--- /dev/null
+From 9ea61cac0b1ad0c09022f39fd97e9b99a2cfc2dc Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Thu, 17 Nov 2016 11:24:20 -0800
+Subject: dm bufio: avoid sleeping while holding the dm_bufio lock
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit 9ea61cac0b1ad0c09022f39fd97e9b99a2cfc2dc upstream.
+
+We've seen in-field reports showing _lots_ (18 in one case, 41 in
+another) of tasks all sitting there blocked on:
+
+ mutex_lock+0x4c/0x68
+ dm_bufio_shrink_count+0x38/0x78
+ shrink_slab.part.54.constprop.65+0x100/0x464
+ shrink_zone+0xa8/0x198
+
+In the two cases analyzed, we see one task that looks like this:
+
+ Workqueue: kverityd verity_prefetch_io
+
+ __switch_to+0x9c/0xa8
+ __schedule+0x440/0x6d8
+ schedule+0x94/0xb4
+ schedule_timeout+0x204/0x27c
+ schedule_timeout_uninterruptible+0x44/0x50
+ wait_iff_congested+0x9c/0x1f0
+ shrink_inactive_list+0x3a0/0x4cc
+ shrink_lruvec+0x418/0x5cc
+ shrink_zone+0x88/0x198
+ try_to_free_pages+0x51c/0x588
+ __alloc_pages_nodemask+0x648/0xa88
+ __get_free_pages+0x34/0x7c
+ alloc_buffer+0xa4/0x144
+ __bufio_new+0x84/0x278
+ dm_bufio_prefetch+0x9c/0x154
+ verity_prefetch_io+0xe8/0x10c
+ process_one_work+0x240/0x424
+ worker_thread+0x2fc/0x424
+ kthread+0x10c/0x114
+
+...and that looks to be the one holding the mutex.
+
+The problem has been reproduced on fairly easily:
+0. Be running Chrome OS w/ verity enabled on the root filesystem
+1. Pick test patch: http://crosreview.com/412360
+2. Install launchBalloons.sh and balloon.arm from
+ http://crbug.com/468342
+ ...that's just a memory stress test app.
+3. On a 4GB rk3399 machine, run
+ nice ./launchBalloons.sh 4 900 100000
+ ...that tries to eat 4 * 900 MB of memory and keep accessing.
+4. Login to the Chrome web browser and restore many tabs
+
+With that, I've seen printouts like:
+ DOUG: long bufio 90758 ms
+...and stack trace always show's we're in dm_bufio_prefetch().
+
+The problem is that we try to allocate memory with GFP_NOIO while
+we're holding the dm_bufio lock. Instead we should be using
+GFP_NOWAIT. Using GFP_NOIO can cause us to sleep while holding the
+lock and that causes the above problems.
+
+The current behavior explained by David Rientjes:
+
+ It will still try reclaim initially because __GFP_WAIT (or
+ __GFP_KSWAPD_RECLAIM) is set by GFP_NOIO. This is the cause of
+ contention on dm_bufio_lock() that the thread holds. You want to
+ pass GFP_NOWAIT instead of GFP_NOIO to alloc_buffer() when holding a
+ mutex that can be contended by a concurrent slab shrinker (if
+ count_objects didn't use a trylock, this pattern would trivially
+ deadlock).
+
+This change significantly increases responsiveness of the system while
+in this state. It makes a real difference because it unblocks kswapd.
+In the bug report analyzed, kswapd was hung:
+
+ kswapd0 D ffffffc000204fd8 0 72 2 0x00000000
+ Call trace:
+ [<ffffffc000204fd8>] __switch_to+0x9c/0xa8
+ [<ffffffc00090b794>] __schedule+0x440/0x6d8
+ [<ffffffc00090bac0>] schedule+0x94/0xb4
+ [<ffffffc00090be44>] schedule_preempt_disabled+0x28/0x44
+ [<ffffffc00090d900>] __mutex_lock_slowpath+0x120/0x1ac
+ [<ffffffc00090d9d8>] mutex_lock+0x4c/0x68
+ [<ffffffc000708e7c>] dm_bufio_shrink_count+0x38/0x78
+ [<ffffffc00030b268>] shrink_slab.part.54.constprop.65+0x100/0x464
+ [<ffffffc00030dbd8>] shrink_zone+0xa8/0x198
+ [<ffffffc00030e578>] balance_pgdat+0x328/0x508
+ [<ffffffc00030eb7c>] kswapd+0x424/0x51c
+ [<ffffffc00023f06c>] kthread+0x10c/0x114
+ [<ffffffc000203dd0>] ret_from_fork+0x10/0x40
+
+By unblocking kswapd memory pressure should be reduced.
