--- /dev/null
+From d1a2930d8a992fb6ac2529449f81a0056e1b98d1 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@mips.com>
+Date: Fri, 1 Mar 2019 22:58:09 +0000
+Subject: MIPS: eBPF: Fix icache flush end address
+
+From: Paul Burton <paul.burton@mips.com>
+
+commit d1a2930d8a992fb6ac2529449f81a0056e1b98d1 upstream.
+
+The MIPS eBPF JIT calls flush_icache_range() in order to ensure the
+icache observes the code that we just wrote. Unfortunately it gets the
+end address calculation wrong due to some bad pointer arithmetic.
+
+The struct jit_ctx target field is of type pointer to u32, and as such
+adding one to it will increment the address being pointed to by 4 bytes.
+Therefore in order to find the address of the end of the code we simply
+need to add the number of 4 byte instructions emitted, but we mistakenly
+add the number of instructions multiplied by 4. This results in the call
+to flush_icache_range() operating on a memory region 4x larger than
+intended, which is always wasteful and can cause crashes if we overrun
+into an unmapped page.
+
+Fix this by correcting the pointer arithmetic to remove the bogus
+multiplication, and use braces to remove the need for a set of brackets
+whilst also making it obvious that the target field is a pointer.
+
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Fixes: b6bd53f9c4e8 ("MIPS: Add missing file for eBPF JIT.")
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Yonghong Song <yhs@fb.com>
+Cc: netdev@vger.kernel.org
+Cc: bpf@vger.kernel.org
+Cc: linux-mips@vger.kernel.org
+Cc: stable@vger.kernel.org # v4.13+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/net/ebpf_jit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/net/ebpf_jit.c
++++ b/arch/mips/net/ebpf_jit.c
+@@ -1971,7 +1971,7 @@ struct bpf_prog *bpf_int_jit_compile(str
+
+ /* Update the icache */
+ flush_icache_range((unsigned long)ctx.target,
+- (unsigned long)(ctx.target + ctx.idx * sizeof(u32)));
++ (unsigned long)&ctx.target[ctx.idx]);
+
+ if (bpf_jit_enable > 1)
+ /* Dump JIT code */
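Review bot: The end argument of flush_icache_range() is now correct only because ctx.target is a pointer to u32, and nothing at the call site says so. The removed line, (unsigned long)(ctx.target + ctx.idx * sizeof(u32)), scaled the instruction count twice for exactly that reason. Consider expanding the "/* Update the icache */" comment to state that ctx.idx counts 4-byte instructions and that the subscript does the scaling, so the byte-size multiplication is not reintroduced later. As a minor wording point, the commit message says the fix uses "braces" to drop a set of brackets, while the added line uses an array subscript, &ctx.target[ctx.idx], to drop a pair of parentheses.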