--- /dev/null
+From 891afcf2462d2cc4ef7caf94215358ca61fa32cb Mon Sep 17 00:00:00 2001
+From: Jeremy Soller <jeremy@system76.com>
+Date: Fri, 10 May 2019 10:15:07 -0400
+Subject: ALSA: hda/realtek - Corrected fixup for System76 Gazelle (gaze14)
+
+From: Jeremy Soller <jeremy@system76.com>
+
+commit 891afcf2462d2cc4ef7caf94215358ca61fa32cb upstream.
+
+A mistake was made in the identification of the four variants of the
+System76 Gazelle (gaze14). This patch corrects the PCI ID of the
+17-inch, GTX 1660 Ti variant from 0x8560 to 0x8551. This patch also
+adds the correct fixups for the 15-inch and 17-inch GTX 1650 variants
+with PCI IDs 0x8560 and 0x8561.
+
+Tests were done on all four variants ensuring full audio capability.
+
+Fixes: 80a5052db751 ("ALSA: hdea/realtek - Headset fixup for System76 Gazelle (gaze14)")
+Signed-off-by: Jeremy Soller <jeremy@system76.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6933,7 +6933,9 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1462, 0xb171, "Cubi N 8GL (MS-B171)", ALC283_FIXUP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1558, 0x1325, "System76 Darter Pro (darp5)", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x8550, "System76 Gazelle (gaze14)", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+- SND_PCI_QUIRK(0x1558, 0x8560, "System76 Gazelle (gaze14)", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0x1558, 0x8551, "System76 Gazelle (gaze14)", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0x1558, 0x8560, "System76 Gazelle (gaze14)", ALC269_FIXUP_HEADSET_MIC),
++ SND_PCI_QUIRK(0x1558, 0x8561, "System76 Gazelle (gaze14)", ALC269_FIXUP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x17aa, 0x1036, "Lenovo P520", ALC233_FIXUP_LENOVO_MULTI_CODECS),
+ SND_PCI_QUIRK(0x17aa, 0x20f2, "Thinkpad SL410/510", ALC269_FIXUP_SKU_IGNORE),
+ SND_PCI_QUIRK(0x17aa, 0x215e, "Thinkpad L512", ALC269_FIXUP_SKU_IGNORE),
--- /dev/null
+From 56df90b631fc027fe28b70d41352d820797239bb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Wadowski?= <wadosm@gmail.com>
+Date: Tue, 14 May 2019 16:58:00 +0200
+Subject: ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michał Wadowski <wadosm@gmail.com>
+
+commit 56df90b631fc027fe28b70d41352d820797239bb upstream.
+
+Add patch for realtek codec in Lenovo B50-70 that fixes inverted
+internal microphone channel.
+Device IdeaPad Y410P has the same PCI SSID as Lenovo B50-70,
+but first one is about fix the noise and it didn't seem help in a
+later kernel version.
+So I replaced IdeaPad Y410P device description with B50-70 and apply
+inverted microphone fix.
+
+Bugzilla: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1524215
+Signed-off-by: Michał Wadowski <wadosm@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6990,7 +6990,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x17aa, 0x313c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+ SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
+- SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP),
++ SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ SND_PCI_QUIRK(0x17aa, 0x5013, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x17aa, 0x501a, "Thinkpad", ALC283_FIXUP_INT_MIC),
+ SND_PCI_QUIRK(0x17aa, 0x501e, "Thinkpad L440", ALC292_FIXUP_TPT440_DOCK),
--- /dev/null
+From dad3197da7a3817f27bb24f7fd3c135ffa707202 Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Fri, 10 May 2019 16:28:57 +0800
+Subject: ALSA: hda/realtek - Fixup headphone noise via runtime suspend
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit dad3197da7a3817f27bb24f7fd3c135ffa707202 upstream.
+
+Dell platform with ALC298.
+system enter to runtime suspend. Headphone had noise.
+Let Headset Mic not shutup will solve this issue.
+
+[ Fixed minor coding style issues by tiwai ]
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 59 ++++++++++++++++++++++++------------------
+ 1 file changed, 35 insertions(+), 24 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -477,12 +477,45 @@ static void alc_auto_setup_eapd(struct h
+ set_eapd(codec, *p, on);
+ }
+
++static int find_ext_mic_pin(struct hda_codec *codec);
++
++static void alc_headset_mic_no_shutup(struct hda_codec *codec)
++{
++ const struct hda_pincfg *pin;
++ int mic_pin = find_ext_mic_pin(codec);
++ int i;
++
++ /* don't shut up pins when unloading the driver; otherwise it breaks
++ * the default pin setup at the next load of the driver
++ */
++ if (codec->bus->shutdown)
++ return;
++
++ snd_array_for_each(&codec->init_pins, i, pin) {
++ /* use read here for syncing after issuing each verb */
++ if (pin->nid != mic_pin)
++ snd_hda_codec_read(codec, pin->nid, 0,
++ AC_VERB_SET_PIN_WIDGET_CONTROL, 0);
++ }
++
++ codec->pins_shutup = 1;
++}
++
+ static void alc_shutup_pins(struct hda_codec *codec)
+ {
+ struct alc_spec *spec = codec->spec;
