--- /dev/null
+From 874bfc6e5422d2421f7e4d5ea318d30e91679dfe Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Thu, 29 Nov 2018 14:39:33 +0900
+Subject: arm64: ftrace: Fix to enable syscall events on arm64
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 874bfc6e5422d2421f7e4d5ea318d30e91679dfe upstream.
+
+Since commit 4378a7d4be30 ("arm64: implement syscall wrappers")
+introduced "__arm64_" prefix to all syscall wrapper symbols in
+sys_call_table, syscall tracer can not find corresponding
+metadata from syscall name. In the result, we have no syscall
+ftrace events on arm64 kernel, and some bpf testcases are failed
+on arm64.
+
+To fix this issue, this introduces custom
+arch_syscall_match_sym_name() which skips first 8 bytes when
+comparing the syscall and symbol names.
+
+Fixes: 4378a7d4be30 ("arm64: implement syscall wrappers")
+Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/ftrace.h | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/arch/arm64/include/asm/ftrace.h
++++ b/arch/arm64/include/asm/ftrace.h
+@@ -56,6 +56,19 @@ static inline bool arch_trace_is_compat_
+ {
+ return is_compat_task();
+ }
++
++#define ARCH_HAS_SYSCALL_MATCH_SYM_NAME
++
++static inline bool arch_syscall_match_sym_name(const char *sym,
++ const char *name)
++{
++ /*
++ * Since all syscall functions have __arm64_ prefix, we must skip it.
++ * However, as we described above, we decided to ignore compat
++ * syscalls, so we don't care about __arm64_compat_ prefix here.
++ */
++ return !strcmp(sym + 8, name);
++}
+ #endif /* ifndef __ASSEMBLY__ */
+
+ #endif /* __ASM_FTRACE_H */
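Review bot: `sym + 8` in arch_syscall_match_sym_name() assumes every symbol passed in is at least eight characters long; for a shorter string the pointer lands past the terminating NUL and strcmp() reads memory outside the name. The comment says all syscall functions carry the `__arm64_` prefix, so this presumably holds for sys_call_table entries, but the helper itself does not check it and its callers are not in this hunk. Deriving the offset from the prefix, `return !strcmp(sym + sizeof("__arm64_") - 1, name);`, would tie the constant to its meaning, and a `strncmp(sym, "__arm64_", 8)` guard before the skip would make the assumption explicit. The comment's "as we described above" points at text outside the hunk, so a reader of this function alone cannot follow the compat reasoning.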
--- /dev/null
+From c9e0ab86b2e03154bb898cd2f851827783224727 Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Mon, 19 Nov 2018 15:00:10 +0000
+Subject: drm/amd/dm: Don't forget to attach MST encoders
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lyude Paul <lyude@redhat.com>
+
+commit c9e0ab86b2e03154bb898cd2f851827783224727 upstream.
+
+The change fixed huge delay in SST daisy chain and S3 soft hang
+observed in 4.19 kernel rebase.
+
+Regression point in drm:
+drm/fb-helper: Eliminate the .best_encoder() usage
+
+The aux sequence is altered due to the failure in
+drm_connector_for_each_possible_encoder(). The failure is
+caused by missing attached encoder in the process of adding
+MST connector.
+
+drm_dp_send_enum_path_resources() aux transaction is pushed after
+mode probe, which causes conflict to drm_dp_mst_i2c_xfer(),
+leading to the transaction timeout.
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Reviewed-by: Jerry (Fangzhi) Zuo <Jerry.Zuo@amd.com>
+Cc: Stable <stable@vger.kernel.org>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+@@ -374,6 +374,8 @@ dm_dp_add_mst_connector(struct drm_dp_ms
+ master->connector_id);
+
+ aconnector->mst_encoder = dm_dp_create_fake_mst_encoder(master);
++ drm_connector_attach_encoder(&aconnector->base,
++ &aconnector->mst_encoder->base);
+
+ /*
+ * TODO: understand why this one is needed
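Review bot: The added drm_connector_attach_encoder() call takes `&aconnector->mst_encoder->base` straight from the result of dm_dp_create_fake_mst_encoder() on the line above without a NULL check, and its return value is dropped. If the fake-encoder constructor can fail (its body is not in this hunk), the attach would work on a pointer derived from NULL. A failed attach would also leave the connector without a possible encoder, which is the condition the commit message blames for the regression, so the result is worth checking and logging. dm_dp_add_mst_connector() begins and ends outside the hunk, so the matching cleanup path cannot be chosen from here.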
--- /dev/null
+From 04ac4b0ed412f65230b456fcd9aa07e13befff89 Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Mon, 19 Nov 2018 19:44:55 +0000
+Subject: drm/amd/dm: Understand why attaching path/tile properties are needed
+
+From: Lyude Paul <lyude@redhat.com>
+
+commit 04ac4b0ed412f65230b456fcd9aa07e13befff89 upstream.
+
+Path property is used for userspace to know what MST connector goes to what actual DRM DisplayPort connector, the tiling property is for tiling configurations. Not sure what else there is to figure out.
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Reviewed-by: Jerry (Fangzhi) Zuo <Jerry.Zuo@amd.com>
+Cc: Stable <stable@vger.kernel.org>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+@@ -377,9 +377,6 @@ dm_dp_add_mst_connector(struct drm_dp_ms
+ drm_connector_attach_encoder(&aconnector->base,
+ &aconnector->mst_encoder->base);
+
+- /*
+- * TODO: understand why this one is needed
+- */
+ drm_object_attach_property(
+ &connector->base,
+ dev->mode_config.path_property,
--- /dev/null
+From dc25ab067645eabd037f1a23d49a666f9e0b8c68 Mon Sep 17 00:00:00 2001
+From: Sam Bobroff <sbobroff@linux.ibm.com>
+Date: Mon, 5 Nov 2018 16:57:47 +1100
+Subject: drm/ast: Fix incorrect free on ioregs
+
+From: Sam Bobroff <sbobroff@linux.ibm.com>
+
+commit dc25ab067645eabd037f1a23d49a666f9e0b8c68 upstream.
+
+If the platform has no IO space, ioregs is placed next to the already
+allocated regs. In this case, it should not be separately freed.
+
+This prevents a kernel warning from __vunmap "Trying to vfree()
+nonexistent vm area" when unloading the driver.
+
+Fixes: 0dd68309b9c5 ("drm/ast: Try to use MMIO registers when PIO isn't supported")
+
+Signed-off-by: Sam Bobroff <sbobroff@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ast/ast_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ast/ast_main.c
++++ b/drivers/gpu/drm/ast/ast_main.c
+@@ -583,7 +583,8 @@ void ast_driver_unload(struct drm_device
+ drm_mode_config_cleanup(dev);
+
+ ast_mm_fini(ast);
+- pci_iounmap(dev->pdev, ast->ioregs);
++ if (ast->ioregs != ast->regs + AST_IO_MM_OFFSET)
++ pci_iounmap(dev->pdev, ast->ioregs);
+ pci_iounmap(dev->pdev, ast->regs);
+ kfree(ast);
+ }
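Review bot: The new condition in ast_driver_unload() encodes an ownership rule (ioregs is either its own mapping or an alias into regs) by repeating the `ast->regs + AST_IO_MM_OFFSET` arithmetic, and nothing at this site says so. A comment would keep the unload path in step with the code that sets ioregs, e.g. `/* ioregs aliases regs when the platform has no IO space; unmap it only if it is a separate mapping */`. The assignment side of the rule is outside the hunk; if it ever uses a different offset, this comparison silently goes back to unmapping the alias.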
--- /dev/null
+From 995b278e4723b26f8ebf0e7c119286d16c712747 Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Sat, 24 Nov 2018 14:12:38 -0500
+Subject: drm/meson: Enable fast_io in meson_dw_hdmi_regmap_config
+
+From: Lyude Paul <lyude@redhat.com>
+
+commit 995b278e4723b26f8ebf0e7c119286d16c712747 upstream.
+
+Seeing as we use this registermap in the context of our IRQ handlers, we
+need to be using spinlocks for reading/writing registers so that we can
+still read them from IRQ handlers without having to grab any mutexes and
+accidentally sleep. We don't currently do this, as pointed out by
+lockdep:
+
+[ 18.403770] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908
+[ 18.406744] in_atomic(): 1, irqs_disabled(): 128, pid: 68, name: kworker/u17:0
+[ 18.413864] INFO: lockdep is turned off.
+[ 18.417675] irq event stamp: 12
+[ 18.420778] hardirqs last enabled at (11): [<ffff000008a4f57c>] _raw_spin_unlock_irq+0x2c/0x60
+[ 18.429510] hardirqs last disabled at (12): [<ffff000008a48914>] __schedule+0xc4/0xa60
+[ 18.437345] softirqs last enabled at (0): [<ffff0000080b55e0>] copy_process.isra.4.part.5+0x4d8/0x1c50
+[ 18.446684] softirqs last disabled at (0): [<0000000000000000>] (null)
+[ 18.453979] CPU: 0 PID: 68 Comm: kworker/u17:0 Tainted: G W O 4.20.0-rc3Lyude-Test+ #9
+[ 18.469839] Hardware name: amlogic khadas-vim2/khadas-vim2, BIOS 2018.07-rc2-armbian 09/11/2018
+[ 18.480037] Workqueue: hci0 hci_power_on [bluetooth]
+[ 18.487138] Call trace:
+[ 18.494192] dump_backtrace+0x0/0x1b8
+[ 18.501280] show_stack+0x14/0x20
+[ 18.508361] dump_stack+0xbc/0xf4
+[ 18.515427] ___might_sleep+0x140/0x1d8
+[ 18.522515] __might_sleep+0x50/0x88
+[ 18.529582] __mutex_lock+0x60/0x870
+[ 18.536621] mutex_lock_nested+0x1c/0x28
+[ 18.543660] regmap_lock_mutex+0x10/0x18
+[ 18.550696] regmap_read+0x38/0x70
+[ 18.557727] dw_hdmi_hardirq+0x58/0x138 [dw_hdmi]
+[ 18.564804] __handle_irq_event_percpu+0xac/0x410
+[ 18.571891] handle_irq_event_percpu+0x34/0x88
+[ 18.578982] handle_irq_event+0x48/0x78
+[ 18.586051] handle_fasteoi_irq+0xac/0x160
+[ 18.593061] generic_handle_irq+0x24/0x38
+[ 18.599989] __handle_domain_irq+0x60/0xb8
+[ 18.606857] gic_handle_irq+0x50/0xa0
+[ 18.613659] el1_irq+0xb4/0x130
+[ 18.620394] debug_lockdep_rcu_enabled+0x2c/0x30
+[ 18.627111] schedule+0x38/0xa0
+[ 18.633781] schedule_timeout+0x3a8/0x510
+[ 18.640389] wait_for_common+0x15c/0x180
+[ 18.646905] wait_for_completion+0x14/0x20
+[ 18.653319] mmc_wait_for_req_done+0x28/0x168
+[ 18.659693] mmc_wait_for_req+0xa8/0xe8
+[ 18.665978] mmc_wait_for_cmd+0x64/0x98
+[ 18.672180] mmc_io_rw_direct_host+0x94/0x130
+[ 18.678385] mmc_io_rw_direct+0x10/0x18
+[ 18.684516] sdio_enable_func+0xe8/0x1d0
+[ 18.690627] btsdio_open+0x24/0xc0 [btsdio]
+[ 18.696821] hci_dev_do_open+0x64/0x598 [bluetooth]
+[ 18.703025] hci_power_on+0x50/0x270 [bluetooth]
+[ 18.709163] process_one_work+0x2a0/0x6e0
+[ 18.715252] worker_thread+0x40/0x448
+[ 18.721310] kthread+0x12c/0x130
+[ 18.727326] ret_from_fork+0x10/0x1c
+[ 18.735555] ------------[ cut here ]------------
+[ 18.741430] do not call blocking ops when !TASK_RUNNING; state=2 set at [<000000006265ec59>] wait_for_common+0x140/0x180
+[ 18.752417] WARNING: CPU: 0 PID: 68 at kernel/sched/core.c:6096 __might_sleep+0x7c/0x88
+[ 18.760553] Modules linked in: dm_mirror dm_region_hash dm_log dm_mod
+btsdio bluetooth snd_soc_hdmi_codec dw_hdmi_i2s_audio ecdh_generic
+brcmfmac brcmutil cfg80211 rfkill ir_nec_decoder meson_dw_hdmi(O)
+dw_hdmi rc_geekbox meson_rng meson_ir ao_cec rng_core rc_core cec
+leds_pwm efivars nfsd ip_tables x_tables crc32_generic f2fs uas
+meson_gxbb_wdt pwm_meson efivarfs ipv6
+[ 18.799469] CPU: 0 PID: 68 Comm: kworker/u17:0 Tainted: G W O 4.20.0-rc3Lyude-Test+ #9
+[ 18.808858] Hardware name: amlogic khadas-vim2/khadas-vim2, BIOS 2018.07-rc2-armbian 09/11/2018
+[ 18.818045] Workqueue: hci0 hci_power_on [bluetooth]
+[ 18.824088] pstate: 80000085 (Nzcv daIf -PAN -UAO)
+[ 18.829891] pc : __might_sleep+0x7c/0x88
+[ 18.835722] lr : __might_sleep+0x7c/0x88
+[ 18.841256] sp : ffff000008003cb0
+[ 18.846751] x29: ffff000008003cb0 x28: 0000000000000000
+[ 18.852269] x27: ffff00000938e000 x26: ffff800010283000
+[ 18.857726] x25: ffff800010353280 x24: ffff00000868ef50
+[ 18.863166] x23: 0000000000000000 x22: 0000000000000000
+[ 18.868551] x21: 0000000000000000 x20: 000000000000038c
+[ 18.873850] x19: ffff000008cd08c0 x18: 0000000000000010
+[ 18.879081] x17: ffff000008a68cb0 x16: 0000000000000000
+[ 18.884197] x15: 0000000000aaaaaa x14: 0e200e200e200e20
+[ 18.889239] x13: 0000000000000001 x12: 00000000ffffffff
+[ 18.894261] x11: ffff000008adfa48 x10: 0000000000000001
+[ 18.899517] x9 : ffff0000092a0158 x8 : 0000000000000000
+[ 18.904674] x7 : ffff00000812136c x6 : 0000000000000000
+[ 18.909895] x5 : 0000000000000000 x4 : 0000000000000001
+[ 18.915080] x3 : 0000000000000007 x2 : 0000000000000007
+[ 18.920269] x1 : 99ab8e9ebb6c8500 x0 : 0000000000000000
+[ 18.925443] Call trace:
+[ 18.929904] __might_sleep+0x7c/0x88
+[ 18.934311] __mutex_lock+0x60/0x870
+[ 18.938687] mutex_lock_nested+0x1c/0x28
+[ 18.943076] regmap_lock_mutex+0x10/0x18
+[ 18.947453] regmap_read+0x38/0x70
+[ 18.951842] dw_hdmi_hardirq+0x58/0x138 [dw_hdmi]
+[ 18.956269] __handle_irq_event_percpu+0xac/0x410
+[ 18.960712] handle_irq_event_percpu+0x34/0x88
+[ 18.965176] handle_irq_event+0x48/0x78
+[ 18.969612] handle_fasteoi_irq+0xac/0x160
+[ 18.974058] generic_handle_irq+0x24/0x38
+[ 18.978501] __handle_domain_irq+0x60/0xb8
+[ 18.982938] gic_handle_irq+0x50/0xa0
+[ 18.987351] el1_irq+0xb4/0x130
+[ 18.991734] debug_lockdep_rcu_enabled+0x2c/0x30
+[ 18.996180] schedule+0x38/0xa0
+[ 19.000609] schedule_timeout+0x3a8/0x510
+[ 19.005064] wait_for_common+0x15c/0x180
+[ 19.009513] wait_for_completion+0x14/0x20
+[ 19.013951] mmc_wait_for_req_done+0x28/0x168
+[ 19.018402] mmc_wait_for_req+0xa8/0xe8
+[ 19.022809] mmc_wait_for_cmd+0x64/0x98
+[ 19.027177] mmc_io_rw_direct_host+0x94/0x130
+[ 19.031563] mmc_io_rw_direct+0x10/0x18
+[ 19.035922] sdio_enable_func+0xe8/0x1d0
+[ 19.040294] btsdio_open+0x24/0xc0 [btsdio]
+[ 19.044742] hci_dev_do_open+0x64/0x598 [bluetooth]
+[ 19.049228] hci_power_on+0x50/0x270 [bluetooth]
+[ 19.053687] process_one_work+0x2a0/0x6e0
+[ 19.058143] worker_thread+0x40/0x448
+[ 19.062608] kthread+0x12c/0x130
+[ 19.067064] ret_from_fork+0x10/0x1c
+[ 19.071513] irq event stamp: 12
+[ 19.075937] hardirqs last enabled at (11): [<ffff000008a4f57c>] _raw_spin_unlock_irq+0x2c/0x60
+[ 19.083560] hardirqs last disabled at (12): [<ffff000008a48914>] __schedule+0xc4/0xa60
+[ 19.091401] softirqs last enabled at (0): [<ffff0000080b55e0>] copy_process.isra.4.part.5+0x4d8/0x1c50
+[ 19.100801] softirqs last disabled at (0): [<0000000000000000>] (null)
+[ 19.108135] ---[ end trace 38c4920787b88c75 ]---
+
+So, fix this by enabling the fast_io option in our regmap config so that
+regmap uses spinlocks for locking instead of mutexes.
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Fixes: 3f68be7d8e96 ("drm/meson: Add support for HDMI encoder and DW-HDMI bridge + PHY")
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Neil Armstrong <narmstrong@baylibre.com>
+Cc: Carlo Caione <carlo@caione.org>
+Cc: Kevin Hilman <khilman@baylibre.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: linux-amlogic@lists.infradead.org
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: <stable@vger.kernel.org> # v4.12+
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181124191238.28276-1-lyude@redhat.com
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/meson/meson_dw_hdmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/meson/meson_dw_hdmi.c
++++ b/drivers/gpu/drm/meson/meson_dw_hdmi.c
+@@ -706,6 +706,7 @@ static const struct regmap_config meson_
+ .reg_read = meson_dw_hdmi_reg_read,
+ .reg_write = meson_dw_hdmi_reg_write,
+ .max_register = 0x10000,
++ .fast_io = true,
+ };
+
+ static bool meson_hdmi_connector_is_available(struct device *dev)
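Review bot: `.fast_io = true` makes regmap lock with a spinlock around `meson_dw_hdmi_reg_read` and `meson_dw_hdmi_reg_write`, so both callbacks now run in atomic context and must never sleep; their bodies are not in this hunk, so that should be confirmed. The requirement is worth recording next to the field, e.g. `/* read from the hard IRQ handler: regmap must use a spinlock, callbacks must not sleep */`, so that a later change to the callbacks does not bring back the sleeping-in-atomic splat quoted in the commit message.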
--- /dev/null
+From 97b2a3180a559a33852ac0cd77904166069484fd Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Sat, 24 Nov 2018 20:21:17 -0500
+Subject: drm/meson: Fix OOB memory accesses in meson_viu_set_osd_lut()
+
+From: Lyude Paul <lyude@redhat.com>
+
+commit 97b2a3180a559a33852ac0cd77904166069484fd upstream.
+
+Currently on driver bringup with KASAN enabled, meson triggers an OOB
+memory access as shown below:
+
+[ 117.904528] ==================================================================
+[ 117.904560] BUG: KASAN: global-out-of-bounds in meson_viu_set_osd_lut+0x7a0/0x890
+[ 117.904588] Read of size 4 at addr ffff20000a63ce24 by task systemd-udevd/498
+[ 117.904601]
+[ 118.083372] CPU: 4 PID: 498 Comm: systemd-udevd Not tainted 4.20.0-rc3Lyude-Test+ #20
+[ 118.091143] Hardware name: amlogic khadas-vim2/khadas-vim2, BIOS 2018.07-rc2-armbian 09/11/2018
+[ 118.099768] Call trace:
+[ 118.102181] dump_backtrace+0x0/0x3e8
+[ 118.105796] show_stack+0x14/0x20
+[ 118.109083] dump_stack+0x130/0x1c4
+[ 118.112539] print_address_description+0x60/0x25c
+[ 118.117214] kasan_report+0x1b4/0x368
+[ 118.120851] __asan_report_load4_noabort+0x18/0x20
+[ 118.125566] meson_viu_set_osd_lut+0x7a0/0x890
+[ 118.129953] meson_viu_init+0x10c/0x290
+[ 118.133741] meson_drv_bind_master+0x474/0x748
+[ 118.138141] meson_drv_bind+0x10/0x18
+[ 118.141760] try_to_bring_up_master+0x3d8/0x768
+[ 118.146249] component_add+0x214/0x570
+[ 118.149978] meson_dw_hdmi_probe+0x18/0x20 [meson_dw_hdmi]
+[ 118.155404] platform_drv_probe+0x98/0x138
+[ 118.159455] really_probe+0x2a0/0xa70
+[ 118.163070] driver_probe_device+0x1b4/0x2d8
+[ 118.167299] __driver_attach+0x200/0x280
+[ 118.171189] bus_for_each_dev+0x10c/0x1a8
+[ 118.175144] driver_attach+0x38/0x50
+[ 118.178681] bus_add_driver+0x330/0x608
+[ 118.182471] driver_register+0x140/0x388
+[ 118.186361] __platform_driver_register+0xc8/0x108
+[ 118.191117] meson_dw_hdmi_platform_driver_init+0x1c/0x1000 [meson_dw_hdmi]
+[ 118.198022] do_one_initcall+0x12c/0x3bc
+[ 118.201883] do_init_module+0x1fc/0x638
+[ 118.205673] load_module+0x4b4c/0x6808
+[ 118.209387] __se_sys_init_module+0x2e8/0x3c0
+[ 118.213699] __arm64_sys_init_module+0x68/0x98
+[ 118.218100] el0_svc_common+0x104/0x210
+[ 118.221893] el0_svc_handler+0x48/0xb8
+[ 118.225594] el0_svc+0x8/0xc
+[ 118.228429]
+[ 118.229887] The buggy address belongs to the variable:
+[ 118.235007] eotf_33_linear_mapping+0x84/0xc0
+[ 118.239301]
+[ 118.240752] Memory state around the buggy address:
+[ 118.245522] ffff20000a63cd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 118.252695] ffff20000a63cd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 118.259850] >ffff20000a63ce00: 00 00 00 00 04 fa fa fa fa fa fa fa 00 00 00 00
+[ 118.267000] ^
+[ 118.271222] ffff20000a63ce80: 00 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+[ 118.278393] ffff20000a63cf00: 00 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa
+[ 118.285542] ==================================================================
+[ 118.292699] Disabling lock debugging due to kernel taint
+
+It seems that when looping through the OSD EOTF LUT maps, we use the
+same max iterator for OETF: 20. This is wrong though, since 20*2 is 40,
+which means that we'll stop out of bounds on the EOTF maps.
+
+But, this whole thing is already confusing enough to read through as-is,
+so let's just replace all of the hardcoded sizes with
+OSD_(OETF/EOTF)_LUT_SIZE / 2.
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
+Cc: Neil Armstrong <narmstrong@baylibre.com>
+Cc: Maxime Ripard <maxime.ripard@bootlin.com>
+Cc: Carlo Caione <carlo@caione.org>
+Cc: Kevin Hilman <khilman@baylibre.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: linux-amlogic@lists.infradead.org
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: <stable@vger.kernel.org> # v4.10+
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181125012117.31915-1-lyude@redhat.com
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/meson/meson_viu.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/meson/meson_viu.c
++++ b/drivers/gpu/drm/meson/meson_viu.c
+@@ -184,18 +184,18 @@ void meson_viu_set_osd_lut(struct meson_
+ if (lut_sel == VIU_LUT_OSD_OETF) {
+ writel(0, priv->io_base + _REG(addr_port));
+
+- for (i = 0; i < 20; i++)
++ for (i = 0; i < (OSD_OETF_LUT_SIZE / 2); i++)
+ writel(r_map[i * 2] | (r_map[i * 2 + 1] << 16),
+ priv->io_base + _REG(data_port));
+
+ writel(r_map[OSD_OETF_LUT_SIZE - 1] | (g_map[0] << 16),
+ priv->io_base + _REG(data_port));
+
+- for (i = 0; i < 20; i++)
++ for (i = 0; i < (OSD_OETF_LUT_SIZE / 2); i++)
+ writel(g_map[i * 2 + 1] | (g_map[i * 2 + 2] << 16),
+ priv->io_base + _REG(data_port));
+
+- for (i = 0; i < 20; i++)
++ for (i = 0; i < (OSD_OETF_LUT_SIZE / 2); i++)
+ writel(b_map[i * 2] | (b_map[i * 2 + 1] << 16),
+ priv->io_base + _REG(data_port));
+
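Review bot: The g_map loops read `g_map[i * 2 + 2]`, so with the new bound `OSD_OETF_LUT_SIZE / 2` the highest index touched stays in range only when the LUT size is odd; for an even size the last iteration would read one element past the array. The same holds for the `OSD_EOTF_LUT_SIZE / 2` loops in the next hunk. The macro values are not visible here, so this may well hold today, but nothing enforces it. A compile-time check such as `BUILD_BUG_ON(!(OSD_OETF_LUT_SIZE & 1));` with its EOTF counterpart, or a comment stating the odd-size assumption, would keep the out-of-bounds read from returning. meson_viu_set_osd_lut() starts and ends outside both hunks.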
+@@ -211,18 +211,18 @@ void meson_viu_set_osd_lut(struct meson_
+ } else if (lut_sel == VIU_LUT_OSD_EOTF) {
+ writel(0, priv->io_base + _REG(addr_port));
+
+- for (i = 0; i < 20; i++)
++ for (i = 0; i < (OSD_EOTF_LUT_SIZE / 2); i++)
+ writel(r_map[i * 2] | (r_map[i * 2 + 1] << 16),
+ priv->io_base + _REG(data_port));
+
+ writel(r_map[OSD_EOTF_LUT_SIZE - 1] | (g_map[0] << 16),
+ priv->io_base + _REG(data_port));
+
+- for (i = 0; i < 20; i++)
++ for (i = 0; i < (OSD_EOTF_LUT_SIZE / 2); i++)
+ writel(g_map[i * 2 + 1] | (g_map[i * 2 + 2] << 16),
+ priv->io_base + _REG(data_port));
+
+- for (i = 0; i < 20; i++)
++ for (i = 0; i < (OSD_EOTF_LUT_SIZE / 2); i++)
+ writel(b_map[i * 2] | (b_map[i * 2 + 1] << 16),
+ priv->io_base + _REG(data_port));
+
--- /dev/null
+From 2bcd3ecab773f73211c45bb1430bb52ac641f271 Mon Sep 17 00:00:00 2001
+From: Neil Armstrong <narmstrong@baylibre.com>
+Date: Thu, 22 Nov 2018 17:01:03 +0100
+Subject: drm/meson: Fixes for drm_crtc_vblank_on/off support
+
+From: Neil Armstrong <narmstrong@baylibre.com>
+
+commit 2bcd3ecab773f73211c45bb1430bb52ac641f271 upstream.
+
+Since Linux 4.17, calls to drm_crtc_vblank_on/off are mandatory, and we get
+a warning when ctrc is disabled :
+" driver forgot to call drm_crtc_vblank_off()"
+
+But, the vsync IRQ was not totally disabled due the transient hardware
+state and specific interrupt line, thus adding proper IRQ masking from
+the HHI system control registers.
+
+The last change fixes a race condition introduced by calling the added
+drm_crtc_vblank_on/off when an HPD event occurs from the HDMI connector,
+triggering a WARN_ON() in the _atomic_begin() callback when the CRTC
+is disabled, thus also triggering a WARN_ON() in drm_vblank_put() :
+
+WARNING: CPU: 0 PID: 1185 at drivers/gpu/drm/meson/meson_crtc.c:157 meson_crtc_atomic_begin+0x78/0x80
+[...]
+Call trace:
+ meson_crtc_atomic_begin+0x78/0x80
+ drm_atomic_helper_commit_planes+0x140/0x218
+ drm_atomic_helper_commit_tail+0x38/0x80
+ commit_tail+0x7c/0x80
+ drm_atomic_helper_commit+0xdc/0x150
+ drm_atomic_commit+0x54/0x60
+ restore_fbdev_mode_atomic+0x198/0x238
+ restore_fbdev_mode+0x6c/0x1c0
+ drm_fb_helper_restore_fbdev_mode_unlocked+0x7c/0xf0
+ drm_fb_helper_set_par+0x34/0x60
+ drm_fb_helper_hotplug_event.part.28+0xb8/0xc8
+ drm_fbdev_client_hotplug+0xa4/0xe0
+ drm_client_dev_hotplug+0x90/0xe0
+ drm_kms_helper_hotplug_event+0x3c/0x48
+ drm_helper_hpd_irq_event+0x134/0x168
+ dw_hdmi_top_thread_irq+0x3c/0x50
+[...]
+WARNING: CPU: 0 PID: 1185 at drivers/gpu/drm/drm_vblank.c:1026 drm_vblank_put+0xb4/0xc8
+[...]
+ Call trace:
+ drm_vblank_put+0xb4/0xc8
+ drm_crtc_vblank_put+0x24/0x30
+ drm_atomic_helper_wait_for_vblanks.part.9+0x130/0x2b8
+ drm_atomic_helper_commit_tail+0x68/0x80
+[...]
+
+The issue is that vblank need to be enabled in any occurrence of :
+- atomic_enable()
+- atomic_begin() and state->enable == true, which was not the case
+
+Moving the CRTC enable code to a common function and calling in one of
+these occurrence solves this race condition and makes sure vblank is
+enabled in each call to _atomic_begin() from the HPD event leading to
+drm_atomic_helper_commit_planes().
+
+To Summarize :
+- Make sure that the CRTC code will call the drm_crtc_vblank_on()/off()
+- *Really* mask the Vsync IRQ
+- Initialize and enable vblank at the first
+ atomic_begin()/_atomic_enable()
+
+Cc: stable@vger.kernel.org # 4.17+
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+[fixed typos+added cc for stable]
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181122160103.10993-1-narmstrong@baylibre.com
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/meson/meson_crtc.c | 27 +++++++++++++++++++++++++--
+ drivers/gpu/drm/meson/meson_venc.c | 3 +++
+ 2 files changed, 28 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/meson/meson_crtc.c
++++ b/drivers/gpu/drm/meson/meson_crtc.c
+@@ -45,6 +45,7 @@ struct meson_crtc {
+ struct drm_crtc base;
+ struct drm_pending_vblank_event *event;
+ struct meson_drm *priv;
++ bool enabled;
+ };
+ #define to_meson_crtc(x) container_of(x, struct meson_crtc, base)
+
+@@ -80,8 +81,7 @@ static const struct drm_crtc_funcs meson
+
+ };
+
+-static void meson_crtc_atomic_enable(struct drm_crtc *crtc,
+- struct drm_crtc_state *old_state)
++static void meson_crtc_enable(struct drm_crtc *crtc)
+ {
+ struct meson_crtc *meson_crtc = to_meson_crtc(crtc);
+ struct drm_crtc_state *crtc_state = crtc->state;
+@@ -101,6 +101,22 @@ static void meson_crtc_atomic_enable(str
+ writel_bits_relaxed(VPP_POSTBLEND_ENABLE, VPP_POSTBLEND_ENABLE,
+ priv->io_base + _REG(VPP_MISC));
+
++ drm_crtc_vblank_on(crtc);
++
++ meson_crtc->enabled = true;
++}
++
++static void meson_crtc_atomic_enable(struct drm_crtc *crtc,
++ struct drm_crtc_state *old_state)
++{
++ struct meson_crtc *meson_crtc = to_meson_crtc(crtc);
++ struct meson_drm *priv = meson_crtc->priv;
++
++ DRM_DEBUG_DRIVER("\n");
++
++ if (!meson_crtc->enabled)
++ meson_crtc_enable(crtc);
++
+ priv->viu.osd1_enabled = true;
+ }
+
+@@ -110,6 +126,8 @@ static void meson_crtc_atomic_disable(st
+ struct meson_crtc *meson_crtc = to_meson_crtc(crtc);
+ struct meson_drm *priv = meson_crtc->priv;
+
++ drm_crtc_vblank_off(crtc);
++
+ priv->viu.osd1_enabled = false;
+ priv->viu.osd1_commit = false;
+
+@@ -124,6 +142,8 @@ static void meson_crtc_atomic_disable(st
+
+ crtc->state->event = NULL;
+ }
++
++ meson_crtc->enabled = false;
+ }
+
+ static void meson_crtc_atomic_begin(struct drm_crtc *crtc,
+@@ -132,6 +152,9 @@ static void meson_crtc_atomic_begin(stru
+ struct meson_crtc *meson_crtc = to_meson_crtc(crtc);
+ unsigned long flags;
+
++ if (crtc->state->enable && !meson_crtc->enabled)
++ meson_crtc_enable(crtc);
++
+ if (crtc->state->event) {
+ WARN_ON(drm_crtc_vblank_get(crtc) != 0);
+
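Review bot: The new test `crtc->state->enable && !meson_crtc->enabled` reads a driver-private flag that is written in meson_crtc_enable() and meson_crtc_atomic_disable(), and none of the visible hunks takes a lock around those accesses. The DRM atomic helpers may already serialize these callbacks, but the patch does not say so, and the flag now shadows state the core keeps in `crtc->state`. If that serialization is the intent, a comment on the field would record it, e.g. `bool enabled; /* hardware and vblank are on; only touched from the atomic commit callbacks */`. meson_crtc_atomic_begin() continues past the end of this hunk.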
+--- a/drivers/gpu/drm/meson/meson_venc.c
++++ b/drivers/gpu/drm/meson/meson_venc.c
+@@ -71,6 +71,7 @@
+ */
+
+ /* HHI Registers */
++#define HHI_GCLK_MPEG2 0x148 /* 0x52 offset in data sheet */
+ #define HHI_VDAC_CNTL0 0x2F4 /* 0xbd offset in data sheet */
+ #define HHI_VDAC_CNTL1 0x2F8 /* 0xbe offset in data sheet */
+ #define HHI_HDMI_PHY_CNTL0 0x3a0 /* 0xe8 offset in data sheet */
+@@ -1529,10 +1530,12 @@ unsigned int meson_venci_get_field(struc
+ void meson_venc_enable_vsync(struct meson_drm *priv)
+ {
+ writel_relaxed(2, priv->io_base + _REG(VENC_INTCTRL));
++ regmap_update_bits(priv->hhi, HHI_GCLK_MPEG2, BIT(25), BIT(25));
+ }
+
+ void meson_venc_disable_vsync(struct meson_drm *priv)
+ {
++ regmap_update_bits(priv->hhi, HHI_GCLK_MPEG2, BIT(25), 0);
+ writel_relaxed(0, priv->io_base + _REG(VENC_INTCTRL));
+ }
+
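Review bot: `BIT(25)` of HHI_GCLK_MPEG2 is written as a bare literal in both meson_venc_enable_vsync() and meson_venc_disable_vsync(), so a reader cannot tell which gate is toggled or that the two calls must use the same bit. A named mask defined next to `HHI_GCLK_MPEG2`, with its name taken from the data sheet, would document it. The return value of regmap_update_bits() is also dropped in both functions, which hides a failed mask or unmask of the vsync interrupt; logging the error would be enough since both functions return void.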
--- /dev/null
+From 23a336b34258aba3b50ea6863cca4e81b5ef6384 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <sergio@correia.cc>
+Date: Thu, 22 Nov 2018 02:33:29 -0300
+Subject: drm: set is_master to 0 upon drm_new_set_master() failure
+
+From: Sergio Correia <sergio@correia.cc>
+
+commit 23a336b34258aba3b50ea6863cca4e81b5ef6384 upstream.
+
+When drm_new_set_master() fails, set is_master to 0, to prevent a
+possible NULL pointer deref.
+
+Here is a problematic flow: we check is_master in drm_is_current_master(),
+then proceed to call drm_lease_owner() passing master. If we do not restore
+is_master status when drm_new_set_master() fails, we may have a situation
+in which is_master will be 1 and master itself, NULL, leading to the deref
+of a NULL pointer in drm_lease_owner().
+
+This fixes the following OOPS, observed on an ArchLinux running a 4.19.2
+kernel:
+
+[ 97.804282] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
+[ 97.807224] PGD 0 P4D 0
+[ 97.807224] Oops: 0000 [#1] PREEMPT SMP NOPTI
+[ 97.807224] CPU: 0 PID: 1348 Comm: xfwm4 Tainted: P OE 4.19.2-arch1-1-ARCH #1
+[ 97.807224] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./AB350 Pro4, BIOS P5.10 10/16/2018
+[ 97.807224] RIP: 0010:drm_lease_owner+0xd/0x20 [drm]
+[ 97.807224] Code: 83 c4 18 5b 5d c3 b8 ea ff ff ff eb e2 b8 ed ff ff ff eb db e8 b4 ca 68 fb 0f 1f 40 00 0f 1f 44 00 00 48 89 f8 eb 03 48 89 d0 <48> 8b 90 80 00 00 00 48 85 d2 75 f1 c3 66 0f 1f 44 00 00 0f 1f 44
+[ 97.807224] RSP: 0018:ffffb8cf08e07bb0 EFLAGS: 00010202
+[ 97.807224] RAX: 0000000000000000 RBX: ffff9cf0f2586c00 RCX: ffff9cf0f2586c88
+[ 97.807224] RDX: ffff9cf0ddbd8000 RSI: 0000000000000000 RDI: 0000000000000000
+[ 97.807224] RBP: ffff9cf1040e9800 R08: 0000000000000000 R09: 0000000000000000
+[ 97.807224] R10: ffffdeb30fd5d680 R11: ffffdeb30f5d6808 R12: ffff9cf1040e9888
+[ 97.807224] R13: 0000000000000000 R14: dead000000000200 R15: ffff9cf0f2586cc8
+[ 97.807224] FS: 00007f4145513180(0000) GS:ffff9cf10ea00000(0000) knlGS:0000000000000000
+[ 97.807224] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 97.807224] CR2: 0000000000000080 CR3: 00000003d7548000 CR4: 00000000003406f0
+[ 97.807224] Call Trace:
+[ 97.807224] drm_is_current_master+0x1a/0x30 [drm]
+[ 97.807224] drm_master_release+0x3e/0x130 [drm]
+[ 97.807224] drm_file_free.part.0+0x2be/0x2d0 [drm]
+[ 97.807224] drm_open+0x1ba/0x1e0 [drm]
+[ 97.807224] drm_stub_open+0xaf/0xe0 [drm]
+[ 97.807224] chrdev_open+0xa3/0x1b0
+[ 97.807224] ? cdev_put.part.0+0x20/0x20
+[ 97.807224] do_dentry_open+0x132/0x340
+[ 97.807224] path_openat+0x2d1/0x14e0
+[ 97.807224] ? mem_cgroup_commit_charge+0x7a/0x520
+[ 97.807224] do_filp_open+0x93/0x100
+[ 97.807224] ? __check_object_size+0x102/0x189
+[ 97.807224] ? _raw_spin_unlock+0x16/0x30
+[ 97.807224] do_sys_open+0x186/0x210
+[ 97.807224] do_syscall_64+0x5b/0x170
+[ 97.807224] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 97.807224] RIP: 0033:0x7f4147b07976
+[ 97.807224] Code: 89 54 24 08 e8 7b f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f2 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 77 30 44 89 c7 89 44 24 08 e8 a6 f4 ff ff 8b 44
+[ 97.807224] RSP: 002b:00007ffcced96ca0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
+[ 97.807224] RAX: ffffffffffffffda RBX: 00005619d5037f80 RCX: 00007f4147b07976
+[ 97.807224] RDX: 0000000000000002 RSI: 00005619d46b969c RDI: 00000000ffffff9c
+[ 98.040039] RBP: 0000000000000024 R08: 0000000000000000 R09: 0000000000000000
+[ 98.040039] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000024
+[ 98.040039] R13: 0000000000000012 R14: 00005619d5035950 R15: 0000000000000012
+[ 98.040039] Modules linked in: nct6775 hwmon_vid algif_skcipher af_alg nls_iso8859_1 nls_cp437 vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common arc4 videodev media snd_usb_audio snd_hda_codec_hdmi snd_usbmidi_lib snd_rawmidi snd_seq_device mousedev input_leds iwlmvm mac80211 snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec edac_mce_amd kvm_amd snd_hda_core kvm iwlwifi snd_hwdep r8169 wmi_bmof cfg80211 snd_pcm irqbypass snd_timer snd libphy soundcore pinctrl_amd rfkill pcspkr sp5100_tco evdev gpio_amdpt k10temp mac_hid i2c_piix4 wmi pcc_cpufreq acpi_cpufreq vboxnetflt(OE) vboxnetadp(OE) vboxpci(OE) vboxdrv(OE) msr sg crypto_user ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 fscrypto uas usb_storage dm_crypt hid_generic usbhid hid
+[ 98.040039] dm_mod raid1 md_mod sd_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc ahci libahci aesni_intel aes_x86_64 libata crypto_simd cryptd glue_helper ccp xhci_pci rng_core scsi_mod xhci_hcd nvidia_drm(POE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm agpgart nvidia_uvm(POE) nvidia_modeset(POE) nvidia(POE) ipmi_devintf ipmi_msghandler
+[ 98.040039] CR2: 0000000000000080
+[ 98.040039] ---[ end trace 3b65093b6fe62b2f ]---
+[ 98.040039] RIP: 0010:drm_lease_owner+0xd/0x20 [drm]
+[ 98.040039] Code: 83 c4 18 5b 5d c3 b8 ea ff ff ff eb e2 b8 ed ff ff ff eb db e8 b4 ca 68 fb 0f 1f 40 00 0f 1f 44 00 00 48 89 f8 eb 03 48 89 d0 <48> 8b 90 80 00 00 00 48 85 d2 75 f1 c3 66 0f 1f 44 00 00 0f 1f 44
+[ 98.040039] RSP: 0018:ffffb8cf08e07bb0 EFLAGS: 00010202
+[ 98.040039] RAX: 0000000000000000 RBX: ffff9cf0f2586c00 RCX: ffff9cf0f2586c88
+[ 98.040039] RDX: ffff9cf0ddbd8000 RSI: 0000000000000000 RDI: 0000000000000000
+[ 98.040039] RBP: ffff9cf1040e9800 R08: 0000000000000000 R09: 0000000000000000
+[ 98.040039] R10: ffffdeb30fd5d680 R11: ffffdeb30f5d6808 R12: ffff9cf1040e9888
+[ 98.040039] R13: 0000000000000000 R14: dead000000000200 R15: ffff9cf0f2586cc8
+[ 98.040039] FS: 00007f4145513180(0000) GS:ffff9cf10ea00000(0000) knlGS:0000000000000000
+[ 98.040039] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 98.040039] CR2: 0000000000000080 CR3: 00000003d7548000 CR4: 00000000003406f0
+
+Signed-off-by: Sergio Correia <sergio@correia.cc>
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181122053329.2692-1-sergio@correia.cc
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_auth.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/drm_auth.c
++++ b/drivers/gpu/drm/drm_auth.c
+@@ -142,6 +142,7 @@ static int drm_new_set_master(struct drm
+
+ lockdep_assert_held_once(&dev->master_mutex);
+
++ WARN_ON(fpriv->is_master);
+ old_master = fpriv->master;
+ fpriv->master = drm_master_create(dev);
+ if (!fpriv->master) {
+@@ -170,6 +171,7 @@ out_err:
+ /* drop references and restore old master on failure */
+ drm_master_put(&fpriv->master);
+ fpriv->master = old_master;
++ fpriv->is_master = 0;
+
+ return ret;
+ }
--- /dev/null
+From db7a691a1551a748cb92d9c89c6b190ea87e28d5 Mon Sep 17 00:00:00 2001
+From: Michael Guralnik <michaelgur@mellanox.com>
+Date: Wed, 21 Nov 2018 15:03:54 +0200
+Subject: IB/mlx5: Avoid load failure due to unknown link width
+
+From: Michael Guralnik <michaelgur@mellanox.com>
+
+commit db7a691a1551a748cb92d9c89c6b190ea87e28d5 upstream.
+
+If the firmware reports a connection width that is not 1x, 4x, 8x or 12x
+it causes the driver to fail during initialization.
+
+To prevent this failure every time a new width is introduced to the RDMA
+stack, we will set a default 4x width for these widths which ar unknown to
+the driver.
+
+This is needed to allow to run old kernels with new firmware.
+
+Cc: <stable@vger.kernel.org> # 4.1
+Fixes: 1b5daf11b015 ("IB/mlx5: Avoid using the MAD_IFC command under ISSI > 0 mode")
+Signed-off-by: Michael Guralnik <michaelgur@mellanox.com>
+Reviewed-by: Majd Dibbiny <majd@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/main.c | 29 +++++++++++------------------
+ 1 file changed, 11 insertions(+), 18 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -1094,31 +1094,26 @@ enum mlx5_ib_width {
+ MLX5_IB_WIDTH_12X = 1 << 4
+ };
+
+-static int translate_active_width(struct ib_device *ibdev, u8 active_width,
++static void translate_active_width(struct ib_device *ibdev, u8 active_width,
+ u8 *ib_width)
+ {
+ struct mlx5_ib_dev *dev = to_mdev(ibdev);
+- int err = 0;
+
+- if (active_width & MLX5_IB_WIDTH_1X) {
++ if (active_width & MLX5_IB_WIDTH_1X)
+ *ib_width = IB_WIDTH_1X;
+- } else if (active_width & MLX5_IB_WIDTH_2X) {
+- mlx5_ib_dbg(dev, "active_width %d is not supported by IB spec\n",
+- (int)active_width);
+- err = -EINVAL;
+- } else if (active_width & MLX5_IB_WIDTH_4X) {
++ else if (active_width & MLX5_IB_WIDTH_4X)
+ *ib_width = IB_WIDTH_4X;
+- } else if (active_width & MLX5_IB_WIDTH_8X) {
++ else if (active_width & MLX5_IB_WIDTH_8X)
+ *ib_width = IB_WIDTH_8X;
+- } else if (active_width & MLX5_IB_WIDTH_12X) {
++ else if (active_width & MLX5_IB_WIDTH_12X)
+ *ib_width = IB_WIDTH_12X;
+- } else {
+- mlx5_ib_dbg(dev, "Invalid active_width %d\n",
++ else {
++ mlx5_ib_dbg(dev, "Invalid active_width %d, setting width to default value: 4x\n",
+ (int)active_width);
+- err = -EINVAL;
++ *ib_width = IB_WIDTH_4X;
+ }
+
+- return err;
++ return;
+ }
+
+ static int mlx5_mtu_to_ib_mtu(int mtu)
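Review bot: The final `else` in translate_active_width() now covers two different cases with one message: a width bit the driver does not know, and `MLX5_IB_WIDTH_2X`, which the removed lines show is a defined value but which is now logged as "Invalid active_width". The message is emitted through `mlx5_ib_dbg`, so by default nothing tells an operator that the reported 4x is a substituted default rather than what firmware returned. Consider a warning-level, once-only message, or at least wording such as `"Unknown active_width %d, reporting default 4x\n"`. The trailing `return;` in the now-void function is redundant and can be dropped.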
+@@ -1225,10 +1220,8 @@ static int mlx5_query_hca_port(struct ib
+ if (err)
+ goto out;
+
+- err = translate_active_width(ibdev, ib_link_width_oper,
+- &props->active_width);
+- if (err)
+- goto out;
++ translate_active_width(ibdev, ib_link_width_oper, &props->active_width);
++
+ err = mlx5_query_port_ib_proto_oper(mdev, &props->active_speed, port);
+ if (err)
+ goto out;
--- /dev/null
+From 24c3456c8d5ee6fc1933ca40f7b4406130682668 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Wed, 14 Nov 2018 10:17:01 -0800
+Subject: iser: set sector for ambiguous mr status errors
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+commit 24c3456c8d5ee6fc1933ca40f7b4406130682668 upstream.
+
+If for some reason we failed to query the mr status, we need to make sure
+to provide sufficient information for an ambiguous error (guard error on
+sector 0).
+
+Fixes: 0a7a08ad6f5f ("IB/iser: Implement check_protection")
+Cc: <stable@vger.kernel.org>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/iser/iser_verbs.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/ulp/iser/iser_verbs.c
++++ b/drivers/infiniband/ulp/iser/iser_verbs.c
+@@ -1123,7 +1123,9 @@ u8 iser_check_task_pi_status(struct iscs
+ IB_MR_CHECK_SIG_STATUS, &mr_status);
+ if (ret) {
+ pr_err("ib_check_mr_status failed, ret %d\n", ret);
+- goto err;
++ /* Not a lot we can do, return ambiguous guard error */
++ *sector = 0;
++ return 0x1;
+ }
+
+ if (mr_status.fail_status & IB_MR_CHECK_SIG_STATUS) {
+@@ -1151,9 +1153,6 @@ u8 iser_check_task_pi_status(struct iscs
+ }
+
+ return 0;
+-err:
+- /* Not alot we can do here, return ambiguous guard error */
+- return 0x1;
+ }
+
+ void iser_err_comp(struct ib_wc *wc, const char *type)
--- /dev/null
+From c50cbd85cd7027d32ac5945bb60217936b4f7eaf Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Wed, 21 Nov 2018 22:14:39 +0300
+Subject: mips: fix mips_get_syscall_arg o32 check
+
+From: Dmitry V. Levin <ldv@altlinux.org>
+
+commit c50cbd85cd7027d32ac5945bb60217936b4f7eaf upstream.
+
+When checking for TIF_32BIT_REGS flag, mips_get_syscall_arg() should
+use the task specified as its argument instead of the current task.
+
+This potentially affects all syscall_get_arguments() users
+who specify tasks different from the current.
+
+Fixes: c0ff3c53d4f99 ("MIPS: Enable HAVE_ARCH_TRACEHOOK.")
+Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/21185/
+Cc: Elvira Khabirova <lineprinter@altlinux.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org # v3.13+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/syscall.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/syscall.h
++++ b/arch/mips/include/asm/syscall.h
+@@ -73,7 +73,7 @@ static inline unsigned long mips_get_sys
+ #ifdef CONFIG_64BIT
+ case 4: case 5: case 6: case 7:
+ #ifdef CONFIG_MIPS32_O32
+- if (test_thread_flag(TIF_32BIT_REGS))
++ if (test_tsk_thread_flag(task, TIF_32BIT_REGS))
+ return get_user(*arg, (int *)usp + n);
+ else
+ #endif
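Review bot: The flag test now follows `task`, but the read on the next line, `get_user(*arg, (int *)usp + n)`, still goes through the calling context's user address space. If a caller passes a task other than current (the case the commit message names), o32 stack arguments 4-7 would be fetched from the caller's memory at the other task's stack address, even though the flag check is now right. `usp` and the rest of mips_get_syscall_arg() are outside the hunk, so whether such callers can reach this branch needs confirming. If they can, a comment such as `/* NOTE: get_user() reads current's mm; only valid when task == current */` would at least document the limit.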
--- /dev/null
+From 7d35baa4e9ec4b717bc0e58a39cdb6a1c50f5465 Mon Sep 17 00:00:00 2001
+From: Mathias Kresin <dev@kresin.me>
+Date: Mon, 26 Nov 2018 11:25:40 +0100
+Subject: MIPS: ralink: Fix mt7620 nd_sd pinmux
+
+From: Mathias Kresin <dev@kresin.me>
+
+commit 7d35baa4e9ec4b717bc0e58a39cdb6a1c50f5465 upstream.
+
+In case the nd_sd group is set to the sd-card function, Pins 45 + 46 are
+configured as GPIOs. If they are blocked by the sd function, they can't
+be used as GPIOs.
+
+Reported-by: Kristian Evensen <kristian.evensen@gmail.com>
+Signed-off-by: Mathias Kresin <dev@kresin.me>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Fixes: f576fb6a0700 ("MIPS: ralink: cleanup the soc specific pinmux data")
+Patchwork: https://patchwork.linux-mips.org/patch/21220/
+Cc: John Crispin <john@phrozen.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org # v3.18+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/ralink/mt7620.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/ralink/mt7620.c
++++ b/arch/mips/ralink/mt7620.c
+@@ -84,7 +84,7 @@ static struct rt2880_pmx_func pcie_rst_g
+ };
+ static struct rt2880_pmx_func nd_sd_grp[] = {
+ FUNC("nand", MT7620_GPIO_MODE_NAND, 45, 15),
+- FUNC("sd", MT7620_GPIO_MODE_SD, 45, 15)
++ FUNC("sd", MT7620_GPIO_MODE_SD, 47, 13)
+ };
+
+ static struct rt2880_pmx_group mt7620a_pinmux_data[] = {
--- /dev/null
+From 40b412897ccb4b98b2cfb2a0aaabed58dd9e2086 Mon Sep 17 00:00:00 2001
+From: Frieder Schrempf <frieder.schrempf@kontron.de>
+Date: Tue, 27 Nov 2018 07:44:52 +0000
+Subject: mtd: nand: Fix memory allocation in nanddev_bbt_init()
+
+From: Frieder Schrempf <frieder.schrempf@kontron.de>
+
+commit 40b412897ccb4b98b2cfb2a0aaabed58dd9e2086 upstream.
+
+Fix the size of the buffer allocated to store the in-memory BBT.
+This bug was previously hidden by a different bug, that was fixed in
+commit d098093ba06e ("mtd: nand: Fix nanddev_neraseblocks()").
+
+Fixes: 9c3736a3de21 ("mtd: nand: Add core infrastructure to deal with NAND devices")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Acked-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/bbt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/bbt.c
++++ b/drivers/mtd/nand/bbt.c
+@@ -27,7 +27,8 @@ int nanddev_bbt_init(struct nand_device
+ unsigned int nwords = DIV_ROUND_UP(nblocks * bits_per_block,
+ BITS_PER_LONG);
+
+- nand->bbt.cache = kzalloc(nwords, GFP_KERNEL);
++ nand->bbt.cache = kcalloc(nwords, sizeof(*nand->bbt.cache),
++ GFP_KERNEL);
+ if (!nand->bbt.cache)
+ return -ENOMEM;
+
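Review bot: `kcalloc()` guards the `nwords * sizeof(*nand->bbt.cache)` multiplication, but the product `nblocks * bits_per_block` in the context line above is computed earlier and is not checked. The declarations of both operands are outside the hunk; if they are `unsigned int`, as `nwords` is, a wrapped product would again give an undersized table that later bit accesses index past. A comment stating the expected bound on `nblocks`, or a wider type for the product, would close that off. The rest of nanddev_bbt_init() is not visible here.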
--- /dev/null
+From 3054426dc68e5d63aa6a6e9b91ac4ec78e3f3805 Mon Sep 17 00:00:00 2001
+From: Pavankumar Kondeti <pkondeti@codeaurora.org>
+Date: Tue, 30 Oct 2018 12:24:33 +0530
+Subject: sched, trace: Fix prev_state output in sched_switch tracepoint
+
+From: Pavankumar Kondeti <pkondeti@codeaurora.org>
+
+commit 3054426dc68e5d63aa6a6e9b91ac4ec78e3f3805 upstream.
+
+commit 3f5fe9fef5b2 ("sched/debug: Fix task state recording/printout")
+tried to fix the problem introduced by a previous commit efb40f588b43
+("sched/tracing: Fix trace_sched_switch task-state printing"). However
+the prev_state output in sched_switch is still broken.
+
+task_state_index() uses fls() which considers the LSB as 1. Left
+shifting 1 by this value gives an incorrect mapping to the task state.
+Fix this by decrementing the value returned by __get_task_state()
+before shifting.
+
+Link: http://lkml.kernel.org/r/1540882473-1103-1-git-send-email-pkondeti@codeaurora.org
+
+Cc: stable@vger.kernel.org
+Fixes: 3f5fe9fef5b2 ("sched/debug: Fix task state recording/printout")
+Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/trace/events/sched.h | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/include/trace/events/sched.h
++++ b/include/trace/events/sched.h
+@@ -107,6 +107,8 @@ DEFINE_EVENT(sched_wakeup_template, sche
+ #ifdef CREATE_TRACE_POINTS
+ static inline long __trace_sched_switch_state(bool preempt, struct task_struct *p)
+ {
++ unsigned int state;
++
+ #ifdef CONFIG_SCHED_DEBUG
+ BUG_ON(p != current);
+ #endif /* CONFIG_SCHED_DEBUG */
+@@ -118,7 +120,15 @@ static inline long __trace_sched_switch_
+ if (preempt)
+ return TASK_REPORT_MAX;
+
+- return 1 << task_state_index(p);
++ /*
++ * task_state_index() uses fls() and returns a value from 0-8 range.
++ * Decrement it by 1 (except TASK_RUNNING state i.e 0) before using
++ * it for left shift operation to get the correct task->state
++ * mapping.
++ */
++ state = task_state_index(p);
++
++ return state ? (1 << (state - 1)) : state;
+ }
+ #endif /* CREATE_TRACE_POINTS */
+
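Review bot: In `return state ? (1 << (state - 1)) : state;` the false arm can only ever yield 0, so spelling it `return state ? (1 << (state - 1)) : 0;` says what is meant without the reader having to re-derive it. The expression also mixes the `unsigned int` local with an `int` shift and a `long` return type; that is harmless for the 0-8 range the new comment states, so the range is worth keeping in the comment. The declaration of `state` is in the previous hunk of the same function.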
blk-mq-fix-corruption-with-direct-issue.patch
test_hexdump-use-memcpy-instead-of-strncpy.patch
unifdef-use-memcpy-instead-of-strncpy.patch
+iser-set-sector-for-ambiguous-mr-status-errors.patch
+uprobes-fix-handle_swbp-vs.-unregister-register-race-once-more.patch
+mtd-nand-fix-memory-allocation-in-nanddev_bbt_init.patch
+arm64-ftrace-fix-to-enable-syscall-events-on-arm64.patch
+sched-trace-fix-prev_state-output-in-sched_switch-tracepoint.patch
+tracepoint-use-__idx-instead-of-idx-in-do_trace-macro-to-make-it-unique.patch
+mips-ralink-fix-mt7620-nd_sd-pinmux.patch
+mips-fix-mips_get_syscall_arg-o32-check.patch
+ib-mlx5-avoid-load-failure-due-to-unknown-link-width.patch
+tracing-fgraph-fix-set_graph_function-from-showing-interrupts.patch
+drm-ast-fix-incorrect-free-on-ioregs.patch
+drm-amd-dm-don-t-forget-to-attach-mst-encoders.patch
+drm-amd-dm-understand-why-attaching-path-tile-properties-are-needed.patch
+drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch
+drm-meson-fixes-for-drm_crtc_vblank_on-off-support.patch
+drm-meson-enable-fast_io-in-meson_dw_hdmi_regmap_config.patch
+drm-meson-fix-oob-memory-accesses-in-meson_viu_set_osd_lut.patch
+userfaultfd-use-enoent-instead-of-efault-if-the-atomic-copy-user-fails.patch
+userfaultfd-shmem-allocate-anonymous-memory-for-map_private-shmem.patch
+userfaultfd-shmem-add-i_size-checks.patch
+userfaultfd-shmem-uffdio_copy-set-the-page-dirty-if-vm_write-is-not-set.patch
--- /dev/null
+From 0c7a52e4d4b5c4d35b31f3c3ad32af814f1bf491 Mon Sep 17 00:00:00 2001
+From: Zenghui Yu <yuzenghui@huawei.com>
+Date: Wed, 28 Nov 2018 03:35:23 +0000
+Subject: tracepoint: Use __idx instead of idx in DO_TRACE macro to make it unique
+
+From: Zenghui Yu <yuzenghui@huawei.com>
+
+commit 0c7a52e4d4b5c4d35b31f3c3ad32af814f1bf491 upstream.
+
+After enabling KVM event tracing, almost all of trace_kvm_exit()'s
+printk shows
+
+ "kvm_exit: IRQ: ..."
+
+even if the actual exception_type is NOT IRQ. More specifically,
+trace_kvm_exit() is defined in virt/kvm/arm/trace.h by TRACE_EVENT.
+
+This slight problem may have existed after commit e6753f23d961
+("tracepoint: Make rcuidle tracepoint callers use SRCU"). There are
+two variables in trace_kvm_exit() and __DO_TRACE() which have the
+same name, *idx*. Thus the actual value of *idx* will be overwritten
+when tracing. Fix it by adding a simple prefix.
+
+Cc: Joel Fernandes <joel@joelfernandes.org>
+Cc: Wang Haibin <wanghaibin.wang@huawei.com>
+Cc: linux-trace-devel@vger.kernel.org
+Cc: stable@vger.kernel.org
+Fixes: e6753f23d961 ("tracepoint: Make rcuidle tracepoint callers use SRCU")
+Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/tracepoint.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/include/linux/tracepoint.h
++++ b/include/linux/tracepoint.h
+@@ -166,7 +166,7 @@ static inline struct tracepoint *tracepo
+ struct tracepoint_func *it_func_ptr; \
+ void *it_func; \
+ void *__data; \
+- int __maybe_unused idx = 0; \
++ int __maybe_unused __idx = 0; \
+ \
+ if (!(cond)) \
+ return; \
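Review bot: The rename removes one collision, but `it_func_ptr` and `it_func` at the top of this macro body are still unprefixed locals sharing a scope with the caller-supplied `cond` (and presumably argument) expressions. A tracepoint whose expressions use either name would hit the same silent shadowing that this commit fixes for `idx`. Consider prefixing them in the same way and adding a comment above the declarations, e.g. `/* locals are __-prefixed so they cannot shadow names used in cond/args */`. The macro starts and ends outside these three hunks, so where the caller's expressions expand is only partly visible.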
+@@ -182,7 +182,7 @@ static inline struct tracepoint *tracepo
+ * doesn't work from the idle path. \
+ */ \
+ if (rcuidle) { \
+- idx = srcu_read_lock_notrace(&tracepoint_srcu); \
++ __idx = srcu_read_lock_notrace(&tracepoint_srcu);\
+ rcu_irq_enter_irqson(); \
+ } \
+ \
+@@ -198,7 +198,7 @@ static inline struct tracepoint *tracepo
+ \
+ if (rcuidle) { \
+ rcu_irq_exit_irqson(); \
+- srcu_read_unlock_notrace(&tracepoint_srcu, idx);\
++ srcu_read_unlock_notrace(&tracepoint_srcu, __idx);\
+ } \
+ \
+ preempt_enable_notrace(); \
--- /dev/null
+From 5cf99a0f3161bc3ae2391269d134d6bf7e26f00e Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Thu, 29 Nov 2018 08:50:27 -0500
+Subject: tracing/fgraph: Fix set_graph_function from showing interrupts
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 5cf99a0f3161bc3ae2391269d134d6bf7e26f00e upstream.
+
+The tracefs file set_graph_function is used to only function graph functions
+that are listed in that file (or all functions if the file is empty). The
+way this is implemented is that the function graph tracer looks at every
+function, and if the current depth is zero and the function matches
+something in the file then it will trace that function. When other functions
+are called, the depth will be greater than zero (because the original
+function will be at depth zero), and all functions will be traced where the
+depth is greater than zero.
+
+The issue is that when a function is first entered, and the handler that
+checks this logic is called, the depth is set to zero. If an interrupt comes
+in and a function in the interrupt handler is traced, its depth will be
+greater than zero and it will automatically be traced, even if the original
+function was not. But because the logic only looks at depth it may trace
+interrupts when it should not be.
+
+The recent design change of the function graph tracer to fix other bugs
+caused the depth to be zero while the function graph callback handler is
+being called for a longer time, widening the race of this happening. This
+bug was actually there for a longer time, but because the race window was so
+small it seldom happened. The Fixes tag below is for the commit that widen
+the race window, because that commit belongs to a series that will also help
+fix the original bug.
+
+Cc: stable@kernel.org
+Fixes: 39eb456dacb5 ("function_graph: Use new curr_ret_depth to manage depth instead of curr_ret_stack")
+Reported-by: Joe Lawrence <joe.lawrence@redhat.com>
+Tested-by: Joe Lawrence <joe.lawrence@redhat.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.h | 57 +++++++++++++++++++++++++++++++++--
+ kernel/trace/trace_functions_graph.c | 4 ++
+ kernel/trace/trace_irqsoff.c | 2 +
+ kernel/trace/trace_sched_wakeup.c | 2 +
+ 4 files changed, 62 insertions(+), 3 deletions(-)
+
+--- a/kernel/trace/trace.h
++++ b/kernel/trace/trace.h
+@@ -512,12 +512,44 @@ enum {
+ * can only be modified by current, we can reuse trace_recursion.
+ */
+ TRACE_IRQ_BIT,
++
++ /* Set if the function is in the set_graph_function file */
++ TRACE_GRAPH_BIT,
++
++ /*
++ * In the very unlikely case that an interrupt came in
++ * at a start of graph tracing, and we want to trace
++ * the function in that interrupt, the depth can be greater
++ * than zero, because of the preempted start of a previous
++ * trace. In an even more unlikely case, depth could be 2
++ * if a softirq interrupted the start of graph tracing,
++ * followed by an interrupt preempting a start of graph
++ * tracing in the softirq, and depth can even be 3
++ * if an NMI came in at the start of an interrupt function
++ * that preempted a softirq start of a function that
++ * preempted normal context!!!! Luckily, it can't be
++ * greater than 3, so the next two bits are a mask
++ * of what the depth is when we set TRACE_GRAPH_BIT
++ */
++
++ TRACE_GRAPH_DEPTH_START_BIT,
++ TRACE_GRAPH_DEPTH_END_BIT,
+ };
+
+ #define trace_recursion_set(bit) do { (current)->trace_recursion |= (1<<(bit)); } while (0)
+ #define trace_recursion_clear(bit) do { (current)->trace_recursion &= ~(1<<(bit)); } while (0)
+ #define trace_recursion_test(bit) ((current)->trace_recursion & (1<<(bit)))
+
++#define trace_recursion_depth() \
++ (((current)->trace_recursion >> TRACE_GRAPH_DEPTH_START_BIT) & 3)
++#define trace_recursion_set_depth(depth) \
++ do { \
++ current->trace_recursion &= \
++ ~(3 << TRACE_GRAPH_DEPTH_START_BIT); \
++ current->trace_recursion |= \
++ ((depth) & 3) << TRACE_GRAPH_DEPTH_START_BIT; \
++ } while (0)
++
+ #define TRACE_CONTEXT_BITS 4
+
+ #define TRACE_FTRACE_START TRACE_FTRACE_BIT
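Review bot: `trace_recursion_depth()` and `trace_recursion_set_depth()` hard-code the mask `3`, while the field they address is defined separately by the `TRACE_GRAPH_DEPTH_START_BIT` / `TRACE_GRAPH_DEPTH_END_BIT` enum entries. Nothing ties the two together if an entry is ever inserted between them, so a named mask used by both macros (for example `#define TRACE_GRAPH_DEPTH_MASK 3`, name only a suggestion) would help. A depth outside 0-3 is also silently truncated by `(depth) & 3`; a mismatch would then show up as TRACE_GRAPH_BIT never being cleared rather than as an error. As a style point, `trace_recursion_set_depth()` writes bare `current` where the three neighbouring macros write `(current)`.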
+@@ -843,8 +875,9 @@ extern void __trace_graph_return(struct
+ extern struct ftrace_hash *ftrace_graph_hash;
+ extern struct ftrace_hash *ftrace_graph_notrace_hash;
+
+-static inline int ftrace_graph_addr(unsigned long addr)
++static inline int ftrace_graph_addr(struct ftrace_graph_ent *trace)
+ {
++ unsigned long addr = trace->func;
+ int ret = 0;
+
+ preempt_disable_notrace();
+@@ -855,6 +888,14 @@ static inline int ftrace_graph_addr(unsi
+ }
+
+ if (ftrace_lookup_ip(ftrace_graph_hash, addr)) {
++
++ /*
++ * This needs to be cleared on the return functions
++ * when the depth is zero.
++ */
++ trace_recursion_set(TRACE_GRAPH_BIT);
++ trace_recursion_set_depth(trace->depth);
++
+ /*
+ * If no irqs are to be traced, but a set_graph_function
+ * is set, and called by an interrupt handler, we still
+@@ -872,6 +913,13 @@ out:
+ return ret;
+ }
+
++static inline void ftrace_graph_addr_finish(struct ftrace_graph_ret *trace)
++{
++ if (trace_recursion_test(TRACE_GRAPH_BIT) &&
++ trace->depth == trace_recursion_depth())
++ trace_recursion_clear(TRACE_GRAPH_BIT);
++}
++
+ static inline int ftrace_graph_notrace_addr(unsigned long addr)
+ {
+ int ret = 0;
+@@ -885,7 +933,7 @@ static inline int ftrace_graph_notrace_a
+ return ret;
+ }
+ #else
+-static inline int ftrace_graph_addr(unsigned long addr)
++static inline int ftrace_graph_addr(struct ftrace_graph_ent *trace)
+ {
+ return 1;
+ }
+@@ -894,6 +942,8 @@ static inline int ftrace_graph_notrace_a
+ {
+ return 0;
+ }
++static inline void ftrace_graph_addr_finish(struct ftrace_graph_ret *trace)
++{ }
+ #endif /* CONFIG_DYNAMIC_FTRACE */
+
+ extern unsigned int fgraph_max_depth;
+@@ -901,7 +951,8 @@ extern unsigned int fgraph_max_depth;
+ static inline bool ftrace_graph_ignore_func(struct ftrace_graph_ent *trace)
+ {
+ /* trace it when it is-nested-in or is a function enabled. */
+- return !(trace->depth || ftrace_graph_addr(trace->func)) ||
++ return !(trace_recursion_test(TRACE_GRAPH_BIT) ||
++ ftrace_graph_addr(trace)) ||
+ (trace->depth < 0) ||
+ (fgraph_max_depth && trace->depth >= fgraph_max_depth);
+ }
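Review bot: `ftrace_graph_addr(trace)` now has a side effect, setting TRACE_GRAPH_BIT and recording the depth, and in ftrace_graph_ignore_func() it is evaluated before the `trace->depth < 0` and `fgraph_max_depth` tests. If one of those later tests causes the entry to be ignored, the bit has already been set. Whether a return callback then reaches `ftrace_graph_addr_finish()` for that entry is not visible in this diff and should be confirmed. Evaluating the two depth tests first, before the lookup, would avoid the question altogether.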
+--- a/kernel/trace/trace_functions_graph.c
++++ b/kernel/trace/trace_functions_graph.c
+@@ -509,6 +509,8 @@ void trace_graph_return(struct ftrace_gr
+ int cpu;
+ int pc;
+
++ ftrace_graph_addr_finish(trace);
++
+ local_irq_save(flags);
+ cpu = raw_smp_processor_id();
+ data = per_cpu_ptr(tr->trace_buffer.data, cpu);
+@@ -532,6 +534,8 @@ void set_graph_array(struct trace_array
+
+ static void trace_graph_thresh_return(struct ftrace_graph_ret *trace)
+ {
++ ftrace_graph_addr_finish(trace);
++
+ if (tracing_thresh &&
+ (trace->rettime - trace->calltime < tracing_thresh))
+ return;
+--- a/kernel/trace/trace_irqsoff.c
++++ b/kernel/trace/trace_irqsoff.c
+@@ -208,6 +208,8 @@ static void irqsoff_graph_return(struct
+ unsigned long flags;
+ int pc;
+
++ ftrace_graph_addr_finish(trace);
++
+ if (!func_prolog_dec(tr, &data, &flags))
+ return;
+
+--- a/kernel/trace/trace_sched_wakeup.c
++++ b/kernel/trace/trace_sched_wakeup.c
+@@ -270,6 +270,8 @@ static void wakeup_graph_return(struct f
+ unsigned long flags;
+ int pc;
+
++ ftrace_graph_addr_finish(trace);
++
+ if (!func_prolog_preempt_disable(tr, &data, &pc))
+ return;
+
--- /dev/null
+From 09d3f015d1e1b4fee7e9bbdcf54201d239393391 Mon Sep 17 00:00:00 2001
+From: Andrea Parri <andrea.parri@amarulasolutions.com>
+Date: Thu, 22 Nov 2018 17:10:31 +0100
+Subject: uprobes: Fix handle_swbp() vs. unregister() + register() race once more
+
+From: Andrea Parri <andrea.parri@amarulasolutions.com>
+
+commit 09d3f015d1e1b4fee7e9bbdcf54201d239393391 upstream.
+
+Commit:
+
+ 142b18ddc8143 ("uprobes: Fix handle_swbp() vs unregister() + register() race")
+
+added the UPROBE_COPY_INSN flag, and corresponding smp_wmb() and smp_rmb()
+memory barriers, to ensure that handle_swbp() uses fully-initialized
+uprobes only.
+
+However, the smp_rmb() is mis-placed: this barrier should be placed
+after handle_swbp() has tested for the flag, thus guaranteeing that
+(program-order) subsequent loads from the uprobe can see the initial
+stores performed by prepare_uprobe().
+
+Move the smp_rmb() accordingly. Also amend the comments associated
+to the two memory barriers to indicate their actual locations.
+
+Signed-off-by: Andrea Parri <andrea.parri@amarulasolutions.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: stable@kernel.org
+Fixes: 142b18ddc8143 ("uprobes: Fix handle_swbp() vs unregister() + register() race")
+Link: http://lkml.kernel.org/r/20181122161031.15179-1-andrea.parri@amarulasolutions.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/uprobes.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/kernel/events/uprobes.c
++++ b/kernel/events/uprobes.c
+@@ -616,7 +616,7 @@ static int prepare_uprobe(struct uprobe
+ BUG_ON((uprobe->offset & ~PAGE_MASK) +
+ UPROBE_SWBP_INSN_SIZE > PAGE_SIZE);
+
+- smp_wmb(); /* pairs with rmb() in find_active_uprobe() */
++ smp_wmb(); /* pairs with the smp_rmb() in handle_swbp() */
+ set_bit(UPROBE_COPY_INSN, &uprobe->flags);
+
+ out:
+@@ -1914,10 +1914,18 @@ static void handle_swbp(struct pt_regs *
+ * After we hit the bp, _unregister + _register can install the
+ * new and not-yet-analyzed uprobe at the same address, restart.
+ */
+- smp_rmb(); /* pairs with wmb() in install_breakpoint() */
+ if (unlikely(!test_bit(UPROBE_COPY_INSN, &uprobe->flags)))
+ goto out;
+
++ /*
++ * Pairs with the smp_wmb() in prepare_uprobe().
++ *
++ * Guarantees that if we see the UPROBE_COPY_INSN bit set, then
++ * we must also see the stores to &uprobe->arch performed by the
++ * prepare_uprobe() call.
++ */
++ smp_rmb();
++
+ /* Tracing handlers use ->utask to communicate with fetch methods */
+ if (!get_utask())
+ goto out;
--- /dev/null
+From e2a50c1f64145a04959df2442305d57307e5395a Mon Sep 17 00:00:00 2001
+From: Andrea Arcangeli <aarcange@redhat.com>
+Date: Fri, 30 Nov 2018 14:09:37 -0800
+Subject: userfaultfd: shmem: add i_size checks
+
+From: Andrea Arcangeli <aarcange@redhat.com>
+
+commit e2a50c1f64145a04959df2442305d57307e5395a upstream.
+
+With MAP_SHARED: recheck the i_size after taking the PT lock, to
+serialize against truncate with the PT lock. Delete the page from the
+pagecache if the i_size_read check fails.
+
+With MAP_PRIVATE: check the i_size after the PT lock before mapping
+anonymous memory or zeropages into the MAP_PRIVATE shmem mapping.
+
+A mostly irrelevant cleanup: like we do the delete_from_page_cache()
+pagecache removal after dropping the PT lock, the PT lock is a spinlock
+so drop it before the sleepable page lock.
+
+Link: http://lkml.kernel.org/r/20181126173452.26955-5-aarcange@redhat.com
+Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support")
+Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
+Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
+Reviewed-by: Hugh Dickins <hughd@google.com>
+Reported-by: Jann Horn <jannh@google.com>
+Cc: <stable@vger.kernel.org>
+Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/shmem.c | 18 ++++++++++++++++--
+ mm/userfaultfd.c | 26 ++++++++++++++++++++++++--
+ 2 files changed, 40 insertions(+), 4 deletions(-)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2264,6 +2264,7 @@ static int shmem_mfill_atomic_pte(struct
+ struct page *page;
+ pte_t _dst_pte, *dst_pte;
+ int ret;
++ pgoff_t offset, max_off;
+
+ ret = -ENOMEM;
+ if (!shmem_inode_acct_block(inode, 1))
+@@ -2301,6 +2302,12 @@ static int shmem_mfill_atomic_pte(struct
+ __SetPageSwapBacked(page);
+ __SetPageUptodate(page);
+
++ ret = -EFAULT;
++ offset = linear_page_index(dst_vma, dst_addr);
++ max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
++ if (unlikely(offset >= max_off))
++ goto out_release;
++
+ ret = mem_cgroup_try_charge_delay(page, dst_mm, gfp, &memcg, false);
+ if (ret)
+ goto out_release;
+@@ -2319,8 +2326,14 @@ static int shmem_mfill_atomic_pte(struct
+ if (dst_vma->vm_flags & VM_WRITE)
+ _dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte));
+
+- ret = -EEXIST;
+ dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
++
++ ret = -EFAULT;
++ max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
++ if (unlikely(offset >= max_off))
++ goto out_release_uncharge_unlock;
++
++ ret = -EEXIST;
+ if (!pte_none(*dst_pte))
+ goto out_release_uncharge_unlock;
+
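Review bot: The second `i_size_read()` comparison, placed right after `pte_offset_map_lock()`, carries no comment and reads like an accidental duplicate of the check added earlier in the function. The reason is only in the commit message (rechecking under the PT lock serializes against truncate); put it in the code, e.g. `/* recheck i_size under the PT lock to serialize against truncate */`. The expression `DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE)` also appears here, earlier in this function and twice in mm/userfaultfd.c, so a small helper would keep the four copies from drifting. shmem_mfill_atomic_pte() begins and ends outside the hunk.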
+@@ -2338,13 +2351,14 @@ static int shmem_mfill_atomic_pte(struct
+
+ /* No need to invalidate - it was non-present before */
+ update_mmu_cache(dst_vma, dst_addr, dst_pte);
+- unlock_page(page);
+ pte_unmap_unlock(dst_pte, ptl);
++ unlock_page(page);
+ ret = 0;
+ out:
+ return ret;
+ out_release_uncharge_unlock:
+ pte_unmap_unlock(dst_pte, ptl);
++ delete_from_page_cache(page);
+ out_release_uncharge:
+ mem_cgroup_cancel_charge(page, memcg, false);
+ out_release:
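Review bot: `delete_from_page_cache(page)` now runs for every jump to `out_release_uncharge_unlock`, including the pre-existing `-EEXIST` one, so the label assumes the page is locked and already in the page cache at each site. The page-cache insertion and the code under `out_release` lie outside the hunk, so that precondition cannot be checked here. A one-line comment at the label, e.g. `/* page is locked and in the page cache here */`, would record it. The swap of `pte_unmap_unlock()` ahead of `unlock_page()` on the success path deserves a comment too, since its rationale is given only in the commit message.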
+--- a/mm/userfaultfd.c
++++ b/mm/userfaultfd.c
+@@ -33,6 +33,8 @@ static int mcopy_atomic_pte(struct mm_st
+ void *page_kaddr;
+ int ret;
+ struct page *page;
++ pgoff_t offset, max_off;
++ struct inode *inode;
+
+ if (!*pagep) {
+ ret = -ENOMEM;
+@@ -73,8 +75,17 @@ static int mcopy_atomic_pte(struct mm_st
+ if (dst_vma->vm_flags & VM_WRITE)
+ _dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte));
+
+- ret = -EEXIST;
+ dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
++ if (dst_vma->vm_file) {
++ /* the shmem MAP_PRIVATE case requires checking the i_size */
++ inode = dst_vma->vm_file->f_inode;
++ offset = linear_page_index(dst_vma, dst_addr);
++ max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
++ ret = -EFAULT;
++ if (unlikely(offset >= max_off))
++ goto out_release_uncharge_unlock;
++ }
++ ret = -EEXIST;
+ if (!pte_none(*dst_pte))
+ goto out_release_uncharge_unlock;
+
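Review bot: The i_size block added here is repeated verbatim in mfill_zeropage_pte() in the next hunk, differing only in the goto label. A shared helper that reports whether `dst_addr` lies past i_size would keep the two checks identical. `dst_vma->vm_file->f_inode` is open-coded where the kernel's `file_inode()` accessor is the usual spelling. The comment names the shmem MAP_PRIVATE case, but the condition `dst_vma->vm_file` holds for any file-backed vma that gets here; which vma types can reach mcopy_atomic_pte() is decided outside this hunk, so the comment should say whether the broader match is intended.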
+@@ -108,11 +119,22 @@ static int mfill_zeropage_pte(struct mm_
+ pte_t _dst_pte, *dst_pte;
+ spinlock_t *ptl;
+ int ret;
++ pgoff_t offset, max_off;
++ struct inode *inode;
+
+ _dst_pte = pte_mkspecial(pfn_pte(my_zero_pfn(dst_addr),
+ dst_vma->vm_page_prot));
+- ret = -EEXIST;
+ dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
++ if (dst_vma->vm_file) {
++ /* the shmem MAP_PRIVATE case requires checking the i_size */
++ inode = dst_vma->vm_file->f_inode;
++ offset = linear_page_index(dst_vma, dst_addr);
++ max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
++ ret = -EFAULT;
++ if (unlikely(offset >= max_off))
++ goto out_unlock;
++ }
++ ret = -EEXIST;
+ if (!pte_none(*dst_pte))
+ goto out_unlock;
+ set_pte_at(dst_mm, dst_addr, dst_pte, _dst_pte);
--- /dev/null
+From 5b51072e97d587186c2f5390c8c9c1fb7e179505 Mon Sep 17 00:00:00 2001
+From: Andrea Arcangeli <aarcange@redhat.com>
+Date: Fri, 30 Nov 2018 14:09:28 -0800
+Subject: userfaultfd: shmem: allocate anonymous memory for MAP_PRIVATE shmem
+
+From: Andrea Arcangeli <aarcange@redhat.com>
+
+commit 5b51072e97d587186c2f5390c8c9c1fb7e179505 upstream.
+
+Userfaultfd did not create private memory when UFFDIO_COPY was invoked
+on a MAP_PRIVATE shmem mapping. Instead it wrote to the shmem file,
+even when that had not been opened for writing. Though, fortunately,
+that could only happen where there was a hole in the file.
+
+Fix the shmem-backed implementation of UFFDIO_COPY to create private
+memory for MAP_PRIVATE mappings. The hugetlbfs-backed implementation
+was already correct.
+
+This change is visible to userland, if userfaultfd has been used in
+unintended ways: so it introduces a small risk of incompatibility, but
+is necessary in order to respect file permissions.
+
+An app that uses UFFDIO_COPY for anything like postcopy live migration
+won't notice the difference, and in fact it'll run faster because there
+will be no copy-on-write and memory waste in the tmpfs pagecache
+anymore.
+
+Userfaults on MAP_PRIVATE shmem keep triggering only on file holes like
+before.
+
+The real zeropage can also be built on a MAP_PRIVATE shmem mapping
+through UFFDIO_ZEROPAGE and that's safe because the zeropage pte is
+never dirty, in turn even an mprotect upgrading the vma permission from
+PROT_READ to PROT_READ|PROT_WRITE won't make the zeropage pte writable.
+
+Link: http://lkml.kernel.org/r/20181126173452.26955-3-aarcange@redhat.com
+Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support")
+Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
+Reported-by: Mike Rapoport <rppt@linux.ibm.com>
+Reviewed-by: Hugh Dickins <hughd@google.com>
+Cc: <stable@vger.kernel.org>
+Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/userfaultfd.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/mm/userfaultfd.c
++++ b/mm/userfaultfd.c
+@@ -381,7 +381,17 @@ static __always_inline ssize_t mfill_ato
+ {
+ ssize_t err;
+
+- if (vma_is_anonymous(dst_vma)) {
++ /*
++ * The normal page fault path for a shmem will invoke the
++ * fault, fill the hole in the file and COW it right away. The
++ * result generates plain anonymous memory. So when we are
++ * asked to fill an hole in a MAP_PRIVATE shmem mapping, we'll
++ * generate anonymous memory directly without actually filling
++ * the hole. For the MAP_PRIVATE case the robustness check
++ * only happens in the pagetable (to verify it's still none)
++ * and not in the radix tree.
++ */
++ if (!(dst_vma->vm_flags & VM_SHARED)) {
+ if (!zeropage)
+ err = mcopy_atomic_pte(dst_mm, dst_pmd, dst_vma,
+ dst_addr, src_addr, page);
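Review bot: The new test `!(dst_vma->vm_flags & VM_SHARED)` in mfill_atomic_pte() selects the anonymous-memory path by mapping type alone, so it no longer states which backings are acceptable. It presumably relies on a check outside this hunk that has already rejected VMAs that are neither anonymous nor shmem. Since this path installs private pages over a file-backed VMA, that precondition deserves a line in the comment, e.g. `* Callers must have limited dst_vma to anonymous or shmem mappings.` The second hunk applies the same test before anon_vma_prepare(). The function body continues outside the hunk.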
+@@ -486,7 +496,8 @@ retry:
+ * dst_vma.
+ */
+ err = -ENOMEM;
+- if (vma_is_anonymous(dst_vma) && unlikely(anon_vma_prepare(dst_vma)))
++ if (!(dst_vma->vm_flags & VM_SHARED) &&
++ unlikely(anon_vma_prepare(dst_vma)))
+ goto out_unlock;
+
+ while (src_addr < src_start + len) {
--- /dev/null
+From dcf7fe9d89763a28e0f43975b422ff141fe79e43 Mon Sep 17 00:00:00 2001
+From: Andrea Arcangeli <aarcange@redhat.com>
+Date: Fri, 30 Nov 2018 14:09:43 -0800
+Subject: userfaultfd: shmem: UFFDIO_COPY: set the page dirty if VM_WRITE is not set
+
+From: Andrea Arcangeli <aarcange@redhat.com>
+
+commit dcf7fe9d89763a28e0f43975b422ff141fe79e43 upstream.
+
+Set the page dirty if VM_WRITE is not set because in such case the pte
+won't be marked dirty and the page would be reclaimed without writepage
+(i.e. swapout in the shmem case).
+
+This was found by source review. Most apps (certainly including QEMU)
+only use UFFDIO_COPY on PROT_READ|PROT_WRITE mappings or the app can't
+modify the memory in the first place. This is for correctness and it
+could help the non cooperative use case to avoid unexpected data loss.
+
+Link: http://lkml.kernel.org/r/20181126173452.26955-6-aarcange@redhat.com
+Reviewed-by: Hugh Dickins <hughd@google.com>
+Cc: stable@vger.kernel.org
+Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support")
+Reported-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
+Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Cc: Peter Xu <peterx@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/shmem.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2325,6 +2325,16 @@ static int shmem_mfill_atomic_pte(struct
+ _dst_pte = mk_pte(page, dst_vma->vm_page_prot);
+ if (dst_vma->vm_flags & VM_WRITE)
+ _dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte));
++ else {
++ /*
++ * We don't set the pte dirty if the vma has no
++ * VM_WRITE permission, so mark the page dirty or it
++ * could be freed from under us. We could do it
++ * unconditionally before unlock_page(), but doing it
++ * only if VM_WRITE is not set is faster.
++ */
++ set_page_dirty(page);
++ }
+
+ dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
+
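Review bot: The added `else { ... }` in shmem_mfill_atomic_pte() leaves the `if` branch unbraced, which kernel coding style asks to avoid when the other branch is a compound statement. Write the condition as `if (dst_vma->vm_flags & VM_WRITE) {` and join the branches with `} else {`. The function starts and ends outside the hunk.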
+@@ -2358,6 +2368,7 @@ out:
+ return ret;
+ out_release_uncharge_unlock:
+ pte_unmap_unlock(dst_pte, ptl);
++ ClearPageDirty(page);
+ delete_from_page_cache(page);
+ out_release_uncharge:
+ mem_cgroup_cancel_charge(page, memcg, false);
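Review bot: `ClearPageDirty(page)` is added to the out_release_uncharge_unlock path without a comment, and it runs on every jump to that label, including the VM_WRITE case where the first hunk did not dirty the page. It presumably undoes the set_page_dirty() added above, so that the page is not deleted from the page cache while still marked dirty. A short comment such as `/* undo set_page_dirty() done when VM_WRITE is not set */` would record that. The label block belongs to a function whose body lies mostly outside the hunk.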
--- /dev/null
+From 9e368259ad988356c4c95150fafd1a06af095d98 Mon Sep 17 00:00:00 2001
+From: Andrea Arcangeli <aarcange@redhat.com>
+Date: Fri, 30 Nov 2018 14:09:25 -0800
+Subject: userfaultfd: use ENOENT instead of EFAULT if the atomic copy user fails
+
+From: Andrea Arcangeli <aarcange@redhat.com>
+
+commit 9e368259ad988356c4c95150fafd1a06af095d98 upstream.
+
+Patch series "userfaultfd shmem updates".
+
+Jann found two bugs in the userfaultfd shmem MAP_SHARED backend: the
+lack of the VM_MAYWRITE check and the lack of i_size checks.
+
+Then looking into the above we also fixed the MAP_PRIVATE case.
+
+Hugh by source review also found a data loss source if UFFDIO_COPY is
+used on shmem MAP_SHARED PROT_READ mappings (the production usages
+incidentally run with PROT_READ|PROT_WRITE, so the data loss couldn't
+happen in those production usages like with QEMU).
+
+The whole patchset is marked for stable.
+
+We verified QEMU postcopy live migration with guest running on shmem
+MAP_PRIVATE run as well as before after the fix of shmem MAP_PRIVATE.
+Regardless if it's shmem or hugetlbfs or MAP_PRIVATE or MAP_SHARED, QEMU
+unconditionally invokes a punch hole if the guest mapping is filebacked
+and a MADV_DONTNEED too (needed to get rid of the MAP_PRIVATE COWs and
+for the anon backend).
+
+This patch (of 5):
+
+We internally used EFAULT to communicate with the caller, switch to
+ENOENT, so EFAULT can be used as a non internal retval.
+
+Link: http://lkml.kernel.org/r/20181126173452.26955-2-aarcange@redhat.com
+Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support")
+Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
+Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
+Reviewed-by: Hugh Dickins <hughd@google.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Cc: <stable@vger.kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/hugetlb.c | 2 +-
+ mm/shmem.c | 2 +-
+ mm/userfaultfd.c | 6 +++---
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -4080,7 +4080,7 @@ int hugetlb_mcopy_atomic_pte(struct mm_s
+
+ /* fallback to copy_from_user outside mmap_sem */
+ if (unlikely(ret)) {
+- ret = -EFAULT;
++ ret = -ENOENT;
+ *pagep = page;
+ /* don't free the page */
+ goto out;
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2286,7 +2286,7 @@ static int shmem_mfill_atomic_pte(struct
+ *pagep = page;
+ shmem_inode_unacct_blocks(inode, 1);
+ /* don't free the page */
+- return -EFAULT;
++ return -ENOENT;
+ }
+ } else { /* mfill_zeropage_atomic */
+ clear_highpage(page);
+--- a/mm/userfaultfd.c
++++ b/mm/userfaultfd.c
+@@ -48,7 +48,7 @@ static int mcopy_atomic_pte(struct mm_st
+
+ /* fallback to copy_from_user outside mmap_sem */
+ if (unlikely(ret)) {
+- ret = -EFAULT;
++ ret = -ENOENT;
+ *pagep = page;
+ /* don't free the page */
+ goto out;
+@@ -275,7 +275,7 @@ retry:
+
+ cond_resched();
+
+- if (unlikely(err == -EFAULT)) {
++ if (unlikely(err == -ENOENT)) {
+ up_read(&dst_mm->mmap_sem);
+ BUG_ON(!page);
+
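Review bot: The retry test `err == -ENOENT` is followed by `BUG_ON(!page)`, so any callee that returned -ENOENT for a reason other than the copy_from_user fallback would hit the assertion rather than fail the ioctl. Nothing at this site, or at the matching test in the `@@ -527` hunk, says that -ENOENT is an internal signal. A comment such as `/* -ENOENT: callee handed back a page, copy from userspace outside mmap_sem */` would pin the contract, and replacing the assertion with an error return may be worth considering. The enclosing function starts and ends outside the hunk.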
+@@ -527,7 +527,7 @@ retry:
+ src_addr, &page, zeropage);
+ cond_resched();
+
+- if (unlikely(err == -EFAULT)) {
++ if (unlikely(err == -ENOENT)) {
+ void *page_kaddr;
+
+ up_read(&dst_mm->mmap_sem);