4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 1 Jul 2018 10:08:45 +0000 (12:08 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 1 Jul 2018 10:08:45 +0000 (12:08 +0200)
added patches:
arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch
arm-dts-fix-spi-node-for-arria10.patch
arm-dts-socfpga-fix-nand-controller-clock-supply.patch
arm-dts-socfpga-fix-nand-controller-node-compatible-for-arria10.patch
arm-dts-socfpga-fix-nand-controller-node-compatible.patch
arm64-dts-meson-disable-sd-uhs-modes-on-the-libretech-cc.patch
arm64-fix-syscall-restarting-around-signal-suppressed-by-tracer.patch
arm64-kpti-use-early_param-for-kpti-command-line-option.patch
arm64-mm-ensure-writes-to-swapper-are-ordered-wrt-subsequent-cache-maintenance.patch
bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch
branch-check-fix-long-int-truncation-when-profiling-branches.patch
cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch
cxl-disable-prefault_mode-in-radix-mode.patch
fuse-atomic_o_trunc-should-truncate-pagecache.patch
fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch
fuse-fix-congested-state-leak-on-aborted-connections.patch
fuse-fix-control-dir-setup-and-teardown.patch
ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch
ib-hfi1-fix-fault-injection-init-exit-issues.patch
ib-hfi1-fix-user-context-tail-allocation-for-dma_rtail.patch
ib-hfi1-optimize-kthread-pointer-locking-when-queuing-cq-entries.patch
ib-hfi1-qib-add-handling-of-kernel-restart.patch
ib-hfi1-reorder-incorrect-send-context-disable.patch
ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch
ib-isert-fix-t10-pi-check-mask-setting.patch
ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch
ib-mlx5-fetch-soft-wqe-s-on-fatal-error-state.patch
ib-qib-fix-dma-api-warning-with-debug-kernel.patch
ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch
mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch
mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch
mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch
mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch
mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch
mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch
mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch
of-overlay-validate-offset-from-property-fixups.patch
of-platform-stop-accessing-invalid-dev-in-of_platform_device_destroy.patch
of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch
pci-add-acs-quirk-for-intel-300-series.patch
pci-add-acs-quirk-for-intel-7th-8th-gen-mobile.patch
pci-hv-make-sure-the-bus-domain-is-really-unique.patch
pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch
powerpc-fadump-unregister-fadump-on-kexec-down-path.patch
powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch
powerpc-perf-fix-memory-allocation-for-core-imc-based-on-num_possible_cpus.patch
powerpc-powernv-copy-paste-mask-so-bit-in-cr.patch
powerpc-powernv-cpuidle-init-all-present-cpus-for-deep-states.patch
powerpc-powernv-ioda2-remove-redundant-free-of-tce-pages.patch
powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch
powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch
printk-fix-possible-reuse-of-va_list-variable.patch
rdma-mlx4-discard-unknown-sqp-work-requests.patch
soc-rockchip-power-domain-fix-wrong-value-when-power-up-pd-with-writemask.patch
tpm-fix-race-condition-in-tpm_common_write.patch
tpm-fix-use-after-free-in-tpm2_load_context.patch
xprtrdma-return-enobufs-when-no-pages-are-available.patch

58 files changed:
queue-4.14/arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch [new file with mode: 0644]
queue-4.14/arm-dts-fix-spi-node-for-arria10.patch [new file with mode: 0644]
queue-4.14/arm-dts-socfpga-fix-nand-controller-clock-supply.patch [new file with mode: 0644]
queue-4.14/arm-dts-socfpga-fix-nand-controller-node-compatible-for-arria10.patch [new file with mode: 0644]
queue-4.14/arm-dts-socfpga-fix-nand-controller-node-compatible.patch [new file with mode: 0644]
queue-4.14/arm64-dts-meson-disable-sd-uhs-modes-on-the-libretech-cc.patch [new file with mode: 0644]
queue-4.14/arm64-fix-syscall-restarting-around-signal-suppressed-by-tracer.patch [new file with mode: 0644]
queue-4.14/arm64-kpti-use-early_param-for-kpti-command-line-option.patch [new file with mode: 0644]
queue-4.14/arm64-mm-ensure-writes-to-swapper-are-ordered-wrt-subsequent-cache-maintenance.patch [new file with mode: 0644]
queue-4.14/bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch [new file with mode: 0644]
queue-4.14/branch-check-fix-long-int-truncation-when-profiling-branches.patch [new file with mode: 0644]
queue-4.14/cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch [new file with mode: 0644]
queue-4.14/cxl-disable-prefault_mode-in-radix-mode.patch [new file with mode: 0644]
queue-4.14/fuse-atomic_o_trunc-should-truncate-pagecache.patch [new file with mode: 0644]
queue-4.14/fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch [new file with mode: 0644]
queue-4.14/fuse-fix-congested-state-leak-on-aborted-connections.patch [new file with mode: 0644]
queue-4.14/fuse-fix-control-dir-setup-and-teardown.patch [new file with mode: 0644]
queue-4.14/ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch [new file with mode: 0644]
queue-4.14/ib-hfi1-fix-fault-injection-init-exit-issues.patch [new file with mode: 0644]
queue-4.14/ib-hfi1-fix-user-context-tail-allocation-for-dma_rtail.patch [new file with mode: 0644]
queue-4.14/ib-hfi1-optimize-kthread-pointer-locking-when-queuing-cq-entries.patch [new file with mode: 0644]
queue-4.14/ib-hfi1-qib-add-handling-of-kernel-restart.patch [new file with mode: 0644]
queue-4.14/ib-hfi1-reorder-incorrect-send-context-disable.patch [new file with mode: 0644]
queue-4.14/ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch [new file with mode: 0644]
queue-4.14/ib-isert-fix-t10-pi-check-mask-setting.patch [new file with mode: 0644]
queue-4.14/ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch [new file with mode: 0644]
queue-4.14/ib-mlx5-fetch-soft-wqe-s-on-fatal-error-state.patch [new file with mode: 0644]
queue-4.14/ib-qib-fix-dma-api-warning-with-debug-kernel.patch [new file with mode: 0644]
queue-4.14/ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch [new file with mode: 0644]
queue-4.14/mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch [new file with mode: 0644]
queue-4.14/mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch [new file with mode: 0644]
queue-4.14/mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch [new file with mode: 0644]
queue-4.14/mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch [new file with mode: 0644]
queue-4.14/mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch [new file with mode: 0644]
queue-4.14/mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch [new file with mode: 0644]
queue-4.14/mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch [new file with mode: 0644]
queue-4.14/of-overlay-validate-offset-from-property-fixups.patch [new file with mode: 0644]
queue-4.14/of-platform-stop-accessing-invalid-dev-in-of_platform_device_destroy.patch [new file with mode: 0644]
queue-4.14/of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch [new file with mode: 0644]
queue-4.14/pci-add-acs-quirk-for-intel-300-series.patch [new file with mode: 0644]
queue-4.14/pci-add-acs-quirk-for-intel-7th-8th-gen-mobile.patch [new file with mode: 0644]
queue-4.14/pci-hv-make-sure-the-bus-domain-is-really-unique.patch [new file with mode: 0644]
queue-4.14/pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch [new file with mode: 0644]
queue-4.14/powerpc-fadump-unregister-fadump-on-kexec-down-path.patch [new file with mode: 0644]
queue-4.14/powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch [new file with mode: 0644]
queue-4.14/powerpc-perf-fix-memory-allocation-for-core-imc-based-on-num_possible_cpus.patch [new file with mode: 0644]
queue-4.14/powerpc-powernv-copy-paste-mask-so-bit-in-cr.patch [new file with mode: 0644]
queue-4.14/powerpc-powernv-cpuidle-init-all-present-cpus-for-deep-states.patch [new file with mode: 0644]
queue-4.14/powerpc-powernv-ioda2-remove-redundant-free-of-tce-pages.patch [new file with mode: 0644]
queue-4.14/powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch [new file with mode: 0644]
queue-4.14/powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch [new file with mode: 0644]
queue-4.14/printk-fix-possible-reuse-of-va_list-variable.patch [new file with mode: 0644]
queue-4.14/rdma-mlx4-discard-unknown-sqp-work-requests.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/soc-rockchip-power-domain-fix-wrong-value-when-power-up-pd-with-writemask.patch [new file with mode: 0644]
queue-4.14/tpm-fix-race-condition-in-tpm_common_write.patch [new file with mode: 0644]
queue-4.14/tpm-fix-use-after-free-in-tpm2_load_context.patch [new file with mode: 0644]
queue-4.14/xprtrdma-return-enobufs-when-no-pages-are-available.patch [new file with mode: 0644]

diff --git a/queue-4.14/arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch b/queue-4.14/arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch
new file mode 100644 (file)
index 0000000..ed7656b
--- /dev/null
@@ -0,0 +1,45 @@
+From 76ed0b803a2ab793a1b27d1dfe0de7955282cd34 Mon Sep 17 00:00:00 2001
+From: David Rivshin <DRivshin@allworx.com>
+Date: Wed, 25 Apr 2018 21:15:01 +0100
+Subject: ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size
+
+From: David Rivshin <DRivshin@allworx.com>
+
+commit 76ed0b803a2ab793a1b27d1dfe0de7955282cd34 upstream.
+
+NUMREGBYTES (which is used as the size for gdb_regs[]) is incorrectly
+based on DBG_MAX_REG_NUM instead of GDB_MAX_REGS. DBG_MAX_REG_NUM
+is the number of total registers, while GDB_MAX_REGS is the number
+of 'unsigned longs' it takes to serialize those registers. Since
+FP registers require 3 'unsigned longs' each, DBG_MAX_REG_NUM is
+smaller than GDB_MAX_REGS.
+
+This causes GDB 8.0 give the following error on connect:
+"Truncated register 19 in remote 'g' packet"
+
+This also causes the register serialization/deserialization logic
+to overflow gdb_regs[], overwriting whatever follows.
+
+Fixes: 834b2964b7ab ("kgdb,arm: fix register dump")
+Cc: <stable@vger.kernel.org> # 2.6.37+
+Signed-off-by: David Rivshin <drivshin@allworx.com>
+Acked-by: Rabin Vincent <rabin@rab.in>
+Tested-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/include/asm/kgdb.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/include/asm/kgdb.h
++++ b/arch/arm/include/asm/kgdb.h
+@@ -77,7 +77,7 @@ extern int kgdb_fault_expected;
+ #define KGDB_MAX_NO_CPUS      1
+ #define BUFMAX                        400
+-#define NUMREGBYTES           (DBG_MAX_REG_NUM << 2)
++#define NUMREGBYTES           (GDB_MAX_REGS << 2)
+ #define NUMCRITREGBYTES               (32 << 2)
+ #define _R0                   0
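Review bot: The corrected `NUMREGBYTES` still has no comment saying why `GDB_MAX_REGS` rather than `DBG_MAX_REG_NUM` is the right count, so a later cleanup could undersize `gdb_regs[]` again and bring back the overflow the commit message describes. A comment above the define would record the invariant, e.g. `/* gdb_regs[] holds GDB_MAX_REGS unsigned longs; FP registers serialize as 3 words each, so DBG_MAX_REG_NUM is too small */`. Writing the size as `(GDB_MAX_REGS * sizeof(unsigned long))` would also drop the implicit 4-byte assumption in `<< 2`, provided `NUMREGBYTES` is never used in a preprocessor conditional. The definition of `GDB_MAX_REGS` and the declaration of `gdb_regs[]` are outside the hunk, so both points need checking against the full header.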
diff --git a/queue-4.14/arm-dts-fix-spi-node-for-arria10.patch b/queue-4.14/arm-dts-fix-spi-node-for-arria10.patch
new file mode 100644 (file)
index 0000000..f46efee
--- /dev/null
@@ -0,0 +1,35 @@
+From 975ba94c2c3aca4d9f1ae26f3916d7787495ce86 Mon Sep 17 00:00:00 2001
+From: Thor Thayer <thor.thayer@linux.intel.com>
+Date: Fri, 22 Jun 2018 13:37:34 -0500
+Subject: ARM: dts: Fix SPI node for Arria10
+
+From: Thor Thayer <thor.thayer@linux.intel.com>
+
+commit 975ba94c2c3aca4d9f1ae26f3916d7787495ce86 upstream.
+
+Remove the unused bus-num node and change num-chipselect
+to num-cs to match SPI bindings.
+
+Cc: stable@vger.kernel.org
+Fixes: f2d6f8f817814 ("ARM: dts: socfpga: Add SPI Master1 for Arria10 SR chip")
+Signed-off-by: Thor Thayer <thor.thayer@linux.intel.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/socfpga_arria10.dtsi |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/socfpga_arria10.dtsi
++++ b/arch/arm/boot/dts/socfpga_arria10.dtsi
+@@ -593,8 +593,7 @@
+                       #size-cells = <0>;
+                       reg = <0xffda5000 0x100>;
+                       interrupts = <0 102 4>;
+-                      num-chipselect = <4>;
+-                      bus-num = <0>;
++                      num-cs = <4>;
+                       /*32bit_access;*/
+                       tx-dma-channel = <&pdma 16>;
+                       rx-dma-channel = <&pdma 17>;
diff --git a/queue-4.14/arm-dts-socfpga-fix-nand-controller-clock-supply.patch b/queue-4.14/arm-dts-socfpga-fix-nand-controller-clock-supply.patch
new file mode 100644 (file)
index 0000000..76ee2ce
--- /dev/null
@@ -0,0 +1,36 @@
+From 4eda9b766b042ea38d84df91581b03f6145a2ab0 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Thu, 10 May 2018 16:37:26 +0200
+Subject: ARM: dts: socfpga: Fix NAND controller clock supply
+
+From: Marek Vasut <marex@denx.de>
+
+commit 4eda9b766b042ea38d84df91581b03f6145a2ab0 upstream.
+
+The Denali NAND x-clock should be supplied by nand_x_clk, not by
+nand_clk. Fix this, otherwise the Denali driver gets incorrect
+clock frequency information and incorrectly configures the NAND
+timing.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marek Vasut <marex@denx.de>
+Fixes: d837a80d19 ("ARM: dts: socfpga: add nand controller nodes")
+Cc: Steffen Trumtrar <s.trumtrar@pengutronix.de>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/socfpga.dtsi |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/socfpga.dtsi
++++ b/arch/arm/boot/dts/socfpga.dtsi
+@@ -750,7 +750,7 @@
+                       reg-names = "nand_data", "denali_reg";
+                       interrupts = <0x0 0x90 0x4>;
+                       dma-mask = <0xffffffff>;
+-                      clocks = <&nand_clk>;
++                      clocks = <&nand_x_clk>;
+                       status = "disabled";
+               };
diff --git a/queue-4.14/arm-dts-socfpga-fix-nand-controller-node-compatible-for-arria10.patch b/queue-4.14/arm-dts-socfpga-fix-nand-controller-node-compatible-for-arria10.patch
new file mode 100644 (file)
index 0000000..33aa553
--- /dev/null
@@ -0,0 +1,32 @@
+From 3877ef7a1ccecaae378c497e1dcddbc2dccb664c Mon Sep 17 00:00:00 2001
+From: Dinh Nguyen <dinguyen@kernel.org>
+Date: Mon, 14 May 2018 10:15:19 -0500
+Subject: ARM: dts: socfpga: Fix NAND controller node compatible for Arria10
+
+From: Dinh Nguyen <dinguyen@kernel.org>
+
+commit 3877ef7a1ccecaae378c497e1dcddbc2dccb664c upstream.
+
+The NAND compatible "denali,denal-nand-dt" property has never been used and
+is obsolete. Remove it.
+
+Cc: stable@vger.kernel.org
+Fixes: f549af06e9b6("ARM: dts: socfpga: Add NAND device tree for Arria10")
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/socfpga_arria10.dtsi |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/socfpga_arria10.dtsi
++++ b/arch/arm/boot/dts/socfpga_arria10.dtsi
+@@ -632,7 +632,7 @@
+               nand: nand@ffb90000 {
+                       #address-cells = <1>;
+                       #size-cells = <1>;
+-                      compatible = "denali,denali-nand-dt", "altr,socfpga-denali-nand";
++                      compatible = "altr,socfpga-denali-nand";
+                       reg = <0xffb90000 0x72000>,
+                             <0xffb80000 0x10000>;
+                       reg-names = "nand_data", "denali_reg";
diff --git a/queue-4.14/arm-dts-socfpga-fix-nand-controller-node-compatible.patch b/queue-4.14/arm-dts-socfpga-fix-nand-controller-node-compatible.patch
new file mode 100644 (file)
index 0000000..fb20e57
--- /dev/null
@@ -0,0 +1,35 @@
+From d9a695f3c8098ac9684689774a151cff30d8aa25 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Thu, 10 May 2018 14:52:23 +0200
+Subject: ARM: dts: socfpga: Fix NAND controller node compatible
+
+From: Marek Vasut <marex@denx.de>
+
+commit d9a695f3c8098ac9684689774a151cff30d8aa25 upstream.
+
+The compatible string for the Denali NAND controller is incorrect,
+fix it by replacing it with one matching the DT bindings and the
+driver.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marek Vasut <marex@denx.de>
+Fixes: d837a80d19 ("ARM: dts: socfpga: add nand controller nodes")
+Cc: Steffen Trumtrar <s.trumtrar@pengutronix.de>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/socfpga.dtsi |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/socfpga.dtsi
++++ b/arch/arm/boot/dts/socfpga.dtsi
+@@ -744,7 +744,7 @@
+               nand0: nand@ff900000 {
+                       #address-cells = <0x1>;
+                       #size-cells = <0x1>;
+-                      compatible = "denali,denali-nand-dt";
++                      compatible = "altr,socfpga-denali-nand";
+                       reg = <0xff900000 0x100000>,
+                             <0xffb80000 0x10000>;
+                       reg-names = "nand_data", "denali_reg";
diff --git a/queue-4.14/arm64-dts-meson-disable-sd-uhs-modes-on-the-libretech-cc.patch b/queue-4.14/arm64-dts-meson-disable-sd-uhs-modes-on-the-libretech-cc.patch
new file mode 100644 (file)
index 0000000..80fb58e
--- /dev/null
@@ -0,0 +1,44 @@
+From d5b4885b1dff72ac670b518cfeaac719d768bd4d Mon Sep 17 00:00:00 2001
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Thu, 26 Apr 2018 12:50:46 +0200
+Subject: ARM64: dts: meson: disable sd-uhs modes on the libretech-cc
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+commit d5b4885b1dff72ac670b518cfeaac719d768bd4d upstream.
+
+There is a problem with the sd-uhs mode when doing a soft reboot.
+Switching back from 1.8v to 3.3v messes with the card, which no longer
+respond (timeout errors). According to the specification, we should
+perform a card reset (power cycling the card) but this is something we
+cannot control on this design.
+
+Then the only solution to restore the communication with the card is an
+"unplug-plug" which is not acceptable
+
+Until we find a solution, if any, disable the sd-uhs modes on this design.
+For the people using uhs at the moment, there will a performance drop as
+a result.
+
+Fixes: 3cde63ebc85c ("ARM64: dts: meson-gxl: libretech-cc: enable high speed modes")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts |    3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts
++++ b/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts
+@@ -205,9 +205,6 @@
+       bus-width = <4>;
+       cap-sd-highspeed;
+-      sd-uhs-sdr12;
+-      sd-uhs-sdr25;
+-      sd-uhs-sdr50;
+       max-frequency = <100000000>;
+       disable-wp;
diff --git a/queue-4.14/arm64-fix-syscall-restarting-around-signal-suppressed-by-tracer.patch b/queue-4.14/arm64-fix-syscall-restarting-around-signal-suppressed-by-tracer.patch
new file mode 100644 (file)
index 0000000..4f36090
--- /dev/null
@@ -0,0 +1,72 @@
+From 0fe42512b2f03f9e5a20b9f55ef1013a68b4cd48 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Thu, 7 Jun 2018 12:32:05 +0100
+Subject: arm64: Fix syscall restarting around signal suppressed by tracer
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit 0fe42512b2f03f9e5a20b9f55ef1013a68b4cd48 upstream.
+
+Commit 17c2895 ("arm64: Abstract syscallno manipulation") abstracts
+out the pt_regs.syscallno value for a syscall cancelled by a tracer
+as NO_SYSCALL, and provides helpers to set and check for this
+condition.  However, the way this was implemented has the
+unintended side-effect of disabling part of the syscall restart
+logic.
+
+This comes about because the second in_syscall() check in
+do_signal() re-evaluates the "in a syscall" condition based on the
+updated pt_regs instead of the original pt_regs.  forget_syscall()
+is explicitly called prior to the second check in order to prevent
+restart logic in the ret_to_user path being spuriously triggered,
+which means that the second in_syscall() check always yields false.
+
+This triggers a failure in
+tools/testing/selftests/seccomp/seccomp_bpf.c, when using ptrace to
+suppress a signal that interrups a nanosleep() syscall.
+
+Misbehaviour of this type is only expected in the case where a
+tracer suppresses a signal and the target process is either being
+single-stepped or the interrupted syscall attempts to restart via
+-ERESTARTBLOCK.
+
+This patch restores the old behaviour by performing the
+in_syscall() check only once at the start of the function.
+
+Fixes: 17c289586009 ("arm64: Abstract syscallno manipulation")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Reported-by: Sumit Semwal <sumit.semwal@linaro.org>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: <stable@vger.kernel.org> # 4.14.x-
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/signal.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/signal.c
++++ b/arch/arm64/kernel/signal.c
+@@ -676,11 +676,12 @@ static void do_signal(struct pt_regs *re
+       unsigned long continue_addr = 0, restart_addr = 0;
+       int retval = 0;
+       struct ksignal ksig;
++      bool syscall = in_syscall(regs);
+       /*
+        * If we were from a system call, check for system call restarting...
+        */
+-      if (in_syscall(regs)) {
++      if (syscall) {
+               continue_addr = regs->pc;
+               restart_addr = continue_addr - (compat_thumb_mode(regs) ? 2 : 4);
+               retval = regs->regs[0];
+@@ -732,7 +733,7 @@ static void do_signal(struct pt_regs *re
+        * Handle restarting a different system call. As above, if a debugger
+        * has chosen to restart at a different PC, ignore the restart.
+        */
+-      if (in_syscall(regs) && regs->pc == restart_addr) {
++      if (syscall && regs->pc == restart_addr) {
+               if (retval == -ERESTART_RESTARTBLOCK)
+                       setup_restart_syscall(regs);
+               user_rewind_single_step(current);
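Review bot: The new local `syscall` in `do_signal()` exists only so that the "in a syscall" state survives the later `forget_syscall()` call, but the declaration has no comment saying so. I would add `/* Sample once: forget_syscall() below makes in_syscall(regs) false */` at the declaration, so the second test is not "simplified" back to `in_syscall(regs)` and the restart path is not lost again for ptrace/seccomp users. A name such as `was_in_syscall` would also avoid reading like the `syscall()` function or a syscall number. The `forget_syscall()` call and the rest of the function body are outside the two hunks shown.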
diff --git a/queue-4.14/arm64-kpti-use-early_param-for-kpti-command-line-option.patch b/queue-4.14/arm64-kpti-use-early_param-for-kpti-command-line-option.patch
new file mode 100644 (file)
index 0000000..53929b9
--- /dev/null
@@ -0,0 +1,39 @@
+From b5b7dd647f2d21b93f734ce890671cd908e69b0a Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Fri, 22 Jun 2018 10:25:25 +0100
+Subject: arm64: kpti: Use early_param for kpti= command-line option
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit b5b7dd647f2d21b93f734ce890671cd908e69b0a upstream.
+
+We inspect __kpti_forced early on as part of the cpufeature enable
+callback which remaps the swapper page table using non-global entries.
+
+Ensure that __kpti_forced has been updated to reflect the kpti=
+command-line option before we start using it.
+
+Fixes: ea1e3de85e94 ("arm64: entry: Add fake CPU feature for unmapping the kernel at EL0")
+Cc: <stable@vger.kernel.org> # 4.16.x-
+Reported-by: Wei Xu <xuwei5@hisilicon.com>
+Tested-by: Sudeep Holla <sudeep.holla@arm.com>
+Tested-by: Wei Xu <xuwei5@hisilicon.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/cpufeature.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/cpufeature.c
++++ b/arch/arm64/kernel/cpufeature.c
+@@ -877,7 +877,7 @@ static int __init parse_kpti(char *str)
+       __kpti_forced = enabled ? 1 : -1;
+       return 0;
+ }
+-__setup("kpti=", parse_kpti);
++early_param("kpti", parse_kpti);
+ #endif        /* CONFIG_UNMAP_KERNEL_AT_EL0 */
+ static const struct arm64_cpu_capabilities arm64_features[] = {
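Review bot: The switch to `early_param` for `parse_kpti` depends on an ordering that is stated only in the commit message: `__kpti_forced` has to be updated before the cpufeature enable callback inspects it. A one-line comment above the registration, such as `/* Must be early_param: __kpti_forced is read by the kpti cpufeature enable callback */`, would stop a later change from going back to `__setup()` and applying the `kpti=` option too late. The body of `parse_kpti()` starts outside the hunk. Its visible `return 0` fits the early_param success convention, but the error path is not shown and should be checked against that convention too.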
diff --git a/queue-4.14/arm64-mm-ensure-writes-to-swapper-are-ordered-wrt-subsequent-cache-maintenance.patch b/queue-4.14/arm64-mm-ensure-writes-to-swapper-are-ordered-wrt-subsequent-cache-maintenance.patch
new file mode 100644 (file)
index 0000000..eac86b3
--- /dev/null
@@ -0,0 +1,44 @@
+From 71c8fc0c96abf8e53e74ed4d891d671e585f9076 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Fri, 22 Jun 2018 16:23:45 +0100
+Subject: arm64: mm: Ensure writes to swapper are ordered wrt subsequent cache maintenance
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 71c8fc0c96abf8e53e74ed4d891d671e585f9076 upstream.
+
+When rewriting swapper using nG mappings, we must performance cache
+maintenance around each page table access in order to avoid coherency
+problems with the host's cacheable alias under KVM. To ensure correct
+ordering of the maintenance with respect to Device memory accesses made
+with the Stage-1 MMU disabled, DMBs need to be added between the
+maintenance and the corresponding memory access.
+
+This patch adds a missing DMB between writing a new page table entry and
+performing a clean+invalidate on the same line.
+
+Fixes: f992b4dfd58b ("arm64: kpti: Add ->enable callback to remap swapper using nG mappings")
+Cc: <stable@vger.kernel.org> # 4.16.x-
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/mm/proc.S |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/mm/proc.S
++++ b/arch/arm64/mm/proc.S
+@@ -196,8 +196,9 @@ ENDPROC(idmap_cpu_replace_ttbr1)
+       .macro __idmap_kpti_put_pgtable_ent_ng, type
+       orr     \type, \type, #PTE_NG           // Same bit for blocks and pages
+-      str     \type, [cur_\()\type\()p]       // Update the entry and ensure it
+-      dc      civac, cur_\()\type\()p         // is visible to all CPUs.
++      str     \type, [cur_\()\type\()p]       // Update the entry and ensure
++      dmb     sy                              // that it is visible to all
++      dc      civac, cur_\()\type\()p         // CPUs.
+       .endm
+ /*
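Review bot: The comment spread across the three instructions in `__idmap_kpti_put_pgtable_ent_ng` still describes only the overall goal ("visible to all CPUs") and does not say what the added `dmb sy` orders. Since the barrier is the whole fix, I would give it its own comment, e.g. `dmb sy // order the PTE store before the dc civac on the same line`, and keep the visibility remark on the `dc civac` line. The reason given in the commit message (coherency with the host's cacheable alias under KVM, for accesses made with the Stage-1 MMU disabled) deserves a short comment above the macro, so the barrier is not later removed as redundant. The macro's callers are outside the hunk.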
diff --git a/queue-4.14/bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch b/queue-4.14/bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch
new file mode 100644 (file)
index 0000000..b66d92d
--- /dev/null
@@ -0,0 +1,42 @@
+From 7dc5fe0814c35ec4e7d2e8fa30abab72e0e6a172 Mon Sep 17 00:00:00 2001
+From: Amit Pundir <amit.pundir@linaro.org>
+Date: Mon, 16 Apr 2018 12:10:24 +0530
+Subject: Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader
+
+From: Amit Pundir <amit.pundir@linaro.org>
+
+commit 7dc5fe0814c35ec4e7d2e8fa30abab72e0e6a172 upstream.
+
+AOSP use userspace firmware loader to load firmwares, which will
+return -EAGAIN in case qca/rampatch_00440302.bin is not found.
+Since there is no rampatch for dragonboard820c QCA controller
+revision, just make it work as is.
+
+CC: Loic Poulain <loic.poulain@linaro.org>
+CC: Nicolas Dechesne <nicolas.dechesne@linaro.org>
+CC: Marcel Holtmann <marcel@holtmann.org>
+CC: Johan Hedberg <johan.hedberg@gmail.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/hci_qca.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -936,6 +936,12 @@ static int qca_setup(struct hci_uart *hu
+       } else if (ret == -ENOENT) {
+               /* No patch/nvm-config found, run with original fw/config */
+               ret = 0;
++      } else if (ret == -EAGAIN) {
++              /*
++               * Userspace firmware loader will return -EAGAIN in case no
++               * patch/nvm-config is found, so run with original fw/config.
++               */
++              ret = 0;
+       }
+       /* Setup bdaddr */
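Review bot: The added `-EAGAIN` branch in `qca_setup()` duplicates the `-ENOENT` branch and turns an error that normally means "retry" into unconditional success. If the userspace loader can return `-EAGAIN` for anything other than a missing file, the controller would then run its original firmware with no trace of the failure. The two cases can share one arm, `} else if (ret == -ENOENT || ret == -EAGAIN) {`, and logging the error code there would let operators tell "no rampatch exists for this revision" from "rampatch delivery failed". Whether `-EAGAIN` has other causes depends on the firmware-loading path, which is not visible here. The body of `qca_setup()` starts and ends outside the hunk.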
diff --git a/queue-4.14/branch-check-fix-long-int-truncation-when-profiling-branches.patch b/queue-4.14/branch-check-fix-long-int-truncation-when-profiling-branches.patch
new file mode 100644 (file)
index 0000000..af46047
--- /dev/null
@@ -0,0 +1,41 @@
+From 2026d35741f2c3ece73c11eb7e4a15d7c2df9ebe Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 30 May 2018 08:19:22 -0400
+Subject: branch-check: fix long->int truncation when profiling branches
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 2026d35741f2c3ece73c11eb7e4a15d7c2df9ebe upstream.
+
+The function __builtin_expect returns long type (see the gcc
+documentation), and so do macros likely and unlikely. Unfortunatelly, when
+CONFIG_PROFILE_ANNOTATED_BRANCHES is selected, the macros likely and
+unlikely expand to __branch_check__ and __branch_check__ truncates the
+long type to int. This unintended truncation may cause bugs in various
+kernel code (we found a bug in dm-writecache because of it), so it's
+better to fix __branch_check__ to return long.
+
+Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1805300818140.24812@file01.intranet.prod.int.rdu2.redhat.com
+
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 1f0d69a9fc815 ("tracing: profile likely and unlikely annotations")
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/compiler.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -21,7 +21,7 @@ void ftrace_likely_update(struct ftrace_
+ #define unlikely_notrace(x)   __builtin_expect(!!(x), 0)
+ #define __branch_check__(x, expect, is_constant) ({                   \
+-                      int ______r;                                    \
++                      long ______r;                                   \
+                       static struct ftrace_likely_data                \
+                               __attribute__((__aligned__(4)))         \
+                               __attribute__((section("_ftrace_annotated_branch"))) \
diff --git a/queue-4.14/cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch b/queue-4.14/cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch
new file mode 100644 (file)
index 0000000..63f73eb
--- /dev/null
@@ -0,0 +1,146 @@
+From 0a4ec6aa035a52c422eceb2ed51ed88392a3d6c2 Mon Sep 17 00:00:00 2001
+From: "Gautham R. Shenoy" <ego@linux.vnet.ibm.com>
+Date: Thu, 31 May 2018 17:45:09 +0530
+Subject: cpuidle: powernv: Fix promotion from snooze if next state disabled
+
+From: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
+
+commit 0a4ec6aa035a52c422eceb2ed51ed88392a3d6c2 upstream.
+
+The commit 78eaa10f027c ("cpuidle: powernv/pseries: Auto-promotion of
+snooze to deeper idle state") introduced a timeout for the snooze idle
+state so that it could be eventually be promoted to a deeper idle
+state. The snooze timeout value is static and set to the target
+residency of the next idle state, which would train the cpuidle
+governor to pick the next idle state eventually.
+
+The unfortunate side-effect of this is that if the next idle state(s)
+is disabled, the CPU will forever remain in snooze, despite the fact
+that the system is completely idle, and other deeper idle states are
+available.
+
+This patch fixes the issue by dynamically setting the snooze timeout
+to the target residency of the next enabled state on the device.
+
+Before Patch:
+  POWER8 : Only nap disabled.
+  $ cpupower monitor sleep 30
+  sleep took 30.01297 seconds and exited with status 0
+                |Idle_Stats
+  PKG |CORE|CPU | snoo | Nap  | Fast
+     0|   8|   0| 96.41|  0.00|  0.00
+     0|   8|   1| 96.43|  0.00|  0.00
+     0|   8|   2| 96.47|  0.00|  0.00
+     0|   8|   3| 96.35|  0.00|  0.00
+     0|   8|   4| 96.37|  0.00|  0.00
+     0|   8|   5| 96.37|  0.00|  0.00
+     0|   8|   6| 96.47|  0.00|  0.00
+     0|   8|   7| 96.47|  0.00|  0.00
+
+  POWER9: Shallow states (stop0lite, stop1lite, stop2lite, stop0, stop1,
+  stop2) disabled:
+  $ cpupower monitor sleep 30
+  sleep took 30.05033 seconds and exited with status 0
+                |Idle_Stats
+  PKG |CORE|CPU | snoo | stop | stop | stop | stop | stop | stop | stop | stop
+     0|  16|   0| 89.79|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00
+     0|  16|   1| 90.12|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00
+     0|  16|   2| 90.21|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00
+     0|  16|   3| 90.29|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00
+
+After Patch:
+  POWER8 : Only nap disabled.
+  $ cpupower monitor sleep 30
+  sleep took 30.01200 seconds and exited with status 0
+                |Idle_Stats
+  PKG |CORE|CPU | snoo | Nap  | Fast
+     0|   8|   0| 16.58|  0.00| 77.21
+     0|   8|   1| 18.42|  0.00| 75.38
+     0|   8|   2|  4.70|  0.00| 94.09
+     0|   8|   3| 17.06|  0.00| 81.73
+     0|   8|   4|  3.06|  0.00| 95.73
+     0|   8|   5|  7.00|  0.00| 96.80
+     0|   8|   6|  1.00|  0.00| 98.79
+     0|   8|   7|  5.62|  0.00| 94.17
+
+  POWER9: Shallow states (stop0lite, stop1lite, stop2lite, stop0, stop1,
+  stop2) disabled:
+
+  $ cpupower monitor sleep 30
+  sleep took 30.02110 seconds and exited with status 0
+                |Idle_Stats
+  PKG |CORE|CPU | snoo | stop | stop | stop | stop | stop | stop | stop | stop
+     0|   0|   0|  0.69|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  9.39| 89.70
+     0|   0|   1|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.05| 93.21
+     0|   0|   2|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00| 89.93
+     0|   0|   3|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00| 93.26
+
+Fixes: 78eaa10f027c ("cpuidle: powernv/pseries: Auto-promotion of snooze to deeper idle state")
+Cc: stable@vger.kernel.org # v4.2+
+Signed-off-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
+Reviewed-by: Balbir Singh <bsingharora@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpuidle/cpuidle-powernv.c |   32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+--- a/drivers/cpuidle/cpuidle-powernv.c
++++ b/drivers/cpuidle/cpuidle-powernv.c
+@@ -43,9 +43,31 @@ struct stop_psscr_table {
+ static struct stop_psscr_table stop_psscr_table[CPUIDLE_STATE_MAX] __read_mostly;
+-static u64 snooze_timeout __read_mostly;
++static u64 default_snooze_timeout __read_mostly;
+ static bool snooze_timeout_en __read_mostly;
++static u64 get_snooze_timeout(struct cpuidle_device *dev,
++                            struct cpuidle_driver *drv,
++                            int index)
++{
++      int i;
++
++      if (unlikely(!snooze_timeout_en))
++              return default_snooze_timeout;
++
++      for (i = index + 1; i < drv->state_count; i++) {
++              struct cpuidle_state *s = &drv->states[i];
++              struct cpuidle_state_usage *su = &dev->states_usage[i];
++
++              if (s->disabled || su->disable)
++                      continue;
++
++              return s->target_residency * tb_ticks_per_usec;
++      }
++
++      return default_snooze_timeout;
++}
++
+ static int snooze_loop(struct cpuidle_device *dev,
+                       struct cpuidle_driver *drv,
+                       int index)
+@@ -56,7 +78,7 @@ static int snooze_loop(struct cpuidle_de
+       local_irq_enable();
+-      snooze_exit_time = get_tb() + snooze_timeout;
++      snooze_exit_time = get_tb() + get_snooze_timeout(dev, drv, index);
+       ppc64_runlatch_off();
+       HMT_very_low();
+       while (!need_resched()) {
+@@ -463,11 +485,9 @@ static int powernv_idle_probe(void)
+               cpuidle_state_table = powernv_states;
+               /* Device tree can indicate more idle states */
+               max_idle_state = powernv_add_idle_states();
+-              if (max_idle_state > 1) {
++              default_snooze_timeout = TICK_USEC * tb_ticks_per_usec;
++              if (max_idle_state > 1)
+                       snooze_timeout_en = true;
+-                      snooze_timeout = powernv_states[1].target_residency *
+-                                       tb_ticks_per_usec;
+-              }
+       } else
+               return -ENODEV;
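Review bot: `get_snooze_timeout()` is added without a comment, and its two fallbacks to `default_snooze_timeout` (timeout disabled, or no enabled state after `index`) are easy to miss when reading `snooze_loop()`. A short comment above it would help, for example `/* Snooze timeout: target residency of the next enabled state after index, else default_snooze_timeout. */`. The assignment in `powernv_idle_probe()` could also note that the default is one tick (`TICK_USEC * tb_ticks_per_usec`), since that is the value used when every deeper state is disabled. Both `snooze_loop()` and `powernv_idle_probe()` continue outside the hunks shown.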
diff --git a/queue-4.14/cxl-disable-prefault_mode-in-radix-mode.patch b/queue-4.14/cxl-disable-prefault_mode-in-radix-mode.patch
new file mode 100644 (file)
index 0000000..555b682
--- /dev/null
@@ -0,0 +1,100 @@
+From b6c84ba22ff3a198eb8d5552cf9b8fda1d792e54 Mon Sep 17 00:00:00 2001
+From: Vaibhav Jain <vaibhav@linux.ibm.com>
+Date: Fri, 18 May 2018 15:12:23 +0530
+Subject: cxl: Disable prefault_mode in Radix mode
+
+From: Vaibhav Jain <vaibhav@linux.ibm.com>
+
+commit b6c84ba22ff3a198eb8d5552cf9b8fda1d792e54 upstream.
+
+Currently we see a kernel-oops reported on Power-9 while attaching a
+context to an AFU, with radix-mode and sysfs attr 'prefault_mode' set
+to anything other than 'none'. The backtrace of the oops is of this
+form:
+
+  Unable to handle kernel paging request for data at address 0x00000080
+  Faulting instruction address: 0xc00800000bcf3b20
+  cpu 0x1: Vector: 300 (Data Access) at [c00000037f003800]
+      pc: c00800000bcf3b20: cxl_load_segment+0x178/0x290 [cxl]
+      lr: c00800000bcf39f0: cxl_load_segment+0x48/0x290 [cxl]
+      sp: c00000037f003a80
+     msr: 9000000000009033
+     dar: 80
+   dsisr: 40000000
+    current = 0xc00000037f280000
+    paca    = 0xc0000003ffffe600   softe: 3        irq_happened: 0x01
+      pid   = 3529, comm = afp_no_int
+  <snip>
+  cxl_prefault+0xfc/0x248 [cxl]
+  process_element_entry_psl9+0xd8/0x1a0 [cxl]
+  cxl_attach_dedicated_process_psl9+0x44/0x130 [cxl]
+  native_attach_process+0xc0/0x130 [cxl]
+  afu_ioctl+0x3f4/0x5e0 [cxl]
+  do_vfs_ioctl+0xdc/0x890
+  ksys_ioctl+0x68/0xf0
+  sys_ioctl+0x40/0xa0
+  system_call+0x58/0x6c
+
+The issue is caused as on Power-8 the AFU attr 'prefault_mode' was
+used to improve initial storage fault performance by prefaulting
+process segments. However on Power-9 with radix mode we don't have
+Storage-Segments that we can prefault. Also prefaulting process Pages
+will be too costly and fine-grained.
+
+Hence, since the prefaulting mechanism doesn't makes sense of
+radix-mode, this patch updates prefault_mode_store() to not allow any
+other value apart from CXL_PREFAULT_NONE when radix mode is enabled.
+
+Fixes: f24be42aab37 ("cxl: Add psl9 specific code")
+Cc: stable@vger.kernel.org # v4.12+
+Signed-off-by: Vaibhav Jain <vaibhav@linux.ibm.com>
+Acked-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
+Acked-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/ABI/testing/sysfs-class-cxl |    4 +++-
+ drivers/misc/cxl/sysfs.c                  |   16 ++++++++++++----
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+--- a/Documentation/ABI/testing/sysfs-class-cxl
++++ b/Documentation/ABI/testing/sysfs-class-cxl
+@@ -69,7 +69,9 @@ Date:           September 2014
+ Contact:        linuxppc-dev@lists.ozlabs.org
+ Description:    read/write
+                 Set the mode for prefaulting in segments into the segment table
+-                when performing the START_WORK ioctl. Possible values:
++                when performing the START_WORK ioctl. Only applicable when
++                running under hashed page table mmu.
++                Possible values:
+                         none: No prefaulting (default)
+                         work_element_descriptor: Treat the work element
+                                  descriptor as an effective address and
+--- a/drivers/misc/cxl/sysfs.c
++++ b/drivers/misc/cxl/sysfs.c
+@@ -331,12 +331,20 @@ static ssize_t prefault_mode_store(struc
+       struct cxl_afu *afu = to_cxl_afu(device);
+       enum prefault_modes mode = -1;
+-      if (!strncmp(buf, "work_element_descriptor", 23))
+-              mode = CXL_PREFAULT_WED;
+-      if (!strncmp(buf, "all", 3))
+-              mode = CXL_PREFAULT_ALL;
+       if (!strncmp(buf, "none", 4))
+               mode = CXL_PREFAULT_NONE;
++      else {
++              if (!radix_enabled()) {
++
++                      /* only allowed when not in radix mode */
++                      if (!strncmp(buf, "work_element_descriptor", 23))
++                              mode = CXL_PREFAULT_WED;
++                      if (!strncmp(buf, "all", 3))
++                              mode = CXL_PREFAULT_ALL;
++              } else {
++                      dev_err(device, "Cannot prefault with radix enabled\n");
++              }
++      }
+       if (mode == -1)
+               return -EINVAL;
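Review bot: The new `dev_err()` in `prefault_mode_store()` fires on every write that does not start with "none" while radix is enabled, so anything with write access to the attribute can fill the kernel log at error level. A rate-limited call, `dev_err_ratelimited(device, "Cannot prefault with radix enabled\n");`, keeps the diagnostic without that side effect. The same branch is also taken for input that is not a valid mode at all, where the message is misleading. The `strncmp()` prefix tests still accept trailing text after a valid mode name; `sysfs_streq()` would reject it. The function continues past the end of the hunk.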
diff --git a/queue-4.14/fuse-atomic_o_trunc-should-truncate-pagecache.patch b/queue-4.14/fuse-atomic_o_trunc-should-truncate-pagecache.patch
new file mode 100644 (file)
index 0000000..f420831
--- /dev/null
@@ -0,0 +1,52 @@
+From df0e91d488276086bc07da2e389986cae0048c37 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Thu, 8 Feb 2018 15:17:38 +0100
+Subject: fuse: atomic_o_trunc should truncate pagecache
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit df0e91d488276086bc07da2e389986cae0048c37 upstream.
+
+Fuse has an "atomic_o_trunc" mode, where userspace filesystem uses the
+O_TRUNC flag in the OPEN request to truncate the file atomically with the
+open.
+
+In this mode there's no need to send a SETATTR request to userspace after
+the open, so fuse_do_setattr() checks this mode and returns.  But this
+misses the important step of truncating the pagecache.
+
+Add the missing parts of truncation to the ATTR_OPEN branch.
+
+Reported-by: Chad Austin <chadaustin@fb.com>
+Fixes: 6ff958edbf39 ("fuse: add atomic open+truncate support")
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dir.c |   13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1629,8 +1629,19 @@ int fuse_do_setattr(struct dentry *dentr
+               return err;
+       if (attr->ia_valid & ATTR_OPEN) {
+-              if (fc->atomic_o_trunc)
++              /* This is coming from open(..., ... | O_TRUNC); */
++              WARN_ON(!(attr->ia_valid & ATTR_SIZE));
++              WARN_ON(attr->ia_size != 0);
++              if (fc->atomic_o_trunc) {
++                      /*
++                       * No need to send request to userspace, since actual
++                       * truncation has already been done by OPEN.  But still
++                       * need to truncate page cache.
++                       */
++                      i_size_write(inode, 0);
++                      truncate_pagecache(inode, 0);
+                       return 0;
++              }
+               file = NULL;
+       }
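Review bot: The two `WARN_ON()` checks in the `ATTR_OPEN` branch only report a violated assumption; the lines after them still run `i_size_write(inode, 0)` and `truncate_pagecache(inode, 0)` whatever `attr->ia_size` holds. If this branch were ever reached without `ATTR_SIZE` or with a non-zero size, the cached data would be discarded anyway and a stack trace printed on each such call. I would use `WARN_ON_ONCE(attr->ia_size != 0);` (and likewise for the `ATTR_SIZE` test) and skip the truncation when either check fires. `fuse_do_setattr()` starts and ends outside the hunk, so whether earlier code already guarantees these conditions cannot be seen here.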
diff --git a/queue-4.14/fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch b/queue-4.14/fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch
new file mode 100644 (file)
index 0000000..8dbf08e
--- /dev/null
@@ -0,0 +1,41 @@
+From 543b8f8662fe6d21f19958b666ab0051af9db21a Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Tue, 1 May 2018 13:12:14 +0900
+Subject: fuse: don't keep dead fuse_conn at fuse_fill_super().
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 543b8f8662fe6d21f19958b666ab0051af9db21a upstream.
+
+syzbot is reporting use-after-free at fuse_kill_sb_blk() [1].
+Since sb->s_fs_info field is not cleared after fc was released by
+fuse_conn_put() when initialization failed, fuse_kill_sb_blk() finds
+already released fc and tries to hold the lock. Fix this by clearing
+sb->s_fs_info field after calling fuse_conn_put().
+
+[1] https://syzkaller.appspot.com/bug?id=a07a680ed0a9290585ca424546860464dd9658db
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+ec3986119086fe4eec97@syzkaller.appspotmail.com>
+Fixes: 3b463ae0c626 ("fuse: invalidation reverse calls")
+Cc: John Muir <john@jmuir.com>
+Cc: Csaba Henk <csaba@gluster.com>
+Cc: Anand Avati <avati@redhat.com>
+Cc: <stable@vger.kernel.org> # v2.6.31
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/inode.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -1176,6 +1176,7 @@ static int fuse_fill_super(struct super_
+       fuse_dev_free(fud);
+  err_put_conn:
+       fuse_conn_put(fc);
++      sb->s_fs_info = NULL;
+  err_fput:
+       fput(file);
+  err:
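Review bot: The added `sb->s_fs_info = NULL;` under `err_put_conn` has no comment, and on an error path that is about to return it reads as redundant. The commit message explains that the kill_sb path later reads this field and would find the released `fc`; a one-line comment keeps that reasoning next to the code, e.g. `/* fc may be gone after the put; fuse_kill_sb_*() must not see a stale s_fs_info */`. The body of `fuse_fill_super()` before these labels is outside the hunk.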
diff --git a/queue-4.14/fuse-fix-congested-state-leak-on-aborted-connections.patch b/queue-4.14/fuse-fix-congested-state-leak-on-aborted-connections.patch
new file mode 100644 (file)
index 0000000..65ae764
--- /dev/null
@@ -0,0 +1,49 @@
+From 8a301eb16d99983a4961f884690ec97b92e7dcfe Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Fri, 2 Feb 2018 09:54:14 -0800
+Subject: fuse: fix congested state leak on aborted connections
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 8a301eb16d99983a4961f884690ec97b92e7dcfe upstream.
+
+If a connection gets aborted while congested, FUSE can leave
+nr_wb_congested[] stuck until reboot causing wait_iff_congested() to
+wait spuriously which can lead to severe performance degradation.
+
+The leak is caused by gating congestion state clearing with
+fc->connected test in request_end().  This was added way back in 2009
+by 26c3679101db ("fuse: destroy bdi on umount").  While the commit
+description doesn't explain why the test was added, it most likely was
+to avoid dereferencing bdi after it got destroyed.
+
+Since then, bdi lifetime rules have changed many times and now we're
+always guaranteed to have access to the bdi while the superblock is
+alive (fc->sb).
+
+Drop fc->connected conditional to avoid leaking congestion states.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Joshua Miller <joshmiller@fb.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: stable@vger.kernel.org # v2.6.29+
+Acked-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dev.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -381,8 +381,7 @@ static void request_end(struct fuse_conn
+               if (!fc->blocked && waitqueue_active(&fc->blocked_waitq))
+                       wake_up(&fc->blocked_waitq);
+-              if (fc->num_background == fc->congestion_threshold &&
+-                  fc->connected && fc->sb) {
++              if (fc->num_background == fc->congestion_threshold && fc->sb) {
+                       clear_bdi_congested(fc->sb->s_bdi, BLK_RW_SYNC);
+                       clear_bdi_congested(fc->sb->s_bdi, BLK_RW_ASYNC);
+               }
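Review bot: With `fc->connected` dropped from the condition in `request_end()`, the `fc->sb` test is the only thing guarding the `fc->sb->s_bdi` dereference, and the code does not say why that is sufficient. The commit message states the lifetime rule (the bdi is accessible while the superblock is alive); it should be recorded at the call site, for example `/* bdi is valid as long as fc->sb is set, so clear congestion even on an aborted connection */`. Where `fc->sb` is cleared, and under which lock it is read here, is outside the hunk and worth confirming.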
diff --git a/queue-4.14/fuse-fix-control-dir-setup-and-teardown.patch b/queue-4.14/fuse-fix-control-dir-setup-and-teardown.patch
new file mode 100644 (file)
index 0000000..af9f912
--- /dev/null
@@ -0,0 +1,68 @@
+From 6becdb601bae2a043d7fb9762c4d48699528ea6e Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Thu, 31 May 2018 12:26:10 +0200
+Subject: fuse: fix control dir setup and teardown
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 6becdb601bae2a043d7fb9762c4d48699528ea6e upstream.
+
+syzbot is reporting NULL pointer dereference at fuse_ctl_remove_conn() [1].
+Since fc->ctl_ndents is incremented by fuse_ctl_add_conn() when new_inode()
+failed, fuse_ctl_remove_conn() reaches an inode-less dentry and tries to
+clear d_inode(dentry)->i_private field.
+
+Fix by only adding the dentry to the array after being fully set up.
+
+When tearing down the control directory, do d_invalidate() on it to get rid
+of any mounts that might have been added.
+
+[1] https://syzkaller.appspot.com/bug?id=f396d863067238959c91c0b7cfc10b163638cac6
+Reported-by: syzbot <syzbot+32c236387d66c4516827@syzkaller.appspotmail.com>
+Fixes: bafa96541b25 ("[PATCH] fuse: add control filesystem")
+Cc: <stable@vger.kernel.org> # v2.6.18
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/control.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/fs/fuse/control.c
++++ b/fs/fuse/control.c
+@@ -211,10 +211,11 @@ static struct dentry *fuse_ctl_add_dentr
+       if (!dentry)
+               return NULL;
+-      fc->ctl_dentry[fc->ctl_ndents++] = dentry;
+       inode = new_inode(fuse_control_sb);
+-      if (!inode)
++      if (!inode) {
++              dput(dentry);
+               return NULL;
++      }
+       inode->i_ino = get_next_ino();
+       inode->i_mode = mode;
+@@ -228,6 +229,9 @@ static struct dentry *fuse_ctl_add_dentr
+       set_nlink(inode, nlink);
+       inode->i_private = fc;
+       d_add(dentry, inode);
++
++      fc->ctl_dentry[fc->ctl_ndents++] = dentry;
++
+       return dentry;
+ }
+@@ -284,7 +288,10 @@ void fuse_ctl_remove_conn(struct fuse_co
+       for (i = fc->ctl_ndents - 1; i >= 0; i--) {
+               struct dentry *dentry = fc->ctl_dentry[i];
+               d_inode(dentry)->i_private = NULL;
+-              d_drop(dentry);
++              if (!i) {
++                      /* Get rid of submounts: */
++                      d_invalidate(dentry);
++              }
+               dput(dentry);
+       }
+       drop_nlink(d_inode(fuse_control_sb->s_root));
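Review bot: In `fuse_ctl_remove_conn()` the new `if (!i)` singles out `ctl_dentry[0]` without saying what that entry is; the comment only says "Get rid of submounts". Presumably index 0 is the per-connection directory and the other entries are its children, which would also explain why removing `d_drop()` for them is acceptable, but nothing in the hunk states it. A comment such as `/* ctl_dentry[0] is the connection directory; invalidating it also detaches the entries below it */` would make that dependency explicit (wording to be confirmed against the code that fills the array). The relocated `fc->ctl_dentry[fc->ctl_ndents++] = dentry;` has no bound check within the hunk; the start of `fuse_ctl_add_dentry()` is outside it, so confirm the limit is enforced there.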
diff --git a/queue-4.14/ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch b/queue-4.14/ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch
new file mode 100644 (file)
index 0000000..6f8fdab
--- /dev/null
@@ -0,0 +1,68 @@
+From 08bb558ac11ab944e0539e78619d7b4c356278bd Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Wed, 23 May 2018 15:30:30 +0300
+Subject: IB/core: Make testing MR flags for writability a static inline function
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+commit 08bb558ac11ab944e0539e78619d7b4c356278bd upstream.
+
+Make the MR writability flags check, which is performed in umem.c,
+a static inline function in file ib_verbs.h
+
+This allows the function to be used by low-level infiniband drivers.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/umem.c |   11 +----------
+ include/rdma/ib_verbs.h        |   14 ++++++++++++++
+ 2 files changed, 15 insertions(+), 10 deletions(-)
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -119,16 +119,7 @@ struct ib_umem *ib_umem_get(struct ib_uc
+       umem->length     = size;
+       umem->address    = addr;
+       umem->page_shift = PAGE_SHIFT;
+-      /*
+-       * We ask for writable memory if any of the following
+-       * access flags are set.  "Local write" and "remote write"
+-       * obviously require write access.  "Remote atomic" can do
+-       * things like fetch and add, which will modify memory, and
+-       * "MW bind" can change permissions by binding a window.
+-       */
+-      umem->writable  = !!(access &
+-              (IB_ACCESS_LOCAL_WRITE   | IB_ACCESS_REMOTE_WRITE |
+-               IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND));
++      umem->writable   = ib_access_writable(access);
+       if (access & IB_ACCESS_ON_DEMAND) {
+               ret = ib_umem_odp_get(context, umem, access);
+--- a/include/rdma/ib_verbs.h
++++ b/include/rdma/ib_verbs.h
+@@ -3558,6 +3558,20 @@ static inline int ib_check_mr_access(int
+       return 0;
+ }
++static inline bool ib_access_writable(int access_flags)
++{
++      /*
++       * We have writable memory backing the MR if any of the following
++       * access flags are set.  "Local write" and "remote write" obviously
++       * require write access.  "Remote atomic" can do things like fetch and
++       * add, which will modify memory, and "MW bind" can change permissions
++       * by binding a window.
++       */
++      return access_flags &
++              (IB_ACCESS_LOCAL_WRITE   | IB_ACCESS_REMOTE_WRITE |
++               IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND);
++}
++
+ /**
+  * ib_check_mr_status: lightweight check of MR status.
+  *     This routine may provide status checks on a selected
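Review bot: `ib_access_writable()` is now a header-level helper intended for drivers, but its explanation sits in a block comment inside the body, while the neighbouring `ib_check_mr_status` is documented with a kernel-doc comment. Moving the text into a `/** ib_access_writable - ... */` block above the function, with `@access_flags` described, would document it alongside the rest of the API. The `return` also drops the `!!` that the removed umem.c code had; conversion to `bool` yields the same value, so this is a readability point only, but `!!(access_flags & (...))` would keep the two versions visibly equivalent.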
diff --git a/queue-4.14/ib-hfi1-fix-fault-injection-init-exit-issues.patch b/queue-4.14/ib-hfi1-fix-fault-injection-init-exit-issues.patch
new file mode 100644 (file)
index 0000000..8ef347b
--- /dev/null
@@ -0,0 +1,122 @@
+From 8c79d8223bb11b2f005695a32ddd3985de97727c Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Wed, 2 May 2018 06:42:44 -0700
+Subject: IB/hfi1: Fix fault injection init/exit issues
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+commit 8c79d8223bb11b2f005695a32ddd3985de97727c upstream.
+
+There are config dependent code paths that expose panics in unload
+paths both in this file and in debugfs_remove_recursive() because
+CONFIG_FAULT_INJECTION and CONFIG_FAULT_INJECTION_DEBUG_FS can be
+set independently.
+
+Having CONFIG_FAULT_INJECTION set and CONFIG_FAULT_INJECTION_DEBUG_FS
+reset causes fault_create_debugfs_attr() to return an error.
+
+The debugfs.c routines tolerate failures, but the module unload panics
+dereferencing a NULL in the two exit routines.  If that is fixed, the
+dir passed to debugfs_remove_recursive comes from a memory location
+that was freed and potentially reused causing a segfault or corrupting
+memory.
+
+Here is an example of the NULL deref panic:
+
+[66866.286829] BUG: unable to handle kernel NULL pointer dereference at 0000000000000088
+[66866.295602] IP: hfi1_dbg_ibdev_exit+0x2a/0x80 [hfi1]
+[66866.301138] PGD 858496067 P4D 858496067 PUD 8433a7067 PMD 0
+[66866.307452] Oops: 0000 [#1] SMP
+[66866.310953] Modules linked in: hfi1(-) rdmavt rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm iw_cm ib_cm ib_core rpcsec_gss_krb5 nfsv4 dns_resolver nfsv3 nfs fscache sb_edac x86_pkg_temp_thermal intel_powerclamp vfat fat coretemp kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel iTCO_wdt iTCO_vendor_support crypto_simd mei_me glue_helper cryptd mxm_wmi ipmi_si pcspkr lpc_ich sg mei ioatdma ipmi_devintf i2c_i801 mfd_core shpchp ipmi_msghandler wmi acpi_power_meter acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 mbcache jbd2 sd_mod mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt igb fb_sys_fops ttm ahci ptp crc32c_intel libahci pps_core drm dca libata i2c_algo_bit i2c_core [last unloaded: opa_vnic]
+[66866.385551] CPU: 8 PID: 7470 Comm: rmmod Not tainted 4.14.0-mam-tid-rdma #2
+[66866.393317] Hardware name: Intel Corporation S2600WT2/S2600WT2, BIOS SE5C610.86B.01.01.0018.C4.072020161249 07/20/2016
+[66866.405252] task: ffff88084f28c380 task.stack: ffffc90008454000
+[66866.411866] RIP: 0010:hfi1_dbg_ibdev_exit+0x2a/0x80 [hfi1]
+[66866.417984] RSP: 0018:ffffc90008457da0 EFLAGS: 00010202
+[66866.423812] RAX: 0000000000000000 RBX: ffff880857de0000 RCX: 0000000180040001
+[66866.431773] RDX: 0000000180040002 RSI: ffffea0021088200 RDI: 0000000040000000
+[66866.439734] RBP: ffffc90008457da8 R08: ffff88084220e000 R09: 0000000180040001
+[66866.447696] R10: 000000004220e001 R11: ffff88084220e000 R12: ffff88085a31c000
+[66866.455657] R13: ffffffffa07c9820 R14: ffffffffa07c9890 R15: ffff881059d78100
+[66866.463618] FS:  00007f6876047740(0000) GS:ffff88085f800000(0000) knlGS:0000000000000000
+[66866.472644] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[66866.479053] CR2: 0000000000000088 CR3: 0000000856357006 CR4: 00000000001606e0
+[66866.487013] Call Trace:
+[66866.489747]  remove_one+0x1f/0x220 [hfi1]
+[66866.494221]  pci_device_remove+0x39/0xc0
+[66866.498596]  device_release_driver_internal+0x141/0x210
+[66866.504424]  driver_detach+0x3f/0x80
+[66866.508409]  bus_remove_driver+0x55/0xd0
+[66866.512784]  driver_unregister+0x2c/0x50
+[66866.517164]  pci_unregister_driver+0x2a/0xa0
+[66866.521934]  hfi1_mod_cleanup+0x10/0xaa2 [hfi1]
+[66866.526988]  SyS_delete_module+0x171/0x250
+[66866.531558]  do_syscall_64+0x67/0x1b0
+[66866.535644]  entry_SYSCALL64_slow_path+0x25/0x25
+[66866.540792] RIP: 0033:0x7f6875525c27
+[66866.544777] RSP: 002b:00007ffd48528e78 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
+[66866.553224] RAX: ffffffffffffffda RBX: 0000000001cc01d0 RCX: 00007f6875525c27
+[66866.561185] RDX: 00007f6875596000 RSI: 0000000000000800 RDI: 0000000001cc0238
+[66866.569146] RBP: 0000000000000000 R08: 00007f68757e9060 R09: 00007f6875596000
+[66866.577120] R10: 00007ffd48528c00 R11: 0000000000000206 R12: 00007ffd48529db4
+[66866.585080] R13: 0000000000000000 R14: 0000000001cc01d0 R15: 0000000001cc0010
+[66866.593040] Code: 90 0f 1f 44 00 00 48 83 3d a3 8b 03 00 00 55 48 89 e5 53 48 89 fb 74 4e 48 8d bf 18 0c 00 00 e8 9d f2 ff ff 48 8b 83 20 0c 00 00 <48> 8b b8 88 00 00 00 e8 2a 21 b3 e0 48 8b bb 20 0c 00 00 e8 0e
+[66866.614127] RIP: hfi1_dbg_ibdev_exit+0x2a/0x80 [hfi1] RSP: ffffc90008457da0
+[66866.621885] CR2: 0000000000000088
+[66866.625618] ---[ end trace c4817425783fb092 ]---
+
+Fix by insuring that upon failure from fault_create_debugfs_attr() the
+parent pointer for the routines is always set to NULL and guards added
+in the exit routines to insure that debugfs_remove_recursive() is not
+called when when the parent pointer is NULL.
+
+Fixes: 0181ce31b260 ("IB/hfi1: Add receive fault injection feature")
+Cc: <stable@vger.kernel.org> # 4.14.x
+Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/debugfs.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/debugfs.c
++++ b/drivers/infiniband/hw/hfi1/debugfs.c
+@@ -1179,7 +1179,8 @@ DEBUGFS_FILE_OPS(fault_stats);
+ static void fault_exit_opcode_debugfs(struct hfi1_ibdev *ibd)
+ {
+-      debugfs_remove_recursive(ibd->fault_opcode->dir);
++      if (ibd->fault_opcode)
++              debugfs_remove_recursive(ibd->fault_opcode->dir);
+       kfree(ibd->fault_opcode);
+       ibd->fault_opcode = NULL;
+ }
+@@ -1207,6 +1208,7 @@ static int fault_init_opcode_debugfs(str
+                                         &ibd->fault_opcode->attr);
+       if (IS_ERR(ibd->fault_opcode->dir)) {
+               kfree(ibd->fault_opcode);
++              ibd->fault_opcode = NULL;
+               return -ENOENT;
+       }
+@@ -1230,7 +1232,8 @@ fail:
+ static void fault_exit_packet_debugfs(struct hfi1_ibdev *ibd)
+ {
+-      debugfs_remove_recursive(ibd->fault_packet->dir);
++      if (ibd->fault_packet)
++              debugfs_remove_recursive(ibd->fault_packet->dir);
+       kfree(ibd->fault_packet);
+       ibd->fault_packet = NULL;
+ }
+@@ -1256,6 +1259,7 @@ static int fault_init_packet_debugfs(str
+                                         &ibd->fault_opcode->attr);
+       if (IS_ERR(ibd->fault_packet->dir)) {
+               kfree(ibd->fault_packet);
++              ibd->fault_packet = NULL;
+               return -ENOENT;
+       }
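Review bot: The context line `&ibd->fault_opcode->attr);` in the last hunk, inside `fault_init_packet_debugfs()`, passes the opcode attribute while setting up `fault_packet`, and this patch makes that more fragile because `fault_init_opcode_debugfs()` now sets `ibd->fault_opcode = NULL` on failure. If the packet init can run after the opcode init has failed (the callers are outside these hunks), that address is computed from a NULL pointer. It looks like a leftover from copying the opcode routine, and `&ibd->fault_packet->attr` is presumably what was intended. All four functions touched here are only partly visible in the hunks.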
diff --git a/queue-4.14/ib-hfi1-fix-user-context-tail-allocation-for-dma_rtail.patch b/queue-4.14/ib-hfi1-fix-user-context-tail-allocation-for-dma_rtail.patch
new file mode 100644 (file)
index 0000000..8f13e78
--- /dev/null
@@ -0,0 +1,123 @@
+From 1bc0299d976e000ececc6acd76e33b4582646cb7 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Thu, 31 May 2018 11:30:09 -0700
+Subject: IB/hfi1: Fix user context tail allocation for DMA_RTAIL
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+commit 1bc0299d976e000ececc6acd76e33b4582646cb7 upstream.
+
+The following code fails to allocate a buffer for the
+tail address that the hardware DMAs into when the user
+context DMA_RTAIL is set.
+
+if (HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL)) {
+       rcd->rcvhdrtail_kvaddr = dma_zalloc_coherent(
+               &dd->pcidev->dev, PAGE_SIZE, &dma_hdrqtail,
+                gfp_flags);
+       if (!rcd->rcvhdrtail_kvaddr)
+               goto bail_free;
+       rcd->rcvhdrqtailaddr_dma = dma_hdrqtail;
+}
+
+So the rcvhdrtail_kvaddr would then be NULL.
+
+The mmap logic fails to check for a NULL rcvhdrtail_kvaddr.
+
+The fix is to test for both user and kernel DMA_TAIL options
+during the allocation as well as testing for a NULL
+rcvhdrtail_kvaddr during the mmap processing.
+
+Additionally, all downstream testing of the capmask for DMA_RTAIL
+have been eliminated in favor of testing rcvhdrtail_kvaddr.
+
+Cc: <stable@vger.kernel.org> # 4.9.x
+Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/chip.c     |    8 ++++----
+ drivers/infiniband/hw/hfi1/file_ops.c |    2 +-
+ drivers/infiniband/hw/hfi1/init.c     |    9 ++++-----
+ 3 files changed, 9 insertions(+), 10 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/chip.c
++++ b/drivers/infiniband/hw/hfi1/chip.c
+@@ -6829,7 +6829,7 @@ static void rxe_kernel_unfreeze(struct h
+               }
+               rcvmask = HFI1_RCVCTRL_CTXT_ENB;
+               /* HFI1_RCVCTRL_TAILUPD_[ENB|DIS] needs to be set explicitly */
+-              rcvmask |= HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL) ?
++              rcvmask |= rcd->rcvhdrtail_kvaddr ?
+                       HFI1_RCVCTRL_TAILUPD_ENB : HFI1_RCVCTRL_TAILUPD_DIS;
+               hfi1_rcvctrl(dd, rcvmask, rcd);
+               hfi1_rcd_put(rcd);
+@@ -8341,7 +8341,7 @@ static inline int check_packet_present(s
+       u32 tail;
+       int present;
+-      if (!HFI1_CAP_IS_KSET(DMA_RTAIL))
++      if (!rcd->rcvhdrtail_kvaddr)
+               present = (rcd->seq_cnt ==
+                               rhf_rcv_seq(rhf_to_cpu(get_rhf_addr(rcd))));
+       else /* is RDMA rtail */
+@@ -11813,7 +11813,7 @@ void hfi1_rcvctrl(struct hfi1_devdata *d
+               /* reset the tail and hdr addresses, and sequence count */
+               write_kctxt_csr(dd, ctxt, RCV_HDR_ADDR,
+                               rcd->rcvhdrq_dma);
+-              if (HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL))
++              if (rcd->rcvhdrtail_kvaddr)
+                       write_kctxt_csr(dd, ctxt, RCV_HDR_TAIL_ADDR,
+                                       rcd->rcvhdrqtailaddr_dma);
+               rcd->seq_cnt = 1;
+@@ -11893,7 +11893,7 @@ void hfi1_rcvctrl(struct hfi1_devdata *d
+               rcvctrl |= RCV_CTXT_CTRL_INTR_AVAIL_SMASK;
+       if (op & HFI1_RCVCTRL_INTRAVAIL_DIS)
+               rcvctrl &= ~RCV_CTXT_CTRL_INTR_AVAIL_SMASK;
+-      if (op & HFI1_RCVCTRL_TAILUPD_ENB && rcd->rcvhdrqtailaddr_dma)
++      if ((op & HFI1_RCVCTRL_TAILUPD_ENB) && rcd->rcvhdrtail_kvaddr)
+               rcvctrl |= RCV_CTXT_CTRL_TAIL_UPD_SMASK;
+       if (op & HFI1_RCVCTRL_TAILUPD_DIS) {
+               /* See comment on RcvCtxtCtrl.TailUpd above */
+--- a/drivers/infiniband/hw/hfi1/file_ops.c
++++ b/drivers/infiniband/hw/hfi1/file_ops.c
+@@ -622,7 +622,7 @@ static int hfi1_file_mmap(struct file *f
+                       ret = -EINVAL;
+                       goto done;
+               }
+-              if (flags & VM_WRITE) {
++              if ((flags & VM_WRITE) || !uctxt->rcvhdrtail_kvaddr) {
+                       ret = -EPERM;
+                       goto done;
+               }
+--- a/drivers/infiniband/hw/hfi1/init.c
++++ b/drivers/infiniband/hw/hfi1/init.c
+@@ -1808,7 +1808,6 @@ int hfi1_create_rcvhdrq(struct hfi1_devd
+       u64 reg;
+       if (!rcd->rcvhdrq) {
+-              dma_addr_t dma_hdrqtail;
+               gfp_t gfp_flags;
+               /*
+@@ -1834,13 +1833,13 @@ int hfi1_create_rcvhdrq(struct hfi1_devd
+                       goto bail;
+               }
+-              if (HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL)) {
++              if (HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL) ||
++                  HFI1_CAP_UGET_MASK(rcd->flags, DMA_RTAIL)) {
+                       rcd->rcvhdrtail_kvaddr = dma_zalloc_coherent(
+-                              &dd->pcidev->dev, PAGE_SIZE, &dma_hdrqtail,
+-                              gfp_flags);
++                              &dd->pcidev->dev, PAGE_SIZE,
++                              &rcd->rcvhdrqtailaddr_dma, gfp_flags);
+                       if (!rcd->rcvhdrtail_kvaddr)
+                               goto bail_free;
+-                      rcd->rcvhdrqtailaddr_dma = dma_hdrqtail;
+               }
+               rcd->rcvhdrq_size = amt;
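Review bot: In the file_ops.c hunk of this patch, the new `!uctxt->rcvhdrtail_kvaddr` test is folded into the `VM_WRITE` rejection, so a context that simply has no tail buffer gets `-EPERM`, and nothing at the site says the second condition is a missing-allocation guard rather than a permission check. Since this test is what keeps user space from mapping a buffer that was never allocated, I would document it in place, e.g. `/* no tail buffer unless DMA_RTAIL was requested at allocation; refuse to map it */`. The same pointer is now the enable condition in the chip.c hunks, so a short comment where it is allocated in hfi1_create_rcvhdrq stating that invariant would help too. hfi1_file_mmap and hfi1_create_rcvhdrq both continue outside the hunks shown.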
diff --git a/queue-4.14/ib-hfi1-optimize-kthread-pointer-locking-when-queuing-cq-entries.patch b/queue-4.14/ib-hfi1-optimize-kthread-pointer-locking-when-queuing-cq-entries.patch
new file mode 100644 (file)
index 0000000..2ebdad9
--- /dev/null
@@ -0,0 +1,119 @@
+From af8aab71370a692eaf7e7969ba5b1a455ac20113 Mon Sep 17 00:00:00 2001
+From: Sebastian Sanchez <sebastian.sanchez@intel.com>
+Date: Wed, 2 May 2018 06:43:39 -0700
+Subject: IB/hfi1: Optimize kthread pointer locking when queuing CQ entries
+
+From: Sebastian Sanchez <sebastian.sanchez@intel.com>
+
+commit af8aab71370a692eaf7e7969ba5b1a455ac20113 upstream.
+
+All threads queuing CQ entries on different CQs are unnecessarily
+synchronized by a spin lock to check if the CQ kthread worker hasn't
+been destroyed before queuing an CQ entry.
+
+The lock used in 6efaf10f163d ("IB/rdmavt: Avoid queuing work into a
+destroyed cq kthread worker") is a device global lock and will have
+poor performance at scale as completions are entered from a large
+number of CPUs.
+
+Convert to use RCU where the read side of RCU is rvt_cq_enter() to
+determine that the worker is alive prior to triggering the
+completion event.
+Apply write side RCU semantics in rvt_driver_cq_init() and
+rvt_cq_exit().
+
+Fixes: 6efaf10f163d ("IB/rdmavt: Avoid queuing work into a destroyed cq kthread worker")
+Cc: <stable@vger.kernel.org> # 4.14.x
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Sebastian Sanchez <sebastian.sanchez@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/sw/rdmavt/cq.c |   31 +++++++++++++++++++------------
+ include/rdma/rdma_vt.h            |    2 +-
+ 2 files changed, 20 insertions(+), 13 deletions(-)
+
+--- a/drivers/infiniband/sw/rdmavt/cq.c
++++ b/drivers/infiniband/sw/rdmavt/cq.c
+@@ -121,17 +121,20 @@ void rvt_cq_enter(struct rvt_cq *cq, str
+       if (cq->notify == IB_CQ_NEXT_COMP ||
+           (cq->notify == IB_CQ_SOLICITED &&
+            (solicited || entry->status != IB_WC_SUCCESS))) {
++              struct kthread_worker *worker;
++
+               /*
+                * This will cause send_complete() to be called in
+                * another thread.
+                */
+-              spin_lock(&cq->rdi->n_cqs_lock);
+-              if (likely(cq->rdi->worker)) {
++              rcu_read_lock();
++              worker = rcu_dereference(cq->rdi->worker);
++              if (likely(worker)) {
+                       cq->notify = RVT_CQ_NONE;
+                       cq->triggered++;
+-                      kthread_queue_work(cq->rdi->worker, &cq->comptask);
++                      kthread_queue_work(worker, &cq->comptask);
+               }
+-              spin_unlock(&cq->rdi->n_cqs_lock);
++              rcu_read_unlock();
+       }
+       spin_unlock_irqrestore(&cq->lock, flags);
+@@ -513,7 +516,7 @@ int rvt_driver_cq_init(struct rvt_dev_in
+       int cpu;
+       struct kthread_worker *worker;
+-      if (rdi->worker)
++      if (rcu_access_pointer(rdi->worker))
+               return 0;
+       spin_lock_init(&rdi->n_cqs_lock);
+@@ -525,7 +528,7 @@ int rvt_driver_cq_init(struct rvt_dev_in
+               return PTR_ERR(worker);
+       set_user_nice(worker->task, MIN_NICE);
+-      rdi->worker = worker;
++      RCU_INIT_POINTER(rdi->worker, worker);
+       return 0;
+ }
+@@ -537,15 +540,19 @@ void rvt_cq_exit(struct rvt_dev_info *rd
+ {
+       struct kthread_worker *worker;
+-      /* block future queuing from send_complete() */
+-      spin_lock_irq(&rdi->n_cqs_lock);
+-      worker = rdi->worker;
++      if (!rcu_access_pointer(rdi->worker))
++              return;
++
++      spin_lock(&rdi->n_cqs_lock);
++      worker = rcu_dereference_protected(rdi->worker,
++                                         lockdep_is_held(&rdi->n_cqs_lock));
+       if (!worker) {
+-              spin_unlock_irq(&rdi->n_cqs_lock);
++              spin_unlock(&rdi->n_cqs_lock);
+               return;
+       }
+-      rdi->worker = NULL;
+-      spin_unlock_irq(&rdi->n_cqs_lock);
++      RCU_INIT_POINTER(rdi->worker, NULL);
++      spin_unlock(&rdi->n_cqs_lock);
++      synchronize_rcu();
+       kthread_destroy_worker(worker);
+ }
+--- a/include/rdma/rdma_vt.h
++++ b/include/rdma/rdma_vt.h
+@@ -409,7 +409,7 @@ struct rvt_dev_info {
+       spinlock_t pending_lock; /* protect pending mmap list */
+       /* CQ */
+-      struct kthread_worker *worker; /* per device cq worker */
++      struct kthread_worker __rcu *worker; /* per device cq worker */
+       u32 n_cqs_allocated;    /* number of CQs allocated for device */
+       spinlock_t n_cqs_lock; /* protect count of in use cqs */
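Review bot: In rvt_driver_cq_init the freshly created worker is published with `RCU_INIT_POINTER(rdi->worker, worker);`, which carries no release ordering and is only safe when no RCU reader can see the pointer yet. If rvt_cq_enter can already run on another CPU at that point (the hunk does not show whether a CQ can exist this early), a reader could observe the pointer before the worker's initialisation is visible. I would either use `rcu_assign_pointer(rdi->worker, worker);` or add a comment stating why no reader exists yet. The NULL store in rvt_cq_exit is fine as written. rvt_driver_cq_init starts outside the hunk.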
diff --git a/queue-4.14/ib-hfi1-qib-add-handling-of-kernel-restart.patch b/queue-4.14/ib-hfi1-qib-add-handling-of-kernel-restart.patch
new file mode 100644 (file)
index 0000000..7289e56
--- /dev/null
@@ -0,0 +1,134 @@
+From 8d3e71136a080d007620472f50c7b3e63ba0f5cf Mon Sep 17 00:00:00 2001
+From: Alex Estrin <alex.estrin@intel.com>
+Date: Wed, 2 May 2018 06:43:15 -0700
+Subject: IB/{hfi1, qib}: Add handling of kernel restart
+
+From: Alex Estrin <alex.estrin@intel.com>
+
+commit 8d3e71136a080d007620472f50c7b3e63ba0f5cf upstream.
+
+A warm restart will fail to unload the driver, leaving link state
+potentially flapping up to the point the BIOS resets the adapter.
+Correct the issue by hooking the shutdown pci method,
+which will bring port down.
+
+Cc: <stable@vger.kernel.org> # 4.9.x
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Alex Estrin <alex.estrin@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/hfi.h     |    1 +
+ drivers/infiniband/hw/hfi1/init.c    |   13 +++++++++++++
+ drivers/infiniband/hw/qib/qib.h      |    1 +
+ drivers/infiniband/hw/qib/qib_init.c |   13 +++++++++++++
+ 4 files changed, 28 insertions(+)
+
+--- a/drivers/infiniband/hw/hfi1/hfi.h
++++ b/drivers/infiniband/hw/hfi1/hfi.h
+@@ -1851,6 +1851,7 @@ struct cc_state *get_cc_state_protected(
+ #define HFI1_HAS_SDMA_TIMEOUT  0x8
+ #define HFI1_HAS_SEND_DMA      0x10   /* Supports Send DMA */
+ #define HFI1_FORCED_FREEZE     0x80   /* driver forced freeze mode */
++#define HFI1_SHUTDOWN          0x100  /* device is shutting down */
+ /* IB dword length mask in PBC (lower 11 bits); same for all chips */
+ #define HFI1_PBC_LENGTH_MASK                     ((1 << 11) - 1)
+--- a/drivers/infiniband/hw/hfi1/init.c
++++ b/drivers/infiniband/hw/hfi1/init.c
+@@ -1029,6 +1029,10 @@ static void shutdown_device(struct hfi1_
+       unsigned pidx;
+       int i;
++      if (dd->flags & HFI1_SHUTDOWN)
++              return;
++      dd->flags |= HFI1_SHUTDOWN;
++
+       for (pidx = 0; pidx < dd->num_pports; ++pidx) {
+               ppd = dd->pport + pidx;
+@@ -1353,6 +1357,7 @@ void hfi1_disable_after_error(struct hfi
+ static void remove_one(struct pci_dev *);
+ static int init_one(struct pci_dev *, const struct pci_device_id *);
++static void shutdown_one(struct pci_dev *);
+ #define DRIVER_LOAD_MSG "Intel " DRIVER_NAME " loaded: "
+ #define PFX DRIVER_NAME ": "
+@@ -1369,6 +1374,7 @@ static struct pci_driver hfi1_pci_driver
+       .name = DRIVER_NAME,
+       .probe = init_one,
+       .remove = remove_one,
++      .shutdown = shutdown_one,
+       .id_table = hfi1_pci_tbl,
+       .err_handler = &hfi1_pci_err_handler,
+ };
+@@ -1780,6 +1786,13 @@ static void remove_one(struct pci_dev *p
+       postinit_cleanup(dd);
+ }
++static void shutdown_one(struct pci_dev *pdev)
++{
++      struct hfi1_devdata *dd = pci_get_drvdata(pdev);
++
++      shutdown_device(dd);
++}
++
+ /**
+  * hfi1_create_rcvhdrq - create a receive header queue
+  * @dd: the hfi1_ib device
+--- a/drivers/infiniband/hw/qib/qib.h
++++ b/drivers/infiniband/hw/qib/qib.h
+@@ -1250,6 +1250,7 @@ static inline struct qib_ibport *to_ipor
+ #define QIB_BADINTR           0x8000 /* severe interrupt problems */
+ #define QIB_DCA_ENABLED       0x10000 /* Direct Cache Access enabled */
+ #define QIB_HAS_QSFP          0x20000 /* device (card instance) has QSFP */
++#define QIB_SHUTDOWN          0x40000 /* device is shutting down */
+ /*
+  * values for ppd->lflags (_ib_port_ related flags)
+--- a/drivers/infiniband/hw/qib/qib_init.c
++++ b/drivers/infiniband/hw/qib/qib_init.c
+@@ -850,6 +850,10 @@ static void qib_shutdown_device(struct q
+       struct qib_pportdata *ppd;
+       unsigned pidx;
++      if (dd->flags & QIB_SHUTDOWN)
++              return;
++      dd->flags |= QIB_SHUTDOWN;
++
+       for (pidx = 0; pidx < dd->num_pports; ++pidx) {
+               ppd = dd->pport + pidx;
+@@ -1189,6 +1193,7 @@ void qib_disable_after_error(struct qib_
+ static void qib_remove_one(struct pci_dev *);
+ static int qib_init_one(struct pci_dev *, const struct pci_device_id *);
++static void qib_shutdown_one(struct pci_dev *);
+ #define DRIVER_LOAD_MSG "Intel " QIB_DRV_NAME " loaded: "
+ #define PFX QIB_DRV_NAME ": "
+@@ -1206,6 +1211,7 @@ static struct pci_driver qib_driver = {
+       .name = QIB_DRV_NAME,
+       .probe = qib_init_one,
+       .remove = qib_remove_one,
++      .shutdown = qib_shutdown_one,
+       .id_table = qib_pci_tbl,
+       .err_handler = &qib_pci_err_handler,
+ };
+@@ -1556,6 +1562,13 @@ static void qib_remove_one(struct pci_de
+       qib_postinit_cleanup(dd);
+ }
++static void qib_shutdown_one(struct pci_dev *pdev)
++{
++      struct qib_devdata *dd = pci_get_drvdata(pdev);
++
++      qib_shutdown_device(dd);
++}
++
+ /**
+  * qib_create_rcvhdrq - create a receive header queue
+  * @dd: the qlogic_ib device
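Review bot: The re-entry guard added at the top of shutdown_device (and identically in qib_shutdown_device) tests `dd->flags & HFI1_SHUTDOWN` and then ORs the bit in as two separate steps with no lock or atomic operation visible. That is sufficient only if every caller is serialised; shutdown_one is a new caller, and whether the remove and error paths can overlap with it is not visible in these hunks. I would state the assumption next to the check, e.g. `/* not atomic: relies on remove/shutdown callers being serialised */`, or take whichever lock already protects dd->flags if there is one. Both function bodies continue outside the hunks.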
diff --git a/queue-4.14/ib-hfi1-reorder-incorrect-send-context-disable.patch b/queue-4.14/ib-hfi1-reorder-incorrect-send-context-disable.patch
new file mode 100644 (file)
index 0000000..8ae32d1
--- /dev/null
@@ -0,0 +1,123 @@
+From a93a0a31111231bb1949f4a83b17238f0fa32d6a Mon Sep 17 00:00:00 2001
+From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
+Date: Wed, 2 May 2018 06:43:07 -0700
+Subject: IB/hfi1: Reorder incorrect send context disable
+
+From: Michael J. Ruhl <michael.j.ruhl@intel.com>
+
+commit a93a0a31111231bb1949f4a83b17238f0fa32d6a upstream.
+
+User send context integrity bits are cleared before the context is
+disabled.  If the send context is still processing data, any packets
+that need those integrity bits will cause an error and halt the send
+context.
+
+During the disable handling, the driver waits for the context to drain.
+If the context is halted, the driver will eventually timeout because
+the context won't drain and then incorrectly bounce the link.
+
+Reorder the bit clearing and the context disable.
+
+Examine the software state and send context status as well as the
+egress status to determine if a send context is in the halted state.
+
+Promote the check macros to static functions for consistency with the
+new check and to follow kernel style.
+
+Remove an unused define that refers to the egress timeout.
+
+Cc: <stable@vger.kernel.org> # 4.9.x
+Reviewed-by: Mitko Haralanov <mitko.haralanov@intel.com>
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/file_ops.c |    2 -
+ drivers/infiniband/hw/hfi1/pio.c      |   44 ++++++++++++++++++++++++++--------
+ 2 files changed, 35 insertions(+), 11 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/file_ops.c
++++ b/drivers/infiniband/hw/hfi1/file_ops.c
+@@ -807,8 +807,8 @@ static int hfi1_file_close(struct inode
+        * checks to default and disable the send context.
+        */
+       if (uctxt->sc) {
+-              set_pio_integrity(uctxt->sc);
+               sc_disable(uctxt->sc);
++              set_pio_integrity(uctxt->sc);
+       }
+       hfi1_free_ctxt_rcv_groups(uctxt);
+--- a/drivers/infiniband/hw/hfi1/pio.c
++++ b/drivers/infiniband/hw/hfi1/pio.c
+@@ -50,8 +50,6 @@
+ #include "qp.h"
+ #include "trace.h"
+-#define SC_CTXT_PACKET_EGRESS_TIMEOUT 350 /* in chip cycles */
+-
+ #define SC(name) SEND_CTXT_##name
+ /*
+  * Send Context functions
+@@ -977,15 +975,40 @@ void sc_disable(struct send_context *sc)
+ }
+ /* return SendEgressCtxtStatus.PacketOccupancy */
+-#define packet_occupancy(r) \
+-      (((r) & SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_PACKET_OCCUPANCY_SMASK)\
+-      >> SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_PACKET_OCCUPANCY_SHIFT)
++static u64 packet_occupancy(u64 reg)
++{
++      return (reg &
++              SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_PACKET_OCCUPANCY_SMASK)
++              >> SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_PACKET_OCCUPANCY_SHIFT;
++}
+ /* is egress halted on the context? */
+-#define egress_halted(r) \
+-      ((r) & SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_HALT_STATUS_SMASK)
++static bool egress_halted(u64 reg)
++{
++      return !!(reg & SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_HALT_STATUS_SMASK);
++}
++
++/* is the send context halted? */
++static bool is_sc_halted(struct hfi1_devdata *dd, u32 hw_context)
++{
++      return !!(read_kctxt_csr(dd, hw_context, SC(STATUS)) &
++                SC(STATUS_CTXT_HALTED_SMASK));
++}
+-/* wait for packet egress, optionally pause for credit return  */
++/**
++ * sc_wait_for_packet_egress
++ * @sc: valid send context
++ * @pause: wait for credit return
++ *
++ * Wait for packet egress, optionally pause for credit return
++ *
++ * Egress halt and Context halt are not necessarily the same thing, so
++ * check for both.
++ *
++ * NOTE: The context halt bit may not be set immediately.  Because of this,
++ * it is necessary to check the SW SFC_HALTED bit (set in the IRQ) and the HW
++ * context bit to determine if the context is halted.
++ */
+ static void sc_wait_for_packet_egress(struct send_context *sc, int pause)
+ {
+       struct hfi1_devdata *dd = sc->dd;
+@@ -997,8 +1020,9 @@ static void sc_wait_for_packet_egress(st
+               reg_prev = reg;
+               reg = read_csr(dd, sc->hw_context * 8 +
+                              SEND_EGRESS_CTXT_STATUS);
+-              /* done if egress is stopped */
+-              if (egress_halted(reg))
++              /* done if any halt bits, SW or HW are set */
++              if (sc->flags & SCF_HALTED ||
++                  is_sc_halted(dd, sc->hw_context) || egress_halted(reg))
+                       break;
+               reg = packet_occupancy(reg);
+               if (reg == 0)
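Review bot: The new kernel-doc for sc_wait_for_packet_egress names the software bit `SFC_HALTED`, but the code below it tests `SCF_HALTED`; the comment should use the same spelling so a search for the flag finds it. The condition itself mixes `&` and `||` without grouping; it evaluates as intended, but `if ((sc->flags & SCF_HALTED) ||` is harder to misread. The doc also says the bit is set from the IRQ path, so if nothing else orders this read, `READ_ONCE(sc->flags)` inside the polling loop would make the intent explicit. The rest of the loop is outside the hunk.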
diff --git a/queue-4.14/ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch b/queue-4.14/ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch
new file mode 100644 (file)
index 0000000..6b6606d
--- /dev/null
@@ -0,0 +1,114 @@
+From 763b69654bfb88ea3230d015e7d755ee8339f8ee Mon Sep 17 00:00:00 2001
+From: Alex Estrin <alex.estrin@intel.com>
+Date: Tue, 15 May 2018 18:31:39 -0700
+Subject: IB/isert: Fix for lib/dma_debug check_sync warning
+
+From: Alex Estrin <alex.estrin@intel.com>
+
+commit 763b69654bfb88ea3230d015e7d755ee8339f8ee upstream.
+
+The following error message occurs on a target host in a debug build
+during session login:
+
+[ 3524.411874] WARNING: CPU: 5 PID: 12063 at lib/dma-debug.c:1207 check_sync+0x4ec/0x5b0
+[ 3524.421057] infiniband hfi1_0: DMA-API: device driver tries to sync DMA memory it has not allocated [device address=0x0000000000000000] [size=76 bytes]
+......snip .....
+
+[ 3524.535846] CPU: 5 PID: 12063 Comm: iscsi_np Kdump: loaded Not tainted 3.10.0-862.el7.x86_64.debug #1
+[ 3524.546764] Hardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 1.2.6 06/08/2015
+[ 3524.555740] Call Trace:
+[ 3524.559102]  [<ffffffffa5fe915b>] dump_stack+0x19/0x1b
+[ 3524.565477]  [<ffffffffa58a2f58>] __warn+0xd8/0x100
+[ 3524.571557]  [<ffffffffa58a2fdf>] warn_slowpath_fmt+0x5f/0x80
+[ 3524.578610]  [<ffffffffa5bf5b8c>] check_sync+0x4ec/0x5b0
+[ 3524.585177]  [<ffffffffa58efc3f>] ? set_cpus_allowed_ptr+0x5f/0x1c0
+[ 3524.592812]  [<ffffffffa5bf5cd0>] debug_dma_sync_single_for_cpu+0x80/0x90
+[ 3524.601029]  [<ffffffffa586add3>] ? x2apic_send_IPI_mask+0x13/0x20
+[ 3524.608574]  [<ffffffffa585ee1b>] ? native_smp_send_reschedule+0x5b/0x80
+[ 3524.616699]  [<ffffffffa58e9b76>] ? resched_curr+0xf6/0x140
+[ 3524.623567]  [<ffffffffc0879af0>] isert_create_send_desc.isra.26+0xe0/0x110 [ib_isert]
+[ 3524.633060]  [<ffffffffc087af95>] isert_put_login_tx+0x55/0x8b0 [ib_isert]
+[ 3524.641383]  [<ffffffffa58ef114>] ? try_to_wake_up+0x1a4/0x430
+[ 3524.648561]  [<ffffffffc098cfed>] iscsi_target_do_tx_login_io+0xdd/0x230 [iscsi_target_mod]
+[ 3524.658557]  [<ffffffffc098d827>] iscsi_target_do_login+0x1a7/0x600 [iscsi_target_mod]
+[ 3524.668084]  [<ffffffffa59f9bc9>] ? kstrdup+0x49/0x60
+[ 3524.674420]  [<ffffffffc098e976>] iscsi_target_start_negotiation+0x56/0xc0 [iscsi_target_mod]
+[ 3524.684656]  [<ffffffffc098c2ee>] __iscsi_target_login_thread+0x90e/0x1070 [iscsi_target_mod]
+[ 3524.694901]  [<ffffffffc098ca50>] ? __iscsi_target_login_thread+0x1070/0x1070 [iscsi_target_mod]
+[ 3524.705446]  [<ffffffffc098ca50>] ? __iscsi_target_login_thread+0x1070/0x1070 [iscsi_target_mod]
+[ 3524.715976]  [<ffffffffc098ca78>] iscsi_target_login_thread+0x28/0x60 [iscsi_target_mod]
+[ 3524.725739]  [<ffffffffa58d60ff>] kthread+0xef/0x100
+[ 3524.732007]  [<ffffffffa58d6010>] ? insert_kthread_work+0x80/0x80
+[ 3524.739540]  [<ffffffffa5fff1b7>] ret_from_fork_nospec_begin+0x21/0x21
+[ 3524.747558]  [<ffffffffa58d6010>] ? insert_kthread_work+0x80/0x80
+[ 3524.755088] ---[ end trace 23f8bf9238bd1ed8 ]---
+[ 3595.510822] iSCSI/iqn.1994-05.com.redhat:537fa56299: Unsupported SCSI Opcode 0xa3, sending CHECK_CONDITION.
+
+The code calls dma_sync on login_tx_desc->dma_addr prior to initializing it
+with dma-mapped address.
+login_tx_desc is a part of iser_conn structure and is used only once
+during login negotiation, so the issue is fixed by eliminating
+dma_sync call for this buffer using a special case routine.
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Reviewed-by: Don Dutile <ddutile@redhat.com>
+Signed-off-by: Alex Estrin <alex.estrin@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c |   26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -885,15 +885,9 @@ isert_login_post_send(struct isert_conn
+ }
+ static void
+-isert_create_send_desc(struct isert_conn *isert_conn,
+-                     struct isert_cmd *isert_cmd,
+-                     struct iser_tx_desc *tx_desc)
++__isert_create_send_desc(struct isert_device *device,
++                       struct iser_tx_desc *tx_desc)
+ {
+-      struct isert_device *device = isert_conn->device;
+-      struct ib_device *ib_dev = device->ib_device;
+-
+-      ib_dma_sync_single_for_cpu(ib_dev, tx_desc->dma_addr,
+-                                 ISER_HEADERS_LEN, DMA_TO_DEVICE);
+       memset(&tx_desc->iser_header, 0, sizeof(struct iser_ctrl));
+       tx_desc->iser_header.flags = ISCSI_CTRL;
+@@ -906,6 +900,20 @@ isert_create_send_desc(struct isert_conn
+       }
+ }
++static void
++isert_create_send_desc(struct isert_conn *isert_conn,
++                     struct isert_cmd *isert_cmd,
++                     struct iser_tx_desc *tx_desc)
++{
++      struct isert_device *device = isert_conn->device;
++      struct ib_device *ib_dev = device->ib_device;
++
++      ib_dma_sync_single_for_cpu(ib_dev, tx_desc->dma_addr,
++                                 ISER_HEADERS_LEN, DMA_TO_DEVICE);
++
++      __isert_create_send_desc(device, tx_desc);
++}
++
+ static int
+ isert_init_tx_hdrs(struct isert_conn *isert_conn,
+                  struct iser_tx_desc *tx_desc)
+@@ -993,7 +1001,7 @@ isert_put_login_tx(struct iscsi_conn *co
+       struct iser_tx_desc *tx_desc = &isert_conn->login_tx_desc;
+       int ret;
+-      isert_create_send_desc(isert_conn, NULL, tx_desc);
++      __isert_create_send_desc(device, tx_desc);
+       memcpy(&tx_desc->iscsi_header, &login->rsp[0],
+              sizeof(struct iscsi_hdr));
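Review bot: `__isert_create_send_desc` is added without a comment saying when it may be called instead of `isert_create_send_desc`, and the only difference between the two is the `ib_dma_sync_single_for_cpu` call on `tx_desc->dma_addr`. Per the commit message, the login descriptor is the one case where that address is not yet mapped, so I would put that on the helper: `/* header init without the CPU sync: only for login_tx_desc, whose dma_addr is not mapped yet */`. Without it, the next caller cannot tell which variant is correct for a descriptor that is already mapped. The call in isert_put_login_tx uses `device`, whose declaration is outside the hunk.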
diff --git a/queue-4.14/ib-isert-fix-t10-pi-check-mask-setting.patch b/queue-4.14/ib-isert-fix-t10-pi-check-mask-setting.patch
new file mode 100644 (file)
index 0000000..31e34d0
--- /dev/null
@@ -0,0 +1,37 @@
+From 0e12af84cdd3056460f928adc164f9e87f4b303b Mon Sep 17 00:00:00 2001
+From: Max Gurtovoy <maxg@mellanox.com>
+Date: Thu, 31 May 2018 11:05:23 +0300
+Subject: IB/isert: fix T10-pi check mask setting
+
+From: Max Gurtovoy <maxg@mellanox.com>
+
+commit 0e12af84cdd3056460f928adc164f9e87f4b303b upstream.
+
+A copy/paste bug (probably) caused setting of an app_tag check mask
+in case where a ref_tag check was needed.
+
+Fixes: 38a2d0d429f1 ("IB/isert: convert to the generic RDMA READ/WRITE API")
+Fixes: 9e961ae73c2c ("IB/isert: Support T10-PI protected transactions")
+Cc: stable@vger.kernel.org
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Max Gurtovoy <maxg@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -2116,7 +2116,7 @@ isert_set_sig_attrs(struct se_cmd *se_cm
+       sig_attrs->check_mask =
+              (se_cmd->prot_checks & TARGET_DIF_CHECK_GUARD  ? 0xc0 : 0) |
+-             (se_cmd->prot_checks & TARGET_DIF_CHECK_REFTAG ? 0x30 : 0) |
++             (se_cmd->prot_checks & TARGET_DIF_CHECK_APPTAG ? 0x30 : 0) |
+              (se_cmd->prot_checks & TARGET_DIF_CHECK_REFTAG ? 0x0f : 0);
+       return 0;
+ }
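Review bot: The three mask literals `0xc0`, `0x30` and `0x0f` in isert_set_sig_attrs carry no names or comments, which is how two `TARGET_DIF_CHECK_REFTAG` lines could sit next to each other unnoticed. I would annotate each line with the field it selects, e.g. `/* guard */`, `/* app tag */`, `/* ref tag */`, or move the values into named constants. The function starts outside the hunk.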
diff --git a/queue-4.14/ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch b/queue-4.14/ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch
new file mode 100644 (file)
index 0000000..0ce9a6f
--- /dev/null
@@ -0,0 +1,120 @@
+From d8f9cc328c8888369880e2527e9186d745f2bbf6 Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Wed, 23 May 2018 15:30:31 +0300
+Subject: IB/mlx4: Mark user MR as writable if actual virtual memory is writable
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+commit d8f9cc328c8888369880e2527e9186d745f2bbf6 upstream.
+
+To allow rereg_user_mr to modify the MR from read-only to writable without
+using get_user_pages again, we needed to define the initial MR as writable.
+However, this was originally done unconditionally, without taking into
+account the writability of the underlying virtual memory.
+
+As a result, any attempt to register a read-only MR over read-only
+virtual memory failed.
+
+To fix this, do not add the writable flag bit when the user virtual memory
+is not writable (e.g. const memory).
+
+However, when the underlying memory is NOT writable (and we therefore
+do not define the initial MR as writable), the IB core adds a
+"force writable" flag to its user-pages request. If this succeeds,
+the reg_user_mr caller gets a writable copy of the original pages.
+
+If the user-space caller then does a rereg_user_mr operation to enable
+writability, this will succeed. This should not be allowed, since
+the original virtual memory was not writable.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 9376932d0c26 ("IB/mlx4_ib: Add support for user MR re-registration")
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx4/mr.c |   50 +++++++++++++++++++++++++++++++++-------
+ 1 file changed, 42 insertions(+), 8 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx4/mr.c
++++ b/drivers/infiniband/hw/mlx4/mr.c
+@@ -131,6 +131,40 @@ out:
+       return err;
+ }
++static struct ib_umem *mlx4_get_umem_mr(struct ib_ucontext *context, u64 start,
++                                      u64 length, u64 virt_addr,
++                                      int access_flags)
++{
++      /*
++       * Force registering the memory as writable if the underlying pages
++       * are writable.  This is so rereg can change the access permissions
++       * from readable to writable without having to run through ib_umem_get
++       * again
++       */
++      if (!ib_access_writable(access_flags)) {
++              struct vm_area_struct *vma;
++
++              down_read(&current->mm->mmap_sem);
++              /*
++               * FIXME: Ideally this would iterate over all the vmas that
++               * cover the memory, but for now it requires a single vma to
++               * entirely cover the MR to support RO mappings.
++               */
++              vma = find_vma(current->mm, start);
++              if (vma && vma->vm_end >= start + length &&
++                  vma->vm_start <= start) {
++                      if (vma->vm_flags & VM_WRITE)
++                              access_flags |= IB_ACCESS_LOCAL_WRITE;
++              } else {
++                      access_flags |= IB_ACCESS_LOCAL_WRITE;
++              }
++
++              up_read(&current->mm->mmap_sem);
++      }
++
++      return ib_umem_get(context, start, length, access_flags, 0);
++}
++
+ struct ib_mr *mlx4_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length,
+                                 u64 virt_addr, int access_flags,
+                                 struct ib_udata *udata)
+@@ -145,10 +179,8 @@ struct ib_mr *mlx4_ib_reg_user_mr(struct
+       if (!mr)
+               return ERR_PTR(-ENOMEM);
+-      /* Force registering the memory as writable. */
+-      /* Used for memory re-registeration. HCA protects the access */
+-      mr->umem = ib_umem_get(pd->uobject->context, start, length,
+-                             access_flags | IB_ACCESS_LOCAL_WRITE, 0);
++      mr->umem = mlx4_get_umem_mr(pd->uobject->context, start, length,
++                                  virt_addr, access_flags);
+       if (IS_ERR(mr->umem)) {
+               err = PTR_ERR(mr->umem);
+               goto err_free;
+@@ -215,6 +247,9 @@ int mlx4_ib_rereg_user_mr(struct ib_mr *
+       }
+       if (flags & IB_MR_REREG_ACCESS) {
++              if (ib_access_writable(mr_access_flags) && !mmr->umem->writable)
++                      return -EPERM;
++
+               err = mlx4_mr_hw_change_access(dev->dev, *pmpt_entry,
+                                              convert_access(mr_access_flags));
+@@ -228,10 +263,9 @@ int mlx4_ib_rereg_user_mr(struct ib_mr *
+               mlx4_mr_rereg_mem_cleanup(dev->dev, &mmr->mmr);
+               ib_umem_release(mmr->umem);
+-              mmr->umem = ib_umem_get(mr->uobject->context, start, length,
+-                                      mr_access_flags |
+-                                      IB_ACCESS_LOCAL_WRITE,
+-                                      0);
++              mmr->umem =
++                      mlx4_get_umem_mr(mr->uobject->context, start, length,
++                                       virt_addr, mr_access_flags);
+               if (IS_ERR(mmr->umem)) {
+                       err = PTR_ERR(mmr->umem);
+                       /* Prevent mlx4_ib_dereg_mr from free'ing invalid pointer */
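Review bot: In the mlx4_ib_rereg_user_mr hunk, the new writability check leaves with a bare `return -EPERM;` although the very next statement uses `*pmpt_entry`, which suggests an MPT entry has already been obtained earlier in the function. If that is so, the early return skips whatever release the other error paths perform; it should set `err = -EPERM;` and jump to the function's existing cleanup label (outside the hunk) instead. Separately, in mlx4_get_umem_mr, `start + length` is computed from caller-supplied u64 values with no overflow check before it is compared with `vma->vm_end`, and the `virt_addr` parameter is unused. The start of mlx4_ib_rereg_user_mr is outside the hunk.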
diff --git a/queue-4.14/ib-mlx5-fetch-soft-wqe-s-on-fatal-error-state.patch b/queue-4.14/ib-mlx5-fetch-soft-wqe-s-on-fatal-error-state.patch
new file mode 100644 (file)
index 0000000..c536ad4
--- /dev/null
@@ -0,0 +1,82 @@
+From 7b74a83cf54a3747e22c57e25712bd70eef8acee Mon Sep 17 00:00:00 2001
+From: Erez Shitrit <erezsh@mellanox.com>
+Date: Mon, 21 May 2018 11:41:01 +0300
+Subject: IB/mlx5: Fetch soft WQE's on fatal error state
+
+From: Erez Shitrit <erezsh@mellanox.com>
+
+commit 7b74a83cf54a3747e22c57e25712bd70eef8acee upstream.
+
+On fatal error the driver simulates CQE's for ULPs that rely on
+completion of all their posted work-request.
+
+For the GSI traffic, the mlx5 has its own mechanism that sends the
+completions via software CQE's directly to the relevant CQ.
+
+This should be kept in fatal error too, so the driver should simulate
+such CQE's with the specified error state in order to complete GSI QP
+work requests.
+
+Without the fix the next deadlock might appears:
+        schedule_timeout+0x274/0x350
+        wait_for_common+0xec/0x240
+        mcast_remove_one+0xd0/0x120 [ib_core]
+        ib_unregister_device+0x12c/0x230 [ib_core]
+        mlx5_ib_remove+0xc4/0x270 [mlx5_ib]
+        mlx5_detach_device+0x184/0x1a0 [mlx5_core]
+        mlx5_unload_one+0x308/0x340 [mlx5_core]
+        mlx5_pci_err_detected+0x74/0xe0 [mlx5_core]
+
+Cc: <stable@vger.kernel.org> # 4.7
+Fixes: 89ea94a7b6c4 ("IB/mlx5: Reset flow support for IB kernel ULPs")
+Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/cq.c |   15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/cq.c
++++ b/drivers/infiniband/hw/mlx5/cq.c
+@@ -646,7 +646,7 @@ repoll:
+ }
+ static int poll_soft_wc(struct mlx5_ib_cq *cq, int num_entries,
+-                      struct ib_wc *wc)
++                      struct ib_wc *wc, bool is_fatal_err)
+ {
+       struct mlx5_ib_dev *dev = to_mdev(cq->ibcq.device);
+       struct mlx5_ib_wc *soft_wc, *next;
+@@ -659,6 +659,10 @@ static int poll_soft_wc(struct mlx5_ib_c
+               mlx5_ib_dbg(dev, "polled software generated completion on CQ 0x%x\n",
+                           cq->mcq.cqn);
++              if (unlikely(is_fatal_err)) {
++                      soft_wc->wc.status = IB_WC_WR_FLUSH_ERR;
++                      soft_wc->wc.vendor_err = MLX5_CQE_SYNDROME_WR_FLUSH_ERR;
++              }
+               wc[npolled++] = soft_wc->wc;
+               list_del(&soft_wc->list);
+               kfree(soft_wc);
+@@ -679,12 +683,17 @@ int mlx5_ib_poll_cq(struct ib_cq *ibcq,
+       spin_lock_irqsave(&cq->lock, flags);
+       if (mdev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) {
+-              mlx5_ib_poll_sw_comp(cq, num_entries, wc, &npolled);
++              /* make sure no soft wqe's are waiting */
++              if (unlikely(!list_empty(&cq->wc_list)))
++                      soft_polled = poll_soft_wc(cq, num_entries, wc, true);
++
++              mlx5_ib_poll_sw_comp(cq, num_entries - soft_polled,
++                                   wc + soft_polled, &npolled);
+               goto out;
+       }
+       if (unlikely(!list_empty(&cq->wc_list)))
+-              soft_polled = poll_soft_wc(cq, num_entries, wc);
++              soft_polled = poll_soft_wc(cq, num_entries, wc, false);
+       for (npolled = 0; npolled < num_entries - soft_polled; npolled++) {
+               if (mlx5_poll_one(cq, &cur_qp, wc + soft_polled + npolled))
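Review bot: The block added to poll_soft_wc() overwrites `status` and `vendor_err` on every queued software completion when `is_fatal_err` is set, including any entry that was queued with a success status before the device entered the error state, and nothing in the code says this is intended. A comment above `if (unlikely(is_fatal_err))` would record the intent, for example `/* device is in internal error: report every pending soft WC as flushed */`. The comment in mlx5_ib_poll_cq(), `/* make sure no soft wqe's are waiting */`, could also say that soft completions are drained first and only the remaining `num_entries - soft_polled` slots are passed to mlx5_ib_poll_sw_comp(). Both functions start and end outside the hunks shown.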
diff --git a/queue-4.14/ib-qib-fix-dma-api-warning-with-debug-kernel.patch b/queue-4.14/ib-qib-fix-dma-api-warning-with-debug-kernel.patch
new file mode 100644 (file)
index 0000000..92608bd
--- /dev/null
@@ -0,0 +1,153 @@
+From 0252f73334f9ef68868e4684200bea3565a4fcee Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 18 May 2018 17:07:01 -0700
+Subject: IB/qib: Fix DMA api warning with debug kernel
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+commit 0252f73334f9ef68868e4684200bea3565a4fcee upstream.
+
+The following error occurs in a debug build when running MPI PSM:
+
+[  307.415911] WARNING: CPU: 4 PID: 23867 at lib/dma-debug.c:1158
+check_unmap+0x4ee/0xa20
+[  307.455661] ib_qib 0000:05:00.0: DMA-API: device driver failed to check map
+error[device address=0x00000000df82b000] [size=4096 bytes] [mapped as page]
+[  307.517494] Modules linked in:
+[  307.531584]  ib_isert iscsi_target_mod ib_srpt target_core_mod rpcrdma
+sunrpc ib_srp scsi_transport_srp scsi_tgt ib_iser libiscsi ib_ipoib
+scsi_transport_iscsi rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm
+ib_qib intel_powerclamp coretemp rdmavt intel_rapl iosf_mbi kvm_intel kvm
+irqbypass crc32_pclmul ghash_clmulni_intel ipmi_ssif ib_core aesni_intel sg
+ipmi_si lrw gf128mul dca glue_helper ipmi_devintf iTCO_wdt gpio_ich hpwdt
+iTCO_vendor_support ablk_helper hpilo acpi_power_meter cryptd ipmi_msghandler
+ie31200_edac shpchp pcc_cpufreq lpc_ich pcspkr ip_tables xfs libcrc32c sd_mod
+crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper syscopyarea
+sysfillrect sysimgblt fb_sys_fops ttm ahci crct10dif_pclmul crct10dif_common
+drm crc32c_intel libahci tg3 libata serio_raw ptp i2c_core
+[  307.846113]  pps_core dm_mirror dm_region_hash dm_log dm_mod
+[  307.866505] CPU: 4 PID: 23867 Comm: mpitests-IMB-MP Kdump: loaded Not
+tainted 3.10.0-862.el7.x86_64.debug #1
+[  307.911178] Hardware name: HP ProLiant DL320e Gen8, BIOS J05 11/09/2013
+[  307.944206] Call Trace:
+[  307.956973]  [<ffffffffbd9e915b>] dump_stack+0x19/0x1b
+[  307.982201]  [<ffffffffbd2a2f58>] __warn+0xd8/0x100
+[  308.005999]  [<ffffffffbd2a2fdf>] warn_slowpath_fmt+0x5f/0x80
+[  308.034260]  [<ffffffffbd5f667e>] check_unmap+0x4ee/0xa20
+[  308.060801]  [<ffffffffbd41acaa>] ? page_add_file_rmap+0x2a/0x1d0
+[  308.090689]  [<ffffffffbd5f6c4d>] debug_dma_unmap_page+0x9d/0xb0
+[  308.120155]  [<ffffffffbd4082e0>] ? might_fault+0xa0/0xb0
+[  308.146656]  [<ffffffffc07761a5>] qib_tid_free.isra.14+0x215/0x2a0 [ib_qib]
+[  308.180739]  [<ffffffffc0776bf4>] qib_write+0x894/0x1280 [ib_qib]
+[  308.210733]  [<ffffffffbd540b00>] ? __inode_security_revalidate+0x70/0x80
+[  308.244837]  [<ffffffffbd53c2b7>] ? security_file_permission+0x27/0xb0
+[  308.266025] qib_ib0.8006: multicast join failed for
+ff12:401b:8006:0000:0000:0000:ffff:ffff, status -22
+[  308.323421]  [<ffffffffbd46f5d3>] vfs_write+0xc3/0x1f0
+[  308.347077]  [<ffffffffbd492a5c>] ? fget_light+0xfc/0x510
+[  308.372533]  [<ffffffffbd47045a>] SyS_write+0x8a/0x100
+[  308.396456]  [<ffffffffbd9ff355>] system_call_fastpath+0x1c/0x21
+
+The code calls a qib_map_page() which has never correctly tested for a
+mapping error.
+
+Fix by testing for pci_dma_mapping_error() in all cases and properly
+handling the failure in the caller.
+
+Additionally, streamline qib_map_page() arguments to satisfy just
+the single caller.
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Alex Estrin <alex.estrin@intel.com>
+Tested-by: Don Dutile <ddutile@redhat.com>
+Reviewed-by: Don Dutile <ddutile@redhat.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/qib/qib.h            |    3 +--
+ drivers/infiniband/hw/qib/qib_file_ops.c   |   10 +++++++---
+ drivers/infiniband/hw/qib/qib_user_pages.c |   20 ++++++++++++--------
+ 3 files changed, 20 insertions(+), 13 deletions(-)
+
+--- a/drivers/infiniband/hw/qib/qib.h
++++ b/drivers/infiniband/hw/qib/qib.h
+@@ -1448,8 +1448,7 @@ u64 qib_sps_ints(void);
+ /*
+  * dma_addr wrappers - all 0's invalid for hw
+  */
+-dma_addr_t qib_map_page(struct pci_dev *, struct page *, unsigned long,
+-                        size_t, int);
++int qib_map_page(struct pci_dev *d, struct page *p, dma_addr_t *daddr);
+ const char *qib_get_unit_name(int unit);
+ const char *qib_get_card_name(struct rvt_dev_info *rdi);
+ struct pci_dev *qib_get_pci_dev(struct rvt_dev_info *rdi);
+--- a/drivers/infiniband/hw/qib/qib_file_ops.c
++++ b/drivers/infiniband/hw/qib/qib_file_ops.c
+@@ -364,6 +364,8 @@ static int qib_tid_update(struct qib_ctx
+               goto done;
+       }
+       for (i = 0; i < cnt; i++, vaddr += PAGE_SIZE) {
++              dma_addr_t daddr;
++
+               for (; ntids--; tid++) {
+                       if (tid == tidcnt)
+                               tid = 0;
+@@ -380,12 +382,14 @@ static int qib_tid_update(struct qib_ctx
+                       ret = -ENOMEM;
+                       break;
+               }
++              ret = qib_map_page(dd->pcidev, pagep[i], &daddr);
++              if (ret)
++                      break;
++
+               tidlist[i] = tid + tidoff;
+               /* we "know" system pages and TID pages are same size */
+               dd->pageshadow[ctxttid + tid] = pagep[i];
+-              dd->physshadow[ctxttid + tid] =
+-                      qib_map_page(dd->pcidev, pagep[i], 0, PAGE_SIZE,
+-                                   PCI_DMA_FROMDEVICE);
++              dd->physshadow[ctxttid + tid] = daddr;
+               /*
+                * don't need atomic or it's overhead
+                */
+--- a/drivers/infiniband/hw/qib/qib_user_pages.c
++++ b/drivers/infiniband/hw/qib/qib_user_pages.c
+@@ -99,23 +99,27 @@ bail:
+  *
+  * I'm sure we won't be so lucky with other iommu's, so FIXME.
+  */
+-dma_addr_t qib_map_page(struct pci_dev *hwdev, struct page *page,
+-                      unsigned long offset, size_t size, int direction)
++int qib_map_page(struct pci_dev *hwdev, struct page *page, dma_addr_t *daddr)
+ {
+       dma_addr_t phys;
+-      phys = pci_map_page(hwdev, page, offset, size, direction);
++      phys = pci_map_page(hwdev, page, 0, PAGE_SIZE, PCI_DMA_FROMDEVICE);
++      if (pci_dma_mapping_error(hwdev, phys))
++              return -ENOMEM;
+-      if (phys == 0) {
+-              pci_unmap_page(hwdev, phys, size, direction);
+-              phys = pci_map_page(hwdev, page, offset, size, direction);
++      if (!phys) {
++              pci_unmap_page(hwdev, phys, PAGE_SIZE, PCI_DMA_FROMDEVICE);
++              phys = pci_map_page(hwdev, page, 0, PAGE_SIZE,
++                                  PCI_DMA_FROMDEVICE);
++              if (pci_dma_mapping_error(hwdev, phys))
++                      return -ENOMEM;
+               /*
+                * FIXME: If we get 0 again, we should keep this page,
+                * map another, then free the 0 page.
+                */
+       }
+-
+-      return phys;
++      *daddr = phys;
++      return 0;
+ }
+ /**
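Review bot: In the new qib_map_page(), the retry branch under `if (!phys)` still falls through to `*daddr = phys; return 0;` when the second pci_map_page() also yields address 0, so qib_tid_update() stores into `dd->physshadow[]` a value that the comment in qib.h describes as "all 0's invalid for hw". The existing FIXME acknowledges the case, but now that the function has an error return it could report the condition instead of succeeding. One option after the second mapping-error check is `if (!phys) { pci_unmap_page(hwdev, phys, PAGE_SIZE, PCI_DMA_FROMDEVICE); return -ENOMEM; }`. Whether address 0 can come back twice in practice depends on the IOMMU and is not visible here.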
diff --git a/queue-4.14/ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch b/queue-4.14/ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch
new file mode 100644 (file)
index 0000000..2146b61
--- /dev/null
@@ -0,0 +1,42 @@
+From fe50a7d0393a552e4539da2d31261a59d6415950 Mon Sep 17 00:00:00 2001
+From: Corey Minyard <cminyard@mvista.com>
+Date: Tue, 22 May 2018 08:14:51 -0500
+Subject: ipmi:bt: Set the timeout before doing a capabilities check
+
+From: Corey Minyard <cminyard@mvista.com>
+
+commit fe50a7d0393a552e4539da2d31261a59d6415950 upstream.
+
+There was one place where the timeout value for an operation was
+not being set, if a capabilities request was done from idle.  Move
+the timeout value setting to before where that change might be
+requested.
+
+IMHO the cause here is the invisible returns in the macros.  Maybe
+that's a job for later, though.
+
+Reported-by: Nordmark Claes <Claes.Nordmark@tieto.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ipmi/ipmi_bt_sm.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/ipmi/ipmi_bt_sm.c
++++ b/drivers/char/ipmi/ipmi_bt_sm.c
+@@ -522,11 +522,12 @@ static enum si_sm_result bt_event(struct
+               if (status & BT_H_BUSY)         /* clear a leftover H_BUSY */
+                       BT_CONTROL(BT_H_BUSY);
++              bt->timeout = bt->BT_CAP_req2rsp;
++
+               /* Read BT capabilities if it hasn't been done yet */
+               if (!bt->BT_CAP_outreqs)
+                       BT_STATE_CHANGE(BT_STATE_CAPABILITIES_BEGIN,
+                                       SI_SM_CALL_WITHOUT_DELAY);
+-              bt->timeout = bt->BT_CAP_req2rsp;
+               BT_SI_SM_RETURN(SI_SM_IDLE);
+       case BT_STATE_XACTION_START:
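Review bot: The moved assignment `bt->timeout = bt->BT_CAP_req2rsp;` has no comment saying why it must precede `BT_STATE_CHANGE(...)`, so a later cleanup could move it back below the macro. According to the commit description the macro contains a hidden return, which this hunk does not show. A one-line comment above the assignment, such as `/* set before BT_STATE_CHANGE(), which returns from bt_event() */`, would keep the ordering constraint next to the code. The enclosing switch case starts outside the hunk.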
diff --git a/queue-4.14/mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch b/queue-4.14/mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch
new file mode 100644 (file)
index 0000000..a89db4f
--- /dev/null
@@ -0,0 +1,84 @@
+From 2a027b47dba6b77ab8c8e47b589ae9bbc5ac6175 Mon Sep 17 00:00:00 2001
+From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Date: Sun, 3 Jun 2018 23:02:01 +0900
+Subject: MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+
+commit 2a027b47dba6b77ab8c8e47b589ae9bbc5ac6175 upstream.
+
+The erratum and workaround are described by BCM5300X-ES300-RDS.pdf as
+below.
+
+  R10: PCIe Transactions Periodically Fail
+
+    Description: The BCM5300X PCIe does not maintain transaction ordering.
+                 This may cause PCIe transaction failure.
+    Fix Comment: Add a dummy PCIe configuration read after a PCIe
+                 configuration write to ensure PCIe configuration access
+                 ordering. Set ES bit of CP0 configu7 register to enable
+                 sync function so that the sync instruction is functional.
+    Resolution:  hndpci.c: extpci_write_config()
+                 hndmips.c: si_mips_init()
+                 mipsinc.h CONF7_ES
+
+This is fixed by the CFE MIPS bcmsi chipset driver also for BCM47XX.
+Also the dummy PCIe configuration read is already implemented in the
+Linux BCMA driver.
+
+Enable ExternalSync in Config7 when CONFIG_BCMA_DRIVER_PCI_HOSTMODE=y
+too so that the sync instruction is externalised.
+
+Signed-off-by: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Reviewed-by: Paul Burton <paul.burton@mips.com>
+Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
+Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Cc: RafaÅ‚ MiÅ‚ecki <zajec5@gmail.com>
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/19461/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/bcm47xx/setup.c        |    6 ++++++
+ arch/mips/include/asm/mipsregs.h |    3 +++
+ 2 files changed, 9 insertions(+)
+
+--- a/arch/mips/bcm47xx/setup.c
++++ b/arch/mips/bcm47xx/setup.c
+@@ -212,6 +212,12 @@ static int __init bcm47xx_cpu_fixes(void
+                */
+               if (bcm47xx_bus.bcma.bus.chipinfo.id == BCMA_CHIP_ID_BCM4706)
+                       cpu_wait = NULL;
++
++              /*
++               * BCM47XX Erratum "R10: PCIe Transactions Periodically Fail"
++               * Enable ExternalSync for sync instruction to take effect
++               */
++              set_c0_config7(MIPS_CONF7_ES);
+               break;
+ #endif
+       }
+--- a/arch/mips/include/asm/mipsregs.h
++++ b/arch/mips/include/asm/mipsregs.h
+@@ -680,6 +680,8 @@
+ #define MIPS_CONF7_WII                (_ULCAST_(1) << 31)
+ #define MIPS_CONF7_RPS                (_ULCAST_(1) << 2)
++/* ExternalSync */
++#define MIPS_CONF7_ES         (_ULCAST_(1) << 8)
+ #define MIPS_CONF7_IAR                (_ULCAST_(1) << 10)
+ #define MIPS_CONF7_AR         (_ULCAST_(1) << 16)
+@@ -2745,6 +2747,7 @@ __BUILD_SET_C0(status)
+ __BUILD_SET_C0(cause)
+ __BUILD_SET_C0(config)
+ __BUILD_SET_C0(config5)
++__BUILD_SET_C0(config7)
+ __BUILD_SET_C0(intcontrol)
+ __BUILD_SET_C0(intctl)
+ __BUILD_SET_C0(srsmap)
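Review bot: The description says ExternalSync is enabled "when CONFIG_BCMA_DRIVER_PCI_HOSTMODE=y too", but the added `set_c0_config7(MIPS_CONF7_ES);` in bcm47xx_cpu_fixes() sits directly in the case body with no such guard. The only conditional visible is the `#endif`, which closes a block opened outside the hunk. If setting the bit for every SoC on this bus is the intent, the new comment should say so, for example with an extra line `* Set for all BCMA-bus SoCs, whether or not PCI host mode is configured`. If it is not the intent, the call needs the guard the description names.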
diff --git a/queue-4.14/mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch b/queue-4.14/mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch
new file mode 100644 (file)
index 0000000..f1daf67
--- /dev/null
@@ -0,0 +1,33 @@
+From f1ce87f6080b1dda7e7b1eda3da332add19d87b9 Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Date: Wed, 6 Jun 2018 12:13:30 +0200
+Subject: mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking.
+
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+
+commit f1ce87f6080b1dda7e7b1eda3da332add19d87b9 upstream.
+
+cfi_ppb_unlock() walks all flash chips when unlocking sectors,
+avoid walking chips unaffected by the unlock operation.
+
+Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
+Cc: stable@vger.kernel.org
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -2695,6 +2695,8 @@ static int __maybe_unused cfi_ppb_unlock
+                       i++;
+               if (adr >> cfi->chipshift) {
++                      if (offset >= (ofs + len))
++                              break;
+                       adr = 0;
+                       chipnum++;
diff --git a/queue-4.14/mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch b/queue-4.14/mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch
new file mode 100644 (file)
index 0000000..c935b2a
--- /dev/null
@@ -0,0 +1,91 @@
+From 45f75b8a919a4255f52df454f1ffdee0e42443b2 Mon Sep 17 00:00:00 2001
+From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Date: Wed, 30 May 2018 18:32:28 +0900
+Subject: mtd: cfi_cmdset_0002: Change erase functions to retry for error
+
+From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+
+commit 45f75b8a919a4255f52df454f1ffdee0e42443b2 upstream.
+
+For the word write functions it is retried for error.
+But it is not implemented to retry for the erase functions.
+To make sure for the erase functions change to retry as same.
+
+This is needed to prevent the flash erase error caused only once.
+It was caused by the error case of chip_good() in the do_erase_oneblock().
+Also it was confirmed on the MACRONIX flash device MX29GL512FHT2I-11G.
+But the error issue behavior is not able to reproduce at this moment.
+The flash controller is parallel Flash interface integrated on BCM53003.
+
+Signed-off-by: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Reviewed-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
+Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Cc: Brian Norris <computersforpeace@gmail.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Cc: Boris Brezillon <boris.brezillon@free-electrons.com>
+Cc: Marek Vasut <marek.vasut@gmail.com>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Cyrille Pitchen <cyrille.pitchen@wedev4u.fr>
+Cc: linux-mtd@lists.infradead.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -2241,6 +2241,7 @@ static int __xipram do_erase_chip(struct
+       unsigned long int adr;
+       DECLARE_WAITQUEUE(wait, current);
+       int ret = 0;
++      int retry_cnt = 0;
+       adr = cfi->addr_unlock1;
+@@ -2258,6 +2259,7 @@ static int __xipram do_erase_chip(struct
+       ENABLE_VPP(map);
+       xip_disable(map, chip, adr);
++ retry:
+       cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
+       cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL);
+       cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
+@@ -2312,6 +2314,9 @@ static int __xipram do_erase_chip(struct
+               map_write( map, CMD(0xF0), chip->start );
+               /* FIXME - should have reset delay before continuing */
++              if (++retry_cnt <= MAX_RETRIES)
++                      goto retry;
++
+               ret = -EIO;
+       }
+@@ -2331,6 +2336,7 @@ static int __xipram do_erase_oneblock(st
+       unsigned long timeo = jiffies + HZ;
+       DECLARE_WAITQUEUE(wait, current);
+       int ret = 0;
++      int retry_cnt = 0;
+       adr += chip->start;
+@@ -2348,6 +2354,7 @@ static int __xipram do_erase_oneblock(st
+       ENABLE_VPP(map);
+       xip_disable(map, chip, adr);
++ retry:
+       cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
+       cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL);
+       cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
+@@ -2405,6 +2412,9 @@ static int __xipram do_erase_oneblock(st
+               map_write( map, CMD(0xF0), chip->start );
+               /* FIXME - should have reset delay before continuing */
++              if (++retry_cnt <= MAX_RETRIES)
++                      goto retry;
++
+               ret = -EIO;
+       }
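Review bot: The added `if (++retry_cnt <= MAX_RETRIES) goto retry;` in do_erase_chip() and do_erase_oneblock() re-issues the unlock and erase command sequence immediately after the `map_write( map, CMD(0xF0), chip->start );` reset, although the comment on the line just above it reads `FIXME - should have reset delay before continuing`. Before this change the reset was followed only by the error return; with the retry, the first command cycle may reach the chip while the reset is still in progress. Consider a short delay before the jump, or at least extend the FIXME to say that the retry depends on it. A warning logged on each retry would also help, since a block that erases only on a later attempt is otherwise indistinguishable from a healthy one. Both function bodies extend outside the hunks shown.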
diff --git a/queue-4.14/mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch b/queue-4.14/mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch
new file mode 100644 (file)
index 0000000..859ed6f
--- /dev/null
@@ -0,0 +1,45 @@
+From dfeae1073583dc35c33b32150e18b7048bbb37e6 Mon Sep 17 00:00:00 2001
+From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Date: Wed, 30 May 2018 18:32:26 +0900
+Subject: mtd: cfi_cmdset_0002: Change write buffer to check correct value
+
+From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+
+commit dfeae1073583dc35c33b32150e18b7048bbb37e6 upstream.
+
+For the word write it is checked if the chip has the correct value.
+But it is not checked for the write buffer as only checked if ready.
+To make sure for the write buffer change to check the value.
+
+It is enough as this patch is only checking the last written word.
+Since it is described by data sheets to check the operation status.
+
+Signed-off-by: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Reviewed-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
+Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Cc: Brian Norris <computersforpeace@gmail.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Cc: Boris Brezillon <boris.brezillon@free-electrons.com>
+Cc: Marek Vasut <marek.vasut@gmail.com>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Cyrille Pitchen <cyrille.pitchen@wedev4u.fr>
+Cc: linux-mtd@lists.infradead.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -1880,7 +1880,7 @@ static int __xipram do_write_buffer(stru
+               if (time_after(jiffies, timeo) && !chip_ready(map, adr))
+                       break;
+-              if (chip_ready(map, adr)) {
++              if (chip_good(map, adr, datum)) {
+                       xip_enable(map, chip, adr);
+                       goto op_done;
+               }
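Review bot: The timeout test on the line above the changed one still uses `chip_ready()`, so the two exits of the polling loop in do_write_buffer() now disagree. If the chip stops toggling but the last word does not read back as `datum`, `!chip_ready(map, adr)` is false and `chip_good(map, adr, datum)` is false, so neither the `break` nor the `goto op_done` is taken. Unless the part of the loop outside this hunk has another exit, the function would keep polling past `timeo`. Using the same predicate in the timeout condition, `if (time_after(jiffies, timeo) && !chip_good(map, adr, datum)) break;`, keeps the loop bounded.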
diff --git a/queue-4.14/mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch b/queue-4.14/mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch
new file mode 100644 (file)
index 0000000..20a9e3c
--- /dev/null
@@ -0,0 +1,54 @@
+From 5fdfc3dbad099281bf027a353d5786c09408a8e5 Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Date: Wed, 6 Jun 2018 12:13:28 +0200
+Subject: mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips
+
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+
+commit 5fdfc3dbad099281bf027a353d5786c09408a8e5 upstream.
+
+cfi_ppb_unlock() tries to relock all sectors that were locked before
+unlocking the whole chip.
+This locking used the chip start address + the FULL offset from the
+first flash chip, thereby forming an illegal address. Fix that by using
+the chip offset(adr).
+
+Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
+Cc: stable@vger.kernel.org
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -2545,7 +2545,7 @@ static int cfi_atmel_unlock(struct mtd_i
+ struct ppb_lock {
+       struct flchip *chip;
+-      loff_t offset;
++      unsigned long adr;
+       int locked;
+ };
+@@ -2681,7 +2681,7 @@ static int __maybe_unused cfi_ppb_unlock
+                */
+               if ((adr < ofs) || (adr >= (ofs + len))) {
+                       sect[sectors].chip = &cfi->chips[chipnum];
+-                      sect[sectors].offset = offset;
++                      sect[sectors].adr = adr;
+                       sect[sectors].locked = do_ppb_xxlock(
+                               map, &cfi->chips[chipnum], adr, 0,
+                               DO_XXLOCK_ONEBLOCK_GETLOCK);
+@@ -2725,7 +2725,7 @@ static int __maybe_unused cfi_ppb_unlock
+        */
+       for (i = 0; i < sectors; i++) {
+               if (sect[i].locked)
+-                      do_ppb_xxlock(map, sect[i].chip, sect[i].offset, 0,
++                      do_ppb_xxlock(map, sect[i].chip, sect[i].adr, 0,
+                                     DO_XXLOCK_ONEBLOCK_LOCK);
+       }
diff --git a/queue-4.14/mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch b/queue-4.14/mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch
new file mode 100644 (file)
index 0000000..4388b0d
--- /dev/null
@@ -0,0 +1,36 @@
+From 0cd8116f172eed018907303dbff5c112690eeb91 Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Date: Wed, 6 Jun 2018 12:13:29 +0200
+Subject: mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary
+
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+
+commit 0cd8116f172eed018907303dbff5c112690eeb91 upstream.
+
+The "sector is in requested range" test used to determine whether
+sectors should be re-locked or not is done on a variable that is reset
+everytime we cross a chip boundary, which can lead to some blocks being
+re-locked while the caller expect them to be unlocked.
+Fix the check to make sure this cannot happen.
+
+Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
+Cc: stable@vger.kernel.org
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -2679,7 +2679,7 @@ static int __maybe_unused cfi_ppb_unlock
+                * sectors shall be unlocked, so lets keep their locking
+                * status at "unlocked" (locked=0) for the final re-locking.
+                */
+-              if ((adr < ofs) || (adr >= (ofs + len))) {
++              if ((offset < ofs) || (offset >= (ofs + len))) {
+                       sect[sectors].chip = &cfi->chips[chipnum];
+                       sect[sectors].adr = adr;
+                       sect[sectors].locked = do_ppb_xxlock(
diff --git a/queue-4.14/mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch b/queue-4.14/mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch
new file mode 100644 (file)
index 0000000..b47eb1d
--- /dev/null
@@ -0,0 +1,57 @@
+From f93aa8c4de307069c270b2d81741961162bead6c Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Date: Wed, 6 Jun 2018 12:13:27 +0200
+Subject: mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock()
+
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+
+commit f93aa8c4de307069c270b2d81741961162bead6c upstream.
+
+do_ppb_xxlock() fails to add chip->start when querying for lock status
+(and chip_ready test), which caused false status reports.
+Fix that by adding adr += chip->start and adjust call sites
+accordingly.
+
+Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
+Cc: stable@vger.kernel.org
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -2563,8 +2563,9 @@ static int __maybe_unused do_ppb_xxlock(
+       unsigned long timeo;
+       int ret;
++      adr += chip->start;
+       mutex_lock(&chip->mutex);
+-      ret = get_chip(map, chip, adr + chip->start, FL_LOCKING);
++      ret = get_chip(map, chip, adr, FL_LOCKING);
+       if (ret) {
+               mutex_unlock(&chip->mutex);
+               return ret;
+@@ -2582,8 +2583,8 @@ static int __maybe_unused do_ppb_xxlock(
+       if (thunk == DO_XXLOCK_ONEBLOCK_LOCK) {
+               chip->state = FL_LOCKING;
+-              map_write(map, CMD(0xA0), chip->start + adr);
+-              map_write(map, CMD(0x00), chip->start + adr);
++              map_write(map, CMD(0xA0), adr);
++              map_write(map, CMD(0x00), adr);
+       } else if (thunk == DO_XXLOCK_ONEBLOCK_UNLOCK) {
+               /*
+                * Unlocking of one specific sector is not supported, so we
+@@ -2621,7 +2622,7 @@ static int __maybe_unused do_ppb_xxlock(
+       map_write(map, CMD(0x00), chip->start);
+       chip->state = FL_READY;
+-      put_chip(map, chip, adr + chip->start);
++      put_chip(map, chip, adr);
+       mutex_unlock(&chip->mutex);
+       return ret;
diff --git a/queue-4.14/of-overlay-validate-offset-from-property-fixups.patch b/queue-4.14/of-overlay-validate-offset-from-property-fixups.patch
new file mode 100644 (file)
index 0000000..ffeead9
--- /dev/null
@@ -0,0 +1,41 @@
+From 482137bf2aecd887ebfa8756456764a2f6a0e545 Mon Sep 17 00:00:00 2001
+From: Frank Rowand <frank.rowand@sony.com>
+Date: Wed, 16 May 2018 21:19:51 -0700
+Subject: of: overlay: validate offset from property fixups
+
+From: Frank Rowand <frank.rowand@sony.com>
+
+commit 482137bf2aecd887ebfa8756456764a2f6a0e545 upstream.
+
+The smatch static checker marks the data in offset as untrusted,
+leading it to warn:
+
+  drivers/of/resolver.c:125 update_usages_of_a_phandle_reference()
+  error: buffer underflow 'prop->value' 's32min-s32max'
+
+Add check to verify that offset is within the property data.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Frank Rowand <frank.rowand@sony.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/resolver.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/of/resolver.c
++++ b/drivers/of/resolver.c
+@@ -129,6 +129,11 @@ static int update_usages_of_a_phandle_re
+                       goto err_fail;
+               }
++              if (offset < 0 || offset + sizeof(__be32) > prop->length) {
++                      err = -EINVAL;
++                      goto err_fail;
++              }
++
+               *(__be32 *)(prop->value + offset) = cpu_to_be32(phandle);
+       }
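Review bot: The added bound `offset + sizeof(__be32) > prop->length` is evaluated in `size_t` because of the `sizeof` operand, so if `prop->length` is a signed int (its declaration is not in this hunk) a negative length would convert to a very large value and let any non-negative offset through to the store on the next line. Keeping the comparison signed avoids relying on that conversion: `if (offset < 0 || offset > prop->length - (int)sizeof(__be32)) {`. The check also does not look at alignment, so an odd `offset` would still reach `*(__be32 *)(prop->value + offset)` as an unaligned store; whether that matters depends on how the fixup offsets are produced, which is outside the hunk. A short comment saying that `offset` comes from overlay fixup data, which the description calls untrusted, would explain why the check is there.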
diff --git a/queue-4.14/of-platform-stop-accessing-invalid-dev-in-of_platform_device_destroy.patch b/queue-4.14/of-platform-stop-accessing-invalid-dev-in-of_platform_device_destroy.patch
new file mode 100644 (file)
index 0000000..612e439
--- /dev/null
@@ -0,0 +1,120 @@
+From 522811e944ed9b36806faa019faec10f9d259cca Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Mon, 4 Jun 2018 15:14:08 +0100
+Subject: of: platform: stop accessing invalid dev in of_platform_device_destroy
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+commit 522811e944ed9b36806faa019faec10f9d259cca upstream.
+
+Immediately after the platform_device_unregister() the device will be
+cleaned up. Accessing the freed pointer immediately after that will
+crash the system.
+
+Found this bug when kernel is built with CONFIG_PAGE_POISONING and testing
+loading/unloading audio drivers in a loop on Qcom platforms.
+
+Fix this by moving of_node_clear_flag() just before the unregister calls.
+
+Below is the crash trace:
+
+Unable to handle kernel paging request at virtual address 6b6b6b6b6b6c03
+Mem abort info:
+  ESR = 0x96000021
+  Exception class = DABT (current EL), IL = 32 bits
+  SET = 0, FnV = 0
+  EA = 0, S1PTW = 0
+Data abort info:
+  ISV = 0, ISS = 0x00000021
+  CM = 0, WnR = 0
+[006b6b6b6b6b6c03] address between user and kernel address ranges
+Internal error: Oops: 96000021 [#1] PREEMPT SMP
+Modules linked in:
+CPU: 2 PID: 1784 Comm: sh Tainted: G        W         4.17.0-rc7-02230-ge3a63a7ef641-dirty #204
+Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
+pstate: 80000005 (Nzcv daif -PAN -UAO)
+pc : clear_bit+0x18/0x2c
+lr : of_platform_device_destroy+0x64/0xb8
+sp : ffff00000c9c3930
+x29: ffff00000c9c3930 x28: ffff80003d39b200
+x27: ffff000008bb1000 x26: 0000000000000040
+x25: 0000000000000124 x24: ffff80003a9a3080
+x23: 0000000000000060 x22: ffff00000939f518
+x21: ffff80003aa79e98 x20: ffff80003aa3dae0
+x19: ffff80003aa3c890 x18: ffff800009feb794
+x17: 0000000000000000 x16: 0000000000000000
+x15: ffff800009feb790 x14: 0000000000000000
+x13: ffff80003a058778 x12: ffff80003a058728
+x11: ffff80003a058750 x10: 0000000000000000
+x9 : 0000000000000006 x8 : ffff80003a825988
+x7 : bbbbbbbbbbbbbbbb x6 : 0000000000000001
+x5 : 0000000000000000 x4 : 0000000000000001
+x3 : 0000000000000008 x2 : 0000000000000001
+x1 : 6b6b6b6b6b6b6c03 x0 : 0000000000000000
+Process sh (pid: 1784, stack limit = 0x        (ptrval))
+Call trace:
+ clear_bit+0x18/0x2c
+ q6afe_remove+0x20/0x38
+ apr_device_remove+0x30/0x70
+ device_release_driver_internal+0x170/0x208
+ device_release_driver+0x14/0x20
+ bus_remove_device+0xcc/0x150
+ device_del+0x10c/0x310
+ device_unregister+0x1c/0x70
+ apr_remove_device+0xc/0x18
+ device_for_each_child+0x50/0x80
+ apr_remove+0x18/0x20
+ rpmsg_dev_remove+0x38/0x68
+ device_release_driver_internal+0x170/0x208
+ device_release_driver+0x14/0x20
+ bus_remove_device+0xcc/0x150
+ device_del+0x10c/0x310
+ device_unregister+0x1c/0x70
+ qcom_smd_remove_device+0xc/0x18
+ device_for_each_child+0x50/0x80
+ qcom_smd_unregister_edge+0x3c/0x70
+ smd_subdev_remove+0x18/0x28
+ rproc_stop+0x48/0xd8
+ rproc_shutdown+0x60/0xe8
+ state_store+0xbc/0xf8
+ dev_attr_store+0x18/0x28
+ sysfs_kf_write+0x3c/0x50
+ kernfs_fop_write+0x118/0x1e0
+ __vfs_write+0x18/0x110
+ vfs_write+0xa4/0x1a8
+ ksys_write+0x48/0xb0
+ sys_write+0xc/0x18
+ el0_svc_naked+0x30/0x34
+Code: d2800022 8b400c21 f9800031 9ac32043 (c85f7c22)
+---[ end trace 32020935775616a2 ]---
+
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/platform.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/of/platform.c
++++ b/drivers/of/platform.c
+@@ -533,6 +533,9 @@ int of_platform_device_destroy(struct de
+       if (of_node_check_flag(dev->of_node, OF_POPULATED_BUS))
+               device_for_each_child(dev, NULL, of_platform_device_destroy);
++      of_node_clear_flag(dev->of_node, OF_POPULATED);
++      of_node_clear_flag(dev->of_node, OF_POPULATED_BUS);
++
+       if (dev->bus == &platform_bus_type)
+               platform_device_unregister(to_platform_device(dev));
+ #ifdef CONFIG_ARM_AMBA
+@@ -540,8 +543,6 @@ int of_platform_device_destroy(struct de
+               amba_device_unregister(to_amba_device(dev));
+ #endif
+-      of_node_clear_flag(dev->of_node, OF_POPULATED);
+-      of_node_clear_flag(dev->of_node, OF_POPULATED_BUS);
+       return 0;
+ }
+ EXPORT_SYMBOL_GPL(of_platform_device_destroy);
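Review bot: Nothing in the new code records why the two `of_node_clear_flag()` calls must come before the unregister calls, and that ordering is the whole fix: per the commit message `dev` is cleaned up by `platform_device_unregister()`, so any later read of `dev->of_node` touches freed memory. I would add a comment above the moved lines, e.g. `/* Clear the flags first: dev may be freed by the unregister calls below */`, so that a later cleanup does not move them back to the end of the function. The same reasoning covers the `amba_device_unregister()` branch in the second hunk. The start of of_platform_device_destroy() is outside the hunk.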
diff --git a/queue-4.14/of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch b/queue-4.14/of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch
new file mode 100644 (file)
index 0000000..07767fe
--- /dev/null
@@ -0,0 +1,63 @@
+From 3b9cf7905fe3ab35ab437b5072c883e609d3498d Mon Sep 17 00:00:00 2001
+From: Stefan M Schaeckeler <sschaeck@cisco.com>
+Date: Mon, 21 May 2018 16:26:14 -0700
+Subject: of: unittest: for strings, account for trailing \0 in property length field
+
+From: Stefan M Schaeckeler <sschaeck@cisco.com>
+
+commit 3b9cf7905fe3ab35ab437b5072c883e609d3498d upstream.
+
+For strings, account for trailing \0 in property length field:
+
+This is consistent with how dtc builds string properties.
+
+Function __of_prop_dup() would misbehave on such properties as it duplicates
+properties based on the property length field creating new string values
+without trailing \0s.
+
+Signed-off-by: Stefan M Schaeckeler <sschaeck@cisco.com>
+Reviewed-by: Frank Rowand <frank.rowand@sony.com>
+Tested-by: Frank Rowand <frank.rowand@sony.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/unittest.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -164,20 +164,20 @@ static void __init of_unittest_dynamic(v
+       /* Add a new property - should pass*/
+       prop->name = "new-property";
+       prop->value = "new-property-data";
+-      prop->length = strlen(prop->value);
++      prop->length = strlen(prop->value) + 1;
+       unittest(of_add_property(np, prop) == 0, "Adding a new property failed\n");
+       /* Try to add an existing property - should fail */
+       prop++;
+       prop->name = "new-property";
+       prop->value = "new-property-data-should-fail";
+-      prop->length = strlen(prop->value);
++      prop->length = strlen(prop->value) + 1;
+       unittest(of_add_property(np, prop) != 0,
+                "Adding an existing property should have failed\n");
+       /* Try to modify an existing property - should pass */
+       prop->value = "modify-property-data-should-pass";
+-      prop->length = strlen(prop->value);
++      prop->length = strlen(prop->value) + 1;
+       unittest(of_update_property(np, prop) == 0,
+                "Updating an existing property should have passed\n");
+@@ -185,7 +185,7 @@ static void __init of_unittest_dynamic(v
+       prop++;
+       prop->name = "modify-property";
+       prop->value = "modify-missing-property-data-should-pass";
+-      prop->length = strlen(prop->value);
++      prop->length = strlen(prop->value) + 1;
+       unittest(of_update_property(np, prop) == 0,
+                "Updating a missing property should have passed\n");
diff --git a/queue-4.14/pci-add-acs-quirk-for-intel-300-series.patch b/queue-4.14/pci-add-acs-quirk-for-intel-300-series.patch
new file mode 100644 (file)
index 0000000..ae4eff3
--- /dev/null
@@ -0,0 +1,43 @@
+From f154a718e6cc0d834f5ac4dc4c3b174e65f3659e Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Fri, 27 Apr 2018 13:06:30 -0500
+Subject: PCI: Add ACS quirk for Intel 300 series
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit f154a718e6cc0d834f5ac4dc4c3b174e65f3659e upstream.
+
+Intel 300 series chipset still has the same ACS issue as the previous
+generations so extend the ACS quirk to cover it as well.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/quirks.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4388,6 +4388,11 @@ static int pci_quirk_qcom_rp_acs(struct
+  *
+  * 0x9d10-0x9d1b PCI Express Root port #{1-12}
+  *
++ * The 300 series chipset suffers from the same bug so include those root
++ * ports here as well.
++ *
++ * 0xa32c-0xa343 PCI Express Root port #{0-24}
++ *
+  * [1] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-2.html
+  * [2] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-1.html
+  * [3] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-spec-update.html
+@@ -4405,6 +4410,7 @@ static bool pci_quirk_intel_spt_pch_acs_
+       case 0xa110 ... 0xa11f: case 0xa167 ... 0xa16a: /* Sunrise Point */
+       case 0xa290 ... 0xa29f: case 0xa2e7 ... 0xa2ee: /* Union Point */
+       case 0x9d10 ... 0x9d1b: /* 7th & 8th Gen Mobile */
++      case 0xa32c ... 0xa343:                         /* 300 series */
+               return true;
+       }
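Review bot: The comment line added for the 300 series, `0xa32c-0xa343 PCI Express Root port #{0-24}`, does not agree with itself: 0xa32c through 0xa343 is 24 device IDs, while `#{0-24}` names 25 ports. The added block also cites no datasheet or specification update for this range, whereas the earlier generations carry numbered references ([1]–[3] are visible in this hunk). Because the new `case 0xa32c ... 0xa343:` decides which root ports the ACS quirk is applied to, I would add the source document for the IDs and correct the port numbering, e.g. `#{1-24}` if that is what the datasheet lists (not verifiable from this hunk).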
diff --git a/queue-4.14/pci-add-acs-quirk-for-intel-7th-8th-gen-mobile.patch b/queue-4.14/pci-add-acs-quirk-for-intel-7th-8th-gen-mobile.patch
new file mode 100644 (file)
index 0000000..a8159a4
--- /dev/null
@@ -0,0 +1,56 @@
+From e8440f4bfedc623bee40c84797ac78d9303d0db6 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Wed, 25 Apr 2018 14:27:37 -0600
+Subject: PCI: Add ACS quirk for Intel 7th & 8th Gen mobile
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit e8440f4bfedc623bee40c84797ac78d9303d0db6 upstream.
+
+The specification update indicates these have the same errata for
+implementing non-standard ACS capabilities.
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/quirks.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4377,11 +4377,24 @@ static int pci_quirk_qcom_rp_acs(struct
+  * 0xa290-0xa29f PCI Express Root port #{0-16}
+  * 0xa2e7-0xa2ee PCI Express Root port #{17-24}
+  *
++ * Mobile chipsets are also affected, 7th & 8th Generation
++ * Specification update confirms ACS errata 22, status no fix: (7th Generation
++ * Intel Processor Family I/O for U/Y Platforms and 8th Generation Intel
++ * Processor Family I/O for U Quad Core Platforms Specification Update,
++ * August 2017, Revision 002, Document#: 334660-002)[6]
++ * Device IDs from I/O datasheet: (7th Generation Intel Processor Family I/O
++ * for U/Y Platforms and 8th Generation Intel Â® Processor Family I/O for U
++ * Quad Core Platforms, Vol 1 of 2, August 2017, Document#: 334658-003)[7]
++ *
++ * 0x9d10-0x9d1b PCI Express Root port #{1-12}
++ *
+  * [1] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-2.html
+  * [2] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-1.html
+  * [3] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-spec-update.html
+  * [4] http://www.intel.com/content/www/us/en/chipsets/200-series-chipset-pch-spec-update.html
+  * [5] http://www.intel.com/content/www/us/en/chipsets/200-series-chipset-pch-datasheet-vol-1.html
++ * [6] https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-mobile-u-y-processor-lines-i-o-spec-update.html
++ * [7] https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-mobile-u-y-processor-lines-i-o-datasheet-vol-1.html
+  */
+ static bool pci_quirk_intel_spt_pch_acs_match(struct pci_dev *dev)
+ {
+@@ -4391,6 +4404,7 @@ static bool pci_quirk_intel_spt_pch_acs_
+       switch (dev->device) {
+       case 0xa110 ... 0xa11f: case 0xa167 ... 0xa16a: /* Sunrise Point */
+       case 0xa290 ... 0xa29f: case 0xa2e7 ... 0xa2ee: /* Union Point */
++      case 0x9d10 ... 0x9d1b: /* 7th & 8th Gen Mobile */
+               return true;
+       }
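Review bot: The added comment block is hard to read and carries a non-ASCII character. Its opening line `Mobile chipsets are also affected, 7th & 8th Generation` runs straight into the next sentence, and the second document title has a registered-trademark sign after "Intel" (rendered on this page as `Â®`) that the first title does not. I would reword the opening to `7th & 8th Generation mobile chipsets are also affected.` and drop the symbol so the comment stays plain ASCII and the two titles read alike. The body of pci_quirk_intel_spt_pch_acs_match() continues outside the second hunk.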
diff --git a/queue-4.14/pci-hv-make-sure-the-bus-domain-is-really-unique.patch b/queue-4.14/pci-hv-make-sure-the-bus-domain-is-really-unique.patch
new file mode 100644 (file)
index 0000000..89d15fe
--- /dev/null
@@ -0,0 +1,67 @@
+From 29927dfb7f69bcf2ae7fd1cda10997e646a5189c Mon Sep 17 00:00:00 2001
+From: Sridhar Pitchai <Sridhar.Pitchai@microsoft.com>
+Date: Tue, 1 May 2018 17:56:32 +0000
+Subject: PCI: hv: Make sure the bus domain is really unique
+
+From: Sridhar Pitchai <Sridhar.Pitchai@microsoft.com>
+
+commit 29927dfb7f69bcf2ae7fd1cda10997e646a5189c upstream.
+
+When Linux runs as a guest VM in Hyper-V and Hyper-V adds the virtual PCI
+bus to the guest, Hyper-V always provides unique PCI domain.
+
+commit 4a9b0933bdfc ("PCI: hv: Use device serial number as PCI domain")
+overrode unique domain with the serial number of the first device added to
+the virtual PCI bus.
+
+The reason for that patch was to have a consistent and short name for the
+device, but Hyper-V doesn't provide unique serial numbers. Using non-unique
+serial numbers as domain IDs leads to duplicate device addresses, which
+causes PCI bus registration to fail.
+
+commit 0c195567a8f6 ("netvsc: transparent VF management") avoids the need
+for commit 4a9b0933bdfc ("PCI: hv: Use device serial number as PCI
+domain").  When scripts were used to configure VF devices, the name of
+the VF needed to be consistent and short, but with commit 0c195567a8f6
+("netvsc: transparent VF management") all the setup is done in the kernel,
+and we do not need to maintain consistent name.
+
+Revert commit 4a9b0933bdfc ("PCI: hv: Use device serial number as PCI
+domain") so we can reliably support multiple devices being assigned to
+a guest.
+
+Tag the patch for stable kernels containing commit 0c195567a8f6
+("netvsc: transparent VF management").
+
+Fixes: 4a9b0933bdfc ("PCI: hv: Use device serial number as PCI domain")
+Signed-off-by: Sridhar Pitchai <sridhar.pitchai@microsoft.com>
+[lorenzo.pieralisi@arm.com: trimmed commit log]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Cc: stable@vger.kernel.org # v4.14+
+Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/host/pci-hyperv.c |   11 -----------
+ 1 file changed, 11 deletions(-)
+
+--- a/drivers/pci/host/pci-hyperv.c
++++ b/drivers/pci/host/pci-hyperv.c
+@@ -1610,17 +1610,6 @@ static struct hv_pci_dev *new_pcichild_d
+       get_pcichild(hpdev, hv_pcidev_ref_childlist);
+       spin_lock_irqsave(&hbus->device_list_lock, flags);
+-      /*
+-       * When a device is being added to the bus, we set the PCI domain
+-       * number to be the device serial number, which is non-zero and
+-       * unique on the same VM.  The serial numbers start with 1, and
+-       * increase by 1 for each device.  So device names including this
+-       * can have shorter names than based on the bus instance UUID.
+-       * Only the first device serial number is used for domain, so the
+-       * domain number will not change after the first device is added.
+-       */
+-      if (list_empty(&hbus->children))
+-              hbus->sysdata.domain = desc->ser;
+       list_add_tail(&hpdev->list_entry, &hbus->children);
+       spin_unlock_irqrestore(&hbus->device_list_lock, flags);
+       return hpdev;
diff --git a/queue-4.14/pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch b/queue-4.14/pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch
new file mode 100644 (file)
index 0000000..a21d8f4
--- /dev/null
@@ -0,0 +1,83 @@
+From 13c65840feab8109194f9490c9870587173cb29d Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Wed, 23 May 2018 17:14:39 -0500
+Subject: PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit 13c65840feab8109194f9490c9870587173cb29d upstream.
+
+After a suspend/resume cycle the Presence Detect or Data Link Layer Status
+Changed bits might be set.  If we don't clear them those events will not
+fire anymore and nothing happens for instance when a device is now
+hot-unplugged.
+
+Fix this by clearing those bits in a newly introduced function
+pcie_reenable_notification().  This should be fine because immediately
+after, we check if the adapter is still present by reading directly from
+the status register.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/hotplug/pciehp.h      |    2 +-
+ drivers/pci/hotplug/pciehp_core.c |    2 +-
+ drivers/pci/hotplug/pciehp_hpc.c  |   13 ++++++++++++-
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/hotplug/pciehp.h
++++ b/drivers/pci/hotplug/pciehp.h
+@@ -134,7 +134,7 @@ struct controller *pcie_init(struct pcie
+ int pcie_init_notification(struct controller *ctrl);
+ int pciehp_enable_slot(struct slot *p_slot);
+ int pciehp_disable_slot(struct slot *p_slot);
+-void pcie_enable_notification(struct controller *ctrl);
++void pcie_reenable_notification(struct controller *ctrl);
+ int pciehp_power_on_slot(struct slot *slot);
+ void pciehp_power_off_slot(struct slot *slot);
+ void pciehp_get_power_status(struct slot *slot, u8 *status);
+--- a/drivers/pci/hotplug/pciehp_core.c
++++ b/drivers/pci/hotplug/pciehp_core.c
+@@ -297,7 +297,7 @@ static int pciehp_resume(struct pcie_dev
+       ctrl = get_service_data(dev);
+       /* reinitialize the chipset's event detection logic */
+-      pcie_enable_notification(ctrl);
++      pcie_reenable_notification(ctrl);
+       slot = ctrl->slot;
+--- a/drivers/pci/hotplug/pciehp_hpc.c
++++ b/drivers/pci/hotplug/pciehp_hpc.c
+@@ -676,7 +676,7 @@ static irqreturn_t pcie_isr(int irq, voi
+       return handled;
+ }
+-void pcie_enable_notification(struct controller *ctrl)
++static void pcie_enable_notification(struct controller *ctrl)
+ {
+       u16 cmd, mask;
+@@ -714,6 +714,17 @@ void pcie_enable_notification(struct con
+                pci_pcie_cap(ctrl->pcie->port) + PCI_EXP_SLTCTL, cmd);
+ }
++void pcie_reenable_notification(struct controller *ctrl)
++{
++      /*
++       * Clear both Presence and Data Link Layer Changed to make sure
++       * those events still fire after we have re-enabled them.
++       */
++      pcie_capability_write_word(ctrl->pcie->port, PCI_EXP_SLTSTA,
++                                 PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_DLLSC);
++      pcie_enable_notification(ctrl);
++}
++
+ static void pcie_disable_notification(struct controller *ctrl)
+ {
+       u16 mask;
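Review bot: pcie_reenable_notification() clears PDC and DLLSC unconditionally, so an event latched before resume is discarded rather than handled; the commit message relies on the caller re-reading the slot status right afterwards, but nothing in the new function states that contract. I would extend its comment, e.g. `/* Resume only: caller must re-check slot status afterwards, since pending PDC/DLLSC are dropped here */`. It would also help to note that the Slot Status bits are write-1-to-clear, which is why writing only these two flags leaves the other status bits untouched. The return value of `pcie_capability_write_word()` is ignored; whether that matches the rest of the file is not visible in these hunks.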
diff --git a/queue-4.14/powerpc-fadump-unregister-fadump-on-kexec-down-path.patch b/queue-4.14/powerpc-fadump-unregister-fadump-on-kexec-down-path.patch
new file mode 100644 (file)
index 0000000..3398075
--- /dev/null
@@ -0,0 +1,39 @@
+From 722cde76d68e8cc4f3de42e71c82fd40dea4f7b9 Mon Sep 17 00:00:00 2001
+From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Date: Fri, 27 Apr 2018 11:53:18 +0530
+Subject: powerpc/fadump: Unregister fadump on kexec down path.
+
+From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+
+commit 722cde76d68e8cc4f3de42e71c82fd40dea4f7b9 upstream.
+
+Unregister fadump on kexec down path otherwise the fadump registration
+in new kexec-ed kernel complains that fadump is already registered.
+This makes new kernel to continue using fadump registered by previous
+kernel which may lead to invalid vmcore generation. Hence this patch
+fixes this issue by un-registering fadump in fadump_cleanup() which is
+called during kexec path so that new kernel can register fadump with
+new valid values.
+
+Fixes: b500afff11f6 ("fadump: Invalidate registration and release reserved memory for general use.")
+Cc: stable@vger.kernel.org # v3.4+
+Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/fadump.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/powerpc/kernel/fadump.c
++++ b/arch/powerpc/kernel/fadump.c
+@@ -1155,6 +1155,9 @@ void fadump_cleanup(void)
+               init_fadump_mem_struct(&fdm,
+                       be64_to_cpu(fdm_active->cpu_state_data.destination_address));
+               fadump_invalidate_dump(&fdm);
++      } else if (fw_dump.dump_registered) {
++              /* Un-register Firmware-assisted dump if it was registered. */
++              fadump_unregister_dump(&fdm);
+       }
+ }
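Review bot: The new `else if` branch passes `&fdm` to `fadump_unregister_dump()` without preparing it, whereas the branch above calls `init_fadump_mem_struct(&fdm, ...)` first, so the unregister call depends on `fdm` still holding whatever was used at registration time; that is not visible in this hunk. I would say so in the comment, e.g. `/* fdm still holds the registration-time values; un-register so the kexec-ed kernel can register afresh */`. The call's result is also discarded; if the function returns a status and does not log failures itself, a failed unregister would leave the stale registration described in the commit message with no trace. The beginning of fadump_cleanup() is outside the hunk.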
diff --git a/queue-4.14/powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch b/queue-4.14/powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch
new file mode 100644 (file)
index 0000000..fde73b6
--- /dev/null
@@ -0,0 +1,63 @@
+From 91d06971881f71d945910de128658038513d1b24 Mon Sep 17 00:00:00 2001
+From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
+Date: Wed, 30 May 2018 18:48:04 +0530
+Subject: powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch
+
+From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+
+commit 91d06971881f71d945910de128658038513d1b24 upstream.
+
+Currently we do not have an isync, or any other context synchronizing
+instruction prior to the slbie/slbmte in _switch() that updates the
+SLB entry for the kernel stack.
+
+However that is not correct as outlined in the ISA.
+
+From Power ISA Version 3.0B, Book III, Chapter 11, page 1133:
+
+  "Changing the contents of ... the contents of SLB entries ... can
+   have the side effect of altering the context in which data
+   addresses and instruction addresses are interpreted, and in which
+   instructions are executed and data accesses are performed.
+   ...
+   These side effects need not occur in program order, and therefore
+   may require explicit synchronization by software.
+   ...
+   The synchronizing instruction before the context-altering
+   instruction ensures that all instructions up to and including that
+   synchronizing instruction are fetched and executed in the context
+   that existed before the alteration."
+
+And page 1136:
+
+  "For data accesses, the context synchronizing instruction before the
+   slbie, slbieg, slbia, slbmte, tlbie, or tlbiel instruction ensures
+   that all preceding instructions that access data storage have
+   completed to a point at which they have reported all exceptions
+   they will cause."
+
+We're not aware of any bugs caused by this, but it should be fixed
+regardless.
+
+Add the missing isync when updating kernel stack SLB entry.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+[mpe: Flesh out change log with more ISA text & explanation]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/entry_64.S |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/kernel/entry_64.S
++++ b/arch/powerpc/kernel/entry_64.S
+@@ -597,6 +597,7 @@ END_MMU_FTR_SECTION_IFSET(MMU_FTR_1T_SEG
+        * actually hit this code path.
+        */
++      isync
+       slbie   r6
+       slbie   r6              /* Workaround POWER5 < DD2.1 issue */
+       slbmte  r7,r0
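Review bot: The added `isync` carries no comment, although the reason for it is not obvious from the code and the neighbouring `slbie` has one. I would annotate it, e.g. `isync   /* context synchronize before changing the kernel stack SLB entry */`, so that it is not later removed as redundant; the commit message already quotes the ISA text that requires it. The surrounding routine starts and ends outside the hunk.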
diff --git a/queue-4.14/powerpc-perf-fix-memory-allocation-for-core-imc-based-on-num_possible_cpus.patch b/queue-4.14/powerpc-perf-fix-memory-allocation-for-core-imc-based-on-num_possible_cpus.patch
new file mode 100644 (file)
index 0000000..061cb08
--- /dev/null
@@ -0,0 +1,92 @@
+From d2032678e57fc508d7878307badde8f89b632ba3 Mon Sep 17 00:00:00 2001
+From: Anju T Sudhakar <anju@linux.vnet.ibm.com>
+Date: Wed, 16 May 2018 12:05:18 +0530
+Subject: powerpc/perf: Fix memory allocation for core-imc based on num_possible_cpus()
+
+From: Anju T Sudhakar <anju@linux.vnet.ibm.com>
+
+commit d2032678e57fc508d7878307badde8f89b632ba3 upstream.
+
+Currently memory is allocated for core-imc based on cpu_present_mask,
+which has bit 'cpu' set iff cpu is populated. We use (cpu number / threads
+per core) as the array index to access the memory.
+
+Under some circumstances firmware marks a CPU as GUARDed CPU and boot the
+system, until cleared of errors, these CPU's are unavailable for all
+subsequent boots. GUARDed CPUs are possible but not present from linux
+view, so it blows a hole when we assume the max length of our allocation
+is driven by our max present cpus, where as one of the cpus might be online
+and be beyond the max present cpus, due to the hole.
+So (cpu number / threads per core) value bounds the array index and leads
+to memory overflow.
+
+Call trace observed during a guard test:
+
+Faulting instruction address: 0xc000000000149f1c
+cpu 0x69: Vector: 380 (Data Access Out of Range) at [c000003fea303420]
+    pc:c000000000149f1c: prefetch_freepointer+0x14/0x30
+    lr:c00000000014e0f8: __kmalloc+0x1a8/0x1ac
+    sp:c000003fea3036a0
+   msr:9000000000009033
+   dar:c9c54b2c91dbf6b7
+  current = 0xc000003fea2c0000
+  paca    = 0xc00000000fddd880  softe: 3        irq_happened: 0x01
+    pid   = 1, comm = swapper/104
+Linux version 4.16.7-openpower1 (smc@smc-desktop) (gcc version 6.4.0
+(Buildroot 2018.02.1-00006-ga8d1126)) #2 SMP Fri May 4 16:44:54 PDT 2018
+enter ? for help
+call trace:
+        __kmalloc+0x1a8/0x1ac
+        (unreliable)
+        init_imc_pmu+0x7f4/0xbf0
+        opal_imc_counters_probe+0x3fc/0x43c
+        platform_drv_probe+0x48/0x80
+        driver_probe_device+0x22c/0x308
+        __driver_attach+0xa0/0xd8
+        bus_for_each_dev+0x88/0xb4
+        driver_attach+0x2c/0x40
+        bus_add_driver+0x1e8/0x228
+        driver_register+0xd0/0x114
+        __platform_driver_register+0x50/0x64
+        opal_imc_driver_init+0x24/0x38
+        do_one_initcall+0x150/0x15c
+        kernel_init_freeable+0x250/0x254
+        kernel_init+0x1c/0x150
+        ret_from_kernel_thread+0x5c/0xc8
+
+Allocating memory for core-imc based on cpu_possible_mask, which has
+bit 'cpu' set iff cpu is populatable, will fix this issue.
+
+Reported-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com>
+Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
+Reviewed-by: Balbir Singh <bsingharora@gmail.com>
+Tested-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com>
+Fixes: 39a846db1d57 ("powerpc/perf: Add core IMC PMU support")
+Cc: stable@vger.kernel.org # v4.14+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/perf/imc-pmu.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/perf/imc-pmu.c
++++ b/arch/powerpc/perf/imc-pmu.c
+@@ -1131,7 +1131,7 @@ static int init_nest_pmu_ref(void)
+ static void cleanup_all_core_imc_memory(void)
+ {
+-      int i, nr_cores = DIV_ROUND_UP(num_present_cpus(), threads_per_core);
++      int i, nr_cores = DIV_ROUND_UP(num_possible_cpus(), threads_per_core);
+       struct imc_mem_info *ptr = core_imc_pmu->mem_info;
+       int size = core_imc_pmu->counter_mem_size;
+@@ -1239,7 +1239,7 @@ static int imc_mem_init(struct imc_pmu *
+               if (!pmu_ptr->pmu.name)
+                       return -ENOMEM;
+-              nr_cores = DIV_ROUND_UP(num_present_cpus(), threads_per_core);
++              nr_cores = DIV_ROUND_UP(num_possible_cpus(), threads_per_core);
+               pmu_ptr->mem_info = kcalloc(nr_cores, sizeof(struct imc_mem_info),
+                                                               GFP_KERNEL);
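Review bot: `DIV_ROUND_UP(num_possible_cpus(), threads_per_core)` sizes the array by a count of possible CPUs, but the commit message says the array is indexed by cpu number / threads per core, so the bound that matters is the highest CPU id rather than a count. If cpu_possible_mask can ever be sparse on this platform the same out-of-bounds index remains; `nr_cores = DIV_ROUND_UP(nr_cpu_ids, threads_per_core);` would be safe in either case. The expression is now duplicated in cleanup_all_core_imc_memory() and imc_mem_init(), and the two must agree for the free path to walk the same entries as the allocation, so a small shared helper would be worth adding. Both function bodies extend beyond the hunks.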
diff --git a/queue-4.14/powerpc-powernv-copy-paste-mask-so-bit-in-cr.patch b/queue-4.14/powerpc-powernv-copy-paste-mask-so-bit-in-cr.patch
new file mode 100644 (file)
index 0000000..cdfd730
--- /dev/null
@@ -0,0 +1,34 @@
+From 75743649064ec0cf5ddd69f240ef23af66dde16e Mon Sep 17 00:00:00 2001
+From: Haren Myneni <haren@us.ibm.com>
+Date: Mon, 4 Jun 2018 18:33:38 +1000
+Subject: powerpc/powernv: copy/paste - Mask SO bit in CR
+
+From: Haren Myneni <haren@us.ibm.com>
+
+commit 75743649064ec0cf5ddd69f240ef23af66dde16e upstream.
+
+NX can set the 3rd bit in CR register for XER[SO] (Summary overflow)
+which is not related to paste request. The current paste function
+returns failure for a successful request when this bit is set. So mask
+this bit and check the proper return status.
+
+Fixes: 2392c8c8c045 ("powerpc/powernv/vas: Define copy/paste interfaces")
+Cc: stable@vger.kernel.org # v4.14+
+Signed-off-by: Haren Myneni <haren@us.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/copy-paste.h |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/copy-paste.h
++++ b/arch/powerpc/platforms/powernv/copy-paste.h
+@@ -42,5 +42,6 @@ static inline int vas_paste(void *paste_
+               : "b" (offset), "b" (paste_address)
+               : "memory", "cr0");
+-      return (cr >> CR0_SHIFT) & CR0_MASK;
++      /* We mask with 0xE to ignore SO */
++      return (cr >> CR0_SHIFT) & 0xE;
+ }
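Review bot: The new return statement replaces the named `CR0_MASK` with the literal `0xE`, which leaves a magic number in the code and possibly an unused macro (its definition is outside the hunk). I would give the value a name next to the existing one, for example `#define CR0_MASK_NO_SO 0xE` (the name is only a suggestion), and return `(cr >> CR0_SHIFT) & CR0_MASK_NO_SO`. The comment could also say why SO is ignored: per the commit message it reflects XER[SO] and is unrelated to the paste request. The start of vas_paste() is outside the hunk.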
diff --git a/queue-4.14/powerpc-powernv-cpuidle-init-all-present-cpus-for-deep-states.patch b/queue-4.14/powerpc-powernv-cpuidle-init-all-present-cpus-for-deep-states.patch
new file mode 100644 (file)
index 0000000..f34c095
--- /dev/null
@@ -0,0 +1,48 @@
+From ac9816dcbab53c57bcf1d7b15370b08f1e284318 Mon Sep 17 00:00:00 2001
+From: Akshay Adiga <akshay.adiga@linux.vnet.ibm.com>
+Date: Wed, 16 May 2018 17:32:14 +0530
+Subject: powerpc/powernv/cpuidle: Init all present cpus for deep states
+
+From: Akshay Adiga <akshay.adiga@linux.vnet.ibm.com>
+
+commit ac9816dcbab53c57bcf1d7b15370b08f1e284318 upstream.
+
+Init all present cpus for deep states instead of "all possible" cpus.
+Init fails if a possible cpu is guarded. Resulting in making only
+non-deep states available for cpuidle/hotplug.
+
+Stewart says, this means that for single threaded workloads, if you
+guard out a CPU core you'll not get WoF (Workload Optimised
+Frequency), which means that performance goes down when you wouldn't
+expect it to.
+
+Fixes: 77b54e9f213f ("powernv/powerpc: Add winkle support for offline cpus")
+Cc: stable@vger.kernel.org # v3.19+
+Signed-off-by: Akshay Adiga <akshay.adiga@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/idle.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/idle.c
++++ b/arch/powerpc/platforms/powernv/idle.c
+@@ -78,7 +78,7 @@ static int pnv_save_sprs_for_deep_states
+       uint64_t msr_val = MSR_IDLE;
+       uint64_t psscr_val = pnv_deepest_stop_psscr_val;
+-      for_each_possible_cpu(cpu) {
++      for_each_present_cpu(cpu) {
+               uint64_t pir = get_hard_smp_processor_id(cpu);
+               uint64_t hsprg0_val = (uint64_t)&paca[cpu];
+@@ -741,7 +741,7 @@ static int __init pnv_init_idle_states(v
+               int cpu;
+               pr_info("powernv: idle: Saving PACA pointers of all CPUs in their thread sibling PACA\n");
+-              for_each_possible_cpu(cpu) {
++              for_each_present_cpu(cpu) {
+                       int base_cpu = cpu_first_thread_sibling(cpu);
+                       int idx = cpu_thread_in_core(cpu);
+                       int i;
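Review bot: After the switch to `for_each_present_cpu()` the `pr_info` text in the second hunk still says `Saving PACA pointers of all CPUs`, which no longer describes what the loop does. More importantly, CPUs that are possible but not present at init are now skipped in both loops, and nothing visible here sets up their saved SPRs or sibling PACA pointers should they become present later. A comment stating that assumption would help, e.g. `/* Only present CPUs: init fails for guarded (possible but not present) CPUs */`. Both loops continue outside the hunks.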
diff --git a/queue-4.14/powerpc-powernv-ioda2-remove-redundant-free-of-tce-pages.patch b/queue-4.14/powerpc-powernv-ioda2-remove-redundant-free-of-tce-pages.patch
new file mode 100644 (file)
index 0000000..e3e8469
--- /dev/null
@@ -0,0 +1,45 @@
+From 98fd72fe82527fd26618062b60cfd329451f2329 Mon Sep 17 00:00:00 2001
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Date: Wed, 30 May 2018 19:22:50 +1000
+Subject: powerpc/powernv/ioda2: Remove redundant free of TCE pages
+
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+
+commit 98fd72fe82527fd26618062b60cfd329451f2329 upstream.
+
+When IODA2 creates a PE, it creates an IOMMU table with it_ops::free
+set to pnv_ioda2_table_free() which calls pnv_pci_ioda2_table_free_pages().
+
+Since iommu_tce_table_put() calls it_ops::free when the last reference
+to the table is released, explicit call to pnv_pci_ioda2_table_free_pages()
+is not needed so let's remove it.
+
+This should fix double free in the case of PCI hotuplug as
+pnv_pci_ioda2_table_free_pages() does not reset neither
+iommu_table::it_base nor ::it_size.
+
+This was not exposed by SRIOV as it uses different code path via
+pnv_pcibios_sriov_disable().
+
+IODA1 does not inialize it_ops::free so it does not have this issue.
+
+Fixes: c5f7700bbd2e ("powerpc/powernv: Dynamically release PE")
+Cc: stable@vger.kernel.org # v4.8+
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/pci-ioda.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/pci-ioda.c
++++ b/arch/powerpc/platforms/powernv/pci-ioda.c
+@@ -3591,7 +3591,6 @@ static void pnv_pci_ioda2_release_pe_dma
+               WARN_ON(pe->table_group.group);
+       }
+-      pnv_pci_ioda2_table_free_pages(tbl);
+       iommu_tce_table_put(tbl);
+ }
diff --git a/queue-4.14/powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch b/queue-4.14/powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch
new file mode 100644 (file)
index 0000000..e46d3b0
--- /dev/null
@@ -0,0 +1,41 @@
+From cd6ef7eebf171bfcba7dc2df719c2a4958775040 Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Thu, 17 May 2018 15:37:14 +1000
+Subject: powerpc/ptrace: Fix enforcement of DAWR constraints
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit cd6ef7eebf171bfcba7dc2df719c2a4958775040 upstream.
+
+Back when we first introduced the DAWR, in commit 4ae7ebe9522a
+("powerpc: Change hardware breakpoint to allow longer ranges"), we
+screwed up the constraint making it a 1024 byte boundary rather than a
+512. This makes the check overly permissive. Fortunately GDB is the
+only real user and it always did they right thing, so we never
+noticed.
+
+This fixes the constraint to 512 bytes.
+
+Fixes: 4ae7ebe9522a ("powerpc: Change hardware breakpoint to allow longer ranges")
+Cc: stable@vger.kernel.org # v3.9+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/hw_breakpoint.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/hw_breakpoint.c
++++ b/arch/powerpc/kernel/hw_breakpoint.c
+@@ -175,8 +175,8 @@ int arch_validate_hwbkpt_settings(struct
+       if (cpu_has_feature(CPU_FTR_DAWR)) {
+               length_max = 512 ; /* 64 doublewords */
+               /* DAWR region can't cross 512 boundary */
+-              if ((bp->attr.bp_addr >> 10) != 
+-                  ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 10))
++              if ((bp->attr.bp_addr >> 9) !=
++                  ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 9))
+                       return -EINVAL;
+       }
+       if (info->len >
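Review bot: The boundary test in the `CPU_FTR_DAWR` branch misbehaves when `bp_len` is 0: `bp_addr + bp_len - 1` is then `bp_addr - 1`, which for a 512-byte aligned address lies in the previous block, so the request is rejected with -EINVAL. The ptrace_set_debugreg patch in this same queue sets `attr.bp_len = 8` for one caller, but whether other callers can still pass a zero length is not visible here. I would document the precondition above the test, e.g. `/* bp_len must be non-zero, else addr + len - 1 falls into the previous 512-byte block */`, and derive the shift from a named constant instead of repeating a bare 9 next to `length_max = 512`. arch_validate_hwbkpt_settings() begins before and continues after this hunk.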
diff --git a/queue-4.14/powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch b/queue-4.14/powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch
new file mode 100644 (file)
index 0000000..e298f71
--- /dev/null
@@ -0,0 +1,42 @@
+From 4f7c06e26ec9cf7fe9f0c54dc90079b6a4f4b2c3 Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Thu, 17 May 2018 15:37:15 +1000
+Subject: powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit 4f7c06e26ec9cf7fe9f0c54dc90079b6a4f4b2c3 upstream.
+
+In commit e2a800beaca1 ("powerpc/hw_brk: Fix off by one error when
+validating DAWR region end") we fixed setting the DAWR end point to
+its max value via PPC_PTRACE_SETHWDEBUG. Unfortunately we broke
+PTRACE_SET_DEBUGREG when setting a 512 byte aligned breakpoint.
+
+PTRACE_SET_DEBUGREG currently sets the length of the breakpoint to
+zero (memset() in hw_breakpoint_init()). This worked with
+arch_validate_hwbkpt_settings() before the above patch was applied but
+is now broken if the breakpoint is 512byte aligned.
+
+This sets the length of the breakpoint to 8 bytes when using
+PTRACE_SET_DEBUGREG.
+
+Fixes: e2a800beaca1 ("powerpc/hw_brk: Fix off by one error when validating DAWR region end")
+Cc: stable@vger.kernel.org # v3.11+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/ptrace.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/kernel/ptrace.c
++++ b/arch/powerpc/kernel/ptrace.c
+@@ -2362,6 +2362,7 @@ static int ptrace_set_debugreg(struct ta
+       /* Create a new breakpoint request if one doesn't exist already */
+       hw_breakpoint_init(&attr);
+       attr.bp_addr = hw_brk.address;
++      attr.bp_len = 8;
+       arch_bp_generic_fields(hw_brk.type,
+                              &attr.bp_type);
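Review bot: The added `attr.bp_len = 8;` is an unexplained literal; the generic hw_breakpoint UAPI enum has `HW_BREAKPOINT_LEN_8` for this, so `attr.bp_len = HW_BREAKPOINT_LEN_8;` would read better, assuming that header is already included in ptrace.c (not visible here). A short comment would also help the next reader: `/* hw_breakpoint_init() leaves bp_len at 0, which fails validation for 512-byte aligned addresses */`. ptrace_set_debugreg() extends beyond this hunk on both sides.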
diff --git a/queue-4.14/printk-fix-possible-reuse-of-va_list-variable.patch b/queue-4.14/printk-fix-possible-reuse-of-va_list-variable.patch
new file mode 100644 (file)
index 0000000..c742029
--- /dev/null
@@ -0,0 +1,52 @@
+From 988a35f8da1dec5a8cd2788054d1e717be61bf25 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 11 May 2018 19:54:19 +0900
+Subject: printk: fix possible reuse of va_list variable
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 988a35f8da1dec5a8cd2788054d1e717be61bf25 upstream.
+
+I noticed that there is a possibility that printk_safe_log_store() causes
+kernel oops because "args" parameter is passed to vsnprintf() again when
+atomic_cmpxchg() detected that we raced. Fix this by using va_copy().
+
+Link: http://lkml.kernel.org/r/201805112002.GIF21216.OFVHFOMLJtQFSO@I-love.SAKURA.ne.jp
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: dvyukov@google.com
+Cc: syzkaller@googlegroups.com
+Cc: fengguang.wu@intel.com
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Fixes: 42a0bb3f71383b45 ("printk/nmi: generic solution for safe printk in NMI")
+Cc: 4.7+ <stable@vger.kernel.org> # v4.7+
+Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/printk/printk_safe.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/printk/printk_safe.c
++++ b/kernel/printk/printk_safe.c
+@@ -85,6 +85,7 @@ static __printf(2, 0) int printk_safe_lo
+ {
+       int add;
+       size_t len;
++      va_list ap;
+ again:
+       len = atomic_read(&s->len);
+@@ -103,7 +104,9 @@ again:
+       if (!len)
+               smp_rmb();
+-      add = vscnprintf(s->buffer + len, sizeof(s->buffer) - len, fmt, args);
++      va_copy(ap, args);
++      add = vscnprintf(s->buffer + len, sizeof(s->buffer) - len, fmt, ap);
++      va_end(ap);
+       if (!add)
+               return 0;
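Review bot: The new `va_copy()`/`va_end()` pair carries no comment saying why `args` must not be handed to `vscnprintf()` directly, and the reason is easy to lose in a later cleanup. I would add above it `/* vscnprintf() may consume args; format from a copy so a retry via "again" starts from the beginning */`. The jump back to `again` is outside the lines shown, so this rests on the visible label and the commit description. The function continues past the hunk.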
diff --git a/queue-4.14/rdma-mlx4-discard-unknown-sqp-work-requests.patch b/queue-4.14/rdma-mlx4-discard-unknown-sqp-work-requests.patch
new file mode 100644 (file)
index 0000000..4a2c83f
--- /dev/null
@@ -0,0 +1,32 @@
+From 6b1ca7ece15e94251d1d0d919f813943e4a58059 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Tue, 29 May 2018 14:56:14 +0300
+Subject: RDMA/mlx4: Discard unknown SQP work requests
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit 6b1ca7ece15e94251d1d0d919f813943e4a58059 upstream.
+
+There is no need to crash the machine if unknown work request was
+received in SQP MAD.
+
+Cc: <stable@vger.kernel.org> # 3.6
+Fixes: 37bfc7c1e83f ("IB/mlx4: SR-IOV multiplex and demultiplex MADs")
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx4/mad.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx4/mad.c
++++ b/drivers/infiniband/hw/mlx4/mad.c
+@@ -1934,7 +1934,6 @@ static void mlx4_ib_sqp_comp_worker(stru
+                                              "buf:%lld\n", wc.wr_id);
+                               break;
+                       default:
+-                              BUG_ON(1);
+                               break;
+                       }
+               } else  {
index e70186412533b8d88eeb29aed700a88bc2b3fddc..b55c65cb3f9a13121b18796fc0c3791c350da0bb 100644 (file)
@@ -23,3 +23,60 @@ clk-renesas-cpg-mssr-stop-using-printk-format-pcr.patch
 lib-vsprintf-remove-atomic-unsafe-support-for-pcr.patch
 ftrace-selftest-have-the-reset_trigger-code-be-a-bit-more-careful.patch
 mips-ftrace-fix-static-function-graph-tracing.patch
+branch-check-fix-long-int-truncation-when-profiling-branches.patch
+ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch
+bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch
+printk-fix-possible-reuse-of-va_list-variable.patch
+fuse-fix-congested-state-leak-on-aborted-connections.patch
+fuse-atomic_o_trunc-should-truncate-pagecache.patch
+fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch
+fuse-fix-control-dir-setup-and-teardown.patch
+powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch
+powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch
+powerpc-perf-fix-memory-allocation-for-core-imc-based-on-num_possible_cpus.patch
+powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch
+powerpc-powernv-ioda2-remove-redundant-free-of-tce-pages.patch
+powerpc-powernv-copy-paste-mask-so-bit-in-cr.patch
+powerpc-powernv-cpuidle-init-all-present-cpus-for-deep-states.patch
+cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch
+powerpc-fadump-unregister-fadump-on-kexec-down-path.patch
+soc-rockchip-power-domain-fix-wrong-value-when-power-up-pd-with-writemask.patch
+cxl-disable-prefault_mode-in-radix-mode.patch
+arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch
+arm-dts-fix-spi-node-for-arria10.patch
+arm-dts-socfpga-fix-nand-controller-node-compatible.patch
+arm-dts-socfpga-fix-nand-controller-clock-supply.patch
+arm-dts-socfpga-fix-nand-controller-node-compatible-for-arria10.patch
+arm64-fix-syscall-restarting-around-signal-suppressed-by-tracer.patch
+arm64-kpti-use-early_param-for-kpti-command-line-option.patch
+arm64-mm-ensure-writes-to-swapper-are-ordered-wrt-subsequent-cache-maintenance.patch
+arm64-dts-meson-disable-sd-uhs-modes-on-the-libretech-cc.patch
+of-overlay-validate-offset-from-property-fixups.patch
+of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch
+of-platform-stop-accessing-invalid-dev-in-of_platform_device_destroy.patch
+tpm-fix-use-after-free-in-tpm2_load_context.patch
+tpm-fix-race-condition-in-tpm_common_write.patch
+ib-qib-fix-dma-api-warning-with-debug-kernel.patch
+ib-hfi1-qib-add-handling-of-kernel-restart.patch
+ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch
+ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch
+ib-mlx5-fetch-soft-wqe-s-on-fatal-error-state.patch
+ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch
+ib-isert-fix-t10-pi-check-mask-setting.patch
+ib-hfi1-fix-fault-injection-init-exit-issues.patch
+ib-hfi1-reorder-incorrect-send-context-disable.patch
+ib-hfi1-optimize-kthread-pointer-locking-when-queuing-cq-entries.patch
+ib-hfi1-fix-user-context-tail-allocation-for-dma_rtail.patch
+rdma-mlx4-discard-unknown-sqp-work-requests.patch
+xprtrdma-return-enobufs-when-no-pages-are-available.patch
+mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch
+mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch
+mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch
+mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch
+mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch
+mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch
+mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch
+pci-hv-make-sure-the-bus-domain-is-really-unique.patch
+pci-add-acs-quirk-for-intel-7th-8th-gen-mobile.patch
+pci-add-acs-quirk-for-intel-300-series.patch
+pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch
diff --git a/queue-4.14/soc-rockchip-power-domain-fix-wrong-value-when-power-up-pd-with-writemask.patch b/queue-4.14/soc-rockchip-power-domain-fix-wrong-value-when-power-up-pd-with-writemask.patch
new file mode 100644 (file)
index 0000000..7a33ea8
--- /dev/null
@@ -0,0 +1,37 @@
+From 9e59c5f66c624b43c766a9fe3b2430e0e976bf0e Mon Sep 17 00:00:00 2001
+From: Finley Xiao <finley.xiao@rock-chips.com>
+Date: Mon, 14 May 2018 11:29:38 +0800
+Subject: soc: rockchip: power-domain: Fix wrong value when power up pd with writemask
+
+From: Finley Xiao <finley.xiao@rock-chips.com>
+
+commit 9e59c5f66c624b43c766a9fe3b2430e0e976bf0e upstream.
+
+Solve the pd could only ever turn off but never turn them on again,
+if the pd registers have the writemask bits.
+
+So far this affects the rk3328 only.
+
+Fixes: 79bb17ce8edb ("soc: rockchip: power-domain: Support domain control in hiword-registers")
+Cc: stable@vger.kernel.org
+Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
+Signed-off-by: Elaine Zhang <zhangqing@rock-chips.com>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/soc/rockchip/pm_domains.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/rockchip/pm_domains.c
++++ b/drivers/soc/rockchip/pm_domains.c
+@@ -255,7 +255,7 @@ static void rockchip_do_pmu_set_power_do
+               return;
+       else if (pd->info->pwr_w_mask)
+               regmap_write(pmu->regmap, pmu->info->pwr_offset,
+-                           on ? pd->info->pwr_mask :
++                           on ? pd->info->pwr_w_mask :
+                            (pd->info->pwr_mask | pd->info->pwr_w_mask));
+       else
+               regmap_update_bits(pmu->regmap, pmu->info->pwr_offset,
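Review bot: The value expression in the `pwr_w_mask` branch cannot be checked without knowing the register layout, and nothing at the call site states it. From the two arms, writing `pwr_w_mask` alone powers the domain on and `pwr_mask | pwr_w_mask` powers it off, so a comment such as `/* hiword-mask register: pwr_w_mask enables the write, pwr_mask set means powered off */` would make the intent verifiable; the polarity is inferred from this hunk only and should be confirmed against the SoC documentation. The function starts before and ends after the hunk.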
diff --git a/queue-4.14/tpm-fix-race-condition-in-tpm_common_write.patch b/queue-4.14/tpm-fix-race-condition-in-tpm_common_write.patch
new file mode 100644 (file)
index 0000000..a25574e
--- /dev/null
@@ -0,0 +1,139 @@
+From 3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df Mon Sep 17 00:00:00 2001
+From: Tadeusz Struk <tadeusz.struk@intel.com>
+Date: Tue, 22 May 2018 14:37:18 -0700
+Subject: tpm: fix race condition in tpm_common_write()
+
+From: Tadeusz Struk <tadeusz.struk@intel.com>
+
+commit 3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df upstream.
+
+There is a race condition in tpm_common_write function allowing
+two threads on the same /dev/tpm<N>, or two different applications
+on the same /dev/tpmrm<N> to overwrite each other commands/responses.
+Fixed this by taking the priv->buffer_mutex early in the function.
+
+Also converted the priv->data_pending from atomic to a regular size_t
+type. There is no need for it to be atomic since it is only touched
+under the protection of the priv->buffer_mutex.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm-dev-common.c |   40 +++++++++++++++++---------------------
+ drivers/char/tpm/tpm-dev.h        |    2 -
+ 2 files changed, 19 insertions(+), 23 deletions(-)
+
+--- a/drivers/char/tpm/tpm-dev-common.c
++++ b/drivers/char/tpm/tpm-dev-common.c
+@@ -37,7 +37,7 @@ static void timeout_work(struct work_str
+       struct file_priv *priv = container_of(work, struct file_priv, work);
+       mutex_lock(&priv->buffer_mutex);
+-      atomic_set(&priv->data_pending, 0);
++      priv->data_pending = 0;
+       memset(priv->data_buffer, 0, sizeof(priv->data_buffer));
+       mutex_unlock(&priv->buffer_mutex);
+ }
+@@ -46,7 +46,6 @@ void tpm_common_open(struct file *file,
+                    struct file_priv *priv)
+ {
+       priv->chip = chip;
+-      atomic_set(&priv->data_pending, 0);
+       mutex_init(&priv->buffer_mutex);
+       setup_timer(&priv->user_read_timer, user_reader_timeout,
+                       (unsigned long)priv);
+@@ -59,29 +58,24 @@ ssize_t tpm_common_read(struct file *fil
+                       size_t size, loff_t *off)
+ {
+       struct file_priv *priv = file->private_data;
+-      ssize_t ret_size;
+-      ssize_t orig_ret_size;
++      ssize_t ret_size = 0;
+       int rc;
+       del_singleshot_timer_sync(&priv->user_read_timer);
+       flush_work(&priv->work);
+-      ret_size = atomic_read(&priv->data_pending);
+-      if (ret_size > 0) {     /* relay data */
+-              orig_ret_size = ret_size;
+-              if (size < ret_size)
+-                      ret_size = size;
++      mutex_lock(&priv->buffer_mutex);
+-              mutex_lock(&priv->buffer_mutex);
++      if (priv->data_pending) {
++              ret_size = min_t(ssize_t, size, priv->data_pending);
+               rc = copy_to_user(buf, priv->data_buffer, ret_size);
+-              memset(priv->data_buffer, 0, orig_ret_size);
++              memset(priv->data_buffer, 0, priv->data_pending);
+               if (rc)
+                       ret_size = -EFAULT;
+-              mutex_unlock(&priv->buffer_mutex);
++              priv->data_pending = 0;
+       }
+-      atomic_set(&priv->data_pending, 0);
+-
++      mutex_unlock(&priv->buffer_mutex);
+       return ret_size;
+ }
+@@ -92,17 +86,19 @@ ssize_t tpm_common_write(struct file *fi
+       size_t in_size = size;
+       ssize_t out_size;
++      if (in_size > TPM_BUFSIZE)
++              return -E2BIG;
++
++      mutex_lock(&priv->buffer_mutex);
++
+       /* Cannot perform a write until the read has cleared either via
+        * tpm_read or a user_read_timer timeout. This also prevents split
+        * buffered writes from blocking here.
+        */
+-      if (atomic_read(&priv->data_pending) != 0)
++      if (priv->data_pending != 0) {
++              mutex_unlock(&priv->buffer_mutex);
+               return -EBUSY;
+-
+-      if (in_size > TPM_BUFSIZE)
+-              return -E2BIG;
+-
+-      mutex_lock(&priv->buffer_mutex);
++      }
+       if (copy_from_user
+           (priv->data_buffer, (void __user *) buf, in_size)) {
+@@ -133,7 +129,7 @@ ssize_t tpm_common_write(struct file *fi
+               return out_size;
+       }
+-      atomic_set(&priv->data_pending, out_size);
++      priv->data_pending = out_size;
+       mutex_unlock(&priv->buffer_mutex);
+       /* Set a timeout by which the reader must come claim the result */
+@@ -150,5 +146,5 @@ void tpm_common_release(struct file *fil
+       del_singleshot_timer_sync(&priv->user_read_timer);
+       flush_work(&priv->work);
+       file->private_data = NULL;
+-      atomic_set(&priv->data_pending, 0);
++      priv->data_pending = 0;
+ }
+--- a/drivers/char/tpm/tpm-dev.h
++++ b/drivers/char/tpm/tpm-dev.h
+@@ -8,7 +8,7 @@ struct file_priv {
+       struct tpm_chip *chip;
+       /* Data passed to and from the tpm via the read/write calls */
+-      atomic_t data_pending;
++      size_t data_pending;
+       struct mutex buffer_mutex;
+       struct timer_list user_read_timer;      /* user needs to claim result */
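Review bot: tpm_common_open() no longer initialises `data_pending`, so the first tpm_common_read() now depends on the caller having zero-allocated `struct file_priv`; that allocation is not visible in this patch. If `priv` were not zeroed, `priv->data_pending` would hold garbage and would be used as the length for `copy_to_user()` and `memset()` over `data_buffer`. Keeping `priv->data_pending = 0;` in tpm_common_open() costs nothing and makes the invariant local. Separately, tpm_common_release() writes `priv->data_pending = 0;` without `buffer_mutex`, which contradicts the description's statement that the field is only touched under the mutex; either take the lock there or add a comment that no other user of `priv` can exist at release time. Several of these functions extend beyond the hunks shown.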
diff --git a/queue-4.14/tpm-fix-use-after-free-in-tpm2_load_context.patch b/queue-4.14/tpm-fix-use-after-free-in-tpm2_load_context.patch
new file mode 100644 (file)
index 0000000..eca2541
--- /dev/null
@@ -0,0 +1,36 @@
+From 8c81c24758ffbf17cf06c6835d361ffa57be2f0e Mon Sep 17 00:00:00 2001
+From: Tadeusz Struk <tadeusz.struk@intel.com>
+Date: Wed, 9 May 2018 11:55:35 -0700
+Subject: tpm: fix use after free in tpm2_load_context()
+
+From: Tadeusz Struk <tadeusz.struk@intel.com>
+
+commit 8c81c24758ffbf17cf06c6835d361ffa57be2f0e upstream.
+
+If load context command returns with TPM2_RC_HANDLE or TPM2_RC_REFERENCE_H0
+then we have use after free in line 114 and double free in 117.
+
+Fixes: 4d57856a21ed2 ("tpm2: add session handle context saving and restoring to the space code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off--by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm2-space.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm2-space.c
++++ b/drivers/char/tpm/tpm2-space.c
+@@ -102,8 +102,9 @@ static int tpm2_load_context(struct tpm_
+                * TPM_RC_REFERENCE_H0 means the session has been
+                * flushed outside the space
+                */
+-              rc = -ENOENT;
++              *handle = 0;
+               tpm_buf_destroy(&tbuf);
++              return -ENOENT;
+       } else if (rc > 0) {
+               dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n",
+                        __func__, rc);
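Review bot: The fix leaves `tpm_buf_destroy(&tbuf)` called by hand on an individual exit path, which is the structure that allowed the buffer to be used and destroyed again after this branch. A single cleanup label that destroys `tbuf` exactly once, with each branch only choosing the return value, would rule out a second destroy by construction; the remainder of tpm2_load_context() is outside this hunk, so the exact shape has to be checked against the full function. The new `*handle = 0;` also deserves a one-line comment stating what a zero handle means to the caller, since the existing comment only explains the TPM return codes.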
diff --git a/queue-4.14/xprtrdma-return-enobufs-when-no-pages-are-available.patch b/queue-4.14/xprtrdma-return-enobufs-when-no-pages-are-available.patch
new file mode 100644 (file)
index 0000000..531085c
--- /dev/null
@@ -0,0 +1,35 @@
+From a8f688ec437dc2045cc8f0c89fe877d5803850da Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Fri, 4 May 2018 15:35:46 -0400
+Subject: xprtrdma: Return -ENOBUFS when no pages are available
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit a8f688ec437dc2045cc8f0c89fe877d5803850da upstream.
+
+The use of -EAGAIN in rpcrdma_convert_iovs() is a latent bug: the
+transport never calls xprt_write_space() when more pages become
+available. -ENOBUFS will trigger the correct "delay briefly and call
+again" logic.
+
+Fixes: 7a89f9c626e3 ("xprtrdma: Honor ->send_request API contract")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Cc: stable@vger.kernel.org # 4.8+
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/xprtrdma/rpc_rdma.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/xprtrdma/rpc_rdma.c
++++ b/net/sunrpc/xprtrdma/rpc_rdma.c
+@@ -229,7 +229,7 @@ rpcrdma_convert_iovs(struct rpcrdma_xprt
+                        */
+                       *ppages = alloc_page(GFP_ATOMIC);
+                       if (!*ppages)
+-                              return -EAGAIN;
++                              return -ENOBUFS;
+               }
+               seg->mr_page = *ppages;
+               seg->mr_offset = (char *)page_base;
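Review bot: The changed return value carries a contract that is explained only in the commit description, not in the code. A comment at the `return -ENOBUFS;` line, e.g. `/* -ENOBUFS makes the caller delay and retry; -EAGAIN would wait for an xprt_write_space() call that never comes */`, would keep someone from switching it back. rpcrdma_convert_iovs() starts before and ends after this hunk.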