--- /dev/null
+From 744889b7cbb56a64f957e65ade7cb65fe3f35714 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Fri, 12 Oct 2018 15:53:10 +0800
+Subject: block: don't deal with discard limit in blkdev_issue_discard()
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit 744889b7cbb56a64f957e65ade7cb65fe3f35714 upstream.
+
+blk_queue_split() does respect this limit via bio splitting, so no
+need to do that in blkdev_issue_discard(), then we can align to
+normal bio submit(bio_add_page() & submit_bio()).
+
+More importantly, this patch fixes one issue introduced in a22c4d7e34402cc
+("block: re-add discard_granularity and alignment checks"), in which
+zero discard bio may be generated in case of zero alignment.
+
+Fixes: a22c4d7e34402ccdf3 ("block: re-add discard_granularity and alignment checks")
+Cc: stable@vger.kernel.org
+Cc: Ming Lin <ming.l@ssi.samsung.com>
+Cc: Mike Snitzer <snitzer@redhat.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Xiao Ni <xni@redhat.com>
+Tested-by: Mariusz Dabrowski <mariusz.dabrowski@intel.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-lib.c | 28 ++--------------------------
+ 1 file changed, 2 insertions(+), 26 deletions(-)
+
+--- a/block/blk-lib.c
++++ b/block/blk-lib.c
+@@ -29,9 +29,7 @@ int __blkdev_issue_discard(struct block_
+ {
+ struct request_queue *q = bdev_get_queue(bdev);
+ struct bio *bio = *biop;
+- unsigned int granularity;
+ unsigned int op;
+- int alignment;
+ sector_t bs_mask;
+
+ if (!q)
+@@ -54,38 +52,16 @@ int __blkdev_issue_discard(struct block_
+ if ((sector | nr_sects) & bs_mask)
+ return -EINVAL;
+
+- /* Zero-sector (unknown) and one-sector granularities are the same. */
+- granularity = max(q->limits.discard_granularity >> 9, 1U);
+- alignment = (bdev_discard_alignment(bdev) >> 9) % granularity;
+-
+ while (nr_sects) {
+- unsigned int req_sects;
+- sector_t end_sect, tmp;
++ unsigned int req_sects = nr_sects;
++ sector_t end_sect;
+
+- /*
+- * Issue in chunks of the user defined max discard setting,
+- * ensuring that bi_size doesn't overflow
+- */
+- req_sects = min_t(sector_t, nr_sects,
+- q->limits.max_discard_sectors);
+ if (!req_sects)
+ goto fail;
+ if (req_sects > UINT_MAX >> 9)
+ req_sects = UINT_MAX >> 9;
+
+- /*
+- * If splitting a request, and the next starting sector would be
+- * misaligned, stop the discard at the previous aligned sector.
+- */
+ end_sect = sector + req_sects;
+- tmp = end_sect;
+- if (req_sects < nr_sects &&
+- sector_div(tmp, granularity) != alignment) {
+- end_sect = end_sect - alignment;
+- sector_div(end_sect, granularity);
+- end_sect = end_sect * granularity + alignment;
+- req_sects = end_sect - sector;
+- }
+
+ bio = next_bio(bio, 0, gfp_mask);
+ bio->bi_iter.bi_sector = sector;
--- /dev/null
+From 169b803397499be85bdd1e3d07d6f5e3d4bd669e Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 17 Oct 2018 15:23:26 +0100
+Subject: cachefiles: fix the race between cachefiles_bury_object() and rmdir(2)
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 169b803397499be85bdd1e3d07d6f5e3d4bd669e upstream.
+
+the victim might've been rmdir'ed just before the lock_rename();
+unlike the normal callers, we do not look the source up after the
+parents are locked - we know it beforehand and just recheck that it's
+still the child of what used to be its parent. Unfortunately,
+the check is too weak - we don't spot a dead directory since its
+->d_parent is unchanged, dentry is positive, etc. So we sail all
+the way to ->rename(), with hosting filesystems _not_ expecting
+to be asked renaming an rmdir'ed subdirectory.
+
+The fix is easy, fortunately - the lock on parent is sufficient for
+making IS_DEADDIR() on child safe.
+
+Cc: stable@vger.kernel.org
+Fixes: 9ae326a69004 (CacheFiles: A cache that backs onto a mounted filesystem)
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cachefiles/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cachefiles/namei.c
++++ b/fs/cachefiles/namei.c
+@@ -343,7 +343,7 @@ try_again:
+ trap = lock_rename(cache->graveyard, dir);
+
+ /* do some checks before getting the grave dentry */
+- if (rep->d_parent != dir) {
++ if (rep->d_parent != dir || IS_DEADDIR(d_inode(rep))) {
+ /* the entry was probably culled when we dropped the parent dir
+ * lock */
+ unlock_rename(cache->graveyard, dir);
--- /dev/null
+From f976d0e5747ca65ccd0fb2a4118b193d70aa1836 Mon Sep 17 00:00:00 2001
+From: Tobias Herzog <t-herzog@gmx.de>
+Date: Sat, 22 Sep 2018 22:11:11 +0200
+Subject: cdc-acm: correct counting of UART states in serial state notification
+
+From: Tobias Herzog <t-herzog@gmx.de>
+
+commit f976d0e5747ca65ccd0fb2a4118b193d70aa1836 upstream.
+
+The usb standard ("Universal Serial Bus Class Definitions for Communication
+Devices") distiguishes between "consistent signals" (DSR, DCD), and
+"irregular signals" (break, ring, parity error, framing error, overrun).
+The bits of "irregular signals" are set, if this error/event occurred on
+the device side and are immeadeatly unset, if the serial state notification
+was sent.
+Like other drivers of real serial ports do, just the occurence of those
+events should be counted in serial_icounter_struct (but no 1->0
+transitions).
+
+Signed-off-by: Tobias Herzog <t-herzog@gmx.de>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -309,17 +309,17 @@ static void acm_process_notification(str
+
+ if (difference & ACM_CTRL_DSR)
+ acm->iocount.dsr++;
+- if (difference & ACM_CTRL_BRK)
+- acm->iocount.brk++;
+- if (difference & ACM_CTRL_RI)
+- acm->iocount.rng++;
+ if (difference & ACM_CTRL_DCD)
+ acm->iocount.dcd++;
+- if (difference & ACM_CTRL_FRAMING)
++ if (newctrl & ACM_CTRL_BRK)
++ acm->iocount.brk++;
++ if (newctrl & ACM_CTRL_RI)
++ acm->iocount.rng++;
++ if (newctrl & ACM_CTRL_FRAMING)
+ acm->iocount.frame++;
+- if (difference & ACM_CTRL_PARITY)
++ if (newctrl & ACM_CTRL_PARITY)
+ acm->iocount.parity++;
+- if (difference & ACM_CTRL_OVERRUN)
++ if (newctrl & ACM_CTRL_OVERRUN)
+ acm->iocount.overrun++;
+ spin_unlock(&acm->read_lock);
+
--- /dev/null
+From dae3ddba36f8c337fb59cef07d564da6fc9b7551 Mon Sep 17 00:00:00 2001
+From: Tobias Herzog <t-herzog@gmx.de>
+Date: Sat, 22 Sep 2018 22:11:10 +0200
+Subject: cdc-acm: do not reset notification buffer index upon urb unlinking
+
+From: Tobias Herzog <t-herzog@gmx.de>
+
+commit dae3ddba36f8c337fb59cef07d564da6fc9b7551 upstream.
+
+Resetting the write index of the notification buffer on urb unlink (e.g.
+closing a cdc-acm device from userspace) may lead to wrong interpretation
+of further received notifications, in case the index is not 0 when urb
+unlink happens (i.e. when parts of a notification already have been
+transferred). On the device side there is no "reset" of the notification
+transimission and thus we would get out of sync with the device.
+
+Signed-off-by: Tobias Herzog <t-herzog@gmx.de>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -354,7 +354,6 @@ static void acm_ctrl_irq(struct urb *urb
+ case -ENOENT:
+ case -ESHUTDOWN:
+ /* this urb is terminated, clean up */
+- acm->nb_index = 0;
+ dev_dbg(&acm->control->dev,
+ "%s - urb shutting down with status: %d\n",
+ __func__, status);
--- /dev/null
+From 9397940ed812b942c520e0c25ed4b2c64d57e8b9 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 4 Oct 2018 15:49:06 +0200
+Subject: cdc-acm: fix race between reset and control messaging
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 9397940ed812b942c520e0c25ed4b2c64d57e8b9 upstream.
+
+If a device splits up a control message and a reset() happens
+between the parts, the message is lost and already recieved parts
+must be dropped.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Fixes: 1aba579f3cf51 ("cdc-acm: handle read pipe errors")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1641,6 +1641,7 @@ static int acm_pre_reset(struct usb_inte
+ struct acm *acm = usb_get_intfdata(intf);
+
+ clear_bit(EVENT_RX_STALL, &acm->flags);
++ acm->nb_index = 0; /* pending control transfers are lost */
+
+ return 0;
+ }
--- /dev/null
+From 80a6ec7d5e1653208eb53f6738620dab98f6f50e Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Thu, 6 Sep 2018 21:25:37 +0800
+Subject: clk: sunxi-ng: sun4i: Set VCO and PLL bias current to lowest setting
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+commit 80a6ec7d5e1653208eb53f6738620dab98f6f50e upstream.
+
+The default mid-level PLL bias current setting interferes with sigma
+delta modulation. This manifests as decreased audio quality at lower
+sampling rates, which sounds like radio broadcast quality, and
+distortion noises at sampling rates at 48 kHz or above.
+
+Changing the bias current settings to the lowest gets rid of the
+noise.
