From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1057155-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by finch.gentoo.org (Postfix) with ESMTPS id 6000C138334
for <garchives@archives.gentoo.org>; Wed, 14 Nov 2018 13:16:04 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
by pigeon.gentoo.org (Postfix) with SMTP id 5C30CE0BA3;
Wed, 14 Nov 2018 13:16:00 +0000 (UTC)
Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by pigeon.gentoo.org (Postfix) with ESMTPS id 1D5BDE0BA3
for <gentoo-commits@lists.gentoo.org>; Wed, 14 Nov 2018 13:16:00 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by smtp.gentoo.org (Postfix) with ESMTPS id 71623335C29
for <gentoo-commits@lists.gentoo.org>; Wed, 14 Nov 2018 13:15:58 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
by oystercatcher.gentoo.org (Postfix) with ESMTP id 374ED472
for <gentoo-commits@lists.gentoo.org>; Wed, 14 Nov 2018 13:15:55 +0000 (UTC)
From: "Mike Pagano" <mpagano@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Mike Pagano" <mpagano@gentoo.org>
Message-ID: <1542201339.9d152ea4454cd6ccffcb5738f232da5974d6a081.mpagano@gentoo>
Subject: [gentoo-commits] proj/linux-patches:4.18 commit in: /
X-VCS-Repository: proj/linux-patches
X-VCS-Files: 0000_README 1004_linux-4.18.5.patch
X-VCS-Directories: /
X-VCS-Committer: mpagano
X-VCS-Committer-Name: Mike Pagano
X-VCS-Revision: 9d152ea4454cd6ccffcb5738f232da5974d6a081
X-VCS-Branch: 4.18
Date: Wed, 14 Nov 2018 13:15:55 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: db3e141b-50bc-418e-ae53-8d38d9c9a13a
X-Archives-Hash: b08377516f2a83e5f5624f8cb809ed7a
commit: 9d152ea4454cd6ccffcb5738f232da5974d6a081
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 24 11:46:20 2018 +0000
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
CommitDate: Wed Nov 14 13:15:39 2018 +0000
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=9d152ea4
Linux patch 4.18.5
Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
0000_README | 4 +
1004_linux-4.18.5.patch | 742 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 746 insertions(+)
diff --git a/0000_README b/0000_README
index c7d6cc0..8da0979 100644
--- a/0000_README
+++ b/0000_README
@@ -59,6 +59,10 @@ Patch: 1003_linux-4.18.4.patch
From: http://www.kernel.org
Desc: Linux 4.18.4
+Patch: 1004_linux-4.18.5.patch
+From: http://www.kernel.org
+Desc: Linux 4.18.5
+
Patch: 1500_XATTR_USER_PREFIX.patch
From: https://bugs.gentoo.org/show_bug.cgi?id=470644
Desc: Support for namespace user.pax.* on tmpfs.
diff --git a/1004_linux-4.18.5.patch b/1004_linux-4.18.5.patch
new file mode 100644
index 0000000..abf70a2
--- /dev/null
+++ b/1004_linux-4.18.5.patch
@@ -0,0 +1,742 @@
+diff --git a/Makefile b/Makefile
+index ef0dd566c104..a41692c5827a 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,7 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ VERSION = 4
+ PATCHLEVEL = 18
+-SUBLEVEL = 4
++SUBLEVEL = 5
+ EXTRAVERSION =
+ NAME = Merciless Moray
+
+diff --git a/arch/parisc/include/asm/spinlock.h b/arch/parisc/include/asm/spinlock.h
+index 6f84b6acc86e..8a63515f03bf 100644
+--- a/arch/parisc/include/asm/spinlock.h
++++ b/arch/parisc/include/asm/spinlock.h
+@@ -20,7 +20,6 @@ static inline void arch_spin_lock_flags(arch_spinlock_t *x,
+ {
+ volatile unsigned int *a;
+
+- mb();
+ a = __ldcw_align(x);
+ while (__ldcw(a) == 0)
