--- /dev/null
+From ebe9f6f19d80d8978d16078dff3d5bd93ad8d102 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Thu, 7 Feb 2019 14:56:50 -0800
+Subject: acpi/nfit: Fix bus command validation
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit ebe9f6f19d80d8978d16078dff3d5bd93ad8d102 upstream.
+
+Commit 11189c1089da "acpi/nfit: Fix command-supported detection" broke
+ND_CMD_CALL for bus-level commands. The "func = cmd" assumption is only
+valid for:
+
+ ND_CMD_ARS_CAP
+ ND_CMD_ARS_START
+ ND_CMD_ARS_STATUS
+ ND_CMD_CLEAR_ERROR
+
+The function number otherwise needs to be pulled from the command
+payload for:
+
+ NFIT_CMD_TRANSLATE_SPA
+ NFIT_CMD_ARS_INJECT_SET
+ NFIT_CMD_ARS_INJECT_CLEAR
+ NFIT_CMD_ARS_INJECT_GET
+
+Update cmd_to_func() for the bus case and call it in the common path.
+
+Fixes: 11189c1089da ("acpi/nfit: Fix command-supported detection")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
+Reported-by: Grzegorz Burzynski <grzegorz.burzynski@intel.com>
+Tested-by: Jeff Moyer <jmoyer@redhat.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/nfit/core.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -415,7 +415,7 @@ static int cmd_to_func(struct nfit_mem *
+ if (call_pkg) {
+ int i;
+
+- if (nfit_mem->family != call_pkg->nd_family)
++ if (nfit_mem && nfit_mem->family != call_pkg->nd_family)
+ return -ENOTTY;
+
+ for (i = 0; i < ARRAY_SIZE(call_pkg->nd_reserved2); i++)
+@@ -424,6 +424,10 @@ static int cmd_to_func(struct nfit_mem *
+ return call_pkg->nd_command;
+ }
+
++ /* In the !call_pkg case, bus commands == bus functions */
++ if (!nfit_mem)
++ return cmd;
++
+ /* Linux ND commands == NVDIMM_FAMILY_INTEL function numbers */
+ if (nfit_mem->family == NVDIMM_FAMILY_INTEL)
+ return cmd;
+@@ -454,17 +458,18 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc
+ if (cmd_rc)
+ *cmd_rc = -EINVAL;
+
++ if (cmd == ND_CMD_CALL)
++ call_pkg = buf;
++ func = cmd_to_func(nfit_mem, cmd, call_pkg);
++ if (func < 0)
++ return func;
++
+ if (nvdimm) {
+ struct acpi_device *adev = nfit_mem->adev;
+
+ if (!adev)
+ return -ENOTTY;
+
+- if (cmd == ND_CMD_CALL)
+- call_pkg = buf;
+- func = cmd_to_func(nfit_mem, cmd, call_pkg);
+- if (func < 0)
+- return func;
+ dimm_name = nvdimm_name(nvdimm);
+ cmd_name = nvdimm_cmd_name(cmd);
+ cmd_mask = nvdimm_cmd_mask(nvdimm);
+@@ -475,12 +480,9 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc
+ } else {
+ struct acpi_device *adev = to_acpi_dev(acpi_desc);
+
+- func = cmd;
+ cmd_name = nvdimm_bus_cmd_name(cmd);
+ cmd_mask = nd_desc->cmd_mask;
+- dsm_mask = cmd_mask;
+- if (cmd == ND_CMD_CALL)
+- dsm_mask = nd_desc->bus_dsm_mask;
++ dsm_mask = nd_desc->bus_dsm_mask;
+ desc = nd_cmd_bus_desc(cmd);
+ guid = to_nfit_uuid(NFIT_DEV_BUS);
+ handle = adev->handle;
--- /dev/null
+From e4b3448bc346fedf36db64124a664a959995b085 Mon Sep 17 00:00:00 2001
+From: Matthew Wilcox <willy@infradead.org>
+Date: Fri, 1 Mar 2019 11:12:41 -0800
+Subject: dax: Flush partial PMDs correctly
+
+From: Matthew Wilcox <willy@infradead.org>
+
+commit e4b3448bc346fedf36db64124a664a959995b085 upstream.
