--- /dev/null
+From 1d87b88ba26eabd4745e158ecfd87c93a9b51dc2 Mon Sep 17 00:00:00 2001
+From: Szymon Janc <szymon.janc@codecoup.pl>
+Date: Wed, 19 Jun 2019 00:47:47 +0200
+Subject: Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug
+
+From: Szymon Janc <szymon.janc@codecoup.pl>
+
+commit 1d87b88ba26eabd4745e158ecfd87c93a9b51dc2 upstream.
+
+Microsoft Surface Precision Mouse provides bogus identity address when
+pairing. It connects with Static Random address but provides Public
+Address in SMP Identity Address Information PDU. Address has same
+value but type is different. Workaround this by dropping IRK if ID
+address discrepancy is detected.
+
+> HCI Event: LE Meta Event (0x3e) plen 19
+ LE Connection Complete (0x01)
+ Status: Success (0x00)
+ Handle: 75
+ Role: Master (0x00)
+ Peer address type: Random (0x01)
+ Peer address: E0:52:33:93:3B:21 (Static)
+ Connection interval: 50.00 msec (0x0028)
+ Connection latency: 0 (0x0000)
+ Supervision timeout: 420 msec (0x002a)
+ Master clock accuracy: 0x00
+
+....
+
+> ACL Data RX: Handle 75 flags 0x02 dlen 12
+ SMP: Identity Address Information (0x09) len 7
+ Address type: Public (0x00)
+ Address: E0:52:33:93:3B:21
+
+Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
+Tested-by: Maarten Fonville <maarten.fonville@gmail.com>
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199461
+Cc: stable@vger.kernel.org
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/smp.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2580,6 +2580,19 @@ static int smp_cmd_ident_addr_info(struc
+ goto distribute;
+ }
+
++ /* Drop IRK if peer is using identity address during pairing but is
++ * providing different address as identity information.
++ *
++ * Microsoft Surface Precision Mouse is known to have this bug.
++ */
++ if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
++ (bacmp(&info->bdaddr, &hcon->dst) ||
++ info->addr_type != hcon->dst_type)) {
++ bt_dev_err(hcon->hdev,
++ "ignoring IRK with invalid identity address");
++ goto distribute;
++ }
++
+ bacpy(&smp->id_addr, &info->bdaddr);
+ smp->id_addr_type = info->addr_type;
+
+++ /dev/null
-From aa53e3bfac7205fb3a8815ac1c937fd6ed01b41e Mon Sep 17 00:00:00 2001
-From: Johannes Thumshirn <jthumshirn@suse.de>
-Date: Thu, 6 Jun 2019 12:07:15 +0200
-Subject: btrfs: correctly validate compression type
-
-From: Johannes Thumshirn <jthumshirn@suse.de>
-
-commit aa53e3bfac7205fb3a8815ac1c937fd6ed01b41e upstream.
-
-Nikolay reported the following KASAN splat when running btrfs/048:
-
-[ 1843.470920] ==================================================================
-[ 1843.471971] BUG: KASAN: slab-out-of-bounds in strncmp+0x66/0xb0
-[ 1843.472775] Read of size 1 at addr ffff888111e369e2 by task btrfs/3979
-
-[ 1843.473904] CPU: 3 PID: 3979 Comm: btrfs Not tainted 5.2.0-rc3-default #536
-[ 1843.475009] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
-[ 1843.476322] Call Trace:
-[ 1843.476674] dump_stack+0x7c/0xbb
-[ 1843.477132] ? strncmp+0x66/0xb0
-[ 1843.477587] print_address_description+0x114/0x320
-[ 1843.478256] ? strncmp+0x66/0xb0
-[ 1843.478740] ? strncmp+0x66/0xb0
-[ 1843.479185] __kasan_report+0x14e/0x192
-[ 1843.479759] ? strncmp+0x66/0xb0
-[ 1843.480209] kasan_report+0xe/0x20
-[ 1843.480679] strncmp+0x66/0xb0
-[ 1843.481105] prop_compression_validate+0x24/0x70
-[ 1843.481798] btrfs_xattr_handler_set_prop+0x65/0x160
-[ 1843.482509] __vfs_setxattr+0x71/0x90
-[ 1843.483012] __vfs_setxattr_noperm+0x84/0x130
-[ 1843.483606] vfs_setxattr+0xac/0xb0
-[ 1843.484085] setxattr+0x18c/0x230
-[ 1843.484546] ? vfs_setxattr+0xb0/0xb0
-[ 1843.485048] ? __mod_node_page_state+0x1f/0xa0
-[ 1843.485672] ? _raw_spin_unlock+0x24/0x40
-[ 1843.486233] ? __handle_mm_fault+0x988/0x1290
-[ 1843.486823] ? lock_acquire+0xb4/0x1e0
-[ 1843.487330] ? lock_acquire+0xb4/0x1e0
-[ 1843.487842] ? mnt_want_write_file+0x3c/0x80
-[ 1843.488442] ? debug_lockdep_rcu_enabled+0x22/0x40
-[ 1843.489089] ? rcu_sync_lockdep_assert+0xe/0x70
-[ 1843.489707] ? __sb_start_write+0x158/0x200
-[ 1843.490278] ? mnt_want_write_file+0x3c/0x80
-[ 1843.490855] ? __mnt_want_write+0x98/0xe0
-[ 1843.491397] __x64_sys_fsetxattr+0xba/0xe0
-[ 1843.492201] ? trace_hardirqs_off_thunk+0x1a/0x1c
-[ 1843.493201] do_syscall_64+0x6c/0x230
-[ 1843.493988] entry_SYSCALL_64_after_hwframe+0x49/0xbe
-[ 1843.495041] RIP: 0033:0x7fa7a8a7707a
-[ 1843.495819] Code: 48 8b 0d 21 de 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 be 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ee dd 2b 00 f7 d8 64 89 01 48
-[ 1843.499203] RSP: 002b:00007ffcb73bca38 EFLAGS: 00000202 ORIG_RAX: 00000000000000be
-[ 1843.500210] RAX: ffffffffffffffda RBX: 00007ffcb73bda9d RCX: 00007fa7a8a7707a
-[ 1843.501170] RDX: 00007ffcb73bda9d RSI: 00000000006dc050 RDI: 0000000000000003
-[ 1843.502152] RBP: 00000000006dc050 R08: 0000000000000000 R09: 0000000000000000
-[ 1843.503109] R10: 0000000000000002 R11: 0000000000000202 R12: 00007ffcb73bda91
-[ 1843.504055] R13: 0000000000000003 R14: 00007ffcb73bda82 R15: ffffffffffffffff
-
-[ 1843.505268] Allocated by task 3979:
-[ 1843.505771] save_stack+0x19/0x80
-[ 1843.506211] __kasan_kmalloc.constprop.5+0xa0/0xd0
-[ 1843.506836] setxattr+0xeb/0x230
-[ 1843.507264] __x64_sys_fsetxattr+0xba/0xe0
-[ 1843.507886] do_syscall_64+0x6c/0x230
-[ 1843.508429] entry_SYSCALL_64_after_hwframe+0x49/0xbe
-
-[ 1843.509558] Freed by task 0:
-[ 1843.510188] (stack is not available)
-
-[ 1843.511309] The buggy address belongs to the object at ffff888111e369e0
- which belongs to the cache kmalloc-8 of size 8
-[ 1843.514095] The buggy address is located 2 bytes inside of
- 8-byte region [ffff888111e369e0, ffff888111e369e8)
-[ 1843.516524] The buggy address belongs to the page:
-[ 1843.517561] page:ffff88813f478d80 refcount:1 mapcount:0 mapping:ffff88811940c300 index:0xffff888111e373b8 compound_mapcount: 0
-[ 1843.519993] flags: 0x4404000010200(slab|head)
-[ 1843.520951] raw: 0004404000010200 ffff88813f48b008 ffff888119403d50 ffff88811940c300
-[ 1843.522616] raw: ffff888111e373b8 000000000016000f 00000001ffffffff 0000000000000000
-[ 1843.524281] page dumped because: kasan: bad access detected
-
-[ 1843.525936] Memory state around the buggy address:
-[ 1843.526975] ffff888111e36880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-[ 1843.528479] ffff888111e36900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-[ 1843.530138] >ffff888111e36980: fc fc fc fc fc fc fc fc fc fc fc fc 02 fc fc fc
-[ 1843.531877] ^
-[ 1843.533287] ffff888111e36a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-[ 1843.534874] ffff888111e36a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-[ 1843.536468] ==================================================================
-
-This is caused by supplying a too short compression value ('lz') in the
-test-case and comparing it to 'lzo' with strncmp() and a length of 3.
