--- /dev/null
+From 7b0eb6b41a08fa1fa0d04b1c53becd62b5fbfaee Mon Sep 17 00:00:00 2001
+From: Johannes Weiner <hannes@cmpxchg.org>
+Date: Mon, 23 Jul 2018 10:18:23 -0400
+Subject: arm64: fix vmemmap BUILD_BUG_ON() triggering on !vmemmap setups
+
+From: Johannes Weiner <hannes@cmpxchg.org>
+
+commit 7b0eb6b41a08fa1fa0d04b1c53becd62b5fbfaee upstream.
+
+Arnd reports the following arm64 randconfig build error with the PSI
+patches that add another page flag:
+
+ /git/arm-soc/arch/arm64/mm/init.c: In function 'mem_init':
+ /git/arm-soc/include/linux/compiler.h:357:38: error: call to
+ '__compiletime_assert_618' declared with attribute error: BUILD_BUG_ON
+ failed: sizeof(struct page) > (1 << STRUCT_PAGE_MAX_SHIFT)
+
+The additional page flag causes other information stored in
+page->flags to get bumped into their own struct page member:
+
+ #if SECTIONS_WIDTH+ZONES_WIDTH+NODES_SHIFT+LAST_CPUPID_SHIFT <=
+ BITS_PER_LONG - NR_PAGEFLAGS
+ #define LAST_CPUPID_WIDTH LAST_CPUPID_SHIFT
+ #else
+ #define LAST_CPUPID_WIDTH 0
+ #endif
+
+ #if defined(CONFIG_NUMA_BALANCING) && LAST_CPUPID_WIDTH == 0
+ #define LAST_CPUPID_NOT_IN_PAGE_FLAGS
+ #endif
+
+which in turn causes the struct page size to exceed the size set in
+STRUCT_PAGE_MAX_SHIFT. This value is an an estimate used to size the
+VMEMMAP page array according to address space and struct page size.
+
+However, the check is performed - and triggers here - on a !VMEMMAP
+config, which consumes an additional 22 page bits for the sparse
+section id. When VMEMMAP is enabled, those bits are returned, cpupid
+doesn't need its own member, and the page passes the VMEMMAP check.
+
+Restrict that check to the situation it was meant to check: that we
+are sizing the VMEMMAP page array correctly.
+
+Says Arnd:
+
+ Further experiments show that the build error already existed before,
+ but was only triggered with larger values of CONFIG_NR_CPU and/or
+ CONFIG_NODES_SHIFT that might be used in actual configurations but
+ not in randconfig builds.
+
+ With longer CPU and node masks, I could recreate the problem with
+ kernels as old as linux-4.7 when arm64 NUMA support got added.
+
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Tested-by: Arnd Bergmann <arnd@arndb.de>
+Cc: stable@vger.kernel.org
+Fixes: 1a2db300348b ("arm64, numa: Add NUMA support for arm64 platforms.")
+Fixes: 3e1907d5bf5a ("arm64: mm: move vmemmap region right below the linear region")
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/mm/init.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/mm/init.c
++++ b/arch/arm64/mm/init.c
+@@ -651,11 +651,13 @@ void __init mem_init(void)
+ BUILD_BUG_ON(TASK_SIZE_32 > TASK_SIZE_64);
+ #endif
+
++#ifdef CONFIG_SPARSEMEM_VMEMMAP
+ /*
+ * Make sure we chose the upper bound of sizeof(struct page)
+- * correctly.
++ * correctly when sizing the VMEMMAP array.
+ */
+ BUILD_BUG_ON(sizeof(struct page) > (1 << STRUCT_PAGE_MAX_SHIFT));
++#endif
+
+ if (PAGE_SIZE >= 16384 && get_num_physpages() <= 128) {
+ extern int sysctl_overcommit_memory;
--- /dev/null
+From b512719f771a82180211c9a315b8a7f628832b3d Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Thu, 26 Jul 2018 16:37:08 -0700
+Subject: delayacct: fix crash in delayacct_blkio_end() after delayacct init failure
+
+From: Tejun Heo <tj@kernel.org>
+
+commit b512719f771a82180211c9a315b8a7f628832b3d upstream.
+
+While forking, if delayacct init fails due to memory shortage, it
+continues expecting all delayacct users to check task->delays pointer
+against NULL before dereferencing it, which all of them used to do.
