tc;
+
+ tc = get_first_thin(pool);
+@@ -2328,26 +2362,36 @@ static void process_deferred_bios(struct
+ }
+
+ /*
+- * If there are any deferred flush bios, we must commit
+- * the metadata before issuing them.
++ * If there are any deferred flush bios, we must commit the metadata
++ * before issuing them or signaling their completion.
+ */
+ bio_list_init(&bios);
++ bio_list_init(&bio_completions);
++
+ spin_lock_irqsave(&pool->lock, flags);
+ bio_list_merge(&bios, &pool->deferred_flush_bios);
+ bio_list_init(&pool->deferred_flush_bios);
++
++ bio_list_merge(&bio_completions, &pool->deferred_flush_completions);
++ bio_list_init(&pool->deferred_flush_completions);
+ spin_unlock_irqrestore(&pool->lock, flags);
+
+- if (bio_list_empty(&bios) &&
++ if (bio_list_empty(&bios) && bio_list_empty(&bio_completions) &&
+ !(dm_pool_changed_this_transaction(pool->pmd) && need_commit_due_to_time(pool)))
+ return;
+
+ if (commit(pool)) {
++ bio_list_merge(&bios, &bio_completions);
++
+ while ((bio = bio_list_pop(&bios)))
+ bio_io_error(bio);
+ return;
+ }
+ pool->last_commit_jiffies = jiffies;
+
++ while ((bio = bio_list_pop(&bio_completions)))
++ bio_endio(bio);
++
+ while ((bio = bio_list_pop(&bios)))
+ generic_make_request(bio);
+ }
+@@ -2954,6 +2998,7 @@ static struct pool *pool_create(struct m
+ INIT_DELAYED_WORK(&pool->no_space_timeout, do_no_space_timeout);
+ spin_lock_init(&pool->lock);
+ bio_list_init(&pool->deferred_flush_bios);
++ bio_list_init(&pool->deferred_flush_completions);
+ INIT_LIST_HEAD(&pool->prepared_mappings);
+ INIT_LIST_HEAD(&pool->prepared_discards);
+ INIT_LIST_HEAD(&pool->prepared_discards_pt2);
--- /dev/null
+From e8a8fedd57fdcebf0e4f24ef0fc7e29323df8e66 Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Tue, 29 Jan 2019 14:09:59 -0500
+Subject: drm/i915: Block fbdev HPD processing during suspend
+
+From: Lyude Paul <lyude@redhat.com>
+
+commit e8a8fedd57fdcebf0e4f24ef0fc7e29323df8e66 upstream.
+
+When resuming, we check whether or not any previously connected
+MST topologies are still present and if so, attempt to resume them. If
+this fails, we disable said MST topologies and fire off a hotplug event
+so that userspace knows to reprobe.
+
+However, sending a hotplug event involves calling
+drm_fb_helper_hotplug_event(), which in turn results in fbcon doing a
+connector reprobe in the caller's thread - something we can't do at the
+point in which i915 calls drm_dp_mst_topology_mgr_resume() since
+hotplugging hasn't been fully initialized yet.
+
+This currently causes some rather subtle but fatal issues. For example,
+on my T480s the laptop dock connected to it usually disappears during a
+suspend cycle, and comes back up a short while after the system has been
+resumed. This guarantees pretty much every suspend and resume cycle,
+drm_dp_mst_topology_mgr_set_mst(mgr, false); will be caused and in turn,
+a connector hotplug will occur. Now it's Rute Goldberg time: when the
+connector hotplug occurs, i915 reprobes /all/ of the connectors,
+including eDP. However, eDP probing requires that we power on the panel
+VDD which in turn, grabs a wakeref to the appropriate power domain on
+the GPU (on my T480s, this is the PORT_DDI_A_IO domain). This is where
+things start breaking, since this all happens before
+intel_power_domains_enable() is called we end up leaking the wakeref
+that was acquired and never releasing it later. Come next suspend/resume
+cycle, this causes us to fail to shut down the GPU properly, which
+causes it not to resume properly and die a horrible complicated death.
+
+(as a note: this only happens when there's both an eDP panel and MST
+topology connected which is removed mid-suspend. One or the other seems
+to always be OK).
+
+We could try to fix the VDD wakeref leak, but this doesn't seem like
+it's worth it at all since we aren't able to handle hotplug detection
+while resuming anyway. So, let's go with a more robust solution inspired
+by nouveau: block fbdev from handling hotplug events until we resume
+fbdev. This allows us to still send sysfs hotplug events to be handled
+later by user space while we're resuming, while also preventing us from
+actually processing any hotplug events we receive until it's safe.
+
+This fixes the wakeref leak observed on the T480s and as such, also
+fixes suspend/resume with MST topologies connected on this machine.
+
+Changes since v2:
+* Don't call drm_fb_helper_hotplug_event() under lock, do it after lock
+ (Chris Wilson)
+* Don't call drm_fb_helper_hotplug_event() in
+ intel_fbdev_output_poll_changed() under lock (Chris Wilson)
+* Always set ifbdev->hpd_waiting (Chris Wilson)
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Fixes: 0e32b39ceed6 ("drm/i915: add DP 1.2 MST support (v0.7)")
+Cc: Todd Previte <tprevite@gmail.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Cc: Imre Deak <imre.deak@intel.com>
+Cc: intel-gfx@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v3.17+
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190129191001.442-2-lyude@redhat.com
+(cherry picked from commit fe5ec65668cdaa4348631d8ce1766eed43b33c10)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_drv.h | 10 ++++++++++
+ drivers/gpu/drm/i915/intel_fbdev.c | 33 ++++++++++++++++++++++++++++++++-
+ 2 files changed, 42 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_drv.h
++++ b/drivers/gpu/drm/i915/intel_drv.h
+@@ -209,6 +209,16 @@ struct intel_fbdev {
+ unsigned long vma_flags;
+ async_cookie_t cookie;
+ int preferred_bpp;
++
++ /* Whether or not fbdev hpd processing is temporarily suspended */
++ bool hpd_suspended : 1;
++ /* Set when a hotplug was received while HPD processing was
++ * suspended
++ */
++ bool hpd_waiting : 1;
++
++ /* Protects hpd_suspended */
++ struct mutex hpd_lock;
+ };
+
+ struct intel_encoder {
+--- a/drivers/gpu/drm/i915/intel_fbdev.c
++++ b/drivers/gpu/drm/i915/intel_fbdev.c
+@@ -677,6 +677,7 @@ int intel_fbdev_init(struct drm_device *
+ if (ifbdev == NULL)
+ return -ENOMEM;
+
++ mutex_init(&ifbdev->hpd_lock);
+ drm_fb_helper_prepare(dev, &ifbdev->helper, &intel_fb_helper_funcs);
+
+ if (!intel_fbdev_init_bios(dev, ifbdev))
+@@ -750,6 +751,26 @@ void intel_fbdev_fini(struct drm_i915_pr
+ intel_fbdev_destroy(ifbdev);
+ }
+
++/* Suspends/resumes fbdev processing of incoming HPD events. When resuming HPD
++ * processing, fbdev will perform a full connector reprobe if a hotplug event
++ * was received while HPD was suspended.
++ */
++static void intel_fbdev_hpd_set_suspend(struct intel_fbdev *ifbdev, int state)
++{
++ bool send_hpd = false;
++
++ mutex_lock(&ifbdev->hpd_lock);
++ ifbdev->hpd_suspended = state == FBINFO_STATE_SUSPENDED;
++ send_hpd = !ifbdev->hpd_suspended && ifbdev->hpd_waiting;
++ ifbdev->hpd_waiting = false;
++ mutex_unlock(&ifbdev->hpd_lock);
++
++ if (send_hpd) {
++ DRM_DEBUG_KMS("Handling delayed fbcon HPD event\n");
++ drm_fb_helper_hotplug_event(&ifbdev->helper);
++ }
++}
++
+ void intel_fbdev_set_suspend(struct drm_device *dev, int state, bool synchronous)
+ {
+ struct drm_i915_private *dev_priv = to_i915(dev);
+@@ -771,6 +792,7 @@ void intel_fbdev_set_suspend(struct drm_
+ */
+ if (state != FBINFO_STATE_RUNNING)
+ flush_work(&dev_priv->fbdev_suspend_work);
++
+ console_lock();
+ } else {
+ /*
+@@ -798,17 +820,26 @@ void intel_fbdev_set_suspend(struct drm_
+
+ drm_fb_helper_set_suspend(&ifbdev->helper, state);
+ console_unlock();
++
++ intel_fbdev_hpd_set_suspend(ifbdev, state);
+ }
+
+ void intel_fbdev_output_poll_changed(struct drm_device *dev)
+ {
+ struct intel_fbdev *ifbdev = to_i915(dev)->fbdev;
++ bool send_hpd;
+
+ if (!ifbdev)
+ return;
+
+ intel_fbdev_sync(ifbdev);
+- if (ifbdev->vma || ifbdev->helper.deferred_setup)
++
++ mutex_lock(&ifbdev->hpd_lock);
++ send_hpd = !ifbdev->hpd_suspended;
++ ifbdev->hpd_waiting = true;
++ mutex_unlock(&ifbdev->hpd_lock);
++
++ if (send_hpd && (ifbdev->vma || ifbdev->helper.deferred_setup))
+ drm_fb_helper_hotplug_event(&ifbdev->helper);
+ }
+
--- /dev/null
+From 2e7bd10e05afb866b5fb13eda25095c35d7a27cc Mon Sep 17 00:00:00 2001
+From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Date: Thu, 7 Feb 2019 10:54:53 +0200
+Subject: drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set
+
+From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+
+commit 2e7bd10e05afb866b5fb13eda25095c35d7a27cc upstream.
+
+Make sure the underlying VMA in the process address space is the
+same as it was during vm_mmap to avoid applying WC to wrong VMA.
+
+A more long-term solution would be to have vm_mmap_locked variant
+in linux/mmap.h for when caller wants to hold mmap_sem for an
+extended duration.
+
+v2:
+- Refactor the compare function
+
+Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user mappings for objects")
+Reported-by: Adam Zabrocki <adamza@microsoft.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Cc: <stable@vger.kernel.org> # v4.0+
+Cc: Akash Goel <akash.goel@intel.com>
+Cc: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
+Cc: Adam Zabrocki <adamza@microsoft.com>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com> #v1
+Link: https://patchwork.freedesktop.org/patch/msgid/20190207085454.10598-1-joonas.lahtinen@linux.intel.com
+(cherry picked from commit 5c4604e757ba9b193b09768d75a7d2105a5b883f)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_gem.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem.c
++++ b/drivers/gpu/drm/i915/i915_gem.c
+@@ -1821,6 +1821,16 @@ i915_gem_sw_finish_ioctl(struct drm_devi
+ return 0;
+ }
+
++static inline bool
++__vma_matches(struct vm_area_struct *vma, struct file *filp,
++ unsigned long addr, unsigned long size)
++{
++ if (vma->vm_file != filp)
++ return false;
++
++ return vma->vm_start == addr && (vma->vm_end - vma->vm_start) == size;
++}
++
+ /**
+ * i915_gem_mmap_ioctl - Maps the contents of an object, returning the address
+ * it is mapped to.
