--- /dev/null
+From a31ab44ef5d07c6707df4a9ad2c8affd2d62ff4b Mon Sep 17 00:00:00 2001
+From: Stephen Warren <swarren@wwwdotorg.org>
+Date: Mon, 25 Nov 2013 20:35:42 -0700
+Subject: ARM: bcm2835: add missing #xxx-cells to I2C nodes
+
+From: Stephen Warren <swarren@wwwdotorg.org>
+
+commit a31ab44ef5d07c6707df4a9ad2c8affd2d62ff4b upstream.
+
+The I2C controller node needs #address-cells and #size-cells properties,
+but these are currently missing. Add them. This allows child nodes to be
+parsed correctly.
+
+Signed-off-by: Stephen Warren <swarren@wwwdotorg.org>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/bcm2835.dtsi | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm/boot/dts/bcm2835.dtsi
++++ b/arch/arm/boot/dts/bcm2835.dtsi
+@@ -85,6 +85,8 @@
+ reg = <0x7e205000 0x1000>;
+ interrupts = <2 21>;
+ clocks = <&clk_i2c>;
++ #address-cells = <1>;
++ #size-cells = <0>;
+ status = "disabled";
+ };
+
+@@ -93,6 +95,8 @@
+ reg = <0x7e804000 0x1000>;
+ interrupts = <2 21>;
+ clocks = <&clk_i2c>;
++ #address-cells = <1>;
++ #size-cells = <0>;
+ status = "disabled";
+ };
+
--- /dev/null
+From c61248afa8190ae3f47ee67f46e3c9b584a73d31 Mon Sep 17 00:00:00 2001
+From: Doug Anderson <dianders@chromium.org>
+Date: Wed, 23 Oct 2013 06:11:01 -0700
+Subject: ARM: dts: Add max77686 RTC interrupt to cros5250-common
+
+From: Doug Anderson <dianders@chromium.org>
+
+commit c61248afa8190ae3f47ee67f46e3c9b584a73d31 upstream.
+
+Without the interrupt you'll get problems if you enable
+CONFIG_RTC_DRV_MAX77686. Setup the interrupt properly in the device
+tree.
+
+Signed-off-by: Doug Anderson <dianders@chromium.org>
+Tested-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/cros5250-common.dtsi | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/arch/arm/boot/dts/cros5250-common.dtsi
++++ b/arch/arm/boot/dts/cros5250-common.dtsi
+@@ -27,6 +27,13 @@
+ i2c2_bus: i2c2-bus {
+ samsung,pin-pud = <0>;
+ };
++
++ max77686_irq: max77686-irq {
++ samsung,pins = "gpx3-2";
++ samsung,pin-function = <0>;
++ samsung,pin-pud = <0>;
++ samsung,pin-drv = <0>;
++ };
+ };
+
+ i2c@12C60000 {
+@@ -35,6 +42,11 @@
+
+ max77686@09 {
+ compatible = "maxim,max77686";
++ interrupt-parent = <&gpx3>;
++ interrupts = <2 0>;
++ pinctrl-names = "default";
++ pinctrl-0 = <&max77686_irq>;
++ wakeup-source;
+ reg = <0x09>;
+
+ voltage-regulators {
--- /dev/null
+From 0d1862ea1a5bb876cf05555a7307080cb75bf379 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Fri, 27 Sep 2013 12:15:05 +0200
+Subject: can: flexcan: fix flexcan_chip_start() on imx6
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 0d1862ea1a5bb876cf05555a7307080cb75bf379 upstream.
+
+In the flexcan_chip_start() function first the flexcan core is going through
+the soft reset sequence, then the RX FIFO is enabled.
+
+With the hardware is put into FIFO mode, message buffers 1...7 are reserved by
+the FIFO engine. The remaining message buffers are in reset default values.
+This patch removes the bogus initialization of the message buffers, as it
+causes an imprecise external abort on imx6.
