Recent optimizations in MMU code broke nested SVM with NPT in L1
completely: when we do nested_svm_{,un}init_mmu_context() we want
to switch from TDP MMU to shadow MMU, both init_kvm_tdp_mmu() and
kvm_init_shadow_mmu() check if re-configuration is needed by looking
at cache source data. The data, however, doesn't change - it's only
the type of the MMU which changes. We end up not re-initializing
guest MMU as shadow and everything goes off the rails.

The issue could have been fixed by putting MMU type into extended MMU
role but this is not really needed. We can just split root and guest MMUs
the exact same way we did for nVMX, their types never change in the
lifetime of a vCPU.

There is still room for improvement: currently, we reset all MMU roots
when switching from L1 to L2 and back and this is not needed.

Fixes: 7dcd5755 ("x86/kvm/mmu: check if tdp/shadow MMU reconfiguration is needed")
Signed-off-by: NVitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Some guests OSes (including Windows 10) write to MSR 0xc001102c
on some cases (possibly while trying to apply a CPU errata).
Make KVM ignore reads and writes to that MSR, so the guest won't
crash.

The MSR is documented as "Execution Unit Configuration (EX_CFG)",
at AMD's "BIOS and Kernel Developer's Guide (BKDG) for AMD Family
15h Models 00h-0Fh Processors".

Cc: stable@vger.kernel.org
Signed-off-by: NEduardo Habkost <ehabkost@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Reported by syzkaller:

    CPU: 1 PID: 5962 Comm: syz-executor118 Not tainted 4.20.0-rc6+ #374
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    RIP: 0010:kvm_apic_hw_enabled arch/x86/kvm/lapic.h:169 [inline]
    RIP: 0010:vcpu_scan_ioapic arch/x86/kvm/x86.c:7449 [inline]
    RIP: 0010:vcpu_enter_guest arch/x86/kvm/x86.c:7602 [inline]
    RIP: 0010:vcpu_run arch/x86/kvm/x86.c:7874 [inline]
    RIP: 0010:kvm_arch_vcpu_ioctl_run+0x5296/0x7320 arch/x86/kvm/x86.c:8074
    Call Trace:
	 kvm_vcpu_ioctl+0x5c8/0x1150 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2596
	 vfs_ioctl fs/ioctl.c:46 [inline]
	 file_ioctl fs/ioctl.c:509 [inline]
	 do_vfs_ioctl+0x1de/0x1790 fs/ioctl.c:696
	 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:713
	 __do_sys_ioctl fs/ioctl.c:720 [inline]
	 __se_sys_ioctl fs/ioctl.c:718 [inline]
	 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
	 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
	 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT14 msr
and triggers scan ioapic logic to load synic vectors into EOI exit bitmap.
However, irqchip is not initialized by this simple testcase, ioapic/apic
objects should not be accessed.

This patch fixes it by also considering whether or not apic is present.

Reported-by: syzbot+39810e6c400efadfef71@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: NWanpeng Li <wanpengli@tencent.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

nested_get_vmcs12_pages() processes the posted_intr address in vmcs12. It
caches the kmap()ed page object and pointer, however, it doesn't handle
errors correctly: it's possible to cache a valid pointer, then release
the page and later dereference the dangling pointer.

I was able to reproduce with the following steps:

1. Call vmlaunch with valid posted_intr_desc_addr but an invalid
MSR_EFER. This causes nested_get_vmcs12_pages() to cache the kmap()ed
pi_desc_page and pi_desc. Later the invalid EFER value fails
check_vmentry_postreqs() which fails the first vmlaunch.

2. Call vmlanuch with a valid EFER but an invalid posted_intr_desc_addr
(I set it to 2G - 0x80). The second time we call nested_get_vmcs12_pages
pi_desc_page is unmapped and released and pi_desc_page is set to NULL
(the "shouldn't happen" clause). Due to the invalid
posted_intr_desc_addr, kvm_vcpu_gpa_to_page() fails and
nested_get_vmcs12_pages() returns. It doesn't return an error value so
vmlaunch proceeds. Note that at this time we have a dangling pointer in
vmx->nested.pi_desc and POSTED_INTR_DESC_ADDR in L0's vmcs.

3. Issue an IPI in L2 guest code. This triggers a call to
vmx_complete_nested_posted_interrupt() and pi_test_and_clear_on() which
dereferences the dangling pointer.

