--- /dev/null
+From 00377277166bac6939d8f72b429301369acaf2d8 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Tue, 28 May 2019 12:39:34 +0100
+Subject: arm64: Fix the arm64_personality() syscall wrapper redirection
+
+From: Catalin Marinas <catalin.marinas@arm.com>
+
+commit 00377277166bac6939d8f72b429301369acaf2d8 upstream.
+
+Following commit 4378a7d4be30 ("arm64: implement syscall wrappers"), the
+syscall function names gained the '__arm64_' prefix. Ensure that we
+have the correct #define for redirecting a default syscall through a
+wrapper.
+
+Fixes: 4378a7d4be30 ("arm64: implement syscall wrappers")
+Cc: <stable@vger.kernel.org> # 4.19.x-
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/sys.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/sys.c
++++ b/arch/arm64/kernel/sys.c
+@@ -50,7 +50,7 @@ SYSCALL_DEFINE1(arm64_personality, unsig
+ /*
+ * Wrappers to pass the pt_regs argument.
+ */
+-#define sys_personality sys_arm64_personality
++#define __arm64_sys_personality __arm64_sys_arm64_personality
+
+ asmlinkage long sys_ni_syscall(const struct pt_regs *);
+ #define __arm64_sys_ni_syscall sys_ni_syscall
--- /dev/null
+From 31fad7d41e73731f05b8053d17078638cf850fa6 Mon Sep 17 00:00:00 2001
+From: Roberto Bergantinos Corpas <rbergant@redhat.com>
+Date: Tue, 28 May 2019 09:38:14 +0200
+Subject: CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM
+
+From: Roberto Bergantinos Corpas <rbergant@redhat.com>
+
+commit 31fad7d41e73731f05b8053d17078638cf850fa6 upstream.
+
+ In cifs_read_allocate_pages, in case of ENOMEM, we go through
+whole rdata->pages array but we have failed the allocation before
+nr_pages, therefore we may end up calling put_page with NULL
+pointer, causing oops
+
+Signed-off-by: Roberto Bergantinos Corpas <rbergant@redhat.com>
+Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -3221,7 +3221,9 @@ cifs_read_allocate_pages(struct cifs_rea
+ }
+
+ if (rc) {
+- for (i = 0; i < nr_pages; i++) {
++ unsigned int nr_page_failed = i;
++
++ for (i = 0; i < nr_page_failed; i++) {
+ put_page(rdata->pages[i]);
+ rdata->pages[i] = NULL;
+ }
--- /dev/null
+From 210782038b54ec8e9059a3c12d6f6ae173efa3a9 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 17 May 2019 09:12:33 +0100
+Subject: cifs: fix memory leak of pneg_inbuf on -EOPNOTSUPP ioctl case
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 210782038b54ec8e9059a3c12d6f6ae173efa3a9 upstream.
+
+Currently in the case where SMB2_ioctl returns the -EOPNOTSUPP error
+there is a memory leak of pneg_inbuf. Fix this by returning via
+the out_free_inbuf exit path that will perform the relevant kfree.
+
+Addresses-Coverity: ("Resource leak")
+Fixes: 969ae8e8d4ee ("cifs: Accept validate negotiate if server return NT_STATUS_NOT_SUPPORTED")
+CC: Stable <stable@vger.kernel.org> # v5.1+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1013,7 +1013,8 @@ int smb3_validate_negotiate(const unsign
+ * not supported error. Client should accept it.
+ */
+ cifs_dbg(VFS, "Server does not support validate negotiate\n");
+- return 0;
++ rc = 0;
++ goto out_free_inbuf;
+ } else if (rc != 0) {
+ cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc);
+ rc = -EIO;
--- /dev/null
+From b3fddd5b100e4aee4f7ec58360435024971dea47 Mon Sep 17 00:00:00 2001
+From: Peng Fan <peng.fan@nxp.com>
+Date: Mon, 20 May 2019 02:03:19 +0000
+Subject: clk: imx: imx8mm: fix int pll clk gate
+
+From: Peng Fan <peng.fan@nxp.com>
+
+commit b3fddd5b100e4aee4f7ec58360435024971dea47 upstream.
+
+To Frac pll, the gate shift is 13, however to Int PLL the gate shift
+is 11.
+
+Cc: <stable@vger.kernel.org>
+Fixes: ba5625c3e27 ("clk: imx: Add clock driver support for imx8mm")
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Reviewed-by: Jacky Bai <ping.bai@nxp.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/imx/clk-imx8mm.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/clk/imx/clk-imx8mm.c
++++ b/drivers/clk/imx/clk-imx8mm.c
+@@ -449,12 +449,12 @@ static int __init imx8mm_clocks_init(str
+ clks[IMX8MM_AUDIO_PLL2_OUT] = imx_clk_gate("audio_pll2_out", "audio_pll2_bypass", base + 0x14, 13);
+ clks[IMX8MM_VIDEO_PLL1_OUT] = imx_clk_gate("video_pll1_out", "video_pll1_bypass", base + 0x28, 13);
+ clks[IMX8MM_DRAM_PLL_OUT] = imx_clk_gate("dram_pll_out", "dram_pll_bypass", base + 0x50, 13);
+- clks[IMX8MM_GPU_PLL_OUT] = imx_clk_gate("gpu_pll_out", "gpu_pll_bypass", base + 0x64, 13);
+- clks[IMX8MM_VPU_PLL_OUT] = imx_clk_gate("vpu_pll_out", "vpu_pll_bypass", base + 0x74, 13);
+- clks[IMX8MM_ARM_PLL_OUT] = imx_clk_gate("arm_pll_out", "arm_pll_bypass", base + 0x84, 13);
+- clks[IMX8MM_SYS_PLL1_OUT] = imx_clk_gate("sys_pll1_out", "sys_pll1_bypass", base + 0x94, 13);
+- clks[IMX8MM_SYS_PLL2_OUT] = imx_clk_gate("sys_pll2_out", "sys_pll2_bypass", base + 0x104, 13);
+- clks[IMX8MM_SYS_PLL3_OUT] = imx_clk_gate("sys_pll3_out", "sys_pll3_bypass", base + 0x114, 13);
++ clks[IMX8MM_GPU_PLL_OUT] = imx_clk_gate("gpu_pll_out", "gpu_pll_bypass", base + 0x64, 11);
++ clks[IMX8MM_VPU_PLL_OUT] = imx_clk_gate("vpu_pll_out", "vpu_pll_bypass", base + 0x74, 11);
++ clks[IMX8MM_ARM_PLL_OUT] = imx_clk_gate("arm_pll_out", "arm_pll_bypass", base + 0x84, 11);
++ clks[IMX8MM_SYS_PLL1_OUT] = imx_clk_gate("sys_pll1_out", "sys_pll1_bypass", base + 0x94, 11);
++ clks[IMX8MM_SYS_PLL2_OUT] = imx_clk_gate("sys_pll2_out", "sys_pll2_bypass", base + 0x104, 11);
++ clks[IMX8MM_SYS_PLL3_OUT] = imx_clk_gate("sys_pll3_out", "sys_pll3_bypass", base + 0x114, 11);
+
+ /* SYS PLL fixed output */
+ clks[IMX8MM_SYS_PLL1_40M] = imx_clk_fixed_factor("sys_pll1_40m", "sys_pll1_out", 1, 20);
--- /dev/null
+From 096ea522e84ea68f8e6c41e5e7294731a81e29bc Mon Sep 17 00:00:00 2001
+From: Jonathan Corbet <corbet@lwn.net>
+Date: Tue, 21 May 2019 14:23:43 -0600
+Subject: doc: Cope with Sphinx logging deprecations
+
+From: Jonathan Corbet <corbet@lwn.net>
+
+commit 096ea522e84ea68f8e6c41e5e7294731a81e29bc upstream.
+
+Recent versions of sphinx will emit messages like:
+
+ Documentation/sphinx/kerneldoc.py:103:
+ RemovedInSphinx20Warning: app.warning() is now deprecated.
+ Use sphinx.util.logging instead.
+
+Switch to sphinx.util.logging to make this unsightly message go away.
+Alas, that interface was only added in version 1.6, so we have to add a
+version check to keep things working with older sphinxes.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/sphinx/kerneldoc.py | 12 +++++++----
+ Documentation/sphinx/kernellog.py | 28 ++++++++++++++++++++++++++
+ Documentation/sphinx/kfigure.py | 40 +++++++++++++++++++++-----------------
+ 3 files changed, 59 insertions(+), 21 deletions(-)
+
+--- a/Documentation/sphinx/kerneldoc.py
++++ b/Documentation/sphinx/kerneldoc.py
+@@ -49,6 +49,8 @@ if Use_SSI:
+ else:
+ from sphinx.ext.autodoc import AutodocReporter
+
++import kernellog
++
+ __version__ = '1.0'
+
+ class KernelDocDirective(Directive):
+@@ -100,7 +102,8 @@ class KernelDocDirective(Directive):
+ cmd += [filename]
+
+ try:
+- env.app.verbose('calling kernel-doc \'%s\'' % (" ".join(cmd)))
++ kernellog.verbose(env.app,
++ 'calling kernel-doc \'%s\'' % (" ".join(cmd)))
+
+ p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ out, err = p.communicate()
+@@ -110,7 +113,8 @@ class KernelDocDirective(Directive):
+ if p.returncode != 0:
+ sys.stderr.write(err)
+
+- env.app.warn('kernel-doc \'%s\' failed with return code %d' % (" ".join(cmd), p.returncode))
++ kernellog.warn(env.app,
++ 'kernel-doc \'%s\' failed with return code %d' % (" ".join(cmd), p.returncode))
+ return [nodes.error(None, nodes.paragraph(text = "kernel-doc missing"))]
+ elif env.config.kerneldoc_verbosity > 0:
+ sys.stderr.write(err)
+@@ -136,8 +140,8 @@ class KernelDocDirective(Directive):
+ return node.children
+
+ except Exception as e: # pylint: disable=W0703
+- env.app.warn('kernel-doc \'%s\' processing failed with: %s' %
+- (" ".join(cmd), str(e)))
++ kernellog.warn(env.app, 'kernel-doc \'%s\' processing failed with: %s' %
++ (" ".join(cmd), str(e)))
+ return [nodes.error(None, nodes.paragraph(text = "kernel-doc missing"))]
+
+ def do_parse(self, result, node):
+--- /dev/null
++++ b/Documentation/sphinx/kernellog.py
+@@ -0,0 +1,28 @@
++# SPDX-License-Identifier: GPL-2.0
++#
++# Sphinx has deprecated its older logging interface, but the replacement
++# only goes back to 1.6. So here's a wrapper layer to keep around for
++# as long as we support 1.4.
