--- /dev/null
+From 6c3b047fa2d2286d5e438bcb470c7b1a49f415f6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 21 Sep 2017 05:40:18 -0300
+Subject: [media] cx231xx-cards: fix NULL-deref on missing association descriptor
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6c3b047fa2d2286d5e438bcb470c7b1a49f415f6 upstream.
+
+Make sure to check that we actually have an Interface Association
+Descriptor before dereferencing it during probe to avoid dereferencing a
+NULL-pointer.
+
+Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/cx231xx/cx231xx-cards.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/cx231xx/cx231xx-cards.c
++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
+@@ -1684,7 +1684,7 @@ static int cx231xx_usb_probe(struct usb_
+ nr = dev->devno;
+
+ assoc_desc = udev->actconfig->intf_assoc[0];
+- if (assoc_desc->bFirstInterface != ifnum) {
++ if (!assoc_desc || assoc_desc->bFirstInterface != ifnum) {
+ dev_err(d, "Not found matching IAD interface\n");
+ retval = -ENODEV;
+ goto err_if;
--- /dev/null
+From 7b8edcc685b5e2c3c37aa13dc50a88e84a5bfef8 Mon Sep 17 00:00:00 2001
+From: Brian King <brking@linux.vnet.ibm.com>
+Date: Fri, 17 Nov 2017 11:05:48 -0600
+Subject: fm10k: Use smp_rmb rather than read_barrier_depends
+
+From: Brian King <brking@linux.vnet.ibm.com>
+
+commit 7b8edcc685b5e2c3c37aa13dc50a88e84a5bfef8 upstream.
+
+The original issue being fixed in this patch was seen with the ixgbe
+driver, but the same issue exists with fm10k as well, as the code is
+very similar. read_barrier_depends is not sufficient to ensure
+loads following it are not speculatively loaded out of order
+by the CPU, which can result in stale data being loaded, causing
+potential system crashes.
+
+Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
+Acked-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/fm10k/fm10k_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/fm10k/fm10k_main.c
++++ b/drivers/net/ethernet/intel/fm10k/fm10k_main.c
+@@ -1229,7 +1229,7 @@ static bool fm10k_clean_tx_irq(struct fm
+ break;
+
+ /* prevent any other reads prior to eop_desc */
+- read_barrier_depends();
++ smp_rmb();
+
+ /* if DD is not set pending work has not been completed */
+ if (!(eop_desc->flags & FM10K_TXD_FLAG_DONE))
--- /dev/null
+From 52c6912fde0133981ee50ba08808f257829c4c93 Mon Sep 17 00:00:00 2001
+From: Brian King <brking@linux.vnet.ibm.com>
+Date: Fri, 17 Nov 2017 11:05:44 -0600
+Subject: i40e: Use smp_rmb rather than read_barrier_depends
+
+From: Brian King <brking@linux.vnet.ibm.com>
+
+commit 52c6912fde0133981ee50ba08808f257829c4c93 upstream.
+
+The original issue being fixed in this patch was seen with the ixgbe
+driver, but the same issue exists with i40e as well, as the code is
+very similar. read_barrier_depends is not sufficient to ensure
+loads following it are not speculatively loaded out of order
+by the CPU, which can result in stale data being loaded, causing
+potential system crashes.
+
+Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
+Acked-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +-
+ drivers/net/ethernet/intel/i40e/i40e_txrx.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -3760,7 +3760,7 @@ static bool i40e_clean_fdir_tx_irq(struc
+ break;
+
+ /* prevent any other reads prior to eop_desc */
+- read_barrier_depends();
++ smp_rmb();
+
+ /* if the descriptor isn't done, no work yet to do */
+ if (!(eop_desc->cmd_type_offset_bsz &
+--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+@@ -759,7 +759,7 @@ static bool i40e_clean_tx_irq(struct i40
+ break;
+
+ /* prevent any other reads prior to eop_desc */
+- read_barrier_depends();
++ smp_rmb();
+
+ i40e_trace(clean_tx_irq, tx_ring, tx_desc, tx_buf);
+ /* we have caught up to head, no work left to do */
--- /dev/null
+From f72271e2a0ae4277d53c4053f5eed8bb346ba38a Mon Sep 17 00:00:00 2001
+From: Brian King <brking@linux.vnet.ibm.com>
+Date: Fri, 17 Nov 2017 11:05:49 -0600
+Subject: i40evf: Use smp_rmb rather than read_barrier_depends
+
+From: Brian King <brking@linux.vnet.ibm.com>
+
+commit f72271e2a0ae4277d53c4053f5eed8bb346ba38a upstream.
+
+The original issue being fixed in this patch was seen with the ixgbe
+driver, but the same issue exists with i40evf as well, as the code is
+very similar. read_barrier_depends is not sufficient to ensure
+loads following it are not speculatively loaded out of order
+by the CPU, which can result in stale data being loaded, causing
+potential system crashes.
+
+Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
+Acked-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/i40evf/i40e_txrx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/i40evf/i40e_txrx.c
++++ b/drivers/net/ethernet/intel/i40evf/i40e_txrx.c
+@@ -179,7 +179,7 @@ static bool i40e_clean_tx_irq(struct i40
+ break;
+
+ /* prevent any other reads prior to eop_desc */
+- read_barrier_depends();
++ smp_rmb();
+
+ i40e_trace(clean_tx_irq, tx_ring, tx_desc, tx_buf);
+ /* if the descriptor isn't done, no work yet to do */
--- /dev/null
+From c4cb99185b4cc96c0a1c70104dc21ae14d7e7f28 Mon Sep 17 00:00:00 2001
+From: Brian King <brking@linux.vnet.ibm.com>
+Date: Fri, 17 Nov 2017 11:05:47 -0600
+Subject: igb: Use smp_rmb rather than read_barrier_depends
+
+From: Brian King <brking@linux.vnet.ibm.com>
+
+commit c4cb99185b4cc96c0a1c70104dc21ae14d7e7f28 upstream.
+
+The original issue being fixed in this patch was seen with the ixgbe
+driver, but the same issue exists with igb as well, as the code is
+very similar. read_barrier_depends is not sufficient to ensure
+loads following it are not speculatively loaded out of order
+by the CPU, which can result in stale data being loaded, causing
+potential system crashes.
+
+Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
+Acked-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -6970,7 +6970,7 @@ static bool igb_clean_tx_irq(struct igb_
+ break;
+
+ /* prevent any other reads prior to eop_desc */
+- read_barrier_depends();
++ smp_rmb();
+
+ /* if DD is not set pending work has not been completed */
+ if (!(eop_desc->wb.status & cpu_to_le32(E1000_TXD_STAT_DD)))
--- /dev/null
+From 1e1f9ca546556e508d021545861f6b5fc75a95fe Mon Sep 17 00:00:00 2001
+From: Brian King <brking@linux.vnet.ibm.com>
+Date: Fri, 17 Nov 2017 11:05:46 -0600
+Subject: igbvf: Use smp_rmb rather than read_barrier_depends
+
+From: Brian King <brking@linux.vnet.ibm.com>
+
+commit 1e1f9ca546556e508d021545861f6b5fc75a95fe upstream.
+
+The original issue being fixed in this patch was seen with the ixgbe
+driver, but the same issue exists with igbvf as well, as the code is
+very similar. read_barrier_depends is not sufficient to ensure
+loads following it are not speculatively loaded out of order
+by the CPU, which can result in stale data being loaded, causing
+potential system crashes.
+
+Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
+Acked-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/igbvf/netdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/igbvf/netdev.c
++++ b/drivers/net/ethernet/intel/igbvf/netdev.c
+@@ -810,7 +810,7 @@ static bool igbvf_clean_tx_irq(struct ig
+ break;
+
+ /* prevent any other reads prior to eop_desc */
+- read_barrier_depends();
++ smp_rmb();
+
+ /* if DD is not set pending work has not been completed */
+ if (!(eop_desc->wb.status & cpu_to_le32(E1000_TXD_STAT_DD)))
--- /dev/null
+From 0a9a17e3bb4564caf4bfe2a6783ae1287667d188 Mon Sep 17 00:00:00 2001
+From: Brian King <brking@linux.vnet.ibm.com>
+Date: Fri, 17 Nov 2017 11:05:43 -0600
+Subject: ixgbe: Fix skb list corruption on Power systems
+
+From: Brian King <brking@linux.vnet.ibm.com>
+
+commit 0a9a17e3bb4564caf4bfe2a6783ae1287667d188 upstream.
