Commit Graph

1750 Commits

Author SHA1 Message Date
Ivaylo Georgiev
d46ff52af6 Merge android-4.19.110 (1984fff) into msm-4.19
* refs/heads/tmp-1984fff:
  Revert "ANDROID: staging: android: ion: enable modularizing the ion driver"
  Revert "BACKPORT: sched/rt: Make RT capacity-aware"
  Revert "ANDROID: GKI: Add devm_thermal_of_virtual_sensor_register API."
  Linux 4.19.110
  KVM: SVM: fix up incorrect backport
  ANDROID: gki_defconfig: Enable USB_CONFIGFS_MASS_STORAGE
  UPSTREAM: arm64: memory: Add missing brackets to untagged_addr() macro
  UPSTREAM: mm: Avoid creating virtual address aliases in brk()/mmap()/mremap()
  ANDROID: Add TPM support and the vTPM proxy to Cuttlefish.
  Revert "ANDROID: tty: serdev: Fix broken serial console input"
  ANDROID: serdev: restrict claim of platform devices
  ANDROID: update the ABI xml representation
  ANDROID: GKI: add a USB TypeC vendor field for ABI compat
  UPSTREAM: usb: typec: mux: Switch to use fwnode_property_count_uXX()
  UPSTREAM: usb: typec: Make sure an alt mode exist before getting its partner
  UPSTREAM: usb: typec: Registering real device entries for the muxes
  UPSTREAM: usb: typec: mux: remove redundant check on variable match
  UPSTREAM: usb: typec: mux: Fix unsigned comparison with less than zero
  UPSTREAM: usb: typec: mux: Find the muxes by also matching against the device node
  UPSTREAM: usb: typec: Find the ports by also matching against the device node
  UPSTREAM: usb: typec: Rationalize the API for the muxes
  UPSTREAM: device property: Add helpers to count items in an array
  UPSTREAM: platform/x86: intel_cht_int33fe: Remove old style mux connections
  UPSTREAM: platform/x86: intel_cht_int33fe: Prepare for better mux naming scheme
  UPSTREAM: usb: typec: Prepare alt mode enter/exit reporting for UCSI alt mode support
  ANDROID: GKI: Update ABI
  ANDROID: GKI: drivers: of: Add API to find ddr device type
  UPSTREAM: Input: reset device timestamp on sync
  UPSTREAM: Input: allow drivers specify timestamp for input events
  ANDROID: GKI: usb: dwc3: Add USB_DR_MODE_DRD as dual role mode
  ANDROID: GKI: Add devm_thermal_of_virtual_sensor_register API.
  UPSTREAM: crypto: skcipher - Introduce crypto_sync_skcipher
  ANDROID: GKI: cfg80211: Add AP stopped interface
  UPSTREAM: device connection: Add fwnode member to struct device_connection
  FROMGIT: kallsyms: unexport kallsyms_lookup_name() and kallsyms_on_each_symbol()
  FROMGIT: samples/hw_breakpoint: drop use of kallsyms_lookup_name()
  FROMGIT: samples/hw_breakpoint: drop HW_BREAKPOINT_R when reporting writes
  UPSTREAM: fscrypt: don't evict dirty inodes after removing key
  ANDROID: gki_defconfig: Enable CONFIG_VM_EVENT_COUNTERS
  ANDROID: gki_defconfig: Enable CONFIG_CLEANCACHE
  ANDROID: Update ABI representation
  ANDROID: gki_defconfig: disable CONFIG_DEBUG_DEVRES
  Linux 4.19.109
  scsi: pm80xx: Fixed kernel panic during error recovery for SATA drive
  dm integrity: fix a deadlock due to offloading to an incorrect workqueue
  efi/x86: Handle by-ref arguments covering multiple pages in mixed mode
  efi/x86: Align GUIDs to their size in the mixed mode runtime wrapper
  powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems
  dmaengine: coh901318: Fix a double lock bug in dma_tc_handle()
  hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()
  ARM: dts: imx7-colibri: Fix frequency for sd/mmc
  ARM: dts: am437x-idk-evm: Fix incorrect OPP node names
  ARM: imx: build v7_cpu_resume() unconditionally
  IB/hfi1, qib: Ensure RCU is locked when accessing list
  RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()
  RDMA/iwcm: Fix iwcm work deallocation
  ARM: dts: imx6: phycore-som: fix emmc supply
  phy: mapphone-mdm6600: Fix write timeouts with shorter GPIO toggle interval
  phy: mapphone-mdm6600: Fix timeouts by adding wake-up handling
  drm/sun4i: de2/de3: Remove unsupported VI layer formats
  drm/sun4i: Fix DE2 VI layer format support
  ASoC: dapm: Correct DAPM handling of active widgets during shutdown
  ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path
  ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output
  dmaengine: imx-sdma: remove dma_slave_config direction usage and leave sdma_event_enable()
  ASoC: intel: skl: Fix possible buffer overflow in debug outputs
  ASoC: intel: skl: Fix pin debug prints
  ASoC: topology: Fix memleak in soc_tplg_manifest_load()
  ASoC: topology: Fix memleak in soc_tplg_link_elems_load()
  spi: bcm63xx-hsspi: Really keep pll clk enabled
  ARM: dts: ls1021a: Restore MDIO compatible to gianfar
  dm writecache: verify watermark during resume
  dm: report suspended device during destroy
  dm cache: fix a crash due to incorrect work item cancelling
  dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list
  dmaengine: tegra-apb: Fix use-after-free
  x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes
  media: v4l2-mem2mem.c: fix broken links
  vt: selection, push sel_lock up
  vt: selection, push console lock down
  vt: selection, close sel_buffer race
  serial: 8250_exar: add support for ACCES cards
  tty:serial:mvebu-uart:fix a wrong return
  arm: dts: dra76x: Fix mmc3 max-frequency
  fat: fix uninit-memory access for partial initialized inode
  mm: fix possible PMD dirty bit lost in set_pmd_migration_entry()
  mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa
  vgacon: Fix a UAF in vgacon_invert_region
  usb: core: port: do error out if usb_autopm_get_interface() fails
  usb: core: hub: do error out if usb_autopm_get_interface() fails
  usb: core: hub: fix unhandled return by employing a void function
  usb: dwc3: gadget: Update chain bit correctly when using sg list
  usb: quirks: add NO_LPM quirk for Logitech Screen Share
  usb: storage: Add quirk for Samsung Fit flash
  cifs: don't leak -EAGAIN for stat() during reconnect
  ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master
  ALSA: hda/realtek - Add Headset Mic supported
  net: thunderx: workaround BGX TX Underflow issue
  x86/xen: Distribute switch variables for initialization
  ice: Don't tell the OS that link is going down
  nvme: Fix uninitialized-variable warning
  s390/qdio: fill SL with absolute addresses
  x86/boot/compressed: Don't declare __force_order in kaslr_64.c
  s390: make 'install' not depend on vmlinux
  s390/cio: cio_ignore_proc_seq_next should increase position index
  watchdog: da9062: do not ping the hw during stop()
  net: ks8851-ml: Fix 16-bit IO operation
  net: ks8851-ml: Fix 16-bit data access
  net: ks8851-ml: Remove 8-bit bus accessors
  net: dsa: b53: Ensure the default VID is untagged
  selftests: forwarding: use proto icmp for {gretap, ip6gretap}_mac testing
  drm/msm/dsi/pll: call vco set rate explicitly
  drm/msm/dsi: save pll state before dsi host is powered off
  scsi: megaraid_sas: silence a warning
  drm: msm: Fix return type of dsi_mgr_connector_mode_valid for kCFI
  drm/msm/mdp5: rate limit pp done timeout warnings
  usb: gadget: serial: fix Tx stall after buffer overflow
  usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags
  usb: gadget: composite: Support more than 500mA MaxPower
  selftests: fix too long argument
  serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE
  ALSA: hda: do not override bus codec_mask in link_get()
  kprobes: Fix optimize_kprobe()/unoptimize_kprobe() cancellation logic
  RDMA/core: Fix use of logical OR in get_new_pps
  RDMA/core: Fix pkey and port assignment in get_new_pps
  net: dsa: bcm_sf2: Forcibly configure IMP port for 1Gb/sec
  ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1
  EDAC/amd64: Set grain per DIMM
  ANDROID: Fix kernelci build-break for arm32
  ANDROID: enable CONFIG_WATCHDOG_CORE=y
  ANDROID: kbuild: align UNUSED_KSYMS_WHITELIST with upstream
  FROMLIST: f2fs: fix wrong check on F2FS_IOC_FSSETXATTR
  FROMGIT: driver core: Reevaluate dev->links.need_for_probe as suppliers are added
  FROMGIT: driver core: Call sync_state() even if supplier has no consumers
  FROMGIT: of: property: Add device link support for power-domains and hwlocks
  UPSTREAM: binder: prevent UAF for binderfs devices II
  UPSTREAM: binder: prevent UAF for binderfs devices
  ANDROID: GKI: enable PM_GENERIC_DOMAINS by default
  ANDROID: GKI: pci: framework: disable auto suspend link
  ANDROID: GKI: gpio: Add support for hierarchical IRQ domains
  ANDROID: GKI: of: property: Add device links support for pinctrl-[0-3]
  ANDROID: GKI: of: property: Ignore properties that start with "qcom,"
  ANDROID: GKI: of: property: Add support for parsing qcom,msm-bus,name property
  ANDROID: GKI: genirq: Export symbols to compile irqchip drivers as modules
  ANDROID: GKI: of: irq: add helper to remap interrupts to another irqdomain
  ANDROID: GKI: genirq/irqdomain: add export symbols for modularizing
  ANDROID: GKI: genirq: Introduce irq_chip_get/set_parent_state calls
  ANDROID: Update ABI representation
  ANDROID: arm64: gki_defconfig: disable CONFIG_ZONE_DMA32
  ANDROID: GKI: drivers: thermal: Fix ABI diff for struct thermal_cooling_device
  ANDROID: GKI: drivers: thermal: Indicate in DT the trips are for temperature falling
  ANDROID: Update ABI representation
  ANDROID: Update ABI whitelist for qcom SoCs
  ANDROID: gki_defconfig: enable CONFIG_TYPEC
  ANDROID: Fix kernelci build-break on !CONFIG_CMA builds
  ANDROID: GKI: mm: fix cma accounting in zone_watermark_ok
  ANDROID: CC_FLAGS_CFI add -fno-sanitize-blacklist
  FROMLIST: lib: test_stackinit.c: XFAIL switch variable init tests
  Linux 4.19.108
  audit: always check the netlink payload length in audit_receive_msg()
  mm, thp: fix defrag setting if newline is not used
  mm/huge_memory.c: use head to check huge zero page
  netfilter: nf_flowtable: fix documentation
  netfilter: nft_tunnel: no need to call htons() when dumping ports
  thermal: brcmstb_thermal: Do not use DT coefficients
  KVM: x86: Remove spurious clearing of async #PF MSR
  KVM: x86: Remove spurious kvm_mmu_unload() from vcpu destruction path
  perf hists browser: Restore ESC as "Zoom out" of DSO/thread/etc
  pwm: omap-dmtimer: put_device() after of_find_device_by_node()
  kprobes: Set unoptimized flag after unoptimizing code
  drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()'
  perf stat: Fix shadow stats for clock events
  perf stat: Use perf_evsel__is_clocki() for clock events
  sched/fair: Fix O(nr_cgroups) in the load balancing path
  sched/fair: Optimize update_blocked_averages()
  KVM: Check for a bad hva before dropping into the ghc slow path
  KVM: SVM: Override default MMIO mask if memory encryption is enabled
  mwifiex: delete unused mwifiex_get_intf_num()
  mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame()
  namei: only return -ECHILD from follow_dotdot_rcu()
  net: ena: make ena rxfh support ETH_RSS_HASH_NO_CHANGE
  net/smc: no peer ID in CLC decline for SMCD
  net: atlantic: fix potential error handling
  net: atlantic: fix use after free kasan warn
  net: netlink: cap max groups which will be considered in netlink_bind()
  s390/qeth: vnicc Fix EOPNOTSUPP precedence
  usb: charger: assign specific number for enum value
  hv_netvsc: Fix unwanted wakeup in netvsc_attach()
  drm/i915/gvt: Separate display reset from ALL_ENGINES reset
  drm/i915/gvt: Fix orphan vgpu dmabuf_objs' lifetime
  i2c: jz4780: silence log flood on txabrt
  i2c: altera: Fix potential integer overflow
  MIPS: VPE: Fix a double free and a memory leak in 'release_vpe()'
  HID: hiddev: Fix race in in hiddev_disconnect()
  HID: alps: Fix an error handling path in 'alps_input_configured()'
  vhost: Check docket sk_family instead of call getname
  amdgpu/gmc_v9: save/restore sdpif regs during S3
  Revert "PM / devfreq: Modify the device name as devfreq(X) for sysfs"
  tracing: Disable trace_printk() on post poned tests
  macintosh: therm_windtunnel: fix regression when instantiating devices
  HID: core: increase HID report buffer size to 8KiB
  HID: core: fix off-by-one memset in hid_report_raw_event()
  HID: ite: Only bind to keyboard USB interface on Acer SW5-012 keyboard dock
  KVM: VMX: check descriptor table exits on instruction emulation
  ACPI: watchdog: Fix gas->access_width usage
  ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro
  audit: fix error handling in audit_data_to_entry()
  ext4: potential crash on allocation error in ext4_alloc_flex_bg_array()
  net/tls: Fix to avoid gettig invalid tls record
  qede: Fix race between rdma destroy workqueue and link change event
  ipv6: Fix nlmsg_flags when splitting a multipath route
  ipv6: Fix route replacement with dev-only route
  sctp: move the format error check out of __sctp_sf_do_9_1_abort
  nfc: pn544: Fix occasional HW initialization failure
  net: sched: correct flower port blocking
  net: phy: restore mdio regs in the iproc mdio driver
  net: mscc: fix in frame extraction
  net: fib_rules: Correctly set table field when table number exceeds 8 bits
  sysrq: Remove duplicated sysrq message
  sysrq: Restore original console_loglevel when sysrq disabled
  cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE
  cifs: Fix mode output in debugging statements
  net: ena: ena-com.c: prevent NULL pointer dereference
  net: ena: ethtool: use correct value for crc32 hash
  net: ena: fix incorrectly saving queue numbers when setting RSS indirection table
  net: ena: rss: store hash function as values and not bits
  net: ena: rss: fix failure to get indirection table
  net: ena: fix incorrect default RSS key
  net: ena: add missing ethtool TX timestamping indication
  net: ena: fix uses of round_jiffies()
  net: ena: fix potential crash when rxfh key is NULL
  soc/tegra: fuse: Fix build with Tegra194 configuration
  ARM: dts: sti: fixup sound frame-inversion for stihxxx-b2120.dtsi
  qmi_wwan: unconditionally reject 2 ep interfaces
  qmi_wwan: re-add DW5821e pre-production variant
  s390/zcrypt: fix card and queue total counter wrap
  cfg80211: check wiphy driver existence for drvinfo report
  mac80211: consider more elements in parsing CRC
  dax: pass NOWAIT flag to iomap_apply
  drm/msm: Set dma maximum segment size for mdss
  ipmi:ssif: Handle a possible NULL pointer reference
  iwlwifi: pcie: fix rb_allocator workqueue allocation
  irqchip/gic-v3-its: Fix misuse of GENMASK macro
  ANDROID: Update ABI representation
  ANDROID: abi_gki_aarch64_whitelist: add module_layout and task_struct
  ANDROID: gki_defconfig: disable KPROBES, update ABI
  ANDROID: GKI: mm: add cma pcp list
  ANDROID: GKI: cma: redirect page allocation to CMA
  BACKPORT: mm, compaction: be selective about what pageblocks to clear skip hints
  BACKPORT: mm: reclaim small amounts of memory when an external fragmentation event occurs
  BACKPORT: mm: move zone watermark accesses behind an accessor
  UPSTREAM: mm: use alloc_flags to record if kswapd can wake
  UPSTREAM: mm, page_alloc: spread allocations across zones before introducing fragmentation
  ANDROID: GKI: update abi for ufshcd changes
  ANDROID: Unconditionally create bridge tracepoints
  ANDROID: gki_defconfig: Enable MFD_SYSCON on x86
  ANDROID: scsi: ufs: allow ufs variants to override sg entry size
  ANDROID: Re-add default y for VIRTIO_PCI_LEGACY
  ANDROID: GKI: build in HVC_DRIVER
  ANDROID: Removed default m for virtual sw crypto device
  ANDROID: Remove default y on BRIDGE_IGMP_SNOOPING
  ANDROID: GKI: Added missing SND configs
  FROMLIST: ufs: fix a bug on printing PRDT
  UPSTREAM: sched/uclamp: Reject negative values in cpu_uclamp_write()
  ANDROID: gki_defconfig: Disable CONFIG_RT_GROUP_SCHED
  ANDROID: GKI: Remove CONFIG_BRIDGE from arm64 config
  ANDROID: Add ABI Whitelist for qcom
  ANDROID: Enable HID_NINTENDO as y
  FROMLIST: HID: nintendo: add nintendo switch controller driver
  UPSTREAM: regulator/of_get_regulator: add child path to find the regulator supplier
  ANDROID: gki_defconfig: Remove 'BRIDGE_NETFILTER is not set'
  BACKPORT: net: disable BRIDGE_NETFILTER by default
  ANDROID: kbuild: fix UNUSED_KSYMS_WHITELIST backport
  Linux 4.19.107
  Revert "char/random: silence a lockdep splat with printk()"
  s390/mm: Explicitly compare PAGE_DEFAULT_KEY against zero in storage_key_init_range
  xen: Enable interrupts when calling _cond_resched()
  ata: ahci: Add shutdown to freeze hardware resources of ahci
  rxrpc: Fix call RCU cleanup using non-bh-safe locks
  netfilter: xt_hashlimit: limit the max size of hashtable
  ALSA: seq: Fix concurrent access to queue current tick/time
  ALSA: seq: Avoid concurrent access to queue flags
  ALSA: rawmidi: Avoid bit fields for state flags
  bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill
  genirq/proc: Reject invalid affinity masks (again)
  iommu/vt-d: Fix compile warning from intel-svm.h
  ecryptfs: replace BUG_ON with error handling code
  staging: greybus: use after free in gb_audio_manager_remove_all()
  staging: rtl8723bs: fix copy of overlapping memory
  usb: dwc2: Fix in ISOC request length checking
  usb: gadget: composite: Fix bMaxPower for SuperSpeedPlus
  scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session"
  scsi: Revert "RDMA/isert: Fix a recently introduced regression related to logout"
  Revert "dmaengine: imx-sdma: Fix memory leak"
  Btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents
  btrfs: do not check delayed items are empty for single transaction cleanup
  btrfs: reset fs_root to NULL on error in open_ctree
  btrfs: fix bytes_may_use underflow in prealloc error condtition
  KVM: apic: avoid calculating pending eoi from an uninitialized val
  KVM: nVMX: handle nested posted interrupts when apicv is disabled for L1
  KVM: nVMX: Check IO instruction VM-exit conditions
  KVM: nVMX: Refactor IO bitmap checks into helper function
  ext4: fix race between writepages and enabling EXT4_EXTENTS_FL
  ext4: rename s_journal_flag_rwsem to s_writepages_rwsem
  ext4: fix mount failure with quota configured as module
  ext4: fix potential race between s_flex_groups online resizing and access
  ext4: fix potential race between s_group_info online resizing and access
  ext4: fix potential race between online resizing and write operations
  ext4: add cond_resched() to __ext4_find_entry()
  ext4: fix a data race in EXT4_I(inode)->i_disksize
  drm/nouveau/kms/gv100-: Re-set LUT after clearing for modesets
  lib/stackdepot.c: fix global out-of-bounds in stack_slabs
  tty: serial: qcom_geni_serial: Fix RX cancel command failure
  tty: serial: qcom_geni_serial: Remove xfer_mode variable
  tty: serial: qcom_geni_serial: Remove set_rfr_wm() and related variables
  tty: serial: qcom_geni_serial: Remove use of *_relaxed() and mb()
  tty: serial: qcom_geni_serial: Remove interrupt storm
  tty: serial: qcom_geni_serial: Fix UART hang
  KVM: x86: don't notify userspace IOAPIC on edge-triggered interrupt EOI
  KVM: nVMX: Don't emulate instructions in guest mode
  xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms
  drm/amdgpu/soc15: fix xclk for raven
  mm/vmscan.c: don't round up scan size for online memory cgroup
  genirq/irqdomain: Make sure all irq domain flags are distinct
  nvme-multipath: Fix memory leak with ana_log_buf
  mm/memcontrol.c: lost css_put in memcg_expand_shrinker_maps()
  Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()"
  MAINTAINERS: Update drm/i915 bug filing URL
  serdev: ttyport: restore client ops on deregistration
  tty: serial: imx: setup the correct sg entry for tx dma
  tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode
  serial: 8250: Check UPF_IRQ_SHARED in advance
  x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF
  x86/mce/amd: Fix kobject lifetime
  x86/mce/amd: Publish the bank pointer only after setup has succeeded
  jbd2: fix ocfs2 corrupt when clearing block group bits
  powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery
  staging: rtl8723bs: Fix potential overuse of kernel memory
  staging: rtl8723bs: Fix potential security hole
  staging: rtl8188eu: Fix potential overuse of kernel memory
  staging: rtl8188eu: Fix potential security hole
  usb: dwc3: gadget: Check for IOC/LST bit in TRB->ctrl fields
  usb: dwc2: Fix SET/CLEAR_FEATURE and GET_STATUS flows
  USB: hub: Fix the broken detection of USB3 device in SMSC hub
  USB: hub: Don't record a connect-change event during reset-resume
  USB: Fix novation SourceControl XL after suspend
  usb: uas: fix a plug & unplug racing
  USB: quirks: blacklist duplicate ep on Sound Devices USBPre2
  USB: core: add endpoint-blacklist quirk
  usb: host: xhci: update event ring dequeue pointer on purpose
  xhci: Fix memory leak when caching protocol extended capability PSI tables - take 2
  xhci: fix runtime pm enabling for quirky Intel hosts
  xhci: Force Maximum Packet size for Full-speed bulk devices to valid range.
  staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi.
  staging: android: ashmem: Disallow ashmem memory from being remapped
  vt: vt_ioctl: fix race in VT_RESIZEX
  vt: selection, handle pending signals in paste_selection
  vt: fix scrollback flushing on background consoles
  floppy: check FDC index for errors before assigning it
  USB: misc: iowarrior: add support for the 100 device
  USB: misc: iowarrior: add support for the 28 and 28L devices
  USB: misc: iowarrior: add support for 2 OEMed devices
  thunderbolt: Prevent crash if non-active NVMem file is read
  ecryptfs: fix a memory leak bug in ecryptfs_init_messaging()
  ecryptfs: fix a memory leak bug in parse_tag_1_packet()
  ASoC: sun8i-codec: Fix setting DAI data format
  ALSA: hda/realtek - Apply quirk for yet another MSI laptop
  ALSA: hda/realtek - Apply quirk for MSI GP63, too
  ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs
  iommu/qcom: Fix bogus detach logic
  UPSTREAM: sched/psi: Fix OOB write when writing 0 bytes to PSI files
  UPSTREAM: psi: Fix a division error in psi poll()
  UPSTREAM: sched/psi: Fix sampling error and rare div0 crashes with cgroups and high uptime
  UPSTREAM: sched/psi: Correct overly pessimistic size calculation
  ANDROID: build.config.gki.aarch64: enable symbol trimming
  FROMLIST: f2fs: Handle casefolding with Encryption
  FROMLIST: fscrypt: Have filesystems handle their d_ops
  FROMLIST: ext4: Use generic casefolding support
  FROMLIST: f2fs: Use generic casefolding support
  FROMLIST: Add standard casefolding support
  FROMLIST: unicode: Add utf8_casefold_hash
  ANDROID: sdcardfs: fix -ENOENT lookup race issue
  ANDROID: gki_defconfig: Enable CONFIG_RD_LZ4
  ANDROID: gki: Enable BINFMT_MISC as part of GKI
  ANDROID: gki_defconfig: disable CONFIG_CRYPTO_MD4
  ANDROID: dm: Add wrapped key support in dm-default-key
  ANDROID: dm: add support for passing through derive_raw_secret
  ANDROID: block: Prevent crypto fallback for wrapped keys
  BACKPORT: FROMLIST: kbuild: generate autoksyms.h early
  BACKPORT: FROMLIST: kbuild: split adjust_autoksyms.sh in two parts
  BACKPORT: FROMLIST: kbuild: allow symbol whitelisting with TRIM_UNUSED_KSYMS
  ANDROID: kbuild: use modules.order in adjust_autoksyms.sh
  UPSTREAM: kbuild: source include/config/auto.conf instead of ${KCONFIG_CONFIG}
  ANDROID: Disable wq fp check in CFI builds
  ANDROID: increase limit on sched-tune boost groups
  BACKPORT: nvmem: core: fix regression in of_nvmem_cell_get()
  BACKPORT: nvmem: hide unused nvmem_find_cell_by_index function
  BACKPORT: nvmem: resolve cells from DT at registration time
  Linux 4.19.106
  drm/amdgpu/display: handle multiple numbers of fclks in dcn_calcs.c (v2)
  mlxsw: spectrum_dpipe: Add missing error path
  virtio_balloon: prevent pfn array overflow
  cifs: log warning message (once) if out of disk space
  help_next should increase position index
  NFS: Fix memory leaks
  drm/amdgpu/smu10: fix smu10_get_clock_by_type_with_voltage
  drm/amdgpu/smu10: fix smu10_get_clock_by_type_with_latency
  brd: check and limit max_part par
  microblaze: Prevent the overflow of the start
  iwlwifi: mvm: Fix thermal zone registration
  irqchip/gic-v3-its: Reference to its_invall_cmd descriptor when building INVALL
  bcache: explicity type cast in bset_bkey_last()
  reiserfs: prevent NULL pointer dereference in reiserfs_insert_item()
  lib/scatterlist.c: adjust indentation in __sg_alloc_table
  ocfs2: fix a NULL pointer dereference when call ocfs2_update_inode_fsync_trans()
  radeon: insert 10ms sleep in dce5_crtc_load_lut
  trigger_next should increase position index
  ftrace: fpid_next() should increase position index
  drm/nouveau/disp/nv50-: prevent oops when no channel method map provided
  irqchip/gic-v3: Only provision redistributors that are enabled in ACPI
  rbd: work around -Wuninitialized warning
  ceph: check availability of mds cluster on mount after wait timeout
  bpf: map_seq_next should always increase position index
  cifs: fix NULL dereference in match_prepath
  iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop
  hostap: Adjust indentation in prism2_hostapd_add_sta
  ARM: 8951/1: Fix Kexec compilation issue.
  jbd2: make sure ESHUTDOWN to be recorded in the journal superblock
  jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record
  selftests: bpf: Reset global state between reuseport test runs
  iommu/vt-d: Remove unnecessary WARN_ON_ONCE()
  bcache: cached_dev_free needs to put the sb page
  powerpc/sriov: Remove VF eeh_dev state when disabling SR-IOV
  drm/nouveau/mmu: fix comptag memory leak
  ALSA: hda - Add docking station support for Lenovo Thinkpad T420s
  driver core: platform: fix u32 greater or equal to zero comparison
  s390/ftrace: generate traced function stack frame
  s390: adjust -mpacked-stack support check for clang 10
  x86/decoder: Add TEST opcode to Group3-2
  kbuild: use -S instead of -E for precise cc-option test in Kconfig
  ALSA: hda/hdmi - add retry logic to parse_intel_hdmi()
  irqchip/mbigen: Set driver .suppress_bind_attrs to avoid remove problems
  remoteproc: Initialize rproc_class before use
  module: avoid setting info->name early in case we can fall back to info->mod->name
  btrfs: device stats, log when stats are zeroed
  btrfs: safely advance counter when looking up bio csums
  btrfs: fix possible NULL-pointer dereference in integrity checks
  pwm: Remove set but not set variable 'pwm'
  ide: serverworks: potential overflow in svwks_set_pio_mode()
  cmd64x: potential buffer overflow in cmd64x_program_timings()
  pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional
  x86/mm: Fix NX bit clearing issue in kernel_map_pages_in_pgd
  f2fs: fix memleak of kobject
  watchdog/softlockup: Enforce that timestamp is valid on boot
  drm/amd/display: fixup DML dependencies
  arm64: fix alternatives with LLVM's integrated assembler
  scsi: iscsi: Don't destroy session if there are outstanding connections
  f2fs: free sysfs kobject
  f2fs: set I_LINKABLE early to avoid wrong access by vfs
  iommu/arm-smmu-v3: Use WRITE_ONCE() when changing validity of an STE
  usb: musb: omap2430: Get rid of musb .set_vbus for omap2430 glue
  drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add
  drm/nouveau/fault/gv100-: fix memory leak on module unload
  drm/nouveau/drm/ttm: Remove set but not used variable 'mem'
  drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler
  drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw
  drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new()
  vme: bridges: reduce stack usage
  bpf: Return -EBADRQC for invalid map type in __bpf_tx_xdp_map
  driver core: Print device when resources present in really_probe()
  driver core: platform: Prevent resouce overflow from causing infinite loops
  visorbus: fix uninitialized variable access
  tty: synclink_gt: Adjust indentation in several functions
  tty: synclinkmp: Adjust indentation in several functions
  ASoC: atmel: fix build error with CONFIG_SND_ATMEL_SOC_DMA=m
  wan: ixp4xx_hss: fix compile-testing on 64-bit
  x86/nmi: Remove irq_work from the long duration NMI handler
  Input: edt-ft5x06 - work around first register access error
  rcu: Use WRITE_ONCE() for assignments to ->pprev for hlist_nulls
  efi/x86: Don't panic or BUG() on non-critical error conditions
  soc/tegra: fuse: Correct straps' address for older Tegra124 device trees
  IB/hfi1: Add software counter for ctxt0 seq drop
  staging: rtl8188: avoid excessive stack usage
  udf: Fix free space reporting for metadata and virtual partitions
  usbip: Fix unsafe unaligned pointer usage
  ARM: dts: stm32: Add power-supply for DSI panel on stm32f469-disco
  drm: remove the newline for CRC source name.
  mlx5: work around high stack usage with gcc
  ACPI: button: Add DMI quirk for Razer Blade Stealth 13 late 2019 lid switch
  tools lib api fs: Fix gcc9 stringop-truncation compilation error
  ALSA: sh: Fix compile warning wrt const
  clk: uniphier: Add SCSSI clock gate for each channel
  ALSA: sh: Fix unused variable warnings
  clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock
  RDMA/rxe: Fix error type of mmap_offset
  reset: uniphier: Add SCSSI reset control for each channel
  pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs
  PM / devfreq: rk3399_dmc: Add COMPILE_TEST and HAVE_ARM_SMCCC dependency
  x86/vdso: Provide missing include file
  crypto: chtls - Fixed memory leak
  dmaengine: imx-sdma: Fix memory leak
  dmaengine: Store module owner in dma_device struct
  selinux: ensure we cleanup the internal AVC counters on error in avc_update()
  ARM: dts: r8a7779: Add device node for ARM global timer
  drm/mediatek: handle events when enabling/disabling crtc
  scsi: aic7xxx: Adjust indentation in ahc_find_syncrate
  scsi: ufs: Complete pending requests in host reset and restore path
  ACPICA: Disassembler: create buffer fields in ACPI_PARSE_LOAD_PASS1
  orinoco: avoid assertion in case of NULL pointer
  rtlwifi: rtl_pci: Fix -Wcast-function-type
  iwlegacy: Fix -Wcast-function-type
  ipw2x00: Fix -Wcast-function-type
  b43legacy: Fix -Wcast-function-type
  ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status
  netfilter: nft_tunnel: add the missing ERSPAN_VERSION nla_policy
  fore200e: Fix incorrect checks of NULL pointer dereference
  r8169: check that Realtek PHY driver module is loaded
  reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling
  media: v4l2-device.h: Explicitly compare grp{id,mask} to zero in v4l2_device macros
  PCI: Increase D3 delay for AMD Ryzen5/7 XHCI controllers
  PCI: Add generic quirk for increasing D3hot delay
  media: cx23885: Add support for AVerMedia CE310B
  PCI: iproc: Apply quirk_paxc_bridge() for module as well as built-in
  ARM: dts: imx6: rdu2: Limit USBH1 to Full Speed
  ARM: dts: imx6: rdu2: Disable WP for USDHC2 and USDHC3
  arm64: dts: qcom: msm8996: Disable USB2 PHY suspend by core
  selinux: ensure we cleanup the internal AVC counters on error in avc_insert()
  arm: dts: allwinner: H3: Add PMU node
  arm64: dts: allwinner: H6: Add PMU mode
  selinux: fall back to ref-walk if audit is required
  NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu().
  net/wan/fsl_ucc_hdlc: reject muram offsets above 64K
  regulator: rk808: Lower log level on optional GPIOs being not available
  drm/amdgpu: Ensure ret is always initialized when using SOC15_WAIT_ON_RREG
  drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table
  clk: qcom: rcg2: Don't crash if our parent can't be found; return an error
  kconfig: fix broken dependency in randconfig-generated .config
  KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups
  nbd: add a flush_workqueue in nbd_start_device
  drm/amd/display: Retrain dongles when SINK_COUNT becomes non-zero
  ath10k: Correct the DMA direction for management tx buffers
  ext4, jbd2: ensure panic when aborting with zero errno
  ARM: 8952/1: Disable kmemleak on XIP kernels
  tracing: Fix very unlikely race of registering two stat tracers
  tracing: Fix tracing_stat return values in error handling paths
  powerpc/iov: Move VF pdev fixup into pcibios_fixup_iov()
