--- /dev/null
+From 88960068f25fcc3759455d85460234dcc9d43fef Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Sat, 22 Dec 2018 11:22:26 +0100
+Subject: f2fs: fix validation of the block count in sanity_check_raw_super
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+commit 88960068f25fcc3759455d85460234dcc9d43fef upstream.
+
+Treat "block_count" from struct f2fs_super_block as 64-bit little endian
+value in sanity_check_raw_super() because struct f2fs_super_block
+declares "block_count" as "__le64".
+
+This fixes a bug where the superblock validation fails on big endian
+devices with the following error:
+ F2FS-fs (sda1): Wrong segment_count / block_count (61439 > 0)
+ F2FS-fs (sda1): Can't find valid F2FS filesystem in 1th superblock
+ F2FS-fs (sda1): Wrong segment_count / block_count (61439 > 0)
+ F2FS-fs (sda1): Can't find valid F2FS filesystem in 2th superblock
+As result of this the partition cannot be mounted.
+
+With this patch applied the superblock validation works fine and the
+partition can be mounted again:
+ F2FS-fs (sda1): Mounted with checkpoint version = 7c84
+
+My little endian x86-64 hardware was able to mount the partition without
+this fix.
+To confirm that mounting f2fs filesystems works on big endian machines
+again I tested this on a 32-bit MIPS big endian (lantiq) device.
+
+Fixes: 0cfe75c5b01199 ("f2fs: enhance sanity_check_raw_super() to avoid potential overflows")
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/super.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1897,10 +1897,10 @@ static int sanity_check_raw_super(struct
+ return 1;
+ }
+
+- if (segment_count > (le32_to_cpu(raw_super->block_count) >> 9)) {
++ if (segment_count > (le64_to_cpu(raw_super->block_count) >> 9)) {
+ f2fs_msg(sb, KERN_INFO,
+- "Wrong segment_count / block_count (%u > %u)",
+- segment_count, le32_to_cpu(raw_super->block_count));
++ "Wrong segment_count / block_count (%u > %llu)",
++ segment_count, le64_to_cpu(raw_super->block_count));
+ return 1;
+ }
+
--- /dev/null
+From e5f71a27fa12c1a1b02ad478a568e76260f1815e Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Thu, 8 Nov 2018 11:12:47 -0500
+Subject: media: v4l2-tpg: array index could become negative
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit e5f71a27fa12c1a1b02ad478a568e76260f1815e upstream.
+
+text[s] is a signed char, so using that as index into the font8x16 array
+can result in negative indices. Cast it to u8 to be safe.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: syzbot+ccf0a61ed12f2a7313ee@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org> # for v4.7 and up
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
+@@ -1733,7 +1733,7 @@ typedef struct { u16 __; u8 _; } __packe
+ unsigned s; \
+ \
+ for (s = 0; s < len; s++) { \
+- u8 chr = font8x16[text[s] * 16 + line]; \
++ u8 chr = font8x16[(u8)text[s] * 16 + line]; \
+ \
+ if (hdiv == 2 && tpg->hflip) { \
+ pos[3] = (chr & (0x01 << 6) ? fg : bg); \
--- /dev/null
+From 560ccb75c2caa6b1039dec1a53cd2ef526f5bf03 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Fri, 9 Nov 2018 08:37:44 -0500
+Subject: media: vivid: free bitmap_cap when updating std/timings/etc.
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit 560ccb75c2caa6b1039dec1a53cd2ef526f5bf03 upstream.
+
+When vivid_update_format_cap() is called it should free any overlay
+bitmap since the compose size will change.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: syzbot+0cc8e3cc63ca373722c6@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org> # for v3.18 and up
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/vivid/vivid-vid-cap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/vivid/vivid-vid-cap.c
++++ b/drivers/media/platform/vivid/vivid-vid-cap.c
+@@ -455,6 +455,8 @@ void vivid_update_format_cap(struct vivi
+ tpg_s_rgb_range(&dev->tpg, v4l2_ctrl_g_ctrl(dev->rgb_range_cap));
+ break;
+ }
++ vfree(dev->bitmap_cap);
++ dev->bitmap_cap = NULL;
+ vivid_update_quality(dev);
+ tpg_reset_source(&dev->tpg, dev->src_rect.width, dev->src_rect.height, dev->field_cap);
+ dev->crop_cap = dev->src_rect;
--- /dev/null
+From bec0de4cfad21bd284dbddee016ed1767a5d2823 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Thu, 15 Nov 2018 15:53:56 +0800
+Subject: MIPS: Align kernel load address to 64KB
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit bec0de4cfad21bd284dbddee016ed1767a5d2823 upstream.