-strncmp() read past the 'lz' when looking for the 'o' and thus caused an
-out-of-bounds read.
-
-Introduce a new check 'btrfs_compress_is_valid_type()' which not only
-checks the user-supplied value against known compression types, but also
-employs checks for too short values.
-
-Reported-by: Nikolay Borisov <nborisov@suse.com>
-Fixes: 272e5326c783 ("btrfs: prop: fix vanished compression property after failed set")
-CC: stable@vger.kernel.org # 5.1+
-Reviewed-by: Nikolay Borisov <nborisov@suse.com>
-Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
-Reviewed-by: David Sterba <dsterba@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- fs/btrfs/compression.c | 16 ++++++++++++++++
- fs/btrfs/compression.h | 1 +
- fs/btrfs/props.c | 6 +-----
- 3 files changed, 18 insertions(+), 5 deletions(-)
-
---- a/fs/btrfs/compression.c
-+++ b/fs/btrfs/compression.c
-@@ -42,6 +42,22 @@ const char* btrfs_compress_type2str(enum
- return NULL;
- }
-
-+bool btrfs_compress_is_valid_type(const char *str, size_t len)
-+{
-+ int i;
-+
-+ for (i = 1; i < ARRAY_SIZE(btrfs_compress_types); i++) {
-+ size_t comp_len = strlen(btrfs_compress_types[i]);
-+
-+ if (len < comp_len)
-+ continue;
-+
-+ if (!strncmp(btrfs_compress_types[i], str, comp_len))
-+ return true;
-+ }
-+ return false;
-+}
-+
- static int btrfs_decompress_bio(struct compressed_bio *cb);
-
- static inline int compressed_bio_size(struct btrfs_fs_info *fs_info,
---- a/fs/btrfs/compression.h
-+++ b/fs/btrfs/compression.h
-@@ -127,6 +127,7 @@ extern const struct btrfs_compress_op bt
- extern const struct btrfs_compress_op btrfs_zstd_compress;
-
- const char* btrfs_compress_type2str(enum btrfs_compression_type type);
-+bool btrfs_compress_is_valid_type(const char *str, size_t len);
-
- int btrfs_compress_heuristic(struct inode *inode, u64 start, u64 end);
-
---- a/fs/btrfs/props.c
-+++ b/fs/btrfs/props.c
-@@ -366,11 +366,7 @@ int btrfs_subvol_inherit_props(struct bt
-
- static int prop_compression_validate(const char *value, size_t len)
- {
-- if (!strncmp("lzo", value, 3))
-- return 0;
-- else if (!strncmp("zlib", value, 4))
-- return 0;
-- else if (!strncmp("zstd", value, 4))
-+ if (btrfs_compression_is_valid_type(value, len))
- return 0;
-
- return -EINVAL;
--- /dev/null
+From ed527b13d800dd515a9e6c582f0a73eca65b2e1b Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Fri, 31 May 2019 10:13:06 +0200
+Subject: crypto: caam - limit output IV to CBC to work around CTR mode DMA issue
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+commit ed527b13d800dd515a9e6c582f0a73eca65b2e1b upstream.
+
+The CAAM driver currently violates an undocumented and slightly
+controversial requirement imposed by the crypto stack that a buffer
+referred to by the request structure via its virtual address may not
+be modified while any scatterlists passed via the same request
+structure are mapped for inbound DMA.
+
+This may result in errors like
+
+ alg: aead: decryption failed on test 1 for gcm_base(ctr-aes-caam,ghash-generic): ret=74
+ alg: aead: Failed to load transform for gcm(aes): -2
+
+on non-cache coherent systems, due to the fact that the GCM driver
+passes an IV buffer by virtual address which shares a cacheline with
+the auth_tag buffer passed via a scatterlist, resulting in corruption
+of the auth_tag when the IV is updated while the DMA mapping is live.
+
+Since the IV that is returned to the caller is only valid for CBC mode,
+and given that the in-kernel users of CBC (such as CTS) don't trigger the
+same issue as the GCM driver, let's just disable the output IV generation
+for all modes except CBC for the time being.
+
+Fixes: 854b06f76879 ("crypto: caam - properly set IV after {en,de}crypt")
+Cc: Horia Geanta <horia.geanta@nxp.com>
+Cc: Iuliana Prodan <iuliana.prodan@nxp.com>
+Reported-by: Sascha Hauer <s.hauer@pengutronix.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+[ Horia: backported to 4.14, 4.19 ]
+Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/caamalg.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/crypto/caam/caamalg.c
++++ b/drivers/crypto/caam/caamalg.c
+@@ -887,6 +887,7 @@ static void ablkcipher_encrypt_done(stru
+ struct ablkcipher_request *req = context;
+ struct ablkcipher_edesc *edesc;
+ struct crypto_ablkcipher *ablkcipher = crypto_ablkcipher_reqtfm(req);
++ struct caam_ctx *ctx = crypto_ablkcipher_ctx(ablkcipher);
+ int ivsize = crypto_ablkcipher_ivsize(ablkcipher);
+
+ #ifdef DEBUG
+@@ -911,10 +912,11 @@ static void ablkcipher_encrypt_done(stru
+
+ /*
+ * The crypto API expects us to set the IV (req->info) to the last
+- * ciphertext block. This is used e.g. by the CTS mode.
