--- /dev/null
+From 1d87b88ba26eabd4745e158ecfd87c93a9b51dc2 Mon Sep 17 00:00:00 2001
+From: Szymon Janc <szymon.janc@codecoup.pl>
+Date: Wed, 19 Jun 2019 00:47:47 +0200
+Subject: Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug
+
+From: Szymon Janc <szymon.janc@codecoup.pl>
+
+commit 1d87b88ba26eabd4745e158ecfd87c93a9b51dc2 upstream.
+
+Microsoft Surface Precision Mouse provides bogus identity address when
+pairing. It connects with Static Random address but provides Public
+Address in SMP Identity Address Information PDU. Address has same
+value but type is different. Workaround this by dropping IRK if ID
+address discrepancy is detected.
+
+> HCI Event: LE Meta Event (0x3e) plen 19
+ LE Connection Complete (0x01)
+ Status: Success (0x00)
+ Handle: 75
+ Role: Master (0x00)
+ Peer address type: Random (0x01)
+ Peer address: E0:52:33:93:3B:21 (Static)
+ Connection interval: 50.00 msec (0x0028)
+ Connection latency: 0 (0x0000)
+ Supervision timeout: 420 msec (0x002a)
+ Master clock accuracy: 0x00
+
+....
+
+> ACL Data RX: Handle 75 flags 0x02 dlen 12
+ SMP: Identity Address Information (0x09) len 7
+ Address type: Public (0x00)
+ Address: E0:52:33:93:3B:21
+
+Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
+Tested-by: Maarten Fonville <maarten.fonville@gmail.com>
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199461
+Cc: stable@vger.kernel.org
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/smp.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2532,6 +2532,19 @@ static int smp_cmd_ident_addr_info(struc
+ goto distribute;
+ }
+
++ /* Drop IRK if peer is using identity address during pairing but is
++ * providing different address as identity information.
++ *
++ * Microsoft Surface Precision Mouse is known to have this bug.
++ */
++ if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
++ (bacmp(&info->bdaddr, &hcon->dst) ||
++ info->addr_type != hcon->dst_type)) {
++ bt_dev_err(hcon->hdev,
++ "ignoring IRK with invalid identity address");
++ goto distribute;
++ }
++
+ bacpy(&smp->id_addr, &info->bdaddr);
+ smp->id_addr_type = info->addr_type;
+
--- /dev/null
+From 7fa0a1da3dadfd9216df7745a1331fdaa0940d1c Mon Sep 17 00:00:00 2001
+From: Jan Harkes <jaharkes@cs.cmu.edu>
+Date: Tue, 16 Jul 2019 16:28:04 -0700
+Subject: coda: pass the host file in vma->vm_file on mmap
+
+From: Jan Harkes <jaharkes@cs.cmu.edu>
+
+commit 7fa0a1da3dadfd9216df7745a1331fdaa0940d1c upstream.
+
+Patch series "Coda updates".
+
+The following patch series is a collection of various fixes for Coda,
+most of which were collected from linux-fsdevel or linux-kernel but
+which have as yet not found their way upstream.
+
+This patch (of 22):
+
+Various file systems expect that vma->vm_file points at their own file
+handle, several use file_inode(vma->vm_file) to get at their inode or
+use vma->vm_file->private_data. However the way Coda wrapped mmap on a
+host file broke this assumption, vm_file was still pointing at the Coda
+file and the host file systems would scribble over Coda's inode and
+private file data.
+
+This patch fixes the incorrect expectation and wraps vm_ops->open and
+vm_ops->close to allow Coda to track when the vm_area_struct is
+destroyed so we still release the reference on the Coda file handle at
+the right time.
+
+[This patch differs from the original upstream patch because older stable
+ kernels do not have the call_mmap vfs helper so we call f_ops->mmap
+ directly.]