+
+KEXEC needs the new kernel's load address to be aligned on a page
+boundary (see sanity_check_segment_list()), but on MIPS the default
+vmlinuz load address is only explicitly aligned to 16 bytes.
+
+Since the largest PAGE_SIZE supported by MIPS kernels is 64KB, increase
+the alignment calculated by calc_vmlinuz_load_addr to 64KB.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/21131/
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <james.hogan@mips.com>
+Cc: Steven J . Hill <Steven.Hill@cavium.com>
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: <stable@vger.kernel.org> # 2.6.36+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/boot/compressed/calc_vmlinuz_load_addr.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
++++ b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
+@@ -13,6 +13,7 @@
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include "../../../../include/linux/sizes.h"
+
+ int main(int argc, char *argv[])
+ {
+@@ -45,11 +46,11 @@ int main(int argc, char *argv[])
+ vmlinuz_load_addr = vmlinux_load_addr + vmlinux_size;
+
+ /*
+- * Align with 16 bytes: "greater than that used for any standard data
+- * types by a MIPS compiler." -- See MIPS Run Linux (Second Edition).
++ * Align with 64KB: KEXEC needs load sections to be aligned to PAGE_SIZE,
++ * which may be as large as 64KB depending on the kernel configuration.
+ */
+
+- vmlinuz_load_addr += (16 - vmlinux_size % 16);
++ vmlinuz_load_addr += (SZ_64K - vmlinux_size % SZ_64K);
+
+ printf("0x%llx\n", vmlinuz_load_addr);
+
--- /dev/null
+From bb53fdf395eed103f85061bfff3b116cee123895 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Thu, 15 Nov 2018 15:53:53 +0800
+Subject: MIPS: c-r4k: Add r4k_blast_scache_node for Loongson-3
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit bb53fdf395eed103f85061bfff3b116cee123895 upstream.
+
+For multi-node Loongson-3 (NUMA configuration), r4k_blast_scache() can
+only flush Node-0's scache. So we add r4k_blast_scache_node() by using
+(CAC_BASE | (node_id << NODE_ADDRSPACE_SHIFT)) instead of CKSEG0 as the
+start address.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+[paul.burton@mips.com: Include asm/mmzone.h from asm/r4kcache.h for
+ nid_to_addrbase(). Add asm/mach-generic/mmzone.h
+ to allow inclusion for all platforms.]
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/21129/
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <james.hogan@mips.com>
+Cc: Steven J . Hill <Steven.Hill@cavium.com>
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: <stable@vger.kernel.org> # 3.15+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/mach-generic/mmzone.h | 2 +
+ arch/mips/include/asm/mach-loongson64/mmzone.h | 1
+ arch/mips/include/asm/mmzone.h | 8 ++++
+ arch/mips/include/asm/r4kcache.h | 22 ++++++++++++
+ arch/mips/mm/c-r4k.c | 44 +++++++++++++++++++++----
+ 5 files changed, 70 insertions(+), 7 deletions(-)
+
+--- /dev/null
++++ b/arch/mips/include/asm/mach-generic/mmzone.h
+@@ -0,0 +1,2 @@
++// SPDX-License-Identifier: GPL-2.0
++/* Intentionally empty */
+--- a/arch/mips/include/asm/mach-loongson64/mmzone.h