++#
++import sphinx
++
++if sphinx.__version__[:3] >= '1.6':
++ UseLogging = True
++ from sphinx.util import logging
++ logger = logging.getLogger('kerneldoc')
++else:
++ UseLogging = False
++
++def warn(app, message):
++ if UseLogging:
++ logger.warning(message)
++ else:
++ app.warn(message)
++
++def verbose(app, message):
++ if UseLogging:
++ logger.verbose(message)
++ else:
++ app.verbose(message)
++
++
+--- a/Documentation/sphinx/kfigure.py
++++ b/Documentation/sphinx/kfigure.py
+@@ -60,6 +60,8 @@ import sphinx
+ from sphinx.util.nodes import clean_astext
+ from six import iteritems
+
++import kernellog
++
+ PY3 = sys.version_info[0] == 3
+
+ if PY3:
+@@ -171,20 +173,20 @@ def setupTools(app):
+ This function is called once, when the builder is initiated.
+ """
+ global dot_cmd, convert_cmd # pylint: disable=W0603
+- app.verbose("kfigure: check installed tools ...")
++ kernellog.verbose(app, "kfigure: check installed tools ...")
+
+ dot_cmd = which('dot')
+ convert_cmd = which('convert')
+
+ if dot_cmd:
+- app.verbose("use dot(1) from: " + dot_cmd)
++ kernellog.verbose(app, "use dot(1) from: " + dot_cmd)
+ else:
+- app.warn("dot(1) not found, for better output quality install "
+- "graphviz from http://www.graphviz.org")
++ kernellog.warn(app, "dot(1) not found, for better output quality install "
++ "graphviz from http://www.graphviz.org")
+ if convert_cmd:
+- app.verbose("use convert(1) from: " + convert_cmd)
++ kernellog.verbose(app, "use convert(1) from: " + convert_cmd)
+ else:
+- app.warn(
++ kernellog.warn(app,
+ "convert(1) not found, for SVG to PDF conversion install "
+ "ImageMagick (https://www.imagemagick.org)")
+
+@@ -220,12 +222,13 @@ def convert_image(img_node, translator,
+
+ # in kernel builds, use 'make SPHINXOPTS=-v' to see verbose messages
+
+- app.verbose('assert best format for: ' + img_node['uri'])
++ kernellog.verbose(app, 'assert best format for: ' + img_node['uri'])
+
+ if in_ext == '.dot':
+
+ if not dot_cmd:
+- app.verbose("dot from graphviz not available / include DOT raw.")
++ kernellog.verbose(app,
++ "dot from graphviz not available / include DOT raw.")
+ img_node.replace_self(file2literal(src_fname))
+
+ elif translator.builder.format == 'latex':
+@@ -252,7 +255,8 @@ def convert_image(img_node, translator,
+
+ if translator.builder.format == 'latex':
+ if convert_cmd is None:
+- app.verbose("no SVG to PDF conversion available / include SVG raw.")
++ kernellog.verbose(app,
++ "no SVG to PDF conversion available / include SVG raw.")
+ img_node.replace_self(file2literal(src_fname))
+ else:
+ dst_fname = path.join(translator.builder.outdir, fname + '.pdf')
+@@ -265,18 +269,19 @@ def convert_image(img_node, translator,
+ _name = dst_fname[len(translator.builder.outdir) + 1:]
+
+ if isNewer(dst_fname, src_fname):
+- app.verbose("convert: {out}/%s already exists and is newer" % _name)
++ kernellog.verbose(app,
++ "convert: {out}/%s already exists and is newer" % _name)
+
+ else:
+ ok = False
+ mkdir(path.dirname(dst_fname))
+
+ if in_ext == '.dot':
+- app.verbose('convert DOT to: {out}/' + _name)
++ kernellog.verbose(app, 'convert DOT to: {out}/' + _name)
+ ok = dot2format(app, src_fname, dst_fname)
+
+ elif in_ext == '.svg':
+- app.verbose('convert SVG to: {out}/' + _name)
++ kernellog.verbose(app, 'convert SVG to: {out}/' + _name)
+ ok = svg2pdf(app, src_fname, dst_fname)
+
+ if not ok:
+@@ -305,7 +310,8 @@ def dot2format(app, dot_fname, out_fname
+ with open(out_fname, "w") as out:
+ exit_code = subprocess.call(cmd, stdout = out)
+ if exit_code != 0:
+- app.warn("Error #%d when calling: %s" % (exit_code, " ".join(cmd)))
++ kernellog.warn(app,
++ "Error #%d when calling: %s" % (exit_code, " ".join(cmd)))
+ return bool(exit_code == 0)
+
+ def svg2pdf(app, svg_fname, pdf_fname):
+@@ -322,7 +328,7 @@ def svg2pdf(app, svg_fname, pdf_fname):
+ # use stdout and stderr from parent
+ exit_code = subprocess.call(cmd)
+ if exit_code != 0:
+- app.warn("Error #%d when calling: %s" % (exit_code, " ".join(cmd)))
++ kernellog.warn(app, "Error #%d when calling: %s" % (exit_code, " ".join(cmd)))
+ return bool(exit_code == 0)
+
+
+@@ -415,15 +421,15 @@ def visit_kernel_render(self, node):
+ app = self.builder.app
+ srclang = node.get('srclang')
+
+- app.verbose('visit kernel-render node lang: "%s"' % (srclang))
++ kernellog.verbose(app, 'visit kernel-render node lang: "%s"' % (srclang))
+
+ tmp_ext = RENDER_MARKUP_EXT.get(srclang, None)
+ if tmp_ext is None:
+- app.warn('kernel-render: "%s" unknown / include raw.' % (srclang))
++ kernellog.warn(app, 'kernel-render: "%s" unknown / include raw.' % (srclang))
+ return
+
+ if not dot_cmd and tmp_ext == '.dot':
+- app.verbose("dot from graphviz not available / include raw.")
++ kernellog.verbose(app, "dot from graphviz not available / include raw.")
+ return
+
+ literal_block = node[0]
--- /dev/null
+From 2404dad1f67f8917e30fc22a85e0dbcc85b99955 Mon Sep 17 00:00:00 2001
+From: Jonathan Corbet <corbet@lwn.net>
+Date: Tue, 21 May 2019 14:42:34 -0600
+Subject: doc: Cope with the deprecation of AutoReporter
+
+From: Jonathan Corbet <corbet@lwn.net>
+
+commit 2404dad1f67f8917e30fc22a85e0dbcc85b99955 upstream.
+
+AutoReporter is going away; recent versions of sphinx emit a warning like:
+
+ Documentation/sphinx/kerneldoc.py:125:
+ RemovedInSphinx20Warning: AutodocReporter is now deprecated.
+ Use sphinx.util.docutils.switch_source_input() instead.
+
+Make the switch. But switch_source_input() only showed up in 1.7, so we
+have to do ugly version checks to keep things working in older versions.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/sphinx/kerneldoc.py | 34 ++++++++++++++++++++++++++--------
+ 1 file changed, 26 insertions(+), 8 deletions(-)
+
+--- a/Documentation/sphinx/kerneldoc.py
++++ b/Documentation/sphinx/kerneldoc.py
+@@ -37,7 +37,17 @@ import glob
+ from docutils import nodes, statemachine
+ from docutils.statemachine import ViewList
+ from docutils.parsers.rst import directives, Directive
+-from sphinx.ext.autodoc import AutodocReporter
++
++#
++# AutodocReporter is only good up to Sphinx 1.7
++#
++import sphinx
++
++Use_SSI = sphinx.__version__[:3] >= '1.7'
++if Use_SSI:
++ from sphinx.util.docutils import switch_source_input
++else:
++ from sphinx.ext.autodoc import AutodocReporter
+
+ __version__ = '1.0'
+
+@@ -121,13 +131,7 @@ class KernelDocDirective(Directive):
+ lineoffset += 1
+
+ node = nodes.section()
+- buf = self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter
+- self.state.memo.reporter = AutodocReporter(result, self.state.memo.reporter)
+- self.state.memo.title_styles, self.state.memo.section_level = [], 0
+- try:
+- self.state.nested_parse(result, 0, node, match_titles=1)
+- finally:
+- self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter = buf
++ self.do_parse(result, node)
+
+ return node.children
+
+@@ -136,6 +140,20 @@ class KernelDocDirective(Directive):
+ (" ".join(cmd), str(e)))
+ return [nodes.error(None, nodes.paragraph(text = "kernel-doc missing"))]
+
++ def do_parse(self, result, node):
++ if Use_SSI:
++ with switch_source_input(self.state, result):
++ self.state.nested_parse(result, 0, node, match_titles=1)
++ else:
++ save = self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter
++ self.state.memo.reporter = AutodocReporter(result, self.state.memo.reporter)
++ self.state.memo.title_styles, self.state.memo.section_level = [], 0
++ try:
++ self.state.nested_parse(result, 0, node, match_titles=1)
++ finally:
++ self.state.memo.title_styles, self.state.memo.section_level, self.state.memo.reporter = save
++
++
+ def setup(app):
+ app.add_config_value('kerneldoc_bin', None, 'env')
+ app.add_config_value('kerneldoc_srctree', None, 'env')
--- /dev/null
+From 3bc8088464712fdcb078eefb68837ccfcc413c88 Mon Sep 17 00:00:00 2001
+From: Jonathan Corbet <corbet@lwn.net>
+Date: Wed, 22 May 2019 14:30:45 -0600
+Subject: docs: Fix conf.py for Sphinx 2.0
+
+From: Jonathan Corbet <corbet@lwn.net>
+
+commit 3bc8088464712fdcb078eefb68837ccfcc413c88 upstream.
+
+Our version check in Documentation/conf.py never envisioned a world where
+Sphinx moved beyond 1.x. Now that the unthinkable has happened, fix our
+version check to handle higher version numbers correctly.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/conf.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/conf.py
++++ b/Documentation/conf.py
+@@ -37,7 +37,7 @@ needs_sphinx = '1.3'
+ extensions = ['kerneldoc', 'rstFlatTable', 'kernel_include', 'cdomain', 'kfigure', 'sphinx.ext.ifconfig']
+
+ # The name of the math extension changed on Sphinx 1.4
+-if major == 1 and minor > 3:
++if (major == 1 and minor > 3) or (major > 1):
+ extensions.append("sphinx.ext.imgmath")
+ else:
+ extensions.append("sphinx.ext.pngmath")
--- /dev/null
+From 342406e4fbba9a174125fbfe6aeac3d64ef90f76 Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Tue, 9 Apr 2019 16:23:30 -0400
+Subject: drm/nouveau/i2c: Disable i2c bus access after ->fini()
+
+From: Lyude Paul <lyude@redhat.com>
+
+commit 342406e4fbba9a174125fbfe6aeac3d64ef90f76 upstream.
