--- /dev/null
+From 1bcfe0564044be578841744faea1c2f46adc8178 Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Fri, 15 Jun 2018 09:41:29 +0200
+Subject: ARM: dts: imx6sx: fix irq for pcie bridge
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit 1bcfe0564044be578841744faea1c2f46adc8178 upstream.
+
+Use the correct IRQ line for the MSI controller in the PCIe host
+controller. Apparently a different IRQ line is used compared to other
+i.MX6 variants. Without this change MSI IRQs aren't properly propagated
+to the upstream interrupt controller.
+
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Reviewed-by: Lucas Stach <l.stach@pengutronix.de>
+Fixes: b1d17f68e5c5 ("ARM: dts: imx: add initial imx6sx device tree source")
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/imx6sx.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/imx6sx.dtsi
++++ b/arch/arm/boot/dts/imx6sx.dtsi
+@@ -1250,7 +1250,7 @@
+ /* non-prefetchable memory */
+ 0x82000000 0 0x08000000 0x08000000 0 0x00f00000>;
+ num-lanes = <1>;
+- interrupts = <GIC_SPI 123 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_SPI 120 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&clks IMX6SX_CLK_PCIE_REF_125M>,
+ <&clks IMX6SX_CLK_PCIE_AXI>,
+ <&clks IMX6SX_CLK_LVDS1_OUT>,
--- /dev/null
+From 08bb558ac11ab944e0539e78619d7b4c356278bd Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Wed, 23 May 2018 15:30:30 +0300
+Subject: IB/core: Make testing MR flags for writability a static inline function
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+commit 08bb558ac11ab944e0539e78619d7b4c356278bd upstream.
+
+Make the MR writability flags check, which is performed in umem.c,
+a static inline function in file ib_verbs.h
+
+This allows the function to be used by low-level infiniband drivers.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/umem.c | 11 +----------
+ include/rdma/ib_verbs.h | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+), 10 deletions(-)
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -122,16 +122,7 @@ struct ib_umem *ib_umem_get(struct ib_uc
+ umem->address = addr;
+ umem->page_size = PAGE_SIZE;
+ umem->pid = get_task_pid(current, PIDTYPE_PID);
+- /*
+- * We ask for writable memory if any of the following
+- * access flags are set. "Local write" and "remote write"
+- * obviously require write access. "Remote atomic" can do
+- * things like fetch and add, which will modify memory, and
+- * "MW bind" can change permissions by binding a window.
+- */
+- umem->writable = !!(access &
+- (IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_WRITE |
+- IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND));
++ umem->writable = ib_access_writable(access);
+
+ if (access & IB_ACCESS_ON_DEMAND) {
+ put_pid(umem->pid);
+--- a/include/rdma/ib_verbs.h
++++ b/include/rdma/ib_verbs.h
+@@ -3007,6 +3007,20 @@ static inline int ib_check_mr_access(int
+ return 0;
+ }
+
++static inline bool ib_access_writable(int access_flags)
++{
++ /*
++ * We have writable memory backing the MR if any of the following
++ * access flags are set. "Local write" and "remote write" obviously
++ * require write access. "Remote atomic" can do things like fetch and
++ * add, which will modify memory, and "MW bind" can change permissions
++ * by binding a window.
++ */
++ return access_flags &
++ (IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_WRITE |
++ IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND);
++}
++
+ /**
+ * ib_check_mr_status: lightweight check of MR status.
+ * This routine may provide status checks on a selected
--- /dev/null
+From d8f9cc328c8888369880e2527e9186d745f2bbf6 Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Wed, 23 May 2018 15:30:31 +0300
+Subject: IB/mlx4: Mark user MR as writable if actual virtual memory is writable
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+commit d8f9cc328c8888369880e2527e9186d745f2bbf6 upstream.
+
+To allow rereg_user_mr to modify the MR from read-only to writable without
+using get_user_pages again, we needed to define the initial MR as writable.
+However, this was originally done unconditionally, without taking into
+account the writability of the underlying virtual memory.
+
+As a result, any attempt to register a read-only MR over read-only
+virtual memory failed.
+
+To fix this, do not add the writable flag bit when the user virtual memory
+is not writable (e.g. const memory).
+
+However, when the underlying memory is NOT writable (and we therefore
+do not define the initial MR as writable), the IB core adds a
+"force writable" flag to its user-pages request. If this succeeds,
+the reg_user_mr caller gets a writable copy of the original pages.
