--- /dev/null
+From a00cebf51d5ceed8ba9f6fac5fb189b38cd5a7c2 Mon Sep 17 00:00:00 2001
+From: Peter Rosin <peda@axentia.se>
+Date: Wed, 31 May 2017 14:32:33 +0200
+Subject: ASoC: atmel: tse850: fix off-by-one in the "ANA" enumeration count
+
+From: Peter Rosin <peda@axentia.se>
+
+commit a00cebf51d5ceed8ba9f6fac5fb189b38cd5a7c2 upstream.
+
+At some point I added the "Low" entry at the beginning of the array
+without bumping the enumeration count from 9 to 10. Fix this. While at
+it, fix the anti-pattern for the other enumeration (used by MUX{1,2}).
+
+Fixes: aa43112445f0 ("ASoC: atmel: tse850: add ASoC driver for the Axentia TSE-850")
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/atmel/tse850-pcm5142.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/atmel/tse850-pcm5142.c
++++ b/sound/soc/atmel/tse850-pcm5142.c
+@@ -227,7 +227,7 @@ int tse850_put_ana(struct snd_kcontrol *
+ static const char * const mux_text[] = { "Mixer", "Loop" };
+
+ static const struct soc_enum mux_enum =
+- SOC_ENUM_SINGLE(SND_SOC_NOPM, 0, 2, mux_text);
++ SOC_ENUM_SINGLE(SND_SOC_NOPM, 0, ARRAY_SIZE(mux_text), mux_text);
+
+ static const struct snd_kcontrol_new mux1 =
+ SOC_DAPM_ENUM_EXT("MUX1", mux_enum, tse850_get_mux1, tse850_put_mux1);
+@@ -252,7 +252,7 @@ static const char * const ana_text[] = {
+ };
+
+ static const struct soc_enum ana_enum =
+- SOC_ENUM_SINGLE(SND_SOC_NOPM, 0, 9, ana_text);
++ SOC_ENUM_SINGLE(SND_SOC_NOPM, 0, ARRAY_SIZE(ana_text), ana_text);
+
+ static const struct snd_kcontrol_new out =
+ SOC_DAPM_ENUM_EXT("ANA", ana_enum, tse850_get_ana, tse850_put_ana);
--- /dev/null
+From 01b8cedfd0422326caae308641dcadaa85e0ca72 Mon Sep 17 00:00:00 2001
+From: Satish Babu Patakokila <sbpata@codeaurora.org>
+Date: Fri, 16 Jun 2017 17:33:40 -0700
+Subject: ASoC: compress: Derive substream from stream based on direction
+
+From: Satish Babu Patakokila <sbpata@codeaurora.org>
+
+commit 01b8cedfd0422326caae308641dcadaa85e0ca72 upstream.
+
+Currently compress driver hardcodes direction as playback to get
+substream from the stream. This results in getting the incorrect
+substream for compressed capture usecase.
+To fix this, remove the hardcoding and derive substream based on
+the stream direction.
+
+Signed-off-by: Satish Babu Patakokila <sbpata@codeaurora.org>
+Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
+Acked-By: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/soc-compress.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/soc-compress.c
++++ b/sound/soc/soc-compress.c
+@@ -81,7 +81,8 @@ out:
+ static int soc_compr_open_fe(struct snd_compr_stream *cstream)
+ {
+ struct snd_soc_pcm_runtime *fe = cstream->private_data;
+- struct snd_pcm_substream *fe_substream = fe->pcm->streams[0].substream;
++ struct snd_pcm_substream *fe_substream =
++ fe->pcm->streams[cstream->direction].substream;
+ struct snd_soc_platform *platform = fe->platform;
+ struct snd_soc_dai *cpu_dai = fe->cpu_dai;
+ struct snd_soc_dpcm *dpcm;
+@@ -467,7 +468,8 @@ static int soc_compr_set_params_fe(struc
+ struct snd_compr_params *params)
+ {
+ struct snd_soc_pcm_runtime *fe = cstream->private_data;
+- struct snd_pcm_substream *fe_substream = fe->pcm->streams[0].substream;
++ struct snd_pcm_substream *fe_substream =
++ fe->pcm->streams[cstream->direction].substream;
+ struct snd_soc_platform *platform = fe->platform;
+ struct snd_soc_dai *cpu_dai = fe->cpu_dai;
+ int ret = 0, stream;
--- /dev/null
+From a205c159f9e2db586a5ea475f4d22fa22e78fed8 Mon Sep 17 00:00:00 2001
+From: Shawn Guo <shawn.guo@linaro.org>
+Date: Sat, 17 Jun 2017 22:25:28 +0800
+Subject: ASoC: zx-i2s: flip I2S master/slave mode
+
+From: Shawn Guo <shawn.guo@linaro.org>
+
+commit a205c159f9e2db586a5ea475f4d22fa22e78fed8 upstream.
+
+The SND_SOC_DAIFMT_MASTER bits are defined to specify the master/slave
+mode for Codec, not I2S. So the I2S master/slave mode should be flipped
+according to SND_SOC_DAIFMT_MASTER bits.
+
+Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/zte/zx-i2s.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/zte/zx-i2s.c
++++ b/sound/soc/zte/zx-i2s.c
+@@ -203,13 +203,15 @@ static int zx_i2s_set_fmt(struct snd_soc
+
+ switch (fmt & SND_SOC_DAIFMT_MASTER_MASK) {
+ case SND_SOC_DAIFMT_CBM_CFM:
+- i2s->master = 1;
+- val |= ZX_I2S_TIMING_MAST;
+- break;
+- case SND_SOC_DAIFMT_CBS_CFS:
++ /* Codec is master, and I2S is slave. */
+ i2s->master = 0;
+ val |= ZX_I2S_TIMING_SLAVE;
+ break;
++ case SND_SOC_DAIFMT_CBS_CFS:
++ /* Codec is slave, and I2S is master. */
++ i2s->master = 1;
++ val |= ZX_I2S_TIMING_MAST;
++ break;
+ default:
+ dev_err(cpu_dai->dev, "Unknown master/slave format\n");
+ return -EINVAL;
--- /dev/null
+From 138d351eefb727ab9e41a3dc5f112ceb4f6e59f2 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 7 Jul 2017 14:45:49 -0700
+Subject: iscsi-target: Add login_keys_workaround attribute for non RFC initiators
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 138d351eefb727ab9e41a3dc5f112ceb4f6e59f2 upstream.
+
+This patch re-introduces part of a long standing login workaround that
+was recently dropped by:
+
+ commit 1c99de981f30b3e7868b8d20ce5479fa1c0fea46
+ Author: Nicholas Bellinger <nab@linux-iscsi.org>
+ Date: Sun Apr 2 13:36:44 2017 -0700
+
+ iscsi-target: Drop work-around for legacy GlobalSAN initiator
+
+Namely, the workaround for FirstBurstLength ended up being required by
+Mellanox Flexboot PXE boot ROMs as reported by Robert.
+
+So this patch re-adds the work-around for FirstBurstLength within
+iscsi_check_proposer_for_optional_reply(), and makes the key optional
+to respond when the initiator does not propose, nor respond to it.
+
+Also as requested by Arun, this patch introduces a new TPG attribute
+named 'login_keys_workaround' that controls the use of both the
+FirstBurstLength workaround, as well as the two other existing
+workarounds for gPXE iSCSI boot client.
+
+By default, the workaround is enabled with login_keys_workaround=1,
+since Mellanox FlexBoot requires it, and Arun has verified the Qlogic
+MSFT initiator already proposes FirstBurstLength, so it's uneffected
+by this re-adding this part of the original work-around.