+
+The radix tree would rewind the index in an iterator to the lowest index
+of a multi-slot entry. The XArray iterators instead leave the index
+unchanged, but I overlooked that when converting DAX from the radix tree
+to the XArray. Adjust the index that we use for flushing to the start
+of the PMD range.
+
+Fixes: c1901cd33cf4 ("page cache: Convert find_get_entries_tag to XArray")
+Cc: <stable@vger.kernel.org>
+Reported-by: Piotr Balcer <piotr.balcer@intel.com>
+Tested-by: Dan Williams <dan.j.williams@intel.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dax.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/fs/dax.c
++++ b/fs/dax.c
+@@ -843,9 +843,8 @@ unlock_pte:
+ static int dax_writeback_one(struct xa_state *xas, struct dax_device *dax_dev,
+ struct address_space *mapping, void *entry)
+ {
+- unsigned long pfn;
++ unsigned long pfn, index, count;
+ long ret = 0;
+- size_t size;
+
+ /*
+ * A page got tagged dirty in DAX mapping? Something is seriously
+@@ -894,17 +893,18 @@ static int dax_writeback_one(struct xa_s
+ xas_unlock_irq(xas);
+
+ /*
+- * Even if dax_writeback_mapping_range() was given a wbc->range_start
+- * in the middle of a PMD, the 'index' we are given will be aligned to
+- * the start index of the PMD, as will the pfn we pull from 'entry'.
++ * If dax_writeback_mapping_range() was given a wbc->range_start
++ * in the middle of a PMD, the 'index' we use needs to be
++ * aligned to the start of the PMD.
+ * This allows us to flush for PMD_SIZE and not have to worry about
+ * partial PMD writebacks.
+ */
+ pfn = dax_to_pfn(entry);
+- size = PAGE_SIZE << dax_entry_order(entry);
++ count = 1UL << dax_entry_order(entry);
++ index = xas->xa_index & ~(count - 1);
+
+- dax_entry_mkclean(mapping, xas->xa_index, pfn);
+- dax_flush(dax_dev, page_address(pfn_to_page(pfn)), size);
++ dax_entry_mkclean(mapping, index, pfn);
++ dax_flush(dax_dev, page_address(pfn_to_page(pfn)), count * PAGE_SIZE);
+ /*
+ * After we have flushed the cache, we can clear the dirty tag. There
+ * cannot be new dirty data in the pfn after the flush has completed as
+@@ -917,8 +917,7 @@ static int dax_writeback_one(struct xa_s
+ xas_clear_mark(xas, PAGECACHE_TAG_DIRTY);
+ dax_wake_entry(xas, entry, false);
+
+- trace_dax_writeback_one(mapping->host, xas->xa_index,
+- size >> PAGE_SHIFT);
++ trace_dax_writeback_one(mapping->host, index, count);
+ return ret;
+
+ put_unlocked:
--- /dev/null
+From 399504e21a10be16dd1408ba0147367d9d82a10c Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 6 Jan 2019 11:41:29 -0500
+Subject: fix cgroup_do_mount() handling of failure exits
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 399504e21a10be16dd1408ba0147367d9d82a10c upstream.
+
+same story as with last May fixes in sysfs (7b745a4e4051
+"unfuck sysfs_mount()"); new_sb is left uninitialized
+in case of early errors in kernfs_mount_ns() and papering
+over it by treating any error from kernfs_mount_ns() as
+equivalent to !new_ns ends up conflating the cases when
+objects had never been transferred to a superblock with
+ones when that has happened and resulting new superblock
+had been dropped. Easily fixed (same way as in sysfs
+case). Additionally, there's a superblock leak on
+kernfs_node_dentry() failure *and* a dentry leak inside
+kernfs_node_dentry() itself - the latter on probably
+impossible errors, but the former not impossible to trigger
+(as the matter of fact, injecting allocation failures
+at that point *does* trigger it).
