--- /dev/null
+From foo@baz Thu May 24 10:41:16 CEST 2018
+From: James Hogan <jhogan@kernel.org>
+Date: Tue, 16 Jan 2018 14:45:21 +0000
+Subject: rtc: goldfish: Add missing MODULE_LICENSE
+
+From: James Hogan <jhogan@kernel.org>
+
+[ Upstream commit 82d632b85eb89f97051530f556cb49ee1c04bde7 ]
+
+Fix the following warning in MIPS allmodconfig by adding a
+MODULE_LICENSE() at the end of rtc-goldfish.c, based on the file header
+comment which says GNU General Public License version 2:
+
+WARNING: modpost: missing MODULE_LICENSE() in drivers/rtc/rtc-goldfish.o
+
+Fixes: f22d9cdcb5eb ("rtc: goldfish: Add RTC driver for Android emulator")
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Cc: Miodrag Dinic <miodrag.dinic@mips.com>
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Cc: linux-rtc@vger.kernel.org
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-goldfish.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/rtc/rtc-goldfish.c
++++ b/drivers/rtc/rtc-goldfish.c
+@@ -235,3 +235,5 @@ static struct platform_driver goldfish_r
+ };
+
+ module_platform_driver(goldfish_rtc);
++
++MODULE_LICENSE("GPL v2");
--- /dev/null
+From foo@baz Thu May 24 10:41:16 CEST 2018
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Thu, 8 Mar 2018 23:27:31 +0100
+Subject: rtc: hctosys: Ensure system time doesn't overflow time_t
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit b3a5ac42ab18b7d1a8f2f072ca0ee76a3b754a43 ]
+
+On 32bit platforms, time_t is still a signed 32bit long. If it is
+overflowed, userspace and the kernel cant agree on the current system time.
+This causes multiple issues, in particular with systemd:
+https://github.com/systemd/systemd/issues/1143
+
+A good workaround is to simply avoid using hctosys which is something I
+greatly encourage as the time is better set by userspace.
+
+However, many distribution enable it and use systemd which is rendering the
+system unusable in case the RTC holds a date after 2038 (and more so after
+2106). Many drivers have workaround for this case and they should be
+eliminated so there is only one place left to fix when userspace is able to
+cope with dates after the 31bit overflow.
+
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/hctosys.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/rtc/hctosys.c
++++ b/drivers/rtc/hctosys.c
+@@ -49,6 +49,11 @@ static int __init rtc_hctosys(void)
+
+ tv64.tv_sec = rtc_tm_to_time64(&tm);
+
++#if BITS_PER_LONG == 32
++ if (tv64.tv_sec > INT_MAX)
++ goto err_read;
++#endif
++
+ err = do_settimeofday64(&tv64);
+
+ dev_info(rtc->dev.parent,
--- /dev/null
+From foo@baz Thu May 24 10:41:16 CEST 2018
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Sun, 25 Feb 2018 21:14:31 +0100
+Subject: rtc: m41t80: fix race conditions
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit 10d0c768cc6d581523d673b9d1b54213f8a5eb24 ]
+
+The IRQ is requested before the struct rtc is allocated and registered, but
+this struct is used in the IRQ handler, leading to:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000017c
+pgd = a38a2f9b
+[0000017c] *pgd=00000000
+Internal error: Oops: 5 [#1] ARM
+Modules linked in:
+CPU: 0 PID: 613 Comm: irq/48-m41t80 Not tainted 4.16.0-rc1+ #42
+Hardware name: Atmel SAMA5
+PC is at mutex_lock+0x14/0x38
+LR is at m41t80_handle_irq+0x1c/0x9c
+pc : [<c06e864c>] lr : [<c04b70f0>] psr: 20000013
+sp : dec73f30 ip : 00000000 fp : dec56d98
+r10: df437cf0 r9 : c0a03008 r8 : c0145ffc
+r7 : df5c4300 r6 : dec568d0 r5 : df593000 r4 : 0000017c
+r3 : df592800 r2 : 60000013 r1 : df593000 r0 : 0000017c
+Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+Control: 10c53c7d Table: 20004059 DAC: 00000051
+Process irq/48-m41t80 (pid: 613, stack limit = 0xb52d091e)
+Stack: (0xdec73f30 to 0xdec74000)
+3f20: dec56840 df5c4300 00000001 df5c4300
+3f40: c0145ffc c0146018 dec56840 ffffe000 00000001 c0146290 dec567c0 00000000
+3f60: c0146084 ed7c9a62 c014615c dec56d80 dec567c0 00000000 dec72000 dec56840
+3f80: c014615c c012ffc0 dec72000 dec567c0 c012fe80 00000000 00000000 00000000
+3fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000