++ * ciphertext block when running in CBC mode.
+ */
+- scatterwalk_map_and_copy(req->info, req->dst, req->nbytes - ivsize,
+- ivsize, 0);
++ if ((ctx->cdata.algtype & OP_ALG_AAI_MASK) == OP_ALG_AAI_CBC)
++ scatterwalk_map_and_copy(req->info, req->dst, req->nbytes -
++ ivsize, ivsize, 0);
+
+ /* In case initial IV was generated, copy it in GIVCIPHER request */
+ if (edesc->iv_dir == DMA_FROM_DEVICE) {
+@@ -1651,10 +1653,11 @@ static int ablkcipher_decrypt(struct abl
+
+ /*
+ * The crypto API expects us to set the IV (req->info) to the last
+- * ciphertext block.
++ * ciphertext block when running in CBC mode.
+ */
+- scatterwalk_map_and_copy(req->info, req->src, req->nbytes - ivsize,
+- ivsize, 0);
++ if ((ctx->cdata.algtype & OP_ALG_AAI_MASK) == OP_ALG_AAI_CBC)
++ scatterwalk_map_and_copy(req->info, req->src, req->nbytes -
++ ivsize, ivsize, 0);
+
+ /* Create and submit job descriptor*/
+ init_ablkcipher_job(ctx->sh_desc_dec, ctx->sh_desc_dec_dma, edesc, req);
--- /dev/null
+From 0bdf8a8245fdea6f075a5fede833a5fcf1b3466c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Jul 2018 12:35:56 +0300
+Subject: eCryptfs: fix a couple type promotion bugs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 0bdf8a8245fdea6f075a5fede833a5fcf1b3466c upstream.
+
+ECRYPTFS_SIZE_AND_MARKER_BYTES is type size_t, so if "rc" is negative
+that gets type promoted to a high positive value and treated as success.
+
+Fixes: 778aeb42a708 ("eCryptfs: Cleanup and optimize ecryptfs_lookup_interpose()")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+[tyhicks: Use "if/else if" rather than "if/if"]
+Cc: stable@vger.kernel.org
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/crypto.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/fs/ecryptfs/crypto.c
++++ b/fs/ecryptfs/crypto.c
+@@ -1018,8 +1018,10 @@ int ecryptfs_read_and_validate_header_re
+
+ rc = ecryptfs_read_lower(file_size, 0, ECRYPTFS_SIZE_AND_MARKER_BYTES,
+ inode);
+- if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
+- return rc >= 0 ? -EINVAL : rc;
++ if (rc < 0)
++ return rc;
++ else if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
++ return -EINVAL;
+ rc = ecryptfs_validate_marker(marker);
+ if (!rc)
+ ecryptfs_i_size_init(file_size, inode);
+@@ -1381,8 +1383,10 @@ int ecryptfs_read_and_validate_xattr_reg
+ ecryptfs_inode_to_lower(inode),
+ ECRYPTFS_XATTR_NAME, file_size,
+ ECRYPTFS_SIZE_AND_MARKER_BYTES);
+- if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
+- return rc >= 0 ? -EINVAL : rc;
++ if (rc < 0)
++ return rc;
++ else if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
++ return -EINVAL;
+ rc = ecryptfs_validate_marker(marker);
+ if (!rc)
+ ecryptfs_i_size_init(file_size, inode);
--- /dev/null
+From 3d1f62c686acdedf5ed9642b763f3808d6a47d1e Mon Sep 17 00:00:00 2001
+From: Steve Longerbeam <slongerbeam@gmail.com>
+Date: Tue, 21 May 2019 18:03:13 -0700
+Subject: gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM
+
+From: Steve Longerbeam <slongerbeam@gmail.com>
+
+commit 3d1f62c686acdedf5ed9642b763f3808d6a47d1e upstream.
+
+The saturation bit was being set at bit 9 in the second 32-bit word
+of the TPMEM CSC. This isn't correct, the saturation bit is bit 42,
+which is bit 10 of the second word.
+
+Fixes: 1aa8ea0d2bd5d ("gpu: ipu-v3: Add Image Converter unit")
+
+Signed-off-by: Steve Longerbeam <slongerbeam@gmail.com>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/ipu-v3/ipu-ic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/ipu-v3/ipu-ic.c
++++ b/drivers/gpu/ipu-v3/ipu-ic.c
+@@ -257,7 +257,7 @@ static int init_csc(struct ipu_ic *ic,
+ writel(param, base++);
+
+ param = ((a[0] & 0x1fe0) >> 5) | (params->scale << 8) |
+- (params->sat << 9);
++ (params->sat << 10);
+ writel(param, base++);
+
+ param = ((a[1] & 0x1f) << 27) | ((c[0][1] & 0x1ff) << 18) |
--- /dev/null
+From 918b8646497b5dba6ae82d4a7325f01b258972b9 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Fri, 21 Jun 2019 19:19:29 +0300
+Subject: intel_th: msu: Fix single mode with disabled IOMMU
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 918b8646497b5dba6ae82d4a7325f01b258972b9 upstream.
+
+Commit 4e0eaf239fb3 ("intel_th: msu: Fix single mode with IOMMU") switched
+the single mode code to use dma mapping pages obtained from the page
+allocator, but with IOMMU disabled, that may lead to using SWIOTLB bounce
+buffers and without additional sync'ing, produces empty trace buffers.
+
+Fix this by using a DMA32 GFP flag to the page allocation in single mode,
+as the device supports full 32-bit DMA addressing.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: 4e0eaf239fb3 ("intel_th: msu: Fix single mode with IOMMU")
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reported-by: Ammy Yi <ammy.yi@intel.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190621161930.60785-4-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/msu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/intel_th/msu.c
++++ b/drivers/hwtracing/intel_th/msu.c
+@@ -632,7 +632,7 @@ static int msc_buffer_contig_alloc(struc
+ goto err_out;
+
+ ret = -ENOMEM;
+- page = alloc_pages(GFP_KERNEL | __GFP_ZERO, order);
++ page = alloc_pages(GFP_KERNEL | __GFP_ZERO | GFP_DMA32, order);
+ if (!page)
+ goto err_free_sgt;
+
--- /dev/null
+From 5e6b6651d22de109ebf48ca00d0373bc2c0cc080 Mon Sep 17 00:00:00 2001
+From: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
+Date: Mon, 1 Jul 2019 17:01:25 +0200
+Subject: mmc: sdhci-msm: fix mutex while in spinlock
+
+From: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
+
+commit 5e6b6651d22de109ebf48ca00d0373bc2c0cc080 upstream.
+
+mutexes can sleep and therefore should not be taken while holding a
+spinlock. move clk_get_rate (can sleep) outside the spinlock protected
+region.