+
+Cc: stable@kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/kernfs/mount.c | 8 ++++++--
+ kernel/cgroup/cgroup.c | 9 ++++++---
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+--- a/fs/kernfs/mount.c
++++ b/fs/kernfs/mount.c
+@@ -196,8 +196,10 @@ struct dentry *kernfs_node_dentry(struct
+ return dentry;
+
+ knparent = find_next_ancestor(kn, NULL);
+- if (WARN_ON(!knparent))
++ if (WARN_ON(!knparent)) {
++ dput(dentry);
+ return ERR_PTR(-EINVAL);
++ }
+
+ do {
+ struct dentry *dtmp;
+@@ -206,8 +208,10 @@ struct dentry *kernfs_node_dentry(struct
+ if (kn == knparent)
+ return dentry;
+ kntmp = find_next_ancestor(kn, knparent);
+- if (WARN_ON(!kntmp))
++ if (WARN_ON(!kntmp)) {
++ dput(dentry);
+ return ERR_PTR(-EINVAL);
++ }
+ dtmp = lookup_one_len_unlocked(kntmp->name, dentry,
+ strlen(kntmp->name));
+ dput(dentry);
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -2033,7 +2033,7 @@ struct dentry *cgroup_do_mount(struct fi
+ struct cgroup_namespace *ns)
+ {
+ struct dentry *dentry;
+- bool new_sb;
++ bool new_sb = false;
+
+ dentry = kernfs_mount(fs_type, flags, root->kf_root, magic, &new_sb);
+
+@@ -2043,6 +2043,7 @@ struct dentry *cgroup_do_mount(struct fi
+ */
+ if (!IS_ERR(dentry) && ns != &init_cgroup_ns) {
+ struct dentry *nsdentry;
++ struct super_block *sb = dentry->d_sb;
+ struct cgroup *cgrp;
+
+ mutex_lock(&cgroup_mutex);
+@@ -2053,12 +2054,14 @@ struct dentry *cgroup_do_mount(struct fi
+ spin_unlock_irq(&css_set_lock);
+ mutex_unlock(&cgroup_mutex);
+
+- nsdentry = kernfs_node_dentry(cgrp->kn, dentry->d_sb);
++ nsdentry = kernfs_node_dentry(cgrp->kn, sb);
+ dput(dentry);
++ if (IS_ERR(nsdentry))
++ deactivate_locked_super(sb);
+ dentry = nsdentry;
+ }
+
+- if (IS_ERR(dentry) || !new_sb)
++ if (!new_sb)
+ cgroup_put(&root->cgrp);
+
+ return dentry;
--- /dev/null
+From 07464e88365e9236febaca9ed1a2e2006d8bc952 Mon Sep 17 00:00:00 2001
+From: Oliver O'Halloran <oohall@gmail.com>
+Date: Wed, 6 Feb 2019 13:04:53 +1100
+Subject: libnvdimm: Fix altmap reservation size calculation
+
+From: Oliver O'Halloran <oohall@gmail.com>
+
+commit 07464e88365e9236febaca9ed1a2e2006d8bc952 upstream.
+
+Libnvdimm reserves the first 8K of pfn and devicedax namespaces to
+store a superblock describing the namespace. This 8K reservation
+is contained within the altmap area which the kernel uses for the
+vmemmap backing for the pages within the namespace. The altmap
+allows for some pages at the start of the altmap area to be reserved
+and that mechanism is used to protect the superblock from being
+re-used as vmemmap backing.
+
+The number of PFNs to reserve is calculated using:
+
+ PHYS_PFN(SZ_8K)
+
+Which is implemented as:
+
+ #define PHYS_PFN(x) ((unsigned long)((x) >> PAGE_SHIFT))
+
+So on systems where PAGE_SIZE is greater than 8K the reservation
+size is truncated to zero and the superblock area is re-used as
+vmemmap backing. As a result all the namespace information stored
+in the superblock (i.e. if it's a PFN or DAX namespace) is lost
+and the namespace needs to be re-created to get access to the
+contents.