Vulnerable code requires nested and enable_apicv variables to be set to
true. The host CPU must also support posted interrupts.

Fixes: 5e2f30b7 "KVM: nVMX: get rid of nested_get_page()"
Cc: stable@vger.kernel.org
Reviewed-by: NAndy Honig <ahonig@google.com>
Signed-off-by: NCfir Cohen <cfir@google.com>
Reviewed-by: NLiran Alon <liran.alon@oracle.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

If you register a kvm_coalesced_mmio_zone with '.pio = 0' but then
unregister it with '.pio = 1', KVM_UNREGISTER_COALESCED_MMIO will try to
unregister it from KVM_PIO_BUS rather than KVM_MMIO_BUS, which is a
no-op.  But it frees the kvm_coalesced_mmio_dev anyway, causing a
use-after-free.

Fix it by only unregistering and freeing the zone if the correct value
of 'pio' is provided.

Reported-by: syzbot+f87f60bb6f13f39b54e3@syzkaller.appspotmail.com
Fixes: 0804c849 ("kvm/x86 : add coalesced pio support")
Signed-off-by: NEric Biggers <ebiggers@google.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Merge misc fixes from Andrew Morton:
 "11 fixes"

* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
  scripts/spdxcheck.py: always open files in binary mode
  checkstack.pl: fix for aarch64
  userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered
  fs/iomap.c: get/put the page in iomap_page_create/release()
  hugetlbfs: call VM_BUG_ON_PAGE earlier in free_huge_page()
  memblock: annotate memblock_is_reserved() with __init_memblock
  psi: fix reference to kernel commandline enable
  arch/sh/include/asm/io.h: provide prototypes for PCI I/O mapping in asm/io.h
  mm/sparse: add common helper to mark all memblocks present
  mm: introduce common STRUCT_PAGE_MAX_SHIFT define
  alpha: fix hang caused by the bootmem removal

The spdxcheck script currently falls over when confronted with a binary
file (such as Documentation/logo.gif).  To avoid that, always open files
in binary mode and decode line-by-line, ignoring encoding errors.

One tricky case is when piping data into the script and reading it from
standard input.  By default, standard input will be opened in text mode,
so we need to reopen it in binary mode.

The breakage only happens with python3 and results in a
UnicodeDecodeError (according to Uwe).

Link: http://lkml.kernel.org/r/20181212131210.28024-1-thierry.reding@gmail.com
Fixes: 6f4d29df ("scripts/spdxcheck.py: make python3 compliant")
Signed-off-by: NThierry Reding <treding@nvidia.com>
Reviewed-by: NJeremy Cline <jcline@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Joe Perches <joe@perches.com>
Cc: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

There is actually a space after "sp," like this,

    ffff2000080813c8:       a9bb7bfd        stp     x29, x30, [sp, #-80]!

Right now, checkstack.pl isn't able to print anything on aarch64,
because it won't be able to match the stating objdump line of a function
due to this missing space.  Hence, it displays every stack as zero-size.

After this patch, checkpatch.pl is able to match the start of a
function's objdump, and is then able to calculate each function's stack
correctly.

Link: http://lkml.kernel.org/r/20181207195843.38528-1-cai@lca.pwSigned-off-by: NQian Cai <cai@lca.pw>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Calling UFFDIO_UNREGISTER on virtual ranges not yet registered in uffd
could trigger an harmless false positive WARN_ON.  Check the vma is
already registered before checking VM_MAYWRITE to shut off the false
positive warning.

Link: http://lkml.kernel.org/r/20181206212028.18726-2-aarcange@redhat.com
Cc: <stable@vger.kernel.org>
Fixes: 29ec9066 ("userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas")
Signed-off-by: NAndrea Arcangeli <aarcange@redhat.com>
Reported-by: syzbot+06c7092e7d71218a2c16@syzkaller.appspotmail.com
Acked-by: NMike Rapoport <rppt@linux.ibm.com>
Acked-by: NHugh Dickins <hughd@google.com>
Acked-by: NPeter Xu <peterx@redhat.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

migrate_page_move_mapping() expects pages with private data set to have
a page_count elevated by 1.  This is what used to happen for xfs through
the buffer_heads code before the switch to iomap in commit 82cb1417
("xfs: add support for sub-pagesize writeback without buffer_heads").
Not having the count elevated causes move_pages() to fail on memory
mapped files coming from xfs.