+ while (*a == 0)
+@@ -30,17 +29,16 @@ static inline void arch_spin_lock_flags(arch_spinlock_t *x,
+ local_irq_disable();
+ } else
+ cpu_relax();
+- mb();
+ }
+ #define arch_spin_lock_flags arch_spin_lock_flags
+
+ static inline void arch_spin_unlock(arch_spinlock_t *x)
+ {
+ volatile unsigned int *a;
+- mb();
++
+ a = __ldcw_align(x);
+- *a = 1;
+ mb();
++ *a = 1;
+ }
+
+ static inline int arch_spin_trylock(arch_spinlock_t *x)
+@@ -48,10 +46,8 @@ static inline int arch_spin_trylock(arch_spinlock_t *x)
+ volatile unsigned int *a;
+ int ret;
+
+- mb();
+ a = __ldcw_align(x);
+ ret = __ldcw(a) != 0;
+- mb();
+
+ return ret;
+ }
+diff --git a/arch/parisc/kernel/syscall.S b/arch/parisc/kernel/syscall.S
+index 4886a6db42e9..5f7e57fcaeef 100644
+--- a/arch/parisc/kernel/syscall.S
++++ b/arch/parisc/kernel/syscall.S
+@@ -629,12 +629,12 @@ cas_action:
+ stw %r1, 4(%sr2,%r20)
+ #endif
+ /* The load and store could fail */
+-1: ldw,ma 0(%r26), %r28
++1: ldw 0(%r26), %r28
+ sub,<> %r28, %r25, %r0
+-2: stw,ma %r24, 0(%r26)
++2: stw %r24, 0(%r26)
+ /* Free lock */
+ sync
+- stw,ma %r20, 0(%sr2,%r20)
++ stw %r20, 0(%sr2,%r20)
+ #if ENABLE_LWS_DEBUG
+ /* Clear thread register indicator */
+ stw %r0, 4(%sr2,%r20)
+@@ -798,30 +798,30 @@ cas2_action:
+ ldo 1(%r0),%r28
+
+ /* 8bit CAS */
+-13: ldb,ma 0(%r26), %r29
++13: ldb 0(%r26), %r29
+ sub,= %r29, %r25, %r0
+ b,n cas2_end
+-14: stb,ma %r24, 0(%r26)
++14: stb %r24, 0(%r26)
+ b cas2_end
+ copy %r0, %r28
+ nop
+ nop
+
+ /* 16bit CAS */
+-15: ldh,ma 0(%r26), %r29
++15: ldh 0(%r26), %r29
+ sub,= %r29, %r25, %r0
+ b,n cas2_end
+-16: sth,ma %r24, 0(%r26)
++16: sth %r24, 0(%r26)
+ b cas2_end
+ copy %r0, %r28
+ nop
+ nop
+
+ /* 32bit CAS */
+-17: ldw,ma 0(%r26), %r29
++17: ldw 0(%r26), %r29
+ sub,= %r29, %r25, %r0
+ b,n cas2_end
+-18: stw,ma %r24, 0(%r26)
++18: stw %r24, 0(%r26)
+ b cas2_end
+ copy %r0, %r28
+ nop
+@@ -829,10 +829,10 @@ cas2_action:
+
+ /* 64bit CAS */
+ #ifdef CONFIG_64BIT
+-19: ldd,ma 0(%r26), %r29
++19: ldd 0(%r26), %r29
+ sub,*= %r29, %r25, %r0
+ b,n cas2_end
+-20: std,ma %r24, 0(%r26)
++20: std %r24, 0(%r26)
+ copy %r0, %r28
+ #else
+ /* Compare first word */
+@@ -851,7 +851,7 @@ cas2_action:
+ cas2_end:
+ /* Free lock */
+ sync
+- stw,ma %r20, 0(%sr2,%r20)
++ stw %r20, 0(%sr2,%r20)
+ /* Enable interrupts */
+ ssm PSW_SM_I, %r0
+ /* Return to userspace, set no error */
+diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c
+index a8b277362931..4cb8f1f7b593 100644
+--- a/arch/powerpc/kernel/security.c
++++ b/arch/powerpc/kernel/security.c
+@@ -117,25 +117,35 @@ ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, cha
+
+ ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
+ {
+- if (!security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR))
+- return sprintf(buf, "Not affected\n");
++ struct seq_buf s;
++
++ seq_buf_init(&s, buf, PAGE_SIZE - 1);
+
+- if (barrier_nospec_enabled)
+- return sprintf(buf, "Mitigation: __user pointer sanitization\n");
++ if (security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR)) {
++ if (barrier_nospec_enabled)
++ seq_buf_printf(&s, "Mitigation: __user pointer sanitization");
++ else
++ seq_buf_printf(&s, "Vulnerable");
+
+- return sprintf(buf, "Vulnerable\n");
++ if (security_ftr_enabled(SEC_FTR_SPEC_BAR_ORI31))
++ seq_buf_printf(&s, ", ori31 speculation barrier enabled");
++
++ seq_buf_printf(&s, "\n");