+
+This patch fixes this by using PFN_UP() rather than PHYS_PFN() to ensure
+that at least one page is reserved. On systems with a 4K pages size this
+patch should have no effect.
+
+Cc: stable@vger.kernel.org
+Cc: Dan Williams <dan.j.williams@intel.com>
+Fixes: ac515c084be9 ("libnvdimm, pmem, pfn: move pfn setup to the core")
+Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
+Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/pfn_devs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvdimm/pfn_devs.c
++++ b/drivers/nvdimm/pfn_devs.c
+@@ -593,7 +593,7 @@ static unsigned long init_altmap_base(re
+
+ static unsigned long init_altmap_reserve(resource_size_t base)
+ {
+- unsigned long reserve = PHYS_PFN(SZ_8K);
++ unsigned long reserve = PFN_UP(SZ_8K);
+ unsigned long base_pfn = PHYS_PFN(base);
+
+ reserve += base_pfn - PFN_SECTION_ALIGN_DOWN(base_pfn);
--- /dev/null
+From 966d23a006ca7b44ac8cf4d0c96b19785e0c3da0 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Tue, 15 Jan 2019 10:47:00 -0800
+Subject: libnvdimm/label: Clear 'updating' flag after label-set update
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 966d23a006ca7b44ac8cf4d0c96b19785e0c3da0 upstream.
+
+The UEFI 2.7 specification sets expectations that the 'updating' flag is
+eventually cleared. To date, the libnvdimm core has never adhered to
+that protocol. The policy of the core matches the policy of other
+multi-device info-block formats like MD-Software-RAID that expect
+administrator intervention on inconsistent info-blocks, not automatic
+invalidation.
+
+However, some pre-boot environments may unfortunately attempt to "clean
+up" the labels and invalidate a set when it fails to find at least one
+"non-updating" label in the set. Clear the updating flag after set
+updates to minimize the window of vulnerability to aggressive pre-boot
+environments.
+
+Ideally implementations would not write to the label area outside of
+creating namespaces.
+
+Note that this only minimizes the window, it does not close it as the
+system can still crash while clearing the flag and the set can be
+subsequently deleted / invalidated by the pre-boot environment.
+
+Fixes: f524bf271a5c ("libnvdimm: write pmem label set")
+Cc: <stable@vger.kernel.org>
+Cc: Kelly Couch <kelly.j.couch@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/label.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+--- a/drivers/nvdimm/label.c
++++ b/drivers/nvdimm/label.c
+@@ -755,7 +755,7 @@ static const guid_t *to_abstraction_guid
+
+ static int __pmem_label_update(struct nd_region *nd_region,
+ struct nd_mapping *nd_mapping, struct nd_namespace_pmem *nspm,
+- int pos)
++ int pos, unsigned long flags)
+ {
+ struct nd_namespace_common *ndns = &nspm->nsio.common;
+ struct nd_interleave_set *nd_set = nd_region->nd_set;
+@@ -796,7 +796,7 @@ static int __pmem_label_update(struct nd
+ memcpy(nd_label->uuid, nspm->uuid, NSLABEL_UUID_LEN);
+ if (nspm->alt_name)
+ memcpy(nd_label->name, nspm->alt_name, NSLABEL_NAME_LEN);
+- nd_label->flags = __cpu_to_le32(NSLABEL_FLAG_UPDATING);
