--- /dev/null
+From a34d0a0da1abae46a5f6ebd06fb0ec484ca099d9 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Thu, 2 Feb 2017 10:14:51 +0100
+Subject: ath9k_hw: check if the chip failed to wake up
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit a34d0a0da1abae46a5f6ebd06fb0ec484ca099d9 upstream.
+
+In an RFC patch, Sven Eckelmann and Simon Wunderlich reported:
+
+"QCA 802.11n chips (especially AR9330/AR9340) sometimes end up in a
+state in which a read of AR_CFG always returns 0xdeadbeef.
+This should not happen when when the power_mode of the device is
+ATH9K_PM_AWAKE."
+
+Include the check for the default register state in the existing MAC
+hang check.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Cc: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/hw.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath9k/hw.c
++++ b/drivers/net/wireless/ath/ath9k/hw.c
+@@ -1595,6 +1595,10 @@ bool ath9k_hw_check_alive(struct ath_hw
+ int count = 50;
+ u32 reg, last_val;
+
++ /* Check if chip failed to wake up */
++ if (REG_READ(ah, AR_CFG) == 0xdeadbeef)
++ return false;
++
+ if (AR_SREV_9300(ah))
+ return !ath9k_hw_detect_mac_hang(ah);
+
--- /dev/null
+From 74c82dae6c474933f2be401976e1530b5f623221 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Sat, 10 Dec 2016 22:56:21 -0800
+Subject: Input: drv260x - fix initializing overdrive voltage
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 74c82dae6c474933f2be401976e1530b5f623221 upstream.
+
+We were accidentally initializing haptics->rated_voltage twice, and did not
+initialize overdrive voltage.
+
+Acked-by: Dan Murphy <dmurphy@ti.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Cc: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/drv260x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/misc/drv260x.c
++++ b/drivers/input/misc/drv260x.c
+@@ -521,7 +521,7 @@ static int drv260x_probe(struct i2c_clie
+ if (!haptics)
+ return -ENOMEM;
+
+- haptics->rated_voltage = DRV260X_DEF_OD_CLAMP_VOLT;
++ haptics->overdrive_voltage = DRV260X_DEF_OD_CLAMP_VOLT;
+ haptics->rated_voltage = DRV260X_DEF_RATED_VOLT;
+
+ if (pdata) {
--- /dev/null
+From dbfcef6b0f4012c57bc0b6e0e660d5ed12a5eaed Mon Sep 17 00:00:00 2001
+From: Sahitya Tummala <stummala@codeaurora.org>
+Date: Wed, 1 Feb 2017 20:49:35 -0500
+Subject: jbd2: fix use after free in kjournald2()
+
+From: Sahitya Tummala <stummala@codeaurora.org>
+
+commit dbfcef6b0f4012c57bc0b6e0e660d5ed12a5eaed upstream.
+
+Below is the synchronization issue between unmount and kjournald2
+contexts, which results into use after free issue in kjournald2().
+Fix this issue by using journal->j_state_lock to synchronize the
+wait_event() done in journal_kill_thread() and the wake_up() done
+in kjournald2().
+
+TASK 1:
+umount cmd:
+ |--jbd2_journal_destroy() {
+ |--journal_kill_thread() {
+ write_lock(&journal->j_state_lock);
+ journal->j_flags |= JBD2_UNMOUNT;
+ ...
+ write_unlock(&journal->j_state_lock);
+ wake_up(&journal->j_wait_commit); TASK 2 wakes up here:
+ kjournald2() {
+ ...
+ checks JBD2_UNMOUNT flag and calls goto end-loop;
+ ...
+ end_loop:
+ write_unlock(&journal->j_state_lock);
+ journal->j_task = NULL; --> If this thread gets
+ pre-empted here, then TASK 1 wait_event will
+ exit even before this thread is completely
+ done.
+ wait_event(journal->j_wait_done_commit, journal->j_task == NULL);
+ ...
+ write_lock(&journal->j_state_lock);
+ write_unlock(&journal->j_state_lock);
+ }
+ |--kfree(journal);
+ }
+}
+ wake_up(&journal->j_wait_done_commit); --> this step
+ now results into use after free issue.
+ }
+
+Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/journal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -275,11 +275,11 @@ loop:
+ goto loop;
+
+ end_loop:
+- write_unlock(&journal->j_state_lock);
+ del_timer_sync(&journal->j_commit_timer);
+ journal->j_task = NULL;
+ wake_up(&journal->j_wait_done_commit);
+ jbd_debug(1, "Journal thread exiting.\n");
++ write_unlock(&journal->j_state_lock);
+ return 0;
+ }
+
perf-return-proper-values-for-user-stack-errors.patch
staging-ion-donnot-wakeup-kswapd-in-ion-system-alloc.patch
r8152-add-linksys-usb3gigv1-id.patch
+input-drv260x-fix-initializing-overdrive-voltage.patch
+ath9k_hw-check-if-the-chip-failed-to-wake-up.patch
+jbd2-fix-use-after-free-in-kjournald2.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
