From 56694191a8a0d9c8cfc99aee4aa28154d0c6880c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 6 May 2020 10:57:18 +0200 Subject: [PATCH] 4.4-stable patches added patches: alsa-fm801-detect-fm-only-card-earlier.patch alsa-fm801-explicitly-free-irq-line.patch alsa-fm801-propagate-tuner_only-bit-when-autodetected.patch arm-dts-armadillo800eva-correct-extal1-frequency-to-24-mhz.patch arm-dts-kirkwood-add-kirkwood-ds112.dtb-to-makefile.patch arm-dts-kirkwood-gpio-leds-fixes-for-linkstation-ls-wvl-vl.patch arm-dts-kirkwood-gpio-leds-fixes-for-linkstation-ls-wxl-wsxl.patch arm-dts-kirkwood-gpio-pin-fixes-for-linkstation-ls-wvl-vl.patch arm-dts-kirkwood-gpio-pin-fixes-for-linkstation-ls-wxl-wsxl.patch arm-dts-kirkwood-use-unique-machine-name-for-ds112.patch arm-dts-orion5x-fix-the-missing-mtd-flash-on-linkstation-lswtgl.patch arm-dts-orion5x-gpio-pin-fixes-for-linkstation-lswtgl.patch arm-imx-select-src-for-i.mx7.patch arm-omap2-hwmod-fix-_idle-hwmod-state-sanity-check-sequence.patch bpf-mips-fix-off-by-one-in-ctx-offset-allocation.patch drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch drm-qxl-qxl_release-use-after-free.patch mips-bmips-adjust-mips-hpt-frequency-for-bcm7435.patch mips-bmips-bmips5000-has-i-cache-filing-from-d-cache.patch mips-bmips-clear-mips_cache_aliases-earlier.patch mips-bmips-fix-prid_imp_bmips5000-masking-for-bmips5200.patch mips-bmips-local_r4k___flush_cache_all-needs-to-blast-s-cache.patch mips-bmips-pretty-print-bmips5200-processor-name.patch mips-c-r4k-fix-protected_writeback_scache_line-for-eva.patch mips-define-at_vector_size_arch-for-arch_dlinfo.patch mips-fix-64-bit-htw-configuration.patch mips-fix-bc1-eq-ne-z-return-offset-calculation.patch mips-fix-htw-config-on-xpa-kernel-without-lpa-enabled.patch mips-fix-little-endian-micromips-msa-encodings.patch mips-fix-macro-typo.patch mips-kvm-fix-translation-of-mfc0-errctl.patch mips-math-emu-fix-bc1-eq-ne-z-emulation.patch mips-math-emu-fix-m-add-sub-.s-shifts.patch mips-octeon-off-by-one-in-octeon_irq_gpio_map.patch mips-panic-replace-smp_send_stop-with-kdump-friendly-version-in-panic-path.patch mips-perf-fix-i6400-event-numbers.patch mips-ptrace-drop-cp0_tcstatus-from-regoffset_table.patch mips-rm7000-double-locking-bug-in-rm7k_tc_disable.patch mips-scall-handle-seccomp-filters-which-redirect-syscalls.patch mips-smp-cps-stop-printing-ejtag-exceptions-to-uart.patch mips-smp-update-cpu_foreign_map-on-cpu-disable.patch mwifiex-fix-pcie-register-information-for-8997-chipset.patch netfilter-nfnetlink-use-original-skbuff-when-acking-batches.patch netlink-not-trim-skb-for-mmaped-socket-when-dump.patch perf-x86-fix-filter_events-bug-with-event-mappings.patch staging-rtl8192u-fix-crash-due-to-pointers-being-confusing.patch usb-gadged-pch_udc-get-rid-of-redundant-assignments.patch usb-gadget-f_acm-fix-configfs-attr-name.patch usb-gadget-pch_udc-reorder-spin_lock-to-avoid-deadlock.patch usb-gadget-udc-core-don-t-starve-dma-resources.patch x86-apic-uv-silence-a-shift-wrapping-warning.patch x86-ldt-print-the-real-ldt-base-address.patch xfrm-fix-crash-in-xfrm_msg_getsa-netlink-handler.patch --- ...sa-fm801-detect-fm-only-card-earlier.patch | 163 ++++++++++ .../alsa-fm801-explicitly-free-irq-line.patch | 34 ++ ...ate-tuner_only-bit-when-autodetected.patch | 57 ++++ ...a-correct-extal1-frequency-to-24-mhz.patch | 36 +++ ...d-add-kirkwood-ds112.dtb-to-makefile.patch | 32 ++ ...leds-fixes-for-linkstation-ls-wvl-vl.patch | 70 +++++ ...ds-fixes-for-linkstation-ls-wxl-wsxl.patch | 55 ++++ ...-pin-fixes-for-linkstation-ls-wvl-vl.patch | 119 +++++++ ...in-fixes-for-linkstation-ls-wxl-wsxl.patch | 143 +++++++++ ...od-use-unique-machine-name-for-ds112.patch | 44 +++ ...sing-mtd-flash-on-linkstation-lswtgl.patch | 62 ++++ ...pio-pin-fixes-for-linkstation-lswtgl.patch | 63 ++++ queue-4.4/arm-imx-select-src-for-i.mx7.patch | 36 +++ ...le-hwmod-state-sanity-check-sequence.patch | 100 ++++++ ...-off-by-one-in-ctx-offset-allocation.patch | 45 +++ ...xl_release-leak-in-qxl_draw_dirty_fb.patch | 37 +++ .../drm-qxl-qxl_release-use-after-free.patch | 145 +++++++++ ...djust-mips-hpt-frequency-for-bcm7435.patch | 37 +++ ...5000-has-i-cache-filing-from-d-cache.patch | 38 +++ ...ips-clear-mips_cache_aliases-earlier.patch | 54 ++++ ..._imp_bmips5000-masking-for-bmips5200.patch | 69 ++++ ...ush_cache_all-needs-to-blast-s-cache.patch | 39 +++ ...retty-print-bmips5200-processor-name.patch | 38 +++ ...tected_writeback_scache_line-for-eva.patch | 57 ++++ ...-at_vector_size_arch-for-arch_dlinfo.patch | 53 ++++ .../mips-fix-64-bit-htw-configuration.patch | 78 +++++ ...c1-eq-ne-z-return-offset-calculation.patch | 54 ++++ ...ig-on-xpa-kernel-without-lpa-enabled.patch | 48 +++ ...ittle-endian-micromips-msa-encodings.patch | 297 ++++++++++++++++++ queue-4.4/mips-fix-macro-typo.patch | 39 +++ ...s-kvm-fix-translation-of-mfc0-errctl.patch | 47 +++ ...s-math-emu-fix-bc1-eq-ne-z-emulation.patch | 61 ++++ ...ips-math-emu-fix-m-add-sub-.s-shifts.patch | 151 +++++++++ ...on-off-by-one-in-octeon_irq_gpio_map.patch | 37 +++ ...kdump-friendly-version-in-panic-path.patch | 144 +++++++++ .../mips-perf-fix-i6400-event-numbers.patch | 107 +++++++ ...op-cp0_tcstatus-from-regoffset_table.patch | 37 +++ ...ouble-locking-bug-in-rm7k_tc_disable.patch | 35 +++ ...comp-filters-which-redirect-syscalls.patch | 214 +++++++++++++ ...op-printing-ejtag-exceptions-to-uart.patch | 40 +++ ...pdate-cpu_foreign_map-on-cpu-disable.patch | 103 ++++++ ...egister-information-for-8997-chipset.patch | 46 +++ ...-original-skbuff-when-acking-batches.patch | 51 +++ ...trim-skb-for-mmaped-socket-when-dump.patch | 35 +++ ...ilter_events-bug-with-event-mappings.patch | 91 ++++++ queue-4.4/series | 53 ++++ ...rash-due-to-pointers-being-confusing.patch | 42 +++ ...udc-get-rid-of-redundant-assignments.patch | 140 +++++++++ ...-gadget-f_acm-fix-configfs-attr-name.patch | 36 +++ ...-reorder-spin_lock-to-avoid-deadlock.patch | 95 ++++++ ...-udc-core-don-t-starve-dma-resources.patch | 31 ++ ...-uv-silence-a-shift-wrapping-warning.patch | 49 +++ ...-ldt-print-the-real-ldt-base-address.patch | 34 ++ ...sh-in-xfrm_msg_getsa-netlink-handler.patch | 58 ++++ 54 files changed, 3879 insertions(+) create mode 100644 queue-4.4/alsa-fm801-detect-fm-only-card-earlier.patch create mode 100644 queue-4.4/alsa-fm801-explicitly-free-irq-line.patch create mode 100644 queue-4.4/alsa-fm801-propagate-tuner_only-bit-when-autodetected.patch create mode 100644 queue-4.4/arm-dts-armadillo800eva-correct-extal1-frequency-to-24-mhz.patch create mode 100644 queue-4.4/arm-dts-kirkwood-add-kirkwood-ds112.dtb-to-makefile.patch create mode 100644 queue-4.4/arm-dts-kirkwood-gpio-leds-fixes-for-linkstation-ls-wvl-vl.patch create mode 100644 queue-4.4/arm-dts-kirkwood-gpio-leds-fixes-for-linkstation-ls-wxl-wsxl.patch create mode 100644 queue-4.4/arm-dts-kirkwood-gpio-pin-fixes-for-linkstation-ls-wvl-vl.patch create mode 100644 queue-4.4/arm-dts-kirkwood-gpio-pin-fixes-for-linkstation-ls-wxl-wsxl.patch create mode 100644 queue-4.4/arm-dts-kirkwood-use-unique-machine-name-for-ds112.patch create mode 100644 queue-4.4/arm-dts-orion5x-fix-the-missing-mtd-flash-on-linkstation-lswtgl.patch create mode 100644 queue-4.4/arm-dts-orion5x-gpio-pin-fixes-for-linkstation-lswtgl.patch create mode 100644 queue-4.4/arm-imx-select-src-for-i.mx7.patch create mode 100644 queue-4.4/arm-omap2-hwmod-fix-_idle-hwmod-state-sanity-check-sequence.patch create mode 100644 queue-4.4/bpf-mips-fix-off-by-one-in-ctx-offset-allocation.patch create mode 100644 queue-4.4/drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch create mode 100644 queue-4.4/drm-qxl-qxl_release-use-after-free.patch create mode 100644 queue-4.4/mips-bmips-adjust-mips-hpt-frequency-for-bcm7435.patch create mode 100644 queue-4.4/mips-bmips-bmips5000-has-i-cache-filing-from-d-cache.patch create mode 100644 queue-4.4/mips-bmips-clear-mips_cache_aliases-earlier.patch create mode 100644 queue-4.4/mips-bmips-fix-prid_imp_bmips5000-masking-for-bmips5200.patch create mode 100644 queue-4.4/mips-bmips-local_r4k___flush_cache_all-needs-to-blast-s-cache.patch create mode 100644 queue-4.4/mips-bmips-pretty-print-bmips5200-processor-name.patch create mode 100644 queue-4.4/mips-c-r4k-fix-protected_writeback_scache_line-for-eva.patch create mode 100644 queue-4.4/mips-define-at_vector_size_arch-for-arch_dlinfo.patch create mode 100644 queue-4.4/mips-fix-64-bit-htw-configuration.patch create mode 100644 queue-4.4/mips-fix-bc1-eq-ne-z-return-offset-calculation.patch create mode 100644 queue-4.4/mips-fix-htw-config-on-xpa-kernel-without-lpa-enabled.patch create mode 100644 queue-4.4/mips-fix-little-endian-micromips-msa-encodings.patch create mode 100644 queue-4.4/mips-fix-macro-typo.patch create mode 100644 queue-4.4/mips-kvm-fix-translation-of-mfc0-errctl.patch create mode 100644 queue-4.4/mips-math-emu-fix-bc1-eq-ne-z-emulation.patch create mode 100644 queue-4.4/mips-math-emu-fix-m-add-sub-.s-shifts.patch create mode 100644 queue-4.4/mips-octeon-off-by-one-in-octeon_irq_gpio_map.patch create mode 100644 queue-4.4/mips-panic-replace-smp_send_stop-with-kdump-friendly-version-in-panic-path.patch create mode 100644 queue-4.4/mips-perf-fix-i6400-event-numbers.patch create mode 100644 queue-4.4/mips-ptrace-drop-cp0_tcstatus-from-regoffset_table.patch create mode 100644 queue-4.4/mips-rm7000-double-locking-bug-in-rm7k_tc_disable.patch create mode 100644 queue-4.4/mips-scall-handle-seccomp-filters-which-redirect-syscalls.patch create mode 100644 queue-4.4/mips-smp-cps-stop-printing-ejtag-exceptions-to-uart.patch create mode 100644 queue-4.4/mips-smp-update-cpu_foreign_map-on-cpu-disable.patch create mode 100644 queue-4.4/mwifiex-fix-pcie-register-information-for-8997-chipset.patch create mode 100644 queue-4.4/netfilter-nfnetlink-use-original-skbuff-when-acking-batches.patch create mode 100644 queue-4.4/netlink-not-trim-skb-for-mmaped-socket-when-dump.patch create mode 100644 queue-4.4/perf-x86-fix-filter_events-bug-with-event-mappings.patch create mode 100644 queue-4.4/series create mode 100644 queue-4.4/staging-rtl8192u-fix-crash-due-to-pointers-being-confusing.patch create mode 100644 queue-4.4/usb-gadged-pch_udc-get-rid-of-redundant-assignments.patch create mode 100644 queue-4.4/usb-gadget-f_acm-fix-configfs-attr-name.patch create mode 100644 queue-4.4/usb-gadget-pch_udc-reorder-spin_lock-to-avoid-deadlock.patch create mode 100644 queue-4.4/usb-gadget-udc-core-don-t-starve-dma-resources.patch create mode 100644 queue-4.4/x86-apic-uv-silence-a-shift-wrapping-warning.patch create mode 100644 queue-4.4/x86-ldt-print-the-real-ldt-base-address.patch create mode 100644 queue-4.4/xfrm-fix-crash-in-xfrm_msg_getsa-netlink-handler.patch diff --git a/queue-4.4/alsa-fm801-detect-fm-only-card-earlier.patch b/queue-4.4/alsa-fm801-detect-fm-only-card-earlier.patch new file mode 100644 index 00000000000..2e12144c5fa --- /dev/null +++ b/queue-4.4/alsa-fm801-detect-fm-only-card-earlier.patch @@ -0,0 +1,163 @@ +From b56fa687e02b27f8bd9d282950a88c2ed23d766b Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Mon, 21 Dec 2015 19:09:53 +0200 +Subject: ALSA: fm801: detect FM-only card earlier + +From: Andy Shevchenko + +commit b56fa687e02b27f8bd9d282950a88c2ed23d766b upstream. + +If user does not supply tea575x_tuner parameter the driver tries to detect the +tuner type. The failed codec initialization is considered as FM-only card +present, however the driver still registers an IRQ handler for it. + +Move codec detection earlier to set tea575x_tuner parameter before check. + +Here the following functions are introduced + reset_coded() resets AC97 codec + snd_fm801_chip_multichannel_init() initializes cards with multichannel support + +Fixes: 5618955c4269 (ALSA: fm801: move to pcim_* and devm_* functions) +Signed-off-by: Andy Shevchenko +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/fm801.c | 69 ++++++++++++++++++++++++++++++------------------------ + 1 file changed, 39 insertions(+), 30 deletions(-) + +--- a/sound/pci/fm801.c ++++ b/sound/pci/fm801.c +@@ -1088,26 +1088,20 @@ static int wait_for_codec(struct fm801 * + return -EIO; + } + +-static int snd_fm801_chip_init(struct fm801 *chip, int resume) ++static int reset_codec(struct fm801 *chip) + { +- unsigned short cmdw; +- +- if (chip->tea575x_tuner & TUNER_ONLY) +- goto __ac97_ok; +- + /* codec cold reset + AC'97 warm reset */ + fm801_writew(chip, CODEC_CTRL, (1 << 5) | (1 << 6)); + fm801_readw(chip, CODEC_CTRL); /* flush posting data */ + udelay(100); + fm801_writew(chip, CODEC_CTRL, 0); + +- if (wait_for_codec(chip, 0, AC97_RESET, msecs_to_jiffies(750)) < 0) +- if (!resume) { +- dev_info(chip->card->dev, +- "Primary AC'97 codec not found, assume SF64-PCR (tuner-only)\n"); +- chip->tea575x_tuner = 3 | TUNER_ONLY; +- goto __ac97_ok; +- } ++ return wait_for_codec(chip, 0, AC97_RESET, msecs_to_jiffies(750)); ++} ++ ++static void snd_fm801_chip_multichannel_init(struct fm801 *chip) ++{ ++ unsigned short cmdw; + + if (chip->multichannel) { + if (chip->secondary_addr) { +@@ -1134,8 +1128,11 @@ static int snd_fm801_chip_init(struct fm + /* cause timeout problems */ + wait_for_codec(chip, 0, AC97_VENDOR_ID1, msecs_to_jiffies(750)); + } ++} + +- __ac97_ok: ++static void snd_fm801_chip_init(struct fm801 *chip) ++{ ++ unsigned short cmdw; + + /* init volume */ + fm801_writew(chip, PCM_VOL, 0x0808); +@@ -1156,11 +1153,8 @@ static int snd_fm801_chip_init(struct fm + /* interrupt clear */ + fm801_writew(chip, IRQ_STATUS, + FM801_IRQ_PLAYBACK | FM801_IRQ_CAPTURE | FM801_IRQ_MPU); +- +- return 0; + } + +- + static int snd_fm801_free(struct fm801 *chip) + { + unsigned short cmdw; +@@ -1217,7 +1211,23 @@ static int snd_fm801_create(struct snd_c + if ((err = pci_request_regions(pci, "FM801")) < 0) + return err; + chip->port = pci_resource_start(pci, 0); +- if ((tea575x_tuner & TUNER_ONLY) == 0) { ++ ++ if (pci->revision >= 0xb1) /* FM801-AU */ ++ chip->multichannel = 1; ++ ++ if (!(chip->tea575x_tuner & TUNER_ONLY)) { ++ if (reset_codec(chip) < 0) { ++ dev_info(chip->card->dev, ++ "Primary AC'97 codec not found, assume SF64-PCR (tuner-only)\n"); ++ chip->tea575x_tuner = 3 | TUNER_ONLY; ++ } else { ++ snd_fm801_chip_multichannel_init(chip); ++ } ++ } ++ ++ snd_fm801_chip_init(chip); ++ ++ if ((chip->tea575x_tuner & TUNER_ONLY) == 0) { + if (devm_request_irq(&pci->dev, pci->irq, snd_fm801_interrupt, + IRQF_SHARED, KBUILD_MODNAME, chip)) { + dev_err(card->dev, "unable to grab IRQ %d\n", pci->irq); +@@ -1228,13 +1238,6 @@ static int snd_fm801_create(struct snd_c + pci_set_master(pci); + } + +- if (pci->revision >= 0xb1) /* FM801-AU */ +- chip->multichannel = 1; +- +- snd_fm801_chip_init(chip, 0); +- /* init might set tuner access method */ +- tea575x_tuner = chip->tea575x_tuner; +- + if ((err = snd_device_new(card, SNDRV_DEV_LOWLEVEL, chip, &ops)) < 0) { + snd_fm801_free(chip); + return err; +@@ -1251,15 +1254,15 @@ static int snd_fm801_create(struct snd_c + chip->tea.private_data = chip; + chip->tea.ops = &snd_fm801_tea_ops; + sprintf(chip->tea.bus_info, "PCI:%s", pci_name(pci)); +- if ((tea575x_tuner & TUNER_TYPE_MASK) > 0 && +- (tea575x_tuner & TUNER_TYPE_MASK) < 4) { ++ if ((chip->tea575x_tuner & TUNER_TYPE_MASK) > 0 && ++ (chip->tea575x_tuner & TUNER_TYPE_MASK) < 4) { + if (snd_tea575x_init(&chip->tea, THIS_MODULE)) { + dev_err(card->dev, "TEA575x radio not found\n"); + snd_fm801_free(chip); + return -ENODEV; + } +- } else if ((tea575x_tuner & TUNER_TYPE_MASK) == 0) { +- unsigned int tuner_only = tea575x_tuner & TUNER_ONLY; ++ } else if ((chip->tea575x_tuner & TUNER_TYPE_MASK) == 0) { ++ unsigned int tuner_only = chip->tea575x_tuner & TUNER_ONLY; + + /* autodetect tuner connection */ + for (tea575x_tuner = 1; tea575x_tuner <= 3; tea575x_tuner++) { +@@ -1395,7 +1398,13 @@ static int snd_fm801_resume(struct devic + struct fm801 *chip = card->private_data; + int i; + +- snd_fm801_chip_init(chip, 1); ++ if (chip->tea575x_tuner & TUNER_ONLY) { ++ snd_fm801_chip_init(chip); ++ } else { ++ reset_codec(chip); ++ snd_fm801_chip_multichannel_init(chip); ++ snd_fm801_chip_init(chip); ++ } + snd_ac97_resume(chip->ac97); + snd_ac97_resume(chip->ac97_sec); + for (i = 0; i < ARRAY_SIZE(saved_regs); i++) diff --git a/queue-4.4/alsa-fm801-explicitly-free-irq-line.patch b/queue-4.4/alsa-fm801-explicitly-free-irq-line.patch new file mode 100644 index 00000000000..37c7b010d0d --- /dev/null +++ b/queue-4.4/alsa-fm801-explicitly-free-irq-line.patch @@ -0,0 +1,34 @@ +From e97e98c63b43040732ad5d1f0b38ad4a8371c73a Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Fri, 18 Dec 2015 21:14:10 +0200 +Subject: ALSA: fm801: explicitly free IRQ line + +From: Andy Shevchenko + +commit e97e98c63b43040732ad5d1f0b38ad4a8371c73a upstream. + +Otherwise we will have a warning on ->remove() since device is a PCI one. + +WARNING: CPU: 4 PID: 1411 at /home/andy/prj/linux/fs/proc/generic.c:575 remove_proc_entry+0x137/0x160() +remove_proc_entry: removing non-empty directory 'irq/21', leaking at least 'snd_fm801' + +Fixes: 5618955c4269 (ALSA: fm801: move to pcim_* and devm_* functions) +Signed-off-by: Andy Shevchenko +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/fm801.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/fm801.c ++++ b/sound/pci/fm801.c +@@ -1173,6 +1173,8 @@ static int snd_fm801_free(struct fm801 * + cmdw |= 0x00c3; + fm801_writew(chip, IRQ_MASK, cmdw); + ++ devm_free_irq(&chip->pci->dev, chip->irq, chip); ++ + __end_hw: + #ifdef CONFIG_SND_FM801_TEA575X_BOOL + if (!