--- /dev/null
+From 854f31ccdd7964c9c2e68da234a3a8aedb51cf6b Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <damien.lemoal@wdc.com>
+Date: Thu, 27 Sep 2018 10:55:13 +0900
+Subject: block: fix deadline elevator drain for zoned block devices
+
+From: Damien Le Moal <damien.lemoal@wdc.com>
+
+commit 854f31ccdd7964c9c2e68da234a3a8aedb51cf6b upstream.
+
+When the deadline scheduler is used with a zoned block device, writes
+to a zone will be dispatched one at a time. This causes the warning
+message:
+
+deadline: forced dispatching is broken (nr_sorted=X), please report this
+
+to be displayed when switching to another elevator with the legacy I/O
+path while write requests to a zone are being retained in the scheduler
+queue.
+
+Prevent this message from being displayed when executing
+elv_drain_elevator() for a zoned block device. __blk_drain_queue() will
+loop until all writes are dispatched and completed, resulting in the
+desired elevator queue drain without extensive modifications to the
+deadline code itself to handle forced-dispatch calls.
+
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Fixes: 8dc8146f9c92 ("deadline-iosched: Introduce zone locking support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/elevator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/elevator.c
++++ b/block/elevator.c
+@@ -609,7 +609,7 @@ void elv_drain_elevator(struct request_q
+
+ while (e->type->ops.sq.elevator_dispatch_fn(q, 1))
+ ;
+- if (q->nr_sorted && printed++ < 10) {
++ if (q->nr_sorted && !blk_queue_is_zoned(q) && printed++ < 10 ) {
+ printk(KERN_ERR "%s: forced dispatching is broken "
+ "(nr_sorted=%u), please report this\n",
+ q->elevator->type->elevator_name, q->nr_sorted);
--- /dev/null
+From 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e Mon Sep 17 00:00:00 2001
+From: Andy Whitcroft <apw@canonical.com>
+Date: Thu, 20 Sep 2018 09:09:48 -0600
+Subject: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
+
+From: Andy Whitcroft <apw@canonical.com>
+
+commit 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e upstream.
+
+The final field of a floppy_struct is the field "name", which is a pointer
+to a string in kernel memory. The kernel pointer should not be copied to
+user memory. The FDGETPRM ioctl copies a floppy_struct to user memory,
+including this "name" field. This pointer cannot be used by the user
+and it will leak a kernel address to user-space, which will reveal the
+location of kernel code and data and undermine KASLR protection.
+
+Model this code after the compat ioctl which copies the returned data
+to a previously cleared temporary structure on the stack (excluding the
+name pointer) and copy out to userspace from there. As we already have
+an inparam union with an appropriate member and that memory is already
+cleared even for read only calls make use of that as a temporary store.
+
+Based on an initial patch by Brian Belleville.
+
+CVE-2018-7755
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+Broke up long line.
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/floppy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3470,6 +3470,9 @@ static int fd_locked_ioctl(struct block_
+ (struct floppy_struct **)&outparam);
+ if (ret)
+ return ret;
++ memcpy(&inparam.g, outparam,
++ offsetof(struct floppy_struct, name));
++ outparam = &inparam.g;
+ break;
+ case FDMSGON:
+ UDP->flags |= FTD_MSG;
--- /dev/null
+From 8801922cd94c918e4dc3a108ecaa500c4d40583f Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Tue, 18 Sep 2018 16:10:47 +0300
+Subject: intel_th: Fix device removal logic
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 8801922cd94c918e4dc3a108ecaa500c4d40583f upstream.
+
+Commit a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices")
+brings in new subdevice addition/removal logic that's broken for "host
+mode": the SWITCH device has no children to begin with, which is not
+handled in the code. This results in a null dereference bug later down
+the path.
+
+This patch fixes the subdevice removal code to handle host mode correctly.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices")
+CC: stable@vger.kernel.org # v4.14+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/intel_th/core.c
++++ b/drivers/hwtracing/intel_th/core.c
+@@ -139,7 +139,8 @@ static int intel_th_remove(struct device
+ th->thdev[i] = NULL;
+ }
+
+- th->num_thdevs = lowest;
++ if (lowest >= 0)
++ th->num_thdevs = lowest;
+ }
+
+ if (thdrv->attr_group)
--- /dev/null
+From ebe4582281d6e90972f057318a6edea14810ea48 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Tue, 18 Sep 2018 16:10:48 +0300
+Subject: intel_th: Fix resource handling for ACPI glue layer
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit ebe4582281d6e90972f057318a6edea14810ea48 upstream.
+
+The core of the driver expects the resource array from the glue layer
+to be indexed by even numbers, as is the case for 64-bit PCI resources.
+This doesn't hold true for others, ACPI in this instance, which leads
+to an out-of-bounds access and an ioremap() on whatever address that
+access fetches.
