
Commit b434e4bc authored by Ivaylo Georgiev

Merge android-4.19-q.84 (314ab78f) into msm-4.19



* refs/heads/tmp-314ab78f:
  Linux 4.19.84
  kvm: x86: mmu: Recovery of shattered NX large pages
  kvm: Add helper function for creating VM worker threads
  kvm: mmu: ITLB_MULTIHIT mitigation
  KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active
  KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
  KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
  KVM: x86: remove now unneeded hugepage gfn adjustment
  KVM: x86: make FNAME(fetch) and __direct_map more similar
  kvm: mmu: Do not release the page inside mmu_set_spte()
  kvm: Convert kvm_lock to a mutex
  kvm: x86, powerpc: do not allow clearing largepages debugfs entry
  Documentation: Add ITLB_MULTIHIT documentation
  cpu/speculation: Uninline and export CPU mitigations helpers
  x86/cpu: Add Tremont to the cpu vulnerability whitelist
  x86/bugs: Add ITLB_MULTIHIT bug infrastructure
  x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs
  x86/tsx: Add config options to set tsx=on|off|auto
  x86/speculation/taa: Add documentation for TSX Async Abort
  x86/tsx: Add "auto" option to the tsx= cmdline parameter
  kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
  x86/speculation/taa: Add sysfs reporting for TSX Async Abort
  x86/speculation/taa: Add mitigation for TSX Async Abort
  x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
  x86/cpu: Add a helper function x86_read_arch_cap_msr()
  x86/msr: Add the IA32_TSX_CTRL MSR
  KVM: x86: use Intel speculation bugs and features as derived in generic x86 code
  drm/i915/cmdparser: Fix jump whitelist clearing
  drm/i915/gen8+: Add RC6 CTX corruption WA
  drm/i915: Lower RM timeout to avoid DSI hard hangs
  drm/i915/cmdparser: Ignore Length operands during command matching
  drm/i915/cmdparser: Add support for backward jumps
  drm/i915/cmdparser: Use explicit goto for error paths
  drm/i915: Add gen9 BCS cmdparsing
  drm/i915: Allow parsing of unsized batches
  drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
  drm/i915: Add support for mandatory cmdparsing
  drm/i915: Remove Master tables from cmdparser
  drm/i915: Disable Secure Batches for gen6+
  drm/i915: Rename gen7 cmdparser tables
  vsock/virtio: fix sock refcnt holding during the shutdown
  iio: imu: mpu6050: Fix FIFO layout for ICM20602
  net: prevent load/store tearing on sk->sk_stamp
  netfilter: ipset: Copy the right MAC address in hash:ip,mac IPv6 sets
  usbip: Fix free of unallocated memory in vhci tx
  cgroup,writeback: don't switch wbs immediately on dead wbs if the memcg is dead
  mm/filemap.c: don't initiate writeback if mapping has no dirty pages
  iio: imu: inv_mpu6050: fix no data on MPU6050
  iio: imu: mpu6050: Add support for the ICM 20602 IMU
  blkcg: make blkcg_print_stat() print stats only for online blkgs
  pinctrl: cherryview: Fix irq_valid_mask calculation
  ocfs2: protect extent tree in ocfs2_prepare_inode_for_write()
  pinctrl: intel: Avoid potential glitches if pin is in GPIO mode
  e1000: fix memory leaks
  igb: Fix constant media auto sense switching when no cable is connected
  net: ethernet: arc: add the missed clk_disable_unprepare
  NFSv4: Don't allow a cached open with a revoked delegation
  usb: dwc3: gadget: fix race when disabling ep with cancelled xfers
  hv_netvsc: Fix error handling in netvsc_attach()
  drm/amd/display: Passive DP->HDMI dongle detection fix
  drm/amdgpu: If amdgpu_ib_schedule fails return back the error.
  iommu/amd: Apply the same IVRS IOAPIC workaround to Acer Aspire A315-41
  net: mscc: ocelot: refuse to overwrite the port's native vlan
  net: mscc: ocelot: fix vlan_filtering when enslaving to bridge before link is up
  net: hisilicon: Fix "Trying to free already-free IRQ"
  fjes: Handle workqueue allocation failure
  nvme-multipath: fix possible io hang after ctrl reconnect
  scsi: qla2xxx: stop timer in shutdown path
  RDMA/hns: Prevent memory leaks of eq->buf_list
  RDMA/iw_cxgb4: Avoid freeing skb twice in arp failure case
  usbip: tools: Fix read_usb_vudc_device() error path handling
  USB: ldusb: use unsigned size format specifiers
  USB: Skip endpoints with 0 maxpacket length
  perf/x86/uncore: Fix event group support
  perf/x86/amd/ibs: Handle erratum #420 only on the affected CPU family (10h)
  perf/x86/amd/ibs: Fix reading of the IBS OpData register and thus precise RIP validity
  usb: dwc3: remove the call trace of USBx_GFLADJ
  usb: gadget: configfs: fix concurrent issue between composite APIs
  usb: dwc3: pci: prevent memory leak in dwc3_pci_probe
  usb: gadget: composite: Fix possible double free memory bug
  usb: gadget: udc: atmel: Fix interrupt storm in FIFO mode.
  usb: fsl: Check memory resource before releasing it
  macsec: fix refcnt leak in module exit routine
  bonding: fix unexpected IFF_BONDING bit unset
  ipvs: move old_secure_tcp into struct netns_ipvs
  ipvs: don't ignore errors in case refcounting ip_vs module fails
  netfilter: nf_flow_table: set timeout before insertion into hashes
  scsi: qla2xxx: Initialized mailbox to prevent driver load failure
  scsi: lpfc: Honor module parameter lpfc_use_adisc
  net: openvswitch: free vport unless register_netdevice() succeeds
  RDMA/uverbs: Prevent potential underflow
  scsi: qla2xxx: fixup incorrect usage of host_byte
  net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq
  net/mlx5e: TX, Fix consumer index of error cqe dump
  RDMA/qedr: Fix reported firmware version
  iw_cxgb4: fix ECN check on the passive accept
  RDMA/mlx5: Clear old rate limit when closing QP
  HID: intel-ish-hid: fix wrong error handling in ishtp_cl_alloc_tx_ring()
  dmaengine: sprd: Fix the possible memory leak issue
  dmaengine: xilinx_dma: Fix control reg update in vdma_channel_set_config
  HID: google: add magnemite/masterball USB ids
  PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30
  usbip: Implement SG support to vhci-hcd and stub driver
  usbip: Fix vhci_urb_enqueue() URB null transfer buffer error path
  sched/fair: Fix -Wunused-but-set-variable warnings
  sched/fair: Fix low cpu usage with high throttling by removing expiration of cpu-local slices
  ALSA: usb-audio: Fix copy&paste error in the validator
  ALSA: usb-audio: remove some dead code
  ALSA: usb-audio: Fix possible NULL dereference at create_yamaha_midi_quirk()
  ALSA: usb-audio: Clean up check_input_term()
  ALSA: usb-audio: Remove superfluous bLength checks
  ALSA: usb-audio: Unify the release of usb_mixer_elem_info objects
  ALSA: usb-audio: Simplify parse_audio_unit()
  ALSA: usb-audio: More validations of descriptor units
  configfs: fix a deadlock in configfs_symlink()
  configfs: provide exclusion between IO and removals
  configfs: new object reprsenting tree fragments
  configfs_register_group() shouldn't be (and isn't) called in rmdirable parts
  configfs: stash the data we need into configfs_buffer at open time
  can: peak_usb: fix slab info leak
  can: mcba_usb: fix use-after-free on disconnect
  can: dev: add missing of_node_put() after calling of_get_child_by_name()
  can: gs_usb: gs_can_open(): prevent memory leak
  can: rx-offload: can_rx_offload_queue_sorted(): fix error handling, avoid skb mem leak
  can: peak_usb: fix a potential out-of-sync while decoding packets
  can: c_can: c_can_poll(): only read status register after status IRQ
  can: flexcan: disable completely the ECC mechanism
  can: usb_8dev: fix use-after-free on disconnect
  SMB3: Fix persistent handles reconnect
  x86/apic/32: Avoid bogus LDR warnings
  intel_th: pci: Add Jasper Lake PCH support
  intel_th: pci: Add Comet Lake PCH support
  netfilter: ipset: Fix an error code in ip_set_sockfn_get()
  netfilter: nf_tables: Align nft_expr private data to 64-bit
  ARM: sunxi: Fix CPU powerdown on A83T
  iio: srf04: fix wrong limitation in distance measuring
  iio: imu: adis16480: make sure provided frequency is positive
  iio: adc: stm32-adc: fix stopping dma
  ceph: add missing check in d_revalidate snapdir handling
  ceph: fix use-after-free in __ceph_remove_cap()
  arm64: Do not mask out PTE_RDONLY in pte_same()
  soundwire: bus: set initial value to port_status
  soundwire: depend on ACPI
  HID: wacom: generic: Treat serial number and related fields as unsigned
  drm/radeon: fix si_enable_smc_cac() failed issue
  perf tools: Fix time sorting
  tools: gpio: Use !building_out_of_srctree to determine srctree
  dump_stack: avoid the livelock of the dump_lock
  mm, vmstat: hide /proc/pagetypeinfo from normal users
  mm: thp: handle page cache THP correctly in PageTransCompoundMap
  mm, meminit: recalculate pcpu batch and high limits after init completes
  mm: memcontrol: fix network errors from failing __GFP_ATOMIC charges
  ALSA: hda/ca0132 - Fix possible workqueue stall
  ALSA: bebob: fix to detect configured source of sampling clock for Focusrite Saffire Pro i/o series
  ALSA: timer: Fix incorrectly assigned timer instance
  net: hns: Fix the stray netpoll locks causing deadlock in NAPI path
  ipv6: fixes rt6_probe() and fib6_nh->last_probe init
  net: mscc: ocelot: fix NULL pointer on LAG slave removal
  net: mscc: ocelot: don't handle netdev events for other netdevs
  qede: fix NULL pointer deref in __qede_remove()
  NFC: st21nfca: fix double free
  nfc: netlink: fix double device reference drop
  NFC: fdp: fix incorrect free object
  net: usb: qmi_wwan: add support for DW5821e with eSIM support
  net: qualcomm: rmnet: Fix potential UAF when unregistering
  net: fix data-race in neigh_event_send()
  net: ethernet: octeon_mgmt: Account for second possible VLAN header
  ipv4: Fix table id reference in fib_sync_down_addr
  CDC-NCM: handle incomplete transfer of MTU
  bonding: fix state transition issue in link monitoring
  Linux 4.19.83
  usb: gadget: udc: core: Fix segfault if udc_bind_to_driver() for pending driver fails
  arm64: dts: ti: k3-am65-main: Fix gic-its node unit-address
  ASoC: pcm3168a: The codec does not support S32_LE
  selftests/powerpc: Fix compile error on tlbie_test due to newer gcc
  selftests/powerpc: Add test case for tlbie vs mtpidr ordering issue
  powerpc/mm: Fixup tlbie vs mtpidr/mtlpidr ordering issue on POWER9
  platform/x86: pmc_atom: Add Siemens SIMATIC IPC227E to critclk_systems DMI table
  wireless: Skip directory when generating certificates
  net/flow_dissector: switch to siphash
  r8152: add device id for Lenovo ThinkPad USB-C Dock Gen 2
  net: dsa: fix switch tree list
  net: usb: lan78xx: Connect PHY before registering MAC
  net: bcmgenet: reset 40nm EPHY on energy detect
  net: phy: bcm7xxx: define soft_reset for 40nm EPHY
  net: bcmgenet: don't set phydev->link from MAC
  net: dsa: b53: Do not clear existing mirrored port mask
  net/mlx5e: Fix ethtool self test: link speed
  r8169: fix wrong PHY ID issue with RTL8168dp
  net/mlx5e: Fix handling of compressed CQEs in case of low NAPI budget
  selftests: fib_tests: add more tests for metric update
  ipv4: fix route update on metric change.
  net: add READ_ONCE() annotation in __skb_wait_for_more_packets()
  net: use skb_queue_empty_lockless() in busy poll contexts
  net: use skb_queue_empty_lockless() in poll() handlers
  udp: use skb_queue_empty_lockless()
  net: add skb_queue_empty_lockless()
  vxlan: check tun_info options_len properly
  udp: fix data-race in udp_set_dev_scratch()
  selftests: net: reuseport_dualstack: fix uninitalized parameter
  net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol()
  net: usb: lan78xx: Disable interrupts before calling generic_handle_irq()
  netns: fix GFP flags in rtnl_net_notifyid()
  net/mlx4_core: Dynamically set guaranteed amount of counters per VF
  net: hisilicon: Fix ping latency when deal with high throughput
  net: fix sk_page_frag() recursion from memory reclaim
  net: ethernet: ftgmac100: Fix DMA coherency issue with SW checksum
  net: dsa: bcm_sf2: Fix IMP setup for port different than 8
  net: annotate lockless accesses to sk->sk_napi_id
  net: annotate accesses to sk->sk_incoming_cpu
  inet: stop leaking jiffies on the wire
  erspan: fix the tun_info options_len check for erspan
  dccp: do not leak jiffies on the wire
  cxgb4: fix panic when attaching to ULD fail
  nbd: handle racing with error'ed out commands
  nbd: protect cmd->status with cmd->lock
  cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs
  i2c: stm32f7: remove warning when compiling with W=1
  i2c: stm32f7: fix a race in slave mode with arbitration loss irq
  i2c: stm32f7: fix first byte to send in slave mode
  irqchip/gic-v3-its: Use the exact ITSList for VMOVP
  MIPS: bmips: mark exception vectors as char arrays
  of: unittest: fix memory leak in unittest_data_add
  ARM: 8926/1: v7m: remove register save to stack before svc
  tracing: Fix "gfp_t" format for synthetic events
  scsi: target: core: Do not overwrite CDB byte 1
  drm/amdgpu: fix potential VM faults
  ARM: davinci: dm365: Fix McBSP dma_slave_map entry
  perf kmem: Fix memory leak in compact_gfp_flags()
  8250-men-mcb: fix error checking when get_num_ports returns -ENODEV
  perf c2c: Fix memory leak in build_cl_output()
  ARM: dts: imx7s: Correct GPT's ipg clock source
  scsi: fix kconfig dependency warning related to 53C700_LE_ON_BE
  scsi: sni_53c710: fix compilation error
  scsi: scsi_dh_alua: handle RTPG sense code correctly during state transitions
  scsi: qla2xxx: fix a potential NULL pointer dereference
  ARM: mm: fix alignment handler faults under memory pressure
  pinctrl: ns2: Fix off by one bugs in ns2_pinmux_enable()
  ARM: dts: logicpd-torpedo-som: Remove twl_keypad
  ASoc: rockchip: i2s: Fix RPM imbalance
  ASoC: wm_adsp: Don't generate kcontrols without READ flags
  regulator: pfuze100-regulator: Variable "val" in pfuze100_regulator_probe() could be uninitialized
  ASoC: rt5682: add NULL handler to set_jack function
  regulator: ti-abb: Fix timeout in ti_abb_wait_txdone/ti_abb_clear_all_txdone
  arm64: dts: Fix gpio to pinmux mapping
  arm64: dts: allwinner: a64: sopine-baseboard: Add PHY regulator delay
  arm64: dts: allwinner: a64: pine64-plus: Add PHY regulator delay
  ASoC: wm8994: Do not register inapplicable controls for WM1811
  regulator: of: fix suspend-min/max-voltage parsing
  kbuild: add -fcf-protection=none when using retpoline flags
  Linux 4.19.82
  Revert "ALSA: hda: Flush interrupts on disabling"
  powerpc/powernv: Fix CPU idle to be called with IRQs disabled
  ALSA: usb-audio: Add DSD support for Gustard U16/X26 USB Interface
  ALSA: usb-audio: Update DSD support quirks for Oppo and Rotel
  ALSA: usb-audio: DSD auto-detection for Playback Designs
  ALSA: timer: Fix mutex deadlock at releasing card
  ALSA: timer: Simplify error path in snd_timer_open()
  sch_netem: fix rcu splat in netem_enqueue()
  net: usb: sr9800: fix uninitialized local variable
  bonding: fix potential NULL deref in bond_update_slave_arr
  NFC: pn533: fix use-after-free and memleaks
  rxrpc: Fix trace-after-put looking at the put peer record
  rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record
  rxrpc: Fix call ref leak
  llc: fix sk_buff leak in llc_conn_service()
  llc: fix sk_buff leak in llc_sap_state_process()
  batman-adv: Avoid free/alloc race when handling OGM buffer
  NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid()
  drm/amdgpu/powerplay/vega10: allow undervolting in p7
  dmaengine: cppi41: Fix cppi41_dma_prep_slave_sg() when idle
  dmaengine: qcom: bam_dma: Fix resource leak
  rtlwifi: Fix potential overflow on P2P code
  arm64: Ensure VM_WRITE|VM_SHARED ptes are clean by default
  s390/idle: fix cpu idle time calculation
  s390/cmm: fix information leak in cmm_timeout_handler()
  nl80211: fix validation of mesh path nexthop
  HID: fix error message in hid_open_report()
  HID: Fix assumption that devices have inputs
  HID: i2c-hid: add Trekstor Primebook C11B to descriptor override
  scsi: target: cxgbit: Fix cxgbit_fw4_ack()
  USB: serial: whiteheat: fix line-speed endianness
  USB: serial: whiteheat: fix potential slab corruption
  usb: xhci: fix __le32/__le64 accessors in debugfs code
  USB: ldusb: fix control-message timeout
  USB: ldusb: fix ring-buffer locking
  usb-storage: Revert commit 747668dbc061 ("usb-storage: Set virt_boundary_mask to avoid SG overflows")
  USB: gadget: Reject endpoints with 0 maxpacket value
  UAS: Revert commit 3ae62a42090f ("UAS: fix alignment of scatter/gather segments")
  ALSA: hda/realtek - Add support for ALC623
  ALSA: hda/realtek - Fix 2 front mics of codec 0x623
  ALSA: bebob: Fix prototype of helper function to return negative value
  fuse: truncate pending writes on O_TRUNC
  fuse: flush dirty data/metadata before non-truncate setattr
  ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe()
  thunderbolt: Use 32-bit writes when writing ring producer/consumer
  USB: legousbtower: fix a signedness bug in tower_probe()
  nbd: verify socket is supported during setup
  iwlwifi: exclude GEO SAR support for 3168
  ALSA: hda/realtek: Reduce the Headphone static noise on XPS 9350/9360
  ARM: 8914/1: NOMMU: Fix exc_ret for XIP
  tracing: Initialize iter->seq after zeroing in tracing_read_pipe()
  s390/uaccess: avoid (false positive) compiler warnings
  NFSv4: Fix leak of clp->cl_acceptor string
  nbd: fix possible sysfs duplicate warning
  virt: vbox: fix memory leak in hgcm_call_preprocess_linaddr
  MIPS: fw: sni: Fix out of bounds init of o32 stack
  MIPS: include: Mark __xchg as __always_inline
  iio: imu: adis16400: release allocated memory on failure
  drm/amdgpu: fix memory leak
  perf/x86/amd: Change/fix NMI latency mitigation to use a timestamp
  sched/vtime: Fix guest/system mis-accounting on task switch
  x86/cpu: Add Comet Lake to the Intel CPU models header
  arm64: armv8_deprecated: Checking return value for memory allocation
  fs: ocfs2: fix a possible null-pointer dereference in ocfs2_info_scan_inode_alloc()
  fs: ocfs2: fix a possible null-pointer dereference in ocfs2_write_end_nolock()
  fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()
  ocfs2: clear zero in unaligned direct IO
  x86/xen: Return from panic notifier
  MIPS: include: Mark __cmpxchg as __always_inline
  efi/x86: Do not clean dummy variable in kexec path
  efi/cper: Fix endianness of PCIe class code
  serial: mctrl_gpio: Check for NULL pointer
  fs: cifs: mute -Wunused-const-variable message
  gpio: max77620: Use correct unit for debounce times
  tty: n_hdlc: fix build on SPARC
  tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()'
  arm64: ftrace: Ensure synchronisation in PLT setup for Neoverse-N1 #1542419
  nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request
  HID: hyperv: Use in-place iterator API in the channel callback
  RDMA/iwcm: Fix a lock inversion issue
  RDMA/hfi1: Prevent memory leak in sdma_init
  staging: rtl8188eu: fix null dereference when kzalloc fails
  perf annotate: Return appropriate error code for allocation failures
  perf annotate: Propagate the symbol__annotate() error return
  perf annotate: Fix the signedness of failure returns
  perf annotate: Propagate perf_env__arch() error
  perf tools: Propagate get_cpuid() error
  perf jevents: Fix period for Intel fixed counters
  perf script brstackinsn: Fix recovery from LBR/binary mismatch
  perf map: Fix overlapped map handling
  perf tests: Avoid raising SEGV using an obvious NULL dereference
  libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature
  iio: fix center temperature of bmc150-accel-core
  iio: adc: meson_saradc: Fix memory allocation order
  power: supply: max14656: fix potential use-after-free
  drm/amd/display: fix odm combine pipe reset
  PCI/PME: Fix possible use-after-free on remove
  net: dsa: mv88e6xxx: Release lock while requesting IRQ
  exec: load_script: Do not exec truncated interpreter path
  ext4: disallow files with EXT4_JOURNAL_DATA_FL from EXT4_IOC_SWAP_BOOT
  media: vimc: Remove unused but set variables
  ALSA: hda/realtek - Apply ALC294 hp init also for S4 resume
  cifs: add credits from unmatched responses/messages
  CIFS: Respect SMB2 hdr preamble size in read responses
  scsi: lpfc: Correct localport timeout duration error
  mlxsw: spectrum: Set LAG port collector only when active
  arm64: kpti: Whitelist HiSilicon Taishan v110 CPUs
  arm64: Add MIDR encoding for HiSilicon Taishan CPUs
  rtc: pcf8523: set xtal load capacitance from DT
  usb: handle warm-reset port requests on hub resume
  ALSA: usb-audio: Cleanup DSD whitelist
  usb: dwc3: gadget: clear DWC3_EP_TRANSFER_STARTED on cmd complete
  usb: dwc3: gadget: early giveback if End Transfer already completed
  samples: bpf: fix: seg fault with NULL pointer arg
  HID: steam: fix deadlock with input devices.
  HID: steam: fix boot loop with bluetooth firmware
  NFSv4: Ensure that the state manager exits the loop on SIGKILL
  HID: Add ASUS T100CHI keyboard dock battery quirks
  staging: mt7621-pinctrl: use pinconf-generic for 'dt_node_to_map' and 'dt_free_map'
  scripts/setlocalversion: Improve -dirty check with git-status --no-optional-locks
  clk: boston: unregister clks on failure in clk_boston_setup()
  ath10k: assign 'n_cipher_suites = 11' for WCN3990 to enable WPA3
  platform/x86: Fix config space access for intel_atomisp2_pm
  platform/x86: Add the VLV ISP PCI ID to atomisp2_pm
  HID: i2c-hid: Add Odys Winbook 13 to descriptor override
  HID: i2c-hid: Ignore input report if there's no data present on Elan touchpanels
  HID: i2c-hid: Disable runtime PM for LG touchscreen
  netfilter: ipset: Make invalid MAC address checks consistent
  Btrfs: fix deadlock on tree root leaf when finding free extent
  PCI: Fix Switchtec DMA aliasing quirk dmesg noise
  bcache: fix input overflow to writeback_rate_minimum
  drm/msm/dpu: handle failures while initializing displays
  x86/cpu: Add Atom Tremont (Jacobsville)
  tools/power turbostat: fix goldmont C-state limit decoding
  usb: dwc2: fix unbalanced use of external vbus-supply
  HID: i2c-hid: add Direkt-Tek DTLAPY133-1 to descriptor override
  f2fs: fix to recover inode->i_flags of inode block during POR
  f2fs: fix to recover inode's i_gc_failures during POR
  powerpc/powernv: hold device_hotplug_lock when calling memtrace_offline_pages()
  sc16is7xx: Fix for "Unexpected interrupt: 8"
  scsi: lpfc: Fix a duplicate 0711 log message number.
  f2fs: flush quota blocks after turnning it off
  wil6210: fix freeing of rx buffers in EDMA mode
  btrfs: tracepoints: Fix wrong parameter order for qgroup events
  btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents()
  Btrfs: fix memory leak due to concurrent append writes with fiemap
  Btrfs: fix inode cache block reserve leak on failure to allocate data space
  dm snapshot: rework COW throttling to fix deadlock
  dm snapshot: introduce account_start_copy() and account_end_copy()
  zram: fix race between backing_dev_show and backing_dev_store

Conflicts:
	arch/arm64/include/asm/cputype.h
	drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
	drivers/net/wireless/ath/wil6210/txrx_edma.c
	drivers/usb/dwc3/gadget.c
	include/linux/cpu.h
	kernel/cpu.c

Following USB commits were reverted on importing android-4.19.57
into msm-4.19 due to BootTimeRunner failure. android-4.19-q.82
introduced new usb changes [1] that fixed the regression, hence it
is safe to restore the reverts. It is done in this merge.

  9c423fd8("usb: dwc3: Reset num_trbs after skipping")
  385cacd9("usb: dwc3: gadget: Clear req->needs_extra_trb flag on cleanup")
  6edcdd0e("usb: dwc3: gadget: remove wait_end_transfer")
  d7ff2e3f("usb: dwc3: gadget: move requests to cancelled_list")
  bba5f987("usb: dwc3: gadget: introduce cancelled_list")
  65e1f340("usb: dwc3: gadget: extract dwc3_gadget_ep_skip_trbs()")
  56092bd5("usb: dwc3: gadget: use num_trbs when skipping TRBs on->dequeue()")
  2a2b1c4d("usb: dwc3: gadget: track number of TRBs per request")
  420b1237("usb: dwc3: gadget: combine unaligned and zero flags")
  62805d31("Revert "usb: dwc3: gadget: Clear req->needs_extra_trb flag on cleanup"")

[1]
  a0608eec("usb: dwc3: gadget: clear DWC3_EP_TRANSFER_STARTED on cmd complete")
  d0e8b35e("usb: dwc3: gadget: early giveback if End Transfer already completed")

Change-Id: I77c3490d2c1cf7c8233a7e797c6f217f737621a2
Signed-off-by: Ivaylo Georgiev <irgeorgiev@codeaurora.org>
parents b27b7814 314ab78f
+2 −0
@@ -478,6 +478,8 @@ What: /sys/devices/system/cpu/vulnerabilities
		/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
		/sys/devices/system/cpu/vulnerabilities/l1tf
		/sys/devices/system/cpu/vulnerabilities/mds
		/sys/devices/system/cpu/vulnerabilities/tsx_async_abort
		/sys/devices/system/cpu/vulnerabilities/itlb_multihit
Date:		January 2018
Contact:	Linux kernel mailing list <linux-kernel@vger.kernel.org>
Description:	Information about CPU vulnerabilities
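Review bot: The "Date: January 2018" field of this What: block is left unchanged while tsx_async_abort and itlb_multihit are appended to the list of files, so the entry gives no indication of when these two files became available. Suggest stating in the Description which release introduced each file, or at least that older kernels do not provide them, so that tooling reading this directory treats a missing file as "unknown" rather than as "Not affected".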
+2 −0
@@ -12,3 +12,5 @@ are configurable at compile, boot or run time.
   spectre
   l1tf
   mds
   tsx_async_abort
   multihit.rst
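Review bot: The last toctree entry, "multihit.rst", carries the file extension while every other entry in this list (spectre, l1tf, mds, tsx_async_abort) is written without one. Use "multihit" so the entry matches its siblings.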
+163 −0
iTLB multihit
=============

iTLB multihit is an erratum where some processors may incur a machine check
error, possibly resulting in an unrecoverable CPU lockup, when an
instruction fetch hits multiple entries in the instruction TLB. This can
occur when the page size is changed along with either the physical address
or cache type. A malicious guest running on a virtualized system can
exploit this erratum to perform a denial of service attack.


Affected processors
-------------------

Variations of this erratum are present on most Intel Core and Xeon processor
models. The erratum is not present on:

   - non-Intel processors

   - Some Atoms (Airmont, Bonnell, Goldmont, GoldmontPlus, Saltwell, Silvermont)

   - Intel processors that have the PSCHANGE_MC_NO bit set in the
     IA32_ARCH_CAPABILITIES MSR.


Related CVEs
------------

The following CVE entry is related to this issue:

   ==============  =================================================
   CVE-2018-12207  Machine Check Error Avoidance on Page Size Change
   ==============  =================================================


Problem
-------

Privileged software, including OS and virtual machine managers (VMM), are in
charge of memory management. A key component in memory management is the control
of the page tables. Modern processors use virtual memory, a technique that creates
the illusion of a very large memory for processors. This virtual space is split
into pages of a given size. Page tables translate virtual addresses to physical
addresses.

To reduce latency when performing a virtual to physical address translation,
processors include a structure, called TLB, that caches recent translations.
There are separate TLBs for instruction (iTLB) and data (dTLB).

Under this errata, instructions are fetched from a linear address translated
using a 4 KB translation cached in the iTLB. Privileged software modifies the
paging structure so that the same linear address using large page size (2 MB, 4
MB, 1 GB) with a different physical address or memory type.  After the page
structure modification but before the software invalidates any iTLB entries for
the linear address, a code fetch that happens on the same linear address may
cause a machine-check error which can result in a system hang or shutdown.


Attack scenarios
----------------

Attacks against the iTLB multihit erratum can be mounted from malicious
guests in a virtualized system.


iTLB multihit system information
--------------------------------

The Linux kernel provides a sysfs interface to enumerate the current iTLB
multihit status of the system:whether the system is vulnerable and which
mitigations are active. The relevant sysfs file is:

/sys/devices/system/cpu/vulnerabilities/itlb_multihit

The possible values in this file are:

.. list-table::

     * - Not affected
       - The processor is not vulnerable.
     * - KVM: Mitigation: Split huge pages
       - Software changes mitigate this issue.
     * - KVM: Vulnerable
       - The processor is vulnerable, but no mitigation enabled


Enumeration of the erratum
--------------------------------

A new bit has been allocated in the IA32_ARCH_CAPABILITIES (PSCHANGE_MC_NO) msr
and will be set on CPU's which are mitigated against this issue.

   =======================================   ===========   ===============================
   IA32_ARCH_CAPABILITIES MSR                Not present   Possibly vulnerable,check model
   IA32_ARCH_CAPABILITIES[PSCHANGE_MC_NO]    '0'           Likely vulnerable,check model
   IA32_ARCH_CAPABILITIES[PSCHANGE_MC_NO]    '1'           Not vulnerable
   =======================================   ===========   ===============================


Mitigation mechanism
-------------------------

This erratum can be mitigated by restricting the use of large page sizes to
non-executable pages.  This forces all iTLB entries to be 4K, and removes
the possibility of multiple hits.

In order to mitigate the vulnerability, KVM initially marks all huge pages
as non-executable. If the guest attempts to execute in one of those pages,
the page is broken down into 4K pages, which are then marked executable.

If EPT is disabled or not available on the host, KVM is in control of TLB
flushes and the problematic situation cannot happen.  However, the shadow
EPT paging mechanism used by nested virtualization is vulnerable, because
the nested guest can trigger multiple iTLB hits by modifying its own
(non-nested) page tables.  For simplicity, KVM will make large pages
non-executable in all shadow paging modes.

Mitigation control on the kernel command line and KVM - module parameter
------------------------------------------------------------------------

The KVM hypervisor mitigation mechanism for marking huge pages as
non-executable can be controlled with a module parameter "nx_huge_pages=".
The kernel command line allows to control the iTLB multihit mitigations at
boot time with the option "kvm.nx_huge_pages=".

The valid arguments for these options are:

  ==========  ================================================================
  force       Mitigation is enabled. In this case, the mitigation implements
              non-executable huge pages in Linux kernel KVM module. All huge
              pages in the EPT are marked as non-executable.
              If a guest attempts to execute in one of those pages, the page is
              broken down into 4K pages, which are then marked executable.

  off	      Mitigation is disabled.

  auto        Enable mitigation only if the platform is affected and the kernel
              was not booted with the "mitigations=off" command line parameter.
	      This is the default option.
  ==========  ================================================================


Mitigation selection guide
--------------------------

1. No virtualization in use
^^^^^^^^^^^^^^^^^^^^^^^^^^^

   The system is protected by the kernel unconditionally and no further
   action is required.

2. Virtualization with trusted guests
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

   If the guest comes from a trusted source, you may assume that the guest will
   not attempt to maliciously exploit these errata and no further action is
   required.

3. Virtualization with untrusted guests
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   If the guest comes from an untrusted source, the guest host kernel will need
   to apply iTLB multihit mitigation via the kernel command line or kvm
   module parameter.
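Review bot: Section 3 of the "Mitigation selection guide" says "the guest host kernel will need to apply iTLB multihit mitigation via the kernel command line or kvm module parameter", which is ambiguous about where the setting goes and reads as if manual action is always required, although the options table above it states that "auto" is the default and enables the mitigation on affected platforms unless "mitigations=off" was given. Suggest "the host kernel" and a sentence telling the administrator to confirm that /sys/devices/system/cpu/vulnerabilities/itlb_multihit reports "KVM: Mitigation: Split huge pages", setting nx_huge_pages=force only where it does not. Separately, in "Problem" the sentence "Privileged software modifies the paging structure so that the same linear address using large page size ..." is missing its verb (for example "is mapped using"), and "system:whether" in the sysfs section needs a space after the colon.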
+276 −0
.. SPDX-License-Identifier: GPL-2.0

TAA - TSX Asynchronous Abort
======================================

TAA is a hardware vulnerability that allows unprivileged speculative access to
data which is available in various CPU internal buffers by using asynchronous
aborts within an Intel TSX transactional region.

Affected processors
-------------------

This vulnerability only affects Intel processors that support Intel
Transactional Synchronization Extensions (TSX) when the TAA_NO bit (bit 8)
is 0 in the IA32_ARCH_CAPABILITIES MSR.  On processors where the MDS_NO bit
(bit 5) is 0 in the IA32_ARCH_CAPABILITIES MSR, the existing MDS mitigations
also mitigate against TAA.

Whether a processor is affected or not can be read out from the TAA
vulnerability file in sysfs. See :ref:`tsx_async_abort_sys_info`.

Related CVEs
------------

The following CVE entry is related to this TAA issue:

   ==============  =====  ===================================================
   CVE-2019-11135  TAA    TSX Asynchronous Abort (TAA) condition on some
                          microprocessors utilizing speculative execution may
                          allow an authenticated user to potentially enable
                          information disclosure via a side channel with
                          local access.
   ==============  =====  ===================================================

Problem
-------

When performing store, load or L1 refill operations, processors write
data into temporary microarchitectural structures (buffers). The data in
those buffers can be forwarded to load operations as an optimization.

Intel TSX is an extension to the x86 instruction set architecture that adds
hardware transactional memory support to improve performance of multi-threaded
software. TSX lets the processor expose and exploit concurrency hidden in an
application due to dynamically avoiding unnecessary synchronization.

TSX supports atomic memory transactions that are either committed (success) or
aborted. During an abort, operations that happened within the transactional region
are rolled back. An asynchronous abort takes place, among other options, when a
different thread accesses a cache line that is also used within the transactional
region when that access might lead to a data race.

Immediately after an uncompleted asynchronous abort, certain speculatively
executed loads may read data from those internal buffers and pass it to dependent
operations. This can be then used to infer the value via a cache side channel
attack.

Because the buffers are potentially shared between Hyper-Threads cross
Hyper-Thread attacks are possible.

The victim of a malicious actor does not need to make use of TSX. Only the
attacker needs to begin a TSX transaction and raise an asynchronous abort
which in turn potenitally leaks data stored in the buffers.

More detailed technical information is available in the TAA specific x86
architecture section: :ref:`Documentation/x86/tsx_async_abort.rst <tsx_async_abort>`.


Attack scenarios
----------------

Attacks against the TAA vulnerability can be implemented from unprivileged
applications running on hosts or guests.

As for MDS, the attacker has no control over the memory addresses that can
be leaked. Only the victim is responsible for bringing data to the CPU. As
a result, the malicious actor has to sample as much data as possible and
then postprocess it to try to infer any useful information from it.

A potential attacker only has read access to the data. Also, there is no direct
privilege escalation by using this technique.


.. _tsx_async_abort_sys_info:

TAA system information
-----------------------

The Linux kernel provides a sysfs interface to enumerate the current TAA status
of mitigated systems. The relevant sysfs file is:

/sys/devices/system/cpu/vulnerabilities/tsx_async_abort

The possible values in this file are:

.. list-table::

   * - 'Vulnerable'
     - The CPU is affected by this vulnerability and the microcode and kernel mitigation are not applied.
   * - 'Vulnerable: Clear CPU buffers attempted, no microcode'
     - The system tries to clear the buffers but the microcode might not support the operation.
   * - 'Mitigation: Clear CPU buffers'
     - The microcode has been updated to clear the buffers. TSX is still enabled.
   * - 'Mitigation: TSX disabled'
     - TSX is disabled.
   * - 'Not affected'
     - The CPU is not affected by this issue.

.. _ucode_needed:

Best effort mitigation mode
^^^^^^^^^^^^^^^^^^^^^^^^^^^

If the processor is vulnerable, but the availability of the microcode-based
mitigation mechanism is not advertised via CPUID the kernel selects a best
effort mitigation mode.  This mode invokes the mitigation instructions
without a guarantee that they clear the CPU buffers.

This is done to address virtualization scenarios where the host has the
microcode update applied, but the hypervisor is not yet updated to expose the
CPUID to the guest. If the host has updated microcode the protection takes
effect; otherwise a few CPU cycles are wasted pointlessly.

The state in the tsx_async_abort sysfs file reflects this situation
accordingly.


Mitigation mechanism
--------------------

The kernel detects the affected CPUs and the presence of the microcode which is
required. If a CPU is affected and the microcode is available, then the kernel
enables the mitigation by default.


The mitigation can be controlled at boot time via a kernel command line option.
See :ref:`taa_mitigation_control_command_line`.

.. _virt_mechanism:

Virtualization mitigation
^^^^^^^^^^^^^^^^^^^^^^^^^

Affected systems where the host has TAA microcode and TAA is mitigated by
having disabled TSX previously, are not vulnerable regardless of the status
of the VMs.

In all other cases, if the host either does not have the TAA microcode or
the kernel is not mitigated, the system might be vulnerable.


.. _taa_mitigation_control_command_line:

Mitigation control on the kernel command line
---------------------------------------------

The kernel command line allows to control the TAA mitigations at boot time with
the option "tsx_async_abort=". The valid arguments for this option are:

  ============  =============================================================
  off		This option disables the TAA mitigation on affected platforms.
                If the system has TSX enabled (see next parameter) and the CPU
                is affected, the system is vulnerable.

  full	        TAA mitigation is enabled. If TSX is enabled, on an affected
                system it will clear CPU buffers on ring transitions. On
                systems which are MDS-affected and deploy MDS mitigation,
                TAA is also mitigated. Specifying this option on those
                systems will have no effect.

  full,nosmt    The same as tsx_async_abort=full, with SMT disabled on
                vulnerable CPUs that have TSX enabled. This is the complete
                mitigation. When TSX is disabled, SMT is not disabled because
                CPU is not vulnerable to cross-thread TAA attacks.
  ============  =============================================================

Not specifying this option is equivalent to "tsx_async_abort=full".

The kernel command line also allows to control the TSX feature using the
parameter "tsx=" on CPUs which support TSX control. MSR_IA32_TSX_CTRL is used
to control the TSX feature and the enumeration of the TSX feature bits (RTM
and HLE) in CPUID.

The valid options are:

  ============  =============================================================
  off		Disables TSX on the system.

                Note that this option takes effect only on newer CPUs which are
                not vulnerable to MDS, i.e., have MSR_IA32_ARCH_CAPABILITIES.MDS_NO=1
                and which get the new IA32_TSX_CTRL MSR through a microcode
                update. This new MSR allows for the reliable deactivation of
                the TSX functionality.

  on		Enables TSX.

                Although there are mitigations for all known security
                vulnerabilities, TSX has been known to be an accelerator for
                several previous speculation-related CVEs, and so there may be
                unknown security risks associated with leaving it enabled.

  auto		Disables TSX if X86_BUG_TAA is present, otherwise enables TSX
                on the system.
  ============  =============================================================

Not specifying this option is equivalent to "tsx=off".

The following combinations of the "tsx_async_abort" and "tsx" are possible. For
affected platforms tsx=auto is equivalent to tsx=off and the result will be:

  =========  ==========================   =========================================
  tsx=on     tsx_async_abort=full         The system will use VERW to clear CPU
                                          buffers. Cross-thread attacks are still
					  possible on SMT machines.
  tsx=on     tsx_async_abort=full,nosmt   As above, cross-thread attacks on SMT
                                          mitigated.
  tsx=on     tsx_async_abort=off          The system is vulnerable.
  tsx=off    tsx_async_abort=full         TSX might be disabled if microcode
                                          provides a TSX control MSR. If so,
					  system is not vulnerable.
  tsx=off    tsx_async_abort=full,nosmt   Ditto
  tsx=off    tsx_async_abort=off          ditto
  =========  ==========================   =========================================


For unaffected platforms "tsx=on" and "tsx_async_abort=full" does not clear CPU
buffers.  For platforms without TSX control (MSR_IA32_ARCH_CAPABILITIES.MDS_NO=0)
"tsx" command line argument has no effect.

For the affected platforms below table indicates the mitigation status for the
combinations of CPUID bit MD_CLEAR and IA32_ARCH_CAPABILITIES MSR bits MDS_NO
and TSX_CTRL_MSR.

  =======  =========  =============  ========================================
  MDS_NO   MD_CLEAR   TSX_CTRL_MSR   Status
  =======  =========  =============  ========================================
    0          0            0        Vulnerable (needs microcode)
    0          1            0        MDS and TAA mitigated via VERW
    1          1            0        MDS fixed, TAA vulnerable if TSX enabled
                                     because MD_CLEAR has no meaning and
                                     VERW is not guaranteed to clear buffers
    1          X            1        MDS fixed, TAA can be mitigated by
                                     VERW or TSX_CTRL_MSR
  =======  =========  =============  ========================================

Mitigation selection guide
--------------------------

1. Trusted userspace and guests
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If all user space applications are from a trusted source and do not execute
untrusted code which is supplied externally, then the mitigation can be
disabled. The same applies to virtualized environments with trusted guests.


2. Untrusted userspace and guests
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If there are untrusted applications or guests on the system, enabling TSX
might allow a malicious actor to leak data from the host or from other
processes running on the same physical core.

If the microcode is available and the TSX is disabled on the host, attacks
are prevented in a virtualized environment as well, even if the VMs do not
explicitly enable the mitigation.


.. _taa_default_mitigations:

Default mitigations
-------------------

The kernel's default action for vulnerable processors is:

  - Deploy TSX disable mitigation (tsx_async_abort=full tsx=off).
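
Review bot: In the "tsx"/"tsx_async_abort" combination table, the "tsx=off tsx_async_abort=off" row says only "ditto", so it inherits "TSX might be disabled if microcode provides a TSX control MSR. If so, system is not vulnerable" and never states the other branch. The paragraph after the table says "tsx" has no effect on platforms without TSX control, and the "off" argument description says an affected system with TSX enabled is vulnerable, so this row should state explicitly that the system is vulnerable when the TSX control MSR is absent. Smaller points: "potenitally" in the Problem section should be "potentially", "Ditto" and "ditto" are capitalised inconsistently, and several table rows mix tabs with spaces.
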
+96 −0
@@ -1963,6 +1963,25 @@
			KVM MMU at runtime.
			Default is 0 (off)

	kvm.nx_huge_pages=
			[KVM] Controls the software workaround for the
			X86_BUG_ITLB_MULTIHIT bug.
			force	: Always deploy workaround.
			off	: Never deploy workaround.
			auto    : Deploy workaround based on the presence of
				  X86_BUG_ITLB_MULTIHIT.

			Default is 'auto'.

			If the software workaround is enabled for the host,
			guests do need not to enable it for nested guests.

	kvm.nx_huge_pages_recovery_ratio=
			[KVM] Controls how many 4KiB pages are periodically zapped
			back to huge pages.  0 disables the recovery, otherwise if
			the value is N KVM will zap 1/Nth of the 4KiB pages every
			minute.  The default is 60.

	kvm-amd.nested=	[KVM,AMD] Allow nested virtualization in KVM/SVM.
			Default is 1 (enabled)

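Review bot: The last sentence of the kvm.nx_huge_pages= entry, "guests do need not to enable it for nested guests", has its words transposed and should read "guests do not need to enable it for nested guests". The kvm.nx_huge_pages_recovery_ratio= entry says KVM "will zap 1/Nth of the 4KiB pages every minute" without saying which pages are meant; stating that these are the 4KiB pages produced when the workaround splits a huge page would remove the ambiguity. The "auto" line is also aligned with spaces where "force" and "off" use a tab.
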
@@ -2530,6 +2549,13 @@
					       ssbd=force-off [ARM64]
					       l1tf=off [X86]
					       mds=off [X86]
					       tsx_async_abort=off [X86]
					       kvm.nx_huge_pages=off [X86]

				Exceptions:
					       This does not have any effect on
					       kvm.nx_huge_pages when
					       kvm.nx_huge_pages=force.

			auto (default)
				Mitigate all CPU vulnerabilities, but leave SMT
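
Review bot: The new "Exceptions:" block sits under the "Equivalent to" list and its sentence, "This does not have any effect on kvm.nx_huge_pages when kvm.nx_huge_pages=force", leaves "This" without a clear referent. Suggest wording it as "mitigations=off does not override kvm.nx_huge_pages=force" so the precedence between the two parameters is stated directly.
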
@@ -2545,6 +2571,7 @@
				be fully mitigated, even if it means losing SMT.
				Equivalent to: l1tf=flush,nosmt [X86]
					       mds=full,nosmt [X86]
					       tsx_async_abort=full,nosmt [X86]

	mminit_loglevel=
			[KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this
@@ -4703,6 +4730,71 @@
			marks the TSC unconditionally unstable at bootup and
			avoids any further wobbles once the TSC watchdog notices.

	tsx=		[X86] Control Transactional Synchronization
			Extensions (TSX) feature in Intel processors that
			support TSX control.

			This parameter controls the TSX feature. The options are:

			on	- Enable TSX on the system. Although there are
				mitigations for all known security vulnerabilities,
				TSX has been known to be an accelerator for
				several previous speculation-related CVEs, and
				so there may be unknown	security risks associated
				with leaving it enabled.

			off	- Disable TSX on the system. (Note that this
				option takes effect only on newer CPUs which are
				not vulnerable to MDS, i.e., have
				MSR_IA32_ARCH_CAPABILITIES.MDS_NO=1 and which get
				the new IA32_TSX_CTRL MSR through a microcode
				update. This new MSR allows for the reliable
				deactivation of the TSX functionality.)

			auto	- Disable TSX if X86_BUG_TAA is present,
				  otherwise enable TSX on the system.

			Not specifying this option is equivalent to tsx=off.

			See Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
			for more details.

	tsx_async_abort= [X86,INTEL] Control mitigation for the TSX Async
			Abort (TAA) vulnerability.

			Similar to Micro-architectural Data Sampling (MDS)
			certain CPUs that support Transactional
			Synchronization Extensions (TSX) are vulnerable to an
			exploit against CPU internal buffers which can forward
			information to a disclosure gadget under certain
			conditions.

			In vulnerable processors, the speculatively forwarded
			data can be used in a cache side channel attack, to
			access data to which the attacker does not have direct
			access.

			This parameter controls the TAA mitigation.  The
			options are:

			full       - Enable TAA mitigation on vulnerable CPUs
				     if TSX is enabled.

			full,nosmt - Enable TAA mitigation and disable SMT on
				     vulnerable CPUs. If TSX is disabled, SMT
				     is not disabled because CPU is not
				     vulnerable to cross-thread TAA attacks.
			off        - Unconditionally disable TAA mitigation

			Not specifying this option is equivalent to
			tsx_async_abort=full.  On CPUs which are MDS affected
			and deploy MDS mitigation, TAA mitigation is not
			required and doesn't provide any additional
			mitigation.

			For details see:
			Documentation/admin-guide/hw-vuln/tsx_async_abort.rst

	turbografx.map[2|3]=	[HW,JOY]
			TurboGraFX parallel port interface
			Format:
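
Review bot: The tsx= "off" description says the option takes effect only on CPUs with MSR_IA32_ARCH_CAPABILITIES.MDS_NO=1 that receive IA32_TSX_CTRL through a microcode update, but it does not say what happens on other CPUs. Because "Not specifying this option is equivalent to tsx=off", an administrator on a CPU without that MSR could read the default as "TSX is disabled". Add a sentence that the parameter has no effect on CPUs without TSX control, as tsx_async_abort.rst states. In the tsx_async_abort= entry, the "off" option is missing the blank line that separates the other options, and there is a stray tab in "unknown	security risks" in the tsx= "on" text.
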
@@ -5130,6 +5222,10 @@
				the unplug protocol
			never -- do not unplug even if version check succeeds

	xen_legacy_crash	[X86,XEN]
			Crash from Xen panic notifier, without executing late
			panic() code such as dumping handler.

	xen_nopvspin	[X86,XEN]
			Disables the ticketlock slowpath using Xen PV
			optimizations.
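
Review bot: The xen_legacy_crash entry says what is skipped ("late panic() code such as dumping handler") but not what the default crash path does without the option, or when the legacy behaviour is preferable. Suggest adding one sentence on the default and correcting the phrase to "such as dump handlers".
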