+
+Fixes: de3448519194 ("clk: sunxi-ng: sun4i: Use sigma-delta modulation
+ for audio PLL")
+Cc: <stable@vger.kernel.org> # 4.15.x
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/sunxi-ng/ccu-sun4i-a10.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/sunxi-ng/ccu-sun4i-a10.c
++++ b/drivers/clk/sunxi-ng/ccu-sun4i-a10.c
+@@ -1434,8 +1434,16 @@ static void __init sun4i_ccu_init(struct
+ return;
+ }
+
+- /* Force the PLL-Audio-1x divider to 1 */
+ val = readl(reg + SUN4I_PLL_AUDIO_REG);
++
++ /*
++ * Force VCO and PLL bias current to lowest setting. Higher
++ * settings interfere with sigma-delta modulation and result
++ * in audible noise and distortions when using SPDIF or I2S.
++ */
++ val &= ~GENMASK(25, 16);
++
++ /* Force the PLL-Audio-1x divider to 1 */
+ val &= ~GENMASK(29, 26);
+ writel(val | (1 << 26), reg + SUN4I_PLL_AUDIO_REG);
+
--- /dev/null
+From 0711a43b6d84ff9189adfbf83c8bbf56eef794bf Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 2 Oct 2018 23:29:11 +0800
+Subject: drm/edid: Add 6 bpc quirk for BOE panel in HP Pavilion 15-n233sl
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 0711a43b6d84ff9189adfbf83c8bbf56eef794bf upstream.
+
+There's another panel that reports "DFP 1.x compliant TMDS" but it
+supports 6bpc instead of 8 bpc.
+
+Apply 6 bpc quirk for the panel to fix it.
+
+BugLink: https://bugs.launchpad.net/bugs/1794387
+Cc: <stable@vger.kernel.org> # v4.8+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181002152911.4370-1-kai.heng.feng@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_edid.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -113,6 +113,9 @@ static const struct edid_quirk {
+ /* AEO model 0 reports 8 bpc, but is a 6 bpc panel */
+ { "AEO", 0, EDID_QUIRK_FORCE_6BPC },
+
++ /* BOE model on HP Pavilion 15-n233sl reports 8 bpc, but is a 6 bpc panel */
++ { "BOE", 0x78b, EDID_QUIRK_FORCE_6BPC },
++
+ /* CPT panel of Asus UX303LA reports 8 bpc, but is a 6 bpc panel */
+ { "CPT", 0x17df, EDID_QUIRK_FORCE_6BPC },
+
--- /dev/null
+From 9068e02f58740778d8270840657f1e250a2cc60f Mon Sep 17 00:00:00 2001
+From: Clint Taylor <clinton.a.taylor@intel.com>
+Date: Fri, 5 Oct 2018 14:52:15 -0700
+Subject: drm/edid: VSDB yCBCr420 Deep Color mode bit definitions
+
+From: Clint Taylor <clinton.a.taylor@intel.com>
+
+commit 9068e02f58740778d8270840657f1e250a2cc60f upstream.
+
+HDMI Forum VSDB YCBCR420 deep color capability bits are 2:0. Correct
+definitions in the header for the mask to work correctly.
+
+Fixes: e6a9a2c3dc43 ("drm/edid: parse ycbcr 420 deep color information")
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107893
+Cc: <stable@vger.kernel.org> # v4.14+
+Signed-off-by: Clint Taylor <clinton.a.taylor@intel.com>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Reviewed-by: Shashank Sharma <shashank.sharma@intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1538776335-12569-1-git-send-email-clinton.a.taylor@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_edid.c | 2 +-
+ include/drm/drm_edid.h | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -4282,7 +4282,7 @@ static void drm_parse_ycbcr420_deep_colo
+ struct drm_hdmi_info *hdmi = &connector->display_info.hdmi;
+
+ dc_mask = db[7] & DRM_EDID_YCBCR420_DC_MASK;
+- hdmi->y420_dc_modes |= dc_mask;
++ hdmi->y420_dc_modes = dc_mask;
+ }
+
+ static void drm_parse_hdmi_forum_vsdb(struct drm_connector *connector,
+--- a/include/drm/drm_edid.h
++++ b/include/drm/drm_edid.h
+@@ -214,9 +214,9 @@ struct detailed_timing {
+ #define DRM_EDID_HDMI_DC_Y444 (1 << 3)
+
+ /* YCBCR 420 deep color modes */
+-#define DRM_EDID_YCBCR420_DC_48 (1 << 6)
+-#define DRM_EDID_YCBCR420_DC_36 (1 << 5)
+-#define DRM_EDID_YCBCR420_DC_30 (1 << 4)
++#define DRM_EDID_YCBCR420_DC_48 (1 << 2)
++#define DRM_EDID_YCBCR420_DC_36 (1 << 1)
++#define DRM_EDID_YCBCR420_DC_30 (1 << 0)
+ #define DRM_EDID_YCBCR420_DC_MASK (DRM_EDID_YCBCR420_DC_48 | \
+ DRM_EDID_YCBCR420_DC_36 | \
+ DRM_EDID_YCBCR420_DC_30)
--- /dev/null
+From db05c481977599236f12a85e55de9f5ab37b0a2c Mon Sep 17 00:00:00 2001
+From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Date: Wed, 3 Oct 2018 19:45:38 +0300
+Subject: drm: fb-helper: Reject all pixel format changing requests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+
+commit db05c481977599236f12a85e55de9f5ab37b0a2c upstream.
+
+drm fbdev emulation doesn't support changing the pixel format at all,
+so reject all pixel format changing requests.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181003164538.5534-1-Eugeniy.Paltsev@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_fb_helper.c | 91 +++++++++++-----------------------------
+ 1 file changed, 26 insertions(+), 65 deletions(-)
+
+--- a/drivers/gpu/drm/drm_fb_helper.c
++++ b/drivers/gpu/drm/drm_fb_helper.c
+@@ -1561,6 +1561,25 @@ unlock:
+ }
+ EXPORT_SYMBOL(drm_fb_helper_ioctl);
+
++static bool drm_fb_pixel_format_equal(const struct fb_var_screeninfo *var_1,
++ const struct fb_var_screeninfo *var_2)
++{
++ return var_1->bits_per_pixel == var_2->bits_per_pixel &&
++ var_1->grayscale == var_2->grayscale &&
++ var_1->red.offset == var_2->red.offset &&
++ var_1->red.length == var_2->red.length &&
++ var_1->red.msb_right == var_2->red.msb_right &&
++ var_1->green.offset == var_2->green.offset &&
++ var_1->green.length == var_2->green.length &&
++ var_1->green.msb_right == var_2->green.msb_right &&
++ var_1->blue.offset == var_2->blue.offset &&
++ var_1->blue.length == var_2->blue.length &&
++ var_1->blue.msb_right == var_2->blue.msb_right &&
++ var_1->transp.offset == var_2->transp.offset &&
++ var_1->transp.length == var_2->transp.length &&
++ var_1->transp.msb_right == var_2->transp.msb_right;
++}
++
+ /**
+ * drm_fb_helper_check_var - implementation for &fb_ops.fb_check_var
+ * @var: screeninfo to check
+@@ -1571,7 +1590,6 @@ int drm_fb_helper_check_var(struct fb_va
+ {
+ struct drm_fb_helper *fb_helper = info->par;
+ struct drm_framebuffer *fb = fb_helper->fb;
+- int depth;
+
+ if (var->pixclock != 0 || in_dbg_master())
+ return -EINVAL;
+@@ -1591,72 +1609,15 @@ int drm_fb_helper_check_var(struct fb_va
+ return -EINVAL;
+ }
+
+- switch (var->bits_per_pixel) {
+- case 16:
+- depth = (var->green.length == 6) ? 16 : 15;
+- break;
+- case 32:
+- depth = (var->transp.length > 0) ? 32 : 24;
+- break;
+- default:
+- depth = var->bits_per_pixel;
+- break;
+- }
+-
+- switch (depth) {
+- case 8:
+- var->red.offset = 0;
+- var->green.offset = 0;
+- var->blue.offset = 0;
+- var->red.length = 8;
+- var->green.length = 8;
+- var->blue.length = 8;
+- var->transp.length = 0;
+- var->transp.offset = 0;
+- break;
+- case 15:
+- var->red.offset = 10;
+- var->green.offset = 5;
+- var->blue.offset = 0;
+- var->red.length = 5;
+- var->green.length = 5;
+- var->blue.length = 5;
+- var->transp.length = 1;
+- var->transp.offset = 15;
+- break;
+- case 16:
+- var->red.offset = 11;
+- var->green.offset = 5;
+- var->blue.offset = 0;
+- var->red.length = 5;
+- var->green.length = 6;
+- var->blue.length = 5;
+- var->transp.length = 0;
+- var->transp.offset = 0;
+- break;
+- case 24:
+- var->red.offset = 16;
+- var->green.offset = 8;
+- var->blue.offset = 0;
+- var->red.length = 8;
+- var->green.length = 8;
+- var->blue.length = 8;
+- var->transp.length = 0;
+- var->transp.offset = 0;
+- break;
+- case 32:
+- var->red.offset = 16;
+- var->green.offset = 8;
+- var->blue.offset = 0;
+- var->red.length = 8;
+- var->green.length = 8;
+- var->blue.length = 8;
+- var->transp.length = 8;
+- var->transp.offset = 24;
+- break;
+- default:
++ /*
++ * drm fbdev emulation doesn't support changing the pixel format at all,
++ * so reject all pixel format changing requests.
++ */
++ if (!drm_fb_pixel_format_equal(var, &info->var)) {
++ DRM_DEBUG("fbdev emulation doesn't support changing the pixel format\n");
+ return -EINVAL;
+ }
++
+ return 0;
+ }
+ EXPORT_SYMBOL(drm_fb_helper_check_var);
--- /dev/null
+From e84cb605e02f1b3d0aee8d7157419cd8aaa06038 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@bootlin.com>
+Date: Thu, 18 Oct 2018 12:02:50 +0200
+Subject: drm/sun4i: Fix an ulong overflow in the dotclock driver
+
+From: Boris Brezillon <boris.brezillon@bootlin.com>
+
+commit e84cb605e02f1b3d0aee8d7157419cd8aaa06038 upstream.