+
+- if (!spec->no_shutup_pins)
+- snd_hda_shutup_pins(codec);
++ switch (codec->core.vendor_id) {
++ case 0x10ec0286:
++ case 0x10ec0288:
++ case 0x10ec0298:
++ alc_headset_mic_no_shutup(codec);
++ break;
++ default:
++ if (!spec->no_shutup_pins)
++ snd_hda_shutup_pins(codec);
++ break;
++ }
+ }
+
+ /* generic shutup callback;
+@@ -2923,27 +2956,6 @@ static int alc269_parse_auto_config(stru
+ return alc_parse_auto_config(codec, alc269_ignore, ssids);
+ }
+
+-static int find_ext_mic_pin(struct hda_codec *codec);
+-
+-static void alc286_shutup(struct hda_codec *codec)
+-{
+- const struct hda_pincfg *pin;
+- int i;
+- int mic_pin = find_ext_mic_pin(codec);
+- /* don't shut up pins when unloading the driver; otherwise it breaks
+- * the default pin setup at the next load of the driver
+- */
+- if (codec->bus->shutdown)
+- return;
+- snd_array_for_each(&codec->init_pins, i, pin) {
+- /* use read here for syncing after issuing each verb */
+- if (pin->nid != mic_pin)
+- snd_hda_codec_read(codec, pin->nid, 0,
+- AC_VERB_SET_PIN_WIDGET_CONTROL, 0);
+- }
+- codec->pins_shutup = 1;
+-}
+-
+ static void alc269vb_toggle_power_output(struct hda_codec *codec, int power_up)
+ {
+ alc_update_coef_idx(codec, 0x04, 1 << 11, power_up ? (1 << 11) : 0);
+@@ -7707,7 +7719,6 @@ static int patch_alc269(struct hda_codec
+ case 0x10ec0286:
+ case 0x10ec0288:
+ spec->codec_variant = ALC269_TYPE_ALC286;
+- spec->shutup = alc286_shutup;
+ break;
+ case 0x10ec0298:
+ spec->codec_variant = ALC269_TYPE_ALC298;
--- /dev/null
+From 2c1d0e3631e5732dba98ef49ac0bec1388776793 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 17 May 2019 17:37:18 -0400
+Subject: ext4: avoid panic during forced reboot due to aborted journal
+
+From: Jan Kara <jack@suse.cz>
+
+commit 2c1d0e3631e5732dba98ef49ac0bec1388776793 upstream.
+
+Handling of aborted journal is a special code path different from
+standard ext4_error() one and it can call panic() as well. Commit
+1dc1097ff60e ("ext4: avoid panic during forced reboot") forgot to update
+this path so fix that omission.
+
+Fixes: 1dc1097ff60e ("ext4: avoid panic during forced reboot")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 5.1
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -698,7 +698,7 @@ void __ext4_abort(struct super_block *sb
+ jbd2_journal_abort(EXT4_SB(sb)->s_journal, -EIO);
+ save_error_info(sb, function, line);
+ }
+- if (test_opt(sb, ERRORS_PANIC)) {
++ if (test_opt(sb, ERRORS_PANIC) && !system_going_down()) {
+ if (EXT4_SB(sb)->s_journal &&
+ !(EXT4_SB(sb)->s_journal->j_flags & JBD2_REC_ERR))
+ return;
--- /dev/null
+From 57a0da28ced8707cb9f79f071a016b9d005caf5a Mon Sep 17 00:00:00 2001
+From: Lukas Czerner <lczerner@redhat.com>
+Date: Fri, 10 May 2019 21:45:33 -0400
+Subject: ext4: fix data corruption caused by overlapping unaligned and aligned IO
+
+From: Lukas Czerner <lczerner@redhat.com>
+
+commit 57a0da28ced8707cb9f79f071a016b9d005caf5a upstream.
+
+Unaligned AIO must be serialized because the zeroing of partial blocks
+of unaligned AIO can result in data corruption in case it's overlapping
+another in flight IO.
+
+Currently we wait for all unwritten extents before we submit unaligned
+AIO which protects data in case of unaligned AIO is following overlapping
+IO. However if a unaligned AIO is followed by overlapping aligned AIO we
+can still end up corrupting data.
+
+To fix this, we must make sure that the unaligned AIO is the only IO in
+flight by waiting for unwritten extents conversion not just before the
+IO submission, but right after it as well.
+
+This problem can be reproduced by xfstest generic/538
+
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/file.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -264,6 +264,13 @@ ext4_file_write_iter(struct kiocb *iocb,
+ }
+
+ ret = __generic_file_write_iter(iocb, from);
++ /*
++ * Unaligned direct AIO must be the only IO in flight. Otherwise
++ * overlapping aligned IO after unaligned might result in data
++ * corruption.
++ */
++ if (ret == -EIOCBQUEUED && unaligned_aio)
++ ext4_unwritten_wait(inode);
+ inode_unlock(inode);
+
+ if (ret > 0)
--- /dev/null
+From 08fc98a4d6424af66eb3ac4e2cedd2fc927ed436 Mon Sep 17 00:00:00 2001
+From: Sahitya Tummala <stummala@codeaurora.org>
+Date: Fri, 10 May 2019 22:00:33 -0400
+Subject: ext4: fix use-after-free in dx_release()
+
+From: Sahitya Tummala <stummala@codeaurora.org>
+
+commit 08fc98a4d6424af66eb3ac4e2cedd2fc927ed436 upstream.
+
+The buffer_head (frames[0].bh) and it's corresping page can be
+potentially free'd once brelse() is done inside the for loop
+but before the for loop exits in dx_release(). It can be free'd
+in another context, when the page cache is flushed via
+drop_caches_sysctl_handler(). This results into below data abort
+when accessing info->indirect_levels in dx_release().