+
+Commit c96f5471ce7d ("delayacct: Account blkio completion on the correct
+task"), while updating delayacct_blkio_end() to take the target task
+instead of always using %current, made the function test NULL on
+%current->delays and then continue to operated on @p->delays. If
+%current succeeded init while @p didn't, it leads to the following
+crash.
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
+ IP: __delayacct_blkio_end+0xc/0x40
+ PGD 8000001fd07e1067 P4D 8000001fd07e1067 PUD 1fcffbb067 PMD 0
+ Oops: 0000 [#1] SMP PTI
+ CPU: 4 PID: 25774 Comm: QIOThread0 Not tainted 4.16.0-9_fbk1_rc2_1180_g6b593215b4d7 #9
+ RIP: 0010:__delayacct_blkio_end+0xc/0x40
+ Call Trace:
+ try_to_wake_up+0x2c0/0x600
+ autoremove_wake_function+0xe/0x30
+ __wake_up_common+0x74/0x120
+ wake_up_page_bit+0x9c/0xe0
+ mpage_end_io+0x27/0x70
+ blk_update_request+0x78/0x2c0
+ scsi_end_request+0x2c/0x1e0
+ scsi_io_completion+0x20b/0x5f0
+ blk_mq_complete_request+0xa2/0x100
+ ata_scsi_qc_complete+0x79/0x400
+ ata_qc_complete_multiple+0x86/0xd0
+ ahci_handle_port_interrupt+0xc9/0x5c0
+ ahci_handle_port_intr+0x54/0xb0
+ ahci_single_level_irq_intr+0x3b/0x60
+ __handle_irq_event_percpu+0x43/0x190
+ handle_irq_event_percpu+0x20/0x50
+ handle_irq_event+0x2a/0x50
+ handle_edge_irq+0x80/0x1c0
+ handle_irq+0xaf/0x120
+ do_IRQ+0x41/0xc0
+ common_interrupt+0xf/0xf
+
+Fix it by updating delayacct_blkio_end() check @p->delays instead.
+
+Link: http://lkml.kernel.org/r/20180724175542.GP1934745@devbig577.frc2.facebook.com
+Fixes: c96f5471ce7d ("delayacct: Account blkio completion on the correct task")
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Dave Jones <dsj@fb.com>
+Debugged-by: Dave Jones <dsj@fb.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Josh Snyder <joshs@netflix.com>
+Cc: <stable@vger.kernel.org> [4.15+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/delayacct.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/delayacct.h
++++ b/include/linux/delayacct.h
+@@ -124,7 +124,7 @@ static inline void delayacct_blkio_start
+
+ static inline void delayacct_blkio_end(struct task_struct *p)
+ {
+- if (current->delays)
++ if (p->delays)
+ __delayacct_blkio_end(p);
+ delayacct_clear_flag(DELAYACCT_PF_BLKIO);
+ }
--- /dev/null
+From 0ca9488193e61ec5f31a631d8147f74525629e8a Mon Sep 17 00:00:00 2001
+From: Clint Taylor <clinton.a.taylor@intel.com>
+Date: Tue, 10 Jul 2018 13:02:05 -0700
+Subject: drm/i915/glk: Add Quirk for GLK NUC HDMI port issues.
+
+From: Clint Taylor <clinton.a.taylor@intel.com>
+
+commit 0ca9488193e61ec5f31a631d8147f74525629e8a upstream.
+
+On GLK NUC platforms the HDMI retiming buffer needs additional disabled
+time to correctly sync to a faster incoming signal.
+
+When measured on a scope the highspeed lines of the HDMI clock turn off
+ for ~400uS during a normal resolution change. The HDMI retimer on the
+ GLK NUC appears to require at least a full frame of quiet time before a
+new faster clock can be correctly sync'd. Wait 100ms due to msleep
+inaccuracies while waiting for a completed frame. Add a quirk to the
+driver for GLK boards that use ITE66317 HDMI retimers.
+
+V2: Add more devices to the quirk list
+V3: Delay increased to 100ms, check to confirm crtc type is HDMI.
+V4: crtc type check extended to include _DDI and whitespace fixes
+v5: Fix white spaces, remove the macro for delay. Revert the crtc type
+ check introduced in v4.
