--- /dev/null
+From 499ed50f603b4c9834197b2411ba3bd9aaa624d4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Th=C3=A9baudeau?=
+ <benoit.thebaudeau.dev@gmail.com>
+Date: Sun, 14 Jan 2018 19:43:05 +0100
+Subject: mmc: sdhci-esdhc-imx: Fix i.MX53 eSDHCv3 clock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benoît Thébaudeau <benoit.thebaudeau.dev@gmail.com>
+
+commit 499ed50f603b4c9834197b2411ba3bd9aaa624d4 upstream.
+
+Commit 5143c953a786 ("mmc: sdhci-esdhc-imx: Allow all supported
+prescaler values") made it possible to set SYSCTL.SDCLKFS to 0 in SDR
+mode, thus bypassing the SD clock frequency prescaler, in order to be
+able to get higher SD clock frequencies in some contexts. However, that
+commit missed the fact that this value is illegal on the eSDHCv3
+instance of the i.MX53. This seems to be the only exception on i.MX,
+this value being legal even for the eSDHCv2 instances of the i.MX53.
+
+Fix this issue by changing the minimum prescaler value if the i.MX53
+eSDHCv3 is detected. According to the i.MX53 reference manual, if
+DLLCTRL[10] can be set, then the controller is eSDHCv3, else it is
+eSDHCv2.
+
+This commit fixes the following issue, which was preventing the i.MX53
+Loco (IMX53QSB) board from booting Linux 4.15.0-rc5:
+[ 1.882668] mmcblk1: error -84 transferring data, sector 2048, nr 8, cmd response 0x900, card status 0xc00
+[ 2.002255] mmcblk1: error -84 transferring data, sector 2050, nr 6, cmd response 0x900, card status 0xc00
+[ 12.645056] mmc1: Timeout waiting for hardware interrupt.
+[ 12.650473] mmc1: sdhci: ============ SDHCI REGISTER DUMP ===========
+[ 12.656921] mmc1: sdhci: Sys addr: 0x00000000 | Version: 0x00001201
+[ 12.663366] mmc1: sdhci: Blk size: 0x00000004 | Blk cnt: 0x00000000
+[ 12.669813] mmc1: sdhci: Argument: 0x00000000 | Trn mode: 0x00000013
+[ 12.676258] mmc1: sdhci: Present: 0x01f8028f | Host ctl: 0x00000013
+[ 12.682703] mmc1: sdhci: Power: 0x00000002 | Blk gap: 0x00000000
+[ 12.689148] mmc1: sdhci: Wake-up: 0x00000000 | Clock: 0x0000003f
+[ 12.695594] mmc1: sdhci: Timeout: 0x0000008e | Int stat: 0x00000000
+[ 12.702039] mmc1: sdhci: Int enab: 0x107f004b | Sig enab: 0x107f004b
+[ 12.708485] mmc1: sdhci: AC12 err: 0x00000000 | Slot int: 0x00001201
+[ 12.714930] mmc1: sdhci: Caps: 0x07eb0000 | Caps_1: 0x08100810
+[ 12.721375] mmc1: sdhci: Cmd: 0x0000163a | Max curr: 0x00000000
+[ 12.727821] mmc1: sdhci: Resp[0]: 0x00000920 | Resp[1]: 0x00000000
+[ 12.734265] mmc1: sdhci: Resp[2]: 0x00000000 | Resp[3]: 0x00000000
+[ 12.740709] mmc1: sdhci: Host ctl2: 0x00000000
+[ 12.745157] mmc1: sdhci: ADMA Err: 0x00000001 | ADMA Ptr: 0xc8049200
+[ 12.751601] mmc1: sdhci: ============================================
+[ 12.758110] print_req_error: I/O error, dev mmcblk1, sector 2050
+[ 12.764135] Buffer I/O error on dev mmcblk1p1, logical block 0, lost sync page write
+[ 12.775163] EXT4-fs (mmcblk1p1): mounted filesystem without journal. Opts: (null)
+[ 12.782746] VFS: Mounted root (ext4 filesystem) on device 179:9.
+[ 12.789151] mmcblk1: response CRC error sending SET_BLOCK_COUNT command, card status 0x900
+
+Signed-off-by: Benoît Thébaudeau <benoit.thebaudeau.dev@gmail.com>
+Reported-by: Wladimir J. van der Laan <laanwj@gmail.com>
+Tested-by: Wladimir J. van der Laan <laanwj@gmail.com>
+Fixes: 5143c953a786 ("mmc: sdhci-esdhc-imx: Allow all supported prescaler values")
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-esdhc-imx.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
++++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -687,6 +687,20 @@ static inline void esdhc_pltfm_set_clock
+ return;
+ }
+
++ /* For i.MX53 eSDHCv3, SYSCTL.SDCLKFS may not be set to 0. */
++ if (is_imx53_esdhc(imx_data)) {
++ /*
++ * According to the i.MX53 reference manual, if DLLCTRL[10] can
++ * be set, then the controller is eSDHCv3, else it is eSDHCv2.
++ */
++ val = readl(host->ioaddr + ESDHC_DLL_CTRL);
++ writel(val | BIT(10), host->ioaddr + ESDHC_DLL_CTRL);
++ temp = readl(host->ioaddr + ESDHC_DLL_CTRL);
++ writel(val, host->ioaddr + ESDHC_DLL_CTRL);
++ if (temp & BIT(10))
++ pre_div = 2;
++ }
++
+ temp = sdhci_readl(host, ESDHC_SYSTEM_CONTROL);
+ temp &= ~(ESDHC_CLOCK_IPGEN | ESDHC_CLOCK_HCKEN | ESDHC_CLOCK_PEREN
+ | ESDHC_CLOCK_MASK);
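Review bot: the DLLCTRL[10] probe inside `if (is_imx53_esdhc(imx_data))` does a write, read-back and restore on ESDHC_DLL_CTRL on every call to esdhc_pltfm_set_clock, so a live DLL control register is modified each time the clock changes. Whether an instance is eSDHCv2 or eSDHCv3 cannot change at run time, so consider detecting it once at probe time and caching the result in imx_data, leaving only the `pre_div = 2` decision here. The block also uses raw readl()/writel() while the very next line uses sdhci_readl(); a short comment on why the accessor wrappers are bypassed would help.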
--- /dev/null
+From 6cfb521ac0d5b97470883ff9b7facae264b7ab12 Mon Sep 17 00:00:00 2001
+From: Andi Kleen <ak@linux.intel.com>
+Date: Tue, 16 Jan 2018 12:52:28 -0800
+Subject: module: Add retpoline tag to VERMAGIC
+
+From: Andi Kleen <ak@linux.intel.com>
+
+commit 6cfb521ac0d5b97470883ff9b7facae264b7ab12 upstream.
+
+Add a marker for retpoline to the module VERMAGIC. This catches the case
+when a non RETPOLINE compiled module gets loaded into a retpoline kernel,
+making it insecure.
+
+It doesn't handle the case when retpoline has been runtime disabled. Even
+in this case the match of the retcompile status will be enforced. This
+implies that even with retpoline run time disabled all modules loaded need
+to be recompiled.
+
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: David Woodhouse <dwmw@amazon.co.uk>
+Cc: rusty@rustcorp.com.au
+Cc: arjan.van.de.ven@intel.com
+Cc: jeyu@kernel.org
+Cc: torvalds@linux-foundation.org
+Link: https://lkml.kernel.org/r/20180116205228.4890-1-andi@firstfloor.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/vermagic.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/include/linux/vermagic.h
++++ b/include/linux/vermagic.h
+@@ -31,11 +31,17 @@
+ #else
+ #define MODULE_RANDSTRUCT_PLUGIN
+ #endif
++#ifdef RETPOLINE
++#define MODULE_VERMAGIC_RETPOLINE "retpoline "
++#else
++#define MODULE_VERMAGIC_RETPOLINE ""
++#endif
+
+ #define VERMAGIC_STRING \
+ UTS_RELEASE " " \
+ MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \
+ MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \
+ MODULE_ARCH_VERMAGIC \
+- MODULE_RANDSTRUCT_PLUGIN
++ MODULE_RANDSTRUCT_PLUGIN \
++ MODULE_VERMAGIC_RETPOLINE
+
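Review bot: the `#ifdef RETPOLINE` block keys the vermagic tag on a build-time macro, so, as the changelog itself says, a kernel with retpoline disabled at run time still rejects modules built without it, yet nothing in vermagic.h documents that. Add a comment above MODULE_VERMAGIC_RETPOLINE stating what defines RETPOLINE and that the check is compile-time only, so the resulting load failure can be explained to people building out-of-tree modules.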
--- /dev/null
+From 385d11b152c4eb638eeb769edcb3249533bb9a00 Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Mon, 15 Jan 2018 08:17:08 -0600
+Subject: objtool: Improve error message for bad file argument
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+commit 385d11b152c4eb638eeb769edcb3249533bb9a00 upstream.
+
+If a nonexistent file is supplied to objtool, it complains with a
+non-helpful error:
+
+ open: No such file or directory
+
+Improve it to:
+
+ objtool: Can't open 'foo': No such file or directory
+
+Reported-by: Markus <M4rkusXXL@web.de>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/406a3d00a21225eee2819844048e17f68523ccf6.1516025651.git.jpoimboe@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/objtool/elf.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/tools/objtool/elf.c
++++ b/tools/objtool/elf.c
+@@ -26,6 +26,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <errno.h>
+
+ #include "elf.h"
+ #include "warn.h"
+@@ -358,7 +359,8 @@ struct elf *elf_open(const char *name, i
+
+ elf->fd = open(name, flags);
+ if (elf->fd == -1) {
+- perror("open");
++ fprintf(stderr, "objtool: Can't open '%s': %s\n",
++ name, strerror(errno));
+ goto err;
+ }
+
iser-target-fix-possible-use-after-free-in-connection-establishment-error.patch
delayacct-account-blkio-completion-on-the-correct-task.patch
objtool-fix-seg-fault-with-gold-linker.patch
+mmc-sdhci-esdhc-imx-fix-i.mx53-esdhcv3-clock.patch
+x86-kasan-panic-if-there-is-not-enough-memory-to-boot.patch
+x86-retpoline-fill-rsb-on-context-switch-for-affected-cpus.patch
+x86-retpoline-add-lfence-to-the-retpoline-rsb-filling-rsb-macros.patch
+objtool-improve-error-message-for-bad-file-argument.patch
+x86-cpufeature-move-processor-tracing-out-of-scattered-features.patch
+module-add-retpoline-tag-to-vermagic.patch
+x86-intel_rdt-cqm-prevent-use-after-free.patch
+x86-mm-pkeys-fix-fill_sig_info_pkey.patch
+x86-idt-mark-idt-tables-__initconst.patch
+x86-tsc-future-proof-native_calibrate_tsc.patch
+x86-tsc-fix-erroneous-tsc-rate-on-skylake-xeon.patch
--- /dev/null
+From 4fdec2034b7540dda461c6ba33325dfcff345c64 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 16 Jan 2018 16:42:25 +0100
+Subject: x86/cpufeature: Move processor tracing out of scattered features
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 4fdec2034b7540dda461c6ba33325dfcff345c64 upstream.
+
+Processor tracing is already enumerated in word 9 (CPUID[7,0].EBX),
+so do not duplicate it in the scattered features word.
+
+Besides being more tidy, this will be useful for KVM when it presents
+processor tracing to the guests. KVM selects host features that are
+supported by both the host kernel (depending on command line options,
+CPU errata, or whatever) and KVM. Whenever a full feature word exists,
+KVM's code is written in the expectation that the CPUID bit number
+matches the X86_FEATURE_* bit number, but this is not the case for
+X86_FEATURE_INTEL_PT.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Luwei Kang <luwei.kang@intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: kvm@vger.kernel.org
+Link: http://lkml.kernel.org/r/1516117345-34561-1-git-send-email-pbonzini@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/cpufeatures.h | 2 +-
+ arch/x86/kernel/cpu/scattered.c | 1 -
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -206,7 +206,6 @@
+ #define X86_FEATURE_RETPOLINE ( 7*32+12) /* Generic Retpoline mitigation for Spectre variant 2 */
+ #define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* AMD Retpoline mitigation for Spectre variant 2 */
+ #define X86_FEATURE_INTEL_PPIN ( 7*32+14) /* Intel Processor Inventory Number */
+-#define X86_FEATURE_INTEL_PT ( 7*32+15) /* Intel Processor Trace */
+ #define X86_FEATURE_AVX512_4VNNIW ( 7*32+16) /* AVX-512 Neural Network Instructions */
+ #define X86_FEATURE_AVX512_4FMAPS ( 7*32+17) /* AVX-512 Multiply Accumulation Single precision */
+
+@@ -246,6 +245,7 @@
+ #define X86_FEATURE_AVX512IFMA ( 9*32+21) /* AVX-512 Integer Fused Multiply-Add instructions */
+ #define X86_FEATURE_CLFLUSHOPT ( 9*32+23) /* CLFLUSHOPT instruction */
+ #define X86_FEATURE_CLWB ( 9*32+24) /* CLWB instruction */
++#define X86_FEATURE_INTEL_PT ( 9*32+25) /* Intel Processor Trace */
+ #define X86_FEATURE_AVX512PF ( 9*32+26) /* AVX-512 Prefetch */
+ #define X86_FEATURE_AVX512ER ( 9*32+27) /* AVX-512 Exponential and Reciprocal */
+ #define X86_FEATURE_AVX512CD ( 9*32+28) /* AVX-512 Conflict Detection */
+--- a/arch/x86/kernel/cpu/scattered.c
++++ b/arch/x86/kernel/cpu/scattered.c
+@@ -21,7 +21,6 @@ struct cpuid_bit {
+ static const struct cpuid_bit cpuid_bits[] = {
+ { X86_FEATURE_APERFMPERF, CPUID_ECX, 0, 0x00000006, 0 },
+ { X86_FEATURE_EPB, CPUID_ECX, 3, 0x00000006, 0 },
+- { X86_FEATURE_INTEL_PT, CPUID_EBX, 25, 0x00000007, 0 },
+ { X86_FEATURE_AVX512_4VNNIW, CPUID_EDX, 2, 0x00000007, 0 },
+ { X86_FEATURE_AVX512_4FMAPS, CPUID_EDX, 3, 0x00000007, 0 },
+ { X86_FEATURE_CAT_L3, CPUID_EBX, 1, 0x00000010, 0 },
--- /dev/null
+From 327867faa4d66628fcd92a843adb3345736a5313 Mon Sep 17 00:00:00 2001
+From: Andi Kleen <ak@linux.intel.com>
+Date: Thu, 21 Dec 2017 16:18:21 -0800
+Subject: x86/idt: Mark IDT tables __initconst
+
+From: Andi Kleen <ak@linux.intel.com>
+
+commit 327867faa4d66628fcd92a843adb3345736a5313 upstream.
+
+const variables must use __initconst, not __initdata.
+
+Fix this up for the IDT tables, which got it consistently wrong.
+
+Fixes: 16bc18d895ce ("x86/idt: Move 32-bit idt_descr to C code")
+Signed-off-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20171222001821.2157-7-andi@firstfloor.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/idt.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/idt.c
++++ b/arch/x86/kernel/idt.c
+@@ -56,7 +56,7 @@ struct idt_data {
+ * Early traps running on the DEFAULT_STACK because the other interrupt
+ * stacks work only after cpu_init().
+ */
+-static const __initdata struct idt_data early_idts[] = {
++static const __initconst struct idt_data early_idts[] = {
+ INTG(X86_TRAP_DB, debug),
+ SYSG(X86_TRAP_BP, int3),
+ #ifdef CONFIG_X86_32
+@@ -70,7 +70,7 @@ static const __initdata struct idt_data
+ * the traps which use them are reinitialized with IST after cpu_init() has
+ * set up TSS.
+ */
+-static const __initdata struct idt_data def_idts[] = {
++static const __initconst struct idt_data def_idts[] = {
+ INTG(X86_TRAP_DE, divide_error),
+ INTG(X86_TRAP_NMI, nmi),
+ INTG(X86_TRAP_BR, bounds),
+@@ -108,7 +108,7 @@ static const __initdata struct idt_data
+ /*
+ * The APIC and SMP idt entries
+ */
+-static const __initdata struct idt_data apic_idts[] = {
++static const __initconst struct idt_data apic_idts[] = {
+ #ifdef CONFIG_SMP
+ INTG(RESCHEDULE_VECTOR, reschedule_interrupt),
+ INTG(CALL_FUNCTION_VECTOR, call_function_interrupt),
+@@ -150,7 +150,7 @@ static const __initdata struct idt_data
+ * Early traps running on the DEFAULT_STACK because the other interrupt
+ * stacks work only after cpu_init().
+ */
+-static const __initdata struct idt_data early_pf_idts[] = {
++static const __initconst struct idt_data early_pf_idts[] = {
+ INTG(X86_TRAP_PF, page_fault),
+ };
+
+@@ -158,7 +158,7 @@ static const __initdata struct idt_data
+ * Override for the debug_idt. Same as the default, but with interrupt
+ * stack set to DEFAULT_STACK (0). Required for NMI trap handling.
+ */
+-static const __initdata struct idt_data dbg_idts[] = {
++static const __initconst struct idt_data dbg_idts[] = {
+ INTG(X86_TRAP_DB, debug),
+ INTG(X86_TRAP_BP, int3),
+ };
+@@ -180,7 +180,7 @@ gate_desc debug_idt_table[IDT_ENTRIES] _
+ * The exceptions which use Interrupt stacks. They are setup after
+ * cpu_init() when the TSS has been initialized.
+ */
+-static const __initdata struct idt_data ist_idts[] = {
++static const __initconst struct idt_data ist_idts[] = {
+ ISTG(X86_TRAP_DB, debug, DEBUG_STACK),
+ ISTG(X86_TRAP_NMI, nmi, NMI_STACK),
+ SISTG(X86_TRAP_BP, int3, DEBUG_STACK),
--- /dev/null
+From d47924417319e3b6a728c0b690f183e75bc2a702 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue, 16 Jan 2018 19:59:59 +0100
+Subject: x86/intel_rdt/cqm: Prevent use after free
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit d47924417319e3b6a728c0b690f183e75bc2a702 upstream.
+
+intel_rdt_iffline_cpu() -> domain_remove_cpu() frees memory first and then
+proceeds accessing it.
+
+ BUG: KASAN: use-after-free in find_first_bit+0x1f/0x80
+ Read of size 8 at addr ffff883ff7c1e780 by task cpuhp/31/195
+ find_first_bit+0x1f/0x80
+ has_busy_rmid+0x47/0x70
+ intel_rdt_offline_cpu+0x4b4/0x510
+
+ Freed by task 195:
+ kfree+0x94/0x1a0
+ intel_rdt_offline_cpu+0x17d/0x510
+
+Do the teardown first and then free memory.
+
+Fixes: 24247aeeabe9 ("x86/intel_rdt/cqm: Improve limbo list processing")
+Reported-by: Joseph Salisbury <joseph.salisbury@canonical.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ravi Shankar <ravi.v.shankar@intel.com>
+Cc: Peter Zilstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Vikas Shivappa <vikas.shivappa@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: "Roderick W. Smith" <rod.smith@canonical.com>
+Cc: 1733662@bugs.launchpad.net
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Tony Luck <tony.luck@intel.com>
+Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1801161957510.2366@nanos
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/intel_rdt.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kernel/cpu/intel_rdt.c
++++ b/arch/x86/kernel/cpu/intel_rdt.c
+@@ -525,10 +525,6 @@ static void domain_remove_cpu(int cpu, s
+ */
+ if (static_branch_unlikely(&rdt_mon_enable_key))
+ rmdir_mondata_subdir_allrdtgrp(r, d->id);
+- kfree(d->ctrl_val);
+- kfree(d->rmid_busy_llc);
+- kfree(d->mbm_total);
+- kfree(d->mbm_local);
+ list_del(&d->list);
+ if (is_mbm_enabled())
+ cancel_delayed_work(&d->mbm_over);
+@@ -545,6 +541,10 @@ static void domain_remove_cpu(int cpu, s
+ cancel_delayed_work(&d->cqm_limbo);
+ }
+
++ kfree(d->ctrl_val);
++ kfree(d->rmid_busy_llc);
++ kfree(d->mbm_total);
++ kfree(d->mbm_local);
+ kfree(d);
+ return;
+ }
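Review bot: in the second hunk the four kfree() calls now follow `cancel_delayed_work(&d->cqm_limbo)`, but cancel_delayed_work() does not wait for a handler that is already running, and the first hunk's context shows the same non-sync call for `d->mbm_over`. If either handler can be executing on another CPU at this point, it could still read d->rmid_busy_llc or the mbm buffers after they are freed. Either state in a comment which lock or hotplug condition excludes a running handler here, or use cancel_delayed_work_sync() before the frees if the locking allows it.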
--- /dev/null
+From 0d39e2669d7b0fefd2d8f9e7868ae669b364d9ba Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Wed, 10 Jan 2018 18:36:02 +0300
+Subject: x86/kasan: Panic if there is not enough memory to boot
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+commit 0d39e2669d7b0fefd2d8f9e7868ae669b364d9ba upstream.
+
+Currently KASAN doesn't panic in case it don't have enough memory
+to boot. Instead, it crashes in some random place:
+
+ kernel BUG at arch/x86/mm/physaddr.c:27!
+
+ RIP: 0010:__phys_addr+0x268/0x276
+ Call Trace:
+ kasan_populate_shadow+0x3f2/0x497
+ kasan_init+0x12e/0x2b2
+ setup_arch+0x2825/0x2a2c
+ start_kernel+0xc8/0x15f4
+ x86_64_start_reservations+0x2a/0x2c
+ x86_64_start_kernel+0x72/0x75
+ secondary_startup_64+0xa5/0xb0
+
+Use memblock_virt_alloc_try_nid() for allocations without failure
+fallback. It will panic with an out of memory message.
+
+Reported-by: kernel test robot <xiaolong.ye@intel.com>
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: kasan-dev@googlegroups.com
+Cc: Alexander Potapenko <glider@google.com>
+Cc: lkp@01.org
+Link: https://lkml.kernel.org/r/20180110153602.18919-1-aryabinin@virtuozzo.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/kasan_init_64.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/mm/kasan_init_64.c
++++ b/arch/x86/mm/kasan_init_64.c
+@@ -21,10 +21,14 @@ extern struct range pfn_mapped[E820_MAX_
+
+ static p4d_t tmp_p4d_table[PTRS_PER_P4D] __initdata __aligned(PAGE_SIZE);
+
+-static __init void *early_alloc(size_t size, int nid)
++static __init void *early_alloc(size_t size, int nid, bool panic)
+ {
+- return memblock_virt_alloc_try_nid_nopanic(size, size,
+- __pa(MAX_DMA_ADDRESS), BOOTMEM_ALLOC_ACCESSIBLE, nid);
++ if (panic)
++ return memblock_virt_alloc_try_nid(size, size,
++ __pa(MAX_DMA_ADDRESS), BOOTMEM_ALLOC_ACCESSIBLE, nid);
++ else
++ return memblock_virt_alloc_try_nid_nopanic(size, size,
++ __pa(MAX_DMA_ADDRESS), BOOTMEM_ALLOC_ACCESSIBLE, nid);
+ }
+
+ static void __init kasan_populate_pmd(pmd_t *pmd, unsigned long addr,
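Review bot: the new `bool panic` parameter of early_alloc() shares its name with the kernel's panic() function, which it shadows inside the body, and the call sites in the following hunks end up as bare `true`/`false` arguments that do not say what they select. Rename it (for example `should_panic`) and add a one-line comment on early_alloc() saying that the nopanic variant is meant only for the huge-page attempts that have a PAGE_SIZE fallback.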
+@@ -38,14 +42,14 @@ static void __init kasan_populate_pmd(pm
+ if (boot_cpu_has(X86_FEATURE_PSE) &&
+ ((end - addr) == PMD_SIZE) &&
+ IS_ALIGNED(addr, PMD_SIZE)) {
+- p = early_alloc(PMD_SIZE, nid);
++ p = early_alloc(PMD_SIZE, nid, false);
+ if (p && pmd_set_huge(pmd, __pa(p), PAGE_KERNEL))
+ return;
+ else if (p)
+ memblock_free(__pa(p), PMD_SIZE);
+ }
+
+- p = early_alloc(PAGE_SIZE, nid);
++ p = early_alloc(PAGE_SIZE, nid, true);
+ pmd_populate_kernel(&init_mm, pmd, p);
+ }
+
+@@ -57,7 +61,7 @@ static void __init kasan_populate_pmd(pm
+ if (!pte_none(*pte))
+ continue;
+
+- p = early_alloc(PAGE_SIZE, nid);
++ p = early_alloc(PAGE_SIZE, nid, true);
+ entry = pfn_pte(PFN_DOWN(__pa(p)), PAGE_KERNEL);
+ set_pte_at(&init_mm, addr, pte, entry);
+ } while (pte++, addr += PAGE_SIZE, addr != end);
+@@ -75,14 +79,14 @@ static void __init kasan_populate_pud(pu
+ if (boot_cpu_has(X86_FEATURE_GBPAGES) &&
+ ((end - addr) == PUD_SIZE) &&
+ IS_ALIGNED(addr, PUD_SIZE)) {
+- p = early_alloc(PUD_SIZE, nid);
++ p = early_alloc(PUD_SIZE, nid, false);
+ if (p && pud_set_huge(pud, __pa(p), PAGE_KERNEL))
+ return;
+ else if (p)
+ memblock_free(__pa(p), PUD_SIZE);
+ }
+
+- p = early_alloc(PAGE_SIZE, nid);
++ p = early_alloc(PAGE_SIZE, nid, true);
+ pud_populate(&init_mm, pud, p);
+ }
+
+@@ -101,7 +105,7 @@ static void __init kasan_populate_p4d(p4
+ unsigned long next;
+
+ if (p4d_none(*p4d)) {
+- void *p = early_alloc(PAGE_SIZE, nid);
++ void *p = early_alloc(PAGE_SIZE, nid, true);
+
+ p4d_populate(&init_mm, p4d, p);
+ }
+@@ -122,7 +126,7 @@ static void __init kasan_populate_pgd(pg
+ unsigned long next;
+
+ if (pgd_none(*pgd)) {
+- p = early_alloc(PAGE_SIZE, nid);
++ p = early_alloc(PAGE_SIZE, nid, true);
+ pgd_populate(&init_mm, pgd, p);
+ }
+
--- /dev/null
+From beacd6f7ed5e2915959442245b3b2480c2e37490 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Fri, 12 Jan 2018 14:31:35 -0600
+Subject: x86/mm/pkeys: Fix fill_sig_info_pkey
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit beacd6f7ed5e2915959442245b3b2480c2e37490 upstream.
+
+SEGV_PKUERR is a signal specific si_code which happens to have the same
+numeric value as several others: BUS_MCEERR_AR, ILL_ILLTRP, FPE_FLTOVF,
+TRAP_HWBKPT, CLD_TRAPPED, POLL_ERR, SEGV_THREAD_ID, as such it is not safe
+to just test the si_code the signal number must also be tested to prevent a
+false positive in fill_sig_info_pkey.
+
+This error was by inspection, and BUS_MCEERR_AR appears to be a real
+candidate for confusion. So pass in si_signo and check for SIG_SEGV to
+verify that it is actually a SEGV_PKUERR
+
+Fixes: 019132ff3daf ("x86/mm/pkeys: Fill in pkey field in siginfo")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-arch@vger.kernel.org
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Link: https://lkml.kernel.org/r/20180112203135.4669-2-ebiederm@xmission.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/fault.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/mm/fault.c
++++ b/arch/x86/mm/fault.c
+@@ -173,14 +173,15 @@ is_prefetch(struct pt_regs *regs, unsign
+ * 6. T1 : reaches here, sees vma_pkey(vma)=5, when we really
+ * faulted on a pte with its pkey=4.
+ */
+-static void fill_sig_info_pkey(int si_code, siginfo_t *info, u32 *pkey)
++static void fill_sig_info_pkey(int si_signo, int si_code, siginfo_t *info,
++ u32 *pkey)
+ {
+ /* This is effectively an #ifdef */
+ if (!boot_cpu_has(X86_FEATURE_OSPKE))
+ return;
+
+ /* Fault not from Protection Keys: nothing to do */
+- if (si_code != SEGV_PKUERR)
++ if ((si_code != SEGV_PKUERR) || (si_signo != SIGSEGV))
+ return;
+ /*
+ * force_sig_info_fault() is called from a number of
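Review bot: in `if ((si_code != SEGV_PKUERR) || (si_signo != SIGSEGV))` the signal number is what gives si_code its meaning, so test si_signo first; that matches the order of the changelog's argument and avoids comparing a code from another signal's namespace first. The comment above the test still says only "Fault not from Protection Keys"; extend it to mention that SEGV_PKUERR shares its numeric value with codes of other signals, since that is the whole reason for the extra argument.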
+@@ -219,7 +220,7 @@ force_sig_info_fault(int si_signo, int s
+ lsb = PAGE_SHIFT;
+ info.si_addr_lsb = lsb;
+
+- fill_sig_info_pkey(si_code, &info, pkey);
++ fill_sig_info_pkey(si_signo, si_code, &info, pkey);
+
+ force_sig_info(si_signo, &info, tsk);
+ }
--- /dev/null
+From 28d437d550e1e39f805d99f9f8ac399c778827b7 Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Sat, 13 Jan 2018 17:27:30 -0600
+Subject: x86/retpoline: Add LFENCE to the retpoline/RSB filling RSB macros
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+commit 28d437d550e1e39f805d99f9f8ac399c778827b7 upstream.
+
+The PAUSE instruction is currently used in the retpoline and RSB filling
+macros as a speculation trap. The use of PAUSE was originally suggested
+because it showed a very, very small difference in the amount of
+cycles/time used to execute the retpoline as compared to LFENCE. On AMD,
+the PAUSE instruction is not a serializing instruction, so the pause/jmp
+loop will use excess power as it is speculated over waiting for return
+to mispredict to the correct target.
+
+The RSB filling macro is applicable to AMD, and, if software is unable to
+verify that LFENCE is serializing on AMD (possible when running under a
+hypervisor), the generic retpoline support will be used and, so, is also
+applicable to AMD. Keep the current usage of PAUSE for Intel, but add an
+LFENCE instruction to the speculation trap for AMD.
+
+The same sequence has been adopted by GCC for the GCC generated retpolines.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Borislav Petkov <bp@alien8.de>
+Acked-by: David Woodhouse <dwmw@amazon.co.uk>
+Acked-by: Arjan van de Ven <arjan@linux.intel.com>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Paul Turner <pjt@google.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Tim Chen <tim.c.chen@linux.intel.com>
+Cc: Jiri Kosina <jikos@kernel.org>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
+Cc: Kees Cook <keescook@google.com>
+Link: https://lkml.kernel.org/r/20180113232730.31060.36287.stgit@tlendack-t1.amdoffice.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/nospec-branch.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -11,7 +11,7 @@
+ * Fill the CPU return stack buffer.
+ *
+ * Each entry in the RSB, if used for a speculative 'ret', contains an
+- * infinite 'pause; jmp' loop to capture speculative execution.
++ * infinite 'pause; lfence; jmp' loop to capture speculative execution.
+ *
+ * This is required in various cases for retpoline and IBRS-based
+ * mitigations for the Spectre variant 2 vulnerability. Sometimes to
+@@ -38,11 +38,13 @@
+ call 772f; \
+ 773: /* speculation trap */ \
+ pause; \
++ lfence; \
+ jmp 773b; \
+ 772: \
+ call 774f; \
+ 775: /* speculation trap */ \
+ pause; \
++ lfence; \
+ jmp 775b; \
+ 774: \
+ dec reg; \
+@@ -73,6 +75,7 @@
+ call .Ldo_rop_\@
+ .Lspec_trap_\@:
+ pause
++ lfence
+ jmp .Lspec_trap_\@
+ .Ldo_rop_\@:
+ mov \reg, (%_ASM_SP)
+@@ -165,6 +168,7 @@
+ " .align 16\n" \
+ "901: call 903f;\n" \
+ "902: pause;\n" \
++ " lfence;\n" \
+ " jmp 902b;\n" \
+ " .align 16\n" \
+ "903: addl $4, %%esp;\n" \
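Review bot: the changelog says to keep PAUSE for Intel and add LFENCE for AMD, but every speculation trap in these hunks now executes `pause; lfence; jmp` on all vendors, with no vendor-dependent patching visible. Only the RSB-fill comment in the first hunk was updated; the `.Lspec_trap_\@` and `902:` traps carry no comment explaining why both instructions are present. Add a short comment at each trap (PAUSE kept for Intel, LFENCE added because PAUSE is not serializing on AMD) so a later cleanup does not drop one of them.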
--- /dev/null
+From c995efd5a740d9cbafbf58bde4973e8b50b4d761 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw@amazon.co.uk>
+Date: Fri, 12 Jan 2018 17:49:25 +0000
+Subject: x86/retpoline: Fill RSB on context switch for affected CPUs
+
+From: David Woodhouse <dwmw@amazon.co.uk>
+
+commit c995efd5a740d9cbafbf58bde4973e8b50b4d761 upstream.
+
+On context switch from a shallow call stack to a deeper one, as the CPU
+does 'ret' up the deeper side it may encounter RSB entries (predictions for
+where the 'ret' goes to) which were populated in userspace.
+
+This is problematic if neither SMEP nor KPTI (the latter of which marks
+userspace pages as NX for the kernel) are active, as malicious code in
+userspace may then be executed speculatively.
+
+Overwrite the CPU's return prediction stack with calls which are predicted
+to return to an infinite loop, to "capture" speculation if this
+happens. This is required both for retpoline, and also in conjunction with
+IBRS for !SMEP && !KPTI.
+
+On Skylake+ the problem is slightly different, and an *underflow* of the
+RSB may cause errant branch predictions to occur. So there it's not so much
+overwrite, as *filling* the RSB to attempt to prevent it getting
+empty. This is only a partial solution for Skylake+ since there are many
+other conditions which may result in the RSB becoming empty. The full
+solution on Skylake+ is to use IBRS, which will prevent the problem even
+when the RSB becomes empty. With IBRS, the RSB-stuffing will not be
+required on context switch.
+
+[ tglx: Added missing vendor check and slighty massaged comments and
+ changelog ]
+
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Arjan van de Ven <arjan@linux.intel.com>
+Cc: gnomes@lxorguk.ukuu.org.uk
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: thomas.lendacky@amd.com
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Jiri Kosina <jikos@kernel.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Kees Cook <keescook@google.com>
+Cc: Tim Chen <tim.c.chen@linux.intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
+Cc: Paul Turner <pjt@google.com>
+Link: https://lkml.kernel.org/r/1515779365-9032-1-git-send-email-dwmw@amazon.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/entry/entry_32.S | 11 +++++++++++
+ arch/x86/entry/entry_64.S | 11 +++++++++++
+ arch/x86/include/asm/cpufeatures.h | 1 +
+ arch/x86/kernel/cpu/bugs.c | 36 ++++++++++++++++++++++++++++++++++++
+ 4 files changed, 59 insertions(+)
+
+--- a/arch/x86/entry/entry_32.S
++++ b/arch/x86/entry/entry_32.S
+@@ -244,6 +244,17 @@ ENTRY(__switch_to_asm)
+ movl %ebx, PER_CPU_VAR(stack_canary)+stack_canary_offset
+ #endif
+
++#ifdef CONFIG_RETPOLINE
++ /*
++ * When switching from a shallower to a deeper call stack
++ * the RSB may either underflow or use entries populated
++ * with userspace addresses. On CPUs where those concerns
++ * exist, overwrite the RSB with entries which capture
++ * speculative execution to prevent attack.
++ */
++ FILL_RETURN_BUFFER %ebx, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
++#endif
++
+ /* restore callee-saved registers */
+ popl %esi
+ popl %edi
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -487,6 +487,17 @@ ENTRY(__switch_to_asm)
+ movq %rbx, PER_CPU_VAR(irq_stack_union)+stack_canary_offset
+ #endif
+
++#ifdef CONFIG_RETPOLINE
++ /*
++ * When switching from a shallower to a deeper call stack
++ * the RSB may either underflow or use entries populated
++ * with userspace addresses. On CPUs where those concerns
++ * exist, overwrite the RSB with entries which capture
++ * speculative execution to prevent attack.
++ */
++ FILL_RETURN_BUFFER %r12, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
++#endif
++
+ /* restore callee-saved registers */
+ popq %r15
+ popq %r14
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -211,6 +211,7 @@
+ #define X86_FEATURE_AVX512_4FMAPS ( 7*32+17) /* AVX-512 Multiply Accumulation Single precision */
+
+ #define X86_FEATURE_MBA ( 7*32+18) /* Memory Bandwidth Allocation */
++#define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* Fill RSB on context switches */
+
+ /* Virtualization flags: Linux defined, word 8 */
+ #define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -23,6 +23,7 @@
+ #include <asm/alternative.h>
+ #include <asm/pgtable.h>
+ #include <asm/set_memory.h>
++#include <asm/intel-family.h>
+
+ static void __init spectre_v2_select_mitigation(void);
+
+@@ -155,6 +156,23 @@ disable:
+ return SPECTRE_V2_CMD_NONE;
+ }
+
++/* Check for Skylake-like CPUs (for RSB handling) */
++static bool __init is_skylake_era(void)
++{
++ if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL &&
++ boot_cpu_data.x86 == 6) {
++ switch (boot_cpu_data.x86_model) {
++ case INTEL_FAM6_SKYLAKE_MOBILE:
++ case INTEL_FAM6_SKYLAKE_DESKTOP:
++ case INTEL_FAM6_SKYLAKE_X:
++ case INTEL_FAM6_KABYLAKE_MOBILE:
++ case INTEL_FAM6_KABYLAKE_DESKTOP:
++ return true;
++ }
++ }
++ return false;
++}
++
+ static void __init spectre_v2_select_mitigation(void)
+ {
+ enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
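Review bot: is_skylake_era() is a hardcoded list of five model constants with no statement of the criterion for membership, and it already contains Kaby Lake entries under a "Skylake" name. Document in the comment what property puts a model on the list (the RSB underflow behaviour described in the next hunk) so that later models with the same behaviour get added deliberately. Also note that the check only consults boot_cpu_data, so it assumes all CPUs in the system match the boot CPU.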
+@@ -213,6 +231,24 @@ retpoline_auto:
+
+ spectre_v2_enabled = mode;
+ pr_info("%s\n", spectre_v2_strings[mode]);
++
++ /*
++ * If neither SMEP or KPTI are available, there is a risk of
++ * hitting userspace addresses in the RSB after a context switch
++ * from a shallow call stack to a deeper one. To prevent this fill
++ * the entire RSB, even when using IBRS.
++ *
++ * Skylake era CPUs have a separate issue with *underflow* of the
++ * RSB, when they will predict 'ret' targets from the generic BTB.
++ * The proper mitigation for this is IBRS. If IBRS is not supported
++ * or deactivated in favour of retpolines the RSB fill on context
++ * switch is required.
++ */
++ if ((!boot_cpu_has(X86_FEATURE_PTI) &&
++ !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) {
++ setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
++ pr_info("Filling RSB on context switch\n");
++ }
+ }
+
+ #undef pr_fmt
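Review bot: the condition does not match the second paragraph of the comment. The comment says the RSB fill is required on Skylake-era CPUs "If IBRS is not supported or deactivated in favour of retpolines", but the code sets X86_FEATURE_RSB_CTXSW whenever is_skylake_era() is true, without looking at the selected mode or at IBRS at all. Either test for that case explicitly or reword the comment to say the fill is applied unconditionally on these models. Minor: "neither SMEP or KPTI" should read "neither SMEP nor KPTI".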
--- /dev/null
+From b511203093489eb1829cb4de86e8214752205ac6 Mon Sep 17 00:00:00 2001
+From: Len Brown <len.brown@intel.com>
+Date: Fri, 22 Dec 2017 00:27:55 -0500
+Subject: x86/tsc: Fix erroneous TSC rate on Skylake Xeon
+
+From: Len Brown <len.brown@intel.com>
+
+commit b511203093489eb1829cb4de86e8214752205ac6 upstream.
+
+The INTEL_FAM6_SKYLAKE_X hardcoded crystal_khz value of 25MHZ is
+problematic:
+
+ - SKX workstations (with same model # as server variants) use a 24 MHz
+ crystal. This results in a -4.0% time drift rate on SKX workstations.
+
+ - SKX servers subject the crystal to an EMI reduction circuit that reduces its
+ actual frequency by (approximately) -0.25%. This results in -1 second per
+ 10 minute time drift as compared to network time.
+
+This issue can also trigger a timer and power problem, on configurations
+that use the LAPIC timer (versus the TSC deadline timer). Clock ticks
+scheduled with the LAPIC timer arrive a few usec before the time they are
+expected (according to the slow TSC). This causes Linux to poll-idle, when
+it should be in an idle power saving state. The idle and clock code do not
+graciously recover from this error, sometimes resulting in significant
+polling and measurable power impact.
+
+Stop using native_calibrate_tsc() for INTEL_FAM6_SKYLAKE_X.
+native_calibrate_tsc() will return 0, boot will run with tsc_khz = cpu_khz,
+and the TSC refined calibration will update tsc_khz to correct for the
+difference.
+
+[ tglx: Sanitized change log ]
+
+Fixes: 6baf3d61821f ("x86/tsc: Add additional Intel CPU models to the crystal quirk list")
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: peterz@infradead.org
+Cc: Prarit Bhargava <prarit@redhat.com>
+Link: https://lkml.kernel.org/r/ff6dcea166e8ff8f2f6a03c17beab2cb436aa779.1513920414.git.len.brown@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/tsc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -602,7 +602,6 @@ unsigned long native_calibrate_tsc(void)
+ case INTEL_FAM6_KABYLAKE_DESKTOP:
+ crystal_khz = 24000; /* 24.0 MHz */
+ break;
+- case INTEL_FAM6_SKYLAKE_X:
+ case INTEL_FAM6_ATOM_DENVERTON:
+ crystal_khz = 25000; /* 25.0 MHz */
+ break;
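Review bot: dropping the INTEL_FAM6_SKYLAKE_X case leaves nothing in the code to show that the model is absent on purpose, so it is likely to be re-added next to INTEL_FAM6_ATOM_DENVERTON by someone extending the table. Add a short comment at the switch saying SKX is intentionally left to the refined calibration. The change also depends on "x86/tsc: Future-proof native_calibrate_tsc()": without that patch's early return, X86_FEATURE_TSC_KNOWN_FREQ is still set when crystal_khz is 0 and the refined calibration described in the changelog never runs, so the two must be applied in that order.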
--- /dev/null
+From da4ae6c4a0b8dee5a5377a385545d2250fa8cddb Mon Sep 17 00:00:00 2001
+From: Len Brown <len.brown@intel.com>
+Date: Fri, 22 Dec 2017 00:27:54 -0500
+Subject: x86/tsc: Future-proof native_calibrate_tsc()
+
+From: Len Brown <len.brown@intel.com>
+
+commit da4ae6c4a0b8dee5a5377a385545d2250fa8cddb upstream.
+
+If the crystal frequency cannot be determined via CPUID(15).crystal_khz or
+the built-in table then native_calibrate_tsc() will still set the
+X86_FEATURE_TSC_KNOWN_FREQ flag which prevents the refined TSC calibration.
+
+As a consequence such systems use cpu_khz for the TSC frequency which is
+incorrect when cpu_khz != tsc_khz resulting in time drift.
+
+Return early when the crystal frequency cannot be retrieved without setting
+the X86_FEATURE_TSC_KNOWN_FREQ flag. This ensures that the refined TSC
+calibration is invoked.
+
+[ tglx: Steam-blastered changelog. Sigh ]
+
+Fixes: 4ca4df0b7eb0 ("x86/tsc: Mark TSC frequency determined by CPUID as known")
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: peterz@infradead.org
+Cc: Bin Gao <bin.gao@intel.com>
+Link: https://lkml.kernel.org/r/0fe2503aa7d7fc69137141fc705541a78101d2b9.1513920414.git.len.brown@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/tsc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -612,6 +612,8 @@ unsigned long native_calibrate_tsc(void)
+ }
+ }
+
++ if (crystal_khz == 0)
++ return 0;
+ /*
+ * TSC frequency determined by CPUID is a "hardware reported"
+ * frequency and is the most accurate one so far we have. This
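Review bot: the new "if (crystal_khz == 0) return 0;" has no comment and runs straight into the existing block comment about the hardware-reported frequency, which makes that comment read as if it described the early return. Add a blank line after the return and a one-line comment stating that returning 0 before X86_FEATURE_TSC_KNOWN_FREQ is set is what lets the refined TSC calibration run.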