--- /dev/null
+From 06f34e1c28f3608b0ce5b310e41102d3fe7b65a1 Mon Sep 17 00:00:00 2001
+From: Alexey Brodkin <abrodkin@synopsys.com>
+Date: Thu, 12 Feb 2015 21:10:11 +0300
+Subject: ARC: fix page address calculation if PAGE_OFFSET != LINUX_LINK_BASE
+
+From: Alexey Brodkin <abrodkin@synopsys.com>
+
+commit 06f34e1c28f3608b0ce5b310e41102d3fe7b65a1 upstream.
+
+We used to calculate page address differently in 2 cases:
+
+1. In virt_to_page(x) we do
+ --->8---
+ mem_map + (x - CONFIG_LINUX_LINK_BASE) >> PAGE_SHIFT
+ --->8---
+
+2. In in pte_page(x) we do
+ --->8---
+ mem_map + (pte_val(x) - PAGE_OFFSET) >> PAGE_SHIFT
+ --->8---
+
+That leads to problems in case PAGE_OFFSET != CONFIG_LINUX_LINK_BASE -
+different pages will be selected depending on where and how we calculate
+page address.
+
+In particular in the STAR 9000853582 when gdb attempted to read memory
+of another process it got improper page in get_user_pages() because this
+is exactly one of the places where we search for a page by pte_page().
+
+The fix is trivial - we need to calculate page address similarly in both
+cases.
+
+Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/pgtable.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arc/include/asm/pgtable.h
++++ b/arch/arc/include/asm/pgtable.h
+@@ -259,7 +259,8 @@ static inline void pmd_set(pmd_t *pmdp,
+ #define pmd_clear(xp) do { pmd_val(*(xp)) = 0; } while (0)
+
+ #define pte_page(x) (mem_map + \
+- (unsigned long)(((pte_val(x) - PAGE_OFFSET) >> PAGE_SHIFT)))
++ (unsigned long)(((pte_val(x) - CONFIG_LINUX_LINK_BASE) >> \
++ PAGE_SHIFT)))
+
+ #define mk_pte(page, pgprot) \
+ ({ \
--- /dev/null
+From ff34cae5b4fc7a84113d7c7e8611ba87a7c31dba Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 23 Jan 2015 20:59:10 +0100
+Subject: ARM: BCM: put back ARCH_MULTI_V7 dependency for mobile
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit ff34cae5b4fc7a84113d7c7e8611ba87a7c31dba upstream.
+
+A recent cleanup rearranged the Kconfig file for mach-bcm and
+accidentally dropped the dependency on ARCH_MULTI_V7, which
+makes it possible to now build the two mobile SoC platforms
+on an ARMv6-only kernel, resulting in a log of Kconfig
+warnings like
+
+warning: ARCH_BCM_MOBILE selects ARM_ERRATA_775420 which has unmet direct dependencies (CPU_V7)
+
+and which of course cannot work on any machine.
+
+This puts back the dependencies as before.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Fixes: 64e74aa788f99 ("ARM: mach-bcm: ARCH_BCM_MOBILE: remove one level of menu from Kconfig")
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Acked-by: Scott Branden <sbranden@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-bcm/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mach-bcm/Kconfig
++++ b/arch/arm/mach-bcm/Kconfig
+@@ -68,7 +68,7 @@ config ARCH_BCM_MOBILE
+ This enables support for systems based on Broadcom mobile SoCs.
+
+ config ARCH_BCM_281XX
+- bool "Broadcom BCM281XX SoC family"
++ bool "Broadcom BCM281XX SoC family" if ARCH_MULTI_V7
+ select ARCH_BCM_MOBILE
+ select HAVE_SMP
+ help
+@@ -77,7 +77,7 @@ config ARCH_BCM_281XX
+ variants.
+
+ config ARCH_BCM_21664
+- bool "Broadcom BCM21664 SoC family"
++ bool "Broadcom BCM21664 SoC family" if ARCH_MULTI_V7
+ select ARCH_BCM_MOBILE
+ select HAVE_SMP
+ help
--- /dev/null
+From a1ad3b94a7661b643fef2efbc6fc217bd148f462 Mon Sep 17 00:00:00 2001
+From: Brian Norris <computersforpeace@gmail.com>
+Date: Tue, 16 Dec 2014 19:13:50 -0800
+Subject: ARM: brcmstb: update CPU power management sequence
+
+From: Brian Norris <computersforpeace@gmail.com>
+
+commit a1ad3b94a7661b643fef2efbc6fc217bd148f462 upstream.
+
+The automatic CPU power state machine for B15 CPUs does not work
+reliably as-is. This patch implements a manual sequence in software to
+replace it.
+
+This was tested successfully with over 10,000 hotplug cycles of
+something like this:
+
+ echo 0 > /sys/devices/system/cpu/cpu1/online
+ echo 1 > /sys/devices/system/cpu/cpu1/online
+
+whereas the existing sequence often locks up after a few hundred cycles.
+
+Fixes: 62639c2f5332 ("ARM: brcmstb: reintroduce SMP support")
+Acked-by: Gregory Fong <gregory.0xf0@gmail.com>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-bcm/platsmp-brcmstb.c | 87 ++++++++++++++++++++++++++----------
+ 1 file changed, 64 insertions(+), 23 deletions(-)
+
+--- a/arch/arm/mach-bcm/platsmp-brcmstb.c
++++ b/arch/arm/mach-bcm/platsmp-brcmstb.c
+@@ -17,6 +17,7 @@
+ #include <linux/errno.h>
+ #include <linux/init.h>
+ #include <linux/io.h>
++#include <linux/jiffies.h>
+ #include <linux/of_address.h>
+ #include <linux/of_platform.h>
+ #include <linux/printk.h>
+@@ -94,10 +95,35 @@ static u32 pwr_ctrl_rd(u32 cpu)
+ return readl_relaxed(base);
+ }
+
+-static void pwr_ctrl_wr(u32 cpu, u32 val)
++static void pwr_ctrl_set(unsigned int cpu, u32 val, u32 mask)
+ {
+ void __iomem *base = pwr_ctrl_get_base(cpu);
+- writel(val, base);
++ writel((readl(base) & mask) | val, base);
++}
++
++static void pwr_ctrl_clr(unsigned int cpu, u32 val, u32 mask)
++{
++ void __iomem *base = pwr_ctrl_get_base(cpu);
++ writel((readl(base) & mask) & ~val, base);
++}
++
++#define POLL_TMOUT_MS 500
++static int pwr_ctrl_wait_tmout(unsigned int cpu, u32 set, u32 mask)
++{
++ const unsigned long timeo = jiffies + msecs_to_jiffies(POLL_TMOUT_MS);
++ u32 tmp;
++
++ do {
++ tmp = pwr_ctrl_rd(cpu) & mask;
++ if (!set == !tmp)
++ return 0;
++ } while (time_before(jiffies, timeo));
++
++ tmp = pwr_ctrl_rd(cpu) & mask;
++ if (!set == !tmp)
++ return 0;
++
++ return -ETIMEDOUT;
+ }
+
+ static void cpu_rst_cfg_set(u32 cpu, int set)
+@@ -139,15 +165,22 @@ static void brcmstb_cpu_power_on(u32 cpu
+ * The secondary cores power was cut, so we must go through
+ * power-on initialization.
+ */
+- u32 tmp;
++ pwr_ctrl_set(cpu, ZONE_MAN_ISO_CNTL_MASK, 0xffffff00);
++ pwr_ctrl_set(cpu, ZONE_MANUAL_CONTROL_MASK, -1);
++ pwr_ctrl_set(cpu, ZONE_RESERVED_1_MASK, -1);
+
+- /* Request zone power up */
+- pwr_ctrl_wr(cpu, ZONE_PWR_UP_REQ_MASK);
++ pwr_ctrl_set(cpu, ZONE_MAN_MEM_PWR_MASK, -1);
+
+- /* Wait for the power up FSM to complete */
+- do {
+- tmp = pwr_ctrl_rd(cpu);
+- } while (!(tmp & ZONE_PWR_ON_STATE_MASK));
++ if (pwr_ctrl_wait_tmout(cpu, 1, ZONE_MEM_PWR_STATE_MASK))
++ panic("ZONE_MEM_PWR_STATE_MASK set timeout");
++
++ pwr_ctrl_set(cpu, ZONE_MAN_CLKEN_MASK, -1);
++
++ if (pwr_ctrl_wait_tmout(cpu, 1, ZONE_DPG_PWR_STATE_MASK))
++ panic("ZONE_DPG_PWR_STATE_MASK set timeout");
++
++ pwr_ctrl_clr(cpu, ZONE_MAN_ISO_CNTL_MASK, -1);
++ pwr_ctrl_set(cpu, ZONE_MAN_RESET_CNTL_MASK, -1);
+ }
+
+ static int brcmstb_cpu_get_power_state(u32 cpu)
+@@ -174,25 +207,33 @@ static void brcmstb_cpu_die(u32 cpu)
+
+ static int brcmstb_cpu_kill(u32 cpu)
+ {
+- u32 tmp;
++ /*
++ * Ordinarily, the hardware forbids power-down of CPU0 (which is good
++ * because it is the boot CPU), but this is not true when using BPCM
++ * manual mode. Consequently, we must avoid turning off CPU0 here to
++ * ensure that TI2C master reset will work.
++ */
++ if (cpu == 0) {
++ pr_warn("SMP: refusing to power off CPU0\n");
++ return 1;
++ }
+
+ while (per_cpu_sw_state_rd(cpu))
+ ;
+
+- /* Program zone reset */
+- pwr_ctrl_wr(cpu, ZONE_RESET_STATE_MASK | ZONE_BLK_RST_ASSERT_MASK |
+- ZONE_PWR_DN_REQ_MASK);
+-
+- /* Verify zone reset */
+- tmp = pwr_ctrl_rd(cpu);
+- if (!(tmp & ZONE_RESET_STATE_MASK))
+- pr_err("%s: Zone reset bit for CPU %d not asserted!\n",
+- __func__, cpu);
++ pwr_ctrl_set(cpu, ZONE_MANUAL_CONTROL_MASK, -1);
++ pwr_ctrl_clr(cpu, ZONE_MAN_RESET_CNTL_MASK, -1);
++ pwr_ctrl_clr(cpu, ZONE_MAN_CLKEN_MASK, -1);
++ pwr_ctrl_set(cpu, ZONE_MAN_ISO_CNTL_MASK, -1);
++ pwr_ctrl_clr(cpu, ZONE_MAN_MEM_PWR_MASK, -1);
+
+- /* Wait for power down */
+- do {
+- tmp = pwr_ctrl_rd(cpu);
+- } while (!(tmp & ZONE_PWR_OFF_STATE_MASK));
++ if (pwr_ctrl_wait_tmout(cpu, 0, ZONE_MEM_PWR_STATE_MASK))
++ panic("ZONE_MEM_PWR_STATE_MASK clear timeout");
++
++ pwr_ctrl_clr(cpu, ZONE_RESERVED_1_MASK, -1);
++
++ if (pwr_ctrl_wait_tmout(cpu, 0, ZONE_DPG_PWR_STATE_MASK))
++ panic("ZONE_DPG_PWR_STATE_MASK clear timeout");
+
+ /* Flush pipeline before resetting CPU */
+ mb();
--- /dev/null
+From 165235180ff61f0012ea68a299e46daec43dcaa7 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 2 Feb 2015 15:27:16 +0100
+Subject: ARM: mvebu: build armada375-smp code conditionally
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 165235180ff61f0012ea68a299e46daec43dcaa7 upstream.