+
+This patch fixes an issue seen on Power systems with ixgbe which results
+in skb list corruption and an eventual kernel oops. The following is what
+was observed:
+
+CPU 1 CPU2
+============================ ============================
+1: ixgbe_xmit_frame_ring ixgbe_clean_tx_irq
+2: first->skb = skb eop_desc = tx_buffer->next_to_watch
+3: ixgbe_tx_map read_barrier_depends()
+4: wmb check adapter written status bit
+5: first->next_to_watch = tx_desc napi_consume_skb(tx_buffer->skb ..);
+6: writel(i, tx_ring->tail);
+
+The read_barrier_depends is insufficient to ensure that tx_buffer->skb does not
+get loaded prior to tx_buffer->next_to_watch, which then results in loading
+a stale skb pointer. This patch replaces the read_barrier_depends with
+smp_rmb to ensure loads are ordered with respect to the load of
+tx_buffer->next_to_watch.
+
+Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
+Acked-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -1192,7 +1192,7 @@ static bool ixgbe_clean_tx_irq(struct ix
+ break;
+
+ /* prevent any other reads prior to eop_desc */
+- read_barrier_depends();
++ smp_rmb();
+
+ /* if DD is not set pending work has not been completed */
+ if (!(eop_desc->wb.status & cpu_to_le32(IXGBE_TXD_STAT_DD)))
--- /dev/null
+From ae0c585d93dfaf923d2c7eb44b2c3ab92854ea9b Mon Sep 17 00:00:00 2001
+From: Brian King <brking@linux.vnet.ibm.com>
+Date: Fri, 17 Nov 2017 11:05:45 -0600
+Subject: ixgbevf: Use smp_rmb rather than read_barrier_depends
+
+From: Brian King <brking@linux.vnet.ibm.com>
+
+commit ae0c585d93dfaf923d2c7eb44b2c3ab92854ea9b upstream.
+
+The original issue being fixed in this patch was seen with the ixgbe
+driver, but the same issue exists with ixgbevf as well, as the code is
+very similar. read_barrier_depends is not sufficient to ensure
+loads following it are not speculatively loaded out of order
+by the CPU, which can result in stale data being loaded, causing
+potential system crashes.
+
+Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
+Acked-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+@@ -326,7 +326,7 @@ static bool ixgbevf_clean_tx_irq(struct
+ break;
+
+ /* prevent any other reads prior to eop_desc */
+- read_barrier_depends();
++ smp_rmb();
+
+ /* if DD is not set pending work has not been completed */
+ if (!(eop_desc->wb.status & cpu_to_le32(IXGBE_TXD_STAT_DD)))
--- /dev/null
+From b3120d2cc447ee77b9d69bf4ad7b452c9adb4d39 Mon Sep 17 00:00:00 2001
+From: Michele Baldessari <michele@acksyn.org>
+Date: Mon, 6 Nov 2017 08:50:22 -0500
+Subject: media: Don't do DMA on stack for firmware upload in the AS102 driver
+
+From: Michele Baldessari <michele@acksyn.org>
+
+commit b3120d2cc447ee77b9d69bf4ad7b452c9adb4d39 upstream.
+
+Firmware load on AS102 is using the stack which is not allowed any
+longer. We currently fail with:
+
+kernel: transfer buffer not dma capable
+kernel: ------------[ cut here ]------------
+kernel: WARNING: CPU: 0 PID: 598 at drivers/usb/core/hcd.c:1595 usb_hcd_map_urb_for_dma+0x41d/0x620
+kernel: Modules linked in: amd64_edac_mod(-) edac_mce_amd as102_fe dvb_as102(+) kvm_amd kvm snd_hda_codec_realtek dvb_core snd_hda_codec_generic snd_hda_codec_hdmi snd_hda_intel snd_hda_codec irqbypass crct10dif_pclmul crc32_pclmul snd_hda_core snd_hwdep snd_seq ghash_clmulni_intel sp5100_tco fam15h_power wmi k10temp i2c_piix4 snd_seq_device snd_pcm snd_timer parport_pc parport tpm_infineon snd tpm_tis soundcore tpm_tis_core tpm shpchp acpi_cpufreq xfs libcrc32c amdgpu amdkfd amd_iommu_v2 radeon hid_logitech_hidpp i2c_algo_bit drm_kms_helper crc32c_intel ttm drm r8169 mii hid_logitech_dj
+kernel: CPU: 0 PID: 598 Comm: systemd-udevd Not tainted 4.13.10-200.fc26.x86_64 #1
+kernel: Hardware name: ASUS All Series/AM1I-A, BIOS 0505 03/13/2014
+kernel: task: ffff979933b24c80 task.stack: ffffaf83413a4000
+kernel: RIP: 0010:usb_hcd_map_urb_for_dma+0x41d/0x620
+systemd-fsck[659]: /dev/sda2: clean, 49/128016 files, 268609/512000 blocks
+kernel: RSP: 0018:ffffaf83413a7728 EFLAGS: 00010282
+systemd-udevd[604]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
+kernel: RAX: 000000000000001f RBX: ffff979930bce780 RCX: 0000000000000000
+kernel: RDX: 0000000000000000 RSI: ffff97993ec0e118 RDI: ffff97993ec0e118
+kernel: RBP: ffffaf83413a7768 R08: 000000000000039a R09: 0000000000000000
+kernel: R10: 0000000000000001 R11: 00000000ffffffff R12: 00000000fffffff5
+kernel: R13: 0000000001400000 R14: 0000000000000001 R15: ffff979930806800
+kernel: FS: 00007effaca5c8c0(0000) GS:ffff97993ec00000(0000) knlGS:0000000000000000
+kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+kernel: CR2: 00007effa9fca962 CR3: 0000000233089000 CR4: 00000000000406f0
+kernel: Call Trace:
+kernel: usb_hcd_submit_urb+0x493/0xb40
+kernel: ? page_cache_tree_insert+0x100/0x100
+kernel: ? xfs_iunlock+0xd5/0x100 [xfs]
+kernel: ? xfs_file_buffered_aio_read+0x57/0xc0 [xfs]
+kernel: usb_submit_urb+0x22d/0x560
+kernel: usb_start_wait_urb+0x6e/0x180
+kernel: usb_bulk_msg+0xb8/0x160
+kernel: as102_send_ep1+0x49/0xe0 [dvb_as102]
+kernel: ? devres_add+0x3f/0x50
+kernel: as102_firmware_upload.isra.0+0x1dc/0x210 [dvb_as102]
+kernel: as102_fw_upload+0xb6/0x1f0 [dvb_as102]
+kernel: as102_dvb_register+0x2af/0x2d0 [dvb_as102]
+kernel: as102_usb_probe+0x1f3/0x260 [dvb_as102]
+kernel: usb_probe_interface+0x124/0x300
+kernel: driver_probe_device+0x2ff/0x450
+kernel: __driver_attach+0xa4/0xe0
+kernel: ? driver_probe_device+0x450/0x450
+kernel: bus_for_each_dev+0x6e/0xb0
+kernel: driver_attach+0x1e/0x20
+kernel: bus_add_driver+0x1c7/0x270
+kernel: driver_register+0x60/0xe0
+kernel: usb_register_driver+0x81/0x150
+kernel: ? 0xffffffffc0807000
+kernel: as102_usb_driver_init+0x1e/0x1000 [dvb_as102]
+kernel: do_one_initcall+0x50/0x190
+kernel: ? __vunmap+0x81/0xb0
+kernel: ? kfree+0x154/0x170
+kernel: ? kmem_cache_alloc_trace+0x15f/0x1c0
+kernel: ? do_init_module+0x27/0x1e9
+kernel: do_init_module+0x5f/0x1e9
+kernel: load_module+0x2602/0x2c30
+kernel: SYSC_init_module+0x170/0x1a0
+kernel: ? SYSC_init_module+0x170/0x1a0
+kernel: SyS_init_module+0xe/0x10
+kernel: do_syscall_64+0x67/0x140
+kernel: entry_SYSCALL64_slow_path+0x25/0x25
+kernel: RIP: 0033:0x7effab6cf3ea
+kernel: RSP: 002b:00007fff5cfcbbc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000af
+kernel: RAX: ffffffffffffffda RBX: 00005569e0b83760 RCX: 00007effab6cf3ea
+kernel: RDX: 00007effac2099c5 RSI: 0000000000009a13 RDI: 00005569e0b98c50
+kernel: RBP: 00007effac2099c5 R08: 00005569e0b83ed0 R09: 0000000000001d80
+kernel: R10: 00007effab98db00 R11: 0000000000000246 R12: 00005569e0b98c50
