Merge 4.19.35 into android-4.19-q

Changes in 4.19.35
	kvm: nVMX: NMI-window and interrupt-window exiting should wake L2 from HLT
	drm/i915/gvt: do not let pin count of shadow mm go negative
	powerpc/tm: Limit TM code inside PPC_TRANSACTIONAL_MEM
	hv_netvsc: Fix unwanted wakeup after tx_disable
	ibmvnic: Fix completion structure initialization
	ip6_tunnel: Match to ARPHRD_TUNNEL6 for dev type
	ipv6: Fix dangling pointer when ipv6 fragment
	ipv6: sit: reset ip header pointer in ipip6_rcv
	kcm: switch order of device registration to fix a crash
	net: ethtool: not call vzalloc for zero sized memory request
	net-gro: Fix GRO flush when receiving a GSO packet.
	net/mlx5: Decrease default mr cache size
	netns: provide pure entropy for net_hash_mix()
	net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock().
	net/sched: act_sample: fix divide by zero in the traffic path
	net/sched: fix ->get helper of the matchall cls
	openvswitch: fix flow actions reallocation
	qmi_wwan: add Olicard 600
	r8169: disable ASPM again
	sctp: initialize _pad of sockaddr_in before copying to user memory
	tcp: Ensure DCTCP reacts to losses
	tcp: fix a potential NULL pointer dereference in tcp_sk_exit
	vrf: check accept_source_route on the original netdevice
	net/mlx5e: Fix error handling when refreshing TIRs
	net/mlx5e: Add a lock on tir list
	nfp: validate the return code from dev_queue_xmit()
	nfp: disable netpoll on representors
	bnxt_en: Improve RX consumer index validity check.
	bnxt_en: Reset device on RX buffer errors.
	net: ip_gre: fix possible use-after-free in erspan_rcv
	net: ip6_gre: fix possible use-after-free in ip6erspan_rcv
	net: core: netif_receive_skb_list: unlist skb before passing to pt->func
	r8169: disable default rx interrupt coalescing on RTL8168
	net: mlx5: Add a missing check on idr_find, free buf
	net/mlx5e: Update xoff formula
	net/mlx5e: Update xon formula
	kbuild: deb-pkg: fix bindeb-pkg breakage when O= is used
	kbuild: clang: choose GCC_TOOLCHAIN_DIR not on LD
	x86/vdso: Drop implicit common-page-size linker flag
	lib/string.c: implement a basic bcmp
	Revert "clk: meson: clean-up clock registration"
	netfilter: nfnetlink_cttimeout: pass default timeout policy to obj_to_nlattr
	netfilter: nfnetlink_cttimeout: fetch timeouts for udplite and gre, too
	arm64: kaslr: Reserve size of ARM64_MEMSTART_ALIGN in linear region
	tty: mark Siemens R3964 line discipline as BROKEN
	tty: ldisc: add sysctl to prevent autoloading of ldiscs
	hwmon: (w83773g) Select REGMAP_I2C to fix build error
	ACPICA: Clear status of GPEs before enabling them
	ACPICA: Namespace: remove address node from global list after method termination
	ALSA: seq: Fix OOB-reads from strlcpy
	ALSA: hda/realtek: Enable headset MIC of Acer TravelMate B114-21 with ALC233
	ALSA: hda/realtek - Add quirk for Tuxedo XC 1509
	ALSA: hda - Add two more machines to the power_save_blacklist
	mm/huge_memory.c: fix modifying of page protection by insert_pfn_pmd()
	arm64: dts: rockchip: fix rk3328 sdmmc0 write errors
	parisc: Detect QEMU earlier in boot process
	parisc: regs_return_value() should return gpr28
	parisc: also set iaoq_b in instruction_pointer_set()
	alarmtimer: Return correct remaining time
	drm/i915/gvt: do not deliver a workload if its creation fails
	drm/udl: add a release method and delay modeset teardown
	kvm: svm: fix potential get_num_contig_pages overflow
	include/linux/bitrev.h: fix constant bitrev
	mm: writeback: use exact memcg dirty counts
	ASoC: intel: Fix crash at suspend/resume after failed codec registration
	ASoC: fsl_esai: fix channel swap issue when stream starts
	Btrfs: do not allow trimming when a fs is mounted with the nologreplay option
	btrfs: prop: fix zstd compression parameter validation
	btrfs: prop: fix vanished compression property after failed set
	riscv: Fix syscall_get_arguments() and syscall_set_arguments()
	block: do not leak memory in bio_copy_user_iov()
	block: fix the return errno for direct IO
	genirq: Respect IRQCHIP_SKIP_SET_WAKE in irq_chip_set_wake_parent()
	genirq: Initialize request_mutex if CONFIG_SPARSE_IRQ=n
	virtio: Honour 'may_reduce_num' in vring_create_virtqueue
	ARM: dts: rockchip: fix rk3288 cpu opp node reference
	ARM: dts: am335x-evmsk: Correct the regulators for the audio codec
	ARM: dts: am335x-evm: Correct the regulators for the audio codec
	ARM: dts: at91: Fix typo in ISC_D0 on PC9
	arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value
	arm64: dts: rockchip: fix rk3328 rgmii high tx error rate
	arm64: backtrace: Don't bother trying to unwind the userspace stack
	xen: Prevent buffer overflow in privcmd ioctl
	sched/fair: Do not re-read ->h_load_next during hierarchical load calculation
	xtensa: fix return_address
	x86/asm: Remove dead __GNUC__ conditionals
	x86/asm: Use stricter assembly constraints in bitops
	x86/perf/amd: Resolve race condition when disabling PMC
	x86/perf/amd: Resolve NMI latency issues for active PMCs
	x86/perf/amd: Remove need to check "running" bit in NMI handler
	PCI: Add function 1 DMA alias quirk for Marvell 9170 SATA controller
	PCI: pciehp: Ignore Link State Changes after powering off a slot
	dm integrity: change memcmp to strncmp in dm_integrity_ctr
	dm: revert 8f50e35815 ("dm: limit the max bio size as BIO_MAX_PAGES * PAGE_SIZE")
	dm table: propagate BDI_CAP_STABLE_WRITES to fix sporadic checksum errors
	dm integrity: fix deadlock with overlapping I/O
	arm64: dts: rockchip: fix vcc_host1_5v pin assign on rk3328-rock64
	arm64: dts: rockchip: Fix vcc_host1_5v GPIO polarity on rk3328-rock64
	ACPICA: AML interpreter: add region addresses in global list during initialization
	KVM: x86: nVMX: close leak of L0's x2APIC MSRs (CVE-2019-3887)
	KVM: x86: nVMX: fix x2APIC VTPR read intercept
	Linux 4.19.35