(chip->tea575x_tuner & TUNER_DISABLED)) { diff --git a/queue-4.4/alsa-fm801-propagate-tuner_only-bit-when-autodetected.patch b/queue-4.4/alsa-fm801-propagate-tuner_only-bit-when-autodetected.patch new file mode 100644 index 00000000000..fea3ad968b2 --- /dev/null +++ b/queue-4.4/alsa-fm801-propagate-tuner_only-bit-when-autodetected.patch @@ -0,0 +1,57 @@ +From dbec6719ac036f68568d8488805d41346c021eff Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Mon, 21 Dec 2015 19:09:52 +0200 +Subject: ALSA: fm801: propagate TUNER_ONLY bit when autodetected + +From: Andy Shevchenko + +commit dbec6719ac036f68568d8488805d41346c021eff upstream. + +The commit d7ba858a7f7a (ALSA: fm801: implement TEA575x tuner autodetection) +brings autodetection to the driver. However the autodetection algorithm misses +the TUNER_ONLY bit if it is supplied by the user. + +Thus, user gets weird messages and no card registered. + + snd_fm801 0000:0d:01.0: detected TEA575x radio type SF64-PCR + snd_fm801 0000:0d:01.0: AC'97 interface is busy (1) + snd_fm801 0000:0d:01.0: AC'97 interface is busy (1) +... + snd_fm801 0000:0d:01.0: AC'97 0 does not respond - RESET + snd_fm801 0000:0d:01.0: AC'97 interface is busy (1) + snd_fm801 0000:0d:01.0: AC'97 interface is busy (1) + snd_fm801 0000:0d:01.0: AC'97 0 access is not valid [0x0], removing mixer. + snd_fm801: probe of 0000:0d:01.0 failed with error -5 + +Do a copy of TUNER_ONLY bit to be applied after autodetection is done. + +Fixes: d7ba858a7f7a (ALSA: fm801: implement TEA575x tuner autodetection) +Signed-off-by: Andy Shevchenko +Cc: Ondrej Zary +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/fm801.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/pci/fm801.c ++++ b/sound/pci/fm801.c +@@ -1259,6 +1259,8 @@ static int snd_fm801_create(struct snd_c + return -ENODEV; + } + } else if ((tea575x_tuner & TUNER_TYPE_MASK) == 0) { ++ unsigned int tuner_only = tea575x_tuner & TUNER_ONLY; ++ + /* autodetect tuner connection */ + for (tea575x_tuner = 1; tea575x_tuner <= 3; tea575x_tuner++) { + chip->tea575x_tuner = tea575x_tuner; +@@ -1273,6 +1275,8 @@ static int snd_fm801_create(struct snd_c + dev_err(card->dev, "TEA575x radio not found\n"); + chip->tea575x_tuner = TUNER_DISABLED; + } ++ ++ chip->tea575x_tuner |= tuner_only; + } + if (!(chip->tea575x_tuner & TUNER_DISABLED)) { + strlcpy(chip->tea.card, get_tea575x_gpio(chip)->name, diff --git a/queue-4.4/arm-dts-armadillo800eva-correct-extal1-frequency-to-24-mhz.patch b/queue-4.4/arm-dts-armadillo800eva-correct-extal1-frequency-to-24-mhz.patch new file mode 100644 index 00000000000..ad880230673 --- /dev/null +++ b/queue-4.4/arm-dts-armadillo800eva-correct-extal1-frequency-to-24-mhz.patch @@ -0,0 +1,36 @@ +From c61f30a255550bbfc6b83c1ca720661489cac4c0 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Fri, 18 Dec 2015 11:51:36 +0100 +Subject: ARM: dts: armadillo800eva Correct extal1 frequency to 24 MHz + +From: Geert Uytterhoeven + +commit c61f30a255550bbfc6b83c1ca720661489cac4c0 upstream. + +On r8a7740/armadillo, actual clock rates are ca. 4% lower than reported +by /sys/kernel/debug/clk/clk_summary. Correct the extal1 frequency from +25 MHz to 24 MHz to fix this. + +This matches the Armadillo-800 EVA Product Manual, which claims the main +crystal runs at 24 MHz, and the old legacy/reference board code. + +Fixes: 25aa7ba3fdfb ("ARM: shmobile: armadillo800eva: Sync DTS") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Simon Horman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/r8a7740-armadillo800eva.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/r8a7740-armadillo800eva.dts ++++ b/arch/arm/boot/dts/r8a7740-armadillo800eva.dts +@@ -180,7 +180,7 @@ + }; + + &extal1_clk { +- clock-frequency = <25000000>; ++ clock-frequency = <24000000>; + }; + &extal2_clk { + clock-frequency = <48000000>; diff --git a/queue-4.4/arm-dts-kirkwood-add-kirkwood-ds112.dtb-to-makefile.patch b/queue-4.4/arm-dts-kirkwood-add-kirkwood-ds112.dtb-to-makefile.patch new file mode 100644 index 00000000000..beef5c0bc2e --- /dev/null +++ b/queue-4.4/arm-dts-kirkwood-add-kirkwood-ds112.dtb-to-makefile.patch @@ -0,0 +1,32 @@ +From fc5c796e12511a7c027b5a4438719dde2f796208 Mon Sep 17 00:00:00 2001 +From: Heinrich Schuchardt +Date: Mon, 28 Mar 2016 10:03:48 +0200 +Subject: ARM: dts: kirkwood: add kirkwood-ds112.dtb to Makefile + +From: Heinrich Schuchardt + +commit fc5c796e12511a7c027b5a4438719dde2f796208 upstream. + +Commit 2d0a7addbd10 ("ARM: Kirkwood: Add support for many Synology +NAS devices") created the new file kirkwood-ds112.dts but did not +add it to the Makefile. + +Fixes: 2d0a7addbd10 ("ARM: Kirkwood: Add support for many Synology NAS devices") +Signed-off-by: Heinrich Schuchardt +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/Makefile | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/boot/dts/Makefile ++++ b/arch/arm/boot/dts/Makefile +@@ -166,6 +166,7 @@ dtb-$(CONFIG_MACH_KIRKWOOD) += \ + kirkwood-ds109.dtb \ + kirkwood-ds110jv10.dtb \ + kirkwood-ds111.dtb \ ++ kirkwood-ds112.dtb \ + kirkwood-ds209.dtb \ + kirkwood-ds210.dtb \ + kirkwood-ds212.dtb \ diff --git a/queue-4.4/arm-dts-kirkwood-gpio-leds-fixes-for-linkstation-ls-wvl-vl.patch b/queue-4.4/arm-dts-kirkwood-gpio-leds-fixes-for-linkstation-ls-wvl-vl.patch new file mode 100644 index 00000000000..2621f4d6523 --- /dev/null +++ b/queue-4.4/arm-dts-kirkwood-gpio-leds-fixes-for-linkstation-ls-wvl-vl.patch @@ -0,0 +1,70 @@ +From 0418138e2ffd90f4a00b263593f2e199db87321d Mon Sep 17 00:00:00 2001 +From: Roger Shimizu +Date: Thu, 21 Jan 2016 23:38:47 +0900 +Subject: ARM: dts: kirkwood: gpio-leds fixes for linkstation ls-wvl/vl + +From: Roger Shimizu + +commit 0418138e2ffd90f4a00b263593f2e199db87321d upstream. + +The GPIOs controlling the LEDs, listed below, are active high, not low: + - gpio-leds: "lswvl:red:alarm" pin + - gpio-leds: "lswvl:red:func" pin + - gpio-leds: "lswvl:amber:info" pin + - gpio-leds: "lswvl:blue:func" pin + - gpio-leds: "lswvl:red:hdderr{0,1}" pin + +Fixes: c43379e150aa ("ARM: dts: add buffalo linkstation ls-wvl/vl") +Signed-off-by: Roger Shimizu +Reviewed-by: Andrew Lunn +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/kirkwood-lswvl.dts | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/arm/boot/dts/kirkwood-lswvl.dts ++++ b/arch/arm/boot/dts/kirkwood-lswvl.dts +@@ -186,22 +186,22 @@ + + led@1 { + label = "lswvl:red:alarm"; +- gpios = <&gpio1 4 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 4 GPIO_ACTIVE_HIGH>; + }; + + led@2 { + label = "lswvl:red:func"; +- gpios = <&gpio1 5 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 5 GPIO_ACTIVE_HIGH>; + }; + + led@3 { + label = "lswvl:amber:info"; +- gpios = <&gpio1 6 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 6 GPIO_ACTIVE_HIGH>; + }; + + led@4 { + label = "lswvl:blue:func"; +- gpios = <&gpio1 7 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 7 GPIO_ACTIVE_HIGH>; + }; + + led@5 { +@@ -212,12 +212,12 @@ + + led@6 { + label = "lswvl:red:hdderr0"; +- gpios = <&gpio1 2 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 2 GPIO_ACTIVE_HIGH>; + }; + + led@7 { + label = "lswvl:red:hdderr1"; +- gpios = <&gpio1 3 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 3 GPIO_ACTIVE_HIGH>; + }; + }; + diff --git a/queue-4.4/arm-dts-kirkwood-gpio-leds-fixes-for-linkstation-ls-wxl-wsxl.patch b/queue-4.4/arm-dts-kirkwood-gpio-leds-fixes-for-linkstation-ls-wxl-wsxl.patch new file mode 100644 index 00000000000..d011995ce01 --- /dev/null +++ b/queue-4.4/arm-dts-kirkwood-gpio-leds-fixes-for-linkstation-ls-wxl-wsxl.patch @@ -0,0 +1,55 @@ +From e98bd707e39d52d8bef8622e6e7b0ab4bd0ed8d0 Mon Sep 17 00:00:00 2001 +From: Roger Shimizu +Date: Thu, 21 Jan 2016 23:38:46 +0900 +Subject: ARM: dts: kirkwood: gpio-leds fixes for linkstation ls-wxl/wsxl + +From: Roger Shimizu + +commit e98bd707e39d52d8bef8622e6e7b0ab4bd0ed8d0 upstream. + +The GPIOs controlling the LEDs, listed below, are active high, not low: + - gpio-leds: "lswxl:blue:power" pin + - gpio-leds: "lswxl:red:func" pin + - gpio-leds: "lswxl:red:hdderr{0,1}" pin + +Fixes: e54e4b1b622e ("ARM: dts: add buffalo linkstation ls-wxl/wsxl") +Signed-off-by: Roger Shimizu +Reviewed-by: Andrew Lunn +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/kirkwood-lswxl.dts | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/arm/boot/dts/kirkwood-lswxl.dts ++++ b/arch/arm/boot/dts/kirkwood-lswxl.dts +@@ -201,23 +201,23 @@ + + led@4 { + label = "lswxl:blue:power"; +- gpios = <&gpio1 7 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 7 GPIO_ACTIVE_HIGH>; ++ default-state = "keep"; + }; + + led@5 { + label = "lswxl:red:func"; +- gpios = <&gpio1 2 GPIO_ACTIVE_LOW>; +- default-state = "keep"; ++ gpios = <&gpio1 2 GPIO_ACTIVE_HIGH>; + }; + + led@6 { + label = "lswxl:red:hdderr0"; +- gpios = <&gpio0 8 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio0 8 GPIO_ACTIVE_HIGH>; + }; + + led@7 { + label = "lswxl:red:hdderr1"; +- gpios = <&gpio1 14 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 14 GPIO_ACTIVE_HIGH>; + }; + }; + diff --git a/queue-4.4/arm-dts-kirkwood-gpio-pin-fixes-for-linkstation-ls-wvl-vl.patch b/queue-4.4/arm-dts-kirkwood-gpio-pin-fixes-for-linkstation-ls-wvl-vl.patch new file mode 100644 index 00000000000..5e1a0fee491 --- /dev/null +++ b/queue-4.4/arm-dts-kirkwood-gpio-pin-fixes-for-linkstation-ls-wvl-vl.patch @@ -0,0 +1,119 @@ +From 6f86e9adc53b4c0a2a4283692216d119019f0b8d Mon Sep 17 00:00:00 2001 +From: Roger Shimizu +Date: Thu, 21 Jan 2016 23:38:45 +0900 +Subject: ARM: dts: kirkwood: gpio pin fixes for linkstation ls-wvl/vl + +From: Roger Shimizu + +commit 6f86e9adc53b4c0a2a4283692216d119019f0b8d upstream. + +For kirkwood, gpio pins starts from 32 are in the 2nd bank, so it should be +converted to "gpio1 " in dts file. +e.g. gpio 40 should be "gpio1 8" + +The pin/bank issue was found when discussing Debian Bug #810894 + [https://bugs.debian.org/810894#47] + +Fixes: c43379e150aa ("ARM: dts: add buffalo linkstation ls-wvl/vl") +Reported-by: Arnaud Patard (Rtp) +Signed-off-by: Roger Shimizu +Reviewed-by: Andrew Lunn +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/kirkwood-lswvl.dts | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +--- a/arch/arm/boot/dts/kirkwood-lswvl.dts ++++ b/arch/arm/boot/dts/kirkwood-lswvl.dts +@@ -1,7 +1,8 @@ + /* + * Device Tree file for Buffalo Linkstation LS-WVL/VL + * +- * Copyright (C) 2015, rogershimizu@gmail.com ++ * Copyright (C) 2015, 2016 ++ * Roger Shimizu + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License +@@ -156,21 +157,21 @@ + button@1 { + label = "Function Button"; + linux,code = ; +- gpios = <&gpio0 45 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 13 GPIO_ACTIVE_LOW>; + }; + + button@2 { + label = "Power-on Switch"; + linux,code = ; + linux,input-type = <5>; +- gpios = <&gpio0 46 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 14 GPIO_ACTIVE_LOW>; + }; + + button@3 { + label = "Power-auto Switch"; + linux,code = ; + linux,input-type = <5>; +- gpios = <&gpio0 47 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 15 GPIO_ACTIVE_LOW>; + }; + }; + +@@ -185,38 +186,38 @@ + + led@1 { + label = "lswvl:red:alarm"; +- gpios = <&gpio0 36 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 4 GPIO_ACTIVE_LOW>; + }; + + led@2 { + label = "lswvl:red:func"; +- gpios = <&gpio0 37 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 5 GPIO_ACTIVE_LOW>; + }; + + led@3 { + label = "lswvl:amber:info"; +- gpios = <&gpio0 38 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 6 GPIO_ACTIVE_LOW>; + }; + + led@4 { + label = "lswvl:blue:func"; +- gpios = <&gpio0 39 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 7 GPIO_ACTIVE_LOW>; + }; + + led@5 { + label = "lswvl:blue:power"; +- gpios = <&gpio0 40 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 8 GPIO_ACTIVE_LOW>; + default-state = "keep"; + }; + + led@6 { + label = "lswvl:red:hdderr0"; +- gpios = <&gpio0 34 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 2 GPIO_ACTIVE_LOW>; + }; + + led@7 { + label = "lswvl:red:hdderr1"; +- gpios = <&gpio0 35 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 3 GPIO_ACTIVE_LOW>; + }; + }; + +@@ -233,7 +234,7 @@ + 3250 1 + 5000 0>; + +- alarm-gpios = <&gpio0 43 GPIO_ACTIVE_HIGH>; ++ alarm-gpios = <&gpio1 11 GPIO_ACTIVE_HIGH>; + }; + + restart_poweroff { diff --git a/queue-4.4/arm-dts-kirkwood-gpio-pin-fixes-for-linkstation-ls-wxl-wsxl.patch b/queue-4.4/arm-dts-kirkwood-gpio-pin-fixes-for-linkstation-ls-wxl-wsxl.patch new file mode 100644 index 00000000000..055410517c5 --- /dev/null +++ b/queue-4.4/arm-dts-kirkwood-gpio-pin-fixes-for-linkstation-ls-wxl-wsxl.patch @@ -0,0 +1,143 @@ +From 144e08abe80080c9c2cf0a06e40f1bc8150674eb Mon Sep 17 00:00:00 2001 +From: Roger Shimizu +Date: Thu, 21 Jan 2016 23:38:44 +0900 +Subject: ARM: dts: kirkwood: gpio pin fixes for linkstation ls-wxl/wsxl + +From: Roger Shimizu + +commit 144e08abe80080c9c2cf0a06e40f1bc8150674eb upstream. + +For kirkwood, gpio pins starts from 32 are in the 2nd bank, so it should be +converted to "gpio1 " in dts file. +e.g. gpio 40 should be "gpio1 8" + +Besides, a few other pin fixes for ls-wxl/wsxl, to match with mpp pin +definition: + - gpio-leds: "lswxl:blue:power" pin + - gpio-leds: "lswxl:red:func" pin + - gpio-leds: "lswxl:red:hdderr0" pin + - gpio-leds: "lswxl:red:hdderr1" pin + - gpio-fan: low/high/alarm pin + +The pin/bank issue was found when discussing Debian Bug #810894 + [https://bugs.debian.org/810894#47] + +Fixes: e54e4b1b622e ("ARM: dts: add buffalo linkstation ls-wxl/wsxl") +Reported-by: Arnaud Patard (Rtp) +Signed-off-by: Roger Shimizu +Reviewed-by: Andrew Lunn +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/kirkwood-lswxl.dts | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +--- a/arch/arm/boot/dts/kirkwood-lswxl.dts ++++ b/arch/arm/boot/dts/kirkwood-lswxl.dts +@@ -1,7 +1,8 @@ + /* + * Device Tree file for Buffalo Linkstation LS-WXL/WSXL + * +- * Copyright (C) 2015, rogershimizu@gmail.com ++ * Copyright (C) 2015, 2016 ++ * Roger Shimizu + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License +@@ -156,21 +157,21 @@ + button@1 { + label = "Function Button"; + linux,code = ; +- gpios = <&gpio1 41 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 9 GPIO_ACTIVE_LOW>; + }; + + button@2 { + label = "Power-on Switch"; + linux,code = ; + linux,input-type = <5>; +- gpios = <&gpio1 42 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 10 GPIO_ACTIVE_LOW>; + }; + + button@3 { + label = "Power-auto Switch"; + linux,code = ; + linux,input-type = <5>; +- gpios = <&gpio1 43 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 11 GPIO_ACTIVE_LOW>; + }; + }; + +@@ -185,12 +186,12 @@ + + led@1 { + label = "lswxl:blue:func"; +- gpios = <&gpio1 36 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 4 GPIO_ACTIVE_LOW>; + }; + + led@2 { + label = "lswxl:red:alarm"; +- gpios = <&gpio1 49 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 17 GPIO_ACTIVE_LOW>; + }; + + led@3 { +@@ -200,23 +201,23 @@ + + led@4 { + label = "lswxl:blue:power"; +- gpios = <&gpio1 8 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 7 GPIO_ACTIVE_LOW>; + }; + + led@5 { + label = "lswxl:red:func"; +- gpios = <&gpio1 5 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 2 GPIO_ACTIVE_LOW>; + default-state = "keep"; + }; + + led@6 { + label = "lswxl:red:hdderr0"; +- gpios = <&gpio1 2 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio0 8 GPIO_ACTIVE_LOW>; + }; + + led@7 { + label = "lswxl:red:hdderr1"; +- gpios = <&gpio1 3 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 14 GPIO_ACTIVE_LOW>; + }; + }; + +@@ -225,15 +226,15 @@ + pinctrl-0 = <&pmx_fan_low &pmx_fan_high &pmx_fan_lock>; + pinctrl-names = "default"; + +- gpios = <&gpio0 47 GPIO_ACTIVE_LOW +- &gpio0 48 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 16 GPIO_ACTIVE_LOW ++ &gpio1 15 GPIO_ACTIVE_LOW>; + + gpio-fan,speed-map = <0 3 + 1500 2 + 3250 1 + 5000 0>; + +- alarm-gpios = <&gpio1 49 GPIO_ACTIVE_HIGH>; ++ alarm-gpios = <&gpio1 8 GPIO_ACTIVE_HIGH>; + }; + + restart_poweroff { +@@ -256,7 +257,7 @@ + enable-active-high; + regulator-always-on; + regulator-boot-on; +- gpio = <&gpio0 37 GPIO_ACTIVE_HIGH>; ++ gpio = <&gpio1 5 GPIO_ACTIVE_HIGH>; + }; + hdd_power0: regulator@2 { + compatible = "regulator-fixed"; diff --git a/queue-4.4/arm-dts-kirkwood-use-unique-machine-name-for-ds112.patch b/queue-4.4/arm-dts-kirkwood-use-unique-machine-name-for-ds112.patch new file mode 100644 index 00000000000..d0b53615fb4 --- /dev/null +++ b/queue-4.4/arm-dts-kirkwood-use-unique-machine-name-for-ds112.patch @@ -0,0 +1,44 @@ +From 9d021c9d1b4b774a35d8a03d58dbf029544debda Mon Sep 17 00:00:00 2001 +From: Heinrich Schuchardt +Date: Sun, 7 Feb 2016 19:34:26 +0100 +Subject: ARM: dts: kirkwood: use unique machine name for ds112 + +From: Heinrich Schuchardt + +commit 9d021c9d1b4b774a35d8a03d58dbf029544debda upstream. + +Downstream packages like Debian flash-kernel use +/proc/device-tree/model +to determine which dtb file to install. + +Hence each dts in the Linux kernel should provide a unique model +identifier. + +Commit 2d0a7addbd10 ("ARM: Kirkwood: Add support for many Synology NAS +devices") created the new files kirkwood-ds111.dts and kirkwood-ds112.dts +using the same model identifier. + +This patch provides a unique model identifier for the +Synology DiskStation DS112. + +Fixes: 2d0a7addbd10 ("ARM: Kirkwood: Add support for many Synology NAS devices") +Signed-off-by: Heinrich Schuchardt +Reviewed-by: Andrew Lunn +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/kirkwood-ds112.