+
+Cc: Imre Deak <imre.deak@intel.com>
+Cc: <stable@vger.kernel.org> # v4.14+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105887
+Signed-off-by: Clint Taylor <clinton.a.taylor@intel.com>
+Tested-by: Daniel Scheller <d.scheller.oss@gmail.com>
+Signed-off-by: Radhakrishna Sripada <radhakrishna.sripada@intel.com>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Reviewed-by: Imre Deak <imre.deak@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180710200205.1478-1-radhakrishna.sripada@intel.com
+(cherry picked from commit 90c3e2198777aaa355b6994a31a79c636c8d4306)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_drv.h | 1 +
+ drivers/gpu/drm/i915/intel_ddi.c | 13 +++++++++++--
+ drivers/gpu/drm/i915/intel_display.c | 21 ++++++++++++++++++++-
+ drivers/gpu/drm/i915/intel_drv.h | 3 +--
+ 4 files changed, 33 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_drv.h
++++ b/drivers/gpu/drm/i915/i915_drv.h
+@@ -1183,6 +1183,7 @@ enum intel_sbi_destination {
+ #define QUIRK_BACKLIGHT_PRESENT (1<<3)
+ #define QUIRK_PIN_SWIZZLED_PAGES (1<<5)
+ #define QUIRK_INCREASE_T12_DELAY (1<<6)
++#define QUIRK_INCREASE_DDI_DISABLED_TIME (1<<7)
+
+ struct intel_fbdev;
+ struct intel_fbc_work;
+--- a/drivers/gpu/drm/i915/intel_ddi.c
++++ b/drivers/gpu/drm/i915/intel_ddi.c
+@@ -1522,15 +1522,24 @@ void intel_ddi_enable_transcoder_func(co
+ I915_WRITE(TRANS_DDI_FUNC_CTL(cpu_transcoder), temp);
+ }
+
+-void intel_ddi_disable_transcoder_func(struct drm_i915_private *dev_priv,
+- enum transcoder cpu_transcoder)
++void intel_ddi_disable_transcoder_func(const struct intel_crtc_state *crtc_state)
+ {
++ struct intel_crtc *crtc = to_intel_crtc(crtc_state->base.crtc);
++ struct drm_i915_private *dev_priv = to_i915(crtc->base.dev);
++ enum transcoder cpu_transcoder = crtc_state->cpu_transcoder;
+ i915_reg_t reg = TRANS_DDI_FUNC_CTL(cpu_transcoder);
+ uint32_t val = I915_READ(reg);
+
+ val &= ~(TRANS_DDI_FUNC_ENABLE | TRANS_DDI_PORT_MASK | TRANS_DDI_DP_VC_PAYLOAD_ALLOC);
+ val |= TRANS_DDI_PORT_NONE;
+ I915_WRITE(reg, val);
++
++ if (dev_priv->quirks & QUIRK_INCREASE_DDI_DISABLED_TIME &&
++ intel_crtc_has_type(crtc_state, INTEL_OUTPUT_HDMI)) {
++ DRM_DEBUG_KMS("Quirk Increase DDI disabled time\n");
++ /* Quirk time at 100ms for reliable operation */
++ msleep(100);
++ }
+ }
+
+ bool intel_ddi_connector_get_hw_state(struct intel_connector *intel_connector)
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -5653,7 +5653,7 @@ static void haswell_crtc_disable(struct
+ intel_ddi_set_vc_payload_alloc(intel_crtc->config, false);
+
+ if (!transcoder_is_dsi(cpu_transcoder))
+- intel_ddi_disable_transcoder_func(dev_priv, cpu_transcoder);
++ intel_ddi_disable_transcoder_func(old_crtc_state);
+
+ if (INTEL_GEN(dev_priv) >= 9)
+ skylake_scaler_disable(intel_crtc);
+@@ -14286,6 +14286,18 @@ static void quirk_increase_t12_delay(str
+ DRM_INFO("Applying T12 delay quirk\n");
+ }
+
++/*
++ * GeminiLake NUC HDMI outputs require additional off time
++ * this allows the onboard retimer to correctly sync to signal
++ */
++static void quirk_increase_ddi_disabled_time(struct drm_device *dev)
++{
++ struct drm_i915_private *dev_priv = to_i915(dev);
++
++ dev_priv->quirks |= QUIRK_INCREASE_DDI_DISABLED_TIME;
++ DRM_INFO("Applying Increase DDI Disabled quirk\n");
++}
++
+ struct intel_quirk {
+ int device;
+ int subsystem_vendor;
+@@ -14372,6 +14384,13 @@ static struct intel_quirk intel_quirks[]
+
+ /* Toshiba Satellite P50-C-18C */
+ { 0x191B, 0x1179, 0xF840, quirk_increase_t12_delay },
++
++ /* GeminiLake NUC */
++ { 0x3185, 0x8086, 0x2072, quirk_increase_ddi_disabled_time },
++ { 0x3184, 0x8086, 0x2072, quirk_increase_ddi_disabled_time },