++++ b/arch/mips/include/asm/mach-loongson64/mmzone.h
+@@ -21,6 +21,7 @@
+ #define NODE3_ADDRSPACE_OFFSET 0x300000000000UL
+
+ #define pa_to_nid(addr) (((addr) & 0xf00000000000) >> NODE_ADDRSPACE_SHIFT)
++#define nid_to_addrbase(nid) ((nid) << NODE_ADDRSPACE_SHIFT)
+
+ #define LEVELS_PER_SLICE 128
+
+--- a/arch/mips/include/asm/mmzone.h
++++ b/arch/mips/include/asm/mmzone.h
+@@ -9,6 +9,14 @@
+ #include <asm/page.h>
+ #include <mmzone.h>
+
++#ifndef pa_to_nid
++#define pa_to_nid(addr) 0
++#endif
++
++#ifndef nid_to_addrbase
++#define nid_to_addrbase(nid) 0
++#endif
++
+ #ifdef CONFIG_DISCONTIGMEM
+
+ #define pfn_to_nid(pfn) pa_to_nid((pfn) << PAGE_SHIFT)
+--- a/arch/mips/include/asm/r4kcache.h
++++ b/arch/mips/include/asm/r4kcache.h
+@@ -20,6 +20,7 @@
+ #include <asm/cpu-features.h>
+ #include <asm/cpu-type.h>
+ #include <asm/mipsmtregs.h>
++#include <asm/mmzone.h>
+ #include <linux/uaccess.h> /* for uaccess_kernel() */
+
+ extern void (*r4k_blast_dcache)(void);
+@@ -747,4 +748,25 @@ __BUILD_BLAST_CACHE_RANGE(s, scache, Hit
+ __BUILD_BLAST_CACHE_RANGE(inv_d, dcache, Hit_Invalidate_D, , )
+ __BUILD_BLAST_CACHE_RANGE(inv_s, scache, Hit_Invalidate_SD, , )
+
++/* Currently, this is very specific to Loongson-3 */
++#define __BUILD_BLAST_CACHE_NODE(pfx, desc, indexop, hitop, lsize) \
++static inline void blast_##pfx##cache##lsize##_node(long node) \
++{ \
++ unsigned long start = CAC_BASE | nid_to_addrbase(node); \
++ unsigned long end = start + current_cpu_data.desc.waysize; \
++ unsigned long ws_inc = 1UL << current_cpu_data.desc.waybit; \
++ unsigned long ws_end = current_cpu_data.desc.ways << \
++ current_cpu_data.desc.waybit; \
++ unsigned long ws, addr; \
++ \
++ for (ws = 0; ws < ws_end; ws += ws_inc) \
++ for (addr = start; addr < end; addr += lsize * 32) \
++ cache##lsize##_unroll32(addr|ws, indexop); \
++}
++
++__BUILD_BLAST_CACHE_NODE(s, scache, Index_Writeback_Inv_SD, Hit_Writeback_Inv_SD, 16)
++__BUILD_BLAST_CACHE_NODE(s, scache, Index_Writeback_Inv_SD, Hit_Writeback_Inv_SD, 32)
++__BUILD_BLAST_CACHE_NODE(s, scache, Index_Writeback_Inv_SD, Hit_Writeback_Inv_SD, 64)
++__BUILD_BLAST_CACHE_NODE(s, scache, Index_Writeback_Inv_SD, Hit_Writeback_Inv_SD, 128)
++
+ #endif /* _ASM_R4KCACHE_H */
+--- a/arch/mips/mm/c-r4k.c
++++ b/arch/mips/mm/c-r4k.c
+@@ -459,11 +459,28 @@ static void r4k_blast_scache_setup(void)
+ r4k_blast_scache = blast_scache128;
+ }
+
++static void (*r4k_blast_scache_node)(long node);
++
++static void r4k_blast_scache_node_setup(void)
++{
++ unsigned long sc_lsize = cpu_scache_line_size();
++
++ if (current_cpu_type() != CPU_LOONGSON3)
++ r4k_blast_scache_node = (void *)cache_noop;
++ else if (sc_lsize == 16)
++ r4k_blast_scache_node = blast_scache16_node;
++ else if (sc_lsize == 32)
++ r4k_blast_scache_node = blast_scache32_node;
++ else if (sc_lsize == 64)
++ r4k_blast_scache_node = blast_scache64_node;
++ else if (sc_lsize == 128)
++ r4k_blast_scache_node = blast_scache128_node;
++}
++
+ static inline void local_r4k___flush_cache_all(void * args)
+ {
+ switch (current_cpu_type()) {
+ case CPU_LOONGSON2:
+- case CPU_LOONGSON3:
+ case CPU_R4000SC:
+ case CPU_R4000MC:
+ case CPU_R4400SC:
+@@ -480,6 +497,11 @@ static inline void local_r4k___flush_cac
+ r4k_blast_scache();
+ break;
+
++ case CPU_LOONGSON3:
++ /* Use get_ebase_cpunum() for both NUMA=y/n */
++ r4k_blast_scache_node(get_ebase_cpunum() >> 2);
++ break;
++
+ case CPU_BMIPS5000:
+ r4k_blast_scache();
+ __sync();
+@@ -840,10 +862,14 @@ static void r4k_dma_cache_wback_inv(unsi
+
+ preempt_disable();
+ if (cpu_has_inclusive_pcaches) {
+- if (size >= scache_size)
+- r4k_blast_scache();
+- else
++ if (size >= scache_size) {
++ if (current_cpu_type() != CPU_LOONGSON3)
++ r4k_blast_scache();
++ else
++ r4k_blast_scache_node(pa_to_nid(addr));
++ } else {
+ blast_scache_range(addr, addr + size);
++ }
+ preempt_enable();
+ __sync();
+ return;
+@@ -877,9 +903,12 @@ static void r4k_dma_cache_inv(unsigned l
+
+ preempt_disable();
+ if (cpu_has_inclusive_pcaches) {
+- if (size >= scache_size)
+- r4k_blast_scache();
+- else {
++ if (size >= scache_size) {
++ if (current_cpu_type() != CPU_LOONGSON3)
++ r4k_blast_scache();
++ else
++ r4k_blast_scache_node(pa_to_nid(addr));
++ } else {
+ /*
+ * There is no clearly documented alignment requirement
+ * for the cache instruction on MIPS processors and
+@@ -1910,6 +1939,7 @@ void r4k_cache_init(void)
+ r4k_blast_scache_page_setup();
+ r4k_blast_scache_page_indexed_setup();
+ r4k_blast_scache_setup();
++ r4k_blast_scache_node_setup();
+ #ifdef CONFIG_EVA
+ r4k_blast_dcache_user_page_setup();
+ r4k_blast_icache_user_page_setup();
--- /dev/null
+From 92aa0718c9fa5160ad2f0e7b5bffb52f1ea1e51a Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Thu, 15 Nov 2018 15:53:54 +0800
+Subject: MIPS: Ensure pmd_present() returns false after pmd_mknotpresent()
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit 92aa0718c9fa5160ad2f0e7b5bffb52f1ea1e51a upstream.
+
+This patch is borrowed from ARM64 to ensure pmd_present() returns false
+after pmd_mknotpresent(). This is needed for THP.
+
+References: 5bb1cc0ff9a6 ("arm64: Ensure pmd_present() returns false after pmd_mknotpresent()")
+Reviewed-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/21135/
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <james.hogan@mips.com>
+Cc: Steven J . Hill <Steven.Hill@cavium.com>
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: <stable@vger.kernel.org> # 3.8+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/pgtable-64.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/mips/include/asm/pgtable-64.h
++++ b/arch/mips/include/asm/pgtable-64.h
+@@ -271,6 +271,11 @@ static inline int pmd_bad(pmd_t pmd)
+
+ static inline int pmd_present(pmd_t pmd)
+ {
++#ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT
++ if (unlikely(pmd_val(pmd) & _PAGE_HUGE))
++ return pmd_val(pmd) & _PAGE_PRESENT;
++#endif
++
+ return pmd_val(pmd) != (unsigned long) invalid_pte_table;
+ }
+
--- /dev/null
+From ff4dd232ec45a0e45ea69f28f069f2ab22b4908a Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@mips.com>
+Date: Tue, 4 Dec 2018 23:44:12 +0000
+Subject: MIPS: Expand MIPS32 ASIDs to 64 bits
+
+From: Paul Burton <paul.burton@mips.com>
+
+commit ff4dd232ec45a0e45ea69f28f069f2ab22b4908a upstream.