+
+Fixes: 83736352e0ca ("mmc: sdhci-msm: Update DLL reset sequence")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Reviewed-by: Vinod Koul <vkoul@kernel.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-msm.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-msm.c
++++ b/drivers/mmc/host/sdhci-msm.c
+@@ -582,11 +582,14 @@ static int msm_init_cm_dll(struct sdhci_
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
+ int wait_cnt = 50;
+- unsigned long flags;
++ unsigned long flags, xo_clk = 0;
+ u32 config;
+ const struct sdhci_msm_offset *msm_offset =
+ msm_host->offset;
+
++ if (msm_host->use_14lpp_dll_reset && !IS_ERR_OR_NULL(msm_host->xo_clk))
++ xo_clk = clk_get_rate(msm_host->xo_clk);
++
+ spin_lock_irqsave(&host->lock, flags);
+
+ /*
+@@ -634,10 +637,10 @@ static int msm_init_cm_dll(struct sdhci_
+ config &= CORE_FLL_CYCLE_CNT;
+ if (config)
+ mclk_freq = DIV_ROUND_CLOSEST_ULL((host->clock * 8),
+- clk_get_rate(msm_host->xo_clk));
++ xo_clk);
+ else
+ mclk_freq = DIV_ROUND_CLOSEST_ULL((host->clock * 4),
+- clk_get_rate(msm_host->xo_clk));
++ xo_clk);
+
+ config = readl_relaxed(host->ioaddr +
+ msm_offset->core_dll_config_2);
--- /dev/null
+From e1884ffddacc0424d7e785e6f8087bd12f7196db Mon Sep 17 00:00:00 2001
+From: Xiaolei Li <xiaolei.li@mediatek.com>
+Date: Tue, 7 May 2019 18:25:38 +0800
+Subject: mtd: rawnand: mtk: Correct low level time calculation of r/w cycle
+
+From: Xiaolei Li <xiaolei.li@mediatek.com>
+
+commit e1884ffddacc0424d7e785e6f8087bd12f7196db upstream.
+
+At present, the flow of calculating AC timing of read/write cycle in SDR
+mode is that:
+At first, calculate high hold time which is valid for both read and write
+cycle using the max value between tREH_min and tWH_min.
+Secondly, calculate WE# pulse width using tWP_min.
+Thridly, calculate RE# pulse width using the bigger one between tREA_max
+and tRP_min.
+
+But NAND SPEC shows that Controller should also meet write/read cycle time.
+That is write cycle time should be more than tWC_min and read cycle should
+be more than tRC_min. Obviously, we do not achieve that now.
+
+This patch corrects the low level time calculation to meet minimum
+read/write cycle time required. After getting the high hold time, WE# low
+level time will be promised to meet tWP_min and tWC_min requirement,
+and RE# low level time will be promised to meet tREA_max, tRP_min and
+tRC_min requirement.
+
+Fixes: edfee3619c49 ("mtd: nand: mtk: add ->setup_data_interface() hook")
+Cc: stable@vger.kernel.org # v4.17+
+Signed-off-by: Xiaolei Li <xiaolei.li@mediatek.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/raw/mtk_nand.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/nand/raw/mtk_nand.c
++++ b/drivers/mtd/nand/raw/mtk_nand.c
+@@ -509,7 +509,8 @@ static int mtk_nfc_setup_data_interface(
+ {
+ struct mtk_nfc *nfc = nand_get_controller_data(mtd_to_nand(mtd));
+ const struct nand_sdr_timings *timings;
+- u32 rate, tpoecs, tprecs, tc2r, tw2r, twh, twst, trlt;
++ u32 rate, tpoecs, tprecs, tc2r, tw2r, twh, twst = 0, trlt = 0;
++ u32 thold;
+
+ timings = nand_get_sdr_timings(conf);
+ if (IS_ERR(timings))
+@@ -545,11 +546,28 @@ static int mtk_nfc_setup_data_interface(
+ twh = DIV_ROUND_UP(twh * rate, 1000000) - 1;
+ twh &= 0xf;
+
+- twst = timings->tWP_min / 1000;
++ /* Calculate real WE#/RE# hold time in nanosecond */
++ thold = (twh + 1) * 1000000 / rate;
++ /* nanosecond to picosecond */
++ thold *= 1000;
++
++ /*
++ * WE# low level time should be expaned to meet WE# pulse time
++ * and WE# cycle time at the same time.
++ */
++ if (thold < timings->tWC_min)
++ twst = timings->tWC_min - thold;
++ twst = max(timings->tWP_min, twst) / 1000;
+ twst = DIV_ROUND_UP(twst * rate, 1000000) - 1;
+ twst &= 0xf;
+
+- trlt = max(timings->tREA_max, timings->tRP_min) / 1000;
++ /*
++ * RE# low level time should be expaned to meet RE# pulse time,
++ * RE# access time and RE# cycle time at the same time.
++ */
++ if (thold < timings->tRC_min)
++ trlt = timings->tRC_min - thold;
++ trlt = max3(trlt, timings->tREA_max, timings->tRP_min) / 1000;
+ trlt = DIV_ROUND_UP(trlt * rate, 1000000) - 1;
+ trlt &= 0xf;
+
--- /dev/null
+From b83408b580eccf8d2797cd6cb9ae42c2a28656a7 Mon Sep 17 00:00:00 2001
+From: liaoweixiong <liaoweixiong@allwinnertech.com>
+Date: Fri, 28 Jun 2019 12:14:46 +0800
+Subject: mtd: spinand: read returns badly if the last page has bitflips
+
+From: liaoweixiong <liaoweixiong@allwinnertech.com>
+
+commit b83408b580eccf8d2797cd6cb9ae42c2a28656a7 upstream.
+
+In case of the last page containing bitflips (ret > 0),
+spinand_mtd_read() will return that number of bitflips for the last
+page while it should instead return max_bitflips like it does when the
+last page read returns with 0.
+
+Signed-off-by: Weixiong Liao <liaoweixiong@allwinnertech.com>
+Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
+Reviewed-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Cc: stable@vger.kernel.org
+Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs")
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/spi/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/spi/core.c
++++ b/drivers/mtd/nand/spi/core.c
+@@ -572,12 +572,12 @@ static int spinand_mtd_read(struct mtd_i
+ if (ret == -EBADMSG) {
+ ecc_failed = true;
+ mtd->ecc_stats.failed++;
+- ret = 0;
+ } else {
+ mtd->ecc_stats.corrected += ret;
+ max_bitflips = max_t(unsigned int, max_bitflips, ret);
+ }
+
++ ret = 0;
+ ops->retlen += iter.req.datalen;
+ ops->oobretlen += iter.req.ooblen;
+ }
--- /dev/null
+From 34c32fc603311a72cb558e5e337555434f64c27b Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Thu, 4 Jul 2019 03:44:17 +0200
+Subject: parisc: Ensure userspace privilege for ptraced processes in regset functions
+
+From: Helge Deller <deller@gmx.de>
+
+commit 34c32fc603311a72cb558e5e337555434f64c27b upstream.
