git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
4.4-stable patches
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 1 Jul 2018 10:09:45 +0000 (12:09 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 1 Jul 2018 10:09:45 +0000 (12:09 +0200)
added patches:
arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch
bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch
branch-check-fix-long-int-truncation-when-profiling-branches.patch
cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch
fuse-atomic_o_trunc-should-truncate-pagecache.patch
fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch
fuse-fix-control-dir-setup-and-teardown.patch
ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch
ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch
ib-qib-fix-dma-api-warning-with-debug-kernel.patch
ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch
mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch
mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch
mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch
mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch
mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch
mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch
mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch
of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch
pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch
powerpc-fadump-unregister-fadump-on-kexec-down-path.patch
powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch
powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch
powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch
rdma-mlx4-discard-unknown-sqp-work-requests.patch

26 files changed:
queue-4.4/arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch [new file with mode: 0644]
queue-4.4/bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch [new file with mode: 0644]
queue-4.4/branch-check-fix-long-int-truncation-when-profiling-branches.patch [new file with mode: 0644]
queue-4.4/cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch [new file with mode: 0644]
queue-4.4/fuse-atomic_o_trunc-should-truncate-pagecache.patch [new file with mode: 0644]
queue-4.4/fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch [new file with mode: 0644]
queue-4.4/fuse-fix-control-dir-setup-and-teardown.patch [new file with mode: 0644]
queue-4.4/ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch [new file with mode: 0644]
queue-4.4/ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch [new file with mode: 0644]
queue-4.4/ib-qib-fix-dma-api-warning-with-debug-kernel.patch [new file with mode: 0644]
queue-4.4/ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch [new file with mode: 0644]
queue-4.4/mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch [new file with mode: 0644]
queue-4.4/mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch [new file with mode: 0644]
queue-4.4/mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch [new file with mode: 0644]
queue-4.4/mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch [new file with mode: 0644]
queue-4.4/mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch [new file with mode: 0644]
queue-4.4/mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch [new file with mode: 0644]
queue-4.4/mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch [new file with mode: 0644]
queue-4.4/of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch [new file with mode: 0644]
queue-4.4/pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch [new file with mode: 0644]
queue-4.4/powerpc-fadump-unregister-fadump-on-kexec-down-path.patch [new file with mode: 0644]
queue-4.4/powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch [new file with mode: 0644]
queue-4.4/powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch [new file with mode: 0644]
queue-4.4/powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch [new file with mode: 0644]
queue-4.4/rdma-mlx4-discard-unknown-sqp-work-requests.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch b/queue-4.4/arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch
new file mode 100644 (file)
index 0000000..e6663cb
--- /dev/null
@@ -0,0 +1,45 @@
+From 76ed0b803a2ab793a1b27d1dfe0de7955282cd34 Mon Sep 17 00:00:00 2001
+From: David Rivshin <DRivshin@allworx.com>
+Date: Wed, 25 Apr 2018 21:15:01 +0100
+Subject: ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size
+
+From: David Rivshin <DRivshin@allworx.com>
+
+commit 76ed0b803a2ab793a1b27d1dfe0de7955282cd34 upstream.
+
+NUMREGBYTES (which is used as the size for gdb_regs[]) is incorrectly
+based on DBG_MAX_REG_NUM instead of GDB_MAX_REGS. DBG_MAX_REG_NUM
+is the number of total registers, while GDB_MAX_REGS is the number
+of 'unsigned longs' it takes to serialize those registers. Since
+FP registers require 3 'unsigned longs' each, DBG_MAX_REG_NUM is
+smaller than GDB_MAX_REGS.
+
+This causes GDB 8.0 give the following error on connect:
+"Truncated register 19 in remote 'g' packet"
+
+This also causes the register serialization/deserialization logic
+to overflow gdb_regs[], overwriting whatever follows.
+
+Fixes: 834b2964b7ab ("kgdb,arm: fix register dump")
+Cc: <stable@vger.kernel.org> # 2.6.37+
+Signed-off-by: David Rivshin <drivshin@allworx.com>
+Acked-by: Rabin Vincent <rabin@rab.in>
+Tested-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/include/asm/kgdb.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/include/asm/kgdb.h
++++ b/arch/arm/include/asm/kgdb.h
+@@ -76,7 +76,7 @@ extern int kgdb_fault_expected;
+ #define KGDB_MAX_NO_CPUS      1
+ #define BUFMAX                        400
+-#define NUMREGBYTES           (DBG_MAX_REG_NUM << 2)
++#define NUMREGBYTES           (GDB_MAX_REGS << 2)
+ #define NUMCRITREGBYTES               (32 << 2)
+ #define _R0                   0
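Review bot: In the arch/arm/include/asm/kgdb.h hunk, the new `#define NUMREGBYTES (GDB_MAX_REGS << 2)` still encodes the element size as a bare shift, so nothing at compile time ties the size of gdb_regs[] to what the register serialization writes. The commit message says the old value let serialization overflow gdb_regs[] and overwrite whatever follows; consider writing the size as GDB_MAX_REGS * sizeof(unsigned long) and adding a BUILD_BUG_ON next to the serialization code so that a future mismatch fails the build instead of corrupting memory.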
diff --git a/queue-4.4/bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch b/queue-4.4/bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch
new file mode 100644 (file)
index 0000000..46722f2
--- /dev/null
@@ -0,0 +1,42 @@
+From 7dc5fe0814c35ec4e7d2e8fa30abab72e0e6a172 Mon Sep 17 00:00:00 2001
+From: Amit Pundir <amit.pundir@linaro.org>
+Date: Mon, 16 Apr 2018 12:10:24 +0530
+Subject: Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader
+
+From: Amit Pundir <amit.pundir@linaro.org>
+
+commit 7dc5fe0814c35ec4e7d2e8fa30abab72e0e6a172 upstream.
+
+AOSP use userspace firmware loader to load firmwares, which will
+return -EAGAIN in case qca/rampatch_00440302.bin is not found.
+Since there is no rampatch for dragonboard820c QCA controller
+revision, just make it work as is.
+
+CC: Loic Poulain <loic.poulain@linaro.org>
+CC: Nicolas Dechesne <nicolas.dechesne@linaro.org>
+CC: Marcel Holtmann <marcel@holtmann.org>
+CC: Johan Hedberg <johan.hedberg@gmail.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/hci_qca.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -939,6 +939,12 @@ static int qca_setup(struct hci_uart *hu
+       } else if (ret == -ENOENT) {
+               /* No patch/nvm-config found, run with original fw/config */
+               ret = 0;
++      } else if (ret == -EAGAIN) {
++              /*
++               * Userspace firmware loader will return -EAGAIN in case no
++               * patch/nvm-config is found, so run with original fw/config.
++               */
++              ret = 0;
+       }
+       /* Setup bdaddr */
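Review bot: The added `else if (ret == -EAGAIN)` branch in qca_setup() repeats the body of the -ENOENT branch above it and silently maps the error to success, so a controller that came up without its rampatch/nvm-config leaves no trace. Consider folding the two into one condition (ret == -ENOENT || ret == -EAGAIN) and logging which load result was ignored. The comment should also say that -EAGAIN is treated as "not found" only because of the userspace firmware loader, since -EAGAIN otherwise reads as a retryable failure.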
diff --git a/queue-4.4/branch-check-fix-long-int-truncation-when-profiling-branches.patch b/queue-4.4/branch-check-fix-long-int-truncation-when-profiling-branches.patch
new file mode 100644 (file)
index 0000000..8928627
--- /dev/null
@@ -0,0 +1,41 @@
+From 2026d35741f2c3ece73c11eb7e4a15d7c2df9ebe Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 30 May 2018 08:19:22 -0400
+Subject: branch-check: fix long->int truncation when profiling branches
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 2026d35741f2c3ece73c11eb7e4a15d7c2df9ebe upstream.
+
+The function __builtin_expect returns long type (see the gcc
+documentation), and so do macros likely and unlikely. Unfortunatelly, when
+CONFIG_PROFILE_ANNOTATED_BRANCHES is selected, the macros likely and
+unlikely expand to __branch_check__ and __branch_check__ truncates the
+long type to int. This unintended truncation may cause bugs in various
+kernel code (we found a bug in dm-writecache because of it), so it's
+better to fix __branch_check__ to return long.
+
+Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1805300818140.24812@file01.intranet.prod.int.rdu2.redhat.com
+
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 1f0d69a9fc815 ("tracing: profile likely and unlikely annotations")
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/compiler.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -111,7 +111,7 @@ void ftrace_likely_update(struct ftrace_
+ #define unlikely_notrace(x)   __builtin_expect(!!(x), 0)
+ #define __branch_check__(x, expect) ({                                        \
+-                      int ______r;                                    \
++                      long ______r;                                   \
+                       static struct ftrace_branch_data                \
+                               __attribute__((__aligned__(4)))         \
+                               __attribute__((section("_ftrace_annotated_branch"))) \
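Review bot: In __branch_check__(), the `long ______r;` declaration carries no comment, and the reason for the type lives only in the commit message. A short comment on that line saying the variable must keep the long type returned by __builtin_expect() would stop it from being narrowed back to int later. The hunk shows only the declaration, so it is also worth confirming that nothing further down the macro, outside the visible context, converts ______r to int before it is returned.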
diff --git a/queue-4.4/cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch b/queue-4.4/cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch
new file mode 100644 (file)
index 0000000..d36212f
--- /dev/null
@@ -0,0 +1,147 @@
+From 0a4ec6aa035a52c422eceb2ed51ed88392a3d6c2 Mon Sep 17 00:00:00 2001
+From: "Gautham R. Shenoy" <ego@linux.vnet.ibm.com>
+Date: Thu, 31 May 2018 17:45:09 +0530
+Subject: cpuidle: powernv: Fix promotion from snooze if next state disabled
+
+From: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
+
+commit 0a4ec6aa035a52c422eceb2ed51ed88392a3d6c2 upstream.
+
+The commit 78eaa10f027c ("cpuidle: powernv/pseries: Auto-promotion of
+snooze to deeper idle state") introduced a timeout for the snooze idle
+state so that it could be eventually be promoted to a deeper idle
+state. The snooze timeout value is static and set to the target
+residency of the next idle state, which would train the cpuidle
+governor to pick the next idle state eventually.
+
+The unfortunate side-effect of this is that if the next idle state(s)
+is disabled, the CPU will forever remain in snooze, despite the fact
+that the system is completely idle, and other deeper idle states are
+available.
+
+This patch fixes the issue by dynamically setting the snooze timeout
+to the target residency of the next enabled state on the device.
+
+Before Patch:
+  POWER8 : Only nap disabled.
+  $ cpupower monitor sleep 30
+  sleep took 30.01297 seconds and exited with status 0
+                |Idle_Stats
+  PKG |CORE|CPU | snoo | Nap  | Fast
+     0|   8|   0| 96.41|  0.00|  0.00
+     0|   8|   1| 96.43|  0.00|  0.00
+     0|   8|   2| 96.47|  0.00|  0.00
+     0|   8|   3| 96.35|  0.00|  0.00
+     0|   8|   4| 96.37|  0.00|  0.00
+     0|   8|   5| 96.37|  0.00|  0.00
+     0|   8|   6| 96.47|  0.00|  0.00
+     0|   8|   7| 96.47|  0.00|  0.00
+
+  POWER9: Shallow states (stop0lite, stop1lite, stop2lite, stop0, stop1,
+  stop2) disabled:
+  $ cpupower monitor sleep 30
+  sleep took 30.05033 seconds and exited with status 0
+                |Idle_Stats
+  PKG |CORE|CPU | snoo | stop | stop | stop | stop | stop | stop | stop | stop
+     0|  16|   0| 89.79|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00
+     0|  16|   1| 90.12|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00
+     0|  16|   2| 90.21|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00
+     0|  16|   3| 90.29|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00
+
+After Patch:
+  POWER8 : Only nap disabled.
+  $ cpupower monitor sleep 30
+  sleep took 30.01200 seconds and exited with status 0
+                |Idle_Stats
+  PKG |CORE|CPU | snoo | Nap  | Fast
+     0|   8|   0| 16.58|  0.00| 77.21
+     0|   8|   1| 18.42|  0.00| 75.38
+     0|   8|   2|  4.70|  0.00| 94.09
+     0|   8|   3| 17.06|  0.00| 81.73
+     0|   8|   4|  3.06|  0.00| 95.73
+     0|   8|   5|  7.00|  0.00| 96.80
+     0|   8|   6|  1.00|  0.00| 98.79
+     0|   8|   7|  5.62|  0.00| 94.17
+
+  POWER9: Shallow states (stop0lite, stop1lite, stop2lite, stop0, stop1,
+  stop2) disabled:
+
+  $ cpupower monitor sleep 30
+  sleep took 30.02110 seconds and exited with status 0
+                |Idle_Stats
+  PKG |CORE|CPU | snoo | stop | stop | stop | stop | stop | stop | stop | stop
+     0|   0|   0|  0.69|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  9.39| 89.70
+     0|   0|   1|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.05| 93.21
+     0|   0|   2|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00| 89.93
+     0|   0|   3|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00|  0.00| 93.26
+
+Fixes: 78eaa10f027c ("cpuidle: powernv/pseries: Auto-promotion of snooze to deeper idle state")
+Cc: stable@vger.kernel.org # v4.2+
+Signed-off-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
+Reviewed-by: Balbir Singh <bsingharora@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/cpuidle/cpuidle-powernv.c |   32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+--- a/drivers/cpuidle/cpuidle-powernv.c
++++ b/drivers/cpuidle/cpuidle-powernv.c
+@@ -29,9 +29,31 @@ struct cpuidle_driver powernv_idle_drive
+ static int max_idle_state;
+ static struct cpuidle_state *cpuidle_state_table;
+-static u64 snooze_timeout;
++static u64 default_snooze_timeout;
+ static bool snooze_timeout_en;
++static u64 get_snooze_timeout(struct cpuidle_device *dev,
++                            struct cpuidle_driver *drv,
++                            int index)
++{
++      int i;
++
++      if (unlikely(!snooze_timeout_en))
++              return default_snooze_timeout;
++
++      for (i = index + 1; i < drv->state_count; i++) {
++              struct cpuidle_state *s = &drv->states[i];
++              struct cpuidle_state_usage *su = &dev->states_usage[i];
++
++              if (s->disabled || su->disable)
++                      continue;
++
++              return s->target_residency * tb_ticks_per_usec;
++      }
++
++      return default_snooze_timeout;
++}
++
+ static int snooze_loop(struct cpuidle_device *dev,
+                       struct cpuidle_driver *drv,
+                       int index)
+@@ -41,7 +63,7 @@ static int snooze_loop(struct cpuidle_de
+       local_irq_enable();
+       set_thread_flag(TIF_POLLING_NRFLAG);
+-      snooze_exit_time = get_tb() + snooze_timeout;
++      snooze_exit_time = get_tb() + get_snooze_timeout(dev, drv, index);
+       ppc64_runlatch_off();
+       while (!need_resched()) {
+               HMT_low();
+@@ -286,11 +308,9 @@ static int powernv_idle_probe(void)
+               cpuidle_state_table = powernv_states;
+               /* Device tree can indicate more idle states */
+               max_idle_state = powernv_add_idle_states();
+-              if (max_idle_state > 1) {
++              default_snooze_timeout = TICK_USEC * tb_ticks_per_usec;
++              if (max_idle_state > 1)
+                       snooze_timeout_en = true;
+-                      snooze_timeout = powernv_states[1].target_residency *
+-                                       tb_ticks_per_usec;
+-              }
+       } else
+               return -ENODEV;
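Review bot: get_snooze_timeout() falls back to default_snooze_timeout when no deeper state is enabled, and powernv_idle_probe() now sets that to TICK_USEC * tb_ticks_per_usec, but neither the code nor the commit message explains why one tick was chosen in place of the old powernv_states[1].target_residency value. Add a comment at the `default_snooze_timeout = TICK_USEC * tb_ticks_per_usec;` assignment. The `unlikely(!snooze_timeout_en)` early return also deserves a note, since it returns a timeout for the case where the timeout is not enabled, and the reader cannot tell from this hunk whether snooze_loop() ignores the value in that case.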
diff --git a/queue-4.4/fuse-atomic_o_trunc-should-truncate-pagecache.patch b/queue-4.4/fuse-atomic_o_trunc-should-truncate-pagecache.patch
new file mode 100644 (file)
index 0000000..add2238
--- /dev/null
@@ -0,0 +1,52 @@
+From df0e91d488276086bc07da2e389986cae0048c37 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Thu, 8 Feb 2018 15:17:38 +0100
+Subject: fuse: atomic_o_trunc should truncate pagecache
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit df0e91d488276086bc07da2e389986cae0048c37 upstream.
+
+Fuse has an "atomic_o_trunc" mode, where userspace filesystem uses the
+O_TRUNC flag in the OPEN request to truncate the file atomically with the
+open.
+
+In this mode there's no need to send a SETATTR request to userspace after
+the open, so fuse_do_setattr() checks this mode and returns.  But this
+misses the important step of truncating the pagecache.
+
+Add the missing parts of truncation to the ATTR_OPEN branch.
+
+Reported-by: Chad Austin <chadaustin@fb.com>
+Fixes: 6ff958edbf39 ("fuse: add atomic open+truncate support")
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dir.c |   13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1609,8 +1609,19 @@ int fuse_do_setattr(struct inode *inode,
+               return err;
+       if (attr->ia_valid & ATTR_OPEN) {
+-              if (fc->atomic_o_trunc)
++              /* This is coming from open(..., ... | O_TRUNC); */
++              WARN_ON(!(attr->ia_valid & ATTR_SIZE));
++              WARN_ON(attr->ia_size != 0);
++              if (fc->atomic_o_trunc) {
++                      /*
++                       * No need to send request to userspace, since actual
++                       * truncation has already been done by OPEN.  But still
++                       * need to truncate page cache.
++                       */
++                      i_size_write(inode, 0);
++                      truncate_pagecache(inode, 0);
+                       return 0;
++              }
+               file = NULL;
+       }
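Review bot: In the ATTR_OPEN branch of fuse_do_setattr(), the two WARN_ON() checks only report a violated assumption; when fc->atomic_o_trunc is set the code then calls i_size_write(inode, 0) and truncate_pagecache(inode, 0) regardless. If ATTR_SIZE can ever be absent or ia_size non-zero here, cached data is discarded on a path that was not a truncate to zero. Either return an error when the checks fail, or state in the comment why the caller guarantees both conditions, so the WARN_ON()s are documented as pure assertions.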
diff --git a/queue-4.4/fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch b/queue-4.4/fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch
new file mode 100644 (file)
index 0000000..ae44458
--- /dev/null
@@ -0,0 +1,41 @@
+From 543b8f8662fe6d21f19958b666ab0051af9db21a Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Tue, 1 May 2018 13:12:14 +0900
+Subject: fuse: don't keep dead fuse_conn at fuse_fill_super().
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 543b8f8662fe6d21f19958b666ab0051af9db21a upstream.
+
+syzbot is reporting use-after-free at fuse_kill_sb_blk() [1].
+Since sb->s_fs_info field is not cleared after fc was released by
+fuse_conn_put() when initialization failed, fuse_kill_sb_blk() finds
+already released fc and tries to hold the lock. Fix this by clearing
+sb->s_fs_info field after calling fuse_conn_put().
+
+[1] https://syzkaller.appspot.com/bug?id=a07a680ed0a9290585ca424546860464dd9658db
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+ec3986119086fe4eec97@syzkaller.appspotmail.com>
+Fixes: 3b463ae0c626 ("fuse: invalidation reverse calls")
+Cc: John Muir <john@jmuir.com>
+Cc: Csaba Henk <csaba@gluster.com>
+Cc: Anand Avati <avati@redhat.com>
+Cc: <stable@vger.kernel.org> # v2.6.31
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/inode.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -1158,6 +1158,7 @@ static int fuse_fill_super(struct super_
+  err_put_conn:
+       fuse_bdi_destroy(fc);
+       fuse_conn_put(fc);
++      sb->s_fs_info = NULL;
+  err_fput:
+       fput(file);
+  err:
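Review bot: Under err_put_conn in fuse_fill_super(), `sb->s_fs_info = NULL;` is added without a comment, and it comes after fuse_conn_put(fc), so the field briefly still points at a connection that may already have been released. Clearing s_fs_info before the put, with a one-line comment that fuse_kill_sb_blk() reads this field, would make the ordering obviously safe and keep the assignment from being removed later as dead code.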
diff --git a/queue-4.4/fuse-fix-control-dir-setup-and-teardown.patch b/queue-4.4/fuse-fix-control-dir-setup-and-teardown.patch
new file mode 100644 (file)
index 0000000..af9f912
--- /dev/null
@@ -0,0 +1,68 @@
+From 6becdb601bae2a043d7fb9762c4d48699528ea6e Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Thu, 31 May 2018 12:26:10 +0200
+Subject: fuse: fix control dir setup and teardown
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 6becdb601bae2a043d7fb9762c4d48699528ea6e upstream.
+
+syzbot is reporting NULL pointer dereference at fuse_ctl_remove_conn() [1].
+Since fc->ctl_ndents is incremented by fuse_ctl_add_conn() when new_inode()
+failed, fuse_ctl_remove_conn() reaches an inode-less dentry and tries to
+clear d_inode(dentry)->i_private field.
+
+Fix by only adding the dentry to the array after being fully set up.
+
+When tearing down the control directory, do d_invalidate() on it to get rid
+of any mounts that might have been added.
+
+[1] https://syzkaller.appspot.com/bug?id=f396d863067238959c91c0b7cfc10b163638cac6
+Reported-by: syzbot <syzbot+32c236387d66c4516827@syzkaller.appspotmail.com>
+Fixes: bafa96541b25 ("[PATCH] fuse: add control filesystem")
+Cc: <stable@vger.kernel.org> # v2.6.18
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/control.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/fs/fuse/control.c
++++ b/fs/fuse/control.c
+@@ -211,10 +211,11 @@ static struct dentry *fuse_ctl_add_dentr
+       if (!dentry)
+               return NULL;
+-      fc->ctl_dentry[fc->ctl_ndents++] = dentry;
+       inode = new_inode(fuse_control_sb);
+-      if (!inode)
++      if (!inode) {
++              dput(dentry);
+               return NULL;
++      }
+       inode->i_ino = get_next_ino();
+       inode->i_mode = mode;
+@@ -228,6 +229,9 @@ static struct dentry *fuse_ctl_add_dentr
+       set_nlink(inode, nlink);
+       inode->i_private = fc;
+       d_add(dentry, inode);
++
++      fc->ctl_dentry[fc->ctl_ndents++] = dentry;
++
+       return dentry;
+ }
+@@ -284,7 +288,10 @@ void fuse_ctl_remove_conn(struct fuse_co
+       for (i = fc->ctl_ndents - 1; i >= 0; i--) {
+               struct dentry *dentry = fc->ctl_dentry[i];
+               d_inode(dentry)->i_private = NULL;
+-              d_drop(dentry);
++              if (!i) {
++                      /* Get rid of submounts: */
++                      d_invalidate(dentry);
++              }
+               dput(dentry);
+       }
+       drop_nlink(d_inode(fuse_control_sb->s_root));
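Review bot: In fuse_ctl_remove_conn(), the new `if (!i)` test relies on entry 0 of fc->ctl_dentry[] being the connection's control directory, which the comment "Get rid of submounts" does not say. Spell that out in the comment, and note that the remaining entries are no longer unhashed now that d_drop() is gone. The loop also still dereferences d_inode(dentry) unconditionally, so the fix depends on fuse_ctl_add_dentry() storing only fully set up dentries; a comment at the `fc->ctl_dentry[fc->ctl_ndents++] = dentry;` line would record that invariant.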
diff --git a/queue-4.4/ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch b/queue-4.4/ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch
new file mode 100644 (file)
index 0000000..a214da4
--- /dev/null
@@ -0,0 +1,114 @@
+From 763b69654bfb88ea3230d015e7d755ee8339f8ee Mon Sep 17 00:00:00 2001
+From: Alex Estrin <alex.estrin@intel.com>
+Date: Tue, 15 May 2018 18:31:39 -0700
+Subject: IB/isert: Fix for lib/dma_debug check_sync warning
+
+From: Alex Estrin <alex.estrin@intel.com>
+
+commit 763b69654bfb88ea3230d015e7d755ee8339f8ee upstream.
+
+The following error message occurs on a target host in a debug build
+during session login:
+
+[ 3524.411874] WARNING: CPU: 5 PID: 12063 at lib/dma-debug.c:1207 check_sync+0x4ec/0x5b0
+[ 3524.421057] infiniband hfi1_0: DMA-API: device driver tries to sync DMA memory it has not allocated [device address=0x0000000000000000] [size=76 bytes]
+......snip .....
+
+[ 3524.535846] CPU: 5 PID: 12063 Comm: iscsi_np Kdump: loaded Not tainted 3.10.0-862.el7.x86_64.debug #1
+[ 3524.546764] Hardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 1.2.6 06/08/2015
+[ 3524.555740] Call Trace:
+[ 3524.559102]  [<ffffffffa5fe915b>] dump_stack+0x19/0x1b
+[ 3524.565477]  [<ffffffffa58a2f58>] __warn+0xd8/0x100
+[ 3524.571557]  [<ffffffffa58a2fdf>] warn_slowpath_fmt+0x5f/0x80
+[ 3524.578610]  [<ffffffffa5bf5b8c>] check_sync+0x4ec/0x5b0
+[ 3524.585177]  [<ffffffffa58efc3f>] ? set_cpus_allowed_ptr+0x5f/0x1c0
+[ 3524.592812]  [<ffffffffa5bf5cd0>] debug_dma_sync_single_for_cpu+0x80/0x90
+[ 3524.601029]  [<ffffffffa586add3>] ? x2apic_send_IPI_mask+0x13/0x20
+[ 3524.608574]  [<ffffffffa585ee1b>] ? native_smp_send_reschedule+0x5b/0x80
+[ 3524.616699]  [<ffffffffa58e9b76>] ? resched_curr+0xf6/0x140
+[ 3524.623567]  [<ffffffffc0879af0>] isert_create_send_desc.isra.26+0xe0/0x110 [ib_isert]
+[ 3524.633060]  [<ffffffffc087af95>] isert_put_login_tx+0x55/0x8b0 [ib_isert]
+[ 3524.641383]  [<ffffffffa58ef114>] ? try_to_wake_up+0x1a4/0x430
+[ 3524.648561]  [<ffffffffc098cfed>] iscsi_target_do_tx_login_io+0xdd/0x230 [iscsi_target_mod]
+[ 3524.658557]  [<ffffffffc098d827>] iscsi_target_do_login+0x1a7/0x600 [iscsi_target_mod]
+[ 3524.668084]  [<ffffffffa59f9bc9>] ? kstrdup+0x49/0x60
+[ 3524.674420]  [<ffffffffc098e976>] iscsi_target_start_negotiation+0x56/0xc0 [iscsi_target_mod]
+[ 3524.684656]  [<ffffffffc098c2ee>] __iscsi_target_login_thread+0x90e/0x1070 [iscsi_target_mod]
+[ 3524.694901]  [<ffffffffc098ca50>] ? __iscsi_target_login_thread+0x1070/0x1070 [iscsi_target_mod]
+[ 3524.705446]  [<ffffffffc098ca50>] ? __iscsi_target_login_thread+0x1070/0x1070 [iscsi_target_mod]
+[ 3524.715976]  [<ffffffffc098ca78>] iscsi_target_login_thread+0x28/0x60 [iscsi_target_mod]
+[ 3524.725739]  [<ffffffffa58d60ff>] kthread+0xef/0x100
+[ 3524.732007]  [<ffffffffa58d6010>] ? insert_kthread_work+0x80/0x80
+[ 3524.739540]  [<ffffffffa5fff1b7>] ret_from_fork_nospec_begin+0x21/0x21
+[ 3524.747558]  [<ffffffffa58d6010>] ? insert_kthread_work+0x80/0x80
+[ 3524.755088] ---[ end trace 23f8bf9238bd1ed8 ]---
+[ 3595.510822] iSCSI/iqn.1994-05.com.redhat:537fa56299: Unsupported SCSI Opcode 0xa3, sending CHECK_CONDITION.
+
+The code calls dma_sync on login_tx_desc->dma_addr prior to initializing it
+with dma-mapped address.
+login_tx_desc is a part of iser_conn structure and is used only once
+during login negotiation, so the issue is fixed by eliminating
+dma_sync call for this buffer using a special case routine.
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Reviewed-by: Don Dutile <ddutile@redhat.com>
+Signed-off-by: Alex Estrin <alex.estrin@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c |   26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -1043,15 +1043,9 @@ isert_post_send(struct isert_conn *isert
+ }
+ static void
+-isert_create_send_desc(struct isert_conn *isert_conn,
+-                     struct isert_cmd *isert_cmd,
+-                     struct iser_tx_desc *tx_desc)
++__isert_create_send_desc(struct isert_device *device,
++                       struct iser_tx_desc *tx_desc)
+ {
+-      struct isert_device *device = isert_conn->device;
+-      struct ib_device *ib_dev = device->ib_device;
+-
+-      ib_dma_sync_single_for_cpu(ib_dev, tx_desc->dma_addr,
+-                                 ISER_HEADERS_LEN, DMA_TO_DEVICE);
+       memset(&tx_desc->iser_header, 0, sizeof(struct iser_hdr));
+       tx_desc->iser_header.flags = ISER_VER;
+@@ -1065,6 +1059,20 @@ isert_create_send_desc(struct isert_conn
+       }
+ }
++static void
++isert_create_send_desc(struct isert_conn *isert_conn,
++                     struct isert_cmd *isert_cmd,
++                     struct iser_tx_desc *tx_desc)
++{
++      struct isert_device *device = isert_conn->device;
++      struct ib_device *ib_dev = device->ib_device;
++
++      ib_dma_sync_single_for_cpu(ib_dev, tx_desc->dma_addr,
++                                 ISER_HEADERS_LEN, DMA_TO_DEVICE);
++
++      __isert_create_send_desc(device, tx_desc);
++}
++
+ static int
+ isert_init_tx_hdrs(struct isert_conn *isert_conn,
+                  struct iser_tx_desc *tx_desc)
+@@ -1143,7 +1151,7 @@ isert_put_login_tx(struct iscsi_conn *co
+       struct iser_tx_desc *tx_desc = &isert_conn->login_tx_desc;
+       int ret;
+-      isert_create_send_desc(isert_conn, NULL, tx_desc);
++      __isert_create_send_desc(device, tx_desc);
+       memcpy(&tx_desc->iscsi_header, &login->rsp[0],
+              sizeof(struct iscsi_hdr));
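Review bot: __isert_create_send_desc() is introduced without a comment saying when it is valid to skip ib_dma_sync_single_for_cpu(); per the commit message that is only the login_tx_desc case, where dma_addr has not yet been initialized with a mapped address. Add that as a comment above the helper so other callers keep using isert_create_send_desc(). In isert_put_login_tx(), the new call passes `device`, whose declaration is not in the visible context lines; confirm it exists in the 4.4 version of that function.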
diff --git a/queue-4.4/ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch b/queue-4.4/ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch
new file mode 100644 (file)
index 0000000..22dbd3f
--- /dev/null
@@ -0,0 +1,120 @@
+From d8f9cc328c8888369880e2527e9186d745f2bbf6 Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Wed, 23 May 2018 15:30:31 +0300
+Subject: IB/mlx4: Mark user MR as writable if actual virtual memory is writable
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+commit d8f9cc328c8888369880e2527e9186d745f2bbf6 upstream.
+
+To allow rereg_user_mr to modify the MR from read-only to writable without
+using get_user_pages again, we needed to define the initial MR as writable.
+However, this was originally done unconditionally, without taking into
+account the writability of the underlying virtual memory.
+
+As a result, any attempt to register a read-only MR over read-only
+virtual memory failed.
+
+To fix this, do not add the writable flag bit when the user virtual memory
+is not writable (e.g. const memory).
+
+However, when the underlying memory is NOT writable (and we therefore
+do not define the initial MR as writable), the IB core adds a
+"force writable" flag to its user-pages request. If this succeeds,
+the reg_user_mr caller gets a writable copy of the original pages.
+
+If the user-space caller then does a rereg_user_mr operation to enable
+writability, this will succeed. This should not be allowed, since
+the original virtual memory was not writable.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 9376932d0c26 ("IB/mlx4_ib: Add support for user MR re-registration")
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx4/mr.c |   50 +++++++++++++++++++++++++++++++++-------
+ 1 file changed, 42 insertions(+), 8 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx4/mr.c
++++ b/drivers/infiniband/hw/mlx4/mr.c
+@@ -130,6 +130,40 @@ out:
+       return err;
+ }
++static struct ib_umem *mlx4_get_umem_mr(struct ib_ucontext *context, u64 start,
++                                      u64 length, u64 virt_addr,
++                                      int access_flags)
++{
++      /*
++       * Force registering the memory as writable if the underlying pages
++       * are writable.  This is so rereg can change the access permissions
++       * from readable to writable without having to run through ib_umem_get
++       * again
++       */
++      if (!ib_access_writable(access_flags)) {
++              struct vm_area_struct *vma;
++
++              down_read(&current->mm->mmap_sem);
++              /*
++               * FIXME: Ideally this would iterate over all the vmas that
++               * cover the memory, but for now it requires a single vma to
++               * entirely cover the MR to support RO mappings.
++               */
++              vma = find_vma(current->mm, start);
++              if (vma && vma->vm_end >= start + length &&
++                  vma->vm_start <= start) {
++                      if (vma->vm_flags & VM_WRITE)
++                              access_flags |= IB_ACCESS_LOCAL_WRITE;
++              } else {
++                      access_flags |= IB_ACCESS_LOCAL_WRITE;
++              }
++
++              up_read(&current->mm->mmap_sem);
++      }
++
++      return ib_umem_get(context, start, length, access_flags, 0);
++}
++
+ struct ib_mr *mlx4_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length,
+                                 u64 virt_addr, int access_flags,
+                                 struct ib_udata *udata)
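Review bot: in mlx4_get_umem_mr() the else branch still ORs in IB_ACCESS_LOCAL_WRITE whenever a single vma does not cover [start, start + length), so a read-only registration over read-only memory that spans more than one vma keeps failing as it did before this patch. The FIXME admits this, but the commit message presents the failure as fixed; state the single-vma limitation there. Smaller points: virt_addr is accepted but never used in the helper, `start + length` is compared against vma->vm_end with no overflow check, and the vma is inspected under mmap_sem while ib_umem_get() runs only after up_read(), so the mapping can change between the check and the pin.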
+@@ -144,10 +178,8 @@ struct ib_mr *mlx4_ib_reg_user_mr(struct
+       if (!mr)
+               return ERR_PTR(-ENOMEM);
+-      /* Force registering the memory as writable. */
+-      /* Used for memory re-registeration. HCA protects the access */
+-      mr->umem = ib_umem_get(pd->uobject->context, start, length,
+-                             access_flags | IB_ACCESS_LOCAL_WRITE, 0);
++      mr->umem = mlx4_get_umem_mr(pd->uobject->context, start, length,
++                                  virt_addr, access_flags);
+       if (IS_ERR(mr->umem)) {
+               err = PTR_ERR(mr->umem);
+               goto err_free;
+@@ -214,6 +246,9 @@ int mlx4_ib_rereg_user_mr(struct ib_mr *
+       }
+       if (flags & IB_MR_REREG_ACCESS) {
++              if (ib_access_writable(mr_access_flags) && !mmr->umem->writable)
++                      return -EPERM;
++
+               err = mlx4_mr_hw_change_access(dev->dev, *pmpt_entry,
+                                              convert_access(mr_access_flags));
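Review bot: the new `return -EPERM;` in the IB_MR_REREG_ACCESS branch leaves the function directly, while the call right below it stores its result in err, which suggests a shared exit path. Confirm that nothing obtained earlier in mlx4_ib_rereg_user_mr() (the entry behind *pmpt_entry, for instance) has to be released on that path; if it does, set err = -EPERM and jump to the existing cleanup code instead of returning.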
+@@ -227,10 +262,9 @@ int mlx4_ib_rereg_user_mr(struct ib_mr *
+               mlx4_mr_rereg_mem_cleanup(dev->dev, &mmr->mmr);
+               ib_umem_release(mmr->umem);
+-              mmr->umem = ib_umem_get(mr->uobject->context, start, length,
+-                                      mr_access_flags |
+-                                      IB_ACCESS_LOCAL_WRITE,
+-                                      0);
++              mmr->umem =
++                      mlx4_get_umem_mr(mr->uobject->context, start, length,
++                                       virt_addr, mr_access_flags);
+               if (IS_ERR(mmr->umem)) {
+                       err = PTR_ERR(mmr->umem);
+                       /* Prevent mlx4_ib_dereg_mr from free'ing invalid pointer */
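Review bot: the writability check added in the previous hunk tests mmr->umem->writable before this block releases that umem and pins a new one, so a rereg call that changes both access and translation is judged against the old pages rather than the range registered here. If that combination is allowed, either move the check to after the new umem is obtained or document that write access is always decided by the original mapping.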
diff --git a/queue-4.4/ib-qib-fix-dma-api-warning-with-debug-kernel.patch b/queue-4.4/ib-qib-fix-dma-api-warning-with-debug-kernel.patch
new file mode 100644 (file)
index 0000000..0f7eb67
--- /dev/null
@@ -0,0 +1,153 @@
+From 0252f73334f9ef68868e4684200bea3565a4fcee Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 18 May 2018 17:07:01 -0700
+Subject: IB/qib: Fix DMA api warning with debug kernel
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+commit 0252f73334f9ef68868e4684200bea3565a4fcee upstream.
+
+The following error occurs in a debug build when running MPI PSM:
+
+[  307.415911] WARNING: CPU: 4 PID: 23867 at lib/dma-debug.c:1158
+check_unmap+0x4ee/0xa20
+[  307.455661] ib_qib 0000:05:00.0: DMA-API: device driver failed to check map
+error[device address=0x00000000df82b000] [size=4096 bytes] [mapped as page]
+[  307.517494] Modules linked in:
+[  307.531584]  ib_isert iscsi_target_mod ib_srpt target_core_mod rpcrdma
+sunrpc ib_srp scsi_transport_srp scsi_tgt ib_iser libiscsi ib_ipoib
+scsi_transport_iscsi rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm
+ib_qib intel_powerclamp coretemp rdmavt intel_rapl iosf_mbi kvm_intel kvm
+irqbypass crc32_pclmul ghash_clmulni_intel ipmi_ssif ib_core aesni_intel sg
+ipmi_si lrw gf128mul dca glue_helper ipmi_devintf iTCO_wdt gpio_ich hpwdt
+iTCO_vendor_support ablk_helper hpilo acpi_power_meter cryptd ipmi_msghandler
+ie31200_edac shpchp pcc_cpufreq lpc_ich pcspkr ip_tables xfs libcrc32c sd_mod
+crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper syscopyarea
+sysfillrect sysimgblt fb_sys_fops ttm ahci crct10dif_pclmul crct10dif_common
+drm crc32c_intel libahci tg3 libata serio_raw ptp i2c_core
+[  307.846113]  pps_core dm_mirror dm_region_hash dm_log dm_mod
+[  307.866505] CPU: 4 PID: 23867 Comm: mpitests-IMB-MP Kdump: loaded Not
+tainted 3.10.0-862.el7.x86_64.debug #1
+[  307.911178] Hardware name: HP ProLiant DL320e Gen8, BIOS J05 11/09/2013
+[  307.944206] Call Trace:
+[  307.956973]  [<ffffffffbd9e915b>] dump_stack+0x19/0x1b
+[  307.982201]  [<ffffffffbd2a2f58>] __warn+0xd8/0x100
+[  308.005999]  [<ffffffffbd2a2fdf>] warn_slowpath_fmt+0x5f/0x80
+[  308.034260]  [<ffffffffbd5f667e>] check_unmap+0x4ee/0xa20
+[  308.060801]  [<ffffffffbd41acaa>] ? page_add_file_rmap+0x2a/0x1d0
+[  308.090689]  [<ffffffffbd5f6c4d>] debug_dma_unmap_page+0x9d/0xb0
+[  308.120155]  [<ffffffffbd4082e0>] ? might_fault+0xa0/0xb0
+[  308.146656]  [<ffffffffc07761a5>] qib_tid_free.isra.14+0x215/0x2a0 [ib_qib]
+[  308.180739]  [<ffffffffc0776bf4>] qib_write+0x894/0x1280 [ib_qib]
+[  308.210733]  [<ffffffffbd540b00>] ? __inode_security_revalidate+0x70/0x80
+[  308.244837]  [<ffffffffbd53c2b7>] ? security_file_permission+0x27/0xb0
+[  308.266025] qib_ib0.8006: multicast join failed for
+ff12:401b:8006:0000:0000:0000:ffff:ffff, status -22
+[  308.323421]  [<ffffffffbd46f5d3>] vfs_write+0xc3/0x1f0
+[  308.347077]  [<ffffffffbd492a5c>] ? fget_light+0xfc/0x510
+[  308.372533]  [<ffffffffbd47045a>] SyS_write+0x8a/0x100
+[  308.396456]  [<ffffffffbd9ff355>] system_call_fastpath+0x1c/0x21
+
+The code calls a qib_map_page() which has never correctly tested for a
+mapping error.
+
+Fix by testing for pci_dma_mapping_error() in all cases and properly
+handling the failure in the caller.
+
+Additionally, streamline qib_map_page() arguments to satisfy just
+the single caller.
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Alex Estrin <alex.estrin@intel.com>
+Tested-by: Don Dutile <ddutile@redhat.com>
+Reviewed-by: Don Dutile <ddutile@redhat.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/qib/qib.h            |    3 +--
+ drivers/infiniband/hw/qib/qib_file_ops.c   |   10 +++++++---
+ drivers/infiniband/hw/qib/qib_user_pages.c |   20 ++++++++++++--------
+ 3 files changed, 20 insertions(+), 13 deletions(-)
+
+--- a/drivers/infiniband/hw/qib/qib.h
++++ b/drivers/infiniband/hw/qib/qib.h
+@@ -1451,8 +1451,7 @@ u64 qib_sps_ints(void);
+ /*
+  * dma_addr wrappers - all 0's invalid for hw
+  */
+-dma_addr_t qib_map_page(struct pci_dev *, struct page *, unsigned long,
+-                        size_t, int);
++int qib_map_page(struct pci_dev *d, struct page *p, dma_addr_t *daddr);
+ const char *qib_get_unit_name(int unit);
+ /*
+--- a/drivers/infiniband/hw/qib/qib_file_ops.c
++++ b/drivers/infiniband/hw/qib/qib_file_ops.c
+@@ -364,6 +364,8 @@ static int qib_tid_update(struct qib_ctx
+               goto done;
+       }
+       for (i = 0; i < cnt; i++, vaddr += PAGE_SIZE) {
++              dma_addr_t daddr;
++
+               for (; ntids--; tid++) {
+                       if (tid == tidcnt)
+                               tid = 0;
+@@ -380,12 +382,14 @@ static int qib_tid_update(struct qib_ctx
+                       ret = -ENOMEM;
+                       break;
+               }
++              ret = qib_map_page(dd->pcidev, pagep[i], &daddr);
++              if (ret)
++                      break;
++
+               tidlist[i] = tid + tidoff;
+               /* we "know" system pages and TID pages are same size */
+               dd->pageshadow[ctxttid + tid] = pagep[i];
+-              dd->physshadow[ctxttid + tid] =
+-                      qib_map_page(dd->pcidev, pagep[i], 0, PAGE_SIZE,
+-                                   PCI_DMA_FROMDEVICE);
++              dd->physshadow[ctxttid + tid] = daddr;
+               /*
+                * don't need atomic or it's overhead
+                */
+--- a/drivers/infiniband/hw/qib/qib_user_pages.c
++++ b/drivers/infiniband/hw/qib/qib_user_pages.c
+@@ -98,23 +98,27 @@ bail:
+  *
+  * I'm sure we won't be so lucky with other iommu's, so FIXME.
+  */
+-dma_addr_t qib_map_page(struct pci_dev *hwdev, struct page *page,
+-                      unsigned long offset, size_t size, int direction)
++int qib_map_page(struct pci_dev *hwdev, struct page *page, dma_addr_t *daddr)
+ {
+       dma_addr_t phys;
+-      phys = pci_map_page(hwdev, page, offset, size, direction);
++      phys = pci_map_page(hwdev, page, 0, PAGE_SIZE, PCI_DMA_FROMDEVICE);
++      if (pci_dma_mapping_error(hwdev, phys))
++              return -ENOMEM;
+-      if (phys == 0) {
+-              pci_unmap_page(hwdev, phys, size, direction);
+-              phys = pci_map_page(hwdev, page, offset, size, direction);
++      if (!phys) {
++              pci_unmap_page(hwdev, phys, PAGE_SIZE, PCI_DMA_FROMDEVICE);
++              phys = pci_map_page(hwdev, page, 0, PAGE_SIZE,
++                                  PCI_DMA_FROMDEVICE);
++              if (pci_dma_mapping_error(hwdev, phys))
++                      return -ENOMEM;
+               /*
+                * FIXME: If we get 0 again, we should keep this page,
+                * map another, then free the 0 page.
+                */
+       }
+-
+-      return phys;
++      *daddr = phys;
++      return 0;
+ }
+ /**
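Review bot: after the retry in the `!phys` branch, qib_map_page() can still end up with phys == 0 (the FIXME covers exactly that case) and now reports it as success with *daddr = 0, although the wrapper comment in qib.h says all 0's is invalid for the hardware. Since the function now returns an int, return an error when the second mapping is 0 as well, so the caller's `if (ret) break;` covers it. The new return convention (0 on success, -ENOMEM on mapping error, result in *daddr) should also be stated in the comment above the function.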
diff --git a/queue-4.4/ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch b/queue-4.4/ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch
new file mode 100644 (file)
index 0000000..2146b61
--- /dev/null
@@ -0,0 +1,42 @@
+From fe50a7d0393a552e4539da2d31261a59d6415950 Mon Sep 17 00:00:00 2001
+From: Corey Minyard <cminyard@mvista.com>
+Date: Tue, 22 May 2018 08:14:51 -0500
+Subject: ipmi:bt: Set the timeout before doing a capabilities check
+
+From: Corey Minyard <cminyard@mvista.com>
+
+commit fe50a7d0393a552e4539da2d31261a59d6415950 upstream.
+
+There was one place where the timeout value for an operation was
+not being set, if a capabilities request was done from idle.  Move
+the timeout value setting to before where that change might be
+requested.
+
+IMHO the cause here is the invisible returns in the macros.  Maybe
+that's a job for later, though.
+
+Reported-by: Nordmark Claes <Claes.Nordmark@tieto.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ipmi/ipmi_bt_sm.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/ipmi/ipmi_bt_sm.c
++++ b/drivers/char/ipmi/ipmi_bt_sm.c
+@@ -522,11 +522,12 @@ static enum si_sm_result bt_event(struct
+               if (status & BT_H_BUSY)         /* clear a leftover H_BUSY */
+                       BT_CONTROL(BT_H_BUSY);
++              bt->timeout = bt->BT_CAP_req2rsp;
++
+               /* Read BT capabilities if it hasn't been done yet */
+               if (!bt->BT_CAP_outreqs)
+                       BT_STATE_CHANGE(BT_STATE_CAPABILITIES_BEGIN,
+                                       SI_SM_CALL_WITHOUT_DELAY);
+-              bt->timeout = bt->BT_CAP_req2rsp;
+               BT_SI_SM_RETURN(SI_SM_IDLE);
+       case BT_STATE_XACTION_START:
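Review bot: nothing at the moved `bt->timeout = bt->BT_CAP_req2rsp;` line says why it has to sit above BT_STATE_CHANGE(). The commit message names the hidden return in that macro as the cause, so put that in a one-line comment here; otherwise a later cleanup can move the assignment back next to BT_SI_SM_RETURN() and reintroduce the unset timeout.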
diff --git a/queue-4.4/mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch b/queue-4.4/mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch
new file mode 100644 (file)
index 0000000..cba4888
--- /dev/null
@@ -0,0 +1,84 @@
+From 2a027b47dba6b77ab8c8e47b589ae9bbc5ac6175 Mon Sep 17 00:00:00 2001
+From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Date: Sun, 3 Jun 2018 23:02:01 +0900
+Subject: MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+
+commit 2a027b47dba6b77ab8c8e47b589ae9bbc5ac6175 upstream.
+
+The erratum and workaround are described by BCM5300X-ES300-RDS.pdf as
+below.
+
+  R10: PCIe Transactions Periodically Fail
+
+    Description: The BCM5300X PCIe does not maintain transaction ordering.
+                 This may cause PCIe transaction failure.
+    Fix Comment: Add a dummy PCIe configuration read after a PCIe
+                 configuration write to ensure PCIe configuration access
+                 ordering. Set ES bit of CP0 configu7 register to enable
+                 sync function so that the sync instruction is functional.
+    Resolution:  hndpci.c: extpci_write_config()
+                 hndmips.c: si_mips_init()
+                 mipsinc.h CONF7_ES
+
+This is fixed by the CFE MIPS bcmsi chipset driver also for BCM47XX.
+Also the dummy PCIe configuration read is already implemented in the
+Linux BCMA driver.
+
+Enable ExternalSync in Config7 when CONFIG_BCMA_DRIVER_PCI_HOSTMODE=y
+too so that the sync instruction is externalised.
+
+Signed-off-by: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Reviewed-by: Paul Burton <paul.burton@mips.com>
+Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
+Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Cc: RafaÅ‚ MiÅ‚ecki <zajec5@gmail.com>
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/19461/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/bcm47xx/setup.c        |    6 ++++++
+ arch/mips/include/asm/mipsregs.h |    3 +++
+ 2 files changed, 9 insertions(+)
+
+--- a/arch/mips/bcm47xx/setup.c
++++ b/arch/mips/bcm47xx/setup.c
+@@ -249,6 +249,12 @@ static int __init bcm47xx_cpu_fixes(void
+                */
+               if (bcm47xx_bus.bcma.bus.chipinfo.id == BCMA_CHIP_ID_BCM4706)
+                       cpu_wait = NULL;
++
++              /*
++               * BCM47XX Erratum "R10: PCIe Transactions Periodically Fail"
++               * Enable ExternalSync for sync instruction to take effect
++               */
++              set_c0_config7(MIPS_CONF7_ES);
+               break;
+ #endif
+       }
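Review bot: the added set_c0_config7(MIPS_CONF7_ES) runs for every chip that reaches this bus case, while the subject limits the erratum to the 74K core and the message ties the change to CONFIG_BCMA_DRIVER_PCI_HOSTMODE=y; no check for the core type or for PCIe host mode is visible in the hunk. If the #ifdef closed by the #endif below is not that guard, either add the condition or say in the comment why setting ES is harmless on the other cores and configurations. The comment could also name the errata sheet cited in the message (BCM5300X-ES300-RDS.pdf).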
+--- a/arch/mips/include/asm/mipsregs.h
++++ b/arch/mips/include/asm/mipsregs.h
+@@ -605,6 +605,8 @@
+ #define MIPS_CONF7_WII                (_ULCAST_(1) << 31)
+ #define MIPS_CONF7_RPS                (_ULCAST_(1) << 2)
++/* ExternalSync */
++#define MIPS_CONF7_ES         (_ULCAST_(1) << 8)
+ #define MIPS_CONF7_IAR                (_ULCAST_(1) << 10)
+ #define MIPS_CONF7_AR         (_ULCAST_(1) << 16)
+@@ -2012,6 +2014,7 @@ __BUILD_SET_C0(status)
+ __BUILD_SET_C0(cause)
+ __BUILD_SET_C0(config)
+ __BUILD_SET_C0(config5)
++__BUILD_SET_C0(config7)
+ __BUILD_SET_C0(intcontrol)
+ __BUILD_SET_C0(intctl)
+ __BUILD_SET_C0(srsmap)
diff --git a/queue-4.4/mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch b/queue-4.4/mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch
new file mode 100644 (file)
index 0000000..9bb8169
--- /dev/null
@@ -0,0 +1,33 @@
+From f1ce87f6080b1dda7e7b1eda3da332add19d87b9 Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Date: Wed, 6 Jun 2018 12:13:30 +0200
+Subject: mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking.
+
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+
+commit f1ce87f6080b1dda7e7b1eda3da332add19d87b9 upstream.
+
+cfi_ppb_unlock() walks all flash chips when unlocking sectors,
+avoid walking chips unaffected by the unlock operation.
+
+Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
+Cc: stable@vger.kernel.org
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -2693,6 +2693,8 @@ static int __maybe_unused cfi_ppb_unlock
+                       i++;
+               if (adr >> cfi->chipshift) {
++                      if (offset >= (ofs + len))
++                              break;
+                       adr = 0;
+                       chipnum++;
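Review bot: the added `if (offset >= (ofs + len)) break;` is evaluated only inside the `adr >> cfi->chipshift` branch, so it bounds the walk at the first chip boundary past the end of the request; chips lying entirely below ofs are not covered by this hunk. If that is intended, add a comment saying that the remainder of the current chip must still be walked and why the test is made only at a chip boundary, since the condition alone does not show it.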
diff --git a/queue-4.4/mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch b/queue-4.4/mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch
new file mode 100644 (file)
index 0000000..7dac977
--- /dev/null
@@ -0,0 +1,91 @@
+From 45f75b8a919a4255f52df454f1ffdee0e42443b2 Mon Sep 17 00:00:00 2001
+From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Date: Wed, 30 May 2018 18:32:28 +0900
+Subject: mtd: cfi_cmdset_0002: Change erase functions to retry for error
+
+From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+
+commit 45f75b8a919a4255f52df454f1ffdee0e42443b2 upstream.
+
+For the word write functions it is retried for error.
+But it is not implemented to retry for the erase functions.
+To make sure for the erase functions change to retry as same.
+
+This is needed to prevent the flash erase error caused only once.
+It was caused by the error case of chip_good() in the do_erase_oneblock().
+Also it was confirmed on the MACRONIX flash device MX29GL512FHT2I-11G.
+But the error issue behavior is not able to reproduce at this moment.
+The flash controller is parallel Flash interface integrated on BCM53003.
+
+Signed-off-by: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Reviewed-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
+Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Cc: Brian Norris <computersforpeace@gmail.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Cc: Boris Brezillon <boris.brezillon@free-electrons.com>
+Cc: Marek Vasut <marek.vasut@gmail.com>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Cyrille Pitchen <cyrille.pitchen@wedev4u.fr>
+Cc: linux-mtd@lists.infradead.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -2239,6 +2239,7 @@ static int __xipram do_erase_chip(struct
+       unsigned long int adr;
+       DECLARE_WAITQUEUE(wait, current);
+       int ret = 0;
++      int retry_cnt = 0;
+       adr = cfi->addr_unlock1;
+@@ -2256,6 +2257,7 @@ static int __xipram do_erase_chip(struct
+       ENABLE_VPP(map);
+       xip_disable(map, chip, adr);
++ retry:
+       cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
+       cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL);
+       cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
+@@ -2310,6 +2312,9 @@ static int __xipram do_erase_chip(struct
+               map_write( map, CMD(0xF0), chip->start );
+               /* FIXME - should have reset delay before continuing */
++              if (++retry_cnt <= MAX_RETRIES)
++                      goto retry;
++
+               ret = -EIO;
+       }
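Review bot: the retry jumps back to the unlock sequence immediately after `map_write( map, CMD(0xF0), chip->start );`, and the FIXME on the next line already says a reset delay is missing before continuing. With `goto retry` the next command cycle now follows the reset with no delay at all, so add the delay before retrying or explain why the device tolerates it. The same applies to the identical change in do_erase_oneblock(). A log line on retry would also help, since the commit message says the original error could not be reproduced.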
+@@ -2329,6 +2334,7 @@ static int __xipram do_erase_oneblock(st
+       unsigned long timeo = jiffies + HZ;
+       DECLARE_WAITQUEUE(wait, current);
+       int ret = 0;
++      int retry_cnt = 0;
+       adr += chip->start;
+@@ -2346,6 +2352,7 @@ static int __xipram do_erase_oneblock(st
+       ENABLE_VPP(map);
+       xip_disable(map, chip, adr);
++ retry:
+       cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
+       cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL);
+       cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
+@@ -2403,6 +2410,9 @@ static int __xipram do_erase_oneblock(st
+               map_write( map, CMD(0xF0), chip->start );
+               /* FIXME - should have reset delay before continuing */
++              if (++retry_cnt <= MAX_RETRIES)
++                      goto retry;
++
+               ret = -EIO;
+       }
diff --git a/queue-4.4/mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch b/queue-4.4/mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch
new file mode 100644 (file)
index 0000000..94ee079
--- /dev/null
@@ -0,0 +1,45 @@
+From dfeae1073583dc35c33b32150e18b7048bbb37e6 Mon Sep 17 00:00:00 2001
+From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Date: Wed, 30 May 2018 18:32:26 +0900
+Subject: mtd: cfi_cmdset_0002: Change write buffer to check correct value
+
+From: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+
+commit dfeae1073583dc35c33b32150e18b7048bbb37e6 upstream.
+
+For the word write it is checked if the chip has the correct value.
+But it is not checked for the write buffer as only checked if ready.
+To make sure for the write buffer change to check the value.
+
+It is enough as this patch is only checking the last written word.
+Since it is described by data sheets to check the operation status.
+
+Signed-off-by: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
+Reviewed-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
+Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Cc: Brian Norris <computersforpeace@gmail.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Cc: Boris Brezillon <boris.brezillon@free-electrons.com>
+Cc: Marek Vasut <marek.vasut@gmail.com>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Cyrille Pitchen <cyrille.pitchen@wedev4u.fr>
+Cc: linux-mtd@lists.infradead.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -1878,7 +1878,7 @@ static int __xipram do_write_buffer(stru
+               if (time_after(jiffies, timeo) && !chip_ready(map, adr))
+                       break;
+-              if (chip_ready(map, adr)) {
++              if (chip_good(map, adr, datum)) {
+                       xip_enable(map, chip, adr);
+                       goto op_done;
+               }
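Review bot: only the success test was switched to chip_good(); the timeout test two lines above still reads `if (time_after(jiffies, timeo) && !chip_ready(map, adr)) break;`. Once timeo has passed with the chip ready but holding a value other than datum, neither condition is true and, as far as this hunk shows, the loop keeps polling. Use chip_good(map, adr, datum) in the timeout test as well so that a wrong value after the timeout ends the loop with an error.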
diff --git a/queue-4.4/mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch b/queue-4.4/mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch
new file mode 100644 (file)
index 0000000..06a72f8
--- /dev/null
@@ -0,0 +1,54 @@
+From 5fdfc3dbad099281bf027a353d5786c09408a8e5 Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Date: Wed, 6 Jun 2018 12:13:28 +0200
+Subject: mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips
+
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+
+commit 5fdfc3dbad099281bf027a353d5786c09408a8e5 upstream.
+
+cfi_ppb_unlock() tries to relock all sectors that were locked before
+unlocking the whole chip.
+This locking used the chip start address + the FULL offset from the
+first flash chip, thereby forming an illegal address. Fix that by using
+the chip offset(adr).
+
+Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
+Cc: stable@vger.kernel.org
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -2543,7 +2543,7 @@ static int cfi_atmel_unlock(struct mtd_i
+ struct ppb_lock {
+       struct flchip *chip;
+-      loff_t offset;
++      unsigned long adr;
+       int locked;
+ };
+@@ -2679,7 +2679,7 @@ static int __maybe_unused cfi_ppb_unlock
+                */
+               if ((adr < ofs) || (adr >= (ofs + len))) {
+                       sect[sectors].chip = &cfi->chips[chipnum];
+-                      sect[sectors].offset = offset;
++                      sect[sectors].adr = adr;
+                       sect[sectors].locked = do_ppb_xxlock(
+                               map, &cfi->chips[chipnum], adr, 0,
+                               DO_XXLOCK_ONEBLOCK_GETLOCK);
+@@ -2723,7 +2723,7 @@ static int __maybe_unused cfi_ppb_unlock
+        */
+       for (i = 0; i < sectors; i++) {
+               if (sect[i].locked)
+-                      do_ppb_xxlock(map, sect[i].chip, sect[i].offset, 0,
++                      do_ppb_xxlock(map, sect[i].chip, sect[i].adr, 0,
+                                     DO_XXLOCK_ONEBLOCK_LOCK);
+       }
diff --git a/queue-4.4/mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch b/queue-4.4/mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch
new file mode 100644 (file)
index 0000000..cffa261
--- /dev/null
@@ -0,0 +1,36 @@
+From 0cd8116f172eed018907303dbff5c112690eeb91 Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Date: Wed, 6 Jun 2018 12:13:29 +0200
+Subject: mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary
+
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+
+commit 0cd8116f172eed018907303dbff5c112690eeb91 upstream.
+
+The "sector is in requested range" test used to determine whether
+sectors should be re-locked or not is done on a variable that is reset
+everytime we cross a chip boundary, which can lead to some blocks being
+re-locked while the caller expect them to be unlocked.
+Fix the check to make sure this cannot happen.
+
+Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
+Cc: stable@vger.kernel.org
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -2677,7 +2677,7 @@ static int __maybe_unused cfi_ppb_unlock
+                * sectors shall be unlocked, so lets keep their locking
+                * status at "unlocked" (locked=0) for the final re-locking.
+                */
+-              if ((adr < ofs) || (adr >= (ofs + len))) {
++              if ((offset < ofs) || (offset >= (ofs + len))) {
+                       sect[sectors].chip = &cfi->chips[chipnum];
+                       sect[sectors].adr = adr;
+                       sect[sectors].locked = do_ppb_xxlock(
diff --git a/queue-4.4/mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch b/queue-4.4/mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch
new file mode 100644 (file)
index 0000000..1777e61
--- /dev/null
@@ -0,0 +1,57 @@
+From f93aa8c4de307069c270b2d81741961162bead6c Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Date: Wed, 6 Jun 2018 12:13:27 +0200
+Subject: mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock()
+
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+
+commit f93aa8c4de307069c270b2d81741961162bead6c upstream.
+
+do_ppb_xxlock() fails to add chip->start when querying for lock status
+(and chip_ready test), which caused false status reports.
+Fix that by adding adr += chip->start and adjust call sites
+accordingly.
+
+Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking")
+Cc: stable@vger.kernel.org
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/chips/cfi_cmdset_0002.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -2561,8 +2561,9 @@ static int __maybe_unused do_ppb_xxlock(
+       unsigned long timeo;
+       int ret;
++      adr += chip->start;
+       mutex_lock(&chip->mutex);
+-      ret = get_chip(map, chip, adr + chip->start, FL_LOCKING);
++      ret = get_chip(map, chip, adr, FL_LOCKING);
+       if (ret) {
+               mutex_unlock(&chip->mutex);
+               return ret;
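Review bot: the message says call sites are adjusted, but all three hunks of this patch are inside do_ppb_xxlock() and no caller changes. If "call sites" means the get_chip(), map_write() and put_chip() uses inside the function, reword the message; if external callers were meant, confirm that each one passes a chip-relative adr, because `adr += chip->start;` now applies the offset for every thunk value.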
+@@ -2580,8 +2581,8 @@ static int __maybe_unused do_ppb_xxlock(
+       if (thunk == DO_XXLOCK_ONEBLOCK_LOCK) {
+               chip->state = FL_LOCKING;
+-              map_write(map, CMD(0xA0), chip->start + adr);
+-              map_write(map, CMD(0x00), chip->start + adr);
++              map_write(map, CMD(0xA0), adr);
++              map_write(map, CMD(0x00), adr);
+       } else if (thunk == DO_XXLOCK_ONEBLOCK_UNLOCK) {
+               /*
+                * Unlocking of one specific sector is not supported, so we
+@@ -2619,7 +2620,7 @@ static int __maybe_unused do_ppb_xxlock(
+       map_write(map, CMD(0x00), chip->start);
+       chip->state = FL_READY;
+-      put_chip(map, chip, adr + chip->start);
++      put_chip(map, chip, adr);
+       mutex_unlock(&chip->mutex);
+       return ret;
diff --git a/queue-4.4/of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch b/queue-4.4/of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch
new file mode 100644 (file)
index 0000000..856805b
--- /dev/null
@@ -0,0 +1,63 @@
+From 3b9cf7905fe3ab35ab437b5072c883e609d3498d Mon Sep 17 00:00:00 2001
+From: Stefan M Schaeckeler <sschaeck@cisco.com>
+Date: Mon, 21 May 2018 16:26:14 -0700
+Subject: of: unittest: for strings, account for trailing \0 in property length field
+
+From: Stefan M Schaeckeler <sschaeck@cisco.com>
+
+commit 3b9cf7905fe3ab35ab437b5072c883e609d3498d upstream.
+
+For strings, account for trailing \0 in property length field:
+
+This is consistent with how dtc builds string properties.
+
+Function __of_prop_dup() would misbehave on such properties as it duplicates
+properties based on the property length field creating new string values
+without trailing \0s.
+
+Signed-off-by: Stefan M Schaeckeler <sschaeck@cisco.com>
+Reviewed-by: Frank Rowand <frank.rowand@sony.com>
+Tested-by: Frank Rowand <frank.rowand@sony.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/unittest.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -156,20 +156,20 @@ static void __init of_unittest_dynamic(v
+       /* Add a new property - should pass*/
+       prop->name = "new-property";
+       prop->value = "new-property-data";
+-      prop->length = strlen(prop->value);
++      prop->length = strlen(prop->value) + 1;
+       unittest(of_add_property(np, prop) == 0, "Adding a new property failed\n");
+       /* Try to add an existing property - should fail */
+       prop++;
+       prop->name = "new-property";
+       prop->value = "new-property-data-should-fail";
+-      prop->length = strlen(prop->value);
++      prop->length = strlen(prop->value) + 1;
+       unittest(of_add_property(np, prop) != 0,
+                "Adding an existing property should have failed\n");
+       /* Try to modify an existing property - should pass */
+       prop->value = "modify-property-data-should-pass";
+-      prop->length = strlen(prop->value);
++      prop->length = strlen(prop->value) + 1;
+       unittest(of_update_property(np, prop) == 0,
+                "Updating an existing property should have passed\n");
+@@ -177,7 +177,7 @@ static void __init of_unittest_dynamic(v
+       prop++;
+       prop->name = "modify-property";
+       prop->value = "modify-missing-property-data-should-pass";
+-      prop->length = strlen(prop->value);
++      prop->length = strlen(prop->value) + 1;
+       unittest(of_update_property(np, prop) == 0,
+                "Updating a missing property should have passed\n");
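Review bot: the "+ 1" is open-coded at all four "prop->length = strlen(prop->value) + 1;" sites in of_unittest_dynamic(), which is how the original omission came to be repeated four times. A small local helper that sets value and length together (or a macro using sizeof on the string literal) would keep the terminator from being forgotten at a fifth site. The changelog says __of_prop_dup() copies by the length field and yields values without a trailing \0, and this patch corrects only the test's inputs, so a comment at these assignments stating that length must include the NUL for string properties would help anyone building properties by hand.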
diff --git a/queue-4.4/pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch b/queue-4.4/pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch
new file mode 100644 (file)
index 0000000..828d686
--- /dev/null
@@ -0,0 +1,83 @@
+From 13c65840feab8109194f9490c9870587173cb29d Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Wed, 23 May 2018 17:14:39 -0500
+Subject: PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit 13c65840feab8109194f9490c9870587173cb29d upstream.
+
+After a suspend/resume cycle the Presence Detect or Data Link Layer Status
+Changed bits might be set.  If we don't clear them those events will not
+fire anymore and nothing happens for instance when a device is now
+hot-unplugged.
+
+Fix this by clearing those bits in a newly introduced function
+pcie_reenable_notification().  This should be fine because immediately
+after, we check if the adapter is still present by reading directly from
+the status register.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/hotplug/pciehp.h      |    2 +-
+ drivers/pci/hotplug/pciehp_core.c |    2 +-
+ drivers/pci/hotplug/pciehp_hpc.c  |   13 ++++++++++++-
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/hotplug/pciehp.h
++++ b/drivers/pci/hotplug/pciehp.h
+@@ -134,7 +134,7 @@ struct controller *pcie_init(struct pcie
+ int pcie_init_notification(struct controller *ctrl);
+ int pciehp_enable_slot(struct slot *p_slot);
+ int pciehp_disable_slot(struct slot *p_slot);
+-void pcie_enable_notification(struct controller *ctrl);
++void pcie_reenable_notification(struct controller *ctrl);
+ int pciehp_power_on_slot(struct slot *slot);
+ void pciehp_power_off_slot(struct slot *slot);
+ void pciehp_get_power_status(struct slot *slot, u8 *status);
+--- a/drivers/pci/hotplug/pciehp_core.c
++++ b/drivers/pci/hotplug/pciehp_core.c
+@@ -295,7 +295,7 @@ static int pciehp_resume(struct pcie_dev
+       ctrl = get_service_data(dev);
+       /* reinitialize the chipset's event detection logic */
+-      pcie_enable_notification(ctrl);
++      pcie_reenable_notification(ctrl);
+       slot = ctrl->slot;
+--- a/drivers/pci/hotplug/pciehp_hpc.c
++++ b/drivers/pci/hotplug/pciehp_hpc.c
+@@ -628,7 +628,7 @@ static irqreturn_t pcie_isr(int irq, voi
+       return IRQ_HANDLED;
+ }
+-void pcie_enable_notification(struct controller *ctrl)
++static void pcie_enable_notification(struct controller *ctrl)
+ {
+       u16 cmd, mask;
+@@ -666,6 +666,17 @@ void pcie_enable_notification(struct con
+                pci_pcie_cap(ctrl->pcie->port) + PCI_EXP_SLTCTL, cmd);
+ }
++void pcie_reenable_notification(struct controller *ctrl)
++{
++      /*
++       * Clear both Presence and Data Link Layer Changed to make sure
++       * those events still fire after we have re-enabled them.
++       */
++      pcie_capability_write_word(ctrl->pcie->port, PCI_EXP_SLTSTA,
++                                 PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_DLLSC);
++      pcie_enable_notification(ctrl);
++}
++
+ static void pcie_disable_notification(struct controller *ctrl)
+ {
+       u16 mask;
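Review bot: in pcie_reenable_notification() the write of PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_DLLSC discards any presence or link change latched during suspend, and the only thing that makes this safe is the caller re-reading the status register afterwards, which the changelog states but the code comment does not. Please extend the comment to say that the caller must re-check adapter presence after this call, since this is now the non-static function declared in pciehp.h and the pciehp_core.c hunk shows only "slot = ctrl->slot;" following it. The result of pcie_capability_write_word() is also ignored; if that write can fail, the stale bits remain set as before the fix, so a warning on failure would be worthwhile.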
diff --git a/queue-4.4/powerpc-fadump-unregister-fadump-on-kexec-down-path.patch b/queue-4.4/powerpc-fadump-unregister-fadump-on-kexec-down-path.patch
new file mode 100644 (file)
index 0000000..7f916e5
--- /dev/null
@@ -0,0 +1,39 @@
+From 722cde76d68e8cc4f3de42e71c82fd40dea4f7b9 Mon Sep 17 00:00:00 2001
+From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Date: Fri, 27 Apr 2018 11:53:18 +0530
+Subject: powerpc/fadump: Unregister fadump on kexec down path.
+
+From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+
+commit 722cde76d68e8cc4f3de42e71c82fd40dea4f7b9 upstream.
+
+Unregister fadump on kexec down path otherwise the fadump registration
+in new kexec-ed kernel complains that fadump is already registered.
+This makes new kernel to continue using fadump registered by previous
+kernel which may lead to invalid vmcore generation. Hence this patch
+fixes this issue by un-registering fadump in fadump_cleanup() which is
+called during kexec path so that new kernel can register fadump with
+new valid values.
+
+Fixes: b500afff11f6 ("fadump: Invalidate registration and release reserved memory for general use.")
+Cc: stable@vger.kernel.org # v3.4+
+Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/fadump.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/powerpc/kernel/fadump.c
++++ b/arch/powerpc/kernel/fadump.c
+@@ -1025,6 +1025,9 @@ void fadump_cleanup(void)
+               init_fadump_mem_struct(&fdm,
+                       be64_to_cpu(fdm_active->cpu_state_data.destination_address));
+               fadump_invalidate_dump(&fdm);
++      } else if (fw_dump.dump_registered) {
++              /* Un-register Firmware-assisted dump if it was registered. */
++              fadump_unregister_dump(&fdm);
+       }
+ }
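Review bot: the new "else if (fw_dump.dump_registered)" branch in fadump_cleanup() calls fadump_unregister_dump(&fdm) and drops whatever it reports. If the unregister can fail, the kexec-ed kernel runs into the same "already registered" condition the changelog describes, with nothing logged on the way down, so please check the result and print an error. It is also worth confirming that fdm holds the registered values on this path, because the branch above re-initialises it with init_fadump_mem_struct() before use and this one does not.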
diff --git a/queue-4.4/powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch b/queue-4.4/powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch
new file mode 100644 (file)
index 0000000..ce96111
--- /dev/null
@@ -0,0 +1,63 @@
+From 91d06971881f71d945910de128658038513d1b24 Mon Sep 17 00:00:00 2001
+From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
+Date: Wed, 30 May 2018 18:48:04 +0530
+Subject: powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch
+
+From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+
+commit 91d06971881f71d945910de128658038513d1b24 upstream.
+
+Currently we do not have an isync, or any other context synchronizing
+instruction prior to the slbie/slbmte in _switch() that updates the
+SLB entry for the kernel stack.
+
+However that is not correct as outlined in the ISA.
+
+From Power ISA Version 3.0B, Book III, Chapter 11, page 1133:
+
+  "Changing the contents of ... the contents of SLB entries ... can
+   have the side effect of altering the context in which data
+   addresses and instruction addresses are interpreted, and in which
+   instructions are executed and data accesses are performed.
+   ...
+   These side effects need not occur in program order, and therefore
+   may require explicit synchronization by software.
+   ...
+   The synchronizing instruction before the context-altering
+   instruction ensures that all instructions up to and including that
+   synchronizing instruction are fetched and executed in the context
+   that existed before the alteration."
+
+And page 1136:
+
+  "For data accesses, the context synchronizing instruction before the
+   slbie, slbieg, slbia, slbmte, tlbie, or tlbiel instruction ensures
+   that all preceding instructions that access data storage have
+   completed to a point at which they have reported all exceptions
+   they will cause."
+
+We're not aware of any bugs caused by this, but it should be fixed
+regardless.
+
+Add the missing isync when updating kernel stack SLB entry.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+[mpe: Flesh out change log with more ISA text & explanation]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/entry_64.S |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/kernel/entry_64.S
++++ b/arch/powerpc/kernel/entry_64.S
+@@ -574,6 +574,7 @@ END_MMU_FTR_SECTION_IFSET(MMU_FTR_1T_SEG
+        * actually hit this code path.
+        */
++      isync
+       slbie   r6
+       slbie   r6              /* Workaround POWER5 < DD2.1 issue */
+       slbmte  r7,r0
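Review bot: the added "isync" ahead of the first "slbie r6" carries no comment, while the neighbouring slbie documents its POWER5 workaround. Since the changelog says no bug is known to result from the missing synchronisation, an uncommented instruction here is likely to be questioned or dropped in a later cleanup. Suggest a one-line comment stating that the ISA requires a context synchronizing instruction before slbie/slbmte.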
diff --git a/queue-4.4/powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch b/queue-4.4/powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch
new file mode 100644 (file)
index 0000000..c07f7aa
--- /dev/null
@@ -0,0 +1,41 @@
+From cd6ef7eebf171bfcba7dc2df719c2a4958775040 Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Thu, 17 May 2018 15:37:14 +1000
+Subject: powerpc/ptrace: Fix enforcement of DAWR constraints
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit cd6ef7eebf171bfcba7dc2df719c2a4958775040 upstream.
+
+Back when we first introduced the DAWR, in commit 4ae7ebe9522a
+("powerpc: Change hardware breakpoint to allow longer ranges"), we
+screwed up the constraint making it a 1024 byte boundary rather than a
+512. This makes the check overly permissive. Fortunately GDB is the
+only real user and it always did they right thing, so we never
+noticed.
+
+This fixes the constraint to 512 bytes.
+
+Fixes: 4ae7ebe9522a ("powerpc: Change hardware breakpoint to allow longer ranges")
+Cc: stable@vger.kernel.org # v3.9+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/hw_breakpoint.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/hw_breakpoint.c
++++ b/arch/powerpc/kernel/hw_breakpoint.c
+@@ -174,8 +174,8 @@ int arch_validate_hwbkpt_settings(struct
+       if (cpu_has_feature(CPU_FTR_DAWR)) {
+               length_max = 512 ; /* 64 doublewords */
+               /* DAWR region can't cross 512 boundary */
+-              if ((bp->attr.bp_addr >> 10) != 
+-                  ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 10))
++              if ((bp->attr.bp_addr >> 9) !=
++                  ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 9))
+                       return -EINVAL;
+       }
+       if (info->len >
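Review bot: the end-of-range term "bp->attr.bp_addr + bp->attr.bp_len - 1" evaluates to bp_addr - 1 when bp_len is 0, so a 512-byte aligned address with zero length compares as crossing a boundary and returns -EINVAL. That makes this check depend on every caller supplying a non-zero length; the companion PTRACE_SET_DEBUGREG patch in this queue covers one such caller. Suggest handling bp_len == 0 explicitly ahead of the comparison, and deriving the shift from the same constant as "length_max = 512" so the comment, the limit and the shift cannot drift apart again.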
diff --git a/queue-4.4/powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch b/queue-4.4/powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch
new file mode 100644 (file)
index 0000000..3627a95
--- /dev/null
@@ -0,0 +1,42 @@
+From 4f7c06e26ec9cf7fe9f0c54dc90079b6a4f4b2c3 Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Thu, 17 May 2018 15:37:15 +1000
+Subject: powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit 4f7c06e26ec9cf7fe9f0c54dc90079b6a4f4b2c3 upstream.
+
+In commit e2a800beaca1 ("powerpc/hw_brk: Fix off by one error when
+validating DAWR region end") we fixed setting the DAWR end point to
+its max value via PPC_PTRACE_SETHWDEBUG. Unfortunately we broke
+PTRACE_SET_DEBUGREG when setting a 512 byte aligned breakpoint.
+
+PTRACE_SET_DEBUGREG currently sets the length of the breakpoint to
+zero (memset() in hw_breakpoint_init()). This worked with
+arch_validate_hwbkpt_settings() before the above patch was applied but
+is now broken if the breakpoint is 512byte aligned.
+
+This sets the length of the breakpoint to 8 bytes when using
+PTRACE_SET_DEBUGREG.
+
+Fixes: e2a800beaca1 ("powerpc/hw_brk: Fix off by one error when validating DAWR region end")
+Cc: stable@vger.kernel.org # v3.11+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/ptrace.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/kernel/ptrace.c
++++ b/arch/powerpc/kernel/ptrace.c
+@@ -1004,6 +1004,7 @@ static int ptrace_set_debugreg(struct ta
+       /* Create a new breakpoint request if one doesn't exist already */
+       hw_breakpoint_init(&attr);
+       attr.bp_addr = hw_brk.address;
++      attr.bp_len = 8;
+       arch_bp_generic_fields(hw_brk.type,
+                              &attr.bp_type);
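Review bot: "attr.bp_len = 8;" in ptrace_set_debugreg() is a bare literal with no comment, and the changelog explains why zero is wrong but not why 8 is the right length. Suggest a short comment noting that hw_breakpoint_init() leaves bp_len at 0, which arch_validate_hwbkpt_settings() rejects for 512-byte aligned addresses, and saying what the 8 corresponds to. If other paths fill in the attr the same way, they need the same treatment.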
diff --git a/queue-4.4/rdma-mlx4-discard-unknown-sqp-work-requests.patch b/queue-4.4/rdma-mlx4-discard-unknown-sqp-work-requests.patch
new file mode 100644 (file)
index 0000000..f9efda5
--- /dev/null
@@ -0,0 +1,32 @@
+From 6b1ca7ece15e94251d1d0d919f813943e4a58059 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Tue, 29 May 2018 14:56:14 +0300
+Subject: RDMA/mlx4: Discard unknown SQP work requests
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit 6b1ca7ece15e94251d1d0d919f813943e4a58059 upstream.
+
+There is no need to crash the machine if unknown work request was
+received in SQP MAD.
+
+Cc: <stable@vger.kernel.org> # 3.6
+Fixes: 37bfc7c1e83f ("IB/mlx4: SR-IOV multiplex and demultiplex MADs")
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx4/mad.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx4/mad.c
++++ b/drivers/infiniband/hw/mlx4/mad.c
+@@ -1780,7 +1780,6 @@ static void mlx4_ib_sqp_comp_worker(stru
+                                              "buf:%lld\n", wc.wr_id);
+                               break;
+                       default:
+-                              BUG_ON(1);
+                               break;
+                       }
+               } else  {
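Review bot: with "BUG_ON(1);" removed, the "default:" arm in mlx4_ib_sqp_comp_worker() is a bare "break;", so an unknown work request is now dropped with no trace, whereas the case just above it logs with wc.wr_id. Not crashing is the right call, but please keep the event observable: a rate-limited warning carrying the unexpected opcode in the default arm would let an operator notice unexpected completions on the SQP without giving received traffic a way to flood the log.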
index 536888d76f2d1f912241a8b5f9647f9c105d2f4d..82e7b9d62b4a0fd5116653b24e4e1dcb7dee2253 100644 (file)
@@ -34,3 +34,28 @@ asoc-cirrus-i2s-fix-lrclk-configuration.patch
 asoc-cirrus-i2s-fix-tx-rx-linctrldata-setup.patch
 lib-vsprintf-remove-atomic-unsafe-support-for-pcr.patch
 mips-ftrace-fix-static-function-graph-tracing.patch
+branch-check-fix-long-int-truncation-when-profiling-branches.patch
+ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch
+bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch
+fuse-atomic_o_trunc-should-truncate-pagecache.patch
+fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch
+fuse-fix-control-dir-setup-and-teardown.patch
+powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch
+powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch
+powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch
+cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch
+powerpc-fadump-unregister-fadump-on-kexec-down-path.patch
+arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch
+of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch
+ib-qib-fix-dma-api-warning-with-debug-kernel.patch
+ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch
+ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch
+rdma-mlx4-discard-unknown-sqp-work-requests.patch
+mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch
+mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch
+mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch
+mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch
+mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch
+mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch
+mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch
+pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch