From: Greg Kroah-Hartman Date: Wed, 8 Mar 2017 06:59:33 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.4.53~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1d945d1e1cfc15fd5561da8bd6b958f43b091df5;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: am437x-vpfe-always-assign-bpp-variable.patch media-fix-dm1105.c-build-error.patch mips-bcm47xx-fix-button-inversion-for-asus-wl-500w.patch mips-calculate-micromips-ra-properly-when-unwinding-the-stack.patch mips-clear-isa-bit-correctly-in-get_frame_info.patch mips-fix-get_frame_info-handling-of-micromips-function-size.patch mips-fix-is_jump_ins-handling-of-16b-micromips-instructions.patch mips-fix-special-case-in-64-bit-ip-checksumming.patch mips-handle-micromips-jumps-in-the-same-way-as-mips32-mips64-jumps.patch mips-lantiq-keep-ethernet-enabled-during-boot.patch mips-octeon-fix-copy_from_user-fault-handling-for-large-buffers.patch mips-prevent-unaligned-accesses-during-stack-unwinding.patch uvcvideo-fix-a-wrong-macro.patch --- diff --git a/queue-4.4/am437x-vpfe-always-assign-bpp-variable.patch b/queue-4.4/am437x-vpfe-always-assign-bpp-variable.patch new file mode 100644 index 00000000000..4a73e08483b --- /dev/null +++ b/queue-4.4/am437x-vpfe-always-assign-bpp-variable.patch @@ -0,0 +1,41 @@ +From 6ebf75774f823ddbdbd10921006989d4df222f4a Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss +Date: Tue, 27 Dec 2016 16:02:36 -0200 +Subject: [media] am437x-vpfe: always assign bpp variable + +From: Nicolas Iooss + +commit 6ebf75774f823ddbdbd10921006989d4df222f4a upstream. + +In vpfe_s_fmt(), when the sensor format and the requested format were +the same, bpp was assigned to vpfe->bpp without being initialized first. + +Grab the bpp value that is currently used by using __vpfe_get_format() +instead of its wrapper, vpfe_try_fmt(). + +This use of uninitialized variable has been found by compiling the +kernel with clang. + +Fixes: 417d2e507edc ("[media] media: platform: add VPFE capture driver +support for AM437X") + +Signed-off-by: Nicolas Iooss +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/am437x/am437x-vpfe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/am437x/am437x-vpfe.c ++++ b/drivers/media/platform/am437x/am437x-vpfe.c +@@ -1576,7 +1576,7 @@ static int vpfe_s_fmt(struct file *file, + return -EBUSY; + } + +- ret = vpfe_try_fmt(file, priv, &format); ++ ret = __vpfe_get_format(vpfe, &format, &bpp); + if (ret) + return ret; + diff --git a/queue-4.4/media-fix-dm1105.c-build-error.patch b/queue-4.4/media-fix-dm1105.c-build-error.patch new file mode 100644 index 00000000000..e934084c046 --- /dev/null +++ b/queue-4.4/media-fix-dm1105.c-build-error.patch @@ -0,0 +1,36 @@ +From e3bb3cddd177550d63a3e4909cf1a7782f13414d Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Sat, 7 Jan 2017 23:08:49 -0200 +Subject: [media] media: fix dm1105.c build error + +From: Randy Dunlap + +commit e3bb3cddd177550d63a3e4909cf1a7782f13414d upstream. + +Fix dm1105 build error when CONFIG_I2C_ALGOBIT=m and +CONFIG_DVB_DM1105=y. + +drivers/built-in.o: In function `dm1105_probe': +dm1105.c:(.text+0x2836e7): undefined reference to `i2c_bit_add_bus' + +Signed-off-by: Randy Dunlap +Reported-by: kbuild test robot +Cc: Javier Martinez Canillas +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/pci/dm1105/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/pci/dm1105/Kconfig ++++ b/drivers/media/pci/dm1105/Kconfig +@@ -1,6 +1,6 @@ + config DVB_DM1105 + tristate "SDMC DM1105 based PCI cards" +- depends on DVB_CORE && PCI && I2C ++ depends on DVB_CORE && PCI && I2C && I2C_ALGOBIT + select DVB_PLL if MEDIA_SUBDRV_AUTOSELECT + select DVB_STV0299 if MEDIA_SUBDRV_AUTOSELECT + select DVB_STV0288 if MEDIA_SUBDRV_AUTOSELECT diff --git a/queue-4.4/mips-bcm47xx-fix-button-inversion-for-asus-wl-500w.patch b/queue-4.4/mips-bcm47xx-fix-button-inversion-for-asus-wl-500w.patch new file mode 100644 index 00000000000..fcc117e302f --- /dev/null +++ b/queue-4.4/mips-bcm47xx-fix-button-inversion-for-asus-wl-500w.patch @@ -0,0 +1,54 @@ +From bdfdaf1a016ef09cb941f2edad485a713510b8d5 Mon Sep 17 00:00:00 2001 +From: Mirko Parthey +Date: Wed, 15 Feb 2017 23:31:30 +0100 +Subject: MIPS: BCM47XX: Fix button inversion for Asus WL-500W +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mirko Parthey + +commit bdfdaf1a016ef09cb941f2edad485a713510b8d5 upstream. + +The Asus WL-500W buttons are active high, but the software treats them +as active low. Fix the inverted logic. + +Fixes: 3be972556fa1 ("MIPS: BCM47XX: Import buttons database from OpenWrt") +Signed-off-by: Mirko Parthey +Acked-by: Rafał Miłecki +Cc: Hauke Mehrtens +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/15295/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/bcm47xx/buttons.