5.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 6 May 2019 14:17:35 +0000 (16:17 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 6 May 2019 14:17:35 +0000 (16:17 +0200)
added patches:
clk-x86-add-system-specific-quirk-to-mark-clocks-as-critical.patch
gpio-mxc-add-check-to-return-defer-probe-if-clock-tree-not-ready.patch
i2c-i2c-stm32f7-fix-sdadel-minimum-formula.patch
i2c-of-try-to-find-an-i2c-adapter-matching-the-parent.patch
ib-core-destroy-qp-if-xrc-qp-fails.patch
ib-core-fix-potential-memory-leak-while-creating-mad-agents.patch
ib-core-unregister-notifier-before-freeing-mad-security.patch
input-snvs_pwrkey-initialize-necessary-driver-data-before-enabling-irq.patch
input-stmfts-acknowledge-that-setting-brightness-is-a-blocking-call.patch
mac80211-honor-sw_crypto_control-for-unicast-keys-in-ap-vlan-mode.patch
media-v4l2-i2c-ov7670-fix-pll-bypass-register-values.patch
powerpc-mm-hash-handle-mmap_min_addr-correctly-in-get_unmapped_area-topdown-search.patch
selinux-avoid-silent-denials-in-permissive-mode-under-rcu-walk.patch
selinux-never-allow-relabeling-on-context-mounts.patch
x86-mce-improve-error-message-when-kernel-cannot-recover-p2.patch
x86-mm-fix-a-crash-with-kmemleak_scan.patch
x86-mm-kaslr-fix-the-size-of-the-direct-mapping-section.patch
x86-mm-tlb-revert-x86-mm-align-tlb-invalidation-info.patch

19 files changed:
queue-5.0/clk-x86-add-system-specific-quirk-to-mark-clocks-as-critical.patch [new file with mode: 0644]
queue-5.0/gpio-mxc-add-check-to-return-defer-probe-if-clock-tree-not-ready.patch [new file with mode: 0644]
queue-5.0/i2c-i2c-stm32f7-fix-sdadel-minimum-formula.patch [new file with mode: 0644]
queue-5.0/i2c-of-try-to-find-an-i2c-adapter-matching-the-parent.patch [new file with mode: 0644]
queue-5.0/ib-core-destroy-qp-if-xrc-qp-fails.patch [new file with mode: 0644]
queue-5.0/ib-core-fix-potential-memory-leak-while-creating-mad-agents.patch [new file with mode: 0644]
queue-5.0/ib-core-unregister-notifier-before-freeing-mad-security.patch [new file with mode: 0644]
queue-5.0/input-snvs_pwrkey-initialize-necessary-driver-data-before-enabling-irq.patch [new file with mode: 0644]
queue-5.0/input-stmfts-acknowledge-that-setting-brightness-is-a-blocking-call.patch [new file with mode: 0644]
queue-5.0/mac80211-honor-sw_crypto_control-for-unicast-keys-in-ap-vlan-mode.patch [new file with mode: 0644]
queue-5.0/media-v4l2-i2c-ov7670-fix-pll-bypass-register-values.patch [new file with mode: 0644]
queue-5.0/powerpc-mm-hash-handle-mmap_min_addr-correctly-in-get_unmapped_area-topdown-search.patch [new file with mode: 0644]
queue-5.0/selinux-avoid-silent-denials-in-permissive-mode-under-rcu-walk.patch [new file with mode: 0644]
queue-5.0/selinux-never-allow-relabeling-on-context-mounts.patch [new file with mode: 0644]
queue-5.0/series
queue-5.0/x86-mce-improve-error-message-when-kernel-cannot-recover-p2.patch [new file with mode: 0644]
queue-5.0/x86-mm-fix-a-crash-with-kmemleak_scan.patch [new file with mode: 0644]
queue-5.0/x86-mm-kaslr-fix-the-size-of-the-direct-mapping-section.patch [new file with mode: 0644]
queue-5.0/x86-mm-tlb-revert-x86-mm-align-tlb-invalidation-info.patch [new file with mode: 0644]

diff --git a/queue-5.0/clk-x86-add-system-specific-quirk-to-mark-clocks-as-critical.patch b/queue-5.0/clk-x86-add-system-specific-quirk-to-mark-clocks-as-critical.patch
new file mode 100644 (file)
index 0000000..0b27147
--- /dev/null
@@ -0,0 +1,136 @@
+From 7c2e07130090ae001a97a6b65597830d6815e93e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?David=20M=C3=BCller?= <dave.mueller@gmx.ch>
+Date: Mon, 8 Apr 2019 15:33:54 +0200
+Subject: clk: x86: Add system specific quirk to mark clocks as critical
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Müller <dave.mueller@gmx.ch>
+
+commit 7c2e07130090ae001a97a6b65597830d6815e93e upstream.
+
+Since commit 648e921888ad ("clk: x86: Stop marking clocks as
+CLK_IS_CRITICAL"), the pmc_plt_clocks of the Bay Trail SoC are
+unconditionally gated off. Unfortunately this will break systems where these
+clocks are used for external purposes beyond the kernel's knowledge. Fix it
+by implementing a system specific quirk to mark the necessary pmc_plt_clks as
+critical.
+
+Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL")
+Signed-off-by: David Müller <dave.mueller@gmx.ch>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/x86/clk-pmc-atom.c                 |   14 +++++++++++---
+ drivers/platform/x86/pmc_atom.c                |   21 +++++++++++++++++++++
+ include/linux/platform_data/x86/clk-pmc-atom.h |    3 +++
+ 3 files changed, 35 insertions(+), 3 deletions(-)
+
+--- a/drivers/clk/x86/clk-pmc-atom.c
++++ b/drivers/clk/x86/clk-pmc-atom.c
+@@ -165,7 +165,7 @@ static const struct clk_ops plt_clk_ops
+ };
+ static struct clk_plt *plt_clk_register(struct platform_device *pdev, int id,
+-                                      void __iomem *base,
++                                      const struct pmc_clk_data *pmc_data,
+                                       const char **parent_names,
+                                       int num_parents)
+ {
+@@ -184,9 +184,17 @@ static struct clk_plt *plt_clk_register(
+       init.num_parents = num_parents;
+       pclk->hw.init = &init;
+-      pclk->reg = base + PMC_CLK_CTL_OFFSET + id * PMC_CLK_CTL_SIZE;
++      pclk->reg = pmc_data->base + PMC_CLK_CTL_OFFSET + id * PMC_CLK_CTL_SIZE;
+       spin_lock_init(&pclk->lock);
++      /*
++       * On some systems, the pmc_plt_clocks already enabled by the
++       * firmware are being marked as critical to avoid them being
++       * gated by the clock framework.
++       */
++      if (pmc_data->critical && plt_clk_is_enabled(&pclk->hw))
++              init.flags |= CLK_IS_CRITICAL;
++
+       ret = devm_clk_hw_register(&pdev->dev, &pclk->hw);
+       if (ret) {
+               pclk = ERR_PTR(ret);
+@@ -332,7 +340,7 @@ static int plt_clk_probe(struct platform
+               return PTR_ERR(parent_names);
+       for (i = 0; i < PMC_CLK_NUM; i++) {
+-              data->clks[i] = plt_clk_register(pdev, i, pmc_data->base,
++              data->clks[i] = plt_clk_register(pdev, i, pmc_data,
+                                                parent_names, data->nparents);
+               if (IS_ERR(data->clks[i])) {
+                       err = PTR_ERR(data->clks[i]);
+--- a/drivers/platform/x86/pmc_atom.c
++++ b/drivers/platform/x86/pmc_atom.c
+@@ -17,6 +17,7 @@
+ #include <linux/debugfs.h>
+ #include <linux/device.h>
++#include <linux/dmi.h>
+ #include <linux/init.h>
+ #include <linux/io.h>
+ #include <linux/platform_data/x86/clk-pmc-atom.h>
+@@ -391,11 +392,27 @@ static int pmc_dbgfs_register(struct pmc
+ }
+ #endif /* CONFIG_DEBUG_FS */
++/*
++ * Some systems need one or more of their pmc_plt_clks to be
++ * marked as critical.
++ */
++static const struct dmi_system_id critclk_systems[] __initconst = {
++      {
++              .ident = "MPL CEC1x",
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "MPL AG"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "CEC10 Family"),
++              },
++      },
++      { /*sentinel*/ }
++};
++
+ static int pmc_setup_clks(struct pci_dev *pdev, void __iomem *pmc_regmap,
+                         const struct pmc_data *pmc_data)
+ {
+       struct platform_device *clkdev;
+       struct pmc_clk_data *clk_data;
++      const struct dmi_system_id *d = dmi_first_match(critclk_systems);
+       clk_data = kzalloc(sizeof(*clk_data), GFP_KERNEL);
+       if (!clk_data)
+@@ -403,6 +420,10 @@ static int pmc_setup_clks(struct pci_dev
+       clk_data->base = pmc_regmap; /* offset is added by client */
+       clk_data->clks = pmc_data->clks;
++      if (d) {
++              clk_data->critical = true;
++              pr_info("%s critclks quirk enabled\n", d->ident);
++      }
+       clkdev = platform_device_register_data(&pdev->dev, "clk-pmc-atom",
+                                              PLATFORM_DEVID_NONE,
+--- a/include/linux/platform_data/x86/clk-pmc-atom.h
++++ b/include/linux/platform_data/x86/clk-pmc-atom.h
+@@ -35,10 +35,13 @@ struct pmc_clk {
+  *
+  * @base:     PMC clock register base offset
+  * @clks:     pointer to set of registered clocks, typically 0..5
++ * @critical: flag to indicate if firmware enabled pmc_plt_clks
++ *            should be marked as critial or not
+  */
+ struct pmc_clk_data {
+       void __iomem *base;
+       const struct pmc_clk *clks;
++      bool critical;
+ };
+ #endif /* __PLATFORM_DATA_X86_CLK_PMC_ATOM_H */
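Review bot: `critclk_systems[]` is marked `__initconst`, yet it is read through `dmi_first_match()` in `pmc_setup_clks()`, which the hunk shows without an `__init` annotation. If that function can be reached from a probe path after init memory has been released, the lookup would read discarded data, and the build would normally report a section mismatch. Dropping the annotation avoids both: `static const struct dmi_system_id critclk_systems[] = {`. Separately, the `@critical` kernel-doc line in clk-pmc-atom.h spells the word "critial". The bodies of plt_clk_register() and pmc_setup_clks() continue outside the quoted hunks, so the `__init` status of the callers should be confirmed against the full file.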
diff --git a/queue-5.0/gpio-mxc-add-check-to-return-defer-probe-if-clock-tree-not-ready.patch b/queue-5.0/gpio-mxc-add-check-to-return-defer-probe-if-clock-tree-not-ready.patch
new file mode 100644 (file)
index 0000000..f8f1674
--- /dev/null
@@ -0,0 +1,39 @@
+From a329bbe707cee2cf8c660890ef2ad0d00ec7e8a3 Mon Sep 17 00:00:00 2001
+From: Anson Huang <anson.huang@nxp.com>
+Date: Sat, 23 Feb 2019 03:18:25 +0000
+Subject: gpio: mxc: add check to return defer probe if clock tree NOT ready
+
+From: Anson Huang <anson.huang@nxp.com>
+
+commit a329bbe707cee2cf8c660890ef2ad0d00ec7e8a3 upstream.
+
+On i.MX8MQ platform, clock driver uses platform driver
+model and it is probed after GPIO driver, so when GPIO
+driver fails to get clock, it should check the error type
+to decide whether to return defer probe or just ignore
+the clock operation.
+
+Fixes: 2808801aab8a ("gpio: mxc: add clock operation")
+Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpio-mxc.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-mxc.c
++++ b/drivers/gpio/gpio-mxc.c
+@@ -438,8 +438,11 @@ static int mxc_gpio_probe(struct platfor
+       /* the controller clock is optional */
+       port->clk = devm_clk_get(&pdev->dev, NULL);
+-      if (IS_ERR(port->clk))
++      if (IS_ERR(port->clk)) {
++              if (PTR_ERR(port->clk) == -EPROBE_DEFER)
++                      return -EPROBE_DEFER;
+               port->clk = NULL;
++      }
+       err = clk_prepare_enable(port->clk);
+       if (err) {
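Review bot: Only `-EPROBE_DEFER` is propagated from `devm_clk_get()`; every other error is still collapsed to `port->clk = NULL`, so a real failure such as an allocation error cannot be told apart from a board that has no controller clock. If "optional" is meant to cover only the not-described case, the existing comment could say so, for example `/* the controller clock is optional: any error except probe deferral means "no clock" */`. Alternatively the fallback could be limited to `-ENOENT`. mxc_gpio_probe() starts and ends outside this hunk, so the later cleanup paths are not visible here.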
diff --git a/queue-5.0/i2c-i2c-stm32f7-fix-sdadel-minimum-formula.patch b/queue-5.0/i2c-i2c-stm32f7-fix-sdadel-minimum-formula.patch
new file mode 100644 (file)
index 0000000..6c408be
--- /dev/null
@@ -0,0 +1,33 @@
+From c86da50cfd840edf223a242580913692acddbcf6 Mon Sep 17 00:00:00 2001
+From: Nicolas Le Bayon <nicolas.le.bayon@st.com>
+Date: Wed, 6 Mar 2019 15:12:16 +0000
+Subject: i2c: i2c-stm32f7: Fix SDADEL minimum formula
+
+From: Nicolas Le Bayon <nicolas.le.bayon@st.com>
+
+commit c86da50cfd840edf223a242580913692acddbcf6 upstream.
+
+It conforms with Reference Manual I2C timing section.
+
+Fixes: aeb068c57214 ("i2c: i2c-stm32f7: add driver")
+Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
+Signed-off-by: Bich Hemon <bich.hemon@st.com>
+Reviewed-by: Pierre-Yves MORDRET <pierre-yves.mordret@st.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-stm32f7.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-stm32f7.c
++++ b/drivers/i2c/busses/i2c-stm32f7.c
+@@ -432,7 +432,7 @@ static int stm32f7_i2c_compute_timing(st
+                STM32F7_I2C_ANALOG_FILTER_DELAY_MAX : 0);
+       dnf_delay = setup->dnf * i2cclk;
+-      sdadel_min = setup->fall_time - i2c_specs[setup->speed].hddat_min -
++      sdadel_min = i2c_specs[setup->speed].hddat_min + setup->fall_time -
+               af_delay_min - (setup->dnf + 3) * i2cclk;
+       sdadel_max = i2c_specs[setup->speed].vddat_max - setup->rise_time -
diff --git a/queue-5.0/i2c-of-try-to-find-an-i2c-adapter-matching-the-parent.patch b/queue-5.0/i2c-of-try-to-find-an-i2c-adapter-matching-the-parent.patch
new file mode 100644 (file)
index 0000000..127ac3e
--- /dev/null
@@ -0,0 +1,60 @@
+From e814e688413aabd7b0d75e2a8ed1caa472951dec Mon Sep 17 00:00:00 2001
+From: Thierry Reding <treding@nvidia.com>
+Date: Fri, 25 Jan 2019 14:11:42 +0100
+Subject: i2c: of: Try to find an I2C adapter matching the parent
+
+From: Thierry Reding <treding@nvidia.com>
+
+commit e814e688413aabd7b0d75e2a8ed1caa472951dec upstream.
+
+If an I2C adapter doesn't match the provided device tree node, also try
+matching the parent's device tree node. This allows finding an adapter
+based on the device node of the parent device that was used to register
+it.
+
+This fixes a regression on Tegra124-based Chromebooks (Nyan) where the
+eDP controller registers an I2C adapter that is used to read to EDID.
+After commit 993a815dcbb2 ("dt-bindings: panel: Add missing .txt
+suffix") this stopped working because the I2C adapter could no longer
+be found. The approach in this patch fixes the regression without
+introducing the issues that the above commit solved.
+
+Fixes: 17ab7806de0c ("drm: don't link DP aux i2c adapter to the hardware device node")
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Tested-by: Tristan Bastian <tristan-c.bastian@gmx.de>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/i2c-core-of.c |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/i2c-core-of.c
++++ b/drivers/i2c/i2c-core-of.c
+@@ -132,13 +132,25 @@ static int of_dev_or_parent_node_match(s
+       return 0;
+ }
++static int of_dev_or_parent_node_match(struct device *dev, void *data)
++{
++      if (dev->of_node == data)
++              return 1;
++
++      if (dev->parent)
++              return dev->parent->of_node == data;
++
++      return 0;
++}
++
+ /* must call put_device() when done with returned i2c_client device */
+ struct i2c_client *of_find_i2c_device_by_node(struct device_node *node)
+ {
+       struct device *dev;
+       struct i2c_client *client;
+-      dev = bus_find_device(&i2c_bus_type, NULL, node, of_dev_node_match);
++      dev = bus_find_device(&i2c_bus_type, NULL, node,
++                            of_dev_or_parent_node_match);
+       if (!dev)
+               return NULL;
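Review bot: The inner hunk header `@@ -132,13 +132,25 @@` already names `of_dev_or_parent_node_match` as the enclosing function, and the added lines define a function with that same name directly after it. That suggests the 5.0 tree already carries this helper and the queued patch would introduce a duplicate definition. The call-site change also lands in `of_find_i2c_device_by_node()`, the `i2c_client` lookup, whereas the subject and description are about finding an I2C adapter, so the context appears to have matched the wrong function. Before keeping this file in the queue, check the 5.0 source to see whether upstream commit e814e688413a is already present.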
diff --git a/queue-5.0/ib-core-destroy-qp-if-xrc-qp-fails.patch b/queue-5.0/ib-core-destroy-qp-if-xrc-qp-fails.patch
new file mode 100644 (file)
index 0000000..0bef278
--- /dev/null
@@ -0,0 +1,111 @@
+From 535005ca8e5e71918d64074032f4b9d4fef8981e Mon Sep 17 00:00:00 2001
+From: Yuval Avnery <yuvalav@mellanox.com>
+Date: Tue, 22 Jan 2019 09:02:05 +0200
+Subject: IB/core: Destroy QP if XRC QP fails
+
+From: Yuval Avnery <yuvalav@mellanox.com>
+
+commit 535005ca8e5e71918d64074032f4b9d4fef8981e upstream.
+
+The open-coded variant missed destroy of SELinux created QP, reuse already
+existing ib_detroy_qp() call and use this opportunity to clean
+ib_create_qp() from double prints and unclear exit paths.
+
+Reported-by: Parav Pandit <parav@mellanox.com>
+Fixes: d291f1a65232 ("IB/core: Enforce PKey security on QPs")
+Signed-off-by: Yuval Avnery <yuvalav@mellanox.com>
+Reviewed-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/verbs.c |   41 +++++++++++++++++++++++-----------------
+ 1 file changed, 24 insertions(+), 17 deletions(-)
+
+--- a/drivers/infiniband/core/verbs.c
++++ b/drivers/infiniband/core/verbs.c
+@@ -1106,8 +1106,8 @@ struct ib_qp *ib_open_qp(struct ib_xrcd
+ }
+ EXPORT_SYMBOL(ib_open_qp);
+-static struct ib_qp *ib_create_xrc_qp(struct ib_qp *qp,
+-              struct ib_qp_init_attr *qp_init_attr)
++static struct ib_qp *create_xrc_qp(struct ib_qp *qp,
++                                 struct ib_qp_init_attr *qp_init_attr)
+ {
+       struct ib_qp *real_qp = qp;
+@@ -1122,10 +1122,10 @@ static struct ib_qp *ib_create_xrc_qp(st
+       qp = __ib_open_qp(real_qp, qp_init_attr->event_handler,
+                         qp_init_attr->qp_context);
+-      if (!IS_ERR(qp))
+-              __ib_insert_xrcd_qp(qp_init_attr->xrcd, real_qp);
+-      else
+-              real_qp->device->ops.destroy_qp(real_qp);
++      if (IS_ERR(qp))
++              return qp;
++
++      __ib_insert_xrcd_qp(qp_init_attr->xrcd, real_qp);
+       return qp;
+ }
+@@ -1156,10 +1156,8 @@ struct ib_qp *ib_create_qp(struct ib_pd
+               return qp;
+       ret = ib_create_qp_security(qp, device);
+-      if (ret) {
+-              ib_destroy_qp(qp);
+-              return ERR_PTR(ret);
+-      }
++      if (ret)
++              goto err;
+       qp->real_qp    = qp;
+       qp->qp_type    = qp_init_attr->qp_type;
+@@ -1172,8 +1170,15 @@ struct ib_qp *ib_create_qp(struct ib_pd
+       INIT_LIST_HEAD(&qp->sig_mrs);
+       qp->port = 0;
+-      if (qp_init_attr->qp_type == IB_QPT_XRC_TGT)
+-              return ib_create_xrc_qp(qp, qp_init_attr);
++      if (qp_init_attr->qp_type == IB_QPT_XRC_TGT) {
++              struct ib_qp *xrc_qp = create_xrc_qp(qp, qp_init_attr);
++
++              if (IS_ERR(xrc_qp)) {
++                      ret = PTR_ERR(xrc_qp);
++                      goto err;
++              }
++              return xrc_qp;
++      }
+       qp->event_handler = qp_init_attr->event_handler;
+       qp->qp_context = qp_init_attr->qp_context;
+@@ -1200,11 +1205,8 @@ struct ib_qp *ib_create_qp(struct ib_pd
+       if (qp_init_attr->cap.max_rdma_ctxs) {
+               ret = rdma_rw_init_mrs(qp, qp_init_attr);
+-              if (ret) {
+-                      pr_err("failed to init MR pool ret= %d\n", ret);
+-                      ib_destroy_qp(qp);
+-                      return ERR_PTR(ret);
+-              }
++              if (ret)
++                      goto err;
+       }
+       /*
+@@ -1217,6 +1219,11 @@ struct ib_qp *ib_create_qp(struct ib_pd
+                                device->attrs.max_sge_rd);
+       return qp;
++
++err:
++      ib_destroy_qp(qp);
++      return ERR_PTR(ret);
++
+ }
+ EXPORT_SYMBOL(ib_create_qp);
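Review bot: The new `err:` label in ib_create_qp() is reached from three different stages of initialisation: after `ib_create_qp_security()`, after `create_xrc_qp()`, and after `rdma_rw_init_mrs()`. On the first path `qp->real_qp` and `qp->qp_type` have not yet been assigned by the lines shown, so `ib_destroy_qp()` has to cope with a partially set-up QP. That was already the case before this change, but funnelling everything through one label makes it easy to overlook; a comment at the label would record it, e.g. `/* ib_destroy_qp() must tolerate a qp that is only partly initialised */`. The blank line between `return ERR_PTR(ret);` and the closing brace is also stray. ib_destroy_qp() itself is outside the hunk, so its tolerance for this state should be confirmed there.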
diff --git a/queue-5.0/ib-core-fix-potential-memory-leak-while-creating-mad-agents.patch b/queue-5.0/ib-core-fix-potential-memory-leak-while-creating-mad-agents.patch
new file mode 100644 (file)
index 0000000..f60c7e2
--- /dev/null
@@ -0,0 +1,50 @@
+From 6e88e672b69f0e627acdae74a527b730ea224b6b Mon Sep 17 00:00:00 2001
+From: Daniel Jurgens <danielj@mellanox.com>
+Date: Sat, 2 Feb 2019 11:09:43 +0200
+Subject: IB/core: Fix potential memory leak while creating MAD agents
+
+From: Daniel Jurgens <danielj@mellanox.com>
+
+commit 6e88e672b69f0e627acdae74a527b730ea224b6b upstream.
+
+If the MAD agents isn't allowed to manage the subnet, or fails to register
+for the LSM notifier, the security context is leaked. Free the context in
+these cases.
+
+Fixes: 47a2b338fe63 ("IB/core: Enforce security on management datagrams")
+Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
+Reviewed-by: Parav Pandit <parav@mellanox.com>
+Reported-by: Parav Pandit <parav@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/security.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/core/security.c
++++ b/drivers/infiniband/core/security.c
+@@ -710,16 +710,20 @@ int ib_mad_agent_security_setup(struct i
+                                               dev_name(&agent->device->dev),
+                                               agent->port_num);
+       if (ret)
+-              return ret;
++              goto free_security;
+       agent->lsm_nb.notifier_call = ib_mad_agent_security_change;
+       ret = register_lsm_notifier(&agent->lsm_nb);
+       if (ret)
+-              return ret;
++              goto free_security;
+       agent->smp_allowed = true;
+       agent->lsm_nb_reg = true;
+       return 0;
++
++free_security:
++      security_ib_free_security(agent->security);
++      return ret;
+ }
+ void ib_mad_agent_security_cleanup(struct ib_mad_agent *agent)
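Review bot: The `free_security:` path releases `agent->security` but leaves the pointer in place, while `ib_mad_agent_security_cleanup()` in the same file also calls `security_ib_free_security(agent->security)`. If any caller runs the cleanup routine after a failed setup, the context would be freed twice; whether that happens depends on callers outside this hunk. Clearing the pointer after the free makes the error path safe either way, provided the free hook accepts NULL: `agent->security = NULL;`. The start of ib_mad_agent_security_setup(), including the allocation of the context, is not shown here.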
diff --git a/queue-5.0/ib-core-unregister-notifier-before-freeing-mad-security.patch b/queue-5.0/ib-core-unregister-notifier-before-freeing-mad-security.patch
new file mode 100644 (file)
index 0000000..1dd2fb8
--- /dev/null
@@ -0,0 +1,37 @@
+From d60667fc398ed34b3c7456b020481c55c760e503 Mon Sep 17 00:00:00 2001
+From: Daniel Jurgens <danielj@mellanox.com>
+Date: Sat, 2 Feb 2019 11:09:42 +0200
+Subject: IB/core: Unregister notifier before freeing MAD security
+
+From: Daniel Jurgens <danielj@mellanox.com>
+
+commit d60667fc398ed34b3c7456b020481c55c760e503 upstream.
+
+If the notifier runs after the security context is freed an access of
+freed memory can occur.
+
+Fixes: 47a2b338fe63 ("IB/core: Enforce security on management datagrams")
+Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
+Reviewed-by: Parav Pandit <parav@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/security.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/security.c
++++ b/drivers/infiniband/core/security.c
+@@ -727,9 +727,10 @@ void ib_mad_agent_security_cleanup(struc
+       if (!rdma_protocol_ib(agent->device, agent->port_num))
+               return;
+-      security_ib_free_security(agent->security);
+       if (agent->lsm_nb_reg)
+               unregister_lsm_notifier(&agent->lsm_nb);
++
++      security_ib_free_security(agent->security);
+ }
+ int ib_mad_enforce_security(struct ib_mad_agent_private *map, u16 pkey_index)
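Review bot: The new ordering in ib_mad_agent_security_cleanup() is what prevents the use-after-free, but nothing in the code says so, and the two calls look freely reorderable. A short comment above the unregister call would keep a later cleanup from reversing them, e.g. `/* unregister first: the LSM notifier callback may still touch agent->security */`. This also relies on `unregister_lsm_notifier()` not returning while a callback is in flight, which should be confirmed against the notifier implementation since it is not visible here.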
diff --git a/queue-5.0/input-snvs_pwrkey-initialize-necessary-driver-data-before-enabling-irq.patch b/queue-5.0/input-snvs_pwrkey-initialize-necessary-driver-data-before-enabling-irq.patch
new file mode 100644 (file)
index 0000000..c1cddeb
--- /dev/null
@@ -0,0 +1,46 @@
+From bf2a7ca39fd3ab47ef71c621a7ee69d1813b1f97 Mon Sep 17 00:00:00 2001
+From: Anson Huang <anson.huang@nxp.com>
+Date: Wed, 3 Apr 2019 15:14:44 -0700
+Subject: Input: snvs_pwrkey - initialize necessary driver data before enabling IRQ
+
+From: Anson Huang <anson.huang@nxp.com>
+
+commit bf2a7ca39fd3ab47ef71c621a7ee69d1813b1f97 upstream.
+
+SNVS IRQ is requested before necessary driver data initialized,
+if there is a pending IRQ during driver probe phase, kernel
+NULL pointer panic will occur in IRQ handler. To avoid such
+scenario, just initialize necessary driver data before enabling
+IRQ. This patch is inspired by NXP's internal kernel tree.
+
+Fixes: d3dc6e232215 ("input: keyboard: imx: add snvs power key driver")
+Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/keyboard/snvs_pwrkey.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/input/keyboard/snvs_pwrkey.c
++++ b/drivers/input/keyboard/snvs_pwrkey.c
+@@ -148,6 +148,9 @@ static int imx_snvs_pwrkey_probe(struct
+               return error;
+       }
++      pdata->input = input;
++      platform_set_drvdata(pdev, pdata);
++
+       error = devm_request_irq(&pdev->dev, pdata->irq,
+                              imx_snvs_pwrkey_interrupt,
+                              0, pdev->name, pdev);
+@@ -163,9 +166,6 @@ static int imx_snvs_pwrkey_probe(struct
+               return error;
+       }
+-      pdata->input = input;
+-      platform_set_drvdata(pdev, pdata);
+-
+       device_init_wakeup(&pdev->dev, pdata->wakeup);
+       return 0;
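Review bot: Moving `pdata->input = input;` and `platform_set_drvdata(pdev, pdata);` ahead of `devm_request_irq()` fixes the NULL dereference, but the dependency is implicit. A comment at the new location would document it, e.g. `/* must be set before the IRQ is requested: the handler reads drvdata and pdata->input */`. The second hunk shows another `return error;` block between the IRQ request and the old assignment site. If that block is the input device registration, the handler can still run against an unregistered input device, so check in the full probe function whether that is harmless. imx_snvs_pwrkey_probe() begins and ends outside both hunks.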
diff --git a/queue-5.0/input-stmfts-acknowledge-that-setting-brightness-is-a-blocking-call.patch b/queue-5.0/input-stmfts-acknowledge-that-setting-brightness-is-a-blocking-call.patch
new file mode 100644 (file)
index 0000000..1630020
--- /dev/null
@@ -0,0 +1,76 @@
+From 937c4e552fd1174784045684740edfcea536159d Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Tue, 5 Feb 2019 14:40:40 -0800
+Subject: Input: stmfts - acknowledge that setting brightness is a blocking call
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 937c4e552fd1174784045684740edfcea536159d upstream.
+
+We need to turn regulators on and off when switching brightness, and
+that may block, therefore we have to set stmfts_brightness_set() as
+LED's brightness_set_blocking() method.
+
+Fixes: 78bcac7b2ae1 ("Input: add support for the STMicroelectronics FingerTip touchscreen")
+Acked-by: Andi Shyti <andi@etezian.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/stmfts.c |   30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+--- a/drivers/input/touchscreen/stmfts.c
++++ b/drivers/input/touchscreen/stmfts.c
+@@ -106,27 +106,29 @@ struct stmfts_data {
+       bool running;
+ };
+-static void stmfts_brightness_set(struct led_classdev *led_cdev,
++static int stmfts_brightness_set(struct led_classdev *led_cdev,
+                                       enum led_brightness value)
+ {
+       struct stmfts_data *sdata = container_of(led_cdev,
+                                       struct stmfts_data, led_cdev);
+       int err;
+-      if (value == sdata->led_status || !sdata->ledvdd)
+-              return;
+-
+-      if (!value) {
+-              regulator_disable(sdata->ledvdd);
+-      } else {
+-              err = regulator_enable(sdata->ledvdd);
+-              if (err)
+-                      dev_warn(&sdata->client->dev,
+-                               "failed to disable ledvdd regulator: %d\n",
+-                               err);
++      if (value != sdata->led_status && sdata->ledvdd) {
++              if (!value) {
++                      regulator_disable(sdata->ledvdd);
++              } else {
++                      err = regulator_enable(sdata->ledvdd);
++                      if (err) {
++                              dev_warn(&sdata->client->dev,
++                                       "failed to disable ledvdd regulator: %d\n",
++                                       err);
++                              return err;
++                      }
++              }
++              sdata->led_status = value;
+       }
+-      sdata->led_status = value;
++      return 0;
+ }
+ static enum led_brightness stmfts_brightness_get(struct led_classdev *led_cdev)
+@@ -608,7 +610,7 @@ static int stmfts_enable_led(struct stmf
+       sdata->led_cdev.name = STMFTS_DEV_NAME;
+       sdata->led_cdev.max_brightness = LED_ON;
+       sdata->led_cdev.brightness = LED_OFF;
+-      sdata->led_cdev.brightness_set = stmfts_brightness_set;
++      sdata->led_cdev.brightness_set_blocking = stmfts_brightness_set;
+       sdata->led_cdev.brightness_get = stmfts_brightness_get;
+       err = devm_led_classdev_register(&sdata->client->dev, &sdata->led_cdev);
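Review bot: In the rewritten stmfts_brightness_set(), the warning on the `regulator_enable()` failure path still reads "failed to disable ledvdd regulator", which points anyone reading the log at the wrong operation. Since the lines are being re-indented anyway, the string could be corrected to `"failed to enable ledvdd regulator: %d\n",`. The return value of `regulator_disable()` is also still ignored, even though the function now returns `int` and could report it; `sdata->led_status` is updated regardless of whether the disable succeeded.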
diff --git a/queue-5.0/mac80211-honor-sw_crypto_control-for-unicast-keys-in-ap-vlan-mode.patch b/queue-5.0/mac80211-honor-sw_crypto_control-for-unicast-keys-in-ap-vlan-mode.patch
new file mode 100644 (file)
index 0000000..024dcb8
--- /dev/null
@@ -0,0 +1,59 @@
+From 78ad2341521d5ea96cb936244ed4c4c4ef9ec13b Mon Sep 17 00:00:00 2001
+From: Alexander Wetzel <alexander@wetzel-home.de>
+Date: Sat, 9 Feb 2019 15:01:38 +0100
+Subject: mac80211: Honor SW_CRYPTO_CONTROL for unicast keys in AP VLAN mode
+
+From: Alexander Wetzel <alexander@wetzel-home.de>
+
+commit 78ad2341521d5ea96cb936244ed4c4c4ef9ec13b upstream.
+
+Restore SW_CRYPTO_CONTROL operation on AP_VLAN interfaces for unicast
+keys, the original override was intended to be done for group keys as
+those are treated specially by mac80211 and would always have been
+rejected.
+
+Now the situation is that AP_VLAN support must be enabled by the driver
+if it can support it (meaning it can support software crypto GTK TX).
+
+Thus, also simplify the code - if we get here with AP_VLAN and non-
+pairwise key, software crypto must be used (driver doesn't know about
+the interface) and can be used (driver must've advertised AP_VLAN if
+it also uses SW_CRYPTO_CONTROL).
+
+Fixes: db3bdcb9c3ff ("mac80211: allow AP_VLAN operation on crypto controlled devices")
+Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
+[rewrite commit message]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/key.c |    9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -167,8 +167,10 @@ static int ieee80211_key_enable_hw_accel
+                * The driver doesn't know anything about VLAN interfaces.
+                * Hence, don't send GTKs for VLAN interfaces to the driver.
+                */
+-              if (!(key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE))
++              if (!(key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE)) {
++                      ret = 1;
+                       goto out_unsupported;
++              }
+       }
+       ret = drv_set_key(key->local, SET_KEY, sdata,
+@@ -213,11 +215,8 @@ static int ieee80211_key_enable_hw_accel
+               /* all of these we can do in software - if driver can */
+               if (ret == 1)
+                       return 0;
+-              if (ieee80211_hw_check(&key->local->hw, SW_CRYPTO_CONTROL)) {
+-                      if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
+-                              return 0;
++              if (ieee80211_hw_check(&key->local->hw, SW_CRYPTO_CONTROL))
+                       return -EINVAL;
+-              }
+               return 0;
+       default:
+               return -EINVAL;
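Review bot: The added `ret = 1;` before `goto out_unsupported` relies on a bare magic value whose meaning is only visible in the second hunk (`if (ret == 1) return 0;`). Because this value decides whether a group key on an AP_VLAN interface silently falls back to software crypto or is rejected with `-EINVAL` under SW_CRYPTO_CONTROL, it deserves a comment at the assignment, e.g. `/* 1 = not offloaded, software crypto is permitted for this key */`. It would also help to state in the comment that the driver is expected to have advertised AP_VLAN support, as the commit message says. The hunks do not show where that is enforced. ieee80211_key_enable_hw_accel() starts and ends outside the quoted hunks.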
diff --git a/queue-5.0/media-v4l2-i2c-ov7670-fix-pll-bypass-register-values.patch b/queue-5.0/media-v4l2-i2c-ov7670-fix-pll-bypass-register-values.patch
new file mode 100644 (file)
index 0000000..71277e4
--- /dev/null
@@ -0,0 +1,82 @@
+From 61da76beef1e4f0b6ba7be4f8d0cf0dac7ce1f55 Mon Sep 17 00:00:00 2001
+From: Jacopo Mondi <jacopo+renesas@jmondi.org>
+Date: Fri, 29 Dec 2017 07:22:26 -0500
+Subject: media: v4l2: i2c: ov7670: Fix PLL bypass register values
+
+From: Jacopo Mondi <jacopo+renesas@jmondi.org>
+
+commit 61da76beef1e4f0b6ba7be4f8d0cf0dac7ce1f55 upstream.
+
+The following commits:
+commit f6dd927f34d6 ("[media] media: ov7670: calculate framerate properly for ov7675")
+commit 04ee6d92047e ("[media] media: ov7670: add possibility to bypass pll for ov7675")
+introduced the ability to bypass PLL multiplier and use input clock (xvclk)
+as pixel clock output frequency for ov7675 sensor.
+
+PLL is bypassed using register DBLV[7:6], according to ov7670 and ov7675
+sensor manuals. Macros used to set DBLV register seem wrong in the
+driver, as their values do not match what reported in the datasheet.
+
+Fix by changing DBLV_* macros to use bits [7:6] and set bits [3:0] to
+default 0x0a reserved value (according to datasheets).
+
+While at there, remove a write to DBLV register in
+"ov7675_set_framerate()" that over-writes the previous one to the same
+register that takes "info->pll_bypass" flag into account instead of setting PLL
+multiplier to 4x unconditionally.
+
+And, while at there, since "info->pll_bypass" is only used in
+set/get_framerate() functions used by ov7675 only, it is not necessary
+to check for the device id at probe time to make sure that when using
+ov7670 "info->pll_bypass" is set to false.
+
+Fixes: f6dd927f34d6 ("[media] media: ov7670: calculate framerate properly for ov7675")
+
+Signed-off-by: Jacopo Mondi <jacopo+renesas@jmondi.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/i2c/ov7670.c |   16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+--- a/drivers/media/i2c/ov7670.c
++++ b/drivers/media/i2c/ov7670.c
+@@ -160,10 +160,10 @@ MODULE_PARM_DESC(debug, "Debug level (0-
+ #define REG_GFIX      0x69    /* Fix gain control */
+ #define REG_DBLV      0x6b    /* PLL control an debugging */
+-#define   DBLV_BYPASS   0x00    /* Bypass PLL */
+-#define   DBLV_X4       0x01    /* clock x4 */
+-#define   DBLV_X6       0x10    /* clock x6 */
+-#define   DBLV_X8       0x11    /* clock x8 */
++#define   DBLV_BYPASS   0x0a    /* Bypass PLL */
++#define   DBLV_X4       0x4a    /* clock x4 */
++#define   DBLV_X6       0x8a    /* clock x6 */
++#define   DBLV_X8       0xca    /* clock x8 */
+ #define REG_SCALING_XSC       0x70    /* Test pattern and horizontal scale factor */
+ #define   TEST_PATTTERN_0 0x80
+@@ -863,7 +863,7 @@ static int ov7675_set_framerate(struct v
+       if (ret < 0)
+               return ret;
+-      return ov7670_write(sd, REG_DBLV, DBLV_X4);
++      return 0;
+ }
+ static void ov7670_get_framerate_legacy(struct v4l2_subdev *sd,
+@@ -1801,11 +1801,7 @@ static int ov7670_probe(struct i2c_clien
+               if (config->clock_speed)
+                       info->clock_speed = config->clock_speed;
+-              /*
+-               * It should be allowed for ov7670 too when it is migrated to
+-               * the new frame rate formula.
+-               */
+-              if (config->pll_bypass && id->driver_data != MODEL_OV7670)
++              if (config->pll_bypass)
+                       info->pll_bypass = true;
+               if (config->pclk_hb_disable)
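Review bot: The four new `DBLV_*` values in the first ov7670.c hunk repeat the reserved low nibble `0x0a` as a bare literal, so the split the commit message describes (PLL field in bits [7:6], reserved default in bits [3:0]) is not visible in the code. A comment above the group, such as `/* DBLV[7:6] selects the PLL multiplier; DBLV[3:0] keep the reserved default 0x0a */`, would keep a later edit from losing the reserved bits. In the probe hunk the `id->driver_data != MODEL_OV7670` test is removed, so `info->pll_bypass` can now be set for an ov7670 as well. The commit message says only the ov7675 framerate functions read it, which cannot be confirmed from these hunks; ov7670_probe continues outside the hunk.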
diff --git a/queue-5.0/powerpc-mm-hash-handle-mmap_min_addr-correctly-in-get_unmapped_area-topdown-search.patch b/queue-5.0/powerpc-mm-hash-handle-mmap_min_addr-correctly-in-get_unmapped_area-topdown-search.patch
new file mode 100644 (file)
index 0000000..b3ad310
--- /dev/null
@@ -0,0 +1,70 @@
+From 3b4d07d2674f6b4a9281031f99d1f7efd325b16d Mon Sep 17 00:00:00 2001
+From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
+Date: Tue, 26 Feb 2019 10:09:35 +0530
+Subject: powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area topdown search
+
+From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+
+commit 3b4d07d2674f6b4a9281031f99d1f7efd325b16d upstream.
+
+When doing top-down search the low_limit is not PAGE_SIZE but rather
+max(PAGE_SIZE, mmap_min_addr). This handle cases in which mmap_min_addr >
+PAGE_SIZE.
+
+Fixes: fba2369e6ceb ("mm: use vm_unmapped_area() on powerpc architecture")
+Reviewed-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
+Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/slice.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/arch/powerpc/mm/slice.c
++++ b/arch/powerpc/mm/slice.c
+@@ -32,6 +32,7 @@
+ #include <linux/export.h>
+ #include <linux/hugetlb.h>
+ #include <linux/sched/mm.h>
++#include <linux/security.h>
+ #include <asm/mman.h>
+ #include <asm/mmu.h>
+ #include <asm/copro.h>
+@@ -377,6 +378,7 @@ static unsigned long slice_find_area_top
+       int pshift = max_t(int, mmu_psize_defs[psize].shift, PAGE_SHIFT);
+       unsigned long addr, found, prev;
+       struct vm_unmapped_area_info info;
++      unsigned long min_addr = max(PAGE_SIZE, mmap_min_addr);
+       info.flags = VM_UNMAPPED_AREA_TOPDOWN;
+       info.length = len;
+@@ -393,7 +395,7 @@ static unsigned long slice_find_area_top
+       if (high_limit > DEFAULT_MAP_WINDOW)
+               addr += mm->context.slb_addr_limit - DEFAULT_MAP_WINDOW;
+-      while (addr > PAGE_SIZE) {
++      while (addr > min_addr) {
+               info.high_limit = addr;
+               if (!slice_scan_available(addr - 1, available, 0, &addr))
+                       continue;
+@@ -405,8 +407,8 @@ static unsigned long slice_find_area_top
+                * Check if we need to reduce the range, or if we can
+                * extend it to cover the previous available slice.
+                */
+-              if (addr < PAGE_SIZE)
+-                      addr = PAGE_SIZE;
++              if (addr < min_addr)
++                      addr = min_addr;
+               else if (slice_scan_available(addr - 1, available, 0, &prev)) {
+                       addr = prev;
+                       goto prev_slice;
+@@ -528,7 +530,7 @@ unsigned long slice_get_unmapped_area(un
+               addr = _ALIGN_UP(addr, page_size);
+               slice_dbg(" aligned addr=%lx\n", addr);
+               /* Ignore hint if it's too large or overlaps a VMA */
+-              if (addr > high_limit - len ||
++              if (addr > high_limit - len || addr < mmap_min_addr ||
+                   !slice_area_is_free(mm, addr, len))
+                       addr = 0;
+       }
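Review bot: The hint check in the slice_get_unmapped_area hunk compares against the raw `mmap_min_addr`, while slice_find_area_topdown uses `min_addr = max(PAGE_SIZE, mmap_min_addr)`, and nothing in the code says the difference is intended. Since `mmap_min_addr` is the floor below which mappings must not be handed out, a short comment at the declaration, for example `/* lowest address the search may return: never page 0, never below mmap_min_addr */`, would document why both terms are needed. Only the top-down search is changed in the visible hunks; whether the bottom-up search already applies the same floor cannot be seen here and is worth checking. Both functions continue outside their hunks.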
diff --git a/queue-5.0/selinux-avoid-silent-denials-in-permissive-mode-under-rcu-walk.patch b/queue-5.0/selinux-avoid-silent-denials-in-permissive-mode-under-rcu-walk.patch
new file mode 100644 (file)
index 0000000..380cee4
--- /dev/null
@@ -0,0 +1,104 @@
+From 3a28cff3bd4bf43f02be0c4e7933aebf3dc8197e Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds@tycho.nsa.gov>
+Date: Wed, 12 Dec 2018 10:10:55 -0500
+Subject: selinux: avoid silent denials in permissive mode under RCU walk
+
+From: Stephen Smalley <sds@tycho.nsa.gov>
+
+commit 3a28cff3bd4bf43f02be0c4e7933aebf3dc8197e upstream.
+
+commit 0dc1ba24f7fff6 ("SELINUX: Make selinux cache VFS RCU walks safe")
+results in no audit messages at all if in permissive mode because the
+cache is updated during the rcu walk and thus no denial occurs on
+the subsequent ref walk.  Fix this by not updating the cache when
+performing a non-blocking permission check.  This only affects search
+and symlink read checks during rcu walk.
+
+Fixes: 0dc1ba24f7fff6 ("SELINUX: Make selinux cache VFS RCU walks safe")
+Reported-by: BMK <bmktuwien@gmail.com>
+Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/avc.c         |   23 +++++++++++++++++++++--
+ security/selinux/hooks.c       |    4 +++-
+ security/selinux/include/avc.h |    1 +
+ 3 files changed, 25 insertions(+), 3 deletions(-)
+
+--- a/security/selinux/avc.c
++++ b/security/selinux/avc.c
+@@ -838,6 +838,7 @@ out:
+  * @ssid,@tsid,@tclass : identifier of an AVC entry
+  * @seqno : sequence number when decision was made
+  * @xpd: extended_perms_decision to be added to the node
++ * @flags: the AVC_* flags, e.g. AVC_NONBLOCKING, AVC_EXTENDED_PERMS, or 0.
+  *
+  * if a valid AVC entry doesn't exist,this function returns -ENOENT.
+  * if kmalloc() called internal returns NULL, this function returns -ENOMEM.
+@@ -856,6 +857,23 @@ static int avc_update_node(struct selinu
+       struct hlist_head *head;
+       spinlock_t *lock;
++      /*
++       * If we are in a non-blocking code path, e.g. VFS RCU walk,
++       * then we must not add permissions to a cache entry
++       * because we cannot safely audit the denial.  Otherwise,
++       * during the subsequent blocking retry (e.g. VFS ref walk), we
++       * will find the permissions already granted in the cache entry
++       * and won't audit anything at all, leading to silent denials in
++       * permissive mode that only appear when in enforcing mode.
++       *
++       * See the corresponding handling in slow_avc_audit(), and the
++       * logic in selinux_inode_follow_link and selinux_inode_permission
++       * for the VFS MAY_NOT_BLOCK flag, which is transliterated into
++       * AVC_NONBLOCKING for avc_has_perm_noaudit().
++       */
++      if (flags & AVC_NONBLOCKING)
++              return 0;
++
+       node = avc_alloc_node(avc);
+       if (!node) {
+               rc = -ENOMEM;
+@@ -1115,7 +1133,7 @@ decision:
+  * @tsid: target security identifier
+  * @tclass: target security class
+  * @requested: requested permissions, interpreted based on @tclass
+- * @flags:  AVC_STRICT or 0
++ * @flags:  AVC_STRICT, AVC_NONBLOCKING, or 0
+  * @avd: access vector decisions
+  *
+  * Check the AVC to determine whether the @requested permissions are granted
+@@ -1199,7 +1217,8 @@ int avc_has_perm_flags(struct selinux_st
+       struct av_decision avd;
+       int rc, rc2;
+-      rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested, 0,
++      rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested,
++                                (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
+                                 &avd);
+       rc2 = avc_audit(state, ssid, tsid, tclass, requested, &avd, rc,
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -2985,7 +2985,9 @@ static int selinux_inode_permission(stru
+               return PTR_ERR(isec);
+       rc = avc_has_perm_noaudit(&selinux_state,
+-                                sid, isec->sid, isec->sclass, perms, 0, &avd);
++                                sid, isec->sid, isec->sclass, perms,
++                                (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
++                                &avd);
+       audited = avc_audit_required(perms, &avd, rc,
+                                    from_access ? FILE__AUDIT_ACCESS : 0,
+                                    &denied);
+--- a/security/selinux/include/avc.h
++++ b/security/selinux/include/avc.h
+@@ -142,6 +142,7 @@ static inline int avc_audit(struct selin
+ #define AVC_STRICT 1 /* Ignore permissive mode. */
+ #define AVC_EXTENDED_PERMS 2  /* update extended permissions */
++#define AVC_NONBLOCKING    4  /* non blocking */
+ int avc_has_perm_noaudit(struct selinux_state *state,
+                        u32 ssid, u32 tsid,
+                        u16 tclass, u32 requested,
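Review bot: The kernel-doc of avc_update_node gains the `@flags` line, but the visible part of its return description still mentions only -ENOENT and -ENOMEM, while the new early `return 0` for `AVC_NONBLOCKING` reports success without touching the cache entry. I would add a line such as ` * if AVC_NONBLOCKING is set in @flags, the cache is left unchanged and 0 is returned.` so that a caller does not read 0 as "the permissions were added". In avc.h the comment `/* non blocking */` only restates the name; `/* caller cannot block or audit: do not update the cache */` says what the flag changes. The name `flags` also carries VFS `MAY_*` bits in avc_has_perm_flags and selinux_inode_permission but `AVC_*` bits in avc_update_node, which deserves a word in the respective kernel-doc; the function bodies continue outside the hunks.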
diff --git a/queue-5.0/selinux-never-allow-relabeling-on-context-mounts.patch b/queue-5.0/selinux-never-allow-relabeling-on-context-mounts.patch
new file mode 100644 (file)
index 0000000..5fc35a6
--- /dev/null
@@ -0,0 +1,85 @@
+From a83d6ddaebe541570291205cb538e35ad4ff94f9 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Fri, 21 Dec 2018 21:18:52 +0100
+Subject: selinux: never allow relabeling on context mounts
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+commit a83d6ddaebe541570291205cb538e35ad4ff94f9 upstream.
+
+In the SECURITY_FS_USE_MNTPOINT case we never want to allow relabeling
+files/directories, so we should never set the SBLABEL_MNT flag. The
+'special handling' in selinux_is_sblabel_mnt() is only intended for when
+the behavior is set to SECURITY_FS_USE_GENFS.
+
+While there, make the logic in selinux_is_sblabel_mnt() more explicit
+and add a BUILD_BUG_ON() to make sure that introducing a new
+SECURITY_FS_USE_* forces a review of the logic.
+
+Fixes: d5f3a5f6e7e7 ("selinux: add security in-core xattr support for pstore and debugfs")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/hooks.c |   40 +++++++++++++++++++++++++++++++---------
+ 1 file changed, 31 insertions(+), 9 deletions(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -534,16 +534,10 @@ static int may_context_mount_inode_relab
+       return rc;
+ }
+-static int selinux_is_sblabel_mnt(struct super_block *sb)
++static int selinux_is_genfs_special_handling(struct super_block *sb)
+ {
+-      struct superblock_security_struct *sbsec = sb->s_security;
+-
+-      return sbsec->behavior == SECURITY_FS_USE_XATTR ||
+-              sbsec->behavior == SECURITY_FS_USE_TRANS ||
+-              sbsec->behavior == SECURITY_FS_USE_TASK ||
+-              sbsec->behavior == SECURITY_FS_USE_NATIVE ||
+-              /* Special handling. Genfs but also in-core setxattr handler */
+-              !strcmp(sb->s_type->name, "sysfs") ||
++      /* Special handling. Genfs but also in-core setxattr handler */
++      return  !strcmp(sb->s_type->name, "sysfs") ||
+               !strcmp(sb->s_type->name, "pstore") ||
+               !strcmp(sb->s_type->name, "debugfs") ||
+               !strcmp(sb->s_type->name, "tracefs") ||
+@@ -553,6 +547,34 @@ static int selinux_is_sblabel_mnt(struct
+                 !strcmp(sb->s_type->name, "cgroup2")));
+ }
++static int selinux_is_sblabel_mnt(struct super_block *sb)
++{
++      struct superblock_security_struct *sbsec = sb->s_security;
++
++      /*
++       * IMPORTANT: Double-check logic in this function when adding a new
++       * SECURITY_FS_USE_* definition!
++       */
++      BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
++
++      switch (sbsec->behavior) {
++      case SECURITY_FS_USE_XATTR:
++      case SECURITY_FS_USE_TRANS:
++      case SECURITY_FS_USE_TASK:
++      case SECURITY_FS_USE_NATIVE:
++              return 1;
++
++      case SECURITY_FS_USE_GENFS:
++              return selinux_is_genfs_special_handling(sb);
++
++      /* Never allow relabeling on context mounts */
++      case SECURITY_FS_USE_MNTPOINT:
++      case SECURITY_FS_USE_NONE:
++      default:
++              return 0;
++      }
++}
++
+ static int sb_finish_set_opts(struct super_block *sb)
+ {
+       struct superblock_security_struct *sbsec = sb->s_security;
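Review bot: selinux_is_genfs_special_handling() gives a meaningful answer only when the superblock's behavior is SECURITY_FS_USE_GENFS, but nothing at its definition says so, and calling it directly for a context mount would bring back the relabeling this patch removes. I would extend its comment to `/* Special handling. Genfs but also in-core setxattr handler; call only for SECURITY_FS_USE_GENFS */`. The literal in `BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7)` could carry a short remark pointing at the list of SECURITY_FS_USE_* values, so whoever trips the assertion knows what to compare the switch against. The `return  !strcmp(` line also has a double space after `return`.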
index a16722b5d01713eeb44b258a1a74dad1fc4a0c3f..3a43f0d6cea9aa36cba544e09b75814ac0a89025 100644 (file)
@@ -103,3 +103,21 @@ kvm-vmx-fix-typos-in-vmentry-vmexit-control-setting.patch
 kvm-lapic-check-for-in-kernel-lapic-before-deferencing-apic-pointer.patch
 platform-x86-intel_pmc_core-fix-pch-ip-name.patch
 platform-x86-intel_pmc_core-handle-cfl-regmap-properly.patch
+ib-core-unregister-notifier-before-freeing-mad-security.patch
+ib-core-fix-potential-memory-leak-while-creating-mad-agents.patch
+ib-core-destroy-qp-if-xrc-qp-fails.patch
+input-snvs_pwrkey-initialize-necessary-driver-data-before-enabling-irq.patch
+input-stmfts-acknowledge-that-setting-brightness-is-a-blocking-call.patch
+gpio-mxc-add-check-to-return-defer-probe-if-clock-tree-not-ready.patch
+selinux-avoid-silent-denials-in-permissive-mode-under-rcu-walk.patch
+selinux-never-allow-relabeling-on-context-mounts.patch
+mac80211-honor-sw_crypto_control-for-unicast-keys-in-ap-vlan-mode.patch
+powerpc-mm-hash-handle-mmap_min_addr-correctly-in-get_unmapped_area-topdown-search.patch
+x86-mce-improve-error-message-when-kernel-cannot-recover-p2.patch
+clk-x86-add-system-specific-quirk-to-mark-clocks-as-critical.patch
+x86-mm-kaslr-fix-the-size-of-the-direct-mapping-section.patch
+x86-mm-fix-a-crash-with-kmemleak_scan.patch
+x86-mm-tlb-revert-x86-mm-align-tlb-invalidation-info.patch
+i2c-i2c-stm32f7-fix-sdadel-minimum-formula.patch
+media-v4l2-i2c-ov7670-fix-pll-bypass-register-values.patch
+i2c-of-try-to-find-an-i2c-adapter-matching-the-parent.patch
diff --git a/queue-5.0/x86-mce-improve-error-message-when-kernel-cannot-recover-p2.patch b/queue-5.0/x86-mce-improve-error-message-when-kernel-cannot-recover-p2.patch
new file mode 100644 (file)
index 0000000..931e00c
--- /dev/null
@@ -0,0 +1,50 @@
+From 41f035a86b5b72a4f947c38e94239d20d595352a Mon Sep 17 00:00:00 2001
+From: Tony Luck <tony.luck@intel.com>
+Date: Mon, 25 Feb 2019 12:59:40 -0800
+Subject: x86/mce: Improve error message when kernel cannot recover, p2
+
+From: Tony Luck <tony.luck@intel.com>
+
+commit 41f035a86b5b72a4f947c38e94239d20d595352a upstream.
+
+In
+
+  c7d606f560e4 ("x86/mce: Improve error message when kernel cannot recover")
+
+a case was added for a machine check caused by a DATA access to poison
+memory from the kernel. A case should have been added also for an
+uncorrectable error during an instruction fetch in the kernel.
+
+Add that extra case so the error message now reads:
+
+  mce: [Hardware Error]: Machine check: Instruction fetch error in kernel
+
+Fixes: c7d606f560e4 ("x86/mce: Improve error message when kernel cannot recover")
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Pu Wen <puwen@hygon.cn>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20190225205940.15226-1-tony.luck@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/mce/severity.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/kernel/cpu/mce/severity.c
++++ b/arch/x86/kernel/cpu/mce/severity.c
+@@ -165,6 +165,11 @@ static struct severity {
+               SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR|MCI_ADDR|MCACOD, MCI_UC_SAR|MCI_ADDR|MCACOD_DATA),
+               KERNEL
+               ),
++      MCESEV(
++              PANIC, "Instruction fetch error in kernel",
++              SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR|MCI_ADDR|MCACOD, MCI_UC_SAR|MCI_ADDR|MCACOD_INSTR),
++              KERNEL
++              ),
+ #endif
+       MCESEV(
+               PANIC, "Action required: unknown MCACOD",
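Review bot: The new `MCESEV(PANIC, "Instruction fetch error in kernel", ...)` entry is placed directly before the `#endif`, so it is compiled only under whatever condition opens that block, which lies outside the hunk. If that condition can be false, an instruction fetch error in the kernel would presumably still end at the generic `Action required: unknown MCACOD` entry that follows, and the improved message would be missing in those builds. It is worth confirming that the guard is meant to cover this entry; a one-line comment on the entry stating the dependency would settle it.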
diff --git a/queue-5.0/x86-mm-fix-a-crash-with-kmemleak_scan.patch b/queue-5.0/x86-mm-fix-a-crash-with-kmemleak_scan.patch
new file mode 100644 (file)
index 0000000..1c2c456
--- /dev/null
@@ -0,0 +1,82 @@
+From 0d02113b31b2017dd349ec9df2314e798a90fa6e Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Tue, 23 Apr 2019 12:58:11 -0400
+Subject: x86/mm: Fix a crash with kmemleak_scan()
+
+From: Qian Cai <cai@lca.pw>
+
+commit 0d02113b31b2017dd349ec9df2314e798a90fa6e upstream.
+
+The first kmemleak_scan() call after boot would trigger the crash below
+because this callpath:
+
+  kernel_init
+    free_initmem
+      mem_encrypt_free_decrypted_mem
+        free_init_pages
+
+unmaps memory inside the .bss when DEBUG_PAGEALLOC=y.
+
+kmemleak_init() will register the .data/.bss sections and then
+kmemleak_scan() will scan those addresses and dereference them looking
+for pointer references. If free_init_pages() frees and unmaps pages in
+those sections, kmemleak_scan() will crash if referencing one of those
+addresses:
+
+  BUG: unable to handle kernel paging request at ffffffffbd402000
+  CPU: 12 PID: 325 Comm: kmemleak Not tainted 5.1.0-rc4+ #4
+  RIP: 0010:scan_block
+  Call Trace:
+   scan_gray_list
+   kmemleak_scan
+   kmemleak_scan_thread
+   kthread
+   ret_from_fork
+
+Since kmemleak_free_part() is tolerant to unknown objects (not tracked
+by kmemleak), it is fine to call it from free_init_pages() even if not
+all address ranges passed to this function are known to kmemleak.
+
+ [ bp: Massage. ]
+
+Fixes: b3f0907c71e0 ("x86/mm: Add .bss..decrypted section to hold shared variables")
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Brijesh Singh <brijesh.singh@amd.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20190423165811.36699-1-cai@lca.pw
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/init.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/x86/mm/init.c
++++ b/arch/x86/mm/init.c
+@@ -5,6 +5,7 @@
+ #include <linux/memblock.h>
+ #include <linux/swapfile.h>
+ #include <linux/swapops.h>
++#include <linux/kmemleak.h>
+ #include <asm/set_memory.h>
+ #include <asm/e820/api.h>
+@@ -766,6 +767,11 @@ void free_init_pages(const char *what, u
+       if (debug_pagealloc_enabled()) {
+               pr_info("debug: unmapping init [mem %#010lx-%#010lx]\n",
+                       begin, end - 1);
++              /*
++               * Inform kmemleak about the hole in the memory since the
++               * corresponding pages will be unmapped.
++               */
++              kmemleak_free_part((void *)begin, end - begin);
+               set_memory_np(begin, (end - begin) >> PAGE_SHIFT);
+       } else {
+               /*
diff --git a/queue-5.0/x86-mm-kaslr-fix-the-size-of-the-direct-mapping-section.patch b/queue-5.0/x86-mm-kaslr-fix-the-size-of-the-direct-mapping-section.patch
new file mode 100644 (file)
index 0000000..21efa22
--- /dev/null
@@ -0,0 +1,88 @@
+From ec3937107ab43f3e8b2bc9dad95710043c462ff7 Mon Sep 17 00:00:00 2001
+From: Baoquan He <bhe@redhat.com>
+Date: Thu, 4 Apr 2019 10:03:13 +0800
+Subject: x86/mm/KASLR: Fix the size of the direct mapping section
+
+From: Baoquan He <bhe@redhat.com>
+
+commit ec3937107ab43f3e8b2bc9dad95710043c462ff7 upstream.
+
+kernel_randomize_memory() uses __PHYSICAL_MASK_SHIFT to calculate
+the maximum amount of system RAM supported. The size of the direct
+mapping section is obtained from the smaller one of the below two
+values:
+
+  (actual system RAM size + padding size) vs (max system RAM size supported)
+
+This calculation is wrong since commit
+
+  b83ce5ee9147 ("x86/mm/64: Make __PHYSICAL_MASK_SHIFT always 52").
+
+In it, __PHYSICAL_MASK_SHIFT was changed to be 52, regardless of whether
+the kernel is using 4-level or 5-level page tables. Thus, it will always
+use 4 PB as the maximum amount of system RAM, even in 4-level paging
+mode where it should actually be 64 TB.
+
+Thus, the size of the direct mapping section will always
+be the sum of the actual system RAM size plus the padding size.
+
+Even when the amount of system RAM is 64 TB, the following layout will
+still be used. Obviously KALSR will be weakened significantly.
+
+   |____|_______actual RAM_______|_padding_|______the rest_______|
+   0            64TB                                            ~120TB
+
+Instead, it should be like this:
+
+   |____|_______actual RAM_______|_________the rest______________|
+   0            64TB                                            ~120TB
+
+The size of padding region is controlled by
+CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING, which is 10 TB by default.
+
+The above issue only exists when
+CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING is set to a non-zero value,
+which is the case when CONFIG_MEMORY_HOTPLUG is enabled. Otherwise,
+using __PHYSICAL_MASK_SHIFT doesn't affect KASLR.
+
+Fix it by replacing __PHYSICAL_MASK_SHIFT with MAX_PHYSMEM_BITS.
+
+ [ bp: Massage commit message. ]
+
+Fixes: b83ce5ee9147 ("x86/mm/64: Make __PHYSICAL_MASK_SHIFT always 52")
+Signed-off-by: Baoquan He <bhe@redhat.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Thomas Garnier <thgarnie@google.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: frank.ramsay@hpe.com
+Cc: herbert@gondor.apana.org.au
+Cc: kirill@shutemov.name
+Cc: mike.travis@hpe.com
+Cc: thgarnie@google.com
+Cc: x86-ml <x86@kernel.org>
+Cc: yamada.masahiro@socionext.com
+Link: https://lkml.kernel.org/r/20190417083536.GE7065@MiWiFi-R3L-srv
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/kaslr.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/mm/kaslr.c
++++ b/arch/x86/mm/kaslr.c
+@@ -94,7 +94,7 @@ void __init kernel_randomize_memory(void
+       if (!kaslr_memory_enabled())
+               return;
+-      kaslr_regions[0].size_tb = 1 << (__PHYSICAL_MASK_SHIFT - TB_SHIFT);
++      kaslr_regions[0].size_tb = 1 << (MAX_PHYSMEM_BITS - TB_SHIFT);
+       kaslr_regions[1].size_tb = VMALLOC_SIZE_TB;
+       /*
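Review bot: The changed line shifts the int literal `1`, so the value is computed as an int before it is stored in `size_tb`. With the sizes named in the commit message (64 TB and 4 PB, shifts of 6 and 12 if TB_SHIFT is 40) this is safe, but `kaslr_regions[0].size_tb = 1UL << (MAX_PHYSMEM_BITS - TB_SHIFT);` does not depend on that; the type of `size_tb` is not visible in the hunk. A comment such as `/* MAX_PHYSMEM_BITS follows the paging mode; __PHYSICAL_MASK_SHIFT is always 52 */` would record why this macro is used, since the commit message shows the wrong choice silently weakens the randomization. kernel_randomize_memory continues outside the hunk.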
diff --git a/queue-5.0/x86-mm-tlb-revert-x86-mm-align-tlb-invalidation-info.patch b/queue-5.0/x86-mm-tlb-revert-x86-mm-align-tlb-invalidation-info.patch
new file mode 100644 (file)
index 0000000..1d6b76f
--- /dev/null
@@ -0,0 +1,49 @@
+From 780e0106d468a2962b16b52fdf42898f2639e0a0 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Tue, 16 Apr 2019 10:03:35 +0200
+Subject: x86/mm/tlb: Revert "x86/mm: Align TLB invalidation info"
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 780e0106d468a2962b16b52fdf42898f2639e0a0 upstream.
+
+Revert the following commit:
+
+  515ab7c41306: ("x86/mm: Align TLB invalidation info")
+
+I found out (the hard way) that under some .config options (notably L1_CACHE_SHIFT=7)
+and compiler combinations this on-stack alignment leads to a 320 byte
+stack usage, which then triggers a KASAN stack warning elsewhere.
+
+Using 320 bytes of stack space for a 40 byte structure is ludicrous and
+clearly not right.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Nadav Amit <namit@vmware.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 515ab7c41306 ("x86/mm: Align TLB invalidation info")
+Link: http://lkml.kernel.org/r/20190416080335.GM7905@worktop.programming.kicks-ass.net
+[ Minor changelog edits. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/tlb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/mm/tlb.c
++++ b/arch/x86/mm/tlb.c
+@@ -731,7 +731,7 @@ void flush_tlb_mm_range(struct mm_struct
+ {
+       int cpu;
+-      struct flush_tlb_info info __aligned(SMP_CACHE_BYTES) = {
++      struct flush_tlb_info info = {
+               .mm = mm,
+               .stride_shift = stride_shift,
+               .freed_tables = freed_tables,