+
+Reported-by: Lothar Waßmann <LW@KARO-electronics.de>
+Tested-by: Lothar Waßmann <LW@KARO-electronics.de>
+[mkl: adjusted context for stable]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/flexcan.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -711,7 +711,6 @@ static int flexcan_chip_start(struct net
+ {
+ struct flexcan_priv *priv = netdev_priv(dev);
+ struct flexcan_regs __iomem *regs = priv->base;
+- unsigned int i;
+ int err;
+ u32 reg_mcr, reg_ctrl;
+
+@@ -783,17 +782,6 @@ static int flexcan_chip_start(struct net
+ netdev_dbg(dev, "%s: writing ctrl=0x%08x", __func__, reg_ctrl);
+ flexcan_write(reg_ctrl, ®s->ctrl);
+
+- for (i = 0; i < ARRAY_SIZE(regs->cantxfg); i++) {
+- flexcan_write(0, ®s->cantxfg[i].can_ctrl);
+- flexcan_write(0, ®s->cantxfg[i].can_id);
+- flexcan_write(0, ®s->cantxfg[i].data[0]);
+- flexcan_write(0, ®s->cantxfg[i].data[1]);
+-
+- /* put MB into rx queue */
+- flexcan_write(FLEXCAN_MB_CNT_CODE(0x4),
+- ®s->cantxfg[i].can_ctrl);
+- }
+-
+ /* Abort any pending TX, mark Mailbox as INACTIVE */
+ flexcan_write(FLEXCAN_MB_CNT_CODE(0x4),
+ ®s->cantxfg[FLEXCAN_TX_BUF_ID].can_ctrl);
--- /dev/null
+From 0523f037f65dba10191b0fa9c51266f90ba64630 Mon Sep 17 00:00:00 2001
+From: Shan Hai <shan.hai@windriver.com>
+Date: Mon, 28 Oct 2013 16:08:01 +0800
+Subject: drivers/libata: Set max sector to 65535 for Slimtype DVD A DS8A9SH drive
+
+From: Shan Hai <shan.hai@windriver.com>
+
+commit 0523f037f65dba10191b0fa9c51266f90ba64630 upstream.
+
+The "Slimtype DVD A DS8A9SH" drive locks up with following backtrace when
+the max sector is smaller than 65535 bytes, fix it by adding a quirk to set
+the max sector to 65535 bytes.
+
+INFO: task flush-11:0:663 blocked for more than 120 seconds.
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+flush-11:0 D 00000000ffff5ceb 0 663 2 0x00000000
+ ffff88026d3b1710 0000000000000046 0000000000000001 0000000000000000
+ ffff88026f2530c0 ffff88026d365860 ffff88026d3b16e0 ffffffff812ffd52
+ ffff88026d4fd3d0 0000000100000001 ffff88026d3b16f0 ffff88026d3b1fd8
+Call Trace:
+ [<ffffffff812ffd52>] ? cfq_may_queue+0x52/0xf0
+ [<ffffffff81604338>] schedule+0x18/0x30
+ [<ffffffff81604392>] io_schedule+0x42/0x60
+ [<ffffffff812f22bb>] get_request_wait+0xeb/0x1f0
+ [<ffffffff81065660>] ? autoremove_wake_function+0x0/0x40
+ [<ffffffff812eb382>] ? elv_merge+0x42/0x210
+ [<ffffffff812f26ae>] __make_request+0x8e/0x4e0
+ [<ffffffff812f068e>] generic_make_request+0x21e/0x5e0
+ [<ffffffff812f0aad>] submit_bio+0x5d/0xd0
+ [<ffffffff81141422>] submit_bh+0xf2/0x130
+ [<ffffffff8114474c>] __block_write_full_page+0x1dc/0x3a0
+ [<ffffffff81143f60>] ? end_buffer_async_write+0x0/0x120
+ [<ffffffff811474e0>] ? blkdev_get_block+0x0/0x70
+ [<ffffffff811474e0>] ? blkdev_get_block+0x0/0x70
+ [<ffffffff81143f60>] ? end_buffer_async_write+0x0/0x120
+ [<ffffffff811449ee>] block_write_full_page_endio+0xde/0x100
+ [<ffffffff81144a20>] block_write_full_page+0x10/0x20
+ [<ffffffff81148703>] blkdev_writepage+0x13/0x20
+ [<ffffffff810d7525>] __writepage+0x15/0x40
+ [<ffffffff810d7c0f>] write_cache_pages+0x1cf/0x3e0
+ [<ffffffff810d7510>] ? __writepage+0x0/0x40
+ [<ffffffff810d7e42>] generic_writepages+0x22/0x30
+ [<ffffffff810d7e6f>] do_writepages+0x1f/0x40
+ [<ffffffff8113ae67>] writeback_single_inode+0xe7/0x3b0
+ [<ffffffff8113b574>] writeback_sb_inodes+0x184/0x280