+
+For a while, we've had the problem of i2c bus access not grabbing
+a runtime PM ref when it's being used in userspace by i2c-dev, resulting
+in nouveau spamming the kernel log with errors if anything attempts to
+access the i2c bus while the GPU is in runtime suspend. An example:
+
+[ 130.078386] nouveau 0000:01:00.0: i2c: aux 000d: begin idle timeout ffffffff
+
+Since the GPU is in runtime suspend, the MMIO region that the i2c bus is
+on isn't accessible. On x86, the standard behavior for accessing an
+unavailable MMIO region is to just return ~0.
+
+Except, that turned out to be a lie. While computers with a clean
+concious will return ~0 in this scenario, some machines will actually
+completely hang a CPU on certian bad MMIO accesses. This was witnessed
+with someone's Lenovo ThinkPad P50, where sensors-detect attempting to
+access the i2c bus while the GPU was suspended would result in a CPU
+hang:
+
+ CPU: 5 PID: 12438 Comm: sensors-detect Not tainted 5.0.0-0.rc4.git3.1.fc30.x86_64 #1
+ Hardware name: LENOVO 20EQS64N17/20EQS64N17, BIOS N1EET74W (1.47 ) 11/21/2017
+ RIP: 0010:ioread32+0x2b/0x30
+ Code: 81 ff ff ff 03 00 77 20 48 81 ff 00 00 01 00 76 05 0f b7 d7 ed c3
+ 48 c7 c6 e1 0c 36 96 e8 2d ff ff ff b8 ff ff ff ff c3 8b 07 <c3> 0f 1f
+ 40 00 49 89 f0 48 81 fe ff ff 03 00 76 04 40 88 3e c3 48
+ RSP: 0018:ffffaac3c5007b48 EFLAGS: 00000292 ORIG_RAX: ffffffffffffff13
+ RAX: 0000000001111000 RBX: 0000000001111000 RCX: 0000043017a97186
+ RDX: 0000000000000aaa RSI: 0000000000000005 RDI: ffffaac3c400e4e4
+ RBP: ffff9e6443902c00 R08: ffffaac3c400e4e4 R09: ffffaac3c5007be7
+ R10: 0000000000000004 R11: 0000000000000001 R12: ffff9e6445dd0000
+ R13: 000000000000e4e4 R14: 00000000000003c4 R15: 0000000000000000
+ FS: 00007f253155a740(0000) GS:ffff9e644f600000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00005630d1500358 CR3: 0000000417c44006 CR4: 00000000003606e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ g94_i2c_aux_xfer+0x326/0x850 [nouveau]
+ nvkm_i2c_aux_i2c_xfer+0x9e/0x140 [nouveau]
+ __i2c_transfer+0x14b/0x620
+ i2c_smbus_xfer_emulated+0x159/0x680
+ ? _raw_spin_unlock_irqrestore+0x1/0x60
+ ? rt_mutex_slowlock.constprop.0+0x13d/0x1e0
+ ? __lock_is_held+0x59/0xa0
+ __i2c_smbus_xfer+0x138/0x5a0
+ i2c_smbus_xfer+0x4f/0x80
+ i2cdev_ioctl_smbus+0x162/0x2d0 [i2c_dev]
+ i2cdev_ioctl+0x1db/0x2c0 [i2c_dev]
+ do_vfs_ioctl+0x408/0x750
+ ksys_ioctl+0x5e/0x90
+ __x64_sys_ioctl+0x16/0x20
+ do_syscall_64+0x60/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7f25317f546b
+ Code: 0f 1e fa 48 8b 05 1d da 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff
+ ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01
+ f0 ff ff 73 01 c3 48 8b 0d ed d9 0c 00 f7 d8 64 89 01 48
+ RSP: 002b:00007ffc88caab68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+ RAX: ffffffffffffffda RBX: 00005630d0fe7260 RCX: 00007f25317f546b
+ RDX: 00005630d1598e80 RSI: 0000000000000720 RDI: 0000000000000003
+ RBP: 00005630d155b968 R08: 0000000000000001 R09: 00005630d15a1da0
+ R10: 0000000000000070 R11: 0000000000000246 R12: 00005630d1598e80
+ R13: 00005630d12f3d28 R14: 0000000000000720 R15: 00005630d12f3ce0
+ watchdog: BUG: soft lockup - CPU#5 stuck for 23s! [sensors-detect:12438]
+
+Yikes! While I wanted to try to make it so that accessing an i2c bus on
+nouveau would wake up the GPU as needed, airlied pointed out that pretty
+much any usecase for userspace accessing an i2c bus on a GPU (mainly for
+the DDC brightness control that some displays have) is going to only be
+useful while there's at least one display enabled on the GPU anyway, and
+the GPU never sleeps while there's displays running.
+
+Since teaching the i2c bus to wake up the GPU on userspace accesses is a
+good deal more difficult than it might seem, mostly due to the fact that
+we have to use the i2c bus during runtime resume of the GPU, we instead
+opt for the easiest solution: don't let userspace access i2c busses on
+the GPU at all while it's in runtime suspend.
+
+Changes since v1:
+* Also disable i2c busses that run over DP AUX
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h | 2 +
+ drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c | 26 +++++++++++++++++++++-
+ drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h | 2 +
+ drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c | 15 ++++++++++++
+ drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c | 21 ++++++++++++++++-
+ drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h | 1
+ 6 files changed, 65 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h
++++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h
+@@ -38,6 +38,7 @@ struct nvkm_i2c_bus {
+ struct mutex mutex;
+ struct list_head head;
+ struct i2c_adapter i2c;
++ u8 enabled;
+ };
+
+ int nvkm_i2c_bus_acquire(struct nvkm_i2c_bus *);
+@@ -57,6 +58,7 @@ struct nvkm_i2c_aux {
+ struct mutex mutex;
+ struct list_head head;
+ struct i2c_adapter i2c;
++ u8 enabled;
+
+ u32 intr;
+ };
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c
+@@ -105,9 +105,15 @@ nvkm_i2c_aux_acquire(struct nvkm_i2c_aux
+ {
+ struct nvkm_i2c_pad *pad = aux->pad;
+ int ret;
++
+ AUX_TRACE(aux, "acquire");
+ mutex_lock(&aux->mutex);
+- ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_AUX);
++
++ if (aux->enabled)
++ ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_AUX);
++ else
++ ret = -EIO;
++
+ if (ret)
+ mutex_unlock(&aux->mutex);
+ return ret;
+@@ -145,6 +151,24 @@ nvkm_i2c_aux_del(struct nvkm_i2c_aux **p
+ }
+ }
+
++void
++nvkm_i2c_aux_init(struct nvkm_i2c_aux *aux)
++{
++ AUX_TRACE(aux, "init");
++ mutex_lock(&aux->mutex);
++ aux->enabled = true;
++ mutex_unlock(&aux->mutex);
++}
++
++void
++nvkm_i2c_aux_fini(struct nvkm_i2c_aux *aux)
++{
++ AUX_TRACE(aux, "fini");
++ mutex_lock(&aux->mutex);
++ aux->enabled = false;
++ mutex_unlock(&aux->mutex);
++}
++
+ int
+ nvkm_i2c_aux_ctor(const struct nvkm_i2c_aux_func *func,
+ struct nvkm_i2c_pad *pad, int id,
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h
+@@ -16,6 +16,8 @@ int nvkm_i2c_aux_ctor(const struct nvkm_
+ int nvkm_i2c_aux_new_(const struct nvkm_i2c_aux_func *, struct nvkm_i2c_pad *,
+ int id, struct nvkm_i2c_aux **);
+ void nvkm_i2c_aux_del(struct nvkm_i2c_aux **);
++void nvkm_i2c_aux_init(struct nvkm_i2c_aux *);
++void nvkm_i2c_aux_fini(struct nvkm_i2c_aux *);
+ int nvkm_i2c_aux_xfer(struct nvkm_i2c_aux *, bool retry, u8 type,
+ u32 addr, u8 *data, u8 *size);
+
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c
+@@ -160,8 +160,18 @@ nvkm_i2c_fini(struct nvkm_subdev *subdev
+ {
+ struct nvkm_i2c *i2c = nvkm_i2c(subdev);
+ struct nvkm_i2c_pad *pad;
++ struct nvkm_i2c_bus *bus;
++ struct nvkm_i2c_aux *aux;
+ u32 mask;
+
++ list_for_each_entry(aux, &i2c->aux, head) {
++ nvkm_i2c_aux_fini(aux);
++ }
++
++ list_for_each_entry(bus, &i2c->bus, head) {
++ nvkm_i2c_bus_fini(bus);
++ }
++
+ if ((mask = (1 << i2c->func->aux) - 1), i2c->func->aux_stat) {
+ i2c->func->aux_mask(i2c, NVKM_I2C_ANY, mask, 0);
+ i2c->func->aux_stat(i2c, &mask, &mask, &mask, &mask);
+@@ -180,6 +190,7 @@ nvkm_i2c_init(struct nvkm_subdev *subdev
+ struct nvkm_i2c *i2c = nvkm_i2c(subdev);
+ struct nvkm_i2c_bus *bus;
+ struct nvkm_i2c_pad *pad;
++ struct nvkm_i2c_aux *aux;
+
+ list_for_each_entry(pad, &i2c->pad, head) {
+ nvkm_i2c_pad_init(pad);
+@@ -189,6 +200,10 @@ nvkm_i2c_init(struct nvkm_subdev *subdev
+ nvkm_i2c_bus_init(bus);
+ }
+
++ list_for_each_entry(aux, &i2c->aux, head) {
++ nvkm_i2c_aux_init(aux);
++ }
++
+ return 0;
+ }
+
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c
+@@ -110,6 +110,19 @@ nvkm_i2c_bus_init(struct nvkm_i2c_bus *b
+ BUS_TRACE(bus, "init");
+ if (bus->func->init)
+ bus->func->init(bus);
++
++ mutex_lock(&bus->mutex);
++ bus->enabled = true;
++ mutex_unlock(&bus->mutex);
++}
++
++void
++nvkm_i2c_bus_fini(struct nvkm_i2c_bus *bus)
++{
++ BUS_TRACE(bus, "fini");
++ mutex_lock(&bus->mutex);
++ bus->enabled = false;
++ mutex_unlock(&bus->mutex);
+ }
+
+ void
+@@ -126,9 +139,15 @@ nvkm_i2c_bus_acquire(struct nvkm_i2c_bus
+ {
+ struct nvkm_i2c_pad *pad = bus->pad;
+ int ret;
++
+ BUS_TRACE(bus, "acquire");
+ mutex_lock(&bus->mutex);
+- ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_I2C);
++
++ if (bus->enabled)
++ ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_I2C);
++ else
++ ret = -EIO;
++
+ if (ret)
+ mutex_unlock(&bus->mutex);
+ return ret;
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h
+@@ -18,6 +18,7 @@ int nvkm_i2c_bus_new_(const struct nvkm_
+ int id, struct nvkm_i2c_bus **);
+ void nvkm_i2c_bus_del(struct nvkm_i2c_bus **);
+ void nvkm_i2c_bus_init(struct nvkm_i2c_bus *);
++void nvkm_i2c_bus_fini(struct nvkm_i2c_bus *);
+
+ int nvkm_i2c_bit_xfer(struct nvkm_i2c_bus *, struct i2c_msg *, int);
+
--- /dev/null
+From 221be106d75c1b511973301542f47d6000d0b63e Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@huawei.com>
+Date: Wed, 29 May 2019 15:30:33 +0200
+Subject: evm: check hash algorithm passed to init_desc()
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+commit 221be106d75c1b511973301542f47d6000d0b63e upstream.