+
+mvebu_armada375_smp_wa_init is only used on armada 375 but is defined
+for all mvebu machines. As it calls a function that is only provided
+sometimes, this can result in a link error:
+
+arch/arm/mach-mvebu/built-in.o: In function `mvebu_armada375_smp_wa_init':
+:(.text+0x228): undefined reference to `mvebu_setup_boot_addr_wa'
+
+To solve this, we can just change the existing #ifdef around the
+function to also check for Armada375 SMP platforms.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Fixes: 305969fb6292 ("ARM: mvebu: use the common function for Armada 375 SMP workaround")
+Cc: Andrew Lunn <andrew@lunn.ch>
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Gregory Clement <gregory.clement@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-mvebu/system-controller.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/mach-mvebu/system-controller.c
++++ b/arch/arm/mach-mvebu/system-controller.c
+@@ -126,7 +126,7 @@ int mvebu_system_controller_get_soc_id(u
+ return -ENODEV;
+ }
+
+-#ifdef CONFIG_SMP
++#if defined(CONFIG_SMP) && defined(CONFIG_MACH_MVEBU_V7)
+ void mvebu_armada375_smp_wa_init(void)
+ {
+ u32 dev, rev;
--- /dev/null
+From 271e80176aae4e5b481f4bb92df9768c6075bbca Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Date: Thu, 4 Dec 2014 14:10:00 +0300
+Subject: ARM: pxa: add regulator_has_full_constraints to corgi board file
+
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+
+commit 271e80176aae4e5b481f4bb92df9768c6075bbca upstream.
+
+Add regulator_has_full_constraints() call to corgi board file to let
+regulator core know that we do not have any additional regulators left.
+This lets it substitute unprovided regulators with dummy ones.
+
+This fixes the following warnings that can be seen on corgi if
+regulators are enabled:
+
+ads7846 spi1.0: unable to get regulator: -517
+spi spi1.0: Driver ads7846 requests probe deferral
+wm8731 0-001b: Failed to get supply 'AVDD': -517
+wm8731 0-001b: Failed to request supplies: -517
+wm8731 0-001b: ASoC: failed to probe component -517
+corgi-audio corgi-audio: ASoC: failed to instantiate card -517
+
+Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Acked-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-pxa/corgi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm/mach-pxa/corgi.c
++++ b/arch/arm/mach-pxa/corgi.c
+@@ -26,6 +26,7 @@
+ #include <linux/i2c.h>
+ #include <linux/i2c/pxa-i2c.h>
+ #include <linux/io.h>
++#include <linux/regulator/machine.h>
+ #include <linux/spi/spi.h>
+ #include <linux/spi/ads7846.h>
+ #include <linux/spi/corgi_lcd.h>
+@@ -752,6 +753,8 @@ static void __init corgi_init(void)
+ sharpsl_nand_partitions[1].size = 53 * 1024 * 1024;
+
+ platform_add_devices(devices, ARRAY_SIZE(devices));
++
++ regulator_has_full_constraints();
+ }
+
+ static void __init fixup_corgi(struct tag *tags, char **cmdline)
--- /dev/null
+From 9bc78f32c2e430aebf6def965b316aa95e37a20c Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Date: Thu, 4 Dec 2014 14:10:01 +0300
+Subject: ARM: pxa: add regulator_has_full_constraints to poodle board file
+
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+
+commit 9bc78f32c2e430aebf6def965b316aa95e37a20c upstream.
+
+Add regulator_has_full_constraints() call to poodle board file to let
+regulator core know that we do not have any additional regulators left.
+This lets it substitute unprovided regulators with dummy ones.
+
+This fixes the following warnings that can be seen on poodle if
+regulators are enabled:
+
+ads7846 spi1.0: unable to get regulator: -517
+spi spi1.0: Driver ads7846 requests probe deferral
+wm8731 0-001b: Failed to get supply 'AVDD': -517
+wm8731 0-001b: Failed to request supplies: -517
+wm8731 0-001b: ASoC: failed to probe component -517
+
+Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Acked-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-pxa/poodle.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/mach-pxa/poodle.c
++++ b/arch/arm/mach-pxa/poodle.c
+@@ -25,6 +25,7 @@
+ #include <linux/gpio.h>
+ #include <linux/i2c.h>
+ #include <linux/i2c/pxa-i2c.h>
++#include <linux/regulator/machine.h>
+ #include <linux/spi/spi.h>
+ #include <linux/spi/ads7846.h>
+ #include <linux/spi/pxa2xx_spi.h>
+@@ -455,6 +456,7 @@ static void __init poodle_init(void)
+ pxa_set_i2c_info(NULL);
+ i2c_register_board_info(0, ARRAY_AND_SIZE(poodle_i2c_devices));
+ poodle_init_spi();
++ regulator_has_full_constraints();
+ }
+
+ static void __init fixup_poodle(struct tag *tags, char **cmdline)
--- /dev/null
+From baad2dc49c5d970ea881d92981a1b76c94a7b7a1 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Date: Thu, 4 Dec 2014 14:10:02 +0300
+Subject: ARM: pxa: add regulator_has_full_constraints to spitz board file
+
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+
+commit baad2dc49c5d970ea881d92981a1b76c94a7b7a1 upstream.
+
+Add regulator_has_full_constraints() call to spitz board file to let
+regulator core know that we do not have any additional regulators left.
+This lets it substitute unprovided regulators with dummy ones.
+
+This fixes the following warnings that can be seen on spitz if
+regulators are enabled:
+
+ads7846 spi2.0: unable to get regulator: -517
+spi spi2.0: Driver ads7846 requests probe deferral
+
+Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Acked-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-pxa/spitz.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/mach-pxa/spitz.c
++++ b/arch/arm/mach-pxa/spitz.c
+@@ -979,6 +979,8 @@ static void __init spitz_init(void)
+ spitz_nand_init();
+ spitz_i2c_init();
+ spitz_audio_init();
++
++ regulator_has_full_constraints();
+ }
+
+ static void __init spitz_fixup(struct tag *tags, char **cmdline)
--- /dev/null
+From 95fcedb027a27f32bf2434f9271635c380e57fb5 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 5 Feb 2015 13:42:43 +0100
+Subject: ARM: vexpress: use ARM_CPU_SUSPEND if needed
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 95fcedb027a27f32bf2434f9271635c380e57fb5 upstream.
+
+The vexpress tc2 power management code calls mcpm_loopback, which
+is only available if ARM_CPU_SUSPEND is enabled, otherwise we
+get a link error:
+
+arch/arm/mach-vexpress/built-in.o: In function `tc2_pm_init':
+arch/arm/mach-vexpress/tc2_pm.c:389: undefined reference to `mcpm_loopback'
+
+This explicitly selects ARM_CPU_SUSPEND like other platforms that
+need it.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Fixes: 3592d7e002438 ("ARM: 8082/1: TC2: test the MCPM loopback during boot")
+Acked-by: Nicolas Pitre <nico@linaro.org>
+Acked-by: Liviu Dudau <liviu.dudau@arm.com>
+Cc: Kevin Hilman <khilman@linaro.org>
+Cc: Sudeep Holla <sudeep.holla@arm.com>
+Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-vexpress/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/mach-vexpress/Kconfig
++++ b/arch/arm/mach-vexpress/Kconfig
+@@ -73,6 +73,7 @@ config ARCH_VEXPRESS_TC2_PM
+ depends on MCPM
+ select ARM_CCI
+ select ARCH_VEXPRESS_SPC
++ select ARM_CPU_SUSPEND
+ help
+ Support for CPU and cluster power management on Versatile Express
+ with a TC2 (A15x2 A7x3) big.LITTLE core tile.
--- /dev/null
+From 91117a20245b59f70b563523edbf998a62fc6383 Mon Sep 17 00:00:00 2001
+From: Matthew Wilcox <matthew.r.wilcox@intel.com>
+Date: Wed, 7 Jan 2015 18:04:18 +0200
+Subject: axonram: Fix bug in direct_access
+
+From: Matthew Wilcox <matthew.r.wilcox@intel.com>
+
+commit 91117a20245b59f70b563523edbf998a62fc6383 upstream.
+
+The 'pfn' returned by axonram was completely bogus, and has been since
+2008.
+
+Signed-off-by: Matthew Wilcox <matthew.r.wilcox@intel.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/sysdev/axonram.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/sysdev/axonram.c
++++ b/arch/powerpc/sysdev/axonram.c
+@@ -156,7 +156,7 @@ axon_ram_direct_access(struct block_devi
+ }
+
+ *kaddr = (void *)(bank->ph_addr + offset);
+- *pfn = virt_to_phys(kaddr) >> PAGE_SHIFT;
++ *pfn = virt_to_phys(*kaddr) >> PAGE_SHIFT;
+
+ return 0;
+ }
--- /dev/null
+From 7e860a6e7aa62b337a61110430cd633db5b0d2dd Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.de>
+Date: Wed, 28 Jan 2015 11:14:55 +0100
+Subject: cdc-acm: add sanity checks
+
+From: Oliver Neukum <oneukum@suse.de>
+
+commit 7e860a6e7aa62b337a61110430cd633db5b0d2dd upstream.
+
+Check the special CDC headers for a plausible minimum length.