+
+Suggested-by: David Rientjes <rientjes@google.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-bufio.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-bufio.c
++++ b/drivers/md/dm-bufio.c
+@@ -824,7 +824,8 @@ static struct dm_buffer *__alloc_buffer_
+ * dm-bufio is resistant to allocation failures (it just keeps
+ * one buffer reserved in cases all the allocations fail).
+ * So set flags to not try too hard:
+- * GFP_NOIO: don't recurse into the I/O layer
++ * GFP_NOWAIT: don't wait; if we need to sleep we'll release our
++ * mutex and wait ourselves.
+ * __GFP_NORETRY: don't retry and rather return failure
+ * __GFP_NOMEMALLOC: don't use emergency reserves
+ * __GFP_NOWARN: don't print a warning in case of failure
+@@ -834,7 +835,7 @@ static struct dm_buffer *__alloc_buffer_
+ */
+ while (1) {
+ if (dm_bufio_cache_size_latch != 1) {
+- b = alloc_buffer(c, GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
++ b = alloc_buffer(c, GFP_NOWAIT | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
+ if (b)
+ return b;
+ }
--- /dev/null
+From d12067f428c037b4575aaeb2be00847fc214c24a Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 23 Nov 2016 16:52:01 -0500
+Subject: dm bufio: don't take the lock in dm_bufio_shrink_count
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit d12067f428c037b4575aaeb2be00847fc214c24a upstream.
+
+dm_bufio_shrink_count() is called from do_shrink_slab to find out how many
+freeable objects are there. The reported value doesn't have to be precise,
+so we don't need to take the dm-bufio lock.
+
+Suggested-by: David Rientjes <rientjes@google.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-bufio.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+--- a/drivers/md/dm-bufio.c
++++ b/drivers/md/dm-bufio.c
+@@ -1598,19 +1598,11 @@ dm_bufio_shrink_scan(struct shrinker *sh
+ static unsigned long
+ dm_bufio_shrink_count(struct shrinker *shrink, struct shrink_control *sc)
+ {
+- struct dm_bufio_client *c;
+- unsigned long count;
+- unsigned long retain_target;
++ struct dm_bufio_client *c = container_of(shrink, struct dm_bufio_client, shrinker);
++ unsigned long count = READ_ONCE(c->n_buffers[LIST_CLEAN]) +
++ READ_ONCE(c->n_buffers[LIST_DIRTY]);
++ unsigned long retain_target = get_retain_buffers(c);
+
+- c = container_of(shrink, struct dm_bufio_client, shrinker);
+- if (sc->gfp_mask & __GFP_FS)
+- dm_bufio_lock(c);
+- else if (!dm_bufio_trylock(c))
+- return 0;
+-
+- count = c->n_buffers[LIST_CLEAN] + c->n_buffers[LIST_DIRTY];
+- retain_target = get_retain_buffers(c);
+- dm_bufio_unlock(c);
+ return (count < retain_target) ? 0 : (count - retain_target);
+ }
+
--- /dev/null
+From 41c73a49df31151f4ff868f28fe4f129f113fa2c Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 23 Nov 2016 17:04:00 -0500
+Subject: dm bufio: drop the lock when doing GFP_NOIO allocation
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 41c73a49df31151f4ff868f28fe4f129f113fa2c upstream.
+
+If the first allocation attempt using GFP_NOWAIT fails, drop the lock
+and retry using GFP_NOIO allocation (lock is dropped because the
+allocation can take some time).
+
+Note that we won't do GFP_NOIO allocation when we loop for the second
+time, because the lock shouldn't be dropped between __wait_for_free_buffer
+and __get_unclaimed_buffer.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-bufio.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/md/dm-bufio.c
++++ b/drivers/md/dm-bufio.c
+@@ -819,6 +819,7 @@ enum new_flag {
+ static struct dm_buffer *__alloc_buffer_wait_no_callback(struct dm_bufio_client *c, enum new_flag nf)
+ {
+ struct dm_buffer *b;
++ bool tried_noio_alloc = false;
+
+ /*
+ * dm-bufio is resistant to allocation failures (it just keeps
+@@ -843,6 +844,15 @@ static struct dm_buffer *__alloc_buffer_
+ if (nf == NF_PREFETCH)
+ return NULL;
+
++ if (dm_bufio_cache_size_latch != 1 && !tried_noio_alloc) {
++ dm_bufio_unlock(c);
++ b = alloc_buffer(c, GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
++ dm_bufio_lock(c);
++ if (b)
++ return b;
++ tried_noio_alloc = true;
++ }
++
+ if (!list_empty(&c->reserved_buffers)) {
+ b = list_entry(c->reserved_buffers.next,
+ struct dm_buffer, lru_list);
--- /dev/null
+From 717adfdaf14704fd3ec7fa2c04520c0723247eac Mon Sep 17 00:00:00 2001
+From: Daniel Rosenberg <drosen@google.com>
+Date: Mon, 2 Jul 2018 16:59:37 -0700
+Subject: HID: debug: check length before copy_to_user()
+
+From: Daniel Rosenberg <drosen@google.com>
+
+commit 717adfdaf14704fd3ec7fa2c04520c0723247eac upstream.