+3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 29282726 2d2c2b2a
+[<c06e864c>] (mutex_lock) from [<c04b70f0>] (m41t80_handle_irq+0x1c/0x9c)
+[<c04b70f0>] (m41t80_handle_irq) from [<c0146018>] (irq_thread_fn+0x1c/0x54)
+[<c0146018>] (irq_thread_fn) from [<c0146290>] (irq_thread+0x134/0x1c0)
+[<c0146290>] (irq_thread) from [<c012ffc0>] (kthread+0x140/0x148)
+[<c012ffc0>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
+Exception stack(0xdec73fb0 to 0xdec73ff8)
+3fa0: 00000000 00000000 00000000 00000000
+3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+Code: e3c33d7f e3c3303f f5d0f000 e593300c (e1901f9f)
+---[ end trace 22b027302eb7c604 ]---
+genirq: exiting task "irq/48-m41t80" (613) is an active IRQ thread (irq 48)
+
+Also, there is another possible race condition. The probe function is not
+allowed to fail after the RTC is registered because the following may
+happen:
+
+CPU0: CPU1:
+sys_load_module()
+ do_init_module()
+ do_one_initcall()
+ cmos_do_probe()
+ rtc_device_register()
+ __register_chrdev()
+ cdev->owner = struct module*
+ open("/dev/rtc0")
+ rtc_device_unregister()
+ module_put()
+ free_module()
+ module_free(mod->module_core)
+ /* struct module *module is now
+ freed */
+ chrdev_open()
+ spin_lock(cdev_lock)
+ cdev_get()
+ try_module_get()
+ module_is_live()
+ /* dereferences already
+ freed struct module* */
+
+Switch to devm_rtc_allocate_device/rtc_register_device to allocate the rtc
+before requesting the IRQ and register it as late as possible.
+
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-m41t80.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/drivers/rtc/rtc-m41t80.c
++++ b/drivers/rtc/rtc-m41t80.c
+@@ -885,7 +885,6 @@ static int m41t80_probe(struct i2c_clien
+ {
+ struct i2c_adapter *adapter = to_i2c_adapter(client->dev.parent);
+ int rc = 0;
+- struct rtc_device *rtc = NULL;
+ struct rtc_time tm;
+ struct m41t80_data *m41t80_data = NULL;
+ bool wakeup_source = false;
+@@ -909,6 +908,10 @@ static int m41t80_probe(struct i2c_clien
+ m41t80_data->features = id->driver_data;
+ i2c_set_clientdata(client, m41t80_data);
+
++ m41t80_data->rtc = devm_rtc_allocate_device(&client->dev);
++ if (IS_ERR(m41t80_data->rtc))
++ return PTR_ERR(m41t80_data->rtc);
++
+ #ifdef CONFIG_OF
+ wakeup_source = of_property_read_bool(client->dev.of_node,
+ "wakeup-source");
+@@ -932,15 +935,11 @@ static int m41t80_probe(struct i2c_clien
+ device_init_wakeup(&client->dev, true);
+ }
+
+- rtc = devm_rtc_device_register(&client->dev, client->name,
+- &m41t80_rtc_ops, THIS_MODULE);
+- if (IS_ERR(rtc))
+- return PTR_ERR(rtc);
++ m41t80_data->rtc->ops = &m41t80_rtc_ops;
+
+- m41t80_data->rtc = rtc;
+ if (client->irq <= 0) {
+ /* We cannot support UIE mode if we do not have an IRQ line */
+- rtc->uie_unsupported = 1;
++ m41t80_data->rtc->uie_unsupported = 1;
+ }
+
+ /* Make sure HT (Halt Update) bit is cleared */
+@@ -993,6 +992,11 @@ static int m41t80_probe(struct i2c_clien
+ if (m41t80_data->features & M41T80_FEATURE_SQ)
+ m41t80_sqw_register_clk(m41t80_data);
+ #endif
++
++ rc = rtc_register_device(m41t80_data->rtc);
++ if (rc)
++ return rc;
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Thu May 24 10:41:16 CEST 2018
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Wed, 21 Feb 2018 11:57:05 +0100
+Subject: rtc: rk808: fix possible race condition
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit 201fac95e799c3d0304ec724d555e1251b9f6e84 ]
+
+The probe function is not allowed to fail after registering the RTC because
+the following may happen:
+
+CPU0: CPU1:
+sys_load_module()
+ do_init_module()
+ do_one_initcall()
+ cmos_do_probe()
+ rtc_device_register()
+ __register_chrdev()
+ cdev->owner = struct module*
+ open("/dev/rtc0")
+ rtc_device_unregister()
+ module_put()
+ free_module()
+ module_free(mod->module_core)
+ /* struct module *module is now
+ freed */
+ chrdev_open()
+ spin_lock(cdev_lock)
+ cdev_get()
+ try_module_get()
+ module_is_live()
+ /* dereferences already
+ freed struct module* */
+
+Switch to devm_rtc_allocate_device/rtc_register_device to register the rtc
+as late as possible.