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/arch/mips/bcm47xx/buttons.c ++++ b/arch/mips/bcm47xx/buttons.c +@@ -17,6 +17,12 @@ + .active_low = 1, \ + } + ++#define BCM47XX_GPIO_KEY_H(_gpio, _code) \ ++ { \ ++ .code = _code, \ ++ .gpio = _gpio, \ ++ } ++ + /* Asus */ + + static const struct gpio_keys_button +@@ -79,8 +85,8 @@ bcm47xx_buttons_asus_wl500gpv2[] __initc + + static const struct gpio_keys_button + bcm47xx_buttons_asus_wl500w[] __initconst = { +- BCM47XX_GPIO_KEY(6, KEY_RESTART), +- BCM47XX_GPIO_KEY(7, KEY_WPS_BUTTON), ++ BCM47XX_GPIO_KEY_H(6, KEY_RESTART), ++ BCM47XX_GPIO_KEY_H(7, KEY_WPS_BUTTON), + }; + + static const struct gpio_keys_button diff --git a/queue-4.4/mips-calculate-micromips-ra-properly-when-unwinding-the-stack.patch b/queue-4.4/mips-calculate-micromips-ra-properly-when-unwinding-the-stack.patch new file mode 100644 index 00000000000..eb1864b2741 --- /dev/null +++ b/queue-4.4/mips-calculate-micromips-ra-properly-when-unwinding-the-stack.patch @@ -0,0 +1,169 @@ +From bb9bc4689b9c635714fbcd5d335bad9934a7ebfc Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Mon, 7 Nov 2016 15:07:06 +0000 +Subject: MIPS: Calculate microMIPS ra properly when unwinding the stack + +From: Paul Burton + +commit bb9bc4689b9c635714fbcd5d335bad9934a7ebfc upstream. + +get_frame_info() calculates the offset of the return address within a +stack frame simply by dividing a the bottom 16 bits of the instruction, +treated as a signed integer, by the size of a long. Whilst this works +for MIPS32 & MIPS64 ISAs where the sw or sd instructions are used, it's +incorrect for microMIPS where encodings differ. The result is that we +typically completely fail to unwind the stack on microMIPS. + +Fix this by adjusting is_ra_save_ins() to calculate the return address +offset, and take into account the various different encodings there in +the same place as we consider whether an instruction is storing the +ra/$31 register. + +With this we are now able to unwind the stack for kernels targetting the +microMIPS ISA, for example we can produce: + + Call Trace: + [<80109e1f>] show_stack+0x63/0x7c + [<8011ea17>] __warn+0x9b/0xac + [<8011ea45>] warn_slowpath_fmt+0x1d/0x20 + [<8013fe53>] register_console+0x43/0x314 + [<8067c58d>] of_setup_earlycon+0x1dd/0x1ec + [<8067f63f>] early_init_dt_scan_chosen_stdout+0xe7/0xf8 + [<8066c115>] do_early_param+0x75/0xac + [<801302f9>] parse_args+0x1dd/0x308 + [<8066c459>] parse_early_options+0x25/0x28 + [<8066c48b>] parse_early_param+0x2f/0x38 + [<8066e8cf>] setup_arch+0x113/0x488 + [<8066c4f3>] start_kernel+0x57/0x328 + ---[ end trace 0000000000000000 ]--- + +Whereas previously we only produced: + + Call Trace: + [<80109e1f>] show_stack+0x63/0x7c + ---[ end trace 0000000000000000 ]--- + +Signed-off-by: Paul Burton +Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.") +Cc: Leonid Yegoshin +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/14532/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/process.c | 85 +++++++++++++++++++++++++++++++++------------ + 1 file changed, 64 insertions(+), 21 deletions(-) + +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -191,7 +191,7 @@ struct mips_frame_info { + #define J_TARGET(pc,target) \ + (((unsigned long)(pc) & 0xf0000000) | ((target) << 2)) + +-static inline int is_ra_save_ins(union mips_instruction *ip) ++static inline int is_ra_save_ins(union mips_instruction *ip, int *poff) + { + #ifdef CONFIG_CPU_MICROMIPS + /* +@@ -204,25 +204,70 @@ static inline int is_ra_save_ins(union m + * microMIPS is way more fun... + */ + if (mm_insn_16bit(ip->halfword[1])) { +- return (ip->mm16_r5_format.opcode == mm_swsp16_op && +- ip->mm16_r5_format.rt == 31) || +- (ip->mm16_m_format.opcode == mm_pool16c_op && +- ip->mm16_m_format.func == mm_swm16_op); +- } +- else { +- return (ip->mm_m_format.opcode == mm_pool32b_op && +- ip->mm_m_format.rd > 9 && +- ip->mm_m_format.base == 29 && +- ip->mm_m_format.func == mm_swm32_func) || +- (ip->i_format.opcode == mm_sw32_op && +- ip->i_format.rs == 29 && +- ip->i_format.rt == 31); ++ switch (ip->mm16_r5_format.opcode) { ++ case mm_swsp16_op: ++ if (ip->mm16_r5_format.rt != 31) ++ return 0; ++ ++ *poff = ip->mm16_r5_format.simmediate; ++ *poff = (*poff << 2) / sizeof(ulong); ++ return 1; ++ ++ case mm_pool16c_op: ++ switch (ip->mm16_m_format.func) { ++ case mm_swm16_op: ++ *poff = ip->mm16_m_format.imm; ++ *poff += 1 + ip->mm16_m_format.rlist; ++ *poff = (*poff << 2) / sizeof(ulong); ++ return 1; ++ ++ default: ++ return 0; ++ } ++ ++ default: ++ return 0; ++ } ++ } ++ ++ switch (ip->i_format.opcode) { ++ case mm_sw32_op: ++ if (ip->i_format.rs != 29) ++ return 0; ++ if (ip->i_format.rt != 31) ++ return 0; ++ ++ *poff = ip->i_format.simmediate / sizeof(ulong); ++ return 1; ++ ++ case mm_pool32b_op: ++ switch (ip->mm_m_format.func) { ++ case mm_swm32_func: ++ if (ip->mm_m_format.rd < 0x10) ++ return 0; ++ if (ip->mm_m_format.base != 29) ++ return 0; ++ ++ *poff = ip->mm_m_format.simmediate; ++ *poff += (ip->mm_m_format.rd & 0xf) * sizeof(u32); ++ *poff /= sizeof(ulong); ++ return 1; ++ default: ++ return 0; ++ } ++ ++ default: ++ return 0; + } + #else + /* sw / sd $ra, offset($sp) */ +- return (ip->i_format.opcode == sw_op || ip->i_format.opcode == sd_op) && +- ip->i_format.rs == 29 && +- ip->i_format.rt == 31; ++ if ((ip->i_format.opcode == sw_op || ip->i_format.opcode == sd_op) && ++ ip->i_format.rs == 29 && ip->i_format.rt == 31) { ++ *poff = ip->i_format.simmediate / sizeof(ulong); ++ return 1; ++ } ++ ++ return 0; + #endif + } + +@@ -345,11 +390,9 @@ static int get_frame_info(struct mips_fr + } + continue; + } +- if (info->pc_offset == -1 && is_ra_save_ins(&insn)) { +- info->pc_offset = +- ip->i_format.simmediate / sizeof(long); ++ if (info->pc_offset == -1 && ++ is_ra_save_ins(&insn, &info->pc_offset)) + break; +- } + } + if (info->frame_size && info->pc_offset >= 0) /* nested */ + return 0; diff --git a/queue-4.4/mips-clear-isa-bit-correctly-in-get_frame_info.patch b/queue-4.4/mips-clear-isa-bit-correctly-in-get_frame_info.patch new file mode 100644 index 00000000000..34ad9bf1f2a --- /dev/null +++ b/queue-4.4/mips-clear-isa-bit-correctly-in-get_frame_info.patch @@ -0,0 +1,55 @@ +From ccaf7caf2c73c6db920772bf08bf1d47b2170634 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Mon, 7 Nov 2016 15:07:02 +0000 +Subject: MIPS: Clear ISA bit correctly in get_frame_info() + +From: Paul Burton + +commit ccaf7caf2c73c6db920772bf08bf1d47b2170634 upstream. + +get_frame_info() can be called in microMIPS kernels with the ISA bit +already clear. For example this happens when unwind_stack_by_address() +is called because we begin with a PC that has the ISA bit set & subtract +the (odd) offset from the preceding symbol (which does not have the ISA +bit set). Since get_frame_info() unconditionally subtracts 1 from the PC +in microMIPS kernels it incorrectly misaligns the address it then +attempts to access code at, leading to an address error exception. + +Fix this by using msk_isa16_mode() to clear the ISA bit, which allows +get_frame_info() to function regardless of whether it is provided with a +PC that has the ISA bit set or not. + +Signed-off-by: Paul Burton +Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.") +Cc: Leonid Yegoshin +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/14528/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/process.