--- /dev/null
+From d1f0301b3333eef5efbfa1fe0f0edbea01863d5d Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri, 3 Aug 2018 14:44:59 +0200
+Subject: genirq: Make force irq threading setup more robust
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit d1f0301b3333eef5efbfa1fe0f0edbea01863d5d upstream.
+
+The support of force threading interrupts which are set up with both a
+primary and a threaded handler wreckaged the setup of regular requested
+threaded interrupts (primary handler == NULL).
+
+The reason is that it does not check whether the primary handler is set to
+the default handler which wakes the handler thread. Instead it replaces the
+thread handler with the primary handler as it would do with force threaded
+interrupts which have been requested via request_irq(). So both the primary
+and the thread handler become the same which then triggers the warnon that
+the thread handler tries to wakeup a not configured secondary thread.
+
+Fortunately this only happens when the driver omits the IRQF_ONESHOT flag
+when requesting the threaded interrupt, which is normaly caught by the
+sanity checks when force irq threading is disabled.
+
+Fix it by skipping the force threading setup when a regular threaded
+interrupt is requested. As a consequence the interrupt request which lacks
+the IRQ_ONESHOT flag is rejected correctly instead of silently wreckaging
+it.
+
+Fixes: 2a1d3ab8986d ("genirq: Handle force threading of irqs with primary and thread handler")
+Reported-by: Kurt Kanzenbach <kurt.kanzenbach@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Kurt Kanzenbach <kurt.kanzenbach@linutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/irq/manage.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -1067,6 +1067,13 @@ static int irq_setup_forced_threading(st
+ if (new->flags & (IRQF_NO_THREAD | IRQF_PERCPU | IRQF_ONESHOT))
+ return 0;
+
++ /*
++ * No further action required for interrupts which are requested as
++ * threaded interrupts already
++ */
++ if (new->handler == irq_default_primary_handler)
++ return 0;
++
+ new->flags |= IRQF_ONESHOT;
+
+ /*
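Review bot: The comment added above the `new->handler == irq_default_primary_handler` early return says only that no further action is required, which hides the consequence the commit message describes: a threaded request that lacks IRQF_ONESHOT now leaves this function without the flag being forced and is expected to be rejected by the later sanity check. I would extend the comment to say so, e.g. `/* Already threaded (primary == default handler): do not force IRQF_ONESHOT, so a request missing it is rejected by the sanity check instead of being silently rewritten. */`. The body of irq_setup_forced_threading starts and ends outside this hunk, so the sanity check itself is not visible here.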
+@@ -1074,7 +1081,7 @@ static int irq_setup_forced_threading(st
+ * thread handler. We force thread them as well by creating a
+ * secondary action.
+ */
+- if (new->handler != irq_default_primary_handler && new->thread_fn) {
++ if (new->handler && new->thread_fn) {
+ /* Allocate the secondary action */
+ new->secondary = kzalloc(sizeof(struct irqaction), GFP_KERNEL);
+ if (!new->secondary)
--- /dev/null
+From 961b33c244e5ba1543ae26270a1ba29f29c2db83 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 3 Aug 2018 12:52:58 -0700
+Subject: jfs: Fix usercopy whitelist for inline inode data
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 961b33c244e5ba1543ae26270a1ba29f29c2db83 upstream.
+
+Bart Massey reported what turned out to be a usercopy whitelist false
+positive in JFS when symlink contents exceeded 128 bytes. The inline
+inode data (i_inline) is actually designed to overflow into the "extended
+area" following it (i_inline_ea) when needed. So the whitelist needed to
+be expanded to include both i_inline and i_inline_ea (the whole size
+of which is calculated internally using IDATASIZE, 256, instead of
+sizeof(i_inline), 128).
+
+$ cd /mnt/jfs
+$ touch $(perl -e 'print "B" x 250')
+$ ln -s B* b
+$ ls -l >/dev/null
+
+[ 249.436410] Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'jfs_ip' (offset 616, size 250)!
+
+Reported-by: Bart Massey <bart.massey@gmail.com>
+Fixes: 8d2704d382a9 ("jfs: Define usercopy region in jfs_ip slab cache")
+Cc: Dave Kleikamp <shaggy@kernel.org>
+Cc: jfs-discussion@lists.sourceforge.net
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jfs/jfs_dinode.h | 7 +++++++
+ fs/jfs/jfs_incore.h | 1 +
+ fs/jfs/super.c | 3 +--
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/jfs/jfs_dinode.h
++++ b/fs/jfs/jfs_dinode.h
+@@ -115,6 +115,13 @@ struct dinode {
+ dxd_t _dxd; /* 16: */
+ union {
+ __le32 _rdev; /* 4: */
++ /*
++ * The fast symlink area
++ * is expected to overflow
++ * into _inlineea when
++ * needed (which will clear
++ * INLINEEA).
++ */
+ u8 _fastsymlink[128];
+ } _u;
+ u8 _inlineea[128];
+--- a/fs/jfs/jfs_incore.h
++++ b/fs/jfs/jfs_incore.h
+@@ -87,6 +87,7 @@ struct jfs_inode_info {
+ struct {
+ unchar _unused[16]; /* 16: */
+ dxd_t _dxd; /* 16: */
++ /* _inline may overflow into _inline_ea when needed */
+ unchar _inline[128]; /* 128: inline symlink */
+ /* _inline_ea may overlay the last part of
+ * file._xtroot if maxentry = XTROOTINITSLOT
+--- a/fs/jfs/super.c
++++ b/fs/jfs/super.c
+@@ -967,8 +967,7 @@ static int __init init_jfs_fs(void)
+ jfs_inode_cachep =
+ kmem_cache_create_usercopy("jfs_ip", sizeof(struct jfs_inode_info),
+ 0, SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_ACCOUNT,
+- offsetof(struct jfs_inode_info, i_inline),
+- sizeof_field(struct jfs_inode_info, i_inline),
++ offsetof(struct jfs_inode_info, i_inline), IDATASIZE,
+ init_once);
+ if (jfs_inode_cachep == NULL)
+ return -ENOMEM;
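Review bot: The usercopy whitelist length in the `kmem_cache_create_usercopy()` call is now the bare constant `IDATASIZE`, so nothing ties the user-copyable region to the layout of `struct jfs_inode_info` any more. If `i_inline` and `i_inline_ea` ever change size or stop being adjacent, the whitelist would silently cover whatever follows `i_inline` in the slab object. A compile-time check next to the call would pin the size assumption, e.g. `BUILD_BUG_ON(sizeof_field(struct jfs_inode_info, i_inline) + sizeof_field(struct jfs_inode_info, i_inline_ea) != IDATASIZE);`, assuming both fields are the 128-byte arrays the header hunks suggest; an `offsetof` comparison would cover adjacency as well. init_jfs_fs continues outside this hunk.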
--- /dev/null
+From 91874ecf32e41b5d86a4cb9d60e0bee50d828058 Mon Sep 17 00:00:00 2001
+From: Dmitry Safonov <dima@arista.com>
+Date: Sun, 5 Aug 2018 01:35:53 +0100
+Subject: netlink: Don't shift on 64 for ngroups
+
+From: Dmitry Safonov <dima@arista.com>
+
+commit 91874ecf32e41b5d86a4cb9d60e0bee50d828058 upstream.
+
+It's legal to have 64 groups for netlink_sock.
+
+As user-supplied nladdr->nl_groups is __u32, it's possible to subscribe
+only to first 32 groups.
+
+The check for correctness of .bind() userspace supplied parameter
+is done by applying mask made from ngroups shift. Which broke Android
+as they have 64 groups and the shift for mask resulted in an overflow.
+
+Fixes: 61f4b23769f0 ("netlink: Don't shift with UB on nlk->ngroups")
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: netdev@vger.kernel.org
+Cc: stable@vger.kernel.org
+Reported-and-Tested-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Dmitry Safonov <dima@arista.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netlink/af_netlink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1013,8 +1013,8 @@ static int netlink_bind(struct socket *s
+
+ if (nlk->ngroups == 0)
+ groups = 0;
+- else
+- groups &= (1ULL << nlk->ngroups) - 1;
++ else if (nlk->ngroups < 8*sizeof(groups))
++ groups &= (1UL << nlk->ngroups) - 1;
+
+ bound = nlk->bound;
+ if (bound) {
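Review bot: The new `else if (nlk->ngroups < 8*sizeof(groups))` branch leaves `groups` unmasked whenever ngroups is at least the bit width of `groups`, and nothing in the code says why that is safe for a value supplied by userspace through .bind(). Per the commit message the reason is that `nl_groups` is a __u32, so every bit userspace can set is then a valid group; a comment such as `/* ngroups >= width of groups: every settable bit is a valid group, no mask needed */` would keep a later reader from "fixing" the missing else. As a style point, `8*sizeof(groups)` would read more clearly as `BITS_PER_LONG` if `groups` is an unsigned long, which its declaration outside this hunk would confirm.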
--- /dev/null
+From 80d20d35af1edd632a5e7a3b9c0ab7ceff92769e Mon Sep 17 00:00:00 2001
+From: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Date: Tue, 31 Jul 2018 18:13:58 +0200
+Subject: nohz: Fix local_timer_softirq_pending()
+
+From: Anna-Maria Gleixner <anna-maria@linutronix.de>
+
+commit 80d20d35af1edd632a5e7a3b9c0ab7ceff92769e upstream.
+
+local_timer_softirq_pending() checks whether the timer softirq is
+pending with: local_softirq_pending() & TIMER_SOFTIRQ.
+
+This is wrong because TIMER_SOFTIRQ is the softirq number and not a
+bitmask. So the test checks for the wrong bit.
+
+Use BIT(TIMER_SOFTIRQ) instead.
+
+Fixes: 5d62c183f9e9 ("nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick()")
+Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Reviewed-by: Daniel Bristot de Oliveira <bristot@redhat.com>
+Acked-by: Frederic Weisbecker <frederic@kernel.org>
+Cc: bigeasy@linutronix.de
+Cc: peterz@infradead.org
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180731161358.29472-1-anna-maria@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/tick-sched.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/time/tick-sched.c
++++ b/kernel/time/tick-sched.c
+@@ -642,7 +642,7 @@ static void tick_nohz_restart(struct tic
+
+ static inline bool local_timer_softirq_pending(void)
+ {
+- return local_softirq_pending() & TIMER_SOFTIRQ;
++ return local_softirq_pending() & BIT(TIMER_SOFTIRQ);
+ }
+
+ static ktime_t tick_nohz_next_event(struct tick_sched *ts, int cpu)
--- /dev/null
+From 0a0e0829f990120cef165bbb804237f400953ec2 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <frederic@kernel.org>
+Date: Fri, 3 Aug 2018 15:31:34 +0200
+Subject: nohz: Fix missing tick reprogram when interrupting an inline softirq
+
+From: Frederic Weisbecker <frederic@kernel.org>
+
+commit 0a0e0829f990120cef165bbb804237f400953ec2 upstream.
+
+The full nohz tick is reprogrammed in irq_exit() only if the exit is not in
+a nesting interrupt. This stands as an optimization: whether a hardirq or a
+softirq is interrupted, the tick is going to be reprogrammed when necessary
+at the end of the inner interrupt, with even potential new updates on the
+timer queue.
+
+When soft interrupts are interrupted, it's assumed that they are executing
+on the tail of an interrupt return. In that case tick_nohz_irq_exit() is
+called after softirq processing to take care of the tick reprogramming.
+
+But the assumption is wrong: softirqs can be processed inline as well, ie:
+outside of an interrupt, like in a call to local_bh_enable() or from
+ksoftirqd.
+
+Inline softirqs don't reprogram the tick once they are done, as opposed to
+interrupt tail softirq processing. So if a tick interrupts an inline
+softirq processing, the next timer will neither be reprogrammed from the
+interrupting tick's irq_exit() nor after the interrupted softirq
+processing. This situation may leave the tick unprogrammed while timers are
+armed.
+
+To fix this, simply keep reprogramming the tick even if a softirq has been
+interrupted. That can be optimized further, but for now correctness is more
+important.
+
+Note that new timers enqueued in nohz_full mode after a softirq gets
+interrupted will still be handled just fine through self-IPIs triggered by
+the timer code.
+
+Reported-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Cc: stable@vger.kernel.org # 4.14+
+Link: https://lkml.kernel.org/r/1533303094-15855-1-git-send-email-frederic@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/softirq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -387,7 +387,7 @@ static inline void tick_irq_exit(void)
+
+ /* Make sure that timer wheel updates are propagated */
+ if ((idle_cpu(cpu) && !need_resched()) || tick_nohz_full_cpu(cpu)) {
+- if (!in_interrupt())
++ if (!in_irq())
+ tick_nohz_irq_exit();
+ }
+ #endif
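Review bot: The switch from `in_interrupt()` to `in_irq()` in tick_irq_exit carries no comment, and the difference is subtle enough that the old test could easily be restored later as an optimisation. The commit message gives the reason: softirqs can run inline (local_bh_enable(), ksoftirqd) and those paths do not reprogram the tick afterwards. That belongs next to the check, e.g. `/* Skip only for nested hardirqs: an interrupted inline softirq will not reprogram the tick itself */`. tick_irq_exit starts outside this hunk.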
--- /dev/null
+From 156c8b58ef5cfd97245928c95669fd4cb0f9c388 Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Mon, 30 Jul 2018 08:28:08 -0400
+Subject: perf/x86/intel/uncore: Fix hardcoded index of Broadwell extra PCI devices
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+commit 156c8b58ef5cfd97245928c95669fd4cb0f9c388 upstream.
+
+Masayoshi Mizuma reported that a warning message is shown while a CPU is
+hot-removed on Broadwell servers:
+
+ WARNING: CPU: 126 PID: 6 at arch/x86/events/intel/uncore.c:988
+ uncore_pci_remove+0x10b/0x150
+ Call Trace:
+ pci_device_remove+0x42/0xd0
+ device_release_driver_internal+0x148/0x220
+ pci_stop_bus_device+0x76/0xa0
+ pci_stop_root_bus+0x44/0x60
+ acpi_pci_root_remove+0x1f/0x80
+ acpi_bus_trim+0x57/0x90
+ acpi_bus_trim+0x2e/0x90
+ acpi_device_hotplug+0x2bc/0x4b0
+ acpi_hotplug_work_fn+0x1a/0x30
+ process_one_work+0x174/0x3a0
+ worker_thread+0x4c/0x3d0
+ kthread+0xf8/0x130
+
+This bug was introduced by:
+
+ commit 15a3e845b01c ("perf/x86/intel/uncore: Fix SBOX support for Broadwell CPUs")
+
+The index of "QPI Port 2 filter" was hardcode to 2, but this conflicts with the
+index of "PCU.3" which is "HSWEP_PCI_PCU_3", which equals to 2 as well.
+
+To fix the conflict, the hardcoded index needs to be cleaned up:
+
+ - introduce a new enumerator "BDX_PCI_QPI_PORT2_FILTER" for "QPI Port 2
+ filter" on Broadwell,
+ - increase UNCORE_EXTRA_PCI_DEV_MAX by one,
+ - clean up the hardcoded index.
+
+Debugged-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
+Suggested-by: Ingo Molnar <mingo@kernel.org>
+Reported-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
+Tested-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: msys.mizuma@gmail.com
+Cc: stable@vger.kernel.org
+Fixes: 15a3e845b01c ("perf/x86/intel/uncore: Fix SBOX support for Broadwell CPUs")
+Link: http://lkml.kernel.org/r/1532953688-15008-1-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/events/intel/uncore.h | 2 +-
+ arch/x86/events/intel/uncore_snbep.c | 10 +++++++---
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/events/intel/uncore.h
++++ b/arch/x86/events/intel/uncore.h
+@@ -23,7 +23,7 @@
+ #define UNCORE_PCI_DEV_TYPE(data) ((data >> 8) & 0xff)
+ #define UNCORE_PCI_DEV_IDX(data) (data & 0xff)
+ #define UNCORE_EXTRA_PCI_DEV 0xff
+-#define UNCORE_EXTRA_PCI_DEV_MAX 3
++#define UNCORE_EXTRA_PCI_DEV_MAX 4
+
+ #define UNCORE_EVENT_CONSTRAINT(c, n) EVENT_CONSTRAINT(c, n, 0xff)
+
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -1029,6 +1029,7 @@ void snbep_uncore_cpu_init(void)
+ enum {
+ SNBEP_PCI_QPI_PORT0_FILTER,
+ SNBEP_PCI_QPI_PORT1_FILTER,
++ BDX_PCI_QPI_PORT2_FILTER,
+ HSWEP_PCI_PCU_3,
+ };
+
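Review bot: Inserting `BDX_PCI_QPI_PORT2_FILTER` moves `HSWEP_PCI_PCU_3` from 2 to 3, and the only thing keeping that index in range is the hand-edited `UNCORE_EXTRA_PCI_DEV_MAX` in uncore.h. The two live in different files with no compile-time link, so the next enumerator added here could index past whatever is sized by that macro (the array itself is not visible in this patch). A check such as `BUILD_BUG_ON(HSWEP_PCI_PCU_3 >= UNCORE_EXTRA_PCI_DEV_MAX);` in one of this file's init functions, or a comment on the enum naming the macro that must be bumped with it, would make the coupling explicit.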
+@@ -3286,15 +3287,18 @@ static const struct pci_device_id bdx_un
+ },
+ { /* QPI Port 0 filter */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x6f86),
+- .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV, 0),
++ .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV,
++ SNBEP_PCI_QPI_PORT0_FILTER),
+ },
+ { /* QPI Port 1 filter */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x6f96),
+- .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV, 1),
++ .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV,
++ SNBEP_PCI_QPI_PORT1_FILTER),
+ },
+ { /* QPI Port 2 filter */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x6f46),
+- .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV, 2),
++ .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV,
++ BDX_PCI_QPI_PORT2_FILTER),
+ },
+ { /* PCU.3 (for Capability registers) */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x6fc0),
--- /dev/null
+From 45235022da9925b2b070c0139629233173e50089 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quinn.tran@cavium.com>
+Date: Wed, 18 Jul 2018 14:29:53 -0700
+Subject: scsi: qla2xxx: Fix driver unload by shutting down chip
+
+From: Quinn Tran <quinn.tran@cavium.com>
+
+commit 45235022da9925b2b070c0139629233173e50089 upstream.
+
+Use chip shutdown at the start of unload to stop all DMA + traffic and
+bring down the laser. This prevents any link activities from triggering the
+driver to be re-engaged.
+
+Fixes: 4b60c82736d0 ("scsi: qla2xxx: Add fw_started flags to qpair")
+Cc: <stable@vger.kernel.org> #4.16
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_isr.c | 3 ++
+ drivers/scsi/qla2xxx/qla_mbx.c | 6 +++++
+ drivers/scsi/qla2xxx/qla_mid.c | 6 +++--
+ drivers/scsi/qla2xxx/qla_os.c | 44 ++++++++++++++++-------------------------
+ drivers/scsi/qla2xxx/qla_sup.c | 3 ++
+ 5 files changed, 34 insertions(+), 28 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -631,6 +631,9 @@ qla2x00_async_event(scsi_qla_host_t *vha
+ unsigned long flags;
+ fc_port_t *fcport = NULL;
+
++ if (!vha->hw->flags.fw_started)
++ return;
++
+ /* Setup to process RIO completion. */
+ handle_cnt = 0;
+ if (IS_CNA_CAPABLE(ha))
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -4212,6 +4212,9 @@ qla25xx_init_req_que(struct scsi_qla_hos
+ mbx_cmd_t *mcp = &mc;
+ struct qla_hw_data *ha = vha->hw;
+
++ if (!ha->flags.fw_started)
++ return QLA_SUCCESS;
++
+ ql_dbg(ql_dbg_mbx + ql_dbg_verbose, vha, 0x10d3,
+ "Entered %s.\n", __func__);
+
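Review bot: The early `return QLA_SUCCESS` added to qla25xx_init_req_que when `ha->flags.fw_started` is clear reports success for a mailbox command that was never issued, and it sits before the `Entered %s` trace, so the skip leaves no record. The same pattern is added to qla25xx_init_rsp_que in the next hunk and to qla24xx_beacon_off in qla_sup.c. A one-line comment stating that this is deliberate during unload, e.g. `/* firmware already stopped (unload): nothing to initialise */`, and optionally a ql_dbg line, would make the intent clear to any caller that treats QLA_SUCCESS as "queue initialised". All three function bodies continue outside their hunks.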
+@@ -4281,6 +4284,9 @@ qla25xx_init_rsp_que(struct scsi_qla_hos
+ mbx_cmd_t *mcp = &mc;
+ struct qla_hw_data *ha = vha->hw;
+
++ if (!ha->flags.fw_started)
++ return QLA_SUCCESS;
++
+ ql_dbg(ql_dbg_mbx + ql_dbg_verbose, vha, 0x10d6,
+ "Entered %s.\n", __func__);
+
+--- a/drivers/scsi/qla2xxx/qla_mid.c
++++ b/drivers/scsi/qla2xxx/qla_mid.c
+@@ -152,10 +152,12 @@ int
+ qla24xx_disable_vp(scsi_qla_host_t *vha)
+ {
+ unsigned long flags;
+- int ret;
++ int ret = QLA_SUCCESS;
+ fc_port_t *fcport;
+
+- ret = qla24xx_control_vp(vha, VCE_COMMAND_DISABLE_VPS_LOGO_ALL);
++ if (vha->hw->flags.fw_started)
++ ret = qla24xx_control_vp(vha, VCE_COMMAND_DISABLE_VPS_LOGO_ALL);
++
+ atomic_set(&vha->loop_state, LOOP_DOWN);
+ atomic_set(&vha->loop_down_timer, LOOP_DOWN_TIME);
+ list_for_each_entry(fcport, &vha->vp_fcports, list)
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -303,6 +303,7 @@ static void qla2x00_free_device(scsi_qla
+ static int qla2xxx_map_queues(struct Scsi_Host *shost);
+ static void qla2x00_destroy_deferred_work(struct qla_hw_data *);
+
++
+ struct scsi_host_template qla2xxx_driver_template = {
+ .module = THIS_MODULE,
+ .name = QLA2XXX_DRIVER_NAME,
+@@ -3603,6 +3604,8 @@ qla2x00_remove_one(struct pci_dev *pdev)
+
+ base_vha = pci_get_drvdata(pdev);
+ ha = base_vha->hw;
++ ql_log(ql_log_info, base_vha, 0xb079,
++ "Removing driver\n");
+
+ /* Indicate device removal to prevent future board_disable and wait
+ * until any pending board_disable has completed. */
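Review bot: The new `ql_log(ql_log_info, base_vha, 0xb079, "Removing driver\n")` reuses message id 0xb079, which qla2x00_remove_one already uses for "Error while clearing DRV-Presence." (that call is moved, not dropped, by the next hunk of this patch). Two different messages under one id make the id useless for tracing a log line back to its source when reading logs after a failure. Pick an id that is unused in the driver, e.g. `ql_log(ql_log_info, base_vha, <unused id>, "Removing driver\n");`.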
+@@ -3625,6 +3628,21 @@ qla2x00_remove_one(struct pci_dev *pdev)
+ }
+ qla2x00_wait_for_hba_ready(base_vha);
+
++ if (IS_QLA25XX(ha) || IS_QLA2031(ha) || IS_QLA27XX(ha)) {
++ if (ha->flags.fw_started)
++ qla2x00_abort_isp_cleanup(base_vha);
++ } else if (!IS_QLAFX00(ha)) {
++ if (IS_QLA8031(ha)) {
++ ql_dbg(ql_dbg_p3p, base_vha, 0xb07e,
++ "Clearing fcoe driver presence.\n");
++ if (qla83xx_clear_drv_presence(base_vha) != QLA_SUCCESS)
++ ql_dbg(ql_dbg_p3p, base_vha, 0xb079,
++ "Error while clearing DRV-Presence.\n");
++ }
++
++ qla2x00_try_to_stop_firmware(base_vha);
++ }
++
+ qla2x00_wait_for_sess_deletion(base_vha);
+
+ /*
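Review bot: In the block moved into qla2x00_remove_one, the non-25xx/2031/27xx branch now calls `qla2x00_try_to_stop_firmware(base_vha)` unconditionally, whereas the code removed from qla2x00_free_device called it only when `ha->flags.fw_started` was set and then cleared the flag. The other hunks of this patch gate mailbox and async-event work on `fw_started`, so on these adapters those guards only take effect if the flag is cleared somewhere; unless qla2x00_try_to_stop_firmware handles both itself (not visible here), I would keep the old form, `if (ha->flags.fw_started) { qla2x00_try_to_stop_firmware(base_vha); ha->flags.fw_started = 0; }`. The removed code also disabled FCE and EFT tracing before stopping the chip, and it is worth confirming that the new path still does so. The function body extends beyond this hunk.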
+@@ -3648,14 +3666,6 @@ qla2x00_remove_one(struct pci_dev *pdev)
+
+ qla2x00_delete_all_vps(ha, base_vha);
+
+- if (IS_QLA8031(ha)) {
+- ql_dbg(ql_dbg_p3p, base_vha, 0xb07e,
+- "Clearing fcoe driver presence.\n");
+- if (qla83xx_clear_drv_presence(base_vha) != QLA_SUCCESS)
+- ql_dbg(ql_dbg_p3p, base_vha, 0xb079,
+- "Error while clearing DRV-Presence.\n");
+- }
+-
+ qla2x00_abort_all_cmds(base_vha, DID_NO_CONNECT << 16);
+
+ qla2x00_dfs_remove(base_vha);
+@@ -3715,24 +3725,6 @@ qla2x00_free_device(scsi_qla_host_t *vha
+ qla2x00_stop_timer(vha);
+
+ qla25xx_delete_queues(vha);
+-
+- if (ha->flags.fce_enabled)
+- qla2x00_disable_fce_trace(vha, NULL, NULL);
+-
+- if (ha->eft)
+- qla2x00_disable_eft_trace(vha);
+-
+- if (IS_QLA25XX(ha) || IS_QLA2031(ha) || IS_QLA27XX(ha)) {
+- if (ha->flags.fw_started)
+- qla2x00_abort_isp_cleanup(vha);
+- } else {
+- if (ha->flags.fw_started) {
+- /* Stop currently executing firmware. */
+- qla2x00_try_to_stop_firmware(vha);
+- ha->flags.fw_started = 0;
+- }
+- }
+-
+ vha->flags.online = 0;
+
+ /* turn-off interrupts on the card */
+--- a/drivers/scsi/qla2xxx/qla_sup.c
++++ b/drivers/scsi/qla2xxx/qla_sup.c
+@@ -1880,6 +1880,9 @@ qla24xx_beacon_off(struct scsi_qla_host
+ if (IS_P3P_TYPE(ha))
+ return QLA_SUCCESS;
+
++ if (!ha->flags.fw_started)
++ return QLA_SUCCESS;
++
+ ha->beacon_blink_led = 0;
+
+ if (IS_QLA2031(ha) || IS_QLA27XX(ha))
--- /dev/null
+From b08abbd9f5996309f021684f9ca74da30dcca36a Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quinn.tran@cavium.com>
+Date: Wed, 18 Jul 2018 14:29:54 -0700
+Subject: scsi: qla2xxx: Fix ISP recovery on unload
+
+From: Quinn Tran <quinn.tran@cavium.com>
+
+commit b08abbd9f5996309f021684f9ca74da30dcca36a upstream.
+
+During unload process, the chip can encounter problem where a FW dump would
+be captured. For this case, the full reset sequence will be skip to bring
+the chip back to full operational state.
+
+Fixes: e315cd28b9ef ("[SCSI] qla2xxx: Code changes for qla data structure refactoring")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -6014,8 +6014,9 @@ qla2x00_do_dpc(void *data)
+ set_bit(ISP_ABORT_NEEDED, &base_vha->dpc_flags);
+ }
+
+- if (test_and_clear_bit(ISP_ABORT_NEEDED,
+- &base_vha->dpc_flags)) {
++ if (test_and_clear_bit
++ (ISP_ABORT_NEEDED, &base_vha->dpc_flags) &&
++ !test_bit(UNLOADING, &base_vha->dpc_flags)) {
+
+ ql_dbg(ql_dbg_dpc, base_vha, 0x4007,
+ "ISP abort scheduled.\n");
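Review bot: In the rewritten condition, `test_and_clear_bit(ISP_ABORT_NEEDED, ...)` is evaluated before `!test_bit(UNLOADING, ...)`, so during unload the abort request is consumed and dropped rather than left pending. That looks intended, but it is a side effect hidden in the left operand of `&&` and deserves a comment, e.g. `/* While unloading, clear the request but skip the ISP abort */`. The line break between `test_and_clear_bit` and its argument list is also unusual; keeping `if (test_and_clear_bit(ISP_ABORT_NEEDED, &base_vha->dpc_flags) &&` together and putting the UNLOADING test on the following line reads better. qla2x00_do_dpc continues outside the hunk.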
--- /dev/null
+From efa93f48fa9d423fda166bc3b6c0cbb09682492e Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quinn.tran@cavium.com>
+Date: Wed, 18 Jul 2018 14:29:52 -0700
+Subject: scsi: qla2xxx: Fix NPIV deletion by calling wait_for_sess_deletion
+
+From: Quinn Tran <quinn.tran@cavium.com>
+
+commit efa93f48fa9d423fda166bc3b6c0cbb09682492e upstream.
+
+Add wait for session deletion to finish before freeing an NPIV scsi host.
+
+Fixes: 726b85487067 ("qla2xxx: Add framework for async fabric discovery")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 1 +
+ drivers/scsi/qla2xxx/qla_gbl.h | 1 +
+ drivers/scsi/qla2xxx/qla_mid.c | 5 +++++
+ drivers/scsi/qla2xxx/qla_os.c | 2 +-
+ 4 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -2141,6 +2141,7 @@ qla24xx_vport_delete(struct fc_vport *fc
+ msleep(1000);
+
+ qla24xx_disable_vp(vha);
++ qla2x00_wait_for_sess_deletion(vha);
+
+ vha->flags.delete_progress = 1;
+
+--- a/drivers/scsi/qla2xxx/qla_gbl.h
++++ b/drivers/scsi/qla2xxx/qla_gbl.h
+@@ -213,6 +213,7 @@ void qla2x00_handle_login_done_event(str
+ int qla24xx_post_gnl_work(struct scsi_qla_host *, fc_port_t *);
+ int qla24xx_async_abort_cmd(srb_t *);
+ int qla24xx_post_relogin_work(struct scsi_qla_host *vha);
++void qla2x00_wait_for_sess_deletion(scsi_qla_host_t *);
+
+ /*
+ * Global Functions in qla_mid.c source file.
+--- a/drivers/scsi/qla2xxx/qla_mid.c
++++ b/drivers/scsi/qla2xxx/qla_mid.c
+@@ -153,10 +153,15 @@ qla24xx_disable_vp(scsi_qla_host_t *vha)
+ {
+ unsigned long flags;
+ int ret;
++ fc_port_t *fcport;
+
+ ret = qla24xx_control_vp(vha, VCE_COMMAND_DISABLE_VPS_LOGO_ALL);
+ atomic_set(&vha->loop_state, LOOP_DOWN);
+ atomic_set(&vha->loop_down_timer, LOOP_DOWN_TIME);
++ list_for_each_entry(fcport, &vha->vp_fcports, list)
++ fcport->logout_on_delete = 0;
++
++ qla2x00_mark_all_devices_lost(vha, 0);
+
+ /* Remove port id from vp target map */
+ spin_lock_irqsave(&vha->hw->hardware_lock, flags);
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -1147,7 +1147,7 @@ static inline int test_fcport_count(scsi
+ * qla2x00_wait_for_sess_deletion can only be called from remove_one.
+ * it has dependency on UNLOADING flag to stop device discovery
+ */
+-static void
++void
+ qla2x00_wait_for_sess_deletion(scsi_qla_host_t *vha)
+ {
+ qla2x00_mark_all_devices_lost(vha, 0);
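Review bot: The comment kept above qla2x00_wait_for_sess_deletion still says it "can only be called from remove_one" and depends on the UNLOADING flag, yet this patch makes the function non-static and calls it from qla24xx_vport_delete. Either the comment is stale and should name the new caller, or the dependency is real and the vport-delete path needs checking, since UNLOADING is not visibly set there and the wait could run while discovery is still adding sessions. The function body continues past the hunk, so the wait condition itself is not shown.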
--- /dev/null
+From e3dde080ebbdbb4bda8eee35d770714fee8c59ac Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quinn.tran@cavium.com>
+Date: Wed, 18 Jul 2018 14:29:51 -0700
+Subject: scsi: qla2xxx: Fix unintialized List head crash
+
+From: Quinn Tran <quinn.tran@cavium.com>
+
+commit e3dde080ebbdbb4bda8eee35d770714fee8c59ac upstream.
+
+In case of IOCB Queue full or system where memory is low and driver
+receives large number of RSCN storm, the stale sp pointer can stay on
+gpnid_list resulting in page_fault.
+
+This patch fixes this issue by initializing the sp->elem list head and
+removing sp->elem before memory is freed.
+
+Following stack trace is seen
+
+ 9 [ffff987b37d1bc60] page_fault at ffffffffad516768 [exception RIP: qla24xx_async_gpnid+496]
+10 [ffff987b37d1bd10] qla24xx_async_gpnid at ffffffffc039866d [qla2xxx]
+11 [ffff987b37d1bd80] qla2x00_do_work at ffffffffc036169c [qla2xxx]
+12 [ffff987b37d1be38] qla2x00_do_dpc_all_vps at ffffffffc03adfed [qla2xxx]
+13 [ffff987b37d1be78] qla2x00_do_dpc at ffffffffc036458a [qla2xxx]
+14 [ffff987b37d1bec8] kthread at ffffffffacebae31
+
+Fixes: 2d73ac6102d9 ("scsi: qla2xxx: Serialize GPNID for multiple RSCN")
+Cc: <stable@vger.kernel.org> # v4.17+
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_gs.c | 4 ++++
+ drivers/scsi/qla2xxx/qla_inline.h | 2 ++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_gs.c
++++ b/drivers/scsi/qla2xxx/qla_gs.c
+@@ -3712,6 +3712,10 @@ int qla24xx_async_gpnid(scsi_qla_host_t
+ return rval;
+
+ done_free_sp:
++ spin_lock_irqsave(&vha->hw->vport_slock, flags);
++ list_del(&sp->elem);
++ spin_unlock_irqrestore(&vha->hw->vport_slock, flags);
++
+ if (sp->u.iocb_cmd.u.ctarg.req) {
+ dma_free_coherent(&vha->hw->pdev->dev,
+ sizeof(struct ct_sns_pkt),
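Review bot: The `list_del(&sp->elem)` added at `done_free_sp` runs on every error exit, including any where sp was never linked onto gpnid_list, so it is only safe because of the `INIT_LIST_HEAD(&sp->elem)` added to qla2xxx_get_qpair_sp in qla_inline.h. That cross-file dependency is worth a comment at the label, e.g. `/* sp->elem is self-linked by the allocator, so list_del is safe even if sp was never queued */`. It should also be confirmed that every allocation path that can produce this sp goes through that initialisation. The declaration of `flags` and the gotos that reach the label are outside this hunk.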
+--- a/drivers/scsi/qla2xxx/qla_inline.h
++++ b/drivers/scsi/qla2xxx/qla_inline.h
+@@ -222,6 +222,8 @@ qla2xxx_get_qpair_sp(struct qla_qpair *q
+ sp->fcport = fcport;
+ sp->iocbs = 1;
+ sp->vha = qpair->vha;
++ INIT_LIST_HEAD(&sp->elem);
++
+ done:
+ if (!sp)
+ QLA_QPAIR_MARK_NOT_BUSY(qpair);
--- /dev/null
+From b4146c4929ef61d5afca011474d59d0918a0cd82 Mon Sep 17 00:00:00 2001
+From: Anil Gurumurthy <anil.gurumurthy@cavium.com>
+Date: Wed, 18 Jul 2018 14:29:55 -0700
+Subject: scsi: qla2xxx: Return error when TMF returns
+
+From: Anil Gurumurthy <anil.gurumurthy@cavium.com>
+
+commit b4146c4929ef61d5afca011474d59d0918a0cd82 upstream.
+
+Propagate the task management completion status properly to avoid
+unnecessary waits for commands to complete.
+
+Fixes: faef62d13463 ("[SCSI] qla2xxx: Fix Task Management command asynchronous handling")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Anil Gurumurthy <anil.gurumurthy@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_init.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -1518,11 +1518,10 @@ qla2x00_async_tm_cmd(fc_port_t *fcport,
+
+ wait_for_completion(&tm_iocb->u.tmf.comp);
+
+- rval = tm_iocb->u.tmf.comp_status == CS_COMPLETE ?
+- QLA_SUCCESS : QLA_FUNCTION_FAILED;
++ rval = tm_iocb->u.tmf.data;
+
+- if ((rval != QLA_SUCCESS) || tm_iocb->u.tmf.data) {
+- ql_dbg(ql_dbg_taskm, vha, 0x8030,
++ if (rval != QLA_SUCCESS) {
++ ql_log(ql_log_warn, vha, 0x8030,
+ "TM IOCB failed (%x).\n", rval);
+ }
+
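Review bot: With `rval = tm_iocb->u.tmf.data;` the result no longer looks at `comp_status` at all, so the function reports success whenever the completion path left `u.tmf.data` at zero. That is correct only if the completion handler stores a failure code in `data` for every status other than CS_COMPLETE, which is not visible in this hunk. If that cannot be guaranteed, keep the status in the result, e.g. `if (rval == QLA_SUCCESS && tm_iocb->u.tmf.comp_status != CS_COMPLETE) rval = QLA_FUNCTION_FAILED;`. qla2x00_async_tm_cmd starts and ends outside the hunk.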