Make iomap compatible with the migrate_page_move_mapping() assumption by
elevating the page count as part of iomap_page_create() and lowering it
in iomap_page_release().

It causes the move_pages() syscall to misbehave on memory mapped files
from xfs.  It does not not move any pages, which I suppose is "just" a
perf issue, but it also ends up returning a positive number which is out
of spec for the syscall.  Talking to Michal Hocko, it sounds like
returning positive numbers might be a necessary update to move_pages()
anyway though
(https://lkml.kernel.org/r/20181116114955.GJ14706@dhcp22.suse.cz).

I only hit this in tests that verify that move_pages() actually moved
the pages.  The test also got confused by the positive return from
move_pages() (it got treated as a success as positive numbers were not
expected and not handled) making it a bit harder to track down what's
going on.

Link: http://lkml.kernel.org/r/20181115184140.1388751-1-pjaroszynski@nvidia.com
Fixes: 82cb1417 ("xfs: add support for sub-pagesize writeback without buffer_heads")
Signed-off-by: NPiotr Jaroszynski <pjaroszynski@nvidia.com>
Reviewed-by: NChristoph Hellwig <hch@lst.de>
Cc: William Kucharski <william.kucharski@oracle.com>
Cc: Darrick J. Wong <darrick.wong@oracle.com>
Cc: Brian Foster <bfoster@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

A stack trace was triggered by VM_BUG_ON_PAGE(page_mapcount(page), page)
in free_huge_page().  Unfortunately, the page->mapping field was set to
NULL before this test.  This made it more difficult to determine the
root cause of the problem.

Move the VM_BUG_ON_PAGE tests earlier in the function so that if they do
trigger more information is present in the page struct.

Link: http://lkml.kernel.org/r/1543491843-23438-1-git-send-email-nic_w@163.comSigned-off-by: Yongkai Wu <nic_w@163.com>
Acked-by: NMichal Hocko <mhocko@suse.com>
Acked-by: NMike Kravetz <mike.kravetz@oracle.com>
Reviewed-by: NWilliam Kucharski <william.kucharski@oracle.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Found warning:

  WARNING: EXPORT symbol "gsi_write_channel_scratch" [vmlinux] version generation failed, symbol will not be versioned.
  WARNING: vmlinux.o(.text+0x1e0a0): Section mismatch in reference from the function valid_phys_addr_range() to the function .init.text:memblock_is_reserved()
  The function valid_phys_addr_range() references
  the function __init memblock_is_reserved().
  This is often because valid_phys_addr_range lacks a __init
  annotation or the annotation of memblock_is_reserved is wrong.

Use __init_memblock instead of __init.

Link: http://lkml.kernel.org/r/BLUPR13MB02893411BF12EACB61888E80DFAE0@BLUPR13MB0289.namprd13.prod.outlook.comSigned-off-by: NYueyi Li <liyueyi@live.com>
Acked-by: NMichal Hocko <mhocko@suse.com>
Reviewed-by: NDavid Hildenbrand <david@redhat.com>
Acked-by: NMike Rapoport <rppt@linux.ibm.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

The kernel commandline parameter named in CONFIG_PSI_DEFAULT_DISABLED
help text contradicts the documentation in kernel-parameters.txt, and
the code.  Fix that.

Link: http://lkml.kernel.org/r/20181203213416.GA12627@cmpxchg.org
Fixes: e0c27447 ("psi: make disabling/enabling easier for vendor kernels")
Signed-off-by: NBaruch Siach <baruch@tkos.co.il>
Acked-by: NJohannes Weiner <hannes@cmpxchg.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Most architectures provide prototypes for the PCI I/O mapping operations
when asm/io.h is included but SH doesn't currently do that, leading to
for example warnings in sound/pci/hda/patch_ca0132.c when pci_iomap() is
used on current -next.  Make SH more consistent with other architectures
by including asm-generic/pci_iomap.h in asm/io.h.

Link: http://lkml.kernel.org/r/20181106175142.27988-1-broonie@kernel.orgSigned-off-by: NMark Brown <broonie@kernel.org>
Reported-by: Nkbuild test robot <lkp@intel.com>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
Cc: Rich Felker <dalias@libc.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Presently the arches arm64, arm and sh have a function which loops
through each memblock and calls memory present.  riscv will require a
similar function.