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -299,17 +299,14 @@ static inline int is_sp_move_ins(union m + + static int get_frame_info(struct mips_frame_info *info) + { +-#ifdef CONFIG_CPU_MICROMIPS +- union mips_instruction *ip = (void *) (((char *) info->func) - 1); +-#else +- union mips_instruction *ip = info->func; +-#endif ++ union mips_instruction *ip; + unsigned max_insns = info->func_size / sizeof(union mips_instruction); + unsigned i; + + info->pc_offset = -1; + info->frame_size = 0; + ++ ip = (void *)msk_isa16_mode((ulong)info->func); + if (!ip) + goto err; + diff --git a/queue-4.4/mips-fix-get_frame_info-handling-of-micromips-function-size.patch b/queue-4.4/mips-fix-get_frame_info-handling-of-micromips-function-size.patch new file mode 100644 index 00000000000..4eee8692ab8 --- /dev/null +++ b/queue-4.4/mips-fix-get_frame_info-handling-of-micromips-function-size.patch @@ -0,0 +1,61 @@ +From b6c7a324df37bf05ef7a2c1580683cf10d082d97 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Mon, 7 Nov 2016 15:07:04 +0000 +Subject: MIPS: Fix get_frame_info() handling of microMIPS function size + +From: Paul Burton + +commit b6c7a324df37bf05ef7a2c1580683cf10d082d97 upstream. + +get_frame_info() is meant to iterate over up to the first 128 +instructions within a function, but for microMIPS kernels it will not +reach that many instructions unless the function is 512 bytes long since +we calculate the maximum number of instructions to check by dividing the +function length by the 4 byte size of a union mips_instruction. In +microMIPS kernels this won't do since instructions are variable length. + +Fix this by instead checking whether the pointer to the current +instruction has reached the end of the function, and use max_insns as a +simple constant to check the number of iterations against. + +Signed-off-by: Paul Burton +Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.") +Cc: Leonid Yegoshin +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/14530/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/process.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -289,9 +289,9 @@ static inline int is_sp_move_ins(union m + static int get_frame_info(struct mips_frame_info *info) + { + bool is_mmips = IS_ENABLED(CONFIG_CPU_MICROMIPS); +- union mips_instruction insn, *ip; +- unsigned max_insns = info->func_size / sizeof(union mips_instruction); +- unsigned i; ++ union mips_instruction insn, *ip, *ip_end; ++ const unsigned int max_insns = 128; ++ unsigned int i; + + info->pc_offset = -1; + info->frame_size = 0; +@@ -300,11 +300,9 @@ static int get_frame_info(struct mips_fr + if (!ip) + goto err; + +- if (max_insns == 0) +- max_insns = 128U; /* unknown function size */ +- max_insns = min(128U, max_insns); ++ ip_end = (void *)ip + info->func_size; + +- for (i = 0; i < max_insns; i++, ip++) { ++ for (i = 0; i < max_insns && ip < ip_end; i++, ip++) { + if (is_mmips && mm_insn_16bit(ip->halfword[0])) { + insn.halfword[0] = 0; + insn.halfword[1] = ip->halfword[0]; diff --git a/queue-4.4/mips-fix-is_jump_ins-handling-of-16b-micromips-instructions.patch b/queue-4.4/mips-fix-is_jump_ins-handling-of-16b-micromips-instructions.patch new file mode 100644 index 00000000000..3d0ac04fb5a --- /dev/null +++ b/queue-4.4/mips-fix-is_jump_ins-handling-of-16b-micromips-instructions.patch @@ -0,0 +1,45 @@ +From 67c75057709a6d85c681c78b9b2f9b71191f01a2 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Mon, 7 Nov 2016 15:07:05 +0000 +Subject: MIPS: Fix is_jump_ins() handling of 16b microMIPS instructions + +From: Paul Burton + +commit 67c75057709a6d85c681c78b9b2f9b71191f01a2 upstream. + +is_jump_ins() checks 16b instruction fields without verifying that the +instruction is indeed 16b, as is done by is_ra_save_ins() & +is_sp_move_ins(). Add the appropriate check. + +Signed-off-by: Paul Burton +Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.") +Cc: Leonid Yegoshin +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/14531/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/process.