+
+Link: http://lkml.kernel.org/r/0e850c6e59c0b147dc2dcd51a3af004c948c3697.1558117389.git.jaharkes@cs.cmu.edu
+Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Colin Ian King <colin.king@canonical.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Fabian Frederick <fabf@skynet.be>
+Cc: Mikko Rapeli <mikko.rapeli@iki.fi>
+Cc: Sam Protsenko <semen.protsenko@linaro.org>
+Cc: Yann Droneaud <ydroneaud@opteya.com>
+Cc: Zhouyang Jia <jiazhouyang09@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jan Harkes <jaharkes@cs.cmu.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/coda/file.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 68 insertions(+), 1 deletion(-)
+
+--- a/fs/coda/file.c
++++ b/fs/coda/file.c
+@@ -81,6 +81,41 @@ coda_file_write_iter(struct kiocb *iocb,
+ return ret;
+ }
+
++struct coda_vm_ops {
++ atomic_t refcnt;
++ struct file *coda_file;
++ const struct vm_operations_struct *host_vm_ops;
++ struct vm_operations_struct vm_ops;
++};
++
++static void
++coda_vm_open(struct vm_area_struct *vma)
++{
++ struct coda_vm_ops *cvm_ops =
++ container_of(vma->vm_ops, struct coda_vm_ops, vm_ops);
++
++ atomic_inc(&cvm_ops->refcnt);
++
++ if (cvm_ops->host_vm_ops && cvm_ops->host_vm_ops->open)
++ cvm_ops->host_vm_ops->open(vma);
++}
++
++static void
++coda_vm_close(struct vm_area_struct *vma)
++{
++ struct coda_vm_ops *cvm_ops =
++ container_of(vma->vm_ops, struct coda_vm_ops, vm_ops);
++
++ if (cvm_ops->host_vm_ops && cvm_ops->host_vm_ops->close)
++ cvm_ops->host_vm_ops->close(vma);
++
++ if (atomic_dec_and_test(&cvm_ops->refcnt)) {
++ vma->vm_ops = cvm_ops->host_vm_ops;
++ fput(cvm_ops->coda_file);
++ kfree(cvm_ops);
++ }
++}
++
+ static int
+ coda_file_mmap(struct file *coda_file, struct vm_area_struct *vma)
+ {
+@@ -88,6 +123,8 @@ coda_file_mmap(struct file *coda_file, s
+ struct coda_inode_info *cii;
+ struct file *host_file;
+ struct inode *coda_inode, *host_inode;
++ struct coda_vm_ops *cvm_ops;
++ int ret;
+
+ cfi = CODA_FTOC(coda_file);
+ BUG_ON(!cfi || cfi->cfi_magic != CODA_MAGIC);
+@@ -96,6 +133,13 @@ coda_file_mmap(struct file *coda_file, s
+ if (!host_file->f_op->mmap)
+ return -ENODEV;
+
++ if (WARN_ON(coda_file != vma->vm_file))
++ return -EIO;
++
++ cvm_ops = kmalloc(sizeof(struct coda_vm_ops), GFP_KERNEL);
++ if (!cvm_ops)
++ return -ENOMEM;
++
+ coda_inode = file_inode(coda_file);
+ host_inode = file_inode(host_file);
+
+@@ -109,6 +153,7 @@ coda_file_mmap(struct file *coda_file, s
+ * the container file on us! */
+ else if (coda_inode->i_mapping != host_inode->i_mapping) {
+ spin_unlock(&cii->c_lock);
++ kfree(cvm_ops);
+ return -EBUSY;
+ }
+
+@@ -117,7 +162,29 @@ coda_file_mmap(struct file *coda_file, s
+ cfi->cfi_mapcount++;
+ spin_unlock(&cii->c_lock);
+
+- return host_file->f_op->mmap(host_file, vma);
++ vma->vm_file = get_file(host_file);
++ ret = host_file->f_op->mmap(host_file, vma);
++
++ if (ret) {
++ /* if call_mmap fails, our caller will put coda_file so we
++ * should drop the reference to the host_file that we got.
++ */
++ fput(host_file);
++ kfree(cvm_ops);
++ } else {
++ /* here we add redirects for the open/close vm_operations */
++ cvm_ops->host_vm_ops = vma->vm_ops;
++ if (vma->vm_ops)
++ cvm_ops->vm_ops = *vma->vm_ops;
++
++ cvm_ops->vm_ops.open = coda_vm_open;
++ cvm_ops->vm_ops.close = coda_vm_close;
++ cvm_ops->coda_file = coda_file;
++ atomic_set(&cvm_ops->refcnt, 1);
++
++ vma->vm_ops = &cvm_ops->vm_ops;
++ }
++ return ret;
+ }
+
+ int coda_open(struct inode *coda_inode, struct file *coda_file)
--- /dev/null
+From 0bdf8a8245fdea6f075a5fede833a5fcf1b3466c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Jul 2018 12:35:56 +0300
+Subject: eCryptfs: fix a couple type promotion bugs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 0bdf8a8245fdea6f075a5fede833a5fcf1b3466c upstream.