++ nd_label->flags = __cpu_to_le32(flags);
+ nd_label->nlabel = __cpu_to_le16(nd_region->ndr_mappings);
+ nd_label->position = __cpu_to_le16(pos);
+ nd_label->isetcookie = __cpu_to_le64(cookie);
+@@ -1249,13 +1249,13 @@ static int del_labels(struct nd_mapping
+ int nd_pmem_namespace_label_update(struct nd_region *nd_region,
+ struct nd_namespace_pmem *nspm, resource_size_t size)
+ {
+- int i;
++ int i, rc;
+
+ for (i = 0; i < nd_region->ndr_mappings; i++) {
+ struct nd_mapping *nd_mapping = &nd_region->mapping[i];
+ struct nvdimm_drvdata *ndd = to_ndd(nd_mapping);
+ struct resource *res;
+- int rc, count = 0;
++ int count = 0;
+
+ if (size == 0) {
+ rc = del_labels(nd_mapping, nspm->uuid);
+@@ -1273,7 +1273,20 @@ int nd_pmem_namespace_label_update(struc
+ if (rc < 0)
+ return rc;
+
+- rc = __pmem_label_update(nd_region, nd_mapping, nspm, i);
++ rc = __pmem_label_update(nd_region, nd_mapping, nspm, i,
++ NSLABEL_FLAG_UPDATING);
++ if (rc)
++ return rc;
++ }
++
++ if (size == 0)
++ return 0;
++
++ /* Clear the UPDATING flag per UEFI 2.7 expectations */
++ for (i = 0; i < nd_region->ndr_mappings; i++) {
++ struct nd_mapping *nd_mapping = &nd_region->mapping[i];
++
++ rc = __pmem_label_update(nd_region, nd_mapping, nspm, i, 0);
+ if (rc)
+ return rc;
+ }
--- /dev/null
+From f101ada7da6551127d192c2f1742c1e9e0f62799 Mon Sep 17 00:00:00 2001
+From: Wei Yang <richardw.yang@linux.intel.com>
+Date: Tue, 22 Jan 2019 10:48:09 +0800
+Subject: libnvdimm, pfn: Fix over-trim in trim_pfn_device()
+
+From: Wei Yang <richardw.yang@linux.intel.com>
+
+commit f101ada7da6551127d192c2f1742c1e9e0f62799 upstream.
+
+When trying to see whether current nd_region intersects with others,
+trim_pfn_device() has already calculated the *size* to be expanded to
+SECTION size.
+
+Do not double append 'adjust' to 'size' when calculating whether the end
+of a region collides with the next pmem region.
+
+Fixes: ae86cbfef381 "libnvdimm, pfn: Pad pfn namespaces relative to other regions"
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Wei Yang <richardw.yang@linux.intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/pfn_devs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvdimm/pfn_devs.c
++++ b/drivers/nvdimm/pfn_devs.c
+@@ -678,7 +678,7 @@ static void trim_pfn_device(struct nd_pf
+ if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM,
+ IORES_DESC_NONE) == REGION_MIXED
+ || !IS_ALIGNED(end, nd_pfn->align)
+- || nd_region_conflict(nd_region, start, size + adjust))
++ || nd_region_conflict(nd_region, start, size))
+ *end_trunc = end - phys_pmem_align_down(nd_pfn, end);
+ }
+
--- /dev/null
+From fa7d2e639cd90442d868dfc6ca1d4cc9d8bf206e Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Thu, 24 Jan 2019 17:33:06 -0800
+Subject: libnvdimm/pmem: Honor force_raw for legacy pmem regions
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit fa7d2e639cd90442d868dfc6ca1d4cc9d8bf206e upstream.
+
+For recovery, where non-dax access is needed to a given physical address
+range, and testing, allow the 'force_raw' attribute to override the
+default establishment of a dev_pagemap.