+@@ -1879,7 +1889,7 @@ i915_gem_mmap_ioctl(struct drm_device *d
+ return -EINTR;
+ }
+ vma = find_vma(mm, addr);
+- if (vma)
++ if (vma && __vma_matches(vma, obj->base.filp, addr, args->size))
+ vma->vm_page_prot =
+ pgprot_writecombine(vm_get_page_prot(vma->vm_flags));
+ else
--- /dev/null
+From 69ef943dbc14b21987c79f8399ffea08f9a1b446 Mon Sep 17 00:00:00 2001
+From: Matthew Wilcox <willy@infradead.org>
+Date: Thu, 14 Feb 2019 11:03:48 -0800
+Subject: drm: Use array_size() when creating lease
+
+From: Matthew Wilcox <willy@infradead.org>
+
+commit 69ef943dbc14b21987c79f8399ffea08f9a1b446 upstream.
+
+Passing an object_count of sufficient size will make
+object_count * 4 wrap around to be very small, then a later function
+will happily iterate off the end of the object_ids array. Using
+array_size() will saturate at SIZE_MAX, the kmalloc() will fail and
+we'll return an -ENOMEM to the norty userspace.
+
+Fixes: 62884cd386b8 ("drm: Add four ioctls for managing drm mode object leases [v7]")
+Signed-off-by: Matthew Wilcox <willy@infradead.org>
+Acked-by: Kees Cook <keescook@chromium.org>
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: <stable@vger.kernel.org> # v4.15+
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_lease.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_lease.c
++++ b/drivers/gpu/drm/drm_lease.c
+@@ -521,7 +521,8 @@ int drm_mode_create_lease_ioctl(struct d
+
+ object_count = cl->object_count;
+
+- object_ids = memdup_user(u64_to_user_ptr(cl->object_ids), object_count * sizeof(__u32));
++ object_ids = memdup_user(u64_to_user_ptr(cl->object_ids),
++ array_size(object_count, sizeof(__u32)));
+ if (IS_ERR(object_ids))
+ return PTR_ERR(object_ids);
+
--- /dev/null
+From 7fd56e0260a22c0cfaf9adb94a2427b76e239dd0 Mon Sep 17 00:00:00 2001
+From: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
+Date: Wed, 6 Feb 2019 12:01:16 -0200
+Subject: drm/vkms: Fix license inconsistent
+
+From: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
+
+commit 7fd56e0260a22c0cfaf9adb94a2427b76e239dd0 upstream.
+
+Fixes license inconsistent related to the VKMS driver and remove the
+redundant boilerplate comment.
+
+Fixes: 854502fa0a38 ("drm/vkms: Add basic CRTC initialization")
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190206140116.7qvy2lpwbcd7wds6@smtp.gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vkms/vkms_crtc.c | 8 +-------
+ drivers/gpu/drm/vkms/vkms_drv.c | 7 +------
+ drivers/gpu/drm/vkms/vkms_drv.h | 2 ++
+ drivers/gpu/drm/vkms/vkms_gem.c | 8 +-------
+ drivers/gpu/drm/vkms/vkms_output.c | 8 +-------
+ drivers/gpu/drm/vkms/vkms_plane.c | 8 +-------
+ 6 files changed, 7 insertions(+), 34 deletions(-)
+
+--- a/drivers/gpu/drm/vkms/vkms_crtc.c
++++ b/drivers/gpu/drm/vkms/vkms_crtc.c
+@@ -1,10 +1,4 @@
+-// SPDX-License-Identifier: GPL-2.0
+-/*
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2 of the License, or
+- * (at your option) any later version.
+- */
++// SPDX-License-Identifier: GPL-2.0+
+
+ #include "vkms_drv.h"
+ #include <drm/drm_atomic_helper.h>
+--- a/drivers/gpu/drm/vkms/vkms_drv.c
++++ b/drivers/gpu/drm/vkms/vkms_drv.c
+@@ -1,9 +1,4 @@
+-/*
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2 of the License, or
+- * (at your option) any later version.
+- */
++// SPDX-License-Identifier: GPL-2.0+
+
+ #include <linux/module.h>
+ #include <drm/drm_gem.h>
+--- a/drivers/gpu/drm/vkms/vkms_drv.h
++++ b/drivers/gpu/drm/vkms/vkms_drv.h
+@@ -1,3 +1,5 @@
++/* SPDX-License-Identifier: GPL-2.0+ */
++
+ #ifndef _VKMS_DRV_H_
+ #define _VKMS_DRV_H_
+
+--- a/drivers/gpu/drm/vkms/vkms_gem.c
++++ b/drivers/gpu/drm/vkms/vkms_gem.c
+@@ -1,10 +1,4 @@
+-// SPDX-License-Identifier: GPL-2.0
+-/*
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2 of the License, or
+- * (at your option) any later version.
+- */
++// SPDX-License-Identifier: GPL-2.0+
+
+ #include <linux/shmem_fs.h>
+
+--- a/drivers/gpu/drm/vkms/vkms_output.c
++++ b/drivers/gpu/drm/vkms/vkms_output.c
+@@ -1,10 +1,4 @@
+-// SPDX-License-Identifier: GPL-2.0
+-/*
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2 of the License, or
+- * (at your option) any later version.
+- */
++// SPDX-License-Identifier: GPL-2.0+
+
+ #include "vkms_drv.h"
+ #include <drm/drm_crtc_helper.h>
+--- a/drivers/gpu/drm/vkms/vkms_plane.c
++++ b/drivers/gpu/drm/vkms/vkms_plane.c
+@@ -1,10 +1,4 @@
+-// SPDX-License-Identifier: GPL-2.0
+-/*
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2 of the License, or
+- * (at your option) any later version.
+- */
++// SPDX-License-Identifier: GPL-2.0+
+
+ #include "vkms_drv.h"
+ #include <drm/drm_plane_helper.h>
--- /dev/null
+From 90cc55f067f6ca0e64e5e52883ece47d8af7b67b Mon Sep 17 00:00:00 2001
+From: Jonathan Bakker <xc-racer2@live.ca>
+Date: Wed, 6 Feb 2019 10:45:37 -0800
+Subject: Input: bma150 - register input device after setting private data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Bakker <xc-racer2@live.ca>
+
+commit 90cc55f067f6ca0e64e5e52883ece47d8af7b67b upstream.
+
+Otherwise we introduce a race condition where userspace can request input
+before we're ready leading to null pointer dereference such as
+
+input: bma150 as /devices/platform/i2c-gpio-2/i2c-5/5-0038/input/input3
+Unable to handle kernel NULL pointer dereference at virtual address 00000018
+pgd = (ptrval)
+[00000018] *pgd=55dac831, *pte=00000000, *ppte=00000000
+Internal error: Oops: 17 [#1] PREEMPT ARM
+Modules linked in: bma150 input_polldev [last unloaded: bma150]
+CPU: 0 PID: 2870 Comm: accelerometer Not tainted 5.0.0-rc3-dirty #46
+Hardware name: Samsung S5PC110/S5PV210-based board
+PC is at input_event+0x8/0x60
+LR is at bma150_report_xyz+0x9c/0xe0 [bma150]
+pc : [<80450f70>] lr : [<7f0a614c>] psr: 800d0013
+sp : a4c1fd78 ip : 00000081 fp : 00020000
+r10: 00000000 r9 : a5e2944c r8 : a7455000
+r7 : 00000016 r6 : 00000101 r5 : a7617940 r4 : 80909048
+r3 : fffffff2 r2 : 00000000 r1 : 00000003 r0 : 00000000
+Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+Control: 10c5387d Table: 54e34019 DAC: 00000051
+Process accelerometer (pid: 2870, stack limit = 0x(ptrval))
+Stackck: (0xa4c1fd78 to 0xa4c20000)
+fd60: fffffff3 fc813f6c
+fd80: 40410581 d7530ce3 a5e2817c a7617f00 a5e29404 a5e2817c 00000000 7f008324
+fda0: a5e28000 8044f59c a5fdd9d0 a5e2945c a46a4a00 a5e29668 a7455000 80454f10
+fdc0: 80909048 a5e29668 a5fdd9d0 a46a4a00 806316d0 00000000 a46a4a00 801df5f0
+fde0: 00000000 d7530ce3 a4c1fec0 a46a4a00 00000000 a5fdd9d0 a46a4a08 801df53c
+fe00: 00000000 801d74bc a4c1fec0 00000000 a4c1ff70 00000000 a7038da8 00000000
+fe20: a46a4a00 801e91fc a411bbe0 801f2e88 00000004 00000000 80909048 00000041
+fe40: 00000000 00020000 00000000 dead4ead a6a88da0 00000000 ffffe000 806fcae8
+fe60: a4c1fec8 00000000 80909048 00000002 a5fdd9d0 a7660110 a411bab0 00000001
+fe80: dead4ead ffffffff ffffffff a4c1fe8c a4c1fe8c d7530ce3 20000013 80909048
+fea0: 80909048 a4c1ff70 00000001 fffff000 a4c1e000 00000005 00026038 801eabd8
+fec0: a7660110 a411bab0 b9394901 00000006 a696201b 76fb3000 00000000 a7039720
+fee0: a5fdd9d0 00000101 00000002 00000096 00000000 00000000 00000000 a4c1ff00
+ff00: a6b310f4 805cb174 a6b310f4 00000010 00000fe0 00000010 a4c1e000 d7530ce3
+ff20: 00000003 a5f41400 a5f41424 00000000 a6962000 00000000 00000003 00000002
+ff40: ffffff9c 000a0000 80909048 d7530ce3 a6962000 00000003 80909048 ffffff9c
+ff60: a6962000 801d890c 00000000 00000000 00020000 a7590000 00000004 00000100
+ff80: 00000001 d7530ce3 000288b8 00026320 000288b8 00000005 80101204 a4c1e000
+ffa0: 00000005 80101000 000288b8 00026320 000288b8 000a0000 00000000 00000000
+ffc0: 000288b8 00026320 000288b8 00000005 7eef3bac 000264e8 00028ad8 00026038
+ffe0: 00000005 7eef3300 76f76e91 76f78546 800d0030 000288b8 00000000 00000000
+[<80450f70>] (input_event) from [<a5e2817c>] (0xa5e2817c)
+Code: e1a08148 eaffffa8 e351001f 812fff1e (e590c018)
+---[ end trace 1c691ee85f2ff243 ]---
+
+Signed-off-by: Jonathan Bakker <xc-racer2@live.ca>
+Signed-off-by: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/bma150.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/misc/bma150.c
++++ b/drivers/input/misc/bma150.c
+@@ -481,13 +481,14 @@ static int bma150_register_input_device(
+ idev->close = bma150_irq_close;
+ input_set_drvdata(idev, bma150);
+
++ bma150->input = idev;
++
+ error = input_register_device(idev);
+ if (error) {
+ input_free_device(idev);
+ return error;
+ }
+
+- bma150->input = idev;
+ return 0;
+ }
+
+@@ -510,15 +511,15 @@ static int bma150_register_polled_device
+
+ bma150_init_input_device(bma150, ipoll_dev->input);
+
++ bma150->input_polled = ipoll_dev;
++ bma150->input = ipoll_dev->input;
++
+ error = input_register_polled_device(ipoll_dev);
+ if (error) {
+ input_free_polled_device(ipoll_dev);
+ return error;
+ }
+
+- bma150->input_polled = ipoll_dev;
+- bma150->input = ipoll_dev->input;
+-
+ return 0;
+ }
+
--- /dev/null
+From 7ad222b3aed350adfc27ee7eec4587ffe55dfdce Mon Sep 17 00:00:00 2001
+From: Mauro Ciancio <mauro@acadeu.com>
+Date: Mon, 14 Jan 2019 10:24:53 -0300
+Subject: Input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK
+
+From: Mauro Ciancio <mauro@acadeu.com>
+
+commit 7ad222b3aed350adfc27ee7eec4587ffe55dfdce upstream.