+
+ECRYPTFS_SIZE_AND_MARKER_BYTES is type size_t, so if "rc" is negative
+that gets type promoted to a high positive value and treated as success.
+
+Fixes: 778aeb42a708 ("eCryptfs: Cleanup and optimize ecryptfs_lookup_interpose()")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+[tyhicks: Use "if/else if" rather than "if/if"]
+Cc: stable@vger.kernel.org
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/crypto.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/fs/ecryptfs/crypto.c
++++ b/fs/ecryptfs/crypto.c
+@@ -1041,8 +1041,10 @@ int ecryptfs_read_and_validate_header_re
+
+ rc = ecryptfs_read_lower(file_size, 0, ECRYPTFS_SIZE_AND_MARKER_BYTES,
+ inode);
+- if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
+- return rc >= 0 ? -EINVAL : rc;
++ if (rc < 0)
++ return rc;
++ else if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
++ return -EINVAL;
+ rc = ecryptfs_validate_marker(marker);
+ if (!rc)
+ ecryptfs_i_size_init(file_size, inode);
+@@ -1400,8 +1402,10 @@ int ecryptfs_read_and_validate_xattr_reg
+ rc = ecryptfs_getxattr_lower(ecryptfs_dentry_to_lower(dentry),
+ ECRYPTFS_XATTR_NAME, file_size,
+ ECRYPTFS_SIZE_AND_MARKER_BYTES);
+- if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
+- return rc >= 0 ? -EINVAL : rc;
++ if (rc < 0)
++ return rc;
++ else if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
++ return -EINVAL;
+ rc = ecryptfs_validate_marker(marker);
+ if (!rc)
+ ecryptfs_i_size_init(file_size, inode);
--- /dev/null
+From 3d1f62c686acdedf5ed9642b763f3808d6a47d1e Mon Sep 17 00:00:00 2001
+From: Steve Longerbeam <slongerbeam@gmail.com>
+Date: Tue, 21 May 2019 18:03:13 -0700
+Subject: gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM
+
+From: Steve Longerbeam <slongerbeam@gmail.com>
+
+commit 3d1f62c686acdedf5ed9642b763f3808d6a47d1e upstream.
+
+The saturation bit was being set at bit 9 in the second 32-bit word
+of the TPMEM CSC. This isn't correct, the saturation bit is bit 42,
+which is bit 10 of the second word.
+
+Fixes: 1aa8ea0d2bd5d ("gpu: ipu-v3: Add Image Converter unit")
+
+Signed-off-by: Steve Longerbeam <slongerbeam@gmail.com>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/ipu-v3/ipu-ic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/ipu-v3/ipu-ic.c
++++ b/drivers/gpu/ipu-v3/ipu-ic.c
+@@ -255,7 +255,7 @@ static int init_csc(struct ipu_ic *ic,
+ writel(param, base++);
+
+ param = ((a[0] & 0x1fe0) >> 5) | (params->scale << 8) |
+- (params->sat << 9);
++ (params->sat << 10);
+ writel(param, base++);
+
+ param = ((a[1] & 0x1f) << 27) | ((c[0][1] & 0x1ff) << 18) |
--- /dev/null
+From 918b8646497b5dba6ae82d4a7325f01b258972b9 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Fri, 21 Jun 2019 19:19:29 +0300
+Subject: intel_th: msu: Fix single mode with disabled IOMMU
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 918b8646497b5dba6ae82d4a7325f01b258972b9 upstream.
+
+Commit 4e0eaf239fb3 ("intel_th: msu: Fix single mode with IOMMU") switched
+the single mode code to use dma mapping pages obtained from the page
+allocator, but with IOMMU disabled, that may lead to using SWIOTLB bounce
+buffers and without additional sync'ing, produces empty trace buffers.
+
+Fix this by using a DMA32 GFP flag to the page allocation in single mode,
+as the device supports full 32-bit DMA addressing.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: 4e0eaf239fb3 ("intel_th: msu: Fix single mode with IOMMU")
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reported-by: Ammy Yi <ammy.yi@intel.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190621161930.60785-4-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/msu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/intel_th/msu.c
++++ b/drivers/hwtracing/intel_th/msu.c
+@@ -625,7 +625,7 @@ static int msc_buffer_contig_alloc(struc
+ goto err_out;
+
+ ret = -ENOMEM;
+- page = alloc_pages(GFP_KERNEL | __GFP_ZERO, order);
++ page = alloc_pages(GFP_KERNEL | __GFP_ZERO | GFP_DMA32, order);
+ if (!page)
+ goto err_free_sgt;
+
--- /dev/null
+From 10835c854685393a921b68f529bf740fa7c9984d Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Tue, 16 Jul 2019 21:43:11 +0200
+Subject: parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1
+
+From: Helge Deller <deller@gmx.de>
+
+commit 10835c854685393a921b68f529bf740fa7c9984d upstream.