+
+Reported-by: Robert LeBlanc <robert@leblancnet.us>
+Cc: Robert LeBlanc <robert@leblancnet.us>
+Reviewed-by: Arun Easi <arun.easi@cavium.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_configfs.c | 2 +
+ drivers/target/iscsi/iscsi_target_nego.c | 6 ++-
+ drivers/target/iscsi/iscsi_target_parameters.c | 41 +++++++++++++++++--------
+ drivers/target/iscsi/iscsi_target_parameters.h | 2 -
+ drivers/target/iscsi/iscsi_target_tpg.c | 19 +++++++++++
+ drivers/target/iscsi/iscsi_target_tpg.h | 1
+ include/target/iscsi/iscsi_target_core.h | 9 +++++
+ 7 files changed, 64 insertions(+), 16 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_configfs.c
++++ b/drivers/target/iscsi/iscsi_target_configfs.c
+@@ -781,6 +781,7 @@ DEF_TPG_ATTRIB(default_erl);
+ DEF_TPG_ATTRIB(t10_pi);
+ DEF_TPG_ATTRIB(fabric_prot_type);
+ DEF_TPG_ATTRIB(tpg_enabled_sendtargets);
++DEF_TPG_ATTRIB(login_keys_workaround);
+
+ static struct configfs_attribute *lio_target_tpg_attrib_attrs[] = {
+ &iscsi_tpg_attrib_attr_authentication,
+@@ -796,6 +797,7 @@ static struct configfs_attribute *lio_ta
+ &iscsi_tpg_attrib_attr_t10_pi,
+ &iscsi_tpg_attrib_attr_fabric_prot_type,
+ &iscsi_tpg_attrib_attr_tpg_enabled_sendtargets,
++ &iscsi_tpg_attrib_attr_login_keys_workaround,
+ NULL,
+ };
+
+--- a/drivers/target/iscsi/iscsi_target_nego.c
++++ b/drivers/target/iscsi/iscsi_target_nego.c
+@@ -886,7 +886,8 @@ static int iscsi_target_handle_csg_zero(
+ SENDER_TARGET,
+ login->rsp_buf,
+ &login->rsp_length,
+- conn->param_list);
++ conn->param_list,
++ conn->tpg->tpg_attrib.login_keys_workaround);
+ if (ret < 0)
+ return -1;
+
+@@ -956,7 +957,8 @@ static int iscsi_target_handle_csg_one(s
+ SENDER_TARGET,
+ login->rsp_buf,
+ &login->rsp_length,
+- conn->param_list);
++ conn->param_list,
++ conn->tpg->tpg_attrib.login_keys_workaround);
+ if (ret < 0) {
+ iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR,
+ ISCSI_LOGIN_STATUS_INIT_ERR);
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -765,7 +765,8 @@ static int iscsi_check_for_auth_key(char
+ return 0;
+ }
+
+-static void iscsi_check_proposer_for_optional_reply(struct iscsi_param *param)
++static void iscsi_check_proposer_for_optional_reply(struct iscsi_param *param,
++ bool keys_workaround)
+ {
+ if (IS_TYPE_BOOL_AND(param)) {
+ if (!strcmp(param->value, NO))
+@@ -773,19 +774,31 @@ static void iscsi_check_proposer_for_opt
+ } else if (IS_TYPE_BOOL_OR(param)) {
+ if (!strcmp(param->value, YES))
+ SET_PSTATE_REPLY_OPTIONAL(param);
+- /*
+- * Required for gPXE iSCSI boot client
+- */
+- if (!strcmp(param->name, IMMEDIATEDATA))
+- SET_PSTATE_REPLY_OPTIONAL(param);
++
++ if (keys_workaround) {
++ /*
++ * Required for gPXE iSCSI boot client
++ */
++ if (!strcmp(param->name, IMMEDIATEDATA))
++ SET_PSTATE_REPLY_OPTIONAL(param);
++ }
+ } else if (IS_TYPE_NUMBER(param)) {
+ if (!strcmp(param->name, MAXRECVDATASEGMENTLENGTH))
+ SET_PSTATE_REPLY_OPTIONAL(param);
+- /*
+- * Required for gPXE iSCSI boot client
+- */
+- if (!strcmp(param->name, MAXCONNECTIONS))
+- SET_PSTATE_REPLY_OPTIONAL(param);
++
++ if (keys_workaround) {
++ /*
++ * Required for Mellanox Flexboot PXE boot ROM
++ */
++ if (!strcmp(param->name, FIRSTBURSTLENGTH))
++ SET_PSTATE_REPLY_OPTIONAL(param);
++
++ /*
++ * Required for gPXE iSCSI boot client
++ */
++ if (!strcmp(param->name, MAXCONNECTIONS))
++ SET_PSTATE_REPLY_OPTIONAL(param);
++ }
+ } else if (IS_PHASE_DECLARATIVE(param))
+ SET_PSTATE_REPLY_OPTIONAL(param);
+ }
+@@ -1422,7 +1435,8 @@ int iscsi_encode_text_output(
+ u8 sender,
+ char *textbuf,
+ u32 *length,
+- struct iscsi_param_list *param_list)
++ struct iscsi_param_list *param_list,
++ bool keys_workaround)
+ {
+ char *output_buf = NULL;
+ struct iscsi_extra_response *er;
+@@ -1458,7 +1472,8 @@ int iscsi_encode_text_output(
+ *length += 1;
+ output_buf = textbuf + *length;
+ SET_PSTATE_PROPOSER(param);
+- iscsi_check_proposer_for_optional_reply(param);
++ iscsi_check_proposer_for_optional_reply(param,
++ keys_workaround);
+ pr_debug("Sending key: %s=%s\n",
+ param->name, param->value);
+ }
+--- a/drivers/target/iscsi/iscsi_target_parameters.h
++++ b/drivers/target/iscsi/iscsi_target_parameters.h
+@@ -46,7 +46,7 @@ extern int iscsi_extract_key_value(char
+ extern int iscsi_update_param_value(struct iscsi_param *, char *);
+ extern int iscsi_decode_text_input(u8, u8, char *, u32, struct iscsi_conn *);
+ extern int iscsi_encode_text_output(u8, u8, char *, u32 *,
+- struct iscsi_param_list *);
++ struct iscsi_param_list *, bool);
+ extern int iscsi_check_negotiated_keys(struct iscsi_param_list *);
+ extern void iscsi_set_connection_parameters(struct iscsi_conn_ops *,
+ struct iscsi_param_list *);
+--- a/drivers/target/iscsi/iscsi_target_tpg.c
++++ b/drivers/target/iscsi/iscsi_target_tpg.c
+@@ -227,6 +227,7 @@ static void iscsit_set_default_tpg_attri
+ a->t10_pi = TA_DEFAULT_T10_PI;
+ a->fabric_prot_type = TA_DEFAULT_FABRIC_PROT_TYPE;
+ a->tpg_enabled_sendtargets = TA_DEFAULT_TPG_ENABLED_SENDTARGETS;
++ a->login_keys_workaround = TA_DEFAULT_LOGIN_KEYS_WORKAROUND;
+ }
+
+ int iscsit_tpg_add_portal_group(struct iscsi_tiqn *tiqn, struct iscsi_portal_group *tpg)
+@@ -899,3 +900,21 @@ int iscsit_ta_tpg_enabled_sendtargets(
+
+ return 0;
+ }
++
++int iscsit_ta_login_keys_workaround(
++ struct iscsi_portal_group *tpg,
++ u32 flag)
++{
++ struct iscsi_tpg_attrib *a = &tpg->tpg_attrib;
++
++ if ((flag != 0) && (flag != 1)) {
++ pr_err("Illegal value %d\n", flag);
++ return -EINVAL;
++ }
++
++ a->login_keys_workaround = flag;
++ pr_debug("iSCSI_TPG[%hu] - TPG enabled bit for login keys workaround: %s ",
++ tpg->tpgt, (a->login_keys_workaround) ? "ON" : "OFF");
++
++ return 0;
++}
+--- a/drivers/target/iscsi/iscsi_target_tpg.h
++++ b/drivers/target/iscsi/iscsi_target_tpg.h
+@@ -48,5 +48,6 @@ extern int iscsit_ta_default_erl(struct
+ extern int iscsit_ta_t10_pi(struct iscsi_portal_group *, u32);
+ extern int iscsit_ta_fabric_prot_type(struct iscsi_portal_group *, u32);
+ extern int iscsit_ta_tpg_enabled_sendtargets(struct iscsi_portal_group *, u32);
++extern int iscsit_ta_login_keys_workaround(struct iscsi_portal_group *, u32);
+
+ #endif /* ISCSI_TARGET_TPG_H */
+--- a/include/target/iscsi/iscsi_target_core.h
++++ b/include/target/iscsi/iscsi_target_core.h
+@@ -66,6 +66,14 @@ struct sock;
+ #define TA_DEFAULT_FABRIC_PROT_TYPE 0
+ /* TPG status needs to be enabled to return sendtargets discovery endpoint info */
+ #define TA_DEFAULT_TPG_ENABLED_SENDTARGETS 1
++/*
++ * Used to control the sending of keys with optional to respond state bit,
++ * as a workaround for non RFC compliant initiators,that do not propose,
++ * nor respond to specific keys required for login to complete.
++ *
++ * See iscsi_check_proposer_for_optional_reply() for more details.
++ */
++#define TA_DEFAULT_LOGIN_KEYS_WORKAROUND 1
+
+ #define ISCSI_IOV_DATA_BUFFER 5
+
+@@ -769,6 +777,7 @@ struct iscsi_tpg_attrib {
+ u8 t10_pi;
+ u32 fabric_prot_type;
+ u32 tpg_enabled_sendtargets;
++ u32 login_keys_workaround;
+ struct iscsi_portal_group *tpg;
+ };
+
--- /dev/null
+From c6e83cac3eda5f7dd32ee1453df2f7abb5c6cd46 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Wed, 28 Jun 2017 16:56:18 +0200
+Subject: PM / Domains: Fix unsafe iteration over modified list of device links
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit c6e83cac3eda5f7dd32ee1453df2f7abb5c6cd46 upstream.