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/kirkwood-ds112.dts ++++ b/arch/arm/boot/dts/kirkwood-ds112.dts +@@ -14,7 +14,7 @@ + #include "kirkwood-synology.dtsi" + + / { +- model = "Synology DS111"; ++ model = "Synology DS112"; + compatible = "synology,ds111", "marvell,kirkwood"; + + memory { diff --git a/queue-4.4/arm-dts-orion5x-fix-the-missing-mtd-flash-on-linkstation-lswtgl.patch b/queue-4.4/arm-dts-orion5x-fix-the-missing-mtd-flash-on-linkstation-lswtgl.patch new file mode 100644 index 00000000000..0ba196690ff --- /dev/null +++ b/queue-4.4/arm-dts-orion5x-fix-the-missing-mtd-flash-on-linkstation-lswtgl.patch @@ -0,0 +1,62 @@ +From 44361a2cc13493fc41216d33bb9a562ec3a9cc4e Mon Sep 17 00:00:00 2001 +From: Roger Shimizu +Date: Sat, 6 Feb 2016 14:59:51 +0900 +Subject: ARM: dts: orion5x: fix the missing mtd flash on linkstation lswtgl + +From: Roger Shimizu + +commit 44361a2cc13493fc41216d33bb9a562ec3a9cc4e upstream. + +MTD flash stores u-boot and u-boot environment on linkstation lswtgl. +The latter one can be easily read/write by u-boot-tools package in Debian. + +Fixes: dc57844a736f ("ARM: dts: orion5x: add buffalo linkstation ls-wtgl") +Signed-off-by: Roger Shimizu +Reviewed-by: Andrew Lunn +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/orion5x-linkstation-lswtgl.dts | 31 +++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +--- a/arch/arm/boot/dts/orion5x-linkstation-lswtgl.dts ++++ b/arch/arm/boot/dts/orion5x-linkstation-lswtgl.dts +@@ -228,6 +228,37 @@ + }; + }; + ++&devbus_bootcs { ++ status = "okay"; ++ devbus,keep-config; ++ ++ flash@0 { ++ compatible = "jedec-flash"; ++ reg = <0 0x40000>; ++ bank-width = <1>; ++ ++ partitions { ++ compatible = "fixed-partitions"; ++ #address-cells = <1>; ++ #size-cells = <1>; ++ ++ header@0 { ++ reg = <0 0x30000>; ++ read-only; ++ }; ++ ++ uboot@30000 { ++ reg = <0x30000 0xF000>; ++ read-only; ++ }; ++ ++ uboot_env@3F000 { ++ reg = <0x3F000 0x1000>; ++ }; ++ }; ++ }; ++}; ++ + &mdio { + status = "okay"; + diff --git a/queue-4.4/arm-dts-orion5x-gpio-pin-fixes-for-linkstation-lswtgl.patch b/queue-4.4/arm-dts-orion5x-gpio-pin-fixes-for-linkstation-lswtgl.patch new file mode 100644 index 00000000000..4201ed85699 --- /dev/null +++ b/queue-4.4/arm-dts-orion5x-gpio-pin-fixes-for-linkstation-lswtgl.patch @@ -0,0 +1,63 @@ +From ff61ee84e7aa5842d9e33c0b442f0b43a6a44eaf Mon Sep 17 00:00:00 2001 +From: Roger Shimizu +Date: Fri, 22 Jan 2016 00:00:36 +0900 +Subject: ARM: dts: orion5x: gpio pin fixes for linkstation lswtgl + +From: Roger Shimizu + +commit ff61ee84e7aa5842d9e33c0b442f0b43a6a44eaf upstream. + +Here're a few gpio pin related fixes: + - remove pinctrl-0 definition from pinctrl, since those pins are used + in other places such as gpio-fan and regulators. + - keep initial state of power led + - fix for alarm pin of gpio-fan. + +Fixes: dc57844a736f ("ARM: dts: orion5x: add buffalo linkstation ls-wtgl") +Signed-off-by: Roger Shimizu +Reviewed-by: Andrew Lunn +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/orion5x-linkstation-lswtgl.dts | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm/boot/dts/orion5x-linkstation-lswtgl.dts ++++ b/arch/arm/boot/dts/orion5x-linkstation-lswtgl.dts +@@ -1,7 +1,8 @@ + /* + * Device Tree file for Buffalo Linkstation LS-WTGL + * +- * Copyright (C) 2015, Roger Shimizu ++ * Copyright (C) 2015, 2016 ++ * Roger Shimizu + * + * This file is dual-licensed: you can use it either under the terms + * of the GPL or the X11 license, at your option. Note that this dual +@@ -69,8 +70,6 @@ + + internal-regs { + pinctrl: pinctrl@10000 { +- pinctrl-0 = <&pmx_usb_power &pmx_power_hdd +- &pmx_fan_low &pmx_fan_high &pmx_fan_lock>; + pinctrl-names = "default"; + + pmx_led_power: pmx-leds { +@@ -162,6 +161,7 @@ + led@1 { + label = "lswtgl:blue:power"; + gpios = <&gpio0 0 GPIO_ACTIVE_LOW>; ++ default-state = "keep"; + }; + + led@2 { +@@ -188,7 +188,7 @@ + 3250 1 + 5000 0>; + +- alarm-gpios = <&gpio0 2 GPIO_ACTIVE_HIGH>; ++ alarm-gpios = <&gpio0 6 GPIO_ACTIVE_HIGH>; + }; + + restart_poweroff { diff --git a/queue-4.4/arm-imx-select-src-for-i.mx7.patch b/queue-4.4/arm-imx-select-src-for-i.mx7.patch new file mode 100644 index 00000000000..cbb051c5828 --- /dev/null +++ b/queue-4.4/arm-imx-select-src-for-i.mx7.patch @@ -0,0 +1,36 @@ +From f1858b0e801a45d801dc23bc1ff5be14805022c8 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 18 Dec 2015 16:40:26 +0100 +Subject: ARM: imx: select SRC for i.MX7 + +From: Arnd Bergmann + +commit f1858b0e801a45d801dc23bc1ff5be14805022c8 upstream. + +The i.MX7 Kconfig option had a couple of missing select lines that +I fixed already, but I missed HAVE_IMX_SRC: + +arch/arm/mach-imx/built-in.o: In function `imx7d_init_irq': +platform-spi_imx.c:(.init.text+0x25a8): undefined reference to `imx_src_init' + +This adds that one as well. + +Signed-off-by: Arnd Bergmann +Fixes: 0be5da9dc249 ("ARM: imx: imx7d requires anatop") +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-imx/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/mach-imx/Kconfig ++++ b/arch/arm/mach-imx/Kconfig +@@ -562,6 +562,7 @@ config SOC_IMX7D + select ARM_GIC + select HAVE_IMX_ANATOP + select HAVE_IMX_MMDC ++ select HAVE_IMX_SRC + help + This enables support for Freescale i.MX7 Dual processor. + diff --git a/queue-4.4/arm-omap2-hwmod-fix-_idle-hwmod-state-sanity-check-sequence.patch b/queue-4.4/arm-omap2-hwmod-fix-_idle-hwmod-state-sanity-check-sequence.patch new file mode 100644 index 00000000000..33e2702bd90 --- /dev/null +++ b/queue-4.4/arm-omap2-hwmod-fix-_idle-hwmod-state-sanity-check-sequence.patch @@ -0,0 +1,100 @@ +From c20c8f750d9f8f8617f07ee2352d3ff560e66bc2 Mon Sep 17 00:00:00 2001 +From: Suman Anna +Date: Sun, 10 Apr 2016 13:20:11 -0600 +Subject: ARM: OMAP2+: hwmod: fix _idle() hwmod state sanity check sequence + +From: Suman Anna + +commit c20c8f750d9f8f8617f07ee2352d3ff560e66bc2 upstream. + +The omap_hwmod _enable() function can return success without setting +the hwmod state to _HWMOD_STATE_ENABLED for IPs with reset lines when +all of the reset lines are asserted. The omap_hwmod _idle() function +also performs a similar check, but after checking for the hwmod state +first. This triggers the WARN when pm_runtime_get and pm_runtime_put +are invoked on IPs with all reset lines asserted. Reverse the checks +for hwmod state and reset lines status to fix this. + +Issue found during a unbind operation on a device with reset lines +still asserted, example backtrace below + + ------------[ cut here ]------------ + WARNING: CPU: 1 PID: 879 at arch/arm/mach-omap2/omap_hwmod.c:2207 _idle+0x1e4/0x240() + omap_hwmod: mmu_dsp: idle state can only be entered from enabled state + Modules linked in: + CPU: 1 PID: 879 Comm: sh Not tainted 4.4.0-00008-ga989d951331a #3 + Hardware name: Generic OMAP5 (Flattened Device Tree) + [] (unwind_backtrace) from [] (show_stack+0x10/0x14) + [] (show_stack) from [] (dump_stack+0x90/0xc0) + [] (dump_stack) from [] (warn_slowpath_common+0x78/0xb4) + [] (warn_slowpath_common) from [] (warn_slowpath_fmt+0x30/0x40) + [] (warn_slowpath_fmt) from [] (_idle+0x1e4/0x240) + [] (_idle) from [] (omap_hwmod_idle+0x28/0x48) + [] (omap_hwmod_idle) from [] (omap_device_idle+0x3c/0x90) + [] (omap_device_idle) from [] (__rpm_callback+0x2c/0x60) + [] (__rpm_callback) from [] (rpm_callback+0x20/0x80) + [] (rpm_callback) from [] (rpm_suspend+0x138/0x74c) + [] (rpm_suspend) from [] (__pm_runtime_idle+0x78/0xa8) + [] (__pm_runtime_idle) from [] (__device_release_driver+0x64/0x100) + [] (__device_release_driver) from [] (device_release_driver+0x20/0x2c) + [] (device_release_driver) from [] (unbind_store+0x78/0xf8) + [] (unbind_store) from [] (kernfs_fop_write+0xc0/0x1c4) + [] (kernfs_fop_write) from [] (__vfs_write+0x20/0xdc) + [] (__vfs_write) from [] (vfs_write+0x90/0x164) + [] (vfs_write) from [] (SyS_write+0x44/0x9c) + [] (SyS_write) from [] (ret_fast_syscall+0x0/0x1c) + ---[ end trace a4182013c75a9f50 ]--- + +While at this, fix the sequence in _shutdown() as well, though there +is no easy reproducible scenario. + +Fixes: 747834ab8347 ("ARM: OMAP2+: hwmod: revise hardreset behavior") +Signed-off-by: Suman Anna +Signed-off-by: Paul Walmsley +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-omap2/omap_hwmod.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/arm/mach-omap2/omap_hwmod.c ++++ b/arch/arm/mach-omap2/omap_hwmod.c +@@ -2207,15 +2207,15 @@ static int _idle(struct omap_hwmod *oh) + + pr_debug("omap_hwmod: %s: idling\n", oh->name); + ++ if (_are_all_hardreset_lines_asserted(oh)) ++ return 0; ++ + if (oh->_state != _HWMOD_STATE_ENABLED) { + WARN(1, "omap_hwmod: %s: idle state can only be entered from enabled state\n", + oh->name); + return -EINVAL; + } + +- if (_are_all_hardreset_lines_asserted(oh)) +- return 0; +- + if (oh->class->sysc) + _idle_sysc(oh); + _del_initiator_dep(oh, mpu_oh); +@@ -2262,6 +2262,9 @@ static int _shutdown(struct omap_hwmod * + int ret, i; + u8 prev_state; + ++ if (_are_all_hardreset_lines_asserted(oh)) ++ return 0; ++ + if (oh->_state != _HWMOD_STATE_IDLE && + oh->_state != _HWMOD_STATE_ENABLED) { + WARN(1, "omap_hwmod: %s: disabled state can only be entered from idle, or enabled state\n", +@@ -2269,9 +2272,6 @@ static int _shutdown(struct omap_hwmod * + return -EINVAL; + } + +- if (_are_all_hardreset_lines_asserted(oh)) +- return 0; +- + pr_debug("omap_hwmod: %s: disabling\n", oh->name); + + if (oh->class->pre_shutdown) { diff --git a/queue-4.4/bpf-mips-fix-off-by-one-in-ctx-offset-allocation.patch b/queue-4.4/bpf-mips-fix-off-by-one-in-ctx-offset-allocation.patch new file mode 100644 index 00000000000..6892a983293 --- /dev/null +++ b/queue-4.4/bpf-mips-fix-off-by-one-in-ctx-offset-allocation.patch @@ -0,0 +1,45 @@ +From b4e76f7e6d3200462c6354a6ad4ae167459e61f8 Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Thu, 14 Jul 2016 13:57:55 +0200 +Subject: bpf, mips: fix off-by-one in ctx offset allocation + +From: Daniel Borkmann + +commit b4e76f7e6d3200462c6354a6ad4ae167459e61f8 upstream. + +Dan Carpenter reported [1] a static checker warning that ctx->offsets[] +may be accessed off by one from build_body(), since it's allocated with +fp->len * sizeof(*ctx.offsets) as length. The cBPF arm and ppc code +doesn't have this issue as claimed, so only mips seems to be affected and +should like most other JITs allocate with fp->len + 1. A few number of +JITs (x86, sparc, arm64) handle this differently, where they only require +fp->len array elements. + + [1] http://www.spinics.net/lists/mips/msg64193.html + +Fixes: c6610de353da ("MIPS: net: Add BPF JIT") +Reported-by: Dan Carpenter +Signed-off-by: Daniel Borkmann +Cc: Alexei Starovoitov +Cc: ast@kernel.org +Cc: linux-mips@linux-mips.org +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/13814/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/net/bpf_jit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/net/bpf_jit.c ++++ b/arch/mips/net/bpf_jit.c +@@ -1207,7 +1207,7 @@ void bpf_jit_compile(struct bpf_prog *fp + + memset(&ctx, 0, sizeof(ctx)); + +- ctx.offsets = kcalloc(fp->len, sizeof(*ctx.offsets), GFP_KERNEL); ++ ctx.offsets = kcalloc(fp->len + 1, sizeof(*ctx.offsets), GFP_KERNEL); + if (ctx.offsets == NULL) + return; + diff --git a/queue-4.4/drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch b/queue-4.4/drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch new file mode 100644 index 00000000000..da519b8c469 --- /dev/null +++ b/queue-4.4/drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch @@ -0,0 +1,37 @@ +From 85e9b88af1e6164f19ec71381efd5e2bcfc17620 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Mon, 27 Apr 2020 08:32:46 +0300 +Subject: drm/qxl: qxl_release leak in qxl_draw_dirty_fb() + +From: Vasily Averin + +commit 85e9b88af1e6164f19ec71381efd5e2bcfc17620 upstream. + +ret should be changed to release allocated struct qxl_release + +Cc: stable@vger.kernel.org +Fixes: 8002db6336dd ("qxl: convert qxl driver to proper use for reservations") +Signed-off-by: Vasily Averin +Link: http://patchwork.freedesktop.org/patch/msgid/22cfd55f-07c8-95d0-a2f7-191b7153c3d4@virtuozzo.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Vasily Averin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/qxl/qxl_draw.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/qxl/qxl_draw.c ++++ b/drivers/gpu/drm/qxl/qxl_draw.c +@@ -352,9 +352,10 @@ void qxl_draw_dirty_fb(struct qxl_device + goto out_release_backoff; + + rects = drawable_set_clipping(qdev, drawable, num_clips, clips_bo); +- if (!rects) ++ if (!rects) { ++ ret = -EINVAL; + goto out_release_backoff; +- ++ } + drawable = (struct qxl_drawable *)qxl_release_map(qdev, release); + + drawable->clip.type = SPICE_CLIP_TYPE_RECTS; diff --git a/queue-4.4/drm-qxl-qxl_release-use-after-free.patch b/queue-4.4/drm-qxl-qxl_release-use-after-free.patch new file mode 100644 index 00000000000..6238078f98b --- /dev/null +++ b/queue-4.4/drm-qxl-qxl_release-use-after-free.patch @@ -0,0 +1,145 @@ +From 933db73351d359f74b14f4af095808260aff11f9 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Wed, 29 Apr 2020 12:01:24 +0300 +Subject: drm/qxl: qxl_release use after free + +From: Vasily Averin + +commit 933db73351d359f74b14f4af095808260aff11f9 upstream. + +qxl_release should not be accesses after qxl_push_*_ring_release() calls: +userspace driver can process submitted command quickly, move qxl_release +into release_ring, generate interrupt and trigger garbage collector. + +It can lead to crashes in qxl driver or trigger memory corruption +in some kmalloc-192 slab object + +Gerd Hoffmann proposes to swap the qxl_release_fence_buffer_objects() + +qxl_push_{cursor,command}_ring_release() calls to close that race window. + +cc: stable@vger.kernel.org +Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)") +Signed-off-by: Vasily Averin +Link: http://patchwork.freedesktop.org/patch/msgid/fa17b338-66ae-f299-68fe-8d32419d9071@virtuozzo.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Vasily Averin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/qxl/qxl_cmd.c | 5 ++--- + drivers/gpu/drm/qxl/qxl_display.c | 6 +++--- + drivers/gpu/drm/qxl/qxl_draw.c | 8 ++++---- + drivers/gpu/drm/qxl/qxl_ioctl.c | 5 +---- + 4 files changed, 10 insertions(+), 14 deletions(-) + +--- a/drivers/gpu/drm/qxl/qxl_cmd.c ++++ b/drivers/gpu/drm/qxl/qxl_cmd.c +@@ -529,8 +529,8 @@ int qxl_hw_surface_alloc(struct qxl_devi + /* no need to add a release to the fence for this surface bo, + since it is only released when we ask to destroy the surface + and it would never signal otherwise */ +- qxl_push_command_ring_release(qdev, release, QXL_CMD_SURFACE, false); + qxl_release_fence_buffer_objects(release); ++ qxl_push_command_ring_release(qdev, release, QXL_CMD_SURFACE, false); + + surf->hw_surf_alloc = true; + spin_lock(&qdev->surf_id_idr_lock); +@@ -572,9 +572,8 @@ int qxl_hw_surface_dealloc(struct qxl_de + cmd->surface_id = id; + qxl_release_unmap(qdev, release, &cmd->release_info); + +- qxl_push_command_ring_release(qdev, release, QXL_CMD_SURFACE, false); +- + qxl_release_fence_buffer_objects(release); ++ qxl_push_command_ring_release(qdev, release, QXL_CMD_SURFACE, false); + + return 0; + } +--- a/drivers/gpu/drm/qxl/qxl_display.c ++++ b/drivers/gpu/drm/qxl/qxl_display.c +@@ -292,8 +292,8 @@ qxl_hide_cursor(struct qxl_device *qdev) + cmd->type = QXL_CURSOR_HIDE; + qxl_release_unmap(qdev, release, &cmd->release_info); + +- qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); + qxl_release_fence_buffer_objects(release); ++ qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); + return 0; + } + +@@ -390,8 +390,8 @@ static int qxl_crtc_cursor_set2(struct d + cmd->u.set.visible = 1; + qxl_release_unmap(qdev, release, &cmd->release_info); + +- qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); + qxl_release_fence_buffer_objects(release); ++ qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); + + /* finish with the userspace bo */ + ret = qxl_bo_reserve(user_bo, false); +@@ -450,8 +450,8 @@ static int qxl_crtc_cursor_move(struct d + cmd->u.position.y = qcrtc->cur_y + qcrtc->hot_spot_y; + qxl_release_unmap(qdev, release, &cmd->release_info); + +- qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); + qxl_release_fence_buffer_objects(release); ++ qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); + + return 0; + } +--- a/drivers/gpu/drm/qxl/qxl_draw.c ++++ b/drivers/gpu/drm/qxl/qxl_draw.c +@@ -245,8 +245,8 @@ void qxl_draw_opaque_fb(const struct qxl + qxl_bo_physical_address(qdev, dimage->bo, 0); + qxl_release_unmap(qdev, release, &drawable->release_info); + +- qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + qxl_release_fence_buffer_objects(release); ++ qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + + out_free_palette: + if (palette_bo) +@@ -385,8 +385,8 @@ void qxl_draw_dirty_fb(struct qxl_device + } + qxl_bo_kunmap(clips_bo); + +- qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + qxl_release_fence_buffer_objects(release); ++ qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + + out_release_backoff: + if (ret) +@@ -436,8 +436,8 @@ void qxl_draw_copyarea(struct qxl_device + drawable->u.copy_bits.src_pos.y = sy; + qxl_release_unmap(qdev, release, &drawable->release_info); + +- qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + qxl_release_fence_buffer_objects(release); ++ qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + + out_free_release: + if (ret) +@@ -480,8 +480,8 @@ void qxl_draw_fill(struct qxl_draw_fill + + qxl_release_unmap(qdev, release, &drawable->release_info); + +- qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + qxl_release_fence_buffer_objects(release); ++ qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); + + out_free_release: + if (ret) +--- a/drivers/gpu/drm/qxl/qxl_ioctl.c ++++ b/drivers/gpu/drm/qxl/qxl_ioctl.c +@@ -257,11 +257,8 @@ static int qxl_process_single_command(st + apply_surf_reloc(qdev, &reloc_info[i]); + } + ++ qxl_release_fence_buffer_objects(release); + ret = qxl_push_command_ring_release(qdev, release, cmd->type, true); +- if (ret) +- qxl_release_backoff_reserve_list(release); +- else +- qxl_release_fence_buffer_objects(release); + + out_free_bos: + out_free_release: diff --git a/queue-4.4/mips-bmips-adjust-mips-hpt-frequency-for-bcm7435.patch b/queue-4.4/mips-bmips-adjust-mips-hpt-frequency-for-bcm7435.patch new file mode 100644 index 00000000000..b74edeb8781 --- /dev/null +++ b/queue-4.4/mips-bmips-adjust-mips-hpt-frequency-for-bcm7435.patch @@ -0,0 +1,37 @@ +From 80fa40acaa1dad5a0a9c15ed2e5d2e72461843f5 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Tue, 19 Apr 2016 15:35:39 -0700 +Subject: MIPS: BMIPS: Adjust mips-hpt-frequency for BCM7435 + +From: Florian Fainelli + +commit 80fa40acaa1dad5a0a9c15ed2e5d2e72461843f5 upstream. + +The CPU actually runs at 1405Mhz which gives us a 175625000 Hz MIPS timer +frequency (CPU frequency / 8). + +Fixes: e4c7d009654a ("MIPS: BMIPS: Add BCM7435 dtsi") +Signed-off-by: Florian Fainelli +Cc: linux-mips@linux-mips.org +Cc: john@phrozen.org +Cc: cernekee@gmail.com +Cc: jaedon.shin@gmail.com +Patchwork: https://patchwork.linux-mips.org/patch/13132/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/boot/dts/brcm/bcm7435.