+
+Unable to handle kernel paging request at virtual address ffffffc17ac3e01e
+Call trace:
+ dx_release+0x70/0x90
+ ext4_htree_fill_tree+0x2d4/0x300
+ ext4_readdir+0x244/0x6f8
+ iterate_dir+0xbc/0x160
+ SyS_getdents64+0x94/0x174
+
+Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/namei.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -871,12 +871,15 @@ static void dx_release(struct dx_frame *
+ {
+ struct dx_root_info *info;
+ int i;
++ unsigned int indirect_levels;
+
+ if (frames[0].bh == NULL)
+ return;
+
+ info = &((struct dx_root *)frames[0].bh->b_data)->info;
+- for (i = 0; i <= info->indirect_levels; i++) {
++ /* save local copy, "info" may be freed after brelse() */
++ indirect_levels = info->indirect_levels;
++ for (i = 0; i <= indirect_levels; i++) {
+ if (frames[i].bh == NULL)
+ break;
+ brelse(frames[i].bh);
--- /dev/null
+From 592acbf16821288ecdc4192c47e3774a4c48bb64 Mon Sep 17 00:00:00 2001
+From: Sriram Rajagopalan <sriramr@arista.com>
+Date: Fri, 10 May 2019 19:28:06 -0400
+Subject: ext4: zero out the unused memory region in the extent tree block
+
+From: Sriram Rajagopalan <sriramr@arista.com>
+
+commit 592acbf16821288ecdc4192c47e3774a4c48bb64 upstream.
+
+This commit zeroes out the unused memory region in the buffer_head
+corresponding to the extent metablock after writing the extent header
+and the corresponding extent node entries.
+
+This is done to prevent random uninitialized data from getting into
+the filesystem when the extent block is synced.
+
+This fixes CVE-2019-11833.
+
+Signed-off-by: Sriram Rajagopalan <sriramr@arista.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/extents.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -1035,6 +1035,7 @@ static int ext4_ext_split(handle_t *hand
+ __le32 border;
+ ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */
+ int err = 0;
++ size_t ext_size = 0;
+
+ /* make decision: where to split? */
+ /* FIXME: now decision is simplest: at current extent */
+@@ -1126,6 +1127,10 @@ static int ext4_ext_split(handle_t *hand
+ le16_add_cpu(&neh->eh_entries, m);
+ }
+
++ /* zero out unused area in the extent block */
++ ext_size = sizeof(struct ext4_extent_header) +
++ sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries);
++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
+ ext4_extent_block_csum_set(inode, neh);
+ set_buffer_uptodate(bh);
+ unlock_buffer(bh);
+@@ -1205,6 +1210,11 @@ static int ext4_ext_split(handle_t *hand
+ sizeof(struct ext4_extent_idx) * m);
+ le16_add_cpu(&neh->eh_entries, m);
+ }
++ /* zero out unused area in the extent block */
++ ext_size = sizeof(struct ext4_extent_header) +
++ (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries));
++ memset(bh->b_data + ext_size, 0,
++ inode->i_sb->s_blocksize - ext_size);
+ ext4_extent_block_csum_set(inode, neh);
+ set_buffer_uptodate(bh);
+ unlock_buffer(bh);
+@@ -1270,6 +1280,7 @@ static int ext4_ext_grow_indepth(handle_
+ ext4_fsblk_t newblock, goal = 0;
+ struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es;
+ int err = 0;
++ size_t ext_size = 0;
+
+ /* Try to prepend new index to old one */
+ if (ext_depth(inode))
+@@ -1295,9 +1306,11 @@ static int ext4_ext_grow_indepth(handle_
+ goto out;
+ }
+
++ ext_size = sizeof(EXT4_I(inode)->i_data);
+ /* move top-level index/leaf into new block */
+- memmove(bh->b_data, EXT4_I(inode)->i_data,
+- sizeof(EXT4_I(inode)->i_data));
++ memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size);
++ /* zero out unused area in the extent block */
++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
+
+ /* set size of new block */
+ neh = ext_block_hdr(bh);
--- /dev/null
+From ec084de929e419e51bcdafaafe567d9e7d0273b7 Mon Sep 17 00:00:00 2001
+From: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Date: Fri, 17 May 2019 14:31:44 -0700
+Subject: fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount
+
+From: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+
+commit ec084de929e419e51bcdafaafe567d9e7d0273b7 upstream.
+
+synchronize_rcu() didn't wait for call_rcu() callbacks, so inode wb
+switch may not go to the workqueue after synchronize_rcu(). Thus
+previous scheduled switches was not finished even flushing the
+workqueue, which will cause a NULL pointer dereferenced followed below.
+
+ VFS: Busy inodes after unmount of vdd. Self-destruct in 5 seconds. Have a nice day...
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000278
+ evict+0xb3/0x180
+ iput+0x1b0/0x230
+ inode_switch_wbs_work_fn+0x3c0/0x6a0
+ worker_thread+0x4e/0x490
+ ? process_one_work+0x410/0x410
+ kthread+0xe6/0x100
+ ret_from_fork+0x39/0x50
+
+Replace the synchronize_rcu() call with a rcu_barrier() to wait for all
+pending callbacks to finish. And inc isw_nr_in_flight after call_rcu()
+in inode_switch_wbs() to make more sense.
+
+Link: http://lkml.kernel.org/r/20190429024108.54150-1-jiufei.xue@linux.alibaba.com
+Signed-off-by: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Suggested-by: Tejun Heo <tj@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fs-writeback.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -523,8 +523,6 @@ static void inode_switch_wbs(struct inod
+
+ isw->inode = inode;
+
+- atomic_inc(&isw_nr_in_flight);
+-
+ /*
+ * In addition to synchronizing among switchers, I_WB_SWITCH tells
+ * the RCU protected stat update paths to grab the i_page
+@@ -532,6 +530,9 @@ static void inode_switch_wbs(struct inod
+ * Let's continue after I_WB_SWITCH is guaranteed to be visible.