++ /* ASRock ITX*/
++ { 0x3185, 0x1849, 0x2212, quirk_increase_ddi_disabled_time },
++ { 0x3184, 0x1849, 0x2212, quirk_increase_ddi_disabled_time },
+ };
+
+ static void intel_init_quirks(struct drm_device *dev)
+--- a/drivers/gpu/drm/i915/intel_drv.h
++++ b/drivers/gpu/drm/i915/intel_drv.h
+@@ -1254,8 +1254,7 @@ void intel_ddi_init(struct drm_i915_priv
+ enum port intel_ddi_get_encoder_port(struct intel_encoder *intel_encoder);
+ bool intel_ddi_get_hw_state(struct intel_encoder *encoder, enum pipe *pipe);
+ void intel_ddi_enable_transcoder_func(const struct intel_crtc_state *crtc_state);
+-void intel_ddi_disable_transcoder_func(struct drm_i915_private *dev_priv,
+- enum transcoder cpu_transcoder);
++void intel_ddi_disable_transcoder_func(const struct intel_crtc_state *crtc_state);
+ void intel_ddi_enable_pipe_clock(const struct intel_crtc_state *crtc_state);
+ void intel_ddi_disable_pipe_clock(const struct intel_crtc_state *crtc_state);
+ struct intel_encoder *
--- /dev/null
+From 938f45008d8bc391593c97508bc798cc95a52b9b Mon Sep 17 00:00:00 2001
+From: Donald Shanty III <dshanty@protonmail.com>
+Date: Wed, 4 Jul 2018 15:50:47 +0000
+Subject: Input: elan_i2c - add ACPI ID for lenovo ideapad 330
+
+From: Donald Shanty III <dshanty@protonmail.com>
+
+commit 938f45008d8bc391593c97508bc798cc95a52b9b upstream.
+
+This allows Elan driver to bind to the touchpad found in Lenovo Ideapad 330
+series laptops.
+
+Signed-off-by: Donald Shanty III <dshanty@protonmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1262,6 +1262,7 @@ static const struct acpi_device_id elan_
+ { "ELAN0611", 0 },
+ { "ELAN0612", 0 },
+ { "ELAN0618", 0 },
++ { "ELAN061D", 0 },
+ { "ELAN1000", 0 },
+ { }
+ };
--- /dev/null
+From 6f88a6439da5d94de334a341503bc2c7f4a7ea7f Mon Sep 17 00:00:00 2001
+From: KT Liao <kt.liao@emc.com.tw>
+Date: Mon, 16 Jul 2018 12:10:03 +0000
+Subject: Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST
+
+From: KT Liao <kt.liao@emc.com.tw>
+
+commit 6f88a6439da5d94de334a341503bc2c7f4a7ea7f upstream.
+
+Add ELAN0622 to ACPI mapping table to support Elan touchpad found in
+Ideapad 330-15AST.
+
+Signed-off-by: KT Liao <kt.liao@emc.com.tw>
+Reported-by: Anant Shende <anantshende@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1263,6 +1263,7 @@ static const struct acpi_device_id elan_
+ { "ELAN0612", 0 },
+ { "ELAN0618", 0 },
+ { "ELAN061D", 0 },
++ { "ELAN0622", 0 },
+ { "ELAN1000", 0 },
+ { }
+ };
--- /dev/null
+From 384cf4285b34e08917e3e66603382f2b0c4f6e1b Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Wed, 18 Jul 2018 17:24:35 +0000
+Subject: Input: i8042 - add Lenovo LaVie Z to the i8042 reset list
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+commit 384cf4285b34e08917e3e66603382f2b0c4f6e1b upstream.
+
+The Lenovo LaVie Z laptop requires i8042 to be reset in order to
+consistently detect its Elantech touchpad. The nomux and kbdreset
+quirks are not sufficient.
+
+It's possible the other LaVie Z models from NEC require this as well.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -527,6 +527,13 @@ static const struct dmi_system_id __init
+ DMI_MATCH(DMI_PRODUCT_NAME, "N24_25BU"),
+ },
+ },
++ {
++ /* Lenovo LaVie Z */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo LaVie Z"),
++ },
++ },
+ { }
+ };
+
--- /dev/null
+From 3e536e222f2930534c252c1cc7ae799c725c5ff9 Mon Sep 17 00:00:00 2001
+From: Snild Dolkow <snild@sony.com>
+Date: Thu, 26 Jul 2018 09:15:39 +0200
+Subject: kthread, tracing: Don't expose half-written comm when creating kthreads
+
+From: Snild Dolkow <snild@sony.com>
+
+commit 3e536e222f2930534c252c1cc7ae799c725c5ff9 upstream.