+kernel: R13: 00005569e0b81c60 R14: 0000000000020000 R15: 00005569dfadfdf7
+kernel: Code: 48 39 c8 73 30 80 3d 59 60 9d 00 00 41 bc f5 ff ff ff 0f 85 26 ff ff ff 48 c7 c7 b8 6b d0 92 c6 05 3f 60 9d 00 01 e8 24 3d ad ff <0f> ff 8b 53 64 e9 09 ff ff ff 65 48 8b 0c 25 00 d3 00 00 48 8b
+kernel: ---[ end trace c4cae366180e70ec ]---
+kernel: as10x_usb: error during firmware upload part1
+
+Let's allocate the the structure dynamically so we can get the firmware
+loaded correctly:
+[ 14.243057] as10x_usb: firmware: as102_data1_st.hex loaded with success
+[ 14.500777] as10x_usb: firmware: as102_data2_st.hex loaded with success
+
+Signed-off-by: Michele Baldessari <michele@acksyn.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/as102/as102_fw.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/drivers/media/usb/as102/as102_fw.c
++++ b/drivers/media/usb/as102/as102_fw.c
+@@ -101,18 +101,23 @@ static int as102_firmware_upload(struct
+ unsigned char *cmd,
+ const struct firmware *firmware) {
+
+- struct as10x_fw_pkt_t fw_pkt;
++ struct as10x_fw_pkt_t *fw_pkt;
+ int total_read_bytes = 0, errno = 0;
+ unsigned char addr_has_changed = 0;
+
++ fw_pkt = kmalloc(sizeof(*fw_pkt), GFP_KERNEL);
++ if (!fw_pkt)
++ return -ENOMEM;
++
++
+ for (total_read_bytes = 0; total_read_bytes < firmware->size; ) {
+ int read_bytes = 0, data_len = 0;
+
+ /* parse intel hex line */
+ read_bytes = parse_hex_line(
+ (u8 *) (firmware->data + total_read_bytes),
+- fw_pkt.raw.address,
+- fw_pkt.raw.data,
++ fw_pkt->raw.address,
++ fw_pkt->raw.data,
+ &data_len,
+ &addr_has_changed);
+
+@@ -122,28 +127,28 @@ static int as102_firmware_upload(struct
+ /* detect the end of file */
+ total_read_bytes += read_bytes;
+ if (total_read_bytes == firmware->size) {
+- fw_pkt.u.request[0] = 0x00;
+- fw_pkt.u.request[1] = 0x03;
++ fw_pkt->u.request[0] = 0x00;
++ fw_pkt->u.request[1] = 0x03;
+
+ /* send EOF command */
+ errno = bus_adap->ops->upload_fw_pkt(bus_adap,
+ (uint8_t *)
+- &fw_pkt, 2, 0);
++ fw_pkt, 2, 0);
+ if (errno < 0)
+ goto error;
+ } else {
+ if (!addr_has_changed) {
+ /* prepare command to send */
+- fw_pkt.u.request[0] = 0x00;
+- fw_pkt.u.request[1] = 0x01;
++ fw_pkt->u.request[0] = 0x00;
++ fw_pkt->u.request[1] = 0x01;
+
+- data_len += sizeof(fw_pkt.u.request);
+- data_len += sizeof(fw_pkt.raw.address);
++ data_len += sizeof(fw_pkt->u.request);
++ data_len += sizeof(fw_pkt->raw.address);
+
+ /* send cmd to device */
+ errno = bus_adap->ops->upload_fw_pkt(bus_adap,
+ (uint8_t *)
+- &fw_pkt,
++ fw_pkt,
+ data_len,
+ 0);
+ if (errno < 0)
+@@ -152,6 +157,7 @@ static int as102_firmware_upload(struct
+ }
+ }
+ error:
++ kfree(fw_pkt);
+ return (errno == 0) ? total_read_bytes : errno;
+ }
+
--- /dev/null
+From 3e45067f94bbd61dec0619b1c32744eb0de480c8 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sun, 8 Oct 2017 14:18:52 -0400
+Subject: media: rc: check for integer overflow
+
+From: Sean Young <sean@mess.org>
+
+commit 3e45067f94bbd61dec0619b1c32744eb0de480c8 upstream.
+
+The ioctl LIRC_SET_REC_TIMEOUT would set a timeout of 704ns if called
+with a timeout of 4294968us.
+
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/ir-lirc-codec.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/rc/ir-lirc-codec.c
++++ b/drivers/media/rc/ir-lirc-codec.c
+@@ -298,11 +298,14 @@ static long ir_lirc_ioctl(struct file *f
+ if (!dev->max_timeout)
+ return -ENOTTY;
+
++ /* Check for multiply overflow */
++ if (val > U32_MAX / 1000)
++ return -EINVAL;
++
+ tmp = val * 1000;
+
+- if (tmp < dev->min_timeout ||
+- tmp > dev->max_timeout)
+- return -EINVAL;
++ if (tmp < dev->min_timeout || tmp > dev->max_timeout)
++ return -EINVAL;
+
+ if (dev->s_timeout)
+ ret = dev->s_timeout(dev, tmp);
--- /dev/null
+From 829bbf268894d0866bb9dd2b1e430cfa5c5f0779 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sun, 1 Oct 2017 16:38:29 -0400
+Subject: media: rc: nec decoder should not send both repeat and keycode
+
+From: Sean Young <sean@mess.org>
+
+commit 829bbf268894d0866bb9dd2b1e430cfa5c5f0779 upstream.
+
+When receiving an nec repeat, rc_repeat() is called and then rc_keydown()
+with the last decoded scancode. That last call is redundant.
+
+Fixes: 265a2988d202 ("media: rc-core: consistent use of rc_repeat()")
+
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/ir-nec-decoder.c | 31 ++++++++++++++++++-------------
+ 1 file changed, 18 insertions(+), 13 deletions(-)
+
+--- a/drivers/media/rc/ir-nec-decoder.c
++++ b/drivers/media/rc/ir-nec-decoder.c
+@@ -87,8 +87,6 @@ static int ir_nec_decode(struct rc_dev *
+ data->state = STATE_BIT_PULSE;
+ return 0;
+ } else if (eq_margin(ev.duration, NEC_REPEAT_SPACE, NEC_UNIT / 2)) {
+- rc_repeat(dev);
+- IR_dprintk(1, "Repeat last key\n");
+ data->state = STATE_TRAILER_PULSE;
+ return 0;
+ }
+@@ -151,19 +149,26 @@ static int ir_nec_decode(struct rc_dev *
+ if (!geq_margin(ev.duration, NEC_TRAILER_SPACE, NEC_UNIT / 2))
+ break;
+
+- address = bitrev8((data->bits >> 24) & 0xff);
+- not_address = bitrev8((data->bits >> 16) & 0xff);
+- command = bitrev8((data->bits >> 8) & 0xff);
+- not_command = bitrev8((data->bits >> 0) & 0xff);
+-
+- scancode = ir_nec_bytes_to_scancode(address, not_address,
+- command, not_command,
+- &rc_proto);
++ if (data->count == NEC_NBITS) {
++ address = bitrev8((data->bits >> 24) & 0xff);
++ not_address = bitrev8((data->bits >> 16) & 0xff);
++ command = bitrev8((data->bits >> 8) & 0xff);
++ not_command = bitrev8((data->bits >> 0) & 0xff);
++
++ scancode = ir_nec_bytes_to_scancode(address,
++ not_address,
++ command,
++ not_command,
++ &rc_proto);
++
++ if (data->is_nec_x)
++ data->necx_repeat = true;
+
+- if (data->is_nec_x)
+- data->necx_repeat = true;
++ rc_keydown(dev, rc_proto, scancode, 0);
++ } else {
++ rc_repeat(dev);
++ }
+
+- rc_keydown(dev, rc_proto, scancode, 0);
+ data->state = STATE_INACTIVE;
+ return 0;
+ }
--- /dev/null
+From 9cac9d2fb2fe0e0cadacdb94415b3fe49e3f724f Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ricardo.ribalda@gmail.com>
+Date: Tue, 17 Oct 2017 11:48:50 -0400
+Subject: media: v4l2-ctrl: Fix flags field on Control events
+
+From: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
+
+commit 9cac9d2fb2fe0e0cadacdb94415b3fe49e3f724f upstream.
+
+VIDIOC_DQEVENT and VIDIOC_QUERY_EXT_CTRL should give the same output for
+the control flags field.
+
+This patch creates a new function user_flags(), that calculates the user
+exported flags value (which is different than the kernel internal flags
+structure). This function is then used by all the code that exports the
+internal flags to userspace.
