--- /dev/null
+From 1e31927aa64545ee97a2a41db9984c9931afc50a Mon Sep 17 00:00:00 2001
+From: Sean Wang <sean.wang@mediatek.com>
+Date: Fri, 20 Apr 2018 16:58:05 +0800
+Subject: arm64: defconfig: Enable CONFIG_PINCTRL_MT7622 by default
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+commit 1e31927aa64545ee97a2a41db9984c9931afc50a upstream.
+
+Recently kernelCI reported the board mt7622-rfb1 has a fail test with
+kernel: ERROR: did not start booting whose details could be seen at [1].
+
+The cause is that UART0 can't output anything when it's missing a proper
+pin setup with current DTS, so the essential driver is always getting
+enabled to fix up the issue.
+
+[1] https://kernelci.org/boot/id/5ad7d62759b51461bfb1f829/
+
+Cc: Kevin Hilman <khilman@baylibre.com>
+Cc: stable@vger.kernel.org
+Fixes: ae457b7679c4 ("arm64: dts: mt7622: add SoC and peripheral related device nodes")
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/configs/defconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/configs/defconfig
++++ b/arch/arm64/configs/defconfig
+@@ -320,6 +320,7 @@ CONFIG_PINCTRL_MAX77620=y
+ CONFIG_PINCTRL_MSM8916=y
+ CONFIG_PINCTRL_MSM8994=y
+ CONFIG_PINCTRL_MSM8996=y
++CONFIG_PINCTRL_MT7622=y
+ CONFIG_PINCTRL_QDF2XXX=y
+ CONFIG_PINCTRL_QCOM_SPMI_PMIC=y
+ CONFIG_GPIO_DWAPB=y
--- /dev/null
+From 281a58c8326ca62ca6341f9d2cc2eb08044670e8 Mon Sep 17 00:00:00 2001
+From: Gilad Ben-Yossef <gilad@benyossef.com>
+Date: Thu, 24 May 2018 15:19:06 +0100
+Subject: crypto: ccree - correct host regs offset
+
+From: Gilad Ben-Yossef <gilad@benyossef.com>
+
+commit 281a58c8326ca62ca6341f9d2cc2eb08044670e8 upstream.
+
+The product signature and HW revision register have different offset on the
+older HW revisions.
+This fixes the problem of the driver failing sanity check on silicon
+despite working on the FPGA emulation systems.
+
+Fixes: 27b3b22dd98c ("crypto: ccree - add support for older HW revs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccree/cc_debugfs.c | 7 +++++--
+ drivers/crypto/ccree/cc_driver.c | 8 ++++++--
+ drivers/crypto/ccree/cc_driver.h | 2 ++
+ drivers/crypto/ccree/cc_host_regs.h | 6 ++++--
+ 4 files changed, 17 insertions(+), 6 deletions(-)
+
+--- a/drivers/crypto/ccree/cc_debugfs.c
++++ b/drivers/crypto/ccree/cc_debugfs.c
+@@ -26,7 +26,8 @@ struct cc_debugfs_ctx {
+ static struct dentry *cc_debugfs_dir;
+
+ static struct debugfs_reg32 debug_regs[] = {
+- CC_DEBUG_REG(HOST_SIGNATURE),
++ { .name = "SIGNATURE" }, /* Must be 0th */
++ { .name = "VERSION" }, /* Must be 1st */
+ CC_DEBUG_REG(HOST_IRR),
+ CC_DEBUG_REG(HOST_POWER_DOWN_EN),
+ CC_DEBUG_REG(AXIM_MON_ERR),
+@@ -34,7 +35,6 @@ static struct debugfs_reg32 debug_regs[]
+ CC_DEBUG_REG(HOST_IMR),
+ CC_DEBUG_REG(AXIM_CFG),
+ CC_DEBUG_REG(AXIM_CACHE_PARAMS),
+- CC_DEBUG_REG(HOST_VERSION),
+ CC_DEBUG_REG(GPR_HOST),
+ CC_DEBUG_REG(AXIM_MON_COMP),
+ };
+@@ -58,6 +58,9 @@ int cc_debugfs_init(struct cc_drvdata *d
+ struct debugfs_regset32 *regset;
+ struct dentry *file;
+
++ debug_regs[0].offset = drvdata->sig_offset;
++ debug_regs[1].offset = drvdata->ver_offset;
++
+ ctx = devm_kzalloc(dev, sizeof(*ctx), GFP_KERNEL);
+ if (!ctx)
+ return -ENOMEM;
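Review bot: The two added assignments store per-device offsets into `debug_regs[]`, a file-scope static table, so the last device to run cc_debugfs_init() decides which signature and version offsets the table carries; that is only correct while every probed CryptoCell has the same HW revision. The slots are also addressed by bare index, protected only by the "Must be 0th" / "Must be 1st" comments in the table. Consider patching a per-device copy instead, e.g. `regs = devm_kmemdup(dev, debug_regs, sizeof(debug_regs), GFP_KERNEL);`, or at least naming the two indices with an enum so a reordering of the table cannot silently misdirect the writes. cc_debugfs_init() continues past the end of this hunk, so how the regset is pointed at the table is not visible here.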
+--- a/drivers/crypto/ccree/cc_driver.c
++++ b/drivers/crypto/ccree/cc_driver.c
+@@ -207,9 +207,13 @@ static int init_cc_resources(struct plat
+ if (hw_rev->rev >= CC_HW_REV_712) {
+ new_drvdata->hash_len_sz = HASH_LEN_SIZE_712;
+ new_drvdata->axim_mon_offset = CC_REG(AXIM_MON_COMP);
++ new_drvdata->sig_offset = CC_REG(HOST_SIGNATURE_712);
++ new_drvdata->ver_offset = CC_REG(HOST_VERSION_712);
+ } else {
+ new_drvdata->hash_len_sz = HASH_LEN_SIZE_630;
+ new_drvdata->axim_mon_offset = CC_REG(AXIM_MON_COMP8);
++ new_drvdata->sig_offset = CC_REG(HOST_SIGNATURE_630);
++ new_drvdata->ver_offset = CC_REG(HOST_VERSION_630);
+ }
+
+ platform_set_drvdata(plat_dev, new_drvdata);
+@@ -276,7 +280,7 @@ static int init_cc_resources(struct plat
+ }
+
+ /* Verify correct mapping */
+- signature_val = cc_ioread(new_drvdata, CC_REG(HOST_SIGNATURE));
++ signature_val = cc_ioread(new_drvdata, new_drvdata->sig_offset);
+ if (signature_val != hw_rev->sig) {
+ dev_err(dev, "Invalid CC signature: SIGNATURE=0x%08X != expected=0x%08X\n",
+ signature_val, hw_rev->sig);
+@@ -287,7 +291,7 @@ static int init_cc_resources(struct plat
+
+ /* Display HW versions */
+ dev_info(dev, "ARM CryptoCell %s Driver: HW version 0x%08X, Driver version %s\n",
+- hw_rev->name, cc_ioread(new_drvdata, CC_REG(HOST_VERSION)),
++ hw_rev->name, cc_ioread(new_drvdata, new_drvdata->ver_offset),
+ DRV_MODULE_VERSION);
+
+ rc = init_cc_regs(new_drvdata, true);
+--- a/drivers/crypto/ccree/cc_driver.h
++++ b/drivers/crypto/ccree/cc_driver.h
+@@ -129,6 +129,8 @@ struct cc_drvdata {
+ enum cc_hw_rev hw_rev;
+ u32 hash_len_sz;
+ u32 axim_mon_offset;
++ u32 sig_offset;
++ u32 ver_offset;
+ };
+
+ struct cc_crypto_alg {
+--- a/drivers/crypto/ccree/cc_host_regs.h
++++ b/drivers/crypto/ccree/cc_host_regs.h
+@@ -45,7 +45,8 @@
+ #define CC_HOST_ICR_DSCRPTR_WATERMARK_QUEUE0_CLEAR_BIT_SIZE 0x1UL
+ #define CC_HOST_ICR_AXIM_COMP_INT_CLEAR_BIT_SHIFT 0x17UL
+ #define CC_HOST_ICR_AXIM_COMP_INT_CLEAR_BIT_SIZE 0x1UL
+-#define CC_HOST_SIGNATURE_REG_OFFSET 0xA24UL
++#define CC_HOST_SIGNATURE_712_REG_OFFSET 0xA24UL
++#define CC_HOST_SIGNATURE_630_REG_OFFSET 0xAC8UL
+ #define CC_HOST_SIGNATURE_VALUE_BIT_SHIFT 0x0UL
+ #define CC_HOST_SIGNATURE_VALUE_BIT_SIZE 0x20UL
+ #define CC_HOST_BOOT_REG_OFFSET 0xA28UL
+@@ -105,7 +106,8 @@
+ #define CC_HOST_BOOT_ONLY_ENCRYPT_LOCAL_BIT_SIZE 0x1UL
+ #define CC_HOST_BOOT_AES_EXISTS_LOCAL_BIT_SHIFT 0x1EUL
+ #define CC_HOST_BOOT_AES_EXISTS_LOCAL_BIT_SIZE 0x1UL
+-#define CC_HOST_VERSION_REG_OFFSET 0xA40UL
++#define CC_HOST_VERSION_712_REG_OFFSET 0xA40UL
++#define CC_HOST_VERSION_630_REG_OFFSET 0xAD8UL
+ #define CC_HOST_VERSION_VALUE_BIT_SHIFT 0x0UL
+ #define CC_HOST_VERSION_VALUE_BIT_SIZE 0x20UL
+ #define CC_HOST_KFDE0_VALID_REG_OFFSET 0xA60UL
--- /dev/null
+From f59acbc5e0f7f90452efd4c3318d5e5ec042c3e0 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Sat, 12 May 2018 01:45:29 -0700
+Subject: doc: fix sysfs ABI documentation
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+commit f59acbc5e0f7f90452efd4c3318d5e5ec042c3e0 upstream.
+
+In 4.9 kernel, the sysfs files for Hyper-V VMBus changed name but
+the documentation files were not updated. The current sysfs file
+names are /sys/bus/vmbus/devices/<UUID>/...
+
+See commit 9a56e5d6a0ba ("Drivers: hv: make VMBus bus ids persistent")
+and commit f6b2db084b65 ("vmbus: make sysfs names consistent with PCI")
+
+Reported-by: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/ABI/stable/sysfs-bus-vmbus | 40 +++++++++++++++----------------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+--- a/Documentation/ABI/stable/sysfs-bus-vmbus
++++ b/Documentation/ABI/stable/sysfs-bus-vmbus
+@@ -1,25 +1,25 @@
+-What: /sys/bus/vmbus/devices/vmbus_*/id
++What: /sys/bus/vmbus/devices/<UUID>/id
+ Date: Jul 2009
+ KernelVersion: 2.6.31
+ Contact: K. Y. Srinivasan <kys@microsoft.com>
+ Description: The VMBus child_relid of the device's primary channel
+ Users: tools/hv/lsvmbus
+
+-What: /sys/bus/vmbus/devices/vmbus_*/class_id
++What: /sys/bus/vmbus/devices/<UUID>/class_id
+ Date: Jul 2009
+ KernelVersion: 2.6.31
+ Contact: K. Y. Srinivasan <kys@microsoft.com>
+ Description: The VMBus interface type GUID of the device
+ Users: tools/hv/lsvmbus
+
+-What: /sys/bus/vmbus/devices/vmbus_*/device_id
++What: /sys/bus/vmbus/devices/<UUID>/device_id
+ Date: Jul 2009
+ KernelVersion: 2.6.31
+ Contact: K. Y. Srinivasan <kys@microsoft.com>
+ Description: The VMBus interface instance GUID of the device
+ Users: tools/hv/lsvmbus
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channel_vp_mapping
++What: /sys/bus/vmbus/devices/<UUID>/channel_vp_mapping
+ Date: Jul 2015
+ KernelVersion: 4.2.0
+ Contact: K. Y. Srinivasan <kys@microsoft.com>
+@@ -28,112 +28,112 @@ Description: The mapping of which primar
+ Format: <channel's child_relid:the bound cpu's number>
+ Users: tools/hv/lsvmbus
+
+-What: /sys/bus/vmbus/devices/vmbus_*/device
++What: /sys/bus/vmbus/devices/<UUID>/device
+ Date: Dec. 2015
+ KernelVersion: 4.5
+ Contact: K. Y. Srinivasan <kys@microsoft.com>
+ Description: The 16 bit device ID of the device
+ Users: tools/hv/lsvmbus and user level RDMA libraries
+
+-What: /sys/bus/vmbus/devices/vmbus_*/vendor
++What: /sys/bus/vmbus/devices/<UUID>/vendor
+ Date: Dec. 2015
+ KernelVersion: 4.5
+ Contact: K. Y. Srinivasan <kys@microsoft.com>
+ Description: The 16 bit vendor ID of the device
+ Users: tools/hv/lsvmbus and user level RDMA libraries
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN
++What: /sys/bus/vmbus/devices/<UUID>/channels/<N>
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger <sthemmin@microsoft.com>
+ Description: Directory for per-channel information
+ NN is the VMBUS relid associtated with the channel.
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/cpu
++What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/cpu
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger <sthemmin@microsoft.com>
+ Description: VCPU (sub)channel is affinitized to
+ Users: tools/hv/lsvmbus and other debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/cpu
++What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/cpu
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger <sthemmin@microsoft.com>
+ Description: VCPU (sub)channel is affinitized to
+ Users: tools/hv/lsvmbus and other debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/in_mask
++What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/in_mask
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger <sthemmin@microsoft.com>
+ Description: Host to guest channel interrupt mask
+ Users: Debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/latency
++What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/latency
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger <sthemmin@microsoft.com>
+ Description: Channel signaling latency
+ Users: Debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/out_mask
++What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/out_mask
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger <sthemmin@microsoft.com>
+ Description: Guest to host channel interrupt mask
+ Users: Debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/pending
++What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/pending
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger <sthemmin@microsoft.com>
+ Description: Channel interrupt pending state
+ Users: Debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/read_avail
++What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/read_avail
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger <sthemmin@microsoft.com>
+ Description: Bytes available to read
+ Users: Debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/write_avail
++What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/write_avail
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger <sthemmin@microsoft.com>
+ Description: Bytes available to write
+ Users: Debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/events
++What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/events
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger <sthemmin@microsoft.com>
+ Description: Number of times we have signaled the host
+ Users: Debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/interrupts
++What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/interrupts
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger <sthemmin@microsoft.com>
+ Description: Number of times we have taken an interrupt (incoming)
+ Users: Debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/subchannel_id
++What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/subchannel_id
+ Date: January. 2018
+ KernelVersion: 4.16
+ Contact: Stephen Hemminger <sthemmin@microsoft.com>
+ Description: Subchannel ID associated with VMBUS channel
+ Users: Debugging tools and userspace drivers
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/monitor_id
++What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/monitor_id
+ Date: January. 2018
+ KernelVersion: 4.16
+ Contact: Stephen Hemminger <sthemmin@microsoft.com>
+ Description: Monitor bit associated with channel
+ Users: Debugging tools and userspace drivers
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/ring
++What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/ring
+ Date: January. 2018
+ KernelVersion: 4.16
+ Contact: Stephen Hemminger <sthemmin@microsoft.com>
--- /dev/null
+From c1ba08390a8bb13c927e699330896adc15b78205 Mon Sep 17 00:00:00 2001
+From: Ethan Lee <flibitijibibo@gmail.com>
+Date: Fri, 1 Jun 2018 11:46:08 -0700
+Subject: Input: xpad - add GPD Win 2 Controller USB IDs
+
+From: Ethan Lee <flibitijibibo@gmail.com>
+
+commit c1ba08390a8bb13c927e699330896adc15b78205 upstream.
+
+GPD Win 2 Website: http://www.gpd.hk/gpdwin2.asp
+
+Tested on a unit from the first production run sent to Indiegogo backers
+
+Signed-off-by: Ethan Lee <flibitijibibo@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/joystick/xpad.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -123,6 +123,7 @@ static const struct xpad_device {
+ u8 mapping;
+ u8 xtype;
+ } xpad_device[] = {
++ { 0x0079, 0x18d4, "GPD Win 2 Controller", 0, XTYPE_XBOX360 },
+ { 0x044f, 0x0f00, "Thrustmaster Wheel", 0, XTYPE_XBOX },
+ { 0x044f, 0x0f03, "Thrustmaster Wheel", 0, XTYPE_XBOX },
+ { 0x044f, 0x0f07, "Thrustmaster, Inc. Controller", 0, XTYPE_XBOX },
+@@ -409,6 +410,7 @@ static const signed short xpad_abs_trigg
+
+ static const struct usb_device_id xpad_table[] = {
+ { USB_INTERFACE_INFO('X', 'B', 0) }, /* X-Box USB-IF not approved class */
++ XPAD_XBOX360_VENDOR(0x0079), /* GPD Win 2 Controller */
+ XPAD_XBOX360_VENDOR(0x044f), /* Thrustmaster X-Box 360 controllers */
+ XPAD_XBOX360_VENDOR(0x045e), /* Microsoft X-Box 360 controllers */
+ XPAD_XBOXONE_VENDOR(0x045e), /* Microsoft X-Box One controllers */
--- /dev/null
+From 766d3571d8e50d3a73b77043dc632226f9e6b389 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Fri, 8 Jun 2018 02:19:53 +0300
+Subject: kvm: fix typo in flag name
+
+From: Michael S. Tsirkin <mst@redhat.com>
+
+commit 766d3571d8e50d3a73b77043dc632226f9e6b389 upstream.
+
+KVM_X86_DISABLE_EXITS_HTL really refers to exit on halt.
+Obviously a typo: should be named KVM_X86_DISABLE_EXITS_HLT.
+
+Fixes: caa057a2cad ("KVM: X86: Provide a capability to disable HLT intercepts")
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 4 ++--
+ include/uapi/linux/kvm.h | 4 ++--
+ tools/include/uapi/linux/kvm.h | 4 ++--
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2894,7 +2894,7 @@ int kvm_vm_ioctl_check_extension(struct
+ r = KVM_CLOCK_TSC_STABLE;
+ break;
+ case KVM_CAP_X86_DISABLE_EXITS:
+- r |= KVM_X86_DISABLE_EXITS_HTL | KVM_X86_DISABLE_EXITS_PAUSE;
++ r |= KVM_X86_DISABLE_EXITS_HLT | KVM_X86_DISABLE_EXITS_PAUSE;
+ if(kvm_can_mwait_in_guest())
+ r |= KVM_X86_DISABLE_EXITS_MWAIT;
+ break;
+@@ -4248,7 +4248,7 @@ split_irqchip_unlock:
+ if ((cap->args[0] & KVM_X86_DISABLE_EXITS_MWAIT) &&
+ kvm_can_mwait_in_guest())
+ kvm->arch.mwait_in_guest = true;
+- if (cap->args[0] & KVM_X86_DISABLE_EXITS_HTL)
++ if (cap->args[0] & KVM_X86_DISABLE_EXITS_HLT)
+ kvm->arch.hlt_in_guest = true;
+ if (cap->args[0] & KVM_X86_DISABLE_EXITS_PAUSE)
+ kvm->arch.pause_in_guest = true;
+--- a/include/uapi/linux/kvm.h
++++ b/include/uapi/linux/kvm.h
+@@ -677,10 +677,10 @@ struct kvm_ioeventfd {
+ };
+
+ #define KVM_X86_DISABLE_EXITS_MWAIT (1 << 0)
+-#define KVM_X86_DISABLE_EXITS_HTL (1 << 1)
++#define KVM_X86_DISABLE_EXITS_HLT (1 << 1)
+ #define KVM_X86_DISABLE_EXITS_PAUSE (1 << 2)
+ #define KVM_X86_DISABLE_VALID_EXITS (KVM_X86_DISABLE_EXITS_MWAIT | \
+- KVM_X86_DISABLE_EXITS_HTL | \
++ KVM_X86_DISABLE_EXITS_HLT | \
+ KVM_X86_DISABLE_EXITS_PAUSE)
+
+ /* for KVM_ENABLE_CAP */
+--- a/tools/include/uapi/linux/kvm.h
++++ b/tools/include/uapi/linux/kvm.h
+@@ -677,10 +677,10 @@ struct kvm_ioeventfd {
+ };
+
+ #define KVM_X86_DISABLE_EXITS_MWAIT (1 << 0)
+-#define KVM_X86_DISABLE_EXITS_HTL (1 << 1)
++#define KVM_X86_DISABLE_EXITS_HLT (1 << 1)
+ #define KVM_X86_DISABLE_EXITS_PAUSE (1 << 2)
+ #define KVM_X86_DISABLE_VALID_EXITS (KVM_X86_DISABLE_EXITS_MWAIT | \
+- KVM_X86_DISABLE_EXITS_HTL | \
++ KVM_X86_DISABLE_EXITS_HLT | \
+ KVM_X86_DISABLE_EXITS_PAUSE)
+
+ /* for KVM_ENABLE_CAP */
--- /dev/null
+From 727ba748e110b4de50d142edca9d6a9b7e6111d8 Mon Sep 17 00:00:00 2001
+From: Felix Wilhelm <fwilhelm@google.com>
+Date: Mon, 11 Jun 2018 09:43:44 +0200
+Subject: kvm: nVMX: Enforce cpl=0 for VMX instructions
+
+From: Felix Wilhelm <fwilhelm@google.com>
+
+commit 727ba748e110b4de50d142edca9d6a9b7e6111d8 upstream.
+
+VMX instructions executed inside a L1 VM will always trigger a VM exit
+even when executed with cpl 3. This means we must perform the
+privilege check in software.
+
+Fixes: 70f3aac964ae("kvm: nVMX: Remove superfluous VMX instruction fault checks")
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Wilhelm <fwilhelm@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7670,6 +7670,12 @@ static int handle_vmon(struct kvm_vcpu *
+ return 1;
+ }
+
++ /* CPL=0 must be checked manually. */
++ if (vmx_get_cpl(vcpu)) {
++ kvm_queue_exception(vcpu, UD_VECTOR);
++ return 1;
++ }
++
+ if (vmx->nested.vmxon) {
+ nested_vmx_failValid(vcpu, VMXERR_VMXON_IN_VMX_ROOT_OPERATION);
+ return kvm_skip_emulated_instruction(vcpu);
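Review bot: The CPL check added to handle_vmon() queues #UD, but as I read the Intel SDM a VMX instruction executed at CPL > 0 with VMX available faults with #GP(0); #UD is for the cases where the instruction is not usable at all (CR4.VMXE clear, or not in VMX operation). The same applies to the check added at the top of nested_vmx_check_permission() in the next hunk, where it also runs before the `nested.vmxon` test, so a CPL-3 caller outside VMX operation takes the CPL branch rather than the vmxon one. Suggest `kvm_inject_gp(vcpu, 0);` in place of `kvm_queue_exception(vcpu, UD_VECTOR);` in both places, and moving the CPL test below the vmxon test in nested_vmx_check_permission(). The software privilege check itself is the security-relevant part and blocks the access either way; this is about the guest seeing the architectural fault, and both functions extend beyond their hunks.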
+@@ -7729,6 +7735,11 @@ static int handle_vmon(struct kvm_vcpu *
+ */
+ static int nested_vmx_check_permission(struct kvm_vcpu *vcpu)
+ {
++ if (vmx_get_cpl(vcpu)) {
++ kvm_queue_exception(vcpu, UD_VECTOR);
++ return 0;
++ }
++
+ if (!to_vmx(vcpu)->nested.vmxon) {
+ kvm_queue_exception(vcpu, UD_VECTOR);
+ return 0;
+@@ -8029,7 +8040,7 @@ static int handle_vmread(struct kvm_vcpu
+ if (get_vmx_mem_address(vcpu, exit_qualification,
+ vmx_instruction_info, true, &gva))
+ return 1;
+- /* _system ok, as hardware has verified cpl=0 */
++ /* _system ok, nested_vmx_check_permission has verified cpl=0 */
+ kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva,
+ &field_value, (is_long_mode(vcpu) ? 8 : 4), NULL);
+ }
+@@ -8189,7 +8200,7 @@ static int handle_vmptrst(struct kvm_vcp
+ if (get_vmx_mem_address(vcpu, exit_qualification,
+ vmx_instruction_info, true, &vmcs_gva))
+ return 1;
+- /* ok to use *_system, as hardware has verified cpl=0 */
++ /* *_system ok, nested_vmx_check_permission has verified cpl=0 */
+ if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva,
+ (void *)&to_vmx(vcpu)->nested.current_vmptr,
+ sizeof(u64), &e)) {
--- /dev/null
+From a780a3ea628268b2ad0ed43d7f28d90db0ff18be Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpengli@tencent.com>
+Date: Sun, 13 May 2018 02:24:47 -0700
+Subject: KVM: X86: Fix reserved bits check for MOV to CR3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li <wanpengli@tencent.com>
+
+commit a780a3ea628268b2ad0ed43d7f28d90db0ff18be upstream.
+
+MSB of CR3 is a reserved bit if the PCIDE bit is not set in CR4.
+It should be checked when PCIDE bit is not set, however commit
+'d1cd3ce900441 ("KVM: MMU: check guest CR3 reserved bits based on
+its physical address width")' removes the bit 63 checking
+unconditionally. This patch fixes it by checking bit 63 of CR3
+when PCIDE bit is not set in CR4.
+
+Fixes: d1cd3ce900441 (KVM: MMU: check guest CR3 reserved bits based on its physical address width)
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Liran Alon <liran.alon@oracle.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Junaid Shahid <junaids@google.com>
+Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 4 +++-
+ arch/x86/kvm/x86.c | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -4189,7 +4189,9 @@ static int check_cr_write(struct x86_emu
+ maxphyaddr = eax & 0xff;
+ else
+ maxphyaddr = 36;
+- rsvd = rsvd_bits(maxphyaddr, 62);
++ rsvd = rsvd_bits(maxphyaddr, 63);
++ if (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_PCIDE)
++ rsvd &= ~CR3_PCID_INVD;
+ }
+
+ if (new_val & rsvd)
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -856,7 +856,7 @@ int kvm_set_cr3(struct kvm_vcpu *vcpu, u
+ }
+
+ if (is_long_mode(vcpu) &&
+- (cr3 & rsvd_bits(cpuid_maxphyaddr(vcpu), 62)))
++ (cr3 & rsvd_bits(cpuid_maxphyaddr(vcpu), 63)))
+ return 1;
+ else if (is_pae(vcpu) && is_paging(vcpu) &&
+ !load_pdptrs(vcpu, vcpu->arch.walk_mmu, cr3))
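Review bot: With the upper bound raised to 63, this check in kvm_set_cr3() rejects any value with bit 63 set, and unlike the emulate.c hunk no `X86_CR4_PCIDE` exemption is visible here. Presumably `CR3_PCID_INVD` is stripped from `cr3` earlier in the function when PCIDE is enabled, but that code is outside the hunk; if so, a comment on the check such as `/* CR3_PCID_INVD was already cleared above when CR4.PCIDE=1 */` would make the two call sites visibly consistent. If it is not stripped, a guest that legitimately sets the no-invalidate bit would have its MOV to CR3 refused here.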
--- /dev/null
+From 79367a65743975e5cac8d24d08eccc7fdae832b0 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 6 Jun 2018 16:43:02 +0200
+Subject: KVM: x86: introduce linear_{read,write}_system
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 79367a65743975e5cac8d24d08eccc7fdae832b0 upstream.
+
+Wrap the common invocation of ctxt->ops->read_std and ctxt->ops->write_std, so
+as to have a smaller patch when the functions grow another argument.
+
+Fixes: 129a72a0d3c8 ("KVM: x86: Introduce segmented_write_std", 2017-01-12)
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 64 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 32 insertions(+), 32 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -812,6 +812,19 @@ static inline int jmp_rel(struct x86_emu
+ return assign_eip_near(ctxt, ctxt->_eip + rel);
+ }
+
++static int linear_read_system(struct x86_emulate_ctxt *ctxt, ulong linear,
++ void *data, unsigned size)
++{
++ return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
++}
++
++static int linear_write_system(struct x86_emulate_ctxt *ctxt,
++ ulong linear, void *data,
++ unsigned int size)
++{
++ return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
++}
++
+ static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
+ struct segmented_address addr,
+ void *data,
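Review bot: The two new helpers declare the same parameter differently, `unsigned size` in linear_read_system() and `unsigned int size` in linear_write_system(); use `unsigned int size` in both. They also carry no comment saying what "_system" promises: at this commit both simply forward to `read_std` / `write_std`, and the converted callers are descriptor-table and TSS accesses. A short comment above them, along the lines of `/* implicit system accesses (IDT/GDT/LDT, TSS); not for operands accessed on behalf of the guest's current CPL */`, would keep later users from choosing the wrong helper once the privilege argument is added. That wording is inferred from the call sites in this patch and should be confirmed by the author.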
+@@ -1496,8 +1509,7 @@ static int read_interrupt_descriptor(str
+ return emulate_gp(ctxt, index << 3 | 0x2);
+
+ addr = dt.address + index * 8;
+- return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
+- &ctxt->exception);
++ return linear_read_system(ctxt, addr, desc, sizeof *desc);
+ }
+
+ static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
+@@ -1560,8 +1572,7 @@ static int read_segment_descriptor(struc
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+- return ctxt->ops->read_std(ctxt, *desc_addr_p, desc, sizeof(*desc),
+- &ctxt->exception);
++ return linear_read_system(ctxt, *desc_addr_p, desc, sizeof(*desc));
+ }
+
+ /* allowed just for 8 bytes segments */
+@@ -1575,8 +1586,7 @@ static int write_segment_descriptor(stru
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+- return ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc,
+- &ctxt->exception);
++ return linear_write_system(ctxt, addr, desc, sizeof *desc);
+ }
+
+ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
+@@ -1737,8 +1747,7 @@ static int __load_segment_descriptor(str
+ return ret;
+ }
+ } else if (ctxt->mode == X86EMUL_MODE_PROT64) {
+- ret = ctxt->ops->read_std(ctxt, desc_addr+8, &base3,
+- sizeof(base3), &ctxt->exception);
++ ret = linear_read_system(ctxt, desc_addr+8, &base3, sizeof(base3));
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+ if (emul_is_noncanonical_address(get_desc_base(&seg_desc) |
+@@ -2051,11 +2060,11 @@ static int __emulate_int_real(struct x86
+ eip_addr = dt.address + (irq << 2);
+ cs_addr = dt.address + (irq << 2) + 2;
+
+- rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception);
++ rc = linear_read_system(ctxt, cs_addr, &cs, 2);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+- rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception);
++ rc = linear_read_system(ctxt, eip_addr, &eip, 2);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+@@ -3053,35 +3062,30 @@ static int task_switch_16(struct x86_emu
+ u16 tss_selector, u16 old_tss_sel,
+ ulong old_tss_base, struct desc_struct *new_desc)
+ {
+- const struct x86_emulate_ops *ops = ctxt->ops;
+ struct tss_segment_16 tss_seg;
+ int ret;
+ u32 new_tss_base = get_desc_base(new_desc);
+
+- ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
+- &ctxt->exception);
++ ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+
+ save_state_to_tss16(ctxt, &tss_seg);
+
+- ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
+- &ctxt->exception);
++ ret = linear_write_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+
+- ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
+- &ctxt->exception);
++ ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof tss_seg);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+
+ if (old_tss_sel != 0xffff) {
+ tss_seg.prev_task_link = old_tss_sel;
+
+- ret = ops->write_std(ctxt, new_tss_base,
+- &tss_seg.prev_task_link,
+- sizeof tss_seg.prev_task_link,
+- &ctxt->exception);
++ ret = linear_write_system(ctxt, new_tss_base,
++ &tss_seg.prev_task_link,
++ sizeof tss_seg.prev_task_link);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+ }
+@@ -3197,38 +3201,34 @@ static int task_switch_32(struct x86_emu
+ u16 tss_selector, u16 old_tss_sel,
+ ulong old_tss_base, struct desc_struct *new_desc)
+ {
+- const struct x86_emulate_ops *ops = ctxt->ops;
+ struct tss_segment_32 tss_seg;
+ int ret;
+ u32 new_tss_base = get_desc_base(new_desc);
+ u32 eip_offset = offsetof(struct tss_segment_32, eip);
+ u32 ldt_sel_offset = offsetof(struct tss_segment_32, ldt_selector);
+
+- ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
+- &ctxt->exception);
++ ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+
+ save_state_to_tss32(ctxt, &tss_seg);
+
+ /* Only GP registers and segment selectors are saved */
+- ret = ops->write_std(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
+- ldt_sel_offset - eip_offset, &ctxt->exception);
++ ret = linear_write_system(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
++ ldt_sel_offset - eip_offset);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+
+- ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
+- &ctxt->exception);
++ ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof tss_seg);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+
+ if (old_tss_sel != 0xffff) {
+ tss_seg.prev_task_link = old_tss_sel;
+
+- ret = ops->write_std(ctxt, new_tss_base,
+- &tss_seg.prev_task_link,
+- sizeof tss_seg.prev_task_link,
+- &ctxt->exception);
++ ret = linear_write_system(ctxt, new_tss_base,
++ &tss_seg.prev_task_link,
++ sizeof tss_seg.prev_task_link);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+ }
--- /dev/null
+From ce14e868a54edeb2e30cb7a7b104a2fc4b9d76ca Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 6 Jun 2018 17:37:49 +0200
+Subject: KVM: x86: pass kvm_vcpu to kvm_read_guest_virt and kvm_write_guest_virt_system
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit ce14e868a54edeb2e30cb7a7b104a2fc4b9d76ca upstream.
+
+Int the next patch the emulator's .read_std and .write_std callbacks will
+grow another argument, which is not needed in kvm_read_guest_virt and
+kvm_write_guest_virt_system's callers. Since we have to make separate
+functions, let's give the currently existing names a nicer interface, too.
+
+Fixes: 129a72a0d3c8 ("KVM: x86: Introduce segmented_write_std", 2017-01-12)
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 23 ++++++++++-------------
+ arch/x86/kvm/x86.c | 39 ++++++++++++++++++++++++++-------------
+ arch/x86/kvm/x86.h | 4 ++--
+ 3 files changed, 38 insertions(+), 28 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7588,8 +7588,7 @@ static int nested_vmx_get_vmptr(struct k
+ vmcs_read32(VMX_INSTRUCTION_INFO), false, &gva))
+ return 1;
+
+- if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, vmpointer,
+- sizeof(*vmpointer), &e)) {
++ if (kvm_read_guest_virt(vcpu, gva, vmpointer, sizeof(*vmpointer), &e)) {
+ kvm_inject_page_fault(vcpu, &e);
+ return 1;
+ }
+@@ -8041,8 +8040,8 @@ static int handle_vmread(struct kvm_vcpu
+ vmx_instruction_info, true, &gva))
+ return 1;
+ /* _system ok, nested_vmx_check_permission has verified cpl=0 */
+- kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva,
+- &field_value, (is_long_mode(vcpu) ? 8 : 4), NULL);
++ kvm_write_guest_virt_system(vcpu, gva, &field_value,
++ (is_long_mode(vcpu) ? 8 : 4), NULL);
+ }
+
+ nested_vmx_succeed(vcpu);
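Review bot: In handle_vmread() the return value of `kvm_write_guest_virt_system()` is discarded and the exception pointer is NULL, so a write to an unmapped or read-only guest address is dropped silently and the instruction is still reported as successful through nested_vmx_succeed(). handle_vmptrst() in this same patch checks the result and calls kvm_inject_page_fault(). Since the call is being rewritten here anyway, consider the same pattern: pass `&e`, and on a non-zero return do `kvm_inject_page_fault(vcpu, &e); return 1;`. Whether a `struct x86_exception e` is already declared in handle_vmread() is not visible in this hunk.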
+@@ -8080,8 +8079,8 @@ static int handle_vmwrite(struct kvm_vcp
+ if (get_vmx_mem_address(vcpu, exit_qualification,
+ vmx_instruction_info, false, &gva))
+ return 1;
+- if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva,
+- &field_value, (is_64_bit_mode(vcpu) ? 8 : 4), &e)) {
++ if (kvm_read_guest_virt(vcpu, gva, &field_value,
++ (is_64_bit_mode(vcpu) ? 8 : 4), &e)) {
+ kvm_inject_page_fault(vcpu, &e);
+ return 1;
+ }
+@@ -8201,9 +8200,9 @@ static int handle_vmptrst(struct kvm_vcp
+ vmx_instruction_info, true, &vmcs_gva))
+ return 1;
+ /* *_system ok, nested_vmx_check_permission has verified cpl=0 */
+- if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva,
+- (void *)&to_vmx(vcpu)->nested.current_vmptr,
+- sizeof(u64), &e)) {
++ if (kvm_write_guest_virt_system(vcpu, vmcs_gva,
++ (void *)&to_vmx(vcpu)->nested.current_vmptr,
++ sizeof(u64), &e)) {
+ kvm_inject_page_fault(vcpu, &e);
+ return 1;
+ }
+@@ -8250,8 +8249,7 @@ static int handle_invept(struct kvm_vcpu
+ if (get_vmx_mem_address(vcpu, vmcs_readl(EXIT_QUALIFICATION),
+ vmx_instruction_info, false, &gva))
+ return 1;
+- if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, &operand,
+- sizeof(operand), &e)) {
++ if (kvm_read_guest_virt(vcpu, gva, &operand, sizeof(operand), &e)) {
+ kvm_inject_page_fault(vcpu, &e);
+ return 1;
+ }
+@@ -8315,8 +8313,7 @@ static int handle_invvpid(struct kvm_vcp
+ if (get_vmx_mem_address(vcpu, vmcs_readl(EXIT_QUALIFICATION),
+ vmx_instruction_info, false, &gva))
+ return 1;
+- if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, &operand,
+- sizeof(operand), &e)) {
++ if (kvm_read_guest_virt(vcpu, gva, &operand, sizeof(operand), &e)) {
+ kvm_inject_page_fault(vcpu, &e);
+ return 1;
+ }
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4787,11 +4787,10 @@ static int kvm_fetch_guest_virt(struct x
+ return X86EMUL_CONTINUE;
+ }
+
+-int kvm_read_guest_virt(struct x86_emulate_ctxt *ctxt,
++int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
+ gva_t addr, void *val, unsigned int bytes,
+ struct x86_exception *exception)
+ {
+- struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
+ u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
+
+ return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
+@@ -4799,9 +4798,9 @@ int kvm_read_guest_virt(struct x86_emula
+ }
+ EXPORT_SYMBOL_GPL(kvm_read_guest_virt);
+
+-static int kvm_read_guest_virt_system(struct x86_emulate_ctxt *ctxt,
+- gva_t addr, void *val, unsigned int bytes,
+- struct x86_exception *exception)
++static int emulator_read_std(struct x86_emulate_ctxt *ctxt,
++ gva_t addr, void *val, unsigned int bytes,
++ struct x86_exception *exception)
+ {
+ struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
+ return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, exception);
+@@ -4816,18 +4815,16 @@ static int kvm_read_guest_phys_system(st
+ return r < 0 ? X86EMUL_IO_NEEDED : X86EMUL_CONTINUE;
+ }
+
+-int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt,
+- gva_t addr, void *val,
+- unsigned int bytes,
+- struct x86_exception *exception)
++static int kvm_write_guest_virt_helper(gva_t addr, void *val, unsigned int bytes,
++ struct kvm_vcpu *vcpu, u32 access,
++ struct x86_exception *exception)
+ {
+- struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
+ void *data = val;
+ int r = X86EMUL_CONTINUE;
+
+ while (bytes) {
+ gpa_t gpa = vcpu->arch.walk_mmu->gva_to_gpa(vcpu, addr,
+- PFERR_WRITE_MASK,
++ access,
+ exception);
+ unsigned offset = addr & (PAGE_SIZE-1);
+ unsigned towrite = min(bytes, (unsigned)PAGE_SIZE - offset);
+@@ -4848,6 +4845,22 @@ int kvm_write_guest_virt_system(struct x
+ out:
+ return r;
+ }
++
++static int emulator_write_std(struct x86_emulate_ctxt *ctxt, gva_t addr, void *val,
++ unsigned int bytes, struct x86_exception *exception)
++{
++ struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
++
++ return kvm_write_guest_virt_helper(addr, val, bytes, vcpu,
++ PFERR_WRITE_MASK, exception);
++}
++
++int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu, gva_t addr, void *val,
++ unsigned int bytes, struct x86_exception *exception)
++{
++ return kvm_write_guest_virt_helper(addr, val, bytes, vcpu,
++ PFERR_WRITE_MASK, exception);
++}
+ EXPORT_SYMBOL_GPL(kvm_write_guest_virt_system);
+
+ int handle_ud(struct kvm_vcpu *vcpu)
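Review bot: emulator_write_std hard-codes `PFERR_WRITE_MASK` and emulator_read_std (previous hunk) passes `0`, so every access the instruction emulator makes through `.read_std`/`.write_std` is translated with supervisor rights, whereas kvm_read_guest_virt in the same file adds `PFERR_USER_MASK` when `get_cpl()` is 3. Now that kvm_write_guest_virt_helper takes an `access` argument, the callbacks could tell implicit system accesses apart from accesses made on behalf of guest CPL 3 code. Which emulated instructions reach these callbacks is not visible in this patch, so at minimum put a comment above both wrappers, e.g. `/* always a supervisor access; not suitable for operands of CPL 3 instructions */`. emulator_write_std and kvm_write_guest_virt_system also make the same helper call and differ only in how they obtain `vcpu`, which deserves a one-line comment explaining why both exist.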
+@@ -5600,8 +5613,8 @@ static int emulator_pre_leave_smm(struct
+ static const struct x86_emulate_ops emulate_ops = {
+ .read_gpr = emulator_read_gpr,
+ .write_gpr = emulator_write_gpr,
+- .read_std = kvm_read_guest_virt_system,
+- .write_std = kvm_write_guest_virt_system,
++ .read_std = emulator_read_std,
++ .write_std = emulator_write_std,
+ .read_phys = kvm_read_guest_phys_system,
+ .fetch = kvm_fetch_guest_virt,
+ .read_emulated = emulator_read_emulated,
+--- a/arch/x86/kvm/x86.h
++++ b/arch/x86/kvm/x86.h
+@@ -247,11 +247,11 @@ int kvm_inject_realmode_interrupt(struct
+ void kvm_write_tsc(struct kvm_vcpu *vcpu, struct msr_data *msr);
+ u64 get_kvmclock_ns(struct kvm *kvm);
+
+-int kvm_read_guest_virt(struct x86_emulate_ctxt *ctxt,
++int kvm_read_guest_virt(struct kvm_vcpu *vcpu,
+ gva_t addr, void *val, unsigned int bytes,
+ struct x86_exception *exception);
+
+-int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt,
++int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu,
+ gva_t addr, void *val, unsigned int bytes,
+ struct x86_exception *exception);
+
--- /dev/null
+From dbafc28955fa6779dc23d1607a0fee5e509a278b Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sun, 20 May 2018 15:19:46 +0200
+Subject: NFC: pn533: don't send USB data off of the stack
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit dbafc28955fa6779dc23d1607a0fee5e509a278b upstream.
+
+It's amazing that this driver ever worked, but now that x86 doesn't
+allow USB data to be sent off of the stack, it really does not work at
+all. Fix this up by properly allocating the data for the small
+"commands" that get sent to the device off of the stack.
+
+We do this for one command by having a whole urb just for ack messages,
+as they can be submitted in interrupt context, so we can not use
+usb_bulk_msg(). But the poweron command can sleep (and does), so use
+usb_bulk_msg() for that transfer.
+
+Reported-by: Carlos Manuel Santos <cmmpsantos@gmail.com>
+Cc: Samuel Ortiz <sameo@linux.intel.com>
+Cc: Stephen Hemminger <stephen@networkplumber.org>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nfc/pn533/usb.c | 42 ++++++++++++++++++++++++++++++------------
+ 1 file changed, 30 insertions(+), 12 deletions(-)
+
+--- a/drivers/nfc/pn533/usb.c
++++ b/drivers/nfc/pn533/usb.c
+@@ -62,6 +62,9 @@ struct pn533_usb_phy {
+ struct urb *out_urb;
+ struct urb *in_urb;
+
++ struct urb *ack_urb;
++ u8 *ack_buffer;
++
+ struct pn533 *priv;
+ };
+
+@@ -150,13 +153,16 @@ static int pn533_usb_send_ack(struct pn5
+ struct pn533_usb_phy *phy = dev->phy;
+ static const u8 ack[6] = {0x00, 0x00, 0xff, 0x00, 0xff, 0x00};
+ /* spec 7.1.1.3: Preamble, SoPC (2), ACK Code (2), Postamble */
+- int rc;
+
+- phy->out_urb->transfer_buffer = (u8 *)ack;
+- phy->out_urb->transfer_buffer_length = sizeof(ack);
+- rc = usb_submit_urb(phy->out_urb, flags);
++ if (!phy->ack_buffer) {
++ phy->ack_buffer = kmemdup(ack, sizeof(ack), flags);
++ if (!phy->ack_buffer)
++ return -ENOMEM;
++ }
+
+- return rc;
++ phy->ack_urb->transfer_buffer = phy->ack_buffer;
++ phy->ack_urb->transfer_buffer_length = sizeof(ack);
++ return usb_submit_urb(phy->ack_urb, flags);
+ }
+
+ static int pn533_usb_send_frame(struct pn533 *dev,
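Review bot: `ack_buffer` is allocated lazily inside pn533_usb_send_ack with the caller's `flags`, and the commit message says ACKs can be submitted from interrupt context, so the first ACK depends on an atomic allocation and can fail with -ENOMEM. Allocating it once in pn533_usb_probe next to `phy->ack_urb = usb_alloc_urb(0, GFP_KERNEL);` (and freeing it on the probe error path) would remove that failure mode. It would also remove the unsynchronised `if (!phy->ack_buffer)` check, which could allocate twice if two callers ever reach it concurrently; whether they can is not visible in the hunk. If the lazy form stays, add a comment saying why the buffer is not set up in probe.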
+@@ -375,26 +381,31 @@ static int pn533_acr122_poweron_rdr(stru
+ /* Power on th reader (CCID cmd) */
+ u8 cmd[10] = {PN533_ACR122_PC_TO_RDR_ICCPOWERON,
+ 0, 0, 0, 0, 0, 0, 3, 0, 0};
++ char *buffer;
++ int transferred;
+ int rc;
+ void *cntx;
+ struct pn533_acr122_poweron_rdr_arg arg;
+
+ dev_dbg(&phy->udev->dev, "%s\n", __func__);
+
++ buffer = kmemdup(cmd, sizeof(cmd), GFP_KERNEL);
++ if (!buffer)
++ return -ENOMEM;
++
+ init_completion(&arg.done);
+ cntx = phy->in_urb->context; /* backup context */
+
+ phy->in_urb->complete = pn533_acr122_poweron_rdr_resp;
+ phy->in_urb->context = &arg;
+
+- phy->out_urb->transfer_buffer = cmd;
+- phy->out_urb->transfer_buffer_length = sizeof(cmd);
+-
+ print_hex_dump_debug("ACR122 TX: ", DUMP_PREFIX_NONE, 16, 1,
+ cmd, sizeof(cmd), false);
+
+- rc = usb_submit_urb(phy->out_urb, GFP_KERNEL);
+- if (rc) {
++ rc = usb_bulk_msg(phy->udev, phy->out_urb->pipe, buffer, sizeof(cmd),
++ &transferred, 0);
++ kfree(buffer);
++ if (rc || (transferred != sizeof(cmd))) {
+ nfc_err(&phy->udev->dev,
+ "Reader power on cmd error %d\n", rc);
+ return rc;
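Review bot: The new check `if (rc || (transferred != sizeof(cmd)))` also catches a short transfer, but in that case `rc` is 0, so the message prints "error 0" and `return rc;` reports success to the caller. Return a real error for the short-write case, e.g. `return rc ? rc : -EIO;`. On this error return `phy->in_urb->complete` and `->context` still point at the handler and the on-stack `arg`, because the saved `cntx` is not restored in the visible lines. `usb_bulk_msg()` is also called with a timeout of 0, which waits without limit, so a finite timeout would keep an unresponsive reader from blocking the caller indefinitely. The function body continues outside the hunk.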
+@@ -490,8 +501,9 @@ static int pn533_usb_probe(struct usb_in
+
+ phy->in_urb = usb_alloc_urb(0, GFP_KERNEL);
+ phy->out_urb = usb_alloc_urb(0, GFP_KERNEL);
++ phy->ack_urb = usb_alloc_urb(0, GFP_KERNEL);
+
+- if (!phy->in_urb || !phy->out_urb)
++ if (!phy->in_urb || !phy->out_urb || !phy->ack_urb)
+ goto error;
+
+ usb_fill_bulk_urb(phy->in_urb, phy->udev,
+@@ -501,7 +513,9 @@ static int pn533_usb_probe(struct usb_in
+ usb_fill_bulk_urb(phy->out_urb, phy->udev,
+ usb_sndbulkpipe(phy->udev, out_endpoint),
+ NULL, 0, pn533_send_complete, phy);
+-
++ usb_fill_bulk_urb(phy->ack_urb, phy->udev,
++ usb_sndbulkpipe(phy->udev, out_endpoint),
++ NULL, 0, pn533_send_complete, phy);
+
+ switch (id->driver_info) {
+ case PN533_DEVICE_STD:
+@@ -554,6 +568,7 @@ static int pn533_usb_probe(struct usb_in
+ error:
+ usb_free_urb(phy->in_urb);
+ usb_free_urb(phy->out_urb);
++ usb_free_urb(phy->ack_urb);
+ usb_put_dev(phy->udev);
+ kfree(in_buf);
+
+@@ -573,10 +588,13 @@ static void pn533_usb_disconnect(struct
+
+ usb_kill_urb(phy->in_urb);
+ usb_kill_urb(phy->out_urb);
++ usb_kill_urb(phy->ack_urb);
+
+ kfree(phy->in_urb->transfer_buffer);
+ usb_free_urb(phy->in_urb);
+ usb_free_urb(phy->out_urb);
++ usb_free_urb(phy->ack_urb);
++ kfree(phy->ack_buffer);
+
+ nfc_info(&interface->dev, "NXP PN533 NFC device disconnected\n");
+ }
--- /dev/null
+From 0b4555e776ba0712c6fafb98b226b21fd05d2427 Mon Sep 17 00:00:00 2001
+From: Manu Gautam <mgautam@codeaurora.org>
+Date: Thu, 3 May 2018 02:36:10 +0530
+Subject: phy: qcom-qusb2: Fix crash if nvmem cell not specified
+
+From: Manu Gautam <mgautam@codeaurora.org>
+
+commit 0b4555e776ba0712c6fafb98b226b21fd05d2427 upstream.
+
+Driver currently crashes due to NULL pointer dereference
+while updating PHY tune register if nvmem cell is NULL.
+Since, fused value for Tune1/2 register is optional,
+we'd rather bail out.
+
+Fixes: ca04d9d3e1b1 ("phy: qcom-qusb2: New driver for QUSB2 PHY on Qcom chips")
+Reviewed-by: Vivek Gautam <vivek.gautam@codeaurora.org>
+Reviewed-by: Evan Green <evgreen@chromium.org>
+Cc: stable <stable@vger.kernel.org> # 4.14+
+Signed-off-by: Manu Gautam <mgautam@codeaurora.org>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/phy/qualcomm/phy-qcom-qusb2.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c
++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+@@ -315,6 +315,10 @@ static void qusb2_phy_set_tune2_param(st
+ const struct qusb2_phy_cfg *cfg = qphy->cfg;
+ u8 *val;
+
++ /* efuse register is optional */
++ if (!qphy->cell)
++ return;
++
+ /*
+ * Read efuse register having TUNE2/1 parameter's high nibble.
+ * If efuse register shows value as 0x0, or if we fail to find
--- /dev/null
+From 13dc04d0e5fdc25c8f713ad23fdce51cf2bf96ba Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Fri, 4 May 2018 10:44:09 -0700
+Subject: serial: 8250: omap: Fix idling of clocks for unused uarts
+
+From: Tony Lindgren <tony@atomide.com>
+
+commit 13dc04d0e5fdc25c8f713ad23fdce51cf2bf96ba upstream.
+
+I noticed that unused UARTs won't necessarily idle properly always
+unless at least one byte tx transfer is done first.
+
+After some debugging I narrowed down the problem to the scr register
+dma configuration bits that need to be set before softreset for the
+clocks to idle. Unless we do this, the module clkctrl idlest bits
+may be set to 1 instead of 3 meaning the clock will never idle and
+is blocking deeper idle states for the whole domain.
+
+This might be related to the configuration done by the bootloader
+or kexec booting where certain configurations cause the 8250 or
+the clkctrl clock to jam in a way where setting of the scr bits
+and reset is needed to clear it. I've tried diffing the 8250
+registers for the various modes, but did not see anything specific.
+So far I've only seen this on omap4 but I'm suspecting this might
+also happen on the other clkctrl using SoCs considering they
+already have a quirk enabled for UART_ERRATA_CLOCK_DISABLE.
+
+Let's fix the issue by configuring scr before reset for basic dma
+even if we don't use it. The scr register will be reset when we do
+softreset few lines after, and we restore scr on resume. We should
+do this for all the SoCs with UART_ERRATA_CLOCK_DISABLE quirk flag
+set since the ones with UART_ERRATA_CLOCK_DISABLE are all based
+using clkctrl similar to omap4.
+
+Looks like both OMAP_UART_SCR_DMAMODE_1 | OMAP_UART_SCR_DMAMODE_CTL
+bits are needed for the clkctrl to idle after a softreset.
+
+And we need to add omap4 to also use the UART_ERRATA_CLOCK_DISABLE
+for the related workaround to be enabled. This same compatible
+value will also be used for omap5.
+
+Fixes: cdb929e4452a ("serial: 8250_omap: workaround errata around idling UART after using DMA")
+Cc: Keerthy <j-keerthy@ti.com>
+Cc: Matthijs van Duin <matthijsvanduin@gmail.com>
+Cc: Sekhar Nori <nsekhar@ti.com>
+Cc: Tero Kristo <t-kristo@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_omap.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -1110,13 +1110,14 @@ static int omap8250_no_handle_irq(struct
+ return 0;
+ }
+
++static const u8 omap4_habit = UART_ERRATA_CLOCK_DISABLE;
+ static const u8 am3352_habit = OMAP_DMA_TX_KICK | UART_ERRATA_CLOCK_DISABLE;
+ static const u8 dra742_habit = UART_ERRATA_CLOCK_DISABLE;
+
+ static const struct of_device_id omap8250_dt_ids[] = {
+ { .compatible = "ti,omap2-uart" },
+ { .compatible = "ti,omap3-uart" },
+- { .compatible = "ti,omap4-uart" },
++ { .compatible = "ti,omap4-uart", .data = &omap4_habit, },
+ { .compatible = "ti,am3352-uart", .data = &am3352_habit, },
+ { .compatible = "ti,am4372-uart", .data = &am3352_habit, },
+ { .compatible = "ti,dra742-uart", .data = &dra742_habit, },
+@@ -1353,6 +1354,19 @@ static int omap8250_soft_reset(struct de
+ int sysc;
+ int syss;
+
++ /*
++ * At least on omap4, unused uarts may not idle after reset without
++ * a basic scr dma configuration even with no dma in use. The
++ * module clkctrl status bits will be 1 instead of 3 blocking idle
++ * for the whole clockdomain. The softreset below will clear scr,
++ * and we restore it on resume so this is safe to do on all SoCs
++ * needing omap8250_soft_reset() quirk. Do it in two writes as
++ * recommended in the comment for omap8250_update_scr().
++ */
++ serial_out(up, UART_OMAP_SCR, OMAP_UART_SCR_DMAMODE_1);
++ serial_out(up, UART_OMAP_SCR,
++ OMAP_UART_SCR_DMAMODE_1 | OMAP_UART_SCR_DMAMODE_CTL);
++
+ sysc = serial_in(up, UART_OMAP_SYSC);
+
+ /* softreset the UART */
--- /dev/null
+From aa2f80e752c75e593b3820f42c416ed9458fa73e Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Thu, 10 May 2018 08:41:13 +0200
+Subject: serial: samsung: fix maxburst parameter for DMA transactions
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit aa2f80e752c75e593b3820f42c416ed9458fa73e upstream.
+
+The best granularity of residue that DMA engine can report is in the BURST
+units, so the serial driver must use MAXBURST = 1 and DMA_SLAVE_BUSWIDTH_1_BYTE
+if it relies on exact number of bytes transferred by DMA engine.
+
+Fixes: 62c37eedb74c ("serial: samsung: add dma reqest/release functions")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Acked-by: Krzysztof Kozlowski <krzk@kernel.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/samsung.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/tty/serial/samsung.c
++++ b/drivers/tty/serial/samsung.c
+@@ -862,15 +862,12 @@ static int s3c24xx_serial_request_dma(st
+ dma->rx_conf.direction = DMA_DEV_TO_MEM;
+ dma->rx_conf.src_addr_width = DMA_SLAVE_BUSWIDTH_1_BYTE;
+ dma->rx_conf.src_addr = p->port.mapbase + S3C2410_URXH;
+- dma->rx_conf.src_maxburst = 16;
++ dma->rx_conf.src_maxburst = 1;
+
+ dma->tx_conf.direction = DMA_MEM_TO_DEV;
+ dma->tx_conf.dst_addr_width = DMA_SLAVE_BUSWIDTH_1_BYTE;
+ dma->tx_conf.dst_addr = p->port.mapbase + S3C2410_UTXH;
+- if (dma_get_cache_alignment() >= 16)
+- dma->tx_conf.dst_maxburst = 16;
+- else
+- dma->tx_conf.dst_maxburst = 1;
++ dma->tx_conf.dst_maxburst = 1;
+
+ dma->rx_chan = dma_request_chan(p->port.dev, "rx");
+
--- /dev/null
+From d63c16f8e1ab761775275adcf54f4bef7c330295 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 1 Jun 2018 11:28:21 +0200
+Subject: serial: sh-sci: Stop using printk format %pCr
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit d63c16f8e1ab761775275adcf54f4bef7c330295 upstream.
+
+Printk format "%pCr" will be removed soon, as clk_get_rate() must not be
+called in atomic context.
+
+Replace it by open-coding the operation. This is safe here, as the code
+runs in task context.
+
+Link: http://lkml.kernel.org/r/1527845302-12159-4-git-send-email-geert+renesas@glider.be
+To: Jia-Ju Bai <baijiaju1990@gmail.com>
+To: Jonathan Corbet <corbet@lwn.net>
+To: Michael Turquette <mturquette@baylibre.com>
+To: Stephen Boyd <sboyd@kernel.org>
+To: Zhang Rui <rui.zhang@intel.com>
+To: Eduardo Valentin <edubezval@gmail.com>
+To: Eric Anholt <eric@anholt.net>
+To: Stefan Wahren <stefan.wahren@i2se.com>
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: linux-doc@vger.kernel.org
+Cc: linux-clk@vger.kernel.org
+Cc: linux-pm@vger.kernel.org
+Cc: linux-serial@vger.kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-renesas-soc@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: stable@vger.kernel.org # 4.5+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/sh-sci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -2704,8 +2704,8 @@ found:
+ dev_dbg(dev, "failed to get %s (%ld)\n", clk_names[i],
+ PTR_ERR(clk));
+ else
+- dev_dbg(dev, "clk %s is %pC rate %pCr\n", clk_names[i],
+- clk, clk);
++ dev_dbg(dev, "clk %s is %pC rate %lu\n", clk_names[i],
++ clk, clk_get_rate(clk));
+ sci_port->clks[i] = IS_ERR(clk) ? NULL : clk;
+ }
+ return 0;
crypto-chelsio-request-to-hw-should-wrap.patch
blkdev_report_zones_ioctl-use-vmalloc-to-allocate-large-buffers.patch
+kvm-x86-fix-reserved-bits-check-for-mov-to-cr3.patch
+kvm-x86-introduce-linear_-read-write-_system.patch
+kvm-fix-typo-in-flag-name.patch
+kvm-nvmx-enforce-cpl-0-for-vmx-instructions.patch
+kvm-x86-pass-kvm_vcpu-to-kvm_read_guest_virt-and-kvm_write_guest_virt_system.patch
+staging-android-ion-switch-to-pr_warn_once-in-ion_buffer_destroy.patch
+nfc-pn533-don-t-send-usb-data-off-of-the-stack.patch
+usbip-vhci_sysfs-fix-potential-spectre-v1.patch
+usb-storage-add-support-for-fl_always_sync-flag-in-the-uas-driver.patch
+usb-storage-add-compatibility-quirk-flags-for-g-technologies-g-drive.patch
+input-xpad-add-gpd-win-2-controller-usb-ids.patch
+phy-qcom-qusb2-fix-crash-if-nvmem-cell-not-specified.patch
+usb-core-message-remove-extra-endianness-conversion-in-usb_set_isoch_delay.patch
+usb-typec-wcove-remove-dependency-on-hw-fsm.patch
+usb-gadget-function-printer-avoid-wrong-list-handling-in-printer_write.patch
+usb-gadget-udc-renesas_usb3-fix-double-phy_put.patch
+usb-gadget-udc-renesas_usb3-should-remove-debugfs.patch
+usb-gadget-udc-renesas_usb3-should-call-pm_runtime_enable-before-add-udc.patch
+usb-gadget-udc-renesas_usb3-should-call-devm_phy_get-before-add-udc.patch
+usb-gadget-udc-renesas_usb3-should-fail-if-devm_phy_get-returns-error.patch
+usb-gadget-udc-renesas_usb3-disable-the-controller-s-irqs-for-reconnecting.patch
+serial-sh-sci-stop-using-printk-format-pcr.patch
+tty-serial-atmel-use-port-name-as-name-in-request_irq.patch
+serial-samsung-fix-maxburst-parameter-for-dma-transactions.patch
+serial-8250-omap-fix-idling-of-clocks-for-unused-uarts.patch
+vmw_balloon-fixing-double-free-when-batching-mode-is-off.patch
+doc-fix-sysfs-abi-documentation.patch
+arm64-defconfig-enable-config_pinctrl_mt7622-by-default.patch
+tty-pl011-avoid-spuriously-stuck-off-interrupts.patch
+crypto-ccree-correct-host-regs-offset.patch
--- /dev/null
+From 45ad559a29629cb1c64ee636563c69b71524f077 Mon Sep 17 00:00:00 2001
+From: Laura Abbott <labbott@redhat.com>
+Date: Mon, 14 May 2018 14:35:09 -0700
+Subject: staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy
+
+From: Laura Abbott <labbott@redhat.com>
+
+commit 45ad559a29629cb1c64ee636563c69b71524f077 upstream.
+
+Syzbot reported yet another warning with Ion:
+
+WARNING: CPU: 0 PID: 1467 at drivers/staging/android/ion/ion.c:122
+ion_buffer_destroy+0xd4/0x190 drivers/staging/android/ion/ion.c:122
+Kernel panic - not syncing: panic_on_warn set ...
+
+This is catching that a buffer was freed with an existing kernel mapping
+still present. This can easily be triggered from userspace by calling
+DMA_BUF_SYNC_START without calling DMA_BUF_SYNC_END. Switch to a single
+pr_warn_once to indicate the error without being disruptive.
+
+Reported-by: syzbot+cd8bcd40cb049efa2770@syzkaller.appspotmail.com
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/android/ion/ion.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/android/ion/ion.c
++++ b/drivers/staging/android/ion/ion.c
+@@ -114,8 +114,11 @@ err2:
+
+ void ion_buffer_destroy(struct ion_buffer *buffer)
+ {
+- if (WARN_ON(buffer->kmap_cnt > 0))
++ if (buffer->kmap_cnt > 0) {
++ pr_warn_once("%s: buffer still mapped in the kernel\n",
++ __func__);
+ buffer->heap->ops->unmap_kernel(buffer->heap, buffer);
++ }
+ buffer->heap->ops->free(buffer);
+ kfree(buffer);
+ }
--- /dev/null
+From 4a7e625ce50412a7711efa0f2ef0b96ce3826759 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Thu, 10 May 2018 18:08:23 +0100
+Subject: tty: pl011: Avoid spuriously stuck-off interrupts
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit 4a7e625ce50412a7711efa0f2ef0b96ce3826759 upstream.
+
+Commit 9b96fbacda34 ("serial: PL011: clear pending interrupts")
+clears the RX and receive timeout interrupts on pl011 startup, to
+avoid a screaming-interrupt scenario that can occur when the
+firmware or bootloader leaves these interrupts asserted.
+
+This has been noted as an issue when running Linux on qemu [1].
+
+Unfortunately, the above fix seems to lead to potential
+misbehaviour if the RX FIFO interrupt is asserted _non_ spuriously
+on driver startup, if the RX FIFO is also already full to the
+trigger level.
+
+Clearing the RX FIFO interrupt does not change the FIFO fill level.
+In this scenario, because the interrupt is now clear and because
+the FIFO is already full to the trigger level, no new assertion of
+the RX FIFO interrupt can occur unless the FIFO is drained back
+below the trigger level. This never occurs because the pl011
+driver is waiting for an RX FIFO interrupt to tell it that there is
+something to read, and does not read the FIFO at all until that
+interrupt occurs.
+
+Thus, simply clearing "spurious" interrupts on startup may be
+misguided, since there is no way to be sure that the interrupts are
+truly spurious, and things can go wrong if they are not.
+
+This patch instead clears the interrupt condition by draining the
+RX FIFO during UART startup, after clearing any potentially
+spurious interrupt. This should ensure that an interrupt will
+definitely be asserted if the RX FIFO subsequently becomes
+sufficiently full.
+
+The drain is done at the point of enabling interrupts only. This
+means that it will occur any time the UART is newly opened through
+the tty layer. It will not apply to polled-mode use of the UART by
+kgdboc: since that scenario cannot use interrupts by design, this
+should not matter. kgdboc will interact badly with "normal" use of
+the UART in any case: this patch makes no attempt to paper over
+such issues.
+
+This patch does not attempt to address the case where the RX FIFO
+fills faster than it can be drained: that is a pathological
+hardware design problem that is beyond the scope of the driver to
+work around. As a failsafe, the number of poll iterations for
+draining the FIFO is limited to twice the FIFO size. This will
+ensure that the kernel at least boots even if it is impossible to
+drain the FIFO for some reason.
+
+[1] [Qemu-devel] [Qemu-arm] [PATCH] pl011: do not put into fifo
+before enabled the interruption
+https://lists.gnu.org/archive/html/qemu-devel/2018-01/msg06446.html
+
+Reported-by: Wei Xu <xuwei5@hisilicon.com>
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Cc: Peter Maydell <peter.maydell@linaro.org>
+Fixes: 9b96fbacda34 ("serial: PL011: clear pending interrupts")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Cc: stable <stable@vger.kernel.org>
+Tested-by: Wei Xu <xuwei5@hisilicon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/amba-pl011.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/tty/serial/amba-pl011.c
++++ b/drivers/tty/serial/amba-pl011.c
+@@ -1727,10 +1727,26 @@ static int pl011_allocate_irq(struct uar
+ */
+ static void pl011_enable_interrupts(struct uart_amba_port *uap)
+ {
++ unsigned int i;
++
+ spin_lock_irq(&uap->port.lock);
+
+ /* Clear out any spuriously appearing RX interrupts */
+ pl011_write(UART011_RTIS | UART011_RXIS, uap, REG_ICR);
++
++ /*
++ * RXIS is asserted only when the RX FIFO transitions from below
++ * to above the trigger threshold. If the RX FIFO is already
++ * full to the threshold this can't happen and RXIS will now be
++ * stuck off. Drain the RX FIFO explicitly to fix this:
++ */
++ for (i = 0; i < uap->fifosize * 2; ++i) {
++ if (pl011_read(uap, REG_FR) & UART01x_FR_RXFE)
++ break;
++
++ pl011_read(uap, REG_DR);
++ }
++
+ uap->im = UART011_RTIM;
+ if (!pl011_dma_rx_running(uap))
+ uap->im |= UART011_RXIM;
--- /dev/null
+From 9594b5be7ec110ed11acec58fa94f3f293668c85 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Mon, 7 May 2018 19:11:30 +0200
+Subject: tty/serial: atmel: use port->name as name in request_irq()
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+commit 9594b5be7ec110ed11acec58fa94f3f293668c85 upstream.
+
+I was puzzled while looking at /proc/interrupts and random things showed
+up between reboots. This occurred more often but I realised it later. The
+"correct" output should be:
+|38: 11861 atmel-aic5 2 Level ttyS0
+
+but I saw sometimes
+|38: 6426 atmel-aic5 2 Level tty1
+
+and accounted it wrongly as correct. This is use after free and the
+former example randomly got the "old" pointer which pointed to the same
+content. With SLAB_FREELIST_RANDOM and HARDENED I even got
+|38: 7067 atmel-aic5 2 Level E=Started User Manager for UID 0
+
+or other nonsense.
+As it turns out the tty, pointer that is accessed in atmel_startup(), is
+freed() before atmel_shutdown(). It seems to happen quite often that the
+tty for ttyS0 is allocated and freed while ->shutdown is not invoked. I
+don't do anything special - just a systemd boot :)
+
+Use dev_name(&pdev->dev) as the IRQ name for request_irq(). This exists
+as long as the driver is loaded so no use-after-free here.
+
+Cc: stable@vger.kernel.org
+Fixes: 761ed4a94582 ("tty: serial_core: convert uart_close to use tty_port_close")
+Acked-by: Richard Genoud <richard.genoud@gmail.com>
+Acked-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/atmel_serial.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -1757,7 +1757,6 @@ static int atmel_startup(struct uart_por
+ {
+ struct platform_device *pdev = to_platform_device(port->dev);
+ struct atmel_uart_port *atmel_port = to_atmel_uart_port(port);
+- struct tty_struct *tty = port->state->port.tty;
+ int retval;
+
+ /*
+@@ -1772,8 +1771,8 @@ static int atmel_startup(struct uart_por
+ * Allocate the IRQ
+ */
+ retval = request_irq(port->irq, atmel_interrupt,
+- IRQF_SHARED | IRQF_COND_SUSPEND,
+- tty ? tty->name : "atmel_serial", port);
++ IRQF_SHARED | IRQF_COND_SUSPEND,
++ dev_name(&pdev->dev), port);
+ if (retval) {
+ dev_err(port->dev, "atmel_startup - Can't get irq\n");
+ return retval;
--- /dev/null
+From 48b73d0fa11aa8613d51f7be61d2fa7f0ab05fd3 Mon Sep 17 00:00:00 2001
+From: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+Date: Fri, 25 May 2018 19:11:40 +0300
+Subject: usb: core: message: remove extra endianness conversion in usb_set_isoch_delay
+
+From: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+
+commit 48b73d0fa11aa8613d51f7be61d2fa7f0ab05fd3 upstream.
+
+No need to do extra endianness conversion in
+usb_set_isoch_delay because it is already done
+in usb_control_msg()
+
+Fixes: 886ee36e7205 ("usb: core: add support for USB_REQ_SET_ISOCH_DELAY")
+Cc: Dmytro Panchenko <dmytro.panchenko@globallogic.com>
+Cc: Felipe Balbi <felipe.balbi@linux.intel.com>
+Cc: stable <stable@vger.kernel.org> # v4.16+
+Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/message.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/core/message.c
++++ b/drivers/usb/core/message.c
+@@ -940,7 +940,7 @@ int usb_set_isoch_delay(struct usb_devic
+ return usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
+ USB_REQ_SET_ISOCH_DELAY,
+ USB_DIR_OUT | USB_TYPE_STANDARD | USB_RECIP_DEVICE,
+- cpu_to_le16(dev->hub_delay), 0, NULL, 0,
++ dev->hub_delay, 0, NULL, 0,
+ USB_CTRL_SET_TIMEOUT);
+ }
+
--- /dev/null
+From 4a014a7339f441b0851ce012f469c0fadac61c81 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Mon, 21 May 2018 20:18:07 +0900
+Subject: usb: gadget: function: printer: avoid wrong list handling in printer_write()
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 4a014a7339f441b0851ce012f469c0fadac61c81 upstream.
+
+When printer_write() calls usb_ep_queue(), a udc driver (e.g.
+renesas_usbhs driver) may call usb_gadget_giveback_request() in
+the udc .queue ops immediately. Then, printer_write() calls
+list_add(&req->list, &dev->tx_reqs_active) wrongly. After that,
+if we do unbind the printer driver, WARN_ON() happens in
+printer_func_unbind() because the list entry is not removed.
+
+So, this patch moves list_add(&req->list, &dev->tx_reqs_active)
+calling before usb_ep_queue().
+
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_printer.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_printer.c
++++ b/drivers/usb/gadget/function/f_printer.c
+@@ -631,19 +631,19 @@ printer_write(struct file *fd, const cha
+ return -EAGAIN;
+ }
+
++ list_add(&req->list, &dev->tx_reqs_active);
++
+ /* here, we unlock, and only unlock, to avoid deadlock. */
+ spin_unlock(&dev->lock);
+ value = usb_ep_queue(dev->in_ep, req, GFP_ATOMIC);
+ spin_lock(&dev->lock);
+ if (value) {
++ list_del(&req->list);
+ list_add(&req->list, &dev->tx_reqs);
+ spin_unlock_irqrestore(&dev->lock, flags);
+ mutex_unlock(&dev->lock_printer_io);
+ return -EAGAIN;
+ }
+-
+- list_add(&req->list, &dev->tx_reqs_active);
+-
+ }
+
+ spin_unlock_irqrestore(&dev->lock, flags);
--- /dev/null
+From bd6bce004d78b867ba0c6d3712f1c5b50398af9a Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Tue, 10 Apr 2018 14:38:54 +0900
+Subject: usb: gadget: udc: renesas_usb3: disable the controller's irqs for reconnecting
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit bd6bce004d78b867ba0c6d3712f1c5b50398af9a upstream.
+
+This patch fixes an issue that reconnection is possible to fail
+because unexpected state handling happens by the irqs. To fix the issue,
+the driver disables the controller's irqs when disconnected.
+
+Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller")
+Cc: <stable@vger.kernel.org> # v4.5+
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/renesas_usb3.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/gadget/udc/renesas_usb3.c
++++ b/drivers/usb/gadget/udc/renesas_usb3.c
+@@ -623,6 +623,13 @@ static void usb3_disconnect(struct renes
+ usb3_usb2_pullup(usb3, 0);
+ usb3_clear_bit(usb3, USB30_CON_B3_CONNECT, USB3_USB30_CON);
+ usb3_reset_epc(usb3);
++ usb3_disable_irq_1(usb3, USB_INT_1_B2_RSUM | USB_INT_1_B3_PLLWKUP |
++ USB_INT_1_B3_LUPSUCS | USB_INT_1_B3_DISABLE |
++ USB_INT_1_SPEED | USB_INT_1_B3_WRMRST |
++ USB_INT_1_B3_HOTRST | USB_INT_1_B2_SPND |
++ USB_INT_1_B2_L1SPND | USB_INT_1_B2_USBRST);
++ usb3_clear_bit(usb3, USB_COM_CON_SPD_MODE, USB3_USB_COM_CON);
++ usb3_init_epc_registers(usb3);
+
+ if (usb3->driver)
+ usb3->driver->disconnect(&usb3->gadget);
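Review bot: The ten-flag mask passed to `usb3_disable_irq_1()` in usb3_disconnect() is spelled out inline, with no comment saying why these interrupts must stay off while disconnected. If the connect path enables the same set (not visible in this hunk), a shared macro would keep the two lists from drifting apart. A short comment such as `/* Mask link-state irqs so stale events cannot drive the state machine until the next connect */` would record the intent given in the commit message. usb3_disconnect() starts and ends outside the hunk.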
--- /dev/null
+From 8223b2f89ca63e203dcb54148e30d94979f17b0b Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Mon, 2 Apr 2018 21:21:31 +0900
+Subject: usb: gadget: udc: renesas_usb3: fix double phy_put()
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 8223b2f89ca63e203dcb54148e30d94979f17b0b upstream.
+
+This patch fixes an issue that this driver cause double phy_put()
+calling. This driver must not call phy_put() in the remove because
+the driver calls devm_phy_get() in the probe.
+
+Fixes: 279d4bc64060 ("usb: gadget: udc: renesas_usb3: add support for generic phy")
+Cc: <stable@vger.kernel.org> # v4.15+
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/renesas_usb3.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/usb/gadget/udc/renesas_usb3.c
++++ b/drivers/usb/gadget/udc/renesas_usb3.c
+@@ -2408,8 +2408,6 @@ static int renesas_usb3_remove(struct pl
+ renesas_usb3_dma_free_prd(usb3, &pdev->dev);
+
+ __renesas_usb3_ep_free_request(usb3->ep0_req);
+- if (usb3->phy)
+- phy_put(usb3->phy);
+ pm_runtime_disable(&pdev->dev);
+
+ return 0;
--- /dev/null
+From 003bc1dee216b1fb8e02040a95672bea0f1fe797 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Tue, 10 Apr 2018 14:38:52 +0900
+Subject: usb: gadget: udc: renesas_usb3: should call devm_phy_get() before add udc
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 003bc1dee216b1fb8e02040a95672bea0f1fe797 upstream.
+
+This patch fixes an issue that this driver cannot call phy_init()
+if a gadget driver is alreadly loaded because usb_add_gadget_udc()
+might call renesas_usb3_start() via .udc_start.
+This patch also revises the typo (s/an optional/optional/).
+
+Fixes: 279d4bc64060 ("usb: gadget: udc: renesas_usb3: add support for generic phy")
+Cc: <stable@vger.kernel.org> # v4.15+
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/renesas_usb3.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/gadget/udc/renesas_usb3.c
++++ b/drivers/usb/gadget/udc/renesas_usb3.c
+@@ -2632,6 +2632,14 @@ static int renesas_usb3_probe(struct pla
+ if (ret < 0)
+ goto err_alloc_prd;
+
++ /*
++ * This is optional. So, if this driver cannot get a phy,
++ * this driver will not handle a phy anymore.
++ */
++ usb3->phy = devm_phy_get(&pdev->dev, "usb");
++ if (IS_ERR(usb3->phy))
++ usb3->phy = NULL;
++
+ pm_runtime_enable(&pdev->dev);
+ ret = usb_add_gadget_udc(&pdev->dev, &usb3->gadget);
+ if (ret < 0)
+@@ -2641,14 +2649,6 @@ static int renesas_usb3_probe(struct pla
+ if (ret < 0)
+ goto err_dev_create;
+
+- /*
+- * This is an optional. So, if this driver cannot get a phy,
+- * this driver will not handle a phy anymore.
+- */
+- usb3->phy = devm_phy_get(&pdev->dev, "usb");
+- if (IS_ERR(usb3->phy))
+- usb3->phy = NULL;
+-
+ usb3->workaround_for_vbus = priv->workaround_for_vbus;
+
+ renesas_usb3_debugfs_init(usb3, &pdev->dev);
--- /dev/null
+From d998844016b24a8d71b9aa5eae7e51d70f2de438 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Tue, 10 Apr 2018 14:38:51 +0900
+Subject: usb: gadget: udc: renesas_usb3: should call pm_runtime_enable() before add udc
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit d998844016b24a8d71b9aa5eae7e51d70f2de438 upstream.
+
+This patch fixes an issue that this driver causes panic if a gadget
+driver is already loaded because usb_add_gadget_udc() might call
+renesas_usb3_start() via .udc_start, and then pm_runtime_get_sync()
+in renesas_usb3_start() doesn't work correctly.
+Note that the usb3_to_dev() macro should not be called at this timing
+because the macro uses the gadget structure.
+
+Fixes: cf06df3fae28 ("usb: gadget: udc: renesas_usb3: move pm_runtime_{en,dis}able()")
+Cc: <stable@vger.kernel.org> # v4.15+
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/renesas_usb3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/renesas_usb3.c
++++ b/drivers/usb/gadget/udc/renesas_usb3.c
+@@ -2632,6 +2632,7 @@ static int renesas_usb3_probe(struct pla
+ if (ret < 0)
+ goto err_alloc_prd;
+
++ pm_runtime_enable(&pdev->dev);
+ ret = usb_add_gadget_udc(&pdev->dev, &usb3->gadget);
+ if (ret < 0)
+ goto err_add_udc;
+@@ -2653,7 +2654,6 @@ static int renesas_usb3_probe(struct pla
+ renesas_usb3_debugfs_init(usb3, &pdev->dev);
+
+ dev_info(&pdev->dev, "probed%s\n", usb3->phy ? " with phy" : "");
+- pm_runtime_enable(usb3_to_dev(usb3));
+
+ return 0;
+
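Review bot: With `pm_runtime_enable(&pdev->dev)` now called before `usb_add_gadget_udc()` in the first hunk, a failure there takes `goto err_add_udc` with runtime PM already enabled. The error labels lie outside both hunks, so it cannot be confirmed from here that the unwind path calls `pm_runtime_disable(&pdev->dev)`. If it does not, a failed probe leaves the enable unbalanced. The fix would be one line under `err_add_udc`: `pm_runtime_disable(&pdev->dev);`.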
--- /dev/null
+From 0259068f63f23a665ded28647f2f9cdb6b20dc72 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Tue, 10 Apr 2018 14:38:53 +0900
+Subject: usb: gadget: udc: renesas_usb3: should fail if devm_phy_get() returns error
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 0259068f63f23a665ded28647f2f9cdb6b20dc72 upstream.
+
+This patch fixes an issue that this driver ignores errors other than
+the non-existence of the device, f.e. a memory allocation failure
+in devm_phy_get(). So, this patch replaces devm_phy_get() with
+devm_phy_optional_get().
+
+Reported-by: Simon Horman <horms+renesas@verge.net.au>
+Fixes: 279d4bc64060 ("usb: gadget: udc: renesas_usb3: add support for generic phy")
+Cc: <stable@vger.kernel.org> # v4.15+
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/renesas_usb3.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/udc/renesas_usb3.c
++++ b/drivers/usb/gadget/udc/renesas_usb3.c
+@@ -2636,9 +2636,11 @@ static int renesas_usb3_probe(struct pla
+ * This is optional. So, if this driver cannot get a phy,
+ * this driver will not handle a phy anymore.
+ */
+- usb3->phy = devm_phy_get(&pdev->dev, "usb");
+- if (IS_ERR(usb3->phy))
+- usb3->phy = NULL;
++ usb3->phy = devm_phy_optional_get(&pdev->dev, "usb");
++ if (IS_ERR(usb3->phy)) {
++ ret = PTR_ERR(usb3->phy);
++ goto err_add_udc;
++ }
+
+ pm_runtime_enable(&pdev->dev);
+ ret = usb_add_gadget_udc(&pdev->dev, &usb3->gadget);
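Review bot: The new failure branch uses `goto err_add_udc`, although neither `pm_runtime_enable()` nor `usb_add_gadget_udc()` has run at that point. The label body is outside the hunk; if it undoes anything belonging to those two steps (a `pm_runtime_disable()`, for example), this path would unwind work that was never done. A separate label named for what it releases, or a comment at the `goto` stating what `err_add_udc` frees, would make the ordering checkable. renesas_usb3_probe() starts and ends outside the hunk.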
--- /dev/null
+From 1990cf7c21ea185cec98c6d45a82c04481261e35 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Tue, 10 Apr 2018 14:38:50 +0900
+Subject: usb: gadget: udc: renesas_usb3: should remove debugfs
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 1990cf7c21ea185cec98c6d45a82c04481261e35 upstream.
+
+This patch fixes an issue that this driver doesn't remove its debugfs.
+
+Fixes: 43ba968b00ea ("usb: gadget: udc: renesas_usb3: add debugfs to set the b-device mode")
+Cc: <stable@vger.kernel.org> # v4.14+
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/renesas_usb3.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/renesas_usb3.c
++++ b/drivers/usb/gadget/udc/renesas_usb3.c
+@@ -333,6 +333,7 @@ struct renesas_usb3 {
+ struct extcon_dev *extcon;
+ struct work_struct extcon_work;
+ struct phy *phy;
++ struct dentry *dentry;
+
+ struct renesas_usb3_ep *usb3_ep;
+ int num_usb3_eps;
+@@ -2393,8 +2394,12 @@ static void renesas_usb3_debugfs_init(st
+
+ file = debugfs_create_file("b_device", 0644, root, usb3,
+ &renesas_usb3_b_device_fops);
+- if (!file)
++ if (!file) {
+ dev_info(dev, "%s: Can't create debugfs mode\n", __func__);
++ debugfs_remove_recursive(root);
++ } else {
++ usb3->dentry = root;
++ }
+ }
+
+ /*------- platform_driver ------------------------------------------------*/
+@@ -2402,6 +2407,7 @@ static int renesas_usb3_remove(struct pl
+ {
+ struct renesas_usb3 *usb3 = platform_get_drvdata(pdev);
+
++ debugfs_remove_recursive(usb3->dentry);
+ device_remove_file(&pdev->dev, &dev_attr_role);
+
+ usb_del_gadget_udc(&usb3->gadget);
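Review bot: The new `struct dentry *dentry` member gives no hint that it holds the debugfs root directory that renesas_usb3_remove() passes to `debugfs_remove_recursive()`. It is assigned only in the success branch of renesas_usb3_debugfs_init(), so the remove path relies on it being NULL otherwise. How the structure is allocated is not visible in these hunks and should be confirmed. I would add a field comment: `/* debugfs root; set only when b_device was created, removed in renesas_usb3_remove() */`.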
--- /dev/null
+From ca7d9515d0e6825351ce106066cea1f60e40b1c8 Mon Sep 17 00:00:00 2001
+From: Alexander Kappner <agk@godking.net>
+Date: Fri, 18 May 2018 21:50:16 -0700
+Subject: usb-storage: Add compatibility quirk flags for G-Technologies G-Drive
+
+From: Alexander Kappner <agk@godking.net>
+
+commit ca7d9515d0e6825351ce106066cea1f60e40b1c8 upstream.
+
+The "G-Drive" (sold by G-Technology) external USB 3.0 drive
+ hangs on write access under UAS and usb-storage:
+
+[ 136.079121] sd 15:0:0:0: [sdi] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
+[ 136.079144] sd 15:0:0:0: [sdi] tag#0 Sense Key : Illegal Request [current]
+[ 136.079152] sd 15:0:0:0: [sdi] tag#0 Add. Sense: Invalid field in cdb
+[ 136.079176] sd 15:0:0:0: [sdi] tag#0 CDB: Write(16) 8a 08 00 00 00 00 00 00 00 00 00 00 00 08 00 00
+[ 136.079180] print_req_error: critical target error, dev sdi, sector 0
+[ 136.079183] Buffer I/O error on dev sdi, logical block 0, lost sync page write
+[ 136.173148] EXT4-fs (sdi): mounted filesystem with ordered data mode. Opts: (null)
+[ 140.583998] sd 15:0:0:0: [sdi] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
+[ 140.584010] sd 15:0:0:0: [sdi] tag#0 Sense Key : Illegal Request [current]
+[ 140.584016] sd 15:0:0:0: [sdi] tag#0 Add. Sense: Invalid field in cdb
+[ 140.584022] sd 15:0:0:0: [sdi] tag#0 CDB: Write(16) 8a 08 00 00 00 00 e8 c4 00 18 00 00 00 08 00 00
+[ 140.584025] print_req_error: critical target error, dev sdi, sector 3905159192
+[ 140.584044] print_req_error: critical target error, dev sdi, sector 3905159192
+[ 140.584052] Aborting journal on device sdi-8.
+
+The proposed patch adds compatibility quirks. Because the drive requires two
+quirks (one to work with UAS, and another to work with usb-storage), adding this
+under unusual_devs.h and not just unusual_uas.h so kernels compiled without UAS
+receive the quirk. With the patch, the drive works reliably on UAS and usb-
+storage.
+(tested on NEC Corporation uPD720200 USB 3.0 host controller).
+
+Signed-off-by: Alexander Kappner <agk@godking.net>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/unusual_devs.h | 9 +++++++++
+ drivers/usb/storage/unusual_uas.h | 9 +++++++++
+ 2 files changed, 18 insertions(+)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -2321,6 +2321,15 @@ UNUSUAL_DEV( 0x4146, 0xba01, 0x0100, 0x
+ "Micro Mini 1GB",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL, US_FL_NOT_LOCKABLE ),
+
++/* "G-DRIVE" external HDD hangs on write without these.
++ * Patch submitted by Alexander Kappner <agk@godking.net>
++ */
++UNUSUAL_DEV(0x4971, 0x8024, 0x0000, 0x9999,
++ "SimpleTech",
++ "External HDD",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_ALWAYS_SYNC),
++
+ /*
+ * Nick Bowler <nbowler@elliptictech.com>
+ * SCSI stack spams (otherwise harmless) error messages.
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -107,3 +107,12 @@ UNUSUAL_DEV(0x4971, 0x8017, 0x0000, 0x99
+ "External HDD",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_NO_REPORT_OPCODES),
++
++/* "G-DRIVE" external HDD hangs on write without these.
++ * Patch submitted by Alexander Kappner <agk@godking.net>
++ */
++UNUSUAL_DEV(0x4971, 0x8024, 0x0000, 0x9999,
++ "SimpleTech",
++ "External HDD",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_ALWAYS_SYNC),
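Review bot: The comment added above both new `UNUSUAL_DEV(0x4971, 0x8024, ...)` entries starts its text on the `/*` line, while the neighbouring comment in unusual_devs.h puts `/*` on a line of its own. It also says "without these" although each entry sets the single flag `US_FL_ALWAYS_SYNC`, and the attribution line repeats what the commit record already holds. Suggested wording for both files: `/* "G-DRIVE" external HDD hangs on write unless US_FL_ALWAYS_SYNC is set. */`.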
--- /dev/null
+From 8c4e97ddfe73a0958bb0abf7e6a3bc4cc3e04936 Mon Sep 17 00:00:00 2001
+From: Alexander Kappner <agk@godking.net>
+Date: Fri, 18 May 2018 21:50:15 -0700
+Subject: usb-storage: Add support for FL_ALWAYS_SYNC flag in the UAS driver
+
+From: Alexander Kappner <agk@godking.net>
+
+commit 8c4e97ddfe73a0958bb0abf7e6a3bc4cc3e04936 upstream.
+
+The ALWAYS_SYNC flag is currently honored by the usb-storage driver but not UAS
+and is required to work around devices that become unstable upon being
+queried for cache. This code is taken straight from:
+drivers/usb/storage/scsiglue.c:284
+
+Signed-off-by: Alexander Kappner <agk@godking.net>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/uas.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -836,6 +836,12 @@ static int uas_slave_configure(struct sc
+ if (devinfo->flags & US_FL_BROKEN_FUA)
+ sdev->broken_fua = 1;
+
++ /* UAS also needs to support FL_ALWAYS_SYNC */
++ if (devinfo->flags & US_FL_ALWAYS_SYNC) {
++ sdev->skip_ms_page_3f = 1;
++ sdev->skip_ms_page_8 = 1;
++ sdev->wce_default_on = 1;
++ }
+ scsi_change_queue_depth(sdev, devinfo->qdepth - 2);
+ return 0;
+ }
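Review bot: The added comment `/* UAS also needs to support FL_ALWAYS_SYNC */` restates the commit subject and drops the `US_` prefix of the flag it tests, without saying what the three assignments do. Going by the commit message and the field names, the block avoids querying the device for its caching mode pages and assumes the write cache is on. I would write `/* US_FL_ALWAYS_SYNC: do not query the caching mode pages, assume the write cache is enabled */`. A blank line before `scsi_change_queue_depth()` would match the spacing after the `US_FL_BROKEN_FUA` check. uas_slave_configure() begins outside the hunk.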
--- /dev/null
+From 05826ff135ee083d28c006fbde6e810f17437166 Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Thu, 24 May 2018 13:49:52 +0300
+Subject: usb: typec: wcove: Remove dependency on HW FSM
+
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+
+commit 05826ff135ee083d28c006fbde6e810f17437166 upstream.
+
+The USB Type-C PHY in Intel WhiskeyCove PMIC has build-in
+USB Type-C state machine which we were relying on to
+configure the CC lines correctly. This patch removes that
+dependency and configures the CC line according to commands
+from the port manager (tcpm.c) in wcove_set_cc().
+
+This fixes an issue where USB devices attached to the USB
+Type-C port do not get enumerated. When acting as
+source/host, the HW FSM sometimes fails to configure the PHY
+correctly.
+
+Fixes: 3c4fb9f16921 ("usb: typec: wcove: start using tcpm for USB PD support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/typec_wcove.c | 30 ++++++++++++++++++++++++++++--
+ 1 file changed, 28 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/typec/typec_wcove.c
++++ b/drivers/usb/typec/typec_wcove.c
+@@ -202,6 +202,10 @@ static int wcove_init(struct tcpc_dev *t
+ struct wcove_typec *wcove = tcpc_to_wcove(tcpc);
+ int ret;
+
++ ret = regmap_write(wcove->regmap, USBC_CONTROL1, 0);
++ if (ret)
++ return ret;
++
+ /* Unmask everything */
+ ret = regmap_write(wcove->regmap, USBC_IRQMASK1, 0);
+ if (ret)
+@@ -285,8 +289,30 @@ static int wcove_get_cc(struct tcpc_dev
+
+ static int wcove_set_cc(struct tcpc_dev *tcpc, enum typec_cc_status cc)
+ {
+- /* XXX: Relying on the HW FSM to configure things correctly for now */
+- return 0;
++ struct wcove_typec *wcove = tcpc_to_wcove(tcpc);
++ unsigned int ctrl;
++
++ switch (cc) {
++ case TYPEC_CC_RD:
++ ctrl = USBC_CONTROL1_MODE_SNK;
++ break;
++ case TYPEC_CC_RP_DEF:
++ ctrl = USBC_CONTROL1_CURSRC_UA_80 | USBC_CONTROL1_MODE_SRC;
++ break;
++ case TYPEC_CC_RP_1_5:
++ ctrl = USBC_CONTROL1_CURSRC_UA_180 | USBC_CONTROL1_MODE_SRC;
++ break;
++ case TYPEC_CC_RP_3_0:
++ ctrl = USBC_CONTROL1_CURSRC_UA_330 | USBC_CONTROL1_MODE_SRC;
++ break;
++ case TYPEC_CC_OPEN:
++ ctrl = 0;
++ break;
++ default:
++ return -EINVAL;
++ }
++
++ return regmap_write(wcove->regmap, USBC_CONTROL1, ctrl);
+ }
+
+ static int wcove_set_polarity(struct tcpc_dev *tcpc, enum typec_cc_polarity pol)
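Review bot: `USBC_CONTROL1` is written with a bare `0` in two places, the new `regmap_write()` at the top of wcove_init() and the `TYPEC_CC_OPEN` case of wcove_set_cc(), while every other case uses named `USBC_CONTROL1_*` values. A reader cannot tell from the hunks which mode and current-source setting an all-zero register selects, or whether it differs from `USBC_CONTROL1_MODE_SNK` used for `TYPEC_CC_RD`. I would add a one-line comment at each site stating the register state that 0 selects, or introduce a named constant for it. wcove_init() continues outside its hunk.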
--- /dev/null
+From a0d6ec88090d7b1b008429c44532a388e29bb1bd Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Fri, 18 May 2018 20:13:42 -0500
+Subject: usbip: vhci_sysfs: fix potential Spectre v1
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit a0d6ec88090d7b1b008429c44532a388e29bb1bd upstream.
+
+pdev_nr and rhport can be controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+drivers/usb/usbip/vhci_sysfs.c:238 detach_store() warn: potential spectre issue 'vhcis'
+drivers/usb/usbip/vhci_sysfs.c:328 attach_store() warn: potential spectre issue 'vhcis'
+drivers/usb/usbip/vhci_sysfs.c:338 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_ss->vdev'
+drivers/usb/usbip/vhci_sysfs.c:340 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_hs->vdev'
+
+Fix this by sanitizing pdev_nr and rhport before using them to index
+vhcis and vhci->vhci_hcd_ss->vdev respectively.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Acked-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/vhci_sysfs.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/usbip/vhci_sysfs.c
++++ b/drivers/usb/usbip/vhci_sysfs.c
+@@ -10,6 +10,9 @@
+ #include <linux/platform_device.h>
+ #include <linux/slab.h>
+
++/* Hardening for Spectre-v1 */
++#include <linux/nospec.h>
++
+ #include "usbip_common.h"
+ #include "vhci.h"
+
+@@ -205,16 +208,20 @@ static int vhci_port_disconnect(struct v
+ return 0;
+ }
+
+-static int valid_port(__u32 pdev_nr, __u32 rhport)
++static int valid_port(__u32 *pdev_nr, __u32 *rhport)
+ {
+- if (pdev_nr >= vhci_num_controllers) {
+- pr_err("pdev %u\n", pdev_nr);
++ if (*pdev_nr >= vhci_num_controllers) {
++ pr_err("pdev %u\n", *pdev_nr);
+ return 0;
+ }
+- if (rhport >= VHCI_HC_PORTS) {
+- pr_err("rhport %u\n", rhport);
++ *pdev_nr = array_index_nospec(*pdev_nr, vhci_num_controllers);
++
++ if (*rhport >= VHCI_HC_PORTS) {
++ pr_err("rhport %u\n", *rhport);
+ return 0;
+ }
++ *rhport = array_index_nospec(*rhport, VHCI_HC_PORTS);
++
+ return 1;
+ }
+
+@@ -232,7 +239,7 @@ static ssize_t detach_store(struct devic
+ pdev_nr = port_to_pdev_nr(port);
+ rhport = port_to_rhport(port);
+
+- if (!valid_port(pdev_nr, rhport))
++ if (!valid_port(&pdev_nr, &rhport))
+ return -EINVAL;
+
+ hcd = platform_get_drvdata(vhcis[pdev_nr].pdev);
+@@ -258,7 +265,8 @@ static ssize_t detach_store(struct devic
+ }
+ static DEVICE_ATTR_WO(detach);
+
+-static int valid_args(__u32 pdev_nr, __u32 rhport, enum usb_device_speed speed)
++static int valid_args(__u32 *pdev_nr, __u32 *rhport,
++ enum usb_device_speed speed)
+ {
+ if (!valid_port(pdev_nr, rhport)) {
+ return 0;
+@@ -322,7 +330,7 @@ static ssize_t attach_store(struct devic
+ sockfd, devid, speed);
+
+ /* check received parameters */
+- if (!valid_args(pdev_nr, rhport, speed))
++ if (!valid_args(&pdev_nr, &rhport, speed))
+ return -EINVAL;
+
+ hcd = platform_get_drvdata(vhcis[pdev_nr].pdev);
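Review bot: `valid_port()` and `valid_args()` keep names that read as pure predicates, but they now overwrite `*pdev_nr` and `*rhport` with the `array_index_nospec()` result. The Spectre-v1 hardening only holds if callers index with those same variables afterwards, as the `vhcis[pdev_nr]` lookups in detach_store() and attach_store() do. Nothing in the code states that contract, so a later caller that copies the values before the check, or re-derives them from `port`, would silently lose the clamp. I would document it on valid_port(): `/* Returns 1 if in range; on success *pdev_nr and *rhport are clamped with array_index_nospec() and must be used for all later indexing. */`.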
--- /dev/null
+From b23220fe054e92f616b82450fae8cd3ab176cc60 Mon Sep 17 00:00:00 2001
+From: Gil Kupfer <gilkup@gmail.com>
+Date: Fri, 1 Jun 2018 00:47:47 -0700
+Subject: vmw_balloon: fixing double free when batching mode is off
+
+From: Gil Kupfer <gilkup@gmail.com>
+
+commit b23220fe054e92f616b82450fae8cd3ab176cc60 upstream.
+
+The balloon.page field is used for two different purposes if batching is
+on or off. If batching is on, the field point to the page which is used
+to communicate with with the hypervisor. If it is off, balloon.page
+points to the page that is about to be (un)locked.
+
+Unfortunately, this dual-purpose of the field introduced a bug: when the
+balloon is popped (e.g., when the machine is reset or the balloon driver
+is explicitly removed), the balloon driver frees, unconditionally, the
+page that is held in balloon.page. As a result, if batching is
+disabled, this leads to double freeing the last page that is sent to the
+hypervisor.
+
+The following error occurs during rmmod when kernel checkers are on, and
+the balloon is not empty:
+
+[ 42.307653] ------------[ cut here ]------------
+[ 42.307657] Kernel BUG at ffffffffba1e4b28 [verbose debug info unavailable]
+[ 42.307720] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
+[ 42.312512] Modules linked in: vmw_vsock_vmci_transport vsock ppdev joydev vmw_balloon(-) input_leds serio_raw vmw_vmci parport_pc shpchp parport i2c_piix4 nfit mac_hid autofs4 vmwgfx drm_kms_helper hid_generic syscopyarea sysfillrect usbhid sysimgblt fb_sys_fops hid ttm mptspi scsi_transport_spi ahci mptscsih drm psmouse vmxnet3 libahci mptbase pata_acpi
+[ 42.312766] CPU: 10 PID: 1527 Comm: rmmod Not tainted 4.12.0+ #5
+[ 42.312803] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 09/30/2016
+[ 42.313042] task: ffff9bf9680f8000 task.stack: ffffbfefc1638000
+[ 42.313290] RIP: 0010:__free_pages+0x38/0x40
+[ 42.313510] RSP: 0018:ffffbfefc163be98 EFLAGS: 00010246
+[ 42.313731] RAX: 000000000000003e RBX: ffffffffc02b9720 RCX: 0000000000000006
+[ 42.313972] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9bf97e08e0a0
+[ 42.314201] RBP: ffffbfefc163be98 R08: 0000000000000000 R09: 0000000000000000
+[ 42.314435] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffc02b97e4
+[ 42.314505] R13: ffffffffc02b9748 R14: ffffffffc02b9728 R15: 0000000000000200
+[ 42.314550] FS: 00007f3af5fec700(0000) GS:ffff9bf97e080000(0000) knlGS:0000000000000000
+[ 42.314599] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 42.314635] CR2: 00007f44f6f4ab24 CR3: 00000003a7d12000 CR4: 00000000000006e0
+[ 42.314864] Call Trace:
+[ 42.315774] vmballoon_pop+0x102/0x130 [vmw_balloon]
+[ 42.315816] vmballoon_exit+0x42/0xd64 [vmw_balloon]
+[ 42.315853] SyS_delete_module+0x1e2/0x250
+[ 42.315891] entry_SYSCALL_64_fastpath+0x23/0xc2
+[ 42.315924] RIP: 0033:0x7f3af5b0e8e7
+[ 42.315949] RSP: 002b:00007fffe6ce0148 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
+[ 42.315996] RAX: ffffffffffffffda RBX: 000055be676401e0 RCX: 00007f3af5b0e8e7
+[ 42.316951] RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055be67640248
+[ 42.317887] RBP: 0000000000000003 R08: 0000000000000000 R09: 1999999999999999
+[ 42.318845] R10: 0000000000000883 R11: 0000000000000206 R12: 00007fffe6cdf130
+[ 42.319755] R13: 0000000000000000 R14: 0000000000000000 R15: 000055be676401e0
+[ 42.320606] Code: c0 74 1c f0 ff 4f 1c 74 02 5d c3 85 f6 74 07 e8 0f d8 ff ff 5d c3 31 f6 e8 c6 fb ff ff 5d c3 48 c7 c6 c8 0f c5 ba e8 58 be 02 00 <0f> 0b 66 0f 1f 44 00 00 66 66 66 66 90 48 85 ff 75 01 c3 55 48
+[ 42.323462] RIP: __free_pages+0x38/0x40 RSP: ffffbfefc163be98
+[ 42.325735] ---[ end trace 872e008e33f81508 ]---
+
+To solve the bug, we eliminate the dual purpose of balloon.page.
+
+Fixes: f220a80f0c2e ("VMware balloon: add batching to the vmw_balloon.")
+Cc: stable@vger.kernel.org
+Reported-by: Oleksandr Natalenko <onatalen@redhat.com>
+Signed-off-by: Gil Kupfer <gilkup@gmail.com>
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Reviewed-by: Xavier Deguillard <xdeguillard@vmware.com>
+Tested-by: Oleksandr Natalenko <oleksandr@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/vmw_balloon.c | 23 +++++++----------------
+ 1 file changed, 7 insertions(+), 16 deletions(-)
+
+--- a/drivers/misc/vmw_balloon.c
++++ b/drivers/misc/vmw_balloon.c
+@@ -576,15 +576,9 @@ static void vmballoon_pop(struct vmballo
+ }
+ }
+
+- if (b->batch_page) {
+- vunmap(b->batch_page);
+- b->batch_page = NULL;
+- }
+-
+- if (b->page) {
+- __free_page(b->page);
+- b->page = NULL;
+- }
++ /* Clearing the batch_page unconditionally has no adverse effect */
++ free_page((unsigned long)b->batch_page);
++ b->batch_page = NULL;
+ }
+
+ /*
+@@ -991,16 +985,13 @@ static const struct vmballoon_ops vmball
+
+ static bool vmballoon_init_batching(struct vmballoon *b)
+ {
+- b->page = alloc_page(VMW_PAGE_ALLOC_NOSLEEP);
+- if (!b->page)
+- return false;
++ struct page *page;
+
+- b->batch_page = vmap(&b->page, 1, VM_MAP, PAGE_KERNEL);
+- if (!b->batch_page) {
+- __free_page(b->page);
++ page = alloc_page(GFP_KERNEL | __GFP_ZERO);
++ if (!page)
+ return false;
+- }
+
++ b->batch_page = page_address(page);
+ return true;
+ }
+
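Review bot: vmballoon_init_batching() switches the allocation from `VMW_PAGE_ALLOC_NOSLEEP` to `GFP_KERNEL | __GFP_ZERO`, which may sleep and zeroes the page, and neither the commit message nor a comment explains the change. Whether every caller runs in a sleepable context is not visible in these hunks and should be confirmed. Since vmballoon_pop() now releases the buffer with `free_page()`, allocating it with the matching call, `b->batch_page = (void *)get_zeroed_page(GFP_KERNEL);`, would pair the two and drop the local `page`. A comment noting that the page is zeroed because it is used to communicate with the hypervisor would keep the flag from being dropped later.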