+ [<ffffffff8113bedb>] writeback_inodes_wb+0x6b/0x1a0
+ [<ffffffff8113c24b>] wb_writeback+0x23b/0x2a0
+ [<ffffffff8113c42d>] wb_do_writeback+0x17d/0x190
+ [<ffffffff8113c48b>] bdi_writeback_task+0x4b/0xe0
+ [<ffffffff810e82a0>] ? bdi_start_fn+0x0/0x100
+ [<ffffffff810e8321>] bdi_start_fn+0x81/0x100
+ [<ffffffff810e82a0>] ? bdi_start_fn+0x0/0x100
+ [<ffffffff8106522e>] kthread+0x8e/0xa0
+ [<ffffffff81039274>] ? finish_task_switch+0x54/0xc0
+ [<ffffffff81003334>] kernel_thread_helper+0x4/0x10
+ [<ffffffff810651a0>] ? kthread+0x0/0xa0
+ [<ffffffff81003330>] ? kernel_thread_helper+0x0/0x10
+
+ The above trace was triggered by
+ "dd if=/dev/zero of=/dev/sr0 bs=2048 count=32768"
+
+Signed-off-by: Shan Hai <shan.hai@windriver.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4110,6 +4110,7 @@ static const struct ata_blacklist_entry
+ { "TORiSAN DVD-ROM DRD-N216", NULL, ATA_HORKAGE_MAX_SEC_128 },
+ { "QUANTUM DAT DAT72-000", NULL, ATA_HORKAGE_ATAPI_MOD16_DMA },
+ { "Slimtype DVD A DS8A8SH", NULL, ATA_HORKAGE_MAX_SEC_LBA48 },
++ { "Slimtype DVD A DS8A9SH", NULL, ATA_HORKAGE_MAX_SEC_LBA48 },
+
+ /* Devices we expect to fail diagnostics */
+
--- /dev/null
+From d535922691fc026479fcc03e78ac3d931a54e75a Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 7 Nov 2013 10:50:19 +0300
+Subject: gpio: mvebu: make mvchip->irqbase signed for error handling
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit d535922691fc026479fcc03e78ac3d931a54e75a upstream.
+
+There is a bug in mvebu_gpio_probe() where we do:
+
+ mvchip->irqbase = irq_alloc_descs(-1, 0, ngpios, -1);
+ if (mvchip->irqbase < 0) {
+
+The problem is that mvchip->irqbase is unsigned so the error handling
+doesn't work. I have changed it to be a regular int.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpio-mvebu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-mvebu.c
++++ b/drivers/gpio/gpio-mvebu.c
+@@ -79,7 +79,7 @@ struct mvebu_gpio_chip {
+ spinlock_t lock;
+ void __iomem *membase;
+ void __iomem *percpu_membase;
+- unsigned int irqbase;
++ int irqbase;
+ struct irq_domain *domain;
+ int soc_variant;
+ };
--- /dev/null
+From 0c8aab8e65e450f2bfea494c1b6a86ded653f88c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 7 Nov 2013 10:56:51 +0300
+Subject: gpio: rcar: NULL dereference on error in probe()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 0c8aab8e65e450f2bfea494c1b6a86ded653f88c upstream.
+
+It's not obvious from the label name but "err1" tries to release
+"p->irq_domain" which leads to a NULL dereference.
+
+Fixes: 119f5e448d32 ('gpio: Renesas R-Car GPIO driver V3')
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Magnus Damm <damm@opensource.se>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpio-rcar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-rcar.c
++++ b/drivers/gpio/gpio-rcar.c
+@@ -329,7 +329,7 @@ static int gpio_rcar_probe(struct platfo
+ if (!p->irq_domain) {
+ ret = -ENXIO;
+ dev_err(&pdev->dev, "cannot initialize irq domain\n");
+- goto err1;
++ goto err0;
+ }
+
+ if (devm_request_irq(&pdev->dev, irq->start,
--- /dev/null
+From 0b2aa8bed3e13892fcac77e4f50ec6e80125469d Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Mon, 18 Nov 2013 15:22:49 -0800
+Subject: gpio: twl4030: Fix regression for twl gpio output
+
+From: Tony Lindgren <tony@atomide.com>
+
+commit 0b2aa8bed3e13892fcac77e4f50ec6e80125469d upstream.