+
+Reported-by: Dimitrios Katsaros <patcherwork@gmail.com>
+Signed-off-by: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/v4l2-ctrls.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ctrls.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls.c
+@@ -1227,6 +1227,16 @@ void v4l2_ctrl_fill(u32 id, const char *
+ }
+ EXPORT_SYMBOL(v4l2_ctrl_fill);
+
++static u32 user_flags(const struct v4l2_ctrl *ctrl)
++{
++ u32 flags = ctrl->flags;
++
++ if (ctrl->is_ptr)
++ flags |= V4L2_CTRL_FLAG_HAS_PAYLOAD;
++
++ return flags;
++}
++
+ static void fill_event(struct v4l2_event *ev, struct v4l2_ctrl *ctrl, u32 changes)
+ {
+ memset(ev->reserved, 0, sizeof(ev->reserved));
+@@ -1234,7 +1244,7 @@ static void fill_event(struct v4l2_event
+ ev->id = ctrl->id;
+ ev->u.ctrl.changes = changes;
+ ev->u.ctrl.type = ctrl->type;
+- ev->u.ctrl.flags = ctrl->flags;
++ ev->u.ctrl.flags = user_flags(ctrl);
+ if (ctrl->is_ptr)
+ ev->u.ctrl.value64 = 0;
+ else
+@@ -2577,10 +2587,8 @@ int v4l2_query_ext_ctrl(struct v4l2_ctrl
+ else
+ qc->id = ctrl->id;
+ strlcpy(qc->name, ctrl->name, sizeof(qc->name));
+- qc->flags = ctrl->flags;
++ qc->flags = user_flags(ctrl);
+ qc->type = ctrl->type;
+- if (ctrl->is_ptr)
+- qc->flags |= V4L2_CTRL_FLAG_HAS_PAYLOAD;
+ qc->elem_size = ctrl->elem_size;
+ qc->elems = ctrl->elems;
+ qc->nr_of_dims = ctrl->nr_of_dims;
--- /dev/null
+From cd1a77e3c9cc6dbb57f02aa50e1740fc144d2dad Mon Sep 17 00:00:00 2001
+From: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Date: Mon, 9 Oct 2017 14:24:57 +0200
+Subject: media: venus: fix wrong size on dma_free
+
+From: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+
+commit cd1a77e3c9cc6dbb57f02aa50e1740fc144d2dad upstream.
+
+This change will fix an issue with dma_free size found with
+DMA API debug enabled.
+
+Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/qcom/venus/hfi_venus.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/hfi_venus.c
++++ b/drivers/media/platform/qcom/venus/hfi_venus.c
+@@ -344,7 +344,7 @@ static int venus_alloc(struct venus_hfi_
+ desc->attrs = DMA_ATTR_WRITE_COMBINE;
+ desc->size = ALIGN(size, SZ_4K);
+
+- desc->kva = dma_alloc_attrs(dev, size, &desc->da, GFP_KERNEL,
++ desc->kva = dma_alloc_attrs(dev, desc->size, &desc->da, GFP_KERNEL,
+ desc->attrs);
+ if (!desc->kva)
+ return -ENOMEM;
+@@ -710,10 +710,8 @@ static int venus_interface_queues_init(s
+ if (ret)
+ return ret;
+
+- hdev->ifaceq_table.kva = desc.kva;
+- hdev->ifaceq_table.da = desc.da;
+- hdev->ifaceq_table.size = IFACEQ_TABLE_SIZE;
+- offset = hdev->ifaceq_table.size;
++ hdev->ifaceq_table = desc;
++ offset = IFACEQ_TABLE_SIZE;
+
+ for (i = 0; i < IFACEQ_NUM; i++) {
+ queue = &hdev->queues[i];
+@@ -755,9 +753,7 @@ static int venus_interface_queues_init(s
+ if (ret) {
+ hdev->sfr.da = 0;
+ } else {
+- hdev->sfr.da = desc.da;
+- hdev->sfr.kva = desc.kva;
+- hdev->sfr.size = ALIGNED_SFR_SIZE;
++ hdev->sfr = desc;
+ sfr = hdev->sfr.kva;
+ sfr->buf_size = ALIGNED_SFR_SIZE;
+ }
--- /dev/null
+From e69b987a97599456b95b5fef4aca8dcdb1505aea Mon Sep 17 00:00:00 2001
+From: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Date: Fri, 13 Oct 2017 16:13:17 +0200
+Subject: media: venus: reimplement decoder stop command
+
+From: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+
+commit e69b987a97599456b95b5fef4aca8dcdb1505aea upstream.
+
+This addresses the wrong behavior of decoder stop command by
+rewriting it. These new implementation enqueue an empty buffer
+on the decoder input buffer queue to signal end-of-stream. The
+client should stop queuing buffers on the V4L2 Output queue
+and continue queuing/dequeuing buffers on Capture queue. This
+process will continue until the client receives a buffer with
+V4L2_BUF_FLAG_LAST flag raised, which means that this is last
+decoded buffer with data.
+
+Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Tested-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/qcom/venus/core.h | 2 -
+ drivers/media/platform/qcom/venus/helpers.c | 7 -----
+ drivers/media/platform/qcom/venus/hfi.c | 1
+ drivers/media/platform/qcom/venus/vdec.c | 34 ++++++++++++++++++----------
+ 4 files changed, 24 insertions(+), 20 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/core.h
++++ b/drivers/media/platform/qcom/venus/core.h
+@@ -194,7 +194,6 @@ struct venus_buffer {
+ * @fh: a holder of v4l file handle structure
+ * @streamon_cap: stream on flag for capture queue
+ * @streamon_out: stream on flag for output queue
+- * @cmd_stop: a flag to signal encoder/decoder commands
+ * @width: current capture width
+ * @height: current capture height
+ * @out_width: current output width
+@@ -258,7 +257,6 @@ struct venus_inst {
+ } controls;
+ struct v4l2_fh fh;
+ unsigned int streamon_cap, streamon_out;
+- bool cmd_stop;
+ u32 width;
+ u32 height;
+ u32 out_width;
+--- a/drivers/media/platform/qcom/venus/helpers.c
++++ b/drivers/media/platform/qcom/venus/helpers.c
+@@ -623,13 +623,6 @@ void venus_helper_vb2_buf_queue(struct v
+
+ mutex_lock(&inst->lock);
+
+- if (inst->cmd_stop) {
+- vbuf->flags |= V4L2_BUF_FLAG_LAST;
+- v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_DONE);
+- inst->cmd_stop = false;
+- goto unlock;
+- }
+-
+ v4l2_m2m_buf_queue(m2m_ctx, vbuf);
+
+ if (!(inst->streamon_out & inst->streamon_cap))
+--- a/drivers/media/platform/qcom/venus/hfi.c
++++ b/drivers/media/platform/qcom/venus/hfi.c
+@@ -484,6 +484,7 @@ int hfi_session_process_buf(struct venus
+
+ return -EINVAL;
+ }
++EXPORT_SYMBOL_GPL(hfi_session_process_buf);
+
+ irqreturn_t hfi_isr_thread(int irq, void *dev_id)
+ {
+--- a/drivers/media/platform/qcom/venus/vdec.c
++++ b/drivers/media/platform/qcom/venus/vdec.c
+@@ -469,8 +469,14 @@ static int vdec_subscribe_event(struct v
+ static int
+ vdec_try_decoder_cmd(struct file *file, void *fh, struct v4l2_decoder_cmd *cmd)
+ {
+- if (cmd->cmd != V4L2_DEC_CMD_STOP)
++ switch (cmd->cmd) {
++ case V4L2_DEC_CMD_STOP:
++ if (cmd->flags & V4L2_DEC_CMD_STOP_TO_BLACK)
++ return -EINVAL;
++ break;
++ default:
+ return -EINVAL;
++ }
+
+ return 0;
+ }
+@@ -479,6 +485,7 @@ static int
+ vdec_decoder_cmd(struct file *file, void *fh, struct v4l2_decoder_cmd *cmd)
+ {
+ struct venus_inst *inst = to_inst(file);
++ struct hfi_frame_data fdata = {0};
+ int ret;
+
+ ret = vdec_try_decoder_cmd(file, fh, cmd);
+@@ -486,12 +493,23 @@ vdec_decoder_cmd(struct file *file, void
+ return ret;
+
+ mutex_lock(&inst->lock);
+- inst->cmd_stop = true;
+- mutex_unlock(&inst->lock);
+
+- hfi_session_flush(inst);
++ /*
++ * Implement V4L2_DEC_CMD_STOP by enqueue an empty buffer on decoder
++ * input to signal EOS.
++ */
++ if (!(inst->streamon_out & inst->streamon_cap))
++ goto unlock;
++
++ fdata.buffer_type = HFI_BUFFER_INPUT;
++ fdata.flags |= HFI_BUFFERFLAG_EOS;
++ fdata.device_addr = 0xdeadbeef;
+
+- return 0;
++ ret = hfi_session_process_buf(inst, &fdata);
++
++unlock:
++ mutex_unlock(&inst->lock);
++ return ret;
+ }
+
+ static const struct v4l2_ioctl_ops vdec_ioctl_ops = {
+@@ -718,7 +736,6 @@ static int vdec_start_streaming(struct v
+ inst->reconfig = false;
+ inst->sequence_cap = 0;
+ inst->sequence_out = 0;
+- inst->cmd_stop = false;
+
+ ret = vdec_init_session(inst);
+ if (ret)
+@@ -807,11 +824,6 @@ static void vdec_buf_done(struct venus_i
+ vb->timestamp = timestamp_us * NSEC_PER_USEC;
+ vbuf->sequence = inst->sequence_cap++;
+
+- if (inst->cmd_stop) {
+- vbuf->flags |= V4L2_BUF_FLAG_LAST;
+- inst->cmd_stop = false;
+- }
+-
+ if (vbuf->flags & V4L2_BUF_FLAG_LAST) {
+ const struct v4l2_event ev = { .type = V4L2_EVENT_EOS };
+
--- /dev/null
+From 5232c37ce244db04fd50d160b92e40d2df46a2e9 Mon Sep 17 00:00:00 2001
+From: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Date: Tue, 10 Oct 2017 09:52:36 +0200
+Subject: media: venus: venc: fix bytesused v4l2_plane field
+
+From: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+
+commit 5232c37ce244db04fd50d160b92e40d2df46a2e9 upstream.