+
+The calculated ideal rate can easily overflow an unsigned long, thus
+making the best div selection buggy as soon as no ideal match is found
+before the overflow occurs.
+
+Fixes: 4731a72df273 ("drm/sun4i: request exact rates to our parents")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Acked-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181018100250.12565-1-boris.brezillon@bootlin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/sun4i/sun4i_dotclock.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/sun4i/sun4i_dotclock.c
++++ b/drivers/gpu/drm/sun4i/sun4i_dotclock.c
+@@ -81,9 +81,19 @@ static long sun4i_dclk_round_rate(struct
+ int i;
+
+ for (i = tcon->dclk_min_div; i <= tcon->dclk_max_div; i++) {
+- unsigned long ideal = rate * i;
++ u64 ideal = (u64)rate * i;
+ unsigned long rounded;
+
++ /*
++ * ideal has overflowed the max value that can be stored in an
++ * unsigned long, and every clk operation we might do on a
++ * truncated u64 value will give us incorrect results.
++ * Let's just stop there since bigger dividers will result in
++ * the same overflow issue.
++ */
++ if (ideal > ULONG_MAX)
++ goto out;
++
+ rounded = clk_hw_round_rate(clk_hw_get_parent(hw),
+ ideal);
+
--- /dev/null
+From 1ff22883b0b2f7a73eb2609ffe879c9fd96f6328 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 17 Oct 2018 15:23:45 +0100
+Subject: fscache: Fix incomplete initialisation of inline key space
+
+From: David Howells <dhowells@redhat.com>
+
+commit 1ff22883b0b2f7a73eb2609ffe879c9fd96f6328 upstream.
+
+The inline key in struct rxrpc_cookie is insufficiently initialized,
+zeroing only 3 of the 4 slots, therefore an index_key_len between 13 and 15
+bytes will end up hashing uninitialized memory because the memcpy only
+partially fills the last buf[] element.
+
+Fix this by clearing fscache_cookie objects on allocation rather than using
+the slab constructor to initialise them. We're going to pretty much fill
+in the entire struct anyway, so bringing it into our dcache writably
+shouldn't incur much overhead.
+
+This removes the need to do clearance in fscache_set_key() (where we aren't
+doing it correctly anyway).
+
+Also, we don't need to set cookie->key_len in fscache_set_key() as we
+already did it in the only caller, so remove that.
+
+Fixes: ec0328e46d6e ("fscache: Maintain a catalogue of allocated cookies")
+Reported-by: syzbot+a95b989b2dde8e806af8@syzkaller.appspotmail.com
+Reported-by: Eric Sandeen <sandeen@redhat.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fscache/cookie.c | 23 ++++-------------------
+ fs/fscache/internal.h | 1 -
+ fs/fscache/main.c | 4 +---
+ 3 files changed, 5 insertions(+), 23 deletions(-)
+
+--- a/fs/fscache/cookie.c
++++ b/fs/fscache/cookie.c
+@@ -70,19 +70,6 @@ void fscache_free_cookie(struct fscache_
+ }
+
+ /*
+- * initialise an cookie jar slab element prior to any use
+- */
+-void fscache_cookie_init_once(void *_cookie)
+-{
+- struct fscache_cookie *cookie = _cookie;
+-
+- memset(cookie, 0, sizeof(*cookie));
+- spin_lock_init(&cookie->lock);
+- spin_lock_init(&cookie->stores_lock);
+- INIT_HLIST_HEAD(&cookie->backing_objects);
+-}
+-
+-/*
+ * Set the index key in a cookie. The cookie struct has space for a 12-byte
+ * key plus length and hash, but if that's not big enough, it's instead a
+ * pointer to a buffer containing 3 bytes of hash, 1 byte of length and then
+@@ -95,8 +82,6 @@ static int fscache_set_key(struct fscach
+ u32 *buf;
+ int i;
+
+- cookie->key_len = index_key_len;
+-
+ if (index_key_len > sizeof(cookie->inline_key)) {
+ buf = kzalloc(index_key_len, GFP_KERNEL);
+ if (!buf)
+@@ -104,9 +89,6 @@ static int fscache_set_key(struct fscach
+ cookie->key = buf;
+ } else {
+ buf = (u32 *)cookie->inline_key;
+- buf[0] = 0;
+- buf[1] = 0;
+- buf[2] = 0;
+ }
+
+ memcpy(buf, index_key, index_key_len);
+@@ -161,7 +143,7 @@ struct fscache_cookie *fscache_alloc_coo
+ struct fscache_cookie *cookie;
+
+ /* allocate and initialise a cookie */
+- cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
++ cookie = kmem_cache_zalloc(fscache_cookie_jar, GFP_KERNEL);
+ if (!cookie)
+ return NULL;
+
+@@ -192,6 +174,9 @@ struct fscache_cookie *fscache_alloc_coo
+ cookie->netfs_data = netfs_data;
+ cookie->flags = (1 << FSCACHE_COOKIE_NO_DATA_YET);
+ cookie->type = def->type;
++ spin_lock_init(&cookie->lock);
++ spin_lock_init(&cookie->stores_lock);
++ INIT_HLIST_HEAD(&cookie->backing_objects);
+
+ /* radix tree insertion won't use the preallocation pool unless it's
+ * told it may not wait */
+--- a/fs/fscache/internal.h
++++ b/fs/fscache/internal.h
+@@ -51,7 +51,6 @@ extern struct fscache_cache *fscache_sel
+ extern struct kmem_cache *fscache_cookie_jar;
+
+ extern void fscache_free_cookie(struct fscache_cookie *);
+-extern void fscache_cookie_init_once(void *);
+ extern struct fscache_cookie *fscache_alloc_cookie(struct fscache_cookie *,
+ const struct fscache_cookie_def *,
+ const void *, size_t,
+--- a/fs/fscache/main.c
++++ b/fs/fscache/main.c
+@@ -143,9 +143,7 @@ static int __init fscache_init(void)
+
+ fscache_cookie_jar = kmem_cache_create("fscache_cookie_jar",
+ sizeof(struct fscache_cookie),
+- 0,
+- 0,
+- fscache_cookie_init_once);
++ 0, 0, NULL);
+ if (!fscache_cookie_jar) {
+ pr_notice("Failed to allocate a cookie jar\n");
+ ret = -ENOMEM;
--- /dev/null
+From fa520c47eaa15b9baa8ad66ac18da4a31679693b Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Wed, 17 Oct 2018 15:23:59 +0100
+Subject: fscache: Fix out of bound read in long cookie keys
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+commit fa520c47eaa15b9baa8ad66ac18da4a31679693b upstream.
+
+fscache_set_key() can incur an out-of-bounds read, reported by KASAN:
+
+ BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x5b3/0x680 [fscache]
+ Read of size 4 at addr ffff88084ff056d4 by task mount.nfs/32615
+
+and also reported by syzbot at https://lkml.org/lkml/2018/7/8/236
+
+ BUG: KASAN: slab-out-of-bounds in fscache_set_key fs/fscache/cookie.c:120 [inline]
+ BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x7a9/0x880 fs/fscache/cookie.c:171
+ Read of size 4 at addr ffff8801d3cc8bb4 by task syz-executor907/4466
+
+This happens for any index_key_len which is not divisible by 4 and is
+larger than the size of the inline key, because the code allocates exactly
+index_key_len for the key buffer, but the hashing loop is stepping through
+it 4 bytes (u32) at a time in the buf[] array.
+
+Fix this by calculating how many u32 buffers we'll need by using
+DIV_ROUND_UP, and then using kcalloc() to allocate a precleared allocation
+buffer to hold the index_key, then using that same count as the hashing
+index limit.
+
+Fixes: ec0328e46d6e ("fscache: Maintain a catalogue of allocated cookies")
+Reported-by: syzbot+a95b989b2dde8e806af8@syzkaller.appspotmail.com
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fscache/cookie.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/fs/fscache/cookie.c
++++ b/fs/fscache/cookie.c
+@@ -70,7 +70,7 @@ void fscache_free_cookie(struct fscache_
+ }
+
+ /*
+- * Set the index key in a cookie. The cookie struct has space for a 12-byte
++ * Set the index key in a cookie. The cookie struct has space for a 16-byte
+ * key plus length and hash, but if that's not big enough, it's instead a
+ * pointer to a buffer containing 3 bytes of hash, 1 byte of length and then
+ * the key data.
+@@ -80,10 +80,13 @@ static int fscache_set_key(struct fscach
+ {
+ unsigned long long h;
+ u32 *buf;
++ int bufs;
+ int i;
+
++ bufs = DIV_ROUND_UP(index_key_len, sizeof(*buf));
++
+ if (index_key_len > sizeof(cookie->inline_key)) {
+- buf = kzalloc(index_key_len, GFP_KERNEL);
++ buf = kcalloc(bufs, sizeof(*buf), GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+ cookie->key = buf;
+@@ -98,7 +101,8 @@ static int fscache_set_key(struct fscach
+ */
+ h = (unsigned long)cookie->parent;
+ h += index_key_len + cookie->type;
+- for (i = 0; i < (index_key_len + sizeof(u32) - 1) / sizeof(u32); i++)
++
++ for (i = 0; i < bufs; i++)
+ h += buf[i];
+
+ cookie->key_hash = h ^ (h >> 32);
--- /dev/null
+From 0295e39595e1146522f2722715dba7f7fba42217 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 16 Oct 2018 16:32:40 +0200
+Subject: IB/ucm: Fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 0295e39595e1146522f2722715dba7f7fba42217 upstream.
