--- /dev/null
+From a538e3ff9dabcdf6c3f477a373c629213d1c3066 Mon Sep 17 00:00:00 2001
+From: Jeff Moyer <jmoyer@redhat.com>
+Date: Tue, 11 Dec 2018 12:37:49 -0500
+Subject: aio: fix spectre gadget in lookup_ioctx
+
+From: Jeff Moyer <jmoyer@redhat.com>
+
+commit a538e3ff9dabcdf6c3f477a373c629213d1c3066 upstream.
+
+Matthew pointed out that the ioctx_table is susceptible to spectre v1,
+because the index can be controlled by an attacker. The below patch
+should mitigate the attack for all of the aio system calls.
+
+Cc: stable@vger.kernel.org
+Reported-by: Matthew Wilcox <willy@infradead.org>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/aio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -45,6 +45,7 @@
+
+ #include <asm/kmap_types.h>
+ #include <linux/uaccess.h>
++#include <linux/nospec.h>
+
+ #include "internal.h"
+
+@@ -1038,6 +1039,7 @@ static struct kioctx *lookup_ioctx(unsig
+ if (!table || id >= table->nr)
+ goto out;
+
++ id = array_index_nospec(id, table->nr);
+ ctx = rcu_dereference(table->table[id]);
+ if (ctx && ctx->user_id == ctx_id) {
+ if (percpu_ref_tryget_live(&ctx->users))
--- /dev/null
+From e25b6783c7b1bb79103d4617336879423f86b05e Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Mon, 3 Dec 2018 19:37:08 +0100
+Subject: ARM: dts: bcm2837: Fix polarity of wifi reset GPIOs
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+commit e25b6783c7b1bb79103d4617336879423f86b05e upstream.
+
+The commit b1b8f45b3130 ("ARM: dts: bcm2837: Add missing GPIOs of Expander")
+introduced a wifi power sequence. Unfortunately the polarity of the reset
+GPIOs were wrong and broke the wifi support on Raspberry Pi 3 B and
+later in 3 B+. This wasn't discovered before since the power sequence
+takes only effect in case the relevant MMC driver is compiled as a module.
+
+Fixes: b1b8f45b3130 ("ARM: dts: bcm2837: Add missing GPIOs of Expander")
+Cc: stable@vger.kernel.org
+Reported-by: Matthias Lueschner <lueschem@gmail.com>
+Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911443
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/bcm2837-rpi-3-b-plus.dts | 2 +-
+ arch/arm/boot/dts/bcm2837-rpi-3-b.dts | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/bcm2837-rpi-3-b-plus.dts
++++ b/arch/arm/boot/dts/bcm2837-rpi-3-b-plus.dts
+@@ -31,7 +31,7 @@
+
+ wifi_pwrseq: wifi-pwrseq {
+ compatible = "mmc-pwrseq-simple";
+- reset-gpios = <&expgpio 1 GPIO_ACTIVE_HIGH>;
++ reset-gpios = <&expgpio 1 GPIO_ACTIVE_LOW>;
+ };
+ };
+
+--- a/arch/arm/boot/dts/bcm2837-rpi-3-b.dts
++++ b/arch/arm/boot/dts/bcm2837-rpi-3-b.dts
+@@ -26,7 +26,7 @@
+
+ wifi_pwrseq: wifi-pwrseq {
+ compatible = "mmc-pwrseq-simple";
+- reset-gpios = <&expgpio 1 GPIO_ACTIVE_HIGH>;
++ reset-gpios = <&expgpio 1 GPIO_ACTIVE_LOW>;
+ };
+ };
+
--- /dev/null
+From 76f4e2c3b6a560cdd7a75b87df543e04d05a9e5f Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Sun, 2 Dec 2018 12:12:24 +0100
+Subject: ARM: mmp/mmp2: fix cpu_is_mmp2() on mmp2-dt
+
+From: Lubomir Rintel <lkundrak@v3.sk>
+
+commit 76f4e2c3b6a560cdd7a75b87df543e04d05a9e5f upstream.
+
+cpu_is_mmp2() was equivalent to cpu_is_pj4(), wouldn't be correct for
+multiplatform kernels. Fix it by also considering mmp_chip_id, as is
+done for cpu_is_pxa168() and cpu_is_pxa910() above.
+
+Moreover, it is only available with CONFIG_CPU_MMP2 and thus doesn't work
+on DT-based MMP2 machines. Enable it on CONFIG_MACH_MMP2_DT too.
+
+Note: CONFIG_CPU_MMP2 is only used for machines that use board files
+instead of DT. It should perhaps be renamed. I'm not doing it now, because
+I don't have a better idea.
+
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-mmp/cputype.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mach-mmp/cputype.h
++++ b/arch/arm/mach-mmp/cputype.h
+@@ -44,10 +44,12 @@ static inline int cpu_is_pxa910(void)
+ #define cpu_is_pxa910() (0)
+ #endif
+
+-#ifdef CONFIG_CPU_MMP2
++#if defined(CONFIG_CPU_MMP2) || defined(CONFIG_MACH_MMP2_DT)
+ static inline int cpu_is_mmp2(void)
+ {
+- return (((read_cpuid_id() >> 8) & 0xff) == 0x58);
++ return (((read_cpuid_id() >> 8) & 0xff) == 0x58) &&
++ (((mmp_chip_id & 0xfff) == 0x410) ||
++ ((mmp_chip_id & 0xfff) == 0x610));
+ }
+ #else
+ #define cpu_is_mmp2() (0)
--- /dev/null
+From 3238c359acee4ab57f15abb5a82b8ab38a661ee7 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Mon, 10 Dec 2018 19:33:31 +0000
+Subject: arm64: dma-mapping: Fix FORCE_CONTIGUOUS buffer clearing
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 3238c359acee4ab57f15abb5a82b8ab38a661ee7 upstream.
+
+We need to invalidate the caches *before* clearing the buffer via the
+non-cacheable alias, else in the worst case __dma_flush_area() may
+write back dirty lines over the top of our nice new zeros.
+
+Fixes: dd65a941f6ba ("arm64: dma-mapping: clear buffers allocated with FORCE_CONTIGUOUS flag")
+Cc: <stable@vger.kernel.org> # 4.18.x-
+Acked-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/mm/dma-mapping.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/mm/dma-mapping.c
++++ b/arch/arm64/mm/dma-mapping.c
+@@ -587,9 +587,9 @@ static void *__iommu_alloc_attrs(struct
+ prot,
+ __builtin_return_address(0));
+ if (addr) {
+- memset(addr, 0, size);
+ if (!coherent)
+ __dma_flush_area(page_to_virt(page), iosize);
++ memset(addr, 0, size);
+ } else {
+ iommu_dma_unmap_page(dev, *handle, iosize, 0, attrs);
+ dma_release_from_contiguous(dev, page,
--- /dev/null
+From f55adad601c6a97c8c9628195453e0fb23b4a0ae Mon Sep 17 00:00:00 2001
+From: Keith Busch <keith.busch@intel.com>
+Date: Mon, 10 Dec 2018 08:44:42 -0700
+Subject: block/bio: Do not zero user pages
+
+From: Keith Busch <keith.busch@intel.com>
+
+commit f55adad601c6a97c8c9628195453e0fb23b4a0ae upstream.
+
+We don't need to zero fill the bio if not using kernel allocated pages.
+
+Fixes: f3587d76da05 ("block: Clear kernel memory before copying to user") # v4.20-rc2
+Reported-by: Todd Aiken <taiken@mvtech.ca>
+Cc: Laurence Oberman <loberman@redhat.com>
+Cc: stable@vger.kernel.org
+Cc: Bart Van Assche <bvanassche@acm.org>
+Tested-by: Laurence Oberman <loberman@redhat.com>
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/bio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -1262,7 +1262,8 @@ struct bio *bio_copy_user_iov(struct req
+ if (ret)
+ goto cleanup;
+ } else {
+- zero_fill_bio(bio);
++ if (bmd->is_our_pages)
++ zero_fill_bio(bio);
+ iov_iter_advance(iter, bio->bi_iter.bi_size);
+ }
+
--- /dev/null
+From 687cf4412a343a63928a5c9d91bdc0f522939d43 Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Fri, 9 Nov 2018 11:56:03 -0500
+Subject: dm cache metadata: verify cache has blocks in blocks_are_clean_separate_dirty()
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit 687cf4412a343a63928a5c9d91bdc0f522939d43 upstream.
+
+Otherwise dm_bitset_cursor_begin() return -ENODATA. Other calls to
+dm_bitset_cursor_begin() have similar negative checks.
+
+Fixes inability to create a cache in passthrough mode (even though doing
+so makes no sense).
+
+Fixes: 0d963b6e65 ("dm cache metadata: fix metadata2 format's blocks_are_clean_separate_dirty")
+Cc: stable@vger.kernel.org
+Reported-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-cache-metadata.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/md/dm-cache-metadata.c
++++ b/drivers/md/dm-cache-metadata.c
+@@ -930,6 +930,10 @@ static int blocks_are_clean_separate_dir
+ bool dirty_flag;
+ *result = true;
+
++ if (from_cblock(cmd->cache_blocks) == 0)
++ /* Nothing to do */
++ return 0;
++
+ r = dm_bitset_cursor_begin(&cmd->dirty_info, cmd->dirty_root,
+ from_cblock(cmd->cache_blocks), &cmd->dirty_cursor);
+ if (r) {
--- /dev/null
+From 89f5fa47476eda56402e29fff3c5097f5c2a1e19 Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Mon, 3 Dec 2018 16:47:21 -0500
+Subject: dm: call blk_queue_split() to impose device limits on bios
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit 89f5fa47476eda56402e29fff3c5097f5c2a1e19 upstream.
+
+Otherwise the incoming bios, of various types, won't be shaped based on
+the DM device's advertised limits.
+
+Depends-on: af67c31fba ("blk: remove bio_set arg from blk_queue_split()")
+Fixes: 744889b7cb ("block: don't deal with discard limit in blkdev_issue_discard()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -1592,6 +1592,8 @@ static blk_qc_t __split_and_process_bio(
+ return ret;
+ }
+
++ blk_queue_split(md->queue, &bio);
++
+ init_clone_info(&ci, md, map, bio);
+
+ if (bio->bi_opf & REQ_PREFLUSH) {
--- /dev/null
+From f6c367585d0d851349d3a9e607c43e5bea993fa1 Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Tue, 11 Dec 2018 13:31:40 -0500
+Subject: dm thin: send event about thin-pool state change _after_ making it
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit f6c367585d0d851349d3a9e607c43e5bea993fa1 upstream.
+
+Sending a DM event before a thin-pool state change is about to happen is
+a bug. It wasn't realized until it became clear that userspace response
+to the event raced with the actual state change that the event was
+meant to notify about.