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/boot/dts/brcm/bcm7435.dtsi ++++ b/arch/mips/boot/dts/brcm/bcm7435.dtsi +@@ -7,7 +7,7 @@ + #address-cells = <1>; + #size-cells = <0>; + +- mips-hpt-frequency = <163125000>; ++ mips-hpt-frequency = <175625000>; + + cpu@0 { + compatible = "brcm,bmips5200"; diff --git a/queue-4.4/mips-bmips-bmips5000-has-i-cache-filing-from-d-cache.patch b/queue-4.4/mips-bmips-bmips5000-has-i-cache-filing-from-d-cache.patch new file mode 100644 index 00000000000..a9ab14194e7 --- /dev/null +++ b/queue-4.4/mips-bmips-bmips5000-has-i-cache-filing-from-d-cache.patch @@ -0,0 +1,38 @@ +From c130d2fd3d59fbd5d269f7d5827bd4ed1d94aec6 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Mon, 4 Apr 2016 10:55:34 -0700 +Subject: MIPS: BMIPS: BMIPS5000 has I cache filing from D cache + +From: Florian Fainelli + +commit c130d2fd3d59fbd5d269f7d5827bd4ed1d94aec6 upstream. + +BMIPS5000 and BMIPS52000 processors have their I-cache filling from the +D-cache. Since BMIPS_GENERIC does not provide (yet) a +cpu-feature-overrides.h file, this was not set anywhere, so make sure +the R4K cache detection takes care of that. + +Fixes: d74b0172e4e2c ("MIPS: BMIPS: Add special cache handling in c-r4k.c") +Signed-off-by: Florian Fainelli +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/13010/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/mm/c-r4k.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/mips/mm/c-r4k.c ++++ b/arch/mips/mm/c-r4k.c +@@ -1308,6 +1308,10 @@ static void probe_pcache(void) + c->icache.flags |= MIPS_CACHE_IC_F_DC; + break; + ++ case CPU_BMIPS5000: ++ c->icache.flags |= MIPS_CACHE_IC_F_DC; ++ break; ++ + case CPU_LOONGSON2: + /* + * LOONGSON2 has 4 way icache, but when using indexed cache op, diff --git a/queue-4.4/mips-bmips-clear-mips_cache_aliases-earlier.patch b/queue-4.4/mips-bmips-clear-mips_cache_aliases-earlier.patch new file mode 100644 index 00000000000..5d9c7321fbc --- /dev/null +++ b/queue-4.4/mips-bmips-clear-mips_cache_aliases-earlier.patch @@ -0,0 +1,54 @@ +From 73c4ca047f440c79f545bc6133e3033f754cd239 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Mon, 4 Apr 2016 10:55:35 -0700 +Subject: MIPS: BMIPS: Clear MIPS_CACHE_ALIASES earlier + +From: Florian Fainelli + +commit 73c4ca047f440c79f545bc6133e3033f754cd239 upstream. + +BMIPS5000 and BMIPS5200 processor have no D cache aliases, and this is +properly handled by the per-CPU override added at the end of +r4k_cache_init(), the problem is that the output of probe_pcache() +disagrees with that, since this is too late: + +Primary instruction cache 32kB, VIPT, 4-way, linesize 64 bytes. +Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes + +With the change moved earlier, we now have a consistent output with the +settings we are intending to have: + +Primary instruction cache 32kB, VIPT, 4-way, linesize 64 bytes. +Primary data cache 32kB, 4-way, VIPT, no aliases, linesize 32 bytes + +Fixes: d74b0172e4e2c ("MIPS: BMIPS: Add special cache handling in c-r4k.c") +Signed-off-by: Florian Fainelli +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/13011/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/mm/c-r4k.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/mips/mm/c-r4k.c ++++ b/arch/mips/mm/c-r4k.c +@@ -1310,6 +1310,8 @@ static void probe_pcache(void) + + case CPU_BMIPS5000: + c->icache.flags |= MIPS_CACHE_IC_F_DC; ++ /* Cache aliases are handled in hardware; allow HIGHMEM */ ++ c->dcache.flags &= ~MIPS_CACHE_ALIASES; + break; + + case CPU_LOONGSON2: +@@ -1749,8 +1751,6 @@ void r4k_cache_init(void) + flush_icache_range = (void *)b5k_instruction_hazard; + local_flush_icache_range = (void *)b5k_instruction_hazard; + +- /* Cache aliases are handled in hardware; allow HIGHMEM */ +- current_cpu_data.dcache.flags &= ~MIPS_CACHE_ALIASES; + + /* Optimization: an L2 flush implicitly flushes the L1 */ + current_cpu_data.options |= MIPS_CPU_INCLUSIVE_CACHES; diff --git a/queue-4.4/mips-bmips-fix-prid_imp_bmips5000-masking-for-bmips5200.patch b/queue-4.4/mips-bmips-fix-prid_imp_bmips5000-masking-for-bmips5200.patch new file mode 100644 index 00000000000..269ee74890d --- /dev/null +++ b/queue-4.4/mips-bmips-fix-prid_imp_bmips5000-masking-for-bmips5200.patch @@ -0,0 +1,69 @@ +From cbbda6e7c9c3e4532bd70a73ff9d5e6655c894dc Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 29 Jan 2016 21:17:26 -0800 +Subject: MIPS: BMIPS: Fix PRID_IMP_BMIPS5000 masking for BMIPS5200 + +From: Florian Fainelli + +commit cbbda6e7c9c3e4532bd70a73ff9d5e6655c894dc upstream. + +BMIPS5000 have a PrID value of 0x5A00 and BMIPS5200 have a PrID value of +0x5B00, which, masked with 0x5A00, returns 0x5A00. Update all conditionals on +the PrID to cover both variants since we are going to need this to enable +BMIPS5200 SMP. The existing check, masking with 0xFF00 would not cover +BMIPS5200 at all. + +Fixes: 68e6a78373a6d ("MIPS: BMIPS: Add PRId for BMIPS5200 (Whirlwind)") +Fixes: 6465460c92a85 ("MIPS: BMIPS: change compile time checks to runtime checks") +Signed-off-by: Florian Fainelli +Cc: john@phrozen.org +Cc: cernekee@gmail.com +Cc: jogo@openwrt.org +Cc: jaedon.shin@gmail.com +Cc: jfraser@broadcom.com +Cc: pgynther@google.com +Cc: dragan.stancevic@gmail.com +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/12279/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/bmips_vec.S | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/mips/kernel/bmips_vec.S ++++ b/arch/mips/kernel/bmips_vec.S +@@ -93,7 +93,8 @@ NESTED(bmips_reset_nmi_vec, PT_SIZE, sp) + #if defined(CONFIG_CPU_BMIPS5000) + mfc0 k0, CP0_PRID + li k1, PRID_IMP_BMIPS5000 +- andi k0, 0xff00 ++ /* mask with PRID_IMP_BMIPS5000 to cover both variants */ ++ andi k0, PRID_IMP_BMIPS5000 + bne k0, k1, 1f + + /* if we're not on core 0, this must be the SMP boot signal */ +@@ -166,10 +167,12 @@ bmips_smp_entry: + 2: + #endif /* CONFIG_CPU_BMIPS4350 || CONFIG_CPU_BMIPS4380 */ + #if defined(CONFIG_CPU_BMIPS5000) +- /* set exception vector base */ ++ /* mask with PRID_IMP_BMIPS5000 to cover both variants */ + li k1, PRID_IMP_BMIPS5000 ++ andi k0, PRID_IMP_BMIPS5000 + bne k0, k1, 3f + ++ /* set exception vector base */ + la k0, ebase + lw k0, 0(k0) + mtc0 k0, $15, 1 +@@ -263,6 +266,8 @@ LEAF(bmips_enable_xks01) + #endif /* CONFIG_CPU_BMIPS4380 */ + #if defined(CONFIG_CPU_BMIPS5000) + li t1, PRID_IMP_BMIPS5000 ++ /* mask with PRID_IMP_BMIPS5000 to cover both variants */ ++ andi t2, PRID_IMP_BMIPS5000 + bne t2, t1, 2f + + mfc0 t0, $22, 5 diff --git a/queue-4.4/mips-bmips-local_r4k___flush_cache_all-needs-to-blast-s-cache.patch b/queue-4.4/mips-bmips-local_r4k___flush_cache_all-needs-to-blast-s-cache.patch new file mode 100644 index 00000000000..b2cc19118c6 --- /dev/null +++ b/queue-4.4/mips-bmips-local_r4k___flush_cache_all-needs-to-blast-s-cache.patch @@ -0,0 +1,39 @@ +From f675843ddfdfdf467d08cc922201614a149e439e Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Mon, 4 Apr 2016 10:55:36 -0700 +Subject: MIPS: BMIPS: local_r4k___flush_cache_all needs to blast S-cache + +From: Florian Fainelli + +commit f675843ddfdfdf467d08cc922201614a149e439e upstream. + +local_r4k___flush_cache_all() is missing a special check for BMIPS5000 +processors, we need to blast the S-cache, just like other MTI processors +since we have an inclusive cache. We also need an additional __sync() to +make sure this is completed. + +Fixes: d74b0172e4e2c ("MIPS: BMIPS: Add special cache handling in c-r4k.c") +Signed-off-by: Florian Fainelli +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/13012/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/mm/c-r4k.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/mips/mm/c-r4k.c ++++ b/arch/mips/mm/c-r4k.c +@@ -447,6 +447,11 @@ static inline void local_r4k___flush_cac + r4k_blast_scache(); + break; + ++ case CPU_BMIPS5000: ++ r4k_blast_scache(); ++ __sync(); ++ break; ++ + default: + r4k_blast_dcache(); + r4k_blast_icache(); diff --git a/queue-4.4/mips-bmips-pretty-print-bmips5200-processor-name.patch b/queue-4.4/mips-bmips-pretty-print-bmips5200-processor-name.patch new file mode 100644 index 00000000000..13c9b749024 --- /dev/null +++ b/queue-4.4/mips-bmips-pretty-print-bmips5200-processor-name.patch @@ -0,0 +1,38 @@ +From 37808d62afcdc420d98875c4b514c178d56f6815 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Mon, 4 Apr 2016 10:55:38 -0700 +Subject: MIPS: BMIPS: Pretty print BMIPS5200 processor name + +From: Florian Fainelli + +commit 37808d62afcdc420d98875c4b514c178d56f6815 upstream. + +Just to ease debugging of multiplatform kernel, make sure we print +"Broadcom BMIPS5200" for the BMIPS5200 implementation instead of +Broadcom BMIPS5000. + +Fixes: 68e6a78373a6d ("MIPS: BMIPS: Add PRId for BMIPS5200 (Whirlwind)") +Signed-off-by: Florian Fainelli +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/13014/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/cpu-probe.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/mips/kernel/cpu-probe.c ++++ b/arch/mips/kernel/cpu-probe.c +@@ -1284,7 +1284,10 @@ static inline void cpu_probe_broadcom(st + case PRID_IMP_BMIPS5000: + case PRID_IMP_BMIPS5200: + c->cputype = CPU_BMIPS5000; +- __cpu_name[cpu] = "Broadcom BMIPS5000"; ++ if ((c->processor_id & PRID_IMP_MASK) == PRID_IMP_BMIPS5200) ++ __cpu_name[cpu] = "Broadcom BMIPS5200"; ++ else ++ __cpu_name[cpu] = "Broadcom BMIPS5000"; + set_elf_platform(cpu, "bmips5000"); + c->options |= MIPS_CPU_ULRI; + break; diff --git a/queue-4.4/mips-c-r4k-fix-protected_writeback_scache_line-for-eva.patch b/queue-4.4/mips-c-r4k-fix-protected_writeback_scache_line-for-eva.patch new file mode 100644 index 00000000000..5526881a260 --- /dev/null +++ b/queue-4.4/mips-c-r4k-fix-protected_writeback_scache_line-for-eva.patch @@ -0,0 +1,57 @@ +From 0758b116b4080d9a2a2a715bec6eee2cbd828215 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Wed, 13 Jul 2016 14:12:47 +0100 +Subject: MIPS: c-r4k: Fix protected_writeback_scache_line for EVA + +From: James Hogan + +commit 0758b116b4080d9a2a2a715bec6eee2cbd828215 upstream. + +The protected_writeback_scache_line() function is used by +local_r4k_flush_cache_sigtramp() to flush an FPU delay slot emulation +trampoline on the userland stack from the caches so it is visible to +subsequent instruction fetches. + +Commit de8974e3f76c ("MIPS: asm: r4kcache: Add EVA cache flushing +functions") updated some protected_ cache flush functions to use EVA +CACHEE instructions via protected_cachee_op(), and commit 83fd43449baa +("MIPS: r4kcache: Add EVA case for protected_writeback_dcache_line") did +the same thing for protected_writeback_dcache_line(), but +protected_writeback_scache_line() never got updated. Lets fix that now +to flush the right user address from the secondary cache rather than +some arbitrary kernel unmapped address. + +This issue was spotted through code inspection, and it seems unlikely to +be possible to hit this in practice. It theoretically affect EVA kernels +on EVA capable cores with an L2 cache, where the icache fetches straight +from RAM (cpu_icache_snoops_remote_store == 0), running a hard float +userland with FPU disabled (nofpu). That both Malta and Boston platforms +override cpu_icache_snoops_remote_store to 1 suggests that all MIPS +cores fetch instructions into icache straight from L2 rather than RAM. + +Fixes: de8974e3f76c ("MIPS: asm: r4kcache: Add EVA cache flushing functions") +Signed-off-by: James Hogan +Cc: Leonid Yegoshin +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/13800/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/r4kcache.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/mips/include/asm/r4kcache.h ++++ b/arch/mips/include/asm/r4kcache.h +@@ -210,7 +210,11 @@ static inline void protected_writeback_d + + static inline void protected_writeback_scache_line(unsigned long addr) + { ++#ifdef CONFIG_EVA ++ protected_cachee_op(Hit_Writeback_Inv_SD, addr); ++#else + protected_cache_op(Hit_Writeback_Inv_SD, addr); ++#endif + } + + /* diff --git a/queue-4.4/mips-define-at_vector_size_arch-for-arch_dlinfo.patch b/queue-4.4/mips-define-at_vector_size_arch-for-arch_dlinfo.patch new file mode 100644 index 00000000000..2f0ded1cd40 --- /dev/null +++ b/queue-4.4/mips-define-at_vector_size_arch-for-arch_dlinfo.patch @@ -0,0 +1,53 @@ +From 233b2ca181f20674ecad11be90b00814911ce345 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Mon, 25 Jul 2016 16:59:50 +0100 +Subject: MIPS: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO + +From: James Hogan + +commit 233b2ca181f20674ecad11be90b00814911ce345 upstream. + +AT_VECTOR_SIZE_ARCH should be defined with the maximum number of +NEW_AUX_ENT entries that ARCH_DLINFO can contain, but it wasn't defined +for MIPS at all even though ARCH_DLINFO will contain one NEW_AUX_ENT for +the VDSO address. + +This shouldn't be a problem as AT_VECTOR_SIZE_BASE includes space for +AT_BASE_PLATFORM which MIPS doesn't use, but lets define it now and add +the comment above ARCH_DLINFO as found in several other architectures to +remind future modifiers of ARCH_DLINFO to keep AT_VECTOR_SIZE_ARCH up to +date. + +Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO") +Signed-off-by: James Hogan +Cc: linux-mips@linux-mips.org +Cc: linux-arch@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/13823/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/elf.h | 1 + + arch/mips/include/uapi/asm/auxvec.h | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/arch/mips/include/asm/elf.h ++++ b/arch/mips/include/asm/elf.h +@@ -420,6 +420,7 @@ extern const char *__elf_platform; + #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) + #endif + ++/* update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT entries changes */ + #define ARCH_DLINFO \ + do { \ + NEW_AUX_ENT(AT_SYSINFO_EHDR, \ +--- a/arch/mips/include/uapi/asm/auxvec.h ++++ b/arch/mips/include/uapi/asm/auxvec.h +@@ -14,4 +14,6 @@ + /* Location of VDSO image. */ + #define AT_SYSINFO_EHDR 33 + ++#define AT_VECTOR_SIZE_ARCH 1 /* entries in ARCH_DLINFO */ ++ + #endif /* __ASM_AUXVEC_H */ diff --git a/queue-4.4/mips-fix-64-bit-htw-configuration.patch b/queue-4.4/mips-fix-64-bit-htw-configuration.patch new file mode 100644 index 00000000000..3b363703922 --- /dev/null +++ b/queue-4.4/mips-fix-64-bit-htw-configuration.patch @@ -0,0 +1,78 @@ +From aa76042a016474775ccd187c068669148c30c3bb Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Fri, 27 May 2016 22:25:23 +0100 +Subject: MIPS: Fix 64-bit HTW configuration + +From: James Hogan + +commit aa76042a016474775ccd187c068669148c30c3bb upstream. + +The Hardware page Table Walker (HTW) is being misconfigured on 64-bit +kernels. The PWSize.PS (pointer size) bit determines whether pointers +within directories are loaded as 32-bit or 64-bit addresses, but was +never being set to 1 for 64-bit kernels where the unsigned long in pgd_t +is 64-bits wide. + +This actually reduces rather than improves performance when the HTW is +enabled on P6600 since the HTW is initiated lots, but walks are all +aborted due I think to bad intermediate pointers. + +Since we were already taking the width of the PTEs into account by +setting PWSize.PTEW, which is the left shift applied to the page table +index *in addition to* the native pointer size, we also need to reduce +PTEW by 1 when PS=1. This is done by calculating PTEW based on the +relative size of pte_t compared to pgd_t. + +Finally in order for the HTW to be used when PS=1, the appropriate +XK/XS/XU bits corresponding to the different 64-bit segments need to be +set in PWCtl. We enable only XU for now to enable walking for XUSeg. + +Supporting walking for XKSeg would be a bit more involved so is left for +a future patch. It would either require the use of a per-CPU top level +base directory if supported by the HTW (a bit like pgd_current but with +a second entry pointing at swapper_pg_dir), or the HTW would prepend bit +63 of the address to the global directory index which doesn't really +match how we split user and kernel page directories. + +Fixes: cab25bc7537b ("MIPS: Extend hardware table walking support to MIPS64") +Signed-off-by: James Hogan +Cc: Paul Burton +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/13364/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/mm/tlbex.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/arch/mips/mm/tlbex.c ++++ b/arch/mips/mm/tlbex.c +@@ -2329,15 +2329,25 @@ static void config_htw_params(void) + if (CONFIG_PGTABLE_LEVELS >= 3) + pwsize |= ilog2(PTRS_PER_PMD) << MIPS_PWSIZE_MDW_SHIFT; + +- pwsize |= ilog2(sizeof(pte_t)/4) << MIPS_PWSIZE_PTEW_SHIFT; ++ /* Set pointer size to size of directory pointers */ ++ if (config_enabled(CONFIG_64BIT)) ++ pwsize |= MIPS_PWSIZE_PS_MASK; ++ /* PTEs may be multiple pointers long (e.g. with XPA) */ ++ pwsize |= ((PTE_T_LOG2 - PGD_T_LOG2) << MIPS_PWSIZE_PTEW_SHIFT) ++ & MIPS_PWSIZE_PTEW_MASK; + + write_c0_pwsize(pwsize); + + /* Make sure everything is set before we enable the HTW */ + back_to_back_c0_hazard(); + +- /* Enable HTW and disable the rest of the pwctl fields */ ++ /* ++ * Enable HTW (and only for XUSeg on 64-bit), and disable the rest of ++ * the pwctl fields. ++ */ + config = 1 << MIPS_PWCTL_PWEN_SHIFT; ++ if (config_enabled(CONFIG_64BIT)) ++ config |= MIPS_PWCTL_XU_MASK; + write_c0_pwctl(config); + pr_info("Hardware Page Table Walker enabled\n"); + diff --git a/queue-4.4/mips-fix-bc1-eq-ne-z-return-offset-calculation.patch b/queue-4.4/mips-fix-bc1-eq-ne-z-return-offset-calculation.patch new file mode 100644 index 00000000000..bcd78c3f41f --- /dev/null +++ b/queue-4.4/mips-fix-bc1-eq-ne-z-return-offset-calculation.patch @@ -0,0 +1,54 @@ +From ac1496980f1d2752f26769f5db63afbc9ac2b603 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Thu, 21 Apr 2016 14:04:46 +0100 +Subject: MIPS: Fix BC1{EQ,NE}Z return offset calculation + +From: Paul Burton + +commit ac1496980f1d2752f26769f5db63afbc9ac2b603 upstream. + +The conditions for branching when emulating the BC1EQZ & BC1NEZ +instructions were backwards, leading to each of those instructions being +treated as the other. Fix this by reversing the conditions, and clear up +the code a little for readability & checkpatch. + +Fixes: c8a34581ec09 ("MIPS: Emulate the BC1{EQ,NE}Z FPU instructions") +Signed-off-by: Paul Burton +Reviewed-by: James Hogan +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/13151/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/branch.c | 18 +++--------------- + 1 file changed, 3 insertions(+), 15 deletions(-) + +--- a/arch/mips/kernel/branch.c ++++ b/arch/mips/kernel/branch.c +@@ -685,21 +685,9 @@ int __compute_return_epc_for_insn(struct + } + lose_fpu(1); /* Save FPU state for the emulator. */ + reg = insn.i_format.rt; +- bit = 0; +- switch (insn.i_format.rs) { +- case bc1eqz_op: +- /* Test bit 0 */ +- if (get_fpr32(¤t->thread.fpu.fpr[reg], 0) +- & 0x1) +- bit = 1; +- break; +- case bc1nez_op: +- /* Test bit 0 */ +- if (!