4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 18 Dec 2018 15:15:15 +0000 (16:15 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 18 Dec 2018 15:15:15 +0000 (16:15 +0100)
added patches:
aio-fix-spectre-gadget-in-lookup_ioctx.patch
arm-mmp-mmp2-fix-cpu_is_mmp2-on-mmp2-dt.patch
arm64-dma-mapping-fix-force_contiguous-buffer-clearing.patch
dm-cache-metadata-verify-cache-has-blocks-in-blocks_are_clean_separate_dirty.patch
dm-thin-send-event-about-thin-pool-state-change-_after_-making-it.patch
drm-amdgpu-powerplay-apply-avfs-cks-off-voltages-on-vi.patch
drm-amdgpu-update-smc-firmware-image-for-polaris10-variants.patch
drm-i915-execlists-apply-a-full-mb-before-execution-for-braswell.patch
drm-nouveau-kms-fix-memory-leak-in-nv50_mstm_del.patch
fuse-continue-to-send-fuse_releasedir-when-fuse_open-returns-enosys.patch
mmc-omap-fix-broken-mmc-on-omap15xx-omap5910-omap310.patch
mmc-sdhci-fix-the-timeout-check-window-for-clock-and-reset.patch
pinctrl-sunxi-a83t-fix-irq-offset-typo-for-ph11.patch
powerpc-msi-fix-null-pointer-access-in-teardown-code.patch
revert-drm-rockchip-allow-driver-to-be-shutdown-on-reboot-kexec.patch
tracing-fix-memory-leak-in-set_trigger_filter.patch
tracing-fix-memory-leak-of-instance-function-hash-filters.patch
userfaultfd-check-vm_maywrite-was-set-after-verifying-the-uffd-is-registered.patch

20 files changed:
queue-4.14/aio-fix-spectre-gadget-in-lookup_ioctx.patch [new file with mode: 0644]
queue-4.14/arm-mmp-mmp2-fix-cpu_is_mmp2-on-mmp2-dt.patch [new file with mode: 0644]
queue-4.14/arm64-dma-mapping-fix-force_contiguous-buffer-clearing.patch [new file with mode: 0644]
queue-4.14/dm-cache-metadata-verify-cache-has-blocks-in-blocks_are_clean_separate_dirty.patch [new file with mode: 0644]
queue-4.14/dm-thin-send-event-about-thin-pool-state-change-_after_-making-it.patch [new file with mode: 0644]
queue-4.14/drm-amdgpu-powerplay-apply-avfs-cks-off-voltages-on-vi.patch [new file with mode: 0644]
queue-4.14/drm-amdgpu-update-smc-firmware-image-for-polaris10-variants.patch [new file with mode: 0644]
queue-4.14/drm-i915-execlists-apply-a-full-mb-before-execution-for-braswell.patch [new file with mode: 0644]
queue-4.14/drm-nouveau-kms-fix-memory-leak-in-nv50_mstm_del.patch [new file with mode: 0644]
queue-4.14/fuse-continue-to-send-fuse_releasedir-when-fuse_open-returns-enosys.patch [new file with mode: 0644]
queue-4.14/mmc-omap-fix-broken-mmc-on-omap15xx-omap5910-omap310.patch [new file with mode: 0644]
queue-4.14/mmc-sdhci-fix-the-timeout-check-window-for-clock-and-reset.patch [new file with mode: 0644]
queue-4.14/pinctrl-sunxi-a83t-fix-irq-offset-typo-for-ph11.patch [new file with mode: 0644]
queue-4.14/powerpc-msi-fix-null-pointer-access-in-teardown-code.patch [new file with mode: 0644]
queue-4.14/revert-drm-rockchip-allow-driver-to-be-shutdown-on-reboot-kexec.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/timer-debug-change-proc-timer_list-from-0444-to-0400.patch
queue-4.14/tracing-fix-memory-leak-in-set_trigger_filter.patch [new file with mode: 0644]
queue-4.14/tracing-fix-memory-leak-of-instance-function-hash-filters.patch [new file with mode: 0644]
queue-4.14/userfaultfd-check-vm_maywrite-was-set-after-verifying-the-uffd-is-registered.patch [new file with mode: 0644]

diff --git a/queue-4.14/aio-fix-spectre-gadget-in-lookup_ioctx.patch b/queue-4.14/aio-fix-spectre-gadget-in-lookup_ioctx.patch
new file mode 100644 (file)
index 0000000..9a94eb3
--- /dev/null
@@ -0,0 +1,42 @@
+From a538e3ff9dabcdf6c3f477a373c629213d1c3066 Mon Sep 17 00:00:00 2001
+From: Jeff Moyer <jmoyer@redhat.com>
+Date: Tue, 11 Dec 2018 12:37:49 -0500
+Subject: aio: fix spectre gadget in lookup_ioctx
+
+From: Jeff Moyer <jmoyer@redhat.com>
+
+commit a538e3ff9dabcdf6c3f477a373c629213d1c3066 upstream.
+
+Matthew pointed out that the ioctx_table is susceptible to spectre v1,
+because the index can be controlled by an attacker.  The below patch
+should mitigate the attack for all of the aio system calls.
+
+Cc: stable@vger.kernel.org
+Reported-by: Matthew Wilcox <willy@infradead.org>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/aio.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -43,6 +43,7 @@
+ #include <asm/kmap_types.h>
+ #include <linux/uaccess.h>
++#include <linux/nospec.h>
+ #include "internal.h"
+@@ -1084,6 +1085,7 @@ static struct kioctx *lookup_ioctx(unsig
+       if (!table || id >= table->nr)
+               goto out;
++      id = array_index_nospec(id, table->nr);
+       ctx = rcu_dereference(table->table[id]);
+       if (ctx && ctx->user_id == ctx_id) {
+               if (percpu_ref_tryget_live(&ctx->users))
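Review bot: The added `array_index_nospec()` call in lookup_ioctx() has no comment explaining why the index is clamped again right after the `id >= table->nr` check, so a later cleanup could mistake it for redundant and drop it. I would put a line above it such as `/* id is caller-controlled; clamp it so a mispredicted bounds check cannot index past table->table[] */`. The clamp has to stay between the bounds check and the `rcu_dereference(table->table[id])` load, as it does here. lookup_ioctx() starts and ends outside the hunk, so where `id` is read from is not visible; the commit message says the index is attacker-controlled.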
diff --git a/queue-4.14/arm-mmp-mmp2-fix-cpu_is_mmp2-on-mmp2-dt.patch b/queue-4.14/arm-mmp-mmp2-fix-cpu_is_mmp2-on-mmp2-dt.patch
new file mode 100644 (file)
index 0000000..c29be31
--- /dev/null
@@ -0,0 +1,47 @@
+From 76f4e2c3b6a560cdd7a75b87df543e04d05a9e5f Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Sun, 2 Dec 2018 12:12:24 +0100
+Subject: ARM: mmp/mmp2: fix cpu_is_mmp2() on mmp2-dt
+
+From: Lubomir Rintel <lkundrak@v3.sk>
+
+commit 76f4e2c3b6a560cdd7a75b87df543e04d05a9e5f upstream.
+
+cpu_is_mmp2() was equivalent to cpu_is_pj4(), wouldn't be correct for
+multiplatform kernels. Fix it by also considering mmp_chip_id, as is
+done for cpu_is_pxa168() and cpu_is_pxa910() above.
+
+Moreover, it is only available with CONFIG_CPU_MMP2 and thus doesn't work
+on DT-based MMP2 machines. Enable it on CONFIG_MACH_MMP2_DT too.
+
+Note: CONFIG_CPU_MMP2 is only used for machines that use board files
+instead of DT. It should perhaps be renamed. I'm not doing it now, because
+I don't have a better idea.
+
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-mmp/cputype.h |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mach-mmp/cputype.h
++++ b/arch/arm/mach-mmp/cputype.h
+@@ -44,10 +44,12 @@ static inline int cpu_is_pxa910(void)
+ #define cpu_is_pxa910()       (0)
+ #endif
+-#ifdef CONFIG_CPU_MMP2
++#if defined(CONFIG_CPU_MMP2) || defined(CONFIG_MACH_MMP2_DT)
+ static inline int cpu_is_mmp2(void)
+ {
+-      return (((read_cpuid_id() >> 8) & 0xff) == 0x58);
++      return (((read_cpuid_id() >> 8) & 0xff) == 0x58) &&
++              (((mmp_chip_id & 0xfff) == 0x410) ||
++               ((mmp_chip_id & 0xfff) == 0x610));
+ }
+ #else
+ #define cpu_is_mmp2() (0)
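Review bot: The new condition in cpu_is_mmp2() compares `mmp_chip_id & 0xfff` against the bare constants 0x410 and 0x610 without saying what they identify, and it writes the mask twice. A comment such as `/* mmp_chip_id values accepted as MMP2 */`, or a local `unsigned int id = mmp_chip_id & 0xfff;`, would make the check easier to audit. The function is now also built for CONFIG_MACH_MMP2_DT, and the hunk does not show where mmp_chip_id is assigned on a DT boot, so it is worth confirming it is set before the first caller on that path.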
diff --git a/queue-4.14/arm64-dma-mapping-fix-force_contiguous-buffer-clearing.patch b/queue-4.14/arm64-dma-mapping-fix-force_contiguous-buffer-clearing.patch
new file mode 100644 (file)
index 0000000..56e17f6
--- /dev/null
@@ -0,0 +1,37 @@
+From 3238c359acee4ab57f15abb5a82b8ab38a661ee7 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Mon, 10 Dec 2018 19:33:31 +0000
+Subject: arm64: dma-mapping: Fix FORCE_CONTIGUOUS buffer clearing
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 3238c359acee4ab57f15abb5a82b8ab38a661ee7 upstream.
+
+We need to invalidate the caches *before* clearing the buffer via the
+non-cacheable alias, else in the worst case __dma_flush_area() may
+write back dirty lines over the top of our nice new zeros.
+
+Fixes: dd65a941f6ba ("arm64: dma-mapping: clear buffers allocated with FORCE_CONTIGUOUS flag")
+Cc: <stable@vger.kernel.org> # 4.18.x-
+Acked-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/mm/dma-mapping.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/mm/dma-mapping.c
++++ b/arch/arm64/mm/dma-mapping.c
+@@ -633,9 +633,9 @@ static void *__iommu_alloc_attrs(struct
+                                                  prot,
+                                                  __builtin_return_address(0));
+               if (addr) {
+-                      memset(addr, 0, size);
+                       if (!coherent)
+                               __dma_flush_area(page_to_virt(page), iosize);
++                      memset(addr, 0, size);
+               } else {
+                       iommu_dma_unmap_page(dev, *handle, iosize, 0, attrs);
+                       dma_release_from_contiguous(dev, page,
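Review bot: Nothing at the moved `memset(addr, 0, size);` in __iommu_alloc_attrs() records that it must follow `__dma_flush_area()`, and the two statements look freely reorderable to anyone who has not read the commit message. Because the wrong order can leave stale data in a buffer that was meant to be zeroed, I would add a comment above the `if (!coherent)` such as `/* flush first: a later write-back of dirty lines would overwrite the zeros written through the non-cacheable alias */`. The stable trailer says `# 4.18.x-` while this is queued for 4.14, so presumably the commit named in Fixes: was backported here; that is worth confirming. The function starts and ends outside the hunk.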
diff --git a/queue-4.14/dm-cache-metadata-verify-cache-has-blocks-in-blocks_are_clean_separate_dirty.patch b/queue-4.14/dm-cache-metadata-verify-cache-has-blocks-in-blocks_are_clean_separate_dirty.patch
new file mode 100644 (file)
index 0000000..5bf7575
--- /dev/null
@@ -0,0 +1,38 @@
+From 687cf4412a343a63928a5c9d91bdc0f522939d43 Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Fri, 9 Nov 2018 11:56:03 -0500
+Subject: dm cache metadata: verify cache has blocks in blocks_are_clean_separate_dirty()
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit 687cf4412a343a63928a5c9d91bdc0f522939d43 upstream.
+
+Otherwise dm_bitset_cursor_begin() return -ENODATA.  Other calls to
+dm_bitset_cursor_begin() have similar negative checks.
+
+Fixes inability to create a cache in passthrough mode (even though doing
+so makes no sense).
+
+Fixes: 0d963b6e65 ("dm cache metadata: fix metadata2 format's blocks_are_clean_separate_dirty")
+Cc: stable@vger.kernel.org
+Reported-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-cache-metadata.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/md/dm-cache-metadata.c
++++ b/drivers/md/dm-cache-metadata.c
+@@ -929,6 +929,10 @@ static int blocks_are_clean_separate_dir
+       bool dirty_flag;
+       *result = true;
++      if (from_cblock(cmd->cache_blocks) == 0)
++              /* Nothing to do */
++              return 0;
++
+       r = dm_bitset_cursor_begin(&cmd->dirty_info, cmd->dirty_root,
+                                  from_cblock(cmd->cache_blocks), &cmd->dirty_cursor);
+       if (r) {
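Review bot: The new early return in blocks_are_clean_separate_dirty() is an unbraced `if` whose body is a comment line followed by `return 0;`, which reads like two statements and is easy to break when a line is added. Either brace it or move the comment above the test, for example `/* Nothing to do for an empty cache */` followed by `if (from_cblock(cmd->cache_blocks) == 0)` and `return 0;`. `*result = true` is assigned before the return, so an empty cache reports clean; saying so in the comment would show that is intentional. The function starts and ends outside the hunk.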
diff --git a/queue-4.14/dm-thin-send-event-about-thin-pool-state-change-_after_-making-it.patch b/queue-4.14/dm-thin-send-event-about-thin-pool-state-change-_after_-making-it.patch
new file mode 100644 (file)
index 0000000..e7ece79
--- /dev/null
@@ -0,0 +1,171 @@
+From f6c367585d0d851349d3a9e607c43e5bea993fa1 Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Tue, 11 Dec 2018 13:31:40 -0500
+Subject: dm thin: send event about thin-pool state change _after_ making it
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit f6c367585d0d851349d3a9e607c43e5bea993fa1 upstream.
+
+Sending a DM event before a thin-pool state change is about to happen is
+a bug.  It wasn't realized until it became clear that userspace response
+to the event raced with the actual state change that the event was
+meant to notify about.
+
+Fix this by first updating internal thin-pool state to reflect what the
+DM event is being issued about.  This fixes a long-standing racey/buggy
+userspace device-mapper-test-suite 'resize_io' test that would get an
+event but not find the state it was looking for -- so it would just go
+on to hang because no other events caused the test to reevaluate the
+thin-pool's state.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-thin.c |   68 ++++++++++++++++++++++++++-------------------------
+ 1 file changed, 35 insertions(+), 33 deletions(-)
+
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -195,7 +195,7 @@ static void throttle_unlock(struct throt
+ struct dm_thin_new_mapping;
+ /*
+- * The pool runs in 4 modes.  Ordered in degraded order for comparisons.
++ * The pool runs in various modes.  Ordered in degraded order for comparisons.
+  */
+ enum pool_mode {
+       PM_WRITE,               /* metadata may be changed */
+@@ -281,9 +281,38 @@ struct pool {
+       struct dm_bio_prison_cell **cell_sort_array;
+ };
+-static enum pool_mode get_pool_mode(struct pool *pool);
+ static void metadata_operation_failed(struct pool *pool, const char *op, int r);
++static enum pool_mode get_pool_mode(struct pool *pool)
++{
++      return pool->pf.mode;
++}
++
++static void notify_of_pool_mode_change(struct pool *pool)
++{
++      const char *descs[] = {
++              "write",
++              "out-of-data-space",
++              "read-only",
++              "read-only",
++              "fail"
++      };
++      const char *extra_desc = NULL;
++      enum pool_mode mode = get_pool_mode(pool);
++
++      if (mode == PM_OUT_OF_DATA_SPACE) {
++              if (!pool->pf.error_if_no_space)
++                      extra_desc = " (queue IO)";
++              else
++                      extra_desc = " (error IO)";
++      }
++
++      dm_table_event(pool->ti->table);
++      DMINFO("%s: switching pool to %s%s mode",
++             dm_device_name(pool->pool_md),
++             descs[(int)mode], extra_desc ? : "");
++}
++
+ /*
+  * Target context for a pool.
+  */
+@@ -2362,8 +2391,6 @@ static void do_waker(struct work_struct
+       queue_delayed_work(pool->wq, &pool->waker, COMMIT_PERIOD);
+ }
+-static void notify_of_pool_mode_change_to_oods(struct pool *pool);
+-
+ /*
+  * We're holding onto IO to allow userland time to react.  After the
+  * timeout either the pool will have been resized (and thus back in
+@@ -2376,7 +2403,7 @@ static void do_no_space_timeout(struct w
+       if (get_pool_mode(pool) == PM_OUT_OF_DATA_SPACE && !pool->pf.error_if_no_space) {
+               pool->pf.error_if_no_space = true;
+-              notify_of_pool_mode_change_to_oods(pool);
++              notify_of_pool_mode_change(pool);
+               error_retry_list_with_code(pool, BLK_STS_NOSPC);
+       }
+ }
+@@ -2444,26 +2471,6 @@ static void noflush_work(struct thin_c *
+ /*----------------------------------------------------------------*/
+-static enum pool_mode get_pool_mode(struct pool *pool)
+-{
+-      return pool->pf.mode;
+-}
+-
+-static void notify_of_pool_mode_change(struct pool *pool, const char *new_mode)
+-{
+-      dm_table_event(pool->ti->table);
+-      DMINFO("%s: switching pool to %s mode",
+-             dm_device_name(pool->pool_md), new_mode);
+-}
+-
+-static void notify_of_pool_mode_change_to_oods(struct pool *pool)
+-{
+-      if (!pool->pf.error_if_no_space)
+-              notify_of_pool_mode_change(pool, "out-of-data-space (queue IO)");
+-      else
+-              notify_of_pool_mode_change(pool, "out-of-data-space (error IO)");
+-}
+-
+ static bool passdown_enabled(struct pool_c *pt)
+ {
+       return pt->adjusted_pf.discard_passdown;
+@@ -2512,8 +2519,6 @@ static void set_pool_mode(struct pool *p
+       switch (new_mode) {
+       case PM_FAIL:
+-              if (old_mode != new_mode)
+-                      notify_of_pool_mode_change(pool, "failure");
+               dm_pool_metadata_read_only(pool->pmd);
+               pool->process_bio = process_bio_fail;
+               pool->process_discard = process_bio_fail;
+@@ -2527,8 +2532,6 @@ static void set_pool_mode(struct pool *p
+       case PM_OUT_OF_METADATA_SPACE:
+       case PM_READ_ONLY:
+-              if (!is_read_only_pool_mode(old_mode))
+-                      notify_of_pool_mode_change(pool, "read-only");
+               dm_pool_metadata_read_only(pool->pmd);
+               pool->process_bio = process_bio_read_only;
+               pool->process_discard = process_bio_success;
+@@ -2549,8 +2552,6 @@ static void set_pool_mode(struct pool *p
+                * alarming rate.  Adjust your low water mark if you're
+                * frequently seeing this mode.
+                */
+-              if (old_mode != new_mode)
+-                      notify_of_pool_mode_change_to_oods(pool);
+               pool->out_of_data_space = true;
+               pool->process_bio = process_bio_read_only;
+               pool->process_discard = process_discard_bio;
+@@ -2563,8 +2564,6 @@ static void set_pool_mode(struct pool *p
+               break;
+       case PM_WRITE:
+-              if (old_mode != new_mode)
+-                      notify_of_pool_mode_change(pool, "write");
+               if (old_mode == PM_OUT_OF_DATA_SPACE)
+                       cancel_delayed_work_sync(&pool->no_space_timeout);
+               pool->out_of_data_space = false;
+@@ -2584,6 +2583,9 @@ static void set_pool_mode(struct pool *p
+        * doesn't cause an unexpected mode transition on resume.
+        */
+       pt->adjusted_pf.mode = new_mode;
++
++      if (old_mode != new_mode)
++              notify_of_pool_mode_change(pool);
+ }
+ static void abort_transaction(struct pool *pool)
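Review bot: In notify_of_pool_mode_change() the `descs[]` table is positional and read as `descs[(int)mode]` with no bound, so it silently depends on enum pool_mode having exactly these five values in this order; only PM_WRITE is visible in the enum context of this patch. A mode added or reordered later would print the wrong name or read past the array. Designated initializers keyed by the enum constants, together with `static const`, remove that dependency and avoid rebuilding the array on every call. The PM_FAIL text also changes from "failure" to "fail", which matters to anything that matches on the log line.

```c
static void notify_of_pool_mode_change(struct pool *pool)
{
	static const char * const descs[] = {
		[PM_WRITE]			= "write",
		[PM_OUT_OF_DATA_SPACE]		= "out-of-data-space",
		[PM_OUT_OF_METADATA_SPACE]	= "read-only",
		[PM_READ_ONLY]			= "read-only",
		[PM_FAIL]			= "fail",
	};
	/* ... unchanged: extra_desc selection, mode lookup, dm_table_event(), DMINFO() ... */
}
```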
diff --git a/queue-4.14/drm-amdgpu-powerplay-apply-avfs-cks-off-voltages-on-vi.patch b/queue-4.14/drm-amdgpu-powerplay-apply-avfs-cks-off-voltages-on-vi.patch
new file mode 100644 (file)
index 0000000..ab6dfad
--- /dev/null
@@ -0,0 +1,49 @@
+From cf4197ed5796234a53beb71228198c7d1e678947 Mon Sep 17 00:00:00 2001
+From: Kenneth Feng <kenneth.feng@amd.com>
+Date: Thu, 6 Dec 2018 11:56:14 +0800
+Subject: drm/amdgpu/powerplay: Apply avfs cks-off voltages on VI
+
+From: Kenneth Feng <kenneth.feng@amd.com>
+
+commit cf4197ed5796234a53beb71228198c7d1e678947 upstream.
+
+Instead of EVV cks-off voltages, avfs cks-off voltages can avoid
+the overshoot voltages when switching sclk.
+
+Signed-off-by: Kenneth Feng <kenneth.feng@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/powerplay/inc/smu7_ppsmc.h          |    2 ++
+ drivers/gpu/drm/amd/powerplay/smumgr/polaris10_smumgr.c |    6 ++++++
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/gpu/drm/amd/powerplay/inc/smu7_ppsmc.h
++++ b/drivers/gpu/drm/amd/powerplay/inc/smu7_ppsmc.h
+@@ -386,6 +386,8 @@ typedef uint16_t PPSMC_Result;
+ #define PPSMC_MSG_AgmResetPsm                 ((uint16_t) 0x403)
+ #define PPSMC_MSG_ReadVftCell                 ((uint16_t) 0x404)
++#define PPSMC_MSG_ApplyAvfsCksOffVoltage      ((uint16_t) 0x415)
++
+ #define PPSMC_MSG_GFX_CU_PG_ENABLE            ((uint16_t) 0x280)
+ #define PPSMC_MSG_GFX_CU_PG_DISABLE           ((uint16_t) 0x281)
+ #define PPSMC_MSG_GetCurrPkgPwr               ((uint16_t) 0x282)
+--- a/drivers/gpu/drm/amd/powerplay/smumgr/polaris10_smumgr.c
++++ b/drivers/gpu/drm/amd/powerplay/smumgr/polaris10_smumgr.c
+@@ -379,6 +379,12 @@ static int polaris10_smu_init(struct pp_
+       for (i = 0; i < SMU74_MAX_LEVELS_GRAPHICS; i++)
+               smu_data->activity_target[i] = PPPOLARIS10_TARGETACTIVITY_DFLT;
++      /* Apply avfs cks-off voltages to avoid the overshoot
++       * when switching to the highest sclk frequency
++       */
++      if (data->apply_avfs_cks_off_voltage)
++              smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ApplyAvfsCksOffVoltage);
++
+       return 0;
+ }
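Review bot: The added block in polaris10_smu_init() reads `data->apply_avfs_cks_off_voltage`, but neither the declaration of `data` nor that field is part of this patch, and the function body starts outside the hunk. For a 4.14 backport it is worth confirming that both exist in the target tree before this is queued, since nothing here adds them. The return value of `smum_send_msg_to_smc()` is also dropped, so a rejected message still leaves init returning 0. If that is meant as best-effort, a short comment saying so would help.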
diff --git a/queue-4.14/drm-amdgpu-update-smc-firmware-image-for-polaris10-variants.patch b/queue-4.14/drm-amdgpu-update-smc-firmware-image-for-polaris10-variants.patch
new file mode 100644 (file)
index 0000000..3128d1d
--- /dev/null
@@ -0,0 +1,33 @@
+From d55d8be0747c96db28a1d08fc24d22ccd9b448ac Mon Sep 17 00:00:00 2001
+From: Junwei Zhang <Jerry.Zhang@amd.com>
+Date: Fri, 7 Dec 2018 15:15:03 +0800
+Subject: drm/amdgpu: update SMC firmware image for polaris10 variants
+
+From: Junwei Zhang <Jerry.Zhang@amd.com>
+
+commit d55d8be0747c96db28a1d08fc24d22ccd9b448ac upstream.
+
+Some new variants require different firmwares.
+
+Signed-off-by: Junwei Zhang <Jerry.Zhang@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
+@@ -723,7 +723,8 @@ static int amdgpu_cgs_get_firmware_info(
+                                             (adev->pdev->revision == 0xe7) ||
+                                             (adev->pdev->revision == 0xef))) ||
+                                           ((adev->pdev->device == 0x6fdf) &&
+-                                           (adev->pdev->revision == 0xef))) {
++                                           ((adev->pdev->revision == 0xef) ||
++                                            (adev->pdev->revision == 0xff)))) {
+                                               info->is_kicker = true;
+                                               strcpy(fw_name, "amdgpu/polaris10_k_smc.bin");
+                                       } else
diff --git a/queue-4.14/drm-i915-execlists-apply-a-full-mb-before-execution-for-braswell.patch b/queue-4.14/drm-i915-execlists-apply-a-full-mb-before-execution-for-braswell.patch
new file mode 100644 (file)
index 0000000..68b0836
--- /dev/null
@@ -0,0 +1,50 @@
+From cf66b8a0ba142fbd1bf10ac8f3ae92d1b0cb7b8f Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Thu, 6 Dec 2018 08:44:31 +0000
+Subject: drm/i915/execlists: Apply a full mb before execution for Braswell
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit cf66b8a0ba142fbd1bf10ac8f3ae92d1b0cb7b8f upstream.
+
+Braswell is really picky about having our writes posted to memory before
+we execute or else the GPU may see stale values. A wmb() is insufficient
+as it only ensures the writes are visible to other cores, we need a full
+mb() to ensure the writes are in memory and visible to the GPU.
+
+The most frequent failure in flushing before execution is that we see
+stale PTE values and execute the wrong pages.
+
+References: 987abd5c62f9 ("drm/i915/execlists: Force write serialisation into context image vs execution")
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181206084431.9805-3-chris@chris-wilson.co.uk
+(cherry picked from commit 490b8c65b9db45896769e1095e78725775f47b3e)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_lrc.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_lrc.c
++++ b/drivers/gpu/drm/i915/intel_lrc.c
+@@ -343,8 +343,13 @@ static u64 execlists_update_context(stru
+        * may not be visible to the HW prior to the completion of the UC
+        * register write and that we may begin execution from the context
+        * before its image is complete leading to invalid PD chasing.
++       *
++       * Furthermore, Braswell, at least, wants a full mb to be sure that
++       * the writes are coherent in memory (visible to the GPU) prior to
++       * execution, and not just visible to other CPUs (as is the result of
++       * wmb).
+        */
+-      wmb();
++      mb();
+       return ce->lrc_desc;
+ }
diff --git a/queue-4.14/drm-nouveau-kms-fix-memory-leak-in-nv50_mstm_del.patch b/queue-4.14/drm-nouveau-kms-fix-memory-leak-in-nv50_mstm_del.patch
new file mode 100644 (file)
index 0000000..5efc7b6
--- /dev/null
@@ -0,0 +1,34 @@
+From 24199c5436f267399afed0c4f1f57663c0408f57 Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Tue, 11 Dec 2018 18:56:20 -0500
+Subject: drm/nouveau/kms: Fix memory leak in nv50_mstm_del()
+
+From: Lyude Paul <lyude@redhat.com>
+
+commit 24199c5436f267399afed0c4f1f57663c0408f57 upstream.
+
+Noticed this while working on redoing the reference counting scheme in
+the DP MST helpers. Nouveau doesn't attempt to call
+drm_dp_mst_topology_mgr_destroy() at all, which leaves it leaking all of
+the resources for drm_dp_mst_topology_mgr and it's children mstbs+ports.
+
+Fixes: f479c0ba4a17 ("drm/nouveau/kms/nv50: initial support for DP 1.2 multi-stream")
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Cc: <stable@vger.kernel.org> # v4.10+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/nv50_display.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/nouveau/nv50_display.c
++++ b/drivers/gpu/drm/nouveau/nv50_display.c
+@@ -3378,6 +3378,7 @@ nv50_mstm_del(struct nv50_mstm **pmstm)
+ {
+       struct nv50_mstm *mstm = *pmstm;
+       if (mstm) {
++              drm_dp_mst_topology_mgr_destroy(&mstm->mgr);
+               kfree(*pmstm);
+               *pmstm = NULL;
+       }
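Review bot: `drm_dp_mst_topology_mgr_destroy(&mstm->mgr)` now runs for every non-NULL mstm, and the hunk does not show whether nv50_mstm_del() can be reached for an object whose manager was never successfully initialised. If the constructor's error path frees through this function, destroy would run on a manager that never completed init. Confirming that, or recording the precondition in a comment such as `/* mgr is always initialised once *pmstm is set */`, would close the question.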
diff --git a/queue-4.14/fuse-continue-to-send-fuse_releasedir-when-fuse_open-returns-enosys.patch b/queue-4.14/fuse-continue-to-send-fuse_releasedir-when-fuse_open-returns-enosys.patch
new file mode 100644 (file)
index 0000000..caf082f
--- /dev/null
@@ -0,0 +1,145 @@
+From 2e64ff154ce6ce9a8dc0f9556463916efa6ff460 Mon Sep 17 00:00:00 2001
+From: Chad Austin <chadaustin@fb.com>
+Date: Mon, 10 Dec 2018 10:54:52 -0800
+Subject: fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS
+
+From: Chad Austin <chadaustin@fb.com>
+
+commit 2e64ff154ce6ce9a8dc0f9556463916efa6ff460 upstream.
+
+When FUSE_OPEN returns ENOSYS, the no_open bit is set on the connection.
+
+Because the FUSE_RELEASE and FUSE_RELEASEDIR paths share code, this
+incorrectly caused the FUSE_RELEASEDIR request to be dropped and never sent
+to userspace.
+
+Pass an isdir bool to distinguish between FUSE_RELEASE and FUSE_RELEASEDIR
+inside of fuse_file_put.
+
+Fixes: 7678ac50615d ("fuse: support clients that don't implement 'open'")
+Cc: <stable@vger.kernel.org> # v3.14
+Signed-off-by: Chad Austin <chadaustin@fb.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dir.c    |    2 +-
+ fs/fuse/file.c   |   21 +++++++++++----------
+ fs/fuse/fuse_i.h |    2 +-
+ 3 files changed, 13 insertions(+), 12 deletions(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1424,7 +1424,7 @@ static int fuse_dir_open(struct inode *i
+ static int fuse_dir_release(struct inode *inode, struct file *file)
+ {
+-      fuse_release_common(file, FUSE_RELEASEDIR);
++      fuse_release_common(file, true);
+       return 0;
+ }
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -86,12 +86,12 @@ static void fuse_release_end(struct fuse
+       iput(req->misc.release.inode);
+ }
+-static void fuse_file_put(struct fuse_file *ff, bool sync)
++static void fuse_file_put(struct fuse_file *ff, bool sync, bool isdir)
+ {
+       if (refcount_dec_and_test(&ff->count)) {
+               struct fuse_req *req = ff->reserved_req;
+-              if (ff->fc->no_open) {
++              if (ff->fc->no_open && !isdir) {
+                       /*
+                        * Drop the release request when client does not
+                        * implement 'open'
+@@ -244,10 +244,11 @@ static void fuse_prepare_release(struct
+       req->in.args[0].value = inarg;
+ }
+-void fuse_release_common(struct file *file, int opcode)
++void fuse_release_common(struct file *file, bool isdir)
+ {
+       struct fuse_file *ff = file->private_data;
+       struct fuse_req *req = ff->reserved_req;
++      int opcode = isdir ? FUSE_RELEASEDIR : FUSE_RELEASE;
+       fuse_prepare_release(ff, file->f_flags, opcode);
+@@ -269,7 +270,7 @@ void fuse_release_common(struct file *fi
+        * synchronous RELEASE is allowed (and desirable) in this case
+        * because the server can be trusted not to screw up.
+        */
+-      fuse_file_put(ff, ff->fc->destroy_req != NULL);
++      fuse_file_put(ff, ff->fc->destroy_req != NULL, isdir);
+ }
+ static int fuse_open(struct inode *inode, struct file *file)
+@@ -285,7 +286,7 @@ static int fuse_release(struct inode *in
+       if (fc->writeback_cache)
+               write_inode_now(inode, 1);
+-      fuse_release_common(file, FUSE_RELEASE);
++      fuse_release_common(file, false);
+       /* return value is ignored by VFS */
+       return 0;
+@@ -299,7 +300,7 @@ void fuse_sync_release(struct fuse_file
+        * iput(NULL) is a no-op and since the refcount is 1 and everything's
+        * synchronous, we are fine with not doing igrab() here"
+        */
+-      fuse_file_put(ff, true);
++      fuse_file_put(ff, true, false);
+ }
+ EXPORT_SYMBOL_GPL(fuse_sync_release);
+@@ -804,7 +805,7 @@ static void fuse_readpages_end(struct fu
+               put_page(page);
+       }
+       if (req->ff)
+-              fuse_file_put(req->ff, false);
++              fuse_file_put(req->ff, false, false);
+ }
+ static void fuse_send_readpages(struct fuse_req *req, struct file *file)
+@@ -1458,7 +1459,7 @@ static void fuse_writepage_free(struct f
+               __free_page(req->pages[i]);
+       if (req->ff)
+-              fuse_file_put(req->ff, false);
++              fuse_file_put(req->ff, false, false);
+ }
+ static void fuse_writepage_finish(struct fuse_conn *fc, struct fuse_req *req)
+@@ -1615,7 +1616,7 @@ int fuse_write_inode(struct inode *inode
+       ff = __fuse_write_file_get(fc, fi);
+       err = fuse_flush_times(inode, ff);
+       if (ff)
+-              fuse_file_put(ff, 0);
++              fuse_file_put(ff, false, false);
+       return err;
+ }
+@@ -1929,7 +1930,7 @@ static int fuse_writepages(struct addres
+               err = 0;
+       }
+       if (data.ff)
+-              fuse_file_put(data.ff, false);
++              fuse_file_put(data.ff, false, false);
+       kfree(data.orig_pages);
+ out:
+--- a/fs/fuse/fuse_i.h
++++ b/fs/fuse/fuse_i.h
+@@ -739,7 +739,7 @@ void fuse_sync_release(struct fuse_file
+ /**
+  * Send RELEASE or RELEASEDIR request
+  */
+-void fuse_release_common(struct file *file, int opcode);
++void fuse_release_common(struct file *file, bool isdir);
+ /**
+  * Send FSYNC or FSYNCDIR request
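Review bot: fuse_file_put() now takes two adjacent bools, so call sites such as `fuse_file_put(ff, true, false)` no longer show which flag is which, and a swapped pair would compile cleanly. The doc comment on fuse_release_common() in fuse_i.h still reads only "Send RELEASE or RELEASEDIR request"; I would extend it to say that `isdir` selects FUSE_RELEASEDIR and that such a request is sent even when the connection has no_open set. A one-line comment on fuse_file_put() describing `sync` and `isdir` would cover the other callers. fuse_sync_release() hard-codes `isdir` as false; its callers are not visible in this patch, so that is assumed to be file-only.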
diff --git a/queue-4.14/mmc-omap-fix-broken-mmc-on-omap15xx-omap5910-omap310.patch b/queue-4.14/mmc-omap-fix-broken-mmc-on-omap15xx-omap5910-omap310.patch
new file mode 100644 (file)
index 0000000..3905b46
--- /dev/null
@@ -0,0 +1,128 @@
+From e8cde625bfe8a714a856e1366bcbb259d7346095 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Tue, 20 Nov 2018 01:14:00 +0200
+Subject: MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310
+
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+
+commit e8cde625bfe8a714a856e1366bcbb259d7346095 upstream.
+
+Since v2.6.22 or so there has been reports [1] about OMAP MMC being
+broken on OMAP15XX based hardware (OMAP5910 and OMAP310). The breakage
+seems to have been caused by commit 46a6730e3ff9 ("mmc-omap: Fix
+omap to use MMC_POWER_ON") that changed clock enabling to be done
+on MMC_POWER_ON. This can happen multiple times in a row, and on 15XX
+the hardware doesn't seem to like it and the MMC just stops responding.
+Fix by memorizing the power mode and do the init only when necessary.
+
+Before the patch (on Palm TE):
+
+       mmc0: new SD card at address b368
+       mmcblk0: mmc0:b368 SDC   977 MiB
+       mmci-omap mmci-omap.0: command timeout (CMD18)
+       mmci-omap mmci-omap.0: command timeout (CMD13)
+       mmci-omap mmci-omap.0: command timeout (CMD13)
+       mmci-omap mmci-omap.0: command timeout (CMD12) [x 6]
+       mmci-omap mmci-omap.0: command timeout (CMD13) [x 6]
+       mmcblk0: error -110 requesting status
+       mmci-omap mmci-omap.0: command timeout (CMD8)
+       mmci-omap mmci-omap.0: command timeout (CMD18)
+       mmci-omap mmci-omap.0: command timeout (CMD13)
+       mmci-omap mmci-omap.0: command timeout (CMD13)
+       mmci-omap mmci-omap.0: command timeout (CMD12) [x 6]
+       mmci-omap mmci-omap.0: command timeout (CMD13) [x 6]
+       mmcblk0: error -110 requesting status
+       mmcblk0: recovery failed!
+       print_req_error: I/O error, dev mmcblk0, sector 0
+       Buffer I/O error on dev mmcblk0, logical block 0, async page read
+        mmcblk0: unable to read partition table
+
+After the patch:
+
+       mmc0: new SD card at address b368
+       mmcblk0: mmc0:b368 SDC   977 MiB
+        mmcblk0: p1
+
+The patch is based on a fix and analysis done by Ladislav Michl.
+
+Tested on OMAP15XX/OMAP310 (Palm TE), OMAP1710 (Nokia 770)
+and OMAP2420 (Nokia N810).
+
+[1] https://marc.info/?t=123175197000003&r=1&w=2
+
+Fixes: 46a6730e3ff9 ("mmc-omap: Fix omap to use MMC_POWER_ON")
+Reported-by: Ladislav Michl <ladis@linux-mips.org>
+Reported-by: Andrzej Zaborowski <balrogg@gmail.com>
+Tested-by: Ladislav Michl <ladis@linux-mips.org>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/omap.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/omap.c
++++ b/drivers/mmc/host/omap.c
+@@ -104,6 +104,7 @@ struct mmc_omap_slot {
+       unsigned int            vdd;
+       u16                     saved_con;
+       u16                     bus_mode;
++      u16                     power_mode;
+       unsigned int            fclk_freq;
+       struct tasklet_struct   cover_tasklet;
+@@ -1157,7 +1158,7 @@ static void mmc_omap_set_ios(struct mmc_
+       struct mmc_omap_slot *slot = mmc_priv(mmc);
+       struct mmc_omap_host *host = slot->host;
+       int i, dsor;
+-      int clk_enabled;
++      int clk_enabled, init_stream;
+       mmc_omap_select_slot(slot, 0);
+@@ -1167,6 +1168,7 @@ static void mmc_omap_set_ios(struct mmc_
+               slot->vdd = ios->vdd;
+       clk_enabled = 0;
++      init_stream = 0;
+       switch (ios->power_mode) {
+       case MMC_POWER_OFF:
+               mmc_omap_set_power(slot, 0, ios->vdd);
+@@ -1174,13 +1176,17 @@ static void mmc_omap_set_ios(struct mmc_
+       case MMC_POWER_UP:
+               /* Cannot touch dsor yet, just power up MMC */
+               mmc_omap_set_power(slot, 1, ios->vdd);
++              slot->power_mode = ios->power_mode;
+               goto exit;
+       case MMC_POWER_ON:
+               mmc_omap_fclk_enable(host, 1);
+               clk_enabled = 1;
+               dsor |= 1 << 11;
++              if (slot->power_mode != MMC_POWER_ON)
++                      init_stream = 1;
+               break;
+       }
++      slot->power_mode = ios->power_mode;
+       if (slot->bus_mode != ios->bus_mode) {
+               if (slot->pdata->set_bus_mode != NULL)
+@@ -1196,7 +1202,7 @@ static void mmc_omap_set_ios(struct mmc_
+       for (i = 0; i < 2; i++)
+               OMAP_MMC_WRITE(host, CON, dsor);
+       slot->saved_con = dsor;
+-      if (ios->power_mode == MMC_POWER_ON) {
++      if (init_stream) {
+               /* worst case at 400kHz, 80 cycles makes 200 microsecs */
+               int usecs = 250;
+@@ -1234,6 +1240,7 @@ static int mmc_omap_new_slot(struct mmc_
+       slot->host = host;
+       slot->mmc = mmc;
+       slot->id = id;
++      slot->power_mode = MMC_POWER_UNDEFINED;
+       slot->pdata = &host->pdata->slots[id];
+       host->slots[id] = slot;
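Review bot: The `init_stream` test in the MMC_POWER_ON case of mmc_omap_set_ios() has no comment, so the reason the init sequence must not be repeated is recorded only in the commit message. A line above the test would keep a later cleanup from restoring the unconditional path, for example `/* 15XX stops responding if init is repeated; send it only on a transition into MMC_POWER_ON */`. The new `power_mode` member of `struct mmc_omap_slot` would benefit from a short comment too, such as `/* last power mode applied by set_ios */`. mmc_omap_set_ios() starts and ends outside the quoted hunks, so the `exit` path is not visible here.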
diff --git a/queue-4.14/mmc-sdhci-fix-the-timeout-check-window-for-clock-and-reset.patch b/queue-4.14/mmc-sdhci-fix-the-timeout-check-window-for-clock-and-reset.patch
new file mode 100644 (file)
index 0000000..0cc528d
--- /dev/null
@@ -0,0 +1,75 @@
+From b704441e38f645dcfba1348ca3cc1ba43d1a9f31 Mon Sep 17 00:00:00 2001
+From: Alek Du <alek.du@intel.com>
+Date: Thu, 6 Dec 2018 17:24:59 +0800
+Subject: mmc: sdhci: fix the timeout check window for clock and reset
+
+From: Alek Du <alek.du@intel.com>
+
+commit b704441e38f645dcfba1348ca3cc1ba43d1a9f31 upstream.
+
+We observed some premature timeouts on a virtualization platform, the log
+is like this:
+
+case 1:
+[159525.255629] mmc1: Internal clock never stabilised.
+[159525.255818] mmc1: sdhci: ============ SDHCI REGISTER DUMP ===========
+[159525.256049] mmc1: sdhci: Sys addr:  0x00000000 | Version:  0x00001002
+...
+[159525.257205] mmc1: sdhci: Wake-up:   0x00000000 | Clock:    0x0000fa03
+From the clock control register dump, we are pretty sure the clock was
+stablized.
+
+case 2:
+[  914.550127] mmc1: Reset 0x2 never completed.
+[  914.550321] mmc1: sdhci: ============ SDHCI REGISTER DUMP ===========
+[  914.550608] mmc1: sdhci: Sys addr:  0x00000010 | Version:  0x00001002
+
+After checking the sdhci code, we found the timeout check actually has a
+little window that the CPU can be scheduled out and when it comes back,
+the original time set or check is not valid.
+
+Fixes: 5a436cc0af62 ("mmc: sdhci: Optimize delay loops")
+Cc: stable@vger.kernel.org      # v4.12+
+Signed-off-by: Alek Du <alek.du@intel.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci.c |   18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -193,8 +193,12 @@ void sdhci_reset(struct sdhci_host *host
+       timeout = ktime_add_ms(ktime_get(), 100);
+       /* hw clears the bit when it's done */
+-      while (sdhci_readb(host, SDHCI_SOFTWARE_RESET) & mask) {
+-              if (ktime_after(ktime_get(), timeout)) {
++      while (1) {
++              bool timedout = ktime_after(ktime_get(), timeout);
++
++              if (!(sdhci_readb(host, SDHCI_SOFTWARE_RESET) & mask))
++                      break;
++              if (timedout) {
+                       pr_err("%s: Reset 0x%x never completed.\n",
+                               mmc_hostname(host->mmc), (int)mask);
+                       sdhci_dumpregs(host);
+@@ -1417,9 +1421,13 @@ void sdhci_enable_clk(struct sdhci_host
+       /* Wait max 20 ms */
+       timeout = ktime_add_ms(ktime_get(), 20);
+-      while (!((clk = sdhci_readw(host, SDHCI_CLOCK_CONTROL))
+-              & SDHCI_CLOCK_INT_STABLE)) {
+-              if (ktime_after(ktime_get(), timeout)) {
++      while (1) {
++              bool timedout = ktime_after(ktime_get(), timeout);
++
++              clk = sdhci_readw(host, SDHCI_CLOCK_CONTROL);
++              if (clk & SDHCI_CLOCK_INT_STABLE)
++                      break;
++              if (timedout) {
+                       pr_err("%s: Internal clock never stabilised.\n",
+                              mmc_hostname(host->mmc));
+                       sdhci_dumpregs(host);
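Review bot: Both rewritten loops, in sdhci_reset() and sdhci_enable_clk(), are only correct because `timedout` is sampled before the register is read, and nothing in the code states that ordering requirement. Without a comment, a later tidy-up could fold the `ktime_after()` call back into the `if`, reopening the window the commit message describes. I would add above each `bool timedout = ...` line something like `/* Sample the deadline before the register read: being scheduled out in between must not turn a completed operation into a timeout */`. The loop tails are outside the hunks, so whether a delay separates the iterations cannot be checked from here.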
diff --git a/queue-4.14/pinctrl-sunxi-a83t-fix-irq-offset-typo-for-ph11.patch b/queue-4.14/pinctrl-sunxi-a83t-fix-irq-offset-typo-for-ph11.patch
new file mode 100644 (file)
index 0000000..1cc36f9
--- /dev/null
@@ -0,0 +1,37 @@
+From 478b6767ad26ab86d9ecc341027dd09a87b1f997 Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Tue, 4 Dec 2018 17:04:57 +0800
+Subject: pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+commit 478b6767ad26ab86d9ecc341027dd09a87b1f997 upstream.
+
+Pin PH11 is used on various A83T board to detect a change in the OTG
+port's ID pin, as in when an OTG host cable is plugged in.
+
+The incorrect offset meant the gpiochip/irqchip was activating the wrong
+pin for interrupts.
+
+Fixes: 4730f33f0d82 ("pinctrl: sunxi: add allwinner A83T PIO controller support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Acked-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c
++++ b/drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c
+@@ -568,7 +568,7 @@ static const struct sunxi_desc_pin sun8i
+       SUNXI_PIN(SUNXI_PINCTRL_PIN(H, 11),
+                 SUNXI_FUNCTION(0x0, "gpio_in"),
+                 SUNXI_FUNCTION(0x1, "gpio_out"),
+-                SUNXI_FUNCTION_IRQ_BANK(0x6, 2, 1)),  /* PH_EINT11 */
++                SUNXI_FUNCTION_IRQ_BANK(0x6, 2, 11)), /* PH_EINT11 */
+ };
+ static const struct sunxi_pinctrl_desc sun8i_a83t_pinctrl_data = {
diff --git a/queue-4.14/powerpc-msi-fix-null-pointer-access-in-teardown-code.patch b/queue-4.14/powerpc-msi-fix-null-pointer-access-in-teardown-code.patch
new file mode 100644 (file)
index 0000000..780340d
--- /dev/null
@@ -0,0 +1,54 @@
+From 78e7b15e17ac175e7eed9e21c6f92d03d3b0a6fa Mon Sep 17 00:00:00 2001
+From: Radu Rendec <radu.rendec@gmail.com>
+Date: Tue, 27 Nov 2018 22:20:48 -0500
+Subject: powerpc/msi: Fix NULL pointer access in teardown code
+
+From: Radu Rendec <radu.rendec@gmail.com>
+
+commit 78e7b15e17ac175e7eed9e21c6f92d03d3b0a6fa upstream.
+
+The arch_teardown_msi_irqs() function assumes that controller ops
+pointers were already checked in arch_setup_msi_irqs(), but this
+assumption is wrong: arch_teardown_msi_irqs() can be called even when
+arch_setup_msi_irqs() returns an error (-ENOSYS).
+
+This can happen in the following scenario:
+  - msi_capability_init() calls pci_msi_setup_msi_irqs()
+  - pci_msi_setup_msi_irqs() returns -ENOSYS
+  - msi_capability_init() notices the error and calls free_msi_irqs()
+  - free_msi_irqs() calls pci_msi_teardown_msi_irqs()
+
+This is easier to see when CONFIG_PCI_MSI_IRQ_DOMAIN is not set and
+pci_msi_setup_msi_irqs() and pci_msi_teardown_msi_irqs() are just
+aliases to arch_setup_msi_irqs() and arch_teardown_msi_irqs().
+
+The call to free_msi_irqs() upon pci_msi_setup_msi_irqs() failure
+seems legit, as it does additional cleanup; e.g.
+list_del(&entry->list) and kfree(entry) inside free_msi_irqs() do
+happen (MSI descriptors are allocated before pci_msi_setup_msi_irqs()
+is called and need to be cleaned up if that fails).
+
+Fixes: 6b2fd7efeb88 ("PCI/MSI/PPC: Remove arch_msi_check_device()")
+Cc: stable@vger.kernel.org # v3.18+
+Signed-off-by: Radu Rendec <radu.rendec@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/msi.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/msi.c
++++ b/arch/powerpc/kernel/msi.c
+@@ -34,5 +34,10 @@ void arch_teardown_msi_irqs(struct pci_d
+ {
+       struct pci_controller *phb = pci_bus_to_host(dev->bus);
+-      phb->controller_ops.teardown_msi_irqs(dev);
++      /*
++       * We can be called even when arch_setup_msi_irqs() returns -ENOSYS,
++       * so check the pointer again.
++       */
++      if (phb->controller_ops.teardown_msi_irqs)
++              phb->controller_ops.teardown_msi_irqs(dev);
+ }
diff --git a/queue-4.14/revert-drm-rockchip-allow-driver-to-be-shutdown-on-reboot-kexec.patch b/queue-4.14/revert-drm-rockchip-allow-driver-to-be-shutdown-on-reboot-kexec.patch
new file mode 100644 (file)
index 0000000..37354e1
--- /dev/null
@@ -0,0 +1,91 @@
+From 63238173b2faf3d6b85a416f1c69af6c7be2413f Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Wed, 5 Dec 2018 10:16:57 -0800
+Subject: Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec"
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit 63238173b2faf3d6b85a416f1c69af6c7be2413f upstream.
+
+This reverts commit 7f3ef5dedb146e3d5063b6845781ad1bb59b92b5.
+
+It causes new warnings [1] on shutdown when running the Google Kevin or
+Scarlet (RK3399) boards under Chrome OS. Presumably our usage of DRM is
+different than what Marc and Heiko test.
+
+We're looking at a different approach (e.g., [2]) to replace this, but
+IMO the revert should be taken first, as it already propagated to
+-stable.
+
+[1] Report here:
+http://lkml.kernel.org/lkml/20181205030127.GA200921@google.com
+
+WARNING: CPU: 4 PID: 2035 at drivers/gpu/drm/drm_mode_config.c:477 drm_mode_config_cleanup+0x1c4/0x294
+...
+ Call trace:
+  drm_mode_config_cleanup+0x1c4/0x294
+  rockchip_drm_unbind+0x4c/0x8c
+  component_master_del+0x88/0xb8
+  rockchip_drm_platform_remove+0x2c/0x44
+  rockchip_drm_platform_shutdown+0x20/0x2c
+  platform_drv_shutdown+0x2c/0x38
+  device_shutdown+0x164/0x1b8
+  kernel_restart_prepare+0x40/0x48
+  kernel_restart+0x20/0x68
+...
+ Memory manager not clean during takedown.
+ WARNING: CPU: 4 PID: 2035 at drivers/gpu/drm/drm_mm.c:950 drm_mm_takedown+0x34/0x44
+...
+  drm_mm_takedown+0x34/0x44
+  rockchip_drm_unbind+0x64/0x8c
+  component_master_del+0x88/0xb8
+  rockchip_drm_platform_remove+0x2c/0x44
+  rockchip_drm_platform_shutdown+0x20/0x2c
+  platform_drv_shutdown+0x2c/0x38
+  device_shutdown+0x164/0x1b8
+  kernel_restart_prepare+0x40/0x48
+  kernel_restart+0x20/0x68
+...
+
+[2] https://patchwork.kernel.org/patch/10556151/
+    https://www.spinics.net/lists/linux-rockchip/msg21342.html
+    [PATCH] drm/rockchip: shutdown drm subsystem on shutdown
+
+Fixes: 7f3ef5dedb14 ("drm/rockchip: Allow driver to be shutdown on reboot/kexec")
+Cc: Jeffy Chen <jeffy.chen@rock-chips.com>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Cc: Vicente Bergas <vicencb@gmail.com>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Heiko Stuebner <heiko@sntech.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181205181657.177703-1-briannorris@chromium.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_drv.c |    6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
+@@ -425,11 +425,6 @@ static int rockchip_drm_platform_remove(
+       return 0;
+ }
+-static void rockchip_drm_platform_shutdown(struct platform_device *pdev)
+-{
+-      rockchip_drm_platform_remove(pdev);
+-}
+-
+ static const struct of_device_id rockchip_drm_dt_ids[] = {
+       { .compatible = "rockchip,display-subsystem", },
+       { /* sentinel */ },
+@@ -439,7 +434,6 @@ MODULE_DEVICE_TABLE(of, rockchip_drm_dt_
+ static struct platform_driver rockchip_drm_platform_driver = {
+       .probe = rockchip_drm_platform_probe,
+       .remove = rockchip_drm_platform_remove,
+-      .shutdown = rockchip_drm_platform_shutdown,
+       .driver = {
+               .name = "rockchip-drm",
+               .of_match_table = rockchip_drm_dt_ids,
index ee9ade535ef52c06d0796c02fe296c36a6bd5e77..62aeb7d9e3901d201efab6cf64e882dfa12cae6e 100644 (file)
@@ -1 +1,19 @@
 timer-debug-change-proc-timer_list-from-0444-to-0400.patch
+pinctrl-sunxi-a83t-fix-irq-offset-typo-for-ph11.patch
+aio-fix-spectre-gadget-in-lookup_ioctx.patch
+userfaultfd-check-vm_maywrite-was-set-after-verifying-the-uffd-is-registered.patch
+arm64-dma-mapping-fix-force_contiguous-buffer-clearing.patch
+mmc-omap-fix-broken-mmc-on-omap15xx-omap5910-omap310.patch
+mmc-sdhci-fix-the-timeout-check-window-for-clock-and-reset.patch
+fuse-continue-to-send-fuse_releasedir-when-fuse_open-returns-enosys.patch
+arm-mmp-mmp2-fix-cpu_is_mmp2-on-mmp2-dt.patch
+dm-thin-send-event-about-thin-pool-state-change-_after_-making-it.patch
+dm-cache-metadata-verify-cache-has-blocks-in-blocks_are_clean_separate_dirty.patch
+tracing-fix-memory-leak-in-set_trigger_filter.patch
+tracing-fix-memory-leak-of-instance-function-hash-filters.patch
+powerpc-msi-fix-null-pointer-access-in-teardown-code.patch
+drm-nouveau-kms-fix-memory-leak-in-nv50_mstm_del.patch
+revert-drm-rockchip-allow-driver-to-be-shutdown-on-reboot-kexec.patch
+drm-i915-execlists-apply-a-full-mb-before-execution-for-braswell.patch
+drm-amdgpu-powerplay-apply-avfs-cks-off-voltages-on-vi.patch
+drm-amdgpu-update-smc-firmware-image-for-polaris10-variants.patch
index 5b3935504b8aedf264e5785a84edb001033098da..5e92a9adc4511719451e6fc7749972dd22ffa5c3 100644 (file)
@@ -15,14 +15,12 @@ Cc: linux-kernel@vger.kernel.org
 Signed-off-by: Ingo Molnar <mingo@kernel.org>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
- kernel/time/timer_list.c | 2 +-
+ kernel/time/timer_list.c |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c
-index 0e7f5428a148..0ed768b56c60 100644
 --- a/kernel/time/timer_list.c
 +++ b/kernel/time/timer_list.c
-@@ -389,7 +389,7 @@ static int __init init_timer_list_procfs(void)
+@@ -389,7 +389,7 @@ static int __init init_timer_list_procfs
  {
        struct proc_dir_entry *pe;
  
@@ -31,6 +29,3 @@ index 0e7f5428a148..0ed768b56c60 100644
        if (!pe)
                return -ENOMEM;
        return 0;
--- 
-2.19.1
-
diff --git a/queue-4.14/tracing-fix-memory-leak-in-set_trigger_filter.patch b/queue-4.14/tracing-fix-memory-leak-in-set_trigger_filter.patch
new file mode 100644 (file)
index 0000000..10665e4
--- /dev/null
@@ -0,0 +1,45 @@
+From 3cec638b3d793b7cacdec5b8072364b41caeb0e1 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Sun, 9 Dec 2018 21:17:30 -0500
+Subject: tracing: Fix memory leak in set_trigger_filter()
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 3cec638b3d793b7cacdec5b8072364b41caeb0e1 upstream.
+
+When create_event_filter() fails in set_trigger_filter(), the filter may
+still be allocated and needs to be freed. The caller expects the
+data->filter to be updated with the new filter, even if the new filter
+failed (we could add an error message by setting set_str parameter of
+create_event_filter(), but that's another update).
+
+But because the error would just exit, filter was left hanging and
+nothing could free it.
+
+Found by kmemleak detector.
+
+Cc: stable@vger.kernel.org
+Fixes: bac5fb97a173a ("tracing: Add and use generic set_trigger_filter() implementation")
+Reviewed-by: Tom Zanussi <tom.zanussi@linux.intel.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_trigger.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -744,8 +744,10 @@ int set_trigger_filter(char *filter_str,
+       /* The filter is for the 'trigger' event, not the triggered event */
+       ret = create_event_filter(file->event_call, filter_str, false, &filter);
+-      if (ret)
+-              goto out;
++      /*
++       * If create_event_filter() fails, filter still needs to be freed.
++       * Which the calling code will do with data->filter.
++       */
+  assign:
+       tmp = rcu_access_pointer(data->filter);
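Review bot: With the `if (ret) goto out;` check removed, a filter from a failed create_event_filter() call now falls through to `assign:` and is stored in `data->filter`, but the new comment never says that this is intentional or that `ret` still holds the error. The second sentence of the comment ("Which the calling code will do with data->filter.") is also a fragment. Suggested wording: `/* On failure the filter may still be allocated: fall through so it lands in data->filter, where the caller frees it. */`. set_trigger_filter() continues outside the hunk, so it is not visible whether `ret` is returned unchanged or whether readers of `data->filter` tolerate a filter that failed to build; both are worth confirming.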
diff --git a/queue-4.14/tracing-fix-memory-leak-of-instance-function-hash-filters.patch b/queue-4.14/tracing-fix-memory-leak-of-instance-function-hash-filters.patch
new file mode 100644 (file)
index 0000000..f4ac367
--- /dev/null
@@ -0,0 +1,41 @@
+From 2840f84f74035e5a535959d5f17269c69fa6edc5 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Mon, 10 Dec 2018 23:58:01 -0500
+Subject: tracing: Fix memory leak of instance function hash filters
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 2840f84f74035e5a535959d5f17269c69fa6edc5 upstream.
+
+The following commands will cause a memory leak:
+
+ # cd /sys/kernel/tracing
+ # mkdir instances/foo
+ # echo schedule > instance/foo/set_ftrace_filter
+ # rmdir instances/foo
+
+The reason is that the hashes that hold the filters to set_ftrace_filter and
+set_ftrace_notrace are not freed if they contain any data on the instance
+and the instance is removed.
+
+Found by kmemleak detector.
+
+Cc: stable@vger.kernel.org
+Fixes: 591dffdade9f ("ftrace: Allow for function tracing instance to filter functions")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -5534,6 +5534,7 @@ void ftrace_destroy_filter_files(struct
+       if (ops->flags & FTRACE_OPS_FL_ENABLED)
+               ftrace_shutdown(ops, 0);
+       ops->flags |= FTRACE_OPS_FL_DELETED;
++      ftrace_free_filter(ops);
+       mutex_unlock(&ftrace_lock);
+ }
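Review bot: The added `ftrace_free_filter(ops);` presumably relies on its position after `ftrace_shutdown(ops, 0)` and after `FTRACE_OPS_FL_DELETED` is set, while `ftrace_lock` is still held, but the line has no comment saying so. Freeing the filter hashes while the ops could still be enabled would be a use-after-free hazard, so the ordering deserves a note such as `/* ops is shut down and marked deleted: release the filter/notrace hashes, or they leak with the instance */`. ftrace_destroy_filter_files() begins outside the hunk, so the lock acquisition and any earlier exits are not visible here.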
diff --git a/queue-4.14/userfaultfd-check-vm_maywrite-was-set-after-verifying-the-uffd-is-registered.patch b/queue-4.14/userfaultfd-check-vm_maywrite-was-set-after-verifying-the-uffd-is-registered.patch
new file mode 100644 (file)
index 0000000..cf7dea3
--- /dev/null
@@ -0,0 +1,49 @@
+From 01e881f5a1fca4677e82733061868c6d6ea05ca7 Mon Sep 17 00:00:00 2001
+From: Andrea Arcangeli <aarcange@redhat.com>
+Date: Fri, 14 Dec 2018 14:17:17 -0800
+Subject: userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered
+
+From: Andrea Arcangeli <aarcange@redhat.com>
+
+commit 01e881f5a1fca4677e82733061868c6d6ea05ca7 upstream.
+
+Calling UFFDIO_UNREGISTER on virtual ranges not yet registered in uffd
+could trigger an harmless false positive WARN_ON.  Check the vma is
+already registered before checking VM_MAYWRITE to shut off the false
+positive warning.
+
+Link: http://lkml.kernel.org/r/20181206212028.18726-2-aarcange@redhat.com
+Cc: <stable@vger.kernel.org>
+Fixes: 29ec90660d68 ("userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas")
+Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
+Reported-by: syzbot+06c7092e7d71218a2c16@syzkaller.appspotmail.com
+Acked-by: Mike Rapoport <rppt@linux.ibm.com>
+Acked-by: Hugh Dickins <hughd@google.com>
+Acked-by: Peter Xu <peterx@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/userfaultfd.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -1567,7 +1567,6 @@ static int userfaultfd_unregister(struct
+               cond_resched();
+               BUG_ON(!vma_can_userfault(vma));
+-              WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
+               /*
+                * Nothing to do: this vma is already registered into this
+@@ -1576,6 +1575,8 @@ static int userfaultfd_unregister(struct
+               if (!vma->vm_userfaultfd_ctx.ctx)
+                       goto skip;
++              WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
++
+               if (vma->vm_start > start)
+                       start = vma->vm_start;
+               vma_end = min(end, vma->vm_end);
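Review bot: The relocated `WARN_ON(!(vma->vm_flags & VM_MAYWRITE));` in userfaultfd_unregister() has no comment explaining why it must follow the `vm_userfaultfd_ctx.ctx` check. A warning that userspace can reach is more than log noise on systems that panic on warnings, so the placement is worth pinning with a line such as `/* Only registered vmas are guaranteed VM_MAYWRITE; checking earlier warns on ranges userspace never registered */`. `WARN_ON_ONCE` would also bound the log output if the invariant is ever broken. The loop body and the `skip` label are outside the hunks.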