+
+Fix this by first updating internal thin-pool state to reflect what the
+DM event is being issued about. This fixes a long-standing racey/buggy
+userspace device-mapper-test-suite 'resize_io' test that would get an
+event but not find the state it was looking for -- so it would just go
+on to hang because no other events caused the test to reevaluate the
+thin-pool's state.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-thin.c | 68 ++++++++++++++++++++++++++-------------------------
+ 1 file changed, 35 insertions(+), 33 deletions(-)
+
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -195,7 +195,7 @@ static void throttle_unlock(struct throt
+ struct dm_thin_new_mapping;
+
+ /*
+- * The pool runs in 4 modes. Ordered in degraded order for comparisons.
++ * The pool runs in various modes. Ordered in degraded order for comparisons.
+ */
+ enum pool_mode {
+ PM_WRITE, /* metadata may be changed */
+@@ -282,9 +282,38 @@ struct pool {
+ mempool_t mapping_pool;
+ };
+
+-static enum pool_mode get_pool_mode(struct pool *pool);
+ static void metadata_operation_failed(struct pool *pool, const char *op, int r);
+
++static enum pool_mode get_pool_mode(struct pool *pool)
++{
++ return pool->pf.mode;
++}
++
++static void notify_of_pool_mode_change(struct pool *pool)
++{
++ const char *descs[] = {
++ "write",
++ "out-of-data-space",
++ "read-only",
++ "read-only",
++ "fail"
++ };
++ const char *extra_desc = NULL;
++ enum pool_mode mode = get_pool_mode(pool);
++
++ if (mode == PM_OUT_OF_DATA_SPACE) {
++ if (!pool->pf.error_if_no_space)
++ extra_desc = " (queue IO)";
++ else
++ extra_desc = " (error IO)";
++ }
++
++ dm_table_event(pool->ti->table);
++ DMINFO("%s: switching pool to %s%s mode",
++ dm_device_name(pool->pool_md),
++ descs[(int)mode], extra_desc ? : "");
++}
++
+ /*
+ * Target context for a pool.
+ */
+@@ -2351,8 +2380,6 @@ static void do_waker(struct work_struct
+ queue_delayed_work(pool->wq, &pool->waker, COMMIT_PERIOD);
+ }
+
+-static void notify_of_pool_mode_change_to_oods(struct pool *pool);
+-
+ /*
+ * We're holding onto IO to allow userland time to react. After the
+ * timeout either the pool will have been resized (and thus back in
+@@ -2365,7 +2392,7 @@ static void do_no_space_timeout(struct w
+
+ if (get_pool_mode(pool) == PM_OUT_OF_DATA_SPACE && !pool->pf.error_if_no_space) {
+ pool->pf.error_if_no_space = true;
+- notify_of_pool_mode_change_to_oods(pool);
++ notify_of_pool_mode_change(pool);
+ error_retry_list_with_code(pool, BLK_STS_NOSPC);
+ }
+ }
+@@ -2433,26 +2460,6 @@ static void noflush_work(struct thin_c *
+
+ /*----------------------------------------------------------------*/
+
+-static enum pool_mode get_pool_mode(struct pool *pool)
+-{
+- return pool->pf.mode;
+-}
+-
+-static void notify_of_pool_mode_change(struct pool *pool, const char *new_mode)
+-{
+- dm_table_event(pool->ti->table);
+- DMINFO("%s: switching pool to %s mode",
+- dm_device_name(pool->pool_md), new_mode);
+-}
+-
+-static void notify_of_pool_mode_change_to_oods(struct pool *pool)
+-{
+- if (!pool->pf.error_if_no_space)
+- notify_of_pool_mode_change(pool, "out-of-data-space (queue IO)");
+- else
+- notify_of_pool_mode_change(pool, "out-of-data-space (error IO)");
+-}
+-
+ static bool passdown_enabled(struct pool_c *pt)
+ {
+ return pt->adjusted_pf.discard_passdown;
+@@ -2501,8 +2508,6 @@ static void set_pool_mode(struct pool *p
+
+ switch (new_mode) {
+ case PM_FAIL:
+- if (old_mode != new_mode)
+- notify_of_pool_mode_change(pool, "failure");
+ dm_pool_metadata_read_only(pool->pmd);
+ pool->process_bio = process_bio_fail;
+ pool->process_discard = process_bio_fail;
+@@ -2516,8 +2521,6 @@ static void set_pool_mode(struct pool *p
+
+ case PM_OUT_OF_METADATA_SPACE:
+ case PM_READ_ONLY:
+- if (!is_read_only_pool_mode(old_mode))
+- notify_of_pool_mode_change(pool, "read-only");
+ dm_pool_metadata_read_only(pool->pmd);
+ pool->process_bio = process_bio_read_only;
+ pool->process_discard = process_bio_success;
+@@ -2538,8 +2541,6 @@ static void set_pool_mode(struct pool *p
+ * alarming rate. Adjust your low water mark if you're
+ * frequently seeing this mode.
+ */
+- if (old_mode != new_mode)
+- notify_of_pool_mode_change_to_oods(pool);
+ pool->out_of_data_space = true;
+ pool->process_bio = process_bio_read_only;
+ pool->process_discard = process_discard_bio;
+@@ -2552,8 +2553,6 @@ static void set_pool_mode(struct pool *p
+ break;
+
+ case PM_WRITE:
+- if (old_mode != new_mode)
+- notify_of_pool_mode_change(pool, "write");
+ if (old_mode == PM_OUT_OF_DATA_SPACE)
+ cancel_delayed_work_sync(&pool->no_space_timeout);
+ pool->out_of_data_space = false;
+@@ -2573,6 +2572,9 @@ static void set_pool_mode(struct pool *p
+ * doesn't cause an unexpected mode transition on resume.
+ */
+ pt->adjusted_pf.mode = new_mode;
++
++ if (old_mode != new_mode)
++ notify_of_pool_mode_change(pool);
+ }
+
+ static void abort_transaction(struct pool *pool)
--- /dev/null
+From 2244b5887c6865b9e9cf14ee12a312b776aeeb58 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Fri, 7 Dec 2018 15:58:23 -0500
+Subject: drm/amdgpu: add some additional vega10 pci ids
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 2244b5887c6865b9e9cf14ee12a312b776aeeb58 upstream.
+
+New vega ids.
+
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -761,7 +761,13 @@ static const struct pci_device_id pciidl
+ {0x1002, 0x6864, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_VEGA10},
+ {0x1002, 0x6867, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_VEGA10},
+ {0x1002, 0x6868, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_VEGA10},
++ {0x1002, 0x6869, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_VEGA10},
++ {0x1002, 0x686a, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_VEGA10},
++ {0x1002, 0x686b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_VEGA10},
+ {0x1002, 0x686c, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_VEGA10},
++ {0x1002, 0x686d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_VEGA10},
++ {0x1002, 0x686e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_VEGA10},
++ {0x1002, 0x686f, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_VEGA10},
+ {0x1002, 0x687f, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_VEGA10},
+ /* Vega 12 */
+ {0x1002, 0x69A0, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_VEGA12},
--- /dev/null
+From cf4197ed5796234a53beb71228198c7d1e678947 Mon Sep 17 00:00:00 2001
+From: Kenneth Feng <kenneth.feng@amd.com>
+Date: Thu, 6 Dec 2018 11:56:14 +0800
+Subject: drm/amdgpu/powerplay: Apply avfs cks-off voltages on VI
+
+From: Kenneth Feng <kenneth.feng@amd.com>
+
+commit cf4197ed5796234a53beb71228198c7d1e678947 upstream.
+
+Instead of EVV cks-off voltages, avfs cks-off voltages can avoid
+the overshoot voltages when switching sclk.
+
+Signed-off-by: Kenneth Feng <kenneth.feng@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/powerplay/inc/smu7_ppsmc.h | 2 ++
+ drivers/gpu/drm/amd/powerplay/smumgr/polaris10_smumgr.c | 6 ++++++
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/gpu/drm/amd/powerplay/inc/smu7_ppsmc.h
++++ b/drivers/gpu/drm/amd/powerplay/inc/smu7_ppsmc.h
+@@ -386,6 +386,8 @@ typedef uint16_t PPSMC_Result;
+ #define PPSMC_MSG_AgmResetPsm ((uint16_t) 0x403)
+ #define PPSMC_MSG_ReadVftCell ((uint16_t) 0x404)
+
++#define PPSMC_MSG_ApplyAvfsCksOffVoltage ((uint16_t) 0x415)
++
+ #define PPSMC_MSG_GFX_CU_PG_ENABLE ((uint16_t) 0x280)
+ #define PPSMC_MSG_GFX_CU_PG_DISABLE ((uint16_t) 0x281)
+ #define PPSMC_MSG_GetCurrPkgPwr ((uint16_t) 0x282)
+--- a/drivers/gpu/drm/amd/powerplay/smumgr/polaris10_smumgr.c
++++ b/drivers/gpu/drm/amd/powerplay/smumgr/polaris10_smumgr.c
+@@ -1984,6 +1984,12 @@ int polaris10_thermal_avfs_enable(struct
+
+ smum_send_msg_to_smc(hwmgr, PPSMC_MSG_EnableAvfs);
+
++ /* Apply avfs cks-off voltages to avoid the overshoot
++ * when switching to the highest sclk frequency
++ */
++ if (data->apply_avfs_cks_off_voltage)
++ smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ApplyAvfsCksOffVoltage);
++
+ return 0;
+ }
+
--- /dev/null
+From d55d8be0747c96db28a1d08fc24d22ccd9b448ac Mon Sep 17 00:00:00 2001
+From: Junwei Zhang <Jerry.Zhang@amd.com>
+Date: Fri, 7 Dec 2018 15:15:03 +0800
+Subject: drm/amdgpu: update SMC firmware image for polaris10 variants
+
+From: Junwei Zhang <Jerry.Zhang@amd.com>
+
+commit d55d8be0747c96db28a1d08fc24d22ccd9b448ac upstream.
+
+Some new variants require different firmwares.
+
+Signed-off-by: Junwei Zhang <Jerry.Zhang@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
+@@ -381,7 +381,8 @@ static int amdgpu_cgs_get_firmware_info(
+ (adev->pdev->revision == 0xe7) ||
+ (adev->pdev->revision == 0xef))) ||
+ ((adev->pdev->device == 0x6fdf) &&
+- (adev->pdev->revision == 0xef))) {
++ ((adev->pdev->revision == 0xef) ||
++ (adev->pdev->revision == 0xff)))) {
+ info->is_kicker = true;
+ strcpy(fw_name, "amdgpu/polaris10_k_smc.bin");
+ } else if ((adev->pdev->device == 0x67df) &&
--- /dev/null
+From 153573d8870e1c173721bdc1ced72b3ad0d85de4 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 17 Oct 2018 11:24:26 -0500
+Subject: drm/amdgpu: update smu firmware images for VI variants (v2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 153573d8870e1c173721bdc1ced72b3ad0d85de4 upstream.