(get_fpr32(¤t->thread.fpu.fpr[reg], 0) +- & 0x1)) +- bit = 1; +- break; +- } ++ bit = get_fpr32(¤t->thread.fpu.fpr[reg], 0) & 0x1; ++ if (insn.i_format.rs == bc1eqz_op) ++ bit = !bit; + own_fpu(1); + if (bit) + epc = epc + 4 + diff --git a/queue-4.4/mips-fix-htw-config-on-xpa-kernel-without-lpa-enabled.patch b/queue-4.4/mips-fix-htw-config-on-xpa-kernel-without-lpa-enabled.patch new file mode 100644 index 00000000000..b0d9a229458 --- /dev/null +++ b/queue-4.4/mips-fix-htw-config-on-xpa-kernel-without-lpa-enabled.patch @@ -0,0 +1,48 @@ +From 14bc241443e126c62fcbf571b7d4c79740debc58 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Tue, 19 Apr 2016 09:25:00 +0100 +Subject: MIPS: Fix HTW config on XPA kernel without LPA enabled + +From: James Hogan + +commit 14bc241443e126c62fcbf571b7d4c79740debc58 upstream. + +The hardware page table walker (HTW) configuration is broken on XPA +kernels where XPA couldn't be enabled (either nohtw or the hardware +doesn't support it). This is because the PWSize.PTEW field (PTE width) +was only set to 8 bytes (an extra shift of 1) in config_htw_params() if +PageGrain.ELPA (enable large physical addressing) is set. On an XPA +kernel though the size of PTEs is fixed at 8 bytes regardless of whether +XPA could actually be enabled. + +Fix the initialisation of this field based on sizeof(pte_t) instead. + +Fixes: c5b367835cfc ("MIPS: Add support for XPA.") +Signed-off-by: James Hogan +Cc: Steven J. Hill +Cc: Paul Burton +Cc: Paul Gortmaker +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/13113/ +Signed-off-by: Paul Burton +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/mm/tlbex.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/arch/mips/mm/tlbex.c ++++ b/arch/mips/mm/tlbex.c +@@ -2329,9 +2329,7 @@ static void config_htw_params(void) + if (CONFIG_PGTABLE_LEVELS >= 3) + pwsize |= ilog2(PTRS_PER_PMD) << MIPS_PWSIZE_MDW_SHIFT; + +- /* If XPA has been enabled, PTEs are 64-bit in size. */ +- if (config_enabled(CONFIG_64BITS) || (read_c0_pagegrain() & PG_ELPA)) +- pwsize |= 1; ++ pwsize |= ilog2(sizeof(pte_t)/4) << MIPS_PWSIZE_PTEW_SHIFT; + + write_c0_pwsize(pwsize); + diff --git a/queue-4.4/mips-fix-little-endian-micromips-msa-encodings.patch b/queue-4.4/mips-fix-little-endian-micromips-msa-encodings.patch new file mode 100644 index 00000000000..526e0ef34a1 --- /dev/null +++ b/queue-4.4/mips-fix-little-endian-micromips-msa-encodings.patch @@ -0,0 +1,297 @@ +From 6e1b29c3094688b6803fa1f9d5da676a7d0fbff9 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Fri, 20 May 2016 23:28:39 +0100 +Subject: MIPS: Fix little endian microMIPS MSA encodings + +From: James Hogan + +commit 6e1b29c3094688b6803fa1f9d5da676a7d0fbff9 upstream. + +When the toolchain doesn't support MSA we encode MSA instructions +explicitly in assembly. Unfortunately we use .word for both MIPS and +microMIPS encodings which is wrong, since 32-bit microMIPS instructions +are made up from a pair of halfwords. + +- The most significant halfword always comes first, so for little endian + builds the halves will be emitted in the wrong order. + +- 32-bit alignment isn't guaranteed, so the assembler may insert a + 16-bit nop instruction to pad the instruction stream to a 32-bit + boundary. + +Use the new instruction encoding macros to encode microMIPS MSA +instructions correctly. + +Fixes: d96cc3d1ec5d ("MIPS: Add microMIPS MSA support.") +Signed-off-by: James Hogan +Cc: Paul Burton +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/13312/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/asmmacro.h | 99 +++++++++++++++++++-------------------- + arch/mips/include/asm/msa.h | 21 +++----- + 2 files changed, 58 insertions(+), 62 deletions(-) + +--- a/arch/mips/include/asm/asmmacro.h ++++ b/arch/mips/include/asm/asmmacro.h +@@ -19,6 +19,28 @@ + #include + #endif + ++/* ++ * Helper macros for generating raw instruction encodings. ++ */ ++#ifdef CONFIG_CPU_MICROMIPS ++ .macro insn32_if_mm enc ++ .insn ++ .hword ((\enc) >> 16) ++ .hword ((\enc) & 0xffff) ++ .endm ++ ++ .macro insn_if_mips enc ++ .endm ++#else ++ .macro insn32_if_mm enc ++ .endm ++ ++ .macro insn_if_mips enc ++ .insn ++ .word (\enc) ++ .endm ++#endif ++ + #if defined(CONFIG_CPU_MIPSR2) || defined(CONFIG_CPU_MIPSR6) + .macro local_irq_enable reg=t0 + ei +@@ -336,38 +358,6 @@ + .endm + #else + +-#ifdef CONFIG_CPU_MICROMIPS +-#define CFC_MSA_INSN 0x587e0056 +-#define CTC_MSA_INSN 0x583e0816 +-#define LDB_MSA_INSN 0x58000807 +-#define LDH_MSA_INSN 0x58000817 +-#define LDW_MSA_INSN 0x58000827 +-#define LDD_MSA_INSN 0x58000837 +-#define STB_MSA_INSN 0x5800080f +-#define STH_MSA_INSN 0x5800081f +-#define STW_MSA_INSN 0x5800082f +-#define STD_MSA_INSN 0x5800083f +-#define COPY_SW_MSA_INSN 0x58b00056 +-#define COPY_SD_MSA_INSN 0x58b80056 +-#define INSERT_W_MSA_INSN 0x59300816 +-#define INSERT_D_MSA_INSN 0x59380816 +-#else +-#define CFC_MSA_INSN 0x787e0059 +-#define CTC_MSA_INSN 0x783e0819 +-#define LDB_MSA_INSN 0x78000820 +-#define LDH_MSA_INSN 0x78000821 +-#define LDW_MSA_INSN 0x78000822 +-#define LDD_MSA_INSN 0x78000823 +-#define STB_MSA_INSN 0x78000824 +-#define STH_MSA_INSN 0x78000825 +-#define STW_MSA_INSN 0x78000826 +-#define STD_MSA_INSN 0x78000827 +-#define COPY_SW_MSA_INSN 0x78b00059 +-#define COPY_SD_MSA_INSN 0x78b80059 +-#define INSERT_W_MSA_INSN 0x79300819 +-#define INSERT_D_MSA_INSN 0x79380819 +-#endif +- + /* + * Temporary until all toolchains in use include MSA support. + */ +@@ -375,8 +365,8 @@ + .set push + .set noat + SET_HARDFLOAT +- .insn +- .word CFC_MSA_INSN | (\cs << 11) ++ insn_if_mips 0x787e0059 | (\cs << 11) ++ insn32_if_mm 0x587e0056 | (\cs << 11) + move \rd, $1 + .set pop + .endm +@@ -386,7 +376,8 @@ + .set noat + SET_HARDFLOAT + move $1, \rs +- .word CTC_MSA_INSN | (\cd << 6) ++ insn_if_mips 0x783e0819 | (\cd << 6) ++ insn32_if_mm 0x583e0816 | (\cd << 6) + .set pop + .endm + +@@ -395,7 +386,8 @@ + .set noat + SET_HARDFLOAT + PTR_ADDU $1, \base, \off +- .word LDB_MSA_INSN | (\wd << 6) ++ insn_if_mips 0x78000820 | (\wd << 6) ++ insn32_if_mm 0x58000807 | (\wd << 6) + .set pop + .endm + +@@ -404,7 +396,8 @@ + .set noat + SET_HARDFLOAT + PTR_ADDU $1, \base, \off +- .word LDH_MSA_INSN | (\wd << 6) ++ insn_if_mips 0x78000821 | (\wd << 6) ++ insn32_if_mm 0x58000817 | (\wd << 6) + .set pop + .endm + +@@ -413,7 +406,8 @@ + .set noat + SET_HARDFLOAT + PTR_ADDU $1, \base, \off +- .word LDW_MSA_INSN | (\wd << 6) ++ insn_if_mips 0x78000822 | (\wd << 6) ++ insn32_if_mm 0x58000827 | (\wd << 6) + .set pop + .endm + +@@ -422,7 +416,8 @@ + .set noat + SET_HARDFLOAT + PTR_ADDU $1, \base, \off +- .word LDD_MSA_INSN | (\wd << 6) ++ insn_if_mips 0x78000823 | (\wd << 6) ++ insn32_if_mm 0x58000837 | (\wd << 6) + .set pop + .endm + +@@ -431,7 +426,8 @@ + .set noat + SET_HARDFLOAT + PTR_ADDU $1, \base, \off +- .word STB_MSA_INSN | (\wd << 6) ++ insn_if_mips 0x78000824 | (\wd << 6) ++ insn32_if_mm 0x5800080f | (\wd << 6) + .set pop + .endm + +@@ -440,7 +436,8 @@ + .set noat + SET_HARDFLOAT + PTR_ADDU $1, \base, \off +- .word STH_MSA_INSN | (\wd << 6) ++ insn_if_mips 0x78000825 | (\wd << 6) ++ insn32_if_mm 0x5800081f | (\wd << 6) + .set pop + .endm + +@@ -449,7 +446,8 @@ + .set noat + SET_HARDFLOAT + PTR_ADDU $1, \base, \off +- .word STW_MSA_INSN | (\wd << 6) ++ insn_if_mips 0x78000826 | (\wd << 6) ++ insn32_if_mm 0x5800082f | (\wd << 6) + .set pop + .endm + +@@ -458,7 +456,8 @@ + .set noat + SET_HARDFLOAT + PTR_ADDU $1, \base, \off +- .word STD_MSA_INSN | (\wd << 6) ++ insn_if_mips 0x78000827 | (\wd << 6) ++ insn32_if_mm 0x5800083f | (\wd << 6) + .set pop + .endm + +@@ -466,8 +465,8 @@ + .set push + .set noat + SET_HARDFLOAT +- .insn +- .word COPY_SW_MSA_INSN | (\n << 16) | (\ws << 11) ++ insn_if_mips 0x78b00059 | (\n << 16) | (\ws << 11) ++ insn32_if_mm 0x58b00056 | (\n << 16) | (\ws << 11) + .set pop + .endm + +@@ -475,8 +474,8 @@ + .set push + .set noat + SET_HARDFLOAT +- .insn +- .word COPY_SD_MSA_INSN | (\n << 16) | (\ws << 11) ++ insn_if_mips 0x78b80059 | (\n << 16) | (\ws << 11) ++ insn32_if_mm 0x58b80056 | (\n << 16) | (\ws << 11) + .set pop + .endm + +@@ -484,7 +483,8 @@ + .set push + .set noat + SET_HARDFLOAT +- .word INSERT_W_MSA_INSN | (\n << 16) | (\wd << 6) ++ insn_if_mips 0x79300819 | (\n << 16) | (\wd << 6) ++ insn32_if_mm 0x59300816 | (\n << 16) | (\wd << 6) + .set pop + .endm + +@@ -492,7 +492,8 @@ + .set push + .set noat + SET_HARDFLOAT +- .word INSERT_D_MSA_INSN | (\n << 16) | (\wd << 6) ++ insn_if_mips 0x79380819 | (\n << 16) | (\wd << 6) ++ insn32_if_mm 0x59380816 | (\n << 16) | (\wd << 6) + .set pop + .endm + #endif +--- a/arch/mips/include/asm/msa.h ++++ b/arch/mips/include/asm/msa.h +@@ -192,13 +192,6 @@ static inline void write_msa_##name(unsi + * allow compilation with toolchains that do not support MSA. Once all + * toolchains in use support MSA these can be removed. + */ +-#ifdef CONFIG_CPU_MICROMIPS +-#define CFC_MSA_INSN 0x587e0056 +-#define CTC_MSA_INSN 0x583e0816 +-#else +-#define CFC_MSA_INSN 0x787e0059 +-#define CTC_MSA_INSN 0x783e0819 +-#endif + + #define __BUILD_MSA_CTL_REG(name, cs) \ + static inline unsigned int read_msa_##name(void) \ +@@ -207,11 +200,12 @@ static inline unsigned int read_msa_##na + __asm__ __volatile__( \ + " .set push\n" \ + " .set noat\n" \ +- " .insn\n" \ +- " .word %1 | (" #cs " << 11)\n" \ ++ " # cfcmsa $1, $%1\n" \ ++ _ASM_INSN_IF_MIPS(0x787e0059 | %1 << 11) \ ++ _ASM_INSN32_IF_MM(0x587e0056 | %1 << 11) \ + " move %0, $1\n" \ + " .set pop\n" \ +- : "=r"(reg) : "i"(CFC_MSA_INSN)); \ ++ : "=r"(reg) : "i"(cs)); \ + return reg; \ + } \ + \ +@@ -221,10 +215,11 @@ static inline void write_msa_##name(unsi + " .set push\n" \ + " .set noat\n" \ + " move $1, %0\n" \ +- " .insn\n" \ +- " .word %1 | (" #cs " << 6)\n" \ ++ " # ctcmsa $%1, $1\n" \ ++ _ASM_INSN_IF_MIPS(0x783e0819 | %1 << 6) \ ++ _ASM_INSN32_IF_MM(0x583e0816 | %1 << 6) \ + " .set pop\n" \ +- : : "r"(val), "i"(CTC_MSA_INSN)); \ ++ : : "r"(val), "i"(cs)); \ + } + + #endif /* !TOOLCHAIN_SUPPORTS_MSA */ diff --git a/queue-4.4/mips-fix-macro-typo.patch b/queue-4.4/mips-fix-macro-typo.patch new file mode 100644 index 00000000000..2ba2b33d5b3 --- /dev/null +++ b/queue-4.4/mips-fix-macro-typo.patch @@ -0,0 +1,39 @@ +From 2549cc967ebb4043f3507b55e3dc579f44d3b516 Mon Sep 17 00:00:00 2001 +From: Jaedon Shin +Date: Mon, 21 Dec 2015 12:47:35 +0900 +Subject: MIPS: Fix macro typo + +From: Jaedon Shin + +commit 2549cc967ebb4043f3507b55e3dc579f44d3b516 upstream. + +Change the CONFIG_MIPS_CMDLINE_EXTEND to CONFIG_MIPS_CMDLINE_DTB_EXTEND +to resolve the EXTEND_WITH_PROM macro. + +Signed-off-by: Jaedon Shin +Fixes: 2024972ef533 ("MIPS: Make the kernel arguments from dtb available") +Reviewed-by: Alexander Sverdlin +Cc: Jonas Gorski +Cc: Masahiro Yamada +Cc: Paul Burton +Cc: Aaro Koskinen +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/11909/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/setup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/kernel/setup.c ++++ b/arch/mips/kernel/setup.c +@@ -695,7 +695,7 @@ static void __init request_crashkernel(s + + #define USE_PROM_CMDLINE IS_ENABLED(CONFIG_MIPS_CMDLINE_FROM_BOOTLOADER) + #define USE_DTB_CMDLINE IS_ENABLED(CONFIG_MIPS_CMDLINE_FROM_DTB) +-#define EXTEND_WITH_PROM IS_ENABLED(CONFIG_MIPS_CMDLINE_EXTEND) ++#define EXTEND_WITH_PROM IS_ENABLED(CONFIG_MIPS_CMDLINE_DTB_EXTEND) + + static void __init arch_mem_init(char **cmdline_p) + { diff --git a/queue-4.4/mips-kvm-fix-translation-of-mfc0-errctl.patch b/queue-4.4/mips-kvm-fix-translation-of-mfc0-errctl.patch new file mode 100644 index 00000000000..6ff7bd434a2 --- /dev/null +++ b/queue-4.4/mips-kvm-fix-translation-of-mfc0-errctl.patch @@ -0,0 +1,47 @@ +From 66ffc50c480e7ab6ad5642f47276435a8873c31a Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Wed, 15 Jun 2016 19:29:45 +0100 +Subject: MIPS: KVM: Fix translation of MFC0 ErrCtl +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: James Hogan + +commit 66ffc50c480e7ab6ad5642f47276435a8873c31a upstream. + +The MIPS KVM dynamic translation is meant to translate "MFC0 rt, ErrCtl" +instructions into "ADD rt, zero, zero" to zero the destination register, +however the rt register number was copied into rt of the ADD instruction +encoding, which is the 2nd source operand. This results in "ADD zero, +zero, rt" which is a no-op, so only the first execution of each such +MFC0 from ErrCtl will actually read 0. + +Fix the shift to put the rt from the MFC0 encoding into the rd field of +the ADD. + +Fixes: 50c8308538dc ("KVM/MIPS32: Binary patching of select privileged instructions.") +Signed-off-by: James Hogan +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: kvm@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kvm/dyntrans.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/kvm/dyntrans.c ++++ b/arch/mips/kvm/dyntrans.c +@@ -82,7 +82,7 @@ int kvm_mips_trans_mfc0(uint32_t inst, u + + if ((rd == MIPS_CP0_ERRCTL) && (sel == 0)) { + mfc0_inst = CLEAR_TEMPLATE; +- mfc0_inst |= ((rt & 0x1f) << 16); ++ mfc0_inst |= ((rt & 0x1f) << 11); + } else { + mfc0_inst = LW_TEMPLATE; + mfc0_inst |= ((rt & 0x1f) << 16); diff --git a/queue-4.4/mips-math-emu-fix-bc1-eq-ne-z-emulation.patch b/queue-4.4/mips-math-emu-fix-bc1-eq-ne-z-emulation.patch new file mode 100644 index 00000000000..d676cdd682d --- /dev/null +++ b/queue-4.4/mips-math-emu-fix-bc1-eq-ne-z-emulation.patch @@ -0,0 +1,61 @@ +From 93583e178ebfdd2fadf950eef1547f305cac12ca Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Thu, 21 Apr 2016 14:04:45 +0100 +Subject: MIPS: math-emu: Fix BC1{EQ,NE}Z emulation + +From: Paul Burton + +commit 93583e178ebfdd2fadf950eef1547f305cac12ca upstream. + +The conditions for branching when emulating the BC1EQZ & BC1NEZ +instructions were backwards, leading to each of those instructions being +treated as the other. Fix this by reversing the conditions, and clear up +the code a little for readability & checkpatch. + +Fixes: c909ca718e8f ("MIPS: math-emu: Emulate missing BC1{EQ,NE}Z instructions") +Signed-off-by: Paul Burton +Reviewed-by: James Hogan +Cc: Maciej W. Rozycki +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/13150/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/math-emu/cp1emu.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/arch/mips/math-emu/cp1emu.c ++++ b/arch/mips/math-emu/cp1emu.c +@@ -975,9 +975,10 @@ static int cop1Emulate(struct pt_regs *x + struct mm_decoded_insn dec_insn, void *__user *fault_addr) + { + unsigned long contpc = xcp->cp0_epc + dec_insn.pc_inc; +- unsigned int cond, cbit; ++ unsigned int cond, cbit, bit0; + mips_instruction ir; + int likely, pc_inc; ++ union fpureg *fpr; + u32 __user *wva; + u64 __user *dva; + u32 wval; +@@ -1189,14 +1190,14 @@ emul: + return SIGILL; + + cond = likely = 0; ++ fpr = ¤t->thread.fpu.fpr[MIPSInst_RT(ir)]; ++ bit0 = get_fpr32(fpr, 0) & 0x1; + switch (MIPSInst_RS(ir)) { + case bc1eqz_op: +- if (get_fpr32(¤t->thread.fpu.fpr[MIPSInst_RT(ir)], 0) & 0x1) +- cond = 1; ++ cond = bit0 == 0; + break; + case bc1nez_op: +- if (!