+
+This adds ELAN0617 to the ACPI table to support Elan touchpad found in
+Lenovo V330-15ISK.
+
+Signed-off-by: Mauro Ciancio <mauro@acadeu.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1345,6 +1345,7 @@ static const struct acpi_device_id elan_
+ { "ELAN060C", 0 },
+ { "ELAN0611", 0 },
+ { "ELAN0612", 0 },
++ { "ELAN0617", 0 },
+ { "ELAN0618", 0 },
+ { "ELAN061C", 0 },
+ { "ELAN061D", 0 },
--- /dev/null
+From e8b22d0a329f0fb5c7ef95406872d268f01ee3b1 Mon Sep 17 00:00:00 2001
+From: Matti Kurkela <Matti.Kurkela@iki.fi>
+Date: Thu, 7 Feb 2019 23:49:23 -0800
+Subject: Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780
+
+From: Matti Kurkela <Matti.Kurkela@iki.fi>
+
+commit e8b22d0a329f0fb5c7ef95406872d268f01ee3b1 upstream.
+
+Like Fujitsu CELSIUS H760, the H780 also has a three-button Elantech
+touchpad, but the driver needs to be told so to enable the middle touchpad
+button.
+
+The elantech_dmi_force_crc_enabled quirk was not necessary with the H780.
+
+Also document the fw_version and caps values detected for both H760 and
+H780 models.
+
+Signed-off-by: Matti Kurkela <Matti.Kurkela@iki.fi>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elantech.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -1119,6 +1119,8 @@ static int elantech_get_resolution_v4(st
+ * Asus UX31 0x361f00 20, 15, 0e clickpad
+ * Asus UX32VD 0x361f02 00, 15, 0e clickpad
+ * Avatar AVIU-145A2 0x361f00 ? clickpad
++ * Fujitsu CELSIUS H760 0x570f02 40, 14, 0c 3 hw buttons (**)
++ * Fujitsu CELSIUS H780 0x5d0f02 41, 16, 0d 3 hw buttons (**)
+ * Fujitsu LIFEBOOK E544 0x470f00 d0, 12, 09 2 hw buttons
+ * Fujitsu LIFEBOOK E546 0x470f00 50, 12, 09 2 hw buttons
+ * Fujitsu LIFEBOOK E547 0x470f00 50, 12, 09 2 hw buttons
+@@ -1171,6 +1173,13 @@ static const struct dmi_system_id elante
+ DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H760"),
+ },
+ },
++ {
++ /* Fujitsu H780 also has a middle button */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H780"),
++ },
++ },
+ #endif
+ { }
+ };
--- /dev/null
+From 98ae70cc476e833332a2c6bb72f941a25f0de226 Mon Sep 17 00:00:00 2001
+From: Xiaoyao Li <xiaoyao.li@linux.intel.com>
+Date: Thu, 14 Feb 2019 12:08:58 +0800
+Subject: kvm: vmx: Fix entry number check for add_atomic_switch_msr()
+
+From: Xiaoyao Li <xiaoyao.li@linux.intel.com>
+
+commit 98ae70cc476e833332a2c6bb72f941a25f0de226 upstream.
+
+Commit ca83b4a7f2d068da79a0 ("x86/KVM/VMX: Add find_msr() helper function")
+introduces the helper function find_msr(), which returns -ENOENT when
+not find the msr in vmx->msr_autoload.guest/host. Correct checking contion
+of no more available entry in vmx->msr_autoload.
+
+Fixes: ca83b4a7f2d0 ("x86/KVM/VMX: Add find_msr() helper function")
+Cc: stable@vger.kernel.org
+Signed-off-by: Xiaoyao Li <xiaoyao.li@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2757,7 +2757,8 @@ static void add_atomic_switch_msr(struct
+ if (!entry_only)
+ j = find_msr(&m->host, msr);
+
+- if (i == NR_AUTOLOAD_MSRS || j == NR_AUTOLOAD_MSRS) {
++ if ((i < 0 && m->guest.nr == NR_AUTOLOAD_MSRS) ||
++ (j < 0 && m->host.nr == NR_AUTOLOAD_MSRS)) {
+ printk_once(KERN_WARNING "Not enough msr switch entries. "
+ "Can't add msr %x\n", msr);
+ return;
--- /dev/null
+From dfcc34c99f3ebc16b787b118763bf9cb6b1efc7a Mon Sep 17 00:00:00 2001
+From: Nate Dailey <nate.dailey@stratus.com>
+Date: Thu, 7 Feb 2019 14:19:01 -0500
+Subject: md/raid1: don't clear bitmap bits on interrupted recovery.
+
+From: Nate Dailey <nate.dailey@stratus.com>
+
+commit dfcc34c99f3ebc16b787b118763bf9cb6b1efc7a upstream.
+
+sync_request_write no longer submits writes to a Faulty device. This has
+the unfortunate side effect that bitmap bits can be incorrectly cleared
+if a recovery is interrupted (previously, end_sync_write would have
+prevented this). This means the next recovery may not copy everything
+it should, potentially corrupting data.
+
+Add a function for doing the proper md_bitmap_end_sync, called from
+end_sync_write and the Faulty case in sync_request_write.
+
+backport note to 4.14: s/md_bitmap_end_sync/bitmap_end_sync
+Cc: stable@vger.kernel.org 4.14+
+Fixes: 0c9d5b127f69 ("md/raid1: avoid reusing a resync bio after error handling.")
+Reviewed-by: Jack Wang <jinpu.wang@cloud.ionos.com>
+Tested-by: Jack Wang <jinpu.wang@cloud.ionos.com>
+Signed-off-by: Nate Dailey <nate.dailey@stratus.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid1.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -1863,6 +1863,20 @@ static void end_sync_read(struct bio *bi
+ reschedule_retry(r1_bio);
+ }
+
++static void abort_sync_write(struct mddev *mddev, struct r1bio *r1_bio)
++{
++ sector_t sync_blocks = 0;
++ sector_t s = r1_bio->sector;
++ long sectors_to_go = r1_bio->sectors;
++
++ /* make sure these bits don't get cleared. */
++ do {
++ md_bitmap_end_sync(mddev->bitmap, s, &sync_blocks, 1);
++ s += sync_blocks;
++ sectors_to_go -= sync_blocks;
++ } while (sectors_to_go > 0);
++}
++
+ static void end_sync_write(struct bio *bio)
+ {
+ int uptodate = !bio->bi_status;
+@@ -1874,15 +1888,7 @@ static void end_sync_write(struct bio *b
+ struct md_rdev *rdev = conf->mirrors[find_bio_disk(r1_bio, bio)].rdev;
+
+ if (!uptodate) {
+- sector_t sync_blocks = 0;
+- sector_t s = r1_bio->sector;
+- long sectors_to_go = r1_bio->sectors;
+- /* make sure these bits doesn't get cleared. */
+- do {
+- md_bitmap_end_sync(mddev->bitmap, s, &sync_blocks, 1);
+- s += sync_blocks;
+- sectors_to_go -= sync_blocks;
+- } while (sectors_to_go > 0);
++ abort_sync_write(mddev, r1_bio);
+ set_bit(WriteErrorSeen, &rdev->flags);
+ if (!test_and_set_bit(WantReplacement, &rdev->flags))
+ set_bit(MD_RECOVERY_NEEDED, &
+@@ -2172,8 +2178,10 @@ static void sync_request_write(struct md
+ (i == r1_bio->read_disk ||
+ !test_bit(MD_RECOVERY_SYNC, &mddev->recovery))))
+ continue;
+- if (test_bit(Faulty, &conf->mirrors[i].rdev->flags))
++ if (test_bit(Faulty, &conf->mirrors[i].rdev->flags)) {
++ abort_sync_write(mddev, r1_bio);
+ continue;
++ }
+
+ bio_set_op_attrs(wbio, REQ_OP_WRITE, 0);
+ if (test_bit(FailFast, &conf->mirrors[i].rdev->flags))
--- /dev/null
+From 27dd768ed8db48beefc4d9e006c58e7a00342bde Mon Sep 17 00:00:00 2001
+From: Sandeep Patil <sspatil@android.com>
+Date: Tue, 12 Feb 2019 15:36:11 -0800
+Subject: mm: proc: smaps_rollup: fix pss_locked calculation
+
+From: Sandeep Patil <sspatil@android.com>
+
+commit 27dd768ed8db48beefc4d9e006c58e7a00342bde upstream.
+
+The 'pss_locked' field of smaps_rollup was being calculated incorrectly.
+It accumulated the current pss everytime a locked VMA was found. Fix
+that by adding to 'pss_locked' the same time as that of 'pss' if the vma
+being walked is locked.
