1. 11 Aug, 2017 21 commits
  2. 27 Jul, 2017 19 commits
    • Linux 3.18.63 · 8c13fcce
      Greg Kroah-Hartman authored
      8c13fcce
    • MIPS: Send SIGILL for BPOSGE32 in `__compute_return_epc_for_insn' · 441bb57f
      Maciej W. Rozycki authored
      commit 7b82c105 upstream.
      
      Fix commit e50c0a8f ("Support the MIPS32 / MIPS64 DSP ASE.") and
      send SIGILL rather than SIGBUS whenever an unimplemented BPOSGE32 DSP
      ASE instruction has been encountered in `__compute_return_epc_for_insn'
      as our Reserved Instruction exception handler would in response to an
      attempt to actually execute the instruction.  Sending SIGBUS only makes
      sense for the unaligned PC case, since moved to `__compute_return_epc'.
      Adjust function documentation accordingly, correct formatting and use
      `pr_info' rather than `printk' as the other exit path already does.
      
      Fixes: e50c0a8f ("Support the MIPS32 / MIPS64 DSP ASE.")
      Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # 2.6.14+
      Patchwork: https://patchwork.linux-mips.org/patch/16396/
      Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      441bb57f
    • alarmtimer: don't rate limit one-shot timers · 711b4133
      Greg Hackmann authored
      Commit ff86bf0c ("alarmtimer: Rate limit periodic intervals") sets a
      minimum bound on the alarm timer interval.  This minimum bound shouldn't
      be applied if the interval is 0.  Otherwise, one-shot timers will be
      converted into periodic ones.
      
      Fixes: ff86bf0c ("alarmtimer: Rate limit periodic intervals")
      Reported-by: Ben Fennema <fennema@google.com>
      Signed-off-by: Greg Hackmann <ghackmann@google.com>
      Cc: stable@vger.kernel.org
      Cc: John Stultz <john.stultz@linaro.org>
      Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      711b4133
    • tracing: Fix kmemleak in instance_rmdir · d40d5121
      Chunyu Hu authored
      commit db9108e0 upstream.
      
      Hit the kmemleak when executing instance_rmdir: it forgot to release the
      memory of tracing_cpumask. With this fix, the warning does not appear any
      more.
      
      unreferenced object 0xffff93a8dfaa7c18 (size 8):
        comm "mkdir", pid 1436, jiffies 4294763622 (age 9134.308s)
        hex dump (first 8 bytes):
          ff ff ff ff ff ff ff ff                          ........
        backtrace:
          [<ffffffff88b6567a>] kmemleak_alloc+0x4a/0xa0
          [<ffffffff8861ea41>] __kmalloc_node+0xf1/0x280
          [<ffffffff88b505d3>] alloc_cpumask_var_node+0x23/0x30
          [<ffffffff88b5060e>] alloc_cpumask_var+0xe/0x10
          [<ffffffff88571ab0>] instance_mkdir+0x90/0x240
          [<ffffffff886e5100>] tracefs_syscall_mkdir+0x40/0x70
          [<ffffffff886565c9>] vfs_mkdir+0x109/0x1b0
          [<ffffffff8865b1d0>] SyS_mkdir+0xd0/0x100
          [<ffffffff88403857>] do_syscall_64+0x67/0x150
          [<ffffffff88b710e7>] return_from_SYSCALL_64+0x0/0x6a
          [<ffffffffffffffff>] 0xffffffffffffffff
      
      Link: http://lkml.kernel.org/r/1500546969-12594-1-git-send-email-chuhu@redhat.com
      
      Fixes: ccfe9e42 ("tracing: Make tracing_cpumask available for all instances")
      Signed-off-by: Chunyu Hu <chuhu@redhat.com>
      Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      d40d5121
    • spmi: Include OF based modalias in device uevent · c0cb1831
      Bjorn Andersson authored
      commit d50daa2a upstream.
      
      Include the OF-based modalias in the uevent sent when registering SPMI
      devices, so that user space has a chance to autoload the kernel module
      for the device.
      Tested-by: Rob Clark <robdclark@gmail.com>
      Reported-by: Rob Clark <robdclark@gmail.com>
      Reviewed-by: Stephen Boyd <sboyd@codeaurora.org>
      Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      c0cb1831
    • of: device: Export of_device_{get_modalias, uvent_modalias} to modules · 6da38240
      Stephen Boyd authored
      commit 7a3b7cd3 upstream.
      
      The ULPI bus can be built as a module, and it will soon be
      calling these functions when it supports probing devices from DT.
      Export them so they can be used by the ULPI module.
      Acked-by: Rob Herring <robh@kernel.org>
      Cc: <devicetree@vger.kernel.org>
      Signed-off-by: Stephen Boyd <stephen.boyd@linaro.org>
      Signed-off-by: Peter Chen <peter.chen@nxp.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      6da38240
    • KVM: PPC: Book3S HV: Context-switch EBB registers properly · 9ba44d17
      Paul Mackerras authored
      commit ca8efa1d upstream.
      
      This adds code to save the values of three SPRs (special-purpose
      registers) used by userspace to control event-based branches (EBBs),
      which are essentially interrupts that get delivered directly to
      userspace.  These registers are loaded up with guest values when
      entering the guest, and their values are saved when exiting the
      guest, but we were not saving the host values and restoring them
      before going back to userspace.
      
      On POWER8 this would only affect userspace programs which explicitly
      request the use of EBBs and also use the KVM_RUN ioctl, since the
      only source of EBBs on POWER8 is the PMU, and there is an explicit
      enable bit in the PMU registers (and those PMU registers do get
      properly context-switched between host and guest).  On POWER9 there
      is provision for externally-generated EBBs, and these are not subject
      to the control in the PMU registers.
      
      Since these registers only affect userspace, we can save them when
      we first come in from userspace and restore them before returning to
      userspace, rather than saving/restoring the host values on every
      guest entry/exit.  Similarly, we don't need to worry about their
      values on offline secondary threads since they execute in the context
      of the idle task, which never executes in userspace.
      
      Fixes: b005255e ("KVM: PPC: Book3S HV: Context-switch new POWER8 SPRs", 2014-01-08)
      Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      9ba44d17
    • drm/mst: Avoid processing partially received up/down message transactions · 8986074a
      Imre Deak authored
      commit 636c4c3e upstream.
      
      Currently we may process up/down message transactions containing
      uninitialized data. This can happen if there was an error during the
      reception of any message in the transaction, but we happened to receive
      the last message correctly with the end-of-message flag set.
      
      To avoid this abort the reception of the transaction when the first
      error is detected, rejecting any messages until a message with the
      start-of-message flag is received (which will start a new transaction).
      This is also what the DP 1.4 spec 2.11.8.2 calls for in this case.
      
      In addition this also prevents receiving bogus transactions without the
      first message with the start-of-message flag set.
      
      v2:
      - unchanged
      v3:
      - git add the part that actually skips messages after an error in
        drm_dp_sideband_msg_build()
      
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Lyude <lyude@redhat.com>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: Imre Deak <imre.deak@intel.com>
      Reviewed-by: Lyude <lyude@redhat.com>
      Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20170719134632.13366-1-imre.deak@intel.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      8986074a
    • drm/mst: Avoid dereferencing a NULL mstb in drm_dp_mst_handle_up_req() · acdbd4bc
      Imre Deak authored
      commit 7f8b3987 upstream.
      
      In case an unknown broadcast message is sent, mstb will remain unset,
      so check for this.
      
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Lyude <lyude@redhat.com>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: Imre Deak <imre.deak@intel.com>
      Reviewed-by: Lyude <lyude@redhat.com>
      Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20170719114330.26540-3-imre.deak@intel.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      acdbd4bc
    • drm/mst: Fix error handling during MST sideband message reception · 36ad1e78
      Imre Deak authored
      commit 448421b5 upstream.
      
      Handle any error due to partial reads, timeouts etc. to avoid parsing
      uninitialized data subsequently. Also bail out if the parsing itself
      fails.
      
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Lyude <lyude@redhat.com>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: Imre Deak <imre.deak@intel.com>
      Reviewed-by: Lyude <lyude@redhat.com>
      Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20170719114330.26540-2-imre.deak@intel.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      36ad1e78
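The two drm/mst reception commits above (8986074a and 36ad1e78) describe one defensive rule for reassembling a multi-chunk sideband transaction: once any chunk fails to arrive cleanly, nothing from that transaction may be acted on, and the receiver must ignore everything until a chunk carrying the start-of-message flag opens a new transaction. The C program below is an added illustration written for this page, not drm_dp_mst code; the `chunk`, `rx_state` and `rx_feed*` names and the flag layout are constructed, and the byte payloads are made-up test data. It places the naive receiver next to the hardened one so the difference on a tainted transaction is visible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MSG_MAX 256

/* One received sideband chunk. Constructed model of the flags the commit
 * messages talk about, not the real DP MST sideband header layout. */
struct chunk {
    bool somt;           /* start-of-message-transaction flag */
    bool eomt;           /* end-of-message-transaction flag */
    bool rx_error;       /* transport reported a short read, timeout or CRC failure */
    const uint8_t *data;
    size_t len;
};

enum rx_result { RX_PENDING, RX_COMPLETE, RX_DROPPED };

struct rx_state {
    uint8_t buf[MSG_MAX];
    size_t len;
    bool in_progress;    /* a SOMT chunk has been seen */
    bool tainted;        /* an error was seen since that SOMT; skip until the next SOMT */
};

/* Naive receiver: an error only skips the chunk's payload, so a later EOMT
 * chunk still reports a "complete" transaction built on bytes that were
 * never written (the exposure the commits above close). */
enum rx_result rx_feed_naive(struct rx_state *st, const struct chunk *c)
{
    if (c->somt)
        st->len = 0;
    if (st->len + c->len > sizeof st->buf)
        return RX_DROPPED;
    if (!c->rx_error)
        memcpy(st->buf + st->len, c->data, c->len);
    st->len += c->len;           /* space reserved even though nothing was copied */
    return c->eomt ? RX_COMPLETE : RX_PENDING;
}

/* Hardened receiver: abort the transaction on the first error and reject
 * every chunk until a new SOMT chunk starts a fresh transaction. A chunk
 * arriving with no transaction in progress is rejected as well. */
enum rx_result rx_feed(struct rx_state *st, const struct chunk *c)
{
    if (c->somt) {
        st->len = 0;
        st->in_progress = true;
        st->tainted = false;
    } else if (!st->in_progress || st->tainted) {
        return RX_DROPPED;
    }
    if (c->rx_error || st->len + c->len > sizeof st->buf) {
        st->tainted = true;
        return RX_DROPPED;
    }
    memcpy(st->buf + st->len, c->data, c->len);
    st->len += c->len;
    if (c->eomt) {
        st->in_progress = false;
        return RX_COMPLETE;
    }
    return RX_PENDING;
}

/* Constructed scenario: a stray EOMT chunk with no transaction open, then a
 * 3-chunk transaction whose second chunk fails, then a self-contained 1-chunk
 * transaction. Returns 0 when the hardened receiver behaves as intended,
 * otherwise the number of the step that went wrong. */
int scenario_hardened(void)
{
    static const uint8_t ab[] = "AB", cd[] = "CD", ef[] = "EF", gh[] = "GH";
    struct chunk c1 = { true,  false, false, ab, 2 };
    struct chunk c2 = { false, false, true,  cd, 2 };
    struct chunk c3 = { false, true,  false, ef, 2 };
    struct chunk c4 = { true,  true,  false, gh, 2 };
    struct rx_state st = { {0}, 0, false, false };

    if (rx_feed(&st, &c3) != RX_DROPPED) return 1;  /* no SOMT yet: rejected */
    if (rx_feed(&st, &c1) != RX_PENDING) return 2;
    if (rx_feed(&st, &c2) != RX_DROPPED) return 3;  /* error taints the transaction */
    if (rx_feed(&st, &c3) != RX_DROPPED) return 4;  /* EOMT after an error is not processed */
    if (rx_feed(&st, &c4) != RX_COMPLETE) return 5;
    if (st.len != 2 || memcmp(st.buf, "GH", 2) != 0) return 6;
    return 0;
}

/* Same faulty transaction through the naive receiver: it reports RX_COMPLETE
 * on chunk 3 with 6 bytes, two of which were never written. Returns that length. */
size_t scenario_naive(void)
{
    static const uint8_t ab[] = "AB", cd[] = "CD", ef[] = "EF";
    struct chunk c1 = { true,  false, false, ab, 2 };
    struct chunk c2 = { false, false, true,  cd, 2 };
    struct chunk c3 = { false, true,  false, ef, 2 };
    struct rx_state st = { {0}, 0, false, false };

    rx_feed_naive(&st, &c1);
    rx_feed_naive(&st, &c2);
    return rx_feed_naive(&st, &c3) == RX_COMPLETE ? st.len : 0;
}
```

`scenario_hardened()` returns 0 and `scenario_naive()` returns 6: the naive receiver declares the three-chunk transaction complete even though two of its six bytes were never filled in, which is the uninitialized-data problem the first commit describes, while the hardened receiver discards the end-of-message chunk and only reports completion for the fresh transaction that follows.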
    • staging: rtl8188eu: add TL-WN722N v2 support · 78f51034
      Michael Gugino authored
      commit 5a1d4c5d upstream.
      
      Add support for USB Device TP-Link TL-WN722N v2.
      VendorID: 0x2357, ProductID: 0x010c
      Signed-off-by: Michael Gugino <michael.gugino.2@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      78f51034
    • Revert "perf/core: Drop kernel samples even though :u is specified" · ad74bba6
      Ingo Molnar authored
      commit 6a8a75f3 upstream.
      
      This reverts commit cc1582c2.
      
      This commit introduced a regression that broke rr-project, which uses sampling
      events to receive a signal on overflow (but does not care about the contents
      of the sample). These signals are critical to the correct operation of rr.
      
      There's been some back and forth about how to fix it - but to not keep
      applications in limbo queue up a revert.
      Reported-by: Kyle Huey <me@kylehuey.com>
      Acked-by: Kyle Huey <me@kylehuey.com>
      Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Jin Yao <yao.jin@linux.intel.com>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Link: http://lkml.kernel.org/r/20170628105600.GC5981@leverpostej
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ad74bba6
    • perf annotate: Fix broken arrow at row 0 connecting jmp instruction to its target · 827ac4ce
      Jin Yao authored
      commit 80f62589 upstream.
      
      When the jump instruction is displayed at the row 0 in annotate view,
      the arrow is broken. An example:
      
       16.86 │   ┌──je     82
        0.01 │      movsd  (%rsp),%xmm0
             │      movsd  0x8(%rsp),%xmm4
             │      movsd  0x8(%rsp),%xmm1
             │      movsd  (%rsp),%xmm3
             │      divsd  %xmm4,%xmm0
             │      divsd  %xmm3,%xmm1
             │      movsd  (%rsp),%xmm2
             │      addsd  %xmm1,%xmm0
             │      addsd  %xmm2,%xmm0
             │      movsd  %xmm0,(%rsp)
             │82:   sub    $0x1,%ebx
       83.03 │    ↑ jne    38
             │      add    $0x10,%rsp
             │      xor    %eax,%eax
             │      pop    %rbx
             │    ← retq
      
      The patch increments the row number before checking with 0.
      Signed-off-by: Yao Jin <yao.jin@linux.intel.com>
      Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Kan Liang <kan.liang@intel.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Fixes: 944e1abe ("perf ui browser: Add method to draw up/down arrow line")
      Link: http://lkml.kernel.org/r/1496901704-30275-1-git-send-email-yao.jin@linux.intel.com
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      827ac4ce
    • target: Fix COMPARE_AND_WRITE caw_sem leak during se_cmd quiesce · 414a7f66
      Jiang Yi authored
      commit 1d6ef276 upstream.
      
      This patch addresses a COMPARE_AND_WRITE se_device->caw_sem leak,
      that would be triggered during normal se_cmd shutdown or abort
      via __transport_wait_for_tasks().
      
      This would occur because target_complete_cmd() would catch this
      early and do complete_all(&cmd->t_transport_stop_comp), but since
      target_complete_ok_work() or target_complete_failure_work() are
      never called to invoke se_cmd->transport_complete_callback(),
      the COMPARE_AND_WRITE specific callbacks never release caw_sem.
      
      To address this special case, go ahead and release caw_sem
      directly from target_complete_cmd().
      
      (Remove '&& success' from check, to release caw_sem regardless
       of scsi_status - nab)
      Signed-off-by: Jiang Yi <jiangyilism@gmail.com>
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      414a7f66
    • udf: Fix deadlock between writeback and udf_setsize() · 35b9dd2d
      Jan Kara authored
      commit f2e95355 upstream.
      
      udf_setsize() called truncate_setsize() with i_data_sem held. Thus
      truncate_pagecache() called from truncate_setsize() could lock a page
      under i_data_sem which can deadlock as page lock ranks below
      i_data_sem - e. g. writeback can hold page lock and try to acquire
      i_data_sem to map a block.
      
      Fix the problem by moving truncate_setsize() calls from under
      i_data_sem. It is safe for us to change i_size without holding
      i_data_sem as all the places that depend on i_size being stable already
      hold inode_lock.
      
      Fixes: 7e49b6f2
      Signed-off-by: Jan Kara <jack@suse.cz>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      35b9dd2d
    • NFS: only invalidate dentrys that are clearly invalid. · c926ea02
      NeilBrown authored
      commit cc89684c upstream.
      
      Since commit bafc9b75 ("vfs: More precise tests in d_invalidate")
      in v3.18, a return of '0' from ->d_revalidate() will cause the dentry
      to be invalidated even if it has filesystems mounted on it or on a
      descendant.  The mounted filesystem is unmounted.
      
      This means we need to be careful not to return 0 unless the directory
      referred to truly is invalid.  So -ESTALE or -ENOENT should invalidate
      the directory.  Other errors such as -EPERM or -ERESTARTSYS should be
      returned from ->d_revalidate() so they are propagated to the caller.
      
      A particular problem can be demonstrated by:
      
      1/ mount an NFS filesystem using NFSv3 on /mnt
      2/ mount any other filesystem on /mnt/foo
      3/ ls /mnt/foo
      4/ turn off network, or otherwise make the server unable to respond
      5/ ls /mnt/foo &
      6/ cat /proc/$!/stack # note that nfs_lookup_revalidate is in the call stack
      7/ kill -9 $! # this results in -ERESTARTSYS being returned
      8/ observe that /mnt/foo has been unmounted.
      
      This patch changes nfs_lookup_revalidate() to only treat
        -ESTALE from nfs_lookup_verify_inode() and
        -ESTALE or -ENOENT from ->lookup()
      as indicating an invalid inode.  Other errors are returned.
      
      Also nfs_check_inode_attributes() is changed to return -ESTALE rather
      than -EIO.  This is consistent with the error returned in similar
      circumstances from nfs_update_inode().
      
      As this bug allows any user to unmount a filesystem mounted on an NFS
      filesystem, this fix is suitable for stable kernels.
      
      Fixes: bafc9b75 ("vfs: More precise tests in d_invalidate")
      Signed-off-by: NeilBrown <neilb@suse.com>
      Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      c926ea02
    • Input: i8042 - fix crash at boot time · f6be9443
      Chen Hong authored
      commit 340d394a upstream.
      
      The driver checks port->exists twice in i8042_interrupt(), first when
      trying to assign temporary "serio" variable, and second time when deciding
      whether it should call serio_interrupt(). The value of port->exists may
      change between the 2 checks, and we may end up calling serio_interrupt()
      with a NULL pointer:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
      IP: [<ffffffff8150feaf>] _spin_lock_irqsave+0x1f/0x40
      PGD 0
      Oops: 0002 [#1] SMP
      last sysfs file:
      CPU 0
      Modules linked in:
      
      Pid: 1, comm: swapper Not tainted 2.6.32-358.el6.x86_64 #1 QEMU Standard PC (i440FX + PIIX, 1996)
      RIP: 0010:[<ffffffff8150feaf>]  [<ffffffff8150feaf>] _spin_lock_irqsave+0x1f/0x40
      RSP: 0018:ffff880028203cc0  EFLAGS: 00010082
      RAX: 0000000000010000 RBX: 0000000000000000 RCX: 0000000000000000
      RDX: 0000000000000282 RSI: 0000000000000098 RDI: 0000000000000050
      RBP: ffff880028203cc0 R08: ffff88013e79c000 R09: ffff880028203ee0
      R10: 0000000000000298 R11: 0000000000000282 R12: 0000000000000050
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000098
      FS:  0000000000000000(0000) GS:ffff880028200000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
      CR2: 0000000000000050 CR3: 0000000001a85000 CR4: 00000000001407f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process swapper (pid: 1, threadinfo ffff88013e79c000, task ffff88013e79b500)
      Stack:
      ffff880028203d00 ffffffff813de186 ffffffffffffff02 0000000000000000
      <d> 0000000000000000 0000000000000000 0000000000000000 0000000000000098
      <d> ffff880028203d70 ffffffff813e0162 ffff880028203d20 ffffffff8103b8ac
      Call Trace:
      <IRQ>
       [<ffffffff813de186>] serio_interrupt+0x36/0xa0
      [<ffffffff813e0162>] i8042_interrupt+0x132/0x3a0
      [<ffffffff8103b8ac>] ? kvm_clock_read+0x1c/0x20
      [<ffffffff8103b8b9>] ? kvm_clock_get_cycles+0x9/0x10
      [<ffffffff810e1640>] handle_IRQ_event+0x60/0x170
      [<ffffffff8103b154>] ? kvm_guest_apic_eoi_write+0x44/0x50
      [<ffffffff810e3d8e>] handle_edge_irq+0xde/0x180
      [<ffffffff8100de89>] handle_irq+0x49/0xa0
      [<ffffffff81516c8c>] do_IRQ+0x6c/0xf0
      [<ffffffff8100b9d3>] ret_from_intr+0x0/0x11
      [<ffffffff81076f63>] ? __do_softirq+0x73/0x1e0
      [<ffffffff8109b75b>] ? hrtimer_interrupt+0x14b/0x260
      [<ffffffff8100c1cc>] ? call_softirq+0x1c/0x30
      [<ffffffff8100de05>] ? do_softirq+0x65/0xa0
      [<ffffffff81076d95>] ? irq_exit+0x85/0x90
      [<ffffffff81516d80>] ? smp_apic_timer_interrupt+0x70/0x9b
      [<ffffffff8100bb93>] ? apic_timer_interrupt+0x13/0x20
      
      To avoid the issue let's change the second check to test whether serio is
      NULL or not.
      
      Also, let's take i8042_lock in i8042_start() and i8042_stop() instead of
      trying to be overly smart and using memory barriers.
      Signed-off-by: Chen Hong <chenhong3@huawei.com>
      [dtor: take lock in i8042_start()/i8042_stop()]
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      f6be9443
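The race the i8042 commit above describes is a check-then-use on a shared flag: `port->exists` is read once to pick the serio pointer and read again to decide whether to forward the interrupt, and a concurrent i8042_start() landing between the two reads lets the second check pass while the pointer chosen by the first is still NULL. The C program below is an added model written for this page, not the driver's code: the names `i8042_port_model`, `dispatch_racy`, `dispatch_fixed`, `serio_interrupt_model` and `port_starts` are constructed, and the `interleave` callback stands in for the other CPU so the interleaving is reproduced deterministically without threads.

```c
#include <stddef.h>

struct serio { int irqs; };

/* Model of the per-port state: a shared "exists" flag and the serio object
 * the interrupt is forwarded to. Constructed, not the driver's real structures. */
struct i8042_port_model {
    int exists;
    struct serio *serio;
};

/* Stands in for serio_interrupt(). The kernel dereferenced a NULL pointer
 * here; this model returns -1 instead of crashing so the outcome is testable. */
static int serio_interrupt_model(struct serio *serio)
{
    if (!serio)
        return -1;
    serio->irqs++;
    return 1;
}

/* Pre-fix logic: port->exists is read twice. `interleave`, when non-NULL, runs
 * between the two reads and plays the role of i8042_start() on another CPU. */
int dispatch_racy(struct i8042_port_model *port,
                  void (*interleave)(struct i8042_port_model *))
{
    struct serio *serio = port->exists ? port->serio : NULL;   /* first read */
    if (interleave)
        interleave(port);
    if (port->exists)                                          /* second read */
        return serio_interrupt_model(serio);                   /* serio may be NULL */
    return 0;
}

/* Post-fix logic: decide on the snapshot taken at the first read, so a flag
 * flip after that point cannot turn into a NULL dereference. */
int dispatch_fixed(struct i8042_port_model *port,
                   void (*interleave)(struct i8042_port_model *))
{
    struct serio *serio = port->exists ? port->serio : NULL;
    if (interleave)
        interleave(port);
    if (serio)
        return serio_interrupt_model(serio);
    return 0;
}

/* Constructed interleaving: the port comes into existence between the reads. */
static void port_starts(struct i8042_port_model *port)
{
    port->exists = 1;
}

/* Port not yet started when the interrupt fires, start races in: -1 (the oops). */
int scenario_racy(void)
{
    struct serio s = { 0 };
    struct i8042_port_model port = { 0, &s };
    return dispatch_racy(&port, port_starts);
}

/* Same interleaving against the fixed handler: 0, interrupt simply not forwarded. */
int scenario_fixed(void)
{
    struct serio s = { 0 };
    struct i8042_port_model port = { 0, &s };
    return dispatch_fixed(&port, port_starts);
}

/* Steady state, port already started, no interleaving: the interrupt is
 * forwarded once (return 1) and the serio counter shows it (1), total 2. */
int scenario_steady(void)
{
    struct serio s = { 0 };
    struct i8042_port_model port = { 1, &s };
    return dispatch_fixed(&port, NULL) + s.irqs;
}
```

`scenario_racy()` returns -1, the model's stand-in for the NULL dereference in the oops; `scenario_fixed()` returns 0 because the fixed handler acts only on the pointer it already took; `scenario_steady()` returns 2 to show the normal path still forwards the interrupt. The second part of the commit, taking i8042_lock in i8042_start()/i8042_stop() instead of relying on memory barriers, is not modelled here.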
    • MIPS: math-emu: Prevent wrong ISA mode instruction emulation · 3c4c392a
      Maciej W. Rozycki authored
      commit 13769eba upstream.
      
      Terminate FPU emulation immediately whenever an ISA mode switch has been
      observed.  This is so that we do not interpret machine code in the wrong
      mode, for example when a regular MIPS FPU instruction has been placed in
      a delay slot of a jump that switches into the MIPS16 mode, as with the
      following code (taken from a GCC test suite case):
      
      00400650 <set_fast_math>:
        400650:	3c020100 	lui	v0,0x100
        400654:	03e00008 	jr	ra
        400658:	44c2f800 	ctc1	v0,c1_fcsr
        40065c:	00000000 	nop
      
      [...]
      
      004012d0 <__libc_csu_init>:
        4012d0:	f000 6a02 	li	v0,2
        4012d4:	f150 0b1c 	la	v1,3f9430 <_DYNAMIC-0x6df0>
        4012d8:	f400 3240 	sll	v0,16
        4012dc:	e269      	addu	v0,v1
        4012de:	659a      	move	gp,v0
        4012e0:	f00c 64f6 	save	a0-a2,48,ra,s0-s1
        4012e4:	673c      	move	s1,gp
        4012e6:	f010 9978 	lw	v1,-32744(s1)
        4012ea:	d204      	sw	v0,16(sp)
        4012ec:	eb40      	jalr	v1
        4012ee:	653b      	move	t9,v1
        4012f0:	f010 997c 	lw	v1,-32740(s1)
        4012f4:	f030 9920 	lw	s1,-32736(s1)
        4012f8:	e32f      	subu	v1,s1
        4012fa:	326b      	sra	v0,v1,2
        4012fc:	d206      	sw	v0,24(sp)
        4012fe:	220c      	beqz	v0,401318 <__libc_csu_init+0x48>
        401300:	6800      	li	s0,0
        401302:	99e0      	lw	a3,0(s1)
        401304:	4801      	addiu	s0,1
        401306:	960e      	lw	a2,56(sp)
        401308:	4904      	addiu	s1,4
        40130a:	950d      	lw	a1,52(sp)
        40130c:	940c      	lw	a0,48(sp)
        40130e:	ef40      	jalr	a3
        401310:	653f      	move	t9,a3
        401312:	9206      	lw	v0,24(sp)
        401314:	ea0a      	cmp	v0,s0
        401316:	61f5      	btnez	401302 <__libc_csu_init+0x32>
        401318:	6476      	restore	48,ra,s0-s1
        40131a:	e8a0      	jrc	ra
      
      Here `set_fast_math' is called from `40130e' (`40130f' with the ISA bit)
      and emulation triggers for the CTC1 instruction.  As it is in a jump
      delay slot emulation continues from `401312' (`401313' with the ISA
      bit).  However we have no path to handle MIPS16 FPU code emulation,
      because there are no MIPS16 FPU instructions.  So the default emulation
      path is taken, interpreting a 32-bit word fetched by `get_user' from
      `401313' as a regular MIPS instruction, which is:
      
        401313:	f5ea0a92	sdc1	$f10,2706(t7)
      
      This makes the FPU emulator proceed with the supposed SDC1 instruction
      and consequently makes the program considered here terminate with
      SIGSEGV.
      
      A similar although less severe issue exists with pure-microMIPS
      processors in the case where similarly an FPU instruction is emulated in
      a delay slot of a register jump that (incorrectly) switches into the
      regular MIPS mode.  A subsequent instruction fetch from the jump's
      target is supposed to cause an Address Error exception, however instead
      we proceed with regular MIPS FPU emulation.
      
      For simplicity then, always terminate the emulation loop whenever a mode
      change is detected, denoted by an ISA mode bit flip.  As from commit
      377cb1b6 ("MIPS: Disable MIPS16/microMIPS crap for platforms not
      supporting these ASEs.") the result of `get_isa16_mode' can be hardcoded
      to 0, so we need to examine the ISA mode bit by hand.
      
      This complements commit 102cedc3 ("MIPS: microMIPS: Floating point
      support.") which added JALX decoding to FPU emulation.
      
      Fixes: 102cedc3 ("MIPS: microMIPS: Floating point support.")
      Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16393/
      Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      3c4c392a
    • MIPS: Fix unaligned PC interpretation in `compute_return_epc' · 4d9b4c69
      Maciej W. Rozycki authored
      commit 11a3799d upstream.
      
      Fix a regression introduced with commit fb6883e5 ("MIPS: microMIPS:
      Support handling of delay slots.") and defer to `__compute_return_epc'
      if the ISA bit is set in EPC with non-MIPS16, non-microMIPS hardware,
      which will then arrange for a SIGBUS due to an unaligned instruction
      reference.  Returning EPC here is never correct as the API defines this
      function's result to be either a negative error code on failure or one
      of 0 and BRANCH_LIKELY_TAKEN on success.
      
      Fixes: fb6883e5 ("MIPS: microMIPS: Support handling of delay slots.")
      Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/16395/
      Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      4d9b4c69