+
+This fixes wrongly filled bytesused field of v4l2_plane structure
+by include data_offset in the plane, Also fill data_offset and
+bytesused for capture type of buffers only.
+
+Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/qcom/venus/venc.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/venc.c
++++ b/drivers/media/platform/qcom/venus/venc.c
+@@ -963,13 +963,12 @@ static void venc_buf_done(struct venus_i
+ if (!vbuf)
+ return;
+
+- vb = &vbuf->vb2_buf;
+- vb->planes[0].bytesused = bytesused;
+- vb->planes[0].data_offset = data_offset;
+-
+ vbuf->flags = flags;
+
+ if (type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) {
++ vb = &vbuf->vb2_buf;
++ vb2_set_plane_payload(vb, 0, bytesused + data_offset);
++ vb->planes[0].data_offset = data_offset;
+ vb->timestamp = timestamp_us * NSEC_PER_USEC;
+ vbuf->sequence = inst->sequence_cap++;
+ } else {
--- /dev/null
+From 05f016d2ca7a4fab99d5d5472168506ddf95e74f Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Sat, 11 Nov 2017 17:11:16 -0500
+Subject: parisc: Fix validity check of pointer size argument in new CAS implementation
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit 05f016d2ca7a4fab99d5d5472168506ddf95e74f upstream.
+
+As noted by Christoph Biedl, passing a pointer size of 4 in the new CAS
+implementation causes a kernel crash. The attached patch corrects the
+off by one error in the argument validity check.
+
+In reviewing the code, I noticed that we only perform word operations
+with the pointer size argument. The subi instruction intentionally uses
+a word condition on 64-bit kernels. Nullification was used instead of a
+cmpib instruction as the branch should never be taken. The shlw
+pseudo-operation generates a depw,z instruction and it clears the target
+before doing a shift left word deposit. Thus, we don't need to clip the
+upper 32 bits of this argument on 64-bit kernels.
+
+Tested with a gcc testsuite run with a 64-bit kernel. The gcc atomic
+code in libgcc is the only direct user of the new CAS implementation
+that I am aware of.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/syscall.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/parisc/kernel/syscall.S
++++ b/arch/parisc/kernel/syscall.S
+@@ -690,15 +690,15 @@ cas_action:
+ /* ELF32 Process entry path */
+ lws_compare_and_swap_2:
+ #ifdef CONFIG_64BIT
+- /* Clip the input registers */
++ /* Clip the input registers. We don't need to clip %r23 as we
++ only use it for word operations */
+ depdi 0, 31, 32, %r26
+ depdi 0, 31, 32, %r25
+ depdi 0, 31, 32, %r24
+- depdi 0, 31, 32, %r23
+ #endif
+
+ /* Check the validity of the size pointer */
+- subi,>>= 4, %r23, %r0
++ subi,>>= 3, %r23, %r0
+ b,n lws_exit_nosys
+
+ /* Jump to the functions which will load the old and new values into
--- /dev/null
+From 475b581ff57bc01437cbc680e281869918447763 Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Tue, 14 Nov 2017 15:48:47 +1100
+Subject: powerpc/64s: Fix masking of SRR1 bits on instruction fault
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 475b581ff57bc01437cbc680e281869918447763 upstream.
+
+On 64-bit Book3s, when we take an instruction fault the reason for the
+fault may be reported in SRR1. For data faults the reason is reported
+in DSISR (Data Storage Instruction Status Register).
+
+The reasons reported in each do not necessarily correspond, so we mask
+the SRR1 bits before copying them to the DSISR, which is then used by
+the page fault code.
+
+Prior to commit b4c001dc44f0 ("powerpc/mm: Use symbolic constants for
+filtering SRR1 bits on ISIs") we used a hard-coded mask of 0x58200000,
+which corresponds to:
+
+ DSISR_NOHPTE 0x40000000 /* no translation found */
+ DSISR_NOEXEC_OR_G 0x10000000 /* exec of no-exec or guarded */
+ DSISR_PROTFAULT 0x08000000 /* protection fault */
+ DSISR_KEYFAULT 0x00200000 /* Storage Key fault */
+
+That commit added a #define for the mask, DSISR_SRR1_MATCH_64S, but
+incorrectly used a different similarly named DSISR_BAD_FAULT_64S.
+
+This had the effect of changing the mask to 0xa43a0000, which omits
+everything but DSISR_KEYFAULT.
+
+Luckily this had no visible effect, because in practice we hardly use
+the DSISR bits. The lack of DSISR_NOHPTE means a TLB flush
+optimisation was missed in the native HPTE code, and DSISR_NOEXEC_OR_G
+and DSISR_PROTFAULT are both only used to trigger rare warnings.
+
+So we got lucky, but let's fix it. The new value only has bits between
+17 and 30 set, so we can continue to use andis.
+
+Fixes: b4c001dc44f0 ("powerpc/mm: Use symbolic constants for filtering SRR1 bits on ISIs")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -542,7 +542,7 @@ EXC_COMMON_BEGIN(instruction_access_comm
+ RECONCILE_IRQ_STATE(r10, r11)
+ ld r12,_MSR(r1)
+ ld r3,_NIP(r1)
+- andis. r4,r12,DSISR_BAD_FAULT_64S@h
++ andis. r4,r12,DSISR_SRR1_MATCH_64S@h
+ li r5,0x400
+ std r3,_DAR(r1)
+ std r4,_DSISR(r1)
--- /dev/null
+From 35602f82d0c765f991420e319c8d3a596c921eb8 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Fri, 10 Nov 2017 04:27:38 +1100
+Subject: powerpc/64s/hash: Allow MAP_FIXED allocations to cross 128TB boundary
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit 35602f82d0c765f991420e319c8d3a596c921eb8 upstream.
+
+While mapping hints with a length that cross 128TB are disallowed,
+MAP_FIXED allocations that cross 128TB are allowed. These are failing
+on hash (on radix they succeed). Add an additional case for fixed
+mappings to expand the addr_limit when crossing 128TB.
+
+Fixes: f4ea6dcb08ea ("powerpc/mm: Enable mappings above 128TB")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/slice.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/mm/slice.c
++++ b/arch/powerpc/mm/slice.c
+@@ -418,7 +418,7 @@ unsigned long slice_get_unmapped_area(un
+ unsigned long high_limit;
+
+ high_limit = DEFAULT_MAP_WINDOW;
+- if (addr >= high_limit)
++ if (addr >= high_limit || (fixed && (addr + len > high_limit)))
+ high_limit = TASK_SIZE;
+
+ if (len > high_limit)
--- /dev/null
+From 6a72dc038b615229a1b285829d6c8378d15c2347 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Fri, 10 Nov 2017 04:27:36 +1100
+Subject: powerpc/64s/hash: Fix 128TB-512TB virtual address boundary case allocation
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit 6a72dc038b615229a1b285829d6c8378d15c2347 upstream.
+
+When allocating VA space with a hint that crosses 128TB, the SLB
+addr_limit variable is not expanded if addr is not > 128TB, but the
+slice allocation looks at task_size, which is 512TB. This results in
+slice_check_fit() incorrectly succeeding because the slice_count
+truncates off bit 128 of the requested mask, so the comparison to the
+available mask succeeds.
+
+Fix this by using mm->context.addr_limit instead of mm->task_size for
+testing allocation limits. This causes such allocations to fail.
+
+Fixes: f4ea6dcb08ea ("powerpc/mm: Enable mappings above 128TB")
+Reported-by: Florian Weimer <fweimer@redhat.com>
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/slice.c | 50 +++++++++++++++++++++++-------------------------
+ 1 file changed, 24 insertions(+), 26 deletions(-)
+
+--- a/arch/powerpc/mm/slice.c
++++ b/arch/powerpc/mm/slice.c
+@@ -96,7 +96,7 @@ static int slice_area_is_free(struct mm_
+ {
+ struct vm_area_struct *vma;
+
+- if ((mm->task_size - len) < addr)
++ if ((mm->context.addr_limit - len) < addr)
+ return 0;
+ vma = find_vma(mm, addr);
+ return (!vma || (addr + len) <= vm_start_gap(vma));
+@@ -133,7 +133,7 @@ static void slice_mask_for_free(struct m
+ if (!slice_low_has_vma(mm, i))
+ ret->low_slices |= 1u << i;
+
+- if (mm->task_size <= SLICE_LOW_TOP)
++ if (mm->context.addr_limit <= SLICE_LOW_TOP)
+ return;
+
+ for (i = 0; i < GET_HIGH_SLICE_INDEX(mm->context.addr_limit); i++)
+@@ -412,25 +412,31 @@ unsigned long slice_get_unmapped_area(un
+ struct slice_mask compat_mask;
+ int fixed = (flags & MAP_FIXED);
+ int pshift = max_t(int, mmu_psize_defs[psize].shift, PAGE_SHIFT);
++ unsigned long page_size = 1UL << pshift;
+ struct mm_struct *mm = current->mm;
+ unsigned long newaddr;
+ unsigned long high_limit;
+
+- /*
+- * Check if we need to expland slice area.