+
+Link: http://lkml.kernel.org/r/20190203065425.14650-1-sspatil@android.com
+Fixes: 493b0e9d945f ("mm: add /proc/pid/smaps_rollup")
+Signed-off-by: Sandeep Patil <sspatil@android.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Daniel Colascione <dancol@google.com>
+Cc: <stable@vger.kernel.org> [4.14.x, 4.19.x]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/task_mmu.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -423,7 +423,7 @@ struct mem_size_stats {
+ };
+
+ static void smaps_account(struct mem_size_stats *mss, struct page *page,
+- bool compound, bool young, bool dirty)
++ bool compound, bool young, bool dirty, bool locked)
+ {
+ int i, nr = compound ? 1 << compound_order(page) : 1;
+ unsigned long size = nr * PAGE_SIZE;
+@@ -450,24 +450,31 @@ static void smaps_account(struct mem_siz
+ else
+ mss->private_clean += size;
+ mss->pss += (u64)size << PSS_SHIFT;
++ if (locked)
++ mss->pss_locked += (u64)size << PSS_SHIFT;
+ return;
+ }
+
+ for (i = 0; i < nr; i++, page++) {
+ int mapcount = page_mapcount(page);
++ unsigned long pss = (PAGE_SIZE << PSS_SHIFT);
+
+ if (mapcount >= 2) {
+ if (dirty || PageDirty(page))
+ mss->shared_dirty += PAGE_SIZE;
+ else
+ mss->shared_clean += PAGE_SIZE;
+- mss->pss += (PAGE_SIZE << PSS_SHIFT) / mapcount;
++ mss->pss += pss / mapcount;
++ if (locked)
++ mss->pss_locked += pss / mapcount;
+ } else {
+ if (dirty || PageDirty(page))
+ mss->private_dirty += PAGE_SIZE;
+ else
+ mss->private_clean += PAGE_SIZE;
+- mss->pss += PAGE_SIZE << PSS_SHIFT;
++ mss->pss += pss;
++ if (locked)
++ mss->pss_locked += pss;
+ }
+ }
+ }
+@@ -490,6 +497,7 @@ static void smaps_pte_entry(pte_t *pte,
+ {
+ struct mem_size_stats *mss = walk->private;
+ struct vm_area_struct *vma = walk->vma;
++ bool locked = !!(vma->vm_flags & VM_LOCKED);
+ struct page *page = NULL;
+
+ if (pte_present(*pte)) {
+@@ -532,7 +540,7 @@ static void smaps_pte_entry(pte_t *pte,
+ if (!page)
+ return;
+
+- smaps_account(mss, page, false, pte_young(*pte), pte_dirty(*pte));
++ smaps_account(mss, page, false, pte_young(*pte), pte_dirty(*pte), locked);
+ }
+
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
+@@ -541,6 +549,7 @@ static void smaps_pmd_entry(pmd_t *pmd,
+ {
+ struct mem_size_stats *mss = walk->private;
+ struct vm_area_struct *vma = walk->vma;
++ bool locked = !!(vma->vm_flags & VM_LOCKED);
+ struct page *page;
+
+ /* FOLL_DUMP will return -EFAULT on huge zero page */
+@@ -555,7 +564,7 @@ static void smaps_pmd_entry(pmd_t *pmd,
+ /* pass */;
+ else
+ VM_BUG_ON_PAGE(1, page);
+- smaps_account(mss, page, true, pmd_young(*pmd), pmd_dirty(*pmd));
++ smaps_account(mss, page, true, pmd_young(*pmd), pmd_dirty(*pmd), locked);
+ }
+ #else
+ static void smaps_pmd_entry(pmd_t *pmd, unsigned long addr,
+@@ -737,11 +746,8 @@ static void smap_gather_stats(struct vm_
+ }
+ }
+ #endif
+-
+ /* mmap_sem is held in m_start */
+ walk_page_vma(vma, &smaps_walk);
+- if (vma->vm_flags & VM_LOCKED)
+- mss->pss_locked += mss->pss;
+ }
+
+ #define SEQ_PUT_DEC(str, val) \
--- /dev/null
+From dcf6e2e38a1c7ccbc535de5e1d9b14998847499d Mon Sep 17 00:00:00 2001
+From: Zachary Hays <zhays@lexmark.com>
+Date: Thu, 7 Feb 2019 10:03:08 -0500
+Subject: mmc: block: handle complete_work on separate workqueue
+
+From: Zachary Hays <zhays@lexmark.com>
+
+commit dcf6e2e38a1c7ccbc535de5e1d9b14998847499d upstream.
+
+The kblockd workqueue is created with the WQ_MEM_RECLAIM flag set.
+This generates a rescuer thread for that queue that will trigger when
+the CPU is under heavy load and collect the uncompleted work.
+
+In the case of mmc, this creates the possibility of a deadlock when
+there are multiple partitions on the device as other blk-mq work is
+also run on the same queue. For example:
+
+- worker 0 claims the mmc host to work on partition 1
+- worker 1 attempts to claim the host for partition 2 but has to wait
+ for worker 0 to finish
+- worker 0 schedules complete_work to release the host
+- rescuer thread is triggered after time-out and collects the dangling
+ work
+- rescuer thread attempts to complete the work in order starting with
+ claim host
+- the task to release host is now blocked by a task to claim it and
+ will never be called
+
+The above results in multiple hung tasks that lead to failures to
+mount partitions.
+
+Handling complete_work on a separate workqueue avoids this by keeping
+the work completion tasks separate from the other blk-mq work. This
+allows the host to be released without getting blocked by other tasks
+attempting to claim the host.
+
+Signed-off-by: Zachary Hays <zhays@lexmark.com>
+Fixes: 81196976ed94 ("mmc: block: Add blk-mq support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/core/block.c | 10 +++++++++-
+ include/linux/mmc/card.h | 1 +
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -2114,7 +2114,7 @@ static void mmc_blk_mq_req_done(struct m
+ if (waiting)
+ wake_up(&mq->wait);
+ else
+- kblockd_schedule_work(&mq->complete_work);
++ queue_work(mq->card->complete_wq, &mq->complete_work);
+
+ return;
+ }
+@@ -2928,6 +2928,13 @@ static int mmc_blk_probe(struct mmc_card
+
+ mmc_fixup_device(card, mmc_blk_fixups);
+
++ card->complete_wq = alloc_workqueue("mmc_complete",
++ WQ_MEM_RECLAIM | WQ_HIGHPRI, 0);
++ if (unlikely(!card->complete_wq)) {
++ pr_err("Failed to create mmc completion workqueue");
++ return -ENOMEM;
++ }
++
+ md = mmc_blk_alloc(card);
+ if (IS_ERR(md))
+ return PTR_ERR(md);
+@@ -2991,6 +2998,7 @@ static void mmc_blk_remove(struct mmc_ca
+ pm_runtime_put_noidle(&card->dev);
+ mmc_blk_remove_req(md);
+ dev_set_drvdata(&card->dev, NULL);
++ destroy_workqueue(card->complete_wq);
+ }
+
+ static int _mmc_blk_suspend(struct mmc_card *card)
+--- a/include/linux/mmc/card.h
++++ b/include/linux/mmc/card.h
+@@ -308,6 +308,7 @@ struct mmc_card {
+ unsigned int nr_parts;
+
+ unsigned int bouncesz; /* Bounce buffer size */
++ struct workqueue_struct *complete_wq; /* Private workqueue */
+ };
+
+ static inline bool mmc_large_sector(struct mmc_card *card)
--- /dev/null
+From d6f11e7d91f2ac85f66194fe3ef8789b49901d64 Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Tue, 5 Feb 2019 23:42:24 +0800
+Subject: mmc: sunxi: Filter out unsupported modes declared in the device tree
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+commit d6f11e7d91f2ac85f66194fe3ef8789b49901d64 upstream.
+
+The MMC device tree bindings include properties used to signal various
+signalling speed modes. Until now the sunxi driver was accepting them
+without any further filtering, while the sunxi device trees were not
+actually using them.
+
+Since some of the H5 boards can not run at higher speed modes stably,
+we are resorting to declaring the higher speed modes per-board.
+
+Regardless, having boards declare modes and blindly following them,
+even without proper support in the driver, is generally a bad thing.
+
+Filter out all unsupported modes from the capabilities mask after
+the device tree properties have been parsed.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Acked-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sunxi-mmc.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/mmc/host/sunxi-mmc.c
++++ b/drivers/mmc/host/sunxi-mmc.c
+@@ -1394,6 +1394,21 @@ static int sunxi_mmc_probe(struct platfo
+ if (ret)
+ goto error_free_dma;
+
++ /*
++ * If we don't support delay chains in the SoC, we can't use any
++ * of the higher speed modes. Mask them out in case the device
++ * tree specifies the properties for them, which gets added to
++ * the caps by mmc_of_parse() above.
++ */
++ if (!(host->cfg->clk_delays || host->use_new_timings)) {
++ mmc->caps &= ~(MMC_CAP_3_3V_DDR | MMC_CAP_1_8V_DDR |
++ MMC_CAP_1_2V_DDR | MMC_CAP_UHS);
++ mmc->caps2 &= ~MMC_CAP2_HS200;
++ }
++
++ /* TODO: This driver doesn't support HS400 mode yet */
++ mmc->caps2 &= ~MMC_CAP2_HS400;
++
+ ret = sunxi_mmc_init_host(host);
+ if (ret)
+ goto error_free_dma;
--- /dev/null
+From 528871b456026e6127d95b1b2bd8e3a003dc1614 Mon Sep 17 00:00:00 2001
+From: Ingo Molnar <mingo@kernel.org>
+Date: Wed, 13 Feb 2019 07:57:02 +0100
+Subject: perf/core: Fix impossible ring-buffer sizes warning
+
+From: Ingo Molnar <mingo@kernel.org>
+
+commit 528871b456026e6127d95b1b2bd8e3a003dc1614 upstream.
+
+The following commit:
+
+ 9dff0aa95a32 ("perf/core: Don't WARN() for impossible ring-buffer sizes")
+
+results in perf recording failures with larger mmap areas:
+
+ root@skl:/tmp# perf record -g -a
+ failed to mmap with 12 (Cannot allocate memory)
+
+The root cause is that the following condition is buggy:
+
+ if (order_base_2(size) >= MAX_ORDER)
+ goto fail;
+
+The problem is that @size is in bytes and MAX_ORDER is in pages,
+so the right test is:
+
+ if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER)
+ goto fail;
+
+Fix it.