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

mm/huge_memory.c

@@ -734,6 +734,21 @@ static void insert_pfn_pmd(struct vm_area_struct *vma, unsigned long addr,
 	spinlock_t *ptl;
 
 	ptl = pmd_lock(mm, pmd);
+	if (!pmd_none(*pmd)) {
+		if (write) {
+			if (pmd_pfn(*pmd) != pfn_t_to_pfn(pfn)) {
+				WARN_ON_ONCE(!is_huge_zero_pmd(*pmd));
+				goto out_unlock;
+			}
+			entry = pmd_mkyoung(*pmd);
+			entry = maybe_pmd_mkwrite(pmd_mkdirty(entry), vma);
+			if (pmdp_set_access_flags(vma, addr, pmd, entry, 1))
+				update_mmu_cache_pmd(vma, addr, pmd);
+		}
+
+		goto out_unlock;
+	}
+
 	entry = pmd_mkhuge(pfn_t_pmd(pfn, prot));
 	if (pfn_t_devmap(pfn))
 		entry = pmd_mkdevmap(entry);
@@ -745,11 +760,16 @@ static void insert_pfn_pmd(struct vm_area_struct *vma, unsigned long addr,
 	if (pgtable) {
 		pgtable_trans_huge_deposit(mm, pmd, pgtable);
 		mm_inc_nr_ptes(mm);
+		pgtable = NULL;
 	}
 
 	set_pmd_at(mm, addr, pmd, entry);
 	update_mmu_cache_pmd(vma, addr, pmd);
+
+out_unlock:
 	spin_unlock(ptl);
+	if (pgtable)
+		pte_free(mm, pgtable);
 }
 
 vm_fault_t vmf_insert_pfn_pmd(struct vm_area_struct *vma, unsigned long addr,
@@ -800,6 +820,20 @@ static void insert_pfn_pud(struct vm_area_struct *vma, unsigned long addr,
 	spinlock_t *ptl;
 
 	ptl = pud_lock(mm, pud);
+	if (!pud_none(*pud)) {
+		if (write) {
+			if (pud_pfn(*pud) != pfn_t_to_pfn(pfn)) {
+				WARN_ON_ONCE(!is_huge_zero_pud(*pud));
+				goto out_unlock;
+			}
+			entry = pud_mkyoung(*pud);
+			entry = maybe_pud_mkwrite(pud_mkdirty(entry), vma);
+			if (pudp_set_access_flags(vma, addr, pud, entry, 1))
+				update_mmu_cache_pud(vma, addr, pud);
+		}
+		goto out_unlock;
+	}
+
 	entry = pud_mkhuge(pfn_t_pud(pfn, prot));
 	if (pfn_t_devmap(pfn))
 		entry = pud_mkdevmap(entry);
@@ -809,6 +843,8 @@ static void insert_pfn_pud(struct vm_area_struct *vma, unsigned long addr,
 	}
 	set_pud_at(mm, addr, pud, entry);
 	update_mmu_cache_pud(vma, addr, pud);
+
+out_unlock:
 	spin_unlock(ptl);
 }