+
+Some new variants require updated firmware.
+
+V2: add MODULE_FIRMWARE for new firmwares
+
+Reviewed-by: Huang Rui <ray.huang@amd.com> (v1)
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c | 33 ++++++++++++++++++++++----
+ drivers/gpu/drm/amd/powerplay/smumgr/smumgr.c | 3 ++
+ 2 files changed, 31 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
+@@ -330,7 +330,9 @@ static int amdgpu_cgs_get_firmware_info(
+ case CHIP_TOPAZ:
+ if (((adev->pdev->device == 0x6900) && (adev->pdev->revision == 0x81)) ||
+ ((adev->pdev->device == 0x6900) && (adev->pdev->revision == 0x83)) ||
+- ((adev->pdev->device == 0x6907) && (adev->pdev->revision == 0x87))) {
++ ((adev->pdev->device == 0x6907) && (adev->pdev->revision == 0x87)) ||
++ ((adev->pdev->device == 0x6900) && (adev->pdev->revision == 0xD1)) ||
++ ((adev->pdev->device == 0x6900) && (adev->pdev->revision == 0xD3))) {
+ info->is_kicker = true;
+ strcpy(fw_name, "amdgpu/topaz_k_smc.bin");
+ } else
+@@ -351,7 +353,6 @@ static int amdgpu_cgs_get_firmware_info(
+ if (type == CGS_UCODE_ID_SMU) {
+ if (((adev->pdev->device == 0x67ef) &&
+ ((adev->pdev->revision == 0xe0) ||
+- (adev->pdev->revision == 0xe2) ||
+ (adev->pdev->revision == 0xe5))) ||
+ ((adev->pdev->device == 0x67ff) &&
+ ((adev->pdev->revision == 0xcf) ||
+@@ -359,8 +360,13 @@ static int amdgpu_cgs_get_firmware_info(
+ (adev->pdev->revision == 0xff)))) {
+ info->is_kicker = true;
+ strcpy(fw_name, "amdgpu/polaris11_k_smc.bin");
+- } else
++ } else if ((adev->pdev->device == 0x67ef) &&
++ (adev->pdev->revision == 0xe2)) {
++ info->is_kicker = true;
++ strcpy(fw_name, "amdgpu/polaris11_k2_smc.bin");
++ } else {
+ strcpy(fw_name, "amdgpu/polaris11_smc.bin");
++ }
+ } else if (type == CGS_UCODE_ID_SMU_SK) {
+ strcpy(fw_name, "amdgpu/polaris11_smc_sk.bin");
+ }
+@@ -378,14 +384,31 @@ static int amdgpu_cgs_get_firmware_info(
+ (adev->pdev->revision == 0xef))) {
+ info->is_kicker = true;
+ strcpy(fw_name, "amdgpu/polaris10_k_smc.bin");
+- } else
++ } else if ((adev->pdev->device == 0x67df) &&
++ ((adev->pdev->revision == 0xe1) ||
++ (adev->pdev->revision == 0xf7))) {
++ info->is_kicker = true;
++ strcpy(fw_name, "amdgpu/polaris10_k2_smc.bin");
++ } else {
+ strcpy(fw_name, "amdgpu/polaris10_smc.bin");
++ }
+ } else if (type == CGS_UCODE_ID_SMU_SK) {
+ strcpy(fw_name, "amdgpu/polaris10_smc_sk.bin");
+ }
+ break;
+ case CHIP_POLARIS12:
+- strcpy(fw_name, "amdgpu/polaris12_smc.bin");
++ if (((adev->pdev->device == 0x6987) &&
++ ((adev->pdev->revision == 0xc0) ||
++ (adev->pdev->revision == 0xc3))) ||
++ ((adev->pdev->device == 0x6981) &&
++ ((adev->pdev->revision == 0x00) ||
++ (adev->pdev->revision == 0x01) ||
++ (adev->pdev->revision == 0x10)))) {
++ info->is_kicker = true;
++ strcpy(fw_name, "amdgpu/polaris12_k_smc.bin");
++ } else {
++ strcpy(fw_name, "amdgpu/polaris12_smc.bin");
++ }
+ break;
+ case CHIP_VEGAM:
+ strcpy(fw_name, "amdgpu/vegam_smc.bin");
+--- a/drivers/gpu/drm/amd/powerplay/smumgr/smumgr.c
++++ b/drivers/gpu/drm/amd/powerplay/smumgr/smumgr.c
+@@ -37,10 +37,13 @@ MODULE_FIRMWARE("amdgpu/fiji_smc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris10_smc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris10_smc_sk.bin");
+ MODULE_FIRMWARE("amdgpu/polaris10_k_smc.bin");
++MODULE_FIRMWARE("amdgpu/polaris10_k2_smc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris11_smc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris11_smc_sk.bin");
+ MODULE_FIRMWARE("amdgpu/polaris11_k_smc.bin");
++MODULE_FIRMWARE("amdgpu/polaris11_k2_smc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris12_smc.bin");
++MODULE_FIRMWARE("amdgpu/polaris12_k_smc.bin");
+ MODULE_FIRMWARE("amdgpu/vegam_smc.bin");
+ MODULE_FIRMWARE("amdgpu/vega10_smc.bin");
+ MODULE_FIRMWARE("amdgpu/vega10_acg_smc.bin");
--- /dev/null
+From 756e16bf79f2815e7c83a04881b5545b55a99fd3 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Fri, 7 Dec 2018 16:23:19 -0500
+Subject: drm/amdkfd: add new vega10 pci ids
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 756e16bf79f2815e7c83a04881b5545b55a99fd3 upstream.
+
+New vega10 ids.
+
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_device.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
+@@ -326,7 +326,13 @@ static const struct kfd_deviceid support
+ { 0x6864, &vega10_device_info }, /* Vega10 */
+ { 0x6867, &vega10_device_info }, /* Vega10 */
+ { 0x6868, &vega10_device_info }, /* Vega10 */
++ { 0x6869, &vega10_device_info }, /* Vega10 */
++ { 0x686A, &vega10_device_info }, /* Vega10 */
++ { 0x686B, &vega10_device_info }, /* Vega10 */
+ { 0x686C, &vega10_vf_device_info }, /* Vega10 vf*/
++ { 0x686D, &vega10_device_info }, /* Vega10 */
++ { 0x686E, &vega10_device_info }, /* Vega10 */
++ { 0x686F, &vega10_device_info }, /* Vega10 */
+ { 0x687F, &vega10_device_info }, /* Vega10 */
+ };
+
--- /dev/null
+From cf66b8a0ba142fbd1bf10ac8f3ae92d1b0cb7b8f Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Thu, 6 Dec 2018 08:44:31 +0000
+Subject: drm/i915/execlists: Apply a full mb before execution for Braswell
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit cf66b8a0ba142fbd1bf10ac8f3ae92d1b0cb7b8f upstream.
+
+Braswell is really picky about having our writes posted to memory before
+we execute or else the GPU may see stale values. A wmb() is insufficient
+as it only ensures the writes are visible to other cores, we need a full
+mb() to ensure the writes are in memory and visible to the GPU.
+
+The most frequent failure in flushing before execution is that we see
+stale PTE values and execute the wrong pages.
+
+References: 987abd5c62f9 ("drm/i915/execlists: Force write serialisation into context image vs execution")
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181206084431.9805-3-chris@chris-wilson.co.uk
+(cherry picked from commit 490b8c65b9db45896769e1095e78725775f47b3e)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_lrc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_lrc.c
++++ b/drivers/gpu/drm/i915/intel_lrc.c
+@@ -442,8 +442,13 @@ static u64 execlists_update_context(stru
+ * may not be visible to the HW prior to the completion of the UC
+ * register write and that we may begin execution from the context
+ * before its image is complete leading to invalid PD chasing.
++ *
++ * Furthermore, Braswell, at least, wants a full mb to be sure that
++ * the writes are coherent in memory (visible to the GPU) prior to
++ * execution, and not just visible to other CPUs (as is the result of
++ * wmb).
+ */
+- wmb();
++ mb();
+ return ce->lrc_desc;
+ }
+
--- /dev/null
+From a40fa231bb64b33e2cd54cf8ef44a9f89875fa11 Mon Sep 17 00:00:00 2001
+From: Tina Zhang <tina.zhang@intel.com>
+Date: Mon, 3 Dec 2018 16:29:23 +0800
+Subject: drm/i915/gvt: Fix tiled memory decoding bug on BDW
+
+From: Tina Zhang <tina.zhang@intel.com>
+
+commit a40fa231bb64b33e2cd54cf8ef44a9f89875fa11 upstream.
+
+Commit b244ffa15c8b ("drm/i915/gvt: Fix drm_format_mod value for vGPU
+plane") introduced a regression issue to the tiled memory decoding on BDW.
+
+This patch can fix this issue.
+
+Here is the issue detail: https://github.com/intel/gvt-linux/issues/61
+
+v1->v2:
+- Refine the commit message. (Zhenyu)
+
+Fixes: b244ffa15c8b("drm/i915/gvt: Fix drm_format_mod value for vGPU plane")
+Signed-off-by: Tina Zhang <tina.zhang@intel.com>
+Cc: stable@vger.kernel.org # v4.19+
+Cc: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/gvt/fb_decoder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/gvt/fb_decoder.c
++++ b/drivers/gpu/drm/i915/gvt/fb_decoder.c
+@@ -235,7 +235,7 @@ int intel_vgpu_decode_primary_plane(stru
+ plane->bpp = skl_pixel_formats[fmt].bpp;
+ plane->drm_format = skl_pixel_formats[fmt].drm_format;
+ } else {
+- plane->tiled = !!(val & DISPPLANE_TILED);
++ plane->tiled = val & DISPPLANE_TILED;
+ fmt = bdw_format_to_drm(val & DISPPLANE_PIXFORMAT_MASK);
+ plane->bpp = bdw_pixel_formats[fmt].bpp;
+ plane->drm_format = bdw_pixel_formats[fmt].drm_format;
--- /dev/null
+From 24199c5436f267399afed0c4f1f57663c0408f57 Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Tue, 11 Dec 2018 18:56:20 -0500
+Subject: drm/nouveau/kms: Fix memory leak in nv50_mstm_del()
+
+From: Lyude Paul <lyude@redhat.com>
+
+commit 24199c5436f267399afed0c4f1f57663c0408f57 upstream.