Introduce a common memblocks_present() function that can be used by all
the arches.  Subsequent patches will cleanup the arches that make use of
this.

Link: http://lkml.kernel.org/r/20181107205433.3875-3-logang@deltatee.comSigned-off-by: NLogan Gunthorpe <logang@deltatee.com>
Acked-by: NAndrew Morton <akpm@linux-foundation.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Oscar Salvador <osalvador@suse.de>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

This define is used by arm64 to calculate the size of the vmemmap
region.  It is defined as the log2 of the upper bound on the size of a
struct page.

We move it into mm_types.h so it can be defined properly instead of set
and checked with a build bug.  This also allows us to use the same
define for riscv.

Link: http://lkml.kernel.org/r/20181107205433.3875-2-logang@deltatee.comSigned-off-by: NLogan Gunthorpe <logang@deltatee.com>
Acked-by: NWill Deacon <will.deacon@arm.com>
Acked-by: NAndrew Morton <akpm@linux-foundation.org>
Acked-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: NCatalin Marinas <catalin.marinas@arm.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

The conversion of alpha to memblock as the early memory manager caused
boot to hang as described at [1].

The issue is caused because for CONFIG_DISCTONTIGMEM=y case,
memblock_add() is called using memory start PFN that had been rounded
down to the nearest 8Mb and it caused memblock to see more memory that
is actually present in the system.

Besides, memblock allocates memory from high addresses while bootmem was
using low memory, which broke the assumption that early allocations are
always accessible by the hardware.

This patch ensures that memblock_add() is using the correct PFN for the
memory start and forces memblock to use bottom-up allocations.

[1] https://lkml.org/lkml/2018/11/22/1032

Link: http://lkml.kernel.org/r/1543233216-25833-1-git-send-email-rppt@linux.ibm.comReported-by: NMeelis Roos <mroos@linux.ee>
Signed-off-by: NMike Rapoport <rppt@linux.ibm.com>
Tested-by: NMeelis Roos <mroos@linux.ee>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Matt Turner <mattst88@gmail.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Pull block fixes from Jens Axboe:
 "Three small fixes for this week. contains:

   - spectre indexing fix for aio (Jeff)

   - fix for the previous zeroing bio fix, we don't need it for user
     mapped pages, and in fact it breaks some applications if we do
     (Keith)

   - allocation failure fix for null_blk with zoned (Shin'ichiro)"

* tag 'for-linus-20181214' of git://git.kernel.dk/linux-block:
  block: Fix null_blk_zoned creation failure with small number of zones
  aio: fix spectre gadget in lookup_ioctx
  block/bio: Do not zero user pages

Pull clk fix from Stephen Boyd:
 "One fix for the qcom QCS404 clk driver that was merged for this
  release.

  It specified the wrong parent for a PLL so a part of the clk tree
  wasn't rooted correctly. This fixes it by using the right name"

* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
  clk: qcom: qcs404: Fix gpll0_out_main parent

Pull arm64 fix from Catalin Marinas:
 "Invalidate the caches before clearing the DMA buffer via the
  non-cacheable alias in the FORCE_CONTIGUOUS case"

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm64: dma-mapping: Fix FORCE_CONTIGUOUS buffer clearing

Pull powerpc fixes from Michael Ellerman:
 "One notable fix for our change to split pt_regs between user/kernel,
  we forgot to update BPF to use the user-visible type which was an ABI
  break for BPF programs.

  A slightly ugly but minimal fix to do_syscall_trace_enter() so that we
  use tracehook_report_syscall_entry() properly. We'll rework the code
  in next to avoid the empty if body.

  Seven commits fixing bugs in the new papr_scm (Storage Class Memory)
  driver. The driver was finally able to be tested on the other
  hypervisor which exposed several bugs. The fixes are all fairly
  minimal at least.

  Fix a crash in our MSI code if an MSI-capable device is plugged into a
  non-MSI capable PHB, only seen on older hardware (MPC8378).

  Fix our legacy serial code to look for "stdout-path" since the device
  trees were updated to use that instead of "linux,stdout-path".

  A change to the COFF zImage code to fix booting old powermacs.

  A couple of minor build fixes.