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -237,9 +237,14 @@ static inline int is_jump_ins(union mips + * + * microMIPS is kind of more fun... + */ +- if ((ip->mm16_r5_format.opcode == mm_pool16c_op && +- (ip->mm16_r5_format.rt & mm_jr16_op) == mm_jr16_op) || +- ip->j_format.opcode == mm_jal32_op) ++ if (mm_insn_16bit(ip->halfword[1])) { ++ if ((ip->mm16_r5_format.opcode == mm_pool16c_op && ++ (ip->mm16_r5_format.rt & mm_jr16_op) == mm_jr16_op)) ++ return 1; ++ return 0; ++ } ++ ++ if (ip->j_format.opcode == mm_jal32_op) + return 1; + if (ip->r_format.opcode != mm_pool32a_op || + ip->r_format.func != mm_pool32axf_op) diff --git a/queue-4.4/mips-fix-special-case-in-64-bit-ip-checksumming.patch b/queue-4.4/mips-fix-special-case-in-64-bit-ip-checksumming.patch new file mode 100644 index 00000000000..cd86f73cae7 --- /dev/null +++ b/queue-4.4/mips-fix-special-case-in-64-bit-ip-checksumming.patch @@ -0,0 +1,37 @@ +From 66fd848cadaa6be974a8c780fbeb328f0af4d3bd Mon Sep 17 00:00:00 2001 +From: Ralf Baechle +Date: Thu, 26 Jan 2017 02:16:47 +0100 +Subject: MIPS: Fix special case in 64 bit IP checksumming. + +From: Ralf Baechle + +commit 66fd848cadaa6be974a8c780fbeb328f0af4d3bd upstream. + +For certain arguments such as saddr = 0xc0a8fd60, daddr = 0xc0a8fda1, +len = 80, proto = 17, sum = 0x7eae049d there will be a carry when +folding the intermediate 64 bit checksum to 32 bit but the code doesn't +add the carry back to the one's complement sum, thus an incorrect result +will be generated. + +Reported-by: Mark Zhang +Signed-off-by: Ralf Baechle +Reviewed-by: James Hogan +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/checksum.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/mips/include/asm/checksum.h ++++ b/arch/mips/include/asm/checksum.h +@@ -186,7 +186,9 @@ static inline __wsum csum_tcpudp_nofold( + " daddu %0, %4 \n" + " dsll32 $1, %0, 0 \n" + " daddu %0, $1 \n" ++ " sltu $1, %0, $1 \n" + " dsra32 %0, %0, 0 \n" ++ " addu %0, $1 \n" + #endif + " .set pop" + : "=r" (sum) diff --git a/queue-4.4/mips-handle-micromips-jumps-in-the-same-way-as-mips32-mips64-jumps.patch b/queue-4.4/mips-handle-micromips-jumps-in-the-same-way-as-mips32-mips64-jumps.patch new file mode 100644 index 00000000000..f6783dd5d20 --- /dev/null +++ b/queue-4.4/mips-handle-micromips-jumps-in-the-same-way-as-mips32-mips64-jumps.patch @@ -0,0 +1,38 @@ +From 096a0de427ea333f56f0ee00328cff2a2731bcf1 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Mon, 7 Nov 2016 15:07:07 +0000 +Subject: MIPS: Handle microMIPS jumps in the same way as MIPS32/MIPS64 jumps + +From: Paul Burton + +commit 096a0de427ea333f56f0ee00328cff2a2731bcf1 upstream. + +is_jump_ins() checks for plain jump ("j") instructions since commit +e7438c4b893e ("MIPS: Fix sibling call handling in get_frame_info") but +that commit didn't make the same change to the microMIPS code, leaving +it inconsistent with the MIPS32/MIPS64 code. Handle the microMIPS +encoding of the jump instruction too such that it behaves consistently. + +Signed-off-by: Paul Burton +Fixes: e7438c4b893e ("MIPS: Fix sibling call handling in get_frame_info") +Cc: Tony Wu +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/14533/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/process.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -289,6 +289,8 @@ static inline int is_jump_ins(union mips + return 0; + } + ++ if (ip->j_format.opcode == mm_j32_op) ++ return 1; + if (ip->j_format.opcode == mm_jal32_op) + return 1; + if (ip->r_format.opcode != mm_pool32a_op || diff --git a/queue-4.4/mips-lantiq-keep-ethernet-enabled-during-boot.patch b/queue-4.4/mips-lantiq-keep-ethernet-enabled-during-boot.patch new file mode 100644 index 00000000000..af51a506aa5 --- /dev/null +++ b/queue-4.4/mips-lantiq-keep-ethernet-enabled-during-boot.patch @@ -0,0 +1,64 @@ +From 774f0c6419bb8f9d83901d33582c7fe3ba6a6cb3 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Thu, 19 Jan 2017 14:20:09 +0100 +Subject: MIPS: Lantiq: Keep ethernet enabled during boot + +From: Felix Fietkau + +commit 774f0c6419bb8f9d83901d33582c7fe3ba6a6cb3 upstream. + +Disabling ethernet during reboot (only to enable it again when the +ethernet driver attaches) can put the chip into a faulty state where it +corrupts the header of all incoming packets. + +This happens if packets arrive during the time window where the core is +disabled, and it can be easily reproduced by rebooting while sending a +flood ping to the broadcast address. + +Fixes: 95135bfa7ead ("MIPS: Lantiq: Deactivate most of the devices by default") +Signed-off-by: Felix Fietkau +Acked-by: John Crispin +Cc: hauke.mehrtens@lantiq.com +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/15078/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/lantiq/xway/sysctrl.