+
+There is a window for racing when printing directly to task->comm,
+allowing other threads to see a non-terminated string. The vsnprintf
+function fills the buffer, counts the truncated chars, then finally
+writes the \0 at the end.
+
+ creator other
+ vsnprintf:
+ fill (not terminated)
+ count the rest trace_sched_waking(p):
+ ... memcpy(comm, p->comm, TASK_COMM_LEN)
+ write \0
+
+The consequences depend on how 'other' uses the string. In our case,
+it was copied into the tracing system's saved cmdlines, a buffer of
+adjacent TASK_COMM_LEN-byte buffers (note the 'n' where 0 should be):
+
+ crash-arm64> x/1024s savedcmd->saved_cmdlines | grep 'evenk'
+ 0xffffffd5b3818640: "irq/497-pwr_evenkworker/u16:12"
+
+...and a strcpy out of there would cause stack corruption:
+
+ [224761.522292] Kernel panic - not syncing: stack-protector:
+ Kernel stack is corrupted in: ffffff9bf9783c78
+
+ crash-arm64> kbt | grep 'comm\|trace_print_context'
+ #6 0xffffff9bf9783c78 in trace_print_context+0x18c(+396)
+ comm (char [16]) = "irq/497-pwr_even"
+
+ crash-arm64> rd 0xffffffd4d0e17d14 8
+ ffffffd4d0e17d14: 2f71726900000000 5f7277702d373934 ....irq/497-pwr_
+ ffffffd4d0e17d24: 726f776b6e657665 3a3631752f72656b evenkworker/u16:
+ ffffffd4d0e17d34: f9780248ff003231 cede60e0ffffff9b 12..H.x......`..
+ ffffffd4d0e17d44: cede60c8ffffffd4 00000fffffffffd4 .....`..........
+
+The workaround in e09e28671 (use strlcpy in __trace_find_cmdline) was
+likely needed because of this same bug.
+
+Solved by vsnprintf:ing to a local buffer, then using set_task_comm().
+This way, there won't be a window where comm is not terminated.
+
+Link: http://lkml.kernel.org/r/20180726071539.188015-1-snild@sony.com
+
+Cc: stable@vger.kernel.org
+Fixes: bc0c38d139ec7 ("ftrace: latency tracer infrastructure")
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Snild Dolkow <snild@sony.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/kthread.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/kernel/kthread.c
++++ b/kernel/kthread.c
+@@ -311,8 +311,14 @@ struct task_struct *__kthread_create_on_
+ task = create->result;
+ if (!IS_ERR(task)) {
+ static const struct sched_param param = { .sched_priority = 0 };
++ char name[TASK_COMM_LEN];
+
+- vsnprintf(task->comm, sizeof(task->comm), namefmt, args);
++ /*
++ * task is already visible to other tasks, so updating
++ * COMM must be protected.
++ */
++ vsnprintf(name, sizeof(name), namefmt, args);
++ set_task_comm(task, name);
+ /*
+ * root may have changed our (kthreadd's) priority or CPU mask.
+ * The kernel thread should not inherit these properties.
--- /dev/null
+From d97e5e6160c0e0a23963ec198c7cb1c69e6bf9e8 Mon Sep 17 00:00:00 2001
+From: Shakeel Butt <shakeelb@google.com>
+Date: Thu, 26 Jul 2018 16:37:45 -0700
+Subject: kvm, mm: account shadow page tables to kmemcg
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shakeel Butt <shakeelb@google.com>
+
+commit d97e5e6160c0e0a23963ec198c7cb1c69e6bf9e8 upstream.
+
+The size of kvm's shadow page tables corresponds to the size of the
+guest virtual machines on the system. Large VMs can spend a significant
+amount of memory as shadow page tables which can not be left as system
+memory overhead. So, account shadow page tables to the kmemcg.
