From: James Hogan <james.hogan@xxxxxxxxxx> commit 0758b116b4080d9a2a2a715bec6eee2cbd828215 upstream. The protected_writeback_scache_line() function is used by local_r4k_flush_cache_sigtramp() to flush an FPU delay slot emulation trampoline on the userland stack from the caches so it is visible to subsequent instruction fetches. Commit de8974e3f76c ("MIPS: asm: r4kcache: Add EVA cache flushing functions") updated some protected_ cache flush functions to use EVA CACHEE instructions via protected_cachee_op(), and commit 83fd43449baa ("MIPS: r4kcache: Add EVA case for protected_writeback_dcache_line") did the same thing for protected_writeback_dcache_line(), but protected_writeback_scache_line() never got updated. Lets fix that now to flush the right user address from the secondary cache rather than some arbitrary kernel unmapped address. This issue was spotted through code inspection, and it seems unlikely to be possible to hit this in practice. It theoretically affect EVA kernels on EVA capable cores with an L2 cache, where the icache fetches straight from RAM (cpu_icache_snoops_remote_store == 0), running a hard float userland with FPU disabled (nofpu). That both Malta and Boston platforms override cpu_icache_snoops_remote_store to 1 suggests that all MIPS cores fetch instructions into icache straight from L2 rather than RAM. Fixes: de8974e3f76c ("MIPS: asm: r4kcache: Add EVA cache flushing functions") Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx> Cc: Leonid Yegoshin <leonid.yegoshin@xxxxxxxxxx> Cc: linux-mips@xxxxxxxxxxxxxx Patchwork: https://patchwork.linux-mips.org/patch/13800/ Signed-off-by: Ralf Baechle <ralf@xxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- arch/mips/include/asm/r4kcache.h | 4 ++++ 1 file changed, 4 insertions(+) --- a/arch/mips/include/asm/r4kcache.h +++ b/arch/mips/include/asm/r4kcache.h @@ -210,7 +210,11 @@ static inline void protected_writeback_d static inline void protected_writeback_scache_line(unsigned long addr) { +#ifdef CONFIG_EVA + protected_cachee_op(Hit_Writeback_Inv_SD, addr); +#else protected_cache_op(Hit_Writeback_Inv_SD, addr); +#endif } /* Patches currently in stable-queue which might be from jhogan@xxxxxxxxxx are queue-4.4/mips-ptrace-drop-cp0_tcstatus-from-regoffset_table.patch queue-4.4/mips-fix-htw-config-on-xpa-kernel-without-lpa-enabled.patch queue-4.4/mips-fix-64-bit-htw-configuration.patch queue-4.4/mips-perf-fix-i6400-event-numbers.patch queue-4.4/mips-kvm-fix-translation-of-mfc0-errctl.patch queue-4.4/mips-fix-little-endian-micromips-msa-encodings.patch queue-4.4/mips-define-at_vector_size_arch-for-arch_dlinfo.patch queue-4.4/mips-smp-update-cpu_foreign_map-on-cpu-disable.patch queue-4.4/mips-c-r4k-fix-protected_writeback_scache_line-for-eva.patch