+
+On parisc the privilege level of a process is stored in the lowest two bits of
+the instruction pointers (IAOQ0 and IAOQ1). On Linux we use privilege level 0
+for the kernel and privilege level 3 for user-space. So userspace should not be
+allowed to modify IAOQ0 or IAOQ1 of a ptraced process to change it's privilege
+level to e.g. 0 to try to gain kernel privileges.
+
+This patch prevents such modifications in the regset support functions by
+always setting the two lowest bits to one (which relates to privilege level 3
+for user-space) if IAOQ0 or IAOQ1 are modified via ptrace regset calls.
+
+Link: https://bugs.gentoo.org/481768
+Cc: <stable@vger.kernel.org> # v4.7+
+Tested-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/ptrace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/ptrace.c
++++ b/arch/parisc/kernel/ptrace.c
+@@ -496,7 +496,8 @@ static void set_reg(struct pt_regs *regs
+ return;
+ case RI(iaoq[0]):
+ case RI(iaoq[1]):
+- regs->iaoq[num - RI(iaoq[0])] = val;
++ /* set 2 lowest bits to ensure userspace privilege: */
++ regs->iaoq[num - RI(iaoq[0])] = val | 3;
+ return;
+ case RI(sar): regs->sar = val;
+ return;
--- /dev/null
+From 10835c854685393a921b68f529bf740fa7c9984d Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Tue, 16 Jul 2019 21:43:11 +0200
+Subject: parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1
+
+From: Helge Deller <deller@gmx.de>
+
+commit 10835c854685393a921b68f529bf740fa7c9984d upstream.
+
+On parisc the privilege level of a process is stored in the lowest two bits of
+the instruction pointers (IAOQ0 and IAOQ1). On Linux we use privilege level 0
+for the kernel and privilege level 3 for user-space. So userspace should not be
+allowed to modify IAOQ0 or IAOQ1 of a ptraced process to change it's privilege
+level to e.g. 0 to try to gain kernel privileges.
+
+This patch prevents such modifications by always setting the two lowest bits to
+one (which relates to privilege level 3 for user-space) if IAOQ0 or IAOQ1 are
+modified via ptrace calls in the native and compat ptrace paths.
+
+Link: https://bugs.gentoo.org/481768
+Reported-by: Jeroen Roovers <jer@gentoo.org>
+Cc: <stable@vger.kernel.org>
+Tested-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/ptrace.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/arch/parisc/kernel/ptrace.c
++++ b/arch/parisc/kernel/ptrace.c
+@@ -167,6 +167,9 @@ long arch_ptrace(struct task_struct *chi
+ if ((addr & (sizeof(unsigned long)-1)) ||
+ addr >= sizeof(struct pt_regs))
+ break;
++ if (addr == PT_IAOQ0 || addr == PT_IAOQ1) {
++ data |= 3; /* ensure userspace privilege */
++ }
+ if ((addr >= PT_GR1 && addr <= PT_GR31) ||
+ addr == PT_IAOQ0 || addr == PT_IAOQ1 ||
+ (addr >= PT_FR0 && addr <= PT_FR31 + 4) ||
+@@ -228,16 +231,18 @@ long arch_ptrace(struct task_struct *chi
+
+ static compat_ulong_t translate_usr_offset(compat_ulong_t offset)
+ {
+- if (offset < 0)
+- return sizeof(struct pt_regs);
+- else if (offset <= 32*4) /* gr[0..31] */
+- return offset * 2 + 4;
+- else if (offset <= 32*4+32*8) /* gr[0..31] + fr[0..31] */
+- return offset + 32*4;
+- else if (offset < sizeof(struct pt_regs)/2 + 32*4)
+- return offset * 2 + 4 - 32*8;
++ compat_ulong_t pos;
++
++ if (offset < 32*4) /* gr[0..31] */
++ pos = offset * 2 + 4;
++ else if (offset < 32*4+32*8) /* fr[0] ... fr[31] */
++ pos = (offset - 32*4) + PT_FR0;
++ else if (offset < sizeof(struct pt_regs)/2 + 32*4) /* sr[0] ... ipsw */
++ pos = (offset - 32*4 - 32*8) * 2 + PT_SR0 + 4;
+ else
+- return sizeof(struct pt_regs);
++ pos = sizeof(struct pt_regs);
++
++ return pos;
+ }
+
+ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
+@@ -281,9 +286,12 @@ long compat_arch_ptrace(struct task_stru
+ addr = translate_usr_offset(addr);
+ if (addr >= sizeof(struct pt_regs))
+ break;
++ if (addr == PT_IAOQ0+4 || addr == PT_IAOQ1+4) {
++ data |= 3; /* ensure userspace privilege */
++ }
+ if (addr >= PT_FR0 && addr <= PT_FR31 + 4) {
+ /* Special case, fp regs are 64 bits anyway */
+- *(__u64 *) ((char *) task_regs(child) + addr) = data;
++ *(__u32 *) ((char *) task_regs(child) + addr) = data;
+ ret = 0;
+ }
+ else if ((addr >= PT_GR1+4 && addr <= PT_GR31+4) ||
--- /dev/null
+From 6ecb78ef56e08d2119d337ae23cb951a640dc52d Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Mon, 17 Jun 2019 21:42:14 +0000
+Subject: powerpc/32s: fix suspend/resume when IBATs 4-7 are used
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+commit 6ecb78ef56e08d2119d337ae23cb951a640dc52d upstream.
+
+Previously, only IBAT1 and IBAT2 were used to map kernel linear mem.
+Since commit 63b2bc619565 ("powerpc/mm/32s: Use BATs for
+STRICT_KERNEL_RWX"), we may have all 8 BATs used for mapping
+kernel text. But the suspend/restore functions only save/restore
+BATs 0 to 3, and clears BATs 4 to 7.
+
+Make suspend and restore functions respectively save and reload
+the 8 BATs on CPUs having MMU_FTR_USE_HIGH_BATS feature.