+
+Reported-by: "Jin, Yao" <yao.jin@linux.intel.com>
+Bisected-by: Borislav Petkov <bp@alien8.de>
+Analyzed-by: Peter Zijlstra <peterz@infradead.org>
+Cc: Julien Thierry <julien.thierry@arm.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: <stable@vger.kernel.org>
+Fixes: 9dff0aa95a32 ("perf/core: Don't WARN() for impossible ring-buffer sizes")
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/ring_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/events/ring_buffer.c
++++ b/kernel/events/ring_buffer.c
+@@ -724,7 +724,7 @@ struct ring_buffer *rb_alloc(int nr_page
+ size = sizeof(struct ring_buffer);
+ size += nr_pages * sizeof(void *);
+
+- if (order_base_2(size) >= MAX_ORDER)
++ if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER)
+ goto fail;
+
+ rb = kzalloc(size, GFP_KERNEL);
--- /dev/null
+From 81ec3f3c4c4d78f2d3b6689c9816bfbdf7417dbb Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@redhat.com>
+Date: Mon, 4 Feb 2019 13:35:32 +0100
+Subject: perf/x86: Add check_period PMU callback
+
+From: Jiri Olsa <jolsa@redhat.com>
+
+commit 81ec3f3c4c4d78f2d3b6689c9816bfbdf7417dbb upstream.
+
+Vince (and later on Ravi) reported crashes in the BTS code during
+fuzzing with the following backtrace:
+
+ general protection fault: 0000 [#1] SMP PTI
+ ...
+ RIP: 0010:perf_prepare_sample+0x8f/0x510
+ ...
+ Call Trace:
+ <IRQ>
+ ? intel_pmu_drain_bts_buffer+0x194/0x230
+ intel_pmu_drain_bts_buffer+0x160/0x230
+ ? tick_nohz_irq_exit+0x31/0x40
+ ? smp_call_function_single_interrupt+0x48/0xe0
+ ? call_function_single_interrupt+0xf/0x20
+ ? call_function_single_interrupt+0xa/0x20
+ ? x86_schedule_events+0x1a0/0x2f0
+ ? x86_pmu_commit_txn+0xb4/0x100
+ ? find_busiest_group+0x47/0x5d0
+ ? perf_event_set_state.part.42+0x12/0x50
+ ? perf_mux_hrtimer_restart+0x40/0xb0
+ intel_pmu_disable_event+0xae/0x100
+ ? intel_pmu_disable_event+0xae/0x100
+ x86_pmu_stop+0x7a/0xb0
+ x86_pmu_del+0x57/0x120
+ event_sched_out.isra.101+0x83/0x180
+ group_sched_out.part.103+0x57/0xe0
+ ctx_sched_out+0x188/0x240
+ ctx_resched+0xa8/0xd0
+ __perf_event_enable+0x193/0x1e0
+ event_function+0x8e/0xc0
+ remote_function+0x41/0x50
+ flush_smp_call_function_queue+0x68/0x100
+ generic_smp_call_function_single_interrupt+0x13/0x30
+ smp_call_function_single_interrupt+0x3e/0xe0
+ call_function_single_interrupt+0xf/0x20
+ </IRQ>
+
+The reason is that while event init code does several checks
+for BTS events and prevents several unwanted config bits for
+BTS event (like precise_ip), the PERF_EVENT_IOC_PERIOD allows
+to create BTS event without those checks being done.
+
+Following sequence will cause the crash:
+
+If we create an 'almost' BTS event with precise_ip and callchains,
+and it into a BTS event it will crash the perf_prepare_sample()
+function because precise_ip events are expected to come
+in with callchain data initialized, but that's not the
+case for intel_pmu_drain_bts_buffer() caller.
+
+Adding a check_period callback to be called before the period
+is changed via PERF_EVENT_IOC_PERIOD. It will deny the change
+if the event would become BTS. Plus adding also the limit_period
+check as well.
+
+Reported-by: Vince Weaver <vincent.weaver@maine.edu>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Cc: <stable@vger.kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20190204123532.GA4794@krava
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/events/core.c | 14 ++++++++++++++
+ arch/x86/events/intel/core.c | 9 +++++++++
+ arch/x86/events/perf_event.h | 16 ++++++++++++++--
+ include/linux/perf_event.h | 5 +++++
+ kernel/events/core.c | 16 ++++++++++++++++
+ 5 files changed, 58 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -2253,6 +2253,19 @@ void perf_check_microcode(void)
+ x86_pmu.check_microcode();
+ }
+
++static int x86_pmu_check_period(struct perf_event *event, u64 value)
++{
++ if (x86_pmu.check_period && x86_pmu.check_period(event, value))
++ return -EINVAL;
++
++ if (value && x86_pmu.limit_period) {
++ if (x86_pmu.limit_period(event, value) > value)
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+ static struct pmu pmu = {
+ .pmu_enable = x86_pmu_enable,
+ .pmu_disable = x86_pmu_disable,
+@@ -2277,6 +2290,7 @@ static struct pmu pmu = {
+ .event_idx = x86_pmu_event_idx,
+ .sched_task = x86_pmu_sched_task,
+ .task_ctx_size = sizeof(struct x86_perf_task_context),
++ .check_period = x86_pmu_check_period,
+ };
+
+ void arch_perf_update_userpage(struct perf_event *event,
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -3465,6 +3465,11 @@ static void intel_pmu_sched_task(struct
+ intel_pmu_lbr_sched_task(ctx, sched_in);
+ }
+
++static int intel_pmu_check_period(struct perf_event *event, u64 value)
++{
++ return intel_pmu_has_bts_period(event, value) ? -EINVAL : 0;
++}
++
+ PMU_FORMAT_ATTR(offcore_rsp, "config1:0-63");
+
+ PMU_FORMAT_ATTR(ldlat, "config1:0-15");
+@@ -3545,6 +3550,8 @@ static __initconst const struct x86_pmu
+ .cpu_starting = intel_pmu_cpu_starting,
+ .cpu_dying = intel_pmu_cpu_dying,
+ .cpu_dead = intel_pmu_cpu_dead,
++
++ .check_period = intel_pmu_check_period,
+ };
+
+ static struct attribute *intel_pmu_attrs[];
+@@ -3589,6 +3596,8 @@ static __initconst const struct x86_pmu
+
+ .guest_get_msrs = intel_guest_get_msrs,
+ .sched_task = intel_pmu_sched_task,
++
++ .check_period = intel_pmu_check_period,
+ };
+
+ static __init void intel_clovertown_quirk(void)
+--- a/arch/x86/events/perf_event.h
++++ b/arch/x86/events/perf_event.h
+@@ -644,6 +644,11 @@ struct x86_pmu {
+ * Intel host/guest support (KVM)
+ */
+ struct perf_guest_switch_msr *(*guest_get_msrs)(int *nr);
++
++ /*
++ * Check period value for PERF_EVENT_IOC_PERIOD ioctl.
++ */
++ int (*check_period) (struct perf_event *event, u64 period);
+ };
+
+ struct x86_perf_task_context {
+@@ -855,7 +860,7 @@ static inline int amd_pmu_init(void)
+
+ #ifdef CONFIG_CPU_SUP_INTEL
+
+-static inline bool intel_pmu_has_bts(struct perf_event *event)
++static inline bool intel_pmu_has_bts_period(struct perf_event *event, u64 period)
+ {
+ struct hw_perf_event *hwc = &event->hw;
+ unsigned int hw_event, bts_event;
+@@ -866,7 +871,14 @@ static inline bool intel_pmu_has_bts(str
+ hw_event = hwc->config & INTEL_ARCH_EVENT_MASK;
+ bts_event = x86_pmu.event_map(PERF_COUNT_HW_BRANCH_INSTRUCTIONS);
+
+- return hw_event == bts_event && hwc->sample_period == 1;
++ return hw_event == bts_event && period == 1;
++}
++
++static inline bool intel_pmu_has_bts(struct perf_event *event)
++{
++ struct hw_perf_event *hwc = &event->hw;
++
++ return intel_pmu_has_bts_period(event, hwc->sample_period);
+ }
+
+ int intel_pmu_save_and_restart(struct perf_event *event);
+--- a/include/linux/perf_event.h
++++ b/include/linux/perf_event.h
+@@ -447,6 +447,11 @@ struct pmu {
+ * Filter events for PMU-specific reasons.
+ */
+ int (*filter_match) (struct perf_event *event); /* optional */
++
++ /*
++ * Check period value for PERF_EVENT_IOC_PERIOD ioctl.
++ */
++ int (*check_period) (struct perf_event *event, u64 value); /* optional */
+ };
+
+ enum perf_addr_filter_action_t {
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -4963,6 +4963,11 @@ static void __perf_event_period(struct p
+ }
+ }
+
++static int perf_event_check_period(struct perf_event *event, u64 value)
++{
++ return event->pmu->check_period(event, value);
++}
++
+ static int perf_event_period(struct perf_event *event, u64 __user *arg)
+ {
+ u64 value;
+@@ -4979,6 +4984,9 @@ static int perf_event_period(struct perf
+ if (event->attr.freq && value > sysctl_perf_event_sample_rate)
+ return -EINVAL;
+
++ if (perf_event_check_period(event, value))
++ return -EINVAL;
++
+ event_function_call(event, __perf_event_period, &value);
+
+ return 0;
+@@ -9362,6 +9370,11 @@ static int perf_pmu_nop_int(struct pmu *
+ return 0;
+ }
+
++static int perf_event_nop_int(struct perf_event *event, u64 value)
++{
++ return 0;
++}
++
+ static DEFINE_PER_CPU(unsigned int, nop_txn_flags);
+
+ static void perf_pmu_start_txn(struct pmu *pmu, unsigned int flags)
+@@ -9662,6 +9675,9 @@ got_cpu_context:
+ pmu->pmu_disable = perf_pmu_nop_void;
+ }
+
++ if (!pmu->check_period)
++ pmu->check_period = perf_event_nop_int;
++
+ if (!pmu->event_idx)
+ pmu->event_idx = perf_event_idx_default;
+
--- /dev/null
+From f420c54e4b12c1361c6ed313002ee7bd7ac58362 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 11 Feb 2019 14:32:40 -0800
+Subject: Revert "Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G"
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit f420c54e4b12c1361c6ed313002ee7bd7ac58362 upstream.
+
+This reverts commit 7db54c89f0b30a101584e09d3729144e6170059d as it
+breaks Acer Aspire V-371 and other devices. According to Elan:
+
+"Acer Aspire F5-573G is MS Precision touchpad which should use hid
+ multitouch driver. ELAN0501 should not be added in elan_i2c."
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202503
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1336,7 +1336,6 @@ MODULE_DEVICE_TABLE(i2c, elan_id);
+ static const struct acpi_device_id elan_acpi_id[] = {
+ { "ELAN0000", 0 },
+ { "ELAN0100", 0 },
+- { "ELAN0501", 0 },
+ { "ELAN0600", 0 },
+ { "ELAN0602", 0 },
+ { "ELAN0605", 0 },
--- /dev/null
+From 69056ee6a8a3d576ed31e38b3b14c70d6c74edcc Mon Sep 17 00:00:00 2001
+From: Dave Chinner <dchinner@redhat.com>
+Date: Tue, 12 Feb 2019 15:35:51 -0800
+Subject: Revert "mm: don't reclaim inodes with many attached pages"
+
+From: Dave Chinner <dchinner@redhat.com>
+
+commit 69056ee6a8a3d576ed31e38b3b14c70d6c74edcc upstream.