+
+This patch prevents memory access beyond the evm_tfm array by checking the
+validity of the index (hash algorithm) passed to init_desc(). The hash
+algorithm can be arbitrarily set if the security.ima xattr type is not
+EVM_XATTR_HMAC.
+
+Fixes: 5feeb61183dde ("evm: Allow non-SHA1 digital signatures")
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/evm/evm_crypto.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/security/integrity/evm/evm_crypto.c
++++ b/security/integrity/evm/evm_crypto.c
+@@ -89,6 +89,9 @@ static struct shash_desc *init_desc(char
+ tfm = &hmac_tfm;
+ algo = evm_hmac;
+ } else {
++ if (hash_algo >= HASH_ALGO__LAST)
++ return ERR_PTR(-EINVAL);
++
+ tfm = &evm_tfm[hash_algo];
+ algo = hash_algo_name[hash_algo];
+ }
--- /dev/null
+From 7210e060155b9cf557fb13128353c3e494fa5ed3 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 20 May 2019 11:50:42 -0700
+Subject: gcc-plugins: Fix build failures under Darwin host
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 7210e060155b9cf557fb13128353c3e494fa5ed3 upstream.
+
+The gcc-common.h file did not take into account certain macros that
+might have already been defined in the build environment. This updates
+the header to avoid redefining the macros, as seen on a Darwin host
+using gcc 4.9.2:
+
+ HOSTCXX -fPIC scripts/gcc-plugins/arm_ssp_per_task_plugin.o - due to: scripts/gcc-plugins/gcc-common.h
+In file included from scripts/gcc-plugins/arm_ssp_per_task_plugin.c:3:0:
+scripts/gcc-plugins/gcc-common.h:153:0: warning: "__unused" redefined
+^
+In file included from /usr/include/stdio.h:64:0,
+ from /Users/hns/Documents/Projects/QuantumSTEP/System/Library/Frameworks/System.framework/Versions-jessie/x86_64-apple-darwin15.0.0/gcc/arm-linux-gnueabi/bin/../lib/gcc/arm-linux-gnueabi/4.9.2/plugin/include/system.h:40,
+ from /Users/hns/Documents/Projects/QuantumSTEP/System/Library/Frameworks/System.framework/Versions-jessie/x86_64-apple-darwin15.0.0/gcc/arm-linux-gnueabi/bin/../lib/gcc/arm-linux-gnueabi/4.9.2/plugin/include/gcc-plugin.h:28,
+ from /Users/hns/Documents/Projects/QuantumSTEP/System/Library/Frameworks/System.framework/Versions-jessie/x86_64-apple-darwin15.0.0/gcc/arm-linux-gnueabi/bin/../lib/gcc/arm-linux-gnueabi/4.9.2/plugin/include/plugin.h:23,
+ from scripts/gcc-plugins/gcc-common.h:9,
+ from scripts/gcc-plugins/arm_ssp_per_task_plugin.c:3:
+/usr/include/sys/cdefs.h:161:0: note: this is the location of the previous definition
+^
+
+Reported-and-tested-by: "H. Nikolaus Schaller" <hns@goldelico.com>
+Fixes: 189af4657186 ("ARM: smp: add support for per-task stack canaries")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/gcc-plugins/gcc-common.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/scripts/gcc-plugins/gcc-common.h
++++ b/scripts/gcc-plugins/gcc-common.h
+@@ -150,8 +150,12 @@ void print_gimple_expr(FILE *, gimple, i
+ void dump_gimple_stmt(pretty_printer *, gimple, int, int);
+ #endif
+
++#ifndef __unused
+ #define __unused __attribute__((__unused__))
++#endif
++#ifndef __visible
+ #define __visible __attribute__((visibility("default")))
++#endif
+
+ #define DECL_NAME_POINTER(node) IDENTIFIER_POINTER(DECL_NAME(node))
+ #define DECL_NAME_LENGTH(node) IDENTIFIER_LENGTH(DECL_NAME(node))
--- /dev/null
+From 13067ef73f337336e3149f5bb9f3fd05fe7f87a0 Mon Sep 17 00:00:00 2001
+From: Vadim Pasternak <vadimp@mellanox.com>
+Date: Thu, 16 May 2019 17:15:41 +0000
+Subject: i2c: mlxcpld: Fix wrong initialization order in probe
+
+From: Vadim Pasternak <vadimp@mellanox.com>
+
+commit 13067ef73f337336e3149f5bb9f3fd05fe7f87a0 upstream.
+
+Fix wrong order in probing routine initialization - field `base_addr'
+is used before it's initialized. Move assignment of 'priv->base_addr`
+to the beginning, prior the call to mlxcpld_i2c_read_comm().
+Wrong order caused the first read of capability register to be executed
+at wrong offset 0x0 instead of 0x2000. By chance it was a "good
+garbage" at 0x0 offset.
+
+Fixes: 313ce648b5a4 ("i2c: mlxcpld: Add support for extended transaction length for i2c-mlxcpld")
+Signed-off-by: Vadim Pasternak <vadimp@mellanox.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-mlxcpld.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-mlxcpld.c
++++ b/drivers/i2c/busses/i2c-mlxcpld.c
+@@ -503,6 +503,7 @@ static int mlxcpld_i2c_probe(struct plat
+ platform_set_drvdata(pdev, priv);
+
+ priv->dev = &pdev->dev;
++ priv->base_addr = MLXPLAT_CPLD_LPC_I2C_BASE_ADDR;
+
+ /* Register with i2c layer */
+ mlxcpld_i2c_adapter.timeout = usecs_to_jiffies(MLXCPLD_I2C_XFER_TO);
+@@ -518,7 +519,6 @@ static int mlxcpld_i2c_probe(struct plat
+ mlxcpld_i2c_adapter.nr = pdev->id;
+ priv->adap = mlxcpld_i2c_adapter;
+ priv->adap.dev.parent = &pdev->dev;
+- priv->base_addr = MLXPLAT_CPLD_LPC_I2C_BASE_ADDR;
+ i2c_set_adapdata(&priv->adap, priv);
+
+ err = i2c_add_numbered_adapter(&priv->adap);
--- /dev/null
+From ff9378904d9d7a3fcb8406604e089e535e357b1d Mon Sep 17 00:00:00 2001
+From: Masahisa Kojima <masahisa.kojima@linaro.org>
+Date: Tue, 21 May 2019 10:33:50 +0900
+Subject: i2c: synquacer: fix synquacer_i2c_doxfer() return value
+
+From: Masahisa Kojima <masahisa.kojima@linaro.org>
+
+commit ff9378904d9d7a3fcb8406604e089e535e357b1d upstream.
+
+master_xfer should return the number of messages successfully
+processed.
+
+Fixes: 0d676a6c4390 ("i2c: add support for Socionext SynQuacer I2C controller")
+Cc: <stable@vger.kernel.org> # v4.19+
+Signed-off-by: Okamoto Satoru <okamoto.satoru@socionext.com>
+Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-synquacer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-synquacer.c
++++ b/drivers/i2c/busses/i2c-synquacer.c
+@@ -351,7 +351,7 @@ static int synquacer_i2c_doxfer(struct s
+ /* wait 2 clock periods to ensure the stop has been through the bus */
+ udelay(DIV_ROUND_UP(2 * 1000, i2c->speed_khz));
+
+- return 0;
++ return ret;
+ }
+
+ static irqreturn_t synquacer_i2c_isr(int irq, void *dev_id)
--- /dev/null
+From f40019475bbbe9b455e7fd4385fcf13896c492ca Mon Sep 17 00:00:00 2001
+From: Petr Vorel <pvorel@suse.cz>
+Date: Wed, 15 May 2019 08:18:07 +0200
+Subject: ima: fix wrong signed policy requirement when not appraising
+
+From: Petr Vorel <pvorel@suse.cz>
+
+commit f40019475bbbe9b455e7fd4385fcf13896c492ca upstream.
+
+Kernel booted just with ima_policy=tcb (not with
+ima_policy=appraise_tcb) shouldn't require signed policy.
+
+Regression found with LTP test ima_policy.sh.
+
+Fixes: c52657d93b05 ("ima: refactor ima_init_policy()")
+Cc: stable@vger.kernel.org (linux-5.0)
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/ima/ima_policy.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -498,10 +498,11 @@ static void add_rules(struct ima_rule_en
+
+ list_add_tail(&entry->list, &ima_policy_rules);
+ }
+- if (entries[i].action == APPRAISE)
++ if (entries[i].action == APPRAISE) {
+ temp_ima_appraise |= ima_appraise_flag(entries[i].func);
+- if (entries[i].func == POLICY_CHECK)
+- temp_ima_appraise |= IMA_APPRAISE_POLICY;
++ if (entries[i].func == POLICY_CHECK)
++ temp_ima_appraise |= IMA_APPRAISE_POLICY;
++ }
+ }
+ }
+
--- /dev/null
+From 8cdc23a3d9ec0944000ad43bad588e36afdc38cd Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@huawei.com>
+Date: Wed, 29 May 2019 15:30:35 +0200
+Subject: ima: show rules with IMA_INMASK correctly
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+commit 8cdc23a3d9ec0944000ad43bad588e36afdc38cd upstream.