  Thanks to: Benjamin Herrenschmidt, Daniel Axtens, Dmitry V. Levin,
  Elvira Khabirova, Oliver O'Halloran, Paul Mackerras, Radu Rendec, Rob
  Herring, Sandipan Das"

* tag 'powerpc-4.20-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
  powerpc/ptrace: replace ptrace_report_syscall() with a tracehook call
  powerpc/mm: Fallback to RAM if the altmap is unusable
  powerpc/papr_scm: Use ibm,unit-guid as the iset cookie
  powerpc/papr_scm: Fix DIMM device registration race
  powerpc/papr_scm: Remove endian conversions
  powerpc/papr_scm: Update DT properties
  powerpc/papr_scm: Fix resource end address
  powerpc/papr_scm: Use depend instead of select
  powerpc/bpf: Fix broken uapi for BPF_PROG_TYPE_PERF_EVENT
  powerpc/boot: Fix build failures with -j 1
  powerpc: Look for "stdout-path" when setting up legacy consoles
  powerpc/msi: Fix NULL pointer access in teardown code
  powerpc/mm: Fix linux page tables build with some configs
  powerpc: Fix COFF zImage booting on old powermacs

Pull ceph fix from Ilya Dryomov:
 "Luis discovered a problem with the new copyfrom offload on the server
  side. Disable it for now"

* tag 'ceph-for-4.20-rc7' of https://github.com/ceph/ceph-client:
  ceph: make 'nocopyfrom' a default mount option

Pull pin control fixes from Linus Walleij:
 "Three pin control fixes for the v4.20 series. Just odd drivers, so
  nothing particularly interesting:

   - Set the tile property on Qualcomm SDM60.

   - Fix up enable register calculation for the Meson

   - Fix an IRQ offset on the Sunxi (Allwinner)"

* tag 'pinctrl-v4.20-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
  pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11
  pinctrl: meson: fix pull enable register calculation
  pinctrl: sdm660: Set tile property for pingroups

Pull drm fixes from Dave Airlie:
 "While I hoped things would calm down, the world hasn't joined with me,
  but it's a few things scattered over a wide area. The i915 workarounds
  regression fix is probably the largest, the rest are more usual sized.
  We also get some new AMD PCI IDs.

  There is also a patch in here to MAINTAINERS to added Daniel as an
  official DRM toplevel co-maintainer, he's decided he wants to step up
  and share the glory, and he'll likely process next weeks fixes while
  I'm away on holidays.

  Summary:

  amdgpu:

   - some new PCI IDs

   - fixed firmware image updates

   - power management fixes

   - locking warning fix

  nouveau:

   - framebuffer flushing fix

   - memory leak fix

   - tegra device init regression fix

  vmwgfx:

   - OOM kernel memory fix

   - excess return in function fix

  i915:

   - the biggest fix is a regression fix where workarounds weren't
     getting reapplied after a gpu hang causing further crashing, this
     fixes the workaround application to make it happen again

   - GPU hang fixes for Braswell and some GEN3 GPUs

   - GVT fix for broadwell tiling

  rockchip:

   - revert to fix a regression causing a WARN on shutdown

  mediatek:

   - avoid crash attaching to non-existant bridges"

* tag 'drm-fixes-2018-12-14' of git://anongit.freedesktop.org/drm/drm: (23 commits)
  drm/vmwgfx: Protect from excessive execbuf kernel memory allocations v3
  MAINTAINERS: Daniel for drm co-maintainer
  drm/amdgpu: drop fclk/gfxclk ratio setting
  drm/vmwgfx: remove redundant return ret statement
  drm/i915: Flush GPU relocs harder for gen3
  drm/i915: Allocate a common scratch page
  drm/i915/execlists: Apply a full mb before execution for Braswell
  drm/nouveau/kms: Fix memory leak in nv50_mstm_del()
  drm/nouveau/kms/nv50-: also flush fb writes when rewinding push buffer
  drm/amdgpu: Fix DEBUG_LOCKS_WARN_ON(depth <= 0) in amdgpu_ctx.lock
  Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec"
  drm/nouveau/drm/nouveau: tegra: Call nouveau_drm_device_init()
  drm/amdgpu/powerplay: Apply avfs cks-off voltages on VI
  drm/amdgpu: update SMC firmware image for polaris10 variants
  drm/amdkfd: add new vega20 pci id
  drm/amdkfd: add new vega10 pci ids
  drm/amdgpu: add some additional vega20 pci ids
  drm/amdgpu: add some additional vega10 pci ids
  drm/amdgpu: update smu firmware images for VI variants (v2)
  drm/i915: Introduce per-engine workarounds
  ...