+
+pm_genpd_remove_subdomain() iterates over domain's master_links list and
+removes matching element thus it has to use safe version of list
+iteration.
+
+Fixes: f721889ff65a ("PM / Domains: Support for generic I/O PM domains (v8)")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/power/domain.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -1393,7 +1393,7 @@ EXPORT_SYMBOL_GPL(pm_genpd_add_subdomain
+ int pm_genpd_remove_subdomain(struct generic_pm_domain *genpd,
+ struct generic_pm_domain *subdomain)
+ {
+- struct gpd_link *link;
++ struct gpd_link *l, *link;
+ int ret = -EINVAL;
+
+ if (IS_ERR_OR_NULL(genpd) || IS_ERR_OR_NULL(subdomain))
+@@ -1409,7 +1409,7 @@ int pm_genpd_remove_subdomain(struct gen
+ goto out;
+ }
+
+- list_for_each_entry(link, &genpd->master_links, master_node) {
++ list_for_each_entry_safe(link, l, &genpd->master_links, master_node) {
+ if (link->slave != subdomain)
+ continue;
+
--- /dev/null
+From b556b15dc04e9b9b98790f04c21acf5e24f994b2 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Wed, 28 Jun 2017 16:56:19 +0200
+Subject: PM / Domains: Fix unsafe iteration over modified list of domain providers
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit b556b15dc04e9b9b98790f04c21acf5e24f994b2 upstream.
+
+of_genpd_del_provider() iterates over list of domain provides and
+removes matching element thus it has to use safe version of list
+iteration.
+
+Fixes: aa42240ab254 (PM / Domains: Add generic OF-based PM domain look-up)
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/power/domain.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -1780,12 +1780,12 @@ EXPORT_SYMBOL_GPL(of_genpd_add_provider_
+ */
+ void of_genpd_del_provider(struct device_node *np)
+ {
+- struct of_genpd_provider *cp;
++ struct of_genpd_provider *cp, *tmp;
+ struct generic_pm_domain *gpd;
+
+ mutex_lock(&gpd_list_lock);
+ mutex_lock(&of_genpd_mutex);
+- list_for_each_entry(cp, &of_genpd_providers, link) {
++ list_for_each_entry_safe(cp, tmp, &of_genpd_providers, link) {
+ if (cp->node == np) {
+ /*
+ * For each PM domain associated with the
--- /dev/null
+From a7e2d1bce4c1db471f1cbc0c4666a3112bbf0994 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Wed, 28 Jun 2017 16:56:20 +0200
+Subject: PM / Domains: Fix unsafe iteration over modified list of domains
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit a7e2d1bce4c1db471f1cbc0c4666a3112bbf0994 upstream.
+
+of_genpd_remove_last() iterates over list of domains and removes
+matching element thus it has to use safe version of list iteration.
+
+Fixes: 17926551c98a (PM / Domains: Add support for removing nested PM domains by provider)
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/power/domain.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -1925,14 +1925,14 @@ EXPORT_SYMBOL_GPL(of_genpd_add_subdomain
+ */
+ struct generic_pm_domain *of_genpd_remove_last(struct device_node *np)
+ {
+- struct generic_pm_domain *gpd, *genpd = ERR_PTR(-ENOENT);
++ struct generic_pm_domain *gpd, *tmp, *genpd = ERR_PTR(-ENOENT);
+ int ret;
+
+ if (IS_ERR_OR_NULL(np))
+ return ERR_PTR(-EINVAL);
+
+ mutex_lock(&gpd_list_lock);
+- list_for_each_entry(gpd, &gpd_list, gpd_list_node) {
++ list_for_each_entry_safe(gpd, tmp, &gpd_list, gpd_list_node) {
+ if (gpd->provider == &np->fwnode) {
+ ret = genpd_remove(gpd);
+ genpd = ret ? ERR_PTR(ret) : gpd;
--- /dev/null
+From 01e6a61aceb82e13bec29502a8eb70d9574f97ad Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Tue, 11 Jul 2017 22:10:54 +1000
+Subject: powerpc/64: Fix atomic64_inc_not_zero() to return an int
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 01e6a61aceb82e13bec29502a8eb70d9574f97ad upstream.
+
+Although it's not documented anywhere, there is an expectation that
+atomic64_inc_not_zero() returns a result which fits in an int. This is
+the behaviour implemented on all arches except powerpc.
+
+This has caused at least one bug in practice, in the percpu-refcount
+code, where the long result from our atomic64_inc_not_zero() was
+truncated to an int leading to lost references and stuck systems. That
+was worked around in that code in commit 966d2b04e070 ("percpu-refcount:
+fix reference leak during percpu-atomic transition").
+
+To the best of my grepping abilities there are no other callers
+in-tree which truncate the value, but we should fix it anyway. Because
+the breakage is subtle and potentially very harmful I'm also tagging
+it for stable.
+
+Code generation is largely unaffected because in most cases the
+callers are just using the result for a test anyway. In particular the
+case of fget() that was mentioned in commit a6cf7ed5119f
+("powerpc/atomic: Implement atomic*_inc_not_zero") generates exactly
+the same code.
+
+Fixes: a6cf7ed5119f ("powerpc/atomic: Implement atomic*_inc_not_zero")
+Noticed-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/atomic.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/include/asm/atomic.h
++++ b/arch/powerpc/include/asm/atomic.h
+@@ -560,7 +560,7 @@ static __inline__ int atomic64_add_unles
+ * Atomically increments @v by 1, so long as @v is non-zero.
+ * Returns non-zero if @v was non-zero, and zero otherwise.
+ */
+-static __inline__ long atomic64_inc_not_zero(atomic64_t *v)
++static __inline__ int atomic64_inc_not_zero(atomic64_t *v)
+ {
+ long t1, t2;
+
+@@ -579,7 +579,7 @@ static __inline__ long atomic64_inc_not_
+ : "r" (&v->counter)
+ : "cc", "xer", "memory");
+
+- return t1;
++ return t1 != 0;
+ }
+
+ #endif /* __powerpc64__ */
--- /dev/null
+From 2400fd822f467cb4c886c879d8ad99feac9cf319 Mon Sep 17 00:00:00 2001
+From: Oliver O'Halloran <oohall@gmail.com>
+Date: Thu, 6 Jul 2017 18:46:43 +1000
+Subject: powerpc/asm: Mark cr0 as clobbered in mftb()
+
+From: Oliver O'Halloran <oohall@gmail.com>
+
+commit 2400fd822f467cb4c886c879d8ad99feac9cf319 upstream.
+
+The workaround for the CELL timebase bug does not correctly mark cr0 as
+being clobbered. This means GCC doesn't know that the asm block changes cr0 and
+might leave the result of an unrelated comparison in cr0 across the block, which
+we then trash, leading to basically random behaviour.
+
+Fixes: 859deea949c3 ("[POWERPC] Cell timebase bug workaround")
+Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
+[mpe: Tweak change log and flag for stable]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/reg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -1303,7 +1303,7 @@ static inline void msr_check_and_clear(u
+ " .llong 0\n" \
+ ".previous" \
+ : "=r" (rval) \
+- : "i" (CPU_FTR_CELL_TB_BUG), "i" (SPRN_TBRL)); \
++ : "i" (CPU_FTR_CELL_TB_BUG), "i" (SPRN_TBRL) : "cr0"); \
+ rval;})
+ #else
+ #define mftb() ({unsigned long rval; \
--- /dev/null
+From 87c4b83e0fe234a1f0eed131ab6fa232036860d5 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Thu, 15 Jun 2017 09:46:38 +1000
+Subject: powerpc: Fix emulation of mcrf in emulate_step()
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 87c4b83e0fe234a1f0eed131ab6fa232036860d5 upstream.
+
+The mcrf emulation code was using the CR field number directly as the shift
+value, without taking into account that CR fields are numbered from 0-7 starting
+at the high bits. That meant it was looking at the CR fields in the reverse
+order.
+
+Fixes: cf87c3f6b647 ("powerpc: Emulate icbi, mcrf and conditional-trap instructions")
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/lib/sstep.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/lib/sstep.c
++++ b/arch/powerpc/lib/sstep.c
+@@ -683,8 +683,10 @@ int analyse_instr(struct instruction_op
+ case 19:
+ switch ((instr >> 1) & 0x3ff) {
+ case 0: /* mcrf */
+- rd = (instr >> 21) & 0x1c;
+- ra = (instr >> 16) & 0x1c;
++ rd = 7 - ((instr >> 23) & 0x7);
++ ra = 7 - ((instr >> 18) & 0x7);
++ rd *= 4;
++ ra *= 4;
+ val = (regs->ccr >> ra) & 0xf;
+ regs->ccr = (regs->ccr & ~(0xfUL << rd)) | (val << rd);
+ goto instr_done;
--- /dev/null
+From 64e756c55aa46fc18fd53e8f3598b73b528d8637 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Thu, 15 Jun 2017 09:46:39 +1000
+Subject: powerpc: Fix emulation of mfocrf in emulate_step()
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 64e756c55aa46fc18fd53e8f3598b73b528d8637 upstream.