+
+ASIDs have always been stored as unsigned longs, ie. 32 bits on MIPS32
+kernels. This is problematic because it is feasible for the ASID version
+to overflow & wrap around to zero.
+
+We currently attempt to handle this overflow by simply setting the ASID
+version to 1, using asid_first_version(), but we make no attempt to
+account for the fact that there may be mm_structs with stale ASIDs that
+have versions which we now reuse due to the overflow & wrap around.
+
+Encountering this requires that:
+
+ 1) A struct mm_struct X is active on CPU A using ASID (V,n).
+
+ 2) That mm is not used on CPU A for the length of time that it takes
+ for CPU A's asid_cache to overflow & wrap around to the same
+ version V that the mm had in step 1. During this time tasks using
+ the mm could either be sleeping or only scheduled on other CPUs.
+
+ 3) Some other mm Y becomes active on CPU A and is allocated the same
+ ASID (V,n).
+
+ 4) mm X now becomes active on CPU A again, and now incorrectly has the
+ same ASID as mm Y.
+
+Where struct mm_struct ASIDs are represented above in the format
+(version, EntryHi.ASID), and on a typical MIPS32 system version will be
+24 bits wide & EntryHi.ASID will be 8 bits wide.
+
+The length of time required in step 2 is highly dependent upon the CPU &
+workload, but for a hypothetical 2GHz CPU running a workload which
+generates a new ASID every 10000 cycles this period is around 248 days.
+Due to this long period of time & the fact that tasks need to be
+scheduled in just the right (or wrong, depending upon your inclination)
+way, this is obviously a difficult bug to encounter but it's entirely
+possible as evidenced by reports.
+
+In order to fix this, simply extend ASIDs to 64 bits even on MIPS32
+builds. This will extend the period of time required for the
+hypothetical system above to encounter the problem from 28 days to
+around 3 trillion years, which feels safely outside of the realms of
+possibility.
+
+The cost of this is slightly more generated code in some commonly
+executed paths, but this is pretty minimal:
+
+ | Code Size Gain | Percentage
+ -----------------------|----------------|-------------
+ decstation_defconfig | +270 | +0.00%
+ 32r2el_defconfig | +652 | +0.01%
+ 32r6el_defconfig | +1000 | +0.01%
+
+I have been unable to measure any change in performance of the LMbench
+lat_ctx or lat_proc tests resulting from the 64b ASIDs on either
+32r2el_defconfig+interAptiv or 32r6el_defconfig+I6500 systems.
+
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Suggested-by: James Hogan <jhogan@kernel.org>
+References: https://lore.kernel.org/linux-mips/80B78A8B8FEE6145A87579E8435D78C30205D5F3@fzex.ruijie.com.cn/
+References: https://lore.kernel.org/linux-mips/1488684260-18867-1-git-send-email-jiwei.sun@windriver.com/
+Cc: Jiwei Sun <jiwei.sun@windriver.com>
+Cc: Yu Huabing <yhb@ruijie.com.cn>
+Cc: stable@vger.kernel.org # 2.6.12+
+Cc: linux-mips@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/cpu-info.h | 2 +-
+ arch/mips/include/asm/mmu.h | 2 +-
+ arch/mips/include/asm/mmu_context.h | 10 ++++------
+ arch/mips/mm/c-r3k.c | 2 +-
+ 4 files changed, 7 insertions(+), 9 deletions(-)
+
+--- a/arch/mips/include/asm/cpu-info.h
++++ b/arch/mips/include/asm/cpu-info.h
+@@ -50,7 +50,7 @@ struct guest_info {
+ #define MIPS_CACHE_PINDEX 0x00000020 /* Physically indexed cache */
+
+ struct cpuinfo_mips {
+- unsigned long asid_cache;
++ u64 asid_cache;
+ #ifdef CONFIG_MIPS_ASID_BITS_VARIABLE
+ unsigned long asid_mask;
+ #endif
+--- a/arch/mips/include/asm/mmu.h
++++ b/arch/mips/include/asm/mmu.h
+@@ -7,7 +7,7 @@
+ #include <linux/wait.h>
+
+ typedef struct {
+- unsigned long asid[NR_CPUS];
++ u64 asid[NR_CPUS];
+ void *vdso;
+ atomic_t fp_mode_switching;
+
+--- a/arch/mips/include/asm/mmu_context.h
++++ b/arch/mips/include/asm/mmu_context.h
+@@ -75,14 +75,14 @@ extern unsigned long pgd_current[];
+ * All unused by hardware upper bits will be considered
+ * as a software asid extension.