+- */
+- if (unlikely(addr >= mm->context.addr_limit &&
+- mm->context.addr_limit != TASK_SIZE)) {
+- mm->context.addr_limit = TASK_SIZE;
++ high_limit = DEFAULT_MAP_WINDOW;
++ if (addr >= high_limit)
++ high_limit = TASK_SIZE;
++
++ if (len > high_limit)
++ return -ENOMEM;
++ if (len & (page_size - 1))
++ return -EINVAL;
++ if (fixed) {
++ if (addr & (page_size - 1))
++ return -EINVAL;
++ if (addr > high_limit - len)
++ return -ENOMEM;
++ }
++
++ if (high_limit > mm->context.addr_limit) {
++ mm->context.addr_limit = high_limit;
+ on_each_cpu(slice_flush_segments, mm, 1);
+ }
+- /*
+- * This mmap request can allocate upt to 512TB
+- */
+- if (addr >= DEFAULT_MAP_WINDOW)
+- high_limit = mm->context.addr_limit;
+- else
+- high_limit = DEFAULT_MAP_WINDOW;
++
+ /*
+ * init different masks
+ */
+@@ -446,27 +452,19 @@ unsigned long slice_get_unmapped_area(un
+
+ /* Sanity checks */
+ BUG_ON(mm->task_size == 0);
++ BUG_ON(mm->context.addr_limit == 0);
+ VM_BUG_ON(radix_enabled());
+
+ slice_dbg("slice_get_unmapped_area(mm=%p, psize=%d...\n", mm, psize);
+ slice_dbg(" addr=%lx, len=%lx, flags=%lx, topdown=%d\n",
+ addr, len, flags, topdown);
+
+- if (len > mm->task_size)
+- return -ENOMEM;
+- if (len & ((1ul << pshift) - 1))
+- return -EINVAL;
+- if (fixed && (addr & ((1ul << pshift) - 1)))
+- return -EINVAL;
+- if (fixed && addr > (mm->task_size - len))
+- return -ENOMEM;
+-
+ /* If hint, make sure it matches our alignment restrictions */
+ if (!fixed && addr) {
+- addr = _ALIGN_UP(addr, 1ul << pshift);
++ addr = _ALIGN_UP(addr, page_size);
+ slice_dbg(" aligned addr=%lx\n", addr);
+ /* Ignore hint if it's too large or overlaps a VMA */
+- if (addr > mm->task_size - len ||
++ if (addr > high_limit - len ||
+ !slice_area_is_free(mm, addr, len))
+ addr = 0;
+ }
--- /dev/null
+From 7ece370996b694ae263025e056ad785afc1be5ab Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Mon, 13 Nov 2017 23:17:28 +1100
+Subject: powerpc/64s/hash: Fix 512T hint detection to use >= 128T
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 7ece370996b694ae263025e056ad785afc1be5ab upstream.
+
+Currently userspace is able to request mmap() search between 128T-512T
+by specifying a hint address that is greater than 128T. But that means
+a hint of 128T exactly will return an address below 128T, which is
+confusing and wrong.
+
+So fix the logic to check the hint is greater than *or equal* to 128T.
+
+Fixes: f4ea6dcb08ea ("powerpc/mm: Enable mappings above 128TB")
+Suggested-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Suggested-by: Nicholas Piggin <npiggin@gmail.com>
+[mpe: Split out of Nick's bigger patch]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/slice.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/mm/slice.c
++++ b/arch/powerpc/mm/slice.c
+@@ -419,7 +419,7 @@ unsigned long slice_get_unmapped_area(un
+ /*
+ * Check if we need to expland slice area.
+ */
+- if (unlikely(addr > mm->context.addr_limit &&
++ if (unlikely(addr >= mm->context.addr_limit &&
+ mm->context.addr_limit != TASK_SIZE)) {
+ mm->context.addr_limit = TASK_SIZE;
+ on_each_cpu(slice_flush_segments, mm, 1);
+@@ -427,7 +427,7 @@ unsigned long slice_get_unmapped_area(un
+ /*
+ * This mmap request can allocate upt to 512TB
+ */
+- if (addr > DEFAULT_MAP_WINDOW)
++ if (addr >= DEFAULT_MAP_WINDOW)
+ high_limit = mm->context.addr_limit;
+ else
+ high_limit = DEFAULT_MAP_WINDOW;
--- /dev/null
+From effc1b25088502fbd30305c79773de2d1f7470a6 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Fri, 10 Nov 2017 04:27:37 +1100
+Subject: powerpc/64s/hash: Fix fork() with 512TB process address space
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit effc1b25088502fbd30305c79773de2d1f7470a6 upstream.
+
+Hash unconditionally resets the addr_limit to default (128TB) when the
+mm context is initialised. If a process has > 128TB mappings when it
+forks, the child will not get the 512TB addr_limit, so accesses to
+valid > 128TB mappings will fail in the child.
+
+Fix this by only resetting the addr_limit to default if it was 0. Non
+zero indicates it was duplicated from the parent (0 means exec()).
+
+Fixes: f4ea6dcb08ea ("powerpc/mm: Enable mappings above 128TB")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/mmu_context_book3s64.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/powerpc/mm/mmu_context_book3s64.c
++++ b/arch/powerpc/mm/mmu_context_book3s64.c
+@@ -93,11 +93,11 @@ static int hash__init_new_context(struct
+ return index;
+
+ /*
+- * We do switch_slb() early in fork, even before we setup the
+- * mm->context.addr_limit. Default to max task size so that we copy the
+- * default values to paca which will help us to handle slb miss early.
++ * In the case of exec, use the default limit,
++ * otherwise inherit it from the mm we are duplicating.
+ */
+- mm->context.addr_limit = DEFAULT_MAP_WINDOW_USER64;
++ if (!mm->context.addr_limit)
++ mm->context.addr_limit = DEFAULT_MAP_WINDOW_USER64;
+
+ /*
+ * The old code would re-promote on fork, we don't do that when using
--- /dev/null
+From 85e3f1adcb9d49300b0a943bb93f9604be375bfb Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Fri, 10 Nov 2017 04:27:39 +1100
+Subject: powerpc/64s/radix: Fix 128TB-512TB virtual address boundary case allocation
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit 85e3f1adcb9d49300b0a943bb93f9604be375bfb upstream.
+
+Radix VA space allocations test addresses against mm->task_size which
+is 512TB, even in cases where the intention is to limit allocation to
+below 128TB.
+
+This results in mmap with a hint address below 128TB but address +
+length above 128TB succeeding when it should fail (as hash does after
+the previous patch).
+
+Set the high address limit to be considered up front, and base
+subsequent allocation checks on that consistently.