+
+[shakeelb@google.com: replace (GFP_KERNEL|__GFP_ACCOUNT) with GFP_KERNEL_ACCOUNT]
+ Link: http://lkml.kernel.org/r/20180629140224.205849-1-shakeelb@google.com
+Link: http://lkml.kernel.org/r/20180627181349.149778-1-shakeelb@google.com
+Signed-off-by: Shakeel Butt <shakeelb@google.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Greg Thelen <gthelen@google.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Peter Feiner <pfeiner@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/mmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -890,7 +890,7 @@ static int mmu_topup_memory_cache_page(s
+ if (cache->nobjs >= min)
+ return 0;
+ while (cache->nobjs < ARRAY_SIZE(cache->objects)) {
+- page = (void *)__get_free_page(GFP_KERNEL);
++ page = (void *)__get_free_page(GFP_KERNEL_ACCOUNT);
+ if (!page)
+ return -ENOMEM;
+ cache->objects[cache->nobjs++] = page;
ib-srpt-fix-an-out-of-bounds-stack-access-in-srpt_zerolength_write.patch
drivers-infiniband-ulp-srpt-ib_srpt.c-fix-build-with-gcc-4.4.4.patch
spi-spi-s3c64xx-fix-system-resume-support.patch
+input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330.patch
+input-i8042-add-lenovo-lavie-z-to-the-i8042-reset-list.patch
+input-elan_i2c-add-another-acpi-id-for-lenovo-ideapad-330-15ast.patch
+kvm-mm-account-shadow-page-tables-to-kmemcg.patch
+delayacct-fix-crash-in-delayacct_blkio_end-after-delayacct-init-failure.patch
+tracing-fix-double-free-of-event_trigger_data.patch
+tracing-fix-possible-double-free-in-event_enable_trigger_func.patch
+kthread-tracing-don-t-expose-half-written-comm-when-creating-kthreads.patch
+tracing-kprobes-fix-trace_probe-flags-on-enable_trace_kprobe-failure.patch
+tracing-quiet-gcc-warning-about-maybe-unused-link-variable.patch
+arm64-fix-vmemmap-build_bug_on-triggering-on-vmemmap-setups.patch
+drm-i915-glk-add-quirk-for-glk-nuc-hdmi-port-issues.patch
--- /dev/null
+From 1863c387259b629e4ebfb255495f67cd06aa229b Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Tue, 24 Jul 2018 19:13:31 -0400
+Subject: tracing: Fix double free of event_trigger_data
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 1863c387259b629e4ebfb255495f67cd06aa229b upstream.
+
+Running the following:
+
+ # cd /sys/kernel/debug/tracing
+ # echo 500000 > buffer_size_kb
+[ Or some other number that takes up most of memory ]
+ # echo snapshot > events/sched/sched_switch/trigger
+
+Triggers the following bug:
+
+ ------------[ cut here ]------------
+ kernel BUG at mm/slub.c:296!
+ invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
+ CPU: 6 PID: 6878 Comm: bash Not tainted 4.18.0-rc6-test+ #1066
+ Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v03.03 07/14/2016
+ RIP: 0010:kfree+0x16c/0x180
+ Code: 05 41 0f b6 72 51 5b 5d 41 5c 4c 89 d7 e9 ac b3 f8 ff 48 89 d9 48 89 da 41 b8 01 00 00 00 5b 5d 41 5c 4c 89 d6 e9 f4 f3 ff ff <0f> 0b 0f 0b 48 8b 3d d9 d8 f9 00 e9 c1 fe ff ff 0f 1f 40 00 0f 1f
+ RSP: 0018:ffffb654436d3d88 EFLAGS: 00010246
+ RAX: ffff91a9d50f3d80 RBX: ffff91a9d50f3d80 RCX: ffff91a9d50f3d80
+ RDX: 00000000000006a4 RSI: ffff91a9de5a60e0 RDI: ffff91a9d9803500
+ RBP: ffffffff8d267c80 R08: 00000000000260e0 R09: ffffffff8c1a56be
+ R10: fffff0d404543cc0 R11: 0000000000000389 R12: ffffffff8c1a56be
+ R13: ffff91a9d9930e18 R14: ffff91a98c0c2890 R15: ffffffff8d267d00
+ FS: 00007f363ea64700(0000) GS:ffff91a9de580000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000055c1cacc8e10 CR3: 00000000d9b46003 CR4: 00000000001606e0
+ Call Trace:
+ event_trigger_callback+0xee/0x1d0
+ event_trigger_write+0xfc/0x1a0
+ __vfs_write+0x33/0x190
+ ? handle_mm_fault+0x115/0x230
+ ? _cond_resched+0x16/0x40
+ vfs_write+0xb0/0x190
+ ksys_write+0x52/0xc0
+ do_syscall_64+0x5a/0x160
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7f363e16ab50
+ Code: 73 01 c3 48 8b 0d 38 83 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 79 db 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 1e e3 01 00 48 89 04 24
+ RSP: 002b:00007fff9a4c6378 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+ RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f363e16ab50
+ RDX: 0000000000000009 RSI: 000055c1cacc8e10 RDI: 0000000000000001
+ RBP: 000055c1cacc8e10 R08: 00007f363e435740 R09: 00007f363ea64700
+ R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000009
+ R13: 0000000000000001 R14: 00007f363e4345e0 R15: 00007f363e4303c0
+ Modules linked in: ip6table_filter ip6_tables snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_seq snd_seq_device i915 snd_pcm snd_timer i2c_i801 snd soundcore i2c_algo_bit drm_kms_helper
+86_pkg_temp_thermal video kvm_intel kvm irqbypass wmi e1000e
+ ---[ end trace d301afa879ddfa25 ]---
+
+The cause is because the register_snapshot_trigger() call failed to
+allocate the snapshot buffer, and then called unregister_trigger()
+which freed the data that was passed to it. Then on return to the
+function that called register_snapshot_trigger(), as it sees it
+failed to register, it frees the trigger_data again and causes
+a double free.
