5.2-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 24 Jul 2019 12:17:57 +0000 (14:17 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 24 Jul 2019 12:17:57 +0000 (14:17 +0200)
added patches:
bluetooth-add-smp-workaround-microsoft-surface-precision-mouse-bug.patch
ecryptfs-fix-a-couple-type-promotion-bugs.patch
gpu-ipu-v3-ipu-ic-fix-saturation-bit-offset-in-tpmem.patch
intel_th-msu-fix-single-mode-with-disabled-iommu.patch
intel_th-msu-remove-set-but-not-used-variable-last.patch
mmc-sdhci-msm-fix-mutex-while-in-spinlock.patch
mtd-rawnand-mtk-correct-low-level-time-calculation-of-r-w-cycle.patch
mtd-spinand-read-returns-badly-if-the-last-page-has-bitflips.patch
parisc-avoid-kernel-panic-triggered-by-invalid-kprobe.patch
parisc-ensure-userspace-privilege-for-ptraced-processes-in-regset-functions.patch
parisc-fix-kernel-panic-due-invalid-values-in-iaoq0-or-iaoq1.patch
powerpc-32s-fix-suspend-resume-when-ibats-4-7-are-used.patch
powerpc-mm-32s-fix-condition-that-is-always-true.patch
powerpc-powernv-fix-stale-iommu-table-base-after-vfio.patch
powerpc-powernv-idle-fix-restore-of-sprn_ldbar-for-power9-stop-state.patch
powerpc-powernv-npu-fix-reference-leak.patch
powerpc-pseries-fix-oops-in-hotplug-memory-notifier.patch
powerpc-pseries-fix-xive-off-command-line.patch
powerpc-watchpoint-restore-nv-gprs-while-returning-from-exception.patch

20 files changed:
queue-5.2/bluetooth-add-smp-workaround-microsoft-surface-precision-mouse-bug.patch [new file with mode: 0644]
queue-5.2/ecryptfs-fix-a-couple-type-promotion-bugs.patch [new file with mode: 0644]
queue-5.2/gpu-ipu-v3-ipu-ic-fix-saturation-bit-offset-in-tpmem.patch [new file with mode: 0644]
queue-5.2/intel_th-msu-fix-single-mode-with-disabled-iommu.patch [new file with mode: 0644]
queue-5.2/intel_th-msu-remove-set-but-not-used-variable-last.patch [new file with mode: 0644]
queue-5.2/mmc-sdhci-msm-fix-mutex-while-in-spinlock.patch [new file with mode: 0644]
queue-5.2/mtd-rawnand-mtk-correct-low-level-time-calculation-of-r-w-cycle.patch [new file with mode: 0644]
queue-5.2/mtd-spinand-read-returns-badly-if-the-last-page-has-bitflips.patch [new file with mode: 0644]
queue-5.2/parisc-avoid-kernel-panic-triggered-by-invalid-kprobe.patch [new file with mode: 0644]
queue-5.2/parisc-ensure-userspace-privilege-for-ptraced-processes-in-regset-functions.patch [new file with mode: 0644]
queue-5.2/parisc-fix-kernel-panic-due-invalid-values-in-iaoq0-or-iaoq1.patch [new file with mode: 0644]
queue-5.2/powerpc-32s-fix-suspend-resume-when-ibats-4-7-are-used.patch [new file with mode: 0644]
queue-5.2/powerpc-mm-32s-fix-condition-that-is-always-true.patch [new file with mode: 0644]
queue-5.2/powerpc-powernv-fix-stale-iommu-table-base-after-vfio.patch [new file with mode: 0644]
queue-5.2/powerpc-powernv-idle-fix-restore-of-sprn_ldbar-for-power9-stop-state.patch [new file with mode: 0644]
queue-5.2/powerpc-powernv-npu-fix-reference-leak.patch [new file with mode: 0644]
queue-5.2/powerpc-pseries-fix-oops-in-hotplug-memory-notifier.patch [new file with mode: 0644]
queue-5.2/powerpc-pseries-fix-xive-off-command-line.patch [new file with mode: 0644]
queue-5.2/powerpc-watchpoint-restore-nv-gprs-while-returning-from-exception.patch [new file with mode: 0644]
queue-5.2/series

diff --git a/queue-5.2/bluetooth-add-smp-workaround-microsoft-surface-precision-mouse-bug.patch b/queue-5.2/bluetooth-add-smp-workaround-microsoft-surface-precision-mouse-bug.patch
new file mode 100644 (file)
index 0000000..d9bad8e
--- /dev/null
@@ -0,0 +1,67 @@
+From 1d87b88ba26eabd4745e158ecfd87c93a9b51dc2 Mon Sep 17 00:00:00 2001
+From: Szymon Janc <szymon.janc@codecoup.pl>
+Date: Wed, 19 Jun 2019 00:47:47 +0200
+Subject: Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug
+
+From: Szymon Janc <szymon.janc@codecoup.pl>
+
+commit 1d87b88ba26eabd4745e158ecfd87c93a9b51dc2 upstream.
+
+Microsoft Surface Precision Mouse provides bogus identity address when
+pairing. It connects with Static Random address but provides Public
+Address in SMP Identity Address Information PDU. Address has same
+value but type is different. Workaround this by dropping IRK if ID
+address discrepancy is detected.
+
+> HCI Event: LE Meta Event (0x3e) plen 19
+      LE Connection Complete (0x01)
+        Status: Success (0x00)
+        Handle: 75
+        Role: Master (0x00)
+        Peer address type: Random (0x01)
+        Peer address: E0:52:33:93:3B:21 (Static)
+        Connection interval: 50.00 msec (0x0028)
+        Connection latency: 0 (0x0000)
+        Supervision timeout: 420 msec (0x002a)
+        Master clock accuracy: 0x00
+
+....
+
+> ACL Data RX: Handle 75 flags 0x02 dlen 12
+      SMP: Identity Address Information (0x09) len 7
+        Address type: Public (0x00)
+        Address: E0:52:33:93:3B:21
+
+Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
+Tested-by: Maarten Fonville <maarten.fonville@gmail.com>
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199461
+Cc: stable@vger.kernel.org
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/smp.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2579,6 +2579,19 @@ static int smp_cmd_ident_addr_info(struc
+               goto distribute;
+       }
++      /* Drop IRK if peer is using identity address during pairing but is
++       * providing different address as identity information.
++       *
++       * Microsoft Surface Precision Mouse is known to have this bug.
++       */
++      if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
++          (bacmp(&info->bdaddr, &hcon->dst) ||
++           info->addr_type != hcon->dst_type)) {
++              bt_dev_err(hcon->hdev,
++                         "ignoring IRK with invalid identity address");
++              goto distribute;
++      }
++
+       bacpy(&smp->id_addr, &info->bdaddr);
+       smp->id_addr_type = info->addr_type;
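Review bot: The `bt_dev_err()` in the new identity-address check fires on a condition the remote peer controls, yet the message does not say which device sent the mismatching address, so the log line cannot be tied to a peer. Including the connection address, e.g. `bt_dev_err(hcon->hdev, "ignoring IRK with invalid identity address from %pMR", &hcon->dst);`, would make it actionable. The block comment could also state the consequence, which is that the IRK is discarded and the peer stays known only by the address it connected with. smp_cmd_ident_addr_info starts and ends outside the hunk, so the checks that run before this one are not visible here.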
diff --git a/queue-5.2/ecryptfs-fix-a-couple-type-promotion-bugs.patch b/queue-5.2/ecryptfs-fix-a-couple-type-promotion-bugs.patch
new file mode 100644 (file)
index 0000000..1ccc5e3
--- /dev/null
@@ -0,0 +1,51 @@
+From 0bdf8a8245fdea6f075a5fede833a5fcf1b3466c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Jul 2018 12:35:56 +0300
+Subject: eCryptfs: fix a couple type promotion bugs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 0bdf8a8245fdea6f075a5fede833a5fcf1b3466c upstream.
+
+ECRYPTFS_SIZE_AND_MARKER_BYTES is type size_t, so if "rc" is negative
+that gets type promoted to a high positive value and treated as success.
+
+Fixes: 778aeb42a708 ("eCryptfs: Cleanup and optimize ecryptfs_lookup_interpose()")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+[tyhicks: Use "if/else if" rather than "if/if"]
+Cc: stable@vger.kernel.org
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/crypto.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/fs/ecryptfs/crypto.c
++++ b/fs/ecryptfs/crypto.c
+@@ -1004,8 +1004,10 @@ int ecryptfs_read_and_validate_header_re
+       rc = ecryptfs_read_lower(file_size, 0, ECRYPTFS_SIZE_AND_MARKER_BYTES,
+                                inode);
+-      if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
+-              return rc >= 0 ? -EINVAL : rc;
++      if (rc < 0)
++              return rc;
++      else if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
++              return -EINVAL;
+       rc = ecryptfs_validate_marker(marker);
+       if (!rc)
+               ecryptfs_i_size_init(file_size, inode);
+@@ -1367,8 +1369,10 @@ int ecryptfs_read_and_validate_xattr_reg
+                                    ecryptfs_inode_to_lower(inode),
+                                    ECRYPTFS_XATTR_NAME, file_size,
+                                    ECRYPTFS_SIZE_AND_MARKER_BYTES);
+-      if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
+-              return rc >= 0 ? -EINVAL : rc;
++      if (rc < 0)
++              return rc;
++      else if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)
++              return -EINVAL;
+       rc = ecryptfs_validate_marker(marker);
+       if (!rc)
+               ecryptfs_i_size_init(file_size, inode);
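Review bot: The second test, `else if (rc < ECRYPTFS_SIZE_AND_MARKER_BYTES)`, still converts `rc` to `size_t` and is correct only because `rc < 0` is tested first. Nothing in the code records that ordering dependency, so merging or reordering the two tests later would bring back the bug where a negative error is treated as success. A comment above the pair, such as `/* test rc < 0 first: the constant is size_t, so a negative rc would compare as a huge value */`, or an explicit `(size_t)rc` in the second test, would pin it down. The same applies to the second hunk in the xattr-region variant. Both function bodies extend outside the hunks.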
diff --git a/queue-5.2/gpu-ipu-v3-ipu-ic-fix-saturation-bit-offset-in-tpmem.patch b/queue-5.2/gpu-ipu-v3-ipu-ic-fix-saturation-bit-offset-in-tpmem.patch
new file mode 100644 (file)
index 0000000..c18bcef
--- /dev/null
@@ -0,0 +1,36 @@
+From 3d1f62c686acdedf5ed9642b763f3808d6a47d1e Mon Sep 17 00:00:00 2001
+From: Steve Longerbeam <slongerbeam@gmail.com>
+Date: Tue, 21 May 2019 18:03:13 -0700
+Subject: gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM
+
+From: Steve Longerbeam <slongerbeam@gmail.com>
+
+commit 3d1f62c686acdedf5ed9642b763f3808d6a47d1e upstream.
+
+The saturation bit was being set at bit 9 in the second 32-bit word
+of the TPMEM CSC. This isn't correct, the saturation bit is bit 42,
+which is bit 10 of the second word.
+
+Fixes: 1aa8ea0d2bd5d ("gpu: ipu-v3: Add Image Converter unit")
+
+Signed-off-by: Steve Longerbeam <slongerbeam@gmail.com>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/ipu-v3/ipu-ic.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/ipu-v3/ipu-ic.c
++++ b/drivers/gpu/ipu-v3/ipu-ic.c
+@@ -251,7 +251,7 @@ static int init_csc(struct ipu_ic *ic,
+       writel(param, base++);
+       param = ((a[0] & 0x1fe0) >> 5) | (params->scale << 8) |
+-              (params->sat << 9);
++              (params->sat << 10);
+       writel(param, base++);
+       param = ((a[1] & 0x1f) << 27) | ((c[0][1] & 0x1ff) << 18) |
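Review bot: The corrected line still encodes the register layout as bare shift counts, `(params->scale << 8) | (params->sat << 10)`, so the only record that saturation lives at bit 10 of the second word is the commit message. Named constants for the scale and saturation positions, or at least a comment giving the TPMEM bit numbers next to the expression, would make this kind of off-by-one visible in review. Neither field is masked in the visible lines; if `params->scale` can ever hold more than the bits between the coefficient and the saturation bit, it would spill into saturation, so the value range is worth confirming against the callers. init_csc continues outside the hunk.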
diff --git a/queue-5.2/intel_th-msu-fix-single-mode-with-disabled-iommu.patch b/queue-5.2/intel_th-msu-fix-single-mode-with-disabled-iommu.patch
new file mode 100644 (file)
index 0000000..b53db0c
--- /dev/null
@@ -0,0 +1,40 @@
+From 918b8646497b5dba6ae82d4a7325f01b258972b9 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Fri, 21 Jun 2019 19:19:29 +0300
+Subject: intel_th: msu: Fix single mode with disabled IOMMU
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 918b8646497b5dba6ae82d4a7325f01b258972b9 upstream.
+
+Commit 4e0eaf239fb3 ("intel_th: msu: Fix single mode with IOMMU") switched
+the single mode code to use dma mapping pages obtained from the page
+allocator, but with IOMMU disabled, that may lead to using SWIOTLB bounce
+buffers and without additional sync'ing, produces empty trace buffers.
+
+Fix this by using a DMA32 GFP flag to the page allocation in single mode,
+as the device supports full 32-bit DMA addressing.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: 4e0eaf239fb3 ("intel_th: msu: Fix single mode with IOMMU")
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reported-by: Ammy Yi <ammy.yi@intel.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190621161930.60785-4-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/msu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/intel_th/msu.c
++++ b/drivers/hwtracing/intel_th/msu.c
+@@ -667,7 +667,7 @@ static int msc_buffer_contig_alloc(struc
+               goto err_out;
+       ret = -ENOMEM;
+-      page = alloc_pages(GFP_KERNEL | __GFP_ZERO, order);
++      page = alloc_pages(GFP_KERNEL | __GFP_ZERO | GFP_DMA32, order);
+       if (!page)
+               goto err_free_sgt;
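Review bot: The `GFP_DMA32` added to `alloc_pages()` carries no comment, and its purpose cannot be recovered from the call site. According to the commit message, it keeps the buffer out of SWIOTLB bounce buffers when the IOMMU is disabled. Without that, the flag looks like an arbitrary restriction and is easy to drop in a later cleanup, which would silently bring back empty trace buffers. I would add above the call something like `/* DMA32: keep the single-mode buffer directly addressable by the device, so no SWIOTLB bounce buffer (and no extra sync) is involved */`. msc_buffer_contig_alloc starts and ends outside the hunk.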
diff --git a/queue-5.2/intel_th-msu-remove-set-but-not-used-variable-last.patch b/queue-5.2/intel_th-msu-remove-set-but-not-used-variable-last.patch
new file mode 100644 (file)
index 0000000..5d7c90b
--- /dev/null
@@ -0,0 +1,44 @@
+From 9800db282dff675dd700d5985d90b605c34b5ccd Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Fri, 21 Jun 2019 19:19:28 +0300
+Subject: intel_th: msu: Remove set but not used variable 'last'
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit 9800db282dff675dd700d5985d90b605c34b5ccd upstream.
+
+Commit aad14ad3cf3a ("intel_th: msu: Add current window tracking") added
+the following gcc warning:
+
+> drivers/hwtracing/intel_th/msu.c: In function msc_win_switch:
+> drivers/hwtracing/intel_th/msu.c:1389:21: warning: variable last set but
+> not used [-Wunused-but-set-variable]
+
+Fix it by removing the variable.
+
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Fixes: aad14ad3cf3a ("intel_th: msu: Add current window tracking")
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190621161930.60785-3-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/msu.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/hwtracing/intel_th/msu.c
++++ b/drivers/hwtracing/intel_th/msu.c
+@@ -1400,10 +1400,9 @@ static int intel_th_msc_init(struct msc
+ static void msc_win_switch(struct msc *msc)
+ {
+-      struct msc_window *last, *first;
++      struct msc_window *first;
+       first = list_first_entry(&msc->win_list, struct msc_window, entry);
+-      last = list_last_entry(&msc->win_list, struct msc_window, entry);
+       if (msc_is_last_win(msc->cur_win))
+               msc->cur_win = first;
diff --git a/queue-5.2/mmc-sdhci-msm-fix-mutex-while-in-spinlock.patch b/queue-5.2/mmc-sdhci-msm-fix-mutex-while-in-spinlock.patch
new file mode 100644 (file)
index 0000000..3e19c99
--- /dev/null
@@ -0,0 +1,57 @@
+From 5e6b6651d22de109ebf48ca00d0373bc2c0cc080 Mon Sep 17 00:00:00 2001
+From: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
+Date: Mon, 1 Jul 2019 17:01:25 +0200
+Subject: mmc: sdhci-msm: fix mutex while in spinlock
+
+From: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
+
+commit 5e6b6651d22de109ebf48ca00d0373bc2c0cc080 upstream.
+
+mutexes can sleep and therefore should not be taken while holding a
+spinlock. move clk_get_rate (can sleep) outside the spinlock protected
+region.
+
+Fixes: 83736352e0ca ("mmc: sdhci-msm: Update DLL reset sequence")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Reviewed-by: Vinod Koul <vkoul@kernel.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-msm.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-msm.c
++++ b/drivers/mmc/host/sdhci-msm.c
+@@ -575,11 +575,14 @@ static int msm_init_cm_dll(struct sdhci_
+       struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+       struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
+       int wait_cnt = 50;
+-      unsigned long flags;
++      unsigned long flags, xo_clk = 0;
+       u32 config;
+       const struct sdhci_msm_offset *msm_offset =
+                                       msm_host->offset;
++      if (msm_host->use_14lpp_dll_reset && !IS_ERR_OR_NULL(msm_host->xo_clk))
++              xo_clk = clk_get_rate(msm_host->xo_clk);
++
+       spin_lock_irqsave(&host->lock, flags);
+       /*
+@@ -627,10 +630,10 @@ static int msm_init_cm_dll(struct sdhci_
+               config &= CORE_FLL_CYCLE_CNT;
+               if (config)
+                       mclk_freq = DIV_ROUND_CLOSEST_ULL((host->clock * 8),
+-                                      clk_get_rate(msm_host->xo_clk));
++                                      xo_clk);
+               else
+                       mclk_freq = DIV_ROUND_CLOSEST_ULL((host->clock * 4),
+-                                      clk_get_rate(msm_host->xo_clk));
++                                      xo_clk);
+               config = readl_relaxed(host->ioaddr +
+                               msm_offset->core_dll_config_2);
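Review bot: `xo_clk` is initialised to 0 and then used as the divisor in both `DIV_ROUND_CLOSEST_ULL(..., xo_clk)` calls, so any path that reaches them with the rate still 0 divides by zero while `host->lock` is held with interrupts disabled. The divisions are presumably inside a block guarded by the same `use_14lpp_dll_reset && !IS_ERR_OR_NULL(msm_host->xo_clk)` condition, but that guard is outside the hunk. Separately, `clk_get_rate()` can itself return 0. Adding `xo_clk != 0` to the condition that guards the `mclk_freq` computation would cover both cases and keep the two conditions from drifting apart. msm_init_cm_dll starts before and ends after the visible lines.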
diff --git a/queue-5.2/mtd-rawnand-mtk-correct-low-level-time-calculation-of-r-w-cycle.patch b/queue-5.2/mtd-rawnand-mtk-correct-low-level-time-calculation-of-r-w-cycle.patch
new file mode 100644 (file)
index 0000000..9f688ee
--- /dev/null
@@ -0,0 +1,81 @@
+From e1884ffddacc0424d7e785e6f8087bd12f7196db Mon Sep 17 00:00:00 2001
+From: Xiaolei Li <xiaolei.li@mediatek.com>
+Date: Tue, 7 May 2019 18:25:38 +0800
+Subject: mtd: rawnand: mtk: Correct low level time calculation of r/w cycle
+
+From: Xiaolei Li <xiaolei.li@mediatek.com>
+
+commit e1884ffddacc0424d7e785e6f8087bd12f7196db upstream.
+
+At present, the flow of calculating AC timing of read/write cycle in SDR
+mode is that:
+At first, calculate high hold time which is valid for both read and write
+cycle using the max value between tREH_min and tWH_min.
+Secondly, calculate WE# pulse width using tWP_min.
+Thridly, calculate RE# pulse width using the bigger one between tREA_max
+and tRP_min.
+
+But NAND SPEC shows that Controller should also meet write/read cycle time.
+That is write cycle time should be more than tWC_min and read cycle should
+be more than tRC_min. Obviously, we do not achieve that now.
+
+This patch corrects the low level time calculation to meet minimum
+read/write cycle time required. After getting the high hold time, WE# low
+level time will be promised to meet tWP_min and tWC_min requirement,
+and RE# low level time will be promised to meet tREA_max, tRP_min and
+tRC_min requirement.
+
+Fixes: edfee3619c49 ("mtd: nand: mtk: add ->setup_data_interface() hook")
+Cc: stable@vger.kernel.org # v4.17+
+Signed-off-by: Xiaolei Li <xiaolei.li@mediatek.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/raw/mtk_nand.c |   24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/nand/raw/mtk_nand.c
++++ b/drivers/mtd/nand/raw/mtk_nand.c
+@@ -500,7 +500,8 @@ static int mtk_nfc_setup_data_interface(
+ {
+       struct mtk_nfc *nfc = nand_get_controller_data(chip);
+       const struct nand_sdr_timings *timings;
+-      u32 rate, tpoecs, tprecs, tc2r, tw2r, twh, twst, trlt;
++      u32 rate, tpoecs, tprecs, tc2r, tw2r, twh, twst = 0, trlt = 0;
++      u32 thold;
+       timings = nand_get_sdr_timings(conf);
+       if (IS_ERR(timings))
+@@ -536,11 +537,28 @@ static int mtk_nfc_setup_data_interface(
+       twh = DIV_ROUND_UP(twh * rate, 1000000) - 1;
+       twh &= 0xf;
+-      twst = timings->tWP_min / 1000;
++      /* Calculate real WE#/RE# hold time in nanosecond */
++      thold = (twh + 1) * 1000000 / rate;
++      /* nanosecond to picosecond */
++      thold *= 1000;
++
++      /*
++       * WE# low level time should be expaned to meet WE# pulse time
++       * and WE# cycle time at the same time.
++       */
++      if (thold < timings->tWC_min)
++              twst = timings->tWC_min - thold;
++      twst = max(timings->tWP_min, twst) / 1000;
+       twst = DIV_ROUND_UP(twst * rate, 1000000) - 1;
+       twst &= 0xf;
+-      trlt = max(timings->tREA_max, timings->tRP_min) / 1000;
++      /*
++       * RE# low level time should be expaned to meet RE# pulse time,
++       * RE# access time and RE# cycle time at the same time.
++       */
++      if (thold < timings->tRC_min)
++              trlt = timings->tRC_min - thold;
++      trlt = max3(trlt, timings->tREA_max, timings->tRP_min) / 1000;
+       trlt = DIV_ROUND_UP(trlt * rate, 1000000) - 1;
+       trlt &= 0xf;
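Review bot: The new line `thold = (twh + 1) * 1000000 / rate;` divides by `rate`, which the surrounding lines only ever multiply by, so a zero `rate` now faults where it previously just produced wrong timings. How `rate` is derived is outside the hunk; if it is a clock rate scaled down (the `/ 1000000` arithmetic suggests kHz), an absent or very slow clock would yield 0. A guard ahead of the calculation, e.g. `if (!rate) return -EINVAL;`, would close that. The two added comments also spell "expanded" as "expaned".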
diff --git a/queue-5.2/mtd-spinand-read-returns-badly-if-the-last-page-has-bitflips.patch b/queue-5.2/mtd-spinand-read-returns-badly-if-the-last-page-has-bitflips.patch
new file mode 100644 (file)
index 0000000..fcf5524
--- /dev/null
@@ -0,0 +1,42 @@
+From b83408b580eccf8d2797cd6cb9ae42c2a28656a7 Mon Sep 17 00:00:00 2001
+From: liaoweixiong <liaoweixiong@allwinnertech.com>
+Date: Fri, 28 Jun 2019 12:14:46 +0800
+Subject: mtd: spinand: read returns badly if the last page has bitflips
+
+From: liaoweixiong <liaoweixiong@allwinnertech.com>
+
+commit b83408b580eccf8d2797cd6cb9ae42c2a28656a7 upstream.
+
+In case of the last page containing bitflips (ret > 0),
+spinand_mtd_read() will return that number of bitflips for the last
+page while it should instead return max_bitflips like it does when the
+last page read returns with 0.
+
+Signed-off-by: Weixiong Liao <liaoweixiong@allwinnertech.com>
+Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
+Reviewed-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Cc: stable@vger.kernel.org
+Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs")
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/spi/core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/spi/core.c
++++ b/drivers/mtd/nand/spi/core.c
+@@ -511,12 +511,12 @@ static int spinand_mtd_read(struct mtd_i
+               if (ret == -EBADMSG) {
+                       ecc_failed = true;
+                       mtd->ecc_stats.failed++;
+-                      ret = 0;
+               } else {
+                       mtd->ecc_stats.corrected += ret;
+                       max_bitflips = max_t(unsigned int, max_bitflips, ret);
+               }
++              ret = 0;
+               ops->retlen += iter.req.datalen;
+               ops->oobretlen += iter.req.ooblen;
+       }
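Review bot: The now-unconditional `ret = 0;` at the end of the loop body has no comment, and its purpose is not obvious from the lines around it. Per the commit message, it stops the last page's bitflip count from leaking out as the function's return value. By this point the per-page status has already been folded into `ecc_failed`, `ecc_stats` and `max_bitflips`, so something like `/* page status is accounted above; clear it so the loop exit does not report the last page's bitflip count */` would explain why the reset must stay outside the if/else. The code that turns `ecc_failed` and `max_bitflips` into the final return value is outside the hunk.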
diff --git a/queue-5.2/parisc-avoid-kernel-panic-triggered-by-invalid-kprobe.patch b/queue-5.2/parisc-avoid-kernel-panic-triggered-by-invalid-kprobe.patch
new file mode 100644 (file)
index 0000000..e5ef6d8
--- /dev/null
@@ -0,0 +1,63 @@
+From 59a783dbc0d5fd6792aabff933055373b6dcbf2a Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Tue, 16 Jul 2019 21:16:26 +0200
+Subject: parisc: Avoid kernel panic triggered by invalid kprobe
+
+From: Helge Deller <deller@gmx.de>
+
+commit 59a783dbc0d5fd6792aabff933055373b6dcbf2a upstream.
+
+When running gdb I was able to trigger this kernel panic:
+
+ Kernel Fault: Code=26 (Data memory access rights trap) at addr 0000000000000060
+ CPU: 0 PID: 1401 Comm: gdb-crash Not tainted 5.2.0-rc7-64bit+ #1053
+
+      YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
+ PSW: 00001000000001000000000000001111 Not tainted
+ r00-03  000000000804000f 0000000040dee1a0 0000000040c78cf0 00000000b8d50160
+ r04-07  0000000040d2b1a0 000000004360a098 00000000bbbe87b8 0000000000000003
+ r08-11  00000000fac20a70 00000000fac24160 00000000fac1bbe0 0000000000000000
+ r12-15  00000000fabfb79a 00000000fac244a4 0000000000010000 0000000000000001
+ r16-19  00000000bbbe87b8 00000000f8f02910 0000000000010034 0000000000000000
+ r20-23  00000000fac24630 00000000fac24630 000000006474e552 00000000fac1aa52
+ r24-27  0000000000000028 00000000bbbe87b8 00000000bbbe87b8 0000000040d2b1a0
+ r28-31  0000000000000000 00000000b8d501c0 00000000b8d501f0 0000000003424000
+ sr00-03  0000000000423000 0000000000000000 0000000000000000 0000000000423000
+ sr04-07  0000000000000000 0000000000000000 0000000000000000 0000000000000000
+
+ IASQ: 0000000000000000 0000000000000000 IAOQ: 0000000040c78cf0 0000000040c78cf4
+  IIR: 539f00c0    ISR: 0000000000000000  IOR: 0000000000000060
+  CPU:        0   CR30: 00000000b8d50000 CR31: 00000000d22345e2
+  ORIG_R28: 0000000040250798
+  IAOQ[0]: parisc_kprobe_ss_handler+0x58/0x170
+  IAOQ[1]: parisc_kprobe_ss_handler+0x5c/0x170
+  RP(r2): parisc_kprobe_ss_handler+0x58/0x170
+ Backtrace:
+  [<0000000040206ff8>] handle_interruption+0x178/0xbb8
+ Kernel panic - not syncing: Kernel Fault
+
+Avoid this panic by checking the return value of kprobe_running() and
+skip kprobe if none is currently active.
+
+Cc: <stable@vger.kernel.org> # v5.2
+Acked-by: Sven Schnelle <svens@stackframe.org>
+Tested-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/kprobes.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/parisc/kernel/kprobes.c
++++ b/arch/parisc/kernel/kprobes.c
+@@ -133,6 +133,9 @@ int __kprobes parisc_kprobe_ss_handler(s
+       struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
+       struct kprobe *p = kprobe_running();
++      if (!p)
++              return 0;
++
+       if (regs->iaoq[0] != (unsigned long)p->ainsn.insn+4)
+               return 0;
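Review bot: The added `if (!p) return 0;` stops the NULL dereference of `p->ainsn.insn`, but nothing at the check says when `kprobe_running()` can be NULL in the single-step handler. The commit message shows the trap being reached from a userspace gdb session, which makes this a user-reachable path into the handler. A short comment, e.g. `/* single-step trap with no kprobe active on this CPU (can be raised on behalf of userspace): not ours */`, would keep the guard from being dropped in a later cleanup. Whether other handlers in this file dereference the result of `kprobe_running()` the same way cannot be seen from this hunk and is worth checking.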
diff --git a/queue-5.2/parisc-ensure-userspace-privilege-for-ptraced-processes-in-regset-functions.patch b/queue-5.2/parisc-ensure-userspace-privilege-for-ptraced-processes-in-regset-functions.patch
new file mode 100644 (file)
index 0000000..c91939b
--- /dev/null
@@ -0,0 +1,41 @@
+From 34c32fc603311a72cb558e5e337555434f64c27b Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Thu, 4 Jul 2019 03:44:17 +0200
+Subject: parisc: Ensure userspace privilege for ptraced processes in regset functions
+
+From: Helge Deller <deller@gmx.de>
+
+commit 34c32fc603311a72cb558e5e337555434f64c27b upstream.
+
+On parisc the privilege level of a process is stored in the lowest two bits of
+the instruction pointers (IAOQ0 and IAOQ1). On Linux we use privilege level 0
+for the kernel and privilege level 3 for user-space. So userspace should not be
+allowed to modify IAOQ0 or IAOQ1 of a ptraced process to change it's privilege
+level to e.g. 0 to try to gain kernel privileges.
+
+This patch prevents such modifications in the regset support functions by
+always setting the two lowest bits to one (which relates to privilege level 3
+for user-space) if IAOQ0 or IAOQ1 are modified via ptrace regset calls.
+
+Link: https://bugs.gentoo.org/481768
+Cc: <stable@vger.kernel.org> # v4.7+
+Tested-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/ptrace.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/ptrace.c
++++ b/arch/parisc/kernel/ptrace.c
+@@ -496,7 +496,8 @@ static void set_reg(struct pt_regs *regs
+                       return;
+       case RI(iaoq[0]):
+       case RI(iaoq[1]):
+-                      regs->iaoq[num - RI(iaoq[0])] = val;
++                      /* set 2 lowest bits to ensure userspace privilege: */
++                      regs->iaoq[num - RI(iaoq[0])] = val | 3;
+                       return;
+       case RI(sar):   regs->sar = val;
+                       return;
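Review bot: `val | 3` in the `RI(iaoq[0])`/`RI(iaoq[1])` case writes the user privilege level as a bare literal, and the same literal would have to be repeated wherever else a tracer can write these registers. A named constant for the user privilege level would make every such enforcement point greppable, e.g. `#define PRIV_USER 3` if the tree does not already provide one. The comment could also say that the low two bits of IAOQ are the privilege level and that 0 is the kernel's, since that is the fact the OR depends on. Note that the tracer's value is silently adjusted rather than rejected, so a tracer reading the register back sees something other than what it wrote. set_reg starts and ends outside the hunk.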
diff --git a/queue-5.2/parisc-fix-kernel-panic-due-invalid-values-in-iaoq0-or-iaoq1.patch b/queue-5.2/parisc-fix-kernel-panic-due-invalid-values-in-iaoq0-or-iaoq1.patch
new file mode 100644 (file)
index 0000000..145db84
--- /dev/null
@@ -0,0 +1,84 @@
+From 10835c854685393a921b68f529bf740fa7c9984d Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Tue, 16 Jul 2019 21:43:11 +0200
+Subject: parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1
+
+From: Helge Deller <deller@gmx.de>
+
+commit 10835c854685393a921b68f529bf740fa7c9984d upstream.
+
+On parisc the privilege level of a process is stored in the lowest two bits of
+the instruction pointers (IAOQ0 and IAOQ1). On Linux we use privilege level 0
+for the kernel and privilege level 3 for user-space. So userspace should not be
+allowed to modify IAOQ0 or IAOQ1 of a ptraced process to change it's privilege
+level to e.g. 0 to try to gain kernel privileges.
+
+This patch prevents such modifications by always setting the two lowest bits to
+one (which relates to privilege level 3 for user-space) if IAOQ0 or IAOQ1 are
+modified via ptrace calls in the native and compat ptrace paths.
+
+Link: https://bugs.gentoo.org/481768
+Reported-by: Jeroen Roovers <jer@gentoo.org>
+Cc: <stable@vger.kernel.org>
+Tested-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/ptrace.c |   28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/arch/parisc/kernel/ptrace.c
++++ b/arch/parisc/kernel/ptrace.c
+@@ -167,6 +167,9 @@ long arch_ptrace(struct task_struct *chi
+               if ((addr & (sizeof(unsigned long)-1)) ||
+                    addr >= sizeof(struct pt_regs))
+                       break;
++              if (addr == PT_IAOQ0 || addr == PT_IAOQ1) {
++                      data |= 3; /* ensure userspace privilege */
++              }
+               if ((addr >= PT_GR1 && addr <= PT_GR31) ||
+                               addr == PT_IAOQ0 || addr == PT_IAOQ1 ||
+                               (addr >= PT_FR0 && addr <= PT_FR31 + 4) ||
+@@ -228,16 +231,18 @@ long arch_ptrace(struct task_struct *chi
+ static compat_ulong_t translate_usr_offset(compat_ulong_t offset)
+ {
+-      if (offset < 0)
+-              return sizeof(struct pt_regs);
+-      else if (offset <= 32*4)        /* gr[0..31] */
+-              return offset * 2 + 4;
+-      else if (offset <= 32*4+32*8)   /* gr[0..31] + fr[0..31] */
+-              return offset + 32*4;
+-      else if (offset < sizeof(struct pt_regs)/2 + 32*4)
+-              return offset * 2 + 4 - 32*8;
++      compat_ulong_t pos;
++
++      if (offset < 32*4)      /* gr[0..31] */
++              pos = offset * 2 + 4;
++      else if (offset < 32*4+32*8)    /* fr[0] ... fr[31] */
++              pos = (offset - 32*4) + PT_FR0;
++      else if (offset < sizeof(struct pt_regs)/2 + 32*4) /* sr[0] ... ipsw */
++              pos = (offset - 32*4 - 32*8) * 2 + PT_SR0 + 4;
+       else
+-              return sizeof(struct pt_regs);
++              pos = sizeof(struct pt_regs);
++
++      return pos;
+ }
+ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
+@@ -281,9 +286,12 @@ long compat_arch_ptrace(struct task_stru
+                       addr = translate_usr_offset(addr);
+                       if (addr >= sizeof(struct pt_regs))
+                               break;
++                      if (addr == PT_IAOQ0+4 || addr == PT_IAOQ1+4) {
++                              data |= 3; /* ensure userspace privilege */
++                      }
+                       if (addr >= PT_FR0 && addr <= PT_FR31 + 4) {
+                               /* Special case, fp regs are 64 bits anyway */
+-                              *(__u64 *) ((char *) task_regs(child) + addr) = data;
++                              *(__u32 *) ((char *) task_regs(child) + addr) = data;
+                               ret = 0;
+                       }
+                       else if ((addr >= PT_GR1+4 && addr <= PT_GR31+4) ||
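Review bot: In the last hunk the store becomes `*(__u32 *) ((char *) task_regs(child) + addr) = data;`, but the comment directly above it still reads "Special case, fp regs are 64 bits anyway", which now contradicts the 32-bit write. It should be reworded to match, e.g. `/* compat tracers access the fp regs as 32-bit words */`, assuming that is the intent. The new test `addr == PT_IAOQ0+4 || addr == PT_IAOQ1+4` also depends on the translated offset pointing at the low word of a 64-bit slot. A short comment on the `+4` there and in translate_usr_offset would explain why the compat path checks different offsets than arch_ptrace. Both ptrace functions extend outside the hunks.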
diff --git a/queue-5.2/powerpc-32s-fix-suspend-resume-when-ibats-4-7-are-used.patch b/queue-5.2/powerpc-32s-fix-suspend-resume-when-ibats-4-7-are-used.patch
new file mode 100644 (file)
index 0000000..9e22256
--- /dev/null
@@ -0,0 +1,249 @@
+From 6ecb78ef56e08d2119d337ae23cb951a640dc52d Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Mon, 17 Jun 2019 21:42:14 +0000
+Subject: powerpc/32s: fix suspend/resume when IBATs 4-7 are used
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+commit 6ecb78ef56e08d2119d337ae23cb951a640dc52d upstream.
+
+Previously, only IBAT1 and IBAT2 were used to map kernel linear mem.
+Since commit 63b2bc619565 ("powerpc/mm/32s: Use BATs for
+STRICT_KERNEL_RWX"), we may have all 8 BATs used for mapping
+kernel text. But the suspend/restore functions only save/restore
+BATs 0 to 3, and clears BATs 4 to 7.
+
+Make suspend and restore functions respectively save and reload
+the 8 BATs on CPUs having MMU_FTR_USE_HIGH_BATS feature.
+
+Reported-by: Andreas Schwab <schwab@linux-m68k.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/swsusp_32.S         |   73 ++++++++++++++++++++++++++++----
+ arch/powerpc/platforms/powermac/sleep.S |   68 +++++++++++++++++++++++++++--
+ 2 files changed, 128 insertions(+), 13 deletions(-)
+
+--- a/arch/powerpc/kernel/swsusp_32.S
++++ b/arch/powerpc/kernel/swsusp_32.S
+@@ -25,11 +25,19 @@
+ #define SL_IBAT2      0x48
+ #define SL_DBAT3      0x50
+ #define SL_IBAT3      0x58
+-#define SL_TB         0x60
+-#define SL_R2         0x68
+-#define SL_CR         0x6c
+-#define SL_LR         0x70
+-#define SL_R12                0x74    /* r12 to r31 */
++#define SL_DBAT4      0x60
++#define SL_IBAT4      0x68
++#define SL_DBAT5      0x70
++#define SL_IBAT5      0x78
++#define SL_DBAT6      0x80
++#define SL_IBAT6      0x88
++#define SL_DBAT7      0x90
++#define SL_IBAT7      0x98
++#define SL_TB         0xa0
++#define SL_R2         0xa8
++#define SL_CR         0xac
++#define SL_LR         0xb0
++#define SL_R12                0xb4    /* r12 to r31 */
+ #define SL_SIZE               (SL_R12 + 80)
+       .section .data
+@@ -114,6 +122,41 @@ _GLOBAL(swsusp_arch_suspend)
+       mfibatl r4,3
+       stw     r4,SL_IBAT3+4(r11)
++BEGIN_MMU_FTR_SECTION
++      mfspr   r4,SPRN_DBAT4U
++      stw     r4,SL_DBAT4(r11)
++      mfspr   r4,SPRN_DBAT4L
++      stw     r4,SL_DBAT4+4(r11)
++      mfspr   r4,SPRN_DBAT5U
++      stw     r4,SL_DBAT5(r11)
++      mfspr   r4,SPRN_DBAT5L
++      stw     r4,SL_DBAT5+4(r11)
++      mfspr   r4,SPRN_DBAT6U
++      stw     r4,SL_DBAT6(r11)
++      mfspr   r4,SPRN_DBAT6L
++      stw     r4,SL_DBAT6+4(r11)
++      mfspr   r4,SPRN_DBAT7U
++      stw     r4,SL_DBAT7(r11)
++      mfspr   r4,SPRN_DBAT7L
++      stw     r4,SL_DBAT7+4(r11)
++      mfspr   r4,SPRN_IBAT4U
++      stw     r4,SL_IBAT4(r11)
++      mfspr   r4,SPRN_IBAT4L
++      stw     r4,SL_IBAT4+4(r11)
++      mfspr   r4,SPRN_IBAT5U
++      stw     r4,SL_IBAT5(r11)
++      mfspr   r4,SPRN_IBAT5L
++      stw     r4,SL_IBAT5+4(r11)
++      mfspr   r4,SPRN_IBAT6U
++      stw     r4,SL_IBAT6(r11)
++      mfspr   r4,SPRN_IBAT6L
++      stw     r4,SL_IBAT6+4(r11)
++      mfspr   r4,SPRN_IBAT7U
++      stw     r4,SL_IBAT7(r11)
++      mfspr   r4,SPRN_IBAT7L
++      stw     r4,SL_IBAT7+4(r11)
++END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_HIGH_BATS)
++
+ #if  0
+       /* Backup various CPU config stuffs */
+       bl      __save_cpu_setup
+@@ -279,27 +322,41 @@ END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
+       mtibatu 3,r4
+       lwz     r4,SL_IBAT3+4(r11)
+       mtibatl 3,r4
+-#endif
+-
+ BEGIN_MMU_FTR_SECTION
+-      li      r4,0
++      lwz     r4,SL_DBAT4(r11)
+       mtspr   SPRN_DBAT4U,r4
++      lwz     r4,SL_DBAT4+4(r11)
+       mtspr   SPRN_DBAT4L,r4
++      lwz     r4,SL_DBAT5(r11)
+       mtspr   SPRN_DBAT5U,r4
++      lwz     r4,SL_DBAT5+4(r11)
+       mtspr   SPRN_DBAT5L,r4
++      lwz     r4,SL_DBAT6(r11)
+       mtspr   SPRN_DBAT6U,r4
++      lwz     r4,SL_DBAT6+4(r11)
+       mtspr   SPRN_DBAT6L,r4
++      lwz     r4,SL_DBAT7(r11)
+       mtspr   SPRN_DBAT7U,r4
++      lwz     r4,SL_DBAT7+4(r11)
+       mtspr   SPRN_DBAT7L,r4
++      lwz     r4,SL_IBAT4(r11)
+       mtspr   SPRN_IBAT4U,r4
++      lwz     r4,SL_IBAT4+4(r11)
+       mtspr   SPRN_IBAT4L,r4
++      lwz     r4,SL_IBAT5(r11)
+       mtspr   SPRN_IBAT5U,r4
++      lwz     r4,SL_IBAT5+4(r11)
+       mtspr   SPRN_IBAT5L,r4
++      lwz     r4,SL_IBAT6(r11)
+       mtspr   SPRN_IBAT6U,r4
++      lwz     r4,SL_IBAT6+4(r11)
+       mtspr   SPRN_IBAT6L,r4
++      lwz     r4,SL_IBAT7(r11)
+       mtspr   SPRN_IBAT7U,r4
++      lwz     r4,SL_IBAT7+4(r11)
+       mtspr   SPRN_IBAT7L,r4
+ END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_HIGH_BATS)
++#endif
+       /* Flush all TLBs */
+       lis     r4,0x1000
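Review bot: Moving `#endif` below `END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_HIGH_BATS)` puts the whole BAT 4-7 reload inside a preprocessor conditional whose opening line is outside this hunk, and nothing here says whether that block is compiled in. If it is compiled out, resume no longer reloads or clears the high BATs, and since these registers decide which kernel ranges are mapped and with what protection, relying on their existing contents deserves a comment at this spot. Something like `/* BATs 4-7: left as programmed by the resuming kernel while this block is disabled */` would do, adjusted to the actual intent. The matching restore hunk in platforms/powermac/sleep.S shows no such conditional within its lines.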
+--- a/arch/powerpc/platforms/powermac/sleep.S
++++ b/arch/powerpc/platforms/powermac/sleep.S
+@@ -33,10 +33,18 @@
+ #define SL_IBAT2      0x48
+ #define SL_DBAT3      0x50
+ #define SL_IBAT3      0x58
+-#define SL_TB         0x60
+-#define SL_R2         0x68
+-#define SL_CR         0x6c
+-#define SL_R12                0x70    /* r12 to r31 */
++#define SL_DBAT4      0x60
++#define SL_IBAT4      0x68
++#define SL_DBAT5      0x70
++#define SL_IBAT5      0x78
++#define SL_DBAT6      0x80
++#define SL_IBAT6      0x88
++#define SL_DBAT7      0x90
++#define SL_IBAT7      0x98
++#define SL_TB         0xa0
++#define SL_R2         0xa8
++#define SL_CR         0xac
++#define SL_R12                0xb0    /* r12 to r31 */
+ #define SL_SIZE               (SL_R12 + 80)
+       .section .text
+@@ -121,6 +129,41 @@ _GLOBAL(low_sleep_handler)
+       mfibatl r4,3
+       stw     r4,SL_IBAT3+4(r1)
++BEGIN_MMU_FTR_SECTION
++      mfspr   r4,SPRN_DBAT4U
++      stw     r4,SL_DBAT4(r1)
++      mfspr   r4,SPRN_DBAT4L
++      stw     r4,SL_DBAT4+4(r1)
++      mfspr   r4,SPRN_DBAT5U
++      stw     r4,SL_DBAT5(r1)
++      mfspr   r4,SPRN_DBAT5L
++      stw     r4,SL_DBAT5+4(r1)
++      mfspr   r4,SPRN_DBAT6U
++      stw     r4,SL_DBAT6(r1)
++      mfspr   r4,SPRN_DBAT6L
++      stw     r4,SL_DBAT6+4(r1)
++      mfspr   r4,SPRN_DBAT7U
++      stw     r4,SL_DBAT7(r1)
++      mfspr   r4,SPRN_DBAT7L
++      stw     r4,SL_DBAT7+4(r1)
++      mfspr   r4,SPRN_IBAT4U
++      stw     r4,SL_IBAT4(r1)
++      mfspr   r4,SPRN_IBAT4L
++      stw     r4,SL_IBAT4+4(r1)
++      mfspr   r4,SPRN_IBAT5U
++      stw     r4,SL_IBAT5(r1)
++      mfspr   r4,SPRN_IBAT5L
++      stw     r4,SL_IBAT5+4(r1)
++      mfspr   r4,SPRN_IBAT6U
++      stw     r4,SL_IBAT6(r1)
++      mfspr   r4,SPRN_IBAT6L
++      stw     r4,SL_IBAT6+4(r1)
++      mfspr   r4,SPRN_IBAT7U
++      stw     r4,SL_IBAT7(r1)
++      mfspr   r4,SPRN_IBAT7L
++      stw     r4,SL_IBAT7+4(r1)
++END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_HIGH_BATS)
++
+       /* Backup various CPU config stuffs */
+       bl      __save_cpu_setup
+@@ -321,22 +364,37 @@ grackle_wake_up:
+       mtibatl 3,r4
+ BEGIN_MMU_FTR_SECTION
+-      li      r4,0
++      lwz     r4,SL_DBAT4(r1)
+       mtspr   SPRN_DBAT4U,r4
++      lwz     r4,SL_DBAT4+4(r1)
+       mtspr   SPRN_DBAT4L,r4
++      lwz     r4,SL_DBAT5(r1)
+       mtspr   SPRN_DBAT5U,r4
++      lwz     r4,SL_DBAT5+4(r1)
+       mtspr   SPRN_DBAT5L,r4
++      lwz     r4,SL_DBAT6(r1)
+       mtspr   SPRN_DBAT6U,r4
++      lwz     r4,SL_DBAT6+4(r1)
+       mtspr   SPRN_DBAT6L,r4
++      lwz     r4,SL_DBAT7(r1)
+       mtspr   SPRN_DBAT7U,r4
++      lwz     r4,SL_DBAT7+4(r1)
+       mtspr   SPRN_DBAT7L,r4
++      lwz     r4,SL_IBAT4(r1)
+       mtspr   SPRN_IBAT4U,r4
++      lwz     r4,SL_IBAT4+4(r1)
+       mtspr   SPRN_IBAT4L,r4
++      lwz     r4,SL_IBAT5(r1)
+       mtspr   SPRN_IBAT5U,r4
++      lwz     r4,SL_IBAT5+4(r1)
+       mtspr   SPRN_IBAT5L,r4
++      lwz     r4,SL_IBAT6(r1)
+       mtspr   SPRN_IBAT6U,r4
++      lwz     r4,SL_IBAT6+4(r1)
+       mtspr   SPRN_IBAT6L,r4
++      lwz     r4,SL_IBAT7(r1)
+       mtspr   SPRN_IBAT7U,r4
++      lwz     r4,SL_IBAT7+4(r1)
+       mtspr   SPRN_IBAT7L,r4
+ END_MMU_FTR_SECTION_IFSET(MMU_FTR_USE_HIGH_BATS)
diff --git a/queue-5.2/powerpc-mm-32s-fix-condition-that-is-always-true.patch b/queue-5.2/powerpc-mm-32s-fix-condition-that-is-always-true.patch
new file mode 100644 (file)
index 0000000..bda4828
--- /dev/null
@@ -0,0 +1,33 @@
+From 46c2478af610efb3212b8b08f74389d69899ef70 Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@linux-m68k.org>
+Date: Mon, 17 Jun 2019 23:22:20 +0200
+Subject: powerpc/mm/32s: fix condition that is always true
+
+From: Andreas Schwab <schwab@linux-m68k.org>
+
+commit 46c2478af610efb3212b8b08f74389d69899ef70 upstream.
+
+Move a misplaced paren that makes the condition always true.
+
+Fixes: 63b2bc619565 ("powerpc/mm/32s: Use BATs for STRICT_KERNEL_RWX")
+Cc: stable@vger.kernel.org # v5.1+
+Signed-off-by: Andreas Schwab <schwab@linux-m68k.org>
+Reviewed-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/pgtable_32.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/mm/pgtable_32.c
++++ b/arch/powerpc/mm/pgtable_32.c
+@@ -360,7 +360,7 @@ void mark_initmem_nx(void)
+       unsigned long numpages = PFN_UP((unsigned long)_einittext) -
+                                PFN_DOWN((unsigned long)_sinittext);
+-      if (v_block_mapped((unsigned long)_stext) + 1)
++      if (v_block_mapped((unsigned long)_stext + 1))
+               mmu_mark_initmem_nx();
+       else
+               change_page_attr(page, numpages, PAGE_KERNEL);
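Review bot: The argument `(unsigned long)_stext + 1` in mark_initmem_nx() has no explanation of why the probe address is one byte past `_stext` rather than `_stext` itself. This test selects between mmu_mark_initmem_nx() and change_page_attr(), so it decides how the init-text permissions are changed, and the misplaced parenthesis it replaces went unnoticed because the expression was still valid C. A short comment above the `if` saying what v_block_mapped() is being asked, for example `/* is kernel text covered by a block mapping? */` (wording to be confirmed by the author), would make a similar slip easier to spot. The function starts and ends outside the hunk.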
diff --git a/queue-5.2/powerpc-powernv-fix-stale-iommu-table-base-after-vfio.patch b/queue-5.2/powerpc-powernv-fix-stale-iommu-table-base-after-vfio.patch
new file mode 100644 (file)
index 0000000..675ad63
--- /dev/null
@@ -0,0 +1,63 @@
+From 5636427d087a55842c1a199dfb839e6545d30e5d Mon Sep 17 00:00:00 2001
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Date: Fri, 28 Jun 2019 16:53:00 +1000
+Subject: powerpc/powernv: Fix stale iommu table base after VFIO
+
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+
+commit 5636427d087a55842c1a199dfb839e6545d30e5d upstream.
+
+The powernv platform uses @dma_iommu_ops for non-bypass DMA. These ops
+need an iommu_table pointer which is stored in
+dev->archdata.iommu_table_base. It is initialized during
+pcibios_setup_device() which handles boot time devices. However when a
+device is taken from the system in order to pass it through, the
+default IOMMU table is destroyed but the pointer in a device is not
+updated; also when a device is returned back to the system, a new
+table pointer is not stored in dev->archdata.iommu_table_base either.
+So when a just returned device tries using IOMMU, it crashes on
+accessing stale iommu_table or its members.
+
+This calls set_iommu_table_base() when the default window is created.
+Note it used to be there before but was wrongly removed (see "fixes").
+It did not appear before as these days most devices simply use bypass.
+
+This adds set_iommu_table_base(NULL) when a device is taken from the
+system to make it clear that IOMMU DMA cannot be used past that point.
+
+Fixes: c4e9d3c1e65a ("powerpc/powernv/pseries: Rework device adding to IOMMU groups")
+Cc: stable@vger.kernel.org # v5.0+
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/pci-ioda.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/powerpc/platforms/powernv/pci-ioda.c
++++ b/arch/powerpc/platforms/powernv/pci-ioda.c
+@@ -2456,6 +2456,14 @@ static long pnv_pci_ioda2_setup_default_
+       if (!pnv_iommu_bypass_disabled)
+               pnv_pci_ioda2_set_bypass(pe, true);
++      /*
++       * Set table base for the case of IOMMU DMA use. Usually this is done
++       * from dma_dev_setup() which is not called when a device is returned
++       * from VFIO so do it here.
++       */
++      if (pe->pdev)
++              set_iommu_table_base(&pe->pdev->dev, tbl);
++
+       return 0;
+ }
+@@ -2543,6 +2551,8 @@ static void pnv_ioda2_take_ownership(str
+       pnv_pci_ioda2_unset_window(&pe->table_group, 0);
+       if (pe->pbus)
+               pnv_ioda_setup_bus_dma(pe, pe->pbus);
++      else if (pe->pdev)
++              set_iommu_table_base(&pe->pdev->dev, NULL);
+       iommu_tce_table_put(tbl);
+ }
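Review bot: In pnv_ioda2_take_ownership() the new `set_iommu_table_base(&pe->pdev->dev, NULL)` leaves the device with a NULL table base while VFIO owns it, and this hunk does not show whether the IOMMU DMA paths check for NULL before dereferencing it. Without such a check the stale-pointer access becomes a NULL dereference, so either confirm the check exists or state in a comment that no kernel DMA is expected for the device until the default window is set up again. A comment on the new branch would also help, e.g. `/* the default table is released below; leave no stale pointer in the device */`. The bus case goes through pnv_ioda_setup_bus_dma(), whose effect on per-device table bases is not visible here.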
diff --git a/queue-5.2/powerpc-powernv-idle-fix-restore-of-sprn_ldbar-for-power9-stop-state.patch b/queue-5.2/powerpc-powernv-idle-fix-restore-of-sprn_ldbar-for-power9-stop-state.patch
new file mode 100644 (file)
index 0000000..0087be3
--- /dev/null
@@ -0,0 +1,45 @@
+From f5a9e488d62360c91c5770bd55a0b40e419a71ce Mon Sep 17 00:00:00 2001
+From: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Date: Tue, 2 Jul 2019 16:28:36 +0530
+Subject: powerpc/powernv/idle: Fix restore of SPRN_LDBAR for POWER9 stop state.
+
+From: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+
+commit f5a9e488d62360c91c5770bd55a0b40e419a71ce upstream.
+
+commit 10d91611f426 ("powerpc/64s: Reimplement book3s idle code in C")
+reimplemented book3S code to pltform/powernv/idle.c. But when doing so
+missed to add the per-thread LDBAR update in the core_woken path of
+the power9_idle_stop(). Patch fixes the same.
+
+Fixes: 10d91611f426 ("powerpc/64s: Reimplement book3s idle code in C")
+Cc: stable@vger.kernel.org # v5.2+
+Signed-off-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190702105836.26695-1-maddy@linux.vnet.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/idle.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/idle.c
++++ b/arch/powerpc/platforms/powernv/idle.c
+@@ -758,7 +758,6 @@ static unsigned long power9_idle_stop(un
+       mtspr(SPRN_PTCR,        sprs.ptcr);
+       mtspr(SPRN_RPR,         sprs.rpr);
+       mtspr(SPRN_TSCR,        sprs.tscr);
+-      mtspr(SPRN_LDBAR,       sprs.ldbar);
+       if (pls >= pnv_first_tb_loss_level) {
+               /* TB loss */
+@@ -790,6 +789,7 @@ core_woken:
+       mtspr(SPRN_MMCR0,       sprs.mmcr0);
+       mtspr(SPRN_MMCR1,       sprs.mmcr1);
+       mtspr(SPRN_MMCR2,       sprs.mmcr2);
++      mtspr(SPRN_LDBAR,       sprs.ldbar);
+       mtspr(SPRN_SPRG3,       local_paca->sprg_vdso);
diff --git a/queue-5.2/powerpc-powernv-npu-fix-reference-leak.patch b/queue-5.2/powerpc-powernv-npu-fix-reference-leak.patch
new file mode 100644 (file)
index 0000000..86035d1
--- /dev/null
@@ -0,0 +1,70 @@
+From 02c5f5394918b9b47ff4357b1b18335768cd867d Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Fri, 19 Apr 2019 17:34:13 +0200
+Subject: powerpc/powernv/npu: Fix reference leak
+
+From: Greg Kurz <groug@kaod.org>
+
+commit 02c5f5394918b9b47ff4357b1b18335768cd867d upstream.
+
+Since 902bdc57451c, get_pci_dev() calls pci_get_domain_bus_and_slot(). This
+has the effect of incrementing the reference count of the PCI device, as
+explained in drivers/pci/search.c:
+
+ * Given a PCI domain, bus, and slot/function number, the desired PCI
+ * device is located in the list of PCI devices. If the device is
+ * found, its reference count is increased and this function returns a
+ * pointer to its data structure.  The caller must decrement the
+ * reference count by calling pci_dev_put().  If no device is found,
+ * %NULL is returned.
+
+Nothing was done to call pci_dev_put() and the reference count of GPU and
+NPU PCI devices rockets up.
+
+A natural way to fix this would be to teach the callers about the change,
+so that they call pci_dev_put() when done with the pointer. This turns
+out to be quite intrusive, as it affects many paths in npu-dma.c,
+pci-ioda.c and vfio_pci_nvlink2.c. Also, the issue appeared in 4.16 and
+some affected code got moved around since then: it would be problematic
+to backport the fix to stable releases.
+
+All that code never cared for reference counting anyway. Call pci_dev_put()
+from get_pci_dev() to revert to the previous behavior.
+
+Fixes: 902bdc57451c ("powerpc/powernv/idoa: Remove unnecessary pcidev from pci_dn")
+Cc: stable@vger.kernel.org # v4.16
+Signed-off-by: Greg Kurz <groug@kaod.org>
+Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/npu-dma.c |   15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/npu-dma.c
++++ b/arch/powerpc/platforms/powernv/npu-dma.c
+@@ -28,9 +28,22 @@ static DEFINE_SPINLOCK(npu_context_lock)
+ static struct pci_dev *get_pci_dev(struct device_node *dn)
+ {
+       struct pci_dn *pdn = PCI_DN(dn);
++      struct pci_dev *pdev;
+-      return pci_get_domain_bus_and_slot(pci_domain_nr(pdn->phb->bus),
++      pdev = pci_get_domain_bus_and_slot(pci_domain_nr(pdn->phb->bus),
+                                          pdn->busno, pdn->devfn);
++
++      /*
++       * pci_get_domain_bus_and_slot() increased the reference count of
++       * the PCI device, but callers don't need that actually as the PE
++       * already holds a reference to the device. Since callers aren't
++       * aware of the reference count change, call pci_dev_put() now to
++       * avoid leaks.
++       */
++      if (pdev)
++              pci_dev_put(pdev);
++
++      return pdev;
+ }
+ /* Given a NPU device get the associated PCI device. */
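Review bot: get_pci_dev() now returns a pointer on which it has already dropped its reference, so the result is valid only while something else keeps the device alive, and that contract is recorded only in a comment inside the body. The comment says the PE holds a reference; that cannot be checked from this hunk, and a caller that keeps the pointer past the PE's lifetime would be touching freed memory. I would state the rule on the function itself, e.g. `/* Returns a borrowed pointer: no reference is held for the caller; valid only while the PE holds the device. */`. The `if (pdev)` guard can go as well, since pci_dev_put() accepts NULL.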
diff --git a/queue-5.2/powerpc-pseries-fix-oops-in-hotplug-memory-notifier.patch b/queue-5.2/powerpc-pseries-fix-oops-in-hotplug-memory-notifier.patch
new file mode 100644 (file)
index 0000000..7bb3ca6
--- /dev/null
@@ -0,0 +1,39 @@
+From 0aa82c482ab2ece530a6f44897b63b274bb43c8e Mon Sep 17 00:00:00 2001
+From: Nathan Lynch <nathanl@linux.ibm.com>
+Date: Fri, 7 Jun 2019 00:04:07 -0500
+Subject: powerpc/pseries: Fix oops in hotplug memory notifier
+
+From: Nathan Lynch <nathanl@linux.ibm.com>
+
+commit 0aa82c482ab2ece530a6f44897b63b274bb43c8e upstream.
+
+During post-migration device tree updates, we can oops in
+pseries_update_drconf_memory() if the source device tree has an
+ibm,dynamic-memory-v2 property and the destination has a
+ibm,dynamic_memory (v1) property. The notifier processes an "update"
+for the ibm,dynamic-memory property but it's really an add in this
+scenario. So make sure the old property object is there before
+dereferencing it.
+
+Fixes: 2b31e3aec1db ("powerpc/drmem: Add support for ibm, dynamic-memory-v2 property")
+Cc: stable@vger.kernel.org # v4.16+
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/pseries/hotplug-memory.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/powerpc/platforms/pseries/hotplug-memory.c
++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c
+@@ -976,6 +976,9 @@ static int pseries_update_drconf_memory(
+       if (!memblock_size)
+               return -EINVAL;
++      if (!pr->old_prop)
++              return 0;
++
+       p = (__be32 *) pr->old_prop->value;
+       if (!p)
+               return -EINVAL;
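Review bot: The new `if (!pr->old_prop) return 0;` in pseries_update_drconf_memory() reports success while the checks on either side of it return -EINVAL, and the reason is given only in the commit message. A comment on the guard, such as `/* no old property: this "update" is really an add, nothing to compare against */`, would keep a later reader from changing the return code to match its neighbours. The function continues outside the hunk, so how the caller treats a 0 return here is not visible.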
diff --git a/queue-5.2/powerpc-pseries-fix-xive-off-command-line.patch b/queue-5.2/powerpc-pseries-fix-xive-off-command-line.patch
new file mode 100644 (file)
index 0000000..a7e551e
--- /dev/null
@@ -0,0 +1,171 @@
+From a3bf9fbdad600b1e4335dd90979f8d6072e4f602 Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Wed, 15 May 2019 12:05:01 +0200
+Subject: powerpc/pseries: Fix xive=off command line
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kurz <groug@kaod.org>
+
+commit a3bf9fbdad600b1e4335dd90979f8d6072e4f602 upstream.
+
+On POWER9, if the hypervisor supports XIVE exploitation mode, the
+guest OS will unconditionally requests for the XIVE interrupt mode
+even if XIVE was deactivated with the kernel command line xive=off.
+Later on, when the spapr XIVE init code handles xive=off, it disables
+XIVE and tries to fall back on the legacy mode XICS.
+
+This discrepency causes a kernel panic because the hypervisor is
+configured to provide the XIVE interrupt mode to the guest :
+
+  kernel BUG at arch/powerpc/sysdev/xics/xics-common.c:135!
+  ...
+  NIP xics_smp_probe+0x38/0x98
+  LR  xics_smp_probe+0x2c/0x98
+  Call Trace:
+    xics_smp_probe+0x2c/0x98 (unreliable)
+    pSeries_smp_probe+0x40/0xa0
+    smp_prepare_cpus+0x62c/0x6ec
+    kernel_init_freeable+0x148/0x448
+    kernel_init+0x2c/0x148
+    ret_from_kernel_thread+0x5c/0x68
+
+Look for xive=off during prom_init and don't ask for XIVE in this
+case. One exception though: if the host only supports XIVE, we still
+want to boot so we ignore xive=off.
+
+Similarly, have the spapr XIVE init code to looking at the interrupt
+mode negotiated during CAS, and ignore xive=off if the hypervisor only
+supports XIVE.
+
+Fixes: eac1e731b59e ("powerpc/xive: guest exploitation of the XIVE interrupt controller")
+Cc: stable@vger.kernel.org # v4.20
+Reported-by: Pavithra R. Prakash <pavrampu@in.ibm.com>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/prom_init.c  |   16 +++++++++++-
+ arch/powerpc/sysdev/xive/spapr.c |   52 ++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 66 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/prom_init.c
++++ b/arch/powerpc/kernel/prom_init.c
+@@ -168,6 +168,7 @@ static unsigned long __prombss prom_tce_
+ #ifdef CONFIG_PPC_PSERIES
+ static bool __prombss prom_radix_disable;
++static bool __prombss prom_xive_disable;
+ #endif
+ struct platform_support {
+@@ -804,6 +805,12 @@ static void __init early_cmdline_parse(v
+       }
+       if (prom_radix_disable)
+               prom_debug("Radix disabled from cmdline\n");
++
++      opt = prom_strstr(prom_cmd_line, "xive=off");
++      if (opt) {
++              prom_xive_disable = true;
++              prom_debug("XIVE disabled from cmdline\n");
++      }
+ #endif /* CONFIG_PPC_PSERIES */
+ }
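Review bot: `prom_strstr(prom_cmd_line, "xive=off")` in early_cmdline_parse() is a substring search, so it also fires on any longer token that merely contains `xive=off`. The spapr side relies on xive_cmdline_disabled, which is set outside this patch and presumably by the regular parameter parser. If the two disagree on such a command line, the guest again negotiates one interrupt mode during CAS and initialises the other, which is the mismatch this patch sets out to remove. Requiring a token boundary, `if (opt && (opt == prom_cmd_line || opt[-1] == ' '))`, narrows the leading side, and the character after the match wants the same treatment. The function starts outside the hunk.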
+@@ -1212,10 +1219,17 @@ static void __init prom_parse_xive_model
+       switch (val) {
+       case OV5_FEAT(OV5_XIVE_EITHER): /* Either Available */
+               prom_debug("XIVE - either mode supported\n");
+-              support->xive = true;
++              support->xive = !prom_xive_disable;
+               break;
+       case OV5_FEAT(OV5_XIVE_EXPLOIT): /* Only Exploitation mode */
+               prom_debug("XIVE - exploitation mode supported\n");
++              if (prom_xive_disable) {
++                      /*
++                       * If we __have__ to do XIVE, we're better off ignoring
++                       * the command line rather than not booting.
++                       */
++                      prom_printf("WARNING: Ignoring cmdline option xive=off\n");
++              }
+               support->xive = true;
+               break;
+       case OV5_FEAT(OV5_XIVE_LEGACY): /* Only Legacy mode */
+--- a/arch/powerpc/sysdev/xive/spapr.c
++++ b/arch/powerpc/sysdev/xive/spapr.c
+@@ -16,6 +16,7 @@
+ #include <linux/cpumask.h>
+ #include <linux/mm.h>
+ #include <linux/delay.h>
++#include <linux/libfdt.h>
+ #include <asm/prom.h>
+ #include <asm/io.h>
+@@ -659,6 +660,55 @@ static bool xive_get_max_prio(u8 *max_pr
+       return true;
+ }
++static const u8 *get_vec5_feature(unsigned int index)
++{
++      unsigned long root, chosen;
++      int size;
++      const u8 *vec5;
++
++      root = of_get_flat_dt_root();
++      chosen = of_get_flat_dt_subnode_by_name(root, "chosen");
++      if (chosen == -FDT_ERR_NOTFOUND)
++              return NULL;
++
++      vec5 = of_get_flat_dt_prop(chosen, "ibm,architecture-vec-5", &size);
++      if (!vec5)
++              return NULL;
++
++      if (size <= index)
++              return NULL;
++
++      return vec5 + index;
++}
++
++static bool xive_spapr_disabled(void)
++{
++      const u8 *vec5_xive;
++
++      vec5_xive = get_vec5_feature(OV5_INDX(OV5_XIVE_SUPPORT));
++      if (vec5_xive) {
++              u8 val;
++
++              val = *vec5_xive & OV5_FEAT(OV5_XIVE_SUPPORT);
++              switch (val) {
++              case OV5_FEAT(OV5_XIVE_EITHER):
++              case OV5_FEAT(OV5_XIVE_LEGACY):
++                      break;
++              case OV5_FEAT(OV5_XIVE_EXPLOIT):
++                      /* Hypervisor only supports XIVE */
++                      if (xive_cmdline_disabled)
++                              pr_warn("WARNING: Ignoring cmdline option xive=off\n");
++                      return false;
++              default:
++                      pr_warn("%s: Unknown xive support option: 0x%x\n",
++                              __func__, val);
++                      break;
++              }
++      }
++
++      return xive_cmdline_disabled;
++}
++
+ bool __init xive_spapr_init(void)
+ {
+       struct device_node *np;
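Review bot: get_vec5_feature() stores the result of of_get_flat_dt_subnode_by_name() in an `unsigned long` and rejects only `-FDT_ERR_NOTFOUND`, so any other negative libfdt error is carried on as a huge node offset into of_get_flat_dt_prop(). Declaring `int chosen;` and testing `if (chosen < 0) return NULL;` covers every error code. `size <= index` likewise compares an `int` with an `unsigned int`, which is harmless only as long as a non-NULL property never comes with a negative size. Both new helpers are reached only from xive_spapr_init(), which is `__init`, yet neither carries `__init` itself; if the flat-DT accessors they call are init-only, that is a section mismatch.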
+@@ -671,7 +721,7 @@ bool __init xive_spapr_init(void)
+       const __be32 *reg;
+       int i;
+-      if (xive_cmdline_disabled)
++      if (xive_spapr_disabled())
+               return false;
+       pr_devel("%s()\n", __func__);
diff --git a/queue-5.2/powerpc-watchpoint-restore-nv-gprs-while-returning-from-exception.patch b/queue-5.2/powerpc-watchpoint-restore-nv-gprs-while-returning-from-exception.patch
new file mode 100644 (file)
index 0000000..5f046ee
--- /dev/null
@@ -0,0 +1,116 @@
+From f474c28fbcbe42faca4eb415172c07d76adcb819 Mon Sep 17 00:00:00 2001
+From: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Date: Thu, 13 Jun 2019 09:00:14 +0530
+Subject: powerpc/watchpoint: Restore NV GPRs while returning from exception
+
+From: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+
+commit f474c28fbcbe42faca4eb415172c07d76adcb819 upstream.
+
+powerpc hardware triggers watchpoint before executing the instruction.
+To make trigger-after-execute behavior, kernel emulates the
+instruction. If the instruction is 'load something into non-volatile
+register', exception handler should restore emulated register state
+while returning back, otherwise there will be register state
+corruption. eg, adding a watchpoint on a list can corrput the list:
+
+  # cat /proc/kallsyms | grep kthread_create_list
+  c00000000121c8b8 d kthread_create_list
+
+Add watchpoint on kthread_create_list->prev:
+
+  # perf record -e mem:0xc00000000121c8c0
+
+Run some workload such that new kthread gets invoked. eg, I just
+logged out from console:
+
+  list_add corruption. next->prev should be prev (c000000001214e00), \
+       but was c00000000121c8b8. (next=c00000000121c8b8).
+  WARNING: CPU: 59 PID: 309 at lib/list_debug.c:25 __list_add_valid+0xb4/0xc0
+  CPU: 59 PID: 309 Comm: kworker/59:0 Kdump: loaded Not tainted 5.1.0-rc7+ #69
+  ...
+  NIP __list_add_valid+0xb4/0xc0
+  LR __list_add_valid+0xb0/0xc0
+  Call Trace:
+  __list_add_valid+0xb0/0xc0 (unreliable)
+  __kthread_create_on_node+0xe0/0x260
+  kthread_create_on_node+0x34/0x50
+  create_worker+0xe8/0x260
+  worker_thread+0x444/0x560
+  kthread+0x160/0x1a0
+  ret_from_kernel_thread+0x5c/0x70
+
+List corruption happened because it uses 'load into non-volatile
+register' instruction:
+
+Snippet from __kthread_create_on_node:
+
+  c000000000136be8:     addis   r29,r2,-19
+  c000000000136bec:     ld      r29,31424(r29)
+        if (!__list_add_valid(new, prev, next))
+  c000000000136bf0:     mr      r3,r30
+  c000000000136bf4:     mr      r5,r28
+  c000000000136bf8:     mr      r4,r29
+  c000000000136bfc:     bl      c00000000059a2f8 <__list_add_valid+0x8>
+
+Register state from WARN_ON():
+
+  GPR00: c00000000059a3a0 c000007ff23afb50 c000000001344e00 0000000000000075
+  GPR04: 0000000000000000 0000000000000000 0000001852af8bc1 0000000000000000
+  GPR08: 0000000000000001 0000000000000007 0000000000000006 00000000000004aa
+  GPR12: 0000000000000000 c000007ffffeb080 c000000000137038 c000005ff62aaa00
+  GPR16: 0000000000000000 0000000000000000 c000007fffbe7600 c000007fffbe7370
+  GPR20: c000007fffbe7320 c000007fffbe7300 c000000001373a00 0000000000000000
+  GPR24: fffffffffffffef7 c00000000012e320 c000007ff23afcb0 c000000000cb8628
+  GPR28: c00000000121c8b8 c000000001214e00 c000007fef5b17e8 c000007fef5b17c0
+
+Watchpoint hit at 0xc000000000136bec.
+
+  addis   r29,r2,-19
+   => r29 = 0xc000000001344e00 + (-19 << 16)
+   => r29 = 0xc000000001214e00
+
+  ld      r29,31424(r29)
+   => r29 = *(0xc000000001214e00 + 31424)
+   => r29 = *(0xc00000000121c8c0)
+
+0xc00000000121c8c0 is where we placed a watchpoint and thus this
+instruction was emulated by emulate_step. But because handle_dabr_fault
+did not restore emulated register state, r29 still contains stale
+value in above register state.
+
+Fixes: 5aae8a5370802 ("powerpc, hw_breakpoints: Implement hw_breakpoints for 64-bit server processors")
+Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Cc: stable@vger.kernel.org # 2.6.36+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/exceptions-64s.S |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -1746,7 +1746,7 @@ handle_page_fault:
+       addi    r3,r1,STACK_FRAME_OVERHEAD
+       bl      do_page_fault
+       cmpdi   r3,0
+-      beq+    12f
++      beq+    ret_from_except_lite
+       bl      save_nvgprs
+       mr      r5,r3
+       addi    r3,r1,STACK_FRAME_OVERHEAD
+@@ -1761,7 +1761,12 @@ handle_dabr_fault:
+       ld      r5,_DSISR(r1)
+       addi    r3,r1,STACK_FRAME_OVERHEAD
+       bl      do_break
+-12:   b       ret_from_except_lite
++      /*
++       * do_break() may have changed the NV GPRS while handling a breakpoint.
++       * If so, we need to restore them with their updated values. Don't use
++       * ret_from_except_lite here.
++       */
++      b       ret_from_except
+ #ifdef CONFIG_PPC_BOOK3S_64
index b6296bffaa5068372cb2c7857069d7abb6f3f7c0..ba60f6e0b41c04337f90105c28c7326d732e299e 100644 (file)
@@ -380,3 +380,22 @@ mm-z3fold.c-lock-z3fold-page-before-__setpagemovable.patch
 coda-pass-the-host-file-in-vma-vm_file-on-mmap.patch
 include-asm-generic-bug.h-fix-cut-here-for-warn_on-for-__warn_taint-architectures.patch
 resource-fix-locking-in-find_next_iomem_res.patch
+gpu-ipu-v3-ipu-ic-fix-saturation-bit-offset-in-tpmem.patch
+parisc-ensure-userspace-privilege-for-ptraced-processes-in-regset-functions.patch
+parisc-avoid-kernel-panic-triggered-by-invalid-kprobe.patch
+parisc-fix-kernel-panic-due-invalid-values-in-iaoq0-or-iaoq1.patch
+powerpc-32s-fix-suspend-resume-when-ibats-4-7-are-used.patch
+powerpc-mm-32s-fix-condition-that-is-always-true.patch
+powerpc-watchpoint-restore-nv-gprs-while-returning-from-exception.patch
+powerpc-powernv-npu-fix-reference-leak.patch
+powerpc-powernv-idle-fix-restore-of-sprn_ldbar-for-power9-stop-state.patch
+powerpc-powernv-fix-stale-iommu-table-base-after-vfio.patch
+powerpc-pseries-fix-xive-off-command-line.patch
+powerpc-pseries-fix-oops-in-hotplug-memory-notifier.patch
+mmc-sdhci-msm-fix-mutex-while-in-spinlock.patch
+ecryptfs-fix-a-couple-type-promotion-bugs.patch
+mtd-rawnand-mtk-correct-low-level-time-calculation-of-r-w-cycle.patch
+mtd-spinand-read-returns-badly-if-the-last-page-has-bitflips.patch
+intel_th-msu-remove-set-but-not-used-variable-last.patch
+intel_th-msu-fix-single-mode-with-disabled-iommu.patch
+bluetooth-add-smp-workaround-microsoft-surface-precision-mouse-bug.patch