+
+From POWER4 onwards, mfocrf() only places the specified CR field into
+the destination GPR, and the rest of it is set to 0. The PowerPC AS
+from version 3.0 now requires this behaviour.
+
+The emulation code currently puts the entire CR into the destination GPR.
+Fix it.
+
+Fixes: 6888199f7fe5 ("[POWERPC] Emulate more instructions in software")
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/lib/sstep.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/arch/powerpc/lib/sstep.c
++++ b/arch/powerpc/lib/sstep.c
+@@ -966,6 +966,19 @@ int analyse_instr(struct instruction_op
+ #endif
+
+ case 19: /* mfcr */
++ if ((instr >> 20) & 1) {
++ imm = 0xf0000000UL;
++ for (sh = 0; sh < 8; ++sh) {
++ if (instr & (0x80000 >> sh)) {
++ regs->gpr[rd] = regs->ccr & imm;
++ break;
++ }
++ imm >>= 4;
++ }
++
++ goto instr_done;
++ }
++
+ regs->gpr[rd] = regs->ccr;
+ regs->gpr[rd] &= 0xffffffffUL;
+ goto instr_done;
--- /dev/null
+From 7f6d498ed3354740cfd100e4aa99e388f1a95be7 Mon Sep 17 00:00:00 2001
+From: Balbir Singh <bsingharora@gmail.com>
+Date: Thu, 29 Jun 2017 03:04:10 +1000
+Subject: powerpc/mm/radix: Fix execute permissions for interrupt_vectors
+
+From: Balbir Singh <bsingharora@gmail.com>
+
+commit 7f6d498ed3354740cfd100e4aa99e388f1a95be7 upstream.
+
+Commit 9abcc981de97 ("powerpc/mm/radix: Only add X for pages
+overlapping kernel text") changed the linear mapping on Radix to only
+mark the kernel text executable.
+
+However if the kernel is run relocated, for example as a kdump kernel,
+then the exception vectors are split from the kernel text, ie. they
+remain at real address 0.
+
+We tend to get away with it, because the kernel itself will usually be
+below 1G, which means the 1G page at 0-1G is marked executable and
+everything works OK. However if the kernel is loaded above 1G, or the
+system has less than 1G in total (meaning we can't use a 1G page),
+then the exception vectors will not be marked executable and the
+kernel will fail to boot.
+
+Fix it by also checking if the address range overlaps the exception
+vectors when deciding if we should add PAGE_KERNEL_X.
+
+Fixes: 9abcc981de97 ("powerpc/mm/radix: Only add X for pages overlapping kernel text")
+Signed-off-by: Balbir Singh <bsingharora@gmail.com>
+[mpe: Combine with the existing check, rewrite change log]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/pgtable-radix.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/mm/pgtable-radix.c
++++ b/arch/powerpc/mm/pgtable-radix.c
+@@ -149,7 +149,8 @@ static int __meminit create_physical_map
+
+ vaddr = (unsigned long)__va(addr);
+
+- if (overlaps_kernel_text(vaddr, vaddr + mapping_size))
++ if (overlaps_kernel_text(vaddr, vaddr + mapping_size) ||
++ overlaps_interrupt_vector_text(vaddr, vaddr + mapping_size))
+ prot = PAGE_KERNEL_X;
+ else
+ prot = PAGE_KERNEL;
--- /dev/null
+From 9abcc981de9775659a0f6e4a52a3448ea72e59da Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Tue, 6 Jun 2017 15:48:57 +1000
+Subject: powerpc/mm/radix: Only add X for pages overlapping kernel text
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 9abcc981de9775659a0f6e4a52a3448ea72e59da upstream.
+
+Currently we map the whole linear mapping with PAGE_KERNEL_X. Instead we
+should check if the page overlaps the kernel text and only then add
+PAGE_KERNEL_X.
+
+Note that we still use 1G pages if they're available, so this will
+typically still result in a 1G executable page at KERNELBASE. So this fix is
+primarily useful for catching stray branches to high linear mapping addresses.
+
+Without this patch, we can execute at 1G in xmon using:
+
+ 0:mon> m c000000040000000
+ c000000040000000 00 l
+ c000000040000000 00000000 01006038
+ c000000040000004 00000000 2000804e
+ c000000040000008 00000000 x
+ 0:mon> di c000000040000000
+ c000000040000000 38600001 li r3,1
+ c000000040000004 4e800020 blr
+ 0:mon> p c000000040000000
+ return value is 0x1
+
+After we get a 400 as expected:
+
+ 0:mon> p c000000040000000
+ *** 400 exception occurred
+
+Fixes: 2bfd65e45e87 ("powerpc/mm/radix: Add radix callbacks for early init routines")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Acked-by: Balbir Singh <bsingharora@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/pgtable-radix.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/mm/pgtable-radix.c
++++ b/arch/powerpc/mm/pgtable-radix.c
+@@ -19,6 +19,7 @@
+ #include <asm/mmu.h>
+ #include <asm/firmware.h>
+ #include <asm/powernv.h>
++#include <asm/sections.h>
+
+ #include <trace/events/thp.h>
+
+@@ -121,7 +122,8 @@ static inline void __meminit print_mappi
+ static int __meminit create_physical_mapping(unsigned long start,
+ unsigned long end)
+ {
+- unsigned long addr, mapping_size = 0;
++ unsigned long vaddr, addr, mapping_size = 0;
++ pgprot_t prot;
+
+ start = _ALIGN_UP(start, PAGE_SIZE);
+ for (addr = start; addr < end; addr += mapping_size) {
+@@ -145,8 +147,14 @@ static int __meminit create_physical_map
+ start = addr;
+ }
+
+- rc = radix__map_kernel_page((unsigned long)__va(addr), addr,
+- PAGE_KERNEL_X, mapping_size);
++ vaddr = (unsigned long)__va(addr);
++
++ if (overlaps_kernel_text(vaddr, vaddr + mapping_size))
++ prot = PAGE_KERNEL_X;
++ else
++ prot = PAGE_KERNEL;
++
++ rc = radix__map_kernel_page(vaddr, addr, prot, mapping_size);
+ if (rc)
+ return rc;
+ }
--- /dev/null
+From c6bb0b8d426a8cf865ca9c8a532cc3a2927cfceb Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Sat, 8 Jul 2017 07:45:32 -0500
+Subject: powerpc/mm/radix: Properly clear process table entry
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit c6bb0b8d426a8cf865ca9c8a532cc3a2927cfceb upstream.
+
+On radix, the process table entry we want to clear when destroying a
+context is entry 0, not entry 1. This has no *immediate* consequence
+on Power9, but it can cause other bugs to become worse.
+
+Fixes: 7e381c0ff618 ("powerpc/mm/radix: Add mmu context handling callback for radix")
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/mmu_context_book3s64.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/mm/mmu_context_book3s64.c
++++ b/arch/powerpc/mm/mmu_context_book3s64.c
+@@ -223,9 +223,15 @@ void destroy_context(struct mm_struct *m
+ mm->context.cop_lockp = NULL;
+ #endif /* CONFIG_PPC_ICSWX */
+
+- if (radix_enabled())
+- process_tb[mm->context.id].prtb1 = 0;
+- else
++ if (radix_enabled()) {
++ /*
++ * Radix doesn't have a valid bit in the process table
++ * entries. However we know that at least P9 implementation
++ * will avoid caching an entry with an invalid RTS field,
++ * and 0 is invalid. So this will do.
++ */
++ process_tb[mm->context.id].prtb0 = 0;
++ } else
+ subpage_prot_free(mm);
+ destroy_pagetable_page(mm);
+ __destroy_context(mm->context.id);
--- /dev/null
+From 20dd4c624d25156d5ec3345bbb690b98175ef879 Mon Sep 17 00:00:00 2001
+From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Date: Tue, 11 Jul 2017 16:27:49 +0530
+Subject: powerpc/perf: Fix SDAR_MODE value for continous sampling on Power9
+
+From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+
+commit 20dd4c624d25156d5ec3345bbb690b98175ef879 upstream.
+
+In case of continous sampling (non-marked), the code currently
+sets MMCRA[SDAR_MODE] to 0b01 (Update on TLB miss) for Power9 DD1.
+
+On DD2 and later it copies the sdar_mode value from the event code,
+which for most events is 0b00 (No updates).
+
+However we must set a non-zero value for SDAR_MODE when doing
+continuous sampling, so honor the event code, unless it's zero, in
+which case we use use 0b01 (Update on TLB miss).