  s390/pci: Fix possible deadlock in recover_store()
  pwm: omap-dmtimer: Simplify error handling
  x86/sysfb: Fix check for bad VRAM size
  jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal
  kselftest: Minimise dependency of get_size on C library interfaces
  clocksource/drivers/bcm2835_timer: Fix memory leak of timer
  usb: dwc2: Fix IN FIFO allocation
  usb: gadget: udc: fix possible sleep-in-atomic-context bugs in gr_probe()
  uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()
  sparc: Add .exit.data section.
  MIPS: Loongson: Fix potential NULL dereference in loongson3_platform_init()
  efi/x86: Map the entire EFI vendor string before copying it
  pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins
  media: sti: bdisp: fix a possible sleep-in-atomic-context bug in bdisp_device_run()
  char/random: silence a lockdep splat with printk()
  iommu/vt-d: Fix off-by-one in PASID allocation
  gpio: gpio-grgpio: fix possible sleep-in-atomic-context bugs in grgpio_irq_map/unmap()
  powerpc/powernv/iov: Ensure the pdn for VFs always contains a valid PE number
  media: i2c: mt9v032: fix enum mbus codes and frame sizes
  pxa168fb: Fix the function used to release some memory in an error handling path
  pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs
  gianfar: Fix TX timestamping with a stacked DSA driver
  ALSA: ctl: allow TLV read operation for callback type of element in locked case
  ext4: fix ext4_dax_read/write inode locking sequence for IOCB_NOWAIT
  leds: pca963x: Fix open-drain initialization
  brcmfmac: Fix use after free in brcmf_sdio_readframes()
  cpu/hotplug, stop_machine: Fix stop_machine vs hotplug order
  drm/gma500: Fixup fbdev stolen size usage evaluation
  KVM: nVMX: Use correct root level for nested EPT shadow page tables
  Revert "KVM: VMX: Add non-canonical check on writes to RTIT address MSRs"
  Revert "KVM: nVMX: Use correct root level for nested EPT shadow page tables"
  net/sched: flower: add missing validation of TCA_FLOWER_FLAGS
  net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS
  net: dsa: tag_qca: Make sure there is headroom for tag
  net/smc: fix leak of kernel memory to user space
  enic: prevent waking up stopped tx queues over watchdog reset
  core: Don't skip generic XDP program execution for cloned SKBs
  ANDROID: arm64: update the abi with the new gki_defconfig
  ANDROID: arm64: gki_defconfig: disable CONFIG_DEBUG_PREEMPT
  ANDROID: GKI: arm64: gki_defconfig: follow-up to removing DRM_MSM driver
  ANDROID: drm/msm: Remove Kconfig default
  ANDROID: GKI: arm64: gki_defconfig: remove qcom,cmd-db driver
  ANDROID: GKI: drivers: qcom: cmd-db: Allow compiling qcom,cmd-db driver as module
  ANDROID: GKI: arm64: gki_defconfig: remove qcom,rpmh-rsc driver
  ANDROID: GKI: drivers: qcom: rpmh-rsc: Add tristate support for qcom,rpmh-rsc driver
  ANDROID: ufs, block: fix crypto power management and move into block layer
  ANDROID: rtc: class: support hctosys from modular RTC drivers
  ANDROID: Incremental fs: Support xattrs
  ANDROID: abi update for 4.19.105
  UPSTREAM: random: ignore GRND_RANDOM in getentropy(2)
  UPSTREAM: random: add GRND_INSECURE to return best-effort non-cryptographic bytes
  UPSTREAM: linux/random.h: Mark CONFIG_ARCH_RANDOM functions __must_check
  UPSTREAM: linux/random.h: Use false with bool
  UPSTREAM: linux/random.h: Remove arch_has_random, arch_has_random_seed
  UPSTREAM: random: remove some dead code of poolinfo
  UPSTREAM: random: fix typo in add_timer_randomness()
  UPSTREAM: random: Add and use pr_fmt()
  UPSTREAM: random: convert to ENTROPY_BITS for better code readability
  UPSTREAM: random: remove unnecessary unlikely()
  UPSTREAM: random: remove kernel.random.read_wakeup_threshold
  UPSTREAM: random: delete code to pull data into pools
  UPSTREAM: random: remove the blocking pool
  UPSTREAM: random: make /dev/random be almost like /dev/urandom
  UPSTREAM: random: Add a urandom_read_nowait() for random APIs that don't warn
  UPSTREAM: random: Don't wake crng_init_wait when crng_init == 1
  UPSTREAM: char/random: silence a lockdep splat with printk()
  BACKPORT: fdt: add support for rng-seed
  BACKPORT: arm64: map FDT as RW for early_init_dt_scan()
  UPSTREAM: random: fix soft lockup when trying to read from an uninitialized blocking pool
  UPSTREAM: random: document get_random_int() family
  UPSTREAM: random: move rand_initialize() earlier
  UPSTREAM: random: only read from /dev/random after its pool has received 128 bits
  UPSTREAM: drivers/char/random.c: make primary_crng static
  UPSTREAM: drivers/char/random.c: remove unused stuct poolinfo::poolbits
  UPSTREAM: drivers/char/random.c: constify poolinfo_table
  ANDROID: clang: update to 10.0.4
  Linux 4.19.105
  KVM: x86/mmu: Fix struct guest_walker arrays for 5-level paging
  jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer
  jbd2: move the clearing of b_modified flag to the journal_unmap_buffer()
  NFSv4.1 make cachethis=no for writes
  hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions.
  perf/x86/intel: Fix inaccurate period in context switch for auto-reload
  s390/time: Fix clk type in get_tod_clock
  RDMA/core: Fix protection fault in get_pkey_idx_qp_list
  RDMA/rxe: Fix soft lockup problem due to using tasklets in softirq
  RDMA/hfi1: Fix memory leak in _dev_comp_vect_mappings_create
  RDMA/core: Fix invalid memory access in spec_filter_size
  IB/rdmavt: Reset all QPs when the device is shut down
  IB/hfi1: Close window for pq and request coliding
  IB/hfi1: Acquire lock to release TID entries when user file is closed
  nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info
  perf/x86/amd: Add missing L2 misses event spec to AMD Family 17h's event map
  KVM: nVMX: Use correct root level for nested EPT shadow page tables
  arm64: ssbs: Fix context-switch when SSBS is present on all CPUs
  ARM: npcm: Bring back GPIOLIB support
  btrfs: log message when rw remount is attempted with unclean tree-log
  btrfs: print message when tree-log replay starts
  btrfs: ref-verify: fix memory leaks
  Btrfs: fix race between using extent maps and merging them
  ext4: improve explanation of a mount failure caused by a misconfigured kernel
  ext4: add cond_resched() to ext4_protect_reserved_inode
  ext4: fix checksum errors with indexed dirs
  ext4: fix support for inode sizes > 1024 bytes
  ext4: don't assume that mmp_nodename/bdevname have NUL
  ALSA: usb-audio: Add clock validity quirk for Denon MC7000/MCX8000
  ALSA: usb-audio: sound: usb: usb true/false for bool return type
  arm64: nofpsmid: Handle TIF_FOREIGN_FPSTATE flag cleanly
  arm64: cpufeature: Set the FP/SIMD compat HWCAP bits properly
  ALSA: usb-audio: Apply sample rate quirk for Audioengine D1
  ALSA: hda/realtek - Fix silent output on MSI-GL73
  ALSA: usb-audio: Fix UAC2/3 effect unit parsing
  Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list
  Input: synaptics - enable SMBus on ThinkPad L470
  Input: synaptics - switch T470s to RMI4 by default
  ANDROID: Fix ABI representation after enabling CONFIG_NET_NS
  ANDROID: gki_defconfig: Enable CONFIG_NET_NS
  ANDROID: gki_defconfig: Enable XDP_SOCKETS
  UPSTREAM: sched/topology: Introduce a sysctl for Energy Aware Scheduling
  ANDROID: gki_defconfig: Enable MAC80211_RC_MINSTREL
  ANDROID: f2fs: remove unused function
  ANDROID: virtio: virtio_input: pass _DIRECT only if the device advertises _DIRECT
  ANDROID: cf build: Use merge_configs
  ANDROID: net: bpf: Allow TC programs to call BPF_FUNC_skb_change_head
  ANDROID: gki_defconfig: Disable SDCARD_FS
  Linux 4.19.104
  padata: fix null pointer deref of pd->pinst
  serial: uartps: Move the spinlock after the read of the tx empty
  x86/stackframe, x86/ftrace: Add pt_regs frame annotations
  x86/stackframe: Move ENCODE_FRAME_POINTER to asm/frame.h
  scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state
  libertas: make lbs_ibss_join_existing() return error code on rates overflow
  libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
  mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()
  mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status()
  pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B
  media: i2c: adv748x: Fix unsafe macros
  crypto: atmel-sha - fix error handling when setting hmac key
  crypto: artpec6 - return correct error code for failed setkey()
  mtd: sharpslpart: Fix unsigned comparison to zero
  mtd: onenand_base: Adjust indentation in onenand_read_ops_nolock
  KVM: arm64: pmu: Don't increment SW_INCR if PMCR.E is unset
  KVM: arm: Make inject_abt32() inject an external abort instead
  KVM: arm: Fix DFSR setting for non-LPAE aarch32 guests
  KVM: arm/arm64: Fix young bit from mmu notifier
  arm64: ptrace: nofpsimd: Fail FP/SIMD regset operations
  arm64: cpufeature: Fix the type of no FP/SIMD capability
  ARM: 8949/1: mm: mark free_memmap as __init
  KVM: arm/arm64: vgic-its: Fix restoration of unmapped collections
  iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA
  powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW
  powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning
  tools/power/acpi: fix compilation error
  ARM: dts: at91: sama5d3: define clock rate range for tcb1
  ARM: dts: at91: sama5d3: fix maximum peripheral clock rates
  ARM: dts: am43xx: add support for clkout1 clock
  ARM: dts: at91: Reenable UART TX pull-ups
  platform/x86: intel_mid_powerbtn: Take a copy of ddata
  ARC: [plat-axs10x]: Add missing multicast filter number to GMAC node
  rtc: cmos: Stop using shared IRQ
  rtc: hym8563: Return -EINVAL if the time is known to be invalid
  spi: spi-mem: Fix inverted logic in op sanity check
  spi: spi-mem: Add extra sanity checks on the op param
  gpio: zynq: Report gpio direction at boot
  serial: uartps: Add a timeout to the tx empty wait
  NFSv4: try lease recovery on NFS4ERR_EXPIRED
  NFS/pnfs: Fix pnfs_generic_prepare_to_resend_writes()
  NFS: Revalidate the file size on a fatal write error
  nfs: NFS_SWAP should depend on SWAP
  PCI: Don't disable bridge BARs when assigning bus resources
  PCI/switchtec: Fix vep_vector_number ioread width
  ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe
  PCI/IOV: Fix memory leak in pci_iov_add_virtfn()
  scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails
  RDMA/uverbs: Verify MR access flags
  RDMA/core: Fix locking in ib_uverbs_event_read
  RDMA/netlink: Do not always generate an ACK for some netlink operations
  IB/mlx4: Fix memory leak in add_gid error flow
  hv_sock: Remove the accept port restriction
  ASoC: pcm: update FE/BE trigger order based on the command
  ANDROID: gki_defconfig: Add CONFIG_UNICODE
  ANDROID: added memory initialization tests to cuttlefish config
  ANDROID: gki_defconfig: enable CONFIG_RUNTIME_TESTING_MENU
  fs-verity: use u64_to_user_ptr()
  fs-verity: use mempool for hash requests
  fs-verity: implement readahead of Merkle tree pages
  fs-verity: implement readahead for FS_IOC_ENABLE_VERITY
  fscrypt: improve format of no-key names
  ubifs: allow both hash and disk name to be provided in no-key names
  ubifs: don't trigger assertion on invalid no-key filename
  fscrypt: clarify what is meant by a per-file key
  fscrypt: derive dirhash key for casefolded directories
  fscrypt: don't allow v1 policies with casefolding
  fscrypt: add "fscrypt_" prefix to fname_encrypt()
  fscrypt: don't print name of busy file when removing key
  fscrypt: document gfp_flags for bounce page allocation
  fscrypt: optimize fscrypt_zeroout_range()
  fscrypt: remove redundant bi_status check
  fscrypt: Allow modular crypto algorithms
  FROMLIST: rename missed uaccess .fixup section
  ANDROID: f2fs: fix missing blk-crypto changes
  ANDROID: gki_defconfig: enable heap and stack initialization.
  UPSTREAM: lib/test_stackinit: Handle Clang auto-initialization pattern
  UPSTREAM: lib: Introduce test_stackinit module
  fscrypt: include <linux/ioctl.h> in UAPI header
  fscrypt: don't check for ENOKEY from fscrypt_get_encryption_info()
  fscrypt: remove fscrypt_is_direct_key_policy()
  fscrypt: move fscrypt_valid_enc_modes() to policy.c
  fscrypt: check for appropriate use of DIRECT_KEY flag earlier
  fscrypt: split up fscrypt_supported_policy() by policy version
  fscrypt: introduce fscrypt_needs_contents_encryption()
  fscrypt: move fscrypt_d_revalidate() to fname.c
  fscrypt: constify inode parameter to filename encryption functions
  fscrypt: constify struct fscrypt_hkdf parameter to fscrypt_hkdf_expand()
  fscrypt: verify that the crypto_skcipher has the correct ivsize
  fscrypt: use crypto_skcipher_driver_name()
  fscrypt: support passing a keyring key to FS_IOC_ADD_ENCRYPTION_KEY
  keys: Export lookup_user_key to external users
  UPSTREAM: dynamic_debug: allow to work if debugfs is disabled
  UPSTREAM: lib: dynamic_debug: no need to check return value of debugfs_create functions
  ANDROID: ABI/Whitelist: update for Cuttlefish
  ANDROID: update ABI representation and GKI whitelist
  ANDROID: gki_defconfig: Set CONFIG_ANDROID_BINDERFS=y
  Linux 4.19.103
  rxrpc: Fix service call disconnection
  perf/core: Fix mlock accounting in perf_mmap()
  clocksource: Prevent double add_timer_on() for watchdog_timer
  x86/apic/msi: Plug non-maskable MSI affinity race
  cifs: fail i/o on soft mounts if sessionsetup errors out
  mm/page_alloc.c: fix uninitialized memmaps on a partially populated last section
  mm: return zero_resv_unavail optimization
  mm: zero remaining unavailable struct pages
  KVM: Play nice with read-only memslots when querying host page size
  KVM: Use vcpu-specific gva->hva translation when querying host page size
  KVM: nVMX: vmread should not set rflags to specify success in case of #PF
  KVM: VMX: Add non-canonical check on writes to RTIT address MSRs
  KVM: x86: Use gpa_t for cr2/gpa to fix TDP support on 32-bit KVM
  KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM
  btrfs: flush write bio if we loop in extent_write_cache_pages
  drm/dp_mst: Remove VCPI while disabling topology mgr
  drm: atmel-hlcdc: enable clock before configuring timing engine
  btrfs: free block groups after free'ing fs trees
  btrfs: use bool argument in free_root_pointers()
  ext4: fix deadlock allocating crypto bounce page from mempool
  net: dsa: b53: Always use dev->vlan_enabled in b53_configure_vlan()
  net: macb: Limit maximum GEM TX length in TSO
  net: macb: Remove unnecessary alignment check for TSO
  net/mlx5: IPsec, fix memory leak at mlx5_fpga_ipsec_delete_sa_ctx
  net/mlx5: IPsec, Fix esp modify function attribute
  net: systemport: Avoid RBUF stuck in Wake-on-LAN mode
  net_sched: fix a resource leak in tcindex_set_parms()
  net: mvneta: move rx_dropped and rx_errors in per-cpu stats
  net: dsa: bcm_sf2: Only 7278 supports 2Gb/sec IMP port
  bonding/alb: properly access headers in bond_alb_xmit()
  mfd: rn5t618: Mark ADC control register volatile
  mfd: da9062: Fix watchdog compatible string
  ubi: Fix an error pointer dereference in error handling code
  ubi: fastmap: Fix inverted logic in seen selfcheck
  nfsd: Return the correct number of bytes written to the file
  nfsd: fix jiffies/time_t mixup in LRU list
  nfsd: fix delay timer on 32-bit architectures
  IB/core: Fix ODP get user pages flow
  IB/mlx5: Fix outstanding_pi index for GSI qps
  net: tulip: Adjust indentation in {dmfe, uli526x}_init_module
  net: smc911x: Adjust indentation in smc911x_phy_configure
  ppp: Adjust indentation into ppp_async_input
  NFC: pn544: Adjust indentation in pn544_hci_check_presence
  drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable
  powerpc/44x: Adjust indentation in ibm4xx_denali_fixup_memsize
  ext2: Adjust indentation in ext2_fill_super
  phy: qualcomm: Adjust indentation in read_poll_timeout
  scsi: ufs: Recheck bkops level if bkops is disabled
  scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free
  scsi: csiostor: Adjust indentation in csio_device_reset
  scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type
  percpu: Separate decrypted varaibles anytime encryption can be enabled
  drm/amd/dm/mst: Ignore payload update failures
  clk: tegra: Mark fuse clock as critical
  KVM: s390: do not clobber registers during guest reset/store status
  KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails
  KVM: x86: Don't let userspace set host-reserved cr4 bits
  x86/kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit
  KVM: PPC: Book3S PR: Free shared page if mmu initialization fails
  KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails
  KVM: x86: Fix potential put_fpu() w/o load_fpu() on MPX platform
  KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks
  KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks
  KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c
  KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks
  KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks
  KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks
  KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks
  KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks
  KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks
  KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks
  KVM: x86: Refactor prefix decoding to prevent Spectre-v1/L1TF attacks
  KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks
  aio: prevent potential eventfd recursion on poll
  eventfd: track eventfd_signal() recursion depth
  bcache: add readahead cache policy options via sysfs interface
  watchdog: fix UAF in reboot notifier handling in watchdog core code
  xen/balloon: Support xend-based toolstack take two
  tools/kvm_stat: Fix kvm_exit filter name
  media: rc: ensure lirc is initialized before registering input device
  drm/rect: Avoid division by zero
  gfs2: fix O_SYNC write handling
  gfs2: move setting current->backing_dev_info
  sunrpc: expiry_time should be seconds not timeval
  mwifiex: fix unbalanced locking in mwifiex_process_country_ie()
  iwlwifi: don't throw error when trying to remove IGTK
  ARM: tegra: Enable PLLP bypass during Tegra124 LP1
  Btrfs: fix race between adding and putting tree mod seq elements and nodes
  btrfs: set trans->drity in btrfs_commit_transaction
  Btrfs: fix missing hole after hole punching and fsync when using NO_HOLES
  jbd2_seq_info_next should increase position index
  NFS: Directory page cache pages need to be locked when read
  NFS: Fix memory leaks and corruption in readdir
  scsi: qla2xxx: Fix unbound NVME response length
  crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill
  crypto: api - Fix race condition in crypto_spawn_alg
  crypto: atmel-aes - Fix counter overflow in CTR mode
  crypto: pcrypt - Do not clear MAY_SLEEP flag in original request
  crypto: ccp - set max RSA modulus size for v3 platform devices as well
  samples/bpf: Don't try to remove user's homedir on clean
  ftrace: Protect ftrace_graph_hash with ftrace_sync
  ftrace: Add comment to why rcu_dereference_sched() is open coded
  tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu
  tracing: Annotate ftrace_graph_hash pointer with __rcu
  padata: Remove broken queue flushing
  dm writecache: fix incorrect flush sequence when doing SSD mode commit
  dm: fix potential for q->make_request_fn NULL pointer
  dm crypt: fix benbi IV constructor crash if used in authenticated mode
  dm space map common: fix to ensure new block isn't already in use
  dm zoned: support zone sizes smaller than 128MiB
  of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc
  PM: core: Fix handling of devices deleted during system-wide resume
  f2fs: code cleanup for f2fs_statfs_project()
  f2fs: fix miscounted block limit in f2fs_statfs_project()
  f2fs: choose hardlimit when softlimit is larger than hardlimit in f2fs_statfs_project()
  ovl: fix wrong WARN_ON() in ovl_cache_update_ino()
  power: supply: ltc2941-battery-gauge: fix use-after-free
  scsi: qla2xxx: Fix mtcp dump collection failure
  scripts/find-unused-docs: Fix massive false positives
  crypto: ccree - fix PM race condition
  crypto: ccree - fix pm wrongful error reporting
  crypto: ccree - fix backlog memory leak
  crypto: api - Check spawn->alg under lock in crypto_drop_spawn
  mfd: axp20x: Mark AXP20X_VBUS_IPSOUT_MGMT as volatile
  hv_balloon: Balloon up according to request page number
  mmc: sdhci-of-at91: fix memleak on clk_get failure
  PCI: keystone: Fix link training retries initiation
  crypto: geode-aes - convert to skcipher API and make thread-safe
  ubifs: Fix deadlock in concurrent bulk-read and writepage
  ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag
  ubifs: don't trigger assertion on invalid no-key filename
  ubifs: Reject unsupported ioctl flags explicitly
  alarmtimer: Unregister wakeup source when module get fails
  ACPI / battery: Deal better with neither design nor full capacity not being reported
  ACPI / battery: Use design-cap for capacity calculations if full-cap is not available
  ACPI / battery: Deal with design or full capacity being reported as -1
  ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards
  mmc: spi: Toggle SPI polarity, do not hardcode it
  PCI: tegra: Fix return value check of pm_runtime_get_sync()
  smb3: fix signing verification of large reads
  powerpc/pseries: Advance pfn if section is not present in lmb_is_removable()
  powerpc/xmon: don't access ASDR in VMs
  s390/mm: fix dynamic pagetable upgrade for hugetlbfs
  MIPS: boot: fix typo in 'vmlinux.lzma.its' target
  MIPS: fix indentation of the 'RELOCS' message
  KVM: arm64: Only sign-extend MMIO up to register width
  KVM: arm/arm64: Correct AArch32 SPSR on exception entry
  KVM: arm/arm64: Correct CPSR on exception entry
  KVM: arm64: Correct PSTATE on exception entry
  ALSA: hda: Add Clevo W65_67SB the power_save blacklist
  platform/x86: intel_scu_ipc: Fix interrupt support
  irqdomain: Fix a memory leak in irq_domain_push_irq()
  lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more()
  media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments
  media: v4l2-core: compat: ignore native command codes
  media/v4l2-core: set pages dirty upon releasing DMA buffers
  mm: move_pages: report the number of non-attempted pages
  mm/memory_hotplug: fix remove_memory() lockdep splat
  ALSA: dummy: Fix PCM format loop in proc output
  ALSA: usb-audio: Fix endianess in descriptor validation
  usb: gadget: f_ecm: Use atomic_t to track in-flight request
  usb: gadget: f_ncm: Use atomic_t to track in-flight request
  usb: gadget: legacy: set max_speed to super-speed
  usb: typec: tcpci: mask event interrupts when remove driver
  brcmfmac: Fix memory leak in brcmf_usbdev_qinit
  rcu: Avoid data-race in rcu_gp_fqs_check_wake()
  tracing: Fix sched switch start/stop refcount racy updates
  ipc/msg.c: consolidate all xxxctl_down() functions
  mfd: dln2: More sanity checking for endpoints
  media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors
  rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect
  rxrpc: Fix missing active use pinning of rxrpc_local object
  rxrpc: Fix insufficient receive notification generation
  rxrpc: Fix use-after-free in rxrpc_put_local()
  tcp: clear tp->segs_{in|out} in tcp_disconnect()
  tcp: clear tp->data_segs{in|out} in tcp_disconnect()
  tcp: clear tp->delivered in tcp_disconnect()
  tcp: clear tp->total_retrans in tcp_disconnect()
  bnxt_en: Fix TC queue mapping.
  net: stmmac: Delete txtimer in suspend()
  net_sched: fix an OOB access in cls_tcindex
  net: hsr: fix possible NULL deref in hsr_handle_frame()
  l2tp: Allow duplicate session creation with UDP
  gtp: use __GFP_NOWARN to avoid memalloc warning
  cls_rsvp: fix rsvp_policy
  sparc32: fix struct ipc64_perm type definition
  iwlwifi: mvm: fix NVM check for 3168 devices
  printk: fix exclusive_console replaying
  udf: Allow writing to 'Rewritable' partitions
  x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR
  ocfs2: fix oops when writing cloned file
  media: iguanair: fix endpoint sanity check
  kernel/module: Fix memleak in module_add_modinfo_attrs()
  ovl: fix lseek overflow on 32bit
  Revert "drm/sun4i: dsi: Change the start delay calculation"
  ANDROID: Revert "ANDROID: gki_defconfig: removed CONFIG_PM_WAKELOCKS"
  ANDROID: dm: prevent default-key from being enabled without needed hooks
  ANDROID: gki: x86: Enable PCI_MSI, WATCHDOG, HPET
  ANDROID: Incremental fs: Fix crash on failed lookup
  ANDROID: Incremental fs: Make files writeable
  ANDROID: update abi for 4.19.102
  ANDROID: Incremental fs: Remove C++-style comments
  Linux 4.19.102
  mm/migrate.c: also overwrite error when it is bigger than zero
  perf report: Fix no libunwind compiled warning break s390 issue
  btrfs: do not zero f_bavail if we have available space
  net: Fix skb->csum update in inet_proto_csum_replace16().
  l2t_seq_next should increase position index
  seq_tab_next() should increase position index
  net: fsl/fman: rename IF_MODE_XGMII to IF_MODE_10G
  net/fsl: treat fsl,erratum-a011043
  powerpc/fsl/dts: add fsl,erratum-a011043
  qlcnic: Fix CPU soft lockup while collecting firmware dump
  ARM: dts: am43x-epos-evm: set data pin directions for spi0 and spi1
  r8152: get default setting of WOL before initializing
  airo: Add missing CAP_NET_ADMIN check in AIROOLDIOCTL/SIOCDEVPRIVATE
  airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE
  tee: optee: Fix compilation issue with nommu
  ARM: 8955/1: virt: Relax arch timer version check during early boot
  scsi: fnic: do not queue commands during fwreset
  xfrm: interface: do not confirm neighbor when do pmtu update
  xfrm interface: fix packet tx through bpf_redirect()
  vti[6]: fix packet tx through bpf_redirect()
  ARM: dts: am335x-boneblack-common: fix memory size
  iwlwifi: Don't ignore the cap field upon mcc update
  riscv: delete temporary files
  bnxt_en: Fix ipv6 RFS filter matching logic.
  net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec
  netfilter: nft_tunnel: ERSPAN_VERSION must not be null
  wireless: wext: avoid gcc -O3 warning
  mac80211: Fix TKIP replay protection immediately after key setup
  cfg80211: Fix radar event during another phy CAC
  wireless: fix enabling channel 12 for custom regulatory domain
  parisc: Use proper printk format for resource_size_t
  qmi_wwan: Add support for Quectel RM500Q
  ASoC: sti: fix possible sleep-in-atomic
  platform/x86: GPD pocket fan: Allow somewhat lower/higher temperature limits
  igb: Fix SGMII SFP module discovery for 100FX/LX.
  ixgbe: Fix calculation of queue with VFs and flow director on interface flap
  ixgbevf: Remove limit of 10 entries for unicast filter list
  ASoC: rt5640: Fix NULL dereference on module unload
  clk: mmp2: Fix the order of timer mux parents
  mac80211: mesh: restrict airtime metric to peered established plinks
  clk: sunxi-ng: h6-r: Fix AR100/R_APB2 parent order
  rseq: Unregister rseq for clone CLONE_VM
  tools lib traceevent: Fix memory leakage in filter_event
  soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot
  ARM: dts: beagle-x15-common: Model 5V0 regulator
  ARM: dts: am57xx-beagle-x15/am57xx-idk: Remove "gpios" for endpoint dt nodes
  ARM: dts: sun8i: a83t: Correct USB3503 GPIOs polarity
  media: si470x-i2c: Move free() past last use of 'radio'
  cgroup: Prevent double killing of css when enabling threaded cgroup
  Bluetooth: Fix race condition in hci_release_sock()
  ttyprintk: fix a potential deadlock in interrupt context issue
  tomoyo: Use atomic_t for statistics counter
  media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0
  media: gspca: zero usb_buf
  media: vp7045: do not read uninitialized values if usb transfer fails
  media: af9005: uninitialized variable printked
  media: digitv: don't continue if remote control state can't be read
  reiserfs: Fix memory leak of journal device string
  mm/mempolicy.c: fix out of bounds write in mpol_parse_str()
  ext4: validate the debug_want_extra_isize mount option at parse time
  arm64: kbuild: remove compressed images on 'make ARCH=arm64 (dist)clean'
  tools lib: Fix builds when glibc contains strlcpy()
  PM / devfreq: Add new name attribute for sysfs
  perf c2c: Fix return type for histogram sorting comparision functions
  rsi: fix use-after-free on failed probe and unbind
  rsi: add hci detach for hibernation and poweroff
  crypto: pcrypt - Fix user-after-free on module unload
  x86/resctrl: Fix a deadlock due to inaccurate reference
  x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup
  x86/resctrl: Fix use-after-free when deleting resource groups
  vfs: fix do_last() regression
  ANDROID: update abi definitions
  BACKPORT: clk: core: clarify the check for runtime PM
  UPSTREAM: sched/fair/util_est: Implement faster ramp-up EWMA on utilization increases
  ANDROID: Re-use SUGOV_RT_MAX_FREQ to control uclamp rt behavior
  BACKPORT: sched/fair: Make EAS wakeup placement consider uclamp restrictions
  BACKPORT: sched/fair: Make task_fits_capacity() consider uclamp restrictions
  ANDROID: sched/core: Move SchedTune task API into UtilClamp wrappers
  ANDROID: sched/core: Add a latency-sensitive flag to uclamp
  ANDROID: sched/tune: Move SchedTune cpu API into UtilClamp wrappers
  ANDROID: init: kconfig: Only allow sched tune if !uclamp
  FROMGIT: sched/core: Fix size of rq::uclamp initialization
  FROMGIT: sched/uclamp: Fix a bug in propagating uclamp value in new cgroups
  FROMGIT: sched/uclamp: Rename uclamp_util_with() into uclamp_rq_util_with()
  FROMGIT: sched/uclamp: Make uclamp util helpers use and return UL values
  FROMGIT: sched/uclamp: Remove uclamp_util()
  BACKPORT: sched/rt: Make RT capacity-aware
  UPSTREAM: tools headers UAPI: Sync sched.h with the kernel
  UPSTREAM: sched/uclamp: Fix overzealous type replacement
  UPSTREAM: sched/uclamp: Fix incorrect condition
  UPSTREAM: sched/core: Fix compilation error when cgroup not selected
  UPSTREAM: sched/core: Fix uclamp ABI bug, clean up and robustify sched_read_attr() ABI logic and code
  UPSTREAM: sched/uclamp: Always use 'enum uclamp_id' for clamp_id values
  UPSTREAM: sched/uclamp: Update CPU's refcount on TG's clamp changes
  UPSTREAM: sched/uclamp: Use TG's clamps to restrict TASK's clamps
  UPSTREAM: sched/uclamp: Propagate system defaults to the root group
  UPSTREAM: sched/uclamp: Propagate parent clamps
  UPSTREAM: sched/uclamp: Extend CPU's cgroup controller
  BACKPORT: sched/uclamp: Add uclamp support to energy_compute()
  UPSTREAM: sched/uclamp: Add uclamp_util_with()
  BACKPORT: sched/cpufreq, sched/uclamp: Add clamps for FAIR and RT tasks
  UPSTREAM: sched/uclamp: Set default clamps for RT tasks
  UPSTREAM: sched/uclamp: Reset uclamp values on RESET_ON_FORK
  UPSTREAM: sched/uclamp: Extend sched_setattr() to support utilization clamping
  UPSTREAM: sched/core: Allow sched_setattr() to use the current policy
  UPSTREAM: sched/uclamp: Add system default clamps
  UPSTREAM: sched/uclamp: Enforce last task's UCLAMP_MAX
  UPSTREAM: sched/uclamp: Add bucket local max tracking
  UPSTREAM: sched/uclamp: Add CPU's clamp buckets refcounting
  UPSTREAM: cgroup: add cgroup_parse_float()
  Linux 4.19.101
  KVM: arm64: Write arch.mdcr_el2 changes since last vcpu_load on VHE
  block: fix 32 bit overflow in __blkdev_issue_discard()
  block: cleanup __blkdev_issue_discard()
  random: try to actively add entropy rather than passively wait for it
  crypto: af_alg - Use bh_lock_sock in sk_destruct
  rsi: fix non-atomic allocation in completion handler
  rsi: fix memory leak on failed URB submission
  rsi: fix use-after-free on probe errors
  sched/fair: Fix insertion in rq->leaf_cfs_rq_list
  sched/fair: Add tmp_alone_branch assertion
  usb-storage: Disable UAS on JMicron SATA enclosure
  ARM: OMAP2+: SmartReflex: add omap_sr_pdata definition
  iommu/amd: Support multiple PCI DMA aliases in IRQ Remapping
  PCI: Add DMA alias quirk for Intel VCA NTB