+
+If our length is greater than the size of the buffer, we
+overflow the buffer
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Rosenberg <drosen@google.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-debug.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-debug.c
++++ b/drivers/hid/hid-debug.c
+@@ -1152,6 +1152,8 @@ copy_rest:
+ goto out;
+ if (list->tail > list->head) {
+ len = list->tail - list->head;
++ if (len > count)
++ len = count;
+
+ if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) {
+ ret = -EFAULT;
+@@ -1161,6 +1163,8 @@ copy_rest:
+ list->head += len;
+ } else {
+ len = HID_DEBUG_BUFSIZE - list->head;
++ if (len > count)
++ len = count;
+
+ if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) {
+ ret = -EFAULT;
+@@ -1168,7 +1172,9 @@ copy_rest:
+ }
+ list->head = 0;
+ ret += len;
+- goto copy_rest;
++ count -= len;
++ if (count > 0)
++ goto copy_rest;
+ }
+
+ }
--- /dev/null
+From 4f65245f2d178b9cba48350620d76faa4a098841 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Fri, 29 Jun 2018 17:08:44 -0500
+Subject: HID: hiddev: fix potential Spectre v1
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 4f65245f2d178b9cba48350620d76faa4a098841 upstream.
+
+uref->field_index, uref->usage_index, finfo.field_index and cinfo.index can be
+indirectly controlled by user-space, hence leading to a potential exploitation
+of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/hid/usbhid/hiddev.c:473 hiddev_ioctl_usage() warn: potential spectre issue 'report->field' (local cap)
+drivers/hid/usbhid/hiddev.c:477 hiddev_ioctl_usage() warn: potential spectre issue 'field->usage' (local cap)
+drivers/hid/usbhid/hiddev.c:757 hiddev_ioctl() warn: potential spectre issue 'report->field' (local cap)
+drivers/hid/usbhid/hiddev.c:801 hiddev_ioctl() warn: potential spectre issue 'hid->collection' (local cap)
+
+Fix this by sanitizing such structure fields before using them to index
+report->field, field->usage and hid->collection
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/usbhid/hiddev.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/hid/usbhid/hiddev.c
++++ b/drivers/hid/usbhid/hiddev.c
+@@ -35,6 +35,7 @@
+ #include <linux/hiddev.h>
+ #include <linux/compat.h>
+ #include <linux/vmalloc.h>
++#include <linux/nospec.h>
+ #include "usbhid.h"
+
+ #ifdef CONFIG_USB_DYNAMIC_MINORS
+@@ -478,10 +479,14 @@ static noinline int hiddev_ioctl_usage(s
+
+ if (uref->field_index >= report->maxfield)
+ goto inval;
++ uref->field_index = array_index_nospec(uref->field_index,
++ report->maxfield);
+
+ field = report->field[uref->field_index];
+ if (uref->usage_index >= field->maxusage)
+ goto inval;
++ uref->usage_index = array_index_nospec(uref->usage_index,
++ field->maxusage);
+
+ uref->usage_code = field->usage[uref->usage_index].hid;
+
+@@ -508,6 +513,8 @@ static noinline int hiddev_ioctl_usage(s
+
+ if (uref->field_index >= report->maxfield)
+ goto inval;
++ uref->field_index = array_index_nospec(uref->field_index,
++ report->maxfield);
+
+ field = report->field[uref->field_index];
+
+@@ -761,6 +768,8 @@ static long hiddev_ioctl(struct file *fi
+
+ if (finfo.field_index >= report->maxfield)
+ break;
++ finfo.field_index = array_index_nospec(finfo.field_index,
++ report->maxfield);
+
+ field = report->field[finfo.field_index];
+ memset(&finfo, 0, sizeof(finfo));
+@@ -801,6 +810,8 @@ static long hiddev_ioctl(struct file *fi
+
+ if (cinfo.index >= hid->maxcollection)
+ break;
++ cinfo.index = array_index_nospec(cinfo.index,
++ hid->maxcollection);
+
+ cinfo.type = hid->collection[cinfo.index].type;
+ cinfo.usage = hid->collection[cinfo.index].usage;
--- /dev/null
+From ef6eaf27274c0351f7059163918f3795da13199c Mon Sep 17 00:00:00 2001
+From: Jason Andryuk <jandryuk@gmail.com>
+Date: Fri, 22 Jun 2018 12:25:49 -0400
+Subject: HID: i2c-hid: Fix "incomplete report" noise
+
+From: Jason Andryuk <jandryuk@gmail.com>
+
+commit ef6eaf27274c0351f7059163918f3795da13199c upstream.