+
+This reverts commit a76cf1a474d7d ("mm: don't reclaim inodes with many
+attached pages").
+
+This change causes serious changes to page cache and inode cache
+behaviour and balance, resulting in major performance regressions when
+combining worklaods such as large file copies and kernel compiles.
+
+ https://bugzilla.kernel.org/show_bug.cgi?id=202441
+
+This change is a hack to work around the problems introduced by changing
+how agressive shrinkers are on small caches in commit 172b06c32b94 ("mm:
+slowly shrink slabs with a relatively small number of objects"). It
+creates more problems than it solves, wasn't adequately reviewed or
+tested, so it needs to be reverted.
+
+Link: http://lkml.kernel.org/r/20190130041707.27750-2-david@fromorbit.com
+Fixes: a76cf1a474d7d ("mm: don't reclaim inodes with many attached pages")
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Cc: Wolfgang Walter <linux@stwm.de>
+Cc: Roman Gushchin <guro@fb.com>
+Cc: Spock <dairinin@gmail.com>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/inode.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -730,11 +730,8 @@ static enum lru_status inode_lru_isolate
+ return LRU_REMOVED;
+ }
+
+- /*
+- * Recently referenced inodes and inodes with many attached pages
+- * get one more pass.
+- */
+- if (inode->i_state & I_REFERENCED || inode->i_data.nrpages > 1) {
++ /* recently referenced inodes get one more pass */
++ if (inode->i_state & I_REFERENCED) {
+ inode->i_state &= ~I_REFERENCED;
+ spin_unlock(&inode->i_lock);
+ return LRU_ROTATE;
--- /dev/null
+From a9a238e83fbb0df31c3b9b67003f8f9d1d1b6c96 Mon Sep 17 00:00:00 2001
+From: Dave Chinner <dchinner@redhat.com>
+Date: Tue, 12 Feb 2019 15:35:55 -0800
+Subject: Revert "mm: slowly shrink slabs with a relatively small number of objects"
+
+From: Dave Chinner <dchinner@redhat.com>
+
+commit a9a238e83fbb0df31c3b9b67003f8f9d1d1b6c96 upstream.
+
+This reverts commit 172b06c32b9497 ("mm: slowly shrink slabs with a
+relatively small number of objects").
+
+This change changes the agressiveness of shrinker reclaim, causing small
+cache and low priority reclaim to greatly increase scanning pressure on
+small caches. As a result, light memory pressure has a disproportionate
+affect on small caches, and causes large caches to be reclaimed much
+faster than previously.
+
+As a result, it greatly perturbs the delicate balance of the VFS caches
+(dentry/inode vs file page cache) such that the inode/dentry caches are
+reclaimed much, much faster than the page cache and this drives us into
+several other caching imbalance related problems.
+
+As such, this is a bad change and needs to be reverted.
+
+[ Needs some massaging to retain the later seekless shrinker
+ modifications.]
+
+Link: http://lkml.kernel.org/r/20190130041707.27750-3-david@fromorbit.com
+Fixes: 172b06c32b9497 ("mm: slowly shrink slabs with a relatively small number of objects")
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Cc: Wolfgang Walter <linux@stwm.de>
+Cc: Roman Gushchin <guro@fb.com>
+Cc: Spock <dairinin@gmail.com>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/vmscan.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -477,16 +477,6 @@ static unsigned long do_shrink_slab(stru
+ delta *= 4;
+ do_div(delta, shrinker->seeks);
+
+- /*
+- * Make sure we apply some minimal pressure on default priority
+- * even on small cgroups. Stale objects are not only consuming memory
+- * by themselves, but can also hold a reference to a dying cgroup,
+- * preventing it from being reclaimed. A dying cgroup with all
+- * corresponding structures like per-cpu stats and kmem caches
+- * can be really big, so it may lead to a significant waste of memory.
+- */
+- delta = max_t(unsigned long long, delta, min(freeable, batch_size));
+-
+ total_scan += delta;
+ if (total_scan < 0) {
+ pr_err("shrink_slab: %pF negative objects to delete nr=%ld\n",
--- /dev/null
+From 3bf6b57ec2ec945e5a6edf5c202a754f1e852ecd Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Thu, 14 Feb 2019 12:33:19 -0500
+Subject: Revert "nfsd4: return default lease period"
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit 3bf6b57ec2ec945e5a6edf5c202a754f1e852ecd upstream.
+
+This reverts commit d6ebf5088f09472c1136cd506bdc27034a6763f8.
+
+I forgot that the kernel's default lease period should never be
+decreased!
+
+After a kernel upgrade, the kernel has no way of knowing on its own what
+the previous lease time was. Unless userspace tells it otherwise, it
+will assume the previous lease period was the same.
+
+So if we decrease this value in a kernel upgrade, we end up enforcing a
+grace period that's too short, and clients will fail to reclaim state in
+time. Symptoms may include EIO and log messages like "NFS:
+nfs4_reclaim_open_state: Lock reclaim failed!"
+
+There was no real justification for the lease period decrease anyway.
+
+Reported-by: Donald Buczek <buczek@molgen.mpg.de>
+Fixes: d6ebf5088f09 "nfsd4: return default lease period"
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfsctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1239,8 +1239,8 @@ static __net_init int nfsd_init_net(stru
+ retval = nfsd_idmap_init(net);
+ if (retval)
+ goto out_idmap_error;
+- nn->nfsd4_lease = 45; /* default lease time */
+- nn->nfsd4_grace = 45;
++ nn->nfsd4_lease = 90; /* default lease time */
++ nn->nfsd4_grace = 90;
+ nn->somebody_reclaimed = false;
+ nn->clverifier_counter = prandom_u32();
+ nn->clientid_counter = prandom_u32();
--- /dev/null
+From e3613bb8afc2a9474c9214d65c8326c5ac02135e Mon Sep 17 00:00:00 2001
+From: Stefan O'Rear <sorear2@gmail.com>
+Date: Sun, 16 Dec 2018 13:03:36 -0500
+Subject: riscv: Add pte bit to distinguish swap from invalid
+
+From: Stefan O'Rear <sorear2@gmail.com>
+
+commit e3613bb8afc2a9474c9214d65c8326c5ac02135e upstream.
+
+Previously, invalid PTEs and swap PTEs had the same binary
+representation, causing errors when attempting to unmap PROT_NONE
+mappings, including implicit unmap on exit.
+
+Typical error:
+
+swap_info_get: Bad swap file entry 40000000007a9879
+BUG: Bad page map in process a.out pte:3d4c3cc0 pmd:3e521401
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefan O'Rear <sorear2@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/riscv/include/asm/pgtable-bits.h | 6 ++++++
+ arch/riscv/include/asm/pgtable.h | 8 ++++----
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/arch/riscv/include/asm/pgtable-bits.h
++++ b/arch/riscv/include/asm/pgtable-bits.h
+@@ -35,6 +35,12 @@
+ #define _PAGE_SPECIAL _PAGE_SOFT
+ #define _PAGE_TABLE _PAGE_PRESENT
+
++/*
++ * _PAGE_PROT_NONE is set on not-present pages (and ignored by the hardware) to
++ * distinguish them from swapped out pages
++ */
++#define _PAGE_PROT_NONE _PAGE_READ
++
+ #define _PAGE_PFN_SHIFT 10
+
+ /* Set of bits to preserve across pte_modify() */
+--- a/arch/riscv/include/asm/pgtable.h
++++ b/arch/riscv/include/asm/pgtable.h
+@@ -44,7 +44,7 @@
+ /* Page protection bits */
+ #define _PAGE_BASE (_PAGE_PRESENT | _PAGE_ACCESSED | _PAGE_USER)
+
+-#define PAGE_NONE __pgprot(0)
++#define PAGE_NONE __pgprot(_PAGE_PROT_NONE)
+ #define PAGE_READ __pgprot(_PAGE_BASE | _PAGE_READ)
+ #define PAGE_WRITE __pgprot(_PAGE_BASE | _PAGE_READ | _PAGE_WRITE)
+ #define PAGE_EXEC __pgprot(_PAGE_BASE | _PAGE_EXEC)
+@@ -98,7 +98,7 @@ extern unsigned long empty_zero_page[PAG
+
+ static inline int pmd_present(pmd_t pmd)
+ {
+- return (pmd_val(pmd) & _PAGE_PRESENT);
++ return (pmd_val(pmd) & (_PAGE_PRESENT | _PAGE_PROT_NONE));
+ }
+
+ static inline int pmd_none(pmd_t pmd)
+@@ -178,7 +178,7 @@ static inline pte_t *pte_offset_kernel(p
+
+ static inline int pte_present(pte_t pte)
+ {
+- return (pte_val(pte) & _PAGE_PRESENT);
++ return (pte_val(pte) & (_PAGE_PRESENT | _PAGE_PROT_NONE));
+ }
+
+ static inline int pte_none(pte_t pte)
+@@ -380,7 +380,7 @@ static inline int ptep_clear_flush_young
+ *
+ * Format of swap PTE:
+ * bit 0: _PAGE_PRESENT (zero)
+- * bit 1: reserved for future use (zero)
++ * bit 1: _PAGE_PROT_NONE (zero)
+ * bits 2 to 6: swap type
+ * bits 7 to XLEN-1: swap offset
+ */
--- /dev/null
+From 8f9aca0c45322a807a343fc32f95f2500f83b9ae Mon Sep 17 00:00:00 2001
+From: Harald Freudenberger <freude@linux.ibm.com>
+Date: Wed, 23 Jan 2019 13:41:35 +0100
+Subject: s390/zcrypt: fix specification exception on z196 during ap probe
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+commit 8f9aca0c45322a807a343fc32f95f2500f83b9ae upstream.
+
+The older machines don't have the QCI instruction available.
+With support for up to 256 crypto cards the probing of each
+card has been extended to check card ids from 0 up to 255.
+For machines with QCI support there is a filter limiting the
+range of probed cards. The older machines (z196 and older)
+don't have this filter and so since support for 256 cards is
+in the driver all cards are probed. However, these machines
+also require to have the card id fit into 6 bits. Exceeding
+this limit results in a specification exception which happens
+on every kernel startup even when there is no crypto configured
+and used at all.
+
+This fix limits the range of probed crypto cards to 64 if
+there is no QCI instruction available to obey to the older
+ap architecture and so fixes the specification exceptions
+on z196 machines.