  platform/x86: dell-laptop: disable kbd backlight on Inspiron 10xx
  HID: steam: Fix input device disappearing
  atm: eni: fix uninitialized variable warning
  gpio: max77620: Add missing dependency on GPIOLIB_IRQCHIP
  net: wan: sdla: Fix cast from pointer to integer of different size
  drivers/net/b44: Change to non-atomic bit operations on pwol_mask
  spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls
  watchdog: rn5t618_wdt: fix module aliases
  watchdog: max77620_wdt: fix potential build errors
  phy: cpcap-usb: Prevent USB line glitches from waking up modem
  phy: qcom-qmp: Increase PHY ready timeout
  drivers/hid/hid-multitouch.c: fix a possible null pointer access.
  HID: Add quirk for incorrect input length on Lenovo Y720
  HID: ite: Add USB id match for Acer SW5-012 keyboard dock
  HID: Add quirk for Xin-Mo Dual Controller
  arc: eznps: fix allmodconfig kconfig warning
  HID: multitouch: Add LG MELF0410 I2C touchscreen support
  net_sched: fix ops->bind_class() implementations
  net_sched: ematch: reject invalid TCF_EM_SIMPLE
  zd1211rw: fix storage endpoint lookup
  rtl8xxxu: fix interface sanity check
  brcmfmac: fix interface sanity check
  ath9k: fix storage endpoint lookup
  cifs: Fix memory allocation in __smb2_handle_cancelled_cmd()
  crypto: chelsio - fix writing tfm flags to wrong place
  iio: st_gyro: Correct data for LSM9DS0 gyro
  mei: me: add comet point (lake) H device ids
  component: do not dereference opaque pointer in debugfs
  serial: 8250_bcm2835aux: Fix line mismatch on driver unbind
  staging: vt6656: Fix false Tx excessive retries reporting.
  staging: vt6656: use NULLFUCTION stack on mac80211
  staging: vt6656: correct packet types for CTS protect, mode.
  staging: wlan-ng: ensure error return is actually returned
  staging: most: net: fix buffer overflow
  usb: dwc3: turn off VBUS when leaving host mode
  USB: serial: ir-usb: fix IrLAP framing
  USB: serial: ir-usb: fix link-speed handling
  USB: serial: ir-usb: add missing endpoint sanity check
  usb: dwc3: pci: add ID for the Intel Comet Lake -V variant
  rsi_91x_usb: fix interface sanity check
  orinoco_usb: fix interface sanity check
  ANDROID: gki: Removed cf modules from gki_defconfig
  ANDROID: Remove default y for VIRTIO_PCI_LEGACY
  ANDROID: gki_defconfig: Remove SND_8X0
  ANDROID: gki: Fixed some typos in Kconfig.gki
  ANDROID: modularize BLK_MQ_VIRTIO
  ANDROID: kallsyms: strip hashes from function names with ThinLTO
  ANDROID: Incremental fs: Remove unneeded compatibility typedef
  ANDROID: Incremental fs: Enable incrementalfs in GKI
  ANDROID: Incremental fs: Fix sparse errors
  ANDROID: Fixing incremental fs style issues
  ANDROID: Make incfs selftests pass
  ANDROID: Initial commit of Incremental FS
  ANDROID: gki_defconfig: Enable req modules in GKI
  ANDROID: gki_defconfig: Set IKHEADERS back to =y
  UPSTREAM: UAPI: ndctl: Remove use of PAGE_SIZE
  Linux 4.19.100
  mm/memory_hotplug: shrink zones when offlining memory
  mm/memory_hotplug: fix try_offline_node()
  mm/memunmap: don't access uninitialized memmap in memunmap_pages()
  drivers/base/node.c: simplify unregister_memory_block_under_nodes()
  mm/hotplug: kill is_dev_zone() usage in __remove_pages()
  mm/memory_hotplug: remove "zone" parameter from sparse_remove_one_section
  mm/memory_hotplug: make unregister_memory_block_under_nodes() never fail
  mm/memory_hotplug: remove memory block devices before arch_remove_memory()
  mm/memory_hotplug: create memory block devices after arch_add_memory()
  drivers/base/memory: pass a block_id to init_memory_block()
  mm/memory_hotplug: allow arch_remove_memory() without CONFIG_MEMORY_HOTREMOVE
  s390x/mm: implement arch_remove_memory()
  mm/memory_hotplug: make __remove_pages() and arch_remove_memory() never fail
  powerpc/mm: Fix section mismatch warning
  mm/memory_hotplug: make __remove_section() never fail
  mm/memory_hotplug: make unregister_memory_section() never fail
  mm, memory_hotplug: update a comment in unregister_memory()
  drivers/base/memory.c: clean up relics in function parameters
  mm/memory_hotplug: release memory resource after arch_remove_memory()
  mm, memory_hotplug: add nid parameter to arch_remove_memory
  drivers/base/memory.c: remove an unnecessary check on NR_MEM_SECTIONS
  mm, sparse: pass nid instead of pgdat to sparse_add_one_section()
  mm, sparse: drop pgdat_resize_lock in sparse_add/remove_one_section()
  mm/memory_hotplug: make remove_memory() take the device_hotplug_lock
  net/x25: fix nonblocking connect
  netfilter: nf_tables: add __nft_chain_type_get()
  netfilter: ipset: use bitmap infrastructure completely
  scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func
  media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT
  libertas: Fix two buffer overflows at parsing bss descriptor
  coresight: tmc-etf: Do not call smp_processor_id from preemptible
  coresight: etb10: Do not call smp_processor_id from preemptible
  crypto: geode-aes - switch to skcipher for cbc(aes) fallback
  sd: Fix REQ_OP_ZONE_REPORT completion handling
  tracing: Fix histogram code when expression has same var as value
  tracing: Remove open-coding of hist trigger var_ref management
  tracing: Use hist trigger's var_ref array to destroy var_refs
  net/sonic: Prevent tx watchdog timeout
  net/sonic: Fix CAM initialization
  net/sonic: Fix command register usage
  net/sonic: Quiesce SONIC before re-initializing descriptor memory
  net/sonic: Fix receive buffer replenishment
  net/sonic: Improve receive descriptor status flag check
  net/sonic: Avoid needless receive descriptor EOL flag updates
  net/sonic: Fix receive buffer handling
  net/sonic: Fix interface error stats collection
  net/sonic: Use MMIO accessors
  net/sonic: Clear interrupt flags immediately
  net/sonic: Add mutual exclusion for accessing shared state
  do_last(): fetch directory ->i_mode and ->i_uid before it's too late
  tracing: xen: Ordered comparison of function pointers
  scsi: RDMA/isert: Fix a recently introduced regression related to logout
  hwmon: (nct7802) Fix voltage limits to wrong registers
  netfilter: nft_osf: add missing check for DREG attribute
  Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register
  Input: pegasus_notetaker - fix endpoint sanity check
  Input: aiptek - fix endpoint sanity check
  Input: gtco - fix endpoint sanity check
  Input: sur40 - fix interface sanity checks
  Input: pm8xxx-vib - fix handling of separate enable register
  Documentation: Document arm64 kpti control
  mmc: sdhci: fix minimum clock rate for v3 controller
  mmc: tegra: fix SDR50 tuning override
  ARM: 8950/1: ftrace/recordmcount: filter relocation types
  Revert "Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers"
  Input: keyspan-remote - fix control-message timeouts
  tracing: trigger: Replace unneeded RCU-list traversals
  PCI: Mark AMD Navi14 GPU rev 0xc5 ATS as broken
  hwmon: (core) Do not use device managed functions for memory allocations
  hwmon: (adt7475) Make volt2reg return same reg as reg2volt input
  afs: Fix characters allowed into cell names
  tun: add mutex_unlock() call and napi.skb clearing in tun_get_user()
  tcp: do not leave dangling pointers in tp->highest_sack
  tcp_bbr: improve arithmetic division in bbr_update_bw()
  Revert "udp: do rmem bulk free even if the rx sk queue is empty"
  net: usb: lan78xx: Add .ndo_features_check
  net-sysfs: Fix reference count leak
  net-sysfs: Call dev_hold always in rx_queue_add_kobject
  net-sysfs: Call dev_hold always in netdev_queue_add_kobject
  net-sysfs: fix netdev_queue_add_kobject() breakage
  net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
  net_sched: fix datalen for ematch
  net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()
  net, ip_tunnel: fix namespaces move
  net, ip6_tunnel: fix namespaces move
  net: ip6_gre: fix moving ip6gre between namespaces
  net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM
  net: bcmgenet: Use netif_tx_napi_add() for TX NAPI
  ipv6: sr: remove SKB_GSO_IPXIP6 on End.D* actions
  gtp: make sure only SOCK_DGRAM UDP sockets are accepted
  firestream: fix memory leaks
  can, slip: Protect tty->disc_data in write_wakeup and close with RCU
  ANDROID: update abi definitions
  UPSTREAM: staging: most: net: fix buffer overflow
  ANDROID: gki_defconfig: Enable CONFIG_BTT
  ANDROID: gki_defconfig: Temporarily disable CFI
  f2fs: fix race conditions in ->d_compare() and ->d_hash()
  f2fs: fix dcache lookup of !casefolded directories
  f2fs: Add f2fs stats to sysfs
  f2fs: delete duplicate information on sysfs nodes
  f2fs: change to use rwsem for gc_mutex
  f2fs: update f2fs document regarding to fsync_mode
  f2fs: add a way to turn off ipu bio cache
  f2fs: code cleanup for f2fs_statfs_project()
  f2fs: fix miscounted block limit in f2fs_statfs_project()
  f2fs: show the CP_PAUSE reason in checkpoint traces
  f2fs: fix deadlock allocating bio_post_read_ctx from mempool
  f2fs: remove unneeded check for error allocating bio_post_read_ctx
  f2fs: convert inline_dir early before starting rename
  f2fs: fix memleak of kobject
  f2fs: fix to add swap extent correctly
  mm: export add_swap_extent()
  f2fs: run fsck when getting bad inode during GC
  f2fs: support data compression
  f2fs: free sysfs kobject
  f2fs: declare nested quota_sem and remove unnecessary sems
  f2fs: don't put new_page twice in f2fs_rename
  f2fs: set I_LINKABLE early to avoid wrong access by vfs
  f2fs: don't keep META_MAPPING pages used for moving verity file blocks
  f2fs: introduce private bioset
  f2fs: cleanup duplicate stats for atomic files
  f2fs: set GFP_NOFS when moving inline dentries
  f2fs: should avoid recursive filesystem ops
  f2fs: keep quota data on write_begin failure
  f2fs: call f2fs_balance_fs outside of locked page
  f2fs: preallocate DIO blocks when forcing buffered_io
  Linux 4.19.99
  m68k: Call timer_interrupt() with interrupts disabled
  arm64: dts: meson-gxm-khadas-vim2: fix uart_A bluetooth node
  serial: stm32: fix clearing interrupt error flags
  IB/iser: Fix dma_nents type definition
  usb: dwc3: Allow building USB_DWC3_QCOM without EXTCON
  samples/bpf: Fix broken xdp_rxq_info due to map order assumptions
  arm64: dts: juno: Fix UART frequency
  drm/radeon: fix bad DMA from INTERRUPT_CNTL2
  dmaengine: ti: edma: fix missed failure handling
  afs: Remove set but not used variables 'before', 'after'
  affs: fix a memory leak in affs_remount
  mmc: core: fix wl1251 sdio quirks
  mmc: sdio: fix wl1251 vendor id
  i2c: stm32f7: report dma error during probe
  packet: fix data-race in fanout_flow_is_huge()
  net: neigh: use long type to store jiffies delta
  hv_netvsc: flag software created hash value
  MIPS: Loongson: Fix return value of loongson_hwmon_init
  dpaa_eth: avoid timestamp read on error paths
  dpaa_eth: perform DMA unmapping before read
  hwrng: omap3-rom - Fix missing clock by probing with device tree
  drm: panel-lvds: Potential Oops in probe error handling
  afs: Fix large file support
  hv_netvsc: Fix send_table offset in case of a host bug
  hv_netvsc: Fix offset usage in netvsc_send_table()
  net: qca_spi: Move reset_count to struct qcaspi
  afs: Fix missing timeout reset
  bpf, offload: Unlock on error in bpf_offload_dev_create()
  xsk: Fix registration of Rx-only sockets
  net: netem: correct the parent's backlog when corrupted packet was dropped
  net: netem: fix error path for corrupted GSO frames
  arm64: hibernate: check pgd table allocation
  firmware: dmi: Fix unlikely out-of-bounds read in save_mem_devices
  dmaengine: imx-sdma: fix size check for sdma script_number
  vhost/test: stop device before reset
  drm/msm/dsi: Implement reset correctly
  net/smc: receive pending data after RCV_SHUTDOWN
  net/smc: receive returns without data
  tcp: annotate lockless access to tcp_memory_pressure
  net: add {READ|WRITE}_ONCE() annotations on ->rskq_accept_head
  net: avoid possible false sharing in sk_leave_memory_pressure()
  act_mirred: Fix mirred_init_module error handling
  s390/qeth: Fix initialization of vnicc cmd masks during set online
  s390/qeth: Fix error handling during VNICC initialization
  sctp: add chunks to sk_backlog when the newsk sk_socket is not set
  net: stmmac: fix disabling flexible PPS output
  net: stmmac: fix length of PTP clock's name string
  ip6erspan: remove the incorrect mtu limit for ip6erspan
  llc: fix sk_buff refcounting in llc_conn_state_process()
  llc: fix another potential sk_buff leak in llc_ui_sendmsg()
  mac80211: accept deauth frames in IBSS mode
  rxrpc: Fix trace-after-put looking at the put connection record
  net: stmmac: gmac4+: Not all Unicast addresses may be available
  nvme: retain split access workaround for capability reads
  net: sched: cbs: Avoid division by zero when calculating the port rate
  net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse()
  net: nixge: Fix a signedness bug in nixge_probe()
  of: mdio: Fix a signedness bug in of_phy_get_and_connect()
  net: axienet: fix a signedness bug in probe
  net: stmmac: dwmac-meson8b: Fix signedness bug in probe
  net: socionext: Fix a signedness bug in ave_probe()
  net: netsec: Fix signedness bug in netsec_probe()
  net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe()
  net: hisilicon: Fix signedness bug in hix5hd2_dev_probe()
  cxgb4: Signedness bug in init_one()
  net: aquantia: Fix aq_vec_isr_legacy() return value
  iommu/amd: Wait for completion of IOTLB flush in attach_device
  crypto: hisilicon - Matching the dma address for dma_pool_free()
  bpf: fix BTF limits
  powerpc/mm/mce: Keep irqs disabled during lockless page table walk
  clk: actions: Fix factor clk struct member access
  mailbox: qcom-apcs: fix max_register value
  f2fs: fix to avoid accessing uninitialized field of inode page in is_alive()
  bnxt_en: Increase timeout for HWRM_DBG_COREDUMP_XX commands
  um: Fix off by one error in IRQ enumeration
  net/rds: Fix 'ib_evt_handler_call' element in 'rds_ib_stat_names'
  RDMA/cma: Fix false error message
  ath10k: adjust skb length in ath10k_sdio_mbox_rx_packet
  gpio/aspeed: Fix incorrect number of banks
  pinctrl: iproc-gpio: Fix incorrect pinconf configurations
  net: sonic: replace dev_kfree_skb in sonic_send_packet
  hwmon: (shtc1) fix shtc1 and shtw1 id mask
  ixgbe: sync the first fragment unconditionally
  btrfs: use correct count in btrfs_file_write_iter()
  Btrfs: fix inode cache waiters hanging on path allocation failure
  Btrfs: fix inode cache waiters hanging on failure to start caching thread
  Btrfs: fix hang when loading existing inode cache off disk
  scsi: fnic: fix msix interrupt allocation
  f2fs: fix error path of f2fs_convert_inline_page()
  f2fs: fix wrong error injection path in inc_valid_block_count()
  ARM: dts: logicpd-som-lv: Fix i2c2 and i2c3 Pin mux
  rtlwifi: Fix file release memory leak
  net: hns3: fix error VF index when setting VLAN offload
  net: sonic: return NETDEV_TX_OK if failed to map buffer
  led: triggers: Fix dereferencing of null pointer
  xsk: avoid store-tearing when assigning umem
  xsk: avoid store-tearing when assigning queues
  ARM: dts: aspeed-g5: Fixe gpio-ranges upper limit
  tty: serial: fsl_lpuart: Use appropriate lpuart32_* I/O funcs
  wcn36xx: use dynamic allocation for large variables
  ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init
  netfilter: ctnetlink: honor IPS_OFFLOAD flag
  iio: dac: ad5380: fix incorrect assignment to val
  bcache: Fix an error code in bch_dump_read()
  usb: typec: tps6598x: Fix build error without CONFIG_REGMAP_I2C
  bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA
  irqdomain: Add the missing assignment of domain->fwnode for named fwnode
  staging: greybus: light: fix a couple double frees
  x86, perf: Fix the dependency of the x86 insn decoder selftest
  power: supply: Init device wakeup after device_add()
  net/sched: cbs: Set default link speed to 10 Mbps in cbs_set_port_rate
  hwmon: (lm75) Fix write operations for negative temperatures
  Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()"
  rxrpc: Fix lack of conn cleanup when local endpoint is cleaned up [ver #2]
  ahci: Do not export local variable ahci_em_messages
  iommu/mediatek: Fix iova_to_phys PA start for 4GB mode
  media: em28xx: Fix exception handling in em28xx_alloc_urbs()
  mips: avoid explicit UB in assignment of mips_io_port_base
  rtc: pcf2127: bugfix: read rtc disables watchdog
  ARM: 8896/1: VDSO: Don't leak kernel addresses
  media: atmel: atmel-isi: fix timeout value for stop streaming
  i40e: reduce stack usage in i40e_set_fc
  mac80211: minstrel_ht: fix per-group max throughput rate initialization
  rtc: rv3029: revert error handling patch to rv3029_eeprom_write()
  dmaengine: dw: platform: Switch to acpi_dma_controller_register()
  ASoC: sun4i-i2s: RX and TX counter registers are swapped
  powerpc/64s/radix: Fix memory hot-unplug page table split
  signal: Allow cifs and drbd to receive their terminating signals
  bnxt_en: Fix handling FRAG_ERR when NVM_INSTALL_UPDATE cmd fails
  drm: rcar-du: lvds: Fix bridge_to_rcar_lvds
  tools: bpftool: fix format strings and arguments for jsonw_printf()
  tools: bpftool: fix arguments for p_err() in do_event_pipe()
  net/rds: Add a few missing rds_stat_names entries
  ASoC: wm8737: Fix copy-paste error in wm8737_snd_controls
  ASoC: cs4349: Use PM ops 'cs4349_runtime_pm'
  ASoC: es8328: Fix copy-paste error in es8328_right_line_controls
  RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver
  RDMA/hns: Bugfix for slab-out-of-bounds when unloading hip08 driver
  ext4: set error return correctly when ext4_htree_store_dirent fails
  crypto: caam - free resources in case caam_rng registration failed
  cxgb4: smt: Add lock for atomic_dec_and_test
  spi: bcm-qspi: Fix BSPI QUAD and DUAL mode support when using flex mode
  net: fix bpf_xdp_adjust_head regression for generic-XDP
  iio: tsl2772: Use devm_add_action_or_reset for tsl2772_chip_off
  cifs: fix rmmod regression in cifs.ko caused by force_sig changes
  net/mlx5: Fix mlx5_ifc_query_lag_out_bits
  ARM: dts: stm32: add missing vdda-supply to adc on stm32h743i-eval
  tipc: reduce risk of wakeup queue starvation
  arm64: dts: renesas: r8a77995: Fix register range of display node
  ALSA: aoa: onyx: always initialize register read value
  crypto: ccp - Reduce maximum stack usage
  x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI
  mic: avoid statically declaring a 'struct device'.
  media: rcar-vin: Clean up correct notifier in error path
  usb: host: xhci-hub: fix extra endianness conversion
  qed: reduce maximum stack frame size
  libertas_tf: Use correct channel range in lbtf_geo_init
  PM: sleep: Fix possible overflow in pm_system_cancel_wakeup()
  clk: sunxi-ng: v3s: add the missing PLL_DDR1
  drm/panel: make drm_panel.h self-contained
  xfrm interface: ifname may be wrong in logs
  scsi: libfc: fix null pointer dereference on a null lport
  ARM: stm32: use "depends on" instead of "if" after prompt
  xdp: fix possible cq entry leak
  x86/pgtable/32: Fix LOWMEM_PAGES constant
  net/tls: fix socket wmem accounting on fallback with netem
  net: pasemi: fix an use-after-free in pasemi_mac_phy_init()
  ceph: fix "ceph.dir.rctime" vxattr value
  PCI: mobiveil: Fix the valid check for inbound and outbound windows
  PCI: mobiveil: Fix devfn check in mobiveil_pcie_valid_device()
  PCI: mobiveil: Remove the flag MSI_FLAG_MULTI_PCI_MSI
  RDMA/hns: Fixs hw access invalid dma memory error
  fsi: sbefifo: Don't fail operations when in SBE IPL state
  devres: allow const resource arguments
  fsi/core: Fix error paths on CFAM init
  ACPI: PM: Introduce "poweroff" callbacks for ACPI PM domain and LPSS
  ACPI: PM: Simplify and fix PM domain hibernation callbacks
  PM: ACPI/PCI: Resume all devices during hibernation
  um: Fix IRQ controller regression on console read
  xprtrdma: Fix use-after-free in rpcrdma_post_recvs
  rxrpc: Fix uninitialized error code in rxrpc_send_data_packet()
  mfd: intel-lpss: Release IDA resources
  iommu/amd: Make iommu_disable safer
  bnxt_en: Suppress error messages when querying DSCP DCB capabilities.
  bnxt_en: Fix ethtool selftest crash under error conditions.
  fork,memcg: alloc_thread_stack_node needs to set tsk->stack
  backlight: pwm_bl: Fix heuristic to determine number of brightness levels
  tools: bpftool: use correct argument in cgroup errors
  nvmem: imx-ocotp: Change TIMING calculation to u-boot algorithm
  nvmem: imx-ocotp: Ensure WAIT bits are preserved when setting timing
  clk: qcom: Fix -Wunused-const-variable
  dmaengine: hsu: Revert "set HSU_CH_MTSR to memory width"
  perf/ioctl: Add check for the sample_period value
  ip6_fib: Don't discard nodes with valid routing information in fib6_locate_1()
  drm/msm/a3xx: remove TPL1 regs from snapshot
  arm64: dts: allwinner: h6: Pine H64: Add interrupt line for RTC
  net/sched: cbs: Fix error path of cbs_module_init
  ARM: dts: iwg20d-q7-common: Fix SDHI1 VccQ regularor
  rtc: pcf8563: Clear event flags and disable interrupts before requesting irq
  rtc: pcf8563: Fix interrupt trigger method
  ASoC: ti: davinci-mcasp: Fix slot mask settings when using multiple AXRs
  net/af_iucv: always register net_device notifier
  net/af_iucv: build proper skbs for HiperTransport
  net/udp_gso: Allow TX timestamp with UDP GSO
  net: netem: fix backlog accounting for corrupted GSO frames
  drm/msm/mdp5: Fix mdp5_cfg_init error return
  IB/hfi1: Handle port down properly in pio
  bpf: fix the check that forwarding is enabled in bpf_ipv6_fib_lookup
  powerpc/pseries/mobility: rebuild cacheinfo hierarchy post-migration
  powerpc/cacheinfo: add cacheinfo_teardown, cacheinfo_rebuild
  qed: iWARP - fix uninitialized callback
  qed: iWARP - Use READ_ONCE and smp_store_release to access ep->state
  ASoC: meson: axg-tdmout: right_j is not supported
  ASoC: meson: axg-tdmin: right_j is not supported
  ntb_hw_switchtec: potential shift wrapping bug in switchtec_ntb_init_sndev()
  firmware: arm_scmi: update rate_discrete in clock_describe_rates_get
  firmware: arm_scmi: fix bitfield definitions for SENSOR_DESC attributes
  phy: usb: phy-brcm-usb: Remove sysfs attributes upon driver removal
  iommu/vt-d: Duplicate iommu_resv_region objects per device list
  arm64: dts: meson-gxm-khadas-vim2: fix Bluetooth support
  arm64: dts: meson-gxm-khadas-vim2: fix gpio-keys-polled node
  serial: stm32: fix a recursive locking in stm32_config_rs485
  mpls: fix warning with multi-label encap
  arm64: dts: renesas: ebisu: Remove renesas, no-ether-link property
  crypto: inside-secure - fix queued len computation
  crypto: inside-secure - fix zeroing of the request in ahash_exit_inv
  media: vivid: fix incorrect assignment operation when setting video mode
  clk: sunxi-ng: sun50i-h6-r: Fix incorrect W1 clock gate register
  cpufreq: brcmstb-avs-cpufreq: Fix types for voltage/frequency
  cpufreq: brcmstb-avs-cpufreq: Fix initial command check
  phy: qcom-qusb2: fix missing assignment of ret when calling clk_prepare_enable
  net: don't clear sock->sk early to avoid trouble in strparser
  RDMA/uverbs: check for allocation failure in uapi_add_elm()
  net: core: support XDP generic on stacked devices.
  netvsc: unshare skb in VF rx handler
  crypto: talitos - fix AEAD processing.
  net: hns3: fix a memory leak issue for hclge_map_unmap_ring_to_vf_vector
  inet: frags: call inet_frags_fini() after unregister_pernet_subsys()
  signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of force_sig
  signal/bpfilter: Fix bpfilter_kernl to use send_sig not force_sig
  iommu: Use right function to get group for device
  iommu: Add missing new line for dma type
  misc: sgi-xp: Properly initialize buf in xpc_get_rsvd_page_pa
  serial: stm32: fix wakeup source initialization
  serial: stm32: Add support of TC bit status check
  serial: stm32: fix transmit_chars when tx is stopped
  serial: stm32: fix rx data length when parity enabled
  serial: stm32: fix rx error handling
  serial: stm32: fix word length configuration
  crypto: ccp - Fix 3DES complaint from ccp-crypto module
  crypto: ccp - fix AES CFB error exposed by new test vectors
  spi: spi-fsl-spi: call spi_finalize_current_message() at the end
  RDMA/qedr: Fix incorrect device rate.
  arm64: dts: meson: libretech-cc: set eMMC as removable
  dmaengine: tegra210-adma: Fix crash during probe
  clk: meson: axg: spread spectrum is on mpll2
  clk: meson: gxbb: no spread spectrum on mpll0
  ARM: dts: sun8i-h3: Fix wifi in Beelink X2 DT
  afs: Fix double inc of vnode->cb_break
  afs: Fix lock-wait/callback-break double locking
  afs: Don't invalidate callback if AFS_VNODE_DIR_VALID not set
  afs: Fix key leak in afs_release() and afs_evict_inode()
  EDAC/mc: Fix edac_mc_find() in case no device is found
  thermal: cpu_cooling: Actually trace CPU load in thermal_power_cpu_get_power
  thermal: rcar_gen3_thermal: fix interrupt type
  backlight: lm3630a: Return 0 on success in update_status functions
  netfilter: nf_tables: correct NFT_LOGLEVEL_MAX value
  kdb: do a sanity check on the cpu in kdb_per_cpu()
  nfp: bpf: fix static check error through tightening shift amount adjustment
  ARM: riscpc: fix lack of keyboard interrupts after irq conversion
  pwm: meson: Don't disable PWM when setting duty repeatedly
  pwm: meson: Consider 128 a valid pre-divider
  netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule
  crypto: caam - fix caam_dump_sg that iterates through scatterlist
  platform/x86: alienware-wmi: printing the wrong error code
  media: davinci/vpbe: array underflow in vpbe_enum_outputs()
  media: omap_vout: potential buffer overflow in vidioc_dqbuf()
  ALSA: aica: Fix a long-time build breakage
  l2tp: Fix possible NULL pointer dereference
  vfio/mdev: Fix aborting mdev child device removal if one fails
  vfio/mdev: Follow correct remove sequence
  vfio/mdev: Avoid release parent reference during error path
  afs: Fix the afs.cell and afs.volume xattr handlers
  ath10k: Fix encoding for protected management frames
  lightnvm: pblk: fix lock order in pblk_rb_tear_down_check
  mmc: core: fix possible use after free of host
  watchdog: rtd119x_wdt: Fix remove function
  dmaengine: tegra210-adma: restore channel status
  net: ena: fix ena_com_fill_hash_function() implementation
  net: ena: fix incorrect test of supported hash function
  net: ena: fix: Free napi resources when ena_up() fails
  net: ena: fix swapped parameters when calling ena_com_indirect_table_fill_entry
  iommu/vt-d: Make kernel parameter igfx_off work with vIOMMU
  RDMA/rxe: Consider skb reserve space based on netdev of GID
  IB/mlx5: Add missing XRC options to QP optional params mask
  dwc2: gadget: Fix completed transfer size calculation in DDMA
  usb: gadget: fsl: fix link error against usb-gadget module
  ASoC: fix valid stream condition
  packet: in recvmsg msg_name return at least sizeof sockaddr_ll
  ARM: dts: logicpd-som-lv: Fix MMC1 card detect
  PCI: iproc: Enable iProc config read for PAXBv2
  netfilter: nft_flow_offload: add entry to flowtable after confirmation
  KVM: PPC: Book3S HV: Fix lockdep warning when entering the guest
  scsi: qla2xxx: Avoid that qlt_send_resp_ctio() corrupts memory
  scsi: qla2xxx: Fix error handling in qlt_alloc_qfull_cmd()
  scsi: qla2xxx: Fix a format specifier
  irqchip/gic-v3-its: fix some definitions of inner cacheability attributes
  s390/kexec_file: Fix potential segment overlap in ELF loader
  coresight: catu: fix clang build warning
  NFS: Don't interrupt file writeout due to fatal errors
  afs: Further fix file locking
  afs: Fix AFS file locking to allow fine grained locks
  ALSA: usb-audio: Handle the error from snd_usb_mixer_apply_create_quirk()
  dmaengine: axi-dmac: Don't check the number of frames for alignment
  6lowpan: Off by one handling ->nexthdr
  media: ov2659: fix unbalanced mutex_lock/unlock
  ARM: dts: ls1021: Fix SGMII PCS link remaining down after PHY disconnect
  powerpc: vdso: Make vdso32 installation conditional in vdso_install
  net: hns3: fix loop condition of hns3_get_tx_timeo_queue_info()
  selftests/ipc: Fix msgque compiler warnings
  usb: typec: tcpm: Notify the tcpc to start connection-detection for SRPs
  tipc: set sysctl_tipc_rmem and named_timeout right range
  platform/x86: alienware-wmi: fix kfree on potentially uninitialized pointer
  soc: amlogic: meson-gx-pwrc-vpu: Fix power on/off register bitmask
  PCI: dwc: Fix dw_pcie_ep_find_capability() to return correct capability offset
  staging: android: vsoc: fix copy_from_user overrun
  perf/core: Fix the address filtering fix
  hwmon: (w83627hf) Use request_muxed_region for Super-IO accesses
  net: hns3: fix for vport->bw_limit overflow problem
  PCI: rockchip: Fix rockchip_pcie_ep_assert_intx() bitwise operations
  ARM: pxa: ssp: Fix "WARNING: invalid free of devm_ allocated data"
  brcmfmac: fix leak of mypkt on error return path
  scsi: target/core: Fix a race condition in the LUN lookup code
  rxrpc: Fix detection of out of order acks
  firmware: arm_scmi: fix of_node leak in scmi_mailbox_check
  ACPI: button: reinitialize button state upon resume
  clk: qcom: Skip halt checks on gcc_pcie_0_pipe_clk for 8998
  net/sched: cbs: fix port_rate miscalculation
  of: use correct function prototype for of_overlay_fdt_apply()
  scsi: qla2xxx: Unregister chrdev if module initialization fails
  drm/vmwgfx: Remove set but not used variable 'restart'
  bpf: Add missed newline in verifier verbose log
  ehea: Fix a copy-paste err in ehea_init_port_res
  rtc: mt6397: Don't call irq_dispose_mapping.
  rtc: Fix timestamp value for RTC_TIMESTAMP_BEGIN_1900
  arm64/vdso: don't leak kernel addresses
  drm/fb-helper: generic: Call drm_client_add() after setup is done
  spi: bcm2835aux: fix driver to not allow 65535 (=-1) cs-gpios
  soc/fsl/qe: Fix an error code in qe_pin_request()
  bus: ti-sysc: Fix sysc_unprepare() when no clocks have been allocated
  spi: tegra114: configure dma burst size to fifo trig level
  spi: tegra114: flush fifos
  spi: tegra114: terminate dma and reset on transfer timeout
  spi: tegra114: fix for unpacked mode transfers
  spi: tegra114: clear packed bit for unpacked mode
  media: tw5864: Fix possible NULL pointer dereference in tw5864_handle_frame
  media: davinci-isif: avoid uninitialized variable use
  soc: qcom: cmd-db: Fix an error code in cmd_db_dev_probe()
  net: dsa: Avoid null pointer when failing to connect to PHY
  ARM: OMAP2+: Fix potentially uninitialized return value for _setup_reset()
  net: phy: don't clear BMCR in genphy_soft_reset
  ARM: dts: sun9i: optimus: Fix fixed-regulators
  arm64: dts: allwinner: a64: Add missing PIO clocks
  ARM: dts: sun8i: a33: Reintroduce default pinctrl muxing
  m68k: mac: Fix VIA timer counter accesses
  tipc: tipc clang warning
  jfs: fix bogus variable self-initialization
  crypto: ccree - reduce kernel stack usage with clang
  regulator: tps65086: Fix tps65086_ldoa1_ranges for selector 0xB
  media: cx23885: check allocation return
  media: wl128x: Fix an error code in fm_download_firmware()
  media: cx18: update *pos correctly in cx18_read_pos()
  media: ivtv: update *pos correctly in ivtv_read_pos()
  soc: amlogic: gx-socinfo: Add mask for each SoC packages
  regulator: lp87565: Fix missing register for LP87565_BUCK_0
  net: sh_eth: fix a missing check of of_get_phy_mode
  net/mlx5e: IPoIB, Fix RX checksum statistics update
  net/mlx5: Fix multiple updates of steering rules in parallel
  xen, cpu_hotplug: Prevent an out of bounds access
  drivers/rapidio/rio_cm.c: fix potential oops in riocm_ch_listen()
  nfp: fix simple vNIC mailbox length
  scsi: megaraid_sas: reduce module load time
  x86/mm: Remove unused variable 'cpu'
  nios2: ksyms: Add missing symbol exports
  PCI: Fix "try" semantics of bus and slot reset
  rbd: clear ->xferred on error from rbd_obj_issue_copyup()