+ */
+-static unsigned long asid_version_mask(unsigned int cpu)
++static inline u64 asid_version_mask(unsigned int cpu)
+ {
+ unsigned long asid_mask = cpu_asid_mask(&cpu_data[cpu]);
+
+- return ~(asid_mask | (asid_mask - 1));
++ return ~(u64)(asid_mask | (asid_mask - 1));
+ }
+
+-static unsigned long asid_first_version(unsigned int cpu)
++static inline u64 asid_first_version(unsigned int cpu)
+ {
+ return ~asid_version_mask(cpu) + 1;
+ }
+@@ -101,14 +101,12 @@ static inline void enter_lazy_tlb(struct
+ static inline void
+ get_new_mmu_context(struct mm_struct *mm, unsigned long cpu)
+ {
+- unsigned long asid = asid_cache(cpu);
++ u64 asid = asid_cache(cpu);
+
+ if (!((asid += cpu_asid_inc()) & cpu_asid_mask(&cpu_data[cpu]))) {
+ if (cpu_has_vtag_icache)
+ flush_icache_all();
+ local_flush_tlb_all(); /* start new asid cycle */
+- if (!asid) /* fix version if needed */
+- asid = asid_first_version(cpu);
+ }
+
+ cpu_context(cpu, mm) = asid_cache(cpu) = asid;
+--- a/arch/mips/mm/c-r3k.c
++++ b/arch/mips/mm/c-r3k.c
+@@ -245,7 +245,7 @@ static void r3k_flush_cache_page(struct
+ pmd_t *pmdp;
+ pte_t *ptep;
+
+- pr_debug("cpage[%08lx,%08lx]\n",
++ pr_debug("cpage[%08llx,%08lx]\n",
+ cpu_context(smp_processor_id(), mm), addr);
+
+ /* No ASID => no such page in the cache. */
--- /dev/null
+From adcc81f148d733b7e8e641300c5590a2cdc13bf3 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@mips.com>
+Date: Thu, 20 Dec 2018 17:45:43 +0000
+Subject: MIPS: math-emu: Write-protect delay slot emulation pages
+
+From: Paul Burton <paul.burton@mips.com>
+
+commit adcc81f148d733b7e8e641300c5590a2cdc13bf3 upstream.
+
+Mapping the delay slot emulation page as both writeable & executable
+presents a security risk, in that if an exploit can write to & jump into
+the page then it can be used as an easy way to execute arbitrary code.
+
+Prevent this by mapping the page read-only for userland, and using
+access_process_vm() with the FOLL_FORCE flag to write to it from
+mips_dsemul().
+
+This will likely be less efficient due to copy_to_user_page() performing
+cache maintenance on a whole page, rather than a single line as in the
+previous use of flush_cache_sigtramp(). However this delay slot
+emulation code ought not to be running in any performance critical paths
+anyway so this isn't really a problem, and we can probably do better in
+copy_to_user_page() anyway in future.
+
+A major advantage of this approach is that the fix is small & simple to
+backport to stable kernels.