+
+Noticed this while working on redoing the reference counting scheme in
+the DP MST helpers. Nouveau doesn't attempt to call
+drm_dp_mst_topology_mgr_destroy() at all, which leaves it leaking all of
+the resources for drm_dp_mst_topology_mgr and it's children mstbs+ports.
+
+Fixes: f479c0ba4a17 ("drm/nouveau/kms/nv50: initial support for DP 1.2 multi-stream")
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Cc: <stable@vger.kernel.org> # v4.10+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/dispnv50/disp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/nouveau/dispnv50/disp.c
++++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c
+@@ -1226,6 +1226,7 @@ nv50_mstm_del(struct nv50_mstm **pmstm)
+ {
+ struct nv50_mstm *mstm = *pmstm;
+ if (mstm) {
++ drm_dp_mst_topology_mgr_destroy(&mstm->mgr);
+ kfree(*pmstm);
+ *pmstm = NULL;
+ }
--- /dev/null
+From 970a5ee41c72df46e3b0f307528c7d8ef7734a2e Mon Sep 17 00:00:00 2001
+From: Ben Skeggs <bskeggs@redhat.com>
+Date: Wed, 12 Dec 2018 16:51:17 +1000
+Subject: drm/nouveau/kms/nv50-: also flush fb writes when rewinding push buffer
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+commit 970a5ee41c72df46e3b0f307528c7d8ef7734a2e upstream.
+
+Should hopefully fix a regression some people have been seeing since EVO
+push buffers were moved to VRAM by default on Pascal GPUs.
+
+Fixes: d00ddd9da ("drm/nouveau/kms/nv50-: allocate push buffers in vidmem on pascal")
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Cc: <stable@vger.kernel.org> # 4.19+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/dispnv50/disp.c | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/dispnv50/disp.c
++++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c
+@@ -197,6 +197,22 @@ nv50_dmac_create(struct nvif_device *dev
+ /******************************************************************************
+ * EVO channel helpers
+ *****************************************************************************/
++static void
++evo_flush(struct nv50_dmac *dmac)
++{
++ /* Push buffer fetches are not coherent with BAR1, we need to ensure
++ * writes have been flushed right through to VRAM before writing PUT.
++ */
++ if (dmac->push.type & NVIF_MEM_VRAM) {
++ struct nvif_device *device = dmac->base.device;
++ nvif_wr32(&device->object, 0x070000, 0x00000001);
++ nvif_msec(device, 2000,
++ if (!(nvif_rd32(&device->object, 0x070000) & 0x00000002))
++ break;
++ );
++ }
++}
++
+ u32 *
+ evo_wait(struct nv50_dmac *evoc, int nr)
+ {
+@@ -207,6 +223,7 @@ evo_wait(struct nv50_dmac *evoc, int nr)
+ mutex_lock(&dmac->lock);
+ if (put + nr >= (PAGE_SIZE / 4) - 8) {
+ dmac->ptr[put] = 0x20000000;
++ evo_flush(dmac);
+
+ nvif_wr32(&dmac->base.user, 0x0000, 0x00000000);
+ if (nvif_msec(device, 2000,
+@@ -229,17 +246,7 @@ evo_kick(u32 *push, struct nv50_dmac *ev
+ {
+ struct nv50_dmac *dmac = evoc;
+
+- /* Push buffer fetches are not coherent with BAR1, we need to ensure
+- * writes have been flushed right through to VRAM before writing PUT.
+- */
+- if (dmac->push.type & NVIF_MEM_VRAM) {
+- struct nvif_device *device = dmac->base.device;
+- nvif_wr32(&device->object, 0x070000, 0x00000001);
+- nvif_msec(device, 2000,
+- if (!(nvif_rd32(&device->object, 0x070000) & 0x00000002))
+- break;
+- );
+- }
++ evo_flush(dmac);
+
+ nvif_wr32(&dmac->base.user, 0x0000, (push - dmac->ptr) << 2);
+ mutex_unlock(&dmac->lock);
--- /dev/null
+From 61c6de667263184125d5ca75e894fcad632b0dd3 Mon Sep 17 00:00:00 2001
+From: Piotr Jaroszynski <pjaroszynski@nvidia.com>
+Date: Fri, 14 Dec 2018 14:17:14 -0800
+Subject: fs/iomap.c: get/put the page in iomap_page_create/release()
+
+From: Piotr Jaroszynski <pjaroszynski@nvidia.com>
+
+commit 61c6de667263184125d5ca75e894fcad632b0dd3 upstream.
+
+migrate_page_move_mapping() expects pages with private data set to have
+a page_count elevated by 1. This is what used to happen for xfs through
+the buffer_heads code before the switch to iomap in commit 82cb14175e7d
+("xfs: add support for sub-pagesize writeback without buffer_heads").
+Not having the count elevated causes move_pages() to fail on memory
+mapped files coming from xfs.
+
+Make iomap compatible with the migrate_page_move_mapping() assumption by
+elevating the page count as part of iomap_page_create() and lowering it
+in iomap_page_release().
+
+It causes the move_pages() syscall to misbehave on memory mapped files
+from xfs. It does not not move any pages, which I suppose is "just" a
+perf issue, but it also ends up returning a positive number which is out
+of spec for the syscall. Talking to Michal Hocko, it sounds like
+returning positive numbers might be a necessary update to move_pages()
+anyway though
+(https://lkml.kernel.org/r/20181116114955.GJ14706@dhcp22.suse.cz).
+
+I only hit this in tests that verify that move_pages() actually moved
+the pages. The test also got confused by the positive return from
+move_pages() (it got treated as a success as positive numbers were not
+expected and not handled) making it a bit harder to track down what's
+going on.
+
+Link: http://lkml.kernel.org/r/20181115184140.1388751-1-pjaroszynski@nvidia.com
+Fixes: 82cb14175e7d ("xfs: add support for sub-pagesize writeback without buffer_heads")
+Signed-off-by: Piotr Jaroszynski <pjaroszynski@nvidia.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Cc: William Kucharski <william.kucharski@oracle.com>
+Cc: Darrick J. Wong <darrick.wong@oracle.com>
+Cc: Brian Foster <bfoster@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/iomap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/iomap.c
++++ b/fs/iomap.c
+@@ -117,6 +117,12 @@ iomap_page_create(struct inode *inode, s
+ atomic_set(&iop->read_count, 0);
+ atomic_set(&iop->write_count, 0);
+ bitmap_zero(iop->uptodate, PAGE_SIZE / SECTOR_SIZE);
++
++ /*
++ * migrate_page_move_mapping() assumes that pages with private data have
++ * their count elevated by 1.
++ */
++ get_page(page);
+ set_page_private(page, (unsigned long)iop);
+ SetPagePrivate(page);
+ return iop;
+@@ -133,6 +139,7 @@ iomap_page_release(struct page *page)
+ WARN_ON_ONCE(atomic_read(&iop->write_count));
+ ClearPagePrivate(page);
+ set_page_private(page, 0);
++ put_page(page);
+ kfree(iop);
+ }
+
--- /dev/null
+From 2e64ff154ce6ce9a8dc0f9556463916efa6ff460 Mon Sep 17 00:00:00 2001
+From: Chad Austin <chadaustin@fb.com>
+Date: Mon, 10 Dec 2018 10:54:52 -0800
+Subject: fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS
+
+From: Chad Austin <chadaustin@fb.com>
+
+commit 2e64ff154ce6ce9a8dc0f9556463916efa6ff460 upstream.
+
+When FUSE_OPEN returns ENOSYS, the no_open bit is set on the connection.
+
+Because the FUSE_RELEASE and FUSE_RELEASEDIR paths share code, this
+incorrectly caused the FUSE_RELEASEDIR request to be dropped and never sent
+to userspace.
+
+Pass an isdir bool to distinguish between FUSE_RELEASE and FUSE_RELEASEDIR
+inside of fuse_file_put.
+
+Fixes: 7678ac50615d ("fuse: support clients that don't implement 'open'")
+Cc: <stable@vger.kernel.org> # v3.14
+Signed-off-by: Chad Austin <chadaustin@fb.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dir.c | 2 +-
+ fs/fuse/file.c | 21 +++++++++++----------
+ fs/fuse/fuse_i.h | 2 +-
+ 3 files changed, 13 insertions(+), 12 deletions(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1439,7 +1439,7 @@ static int fuse_dir_open(struct inode *i
+
+ static int fuse_dir_release(struct inode *inode, struct file *file)
+ {
+- fuse_release_common(file, FUSE_RELEASEDIR);
++ fuse_release_common(file, true);
+
+ return 0;
+ }
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -87,12 +87,12 @@ static void fuse_release_end(struct fuse
+ iput(req->misc.release.inode);
+ }
+
+-static void fuse_file_put(struct fuse_file *ff, bool sync)
++static void fuse_file_put(struct fuse_file *ff, bool sync, bool isdir)
+ {
+ if (refcount_dec_and_test(&ff->count)) {
+ struct fuse_req *req = ff->reserved_req;
+
+- if (ff->fc->no_open) {
++ if (ff->fc->no_open && !isdir) {
+ /*
+ * Drop the release request when client does not
+ * implement 'open'
+@@ -245,10 +245,11 @@ static void fuse_prepare_release(struct
+ req->in.args[0].value = inarg;
+ }
+
+-void fuse_release_common(struct file *file, int opcode)
++void fuse_release_common(struct file *file, bool isdir)
+ {
+ struct fuse_file *ff = file->private_data;
+ struct fuse_req *req = ff->reserved_req;
++ int opcode = isdir ? FUSE_RELEASEDIR : FUSE_RELEASE;
+
+ fuse_prepare_release(ff, file->f_flags, opcode);
+
+@@ -270,7 +271,7 @@ void fuse_release_common(struct file *fi
+ * synchronous RELEASE is allowed (and desirable) in this case
+ * because the server can be trusted not to screw up.