+
+Cc: stable@vger.kernel.org # v4.17+
+Fixes: af4a72276d49 ("s390/zcrypt: Support up to 256 crypto adapters.")
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/crypto/ap_bus.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/s390/crypto/ap_bus.c
++++ b/drivers/s390/crypto/ap_bus.c
+@@ -249,7 +249,8 @@ static inline int ap_test_config(unsigne
+ static inline int ap_test_config_card_id(unsigned int id)
+ {
+ if (!ap_configuration) /* QCI not supported */
+- return 1;
++ /* only ids 0...3F may be probed */
++ return id < 0x40 ? 1 : 0;
+ return ap_test_config(ap_configuration->apm, id);
+ }
+
--- /dev/null
+From e4a056987c86f402f1286e050b1dee3f4ce7c7eb Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Tue, 12 Feb 2019 08:05:25 -0800
+Subject: scsi: sd: fix entropy gathering for most rotational disks
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit e4a056987c86f402f1286e050b1dee3f4ce7c7eb upstream.
+
+The problem is that the default for MQ is not to gather entropy, whereas
+the default for the legacy queue was always to gather it. The original
+attempt to fix entropy gathering for rotational disks under MQ added an
+else branch in sd_read_block_characteristics(). Unfortunately, the entire
+check isn't reached if the device has no characteristics VPD page. Since
+this page was only introduced in SBC-3 and its optional anyway, most less
+expensive rotational disks don't have one, meaning they all stopped
+gathering entropy when we made MQ the default. In a wholly unrelated
+change, openssl and openssh won't function until the random number
+generator is initialised, meaning lots of people have been seeing large
+delays before they could log into systems with default MQ kernels due to
+this lack of entropy, because it now can take tens of minutes to initialise
+the kernel random number generator.
+
+The fix is to set the non-rotational and add-randomness flags
+unconditionally early on in the disk initialization path, so they can be
+reset only if the device actually reports being non-rotational via the VPD
+page.
+
+Reported-by: Mikael Pettersson <mikpelinux@gmail.com>
+Fixes: 83e32a591077 ("scsi: sd: Contribute to randomness when running rotational device")
+Cc: stable@vger.kernel.org
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Reviewed-by: Jens Axboe <axboe@kernel.dk>
+Reviewed-by: Xuewei Zhang <xueweiz@google.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sd.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2970,9 +2970,6 @@ static void sd_read_block_characteristic
+ if (rot == 1) {
+ blk_queue_flag_set(QUEUE_FLAG_NONROT, q);
+ blk_queue_flag_clear(QUEUE_FLAG_ADD_RANDOM, q);
+- } else {
+- blk_queue_flag_clear(QUEUE_FLAG_NONROT, q);
+- blk_queue_flag_set(QUEUE_FLAG_ADD_RANDOM, q);
+ }
+
+ if (sdkp->device->type == TYPE_ZBC) {
+@@ -3109,6 +3106,15 @@ static int sd_revalidate_disk(struct gen
+ if (sdkp->media_present) {
+ sd_read_capacity(sdkp, buffer);
+
++ /*
++ * set the default to rotational. All non-rotational devices
++ * support the block characteristics VPD page, which will
++ * cause this to be updated correctly and any device which
++ * doesn't support it should be treated as rotational.
++ */
++ blk_queue_flag_clear(QUEUE_FLAG_NONROT, q);
++ blk_queue_flag_set(QUEUE_FLAG_ADD_RANDOM, q);
++
+ if (scsi_device_supports_vpd(sdp)) {
+ sd_read_block_provisioning(sdkp);
+ sd_read_block_limits(sdkp);
kvm-sev-fail-kvm_sev_init-if-already-initialized.patch
cifs-do-not-assume-one-credit-for-async-responses.patch
gpio-mxc-move-gpio-noirq-suspend-resume-to-syscore-p.patch
+revert-input-elan_i2c-add-acpi-id-for-touchpad-in-asus-aspire-f5-573g.patch
+input-elan_i2c-add-acpi-id-for-touchpad-in-lenovo-v330-15isk.patch
+arm-omap5-fix-inverted-nirq-pin-interrupts-with-irq_set_type.patch
+perf-core-fix-impossible-ring-buffer-sizes-warning.patch
+perf-x86-add-check_period-pmu-callback.patch
+alsa-hda-add-quirk-for-hp-elitebook-840-g5.patch
+alsa-usb-audio-fix-implicit-fb-endpoint-setup-by-quirk.patch
+asoc-hdmi-codec-fix-oops-on-re-probe.patch
+tools-uapi-fix-alpha-support.patch
+riscv-add-pte-bit-to-distinguish-swap-from-invalid.patch
+x86-kvm-nvmx-read-from-msr_ia32_vmx_procbased_ctls2-only-when-it-is-available.patch
+kvm-vmx-fix-entry-number-check-for-add_atomic_switch_msr.patch
+mmc-sunxi-filter-out-unsupported-modes-declared-in-the-device-tree.patch
+mmc-block-handle-complete_work-on-separate-workqueue.patch
+input-bma150-register-input-device-after-setting-private-data.patch
+input-elantech-enable-3rd-button-support-on-fujitsu-celsius-h780.patch
+revert-nfsd4-return-default-lease-period.patch
+revert-mm-don-t-reclaim-inodes-with-many-attached-pages.patch
+revert-mm-slowly-shrink-slabs-with-a-relatively-small-number-of-objects.patch
+alpha-fix-page-fault-handling-for-r16-r18-targets.patch
+alpha-fix-eiger-nr_irqs-to-128.patch
+s390-zcrypt-fix-specification-exception-on-z196-during-ap-probe.patch
+tracing-uprobes-fix-output-for-multiple-string-arguments.patch
+x86-platform-uv-use-efi_runtime_lock-to-serialise-bios-calls.patch
+scsi-sd-fix-entropy-gathering-for-most-rotational-disks.patch
+signal-restore-the-stop-ptrace_event_exit.patch
+md-raid1-don-t-clear-bitmap-bits-on-interrupted-recovery.patch
+x86-a.out-clear-the-dump-structure-initially.patch
+dm-crypt-don-t-overallocate-the-integrity-tag-space.patch
+dm-thin-fix-bug-where-bio-that-overwrites-thin-block-ignores-fua.patch
+drm-use-array_size-when-creating-lease.patch
+drm-vkms-fix-license-inconsistent.patch
+drm-i915-block-fbdev-hpd-processing-during-suspend.patch
+drm-i915-prevent-a-race-during-i915_gem_mmap-ioctl-with-wc-set.patch
+mm-proc-smaps_rollup-fix-pss_locked-calculation.patch
--- /dev/null
+From cf43a757fd49442bc38f76088b70c2299eed2c2f Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 11 Feb 2019 23:27:42 -0600
+Subject: signal: Restore the stop PTRACE_EVENT_EXIT
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit cf43a757fd49442bc38f76088b70c2299eed2c2f upstream.
+
+In the middle of do_exit() there is there is a call
+"ptrace_event(PTRACE_EVENT_EXIT, code);" That call places the process
+in TACKED_TRACED aka "(TASK_WAKEKILL | __TASK_TRACED)" and waits for
+for the debugger to release the task or SIGKILL to be delivered.
+
+Skipping past dequeue_signal when we know a fatal signal has already
+been delivered resulted in SIGKILL remaining pending and
+TIF_SIGPENDING remaining set. This in turn caused the
+scheduler to not sleep in PTACE_EVENT_EXIT as it figured
+a fatal signal was pending. This also caused ptrace_freeze_traced
+in ptrace_check_attach to fail because it left a per thread
+SIGKILL pending which is what fatal_signal_pending tests for.
+
+This difference in signal state caused strace to report
+strace: Exit of unknown pid NNNNN ignored
+
+Therefore update the signal handling state like dequeue_signal
+would when removing a per thread SIGKILL, by removing SIGKILL
+from the per thread signal mask and clearing TIF_SIGPENDING.
+
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Reported-by: Oleg Nesterov <oleg@redhat.com>
+Reported-by: Ivan Delalande <colona@arista.com>
+Cc: stable@vger.kernel.org
+Fixes: 35634ffa1751 ("signal: Always notice exiting tasks")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/signal.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2433,9 +2433,12 @@ relock:
+ }
+
+ /* Has this task already been marked for death? */
+- ksig->info.si_signo = signr = SIGKILL;
+- if (signal_group_exit(signal))
++ if (signal_group_exit(signal)) {
++ ksig->info.si_signo = signr = SIGKILL;
++ sigdelset(¤t->pending.signal, SIGKILL);
++ recalc_sigpending();
+ goto fatal;
++ }
+
+ for (;;) {
+ struct k_sigaction *ka;
--- /dev/null
+From 842fc0f5dc5c9f9bd91f891554996d903c40cf35 Mon Sep 17 00:00:00 2001
+From: Bob Tracy <rct@frus.com>
+Date: Mon, 21 Jan 2019 21:09:14 -0800
+Subject: tools uapi: fix Alpha support
+
+From: Bob Tracy <rct@frus.com>
+
+commit 842fc0f5dc5c9f9bd91f891554996d903c40cf35 upstream.
+
+Cc: stable@vger.kernel.org # v4.18+
+Signed-off-by: Bob Tracy <rct@frus.com>
+Signed-off-by: Matt Turner <mattst88@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/include/uapi/asm/bitsperlong.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/tools/include/uapi/asm/bitsperlong.h
++++ b/tools/include/uapi/asm/bitsperlong.h
+@@ -15,6 +15,8 @@
+ #include "../../arch/ia64/include/uapi/asm/bitsperlong.h"
+ #elif defined(__riscv)
+ #include "../../arch/riscv/include/uapi/asm/bitsperlong.h"
++#elif defined(__alpha__)
++#include "../../arch/alpha/include/uapi/asm/bitsperlong.h"
+ #else
+ #include <asm-generic/bitsperlong.h>
+ #endif
--- /dev/null
+From 0722069a5374b904ec1a67f91249f90e1cfae259 Mon Sep 17 00:00:00 2001
+From: Andreas Ziegler <andreas.ziegler@fau.de>
+Date: Wed, 16 Jan 2019 15:16:29 +0100
+Subject: tracing/uprobes: Fix output for multiple string arguments
+
+From: Andreas Ziegler <andreas.ziegler@fau.de>
+
+commit 0722069a5374b904ec1a67f91249f90e1cfae259 upstream.
+
+When printing multiple uprobe arguments as strings the output for the
+earlier arguments would also include all later string arguments.