+ */
+ call_rcu(&isw->rcu_head, inode_switch_wbs_rcu_fn);
++
++ atomic_inc(&isw_nr_in_flight);
++
+ goto out_unlock;
+
+ out_free:
+@@ -901,7 +902,11 @@ restart:
+ void cgroup_writeback_umount(void)
+ {
+ if (atomic_read(&isw_nr_in_flight)) {
+- synchronize_rcu();
++ /*
++ * Use rcu_barrier() to wait for all pending callbacks to
++ * ensure that all in-flight wb switches are in the workqueue.
++ */
++ rcu_barrier();
+ flush_workqueue(isw_wq);
+ }
+ }
--- /dev/null
+From 0d52154bb0a700abb459a2cbce0a30fc2549b67e Mon Sep 17 00:00:00 2001
+From: Chengguang Xu <cgxu519@gmail.com>
+Date: Fri, 10 May 2019 21:15:47 -0400
+Subject: jbd2: fix potential double free
+
+From: Chengguang Xu <cgxu519@gmail.com>
+
+commit 0d52154bb0a700abb459a2cbce0a30fc2549b67e upstream.
+
+When failing from creating cache jbd2_inode_cache, we will destroy the
+previously created cache jbd2_handle_cache twice. This patch fixes
+this by moving each cache initialization/destruction to its own
+separate, individual function.
+
+Signed-off-by: Chengguang Xu <cgxu519@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/journal.c | 49 +++++++++++++++++++++++++++++++------------------
+ fs/jbd2/revoke.c | 32 ++++++++++++++++++++------------
+ fs/jbd2/transaction.c | 8 +++++---
+ include/linux/jbd2.h | 8 +++++---
+ 4 files changed, 61 insertions(+), 36 deletions(-)
+
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -2375,22 +2375,19 @@ static struct kmem_cache *jbd2_journal_h
+ static atomic_t nr_journal_heads = ATOMIC_INIT(0);
+ #endif
+
+-static int jbd2_journal_init_journal_head_cache(void)
++static int __init jbd2_journal_init_journal_head_cache(void)
+ {
+- int retval;
+-
+- J_ASSERT(jbd2_journal_head_cache == NULL);
++ J_ASSERT(!jbd2_journal_head_cache);
+ jbd2_journal_head_cache = kmem_cache_create("jbd2_journal_head",
+ sizeof(struct journal_head),
+ 0, /* offset */
+ SLAB_TEMPORARY | SLAB_TYPESAFE_BY_RCU,
+ NULL); /* ctor */
+- retval = 0;
+ if (!jbd2_journal_head_cache) {
+- retval = -ENOMEM;
+ printk(KERN_EMERG "JBD2: no memory for journal_head cache\n");
++ return -ENOMEM;
+ }
+- return retval;
++ return 0;
+ }
+
+ static void jbd2_journal_destroy_journal_head_cache(void)
+@@ -2636,28 +2633,38 @@ static void __exit jbd2_remove_jbd_stats
+
+ struct kmem_cache *jbd2_handle_cache, *jbd2_inode_cache;
+
++static int __init jbd2_journal_init_inode_cache(void)
++{
++ J_ASSERT(!jbd2_inode_cache);
++ jbd2_inode_cache = KMEM_CACHE(jbd2_inode, 0);
++ if (!jbd2_inode_cache) {
++ pr_emerg("JBD2: failed to create inode cache\n");
++ return -ENOMEM;
++ }
++ return 0;
++}
++
+ static int __init jbd2_journal_init_handle_cache(void)
+ {
++ J_ASSERT(!jbd2_handle_cache);
+ jbd2_handle_cache = KMEM_CACHE(jbd2_journal_handle, SLAB_TEMPORARY);
+- if (jbd2_handle_cache == NULL) {
++ if (!jbd2_handle_cache) {
+ printk(KERN_EMERG "JBD2: failed to create handle cache\n");
+ return -ENOMEM;
+ }
+- jbd2_inode_cache = KMEM_CACHE(jbd2_inode, 0);
+- if (jbd2_inode_cache == NULL) {
+- printk(KERN_EMERG "JBD2: failed to create inode cache\n");
+- kmem_cache_destroy(jbd2_handle_cache);
+- return -ENOMEM;
+- }
+ return 0;
+ }
+
++static void jbd2_journal_destroy_inode_cache(void)
++{
++ kmem_cache_destroy(jbd2_inode_cache);
++ jbd2_inode_cache = NULL;
++}
++
+ static void jbd2_journal_destroy_handle_cache(void)
+ {
+ kmem_cache_destroy(jbd2_handle_cache);
+ jbd2_handle_cache = NULL;
+- kmem_cache_destroy(jbd2_inode_cache);
+- jbd2_inode_cache = NULL;
+ }
+
+ /*
+@@ -2668,21 +2675,27 @@ static int __init journal_init_caches(vo
+ {
+ int ret;
+
+- ret = jbd2_journal_init_revoke_caches();
++ ret = jbd2_journal_init_revoke_record_cache();
++ if (ret == 0)
++ ret = jbd2_journal_init_revoke_table_cache();
+ if (ret == 0)
+ ret = jbd2_journal_init_journal_head_cache();
+ if (ret == 0)
+ ret = jbd2_journal_init_handle_cache();
+ if (ret == 0)
++ ret = jbd2_journal_init_inode_cache();
++ if (ret == 0)
+ ret = jbd2_journal_init_transaction_cache();
+ return ret;
+ }
+
+ static void jbd2_journal_destroy_caches(void)
+ {
+- jbd2_journal_destroy_revoke_caches();
++ jbd2_journal_destroy_revoke_record_cache();
++ jbd2_journal_destroy_revoke_table_cache();
+ jbd2_journal_destroy_journal_head_cache();
+ jbd2_journal_destroy_handle_cache();
++ jbd2_journal_destroy_inode_cache();
+ jbd2_journal_destroy_transaction_cache();
+ jbd2_journal_destroy_slabs();
+ }
+--- a/fs/jbd2/revoke.c
++++ b/fs/jbd2/revoke.c