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/mips/lantiq/xway/sysctrl.c ++++ b/arch/mips/lantiq/xway/sysctrl.c +@@ -545,7 +545,7 @@ void __init ltq_soc_init(void) + clkdev_add_pmu("1a800000.pcie", "msi", 1, 1, PMU1_PCIE2_MSI); + clkdev_add_pmu("1a800000.pcie", "pdi", 1, 1, PMU1_PCIE2_PDI); + clkdev_add_pmu("1a800000.pcie", "ctl", 1, 1, PMU1_PCIE2_CTL); +- clkdev_add_pmu("1e108000.eth", NULL, 1, 0, PMU_SWITCH | PMU_PPE_DP); ++ clkdev_add_pmu("1e108000.eth", NULL, 0, 0, PMU_SWITCH | PMU_PPE_DP); + clkdev_add_pmu("1da00000.usif", "NULL", 1, 0, PMU_USIF); + clkdev_add_pmu("1e103100.deu", NULL, 1, 0, PMU_DEU); + } else if (of_machine_is_compatible("lantiq,ar10")) { +@@ -553,7 +553,7 @@ void __init ltq_soc_init(void) + ltq_ar10_fpi_hz(), ltq_ar10_pp32_hz()); + clkdev_add_pmu("1e101000.usb", "ctl", 1, 0, PMU_USB0); + clkdev_add_pmu("1e106000.usb", "ctl", 1, 0, PMU_USB1); +- clkdev_add_pmu("1e108000.eth", NULL, 1, 0, PMU_SWITCH | ++ clkdev_add_pmu("1e108000.eth", NULL, 0, 0, PMU_SWITCH | + PMU_PPE_DP | PMU_PPE_TC); + clkdev_add_pmu("1da00000.usif", "NULL", 1, 0, PMU_USIF); + clkdev_add_pmu("1f203000.rcu", "gphy", 1, 0, PMU_GPHY); +@@ -575,11 +575,11 @@ void __init ltq_soc_init(void) + clkdev_add_pmu(NULL, "ahb", 1, 0, PMU_AHBM | PMU_AHBS); + + clkdev_add_pmu("1da00000.usif", "NULL", 1, 0, PMU_USIF); +- clkdev_add_pmu("1e108000.eth", NULL, 1, 0, ++ clkdev_add_pmu("1e108000.eth", NULL, 0, 0, + PMU_SWITCH | PMU_PPE_DPLUS | PMU_PPE_DPLUM | + PMU_PPE_EMA | PMU_PPE_TC | PMU_PPE_SLL01 | + PMU_PPE_QSB | PMU_PPE_TOP); +- clkdev_add_pmu("1f203000.rcu", "gphy", 1, 0, PMU_GPHY); ++ clkdev_add_pmu("1f203000.rcu", "gphy", 0, 0, PMU_GPHY); + clkdev_add_pmu("1e103000.sdio", NULL, 1, 0, PMU_SDIO); + clkdev_add_pmu("1e103100.deu", NULL, 1, 0, PMU_DEU); + clkdev_add_pmu("1e116000.mei", "dfe", 1, 0, PMU_DFE); diff --git a/queue-4.4/mips-octeon-fix-copy_from_user-fault-handling-for-large-buffers.patch b/queue-4.4/mips-octeon-fix-copy_from_user-fault-handling-for-large-buffers.patch new file mode 100644 index 00000000000..0b3c93ecb6d --- /dev/null +++ b/queue-4.4/mips-octeon-fix-copy_from_user-fault-handling-for-large-buffers.patch @@ -0,0 +1,83 @@ +From 884b426917e4b3c85f33b382c792a94305dfdd62 Mon Sep 17 00:00:00 2001 +From: James Cowgill +Date: Mon, 9 Jan 2017 16:52:28 +0000 +Subject: MIPS: OCTEON: Fix copy_from_user fault handling for large buffers + +From: James Cowgill + +commit 884b426917e4b3c85f33b382c792a94305dfdd62 upstream. + +If copy_from_user is called with a large buffer (>= 128 bytes) and the +userspace buffer refers partially to unreadable memory, then it is +possible for Octeon's copy_from_user to report the wrong number of bytes +have been copied. In the case where the buffer size is an exact multiple +of 128 and the fault occurs in the last 64 bytes, copy_from_user will +report that all the bytes were copied successfully but leave some +garbage in the destination buffer. + +The bug is in the main __copy_user_common loop in octeon-memcpy.S where +in the middle of the loop, src and dst are incremented by 128 bytes. The +l_exc_copy fault handler is used after this but that assumes that +"src < THREAD_BUADDR($28)". This is not the case if src has already been +incremented. + +Fix by adding an extra fault handler which rewinds the src and dst +pointers 128 bytes before falling though to l_exc_copy. + +Thanks to the pwritev test from the strace test suite for originally +highlighting this bug! + +Fixes: 5b3b16880f40 ("MIPS: Add Cavium OCTEON processor support ...") +Signed-off-by: James Cowgill +Acked-by: David Daney +Reviewed-by: James Hogan +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/14978/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/cavium-octeon/octeon-memcpy.S | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/arch/mips/cavium-octeon/octeon-memcpy.S ++++ b/arch/mips/cavium-octeon/octeon-memcpy.S +@@ -208,18 +208,18 @@ EXC( STORE t2, UNIT(6)(dst), s_exc_p10u) + ADD src, src, 16*NBYTES + EXC( STORE t3, UNIT(7)(dst), s_exc_p9u) + ADD dst, dst, 16*NBYTES +-EXC( LOAD t0, UNIT(-8)(src), l_exc_copy) +-EXC( LOAD t1, UNIT(-7)(src), l_exc_copy) +-EXC( LOAD t2, UNIT(-6)(src), l_exc_copy) +-EXC( LOAD