+
+On parisc the privilege level of a process is stored in the lowest two bits of
+the instruction pointers (IAOQ0 and IAOQ1). On Linux we use privilege level 0
+for the kernel and privilege level 3 for user-space. So userspace should not be
+allowed to modify IAOQ0 or IAOQ1 of a ptraced process to change it's privilege
+level to e.g. 0 to try to gain kernel privileges.
+
+This patch prevents such modifications by always setting the two lowest bits to
+one (which relates to privilege level 3 for user-space) if IAOQ0 or IAOQ1 are
+modified via ptrace calls in the native and compat ptrace paths.
+
+Link: https://bugs.gentoo.org/481768
+Reported-by: Jeroen Roovers <jer@gentoo.org>
+Cc: <stable@vger.kernel.org>
+Tested-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/ptrace.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/arch/parisc/kernel/ptrace.c
++++ b/arch/parisc/kernel/ptrace.c
+@@ -156,6 +156,9 @@ long arch_ptrace(struct task_struct *chi
+ if ((addr & (sizeof(unsigned long)-1)) ||
+ addr >= sizeof(struct pt_regs))
+ break;
++ if (addr == PT_IAOQ0 || addr == PT_IAOQ1) {
++ data |= 3; /* ensure userspace privilege */
++ }
+ if ((addr >= PT_GR1 && addr <= PT_GR31) ||
+ addr == PT_IAOQ0 || addr == PT_IAOQ1 ||
+ (addr >= PT_FR0 && addr <= PT_FR31 + 4) ||
+@@ -189,16 +192,18 @@ long arch_ptrace(struct task_struct *chi
+
+ static compat_ulong_t translate_usr_offset(compat_ulong_t offset)
+ {
+- if (offset < 0)
+- return sizeof(struct pt_regs);
+- else if (offset <= 32*4) /* gr[0..31] */
+- return offset * 2 + 4;
+- else if (offset <= 32*4+32*8) /* gr[0..31] + fr[0..31] */
+- return offset + 32*4;
+- else if (offset < sizeof(struct pt_regs)/2 + 32*4)
+- return offset * 2 + 4 - 32*8;
++ compat_ulong_t pos;
++
++ if (offset < 32*4) /* gr[0..31] */
++ pos = offset * 2 + 4;
++ else if (offset < 32*4+32*8) /* fr[0] ... fr[31] */
++ pos = (offset - 32*4) + PT_FR0;
++ else if (offset < sizeof(struct pt_regs)/2 + 32*4) /* sr[0] ... ipsw */
++ pos = (offset - 32*4 - 32*8) * 2 + PT_SR0 + 4;
+ else
+- return sizeof(struct pt_regs);
++ pos = sizeof(struct pt_regs);
++
++ return pos;
+ }
+
+ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
+@@ -242,9 +247,12 @@ long compat_arch_ptrace(struct task_stru
+ addr = translate_usr_offset(addr);
+ if (addr >= sizeof(struct pt_regs))
+ break;
++ if (addr == PT_IAOQ0+4 || addr == PT_IAOQ1+4) {
++ data |= 3; /* ensure userspace privilege */
++ }
+ if (addr >= PT_FR0 && addr <= PT_FR31 + 4) {
+ /* Special case, fp regs are 64 bits anyway */
+- *(__u64 *) ((char *) task_regs(child) + addr) = data;
++ *(__u32 *) ((char *) task_regs(child) + addr) = data;
+ ret = 0;
+ }
+ else if ((addr >= PT_GR1+4 && addr <= PT_GR31+4) ||
--- /dev/null
+From 6ecb78ef56e08d2119d337ae23cb951a640dc52d Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Mon, 17 Jun 2019 21:42:14 +0000
+Subject: powerpc/32s: fix suspend/resume when IBATs 4-7 are used
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+commit 6ecb78ef56e08d2119d337ae23cb951a640dc52d upstream.