+
+Commit ac75a041048b ("HID: i2c-hid: fix size check and type usage") started
+writing messages when the ret_size is <= 2 from i2c_master_recv. However, my
+device i2c-DLL07D1 returns 2 for a short period of time (~0.5s) after I stop
+moving the pointing stick or touchpad. It varies, but you get ~50 messages
+each time which spams the log hard.
+
+[ 95.925055] i2c_hid i2c-DLL07D1:01: i2c_hid_get_input: incomplete report (83/2)
+
+This has also been observed with a i2c-ALP0017.
+
+[ 1781.266353] i2c_hid i2c-ALP0017:00: i2c_hid_get_input: incomplete report (30/2)
+
+Only print the message when ret_size is totally invalid and less than 2 to cut
+down on the log spam.
+
+Fixes: ac75a041048b ("HID: i2c-hid: fix size check and type usage")
+Reported-by: John Smith <john-s-84@gmx.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/i2c-hid/i2c-hid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -477,7 +477,7 @@ static void i2c_hid_get_input(struct i2c
+ return;
+ }
+
+- if ((ret_size > size) || (ret_size <= 2)) {
++ if ((ret_size > size) || (ret_size < 2)) {
+ dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n",
+ __func__, size, ret_size);
+ return;
--- /dev/null
+From 9564a8cf422d7b58f6e857e3546d346fa970191e Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Date: Sun, 8 Apr 2018 23:35:28 +0200
+Subject: Kbuild: fix # escaping in .cmd files for future Make
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+commit 9564a8cf422d7b58f6e857e3546d346fa970191e upstream.
+
+I tried building using a freshly built Make (4.2.1-69-g8a731d1), but
+already the objtool build broke with
+
+orc_dump.c: In function ‘orc_dump’:
+orc_dump.c:106:2: error: ‘elf_getshnum’ is deprecated [-Werror=deprecated-declarations]
+ if (elf_getshdrnum(elf, &nr_sections)) {
+
+Turns out that with that new Make, the backslash was not removed, so cpp
+didn't see a #include directive, grep found nothing, and
+-DLIBELF_USE_DEPRECATED was wrongly put in CFLAGS.
+
+Now, that new Make behaviour is documented in their NEWS file:
+
+ * WARNING: Backward-incompatibility!
+ Number signs (#) appearing inside a macro reference or function invocation
+ no longer introduce comments and should not be escaped with backslashes:
+ thus a call such as:
+ foo := $(shell echo '#')
+ is legal. Previously the number sign needed to be escaped, for example:
+ foo := $(shell echo '\#')
+ Now this latter will resolve to "\#". If you want to write makefiles
+ portable to both versions, assign the number sign to a variable:
+ C := \#
+ foo := $(shell echo '$C')
+ This was claimed to be fixed in 3.81, but wasn't, for some reason.
+ To detect this change search for 'nocomment' in the .FEATURES variable.
+
+This also fixes up the two make-cmd instances to replace # with $(pound)
+rather than with \#. There might very well be other places that need
+similar fixup in preparation for whatever future Make release contains
+the above change, but at least this builds an x86_64 defconfig with the
+new make.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=197847
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ scripts/Kbuild.include | 5 +++--
+ tools/build/Build.include | 5 +++--
+ tools/objtool/Makefile | 2 +-
+ tools/scripts/Makefile.include | 2 ++
+ 4 files changed, 9 insertions(+), 5 deletions(-)
+
+--- a/scripts/Kbuild.include
++++ b/scripts/Kbuild.include
+@@ -8,6 +8,7 @@ squote := '
+ empty :=
+ space := $(empty) $(empty)
+ space_escape := _-_SPACE_-_
++pound := \#
+
+ ###
+ # Name of target with a '.' as filename prefix. foo/bar.o => foo/.bar.o
+@@ -241,11 +242,11 @@ endif
+
+ # Replace >$< with >$$< to preserve $ when reloading the .cmd file
+ # (needed for make)
+-# Replace >#< with >\#< to avoid starting a comment in the .cmd file
++# Replace >#< with >$(pound)< to avoid starting a comment in the .cmd file
+ # (needed for make)
+ # Replace >'< with >'\''< to be able to enclose the whole string in '...'