+
+Show the '^' character when a policy rule has flag IMA_INMASK.
+
+Fixes: 80eae209d63ac ("IMA: allow reading back the current IMA policy")
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/ima/ima_policy.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -1147,10 +1147,10 @@ enum {
+ };
+
+ static const char *const mask_tokens[] = {
+- "MAY_EXEC",
+- "MAY_WRITE",
+- "MAY_READ",
+- "MAY_APPEND"
++ "^MAY_EXEC",
++ "^MAY_WRITE",
++ "^MAY_READ",
++ "^MAY_APPEND"
+ };
+
+ #define __ima_hook_stringify(str) (#str),
+@@ -1210,6 +1210,7 @@ int ima_policy_show(struct seq_file *m,
+ struct ima_rule_entry *entry = v;
+ int i;
+ char tbuf[64] = {0,};
++ int offset = 0;
+
+ rcu_read_lock();
+
+@@ -1233,15 +1234,17 @@ int ima_policy_show(struct seq_file *m,
+ if (entry->flags & IMA_FUNC)
+ policy_func_show(m, entry->func);
+
+- if (entry->flags & IMA_MASK) {
++ if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) {
++ if (entry->flags & IMA_MASK)
++ offset = 1;
+ if (entry->mask & MAY_EXEC)
+- seq_printf(m, pt(Opt_mask), mt(mask_exec));
++ seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset);
+ if (entry->mask & MAY_WRITE)
+- seq_printf(m, pt(Opt_mask), mt(mask_write));
++ seq_printf(m, pt(Opt_mask), mt(mask_write) + offset);
+ if (entry->mask & MAY_READ)
+- seq_printf(m, pt(Opt_mask), mt(mask_read));
++ seq_printf(m, pt(Opt_mask), mt(mask_read) + offset);
+ if (entry->mask & MAY_APPEND)
+- seq_printf(m, pt(Opt_mask), mt(mask_append));
++ seq_printf(m, pt(Opt_mask), mt(mask_append) + offset);
+ seq_puts(m, " ");
+ }
+
--- /dev/null
+From 0600597c854e53d2f9b7a6a718c1da2b8b4cb4db Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Fri, 31 May 2019 22:30:42 -0700
+Subject: kasan: initialize tag to 0xff in __kasan_kmalloc
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+commit 0600597c854e53d2f9b7a6a718c1da2b8b4cb4db upstream.
+
+When building with -Wuninitialized and CONFIG_KASAN_SW_TAGS unset, Clang
+warns:
+
+mm/kasan/common.c:484:40: warning: variable 'tag' is uninitialized when
+used here [-Wuninitialized]
+ kasan_unpoison_shadow(set_tag(object, tag), size);
+ ^~~
+
+set_tag ignores tag in this configuration but clang doesn't realize it at
+this point in its pipeline, as it points to arch_kasan_set_tag as being
+the point where it is used, which will later be expanded to (void
+*)(object) without a use of tag. Initialize tag to 0xff, as it removes
+this warning and doesn't change the meaning of the code.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/465
+Link: http://lkml.kernel.org/r/20190502163057.6603-1-natechancellor@gmail.com
+Fixes: 7f94ffbc4c6a ("kasan: add hooks implementation for tag-based mode")
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
+Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/kasan/common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/kasan/common.c
++++ b/mm/kasan/common.c
+@@ -472,7 +472,7 @@ static void *__kasan_kmalloc(struct kmem
+ {
+ unsigned long redzone_start;
+ unsigned long redzone_end;
+- u8 tag;
++ u8 tag = 0xff;
+
+ if (gfpflags_allow_blocking(flags))
+ quarantine_reduce();
--- /dev/null
+From 98af37d624ed8c83f1953b1b6b2f6866011fc064 Mon Sep 17 00:00:00 2001
+From: Zhenliang Wei <weizhenliang@huawei.com>
+Date: Fri, 31 May 2019 22:30:52 -0700
+Subject: kernel/signal.c: trace_signal_deliver when signal_group_exit
+
+From: Zhenliang Wei <weizhenliang@huawei.com>
+
+commit 98af37d624ed8c83f1953b1b6b2f6866011fc064 upstream.
+
+In the fixes commit, removing SIGKILL from each thread signal mask and
+executing "goto fatal" directly will skip the call to
+"trace_signal_deliver". At this point, the delivery tracking of the
+SIGKILL signal will be inaccurate.
+
+Therefore, we need to add trace_signal_deliver before "goto fatal" after
+executing sigdelset.
+
+Note: SEND_SIG_NOINFO matches the fact that SIGKILL doesn't have any info.
+
+Link: http://lkml.kernel.org/r/20190425025812.91424-1-weizhenliang@huawei.com
+Fixes: cf43a757fd4944 ("signal: Restore the stop PTRACE_EVENT_EXIT")
+Signed-off-by: Zhenliang Wei <weizhenliang@huawei.com>
+Reviewed-by: Christian Brauner <christian@brauner.io>
+Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Ivan Delalande <colona@arista.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Deepa Dinamani <deepa.kernel@gmail.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/signal.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2441,6 +2441,8 @@ relock:
+ if (signal_group_exit(signal)) {
+ ksig->info.si_signo = signr = SIGKILL;
+ sigdelset(¤t->pending.signal, SIGKILL);
++ trace_signal_deliver(SIGKILL, SEND_SIG_NOINFO,
++ &sighand->action[SIGKILL - 1]);
+ recalc_sigpending();
+ goto fatal;
+ }
--- /dev/null
+From 3e8589963773a5c23e2f1fe4bcad0e9a90b7f471 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Fri, 31 May 2019 22:30:26 -0700
+Subject: memcg: make it work on sparse non-0-node systems
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 3e8589963773a5c23e2f1fe4bcad0e9a90b7f471 upstream.
+
+We have a single node system with node 0 disabled:
+ Scanning NUMA topology in Northbridge 24
+ Number of physical nodes 2
+ Skipping disabled node 0
+ Node 1 MemBase 0000000000000000 Limit 00000000fbff0000
+ NODE_DATA(1) allocated [mem 0xfbfda000-0xfbfeffff]
+
+This causes crashes in memcg when system boots:
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+ #PF error: [normal kernel read fault]
+...
+ RIP: 0010:list_lru_add+0x94/0x170
+...
+ Call Trace:
+ d_lru_add+0x44/0x50
+ dput.part.34+0xfc/0x110
+ __fput+0x108/0x230
+ task_work_run+0x9f/0xc0
+ exit_to_usermode_loop+0xf5/0x100
+
+It is reproducible as far as 4.12. I did not try older kernels. You have
+to have a new enough systemd, e.g. 241 (the reason is unknown -- was not
+investigated). Cannot be reproduced with systemd 234.
+
+The system crashes because the size of lru array is never updated in
+memcg_update_all_list_lrus and the reads are past the zero-sized array,
+causing dereferences of random memory.
+
+The root cause are list_lru_memcg_aware checks in the list_lru code. The
+test in list_lru_memcg_aware is broken: it assumes node 0 is always
+present, but it is not true on some systems as can be seen above.
+
+So fix this by avoiding checks on node 0. Remember the memcg-awareness by
+a bool flag in struct list_lru.
+
+Link: http://lkml.kernel.org/r/20190522091940.3615-1-jslaby@suse.cz
+Fixes: 60d3fd32a7a9 ("list_lru: introduce per-memcg lists")
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Suggested-by: Vladimir Davydov <vdavydov.dev@gmail.com>
+Acked-by: Vladimir Davydov <vdavydov.dev@gmail.com>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Raghavendra K T <raghavendra.kt@linux.vnet.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/list_lru.h | 1 +
+ mm/list_lru.c | 8 +++-----
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+--- a/include/linux/list_lru.h
++++ b/include/linux/list_lru.h
+@@ -54,6 +54,7 @@ struct list_lru {
+ #ifdef CONFIG_MEMCG_KMEM
+ struct list_head list;
+ int shrinker_id;
++ bool memcg_aware;
+ #endif
+ };
+
+--- a/mm/list_lru.c
++++ b/mm/list_lru.c
+@@ -37,11 +37,7 @@ static int lru_shrinker_id(struct list_l
+
+ static inline bool list_lru_memcg_aware(struct list_lru *lru)
+ {
+- /*
+- * This needs node 0 to be always present, even
+- * in the systems supporting sparse numa ids.
+- */
+- return !!lru->node[0].memcg_lrus;
++ return lru->memcg_aware;
+ }
+
+ static inline struct list_lru_one *
+@@ -451,6 +447,8 @@ static int memcg_init_list_lru(struct li
+ {
+ int i;
+
++ lru->memcg_aware = memcg_aware;
++
+ if (!memcg_aware)
+ return 0;
+
--- /dev/null
+From e577c8b64d58fe307ea4d5149d31615df2d90861 Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Fri, 31 May 2019 22:30:59 -0700
+Subject: mm, compaction: make sure we isolate a valid PFN
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+commit e577c8b64d58fe307ea4d5149d31615df2d90861 upstream.
+
+When we have holes in a normal memory zone, we could endup having
+cached_migrate_pfns which may not necessarily be valid, under heavy memory
+pressure with swapping enabled ( via __reset_isolation_suitable(),
+triggered by kswapd).
+
+Later if we fail to find a page via fast_isolate_freepages(), we may end
+up using the migrate_pfn we started the search with, as valid page. This
+could lead to accessing NULL pointer derefernces like below, due to an
+invalid mem_section pointer.
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 [47/1825]
+ Mem abort info:
+ ESR = 0x96000004
+ Exception class = DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ Data abort info:
+ ISV = 0, ISS = 0x00000004
+ CM = 0, WnR = 0
+ user pgtable: 4k pages, 48-bit VAs, pgdp = 0000000082f94ae9
+ [0000000000000008] pgd=0000000000000000
+ Internal error: Oops: 96000004 [#1] SMP
+ ...
+ CPU: 10 PID: 6080 Comm: qemu-system-aar Not tainted 510-rc1+ #6
+ Hardware name: AmpereComputing(R) OSPREY EV-883832-X3-0001/OSPREY, BIOS 4819 09/25/2018
+ pstate: 60000005 (nZCv daif -PAN -UAO)
+ pc : set_pfnblock_flags_mask+0x58/0xe8
+ lr : compaction_alloc+0x300/0x950
+ [...]