Pull XArray fixes from Matthew Wilcox:
 "Two bugfixes, each with test-suite updates, two improvements to the
  test-suite without associated bugs, and one patch adding a missing
  API"

* tag 'xarray-4.20-rc7' of git://git.infradead.org/users/willy/linux-dax:
  XArray: Fix xa_alloc when id exceeds max
  XArray tests: Check iterating over multiorder entries
  XArray tests: Handle larger indices more elegantly
  XArray: Add xa_cmpxchg_irq and xa_cmpxchg_bh
  radix tree: Don't return retry entries from lookup

Merge tag 'linux-kselftest-4.20-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest

Pull Kselftest fix from Shuah Khan:
 "A single fix for a seccomp test from Kees Cook."

* tag 'linux-kselftest-4.20-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
  selftests/seccomp: Remove SIGSTOP si_pid check

Pull thermal fixes from Eduardo Valentin:
 "Fixes for STM and HISI thermal drivers"

* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal:
  thermal: stm32: Fix stm_thermal_read_factory_settings
  thermal: stm32: read factory settings inside stm_thermal_prepare
  thermal/drivers/hisi: Fix number of sensors on hi3660
  thermal/drivers/hisi: Fix wrong platform_get_irq_byname()

One regression fix for avoiding kernel OOM, one cleanup return fix.
Signed-off-by: NDave Airlie <airlied@redhat.com>
From: Thomas Hellstrom <thellstrom@vmware.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20181213122815.10581-1-thellstrom@vmware.com

Specifying a starting ID greater than the maximum ID isn't something
attempted very often, but it should fail.  It was succeeding due to
xas_find_marked() returning the wrong error state, so add tests for
both xa_alloc() and xas_find_marked().

Fixes: b803b428 ("xarray: Add XArray iterators")
Signed-off-by: NMatthew Wilcox <willy@infradead.org>

Pull rdma fixes from Doug Ledford:
 "We have 5 small fixes for this pull request. One is a performance
  regression, so not necessarily strictly a fix, but it was small and
  reasonable and claimed to avoid thrashing in the scheduler, so I took
  it. The remaining are all legitimate fixes that match the "we take
  fixes any time" criteria.

  Summary:

   - One performance regression for hfi1

   - One kasan fix for hfi1

   - A couple mlx5 fixes

   - A core oops fix"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
  IB/core: Fix oops in netdev_next_upper_dev_rcu()
  IB/mlx5: Block DEVX umem from the non applicable cases
  IB/mlx5: Fix implicit ODP interrupted page fault
  IB/hfi1: Fix an out-of-bounds access in get_hw_stats
  IB/hfi1: Fix a latency issue for small messages

Pull mmc fixes from Ulf Hansson:
 "MMC core:
   - Fixup RPMB requests to use mrq->sbc when sending CMD23

  MMC host:
   - omap: Fix broken MMC/SD on OMAP15XX/OMAP5910/OMAP310

   - sdhci-omap: Fix DCRC error handling during tuning

   - sdhci: Fixup the timeout check window for clock and reset"

* tag 'mmc-v4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
  mmc: sdhci: fix the timeout check window for clock and reset
  mmc: sdhci-omap: Fix DCRC error handling during tuning
  MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310
  mmc: core: use mrq->sbc when sending CMD23 for RPMB

Pull sound fixes from Takashi Iwai:
 "Only usual suspects here: a few more fixups for Realtek HD-audio on
  various PCs, including a regression fix in the previous fix for Lenovo
  X1 Carbon, as well as a typo fix in the recent Fireface patch"

* tag 'sound-4.20-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: hda/realtek: Enable audio jacks of ASUS UX433FN/UX333FA with ALC294
  ALSA: hda/realtek: Enable audio jacks of ASUS UX533FD with ALC294
  ALSA: hda/realtek: ALC294 mic and headset-mode fixups for ASUS X542UN
  ALSA: fireface: fix reference to wrong register for clock configuration
  ALSA: hda/realtek - Fix the mute LED regresion on Lenovo X1 Carbon
  ALSA: hda/realtek - Fixed headphone issue for ALC700

With the new validation code, a malicious user-space app could
potentially submit command streams with enough buffer-object and resource
references in them to have the resulting allocated validion nodes and
relocations make the kernel run out of GFP_KERNEL memory.