+
+Previously, only IBAT1 and IBAT2 were used to map kernel linear mem.
+Since commit 63b2bc619565 ("powerpc/mm/32s: Use BATs for
+STRICT_KERNEL_RWX"), we may have all 8 BATs used for mapping
+kernel text. But the suspend/restore functions only save/restore
+BATs 0 to 3, and clears BATs 4 to 7.
+
+Make suspend and restore functions respectively save and reload
+the 8 BATs on CPUs having MMU_FTR_USE_HIGH_BATS feature.
+
+Reported-by: Andreas Schwab <schwab@linux-m68k.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/swsusp_32.S | 73 ++++++++++++++++++++++++++++----
+ arch/powerpc/platforms/powermac/sleep.S | 68 +++++++++++++++++++++++++++--
+ 2 files changed, 128 insertions(+), 13 deletions(-)
+
+--- a/arch/powerpc/kernel/swsusp_32.S
++++ b/arch/powerpc/kernel/swsusp_32.S
+@@ -23,11 +23,19 @@
+ #define SL_IBAT2 0x48
+ #define SL_DBAT3 0x50
+ #define SL_IBAT3 0x58
+-#define SL_TB 0x60
+-#define SL_R2 0x68
+-#define SL_CR 0x6c
+-#define SL_LR 0x70
+-#define SL_R12 0x74 /* r12 to r31 */
++#define SL_DBAT4 0x60
++#define SL_IBAT4 0x68
++#define SL_DBAT5 0x70
++#define SL_IBAT5 0x78
++#define SL_DBAT6 0x80
++#define SL_IBAT6 0x88
++#define SL_DBAT7 0x90
++#define SL_IBAT7 0x98
++#define SL_TB 0xa0
++#define SL_R2 0xa8
++#define SL_CR 0xac
++#define SL_LR 0xb0
++#define SL_R12 0xb4 /* r12 to r31 */
+ #define SL_SIZE (SL_R12 + 80)
+
+ .section .data
+@@ -112,6 +120,41 @@ _GLOBAL(swsusp_arch_suspend)
+ mfibatl r4,3
+ stw r4,SL_IBAT3+4(r11)
+
++BEGIN_MMU_FTR_SECTION
++ mfspr r4,SPRN_DBAT4U
++ stw r4,SL_DBAT4(r11)
++ mfspr r4,SPRN_DBAT4L
++ stw r4,SL_DBAT4+4(r11)
++ mfspr r4,SPRN_DBAT5U
++ stw r4,SL_DBAT5(r11)
++ mfspr r4,SPRN_DBAT5L
++ stw r4,SL_DBAT5+4(r11)
++ mfspr r4,SPRN_DBAT6U
++ stw r4,SL_DBAT6(r11)
++ mfspr r4,SPRN_DBAT6L
++ stw r4,SL_DBAT6+4(r11)
++ mfspr r4,SPRN_DBAT7U
++ stw r4,SL_DBAT7(r11)
++ mfspr r4,SPRN_DBAT7L
++ stw r4,SL_DBAT7+4(r11)
++ mfspr r4,SPRN_IBAT4U
++ stw r4,SL_IBAT4(r11)
++ mfspr r4,SPRN_IBAT4L
++ stw r4,SL_IBAT4+4(r11)
++ mfspr r4,SPRN_IBAT5U
++ stw r4,SL_IBAT5(r11)
++ mfspr r4,SPRN_IBAT5L
++ stw r4,SL_IBAT5+4(r11)
++ mfspr r4,SPRN_IBAT6U
++ stw r4,SL_IBAT6(r11)
++ mfspr r4,SPRN_IBAT6L
++ stw r4,SL_IBAT6+4(r11)
++ mfspr r4,SPRN_IBAT7U
++ stw r4,SL_IBAT7(r11)
++ mfspr r4,SPRN_IBAT7L
++ stw r4,SL_IBAT7+4(r11)
++END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_HIGH_BATS)
++
+ #if 0
+ /* Backup various CPU config stuffs */
+ bl __save_cpu_setup
+@@ -277,27 +320,41 @@ END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