+@@ -178,33 +178,41 @@ static struct jbd2_revoke_record_s *find
+ return NULL;
+ }
+
+-void jbd2_journal_destroy_revoke_caches(void)
++void jbd2_journal_destroy_revoke_record_cache(void)
+ {
+ kmem_cache_destroy(jbd2_revoke_record_cache);
+ jbd2_revoke_record_cache = NULL;
++}
++
++void jbd2_journal_destroy_revoke_table_cache(void)
++{
+ kmem_cache_destroy(jbd2_revoke_table_cache);
+ jbd2_revoke_table_cache = NULL;
+ }
+
+-int __init jbd2_journal_init_revoke_caches(void)
++int __init jbd2_journal_init_revoke_record_cache(void)
+ {
+ J_ASSERT(!jbd2_revoke_record_cache);
+- J_ASSERT(!jbd2_revoke_table_cache);
+-
+ jbd2_revoke_record_cache = KMEM_CACHE(jbd2_revoke_record_s,
+ SLAB_HWCACHE_ALIGN|SLAB_TEMPORARY);
+- if (!jbd2_revoke_record_cache)
+- goto record_cache_failure;
+
++ if (!jbd2_revoke_record_cache) {
++ pr_emerg("JBD2: failed to create revoke_record cache\n");
++ return -ENOMEM;
++ }
++ return 0;
++}
++
++int __init jbd2_journal_init_revoke_table_cache(void)
++{
++ J_ASSERT(!jbd2_revoke_table_cache);
+ jbd2_revoke_table_cache = KMEM_CACHE(jbd2_revoke_table_s,
+ SLAB_TEMPORARY);
+- if (!jbd2_revoke_table_cache)
+- goto table_cache_failure;
+- return 0;
+-table_cache_failure:
+- jbd2_journal_destroy_revoke_caches();
+-record_cache_failure:
++ if (!jbd2_revoke_table_cache) {
++ pr_emerg("JBD2: failed to create revoke_table cache\n");
+ return -ENOMEM;
++ }
++ return 0;
+ }
+
+ static struct jbd2_revoke_table_s *jbd2_journal_init_revoke_table(int hash_size)
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -42,9 +42,11 @@ int __init jbd2_journal_init_transaction
+ 0,
+ SLAB_HWCACHE_ALIGN|SLAB_TEMPORARY,
+ NULL);
+- if (transaction_cache)
+- return 0;
+- return -ENOMEM;
++ if (!transaction_cache) {
++ pr_emerg("JBD2: failed to create transaction cache\n");
++ return -ENOMEM;
++ }
++ return 0;
+ }
+
+ void jbd2_journal_destroy_transaction_cache(void)
+--- a/include/linux/jbd2.h
++++ b/include/linux/jbd2.h
+@@ -1318,7 +1318,7 @@ extern void __wait_on_journal (journal_
+
+ /* Transaction cache support */
+ extern void jbd2_journal_destroy_transaction_cache(void);
+-extern int jbd2_journal_init_transaction_cache(void);
++extern int __init jbd2_journal_init_transaction_cache(void);
+ extern void jbd2_journal_free_transaction(transaction_t *);
+
+ /*
+@@ -1446,8 +1446,10 @@ static inline void jbd2_free_inode(struc
+ /* Primary revoke support */
+ #define JOURNAL_REVOKE_DEFAULT_HASH 256
+ extern int jbd2_journal_init_revoke(journal_t *, int);
+-extern void jbd2_journal_destroy_revoke_caches(void);
+-extern int jbd2_journal_init_revoke_caches(void);
++extern void jbd2_journal_destroy_revoke_record_cache(void);
++extern void jbd2_journal_destroy_revoke_table_cache(void);
++extern int __init jbd2_journal_init_revoke_record_cache(void);
++extern int __init jbd2_journal_init_revoke_table_cache(void);
+
+ extern void jbd2_journal_destroy_revoke(journal_t *);
+ extern int jbd2_journal_revoke (handle_t *, unsigned long long, struct buffer_head *);
--- /dev/null
+From 4ddc9204572c33f2eb91fbdb1d99d8078388b67d Mon Sep 17 00:00:00 2001
+From: Peter Xu <peterx@redhat.com>
+Date: Wed, 8 May 2019 17:15:45 +0800
+Subject: KVM: Fix the bitmap range to copy during clear dirty
+
+From: Peter Xu <peterx@redhat.com>
+
+commit 4ddc9204572c33f2eb91fbdb1d99d8078388b67d upstream.
+
+kvm_dirty_bitmap_bytes() will return the size of the dirty bitmap of
+the memslot rather than the size of bitmap passed over from the ioctl.
+Here for KVM_CLEAR_DIRTY_LOG we should only copy exactly the size of
+bitmap that covers kvm_clear_dirty_log.num_pages.
+
+Signed-off-by: Peter Xu <peterx@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 2a31b9db153530df4aa02dac8c32837bf5f47019
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/kvm_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1250,7 +1250,7 @@ int kvm_clear_dirty_log_protect(struct k
+ if (!dirty_bitmap)
+ return -ENOENT;
+
+- n = kvm_dirty_bitmap_bytes(memslot);
++ n = ALIGN(log->num_pages, BITS_PER_LONG) / 8;
+
+ if (log->first_page > memslot->npages ||
+ log->num_pages > memslot->npages - log->first_page ||
--- /dev/null
+From ee66e453db13d4837a0dcf9d43efa7a88603161b Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Tue, 16 Apr 2019 13:32:44 -0700
+Subject: KVM: lapic: Busy wait for timer to expire when using hv_timer
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit ee66e453db13d4837a0dcf9d43efa7a88603161b upstream.