+ # (needed for the shell)
+-make-cmd = $(call escsq,$(subst \#,\\\#,$(subst $$,$$$$,$(cmd_$(1)))))
++make-cmd = $(call escsq,$(subst $(pound),$$(pound),$(subst $$,$$$$,$(cmd_$(1)))))
+
+ # Find any prerequisites that is newer than target or that does not exist.
+ # PHONY targets skipped in both cases.
+--- a/tools/build/Build.include
++++ b/tools/build/Build.include
+@@ -12,6 +12,7 @@
+ # Convenient variables
+ comma := ,
+ squote := '
++pound := \#
+
+ ###
+ # Name of target with a '.' as filename prefix. foo/bar.o => foo/.bar.o
+@@ -43,11 +44,11 @@ echo-cmd = $(if $($(quiet)cmd_$(1)),\
+ ###
+ # Replace >$< with >$$< to preserve $ when reloading the .cmd file
+ # (needed for make)
+-# Replace >#< with >\#< to avoid starting a comment in the .cmd file
++# Replace >#< with >$(pound)< to avoid starting a comment in the .cmd file
+ # (needed for make)
+ # Replace >'< with >'\''< to be able to enclose the whole string in '...'
+ # (needed for the shell)
+-make-cmd = $(call escsq,$(subst \#,\\\#,$(subst $$,$$$$,$(cmd_$(1)))))
++make-cmd = $(call escsq,$(subst $(pound),$$(pound),$(subst $$,$$$$,$(cmd_$(1)))))
+
+ ###
+ # Find any prerequisites that is newer than target or that does not exist.
+--- a/tools/objtool/Makefile
++++ b/tools/objtool/Makefile
+@@ -35,7 +35,7 @@ CFLAGS += -Wall -Werror $(WARNINGS) -f
+ LDFLAGS += -lelf $(LIBSUBCMD)
+
+ # Allow old libelf to be used:
+-elfshdr := $(shell echo '\#include <libelf.h>' | $(CC) $(CFLAGS) -x c -E - | grep elf_getshdr)
++elfshdr := $(shell echo '$(pound)include <libelf.h>' | $(CC) $(CFLAGS) -x c -E - | grep elf_getshdr)
+ CFLAGS += $(if $(elfshdr),,-DLIBELF_USE_DEPRECATED)
+
+ AWK = awk
+--- a/tools/scripts/Makefile.include
++++ b/tools/scripts/Makefile.include
+@@ -92,3 +92,5 @@ ifneq ($(silent),1)
+ QUIET_INSTALL = @printf ' INSTALL %s\n' $1;
+ endif
+ endif
++
++pound := \#
--- /dev/null
+From 3ee9bc12342cf546313d300808ff47d7dbb8e7db Mon Sep 17 00:00:00 2001
+From: Brad Love <brad@nextdimension.cc>
+Date: Tue, 6 Mar 2018 14:15:34 -0500
+Subject: media: cx25840: Use subdev host data for PLL override
+
+From: Brad Love <brad@nextdimension.cc>
+
+commit 3ee9bc12342cf546313d300808ff47d7dbb8e7db upstream.
+
+The cx25840 driver currently configures 885, 887, and 888 using
+default divisors for each chip. This check to see if the cx23885
+driver has passed the cx25840 a non-default clock rate for a
+specific chip. If a cx23885 board has left clk_freq at 0, the
+clock default values will be used to configure the PLLs.
+
+This patch only has effect on 888 boards who set clk_freq to 25M.