+
+Fixes: 78b4416aa249 ("powerpc/perf: Handle sdar_mode for marked event in power9")
+Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/perf/isa207-common.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/perf/isa207-common.c
++++ b/arch/powerpc/perf/isa207-common.c
+@@ -90,13 +90,15 @@ static void mmcra_sdar_mode(u64 event, u
+ * MMCRA[SDAR_MODE] will be set to 0b01
+ * For rest
+ * MMCRA[SDAR_MODE] will be set from event code.
++ * If sdar_mode from event is zero, default to 0b01. Hardware
++ * requires that we set a non-zero value.
+ */
+ if (cpu_has_feature(CPU_FTR_ARCH_300)) {
+ if (is_event_marked(event) || (*mmcra & MMCRA_SAMPLE_ENABLE))
+ *mmcra &= MMCRA_SDAR_MODE_NO_UPDATES;
+- else if (!cpu_has_feature(CPU_FTR_POWER9_DD1))
++ else if (!cpu_has_feature(CPU_FTR_POWER9_DD1) && p9_SDAR_MODE(event))
+ *mmcra |= p9_SDAR_MODE(event) << MMCRA_SDAR_MODE_SHIFT;
+- else if (cpu_has_feature(CPU_FTR_POWER9_DD1))
++ else
+ *mmcra |= MMCRA_SDAR_MODE_TLB;
+ } else
+ *mmcra |= MMCRA_SDAR_MODE_TLB;
--- /dev/null
+From e71ff982ae4c17d176e9f0132157d54973788377 Mon Sep 17 00:00:00 2001
+From: Balbir Singh <bsingharora@gmail.com>
+Date: Thu, 29 Jun 2017 03:04:07 +1000
+Subject: powerpc/pseries: Fix passing of pp0 in updatepp() and updateboltedpp()
+
+From: Balbir Singh <bsingharora@gmail.com>
+
+commit e71ff982ae4c17d176e9f0132157d54973788377 upstream.
+
+Once upon a time there were only two PP (page protection) bits. In ISA
+2.03 an additional PP bit was added, but because of the layout of the
+HPTE it could not be made contiguous with the existing PP bits.
+
+The result is that we now have three PP bits, named pp0, pp1, pp2,
+where pp0 occupies bit 63 of dword 1 of the HPTE and pp1 and pp2
+occupy bits 1 and 0 respectively. Until recently Linux hasn't used
+pp0, however with the addition of _PAGE_KERNEL_RO we started using it.
+
+The problem arises in the LPAR code, where we need to translate the PP
+bits into the argument for the H_PROTECT hypercall. Currently the code
+only passes bits 0-2 of newpp, which covers pp1, pp2 and N (no
+execute), meaning pp0 is not passed to the hypervisor at all.
+
+We can't simply pass it through in bit 63, as that would collide with a
+different field in the flags argument, as defined in PAPR. Instead we
+have to shift it down to bit 8 (IBM bit 55).
+
+Fixes: e58e87adc8bf ("powerpc/mm: Update _PAGE_KERNEL_RO")
+Signed-off-by: Balbir Singh <bsingharora@gmail.com>
+[mpe: Simplify the test, rework change log]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/pseries/lpar.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/lpar.c
++++ b/arch/powerpc/platforms/pseries/lpar.c
+@@ -301,7 +301,7 @@ static long pSeries_lpar_hpte_updatepp(u
+ int ssize, unsigned long inv_flags)
+ {
+ unsigned long lpar_rc;
+- unsigned long flags = (newpp & 7) | H_AVPN;
++ unsigned long flags;
+ unsigned long want_v;
+
+ want_v = hpte_encode_avpn(vpn, psize, ssize);
+@@ -309,6 +309,11 @@ static long pSeries_lpar_hpte_updatepp(u
+ pr_devel(" update: avpnv=%016lx, hash=%016lx, f=%lx, psize: %d ...",
+ want_v, slot, flags, psize);
+
++ flags = (newpp & 7) | H_AVPN;
++ if (mmu_has_feature(MMU_FTR_KERNEL_RO))
++ /* Move pp0 into bit 8 (IBM 55) */
++ flags |= (newpp & HPTE_R_PP0) >> 55;
++
+ lpar_rc = plpar_pte_protect(flags, slot, want_v);
+
+ if (lpar_rc == H_NOT_FOUND) {
+@@ -380,6 +385,10 @@ static void pSeries_lpar_hpte_updatebolt
+ BUG_ON(slot == -1);
+
+ flags = newpp & 7;
++ if (mmu_has_feature(MMU_FTR_KERNEL_RO))
++ /* Move pp0 into bit 8 (IBM 55) */
++ flags |= (newpp & HPTE_R_PP0) >> 55;
++
+ lpar_rc = plpar_pte_protect(flags, slot, 0);
+
+ BUG_ON(lpar_rc != H_SUCCESS);
--- /dev/null
+From f9279c968c257ee39b0d7bd2571a4d231a67bcc1 Mon Sep 17 00:00:00 2001
+From: "Ewan D. Milne" <emilne@redhat.com>
+Date: Tue, 27 Jun 2017 14:55:58 -0400
+Subject: scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state
+
+From: Ewan D. Milne <emilne@redhat.com>
+
+commit f9279c968c257ee39b0d7bd2571a4d231a67bcc1 upstream.
+
+The addition of the STARGET_REMOVE state had the side effect of
+introducing a race condition that can cause a crash.
+
+scsi_target_reap_ref_release() checks the starget->state to
+see if it still in STARGET_CREATED, and if so, skips calling
+transport_remove_device() and device_del(), because the starget->state
+is only set to STARGET_RUNNING after scsi_target_add() has called
+device_add() and transport_add_device().
+
+However, if an rport loss occurs while a target is being scanned,
+it can happen that scsi_remove_target() will be called while the
+starget is still in the STARGET_CREATED state. In this case, the
+starget->state will be set to STARGET_REMOVE, and as a result,
+scsi_target_reap_ref_release() will take the wrong path. The end
+result is a panic:
+
+[ 1255.356653] Oops: 0000 [#1] SMP
+[ 1255.360154] Modules linked in: x86_pkg_temp_thermal kvm_intel kvm irqbypass crc32c_intel ghash_clmulni_i
+[ 1255.393234] CPU: 5 PID: 149 Comm: kworker/u96:4 Tainted: G W 4.11.0+ #8
+[ 1255.401879] Hardware name: Dell Inc. PowerEdge R320/08VT7V, BIOS 2.0.22 11/19/2013
+[ 1255.410327] Workqueue: scsi_wq_6 fc_scsi_scan_rport [scsi_transport_fc]
+[ 1255.417720] task: ffff88060ca8c8c0 task.stack: ffffc900048a8000
+[ 1255.424331] RIP: 0010:kernfs_find_ns+0x13/0xc0
+[ 1255.429287] RSP: 0018:ffffc900048abbf0 EFLAGS: 00010246
+[ 1255.435123] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+[ 1255.443083] RDX: 0000000000000000 RSI: ffffffff8188d659 RDI: 0000000000000000
+[ 1255.451043] RBP: ffffc900048abc10 R08: 0000000000000000 R09: 0000012433fe0025
+[ 1255.459005] R10: 0000000025e5a4b5 R11: 0000000025e5a4b5 R12: ffffffff8188d659
+[ 1255.466972] R13: 0000000000000000 R14: ffff8805f55e5088 R15: 0000000000000000
+[ 1255.474931] FS: 0000000000000000(0000) GS:ffff880616b40000(0000) knlGS:0000000000000000
+[ 1255.483959] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1255.490370] CR2: 0000000000000068 CR3: 0000000001c09000 CR4: 00000000000406e0
+[ 1255.498332] Call Trace:
+[ 1255.501058] kernfs_find_and_get_ns+0x31/0x60
+[ 1255.505916] sysfs_unmerge_group+0x1d/0x60
+[ 1255.510498] dpm_sysfs_remove+0x22/0x60
+[ 1255.514783] device_del+0xf4/0x2e0
+[ 1255.518577] ? device_remove_file+0x19/0x20
+[ 1255.523241] attribute_container_class_device_del+0x1a/0x20
+[ 1255.529457] transport_remove_classdev+0x4e/0x60
+[ 1255.534607] ? transport_add_class_device+0x40/0x40
+[ 1255.540046] attribute_container_device_trigger+0xb0/0xc0
+[ 1255.546069] transport_remove_device+0x15/0x20
+[ 1255.551025] scsi_target_reap_ref_release+0x25/0x40
+[ 1255.556467] scsi_target_reap+0x2e/0x40
+[ 1255.560744] __scsi_scan_target+0xaa/0x5b0
+[ 1255.565312] scsi_scan_target+0xec/0x100
+[ 1255.569689] fc_scsi_scan_rport+0xb1/0xc0 [scsi_transport_fc]
+[ 1255.576099] process_one_work+0x14b/0x390
+[ 1255.580569] worker_thread+0x4b/0x390
+[ 1255.584651] kthread+0x109/0x140
+[ 1255.588251] ? rescuer_thread+0x330/0x330
+[ 1255.592730] ? kthread_park+0x60/0x60
+[ 1255.596815] ret_from_fork+0x29/0x40
+[ 1255.600801] Code: 24 08 48 83 42 40 01 5b 41 5c 5d c3 66 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90
+[ 1255.621876] RIP: kernfs_find_ns+0x13/0xc0 RSP: ffffc900048abbf0
+[ 1255.628479] CR2: 0000000000000068
+[ 1255.632756] ---[ end trace 34a69ba0477d036f ]---
+
+Fix this by adding another scsi_target state STARGET_CREATED_REMOVE
+to distinguish this case.