+
+By calling event_trigger_init() on the trigger_data (which only ups
+the reference counter for it), and then event_trigger_free() afterward,
+the trigger_data would not get freed by the registering trigger function
+as it would only up and lower the ref count for it. If the register
+trigger function fails, then the event_trigger_free() called after it
+will free the trigger data normally.
+
+Link: http://lkml.kernel.org/r/20180724191331.738eb819@gandalf.local.home
+
+Cc: stable@vger.kerne.org
+Fixes: 93e31ffbf417 ("tracing: Add 'snapshot' event trigger command")
+Reported-by: Masami Hiramatsu <mhiramat@kernel.org>
+Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_trigger.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -680,6 +680,8 @@ event_trigger_callback(struct event_comm
+ goto out_free;
+
+ out_reg:
++ /* Up the trigger_data count to make sure reg doesn't free it on failure */
++ event_trigger_init(trigger_ops, trigger_data);
+ ret = cmd_ops->reg(glob, trigger_ops, trigger_data, file);
+ /*
+ * The above returns on success the # of functions enabled,
+@@ -687,11 +689,13 @@ event_trigger_callback(struct event_comm
+ * Consider no functions a failure too.
+ */
+ if (!ret) {
++ cmd_ops->unreg(glob, trigger_ops, trigger_data, file);
+ ret = -ENOENT;
+- goto out_free;
+- } else if (ret < 0)
+- goto out_free;
+- ret = 0;
++ } else if (ret > 0)
++ ret = 0;
++
++ /* Down the counter of trigger_data or free it if not used anymore */
++ event_trigger_free(trigger_ops, trigger_data);
+ out:
+ return ret;
+
--- /dev/null
+From 15cc78644d0075e76d59476a4467e7143860f660 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Wed, 25 Jul 2018 16:02:06 -0400
+Subject: tracing: Fix possible double free in event_enable_trigger_func()
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 15cc78644d0075e76d59476a4467e7143860f660 upstream.
+
+There was a case that triggered a double free in event_trigger_callback()
+due to the called reg() function freeing the trigger_data and then it
+getting freed again by the error return by the caller. The solution there
+was to up the trigger_data ref count.
+
+Code inspection found that event_enable_trigger_func() has the same issue,
+but is not as easy to trigger (requires harder to trigger failures). It
+needs to be solved slightly different as it needs more to clean up when the
+reg() function fails.
+
+Link: http://lkml.kernel.org/r/20180725124008.7008e586@gandalf.local.home
+
+Cc: stable@vger.kernel.org
+Fixes: 7862ad1846e99 ("tracing: Add 'enable_event' and 'disable_event' event trigger commands")
+Reivewed-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_trigger.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -1396,6 +1396,9 @@ int event_enable_trigger_func(struct eve
+ goto out;
+ }
+
++ /* Up the trigger_data count to make sure nothing frees it on failure */
++ event_trigger_init(trigger_ops, trigger_data);
++
+ if (trigger) {
+ number = strsep(&trigger, ":");
+
+@@ -1446,6 +1449,7 @@ int event_enable_trigger_func(struct eve
+ goto out_disable;
+ /* Just return zero, not the number of enabled functions */
+ ret = 0;
++ event_trigger_free(trigger_ops, trigger_data);
+ out:
+ return ret;
+
+@@ -1456,7 +1460,7 @@ int event_enable_trigger_func(struct eve
+ out_free:
+ if (cmd_ops->set_filter)
+ cmd_ops->set_filter(NULL, trigger_data, NULL);
+- kfree(trigger_data);
++ event_trigger_free(trigger_ops, trigger_data);
+ kfree(enable_data);
+ goto out;
+ }
--- /dev/null
+From 57ea2a34adf40f3a6e88409aafcf803b8945619a Mon Sep 17 00:00:00 2001
+From: Artem Savkov <asavkov@redhat.com>
+Date: Wed, 25 Jul 2018 16:20:38 +0200
+Subject: tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure
+
+From: Artem Savkov <asavkov@redhat.com>
+
+commit 57ea2a34adf40f3a6e88409aafcf803b8945619a upstream.