+ */
+- fuse_file_put(ff, ff->fc->destroy_req != NULL);
++ fuse_file_put(ff, ff->fc->destroy_req != NULL, isdir);
+ }
+
+ static int fuse_open(struct inode *inode, struct file *file)
+@@ -286,7 +287,7 @@ static int fuse_release(struct inode *in
+ if (fc->writeback_cache)
+ write_inode_now(inode, 1);
+
+- fuse_release_common(file, FUSE_RELEASE);
++ fuse_release_common(file, false);
+
+ /* return value is ignored by VFS */
+ return 0;
+@@ -300,7 +301,7 @@ void fuse_sync_release(struct fuse_file
+ * iput(NULL) is a no-op and since the refcount is 1 and everything's
+ * synchronous, we are fine with not doing igrab() here"
+ */
+- fuse_file_put(ff, true);
++ fuse_file_put(ff, true, false);
+ }
+ EXPORT_SYMBOL_GPL(fuse_sync_release);
+
+@@ -805,7 +806,7 @@ static void fuse_readpages_end(struct fu
+ put_page(page);
+ }
+ if (req->ff)
+- fuse_file_put(req->ff, false);
++ fuse_file_put(req->ff, false, false);
+ }
+
+ static void fuse_send_readpages(struct fuse_req *req, struct file *file)
+@@ -1459,7 +1460,7 @@ static void fuse_writepage_free(struct f
+ __free_page(req->pages[i]);
+
+ if (req->ff)
+- fuse_file_put(req->ff, false);
++ fuse_file_put(req->ff, false, false);
+ }
+
+ static void fuse_writepage_finish(struct fuse_conn *fc, struct fuse_req *req)
+@@ -1616,7 +1617,7 @@ int fuse_write_inode(struct inode *inode
+ ff = __fuse_write_file_get(fc, fi);
+ err = fuse_flush_times(inode, ff);
+ if (ff)
+- fuse_file_put(ff, 0);
++ fuse_file_put(ff, false, false);
+
+ return err;
+ }
+@@ -1930,7 +1931,7 @@ static int fuse_writepages(struct addres
+ err = 0;
+ }
+ if (data.ff)
+- fuse_file_put(data.ff, false);
++ fuse_file_put(data.ff, false, false);
+
+ kfree(data.orig_pages);
+ out:
+--- a/fs/fuse/fuse_i.h
++++ b/fs/fuse/fuse_i.h
+@@ -749,7 +749,7 @@ void fuse_sync_release(struct fuse_file
+ /**
+ * Send RELEASE or RELEASEDIR request
+ */
+-void fuse_release_common(struct file *file, int opcode);
++void fuse_release_common(struct file *file, bool isdir);
+
+ /**
+ * Send FSYNC or FSYNCDIR request
--- /dev/null
+From 04990215dec43c424daff00d1f622167b8aafd1f Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Wed, 28 Nov 2018 03:37:43 -0500
+Subject: media: vb2: don't call __vb2_queue_cancel if vb2_start_streaming failed
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit 04990215dec43c424daff00d1f622167b8aafd1f upstream.
+
+vb2_start_streaming() already rolls back the buffers, so there is no
+need to call __vb2_queue_cancel(). Especially since __vb2_queue_cancel()
+does too much, such as zeroing the q->queued_count value, causing vb2
+to think that no buffers have been queued.
+
+It appears that this call to __vb2_queue_cancel() is a left-over from
+before commit b3379c6201bb3.
+
+Fixes: b3379c6201bb3 ('vb2: only call start_streaming if sufficient buffers are queued')
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Cc: <stable@vger.kernel.org> # for v4.16 and up
+Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/common/videobuf2/videobuf2-core.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/media/common/videobuf2/videobuf2-core.c
++++ b/drivers/media/common/videobuf2/videobuf2-core.c
+@@ -1755,10 +1755,8 @@ int vb2_core_streamon(struct vb2_queue *
+ if (ret)
+ return ret;
+ ret = vb2_start_streaming(q);
+- if (ret) {
+- __vb2_queue_cancel(q);
++ if (ret)
+ return ret;
+- }
+ }
+
+ q->streaming = 1;
--- /dev/null
+From a44f7cb937321d4961bfc8f28912126b06e701c5 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Mon, 26 Nov 2018 14:38:13 +0100
+Subject: mmc: core: use mrq->sbc when sending CMD23 for RPMB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+commit a44f7cb937321d4961bfc8f28912126b06e701c5 upstream.
+
+When sending out CMD23 in the blk preparation, the comment there
+rightfully says:
+
+ * However, it is not sufficient to just send CMD23,
+ * and avoid the final CMD12, as on an error condition
+ * CMD12 (stop) needs to be sent anyway. This, coupled
+ * with Auto-CMD23 enhancements provided by some
+ * hosts, means that the complexity of dealing
+ * with this is best left to the host. If CMD23 is
+ * supported by card and host, we'll fill sbc in and let
+ * the host deal with handling it correctly.
+
+Let's do this behaviour for RPMB as well, and not send CMD23
+independently. Otherwise IP cores (like Renesas SDHI) may timeout
+because of automatic CMD23/CMD12 handling.
+
+Reported-by: Masaharu Hayakawa <masaharu.hayakawa.ry@renesas.com>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Tested-by: Clément Péron <peron.clem@gmail.com>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/core/block.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -472,7 +472,7 @@ out:
+ static int __mmc_blk_ioctl_cmd(struct mmc_card *card, struct mmc_blk_data *md,
+ struct mmc_blk_ioc_data *idata)
+ {
+- struct mmc_command cmd = {};
++ struct mmc_command cmd = {}, sbc = {};
+ struct mmc_data data = {};
+ struct mmc_request mrq = {};
+ struct scatterlist sg;
+@@ -550,10 +550,15 @@ static int __mmc_blk_ioctl_cmd(struct mm
+ }
+
+ if (idata->rpmb) {
+- err = mmc_set_blockcount(card, data.blocks,
+- idata->ic.write_flag & (1 << 31));
+- if (err)
+- return err;
++ sbc.opcode = MMC_SET_BLOCK_COUNT;
++ /*
++ * We don't do any blockcount validation because the max size
++ * may be increased by a future standard. We just copy the
++ * 'Reliable Write' bit here.
++ */
++ sbc.arg = data.blocks | (idata->ic.write_flag & BIT(31));
++ sbc.flags = MMC_RSP_R1 | MMC_CMD_AC;
++ mrq.sbc = &sbc;
+ }
+
+ if ((MMC_EXTRACT_INDEX_FROM_ARG(cmd.arg) == EXT_CSD_SANITIZE_START) &&
--- /dev/null
+From e8cde625bfe8a714a856e1366bcbb259d7346095 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Tue, 20 Nov 2018 01:14:00 +0200
+Subject: MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310
+
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+
+commit e8cde625bfe8a714a856e1366bcbb259d7346095 upstream.
+
+Since v2.6.22 or so there has been reports [1] about OMAP MMC being
+broken on OMAP15XX based hardware (OMAP5910 and OMAP310). The breakage
+seems to have been caused by commit 46a6730e3ff9 ("mmc-omap: Fix
+omap to use MMC_POWER_ON") that changed clock enabling to be done
+on MMC_POWER_ON. This can happen multiple times in a row, and on 15XX
+the hardware doesn't seem to like it and the MMC just stops responding.
+Fix by memorizing the power mode and do the init only when necessary.
+
+Before the patch (on Palm TE):
+
+ mmc0: new SD card at address b368
+ mmcblk0: mmc0:b368 SDC 977 MiB
+ mmci-omap mmci-omap.0: command timeout (CMD18)
+ mmci-omap mmci-omap.0: command timeout (CMD13)
+ mmci-omap mmci-omap.0: command timeout (CMD13)
+ mmci-omap mmci-omap.0: command timeout (CMD12) [x 6]
+ mmci-omap mmci-omap.0: command timeout (CMD13) [x 6]
+ mmcblk0: error -110 requesting status
+ mmci-omap mmci-omap.0: command timeout (CMD8)
+ mmci-omap mmci-omap.0: command timeout (CMD18)
+ mmci-omap mmci-omap.0: command timeout (CMD13)
+ mmci-omap mmci-omap.0: command timeout (CMD13)
+ mmci-omap mmci-omap.0: command timeout (CMD12) [x 6]
+ mmci-omap mmci-omap.0: command timeout (CMD13) [x 6]
+ mmcblk0: error -110 requesting status
+ mmcblk0: recovery failed!
+ print_req_error: I/O error, dev mmcblk0, sector 0
+ Buffer I/O error on dev mmcblk0, logical block 0, async page read
+ mmcblk0: unable to read partition table
+
+After the patch:
+
+ mmc0: new SD card at address b368
+ mmcblk0: mmc0:b368 SDC 977 MiB
+ mmcblk0: p1
+
+The patch is based on a fix and analysis done by Ladislav Michl.
+
+Tested on OMAP15XX/OMAP310 (Palm TE), OMAP1710 (Nokia 770)
+and OMAP2420 (Nokia N810).
+
+[1] https://marc.info/?t=123175197000003&r=1&w=2
+
+Fixes: 46a6730e3ff9 ("mmc-omap: Fix omap to use MMC_POWER_ON")
+Reported-by: Ladislav Michl <ladis@linux-mips.org>
+Reported-by: Andrzej Zaborowski <balrogg@gmail.com>
+Tested-by: Ladislav Michl <ladis@linux-mips.org>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/omap.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/omap.c
++++ b/drivers/mmc/host/omap.c
+@@ -104,6 +104,7 @@ struct mmc_omap_slot {
+ unsigned int vdd;
+ u16 saved_con;
+ u16 bus_mode;
++ u16 power_mode;
+ unsigned int fclk_freq;
+
+ struct tasklet_struct cover_tasklet;
+@@ -1157,7 +1158,7 @@ static void mmc_omap_set_ios(struct mmc_
+ struct mmc_omap_slot *slot = mmc_priv(mmc);
+ struct mmc_omap_host *host = slot->host;
+ int i, dsor;
+- int clk_enabled;
++ int clk_enabled, init_stream;
+
+ mmc_omap_select_slot(slot, 0);
+
+@@ -1167,6 +1168,7 @@ static void mmc_omap_set_ios(struct mmc_
+ slot->vdd = ios->vdd;
+
+ clk_enabled = 0;
++ init_stream = 0;
+ switch (ios->power_mode) {
+ case MMC_POWER_OFF:
+ mmc_omap_set_power(slot, 0, ios->vdd);
+@@ -1174,13 +1176,17 @@ static void mmc_omap_set_ios(struct mmc_
+ case MMC_POWER_UP:
+ /* Cannot touch dsor yet, just power up MMC */
+ mmc_omap_set_power(slot, 1, ios->vdd);
++ slot->power_mode = ios->power_mode;
+ goto exit;
+ case MMC_POWER_ON:
+ mmc_omap_fclk_enable(host, 1);
+ clk_enabled = 1;
+ dsor |= 1 << 11;
++ if (slot->power_mode != MMC_POWER_ON)
++ init_stream = 1;
+ break;
+ }
++ slot->power_mode = ios->power_mode;
+
+ if (slot->bus_mode != ios->bus_mode) {
+ if (slot->pdata->set_bus_mode != NULL)
+@@ -1196,7 +1202,7 @@ static void mmc_omap_set_ios(struct mmc_
+ for (i = 0; i < 2; i++)
+ OMAP_MMC_WRITE(host, CON, dsor);
+ slot->saved_con = dsor;
+- if (ios->power_mode == MMC_POWER_ON) {
++ if (init_stream) {
+ /* worst case at 400kHz, 80 cycles makes 200 microsecs */
+ int usecs = 250;
+
+@@ -1234,6 +1240,7 @@ static int mmc_omap_new_slot(struct mmc_
+ slot->host = host;
+ slot->mmc = mmc;
+ slot->id = id;
++ slot->power_mode = MMC_POWER_UNDEFINED;
+ slot->pdata = &host->pdata->slots[id];
+
+ host->slots[id] = slot;
--- /dev/null
+From b704441e38f645dcfba1348ca3cc1ba43d1a9f31 Mon Sep 17 00:00:00 2001
+From: Alek Du <alek.du@intel.com>
+Date: Thu, 6 Dec 2018 17:24:59 +0800
+Subject: mmc: sdhci: fix the timeout check window for clock and reset
+
+From: Alek Du <alek.du@intel.com>
+
+commit b704441e38f645dcfba1348ca3cc1ba43d1a9f31 upstream.