+
+Fixes: f05795d3d771 ("scsi: Add intermediate STARGET_REMOVE state to scsi_target_state")
+Reported-by: David Jeffery <djeffery@redhat.com>
+Signed-off-by: Ewan D. Milne <emilne@redhat.com>
+Reviewed-by: Laurence Oberman <loberman@redhat.com>
+Tested-by: Laurence Oberman <loberman@redhat.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_scan.c | 5 +++--
+ drivers/scsi/scsi_sysfs.c | 8 ++++++--
+ include/scsi/scsi_device.h | 1 +
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/scsi_scan.c
++++ b/drivers/scsi/scsi_scan.c
+@@ -384,11 +384,12 @@ static void scsi_target_reap_ref_release
+ = container_of(kref, struct scsi_target, reap_ref);
+
+ /*
+- * if we get here and the target is still in the CREATED state that
++ * if we get here and the target is still in a CREATED state that
+ * means it was allocated but never made visible (because a scan
+ * turned up no LUNs), so don't call device_del() on it.
+ */
+- if (starget->state != STARGET_CREATED) {
++ if ((starget->state != STARGET_CREATED) &&
++ (starget->state != STARGET_CREATED_REMOVE)) {
+ transport_remove_device(&starget->dev);
+ device_del(&starget->dev);
+ }
+--- a/drivers/scsi/scsi_sysfs.c
++++ b/drivers/scsi/scsi_sysfs.c
+@@ -1370,11 +1370,15 @@ restart:
+ spin_lock_irqsave(shost->host_lock, flags);
+ list_for_each_entry(starget, &shost->__targets, siblings) {
+ if (starget->state == STARGET_DEL ||
+- starget->state == STARGET_REMOVE)
++ starget->state == STARGET_REMOVE ||
++ starget->state == STARGET_CREATED_REMOVE)
+ continue;
+ if (starget->dev.parent == dev || &starget->dev == dev) {
+ kref_get(&starget->reap_ref);
+- starget->state = STARGET_REMOVE;
++ if (starget->state == STARGET_CREATED)
++ starget->state = STARGET_CREATED_REMOVE;
++ else
++ starget->state = STARGET_REMOVE;
+ spin_unlock_irqrestore(shost->host_lock, flags);
+ __scsi_remove_target(starget);
+ scsi_target_reap(starget);
+--- a/include/scsi/scsi_device.h
++++ b/include/scsi/scsi_device.h
+@@ -248,6 +248,7 @@ enum scsi_target_state {
+ STARGET_CREATED = 1,
+ STARGET_RUNNING,
+ STARGET_REMOVE,
++ STARGET_CREATED_REMOVE,
+ STARGET_DEL,
+ };
+
--- /dev/null
+From 8e6882545d8c06f99e9e117741cc87f3338b0bef Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+Date: Fri, 2 Jun 2017 14:21:52 -0700
+Subject: scsi: Avoid that scsi_exit_rq() triggers a use-after-free
+
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+
+commit 8e6882545d8c06f99e9e117741cc87f3338b0bef upstream.
+
+Dereferencing shost from scsi_exit_rq() is not safe because the SCSI
+host may already have been freed when scsi_exit_rq() is called.
+Increasing the shost reference count in scsi_init_rq() and dropping that
+reference in scsi_exit_rq() is nontrivial since scsi_host_dev_release()
+may sleep and since scsi_exit_rq() may be called from interrupt
+context. Since scsi_exit_rq() only needs a single bit from shost, copy
+that bit into struct scsi_cmnd.
+
+Reported-by: Scott Bauer <scott.bauer@intel.com>
+Fixes: e9c787e65c0c ("scsi: allocate scsi_cmnd structures as part of struct request")
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: Scott Bauer <scott.bauer@intel.com>
+Cc: Jan Kara <jack@suse.cz>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_lib.c | 47 +++++++++++++++++++++++++++++------------------
+ include/scsi/scsi_cmnd.h | 1 +
+ 2 files changed, 30 insertions(+), 18 deletions(-)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -45,23 +45,23 @@ static struct kmem_cache *scsi_sense_isa
+ static DEFINE_MUTEX(scsi_sense_cache_mutex);
+
+ static inline struct kmem_cache *
+-scsi_select_sense_cache(struct Scsi_Host *shost)
++scsi_select_sense_cache(bool unchecked_isa_dma)
+ {
+- return shost->unchecked_isa_dma ?
+- scsi_sense_isadma_cache : scsi_sense_cache;
++ return unchecked_isa_dma ? scsi_sense_isadma_cache : scsi_sense_cache;
+ }
+
+-static void scsi_free_sense_buffer(struct Scsi_Host *shost,
+- unsigned char *sense_buffer)
++static void scsi_free_sense_buffer(bool unchecked_isa_dma,
++ unsigned char *sense_buffer)
+ {
+- kmem_cache_free(scsi_select_sense_cache(shost), sense_buffer);
++ kmem_cache_free(scsi_select_sense_cache(unchecked_isa_dma),
++ sense_buffer);
+ }
+
+-static unsigned char *scsi_alloc_sense_buffer(struct Scsi_Host *shost,
++static unsigned char *scsi_alloc_sense_buffer(bool unchecked_isa_dma,
+ gfp_t gfp_mask, int numa_node)
+ {
+- return kmem_cache_alloc_node(scsi_select_sense_cache(shost), gfp_mask,
+- numa_node);
++ return kmem_cache_alloc_node(scsi_select_sense_cache(unchecked_isa_dma),
++ gfp_mask, numa_node);
+ }
+
+ int scsi_init_sense_cache(struct Scsi_Host *shost)
+@@ -69,7 +69,7 @@ int scsi_init_sense_cache(struct Scsi_Ho
+ struct kmem_cache *cache;
+ int ret = 0;
+
+- cache = scsi_select_sense_cache(shost);
++ cache = scsi_select_sense_cache(shost->unchecked_isa_dma);
+ if (cache)
+ return 0;
+
+@@ -1138,6 +1138,7 @@ void scsi_init_command(struct scsi_devic
+ {
+ void *buf = cmd->sense_buffer;
+ void *prot = cmd->prot_sdb;
++ unsigned int unchecked_isa_dma = cmd->flags & SCMD_UNCHECKED_ISA_DMA;
+ unsigned long flags;
+
+ /* zero out the cmd, except for the embedded scsi_request */
+@@ -1147,6 +1148,7 @@ void scsi_init_command(struct scsi_devic
+ cmd->device = dev;
+ cmd->sense_buffer = buf;
+ cmd->prot_sdb = prot;
++ cmd->flags = unchecked_isa_dma;
+ INIT_DELAYED_WORK(&cmd->abort_work, scmd_eh_abort_handler);
+ cmd->jiffies_at_alloc = jiffies;
+
+@@ -1847,6 +1849,7 @@ static int scsi_mq_prep_fn(struct reques
+ struct scsi_device *sdev = req->q->queuedata;
+ struct Scsi_Host *shost = sdev->host;
+ unsigned char *sense_buf = cmd->sense_buffer;
++ unsigned int unchecked_isa_dma = cmd->flags & SCMD_UNCHECKED_ISA_DMA;
+ struct scatterlist *sg;
+
+ /* zero out the cmd, except for the embedded scsi_request */
+@@ -1858,6 +1861,7 @@ static int scsi_mq_prep_fn(struct reques
+ cmd->request = req;
+ cmd->device = sdev;
+ cmd->sense_buffer = sense_buf;
++ cmd->flags = unchecked_isa_dma;
+
+ cmd->tag = req->tag;
+
+@@ -2004,10 +2008,13 @@ static int scsi_init_request(struct blk_
+ unsigned int hctx_idx, unsigned int numa_node)
+ {
+ struct Scsi_Host *shost = set->driver_data;
++ const bool unchecked_isa_dma = shost->unchecked_isa_dma;
+ struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(rq);
+
+- cmd->sense_buffer =
+- scsi_alloc_sense_buffer(shost, GFP_KERNEL, numa_node);
++ if (unchecked_isa_dma)
++ cmd->flags |= SCMD_UNCHECKED_ISA_DMA;
++ cmd->sense_buffer = scsi_alloc_sense_buffer(unchecked_isa_dma,
++ GFP_KERNEL, numa_node);
+ if (!cmd->sense_buffer)
+ return -ENOMEM;
+ cmd->req.sense = cmd->sense_buffer;
+@@ -2017,10 +2024,10 @@ static int scsi_init_request(struct blk_
+ static void scsi_exit_request(struct blk_mq_tag_set *set, struct request *rq,
