--- /dev/null
+From 50b2b571c5f3df721fc81bf9a12c521dfbe019ba Mon Sep 17 00:00:00 2001
+From: Chuhong Yuan <hslester96@gmail.com>
+Date: Mon, 18 Nov 2019 10:48:33 +0800
+Subject: serial: ifx6x60: add missed pm_runtime_disable
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+commit 50b2b571c5f3df721fc81bf9a12c521dfbe019ba upstream.
+
+The driver forgets to call pm_runtime_disable in remove.
+Add the missed calls to fix it.
+
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191118024833.21587-1-hslester96@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/ifx6x60.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/serial/ifx6x60.c
++++ b/drivers/tty/serial/ifx6x60.c
+@@ -1230,6 +1230,9 @@ static int ifx_spi_spi_remove(struct spi
+ struct ifx_spi_device *ifx_dev = spi_get_drvdata(spi);
+ /* stop activity */
+ tasklet_kill(&ifx_dev->io_work_tasklet);
++
++ pm_runtime_disable(&spi->dev);
++
+ /* free irq */
+ free_irq(gpio_to_irq(ifx_dev->gpio.reset_out), ifx_dev);
+ free_irq(gpio_to_irq(ifx_dev->gpio.srdy), ifx_dev);
--- /dev/null
+From f6a196477184b99a31d16366a8e826558aa11f6d Mon Sep 17 00:00:00 2001
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Date: Mon, 18 Nov 2019 10:25:47 +0100
+Subject: serial: pl011: Fix DMA ->flush_buffer()
+
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+
+commit f6a196477184b99a31d16366a8e826558aa11f6d upstream.
+
+PL011's ->flush_buffer() implementation releases and reacquires the port
+lock. Due to a race condition here, data can end up being added to the
+circular buffer but neither being discarded nor being sent out. This
+leads to, for example, tcdrain(2) waiting indefinitely.
+
+Process A Process B
+
+uart_flush_buffer()
+ - acquire lock
+ - circ_clear
+ - pl011_flush_buffer()
+ -- release lock
+ -- dmaengine_terminate_all()
+
+ uart_write()
+ - acquire lock
+ - add chars to circ buffer
+ - start_tx()
+ -- start DMA
+ - release lock
+
+ -- acquire lock
+ -- turn off DMA
+ -- release lock
+
+ // Data in circ buffer but DMA is off
+
+According to the comment in the code, the releasing of the lock around
+dmaengine_terminate_all() is to avoid a deadlock with the DMA engine
+callback. However, since the time this code was written, the DMA engine
+API documentation seems to have been clarified to say that
+dmaengine_terminate_all() (in the identically implemented but
+differently named dmaengine_terminate_async() variant) does not wait for
+any running complete callback to be completed and can even be called
+from a complete callback. So there is no possibility of deadlock if the
+DMA engine driver implements this API correctly.
+
+So we should be able to just remove this release and reacquire of the
+lock to prevent the aforementioned race condition.
+
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191118092547.32135-1-vincent.whitchurch@axis.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/amba-pl011.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/serial/amba-pl011.c
++++ b/drivers/tty/serial/amba-pl011.c
+@@ -813,10 +813,8 @@ __acquires(&uap->port.lock)
+ if (!uap->using_tx_dma)
+ return;
+
+- /* Avoid deadlock with the DMA engine callback */
+- spin_unlock(&uap->port.lock);
+- dmaengine_terminate_all(uap->dmatx.chan);
+- spin_lock(&uap->port.lock);
++ dmaengine_terminate_async(uap->dmatx.chan);
++
+ if (uap->dmatx.queued) {
+ dma_unmap_sg(uap->dmatx.chan->device->dev, &uap->dmatx.sg, 1,
+ DMA_TO_DEVICE);
--- /dev/null
+From 7d73170e1c282576419f8b50a771f1fcd2b81a94 Mon Sep 17 00:00:00 2001
+From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Date: Wed, 20 Nov 2019 23:18:53 +0800
+Subject: serial: serial_core: Perform NULL checks for break_ctl ops
+
+From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+
+commit 7d73170e1c282576419f8b50a771f1fcd2b81a94 upstream.