+
+This is best explained in an example:
+
+Consider adding a uprobe to a function receiving two strings as
+parameters which is at offset 0xa0 in strlib.so and we want to print
+both parameters when the uprobe is hit (on x86_64):
+
+$ echo 'p:func /lib/strlib.so:0xa0 +0(%di):string +0(%si):string' > \
+ /sys/kernel/debug/tracing/uprobe_events
+
+When the function is called as func("foo", "bar") and we hit the probe,
+the trace file shows a line like the following:
+
+ [...] func: (0x7f7e683706a0) arg1="foobar" arg2="bar"
+
+Note the extra "bar" printed as part of arg1. This behaviour stacks up
+for additional string arguments.
+
+The strings are stored in a dynamically growing part of the uprobe
+buffer by fetch_store_string() after copying them from userspace via
+strncpy_from_user(). The return value of strncpy_from_user() is then
+directly used as the required size for the string. However, this does
+not take the terminating null byte into account as the documentation
+for strncpy_from_user() cleary states that it "[...] returns the
+length of the string (not including the trailing NUL)" even though the
+null byte will be copied to the destination.
+
+Therefore, subsequent calls to fetch_store_string() will overwrite
+the terminating null byte of the most recently fetched string with
+the first character of the current string, leading to the
+"accumulation" of strings in earlier arguments in the output.
+
+Fix this by incrementing the return value of strncpy_from_user() by
+one if we did not hit the maximum buffer size.
+
+Link: http://lkml.kernel.org/r/20190116141629.5752-1-andreas.ziegler@fau.de
+
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes")
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Andreas Ziegler <andreas.ziegler@fau.de>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_uprobe.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -141,7 +141,14 @@ static void FETCH_FUNC_NAME(memory, stri
+
+ ret = strncpy_from_user(dst, src, maxlen);
+ if (ret == maxlen)
+- dst[--ret] = '\0';
++ dst[ret - 1] = '\0';
++ else if (ret >= 0)
++ /*
++ * Include the terminating null byte. In this case it
++ * was copied by strncpy_from_user but not accounted
++ * for in ret.
++ */
++ ret++;
+
+ if (ret < 0) { /* Failed to fetch string */
+ ((u8 *)get_rloc_data(dest))[0] = '\0';
--- /dev/null
+From 10970e1b4be9c74fce8ab6e3c34a7d718f063f2c Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Tue, 12 Feb 2019 14:28:03 +0100
+Subject: x86/a.out: Clear the dump structure initially
+
+From: Borislav Petkov <bp@suse.de>
+
+commit 10970e1b4be9c74fce8ab6e3c34a7d718f063f2c upstream.
+
+dump_thread32() in aout_core_dump() does not clear the user32 structure
+allocated on the stack as the first thing on function entry.
+
+As a result, the dump.u_comm, dump.u_ar0 and dump.signal which get
+assigned before the clearing, get overwritten.
+
+Rename that function to fill_dump() to make it clear what it does and
+call it first thing.
+
+This was caught while staring at a patch by Derek Robson
+<robsonde@gmail.com>.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Derek Robson <robsonde@gmail.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michael Matz <matz@suse.de>
+Cc: x86@kernel.org
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20190202005512.3144-1-robsonde@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/ia32/ia32_aout.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/ia32/ia32_aout.c
++++ b/arch/x86/ia32/ia32_aout.c
+@@ -51,7 +51,7 @@ static unsigned long get_dr(int n)
+ /*
+ * fill in the user structure for a core dump..
+ */
+-static void dump_thread32(struct pt_regs *regs, struct user32 *dump)
++static void fill_dump(struct pt_regs *regs, struct user32 *dump)
+ {
+ u32 fs, gs;
+ memset(dump, 0, sizeof(*dump));
+@@ -157,10 +157,12 @@ static int aout_core_dump(struct coredum
+ fs = get_fs();
+ set_fs(KERNEL_DS);
+ has_dumped = 1;
++
++ fill_dump(cprm->regs, &dump);
++
+ strncpy(dump.u_comm, current->comm, sizeof(current->comm));
+ dump.u_ar0 = offsetof(struct user32, regs);
+ dump.signal = cprm->siginfo->si_signo;
+- dump_thread32(cprm->regs, &dump);
+
+ /*
+ * If the size of the dump file exceeds the rlimit, then see
--- /dev/null
+From 6b1971c694975e49af302229202c0043568b1791 Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Thu, 7 Feb 2019 11:42:14 +0100
+Subject: x86/kvm/nVMX: read from MSR_IA32_VMX_PROCBASED_CTLS2 only when it is available
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+commit 6b1971c694975e49af302229202c0043568b1791 upstream.
+
+SDM says MSR_IA32_VMX_PROCBASED_CTLS2 is only available "If
+(CPUID.01H:ECX.[5] && IA32_VMX_PROCBASED_CTLS[63])". It was found that
+some old cpus (namely "Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (family: 0x6,
+model: 0xf, stepping: 0x6") don't have it. Add the missing check.
+
+Reported-by: Zdenek Kaspar <zkaspar82@gmail.com>
+Tested-by: Zdenek Kaspar <zkaspar82@gmail.com>
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -3601,9 +3601,11 @@ static void nested_vmx_setup_ctls_msrs(s
+ * secondary cpu-based controls. Do not include those that
+ * depend on CPUID bits, they are added later by vmx_cpuid_update.
+ */
+- rdmsr(MSR_IA32_VMX_PROCBASED_CTLS2,
+- msrs->secondary_ctls_low,
+- msrs->secondary_ctls_high);
++ if (msrs->procbased_ctls_high & CPU_BASED_ACTIVATE_SECONDARY_CONTROLS)
++ rdmsr(MSR_IA32_VMX_PROCBASED_CTLS2,
++ msrs->secondary_ctls_low,
++ msrs->secondary_ctls_high);
++
+ msrs->secondary_ctls_low = 0;
+ msrs->secondary_ctls_high &=
+ SECONDARY_EXEC_DESC |
--- /dev/null
+From f331e766c4be33f4338574f3c9f7f77e98ab4571 Mon Sep 17 00:00:00 2001
+From: Hedi Berriche <hedi.berriche@hpe.com>
+Date: Wed, 13 Feb 2019 19:34:13 +0000
+Subject: x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls
+
+From: Hedi Berriche <hedi.berriche@hpe.com>
+
+commit f331e766c4be33f4338574f3c9f7f77e98ab4571 upstream.
+
+Calls into UV firmware must be protected against concurrency, expose the
+efi_runtime_lock to the UV platform, and use it to serialise UV BIOS
+calls.
+
+Signed-off-by: Hedi Berriche <hedi.berriche@hpe.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reviewed-by: Russ Anderson <rja@hpe.com>
+Reviewed-by: Dimitri Sivanich <sivanich@hpe.com>
+Reviewed-by: Mike Travis <mike.travis@hpe.com>
+Cc: Andy Shevchenko <andy@infradead.org>
+Cc: Bhupesh Sharma <bhsharma@redhat.com>
+Cc: Darren Hart <dvhart@infradead.org>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: linux-efi <linux-efi@vger.kernel.org>
+Cc: platform-driver-x86@vger.kernel.org
+Cc: stable@vger.kernel.org # v4.9+
+Cc: Steve Wahl <steve.wahl@hpe.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20190213193413.25560-5-hedi.berriche@hpe.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/uv/bios.h | 8 +++++++-
+ arch/x86/platform/uv/bios_uv.c | 23 +++++++++++++++++++++--
+ drivers/firmware/efi/runtime-wrappers.c | 7 +++++++
+ 3 files changed, 35 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/uv/bios.h
++++ b/arch/x86/include/asm/uv/bios.h
+@@ -48,7 +48,8 @@ enum {
+ BIOS_STATUS_SUCCESS = 0,
+ BIOS_STATUS_UNIMPLEMENTED = -ENOSYS,
+ BIOS_STATUS_EINVAL = -EINVAL,
+- BIOS_STATUS_UNAVAIL = -EBUSY
++ BIOS_STATUS_UNAVAIL = -EBUSY,
++ BIOS_STATUS_ABORT = -EINTR,
+ };
+
+ /* Address map parameters */
+@@ -167,4 +168,9 @@ extern long system_serial_number;
+
+ extern struct kobject *sgi_uv_kobj; /* /sys/firmware/sgi_uv */
+
++/*
++ * EFI runtime lock; cf. firmware/efi/runtime-wrappers.c for details
++ */
++extern struct semaphore __efi_uv_runtime_lock;
++
+ #endif /* _ASM_X86_UV_BIOS_H */
+--- a/arch/x86/platform/uv/bios_uv.c
++++ b/arch/x86/platform/uv/bios_uv.c
+@@ -29,7 +29,8 @@
+
+ struct uv_systab *uv_systab;
+
+-s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5)
++static s64 __uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3,
++ u64 a4, u64 a5)
+ {
+ struct uv_systab *tab = uv_systab;
+ s64 ret;
+@@ -51,6 +52,19 @@ s64 uv_bios_call(enum uv_bios_cmd which,
+
+ return ret;
+ }
++
++s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5)
++{
++ s64 ret;
++
++ if (down_interruptible(&__efi_uv_runtime_lock))
++ return BIOS_STATUS_ABORT;
++
++ ret = __uv_bios_call(which, a1, a2, a3, a4, a5);
++ up(&__efi_uv_runtime_lock);
++
++ return ret;
++}
+ EXPORT_SYMBOL_GPL(uv_bios_call);
+
+ s64 uv_bios_call_irqsave(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3,
+@@ -59,10 +73,15 @@ s64 uv_bios_call_irqsave(enum uv_bios_cm
+ unsigned long bios_flags;
+ s64 ret;
+
++ if (down_interruptible(&__efi_uv_runtime_lock))
++ return BIOS_STATUS_ABORT;
++
+ local_irq_save(bios_flags);
+- ret = uv_bios_call(which, a1, a2, a3, a4, a5);
++ ret = __uv_bios_call(which, a1, a2, a3, a4, a5);
+ local_irq_restore(bios_flags);
+
++ up(&__efi_uv_runtime_lock);
++
+ return ret;
+ }
+
+--- a/drivers/firmware/efi/runtime-wrappers.c
++++ b/drivers/firmware/efi/runtime-wrappers.c
+@@ -173,6 +173,13 @@ void efi_call_virt_check_flags(unsigned
+ static DEFINE_SEMAPHORE(efi_runtime_lock);
+
+ /*
++ * Expose the EFI runtime lock to the UV platform
++ */
++#ifdef CONFIG_X86_UV
++extern struct semaphore __efi_uv_runtime_lock __alias(efi_runtime_lock);
++#endif
++
++/*
+ * Calls the appropriate efi_runtime_service() with the appropriate
+ * arguments.
+ *
projects / thirdparty / kernel / stable-queue.git / commitdiff