+
+Reported-by: Andreas Schwab <schwab@linux-m68k.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/swsusp_32.S | 73 ++++++++++++++++++++++++++++----
+ arch/powerpc/platforms/powermac/sleep.S | 68 +++++++++++++++++++++++++++--
+ 2 files changed, 128 insertions(+), 13 deletions(-)
+
+--- a/arch/powerpc/kernel/swsusp_32.S
++++ b/arch/powerpc/kernel/swsusp_32.S
+@@ -25,11 +25,19 @@
+ #define SL_IBAT2 0x48
+ #define SL_DBAT3 0x50
+ #define SL_IBAT3 0x58
+-#define SL_TB 0x60
+-#define SL_R2 0x68
+-#define SL_CR 0x6c
+-#define SL_LR 0x70
+-#define SL_R12 0x74 /* r12 to r31 */
++#define SL_DBAT4 0x60
++#define SL_IBAT4 0x68
++#define SL_DBAT5 0x70
++#define SL_IBAT5 0x78
++#define SL_DBAT6 0x80
++#define SL_IBAT6 0x88
++#define SL_DBAT7 0x90
++#define SL_IBAT7 0x98
++#define SL_TB 0xa0
++#define SL_R2 0xa8
++#define SL_CR 0xac
++#define SL_LR 0xb0
++#define SL_R12 0xb4 /* r12 to r31 */
+ #define SL_SIZE (SL_R12 + 80)
+
+ .section .data
+@@ -114,6 +122,41 @@ _GLOBAL(swsusp_arch_suspend)
+ mfibatl r4,3
+ stw r4,SL_IBAT3+4(r11)
+
++BEGIN_MMU_FTR_SECTION
++ mfspr r4,SPRN_DBAT4U
++ stw r4,SL_DBAT4(r11)
++ mfspr r4,SPRN_DBAT4L
++ stw r4,SL_DBAT4+4(r11)
++ mfspr r4,SPRN_DBAT5U
++ stw r4,SL_DBAT5(r11)
++ mfspr r4,SPRN_DBAT5L
++ stw r4,SL_DBAT5+4(r11)
++ mfspr r4,SPRN_DBAT6U
++ stw r4,SL_DBAT6(r11)
++ mfspr r4,SPRN_DBAT6L
++ stw r4,SL_DBAT6+4(r11)
++ mfspr r4,SPRN_DBAT7U
++ stw r4,SL_DBAT7(r11)
++ mfspr r4,SPRN_DBAT7L
++ stw r4,SL_DBAT7+4(r11)
++ mfspr r4,SPRN_IBAT4U
++ stw r4,SL_IBAT4(r11)
++ mfspr r4,SPRN_IBAT4L
++ stw r4,SL_IBAT4+4(r11)
++ mfspr r4,SPRN_IBAT5U
++ stw r4,SL_IBAT5(r11)
++ mfspr r4,SPRN_IBAT5L
++ stw r4,SL_IBAT5+4(r11)
++ mfspr r4,SPRN_IBAT6U
++ stw r4,SL_IBAT6(r11)
++ mfspr r4,SPRN_IBAT6L
++ stw r4,SL_IBAT6+4(r11)
++ mfspr r4,SPRN_IBAT7U
++ stw r4,SL_IBAT7(r11)
++ mfspr r4,SPRN_IBAT7L
++ stw r4,SL_IBAT7+4(r11)
++END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_HIGH_BATS)
++
+ #if 0
+ /* Backup various CPU config stuffs */
+ bl __save_cpu_setup
+@@ -279,27 +322,41 @@ END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
+ mtibatu 3,r4
+ lwz r4,SL_IBAT3+4(r11)
+ mtibatl 3,r4
+-#endif
+-
+ BEGIN_MMU_FTR_SECTION
+- li r4,0
++ lwz r4,SL_DBAT4(r11)
+ mtspr SPRN_DBAT4U,r4
++ lwz r4,SL_DBAT4+4(r11)
+ mtspr SPRN_DBAT4L,r4
++ lwz r4,SL_DBAT5(r11)
+ mtspr SPRN_DBAT5U,r4
++ lwz r4,SL_DBAT5+4(r11)
+ mtspr SPRN_DBAT5L,r4
++ lwz r4,SL_DBAT6(r11)
+ mtspr SPRN_DBAT6U,r4
++ lwz r4,SL_DBAT6+4(r11)
+ mtspr SPRN_DBAT6L,r4
++ lwz r4,SL_DBAT7(r11)
+ mtspr SPRN_DBAT7U,r4
++ lwz r4,SL_DBAT7+4(r11)
+ mtspr SPRN_DBAT7L,r4
++ lwz r4,SL_IBAT4(r11)
+ mtspr SPRN_IBAT4U,r4
++ lwz r4,SL_IBAT4+4(r11)
+ mtspr SPRN_IBAT4L,r4
++ lwz r4,SL_IBAT5(r11)
+ mtspr SPRN_IBAT5U,r4
++ lwz r4,SL_IBAT5+4(r11)
+ mtspr SPRN_IBAT5L,r4
++ lwz r4,SL_IBAT6(r11)
+ mtspr SPRN_IBAT6U,r4
++ lwz r4,SL_IBAT6+4(r11)
+ mtspr SPRN_IBAT6L,r4
++ lwz r4,SL_IBAT7(r11)
+ mtspr SPRN_IBAT7U,r4
++ lwz r4,SL_IBAT7+4(r11)
+ mtspr SPRN_IBAT7L,r4
+ END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_HIGH_BATS)
++#endif
+
+ /* Flush all TLBs */
+ lis r4,0x1000
+--- a/arch/powerpc/platforms/powermac/sleep.S
++++ b/arch/powerpc/platforms/powermac/sleep.S
+@@ -38,10 +38,18 @@
+ #define SL_IBAT2 0x48
+ #define SL_DBAT3 0x50
+ #define SL_IBAT3 0x58
+-#define SL_TB 0x60
+-#define SL_R2 0x68
+-#define SL_CR 0x6c
+-#define SL_R12 0x70 /* r12 to r31 */
++#define SL_DBAT4 0x60
++#define SL_IBAT4 0x68
++#define SL_DBAT5 0x70
++#define SL_IBAT5 0x78
++#define SL_DBAT6 0x80
++#define SL_IBAT6 0x88
++#define SL_DBAT7 0x90
++#define SL_IBAT7 0x98
++#define SL_TB 0xa0
++#define SL_R2 0xa8
++#define SL_CR 0xac
++#define SL_R12 0xb0 /* r12 to r31 */
+ #define SL_SIZE (SL_R12 + 80)
+
+ .section .text
+@@ -126,6 +134,41 @@ _GLOBAL(low_sleep_handler)
+ mfibatl r4,3
+ stw r4,SL_IBAT3+4(r1)
+
++BEGIN_MMU_FTR_SECTION
++ mfspr r4,SPRN_DBAT4U
++ stw r4,SL_DBAT4(r1)
++ mfspr r4,SPRN_DBAT4L
++ stw r4,SL_DBAT4+4(r1)
++ mfspr r4,SPRN_DBAT5U
++ stw r4,SL_DBAT5(r1)
++ mfspr r4,SPRN_DBAT5L
++ stw r4,SL_DBAT5+4(r1)
++ mfspr r4,SPRN_DBAT6U
++ stw r4,SL_DBAT6(r1)
++ mfspr r4,SPRN_DBAT6L
++ stw r4,SL_DBAT6+4(r1)
++ mfspr r4,SPRN_DBAT7U
++ stw r4,SL_DBAT7(r1)
++ mfspr r4,SPRN_DBAT7L
++ stw r4,SL_DBAT7+4(r1)
++ mfspr r4,SPRN_IBAT4U
++ stw r4,SL_IBAT4(r1)
++ mfspr r4,SPRN_IBAT4L
++ stw r4,SL_IBAT4+4(r1)
++ mfspr r4,SPRN_IBAT5U
++ stw r4,SL_IBAT5(r1)
++ mfspr r4,SPRN_IBAT5L
++ stw r4,SL_IBAT5+4(r1)
++ mfspr r4,SPRN_IBAT6U
++ stw r4,SL_IBAT6(r1)
++ mfspr r4,SPRN_IBAT6L
++ stw r4,SL_IBAT6+4(r1)
++ mfspr r4,SPRN_IBAT7U
++ stw r4,SL_IBAT7(r1)
++ mfspr r4,SPRN_IBAT7L
++ stw r4,SL_IBAT7+4(r1)
++END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_HIGH_BATS)
++
+ /* Backup various CPU config stuffs */
+ bl __save_cpu_setup
+
+@@ -326,22 +369,37 @@ grackle_wake_up:
+ mtibatl 3,r4
+
+ BEGIN_MMU_FTR_SECTION
+- li r4,0
++ lwz r4,SL_DBAT4(r1)
+ mtspr SPRN_DBAT4U,r4
++ lwz r4,SL_DBAT4+4(r1)
+ mtspr SPRN_DBAT4L,r4
++ lwz r4,SL_DBAT5(r1)
+ mtspr SPRN_DBAT5U,r4
++ lwz r4,SL_DBAT5+4(r1)