+
+hdr.cmd can be indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/infiniband/core/ucm.c:1127 ib_ucm_write() warn: potential
+spectre issue 'ucm_cmd_table' [r] (local cap)
+
+Fix this by sanitizing hdr.cmd before using it to index
+ucm_cmd_table.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/ucm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/ucm.c
++++ b/drivers/infiniband/core/ucm.c
+@@ -46,6 +46,8 @@
+ #include <linux/mutex.h>
+ #include <linux/slab.h>
+
++#include <linux/nospec.h>
++
+ #include <linux/uaccess.h>
+
+ #include <rdma/ib.h>
+@@ -1123,6 +1125,7 @@ static ssize_t ib_ucm_write(struct file
+
+ if (hdr.cmd >= ARRAY_SIZE(ucm_cmd_table))
+ return -EINVAL;
++ hdr.cmd = array_index_nospec(hdr.cmd, ARRAY_SIZE(ucm_cmd_table));
+
+ if (hdr.in + sizeof(hdr) > len)
+ return -EINVAL;
--- /dev/null
+From 13c1c5e4d7f887cba36c5e3df3faa22071c1469f Mon Sep 17 00:00:00 2001
+From: Mikhail Nikiforov <jackxviichaos@gmail.com>
+Date: Mon, 15 Oct 2018 11:17:56 -0700
+Subject: Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15IGM
+
+From: Mikhail Nikiforov <jackxviichaos@gmail.com>
+
+commit 13c1c5e4d7f887cba36c5e3df3faa22071c1469f upstream.
+
+Add ELAN061C to the ACPI table to support Elan touchpad found in Lenovo
+IdeaPad 330-15IGM.
+
+Signed-off-by: Mikhail Nikiforov <jackxviichaos@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1346,6 +1346,7 @@ static const struct acpi_device_id elan_
+ { "ELAN0611", 0 },
+ { "ELAN0612", 0 },
+ { "ELAN0618", 0 },
++ { "ELAN061C", 0 },
+ { "ELAN061D", 0 },
+ { "ELAN0622", 0 },
+ { "ELAN1000", 0 },
--- /dev/null
+From efa61c8cf2950ab5c0e66cff3cabe2a2b24e81ba Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 16 Oct 2018 15:06:41 +0200
+Subject: ptp: fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit efa61c8cf2950ab5c0e66cff3cabe2a2b24e81ba upstream.
+
+pin_index can be indirectly controlled by user-space, hence leading
+to a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/ptp/ptp_chardev.c:253 ptp_ioctl() warn: potential spectre issue
+'ops->pin_config' [r] (local cap)
+
+Fix this by sanitizing pin_index before using it to index
+ops->pin_config, and before passing it as an argument to
+function ptp_set_pinfunc(), in which it is used to index
+info->pin_config.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ptp/ptp_chardev.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/ptp/ptp_chardev.c
++++ b/drivers/ptp/ptp_chardev.c
+@@ -24,6 +24,8 @@
+ #include <linux/slab.h>
+ #include <linux/timekeeping.h>
+
++#include <linux/nospec.h>
++
+ #include "ptp_private.h"
+
+ static int ptp_disable_pinfunc(struct ptp_clock_info *ops,
+@@ -248,6 +250,7 @@ long ptp_ioctl(struct posix_clock *pc, u
+ err = -EINVAL;
+ break;
+ }
++ pin_index = array_index_nospec(pin_index, ops->n_pins);
+ if (mutex_lock_interruptible(&ptp->pincfg_mux))
+ return -ERESTARTSYS;
+ pd = ops->pin_config[pin_index];
+@@ -266,6 +269,7 @@ long ptp_ioctl(struct posix_clock *pc, u
+ err = -EINVAL;
+ break;
+ }
++ pin_index = array_index_nospec(pin_index, ops->n_pins);
+ if (mutex_lock_interruptible(&ptp->pincfg_mux))
+ return -ERESTARTSYS;
+ err = ptp_set_pinfunc(ptp, pin_index, pd.func, pd.chan);
--- /dev/null
+From a3671a4f973ee9d9621d60166cc3b037c397d604 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 16 Oct 2018 16:59:01 +0200
+Subject: RDMA/ucma: Fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit a3671a4f973ee9d9621d60166cc3b037c397d604 upstream.
+
+hdr.cmd can be indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/infiniband/core/ucma.c:1686 ucma_write() warn: potential
+spectre issue 'ucma_cmd_table' [r] (local cap)
+
+Fix this by sanitizing hdr.cmd before using it to index
+ucm_cmd_table.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/ucma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -44,6 +44,8 @@
+ #include <linux/module.h>
+ #include <linux/nsproxy.h>
+
++#include <linux/nospec.h>
++
+ #include <rdma/rdma_user_cm.h>
+ #include <rdma/ib_marshall.h>
+ #include <rdma/rdma_cm.h>
+@@ -1676,6 +1678,7 @@ static ssize_t ucma_write(struct file *f
+
+ if (hdr.cmd >= ARRAY_SIZE(ucma_cmd_table))
+ return -EINVAL;
++ hdr.cmd = array_index_nospec(hdr.cmd, ARRAY_SIZE(ucma_cmd_table));
+
+ if (hdr.in + sizeof(hdr) > len)
+ return -EINVAL;
--- /dev/null
+From baa9be4ffb55876923dc9716abc0a448e510ba30 Mon Sep 17 00:00:00 2001
+From: Phil Auld <pauld@redhat.com>
+Date: Mon, 8 Oct 2018 10:36:40 -0400
+Subject: sched/fair: Fix throttle_list starvation with low CFS quota
+
+From: Phil Auld <pauld@redhat.com>
+
+commit baa9be4ffb55876923dc9716abc0a448e510ba30 upstream.
+
+With a very low cpu.cfs_quota_us setting, such as the minimum of 1000,
+distribute_cfs_runtime may not empty the throttled_list before it runs
+out of runtime to distribute. In that case, due to the change from
+c06f04c7048 to put throttled entries at the head of the list, later entries
+on the list will starve. Essentially, the same X processes will get pulled
+off the list, given CPU time and then, when expired, get put back on the
+head of the list where distribute_cfs_runtime will give runtime to the same
+set of processes leaving the rest.
+
+Fix the issue by setting a bit in struct cfs_bandwidth when
+distribute_cfs_runtime is running, so that the code in throttle_cfs_rq can
+decide to put the throttled entry on the tail or the head of the list. The
+bit is set/cleared by the callers of distribute_cfs_runtime while they hold
+cfs_bandwidth->lock.
+
+This is easy to reproduce with a handful of CPU consumers. I use 'crash' on
+the live system. In some cases you can simply look at the throttled list and
+see the later entries are not changing:
+
+ crash> list cfs_rq.throttled_list -H 0xffff90b54f6ade40 -s cfs_rq.runtime_remaining | paste - - | awk '{print $1" "$4}' | pr -t -n3
+ 1 ffff90b56cb2d200 -976050
+ 2 ffff90b56cb2cc00 -484925
+ 3 ffff90b56cb2bc00 -658814
+ 4 ffff90b56cb2ba00 -275365
+ 5 ffff90b166a45600 -135138
+ 6 ffff90b56cb2da00 -282505
+ 7 ffff90b56cb2e000 -148065
+ 8 ffff90b56cb2fa00 -872591
+ 9 ffff90b56cb2c000 -84687
+ 10 ffff90b56cb2f000 -87237
+ 11 ffff90b166a40a00 -164582
+
+ crash> list cfs_rq.throttled_list -H 0xffff90b54f6ade40 -s cfs_rq.runtime_remaining | paste - - | awk '{print $1" "$4}' | pr -t -n3
+ 1 ffff90b56cb2d200 -994147
+ 2 ffff90b56cb2cc00 -306051
+ 3 ffff90b56cb2bc00 -961321
+ 4 ffff90b56cb2ba00 -24490
+ 5 ffff90b166a45600 -135138
+ 6 ffff90b56cb2da00 -282505
+ 7 ffff90b56cb2e000 -148065
+ 8 ffff90b56cb2fa00 -872591
+ 9 ffff90b56cb2c000 -84687
+ 10 ffff90b56cb2f000 -87237
+ 11 ffff90b166a40a00 -164582
+
+Sometimes it is easier to see by finding a process getting starved and looking
+at the sched_info:
+
+ crash> task ffff8eb765994500 sched_info
+ PID: 7800 TASK: ffff8eb765994500 CPU: 16 COMMAND: "cputest"
+ sched_info = {
+ pcount = 8,
+ run_delay = 697094208,
+ last_arrival = 240260125039,
+ last_queued = 240260327513
+ },
+ crash> task ffff8eb765994500 sched_info
+ PID: 7800 TASK: ffff8eb765994500 CPU: 16 COMMAND: "cputest"
+ sched_info = {
+ pcount = 8,
+ run_delay = 697094208,
+ last_arrival = 240260125039,
+ last_queued = 240260327513
+ },
+
+Signed-off-by: Phil Auld <pauld@redhat.com>
+Reviewed-by: Ben Segall <bsegall@google.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Fixes: c06f04c70489 ("sched: Fix potential near-infinite distribute_cfs_runtime() loop")
+Link: http://lkml.kernel.org/r/20181008143639.GA4019@pauld.bos.csb
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/fair.c | 22 +++++++++++++++++++---
+ kernel/sched/sched.h | 2 ++
+ 2 files changed, 21 insertions(+), 3 deletions(-)
+
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -4797,9 +4797,13 @@ static void throttle_cfs_rq(struct cfs_r
+
+ /*
+ * Add to the _head_ of the list, so that an already-started
+- * distribute_cfs_runtime will not see us
++ * distribute_cfs_runtime will not see us. If disribute_cfs_runtime is
++ * not running add to the tail so that later runqueues don't get starved.
+ */
+- list_add_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq);
++ if (cfs_b->distribute_running)
++ list_add_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq);
++ else
++ list_add_tail_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq);
+
+ /*
+ * If we're the first throttled task, make sure the bandwidth
+@@ -4943,14 +4947,16 @@ static int do_sched_cfs_period_timer(str
+ * in us over-using our runtime if it is all used during this loop, but
+ * only by limited amounts in that extreme case.