+ Process qemu-system-aar (pid: 6080, stack limit = 0x0000000095070da5)
+ Call trace:
+ set_pfnblock_flags_mask+0x58/0xe8
+ compaction_alloc+0x300/0x950
+ migrate_pages+0x1a4/0xbb0
+ compact_zone+0x750/0xde8
+ compact_zone_order+0xd8/0x118
+ try_to_compact_pages+0xb4/0x290
+ __alloc_pages_direct_compact+0x84/0x1e0
+ __alloc_pages_nodemask+0x5e0/0xe18
+ alloc_pages_vma+0x1cc/0x210
+ do_huge_pmd_anonymous_page+0x108/0x7c8
+ __handle_mm_fault+0xdd4/0x1190
+ handle_mm_fault+0x114/0x1c0
+ __get_user_pages+0x198/0x3c0
+ get_user_pages_unlocked+0xb4/0x1d8
+ __gfn_to_pfn_memslot+0x12c/0x3b8
+ gfn_to_pfn_prot+0x4c/0x60
+ kvm_handle_guest_abort+0x4b0/0xcd8
+ handle_exit+0x140/0x1b8
+ kvm_arch_vcpu_ioctl_run+0x260/0x768
+ kvm_vcpu_ioctl+0x490/0x898
+ do_vfs_ioctl+0xc4/0x898
+ ksys_ioctl+0x8c/0xa0
+ __arm64_sys_ioctl+0x28/0x38
+ el0_svc_common+0x74/0x118
+ el0_svc_handler+0x38/0x78
+ el0_svc+0x8/0xc
+ Code: f8607840 f100001f 8b011401 9a801020 (f9400400)
+ ---[ end trace af6a35219325a9b6 ]---
+
+The issue was reported on an arm64 server with 128GB with holes in the
+zone (e.g, [32GB@4GB, 96GB@544GB]), with a swap device enabled, while
+running 100 KVM guest instances.
+
+This patch fixes the issue by ensuring that the page belongs to a valid
+PFN when we fallback to using the lower limit of the scan range upon
+failure in fast_isolate_freepages().
+
+Link: http://lkml.kernel.org/r/1558711908-15688-1-git-send-email-suzuki.poulose@arm.com
+Fixes: 5a811889de10f1eb ("mm, compaction: use free lists to quickly locate a migration target")
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reported-by: Marc Zyngier <marc.zyngier@arm.com>
+Reviewed-by: Mel Gorman <mgorman@techsingularity.net>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Qian Cai <cai@lca.pw>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/compaction.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/compaction.c
++++ b/mm/compaction.c
+@@ -1397,7 +1397,7 @@ fast_isolate_freepages(struct compact_co
+ page = pfn_to_page(highest);
+ cc->free_pfn = highest;
+ } else {
+- if (cc->direct_compaction) {
++ if (cc->direct_compaction && pfn_valid(min_pfn)) {
+ page = pfn_to_page(min_pfn);
+ cc->free_pfn = min_pfn;
+ }
--- /dev/null
+From 9852ae3fe5293264f01c49f2571ef7688f7823ce Mon Sep 17 00:00:00 2001
+From: Chris Down <chris@chrisdown.name>
+Date: Fri, 31 May 2019 22:30:22 -0700
+Subject: mm, memcg: consider subtrees in memory.events
+
+From: Chris Down <chris@chrisdown.name>
+
+commit 9852ae3fe5293264f01c49f2571ef7688f7823ce upstream.
+
+memory.stat and other files already consider subtrees in their output, and
+we should too in order to not present an inconsistent interface.
+
+The current situation is fairly confusing, because people interacting with
+cgroups expect hierarchical behaviour in the vein of memory.stat,
+cgroup.events, and other files. For example, this causes confusion when
+debugging reclaim events under low, as currently these always read "0" at
+non-leaf memcg nodes, which frequently causes people to misdiagnose breach
+behaviour. The same confusion applies to other counters in this file when
+debugging issues.
+
+Aggregation is done at write time instead of at read-time since these
+counters aren't hot (unlike memory.stat which is per-page, so it does it
+at read time), and it makes sense to bundle this with the file
+notifications.
+
+After this patch, events are propagated up the hierarchy:
+
+ [root@ktst ~]# cat /sys/fs/cgroup/system.slice/memory.events
+ low 0
+ high 0
+ max 0
+ oom 0
+ oom_kill 0
+ [root@ktst ~]# systemd-run -p MemoryMax=1 true
+ Running as unit: run-r251162a189fb4562b9dabfdc9b0422f5.service
+ [root@ktst ~]# cat /sys/fs/cgroup/system.slice/memory.events
+ low 0
+ high 0
+ max 7
+ oom 1
+ oom_kill 1
+
+As this is a change in behaviour, this can be reverted to the old
+behaviour by mounting with the `memory_localevents' flag set. However, we
+use the new behaviour by default as there's a lack of evidence that there
+are any current users of memory.events that would find this change
+undesirable.
+
+akpm: this is a behaviour change, so Cc:stable. THis is so that
+forthcoming distros which use cgroup v2 are more likely to pick up the
+revised behaviour.
+
+Link: http://lkml.kernel.org/r/20190208224419.GA24772@chrisdown.name
+Signed-off-by: Chris Down <chris@chrisdown.name>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Roman Gushchin <guro@fb.com>
+Cc: Dennis Zhou <dennis@kernel.org>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/admin-guide/cgroup-v2.rst | 9 +++++++++
+ include/linux/cgroup-defs.h | 5 +++++
+ include/linux/memcontrol.h | 10 ++++++++--
+ kernel/cgroup/cgroup.c | 16 ++++++++++++++--
+ 4 files changed, 36 insertions(+), 4 deletions(-)
+
+--- a/Documentation/admin-guide/cgroup-v2.rst
++++ b/Documentation/admin-guide/cgroup-v2.rst
+@@ -177,6 +177,15 @@ cgroup v2 currently supports the followi
+ ignored on non-init namespace mounts. Please refer to the
+ Delegation section for details.
+
++ memory_localevents
++
++ Only populate memory.events with data for the current cgroup,
++ and not any subtrees. This is legacy behaviour, the default
++ behaviour without this option is to include subtree counts.
++ This option is system wide and can only be set on mount or
++ modified through remount from the init namespace. The mount
++ option is ignored on non-init namespace mounts.
++
+
+ Organizing Processes and Threads
+ --------------------------------
+--- a/include/linux/cgroup-defs.h
++++ b/include/linux/cgroup-defs.h
+@@ -83,6 +83,11 @@ enum {
+ * Enable cpuset controller in v1 cgroup to use v2 behavior.
+ */
+ CGRP_ROOT_CPUSET_V2_MODE = (1 << 4),
++
++ /*
++ * Enable legacy local memory.events.
++ */
++ CGRP_ROOT_MEMORY_LOCAL_EVENTS = (1 << 5),
+ };
+
+ /* cftype->flags */
+--- a/include/linux/memcontrol.h
++++ b/include/linux/memcontrol.h
+@@ -777,8 +777,14 @@ static inline void count_memcg_event_mm(
+ static inline void memcg_memory_event(struct mem_cgroup *memcg,
+ enum memcg_memory_event event)
+ {
+- atomic_long_inc(&memcg->memory_events[event]);
+- cgroup_file_notify(&memcg->events_file);
++ do {
++ atomic_long_inc(&memcg->memory_events[event]);
++ cgroup_file_notify(&memcg->events_file);
++
++ if (cgrp_dfl_root.flags & CGRP_ROOT_MEMORY_LOCAL_EVENTS)
++ break;
++ } while ((memcg = parent_mem_cgroup(memcg)) &&
++ !mem_cgroup_is_root(memcg));
+ }
+
+ static inline void memcg_memory_event_mm(struct mm_struct *mm,
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -1775,11 +1775,13 @@ int cgroup_show_path(struct seq_file *sf
+
+ enum cgroup2_param {
+ Opt_nsdelegate,
++ Opt_memory_localevents,
+ nr__cgroup2_params
+ };
+
+ static const struct fs_parameter_spec cgroup2_param_specs[] = {
+- fsparam_flag ("nsdelegate", Opt_nsdelegate),
++ fsparam_flag("nsdelegate", Opt_nsdelegate),
++ fsparam_flag("memory_localevents", Opt_memory_localevents),
+ {}
+ };
+
+@@ -1802,6 +1804,9 @@ static int cgroup2_parse_param(struct fs
+ case Opt_nsdelegate:
+ ctx->flags |= CGRP_ROOT_NS_DELEGATE;
+ return 0;
++ case Opt_memory_localevents:
++ ctx->flags |= CGRP_ROOT_MEMORY_LOCAL_EVENTS;
++ return 0;
+ }
+ return -EINVAL;
+ }
+@@ -1813,6 +1818,11 @@ static void apply_cgroup_root_flags(unsi
+ cgrp_dfl_root.flags |= CGRP_ROOT_NS_DELEGATE;
+ else
+ cgrp_dfl_root.flags &= ~CGRP_ROOT_NS_DELEGATE;
++
++ if (root_flags & CGRP_ROOT_MEMORY_LOCAL_EVENTS)
++ cgrp_dfl_root.flags |= CGRP_ROOT_MEMORY_LOCAL_EVENTS;
++ else
++ cgrp_dfl_root.flags &= ~CGRP_ROOT_MEMORY_LOCAL_EVENTS;
+ }
+ }
+
+@@ -1820,6 +1830,8 @@ static int cgroup_show_options(struct se
+ {
+ if (cgrp_dfl_root.flags & CGRP_ROOT_NS_DELEGATE)
+ seq_puts(seq, ",nsdelegate");
++ if (cgrp_dfl_root.flags & CGRP_ROOT_MEMORY_LOCAL_EVENTS)
++ seq_puts(seq, ",memory_localevents");
+ return 0;
+ }
+
+@@ -6122,7 +6134,7 @@ static struct kobj_attribute cgroup_dele
+ static ssize_t features_show(struct kobject *kobj, struct kobj_attribute *attr,
+ char *buf)
+ {
+- return snprintf(buf, PAGE_SIZE, "nsdelegate\n");
++ return snprintf(buf, PAGE_SIZE, "nsdelegate\nmemory_localevents\n");
+ }
+ static struct kobj_attribute cgroup_features_attr = __ATTR_RO(features);
+
--- /dev/null
+From 141731d15d6eb2fd9aaefbf9b935ce86ae243074 Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Mon, 20 May 2019 10:33:07 -0400
+Subject: Revert "lockd: Show pid of lockd for remote locks"
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+commit 141731d15d6eb2fd9aaefbf9b935ce86ae243074 upstream.
+
+This reverts most of commit b8eee0e90f97 ("lockd: Show pid of lockd for
+remote locks"), which caused remote locks to not be differentiated between
+remote processes for NLM.
+
+We retain the fixup for setting the client's fl_pid to a negative value.