+
+This patch fixes the problem by reading resource array differently based
+on whether the 64-bit flag is set, which would indicate PCI glue layer.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: ebc57e399b8e ("intel_th: Add ACPI glue layer")
+CC: stable@vger.kernel.org # v4.17+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/core.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwtracing/intel_th/core.c
++++ b/drivers/hwtracing/intel_th/core.c
+@@ -488,7 +488,7 @@ static const struct intel_th_subdevice {
+ .flags = IORESOURCE_MEM,
+ },
+ {
+- .start = TH_MMIO_SW,
++ .start = 1, /* use resource[1] */
+ .end = 0,
+ .flags = IORESOURCE_MEM,
+ },
+@@ -581,6 +581,7 @@ intel_th_subdevice_alloc(struct intel_th
+ struct intel_th_device *thdev;
+ struct resource res[3];
+ unsigned int req = 0;
++ bool is64bit = false;
+ int r, err;
+
+ thdev = intel_th_device_alloc(th, subdev->type, subdev->name,
+@@ -590,12 +591,18 @@ intel_th_subdevice_alloc(struct intel_th
+
+ thdev->drvdata = th->drvdata;
+
++ for (r = 0; r < th->num_resources; r++)
++ if (th->resource[r].flags & IORESOURCE_MEM_64) {
++ is64bit = true;
++ break;
++ }
++
+ memcpy(res, subdev->res,
+ sizeof(struct resource) * subdev->nres);
+
+ for (r = 0; r < subdev->nres; r++) {
+ struct resource *devres = th->resource;
+- int bar = TH_MMIO_CONFIG;
++ int bar = 0; /* cut subdevices' MMIO from resource[0] */
+
+ /*
+ * Take .end == 0 to mean 'take the whole bar',
+@@ -604,6 +611,8 @@ intel_th_subdevice_alloc(struct intel_th
+ */
+ if (!res[r].end && res[r].flags == IORESOURCE_MEM) {
+ bar = res[r].start;
++ if (is64bit)
++ bar *= 2;
+ res[r].start = 0;
+ res[r].end = resource_size(&devres[bar]) - 1;
+ }
--- /dev/null
+From fb6de923ca3358a91525552b4907d4cb38730bdd Mon Sep 17 00:00:00 2001
+From: Yu Zhao <yuzhao@google.com>
+Date: Wed, 19 Sep 2018 15:30:51 -0600
+Subject: regulator: fix crash caused by null driver data
+
+From: Yu Zhao <yuzhao@google.com>
+
+commit fb6de923ca3358a91525552b4907d4cb38730bdd upstream.
+
+dev_set_drvdata() needs to be called before device_register()
+exposes device to userspace. Otherwise kernel crashes after it
+gets null pointer from dev_get_drvdata() when userspace tries
+to access sysfs entries.
+
+[Removed backtrace for length -- broonie]
+
+Signed-off-by: Yu Zhao <yuzhao@google.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -4381,13 +4381,13 @@ regulator_register(const struct regulato
+ !rdev->desc->fixed_uV)
+ rdev->is_switch = true;
+
++ dev_set_drvdata(&rdev->dev, rdev);
+ ret = device_register(&rdev->dev);
+ if (ret != 0) {
+ put_device(&rdev->dev);
+ goto unset_supplies;
+ }
+
+- dev_set_drvdata(&rdev->dev, rdev);
+ rdev_init_debugfs(rdev);
+
+ /* try to resolve regulators supply since a new one was registered */
--- /dev/null
+From 3edd79cf5a44b12dbb13bc320f5788aed6562b36 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Mon, 3 Sep 2018 16:49:37 +0200
+Subject: regulator: Fix 'do-nothing' value for regulators without suspend state
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit 3edd79cf5a44b12dbb13bc320f5788aed6562b36 upstream.
+
+Some regulators don't have all states defined and in such cases regulator
+core should not assume anything. However in current implementation
+of of_get_regulation_constraints() DO_NOTHING_IN_SUSPEND enable value was
+set only for regulators which had suspend node defined, otherwise the
+default 0 value was used, what means DISABLE_IN_SUSPEND. This lead to
+broken system suspend/resume on boards, which had simple regulator
+constraints definition (without suspend state nodes).
+
+To avoid further mismatches between the default and uninitialized values
+of the suspend enabled/disabled states, change the values of the them,
+so default '0' means DO_NOTHING_IN_SUSPEND.
+
+Fixes: 72069f9957a1: regulator: leave one item to record whether regulator is enabled
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/core.c | 2 +-
+ drivers/regulator/of_regulator.c | 2 --
+ include/linux/regulator/machine.h | 6 +++---
+ 3 files changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -3147,7 +3147,7 @@ static inline int regulator_suspend_togg
+ if (!rstate->changeable)
+ return -EPERM;
+
+- rstate->enabled = en;
++ rstate->enabled = (en) ? ENABLE_IN_SUSPEND : DISABLE_IN_SUSPEND;
+
+ return 0;
+ }
+--- a/drivers/regulator/of_regulator.c
++++ b/drivers/regulator/of_regulator.c
+@@ -213,8 +213,6 @@ static void of_get_regulation_constraint
+ else if (of_property_read_bool(suspend_np,
+ "regulator-off-in-suspend"))
+ suspend_state->enabled = DISABLE_IN_SUSPEND;
+- else
+- suspend_state->enabled = DO_NOTHING_IN_SUSPEND;
+
+ if (!of_property_read_u32(np, "regulator-suspend-min-microvolt",
+ &pval))
+--- a/include/linux/regulator/machine.h
++++ b/include/linux/regulator/machine.h
+@@ -48,9 +48,9 @@ struct regulator;
+ * DISABLE_IN_SUSPEND - turn off regulator in suspend states
+ * ENABLE_IN_SUSPEND - keep regulator on in suspend states
+ */
+-#define DO_NOTHING_IN_SUSPEND (-1)
+-#define DISABLE_IN_SUSPEND 0
+-#define ENABLE_IN_SUSPEND 1
++#define DO_NOTHING_IN_SUSPEND 0
++#define DISABLE_IN_SUSPEND 1
++#define ENABLE_IN_SUSPEND 2
+
+ /* Regulator active discharge flags */
+ enum regulator_active_discharge {
--- /dev/null
+From be28c1e3ca29887e207f0cbcd294cefe5074bab6 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Fri, 14 Sep 2018 10:32:50 +0000
+Subject: serial: cpm_uart: return immediately from console poll
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+commit be28c1e3ca29887e207f0cbcd294cefe5074bab6 upstream.
+
+kgdb expects poll function to return immediately and
+returning NO_POLL_CHAR when no character is available.
+
+Fixes: f5316b4aea024 ("kgdb,8250,pl011: Return immediately from console poll")
+Cc: Jason Wessel <jason.wessel@windriver.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/cpm_uart/cpm_uart_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/cpm_uart/cpm_uart_core.c
++++ b/drivers/tty/serial/cpm_uart/cpm_uart_core.c
+@@ -1054,8 +1054,8 @@ static int poll_wait_key(char *obuf, str
+ /* Get the address of the host memory buffer.
