From 8e5336b35f7f10ee9fa97c0a5df510d08fa07c61 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 7 Jan 2019 09:54:22 +0100 Subject: [PATCH] 4.19-stable patches added patches: f2fs-fix-validation-of-the-block-count-in-sanity_check_raw_super.patch f2fs-read-page-index-before-freeing.patch f2fs-sanity-check-of-xattr-entry-size.patch media-cec-keep-track-of-outstanding-transmits.patch media-cec-pin-fix-broken-tx_ignore_nack_until_eom-error-injection.patch media-imx274-fix-stack-corruption-in-imx274_read_reg.patch media-rc-cec-devices-do-not-have-a-lirc-chardev.patch media-v4l2-tpg-array-index-could-become-negative.patch media-vb2-check-memory-model-for-vidioc_create_bufs.patch media-vivid-free-bitmap_cap-when-updating-std-timings-etc.patch mips-align-kernel-load-address-to-64kb.patch mips-c-r4k-add-r4k_blast_scache_node-for-loongson-3.patch mips-ensure-pmd_present-returns-false-after-pmd_mknotpresent.patch mips-expand-mips32-asids-to-64-bits.patch mips-fix-a-r10000_llsc_war-logic-in-atomic.h.patch mips-math-emu-write-protect-delay-slot-emulation-pages.patch mips-octeon-mark-rgmii-interface-disabled-on-octeon-iii.patch serial-uartps-fix-interrupt-mask-issue-to-handle-the-rx-interrupts-properly.patch tools-lib-traceevent-fix-processing-of-dereferenced-args-in-bprintk-events.patch --- ...lock-count-in-sanity_check_raw_super.patch | 57 ++++++ .../f2fs-read-page-index-before-freeing.patch | 47 +++++ ...2fs-sanity-check-of-xattr-entry-size.patch | 85 ++++++++ ...-keep-track-of-outstanding-transmits.patch | 163 +++++++++++++++ ...gnore_nack_until_eom-error-injection.patch | 43 ++++ ...-stack-corruption-in-imx274_read_reg.patch | 49 +++++ ...c-devices-do-not-have-a-lirc-chardev.patch | 79 ++++++++ ...pg-array-index-could-become-negative.patch | 33 +++ ...-memory-model-for-vidioc_create_bufs.patch | 35 ++++ ...ap_cap-when-updating-std-timings-etc.patch | 33 +++ ...ps-align-kernel-load-address-to-64kb.patch | 57 ++++++ ...r4k_blast_scache_node-for-loongson-3.patch | 191 ++++++++++++++++++ ...returns-false-after-pmd_mknotpresent.patch | 44 
++++ .../mips-expand-mips32-asids-to-64-bits.patch | 150 ++++++++++++++ ...-a-r10000_llsc_war-logic-in-atomic.h.patch | 40 ++++ ...e-protect-delay-slot-emulation-pages.patch | 125 ++++++++++++ ...mii-interface-disabled-on-octeon-iii.patch | 46 +++++ ...to-handle-the-rx-interrupts-properly.patch | 42 ++++ queue-4.19/series | 19 ++ ...-dereferenced-args-in-bprintk-events.patch | 38 ++++ 20 files changed, 1376 insertions(+) create mode 100644 queue-4.19/f2fs-fix-validation-of-the-block-count-in-sanity_check_raw_super.patch create mode 100644 queue-4.19/f2fs-read-page-index-before-freeing.patch create mode 100644 queue-4.19/f2fs-sanity-check-of-xattr-entry-size.patch create mode 100644 queue-4.19/media-cec-keep-track-of-outstanding-transmits.patch create mode 100644 queue-4.19/media-cec-pin-fix-broken-tx_ignore_nack_until_eom-error-injection.patch create mode 100644 queue-4.19/media-imx274-fix-stack-corruption-in-imx274_read_reg.patch create mode 100644 queue-4.19/media-rc-cec-devices-do-not-have-a-lirc-chardev.patch create mode 100644 queue-4.19/media-v4l2-tpg-array-index-could-become-negative.patch create mode 100644 queue-4.19/media-vb2-check-memory-model-for-vidioc_create_bufs.patch create mode 100644 queue-4.19/media-vivid-free-bitmap_cap-when-updating-std-timings-etc.patch create mode 100644 queue-4.19/mips-align-kernel-load-address-to-64kb.patch create mode 100644 queue-4.19/mips-c-r4k-add-r4k_blast_scache_node-for-loongson-3.patch create mode 100644 queue-4.19/mips-ensure-pmd_present-returns-false-after-pmd_mknotpresent.patch create mode 100644 queue-4.19/mips-expand-mips32-asids-to-64-bits.patch create mode 100644 queue-4.19/mips-fix-a-r10000_llsc_war-logic-in-atomic.h.patch create mode 100644 queue-4.19/mips-math-emu-write-protect-delay-slot-emulation-pages.patch create mode 100644 queue-4.19/mips-octeon-mark-rgmii-interface-disabled-on-octeon-iii.patch create mode 100644 
queue-4.19/serial-uartps-fix-interrupt-mask-issue-to-handle-the-rx-interrupts-properly.patch create mode 100644 queue-4.19/tools-lib-traceevent-fix-processing-of-dereferenced-args-in-bprintk-events.patch diff --git a/queue-4.19/f2fs-fix-validation-of-the-block-count-in-sanity_check_raw_super.patch b/queue-4.19/f2fs-fix-validation-of-the-block-count-in-sanity_check_raw_super.patch new file mode 100644 index 00000000000..95c6f2b72dd --- /dev/null +++ b/queue-4.19/f2fs-fix-validation-of-the-block-count-in-sanity_check_raw_super.patch 
@@ -0,0 +1,57 @@
+From 88960068f25fcc3759455d85460234dcc9d43fef Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl
+Date: Sat, 22 Dec 2018 11:22:26 +0100
+Subject: f2fs: fix validation of the block count in sanity_check_raw_super
+
+From: Martin Blumenstingl
+
+commit 88960068f25fcc3759455d85460234dcc9d43fef upstream.
+
+Treat "block_count" from struct f2fs_super_block as 64-bit little endian
+value in sanity_check_raw_super() because struct f2fs_super_block
+declares "block_count" as "__le64".
+
+This fixes a bug where the superblock validation fails on big endian
+devices with the following error:
+ F2FS-fs (sda1): Wrong segment_count / block_count (61439 > 0)
+ F2FS-fs (sda1): Can't find valid F2FS filesystem in 1th superblock
+ F2FS-fs (sda1): Wrong segment_count / block_count (61439 > 0)
+ F2FS-fs (sda1): Can't find valid F2FS filesystem in 2th superblock
+As result of this the partition cannot be mounted.
+
+With this patch applied the superblock validation works fine and the
+partition can be mounted again:
+ F2FS-fs (sda1): Mounted with checkpoint version = 7c84
+
+My little endian x86-64 hardware was able to mount the partition without
+this fix.
+To confirm that mounting f2fs filesystems works on big endian machines
+again I tested this on a 32-bit MIPS big endian (lantiq) device.
+
+Fixes: 0cfe75c5b01199 ("f2fs: enhance sanity_check_raw_super() to avoid potential overflows")
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Blumenstingl
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/f2fs/super.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -2267,10 +2267,10 @@ static int sanity_check_raw_super(struct
+ return 1;
+ }
+
+- if (segment_count > (le32_to_cpu(raw_super->block_count) >> 9)) {
++ if (segment_count > (le64_to_cpu(raw_super->block_count) >> 9)) {
+ f2fs_msg(sb, KERN_INFO,
+- "Wrong segment_count / block_count (%u > %u)",
+- segment_count, le32_to_cpu(raw_super->block_count));
++ "Wrong segment_count / block_count (%u > %llu)",
++ segment_count, le64_to_cpu(raw_super->block_count));
+ return 1;
+ }
+
diff --git a/queue-4.19/f2fs-read-page-index-before-freeing.patch b/queue-4.19/f2fs-read-page-index-before-freeing.patch
new file mode 100644
index 00000000000..32a25ad4f3c
--- /dev/null
+++ b/queue-4.19/f2fs-read-page-index-before-freeing.patch
@@ -0,0 +1,47 @@
+From 0ea295dd853e0879a9a30ab61f923c26be35b902 Mon Sep 17 00:00:00 2001
+From: Pan Bian
+Date: Thu, 22 Nov 2018 18:58:46 +0800
+Subject: f2fs: read page index before freeing
+
+From: Pan Bian
+
+commit 0ea295dd853e0879a9a30ab61f923c26be35b902 upstream.
+
+The function truncate_node frees the page with f2fs_put_page. However,
+the page index is read after that. So, the patch reads the index before
+freeing the page.
+
+Fixes: bf39c00a9a7f ("f2fs: drop obsolete node page when it is truncated")
+Cc:
+Signed-off-by: Pan Bian
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/f2fs/node.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -827,6 +827,7 @@ static int truncate_node(struct dnode_of
+ struct f2fs_sb_info *sbi = F2FS_I_SB(dn->inode);
+ struct node_info ni;
+ int err;
++ pgoff_t index;
+
+ err = f2fs_get_node_info(sbi, dn->nid, &ni);
+ if (err)
+@@ -846,10 +847,11 @@ static int truncate_node(struct dnode_of
+ clear_node_page_dirty(dn->node_page);
+ set_sbi_flag(sbi, SBI_IS_DIRTY);
+
++ index = dn->node_page->index;
+ f2fs_put_page(dn->node_page, 1);
+
+ invalidate_mapping_pages(NODE_MAPPING(sbi),
+- dn->node_page->index, dn->node_page->index);
++ index, index);
+
+ dn->node_page = NULL;
+ trace_f2fs_truncate_node(dn->inode, dn->nid, ni.blk_addr);
diff --git a/queue-4.19/f2fs-sanity-check-of-xattr-entry-size.patch b/queue-4.19/f2fs-sanity-check-of-xattr-entry-size.patch
new file mode 100644
index 00000000000..19f21dff29e
--- /dev/null
+++ b/queue-4.19/f2fs-sanity-check-of-xattr-entry-size.patch
@@ -0,0 +1,85 @@ +From 64beba0558fce7b59e9a8a7afd77290e82a22163 Mon Sep 17 00:00:00 2001 +From: Jaegeuk Kim +Date: Wed, 26 Dec 2018 19:54:07 -0800 +Subject: f2fs: sanity check of xattr entry size + +From: Jaegeuk Kim + +commit 64beba0558fce7b59e9a8a7afd77290e82a22163 upstream. + +There is a security report where f2fs_getxattr() has a hole to expose wrong +memory region when the image is malformed like this. + +f2fs_getxattr: entry->e_name_len: 4, size: 12288, buffer_size: 16384, len: 4 + +Cc: +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman + +--- + fs/f2fs/xattr.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/fs/f2fs/xattr.c ++++ b/fs/f2fs/xattr.c +@@ -291,7 +291,7 @@ static int read_xattr_block(struct inode + static int lookup_all_xattrs(struct inode *inode, struct page *ipage, + unsigned int index, unsigned int len, + const char *name, struct f2fs_xattr_entry **xe, +- void **base_addr) ++ void **base_addr, int *base_size) + { + void *cur_addr, *txattr_addr, *last_addr = NULL; + nid_t xnid = F2FS_I(inode)->i_xattr_nid; +@@ -302,8 +302,8 @@ static int lookup_all_xattrs(struct inod + if (!size && !inline_size) + return -ENODATA; + +- txattr_addr = f2fs_kzalloc(F2FS_I_SB(inode), +- inline_size + size + XATTR_PADDING_SIZE, GFP_NOFS); ++ *base_size = inline_size + size + XATTR_PADDING_SIZE; ++ txattr_addr = f2fs_kzalloc(F2FS_I_SB(inode), *base_size, GFP_NOFS); + if (!txattr_addr) + return -ENOMEM; + +@@ -315,8 +315,10 @@ static int lookup_all_xattrs(struct inod + + *xe = __find_inline_xattr(inode, txattr_addr, &last_addr, + index, len, name); +- if (*xe) ++ if (*xe) { ++ *base_size = inline_size; + goto check; ++ } + } + + /* read from xattr node block */ +@@ -477,6 +479,7 @@ int f2fs_getxattr(struct inode *inode, i + int error = 0; + unsigned int size, len; + void *base_addr = NULL; ++ int base_size; + + if (name == NULL) + return -EINVAL; +@@ -487,7 +490,7 @@ int f2fs_getxattr(struct inode *inode, i + + 
down_read(&F2FS_I(inode)->i_xattr_sem); + error = lookup_all_xattrs(inode, ipage, index, len, name, +- &entry, &base_addr); ++ &entry, &base_addr, &base_size); + up_read(&F2FS_I(inode)->i_xattr_sem); + if (error) + return error; +@@ -501,6 +504,11 @@ int f2fs_getxattr(struct inode *inode, i + + if (buffer) { + char *pval = entry->e_name + entry->e_name_len; ++ ++ if (base_size - (pval - (char *)base_addr) < size) { ++ error = -ERANGE; ++ goto out; ++ } + memcpy(buffer, pval, size); + } + error = size; diff --git a/queue-4.19/media-cec-keep-track-of-outstanding-transmits.patch b/queue-4.19/media-cec-keep-track-of-outstanding-transmits.patch new file mode 100644 index 00000000000..223f2d0763e --- /dev/null +++ b/queue-4.19/media-cec-keep-track-of-outstanding-transmits.patch 
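Review bot: The new bounds check in f2fs_getxattr(), `base_size - (pval - (char *)base_addr) < size`, mixes a signed `int`, a pointer difference and the unsigned `size`, so its outcome depends on the usual arithmetic conversions. If the on-disk `e_name_len` puts `pval` beyond `base_size`, the left side is negative; where the pointer difference is only as wide as `int` the comparison is done unsigned, the negative value wraps to a large number, and the check passes straight into the memcpy(). Computing the offset once and testing both bounds avoids that, e.g. `if (off > base_size || size > base_size - off)` with `off` the unsigned offset of `pval` from `base_addr`. Whether the lookup helpers already guarantee that the name lies inside the buffer is not visible in these hunks, and both function bodies continue outside them.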
@@ -0,0 +1,163 @@ +From 32804fcb612bf867034a093f459415e485cf044b Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Fri, 19 Oct 2018 03:55:34 -0400 +Subject: media: cec: keep track of outstanding transmits + +From: Hans Verkuil + +commit 32804fcb612bf867034a093f459415e485cf044b upstream. + +I noticed that repeatedly running 'cec-ctl --playback' would occasionally +select 'Playback Device 2' instead of 'Playback Device 1', even though there +were no other Playback devices in the HDMI topology. This happened both with +'real' hardware and with the vivid CEC emulation, suggesting that this was an +issue in the core code that claims a logical address. + +What 'cec-ctl --playback' does is to first clear all existing logical addresses, +and immediately after that configure the new desired device type. + +The core code will poll the logical addresses trying to find a free address. +When found it will issue a few standard messages as per the CEC spec and return. +Those messages are queued up and will be transmitted asynchronously. + +What happens is that if you run two 'cec-ctl --playback' commands in quick +succession, there is still a message of the first cec-ctl command being transmitted +when you reconfigure the adapter again in the second cec-ctl command. + +When the logical addresses are cleared, then all information about outstanding +transmits inside the CEC core is also cleared, and the core is no longer aware +that there is still a transmit in flight. + +When the hardware finishes the transmit it calls transmit_done and the CEC core +thinks it is actually in response of a POLL messages that is trying to find a +free logical address. The result of all this is that the core thinks that the +logical address for Playback Device 1 is in use, when it is really an earlier +transmit that ended. + +The main transmit thread looks at adap->transmitting to check if a transmit +is in progress, but that is set to NULL when the adapter is unconfigured. 
+adap->transmitting represents the view of userspace, not that of the hardware. +So when unconfiguring the adapter the message is marked aborted from the point +of view of userspace, but seen from the PoV of the hardware it is still ongoing. + +So introduce a new bool transmit_in_progress that represents the hardware state +and use that instead of adap->transmitting. Now the CEC core waits until the +hardware finishes the transmit before starting a new transmit. + +Signed-off-by: Hans Verkuil +Cc: # for v4.18 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/cec/cec-adap.c | 27 ++++++++++++++++++--------- + include/media/cec.h | 1 + + 2 files changed, 19 insertions(+), 9 deletions(-) + +--- a/drivers/media/cec/cec-adap.c ++++ b/drivers/media/cec/cec-adap.c +@@ -442,7 +442,7 @@ int cec_thread_func(void *_adap) + (adap->needs_hpd && + (!adap->is_configured && !adap->is_configuring)) || + kthread_should_stop() || +- (!adap->transmitting && ++ (!adap->transmit_in_progress && + !list_empty(&adap->transmit_queue)), + msecs_to_jiffies(CEC_XFER_TIMEOUT_MS)); + timeout = err == 0; +@@ -450,7 +450,7 @@ int cec_thread_func(void *_adap) + /* Otherwise we just wait for something to happen. */ + wait_event_interruptible(adap->kthread_waitq, + kthread_should_stop() || +- (!adap->transmitting && ++ (!adap->transmit_in_progress && + !list_empty(&adap->transmit_queue))); + } + +@@ -475,6 +475,7 @@ int cec_thread_func(void *_adap) + pr_warn("cec-%s: message %*ph timed out\n", adap->name, + adap->transmitting->msg.len, + adap->transmitting->msg.msg); ++ adap->transmit_in_progress = false; + adap->tx_timeouts++; + /* Just give up on this. */ + cec_data_cancel(adap->transmitting, +@@ -486,7 +487,7 @@ int cec_thread_func(void *_adap) + * If we are still transmitting, or there is nothing new to + * transmit, then just continue waiting. 
+ */ +- if (adap->transmitting || list_empty(&adap->transmit_queue)) ++ if (adap->transmit_in_progress || list_empty(&adap->transmit_queue)) + goto unlock; + + /* Get a new message to transmit */ +@@ -532,6 +533,8 @@ int cec_thread_func(void *_adap) + if (adap->ops->adap_transmit(adap, data->attempts, + signal_free_time, &data->msg)) + cec_data_cancel(data, CEC_TX_STATUS_ABORTED); ++ else ++ adap->transmit_in_progress = true; + + unlock: + mutex_unlock(&adap->lock); +@@ -562,14 +565,17 @@ void cec_transmit_done_ts(struct cec_ada + data = adap->transmitting; + if (!data) { + /* +- * This can happen if a transmit was issued and the cable is ++ * This might happen if a transmit was issued and the cable is + * unplugged while the transmit is ongoing. Ignore this + * transmit in that case. + */ +- dprintk(1, "%s was called without an ongoing transmit!\n", +- __func__); +- goto unlock; ++ if (!adap->transmit_in_progress) ++ dprintk(1, "%s was called without an ongoing transmit!\n", ++ __func__); ++ adap->transmit_in_progress = false; ++ goto wake_thread; + } ++ adap->transmit_in_progress = false; + + msg = &data->msg; + +@@ -635,7 +641,6 @@ wake_thread: + * for transmitting or to retry the current message. 
+ */ + wake_up_interruptible(&adap->kthread_waitq); +-unlock: + mutex_unlock(&adap->lock); + } + EXPORT_SYMBOL_GPL(cec_transmit_done_ts); +@@ -1483,8 +1488,11 @@ void __cec_s_phys_addr(struct cec_adapte + if (adap->monitor_all_cnt) + WARN_ON(call_op(adap, adap_monitor_all_enable, false)); + mutex_lock(&adap->devnode.lock); +- if (adap->needs_hpd || list_empty(&adap->devnode.fhs)) ++ if (adap->needs_hpd || list_empty(&adap->devnode.fhs)) { + WARN_ON(adap->ops->adap_enable(adap, false)); ++ adap->transmit_in_progress = false; ++ wake_up_interruptible(&adap->kthread_waitq); ++ } + mutex_unlock(&adap->devnode.lock); + if (phys_addr == CEC_PHYS_ADDR_INVALID) + return; +@@ -1492,6 +1500,7 @@ void __cec_s_phys_addr(struct cec_adapte + + mutex_lock(&adap->devnode.lock); + adap->last_initiator = 0xff; ++ adap->transmit_in_progress = false; + + if ((adap->needs_hpd || list_empty(&adap->devnode.fhs)) && + adap->ops->adap_enable(adap, true)) { +--- a/include/media/cec.h ++++ b/include/media/cec.h +@@ -155,6 +155,7 @@ struct cec_adapter { + unsigned int transmit_queue_sz; + struct list_head wait_queue; + struct cec_data *transmitting; ++ bool transmit_in_progress; + + struct task_struct *kthread_config; + struct completion config_completion; diff --git a/queue-4.19/media-cec-pin-fix-broken-tx_ignore_nack_until_eom-error-injection.patch b/queue-4.19/media-cec-pin-fix-broken-tx_ignore_nack_until_eom-error-injection.patch new file mode 100644 index 00000000000..793b62ffc29 --- /dev/null +++ b/queue-4.19/media-cec-pin-fix-broken-tx_ignore_nack_until_eom-error-injection.patch 
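Review bot: `transmit_in_progress` is added to struct cec_adapter in include/media/cec.h directly below `transmitting`, and the hunk adds no documentation for it, so the difference between the two lives only in the commit message. A one-line comment on the field would keep that in the code, e.g. `/* hardware is still busy with a transmit; can stay true after ->transmitting was cleared */`. The flag is also cleared in __cec_s_phys_addr() inside a region bracketed by `adap->devnode.lock`, while cec_thread_func() and cec_transmit_done_ts() change it before `mutex_unlock(&adap->lock)`. The comment should name the lock that protects the field, since the callers' locking is not visible in these hunks.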
@@ -0,0 +1,43 @@
+From ac791f19a273a7fe254a7596f193af6534582a9f Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Wed, 14 Nov 2018 03:37:53 -0500
+Subject: media: cec-pin: fix broken tx_ignore_nack_until_eom error injection
+
+From: Hans Verkuil
+
+commit ac791f19a273a7fe254a7596f193af6534582a9f upstream.
+
+If the tx_ignore_nack_until_eom error injection was activated,
+then tx_nacked was never set instead of setting it when the last
+byte of the message was transmitted.
+
+As a result the transmit was marked as OK, when it should have
+been NACKed.
+
+Modify the condition so that it always sets tx_nacked when the
+last byte of the message was transmitted.
+
+Signed-off-by: Hans Verkuil
+Cc: # for v4.17 and up
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/cec/cec-pin.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/cec/cec-pin.c
++++ b/drivers/media/cec/cec-pin.c
+@@ -601,8 +601,9 @@ static void cec_pin_tx_states(struct cec
+ break;
+ /* Was the message ACKed? */
+ ack = cec_msg_is_broadcast(&pin->tx_msg) ? v : !v;
+- if (!ack && !pin->tx_ignore_nack_until_eom &&
+- pin->tx_bit / 10 < pin->tx_msg.len && !pin->tx_post_eom) {
++ if (!ack && (!pin->tx_ignore_nack_until_eom ||
++ pin->tx_bit / 10 == pin->tx_msg.len - 1) &&
++ !pin->tx_post_eom) {
+ /*
+ * Note: the CEC spec is ambiguous regarding
+ * what action to take when a NACK appears
diff --git a/queue-4.19/media-imx274-fix-stack-corruption-in-imx274_read_reg.patch b/queue-4.19/media-imx274-fix-stack-corruption-in-imx274_read_reg.patch
new file mode 100644
index 00000000000..8164d24f889
--- /dev/null
+++ b/queue-4.19/media-imx274-fix-stack-corruption-in-imx274_read_reg.patch
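Review bot: The rewritten condition in cec_pin_tx_states() no longer applies the `pin->tx_bit / 10 < pin->tx_msg.len` bound when `tx_ignore_nack_until_eom` is off, which goes beyond what the commit message describes. Before the change a NACK was only counted while the bit position was inside the message. If `!pin->tx_post_eom` already implies that bound, a short comment saying so would help; otherwise the bound should be kept for the normal path. `pin->tx_msg.len - 1` also relies on `len` being non-zero at this point, which the hunk does not show. The function body starts and ends outside the hunk.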
@@ -0,0 +1,49 @@
+From cea8c0077d6cf3a0cea2f18a8e914af78d46b2ff Mon Sep 17 00:00:00 2001
+From: Luca Ceresoli
+Date: Mon, 26 Nov 2018 11:35:07 -0500
+Subject: media: imx274: fix stack corruption in imx274_read_reg
+
+From: Luca Ceresoli
+
+commit cea8c0077d6cf3a0cea2f18a8e914af78d46b2ff upstream.
+
+imx274_read_reg() takes a u8 pointer ("reg") and casts it to pass it
+to regmap_read(), which takes an unsigned int pointer. This results in
+a corrupted stack and random crashes.
+
+Fixes: 0985dd306f72 ("media: imx274: V4l2 driver for Sony imx274 CMOS sensor")
+
+Cc: stable@vger.kernel.org # for 4.15 and up
+Signed-off-by: Luca Ceresoli
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/i2c/imx274.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/i2c/imx274.c
++++ b/drivers/media/i2c/imx274.c
+@@ -636,16 +636,19 @@ static int imx274_write_table(struct sti
+
+ static inline int imx274_read_reg(struct stimx274 *priv, u16 addr, u8 *val)
+ {
++ unsigned int uint_val;
+ int err;
+
+- err = regmap_read(priv->regmap, addr, (unsigned int *)val);
++ err = regmap_read(priv->regmap, addr, &uint_val);
+ if (err)
+ dev_err(&priv->client->dev,
+ "%s : i2c read failed, addr = %x\n", __func__, addr);
+ else
+ dev_dbg(&priv->client->dev,
+ "%s : addr 0x%x, val=0x%x\n", __func__,
+- addr, *val);
++ addr, uint_val);
++
++ *val = uint_val;
+ return err;
+ }
+
diff --git a/queue-4.19/media-rc-cec-devices-do-not-have-a-lirc-chardev.patch b/queue-4.19/media-rc-cec-devices-do-not-have-a-lirc-chardev.patch
new file mode 100644
index 00000000000..3de64291eff
--- /dev/null
+++ b/queue-4.19/media-rc-cec-devices-do-not-have-a-lirc-chardev.patch
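Review bot: `*val = uint_val;` in imx274_read_reg() also runs on the error path, where `uint_val` has never been written if regmap_read() fails before storing a value, so an uninitialised stack value is copied out to the caller. Either initialise it, `unsigned int uint_val = 0;`, or move the store into the success branch so that `*val` is left untouched on error. The assignment also silently truncates the register value to 8 bits, which is presumably intended for this sensor's registers but deserves a short comment.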
@@ -0,0 +1,79 @@ +From e5bb9d3d755f128956ed467ae50b41d22bb680c6 Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Mon, 22 Oct 2018 05:01:50 -0400 +Subject: media: rc: cec devices do not have a lirc chardev +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Young + +commit e5bb9d3d755f128956ed467ae50b41d22bb680c6 upstream. + +This fixes an oops in ir_lirc_scancode_event(). + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000038 +PGD 0 P4D 0 +Oops: 0000 [#1] SMP PTI +CPU: 9 PID: 27687 Comm: kworker/9:2 Tainted: P           OE 4.18.12-200.fc28.x86_64 #1 +Hardware name: Supermicro C7X99-OCE-F/C7X99-OCE-F, BIOS 2.1a 06/15/2018 +Workqueue: events pulse8_irq_work_handler [pulse8_cec] +RIP: 0010:ir_lirc_scancode_event+0x3d/0xb0 [rc_core] +Code: 8d ae b4 07 00 00 49 81 c6 b8 07 00 00 53 e8 4a df c3 d5 48 89 ef 49 89 45 00 e8 4e 84 41 d6 49 8b 1e 49 89 c4 4c 39 f3 74 58 <8b> 43 38 8b 53 40 89 c1 2b 4b 3c 39 ca 72 41 21 d0 49 8b 7d 00 49 +RSP: 0018:ffffaa10e3c07d58 EFLAGS: 00010017 +RAX: 0000000000000002 RBX: 0000000000000000 RCX: 0000000000000018 +RDX: 0000000000000001 RSI: 00316245397fa93c RDI: ffff966d31c8d7b4 +RBP: ffff966d31c8d7b4 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000003 R11: ffffaa10e3c07e28 R12: 0000000000000002 +R13: ffffaa10e3c07d88 R14: ffff966d31c8d7b8 R15: 0000000000000073 +FS:  0000000000000000(0000) GS:ffff966d3f440000(0000) knlGS:0000000000000000 +CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000038 CR3: 00000009d820a003 CR4: 00000000003606e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + ir_do_keydown+0x75/0x260 [rc_core] + rc_keydown+0x54/0xc0 [rc_core] + cec_received_msg_ts+0xaa8/0xaf0 [cec] + process_one_work+0x1a1/0x350 + worker_thread+0x30/0x380 + ? pwq_unbound_release_workfn+0xd0/0xd0 + kthread+0x112/0x130 + ? 
kthread_create_worker_on_cpu+0x70/0x70 + ret_from_fork+0x35/0x40 +Modules linked in: rc_tt_1500 dvb_usb_dvbsky dvb_usb_v2 uas usb_storage fuse vhost_net vhost tap xt_CHECKSUM iptable_mangle ip6t_REJECT nf_reject_ipv6 tun 8021q garp mrp xt_nat macvlan xfs devlink ebta + si2157 si2168 cx25840 cx23885 kvm altera_ci tda18271 joydev ir_rc6_decoder rc_rc6_mce crct10dif_pclmul crc32_pclmul ghash_clmulni_intel intel_cstate intel_uncore altera_stapl m88ds3103 tveeprom cx2341 + mxm_wmi igb crc32c_intel megaraid_sas dca i2c_algo_bit wmi vfio_pci irqbypass vfio_virqfd vfio_iommu_type1 vfio i2c_dev +CR2: 0000000000000038 + +Cc: # v4.16+ +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/rc/rc-main.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/media/rc/rc-main.c ++++ b/drivers/media/rc/rc-main.c +@@ -707,7 +707,8 @@ void rc_repeat(struct rc_dev *dev) + (dev->last_toggle ? LIRC_SCANCODE_FLAG_TOGGLE : 0) + }; + +- ir_lirc_scancode_event(dev, &sc); ++ if (dev->allowed_protocols != RC_PROTO_BIT_CEC) ++ ir_lirc_scancode_event(dev, &sc); + + spin_lock_irqsave(&dev->keylock, flags); + +@@ -747,7 +748,8 @@ static void ir_do_keydown(struct rc_dev + .keycode = keycode + }; + +- ir_lirc_scancode_event(dev, &sc); ++ if (dev->allowed_protocols != RC_PROTO_BIT_CEC) ++ ir_lirc_scancode_event(dev, &sc); + + if (new_event && dev->keypressed) + ir_do_keyup(dev, false); diff --git a/queue-4.19/media-v4l2-tpg-array-index-could-become-negative.patch b/queue-4.19/media-v4l2-tpg-array-index-could-become-negative.patch new file mode 100644 index 00000000000..c4231369eb5 --- /dev/null +++ b/queue-4.19/media-v4l2-tpg-array-index-could-become-negative.patch 
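Review bot: The guard `dev->allowed_protocols != RC_PROTO_BIT_CEC` added in rc_repeat() and ir_do_keydown() tests a protocol bitmask for exact equality as a stand-in for "this device has no lirc chardev". A device that advertises CEC together with another protocol bit, or one that lacks the chardev for a different reason, could still reach ir_lirc_scancode_event() and hit the same NULL dereference. Testing the condition the oops actually depends on would be more robust, ideally once inside ir_lirc_scancode_event() rather than at both call sites. At minimum each site should carry a comment such as `/* CEC rc devices have no lirc chardev */`. Both function bodies extend outside the hunks.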
@@ -0,0 +1,33 @@
+From e5f71a27fa12c1a1b02ad478a568e76260f1815e Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Thu, 8 Nov 2018 11:12:47 -0500
+Subject: media: v4l2-tpg: array index could become negative
+
+From: Hans Verkuil
+
+commit e5f71a27fa12c1a1b02ad478a568e76260f1815e upstream.
+
+text[s] is a signed char, so using that as index into the font8x16 array
+can result in negative indices. Cast it to u8 to be safe.
+
+Signed-off-by: Hans Verkuil
+Reported-by: syzbot+ccf0a61ed12f2a7313ee@syzkaller.appspotmail.com
+Cc: # for v4.7 and up
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
+@@ -1738,7 +1738,7 @@ typedef struct { u16 __; u8 _; } __packe
+ unsigned s; \
+ \
+ for (s = 0; s < len; s++) { \
+- u8 chr = font8x16[text[s] * 16 + line]; \
++ u8 chr = font8x16[(u8)text[s] * 16 + line]; \
+ \
+ if (hdiv == 2 && tpg->hflip) { \
+ pos[3] = (chr & (0x01 << 6) ? fg : bg); \
diff --git a/queue-4.19/media-vb2-check-memory-model-for-vidioc_create_bufs.patch b/queue-4.19/media-vb2-check-memory-model-for-vidioc_create_bufs.patch
new file mode 100644
index 00000000000..5b95a06ea56
--- /dev/null
+++ b/queue-4.19/media-vb2-check-memory-model-for-vidioc_create_bufs.patch
@@ -0,0 +1,35 @@
+From 62dcb4f41836bd3c44b5b651bb6df07ea4cb1551 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Thu, 8 Nov 2018 07:23:37 -0500
+Subject: media: vb2: check memory model for VIDIOC_CREATE_BUFS
+
+From: Hans Verkuil
+
+commit 62dcb4f41836bd3c44b5b651bb6df07ea4cb1551 upstream.
+
+vb2_core_create_bufs did not check if the memory model for newly added
+buffers is the same as for already existing buffers. It should return an
+error if they aren't the same.
+
+Signed-off-by: Hans Verkuil
+Reported-by: syzbot+e1fb118a2ebb88031d21@syzkaller.appspotmail.com
+Cc: # for v4.16 and up
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/common/videobuf2/videobuf2-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/common/videobuf2/videobuf2-core.c
++++ b/drivers/media/common/videobuf2/videobuf2-core.c
+@@ -800,6 +800,9 @@ int vb2_core_create_bufs(struct vb2_queu
+ memset(q->alloc_devs, 0, sizeof(q->alloc_devs));
+ q->memory = memory;
+ q->waiting_for_buffers = !q->is_output;
++ } else if (q->memory != memory) {
++ dprintk(1, "memory model mismatch\n");
++ return -EINVAL;
+ }
+
+ num_buffers = min(*count, VB2_MAX_FRAME - q->num_buffers);
diff --git a/queue-4.19/media-vivid-free-bitmap_cap-when-updating-std-timings-etc.patch b/queue-4.19/media-vivid-free-bitmap_cap-when-updating-std-timings-etc.patch
new file mode 100644
index 00000000000..45c17b32a3b
--- /dev/null
+++ b/queue-4.19/media-vivid-free-bitmap_cap-when-updating-std-timings-etc.patch
@@ -0,0 +1,33 @@
+From 560ccb75c2caa6b1039dec1a53cd2ef526f5bf03 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Fri, 9 Nov 2018 08:37:44 -0500
+Subject: media: vivid: free bitmap_cap when updating std/timings/etc.
+
+From: Hans Verkuil
+
+commit 560ccb75c2caa6b1039dec1a53cd2ef526f5bf03 upstream.
+
+When vivid_update_format_cap() is called it should free any overlay
+bitmap since the compose size will change.
+
+Signed-off-by: Hans Verkuil
+Reported-by: syzbot+0cc8e3cc63ca373722c6@syzkaller.appspotmail.com
+Cc: # for v3.18 and up
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/platform/vivid/vivid-vid-cap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/vivid/vivid-vid-cap.c
++++ b/drivers/media/platform/vivid/vivid-vid-cap.c
+@@ -438,6 +438,8 @@ void vivid_update_format_cap(struct vivi
+ tpg_s_rgb_range(&dev->tpg, v4l2_ctrl_g_ctrl(dev->rgb_range_cap));
+ break;
+ }
++ vfree(dev->bitmap_cap);
++ dev->bitmap_cap = NULL;
+ vivid_update_quality(dev);
+ tpg_reset_source(&dev->tpg, dev->src_rect.width, dev->src_rect.height, dev->field_cap);
+ dev->crop_cap = dev->src_rect;
diff --git a/queue-4.19/mips-align-kernel-load-address-to-64kb.patch b/queue-4.19/mips-align-kernel-load-address-to-64kb.patch
new file mode 100644
index 00000000000..d33dbff0b7c
--- /dev/null
+++ b/queue-4.19/mips-align-kernel-load-address-to-64kb.patch
@@ -0,0 +1,57 @@
+From bec0de4cfad21bd284dbddee016ed1767a5d2823 Mon Sep 17 00:00:00 2001
+From: Huacai Chen
+Date: Thu, 15 Nov 2018 15:53:56 +0800
+Subject: MIPS: Align kernel load address to 64KB
+
+From: Huacai Chen
+
+commit bec0de4cfad21bd284dbddee016ed1767a5d2823 upstream.
+
+KEXEC needs the new kernel's load address to be aligned on a page
+boundary (see sanity_check_segment_list()), but on MIPS the default
+vmlinuz load address is only explicitly aligned to 16 bytes.
+
+Since the largest PAGE_SIZE supported by MIPS kernels is 64KB, increase
+the alignment calculated by calc_vmlinuz_load_addr to 64KB.
+
+Signed-off-by: Huacai Chen
+Signed-off-by: Paul Burton
+Patchwork: https://patchwork.linux-mips.org/patch/21131/
+Cc: Ralf Baechle
+Cc: James Hogan
+Cc: Steven J . Hill
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang
+Cc: Zhangjin Wu
+Cc: # 2.6.36+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/boot/compressed/calc_vmlinuz_load_addr.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
++++ b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
+@@ -13,6 +13,7 @@
+ #include
+ #include
+ #include
++#include "../../../../include/linux/sizes.h"
+
+ int main(int argc, char *argv[])
+ {
+@@ -45,11 +46,11 @@ int main(int argc, char *argv[])
+ vmlinuz_load_addr = vmlinux_load_addr + vmlinux_size;
+
+ /*
+- * Align with 16 bytes: "greater than that used for any standard data
+- * types by a MIPS compiler." -- See MIPS Run Linux (Second Edition).
++ * Align with 64KB: KEXEC needs load sections to be aligned to PAGE_SIZE,
++ * which may be as large as 64KB depending on the kernel configuration.
+ */
+
+- vmlinuz_load_addr += (16 - vmlinux_size % 16);
++ vmlinuz_load_addr += (SZ_64K - vmlinux_size % SZ_64K);
+
+ printf("0x%llx\n", vmlinuz_load_addr);
+
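Review bot: `vmlinuz_load_addr += (SZ_64K - vmlinux_size % SZ_64K);` derives the padding from `vmlinux_size` alone, so the result is 64KB-aligned only if `vmlinux_load_addr` is itself 64KB-aligned, and a size that is already a multiple of 64KB still gets a full extra 64KB. Rounding the address itself states the intent directly: `vmlinuz_load_addr = (vmlinuz_load_addr + SZ_64K - 1) & ~(unsigned long long)(SZ_64K - 1);`. The old 16-byte version had the same shape, but a load address is far more likely to be 16-byte aligned than 64KB aligned, so the assumption matters more now. Pulling in `../../../../include/linux/sizes.h` by relative path also ties this host tool to the tree layout. main() starts and ends outside the hunks.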
diff --git a/queue-4.19/mips-c-r4k-add-r4k_blast_scache_node-for-loongson-3.patch b/queue-4.19/mips-c-r4k-add-r4k_blast_scache_node-for-loongson-3.patch
new file mode 100644
index 00000000000..0f63a6ec9a0
--- /dev/null
+++ b/queue-4.19/mips-c-r4k-add-r4k_blast_scache_node-for-loongson-3.patch
@@ -0,0 +1,191 @@
+From bb53fdf395eed103f85061bfff3b116cee123895 Mon Sep 17 00:00:00 2001
+From: Huacai Chen
+Date: Thu, 15 Nov 2018 15:53:53 +0800
+Subject: MIPS: c-r4k: Add r4k_blast_scache_node for Loongson-3
+
+From: Huacai Chen
+
+commit bb53fdf395eed103f85061bfff3b116cee123895 upstream.
+
+For multi-node Loongson-3 (NUMA configuration), r4k_blast_scache() can
+only flush Node-0's scache. So we add r4k_blast_scache_node() by using
+(CAC_BASE | (node_id << NODE_ADDRSPACE_SHIFT)) instead of CKSEG0 as the
+start address.
+
+Signed-off-by: Huacai Chen
+[paul.burton@mips.com: Include asm/mmzone.h from asm/r4kcache.h for
+ nid_to_addrbase(). Add asm/mach-generic/mmzone.h
+ to allow inclusion for all platforms.]
+Signed-off-by: Paul Burton
+Patchwork: https://patchwork.linux-mips.org/patch/21129/
+Cc: Ralf Baechle
+Cc: James Hogan
+Cc: Steven J . Hill
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang
+Cc: Zhangjin Wu
+Cc: # 3.15+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/include/asm/mach-generic/mmzone.h | 2 +
+ arch/mips/include/asm/mach-loongson64/mmzone.h | 1
+ arch/mips/include/asm/mmzone.h | 8 ++++
+ arch/mips/include/asm/r4kcache.h | 22 ++++++++++++
+ arch/mips/mm/c-r4k.c | 44 +++++++++++++++++++++----
+ 5 files changed, 70 insertions(+), 7 deletions(-)
+
+--- /dev/null
++++ b/arch/mips/include/asm/mach-generic/mmzone.h
+@@ -0,0 +1,2 @@
++// SPDX-License-Identifier: GPL-2.0
++/* Intentionally empty */
+--- a/arch/mips/include/asm/mach-loongson64/mmzone.h
++++ b/arch/mips/include/asm/mach-loongson64/mmzone.h
+@@ -21,6 +21,7 @@
+ #define NODE3_ADDRSPACE_OFFSET 0x300000000000UL
+
+ #define pa_to_nid(addr) (((addr) & 0xf00000000000) >> NODE_ADDRSPACE_SHIFT)
++#define nid_to_addrbase(nid) ((nid) << NODE_ADDRSPACE_SHIFT)
+
+ #define LEVELS_PER_SLICE 128
+
+--- a/arch/mips/include/asm/mmzone.h
++++ b/arch/mips/include/asm/mmzone.h
+@@ -9,6 +9,14 @@
+ #include
+ #include
+
++#ifndef pa_to_nid
++#define pa_to_nid(addr) 0
++#endif
++
++#ifndef nid_to_addrbase
++#define nid_to_addrbase(nid) 0
++#endif
++
+ #ifdef CONFIG_DISCONTIGMEM
+
+ #define pfn_to_nid(pfn) pa_to_nid((pfn) << PAGE_SHIFT)
+--- a/arch/mips/include/asm/r4kcache.h
++++ b/arch/mips/include/asm/r4kcache.h
+@@ -20,6 +20,7 @@
+ #include
+ #include
+ #include
++#include
+ #include /* for uaccess_kernel() */
+
+ extern void (*r4k_blast_dcache)(void);
+@@ -747,4 +748,25 @@ __BUILD_BLAST_CACHE_RANGE(s, scache, Hit
+ __BUILD_BLAST_CACHE_RANGE(inv_d, dcache, Hit_Invalidate_D, , )
+ __BUILD_BLAST_CACHE_RANGE(inv_s, scache, Hit_Invalidate_SD, , )
+
++/* Currently, this is very specific to Loongson-3 */
++#define __BUILD_BLAST_CACHE_NODE(pfx, desc, indexop, hitop, lsize) \
++static inline void blast_##pfx##cache##lsize##_node(long node) \
++{ \
++ unsigned long start = CAC_BASE | nid_to_addrbase(node); \
++ unsigned long end = start + current_cpu_data.desc.waysize; \
++ unsigned long ws_inc = 1UL << current_cpu_data.desc.waybit; \
++ unsigned long ws_end = current_cpu_data.desc.ways << \
++ current_cpu_data.desc.waybit; \
++ unsigned long ws, addr; \
++ \
++ for (ws = 0; ws < ws_end; ws += ws_inc) \
++ for (addr = start; addr < end; addr += lsize * 32) \
++ cache##lsize##_unroll32(addr|ws, indexop); \
++}
++
++__BUILD_BLAST_CACHE_NODE(s, scache, Index_Writeback_Inv_SD, Hit_Writeback_Inv_SD, 16)
++__BUILD_BLAST_CACHE_NODE(s, scache, Index_Writeback_Inv_SD, Hit_Writeback_Inv_SD, 32)
++__BUILD_BLAST_CACHE_NODE(s, scache, Index_Writeback_Inv_SD, Hit_Writeback_Inv_SD, 64)
++__BUILD_BLAST_CACHE_NODE(s, scache, Index_Writeback_Inv_SD, Hit_Writeback_Inv_SD, 128)
++
+ #endif /* _ASM_R4KCACHE_H */
+--- a/arch/mips/mm/c-r4k.c
++++ b/arch/mips/mm/c-r4k.c
+@@ -459,11 +459,28 @@ static void r4k_blast_scache_setup(void)
+ r4k_blast_scache = blast_scache128;
+ }
+
++static void (*r4k_blast_scache_node)(long node);
++
++static void r4k_blast_scache_node_setup(void)
++{
++ unsigned long sc_lsize = cpu_scache_line_size();
++
++ if (current_cpu_type() != CPU_LOONGSON3)
++ r4k_blast_scache_node = (void *)cache_noop;
++ else if (sc_lsize == 16)
++ r4k_blast_scache_node = blast_scache16_node;
++ else if (sc_lsize == 32)
++ r4k_blast_scache_node = blast_scache32_node;
++ else if (sc_lsize == 64)
++ r4k_blast_scache_node = blast_scache64_node;
++ else if (sc_lsize == 128)
++ r4k_blast_scache_node = blast_scache128_node;
++}
++
+ static inline void local_r4k___flush_cache_all(void * args)
+ {
+ switch (current_cpu_type()) {
+ case CPU_LOONGSON2:
+- case CPU_LOONGSON3:
+ case CPU_R4000SC:
+ case CPU_R4000MC:
+ case CPU_R4400SC:
+@@ -480,6 +497,11 @@ static inline void local_r4k___flush_cac
+ r4k_blast_scache();
+ break;
+
++ case CPU_LOONGSON3:
++ /* Use get_ebase_cpunum() for both NUMA=y/n */
++ r4k_blast_scache_node(get_ebase_cpunum() >> 2);
++ break;
++
+ case CPU_BMIPS5000:
+ r4k_blast_scache();
+ __sync();
+@@ -840,10 +862,14 @@ static void r4k_dma_cache_wback_inv(unsi
+
+ preempt_disable();
+ if (cpu_has_inclusive_pcaches) {
+- if (size >= scache_size)
+- r4k_blast_scache();
+- else
++ if (size >= scache_size) {
++ if (current_cpu_type() != CPU_LOONGSON3)
++ r4k_blast_scache();
++ else
++ r4k_blast_scache_node(pa_to_nid(addr));
++ } else {
+ blast_scache_range(addr, addr + size);
++ }
+ preempt_enable();
+ __sync();
+ return;
+@@ -877,9 +903,12 @@ static void r4k_dma_cache_inv(unsigned l
+
+ preempt_disable();
+ if (cpu_has_inclusive_pcaches) {
+- if (size >= scache_size)
+- r4k_blast_scache();
+- else {
++ if (size >= scache_size) {
++ if (current_cpu_type() != CPU_LOONGSON3)
++ r4k_blast_scache();
++ else
++ r4k_blast_scache_node(pa_to_nid(addr));
++ } else {
+ /*
+ * There is no clearly documented alignment requirement
+ * for the cache instruction on MIPS processors and
+@@ -1918,6 +1947,7 @@ void r4k_cache_init(void)
+ r4k_blast_scache_page_setup();
+ r4k_blast_scache_page_indexed_setup();
+ r4k_blast_scache_setup();
++ r4k_blast_scache_node_setup();
+ #ifdef CONFIG_EVA
+ r4k_blast_dcache_user_page_setup();
+ r4k_blast_icache_user_page_setup();
diff --git a/queue-4.19/mips-ensure-pmd_present-returns-false-after-pmd_mknotpresent.patch b/queue-4.19/mips-ensure-pmd_present-returns-false-after-pmd_mknotpresent.patch
new file mode 100644
index 00000000000..c0ddc2e50bf
--- /dev/null
+++ b/queue-4.19/mips-ensure-pmd_present-returns-false-after-pmd_mknotpresent.patch
@@ -0,0 +1,44 @@
+From 92aa0718c9fa5160ad2f0e7b5bffb52f1ea1e51a Mon Sep 17 00:00:00 2001
+From: Huacai Chen
+Date: Thu, 15 Nov 2018 15:53:54 +0800
+Subject: MIPS: Ensure pmd_present() returns false after pmd_mknotpresent()
+
+From: Huacai Chen
+
+commit 92aa0718c9fa5160ad2f0e7b5bffb52f1ea1e51a upstream.
+
+This patch is borrowed from ARM64 to ensure pmd_present() returns false
+after pmd_mknotpresent(). This is needed for THP.
+
+References: 5bb1cc0ff9a6 ("arm64: Ensure pmd_present() returns false after pmd_mknotpresent()")
+Reviewed-by: James Hogan
+Signed-off-by: Huacai Chen
+Signed-off-by: Paul Burton
+Patchwork: https://patchwork.linux-mips.org/patch/21135/
+Cc: Ralf Baechle
+Cc: James Hogan
+Cc: Steven J . Hill
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang
+Cc: Zhangjin Wu
+Cc: # 3.8+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/include/asm/pgtable-64.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/mips/include/asm/pgtable-64.h
++++ b/arch/mips/include/asm/pgtable-64.h
+@@ -265,6 +265,11 @@ static inline int pmd_bad(pmd_t pmd)
+
+ static inline int pmd_present(pmd_t pmd)
+ {
++#ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT
++ if (unlikely(pmd_val(pmd) & _PAGE_HUGE))
++ return pmd_val(pmd) & _PAGE_PRESENT;
++#endif
++
+ return pmd_val(pmd) != (unsigned long) invalid_pte_table;
+ }
+
diff --git a/queue-4.19/mips-expand-mips32-asids-to-64-bits.patch b/queue-4.19/mips-expand-mips32-asids-to-64-bits.patch
new file mode 100644
index 00000000000..8dfaefc3762
--- /dev/null
+++ b/queue-4.19/mips-expand-mips32-asids-to-64-bits.patch
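Review bot: `r4k_blast_scache_node_setup()` leaves `r4k_blast_scache_node` NULL when the CPU is a Loongson-3 and `cpu_scache_line_size()` returns anything other than 16, 32, 64 or 128, because the `else if` chain has no final branch; the new `CPU_LOONGSON3` case in `local_r4k___flush_cache_all()` and both DMA paths then call through the pointer unconditionally. A closing branch such as `else { WARN_ON(1); r4k_blast_scache_node = (void *)cache_noop; }` would turn an unexpected or zero line size into a diagnosable condition instead of a NULL call in kernel mode. Separately, the `(void *)cache_noop` cast presumably hides a signature mismatch with `void (*)(long)`, and `get_ebase_cpunum() >> 2` hard-codes the cores-per-node shift; a typed no-op and a named constant would make both explicit. The functions touched in c-r4k.c start and end outside the hunks.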
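Review bot: `return pmd_val(pmd) & _PAGE_PRESENT;` in `pmd_present()` passes the masked bits through an `int` return type, so the result is only a reliable truth value while `_PAGE_PRESENT` sits in the low 31 bits; its definition is not visible in this hunk. Writing `return !!(pmd_val(pmd) & _PAGE_PRESENT);` makes the function independent of the bit position.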
@@ -0,0 +1,150 @@
+From ff4dd232ec45a0e45ea69f28f069f2ab22b4908a Mon Sep 17 00:00:00 2001
+From: Paul Burton
+Date: Tue, 4 Dec 2018 23:44:12 +0000
+Subject: MIPS: Expand MIPS32 ASIDs to 64 bits
+
+From: Paul Burton
+
+commit ff4dd232ec45a0e45ea69f28f069f2ab22b4908a upstream.
+
+ASIDs have always been stored as unsigned longs, ie. 32 bits on MIPS32
+kernels. This is problematic because it is feasible for the ASID version
+to overflow & wrap around to zero.
+
+We currently attempt to handle this overflow by simply setting the ASID
+version to 1, using asid_first_version(), but we make no attempt to
+account for the fact that there may be mm_structs with stale ASIDs that
+have versions which we now reuse due to the overflow & wrap around.
+
+Encountering this requires that:
+
+ 1) A struct mm_struct X is active on CPU A using ASID (V,n).
+
+ 2) That mm is not used on CPU A for the length of time that it takes
+ for CPU A's asid_cache to overflow & wrap around to the same
+ version V that the mm had in step 1. During this time tasks using
+ the mm could either be sleeping or only scheduled on other CPUs.
+
+ 3) Some other mm Y becomes active on CPU A and is allocated the same
+ ASID (V,n).
+
+ 4) mm X now becomes active on CPU A again, and now incorrectly has the
+ same ASID as mm Y.
+
+Where struct mm_struct ASIDs are represented above in the format
+(version, EntryHi.ASID), and on a typical MIPS32 system version will be
+24 bits wide & EntryHi.ASID will be 8 bits wide.
+
+The length of time required in step 2 is highly dependent upon the CPU &
+workload, but for a hypothetical 2GHz CPU running a workload which
+generates a new ASID every 10000 cycles this period is around 248 days.
+Due to this long period of time & the fact that tasks need to be
+scheduled in just the right (or wrong, depending upon your inclination)
+way, this is obviously a difficult bug to encounter but it's entirely
+possible as evidenced by reports.
+
+In order to fix this, simply extend ASIDs to 64 bits even on MIPS32
+builds. This will extend the period of time required for the
+hypothetical system above to encounter the problem from 28 days to
+around 3 trillion years, which feels safely outside of the realms of
+possibility.
+
+The cost of this is slightly more generated code in some commonly
+executed paths, but this is pretty minimal:
+
+ | Code Size Gain | Percentage
+ -----------------------|----------------|-------------
+ decstation_defconfig | +270 | +0.00%
+ 32r2el_defconfig | +652 | +0.01%
+ 32r6el_defconfig | +1000 | +0.01%
+
+I have been unable to measure any change in performance of the LMbench
+lat_ctx or lat_proc tests resulting from the 64b ASIDs on either
+32r2el_defconfig+interAptiv or 32r6el_defconfig+I6500 systems.
+
+Signed-off-by: Paul Burton
+Suggested-by: James Hogan
+References: https://lore.kernel.org/linux-mips/80B78A8B8FEE6145A87579E8435D78C30205D5F3@fzex.ruijie.com.cn/
+References: https://lore.kernel.org/linux-mips/1488684260-18867-1-git-send-email-jiwei.sun@windriver.com/
+Cc: Jiwei Sun
+Cc: Yu Huabing
+Cc: stable@vger.kernel.org # 2.6.12+
+Cc: linux-mips@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/include/asm/cpu-info.h | 2 +-
+ arch/mips/include/asm/mmu.h | 2 +-
+ arch/mips/include/asm/mmu_context.h | 10 ++++------
+ arch/mips/mm/c-r3k.c | 2 +-
+ 4 files changed, 7 insertions(+), 9 deletions(-)
+
+--- a/arch/mips/include/asm/cpu-info.h
++++ b/arch/mips/include/asm/cpu-info.h
+@@ -50,7 +50,7 @@ struct guest_info {
+ #define MIPS_CACHE_PINDEX 0x00000020 /* Physically indexed cache */
+
+ struct cpuinfo_mips {
+- unsigned long asid_cache;
++ u64 asid_cache;
+ #ifdef CONFIG_MIPS_ASID_BITS_VARIABLE
+ unsigned long asid_mask;
+ #endif
+--- a/arch/mips/include/asm/mmu.h
++++ b/arch/mips/include/asm/mmu.h
+@@ -7,7 +7,7 @@
+ #include
+
+ typedef struct {
+- unsigned long asid[NR_CPUS];
++ u64 asid[NR_CPUS];
+ void *vdso;
+ atomic_t fp_mode_switching;
+
+--- a/arch/mips/include/asm/mmu_context.h
++++ b/arch/mips/include/asm/mmu_context.h
+@@ -76,14 +76,14 @@ extern unsigned long pgd_current[];
+ * All unused by hardware upper bits will be considered
+ * as a software asid extension.
+ */
+-static unsigned long asid_version_mask(unsigned int cpu)
++static inline u64 asid_version_mask(unsigned int cpu)
+ {
+ unsigned long asid_mask = cpu_asid_mask(&cpu_data[cpu]);
+
+- return ~(asid_mask | (asid_mask - 1));
++ return ~(u64)(asid_mask | (asid_mask - 1));
+ }
+
+-static unsigned long asid_first_version(unsigned int cpu)
++static inline u64 asid_first_version(unsigned int cpu)
+ {
+ return ~asid_version_mask(cpu) + 1;
+ }
+@@ -102,14 +102,12 @@ static inline void enter_lazy_tlb(struct
+ static inline void
+ get_new_mmu_context(struct mm_struct *mm, unsigned long cpu)
+ {
+- unsigned long asid = asid_cache(cpu);
++ u64 asid = asid_cache(cpu);
+
+ if (!((asid += cpu_asid_inc()) & cpu_asid_mask(&cpu_data[cpu]))) {
+ if (cpu_has_vtag_icache)
+ flush_icache_all();
+ local_flush_tlb_all(); /* start new asid cycle */
+- if (!asid) /* fix version if needed */
+- asid = asid_first_version(cpu);
+ }
+
+ cpu_context(cpu, mm) = asid_cache(cpu) = asid;
+--- a/arch/mips/mm/c-r3k.c
++++ b/arch/mips/mm/c-r3k.c
+@@ -245,7 +245,7 @@ static void r3k_flush_cache_page(struct
+ pmd_t *pmdp;
+ pte_t *ptep;
+
+- pr_debug("cpage[%08lx,%08lx]\n",
++ pr_debug("cpage[%08llx,%08lx]\n",
+ cpu_context(smp_processor_id(), mm), addr);
+
+ /* No ASID => no such page in the cache. */
diff --git a/queue-4.19/mips-fix-a-r10000_llsc_war-logic-in-atomic.h.patch b/queue-4.19/mips-fix-a-r10000_llsc_war-logic-in-atomic.h.patch
new file mode 100644
index 00000000000..2669dc54212
--- /dev/null
+++ b/queue-4.19/mips-fix-a-r10000_llsc_war-logic-in-atomic.h.patch
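Review bot: The wrap fix-up in `get_new_mmu_context()` (`if (!asid) asid = asid_first_version(cpu);`) is removed without a replacement comment, so a later reader has no hint that version overflow is now deliberately unhandled because `asid` is a `u64`. A line such as `/* asid is 64 bits wide even on MIPS32, so the version field is not expected to wrap */` next to `local_flush_tlb_all()` would record that. The hunks only convert the storage in these four files; any code elsewhere that copies `cpu_context()` or `asid_cache()` into an `unsigned long`, or prints it with `%lx`, would silently drop version bits on MIPS32, which cannot be checked from the visible lines.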
@@ -0,0 +1,40 @@
+From db1ce3f5d01d2d6d5714aefba0159d2cb5167a0b Mon Sep 17 00:00:00 2001
+From: Huacai Chen
+Date: Tue, 25 Dec 2018 08:51:01 +0800
+Subject: MIPS: Fix a R10000_LLSC_WAR logic in atomic.h
+
+From: Huacai Chen
+
+commit db1ce3f5d01d2d6d5714aefba0159d2cb5167a0b upstream.
+
+Commit 4936084c2ee2 ("MIPS: Cleanup R10000_LLSC_WAR logic in atomic.h")
+introduce a mistake in atomic64_fetch_##op##_relaxed(), because it
+forget to delete R10000_LLSC_WAR in the if-condition. So fix it.
+
+Fixes: 4936084c2ee2 ("MIPS: Cleanup R10000_LLSC_WAR logic in atomic.h")
+Signed-off-by: Huacai Chen
+Signed-off-by: Paul Burton
+Cc: Joshua Kinard
+Cc: Ralf Baechle
+Cc: Steven J . Hill
+Cc: Fuxin Zhang
+Cc: Zhangjin Wu
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org # 4.19+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/include/asm/atomic.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/atomic.h
++++ b/arch/mips/include/asm/atomic.h
+@@ -306,7 +306,7 @@ static __inline__ long atomic64_fetch_##
+ { \
+ long result; \
+ \
+- if (kernel_uses_llsc && R10000_LLSC_WAR) { \
++ if (kernel_uses_llsc) { \
+ long temp; \
+ \
+ __asm__ __volatile__( \
diff --git a/queue-4.19/mips-math-emu-write-protect-delay-slot-emulation-pages.patch b/queue-4.19/mips-math-emu-write-protect-delay-slot-emulation-pages.patch
new file mode 100644
index 00000000000..0df4a0efb58
--- /dev/null
+++ b/queue-4.19/mips-math-emu-write-protect-delay-slot-emulation-pages.patch
@@ -0,0 +1,125 @@
+From adcc81f148d733b7e8e641300c5590a2cdc13bf3 Mon Sep 17 00:00:00 2001
+From: Paul Burton
+Date: Thu, 20 Dec 2018 17:45:43 +0000
+Subject: MIPS: math-emu: Write-protect delay slot emulation pages
+
+From: Paul Burton
+
+commit adcc81f148d733b7e8e641300c5590a2cdc13bf3 upstream.
+
+Mapping the delay slot emulation page as both writeable & executable
+presents a security risk, in that if an exploit can write to & jump into
+the page then it can be used as an easy way to execute arbitrary code.
+
+Prevent this by mapping the page read-only for userland, and using
+access_process_vm() with the FOLL_FORCE flag to write to it from
+mips_dsemul().
+
+This will likely be less efficient due to copy_to_user_page() performing
+cache maintenance on a whole page, rather than a single line as in the
+previous use of flush_cache_sigtramp(). However this delay slot
+emulation code ought not to be running in any performance critical paths
+anyway so this isn't really a problem, and we can probably do better in
+copy_to_user_page() anyway in future.
+
+A major advantage of this approach is that the fix is small & simple to
+backport to stable kernels.
+
+Reported-by: Andy Lutomirski
+Signed-off-by: Paul Burton
+Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions")
+Cc: stable@vger.kernel.org # v4.8+
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: Rich Felker
+Cc: David Daney
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/vdso.c | 4 ++--
+ arch/mips/math-emu/dsemul.c | 38 ++++++++++++++++++++------------------
+ 2 files changed, 22 insertions(+), 20 deletions(-)
+
+--- a/arch/mips/kernel/vdso.c
++++ b/arch/mips/kernel/vdso.c
+@@ -126,8 +126,8 @@ int arch_setup_additional_pages(struct l
+
+ /* Map delay slot emulation page */
+ base = mmap_region(NULL, STACK_TOP, PAGE_SIZE,
+- VM_READ|VM_WRITE|VM_EXEC|
+- VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
++ VM_READ | VM_EXEC |
++ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
+ 0, NULL);
+ if (IS_ERR_VALUE(base)) {
+ ret = base;
+--- a/arch/mips/math-emu/dsemul.c
++++ b/arch/mips/math-emu/dsemul.c
+@@ -214,8 +214,9 @@ int mips_dsemul(struct pt_regs *regs, mi
+ {
+ int isa16 = get_isa16_mode(regs->cp0_epc);
+ mips_instruction break_math;
+- struct emuframe __user *fr;
+- int err, fr_idx;
++ unsigned long fr_uaddr;
++ struct emuframe fr;
++ int fr_idx, ret;
+
+ /* NOP is easy */
+ if (ir == 0)
+@@ -250,27 +251,31 @@ int mips_dsemul(struct pt_regs *regs, mi
+ fr_idx = alloc_emuframe();
+ if (fr_idx == BD_EMUFRAME_NONE)
+ return SIGBUS;
+- fr = &dsemul_page()[fr_idx];
+
+ /* Retrieve the appropriately encoded break instruction */
+ break_math = BREAK_MATH(isa16);
+
+ /* Write the instructions to the frame */
+ if (isa16) {
+- err = __put_user(ir >> 16,
+- (u16 __user *)(&fr->emul));
+- err |= __put_user(ir & 0xffff,
+- (u16 __user *)((long)(&fr->emul) + 2));
+- err |= __put_user(break_math >> 16,
+- (u16 __user *)(&fr->badinst));
+- err |= __put_user(break_math & 0xffff,
+- (u16 __user *)((long)(&fr->badinst) + 2));
++ union mips_instruction _emul = {
++ .halfword = { ir >> 16, ir }
++ };
++ union mips_instruction _badinst = {
++ .halfword = { break_math >> 16, break_math }
++ };
++
++ fr.emul = _emul.word;
++ fr.badinst = _badinst.word;
+ } else {
+- err = __put_user(ir, &fr->emul);
+- err |= __put_user(break_math, &fr->badinst);
++ fr.emul = ir;
++ fr.badinst = break_math;
+ }
+
+- if (unlikely(err)) {
++ /* Write the frame to user memory */
++ fr_uaddr = (unsigned long)&dsemul_page()[fr_idx];
++ ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr),
++ FOLL_FORCE | FOLL_WRITE);
++ if (unlikely(ret != sizeof(fr))) {
+ MIPS_FPU_EMU_INC_STATS(errors);
+ free_emuframe(fr_idx, current->mm);
+ return SIGBUS;
+@@ -282,10 +287,7 @@ int mips_dsemul(struct pt_regs *regs, mi
+ atomic_set(¤t->thread.bd_emu_frame, fr_idx);
+
+ /* Change user register context to execute the frame */
+- regs->cp0_epc = (unsigned long)&fr->emul | isa16;
+-
+- /* Ensure the icache observes our newly written frame */
+- flush_cache_sigtramp((unsigned long)&fr->emul);
++ regs->cp0_epc = fr_uaddr | isa16;
+
+ return 0;
+ }
diff --git a/queue-4.19/mips-octeon-mark-rgmii-interface-disabled-on-octeon-iii.patch b/queue-4.19/mips-octeon-mark-rgmii-interface-disabled-on-octeon-iii.patch
new file mode 100644
index 00000000000..85f85d07d4b
--- /dev/null
+++ b/queue-4.19/mips-octeon-mark-rgmii-interface-disabled-on-octeon-iii.patch
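Review bot: In `mips_dsemul()` the new on-stack `struct emuframe fr` has only `emul` and `badinst` assigned before `access_process_vm(current, fr_uaddr, &fr, sizeof(fr), FOLL_FORCE | FOLL_WRITE)` copies the whole object into a user-readable page, so any other member or padding in the struct would carry uninitialised kernel stack bytes to userland. The struct definition is outside the hunk, so this may be harmless today, but a `memset(&fr, 0, sizeof(fr));` before the assignments keeps it safe if the layout ever changes. In `arch_setup_additional_pages()` `VM_MAYWRITE` is kept, presumably because the forced write needs it, which also means the page can still be made writable again with `mprotect()`; a comment stating why the flag stays would help the next reviewer. Both functions continue outside the hunks.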
@@ -0,0 +1,46 @@
+From edefae94b7b9f10d5efe32dece5a36e9d9ecc29e Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen
+Date: Wed, 2 Jan 2019 20:43:01 +0200
+Subject: MIPS: OCTEON: mark RGMII interface disabled on OCTEON III
+
+From: Aaro Koskinen
+
+commit edefae94b7b9f10d5efe32dece5a36e9d9ecc29e upstream.
+
+Commit 885872b722b7 ("MIPS: Octeon: Add Octeon III CN7xxx
+interface detection") added RGMII interface detection for OCTEON III,
+but it results in the following logs:
+
+[ 7.165984] ERROR: Unsupported Octeon model in __cvmx_helper_rgmii_probe
+[ 7.173017] ERROR: Unsupported Octeon model in __cvmx_helper_rgmii_probe
+
+The current RGMII routines are valid only for older OCTEONS that
+use GMX/ASX hardware blocks. On later chips AGL should be used,
+but support for that is missing in the mainline. Until that is added,
+mark the interface as disabled.
+
+Fixes: 885872b722b7 ("MIPS: Octeon: Add Octeon III CN7xxx interface detection")
+Signed-off-by: Aaro Koskinen
+Signed-off-by: Paul Burton
+Cc: Ralf Baechle
+Cc: James Hogan
+Cc: linux-mips@vger.kernel.org
+Cc: stable@vger.kernel.org # 4.7+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/cavium-octeon/executive/cvmx-helper.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/cavium-octeon/executive/cvmx-helper.c
++++ b/arch/mips/cavium-octeon/executive/cvmx-helper.c
+@@ -286,7 +286,8 @@ static cvmx_helper_interface_mode_t __cv
+ case 3:
+ return CVMX_HELPER_INTERFACE_MODE_LOOP;
+ case 4:
+- return CVMX_HELPER_INTERFACE_MODE_RGMII;
++ /* TODO: Implement support for AGL (RGMII). */
++ return CVMX_HELPER_INTERFACE_MODE_DISABLED;
+ default:
+ return CVMX_HELPER_INTERFACE_MODE_DISABLED;
+ }
diff --git a/queue-4.19/serial-uartps-fix-interrupt-mask-issue-to-handle-the-rx-interrupts-properly.patch b/queue-4.19/serial-uartps-fix-interrupt-mask-issue-to-handle-the-rx-interrupts-properly.patch
new file mode 100644
index 00000000000..8add4c7e1ae
--- /dev/null
+++ b/queue-4.19/serial-uartps-fix-interrupt-mask-issue-to-handle-the-rx-interrupts-properly.patch
@@ -0,0 +1,42 @@
+From 260683137ab5276113fc322fdbbc578024185fee Mon Sep 17 00:00:00 2001
+From: Nava kishore Manne
+Date: Tue, 18 Dec 2018 13:18:42 +0100
+Subject: serial: uartps: Fix interrupt mask issue to handle the RX interrupts properly
+
+From: Nava kishore Manne
+
+commit 260683137ab5276113fc322fdbbc578024185fee upstream.
+
+This patch Correct the RX interrupt mask value to handle the
+RX interrupts properly.
+
+Fixes: c8dbdc842d30 ("serial: xuartps: Rewrite the interrupt handling logic")
+Signed-off-by: Nava kishore Manne
+Cc: stable
+Signed-off-by: Michal Simek
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/xilinx_uartps.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/xilinx_uartps.c
++++ b/drivers/tty/serial/xilinx_uartps.c
+@@ -125,7 +125,7 @@ MODULE_PARM_DESC(rx_timeout, "Rx timeout
+ #define CDNS_UART_IXR_RXTRIG 0x00000001 /* RX FIFO trigger interrupt */
+ #define CDNS_UART_IXR_RXFULL 0x00000004 /* RX FIFO full interrupt. */
+ #define CDNS_UART_IXR_RXEMPTY 0x00000002 /* RX FIFO empty interrupt. */
+-#define CDNS_UART_IXR_MASK 0x00001FFF /* Valid bit mask */
++#define CDNS_UART_IXR_RXMASK 0x000021e7 /* Valid RX bit mask */
+
+ /*
+ * Do not enable parity error interrupt for the following
+@@ -362,7 +362,7 @@ static irqreturn_t cdns_uart_isr(int irq
+ cdns_uart_handle_tx(dev_id);
+ isrstatus &= ~CDNS_UART_IXR_TXEMPTY;
+ }
+- if (isrstatus & CDNS_UART_IXR_MASK)
++ if (isrstatus & CDNS_UART_IXR_RXMASK)
+ cdns_uart_handle_rx(dev_id, isrstatus);
+
+ spin_unlock(&port->lock);
diff --git a/queue-4.19/series b/queue-4.19/series
index 35311f91caa..89f93f2110f 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
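Review bot: `CDNS_UART_IXR_RXMASK 0x000021e7` is an opaque literal, so a reader cannot tell which interrupt sources now reach `cdns_uart_handle_rx()` from `cdns_uart_isr()`. It includes bit `0x2`, which the same hunk names `CDNS_UART_IXR_RXEMPTY`, and whether that is intended cannot be judged from the visible lines. Defining the mask as an OR of the existing `CDNS_UART_IXR_*` names would make the set reviewable. The definition of `CDNS_UART_IXR_MASK` is removed here, so any other user of that name outside the hunk needs checking as well.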
@@ -135,3 +135,22 @@ powerpc-tm-set-msr-just-prior-to-recheckpoint.patch
 powerpc-tm-unset-msr-if-not-recheckpointing.patch
 dax-don-t-access-a-freed-inode.patch
 dax-use-non-exclusive-wait-in-wait_entry_unlocked.patch
+f2fs-read-page-index-before-freeing.patch
+f2fs-fix-validation-of-the-block-count-in-sanity_check_raw_super.patch
+f2fs-sanity-check-of-xattr-entry-size.patch
+serial-uartps-fix-interrupt-mask-issue-to-handle-the-rx-interrupts-properly.patch
+media-cec-keep-track-of-outstanding-transmits.patch
+media-cec-pin-fix-broken-tx_ignore_nack_until_eom-error-injection.patch
+media-rc-cec-devices-do-not-have-a-lirc-chardev.patch
+media-imx274-fix-stack-corruption-in-imx274_read_reg.patch
+media-vivid-free-bitmap_cap-when-updating-std-timings-etc.patch
+media-vb2-check-memory-model-for-vidioc_create_bufs.patch
+media-v4l2-tpg-array-index-could-become-negative.patch
+tools-lib-traceevent-fix-processing-of-dereferenced-args-in-bprintk-events.patch
+mips-math-emu-write-protect-delay-slot-emulation-pages.patch
+mips-c-r4k-add-r4k_blast_scache_node-for-loongson-3.patch
+mips-ensure-pmd_present-returns-false-after-pmd_mknotpresent.patch
+mips-align-kernel-load-address-to-64kb.patch
+mips-expand-mips32-asids-to-64-bits.patch
+mips-octeon-mark-rgmii-interface-disabled-on-octeon-iii.patch
+mips-fix-a-r10000_llsc_war-logic-in-atomic.h.patch
diff --git a/queue-4.19/tools-lib-traceevent-fix-processing-of-dereferenced-args-in-bprintk-events.patch b/queue-4.19/tools-lib-traceevent-fix-processing-of-dereferenced-args-in-bprintk-events.patch
new file mode 100644
index 00000000000..b16111c82da
--- /dev/null
+++ b/queue-4.19/tools-lib-traceevent-fix-processing-of-dereferenced-args-in-bprintk-events.patch
@@ -0,0 +1,38 @@
+From f024cf085c423bac7512479f45c34ee9a24af7ce Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)"
+Date: Mon, 10 Dec 2018 13:45:22 -0500
+Subject: tools lib traceevent: Fix processing of dereferenced args in bprintk events
+
+From: Steven Rostedt (VMware)
+
+commit f024cf085c423bac7512479f45c34ee9a24af7ce upstream.
+
+In the case that a bprintk event has a dereferenced pointer that is
+stored as a string, and there's more values to process (more args), the
+arg was not updated to point to the next arg after processing the
+dereferenced pointer, and it screwed up what was to be displayed.
+
+Signed-off-by: Steven Rostedt (VMware)
+Cc: Jiri Olsa
+Cc: Namhyung Kim
+Cc: linux-trace-devel@vger.kernel.org
+Cc: stable@vger.kernel.org
+Fixes: 37db96bb49629 ("tools lib traceevent: Handle new pointer processing of bprint strings")
+Link: http://lkml.kernel.org/r/20181210134522.3f71e2ca@gandalf.local.home
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/lib/traceevent/event-parse.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/lib/traceevent/event-parse.c
++++ b/tools/lib/traceevent/event-parse.c
+@@ -4968,6 +4968,7 @@ static void pretty_print(struct trace_se
+
+ if (arg->type == PRINT_BSTRING) {
+ trace_seq_puts(s, arg->string.string);
++ arg = arg->next;
+ break;
+ }
+
-- 2.47.3