+
+If the user-space caller then does a rereg_user_mr operation to enable
+writability, this will succeed. This should not be allowed, since
+the original virtual memory was not writable.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 9376932d0c26 ("IB/mlx4_ib: Add support for user MR re-registration")
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx4/mr.c | 50 +++++++++++++++++++++++++++++++++-------
+ 1 file changed, 42 insertions(+), 8 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx4/mr.c
++++ b/drivers/infiniband/hw/mlx4/mr.c
+@@ -130,6 +130,40 @@ out:
+ return err;
+ }
+
++static struct ib_umem *mlx4_get_umem_mr(struct ib_ucontext *context, u64 start,
++ u64 length, u64 virt_addr,
++ int access_flags)
++{
++ /*
++ * Force registering the memory as writable if the underlying pages
++ * are writable. This is so rereg can change the access permissions
++ * from readable to writable without having to run through ib_umem_get
++ * again
++ */
++ if (!ib_access_writable(access_flags)) {
++ struct vm_area_struct *vma;
++
++ down_read(¤t->mm->mmap_sem);
++ /*
++ * FIXME: Ideally this would iterate over all the vmas that
++ * cover the memory, but for now it requires a single vma to
++ * entirely cover the MR to support RO mappings.
++ */
++ vma = find_vma(current->mm, start);
++ if (vma && vma->vm_end >= start + length &&
++ vma->vm_start <= start) {
++ if (vma->vm_flags & VM_WRITE)
++ access_flags |= IB_ACCESS_LOCAL_WRITE;
++ } else {
++ access_flags |= IB_ACCESS_LOCAL_WRITE;
++ }
++
++ up_read(¤t->mm->mmap_sem);
++ }
++
++ return ib_umem_get(context, start, length, access_flags, 0);
++}
++
+ struct ib_mr *mlx4_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length,
+ u64 virt_addr, int access_flags,
+ struct ib_udata *udata)
+@@ -144,10 +178,8 @@ struct ib_mr *mlx4_ib_reg_user_mr(struct
+ if (!mr)
+ return ERR_PTR(-ENOMEM);
+
+- /* Force registering the memory as writable. */
+- /* Used for memory re-registeration. HCA protects the access */
+- mr->umem = ib_umem_get(pd->uobject->context, start, length,
+- access_flags | IB_ACCESS_LOCAL_WRITE, 0);
++ mr->umem = mlx4_get_umem_mr(pd->uobject->context, start, length,
++ virt_addr, access_flags);
+ if (IS_ERR(mr->umem)) {
+ err = PTR_ERR(mr->umem);
+ goto err_free;
+@@ -214,6 +246,9 @@ int mlx4_ib_rereg_user_mr(struct ib_mr *
+ }
+
+ if (flags & IB_MR_REREG_ACCESS) {
++ if (ib_access_writable(mr_access_flags) && !mmr->umem->writable)
++ return -EPERM;
++
+ err = mlx4_mr_hw_change_access(dev->dev, *pmpt_entry,
+ convert_access(mr_access_flags));
+
+@@ -227,10 +262,9 @@ int mlx4_ib_rereg_user_mr(struct ib_mr *
+
+ mlx4_mr_rereg_mem_cleanup(dev->dev, &mmr->mmr);
+ ib_umem_release(mmr->umem);
+- mmr->umem = ib_umem_get(mr->uobject->context, start, length,
+- mr_access_flags |
+- IB_ACCESS_LOCAL_WRITE,
+- 0);
++ mmr->umem =
++ mlx4_get_umem_mr(mr->uobject->context, start, length,
++ virt_addr, mr_access_flags);
+ if (IS_ERR(mmr->umem)) {
+ err = PTR_ERR(mmr->umem);
+ /* Prevent mlx4_ib_dereg_mr from free'ing invalid pointer */
--- /dev/null
+From 062d0f22a30c39840ea49b72cfcfc1aa4cc538fa Mon Sep 17 00:00:00 2001
+From: Michael Mera <dev@michaelmera.com>
+Date: Mon, 1 May 2017 15:41:16 +0900
+Subject: IB/ocrdma: fix out of bounds access to local buffer
+
+From: Michael Mera <dev@michaelmera.com>
+
+commit 062d0f22a30c39840ea49b72cfcfc1aa4cc538fa upstream.
+
+In write to debugfs file 'resource_stats' the local buffer 'tmp_str' is
+written at index 'count-1' where 'count' is the size of the write, so
+potentially 0.
+
+This patch filters odd values for the write size/position to avoid this
+type of problem.
+
+Signed-off-by: Michael Mera <dev@michaelmera.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/ocrdma/ocrdma_stats.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/ocrdma/ocrdma_stats.c
++++ b/drivers/infiniband/hw/ocrdma/ocrdma_stats.c
+@@ -643,7 +643,7 @@ static ssize_t ocrdma_dbgfs_ops_write(st
+ struct ocrdma_stats *pstats = filp->private_data;
+ struct ocrdma_dev *dev = pstats->dev;
+
+- if (count > 32)
++ if (*ppos != 0 || count == 0 || count > sizeof(tmp_str))
+ goto err;
+
+ if (copy_from_user(tmp_str, buffer, count))
root-dentries-need-rcu-delayed-freeing.patch
fix-mntput-mntput-race.patch
fix-__legitimize_mnt-mntput-race.patch
+ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch
+ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch
+ib-ocrdma-fix-out-of-bounds-access-to-local-buffer.patch
+arm-dts-imx6sx-fix-irq-for-pcie-bridge.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