  media: dvb/earth-pt1: fix wrong initialization for demod blocks
  powerpc/mm: Check secondary hash page table
  net: aquantia: fixed instack structure overflow
  NFSv4/flexfiles: Fix invalid deref in FF_LAYOUT_DEVID_NODE()
  NFS: Add missing encode / decode sequence_maxsz to v4.2 operations
  iommu/vt-d: Fix NULL pointer reference in intel_svm_bind_mm()
  hwrng: bcm2835 - fix probe as platform device
  net: sched: act_csum: Fix csum calc for tagged packets
  netfilter: nft_set_hash: bogus element self comparison from deactivation path
  netfilter: nft_set_hash: fix lookups with fixed size hash on big endian
  ath10k: Fix length of wmi tlv command for protected mgmt frames
  regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA
  ARM: 8849/1: NOMMU: Fix encodings for PMSAv8's PRBAR4/PRLAR4
  ARM: 8848/1: virt: Align GIC version check with arm64 counterpart
  ARM: 8847/1: pm: fix HYP/SVC mode mismatch when MCPM is used
  iommu: Fix IOMMU debugfs fallout
  mmc: sdhci-brcmstb: handle mmc_of_parse() errors during probe
  NFS/pnfs: Bulk destroy of layouts needs to be safe w.r.t. umount
  platform/x86: wmi: fix potential null pointer dereference
  clocksource/drivers/exynos_mct: Fix error path in timer resources initialization
  clocksource/drivers/sun5i: Fail gracefully when clock rate is unavailable
  perf, pt, coresight: Fix address filters for vmas with non-zero offset
  perf: Copy parent's address filter offsets on clone
  NFS: Fix a soft lockup in the delegation recovery code
  powerpc/64s: Fix logic when handling unknown CPU features
  staging: rtlwifi: Use proper enum for return in halmac_parse_psd_data_88xx
  fs/nfs: Fix nfs_parse_devname to not modify it's argument
  net: dsa: fix unintended change of bridge interface STP state
  ASoC: qcom: Fix of-node refcount unbalance in apq8016_sbc_parse_of()
  driver core: Fix PM-runtime for links added during consumer probe
  drm/nouveau: fix missing break in switch statement
  drm/nouveau/pmu: don't print reply values if exec is false
  drm/nouveau/bios/ramcfg: fix missing parentheses when calculating RON
  net/mlx5: Delete unused FPGA QPN variable
  net: dsa: qca8k: Enable delay for RGMII_ID mode
  regulator: pv88090: Fix array out-of-bounds access
  regulator: pv88080: Fix array out-of-bounds access
  regulator: pv88060: Fix array out-of-bounds access
  brcmfmac: create debugfs files for bus-specific layer
  cdc-wdm: pass return value of recover_from_urb_loss
  dmaengine: mv_xor: Use correct device for DMA API
  staging: r8822be: check kzalloc return or bail
  KVM: PPC: Release all hardware TCE tables attached to a group
  mdio_bus: Fix PTR_ERR() usage after initialization to constant
  hwmon: (pmbus/tps53679) Fix driver info initialization in probe routine
  vfio_pci: Enable memory accesses before calling pci_map_rom
  media: sh: migor: Include missing dma-mapping header
  mt76: usb: fix possible memory leak in mt76u_buf_free
  net: dsa: b53: Do not program CPU port's PVID
  net: dsa: b53: Properly account for VLAN filtering
  net: dsa: b53: Fix default VLAN ID
  keys: Timestamp new keys
  block: don't use bio->bi_vcnt to figure out segment number
  usb: phy: twl6030-usb: fix possible use-after-free on remove
  PCI: endpoint: functions: Use memcpy_fromio()/memcpy_toio()
  driver core: Fix possible supplier PM-usage counter imbalance
  RDMA/mlx5: Fix memory leak in case we fail to add an IB device
  pinctrl: sh-pfc: sh73a0: Fix fsic_spdif pin groups
  pinctrl: sh-pfc: r8a7792: Fix vin1_data18_b pin group
  pinctrl: sh-pfc: r8a7791: Fix scifb2_data_c pin group
  pinctrl: sh-pfc: emev2: Add missing pinmux functions
  ntb_hw_switchtec: NT req id mapping table register entry number should be 512
  ntb_hw_switchtec: debug print 64bit aligned crosslink BAR Numbers
  drm/etnaviv: potential NULL dereference
  xsk: add missing smp_rmb() in xsk_mmap
  ipmi: kcs_bmc: handle devm_kasprintf() failure case
  iw_cxgb4: use tos when finding ipv6 routes
  iw_cxgb4: use tos when importing the endpoint
  fbdev: chipsfb: remove set but not used variable 'size'
  rtc: pm8xxx: fix unintended sign extension
  rtc: 88pm80x: fix unintended sign extension
  rtc: 88pm860x: fix unintended sign extension
  net/smc: original socket family in inet_sock_diag
  rtc: ds1307: rx8130: Fix alarm handling
  net: phy: fixed_phy: Fix fixed_phy not checking GPIO
  ath10k: fix dma unmap direction for management frames
  arm64: dts: msm8916: remove bogus argument to the cpu clock
  thermal: mediatek: fix register index error
  rtc: ds1672: fix unintended sign extension
  clk: ingenic: jz4740: Fix gating of UDC clock
  staging: most: cdev: add missing check for cdev_add failure
  iwlwifi: mvm: fix RSS config command
  drm/xen-front: Fix mmap attributes for display buffers
  ARM: dts: lpc32xx: phy3250: fix SD card regulator voltage
  ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller clocks property
  ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller variant
  ARM: dts: lpc32xx: reparent keypad controller to SIC1
  ARM: dts: lpc32xx: add required clocks property to keypad device node
  driver core: Do not call rpm_put_suppliers() in pm_runtime_drop_link()
  driver core: Fix handling of runtime PM flags in device_link_add()
  driver core: Do not resume suppliers under device_links_write_lock()
  driver core: Avoid careless re-use of existing device links
  driver core: Fix DL_FLAG_AUTOREMOVE_SUPPLIER device link flag handling
  crypto: crypto4xx - Fix wrong ppc4xx_trng_probe()/ppc4xx_trng_remove() arguments
  driver: uio: fix possible use-after-free in __uio_register_device
  driver: uio: fix possible memory leak in __uio_register_device
  tty: ipwireless: Fix potential NULL pointer dereference
  bus: ti-sysc: Fix timer handling with drop pm_runtime_irq_safe()
  iwlwifi: mvm: fix A-MPDU reference assignment
  arm64: dts: allwinner: h6: Move GIC device node fix base address ordering
  ip_tunnel: Fix route fl4 init in ip_md_tunnel_xmit
  net/mlx5: Take lock with IRQs disabled to avoid deadlock
  iwlwifi: mvm: avoid possible access out of array.
  clk: sunxi-ng: sun8i-a23: Enable PLL-MIPI LDOs when ungating it
  ARM: dts: sun8i-a23-a33: Move NAND controller device node to sort by address
  net: hns3: fix bug of ethtool_ops.get_channels for VF
  spi/topcliff_pch: Fix potential NULL dereference on allocation error
  rtc: cmos: ignore bogus century byte
  IB/mlx5: Don't override existing ip_protocol
  media: tw9910: Unregister subdevice with v4l2-async
  net: hns3: fix wrong combined count returned by ethtool -l
  IB/iser: Pass the correct number of entries for dma mapped SGL
  ASoC: imx-sgtl5000: put of nodes if finding codec fails
  crypto: tgr192 - fix unaligned memory access
  crypto: brcm - Fix some set-but-not-used warning
  kbuild: mark prepare0 as PHONY to fix external module build
  media: s5p-jpeg: Correct step and max values for V4L2_CID_JPEG_RESTART_INTERVAL
  drm/etnaviv: NULL vs IS_ERR() buf in etnaviv_core_dump()
  memory: tegra: Don't invoke Tegra30+ specific memory timing setup on Tegra20
  net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ9031
  RDMA/iw_cxgb4: Fix the unchecked ep dereference
  spi: cadence: Correct initialisation of runtime PM
  arm64: dts: apq8016-sbc: Increase load on l11 for SDCARD
  drm/shmob: Fix return value check in shmob_drm_probe
  RDMA/qedr: Fix out of bounds index check in query pkey
  RDMA/ocrdma: Fix out of bounds index check in query pkey
  IB/usnic: Fix out of bounds index check in query pkey
  fork, memcg: fix cached_stacks case
  drm/fb-helper: generic: Fix setup error path
  drm/etnaviv: fix some off by one bugs
  ARM: dts: r8a7743: Remove generic compatible string from iic3
  drm: Fix error handling in drm_legacy_addctx
  remoteproc: qcom: q6v5-mss: Add missing regulator for MSM8996
  remoteproc: qcom: q6v5-mss: Add missing clocks for MSM8996
  arm64: defconfig: Re-enable bcm2835-thermal driver
  MIPS: BCM63XX: drop unused and broken DSP platform device
  clk: dove: fix refcount leak in dove_clk_init()
  clk: mv98dx3236: fix refcount leak in mv98dx3236_clk_init()
  clk: armada-xp: fix refcount leak in axp_clk_init()
  clk: kirkwood: fix refcount leak in kirkwood_clk_init()
  clk: armada-370: fix refcount leak in a370_clk_init()
  clk: vf610: fix refcount leak in vf610_clocks_init()
  clk: imx7d: fix refcount leak in imx7d_clocks_init()
  clk: imx6sx: fix refcount leak in imx6sx_clocks_init()
  clk: imx6q: fix refcount leak in imx6q_clocks_init()
  clk: samsung: exynos4: fix refcount leak in exynos4_get_xom()
  clk: socfpga: fix refcount leak
  clk: ti: fix refcount leak in ti_dt_clocks_register()
  clk: qoriq: fix refcount leak in clockgen_init()
  clk: highbank: fix refcount leak in hb_clk_init()
  fork,memcg: fix crash in free_thread_stack on memcg charge fail
  Input: nomadik-ske-keypad - fix a loop timeout test
  vxlan: changelink: Fix handling of default remotes
  net: hns3: fix error handling int the hns3_get_vector_ring_chain
  pinctrl: sh-pfc: sh7734: Remove bogus IPSR10 value
  pinctrl: sh-pfc: sh7269: Add missing PCIOR0 field
  pinctrl: sh-pfc: r8a77995: Remove bogus SEL_PWM[0-3]_3 configurations
  pinctrl: sh-pfc: sh7734: Add missing IPSR11 field
  pinctrl: sh-pfc: r8a77980: Add missing MOD_SEL0 field
  pinctrl: sh-pfc: r8a77970: Add missing MOD_SEL0 field
  pinctrl: sh-pfc: r8a7794: Remove bogus IPSR9 field
  pinctrl: sh-pfc: sh73a0: Add missing TO pin to tpu4_to3 group
  pinctrl: sh-pfc: r8a7791: Remove bogus marks from vin1_b_data18 group
  pinctrl: sh-pfc: r8a7791: Remove bogus ctrl marks from qspi_data4_b group
  pinctrl: sh-pfc: r8a7740: Add missing LCD0 marks to lcd0_data24_1 group
  pinctrl: sh-pfc: r8a7740: Add missing REF125CK pin to gether_gmii group
  ipv6: add missing tx timestamping on IPPROTO_RAW
  switchtec: Remove immediate status check after submitting MRPC command
  staging: bcm2835-camera: fix module autoloading
  staging: bcm2835-camera: Abort probe if there is no camera
  mailbox: ti-msgmgr: Off by one in ti_msgmgr_of_xlate()
  IB/rxe: Fix incorrect cache cleanup in error flow
  OPP: Fix missing debugfs supply directory for OPPs
  IB/hfi1: Correctly process FECN and BECN in packets
  net: phy: Fix not to call phy_resume() if PHY is not attached
  arm64: dts: renesas: r8a7795-es1: Add missing power domains to IPMMU nodes
  arm64: dts: meson-gx: Add hdmi_5v regulator as hdmi tx supply
  drm/dp_mst: Skip validating ports during destruction, just ref
  net: always initialize pagedlen
  drm: rcar-du: Fix vblank initialization
  drm: rcar-du: Fix the return value in case of error in 'rcar_du_crtc_set_crc_source()'
  exportfs: fix 'passing zero to ERR_PTR()' warning
  bus: ti-sysc: Add mcasp optional clocks flag
  pinctrl: meson-gxl: remove invalid GPIOX tsin_a pins
  ASoC: sun8i-codec: add missing route for ADC
  pcrypt: use format specifier in kobject_add
  ARM: dts: bcm283x: Correct mailbox register sizes
  ASoC: wm97xx: fix uninitialized regmap pointer problem
  NTB: ntb_hw_idt: replace IS_ERR_OR_NULL with regular NULL checks
  mlxsw: spectrum: Set minimum shaper on MC TCs
  mlxsw: reg: QEEC: Add minimum shaper fields
  net: hns3: add error handler for hns3_nic_init_vector_data()
  drm/sun4i: hdmi: Fix double flag assignation
  net: socionext: Add dummy PHY register read in phy_write()
  tipc: eliminate message disordering during binding table update
  powerpc/kgdb: add kgdb_arch_set/remove_breakpoint()
  netfilter: nf_flow_table: do not remove offload when other netns's interface is down
  RDMA/bnxt_re: Add missing spin lock initialization
  rtlwifi: rtl8821ae: replace _rtl8821ae_mrate_idx_to_arfr_id with generic version
  powerpc/pseries/memory-hotplug: Fix return value type of find_aa_index
  pwm: lpss: Release runtime-pm reference from the driver's remove callback
  netfilter: nft_osf: usage from output path is not valid
  staging: comedi: ni_mio_common: protect register write overflow
  iwlwifi: nvm: get num of hw addresses from firmware
  ALSA: usb-audio: update quirk for B&W PX to remove microphone
  of: Fix property name in of_node_get_device_type
  drm/msm: fix unsigned comparison with less than zero
  mei: replace POLL* with EPOLL* for write queues.
  cfg80211: regulatory: make initialization more robust
  usb: gadget: fsl_udc_core: check allocation return value and cleanup on failure
  usb: dwc3: add EXTCON dependency for qcom
  genirq/debugfs: Reinstate full OF path for domain name
  IB/hfi1: Add mtu check for operational data VLs
  IB/rxe: replace kvfree with vfree
  mailbox: mediatek: Add check for possible failure of kzalloc
  ASoC: wm9712: fix unused variable warning
  signal/ia64: Use the force_sig(SIGSEGV,...) in ia64_rt_sigreturn
  signal/ia64: Use the generic force_sigsegv in setup_frame
  drm/hisilicon: hibmc: Don't overwrite fb helper surface depth
  bridge: br_arp_nd_proxy: set icmp6_router if neigh has NTF_ROUTER
  PCI: iproc: Remove PAXC slot check to allow VF support
  firmware: coreboot: Let OF core populate platform device
  ARM: qcom_defconfig: Enable MAILBOX
  apparmor: don't try to replace stale label in ptrace access check
  ALSA: hda: fix unused variable warning
  apparmor: Fix network performance issue in aa_label_sk_perm
  iio: fix position relative kernel version
  drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset()
  ixgbe: don't clear IPsec sa counters on HW clearing
  ARM: dts: at91: nattis: make the SD-card slot work
  ARM: dts: at91: nattis: set the PRLUD and HIPOW signals low
  drm/sti: do not remove the drm_bridge that was never added
  ipmi: Fix memory leak in __ipmi_bmc_register
  watchdog: sprd: Fix the incorrect pointer getting from driver data
  soc: aspeed: Fix snoop_file_poll()'s return type
  perf map: No need to adjust the long name of modules
  crypto: sun4i-ss - fix big endian issues
  mt7601u: fix bbp version check in mt7601u_wait_bbp_ready
  tipc: fix wrong timeout input for tipc_wait_for_cond()
  tipc: update mon's self addr when node addr generated
  powerpc/archrandom: fix arch_get_random_seed_int()
  powerpc/pseries: Enable support for ibm,drc-info property
  SUNRPC: Fix svcauth_gss_proxy_init()
  mfd: intel-lpss: Add default I2C device properties for Gemini Lake
  i2c: i2c-stm32f7: fix 10-bits check in slave free id search loop
  i2c: stm32f7: rework slave_id allocation
  xfs: Sanity check flags of Q_XQUOTARM call
  Revert "efi: Fix debugobjects warning on 'efi_rts_work'"
  FROMGIT: ext4: Add EXT4_IOC_FSGETXATTR/EXT4_IOC_FSSETXATTR to compat_ioctl.
  ANDROID: gki_defconfig: Set IKHEADERS back to =m
  ANDROID: gki_defconfig: enable NVDIMM/PMEM options
  UPSTREAM: virtio-pmem: Add virtio pmem driver
  UPSTREAM: libnvdimm: nd_region flush callback support
  UPSTREAM: libnvdimm/of_pmem: Provide a unique name for bus provider
  UPSTREAM: libnvdimm/of_pmem: Fix platform_no_drv_owner.cocci warnings
  ANDROID: x86: gki_defconfig: enable LTO and CFI
  ANDROID: x86: map CFI jump tables in pti_clone_entry_text
  ANDROID: BACKPORT: x86, module: Ignore __typeid__ relocations
  ANDROID: BACKPORT: x86, relocs: Ignore __typeid__ relocations
  ANDROID: BACKPORT: x86/extable: Do not mark exception callback as CFI
  FROMLIST: crypto, x86/sha: Eliminate casts on asm implementations
  UPSTREAM: crypto: x86 - Rename functions to avoid conflict with crypto/sha256.h
  UPSTREAM: x86/vmlinux: Actually use _etext for the end of the text segment
  ANDROID: update ABI following inline crypto changes
  ANDROID: gki_defconfig: enable dm-default-key
  ANDROID: dm: add dm-default-key target for metadata encryption
  ANDROID: dm: enable may_passthrough_inline_crypto on some targets
  ANDROID: dm: add support for passing through inline crypto support
  ANDROID: block: Introduce passthrough keyslot manager
  ANDROID: ext4, f2fs: enable direct I/O with inline encryption
  FROMLIST: scsi: ufs: add program_key() variant op
  ANDROID: block: export symbols needed for modules to use inline crypto
  ANDROID: block: fix some inline crypto bugs
  UPSTREAM: mm/page_io.c: annotate refault stalls from swap_readpage
  UPSTREAM: lib/test_meminit.c: add bulk alloc/free tests
  UPSTREAM: lib/test_meminit: add a kmem_cache_alloc_bulk() test
  UPSTREAM: mm/slub.c: init_on_free=1 should wipe freelist ptr for bulk allocations
  ANDROID: mm/cma.c: Export symbols
  ANDROID: gki_defconfig: Set CONFIG_ION=m
  ANDROID: lib/plist: Export symbol plist_add
  ANDROID: staging: android: ion: enable modularizing the ion driver
  Revert "ANDROID: security,perf: Allow further restriction of perf_event_open"
  ANDROID: selinux: modify RTM_GETLINK permission
  FROMLIST: security: selinux: allow per-file labelling for binderfs
  BACKPORT: tracing: Remove unnecessary DEBUG_FS dependency
  BACKPORT: debugfs: Fix !DEBUG_FS debugfs_create_automount
  ANDROID: update abi for 4.19.98
  Linux 4.19.98
  hwmon: (pmbus/ibm-cffps) Switch LEDs to blocking brightness call
  regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id
  clk: sprd: Use IS_ERR() to validate the return value of syscon_regmap_lookup_by_phandle()
  perf probe: Fix wrong address verification
  scsi: core: scsi_trace: Use get_unaligned_be*()
  scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan
  scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI
  scsi: target: core: Fix a pr_debug() argument
  scsi: bnx2i: fix potential use after free
  scsi: qla4xxx: fix double free bug
  scsi: esas2r: unlock on error in esas2r_nvram_read_direct()
  reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr
  drm/nouveau/mmu: qualify vmm during dtor
  drm/nouveau/bar/gf100: ensure BAR is mapped
  drm/nouveau/bar/nv50: check bar1 vmm return value
  mtd: devices: fix mchp23k256 read and write
  Revert "arm64: dts: juno: add dma-ranges property"
  arm64: dts: marvell: Fix CP110 NAND controller node multi-line comment alignment
  tick/sched: Annotate lockless access to last_jiffies_update
  cfg80211: check for set_wiphy_params
  arm64: dts: meson-gxl-s905x-khadas-vim: fix gpio-keys-polled node
  cw1200: Fix a signedness bug in cw1200_load_firmware()
  irqchip: Place CONFIG_SIFIVE_PLIC into the menu
  tcp: refine rule to allow EPOLLOUT generation under mem pressure
  xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk
  mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters
  mlxsw: spectrum: Wipe xstats.backlog of down ports
  sh_eth: check sh_eth_cpu_data::dual_port when dumping registers
  tcp: fix marked lost packets not being retransmitted
  r8152: add missing endpoint sanity check
  ptp: free ptp device pin descriptors properly
  net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info
  net: usb: lan78xx: limit size of local TSO packets
  net: hns: fix soft lockup when there is not enough memory
  net: dsa: tag_qca: fix doubled Tx statistics
  hv_netvsc: Fix memory leak when removing rndis device
  macvlan: use skb_reset_mac_header() in macvlan_queue_xmit()
  batman-adv: Fix DAT candidate selection on little endian systems
  NFC: pn533: fix bulk-message timeout
  netfilter: nf_tables: fix flowtable list del corruption
  netfilter: nf_tables: store transaction list locally while requesting module
  netfilter: nf_tables: remove WARN and add NLA_STRING upper limits
  netfilter: nft_tunnel: fix null-attribute check
  netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct
  netfilter: fix a use-after-free in mtype_destroy()
  cfg80211: fix page refcount issue in A-MSDU decap
  cfg80211: fix memory leak in cfg80211_cqm_rssi_update
  cfg80211: fix deadlocks in autodisconnect work
  bpf: Fix incorrect verifier simulation of ARSH under ALU32
  arm64: dts: agilex/stratix10: fix pmu interrupt numbers
  mm/huge_memory.c: thp: fix conflict of above-47bit hint address and PMD alignment
  mm/huge_memory.c: make __thp_get_unmapped_area static
  net: stmmac: Enable 16KB buffer size
  net: stmmac: 16KB buffer must be 16 byte aligned
  ARM: dts: imx7: Fix Toradex Colibri iMX7S 256MB NAND flash support
  ARM: dts: imx6q-icore-mipi: Use 1.5 version of i.Core MX6DL
  ARM: dts: imx6qdl: Add Engicam i.Core 1.5 MX6
  mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio()
  btrfs: fix memory leak in qgroup accounting
  btrfs: do not delete mismatched root refs
  btrfs: fix invalid removal of root ref
  btrfs: rework arguments of btrfs_unlink_subvol
  mm: memcg/slab: call flush_memcg_workqueue() only if memcg workqueue is valid
  mm/shmem.c: thp, shmem: fix conflict of above-47bit hint address and PMD alignment
  perf report: Fix incorrectly added dimensions as switch perf data file
  perf hists: Fix variable name's inconsistency in hists__for_each() macro
  x86/resctrl: Fix potential memory leak
  drm/i915: Add missing include file <linux/math64.h>
  x86/efistub: Disable paging at mixed mode entry
  x86/CPU/AMD: Ensure clearing of SME/SEV features is maintained
  x86/resctrl: Fix an imbalance in domain_remove_cpu()
  usb: core: hub: Improved device recognition on remote wakeup
  ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()
  LSM: generalize flag passing to security_capable
  ARM: dts: am571x-idk: Fix gpios property to have the correct gpio number
  block: fix an integer overflow in logical block size
  Fix built-in early-load Intel microcode alignment
  arm64: dts: allwinner: a64: olinuxino: Fix SDIO supply regulator
  ALSA: usb-audio: fix sync-ep altsetting sanity check
  ALSA: seq: Fix racy access for queue timer in proc read
  ALSA: dice: fix fallback from protocol extension into limited functionality
  ARM: dts: imx6q-dhcom: Fix SGTL5000 VDDIO regulator connection
  ASoC: msm8916-wcd-analog: Fix MIC BIAS Internal1
  ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1
  scsi: mptfusion: Fix double fetch bug in ioctl
  scsi: fnic: fix invalid stack access
  USB: serial: quatech2: handle unbound ports
  USB: serial: keyspan: handle unbound ports
  USB: serial: io_edgeport: add missing active-port sanity check
  USB: serial: io_edgeport: handle unbound ports on URB completion
  USB: serial: ch341: handle unbound port at reset_resume
  USB: serial: suppress driver bind attributes
  USB: serial: option: add support for Quectel RM500Q in QDL mode
  USB: serial: opticon: fix control-message timeouts
  USB: serial: option: Add support for Quectel RM500Q
  USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx
  iio: buffer: align the size of scan bytes to size of the largest element
  ASoC: msm8916-wcd-digital: Reset RX interpolation path after use
  clk: Don't try to enable critical clocks if prepare failed
  ARM: dts: imx6q-dhcom: fix rtc compatible
  dt-bindings: reset: meson8b: fix duplicate reset IDs
  clk: qcom: gcc-sdm845: Add missing flag to votable GDSCs
  ARM: dts: meson8: fix the size of the PMU registers
  ANDROID: gki: Make GKI specific modules builtins
  ANDROID: fscrypt: add support for hardware-wrapped keys
  ANDROID: block: add KSM op to derive software secret from wrapped key
  ANDROID: block: provide key size as input to inline crypto APIs
  ANDROID: ufshcd-crypto: export cap find API
  ANDROID: build config for cuttlefish ramdisk
  ANDROID: Update ABI representation and whitelist
  Linux 4.19.97
  ocfs2: call journal flush to mark journal as empty after journal recovery when mount
  hexagon: work around compiler crash
  hexagon: parenthesize registers in asm predicates
  ioat: ioat_alloc_ring() failure handling.
  dmaengine: k3dma: Avoid null pointer traversal
  drm/arm/mali: make malidp_mw_connector_helper_funcs static
  MIPS: Prevent link failure with kcov instrumentation
  mips: cacheinfo: report shared CPU map
  rseq/selftests: Turn off timeout setting
  selftests: firmware: Fix it to do root uid check and skip
  scsi: libcxgbi: fix NULL pointer dereference in cxgbi_device_destroy()
  gpio: mpc8xxx: Add platform device to gpiochip->parent
  rtc: brcmstb-waketimer: add missed clk_disable_unprepare
  rtc: msm6242: Fix reading of 10-hour digit
  f2fs: fix potential overflow
  rtlwifi: Remove unnecessary NULL check in rtl_regd_init
  spi: atmel: fix handling of cs_change set on non-last xfer
  mtd: spi-nor: fix silent truncation in spi_nor_read_raw()
  mtd: spi-nor: fix silent truncation in spi_nor_read()
  iommu/mediatek: Correct the flush_iotlb_all callback
  media: exynos4-is: Fix recursive locking in isp_video_release()
  media: v4l: cadence: Fix how unsued lanes are handled in 'csi2rx_start()'
  media: rcar-vin: Fix incorrect return statement in rvin_try_format()
  media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support
  media: ov6650: Fix some format attributes not under control
  media: ov6650: Fix incorrect use of JPEG colorspace
  tty: serial: pch_uart: correct usage of dma_unmap_sg
  tty: serial: imx: use the sg count from dma_map_sg
  powerpc/powernv: Disable native PCIe port management
  PCI/PTM: Remove spurious "d" from granularity message
  PCI: dwc: Fix find_next_bit() usage
  compat_ioctl: handle SIOCOUTQNSD
  af_unix: add compat_ioctl support
  arm64: dts: apq8096-db820c: Increase load on l21 for SDCARD
  scsi: sd: enable compat ioctls for sed-opal
  pinctrl: lewisburg: Update pin list according to v1.1v6
  pinctl: ti: iodelay: fix error checking on pinctrl_count_index_with_args call
  clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume
  mei: fix modalias documentation
  iio: imu: adis16480: assign bias value only if operation succeeded
  NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn
  NFSv2: Fix a typo in encode_sattr()
  crypto: virtio - implement missing support for output IVs
  xprtrdma: Fix completion wait during device removal
  platform/x86: GPD pocket fan: Use default values when wrong modparams are given
  platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0
  scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI
  scsi: enclosure: Fix stale device oops with hot replug
  RDMA/srpt: Report the SCSI residual to the initiator
  RDMA/mlx5: Return proper error value
  btrfs: simplify inode locking for RWF_NOWAIT
  drm/ttm: fix incrementing the page pointer for huge pages
  drm/ttm: fix start page for huge page check in ttm_put_pages()
  afs: Fix missing cell comparison in afs_test_super()
  cifs: Adjust indentation in smb2_open_file
  s390/qeth: Fix vnicc_is_in_use if rx_bcast not set
  s390/qeth: fix false reporting of VNIC CHAR config failure
  hsr: reset network header when supervision frame is created
  gpio: Fix error message on out-of-range GPIO in lookup table
  iommu: Remove device link to group on failure
  gpio: zynq: Fix for bug in zynq_gpio_restore_context API
  mtd: onenand: omap2: Pass correct flags for prep_dma_memcpy
  ASoC: stm32: spdifrx: fix race condition in irq handler
  ASoC: stm32: spdifrx: fix inconsistent lock state
  ASoC: soc-core: Set dpcm_playback / dpcm_capture
  RDMA/bnxt_re: Fix Send Work Entry state check while polling completions
  RDMA/bnxt_re: Avoid freeing MR resources if dereg fails
  rtc: mt6397: fix alarm register overwrite
  drm/i915: Fix use-after-free when destroying GEM context
  dccp: Fix memleak in __feat_register_sp
  RDMA: Fix goto target to release the allocated memory
  iwlwifi: pcie: fix memory leaks in iwl_pcie_ctxt_info_gen3_init
  iwlwifi: dbg_ini: fix memory leak in alloc_sgtable
  media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap
  f2fs: check if file namelen exceeds max value
  f2fs: check memory boundary by insane namelen
  f2fs: Move err variable to function scope in f2fs_fill_dentries()
  mac80211: Do not send Layer 2 Update frame before authorization
  cfg80211/mac80211: make ieee80211_send_layer2_update a public function
  fs/select: avoid clang stack usage warning
  ethtool: reduce stack usage with clang
  HID: hidraw, uhid: Always report EPOLLOUT
  HID: hidraw: Fix returning EPOLLOUT from hidraw_poll
  hidraw: Return EPOLLOUT from hidraw_poll
  ANDROID: update ABI whitelist
  ANDROID: update kernel ABI for CONFIG_DUMMY
  GKI: enable CONFIG_DUMMY=y
  UPSTREAM: kcov: fix struct layout for kcov_remote_arg
  UPSTREAM: vhost, kcov: collect coverage from vhost_worker
  UPSTREAM: usb, kcov: collect coverage from hub_event
  ANDROID: update kernel ABI for kcov changes
  UPSTREAM: kcov: remote coverage support
  UPSTREAM: kcov: improve CONFIG_ARCH_HAS_KCOV help text
  UPSTREAM: kcov: convert kcov.refcount to refcount_t
  UPSTREAM: kcov: no need to check return value of debugfs_create functions
  GKI: enable CONFIG_NETFILTER_XT_MATCH_QUOTA2_LOG=y
  Linux 4.19.96
  drm/i915/gen9: Clear residual context state on context switch
  netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present
  netfilter: conntrack: dccp, sctp: handle null timeout argument
  netfilter: arp_tables: init netns pointer in xt_tgchk_param struct
  phy: cpcap-usb: Fix flakey host idling and enumerating of devices
  phy: cpcap-usb: Fix error path when no host driver is loaded
  USB: Fix: Don't skip endpoint descriptors with maxpacket=0
  HID: hiddev: fix mess in hiddev_open()
  ath10k: fix memory leak
  rtl8xxxu: prevent leaking urb
  scsi: bfa: release allocated memory in case of error
  mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf
  mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
  tty: always relink the port
  tty: link tty and port before configuring it as console
  serdev: Don't claim unsupported ACPI serial devices
  staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21
  staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713
  usb: musb: dma: Correct parameter passed to IRQ handler
  usb: musb: Disable pullup at init
  usb: musb: fix idling for suspend after disconnect interrupt
  USB: serial: option: add ZLP support for 0x1bc7/0x9010
  staging: vt6656: set usb_set_intfdata on driver fail.
  gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism
  gpiolib: acpi: Turn dmi_system_id table into a generic quirk table
  can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs
  can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode
  can: gs_usb: gs_usb_probe(): use descriptors of current altsetting
  can: kvaser_usb: fix interface sanity check
  drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ
  drm/fb-helper: Round up bits_per_pixel if possible
  drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model
  Input: input_event - fix struct padding on sparc64
  Input: add safety guards to input_set_keycode()
  HID: hid-input: clear unmapped usages
  HID: uhid: Fix returning EPOLLOUT from uhid_char_poll
  HID: Fix slab-out-of-bounds read in hid_field_extract
  tracing: Change offset type to s32 in preempt/irq tracepoints
  tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined
  kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail
  ALSA: hda/realtek - Add quirk for the bass speaker on Lenovo Yoga X1 7th gen
  ALSA: hda/realtek - Set EAPD control to default for ALC222
  ALSA: hda/realtek - Add new codec supported for ALCS1200A
  ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5
  usb: chipidea: host: Disable port power only if previously enabled
  i2c: fix bus recovery stop mode timing
  chardev: Avoid potential use-after-free in 'chrdev_open()'
  ANDROID: Enable HID_STEAM, HID_SONY, JOYSTICK_XPAD as y
  ANDROID: gki_defconfig: Enable blk-crypto fallback
  BACKPORT: FROMLIST: Update Inline Encryption from v5 to v6 of patch series
  docs: fs-verity: mention statx() support
  f2fs: support STATX_ATTR_VERITY
  ext4: support STATX_ATTR_VERITY
  statx: define STATX_ATTR_VERITY
  docs: fs-verity: document first supported kernel version
  f2fs: add support for IV_INO_LBLK_64 encryption policies
  ext4: add support for IV_INO_LBLK_64 encryption policies
  fscrypt: add support for IV_INO_LBLK_64 policies
  fscrypt: avoid data race on fscrypt_mode::logged_impl_name
  fscrypt: zeroize fscrypt_info before freeing
  fscrypt: remove struct fscrypt_ctx
  fscrypt: invoke crypto API for ESSIV handling