+ mtibatu 3,r4
+ lwz r4,SL_IBAT3+4(r11)
+ mtibatl 3,r4
+-#endif
+-
+ BEGIN_MMU_FTR_SECTION
+- li r4,0
++ lwz r4,SL_DBAT4(r11)
+ mtspr SPRN_DBAT4U,r4
++ lwz r4,SL_DBAT4+4(r11)
+ mtspr SPRN_DBAT4L,r4
++ lwz r4,SL_DBAT5(r11)
+ mtspr SPRN_DBAT5U,r4
++ lwz r4,SL_DBAT5+4(r11)
+ mtspr SPRN_DBAT5L,r4
++ lwz r4,SL_DBAT6(r11)
+ mtspr SPRN_DBAT6U,r4
++ lwz r4,SL_DBAT6+4(r11)
+ mtspr SPRN_DBAT6L,r4
++ lwz r4,SL_DBAT7(r11)
+ mtspr SPRN_DBAT7U,r4
++ lwz r4,SL_DBAT7+4(r11)
+ mtspr SPRN_DBAT7L,r4
++ lwz r4,SL_IBAT4(r11)
+ mtspr SPRN_IBAT4U,r4
++ lwz r4,SL_IBAT4+4(r11)
+ mtspr SPRN_IBAT4L,r4
++ lwz r4,SL_IBAT5(r11)
+ mtspr SPRN_IBAT5U,r4
++ lwz r4,SL_IBAT5+4(r11)
+ mtspr SPRN_IBAT5L,r4
++ lwz r4,SL_IBAT6(r11)
+ mtspr SPRN_IBAT6U,r4
++ lwz r4,SL_IBAT6+4(r11)
+ mtspr SPRN_IBAT6L,r4
++ lwz r4,SL_IBAT7(r11)
+ mtspr SPRN_IBAT7U,r4
++ lwz r4,SL_IBAT7+4(r11)
+ mtspr SPRN_IBAT7L,r4
+ END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_HIGH_BATS)
++#endif
+
+ /* Flush all TLBs */
+ lis r4,0x1000
+--- a/arch/powerpc/platforms/powermac/sleep.S
++++ b/arch/powerpc/platforms/powermac/sleep.S
+@@ -37,10 +37,18 @@
+ #define SL_IBAT2 0x48
+ #define SL_DBAT3 0x50
+ #define SL_IBAT3 0x58
+-#define SL_TB 0x60
+-#define SL_R2 0x68
+-#define SL_CR 0x6c
+-#define SL_R12 0x70 /* r12 to r31 */
++#define SL_DBAT4 0x60
++#define SL_IBAT4 0x68
++#define SL_DBAT5 0x70
++#define SL_IBAT5 0x78
++#define SL_DBAT6 0x80
++#define SL_IBAT6 0x88
++#define SL_DBAT7 0x90
++#define SL_IBAT7 0x98
++#define SL_TB 0xa0
++#define SL_R2 0xa8
++#define SL_CR 0xac
++#define SL_R12 0xb0 /* r12 to r31 */
+ #define SL_SIZE (SL_R12 + 80)
+
+ .section .text
+@@ -125,6 +133,41 @@ _GLOBAL(low_sleep_handler)
+ mfibatl r4,3
+ stw r4,SL_IBAT3+4(r1)
+
++BEGIN_MMU_FTR_SECTION
++ mfspr r4,SPRN_DBAT4U
++ stw r4,SL_DBAT4(r1)
++ mfspr r4,SPRN_DBAT4L
++ stw r4,SL_DBAT4+4(r1)
++ mfspr r4,SPRN_DBAT5U
++ stw r4,SL_DBAT5(r1)
++ mfspr r4,SPRN_DBAT5L
++ stw r4,SL_DBAT5+4(r1)
++ mfspr r4,SPRN_DBAT6U
++ stw r4,SL_DBAT6(r1)
++ mfspr r4,SPRN_DBAT6L
++ stw r4,SL_DBAT6+4(r1)
++ mfspr r4,SPRN_DBAT7U
++ stw r4,SL_DBAT7(r1)
++ mfspr r4,SPRN_DBAT7L
++ stw r4,SL_DBAT7+4(r1)
++ mfspr r4,SPRN_IBAT4U
++ stw r4,SL_IBAT4(r1)
++ mfspr r4,SPRN_IBAT4L
++ stw r4,SL_IBAT4+4(r1)
++ mfspr r4,SPRN_IBAT5U
++ stw r4,SL_IBAT5(r1)
++ mfspr r4,SPRN_IBAT5L
++ stw r4,SL_IBAT5+4(r1)
++ mfspr r4,SPRN_IBAT6U
++ stw r4,SL_IBAT6(r1)
++ mfspr r4,SPRN_IBAT6L
++ stw r4,SL_IBAT6+4(r1)
++ mfspr r4,SPRN_IBAT7U
++ stw r4,SL_IBAT7(r1)