+
+If enable_trace_kprobe fails to enable the probe in enable_k(ret)probe
+it returns an error, but does not unset the tp flags it set previously.
+This results in a probe being considered enabled and failures like being
+unable to remove the probe through kprobe_events file since probes_open()
+expects every probe to be disabled.
+
+Link: http://lkml.kernel.org/r/20180725102826.8300-1-asavkov@redhat.com
+Link: http://lkml.kernel.org/r/20180725142038.4765-1-asavkov@redhat.com
+
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 41a7dd420c57 ("tracing/kprobes: Support ftrace_event_file base multibuffer")
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Artem Savkov <asavkov@redhat.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_kprobe.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace_kprobe.c
++++ b/kernel/trace/trace_kprobe.c
+@@ -376,11 +376,10 @@ static struct trace_kprobe *find_trace_k
+ static int
+ enable_trace_kprobe(struct trace_kprobe *tk, struct trace_event_file *file)
+ {
++ struct event_file_link *link;
+ int ret = 0;
+
+ if (file) {
+- struct event_file_link *link;
+-
+ link = kmalloc(sizeof(*link), GFP_KERNEL);
+ if (!link) {
+ ret = -ENOMEM;
+@@ -400,6 +399,16 @@ enable_trace_kprobe(struct trace_kprobe
+ else
+ ret = enable_kprobe(&tk->rp.kp);
+ }
++
++ if (ret) {
++ if (file) {
++ list_del_rcu(&link->list);
++ kfree(link);
++ tk->tp.flags &= ~TP_FLAG_TRACE;
++ } else {
++ tk->tp.flags &= ~TP_FLAG_PROFILE;
++ }
++ }
+ out:
+ return ret;
+ }
--- /dev/null
+From 2519c1bbe38d7acacc9aacba303ca6f97482ed53 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Wed, 25 Jul 2018 22:28:56 -0400
+Subject: tracing: Quiet gcc warning about maybe unused link variable
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 2519c1bbe38d7acacc9aacba303ca6f97482ed53 upstream.
+
+Commit 57ea2a34adf4 ("tracing/kprobes: Fix trace_probe flags on
+enable_trace_kprobe() failure") added an if statement that depends on another
+if statement that gcc doesn't see will initialize the "link" variable and
+gives the warning:
+
+ "warning: 'link' may be used uninitialized in this function"
+
+It is really a false positive, but to quiet the warning, and also to make
+sure that it never actually is used uninitialized, initialize the "link"
+variable to NULL and add an if (!WARN_ON_ONCE(!link)) where the compiler
+thinks it could be used uninitialized.
+
+Cc: stable@vger.kernel.org
+Fixes: 57ea2a34adf4 ("tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure")
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_kprobe.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace_kprobe.c
++++ b/kernel/trace/trace_kprobe.c
+@@ -376,7 +376,7 @@ static struct trace_kprobe *find_trace_k
+ static int
+ enable_trace_kprobe(struct trace_kprobe *tk, struct trace_event_file *file)
+ {
+- struct event_file_link *link;
++ struct event_file_link *link = NULL;
+ int ret = 0;
+
+ if (file) {
+@@ -402,7 +402,9 @@ enable_trace_kprobe(struct trace_kprobe
+
+ if (ret) {
+ if (file) {
+- list_del_rcu(&link->list);
++ /* Notice the if is true on not WARN() */
++ if (!WARN_ON_ONCE(!link))
++ list_del_rcu(&link->list);
+ kfree(link);
+ tk->tp.flags &= ~TP_FLAG_TRACE;
+ } else {
projects / thirdparty / kernel / stable-queue.git / commitdiff