+ */
+ bdp = pinfo->rx_cur;
+- while (bdp->cbd_sc & BD_SC_EMPTY)
+- ;
++ if (bdp->cbd_sc & BD_SC_EMPTY)
++ return NO_POLL_CHAR;
+
+ /* If the buffer address is in the CPM DPRAM, don't
+ * convert it.
+@@ -1090,7 +1090,11 @@ static int cpm_get_poll_char(struct uart
+ poll_chars = 0;
+ }
+ if (poll_chars <= 0) {
+- poll_chars = poll_wait_key(poll_buf, pinfo);
++ int ret = poll_wait_key(poll_buf, pinfo);
++
++ if (ret == NO_POLL_CHAR)
++ return ret;
++ poll_chars = ret;
+ pollp = poll_buf;
+ }
+ poll_chars--;
--- /dev/null
+From 7e620984b62532783912312e334f3c48cdacbd5d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>
+Date: Thu, 20 Sep 2018 14:11:17 +0200
+Subject: serial: imx: restore handshaking irq for imx1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+commit 7e620984b62532783912312e334f3c48cdacbd5d upstream.
+
+Back in 2015 when irda was dropped from the driver imx1 was broken. This
+change reintroduces the support for the third interrupt of the UART.
+
+Fixes: afe9cbb1a6ad ("serial: imx: drop support for IRDA")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Reviewed-by: Leonard Crestez <leonard.crestez@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/imx.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -2350,6 +2350,14 @@ static int imx_uart_probe(struct platfor
+ ret);
+ return ret;
+ }
++
++ ret = devm_request_irq(&pdev->dev, rtsirq, imx_uart_rtsint, 0,
++ dev_name(&pdev->dev), sport);
++ if (ret) {
++ dev_err(&pdev->dev, "failed to request rts irq: %d\n",
++ ret);
++ return ret;
++ }
+ } else {
+ ret = devm_request_irq(&pdev->dev, rxirq, imx_uart_int, 0,
+ dev_name(&pdev->dev), sport);
--- /dev/null
+From e0bf2d4982fe7d9ddaf550dd023803ea286f47fc Mon Sep 17 00:00:00 2001
+From: Jan Kiszka <jan.kiszka@siemens.com>
+Date: Sun, 26 Aug 2018 19:49:32 +0200
+Subject: serial: mvebu-uart: Fix reporting of effective CSIZE to userspace
+
+From: Jan Kiszka <jan.kiszka@siemens.com>
+
+commit e0bf2d4982fe7d9ddaf550dd023803ea286f47fc upstream.
+
+Apparently, this driver (or the hardware) does not support character
+length settings. It's apparently running in 8-bit mode, but it makes
+userspace believe it's in 5-bit mode. That makes tcsetattr with CS8
+incorrectly fail, breaking e.g. getty from busybox, thus the login shell
+on ttyMVx.
+
+Fix by hard-wiring CS8 into c_cflag.
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Fixes: 30530791a7a0 ("serial: mvebu-uart: initial support for Armada-3700 serial port")
+Cc: stable <stable@vger.kernel.org> # 4.6+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/mvebu-uart.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/serial/mvebu-uart.c
++++ b/drivers/tty/serial/mvebu-uart.c
+@@ -511,6 +511,7 @@ static void mvebu_uart_set_termios(struc
+ termios->c_iflag |= old->c_iflag & ~(INPCK | IGNPAR);
+ termios->c_cflag &= CREAD | CBAUD;
+ termios->c_cflag |= old->c_cflag & ~(CREAD | CBAUD);
++ termios->c_cflag |= CS8;
+ }
+
+ spin_unlock_irqrestore(&port->lock, flags);
drm-vc4-plane-expand-the-lower-bits-by-repeating-the-higher-bits.patch
perf-tests-fix-indexing-when-invoking-subtests.patch
gpio-tegra-fix-tegra_gpio_irq_set_type.patch
+floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch
+block-fix-deadline-elevator-drain-for-zoned-block-devices.patch
+x86-mm-expand-static-page-table-for-fixmap-space.patch
+tty-serial-lpuart-avoid-leaking-struct-tty_struct.patch
+serial-imx-restore-handshaking-irq-for-imx1.patch
+serial-mvebu-uart-fix-reporting-of-effective-csize-to-userspace.patch
+serial-cpm_uart-return-immediately-from-console-poll.patch
+intel_th-fix-device-removal-logic.patch
+intel_th-fix-resource-handling-for-acpi-glue-layer.patch
+spi-tegra20-slink-explicitly-enable-disable-clock.patch
+spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch
+spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch
+spi-rspi-fix-invalid-spi-use-during-system-suspend.patch
+spi-rspi-fix-interrupted-dma-transfers.patch
+regulator-fix-crash-caused-by-null-driver-data.patch
+regulator-fix-do-nothing-value-for-regulators-without-suspend-state.patch
+usb-fix-error-handling-in-usb_driver_claim_interface.patch
+usb-handle-null-config-in-usb_find_alt_setting.patch
+usb-roles-take-care-of-driver-module-reference-counting.patch
+usb-core-safely-deal-with-the-dynamic-quirk-lists.patch
+usb-musb-dsps-do-not-disable-cppi41-irq-in-driver-teardown.patch
--- /dev/null
+From 8dbbaa47b96f6ea5f09f922b4effff3c505cd8cf Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 5 Sep 2018 10:49:39 +0200
+Subject: spi: rspi: Fix interrupted DMA transfers
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 8dbbaa47b96f6ea5f09f922b4effff3c505cd8cf upstream.
+
+When interrupted, wait_event_interruptible_timeout() returns
+-ERESTARTSYS, and the SPI transfer in progress will fail, as expected:
+
+ m25p80 spi0.0: SPI transfer failed: -512
+ spi_master spi0: failed to transfer one message from queue
+
+However, as the underlying DMA transfers may not have completed, all
+subsequent SPI transfers may start to fail:
+
+ spi_master spi0: receive timeout
+ qspi_transfer_out_in() returned -110
+ m25p80 spi0.0: SPI transfer failed: -110
+ spi_master spi0: failed to transfer one message from queue
+
+Fix this by calling dmaengine_terminate_all() not only for timeouts, but
+also for errors.