++ mfspr r4,SPRN_IBAT7L
++ stw r4,SL_IBAT7+4(r1)
++END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_HIGH_BATS)
++
+ /* Backup various CPU config stuffs */
+ bl __save_cpu_setup
+
+@@ -325,22 +368,37 @@ grackle_wake_up:
+ mtibatl 3,r4
+
+ BEGIN_MMU_FTR_SECTION
+- li r4,0
++ lwz r4,SL_DBAT4(r1)
+ mtspr SPRN_DBAT4U,r4
++ lwz r4,SL_DBAT4+4(r1)
+ mtspr SPRN_DBAT4L,r4
++ lwz r4,SL_DBAT5(r1)
+ mtspr SPRN_DBAT5U,r4
++ lwz r4,SL_DBAT5+4(r1)
+ mtspr SPRN_DBAT5L,r4
++ lwz r4,SL_DBAT6(r1)
+ mtspr SPRN_DBAT6U,r4
++ lwz r4,SL_DBAT6+4(r1)
+ mtspr SPRN_DBAT6L,r4
++ lwz r4,SL_DBAT7(r1)
+ mtspr SPRN_DBAT7U,r4
++ lwz r4,SL_DBAT7+4(r1)
+ mtspr SPRN_DBAT7L,r4
++ lwz r4,SL_IBAT4(r1)
+ mtspr SPRN_IBAT4U,r4
++ lwz r4,SL_IBAT4+4(r1)
+ mtspr SPRN_IBAT4L,r4
++ lwz r4,SL_IBAT5(r1)
+ mtspr SPRN_IBAT5U,r4
++ lwz r4,SL_IBAT5+4(r1)
+ mtspr SPRN_IBAT5L,r4
++ lwz r4,SL_IBAT6(r1)
+ mtspr SPRN_IBAT6U,r4
++ lwz r4,SL_IBAT6+4(r1)
+ mtspr SPRN_IBAT6L,r4
++ lwz r4,SL_IBAT7(r1)
+ mtspr SPRN_IBAT7U,r4
++ lwz r4,SL_IBAT7+4(r1)
+ mtspr SPRN_IBAT7L,r4
+ END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_HIGH_BATS)
+
--- /dev/null
+From f474c28fbcbe42faca4eb415172c07d76adcb819 Mon Sep 17 00:00:00 2001
+From: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Date: Thu, 13 Jun 2019 09:00:14 +0530
+Subject: powerpc/watchpoint: Restore NV GPRs while returning from exception
+
+From: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+
+commit f474c28fbcbe42faca4eb415172c07d76adcb819 upstream.
+
+powerpc hardware triggers watchpoint before executing the instruction.
+To make trigger-after-execute behavior, kernel emulates the
+instruction. If the instruction is 'load something into non-volatile
+register', exception handler should restore emulated register state
+while returning back, otherwise there will be register state
+corruption. eg, adding a watchpoint on a list can corrput the list:
+
+ # cat /proc/kallsyms | grep kthread_create_list
+ c00000000121c8b8 d kthread_create_list
+
+Add watchpoint on kthread_create_list->prev:
+
+ # perf record -e mem:0xc00000000121c8c0
+
+Run some workload such that new kthread gets invoked. eg, I just
+logged out from console:
+
+ list_add corruption. next->prev should be prev (c000000001214e00), \
+ but was c00000000121c8b8. (next=c00000000121c8b8).
+ WARNING: CPU: 59 PID: 309 at lib/list_debug.c:25 __list_add_valid+0xb4/0xc0
+ CPU: 59 PID: 309 Comm: kworker/59:0 Kdump: loaded Not tainted 5.1.0-rc7+ #69
+ ...