+
+...now that VMX's preemption timer, i.e. the hv_timer, also adjusts its
+programmed time based on lapic_timer_advance_ns. Without the delay, a
+guest can see a timer interrupt arrive before the requested time when
+KVM is using the hv_timer to emulate the guest's interrupt.
+
+Fixes: c5ce8235cffa0 ("KVM: VMX: Optimize tscdeadline timer latency")
+Cc: <stable@vger.kernel.org>
+Cc: Wanpeng Li <wanpengli@tencent.com>
+Reviewed-by: Liran Alon <liran.alon@oracle.com>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/lapic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -1454,7 +1454,7 @@ static void apic_timer_expired(struct kv
+ if (swait_active(q))
+ swake_up_one(q);
+
+- if (apic_lvtt_tscdeadline(apic))
++ if (apic_lvtt_tscdeadline(apic) || ktimer->hv_timer_in_use)
+ ktimer->expired_tscdeadline = ktimer->tscdeadline;
+ }
+
--- /dev/null
+From 11988499e62b310f3bf6f6d0a807a06d3f9ccc96 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Tue, 2 Apr 2019 08:19:15 -0700
+Subject: KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 11988499e62b310f3bf6f6d0a807a06d3f9ccc96 upstream.
+
+KVM allows userspace to violate consistency checks related to the
+guest's CPUID model to some degree. Generally speaking, userspace has
+carte blanche when it comes to guest state so long as jamming invalid
+state won't negatively affect the host.
+
+Currently this is seems to be a non-issue as most of the interesting
+EFER checks are missing, e.g. NX and LME, but those will be added
+shortly. Proactively exempt userspace from the CPUID checks so as not
+to break userspace.
+
+Note, the efer_reserved_bits check still applies to userspace writes as
+that mask reflects the host's capabilities, e.g. KVM shouldn't allow a
+guest to run with NX=1 if it has been disabled in the host.
+
+Fixes: d80174745ba39 ("KVM: SVM: Only allow setting of EFER_SVME when CPUID SVM is set")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 37 ++++++++++++++++++++++++-------------
+ 1 file changed, 24 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1262,31 +1262,42 @@ static int do_get_msr_feature(struct kvm
+ return 0;
+ }
+
+-bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
++static bool __kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
+ {
+- if (efer & efer_reserved_bits)
+- return false;
+-
+ if (efer & EFER_FFXSR && !guest_cpuid_has(vcpu, X86_FEATURE_FXSR_OPT))
+- return false;
++ return false;
+
+ if (efer & EFER_SVME && !guest_cpuid_has(vcpu, X86_FEATURE_SVM))
+- return false;
++ return false;
+
+ return true;
++
++}
++bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
++{
++ if (efer & efer_reserved_bits)
++ return false;
++
++ return __kvm_valid_efer(vcpu, efer);
+ }
+ EXPORT_SYMBOL_GPL(kvm_valid_efer);
+
+-static int set_efer(struct kvm_vcpu *vcpu, u64 efer)
++static int set_efer(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ {
+ u64 old_efer = vcpu->arch.efer;
++ u64 efer = msr_info->data;
+
+- if (!kvm_valid_efer(vcpu, efer))
+- return 1;
++ if (efer & efer_reserved_bits)
++ return false;
+
+- if (is_paging(vcpu)
+- && (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME))
+- return 1;
++ if (!msr_info->host_initiated) {
++ if (!__kvm_valid_efer(vcpu, efer))
++ return 1;
++
++ if (is_paging(vcpu) &&
++ (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME))
++ return 1;
++ }
+
+ efer &= ~EFER_LMA;
+ efer |= vcpu->arch.efer & EFER_LMA;
+@@ -2456,7 +2467,7 @@ int kvm_set_msr_common(struct kvm_vcpu *
+ vcpu->arch.arch_capabilities = data;
+ break;
+ case MSR_EFER:
+- return set_efer(vcpu, data);
++ return set_efer(vcpu, msr_info);
+ case MSR_K7_HWCR:
+ data &= ~(u64)0x40; /* ignore flush filter disable */
+ data &= ~(u64)0x100; /* ignore ignne emulation enable */
--- /dev/null
+From 60fce36afa9c77c7ccbf980c4f670f3be3651fce Mon Sep 17 00:00:00 2001
+From: Mel Gorman <mgorman@techsingularity.net>
+Date: Fri, 17 May 2019 14:31:41 -0700
+Subject: mm/compaction.c: correct zone boundary handling when isolating pages from a pageblock
+
+From: Mel Gorman <mgorman@techsingularity.net>
+
+commit 60fce36afa9c77c7ccbf980c4f670f3be3651fce upstream.