Protect from this by having the validation code reserve TTM graphics
memory when allocating.
Signed-off-by: NThomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: NDeepak Rawat <drawat@vmware.com>
---
v2: Removed leftover debug printouts

Merge tag 'for-4.20/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm

Pull device mapper fixes from Mike Snitzer:

 - Fix DM cache metadata to verify that a cache has block before trying
   to continue with operation that requires them.

 - Fix bio-based DM core's dm_make_request() to properly impose device
   limits on individual bios by making use of blk_queue_split().

 - Fix long-standing race with how DM thinp notified userspace of
   thin-pool mode state changes before they were actually made.

 - Fix the zoned target's bio completion handling; this is a fairly
   invassive fix at this stage but it is localized to the zoned target.
   Any zoned target users will benefit from this fix.

* tag 'for-4.20/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
  dm thin: bump target version
  dm thin: send event about thin-pool state change _after_ making it
  dm zoned: Fix target BIO completion handling
  dm: call blk_queue_split() to impose device limits on bios
  dm cache metadata: verify cache has blocks in blocks_are_clean_separate_dirty()

Pull media fixes from Mauro Carvalho Chehab:

 - one regression at vsp1 driver

 - some last time changes for the upcoming request API logic and for
   stateless codec support. As the stateless codec "cedrus" driver is at
   staging, don't apply the MPEG controls as part of the main V4L2 API,
   as those may not be ready for production yet.

* tag 'media/v4.20-5' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
  media: Add a Kconfig option for the Request API
  media: extended-controls.rst: add note to the MPEG2 state controls
  media: mpeg2-ctrls.h: move MPEG2 state controls to non-public header
  media: vicodec: set state resolution from raw format
  media: vivid: drop v4l2_ctrl_request_complete() from start_streaming
  media: vb2: don't unbind/put the object when going to state QUEUED
  media: vb2: keep a reference to the request until dqbuf
  media: vb2: skip request checks for VIDIOC_PREPARE_BUF
  media: vb2: don't call __vb2_queue_cancel if vb2_start_streaming failed
  media: cedrus: Fix a NULL vs IS_ERR() check
  media: vsp1: Fix LIF buffer thresholds

Pull overlayfs fixes from Miklos Szeredi:
 "Needed to revert a patch, because it possibly introduces a security
  hole. Since the patch is basically a conceptual cleanup, not a bug
  fix, it's safe to revert. I'm not giving up on this, and discussions
  seemed to have reached an agreement over how to move forward, but that
  can wait 'till the next release.

  The other two patches are fixes for bugs introduced in recent
  releases"

* tag 'ovl-fixes-4.20-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
  Revert "ovl: relax permission checking on underlying layers"
  ovl: fix decode of dir file handle with multi lower layers
  ovl: fix missing override creds in link of a metacopy upper

Pull fuse fixes from Miklos Szeredi:
 "There's one patch fixing a minor but long lived bug, the others are
  fixing regressions introduced in this cycle"

* tag 'fuse-fixes-4.20-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
  fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS
  fuse: Fix memory leak in fuse_dev_free()
  fuse: fix revalidation of attributes for permission check
  fuse: fix fsync on directory
  fuse: Add bad inode check in fuse_destroy_inode()

Pull tracing fixes from Steven Rostedt:
 "While running various ftrace tests on new development code, the
  kmemleak detector found some allocations that were not freed
  correctly.

  This fixes a couple of leaks in the event trigger code as well as in
  adding function trace filters in trace instances"

* tag 'trace-v4.20-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
  tracing: Fix memory leak of instance function hash filters
  tracing: Fix memory leak in set_trigger_filter()
  tracing: Fix memory leak in create_filter()

Merge branch 'mediatek-drm-fixes-4.20' of https://github.com/ckhu-mediatek/linux.git-tags into drm-fixes

Single bridge attachment fix.
Signed-off-by: NDave Airlie <airlied@redhat.com>
From: CK Hu <ck.hu@mediatek.com>
Link: https://patchwork.freedesktop.org/patch/msgid/1544407975.18825.3.camel@mtksdaap41