--- /dev/null
+From 88960068f25fcc3759455d85460234dcc9d43fef Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Sat, 22 Dec 2018 11:22:26 +0100
+Subject: f2fs: fix validation of the block count in sanity_check_raw_super
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+commit 88960068f25fcc3759455d85460234dcc9d43fef upstream.
+
+Treat "block_count" from struct f2fs_super_block as 64-bit little endian
+value in sanity_check_raw_super() because struct f2fs_super_block
+declares "block_count" as "__le64".
+
+This fixes a bug where the superblock validation fails on big endian
+devices with the following error:
+ F2FS-fs (sda1): Wrong segment_count / block_count (61439 > 0)
+ F2FS-fs (sda1): Can't find valid F2FS filesystem in 1th superblock
+ F2FS-fs (sda1): Wrong segment_count / block_count (61439 > 0)
+ F2FS-fs (sda1): Can't find valid F2FS filesystem in 2th superblock
+As result of this the partition cannot be mounted.
+
+With this patch applied the superblock validation works fine and the
+partition can be mounted again:
+ F2FS-fs (sda1): Mounted with checkpoint version = 7c84
+
+My little endian x86-64 hardware was able to mount the partition without
+this fix.
+To confirm that mounting f2fs filesystems works on big endian machines
+again I tested this on a 32-bit MIPS big endian (lantiq) device.
+
+Fixes: 0cfe75c5b01199 ("f2fs: enhance sanity_check_raw_super() to avoid potential overflows")
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/super.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -2267,10 +2267,10 @@ static int sanity_check_raw_super(struct
+ return 1;
+ }
+
+- if (segment_count > (le32_to_cpu(raw_super->block_count) >> 9)) {
++ if (segment_count > (le64_to_cpu(raw_super->block_count) >> 9)) {
+ f2fs_msg(sb, KERN_INFO,
+- "Wrong segment_count / block_count (%u > %u)",
+- segment_count, le32_to_cpu(raw_super->block_count));
++ "Wrong segment_count / block_count (%u > %llu)",
++ segment_count, le64_to_cpu(raw_super->block_count));
+ return 1;
+ }
+
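Review bot: The log message in the new lines still prints the raw `block_count`, while the condition compares `segment_count` against `block_count >> 9`, so the "(X > Y)" text can show an X that is smaller than Y. Printing the value that was actually compared would make the rejection self-explanatory: `segment_count, le64_to_cpu(raw_super->block_count) >> 9);`. The literal `9` presumably stands for the log2 of blocks per segment; a named constant or a short comment would say so. sanity_check_raw_super() starts and ends outside this hunk.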
--- /dev/null
+From 0ea295dd853e0879a9a30ab61f923c26be35b902 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Thu, 22 Nov 2018 18:58:46 +0800
+Subject: f2fs: read page index before freeing
+
+From: Pan Bian <bianpan2016@163.com>
+
+commit 0ea295dd853e0879a9a30ab61f923c26be35b902 upstream.
+
+The function truncate_node frees the page with f2fs_put_page. However,
+the page index is read after that. So, the patch reads the index before
+freeing the page.
+
+Fixes: bf39c00a9a7f ("f2fs: drop obsolete node page when it is truncated")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/node.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -827,6 +827,7 @@ static int truncate_node(struct dnode_of
+ struct f2fs_sb_info *sbi = F2FS_I_SB(dn->inode);
+ struct node_info ni;
+ int err;
++ pgoff_t index;
+
+ err = f2fs_get_node_info(sbi, dn->nid, &ni);
+ if (err)
+@@ -846,10 +847,11 @@ static int truncate_node(struct dnode_of
+ clear_node_page_dirty(dn->node_page);
+ set_sbi_flag(sbi, SBI_IS_DIRTY);
+
++ index = dn->node_page->index;
+ f2fs_put_page(dn->node_page, 1);
+
+ invalidate_mapping_pages(NODE_MAPPING(sbi),
+- dn->node_page->index, dn->node_page->index);
++ index, index);
+
+ dn->node_page = NULL;
+ trace_f2fs_truncate_node(dn->inode, dn->nid, ni.blk_addr);
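Review bot: The new `index` local has no comment saying why it exists, so a later cleanup could fold it back into the `invalidate_mapping_pages()` call and reintroduce the read after the page is released. A one-line comment above the assignment would keep the ordering constraint visible: `/* read the index first: the page must not be touched after f2fs_put_page() */`. truncate_node() starts and ends outside the hunk.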
--- /dev/null
+From 64beba0558fce7b59e9a8a7afd77290e82a22163 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Wed, 26 Dec 2018 19:54:07 -0800
+Subject: f2fs: sanity check of xattr entry size
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit 64beba0558fce7b59e9a8a7afd77290e82a22163 upstream.
+
+There is a security report where f2fs_getxattr() has a hole to expose wrong
+memory region when the image is malformed like this.
+
+f2fs_getxattr: entry->e_name_len: 4, size: 12288, buffer_size: 16384, len: 4
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/xattr.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -291,7 +291,7 @@ static int read_xattr_block(struct inode
+ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
+ unsigned int index, unsigned int len,
+ const char *name, struct f2fs_xattr_entry **xe,
+- void **base_addr)
++ void **base_addr, int *base_size)
+ {
+ void *cur_addr, *txattr_addr, *last_addr = NULL;
+ nid_t xnid = F2FS_I(inode)->i_xattr_nid;
+@@ -302,8 +302,8 @@ static int lookup_all_xattrs(struct inod
+ if (!size && !inline_size)
+ return -ENODATA;
+
+- txattr_addr = f2fs_kzalloc(F2FS_I_SB(inode),
+- inline_size + size + XATTR_PADDING_SIZE, GFP_NOFS);
++ *base_size = inline_size + size + XATTR_PADDING_SIZE;
++ txattr_addr = f2fs_kzalloc(F2FS_I_SB(inode), *base_size, GFP_NOFS);
+ if (!txattr_addr)
+ return -ENOMEM;
+
+@@ -315,8 +315,10 @@ static int lookup_all_xattrs(struct inod
+
+ *xe = __find_inline_xattr(inode, txattr_addr, &last_addr,
+ index, len, name);
+- if (*xe)
++ if (*xe) {
++ *base_size = inline_size;
+ goto check;
++ }
+ }
+
+ /* read from xattr node block */
+@@ -477,6 +479,7 @@ int f2fs_getxattr(struct inode *inode, i
+ int error = 0;
+ unsigned int size, len;
+ void *base_addr = NULL;
++ int base_size;
+
+ if (name == NULL)
+ return -EINVAL;
+@@ -487,7 +490,7 @@ int f2fs_getxattr(struct inode *inode, i
+
+ down_read(&F2FS_I(inode)->i_xattr_sem);
+ error = lookup_all_xattrs(inode, ipage, index, len, name,
+- &entry, &base_addr);
++ &entry, &base_addr, &base_size);
+ up_read(&F2FS_I(inode)->i_xattr_sem);
+ if (error)
+ return error;
+@@ -501,6 +504,11 @@ int f2fs_getxattr(struct inode *inode, i
+
+ if (buffer) {
+ char *pval = entry->e_name + entry->e_name_len;
++
++ if (base_size - (pval - (char *)base_addr) < size) {
++ error = -ERANGE;
++ goto out;
++ }
+ memcpy(buffer, pval, size);
+ }
+ error = size;
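Review bot: The added bounds check mixes `int base_size`, a pointer difference and `unsigned int size`, so on a 32-bit build a negative left-hand side (value start past `base_size`) would be converted to a large unsigned number and the test would not reject it. Because `e_name_len` and `size` are taken from the on-disk image, an explicit range test on the offset is safer: `size_t off = pval - (char *)base_addr;` followed by `if (off > (size_t)base_size || size > base_size - off) {`. Whether the entry header itself is validated against the buffer before `entry->e_name_len` is read is not visible here and is worth confirming. f2fs_getxattr() continues outside the hunk.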
--- /dev/null
+From 32804fcb612bf867034a093f459415e485cf044b Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Fri, 19 Oct 2018 03:55:34 -0400
+Subject: media: cec: keep track of outstanding transmits
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit 32804fcb612bf867034a093f459415e485cf044b upstream.
+
+I noticed that repeatedly running 'cec-ctl --playback' would occasionally
+select 'Playback Device 2' instead of 'Playback Device 1', even though there
+were no other Playback devices in the HDMI topology. This happened both with
+'real' hardware and with the vivid CEC emulation, suggesting that this was an
+issue in the core code that claims a logical address.
+
+What 'cec-ctl --playback' does is to first clear all existing logical addresses,
+and immediately after that configure the new desired device type.
+
+The core code will poll the logical addresses trying to find a free address.
+When found it will issue a few standard messages as per the CEC spec and return.
+Those messages are queued up and will be transmitted asynchronously.
+
+What happens is that if you run two 'cec-ctl --playback' commands in quick
+succession, there is still a message of the first cec-ctl command being transmitted
+when you reconfigure the adapter again in the second cec-ctl command.
+
+When the logical addresses are cleared, then all information about outstanding
+transmits inside the CEC core is also cleared, and the core is no longer aware
+that there is still a transmit in flight.
+
+When the hardware finishes the transmit it calls transmit_done and the CEC core
+thinks it is actually in response of a POLL messages that is trying to find a
+free logical address. The result of all this is that the core thinks that the
+logical address for Playback Device 1 is in use, when it is really an earlier
+transmit that ended.
+
+The main transmit thread looks at adap->transmitting to check if a transmit
+is in progress, but that is set to NULL when the adapter is unconfigured.
+adap->transmitting represents the view of userspace, not that of the hardware.
+So when unconfiguring the adapter the message is marked aborted from the point
+of view of userspace, but seen from the PoV of the hardware it is still ongoing.
+
+So introduce a new bool transmit_in_progress that represents the hardware state
+and use that instead of adap->transmitting. Now the CEC core waits until the
+hardware finishes the transmit before starting a new transmit.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Cc: <stable@vger.kernel.org> # for v4.18 and up
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/cec/cec-adap.c | 27 ++++++++++++++++++---------
+ include/media/cec.h | 1 +
+ 2 files changed, 19 insertions(+), 9 deletions(-)
+
+--- a/drivers/media/cec/cec-adap.c
++++ b/drivers/media/cec/cec-adap.c
+@@ -442,7 +442,7 @@ int cec_thread_func(void *_adap)
+ (adap->needs_hpd &&
+ (!adap->is_configured && !adap->is_configuring)) ||
+ kthread_should_stop() ||
+- (!adap->transmitting &&
++ (!adap->transmit_in_progress &&
+ !list_empty(&adap->transmit_queue)),
+ msecs_to_jiffies(CEC_XFER_TIMEOUT_MS));
+ timeout = err == 0;
+@@ -450,7 +450,7 @@ int cec_thread_func(void *_adap)
+ /* Otherwise we just wait for something to happen. */
+ wait_event_interruptible(adap->kthread_waitq,
+ kthread_should_stop() ||
+- (!adap->transmitting &&
++ (!adap->transmit_in_progress &&
+ !list_empty(&adap->transmit_queue)));
+ }
+
+@@ -475,6 +475,7 @@ int cec_thread_func(void *_adap)
+ pr_warn("cec-%s: message %*ph timed out\n", adap->name,
+ adap->transmitting->msg.len,
+ adap->transmitting->msg.msg);
++ adap->transmit_in_progress = false;
+ adap->tx_timeouts++;
+ /* Just give up on this. */
+ cec_data_cancel(adap->transmitting,
+@@ -486,7 +487,7 @@ int cec_thread_func(void *_adap)
+ * If we are still transmitting, or there is nothing new to
+ * transmit, then just continue waiting.
+ */
+- if (adap->transmitting || list_empty(&adap->transmit_queue))
++ if (adap->transmit_in_progress || list_empty(&adap->transmit_queue))
+ goto unlock;
+
+ /* Get a new message to transmit */
+@@ -532,6 +533,8 @@ int cec_thread_func(void *_adap)
+ if (adap->ops->adap_transmit(adap, data->attempts,
+ signal_free_time, &data->msg))
+ cec_data_cancel(data, CEC_TX_STATUS_ABORTED);
++ else
++ adap->transmit_in_progress = true;
+
+ unlock:
+ mutex_unlock(&adap->lock);
+@@ -562,14 +565,17 @@ void cec_transmit_done_ts(struct cec_ada
+ data = adap->transmitting;
+ if (!data) {
+ /*
+- * This can happen if a transmit was issued and the cable is
++ * This might happen if a transmit was issued and the cable is
+ * unplugged while the transmit is ongoing. Ignore this
+ * transmit in that case.
+ */
+- dprintk(1, "%s was called without an ongoing transmit!\n",
+- __func__);
+- goto unlock;
++ if (!adap->transmit_in_progress)
++ dprintk(1, "%s was called without an ongoing transmit!\n",
++ __func__);
++ adap->transmit_in_progress = false;
++ goto wake_thread;
+ }
++ adap->transmit_in_progress = false;
+
+ msg = &data->msg;
+
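Review bot: The comment in the `!data` branch still describes only the cable-unplug case, but the branch now also handles a completion for a transmit that was started before the adapter was unconfigured, which is what the new `transmit_in_progress` test distinguishes. Extending the comment would explain why the debug message is conditional and why the thread is woken, for example `* It also happens when the adapter was unconfigured while the hardware was still transmitting; clear the flag and wake the thread.` cec_transmit_done_ts() starts and ends outside the hunk.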
+@@ -635,7 +641,6 @@ wake_thread:
+ * for transmitting or to retry the current message.
+ */
+ wake_up_interruptible(&adap->kthread_waitq);
+-unlock:
+ mutex_unlock(&adap->lock);
+ }
+ EXPORT_SYMBOL_GPL(cec_transmit_done_ts);
+@@ -1483,8 +1488,11 @@ void __cec_s_phys_addr(struct cec_adapte
+ if (adap->monitor_all_cnt)
+ WARN_ON(call_op(adap, adap_monitor_all_enable, false));
+ mutex_lock(&adap->devnode.lock);
+- if (adap->needs_hpd || list_empty(&adap->devnode.fhs))
++ if (adap->needs_hpd || list_empty(&adap->devnode.fhs)) {
+ WARN_ON(adap->ops->adap_enable(adap, false));
++ adap->transmit_in_progress = false;
++ wake_up_interruptible(&adap->kthread_waitq);
++ }
+ mutex_unlock(&adap->devnode.lock);
+ if (phys_addr == CEC_PHYS_ADDR_INVALID)
+ return;
+@@ -1492,6 +1500,7 @@ void __cec_s_phys_addr(struct cec_adapte
+
+ mutex_lock(&adap->devnode.lock);
+ adap->last_initiator = 0xff;
++ adap->transmit_in_progress = false;
+
+ if ((adap->needs_hpd || list_empty(&adap->devnode.fhs)) &&
+ adap->ops->adap_enable(adap, true)) {
+--- a/include/media/cec.h
++++ b/include/media/cec.h
+@@ -155,6 +155,7 @@ struct cec_adapter {
+ unsigned int transmit_queue_sz;
+ struct list_head wait_queue;
+ struct cec_data *transmitting;
++ bool transmit_in_progress;
+
+ struct task_struct *kthread_config;
+ struct completion config_completion;
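Review bot: The new `transmit_in_progress` member is added without documentation, although its difference from `transmitting` is exactly what the fix relies on. If struct cec_adapter has a kernel-doc block (it would sit above this hunk), a line such as `@transmit_in_progress: true while the hardware is transmitting, even if @transmitting was already cleared` should accompany the field. It is also worth stating which lock protects the flag, since the cec-adap.c hunks write it inside a `devnode.lock` section in `__cec_s_phys_addr()` and before `mutex_unlock(&adap->lock)` elsewhere.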
--- /dev/null
+From ac791f19a273a7fe254a7596f193af6534582a9f Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Wed, 14 Nov 2018 03:37:53 -0500
+Subject: media: cec-pin: fix broken tx_ignore_nack_until_eom error injection
+
+From: Hans Verkuil <hverkuil@xs4all.nl>
+
+commit ac791f19a273a7fe254a7596f193af6534582a9f upstream.
+
+If the tx_ignore_nack_until_eom error injection was activated,
+then tx_nacked was never set instead of setting it when the last
+byte of the message was transmitted.
+
+As a result the transmit was marked as OK, when it should have
+been NACKed.
+
+Modify the condition so that it always sets tx_nacked when the
+last byte of the message was transmitted.
+
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Cc: <stable@vger.kernel.org> # for v4.17 and up
+Signed-off-by: Hans Verkuil <hansverk@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/cec/cec-pin.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/cec/cec-pin.c
++++ b/drivers/media/cec/cec-pin.c
+@@ -601,8 +601,9 @@ static void cec_pin_tx_states(struct cec
+ break;
+ /* Was the message ACKed? */
+ ack = cec_msg_is_broadcast(&pin->tx_msg) ? v : !v;
+- if (!ack && !pin->tx_ignore_nack_until_eom &&
+- pin->tx_bit / 10 < pin->tx_msg.len && !pin->tx_post_eom) {
++ if (!ack && (!pin->tx_ignore_nack_until_eom ||
++ pin->tx_bit / 10 == pin->tx_msg.len - 1) &&
++ !pin->tx_post_eom) {
+ /*
+ * Note: the CEC spec is ambiguous regarding
+ * what action to take when a NACK appears
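Review bot: The rewritten condition drops the old `pin->tx_bit / 10 < pin->tx_msg.len` bound for the normal (no error injection) path, and nothing in the new lines says whether that is intended. If the bound is guaranteed elsewhere, a short comment would do, such as `/* with tx_ignore_nack_until_eom set, only a NACK on the last byte counts */`; otherwise the bound should be kept alongside the new test. The `if` body and cec_pin_tx_states() continue outside the hunk.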
--- /dev/null
+From cea8c0077d6cf3a0cea2f18a8e914af78d46b2ff Mon Sep 17 00:00:00 2001
+From: Luca Ceresoli <luca@lucaceresoli.net>
+Date: Mon, 26 Nov 2018 11:35:07 -0500
+Subject: media: imx274: fix stack corruption in imx274_read_reg
+
+From: Luca Ceresoli <luca@lucaceresoli.net>
+
+commit cea8c0077d6cf3a0cea2f18a8e914af78d46b2ff upstream.
+
+imx274_read_reg() takes a u8 pointer ("reg") and casts it to pass it
+to regmap_read(), which takes an unsigned int pointer. This results in
+a corrupted stack and random crashes.
+
+Fixes: 0985dd306f72 ("media: imx274: V4l2 driver for Sony imx274 CMOS sensor")
+
+Cc: stable@vger.kernel.org # for 4.15 and up
+Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/i2c/imx274.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/i2c/imx274.c
++++ b/drivers/media/i2c/imx274.c
+@@ -636,16 +636,19 @@ static int imx274_write_table(struct sti
+
+ static inline int imx274_read_reg(struct stimx274 *priv, u16 addr, u8 *val)
+ {
++ unsigned int uint_val;
+ int err;
+
+- err = regmap_read(priv->regmap, addr, (unsigned int *)val);
++ err = regmap_read(priv->regmap, addr, &uint_val);
+ if (err)
+ dev_err(&priv->client->dev,
+ "%s : i2c read failed, addr = %x\n", __func__, addr);
+ else
+ dev_dbg(&priv->client->dev,
+ "%s : addr 0x%x, val=0x%x\n", __func__,
+- addr, *val);
++ addr, uint_val);
++
++ *val = uint_val;
+ return err;
+ }
+
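Review bot: `*val = uint_val;` runs unconditionally, so when `regmap_read()` fails the caller's byte is overwritten with an uninitialised stack value. Either initialise the temporary, `unsigned int uint_val = 0;`, or store only on success, `if (!err) *val = uint_val;`. The assignment also narrows to `u8` silently; that presumably matches an 8-bit register map, which is configured outside this hunk.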
--- /dev/null
+From e5bb9d3d755f128956ed467ae50b41d22bb680c6 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Mon, 22 Oct 2018 05:01:50 -0400
+Subject: media: rc: cec devices do not have a lirc chardev
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sean Young <sean@mess.org>
+
+commit e5bb9d3d755f128956ed467ae50b41d22bb680c6 upstream.
+
+This fixes an oops in ir_lirc_scancode_event().
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
+PGD 0 P4D 0
+Oops: 0000 [#1] SMP PTI
+CPU: 9 PID: 27687 Comm: kworker/9:2 Tainted: PÂ Â Â Â Â Â Â Â Â Â OE 4.18.12-200.fc28.x86_64 #1
+Hardware name: Supermicro C7X99-OCE-F/C7X99-OCE-F, BIOS 2.1a 06/15/2018
+Workqueue: events pulse8_irq_work_handler [pulse8_cec]
+RIP: 0010:ir_lirc_scancode_event+0x3d/0xb0 [rc_core]
+Code: 8d ae b4 07 00 00 49 81 c6 b8 07 00 00 53 e8 4a df c3 d5 48 89 ef 49 89 45 00 e8 4e 84 41 d6 49 8b 1e 49 89 c4 4c 39 f3 74 58 <8b> 43 38 8b 53 40 89 c1 2b 4b 3c 39 ca 72 41 21 d0 49 8b 7d 00 49
+RSP: 0018:ffffaa10e3c07d58 EFLAGS: 00010017
+RAX: 0000000000000002 RBX: 0000000000000000 RCX: 0000000000000018
+RDX: 0000000000000001 RSI: 00316245397fa93c RDI: ffff966d31c8d7b4
+RBP: ffff966d31c8d7b4 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000003 R11: ffffaa10e3c07e28 R12: 0000000000000002
+R13: ffffaa10e3c07d88 R14: ffff966d31c8d7b8 R15: 0000000000000073
+FS:Â 0000000000000000(0000) GS:ffff966d3f440000(0000) knlGS:0000000000000000
+CS:Â 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000038 CR3: 00000009d820a003 CR4: 00000000003606e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+Â ir_do_keydown+0x75/0x260 [rc_core]
+Â rc_keydown+0x54/0xc0 [rc_core]
+Â cec_received_msg_ts+0xaa8/0xaf0 [cec]
+Â process_one_work+0x1a1/0x350
+Â worker_thread+0x30/0x380
+Â ? pwq_unbound_release_workfn+0xd0/0xd0
+Â kthread+0x112/0x130
+Â ? kthread_create_worker_on_cpu+0x70/0x70
+Â ret_from_fork+0x35/0x40
+Modules linked in: rc_tt_1500 dvb_usb_dvbsky dvb_usb_v2 uas usb_storage fuse vhost_net vhost tap xt_CHECKSUM iptable_mangle ip6t_REJECT nf_reject_ipv6 tun 8021q garp mrp xt_nat macvlan xfs devlink ebta
+Â si2157 si2168 cx25840 cx23885 kvm altera_ci tda18271 joydev ir_rc6_decoder rc_rc6_mce crct10dif_pclmul crc32_pclmul ghash_clmulni_intel intel_cstate intel_uncore altera_stapl m88ds3103 tveeprom cx2341
+Â mxm_wmi igb crc32c_intel megaraid_sas dca i2c_algo_bit wmi vfio_pci irqbypass vfio_virqfd vfio_iommu_type1 vfio i2c_dev
+CR2: 0000000000000038
+
+Cc: <stable@vger.kernel.org> # v4.16+
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/rc-main.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/rc/rc-main.c
++++ b/drivers/media/rc/rc-main.c
+@@ -707,7 +707,8 @@ void rc_repeat(struct rc_dev *dev)
+ (dev->last_toggle ? LIRC_SCANCODE_FLAG_TOGGLE : 0)
+ };
+
+- ir_lirc_scancode_event(dev, &sc);
++ if (dev->allowed_protocols != RC_PROTO_BIT_CEC)
++ ir_lirc_scancode_event(dev, &sc);
+
+ spin_lock_irqsave(&dev->keylock, flags);
+
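Review bot: The guard `dev->allowed_protocols != RC_PROTO_BIT_CEC` uses the protocol mask as a stand-in for "this device has no lirc chardev", and the same test is repeated in the ir_do_keydown() hunk below. A small helper, or a test of the state that ir_lirc_scancode_event() actually dereferences, would keep the two call sites in step and would still hold for a device that allows CEC together with another protocol. At minimum a comment such as `/* CEC devices have no lirc chardev */` belongs above each call. Both functions extend beyond their hunks.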
+@@ -747,7 +748,8 @@ static void ir_do_keydown(struct rc_dev
+ .keycode = keycode
+ };
+
+- ir_lirc_scancode_event(dev, &sc);
++ if (dev->allowed_protocols != RC_PROTO_BIT_CEC)
++ ir_lirc_scancode_event(dev, &sc);
+
+ if (new_event && dev->keypressed)
+ ir_do_keyup(dev, false);
--- /dev/null
+From e5f71a27fa12c1a1b02ad478a568e76260f1815e Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Thu, 8 Nov 2018 11:12:47 -0500
+Subject: media: v4l2-tpg: array index could become negative
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit e5f71a27fa12c1a1b02ad478a568e76260f1815e upstream.
+
+text[s] is a signed char, so using that as index into the font8x16 array
+can result in negative indices. Cast it to u8 to be safe.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: syzbot+ccf0a61ed12f2a7313ee@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org> # for v4.7 and up
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
+@@ -1738,7 +1738,7 @@ typedef struct { u16 __; u8 _; } __packe
+ unsigned s; \
+ \
+ for (s = 0; s < len; s++) { \
+- u8 chr = font8x16[text[s] * 16 + line]; \
++ u8 chr = font8x16[(u8)text[s] * 16 + line]; \
+ \
+ if (hdiv == 2 && tpg->hflip) { \
+ pos[3] = (chr & (0x01 << 6) ? fg : bg); \
--- /dev/null
+From 62dcb4f41836bd3c44b5b651bb6df07ea4cb1551 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Thu, 8 Nov 2018 07:23:37 -0500
+Subject: media: vb2: check memory model for VIDIOC_CREATE_BUFS
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit 62dcb4f41836bd3c44b5b651bb6df07ea4cb1551 upstream.
+
+vb2_core_create_bufs did not check if the memory model for newly added
+buffers is the same as for already existing buffers. It should return an
+error if they aren't the same.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: syzbot+e1fb118a2ebb88031d21@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org> # for v4.16 and up
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/common/videobuf2/videobuf2-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/common/videobuf2/videobuf2-core.c
++++ b/drivers/media/common/videobuf2/videobuf2-core.c
+@@ -800,6 +800,9 @@ int vb2_core_create_bufs(struct vb2_queu
+ memset(q->alloc_devs, 0, sizeof(q->alloc_devs));
+ q->memory = memory;
+ q->waiting_for_buffers = !q->is_output;
++ } else if (q->memory != memory) {
++ dprintk(1, "memory model mismatch\n");
++ return -EINVAL;
+ }
+
+ num_buffers = min(*count, VB2_MAX_FRAME - q->num_buffers);
--- /dev/null
+From 560ccb75c2caa6b1039dec1a53cd2ef526f5bf03 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Fri, 9 Nov 2018 08:37:44 -0500
+Subject: media: vivid: free bitmap_cap when updating std/timings/etc.
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit 560ccb75c2caa6b1039dec1a53cd2ef526f5bf03 upstream.
+
+When vivid_update_format_cap() is called it should free any overlay
+bitmap since the compose size will change.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: syzbot+0cc8e3cc63ca373722c6@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org> # for v3.18 and up
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/vivid/vivid-vid-cap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/vivid/vivid-vid-cap.c
++++ b/drivers/media/platform/vivid/vivid-vid-cap.c
+@@ -438,6 +438,8 @@ void vivid_update_format_cap(struct vivi
+ tpg_s_rgb_range(&dev->tpg, v4l2_ctrl_g_ctrl(dev->rgb_range_cap));
+ break;
+ }
++ vfree(dev->bitmap_cap);
++ dev->bitmap_cap = NULL;
+ vivid_update_quality(dev);
+ tpg_reset_source(&dev->tpg, dev->src_rect.width, dev->src_rect.height, dev->field_cap);
+ dev->crop_cap = dev->src_rect;
--- /dev/null
+From bec0de4cfad21bd284dbddee016ed1767a5d2823 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Thu, 15 Nov 2018 15:53:56 +0800
+Subject: MIPS: Align kernel load address to 64KB
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit bec0de4cfad21bd284dbddee016ed1767a5d2823 upstream.
+
+KEXEC needs the new kernel's load address to be aligned on a page
+boundary (see sanity_check_segment_list()), but on MIPS the default
+vmlinuz load address is only explicitly aligned to 16 bytes.
+
+Since the largest PAGE_SIZE supported by MIPS kernels is 64KB, increase
+the alignment calculated by calc_vmlinuz_load_addr to 64KB.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/21131/
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <james.hogan@mips.com>
+Cc: Steven J . Hill <Steven.Hill@cavium.com>
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: <stable@vger.kernel.org> # 2.6.36+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/boot/compressed/calc_vmlinuz_load_addr.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
++++ b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
+@@ -13,6 +13,7 @@
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include "../../../../include/linux/sizes.h"
+
+ int main(int argc, char *argv[])
+ {
+@@ -45,11 +46,11 @@ int main(int argc, char *argv[])
+ vmlinuz_load_addr = vmlinux_load_addr + vmlinux_size;
+
+ /*
+- * Align with 16 bytes: "greater than that used for any standard data
+- * types by a MIPS compiler." -- See MIPS Run Linux (Second Edition).
++ * Align with 64KB: KEXEC needs load sections to be aligned to PAGE_SIZE,
++ * which may be as large as 64KB depending on the kernel configuration.
+ */
+
+- vmlinuz_load_addr += (16 - vmlinux_size % 16);
++ vmlinuz_load_addr += (SZ_64K - vmlinux_size % SZ_64K);
+
+ printf("0x%llx\n", vmlinuz_load_addr);
+
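Review bot: The rounding is derived from `vmlinux_size % SZ_64K` rather than from the address itself, so the result is 64KB-aligned only when `vmlinux_load_addr` already is, and a size that is an exact multiple of 64KB still gets a full extra 64KB added. Rounding the sum directly avoids both: `vmlinuz_load_addr = (vmlinuz_load_addr + SZ_64K - 1) & ~(unsigned long long)(SZ_64K - 1);`. Separately, the first hunk pulls a kernel header into a host tool by relative path, which breaks if sizes.h ever includes another kernel header; a local `#define` would be more robust. main() continues outside the hunk.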
--- /dev/null
+From bb53fdf395eed103f85061bfff3b116cee123895 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Thu, 15 Nov 2018 15:53:53 +0800
+Subject: MIPS: c-r4k: Add r4k_blast_scache_node for Loongson-3
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit bb53fdf395eed103f85061bfff3b116cee123895 upstream.
+
+For multi-node Loongson-3 (NUMA configuration), r4k_blast_scache() can
+only flush Node-0's scache. So we add r4k_blast_scache_node() by using
+(CAC_BASE | (node_id << NODE_ADDRSPACE_SHIFT)) instead of CKSEG0 as the
+start address.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+[paul.burton@mips.com: Include asm/mmzone.h from asm/r4kcache.h for
+ nid_to_addrbase(). Add asm/mach-generic/mmzone.h
+ to allow inclusion for all platforms.]
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/21129/
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <james.hogan@mips.com>
+Cc: Steven J . Hill <Steven.Hill@cavium.com>
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: <stable@vger.kernel.org> # 3.15+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/mach-generic/mmzone.h | 2 +
+ arch/mips/include/asm/mach-loongson64/mmzone.h | 1
+ arch/mips/include/asm/mmzone.h | 8 ++++
+ arch/mips/include/asm/r4kcache.h | 22 ++++++++++++
+ arch/mips/mm/c-r4k.c | 44 +++++++++++++++++++++----
+ 5 files changed, 70 insertions(+), 7 deletions(-)
+
+--- /dev/null
++++ b/arch/mips/include/asm/mach-generic/mmzone.h
+@@ -0,0 +1,2 @@
++// SPDX-License-Identifier: GPL-2.0
++/* Intentionally empty */
+--- a/arch/mips/include/asm/mach-loongson64/mmzone.h
++++ b/arch/mips/include/asm/mach-loongson64/mmzone.h
+@@ -21,6 +21,7 @@
+ #define NODE3_ADDRSPACE_OFFSET 0x300000000000UL
+
+ #define pa_to_nid(addr) (((addr) & 0xf00000000000) >> NODE_ADDRSPACE_SHIFT)
++#define nid_to_addrbase(nid) ((nid) << NODE_ADDRSPACE_SHIFT)
+
+ #define LEVELS_PER_SLICE 128
+
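Review bot: `nid_to_addrbase(nid)` shifts its argument without widening it first, so a caller passing an `int` node id would shift a 32-bit value by `NODE_ADDRSPACE_SHIFT`, which looks larger than 32 given the `0x300000000000UL` offset and the `0xf00000000000` mask above. The only caller in this patch passes a `long`, but `#define nid_to_addrbase(nid) ((unsigned long)(nid) << NODE_ADDRSPACE_SHIFT)` would make the macro safe for any integer argument.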
+--- a/arch/mips/include/asm/mmzone.h
++++ b/arch/mips/include/asm/mmzone.h
+@@ -9,6 +9,14 @@
+ #include <asm/page.h>
+ #include <mmzone.h>
+
++#ifndef pa_to_nid
++#define pa_to_nid(addr) 0
++#endif
++
++#ifndef nid_to_addrbase
++#define nid_to_addrbase(nid) 0
++#endif
++
+ #ifdef CONFIG_DISCONTIGMEM
+
+ #define pfn_to_nid(pfn) pa_to_nid((pfn) << PAGE_SHIFT)
+--- a/arch/mips/include/asm/r4kcache.h
++++ b/arch/mips/include/asm/r4kcache.h
+@@ -20,6 +20,7 @@
+ #include <asm/cpu-features.h>
+ #include <asm/cpu-type.h>
+ #include <asm/mipsmtregs.h>
++#include <asm/mmzone.h>
+ #include <linux/uaccess.h> /* for uaccess_kernel() */
+
+ extern void (*r4k_blast_dcache)(void);
+@@ -747,4 +748,25 @@ __BUILD_BLAST_CACHE_RANGE(s, scache, Hit
+ __BUILD_BLAST_CACHE_RANGE(inv_d, dcache, Hit_Invalidate_D, , )
+ __BUILD_BLAST_CACHE_RANGE(inv_s, scache, Hit_Invalidate_SD, , )
+
++/* Currently, this is very specific to Loongson-3 */
++#define __BUILD_BLAST_CACHE_NODE(pfx, desc, indexop, hitop, lsize) \
++static inline void blast_##pfx##cache##lsize##_node(long node) \
++{ \
++ unsigned long start = CAC_BASE | nid_to_addrbase(node); \
++ unsigned long end = start + current_cpu_data.desc.waysize; \
++ unsigned long ws_inc = 1UL << current_cpu_data.desc.waybit; \
++ unsigned long ws_end = current_cpu_data.desc.ways << \
++ current_cpu_data.desc.waybit; \
++ unsigned long ws, addr; \
++ \
++ for (ws = 0; ws < ws_end; ws += ws_inc) \
++ for (addr = start; addr < end; addr += lsize * 32) \
++ cache##lsize##_unroll32(addr|ws, indexop); \
++}
++
++__BUILD_BLAST_CACHE_NODE(s, scache, Index_Writeback_Inv_SD, Hit_Writeback_Inv_SD, 16)
++__BUILD_BLAST_CACHE_NODE(s, scache, Index_Writeback_Inv_SD, Hit_Writeback_Inv_SD, 32)
++__BUILD_BLAST_CACHE_NODE(s, scache, Index_Writeback_Inv_SD, Hit_Writeback_Inv_SD, 64)
++__BUILD_BLAST_CACHE_NODE(s, scache, Index_Writeback_Inv_SD, Hit_Writeback_Inv_SD, 128)
++
+ #endif /* _ASM_R4KCACHE_H */
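Review bot: `__BUILD_BLAST_CACHE_NODE` takes a `hitop` parameter that its body never uses; only `indexop` reaches `cache##lsize##_unroll32()`. Dropping the parameter (and the `Hit_Writeback_Inv_SD` argument from the four instantiations) would make it clear that these helpers perform index-type operations only. The comment above the macro could also note that `nid_to_addrbase()` evaluates to 0 on platforms that do not define it, as the asm/mmzone.h hunk arranges.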
+--- a/arch/mips/mm/c-r4k.c
++++ b/arch/mips/mm/c-r4k.c
+@@ -459,11 +459,28 @@ static void r4k_blast_scache_setup(void)
+ r4k_blast_scache = blast_scache128;
+ }
+
++static void (*r4k_blast_scache_node)(long node);
++
++static void r4k_blast_scache_node_setup(void)
++{
++ unsigned long sc_lsize = cpu_scache_line_size();
++
++ if (current_cpu_type() != CPU_LOONGSON3)
++ r4k_blast_scache_node = (void *)cache_noop;
++ else if (sc_lsize == 16)
++ r4k_blast_scache_node = blast_scache16_node;
++ else if (sc_lsize == 32)
++ r4k_blast_scache_node = blast_scache32_node;
++ else if (sc_lsize == 64)
++ r4k_blast_scache_node = blast_scache64_node;
++ else if (sc_lsize == 128)
++ r4k_blast_scache_node = blast_scache128_node;
++}
++
+ static inline void local_r4k___flush_cache_all(void * args)
+ {
+ switch (current_cpu_type()) {
+ case CPU_LOONGSON2:
+- case CPU_LOONGSON3:
+ case CPU_R4000SC:
+ case CPU_R4000MC:
+ case CPU_R4400SC:
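Review bot: On CPU_LOONGSON3 with a secondary-cache line size other than 16, 32, 64 or 128, `r4k_blast_scache_node_setup()` leaves `r4k_blast_scache_node` NULL, and the later hunks call it without a check from local_r4k___flush_cache_all() and the two DMA cache helpers. A trailing `else r4k_blast_scache_node = (void *)cache_noop;` would make the fallback explicit; whether such a line size can occur is not visible here. The `(void *)` cast also hides that `cache_noop` presumably does not take a `long` argument, so a small `static void cache_noop_node(long node) {}` would avoid calling through a mismatched pointer type. local_r4k___flush_cache_all() continues outside the hunk.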
+@@ -480,6 +497,11 @@ static inline void local_r4k___flush_cac
+ r4k_blast_scache();
+ break;
+
++ case CPU_LOONGSON3:
++ /* Use get_ebase_cpunum() for both NUMA=y/n */
++ r4k_blast_scache_node(get_ebase_cpunum() >> 2);
++ break;
++
+ case CPU_BMIPS5000:
+ r4k_blast_scache();
+ __sync();
+@@ -840,10 +862,14 @@ static void r4k_dma_cache_wback_inv(unsi
+
+ preempt_disable();
+ if (cpu_has_inclusive_pcaches) {
+- if (size >= scache_size)
+- r4k_blast_scache();
+- else
++ if (size >= scache_size) {
++ if (current_cpu_type() != CPU_LOONGSON3)
++ r4k_blast_scache();
++ else
++ r4k_blast_scache_node(pa_to_nid(addr));
++ } else {
+ blast_scache_range(addr, addr + size);
++ }
+ preempt_enable();
+ __sync();
+ return;
+@@ -877,9 +903,12 @@ static void r4k_dma_cache_inv(unsigned l
+
+ preempt_disable();
+ if (cpu_has_inclusive_pcaches) {
+- if (size >= scache_size)
+- r4k_blast_scache();
+- else {
++ if (size >= scache_size) {
++ if (current_cpu_type() != CPU_LOONGSON3)
++ r4k_blast_scache();
++ else
++ r4k_blast_scache_node(pa_to_nid(addr));
++ } else {
+ /*
+ * There is no clearly documented alignment requirement
+ * for the cache instruction on MIPS processors and
+@@ -1918,6 +1947,7 @@ void r4k_cache_init(void)
+ r4k_blast_scache_page_setup();
+ r4k_blast_scache_page_indexed_setup();
+ r4k_blast_scache_setup();
++ r4k_blast_scache_node_setup();
+ #ifdef CONFIG_EVA
+ r4k_blast_dcache_user_page_setup();
+ r4k_blast_icache_user_page_setup();
--- /dev/null
+From 92aa0718c9fa5160ad2f0e7b5bffb52f1ea1e51a Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Thu, 15 Nov 2018 15:53:54 +0800
+Subject: MIPS: Ensure pmd_present() returns false after pmd_mknotpresent()
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit 92aa0718c9fa5160ad2f0e7b5bffb52f1ea1e51a upstream.
+
+This patch is borrowed from ARM64 to ensure pmd_present() returns false
+after pmd_mknotpresent(). This is needed for THP.
+
+References: 5bb1cc0ff9a6 ("arm64: Ensure pmd_present() returns false after pmd_mknotpresent()")
+Reviewed-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/21135/
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <james.hogan@mips.com>
+Cc: Steven J . Hill <Steven.Hill@cavium.com>
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: <stable@vger.kernel.org> # 3.8+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/pgtable-64.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/mips/include/asm/pgtable-64.h
++++ b/arch/mips/include/asm/pgtable-64.h
+@@ -265,6 +265,11 @@ static inline int pmd_bad(pmd_t pmd)
+
+ static inline int pmd_present(pmd_t pmd)
+ {
++#ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT
++ if (unlikely(pmd_val(pmd) & _PAGE_HUGE))
++ return pmd_val(pmd) & _PAGE_PRESENT;
++#endif
++
+ return pmd_val(pmd) != (unsigned long) invalid_pte_table;
+ }
+
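Review bot: `return pmd_val(pmd) & _PAGE_PRESENT;` hands a masked page-table value back through an `int` return type, so the result is only right while `_PAGE_PRESENT` lies in the bits that survive the narrowing. Normalising it with `return !!(pmd_val(pmd) & _PAGE_PRESENT);` removes that dependency on the bit layout. The new branch would also benefit from a short comment such as `/* huge PMDs: pmd_mknotpresent() clears _PAGE_PRESENT but the entry still differs from invalid_pte_table */`, since the reason for the special case is only given in the commit message.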
--- /dev/null
+From ff4dd232ec45a0e45ea69f28f069f2ab22b4908a Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@mips.com>
+Date: Tue, 4 Dec 2018 23:44:12 +0000
+Subject: MIPS: Expand MIPS32 ASIDs to 64 bits
+
+From: Paul Burton <paul.burton@mips.com>
+
+commit ff4dd232ec45a0e45ea69f28f069f2ab22b4908a upstream.
+
+ASIDs have always been stored as unsigned longs, ie. 32 bits on MIPS32
+kernels. This is problematic because it is feasible for the ASID version
+to overflow & wrap around to zero.
+
+We currently attempt to handle this overflow by simply setting the ASID
+version to 1, using asid_first_version(), but we make no attempt to
+account for the fact that there may be mm_structs with stale ASIDs that
+have versions which we now reuse due to the overflow & wrap around.
+
+Encountering this requires that:
+
+ 1) A struct mm_struct X is active on CPU A using ASID (V,n).
+
+ 2) That mm is not used on CPU A for the length of time that it takes
+ for CPU A's asid_cache to overflow & wrap around to the same
+ version V that the mm had in step 1. During this time tasks using
+ the mm could either be sleeping or only scheduled on other CPUs.
+
+ 3) Some other mm Y becomes active on CPU A and is allocated the same
+ ASID (V,n).
+
+ 4) mm X now becomes active on CPU A again, and now incorrectly has the
+ same ASID as mm Y.
+
+Where struct mm_struct ASIDs are represented above in the format
+(version, EntryHi.ASID), and on a typical MIPS32 system version will be
+24 bits wide & EntryHi.ASID will be 8 bits wide.
+
+The length of time required in step 2 is highly dependent upon the CPU &
+workload, but for a hypothetical 2GHz CPU running a workload which
+generates a new ASID every 10000 cycles this period is around 248 days.
+Due to this long period of time & the fact that tasks need to be
+scheduled in just the right (or wrong, depending upon your inclination)
+way, this is obviously a difficult bug to encounter but it's entirely
+possible as evidenced by reports.
+
+In order to fix this, simply extend ASIDs to 64 bits even on MIPS32
+builds. This will extend the period of time required for the
+hypothetical system above to encounter the problem from 28 days to
+around 3 trillion years, which feels safely outside of the realms of
+possibility.
+
+The cost of this is slightly more generated code in some commonly
+executed paths, but this is pretty minimal:
+
+ | Code Size Gain | Percentage
+ -----------------------|----------------|-------------
+ decstation_defconfig | +270 | +0.00%
+ 32r2el_defconfig | +652 | +0.01%
+ 32r6el_defconfig | +1000 | +0.01%
+
+I have been unable to measure any change in performance of the LMbench
+lat_ctx or lat_proc tests resulting from the 64b ASIDs on either
+32r2el_defconfig+interAptiv or 32r6el_defconfig+I6500 systems.
+
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Suggested-by: James Hogan <jhogan@kernel.org>
+References: https://lore.kernel.org/linux-mips/80B78A8B8FEE6145A87579E8435D78C30205D5F3@fzex.ruijie.com.cn/
+References: https://lore.kernel.org/linux-mips/1488684260-18867-1-git-send-email-jiwei.sun@windriver.com/
+Cc: Jiwei Sun <jiwei.sun@windriver.com>
+Cc: Yu Huabing <yhb@ruijie.com.cn>
+Cc: stable@vger.kernel.org # 2.6.12+
+Cc: linux-mips@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/cpu-info.h | 2 +-
+ arch/mips/include/asm/mmu.h | 2 +-
+ arch/mips/include/asm/mmu_context.h | 10 ++++------
+ arch/mips/mm/c-r3k.c | 2 +-
+ 4 files changed, 7 insertions(+), 9 deletions(-)
+
+--- a/arch/mips/include/asm/cpu-info.h
++++ b/arch/mips/include/asm/cpu-info.h
+@@ -50,7 +50,7 @@ struct guest_info {
+ #define MIPS_CACHE_PINDEX 0x00000020 /* Physically indexed cache */
+
+ struct cpuinfo_mips {
+- unsigned long asid_cache;
++ u64 asid_cache;
+ #ifdef CONFIG_MIPS_ASID_BITS_VARIABLE
+ unsigned long asid_mask;
+ #endif
+--- a/arch/mips/include/asm/mmu.h
++++ b/arch/mips/include/asm/mmu.h
+@@ -7,7 +7,7 @@
+ #include <linux/wait.h>
+
+ typedef struct {
+- unsigned long asid[NR_CPUS];
++ u64 asid[NR_CPUS];
+ void *vdso;
+ atomic_t fp_mode_switching;
+
+--- a/arch/mips/include/asm/mmu_context.h
++++ b/arch/mips/include/asm/mmu_context.h
+@@ -76,14 +76,14 @@ extern unsigned long pgd_current[];
+ * All unused by hardware upper bits will be considered
+ * as a software asid extension.
+ */
+-static unsigned long asid_version_mask(unsigned int cpu)
++static inline u64 asid_version_mask(unsigned int cpu)
+ {
+ unsigned long asid_mask = cpu_asid_mask(&cpu_data[cpu]);
+
+- return ~(asid_mask | (asid_mask - 1));
++ return ~(u64)(asid_mask | (asid_mask - 1));
+ }
+
+-static unsigned long asid_first_version(unsigned int cpu)
++static inline u64 asid_first_version(unsigned int cpu)
+ {
+ return ~asid_version_mask(cpu) + 1;
+ }
+@@ -102,14 +102,12 @@ static inline void enter_lazy_tlb(struct
+ static inline void
+ get_new_mmu_context(struct mm_struct *mm, unsigned long cpu)
+ {
+- unsigned long asid = asid_cache(cpu);
++ u64 asid = asid_cache(cpu);
+
+ if (!((asid += cpu_asid_inc()) & cpu_asid_mask(&cpu_data[cpu]))) {
+ if (cpu_has_vtag_icache)
+ flush_icache_all();
+ local_flush_tlb_all(); /* start new asid cycle */
+- if (!asid) /* fix version if needed */
+- asid = asid_first_version(cpu);
+ }
+
+ cpu_context(cpu, mm) = asid_cache(cpu) = asid;
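Review bot: With the `if (!asid)` fix-up removed, get_new_mmu_context() now relies on the 64-bit ASID version never wrapping, but nothing in the code records that. Zero appears to be reserved as "no ASID" (see the c-r3k.c hunk below), and a reused version would let two mms share TLB entries, so the assumption deserves a comment at the increment, e.g. `/* asid is u64: the version field cannot realistically wrap, so no fix-up to asid_first_version() is needed */`. On MIPS32 the assignment `cpu_context(cpu, mm) = asid_cache(cpu) = asid;` is now presumably two 32-bit stores each. It is worth confirming that no other CPU reads or clears these fields concurrently in a way that could observe a torn value. The function continues past the end of this hunk.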
+--- a/arch/mips/mm/c-r3k.c
++++ b/arch/mips/mm/c-r3k.c
+@@ -245,7 +245,7 @@ static void r3k_flush_cache_page(struct
+ pmd_t *pmdp;
+ pte_t *ptep;
+
+- pr_debug("cpage[%08lx,%08lx]\n",
++ pr_debug("cpage[%08llx,%08lx]\n",
+ cpu_context(smp_processor_id(), mm), addr);
+
+ /* No ASID => no such page in the cache. */
--- /dev/null
+From db1ce3f5d01d2d6d5714aefba0159d2cb5167a0b Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Tue, 25 Dec 2018 08:51:01 +0800
+Subject: MIPS: Fix a R10000_LLSC_WAR logic in atomic.h
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit db1ce3f5d01d2d6d5714aefba0159d2cb5167a0b upstream.
+
+Commit 4936084c2ee2 ("MIPS: Cleanup R10000_LLSC_WAR logic in atomic.h")
+introduced a mistake in atomic64_fetch_##op##_relaxed(), because it
+forgot to delete R10000_LLSC_WAR from the if-condition. So fix it.
+
+Fixes: 4936084c2ee2 ("MIPS: Cleanup R10000_LLSC_WAR logic in atomic.h")
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: Joshua Kinard <kumba@gentoo.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Steven J . Hill <Steven.Hill@cavium.com>
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org # 4.19+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/atomic.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/atomic.h
++++ b/arch/mips/include/asm/atomic.h
+@@ -306,7 +306,7 @@ static __inline__ long atomic64_fetch_##
+ { \
+ long result; \
+ \
+- if (kernel_uses_llsc && R10000_LLSC_WAR) { \
++ if (kernel_uses_llsc) { \
+ long temp; \
+ \
+ __asm__ __volatile__( \
--- /dev/null
+From adcc81f148d733b7e8e641300c5590a2cdc13bf3 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@mips.com>
+Date: Thu, 20 Dec 2018 17:45:43 +0000
+Subject: MIPS: math-emu: Write-protect delay slot emulation pages
+
+From: Paul Burton <paul.burton@mips.com>
+
+commit adcc81f148d733b7e8e641300c5590a2cdc13bf3 upstream.
+
+Mapping the delay slot emulation page as both writeable & executable
+presents a security risk, in that if an exploit can write to & jump into
+the page then it can be used as an easy way to execute arbitrary code.
+
+Prevent this by mapping the page read-only for userland, and using
+access_process_vm() with the FOLL_FORCE flag to write to it from
+mips_dsemul().
+
+This will likely be less efficient due to copy_to_user_page() performing
+cache maintenance on a whole page, rather than a single line as in the
+previous use of flush_cache_sigtramp(). However this delay slot
+emulation code ought not to be running in any performance critical paths
+anyway so this isn't really a problem, and we can probably do better in
+copy_to_user_page() anyway in future.
+
+A major advantage of this approach is that the fix is small & simple to
+backport to stable kernels.
+
+Reported-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions")
+Cc: stable@vger.kernel.org # v4.8+
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: Rich Felker <dalias@libc.org>
+Cc: David Daney <david.daney@cavium.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/vdso.c | 4 ++--
+ arch/mips/math-emu/dsemul.c | 38 ++++++++++++++++++++------------------
+ 2 files changed, 22 insertions(+), 20 deletions(-)
+
+--- a/arch/mips/kernel/vdso.c
++++ b/arch/mips/kernel/vdso.c
+@@ -126,8 +126,8 @@ int arch_setup_additional_pages(struct l
+
+ /* Map delay slot emulation page */
+ base = mmap_region(NULL, STACK_TOP, PAGE_SIZE,
+- VM_READ|VM_WRITE|VM_EXEC|
+- VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
++ VM_READ | VM_EXEC |
++ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
+ 0, NULL);
+ if (IS_ERR_VALUE(base)) {
+ ret = base;
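Review bot: The new flag set drops `VM_WRITE` but keeps `VM_MAYWRITE`, so the page is read-only only as its initial state; nothing visible in this hunk prevents the owning process from requesting write access again through mprotect(). The bit is presumably retained because the `FOLL_FORCE | FOLL_WRITE` path in mips_dsemul() needs it, and that should be said next to the flags, e.g. `/* VM_MAYWRITE kept only so the kernel can write frames via FOLL_FORCE; userland gets no VM_WRITE */`. It would also be worth confirming whether a later mprotect() on this mapping should be refused, so that the write-xor-execute property holds for the lifetime of the mapping. arch_setup_additional_pages() starts and ends outside the hunk.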
+--- a/arch/mips/math-emu/dsemul.c
++++ b/arch/mips/math-emu/dsemul.c
+@@ -214,8 +214,9 @@ int mips_dsemul(struct pt_regs *regs, mi
+ {
+ int isa16 = get_isa16_mode(regs->cp0_epc);
+ mips_instruction break_math;
+- struct emuframe __user *fr;
+- int err, fr_idx;
++ unsigned long fr_uaddr;
++ struct emuframe fr;
++ int fr_idx, ret;
+
+ /* NOP is easy */
+ if (ir == 0)
+@@ -250,27 +251,31 @@ int mips_dsemul(struct pt_regs *regs, mi
+ fr_idx = alloc_emuframe();
+ if (fr_idx == BD_EMUFRAME_NONE)
+ return SIGBUS;
+- fr = &dsemul_page()[fr_idx];
+
+ /* Retrieve the appropriately encoded break instruction */
+ break_math = BREAK_MATH(isa16);
+
+ /* Write the instructions to the frame */
+ if (isa16) {
+- err = __put_user(ir >> 16,
+- (u16 __user *)(&fr->emul));
+- err |= __put_user(ir & 0xffff,
+- (u16 __user *)((long)(&fr->emul) + 2));
+- err |= __put_user(break_math >> 16,
+- (u16 __user *)(&fr->badinst));
+- err |= __put_user(break_math & 0xffff,
+- (u16 __user *)((long)(&fr->badinst) + 2));
++ union mips_instruction _emul = {
++ .halfword = { ir >> 16, ir }
++ };
++ union mips_instruction _badinst = {
++ .halfword = { break_math >> 16, break_math }
++ };
++
++ fr.emul = _emul.word;
++ fr.badinst = _badinst.word;
+ } else {
+- err = __put_user(ir, &fr->emul);
+- err |= __put_user(break_math, &fr->badinst);
++ fr.emul = ir;
++ fr.badinst = break_math;
+ }
+
+- if (unlikely(err)) {
++ /* Write the frame to user memory */
++ fr_uaddr = (unsigned long)&dsemul_page()[fr_idx];
++ ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr),
++ FOLL_FORCE | FOLL_WRITE);
++ if (unlikely(ret != sizeof(fr))) {
+ MIPS_FPU_EMU_INC_STATS(errors);
+ free_emuframe(fr_idx, current->mm);
+ return SIGBUS;
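Review bot: `fr` is now an uninitialised `struct emuframe` on the kernel stack, and `access_process_vm(current, fr_uaddr, &fr, sizeof(fr), ...)` copies all of it into a user-readable page, while only `fr.emul` and `fr.badinst` are assigned. If the struct has, or later gains, padding or any further member, those bytes would carry stale kernel stack contents to userland. Zeroing it first, with `memset(&fr, 0, sizeof(fr));` ahead of the `if (isa16)` block, closes that off at no real cost. The declaration is in the previous hunk, and mips_dsemul() continues past this one.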
+@@ -282,10 +287,7 @@ int mips_dsemul(struct pt_regs *regs, mi
+ atomic_set(¤t->thread.bd_emu_frame, fr_idx);
+
+ /* Change user register context to execute the frame */
+- regs->cp0_epc = (unsigned long)&fr->emul | isa16;
+-
+- /* Ensure the icache observes our newly written frame */
+- flush_cache_sigtramp((unsigned long)&fr->emul);
++ regs->cp0_epc = fr_uaddr | isa16;
+
+ return 0;
+ }
--- /dev/null
+From edefae94b7b9f10d5efe32dece5a36e9d9ecc29e Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Wed, 2 Jan 2019 20:43:01 +0200
+Subject: MIPS: OCTEON: mark RGMII interface disabled on OCTEON III
+
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+
+commit edefae94b7b9f10d5efe32dece5a36e9d9ecc29e upstream.
+
+Commit 885872b722b7 ("MIPS: Octeon: Add Octeon III CN7xxx
+interface detection") added RGMII interface detection for OCTEON III,
+but it results in the following logs:
+
+[ 7.165984] ERROR: Unsupported Octeon model in __cvmx_helper_rgmii_probe
+[ 7.173017] ERROR: Unsupported Octeon model in __cvmx_helper_rgmii_probe
+
+The current RGMII routines are valid only for older OCTEONS that
+use GMX/ASX hardware blocks. On later chips AGL should be used,
+but support for that is missing in the mainline. Until that is added,
+mark the interface as disabled.
+
+Fixes: 885872b722b7 ("MIPS: Octeon: Add Octeon III CN7xxx interface detection")
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: stable@vger.kernel.org # 4.7+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/cavium-octeon/executive/cvmx-helper.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/cavium-octeon/executive/cvmx-helper.c
++++ b/arch/mips/cavium-octeon/executive/cvmx-helper.c
+@@ -286,7 +286,8 @@ static cvmx_helper_interface_mode_t __cv
+ case 3:
+ return CVMX_HELPER_INTERFACE_MODE_LOOP;
+ case 4:
+- return CVMX_HELPER_INTERFACE_MODE_RGMII;
++ /* TODO: Implement support for AGL (RGMII). */
++ return CVMX_HELPER_INTERFACE_MODE_DISABLED;
+ default:
+ return CVMX_HELPER_INTERFACE_MODE_DISABLED;
+ }
--- /dev/null
+From 260683137ab5276113fc322fdbbc578024185fee Mon Sep 17 00:00:00 2001
+From: Nava kishore Manne <nava.manne@xilinx.com>
+Date: Tue, 18 Dec 2018 13:18:42 +0100
+Subject: serial: uartps: Fix interrupt mask issue to handle the RX interrupts properly
+
+From: Nava kishore Manne <nava.manne@xilinx.com>
+
+commit 260683137ab5276113fc322fdbbc578024185fee upstream.
+
+This patch corrects the RX interrupt mask value to handle the
+RX interrupts properly.
+
+Fixes: c8dbdc842d30 ("serial: xuartps: Rewrite the interrupt handling logic")
+Signed-off-by: Nava kishore Manne <nava.manne@xilinx.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/xilinx_uartps.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/xilinx_uartps.c
++++ b/drivers/tty/serial/xilinx_uartps.c
+@@ -125,7 +125,7 @@ MODULE_PARM_DESC(rx_timeout, "Rx timeout
+ #define CDNS_UART_IXR_RXTRIG 0x00000001 /* RX FIFO trigger interrupt */
+ #define CDNS_UART_IXR_RXFULL 0x00000004 /* RX FIFO full interrupt. */
+ #define CDNS_UART_IXR_RXEMPTY 0x00000002 /* RX FIFO empty interrupt. */
+-#define CDNS_UART_IXR_MASK 0x00001FFF /* Valid bit mask */
++#define CDNS_UART_IXR_RXMASK 0x000021e7 /* Valid RX bit mask */
+
+ /*
+ * Do not enable parity error interrupt for the following
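Review bot: `CDNS_UART_IXR_RXMASK` is defined as the bare literal `0x000021e7`, directly below named bit definitions such as `CDNS_UART_IXR_RXTRIG`, `CDNS_UART_IXR_RXFULL` and `CDNS_UART_IXR_RXEMPTY`, so a reader cannot tell which status bits are meant to route into cdns_uart_handle_rx(). Building the mask by OR-ing the named `CDNS_UART_IXR_*` bits, or at least listing the covered bits in the trailing comment, would make a wrong or missing bit visible in review. The lower-case hex digits also differ from the upper-case `0x00001FFF` style of the line being replaced.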
+@@ -362,7 +362,7 @@ static irqreturn_t cdns_uart_isr(int irq
+ cdns_uart_handle_tx(dev_id);
+ isrstatus &= ~CDNS_UART_IXR_TXEMPTY;
+ }
+- if (isrstatus & CDNS_UART_IXR_MASK)
++ if (isrstatus & CDNS_UART_IXR_RXMASK)
+ cdns_uart_handle_rx(dev_id, isrstatus);
+
+ spin_unlock(&port->lock);
powerpc-tm-unset-msr-if-not-recheckpointing.patch
dax-don-t-access-a-freed-inode.patch
dax-use-non-exclusive-wait-in-wait_entry_unlocked.patch
+f2fs-read-page-index-before-freeing.patch
+f2fs-fix-validation-of-the-block-count-in-sanity_check_raw_super.patch
+f2fs-sanity-check-of-xattr-entry-size.patch
+serial-uartps-fix-interrupt-mask-issue-to-handle-the-rx-interrupts-properly.patch
+media-cec-keep-track-of-outstanding-transmits.patch
+media-cec-pin-fix-broken-tx_ignore_nack_until_eom-error-injection.patch
+media-rc-cec-devices-do-not-have-a-lirc-chardev.patch
+media-imx274-fix-stack-corruption-in-imx274_read_reg.patch
+media-vivid-free-bitmap_cap-when-updating-std-timings-etc.patch
+media-vb2-check-memory-model-for-vidioc_create_bufs.patch
+media-v4l2-tpg-array-index-could-become-negative.patch
+tools-lib-traceevent-fix-processing-of-dereferenced-args-in-bprintk-events.patch
+mips-math-emu-write-protect-delay-slot-emulation-pages.patch
+mips-c-r4k-add-r4k_blast_scache_node-for-loongson-3.patch
+mips-ensure-pmd_present-returns-false-after-pmd_mknotpresent.patch
+mips-align-kernel-load-address-to-64kb.patch
+mips-expand-mips32-asids-to-64-bits.patch
+mips-octeon-mark-rgmii-interface-disabled-on-octeon-iii.patch
+mips-fix-a-r10000_llsc_war-logic-in-atomic.h.patch
--- /dev/null
+From f024cf085c423bac7512479f45c34ee9a24af7ce Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Mon, 10 Dec 2018 13:45:22 -0500
+Subject: tools lib traceevent: Fix processing of dereferenced args in bprintk events
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit f024cf085c423bac7512479f45c34ee9a24af7ce upstream.
+
+In the case that a bprintk event has a dereferenced pointer that is
+stored as a string, and there's more values to process (more args), the
+arg was not updated to point to the next arg after processing the
+dereferenced pointer, and it screwed up what was to be displayed.
+
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: linux-trace-devel@vger.kernel.org
+Cc: stable@vger.kernel.org
+Fixes: 37db96bb49629 ("tools lib traceevent: Handle new pointer processing of bprint strings")
+Link: http://lkml.kernel.org/r/20181210134522.3f71e2ca@gandalf.local.home
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/lib/traceevent/event-parse.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/lib/traceevent/event-parse.c
++++ b/tools/lib/traceevent/event-parse.c
+@@ -4968,6 +4968,7 @@ static void pretty_print(struct trace_se
+
+ if (arg->type == PRINT_BSTRING) {
+ trace_seq_puts(s, arg->string.string);
++ arg = arg->next;
+ break;
+ }
+