+ */
+- while (throttled && cfs_b->runtime > 0) {
++ while (throttled && cfs_b->runtime > 0 && !cfs_b->distribute_running) {
+ runtime = cfs_b->runtime;
++ cfs_b->distribute_running = 1;
+ raw_spin_unlock(&cfs_b->lock);
+ /* we can't nest cfs_b->lock while distributing bandwidth */
+ runtime = distribute_cfs_runtime(cfs_b, runtime,
+ runtime_expires);
+ raw_spin_lock(&cfs_b->lock);
+
++ cfs_b->distribute_running = 0;
+ throttled = !list_empty(&cfs_b->throttled_cfs_rq);
+
+ cfs_b->runtime -= min(runtime, cfs_b->runtime);
+@@ -5061,6 +5067,11 @@ static void do_sched_cfs_slack_timer(str
+
+ /* confirm we're still not at a refresh boundary */
+ raw_spin_lock(&cfs_b->lock);
++ if (cfs_b->distribute_running) {
++ raw_spin_unlock(&cfs_b->lock);
++ return;
++ }
++
+ if (runtime_refresh_within(cfs_b, min_bandwidth_expiration)) {
+ raw_spin_unlock(&cfs_b->lock);
+ return;
+@@ -5070,6 +5081,9 @@ static void do_sched_cfs_slack_timer(str
+ runtime = cfs_b->runtime;
+
+ expires = cfs_b->runtime_expires;
++ if (runtime)
++ cfs_b->distribute_running = 1;
++
+ raw_spin_unlock(&cfs_b->lock);
+
+ if (!runtime)
+@@ -5080,6 +5094,7 @@ static void do_sched_cfs_slack_timer(str
+ raw_spin_lock(&cfs_b->lock);
+ if (expires == cfs_b->runtime_expires)
+ cfs_b->runtime -= min(runtime, cfs_b->runtime);
++ cfs_b->distribute_running = 0;
+ raw_spin_unlock(&cfs_b->lock);
+ }
+
+@@ -5188,6 +5203,7 @@ void init_cfs_bandwidth(struct cfs_bandw
+ cfs_b->period_timer.function = sched_cfs_period_timer;
+ hrtimer_init(&cfs_b->slack_timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
+ cfs_b->slack_timer.function = sched_cfs_slack_timer;
++ cfs_b->distribute_running = 0;
+ }
+
+ static void init_cfs_rq_runtime(struct cfs_rq *cfs_rq)
+--- a/kernel/sched/sched.h
++++ b/kernel/sched/sched.h
+@@ -346,6 +346,8 @@ struct cfs_bandwidth {
+ int nr_periods;
+ int nr_throttled;
+ u64 throttled_time;
++
++ bool distribute_running;
+ #endif
+ };
+
vfs-swap-names-of-do-vfs-_clone_file_range.patch
bpf-fix-partial-copy-of-map_ptr-when-dst-is-scalar.patch
gpio-mxs-get-rid-of-external-api-call.patch
+clk-sunxi-ng-sun4i-set-vco-and-pll-bias-current-to-lowest-setting.patch
+fscache-fix-incomplete-initialisation-of-inline-key-space.patch
+cachefiles-fix-the-race-between-cachefiles_bury_object-and-rmdir-2.patch
+fscache-fix-out-of-bound-read-in-long-cookie-keys.patch
+ptp-fix-spectre-v1-vulnerability.patch
+drm-edid-add-6-bpc-quirk-for-boe-panel-in-hp-pavilion-15-n233sl.patch
+drm-edid-vsdb-ycbcr420-deep-color-mode-bit-definitions.patch
+drm-fb-helper-reject-all-pixel-format-changing-requests.patch
+rdma-ucma-fix-spectre-v1-vulnerability.patch
+ib-ucm-fix-spectre-v1-vulnerability.patch
+cdc-acm-do-not-reset-notification-buffer-index-upon-urb-unlinking.patch
+cdc-acm-correct-counting-of-uart-states-in-serial-state-notification.patch
+cdc-acm-fix-race-between-reset-and-control-messaging.patch
+usb-usbip-fix-bug-kasan-slab-out-of-bounds-in-vhci_hub_control.patch
+usb-gadget-storage-fix-spectre-v1-vulnerability.patch
+usb-roles-intel_xhci-fix-unbalanced-pm_runtime_enable.patch
+usb-xhci-pci-enable-intel-usb-role-mux-on-apollo-lake-platforms.patch
+usb-fix-the-usbfs-flag-sanitization-for-control-transfers.patch
+block-don-t-deal-with-discard-limit-in-blkdev_issue_discard.patch
+tracing-fix-synthetic-event-to-accept-unsigned-modifier.patch
+tracing-fix-synthetic-event-to-allow-semicolon-at-end.patch
+input-elan_i2c-add-acpi-id-for-lenovo-ideapad-330-15igm.patch
+drm-sun4i-fix-an-ulong-overflow-in-the-dotclock-driver.patch
+sched-fair-fix-throttle_list-starvation-with-low-cfs-quota.patch
+x86-tsc-force-inlining-of-cyc2ns-bits.patch
+x86-hibernate-fix-nosave_regions-setup-for-hibernation.patch
+x86-percpu-fix-this_cpu_read.patch
+x86-time-correct-the-attribute-on-jiffies-definition.patch
+x86-swiotlb-enable-swiotlb-for-4gig-ram-on-32-bit-kernels.patch
+x86-fpu-fix-i486-no387-boot-crash-by-only-saving-fpu-registers-on-context-switch-if-there-is-an-fpu.patch
--- /dev/null
+From 282447ba6b00c64678ffdf964f44e5c8b1c68377 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Thu, 18 Oct 2018 22:12:05 +0900
+Subject: tracing: Fix synthetic event to accept unsigned modifier
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 282447ba6b00c64678ffdf964f44e5c8b1c68377 upstream.
+
+Fix synthetic event to accept unsigned modifier for its field type
+correctly.
+
+Currently, synthetic_events interface returns error for "unsigned"
+modifiers as below;
+
+ # echo "myevent unsigned long var" >> synthetic_events
+ sh: write error: Invalid argument
+
+This is because argv_split() breaks "unsigned long" into "unsigned"
+and "long", but parse_synth_field() doesn't expected it.
+
+With this fix, synthetic_events can handle the "unsigned long"
+correctly like as below;
+
+ # echo "myevent unsigned long var" >> synthetic_events
+ # cat synthetic_events
+ myevent unsigned long var
+
+Link: http://lkml.kernel.org/r/153986832571.18251.8448135724590496531.stgit@devbox
+
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Tom Zanussi <tom.zanussi@linux.intel.com>
+Cc: stable@vger.kernel.org
+Fixes: commit 4b147936fa50 ("tracing: Add support for 'synthetic' events")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_hist.c | 30 ++++++++++++++++++++++++------
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -747,16 +747,30 @@ static void free_synth_field(struct synt
+ kfree(field);
+ }
+
+-static struct synth_field *parse_synth_field(char *field_type,
+- char *field_name)
++static struct synth_field *parse_synth_field(int argc, char **argv,
++ int *consumed)
+ {
+ struct synth_field *field;
++ const char *prefix = NULL;
++ char *field_type = argv[0], *field_name;
+ int len, ret = 0;
+ char *array;
+
+ if (field_type[0] == ';')
+ field_type++;
+
++ if (!strcmp(field_type, "unsigned")) {
++ if (argc < 3)
++ return ERR_PTR(-EINVAL);
++ prefix = "unsigned ";
++ field_type = argv[1];
++ field_name = argv[2];
++ *consumed = 3;
++ } else {
++ field_name = argv[1];
++ *consumed = 2;
++ }
++
+ len = strlen(field_name);
+ if (field_name[len - 1] == ';')
+ field_name[len - 1] = '\0';
+@@ -769,11 +783,15 @@ static struct synth_field *parse_synth_f
+ array = strchr(field_name, '[');
+ if (array)
+ len += strlen(array);
++ if (prefix)
++ len += strlen(prefix);
+ field->type = kzalloc(len, GFP_KERNEL);
+ if (!field->type) {
+ ret = -ENOMEM;
+ goto free;
+ }
++ if (prefix)
++ strcat(field->type, prefix);
+ strcat(field->type, field_type);
+ if (array) {
+ strcat(field->type, array);
+@@ -1018,7 +1036,7 @@ static int create_synth_event(int argc,
+ struct synth_field *field, *fields[SYNTH_FIELDS_MAX];
+ struct synth_event *event = NULL;
+ bool delete_event = false;
+- int i, n_fields = 0, ret = 0;
++ int i, consumed = 0, n_fields = 0, ret = 0;
+ char *name;
+
+ mutex_lock(&synth_event_mutex);
+@@ -1070,13 +1088,13 @@ static int create_synth_event(int argc,
+ goto err;
+ }
+
+- field = parse_synth_field(argv[i], argv[i + 1]);
++ field = parse_synth_field(argc - i, &argv[i], &consumed);
+ if (IS_ERR(field)) {
+ ret = PTR_ERR(field);
+ goto err;
+ }
+- fields[n_fields] = field;
+- i++; n_fields++;
++ fields[n_fields++] = field;
++ i += consumed - 1;
+ }
+
+ if (i < argc) {
--- /dev/null
+From a360d9e4016c1fcf41553b37ad496870dc5723d0 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Thu, 18 Oct 2018 22:12:34 +0900
+Subject: tracing: Fix synthetic event to allow semicolon at end
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit a360d9e4016c1fcf41553b37ad496870dc5723d0 upstream.
+
+Fix synthetic event to allow independent semicolon at end.
+
+The synthetic_events interface accepts a semicolon after the
+last word if there is no space.