+
+We observed some premature timeouts on a virtualization platform, the log
+is like this:
+
+case 1:
+[159525.255629] mmc1: Internal clock never stabilised.
+[159525.255818] mmc1: sdhci: ============ SDHCI REGISTER DUMP ===========
+[159525.256049] mmc1: sdhci: Sys addr: 0x00000000 | Version: 0x00001002
+...
+[159525.257205] mmc1: sdhci: Wake-up: 0x00000000 | Clock: 0x0000fa03
+From the clock control register dump, we are pretty sure the clock was
+stablized.
+
+case 2:
+[ 914.550127] mmc1: Reset 0x2 never completed.
+[ 914.550321] mmc1: sdhci: ============ SDHCI REGISTER DUMP ===========
+[ 914.550608] mmc1: sdhci: Sys addr: 0x00000010 | Version: 0x00001002
+
+After checking the sdhci code, we found the timeout check actually has a
+little window that the CPU can be scheduled out and when it comes back,
+the original time set or check is not valid.
+
+Fixes: 5a436cc0af62 ("mmc: sdhci: Optimize delay loops")
+Cc: stable@vger.kernel.org # v4.12+
+Signed-off-by: Alek Du <alek.du@intel.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -193,8 +193,12 @@ void sdhci_reset(struct sdhci_host *host
+ timeout = ktime_add_ms(ktime_get(), 100);
+
+ /* hw clears the bit when it's done */
+- while (sdhci_readb(host, SDHCI_SOFTWARE_RESET) & mask) {
+- if (ktime_after(ktime_get(), timeout)) {
++ while (1) {
++ bool timedout = ktime_after(ktime_get(), timeout);
++
++ if (!(sdhci_readb(host, SDHCI_SOFTWARE_RESET) & mask))
++ break;
++ if (timedout) {
+ pr_err("%s: Reset 0x%x never completed.\n",
+ mmc_hostname(host->mmc), (int)mask);
+ sdhci_dumpregs(host);
+@@ -1495,9 +1499,13 @@ void sdhci_enable_clk(struct sdhci_host
+
+ /* Wait max 20 ms */
+ timeout = ktime_add_ms(ktime_get(), 20);
+- while (!((clk = sdhci_readw(host, SDHCI_CLOCK_CONTROL))
+- & SDHCI_CLOCK_INT_STABLE)) {
+- if (ktime_after(ktime_get(), timeout)) {
++ while (1) {
++ bool timedout = ktime_after(ktime_get(), timeout);
++
++ clk = sdhci_readw(host, SDHCI_CLOCK_CONTROL);
++ if (clk & SDHCI_CLOCK_INT_STABLE)
++ break;
++ if (timedout) {
+ pr_err("%s: Internal clock never stabilised.\n",
+ mmc_hostname(host->mmc));
+ sdhci_dumpregs(host);
--- /dev/null
+From db2039fcfd5754d15986340152e4503737f68f8d Mon Sep 17 00:00:00 2001
+From: Faiz Abbas <faiz_abbas@ti.com>
+Date: Wed, 21 Nov 2018 16:03:55 +0530
+Subject: mmc: sdhci-omap: Fix DCRC error handling during tuning
+
+From: Faiz Abbas <faiz_abbas@ti.com>
+
+commit db2039fcfd5754d15986340152e4503737f68f8d upstream.
+
+Commit 7d33c3581536 ("mmc: sdhci-omap: Workaround for Errata i802")
+disabled DCRC interrupts during tuning. This write to the interrupt
+enable register gets overwritten in sdhci_prepare_data() and the
+interrupt is not in fact disabled. Fix this by disabling the interrupt
+in the host->ier variable.
+
+Fixes: 7d33c3581536 ("mmc: sdhci-omap: Workaround for Errata i802")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Faiz Abbas <faiz_abbas@ti.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-omap.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-omap.c
++++ b/drivers/mmc/host/sdhci-omap.c
+@@ -288,9 +288,9 @@ static int sdhci_omap_execute_tuning(str
+ struct device *dev = omap_host->dev;
+ struct mmc_ios *ios = &mmc->ios;
+ u32 start_window = 0, max_window = 0;
++ bool dcrc_was_enabled = false;
+ u8 cur_match, prev_match = 0;
+ u32 length = 0, max_len = 0;
+- u32 ier = host->ier;
+ u32 phase_delay = 0;
+ int ret = 0;
+ u32 reg;
+@@ -317,9 +317,10 @@ static int sdhci_omap_execute_tuning(str
+ * during the tuning procedure. So disable it during the
+ * tuning procedure.
+ */
+- ier &= ~SDHCI_INT_DATA_CRC;
+- sdhci_writel(host, ier, SDHCI_INT_ENABLE);
+- sdhci_writel(host, ier, SDHCI_SIGNAL_ENABLE);
++ if (host->ier & SDHCI_INT_DATA_CRC) {
++ host->ier &= ~SDHCI_INT_DATA_CRC;
++ dcrc_was_enabled = true;
++ }
+
+ while (phase_delay <= MAX_PHASE_DELAY) {
+ sdhci_omap_set_dll(omap_host, phase_delay);
+@@ -366,6 +367,9 @@ tuning_error:
+
+ ret:
+ sdhci_reset(host, SDHCI_RESET_CMD | SDHCI_RESET_DATA);
++ /* Reenable forbidden interrupt */
++ if (dcrc_was_enabled)
++ host->ier |= SDHCI_INT_DATA_CRC;
+ sdhci_writel(host, host->ier, SDHCI_INT_ENABLE);
+ sdhci_writel(host, host->ier, SDHCI_SIGNAL_ENABLE);
+ return ret;
--- /dev/null
+From 155b8a0492a90a4c6e22f046a3568b92a6bc48da Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Mon, 5 Nov 2018 07:50:10 +0200
+Subject: ovl: fix decode of dir file handle with multi lower layers
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 155b8a0492a90a4c6e22f046a3568b92a6bc48da upstream.
+
+When decoding a lower file handle, we first call ovl_check_origin_fh()
+with connected=false to get any real lower dentry for overlay inode
+cache lookup.
+
+If the real dentry is a disconnected dir dentry, ovl_check_origin_fh()
+is called again with connected=true to get a connected real dentry
+and find the lower layer the real dentry belongs to.
+
+If the first call returned a connected real dentry, we use it to
+lookup an overlay connected dentry, but the first ovl_check_origin_fh()
+call with connected=false did not check that the found dentry is under
+the root of the layer (see ovl_acceptable()), it only checked that
+the found dentry super block matches the uuid of the lower file handle.
+
+In case there are multiple lower layers on the same fs and the found
+dentry is not from the top most lower layer, using the layer index
+returned from the first ovl_check_origin_fh() is wrong and we end
+up failing to decode the file handle.
+
+Fix this by always calling ovl_check_origin_fh() with connected=true
+if we got a directory dentry in the first call.
+
+Fixes: 8b58924ad55c ("ovl: lookup in inode cache first when decoding...")
+Cc: <stable@vger.kernel.org> # v4.17
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/export.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/overlayfs/export.c
++++ b/fs/overlayfs/export.c
+@@ -754,9 +754,8 @@ static struct dentry *ovl_lower_fh_to_d(
+ goto out;
+ }
+
+- /* Otherwise, get a connected non-upper dir or disconnected non-dir */
+- if (d_is_dir(origin.dentry) &&
+- (origin.dentry->d_flags & DCACHE_DISCONNECTED)) {
++ /* Find origin.dentry again with ovl_acceptable() layer check */
++ if (d_is_dir(origin.dentry)) {
+ dput(origin.dentry);
+ origin.dentry = NULL;
+ err = ovl_check_origin_fh(ofs, fh, true, NULL, &stack);
+@@ -769,6 +768,7 @@ static struct dentry *ovl_lower_fh_to_d(
+ goto out_err;
+ }
+
++ /* Get a connected non-upper dir or disconnected non-dir */
+ dentry = ovl_get_dentry(sb, NULL, &origin, index);
+
+ out:
--- /dev/null
+From 91ff20f34e94424e586f57f4f593beae16504f86 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Wed, 14 Nov 2018 16:01:34 +0200
+Subject: ovl: fix missing override creds in link of a metacopy upper
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 91ff20f34e94424e586f57f4f593beae16504f86 upstream.
+
+Theodore Ts'o reported a v4.19 regression with docker-dropbox:
+https://marc.info/?l=linux-fsdevel&m=154070089431116&w=2
+
+"I was rebuilding my dropbox Docker container, and it failed in 4.19
+ with the following error:
+ ...
+ dpkg: error: error creating new backup file \
+ '/var/lib/dpkg/status-old': Invalid cross-device link"
+
+The problem did not reproduce with metacopy feature disabled.
+The error was caused by insufficient credentials to set
+"trusted.overlay.redirect" xattr on link of a metacopy file.
+
+Reproducer:
+
+ echo Y > /sys/module/overlay/parameters/redirect_dir
+ echo Y > /sys/module/overlay/parameters/metacopy
+ cd /tmp
+ mkdir l u w m
+ chmod 777 l u
+ touch l/foo
+ ln l/foo l/link
+ chmod 666 l/foo
+ mount -t overlay none -olowerdir=l,upperdir=u,workdir=w m
+ su fsgqa
+ ln m/foo m/bar
+ [ 21.455823] overlayfs: failed to set redirect (-1)
+ ln: failed to create hard link 'm/bar' => 'm/foo':\
+ Invalid cross-device link
+
+Reported-by: Theodore Y. Ts'o <tytso@mit.edu>
+Reported-by: Maciej Zięba <maciekz82@gmail.com>
+Fixes: 4120fe64dce4 ("ovl: Set redirect on upper inode when it is linked")
+Cc: <stable@vger.kernel.org> # v4.19
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Acked-by: Vivek Goyal <vgoyal@redhat.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/dir.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -652,6 +652,18 @@ static int ovl_symlink(struct inode *dir
+ return ovl_create_object(dentry, S_IFLNK, 0, link);
+ }
+
++static int ovl_set_link_redirect(struct dentry *dentry)
++{
++ const struct cred *old_cred;
++ int err;
++
++ old_cred = ovl_override_creds(dentry->d_sb);
++ err = ovl_set_redirect(dentry, false);
++ revert_creds(old_cred);
++
++ return err;
++}
++
+ static int ovl_link(struct dentry *old, struct inode *newdir,
+ struct dentry *new)
+ {
+@@ -672,7 +684,7 @@ static int ovl_link(struct dentry *old,
+ goto out_drop_write;
+
+ if (ovl_is_metacopy_dentry(old)) {
+- err = ovl_set_redirect(old, false);
++ err = ovl_set_link_redirect(old);
+ if (err)
+ goto out_drop_write;
+ }
--- /dev/null
+From 478b6767ad26ab86d9ecc341027dd09a87b1f997 Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Tue, 4 Dec 2018 17:04:57 +0800
+Subject: pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+commit 478b6767ad26ab86d9ecc341027dd09a87b1f997 upstream.