+
+Doing fuzz test on sbsa uart device, causes a kernel crash
+due to NULL pointer dereference:
+
+------------[ cut here ]------------
+Unable to handle kernel paging request at virtual address fffffffffffffffc
+pgd = ffffffe331723000
+[fffffffffffffffc] *pgd=0000002333595003, *pud=0000002333595003, *pmd=00000
+Internal error: Oops: 96000005 [#1] PREEMPT SMP
+Modules linked in: ping(O) jffs2 rtos_snapshot(O) pramdisk(O) hisi_sfc(O)
+Drv_Nandc_K(O) Drv_SysCtl_K(O) Drv_SysClk_K(O) bsp_reg(O) hns3(O)
+hns3_uio_enet(O) hclgevf(O) hclge(O) hnae3(O) mdio_factory(O)
+mdio_registry(O) mdio_dev(O) mdio(O) hns3_info(O) rtos_kbox_panic(O)
+uart_suspend(O) rsm(O) stp llc tunnel4 xt_tcpudp ipt_REJECT nf_reject_ipv4
+iptable_filter ip_tables x_tables sd_mod xhci_plat_hcd xhci_pci xhci_hcd
+usbmon usbhid usb_storage ohci_platform ohci_pci ohci_hcd hid_generic hid
+ehci_platform ehci_pci ehci_hcd vfat fat usbcore usb_common scsi_mod
+yaffs2multi(O) ext4 jbd2 ext2 mbcache ofpart i2c_dev i2c_core uio ubi nand
+nand_ecc nand_ids cfi_cmdset_0002 cfi_cmdset_0001 cfi_probe gen_probe
+cmdlinepart chipreg mtdblock mtd_blkdevs mtd nfsd auth_rpcgss oid_registry
+nfsv3 nfs nfs_acl lockd sunrpc grace autofs4
+CPU: 2 PID: 2385 Comm: tty_fuzz_test Tainted: G O 4.4.193 #1
+task: ffffffe32b23f110 task.stack: ffffffe32bda4000
+PC is at uart_break_ctl+0x44/0x84
+LR is at uart_break_ctl+0x34/0x84
+pc : [<ffffff8393196098>] lr : [<ffffff8393196088>] pstate: 80000005
+sp : ffffffe32bda7cc0
+x29: ffffffe32bda7cc0 x28: ffffffe32b23f110
+x27: ffffff8393402000 x26: 0000000000000000
+x25: ffffffe32b233f40 x24: ffffffc07a8ec680
+x23: 0000000000005425 x22: 00000000ffffffff
+x21: ffffffe33ed73c98 x20: 0000000000000000
+x19: ffffffe33ed94168 x18: 0000000000000004
+x17: 0000007f92ae9d30 x16: ffffff8392fa6064
+x15: 0000000000000010 x14: 0000000000000000
+x13: 0000000000000000 x12: 0000000000000000
+x11: 0000000000000020 x10: 0000007ffdac1708
+x9 : 0000000000000078 x8 : 000000000000001d
+x7 : 0000000052a64887 x6 : ffffffe32bda7e08
+x5 : ffffffe32b23c000 x4 : 0000005fbc5b0000
+x3 : ffffff83938d5018 x2 : 0000000000000080
+x1 : ffffffe32b23c040 x0 : ffffff83934428f8
+virtual start addr offset is 38ac00000
+module base offset is 2cd4cf1000
+linear region base offset is : 0
+Process tty_fuzz_test (pid: 2385, stack limit = 0xffffffe32bda4000)
+Stack: (0xffffffe32bda7cc0 to 0xffffffe32bda8000)
+7cc0: ffffffe32bda7cf0 ffffff8393177718 ffffffc07a8ec680 ffffff8393196054
+7ce0: 000000001739f2e0 0000007ffdac1978 ffffffe32bda7d20 ffffff8393179a1c
+7d00: 0000000000000000 ffffff8393c0a000 ffffffc07a8ec680 cb88537fdc8ba600
+7d20: ffffffe32bda7df0 ffffff8392fa5a40 ffffff8393c0a000 0000000000005425
+7d40: 0000007ffdac1978 ffffffe32b233f40 ffffff8393178dcc 0000000000000003
+7d60: 000000000000011d 000000000000001d ffffffe32b23f110 000000000000029e