+ mtspr SPRN_DBAT5L,r4
++ lwz r4,SL_DBAT6(r1)
+ mtspr SPRN_DBAT6U,r4
++ lwz r4,SL_DBAT6+4(r1)
+ mtspr SPRN_DBAT6L,r4
++ lwz r4,SL_DBAT7(r1)
+ mtspr SPRN_DBAT7U,r4
++ lwz r4,SL_DBAT7+4(r1)
+ mtspr SPRN_DBAT7L,r4
++ lwz r4,SL_IBAT4(r1)
+ mtspr SPRN_IBAT4U,r4
++ lwz r4,SL_IBAT4+4(r1)
+ mtspr SPRN_IBAT4L,r4
++ lwz r4,SL_IBAT5(r1)
+ mtspr SPRN_IBAT5U,r4
++ lwz r4,SL_IBAT5+4(r1)
+ mtspr SPRN_IBAT5L,r4
++ lwz r4,SL_IBAT6(r1)
+ mtspr SPRN_IBAT6U,r4
++ lwz r4,SL_IBAT6+4(r1)
+ mtspr SPRN_IBAT6L,r4
++ lwz r4,SL_IBAT7(r1)
+ mtspr SPRN_IBAT7U,r4
++ lwz r4,SL_IBAT7+4(r1)
+ mtspr SPRN_IBAT7L,r4
+ END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_HIGH_BATS)
+
--- /dev/null
+From 02c5f5394918b9b47ff4357b1b18335768cd867d Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Fri, 19 Apr 2019 17:34:13 +0200
+Subject: powerpc/powernv/npu: Fix reference leak
+
+From: Greg Kurz <groug@kaod.org>
+
+commit 02c5f5394918b9b47ff4357b1b18335768cd867d upstream.
+
+Since 902bdc57451c, get_pci_dev() calls pci_get_domain_bus_and_slot(). This
+has the effect of incrementing the reference count of the PCI device, as
+explained in drivers/pci/search.c:
+
+ * Given a PCI domain, bus, and slot/function number, the desired PCI
+ * device is located in the list of PCI devices. If the device is
+ * found, its reference count is increased and this function returns a
+ * pointer to its data structure. The caller must decrement the
+ * reference count by calling pci_dev_put(). If no device is found,
+ * %NULL is returned.
+
+Nothing was done to call pci_dev_put() and the reference count of GPU and
+NPU PCI devices rockets up.
+
+A natural way to fix this would be to teach the callers about the change,
+so that they call pci_dev_put() when done with the pointer. This turns
+out to be quite intrusive, as it affects many paths in npu-dma.c,
+pci-ioda.c and vfio_pci_nvlink2.c. Also, the issue appeared in 4.16 and
+some affected code got moved around since then: it would be problematic
+to backport the fix to stable releases.
+
+All that code never cared for reference counting anyway. Call pci_dev_put()
+from get_pci_dev() to revert to the previous behavior.
+
+Fixes: 902bdc57451c ("powerpc/powernv/idoa: Remove unnecessary pcidev from pci_dn")
+Cc: stable@vger.kernel.org # v4.16
+Signed-off-by: Greg Kurz <groug@kaod.org>
+Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/npu-dma.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/npu-dma.c
++++ b/arch/powerpc/platforms/powernv/npu-dma.c
+@@ -56,9 +56,22 @@ static struct dentry *atsd_threshold_den
+ static struct pci_dev *get_pci_dev(struct device_node *dn)
+ {
+ struct pci_dn *pdn = PCI_DN(dn);
++ struct pci_dev *pdev;
+
+- return pci_get_domain_bus_and_slot(pci_domain_nr(pdn->phb->bus),
++ pdev = pci_get_domain_bus_and_slot(pci_domain_nr(pdn->phb->bus),
+ pdn->busno, pdn->devfn);
++
++ /*
++ * pci_get_domain_bus_and_slot() increased the reference count of
++ * the PCI device, but callers don't need that actually as the PE
++ * already holds a reference to the device. Since callers aren't
++ * aware of the reference count change, call pci_dev_put() now to
++ * avoid leaks.
++ */
++ if (pdev)
++ pci_dev_put(pdev);
++
++ return pdev;
+ }
+
+ /* Given a NPU device get the associated PCI device. */
--- /dev/null
+From 0aa82c482ab2ece530a6f44897b63b274bb43c8e Mon Sep 17 00:00:00 2001
+From: Nathan Lynch <nathanl@linux.ibm.com>
+Date: Fri, 7 Jun 2019 00:04:07 -0500
+Subject: powerpc/pseries: Fix oops in hotplug memory notifier
+
+From: Nathan Lynch <nathanl@linux.ibm.com>
+
+commit 0aa82c482ab2ece530a6f44897b63b274bb43c8e upstream.
+
+During post-migration device tree updates, we can oops in
+pseries_update_drconf_memory() if the source device tree has an
+ibm,dynamic-memory-v2 property and the destination has a
+ibm,dynamic_memory (v1) property. The notifier processes an "update"
+for the ibm,dynamic-memory property but it's really an add in this
+scenario. So make sure the old property object is there before
+dereferencing it.
+
+Fixes: 2b31e3aec1db ("powerpc/drmem: Add support for ibm, dynamic-memory-v2 property")
+Cc: stable@vger.kernel.org # v4.16+
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/pseries/hotplug-memory.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/powerpc/platforms/pseries/hotplug-memory.c
++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c
+@@ -1012,6 +1012,9 @@ static int pseries_update_drconf_memory(
+ if (!memblock_size)
+ return -EINVAL;
+
++ if (!pr->old_prop)
++ return 0;
++
+ p = (__be32 *) pr->old_prop->value;
+ if (!p)
+ return -EINVAL;
--- /dev/null
+From f474c28fbcbe42faca4eb415172c07d76adcb819 Mon Sep 17 00:00:00 2001
+From: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Date: Thu, 13 Jun 2019 09:00:14 +0530
+Subject: powerpc/watchpoint: Restore NV GPRs while returning from exception
+
+From: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+
+commit f474c28fbcbe42faca4eb415172c07d76adcb819 upstream.