+
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-rk808.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/rtc/rtc-rk808.c
++++ b/drivers/rtc/rtc-rk808.c
+@@ -416,12 +416,11 @@ static int rk808_rtc_probe(struct platfo
+
+ device_init_wakeup(&pdev->dev, 1);
+
+- rk808_rtc->rtc = devm_rtc_device_register(&pdev->dev, "rk808-rtc",
+- &rk808_rtc_ops, THIS_MODULE);
+- if (IS_ERR(rk808_rtc->rtc)) {
+- ret = PTR_ERR(rk808_rtc->rtc);
+- return ret;
+- }
++ rk808_rtc->rtc = devm_rtc_allocate_device(&pdev->dev);
++ if (IS_ERR(rk808_rtc->rtc))
++ return PTR_ERR(rk808_rtc->rtc);
++
++ rk808_rtc->rtc->ops = &rk808_rtc_ops;
+
+ rk808_rtc->irq = platform_get_irq(pdev, 0);
+ if (rk808_rtc->irq < 0) {
+@@ -438,9 +437,10 @@ static int rk808_rtc_probe(struct platfo
+ if (ret) {
+ dev_err(&pdev->dev, "Failed to request alarm IRQ %d: %d\n",
+ rk808_rtc->irq, ret);
++ return ret;
+ }
+
+- return ret;
++ return rtc_register_device(rk808_rtc->rtc);
+ }
+
+ static struct platform_driver rk808_rtc_driver = {
--- /dev/null
+From foo@baz Thu May 24 10:41:16 CEST 2018
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Mon, 12 Feb 2018 23:47:49 +0100
+Subject: rtc: rp5c01: fix possible race condition
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit bcdd559268039d8340d38fa58668393596e29fdc ]
+
+The probe function is not allowed to fail after registering the RTC because
+the following may happen:
+
+CPU0: CPU1:
+sys_load_module()
+ do_init_module()
+ do_one_initcall()
+ cmos_do_probe()
+ rtc_device_register()
+ __register_chrdev()
+ cdev->owner = struct module*
+ open("/dev/rtc0")
+ rtc_device_unregister()
+ module_put()
+ free_module()
+ module_free(mod->module_core)
+ /* struct module *module is now
+ freed */
+ chrdev_open()
+ spin_lock(cdev_lock)
+ cdev_get()
+ try_module_get()
+ module_is_live()
+ /* dereferences already
+ freed struct module* */
+
+Switch to devm_rtc_allocate_device/rtc_register_device to register the rtc
+as late as possible.
+
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-rp5c01.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/rtc/rtc-rp5c01.c
++++ b/drivers/rtc/rtc-rp5c01.c
+@@ -249,16 +249,24 @@ static int __init rp5c01_rtc_probe(struc
+
+ platform_set_drvdata(dev, priv);
+
+- rtc = devm_rtc_device_register(&dev->dev, "rtc-rp5c01", &rp5c01_rtc_ops,
+- THIS_MODULE);
++ rtc = devm_rtc_allocate_device(&dev->dev);
+ if (IS_ERR(rtc))
+ return PTR_ERR(rtc);
++
++ rtc->ops = &rp5c01_rtc_ops;
++
+ priv->rtc = rtc;
+
+ error = sysfs_create_bin_file(&dev->dev.kobj, &priv->nvram_attr);
+ if (error)
+ return error;
+
++ error = rtc_register_device(rtc);
++ if (error) {
++ sysfs_remove_bin_file(&dev->dev.kobj, &priv->nvram_attr);
++ return error;
++ }
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Thu May 24 10:41:16 CEST 2018
+From: Bryan O'Donoghue <pure.logic@nexus-software.ie>
+Date: Wed, 28 Mar 2018 20:14:05 +0100
+Subject: rtc: snvs: Fix usage of snvs_rtc_enable
+
+From: Bryan O'Donoghue <pure.logic@nexus-software.ie>
+
+[ Upstream commit 1485991c024603b2fb4ae77beb7a0d741128a48e ]
+
+commit 179a502f8c46 ("rtc: snvs: add Freescale rtc-snvs driver") introduces
+the SNVS RTC driver with a function snvs_rtc_enable().