+7d80: ffffffe34fe8d5d0 0000000000000000 ffffffe32bda7e14 cb88537fdc8ba600
+7da0: ffffffe32bda7e30 ffffff8393042cfc ffffff8393c41720 ffffff8393c46410
+7dc0: ffffff839304fa68 ffffffe32b233f40 0000000000005425 0000007ffdac1978
+7de0: 000000000000011d cb88537fdc8ba600 ffffffe32bda7e70 ffffff8392fa60cc
+7e00: 0000000000000000 ffffffe32b233f40 ffffffe32b233f40 0000000000000003
+7e20: 0000000000005425 0000007ffdac1978 ffffffe32bda7e70 ffffff8392fa60b0
+7e40: 0000000000000280 ffffffe32b233f40 ffffffe32b233f40 0000000000000003
+7e60: 0000000000005425 cb88537fdc8ba600 0000000000000000 ffffff8392e02e78
+7e80: 0000000000000280 0000005fbc5b0000 ffffffffffffffff 0000007f92ae9d3c
+7ea0: 0000000060000000 0000000000000015 0000000000000003 0000000000005425
+7ec0: 0000007ffdac1978 0000000000000000 00000000a54c910e 0000007f92b95014
+7ee0: 0000007f92b95090 0000000052a64887 000000000000001d 0000000000000078
+7f00: 0000007ffdac1708 0000000000000020 0000000000000000 0000000000000000
+7f20: 0000000000000000 0000000000000010 000000556acf0090 0000007f92ae9d30
+7f40: 0000000000000004 000000556acdef10 0000000000000000 000000556acdebd0
+7f60: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+7f80: 0000000000000000 0000000000000000 0000000000000000 0000007ffdac1840
+7fa0: 000000556acdedcc 0000007ffdac1840 0000007f92ae9d3c 0000000060000000
+7fc0: 0000000000000000 0000000000000000 0000000000000003 000000000000001d
+7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+Call trace:
+Exception stack(0xffffffe32bda7ab0 to 0xffffffe32bda7bf0)
+7aa0: 0000000000001000 0000007fffffffff
+7ac0: ffffffe32bda7cc0 ffffff8393196098 0000000080000005 0000000000000025
+7ae0: ffffffe32b233f40 ffffff83930d777c ffffffe32bda7b30 ffffff83930d777c
+7b00: ffffffe32bda7be0 ffffff83938d5000 ffffffe32bda7be0 ffffffe32bda7c20
+7b20: ffffffe32bda7b60 ffffff83930d777c ffffffe32bda7c10 ffffff83938d5000
+7b40: ffffffe32bda7c10 ffffffe32bda7c50 ffffff8393c0a000 ffffffe32b23f110
+7b60: ffffffe32bda7b70 ffffff8392e09df4 ffffffe32bda7bb0 cb88537fdc8ba600
+7b80: ffffff83934428f8 ffffffe32b23c040 0000000000000080 ffffff83938d5018
+7ba0: 0000005fbc5b0000 ffffffe32b23c000 ffffffe32bda7e08 0000000052a64887
+7bc0: 000000000000001d 0000000000000078 0000007ffdac1708 0000000000000020
+7be0: 0000000000000000 0000000000000000
+[<ffffff8393196098>] uart_break_ctl+0x44/0x84
+[<ffffff8393177718>] send_break+0xa0/0x114
+[<ffffff8393179a1c>] tty_ioctl+0xc50/0xe84
+[<ffffff8392fa5a40>] do_vfs_ioctl+0xc4/0x6e8
+[<ffffff8392fa60cc>] SyS_ioctl+0x68/0x9c
+[<ffffff8392e02e78>] __sys_trace_return+0x0/0x4
+Code: b9410ea0 34000160 f9408aa0 f9402814 (b85fc280)
+---[ end trace 8606094f1960c5e0 ]---
+Kernel panic - not syncing: Fatal exception
+
+Fix this problem by adding NULL checks prior to calling break_ctl ops.