Conflicts:
	Documentation/devicetree/bindings
	Documentation/devicetree/bindings/bus/ti-sysc.txt
	Documentation/devicetree/bindings/thermal/thermal.txt
	Documentation/sysctl/vm.txt
	arch/arm64/mm/mmu.c
	block/blk-crypto-fallback.c
	block/blk-merge.c
	block/keyslot-manager.c
	drivers/char/Kconfig
	drivers/clk/qcom/clk-rcg2.c
	drivers/gpio/gpiolib.c
	drivers/hid/hid-quirks.c
	drivers/irqchip/Kconfig
	drivers/md/Kconfig
	drivers/md/dm-default-key.c
	drivers/md/dm.c
	drivers/nvmem/core.c
	drivers/of/Kconfig
	drivers/of/fdt.c
	drivers/of/irq.c
	drivers/scsi/ufs/ufshcd-crypto.c
	drivers/scsi/ufs/ufshcd.c
	drivers/scsi/ufs/ufshcd.h
	drivers/scsi/ufs/ufshci.h
	drivers/usb/dwc3/gadget.c
	drivers/usb/gadget/composite.c
	drivers/usb/gadget/function/f_fs.c
	fs/crypto/bio.c
	fs/crypto/fname.c
	fs/crypto/fscrypt_private.h
	fs/crypto/keyring.c
	fs/crypto/keysetup.c
	fs/f2fs/data.c
	fs/f2fs/file.c
	include/crypto/skcipher.h
	include/linux/gfp.h
	include/linux/keyslot-manager.h
	include/linux/of_fdt.h
	include/sound/soc.h
	kernel/sched/cpufreq_schedutil.c
	kernel/sched/fair.c
	kernel/sched/psi.c
	kernel/sched/rt.c
	kernel/sched/sched.h
	kernel/sched/topology.c
	kernel/sched/tune.h
	kernel/sysctl.c
	mm/compaction.c
	mm/page_alloc.c
	mm/vmscan.c
	security/commoncap.c
	security/selinux/avc.c