+
+snvs_rtc_enable() can return an error on the enable path however this
+driver does not currently trap that failure on the probe() path and
+consequently if enabling the RTC fails we encounter a later error spinning
+forever in rtc_write_sync_lp().
+
+[ 36.093481] [<c010d630>] (__irq_svc) from [<c0c2e9ec>] (_raw_spin_unlock_irqrestore+0x34/0x44)
+[ 36.102122] [<c0c2e9ec>] (_raw_spin_unlock_irqrestore) from [<c072e32c>] (regmap_read+0x4c/0x5c)
+[ 36.110938] [<c072e32c>] (regmap_read) from [<c085d0f4>] (rtc_write_sync_lp+0x6c/0x98)
+[ 36.118881] [<c085d0f4>] (rtc_write_sync_lp) from [<c085d160>] (snvs_rtc_alarm_irq_enable+0x40/0x4c)
+[ 36.128041] [<c085d160>] (snvs_rtc_alarm_irq_enable) from [<c08567b4>] (rtc_timer_do_work+0xd8/0x1a8)
+[ 36.137291] [<c08567b4>] (rtc_timer_do_work) from [<c01441b8>] (process_one_work+0x28c/0x76c)
+[ 36.145840] [<c01441b8>] (process_one_work) from [<c01446cc>] (worker_thread+0x34/0x58c)
+[ 36.153961] [<c01446cc>] (worker_thread) from [<c014aee4>] (kthread+0x138/0x150)
+[ 36.161388] [<c014aee4>] (kthread) from [<c0107e14>] (ret_from_fork+0x14/0x20)
+[ 36.168635] rcu_sched kthread starved for 2602 jiffies! g496 c495 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=0
+[ 36.178564] rcu_sched R running task 0 8 2 0x00000000
+[ 36.185664] [<c0c288b0>] (__schedule) from [<c0c29134>] (schedule+0x3c/0xa0)
+[ 36.192739] [<c0c29134>] (schedule) from [<c0c2db80>] (schedule_timeout+0x78/0x4e0)
+[ 36.200422] [<c0c2db80>] (schedule_timeout) from [<c01a7ab0>] (rcu_gp_kthread+0x648/0x1864)
+[ 36.208800] [<c01a7ab0>] (rcu_gp_kthread) from [<c014aee4>] (kthread+0x138/0x150)
+[ 36.216309] [<c014aee4>] (kthread) from [<c0107e14>] (ret_from_fork+0x14/0x20)
+
+This patch fixes by parsing the result of rtc_write_sync_lp() and
+propagating both in the probe and elsewhere. If the RTC doesn't start we
+don't proceed loading the driver and don't get into this loop mess later
+on.