+
+This can be reproduced on r8a7991/koelsch, using "hd /dev/mtd0" followed
+by CTRL-C.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-rspi.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/spi/spi-rspi.c
++++ b/drivers/spi/spi-rspi.c
+@@ -598,11 +598,13 @@ static int rspi_dma_transfer(struct rspi
+
+ ret = wait_event_interruptible_timeout(rspi->wait,
+ rspi->dma_callbacked, HZ);
+- if (ret > 0 && rspi->dma_callbacked)
++ if (ret > 0 && rspi->dma_callbacked) {
+ ret = 0;
+- else if (!ret) {
+- dev_err(&rspi->master->dev, "DMA timeout\n");
+- ret = -ETIMEDOUT;
++ } else {
++ if (!ret) {
++ dev_err(&rspi->master->dev, "DMA timeout\n");
++ ret = -ETIMEDOUT;
++ }
+ if (tx)
+ dmaengine_terminate_all(rspi->master->dma_tx);
+ if (rx)
--- /dev/null
+From c1ca59c22c56930b377a665fdd1b43351887830b Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 5 Sep 2018 10:49:38 +0200
+Subject: spi: rspi: Fix invalid SPI use during system suspend
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit c1ca59c22c56930b377a665fdd1b43351887830b upstream.
+
+If the SPI queue is running during system suspend, the system may lock
+up.
+
+Fix this by stopping/restarting the queue during system suspend/resume,
+by calling spi_master_suspend()/spi_master_resume() from the PM
+callbacks. In-kernel users will receive an -ESHUTDOWN error while
+system suspend/resume is in progress.
+
+Based on a patch for sh-msiof by Gaku Inami.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-rspi.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/spi/spi-rspi.c
++++ b/drivers/spi/spi-rspi.c
+@@ -1350,12 +1350,36 @@ static const struct platform_device_id s
+
+ MODULE_DEVICE_TABLE(platform, spi_driver_ids);
+
++#ifdef CONFIG_PM_SLEEP
++static int rspi_suspend(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct rspi_data *rspi = platform_get_drvdata(pdev);
++
++ return spi_master_suspend(rspi->master);
++}
++
++static int rspi_resume(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct rspi_data *rspi = platform_get_drvdata(pdev);
++
++ return spi_master_resume(rspi->master);
++}
++
++static SIMPLE_DEV_PM_OPS(rspi_pm_ops, rspi_suspend, rspi_resume);
++#define DEV_PM_OPS &rspi_pm_ops
++#else
++#define DEV_PM_OPS NULL
++#endif /* CONFIG_PM_SLEEP */
++
+ static struct platform_driver rspi_driver = {
+ .probe = rspi_probe,
+ .remove = rspi_remove,
+ .id_table = spi_driver_ids,
+ .driver = {
+ .name = "renesas_spi",
++ .pm = DEV_PM_OPS,
+ .of_match_table = of_match_ptr(rspi_of_match),
+ },
+ };
--- /dev/null
+From 31a5fae4c5a009898da6d177901d5328051641ff Mon Sep 17 00:00:00 2001
+From: Hiromitsu Yamasaki <hiromitsu.yamasaki.ym@renesas.com>
+Date: Wed, 5 Sep 2018 10:49:37 +0200
+Subject: spi: sh-msiof: Fix handling of write value for SISTR register
+
+From: Hiromitsu Yamasaki <hiromitsu.yamasaki.ym@renesas.com>
+
+commit 31a5fae4c5a009898da6d177901d5328051641ff upstream.
+
+This patch changes writing to the SISTR register according to the H/W
+user's manual.
+
+The TDREQ bit and RDREQ bits of SISTR are read-only, and must be written
+their initial values of zero.
+
+Signed-off-by: Hiromitsu Yamasaki <hiromitsu.yamasaki.ym@renesas.com>
+[geert: reword]
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-sh-msiof.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -396,7 +396,8 @@ static void sh_msiof_spi_set_mode_regs(s
+
+ static void sh_msiof_reset_str(struct sh_msiof_spi_priv *p)
+ {
+- sh_msiof_write(p, STR, sh_msiof_read(p, STR));
++ sh_msiof_write(p, STR,
++ sh_msiof_read(p, STR) & ~(STR_TDREQ | STR_RDREQ));
+ }
+
+ static void sh_msiof_spi_write_fifo_8(struct sh_msiof_spi_priv *p,
--- /dev/null
+From ffa69d6a16f686efe45269342474e421f2aa58b2 Mon Sep 17 00:00:00 2001
+From: Gaku Inami <gaku.inami.xw@bp.renesas.com>
+Date: Wed, 5 Sep 2018 10:49:36 +0200
+Subject: spi: sh-msiof: Fix invalid SPI use during system suspend
+
+From: Gaku Inami <gaku.inami.xw@bp.renesas.com>
+
+commit ffa69d6a16f686efe45269342474e421f2aa58b2 upstream.
+
+If the SPI queue is running during system suspend, the system may lock
+up.
+
+Fix this by stopping/restarting the queue during system suspend/resume
+by calling spi_master_suspend()/spi_master_resume() from the PM
+callbacks. In-kernel users will receive an -ESHUTDOWN error while
+system suspend/resume is in progress.