+Another big operating systems ignores such garbage.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.de>
+Reviewed-by: Adam Lee <adam8157@gmail.com>
+Tested-by: Adam Lee <adam8157@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1091,6 +1091,7 @@ static int acm_probe(struct usb_interfac
+ unsigned long quirks;
+ int num_rx_buf;
+ int i;
++ unsigned int elength = 0;
+ int combined_interfaces = 0;
+ struct device *tty_dev;
+ int rv = -ENOMEM;
+@@ -1136,9 +1137,12 @@ static int acm_probe(struct usb_interfac
+ dev_err(&intf->dev, "skipping garbage\n");
+ goto next_desc;
+ }
++ elength = buffer[0];
+
+ switch (buffer[2]) {
+ case USB_CDC_UNION_TYPE: /* we've found it */
++ if (elength < sizeof(struct usb_cdc_union_desc))
++ goto next_desc;
+ if (union_header) {
+ dev_err(&intf->dev, "More than one "
+ "union descriptor, skipping ...\n");
+@@ -1147,29 +1151,36 @@ static int acm_probe(struct usb_interfac
+ union_header = (struct usb_cdc_union_desc *)buffer;
+ break;
+ case USB_CDC_COUNTRY_TYPE: /* export through sysfs*/
++ if (elength < sizeof(struct usb_cdc_country_functional_desc))
++ goto next_desc;
+ cfd = (struct usb_cdc_country_functional_desc *)buffer;
+ break;
+ case USB_CDC_HEADER_TYPE: /* maybe check version */
+ break; /* for now we ignore it */
+ case USB_CDC_ACM_TYPE:
++ if (elength < 4)
++ goto next_desc;
+ ac_management_function = buffer[3];
+ break;
+ case USB_CDC_CALL_MANAGEMENT_TYPE:
++ if (elength < 5)
++ goto next_desc;
+ call_management_function = buffer[3];
+ call_interface_num = buffer[4];
+ break;
+ default:
+- /* there are LOTS more CDC descriptors that
++ /*
++ * there are LOTS more CDC descriptors that
+ * could legitimately be found here.
+ */
+ dev_dbg(&intf->dev, "Ignoring descriptor: "
+- "type %02x, length %d\n",
+- buffer[2], buffer[0]);
++ "type %02x, length %ud\n",
++ buffer[2], elength);
+ break;
+ }
+ next_desc:
+- buflen -= buffer[0];
+- buffer += buffer[0];
++ buflen -= elength;
++ buffer += elength;
+ }
+
+ if (!union_header) {
--- /dev/null
+From f7d4ca8bbfda23b4f1eae9b6757ff64166b093d5 Mon Sep 17 00:00:00 2001
+From: Daniel Thompson <daniel.thompson@linaro.org>
+Date: Fri, 7 Nov 2014 18:37:57 +0000
+Subject: kdb: Avoid printing KERN_ levels to consoles
+
+From: Daniel Thompson <daniel.thompson@linaro.org>
+
+commit f7d4ca8bbfda23b4f1eae9b6757ff64166b093d5 upstream.
+
+Currently when kdb traps printk messages then the raw log level prefix
+(consisting of '\001' followed by a numeral) does not get stripped off
+before the message is issued to the various I/O handlers supported by
+kdb. This causes annoying visual noise as well as causing problems
+grepping for ^. It is also a change of behaviour compared to normal usage
+of printk() usage. For example <SysRq>-h ends up with different output to
+that of kdb's "sr h".
+
+This patch addresses the problem by stripping log levels from messages
+before they are issued to the I/O handlers. printk() which can also
+act as an i/o handler in some cases is special cased; if the caller
+provided a log level then the prefix will be preserved when sent to
+printk().
+
+The addition of non-printable characters to the output of kdb commands is a
+regression, albeit and extremely elderly one, introduced by commit
+04d2c8c83d0e ("printk: convert the format for KERN_<LEVEL> to a 2 byte
+pattern"). Note also that this patch does *not* restore the original
+behaviour from v3.5. Instead it makes printk() from within a kdb command
+display the message without any prefix (i.e. like printk() normally does).
+
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Cc: Joe Perches <joe@perches.com>
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/kdb.h | 8 +++++++-
+ kernel/debug/kdb/kdb_io.c | 22 +++++++++++++---------
+ kernel/printk/printk.c | 2 +-
+ 3 files changed, 21 insertions(+), 11 deletions(-)
+
+--- a/include/linux/kdb.h
++++ b/include/linux/kdb.h
+@@ -156,8 +156,14 @@ typedef enum {
+ KDB_REASON_SYSTEM_NMI, /* In NMI due to SYSTEM cmd; regs valid */
+ } kdb_reason_t;
+
++enum kdb_msgsrc {
++ KDB_MSGSRC_INTERNAL, /* direct call to kdb_printf() */
++ KDB_MSGSRC_PRINTK, /* trapped from printk() */
++};
++
+ extern int kdb_trap_printk;
+-extern __printf(1, 0) int vkdb_printf(const char *fmt, va_list args);
++extern __printf(2, 0) int vkdb_printf(enum kdb_msgsrc src, const char *fmt,
++ va_list args);
+ extern __printf(1, 2) int kdb_printf(const char *, ...);
+ typedef __printf(1, 2) int (*kdb_printf_t)(const char *, ...);
+
+--- a/kernel/debug/kdb/kdb_io.c
++++ b/kernel/debug/kdb/kdb_io.c
+@@ -548,7 +548,7 @@ static int kdb_search_string(char *searc
+ return 0;
+ }
+
+-int vkdb_printf(const char *fmt, va_list ap)
++int vkdb_printf(enum kdb_msgsrc src, const char *fmt, va_list ap)
+ {
+ int diag;
+ int linecount;
+@@ -691,19 +691,20 @@ kdb_printit:
+ * Write to all consoles.
+ */
+ retlen = strlen(kdb_buffer);
++ cp = (char *) printk_skip_level(kdb_buffer);
+ if (!dbg_kdb_mode && kgdb_connected) {
+- gdbstub_msg_write(kdb_buffer, retlen);
++ gdbstub_msg_write(cp, retlen - (cp - kdb_buffer));
+ } else {
+ if (dbg_io_ops && !dbg_io_ops->is_console) {
+- len = retlen;
+- cp = kdb_buffer;
++ len = retlen - (cp - kdb_buffer);
++ cp2 = cp;
+ while (len--) {
+- dbg_io_ops->write_char(*cp);
+- cp++;
++ dbg_io_ops->write_char(*cp2);
++ cp2++;
+ }
+ }
+ while (c) {
+- c->write(c, kdb_buffer, retlen);
++ c->write(c, cp, retlen - (cp - kdb_buffer));
+ touch_nmi_watchdog();
+ c = c->next;
+ }
+@@ -711,7 +712,10 @@ kdb_printit:
+ if (logging) {
+ saved_loglevel = console_loglevel;
+ console_loglevel = CONSOLE_LOGLEVEL_SILENT;
+- printk(KERN_INFO "%s", kdb_buffer);
++ if (printk_get_level(kdb_buffer) || src == KDB_MSGSRC_PRINTK)
++ printk("%s", kdb_buffer);
++ else
++ pr_info("%s", kdb_buffer);
+ }
+
+ if (KDB_STATE(PAGER)) {
+@@ -844,7 +848,7 @@ int kdb_printf(const char *fmt, ...)
+ int r;
+
+ va_start(ap, fmt);
+- r = vkdb_printf(fmt, ap);
++ r = vkdb_printf(KDB_MSGSRC_INTERNAL, fmt, ap);
+ va_end(ap);
+
+ return r;
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -1811,7 +1811,7 @@ int vprintk_default(const char *fmt, va_
+
+ #ifdef CONFIG_KGDB_KDB
+ if (unlikely(kdb_trap_printk)) {
+- r = vkdb_printf(fmt, args);
++ r = vkdb_printf(KDB_MSGSRC_PRINTK, fmt, args);
+ return r;
+ }
+ #endif
--- /dev/null
+From 146755923262037fc4c54abc28c04b1103f3cc51 Mon Sep 17 00:00:00 2001
+From: Jay Lan <jlan@sgi.com>
+Date: Mon, 29 Sep 2014 15:36:57 -0700
+Subject: kdb: fix incorrect counts in KDB summary command output
+
+From: Jay Lan <jlan@sgi.com>
+
+commit 146755923262037fc4c54abc28c04b1103f3cc51 upstream.
+
+The output of KDB 'summary' command should report MemTotal, MemFree
+and Buffers output in kB. Current codes report in unit of pages.
+
+A define of K(x) as
+is defined in the code, but not used.
+
+This patch would apply the define to convert the values to kB.
+Please include me on Cc on replies. I do not subscribe to linux-kernel.
+
+Signed-off-by: Jay Lan <jlan@sgi.com>
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/debug/kdb/kdb_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/debug/kdb/kdb_main.c
++++ b/kernel/debug/kdb/kdb_main.c
+@@ -2583,7 +2583,7 @@ static int kdb_summary(int argc, const c
+ #define K(x) ((x) << (PAGE_SHIFT - 10))
+ kdb_printf("\nMemTotal: %8lu kB\nMemFree: %8lu kB\n"
+ "Buffers: %8lu kB\n",
+- val.totalram, val.freeram, val.bufferram);
++ K(val.totalram), K(val.freeram), K(val.bufferram));
+ return 0;
+ }
+
--- /dev/null
+From df0036d117e6c9df36324e517728e33543065f9a Mon Sep 17 00:00:00 2001
+From: Jason Wessel <jason.wessel@windriver.com>
+Date: Thu, 8 Jan 2015 15:46:55 -0600
+Subject: kdb: Fix off by one error in kdb_cpu()
+
+From: Jason Wessel <jason.wessel@windriver.com>
+
+commit df0036d117e6c9df36324e517728e33543065f9a upstream.
+
+There was a follow on replacement patch against the prior
+"kgdb: Timeout if secondary CPUs ignore the roundup".
+
+See: https://lkml.org/lkml/2015/1/7/442
+
+This patch is the delta vs the patch that was committed upstream:
+ * Fix an off-by-one error in kdb_cpu().
+ * Replace NR_CPUS with CONFIG_NR_CPUS to tell checkpatch that we
+ really want a static limit.
+ * Removed the "KGDB: " prefix from the pr_crit() in debug_core.c
+ (kgdb-next contains a patch which introduced pr_fmt() to this file
+ to the tag will now be applied automatically).
+
+Cc: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/debug/debug_core.c | 2 +-
+ kernel/debug/kdb/kdb_main.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/debug/debug_core.c
++++ b/kernel/debug/debug_core.c
+@@ -604,7 +604,7 @@ return_normal:
+ online_cpus)
+ cpu_relax();
+ if (!time_left)
+- pr_crit("KGDB: Timed out waiting for secondary CPUs.\n");
++ pr_crit("Timed out waiting for secondary CPUs.\n");
+
+ /*
+ * At this point the primary processor is completely
+--- a/kernel/debug/kdb/kdb_main.c
++++ b/kernel/debug/kdb/kdb_main.c
+@@ -2256,7 +2256,7 @@ static int kdb_cpu(int argc, const char
+ /*
+ * Validate cpunum
+ */
+- if ((cpunum > NR_CPUS) || !kgdb_info[cpunum].enter_kgdb)
++ if ((cpunum >= CONFIG_NR_CPUS) || !kgdb_info[cpunum].enter_kgdb)
+ return KDB_BADCPUNUM;
+
+ dbg_switch_cpu = cpunum;
--- /dev/null
+From 1ab1e79b9fd4b01331490bbe2e630a0fc0b25449 Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Sun, 25 Jan 2015 23:45:27 +0200
+Subject: mei: mask interrupt set bit on clean reset bit
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit 1ab1e79b9fd4b01331490bbe2e630a0fc0b25449 upstream.