+
+Commit c111feabe2e2 (gpio: twl4030: Cache the direction and output
+states in private data) improved things in general, but caused a
+regression for setting the GPIO output direction.
+
+The change reorganized twl_direction_out() and twl_set() and swapped
+the function names around in the process. While doing that, a bug got
+introduced that's not obvious while reading the patch as it appears
+as no change to the code.
+
+The bug is we now call function twl4030_set_gpio_dataout() twice in
+both twl_direction_out() and twl_set(). Instead, we should first
+call twl_direction_out() in twl_direction_out() followed by
+twl4030_set_gpio_dataout() in twl_set().
+
+This regression probably has gone unnoticed for a long time as the
+bootloader may have set the GPIO direction properly in many cases.
+This fixes at least the LCD panel not turning on omap3 LDP for
+example.
+
+Cc: linux-gpio@vger.kernel.org
+Reviewed-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Acked-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpio-twl4030.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpio/gpio-twl4030.c
++++ b/drivers/gpio/gpio-twl4030.c
+@@ -354,17 +354,18 @@ static void twl_set(struct gpio_chip *ch
+ static int twl_direction_out(struct gpio_chip *chip, unsigned offset, int value)
+ {
+ struct gpio_twl4030_priv *priv = to_gpio_twl4030(chip);
++ int ret = -EINVAL;
+
+ mutex_lock(&priv->mutex);
+ if (offset < TWL4030_GPIO_MAX)
+- twl4030_set_gpio_dataout(offset, value);
++ ret = twl4030_set_gpio_direction(offset, 0);
+
+ priv->direction |= BIT(offset);
+ mutex_unlock(&priv->mutex);
+
+ twl_set(chip, offset, value);
+
+- return 0;
++ return ret;
+ }
+
+ static int twl_to_irq(struct gpio_chip *chip, unsigned offset)
--- /dev/null
+From 250ad590d6f12d93f4d85be305b0a598d609232e Mon Sep 17 00:00:00 2001
+From: Ionut Nicu <ioan.nicu.ext@nsn.com>
+Date: Fri, 11 Oct 2013 14:17:10 +0200
+Subject: i2c: mux: gpio: use gpio_set_value_cansleep()
+
+From: Ionut Nicu <ioan.nicu.ext@nsn.com>
+
+commit 250ad590d6f12d93f4d85be305b0a598d609232e upstream.
+
+Some gpio chips may have get/set operations that
+can sleep. gpio_set_value() only works for chips
+which do not sleep, for the others we will get a
+kernel warning. Using gpio_set_value_cansleep()
+will work for both chips that do sleep and those
+who don't.
+
+Signed-off-by: Ionut Nicu <ioan.nicu.ext@nsn.com>
+Acked-by: Peter Korsgaard <peter.korsgaard@barco.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/muxes/i2c-mux-gpio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/muxes/i2c-mux-gpio.c
++++ b/drivers/i2c/muxes/i2c-mux-gpio.c
+@@ -31,8 +31,8 @@ static void i2c_mux_gpio_set(const struc
+ int i;
+
+ for (i = 0; i < mux->data.n_gpios; i++)
+- gpio_set_value(mux->gpio_base + mux->data.gpios[i],
+- val & (1 << i));
++ gpio_set_value_cansleep(mux->gpio_base + mux->data.gpios[i],
++ val & (1 << i));
+ }
+
+ static int i2c_mux_gpio_select(struct i2c_adapter *adap, void *data, u32 chan)
--- /dev/null
+From 8c0ec2500eeb89749341884a972860d7f9e56f9c Mon Sep 17 00:00:00 2001
+From: Ionut Nicu <ioan.nicu.ext@nsn.com>
+Date: Fri, 11 Oct 2013 12:09:57 +0200
+Subject: i2c: mux: gpio: use reg value for i2c_add_mux_adapter
+
+From: Ionut Nicu <ioan.nicu.ext@nsn.com>
+
+commit 8c0ec2500eeb89749341884a972860d7f9e56f9c upstream.
+
+The i2c-mux driver requires that the chan_id parameter
+passed to the i2c_add_mux_adapter() function is equal
+to the reg value for that adapter:
+
+for_each_child_of_node(mux_dev->of_node, child) {
+ ret = of_property_read_u32(child, "reg", ®);
+ if (ret)
+ continue;
+ if (chan_id == reg) {
+ priv->adap.dev.of_node = child;
+ break;
+ }
+}
+
+The i2c-mux-gpio driver uses an internal logical index
+for chan_id when calling i2c_add_mux_adapter() instead
+of using the reg value.