+ unsigned int hctx_idx)
+ {
+- struct Scsi_Host *shost = set->driver_data;
+ struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(rq);
+
+- scsi_free_sense_buffer(shost, cmd->sense_buffer);
++ scsi_free_sense_buffer(cmd->flags & SCMD_UNCHECKED_ISA_DMA,
++ cmd->sense_buffer);
+ }
+
+ static int scsi_map_queues(struct blk_mq_tag_set *set)
+@@ -2093,11 +2100,15 @@ EXPORT_SYMBOL_GPL(__scsi_init_queue);
+ static int scsi_init_rq(struct request_queue *q, struct request *rq, gfp_t gfp)
+ {
+ struct Scsi_Host *shost = q->rq_alloc_data;
++ const bool unchecked_isa_dma = shost->unchecked_isa_dma;
+ struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(rq);
+
+ memset(cmd, 0, sizeof(*cmd));
+
+- cmd->sense_buffer = scsi_alloc_sense_buffer(shost, gfp, NUMA_NO_NODE);
++ if (unchecked_isa_dma)
++ cmd->flags |= SCMD_UNCHECKED_ISA_DMA;
++ cmd->sense_buffer = scsi_alloc_sense_buffer(unchecked_isa_dma, gfp,
++ NUMA_NO_NODE);
+ if (!cmd->sense_buffer)
+ goto fail;
+ cmd->req.sense = cmd->sense_buffer;
+@@ -2111,19 +2122,19 @@ static int scsi_init_rq(struct request_q
+ return 0;
+
+ fail_free_sense:
+- scsi_free_sense_buffer(shost, cmd->sense_buffer);
++ scsi_free_sense_buffer(unchecked_isa_dma, cmd->sense_buffer);
+ fail:
+ return -ENOMEM;
+ }
+
+ static void scsi_exit_rq(struct request_queue *q, struct request *rq)
+ {
+- struct Scsi_Host *shost = q->rq_alloc_data;
+ struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(rq);
+
+ if (cmd->prot_sdb)
+ kmem_cache_free(scsi_sdb_cache, cmd->prot_sdb);
+- scsi_free_sense_buffer(shost, cmd->sense_buffer);
++ scsi_free_sense_buffer(cmd->flags & SCMD_UNCHECKED_ISA_DMA,
++ cmd->sense_buffer);
+ }
+
+ struct request_queue *scsi_alloc_queue(struct scsi_device *sdev)
+--- a/include/scsi/scsi_cmnd.h
++++ b/include/scsi/scsi_cmnd.h
+@@ -56,6 +56,7 @@ struct scsi_pointer {
+
+ /* for scmd->flags */
+ #define SCMD_TAGGED (1 << 0)
++#define SCMD_UNCHECKED_ISA_DMA (1 << 1)
+
+ struct scsi_cmnd {
+ struct scsi_request req;
--- /dev/null
+From 3c4810ffdc8e4f34d387f59baf0abefcfa4ada6a Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quinn.tran@cavium.com>
+Date: Fri, 2 Jun 2017 09:11:53 -0700
+Subject: scsi: qla2xxx: Allow ABTS, PURX, RIDA on ATIOQ for ISP83XX/27XX
+
+From: Quinn Tran <quinn.tran@cavium.com>
+
+commit 3c4810ffdc8e4f34d387f59baf0abefcfa4ada6a upstream.
+
+Driver added mechanism to move ABTS/PUREX/RIDA mailbox to
+ATIO queue as part of commit id 41dc529a4602ac737020f423f84686a81de38e6d
+("qla2xxx: Improve RSCN handling in driver").
+
+This patch adds a check to only allow ABTS/PURX/RIDA
+to be moved to ATIO Queue for ISP83XX and ISP27XX.
+
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Reviewed-by: Bart Van Assche <Bart.VanAssche@sandisk.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_init.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -2946,7 +2946,8 @@ qla24xx_update_fw_options(scsi_qla_host_
+ }
+
+ /* Move PUREX, ABTS RX & RIDA to ATIOQ */
+- if (ql2xmvasynctoatio) {
++ if (ql2xmvasynctoatio &&
++ (IS_QLA83XX(ha) || IS_QLA27XX(ha))) {
+ if (qla_tgt_mode_enabled(vha) ||
+ qla_dual_mode_enabled(vha))
+ ha->fw_options[2] |= BIT_11;
+@@ -2958,7 +2959,9 @@ qla24xx_update_fw_options(scsi_qla_host_
+ "%s, add FW options 1-3 = 0x%04x 0x%04x 0x%04x mode %x\n",
+ __func__, ha->fw_options[1], ha->fw_options[2],
+ ha->fw_options[3], vha->host->active_mode);
+- qla2x00_set_fw_options(vha, ha->fw_options);
++
++ if (ha->fw_options[1] || ha->fw_options[2] || ha->fw_options[3])
++ qla2x00_set_fw_options(vha, ha->fw_options);
+
+ /* Update Serial Link options. */
+ if ((le16_to_cpu(ha->fw_seriallink_options24[0]) & BIT_0) == 0)
--- /dev/null
+From 62e62ffd95539b9220894a7900a619e0f3ef4756 Mon Sep 17 00:00:00 2001
+From: Maurizio Lombardi <mlombard@redhat.com>
+Date: Tue, 27 Jun 2017 11:53:27 +0200
+Subject: scsi: ses: do not add a device to an enclosure if enclosure_add_links() fails.
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+commit 62e62ffd95539b9220894a7900a619e0f3ef4756 upstream.
+
+The enclosure_add_device() function should fail if it can't create the
+relevant sysfs links.
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Tested-by: Douglas Miller <dougmill@linux.vnet.ibm.com>
+Acked-by: James Bottomley <jejb@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/enclosure.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/misc/enclosure.c
++++ b/drivers/misc/enclosure.c
+@@ -375,6 +375,7 @@ int enclosure_add_device(struct enclosur
+ struct device *dev)
+ {
+ struct enclosure_component *cdev;
++ int err;
+
+ if (!edev || component >= edev->components)
+ return -EINVAL;
+@@ -384,12 +385,17 @@ int enclosure_add_device(struct enclosur
+ if (cdev->dev == dev)
+ return -EEXIST;
+
+- if (cdev->dev)
++ if (cdev->dev) {
+ enclosure_remove_links(cdev);
+-
+- put_device(cdev->dev);
++ put_device(cdev->dev);
++ }
+ cdev->dev = get_device(dev);
+- return enclosure_add_links(cdev);
++ err = enclosure_add_links(cdev);
++ if (err) {
++ put_device(cdev->dev);
++ cdev->dev = NULL;
++ }
++ return err;
+ }
+ EXPORT_SYMBOL_GPL(enclosure_add_device);
+
--- /dev/null
+From a680f1d463aeaeb00d22af257a56e111967c2f18 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 5 Jul 2017 10:30:56 +0200
+Subject: scsi: virtio_scsi: always read VPD pages for multiqueue too
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit a680f1d463aeaeb00d22af257a56e111967c2f18 upstream.
+
+Multi-queue virtio-scsi uses a different scsi_host_template struct. Add
+the .device_alloc field there, too.
+
+Fixes: 25d1d50e23275e141e3a3fe06c25a99f4c4bf4e0
+Cc: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Fam Zheng <famz@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/virtio_scsi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/virtio_scsi.c
++++ b/drivers/scsi/virtio_scsi.c
+@@ -838,6 +838,7 @@ static struct scsi_host_template virtscs
+ .eh_abort_handler = virtscsi_abort,
+ .eh_device_reset_handler = virtscsi_device_reset,
+ .eh_timed_out = virtscsi_eh_timed_out,
++ .slave_alloc = virtscsi_device_alloc,
+
+ .can_queue = 1024,
+ .dma_boundary = UINT_MAX,
--- /dev/null
+From e72c9a2a67a6400c8ef3d01d4c461dbbbfa0e1f0 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 21 Jun 2017 16:35:46 +0200
+Subject: scsi: virtio_scsi: let host do exception handling
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit e72c9a2a67a6400c8ef3d01d4c461dbbbfa0e1f0 upstream.
+
+virtio_scsi tries to do exception handling after the default 30 seconds
+timeout expires. However, it's better to let the host control the
+timeout, otherwise with a heavy I/O load it is likely that an abort will
+also timeout. This leads to fatal errors like filesystems going
+offline.