+
+Fixes: 179a502f8c46 ("rtc: snvs: add Freescale rtc-snvs driver")
+Signed-off-by: Bryan O'Donoghue <pure.logic@nexus-software.ie>
+Acked-by: Shawn Guo <shawn.guo@linaro.org>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-snvs.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/rtc/rtc-snvs.c
++++ b/drivers/rtc/rtc-snvs.c
+@@ -132,20 +132,23 @@ static int snvs_rtc_set_time(struct devi
+ {
+ struct snvs_rtc_data *data = dev_get_drvdata(dev);
+ unsigned long time;
++ int ret;
+
+ rtc_tm_to_time(tm, &time);
+
+ /* Disable RTC first */
+- snvs_rtc_enable(data, false);
++ ret = snvs_rtc_enable(data, false);
++ if (ret)
++ return ret;
+
+ /* Write 32-bit time to 47-bit timer, leaving 15 LSBs blank */
+ regmap_write(data->regmap, data->offset + SNVS_LPSRTCLR, time << CNTR_TO_SECS_SH);
+ regmap_write(data->regmap, data->offset + SNVS_LPSRTCMR, time >> (32 - CNTR_TO_SECS_SH));
+
+ /* Enable RTC again */
+- snvs_rtc_enable(data, true);
++ ret = snvs_rtc_enable(data, true);
+
+- return 0;
++ return ret;
+ }
+
+ static int snvs_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm)
+@@ -288,7 +291,11 @@ static int snvs_rtc_probe(struct platfor
+ regmap_write(data->regmap, data->offset + SNVS_LPSR, 0xffffffff);
+
+ /* Enable RTC */
+- snvs_rtc_enable(data, true);
++ ret = snvs_rtc_enable(data, true);
++ if (ret) {
++ dev_err(&pdev->dev, "failed to enable rtc %d\n", ret);
++ goto error_rtc_device_register;
++ }
+
+ device_init_wakeup(&pdev->dev, true);
+
--- /dev/null
+From foo@baz Thu May 24 10:41:16 CEST 2018
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 15 Feb 2018 19:36:14 +0000
+Subject: rtc: tx4939: avoid unintended sign extension on a 24 bit shift
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 347876ad47b9923ce26e686173bbf46581802ffa ]
+
+The shifting of buf[5] by 24 bits to the left will be promoted to
+a 32 bit signed int and then sign-extended to an unsigned long. If
+the top bit of buf[5] is set then all then all the upper bits sec
+end up as also being set because of the sign-extension. Fix this by
+casting buf[5] to an unsigned long before the shift.
+
+Detected by CoverityScan, CID#1465292 ("Unintended sign extension")
+
+Fixes: 0e1492330cd2 ("rtc: add rtc-tx4939 driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-tx4939.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/rtc/rtc-tx4939.c
++++ b/drivers/rtc/rtc-tx4939.c
+@@ -86,7 +86,8 @@ static int tx4939_rtc_read_time(struct d
+ for (i = 2; i < 6; i++)
+ buf[i] = __raw_readl(&rtcreg->dat);
+ spin_unlock_irq(&pdata->lock);
+- sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2];
++ sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) |
++ (buf[3] << 8) | buf[2];
+ rtc_time_to_tm(sec, tm);
+ return rtc_valid_tm(tm);
+ }
+@@ -147,7 +148,8 @@ static int tx4939_rtc_read_alarm(struct
+ alrm->enabled = (ctl & TX4939_RTCCTL_ALME) ? 1 : 0;
+ alrm->pending = (ctl & TX4939_RTCCTL_ALMD) ? 1 : 0;
+ spin_unlock_irq(&pdata->lock);
+- sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2];
++ sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) |
++ (buf[3] << 8) | buf[2];
+ rtc_time_to_tm(sec, &alrm->time);
+ return rtc_valid_tm(&alrm->time);
+ }
--- /dev/null
+From foo@baz Thu May 24 10:41:16 CEST 2018
+From: Vignesh R <vigneshr@ti.com>
+Date: Thu, 8 Feb 2018 18:25:41 +0530
+Subject: serial: 8250: Don't service RX FIFO if interrupts are disabled
+
+From: Vignesh R <vigneshr@ti.com>
+
+[ Upstream commit 2e9fe539108320820016f78ca7704a7342788380 ]
+
+Currently, data in RX FIFO is read based on UART_LSR register state even
+if RDI and RLSI interrupts are disabled in UART_IER register.
+This is because when IRQ handler is called due to TX FIFO empty event,
+RX FIFO is serviced based on UART_LSR register status instead of
+UART_IIR status. This defeats the purpose of disabling UART RX
+FIFO interrupts during throttling(see, omap_8250_throttle()) as IRQ
+handler continues to drain UART RX FIFO resulting in overflow of buffer
+at tty layer.
+Fix this by making sure that driver drains UART RX FIFO only when
+UART_IIR_RDI is set along with UART_LSR_BI or UART_LSR_DR bits.