+
+We should mask interrupt set bit when writing back
+hcsr value in reset bit clean-up.
+
+This is refinement for
+mei: clean reset bit before reset
+commit b13a65ef190e488e2761d65bdd2e1fe8a3a125f5
+
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/hw-me.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/mei/hw-me.c
++++ b/drivers/misc/mei/hw-me.c
+@@ -242,7 +242,7 @@ static int mei_me_hw_reset(struct mei_de
+ if ((hcsr & H_RST) == H_RST) {
+ dev_warn(dev->dev, "H_RST is set = 0x%08X", hcsr);
+ hcsr &= ~H_RST;
+- mei_me_reg_write(hw, H_CSR, hcsr);
++ mei_hcsr_set(hw, hcsr);
+ hcsr = mei_hcsr_read(hw);
+ }
+
--- /dev/null
+From 663b7ee9517eec6deea9a48c7a1392a9a34f7809 Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Sun, 25 Jan 2015 23:45:28 +0200
+Subject: mei: me: release hw from reset only during the reset flow
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit 663b7ee9517eec6deea9a48c7a1392a9a34f7809 upstream.
+
+We might enter the interrupt handler with hw_ready already set,
+but prior we actually started the reset flow.
+To soleve this we move the reset release from the interrupt handler
+to the HW start wait function which is part of the reset sequence.
+
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/hw-me.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/misc/mei/hw-me.c
++++ b/drivers/misc/mei/hw-me.c
+@@ -335,6 +335,7 @@ static int mei_me_hw_ready_wait(struct m
+ return -ETIME;
+ }
+
++ mei_me_hw_reset_release(dev);
+ dev->recvd_hw_ready = false;
+ return 0;
+ }
+@@ -731,9 +732,7 @@ irqreturn_t mei_me_irq_thread_handler(in
+ /* check if we need to start the dev */
+ if (!mei_host_is_ready(dev)) {
+ if (mei_hw_is_ready(dev)) {
+- mei_me_hw_reset_release(dev);
+ dev_dbg(dev->dev, "we need to start the dev.\n");
+-
+ dev->recvd_hw_ready = true;
+ wake_up(&dev->wait_hw_ready);
+ } else {
--- /dev/null
+From 29183a70b0b828500816bd794b3fe192fce89f73 Mon Sep 17 00:00:00 2001
+From: John Stultz <john.stultz@linaro.org>
+Date: Mon, 9 Feb 2015 23:30:36 -0800
+Subject: ntp: Fixup adjtimex freq validation on 32-bit systems
+
+From: John Stultz <john.stultz@linaro.org>
+
+commit 29183a70b0b828500816bd794b3fe192fce89f73 upstream.
+
+Additional validation of adjtimex freq values to avoid
+potential multiplication overflows were added in commit
+5e5aeb4367b (time: adjtimex: Validate the ADJ_FREQUENCY values)
+
+Unfortunately the patch used LONG_MAX/MIN instead of
+LLONG_MAX/MIN, which was fine on 64-bit systems, but being
+much smaller on 32-bit systems caused false positives
+resulting in most direct frequency adjustments to fail w/
+EINVAL.
+
+ntpd only does direct frequency adjustments at startup, so
+the issue was not as easily observed there, but other time
+sync applications like ptpd and chrony were more effected by
+the bug.
+
+See bugs:
+
+ https://bugzilla.kernel.org/show_bug.cgi?id=92481
+ https://bugzilla.redhat.com/show_bug.cgi?id=1188074
+
+This patch changes the checks to use LLONG_MAX for
+clarity, and additionally the checks are disabled
+on 32-bit systems since LLONG_MAX/PPM_SCALE is always
+larger then the 32-bit long freq value, so multiplication
+overflows aren't possible there.
+
+Reported-by: Josh Boyer <jwboyer@fedoraproject.org>
+Reported-by: George Joseph <george.joseph@fairview5.com>
+Tested-by: George Joseph <george.joseph@fairview5.com>
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Sasha Levin <sasha.levin@oracle.com>
+Link: http://lkml.kernel.org/r/1423553436-29747-1-git-send-email-john.stultz@linaro.org
+[ Prettified the changelog and the comments a bit. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/ntp.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/kernel/time/ntp.c
++++ b/kernel/time/ntp.c
+@@ -633,10 +633,14 @@ int ntp_validate_timex(struct timex *txc
+ if ((txc->modes & ADJ_SETOFFSET) && (!capable(CAP_SYS_TIME)))
+ return -EPERM;
+
+- if (txc->modes & ADJ_FREQUENCY) {
+- if (LONG_MIN / PPM_SCALE > txc->freq)
++ /*
++ * Check for potential multiplication overflows that can
++ * only happen on 64-bit systems:
++ */
++ if ((txc->modes & ADJ_FREQUENCY) && (BITS_PER_LONG == 64)) {
++ if (LLONG_MIN / PPM_SCALE > txc->freq)
+ return -EINVAL;
+- if (LONG_MAX / PPM_SCALE < txc->freq)
++ if (LLONG_MAX / PPM_SCALE < txc->freq)
+ return -EINVAL;
+ }
+
--- /dev/null
+From 1e0d6714aceb770b04161fbedd7765d0e1fc27bd Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+Date: Tue, 10 Feb 2015 22:14:53 -0500
+Subject: ring-buffer: Do not wake up a splice waiter when page is not full
+
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+
+commit 1e0d6714aceb770b04161fbedd7765d0e1fc27bd upstream.
+
+When an application connects to the ring buffer via splice, it can only
+read full pages. Splice does not work with partial pages. If there is
+not enough data to fill a page, the splice command will either block
+or return -EAGAIN (if set to nonblock).
+
+Code was added where if the page is not full, to just sleep again.
+The problem is, it will get woken up again on the next event. That
+is, when something is written into the ring buffer, if there is a waiter
+it will wake it up. The waiter would then check the buffer, see that
+it still does not have enough data to fill a page and go back to sleep.
+To make matters worse, when the waiter goes back to sleep, it could
+cause another event, which would wake it back up again to see it
+doesn't have enough data and sleep again. This produces a tremendous
+overhead and fills the ring buffer with noise.
+
+For example, recording sched_switch on an idle system for 10 seconds
+produces 25,350,475 events!!!
+
+Create another wait queue for those waiters wanting full pages.
+When an event is written, it only wakes up waiters if there's a full
+page of data. It does not wake up the waiter if the page is not yet
+full.
+
+After this change, recording sched_switch on an idle system for 10
+seconds produces only 800 events. Getting rid of 25,349,675 useless
+events (99.9969% of events!!), is something to take seriously.
+
+Cc: Rabin Vincent <rabin@rab.in>
+Fixes: e30f53aad220 "tracing: Do not busy wait in buffer splice"
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ring_buffer.c | 40 +++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 35 insertions(+), 5 deletions(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -447,7 +447,10 @@ int ring_buffer_print_page_header(struct
+ struct rb_irq_work {
+ struct irq_work work;
+ wait_queue_head_t waiters;
++ wait_queue_head_t full_waiters;
+ bool waiters_pending;
++ bool full_waiters_pending;
++ bool wakeup_full;
+ };
+
+ /*
+@@ -529,6 +532,10 @@ static void rb_wake_up_waiters(struct ir
+ struct rb_irq_work *rbwork = container_of(work, struct rb_irq_work, work);
+
+ wake_up_all(&rbwork->waiters);
++ if (rbwork->wakeup_full) {
++ rbwork->wakeup_full = false;
++ wake_up_all(&rbwork->full_waiters);
++ }
+ }
+
+ /**
+@@ -553,9 +560,11 @@ int ring_buffer_wait(struct ring_buffer
+ * data in any cpu buffer, or a specific buffer, put the
+ * caller on the appropriate wait queue.
+ */
+- if (cpu == RING_BUFFER_ALL_CPUS)
++ if (cpu == RING_BUFFER_ALL_CPUS) {
+ work = &buffer->irq_work;
+- else {
++ /* Full only makes sense on per cpu reads */
++ full = false;
++ } else {
+ if (!cpumask_test_cpu(cpu, buffer->cpumask))
+ return -ENODEV;
+ cpu_buffer = buffer->buffers[cpu];
+@@ -564,7 +573,10 @@ int ring_buffer_wait(struct ring_buffer
+
+
+ while (true) {
+- prepare_to_wait(&work->waiters, &wait, TASK_INTERRUPTIBLE);
++ if (full)
++ prepare_to_wait(&work->full_waiters, &wait, TASK_INTERRUPTIBLE);
++ else
++ prepare_to_wait(&work->waiters, &wait, TASK_INTERRUPTIBLE);
+
+ /*
+ * The events can happen in critical sections where
+@@ -586,7 +598,10 @@ int ring_buffer_wait(struct ring_buffer
+ * that is necessary is that the wake up happens after
+ * a task has been queued. It's OK for spurious wake ups.
+ */
+- work->waiters_pending = true;
++ if (full)
++ work->full_waiters_pending = true;
++ else
++ work->waiters_pending = true;
+
+ if (signal_pending(current)) {
+ ret = -EINTR;
+@@ -615,7 +630,10 @@ int ring_buffer_wait(struct ring_buffer
+ schedule();
+ }
+
+- finish_wait(&work->waiters, &wait);
++ if (full)
++ finish_wait(&work->full_waiters, &wait);
++ else
++ finish_wait(&work->waiters, &wait);
+
+ return ret;
+ }
+@@ -1230,6 +1248,7 @@ rb_allocate_cpu_buffer(struct ring_buffe
+ init_completion(&cpu_buffer->update_done);
+ init_irq_work(&cpu_buffer->irq_work.work, rb_wake_up_waiters);
+ init_waitqueue_head(&cpu_buffer->irq_work.waiters);
++ init_waitqueue_head(&cpu_buffer->irq_work.full_waiters);
+
+ bpage = kzalloc_node(ALIGN(sizeof(*bpage), cache_line_size()),
+ GFP_KERNEL, cpu_to_node(cpu));
+@@ -2801,6 +2820,8 @@ static void rb_commit(struct ring_buffer
+ static __always_inline void
+ rb_wakeups(struct ring_buffer *buffer, struct ring_buffer_per_cpu *cpu_buffer)
+ {
++ bool pagebusy;
++
+ if (buffer->irq_work.waiters_pending) {
+ buffer->irq_work.waiters_pending = false;
+ /* irq_work_queue() supplies it's own memory barriers */
+@@ -2812,6 +2833,15 @@ rb_wakeups(struct ring_buffer *buffer, s
+ /* irq_work_queue() supplies it's own memory barriers */
+ irq_work_queue(&cpu_buffer->irq_work.work);
+ }
++
++ pagebusy = cpu_buffer->reader_page == cpu_buffer->commit_page;
++
++ if (!pagebusy && cpu_buffer->irq_work.full_waiters_pending) {
++ cpu_buffer->irq_work.wakeup_full = true;
++ cpu_buffer->irq_work.full_waiters_pending = false;
++ /* irq_work_queue() supplies it's own memory barriers */
++ irq_work_queue(&cpu_buffer->irq_work.work);
++ }
+ }
+
+ /**
--- /dev/null
+From 5f1437f61a0b351d25b528c159360da3d5e8c77b Mon Sep 17 00:00:00 2001
+From: Stefan Agner <stefan@agner.ch>
+Date: Sat, 10 Jan 2015 01:08:59 +0100
+Subject: serial: fsl_lpuart: avoid new transfer while DMA is running
+
+From: Stefan Agner <stefan@agner.ch>
+
+commit 5f1437f61a0b351d25b528c159360da3d5e8c77b upstream.