t3, UNIT(-5)(src), l_exc_copy) ++EXC( LOAD t0, UNIT(-8)(src), l_exc_copy_rewind16) ++EXC( LOAD t1, UNIT(-7)(src), l_exc_copy_rewind16) ++EXC( LOAD t2, UNIT(-6)(src), l_exc_copy_rewind16) ++EXC( LOAD t3, UNIT(-5)(src), l_exc_copy_rewind16) + EXC( STORE t0, UNIT(-8)(dst), s_exc_p8u) + EXC( STORE t1, UNIT(-7)(dst), s_exc_p7u) + EXC( STORE t2, UNIT(-6)(dst), s_exc_p6u) + EXC( STORE t3, UNIT(-5)(dst), s_exc_p5u) +-EXC( LOAD t0, UNIT(-4)(src), l_exc_copy) +-EXC( LOAD t1, UNIT(-3)(src), l_exc_copy) +-EXC( LOAD t2, UNIT(-2)(src), l_exc_copy) +-EXC( LOAD t3, UNIT(-1)(src), l_exc_copy) ++EXC( LOAD t0, UNIT(-4)(src), l_exc_copy_rewind16) ++EXC( LOAD t1, UNIT(-3)(src), l_exc_copy_rewind16) ++EXC( LOAD t2, UNIT(-2)(src), l_exc_copy_rewind16) ++EXC( LOAD t3, UNIT(-1)(src), l_exc_copy_rewind16) + EXC( STORE t0, UNIT(-4)(dst), s_exc_p4u) + EXC( STORE t1, UNIT(-3)(dst), s_exc_p3u) + EXC( STORE t2, UNIT(-2)(dst), s_exc_p2u) +@@ -383,6 +383,10 @@ done: + nop + END(memcpy) + ++l_exc_copy_rewind16: ++ /* Rewind src and dst by 16*NBYTES for l_exc_copy */ ++ SUB src, src, 16*NBYTES ++ SUB dst, dst, 16*NBYTES + l_exc_copy: + /* + * Copy bytes from src until faulting load address (or until a diff --git a/queue-4.4/mips-prevent-unaligned-accesses-during-stack-unwinding.patch b/queue-4.4/mips-prevent-unaligned-accesses-during-stack-unwinding.patch new file mode 100644 index 00000000000..6d64d02d674 --- /dev/null +++ b/queue-4.4/mips-prevent-unaligned-accesses-during-stack-unwinding.patch @@ -0,0 +1,164 @@ +From a3552dace7d1d0cabf573e88fc3025cb90c4a601 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Mon, 7 Nov 2016 15:07:03 +0000 +Subject: MIPS: Prevent unaligned accesses during stack unwinding + +From: Paul Burton + +commit a3552dace7d1d0cabf573e88fc3025cb90c4a601 upstream. + +During stack unwinding we call a number of functions to determine what +type of instruction we're looking at. The union mips_instruction pointer +provided to them may be pointing at a 2 byte, but not 4 byte, aligned +address & we thus cannot directly access the 4 byte wide members of the +union mips_instruction. To avoid this is_ra_save_ins() copies the +required half-words of the microMIPS instruction to a correctly aligned +union mips_instruction on the stack, which it can then access safely. +The is_jump_ins() & is_sp_move_ins() functions do not correctly perform +this temporary copy, and instead attempt to directly dereference 4 byte +fields which may be misaligned and lead to an address exception. + +Fix this by copying the instruction halfwords to a temporary union +mips_instruction in get_frame_info() such that we can provide a 4 byte +aligned union mips_instruction to the is_*_ins() functions and they do +not need to deal with misalignment themselves. + +Signed-off-by: Paul Burton +Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.") +Cc: Leonid Yegoshin +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/14529/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/process.c | 70 ++++++++++++++++++++++----------------------- + 1 file changed, 35 insertions(+), 35 deletions(-) + +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -194,8 +194,6 @@ struct mips_frame_info { + static inline int is_ra_save_ins(union mips_instruction *ip) + { + #ifdef CONFIG_CPU_MICROMIPS +- union mips_instruction mmi; +- + /* + * swsp ra,offset + * swm16 reglist,offset(sp) +@@ -205,23 +203,20 @@ static inline int is_ra_save_ins(union m + * + * microMIPS is way more fun... + */ +- if (mm_insn_16bit(ip->halfword[0])) { +- mmi.word = (ip->halfword[0] << 16); +- return (mmi.mm16_r5_format.opcode == mm_swsp16_op && +- mmi.mm16_r5_format.rt == 31) || +- (mmi.mm16_m_format.opcode == mm_pool16c_op && +- mmi.mm16_m_format.func == mm_swm16_op); ++ if (mm_insn_16bit(ip->halfword[1])) { ++ return (ip->mm16_r5_format.opcode == mm_swsp16_op && ++ ip->mm16_r5_format.rt == 31) || ++ (ip->mm16_m_format.opcode == mm_pool16c_op && ++ ip->mm16_m_format.func == mm_swm16_op); + } + else { +- mmi.halfword[0] = ip->halfword[1]; +- mmi.halfword[1] = ip->halfword[0]; +- return (mmi.mm_m_format.opcode == mm_pool32b_op && +- mmi.mm_m_format.rd > 9 && +- mmi.mm_m_format.base == 29 && +- mmi.mm_m_format.func == mm_swm32_func) || +- (mmi.i_format.opcode == mm_sw32_op && +- mmi.i_format.rs == 29 && +- mmi.i_format.rt == 31); ++ return (ip->mm_m_format.opcode == mm_pool32b_op && ++ ip->mm_m_format.rd > 9 && ++ ip->mm_m_format.base == 29 && ++ ip->mm_m_format.func == mm_swm32_func) || ++ (ip->i_format.opcode == mm_sw32_op && ++ ip->i_format.rs == 29 && ++ ip->i_format.rt == 31); + } + #else + /* sw / sd $ra, offset($sp) */ +@@ -242,12 +237,8 @@ static inline int is_jump_ins(union mips + * + * microMIPS is kind of more fun... + */ +- union mips_instruction mmi; +- +- mmi.word = (ip->halfword[0] << 16); +- +- if ((mmi.mm16_r5_format.opcode == mm_pool16c_op && +- (mmi.mm16_r5_format.rt & mm_jr16_op) == mm_jr16_op) || ++ if ((ip->mm16_r5_format.opcode == mm_pool16c_op && ++ (ip->mm16_r5_format.rt & mm_jr16_op) == mm_jr16_op) || + ip->j_format.opcode == mm_jal32_op) + return 1; + if (ip->r_format.opcode != mm_pool32a_op || +@@ -276,15 +267,13 @@ static inline int is_sp_move_ins(union m + * + * microMIPS is not more fun... + */ +- if (mm_insn_16bit(ip->halfword[0])) { +- union mips_instruction mmi; +- +- mmi.word = (ip->halfword[0] << 16); +- return (mmi.mm16_r3_format.opcode == mm_pool16d_op && +- mmi.mm16_r3_format.simmediate && mm_addiusp_func) || +- (mmi.mm16_r5_format.opcode == mm_pool16d_op && +- mmi.mm16_r5_format.rt == 29); ++ if (mm_insn_16bit(ip->halfword[1])) { ++ return (ip->mm16_r3_format.opcode == mm_pool16d_op && ++ ip->mm16_r3_format.simmediate && mm_addiusp_func) || ++ (ip->mm16_r5_format.opcode == mm_pool16d_op && ++ ip->mm16_r5_format.rt == 29); + } ++ + return ip->mm_i_format.opcode == mm_addiu32_op && + ip->mm_i_format.rt == 29 && ip->mm_i_format.rs == 29; + #else +@@ -299,7 +288,8 @@ static inline int is_sp_move_ins(union m + + static int get_frame_info(struct mips_frame_info *info) + { +- union mips_instruction *ip; ++ bool is_mmips = IS_ENABLED(CONFIG_CPU_MICROMIPS); ++ union mips_instruction insn, *ip; + unsigned max_insns = info->func_size / sizeof(union mips_instruction); + unsigned i; + +@@ -315,11 +305,21 @@ static int get_frame_info(struct mips_fr + max_insns = min(128U, max_insns); + + for (i = 0; i < max_insns; i++, ip++) { ++ if (is_mmips && mm_insn_16bit(ip->halfword[0])) { ++ insn.halfword[0] = 0; ++ insn.halfword[1] = ip->halfword[0]; ++ } else if (is_mmips) { ++ insn.halfword[0] = ip->halfword[1]; ++ insn.halfword[1] = ip->halfword[0]; ++ } else { ++ insn.word = ip->word; ++ } + +- if (is_jump_ins(ip)) ++ if (is_jump_ins(&insn)) + break; ++ + if (!info->frame_size) { +- if (is_sp_move_ins(ip)) ++ if (is_sp_move_ins(&insn)) + { + #ifdef CONFIG_CPU_MICROMIPS + if (mm_insn_16bit(ip->halfword[0])) +@@ -342,7 +342,7 @@ static int get_frame_info(struct mips_fr + } + continue; + } +- if (info->pc_offset == -1 && is_ra_save_ins(ip)) { ++ if (info->pc_offset == -1 && is_ra_save_ins(&insn)) { + info->pc_offset = + ip->i_format.simmediate / sizeof(long); + break; diff --git a/queue-4.4/uvcvideo-fix-a-wrong-macro.patch b/queue-4.4/uvcvideo-fix-a-wrong-macro.patch new file mode 100644 index 00000000000..749757855d9 --- /dev/null +++ b/queue-4.4/uvcvideo-fix-a-wrong-macro.patch @@ -0,0 +1,33 @@ +From 17c341ec0115837a610b2da15e32546e26068234 Mon Sep 17 00:00:00 2001 +From: Guennadi Liakhovetski +Date: Mon, 12 Dec 2016 09:16:51 -0200 +Subject: [media] uvcvideo: Fix a wrong macro + +From: Guennadi Liakhovetski + +commit 17c341ec0115837a610b2da15e32546e26068234 upstream. + +Don't mix up UVC_BUF_STATE_* and VB2_BUF_STATE_* codes. + +Fixes: 6998b6fb4b1c ("[media] uvcvideo: Use videobuf2-vmalloc") + +Signed-off-by: Guennadi Liakhovetski +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/uvc/uvc_queue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/usb/uvc/uvc_queue.c ++++ b/drivers/media/usb/uvc/uvc_queue.c +@@ -416,7 +416,7 @@ struct uvc_buffer *uvc_queue_next_buffer + nextbuf = NULL; + spin_unlock_irqrestore(&queue->irqlock, flags); + +- buf->state = buf->error ? VB2_BUF_STATE_ERROR : UVC_BUF_STATE_DONE; ++ buf->state = buf->error ? UVC_BUF_STATE_ERROR : UVC_BUF_STATE_DONE; + vb2_set_plane_payload(&buf->buf.vb2_buf, 0, buf->bytesused); + vb2_buffer_done(&buf->buf.vb2_buf, VB2_BUF_STATE_DONE); +