++ } else
++ seq_buf_printf(&s, "Not affected\n");
++
++ return s.len;
+ }
+
+ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
+ {
+- bool bcs, ccd, ori;
+ struct seq_buf s;
++ bool bcs, ccd;
+
+ seq_buf_init(&s, buf, PAGE_SIZE - 1);
+
+ bcs = security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED);
+ ccd = security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED);
+- ori = security_ftr_enabled(SEC_FTR_SPEC_BAR_ORI31);
+
+ if (bcs || ccd) {
+ seq_buf_printf(&s, "Mitigation: ");
+@@ -151,9 +161,6 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, c
+ } else
+ seq_buf_printf(&s, "Vulnerable");
+
+- if (ori)
+- seq_buf_printf(&s, ", ori31 speculation barrier enabled");
+-
+ seq_buf_printf(&s, "\n");
+
+ return s.len;
+diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
+index 79e409974ccc..682286aca881 100644
+--- a/arch/x86/include/asm/processor.h
++++ b/arch/x86/include/asm/processor.h
+@@ -971,6 +971,7 @@ static inline uint32_t hypervisor_cpuid_base(const char *sig, uint32_t leaves)
+
+ extern unsigned long arch_align_stack(unsigned long sp);
+ extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
++extern void free_kernel_image_pages(void *begin, void *end);
+
+ void default_idle(void);
+ #ifdef CONFIG_XEN
+diff --git a/arch/x86/include/asm/set_memory.h b/arch/x86/include/asm/set_memory.h
+index bd090367236c..34cffcef7375 100644
+--- a/arch/x86/include/asm/set_memory.h
++++ b/arch/x86/include/asm/set_memory.h
+@@ -46,6 +46,7 @@ int set_memory_np(unsigned long addr, int numpages);
+ int set_memory_4k(unsigned long addr, int numpages);
+ int set_memory_encrypted(unsigned long addr, int numpages);
+ int set_memory_decrypted(unsigned long addr, int numpages);
++int set_memory_np_noalias(unsigned long addr, int numpages);
+
+ int set_memory_array_uc(unsigned long *addr, int addrinarray);
+ int set_memory_array_wc(unsigned long *addr, int addrinarray);
+diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
+index 83241eb71cd4..acfab322fbe0 100644
+--- a/arch/x86/mm/init.c
++++ b/arch/x86/mm/init.c
+@@ -775,13 +775,44 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
+ }
+ }
+
++/*
++ * begin/end can be in the direct map or the "high kernel mapping"
++ * used for the kernel image only. free_init_pages() will do the
++ * right thing for either kind of address.
++ */
++void free_kernel_image_pages(void *begin, void *end)
++{
++ unsigned long begin_ul = (unsigned long)begin;
++ unsigned long end_ul = (unsigned long)end;
++ unsigned long len_pages = (end_ul - begin_ul) >> PAGE_SHIFT;
++
++
++ free_init_pages("unused kernel image", begin_ul, end_ul);
++
++ /*
++ * PTI maps some of the kernel into userspace. For performance,
++ * this includes some kernel areas that do not contain secrets.
++ * Those areas might be adjacent to the parts of the kernel image
++ * being freed, which may contain secrets. Remove the "high kernel
++ * image mapping" for these freed areas, ensuring they are not even
++ * potentially vulnerable to Meltdown regardless of the specific
++ * optimizations PTI is currently using.
++ *
++ * The "noalias" prevents unmapping the direct map alias which is
++ * needed to access the freed pages.
++ *
++ * This is only valid for 64bit kernels. 32bit has only one mapping
++ * which can't be treated in this way for obvious reasons.
