From 91f5b73b469a5e963dffe566a78c8ae02ffb3d6f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 19 Jun 2017 09:15:28 +0800
Subject: [PATCH] 4.4-stable patches

added patches:
alarmtimer-rate-limit-periodic-intervals.patch
mips-fix-bnezc-jialc-return-address-calculation.patch

---
 ...mtimer-rate-limit-periodic-intervals.patch | 60 +++++++++++++++++++
 ...ezc-jialc-return-address-calculation.patch | 45 ++++++++++++++
 queue-4.4/series | 2 +
 3 files changed, 107 insertions(+)
 create mode 100644 queue-4.4/alarmtimer-rate-limit-periodic-intervals.patch
 create mode 100644 queue-4.4/mips-fix-bnezc-jialc-return-address-calculation.patch

diff --git a/queue-4.4/alarmtimer-rate-limit-periodic-intervals.patch b/queue-4.4/alarmtimer-rate-limit-periodic-intervals.patch
new file mode 100644
index 00000000000..7ab4ddab3b2
--- /dev/null
+++ b/queue-4.4/alarmtimer-rate-limit-periodic-intervals.patch
@@ -0,0 +1,60 @@
+From ff86bf0c65f14346bf2440534f9ba5ac232c39a0 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner
+Date: Tue, 30 May 2017 23:15:35 +0200
+Subject: alarmtimer: Rate limit periodic intervals
+
+From: Thomas Gleixner
+
+commit ff86bf0c65f14346bf2440534f9ba5ac232c39a0 upstream.
+
+The alarmtimer code has another source of potentially rearming itself too
+fast. Interval timers with a very samll interval have a similar CPU hog
+effect as the previously fixed overflow issue.
+
+The reason is that alarmtimers do not implement the normal protection
+against this kind of problem which the other posix timer use:
+
+ timer expires -> queue signal -> deliver signal -> rearm timer
+
+This scheme brings the rearming under scheduler control and prevents
+permanently firing timers which hog the CPU.
+
+Bringing this scheme to the alarm timer code is a major overhaul because it
+lacks all the necessary mechanisms completely.
+
+So for a quick fix limit the interval to one jiffie. This is not
+problematic in practice as alarmtimers are usually backed by an RTC for
+suspend which have 1 second resolution. It could be therefor argued that
+the resolution of this clock should be set to 1 second in general, but
+that's outside the scope of this fix.
+
+Signed-off-by: Thomas Gleixner
+Cc: Peter Zijlstra
+Cc: Kostya Serebryany
+Cc: syzkaller
+Cc: John Stultz
+Cc: Dmitry Vyukov
+Link: http://lkml.kernel.org/r/20170530211655.896767100@linutronix.de
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/time/alarmtimer.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/kernel/time/alarmtimer.c
++++ b/kernel/time/alarmtimer.c
+@@ -611,6 +611,14 @@ static int alarm_timer_set(struct k_itim
+ 
+ /* start the timer */
+ timr->it.alarm.interval = timespec_to_ktime(new_setting->it_interval);
++
++ /*
++ * Rate limit to the tick as a hot fix to prevent DOS. Will be
++ * mopped up later.
++ */
++ if (timr->it.alarm.interval < TICK_NSEC)
++ timr->it.alarm.interval = TICK_NSEC;
++
+ exp = timespec_to_ktime(new_setting->it_value);
+ /* Convert (if necessary) to absolute time */
+ if (flags != TIMER_ABSTIME) {
diff --git a/queue-4.4/mips-fix-bnezc-jialc-return-address-calculation.patch b/queue-4.4/mips-fix-bnezc-jialc-return-address-calculation.patch
new file mode 100644
index 00000000000..555e652f6b4
--- /dev/null
+++ b/queue-4.4/mips-fix-bnezc-jialc-return-address-calculation.patch
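Review bot: The added clamp `if (timr->it.alarm.interval < TICK_NSEC)` / `timr->it.alarm.interval = TICK_NSEC;` compares and assigns a `ktime_t` as a plain integer, which is how the upstream tree this was taken from defines it; 4.4 predates the change that made ktime_t a scalar, and if it still carries the `union ktime { s64 tv64; }` definition there, this backport will not compile — the other ktime_t uses in alarmtimer.c will confirm. The 4.4-safe spelling is `if (ktime_to_ns(timr->it.alarm.interval) < TICK_NSEC) timr->it.alarm.interval = ktime_set(0, TICK_NSEC);`. Since the clamp is the DoS mitigation, a build break here would silently leave 4.4 exposed to the periodic-rearm CPU hog the description fixes, so a test build on a 32-bit and a 64-bit MIPS/x86 config is warranted before this goes into the release. alarm_timer_set starts and ends outside the hunk, so any other interval-setting path in the function is not visible here.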
@@ -0,0 +1,45 @@
+From 1a73d9310e093fc3adffba4d0a67b9fab2ee3f63 Mon Sep 17 00:00:00 2001
+From: Paul Burton
+Date: Fri, 2 Jun 2017 11:35:01 -0700
+Subject: MIPS: Fix bnezc/jialc return address calculation
+
+From: Paul Burton
+
+commit 1a73d9310e093fc3adffba4d0a67b9fab2ee3f63 upstream.
+
+The code handling the pop76 opcode (ie. bnezc & jialc instructions) in
+__compute_return_epc_for_insn() needs to set the value of $31 in the
+jialc case, which is encoded with rs = 0. However its check to
+differentiate bnezc (rs != 0) from jialc (rs = 0) was unfortunately
+backwards, meaning that if we emulate a bnezc instruction we clobber $31
+& if we emulate a jialc instruction it actually behaves like a jic
+instruction.
+
+Fix this by inverting the check of rs to match the way the instructions
+are actually encoded.
+
+Signed-off-by: Paul Burton
+Fixes: 28d6f93d201d ("MIPS: Emulate the new MIPS R6 BNEZC and JIALC instructions")
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16178/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/branch.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/branch.c
++++ b/arch/mips/kernel/branch.c
+@@ -816,8 +816,10 @@ int __compute_return_epc_for_insn(struct
+ break;
+ }
+ /* Compact branch: BNEZC || JIALC */
+- if (insn.i_format.rs)
++ if (!insn.i_format.rs) {
++ /* JIALC: set $31/ra */
+ regs->regs[31] = epc + 4;
++ }
+ regs->cp0_epc += 8;
+ break;
+ #endif
diff --git a/queue-4.4/series b/queue-4.4/series
index 1ffbc59f0ba..847d3356d1a 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -25,3 +25,5 @@ swap-cond_resched-in-swap_cgroup_prepare.patch
 genirq-release-resources-in-__setup_irq-error-path.patch
 alarmtimer-prevent-overflow-of-relative-timers.patch
 usb-dwc3-exynos-fix-axius-clock-error-path-to-do-cleanup.patch
+alarmtimer-rate-limit-periodic-intervals.patch
+mips-fix-bnezc-jialc-return-address-calculation.patch
-- 
2.47.3
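Review bot: The link value `regs->regs[31] = epc + 4;` in the new `if (!insn.i_format.rs)` branch is left unexplained, and a reader used to the classic delay-slot JAL/JALR (where ra is epc + 8) will suspect an off-by-one; it is right here only because MIPSR6 compact branches have no delay slot, so the return address is the instruction directly after the JIALC. The comment `/* JIALC: set $31/ra */` should carry that reasoning, e.g. `/* JIALC (rs == 0): link to the next insn; compact branches have no delay slot, so ra = epc + 4 */`. Note that the unchanged `regs->cp0_epc += 8;` below still runs for both bnezc and jialc after the fix, which is presumably intentional but is not what the description discusses. __compute_return_epc_for_insn starts and ends outside the hunk.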