+
+Because of this, there will problems in selecting the
+right adapter when the i2c-mux-gpio's index into
+mux->data.values doesn't match the reg value.
+
+An example of such a case:
+
+mux->data.values = { 1, 0 }
+
+For chan_id = 0, i2c-mux will bind the adapter to the
+of_node with reg = <0>, but when it will call the
+select() callback with chan_id set to 0, the i2c-mux-gpio
+will use it as an index into mux->data.values and it will
+actually select the bus with reg = <1>.
+
+Signed-off-by: Ionut Nicu <ioan.nicu.ext@nsn.com>
+Acked-by: Alexander Sverdlin <alexander.sverdlin@nsn.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/muxes/i2c-mux-gpio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/muxes/i2c-mux-gpio.c
++++ b/drivers/i2c/muxes/i2c-mux-gpio.c
+@@ -39,7 +39,7 @@ static int i2c_mux_gpio_select(struct i2
+ {
+ struct gpiomux *mux = data;
+
+- i2c_mux_gpio_set(mux, mux->data.values[chan]);
++ i2c_mux_gpio_set(mux, chan);
+
+ return 0;
+ }
+@@ -223,7 +223,7 @@ static int i2c_mux_gpio_probe(struct pla
+ unsigned int class = mux->data.classes ? mux->data.classes[i] : 0;
+
+ mux->adap[i] = i2c_add_mux_adapter(parent, &pdev->dev, mux, nr,
+- i, class,
++ mux->data.values[i], class,
+ i2c_mux_gpio_select, deselect);
+ if (!mux->adap[i]) {
+ ret = -ENODEV;
--- /dev/null
+From 3e85c3ecbc520751324a191d23bb94873ed01b10 Mon Sep 17 00:00:00 2001
+From: Gwendal Grignou <gwendal@google.com>
+Date: Fri, 25 Oct 2013 16:28:57 -0700
+Subject: libata: Fix display of sata speed
+
+From: Gwendal Grignou <gwendal@google.com>
+
+commit 3e85c3ecbc520751324a191d23bb94873ed01b10 upstream.
+
+6.0 Gbps link speed was not decoded properly:
+speed was reported at 3.0 Gbps only.
+
+Tested: On a machine where libata reports 6.0 Gbps in
+ /var/log/messages:
+ ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
+
+ Before:
+ cat /sys/class/ata_link/link1/sata_spd
+ 3.0 Gbps
+ After:
+ cat /sys/class/ata_link/link1/sata_spd
+ 6.0 Gbps
+
+Signed-off-by: Gwendal Grignou <gwendal@google.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-transport.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/ata/libata-transport.c
++++ b/drivers/ata/libata-transport.c
+@@ -319,25 +319,25 @@ int ata_tport_add(struct device *parent,
+ /*
+ * ATA link attributes
+ */
++static int noop(int x) { return x; }
+
+-
+-#define ata_link_show_linkspeed(field) \
++#define ata_link_show_linkspeed(field, format) \
+ static ssize_t \
+ show_ata_link_##field(struct device *dev, \
+ struct device_attribute *attr, char *buf) \
+ { \
+ struct ata_link *link = transport_class_to_link(dev); \
+ \
+- return sprintf(buf,"%s\n", sata_spd_string(fls(link->field))); \
++ return sprintf(buf, "%s\n", sata_spd_string(format(link->field))); \
+ }
+
+-#define ata_link_linkspeed_attr(field) \
+- ata_link_show_linkspeed(field) \
++#define ata_link_linkspeed_attr(field, format) \
++ ata_link_show_linkspeed(field, format) \
+ static DEVICE_ATTR(field, S_IRUGO, show_ata_link_##field, NULL)
+
+-ata_link_linkspeed_attr(hw_sata_spd_limit);
+-ata_link_linkspeed_attr(sata_spd_limit);
+-ata_link_linkspeed_attr(sata_spd);
++ata_link_linkspeed_attr(hw_sata_spd_limit, fls);
++ata_link_linkspeed_attr(sata_spd_limit, fls);
++ata_link_linkspeed_attr(sata_spd, noop);
+
+
+ static DECLARE_TRANSPORT_CLASS(ata_link_class,
--- /dev/null
+From 38c7937379276a5ea8c54481205003af2f2b5694 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Mon, 14 Oct 2013 21:04:13 +0200
+Subject: parisc: break out SOCK_NONBLOCK define to own asm header file
+
+From: Helge Deller <deller@gmx.de>
+
+commit 38c7937379276a5ea8c54481205003af2f2b5694 upstream.