+
+Fixes: b8eee0e90f97 ("lockd: Show pid of lockd for remote locks")
+Cc: stable@vger.kernel.org
+
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Reviewed-by: XueWei Zhang <xueweiz@google.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/lockd/xdr.c | 4 ++--
+ fs/lockd/xdr4.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/lockd/xdr.c
++++ b/fs/lockd/xdr.c
+@@ -127,7 +127,7 @@ nlm_decode_lock(__be32 *p, struct nlm_lo
+
+ locks_init_lock(fl);
+ fl->fl_owner = current->files;
+- fl->fl_pid = current->tgid;
++ fl->fl_pid = (pid_t)lock->svid;
+ fl->fl_flags = FL_POSIX;
+ fl->fl_type = F_RDLCK; /* as good as anything else */
+ start = ntohl(*p++);
+@@ -269,7 +269,7 @@ nlmsvc_decode_shareargs(struct svc_rqst
+ memset(lock, 0, sizeof(*lock));
+ locks_init_lock(&lock->fl);
+ lock->svid = ~(u32) 0;
+- lock->fl.fl_pid = current->tgid;
++ lock->fl.fl_pid = (pid_t)lock->svid;
+
+ if (!(p = nlm_decode_cookie(p, &argp->cookie))
+ || !(p = xdr_decode_string_inplace(p, &lock->caller,
+--- a/fs/lockd/xdr4.c
++++ b/fs/lockd/xdr4.c
+@@ -119,7 +119,7 @@ nlm4_decode_lock(__be32 *p, struct nlm_l
+
+ locks_init_lock(fl);
+ fl->fl_owner = current->files;
+- fl->fl_pid = current->tgid;
++ fl->fl_pid = (pid_t)lock->svid;
+ fl->fl_flags = FL_POSIX;
+ fl->fl_type = F_RDLCK; /* as good as anything else */
+ p = xdr_decode_hyper(p, &start);
+@@ -266,7 +266,7 @@ nlm4svc_decode_shareargs(struct svc_rqst
+ memset(lock, 0, sizeof(*lock));
+ locks_init_lock(&lock->fl);
+ lock->svid = ~(u32) 0;
+- lock->fl.fl_pid = current->tgid;
++ lock->fl.fl_pid = (pid_t)lock->svid;
+
+ if (!(p = nlm4_decode_cookie(p, &argp->cookie))
+ || !(p = xdr_decode_string_inplace(p, &lock->caller,
--- /dev/null
+From 099506cbbc79c0bd52b19cb6b930f256dabc3950 Mon Sep 17 00:00:00 2001
+From: "George G. Davis" <george_davis@mentor.com>
+Date: Tue, 14 May 2019 23:29:34 -0400
+Subject: serial: sh-sci: disable DMA for uart_console
+
+From: George G. Davis <george_davis@mentor.com>
+
+commit 099506cbbc79c0bd52b19cb6b930f256dabc3950 upstream.
+
+As noted in commit 84b40e3b57ee ("serial: 8250: omap: Disable DMA for
+console UART"), UART console lines use low-level PIO only access functions
+which will conflict with use of the line when DMA is enabled, e.g. when
+the console line is also used for systemd messages. So disable DMA
+support for UART console lines.
+
+Reported-by: Michael Rodin <mrodin@de.adit-jv.com>
+Link: https://patchwork.kernel.org/patch/10929511/
+Tested-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: stable@vger.kernel.org
+Signed-off-by: George G. Davis <george_davis@mentor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/sh-sci.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -1557,6 +1557,13 @@ static void sci_request_dma(struct uart_
+
+ dev_dbg(port->dev, "%s: port %d\n", __func__, port->line);
+
++ /*
++ * DMA on console may interfere with Kernel log messages which use
++ * plain putchar(). So, simply don't use it with a console.
++ */
++ if (uart_console(port))
++ return;
++
+ if (!port->dev->of_node)
+ return;
+
alsa-hda-realtek-set-default-power-save-node-to-0.patch
alsa-hda-realtek-improve-the-headset-mic-for-acer-aspire-laptops.patch
kvm-s390-do-not-report-unusabled-ids-via-kvm_cap_max_vcpu_id.patch
+drm-nouveau-i2c-disable-i2c-bus-access-after-fini.patch
+i2c-mlxcpld-fix-wrong-initialization-order-in-probe.patch
+i2c-synquacer-fix-synquacer_i2c_doxfer-return-value.patch
+tty-serial-msm_serial-fix-xon-xoff.patch
+tty-max310x-fix-external-crystal-register-setup.patch
+mm-memcg-consider-subtrees-in-memory.events.patch
+memcg-make-it-work-on-sparse-non-0-node-systems.patch
+kasan-initialize-tag-to-0xff-in-__kasan_kmalloc.patch
+kernel-signal.c-trace_signal_deliver-when-signal_group_exit.patch
+signal-arm64-use-force_sig-not-force_sig_fault-for-sigkill.patch
+mm-compaction-make-sure-we-isolate-a-valid-pfn.patch
+arm64-fix-the-arm64_personality-syscall-wrapper-redirection.patch
+docs-fix-conf.py-for-sphinx-2.0.patch
+doc-cope-with-the-deprecation-of-autoreporter.patch
+doc-cope-with-sphinx-logging-deprecations.patch
+x86-ima-check-efi_runtime_services-before-using.patch
+ima-fix-wrong-signed-policy-requirement-when-not-appraising.patch
+ima-show-rules-with-ima_inmask-correctly.patch
+evm-check-hash-algorithm-passed-to-init_desc.patch
+clk-imx-imx8mm-fix-int-pll-clk-gate.patch
+vt-fbcon-deinitialize-resources-in-visual_init-after-failed-memory-allocation.patch
+serial-sh-sci-disable-dma-for-uart_console.patch
+staging-vc04_services-prevent-integer-overflow-in-create_pagelist.patch
+staging-wlan-ng-fix-adapter-initialization-failure.patch
+cifs-fix-memory-leak-of-pneg_inbuf-on-eopnotsupp-ioctl-case.patch
+cifs-cifs_read_allocate_pages-don-t-iterate-through-whole-page-array-on-enomem.patch
+revert-lockd-show-pid-of-lockd-for-remote-locks.patch
+gcc-plugins-fix-build-failures-under-darwin-host.patch
--- /dev/null
+From d76cac67db40c172791ce07948367b96a758e45b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Thu, 23 May 2019 11:11:19 -0500
+Subject: signal/arm64: Use force_sig not force_sig_fault for SIGKILL
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit d76cac67db40c172791ce07948367b96a758e45b upstream.
+
+I don't think this is userspace visible but SIGKILL does not have
+any si_codes that use the fault member of the siginfo union. Correct
+this the simple way and call force_sig instead of force_sig_fault when
+the signal is SIGKILL.
+
+The two know places where synchronous SIGKILL are generated are
+do_bad_area and fpsimd_save. The call paths to force_sig_fault are:
+do_bad_area
+ arm64_force_sig_fault
+ force_sig_fault
+force_signal_inject
+ arm64_notify_die
+ arm64_force_sig_fault
+ force_sig_fault
+
+Which means correcting this in arm64_force_sig_fault is enough
+to ensure the arm64 code is not misusing the generic code, which
+could lead to maintenance problems later.
+
+Cc: stable@vger.kernel.org
+Cc: Dave Martin <Dave.Martin@arm.com>
+Cc: James Morse <james.morse@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Fixes: af40ff687bc9 ("arm64: signal: Ensure si_code is valid for all fault signals")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/traps.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/traps.c
++++ b/arch/arm64/kernel/traps.c
+@@ -256,7 +256,10 @@ void arm64_force_sig_fault(int signo, in
+ const char *str)
+ {
+ arm64_show_signal(signo, str);
+- force_sig_fault(signo, code, addr, current);
++ if (signo == SIGKILL)
++ force_sig(SIGKILL, current);
++ else
++ force_sig_fault(signo, code, addr, current);
+ }
+
+ void arm64_force_sig_mceerr(int code, void __user *addr, short lsb,
--- /dev/null
+From ca641bae6da977d638458e78cd1487b6160a2718 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 15 May 2019 12:38:33 +0300
+Subject: staging: vc04_services: prevent integer overflow in create_pagelist()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit ca641bae6da977d638458e78cd1487b6160a2718 upstream.
+
+The create_pagelist() "count" parameter comes from the user in
+vchiq_ioctl() and it could overflow. If you look at how create_page()
+is called in vchiq_prepare_bulk_data(), then the "size" variable is an
+int so it doesn't make sense to allow negatives or larger than INT_MAX.
+
+I don't know this code terribly well, but I believe that typical values
+of "count" are typically quite low and I don't think this check will
+affect normal valid uses at all.
+
+The "pagelist_size" calculation can also overflow on 32 bit systems, but
+not on 64 bit systems. I have added an integer overflow check for that
+as well.
+
+The Raspberry PI doesn't offer the same level of memory protection that
+x86 does so these sorts of bugs are probably not super critical to fix.
+
+Fixes: 71bad7f08641 ("staging: add bcm2708 vchiq driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
+@@ -398,9 +398,18 @@ create_pagelist(char __user *buf, size_t
+ int dma_buffers;
+ dma_addr_t dma_addr;
+
++ if (count >= INT_MAX - PAGE_SIZE)
++ return NULL;
++
+ offset = ((unsigned int)(unsigned long)buf & (PAGE_SIZE - 1));
+ num_pages = DIV_ROUND_UP(count + offset, PAGE_SIZE);
+
++ if (num_pages > (SIZE_MAX - sizeof(struct pagelist) -
++ sizeof(struct vchiq_pagelist_info)) /
++ (sizeof(u32) + sizeof(pages[0]) +
++ sizeof(struct scatterlist)))
++ return NULL;
++
+ pagelist_size = sizeof(struct pagelist) +
+ (num_pages * sizeof(u32)) +
+ (num_pages * sizeof(pages[0]) +
--- /dev/null
+From a67fedd788182764dc8ed59037c604b7e60349f1 Mon Sep 17 00:00:00 2001
+From: Tim Collier <osdevtc@gmail.com>
+Date: Sat, 11 May 2019 18:40:46 +0100
+Subject: staging: wlan-ng: fix adapter initialization failure
+
+From: Tim Collier <osdevtc@gmail.com>
+
+commit a67fedd788182764dc8ed59037c604b7e60349f1 upstream.