+
+syzbot reported the following error from a tree with a head commit of
+baf76f0c58ae ("slip: make slhc_free() silently accept an error pointer")
+
+ BUG: unable to handle kernel paging request at ffffea0003348000
+ #PF error: [normal kernel read fault]
+ PGD 12c3f9067 P4D 12c3f9067 PUD 12c3f8067 PMD 0
+ Oops: 0000 [#1] PREEMPT SMP KASAN
+ CPU: 1 PID: 28916 Comm: syz-executor.2 Not tainted 5.1.0-rc6+ #89
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ RIP: 0010:constant_test_bit arch/x86/include/asm/bitops.h:314 [inline]
+ RIP: 0010:PageCompound include/linux/page-flags.h:186 [inline]
+ RIP: 0010:isolate_freepages_block+0x1c0/0xd40 mm/compaction.c:579
+ Code: 01 d8 ff 4d 85 ed 0f 84 ef 07 00 00 e8 29 00 d8 ff 4c 89 e0 83 85 38 ff
+ ff ff 01 48 c1 e8 03 42 80 3c 38 00 0f 85 31 0a 00 00 <4d> 8b 2c 24 31 ff 49
+ c1 ed 10 41 83 e5 01 44 89 ee e8 3a 01 d8 ff
+ RSP: 0018:ffff88802b31eab8 EFLAGS: 00010246
+ RAX: 1ffffd4000669000 RBX: 00000000000cd200 RCX: ffffc9000a235000
+ RDX: 000000000001ca5e RSI: ffffffff81988cc7 RDI: 0000000000000001
+ RBP: ffff88802b31ebd8 R08: ffff88805af700c0 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000000 R12: ffffea0003348000
+ R13: 0000000000000000 R14: ffff88802b31f030 R15: dffffc0000000000
+ FS: 00007f61648dc700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffffea0003348000 CR3: 0000000037c64000 CR4: 00000000001426e0
+ Call Trace:
+ fast_isolate_around mm/compaction.c:1243 [inline]
+ fast_isolate_freepages mm/compaction.c:1418 [inline]
+ isolate_freepages mm/compaction.c:1438 [inline]
+ compaction_alloc+0x1aee/0x22e0 mm/compaction.c:1550
+
+There is no reproducer and it is difficult to hit -- 1 crash every few
+days. The issue is very similar to the fix in commit 6b0868c820ff
+("mm/compaction.c: correct zone boundary handling when resetting pageblock
+skip hints"). When isolating free pages around a target pageblock, the
+boundary handling is off by one and can stray into the next pageblock.
+Triggering the syzbot error requires that the end of pageblock is section
+or zone aligned, and that the next section is unpopulated.
+
+A more subtle consequence of the bug is that pageblocks were being
+improperly used as migration targets which potentially hurts fragmentation
+avoidance in the long-term one page at a time.
+
+A debugging patch revealed that it's definitely possible to stray outside
+of a pageblock which is not intended. While syzbot cannot be used to
+verify this patch, it was confirmed that the debugging warning no longer
+triggers with this patch applied. It has also been confirmed that the THP
+allocation stress tests are not degraded by this patch.
+
+Link: http://lkml.kernel.org/r/20190510182124.GI18914@techsingularity.net
+Fixes: e332f741a8dd ("mm, compaction: be selective about what pageblocks to clear skip hints")
+Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
+Reported-by: syzbot+d84c80f9fe26a0f7a734@syzkaller.appspotmail.com
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Qian Cai <cai@lca.pw>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org> # v5.1+
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/compaction.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/mm/compaction.c
++++ b/mm/compaction.c
+@@ -1228,7 +1228,7 @@ fast_isolate_around(struct compact_contr
+
+ /* Pageblock boundaries */
+ start_pfn = pageblock_start_pfn(pfn);
+- end_pfn = min(start_pfn + pageblock_nr_pages, zone_end_pfn(cc->zone));
++ end_pfn = min(pageblock_end_pfn(pfn), zone_end_pfn(cc->zone)) - 1;
+
+ /* Scan before */
+ if (start_pfn != pfn) {
+@@ -1239,7 +1239,7 @@ fast_isolate_around(struct compact_contr
+
+ /* Scan after */
+ start_pfn = pfn + nr_isolated;
+- if (start_pfn != end_pfn)
++ if (start_pfn < end_pfn)
+ isolate_freepages_block(cc, &start_pfn, end_pfn, &cc->freepages, 1, false);
+
+ /* Skip this pageblock in the future as it's full or nearly full */
--- /dev/null
+From f93f7ede087f2edcc18e4b02310df5749a6b5a61 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Wed, 8 May 2019 09:08:19 -0700
+Subject: Revert "KVM: nVMX: Expose RDPMC-exiting only when guest supports PMU"
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit f93f7ede087f2edcc18e4b02310df5749a6b5a61 upstream.
+
+The RDPMC-exiting control is dependent on the existence of the RDPMC
+instruction itself, i.e. is not tied to the "Architectural Performance
+Monitoring" feature. For all intents and purposes, the control exists
+on all CPUs with VMX support since RDPMC also exists on all VCPUs with
+VMX supported. Per Intel's SDM:
+
+ The RDPMC instruction was introduced into the IA-32 Architecture in
+ the Pentium Pro processor and the Pentium processor with MMX technology.
+ The earlier Pentium processors have performance-monitoring counters, but
+ they must be read with the RDMSR instruction.
+
+Because RDPMC-exiting always exists, KVM requires the control and refuses
+to load if it's not available. As a result, hiding the PMU from a guest
+breaks nested virtualization if the guest attemts to use KVM.
+
+While it's not explicitly stated in the RDPMC pseudocode, the VM-Exit
+check for RDPMC-exiting follows standard fault vs. VM-Exit prioritization
+for privileged instructions, e.g. occurs after the CPL/CR0.PE/CR4.PCE
+checks, but before the counter referenced in ECX is checked for validity.
+
+In other words, the original KVM behavior of injecting a #GP was correct,
+and the KVM unit test needs to be adjusted accordingly, e.g. eat the #GP
+when the unit test guest (L3 in this case) executes RDPMC without
+RDPMC-exiting set in the unit test host (L2).
+
+This reverts commit e51bfdb68725dc052d16241ace40ea3140f938aa.