(get_fpr32(¤t->thread.fpu.fpr[MIPSInst_RT(ir)], 0) & 0x1)) +- cond = 1; ++ cond = bit0 != 0; + break; + } + goto branch_common; diff --git a/queue-4.4/mips-math-emu-fix-m-add-sub-.s-shifts.patch b/queue-4.4/mips-math-emu-fix-m-add-sub-.s-shifts.patch new file mode 100644 index 00000000000..0ac4a5cc6a0 --- /dev/null +++ b/queue-4.4/mips-math-emu-fix-m-add-sub-.s-shifts.patch @@ -0,0 +1,151 @@ +From db57f29d50683afd75c7f8b9908af7669837c3a9 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Thu, 21 Apr 2016 14:04:54 +0100 +Subject: MIPS: math-emu: Fix m{add,sub}.s shifts + +From: Paul Burton + +commit db57f29d50683afd75c7f8b9908af7669837c3a9 upstream. + +The code in _sp_maddf (formerly ieee754sp_madd) appears to have been +copied verbatim from ieee754sp_add, and although it's adding the +unpacked "r" & "z" floats it kept using macros that operate on "x" & +"y". This led to the addition being carried out incorrectly on some +mismash of the product, accumulator & multiplicand fields. Typically +this would lead to the assertions "ze == re" & "ze <= SP_EMAX" failing +since ze & re hadn't been operated upon. + +Signed-off-by: Paul Burton +Fixes: e24c3bec3e8e ("MIPS: math-emu: Add support for the MIPS R6 MADDF FPU instruction") +Cc: Adam Buchbinder +Cc: Maciej W. Rozycki +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/13159/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/math-emu/ieee754sp.c | 3 ++- + arch/mips/math-emu/ieee754sp.h | 16 +++++++--------- + arch/mips/math-emu/sp_add.c | 6 ++++-- + arch/mips/math-emu/sp_maddf.c | 13 ++++++++----- + arch/mips/math-emu/sp_sub.c | 6 ++++-- + 5 files changed, 25 insertions(+), 19 deletions(-) + +--- a/arch/mips/math-emu/ieee754sp.c ++++ b/arch/mips/math-emu/ieee754sp.c +@@ -130,7 +130,8 @@ union ieee754sp ieee754sp_format(int sn, + } else { + /* sticky right shift es bits + */ +- SPXSRSXn(es); ++ xm = XSPSRS(xm, es); ++ xe += es; + assert((xm & (SP_HIDDEN_BIT << 3)) == 0); + assert(xe == SP_EMIN); + } +--- a/arch/mips/math-emu/ieee754sp.h ++++ b/arch/mips/math-emu/ieee754sp.h +@@ -46,19 +46,17 @@ static inline int ieee754sp_finite(union + } + + /* 3bit extended single precision sticky right shift */ +-#define SPXSRSXn(rs) \ +- (xe += rs, \ +- xm = (rs > (SP_FBITS+3))?1:((xm) >> (rs)) | ((xm) << (32-(rs)) != 0)) ++#define XSPSRS(v, rs) \ ++ ((rs > (SP_FBITS+3))?1:((v) >> (rs)) | ((v) << (32-(rs)) != 0)) + +-#define SPXSRSX1() \ +- (xe++, (xm = (xm >> 1) | (xm & 1))) ++#define XSPSRS1(m) \ ++ ((m >> 1) | (m & 1)) + +-#define SPXSRSYn(rs) \ +- (ye+=rs, \ +- ym = (rs > (SP_FBITS+3))?1:((ym) >> (rs)) | ((ym) << (32-(rs)) != 0)) ++#define SPXSRSX1() \ ++ (xe++, (xm = XSPSRS1(xm))) + + #define SPXSRSY1() \ +- (ye++, (ym = (ym >> 1) | (ym & 1))) ++ (ye++, (ym = XSPSRS1(ym))) + + /* convert denormal to normalized with extended exponent */ + #define SPDNORMx(m,e) \ +--- a/arch/mips/math-emu/sp_add.c ++++ b/arch/mips/math-emu/sp_add.c +@@ -132,13 +132,15 @@ union ieee754sp ieee754sp_add(union ieee + * Have to shift y fraction right to align. + */ + s = xe - ye; +- SPXSRSYn(s); ++ ym = XSPSRS(ym, s); ++ ye += s; + } else if (ye > xe) { + /* + * Have to shift x fraction right to align. + */ + s = ye - xe; +- SPXSRSXn(s); ++ xm = XSPSRS(xm, s); ++ xe += s; + } + assert(xe == ye); + assert(xe <= SP_EMAX); +--- a/arch/mips/math-emu/sp_maddf.c ++++ b/arch/mips/math-emu/sp_maddf.c +@@ -208,16 +208,18 @@ union ieee754sp ieee754sp_maddf(union ie + + if (ze > re) { + /* +- * Have to shift y fraction right to align. ++ * Have to shift r fraction right to align. + */ + s = ze - re; +- SPXSRSYn(s); ++ rm = XSPSRS(rm, s); ++ re += s; + } else if (re > ze) { + /* +- * Have to shift x fraction right to align. ++ * Have to shift z fraction right to align. + */ + s = re - ze; +- SPXSRSYn(s); ++ zm = XSPSRS(zm, s); ++ ze += s; + } + assert(ze == re); + assert(ze <= SP_EMAX); +@@ -230,7 +232,8 @@ union ieee754sp ieee754sp_maddf(union ie + zm = zm + rm; + + if (zm >> (SP_FBITS + 1 + 3)) { /* carry out */ +- SPXSRSX1(); ++ zm = XSPSRS1(zm); ++ ze++; + } + } else { + if (zm >= rm) { +--- a/arch/mips/math-emu/sp_sub.c ++++ b/arch/mips/math-emu/sp_sub.c +@@ -134,13 +134,15 @@ union ieee754sp ieee754sp_sub(union ieee + * have to shift y fraction right to align + */ + s = xe - ye; +- SPXSRSYn(s); ++ ym = XSPSRS(ym, s); ++ ye += s; + } else if (ye > xe) { + /* + * have to shift x fraction right to align + */ + s = ye - xe; +- SPXSRSXn(s); ++ xm = XSPSRS(xm, s); ++ xe += s; + } + assert(xe == ye); + assert(xe <= SP_EMAX); diff --git a/queue-4.4/mips-octeon-off-by-one-in-octeon_irq_gpio_map.patch b/queue-4.4/mips-octeon-off-by-one-in-octeon_irq_gpio_map.patch new file mode 100644 index 00000000000..a9203466096 --- /dev/null +++ b/queue-4.4/mips-octeon-off-by-one-in-octeon_irq_gpio_map.patch @@ -0,0 +1,37 @@ +From 008d0cf1ec69ec6d2c08f2d23aff2b67cbe5d2af Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 14 Jul 2016 13:14:29 +0300 +Subject: MIPS: Octeon: Off by one in octeon_irq_gpio_map() + +From: Dan Carpenter + +commit 008d0cf1ec69ec6d2c08f2d23aff2b67cbe5d2af upstream. + +It should be >= ARRAY_SIZE() instead of > ARRAY_SIZE(). + +Fixes: 64b139f97c01 ('MIPS: OCTEON: irq: add CIB and other fixes') +Signed-off-by: Dan Carpenter +Acked-by: David Daney +Cc: Rob Herring +Cc: Marc Zyngier +Cc: linux-mips@linux-mips.org +Cc: kernel-janitors@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/13813/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/cavium-octeon/octeon-irq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/cavium-octeon/octeon-irq.c ++++ b/arch/mips/cavium-octeon/octeon-irq.c +@@ -1220,7 +1220,7 @@ static int octeon_irq_gpio_map(struct ir + + line = (hw + gpiod->base_hwirq) >> 6; + bit = (hw + gpiod->base_hwirq) & 63; +- if (line > ARRAY_SIZE(octeon_irq_ciu_to_irq) || ++ if (line >= ARRAY_SIZE(octeon_irq_ciu_to_irq) || + octeon_irq_ciu_to_irq[line][bit] != 0) + return -EINVAL; + diff --git a/queue-4.4/mips-panic-replace-smp_send_stop-with-kdump-friendly-version-in-panic-path.patch b/queue-4.4/mips-panic-replace-smp_send_stop-with-kdump-friendly-version-in-panic-path.patch new file mode 100644 index 00000000000..de03bbec8c0 --- /dev/null +++ b/queue-4.4/mips-panic-replace-smp_send_stop-with-kdump-friendly-version-in-panic-path.patch @@ -0,0 +1,144 @@ +From 54c721b857fd45f3ad3bda695ee4f472518db02a Mon Sep 17 00:00:00 2001 +From: Hidehiro Kawai +Date: Tue, 11 Oct 2016 13:54:26 -0700 +Subject: mips/panic: replace smp_send_stop() with kdump friendly version in panic path + +From: Hidehiro Kawai + +commit 54c721b857fd45f3ad3bda695ee4f472518db02a upstream. + +Daniel Walker reported problems which happens when +crash_kexec_post_notifiers kernel option is enabled +(https://lkml.org/lkml/2015/6/24/44). + +In that case, smp_send_stop() is called before entering kdump routines +which assume other CPUs are still online. As the result, kdump +routines fail to save other CPUs' registers. Additionally for MIPS +OCTEON, it misses to stop the watchdog timer. + +To fix this problem, call a new kdump friendly function, +crash_smp_send_stop(), instead of the smp_send_stop() when +crash_kexec_post_notifiers is enabled. crash_smp_send_stop() is a +weak function, and it just call smp_send_stop(). Architecture +codes should override it so that kdump can work appropriately. +This patch provides MIPS version. + +Fixes: f06e5153f4ae (kernel/panic.c: add "crash_kexec_post_notifiers" option) +Link: http://lkml.kernel.org/r/20160810080950.11028.28000.stgit@sysi4-13.yrl.intra.hitachi.co.jp +Signed-off-by: Hidehiro Kawai +Reported-by: Daniel Walker +Cc: Dave Young +Cc: Baoquan He +Cc: Vivek Goyal +Cc: Eric Biederman +Cc: Masami Hiramatsu +Cc: Daniel Walker +Cc: Xunlei Pang +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: "H. Peter Anvin" +Cc: Borislav Petkov +Cc: David Vrabel +Cc: Toshi Kani +Cc: Ralf Baechle +Cc: David Daney +Cc: Aaro Koskinen +Cc: "Steven J. Hill" +Cc: Corey Minyard +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/cavium-octeon/setup.c | 14 ++++++++++++++ + arch/mips/include/asm/kexec.h | 1 + + arch/mips/kernel/crash.c | 18 +++++++++++++++++- + arch/mips/kernel/machine_kexec.c | 1 + + 4 files changed, 33 insertions(+), 1 deletion(-) + +--- a/arch/mips/cavium-octeon/setup.c ++++ b/arch/mips/cavium-octeon/setup.c +@@ -251,6 +251,17 @@ static void octeon_crash_shutdown(struct + default_machine_crash_shutdown(regs); + } + ++#ifdef CONFIG_SMP ++void octeon_crash_smp_send_stop(void) ++{ ++ int cpu; ++ ++ /* disable watchdogs */ ++ for_each_online_cpu(cpu) ++ cvmx_write_csr(CVMX_CIU_WDOGX(cpu_logical_map(cpu)), 0); ++} ++#endif ++ + #endif /* CONFIG_KEXEC */ + + #ifdef CONFIG_CAVIUM_RESERVE32 +@@ -864,6 +875,9 @@ void __init prom_init(void) + _machine_kexec_shutdown = octeon_shutdown; + _machine_crash_shutdown = octeon_crash_shutdown; + _machine_kexec_prepare = octeon_kexec_prepare; ++#ifdef CONFIG_SMP ++ _crash_smp_send_stop = octeon_crash_smp_send_stop; ++#endif + #endif + + octeon_user_io_init(); +--- a/arch/mips/include/asm/kexec.h ++++ b/arch/mips/include/asm/kexec.h +@@ -45,6 +45,7 @@ extern const unsigned char kexec_smp_wai + extern unsigned long secondary_kexec_args[4]; + extern void (*relocated_kexec_smp_wait) (void *); + extern atomic_t kexec_ready_to_reboot; ++extern void (*_crash_smp_send_stop)(void); + #endif + #endif + +--- a/arch/mips/kernel/crash.c ++++ b/arch/mips/kernel/crash.c +@@ -50,9 +50,14 @@ static void crash_shutdown_secondary(voi + + static void crash_kexec_prepare_cpus(void) + { ++ static int cpus_stopped; + unsigned int msecs; ++ unsigned int ncpus; + +- unsigned int ncpus = num_online_cpus() - 1;/* Excluding the panic cpu */ ++ if (cpus_stopped) ++ return; ++ ++ ncpus = num_online_cpus() - 1;/* Excluding the panic cpu */ + + dump_send_ipi(crash_shutdown_secondary); + smp_wmb(); +@@ -67,6 +72,17 @@ static void crash_kexec_prepare_cpus(voi + cpu_relax(); + mdelay(1); + } ++ ++ cpus_stopped = 1; ++} ++ ++/* Override the weak function in kernel/panic.c */ ++void crash_smp_send_stop(void) ++{ ++ if (_crash_smp_send_stop) ++ _crash_smp_send_stop(); ++ ++ crash_kexec_prepare_cpus(); + } + + #else /* !defined(CONFIG_SMP) */ +--- a/arch/mips/kernel/machine_kexec.c ++++ b/arch/mips/kernel/machine_kexec.c +@@ -25,6 +25,7 @@ void (*_machine_crash_shutdown)(struct p + #ifdef CONFIG_SMP + void (*relocated_kexec_smp_wait) (void *); + atomic_t kexec_ready_to_reboot = ATOMIC_INIT(0); ++void (*_crash_smp_send_stop)(void) = NULL; + #endif + + int diff --git a/queue-4.4/mips-perf-fix-i6400-event-numbers.patch b/queue-4.4/mips-perf-fix-i6400-event-numbers.patch new file mode 100644 index 00000000000..f3bd1a8aa10 --- /dev/null +++ b/queue-4.4/mips-perf-fix-i6400-event-numbers.patch @@ -0,0 +1,107 @@ +From fd716fca10fc3dc0f18b8c16d4ecfa6d93f010d2 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Mon, 16 May 2016 19:32:35 +0100 +Subject: MIPS: perf: Fix I6400 event numbers + +From: James Hogan + +commit fd716fca10fc3dc0f18b8c16d4ecfa6d93f010d2 upstream. + +Fix perf hardware performance counter event numbers for I6400. This core +does not follow the performance event numbering scheme of previous MIPS +cores. All performance counters (both odd and even) are capable of +counting any of the available events. + +Fixes: 4e88a8621301 ("MIPS: Add cases for CPU_I6400") +Signed-off-by: James Hogan +Cc: Peter Zijlstra +Cc: Ingo Molnar +Cc: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/13259/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/perf_event_mipsxx.c | 54 +++++++++++++++++++++++++++++++++-- + 1 file changed, 52 insertions(+), 2 deletions(-) + +--- a/arch/mips/kernel/perf_event_mipsxx.c ++++ b/arch/mips/kernel/perf_event_mipsxx.c +@@ -825,6 +825,16 @@ static const struct mips_perf_event mips + [PERF_COUNT_HW_BRANCH_MISSES] = { 0x27, CNTR_ODD, T }, + }; + ++static const struct mips_perf_event i6400_event_map[PERF_COUNT_HW_MAX] = { ++ [PERF_COUNT_HW_CPU_CYCLES] = { 0x00, CNTR_EVEN | CNTR_ODD }, ++ [PERF_COUNT_HW_INSTRUCTIONS] = { 0x01, CNTR_EVEN | CNTR_ODD }, ++ /* These only count dcache, not icache */ ++ [PERF_COUNT_HW_CACHE_REFERENCES] = { 0x45, CNTR_EVEN | CNTR_ODD }, ++ [PERF_COUNT_HW_CACHE_MISSES] = { 0x48, CNTR_EVEN | CNTR_ODD }, ++ [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = { 0x15, CNTR_EVEN | CNTR_ODD }, ++ [PERF_COUNT_HW_BRANCH_MISSES] = { 0x16, CNTR_EVEN | CNTR_ODD }, ++}; ++ + static const struct mips_perf_event loongson3_event_map[PERF_COUNT_HW_MAX] = { + [PERF_COUNT_HW_CPU_CYCLES] = { 0x00, CNTR_EVEN }, + [PERF_COUNT_HW_INSTRUCTIONS] = { 0x00, CNTR_ODD }, +@@ -1015,6 +1025,46 @@ static const struct mips_perf_event mips + }, + }; + ++static const struct mips_perf_event i6400_cache_map ++ [PERF_COUNT_HW_CACHE_MAX] ++ [PERF_COUNT_HW_CACHE_OP_MAX] ++ [PERF_COUNT_HW_CACHE_RESULT_MAX] = { ++[C(L1D)] = { ++ [C(OP_READ)] = { ++ [C(RESULT_ACCESS)] = { 0x46, CNTR_EVEN | CNTR_ODD }, ++ [C(RESULT_MISS)] = { 0x49, CNTR_EVEN | CNTR_ODD }, ++ }, ++ [C(OP_WRITE)] = { ++ [C(RESULT_ACCESS)] = { 0x47, CNTR_EVEN | CNTR_ODD }, ++ [C(RESULT_MISS)] = { 0x4a, CNTR_EVEN | CNTR_ODD }, ++ }, ++}, ++[C(L1I)] = { ++ [C(OP_READ)] = { ++ [C(RESULT_ACCESS)] = { 0x84, CNTR_EVEN | CNTR_ODD }, ++ [C(RESULT_MISS)] = { 0x85, CNTR_EVEN | CNTR_ODD }, ++ }, ++}, ++[C(DTLB)] = { ++ /* Can't distinguish read & write */ ++ [C(OP_READ)] = { ++ [C(RESULT_ACCESS)] = { 0x40, CNTR_EVEN | CNTR_ODD }, ++ [C(RESULT_MISS)] = { 0x41, CNTR_EVEN | CNTR_ODD }, ++ }, ++ [C(OP_WRITE)] = { ++ [C(RESULT_ACCESS)] = { 0x40, CNTR_EVEN | CNTR_ODD }, ++ [C(RESULT_MISS)] = { 0x41, CNTR_EVEN | CNTR_ODD }, ++ }, ++}, ++[C(BPU)] = { ++ /* Conditional branches / mispredicted */ ++ [C(OP_READ)] = { ++ [C(RESULT_ACCESS)] = { 0x15, CNTR_EVEN | CNTR_ODD }, ++ [C(RESULT_MISS)] = { 0x16, CNTR_EVEN | CNTR_ODD }, ++ }, ++}, ++}; ++ + static const struct mips_perf_event loongson3_cache_map + [PERF_COUNT_HW_CACHE_MAX] + [PERF_COUNT_HW_CACHE_OP_MAX] +@@ -1720,8 +1770,8 @@ init_hw_perf_events(void) + break; + case CPU_I6400: + mipspmu.name = "mips/I6400"; +- mipspmu.general_event_map = &mipsxxcore_event_map2; +- mipspmu.cache_event_map = &mipsxxcore_cache_map2; ++ mipspmu.general_event_map = &i6400_event_map; ++ mipspmu.cache_event_map = &i6400_cache_map; + break; + case CPU_1004K: + mipspmu.name = "mips/1004K"; diff --git a/queue-4.4/mips-ptrace-drop-cp0_tcstatus-from-regoffset_table.patch b/queue-4.4/mips-ptrace-drop-cp0_tcstatus-from-regoffset_table.patch new file mode 100644 index 00000000000..6d45ec7c3be --- /dev/null +++ b/queue-4.4/mips-ptrace-drop-cp0_tcstatus-from-regoffset_table.patch @@ -0,0 +1,37 @@ +From 555fae60b2bbb2d6282d82c5321d3adfa85b22ae Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Tue, 22 Dec 2015 13:56:39 +0000 +Subject: MIPS: ptrace: Drop cp0_tcstatus from regoffset_table[] + +From: James Hogan + +commit 555fae60b2bbb2d6282d82c5321d3adfa85b22ae upstream. + +The cp0_tcstatus member of struct pt_regs was removed along with the +rest of SMTC in v3.16, commit b633648c5ad3 ("MIPS: MT: Remove SMTC +support"), however recent uprobes support in v4.3 added back a reference +to it in the regoffset_table[] in ptrace.c. Remove it. + +Signed-off-by: James Hogan +Fixes: 40e084a506eb ("MIPS: Add uprobes support.") +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/11920/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/ptrace.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -670,9 +670,6 @@ static const struct pt_regs_offset regof + REG_OFFSET_NAME(c0_badvaddr, cp0_badvaddr), + REG_OFFSET_NAME(c0_cause, cp0_cause), + REG_OFFSET_NAME(c0_epc, cp0_epc), +-#ifdef CONFIG_MIPS_MT_SMTC +- REG_OFFSET_NAME(c0_tcstatus, cp0_tcstatus), +-#endif + #ifdef CONFIG_CPU_CAVIUM_OCTEON + REG_OFFSET_NAME(mpl0, mpl[0]), + REG_OFFSET_NAME(mpl1, mpl[1]), diff --git a/queue-4.4/mips-rm7000-double-locking-bug-in-rm7k_tc_disable.patch b/queue-4.4/mips-rm7000-double-locking-bug-in-rm7k_tc_disable.patch new file mode 100644 index 00000000000..c048815fd8d --- /dev/null +++ b/queue-4.4/mips-rm7000-double-locking-bug-in-rm7k_tc_disable.patch @@ -0,0 +1,35 @@ +From 58a7e1c140f3ad61646bc0cd9a1f6a9cafc0b225 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 15 Jul 2016 14:16:44 +0300 +Subject: MIPS: RM7000: Double locking bug in rm7k_tc_disable() + +From: Dan Carpenter + +commit 58a7e1c140f3ad61646bc0cd9a1f6a9cafc0b225 upstream. + +We obviously intended to enable IRQs again at the end. + +Fixes: 745aef5df1e2 ('MIPS: RM7000: Add support for tertiary cache') +Signed-off-by: Dan Carpenter +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Cc: kernel-janitors@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/13815/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/mm/sc-rm7k.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/mm/sc-rm7k.c ++++ b/arch/mips/mm/sc-rm7k.c +@@ -161,7 +161,7 @@ static void rm7k_tc_disable(void) + local_irq_save(flags); + blast_rm7k_tcache(); + clear_c0_config(RM7K_CONF_TE); +- local_irq_save(flags); ++ local_irq_restore(flags); + } + + static void rm7k_sc_disable(void) diff --git a/queue-4.4/mips-scall-handle-seccomp-filters-which-redirect-syscalls.patch b/queue-4.4/mips-scall-handle-seccomp-filters-which-redirect-syscalls.patch new file mode 100644 index 00000000000..a30de272920 --- /dev/null +++ b/queue-4.4/mips-scall-handle-seccomp-filters-which-redirect-syscalls.patch @@ -0,0 +1,214 @@ +From a400bed6d105c23d3673f763596e4b85de14e41a Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Tue, 29 Mar 2016 09:35:31 +0100 +Subject: MIPS: scall: Handle seccomp filters which redirect syscalls + +From: Matt Redfearn + +commit a400bed6d105c23d3673f763596e4b85de14e41a upstream. + +Commit d218af78492a ("MIPS: scall: Always run the seccomp syscall +filters") modified the syscall code to always call the seccomp filters, +but missed the case where a filter may redirect the syscall, as +revealed by the seccomp_bpf self test. + +The syscall path now restores the syscall from the stack after the +filter rather than saving it locally. Syscall number checking and +syscall function table lookup is done after the filter may have run such +that redirected syscalls are also checked, and executed. + +The regular path of syscall number checking and pointer lookup is also +made more consistent between ABIs with scall64-64.S being the reference. + +With this patch in place, the seccomp_bpf self test now passes +TRACE_syscall.syscall_redirected and TRACE_syscall.syscall_dropped on +all MIPS ABIs. + +Fixes: d218af78492a ("MIPS: scall: Always run the seccomp syscall filters") +Signed-off-by: Matt Redfearn +Acked-by: Kees Cook +Cc: Eric B Munson +Cc: James Hogan +Cc: Andrew Morton +Cc: linux-mips@linux-mips.org +Cc: IMG-MIPSLinuxKerneldevelopers@imgtec.com +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/12916/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/scall32-o32.S | 11 +++++------ + arch/mips/kernel/scall64-64.S | 3 +-- + arch/mips/kernel/scall64-n32.S | 14 +++++++++----- + arch/mips/kernel/scall64-o32.S | 14 +++++++++----- + 4 files changed, 24 insertions(+), 18 deletions(-) + +--- a/arch/mips/kernel/scall32-o32.S ++++ b/arch/mips/kernel/scall32-o32.S +@@ -35,7 +35,6 @@ NESTED(handle_sys, PT_SIZE, sp) + + lw t1, PT_EPC(sp) # skip syscall on return + +- subu v0, v0, __NR_O32_Linux # check syscall number + addiu t1, 4 # skip to next instruction + sw t1, PT_EPC(sp) + +@@ -89,6 +88,7 @@ loads_done: + and t0, t1 + bnez t0, syscall_trace_entry # -> yes + syscall_common: ++ subu v0, v0, __NR_O32_Linux # check syscall number + sltiu t0, v0, __NR_O32_Linux_syscalls + 1 + beqz t0, illegal_syscall + +@@ -118,24 +118,23 @@ o32_syscall_exit: + + syscall_trace_entry: + SAVE_STATIC +- move s0, v0 + move a0, sp + + /* + * syscall number is in v0 unless we called syscall(__NR_###) + * where the real syscall number is in a0 + */ +- addiu a1, v0, __NR_O32_Linux +- bnez v0, 1f /* __NR_syscall at offset 0 */ ++ move a1, v0 ++ subu t2, v0, __NR_O32_Linux ++ bnez t2, 1f /* __NR_syscall at offset 0 */ + lw a1, PT_R4(sp) + + 1: jal syscall_trace_enter + + bltz v0, 1f # seccomp failed? Skip syscall + +- move v0, s0 # restore syscall +- + RESTORE_STATIC ++ lw v0, PT_R2(sp) # Restore syscall (maybe modified) + lw a0, PT_R4(sp) # Restore argument registers + lw a1, PT_R5(sp) + lw a2, PT_R6(sp) +--- a/arch/mips/kernel/scall64-64.S ++++ b/arch/mips/kernel/scall64-64.S +@@ -82,15 +82,14 @@ n64_syscall_exit: + + syscall_trace_entry: + SAVE_STATIC +- move s0, v0 + move a0, sp + move a1, v0 + jal