+
+Commit e895f00a8496 ("Staging: wlan-ng: hfa384x_usb.c Fixed too long
+code line warnings.") moved the retrieval of the transfer buffer from
+the URB from the top of function hfa384x_usbin_callback to a point
+after reposting of the URB via a call to submit_rx_urb. The reposting
+of the URB allocates a new transfer buffer so the new buffer is
+retrieved instead of the buffer containing the response passed into
+the callback. This results in failure to initialize the adapter with
+an error reported in the system log (something like "CTLX[1] error:
+state(Request failed)").
+
+This change moves the retrieval to just before the point where the URB
+is reposted so that the correct transfer buffer is retrieved and
+initialization of the device succeeds.
+
+Signed-off-by: Tim Collier <osdevtc@gmail.com>
+Fixes: e895f00a8496 ("Staging: wlan-ng: hfa384x_usb.c Fixed too long code line warnings.")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/wlan-ng/hfa384x_usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/wlan-ng/hfa384x_usb.c
++++ b/drivers/staging/wlan-ng/hfa384x_usb.c
+@@ -3119,7 +3119,9 @@ static void hfa384x_usbin_callback(struc
+ break;
+ }
+
++ /* Save values from the RX URB before reposting overwrites it. */
+ urb_status = urb->status;
++ usbin = (union hfa384x_usbin *)urb->transfer_buffer;
+
+ if (action != ABORT) {
+ /* Repost the RX URB */
+@@ -3136,7 +3138,6 @@ static void hfa384x_usbin_callback(struc
+ /* Note: the check of the sw_support field, the type field doesn't
+ * have bit 12 set like the docs suggest.
+ */
+- usbin = (union hfa384x_usbin *)urb->transfer_buffer;
+ type = le16_to_cpu(usbin->type);
+ if (HFA384x_USB_ISRXFRM(type)) {
+ if (action == HANDLE) {
--- /dev/null
+From 5d24f455c182d5116dd5db8e1dc501115ecc9c2c Mon Sep 17 00:00:00 2001
+From: Joe Burmeister <joe.burmeister@devtank.co.uk>
+Date: Mon, 13 May 2019 11:23:57 +0100
+Subject: tty: max310x: Fix external crystal register setup
+
+From: Joe Burmeister <joe.burmeister@devtank.co.uk>
+
+commit 5d24f455c182d5116dd5db8e1dc501115ecc9c2c upstream.
+
+The datasheet states:
+
+ Bit 4: ClockEnSet the ClockEn bit high to enable an external clocking
+(crystal or clock generator at XIN). Set the ClockEn bit to 0 to disable
+clocking
+ Bit 1: CrystalEnSet the CrystalEn bit high to enable the crystal
+oscillator. When using an external clock source at XIN, CrystalEn must
+be set low.
+
+The bit 4, MAX310X_CLKSRC_EXTCLK_BIT, should be set and was not.
+
+This was required to make the MAX3107 with an external crystal on our
+board able to send or receive data.
+
+Signed-off-by: Joe Burmeister <joe.burmeister@devtank.co.uk>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/max310x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/max310x.c
++++ b/drivers/tty/serial/max310x.c
+@@ -581,7 +581,7 @@ static int max310x_set_ref_clk(struct de
+ }
+
+ /* Configure clock source */
+- clksrc = xtal ? MAX310X_CLKSRC_CRYST_BIT : MAX310X_CLKSRC_EXTCLK_BIT;
++ clksrc = MAX310X_CLKSRC_EXTCLK_BIT | (xtal ? MAX310X_CLKSRC_CRYST_BIT : 0);
+
+ /* Configure PLL */
+ if (pllcfg) {
--- /dev/null
+From 61c0e37950b88bad590056286c1d766b1f167f4e Mon Sep 17 00:00:00 2001
+From: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
+Date: Mon, 20 May 2019 20:38:48 +0200
+Subject: tty: serial: msm_serial: Fix XON/XOFF
+
+From: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
+
+commit 61c0e37950b88bad590056286c1d766b1f167f4e upstream.
+
+When the tty layer requests the uart to throttle, the current code
+executing in msm_serial will trigger "Bad mode in Error Handler" and
+generate an invalid stack frame in pstore before rebooting (that is if
+pstore is indeed configured: otherwise the user shall just notice a
+reboot with no further information dumped to the console).
+
+This patch replaces the PIO byte accessor with the word accessor
+already used in PIO mode.
+
+Fixes: 68252424a7c7 ("tty: serial: msm: Support big-endian CPUs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/msm_serial.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/msm_serial.c
++++ b/drivers/tty/serial/msm_serial.c
+@@ -860,6 +860,7 @@ static void msm_handle_tx(struct uart_po
+ struct circ_buf *xmit = &msm_port->uart.state->xmit;
+ struct msm_dma *dma = &msm_port->tx_dma;
+ unsigned int pio_count, dma_count, dma_min;
++ char buf[4] = { 0 };
+ void __iomem *tf;
+ int err = 0;
+
+@@ -869,10 +870,12 @@ static void msm_handle_tx(struct uart_po
+ else
+ tf = port->membase + UART_TF;
+
++ buf[0] = port->x_char;
++
+ if (msm_port->is_uartdm)
+ msm_reset_dm_count(port, 1);
+
+- iowrite8_rep(tf, &port->x_char, 1);
++ iowrite32_rep(tf, buf, 1);
+ port->icount.tx++;
+ port->x_char = 0;
+ return;
--- /dev/null
+From a1ad1cc9704f64c169261a76e1aee1cf1ae51832 Mon Sep 17 00:00:00 2001
+From: Grzegorz Halat <ghalat@redhat.com>
+Date: Fri, 26 Apr 2019 16:59:46 +0200
+Subject: vt/fbcon: deinitialize resources in visual_init() after failed memory allocation
+
+From: Grzegorz Halat <ghalat@redhat.com>
+
+commit a1ad1cc9704f64c169261a76e1aee1cf1ae51832 upstream.
+
+After memory allocation failure vc_allocate() doesn't clean up data
+which has been initialized in visual_init(). In case of fbcon this
+leads to divide-by-0 in fbcon_init() on next open of the same tty.
+
+memory allocation in vc_allocate() may fail here:
+1097: vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL);
+
+on next open() fbcon_init() skips vc_font.data initialization:
+1088: if (!p->fontdata) {
+
+division by zero in fbcon_init() happens here:
+1149: new_cols /= vc->vc_font.width;
+
+Additional check is needed in fbcon_deinit() to prevent
+usage of uninitialized vc_screenbuf:
+
+1251: if (vc->vc_hi_font_mask && vc->vc_screenbuf)
+1252: set_vc_hi_font(vc, false);
+
+Crash:
+
+ #6 [ffffc90001eafa60] divide_error at ffffffff81a00be4
+ [exception RIP: fbcon_init+463]
+ RIP: ffffffff814b860f RSP: ffffc90001eafb18 RFLAGS: 00010246
+...
+ #7 [ffffc90001eafb60] visual_init at ffffffff8154c36e
+ #8 [ffffc90001eafb80] vc_allocate at ffffffff8154f53c
+ #9 [ffffc90001eafbc8] con_install at ffffffff8154f624
+...
+
+Signed-off-by: Grzegorz Halat <ghalat@redhat.com>
+Reviewed-by: Oleksandr Natalenko <oleksandr@redhat.com>
+Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/vt.c | 11 +++++++++--
+ drivers/video/fbdev/core/fbcon.c | 2 +-
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -1056,6 +1056,13 @@ static void visual_init(struct vc_data *
+ vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row;
+ }
+
++
++static void visual_deinit(struct vc_data *vc)
++{
++ vc->vc_sw->con_deinit(vc);
++ module_put(vc->vc_sw->owner);
++}
++
+ int vc_allocate(unsigned int currcons) /* return 0 on success */
+ {
+ struct vt_notifier_param param;
+@@ -1103,6 +1110,7 @@ int vc_allocate(unsigned int currcons) /
+
+ return 0;
+ err_free:
++ visual_deinit(vc);
+ kfree(vc);
+ vc_cons[currcons].d = NULL;
+ return -ENOMEM;
+@@ -1331,9 +1339,8 @@ struct vc_data *vc_deallocate(unsigned i
+ param.vc = vc = vc_cons[currcons].d;
+ atomic_notifier_call_chain(&vt_notifier_list, VT_DEALLOCATE, ¶m);
+ vcs_remove_sysfs(currcons);
+- vc->vc_sw->con_deinit(vc);
++ visual_deinit(vc);
+ put_pid(vc->vt_pid);
+- module_put(vc->vc_sw->owner);
+ vc_uniscr_set(vc, NULL);
+ kfree(vc->vc_screenbuf);
+ vc_cons[currcons].d = NULL;
+--- a/drivers/video/fbdev/core/fbcon.c
++++ b/drivers/video/fbdev/core/fbcon.c
+@@ -1248,7 +1248,7 @@ finished:
+ if (free_font)
+ vc->vc_font.data = NULL;
+
+- if (vc->vc_hi_font_mask)
++ if (vc->vc_hi_font_mask && vc->vc_screenbuf)
+ set_vc_hi_font(vc, false);
+
+ if (!con_is_bound(&fb_con))
--- /dev/null
+From 558b523d46289f111d53d7c42211069063be5985 Mon Sep 17 00:00:00 2001
+From: Scott Wood <swood@redhat.com>
+Date: Tue, 23 Apr 2019 17:48:07 -0500
+Subject: x86/ima: Check EFI_RUNTIME_SERVICES before using
+
+From: Scott Wood <swood@redhat.com>
+
+commit 558b523d46289f111d53d7c42211069063be5985 upstream.
+
+Checking efi_enabled(EFI_BOOT) is not sufficient to ensure that
+EFI runtime services are available, e.g. if efi=noruntime is used.
+
+Without this, I get an oops on a PREEMPT_RT kernel where efi=noruntime is
+the default.
+
+Fixes: 399574c64eaf94e8 ("x86/ima: retry detecting secure boot mode")
+Cc: stable@vger.kernel.org (linux-5.0)
+Signed-off-by: Scott Wood <swood@redhat.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/ima_arch.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/kernel/ima_arch.c
++++ b/arch/x86/kernel/ima_arch.c
+@@ -17,6 +17,11 @@ static enum efi_secureboot_mode get_sb_m
+
+ size = sizeof(secboot);
+
++ if (!efi_enabled(EFI_RUNTIME_SERVICES)) {
++ pr_info("ima: secureboot mode unknown, no efi\n");
++ return efi_secureboot_mode_unknown;
++ }
++
+ /* Get variable contents into buffer */
+ status = efi.get_variable(efi_SecureBoot_name, &efi_variable_guid,
+ NULL, &size, &secboot);
projects / thirdparty / kernel / stable-queue.git / commitdiff