+
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_port.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -1867,7 +1867,8 @@ int serial8250_handle_irq(struct uart_po
+
+ status = serial_port_in(port, UART_LSR);
+
+- if (status & (UART_LSR_DR | UART_LSR_BI)) {
++ if (status & (UART_LSR_DR | UART_LSR_BI) &&
++ iir & UART_IIR_RDI) {
+ if (!up->dma || handle_rx_dma(up, iir))
+ status = serial8250_rx_chars(up, status);
+ }
--- /dev/null
+From foo@baz Thu May 24 10:41:16 CEST 2018
+From: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>
+Date: Thu, 25 Jan 2018 14:30:43 +0100
+Subject: serial: altera: ensure port->regshift is honored consistently
+
+From: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 0e254963b6ba4d63ac911e79537fea38dd03dc50 ]
+
+Most register accesses in the altera driver honor port->regshift by
+using altera_uart_writel(). There are a few accesses however that were
+missed when the driver was converted to use port->regshift and some
+others were added later in commit 4d9d7d896d77 ("serial: altera_uart:
+add earlycon support").
+
+Fixes: 2780ad42f5fe ("tty: serial: altera_uart: Use port->regshift to store bus shift")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Acked-by: Tobias Klauser <tklauser@distanz.ch>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/altera_uart.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/serial/altera_uart.c
++++ b/drivers/tty/serial/altera_uart.c
+@@ -327,7 +327,7 @@ static int altera_uart_startup(struct ua
+
+ /* Enable RX interrupts now */
+ pp->imr = ALTERA_UART_CONTROL_RRDY_MSK;
+- writel(pp->imr, port->membase + ALTERA_UART_CONTROL_REG);
++ altera_uart_writel(port, pp->imr, ALTERA_UART_CONTROL_REG);
+
+ spin_unlock_irqrestore(&port->lock, flags);
+
+@@ -343,7 +343,7 @@ static void altera_uart_shutdown(struct
+
+ /* Disable all interrupts now */
+ pp->imr = 0;
+- writel(pp->imr, port->membase + ALTERA_UART_CONTROL_REG);
++ altera_uart_writel(port, pp->imr, ALTERA_UART_CONTROL_REG);
+
+ spin_unlock_irqrestore(&port->lock, flags);
+
+@@ -432,7 +432,7 @@ static void altera_uart_console_putc(str
+ ALTERA_UART_STATUS_TRDY_MSK))
+ cpu_relax();
+
+- writel(c, port->membase + ALTERA_UART_TXDATA_REG);
++ altera_uart_writel(port, c, ALTERA_UART_TXDATA_REG);
+ }
+
+ static void altera_uart_console_write(struct console *co, const char *s,
+@@ -502,13 +502,13 @@ static int __init altera_uart_earlycon_s
+ return -ENODEV;
+
+ /* Enable RX interrupts now */
+- writel(ALTERA_UART_CONTROL_RRDY_MSK,
+- port->membase + ALTERA_UART_CONTROL_REG);
++ altera_uart_writel(port, ALTERA_UART_CONTROL_RRDY_MSK,
++ ALTERA_UART_CONTROL_REG);
+
+ if (dev->baud) {
+ unsigned int baudclk = port->uartclk / dev->baud;
+
+- writel(baudclk, port->membase + ALTERA_UART_DIVISOR_REG);
++ altera_uart_writel(port, baudclk, ALTERA_UART_DIVISOR_REG);
+ }
+
+ dev->con->write = altera_uart_earlycon_write;
--- /dev/null
+From foo@baz Thu May 24 10:41:16 CEST 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:29 +0100
+Subject: serial: arc_uart: Fix out-of-bounds access through DT alias
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit f9f5786987e81d166c60833edcb7d1836aa16944 ]
+
+The arc_uart_ports[] array is indexed using a value derived from the
+"serialN" alias in DT, which may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Note that the array size is defined by a Kconfig symbol
+(CONFIG_SERIAL_ARC_NR_PORTS), so this can even be triggered using a
+legitimate DTB.