+
+ # echo "myevent u64 var;" >> synthetic_events
+
+But if there is a space, it returns an error.
+
+ # echo "myevent u64 var ;" > synthetic_events
+ sh: write error: Invalid argument
+
+This behavior is difficult for users to understand. Let's
+allow the last independent semicolon too.
+
+Link: http://lkml.kernel.org/r/153986835420.18251.2191216690677025744.stgit@devbox
+
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Tom Zanussi <tom.zanussi@linux.intel.com>
+Cc: stable@vger.kernel.org
+Fixes: commit 4b147936fa50 ("tracing: Add support for 'synthetic' events")
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_hist.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -1097,7 +1097,7 @@ static int create_synth_event(int argc,
+ i += consumed - 1;
+ }
+
+- if (i < argc) {
++ if (i < argc && strcmp(argv[i], ";") != 0) {
+ ret = -EINVAL;
+ goto err;
+ }
--- /dev/null
+From 665c365a77fbfeabe52694aedf3446d5f2f1ce42 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 15 Oct 2018 16:55:04 -0400
+Subject: USB: fix the usbfs flag sanitization for control transfers
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 665c365a77fbfeabe52694aedf3446d5f2f1ce42 upstream.
+
+Commit 7a68d9fb8510 ("USB: usbdevfs: sanitize flags more") checks the
+transfer flags for URBs submitted from userspace via usbfs. However,
+the check for whether the USBDEVFS_URB_SHORT_NOT_OK flag should be
+allowed for a control transfer was added in the wrong place, before
+the code has properly determined the direction of the control
+transfer. (Control transfers are special because for them, the
+direction is set by the bRequestType byte of the Setup packet rather
+than direction bit of the endpoint address.)
+
+This patch moves code which sets up the allow_short flag for control
+transfers down after is_in has been set to the correct value.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: syzbot+24a30223a4b609bb802e@syzkaller.appspotmail.com
+Fixes: 7a68d9fb8510 ("USB: usbdevfs: sanitize flags more")
+CC: Oliver Neukum <oneukum@suse.com>
+CC: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1473,8 +1473,6 @@ static int proc_do_submiturb(struct usb_
+ u = 0;
+ switch (uurb->type) {
+ case USBDEVFS_URB_TYPE_CONTROL:
+- if (is_in)
+- allow_short = true;
+ if (!usb_endpoint_xfer_control(&ep->desc))
+ return -EINVAL;
+ /* min 8 byte setup packet */
+@@ -1504,6 +1502,8 @@ static int proc_do_submiturb(struct usb_
+ is_in = 0;
+ uurb->endpoint &= ~USB_DIR_IN;
+ }
++ if (is_in)
++ allow_short = true;
+ snoop(&ps->dev->dev, "control urb: bRequestType=%02x "
+ "bRequest=%02x wValue=%04x "
+ "wIndex=%04x wLength=%04x\n",
--- /dev/null
+From 9ae24af3669111d418242caec8dd4ebd9ba26860 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 16 Oct 2018 12:16:45 +0200
+Subject: usb: gadget: storage: Fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 9ae24af3669111d418242caec8dd4ebd9ba26860 upstream.
+
+num can be indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/usb/gadget/function/f_mass_storage.c:3177 fsg_lun_make() warn:
+potential spectre issue 'fsg_opts->common->luns' [r] (local cap)
+
+Fix this by sanitizing num before using it to index
+fsg_opts->common->luns
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Acked-by: Felipe Balbi <felipe.balbi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_mass_storage.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/gadget/function/f_mass_storage.c
++++ b/drivers/usb/gadget/function/f_mass_storage.c
+@@ -222,6 +222,8 @@
+ #include <linux/usb/gadget.h>
+ #include <linux/usb/composite.h>
+
++#include <linux/nospec.h>
++
+ #include "configfs.h"
+
+
+@@ -3171,6 +3173,7 @@ static struct config_group *fsg_lun_make
+ fsg_opts = to_fsg_opts(&group->cg_item);
+ if (num >= FSG_MAX_LUNS)
+ return ERR_PTR(-ERANGE);
++ num = array_index_nospec(num, FSG_MAX_LUNS);
+
+ mutex_lock(&fsg_opts->lock);
+ if (fsg_opts->refcnt || fsg_opts->common->luns[num]) {
--- /dev/null
+From 009b1948e153ae448f62f1887e2b58d0e05db51b Mon Sep 17 00:00:00 2001
+From: Wan Ahmad Zainie <wan.ahmad.zainie.wan.mohamad@intel.com>
+Date: Tue, 9 Oct 2018 12:52:47 +0800
+Subject: usb: roles: intel_xhci: Fix Unbalanced pm_runtime_enable
+
+From: Wan Ahmad Zainie <wan.ahmad.zainie.wan.mohamad@intel.com>
+
+commit 009b1948e153ae448f62f1887e2b58d0e05db51b upstream.
+
+Add missing pm_runtime_disable() to remove(), in order to avoid
+an Unbalanced pm_runtime_enable when the module is removed and
+re-probed.
+
+Error log:
+root@intel-corei7-64:~# modprobe -r intel_xhci_usb_role_switch
+root@intel-corei7-64:~# modprobe intel_xhci_usb_role_switch
+intel_xhci_usb_sw intel_xhci_usb_sw: Unbalanced pm_runtime_enable!
+
+Fixes: cb2968468605 (usb: roles: intel_xhci: Enable runtime PM)
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Wan Ahmad Zainie <wan.ahmad.zainie.wan.mohamad@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/roles/intel-xhci-usb-role-switch.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/roles/intel-xhci-usb-role-switch.c
++++ b/drivers/usb/roles/intel-xhci-usb-role-switch.c
+@@ -161,6 +161,8 @@ static int intel_xhci_usb_remove(struct
+ {
+ struct intel_xhci_usb_data *data = platform_get_drvdata(pdev);
+
++ pm_runtime_disable(&pdev->dev);
++
+ usb_role_switch_unregister(data->role_sw);
+ return 0;
+ }
--- /dev/null
+From 81f7567c51ad97668d1c3a48e8ecc482e64d4161 Mon Sep 17 00:00:00 2001
+From: "Shuah Khan (Samsung OSG)" <shuah@kernel.org>
+Date: Fri, 5 Oct 2018 16:17:44 -0600
+Subject: usb: usbip: Fix BUG: KASAN: slab-out-of-bounds in vhci_hub_control()
+
+From: Shuah Khan (Samsung OSG) <shuah@kernel.org>
+
+commit 81f7567c51ad97668d1c3a48e8ecc482e64d4161 upstream.
+
+vhci_hub_control() accesses port_status array with out of bounds port
+value. Fix it to reference port_status[] only with a valid rhport value
+when invalid_rhport flag is true.
+
+The invalid_rhport flag is set early on after detecting in port value
+is within the bounds or not.
+
+The following is used reproduce the problem and verify the fix:
+C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14ed8ab6400000
+
+Reported-by: syzbot+bccc1fe10b70fadc78d0@syzkaller.appspotmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/vhci_hcd.c | 57 +++++++++++++++++++++++++++++++------------
+ 1 file changed, 42 insertions(+), 15 deletions(-)
+
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -318,8 +318,9 @@ static int vhci_hub_control(struct usb_h
+ struct vhci_hcd *vhci_hcd;
+ struct vhci *vhci;
+ int retval = 0;
+- int rhport;
++ int rhport = -1;
+ unsigned long flags;
++ bool invalid_rhport = false;
+
+ u32 prev_port_status[VHCI_HC_PORTS];
+
+@@ -334,9 +335,19 @@ static int vhci_hub_control(struct usb_h
+ usbip_dbg_vhci_rh("typeReq %x wValue %x wIndex %x\n", typeReq, wValue,
+ wIndex);
+
+- if (wIndex > VHCI_HC_PORTS)
+- pr_err("invalid port number %d\n", wIndex);
+- rhport = wIndex - 1;
++ /*
++ * wIndex can be 0 for some request types (typeReq). rhport is
++ * in valid range when wIndex >= 1 and < VHCI_HC_PORTS.
++ *
++ * Reference port_status[] only with valid rhport when
++ * invalid_rhport is false.