Change-Id: I9a08175c4892e533ecde8da847f75dc4874b303a
Signed-off-by: Ivaylo Georgiev <irgeorgiev@codeaurora.org>
2020-05-23 05:08:22 -07:00
Sean Christopherson
1489d1713c KVM: Check for a bad hva before dropping into the ghc slow path
commit fcfbc617547fc6d9552cb6c1c563b6a90ee98085 upstream.

When reading/writing using the guest/host cache, check for a bad hva
before checking for a NULL memslot, which triggers the slow path for
handing cross-page accesses.  Because the memslot is nullified on error
by __kvm_gfn_to_hva_cache_init(), if the bad hva is encountered after
crossing into a new page, then the kvm_{read,write}_guest() slow path
could potentially write/access the first chunk prior to detecting the
bad hva.

Arguably, performing a partial access is semantically correct from an
architectural perspective, but that behavior is certainly not intended.
In the original implementation, memslot was not explicitly nullified
and therefore the partial access behavior varied based on whether the
memslot itself was null, or if the hva was simply bad.  The current
behavior was introduced as a seemingly unintentional side effect in
commit f1b9dd5eb86c ("kvm: Disallow wraparound in
kvm_gfn_to_hva_cache_init"), which justified the change with "since some
callers don't check the return code from this function, it sit seems
prudent to clear ghc->memslot in the event of an error".

Regardless of intent, the partial access is dependent on _not_ checking
the result of the cache initialization, which is arguably a bug in its
own right, at best simply weird.

Fixes: 8f964525a1 ("KVM: Allow cross page reads and writes from cached translations.")
Cc: Jim Mattson <jmattson@google.com>
Cc: Andrew Honig <ahonig@google.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-03-05 16:42:21 +01:00
Eric Auger
b818a55bc4 KVM: arm64: pmu: Don't increment SW_INCR if PMCR.E is unset
commit 3837407c1aa1101ed5e214c7d6041e7a23335c6e upstream.

The specification says PMSWINC increments PMEVCNTR<n>_EL1 by 1
if PMEVCNTR<n>_EL0 is enabled and configured to count SW_INCR.

For PMEVCNTR<n>_EL0 to be enabled, we need both PMCNTENSET to
be set for the corresponding event counter but we also need
the PMCR.E bit to be set.

Fixes: 7a0adc7064 ("arm64: KVM: Add access handler for PMSWINC register")
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Andrew Murray <andrew.murray@arm.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20200124142535.29386-2-eric.auger@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-14 16:33:26 -05:00
James Morse
f8d4dfffbb KVM: arm: Make inject_abt32() inject an external abort instead
commit 21aecdbd7f3ab02c9b82597dc733ee759fb8b274 upstream.

KVM's inject_abt64() injects an external-abort into an aarch64 guest.
The KVM_CAP_ARM_INJECT_EXT_DABT is intended to do exactly this, but
for an aarch32 guest inject_abt32() injects an implementation-defined
exception, 'Lockdown fault'.