+
+When the UART is in DMA receive mode (RDMAS set) and one character
+just arrived while another interrupt is handled (e.g. TX), the RDRF
+(receiver data register full flag) is set due to the water level of
+1. But since the DMA will take care of this character, there is no
+need to handle it by calling lpuart_prepare_rx. Handling it leads to
+adding the RX timeout timer twice:
+
+[ 74.336698] Kernel BUG at 80053070 [verbose debug info unavailable]
+[ 74.342999] Internal error: Oops - BUG: 0 [#1] ARM0:00.00 khungtaskd
+[ 74.347817] Modules linked in: 0 S 0.0 0.0 0:00.00 writeback
+[ 74.350926] CPU: 0 PID: 0 Comm: swapper Not tainted 3.19.0-rc3-00001-g39d78e2 #1788
+[ 74.358617] Hardware name: Freescale Vybrid VF610 (Device Tree)t
+[ 74.364563] task: 807a7678 ti: 8079c000 task.ti: 8079c000 kblockd
+[ 74.370002] PC is at add_timer+0x24/0x28.0 0.0 0:00.09 kworker/u2:1
+[ 74.373960] LR is at lpuart_int+0x15c/0x3d8
+[ 74.378171] pc : [<80053070>] lr : [<802e0d88>] psr: a0010193
+[ 74.378171] sp : 8079de10 ip : 8079de20 fp : 8079de1c
+[ 74.389694] r10: 807d44c0 r9 : 8688c300 r8 : 00000013
+[ 74.394943] r7 : 20010193 r6 : 00000000 r5 : 000000a0 r4 : 86997210
+[ 74.401498] r3 : ffffa7da r2 : 80817868 r1 : 86997210 r0 : 86997344
+[ 74.408052] Flags: NzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
+[ 74.415489] Control: 10c5387d Table: 8611c059 DAC: 00000015
+[ 74.421265] Process swapper (pid: 0, stack limit = 0x8079c230)
+...
+
+Solve this by only execute the receiver path (lpuart_prepare_rx) if
+the DMA receive mode (RDMAS) is not set. Also, make sure the flag is
+cleared on initialization, in case it has been left set.
+
+This can be best reproduced using UART as a serial console, then
+running top while dd'ing data into the terminal.
+
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/fsl_lpuart.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -755,18 +755,18 @@ out:
+ static irqreturn_t lpuart_int(int irq, void *dev_id)
+ {
+ struct lpuart_port *sport = dev_id;
+- unsigned char sts;
++ unsigned char sts, crdma;
+
+ sts = readb(sport->port.membase + UARTSR1);
++ crdma = readb(sport->port.membase + UARTCR5);
+
+- if (sts & UARTSR1_RDRF) {
++ if (sts & UARTSR1_RDRF && !(crdma & UARTCR5_RDMAS)) {
+ if (sport->lpuart_dma_use)
+ lpuart_prepare_rx(sport);
+ else
+ lpuart_rxint(irq, dev_id);
+ }
+- if (sts & UARTSR1_TDRE &&
+- !(readb(sport->port.membase + UARTCR5) & UARTCR5_TDMAS)) {
++ if (sts & UARTSR1_TDRE && !(crdma & UARTCR5_TDMAS)) {
+ if (sport->lpuart_dma_use)
+ lpuart_pio_tx(sport);
+ else
+@@ -1106,6 +1106,7 @@ static int lpuart_startup(struct uart_po
+ setup_timer(&sport->lpuart_timer, lpuart_timer_func,
+ (unsigned long)sport);
+ temp = readb(port->membase + UARTCR5);
++ temp &= ~UARTCR5_RDMAS;
+ writeb(temp | UARTCR5_TDMAS, port->membase + UARTCR5);
+ }
+
--- /dev/null
+From 4a8588a1cf867333187d9ff071e6fbdab587d194 Mon Sep 17 00:00:00 2001
+From: Stefan Agner <stefan@agner.ch>
+Date: Sat, 10 Jan 2015 01:08:58 +0100
+Subject: serial: fsl_lpuart: delete timer on shutdown
+
+From: Stefan Agner <stefan@agner.ch>
+
+commit 4a8588a1cf867333187d9ff071e6fbdab587d194 upstream.
+
+If the serial port gets closed while a RX transfer is in progress,
+the timer might fire after the serial port shutdown finished. This
+leads in a NULL pointer dereference:
+
+[ 7.508324] Unable to handle kernel NULL pointer dereference at virtual address 00000000
+[ 7.516590] pgd = 86348000
+[ 7.519445] [00000000] *pgd=86179831, *pte=00000000, *ppte=00000000
+[ 7.526145] Internal error: Oops: 17 [#1] ARM
+[ 7.530611] Modules linked in:
+[ 7.533876] CPU: 0 PID: 123 Comm: systemd Not tainted 3.19.0-rc3-00004-g5b11ea7 #1778
+[ 7.541827] Hardware name: Freescale Vybrid VF610 (Device Tree)
+[ 7.547862] task: 861c3400 ti: 86ac8000 task.ti: 86ac8000
+[ 7.553392] PC is at lpuart_timer_func+0x24/0xf8
+[ 7.558127] LR is at lpuart_timer_func+0x20/0xf8
+[ 7.562857] pc : [<802df99c>] lr : [<802df998>] psr: 600b0113
+[ 7.562857] sp : 86ac9b90 ip : 86ac9b90 fp : 86ac9bbc
+[ 7.574467] r10: 80817180 r9 : 80817b98 r8 : 80817998
+[ 7.579803] r7 : 807acee0 r6 : 86989000 r5 : 00000100 r4 : 86997210
+[ 7.586444] r3 : 86ac8000 r2 : 86ac9bc0 r1 : 86997210 r0 : 00000000
+[ 7.593085] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
+[ 7.600341] Control: 10c5387d Table: 86348059 DAC: 00000015
+[ 7.606203] Process systemd (pid: 123, stack limit = 0x86ac8230)
+
+Setup the timer on UART startup which allows to delete the timer
+unconditionally on shutdown. This also saves the initialization
+on each transfer.
+
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/fsl_lpuart.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -506,9 +506,6 @@ static inline void lpuart_prepare_rx(str
+
+ spin_lock_irqsave(&sport->port.lock, flags);
+
+- init_timer(&sport->lpuart_timer);
+- sport->lpuart_timer.function = lpuart_timer_func;
+- sport->lpuart_timer.data = (unsigned long)sport;
+ sport->lpuart_timer.expires = jiffies + sport->dma_rx_timeout;
+ add_timer(&sport->lpuart_timer);
+
+@@ -1106,6 +1103,8 @@ static int lpuart_startup(struct uart_po
+ sport->lpuart_dma_use = false;
+ } else {
+ sport->lpuart_dma_use = true;
++ setup_timer(&sport->lpuart_timer, lpuart_timer_func,
++ (unsigned long)sport);
+ temp = readb(port->membase + UARTCR5);
+ writeb(temp | UARTCR5_TDMAS, port->membase + UARTCR5);
+ }
+@@ -1180,6 +1179,8 @@ static void lpuart_shutdown(struct uart_
+ devm_free_irq(port->dev, port->irq, sport);
+
+ if (sport->lpuart_dma_use) {
++ del_timer_sync(&sport->lpuart_timer);
++
+ lpuart_dma_tx_free(port);
+ lpuart_dma_rx_free(port);
+ }
cfq-iosched-handle-failure-of-cfq-group-allocation.patch
cfq-iosched-fix-incorrect-filing-of-rt-async-cfqq.patch
cipso-don-t-use-ipcb-to-locate-the-cipso-ip-option.patch
+ring-buffer-do-not-wake-up-a-splice-waiter-when-page-is-not-full.patch
+smack-fix-possible-use-after-frees-in-task_security-callers.patch
+axonram-fix-bug-in-direct_access.patch
+tty-remove-warning-in-tty_lock_slave.patch
+tty-prevent-untrappable-signals-from-malicious-program.patch
+tty-serial-at91-use-correct-type-for-dma_sync_-_for_cpu-and-dma_sync_-_for_device.patch
+tty-serial-at91-enable-peripheral-clock-before-accessing-i-o-registers.patch
+tty-serial-at91-fix-error-handling-in-atmel_serial_probe.patch
+mei-mask-interrupt-set-bit-on-clean-reset-bit.patch
+mei-me-release-hw-from-reset-only-during-the-reset-flow.patch
+usb-cp210x-add-id-for-ruggedcom-usb-serial-console.patch
+usb-fix-use-after-free-bug-in-usb_hcd_unlink_urb.patch
+usb-dwc3-gadget-add-missing-spin_lock.patch
+usb-musb-add-omap-control-dependency.patch
+usb-core-buffer-smallest-buffer-should-start-at-arch_dma_minalign.patch
+usb-don-t-cancel-queued-resets-when-unbinding-drivers.patch
+usb-add-flag-for-hcds-that-can-t-receive-wakeup-requests-isp1760-hcd.patch
+cdc-acm-add-sanity-checks.patch
+vt-provide-notifications-on-selection-changes.patch
+arm-pxa-add-regulator_has_full_constraints-to-corgi-board-file.patch
+arm-pxa-add-regulator_has_full_constraints-to-poodle-board-file.patch
+arm-pxa-add-regulator_has_full_constraints-to-spitz-board-file.patch
+arm-brcmstb-update-cpu-power-management-sequence.patch
+arm-bcm-put-back-arch_multi_v7-dependency-for-mobile.patch
+arm-vexpress-use-arm_cpu_suspend-if-needed.patch
+arm-mvebu-build-armada375-smp-code-conditionally.patch
+kdb-fix-incorrect-counts-in-kdb-summary-command-output.patch
+kdb-avoid-printing-kern_-levels-to-consoles.patch
+kdb-fix-off-by-one-error-in-kdb_cpu.patch
+ntp-fixup-adjtimex-freq-validation-on-32-bit-systems.patch
+serial-fsl_lpuart-delete-timer-on-shutdown.patch
+serial-fsl_lpuart-avoid-new-transfer-while-dma-is-running.patch
+arc-fix-page-address-calculation-if-page_offset-linux_link_base.patch
--- /dev/null
+From 6d1cff2a885850b78b40c34777b46cf5da5d1050 Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <a.ryabinin@samsung.com>
+Date: Tue, 13 Jan 2015 18:52:40 +0300
+Subject: smack: fix possible use after frees in task_security() callers
+
+From: Andrey Ryabinin <a.ryabinin@samsung.com>
+
+commit 6d1cff2a885850b78b40c34777b46cf5da5d1050 upstream.