+
+Pin PH11 is used on various A83T board to detect a change in the OTG
+port's ID pin, as in when an OTG host cable is plugged in.
+
+The incorrect offset meant the gpiochip/irqchip was activating the wrong
+pin for interrupts.
+
+Fixes: 4730f33f0d82 ("pinctrl: sunxi: add allwinner A83T PIO controller support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Acked-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c
++++ b/drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c
+@@ -568,7 +568,7 @@ static const struct sunxi_desc_pin sun8i
+ SUNXI_PIN(SUNXI_PINCTRL_PIN(H, 11),
+ SUNXI_FUNCTION(0x0, "gpio_in"),
+ SUNXI_FUNCTION(0x1, "gpio_out"),
+- SUNXI_FUNCTION_IRQ_BANK(0x6, 2, 1)), /* PH_EINT11 */
++ SUNXI_FUNCTION_IRQ_BANK(0x6, 2, 11)), /* PH_EINT11 */
+ };
+
+ static const struct sunxi_pinctrl_desc sun8i_a83t_pinctrl_data = {
--- /dev/null
+From bf3d6afbb234156749b640b6c50f714967a85964 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Fri, 30 Nov 2018 14:54:09 +1100
+Subject: powerpc: Look for "stdout-path" when setting up legacy consoles
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit bf3d6afbb234156749b640b6c50f714967a85964 upstream.
+
+Commit 78e5dfea84dc ("powerpc: dts: replace 'linux,stdout-path' with
+'stdout-path'") broke the default console on a number of embedded
+PowerPC systems, because it failed to also update the code in
+arch/powerpc/kernel/legacy_serial.c to look for that property in
+addition to the old one.
+
+This fixes it.
+
+Fixes: 78e5dfea84dc ("powerpc: dts: replace 'linux,stdout-path' with 'stdout-path'")
+Cc: stable@vger.kernel.org # v4.17+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/legacy_serial.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/legacy_serial.c
++++ b/arch/powerpc/kernel/legacy_serial.c
+@@ -372,6 +372,8 @@ void __init find_legacy_serial_ports(voi
+
+ /* Now find out if one of these is out firmware console */
+ path = of_get_property(of_chosen, "linux,stdout-path", NULL);
++ if (path == NULL)
++ path = of_get_property(of_chosen, "stdout-path", NULL);
+ if (path != NULL) {
+ stdout = of_find_node_by_path(path);
+ if (stdout)
+@@ -595,8 +597,10 @@ static int __init check_legacy_serial_co
+ /* We are getting a weird phandle from OF ... */
+ /* ... So use the full path instead */
+ name = of_get_property(of_chosen, "linux,stdout-path", NULL);
++ if (name == NULL)
++ name = of_get_property(of_chosen, "stdout-path", NULL);
+ if (name == NULL) {
+- DBG(" no linux,stdout-path !\n");
++ DBG(" no stdout-path !\n");
+ return -ENODEV;
+ }
+ prom_stdout = of_find_node_by_path(name);
--- /dev/null
+From 78e7b15e17ac175e7eed9e21c6f92d03d3b0a6fa Mon Sep 17 00:00:00 2001
+From: Radu Rendec <radu.rendec@gmail.com>
+Date: Tue, 27 Nov 2018 22:20:48 -0500
+Subject: powerpc/msi: Fix NULL pointer access in teardown code
+
+From: Radu Rendec <radu.rendec@gmail.com>
+
+commit 78e7b15e17ac175e7eed9e21c6f92d03d3b0a6fa upstream.
+
+The arch_teardown_msi_irqs() function assumes that controller ops
+pointers were already checked in arch_setup_msi_irqs(), but this
+assumption is wrong: arch_teardown_msi_irqs() can be called even when
+arch_setup_msi_irqs() returns an error (-ENOSYS).
+
+This can happen in the following scenario:
+ - msi_capability_init() calls pci_msi_setup_msi_irqs()
+ - pci_msi_setup_msi_irqs() returns -ENOSYS
+ - msi_capability_init() notices the error and calls free_msi_irqs()
+ - free_msi_irqs() calls pci_msi_teardown_msi_irqs()
+
+This is easier to see when CONFIG_PCI_MSI_IRQ_DOMAIN is not set and
+pci_msi_setup_msi_irqs() and pci_msi_teardown_msi_irqs() are just
+aliases to arch_setup_msi_irqs() and arch_teardown_msi_irqs().
+
+The call to free_msi_irqs() upon pci_msi_setup_msi_irqs() failure
+seems legit, as it does additional cleanup; e.g.
+list_del(&entry->list) and kfree(entry) inside free_msi_irqs() do
+happen (MSI descriptors are allocated before pci_msi_setup_msi_irqs()
+is called and need to be cleaned up if that fails).
+
+Fixes: 6b2fd7efeb88 ("PCI/MSI/PPC: Remove arch_msi_check_device()")
+Cc: stable@vger.kernel.org # v3.18+
+Signed-off-by: Radu Rendec <radu.rendec@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/msi.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/msi.c
++++ b/arch/powerpc/kernel/msi.c
+@@ -34,5 +34,10 @@ void arch_teardown_msi_irqs(struct pci_d
+ {
+ struct pci_controller *phb = pci_bus_to_host(dev->bus);
+
+- phb->controller_ops.teardown_msi_irqs(dev);
++ /*
++ * We can be called even when arch_setup_msi_irqs() returns -ENOSYS,
++ * so check the pointer again.
++ */
++ if (phb->controller_ops.teardown_msi_irqs)
++ phb->controller_ops.teardown_msi_irqs(dev);
+ }
--- /dev/null
+From 63238173b2faf3d6b85a416f1c69af6c7be2413f Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Wed, 5 Dec 2018 10:16:57 -0800
+Subject: Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec"
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit 63238173b2faf3d6b85a416f1c69af6c7be2413f upstream.
+
+This reverts commit 7f3ef5dedb146e3d5063b6845781ad1bb59b92b5.
+
+It causes new warnings [1] on shutdown when running the Google Kevin or
+Scarlet (RK3399) boards under Chrome OS. Presumably our usage of DRM is
+different than what Marc and Heiko test.
+
+We're looking at a different approach (e.g., [2]) to replace this, but
+IMO the revert should be taken first, as it already propagated to
+-stable.
+
+[1] Report here:
+http://lkml.kernel.org/lkml/20181205030127.GA200921@google.com
+
+WARNING: CPU: 4 PID: 2035 at drivers/gpu/drm/drm_mode_config.c:477 drm_mode_config_cleanup+0x1c4/0x294
+...
+ Call trace:
+ drm_mode_config_cleanup+0x1c4/0x294
+ rockchip_drm_unbind+0x4c/0x8c
+ component_master_del+0x88/0xb8
+ rockchip_drm_platform_remove+0x2c/0x44
+ rockchip_drm_platform_shutdown+0x20/0x2c
+ platform_drv_shutdown+0x2c/0x38
+ device_shutdown+0x164/0x1b8
+ kernel_restart_prepare+0x40/0x48
+ kernel_restart+0x20/0x68
+...
+ Memory manager not clean during takedown.
+ WARNING: CPU: 4 PID: 2035 at drivers/gpu/drm/drm_mm.c:950 drm_mm_takedown+0x34/0x44
+...
+ drm_mm_takedown+0x34/0x44
+ rockchip_drm_unbind+0x64/0x8c
+ component_master_del+0x88/0xb8
+ rockchip_drm_platform_remove+0x2c/0x44
+ rockchip_drm_platform_shutdown+0x20/0x2c
+ platform_drv_shutdown+0x2c/0x38
+ device_shutdown+0x164/0x1b8
+ kernel_restart_prepare+0x40/0x48
+ kernel_restart+0x20/0x68
+...
+
+[2] https://patchwork.kernel.org/patch/10556151/
+ https://www.spinics.net/lists/linux-rockchip/msg21342.html
+ [PATCH] drm/rockchip: shutdown drm subsystem on shutdown
+
+Fixes: 7f3ef5dedb14 ("drm/rockchip: Allow driver to be shutdown on reboot/kexec")
+Cc: Jeffy Chen <jeffy.chen@rock-chips.com>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Cc: Vicente Bergas <vicencb@gmail.com>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Heiko Stuebner <heiko@sntech.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181205181657.177703-1-briannorris@chromium.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_drv.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
+@@ -442,11 +442,6 @@ static int rockchip_drm_platform_remove(
+ return 0;
+ }
+
+-static void rockchip_drm_platform_shutdown(struct platform_device *pdev)
+-{
+- rockchip_drm_platform_remove(pdev);
+-}
+-
+ static const struct of_device_id rockchip_drm_dt_ids[] = {
+ { .compatible = "rockchip,display-subsystem", },
+ { /* sentinel */ },
+@@ -456,7 +451,6 @@ MODULE_DEVICE_TABLE(of, rockchip_drm_dt_
+ static struct platform_driver rockchip_drm_platform_driver = {
+ .probe = rockchip_drm_platform_probe,
+ .remove = rockchip_drm_platform_remove,
+- .shutdown = rockchip_drm_platform_shutdown,
+ .driver = {
+ .name = "rockchip-drm",
+ .of_match_table = rockchip_drm_dt_ids,
--- /dev/null
+From 3a6ab5c7dc114057fd67750e308e1745dafc0e6a Mon Sep 17 00:00:00 2001
+From: Thierry Reding <treding@nvidia.com>
+Date: Fri, 14 Dec 2018 14:17:24 -0800
+Subject: scripts/spdxcheck.py: always open files in binary mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thierry Reding <treding@nvidia.com>
+
+commit 3a6ab5c7dc114057fd67750e308e1745dafc0e6a upstream.