+
+powerpc hardware triggers watchpoint before executing the instruction.
+To make trigger-after-execute behavior, kernel emulates the
+instruction. If the instruction is 'load something into non-volatile
+register', exception handler should restore emulated register state
+while returning back, otherwise there will be register state
+corruption. eg, adding a watchpoint on a list can corrput the list:
+
+ # cat /proc/kallsyms | grep kthread_create_list
+ c00000000121c8b8 d kthread_create_list
+
+Add watchpoint on kthread_create_list->prev:
+
+ # perf record -e mem:0xc00000000121c8c0
+
+Run some workload such that new kthread gets invoked. eg, I just
+logged out from console:
+
+ list_add corruption. next->prev should be prev (c000000001214e00), \
+ but was c00000000121c8b8. (next=c00000000121c8b8).
+ WARNING: CPU: 59 PID: 309 at lib/list_debug.c:25 __list_add_valid+0xb4/0xc0
+ CPU: 59 PID: 309 Comm: kworker/59:0 Kdump: loaded Not tainted 5.1.0-rc7+ #69
+ ...
+ NIP __list_add_valid+0xb4/0xc0
+ LR __list_add_valid+0xb0/0xc0
+ Call Trace:
+ __list_add_valid+0xb0/0xc0 (unreliable)
+ __kthread_create_on_node+0xe0/0x260
+ kthread_create_on_node+0x34/0x50
+ create_worker+0xe8/0x260
+ worker_thread+0x444/0x560
+ kthread+0x160/0x1a0
+ ret_from_kernel_thread+0x5c/0x70
+
+List corruption happened because it uses 'load into non-volatile
+register' instruction:
+
+Snippet from __kthread_create_on_node:
+
+ c000000000136be8: addis r29,r2,-19
+ c000000000136bec: ld r29,31424(r29)
+ if (!__list_add_valid(new, prev, next))
+ c000000000136bf0: mr r3,r30
+ c000000000136bf4: mr r5,r28
+ c000000000136bf8: mr r4,r29
+ c000000000136bfc: bl c00000000059a2f8 <__list_add_valid+0x8>
+
+Register state from WARN_ON():
+
+ GPR00: c00000000059a3a0 c000007ff23afb50 c000000001344e00 0000000000000075
+ GPR04: 0000000000000000 0000000000000000 0000001852af8bc1 0000000000000000
+ GPR08: 0000000000000001 0000000000000007 0000000000000006 00000000000004aa
+ GPR12: 0000000000000000 c000007ffffeb080 c000000000137038 c000005ff62aaa00
+ GPR16: 0000000000000000 0000000000000000 c000007fffbe7600 c000007fffbe7370
+ GPR20: c000007fffbe7320 c000007fffbe7300 c000000001373a00 0000000000000000
+ GPR24: fffffffffffffef7 c00000000012e320 c000007ff23afcb0 c000000000cb8628
+ GPR28: c00000000121c8b8 c000000001214e00 c000007fef5b17e8 c000007fef5b17c0
+
+Watchpoint hit at 0xc000000000136bec.
+
+ addis r29,r2,-19
+ => r29 = 0xc000000001344e00 + (-19 << 16)
+ => r29 = 0xc000000001214e00
+
+ ld r29,31424(r29)
+ => r29 = *(0xc000000001214e00 + 31424)
+ => r29 = *(0xc00000000121c8c0)
+
+0xc00000000121c8c0 is where we placed a watchpoint and thus this
+instruction was emulated by emulate_step. But because handle_dabr_fault
+did not restore emulated register state, r29 still contains stale
+value in above register state.
+
+Fixes: 5aae8a5370802 ("powerpc, hw_breakpoints: Implement hw_breakpoints for 64-bit server processors")
+Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Cc: stable@vger.kernel.org # 2.6.36+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/exceptions-64s.S | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -1745,7 +1745,7 @@ handle_page_fault:
+ addi r3,r1,STACK_FRAME_OVERHEAD
+ bl do_page_fault
+ cmpdi r3,0
+- beq+ 12f
++ beq+ ret_from_except_lite
+ bl save_nvgprs
+ mr r5,r3
+ addi r3,r1,STACK_FRAME_OVERHEAD
+@@ -1760,7 +1760,12 @@ handle_dabr_fault:
+ ld r5,_DSISR(r1)
+ addi r3,r1,STACK_FRAME_OVERHEAD
+ bl do_break
+-12: b ret_from_except_lite
++ /*
++ * do_break() may have changed the NV GPRS while handling a breakpoint.
++ * If so, we need to restore them with their updated values. Don't use
++ * ret_from_except_lite here.
++ */
++ b ret_from_except
+
+
+ #ifdef CONFIG_PPC_BOOK3S_64
libnvdimm-pfn-fix-fsdax-mode-namespace-info-block-zero-fields.patch
coda-pass-the-host-file-in-vma-vm_file-on-mmap.patch
include-asm-generic-bug.h-fix-cut-here-for-warn_on-for-__warn_taint-architectures.patch
-btrfs-correctly-validate-compression-type.patch
xfs-fix-pagecache-truncation-prior-to-reflink.patch
xfs-flush-removing-page-cache-in-xfs_reflink_remap_p.patch
xfs-don-t-overflow-xattr-listent-buffer.patch
xfs-fix-reporting-supported-extra-file-attributes-fo.patch
xfs-serialize-unaligned-dio-writes-against-all-other.patch
xfs-abort-unaligned-nowait-directio-early.patch
+gpu-ipu-v3-ipu-ic-fix-saturation-bit-offset-in-tpmem.patch
+crypto-caam-limit-output-iv-to-cbc-to-work-around-ctr-mode-dma-issue.patch
+parisc-ensure-userspace-privilege-for-ptraced-processes-in-regset-functions.patch
+parisc-fix-kernel-panic-due-invalid-values-in-iaoq0-or-iaoq1.patch
+powerpc-32s-fix-suspend-resume-when-ibats-4-7-are-used.patch
+powerpc-watchpoint-restore-nv-gprs-while-returning-from-exception.patch
+powerpc-powernv-npu-fix-reference-leak.patch
+powerpc-pseries-fix-oops-in-hotplug-memory-notifier.patch
+mmc-sdhci-msm-fix-mutex-while-in-spinlock.patch
+ecryptfs-fix-a-couple-type-promotion-bugs.patch
+mtd-rawnand-mtk-correct-low-level-time-calculation-of-r-w-cycle.patch
+mtd-spinand-read-returns-badly-if-the-last-page-has-bitflips.patch
+intel_th-msu-fix-single-mode-with-disabled-iommu.patch
+bluetooth-add-smp-workaround-microsoft-surface-precision-mouse-bug.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