++ */
++ if (wIndex < 1 || wIndex > VHCI_HC_PORTS) {
++ invalid_rhport = true;
++ if (wIndex > VHCI_HC_PORTS)
++ pr_err("invalid port number %d\n", wIndex);
++ } else
++ rhport = wIndex - 1;
+
+ vhci_hcd = hcd_to_vhci_hcd(hcd);
+ vhci = vhci_hcd->vhci;
+@@ -345,8 +356,9 @@ static int vhci_hub_control(struct usb_h
+
+ /* store old status and compare now and old later */
+ if (usbip_dbg_flag_vhci_rh) {
+- memcpy(prev_port_status, vhci_hcd->port_status,
+- sizeof(prev_port_status));
++ if (!invalid_rhport)
++ memcpy(prev_port_status, vhci_hcd->port_status,
++ sizeof(prev_port_status));
+ }
+
+ switch (typeReq) {
+@@ -354,8 +366,10 @@ static int vhci_hub_control(struct usb_h
+ usbip_dbg_vhci_rh(" ClearHubFeature\n");
+ break;
+ case ClearPortFeature:
+- if (rhport < 0)
++ if (invalid_rhport) {
++ pr_err("invalid port number %d\n", wIndex);
+ goto error;
++ }
+ switch (wValue) {
+ case USB_PORT_FEAT_SUSPEND:
+ if (hcd->speed == HCD_USB3) {
+@@ -415,9 +429,10 @@ static int vhci_hub_control(struct usb_h
+ break;
+ case GetPortStatus:
+ usbip_dbg_vhci_rh(" GetPortStatus port %x\n", wIndex);
+- if (wIndex < 1) {
++ if (invalid_rhport) {
+ pr_err("invalid port number %d\n", wIndex);
+ retval = -EPIPE;
++ goto error;
+ }
+
+ /* we do not care about resume. */
+@@ -513,16 +528,20 @@ static int vhci_hub_control(struct usb_h
+ goto error;
+ }
+
+- if (rhport < 0)
++ if (invalid_rhport) {
++ pr_err("invalid port number %d\n", wIndex);
+ goto error;
++ }
+
+ vhci_hcd->port_status[rhport] |= USB_PORT_STAT_SUSPEND;
+ break;
+ case USB_PORT_FEAT_POWER:
+ usbip_dbg_vhci_rh(
+ " SetPortFeature: USB_PORT_FEAT_POWER\n");
+- if (rhport < 0)
++ if (invalid_rhport) {
++ pr_err("invalid port number %d\n", wIndex);
+ goto error;
++ }
+ if (hcd->speed == HCD_USB3)
+ vhci_hcd->port_status[rhport] |= USB_SS_PORT_STAT_POWER;
+ else
+@@ -531,8 +550,10 @@ static int vhci_hub_control(struct usb_h
+ case USB_PORT_FEAT_BH_PORT_RESET:
+ usbip_dbg_vhci_rh(
+ " SetPortFeature: USB_PORT_FEAT_BH_PORT_RESET\n");
+- if (rhport < 0)
++ if (invalid_rhport) {
++ pr_err("invalid port number %d\n", wIndex);
+ goto error;
++ }
+ /* Applicable only for USB3.0 hub */
+ if (hcd->speed != HCD_USB3) {
+ pr_err("USB_PORT_FEAT_BH_PORT_RESET req not "
+@@ -543,8 +564,10 @@ static int vhci_hub_control(struct usb_h
+ case USB_PORT_FEAT_RESET:
+ usbip_dbg_vhci_rh(
+ " SetPortFeature: USB_PORT_FEAT_RESET\n");
+- if (rhport < 0)
++ if (invalid_rhport) {
++ pr_err("invalid port number %d\n", wIndex);
+ goto error;
++ }
+ /* if it's already enabled, disable */
+ if (hcd->speed == HCD_USB3) {
+ vhci_hcd->port_status[rhport] = 0;
+@@ -565,8 +588,10 @@ static int vhci_hub_control(struct usb_h
+ default:
+ usbip_dbg_vhci_rh(" SetPortFeature: default %d\n",
+ wValue);
+- if (rhport < 0)
++ if (invalid_rhport) {
++ pr_err("invalid port number %d\n", wIndex);
+ goto error;
++ }
+ if (hcd->speed == HCD_USB3) {
+ if ((vhci_hcd->port_status[rhport] &
+ USB_SS_PORT_STAT_POWER) != 0) {
+@@ -608,7 +633,7 @@ error:
+ if (usbip_dbg_flag_vhci_rh) {
+ pr_debug("port %d\n", rhport);
+ /* Only dump valid port status */
+- if (rhport >= 0) {
++ if (!invalid_rhport) {
+ dump_port_status_diff(prev_port_status[rhport],
+ vhci_hcd->port_status[rhport],
+ hcd->speed == HCD_USB3);
+@@ -618,8 +643,10 @@ error:
+
+ spin_unlock_irqrestore(&vhci->lock, flags);
+
+- if ((vhci_hcd->port_status[rhport] & PORT_C_MASK) != 0)
++ if (!invalid_rhport &&
++ (vhci_hcd->port_status[rhport] & PORT_C_MASK) != 0) {
+ usb_hcd_poll_rh_status(hcd);
++ }
+
+ return retval;
+ }
--- /dev/null
+From c02588a352defaf985fc1816eb6232663159e1b8 Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Mon, 1 Oct 2018 18:53:05 +0300
+Subject: usb: xhci: pci: Enable Intel USB role mux on Apollo Lake platforms
+
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+
+commit c02588a352defaf985fc1816eb6232663159e1b8 upstream.
+
+Intel Apollo Lake has the same internal USB role mux as
+Intel Cherry Trail.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-pci.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -179,10 +179,12 @@ static void xhci_pci_quirks(struct devic
+ xhci->quirks |= XHCI_PME_STUCK_QUIRK;
+ }
+ if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
+- pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI) {
++ pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI)
+ xhci->quirks |= XHCI_SSIC_PORT_UNUSED;
++ if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
++ (pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI ||
++ pdev->device == PCI_DEVICE_ID_INTEL_APL_XHCI))
+ xhci->quirks |= XHCI_INTEL_USB_ROLE_SW;
+- }
+ if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
+ (pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI ||
+ pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI ||
--- /dev/null
+From 2224d616528194b02424c91c2ee254b3d29942c3 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Tue, 16 Oct 2018 22:25:25 +0200
+Subject: x86/fpu: Fix i486 + no387 boot crash by only saving FPU registers on context switch if there is an FPU
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+commit 2224d616528194b02424c91c2ee254b3d29942c3 upstream.
+
+Booting an i486 with "no387 nofxsr" ends with with the following crash:
+
+ math_emulate: 0060:c101987d
+ Kernel panic - not syncing: Math emulation needed in kernel
+
+on the first context switch in user land.
+
+The reason is that copy_fpregs_to_fpstate() tries FNSAVE which does not work
+as the FPU is turned off.
+
+This bug was introduced in:
+
+ f1c8cd0176078 ("x86/fpu: Change fpu->fpregs_active users to fpu->fpstate_active")
+
+Add a check for X86_FEATURE_FPU before trying to save FPU registers (we
+have such a check in switch_fpu_finish() already).
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Fixes: f1c8cd0176078 ("x86/fpu: Change fpu->fpregs_active users to fpu->fpstate_active")
+Link: http://lkml.kernel.org/r/20181016202525.29437-4-bigeasy@linutronix.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/fpu/internal.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/fpu/internal.h
++++ b/arch/x86/include/asm/fpu/internal.h
+@@ -528,7 +528,7 @@ static inline void fpregs_activate(struc
+ static inline void
+ switch_fpu_prepare(struct fpu *old_fpu, int cpu)
+ {
+- if (old_fpu->initialized) {
++ if (static_cpu_has(X86_FEATURE_FPU) && old_fpu->initialized) {
+ if (!copy_fpregs_to_fpstate(old_fpu))
+ old_fpu->last_cpu = -1;
+ else
--- /dev/null
+From cc55f7537db6af371e9c1c6a71161ee40f918824 Mon Sep 17 00:00:00 2001
+From: Zhimin Gu <kookoo.gu@intel.com>
+Date: Fri, 21 Sep 2018 14:26:24 +0800
+Subject: x86, hibernate: Fix nosave_regions setup for hibernation
+
+From: Zhimin Gu <kookoo.gu@intel.com>
+
+commit cc55f7537db6af371e9c1c6a71161ee40f918824 upstream.
+
+On 32bit systems, nosave_regions(non RAM areas) located between
+max_low_pfn and max_pfn are not excluded from hibernation snapshot
+currently, which may result in a machine check exception when
+trying to access these unsafe regions during hibernation:
+
+[ 612.800453] Disabling lock debugging due to kernel taint
+[ 612.805786] mce: [Hardware Error]: CPU 0: Machine Check Exception: 5 Bank 6: fe00000000801136
+[ 612.814344] mce: [Hardware Error]: RIP !INEXACT! 60:<00000000d90be566> {swsusp_save+0x436/0x560}
+[ 612.823167] mce: [Hardware Error]: TSC 1f5939fe276 ADDR dd000000 MISC 30e0000086
+[ 612.830677] mce: [Hardware Error]: PROCESSOR 0:306c3 TIME 1529487426 SOCKET 0 APIC 0 microcode 24
+[ 612.839581] mce: [Hardware Error]: Run the above through 'mcelog --ascii'
+[ 612.846394] mce: [Hardware Error]: Machine check: Processor context corrupt
+[ 612.853380] Kernel panic - not syncing: Fatal machine check
+[ 612.858978] Kernel Offset: 0x18000000 from 0xc1000000 (relocation range: 0xc0000000-0xf7ffdfff)
+
+This is because on 32bit systems, pages above max_low_pfn are regarded
+as high memeory, and accessing unsafe pages might cause expected MCE.
+On the problematic 32bit system, there are reserved memory above low
+memory, which triggered the MCE:
+
+e820 memory mapping:
+[ 0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009d7ff] usable
+[ 0.000000] BIOS-e820: [mem 0x000000000009d800-0x000000000009ffff] reserved
+[ 0.000000] BIOS-e820: [mem 0x00000000000e0000-0x00000000000fffff] reserved
+[ 0.000000] BIOS-e820: [mem 0x0000000000100000-0x00000000d160cfff] usable
+[ 0.000000] BIOS-e820: [mem 0x00000000d160d000-0x00000000d1613fff] ACPI NVS
+[ 0.000000] BIOS-e820: [mem 0x00000000d1614000-0x00000000d1a44fff] usable
+[ 0.000000] BIOS-e820: [mem 0x00000000d1a45000-0x00000000d1ecffff] reserved
+[ 0.000000] BIOS-e820: [mem 0x00000000d1ed0000-0x00000000d7eeafff] usable
+[ 0.000000] BIOS-e820: [mem 0x00000000d7eeb000-0x00000000d7ffffff] reserved
+[ 0.000000] BIOS-e820: [mem 0x00000000d8000000-0x00000000d875ffff] usable
+[ 0.000000] BIOS-e820: [mem 0x00000000d8760000-0x00000000d87fffff] reserved
+[ 0.000000] BIOS-e820: [mem 0x00000000d8800000-0x00000000d8fadfff] usable
+[ 0.000000] BIOS-e820: [mem 0x00000000d8fae000-0x00000000d8ffffff] ACPI data
+[ 0.000000] BIOS-e820: [mem 0x00000000d9000000-0x00000000da71bfff] usable
+[ 0.000000] BIOS-e820: [mem 0x00000000da71c000-0x00000000da7fffff] ACPI NVS
+[ 0.000000] BIOS-e820: [mem 0x00000000da800000-0x00000000dbb8bfff] usable
+[ 0.000000] BIOS-e820: [mem 0x00000000dbb8c000-0x00000000dbffffff] reserved
+[ 0.000000] BIOS-e820: [mem 0x00000000dd000000-0x00000000df1fffff] reserved
+[ 0.000000] BIOS-e820: [mem 0x00000000f8000000-0x00000000fbffffff] reserved
+[ 0.000000] BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved
+[ 0.000000] BIOS-e820: [mem 0x00000000fed00000-0x00000000fed03fff] reserved
+[ 0.000000] BIOS-e820: [mem 0x00000000fed1c000-0x00000000fed1ffff] reserved
+[ 0.000000] BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
+[ 0.000000] BIOS-e820: [mem 0x00000000ff000000-0x00000000ffffffff] reserved
+[ 0.000000] BIOS-e820: [mem 0x0000000100000000-0x000000041edfffff] usable
+
+Fix this problem by changing pfn limit from max_low_pfn to max_pfn.