+
+Otherwise without this capability it is possible to end up with a
+namespace that can not be activated due to corrupted info-block, and one
+that can not be repaired due to a section collision.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 004f1afbe199 ("libnvdimm, pmem: direct map legacy pmem by default")
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/namespace_devs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/nvdimm/namespace_devs.c
++++ b/drivers/nvdimm/namespace_devs.c
+@@ -138,6 +138,7 @@ bool nd_is_uuid_unique(struct device *de
+ bool pmem_should_map_pages(struct device *dev)
+ {
+ struct nd_region *nd_region = to_nd_region(dev->parent);
++ struct nd_namespace_common *ndns = to_ndns(dev);
+ struct nd_namespace_io *nsio;
+
+ if (!IS_ENABLED(CONFIG_ZONE_DEVICE))
+@@ -149,6 +150,9 @@ bool pmem_should_map_pages(struct device
+ if (is_nd_pfn(dev) || is_nd_btt(dev))
+ return false;
+
++ if (ndns->force_raw)
++ return false;
++
+ nsio = to_nd_namespace_io(dev);
+ if (region_intersects(nsio->res.start, resource_size(&nsio->res),
+ IORESOURCE_SYSTEM_RAM,
--- /dev/null
+From 43f89877f26671c6309cd87d7364b1a3e66e71cf Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Wed, 30 Jan 2019 01:23:01 +0000
+Subject: nfit: acpi_nfit_ctl(): Check out_obj->type in the right place
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 43f89877f26671c6309cd87d7364b1a3e66e71cf upstream.
+
+In the case of ND_CMD_CALL, we should also check out_obj->type.
+
+The patch uses out_obj->type, which is a short alias to
+out_obj->package.type.
+
+Fixes: 31eca76ba2fc ("nfit, libnvdimm: limited/whitelisted dimm command marshaling mechanism")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/nfit/core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -554,6 +554,13 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc
+ return -EINVAL;
+ }
+
++ if (out_obj->type != ACPI_TYPE_BUFFER) {
++ dev_dbg(dev, "%s unexpected output object type cmd: %s type: %d\n",
++ dimm_name, cmd_name, out_obj->type);
++ rc = -EINVAL;
++ goto out;
++ }
++
+ if (call_pkg) {
+ call_pkg->nd_fw_size = out_obj->buffer.length;
+ memcpy(call_pkg->nd_payload + call_pkg->nd_size_in,
+@@ -572,13 +579,6 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc
+ return 0;
+ }
+
+- if (out_obj->package.type != ACPI_TYPE_BUFFER) {
+- dev_dbg(dev, "%s unexpected output object type cmd: %s type: %d\n",
+- dimm_name, cmd_name, out_obj->type);
+- rc = -EINVAL;
+- goto out;
+- }
+-
+ dev_dbg(dev, "%s cmd: %s output length: %d\n", dimm_name,
+ cmd_name, out_obj->buffer.length);
+ print_hex_dump_debug(cmd_name, DUMP_PREFIX_OFFSET, 4, 4,
--- /dev/null
+From c6c5df293bf1b488cf8459aac658aecfdccb13a9 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Wed, 13 Feb 2019 08:58:40 -0800
+Subject: nfit/ars: Attempt a short-ARS whenever the ARS state is idle at boot
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit c6c5df293bf1b488cf8459aac658aecfdccb13a9 upstream.
+
+If query-ARS reports that ARS has stopped and requires continuation
+attempt to retrieve short-ARS results before continuing the long
+operation.
+
+Fixes: bc6ba8085842 ("nfit, address-range-scrub: rework and simplify ARS...")
+Cc: <stable@vger.kernel.org>
+Reported-by: Krzysztof Rusocki <krzysztof.rusocki@intel.com>
+Reviewed-by: Toshi Kani <toshi.kani@hpe.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/nfit/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -3021,6 +3021,7 @@ static int ars_register(struct acpi_nfit
+
+ switch (acpi_nfit_query_poison(acpi_desc)) {
+ case 0:
++ case -ENOSPC:
+ case -EAGAIN:
+ rc = ars_start(acpi_desc, nfit_spa, ARS_REQ_SHORT);
+ /* shouldn't happen, try again later */
+@@ -3045,7 +3046,6 @@ static int ars_register(struct acpi_nfit
+ break;
+ case -EBUSY:
+ case -ENOMEM:
+- case -ENOSPC:
+ /*
+ * BIOS was using ARS, wait for it to complete (or
+ * resources to become available) and then perform our
--- /dev/null
+From fa3ed4d981b1fc19acdd07fcb152a4bd3706892b Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Wed, 13 Feb 2019 09:01:13 -0800
+Subject: nfit/ars: Attempt short-ARS even in the no_init_ars case
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit fa3ed4d981b1fc19acdd07fcb152a4bd3706892b upstream.
