4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 1 Jan 2018 12:44:53 +0000 (13:44 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 1 Jan 2018 12:44:53 +0000 (13:44 +0100)
added patches:
binder-fix-proc-files-use-after-free.patch
drivers-base-cacheinfo-fix-cache-type-for-non-architected-system-cache.patch
nohz-prevent-a-timer-interrupt-storm-in-tick_nohz_stop_sched_tick.patch
phy-tegra-fix-device-tree-node-lookups.patch
staging-android-ion-fix-dma-direction-for-dma_sync_sg_for_cpu-device.patch
timers-invoke-timer_start_debug-where-it-makes-sense.patch
timers-reinitialize-per-cpu-bases-on-hotplug.patch
timers-use-deferrable-base-independent-of-base-nohz_active.patch
usb-add-device-quirk-for-logitech-hd-pro-webcam-c925e.patch
usb-add-reset_resume-for-elsa-microlink-56k.patch
usb-chipidea-msm-fix-ulpi-node-lookup.patch
usb-fix-off-by-one-in-type-specific-length-check-of-bos-ssp-capability.patch
usb-serial-ftdi_sio-add-id-for-airbus-ds-p8gr.patch
usb-serial-option-add-support-for-telit-me910-pid-0x1101.patch
usb-serial-option-adding-support-for-yuga-clm920-nc5.patch
usb-serial-qcserial-add-sierra-wireless-em7565.patch
usb-xhci-add-xhci_trust_tx_length-for-renesas-upd720201.patch
x86-32-fix-kexec-with-stack-canary-config_cc_stackprotector.patch
x86-espfix-64-fix-espfix-double-fault-handling-on-5-level-systems.patch
x86-ldt-make-ldt-pgtable-free-conditional.patch
x86-ldt-plug-memory-leak-in-error-path.patch
x86-mm-remove-preempt_disable-enable-from-__native_flush_tlb.patch
x86-smpboot-remove-stale-tlb-flush-invocations.patch

24 files changed:
queue-4.14/binder-fix-proc-files-use-after-free.patch [new file with mode: 0644]
queue-4.14/drivers-base-cacheinfo-fix-cache-type-for-non-architected-system-cache.patch [new file with mode: 0644]
queue-4.14/nohz-prevent-a-timer-interrupt-storm-in-tick_nohz_stop_sched_tick.patch [new file with mode: 0644]
queue-4.14/phy-tegra-fix-device-tree-node-lookups.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/staging-android-ion-fix-dma-direction-for-dma_sync_sg_for_cpu-device.patch [new file with mode: 0644]
queue-4.14/timers-invoke-timer_start_debug-where-it-makes-sense.patch [new file with mode: 0644]
queue-4.14/timers-reinitialize-per-cpu-bases-on-hotplug.patch [new file with mode: 0644]
queue-4.14/timers-use-deferrable-base-independent-of-base-nohz_active.patch [new file with mode: 0644]
queue-4.14/usb-add-device-quirk-for-logitech-hd-pro-webcam-c925e.patch [new file with mode: 0644]
queue-4.14/usb-add-reset_resume-for-elsa-microlink-56k.patch [new file with mode: 0644]
queue-4.14/usb-chipidea-msm-fix-ulpi-node-lookup.patch [new file with mode: 0644]
queue-4.14/usb-fix-off-by-one-in-type-specific-length-check-of-bos-ssp-capability.patch [new file with mode: 0644]
queue-4.14/usb-serial-ftdi_sio-add-id-for-airbus-ds-p8gr.patch [new file with mode: 0644]
queue-4.14/usb-serial-option-add-support-for-telit-me910-pid-0x1101.patch [new file with mode: 0644]
queue-4.14/usb-serial-option-adding-support-for-yuga-clm920-nc5.patch [new file with mode: 0644]
queue-4.14/usb-serial-qcserial-add-sierra-wireless-em7565.patch [new file with mode: 0644]
queue-4.14/usb-xhci-add-xhci_trust_tx_length-for-renesas-upd720201.patch [new file with mode: 0644]
queue-4.14/x86-32-fix-kexec-with-stack-canary-config_cc_stackprotector.patch [new file with mode: 0644]
queue-4.14/x86-espfix-64-fix-espfix-double-fault-handling-on-5-level-systems.patch [new file with mode: 0644]
queue-4.14/x86-ldt-make-ldt-pgtable-free-conditional.patch [new file with mode: 0644]
queue-4.14/x86-ldt-plug-memory-leak-in-error-path.patch [new file with mode: 0644]
queue-4.14/x86-mm-remove-preempt_disable-enable-from-__native_flush_tlb.patch [new file with mode: 0644]
queue-4.14/x86-smpboot-remove-stale-tlb-flush-invocations.patch [new file with mode: 0644]

diff --git a/queue-4.14/binder-fix-proc-files-use-after-free.patch b/queue-4.14/binder-fix-proc-files-use-after-free.patch
new file mode 100644 (file)
index 0000000..2a22075
--- /dev/null
@@ -0,0 +1,148 @@
+From 7f3dc0088b98533f17128058fac73cd8b2752ef1 Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@android.com>
+Date: Mon, 27 Nov 2017 09:32:33 -0800
+Subject: binder: fix proc->files use-after-free
+
+From: Todd Kjos <tkjos@android.com>
+
+commit 7f3dc0088b98533f17128058fac73cd8b2752ef1 upstream.
+
+proc->files cleanup is initiated by binder_vma_close. Therefore
+a reference on the binder_proc is not enough to prevent the
+files_struct from being released while the binder_proc still has
+a reference. This can lead to an attempt to dereference the
+stale pointer obtained from proc->files prior to proc->files
+cleanup. This has been seen once in task_get_unused_fd_flags()
+when __alloc_fd() is called with a stale "files".
+
+The fix is to protect proc->files with a mutex to prevent cleanup
+while in use.
+
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c |   44 +++++++++++++++++++++++++++++++-------------
+ 1 file changed, 31 insertions(+), 13 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -482,7 +482,8 @@ enum binder_deferred_state {
+  * @tsk                   task_struct for group_leader of process
+  *                        (invariant after initialized)
+  * @files                 files_struct for process
+- *                        (invariant after initialized)
++ *                        (protected by @files_lock)
++ * @files_lock            mutex to protect @files
+  * @deferred_work_node:   element for binder_deferred_list
+  *                        (protected by binder_deferred_lock)
+  * @deferred_work:        bitmap of deferred work to perform
+@@ -530,6 +531,7 @@ struct binder_proc {
+       int pid;
+       struct task_struct *tsk;
+       struct files_struct *files;
++      struct mutex files_lock;
+       struct hlist_node deferred_work_node;
+       int deferred_work;
+       bool is_dead;
+@@ -877,20 +879,26 @@ static void binder_inc_node_tmpref_ilock
+ static int task_get_unused_fd_flags(struct binder_proc *proc, int flags)
+ {
+-      struct files_struct *files = proc->files;
+       unsigned long rlim_cur;
+       unsigned long irqs;
++      int ret;
+-      if (files == NULL)
+-              return -ESRCH;
+-
+-      if (!lock_task_sighand(proc->tsk, &irqs))
+-              return -EMFILE;
+-
++      mutex_lock(&proc->files_lock);
++      if (proc->files == NULL) {
++              ret = -ESRCH;
++              goto err;
++      }
++      if (!lock_task_sighand(proc->tsk, &irqs)) {
++              ret = -EMFILE;
++              goto err;
++      }
+       rlim_cur = task_rlimit(proc->tsk, RLIMIT_NOFILE);
+       unlock_task_sighand(proc->tsk, &irqs);
+-      return __alloc_fd(files, 0, rlim_cur, flags);
++      ret = __alloc_fd(proc->files, 0, rlim_cur, flags);
++err:
++      mutex_unlock(&proc->files_lock);
++      return ret;
+ }
+ /*
+@@ -899,8 +907,10 @@ static int task_get_unused_fd_flags(stru
+ static void task_fd_install(
+       struct binder_proc *proc, unsigned int fd, struct file *file)
+ {
++      mutex_lock(&proc->files_lock);
+       if (proc->files)
+               __fd_install(proc->files, fd, file);
++      mutex_unlock(&proc->files_lock);
+ }
+ /*
+@@ -910,9 +920,11 @@ static long task_close_fd(struct binder_
+ {
+       int retval;
+-      if (proc->files == NULL)
+-              return -ESRCH;
+-
++      mutex_lock(&proc->files_lock);
++      if (proc->files == NULL) {
++              retval = -ESRCH;
++              goto err;
++      }
+       retval = __close_fd(proc->files, fd);
+       /* can't restart close syscall because file table entry was cleared */
+       if (unlikely(retval == -ERESTARTSYS ||
+@@ -920,7 +932,8 @@ static long task_close_fd(struct binder_
+                    retval == -ERESTARTNOHAND ||
+                    retval == -ERESTART_RESTARTBLOCK))
+               retval = -EINTR;
+-
++err:
++      mutex_unlock(&proc->files_lock);
+       return retval;
+ }
+@@ -4627,7 +4640,9 @@ static int binder_mmap(struct file *filp
+       ret = binder_alloc_mmap_handler(&proc->alloc, vma);
+       if (ret)
+               return ret;
++      mutex_lock(&proc->files_lock);
+       proc->files = get_files_struct(current);
++      mutex_unlock(&proc->files_lock);
+       return 0;
+ err_bad_arg:
+@@ -4651,6 +4666,7 @@ static int binder_open(struct inode *nod
+       spin_lock_init(&proc->outer_lock);
+       get_task_struct(current->group_leader);
+       proc->tsk = current->group_leader;
++      mutex_init(&proc->files_lock);
+       INIT_LIST_HEAD(&proc->todo);
+       proc->default_priority = task_nice(current);
+       binder_dev = container_of(filp->private_data, struct binder_device,
+@@ -4903,9 +4919,11 @@ static void binder_deferred_func(struct
+               files = NULL;
+               if (defer & BINDER_DEFERRED_PUT_FILES) {
++                      mutex_lock(&proc->files_lock);
+                       files = proc->files;
+                       if (files)
+                               proc->files = NULL;
++                      mutex_unlock(&proc->files_lock);
+               }
+               if (defer & BINDER_DEFERRED_FLUSH)
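Review bot: `files_lock` makes each helper safe on its own, but the pair task_get_unused_fd_flags() / task_fd_install() is not covered as a unit: if binder_deferred_func() clears `proc->files` between the two calls, task_fd_install() skips `__fd_install()` and, being void, never tells the caller that the descriptor it reserved was not populated. What happens to the `struct file` reference in that case is decided by callers outside this patch, so it should be confirmed rather than assumed. At minimum I would document it above task_fd_install(), e.g. `/* proc->files may have been released since the fd was reserved; the install is then skipped and the caller is not notified */`. Smaller point: the `err:` labels in task_get_unused_fd_flags() and task_close_fd() are also reached on success, so `out_unlock:` would read better.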
diff --git a/queue-4.14/drivers-base-cacheinfo-fix-cache-type-for-non-architected-system-cache.patch b/queue-4.14/drivers-base-cacheinfo-fix-cache-type-for-non-architected-system-cache.patch
new file mode 100644 (file)
index 0000000..89ca903
--- /dev/null
@@ -0,0 +1,56 @@
+From f57ab9a01a36ef3454333251cc57e3a9948b17bf Mon Sep 17 00:00:00 2001
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Fri, 17 Nov 2017 11:56:41 +0000
+Subject: drivers: base: cacheinfo: fix cache type for non-architected system cache
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+commit f57ab9a01a36ef3454333251cc57e3a9948b17bf upstream.
+
+Commit dfea747d2aba ("drivers: base: cacheinfo: support DT overrides for
+cache properties") doesn't initialise the cache type if it's present
+only in DT and the architecture is not aware of it. They are unified
+system level cache which are generally transparent.
+
+This patch check if the cache type is set to NOCACHE but the DT node
+indicates that it's unified cache and sets the cache type accordingly.
+
+Fixes: dfea747d2aba ("drivers: base: cacheinfo: support DT overrides for cache properties")
+Reported-and-tested-by: Tan Xiaojun <tanxiaojun@huawei.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/cacheinfo.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/base/cacheinfo.c
++++ b/drivers/base/cacheinfo.c
+@@ -186,6 +186,11 @@ static void cache_associativity(struct c
+               this_leaf->ways_of_associativity = (size / nr_sets) / line_size;
+ }
++static bool cache_node_is_unified(struct cacheinfo *this_leaf)
++{
++      return of_property_read_bool(this_leaf->of_node, "cache-unified");
++}
++
+ static void cache_of_override_properties(unsigned int cpu)
+ {
+       int index;
+@@ -194,6 +199,14 @@ static void cache_of_override_properties
+       for (index = 0; index < cache_leaves(cpu); index++) {
+               this_leaf = this_cpu_ci->info_list + index;
++              /*
++               * init_cache_level must setup the cache level correctly
++               * overriding the architecturally specified levels, so
++               * if type is NONE at this stage, it should be unified
++               */
++              if (this_leaf->type == CACHE_TYPE_NOCACHE &&
++                  cache_node_is_unified(this_leaf))
++                      this_leaf->type = CACHE_TYPE_UNIFIED;
+               cache_size(this_leaf);
+               cache_get_line_size(this_leaf);
+               cache_nr_sets(this_leaf);
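Review bot: The comment added in cache_of_override_properties() says `if type is NONE` while the condition tests `CACHE_TYPE_NOCACHE`, and its first clause reads as a requirement on init_cache_level() rather than as the reason for the fallback. Something like `/* A leaf still marked CACHE_TYPE_NOCACHE here is unknown to the architecture; if its DT node has "cache-unified", treat it as unified */` matches the code. cache_node_is_unified() only reads through its argument, so `const struct cacheinfo *this_leaf` would state that. A leaf that is described only in DT and lacks `cache-unified` keeps CACHE_TYPE_NOCACHE and still goes through cache_size() and the calls after it; whether those cope with that type is outside the hunk.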
diff --git a/queue-4.14/nohz-prevent-a-timer-interrupt-storm-in-tick_nohz_stop_sched_tick.patch b/queue-4.14/nohz-prevent-a-timer-interrupt-storm-in-tick_nohz_stop_sched_tick.patch
new file mode 100644 (file)
index 0000000..1fbccaa
--- /dev/null
@@ -0,0 +1,79 @@
+From 5d62c183f9e9df1deeea0906d099a94e8a43047a Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri, 22 Dec 2017 15:51:13 +0100
+Subject: nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick()
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 5d62c183f9e9df1deeea0906d099a94e8a43047a upstream.
+
+The conditions in irq_exit() to invoke tick_nohz_irq_exit() which
+subsequently invokes tick_nohz_stop_sched_tick() are:
+
+  if ((idle_cpu(cpu) && !need_resched()) || tick_nohz_full_cpu(cpu))
+
+If need_resched() is not set, but a timer softirq is pending then this is
+an indication that the softirq code punted and delegated the execution to
+softirqd. need_resched() is not true because the current interrupted task
+takes precedence over softirqd.
+
+Invoking tick_nohz_irq_exit() in this case can cause an endless loop of
+timer interrupts because the timer wheel contains an expired timer, but
+softirqs are not yet executed. So it returns an immediate expiry request,
+which causes the timer to fire immediately again. Lather, rinse and
+repeat....
+
+Prevent that by adding a check for a pending timer soft interrupt to the
+conditions in tick_nohz_stop_sched_tick() which avoid calling
+get_next_timer_interrupt(). That keeps the tick sched timer on the tick and
+prevents a repetitive programming of an already expired timer.
+
+Reported-by: Sebastian Siewior <bigeasy@linutronix.d>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
+Cc: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Cc: Sebastian Siewior <bigeasy@linutronix.de>
+Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1712272156050.2431@nanos
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/tick-sched.c |   19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -674,6 +674,11 @@ static void tick_nohz_restart(struct tic
+       ts->next_tick = 0;
+ }
++static inline bool local_timer_softirq_pending(void)
++{
++      return local_softirq_pending() & TIMER_SOFTIRQ;
++}
++
+ static ktime_t tick_nohz_stop_sched_tick(struct tick_sched *ts,
+                                        ktime_t now, int cpu)
+ {
+@@ -690,8 +695,18 @@ static ktime_t tick_nohz_stop_sched_tick
+       } while (read_seqretry(&jiffies_lock, seq));
+       ts->last_jiffies = basejiff;
+-      if (rcu_needs_cpu(basemono, &next_rcu) ||
+-          arch_needs_cpu() || irq_work_needs_cpu()) {
++      /*
++       * Keep the periodic tick, when RCU, architecture or irq_work
++       * requests it.
++       * Aside of that check whether the local timer softirq is
++       * pending. If so its a bad idea to call get_next_timer_interrupt()
++       * because there is an already expired timer, so it will request
++       * immeditate expiry, which rearms the hardware timer with a
++       * minimal delta which brings us back to this place
++       * immediately. Lather, rinse and repeat...
++       */
++      if (rcu_needs_cpu(basemono, &next_rcu) || arch_needs_cpu() ||
++          irq_work_needs_cpu() || local_timer_softirq_pending()) {
+               next_tick = basemono + TICK_NSEC;
+       } else {
+               /*
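Review bot: local_timer_softirq_pending() masks the pending word with `TIMER_SOFTIRQ`, which is a softirq number from the enum in include/linux/interrupt.h and not a bit mask, so the test looks at a different softirq's pending bit instead of the timer's. The helper should read `return local_softirq_pending() & BIT(TIMER_SOFTIRQ);`. As written, the guard added to tick_nohz_stop_sched_tick() can miss a pending timer softirq, which is the interrupt-storm case the patch is meant to stop, and can keep the tick for an unrelated softirq. The new comment also has two typos, `its` for `it's` and `immeditate` for `immediate`. tick_nohz_stop_sched_tick() continues past the end of the hunk.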
diff --git a/queue-4.14/phy-tegra-fix-device-tree-node-lookups.patch b/queue-4.14/phy-tegra-fix-device-tree-node-lookups.patch
new file mode 100644 (file)
index 0000000..f65942a
--- /dev/null
@@ -0,0 +1,137 @@
+From 046046737bd35bed047460f080ea47e186be731e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 15 Nov 2017 10:43:16 +0100
+Subject: phy: tegra: fix device-tree node lookups
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 046046737bd35bed047460f080ea47e186be731e upstream.
+
+Fix child-node lookups during probe, which ended up searching the whole
+device tree depth-first starting at the parents rather than just
+matching on their children.
+
+To make things worse, some parent nodes could end up being being
+prematurely freed (by tegra_xusb_pad_register()) as
+of_find_node_by_name() drops a reference to its first argument.
+
+Fixes: 53d2a715c240 ("phy: Add Tegra XUSB pad controller support")
+Cc: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/phy/tegra/xusb.c |   60 +++++++++++++++++++++++------------------------
+ 1 file changed, 30 insertions(+), 30 deletions(-)
+
+--- a/drivers/phy/tegra/xusb.c
++++ b/drivers/phy/tegra/xusb.c
+@@ -75,14 +75,14 @@ MODULE_DEVICE_TABLE(of, tegra_xusb_padct
+ static struct device_node *
+ tegra_xusb_find_pad_node(struct tegra_xusb_padctl *padctl, const char *name)
+ {
+-      /*
+-       * of_find_node_by_name() drops a reference, so make sure to grab one.
+-       */
+-      struct device_node *np = of_node_get(padctl->dev->of_node);
++      struct device_node *pads, *np;
+-      np = of_find_node_by_name(np, "pads");
+-      if (np)
+-              np = of_find_node_by_name(np, name);
++      pads = of_get_child_by_name(padctl->dev->of_node, "pads");
++      if (!pads)
++              return NULL;
++
++      np = of_get_child_by_name(pads, name);
++      of_node_put(pads);
+       return np;
+ }
+@@ -90,16 +90,16 @@ tegra_xusb_find_pad_node(struct tegra_xu
+ static struct device_node *
+ tegra_xusb_pad_find_phy_node(struct tegra_xusb_pad *pad, unsigned int index)
+ {
+-      /*
+-       * of_find_node_by_name() drops a reference, so make sure to grab one.
+-       */
+-      struct device_node *np = of_node_get(pad->dev.of_node);
++      struct device_node *np, *lanes;
+-      np = of_find_node_by_name(np, "lanes");
+-      if (!np)
++      lanes = of_get_child_by_name(pad->dev.of_node, "lanes");
++      if (!lanes)
+               return NULL;
+-      return of_find_node_by_name(np, pad->soc->lanes[index].name);
++      np = of_get_child_by_name(lanes, pad->soc->lanes[index].name);
++      of_node_put(lanes);
++
++      return np;
+ }
+ static int
+@@ -195,7 +195,7 @@ int tegra_xusb_pad_register(struct tegra
+       unsigned int i;
+       int err;
+-      children = of_find_node_by_name(pad->dev.of_node, "lanes");
++      children = of_get_child_by_name(pad->dev.of_node, "lanes");
+       if (!children)
+               return -ENODEV;
+@@ -444,21 +444,21 @@ static struct device_node *
+ tegra_xusb_find_port_node(struct tegra_xusb_padctl *padctl, const char *type,
+                         unsigned int index)
+ {
+-      /*
+-       * of_find_node_by_name() drops a reference, so make sure to grab one.
+-       */
+-      struct device_node *np = of_node_get(padctl->dev->of_node);
++      struct device_node *ports, *np;
++      char *name;
++
++      ports = of_get_child_by_name(padctl->dev->of_node, "ports");
++      if (!ports)
++              return NULL;
+-      np = of_find_node_by_name(np, "ports");
+-      if (np) {
+-              char *name;
+-
+-              name = kasprintf(GFP_KERNEL, "%s-%u", type, index);
+-              if (!name)
+-                      return ERR_PTR(-ENOMEM);
+-              np = of_find_node_by_name(np, name);
+-              kfree(name);
++      name = kasprintf(GFP_KERNEL, "%s-%u", type, index);
++      if (!name) {
++              of_node_put(ports);
++              return ERR_PTR(-ENOMEM);
+       }
++      np = of_get_child_by_name(ports, name);
++      kfree(name);
++      of_node_put(ports);
+       return np;
+ }
+@@ -847,7 +847,7 @@ static void tegra_xusb_remove_ports(stru
+ static int tegra_xusb_padctl_probe(struct platform_device *pdev)
+ {
+-      struct device_node *np = of_node_get(pdev->dev.of_node);
++      struct device_node *np = pdev->dev.of_node;
+       const struct tegra_xusb_padctl_soc *soc;
+       struct tegra_xusb_padctl *padctl;
+       const struct of_device_id *match;
+@@ -855,7 +855,7 @@ static int tegra_xusb_padctl_probe(struc
+       int err;
+       /* for backwards compatibility with old device trees */
+-      np = of_find_node_by_name(np, "pads");
++      np = of_get_child_by_name(np, "pads");
+       if (!np) {
+               dev_warn(&pdev->dev, "deprecated DT, using legacy driver\n");
+               return tegra_xusb_padctl_legacy_probe(pdev);
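Review bot: tegra_xusb_find_port_node() has three distinct results, NULL when the `ports` child or the named port is absent, `ERR_PTR(-ENOMEM)` when kasprintf() fails, and a node otherwise, and nothing at the definition says so; a caller that tests only `!np` would dereference the error pointer. All three lookup helpers now use of_get_child_by_name(), which returns the node with its reference count raised, so the caller has to release it. I would add a short kernel-doc block above each helper stating the return values and `the caller must of_node_put() the returned node`. In tegra_xusb_pad_register() and tegra_xusb_padctl_probe() the matching of_node_put() for `children` and `np` would sit outside the hunks shown, so it cannot be confirmed from here.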
index 6bed64ca76884d24c122d3a2d46b60b63c9749b9..e05655a93c7695845e91841f1a81bc480cc5998b 100644 (file)
@@ -119,3 +119,26 @@ usbip-fix-usbip-bind-writing-random-string-after-command-in-match_busid.patch
 usbip-prevent-leaking-socket-pointer-address-in-messages.patch
 usbip-stub-stop-printing-kernel-pointer-addresses-in-messages.patch
 usbip-vhci-stop-printing-kernel-pointer-addresses-in-messages.patch
+usb-chipidea-msm-fix-ulpi-node-lookup.patch
+usb-serial-ftdi_sio-add-id-for-airbus-ds-p8gr.patch
+usb-serial-qcserial-add-sierra-wireless-em7565.patch
+usb-serial-option-add-support-for-telit-me910-pid-0x1101.patch
+usb-serial-option-adding-support-for-yuga-clm920-nc5.patch
+usb-add-device-quirk-for-logitech-hd-pro-webcam-c925e.patch
+usb-add-reset_resume-for-elsa-microlink-56k.patch
+usb-fix-off-by-one-in-type-specific-length-check-of-bos-ssp-capability.patch
+usb-xhci-add-xhci_trust_tx_length-for-renesas-upd720201.patch
+timers-use-deferrable-base-independent-of-base-nohz_active.patch
+timers-invoke-timer_start_debug-where-it-makes-sense.patch
+timers-reinitialize-per-cpu-bases-on-hotplug.patch
+binder-fix-proc-files-use-after-free.patch
+phy-tegra-fix-device-tree-node-lookups.patch
+drivers-base-cacheinfo-fix-cache-type-for-non-architected-system-cache.patch
+staging-android-ion-fix-dma-direction-for-dma_sync_sg_for_cpu-device.patch
+nohz-prevent-a-timer-interrupt-storm-in-tick_nohz_stop_sched_tick.patch
+x86-smpboot-remove-stale-tlb-flush-invocations.patch
+x86-mm-remove-preempt_disable-enable-from-__native_flush_tlb.patch
+x86-32-fix-kexec-with-stack-canary-config_cc_stackprotector.patch
+x86-espfix-64-fix-espfix-double-fault-handling-on-5-level-systems.patch
+x86-ldt-plug-memory-leak-in-error-path.patch
+x86-ldt-make-ldt-pgtable-free-conditional.patch
diff --git a/queue-4.14/staging-android-ion-fix-dma-direction-for-dma_sync_sg_for_cpu-device.patch b/queue-4.14/staging-android-ion-fix-dma-direction-for-dma_sync_sg_for_cpu-device.patch
new file mode 100644 (file)
index 0000000..f0a3930
--- /dev/null
@@ -0,0 +1,42 @@
+From d6b246bb7a29703f53aa4c050b8b3205d749caee Mon Sep 17 00:00:00 2001
+From: Sushmita Susheelendra <ssusheel@codeaurora.org>
+Date: Fri, 15 Dec 2017 13:59:13 -0700
+Subject: staging: android: ion: Fix dma direction for dma_sync_sg_for_cpu/device
+
+From: Sushmita Susheelendra <ssusheel@codeaurora.org>
+
+commit d6b246bb7a29703f53aa4c050b8b3205d749caee upstream.
+
+Use the direction argument passed into begin_cpu_access
+and end_cpu_access when calling the dma_sync_sg_for_cpu/device.
+The actual cache primitive called depends on the direction
+passed in.
+
+Signed-off-by: Sushmita Susheelendra <ssusheel@codeaurora.org>
+Acked-by: Laura Abbott <labbott@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/android/ion/ion.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/android/ion/ion.c
++++ b/drivers/staging/android/ion/ion.c
+@@ -348,7 +348,7 @@ static int ion_dma_buf_begin_cpu_access(
+       mutex_lock(&buffer->lock);
+       list_for_each_entry(a, &buffer->attachments, list) {
+               dma_sync_sg_for_cpu(a->dev, a->table->sgl, a->table->nents,
+-                                  DMA_BIDIRECTIONAL);
++                                  direction);
+       }
+       mutex_unlock(&buffer->lock);
+@@ -370,7 +370,7 @@ static int ion_dma_buf_end_cpu_access(st
+       mutex_lock(&buffer->lock);
+       list_for_each_entry(a, &buffer->attachments, list) {
+               dma_sync_sg_for_device(a->dev, a->table->sgl, a->table->nents,
+-                                     DMA_BIDIRECTIONAL);
++                                     direction);
+       }
+       mutex_unlock(&buffer->lock);
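Review bot: Nothing in either loop relates the caller's `direction` to the direction each `a->table` in `buffer->attachments` was mapped with, yet it is now passed straight to dma_sync_sg_for_cpu() and dma_sync_sg_for_device(). Both functions start outside the hunk, so any validation of `direction` before the loop is not visible. It is worth confirming that a value that disagrees with the mapping cannot skip cache maintenance that the CPU or a device relies on. A comment at each call would record the assumption, e.g. `/* direction is supplied by the dma-buf caller and must be compatible with the mapping direction of a->table */`.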
diff --git a/queue-4.14/timers-invoke-timer_start_debug-where-it-makes-sense.patch b/queue-4.14/timers-invoke-timer_start_debug-where-it-makes-sense.patch
new file mode 100644 (file)
index 0000000..0bc6890
--- /dev/null
@@ -0,0 +1,50 @@
+From fd45bb77ad682be728d1002431d77b8c73342836 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri, 22 Dec 2017 15:51:14 +0100
+Subject: timers: Invoke timer_start_debug() where it makes sense
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit fd45bb77ad682be728d1002431d77b8c73342836 upstream.
+
+The timer start debug function is called before the proper timer base is
+set. As a consequence the trace data contains the stale CPU and flags
+values.
+
+Call the debug function after setting the new base and flags.
+
+Fixes: 500462a9de65 ("timers: Switch to a non-cascading wheel")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Sebastian Siewior <bigeasy@linutronix.de>
+Cc: rt@linutronix.de
+Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
+Cc: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Link: https://lkml.kernel.org/r/20171222145337.792907137@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/timer.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -982,8 +982,6 @@ __mod_timer(struct timer_list *timer, un
+       if (!ret && pending_only)
+               goto out_unlock;
+-      debug_activate(timer, expires);
+-
+       new_base = get_target_base(base, timer->flags);
+       if (base != new_base) {
+@@ -1007,6 +1005,8 @@ __mod_timer(struct timer_list *timer, un
+               }
+       }
++      debug_activate(timer, expires);
++
+       timer->expires = expires;
+       /*
+        * If 'idx' was calculated above and the base time did not advance
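Review bot: The placement of debug_activate() in __mod_timer() is now order-dependent and nothing in the code says so, so a later cleanup could move it back above get_target_base(). A one-line comment at the new call site would pin it: `/* Trace after the base switch so the recorded CPU and flags are the new ones */`. __mod_timer() begins and ends outside both hunks, so any other exit paths between the old and new positions were not checked here.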
diff --git a/queue-4.14/timers-reinitialize-per-cpu-bases-on-hotplug.patch b/queue-4.14/timers-reinitialize-per-cpu-bases-on-hotplug.patch
new file mode 100644 (file)
index 0000000..7be93c3
--- /dev/null
@@ -0,0 +1,100 @@
+From 26456f87aca7157c057de65c9414b37f1ab881d1 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 27 Dec 2017 21:37:25 +0100
+Subject: timers: Reinitialize per cpu bases on hotplug
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 26456f87aca7157c057de65c9414b37f1ab881d1 upstream.
+
+The timer wheel bases are not (re)initialized on CPU hotplug. That leaves
+them with a potentially stale clk and next_expiry valuem, which can cause
+trouble then the CPU is plugged.
+
+Add a prepare callback which forwards the clock, sets next_expiry to far in
+the future and reset the control flags to a known state.
+
+Set base->must_forward_clk so the first timer which is queued will try to
+forward the clock to current jiffies.
+
+Fixes: 500462a9de65 ("timers: Switch to a non-cascading wheel")
+Reported-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Sebastian Siewior <bigeasy@linutronix.de>
+Cc: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1712272152200.2431@nanos
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/cpuhotplug.h |    2 +-
+ include/linux/timer.h      |    4 +++-
+ kernel/cpu.c               |    4 ++--
+ kernel/time/timer.c        |   15 +++++++++++++++
+ 4 files changed, 21 insertions(+), 4 deletions(-)
+
+--- a/include/linux/cpuhotplug.h
++++ b/include/linux/cpuhotplug.h
+@@ -86,7 +86,7 @@ enum cpuhp_state {
+       CPUHP_MM_ZSWP_POOL_PREPARE,
+       CPUHP_KVM_PPC_BOOK3S_PREPARE,
+       CPUHP_ZCOMP_PREPARE,
+-      CPUHP_TIMERS_DEAD,
++      CPUHP_TIMERS_PREPARE,
+       CPUHP_MIPS_SOC_PREPARE,
+       CPUHP_BP_PREPARE_DYN,
+       CPUHP_BP_PREPARE_DYN_END                = CPUHP_BP_PREPARE_DYN + 20,
+--- a/include/linux/timer.h
++++ b/include/linux/timer.h
+@@ -246,9 +246,11 @@ unsigned long round_jiffies_up(unsigned
+ unsigned long round_jiffies_up_relative(unsigned long j);
+ #ifdef CONFIG_HOTPLUG_CPU
++int timers_prepare_cpu(unsigned int cpu);
+ int timers_dead_cpu(unsigned int cpu);
+ #else
+-#define timers_dead_cpu NULL
++#define timers_prepare_cpu    NULL
++#define timers_dead_cpu               NULL
+ #endif
+ #endif
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -1277,9 +1277,9 @@ static struct cpuhp_step cpuhp_bp_states
+        * before blk_mq_queue_reinit_notify() from notify_dead(),
+        * otherwise a RCU stall occurs.
+        */
+-      [CPUHP_TIMERS_DEAD] = {
++      [CPUHP_TIMERS_PREPARE] = {
+               .name                   = "timers:dead",
+-              .startup.single         = NULL,
++              .startup.single         = timers_prepare_cpu,
+               .teardown.single        = timers_dead_cpu,
+       },
+       /* Kicks the plugged cpu into life */
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -1801,6 +1801,21 @@ static void migrate_timer_list(struct ti
+       }
+ }
++int timers_prepare_cpu(unsigned int cpu)
++{
++      struct timer_base *base;
++      int b;
++
++      for (b = 0; b < NR_BASES; b++) {
++              base = per_cpu_ptr(&timer_bases[b], cpu);
++              base->clk = jiffies;
++              base->next_expiry = base->clk + NEXT_TIMER_MAX_DELTA;
++              base->is_idle = false;
++              base->must_forward_clk = true;
++      }
++      return 0;
++}
++
+ int timers_dead_cpu(unsigned int cpu)
+ {
+       struct timer_base *old_base;
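Review bot: In the kernel/cpu.c hunk the state is renamed to `CPUHP_TIMERS_PREPARE` and gains a startup callback, but `.name` is still `"timers:dead"`, so hotplug state listings and traces will label the prepare step as a teardown. `.name = "timers:prepare",` would match; if anything parses the old string, keep it and say why in a comment. timers_prepare_cpu() writes `clk`, `next_expiry`, `is_idle` and `must_forward_clk` without taking a lock. A comment such as `/* Runs before the CPU is brought up; nothing can queue timers on its bases yet */` would record why that is acceptable, if that is indeed the guarantee the hotplug core gives at this state.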
diff --git a/queue-4.14/timers-use-deferrable-base-independent-of-base-nohz_active.patch b/queue-4.14/timers-use-deferrable-base-independent-of-base-nohz_active.patch
new file mode 100644 (file)
index 0000000..d0d225e
--- /dev/null
@@ -0,0 +1,79 @@
+From ced6d5c11d3e7b342f1a80f908e6756ebd4b8ddd Mon Sep 17 00:00:00 2001
+From: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Date: Fri, 22 Dec 2017 15:51:12 +0100
+Subject: timers: Use deferrable base independent of base::nohz_active
+
+From: Anna-Maria Gleixner <anna-maria@linutronix.de>
+
+commit ced6d5c11d3e7b342f1a80f908e6756ebd4b8ddd upstream.
+
+During boot and before base::nohz_active is set in the timer bases, deferrable
+timers are enqueued into the standard timer base. This works correctly as
+long as base::nohz_active is false.
+
+Once it base::nohz_active is set and a timer which was enqueued before that
+is accessed the lock selector code choses the lock of the deferred
+base. This causes unlocked access to the standard base and in case the
+timer is removed it does not clear the pending flag in the standard base
+bitmap which causes get_next_timer_interrupt() to return bogus values.
+
+To prevent that, the deferrable timers must be enqueued in the deferrable
+base, even when base::nohz_active is not set. Those deferrable timers also
+need to be expired unconditional.
+
+Fixes: 500462a9de65 ("timers: Switch to a non-cascading wheel")
+Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sebastian Siewior <bigeasy@linutronix.de>
+Cc: rt@linutronix.de
+Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
+Link: https://lkml.kernel.org/r/20171222145337.633328378@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/timer.c |   16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -814,11 +814,10 @@ static inline struct timer_base *get_tim
+       struct timer_base *base = per_cpu_ptr(&timer_bases[BASE_STD], cpu);
+       /*
+-       * If the timer is deferrable and nohz is active then we need to use
+-       * the deferrable base.
++       * If the timer is deferrable and NO_HZ_COMMON is set then we need
++       * to use the deferrable base.
+        */
+-      if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active &&
+-          (tflags & TIMER_DEFERRABLE))
++      if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && (tflags & TIMER_DEFERRABLE))
+               base = per_cpu_ptr(&timer_bases[BASE_DEF], cpu);
+       return base;
+ }
+@@ -828,11 +827,10 @@ static inline struct timer_base *get_tim
+       struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);
+       /*
+-       * If the timer is deferrable and nohz is active then we need to use
+-       * the deferrable base.
++       * If the timer is deferrable and NO_HZ_COMMON is set then we need
++       * to use the deferrable base.
+        */
+-      if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active &&
+-          (tflags & TIMER_DEFERRABLE))
++      if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && (tflags & TIMER_DEFERRABLE))
+               base = this_cpu_ptr(&timer_bases[BASE_DEF]);
+       return base;
+ }
+@@ -1644,7 +1642,7 @@ static __latent_entropy void run_timer_s
+       base->must_forward_clk = false;
+       __run_timers(base);
+-      if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active)
++      if (IS_ENABLED(CONFIG_NO_HZ_COMMON))
+               __run_timers(this_cpu_ptr(&timer_bases[BASE_DEF]));
+ }
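Review bot: The rewritten comments in get_timer_cpu_base() and get_timer_this_cpu_base() state the test but not why `base->nohz_active` was dropped from it, so the condition reads like a missed optimisation that someone may later re-add. Per the patch description, gating on that flag let a timer queued before it was set be looked up under the deferrable base's lock, which means unlocked access to the standard base. I would extend both comments with `* Not gated on base->nohz_active: a timer enqueued before the flag is set would otherwise be looked up under the wrong base lock.` The now-unconditional `__run_timers()` call for BASE_DEF in run_timer_softirq() has no comment at all and deserves the same one-line rationale. All three functions start or end outside their hunks.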
diff --git a/queue-4.14/usb-add-device-quirk-for-logitech-hd-pro-webcam-c925e.patch b/queue-4.14/usb-add-device-quirk-for-logitech-hd-pro-webcam-c925e.patch
new file mode 100644 (file)
index 0000000..8113f41
--- /dev/null
@@ -0,0 +1,40 @@
+From 7f038d256c723dd390d2fca942919573995f4cfd Mon Sep 17 00:00:00 2001
+From: Dmitry Fleytman Dmitry Fleytman <dmitry.fleytman@gmail.com>
+Date: Tue, 19 Dec 2017 06:02:04 +0200
+Subject: usb: Add device quirk for Logitech HD Pro Webcam C925e
+
+From: Dmitry Fleytman Dmitry Fleytman <dmitry.fleytman@gmail.com>
+
+commit 7f038d256c723dd390d2fca942919573995f4cfd upstream.
+
+Commit e0429362ab15
+("usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e")
+introduced quirk to workaround an issue with some Logitech webcams.
+
+There is one more model that has the same issue - C925e, so applying
+the same quirk as well.
+
+See aforementioned commit message for detailed explanation of the problem.
+
+Signed-off-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -57,10 +57,11 @@ static const struct usb_device_id usb_qu
+       /* Microsoft LifeCam-VX700 v2.0 */
+       { USB_DEVICE(0x045e, 0x0770), .driver_info = USB_QUIRK_RESET_RESUME },
+-      /* Logitech HD Pro Webcams C920, C920-C and C930e */
++      /* Logitech HD Pro Webcams C920, C920-C, C925e and C930e */
+       { USB_DEVICE(0x046d, 0x082d), .driver_info = USB_QUIRK_DELAY_INIT },
+       { USB_DEVICE(0x046d, 0x0841), .driver_info = USB_QUIRK_DELAY_INIT },
+       { USB_DEVICE(0x046d, 0x0843), .driver_info = USB_QUIRK_DELAY_INIT },
++      { USB_DEVICE(0x046d, 0x085b), .driver_info = USB_QUIRK_DELAY_INIT },
+       /* Logitech ConferenceCam CC3000e */
+       { USB_DEVICE(0x046d, 0x0847), .driver_info = USB_QUIRK_DELAY_INIT },
diff --git a/queue-4.14/usb-add-reset_resume-for-elsa-microlink-56k.patch b/queue-4.14/usb-add-reset_resume-for-elsa-microlink-56k.patch
new file mode 100644 (file)
index 0000000..9483351
--- /dev/null
@@ -0,0 +1,31 @@
+From b9096d9f15c142574ebebe8fbb137012bb9d99c2 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 12 Dec 2017 16:11:30 +0100
+Subject: usb: add RESET_RESUME for ELSA MicroLink 56K
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit b9096d9f15c142574ebebe8fbb137012bb9d99c2 upstream.
+
+This modem needs this quirk to operate. It produces timeouts when
+resumed without reset.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -155,6 +155,9 @@ static const struct usb_device_id usb_qu
+       /* Genesys Logic hub, internally used by KY-688 USB 3.1 Type-C Hub */
+       { USB_DEVICE(0x05e3, 0x0612), .driver_info = USB_QUIRK_NO_LPM },
++      /* ELSA MicroLink 56K */
++      { USB_DEVICE(0x05cc, 0x2267), .driver_info = USB_QUIRK_RESET_RESUME },
++
+       /* Genesys Logic hub, internally used by Moshi USB to Ethernet Adapter */
+       { USB_DEVICE(0x05e3, 0x0616), .driver_info = USB_QUIRK_NO_LPM },
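Review bot: The new ELSA MicroLink 56K entry (vendor 0x05cc) lands between two Genesys Logic entries (0x05e3:0x0612 and 0x05e3:0x0616), which breaks the vendor/product ordering the visible neighbours follow and splits a pair of related hub quirks. Moving `{ USB_DEVICE(0x05cc, 0x2267), .driver_info = USB_QUIRK_RESET_RESUME },` together with its comment above the first 0x05e3 entry would keep the table easy to scan for duplicates or conflicting quirks. The rest of the table is outside the hunk, so the exact slot should be checked against the full list.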
diff --git a/queue-4.14/usb-chipidea-msm-fix-ulpi-node-lookup.patch b/queue-4.14/usb-chipidea-msm-fix-ulpi-node-lookup.patch
new file mode 100644 (file)
index 0000000..56c00ed
--- /dev/null
@@ -0,0 +1,40 @@
+From 964728f9f407eca0b417fdf8e784b7a76979490c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Nov 2017 11:12:58 +0100
+Subject: USB: chipidea: msm: fix ulpi-node lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 964728f9f407eca0b417fdf8e784b7a76979490c upstream.
+
+Fix child-node lookup during probe, which ended up searching the whole
+device tree depth-first starting at the parent rather than just matching
+on its children.
+
+Note that the original premature free of the parent node has already
+been fixed separately, but that fix was apparently never backported to
+stable.
+
+Fixes: 47654a162081 ("usb: chipidea: msm: Restore wrapper settings after reset")
+Fixes: b74c43156c0c ("usb: chipidea: msm: ci_hdrc_msm_probe() missing of_node_get()")
+Cc: Stephen Boyd <stephen.boyd@linaro.org>
+Cc: Frank Rowand <frank.rowand@sony.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/chipidea/ci_hdrc_msm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/chipidea/ci_hdrc_msm.c
++++ b/drivers/usb/chipidea/ci_hdrc_msm.c
+@@ -251,7 +251,7 @@ static int ci_hdrc_msm_probe(struct plat
+       if (ret)
+               goto err_mux;
+-      ulpi_node = of_find_node_by_name(of_node_get(pdev->dev.of_node), "ulpi");
++      ulpi_node = of_get_child_by_name(pdev->dev.of_node, "ulpi");
+       if (ulpi_node) {
+               phy_node = of_get_next_available_child(ulpi_node, NULL);
+               ci->hsic = of_device_is_compatible(phy_node, "qcom,usb-hsic-phy");
diff --git a/queue-4.14/usb-fix-off-by-one-in-type-specific-length-check-of-bos-ssp-capability.patch b/queue-4.14/usb-fix-off-by-one-in-type-specific-length-check-of-bos-ssp-capability.patch
new file mode 100644 (file)
index 0000000..14a7af1
--- /dev/null
@@ -0,0 +1,42 @@
+From 07b9f12864d16c3a861aef4817eb1efccbc5d0e6 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Tue, 19 Dec 2017 11:14:42 +0200
+Subject: USB: Fix off by one in type-specific length check of BOS SSP capability
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 07b9f12864d16c3a861aef4817eb1efccbc5d0e6 upstream.
+
+USB 3.1 devices are not detected as 3.1 capable since 4.15-rc3 due to a
+off by one in commit 81cf4a45360f ("USB: core: Add type-specific length
+check of BOS descriptors")
+
+It uses USB_DT_USB_SSP_CAP_SIZE() to get SSP capability size which takes
+the zero based SSAC as argument, not the actual count of sublink speed
+attributes.
+
+USB3 spec 9.6.2.5 says "The number of Sublink Speed Attributes = SSAC + 1."
+
+The type-specific length check patch was added to stable and needs to be
+fixed there as well
+
+Fixes: 81cf4a45360f ("USB: core: Add type-specific length check of BOS descriptors")
+CC: Masakazu Mokuno <masakazu.mokuno@gmail.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/config.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -1007,7 +1007,7 @@ int usb_get_bos_descriptor(struct usb_de
+               case USB_SSP_CAP_TYPE:
+                       ssp_cap = (struct usb_ssp_cap_descriptor *)buffer;
+                       ssac = (le32_to_cpu(ssp_cap->bmAttributes) &
+-                              USB_SSP_SUBLINK_SPEED_ATTRIBS) + 1;
++                              USB_SSP_SUBLINK_SPEED_ATTRIBS);
+                       if (length >= USB_DT_USB_SSP_CAP_SIZE(ssac))
+                               dev->bos->ssp_cap = ssp_cap;
+                       break;
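Review bot: After this change the local `ssac` holds the raw zero-based field while the `+ 1` lives inside `USB_DT_USB_SSP_CAP_SIZE()`, and nothing at the call site says so; that is the same ambiguity that produced the off-by-one being fixed. This length test is what bounds a device-supplied descriptor before `dev->bos->ssp_cap` is published, so a one-line comment is worth having: `/* ssac is the zero-based SSAC field; USB_DT_USB_SSP_CAP_SIZE() accounts for the +1 attribute */`. usb_get_bos_descriptor() starts and ends outside the hunk, so how later readers of ssp_cap derive the attribute count is not visible here and should be checked for the same convention.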
diff --git a/queue-4.14/usb-serial-ftdi_sio-add-id-for-airbus-ds-p8gr.patch b/queue-4.14/usb-serial-ftdi_sio-add-id-for-airbus-ds-p8gr.patch
new file mode 100644 (file)
index 0000000..0786298
--- /dev/null
@@ -0,0 +1,45 @@
+From c6a36ad383559a60a249aa6016cebf3cb8b6c485 Mon Sep 17 00:00:00 2001
+From: Max Schulze <max.schulze@posteo.de>
+Date: Wed, 20 Dec 2017 20:47:44 +0100
+Subject: USB: serial: ftdi_sio: add id for Airbus DS P8GR
+
+From: Max Schulze <max.schulze@posteo.de>
+
+commit c6a36ad383559a60a249aa6016cebf3cb8b6c485 upstream.
+
+Add AIRBUS_DS_P8GR device IDs to ftdi_sio driver.
+
+Signed-off-by: Max Schulze <max.schulze@posteo.de>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ftdi_sio.c     |    1 +
+ drivers/usb/serial/ftdi_sio_ids.h |    6 ++++++
+ 2 files changed, 7 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1017,6 +1017,7 @@ static const struct usb_device_id id_tab
+               .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+       { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) },
+       { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) },
++      { USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR) },
+       { }                                     /* Terminating entry */
+ };
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -915,6 +915,12 @@
+ #define ICPDAS_I7563U_PID             0x0105
+ /*
++ * Airbus Defence and Space
++ */
++#define AIRBUS_DS_VID                 0x1e8e  /* Vendor ID */
++#define AIRBUS_DS_P8GR                        0x6001  /* Tetra P8GR */
++
++/*
+  * RT Systems programming cables for various ham radios
+  */
+ #define RTSYSTEMS_VID         0x2100  /* Vendor ID */
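Review bot: `AIRBUS_DS_P8GR` in ftdi_sio_ids.h is a product ID but lacks the `_PID` suffix used by the neighbouring defines visible in both hunks (`ICPDAS_I7563U_PID`, `CYPRESS_WICED_BT_USB_PID`). Naming it `AIRBUS_DS_P8GR_PID` and writing `{ USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR_PID) },` in id_table would keep the VID and PID arguments visually distinguishable. As this is a stable backport, the rename would have to come from upstream rather than be made in the queue.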
diff --git a/queue-4.14/usb-serial-option-add-support-for-telit-me910-pid-0x1101.patch b/queue-4.14/usb-serial-option-add-support-for-telit-me910-pid-0x1101.patch
new file mode 100644 (file)
index 0000000..fa0dc1e
--- /dev/null
@@ -0,0 +1,50 @@
+From 08933099e6404f588f81c2050bfec7313e06eeaf Mon Sep 17 00:00:00 2001
+From: Daniele Palmas <dnlplm@gmail.com>
+Date: Thu, 14 Dec 2017 16:54:45 +0100
+Subject: USB: serial: option: add support for Telit ME910 PID 0x1101
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+commit 08933099e6404f588f81c2050bfec7313e06eeaf upstream.
+
+This patch adds support for PID 0x1101 of Telit ME910.
+
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -283,6 +283,7 @@ static void option_instat_callback(struc
+ #define TELIT_PRODUCT_LE922_USBCFG3           0x1043
+ #define TELIT_PRODUCT_LE922_USBCFG5           0x1045
+ #define TELIT_PRODUCT_ME910                   0x1100
++#define TELIT_PRODUCT_ME910_DUAL_MODEM                0x1101
+ #define TELIT_PRODUCT_LE920                   0x1200
+ #define TELIT_PRODUCT_LE910                   0x1201
+ #define TELIT_PRODUCT_LE910_USBCFG4           0x1206
+@@ -648,6 +649,11 @@ static const struct option_blacklist_inf
+       .reserved = BIT(1) | BIT(3),
+ };
++static const struct option_blacklist_info telit_me910_dual_modem_blacklist = {
++      .sendsetup = BIT(0),
++      .reserved = BIT(3),
++};
++
+ static const struct option_blacklist_info telit_le910_blacklist = {
+       .sendsetup = BIT(0),
+       .reserved = BIT(1) | BIT(2),
+@@ -1247,6 +1253,8 @@ static const struct usb_device_id option
+               .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 },
+       { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910),
+               .driver_info = (kernel_ulong_t)&telit_me910_blacklist },
++      { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM),
++              .driver_info = (kernel_ulong_t)&telit_me910_dual_modem_blacklist },
+       { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
+               .driver_info = (kernel_ulong_t)&telit_le910_blacklist },
+       { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
diff --git a/queue-4.14/usb-serial-option-adding-support-for-yuga-clm920-nc5.patch b/queue-4.14/usb-serial-option-adding-support-for-yuga-clm920-nc5.patch
new file mode 100644 (file)
index 0000000..d362423
--- /dev/null
@@ -0,0 +1,64 @@
+From 3920bb713038810f25770e7545b79f204685c8f2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?SZ=20Lin=20=28=E6=9E=97=E4=B8=8A=E6=99=BA=29?=
+ <sz.lin@moxa.com>
+Date: Tue, 19 Dec 2017 17:40:32 +0800
+Subject: USB: serial: option: adding support for YUGA CLM920-NC5
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: SZ Lin (林上智) <sz.lin@moxa.com>
+
+commit 3920bb713038810f25770e7545b79f204685c8f2 upstream.
+
+This patch adds support for YUGA CLM920-NC5 PID 0x9625 USB modem to option
+driver.
+
+Interface layout:
+0: QCDM/DIAG
+1: ADB
+2: MODEM
+3: AT
+4: RMNET
+
+Signed-off-by: Taiyi Wu <taiyity.wu@moxa.com>
+Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -236,6 +236,8 @@ static void option_instat_callback(struc
+ /* These Quectel products use Qualcomm's vendor ID */
+ #define QUECTEL_PRODUCT_UC20                  0x9003
+ #define QUECTEL_PRODUCT_UC15                  0x9090
++/* These Yuga products use Qualcomm's vendor ID */
++#define YUGA_PRODUCT_CLM920_NC5                       0x9625
+ #define QUECTEL_VENDOR_ID                     0x2c7c
+ /* These Quectel products use Quectel's vendor ID */
+@@ -683,6 +685,10 @@ static const struct option_blacklist_inf
+       .reserved = BIT(4) | BIT(5),
+ };
++static const struct option_blacklist_info yuga_clm920_nc5_blacklist = {
++      .reserved = BIT(1) | BIT(4),
++};
++
+ static const struct usb_device_id option_ids[] = {
+       { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) },
+       { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_RICOLA) },
+@@ -1187,6 +1193,9 @@ static const struct usb_device_id option
+       { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC15)},
+       { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC20),
+         .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
++      /* Yuga products use Qualcomm vendor ID */
++      { USB_DEVICE(QUALCOMM_VENDOR_ID, YUGA_PRODUCT_CLM920_NC5),
++        .driver_info = (kernel_ulong_t)&yuga_clm920_nc5_blacklist },
+       /* Quectel products using Quectel vendor ID */
+       { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21),
+         .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
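Review bot: `yuga_clm920_nc5_blacklist` reserves `BIT(1) | BIT(4)` with no comment, and the interface layout that explains those bits (1: ADB, 4: RMNET) exists only in the patch description. A comment on the struct, e.g. `/* Interfaces 1 (ADB) and 4 (RMNET) are not serial ports; keep option from binding to them */`, would stop a later edit from dropping a bit and letting the serial driver claim the debug interface. The same applies to the new `YUGA_PRODUCT_CLM920_NC5` table entry, which only says that the Qualcomm vendor ID is reused.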
diff --git a/queue-4.14/usb-serial-qcserial-add-sierra-wireless-em7565.patch b/queue-4.14/usb-serial-qcserial-add-sierra-wireless-em7565.patch
new file mode 100644 (file)
index 0000000..966ea6c
--- /dev/null
@@ -0,0 +1,78 @@
+From 92a18a657fb2e2ffbfa0659af32cc18fd2346516 Mon Sep 17 00:00:00 2001
+From: Reinhard Speyerer <rspmn@arcor.de>
+Date: Fri, 15 Dec 2017 00:39:27 +0100
+Subject: USB: serial: qcserial: add Sierra Wireless EM7565
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Reinhard Speyerer <rspmn@arcor.de>
+
+commit 92a18a657fb2e2ffbfa0659af32cc18fd2346516 upstream.
+
+Sierra Wireless EM7565 devices use the QCSERIAL_SWI layout for their
+serial ports
+
+T:  Bus=01 Lev=03 Prnt=29 Port=01 Cnt=02 Dev#= 31 Spd=480  MxCh= 0
+D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
+P:  Vendor=1199 ProdID=9091 Rev= 0.06
+S:  Manufacturer=Sierra Wireless, Incorporated
+S:  Product=Sierra Wireless EM7565 Qualcomm Snapdragon X16 LTE-A
+S:  SerialNumber=xxxxxxxx
+C:* #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=qcserial
+E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=qcserial
+E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=qcserial
+E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 8 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+E:  Ad=86(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
+E:  Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+but need sendsetup = true for the NMEA port to make it work properly.
+
+Simplify the patch compared to v1 as suggested by Bjørn Mork by taking
+advantage of the fact that existing devices work with sendsetup = true
+too.
+
+Use sendsetup = true for the NMEA interface of QCSERIAL_SWI and add
+DEVICE_SWI entries for the EM7565 PID 0x9091 and the EM7565 QDL PID
+0x9090.
+
+Tests with several MC73xx/MC74xx/MC77xx devices have been performed in
+order to verify backward compatibility.
+
+Signed-off-by: Reinhard Speyerer <rspmn@arcor.de>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/qcserial.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -166,6 +166,8 @@ static const struct usb_device_id id_tab
+       {DEVICE_SWI(0x1199, 0x9079)},   /* Sierra Wireless EM74xx */
+       {DEVICE_SWI(0x1199, 0x907a)},   /* Sierra Wireless EM74xx QDL */
+       {DEVICE_SWI(0x1199, 0x907b)},   /* Sierra Wireless EM74xx */
++      {DEVICE_SWI(0x1199, 0x9090)},   /* Sierra Wireless EM7565 QDL */
++      {DEVICE_SWI(0x1199, 0x9091)},   /* Sierra Wireless EM7565 */
+       {DEVICE_SWI(0x413c, 0x81a2)},   /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */
+       {DEVICE_SWI(0x413c, 0x81a3)},   /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */
+       {DEVICE_SWI(0x413c, 0x81a4)},   /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
+@@ -346,6 +348,7 @@ static int qcprobe(struct usb_serial *se
+                       break;
+               case 2:
+                       dev_dbg(dev, "NMEA GPS interface found\n");
++                      sendsetup = true;
+                       break;
+               case 3:
+                       dev_dbg(dev, "Modem port found\n");
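Review bot: The added `sendsetup = true;` under `case 2:` applies to the NMEA interface of every device using the QCSERIAL_SWI layout, not only the two EM7565 IDs added in the first hunk, and the code gives no hint of that. The description says existing MC73xx/MC74xx/MC77xx devices were tested with it, so the wider effect is intended. A comment such as `/* EM7565 needs the setup request on NMEA; older SWI devices tolerate it */` would record why the line is there. qcprobe() starts and ends outside the hunk.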
diff --git a/queue-4.14/usb-xhci-add-xhci_trust_tx_length-for-renesas-upd720201.patch b/queue-4.14/usb-xhci-add-xhci_trust_tx_length-for-renesas-upd720201.patch
new file mode 100644 (file)
index 0000000..c3953d6
--- /dev/null
@@ -0,0 +1,38 @@
+From da99706689481717998d1d48edd389f339eea979 Mon Sep 17 00:00:00 2001
+From: Daniel Thompson <daniel.thompson@linaro.org>
+Date: Thu, 21 Dec 2017 15:06:15 +0200
+Subject: usb: xhci: Add XHCI_TRUST_TX_LENGTH for Renesas uPD720201
+
+From: Daniel Thompson <daniel.thompson@linaro.org>
+
+commit da99706689481717998d1d48edd389f339eea979 upstream.
+
+When plugging in a USB webcam I see the following message:
+xhci_hcd 0000:04:00.0: WARN Successful completion on short TX: needs
+XHCI_TRUST_TX_LENGTH quirk?
+handle_tx_event: 913 callbacks suppressed
+
+All is quiet again with this patch (and I've done a fair but of soak
+testing with the camera since).
+
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-pci.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -190,6 +190,9 @@ static void xhci_pci_quirks(struct devic
+               xhci->quirks |= XHCI_BROKEN_STREAMS;
+       }
+       if (pdev->vendor == PCI_VENDOR_ID_RENESAS &&
++                      pdev->device == 0x0014)
++              xhci->quirks |= XHCI_TRUST_TX_LENGTH;
++      if (pdev->vendor == PCI_VENDOR_ID_RENESAS &&
+                       pdev->device == 0x0015)
+               xhci->quirks |= XHCI_RESET_ON_RESUME;
+       if (pdev->vendor == PCI_VENDOR_ID_VIA)
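Review bot: The new test uses the bare device ID `0x0014` with no name or comment, so only the patch subject ties it to the uPD720201. A trailing comment, `pdev->device == 0x0014) /* uPD720201 */`, or a named constant next to the existing vendor define would make the quirk table auditable without digging through history. The adjacent `0x0015` test has the same problem and could be annotated at the same time. xhci_pci_quirks() continues outside the hunk.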
diff --git a/queue-4.14/x86-32-fix-kexec-with-stack-canary-config_cc_stackprotector.patch b/queue-4.14/x86-32-fix-kexec-with-stack-canary-config_cc_stackprotector.patch
new file mode 100644 (file)
index 0000000..beed8f9
--- /dev/null
@@ -0,0 +1,84 @@
+From ac461122c88a10b7d775de2f56467f097c9e627a Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 27 Dec 2017 11:48:50 -0800
+Subject: x86-32: Fix kexec with stack canary (CONFIG_CC_STACKPROTECTOR)
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit ac461122c88a10b7d775de2f56467f097c9e627a upstream.
+
+Commit e802a51ede91 ("x86/idt: Consolidate IDT invalidation") cleaned up
+and unified the IDT invalidation that existed in a couple of places.  It
+changed no actual real code.
+
+Despite not changing any actual real code, it _did_ change code generation:
+by implementing the common idt_invalidate() function in
+archx86/kernel/idt.c, it made the use of the function in
+arch/x86/kernel/machine_kexec_32.c be a real function call rather than an
+(accidental) inlining of the function.
+
+That, in turn, exposed two issues:
+
+ - in load_segments(), we had incorrectly reset all the segment
+   registers, which then made the stack canary load (which gcc does
+   using offset of %gs) cause a trap.  Instead of %gs pointing to the
+   stack canary, it will be the normal zero-based kernel segment, and
+   the stack canary load will take a page fault at address 0x14.
+
+ - to make this even harder to debug, we had invalidated the GDT just
+   before calling idt_invalidate(), which meant that the fault happened
+   with an invalid GDT, which in turn causes a triple fault and
+   immediate reboot.
+
+Fix this by
+
+ (a) not reloading the special segments in load_segments(). We currently
+     don't do any percpu accesses (which would require %fs on x86-32) in
+     this area, but there's no reason to think that we might not want to
+     do them, and like %gs, it's pointless to break it.
+
+ (b) doing idt_invalidate() before invalidating the GDT, to keep things
+     at least _slightly_ more debuggable for a bit longer. Without a
+     IDT, traps will not work. Without a GDT, traps also will not work,
+     but neither will any segment loads etc. So in a very real sense,
+     the GDT is even more core than the IDT.
+
+Fixes: e802a51ede91 ("x86/idt: Consolidate IDT invalidation")
+Reported-and-tested-by: Alexandru Chirvasitu <achirvasub@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Link: https://lkml.kernel.org/r/alpine.LFD.2.21.1712271143180.8572@i7.lan
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/machine_kexec_32.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/machine_kexec_32.c
++++ b/arch/x86/kernel/machine_kexec_32.c
+@@ -48,8 +48,6 @@ static void load_segments(void)
+               "\tmovl $"STR(__KERNEL_DS)",%%eax\n"
+               "\tmovl %%eax,%%ds\n"
+               "\tmovl %%eax,%%es\n"
+-              "\tmovl %%eax,%%fs\n"
+-              "\tmovl %%eax,%%gs\n"
+               "\tmovl %%eax,%%ss\n"
+               : : : "eax", "memory");
+ #undef STR
+@@ -232,8 +230,8 @@ void machine_kexec(struct kimage *image)
+        * The gdt & idt are now invalid.
+        * If you want to load them you must set up your own idt & gdt.
+        */
+-      set_gdt(phys_to_virt(0), 0);
+       idt_invalidate(phys_to_virt(0));
++      set_gdt(phys_to_virt(0), 0);
+       /* now call it */
+       image->start = relocate_kernel_ptr((unsigned long)image->head,
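Review bot: The order of `idt_invalidate()` and `set_gdt()` in machine_kexec() is now deliberate, but the comment above them still only says both tables are invalid, so a later tidy-up could swap them back. I would add `/* Invalidate the IDT first: idt_invalidate() is a real function call, and a fault taken once the GDT is gone becomes a triple fault */`. Likewise the asm in load_segments() would benefit from `/* %fs and %gs are left alone: the stack protector canary is read via %gs, percpu data via %fs */`, since the omission otherwise looks accidental. Both functions extend beyond their hunks.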
diff --git a/queue-4.14/x86-espfix-64-fix-espfix-double-fault-handling-on-5-level-systems.patch b/queue-4.14/x86-espfix-64-fix-espfix-double-fault-handling-on-5-level-systems.patch
new file mode 100644 (file)
index 0000000..1337423
--- /dev/null
@@ -0,0 +1,47 @@
+From c739f930be1dd5fd949030e3475a884fe06dae9b Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Tue, 12 Dec 2017 07:56:36 -0800
+Subject: x86/espfix/64: Fix espfix double-fault handling on 5-level systems
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit c739f930be1dd5fd949030e3475a884fe06dae9b upstream.
+
+Using PGDIR_SHIFT to identify espfix64 addresses on 5-level systems
+was wrong, and it resulted in panics due to unhandled double faults.
+Use P4D_SHIFT instead, which is correct on 4-level and 5-level
+machines.
+
+This fixes a panic when running x86 selftests on 5-level machines.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: David Laight <David.Laight@aculab.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Kirill A. Shutemov <kirill@shutemov.name>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 1d33b219563f ("x86/espfix: Add support for 5-level paging")
+Link: http://lkml.kernel.org/r/24c898b4f44fdf8c22d93703850fb384ef87cfdc.1513035461.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/traps.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/traps.c
++++ b/arch/x86/kernel/traps.c
+@@ -361,7 +361,7 @@ dotraplinkage void do_double_fault(struc
+        *
+        * No need for ist_enter here because we don't use RCU.
+        */
+-      if (((long)regs->sp >> PGDIR_SHIFT) == ESPFIX_PGD_ENTRY &&
++      if (((long)regs->sp >> P4D_SHIFT) == ESPFIX_PGD_ENTRY &&
+               regs->cs == __KERNEL_CS &&
+               regs->ip == (unsigned long)native_irq_return_iret)
+       {
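Review bot: The condition now shifts by `P4D_SHIFT` but compares against a constant named `ESPFIX_PGD_ENTRY`, which looks like a mistake to anyone who has not read the commit message. Getting this test wrong means an espfix64 double fault is not recognised and the kernel panics, per the description. A line in the comment block before the `if` would help, e.g. `* P4D_SHIFT is intentional: PGDIR_SHIFT misidentifies espfix64 addresses with 5-level paging.` do_double_fault() starts and ends outside the hunk.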
diff --git a/queue-4.14/x86-ldt-make-ldt-pgtable-free-conditional.patch b/queue-4.14/x86-ldt-make-ldt-pgtable-free-conditional.patch
new file mode 100644 (file)
index 0000000..a21a988
--- /dev/null
@@ -0,0 +1,33 @@
+From 7f414195b0c3612acd12b4611a5fe75995cf10c7 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Sun, 31 Dec 2017 16:52:15 +0100
+Subject: x86/ldt: Make LDT pgtable free conditional
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 7f414195b0c3612acd12b4611a5fe75995cf10c7 upstream.
+
+Andy prefers to be paranoid about the pagetable free in the error path of
+write_ldt(). Make it conditional and warn whenever the installment of a
+secondary LDT fails.
+
+Requested-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/ldt.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/ldt.c
++++ b/arch/x86/kernel/ldt.c
+@@ -426,7 +426,8 @@ static int write_ldt(void __user *ptr, u
+                * already installed then the PTE page is already
+                * populated. Mop up a half populated page table.
+                */
+-              free_ldt_pgtables(mm);
++              if (!WARN_ON_ONCE(old_ldt))
++                      free_ldt_pgtables(mm);
+               free_ldt_struct(new_ldt);
+               goto out_unlock;
+       }
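Review bot: `WARN_ON_ONCE(old_ldt)` sits on an error path of write_ldt(), which takes a `__user` pointer, so if map_ldt_struct() can ever fail with an LDT already installed, the warning is reachable from user space and a system running with panic_on_warn would go down. The surrounding comment argues that this failure can only happen on the first LDT setup; if that holds the check is harmless, but it is worth confirming against map_ldt_struct(), which is not visible here. The comment should also say what the WARN means, e.g. `* A failure with an LDT already installed is unexpected: warn and leave the page tables alone.` write_ldt() starts and ends outside the hunk.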
diff --git a/queue-4.14/x86-ldt-plug-memory-leak-in-error-path.patch b/queue-4.14/x86-ldt-plug-memory-leak-in-error-path.patch
new file mode 100644 (file)
index 0000000..055236d
--- /dev/null
@@ -0,0 +1,54 @@
+From a62d69857aab4caa43049e72fe0ed5c4a60518dd Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Sun, 31 Dec 2017 11:24:34 +0100
+Subject: x86/ldt: Plug memory leak in error path
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit a62d69857aab4caa43049e72fe0ed5c4a60518dd upstream.
+
+The error path in write_ldt() tries to free 'old_ldt' instead of the newly
+allocated 'new_ldt', resulting in a memory leak. It also misses to clean up a
+half populated LDT pagetable, which is not a leak as it gets cleaned up
+when the process exits.
+
+Free both the potentially half populated LDT pagetable and the newly
+allocated LDT struct. This can be done unconditionally because once an LDT
+is mapped subsequent maps will succeed, because the PTE page is already
+populated and the two LDTs fit into that single page.
+
+Reported-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linuxfoundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Fixes: f55f0501cbf6 ("x86/pti: Put the LDT in its own PGD if PTI is on")
+Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1712311121340.1899@nanos
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/ldt.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/ldt.c
++++ b/arch/x86/kernel/ldt.c
+@@ -421,7 +421,13 @@ static int write_ldt(void __user *ptr, u
+        */
+       error = map_ldt_struct(mm, new_ldt, old_ldt ? !old_ldt->slot : 0);
+       if (error) {
+-              free_ldt_struct(old_ldt);
++              /*
++               * This only can fail for the first LDT setup. If an LDT is
++               * already installed then the PTE page is already
++               * populated. Mop up a half populated page table.
++               */
++              free_ldt_pgtables(mm);
++              free_ldt_struct(new_ldt);
+               goto out_unlock;
+       }
diff --git a/queue-4.14/x86-mm-remove-preempt_disable-enable-from-__native_flush_tlb.patch b/queue-4.14/x86-mm-remove-preempt_disable-enable-from-__native_flush_tlb.patch
new file mode 100644 (file)
index 0000000..e389daa
--- /dev/null
@@ -0,0 +1,78 @@
+From decab0888e6e14e11d53cefa85f8b3d3b45ce73c Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Sat, 30 Dec 2017 22:13:54 +0100
+Subject: x86/mm: Remove preempt_disable/enable() from __native_flush_tlb()
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit decab0888e6e14e11d53cefa85f8b3d3b45ce73c upstream.
+
+The preempt_disable/enable() pair in __native_flush_tlb() was added in
+commit:
+
+  5cf0791da5c1 ("x86/mm: Disable preemption during CR3 read+write")
+
+... to protect the UP variant of flush_tlb_mm_range().
+
+That preempt_disable/enable() pair should have been added to the UP variant
+of flush_tlb_mm_range() instead.
+
+The UP variant was removed with commit:
+
+  ce4a4e565f52 ("x86/mm: Remove the UP asm/tlbflush.h code, always use the (formerly) SMP code")
+
+... but the preempt_disable/enable() pair stayed around.
+
+The latest change to __native_flush_tlb() in commit:
+
+  6fd166aae78c ("x86/mm: Use/Fix PCID to optimize user/kernel switches")
+
+... added an access to a per CPU variable outside the preempt disabled
+regions, which makes no sense at all. __native_flush_tlb() must always
+be called with at least preemption disabled.
+
+Remove the preempt_disable/enable() pair and add a WARN_ON_ONCE() to catch
+bad callers independent of the smp_processor_id() debugging.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linuxfoundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20171230211829.679325424@linutronix.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/tlbflush.h |   14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/include/asm/tlbflush.h
++++ b/arch/x86/include/asm/tlbflush.h
+@@ -345,15 +345,17 @@ static inline void invalidate_user_asid(
+  */
+ static inline void __native_flush_tlb(void)
+ {
+-      invalidate_user_asid(this_cpu_read(cpu_tlbstate.loaded_mm_asid));
+       /*
+-       * If current->mm == NULL then we borrow a mm which may change
+-       * during a task switch and therefore we must not be preempted
+-       * while we write CR3 back:
++       * Preemption or interrupts must be disabled to protect the access
++       * to the per CPU variable and to prevent being preempted between
++       * read_cr3() and write_cr3().
+        */
+-      preempt_disable();
++      WARN_ON_ONCE(preemptible());
++
++      invalidate_user_asid(this_cpu_read(cpu_tlbstate.loaded_mm_asid));
++
++      /* If current->mm == NULL then the read_cr3() "borrows" an mm */
+       native_write_cr3(__native_read_cr3());
+-      preempt_enable();
+ }
+ /*
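Review bot: The shortened comment on the CR3 write-back in `__native_flush_tlb()`, `/* If current->mm == NULL then the read_cr3() "borrows" an mm */`, no longer says why the borrowed mm matters. Both new comments also name read_cr3()/write_cr3() while the code calls `__native_read_cr3()` and `native_write_cr3()`. I would keep the consequence from the removed text, e.g. `/* If current->mm == NULL, CR3 holds a borrowed mm which may change during a task switch */`, and use the helper names as they appear in the code. `WARN_ON_ONCE(preemptible())` reports only the first offending caller and the flush still proceeds, so the comment is where later callers learn the no-preemption contract. The comment block preceding the function starts outside the hunk.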
diff --git a/queue-4.14/x86-smpboot-remove-stale-tlb-flush-invocations.patch b/queue-4.14/x86-smpboot-remove-stale-tlb-flush-invocations.patch
new file mode 100644 (file)
index 0000000..2fc60ff
--- /dev/null
@@ -0,0 +1,65 @@
+From 322f8b8b340c824aef891342b0f5795d15e11562 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Sat, 30 Dec 2017 22:13:53 +0100
+Subject: x86/smpboot: Remove stale TLB flush invocations
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 322f8b8b340c824aef891342b0f5795d15e11562 upstream.
+
+smpboot_setup_warm_reset_vector() and smpboot_restore_warm_reset_vector()
+invoke local_flush_tlb() for no obvious reason.
+
+Digging in history revealed that the original code in the 2.1 era added
+those because the code manipulated a swapper_pg_dir pagetable entry. The
+pagetable manipulation was removed long ago in the 2.3 timeframe, but the
+TLB flush invocations stayed around forever.
+
+Remove them along with the pointless pr_debug()s which come from the same 2.1
+change.
+
+Reported-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linuxfoundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20171230211829.586548655@linutronix.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/smpboot.c |    9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -128,14 +128,10 @@ static inline void smpboot_setup_warm_re
+       spin_lock_irqsave(&rtc_lock, flags);
+       CMOS_WRITE(0xa, 0xf);
+       spin_unlock_irqrestore(&rtc_lock, flags);
+-      local_flush_tlb();
+-      pr_debug("1.\n");
+       *((volatile unsigned short *)phys_to_virt(TRAMPOLINE_PHYS_HIGH)) =
+                                                       start_eip >> 4;
+-      pr_debug("2.\n");
+       *((volatile unsigned short *)phys_to_virt(TRAMPOLINE_PHYS_LOW)) =
+                                                       start_eip & 0xf;
+-      pr_debug("3.\n");
+ }
+ static inline void smpboot_restore_warm_reset_vector(void)
+@@ -143,11 +139,6 @@ static inline void smpboot_restore_warm_
+       unsigned long flags;
+       /*
+-       * Install writable page 0 entry to set BIOS data area.
+-       */
+-      local_flush_tlb();
+-
+-      /*
+        * Paranoid:  Set warm reset code and vector here back
+        * to default values.
+        */