+
+Fixes: e51bfdb68725 ("KVM: nVMX: Expose RDPMC-exiting only when guest supports PMU")
+Reported-by: David Hill <hilld@binarystorm.net>
+Cc: Saar Amar <saaramar@microsoft.com>
+Cc: Mihai Carabas <mihai.carabas@oracle.com>
+Cc: Jim Mattson <jmattson@google.com>
+Cc: Liran Alon <liran.alon@oracle.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx/vmx.c | 25 -------------------------
+ 1 file changed, 25 deletions(-)
+
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -6856,30 +6856,6 @@ static void nested_vmx_entry_exit_ctls_u
+ }
+ }
+
+-static bool guest_cpuid_has_pmu(struct kvm_vcpu *vcpu)
+-{
+- struct kvm_cpuid_entry2 *entry;
+- union cpuid10_eax eax;
+-
+- entry = kvm_find_cpuid_entry(vcpu, 0xa, 0);
+- if (!entry)
+- return false;
+-
+- eax.full = entry->eax;
+- return (eax.split.version_id > 0);
+-}
+-
+-static void nested_vmx_procbased_ctls_update(struct kvm_vcpu *vcpu)
+-{
+- struct vcpu_vmx *vmx = to_vmx(vcpu);
+- bool pmu_enabled = guest_cpuid_has_pmu(vcpu);
+-
+- if (pmu_enabled)
+- vmx->nested.msrs.procbased_ctls_high |= CPU_BASED_RDPMC_EXITING;
+- else
+- vmx->nested.msrs.procbased_ctls_high &= ~CPU_BASED_RDPMC_EXITING;
+-}
+-
+ static void update_intel_pt_cfg(struct kvm_vcpu *vcpu)
+ {
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+@@ -6968,7 +6944,6 @@ static void vmx_cpuid_update(struct kvm_
+ if (nested_vmx_allowed(vcpu)) {
+ nested_vmx_cr_fixed1_bits_update(vcpu);
+ nested_vmx_entry_exit_ctls_update(vcpu);
+- nested_vmx_procbased_ctls_update(vcpu);
+ }
+
+ if (boot_cpu_has(X86_FEATURE_INTEL_PT) &&
ipmi-add-the-i2c-addr-property-for-ssif-interfaces.patch
ipmi-ssif-compare-block-number-correctly-for-multi-part-return-messages.patch
arm-dts-imx-fix-the-ar803x-phy-mode.patch
+mm-compaction.c-correct-zone-boundary-handling-when-isolating-pages-from-a-pageblock.patch
+fs-writeback.c-use-rcu_barrier-to-wait-for-inflight-wb-switches-going-into-workqueue-when-umount.patch
+tty-don-t-force-riscv-sbi-console-as-preferred-console.patch
+ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch
+ext4-fix-data-corruption-caused-by-overlapping-unaligned-and-aligned-io.patch
+ext4-fix-use-after-free-in-dx_release.patch
+ext4-avoid-panic-during-forced-reboot-due-to-aborted-journal.patch
+alsa-hda-realtek-corrected-fixup-for-system76-gazelle-gaze14.patch
+alsa-hda-realtek-fixup-headphone-noise-via-runtime-suspend.patch
+alsa-hda-realtek-fix-for-lenovo-b50-70-inverted-internal-microphone-bug.patch
+jbd2-fix-potential-double-free.patch
+revert-kvm-nvmx-expose-rdpmc-exiting-only-when-guest-supports-pmu.patch
+kvm-fix-the-bitmap-range-to-copy-during-clear-dirty.patch
+kvm-x86-skip-efer-vs.-guest-cpuid-checks-for-host-initiated-writes.patch
+kvm-lapic-busy-wait-for-timer-to-expire-when-using-hv_timer.patch
--- /dev/null
+From f91253a3d005796404ae0e578b3394459b5f9b71 Mon Sep 17 00:00:00 2001
+From: Anup Patel <Anup.Patel@wdc.com>
+Date: Thu, 25 Apr 2019 06:35:06 -0700
+Subject: tty: Don't force RISCV SBI console as preferred console
+
+From: Anup Patel <Anup.Patel@wdc.com>
+
+commit f91253a3d005796404ae0e578b3394459b5f9b71 upstream.
+
+The Linux kernel will auto-disables all boot consoles whenever it
+gets a preferred real console.
+
+Currently on RISC-V systems, if we have a real console which is not
+RISCV SBI console then boot consoles (such as earlycon=sbi) are not
+auto-disabled when a real console (ttyS0 or ttySIF0) is available.
+This results in duplicate prints at boot-time after kernel starts
+using real console (i.e. ttyS0 or ttySIF0) if "earlycon=" kernel
+parameter was passed by bootloader.
+
+The reason for above issue is that RISCV SBI console always adds
+itself as preferred console which is causing other real consoles
+to be not used as preferred console.
+
+Ideally "console=" kernel parameter passed by bootloaders should
+be the one selecting a preferred real console.
+
+This patch fixes above issue by not forcing RISCV SBI console as
+preferred console.
+
+Fixes: afa6b1ccfad5 ("tty: New RISC-V SBI console driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Anup Patel <anup.patel@wdc.com>
+Reviewed-by: Atish Patra <atish.patra@wdc.com>
+Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/hvc/hvc_riscv_sbi.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/tty/hvc/hvc_riscv_sbi.c
++++ b/drivers/tty/hvc/hvc_riscv_sbi.c
+@@ -53,7 +53,6 @@ device_initcall(hvc_sbi_init);
+ static int __init hvc_sbi_console_init(void)
+ {
+ hvc_instantiate(0, 0, &hvc_sbi_ops);
+- add_preferred_console("hvc", 0, NULL);
+
+ return 0;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