+
+Reported-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions")
+Cc: stable@vger.kernel.org # v4.8+
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: Rich Felker <dalias@libc.org>
+Cc: David Daney <david.daney@cavium.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/vdso.c | 4 ++--
+ arch/mips/math-emu/dsemul.c | 38 ++++++++++++++++++++------------------
+ 2 files changed, 22 insertions(+), 20 deletions(-)
+
+--- a/arch/mips/kernel/vdso.c
++++ b/arch/mips/kernel/vdso.c
+@@ -126,8 +126,8 @@ int arch_setup_additional_pages(struct l
+
+ /* Map delay slot emulation page */
+ base = mmap_region(NULL, STACK_TOP, PAGE_SIZE,
+- VM_READ|VM_WRITE|VM_EXEC|
+- VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
++ VM_READ | VM_EXEC |
++ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
+ 0, NULL);
+ if (IS_ERR_VALUE(base)) {
+ ret = base;
+--- a/arch/mips/math-emu/dsemul.c
++++ b/arch/mips/math-emu/dsemul.c
+@@ -214,8 +214,9 @@ int mips_dsemul(struct pt_regs *regs, mi
+ {
+ int isa16 = get_isa16_mode(regs->cp0_epc);
+ mips_instruction break_math;
+- struct emuframe __user *fr;
+- int err, fr_idx;
++ unsigned long fr_uaddr;
++ struct emuframe fr;
++ int fr_idx, ret;
+
+ /* NOP is easy */
+ if (ir == 0)
+@@ -250,27 +251,31 @@ int mips_dsemul(struct pt_regs *regs, mi
+ fr_idx = alloc_emuframe();
+ if (fr_idx == BD_EMUFRAME_NONE)
+ return SIGBUS;
+- fr = &dsemul_page()[fr_idx];
+
+ /* Retrieve the appropriately encoded break instruction */
+ break_math = BREAK_MATH(isa16);
+
+ /* Write the instructions to the frame */
+ if (isa16) {
+- err = __put_user(ir >> 16,
+- (u16 __user *)(&fr->emul));
+- err |= __put_user(ir & 0xffff,
+- (u16 __user *)((long)(&fr->emul) + 2));
+- err |= __put_user(break_math >> 16,
+- (u16 __user *)(&fr->badinst));
+- err |= __put_user(break_math & 0xffff,
+- (u16 __user *)((long)(&fr->badinst) + 2));
++ union mips_instruction _emul = {
++ .halfword = { ir >> 16, ir }
++ };
++ union mips_instruction _badinst = {
++ .halfword = { break_math >> 16, break_math }
++ };
++
++ fr.emul = _emul.word;
++ fr.badinst = _badinst.word;
+ } else {
+- err = __put_user(ir, &fr->emul);
+- err |= __put_user(break_math, &fr->badinst);
++ fr.emul = ir;
++ fr.badinst = break_math;
+ }
+
+- if (unlikely(err)) {
++ /* Write the frame to user memory */
++ fr_uaddr = (unsigned long)&dsemul_page()[fr_idx];
++ ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr),
++ FOLL_FORCE | FOLL_WRITE);
++ if (unlikely(ret != sizeof(fr))) {
+ MIPS_FPU_EMU_INC_STATS(errors);
+ free_emuframe(fr_idx, current->mm);
+ return SIGBUS;
+@@ -282,10 +287,7 @@ int mips_dsemul(struct pt_regs *regs, mi
+ atomic_set(¤t->thread.bd_emu_frame, fr_idx);
+
+ /* Change user register context to execute the frame */
+- regs->cp0_epc = (unsigned long)&fr->emul | isa16;
+-
+- /* Ensure the icache observes our newly written frame */
+- flush_cache_sigtramp((unsigned long)&fr->emul);
++ regs->cp0_epc = fr_uaddr | isa16;
+
+ return 0;
+ }
--- /dev/null
+From edefae94b7b9f10d5efe32dece5a36e9d9ecc29e Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Wed, 2 Jan 2019 20:43:01 +0200
+Subject: MIPS: OCTEON: mark RGMII interface disabled on OCTEON III
+
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+
+commit edefae94b7b9f10d5efe32dece5a36e9d9ecc29e upstream.
+
+Commit 885872b722b7 ("MIPS: Octeon: Add Octeon III CN7xxx
+interface detection") added RGMII interface detection for OCTEON III,
+but it results in the following logs:
+
+[ 7.165984] ERROR: Unsupported Octeon model in __cvmx_helper_rgmii_probe
+[ 7.173017] ERROR: Unsupported Octeon model in __cvmx_helper_rgmii_probe
+
+The current RGMII routines are valid only for older OCTEONS that
+use GMX/ASX hardware blocks. On later chips AGL should be used,
+but support for that is missing in the mainline. Until that is added,
+mark the interface as disabled.