syscall_trace_enter + + bltz v0, 1f # seccomp failed? Skip syscall + +- move v0, s0 + RESTORE_STATIC ++ ld v0, PT_R2(sp) # Restore syscall (maybe modified) + ld a0, PT_R4(sp) # Restore argument registers + ld a1, PT_R5(sp) + ld a2, PT_R6(sp) +--- a/arch/mips/kernel/scall64-n32.S ++++ b/arch/mips/kernel/scall64-n32.S +@@ -42,9 +42,6 @@ NESTED(handle_sysn32, PT_SIZE, sp) + #endif + beqz t0, not_n32_scall + +- dsll t0, v0, 3 # offset into table +- ld t2, (sysn32_call_table - (__NR_N32_Linux * 8))(t0) +- + sd a3, PT_R26(sp) # save a3 for syscall restarting + + li t1, _TIF_WORK_SYSCALL_ENTRY +@@ -53,6 +50,9 @@ NESTED(handle_sysn32, PT_SIZE, sp) + bnez t0, n32_syscall_trace_entry + + syscall_common: ++ dsll t0, v0, 3 # offset into table ++ ld t2, (sysn32_call_table - (__NR_N32_Linux * 8))(t0) ++ + jalr t2 # Do The Real Thing (TM) + + li t0, -EMAXERRNO - 1 # error? +@@ -71,21 +71,25 @@ syscall_common: + + n32_syscall_trace_entry: + SAVE_STATIC +- move s0, t2 + move a0, sp + move a1, v0 + jal syscall_trace_enter + + bltz v0, 1f # seccomp failed? Skip syscall + +- move t2, s0 + RESTORE_STATIC ++ ld v0, PT_R2(sp) # Restore syscall (maybe modified) + ld a0, PT_R4(sp) # Restore argument registers + ld a1, PT_R5(sp) + ld a2, PT_R6(sp) + ld a3, PT_R7(sp) + ld a4, PT_R8(sp) + ld a5, PT_R9(sp) ++ ++ dsubu t2, v0, __NR_N32_Linux # check (new) syscall number ++ sltiu t0, t2, __NR_N32_Linux_syscalls + 1 ++ beqz t0, not_n32_scall ++ + j syscall_common + + 1: j syscall_exit +--- a/arch/mips/kernel/scall64-o32.S ++++ b/arch/mips/kernel/scall64-o32.S +@@ -52,9 +52,6 @@ NESTED(handle_sys, PT_SIZE, sp) + sll a2, a2, 0 + sll a3, a3, 0 + +- dsll t0, v0, 3 # offset into table +- ld t2, (sys32_call_table - (__NR_O32_Linux * 8))(t0) +- + sd a3, PT_R26(sp) # save a3 for syscall restarting + + /* +@@ -88,6 +85,9 @@ loads_done: + bnez t0, trace_a_syscall + + syscall_common: ++ dsll t0, v0, 3 # offset into table ++ ld t2, (sys32_call_table - (__NR_O32_Linux * 8))(t0) ++ + jalr t2 # Do The Real Thing (TM) + + li t0, -EMAXERRNO - 1 # error? +@@ -112,7 +112,6 @@ trace_a_syscall: + sd a6, PT_R10(sp) + sd a7, PT_R11(sp) # For indirect syscalls + +- move s0, t2 # Save syscall pointer + move a0, sp + /* + * absolute syscall number is in v0 unless we called syscall(__NR_###) +@@ -133,8 +132,8 @@ trace_a_syscall: + + bltz v0, 1f # seccomp failed? Skip syscall + +- move t2, s0 + RESTORE_STATIC ++ ld v0, PT_R2(sp) # Restore syscall (maybe modified) + ld a0, PT_R4(sp) # Restore argument registers + ld a1, PT_R5(sp) + ld a2, PT_R6(sp) +@@ -143,6 +142,11 @@ trace_a_syscall: + ld a5, PT_R9(sp) + ld a6, PT_R10(sp) + ld a7, PT_R11(sp) # For indirect syscalls ++ ++ dsubu t0, v0, __NR_O32_Linux # check (new) syscall number ++ sltiu t0, t0, __NR_O32_Linux_syscalls + 1 ++ beqz t0, not_o32_scall ++ + j syscall_common + + 1: j syscall_exit diff --git a/queue-4.4/mips-smp-cps-stop-printing-ejtag-exceptions-to-uart.patch b/queue-4.4/mips-smp-cps-stop-printing-ejtag-exceptions-to-uart.patch new file mode 100644 index 00000000000..825619058e6 --- /dev/null +++ b/queue-4.4/mips-smp-cps-stop-printing-ejtag-exceptions-to-uart.patch @@ -0,0 +1,40 @@ +From 6609ccdc852f7bfbfa54300dd5b3cd89eb4ced6f Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Wed, 3 Feb 2016 03:15:35 +0000 +Subject: MIPS: smp-cps: Stop printing EJTAG exceptions to UART + +From: Paul Burton + +commit 6609ccdc852f7bfbfa54300dd5b3cd89eb4ced6f upstream. + +When CONFIG_MIPS_CPS_NS16550 is enabled, some register state is dumped +to the UART when an exception is taken via the BEV on secondary cores. +EJTAG exceptions are architecturally expected to be handled by the BEV +even when Status.BEV is 0. This effectively means that if userland +executes an sdbbp instruction on a secondary core then the kernel dumps +register state to the UART even though the exception is perfectly normal +& expected. Prevent this by simply not dumping information to the UART +for EJTAG exceptions. + +Fixes: 609cf6f2291a ("MIPS: CPS: Early debug using an ns16550-compatible UART") +Signed-off-by: Paul Burton +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/12341/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/cps-vec.S | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/mips/kernel/cps-vec.S ++++ b/arch/mips/kernel/cps-vec.S +@@ -245,7 +245,6 @@ LEAF(excep_intex) + + .org 0x480 + LEAF(excep_ejtag) +- DUMP_EXCEP("EJTAG") + PTR_LA k0, ejtag_debug_handler + jr k0 + nop diff --git a/queue-4.4/mips-smp-update-cpu_foreign_map-on-cpu-disable.patch b/queue-4.4/mips-smp-update-cpu_foreign_map-on-cpu-disable.patch new file mode 100644 index 00000000000..ed731f40d9b --- /dev/null +++ b/queue-4.4/mips-smp-update-cpu_foreign_map-on-cpu-disable.patch @@ -0,0 +1,103 @@ +From 826e99be6ab5189dbfb096389016ffb8d20a683e Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Wed, 13 Jul 2016 14:12:45 +0100 +Subject: MIPS: SMP: Update cpu_foreign_map on CPU disable + +From: James Hogan + +commit 826e99be6ab5189dbfb096389016ffb8d20a683e upstream. + +When a CPU is disabled via CPU hotplug, cpu_foreign_map is not updated. +This could result in cache management SMP calls being sent to offline +CPUs instead of online siblings in the same core. + +Add a call to calculate_cpu_foreign_map() in the various MIPS cpu +disable callbacks after set_cpu_online(). All cases are updated for +consistency and to keep cpu_foreign_map strictly up to date, not just +those which may support hardware multithreading. + +Fixes: cccf34e9411c ("MIPS: c-r4k: Fix cache flushing for MT cores") +Signed-off-by: James Hogan +Cc: Paul Burton +Cc: David Daney +Cc: Kevin Cernekee +Cc: Florian Fainelli +Cc: Huacai Chen +Cc: Hongliang Tao +Cc: Hua Yan +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/13799/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/cavium-octeon/smp.c | 1 + + arch/mips/include/asm/smp.h | 2 ++ + arch/mips/kernel/smp-bmips.c | 1 + + arch/mips/kernel/smp-cps.c | 1 + + arch/mips/kernel/smp.c | 2 +- + arch/mips/loongson64/loongson-3/smp.c | 1 + + 6 files changed, 7 insertions(+), 1 deletion(-) + +--- a/arch/mips/cavium-octeon/smp.c ++++ b/arch/mips/cavium-octeon/smp.c +@@ -239,6 +239,7 @@ static int octeon_cpu_disable(void) + return -ENOTSUPP; + + set_cpu_online(cpu, false); ++ calculate_cpu_foreign_map(); + cpumask_clear_cpu(cpu, &cpu_callin_map); + octeon_fixup_irqs(); + +--- a/arch/mips/include/asm/smp.h ++++ b/arch/mips/include/asm/smp.h +@@ -63,6 +63,8 @@ extern cpumask_t cpu_coherent_mask; + + extern void asmlinkage smp_bootstrap(void); + ++extern void calculate_cpu_foreign_map(void); ++ + /* + * this function sends a 'reschedule' IPI to another CPU. + * it goes straight through and wastes no time serializing +--- a/arch/mips/kernel/smp-bmips.c ++++ b/arch/mips/kernel/smp-bmips.c +@@ -362,6 +362,7 @@ static int bmips_cpu_disable(void) + pr_info("SMP: CPU%d is offline\n", cpu); + + set_cpu_online(cpu, false); ++ calculate_cpu_foreign_map(); + cpumask_clear_cpu(cpu, &cpu_callin_map); + clear_c0_status(IE_IRQ5); + +--- a/arch/mips/kernel/smp-cps.c ++++ b/arch/mips/kernel/smp-cps.c +@@ -338,6 +338,7 @@ static int cps_cpu_disable(void) + atomic_sub(1 << cpu_vpe_id(¤t_cpu_data), &core_cfg->vpe_mask); + smp_mb__after_atomic(); + set_cpu_online(cpu, false); ++ calculate_cpu_foreign_map(); + cpumask_clear_cpu(cpu, &cpu_callin_map); + + return 0; +--- a/arch/mips/kernel/smp.c ++++ b/arch/mips/kernel/smp.c +@@ -118,7 +118,7 @@ static inline void set_cpu_core_map(int + * Calculate a new cpu_foreign_map mask whenever a + * new cpu appears or disappears. + */ +-static inline void calculate_cpu_foreign_map(void) ++void calculate_cpu_foreign_map(void) + { + int i, k, core_present; + cpumask_t temp_foreign_map; +--- a/arch/mips/loongson64/loongson-3/smp.c ++++ b/arch/mips/loongson64/loongson-3/smp.c +@@ -417,6 +417,7 @@ static int loongson3_cpu_disable(void) + return -EBUSY; + + set_cpu_online(cpu, false); ++ calculate_cpu_foreign_map(); + cpumask_clear_cpu(cpu, &cpu_callin_map); + local_irq_save(flags); + fixup_irqs(); diff --git a/queue-4.4/mwifiex-fix-pcie-register-information-for-8997-chipset.patch b/queue-4.4/mwifiex-fix-pcie-register-information-for-8997-chipset.patch new file mode 100644 index 00000000000..d0461242263 --- /dev/null +++ b/queue-4.4/mwifiex-fix-pcie-register-information-for-8997-chipset.patch @@ -0,0 +1,46 @@ +From ce0c58d998410fb91c63a70e749e98bb0e67eb67 Mon Sep 17 00:00:00 2001 +From: Amitkumar Karwar +Date: Wed, 16 Dec 2015 04:21:43 -0800 +Subject: mwifiex: fix PCIe register information for 8997 chipset + +From: Amitkumar Karwar + +commit ce0c58d998410fb91c63a70e749e98bb0e67eb67 upstream. + +This patch corrects some information in mwifiex_pcie_card_reg() +structure for 8997 chipset + +Fixes: 6d85ef00d9dfe ("mwifiex: add support for 8997 chipset") +Signed-off-by: Amitkumar Karwar +Signed-off-by: Shengzhen Li +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mwifiex/pcie.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/mwifiex/pcie.h ++++ b/drivers/net/wireless/mwifiex/pcie.h +@@ -210,17 +210,17 @@ static const struct mwifiex_pcie_card_re + .cmdrsp_addr_lo = PCIE_SCRATCH_4_REG, + .cmdrsp_addr_hi = PCIE_SCRATCH_5_REG, + .tx_rdptr = 0xC1A4, +- .tx_wrptr = 0xC1A8, +- .rx_rdptr = 0xC1A8, ++ .tx_wrptr = 0xC174, ++ .rx_rdptr = 0xC174, + .rx_wrptr = 0xC1A4, + .evt_rdptr = PCIE_SCRATCH_10_REG, + .evt_wrptr = PCIE_SCRATCH_11_REG, + .drv_rdy = PCIE_SCRATCH_12_REG, + .tx_start_ptr = 16, + .tx_mask = 0x0FFF0000, +- .tx_wrap_mask = 0x01FF0000, ++ .tx_wrap_mask = 0x1FFF0000, + .rx_mask = 0x00000FFF, +- .rx_wrap_mask = 0x000001FF, ++ .rx_wrap_mask = 0x00001FFF, + .tx_rollover_ind = BIT(28), + .rx_rollover_ind = BIT(12), + .evt_rollover_ind = MWIFIEX_BD_FLAG_EVT_ROLLOVER_IND, diff --git a/queue-4.4/netfilter-nfnetlink-use-original-skbuff-when-acking-batches.patch b/queue-4.4/netfilter-nfnetlink-use-original-skbuff-when-acking-batches.patch new file mode 100644 index 00000000000..99ca1dc6932 --- /dev/null +++ b/queue-4.4/netfilter-nfnetlink-use-original-skbuff-when-acking-batches.patch @@ -0,0 +1,51 @@ +From 7c7bdf35991bb8f7cfaeaf22ea3a2f2d1967c166 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Sun, 24 Jan 2016 23:08:39 +0100 +Subject: netfilter: nfnetlink: use original skbuff when acking batches + +From: Pablo Neira Ayuso + +commit 7c7bdf35991bb8f7cfaeaf22ea3a2f2d1967c166 upstream. + +Since bd678e09dc17 ("netfilter: nfnetlink: fix splat due to incorrect +socket memory accounting in skbuff clones"), we don't manually attach +the sk to the skbuff clone anymore, so we have to use the original +skbuff from netlink_ack() which needs to access the sk pointer. + +Fixes: bd678e09dc17 ("netfilter: nfnetlink: fix splat due to incorrect socket memory accounting in skbuff clones") +Reported-by: Dmitry Vyukov +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nfnetlink.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/netfilter/nfnetlink.c ++++ b/net/netfilter/nfnetlink.c +@@ -309,14 +309,14 @@ replay: + #endif + { + nfnl_unlock(subsys_id); +- netlink_ack(skb, nlh, -EOPNOTSUPP); ++ netlink_ack(oskb, nlh, -EOPNOTSUPP); + return kfree_skb(skb); + } + } + + if (!ss->commit || !ss->abort) { + nfnl_unlock(subsys_id); +- netlink_ack(skb, nlh, -EOPNOTSUPP); ++ netlink_ack(oskb, nlh, -EOPNOTSUPP); + return kfree_skb(skb); + } + +@@ -406,7 +406,7 @@ ack: + * pointing to the batch header. + */ + nfnl_err_reset(&err_list); +- netlink_ack(skb, nlmsg_hdr(oskb), -ENOMEM); ++ netlink_ack(oskb, nlmsg_hdr(oskb), -ENOMEM); + status |= NFNL_BATCH_FAILURE; + goto done; + } diff --git a/queue-4.4/netlink-not-trim-skb-for-mmaped-socket-when-dump.patch b/queue-4.4/netlink-not-trim-skb-for-mmaped-socket-when-dump.patch new file mode 100644 index 00000000000..89ad6328c75 --- /dev/null +++ b/queue-4.4/netlink-not-trim-skb-for-mmaped-socket-when-dump.patch @@ -0,0 +1,35 @@ +From aa3a022094fac7f6e48050e139fa8a5a2e3265ce Mon Sep 17 00:00:00 2001 +From: Ken-ichirou MATSUZAWA +Date: Fri, 29 Jan 2016 10:45:50 +0900 +Subject: netlink: not trim skb for mmaped socket when dump + +From: Ken-ichirou MATSUZAWA + +commit aa3a022094fac7f6e48050e139fa8a5a2e3265ce upstream. + +We should not trim skb for mmaped socket since its buf size is fixed +and userspace will read as frame which data equals head. mmaped +socket will not call recvmsg, means max_recvmsg_len is 0, +skb_reserve was not called before commit: db65a3aaf29e. + +Fixes: db65a3aaf29e (netlink: Trim skb to alloc size to avoid MSG_TRUNC) +Signed-off-by: Ken-ichirou MATSUZAWA +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/netlink/af_netlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2179,7 +2179,8 @@ static int netlink_dump(struct sock *sk) + * reasonable static buffer based on the expected largest dump of a + * single netdev. The outcome is MSG_TRUNC error. + */ +- skb_reserve(skb, skb_tailroom(skb) - alloc_size); ++ if (!netlink_rx_is_mmaped(sk)) ++ skb_reserve(skb, skb_tailroom(skb) - alloc_size); + netlink_skb_set_owner_r(skb, sk); + + if (nlk->dump_done_errno > 0) diff --git a/queue-4.4/perf-x86-fix-filter_events-bug-with-event-mappings.patch b/queue-4.4/perf-x86-fix-filter_events-bug-with-event-mappings.patch new file mode 100644 index 00000000000..7963c13d5d8 --- /dev/null +++ b/queue-4.4/perf-x86-fix-filter_events-bug-with-event-mappings.patch @@ -0,0 +1,91 @@ +From 61b87cae6361ea6af161c1ffa549898892707b19 Mon Sep 17 00:00:00 2001 +From: Stephane Eranian +Date: Mon, 7 Dec 2015 20:33:25 +0100 +Subject: perf/x86: Fix filter_events() bug with event mappings + +From: Stephane Eranian + +commit 61b87cae6361ea6af161c1ffa549898892707b19 upstream. + +This patch fixes a bug in the filter_events() function. + +The patch fixes the bug whereby if some mappings did not +exist, e.g., STALLED_CYCLES_FRONTEND, then any event after it +in the attrs array would disappear from the published list of +events in /sys/devices/cpu/events. This could be verified +easily on any system post SNB (which do not publish +STALLED_CYCLES_FRONTEND): + + $ ./perf stat -e cycles,ref-cycles true + Performance counter stats for 'true': + 1,217,348 cycles + ref-cycles + +The problem is that in filter_events() there is an assumption +that the argument (attrs) is organized in increasing continuous +event indexes related to the event_map(). But if we remove the +non-supported events by shifing the position in the array, then +the lookup x86_pmu.event_map() needs to compensate for it, otherwise +we are looking up the wrong index. This patch corrects this problem +by compensating for the deleted events and with that ref-cycles +reappears (here shown on Haswell): + + $ perf stat -e ref-cycles,cycles true + Performance counter stats for 'true': + 4,525,910 ref-cycles + 1,064,920 cycles + 0.002943888 seconds time elapsed + +Signed-off-by: Stephane Eranian +Signed-off-by: Peter Zijlstra (Intel) +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: jolsa@kernel.org +Cc: kan.liang@intel.com +Fixes: 8300daa26755 ("perf/x86: Filter out undefined events from sysfs events attribute") +Link: http://lkml.kernel.org/r/1449516805-6637-1-git-send-email-eranian@google.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/perf_event.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/perf_event.c ++++ b/arch/x86/kernel/cpu/perf_event.c +@@ -1550,6 +1550,7 @@ static void __init filter_events(struct + { + struct device_attribute *d; + struct perf_pmu_events_attr *pmu_attr; ++ int offset = 0; + int i, j; + + for (i = 0; attrs[i]; i++) { +@@ -1558,7 +1559,7 @@ static void __init filter_events(struct + /* str trumps id */ + if (pmu_attr->event_str) + continue; +- if (x86_pmu.event_map(i)) ++ if (x86_pmu.event_map(i + offset)) + continue; + + for (j = i; attrs[j]; j++) +@@ -1566,6 +1567,14 @@ static void __init filter_events(struct + + /* Check the shifted attr. */ + i--; ++ ++ /* ++ * event_map() is index based, the attrs array is organized ++ * by increasing event index. If we shift the events, then ++ * we need to compensate for the event_map(), otherwise ++ * we are looking up the wrong event in the map ++ */ ++ offset++; + } + } + diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..f2803513744 --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1,53 @@ +mwifiex-fix-pcie-register-information-for-8997-chipset.patch +drm-qxl-qxl_release-use-after-free.patch +drm-qxl-qxl_release-leak-in-qxl_draw_dirty_fb.patch +staging-rtl8192u-fix-crash-due-to-pointers-being-confusing.patch +usb-gadget-f_acm-fix-configfs-attr-name.patch +usb-gadged-pch_udc-get-rid-of-redundant-assignments.patch +usb-gadget-pch_udc-reorder-spin_lock-to-avoid-deadlock.patch +usb-gadget-udc-core-don-t-starve-dma-resources.patch +mips-fix-macro-typo.patch +mips-ptrace-drop-cp0_tcstatus-from-regoffset_table.patch +mips-bmips-fix-prid_imp_bmips5000-masking-for-bmips5200.patch +mips-smp-cps-stop-printing-ejtag-exceptions-to-uart.patch +mips-scall-handle-seccomp-filters-which-redirect-syscalls.patch +mips-bmips-bmips5000-has-i-cache-filing-from-d-cache.patch +mips-bmips-clear-mips_cache_aliases-earlier.patch +mips-bmips-local_r4k___flush_cache_all-needs-to-blast-s-cache.patch +mips-bmips-pretty-print-bmips5200-processor-name.patch +mips-fix-htw-config-on-xpa-kernel-without-lpa-enabled.patch +mips-bmips-adjust-mips-hpt-frequency-for-bcm7435.patch +mips-math-emu-fix-bc1-eq-ne-z-emulation.patch +mips-fix-bc1-eq-ne-z-return-offset-calculation.patch +mips-math-emu-fix-m-add-sub-.s-shifts.patch +mips-perf-fix-i6400-event-numbers.patch +mips-fix-64-bit-htw-configuration.patch +mips-fix-little-endian-micromips-msa-encodings.patch +mips-kvm-fix-translation-of-mfc0-errctl.patch +mips-smp-update-cpu_foreign_map-on-cpu-disable.patch +mips-c-r4k-fix-protected_writeback_scache_line-for-eva.patch +mips-octeon-off-by-one-in-octeon_irq_gpio_map.patch +bpf-mips-fix-off-by-one-in-ctx-offset-allocation.patch +mips-rm7000-double-locking-bug-in-rm7k_tc_disable.patch +mips-define-at_vector_size_arch-for-arch_dlinfo.patch +mips-panic-replace-smp_send_stop-with-kdump-friendly-version-in-panic-path.patch +arm-dts-armadillo800eva-correct-extal1-frequency-to-24-mhz.patch +arm-imx-select-src-for-i.mx7.patch +arm-dts-kirkwood-gpio-pin-fixes-for-linkstation-ls-wxl-wsxl.patch +arm-dts-kirkwood-gpio-pin-fixes-for-linkstation-ls-wvl-vl.patch +arm-dts-kirkwood-gpio-leds-fixes-for-linkstation-ls-wxl-wsxl.patch +arm-dts-kirkwood-gpio-leds-fixes-for-linkstation-ls-wvl-vl.patch +arm-dts-orion5x-gpio-pin-fixes-for-linkstation-lswtgl.patch +arm-dts-orion5x-fix-the-missing-mtd-flash-on-linkstation-lswtgl.patch +arm-dts-kirkwood-use-unique-machine-name-for-ds112.patch +arm-dts-kirkwood-add-kirkwood-ds112.dtb-to-makefile.patch +arm-omap2-hwmod-fix-_idle-hwmod-state-sanity-check-sequence.patch +perf-x86-fix-filter_events-bug-with-event-mappings.patch +x86-ldt-print-the-real-ldt-base-address.patch +x86-apic-uv-silence-a-shift-wrapping-warning.patch +alsa-fm801-explicitly-free-irq-line.patch +alsa-fm801-propagate-tuner_only-bit-when-autodetected.patch +alsa-fm801-detect-fm-only-card-earlier.patch +netfilter-nfnetlink-use-original-skbuff-when-acking-batches.patch +netlink-not-trim-skb-for-mmaped-socket-when-dump.patch +xfrm-fix-crash-in-xfrm_msg_getsa-netlink-handler.patch diff --git a/queue-4.4/staging-rtl8192u-fix-crash-due-to-pointers-being-confusing.patch b/queue-4.4/staging-rtl8192u-fix-crash-due-to-pointers-being-confusing.patch new file mode 100644 index 00000000000..9cb6536f0b0 --- /dev/null +++ b/queue-4.4/staging-rtl8192u-fix-crash-due-to-pointers-being-confusing.patch @@ -0,0 +1,42 @@ +From c3f463484bdd0acd15abd5f92399041f79592d06 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Thu, 21 Apr 2016 00:19:25 +0100 +Subject: staging: rtl8192u: Fix crash due to pointers being "confusing" + +From: Ben Hutchings + +commit c3f463484bdd0acd15abd5f92399041f79592d06 upstream. + +There's no net_device stashed in skb->cb, there's a net_device * there. + +To make it *really* clear, also change the write of the dev pointer +into skb->cb from a memcpy() to an assignment. + +Fixes: 3fe563249374 ("staging: rtl8192u: r8192U_core.c: Cleaning up ...") +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8192u/r8192U_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/rtl8192u/r8192U_core.c ++++ b/drivers/staging/rtl8192u/r8192U_core.c +@@ -1050,7 +1050,7 @@ static void rtl8192_hard_data_xmit(struc + + spin_lock_irqsave(&priv->tx_lock, flags); + +- memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev)); ++ *(struct net_device **)(skb->cb) = dev; + tcb_desc->bTxEnableFwCalcDur = 1; + skb_push(skb, priv->ieee80211->tx_headroom); + ret = rtl8192_tx(dev, skb); +@@ -1092,7 +1092,7 @@ static int rtl8192_hard_start_xmit(struc + static void rtl8192_tx_isr(struct urb *tx_urb) + { + struct sk_buff *skb = (struct sk_buff *)tx_urb->context; +- struct net_device *dev = (struct net_device *)(skb->cb); ++ struct net_device *dev = *(struct net_device **)(skb->cb); + struct r8192_priv *priv = NULL; + cb_desc *tcb_desc = (cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE); + u8 queue_index = tcb_desc->queue_index; diff --git a/queue-4.4/usb-gadged-pch_udc-get-rid-of-redundant-assignments.patch b/queue-4.4/usb-gadged-pch_udc-get-rid-of-redundant-assignments.patch new file mode 100644 index 00000000000..d78ebbfb510 --- /dev/null +++ b/queue-4.4/usb-gadged-pch_udc-get-rid-of-redundant-assignments.patch @@ -0,0 +1,140 @@ +From 6b968737c3efe7cdaa5407afec972cd7c7d3ca35 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Fri, 18 Mar 2016 16:55:37 +0200 +Subject: usb: gadged: pch_udc: get rid of redundant assignments +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andy Shevchenko + +commit 6b968737c3efe7cdaa5407afec972cd7c7d3ca35 upstream. + +It seems there are leftovers of some assignments which are not used +anymore. Compiler even warns us about: + +drivers/usb/gadget/udc/pch_udc.c:2022:22: warning: variable ‘dev’ set \ +but not used [-Wunused-but-set-variable] + +drivers/usb/gadget/udc/pch_udc.c:2639:9: warning: variable ‘ret’ set \ +but not used [-Wunused-but-set-variable] + +Remove them and shut compiler about. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/pch_udc.c | 18 ++++-------------- + 1 file changed, 4 insertions(+), 14 deletions(-) + +--- a/drivers/usb/gadget/udc/pch_udc.c ++++ b/drivers/usb/gadget/udc/pch_udc.c +@@ -1731,14 +1731,12 @@ static int pch_udc_pcd_ep_enable(struct + static int pch_udc_pcd_ep_disable(struct usb_ep *usbep) + { + struct pch_udc_ep *ep; +- struct pch_udc_dev *dev; + unsigned long iflags; + + if (!usbep) + return -EINVAL; + + ep = container_of(usbep, struct pch_udc_ep, ep); +- dev = ep->dev; + if ((usbep->name == ep0_string) || !ep->ep.desc) + return -EINVAL; + +@@ -1769,12 +1767,10 @@ static struct usb_request *pch_udc_alloc + struct pch_udc_request *req; + struct pch_udc_ep *ep; + struct pch_udc_data_dma_desc *dma_desc; +- struct pch_udc_dev *dev; + + if (!usbep) + return NULL; + ep = container_of(usbep, struct pch_udc_ep, ep); +- dev = ep->dev; + req = kzalloc(sizeof *req, gfp); + if (!req) + return NULL; +@@ -1947,12 +1943,10 @@ static int pch_udc_pcd_dequeue(struct us + { + struct pch_udc_ep *ep; + struct pch_udc_request *req; +- struct pch_udc_dev *dev; + unsigned long flags; + int ret = -EINVAL; + + ep = container_of(usbep, struct pch_udc_ep, ep); +- dev = ep->dev; + if (!usbep || !usbreq || (!ep->ep.desc && ep->num)) + return ret; + req = container_of(usbreq, struct pch_udc_request, req); +@@ -1984,14 +1978,12 @@ static int pch_udc_pcd_dequeue(struct us + static int pch_udc_pcd_set_halt(struct usb_ep *usbep, int halt) + { + struct pch_udc_ep *ep; +- struct pch_udc_dev *dev; + unsigned long iflags; + int ret; + + if (!usbep) + return -EINVAL; + ep = container_of(usbep, struct pch_udc_ep, ep); +- dev = ep->dev; + if (!ep->ep.desc && !ep->num) + return -EINVAL; + if (!ep->dev->driver || (ep->dev->gadget.speed == USB_SPEED_UNKNOWN)) +@@ -2029,14 +2021,12 @@ static int pch_udc_pcd_set_halt(struct u + static int pch_udc_pcd_set_wedge(struct usb_ep *usbep) + { + struct pch_udc_ep *ep; +- struct pch_udc_dev *dev; + unsigned long iflags; + int ret; + + if (!usbep) + return -EINVAL; + ep = container_of(usbep, struct pch_udc_ep, ep); +- dev = ep->dev; + if (!ep->ep.desc && !ep->num) + return -EINVAL; + if (!ep->dev->driver || (ep->dev->gadget.speed == USB_SPEED_UNKNOWN)) +@@ -2646,7 +2636,7 @@ static void pch_udc_svc_enum_interrupt(s + static void pch_udc_svc_intf_interrupt(struct pch_udc_dev *dev) + { + u32 reg, dev_stat = 0; +- int i, ret; ++ int i; + + dev_stat = pch_udc_read_device_status(dev); + dev->cfg_data.cur_intf = (dev_stat & UDC_DEVSTS_INTF_MASK) >> +@@ -2675,7 +2665,7 @@ static void pch_udc_svc_intf_interrupt(s + } + dev->stall = 0; + spin_lock(&dev->lock); +- ret = dev->driver->setup(&dev->gadget, &dev->setup_data); ++ dev->driver->setup(&dev->gadget, &dev->setup_data); + spin_unlock(&dev->lock); + } + +@@ -2686,7 +2676,7 @@ static void pch_udc_svc_intf_interrupt(s + */ + static void pch_udc_svc_cfg_interrupt(struct pch_udc_dev *dev) + { +- int i, ret; ++ int i; + u32 reg, dev_stat = 0; + + dev_stat = pch_udc_read_device_status(dev); +@@ -2712,7 +2702,7 @@ static void pch_udc_svc_cfg_interrupt(st + + /* call gadget zero with setup data received */ + spin_lock(&dev->lock); +- ret = dev->driver->setup(&dev->gadget, &dev->setup_data); ++ dev->driver->setup(&dev->gadget, &dev->setup_data); + spin_unlock(&dev->lock); + } + diff --git a/queue-4.4/usb-gadget-f_acm-fix-configfs-attr-name.patch b/queue-4.4/usb-gadget-f_acm-fix-configfs-attr-name.patch new file mode 100644 index 00000000000..2fa89bbc04c --- /dev/null +++ b/queue-4.4/usb-gadget-f_acm-fix-configfs-attr-name.patch @@ -0,0 +1,36 @@ +From 0561f77e2db9e72dc32e4f82b56fca8ba6b31171 Mon Sep 17 00:00:00 2001 +From: Krzysztof Opasiak +Date: Tue, 1 Mar 2016 12:47:11 +0100 +Subject: usb: gadget: f_acm: Fix configfs attr name + +From: Krzysztof Opasiak + +commit 0561f77e2db9e72dc32e4f82b56fca8ba6b31171 upstream. + +Correct attribute name is port_num not num. + +Fixes: ea6bd6b ("usb-gadget/f_acm: use per-attribute show and store methods") +Reviewed-by: Christoph Hellwig +Signed-off-by: Krzysztof Opasiak +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_acm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/function/f_acm.c ++++ b/drivers/usb/gadget/function/f_acm.c +@@ -779,10 +779,10 @@ static ssize_t f_acm_port_num_show(struc + return sprintf(page, "%u\n", to_f_serial_opts(item)->port_num); + } + +-CONFIGFS_ATTR_RO(f_acm_port_, num); ++CONFIGFS_ATTR_RO(f_acm_, port_num); + + static struct configfs_attribute *acm_attrs[] = { +- &f_acm_port_attr_num, ++ &f_acm_attr_port_num, + NULL, + }; + diff --git a/queue-4.4/usb-gadget-pch_udc-reorder-spin_lock-to-avoid-deadlock.patch b/queue-4.4/usb-gadget-pch_udc-reorder-spin_lock-to-avoid-deadlock.patch new file mode 100644 index 00000000000..50a55257956 --- /dev/null +++ b/queue-4.4/usb-gadget-pch_udc-reorder-spin_lock-to-avoid-deadlock.patch @@ -0,0 +1,95 @@ +From 1d23d16a88e6c8143b07339435ba061b131ebb8c Mon Sep 17 00:00:00 2001 +From: Iago Abal +Date: Tue, 21 Jun 2016 12:01:11 +0200 +Subject: usb: gadget: pch_udc: reorder spin_[un]lock to avoid deadlock + +From: Iago Abal + +commit 1d23d16a88e6c8143b07339435ba061b131ebb8c upstream. + +The above commit reordered spin_lock/unlock and now `&dev->lock' is acquired +(rather than released) before calling `dev->driver->disconnect', +`dev->driver->setup', `dev->driver->suspend', `usb_gadget_giveback_request', and +`usb_gadget_udc_reset'. + +But this *may* not be the right way to fix the problem pointed by d3cb25a12138. + +Note that the other usb/gadget/udc drivers do release the lock before calling +these functions. There are also inconsistencies within pch_udc.c, where +`dev->driver->disconnect' is called while holding `&dev->lock' in lines 613 and +1184, but not in line 2739. + +Finally, commit d3cb25a12138 may have introduced several potential deadlocks. + +For instance, EBA (https://github.com/models-team/eba) reports: + + Double lock in drivers/usb/gadget/udc/pch_udc.c + first at 2791: spin_lock(& dev->lock); [pch_udc_isr] + second at 2694: spin_lock(& dev->lock); [pch_udc_svc_cfg_interrupt] + after calling from 2793: pch_udc_dev_isr(dev, dev_intr); + after calling from 2724: pch_udc_svc_cfg_interrupt(dev); + +Similarly, other potential deadlocks are 2791 -> 2793 -> 2721 -> 2657; and +2791 -> 2793 -> 2711 -> 2573 -> 1499 -> 1480. + +Fixes: d3cb25a12138 ("usb: gadget: udc: fix spin_lock in pch_udc") +Signed-off-by: Iago Abal +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/pch_udc.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/usb/gadget/udc/pch_udc.c ++++ b/drivers/usb/gadget/udc/pch_udc.c +@@ -1488,11 +1488,11 @@ static void complete_req(struct pch_udc_ + req->dma_mapped = 0; + } + ep->halted = 1; +- spin_lock(&dev->lock); ++ spin_unlock(&dev->lock); + if (!ep->in) + pch_udc_ep_clear_rrdy(ep); + usb_gadget_giveback_request(&ep->ep, &req->req); +- spin_unlock(&dev->lock); ++ spin_lock(&dev->lock); + ep->halted = halted; + } + +@@ -2583,9 +2583,9 @@ static void pch_udc_svc_ur_interrupt(str + empty_req_queue(ep); + } + if (dev->driver) { +- spin_lock(&dev->lock); +- usb_gadget_udc_reset(&dev->gadget, dev->driver); + spin_unlock(&dev->lock); ++ usb_gadget_udc_reset(&dev->gadget, dev->driver); ++ spin_lock(&dev->lock); + } + } + +@@ -2664,9 +2664,9 @@ static void pch_udc_svc_intf_interrupt(s + dev->ep[i].halted = 0; + } + dev->stall = 0; +- spin_lock(&dev->lock); +- dev->driver->setup(&dev->gadget, &dev->setup_data); + spin_unlock(&dev->lock); ++ dev->driver->setup(&dev->gadget, &dev->setup_data); ++ spin_lock(&dev->lock); + } + + /** +@@ -2701,9 +2701,9 @@ static void pch_udc_svc_cfg_interrupt(st + dev->stall = 0; + + /* call gadget zero with setup data received */ +- spin_lock(&dev->lock); +- dev->driver->setup(&dev->gadget, &dev->setup_data); + spin_unlock(&dev->lock); ++ dev->driver->setup(&dev->gadget, &dev->setup_data); ++ spin_lock(&dev->lock); + } + + /** diff --git a/queue-4.4/usb-gadget-udc-core-don-t-starve-dma-resources.patch b/queue-4.4/usb-gadget-udc-core-don-t-starve-dma-resources.patch new file mode 100644 index 00000000000..2693bfa4a15 --- /dev/null +++ b/queue-4.4/usb-gadget-udc-core-don-t-starve-dma-resources.patch @@ -0,0 +1,31 @@ +From 23fd537c9508fb6e3b93ddf23982f51afc087781 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi +Date: Wed, 24 Aug 2016 14:33:27 +0300 +Subject: usb: gadget: udc: core: don't starve DMA resources + +From: Felipe Balbi + +commit 23fd537c9508fb6e3b93ddf23982f51afc087781 upstream. + +Always unmap all SG entries as required by DMA API + +Fixes: a698908d3b3b ("usb: gadget: add generic map/unmap request utilities") +Cc: # v3.4+ +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/udc-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/udc/udc-core.c ++++ b/drivers/usb/gadget/udc/udc-core.c +@@ -97,7 +97,7 @@ void usb_gadget_unmap_request(struct usb + return; + + if (req->num_mapped_sgs) { +- dma_unmap_sg(gadget->dev.parent, req->sg, req->num_mapped_sgs, ++ dma_unmap_sg(gadget->dev.parent, req->sg, req->num_sgs, + is_in ? DMA_TO_DEVICE : DMA_FROM_DEVICE); + + req->num_mapped_sgs = 0; diff --git a/queue-4.4/x86-apic-uv-silence-a-shift-wrapping-warning.patch b/queue-4.4/x86-apic-uv-silence-a-shift-wrapping-warning.patch new file mode 100644 index 00000000000..7092994149f --- /dev/null +++ b/queue-4.4/x86-apic-uv-silence-a-shift-wrapping-warning.patch @@ -0,0 +1,49 @@ +From c4597fd756836a5fb7900f2091797ab564390ad0 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 24 Nov 2016 01:19:08 +0300 +Subject: x86/apic/uv: Silence a shift wrapping warning + +From: Dan Carpenter + +commit c4597fd756836a5fb7900f2091797ab564390ad0 upstream. + +'m_io' is stored in 6 bits so it's a number in the 0-63 range. Static +analysis tools complain that 1 << 63 will wrap so I have changed it to +1ULL << m_io. + +This code is over three years old so presumably the bug doesn't happen +very frequently in real life or someone would have complained by now. + +Signed-off-by: Dan Carpenter +Cc: Alex Thorlton +Cc: Dimitri Sivanich +Cc: Linus Torvalds +Cc: Mike Travis +Cc: Nathan Zimmer +Cc: Peter Zijlstra +Cc: Sebastian Andrzej Siewior +Cc: Thomas Gleixner +Cc: kernel-janitors@vger.kernel.org +Fixes: b15cc4a12bed ("x86, uv, uv3: Update x2apic Support for SGI UV3") +Link: http://lkml.kernel.org/r/20161123221908.GA23997@mwanda +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/x2apic_uv_x.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/apic/x2apic_uv_x.c ++++ b/arch/x86/kernel/apic/x2apic_uv_x.c +@@ -648,9 +648,9 @@ static __init void map_mmioh_high_uv3(in + l = li; + } + addr1 = (base << shift) + +- f * (unsigned long)(1 << m_io); ++ f * (1ULL << m_io); + addr2 = (base << shift) + +- (l + 1) * (unsigned long)(1 << m_io); ++ (l + 1) * (1ULL << m_io); + pr_info("UV: %s[%03d..%03d] NASID 0x%04x ADDR 0x%016lx - 0x%016lx\n", + id, fi, li, lnasid, addr1, addr2); + if (max_io < l) diff --git a/queue-4.4/x86-ldt-print-the-real-ldt-base-address.patch b/queue-4.4/x86-ldt-print-the-real-ldt-base-address.patch new file mode 100644 index 00000000000..23e075a301e --- /dev/null +++ b/queue-4.4/x86-ldt-print-the-real-ldt-base-address.patch @@ -0,0 +1,34 @@ +From 0d430e3fb3f7cdc13c0d22078b820f682821b45a Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Tue, 22 Dec 2015 08:42:44 -0700 +Subject: x86/LDT: Print the real LDT base address + +From: Jan Beulich + +commit 0d430e3fb3f7cdc13c0d22078b820f682821b45a upstream. + +This was meant to print base address and entry count; make it do so +again. + +Fixes: 37868fe113ff "x86/ldt: Make modify_ldt synchronous" +Signed-off-by: Jan Beulich +Acked-by: Andy Lutomirski +Link: http://lkml.kernel.org/r/56797D8402000078000C24F0@prv-mh.provo.novell.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/process_64.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/process_64.c ++++ b/arch/x86/kernel/process_64.c +@@ -128,7 +128,7 @@ void release_thread(struct task_struct * + if (dead_task->mm->context.ldt) { + pr_warn("WARNING: dead process %s still has LDT? <%p/%d>\n", + dead_task->comm, +- dead_task->mm->context.ldt, ++ dead_task->mm->context.ldt->entries, + dead_task->mm->context.ldt->size); + BUG(); + } diff --git a/queue-4.4/xfrm-fix-crash-in-xfrm_msg_getsa-netlink-handler.patch b/queue-4.4/xfrm-fix-crash-in-xfrm_msg_getsa-netlink-handler.patch new file mode 100644 index 00000000000..fb4a99e8ff9 --- /dev/null +++ b/queue-4.4/xfrm-fix-crash-in-xfrm_msg_getsa-netlink-handler.patch @@ -0,0 +1,58 @@ +From 1ba5bf993c6a3142e18e68ea6452b347f9cb5635 Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Tue, 5 Jul 2016 10:18:08 +0200 +Subject: xfrm: fix crash in XFRM_MSG_GETSA netlink handler + +From: Vegard Nossum + +commit 1ba5bf993c6a3142e18e68ea6452b347f9cb5635 upstream. + +If we hit any of the error conditions inside xfrm_dump_sa(), then +xfrm_state_walk_init() never gets called. However, we still call +xfrm_state_walk_done() from xfrm_dump_sa_done(), which will crash +because the state walk was never initialized properly. + +We can fix this by setting cb->args[0] only after we've processed the +first element and checking this before calling xfrm_state_walk_done(). + +Fixes: d3623099d3 ("ipsec: add support of limited SA dump") +Cc: Nicolas Dichtel +Cc: Steffen Klassert +Signed-off-by: Vegard Nossum +Acked-by: Nicolas Dichtel +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/xfrm/xfrm_user.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -923,7 +923,8 @@ static int xfrm_dump_sa_done(struct netl + struct sock *sk = cb->skb->sk; + struct net *net = sock_net(sk); + +- xfrm_state_walk_done(walk, net); ++ if (cb->args[0]) ++ xfrm_state_walk_done(walk, net); + return 0; + } + +@@ -948,8 +949,6 @@ static int xfrm_dump_sa(struct sk_buff * + u8 proto = 0; + int err; + +- cb->args[0] = 1; +- + err = nlmsg_parse(cb->nlh, 0, attrs, XFRMA_MAX, + xfrma_policy); + if (err < 0) +@@ -966,6 +965,7 @@ static int xfrm_dump_sa(struct sk_buff * + proto = nla_get_u8(attrs[XFRMA_PROTO]); + + xfrm_state_walk_init(walk, proto, filter); ++ cb->args[0] = 1; + } + + (void) xfrm_state_walk(net, walk, dump_one_state, &info); -- 2.47.3