++ */
++ if (IS_ENABLED(CONFIG_X86_64) && cpu_feature_enabled(X86_FEATURE_PTI))
++ set_memory_np_noalias(begin_ul, len_pages);
++}
++
+ void __ref free_initmem(void)
+ {
+ e820__reallocate_tables();
+
+- free_init_pages("unused kernel",
+- (unsigned long)(&__init_begin),
+- (unsigned long)(&__init_end));
++ free_kernel_image_pages(&__init_begin, &__init_end);
+ }
+
+ #ifdef CONFIG_BLK_DEV_INITRD
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index a688617c727e..68c292cb1ebf 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -1283,12 +1283,8 @@ void mark_rodata_ro(void)
+ set_memory_ro(start, (end-start) >> PAGE_SHIFT);
+ #endif
+
+- free_init_pages("unused kernel",
+- (unsigned long) __va(__pa_symbol(text_end)),
+- (unsigned long) __va(__pa_symbol(rodata_start)));
+- free_init_pages("unused kernel",
+- (unsigned long) __va(__pa_symbol(rodata_end)),
+- (unsigned long) __va(__pa_symbol(_sdata)));
++ free_kernel_image_pages((void *)text_end, (void *)rodata_start);
++ free_kernel_image_pages((void *)rodata_end, (void *)_sdata);
+
+ debug_checkwx();
+
+diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
+index 29505724202a..8d6c34fe49be 100644
+--- a/arch/x86/mm/pageattr.c
++++ b/arch/x86/mm/pageattr.c
+@@ -53,6 +53,7 @@ static DEFINE_SPINLOCK(cpa_lock);
+ #define CPA_FLUSHTLB 1
+ #define CPA_ARRAY 2
+ #define CPA_PAGES_ARRAY 4
++#define CPA_NO_CHECK_ALIAS 8 /* Do not search for aliases */
+
+ #ifdef CONFIG_PROC_FS
+ static unsigned long direct_pages_count[PG_LEVEL_NUM];
+@@ -1486,6 +1487,9 @@ static int change_page_attr_set_clr(unsigned long *addr, int numpages,
+
+ /* No alias checking for _NX bit modifications */
+ checkalias = (pgprot_val(mask_set) | pgprot_val(mask_clr)) != _PAGE_NX;
++ /* Has caller explicitly disabled alias checking? */
++ if (in_flag & CPA_NO_CHECK_ALIAS)
++ checkalias = 0;
+
+ ret = __change_page_attr_set_clr(&cpa, checkalias);
+
+@@ -1772,6 +1776,15 @@ int set_memory_np(unsigned long addr, int numpages)
+ return change_page_attr_clear(&addr, numpages, __pgprot(_PAGE_PRESENT), 0);
+ }
+
++int set_memory_np_noalias(unsigned long addr, int numpages)
++{
++ int cpa_flags = CPA_NO_CHECK_ALIAS;
++
++ return change_page_attr_set_clr(&addr, numpages, __pgprot(0),
++ __pgprot(_PAGE_PRESENT), 0,
++ cpa_flags, NULL);
++}
++
+ int set_memory_4k(unsigned long addr, int numpages)
+ {
+ return change_page_attr_set_clr(&addr, numpages, __pgprot(0),
+diff --git a/drivers/edac/edac_mc.c b/drivers/edac/edac_mc.c
+index 3bb82e511eca..7d3edd713932 100644
+--- a/drivers/edac/edac_mc.c
++++ b/drivers/edac/edac_mc.c
+@@ -215,6 +215,7 @@ const char * const edac_mem_types[] = {
+ [MEM_LRDDR3] = "Load-Reduced-DDR3-RAM",
+ [MEM_DDR4] = "Unbuffered-DDR4",
+ [MEM_RDDR4] = "Registered-DDR4",
++ [MEM_LRDDR4] = "Load-Reduced-DDR4-RAM",
+ [MEM_NVDIMM] = "Non-volatile-RAM",
+ };
+ EXPORT_SYMBOL_GPL(edac_mem_types);
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
+index fc818b4d849c..a44c3d58fef4 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
+@@ -31,7 +31,7 @@
+ #include <linux/power_supply.h>
+ #include <linux/hwmon.h>
+ #include <linux/hwmon-sysfs.h>
+-
++#include <linux/nospec.h>
+
+ static int amdgpu_debugfs_pm_init(struct amdgpu_device *adev);
+
+@@ -393,6 +393,7 @@ static ssize_t amdgpu_set_pp_force_state(struct device *dev,