+
+Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1574263133-28259-1-git-send-email-xiaojiangfeng@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/serial_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -1112,7 +1112,7 @@ static int uart_break_ctl(struct tty_str
+ if (!uport)
+ goto out;
+
+- if (uport->type != PORT_UNKNOWN)
++ if (uport->type != PORT_UNKNOWN && uport->ops->break_ctl)
+ uport->ops->break_ctl(uport, break_state);
+ ret = 0;
+ out:
arm64-tegra-fix-active-low-warning-for-jetson-tx1-regulator.patch
sparc64-implement-ioremap_uc.patch
lp-fix-sparc64-lpsettimeout-ioctl.patch
+usb-gadget-u_serial-add-missing-port-entry-locking.patch
+tty-serial-fsl_lpuart-use-the-sg-count-from-dma_map_sg.patch
+tty-serial-msm_serial-fix-flow-control.patch
+serial-pl011-fix-dma-flush_buffer.patch
+serial-serial_core-perform-null-checks-for-break_ctl-ops.patch
+serial-ifx6x60-add-missed-pm_runtime_disable.patch
--- /dev/null
+From 487ee861de176090b055eba5b252b56a3b9973d6 Mon Sep 17 00:00:00 2001
+From: Peng Fan <peng.fan@nxp.com>
+Date: Tue, 5 Nov 2019 05:51:10 +0000
+Subject: tty: serial: fsl_lpuart: use the sg count from dma_map_sg
+
+From: Peng Fan <peng.fan@nxp.com>
+
+commit 487ee861de176090b055eba5b252b56a3b9973d6 upstream.
+
+The dmaengine_prep_slave_sg needs to use sg count returned
+by dma_map_sg, not use sport->dma_tx_nents, because the return
+value of dma_map_sg is not always same with "nents".
+
+When enabling iommu for lpuart + edma, iommu framework may concatenate
+two sgs into one.
+
+Fixes: 6250cc30c4c4e ("tty: serial: fsl_lpuart: Use scatter/gather DMA for Tx")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Link: https://lore.kernel.org/r/1572932977-17866-1-git-send-email-peng.fan@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/fsl_lpuart.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -376,8 +376,8 @@ static void lpuart_dma_tx(struct lpuart_
+ }
+
+ sport->dma_tx_desc = dmaengine_prep_slave_sg(sport->dma_tx_chan, sgl,
+- sport->dma_tx_nents,
+- DMA_MEM_TO_DEV, DMA_PREP_INTERRUPT);
++ ret, DMA_MEM_TO_DEV,
++ DMA_PREP_INTERRUPT);
+ if (!sport->dma_tx_desc) {
+ dma_unmap_sg(dev, sgl, sport->dma_tx_nents, DMA_TO_DEVICE);
+ dev_err(dev, "Cannot prepare TX slave DMA!\n");
--- /dev/null
+From b027ce258369cbfa88401a691c23dad01deb9f9b Mon Sep 17 00:00:00 2001
+From: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
+Date: Mon, 21 Oct 2019 08:46:16 -0700
+Subject: tty: serial: msm_serial: Fix flow control
+
+From: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
+
+commit b027ce258369cbfa88401a691c23dad01deb9f9b upstream.