+
+Fixes: f4ea6dcb08ea ("powerpc/mm: Enable mappings above 128TB")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/hugetlbpage-radix.c | 26 +++++++++++------
+ arch/powerpc/mm/mmap.c | 55 +++++++++++++++++++++---------------
+ 2 files changed, 50 insertions(+), 31 deletions(-)
+
+--- a/arch/powerpc/mm/hugetlbpage-radix.c
++++ b/arch/powerpc/mm/hugetlbpage-radix.c
+@@ -49,17 +49,28 @@ radix__hugetlb_get_unmapped_area(struct
+ struct mm_struct *mm = current->mm;
+ struct vm_area_struct *vma;
+ struct hstate *h = hstate_file(file);
++ int fixed = (flags & MAP_FIXED);
++ unsigned long high_limit;
+ struct vm_unmapped_area_info info;
+
+- if (unlikely(addr > mm->context.addr_limit && addr < TASK_SIZE))
+- mm->context.addr_limit = TASK_SIZE;
++ high_limit = DEFAULT_MAP_WINDOW;
++ if (addr >= high_limit || (fixed && (addr + len > high_limit)))
++ high_limit = TASK_SIZE;
+
+ if (len & ~huge_page_mask(h))
+ return -EINVAL;
+- if (len > mm->task_size)
++ if (len > high_limit)
+ return -ENOMEM;
++ if (fixed) {
++ if (addr > high_limit - len)
++ return -ENOMEM;
++ }
+
+- if (flags & MAP_FIXED) {
++ if (unlikely(addr > mm->context.addr_limit &&
++ mm->context.addr_limit != TASK_SIZE))
++ mm->context.addr_limit = TASK_SIZE;
++
++ if (fixed) {
+ if (prepare_hugepage_range(file, addr, len))
+ return -EINVAL;
+ return addr;
+@@ -68,7 +79,7 @@ radix__hugetlb_get_unmapped_area(struct
+ if (addr) {
+ addr = ALIGN(addr, huge_page_size(h));
+ vma = find_vma(mm, addr);
+- if (mm->task_size - len >= addr &&
++ if (high_limit - len >= addr &&
+ (!vma || addr + len <= vm_start_gap(vma)))
+ return addr;
+ }
+@@ -79,12 +90,9 @@ radix__hugetlb_get_unmapped_area(struct
+ info.flags = VM_UNMAPPED_AREA_TOPDOWN;
+ info.length = len;
+ info.low_limit = PAGE_SIZE;
+- info.high_limit = current->mm->mmap_base;
++ info.high_limit = mm->mmap_base + (high_limit - DEFAULT_MAP_WINDOW);
+ info.align_mask = PAGE_MASK & ~huge_page_mask(h);
+ info.align_offset = 0;
+
+- if (addr > DEFAULT_MAP_WINDOW)
+- info.high_limit += mm->context.addr_limit - DEFAULT_MAP_WINDOW;
+-
+ return vm_unmapped_area(&info);
+ }
+--- a/arch/powerpc/mm/mmap.c
++++ b/arch/powerpc/mm/mmap.c
+@@ -106,22 +106,32 @@ radix__arch_get_unmapped_area(struct fil
+ {
+ struct mm_struct *mm = current->mm;
+ struct vm_area_struct *vma;
++ int fixed = (flags & MAP_FIXED);
++ unsigned long high_limit;
+ struct vm_unmapped_area_info info;
+
++ high_limit = DEFAULT_MAP_WINDOW;
++ if (addr >= high_limit || (fixed && (addr + len > high_limit)))
++ high_limit = TASK_SIZE;
++
++ if (len > high_limit)
++ return -ENOMEM;
++ if (fixed) {
++ if (addr > high_limit - len)
++ return -ENOMEM;
++ }
++
+ if (unlikely(addr > mm->context.addr_limit &&
+ mm->context.addr_limit != TASK_SIZE))
+ mm->context.addr_limit = TASK_SIZE;
+
+- if (len > mm->task_size - mmap_min_addr)
+- return -ENOMEM;
+-
+- if (flags & MAP_FIXED)
++ if (fixed)
+ return addr;
+
+ if (addr) {
+ addr = PAGE_ALIGN(addr);
+ vma = find_vma(mm, addr);
+- if (mm->task_size - len >= addr && addr >= mmap_min_addr &&
++ if (high_limit - len >= addr && addr >= mmap_min_addr &&
+ (!vma || addr + len <= vm_start_gap(vma)))
+ return addr;
+ }
+@@ -129,13 +139,9 @@ radix__arch_get_unmapped_area(struct fil
+ info.flags = 0;
+ info.length = len;
+ info.low_limit = mm->mmap_base;
++ info.high_limit = high_limit;
+ info.align_mask = 0;
+
+- if (unlikely(addr > DEFAULT_MAP_WINDOW))
+- info.high_limit = mm->context.addr_limit;
+- else
+- info.high_limit = DEFAULT_MAP_WINDOW;
+-
+ return vm_unmapped_area(&info);
+ }
+
+@@ -149,37 +155,42 @@ radix__arch_get_unmapped_area_topdown(st
+ struct vm_area_struct *vma;
+ struct mm_struct *mm = current->mm;
+ unsigned long addr = addr0;
++ int fixed = (flags & MAP_FIXED);
++ unsigned long high_limit;
+ struct vm_unmapped_area_info info;
+
++ high_limit = DEFAULT_MAP_WINDOW;
++ if (addr >= high_limit || (fixed && (addr + len > high_limit)))
++ high_limit = TASK_SIZE;
++
++ if (len > high_limit)
++ return -ENOMEM;
++ if (fixed) {
++ if (addr > high_limit - len)
++ return -ENOMEM;
++ }
++
+ if (unlikely(addr > mm->context.addr_limit &&
+ mm->context.addr_limit != TASK_SIZE))
+ mm->context.addr_limit = TASK_SIZE;
+
+- /* requested length too big for entire address space */
+- if (len > mm->task_size - mmap_min_addr)
+- return -ENOMEM;
+-
+- if (flags & MAP_FIXED)
++ if (fixed)
+ return addr;
+
+- /* requesting a specific address */
+ if (addr) {
+ addr = PAGE_ALIGN(addr);
+ vma = find_vma(mm, addr);
+- if (mm->task_size - len >= addr && addr >= mmap_min_addr &&
+- (!vma || addr + len <= vm_start_gap(vma)))
++ if (high_limit - len >= addr && addr >= mmap_min_addr &&
++ (!vma || addr + len <= vm_start_gap(vma)))
+ return addr;
+ }
+
+ info.flags = VM_UNMAPPED_AREA_TOPDOWN;
+ info.length = len;
+ info.low_limit = max(PAGE_SIZE, mmap_min_addr);
+- info.high_limit = mm->mmap_base;
++ info.high_limit = mm->mmap_base + (high_limit - DEFAULT_MAP_WINDOW);
+ info.align_mask = 0;
+
+- if (addr > DEFAULT_MAP_WINDOW)
+- info.high_limit += mm->context.addr_limit - DEFAULT_MAP_WINDOW;
+-
+ addr = vm_unmapped_area(&info);
+ if (!(addr & ~PAGE_MASK))
+ return addr;
--- /dev/null
+From 252eb55816a6f69ef9464cad303cdb3326cdc61d Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Tue, 21 Nov 2017 15:28:20 +0100
+Subject: powerpc: Fix boot on BOOK3S_32 with CONFIG_STRICT_KERNEL_RWX
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+commit 252eb55816a6f69ef9464cad303cdb3326cdc61d upstream.
+
+On powerpc32, patch_instruction() is called by apply_feature_fixups()
+which is called from early_init()
+
+There is the following note in front of early_init():
+ * Note that the kernel may be running at an address which is different
+ * from the address that it was linked at, so we must use RELOC/PTRRELOC
+ * to access static data (including strings). -- paulus
+
+Therefore, slab_is_available() cannot be called yet, and
+text_poke_area must be addressed with PTRRELOC()
+
+Fixes: 95902e6c8864 ("powerpc/mm: Implement STRICT_KERNEL_RWX on PPC32")
+Reported-by: Meelis Roos <mroos@linux.ee>
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/lib/code-patching.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/arch/powerpc/lib/code-patching.c
++++ b/arch/powerpc/lib/code-patching.c
+@@ -21,6 +21,7 @@
+ #include <asm/tlbflush.h>
+ #include <asm/page.h>
+ #include <asm/code-patching.h>
++#include <asm/setup.h>
+
+ static int __patch_instruction(unsigned int *addr, unsigned int instr)
+ {
+@@ -146,11 +147,8 @@ int patch_instruction(unsigned int *addr
+ * During early early boot patch_instruction is called
+ * when text_poke_area is not ready, but we still need
+ * to allow patching. We just do the plain old patching
+- * We use slab_is_available and per cpu read * via this_cpu_read
+- * of text_poke_area. Per-CPU areas might not be up early
+- * this can create problems with just using this_cpu_read()
+ */
+- if (!slab_is_available() || !this_cpu_read(text_poke_area))
++ if (!this_cpu_read(*PTRRELOC(&text_poke_area)))
+ return __patch_instruction(addr, instr);
+
+ local_irq_save(flags);
--- /dev/null
+From f79ad50ea3c73fb1ea5b09e95c864e5bb263adfb Mon Sep 17 00:00:00 2001
+From: Balbir Singh <bsingharora@gmail.com>
+Date: Mon, 16 Oct 2017 16:21:35 +1100
+Subject: powerpc/mm/radix: Fix crashes on Power9 DD1 with radix MMU and STRICT_RWX
+
+From: Balbir Singh <bsingharora@gmail.com>
+
+commit f79ad50ea3c73fb1ea5b09e95c864e5bb263adfb upstream.
+
+When using the radix MMU on Power9 DD1, to work around a hardware
+problem, radix__pte_update() is required to do a two stage update of
+the PTE. First we write a zero value into the PTE, then we flush the
+TLB, and then we write the new PTE value.
+
+In the normal case that works OK, but it does not work if we're
+updating the PTE that maps the code we're executing, because the
+mapping is removed by the TLB flush and we can no longer execute from
+it. Unfortunately the STRICT_RWX code needs to do exactly that.