+ count = -EINVAL;
+ goto fail;
+ }
++ idx = array_index_nospec(idx, ARRAY_SIZE(data.states));
+
+ amdgpu_dpm_get_pp_num_states(adev, &data);
+ state = data.states[idx];
+diff --git a/drivers/gpu/drm/i915/gvt/kvmgt.c b/drivers/gpu/drm/i915/gvt/kvmgt.c
+index df4e4a07db3d..14dce5c201d5 100644
+--- a/drivers/gpu/drm/i915/gvt/kvmgt.c
++++ b/drivers/gpu/drm/i915/gvt/kvmgt.c
+@@ -43,6 +43,8 @@
+ #include <linux/mdev.h>
+ #include <linux/debugfs.h>
+
++#include <linux/nospec.h>
++
+ #include "i915_drv.h"
+ #include "gvt.h"
+
+@@ -1084,7 +1086,8 @@ static long intel_vgpu_ioctl(struct mdev_device *mdev, unsigned int cmd,
+ } else if (cmd == VFIO_DEVICE_GET_REGION_INFO) {
+ struct vfio_region_info info;
+ struct vfio_info_cap caps = { .buf = NULL, .size = 0 };
+- int i, ret;
++ unsigned int i;
++ int ret;
+ struct vfio_region_info_cap_sparse_mmap *sparse = NULL;
+ size_t size;
+ int nr_areas = 1;
+@@ -1169,6 +1172,10 @@ static long intel_vgpu_ioctl(struct mdev_device *mdev, unsigned int cmd,
+ if (info.index >= VFIO_PCI_NUM_REGIONS +
+ vgpu->vdev.num_regions)
+ return -EINVAL;
++ info.index =
++ array_index_nospec(info.index,
++ VFIO_PCI_NUM_REGIONS +
++ vgpu->vdev.num_regions);
+
+ i = info.index - VFIO_PCI_NUM_REGIONS;
+
+diff --git a/drivers/i2c/busses/i2c-imx.c b/drivers/i2c/busses/i2c-imx.c
+index 498c5e891649..ad6adefb64da 100644
+--- a/drivers/i2c/busses/i2c-imx.c
++++ b/drivers/i2c/busses/i2c-imx.c
+@@ -668,9 +668,6 @@ static int i2c_imx_dma_read(struct imx_i2c_struct *i2c_imx,
+ struct imx_i2c_dma *dma = i2c_imx->dma;
+ struct device *dev = &i2c_imx->adapter.dev;
+
+- temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR);
+- temp |= I2CR_DMAEN;
+- imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR);
+
+ dma->chan_using = dma->chan_rx;
+ dma->dma_transfer_dir = DMA_DEV_TO_MEM;
+@@ -783,6 +780,7 @@ static int i2c_imx_read(struct imx_i2c_struct *i2c_imx, struct i2c_msg *msgs, bo
+ int i, result;
+ unsigned int temp;
+ int block_data = msgs->flags & I2C_M_RECV_LEN;
++ int use_dma = i2c_imx->dma && msgs->len >= DMA_THRESHOLD && !block_data;
+
+ dev_dbg(&i2c_imx->adapter.dev,
+ "<%s> write slave address: addr=0x%x\n",
+@@ -809,12 +807,14 @@ static int i2c_imx_read(struct imx_i2c_struct *i2c_imx, struct i2c_msg *msgs, bo
+ */
+ if ((msgs->len - 1) || block_data)
+ temp &= ~I2CR_TXAK;
++ if (use_dma)
++ temp |= I2CR_DMAEN;
+ imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR);
+ imx_i2c_read_reg(i2c_imx, IMX_I2C_I2DR); /* dummy read */
+
+ dev_dbg(&i2c_imx->adapter.dev, "<%s> read data\n", __func__);
+
+- if (i2c_imx->dma && msgs->len >= DMA_THRESHOLD && !block_data)
++ if (use_dma)
+ return i2c_imx_dma_read(i2c_imx, msgs, is_lastmsg);
+
+ /* read data */
+diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c
+index 7c3b4740b94b..b8f303dea305 100644
+--- a/drivers/i2c/i2c-core-acpi.c
++++ b/drivers/i2c/i2c-core-acpi.c
+@@ -482,11 +482,16 @@ static int acpi_gsb_i2c_write_bytes(struct i2c_client *client,
+ msgs[0].buf = buffer;
+
+ ret = i2c_transfer(client->adapter, msgs, ARRAY_SIZE(msgs));
+- if (ret < 0)
+- dev_err(&client->adapter->dev, "i2c write failed\n");
+
+ kfree(buffer);
+- return ret;
++
++ if (ret < 0) {
++ dev_err(&client->adapter->dev, "i2c write failed: %d\n", ret);