+
+Break SOCK_NONBLOCK out to its own asm-file as other arches do. This
+fixes build errors with auditd and probably other packages.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/asm/socket.h | 11 +++++++++++
+ arch/parisc/include/uapi/asm/socket.h | 11 +++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+--- /dev/null
++++ b/arch/parisc/include/asm/socket.h
+@@ -0,0 +1,11 @@
++#ifndef _ASM_SOCKET_H
++#define _ASM_SOCKET_H
++
++#include <uapi/asm/socket.h>
++
++/* O_NONBLOCK clashes with the bits used for socket types. Therefore we
++ * have to define SOCK_NONBLOCK to a different value here.
++ */
++#define SOCK_NONBLOCK 0x40000000
++
++#endif /* _ASM_SOCKET_H */
+--- a/arch/parisc/include/uapi/asm/socket.h
++++ b/arch/parisc/include/uapi/asm/socket.h
+@@ -1,5 +1,5 @@
+-#ifndef _ASM_SOCKET_H
+-#define _ASM_SOCKET_H
++#ifndef _UAPI_ASM_SOCKET_H
++#define _UAPI_ASM_SOCKET_H
+
+ #include <asm/sockios.h>
+
+@@ -73,9 +73,4 @@
+
+ #define SO_SELECT_ERR_QUEUE 0x4026
+
+-/* O_NONBLOCK clashes with the bits used for socket types. Therefore we
+- * have to define SOCK_NONBLOCK to a different value here.
+- */
+-#define SOCK_NONBLOCK 0x40000000
+-
+-#endif /* _ASM_SOCKET_H */
++#endif /* _UAPI_ASM_SOCKET_H */
alarmtimer-return-einval-instead-of-enotsupp-if-rtcdev-doesn-t-exist.patch
pinctrl-dove-unset-twsi-option3-for-gconfig-as-well.patch
devpts-plug-the-memory-leak-in-kill_sb.patch
+parisc-break-out-sock_nonblock-define-to-own-asm-header-file.patch
+can-flexcan-fix-flexcan_chip_start-on-imx6.patch
+i2c-mux-gpio-use-reg-value-for-i2c_add_mux_adapter.patch
+i2c-mux-gpio-use-gpio_set_value_cansleep.patch
+arm-dts-add-max77686-rtc-interrupt-to-cros5250-common.patch
+arm-bcm2835-add-missing-xxx-cells-to-i2c-nodes.patch
+gpio-twl4030-fix-regression-for-twl-gpio-output.patch
+gpio-mvebu-make-mvchip-irqbase-signed-for-error-handling.patch
+gpio-rcar-null-dereference-on-error-in-probe.patch
+libata-fix-display-of-sata-speed.patch
+drivers-libata-set-max-sector-to-65535-for-slimtype-dvd-a-ds8a9sh-drive.patch
+vsprintf-check-real-user-group-id-for-pk.patch
--- /dev/null
+From 312b4e226951f707e120b95b118cbc14f3d162b2 Mon Sep 17 00:00:00 2001
+From: Ryan Mallon <rmallon@gmail.com>
+Date: Tue, 12 Nov 2013 15:08:51 -0800
+Subject: vsprintf: check real user/group id for %pK
+
+From: Ryan Mallon <rmallon@gmail.com>
+
+commit 312b4e226951f707e120b95b118cbc14f3d162b2 upstream.
+
+Some setuid binaries will allow reading of files which have read
+permission by the real user id. This is problematic with files which
+use %pK because the file access permission is checked at open() time,
+but the kptr_restrict setting is checked at read() time. If a setuid
+binary opens a %pK file as an unprivileged user, and then elevates
+permissions before reading the file, then kernel pointer values may be
+leaked.
+
+This happens for example with the setuid pppd application on Ubuntu 12.04:
+
+ $ head -1 /proc/kallsyms
+ 00000000 T startup_32
+
+ $ pppd file /proc/kallsyms
+ pppd: In file /proc/kallsyms: unrecognized option 'c1000000'
+
+This will only leak the pointer value from the first line, but other
+setuid binaries may leak more information.