+
+The spdxcheck script currently falls over when confronted with a binary
+file (such as Documentation/logo.gif). To avoid that, always open files
+in binary mode and decode line-by-line, ignoring encoding errors.
+
+One tricky case is when piping data into the script and reading it from
+standard input. By default, standard input will be opened in text mode,
+so we need to reopen it in binary mode.
+
+The breakage only happens with python3 and results in a
+UnicodeDecodeError (according to Uwe).
+
+Link: http://lkml.kernel.org/r/20181212131210.28024-1-thierry.reding@gmail.com
+Fixes: 6f4d29df66ac ("scripts/spdxcheck.py: make python3 compliant")
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Reviewed-by: Jeremy Cline <jcline@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Joe Perches <joe@perches.com>
+Cc: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/spdxcheck.py | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/scripts/spdxcheck.py
++++ b/scripts/spdxcheck.py
+@@ -168,6 +168,7 @@ class id_parser(object):
+ self.curline = 0
+ try:
+ for line in fd:
++ line = line.decode(locale.getpreferredencoding(False), errors='ignore')
+ self.curline += 1
+ if self.curline > maxlines:
+ break
+@@ -249,12 +250,13 @@ if __name__ == '__main__':
+
+ try:
+ if len(args.path) and args.path[0] == '-':
+- parser.parse_lines(sys.stdin, args.maxlines, '-')
++ stdin = os.fdopen(sys.stdin.fileno(), 'rb')
++ parser.parse_lines(stdin, args.maxlines, '-')
+ else:
+ if args.path:
+ for p in args.path:
+ if os.path.isfile(p):
+- parser.parse_lines(open(p), args.maxlines, p)
++ parser.parse_lines(open(p, 'rb'), args.maxlines, p)
+ elif os.path.isdir(p):
+ scan_git_subtree(repo.head.reference.commit.tree, p)
+ else:
i2c-aspeed-fix-build-warning.patch
arm-dts-qcom-apq8064-arrow-sd-600eval-fix-graph_endp.patch
drm-msm-fix-address-space-warning.patch
+pinctrl-sunxi-a83t-fix-irq-offset-typo-for-ph11.patch
+aio-fix-spectre-gadget-in-lookup_ioctx.patch
+scripts-spdxcheck.py-always-open-files-in-binary-mode.patch
+fs-iomap.c-get-put-the-page-in-iomap_page_create-release.patch
+userfaultfd-check-vm_maywrite-was-set-after-verifying-the-uffd-is-registered.patch
+arm64-dma-mapping-fix-force_contiguous-buffer-clearing.patch
+block-bio-do-not-zero-user-pages.patch
+ovl-fix-decode-of-dir-file-handle-with-multi-lower-layers.patch
+ovl-fix-missing-override-creds-in-link-of-a-metacopy-upper.patch
+mmc-omap-fix-broken-mmc-on-omap15xx-omap5910-omap310.patch
+mmc-core-use-mrq-sbc-when-sending-cmd23-for-rpmb.patch
+mmc-sdhci-omap-fix-dcrc-error-handling-during-tuning.patch
+mmc-sdhci-fix-the-timeout-check-window-for-clock-and-reset.patch
+fuse-continue-to-send-fuse_releasedir-when-fuse_open-returns-enosys.patch
+arm-mmp-mmp2-fix-cpu_is_mmp2-on-mmp2-dt.patch
+arm-dts-bcm2837-fix-polarity-of-wifi-reset-gpios.patch
+dm-thin-send-event-about-thin-pool-state-change-_after_-making-it.patch
+dm-cache-metadata-verify-cache-has-blocks-in-blocks_are_clean_separate_dirty.patch
+dm-call-blk_queue_split-to-impose-device-limits-on-bios.patch
+tracing-fix-memory-leak-in-create_filter.patch
+tracing-fix-memory-leak-in-set_trigger_filter.patch
+tracing-fix-memory-leak-of-instance-function-hash-filters.patch
+media-vb2-don-t-call-__vb2_queue_cancel-if-vb2_start_streaming-failed.patch
+powerpc-msi-fix-null-pointer-access-in-teardown-code.patch
+powerpc-look-for-stdout-path-when-setting-up-legacy-consoles.patch
+drm-nouveau-kms-fix-memory-leak-in-nv50_mstm_del.patch
+drm-nouveau-kms-nv50-also-flush-fb-writes-when-rewinding-push-buffer.patch
+revert-drm-rockchip-allow-driver-to-be-shutdown-on-reboot-kexec.patch
+drm-i915-gvt-fix-tiled-memory-decoding-bug-on-bdw.patch
+drm-i915-execlists-apply-a-full-mb-before-execution-for-braswell.patch
+drm-amdgpu-powerplay-apply-avfs-cks-off-voltages-on-vi.patch
+drm-amdkfd-add-new-vega10-pci-ids.patch
+drm-amdgpu-add-some-additional-vega10-pci-ids.patch
+drm-amdgpu-update-smu-firmware-images-for-vi-variants-v2.patch
+drm-amdgpu-update-smc-firmware-image-for-polaris10-variants.patch
--- /dev/null
+From b61c19209c2c35ea2a2fe502d484703686eba98c Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Sat, 8 Dec 2018 21:10:04 -0500
+Subject: tracing: Fix memory leak in create_filter()
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit b61c19209c2c35ea2a2fe502d484703686eba98c upstream.
+
+The create_filter() calls create_filter_start() which allocates a
+"parse_error" descriptor, but fails to call create_filter_finish() that
+frees it.
+
+The op_stack and inverts in predicate_parse() were also not freed.
+
+Found by kmemleak detector.
+
+Cc: stable@vger.kernel.org
+Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster")
+Reviewed-by: Tom Zanussi <tom.zanussi@linux.intel.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_filter.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -570,11 +570,13 @@ predicate_parse(const char *str, int nr_
+ }
+ }
+
++ kfree(op_stack);
++ kfree(inverts);
+ return prog;
+ out_free:
+ kfree(op_stack);
+- kfree(prog_stack);
+ kfree(inverts);
++ kfree(prog_stack);
+ return ERR_PTR(ret);
+ }
+
+@@ -1718,6 +1720,7 @@ static int create_filter(struct trace_ev
+ err = process_preds(call, filter_string, *filterp, pe);
+ if (err && set_str)
+ append_filter_err(pe, *filterp);
++ create_filter_finish(pe);
+
+ return err;
+ }
--- /dev/null
+From 3cec638b3d793b7cacdec5b8072364b41caeb0e1 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Sun, 9 Dec 2018 21:17:30 -0500
+Subject: tracing: Fix memory leak in set_trigger_filter()
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 3cec638b3d793b7cacdec5b8072364b41caeb0e1 upstream.
+
+When create_event_filter() fails in set_trigger_filter(), the filter may
+still be allocated and needs to be freed. The caller expects the
+data->filter to be updated with the new filter, even if the new filter
+failed (we could add an error message by setting set_str parameter of
+create_event_filter(), but that's another update).
+
+But because the error would just exit, filter was left hanging and
+nothing could free it.
+
+Found by kmemleak detector.
+
+Cc: stable@vger.kernel.org
+Fixes: bac5fb97a173a ("tracing: Add and use generic set_trigger_filter() implementation")
+Reviewed-by: Tom Zanussi <tom.zanussi@linux.intel.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_trigger.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -732,8 +732,10 @@ int set_trigger_filter(char *filter_str,
+
+ /* The filter is for the 'trigger' event, not the triggered event */
+ ret = create_event_filter(file->event_call, filter_str, false, &filter);
+- if (ret)
+- goto out;
++ /*
++ * If create_event_filter() fails, filter still needs to be freed.
++ * Which the calling code will do with data->filter.
++ */
+ assign:
+ tmp = rcu_access_pointer(data->filter);
+
--- /dev/null
+From 2840f84f74035e5a535959d5f17269c69fa6edc5 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Mon, 10 Dec 2018 23:58:01 -0500
+Subject: tracing: Fix memory leak of instance function hash filters
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 2840f84f74035e5a535959d5f17269c69fa6edc5 upstream.
+
+The following commands will cause a memory leak:
+
+ # cd /sys/kernel/tracing
+ # mkdir instances/foo
+ # echo schedule > instance/foo/set_ftrace_filter
+ # rmdir instances/foo
+
+The reason is that the hashes that hold the filters to set_ftrace_filter and
+set_ftrace_notrace are not freed if they contain any data on the instance
+and the instance is removed.
+
+Found by kmemleak detector.
+
+Cc: stable@vger.kernel.org
+Fixes: 591dffdade9f ("ftrace: Allow for function tracing instance to filter functions")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -5460,6 +5460,7 @@ void ftrace_destroy_filter_files(struct
+ if (ops->flags & FTRACE_OPS_FL_ENABLED)
+ ftrace_shutdown(ops, 0);
+ ops->flags |= FTRACE_OPS_FL_DELETED;
++ ftrace_free_filter(ops);
+ mutex_unlock(&ftrace_lock);
+ }
+
--- /dev/null
+From 01e881f5a1fca4677e82733061868c6d6ea05ca7 Mon Sep 17 00:00:00 2001
+From: Andrea Arcangeli <aarcange@redhat.com>
+Date: Fri, 14 Dec 2018 14:17:17 -0800
+Subject: userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered
+
+From: Andrea Arcangeli <aarcange@redhat.com>
+
+commit 01e881f5a1fca4677e82733061868c6d6ea05ca7 upstream.
+
+Calling UFFDIO_UNREGISTER on virtual ranges not yet registered in uffd
+could trigger an harmless false positive WARN_ON. Check the vma is
+already registered before checking VM_MAYWRITE to shut off the false
+positive warning.
+
+Link: http://lkml.kernel.org/r/20181206212028.18726-2-aarcange@redhat.com
+Cc: <stable@vger.kernel.org>
+Fixes: 29ec90660d68 ("userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas")
+Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
+Reported-by: syzbot+06c7092e7d71218a2c16@syzkaller.appspotmail.com
+Acked-by: Mike Rapoport <rppt@linux.ibm.com>
+Acked-by: Hugh Dickins <hughd@google.com>
+Acked-by: Peter Xu <peterx@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/userfaultfd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -1566,7 +1566,6 @@ static int userfaultfd_unregister(struct
+ cond_resched();
+
+ BUG_ON(!vma_can_userfault(vma));
+- WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
+
+ /*
+ * Nothing to do: this vma is already registered into this
+@@ -1575,6 +1574,8 @@ static int userfaultfd_unregister(struct
+ if (!vma->vm_userfaultfd_ctx.ctx)
+ goto skip;
+
++ WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
++
+ if (vma->vm_start > start)
+ start = vma->vm_start;
+ vma_end = min(end, vma->vm_end);
projects / thirdparty / kernel / stable-queue.git / commitdiff