Change this to external abort. For non-LPAE we now get the documented:
| Unhandled fault: external abort on non-linefetch (0x008) at 0x9c800f00
and for LPAE:
| Unhandled fault: synchronous external abort (0x210) at 0x9c800f00

Fixes: 74a64a9816 ("KVM: arm/arm64: Unify 32bit fault injection")
Reported-by: Beata Michalska <beata.michalska@linaro.org>
Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20200121123356.203000-3-james.morse@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-14 16:33:26 -05:00
James Morse
8ea83328b2 KVM: arm: Fix DFSR setting for non-LPAE aarch32 guests
commit 018f22f95e8a6c3e27188b7317ef2c70a34cb2cd upstream.

Beata reports that KVM_SET_VCPU_EVENTS doesn't inject the expected
exception to a non-LPAE aarch32 guest.

The host intends to inject DFSR.FS=0x14 "IMPLEMENTATION DEFINED fault
(Lockdown fault)", but the guest receives DFSR.FS=0x04 "Fault on
instruction cache maintenance". This fault is hooked by
do_translation_fault() since ARMv6, which goes on to silently 'handle'
the exception, and restart the faulting instruction.

It turns out, when TTBCR.EAE is clear DFSR is split, and FS[4] has
to shuffle up to DFSR[10].

As KVM only does this in one place, fix up the static values. We
now get the expected:
| Unhandled fault: lock abort (0x404) at 0x9c800f00

Fixes: 74a64a9816 ("KVM: arm/arm64: Unify 32bit fault injection")
Reported-by: Beata Michalska <beata.michalska@linaro.org>
Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20200121123356.203000-2-james.morse@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-14 16:33:26 -05:00
Gavin Shan
5b63ffb30b KVM: arm/arm64: Fix young bit from mmu notifier
commit cf2d23e0bac9f6b5cd1cba8898f5f05ead40e530 upstream.

kvm_test_age_hva() is called upon mmu_notifier_test_young(), but wrong
address range has been passed to handle_hva_to_gpa(). With the wrong
address range, no young bits will be checked in handle_hva_to_gpa().
It means zero is always returned from mmu_notifier_test_young().

This fixes the issue by passing correct address range to the underly
function handle_hva_to_gpa(), so that the hardware young (access) bit
will be visited.

Fixes: 35307b9a5f ("arm/arm64: KVM: Implement Stage-2 page aging")
Signed-off-by: Gavin Shan <gshan@redhat.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20200121055659.19560-1-gshan@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-14 16:33:26 -05:00
Eric Auger
092c84fdac KVM: arm/arm64: vgic-its: Fix restoration of unmapped collections
commit 8c58be34494b7f1b2adb446e2d8beeb90e5de65b upstream.

Saving/restoring an unmapped collection is a valid scenario. For
example this happens if a MAPTI command was sent, featuring an
unmapped collection. At the moment the CTE fails to be restored.
Only compare against the number of online vcpus if the rdist
base is set.

Fixes: ea1ad53e1e ("KVM: arm64: vgic-its: Collection table save/restore")
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
Link: https://lore.kernel.org/r/20191213094237.19627-1-eric.auger@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-14 16:33:26 -05:00
qctecmdr
6b72630f13 Merge "KVM: arm/arm64: Don't invoke defacto-CnP on first run" 2020-02-13 22:26:27 -08:00
Sean Christopherson
21b70d9bc1 KVM: Play nice with read-only memslots when querying host page size
[ Upstream commit 42cde48b2d39772dba47e680781a32a6c4b7dc33 ]

Avoid the "writable" check in __gfn_to_hva_many(), which will always fail
on read-only memslots due to gfn_to_hva() assuming writes.  Functionally,
this allows x86 to create large mappings for read-only memslots that
are backed by HugeTLB mappings.

Note, the changelog for commit 05da45583d ("KVM: MMU: large page
support") states "If the largepage contains write-protected pages, a
large pte is not used.", but "write-protected" refers to pages that are
temporarily read-only, e.g. read-only memslots didn't even exist at the
time.

Fixes: 4d8b81abc4 ("KVM: introduce readonly memslot")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
[Redone using kvm_vcpu_gfn_to_memslot_prot. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-02-11 04:34:17 -08:00
Sean Christopherson
dabf1a1096 KVM: Use vcpu-specific gva->hva translation when querying host page size
[ Upstream commit f9b84e19221efc5f493156ee0329df3142085f28 ]

Use kvm_vcpu_gfn_to_hva() when retrieving the host page size so that the
correct set of memslots is used when handling x86 page faults in SMM.

Fixes: 54bf36aac5 ("KVM: x86: use vcpu-specific functions to read/write/translate GFNs")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-02-11 04:34:17 -08:00
Sean Christopherson
9b376cb650 KVM: x86: Use gpa_t for cr2/gpa to fix TDP support on 32-bit KVM
[ Upstream commit 736c291c9f36b07f8889c61764c28edce20e715d ]

Convert a plethora of parameters and variables in the MMU and page fault
flows from type gva_t to gpa_t to properly handle TDP on 32-bit KVM.

Thanks to PSE and PAE paging, 32-bit kernels can access 64-bit physical
addresses.  When TDP is enabled, the fault address is a guest physical
address and thus can be a 64-bit value, even when both KVM and its guest
are using 32-bit virtual addressing, e.g. VMX's VMCS.GUEST_PHYSICAL is a
64-bit field, not a natural width field.

Using a gva_t for the fault address means KVM will incorrectly drop the
upper 32-bits of the GPA.  Ditto for gva_to_gpa() when it is used to
translate L2 GPAs to L1 GPAs.

Opportunistically rename variables and parameters to better reflect the
dual address modes, e.g. use "cr2_or_gpa" for fault addresses and plain
"addr" instead of "vaddr" when the address may be either a GVA or an L2
GPA.  Similarly, use "gpa" in the nonpaging_page_fault() flows to avoid
a confusing "gpa_t gva" declaration; this also sets the stage for a
future patch to combing nonpaging_page_fault() and tdp_page_fault() with
minimal churn.

Sprinkle in a few comments to document flows where an address is known
to be a GVA and thus can be safely truncated to a 32-bit value.  Add
WARNs in kvm_handle_page_fault() and FNAME(gva_to_gpa_nested)() to help
document such cases and detect bugs.

Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-02-11 04:34:17 -08:00
Christoffer Dall
ce94e646aa KVM: arm64: Only sign-extend MMIO up to register width
commit b6ae256afd32f96bec0117175b329d0dd617655e upstream.

On AArch64 you can do a sign-extended load to either a 32-bit or 64-bit
register, and we should only sign extend the register up to the width of
the register as specified in the operation (by using the 32-bit Wn or
64-bit Xn register specifier).

As it turns out, the architecture provides this decoding information in
the SF ("Sixty-Four" -- how cute...) bit.

Let's take advantage of this with the usual 32-bit/64-bit header file
dance and do the right thing on AArch64 hosts.

Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20191212195055.5541-1-christoffer.dall@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-11 04:33:58 -08:00
Mark Rutland
c1ed734713 KVM: arm/arm64: Correct AArch32 SPSR on exception entry
commit 1cfbb484de158e378e8971ac40f3082e53ecca55 upstream.

Confusingly, there are three SPSR layouts that a kernel may need to deal
with:

(1) An AArch64 SPSR_ELx view of an AArch64 pstate
(2) An AArch64 SPSR_ELx view of an AArch32 pstate
(3) An AArch32 SPSR_* view of an AArch32 pstate

When the KVM AArch32 support code deals with SPSR_{EL2,HYP}, it's either
dealing with #2 or #3 consistently. On arm64 the PSR_AA32_* definitions
match the AArch64 SPSR_ELx view, and on arm the PSR_AA32_* definitions
match the AArch32 SPSR_* view.

However, when we inject an exception into an AArch32 guest, we have to
synthesize the AArch32 SPSR_* that the guest will see. Thus, an AArch64
host needs to synthesize layout #3 from layout #2.

This patch adds a new host_spsr_to_spsr32() helper for this, and makes
use of it in the KVM AArch32 support code. For arm64 we need to shuffle
the DIT bit around, and remove the SS bit, while for arm we can use the
value as-is.

I've open-coded the bit manipulation for now to avoid having to rework
the existing PSR_* definitions into PSR64_AA32_* and PSR32_AA32_*
definitions. I hope to perform a more thorough refactoring in future so
that we can handle pstate view manipulation more consistently across the
kernel tree.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Alexandru Elisei <alexandru.elisei@arm.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20200108134324.46500-4-mark.rutland@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-11 04:33:58 -08:00
Mark Rutland
7a781ba151 KVM: arm/arm64: Correct CPSR on exception entry
commit 3c2483f15499b877ccb53250d88addb8c91da147 upstream.

When KVM injects an exception into a guest, it generates the CPSR value
from scratch, configuring CPSR.{M,A,I,T,E}, and setting all other
bits to zero.

This isn't correct, as the architecture specifies that some CPSR bits
are (conditionally) cleared or set upon an exception, and others are
unchanged from the original context.

This patch adds logic to match the architectural behaviour. To make this
simple to follow/audit/extend, documentation references are provided,
and bits are configured in order of their layout in SPSR_EL2. This
layout can be seen in the diagram on ARM DDI 0487E.a page C5-426.

Note that this code is used by both arm and arm64, and is intended to
fuction with the SPSR_EL2 and SPSR_HYP layouts.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Alexandru Elisei <alexandru.elisei@arm.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20200108134324.46500-3-mark.rutland@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-11 04:33:57 -08:00
James Morse
5e3819687d KVM: arm/arm64: Don't invoke defacto-CnP on first run
When KVM finds itself switching between two vCPUs of the same VM
on one physical CPU it has to invalidate the TLB for this VMID
to avoid unintended sharing of TLB entries between vCPU.

This is done by tracking the 'last_vcpu_ran' as a percpu variable
for each vm.

kvm_arch_init_vm() is careful to initialise these to an impossible
vcpu id, but we never check for this. The first time
vm_arch_vcpu_load() is called on a new physical CPU, we will fail
the last_ran check and invalidate the TLB.

Now that we have an errata workaround in this path, it means we
trigger the workaround whenever a guest is migrated to a new CPU.

Check for the impossible vcpu id, and skip defacto-CnP.

Change-Id: Id2b1fb291ab925a59de2b8fd0e29892898eb4d20
Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Patch-mainline: linux-arm-kernel @ 11/14/19, 14:59
Signed-off-by: Srinivas Ramana <sramana@codeaurora.org>
2020-01-09 02:38:17 -08:00
James Morse
de4a5c6323 KVM: arm64: Workaround Cortex-A77 erratum 1542418 on VMID rollover
Cortex-A77's erratum 1542418 workaround needs to be applied for VMID
re-use too. This prevents the CPU correctly predicting a modified branch
based on a previous user of the VMID and ASID.

KVM doesn't use force_vm_exit or exit_vm_noop for anything other than
vmid rollover. Rename them, and use this to invoke the VMID workaround
on each CPU.

Another case where VMID and ASID may get reused is if the system is
over-provisioned and two vCPUs of the same VMID are scheduled on
one physical CPU. KVM invalidates the TLB to prevent ASID sharing
in this case, invoke the asid-rollover workaround too so we avoid
the ASID sharing tripping the erratum.

Change-Id: Ia7d82cfc785091c546b40a8a54584784a34c3e5a
Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Patch-mainline: linux-arm-kernel @ 11/14/19, 14:59
[sramana@codeaurora.org: Resolve trivial merge conflicts]
Signed-off-by: Srinivas Ramana <sramana@codeaurora.org>
2020-01-09 02:37:55 -08:00
Zenghui Yu
66f8ca55eb KVM: arm/arm64: vgic: Don't rely on the wrong pending table
commit ca185b260951d3b55108c0b95e188682d8a507b7 upstream.

It's possible that two LPIs locate in the same "byte_offset" but target
two different vcpus, where their pending status are indicated by two
different pending tables.  In such a scenario, using last_byte_offset
optimization will lead KVM relying on the wrong pending table entry.
Let us use last_ptr instead, which can be treated as a byte index into
a pending table and also, can be vcpu specific.

Fixes: 280771252c ("KVM: arm64: vgic-v3: KVM_DEV_ARM_VGIC_SAVE_PENDING_TABLES")
Cc: stable@vger.kernel.org
Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Acked-by: Eric Auger <eric.auger@redhat.com>
Link: https://lore.kernel.org/r/20191029071919.177-4-yuzenghui@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-12-13 08:52:45 +01:00
Greg Kroah-Hartman
9c458dd158 kvm: properly check debugfs dentry before using it
[ Upstream commit 8ed0579c12b2fe56a1fac2f712f58fc26c1dc49b ]

debugfs can now report an error code if something went wrong instead of
just NULL.  So if the return value is to be used as a "real" dentry, it
needs to be checked if it is an error before dereferencing it.

This is now happening because of ff9fb72bc077 ("debugfs: return error
values, not NULL").  syzbot has found a way to trigger multiple debugfs
files attempting to be created, which fails, and then the error code
gets passed to dentry_path_raw() which obviously does not like it.

Reported-by: Eric Biggers <ebiggers@kernel.org>
Reported-and-tested-by: syzbot+7857962b4d45e602b8ad@syzkaller.appspotmail.com
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: kvm@vger.kernel.org
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-12-05 09:21:14 +01:00
Sean Christopherson
4ae7392ab6 KVM: MMU: Do not treat ZONE_DEVICE pages as being reserved
commit a78986aae9b2988f8493f9f65a587ee433e83bc3 upstream.

Explicitly exempt ZONE_DEVICE pages from kvm_is_reserved_pfn() and
instead manually handle ZONE_DEVICE on a case-by-case basis.  For things
like page refcounts, KVM needs to treat ZONE_DEVICE pages like normal
pages, e.g. put pages grabbed via gup().  But for flows such as setting
A/D bits or shifting refcounts for transparent huge pages, KVM needs to
to avoid processing ZONE_DEVICE pages as the flows in question lack the
underlying machinery for proper handling of ZONE_DEVICE pages.

This fixes a hang reported by Adam Borowski[*] in dev_pagemap_cleanup()
when running a KVM guest backed with /dev/dax memory, as KVM straight up
doesn't put any references to ZONE_DEVICE pages acquired by gup().

Note, Dan Williams proposed an alternative solution of doing put_page()
on ZONE_DEVICE pages immediately after gup() in order to simplify the
auditing needed to ensure is_zone_device_page() is called if and only if
the backing device is pinned (via gup()).  But that approach would break
kvm_vcpu_{un}map() as KVM requires the page to be pinned from map() 'til
unmap() when accessing guest memory, unlike KVM's secondary MMU, which
coordinates with mmu_notifier invalidations to avoid creating stale
page references, i.e. doesn't rely on pages being pinned.

[*] http://lkml.kernel.org/r/20190919115547.GA17963@angband.pl

Reported-by: Adam Borowski <kilobyte@angband.pl>
Analyzed-by: David Hildenbrand <david@redhat.com>
Acked-by: Dan Williams <dan.j.williams@intel.com>
Cc: stable@vger.kernel.org
Fixes: 3565fce3a6 ("mm, x86: get_user_pages() for dax mappings")
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[sean: backport to 4.x; resolve conflict in mmu.c]
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-12-01 09:17:35 +01:00
Suzuki K Poulose
256a294807 kvm: arm/arm64: Fix stage2_flush_memslot for 4 level page table
[ Upstream commit d2db7773ba864df6b4e19643dfc54838550d8049 ]

So far we have only supported 3 level page table with fixed IPA of
40bits, where PUD is folded. With 4 level page tables, we need
to check if the PUD entry is valid or not. Fix stage2_flush_memslot()
to do this check, before walking down the table.

Acked-by: Christoffer Dall <cdall@kernel.org>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-11-24 08:19:31 +01:00
Junaid Shahid
46a4a014c4 kvm: x86: mmu: Recovery of shattered NX large pages
commit 1aa9b9572b10529c2e64e2b8f44025d86e124308 upstream.

The page table pages corresponding to broken down large pages are zapped in
FIFO order, so that the large page can potentially be recovered, if it is
not longer being used for execution.  This removes the performance penalty
for walking deeper EPT page tables.

By default, one large page will last about one hour once the guest
reaches a steady state.

Signed-off-by: Junaid Shahid <junaids@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-11-12 19:21:46 +01:00
Junaid Shahid
6082f2e288 kvm: Add helper function for creating VM worker threads
commit c57c80467f90e5504c8df9ad3555d2c78800bf94 upstream.

Add a function to create a kernel thread associated with a given VM. In
particular, it ensures that the worker thread inherits the priority and
cgroups of the calling thread.

Signed-off-by: Junaid Shahid <junaids@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-11-12 19:21:46 +01:00
Junaid Shahid
30d8d8d6cd kvm: Convert kvm_lock to a mutex
commit 0d9ce162cf46c99628cc5da9510b959c7976735b upstream.

It doesn't seem as if there is any particular need for kvm_lock to be a
spinlock, so convert the lock to a mutex so that sleepable functions (in
particular cond_resched()) can be called while holding it.

Signed-off-by: Junaid Shahid <junaids@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-11-12 19:21:40 +01:00
Paolo Bonzini
a991063ce5 kvm: x86, powerpc: do not allow clearing largepages debugfs entry
commit 833b45de69a6016c4b0cebe6765d526a31a81580 upstream.

The largepages debugfs entry is incremented/decremented as shadow
pages are created or destroyed.  Clearing it will result in an
underflow, which is harmless to KVM but ugly (and could be
misinterpreted by tools that use debugfs information), so make
this particular statistic read-only.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: kvm-ppc@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-11-12 19:21:39 +01:00
Matt Delco
232a6462f4 KVM: coalesced_mmio: add bounds checking
commit b60fe990c6b07ef6d4df67bc0530c7c90a62623a upstream.

The first/last indexes are typically shared with a user app.
The app can change the 'last' index that the kernel uses
to store the next result.  This change sanity checks the index
before using it for writing to a potentially arbitrary address.

This fixes CVE-2019-14821.

Cc: stable@vger.kernel.org
Fixes: 5f94c1741b ("KVM: Add coalesced MMIO support (common part)")
Signed-off-by: Matt Delco <delco@chromium.org>
Signed-off-by: Jim Mattson <jmattson@google.com>
Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
[Use READ_ONCE. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-09-21 07:16:44 +02:00
Peter Xu
d5f6539381 kvm: Check irqchip mode before assign irqfd
[ Upstream commit 654f1f13ea56b92bacade8ce2725aea0457f91c0 ]

When assigning kvm irqfd we didn't check the irqchip mode but we allow
KVM_IRQFD to succeed with all the irqchip modes.  However it does not
make much sense to create irqfd even without the kernel chips.  Let's
provide a arch-dependent helper to check whether a specific irqfd is
allowed by the arch.  At least for x86, it should make sense to check:

- when irqchip mode is NONE, all irqfds should be disallowed, and,

- when irqchip mode is SPLIT, irqfds that are with resamplefd should
  be disallowed.

For either of the case, previously we'll silently ignore the irq or
the irq ack event if the irqchip mode is incorrect.  However that can
cause misterious guest behaviors and it can be hard to triage.  Let's
fail KVM_IRQFD even earlier to detect these incorrect configurations.

CC: Paolo Bonzini <pbonzini@redhat.com>
CC: Radim Krčmář <rkrcmar@redhat.com>
CC: Alex Williamson <alex.williamson@redhat.com>
CC: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-09-16 08:22:15 +02:00
Andre Przywara
b8727dff55 KVM: arm/arm64: VGIC: Properly initialise private IRQ affinity
[ Upstream commit 2e16f3e926ed48373c98edea85c6ad0ef69425d1 ]

At the moment we initialise the target *mask* of a virtual IRQ to the
VCPU it belongs to, even though this mask is only defined for GICv2 and
quickly runs out of bits for many GICv3 guests.
This behaviour triggers an UBSAN complaint for more than 32 VCPUs:
------
[ 5659.462377] UBSAN: Undefined behaviour in virt/kvm/arm/vgic/vgic-init.c:223:21
[ 5659.471689] shift exponent 32 is too large for 32-bit type 'unsigned int'
------
Also for GICv3 guests the reporting of TARGET in the "vgic-state" debugfs
dump is wrong, due to this very same problem.

Because there is no requirement to create the VGIC device before the
VCPUs (and QEMU actually does it the other way round), we can't safely
initialise mpidr or targets in kvm_vgic_vcpu_init(). But since we touch
every private IRQ for each VCPU anyway later (in vgic_init()), we can
just move the initialisation of those fields into there, where we
definitely know the VGIC type.

On the way make sure we really have either a VGICv2 or a VGICv3 device,
since the existing code is just checking for "VGICv3 or not", silently
ignoring the uninitialised case.

Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reported-by: Dave Martin <dave.martin@arm.com>
Tested-by: Julien Grall <julien.grall@arm.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-09-10 10:33:53 +01:00
Andrew Jones
111d36b6fb KVM: arm/arm64: Only skip MMIO insn once
[ Upstream commit 2113c5f62b7423e4a72b890bd479704aa85c81ba ]

If after an MMIO exit to userspace a VCPU is immediately run with an
immediate_exit request, such as when a signal is delivered or an MMIO
emulation completion is needed, then the VCPU completes the MMIO
emulation and immediately returns to userspace. As the exit_reason
does not get changed from KVM_EXIT_MMIO in these cases we have to
be careful not to complete the MMIO emulation again, when the VCPU is
eventually run again, because the emulation does an instruction skip
(and doing too many skips would be a waste of guest code :-) We need
to use additional VCPU state to track if the emulation is complete.
As luck would have it, we already have 'mmio_needed', which even
appears to be used in this way by other architectures already.

Fixes: 0d640732dbeb ("arm64: KVM: Skip MMIO insn after emulation")
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Andrew Jones <drjones@redhat.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-09-10 10:33:52 +01:00
Marc Zyngier
79f1b33c53 KVM: arm/arm64: vgic-v2: Handle SGI bits in GICD_I{S,C}PENDR0 as WI
[ Upstream commit 82e40f558de566fdee214bec68096bbd5e64a6a4 ]

A guest is not allowed to inject a SGI (or clear its pending state)
by writing to GICD_ISPENDR0 (resp. GICD_ICPENDR0), as these bits are
defined as WI (as per ARM IHI 0048B 4.3.7 and 4.3.8).

Make sure we correctly emulate the architecture.

Fixes: 96b298000d ("KVM: arm/arm64: vgic-new: Add PENDING registers handlers")
Cc: stable@vger.kernel.org # 4.7+
Reported-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-09-06 10:22:22 +02:00
Heyi Guo
ab8ecc278d KVM: arm/arm64: vgic: Fix potential deadlock when ap_list is long
[ Upstream commit d4a8061a7c5f7c27a2dc002ee4cb89b3e6637e44 ]

If the ap_list is longer than 256 entries, merge_final() in list_sort()
will call the comparison callback with the same element twice, causing
a deadlock in vgic_irq_cmp().

Fix it by returning early when irqa == irqb.

Cc: stable@vger.kernel.org # 4.7+
Fixes: 8e44474579 ("KVM: arm/arm64: vgic-new: Add IRQ sorting")
Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
Signed-off-by: Heyi Guo <guoheyi@huawei.com>
[maz: massaged commit log and patch, added Fixes and Cc-stable]
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-09-06 10:22:22 +02:00
Marc Zyngier
8c7053d162 KVM: arm/arm64: Sync ICH_VMCR_EL2 back when about to block
commit 5eeaf10eec394b28fad2c58f1f5c3a5da0e87d1c upstream.

Since commit commit 328e566479 ("KVM: arm/arm64: vgic: Defer
touching GICH_VMCR to vcpu_load/put"), we leave ICH_VMCR_EL2 (or
its GICv2 equivalent) loaded as long as we can, only syncing it
back when we're scheduled out.