+
+We hit use after free on dereferncing pointer to task_smack struct in
+smk_of_task() called from smack_task_to_inode().
+
+task_security() macro uses task_cred_xxx() to get pointer to the task_smack.
+task_cred_xxx() could be used only for non-pointer members of task's
+credentials. It cannot be used for pointer members since what they point
+to may disapper after dropping RCU read lock.
+
+Mainly task_security() used this way:
+ smk_of_task(task_security(p))
+
+Intead of this introduce function smk_of_task_struct() which
+takes task_struct as argument and returns pointer to smk_known struct
+and do this under RCU read lock.
+Bogus task_security() macro is not used anymore, so remove it.
+
+KASan's report for this:
+
+ AddressSanitizer: use after free in smack_task_to_inode+0x50/0x70 at addr c4635600
+ =============================================================================
+ BUG kmalloc-64 (Tainted: PO): kasan error
+ -----------------------------------------------------------------------------
+
+ Disabling lock debugging due to kernel taint
+ INFO: Allocated in new_task_smack+0x44/0xd8 age=39 cpu=0 pid=1866
+ kmem_cache_alloc_trace+0x88/0x1bc
+ new_task_smack+0x44/0xd8
+ smack_cred_prepare+0x48/0x21c
+ security_prepare_creds+0x44/0x4c
+ prepare_creds+0xdc/0x110
+ smack_setprocattr+0x104/0x150
+ security_setprocattr+0x4c/0x54
+ proc_pid_attr_write+0x12c/0x194
+ vfs_write+0x1b0/0x370
+ SyS_write+0x5c/0x94
+ ret_fast_syscall+0x0/0x48
+ INFO: Freed in smack_cred_free+0xc4/0xd0 age=27 cpu=0 pid=1564
+ kfree+0x270/0x290
+ smack_cred_free+0xc4/0xd0
+ security_cred_free+0x34/0x3c
+ put_cred_rcu+0x58/0xcc
+ rcu_process_callbacks+0x738/0x998
+ __do_softirq+0x264/0x4cc
+ do_softirq+0x94/0xf4
+ irq_exit+0xbc/0x120
+ handle_IRQ+0x104/0x134
+ gic_handle_irq+0x70/0xac
+ __irq_svc+0x44/0x78
+ _raw_spin_unlock+0x18/0x48
+ sync_inodes_sb+0x17c/0x1d8
+ sync_filesystem+0xac/0xfc
+ vdfs_file_fsync+0x90/0xc0
+ vfs_fsync_range+0x74/0x7c
+ INFO: Slab 0xd3b23f50 objects=32 used=31 fp=0xc4635600 flags=0x4080
+ INFO: Object 0xc4635600 @offset=5632 fp=0x (null)
+
+ Bytes b4 c46355f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
+ Object c4635600: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+ Object c4635610: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+ Object c4635620: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+ Object c4635630: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk.
+ Redzone c4635640: bb bb bb bb ....
+ Padding c46356e8: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
+ Padding c46356f8: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
+ CPU: 5 PID: 834 Comm: launchpad_prelo Tainted: PBO 3.10.30 #1
+ Backtrace:
+ [<c00233a4>] (dump_backtrace+0x0/0x158) from [<c0023dec>] (show_stack+0x20/0x24)
+ r7:c4634010 r6:d3b23f50 r5:c4635600 r4:d1002140
+ [<c0023dcc>] (show_stack+0x0/0x24) from [<c06d6d7c>] (dump_stack+0x20/0x28)
+ [<c06d6d5c>] (dump_stack+0x0/0x28) from [<c01c1d50>] (print_trailer+0x124/0x144)
+ [<c01c1c2c>] (print_trailer+0x0/0x144) from [<c01c1e88>] (object_err+0x3c/0x44)
+ r7:c4635600 r6:d1002140 r5:d3b23f50 r4:c4635600
+ [<c01c1e4c>] (object_err+0x0/0x44) from [<c01cac18>] (kasan_report_error+0x2b8/0x538)
+ r6:d1002140 r5:d3b23f50 r4:c6429cf8 r3:c09e1aa7
+ [<c01ca960>] (kasan_report_error+0x0/0x538) from [<c01c9430>] (__asan_load4+0xd4/0xf8)
+ [<c01c935c>] (__asan_load4+0x0/0xf8) from [<c031e168>] (smack_task_to_inode+0x50/0x70)
+ r5:c4635600 r4:ca9da000
+ [<c031e118>] (smack_task_to_inode+0x0/0x70) from [<c031af64>] (security_task_to_inode+0x3c/0x44)
+ r5:cca25e80 r4:c0ba9780
+ [<c031af28>] (security_task_to_inode+0x0/0x44) from [<c023d614>] (pid_revalidate+0x124/0x178)
+ r6:00000000 r5:cca25e80 r4:cbabe3c0 r3:00008124
+ [<c023d4f0>] (pid_revalidate+0x0/0x178) from [<c01db98c>] (lookup_fast+0x35c/0x43y4)
+ r9:c6429efc r8:00000101 r7:c079d940 r6:c6429e90 r5:c6429ed8 r4:c83c4148
+ [<c01db630>] (lookup_fast+0x0/0x434) from [<c01deec8>] (do_last.isra.24+0x1c0/0x1108)
+ [<c01ded08>] (do_last.isra.24+0x0/0x1108) from [<c01dff04>] (path_openat.isra.25+0xf4/0x648)
+ [<c01dfe10>] (path_openat.isra.25+0x0/0x648) from [<c01e1458>] (do_filp_open+0x3c/0x88)
+ [<c01e141c>] (do_filp_open+0x0/0x88) from [<c01ccb28>] (do_sys_open+0xf0/0x198)
+ r7:00000001 r6:c0ea2180 r5:0000000b r4:00000000
+ [<c01cca38>] (do_sys_open+0x0/0x198) from [<c01ccc00>] (SyS_open+0x30/0x34)
+ [<c01ccbd0>] (SyS_open+0x0/0x34) from [<c001db80>] (ret_fast_syscall+0x0/0x48)
+ Read of size 4 by thread T834:
+ Memory state around the buggy address:
+ c4635380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ c4635400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
+ c4635480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ c4635500: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
+ c4635580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ >c4635600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ c4635680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ c4635700: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc
+ c4635780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ c4635800: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
+ c4635880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ==================================================================
+
+Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/smack/smack.h | 10 ++++++++++
+ security/smack/smack_lsm.c | 24 +++++++++++++-----------
+ 2 files changed, 23 insertions(+), 11 deletions(-)
+
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -298,6 +298,16 @@ static inline struct smack_known *smk_of
+ return tsp->smk_task;
+ }
+
++static inline struct smack_known *smk_of_task_struct(const struct task_struct *t)
++{
++ struct smack_known *skp;
++
++ rcu_read_lock();
++ skp = smk_of_task(__task_cred(t)->security);
++ rcu_read_unlock();
++ return skp;
++}
++
+ /*
+ * Present a pointer to the forked smack label entry in an task blob.
+ */
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -43,8 +43,6 @@
+ #include <linux/binfmts.h>
+ #include "smack.h"
+
+-#define task_security(task) (task_cred_xxx((task), security))
+-
+ #define TRANS_TRUE "TRUE"
+ #define TRANS_TRUE_SIZE 4
+
+@@ -120,7 +118,7 @@ static int smk_bu_current(char *note, st
+ static int smk_bu_task(struct task_struct *otp, int mode, int rc)
+ {
+ struct task_smack *tsp = current_security();
+- struct task_smack *otsp = task_security(otp);
++ struct smack_known *smk_task = smk_of_task_struct(otp);
+ char acc[SMK_NUM_ACCESS_TYPE + 1];
+
+ if (rc <= 0)
+@@ -128,7 +126,7 @@ static int smk_bu_task(struct task_struc
+
+ smk_bu_mode(mode, acc);
+ pr_info("Smack Bringup: (%s %s %s) %s to %s\n",
+- tsp->smk_task->smk_known, otsp->smk_task->smk_known, acc,
++ tsp->smk_task->smk_known, smk_task->smk_known, acc,
+ current->comm, otp->comm);
+ return 0;
+ }
+@@ -345,7 +343,8 @@ static int smk_ptrace_rule_check(struct
+ saip = &ad;
+ }
+
+- tsp = task_security(tracer);
++ rcu_read_lock();
++ tsp = __task_cred(tracer)->security;
+ tracer_known = smk_of_task(tsp);
+
+ if ((mode & PTRACE_MODE_ATTACH) &&
+@@ -365,11 +364,14 @@ static int smk_ptrace_rule_check(struct
+ tracee_known->smk_known,
+ 0, rc, saip);
+
++ rcu_read_unlock();
+ return rc;
+ }
+
+ /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */
+ rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip);
++
++ rcu_read_unlock();
+ return rc;
+ }
+
+@@ -396,7 +398,7 @@ static int smack_ptrace_access_check(str
+ if (rc != 0)
+ return rc;
+
+- skp = smk_of_task(task_security(ctp));
++ skp = smk_of_task_struct(ctp);
+
+ rc = smk_ptrace_rule_check(current, skp, mode, __func__);
+ return rc;
+@@ -1826,7 +1828,7 @@ static int smk_curacc_on_task(struct tas
+ const char *caller)
+ {
+ struct smk_audit_info ad;
+- struct smack_known *skp = smk_of_task(task_security(p));
++ struct smack_known *skp = smk_of_task_struct(p);
+ int rc;
+
+ smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK);
+@@ -1879,7 +1881,7 @@ static int smack_task_getsid(struct task
+ */
+ static void smack_task_getsecid(struct task_struct *p, u32 *secid)
+ {
+- struct smack_known *skp = smk_of_task(task_security(p));
++ struct smack_known *skp = smk_of_task_struct(p);
+
+ *secid = skp->smk_secid;
+ }
+@@ -1986,7 +1988,7 @@ static int smack_task_kill(struct task_s
+ {
+ struct smk_audit_info ad;
+ struct smack_known *skp;
+- struct smack_known *tkp = smk_of_task(task_security(p));
++ struct smack_known *tkp = smk_of_task_struct(p);
+ int rc;
+
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+@@ -2040,7 +2042,7 @@ static int smack_task_wait(struct task_s
+ static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
+ {
+ struct inode_smack *isp = inode->i_security;
+- struct smack_known *skp = smk_of_task(task_security(p));
++ struct smack_known *skp = smk_of_task_struct(p);
+
+ isp->smk_inode = skp;
+ }
+@@ -3200,7 +3202,7 @@ unlockandout:
+ */
+ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
+ {
+- struct smack_known *skp = smk_of_task(task_security(p));
++ struct smack_known *skp = smk_of_task_struct(p);
+ char *cp;
+ int slen;
+
--- /dev/null
+From 37480a05685ed5b8e1b9bf5e5c53b5810258b149 Mon Sep 17 00:00:00 2001
+From: Peter Hurley <peter@hurleysoftware.com>
+Date: Mon, 19 Jan 2015 13:05:03 -0500
+Subject: tty: Prevent untrappable signals from malicious program
+
+From: Peter Hurley <peter@hurleysoftware.com>
+
+commit 37480a05685ed5b8e1b9bf5e5c53b5810258b149 upstream.