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/i2c/cx25840/cx25840-core.c | 28 ++++++++++++++++++++++------
+ 1 file changed, 22 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/i2c/cx25840/cx25840-core.c
++++ b/drivers/media/i2c/cx25840/cx25840-core.c
+@@ -467,8 +467,13 @@ static void cx23885_initialize(struct i2
+ {
+ DEFINE_WAIT(wait);
+ struct cx25840_state *state = to_state(i2c_get_clientdata(client));
++ u32 clk_freq = 0;
+ struct workqueue_struct *q;
+
++ /* cx23885 sets hostdata to clk_freq pointer */
++ if (v4l2_get_subdev_hostdata(&state->sd))
++ clk_freq = *((u32 *)v4l2_get_subdev_hostdata(&state->sd));
++
+ /*
+ * Come out of digital power down
+ * The CX23888, at least, needs this, otherwise registers aside from
+@@ -504,8 +509,13 @@ static void cx23885_initialize(struct i2
+ * 50.0 MHz * (0xb + 0xe8ba26/0x2000000)/4 = 5 * 28.636363 MHz
+ * 572.73 MHz before post divide
+ */
+- /* HVR1850 or 50MHz xtal */
+- cx25840_write(client, 0x2, 0x71);
++ if (clk_freq == 25000000) {
++ /* 888/ImpactVCBe or 25Mhz xtal */
++ ; /* nothing to do */
++ } else {
++ /* HVR1850 or 50MHz xtal */
++ cx25840_write(client, 0x2, 0x71);
++ }
+ cx25840_write4(client, 0x11c, 0x01d1744c);
+ cx25840_write4(client, 0x118, 0x00000416);
+ cx25840_write4(client, 0x404, 0x0010253e);
+@@ -548,9 +558,15 @@ static void cx23885_initialize(struct i2
+ /* HVR1850 */
+ switch (state->id) {
+ case CX23888_AV:
+- /* 888/HVR1250 specific */
+- cx25840_write4(client, 0x10c, 0x13333333);
+- cx25840_write4(client, 0x108, 0x00000515);
++ if (clk_freq == 25000000) {
++ /* 888/ImpactVCBe or 25MHz xtal */
++ cx25840_write4(client, 0x10c, 0x01b6db7b);
++ cx25840_write4(client, 0x108, 0x00000512);
++ } else {
++ /* 888/HVR1250 or 50MHz xtal */
++ cx25840_write4(client, 0x10c, 0x13333333);
++ cx25840_write4(client, 0x108, 0x00000515);
++ }
+ break;
+ default:
+ cx25840_write4(client, 0x10c, 0x002be2c9);
+@@ -580,7 +596,7 @@ static void cx23885_initialize(struct i2
+ * 368.64 MHz before post divide
+ * 122.88 MHz / 0xa = 12.288 MHz
+ */
+- /* HVR1850 or 50MHz xtal */
++ /* HVR1850 or 50MHz xtal or 25MHz xtal */
+ cx25840_write4(client, 0x114, 0x017dbf48);
+ cx25840_write4(client, 0x110, 0x000a030e);
+ break;
--- /dev/null
+From 7810e6781e0fcbca78b91cf65053f895bf59e85f Mon Sep 17 00:00:00 2001
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Thu, 7 Jun 2018 17:09:29 -0700
+Subject: mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
+
+From: Vlastimil Babka <vbabka@suse.cz>
+
+commit 7810e6781e0fcbca78b91cf65053f895bf59e85f upstream.
+
+In __alloc_pages_slowpath() we reset zonelist and preferred_zoneref for
+allocations that can ignore memory policies. The zonelist is obtained
+from current CPU's node. This is a problem for __GFP_THISNODE
+allocations that want to allocate on a different node, e.g. because the
+allocating thread has been migrated to a different CPU.
+
+This has been observed to break SLAB in our 4.4-based kernel, because
+there it relies on __GFP_THISNODE working as intended. If a slab page
+is put on wrong node's list, then further list manipulations may corrupt
+the list because page_to_nid() is used to determine which node's
+list_lock should be locked and thus we may take a wrong lock and race.
+
+Current SLAB implementation seems to be immune by luck thanks to commit
+511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on
+arbitrary node") but there may be others assuming that __GFP_THISNODE
+works as promised.
+
+We can fix it by simply removing the zonelist reset completely. There
+is actually no reason to reset it, because memory policies and cpusets
+don't affect the zonelist choice in the first place. This was different
+when commit 183f6371aac2 ("mm: ignore mempolicies when using
+ALLOC_NO_WATERMARK") introduced the code, as mempolicies provided their
+own restricted zonelists.
+
+We might consider this for 4.17 although I don't know if there's
+anything currently broken.
+
+SLAB is currently not affected, but in kernels older than 4.7 that don't
+yet have 511e3a058812 ("mm/slab: make cache_grow() handle the page
+allocated on arbitrary node") it is. That's at least 4.4 LTS. Older
+ones I'll have to check.
+
+So stable backports should be more important, but will have to be
+reviewed carefully, as the code went through many changes. BTW I think
+that also the ac->preferred_zoneref reset is currently useless if we
+don't also reset ac->nodemask from a mempolicy to NULL first (which we
+probably should for the OOM victims etc?), but I would leave that for a
+separate patch.
+
+Link: http://lkml.kernel.org/r/20180525130853.13915-1-vbabka@suse.cz
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Fixes: 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK")
+Acked-by: Mel Gorman <mgorman@techsingularity.net>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page_alloc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -3642,7 +3642,6 @@ retry:
+ * orientated.