++ return ret;
++ }
++
++ /* 1 transfer must have completed successfully */
++ return (ret == 1) ? 0 : -EIO;
+ }
+
+ static acpi_status
+diff --git a/drivers/pci/controller/pci-aardvark.c b/drivers/pci/controller/pci-aardvark.c
+index 0fae816fba39..44604af23b3a 100644
+--- a/drivers/pci/controller/pci-aardvark.c
++++ b/drivers/pci/controller/pci-aardvark.c
+@@ -952,6 +952,7 @@ static int advk_pcie_probe(struct platform_device *pdev)
+
+ bus = bridge->bus;
+
++ pci_bus_size_bridges(bus);
+ pci_bus_assign_resources(bus);
+
+ list_for_each_entry(child, &bus->children, node)
+diff --git a/drivers/pci/hotplug/pci_hotplug_core.c b/drivers/pci/hotplug/pci_hotplug_core.c
+index af92fed46ab7..fd93783a87b0 100644
+--- a/drivers/pci/hotplug/pci_hotplug_core.c
++++ b/drivers/pci/hotplug/pci_hotplug_core.c
+@@ -438,8 +438,17 @@ int __pci_hp_register(struct hotplug_slot *slot, struct pci_bus *bus,
+ list_add(&slot->slot_list, &pci_hotplug_slot_list);
+
+ result = fs_add_slot(pci_slot);
++ if (result)
++ goto err_list_del;
++
+ kobject_uevent(&pci_slot->kobj, KOBJ_ADD);
+ dbg("Added slot %s to the list\n", name);
++ goto out;
++
++err_list_del:
++ list_del(&slot->slot_list);
++ pci_slot->hotplug = NULL;
++ pci_destroy_slot(pci_slot);
+ out:
+ mutex_unlock(&pci_hp_mutex);
+ return result;
+diff --git a/drivers/pci/hotplug/pciehp.h b/drivers/pci/hotplug/pciehp.h
+index 5f892065585e..fca87a1a2b22 100644
+--- a/drivers/pci/hotplug/pciehp.h
++++ b/drivers/pci/hotplug/pciehp.h
+@@ -119,6 +119,7 @@ int pciehp_unconfigure_device(struct slot *p_slot);
+ void pciehp_queue_pushbutton_work(struct work_struct *work);
+ struct controller *pcie_init(struct pcie_device *dev);
+ int pcie_init_notification(struct controller *ctrl);
++void pcie_shutdown_notification(struct controller *ctrl);
+ int pciehp_enable_slot(struct slot *p_slot);
+ int pciehp_disable_slot(struct slot *p_slot);
+ void pcie_reenable_notification(struct controller *ctrl);
+diff --git a/drivers/pci/hotplug/pciehp_core.c b/drivers/pci/hotplug/pciehp_core.c
+index 44a6a63802d5..2ba59fc94827 100644
+--- a/drivers/pci/hotplug/pciehp_core.c
++++ b/drivers/pci/hotplug/pciehp_core.c
+@@ -62,6 +62,12 @@ static int reset_slot(struct hotplug_slot *slot, int probe);
+ */
+ static void release_slot(struct hotplug_slot *hotplug_slot)
+ {
++ struct slot *slot = hotplug_slot->private;
++
++ /* queued work needs hotplug_slot name */
++ cancel_delayed_work(&slot->work);
++ drain_workqueue(slot->wq);
++
+ kfree(hotplug_slot->ops);
+ kfree(hotplug_slot->info);
+ kfree(hotplug_slot);
+@@ -264,6 +270,7 @@ static void pciehp_remove(struct pcie_device *dev)
+ {
+ struct controller *ctrl = get_service_data(dev);
+
++ pcie_shutdown_notification(ctrl);
+ cleanup_slot(ctrl);
+ pciehp_release_ctrl(ctrl);
+ }
+diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c
+index 718b6073afad..aff191b4552c 100644
+--- a/drivers/pci/hotplug/pciehp_hpc.c
++++ b/drivers/pci/hotplug/pciehp_hpc.c
+@@ -539,8 +539,6 @@ static irqreturn_t pciehp_isr(int irq, void *dev_id)
+ {
+ struct controller *ctrl = (struct controller *)dev_id;
+ struct pci_dev *pdev = ctrl_dev(ctrl);
+- struct pci_bus *subordinate = pdev->subordinate;
+- struct pci_dev *dev;
+ struct slot *slot = ctrl->slot;
+ u16 status, events;
