From c08aef147b5fd45d44ff75440a4a41171db068b1 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 22 Apr 2018 11:16:57 +0200 Subject: [PATCH] 4.4-stable patches added patches: alsa-hda-new-via-controller-suppor-no-snoop-path.patch alsa-line6-use-correct-endpoint-type-for-midi-output.patch alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch mips-memset.s-eva-fault-support-for-small_memset.patch mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch powerpc-eeh-fix-enabling-bridge-mmio-windows.patch powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch --- ...-via-controller-suppor-no-snoop-path.patch | 35 +++++++ ...orrect-endpoint-type-for-midi-output.patch | 47 ++++++++++ ...ut-substream-checks-in-compat-ioctls.patch | 93 +++++++++++++++++++ ...diocgfeature-with-a-destroyed-device.patch | 40 ++++++++ ...s-eva-fault-support-for-small_memset.patch | 65 +++++++++++++ ...et.s-fix-clobber-of-v1-in-last_fixup.patch | 77 +++++++++++++++ ...-of-__clear_user-from-lpartial_fixup.patch | 57 ++++++++++++ ...cromips-clobbers-to-bzero-invocation.patch | 60 ++++++++++++ ...eeh-fix-enabling-bridge-mmio-windows.patch | 56 +++++++++++ ...by-one-in-alternate-feature-patching.patch | 53 +++++++++++ queue-4.4/series | 10 ++ 11 files changed, 593 insertions(+) create mode 100644 queue-4.4/alsa-hda-new-via-controller-suppor-no-snoop-path.patch create mode 100644 queue-4.4/alsa-line6-use-correct-endpoint-type-for-midi-output.patch create mode 100644 queue-4.4/alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch create mode 100644 queue-4.4/hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch create mode 100644 queue-4.4/mips-memset.s-eva-fault-support-for-small_memset.patch create mode 100644 queue-4.4/mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch create mode 100644 
queue-4.4/mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch create mode 100644 queue-4.4/mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch create mode 100644 queue-4.4/powerpc-eeh-fix-enabling-bridge-mmio-windows.patch create mode 100644 queue-4.4/powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch
diff --git a/queue-4.4/alsa-hda-new-via-controller-suppor-no-snoop-path.patch b/queue-4.4/alsa-hda-new-via-controller-suppor-no-snoop-path.patch
new file mode 100644
index 00000000000..31f699ae8a2
--- /dev/null
+++ b/queue-4.4/alsa-hda-new-via-controller-suppor-no-snoop-path.patch
@@ -0,0 +1,35 @@
+From af52f9982e410edac21ca4b49563053ffc9da1eb Mon Sep 17 00:00:00 2001
+From: David Wang
+Date: Mon, 16 Apr 2018 17:48:09 +0800
+Subject: ALSA: hda - New VIA controller suppor no-snoop path
+
+From: David Wang
+
+commit af52f9982e410edac21ca4b49563053ffc9da1eb upstream.
+
+This patch is used to tell kernel that new VIA HDAC controller also
+support no-snoop path.
+
+[ minor coding style fix by tiwai ]
+
+Signed-off-by: David Wang
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/hda_intel.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -1549,7 +1549,8 @@ static void azx_check_snoop_available(st
+ */
+ u8 val;
+ pci_read_config_byte(chip->pci, 0x42, &val);
+- if (!(val & 0x80) && chip->pci->revision == 0x30)
++ if (!(val & 0x80) && (chip->pci->revision == 0x30 ||
++ chip->pci->revision == 0x20))
+ snoop = false;
+ }
+
diff --git a/queue-4.4/alsa-line6-use-correct-endpoint-type-for-midi-output.patch b/queue-4.4/alsa-line6-use-correct-endpoint-type-for-midi-output.patch
new file mode 100644
index 00000000000..3f7bcc4e774
--- /dev/null
+++ b/queue-4.4/alsa-line6-use-correct-endpoint-type-for-midi-output.patch
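Review bot: The widened condition in azx_check_snoop_available() compares chip->pci->revision against two bare constants, and nothing in the hunk says which VIA parts 0x30 and 0x20 stand for. A one-line comment above the test, for example `/* VIA revisions 0x30 and 0x20: no-snoop path available when bit 7 of config byte 0x42 is clear */`, would let the next revision be checked against the datasheet rather than guessed; the wording is inferred from the visible test and the commit message and should be confirmed by the author. The enclosing function starts and ends outside the hunk.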
@@ -0,0 +1,47 @@
+From 7ecb46e9ee9af18e304eb9e7d6804c59a408e846 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabi=C3=A1n=20Inostroza?=
+Date: Thu, 12 Apr 2018 00:37:35 -0300
+Subject: ALSA: line6: Use correct endpoint type for midi output
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fabián Inostroza
+
+commit 7ecb46e9ee9af18e304eb9e7d6804c59a408e846 upstream.
+
+Sending MIDI messages to a PODxt through the USB connection shows
+"usb_submit_urb failed" in dmesg and the message is not received by
+the POD.
+
+The error is caused because in the funcion send_midi_async() in midi.c
+there is a call to usb_sndbulkpipe() for endpoint 3 OUT, but the PODxt
+USB descriptor shows that this endpoint it's an interrupt endpoint.
+
+Patch tested with PODxt only.
+
+[ The bug has been present from the very beginning in the staging
+ driver time, but Fixes below points to the commit moving to sound/
+ directory so that the fix can be cleanly applied -- tiwai ]
+
+Fixes: 61864d844c29 ("ALSA: move line6 usb driver into sound/usb")
+Signed-off-by: Fabián Inostroza
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/line6/midi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/line6/midi.c
++++ b/sound/usb/line6/midi.c
+@@ -125,7 +125,7 @@ static int send_midi_async(struct usb_li
+ }
+
+ usb_fill_int_urb(urb, line6->usbdev,
+- usb_sndbulkpipe(line6->usbdev,
++ usb_sndintpipe(line6->usbdev,
+ line6->properties->ep_ctrl_w),
+ transfer_buffer, length, midi_sent, line6,
+ line6->interval);
diff --git a/queue-4.4/alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch b/queue-4.4/alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch
new file mode 100644
index 00000000000..00a75c29dbb
--- /dev/null
+++ b/queue-4.4/alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch
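Review bot: The pipe handed to usb_fill_int_urb() in send_midi_async() is now always built with usb_sndintpipe(), so the transfer type is still assumed rather than taken from the device, and the commit message says the change was tested with PODxt only. If another device handled by this driver exposes ep_ctrl_w as a bulk endpoint, the submit would presumably fail in the opposite direction, so the endpoint descriptor type is worth validating when the interface is probed. At minimum the assumption should be stated at the call, e.g. `/* ep_ctrl_w is assumed to be an interrupt OUT endpoint; verified on PODxt only */`. The function body starts and ends outside the hunk.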
@@ -0,0 +1,93 @@
+From 8a56ef4f3ffba9ebf4967b61ef600b0a7ba10f11 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 19 Apr 2018 18:16:15 +0200
+Subject: ALSA: rawmidi: Fix missing input substream checks in compat ioctls
+
+From: Takashi Iwai
+
+commit 8a56ef4f3ffba9ebf4967b61ef600b0a7ba10f11 upstream.
+
+Some rawmidi compat ioctls lack of the input substream checks
+(although they do check only for rfile->output). This many eventually
+lead to an Oops as NULL substream is passed to the rawmidi core
+functions.
+
+Fix it by adding the proper checks before each function call.
+
+The bug was spotted by syzkaller.
+
+Reported-by: syzbot+f7a0348affc3b67bc617@syzkaller.appspotmail.com
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/rawmidi_compat.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/sound/core/rawmidi_compat.c
++++ b/sound/core/rawmidi_compat.c
+@@ -36,8 +36,6 @@ static int snd_rawmidi_ioctl_params_comp
+ struct snd_rawmidi_params params;
+ unsigned int val;
+
+- if (rfile->output == NULL)
+- return -EINVAL;
+ if (get_user(params.stream, &src->stream) ||
+ get_user(params.buffer_size, &src->buffer_size) ||
+ get_user(params.avail_min, &src->avail_min) ||
+@@ -46,8 +44,12 @@ static int snd_rawmidi_ioctl_params_comp
+ params.no_active_sensing = val;
+ switch (params.stream) {
+ case SNDRV_RAWMIDI_STREAM_OUTPUT:
++ if (!rfile->output)
++ return -EINVAL;
+ return snd_rawmidi_output_params(rfile->output, ¶ms);
+ case SNDRV_RAWMIDI_STREAM_INPUT:
++ if (!rfile->input)
++ return -EINVAL;
+ return snd_rawmidi_input_params(rfile->input, ¶ms);
+ }
+ return -EINVAL;
+@@ -67,16 +69,18 @@ static int snd_rawmidi_ioctl_status_comp
+ int err;
+ struct snd_rawmidi_status status;
+
+- if (rfile->output == NULL)
+- return -EINVAL;
+ if (get_user(status.stream, &src->stream))
+ return -EFAULT;
+
+ switch (status.stream) {
+ case SNDRV_RAWMIDI_STREAM_OUTPUT:
++ if (!rfile->output)
++ return -EINVAL;
+ err = snd_rawmidi_output_status(rfile->output, &status);
+ break;
+ case SNDRV_RAWMIDI_STREAM_INPUT:
++ if (!rfile->input)
++ return -EINVAL;
+ err = snd_rawmidi_input_status(rfile->input, &status);
+ break;
+ default:
+@@ -113,16 +117,18 @@ static int snd_rawmidi_ioctl_status_x32(
+ int err;
+ struct snd_rawmidi_status status;
+
+- if (rfile->output == NULL)
+- return -EINVAL;
+ if (get_user(status.stream, &src->stream))
+ return -EFAULT;
+
+ switch (status.stream) {
+ case SNDRV_RAWMIDI_STREAM_OUTPUT:
++ if (!rfile->output)
++ return -EINVAL;
+ err = snd_rawmidi_output_status(rfile->output, &status);
+ break;
+ case SNDRV_RAWMIDI_STREAM_INPUT:
++ if (!rfile->input)
++ return -EINVAL;
+ err = snd_rawmidi_input_status(rfile->input, &status);
+ break;
+ default:
diff --git a/queue-4.4/hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch b/queue-4.4/hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch
new file mode 100644
index 00000000000..f9fc47f417a
--- /dev/null
+++ b/queue-4.4/hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch
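Review bot: The per-stream NULL checks are written out six times across snd_rawmidi_ioctl_params_compat(), snd_rawmidi_ioctl_status_compat() and snd_rawmidi_ioctl_status_x32(), and nothing records why each case needs its own check. Because the stream id is read from user space with get_user() and selects which substream pointer is dereferenced, a comment at the first switch would state the invariant for whoever adds the next compat ioctl, e.g. `/* rfile may have only one direction open: validate the substream matching the user-supplied stream */`. All three function bodies extend beyond their hunks.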
@@ -0,0 +1,40 @@
+From a955358d54695e4ad9f7d6489a7ac4d69a8fc711 Mon Sep 17 00:00:00 2001
+From: Rodrigo Rivas Costa
+Date: Fri, 6 Apr 2018 01:09:36 +0200
+Subject: HID: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device
+
+From: Rodrigo Rivas Costa
+
+commit a955358d54695e4ad9f7d6489a7ac4d69a8fc711 upstream.
+
+Doing `ioctl(HIDIOCGFEATURE)` in a tight loop on a hidraw device
+and then disconnecting the device, or unloading the driver, can
+cause a NULL pointer dereference.
+
+When a hidraw device is destroyed it sets 0 to `dev->exist`.
+Most functions check 'dev->exist' before doing its work, but
+`hidraw_get_report()` was missing that check.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Rodrigo Rivas Costa
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hidraw.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hid/hidraw.c
++++ b/drivers/hid/hidraw.c
+@@ -197,6 +197,11 @@ static ssize_t hidraw_get_report(struct
+ int ret = 0, len;
+ unsigned char report_number;
+
++ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) {
++ ret = -ENODEV;
++ goto out;
++ }
++
+ dev = hidraw_table[minor]->hid;
+
+ if (!dev->ll_driver->raw_request) {
diff --git a/queue-4.4/mips-memset.s-eva-fault-support-for-small_memset.patch b/queue-4.4/mips-memset.s-eva-fault-support-for-small_memset.patch
new file mode 100644
index 00000000000..1e62b097bbd
--- /dev/null
+++ b/queue-4.4/mips-memset.s-eva-fault-support-for-small_memset.patch
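Review bot: The new guard at the top of hidraw_get_report() tests hidraw_table[minor] and ->exist, and the very next statement reads hidraw_table[minor]->hid again, so the check only closes the crash if the caller holds whatever lock serialises against device teardown; the hunk does not show that lock. Presumably the ioctl path already takes it, but the requirement should be written where the check lives, e.g. `/* caller must hold the lock protecting hidraw_table[]; the entry can go away on disconnect */`. The function continues outside the hunk, including the `out` label that the new branch jumps to.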
@@ -0,0 +1,65 @@
+From 8a8158c85e1e774a44fbe81106fa41138580dfd1 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn
+Date: Thu, 29 Mar 2018 10:28:23 +0100
+Subject: MIPS: memset.S: EVA & fault support for small_memset
+
+From: Matt Redfearn
+
+commit 8a8158c85e1e774a44fbe81106fa41138580dfd1 upstream.
+
+The MIPS kernel memset / bzero implementation includes a small_memset
+branch which is used when the region to be set is smaller than a long (4
+bytes on 32bit, 8 bytes on 64bit). The current small_memset
+implementation uses a simple store byte loop to write the destination.
+There are 2 issues with this implementation:
+
+1. When EVA mode is active, user and kernel address spaces may overlap.
+Currently the use of the sb instruction means kernel mode addressing is
+always used and an intended write to userspace may actually overwrite
+some critical kernel data.
+
+2. If the write triggers a page fault, for example by calling
+__clear_user(NULL, 2), instead of gracefully handling the fault, an OOPS
+is triggered.
+
+Fix these issues by replacing the sb instruction with the EX() macro,
+which will emit EVA compatible instuctions as required. Additionally
+implement a fault fixup for small_memset which sets a2 to the number of
+bytes that could not be cleared (as defined by __clear_user).
+
+Reported-by: Chuanhua Lei
+Signed-off-by: Matt Redfearn
+Cc: Ralf Baechle
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/18975/
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/lib/memset.S | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/lib/memset.S
++++ b/arch/mips/lib/memset.S
+@@ -218,7 +218,7 @@
+ 1: PTR_ADDIU a0, 1 /* fill bytewise */
+ R10KCBARRIER(0(ra))
+ bne t1, a0, 1b
+- sb a1, -1(a0)
++ EX(sb, a1, -1(a0), .Lsmall_fixup\@)
+
+ 2: jr ra /* done */
+ move a2, zero
+@@ -257,6 +257,11 @@
+ jr ra
+ andi v1, a2, STORMASK
+
++.Lsmall_fixup\@:
++ PTR_SUBU a2, t1, a0
++ jr ra
++ PTR_ADDIU a2, 1
++
+ .endm
+
+ /*
diff --git a/queue-4.4/mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch b/queue-4.4/mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch
new file mode 100644
index 00000000000..fe2c2b7996e
--- /dev/null
+++ b/queue-4.4/mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch
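Review bot: The arithmetic in .Lsmall_fixup\@ is uncommented, yet it depends on a0 having been incremented before the faulting store at -1(a0) and on PTR_ADDIU a2, 1 appearing to run in the delay slot of jr ra. That value is what __clear_user reports as the number of bytes not cleared, so the derivation should be on the label, e.g. `/* a0 was already advanced past the faulting byte: remaining = t1 - (a0 - 1) */`. The EX() line also sits directly after bne, apparently in its delay slot; whether every EX() expansion is a single instruction in all configurations is not visible from this hunk and is worth confirming.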
@@ -0,0 +1,77 @@
+From c96eebf07692e53bf4dd5987510d8b550e793598 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn
+Date: Tue, 17 Apr 2018 16:40:00 +0100
+Subject: MIPS: memset.S: Fix clobber of v1 in last_fixup
+
+From: Matt Redfearn
+
+commit c96eebf07692e53bf4dd5987510d8b550e793598 upstream.
+
+The label .Llast_fixup\@ is jumped to on page fault within the final
+byte set loop of memset (on < MIPSR6 architectures). For some reason, in
+this fault handler, the v1 register is randomly set to a2 & STORMASK.
+This clobbers v1 for the calling function. This can be observed with the
+following test code:
+
+static int __init __attribute__((optimize("O0"))) test_clear_user(void)
+{
+ register int t asm("v1");
+ char *test;
+ int j, k;
+
+ pr_info("\n\n\nTesting clear_user\n");
+ test = vmalloc(PAGE_SIZE);
+
+ for (j = 256; j < 512; j++) {
+ t = 0xa5a5a5a5;
+ if ((k = clear_user(test + PAGE_SIZE - 256, j)) != j - 256) {
+ pr_err("clear_user (%px %d) returned %d\n", test + PAGE_SIZE - 256, j, k);
+ }
+ if (t != 0xa5a5a5a5) {
+ pr_err("v1 was clobbered to 0x%x!\n", t);
+ }
+ }
+
+ return 0;
+}
+late_initcall(test_clear_user);
+
+Which demonstrates that v1 is indeed clobbered (MIPS64):
+
+Testing clear_user
+v1 was clobbered to 0x1!
+v1 was clobbered to 0x2!
+v1 was clobbered to 0x3!
+v1 was clobbered to 0x4!
+v1 was clobbered to 0x5!
+v1 was clobbered to 0x6!
+v1 was clobbered to 0x7!
+
+Since the number of bytes that could not be set is already contained in
+a2, the andi placing a value in v1 is not necessary and actively
+harmful in clobbering v1.
+
+Reported-by: James Hogan
+Signed-off-by: Matt Redfearn
+Cc: Ralf Baechle
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/19109/
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/lib/memset.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/lib/memset.S
++++ b/arch/mips/lib/memset.S
+@@ -255,7 +255,7 @@
+
+ .Llast_fixup\@:
+ jr ra
+- andi v1, a2, STORMASK
++ nop
+
+ .Lsmall_fixup\@:
+ PTR_SUBU a2, t1, a0
diff --git a/queue-4.4/mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch b/queue-4.4/mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch
new file mode 100644
index 00000000000..8f4ae4136a9
--- /dev/null
+++ b/queue-4.4/mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch
@@ -0,0 +1,57 @@
+From daf70d89f80c6e1772233da9e020114b1254e7e0 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn
+Date: Tue, 17 Apr 2018 15:52:21 +0100
+Subject: MIPS: memset.S: Fix return of __clear_user from Lpartial_fixup
+
+From: Matt Redfearn
+
+commit daf70d89f80c6e1772233da9e020114b1254e7e0 upstream.
+
+The __clear_user function is defined to return the number of bytes that
+could not be cleared. From the underlying memset / bzero implementation
+this means setting register a2 to that number on return. Currently if a
+page fault is triggered within the memset_partial block, the value
+loaded into a2 on return is meaningless.
+
+The label .Lpartial_fixup\@ is jumped to on page fault. In order to work
+out how many bytes failed to copy, the exception handler should find how
+many bytes left in the partial block (andi a2, STORMASK), add that to
+the partial block end address (a2), and subtract the faulting address to
+get the remainder. Currently it incorrectly subtracts the partial block
+start address (t1), which has additionally been clobbered to generate a
+jump target in memset_partial. Fix this by adding the block end address
+instead.
+
+This issue was found with the following test code:
+ int j, k;
+ for (j = 0; j < 512; j++) {
+ if ((k = clear_user(NULL, j)) != j) {
+ pr_err("clear_user (NULL %d) returned %d\n", j, k);
+ }
+ }
+Which now passes on Creator Ci40 (MIPS32) and Cavium Octeon II (MIPS64).
+
+Suggested-by: James Hogan
+Signed-off-by: Matt Redfearn
+Cc: Ralf Baechle
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/19108/
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/lib/memset.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/lib/memset.S
++++ b/arch/mips/lib/memset.S
+@@ -249,7 +249,7 @@
+ PTR_L t0, TI_TASK($28)
+ andi a2, STORMASK
+ LONG_L t0, THREAD_BUADDR(t0)
+- LONG_ADDU a2, t1
++ LONG_ADDU a2, a0
+ jr ra
+ LONG_SUBU a2, t0
+
diff --git a/queue-4.4/mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch b/queue-4.4/mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch
new file mode 100644
index 00000000000..4dda22b2302
--- /dev/null
+++ b/queue-4.4/mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch
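Review bot: The corrected line adds a0, while the commit message describes the operand as the partial block end address and names a2 for it in one place, so the register roles in this fixup sequence are easy to misread. A comment above the sequence would settle it, e.g. `/* a2 = (a2 & STORMASK) + a0 (end of partial block) - faulting address */`. That a0 holds the block end at this point is inferred from the message and should be confirmed against memset_partial, which lies outside the hunk.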
@@ -0,0 +1,60 @@
+From b3d7e55c3f886493235bfee08e1e5a4a27cbcce8 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn
+Date: Tue, 17 Apr 2018 16:40:01 +0100
+Subject: MIPS: uaccess: Add micromips clobbers to bzero invocation
+
+From: Matt Redfearn
+
+commit b3d7e55c3f886493235bfee08e1e5a4a27cbcce8 upstream.
+
+The micromips implementation of bzero additionally clobbers registers t7
+& t8. Specify this in the clobbers list when invoking bzero.
+
+Fixes: 26c5e07d1478 ("MIPS: microMIPS: Optimise 'memset' core library function.")
+Reported-by: James Hogan
+Signed-off-by: Matt Redfearn
+Cc: Ralf Baechle
+Cc: linux-mips@linux-mips.org
+Cc: # 3.10+
+Patchwork: https://patchwork.linux-mips.org/patch/19110/
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/include/asm/uaccess.h | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/include/asm/uaccess.h
++++ b/arch/mips/include/asm/uaccess.h
+@@ -1238,6 +1238,13 @@ __clear_user(void __user *addr, __kernel
+ {
+ __kernel_size_t res;
+
++#ifdef CONFIG_CPU_MICROMIPS
++/* micromips memset / bzero also clobbers t7 & t8 */
++#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$15", "$24", "$31"
++#else
++#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$31"
++#endif /* CONFIG_CPU_MICROMIPS */
++
+ if (eva_kernel_access()) {
+ __asm__ __volatile__(
+ "move\t$4, %1\n\t"
+@@ -1247,7 +1254,7 @@ __clear_user(void __user *addr, __kernel
+ "move\t%0, $6"
+ : "=r" (res)
+ : "r" (addr), "r" (size)
+- : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31");
++ : bzero_clobbers);
+ } else {
+ might_fault();
+ __asm__ __volatile__(
+@@ -1258,7 +1265,7 @@ __clear_user(void __user *addr, __kernel
+ "move\t%0, $6"
+ : "=r" (res)
+ : "r" (addr), "r" (size)
+- : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31");
++ : bzero_clobbers);
+ }
+
+ return res;
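Review bot: bzero_clobbers is #defined inside the body of __clear_user() in a header and is never #undef'd in the visible lines, so the name leaks into every file that includes uaccess.h after this point. Moving the #ifdef block above the function, or adding `#undef bzero_clobbers` after the second asm statement, keeps the macro scoped to its two users. The comment could also say that "$15" and "$24" are the registers it calls t7 and t8 (presumably under the o32 names), since the list mixes numeric names with __UA_t0/__UA_t1. The function's signature and closing brace are outside the hunks.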
diff --git a/queue-4.4/powerpc-eeh-fix-enabling-bridge-mmio-windows.patch b/queue-4.4/powerpc-eeh-fix-enabling-bridge-mmio-windows.patch
new file mode 100644
index 00000000000..29ae849fe31
--- /dev/null
+++ b/queue-4.4/powerpc-eeh-fix-enabling-bridge-mmio-windows.patch
@@ -0,0 +1,56 @@
+From 13a83eac373c49c0a081cbcd137e79210fe78acd Mon Sep 17 00:00:00 2001
+From: Michael Neuling
+Date: Wed, 11 Apr 2018 13:37:58 +1000
+Subject: powerpc/eeh: Fix enabling bridge MMIO windows
+
+From: Michael Neuling
+
+commit 13a83eac373c49c0a081cbcd137e79210fe78acd upstream.
+
+On boot we save the configuration space of PCIe bridges. We do this so
+when we get an EEH event and everything gets reset that we can restore
+them.
+
+Unfortunately we save this state before we've enabled the MMIO space
+on the bridges. Hence if we have to reset the bridge when we come back
+MMIO is not enabled and we end up taking an PE freeze when the driver
+starts accessing again.
+
+This patch forces the memory/MMIO and bus mastering on when restoring
+bridges on EEH. Ideally we'd do this correctly by saving the
+configuration space writes later, but that will have to come later in
+a larger EEH rewrite. For now we have this simple fix.
+
+The original bug can be triggered on a boston machine by doing:
+ echo 0x8000000000000000 > /sys/kernel/debug/powerpc/PCI0001/err_injct_outbound
+On boston, this PHB has a PCIe switch on it. Without this patch,
+you'll see two EEH events, 1 expected and 1 the failure we are fixing
+here. The second EEH event causes the anything under the PHB to
+disappear (i.e. the i40e eth).
+
+With this patch, only 1 EEH event occurs and devices properly recover.
+
+Fixes: 652defed4875 ("powerpc/eeh: Check PCIe link after reset")
+Cc: stable@vger.kernel.org # v3.11+
+Reported-by: Pridhiviraj Paidipeddi
+Signed-off-by: Michael Neuling
+Acked-by: Russell Currey
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/eeh_pe.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/eeh_pe.c
++++ b/arch/powerpc/kernel/eeh_pe.c
+@@ -788,7 +788,8 @@ static void eeh_restore_bridge_bars(stru
+ eeh_ops->write_config(pdn, 15*4, 4, edev->config_space[15]);
+
+ /* PCI Command: 0x4 */
+- eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1]);
++ eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1] |
++ PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER);
+
+ /* Check the PCIe link is ready */
+ eeh_bridge_check_link(edev);
diff --git a/queue-4.4/powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch b/queue-4.4/powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch
new file mode 100644
index 00000000000..d3a03a74526
--- /dev/null
+++ b/queue-4.4/powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch
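Review bot: The restore write in eeh_restore_bridge_bars() now sets PCI_COMMAND_MEMORY and PCI_COMMAND_MASTER on every bridge regardless of what was saved, but the comment above it still reads only `/* PCI Command: 0x4 */`. Bus mastering on a bridge is what lets devices behind it issue DMA upstream, so forcing it on deserves an explicit note that the saved value is not restored verbatim, e.g. `/* Force memory decode and bus mastering on: config space was saved before they were enabled (interim fix) */`. The write is also 4 bytes wide at PCI_COMMAND, so it presumably covers the adjacent status register as well; that predates this change but is worth confirming while the line is touched. The function body extends outside the hunk.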
@@ -0,0 +1,53 @@
+From b8858581febb050688e276b956796bc4a78299ed Mon Sep 17 00:00:00 2001
+From: Michael Ellerman
+Date: Mon, 16 Apr 2018 23:25:19 +1000
+Subject: powerpc/lib: Fix off-by-one in alternate feature patching
+
+From: Michael Ellerman
+
+commit b8858581febb050688e276b956796bc4a78299ed upstream.
+
+When we patch an alternate feature section, we have to adjust any
+relative branches that branch out of the alternate section.
+
+But currently we have a bug if we have a branch that points to past
+the last instruction of the alternate section, eg:
+
+ FTR_SECTION_ELSE
+ 1: b 2f
+ or 6,6,6
+ 2:
+ ALT_FTR_SECTION_END(...)
+ nop
+
+This will result in a relative branch at 1 with a target that equals
+the end of the alternate section.
+
+That branch does not need adjusting when it's moved to the non-else
+location. Currently we do adjust it, resulting in a branch that goes
+off into the link-time location of the else section, which is junk.
+
+The fix is to not patch branches that have a target == end of the
+alternate section.
+
+Fixes: d20fe50a7b3c ("KVM: PPC: Book3S HV: Branch inside feature section")
+Fixes: 9b1a735de64c ("powerpc: Add logic to patch alternative feature sections")
+Cc: stable@vger.kernel.org # v2.6.27+
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/lib/feature-fixups.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/lib/feature-fixups.c
++++ b/arch/powerpc/lib/feature-fixups.c
+@@ -53,7 +53,7 @@ static int patch_alt_instruction(unsigne
+ unsigned int *target = (unsigned int *)branch_target(src);
+
+ /* Branch within the section doesn't need translating */
+- if (target < alt_start || target >= alt_end) {
++ if (target < alt_start || target > alt_end) {
+ instr = translate_branch(dest, src);
+ if (!instr)
+ return 1;
diff --git a/queue-4.4/series b/queue-4.4/series
index e90355b5e58..ad17e481b2a 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
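Review bot: The comment above the changed test in patch_alt_instruction() still says only `/* Branch within the section doesn't need translating */`, which no longer describes the condition now that a target equal to alt_end is also left untranslated. Since the difference between `>=` and `>` is the whole fix, the comment should carry it, e.g. `/* Branch within the section, or to the instruction just past it (target == alt_end), doesn't need translating */`. Without that, a later reader is likely to change the comparison back. The function continues outside the hunk.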
@@ -75,3 +75,13 @@ ext4-don-t-allow-r-w-mounts-if-metadata-blocks-overlap-the-superblock.patch
 drm-radeon-fix-pcie-lane-width-calculation.patch
 ext4-fix-crashes-in-dioread_nolock-mode.patch
 ext4-fix-deadlock-between-inline_data-and-ext4_expand_extra_isize_ea.patch
+alsa-line6-use-correct-endpoint-type-for-midi-output.patch
+alsa-rawmidi-fix-missing-input-substream-checks-in-compat-ioctls.patch
+alsa-hda-new-via-controller-suppor-no-snoop-path.patch
+hid-hidraw-fix-crash-on-hidiocgfeature-with-a-destroyed-device.patch
+mips-uaccess-add-micromips-clobbers-to-bzero-invocation.patch
+mips-memset.s-eva-fault-support-for-small_memset.patch
+mips-memset.s-fix-return-of-__clear_user-from-lpartial_fixup.patch
+mips-memset.s-fix-clobber-of-v1-in-last_fixup.patch
+powerpc-eeh-fix-enabling-bridge-mmio-windows.patch
+powerpc-lib-fix-off-by-one-in-alternate-feature-patching.patch
-- 2.47.3