+
+Signed-off-by: Gaku Inami <gaku.inami.xw@bp.renesas.com>
+Signed-off-by: Hiromitsu Yamasaki <hiromitsu.yamasaki.ym@renesas.com>
+[geert: Cleanup, reword]
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-sh-msiof.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -1421,12 +1421,37 @@ static const struct platform_device_id s
+ };
+ MODULE_DEVICE_TABLE(platform, spi_driver_ids);
+
++#ifdef CONFIG_PM_SLEEP
++static int sh_msiof_spi_suspend(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct sh_msiof_spi_priv *p = platform_get_drvdata(pdev);
++
++ return spi_master_suspend(p->master);
++}
++
++static int sh_msiof_spi_resume(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct sh_msiof_spi_priv *p = platform_get_drvdata(pdev);
++
++ return spi_master_resume(p->master);
++}
++
++static SIMPLE_DEV_PM_OPS(sh_msiof_spi_pm_ops, sh_msiof_spi_suspend,
++ sh_msiof_spi_resume);
++#define DEV_PM_OPS &sh_msiof_spi_pm_ops
++#else
++#define DEV_PM_OPS NULL
++#endif /* CONFIG_PM_SLEEP */
++
+ static struct platform_driver sh_msiof_spi_drv = {
+ .probe = sh_msiof_spi_probe,
+ .remove = sh_msiof_spi_remove,
+ .id_table = spi_driver_ids,
+ .driver = {
+ .name = "spi_sh_msiof",
++ .pm = DEV_PM_OPS,
+ .of_match_table = of_match_ptr(sh_msiof_match),
+ },
+ };
--- /dev/null
+From 7001cab1dabc0b72b2b672ef58a90ab64f5e2343 Mon Sep 17 00:00:00 2001
+From: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Date: Wed, 29 Aug 2018 08:47:57 +0200
+Subject: spi: tegra20-slink: explicitly enable/disable clock
+
+From: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+
+commit 7001cab1dabc0b72b2b672ef58a90ab64f5e2343 upstream.
+
+Depending on the SPI instance one may get an interrupt storm upon
+requesting resp. interrupt unless the clock is explicitly enabled
+beforehand. This has been observed trying to bring up instance 4 on
+T20.
+
+Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-tegra20-slink.c | 31 +++++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+
+--- a/drivers/spi/spi-tegra20-slink.c
++++ b/drivers/spi/spi-tegra20-slink.c
+@@ -1063,6 +1063,24 @@ static int tegra_slink_probe(struct plat
+ goto exit_free_master;
+ }
+
++ /* disabled clock may cause interrupt storm upon request */
++ tspi->clk = devm_clk_get(&pdev->dev, NULL);
++ if (IS_ERR(tspi->clk)) {
++ ret = PTR_ERR(tspi->clk);
++ dev_err(&pdev->dev, "Can not get clock %d\n", ret);
++ goto exit_free_master;
++ }
++ ret = clk_prepare(tspi->clk);
++ if (ret < 0) {
++ dev_err(&pdev->dev, "Clock prepare failed %d\n", ret);
++ goto exit_free_master;
++ }
++ ret = clk_enable(tspi->clk);
++ if (ret < 0) {
++ dev_err(&pdev->dev, "Clock enable failed %d\n", ret);
++ goto exit_free_master;
++ }
++
+ spi_irq = platform_get_irq(pdev, 0);
+ tspi->irq = spi_irq;
+ ret = request_threaded_irq(tspi->irq, tegra_slink_isr,
+@@ -1071,14 +1089,7 @@ static int tegra_slink_probe(struct plat
+ if (ret < 0) {
+ dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n",
+ tspi->irq);
+- goto exit_free_master;
+- }
+-
+- tspi->clk = devm_clk_get(&pdev->dev, NULL);
+- if (IS_ERR(tspi->clk)) {
+- dev_err(&pdev->dev, "can not get clock\n");
+- ret = PTR_ERR(tspi->clk);
+- goto exit_free_irq;
++ goto exit_clk_disable;
+ }
+
+ tspi->rst = devm_reset_control_get_exclusive(&pdev->dev, "spi");
+@@ -1138,6 +1149,8 @@ exit_rx_dma_free:
+ tegra_slink_deinit_dma_param(tspi, true);
+ exit_free_irq:
+ free_irq(spi_irq, tspi);
++exit_clk_disable:
++ clk_disable(tspi->clk);
+ exit_free_master:
+ spi_master_put(master);
+ return ret;
+@@ -1150,6 +1163,8 @@ static int tegra_slink_remove(struct pla
+
+ free_irq(tspi->irq, tspi);
+
++ clk_disable(tspi->clk);
++
+ if (tspi->tx_dma_chan)
+ tegra_slink_deinit_dma_param(tspi, false);
+
--- /dev/null
+From 3216c622a24b0ebb9c159a8d1daf7f17a106b3f5 Mon Sep 17 00:00:00 2001
+From: Stefan Agner <stefan@agner.ch>
+Date: Tue, 28 Aug 2018 12:44:24 +0200
+Subject: tty: serial: lpuart: avoid leaking struct tty_struct
+
+From: Stefan Agner <stefan@agner.ch>
+
+commit 3216c622a24b0ebb9c159a8d1daf7f17a106b3f5 upstream.
+
+The function tty_port_tty_get() gets a reference to the tty. Since
+the code is not using tty_port_tty_set(), the reference is kept
+even after closing the tty.
+
+Avoid using tty_port_tty_get() by directly access the tty instance.
+Since lpuart_start_rx_dma() is called from the .startup() and
+.set_termios() callback, it is safe to assume the tty instance is
+valid.
+
+Cc: stable@vger.kernel.org # v4.9+
+Fixes: 5887ad43ee02 ("tty: serial: fsl_lpuart: Use cyclic DMA for Rx")
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/fsl_lpuart.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -979,7 +979,8 @@ static inline int lpuart_start_rx_dma(st
+ struct circ_buf *ring = &sport->rx_ring;
+ int ret, nent;
+ int bits, baud;
+- struct tty_struct *tty = tty_port_tty_get(&sport->port.state->port);
++ struct tty_port *port = &sport->port.state->port;
++ struct tty_struct *tty = port->tty;
+ struct ktermios *termios = &tty->termios;
+
+ baud = tty_get_baud_rate(tty);
--- /dev/null
+From 16c4cb19fa85c648a803752eb63cac0ef69231c2 Mon Sep 17 00:00:00 2001
+From: Harry Pan <harry.pan@intel.com>
+Date: Fri, 14 Sep 2018 16:58:16 +0800
+Subject: usb: core: safely deal with the dynamic quirk lists
+
+From: Harry Pan <harry.pan@intel.com>
+
+commit 16c4cb19fa85c648a803752eb63cac0ef69231c2 upstream.