+This fix does not impact 64bit system because on 64bit max_low_pfn
+is the same as max_pfn.
+
+Signed-off-by: Zhimin Gu <kookoo.gu@intel.com>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Chen Yu <yu.c.chen@intel.com>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1258,7 +1258,7 @@ void __init setup_arch(char **cmdline_p)
+ x86_init.hyper.guest_late_init();
+
+ e820__reserve_resources();
+- e820__register_nosave_regions(max_low_pfn);
++ e820__register_nosave_regions(max_pfn);
+
+ x86_init.resources.reserve_resources();
+
--- /dev/null
+From b59167ac7bafd804c91e49ad53c6d33a7394d4c8 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 11 Oct 2018 12:38:27 +0200
+Subject: x86/percpu: Fix this_cpu_read()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit b59167ac7bafd804c91e49ad53c6d33a7394d4c8 upstream.
+
+Eric reported that a sequence count loop using this_cpu_read() got
+optimized out. This is wrong, this_cpu_read() must imply READ_ONCE()
+because the interface is IRQ-safe, therefore an interrupt can have
+changed the per-cpu value.
+
+Fixes: 7c3576d261ce ("[PATCH] i386: Convert PDA into the percpu section")
+Reported-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Cc: hpa@zytor.com
+Cc: eric.dumazet@gmail.com
+Cc: bp@alien8.de
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20181011104019.748208519@infradead.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/percpu.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/include/asm/percpu.h
++++ b/arch/x86/include/asm/percpu.h
+@@ -185,22 +185,22 @@ do { \
+ typeof(var) pfo_ret__; \
+ switch (sizeof(var)) { \
+ case 1: \
+- asm(op "b "__percpu_arg(1)",%0" \
++ asm volatile(op "b "__percpu_arg(1)",%0"\
+ : "=q" (pfo_ret__) \
+ : "m" (var)); \
+ break; \
+ case 2: \
+- asm(op "w "__percpu_arg(1)",%0" \
++ asm volatile(op "w "__percpu_arg(1)",%0"\
+ : "=r" (pfo_ret__) \
+ : "m" (var)); \
+ break; \
+ case 4: \
+- asm(op "l "__percpu_arg(1)",%0" \
++ asm volatile(op "l "__percpu_arg(1)",%0"\
+ : "=r" (pfo_ret__) \
+ : "m" (var)); \
+ break; \
+ case 8: \
+- asm(op "q "__percpu_arg(1)",%0" \
++ asm volatile(op "q "__percpu_arg(1)",%0"\
+ : "=r" (pfo_ret__) \
+ : "m" (var)); \
+ break; \
--- /dev/null
+From 485734f3fc77c1eb77ffe138c027b9a4bf0178f3 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Sun, 14 Oct 2018 09:52:08 +0200
+Subject: x86/swiotlb: Enable swiotlb for > 4GiG RAM on 32-bit kernels
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 485734f3fc77c1eb77ffe138c027b9a4bf0178f3 upstream.
+
+We already build the swiotlb code for 32-bit kernels with PAE support,
+but the code to actually use swiotlb has only been enabled for 64-bit
+kernels for an unknown reason.
+
+Before Linux v4.18 we paper over this fact because the networking code,
+the SCSI layer and some random block drivers implemented their own
+bounce buffering scheme.
+
+[ mingo: Changelog fixes. ]
+
+Fixes: 21e07dba9fb1 ("scsi: reduce use of block bounce buffers")
+Fixes: ab74cfebafa3 ("net: remove the PCI_DMA_BUS_IS_PHYS check in illegal_highdma")
+Reported-by: Matthew Whitehead <tedheadster@gmail.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Matthew Whitehead <tedheadster@gmail.com>
+Cc: konrad.wilk@oracle.com
+Cc: iommu@lists.linux-foundation.org
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20181014075208.2715-1-hch@lst.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/pci-swiotlb.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/x86/kernel/pci-swiotlb.c
++++ b/arch/x86/kernel/pci-swiotlb.c
+@@ -42,10 +42,8 @@ IOMMU_INIT_FINISH(pci_swiotlb_detect_ove
+ int __init pci_swiotlb_detect_4gb(void)
+ {
+ /* don't initialize swiotlb if iommu=off (no_iommu=1) */
+-#ifdef CONFIG_X86_64
+ if (!no_iommu && max_possible_pfn > MAX_DMA32_PFN)
+ swiotlb = 1;
+-#endif
+
+ /*
+ * If SME is active then swiotlb will be set to 1 so that bounce
--- /dev/null
+From 53c13ba8ed39e89f21a0b98f4c8a241bb44e483d Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Fri, 12 Oct 2018 17:53:12 -0700
+Subject: x86/time: Correct the attribute on jiffies' definition
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+commit 53c13ba8ed39e89f21a0b98f4c8a241bb44e483d upstream.
+
+Clang warns that the declaration of jiffies in include/linux/jiffies.h
+doesn't match the definition in arch/x86/time/kernel.c:
+
+arch/x86/kernel/time.c:29:42: warning: section does not match previous declaration [-Wsection]
+__visible volatile unsigned long jiffies __cacheline_aligned = INITIAL_JIFFIES;
+ ^
+./include/linux/cache.h:49:4: note: expanded from macro '__cacheline_aligned'
+ __section__(".data..cacheline_aligned")))
+ ^
+./include/linux/jiffies.h:81:31: note: previous attribute is here
+extern unsigned long volatile __cacheline_aligned_in_smp __jiffy_arch_data jiffies;
+ ^
+./arch/x86/include/asm/cache.h:20:2: note: expanded from macro '__cacheline_aligned_in_smp'
+ __page_aligned_data
+ ^
+./include/linux/linkage.h:39:29: note: expanded from macro '__page_aligned_data'
+#define __page_aligned_data __section(.data..page_aligned) __aligned(PAGE_SIZE)
+ ^
+./include/linux/compiler_attributes.h:233:56: note: expanded from macro '__section'
+#define __section(S) __attribute__((__section__(#S)))
+ ^
+1 warning generated.
+
+The declaration was changed in commit 7c30f352c852 ("jiffies.h: declare
+jiffies and jiffies_64 with ____cacheline_aligned_in_smp") but wasn't
+updated here. Make them match so Clang no longer warns.
+
+Fixes: 7c30f352c852 ("jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp")
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20181013005311.28617-1-natechancellor@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/time.c
++++ b/arch/x86/kernel/time.c
+@@ -25,7 +25,7 @@
+ #include <asm/time.h>
+
+ #ifdef CONFIG_X86_64
+-__visible volatile unsigned long jiffies __cacheline_aligned = INITIAL_JIFFIES;
++__visible volatile unsigned long jiffies __cacheline_aligned_in_smp = INITIAL_JIFFIES;
+ #endif
+
+ unsigned long profile_pc(struct pt_regs *regs)
--- /dev/null
+From 4907c68abd3f60f650f98d5a69d4ec77c0bde44f Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 11 Oct 2018 12:38:26 +0200
+Subject: x86/tsc: Force inlining of cyc2ns bits
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 4907c68abd3f60f650f98d5a69d4ec77c0bde44f upstream.
+
+Looking at the asm for native_sched_clock() I noticed we don't inline
+enough. Mostly caused by sharing code with cyc2ns_read_begin(), which
+we didn't used to do. So mark all that __force_inline to make it DTRT.
+
+Fixes: 59eaef78bfea ("x86/tsc: Remodel cyc2ns to use seqcount_latch()")
+Reported-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: hpa@zytor.com
+Cc: eric.dumazet@gmail.com
+Cc: bp@alien8.de
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20181011104019.695196158@infradead.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/tsc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -60,7 +60,7 @@ struct cyc2ns {
+
+ static DEFINE_PER_CPU_ALIGNED(struct cyc2ns, cyc2ns);
+
+-void cyc2ns_read_begin(struct cyc2ns_data *data)
++void __always_inline cyc2ns_read_begin(struct cyc2ns_data *data)
+ {
+ int seq, idx;
+
+@@ -77,7 +77,7 @@ void cyc2ns_read_begin(struct cyc2ns_dat
+ } while (unlikely(seq != this_cpu_read(cyc2ns.seq.sequence)));
+ }
+
+-void cyc2ns_read_end(void)
++void __always_inline cyc2ns_read_end(void)
+ {
+ preempt_enable_notrace();
+ }
+@@ -123,7 +123,7 @@ static void __init cyc2ns_init(int cpu)
+ seqcount_init(&c2n->seq);
+ }
+
+-static inline unsigned long long cycles_2_ns(unsigned long long cyc)
++static __always_inline unsigned long long cycles_2_ns(unsigned long long cyc)
+ {
+ struct cyc2ns_data data;
+ unsigned long long ns;
projects / thirdparty / kernel / stable-queue.git / commitdiff