+ */
+ if (!(alloc_flags & ALLOC_CPUSET) || (alloc_flags & ALLOC_NO_WATERMARKS)) {
+- ac->zonelist = node_zonelist(numa_node_id(), gfp_mask);
+ ac->preferred_zoneref = first_zones_zonelist(ac->zonelist,
+ ac->high_zoneidx, ac->nodemask);
+ }
--- /dev/null
+From 3f77f244d8ec28e3a0a81240ffac7d626390060c Mon Sep 17 00:00:00 2001
+From: Martin Kaiser <martin@kaiser.cx>
+Date: Mon, 18 Jun 2018 22:41:03 +0200
+Subject: mtd: rawnand: mxc: set spare area size register explicitly
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+commit 3f77f244d8ec28e3a0a81240ffac7d626390060c upstream.
+
+The v21 version of the NAND flash controller contains a Spare Area Size
+Register (SPAS) at offset 0x10. Its setting defaults to the maximum
+spare area size of 218 bytes. The size that is set in this register is
+used by the controller when it calculates the ECC bytes internally in
+hardware.
+
+Usually, this register is updated from settings in the IIM fuses when
+the system is booting from NAND flash. For other boot media, however,
+the SPAS register remains at the default setting, which may not work for
+the particular flash chip on the board. The same goes for flash chips
+whose configuration cannot be set in the IIM fuses (e.g. chips with 2k
+sector size and 128 bytes spare area size can't be configured in the IIM
+fuses on imx25 systems).
+
+Set the SPAS register explicitly during the preset operation. Derive the
+register value from mtd->oobsize that was detected during probe by
+decoding the flash chip's ID bytes.
+
+While at it, rename the define for the spare area register's offset to
+NFC_V21_RSLTSPARE_AREA. The register at offset 0x10 on v1 controllers is
+different from the register on v21 controllers.
+
+Fixes: d484018 ("mtd: mxc_nand: set NFC registers after reset")
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Reviewed-by: Sascha Hauer <s.hauer@pengutronix.de>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/mtd/nand/mxc_nand.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/mxc_nand.c
++++ b/drivers/mtd/nand/mxc_nand.c
+@@ -48,7 +48,7 @@
+ #define NFC_V1_V2_CONFIG (host->regs + 0x0a)
+ #define NFC_V1_V2_ECC_STATUS_RESULT (host->regs + 0x0c)
+ #define NFC_V1_V2_RSLTMAIN_AREA (host->regs + 0x0e)
+-#define NFC_V1_V2_RSLTSPARE_AREA (host->regs + 0x10)
++#define NFC_V21_RSLTSPARE_AREA (host->regs + 0x10)
+ #define NFC_V1_V2_WRPROT (host->regs + 0x12)
+ #define NFC_V1_UNLOCKSTART_BLKADDR (host->regs + 0x14)
+ #define NFC_V1_UNLOCKEND_BLKADDR (host->regs + 0x16)
+@@ -1121,6 +1121,9 @@ static void preset_v2(struct mtd_info *m
+ writew(config1, NFC_V1_V2_CONFIG1);
+ /* preset operation */
+
++ /* spare area size in 16-bit half-words */
++ writew(mtd->oobsize / 2, NFC_V21_RSLTSPARE_AREA);
++
+ /* Unlock the internal RAM Buffer */
+ writew(0x2, NFC_V1_V2_CONFIG);
+
--- /dev/null
+From c5c2a97b3ac7d1ec19e7cff9e38caca6afefc3de Mon Sep 17 00:00:00 2001
+From: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@gmail.com>
+Date: Thu, 14 Jun 2018 15:56:08 +0200
+Subject: PM / OPP: Update voltage in case freq == old_freq
+
+From: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@gmail.com>
+
+commit c5c2a97b3ac7d1ec19e7cff9e38caca6afefc3de upstream.
+
+This commit fixes a rare but possible case when the clk rate is updated
+without update of the regulator voltage.
+
+At boot up, CPUfreq checks if the system is running at the right freq. This
+is a sanity check in case a bootloader set clk rate that is outside of freq
+table present with cpufreq core. In such cases system can be unstable so
+better to change it to a freq that is preset in freq-table.
+
+The CPUfreq takes next freq that is >= policy->cur and this is our
+target_freq that needs to be set now.
+
+dev_pm_opp_set_rate(dev, target_freq) checks the target_freq and the
+old_freq (a current rate). If these are equal it returns early. If not,
+it searches for OPP (old_opp) that fits best to old_freq (not listed in
+the table) and updates old_freq (!).
+
+Here, we can end up with old_freq = old_opp.rate = target_freq, which
+is not handled in _generic_set_opp_regulator(). It's supposed to update
+voltage only when freq > old_freq || freq > old_freq.
+
+if (freq > old_freq) {
+ ret = _set_opp_voltage(dev, reg, new_supply);
+[...]
+if (freq < old_freq) {
+ ret = _set_opp_voltage(dev, reg, new_supply);
+ if (ret)
+
+It results in, no voltage update while clk rate is updated.