+
+Applying dynamic usbcore quirks in early booting when the slab is
+not yet ready would cause kernel panic of null pointer dereference
+because the quirk_count has been counted as 1 while the quirk_list
+was failed to allocate.
+
+i.e.,
+[ 1.044970] BUG: unable to handle kernel NULL pointer dereference at (null)
+[ 1.044995] IP: [<ffffffffb0953ec7>] usb_detect_quirks+0x88/0xd1
+[ 1.045016] PGD 0
+[ 1.045026] Oops: 0000 [#1] PREEMPT SMP
+[ 1.046986] gsmi: Log Shutdown Reason 0x03
+[ 1.046995] Modules linked in:
+[ 1.047008] CPU: 0 PID: 81 Comm: kworker/0:3 Not tainted 4.4.154 #28
+[ 1.047016] Hardware name: Google Coral/Coral, BIOS Google_Coral.10068.27.0 12/04/2017
+[ 1.047028] Workqueue: usb_hub_wq hub_event
+[ 1.047037] task: ffff88017a321c80 task.stack: ffff88017a384000
+[ 1.047044] RIP: 0010:[<ffffffffb0953ec7>] [<ffffffffb0953ec7>] usb_detect_quirks+0x88/0xd1
+
+To tackle this odd, let's balance the quirk_count to 0 when the kcalloc
+call fails, and defer the quirk setting into a lower level callback
+which ensures that the kernel memory management has been initialized.
+
+Fixes: 027bd6cafd9a ("usb: core: Add "quirks" parameter for usbcore")
+Signed-off-by: Harry Pan <harry.pan@intel.com>
+Acked-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -58,6 +58,7 @@ static int quirks_param_set(const char *
+ quirk_list = kcalloc(quirk_count, sizeof(struct quirk_entry),
+ GFP_KERNEL);
+ if (!quirk_list) {
++ quirk_count = 0;
+ mutex_unlock(&quirk_mutex);
+ return -ENOMEM;
+ }
+@@ -154,7 +155,7 @@ static struct kparam_string quirks_param
+ .string = quirks_param,
+ };
+
+-module_param_cb(quirks, &quirks_param_ops, &quirks_param_string, 0644);
++device_param_cb(quirks, &quirks_param_ops, &quirks_param_string, 0644);
+ MODULE_PARM_DESC(quirks, "Add/modify USB quirks by specifying quirks=vendorID:productID:quirks");
+
+ /* Lists of quirky USB devices, split in device quirks and interface quirks.
--- /dev/null
+From bd729f9d67aa9a303d8925bb8c4f06af25f407d1 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 10 Sep 2018 13:59:59 -0400
+Subject: USB: fix error handling in usb_driver_claim_interface()
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit bd729f9d67aa9a303d8925bb8c4f06af25f407d1 upstream.
+
+The syzbot fuzzing project found a use-after-free bug in the USB
+core. The bug was caused by usbfs not unbinding from an interface
+when the USB device file was closed, which led another process to
+attempt the unbind later on, after the private data structure had been
+deallocated.
+
+The reason usbfs did not unbind the interface at the appropriate time
+was because it thought the interface had never been claimed in the
+first place. This was caused by the fact that
+usb_driver_claim_interface() does not clean up properly when
+device_bind_driver() returns an error. Although the error code gets
+passed back to the caller, the iface->dev.driver pointer remains set
+and iface->condition remains equal to USB_INTERFACE_BOUND.
+
+This patch adds proper error handling to usb_driver_claim_interface().
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: syzbot+f84aa7209ccec829536f@syzkaller.appspotmail.com
+CC: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/driver.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/usb/core/driver.c
++++ b/drivers/usb/core/driver.c
+@@ -565,6 +565,21 @@ int usb_driver_claim_interface(struct us
+ if (!lpm_disable_error)
+ usb_unlocked_enable_lpm(udev);
+
++ if (retval) {
++ dev->driver = NULL;
++ usb_set_intfdata(iface, NULL);
++ iface->needs_remote_wakeup = 0;
++ iface->condition = USB_INTERFACE_UNBOUND;
++
++ /*
++ * Unbound interfaces are always runtime-PM-disabled
++ * and runtime-PM-suspended
++ */
++ if (driver->supports_autosuspend)
++ pm_runtime_disable(dev);
++ pm_runtime_set_suspended(dev);
++ }
++
+ return retval;
+ }
+ EXPORT_SYMBOL_GPL(usb_driver_claim_interface);
--- /dev/null
+From c9a4cb204e9eb7fa7dfbe3f7d3a674fa530aa193 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 10 Sep 2018 14:00:53 -0400
+Subject: USB: handle NULL config in usb_find_alt_setting()
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit c9a4cb204e9eb7fa7dfbe3f7d3a674fa530aa193 upstream.
+
+usb_find_alt_setting() takes a pointer to a struct usb_host_config as
+an argument; it searches for an interface with specified interface and
+alternate setting numbers in that config. However, it crashes if the
+usb_host_config pointer argument is NULL.
+
+Since this is a general-purpose routine, available for use in many
+places, we want to to be more robust. This patch makes it return NULL
+whenever the config argument is NULL.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: syzbot+19c3aaef85a89d451eac@syzkaller.appspotmail.com
+CC: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -228,6 +228,8 @@ struct usb_host_interface *usb_find_alt_
+ struct usb_interface_cache *intf_cache = NULL;
+ int i;
+
++ if (!config)
++ return NULL;
+ for (i = 0; i < config->desc.bNumInterfaces; i++) {
+ if (config->intf_cache[i]->altsetting[0].desc.bInterfaceNumber
+ == iface_num) {
--- /dev/null
+From 783f3b4e9ec50491c21746e7e05ec6c39c21f563 Mon Sep 17 00:00:00 2001
+From: Bin Liu <b-liu@ti.com>
+Date: Mon, 17 Sep 2018 11:40:22 -0500
+Subject: usb: musb: dsps: do not disable CPPI41 irq in driver teardown
+
+From: Bin Liu <b-liu@ti.com>
+
+commit 783f3b4e9ec50491c21746e7e05ec6c39c21f563 upstream.