+
+The no_init_ars option is meant to prevent long-ARS, but short-ARS
+should be allowed to grab any immediate results.
+
+Fixes: bc6ba8085842 ("nfit, address-range-scrub: rework and simplify ARS...")
+Cc: <stable@vger.kernel.org>
+Reported-by: Erwin Tsaur <erwin.tsaur@oracle.com>
+Reviewed-by: Toshi Kani <toshi.kani@hpe.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/nfit/core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -3013,11 +3013,12 @@ static int ars_register(struct acpi_nfit
+ {
+ int rc;
+
+- if (no_init_ars || test_bit(ARS_FAILED, &nfit_spa->ars_state))
++ if (test_bit(ARS_FAILED, &nfit_spa->ars_state))
+ return acpi_nfit_register_region(acpi_desc, nfit_spa);
+
+ set_bit(ARS_REQ_SHORT, &nfit_spa->ars_state);
+- set_bit(ARS_REQ_LONG, &nfit_spa->ars_state);
++ if (!no_init_ars)
++ set_bit(ARS_REQ_LONG, &nfit_spa->ars_state);
+
+ switch (acpi_nfit_query_poison(acpi_desc)) {
+ case 0:
--- /dev/null
+From f596c8844fe1d0022007ae6c7a377361fb653eff Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Tue, 29 Jan 2019 22:06:41 -0800
+Subject: nfit: Fix nfit_intel_shutdown_status() command submission
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit f596c8844fe1d0022007ae6c7a377361fb653eff upstream.
+
+The implementation is broken in all the ways the unit test did not touch:
+
+1/ The local definition of in_buf and in_obj violated C99 initializer
+ expectations for zeroing. By only initializing 2 out of the three
+ struct members the compiler was free to zero-initialize the remaining
+ entry even though the aliased location in the union was initialized.
+
+2/ The implementation made assumptions about the state of the 'smart'
+ payload after command execution that are satisfied by
+ acpi_nfit_ctl(), but not acpi_evaluate_dsm().
+
+3/ populate_shutdown_status() is skipped on Intel NVDIMMs due to the early
+ return for skipping the common _LS{I,R,W} enabling.
+
+4/ The input length should be zero.
+
+This breakage was missed due to the unit test implementation only
+testing the case where nfit_intel_shutdown_status() returns a valid
+payload.
+
+Much of this complexity would be saved if acpi_nfit_ctl() could be used, but
+that currently requires a 'struct nvdimm *' argument and one is not created
+until later in the init process. The health result is needed before the device
+is created because the payload gates whether the nmemX/nfit/dirty_shutdown
+property is visible in sysfs.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 0ead11181fe0 ("acpi, nfit: Collect shutdown status")
+Reported-by: Dexuan Cui <decui@microsoft.com>
+Reviewed-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/nfit/core.c | 43 +++++++++++++++++++++++++------------------
+ 1 file changed, 25 insertions(+), 18 deletions(-)
+
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -1759,14 +1759,14 @@ static bool acpi_nvdimm_has_method(struc
+
+ __weak void nfit_intel_shutdown_status(struct nfit_mem *nfit_mem)
+ {
++ struct device *dev = &nfit_mem->adev->dev;
+ struct nd_intel_smart smart = { 0 };
+ union acpi_object in_buf = {