+ NIP __list_add_valid+0xb4/0xc0
+ LR __list_add_valid+0xb0/0xc0
+ Call Trace:
+ __list_add_valid+0xb0/0xc0 (unreliable)
+ __kthread_create_on_node+0xe0/0x260
+ kthread_create_on_node+0x34/0x50
+ create_worker+0xe8/0x260
+ worker_thread+0x444/0x560
+ kthread+0x160/0x1a0
+ ret_from_kernel_thread+0x5c/0x70
+
+List corruption happened because it uses 'load into non-volatile
+register' instruction:
+
+Snippet from __kthread_create_on_node:
+
+ c000000000136be8: addis r29,r2,-19
+ c000000000136bec: ld r29,31424(r29)
+ if (!__list_add_valid(new, prev, next))
+ c000000000136bf0: mr r3,r30
+ c000000000136bf4: mr r5,r28
+ c000000000136bf8: mr r4,r29
+ c000000000136bfc: bl c00000000059a2f8 <__list_add_valid+0x8>
+
+Register state from WARN_ON():
+
+ GPR00: c00000000059a3a0 c000007ff23afb50 c000000001344e00 0000000000000075
+ GPR04: 0000000000000000 0000000000000000 0000001852af8bc1 0000000000000000
+ GPR08: 0000000000000001 0000000000000007 0000000000000006 00000000000004aa
+ GPR12: 0000000000000000 c000007ffffeb080 c000000000137038 c000005ff62aaa00
+ GPR16: 0000000000000000 0000000000000000 c000007fffbe7600 c000007fffbe7370
+ GPR20: c000007fffbe7320 c000007fffbe7300 c000000001373a00 0000000000000000
+ GPR24: fffffffffffffef7 c00000000012e320 c000007ff23afcb0 c000000000cb8628
+ GPR28: c00000000121c8b8 c000000001214e00 c000007fef5b17e8 c000007fef5b17c0
+
+Watchpoint hit at 0xc000000000136bec.
+
+ addis r29,r2,-19
+ => r29 = 0xc000000001344e00 + (-19 << 16)
+ => r29 = 0xc000000001214e00
+
+ ld r29,31424(r29)
+ => r29 = *(0xc000000001214e00 + 31424)
+ => r29 = *(0xc00000000121c8c0)
+
+0xc00000000121c8c0 is where we placed a watchpoint and thus this
+instruction was emulated by emulate_step. But because handle_dabr_fault
+did not restore emulated register state, r29 still contains stale
+value in above register state.
+
+Fixes: 5aae8a5370802 ("powerpc, hw_breakpoints: Implement hw_breakpoints for 64-bit server processors")
+Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Cc: stable@vger.kernel.org # 2.6.36+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/exceptions-64s.S | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -1719,7 +1719,7 @@ handle_page_fault:
+ addi r3,r1,STACK_FRAME_OVERHEAD
+ bl do_page_fault
+ cmpdi r3,0
+- beq+ 12f
++ beq+ ret_from_except_lite
+ bl save_nvgprs
+ mr r5,r3
+ addi r3,r1,STACK_FRAME_OVERHEAD
+@@ -1734,7 +1734,12 @@ handle_dabr_fault:
+ ld r5,_DSISR(r1)
+ addi r3,r1,STACK_FRAME_OVERHEAD
+ bl do_break
+-12: b ret_from_except_lite
++ /*
++ * do_break() may have changed the NV GPRS while handling a breakpoint.
++ * If so, we need to restore them with their updated values. Don't use
++ * ret_from_except_lite here.
++ */
++ b ret_from_except
+
+
+ /* We have a page fault that hash_page could handle but HV refused
floppy-fix-out-of-bounds-read-in-next_valid_format.patch
floppy-fix-invalid-pointer-dereference-in-drive_name.patch
floppy-fix-out-of-bounds-read-in-copy_buffer.patch
+coda-pass-the-host-file-in-vma-vm_file-on-mmap.patch
+gpu-ipu-v3-ipu-ic-fix-saturation-bit-offset-in-tpmem.patch
+parisc-fix-kernel-panic-due-invalid-values-in-iaoq0-or-iaoq1.patch
+powerpc-32s-fix-suspend-resume-when-ibats-4-7-are-used.patch
+powerpc-watchpoint-restore-nv-gprs-while-returning-from-exception.patch
+ecryptfs-fix-a-couple-type-promotion-bugs.patch
+intel_th-msu-fix-single-mode-with-disabled-iommu.patch
+bluetooth-add-smp-workaround-microsoft-surface-precision-mouse-bug.patch
+ mutex_lock(&floppy_mutex);
+
+ if (poll) {
-+ if (lock_fdc(drive))
++ if (lock_fdc(drive, true))
+ goto Eintr;
+ if (poll_drive(true, FD_RAW_NEED_DISK) == -EINTR)
+ goto Eintr;
projects / thirdparty / kernel / stable-queue.git / commitdiff