+
+The exact symptoms when we hit this case vary, sometimes we print an
+oops and then get stuck after that, but I've also seen a machine just
+get stuck continually page faulting with no oops printed. The variance
+is presumably due to the exact layout of the text and the page size
+used for the mappings. In all cases we are unable to boot to a shell.
+
+There are possible solutions such as creating a second mapping of the
+TLB flush code, executing from that, and then jumping back to the
+original. However we don't want to add that level of complexity for a
+DD1 work around.
+
+So just detect that we're running on Power9 DD1 and refrain from
+changing the permissions, effectively disabling STRICT_RWX on Power9
+DD1.
+
+Fixes: 7614ff3272a1 ("powerpc/mm/radix: Implement STRICT_RWX/mark_rodata_ro() for Radix")
+Reported-by: Andrew Jeffery <andrew@aj.id.au>
+[Changelog as suggested by Michael Ellerman <mpe@ellerman.id.au>]
+Signed-off-by: Balbir Singh <bsingharora@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/pgtable-radix.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/powerpc/mm/pgtable-radix.c
++++ b/arch/powerpc/mm/pgtable-radix.c
+@@ -169,6 +169,16 @@ void radix__mark_rodata_ro(void)
+ {
+ unsigned long start, end;
+
++ /*
++ * mark_rodata_ro() will mark itself as !writable at some point.
++ * Due to DD1 workaround in radix__pte_update(), we'll end up with
++ * an invalid pte and the system will crash quite severly.
++ */
++ if (cpu_has_feature(CPU_FTR_POWER9_DD1)) {
++ pr_warn("Warning: Unable to mark rodata read only on P9 DD1\n");
++ return;
++ }
++
+ start = (unsigned long)_stext;
+ end = (unsigned long)__init_begin;
+
--- /dev/null
+From f3f1dfd600ff82b18b7ea73d80eb27f476a6aa97 Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Mon, 16 Oct 2017 00:13:41 +0530
+Subject: powerpc/perf/imc: Use cpu_to_node() not topology_physical_package_id()
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit f3f1dfd600ff82b18b7ea73d80eb27f476a6aa97 upstream.
+
+init_imc_pmu() uses topology_physical_package_id() to detect the
+node id of the processor it is on to get local memory, but that's
+wrong, and can lead to crashes. Fix it to use cpu_to_node().
+
+Fixes: 885dcd709ba9 ("powerpc/perf: Add nest IMC PMU support")
+Reported-By: Rob Lippert <rlippert@google.com>
+Tested-By: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/perf/imc-pmu.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/perf/imc-pmu.c
++++ b/arch/powerpc/perf/imc-pmu.c
+@@ -467,7 +467,7 @@ static int nest_imc_event_init(struct pe
+ * Nest HW counter memory resides in a per-chip reserve-memory (HOMER).
+ * Get the base memory addresss for this cpu.
+ */
+- chip_id = topology_physical_package_id(event->cpu);
++ chip_id = cpu_to_chip_id(event->cpu);
+ pcni = pmu->mem_info;
+ do {
+ if (pcni->id == chip_id) {
+@@ -524,19 +524,19 @@ static int nest_imc_event_init(struct pe
+ */
+ static int core_imc_mem_init(int cpu, int size)
+ {
+- int phys_id, rc = 0, core_id = (cpu / threads_per_core);
++ int nid, rc = 0, core_id = (cpu / threads_per_core);
+ struct imc_mem_info *mem_info;
+
+ /*
+ * alloc_pages_node() will allocate memory for core in the
+ * local node only.
+ */
+- phys_id = topology_physical_package_id(cpu);
++ nid = cpu_to_node(cpu);
+ mem_info = &core_imc_pmu->mem_info[core_id];
+ mem_info->id = core_id;
+
+ /* We need only vbase for core counters */
+- mem_info->vbase = page_address(alloc_pages_node(phys_id,
++ mem_info->vbase = page_address(alloc_pages_node(nid,
+ GFP_KERNEL | __GFP_ZERO | __GFP_THISNODE |
+ __GFP_NOWARN, get_order(size)));
+ if (!mem_info->vbase)
+@@ -797,14 +797,14 @@ static int core_imc_event_init(struct pe
+ static int thread_imc_mem_alloc(int cpu_id, int size)
+ {
+ u64 ldbar_value, *local_mem = per_cpu(thread_imc_mem, cpu_id);
+- int phys_id = topology_physical_package_id(cpu_id);
++ int nid = cpu_to_node(cpu_id);
+
+ if (!local_mem) {
+ /*
+ * This case could happen only once at start, since we dont
+ * free the memory in cpu offline path.
+ */
+- local_mem = page_address(alloc_pages_node(phys_id,
++ local_mem = page_address(alloc_pages_node(nid,
+ GFP_KERNEL | __GFP_ZERO | __GFP_THISNODE |
+ __GFP_NOWARN, get_order(size)));
+ if (!local_mem)
--- /dev/null
+From 46725b17f1c6c815a41429259b3f070c01e71bc1 Mon Sep 17 00:00:00 2001
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Thu, 31 Aug 2017 21:55:57 +0530
+Subject: powerpc/signal: Properly handle return value from uprobe_deny_signal()
+
+From: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+
+commit 46725b17f1c6c815a41429259b3f070c01e71bc1 upstream.
+
+When a uprobe is installed on an instruction that we currently do not
+emulate, we copy the instruction into a xol buffer and single step
+that instruction. If that instruction generates a fault, we abort the
+single stepping before invoking the signal handler. Once the signal
+handler is done, the uprobe trap is hit again since the instruction is
+retried and the process repeats.
+
+We use uprobe_deny_signal() to detect if the xol instruction triggered
+a signal. If so, we clear TIF_SIGPENDING and set TIF_UPROBE so that the
+signal is not handled until after the single stepping is aborted. In
+this case, uprobe_deny_signal() returns true and get_signal() ends up
+returning 0. However, in do_signal(), we are not looking at the return
+value, but depending on ksig.sig for further action, all with an
+uninitialized ksig that is not touched in this scenario. Fix the same
+by initializing ksig.sig to 0.
+
+Fixes: 129b69df9c90 ("powerpc: Use get_signal() signal_setup_done()")
+Reported-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/signal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/signal.c
++++ b/arch/powerpc/kernel/signal.c
+@@ -103,7 +103,7 @@ static void check_syscall_restart(struct
+ static void do_signal(struct task_struct *tsk)
+ {
+ sigset_t *oldset = sigmask_to_save();
+- struct ksignal ksig;
++ struct ksignal ksig = { .sig = 0 };
+ int ret;
+ int is32 = is_32bit_task();
+
ib-core-only-maintain-real-qps-in-the-security-lists.patch
nfc-fix-device-allocation-error-return.patch
spi-nor-intel-spi-fix-broken-software-sequencing-codes.patch
+i40e-use-smp_rmb-rather-than-read_barrier_depends.patch
+igb-use-smp_rmb-rather-than-read_barrier_depends.patch
+igbvf-use-smp_rmb-rather-than-read_barrier_depends.patch
+ixgbevf-use-smp_rmb-rather-than-read_barrier_depends.patch
+i40evf-use-smp_rmb-rather-than-read_barrier_depends.patch
+fm10k-use-smp_rmb-rather-than-read_barrier_depends.patch
+ixgbe-fix-skb-list-corruption-on-power-systems.patch
+parisc-fix-validity-check-of-pointer-size-argument-in-new-cas-implementation.patch
+powerpc-fix-boot-on-book3s_32-with-config_strict_kernel_rwx.patch
+powerpc-mm-radix-fix-crashes-on-power9-dd1-with-radix-mmu-and-strict_rwx.patch
+powerpc-perf-imc-use-cpu_to_node-not-topology_physical_package_id.patch
+powerpc-signal-properly-handle-return-value-from-uprobe_deny_signal.patch
+powerpc-64s-fix-masking-of-srr1-bits-on-instruction-fault.patch
+powerpc-64s-radix-fix-128tb-512tb-virtual-address-boundary-case-allocation.patch
+powerpc-64s-hash-fix-512t-hint-detection-to-use-128t.patch
+powerpc-64s-hash-fix-128tb-512tb-virtual-address-boundary-case-allocation.patch
+powerpc-64s-hash-fix-fork-with-512tb-process-address-space.patch
+powerpc-64s-hash-allow-map_fixed-allocations-to-cross-128tb-boundary.patch
+media-don-t-do-dma-on-stack-for-firmware-upload-in-the-as102-driver.patch
+media-rc-check-for-integer-overflow.patch
+media-rc-nec-decoder-should-not-send-both-repeat-and-keycode.patch
+cx231xx-cards-fix-null-deref-on-missing-association-descriptor.patch
+media-v4l2-ctrl-fix-flags-field-on-control-events.patch
+media-venus-fix-wrong-size-on-dma_free.patch
+media-venus-venc-fix-bytesused-v4l2_plane-field.patch
+media-venus-reimplement-decoder-stop-command.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