+
+Commit 26df6d13406d1a5 ("tty: Add EXTPROC support for LINEMODE")
+allows a process which has opened a pty master to send _any_ signal
+to the process group of the pty slave. Although potentially
+exploitable by a malicious program running a setuid program on
+a pty slave, it's unknown if this exploit currently exists.
+
+Limit to signals actually used.
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Cc: Howard Chu <hyc@symas.com>
+Cc: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
+Cc: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/pty.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/pty.c
++++ b/drivers/tty/pty.c
+@@ -210,6 +210,9 @@ static int pty_signal(struct tty_struct
+ {
+ struct pid *pgrp;
+
++ if (sig != SIGINT && sig != SIGQUIT && sig != SIGTSTP)
++ return -EINVAL;
++
+ if (tty->link) {
+ pgrp = tty_get_pgrp(tty->link);
+ if (pgrp)
--- /dev/null
+From eef15e2a54fad4c2ce3f0a81485dc591ce678f4f Mon Sep 17 00:00:00 2001
+From: Peter Hurley <peter@hurleysoftware.com>
+Date: Tue, 30 Dec 2014 07:11:11 -0500
+Subject: tty: Remove warning in tty_lock_slave()
+
+From: Peter Hurley <peter@hurleysoftware.com>
+
+commit eef15e2a54fad4c2ce3f0a81485dc591ce678f4f upstream.
+
+Commit 2aff5e2bc62db43e05c814461a08aff0fc2b7fe5 ('tty: Change
+tty lock order to master->slave') added a warning which is broken
+and unnecessary now that the tty lock has fixed lock subclasses,
+added in commit 2febdb632bb96235b94b8fccaf882a78f8f4b2bb
+('tty: Preset lock subclass for nested tty locks').
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/tty_mutex.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/tty/tty_mutex.c
++++ b/drivers/tty/tty_mutex.c
+@@ -46,12 +46,8 @@ EXPORT_SYMBOL(tty_unlock);
+
+ void __lockfunc tty_lock_slave(struct tty_struct *tty)
+ {
+- if (tty && tty != tty->link) {
+- WARN_ON(!mutex_is_locked(&tty->link->legacy_mutex) ||
+- !tty->driver->type == TTY_DRIVER_TYPE_PTY ||
+- !tty->driver->type == PTY_TYPE_SLAVE);
++ if (tty && tty != tty->link)
+ tty_lock(tty);
+- }
+ }
+
+ void __lockfunc tty_unlock_slave(struct tty_struct *tty)
--- /dev/null
+From d4f641876a68d1961e30c202709cc2d484f69f6f Mon Sep 17 00:00:00 2001
+From: Cyrille Pitchen <cyrille.pitchen@atmel.com>
+Date: Tue, 9 Dec 2014 14:31:33 +0100
+Subject: tty/serial: at91: enable peripheral clock before accessing I/O registers
+
+From: Cyrille Pitchen <cyrille.pitchen@atmel.com>
+
+commit d4f641876a68d1961e30c202709cc2d484f69f6f upstream.
+
+atmel_serial_probe() calls atmel_init_port(). In turn, atmel_init_port() calls
+clk_disable_unprepare() to disable the peripheral clock before returning.
+
+Later atmel_serial_probe() accesses some I/O registers such as the Mode and
+Control registers for RS485 support then the Name and Version registers, through a call to
+atmel_get_ip_name(), but at that moment the peripheral clock was still
+disabled.
+
+Signed-off-by: Cyrille Pitchen <cyrille.pitchen@atmel.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/atmel_serial.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -2596,6 +2596,12 @@ static int atmel_serial_probe(struct pla
+ device_init_wakeup(&pdev->dev, 1);
+ platform_set_drvdata(pdev, port);
+
++ /*
++ * The peripheral clock has been disabled by atmel_init_port():
++ * enable it before accessing I/O registers
++ */
++ clk_prepare_enable(port->clk);
++
+ if (rs485_enabled) {
+ UART_PUT_MR(&port->uart, ATMEL_US_USMODE_NORMAL);
+ UART_PUT_CR(&port->uart, ATMEL_US_RTSEN);
+@@ -2606,6 +2612,12 @@ static int atmel_serial_probe(struct pla
+ */
+ atmel_get_ip_name(&port->uart);
+
++ /*
++ * The peripheral clock can now safely be disabled till the port
++ * is used
++ */
++ clk_disable_unprepare(port->clk);
++
+ return 0;
+
+ err_add_port:
--- /dev/null
+From 6fbb9bdf0f3fbe23aeff806489791aa876adaffb Mon Sep 17 00:00:00 2001
+From: Cyrille Pitchen <cyrille.pitchen@atmel.com>
+Date: Tue, 9 Dec 2014 14:31:34 +0100
+Subject: tty/serial: at91: fix error handling in atmel_serial_probe()
+
+From: Cyrille Pitchen <cyrille.pitchen@atmel.com>
+
+commit 6fbb9bdf0f3fbe23aeff806489791aa876adaffb upstream.
+
+-EDEFER error wasn't handle properly by atmel_serial_probe().
+As an example, when atmel_serial_probe() is called for the first time, we pass
+the test_and_set_bit() test to check whether the port has already been
+initalized. Then we call atmel_init_port(), which may return -EDEFER, possibly
+returned before by clk_get(). Consequently atmel_serial_probe() used to return
+this error code WITHOUT clearing the port bit in the "atmel_ports_in_use" mask.
+When atmel_serial_probe() was called for the second time, it used to fail on
+the test_and_set_bit() function then returning -EBUSY.
+
+When atmel_serial_probe() fails, this patch make it clear the port bit in the
+"atmel_ports_in_use" mask, if needed, before returning the error code.
+
+Signed-off-by: Cyrille Pitchen <cyrille.pitchen@atmel.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/atmel_serial.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -2565,7 +2565,7 @@ static int atmel_serial_probe(struct pla
+
+ ret = atmel_init_port(port, pdev);
+ if (ret)
+- goto err;
++ goto err_clear_bit;
+
+ if (!atmel_use_pdc_rx(&port->uart)) {
+ ret = -ENOMEM;
+@@ -2628,6 +2628,8 @@ err_alloc_ring:
+ clk_put(port->clk);
+ port->clk = NULL;
+ }
++err_clear_bit:
++ clear_bit(port->uart.line, atmel_ports_in_use);
+ err:
+ return ret;
+ }
--- /dev/null
+From 485819b5b9ed82372dacae775998f3c33717f7fe Mon Sep 17 00:00:00 2001
+From: Cyrille Pitchen <cyrille.pitchen@atmel.com>
+Date: Tue, 9 Dec 2014 14:31:32 +0100
+Subject: tty/serial: at91: use correct type for dma_sync_*_for_cpu() and dma_sync_*_for_device()
+
+From: Cyrille Pitchen <cyrille.pitchen@atmel.com>
+
+commit 485819b5b9ed82372dacae775998f3c33717f7fe upstream.
+
+dma_sync_*_for_cpu() and dma_sync_*_for_device() use 'enum dma_data_direction',
+not 'enum dma_transfer_direction'
+
+Signed-off-by: Cyrille Pitchen <cyrille.pitchen@atmel.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/atmel_serial.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -794,7 +794,7 @@ static void atmel_tx_dma(struct uart_por
+ return;
+ }
+
+- dma_sync_sg_for_device(port->dev, sg, 1, DMA_MEM_TO_DEV);
++ dma_sync_sg_for_device(port->dev, sg, 1, DMA_TO_DEVICE);
+
+ atmel_port->desc_tx = desc;
+ desc->callback = atmel_complete_tx_dma;
+@@ -927,7 +927,7 @@ static void atmel_rx_from_dma(struct uar
+ dma_sync_sg_for_cpu(port->dev,
+ &atmel_port->sg_rx,
+ 1,
+- DMA_DEV_TO_MEM);
++ DMA_FROM_DEVICE);
+
+ /*
+ * ring->head points to the end of data already written by the DMA.
+@@ -974,7 +974,7 @@ static void atmel_rx_from_dma(struct uar
+ dma_sync_sg_for_device(port->dev,
+ &atmel_port->sg_rx,
+ 1,
+- DMA_DEV_TO_MEM);
++ DMA_FROM_DEVICE);
+
+ /*
+ * Drop the lock here since it might end up calling
--- /dev/null
+From 074f9dd55f9cab1b82690ed7e44bcf38b9616ce0 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Thu, 29 Jan 2015 15:05:04 -0500
+Subject: USB: add flag for HCDs that can't receive wakeup requests (isp1760-hcd)
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 074f9dd55f9cab1b82690ed7e44bcf38b9616ce0 upstream.
+
+Currently the USB stack assumes that all host controller drivers are
+capable of receiving wakeup requests from downstream devices.
+However, this isn't true for the isp1760-hcd driver, which means that
+it isn't safe to do a runtime suspend of any device attached to a
+root-hub port if the device requires wakeup.
+
+This patch adds a "cant_recv_wakeups" flag to the usb_hcd structure
+and sets the flag in isp1760-hcd. The core is modified to prevent a
+direct child of the root hub from being put into runtime suspend with
+wakeup enabled if the flag is set.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Tested-by: Nicolas Pitre <nico@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/driver.c | 12 ++++++++++++
+ drivers/usb/host/isp1760-hcd.c | 3 +++
+ include/linux/usb/hcd.h | 2 ++
+ 3 files changed, 17 insertions(+)
+
+--- a/drivers/usb/core/driver.c
++++ b/drivers/usb/core/driver.c
+@@ -1780,6 +1780,18 @@ static int autosuspend_check(struct usb_
+ dev_dbg(&udev->dev, "remote wakeup needed for autosuspend\n");
+ return -EOPNOTSUPP;
+ }
++
++ /*
++ * If the device is a direct child of the root hub and the HCD
++ * doesn't handle wakeup requests, don't allow autosuspend when
++ * wakeup is needed.