+
+Fix this by adding a check that in addition to the current process having
+CAP_SYSLOG, that effective user and group ids are equal to the real ids.
+If a setuid binary reads the contents of a file which uses %pK then the
+pointer values will be printed as NULL if the real user is unprivileged.
+
+Update the sysctl documentation to reflect the changes, and also correct
+the documentation to state the kptr_restrict=0 is the default.
+
+This is a only temporary solution to the issue. The correct solution is
+to do the permission check at open() time on files, and to replace %pK
+with a function which checks the open() time permission. %pK uses in
+printk should be removed since no sane permission check can be done, and
+instead protected by using dmesg_restrict.
+
+Signed-off-by: Ryan Mallon <rmallon@gmail.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Joe Perches <joe@perches.com>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/sysctl/kernel.txt | 25 ++++++++++++++++++-------
+ lib/vsprintf.c | 33 ++++++++++++++++++++++++++++++---
+ 2 files changed, 48 insertions(+), 10 deletions(-)
+
+--- a/Documentation/sysctl/kernel.txt
++++ b/Documentation/sysctl/kernel.txt
+@@ -289,13 +289,24 @@ Default value is "/sbin/hotplug".
+ kptr_restrict:
+
+ This toggle indicates whether restrictions are placed on
+-exposing kernel addresses via /proc and other interfaces. When
+-kptr_restrict is set to (0), there are no restrictions. When
+-kptr_restrict is set to (1), the default, kernel pointers
+-printed using the %pK format specifier will be replaced with 0's
+-unless the user has CAP_SYSLOG. When kptr_restrict is set to
+-(2), kernel pointers printed using %pK will be replaced with 0's
+-regardless of privileges.
++exposing kernel addresses via /proc and other interfaces.
++
++When kptr_restrict is set to (0), the default, there are no restrictions.
++
++When kptr_restrict is set to (1), kernel pointers printed using the %pK
++format specifier will be replaced with 0's unless the user has CAP_SYSLOG
++and effective user and group ids are equal to the real ids. This is
++because %pK checks are done at read() time rather than open() time, so
++if permissions are elevated between the open() and the read() (e.g via
++a setuid binary) then %pK will not leak kernel pointers to unprivileged
++users. Note, this is a temporary solution only. The correct long-term
++solution is to do the permission checks at open() time. Consider removing
++world read permissions from files that use %pK, and using dmesg_restrict
++to protect against uses of %pK in dmesg(8) if leaking kernel pointer
++values to unprivileged users is a concern.
++
++When kptr_restrict is set to (2), kernel pointers printed using
++%pK will be replaced with 0's regardless of privileges.
+
+ ==============================================================
+
+--- a/lib/vsprintf.c
++++ b/lib/vsprintf.c
+@@ -26,6 +26,7 @@
+ #include <linux/math64.h>
+ #include <linux/uaccess.h>
+ #include <linux/ioport.h>
++#include <linux/cred.h>
+ #include <net/addrconf.h>
+
+ #include <asm/page.h> /* for PAGE_SIZE */
+@@ -1118,11 +1119,37 @@ char *pointer(const char *fmt, char *buf
+ spec.field_width = default_width;
+ return string(buf, end, "pK-error", spec);
+ }
+- if (!((kptr_restrict == 0) ||
+- (kptr_restrict == 1 &&
+- has_capability_noaudit(current, CAP_SYSLOG))))
++
++ switch (kptr_restrict) {
++ case 0:
++ /* Always print %pK values */
++ break;
++ case 1: {
++ /*
++ * Only print the real pointer value if the current
++ * process has CAP_SYSLOG and is running with the
++ * same credentials it started with. This is because
++ * access to files is checked at open() time, but %pK
++ * checks permission at read() time. We don't want to
++ * leak pointer values if a binary opens a file using
++ * %pK and then elevates privileges before reading it.
++ */
++ const struct cred *cred = current_cred();
++
++ if (!has_capability_noaudit(current, CAP_SYSLOG) ||
++ !uid_eq(cred->euid, cred->uid) ||
++ !gid_eq(cred->egid, cred->gid))
++ ptr = NULL;
++ break;
++ }
++ case 2:
++ default:
++ /* Always print 0's for %pK */
+ ptr = NULL;
++ break;
++ }
+ break;
++
+ case 'N':
+ switch (fmt[1]) {
+ case 'F':
projects / thirdparty / kernel / stable-queue.git / commitdiff
