4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 10 Jul 2018 14:21:03 +0000 (16:21 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 10 Jul 2018 14:21:03 +0000 (16:21 +0200)
added patches:
dm-bufio-avoid-sleeping-while-holding-the-dm_bufio-lock.patch
dm-bufio-don-t-take-the-lock-in-dm_bufio_shrink_count.patch
dm-bufio-drop-the-lock-when-doing-gfp_noio-allocation.patch
hid-debug-check-length-before-copy_to_user.patch
hid-hiddev-fix-potential-spectre-v1.patch
hid-i2c-hid-fix-incomplete-report-noise.patch
media-cx25840-use-subdev-host-data-for-pll-override.patch
mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch
mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch
x86-mce-detect-local-mces-properly.patch
x86-mce-fix-incorrect-machine-check-from-unknown-source-message.patch

12 files changed:
queue-4.4/dm-bufio-avoid-sleeping-while-holding-the-dm_bufio-lock.patch [new file with mode: 0644]
queue-4.4/dm-bufio-don-t-take-the-lock-in-dm_bufio_shrink_count.patch [new file with mode: 0644]
queue-4.4/dm-bufio-drop-the-lock-when-doing-gfp_noio-allocation.patch [new file with mode: 0644]
queue-4.4/hid-debug-check-length-before-copy_to_user.patch [new file with mode: 0644]
queue-4.4/hid-hiddev-fix-potential-spectre-v1.patch [new file with mode: 0644]
queue-4.4/hid-i2c-hid-fix-incomplete-report-noise.patch [new file with mode: 0644]
queue-4.4/media-cx25840-use-subdev-host-data-for-pll-override.patch [new file with mode: 0644]
queue-4.4/mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch [new file with mode: 0644]
queue-4.4/mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/x86-mce-detect-local-mces-properly.patch [new file with mode: 0644]
queue-4.4/x86-mce-fix-incorrect-machine-check-from-unknown-source-message.patch [new file with mode: 0644]

diff --git a/queue-4.4/dm-bufio-avoid-sleeping-while-holding-the-dm_bufio-lock.patch b/queue-4.4/dm-bufio-avoid-sleeping-while-holding-the-dm_bufio-lock.patch
new file mode 100644 (file)
index 0000000..97400c4
--- /dev/null
@@ -0,0 +1,126 @@
+From 9ea61cac0b1ad0c09022f39fd97e9b99a2cfc2dc Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Thu, 17 Nov 2016 11:24:20 -0800
+Subject: dm bufio: avoid sleeping while holding the dm_bufio lock
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit 9ea61cac0b1ad0c09022f39fd97e9b99a2cfc2dc upstream.
+
+We've seen in-field reports showing _lots_ (18 in one case, 41 in
+another) of tasks all sitting there blocked on:
+
+  mutex_lock+0x4c/0x68
+  dm_bufio_shrink_count+0x38/0x78
+  shrink_slab.part.54.constprop.65+0x100/0x464
+  shrink_zone+0xa8/0x198
+
+In the two cases analyzed, we see one task that looks like this:
+
+  Workqueue: kverityd verity_prefetch_io
+
+  __switch_to+0x9c/0xa8
+  __schedule+0x440/0x6d8
+  schedule+0x94/0xb4
+  schedule_timeout+0x204/0x27c
+  schedule_timeout_uninterruptible+0x44/0x50
+  wait_iff_congested+0x9c/0x1f0
+  shrink_inactive_list+0x3a0/0x4cc
+  shrink_lruvec+0x418/0x5cc
+  shrink_zone+0x88/0x198
+  try_to_free_pages+0x51c/0x588
+  __alloc_pages_nodemask+0x648/0xa88
+  __get_free_pages+0x34/0x7c
+  alloc_buffer+0xa4/0x144
+  __bufio_new+0x84/0x278
+  dm_bufio_prefetch+0x9c/0x154
+  verity_prefetch_io+0xe8/0x10c
+  process_one_work+0x240/0x424
+  worker_thread+0x2fc/0x424
+  kthread+0x10c/0x114
+
+...and that looks to be the one holding the mutex.
+
+The problem has been reproduced on fairly easily:
+0. Be running Chrome OS w/ verity enabled on the root filesystem
+1. Pick test patch: http://crosreview.com/412360
+2. Install launchBalloons.sh and balloon.arm from
+     http://crbug.com/468342
+   ...that's just a memory stress test app.
+3. On a 4GB rk3399 machine, run
+     nice ./launchBalloons.sh 4 900 100000
+   ...that tries to eat 4 * 900 MB of memory and keep accessing.
+4. Login to the Chrome web browser and restore many tabs
+
+With that, I've seen printouts like:
+  DOUG: long bufio 90758 ms
+...and stack trace always show's we're in dm_bufio_prefetch().
+
+The problem is that we try to allocate memory with GFP_NOIO while
+we're holding the dm_bufio lock.  Instead we should be using
+GFP_NOWAIT.  Using GFP_NOIO can cause us to sleep while holding the
+lock and that causes the above problems.
+
+The current behavior explained by David Rientjes:
+
+  It will still try reclaim initially because __GFP_WAIT (or
+  __GFP_KSWAPD_RECLAIM) is set by GFP_NOIO.  This is the cause of
+  contention on dm_bufio_lock() that the thread holds.  You want to
+  pass GFP_NOWAIT instead of GFP_NOIO to alloc_buffer() when holding a
+  mutex that can be contended by a concurrent slab shrinker (if
+  count_objects didn't use a trylock, this pattern would trivially
+  deadlock).
+
+This change significantly increases responsiveness of the system while
+in this state.  It makes a real difference because it unblocks kswapd.
+In the bug report analyzed, kswapd was hung:
+
+   kswapd0         D ffffffc000204fd8     0    72      2 0x00000000
+   Call trace:
+   [<ffffffc000204fd8>] __switch_to+0x9c/0xa8
+   [<ffffffc00090b794>] __schedule+0x440/0x6d8
+   [<ffffffc00090bac0>] schedule+0x94/0xb4
+   [<ffffffc00090be44>] schedule_preempt_disabled+0x28/0x44
+   [<ffffffc00090d900>] __mutex_lock_slowpath+0x120/0x1ac
+   [<ffffffc00090d9d8>] mutex_lock+0x4c/0x68
+   [<ffffffc000708e7c>] dm_bufio_shrink_count+0x38/0x78
+   [<ffffffc00030b268>] shrink_slab.part.54.constprop.65+0x100/0x464
+   [<ffffffc00030dbd8>] shrink_zone+0xa8/0x198
+   [<ffffffc00030e578>] balance_pgdat+0x328/0x508
+   [<ffffffc00030eb7c>] kswapd+0x424/0x51c
+   [<ffffffc00023f06c>] kthread+0x10c/0x114
+   [<ffffffc000203dd0>] ret_from_fork+0x10/0x40
+
+By unblocking kswapd memory pressure should be reduced.
+
+Suggested-by: David Rientjes <rientjes@google.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-bufio.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-bufio.c
++++ b/drivers/md/dm-bufio.c
+@@ -818,7 +818,8 @@ static struct dm_buffer *__alloc_buffer_
+        * dm-bufio is resistant to allocation failures (it just keeps
+        * one buffer reserved in cases all the allocations fail).
+        * So set flags to not try too hard:
+-       *      GFP_NOIO: don't recurse into the I/O layer
++       *      GFP_NOWAIT: don't wait; if we need to sleep we'll release our
++       *                  mutex and wait ourselves.
+        *      __GFP_NORETRY: don't retry and rather return failure
+        *      __GFP_NOMEMALLOC: don't use emergency reserves
+        *      __GFP_NOWARN: don't print a warning in case of failure
+@@ -828,7 +829,7 @@ static struct dm_buffer *__alloc_buffer_
+        */
+       while (1) {
+               if (dm_bufio_cache_size_latch != 1) {
+-                      b = alloc_buffer(c, GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
++                      b = alloc_buffer(c, GFP_NOWAIT | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
+                       if (b)
+                               return b;
+               }
diff --git a/queue-4.4/dm-bufio-don-t-take-the-lock-in-dm_bufio_shrink_count.patch b/queue-4.4/dm-bufio-don-t-take-the-lock-in-dm_bufio_shrink_count.patch
new file mode 100644 (file)
index 0000000..de7d779
--- /dev/null
@@ -0,0 +1,48 @@
+From d12067f428c037b4575aaeb2be00847fc214c24a Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 23 Nov 2016 16:52:01 -0500
+Subject: dm bufio: don't take the lock in dm_bufio_shrink_count
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit d12067f428c037b4575aaeb2be00847fc214c24a upstream.
+
+dm_bufio_shrink_count() is called from do_shrink_slab to find out how many
+freeable objects are there. The reported value doesn't have to be precise,
+so we don't need to take the dm-bufio lock.
+
+Suggested-by: David Rientjes <rientjes@google.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-bufio.c |   16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+--- a/drivers/md/dm-bufio.c
++++ b/drivers/md/dm-bufio.c
+@@ -1574,19 +1574,11 @@ dm_bufio_shrink_scan(struct shrinker *sh
+ static unsigned long
+ dm_bufio_shrink_count(struct shrinker *shrink, struct shrink_control *sc)
+ {
+-      struct dm_bufio_client *c;
+-      unsigned long count;
+-      unsigned long retain_target;
++      struct dm_bufio_client *c = container_of(shrink, struct dm_bufio_client, shrinker);
++      unsigned long count = READ_ONCE(c->n_buffers[LIST_CLEAN]) +
++                            READ_ONCE(c->n_buffers[LIST_DIRTY]);
++      unsigned long retain_target = get_retain_buffers(c);
+-      c = container_of(shrink, struct dm_bufio_client, shrinker);
+-      if (sc->gfp_mask & __GFP_FS)
+-              dm_bufio_lock(c);
+-      else if (!dm_bufio_trylock(c))
+-              return 0;
+-
+-      count = c->n_buffers[LIST_CLEAN] + c->n_buffers[LIST_DIRTY];
+-      retain_target = get_retain_buffers(c);
+-      dm_bufio_unlock(c);
+       return (count < retain_target) ? 0 : (count - retain_target);
+ }
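Review bot: The rewritten dm_bufio_shrink_count() reads both list counters and calls `get_retain_buffers(c)` with no lock held, but nothing in the code says that this is deliberate. The two `READ_ONCE()` loads are independent, so a buffer moving between LIST_CLEAN and LIST_DIRTY can be counted twice or missed; the description accepts that, and the function should say so too. I would add above the declarations: `/* Lockless on purpose: the shrinker only needs an estimate, so a slightly stale or torn sum is acceptable. */`. The `sc` parameter is now unused, which is worth a word in the same comment so nobody reintroduces the `gfp_mask` test by reflex.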
diff --git a/queue-4.4/dm-bufio-drop-the-lock-when-doing-gfp_noio-allocation.patch b/queue-4.4/dm-bufio-drop-the-lock-when-doing-gfp_noio-allocation.patch
new file mode 100644 (file)
index 0000000..45fbe17
--- /dev/null
@@ -0,0 +1,51 @@
+From 41c73a49df31151f4ff868f28fe4f129f113fa2c Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 23 Nov 2016 17:04:00 -0500
+Subject: dm bufio: drop the lock when doing GFP_NOIO allocation
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 41c73a49df31151f4ff868f28fe4f129f113fa2c upstream.
+
+If the first allocation attempt using GFP_NOWAIT fails, drop the lock
+and retry using GFP_NOIO allocation (lock is dropped because the
+allocation can take some time).
+
+Note that we won't do GFP_NOIO allocation when we loop for the second
+time, because the lock shouldn't be dropped between __wait_for_free_buffer
+and __get_unclaimed_buffer.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-bufio.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/md/dm-bufio.c
++++ b/drivers/md/dm-bufio.c
+@@ -813,6 +813,7 @@ enum new_flag {
+ static struct dm_buffer *__alloc_buffer_wait_no_callback(struct dm_bufio_client *c, enum new_flag nf)
+ {
+       struct dm_buffer *b;
++      bool tried_noio_alloc = false;
+       /*
+        * dm-bufio is resistant to allocation failures (it just keeps
+@@ -837,6 +838,15 @@ static struct dm_buffer *__alloc_buffer_
+               if (nf == NF_PREFETCH)
+                       return NULL;
++              if (dm_bufio_cache_size_latch != 1 && !tried_noio_alloc) {
++                      dm_bufio_unlock(c);
++                      b = alloc_buffer(c, GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
++                      dm_bufio_lock(c);
++                      if (b)
++                              return b;
++                      tried_noio_alloc = true;
++              }
++
+               if (!list_empty(&c->reserved_buffers)) {
+                       b = list_entry(c->reserved_buffers.next,
+                                      struct dm_buffer, lru_list);
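Review bot: The function comment does not say that __alloc_buffer_wait_no_callback() can now release and re-take the client lock on the non-prefetch path (`dm_bufio_unlock(c)` and `dm_bufio_lock(c)` around the GFP_NOIO attempt). Any caller that looked something up under the lock before calling has to revalidate it afterwards; the callers are outside this hunk, so whether they all already do so cannot be confirmed from here. I would extend the block comment above the loop with `* May drop and re-acquire the dm_bufio lock once; callers must recheck state read before the call.`. The function body continues past the end of the hunk.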
diff --git a/queue-4.4/hid-debug-check-length-before-copy_to_user.patch b/queue-4.4/hid-debug-check-length-before-copy_to_user.patch
new file mode 100644 (file)
index 0000000..79200ad
--- /dev/null
@@ -0,0 +1,53 @@
+From 717adfdaf14704fd3ec7fa2c04520c0723247eac Mon Sep 17 00:00:00 2001
+From: Daniel Rosenberg <drosen@google.com>
+Date: Mon, 2 Jul 2018 16:59:37 -0700
+Subject: HID: debug: check length before copy_to_user()
+
+From: Daniel Rosenberg <drosen@google.com>
+
+commit 717adfdaf14704fd3ec7fa2c04520c0723247eac upstream.
+
+If our length is greater than the size of the buffer, we
+overflow the buffer
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Rosenberg <drosen@google.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-debug.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-debug.c
++++ b/drivers/hid/hid-debug.c
+@@ -1152,6 +1152,8 @@ copy_rest:
+                       goto out;
+               if (list->tail > list->head) {
+                       len = list->tail - list->head;
++                      if (len > count)
++                              len = count;
+                       if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) {
+                               ret = -EFAULT;
+@@ -1161,6 +1163,8 @@ copy_rest:
+                       list->head += len;
+               } else {
+                       len = HID_DEBUG_BUFSIZE - list->head;
++                      if (len > count)
++                              len = count;
+                       if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) {
+                               ret = -EFAULT;
+@@ -1168,7 +1172,9 @@ copy_rest:
+                       }
+                       list->head = 0;
+                       ret += len;
+-                      goto copy_rest;
++                      count -= len;
++                      if (count > 0)
++                              goto copy_rest;
+               }
+       }
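Review bot: In the wrap-around branch `list->head = 0;` still runs after `len` has been clamped to `count`, so when the caller's buffer is smaller than `HID_DEBUG_BUFSIZE - list->head` the bytes between `head + len` and the end of the ring are skipped and never delivered. The clamp does stop the copy from running past the user buffer, but the read position should advance by what was actually copied: `list->head = (list->head + len) % HID_DEBUG_BUFSIZE;`. With that change the existing `count -= len; if (count > 0) goto copy_rest;` still behaves correctly, because a clamped copy leaves `count` at 0. The enclosing read function starts and ends outside these hunks.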
diff --git a/queue-4.4/hid-hiddev-fix-potential-spectre-v1.patch b/queue-4.4/hid-hiddev-fix-potential-spectre-v1.patch
new file mode 100644 (file)
index 0000000..2ebf984
--- /dev/null
@@ -0,0 +1,90 @@
+From 4f65245f2d178b9cba48350620d76faa4a098841 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Fri, 29 Jun 2018 17:08:44 -0500
+Subject: HID: hiddev: fix potential Spectre v1
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 4f65245f2d178b9cba48350620d76faa4a098841 upstream.
+
+uref->field_index, uref->usage_index, finfo.field_index and cinfo.index can be
+indirectly controlled by user-space, hence leading to a potential exploitation
+of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/hid/usbhid/hiddev.c:473 hiddev_ioctl_usage() warn: potential spectre issue 'report->field' (local cap)
+drivers/hid/usbhid/hiddev.c:477 hiddev_ioctl_usage() warn: potential spectre issue 'field->usage' (local cap)
+drivers/hid/usbhid/hiddev.c:757 hiddev_ioctl() warn: potential spectre issue 'report->field' (local cap)
+drivers/hid/usbhid/hiddev.c:801 hiddev_ioctl() warn: potential spectre issue 'hid->collection' (local cap)
+
+Fix this by sanitizing such structure fields before using them to index
+report->field, field->usage and hid->collection
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/usbhid/hiddev.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/hid/usbhid/hiddev.c
++++ b/drivers/hid/usbhid/hiddev.c
+@@ -35,6 +35,7 @@
+ #include <linux/hiddev.h>
+ #include <linux/compat.h>
+ #include <linux/vmalloc.h>
++#include <linux/nospec.h>
+ #include "usbhid.h"
+ #ifdef CONFIG_USB_DYNAMIC_MINORS
+@@ -478,10 +479,14 @@ static noinline int hiddev_ioctl_usage(s
+               if (uref->field_index >= report->maxfield)
+                       goto inval;
++              uref->field_index = array_index_nospec(uref->field_index,
++                                                     report->maxfield);
+               field = report->field[uref->field_index];
+               if (uref->usage_index >= field->maxusage)
+                       goto inval;
++              uref->usage_index = array_index_nospec(uref->usage_index,
++                                                     field->maxusage);
+               uref->usage_code = field->usage[uref->usage_index].hid;
+@@ -508,6 +513,8 @@ static noinline int hiddev_ioctl_usage(s
+                       if (uref->field_index >= report->maxfield)
+                               goto inval;
++                      uref->field_index = array_index_nospec(uref->field_index,
++                                                             report->maxfield);
+                       field = report->field[uref->field_index];
+@@ -761,6 +768,8 @@ static long hiddev_ioctl(struct file *fi
+               if (finfo.field_index >= report->maxfield)
+                       break;
++              finfo.field_index = array_index_nospec(finfo.field_index,
++                                                     report->maxfield);
+               field = report->field[finfo.field_index];
+               memset(&finfo, 0, sizeof(finfo));
+@@ -801,6 +810,8 @@ static long hiddev_ioctl(struct file *fi
+               if (cinfo.index >= hid->maxcollection)
+                       break;
++              cinfo.index = array_index_nospec(cinfo.index,
++                                               hid->maxcollection);
+               cinfo.type = hid->collection[cinfo.index].type;
+               cinfo.usage = hid->collection[cinfo.index].usage;
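Review bot: The third hunk in hiddev_ioctl_usage() (`@@ -508`) clamps only `uref->field_index`, while the first path clamps both `field_index` and `usage_index`. The code after `field = report->field[uref->field_index];` on that path is outside the hunk; if it bounds-checks `uref->usage_index` and then uses it as an array index, the same pattern is needed there, `uref->usage_index = array_index_nospec(uref->usage_index, field->maxusage);`, placed directly after the check. Since this is a backport, it is also worth confirming that `<linux/nospec.h>` already exists in the 4.4 tree this queue applies to, as the include is new in this patch.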
diff --git a/queue-4.4/hid-i2c-hid-fix-incomplete-report-noise.patch b/queue-4.4/hid-i2c-hid-fix-incomplete-report-noise.patch
new file mode 100644 (file)
index 0000000..2ea019b
--- /dev/null
@@ -0,0 +1,46 @@
+From ef6eaf27274c0351f7059163918f3795da13199c Mon Sep 17 00:00:00 2001
+From: Jason Andryuk <jandryuk@gmail.com>
+Date: Fri, 22 Jun 2018 12:25:49 -0400
+Subject: HID: i2c-hid: Fix "incomplete report" noise
+
+From: Jason Andryuk <jandryuk@gmail.com>
+
+commit ef6eaf27274c0351f7059163918f3795da13199c upstream.
+
+Commit ac75a041048b ("HID: i2c-hid: fix size check and type usage") started
+writing messages when the ret_size is <= 2 from i2c_master_recv.  However, my
+device i2c-DLL07D1 returns 2 for a short period of time (~0.5s) after I stop
+moving the pointing stick or touchpad.  It varies, but you get ~50 messages
+each time which spams the log hard.
+
+[  95.925055] i2c_hid i2c-DLL07D1:01: i2c_hid_get_input: incomplete report (83/2)
+
+This has also been observed with a i2c-ALP0017.
+
+[ 1781.266353] i2c_hid i2c-ALP0017:00: i2c_hid_get_input: incomplete report (30/2)
+
+Only print the message when ret_size is totally invalid and less than 2 to cut
+down on the log spam.
+
+Fixes: ac75a041048b ("HID: i2c-hid: fix size check and type usage")
+Reported-by: John Smith <john-s-84@gmx.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/i2c-hid/i2c-hid.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -413,7 +413,7 @@ static void i2c_hid_get_input(struct i2c
+               return;
+       }
+-      if ((ret_size > size) || (ret_size <= 2)) {
++      if ((ret_size > size) || (ret_size < 2)) {
+               dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n",
+                       __func__, size, ret_size);
+               return;
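Review bot: With the test relaxed to `ret_size < 2`, a device-supplied length of exactly 2 now passes this check and continues into code outside the hunk. If that code strips the two-byte length header, it will pass on a zero-length payload, and nothing here says that is intended. I would make the header-only case explicit instead of relying on what follows, for example `if (ret_size == 2) return; /* length header only, no report data */` ahead of the error check. `ret_size` is taken from the device, so each value that is let through should be handled by a visible statement. i2c_hid_get_input() starts and ends outside the hunk.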
diff --git a/queue-4.4/media-cx25840-use-subdev-host-data-for-pll-override.patch b/queue-4.4/media-cx25840-use-subdev-host-data-for-pll-override.patch
new file mode 100644 (file)
index 0000000..a1f5756
--- /dev/null
@@ -0,0 +1,86 @@
+From 3ee9bc12342cf546313d300808ff47d7dbb8e7db Mon Sep 17 00:00:00 2001
+From: Brad Love <brad@nextdimension.cc>
+Date: Tue, 6 Mar 2018 14:15:34 -0500
+Subject: media: cx25840: Use subdev host data for PLL override
+
+From: Brad Love <brad@nextdimension.cc>
+
+commit 3ee9bc12342cf546313d300808ff47d7dbb8e7db upstream.
+
+The cx25840 driver currently configures 885, 887, and 888 using
+default divisors for each chip. This check to see if the cx23885
+driver has passed the cx25840 a non-default clock rate for a
+specific chip. If a cx23885 board has left clk_freq at 0, the
+clock default values will be used to configure the PLLs.
+
+This patch only has effect on 888 boards who set clk_freq to 25M.
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/i2c/cx25840/cx25840-core.c |   28 ++++++++++++++++++++++------
+ 1 file changed, 22 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/i2c/cx25840/cx25840-core.c
++++ b/drivers/media/i2c/cx25840/cx25840-core.c
+@@ -467,8 +467,13 @@ static void cx23885_initialize(struct i2
+ {
+       DEFINE_WAIT(wait);
+       struct cx25840_state *state = to_state(i2c_get_clientdata(client));
++      u32 clk_freq = 0;
+       struct workqueue_struct *q;
++      /* cx23885 sets hostdata to clk_freq pointer */
++      if (v4l2_get_subdev_hostdata(&state->sd))
++              clk_freq = *((u32 *)v4l2_get_subdev_hostdata(&state->sd));
++
+       /*
+        * Come out of digital power down
+        * The CX23888, at least, needs this, otherwise registers aside from
+@@ -504,8 +509,13 @@ static void cx23885_initialize(struct i2
+                * 50.0 MHz * (0xb + 0xe8ba26/0x2000000)/4 = 5 * 28.636363 MHz
+                * 572.73 MHz before post divide
+                */
+-              /* HVR1850 or 50MHz xtal */
+-              cx25840_write(client, 0x2, 0x71);
++              if (clk_freq == 25000000) {
++                      /* 888/ImpactVCBe or 25Mhz xtal */
++                      ; /* nothing to do */
++              } else {
++                      /* HVR1850 or 50MHz xtal */
++                      cx25840_write(client, 0x2, 0x71);
++              }
+               cx25840_write4(client, 0x11c, 0x01d1744c);
+               cx25840_write4(client, 0x118, 0x00000416);
+               cx25840_write4(client, 0x404, 0x0010253e);
+@@ -548,9 +558,15 @@ static void cx23885_initialize(struct i2
+       /* HVR1850 */
+       switch (state->id) {
+       case CX23888_AV:
+-              /* 888/HVR1250 specific */
+-              cx25840_write4(client, 0x10c, 0x13333333);
+-              cx25840_write4(client, 0x108, 0x00000515);
++              if (clk_freq == 25000000) {
++                      /* 888/ImpactVCBe or 25MHz xtal */
++                      cx25840_write4(client, 0x10c, 0x01b6db7b);
++                      cx25840_write4(client, 0x108, 0x00000512);
++              } else {
++                      /* 888/HVR1250 or 50MHz xtal */
++                      cx25840_write4(client, 0x10c, 0x13333333);
++                      cx25840_write4(client, 0x108, 0x00000515);
++              }
+               break;
+       default:
+               cx25840_write4(client, 0x10c, 0x002be2c9);
+@@ -577,7 +593,7 @@ static void cx23885_initialize(struct i2
+                * 368.64 MHz before post divide
+                * 122.88 MHz / 0xa = 12.288 MHz
+                */
+-              /* HVR1850  or 50MHz xtal */
++              /* HVR1850 or 50MHz xtal or 25MHz xtal */
+               cx25840_write4(client, 0x114, 0x017dbf48);
+               cx25840_write4(client, 0x110, 0x000a030e);
+               break;
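Review bot: `v4l2_get_subdev_hostdata()` is called twice and its `void *` result is cast to `u32 *` on the strength of a comment alone. Reading it once into a typed local makes the contract visible: `u32 *host_clk = v4l2_get_subdev_hostdata(&state->sd);` followed by `if (host_clk) clk_freq = *host_clk;`. The dereference is only safe if every bridge driver that reaches cx23885_initialize() stores a pointer to a u32, or nothing, in hostdata. That is set outside this patch, so it should be confirmed for the cx23885 driver in the 4.4 tree. The empty `; /* nothing to do */` branch would also read better inverted, as `if (clk_freq != 25000000)` around the `0x71` write.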
diff --git a/queue-4.4/mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch b/queue-4.4/mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch
new file mode 100644 (file)
index 0000000..13fbef0
--- /dev/null
@@ -0,0 +1,76 @@
+From 7810e6781e0fcbca78b91cf65053f895bf59e85f Mon Sep 17 00:00:00 2001
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Thu, 7 Jun 2018 17:09:29 -0700
+Subject: mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
+
+From: Vlastimil Babka <vbabka@suse.cz>
+
+commit 7810e6781e0fcbca78b91cf65053f895bf59e85f upstream.
+
+In __alloc_pages_slowpath() we reset zonelist and preferred_zoneref for
+allocations that can ignore memory policies.  The zonelist is obtained
+from current CPU's node.  This is a problem for __GFP_THISNODE
+allocations that want to allocate on a different node, e.g.  because the
+allocating thread has been migrated to a different CPU.
+
+This has been observed to break SLAB in our 4.4-based kernel, because
+there it relies on __GFP_THISNODE working as intended.  If a slab page
+is put on wrong node's list, then further list manipulations may corrupt
+the list because page_to_nid() is used to determine which node's
+list_lock should be locked and thus we may take a wrong lock and race.
+
+Current SLAB implementation seems to be immune by luck thanks to commit
+511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on
+arbitrary node") but there may be others assuming that __GFP_THISNODE
+works as promised.
+
+We can fix it by simply removing the zonelist reset completely.  There
+is actually no reason to reset it, because memory policies and cpusets
+don't affect the zonelist choice in the first place.  This was different
+when commit 183f6371aac2 ("mm: ignore mempolicies when using
+ALLOC_NO_WATERMARK") introduced the code, as mempolicies provided their
+own restricted zonelists.
+
+We might consider this for 4.17 although I don't know if there's
+anything currently broken.
+
+SLAB is currently not affected, but in kernels older than 4.7 that don't
+yet have 511e3a058812 ("mm/slab: make cache_grow() handle the page
+allocated on arbitrary node") it is.  That's at least 4.4 LTS.  Older
+ones I'll have to check.
+
+So stable backports should be more important, but will have to be
+reviewed carefully, as the code went through many changes.  BTW I think
+that also the ac->preferred_zoneref reset is currently useless if we
+don't also reset ac->nodemask from a mempolicy to NULL first (which we
+probably should for the OOM victims etc?), but I would leave that for a
+separate patch.
+
+Link: http://lkml.kernel.org/r/20180525130853.13915-1-vbabka@suse.cz
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Fixes: 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK")
+Acked-by: Mel Gorman <mgorman@techsingularity.net>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page_alloc.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -3109,8 +3109,6 @@ retry:
+                * the allocation is high priority and these type of
+                * allocations are system rather than user orientated
+                */
+-              ac->zonelist = node_zonelist(numa_node_id(), gfp_mask);
+-
+               page = __alloc_pages_high_priority(gfp_mask, order, ac);
+               if (page) {
diff --git a/queue-4.4/mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch b/queue-4.4/mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch
new file mode 100644 (file)
index 0000000..990618f
--- /dev/null
@@ -0,0 +1,65 @@
+From 3f77f244d8ec28e3a0a81240ffac7d626390060c Mon Sep 17 00:00:00 2001
+From: Martin Kaiser <martin@kaiser.cx>
+Date: Mon, 18 Jun 2018 22:41:03 +0200
+Subject: mtd: rawnand: mxc: set spare area size register explicitly
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+commit 3f77f244d8ec28e3a0a81240ffac7d626390060c upstream.
+
+The v21 version of the NAND flash controller contains a Spare Area Size
+Register (SPAS) at offset 0x10. Its setting defaults to the maximum
+spare area size of 218 bytes. The size that is set in this register is
+used by the controller when it calculates the ECC bytes internally in
+hardware.
+
+Usually, this register is updated from settings in the IIM fuses when
+the system is booting from NAND flash. For other boot media, however,
+the SPAS register remains at the default setting, which may not work for
+the particular flash chip on the board. The same goes for flash chips
+whose configuration cannot be set in the IIM fuses (e.g. chips with 2k
+sector size and 128 bytes spare area size can't be configured in the IIM
+fuses on imx25 systems).
+
+Set the SPAS register explicitly during the preset operation. Derive the
+register value from mtd->oobsize that was detected during probe by
+decoding the flash chip's ID bytes.
+
+While at it, rename the define for the spare area register's offset to
+NFC_V21_RSLTSPARE_AREA. The register at offset 0x10 on v1 controllers is
+different from the register on v21 controllers.
+
+Fixes: d484018 ("mtd: mxc_nand: set NFC registers after reset")
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Reviewed-by: Sascha Hauer <s.hauer@pengutronix.de>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/mtd/nand/mxc_nand.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/mxc_nand.c
++++ b/drivers/mtd/nand/mxc_nand.c
+@@ -49,7 +49,7 @@
+ #define NFC_V1_V2_CONFIG              (host->regs + 0x0a)
+ #define NFC_V1_V2_ECC_STATUS_RESULT   (host->regs + 0x0c)
+ #define NFC_V1_V2_RSLTMAIN_AREA               (host->regs + 0x0e)
+-#define NFC_V1_V2_RSLTSPARE_AREA      (host->regs + 0x10)
++#define NFC_V21_RSLTSPARE_AREA                (host->regs + 0x10)
+ #define NFC_V1_V2_WRPROT              (host->regs + 0x12)
+ #define NFC_V1_UNLOCKSTART_BLKADDR    (host->regs + 0x14)
+ #define NFC_V1_UNLOCKEND_BLKADDR      (host->regs + 0x16)
+@@ -1034,6 +1034,9 @@ static void preset_v2(struct mtd_info *m
+       writew(config1, NFC_V1_V2_CONFIG1);
+       /* preset operation */
++      /* spare area size in 16-bit half-words */
++      writew(mtd->oobsize / 2, NFC_V21_RSLTSPARE_AREA);
++
+       /* Unlock the internal RAM Buffer */
+       writew(0x2, NFC_V1_V2_CONFIG);
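Review bot: `mtd->oobsize / 2` is written to the spare-area-size register with no check that `oobsize` has been detected yet. If preset_v2() can run before the chip is identified (its callers are outside this hunk), the register is set to 0 rather than left at the 218-byte hardware default mentioned in the description, until preset runs again. I would either skip the write while the size is unknown, `if (mtd->oobsize) writew(mtd->oobsize / 2, NFC_V21_RSLTSPARE_AREA);`, or add a comment stating which later preset call establishes the real value. preset_v2() starts and ends outside the hunk.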
index 8972dc686960f30f67f85786db57eab20775c942..15664bd1ceb7ffb4902872700eaaf5b72e81e533 100644 (file)
@@ -29,3 +29,14 @@ ext4-clear-i_data-in-ext4_inode_info-when-removing-inline-data.patch
 ext4-add-more-inode-number-paranoia-checks.patch
 ext4-add-more-mount-time-checks-of-the-superblock.patch
 ext4-check-superblock-mapped-prior-to-committing.patch
+hid-i2c-hid-fix-incomplete-report-noise.patch
+hid-hiddev-fix-potential-spectre-v1.patch
+hid-debug-check-length-before-copy_to_user.patch
+x86-mce-detect-local-mces-properly.patch
+x86-mce-fix-incorrect-machine-check-from-unknown-source-message.patch
+media-cx25840-use-subdev-host-data-for-pll-override.patch
+mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch
+dm-bufio-avoid-sleeping-while-holding-the-dm_bufio-lock.patch
+dm-bufio-drop-the-lock-when-doing-gfp_noio-allocation.patch
+mtd-rawnand-mxc-set-spare-area-size-register-explicitly.patch
+dm-bufio-don-t-take-the-lock-in-dm_bufio_shrink_count.patch
diff --git a/queue-4.4/x86-mce-detect-local-mces-properly.patch b/queue-4.4/x86-mce-detect-local-mces-properly.patch
new file mode 100644 (file)
index 0000000..f601016
--- /dev/null
@@ -0,0 +1,95 @@
+From fead35c68926682c90c995f22b48f1c8d78865c1 Mon Sep 17 00:00:00 2001
+From: Yazen Ghannam <Yazen.Ghannam@amd.com>
+Date: Sat, 30 Apr 2016 14:33:57 +0200
+Subject: x86/mce: Detect local MCEs properly
+
+From: Yazen Ghannam <Yazen.Ghannam@amd.com>
+
+commit fead35c68926682c90c995f22b48f1c8d78865c1 upstream.
+
+Check the MCG_STATUS_LMCES bit on Intel to verify that current MCE is
+local. It is always local on AMD.
+
+Signed-off-by: Yazen Ghannam <Yazen.Ghannam@amd.com>
+[ Massaged it a bit. Reflowed comments. Shut up -Wmaybe-uninitialized. ]
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/1462019637-16474-8-git-send-email-bp@alien8.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/mcheck/mce.c |   33 ++++++++++++++++++++-------------
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
++++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -980,11 +980,12 @@ void do_machine_check(struct pt_regs *re
+       int i;
+       int worst = 0;
+       int severity;
++
+       /*
+        * Establish sequential order between the CPUs entering the machine
+        * check handler.
+        */
+-      int order;
++      int order = -1;
+       /*
+        * If no_way_out gets set, there is no safe way to recover from this
+        * MCE.  If mca_cfg.tolerant is cranked up, we'll try anyway.
+@@ -1000,7 +1001,12 @@ void do_machine_check(struct pt_regs *re
+       char *msg = "Unknown";
+       u64 recover_paddr = ~0ull;
+       int flags = MF_ACTION_REQUIRED;
+-      int lmce = 0;
++
++      /*
++       * MCEs are always local on AMD. Same is determined by MCG_STATUS_LMCES
++       * on Intel.
++       */
++      int lmce = 1;
+       /* If this CPU is offline, just bail out. */
+       if (cpu_is_offline(smp_processor_id())) {
+@@ -1039,19 +1045,20 @@ void do_machine_check(struct pt_regs *re
+               kill_it = 1;
+       /*
+-       * Check if this MCE is signaled to only this logical processor
++       * Check if this MCE is signaled to only this logical processor,
++       * on Intel only.
+        */
+-      if (m.mcgstatus & MCG_STATUS_LMCES)
+-              lmce = 1;
+-      else {
+-              /*
+-               * Go through all the banks in exclusion of the other CPUs.
+-               * This way we don't report duplicated events on shared banks
+-               * because the first one to see it will clear it.
+-               * If this is a Local MCE, then no need to perform rendezvous.
+-               */
++      if (m.cpuvendor == X86_VENDOR_INTEL)
++              lmce = m.mcgstatus & MCG_STATUS_LMCES;
++
++      /*
++       * Go through all banks in exclusion of the other CPUs. This way we
++       * don't report duplicated events on shared banks because the first one
++       * to see it will clear it. If this is a Local MCE, then no need to
++       * perform rendezvous.
++       */
++      if (!lmce)
+               order = mce_start(&no_way_out);
+-      }
+       for (i = 0; i < cfg->banks; i++) {
+               __clear_bit(i, toclear);
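Review bot: At `lmce = m.mcgstatus & MCG_STATUS_LMCES;` the masked status word is stored directly into `int lmce`, so the flag is only right while the mask bit survives conversion to int (the field is presumably a 64-bit MSR value; its declaration is not in the hunk). Since `lmce` now defaults to 1 and alone decides whether the `mce_start()` rendezvous is skipped, I would normalise it: `lmce = !!(m.mcgstatus & MCG_STATUS_LMCES);`. The commit message says `int order = -1;` exists only to silence -Wmaybe-uninitialized, so a short comment such as `/* only meaningful when !lmce */` would stop a later reader from treating -1 as a real rendezvous order. The uses of `order` and the rest of do_machine_check() lie outside these hunks.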
diff --git a/queue-4.4/x86-mce-fix-incorrect-machine-check-from-unknown-source-message.patch b/queue-4.4/x86-mce-fix-incorrect-machine-check-from-unknown-source-message.patch
new file mode 100644 (file)
index 0000000..613ca04
--- /dev/null
@@ -0,0 +1,100 @@
+From 40c36e2741d7fe1e66d6ec55477ba5fd19c9c5d2 Mon Sep 17 00:00:00 2001
+From: Tony Luck <tony.luck@intel.com>
+Date: Fri, 22 Jun 2018 11:54:23 +0200
+Subject: x86/mce: Fix incorrect "Machine check from unknown source" message
+
+From: Tony Luck <tony.luck@intel.com>
+
+commit 40c36e2741d7fe1e66d6ec55477ba5fd19c9c5d2 upstream.
+
+Some injection testing resulted in the following console log:
+
+  mce: [Hardware Error]: CPU 22: Machine Check Exception: f Bank 1: bd80000000100134
+  mce: [Hardware Error]: RIP 10:<ffffffffc05292dd> {pmem_do_bvec+0x11d/0x330 [nd_pmem]}
+  mce: [Hardware Error]: TSC c51a63035d52 ADDR 3234bc4000 MISC 88
+  mce: [Hardware Error]: PROCESSOR 0:50654 TIME 1526502199 SOCKET 0 APIC 38 microcode 2000043
+  mce: [Hardware Error]: Run the above through 'mcelog --ascii'
+  Kernel panic - not syncing: Machine check from unknown source
+
+This confused everybody because the first line quite clearly shows
+that we found a logged error in "Bank 1", while the last line says
+"unknown source".
+
+The problem is that the Linux code doesn't do the right thing
+for a local machine check that results in a fatal error.
+
+It turns out that we know very early in the handler whether the
+machine check is fatal. The call to mce_no_way_out() has checked
+all the banks for the CPU that took the local machine check. If
+it says we must crash, we can do so right away with the right
+messages.
+
+We do scan all the banks again. This means that we might initially
+not see a problem, but during the second scan find something fatal.
+If this happens we print a slightly different message (so I can
+see if it actually every happens).
+
+[ bp: Remove unneeded severity assignment. ]
+
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ashok Raj <ashok.raj@intel.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: stable@vger.kernel.org # 4.2
+Link: http://lkml.kernel.org/r/52e049a497e86fd0b71c529651def8871c804df0.1527283897.git.tony.luck@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/mcheck/mce.c |   26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
++++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -1052,13 +1052,18 @@ void do_machine_check(struct pt_regs *re
+               lmce = m.mcgstatus & MCG_STATUS_LMCES;
+       /*
++       * Local machine check may already know that we have to panic.
++       * Broadcast machine check begins rendezvous in mce_start()
+        * Go through all banks in exclusion of the other CPUs. This way we
+        * don't report duplicated events on shared banks because the first one
+-       * to see it will clear it. If this is a Local MCE, then no need to
+-       * perform rendezvous.
++       * to see it will clear it.
+        */
+-      if (!lmce)
++      if (lmce) {
++              if (no_way_out)
++                      mce_panic("Fatal local machine check", &m, msg);
++      } else {
+               order = mce_start(&no_way_out);
++      }
+       for (i = 0; i < cfg->banks; i++) {
+               __clear_bit(i, toclear);
+@@ -1135,12 +1140,17 @@ void do_machine_check(struct pt_regs *re
+                       no_way_out = worst >= MCE_PANIC_SEVERITY;
+       } else {
+               /*
+-               * Local MCE skipped calling mce_reign()
+-               * If we found a fatal error, we need to panic here.
++               * If there was a fatal machine check we should have
++               * already called mce_panic earlier in this function.
++               * Since we re-read the banks, we might have found
++               * something new. Check again to see if we found a
++               * fatal error. We call "mce_severity()" again to
++               * make sure we have the right "msg".
+                */
+-               if (worst >= MCE_PANIC_SEVERITY && mca_cfg.tolerant < 3)
+-                      mce_panic("Machine check from unknown source",
+-                              NULL, NULL);
++              if (worst >= MCE_PANIC_SEVERITY && mca_cfg.tolerant < 3) {
++                      mce_severity(&m, cfg->tolerant, &msg, true);
++                      mce_panic("Local fatal machine check!", &m, msg);
++              }
+       }
+       /*
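Review bot: The new early exit `if (no_way_out) mce_panic("Fatal local machine check", &m, msg);` panics regardless of the tolerance setting, while the second panic site in the same patch is still gated on `mca_cfg.tolerant < 3`. If tolerant level 3 is meant to suppress panics on the local path as well, the first check should read `if (no_way_out && mca_cfg.tolerant < 3)`. If the difference is deliberate, a line in the comment above saying so would help. The rewritten block also spells the same setting two ways on adjacent lines (`mca_cfg.tolerant` in the condition, `cfg->tolerant` in the `mce_severity()` call), and using one of them would read better. do_machine_check() begins and ends outside these hunks, so how `no_way_out` and `msg` are populated before the early panic cannot be confirmed from here.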