There is a small snag with that though: kvm_vgic_vcpu_pending_irq(),
which is indirectly called from kvm_vcpu_check_block(), needs to
evaluate the guest's view of ICC_PMR_EL1. At the point were we
call kvm_vcpu_check_block(), the vcpu is still loaded, and whatever
changes to PMR is not visible in memory until we do a vcpu_put().

Things go really south if the guest does the following:

	mov x0, #0	// or any small value masking interrupts
	msr ICC_PMR_EL1, x0

	[vcpu preempted, then rescheduled, VMCR sampled]

	mov x0, #ff	// allow all interrupts
	msr ICC_PMR_EL1, x0
	wfi		// traps to EL2, so samping of VMCR

	[interrupt arrives just after WFI]

Here, the hypervisor's view of PMR is zero, while the guest has enabled
its interrupts. kvm_vgic_vcpu_pending_irq() will then say that no
interrupts are pending (despite an interrupt being received) and we'll
block for no reason. If the guest doesn't have a periodic interrupt
firing once it has blocked, it will stay there forever.

To avoid this unfortuante situation, let's resync VMCR from
kvm_arch_vcpu_blocking(), ensuring that a following kvm_vcpu_check_block()
will observe the latest value of PMR.

This has been found by booting an arm64 Linux guest with the pseudo NMI
feature, and thus using interrupt priorities to mask interrupts instead
of the usual PSTATE masking.

Cc: stable@vger.kernel.org # 4.12
Fixes: 328e566479 ("KVM: arm/arm64: vgic: Defer touching GICH_VMCR to vcpu_load/put")
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-08-25 10:47:59 +02:00
Wanpeng Li
2bc73d9141 KVM: Fix leak vCPU's VMCS value into other pCPU
commit 17e433b54393a6269acbcb792da97791fe1592d8 upstream.

After commit d73eb57b80b (KVM: Boost vCPUs that are delivering interrupts), a
five years old bug is exposed. Running ebizzy benchmark in three 80 vCPUs VMs
on one 80 pCPUs Skylake server, a lot of rcu_sched stall warning splatting
in the VMs after stress testing:

 INFO: rcu_sched detected stalls on CPUs/tasks: { 4 41 57 62 77} (detected by 15, t=60004 jiffies, g=899, c=898, q=15073)
 Call Trace:
   flush_tlb_mm_range+0x68/0x140
   tlb_flush_mmu.part.75+0x37/0xe0
   tlb_finish_mmu+0x55/0x60
   zap_page_range+0x142/0x190
   SyS_madvise+0x3cd/0x9c0
   system_call_fastpath+0x1c/0x21

swait_active() sustains to be true before finish_swait() is called in
kvm_vcpu_block(), voluntarily preempted vCPUs are taken into account
by kvm_vcpu_on_spin() loop greatly increases the probability condition
kvm_arch_vcpu_runnable(vcpu) is checked and can be true, when APICv
is enabled the yield-candidate vCPU's VMCS RVI field leaks(by
vmx_sync_pir_to_irr()) into spinning-on-a-taken-lock vCPU's current
VMCS.

This patch fixes it by checking conservatively a subset of events.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Marc Zyngier <Marc.Zyngier@arm.com>
Cc: stable@vger.kernel.org
Fixes: 98f4a1467 (KVM: add kvm_arch_vcpu_runnable() test to kvm_vcpu_on_spin() loop)
Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-08-16 10:12:53 +02:00
Dave Martin
512bbb114b KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy
[ Upstream commit 4729ec8c1e1145234aeeebad5d96d77f4ccbb00a ]

kvm_device->destroy() seems to be supposed to free its kvm_device
struct, but vgic_its_destroy() is not currently doing this,
resulting in a memory leak, resulting in kmemleak reports such as
the following:

unreferenced object 0xffff800aeddfe280 (size 128):
  comm "qemu-system-aar", pid 13799, jiffies 4299827317 (age 1569.844s)
  [...]
  backtrace:
    [<00000000a08b80e2>] kmem_cache_alloc+0x178/0x208
    [<00000000dcad2bd3>] kvm_vm_ioctl+0x350/0xbc0

Fix it.

Cc: Andre Przywara <andre.przywara@arm.com>
Fixes: 1085fdc68c ("KVM: arm64: vgic-its: Introduce new KVM ITS device")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-07-14 08:11:10 +02:00
James Morse
60b300975e KVM: arm/arm64: Move cc/it checks under hyp's Makefile to avoid instrumentation
[ Upstream commit 623e1528d4090bd1abaf93ec46f047dee9a6fb32 ]

KVM has helpers to handle the condition codes of trapped aarch32
instructions. These are marked __hyp_text and used from HYP, but they
aren't built by the 'hyp' Makefile, which has all the runes to avoid ASAN
and KCOV instrumentation.

Move this code to a new hyp/aarch32.c to avoid a hyp-panic when starting
an aarch32 guest on a host built with the ASAN/KCOV debug options.

Fixes: 021234ef37 ("KVM: arm64: Make kvm_condition_valid32() accessible from EL2")
Fixes: 8cebe750c4 ("arm64: KVM: Make kvm_skip_instr32 available to HYP")
Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-06-19 08:18:04 +02:00
Thomas Huth
6a2fbec707 KVM: s390: Do not report unusabled IDs via KVM_CAP_MAX_VCPU_ID
commit a86cb413f4bf273a9d341a3ab2c2ca44e12eb317 upstream.

KVM_CAP_MAX_VCPU_ID is currently always reporting KVM_MAX_VCPU_ID on all
architectures. However, on s390x, the amount of usable CPUs is determined
during runtime - it is depending on the features of the machine the code
is running on. Since we are using the vcpu_id as an index into the SCA
structures that are defined by the hardware (see e.g. the sca_add_vcpu()
function), it is not only the amount of CPUs that is limited by the hard-
ware, but also the range of IDs that we can use.
Thus KVM_CAP_MAX_VCPU_ID must be determined during runtime on s390x, too.
So the handling of KVM_CAP_MAX_VCPU_ID has to be moved from the common
code into the architecture specific code, and on s390x we have to return
the same value here as for KVM_CAP_MAX_VCPUS.
This problem has been discovered with the kvm_create_max_vcpus selftest.
With this change applied, the selftest now passes on s390x, too.

Reviewed-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20190523164309.13345-9-thuth@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-09 09:17:18 +02:00
Andrew Jones
a1251522a5 KVM: arm/arm64: Ensure vcpu target is unset on reset failure
[ Upstream commit 811328fc3222f7b55846de0cd0404339e2e1e6d7 ]

A failed KVM_ARM_VCPU_INIT should not set the vcpu target,
as the vcpu target is used by kvm_vcpu_initialized() to
determine if other vcpu ioctls may proceed. We need to set
the target before calling kvm_reset_vcpu(), but if that call
fails, we should then unset it and clear the feature bitmap
while we're at it.

Signed-off-by: Andrew Jones <drjones@redhat.com>
[maz: Simplified patch, completed commit message]
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-05-25 18:23:44 +02:00
Paolo Bonzini
d39f3cc713 KVM: fix spectrev1 gadgets
[ Upstream commit 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c ]

These were found with smatch, and then generalized when applicable.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-05-16 19:41:22 +02:00
Marc Zyngier
e4705ae727 KVM: arm/arm64: vgic-its: Take the srcu lock when parsing the memslots
[ Upstream commit 7494cec6cb3ba7385a6a223b81906384f15aae34 ]

Calling kvm_is_visible_gfn() implies that we're parsing the memslots,
and doing this without the srcu lock is frown upon:

[12704.164532] =============================
[12704.164544] WARNING: suspicious RCU usage
[12704.164560] 5.1.0-rc1-00008-g600025238f51-dirty #16 Tainted: G        W
[12704.164573] -----------------------------
[12704.164589] ./include/linux/kvm_host.h:605 suspicious rcu_dereference_check() usage!
[12704.164602] other info that might help us debug this:
[12704.164616] rcu_scheduler_active = 2, debug_locks = 1
[12704.164631] 6 locks held by qemu-system-aar/13968:
[12704.164644]  #0: 000000007ebdae4f (&kvm->lock){+.+.}, at: vgic_its_set_attr+0x244/0x3a0
[12704.164691]  #1: 000000007d751022 (&its->its_lock){+.+.}, at: vgic_its_set_attr+0x250/0x3a0
[12704.164726]  #2: 00000000219d2706 (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
[12704.164761]  #3: 00000000a760aecd (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
[12704.164794]  #4: 000000000ef8e31d (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
[12704.164827]  #5: 000000007a872093 (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
[12704.164861] stack backtrace:
[12704.164878] CPU: 2 PID: 13968 Comm: qemu-system-aar Tainted: G        W         5.1.0-rc1-00008-g600025238f51-dirty #16
[12704.164887] Hardware name: rockchip evb_rk3399/evb_rk3399, BIOS 2019.04-rc3-00124-g2feec69fb1 03/15/2019
[12704.164896] Call trace:
[12704.164910]  dump_backtrace+0x0/0x138
[12704.164920]  show_stack+0x24/0x30
[12704.164934]  dump_stack+0xbc/0x104
[12704.164946]  lockdep_rcu_suspicious+0xcc/0x110
[12704.164958]  gfn_to_memslot+0x174/0x190
[12704.164969]  kvm_is_visible_gfn+0x28/0x70
[12704.164980]  vgic_its_check_id.isra.0+0xec/0x1e8
[12704.164991]  vgic_its_save_tables_v0+0x1ac/0x330
[12704.165001]  vgic_its_set_attr+0x298/0x3a0
[12704.165012]  kvm_device_ioctl_attr+0x9c/0xd8
[12704.165022]  kvm_device_ioctl+0x8c/0xf8
[12704.165035]  do_vfs_ioctl+0xc8/0x960
[12704.165045]  ksys_ioctl+0x8c/0xa0
[12704.165055]  __arm64_sys_ioctl+0x28/0x38
[12704.165067]  el0_svc_common+0xd8/0x138
[12704.165078]  el0_svc_handler+0x38/0x78
[12704.165089]  el0_svc+0x8/0xc

Make sure the lock is taken when doing this.

Fixes: bf308242ab ("KVM: arm/arm64: VGIC/ITS: protect kvm_read_guest() calls with SRCU lock")
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
2019-05-04 09:20:14 +02:00
Marc Zyngier
0371fa0337 KVM: arm/arm64: vgic-its: Take the srcu lock when writing to guest memory
[ Upstream commit a6ecfb11bf37743c1ac49b266595582b107b61d4 ]

When halting a guest, QEMU flushes the virtual ITS caches, which
amounts to writing to the various tables that the guest has allocated.

When doing this, we fail to take the srcu lock, and the kernel
shouts loudly if running a lockdep kernel:

[   69.680416] =============================
[   69.680819] WARNING: suspicious RCU usage
[   69.681526] 5.1.0-rc1-00008-g600025238f51-dirty #18 Not tainted
[   69.682096] -----------------------------
[   69.682501] ./include/linux/kvm_host.h:605 suspicious rcu_dereference_check() usage!
[   69.683225]
[   69.683225] other info that might help us debug this:
[   69.683225]
[   69.683975]
[   69.683975] rcu_scheduler_active = 2, debug_locks = 1
[   69.684598] 6 locks held by qemu-system-aar/4097:
[   69.685059]  #0: 0000000034196013 (&kvm->lock){+.+.}, at: vgic_its_set_attr+0x244/0x3a0
[   69.686087]  #1: 00000000f2ed935e (&its->its_lock){+.+.}, at: vgic_its_set_attr+0x250/0x3a0
[   69.686919]  #2: 000000005e71ea54 (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
[   69.687698]  #3: 00000000c17e548d (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
[   69.688475]  #4: 00000000ba386017 (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
[   69.689978]  #5: 00000000c2c3c335 (&vcpu->mutex){+.+.}, at: lock_all_vcpus+0x64/0xd0
[   69.690729]
[   69.690729] stack backtrace:
[   69.691151] CPU: 2 PID: 4097 Comm: qemu-system-aar Not tainted 5.1.0-rc1-00008-g600025238f51-dirty #18
[   69.691984] Hardware name: rockchip evb_rk3399/evb_rk3399, BIOS 2019.04-rc3-00124-g2feec69fb1 03/15/2019
[   69.692831] Call trace:
[   69.694072]  lockdep_rcu_suspicious+0xcc/0x110
[   69.694490]  gfn_to_memslot+0x174/0x190
[   69.694853]  kvm_write_guest+0x50/0xb0
[   69.695209]  vgic_its_save_tables_v0+0x248/0x330
[   69.695639]  vgic_its_set_attr+0x298/0x3a0
[   69.696024]  kvm_device_ioctl_attr+0x9c/0xd8
[   69.696424]  kvm_device_ioctl+0x8c/0xf8
[   69.696788]  do_vfs_ioctl+0xc8/0x960
[   69.697128]  ksys_ioctl+0x8c/0xa0
[   69.697445]  __arm64_sys_ioctl+0x28/0x38
[   69.697817]  el0_svc_common+0xd8/0x138
[   69.698173]  el0_svc_handler+0x38/0x78
[   69.698528]  el0_svc+0x8/0xc

The fix is to obviously take the srcu lock, just like we do on the
read side of things since bf308242ab. One wonders why this wasn't
fixed at the same time, but hey...

Fixes: bf308242ab ("KVM: arm/arm64: VGIC/ITS: protect kvm_read_guest() calls with SRCU lock")
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
2019-05-04 09:20:13 +02:00
Sean Christopherson
7ceedcefc2 KVM: Reject device ioctls from processes other than the VM's creator
commit ddba91801aeb5c160b660caed1800eb3aef403f8 upstream.

KVM's API requires thats ioctls must be issued from the same process
that created the VM.  In other words, userspace can play games with a
VM's file descriptors, e.g. fork(), SCM_RIGHTS, etc..., but only the
creator can do anything useful.  Explicitly reject device ioctls that
are issued by a process other than the VM's creator, and update KVM's
API documentation to extend its requirements to device ioctls.

Fixes: 852b6d57dc ("kvm: add device control API")
Cc: <stable@vger.kernel.org>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-04-03 06:26:29 +02:00
Sean Christopherson
23ad135ae6 KVM: Call kvm_arch_memslots_updated() before updating memslots
commit 152482580a1b0accb60676063a1ac57b2d12daf6 upstream.

kvm_arch_memslots_updated() is at this point in time an x86-specific
hook for handling MMIO generation wraparound.  x86 stashes 19 bits of
the memslots generation number in its MMIO sptes in order to avoid
full page fault walks for repeat faults on emulated MMIO addresses.
Because only 19 bits are used, wrapping the MMIO generation number is
possible, if unlikely.  kvm_arch_memslots_updated() alerts x86 that
the generation has changed so that it can invalidate all MMIO sptes in
case the effective MMIO generation has wrapped so as to avoid using a
stale spte, e.g. a (very) old spte that was created with generation==0.

Given that the purpose of kvm_arch_memslots_updated() is to prevent
consuming stale entries, it needs to be called before the new generation
is propagated to memslots.  Invalidating the MMIO sptes after updating
memslots means that there is a window where a vCPU could dereference
the new memslots generation, e.g. 0, and incorrectly reuse an old MMIO
spte that was created with (pre-wrap) generation==0.

Fixes: e59dbe09f8 ("KVM: Introduce kvm_arch_memslots_updated()")
Cc: <stable@vger.kernel.org>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-03-23 20:10:13 +01:00
Christoffer Dall
04131dfcb9 KVM: arm/arm64: vgic: Always initialize the group of private IRQs
[ Upstream commit ab2d5eb03dbb7b37a1c6356686fb48626ab0c93e ]

We currently initialize the group of private IRQs during
kvm_vgic_vcpu_init, and the value of the group depends on the GIC model
we are emulating.  However, CPUs created before creating (and
initializing) the VGIC might end up with the wrong group if the VGIC
is created as GICv3 later.

Since we have no enforced ordering of creating the VGIC and creating
VCPUs, we can end up with part the VCPUs being properly intialized and
the remaining incorrectly initialized.  That also means that we have no
single place to do the per-cpu data structure initialization which
depends on knowing the emulated GIC model (which is only the group
field).

This patch removes the incorrect comment from kvm_vgic_vcpu_init and
initializes the group of all previously created VCPUs's private
interrupts in vgic_init in addition to the existing initialization in
kvm_vgic_vcpu_init.

Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-03-23 20:09:43 +01:00
Marc Zyngier
b78379c337 arm/arm64: KVM: Allow a VCPU to fully reset itself
[ Upstream commit 358b28f09f0ab074d781df72b8a671edb1547789 ]

The current kvm_psci_vcpu_on implementation will directly try to
manipulate the state of the VCPU to reset it.  However, since this is
not done on the thread that runs the VCPU, we can end up in a strangely
corrupted state when the source and target VCPUs are running at the same
time.

Fix this by factoring out all reset logic from the PSCI implementation
and forwarding the required information along with a request to the
target VCPU.

Reviewed-by: Andrew Jones <drjones@redhat.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-03-23 20:09:43 +01:00
Julien Thierry
5f4a64b040 KVM: arm/arm64: vgic: Make vgic_dist->lpi_list_lock a raw_spinlock
[ Upstream commit fc3bc475231e12e9c0142f60100cf84d077c79e1 ]

vgic_dist->lpi_list_lock must always be taken with interrupts disabled as
it is used in interrupt context.

For configurations such as PREEMPT_RT_FULL, this means that it should
be a raw_spinlock since RT spinlocks are interruptible.

Signed-off-by: Julien Thierry <julien.thierry@arm.com>
Acked-by: Christoffer Dall <christoffer.dall@arm.com>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-03-23 20:09:42 +01:00
Jann Horn
24b027d2b1 kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
commit cfa39381173d5f969daf43582c95ad679189cbc9 upstream.

kvm_ioctl_create_device() does the following:

1. creates a device that holds a reference to the VM object (with a borrowed
   reference, the VM's refcount has not been bumped yet)
2. initializes the device
3. transfers the reference to the device to the caller's file descriptor table
4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real
   reference

The ownership transfer in step 3 must not happen before the reference to the VM
becomes a proper, non-borrowed reference, which only happens in step 4.
After step 3, an attacker can close the file descriptor and drop the borrowed
reference, which can cause the refcount of the kvm object to drop to zero.

This means that we need to grab a reference for the device before
anon_inode_getfd(), otherwise the VM can disappear from under us.

Fixes: 852b6d57dc ("kvm: add device control API")
Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-02-12 19:47:25 +01:00
Jim Mattson
ad9241f24f kvm: Change offset in kvm_write_guest_offset_cached to unsigned
[ Upstream commit 7a86dab8cf2f0fdf508f3555dddfc236623bff60 ]

Since the offset is added directly to the hva from the
gfn_to_hva_cache, a negative offset could result in an out of bounds
write. The existing BUG_ON only checks for addresses beyond the end of
the gfn_to_hva_cache, not for addresses before the start of the
gfn_to_hva_cache.

Note that all current call sites have non-negative offsets.

Fixes: 4ec6e86362 ("kvm: Introduce kvm_write_guest_offset_cached()")
Reported-by: Cfir Cohen <cfir@google.com>
Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Cfir Cohen <cfir@google.com>
Reviewed-by: Peter Shier <pshier@google.com>
Reviewed-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-02-12 19:47:16 +01:00
Mark Rutland
c709eeb02c arm64: KVM: Skip MMIO insn after emulation
[ Upstream commit 0d640732dbebed0f10f18526de21652931f0b2f2 ]

When we emulate an MMIO instruction, we advance the CPU state within
decode_hsr(), before emulating the instruction effects.

Having this logic in decode_hsr() is opaque, and advancing the state
before emulation is problematic. It gets in the way of applying
consistent single-step logic, and it prevents us from being able to fail
an MMIO instruction with a synchronous exception.

Clean this up by only advancing the CPU state *after* the effects of the
instruction are emulated.

Cc: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-02-12 19:47:12 +01:00
Christoffer Dall
4f14f446d1 KVM: arm/arm64: Fix VMID alloc race by reverting to lock-less
commit fb544d1ca65a89f7a3895f7531221ceeed74ada7 upstream.

We recently addressed a VMID generation race by introducing a read/write
lock around accesses and updates to the vmid generation values.

However, kvm_arch_vcpu_ioctl_run() also calls need_new_vmid_gen() but
does so without taking the read lock.

As far as I can tell, this can lead to the same kind of race:

  VM 0, VCPU 0			VM 0, VCPU 1
  ------------			------------
  update_vttbr (vmid 254)
  				update_vttbr (vmid 1) // roll over
				read_lock(kvm_vmid_lock);
				force_vm_exit()
  local_irq_disable
  need_new_vmid_gen == false //because vmid gen matches

  enter_guest (vmid 254)
  				kvm_arch.vttbr = <PGD>:<VMID 1>
				read_unlock(kvm_vmid_lock);

  				enter_guest (vmid 1)

Which results in running two VCPUs in the same VM with different VMIDs
and (even worse) other VCPUs from other VMs could now allocate clashing
VMID 254 from the new generation as long as VCPU 0 is not exiting.

Attempt to solve this by making sure vttbr is updated before another CPU
can observe the updated VMID generation.

Cc: stable@vger.kernel.org
Fixes: f0cf47d939 "KVM: arm/arm64: Close VMID generation race"
Reviewed-by: Julien Thierry <julien.thierry@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-01-16 22:04:37 +01:00
Gustavo A. R. Silva
f318d0cf26 KVM: arm/arm64: vgic: Fix off-by-one bug in vgic_get_irq()
commit c23b2e6fc4ca346018618266bcabd335c0a8a49e upstream.

When using the nospec API, it should be taken into account that:

"...if the CPU speculates past the bounds check then
 * array_index_nospec() will clamp the index within the range of [0,
 * size)."

The above is part of the header for macro array_index_nospec() in
linux/nospec.h

Now, in this particular case, if intid evaluates to exactly VGIC_MAX_SPI
or to exaclty VGIC_MAX_PRIVATE, the array_index_nospec() macro ends up
returning VGIC_MAX_SPI - 1 or VGIC_MAX_PRIVATE - 1 respectively, instead
of VGIC_MAX_SPI or VGIC_MAX_PRIVATE, which, based on the original logic:

	/* SGIs and PPIs */
	if (intid <= VGIC_MAX_PRIVATE)
 		return &vcpu->arch.vgic_cpu.private_irqs[intid];

 	/* SPIs */
	if (intid <= VGIC_MAX_SPI)
 		return &kvm->arch.vgic.spis[intid - VGIC_NR_PRIVATE_IRQS];

are valid values for intid.

Fix this by calling array_index_nospec() macro with VGIC_MAX_PRIVATE + 1
and VGIC_MAX_SPI + 1 as arguments for its parameter size.

Fixes: 41b87599c7 ("KVM: arm/arm64: vgic: fix possible spectre-v1 in vgic_get_irq()")
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
[dropped the SPI part which was fixed separately]
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-01-09 17:38:49 +01:00
Christoffer Dall
47ffaa7dec KVM: arm/arm64: vgic-v2: Set active_source to 0 when restoring state
commit 60c3ab30d8c2ff3a52606df03f05af2aae07dc6b upstream.

When restoring the active state from userspace, we don't know which CPU
was the source for the active state, and this is not architecturally
exposed in any of the register state.

Set the active_source to 0 in this case.  In the future, we can expand
on this and exposse the information as additional information to
userspace for GICv2 if anyone cares.

Cc: stable@vger.kernel.org
Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-01-09 17:38:49 +01:00