+ u8 present;
+@@ -588,14 +586,9 @@ static irqreturn_t pciehp_isr(int irq, void *dev_id)
+ wake_up(&ctrl->queue);
+ }
+
+- if (subordinate) {
+- list_for_each_entry(dev, &subordinate->devices, bus_list) {
+- if (dev->ignore_hotplug) {
+- ctrl_dbg(ctrl, "ignoring hotplug event %#06x (%s requested no hotplug)\n",
+- events, pci_name(dev));
+- return IRQ_HANDLED;
+- }
+- }
++ if (pdev->ignore_hotplug) {
++ ctrl_dbg(ctrl, "ignoring hotplug event %#06x\n", events);
++ return IRQ_HANDLED;
+ }
+
+ /* Check Attention Button Pressed */
+@@ -765,7 +758,7 @@ int pcie_init_notification(struct controller *ctrl)
+ return 0;
+ }
+
+-static void pcie_shutdown_notification(struct controller *ctrl)
++void pcie_shutdown_notification(struct controller *ctrl)
+ {
+ if (ctrl->notification_enabled) {
+ pcie_disable_notification(ctrl);
+@@ -800,7 +793,7 @@ abort:
+ static void pcie_cleanup_slot(struct controller *ctrl)
+ {
+ struct slot *slot = ctrl->slot;
+- cancel_delayed_work(&slot->work);
++
+ destroy_workqueue(slot->wq);
+ kfree(slot);
+ }
+@@ -893,7 +886,6 @@ abort:
+
+ void pciehp_release_ctrl(struct controller *ctrl)
+ {
+- pcie_shutdown_notification(ctrl);
+ pcie_cleanup_slot(ctrl);
+ kfree(ctrl);
+ }
+diff --git a/drivers/pci/pci-acpi.c b/drivers/pci/pci-acpi.c
+index 89ee6a2b6eb8..5d1698265da5 100644
+--- a/drivers/pci/pci-acpi.c
++++ b/drivers/pci/pci-acpi.c
+@@ -632,13 +632,11 @@ static bool acpi_pci_need_resume(struct pci_dev *dev)
+ /*
+ * In some cases (eg. Samsung 305V4A) leaving a bridge in suspend over
+ * system-wide suspend/resume confuses the platform firmware, so avoid
+- * doing that, unless the bridge has a driver that should take care of
+- * the PM handling. According to Section 16.1.6 of ACPI 6.2, endpoint
++ * doing that. According to Section 16.1.6 of ACPI 6.2, endpoint
+ * devices are expected to be in D3 before invoking the S3 entry path
+ * from the firmware, so they should not be affected by this issue.
+ */
+- if (pci_is_bridge(dev) && !dev->driver &&
+- acpi_target_system_state() != ACPI_STATE_S0)
++ if (pci_is_bridge(dev) && acpi_target_system_state() != ACPI_STATE_S0)
+ return true;
+
+ if (!adev || !acpi_device_power_manageable(adev))
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 316496e99da9..0abe2865a3a5 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -1171,6 +1171,33 @@ static void pci_restore_config_space(struct pci_dev *pdev)
+ }
+ }
+
++static void pci_restore_rebar_state(struct pci_dev *pdev)
++{
++ unsigned int pos, nbars, i;
++ u32 ctrl;
++
++ pos = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_REBAR);
++ if (!pos)
++ return;
++
++ pci_read_config_dword(pdev, pos + PCI_REBAR_CTRL, &ctrl);
++ nbars = (ctrl & PCI_REBAR_CTRL_NBAR_MASK) >>
++ PCI_REBAR_CTRL_NBAR_SHIFT;
++
++ for (i = 0; i < nbars; i++, pos += 8) {
++ struct resource *res;
++ int bar_idx, size;
++
++ pci_read_config_dword(pdev, pos + PCI_REBAR_CTRL, &ctrl);
++ bar_idx = ctrl & PCI_REBAR_CTRL_BAR_IDX;
++ res = pdev->resource + bar_idx;
++ size = order_base_2((resource_size(res) >> 20) | 1) - 1;
++ ctrl &= ~PCI_REBAR_CTRL_BAR_SIZE;
++ ctrl |= size << 8;
++ pci_write_config_dword(pdev, pos + PCI_REBAR_CTRL, ctrl);
++ }
++}
++
+ /**
+ * pci_restore_state - Restore the saved state of a PCI device