+
+Disable the 'sd' timeout and allow the host to do exception handling,
+following the precedent of the storvsc driver.
+
+Hannes has a proposal to introduce timeouts in virtio, but this provides
+an immediate solution for stable kernels too.
+
+[mkp: fixed typo]
+
+Reported-by: Douglas Miller <dougmill@linux.vnet.ibm.com>
+Cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>
+Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: linux-scsi@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/virtio_scsi.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/scsi/virtio_scsi.c
++++ b/drivers/scsi/virtio_scsi.c
+@@ -796,6 +796,16 @@ static int virtscsi_map_queues(struct Sc
+ return blk_mq_virtio_map_queues(&shost->tag_set, vscsi->vdev, 2);
+ }
+
++/*
++ * The host guarantees to respond to each command, although I/O
++ * latencies might be higher than on bare metal. Reset the timer
++ * unconditionally to give the host a chance to perform EH.
++ */
++static enum blk_eh_timer_return virtscsi_eh_timed_out(struct scsi_cmnd *scmnd)
++{
++ return BLK_EH_RESET_TIMER;
++}
++
+ static struct scsi_host_template virtscsi_host_template_single = {
+ .module = THIS_MODULE,
+ .name = "Virtio SCSI HBA",
+@@ -806,6 +816,7 @@ static struct scsi_host_template virtscs
+ .change_queue_depth = virtscsi_change_queue_depth,
+ .eh_abort_handler = virtscsi_abort,
+ .eh_device_reset_handler = virtscsi_device_reset,
++ .eh_timed_out = virtscsi_eh_timed_out,
+ .slave_alloc = virtscsi_device_alloc,
+
+ .can_queue = 1024,
+@@ -826,6 +837,7 @@ static struct scsi_host_template virtscs
+ .change_queue_depth = virtscsi_change_queue_depth,
+ .eh_abort_handler = virtscsi_abort,
+ .eh_device_reset_handler = virtscsi_device_reset,
++ .eh_timed_out = virtscsi_eh_timed_out,
+
+ .can_queue = 1024,
+ .dma_boundary = UINT_MAX,
btrfs-incremental-send-fix-invalid-memory-access.patch
igb-explicitly-select-page-0-at-initialization.patch
spi-atmel-fix-corrupted-data-issue-on-sam9-family-socs.patch
+asoc-zx-i2s-flip-i2s-master-slave-mode.patch
+asoc-compress-derive-substream-from-stream-based-on-direction.patch
+asoc-atmel-tse850-fix-off-by-one-in-the-ana-enumeration-count.patch
+pm-domains-fix-unsafe-iteration-over-modified-list-of-device-links.patch
+pm-domains-fix-unsafe-iteration-over-modified-list-of-domain-providers.patch
+pm-domains-fix-unsafe-iteration-over-modified-list-of-domains.patch
+scsi-ses-do-not-add-a-device-to-an-enclosure-if-enclosure_add_links-fails.patch
+scsi-virtio_scsi-let-host-do-exception-handling.patch
+scsi-qla2xxx-allow-abts-purx-rida-on-atioq-for-isp83xx-27xx.patch
+scsi-add-starget_created_remove-state-to-scsi_target_state.patch
+scsi-avoid-that-scsi_exit_rq-triggers-a-use-after-free.patch
+iscsi-target-add-login_keys_workaround-attribute-for-non-rfc-initiators.patch
+xen-scsiback-fix-a-tmr-related-use-after-free.patch
+scsi-virtio_scsi-always-read-vpd-pages-for-multiqueue-too.patch
+powerpc-mm-radix-only-add-x-for-pages-overlapping-kernel-text.patch
+powerpc-pseries-fix-passing-of-pp0-in-updatepp-and-updateboltedpp.patch
+powerpc-mm-radix-fix-execute-permissions-for-interrupt_vectors.patch
+powerpc-64-fix-atomic64_inc_not_zero-to-return-an-int.patch
+powerpc-fix-emulation-of-mcrf-in-emulate_step.patch
+powerpc-fix-emulation-of-mfocrf-in-emulate_step.patch
+powerpc-asm-mark-cr0-as-clobbered-in-mftb.patch
+powerpc-mm-radix-properly-clear-process-table-entry.patch
+powerpc-perf-fix-sdar_mode-value-for-continous-sampling-on-power9.patch
--- /dev/null
+From 9f4ab18ac51dc87345a9cbd2527e6acf7a0a9335 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+Date: Tue, 23 May 2017 16:48:36 -0700
+Subject: xen/scsiback: Fix a TMR related use-after-free
+
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+
+commit 9f4ab18ac51dc87345a9cbd2527e6acf7a0a9335 upstream.
+
+scsiback_release_cmd() must not dereference se_cmd->se_tmr_req
+because that memory is freed by target_free_cmd_mem() before
+scsiback_release_cmd() is called. Fix this use-after-free by
+inlining struct scsiback_tmr into struct vscsibk_pend.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: David Disseldorp <ddiss@suse.de>
+Cc: xen-devel@lists.xenproject.org
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xen-scsiback.c | 33 +++++++++------------------------
+ 1 file changed, 9 insertions(+), 24 deletions(-)
+
+--- a/drivers/xen/xen-scsiback.c
++++ b/drivers/xen/xen-scsiback.c
+@@ -134,9 +134,7 @@ struct vscsibk_pend {
+ struct page *pages[VSCSI_MAX_GRANTS];
+
+ struct se_cmd se_cmd;
+-};
+
+-struct scsiback_tmr {
+ atomic_t tmr_complete;
+ wait_queue_head_t tmr_wait;
+ };
+@@ -599,26 +597,20 @@ static void scsiback_device_action(struc
+ struct scsiback_tpg *tpg = pending_req->v2p->tpg;
+ struct scsiback_nexus *nexus = tpg->tpg_nexus;
+ struct se_cmd *se_cmd = &pending_req->se_cmd;
+- struct scsiback_tmr *tmr;
+ u64 unpacked_lun = pending_req->v2p->lun;
+ int rc, err = FAILED;
+
+- tmr = kzalloc(sizeof(struct scsiback_tmr), GFP_KERNEL);
+- if (!tmr) {
+- target_put_sess_cmd(se_cmd);
+- goto err;
+- }
+-
+- init_waitqueue_head(&tmr->tmr_wait);
++ init_waitqueue_head(&pending_req->tmr_wait);
+
+ rc = target_submit_tmr(&pending_req->se_cmd, nexus->tvn_se_sess,
+ &pending_req->sense_buffer[0],
+- unpacked_lun, tmr, act, GFP_KERNEL,
++ unpacked_lun, NULL, act, GFP_KERNEL,
+ tag, TARGET_SCF_ACK_KREF);
+ if (rc)
+ goto err;
+
+- wait_event(tmr->tmr_wait, atomic_read(&tmr->tmr_complete));
++ wait_event(pending_req->tmr_wait,
++ atomic_read(&pending_req->tmr_complete));
+
+ err = (se_cmd->se_tmr_req->response == TMR_FUNCTION_COMPLETE) ?
+ SUCCESS : FAILED;
+@@ -626,9 +618,8 @@ static void scsiback_device_action(struc
+ scsiback_do_resp_with_sense(NULL, err, 0, pending_req);
+ transport_generic_free_cmd(&pending_req->se_cmd, 1);
+ return;
++
+ err:
+- if (tmr)
+- kfree(tmr);
+ scsiback_do_resp_with_sense(NULL, err, 0, pending_req);
+ }
+
+@@ -1389,12 +1380,6 @@ static int scsiback_check_stop_free(stru
+ static void scsiback_release_cmd(struct se_cmd *se_cmd)
+ {
+ struct se_session *se_sess = se_cmd->se_sess;
+- struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;
+-
+- if (se_tmr && se_cmd->se_cmd_flags & SCF_SCSI_TMR_CDB) {
+- struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr;
+- kfree(tmr);
+- }
+
+ percpu_ida_free(&se_sess->sess_tag_pool, se_cmd->map_tag);
+ }
+@@ -1455,11 +1440,11 @@ static int scsiback_queue_status(struct
+
+ static void scsiback_queue_tm_rsp(struct se_cmd *se_cmd)
+ {
+- struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;
+- struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr;
++ struct vscsibk_pend *pending_req = container_of(se_cmd,
++ struct vscsibk_pend, se_cmd);
+
+- atomic_set(&tmr->tmr_complete, 1);
+- wake_up(&tmr->tmr_wait);
++ atomic_set(&pending_req->tmr_complete, 1);
++ wake_up(&pending_req->tmr_wait);
+ }
+
+ static void scsiback_aborted_task(struct se_cmd *se_cmd)
projects / thirdparty / kernel / stable-queue.git / commitdiff