+
+Fixes: 885872b722b7 ("MIPS: Octeon: Add Octeon III CN7xxx interface detection")
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@vger.kernel.org
+Cc: stable@vger.kernel.org # 4.7+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/cavium-octeon/executive/cvmx-helper.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/cavium-octeon/executive/cvmx-helper.c
++++ b/arch/mips/cavium-octeon/executive/cvmx-helper.c
+@@ -286,7 +286,8 @@ static cvmx_helper_interface_mode_t __cv
+ case 3:
+ return CVMX_HELPER_INTERFACE_MODE_LOOP;
+ case 4:
+- return CVMX_HELPER_INTERFACE_MODE_RGMII;
++ /* TODO: Implement support for AGL (RGMII). */
++ return CVMX_HELPER_INTERFACE_MODE_DISABLED;
+ default:
+ return CVMX_HELPER_INTERFACE_MODE_DISABLED;
+ }
--- /dev/null
+From 260683137ab5276113fc322fdbbc578024185fee Mon Sep 17 00:00:00 2001
+From: Nava kishore Manne <nava.manne@xilinx.com>
+Date: Tue, 18 Dec 2018 13:18:42 +0100
+Subject: serial: uartps: Fix interrupt mask issue to handle the RX interrupts properly
+
+From: Nava kishore Manne <nava.manne@xilinx.com>
+
+commit 260683137ab5276113fc322fdbbc578024185fee upstream.
+
+This patch Correct the RX interrupt mask value to handle the
+RX interrupts properly.
+
+Fixes: c8dbdc842d30 ("serial: xuartps: Rewrite the interrupt handling logic")
+Signed-off-by: Nava kishore Manne <nava.manne@xilinx.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/xilinx_uartps.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/xilinx_uartps.c
++++ b/drivers/tty/serial/xilinx_uartps.c
+@@ -130,7 +130,7 @@ MODULE_PARM_DESC(rx_timeout, "Rx timeout
+ #define CDNS_UART_IXR_RXTRIG 0x00000001 /* RX FIFO trigger interrupt */
+ #define CDNS_UART_IXR_RXFULL 0x00000004 /* RX FIFO full interrupt. */
+ #define CDNS_UART_IXR_RXEMPTY 0x00000002 /* RX FIFO empty interrupt. */
+-#define CDNS_UART_IXR_MASK 0x00001FFF /* Valid bit mask */
++#define CDNS_UART_IXR_RXMASK 0x000021e7 /* Valid RX bit mask */
+
+ /*
+ * Do not enable parity error interrupt for the following
+@@ -366,7 +366,7 @@ static irqreturn_t cdns_uart_isr(int irq
+ cdns_uart_handle_tx(dev_id);
+ isrstatus &= ~CDNS_UART_IXR_TXEMPTY;
+ }
+- if (isrstatus & CDNS_UART_IXR_MASK)
++ if (isrstatus & CDNS_UART_IXR_RXMASK)
+ cdns_uart_handle_rx(dev_id, isrstatus);
+
+ spin_unlock(&port->lock);
netfilter-nf_conncount-fix-garbage-collection-with-z.patch
netfilter-nf_conncount-fix-garbage-collection-confir.patch
netfilter-nf_conncount-don-t-skip-eviction-when-age-.patch
+f2fs-fix-validation-of-the-block-count-in-sanity_check_raw_super.patch
+serial-uartps-fix-interrupt-mask-issue-to-handle-the-rx-interrupts-properly.patch
+media-vivid-free-bitmap_cap-when-updating-std-timings-etc.patch
+media-v4l2-tpg-array-index-could-become-negative.patch
+mips-math-emu-write-protect-delay-slot-emulation-pages.patch
+mips-c-r4k-add-r4k_blast_scache_node-for-loongson-3.patch
+mips-ensure-pmd_present-returns-false-after-pmd_mknotpresent.patch
+mips-align-kernel-load-address-to-64kb.patch
+mips-expand-mips32-asids-to-64-bits.patch
+mips-octeon-mark-rgmii-interface-disabled-on-octeon-iii.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