+
+Example:
+freq-table = {
+ 1000MHz 1.15V
+ 666MHZ 1.10V
+ 333MHz 1.05V
+}
+boot-up-freq = 800MHz # not listed in freq-table
+freq = target_freq = 1GHz
+old_freq = 800Mhz
+old_opp = _find_freq_ceil(opp_table, &old_freq); #(old_freq is modified!)
+old_freq = 1GHz
+
+Fixes: 6a0712f6f199 ("PM / OPP: Add dev_pm_opp_set_rate()")
+Cc: 4.6+ <stable@vger.kernel.org> # v4.6+
+Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@gmail.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/power/opp/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/power/opp/core.c
++++ b/drivers/base/power/opp/core.c
+@@ -651,7 +651,7 @@ int dev_pm_opp_set_rate(struct device *d
+ rcu_read_unlock();
+
+ /* Scaling up? Scale voltage before frequency */
+- if (freq > old_freq) {
++ if (freq >= old_freq) {
+ ret = _set_opp_voltage(dev, reg, u_volt, u_volt_min,
+ u_volt_max);
+ if (ret)
ext4-add-more-mount-time-checks-of-the-superblock.patch
ext4-check-superblock-mapped-prior-to-committing.patch
mlxsw-spectrum-forbid-linking-of-vlan-devices-to-devices-that-have-uppers.patch
+hid-i2c-hid-fix-incomplete-report-noise.patch
+hid-hiddev-fix-potential-spectre-v1.patch
+hid-debug-check-length-before-copy_to_user.patch
+pm-opp-update-voltage-in-case-freq-old_freq.patch
+kbuild-fix-escaping-in-.cmd-files-for-future-make.patch
+tools-build-build.include-fix-escaping-in-.cmd-files-for.patch
+media-cx25840-use-subdev-host-data-for-pll-override.patch
+mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch
+dm-bufio-avoid-sleeping-while-holding-the-dm_bufio-lock.patch
+dm-bufio-drop-the-lock-when-doing-gfp_noio-allocation.patch
+mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch
+dm-bufio-don-t-take-the-lock-in-dm_bufio_shrink_count.patch
--- /dev/null
+From cdfc04d354e38b4e727d4e513962310389847414 Mon Sep 17 00:00:00 2001
+From: Paul Menzel <pmenzel@molgen.mpg.de>
+Date: Tue, 5 Jun 2018 19:00:22 +0200
+Subject: tools/build/Build.include: fix # escaping in .cmd files for future Make
+
+From: Paul Menzel <pmenzel@molgen.mpg.de>
+
+In 2016 make made a backwards incompatible change to the way '#'
+characters were handled in Makefiles when used inside functions or
+macros:
+
+http://git.savannah.gnu.org/cgit/make.git/commit/?id=c6966b323811c37acedff05b57
+
+Due to this change, when attempting to run `make prepare' I get a
+spurious make syntax error:
+
+ /home/earnest/linux/tools/objtool/.fixdep.o.cmd:1: *** missing separator. Stop.
+
+When inspecting `.fixdep.o.cmd' it includes two lines which use
+unescaped comment characters at the top:
+
+ \# cannot find fixdep (/home/earnest/linux/tools/objtool//fixdep)
+ \# using basic dep data
+
+This is because `tools/build/Build.include' prints these '\#'
+characters:
+
+ printf '\# cannot find fixdep (%s)\n' $(fixdep) > $(dot-target).cmd; \
+ printf '\# using basic dep data\n\n' >> $(dot-target).cmd; \
+
+This completes commit 9564a8cf (Kbuild: fix # escaping in .cmd files for
+future Make).
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=197847
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/build/Build.include | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/build/Build.include
++++ b/tools/build/Build.include
+@@ -63,8 +63,8 @@ dep-cmd = $(if $(wildcard $(fixdep)),
+ $(fixdep) $(depfile) $@ '$(make-cmd)' > $(dot-target).tmp; \
+ rm -f $(depfile); \
+ mv -f $(dot-target).tmp $(dot-target).cmd, \
+- printf '\# cannot find fixdep (%s)\n' $(fixdep) > $(dot-target).cmd; \
+- printf '\# using basic dep data\n\n' >> $(dot-target).cmd; \
++ printf '$(pound) cannot find fixdep (%s)\n' $(fixdep) > $(dot-target).cmd; \
++ printf '$(pound) using basic dep data\n\n' >> $(dot-target).cmd; \
+ cat $(depfile) >> $(dot-target).cmd; \
+ printf '%s\n' 'cmd_$@ := $(make-cmd)' >> $(dot-target).cmd)
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