+
+TI AM335x CPPI 4.1 module uses a single register bit for CPPI interrupts
+in both musb controllers. So disabling the CPPI irq in one musb driver
+breaks the other musb module.
+
+Since musb is already disabled before tearing down dma controller in
+musb_remove(), it is safe to not disable CPPI irq in
+musb_dma_controller_destroy().
+
+Fixes: 255348289f71 ("usb: musb: dsps: Manage CPPI 4.1 DMA interrupt in DSPS")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/musb/musb_dsps.c | 12 +-----------
+ 1 file changed, 1 insertion(+), 11 deletions(-)
+
+--- a/drivers/usb/musb/musb_dsps.c
++++ b/drivers/usb/musb/musb_dsps.c
+@@ -658,16 +658,6 @@ dsps_dma_controller_create(struct musb *
+ return controller;
+ }
+
+-static void dsps_dma_controller_destroy(struct dma_controller *c)
+-{
+- struct musb *musb = c->musb;
+- struct dsps_glue *glue = dev_get_drvdata(musb->controller->parent);
+- void __iomem *usbss_base = glue->usbss_base;
+-
+- musb_writel(usbss_base, USBSS_IRQ_CLEARR, USBSS_IRQ_PD_COMP);
+- cppi41_dma_controller_destroy(c);
+-}
+-
+ #ifdef CONFIG_PM_SLEEP
+ static void dsps_dma_controller_suspend(struct dsps_glue *glue)
+ {
+@@ -697,7 +687,7 @@ static struct musb_platform_ops dsps_ops
+
+ #ifdef CONFIG_USB_TI_CPPI41_DMA
+ .dma_init = dsps_dma_controller_create,
+- .dma_exit = dsps_dma_controller_destroy,
++ .dma_exit = cppi41_dma_controller_destroy,
+ #endif
+ .enable = dsps_musb_enable,
+ .disable = dsps_musb_disable,
--- /dev/null
+From 5c54fcac9a9de559b444ac63ec3cd82f1d157a0b Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Wed, 19 Sep 2018 10:58:05 +0300
+Subject: usb: roles: Take care of driver module reference counting
+
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+
+commit 5c54fcac9a9de559b444ac63ec3cd82f1d157a0b upstream.
+
+This fixes potential "BUG: unable to handle kernel paging
+request at ..." from happening.
+
+Cc: <stable@vger.kernel.org>
+Acked-by: Hans de Goede <hdegoede@redhat.com>
+Tested-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/common/roles.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/common/roles.c
++++ b/drivers/usb/common/roles.c
+@@ -109,8 +109,15 @@ static void *usb_role_switch_match(struc
+ */
+ struct usb_role_switch *usb_role_switch_get(struct device *dev)
+ {
+- return device_connection_find_match(dev, "usb-role-switch", NULL,
+- usb_role_switch_match);
++ struct usb_role_switch *sw;
++
++ sw = device_connection_find_match(dev, "usb-role-switch", NULL,
++ usb_role_switch_match);
++
++ if (!IS_ERR_OR_NULL(sw))
++ WARN_ON(!try_module_get(sw->dev.parent->driver->owner));
++
++ return sw;
+ }
+ EXPORT_SYMBOL_GPL(usb_role_switch_get);
+
+@@ -122,8 +129,10 @@ EXPORT_SYMBOL_GPL(usb_role_switch_get);
+ */
+ void usb_role_switch_put(struct usb_role_switch *sw)
+ {
+- if (!IS_ERR_OR_NULL(sw))
++ if (!IS_ERR_OR_NULL(sw)) {
+ put_device(&sw->dev);
++ module_put(sw->dev.parent->driver->owner);
++ }
+ }
+ EXPORT_SYMBOL_GPL(usb_role_switch_put);
+
--- /dev/null
+From 05ab1d8a4b36ee912b7087c6da127439ed0a903e Mon Sep 17 00:00:00 2001
+From: Feng Tang <feng.tang@intel.com>
+Date: Thu, 20 Sep 2018 10:58:28 +0800
+Subject: x86/mm: Expand static page table for fixmap space
+
+From: Feng Tang <feng.tang@intel.com>
+
+commit 05ab1d8a4b36ee912b7087c6da127439ed0a903e upstream.
+
+We met a kernel panic when enabling earlycon, which is due to the fixmap
+address of earlycon is not statically setup.
+
+Currently the static fixmap setup in head_64.S only covers 2M virtual
+address space, while it actually could be in 4M space with different
+kernel configurations, e.g. when VSYSCALL emulation is disabled.
+
+So increase the static space to 4M for now by defining FIXMAP_PMD_NUM to 2,
+and add a build time check to ensure that the fixmap is covered by the
+initial static page tables.
+
+Fixes: 1ad83c858c7d ("x86_64,vsyscall: Make vsyscall emulation configurable")
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Feng Tang <feng.tang@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: kernel test robot <rong.a.chen@intel.com>
+Reviewed-by: Juergen Gross <jgross@suse.com> (Xen parts)
+Cc: H Peter Anvin <hpa@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Yinghai Lu <yinghai@kernel.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Andy Lutomirsky <luto@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180920025828.23699-1-feng.tang@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/fixmap.h | 10 ++++++++++
+ arch/x86/include/asm/pgtable_64.h | 3 ++-
+ arch/x86/kernel/head64.c | 4 +++-
+ arch/x86/kernel/head_64.S | 16 ++++++++++++----
+ arch/x86/mm/pgtable.c | 9 +++++++++
+ arch/x86/xen/mmu_pv.c | 8 ++++++--
+ 6 files changed, 42 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/include/asm/fixmap.h
++++ b/arch/x86/include/asm/fixmap.h
+@@ -14,6 +14,16 @@
+ #ifndef _ASM_X86_FIXMAP_H
+ #define _ASM_X86_FIXMAP_H
+
++/*
++ * Exposed to assembly code for setting up initial page tables. Cannot be
++ * calculated in assembly code (fixmap entries are an enum), but is sanity
++ * checked in the actual fixmap C code to make sure that the fixmap is
++ * covered fully.