+
+Fixes: ea28fd56fcde69af ("serial/arc-uart: switch to devicetree based probing")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/arc_uart.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/tty/serial/arc_uart.c
++++ b/drivers/tty/serial/arc_uart.c
+@@ -593,6 +593,11 @@ static int arc_serial_probe(struct platf
+ if (dev_id < 0)
+ dev_id = 0;
+
++ if (dev_id >= ARRAY_SIZE(arc_uart_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", dev_id);
++ return -EINVAL;
++ }
++
+ uart = &arc_uart_ports[dev_id];
+ port = &uart->port;
+
--- /dev/null
+From foo@baz Thu May 24 10:41:16 CEST 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:30 +0100
+Subject: serial: fsl_lpuart: Fix out-of-bounds access through DT alias
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit ffab87fdecc655cc676f8be8dd1a2c5e22bd6d47 ]
+
+The lpuart_ports[] array is indexed using a value derived from the
+"serialN" alias in DT, which may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Fixes: c9e2e946fb0ba5d2 ("tty: serial: add Freescale lpuart driver support")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/fsl_lpuart.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -2145,6 +2145,10 @@ static int lpuart_probe(struct platform_
+ dev_err(&pdev->dev, "failed to get alias id, errno %d\n", ret);
+ return ret;
+ }
++ if (ret >= ARRAY_SIZE(lpuart_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", ret);
++ return -EINVAL;
++ }
+ sport->port.line = ret;
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ sport->port.membase = devm_ioremap_resource(&pdev->dev, res);
--- /dev/null
+From foo@baz Thu May 24 10:41:16 CEST 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:31 +0100
+Subject: serial: imx: Fix out-of-bounds access through serial port index
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 5673444821406dda5fc25e4b52aca419f8065a19 ]
+
+The imx_ports[] array is indexed using a value derived from the
+"serialN" alias in DT, or from platform data, which may lead to an
+out-of-bounds access.
+
+Fix this by adding a range check.
+
+Fixes: ff05967a07225ab6 ("serial/imx: add of_alias_get_id() reference back")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/imx.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -2042,6 +2042,12 @@ static int serial_imx_probe(struct platf
+ else if (ret < 0)
+ return ret;
+
++ if (sport->port.line >= ARRAY_SIZE(imx_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n",
++ sport->port.line);
++ return -EINVAL;
++ }
++
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ base = devm_ioremap_resource(&pdev->dev, res);
+ if (IS_ERR(base))
--- /dev/null
+From foo@baz Thu May 24 10:41:16 CEST 2018
+From: Gabriel Matni <gabriel.matni@exfo.com>
+Date: Thu, 22 Mar 2018 19:15:12 +0000
+Subject: serial: mvebu-uart: fix tx lost characters
+
+From: Gabriel Matni <gabriel.matni@exfo.com>
+
+[ Upstream commit c685af1108d7c303f0b901413405d68eaeac4477 ]
+
+Fixes missing characters on kernel console at low baud rates (i.e.9600).
+The driver should poll TX_RDY or TX_FIFO_EMP instead of TX_EMP to ensure
+that the transmitter holding register (THR) is ready to receive a new byte.
+
+TX_EMP tells us when it is possible to send a break sequence via
+SND_BRK_SEQ. While this also indicates that both the THR and the TSR are
+empty, it does not guarantee that a new byte can be written just yet.
+
+Fixes: 30530791a7a0 ("serial: mvebu-uart: initial support for Armada-3700 serial port")
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Acked-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Gabriel Matni <gabriel.matni@exfo.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/mvebu-uart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/mvebu-uart.c
++++ b/drivers/tty/serial/mvebu-uart.c
+@@ -617,7 +617,7 @@ static void wait_for_xmitr(struct uart_p
+ u32 val;
+
+ readl_poll_timeout_atomic(port->membase + UART_STAT, val,
+- (val & STAT_TX_EMP), 1, 10000);
++ (val & STAT_TX_RDY(port)), 1, 10000);
+ }
+
+ static void mvebu_uart_console_putchar(struct uart_port *port, int ch)
--- /dev/null
+From foo@baz Thu May 24 10:41:16 CEST 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:32 +0100
+Subject: serial: mxs-auart: Fix out-of-bounds access through serial port index
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit dd345a31bfdec350d2593e6de5964e55c7f19c76 ]
+
+The auart_port[] array is indexed using a value derived from the
+"serialN" alias in DT, or from platform data, which may lead to an
+out-of-bounds access.
+
+Fix this by adding a range check.