+
+hci_qca interfaces to the wcn3990 via a uart_dm on the msm8998 mtp and
+Lenovo Miix 630 laptop. As part of initializing the wcn3990, hci_qca
+disables flow, configures the uart baudrate, and then reenables flow - at
+which point an event is expected to be received over the uart from the
+wcn3990. It is observed that this event comes after the baudrate change
+but before hci_qca re-enables flow. This is unexpected, and is a result of
+msm_reset() being broken.
+
+According to the uart_dm hardware documentation, it is recommended that
+automatic hardware flow control be enabled by setting RX_RDY_CTL. Auto
+hw flow control will manage RFR based on the configured watermark. When
+there is space to receive data, the hw will assert RFR. When the watermark
+is hit, the hw will de-assert RFR.
+
+The hardware documentation indicates that RFR can me manually managed via
+CR when RX_RDY_CTL is not set. SET_RFR asserts RFR, and RESET_RFR
+de-asserts RFR.
+
+msm_reset() is broken because after resetting the hardware, it
+unconditionally asserts RFR via SET_RFR. This enables flow regardless of
+the current configuration, and would undo a previous flow disable
+operation. It should instead de-assert RFR via RESET_RFR to block flow
+until the hardware is reconfigured. msm_serial should rely on the client
+to specify that flow should be enabled, either via mctrl() or the termios
+structure, and only assert RFR in response to those triggers.
+
+Fixes: 04896a77a97b ("msm_serial: serial driver for MSM7K onboard serial peripheral.")
+Signed-off-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Andy Gross <agross@kernel.org>
+Link: https://lore.kernel.org/r/20191021154616.25457-1-jeffrey.l.hugo@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/msm_serial.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/msm_serial.c
++++ b/drivers/tty/serial/msm_serial.c
+@@ -980,6 +980,7 @@ static unsigned int msm_get_mctrl(struct
+ static void msm_reset(struct uart_port *port)
+ {
+ struct msm_port *msm_port = UART_TO_MSM(port);
++ unsigned int mr;
+
+ /* reset everything */
+ msm_write(port, UART_CR_CMD_RESET_RX, UART_CR);
+@@ -987,7 +988,10 @@ static void msm_reset(struct uart_port *
+ msm_write(port, UART_CR_CMD_RESET_ERR, UART_CR);
+ msm_write(port, UART_CR_CMD_RESET_BREAK_INT, UART_CR);
+ msm_write(port, UART_CR_CMD_RESET_CTS, UART_CR);
+- msm_write(port, UART_CR_CMD_SET_RFR, UART_CR);
++ msm_write(port, UART_CR_CMD_RESET_RFR, UART_CR);
++ mr = msm_read(port, UART_MR1);
++ mr &= ~UART_MR1_RX_RDY_CTL;
++ msm_write(port, mr, UART_MR1);
+
+ /* Disable DM modes */
+ if (msm_port->is_uartdm)
--- /dev/null
+From daf82bd24e308c5a83758047aff1bd81edda4f11 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= <mirq-linux@rere.qmqm.pl>
+Date: Sat, 10 Aug 2019 10:42:48 +0200
+Subject: usb: gadget: u_serial: add missing port entry locking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+
+commit daf82bd24e308c5a83758047aff1bd81edda4f11 upstream.
+
+gserial_alloc_line() misses locking (for a release barrier) while
+resetting port entry on TTY allocation failure. Fix this.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Tested-by: Ladislav Michl <ladis@linux-mips.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/u_serial.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/gadget/function/u_serial.c
++++ b/drivers/usb/gadget/function/u_serial.c
+@@ -1246,8 +1246,10 @@ int gserial_alloc_line(unsigned char *li
+ __func__, port_num, PTR_ERR(tty_dev));
+
+ ret = PTR_ERR(tty_dev);
++ mutex_lock(&ports[port_num].lock);
+ port = ports[port_num].port;
+ ports[port_num].port = NULL;
++ mutex_unlock(&ports[port_num].lock);
+ gserial_free_port(port);
+ goto err;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