++ */
++#define FIXMAP_PMD_NUM 2
++/* fixmap starts downwards from the 507th entry in level2_fixmap_pgt */
++#define FIXMAP_PMD_TOP 507
++
+ #ifndef __ASSEMBLY__
+ #include <linux/kernel.h>
+ #include <asm/acpi.h>
+--- a/arch/x86/include/asm/pgtable_64.h
++++ b/arch/x86/include/asm/pgtable_64.h
+@@ -14,6 +14,7 @@
+ #include <asm/processor.h>
+ #include <linux/bitops.h>
+ #include <linux/threads.h>
++#include <asm/fixmap.h>
+
+ extern p4d_t level4_kernel_pgt[512];
+ extern p4d_t level4_ident_pgt[512];
+@@ -22,7 +23,7 @@ extern pud_t level3_ident_pgt[512];
+ extern pmd_t level2_kernel_pgt[512];
+ extern pmd_t level2_fixmap_pgt[512];
+ extern pmd_t level2_ident_pgt[512];
+-extern pte_t level1_fixmap_pgt[512];
++extern pte_t level1_fixmap_pgt[512 * FIXMAP_PMD_NUM];
+ extern pgd_t init_top_pgt[];
+
+ #define swapper_pg_dir init_top_pgt
+--- a/arch/x86/kernel/head64.c
++++ b/arch/x86/kernel/head64.c
+@@ -35,6 +35,7 @@
+ #include <asm/bootparam_utils.h>
+ #include <asm/microcode.h>
+ #include <asm/kasan.h>
++#include <asm/fixmap.h>
+
+ /*
+ * Manage page tables very early on.
+@@ -165,7 +166,8 @@ unsigned long __head __startup_64(unsign
+ pud[511] += load_delta;
+
+ pmd = fixup_pointer(level2_fixmap_pgt, physaddr);
+- pmd[506] += load_delta;
++ for (i = FIXMAP_PMD_TOP; i > FIXMAP_PMD_TOP - FIXMAP_PMD_NUM; i--)
++ pmd[i] += load_delta;
+
+ /*
+ * Set up the identity mapping for the switchover. These
+--- a/arch/x86/kernel/head_64.S
++++ b/arch/x86/kernel/head_64.S
+@@ -24,6 +24,7 @@
+ #include "../entry/calling.h"
+ #include <asm/export.h>
+ #include <asm/nospec-branch.h>
++#include <asm/fixmap.h>
+
+ #ifdef CONFIG_PARAVIRT
+ #include <asm/asm-offsets.h>
+@@ -445,13 +446,20 @@ NEXT_PAGE(level2_kernel_pgt)
+ KERNEL_IMAGE_SIZE/PMD_SIZE)
+
+ NEXT_PAGE(level2_fixmap_pgt)
+- .fill 506,8,0
+- .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE_NOENC
+- /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
+- .fill 5,8,0
++ .fill (512 - 4 - FIXMAP_PMD_NUM),8,0
++ pgtno = 0
++ .rept (FIXMAP_PMD_NUM)
++ .quad level1_fixmap_pgt + (pgtno << PAGE_SHIFT) - __START_KERNEL_map \
++ + _PAGE_TABLE_NOENC;
++ pgtno = pgtno + 1
++ .endr
++ /* 6 MB reserved space + a 2MB hole */
++ .fill 4,8,0
+
+ NEXT_PAGE(level1_fixmap_pgt)
++ .rept (FIXMAP_PMD_NUM)
+ .fill 512,8,0
++ .endr
+
+ #undef PMDS
+
+--- a/arch/x86/mm/pgtable.c
++++ b/arch/x86/mm/pgtable.c
+@@ -577,6 +577,15 @@ void __native_set_fixmap(enum fixed_addr
+ {
+ unsigned long address = __fix_to_virt(idx);
+
++#ifdef CONFIG_X86_64
++ /*
++ * Ensure that the static initial page tables are covering the
++ * fixmap completely.
++ */
++ BUILD_BUG_ON(__end_of_permanent_fixed_addresses >
++ (FIXMAP_PMD_NUM * PTRS_PER_PTE));
++#endif
++
+ if (idx >= __end_of_fixed_addresses) {
+ BUG();
+ return;
+--- a/arch/x86/xen/mmu_pv.c
++++ b/arch/x86/xen/mmu_pv.c
+@@ -1908,7 +1908,7 @@ void __init xen_setup_kernel_pagetable(p
+ /* L3_k[511] -> level2_fixmap_pgt */
+ convert_pfn_mfn(level3_kernel_pgt);
+
+- /* L3_k[511][506] -> level1_fixmap_pgt */
++ /* L3_k[511][508-FIXMAP_PMD_NUM ... 507] -> level1_fixmap_pgt */
+ convert_pfn_mfn(level2_fixmap_pgt);
+
+ /* We get [511][511] and have Xen's version of level2_kernel_pgt */
+@@ -1953,7 +1953,11 @@ void __init xen_setup_kernel_pagetable(p
+ set_page_prot(level2_ident_pgt, PAGE_KERNEL_RO);
+ set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
+ set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
+- set_page_prot(level1_fixmap_pgt, PAGE_KERNEL_RO);
++
++ for (i = 0; i < FIXMAP_PMD_NUM; i++) {
++ set_page_prot(level1_fixmap_pgt + i * PTRS_PER_PTE,
++ PAGE_KERNEL_RO);
++ }
+
+ /* Pin down new L4 */
+ pin_pagetable_pfn(MMUEXT_PIN_L4_TABLE,
projects / thirdparty / kernel / stable-queue.git / commitdiff