+
+Fixes: 1ea6607d4cdc9179 ("serial: mxs-auart: Allow device tree probing")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/mxs-auart.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/mxs-auart.c
++++ b/drivers/tty/serial/mxs-auart.c
+@@ -1663,6 +1663,10 @@ static int mxs_auart_probe(struct platfo
+ s->port.line = pdev->id < 0 ? 0 : pdev->id;
+ else if (ret < 0)
+ return ret;
++ if (s->port.line >= ARRAY_SIZE(auart_port)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", s->port.line);
++ return -EINVAL;
++ }
+
+ if (of_id) {
+ pdev->id_entry = of_id->data;
--- /dev/null
+From foo@baz Thu May 24 10:41:16 CEST 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:34 +0100
+Subject: serial: samsung: Fix out-of-bounds access through serial port index
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 49ee23b71877831ac087d6083f6f397dc19c9664 ]
+
+The s3c24xx_serial_ports[] array is indexed using a value derived from
+the "serialN" alias in DT, or from an incrementing probe index, which
+may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Note that the array size is defined by a Kconfig symbol
+(CONFIG_SERIAL_SAMSUNG_UARTS), so this can even be triggered using
+a legitimate DTB or legitimate board code.
+
+Fixes: 13a9f6c64fdc55eb ("serial: samsung: Consider DT alias when probing ports")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/samsung.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/samsung.c
++++ b/drivers/tty/serial/samsung.c
+@@ -1818,6 +1818,10 @@ static int s3c24xx_serial_probe(struct p
+
+ dbg("s3c24xx_serial_probe(%p) %d\n", pdev, index);
+
++ if (index >= ARRAY_SIZE(s3c24xx_serial_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", index);
++ return -EINVAL;
++ }
+ ourport = &s3c24xx_serial_ports[index];
+
+ ourport->drv_data = s3c24xx_get_driver_data(pdev);
--- /dev/null
+From foo@baz Thu May 24 10:41:16 CEST 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:35 +0100
+Subject: serial: sh-sci: Fix out-of-bounds access through DT alias
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 090fa4b0dccfa3d04e1c5ab0fe4eba16e6713895 ]
+
+The sci_ports[] array is indexed using a value derived from the
+"serialN" alias in DT, which may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Note that the array size is defined by a Kconfig symbol
+(CONFIG_SERIAL_SH_SCI_NR_UARTS), so this can even be triggered using a
+legitimate DTB.
+
+Fixes: 97ed9790c514066b ("serial: sh-sci: Remove unused platform data capabilities field")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sh-sci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -3098,6 +3098,10 @@ static struct plat_sci_port *sci_parse_d
+ dev_err(&pdev->dev, "failed to get alias id (%d)\n", id);
+ return NULL;
+ }
++ if (id >= ARRAY_SIZE(sci_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", id);
++ return NULL;
++ }
+
+ sp = &sci_ports[id];
+ *dev_id = id;
--- /dev/null
+From foo@baz Thu May 24 10:41:16 CEST 2018
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 23 Feb 2018 14:38:37 +0100
+Subject: serial: xuartps: Fix out-of-bounds access through DT alias
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit e7d75e18d0fc3f7193b65282b651f980c778d935 ]
+
+The cdns_uart_port[] array is indexed using a value derived from the
+"serialN" alias in DT, which may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Fixes: 928e9263492069ee ("tty: xuartps: Initialize ports according to aliases")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/xilinx_uartps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/xilinx_uartps.c
++++ b/drivers/tty/serial/xilinx_uartps.c
+@@ -1110,7 +1110,7 @@ static struct uart_port *cdns_uart_get_p
+ struct uart_port *port;
+
+ /* Try the given port id if failed use default method */
+- if (cdns_uart_port[id].mapbase != 0) {
++ if (id < CDNS_UART_NR_PORTS && cdns_uart_port[id].mapbase != 0) {
+ /* Find the next unused port */
+ for (id = 0; id < CDNS_UART_NR_PORTS; id++)
+ if (cdns_uart_port[id].mapbase == 0)
media-vb2-fix-videobuf2-to-map-correct-area.patch
media-vivid-fix-incorrect-capabilities-for-radio.patch
media-cx25821-prevent-out-of-bounds-read-on-array-card.patch
+serial-mvebu-uart-fix-tx-lost-characters.patch
+serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch
+serial-sh-sci-fix-out-of-bounds-access-through-dt-alias.patch
+serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch
+serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch
+serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch
+serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch
+serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch
+serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch
+serial-altera-ensure-port-regshift-is-honored-consistently.patch
+rtc-snvs-fix-usage-of-snvs_rtc_enable.patch
+rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch
+rtc-rk808-fix-possible-race-condition.patch
+rtc-m41t80-fix-race-conditions.patch
+rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch
+rtc-rp5c01-fix-possible-race-condition.patch
+rtc-goldfish-add-missing-module_license.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