+- .type = ACPI_TYPE_BUFFER,
+- .buffer.pointer = (char *) &smart,
+- .buffer.length = sizeof(smart),
++ .buffer.type = ACPI_TYPE_BUFFER,
++ .buffer.length = 0,
+ };
+ union acpi_object in_obj = {
+- .type = ACPI_TYPE_PACKAGE,
++ .package.type = ACPI_TYPE_PACKAGE,
+ .package.count = 1,
+ .package.elements = &in_buf,
+ };
+@@ -1781,8 +1781,15 @@ __weak void nfit_intel_shutdown_status(s
+ return;
+
+ out_obj = acpi_evaluate_dsm(handle, guid, revid, func, &in_obj);
+- if (!out_obj)
++ if (!out_obj || out_obj->type != ACPI_TYPE_BUFFER
++ || out_obj->buffer.length < sizeof(smart)) {
++ dev_dbg(dev->parent, "%s: failed to retrieve initial health\n",
++ dev_name(dev));
++ ACPI_FREE(out_obj);
+ return;
++ }
++ memcpy(&smart, out_obj->buffer.pointer, sizeof(smart));
++ ACPI_FREE(out_obj);
+
+ if (smart.flags & ND_INTEL_SMART_SHUTDOWN_VALID) {
+ if (smart.shutdown_state)
+@@ -1793,7 +1800,6 @@ __weak void nfit_intel_shutdown_status(s
+ set_bit(NFIT_MEM_DIRTY_COUNT, &nfit_mem->flags);
+ nfit_mem->dirty_shutdown = smart.shutdown_count;
+ }
+- ACPI_FREE(out_obj);
+ }
+
+ static void populate_shutdown_status(struct nfit_mem *nfit_mem)
+@@ -1915,18 +1921,19 @@ static int acpi_nfit_add_dimm(struct acp
+ | 1 << ND_CMD_SET_CONFIG_DATA;
+ if (family == NVDIMM_FAMILY_INTEL
+ && (dsm_mask & label_mask) == label_mask)
+- return 0;
+-
+- if (acpi_nvdimm_has_method(adev_dimm, "_LSI")
+- && acpi_nvdimm_has_method(adev_dimm, "_LSR")) {
+- dev_dbg(dev, "%s: has _LSR\n", dev_name(&adev_dimm->dev));
+- set_bit(NFIT_MEM_LSR, &nfit_mem->flags);
+- }
+-
+- if (test_bit(NFIT_MEM_LSR, &nfit_mem->flags)
+- && acpi_nvdimm_has_method(adev_dimm, "_LSW")) {
+- dev_dbg(dev, "%s: has _LSW\n", dev_name(&adev_dimm->dev));
+- set_bit(NFIT_MEM_LSW, &nfit_mem->flags);
++ /* skip _LS{I,R,W} enabling */;
++ else {
++ if (acpi_nvdimm_has_method(adev_dimm, "_LSI")
++ && acpi_nvdimm_has_method(adev_dimm, "_LSR")) {
++ dev_dbg(dev, "%s: has _LSR\n", dev_name(&adev_dimm->dev));
++ set_bit(NFIT_MEM_LSR, &nfit_mem->flags);
++ }
++
++ if (test_bit(NFIT_MEM_LSR, &nfit_mem->flags)
++ && acpi_nvdimm_has_method(adev_dimm, "_LSW")) {
++ dev_dbg(dev, "%s: has _LSW\n", dev_name(&adev_dimm->dev));
++ set_bit(NFIT_MEM_LSW, &nfit_mem->flags);
++ }
+ }
+
+ populate_shutdown_status(nfit_mem);
crypto-ahash-fix-another-early-termination-in-hash-walk.patch
crypto-rockchip-fix-scatterlist-nents-error.patch
crypto-rockchip-update-new-iv-to-device-in-multiple-operations.patch
+dax-flush-partial-pmds-correctly.patch
+nfit-fix-nfit_intel_shutdown_status-command-submission.patch
+nfit-acpi_nfit_ctl-check-out_obj-type-in-the-right-place.patch
+acpi-nfit-fix-bus-command-validation.patch
+nfit-ars-attempt-a-short-ars-whenever-the-ars-state-is-idle-at-boot.patch
+nfit-ars-attempt-short-ars-even-in-the-no_init_ars-case.patch
+libnvdimm-label-clear-updating-flag-after-label-set-update.patch
+libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch
+libnvdimm-pmem-honor-force_raw-for-legacy-pmem-regions.patch
+libnvdimm-fix-altmap-reservation-size-calculation.patch
+fix-cgroup_do_mount-handling-of-failure-exits.patch