+ * @dev: - PCI device that we're dealing with
+@@ -1186,6 +1213,7 @@ void pci_restore_state(struct pci_dev *dev)
+ pci_restore_pri_state(dev);
+ pci_restore_ats_state(dev);
+ pci_restore_vc_state(dev);
++ pci_restore_rebar_state(dev);
+
+ pci_cleanup_aer_error_status_regs(dev);
+
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index 611adcd9c169..b2857865c0aa 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1730,6 +1730,10 @@ static void pci_configure_mps(struct pci_dev *dev)
+ if (!pci_is_pcie(dev) || !bridge || !pci_is_pcie(bridge))
+ return;
+
++ /* MPS and MRRS fields are of type 'RsvdP' for VFs, short-circuit out */
++ if (dev->is_virtfn)
++ return;
++
+ mps = pcie_get_mps(dev);
+ p_mps = pcie_get_mps(bridge);
+
+diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
+index b0e2c4847a5d..678406e0948b 100644
+--- a/drivers/tty/pty.c
++++ b/drivers/tty/pty.c
+@@ -625,7 +625,7 @@ int ptm_open_peer(struct file *master, struct tty_struct *tty, int flags)
+ if (tty->driver != ptm_driver)
+ return -EIO;
+
+- fd = get_unused_fd_flags(0);
++ fd = get_unused_fd_flags(flags);
+ if (fd < 0) {
+ retval = fd;
+ goto err;
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index f7ab34088162..8b24d3d42cb3 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -14,6 +14,7 @@
+ #include <linux/log2.h>
+ #include <linux/module.h>
+ #include <linux/slab.h>
++#include <linux/nospec.h>
+ #include <linux/backing-dev.h>
+ #include <trace/events/ext4.h>
+
+@@ -2140,7 +2141,8 @@ ext4_mb_regular_allocator(struct ext4_allocation_context *ac)
+ * This should tell if fe_len is exactly power of 2
+ */
+ if ((ac->ac_g_ex.fe_len & (~(1 << (i - 1)))) == 0)
+- ac->ac_2order = i - 1;
++ ac->ac_2order = array_index_nospec(i - 1,
++ sb->s_blocksize_bits + 2);
+ }
+
+ /* if stream allocation is enabled, use global goal */
+diff --git a/fs/reiserfs/xattr.c b/fs/reiserfs/xattr.c
+index ff94fad477e4..48cdfc81fe10 100644
+--- a/fs/reiserfs/xattr.c
++++ b/fs/reiserfs/xattr.c
+@@ -792,8 +792,10 @@ static int listxattr_filler(struct dir_context *ctx, const char *name,
+ return 0;
+ size = namelen + 1;
+ if (b->buf) {
+- if (size > b->size)
++ if (b->pos + size > b->size) {
++ b->pos = -ERANGE;
+ return -ERANGE;
++ }
+ memcpy(b->buf + b->pos, name, namelen);
+ b->buf[b->pos + namelen] = 0;
+ }
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index a790ef4be74e..3222193c46c6 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -6939,9 +6939,21 @@ unsigned long free_reserved_area(void *start, void *end, int poison, char *s)
+ start = (void *)PAGE_ALIGN((unsigned long)start);
+ end = (void *)((unsigned long)end & PAGE_MASK);
+ for (pos = start; pos < end; pos += PAGE_SIZE, pages++) {
++ struct page *page = virt_to_page(pos);
++ void *direct_map_addr;
++
++ /*
++ * 'direct_map_addr' might be different from 'pos'
++ * because some architectures' virt_to_page()
++ * work with aliases. Getting the direct map
++ * address ensures that we get a _writeable_
++ * alias for the memset().
++ */
++ direct_map_addr = page_address(page);
+ if ((unsigned int)poison <= 0xFF)
+- memset(pos, poison, PAGE_SIZE);
+- free_reserved_page(virt_to_page(pos));
++ memset(direct_map_addr, poison, PAGE_SIZE);
++
++ free_reserved_page(page);
+ }
+
+ if (pages && s)