++ */
++ if (w && udev->parent == udev->bus->root_hub &&
++ bus_to_hcd(udev->bus)->cant_recv_wakeups) {
++ dev_dbg(&udev->dev, "HCD doesn't handle wakeup requests\n");
++ return -EOPNOTSUPP;
++ }
++
+ udev->do_remote_wakeup = w;
+ return 0;
+ }
+--- a/drivers/usb/host/isp1760-hcd.c
++++ b/drivers/usb/host/isp1760-hcd.c
+@@ -2247,6 +2247,9 @@ struct usb_hcd *isp1760_register(phys_ad
+ hcd->rsrc_start = res_start;
+ hcd->rsrc_len = res_len;
+
++ /* This driver doesn't support wakeup requests */
++ hcd->cant_recv_wakeups = 1;
++
+ ret = usb_add_hcd(hcd, irq, irqflags);
+ if (ret)
+ goto err_unmap;
+--- a/include/linux/usb/hcd.h
++++ b/include/linux/usb/hcd.h
+@@ -146,6 +146,8 @@ struct usb_hcd {
+ unsigned amd_resume_bug:1; /* AMD remote wakeup quirk */
+ unsigned can_do_streams:1; /* HC supports streams */
+ unsigned tpl_support:1; /* OTG & EH TPL support */
++ unsigned cant_recv_wakeups:1;
++ /* wakeup requests from downstream aren't received */
+
+ unsigned int irq; /* irq allocated */
+ void __iomem *regs; /* device memory/io */
--- /dev/null
+From 5efd2ea8c9f4f12916ffc8ba636792ce052f6911 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Fri, 5 Dec 2014 15:13:54 +0100
+Subject: usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+commit 5efd2ea8c9f4f12916ffc8ba636792ce052f6911 upstream.
+
+the following error pops up during "testusb -a -t 10"
+| musb-hdrc musb-hdrc.1.auto: dma_pool_free buffer-128, f134e000/be842000 (bad dma)
+hcd_buffer_create() creates a few buffers, the smallest has 32 bytes of
+size. ARCH_KMALLOC_MINALIGN is set to 64 bytes. This combo results in
+hcd_buffer_alloc() returning memory which is 32 bytes aligned and it
+might by identified by buffer_offset() as another buffer. This means the
+buffer which is on a 32 byte boundary will not get freed, instead it
+tries to free another buffer with the error message.
+
+This patch fixes the issue by creating the smallest DMA buffer with the
+size of ARCH_KMALLOC_MINALIGN (or 32 in case ARCH_KMALLOC_MINALIGN is
+smaller). This might be 32, 64 or even 128 bytes. The next three pools
+will have the size 128, 512 and 2048.
+In case the smallest pool is 128 bytes then we have only three pools
+instead of four (and zero the first entry in the array).
+The last pool size is always 2048 bytes which is the assumed PAGE_SIZE /
+2 of 4096. I doubt it makes sense to continue using PAGE_SIZE / 2 where
+we would end up with 8KiB buffer in case we have 16KiB pages.
+Instead I think it makes sense to have a common size(s) and extend them
+if there is need to.
+There is a BUILD_BUG_ON() now in case someone has a minalign of more than
+128 bytes.
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/buffer.c | 26 +++++++++++++++++---------
+ drivers/usb/core/usb.c | 1 +
+ include/linux/usb/hcd.h | 1 +
+ 3 files changed, 19 insertions(+), 9 deletions(-)
+
+--- a/drivers/usb/core/buffer.c
++++ b/drivers/usb/core/buffer.c
+@@ -22,17 +22,25 @@
+ */
+
+ /* FIXME tune these based on pool statistics ... */
+-static const size_t pool_max[HCD_BUFFER_POOLS] = {
+- /* platforms without dma-friendly caches might need to
+- * prevent cacheline sharing...
+- */
+- 32,
+- 128,
+- 512,
+- PAGE_SIZE / 2
+- /* bigger --> allocate pages */
++static size_t pool_max[HCD_BUFFER_POOLS] = {
++ 32, 128, 512, 2048,
+ };
+
++void __init usb_init_pool_max(void)
++{
++ /*
++ * The pool_max values must never be smaller than
++ * ARCH_KMALLOC_MINALIGN.
++ */
++ if (ARCH_KMALLOC_MINALIGN <= 32)
++ ; /* Original value is okay */
++ else if (ARCH_KMALLOC_MINALIGN <= 64)
++ pool_max[0] = 64;
++ else if (ARCH_KMALLOC_MINALIGN <= 128)
++ pool_max[0] = 0; /* Don't use this pool */
++ else
++ BUILD_BUG(); /* We don't allow this */
++}
+
+ /* SETUP primitives */
+
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -1049,6 +1049,7 @@ static int __init usb_init(void)
+ pr_info("%s: USB support disabled\n", usbcore_name);
+ return 0;
+ }
++ usb_init_pool_max();
+
+ retval = usb_debugfs_init();
+ if (retval)
+--- a/include/linux/usb/hcd.h
++++ b/include/linux/usb/hcd.h
+@@ -453,6 +453,7 @@ extern const struct dev_pm_ops usb_hcd_p
+ #endif /* CONFIG_PCI */
+
+ /* pci-ish (pdev null is ok) buffer alloc/mapping support */
++void usb_init_pool_max(void);
+ int hcd_buffer_create(struct usb_hcd *hcd);
+ void hcd_buffer_destroy(struct usb_hcd *hcd);
+
--- /dev/null
+From a6f0331236fa75afba14bbcf6668d42cebb55c43 Mon Sep 17 00:00:00 2001
+From: Lennart Sorensen <lsorense@csclub.uwaterloo.ca>
+Date: Wed, 21 Jan 2015 15:24:27 -0500
+Subject: USB: cp210x: add ID for RUGGEDCOM USB Serial Console
+
+From: Lennart Sorensen <lsorense@csclub.uwaterloo.ca>
+
+commit a6f0331236fa75afba14bbcf6668d42cebb55c43 upstream.
+
+Added the USB serial console device ID for Siemens Ruggedcom devices
+which have a USB port for their serial console.
+
+Signed-off-by: Len Sorensen <lsorense@csclub.uwaterloo.ca>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -56,6 +56,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x0846, 0x1100) }, /* NetGear Managed Switch M4100 series, M5300 series, M7100 series */
+ { USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */
+ { USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC Device */
++ { USB_DEVICE(0x0908, 0x01FF) }, /* Siemens RUGGEDCOM USB Serial Console */
+ { USB_DEVICE(0x0BED, 0x1100) }, /* MEI (TM) Cashflow-SC Bill/Voucher Acceptor */
+ { USB_DEVICE(0x0BED, 0x1101) }, /* MEI series 2000 Combo Acceptor */
+ { USB_DEVICE(0x0FCF, 0x1003) }, /* Dynastream ANT development board */
--- /dev/null
+From 524134d422316a59d5464ccbc12036bbe90c5563 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 21 Jan 2015 14:02:43 -0500
+Subject: USB: don't cancel queued resets when unbinding drivers
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 524134d422316a59d5464ccbc12036bbe90c5563 upstream.
+
+The USB stack provides a mechanism for drivers to request an
+asynchronous device reset (usb_queue_reset_device()). The mechanism
+uses a work item (reset_ws) embedded in the usb_interface structure
+used by the driver, and the reset is carried out by a work queue
+routine.
+
+The asynchronous reset can race with driver unbinding. When this
+happens, we try to cancel the queued reset before unbinding the
+driver, on the theory that the driver won't care about any resets once
+it is unbound.
+
+However, thanks to the fact that lockdep now tracks work queue
+accesses, this can provoke a lockdep warning in situations where the
+device reset causes another interface's driver to be unbound; see
+
+ http://marc.info/?l=linux-usb&m=141893165203776&w=2
+
+for an example. The reason is that the work routine for reset_ws in
+one interface calls cancel_queued_work() for the reset_ws in another
+interface. Lockdep thinks this might lead to a work routine trying to
+cancel itself. The simplest solution is not to cancel queued resets
+when unbinding drivers.
+
+This means we now need to acquire a reference to the usb_interface
+when queuing a reset_ws work item and to drop the reference when the
+work routine finishes. We also need to make sure that the
+usb_interface structure doesn't outlive its parent usb_device; this
+means acquiring and dropping a reference when the interface is created
+and destroyed.
+
+In addition, cancelling a queued reset can fail (if the device is in
+the middle of an earlier reset), and this can cause usb_reset_device()
+to try to rebind an interface that has been deallocated (see
+http://marc.info/?l=linux-usb&m=142175717016628&w=2 for details).
+Acquiring the extra references prevents this failure.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Russell King - ARM Linux <linux@arm.linux.org.uk>
+Reported-by: Olivier Sobrie <olivier@sobrie.be>
+Tested-by: Olivier Sobrie <olivier@sobrie.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/driver.c | 17 -----------------
+ drivers/usb/core/hub.c | 25 +++++++++----------------
+ drivers/usb/core/message.c | 23 +++--------------------
+ include/linux/usb.h | 5 -----
+ 4 files changed, 12 insertions(+), 58 deletions(-)
+
+--- a/drivers/usb/core/driver.c
++++ b/drivers/usb/core/driver.c
+@@ -275,21 +275,6 @@ static int usb_unbind_device(struct devi
+ return 0;
+ }
+
+-/*
+- * Cancel any pending scheduled resets
+- *
+- * [see usb_queue_reset_device()]
+- *
+- * Called after unconfiguring / when releasing interfaces. See
+- * comments in __usb_queue_reset_device() regarding
+- * udev->reset_running.
+- */
+-static void usb_cancel_queued_reset(struct usb_interface *iface)
+-{
+- if (iface->reset_running == 0)
+- cancel_work_sync(&iface->reset_ws);
+-}
+-
+ /* called from driver core with dev locked */
+ static int usb_probe_interface(struct device *dev)
+ {
+@@ -380,7 +365,6 @@ static int usb_probe_interface(struct de
+ usb_set_intfdata(intf, NULL);
+ intf->needs_remote_wakeup = 0;
+ intf->condition = USB_INTERFACE_UNBOUND;
+- usb_cancel_queued_reset(intf);
+
+ /* If the LPM disable succeeded, balance the ref counts. */
+ if (!lpm_disable_error)
+@@ -425,7 +409,6 @@ static int usb_unbind_interface(struct d
+ usb_disable_interface(udev, intf, false);
+
+ driver->disconnect(intf);
+- usb_cancel_queued_reset(intf);
+
+ /* Free streams */
+ for (i = 0, j = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5589,26 +5589,19 @@ EXPORT_SYMBOL_GPL(usb_reset_device);
+ * possible; depending on how the driver attached to each interface
+ * handles ->pre_reset(), the second reset might happen or not.
+ *
+- * - If a driver is unbound and it had a pending reset, the reset will
+- * be cancelled.
++ * - If the reset is delayed so long that the interface is unbound from
++ * its driver, the reset will be skipped.
+ *
+- * - This function can be called during .probe() or .disconnect()
+- * times. On return from .disconnect(), any pending resets will be
+- * cancelled.
+- *
+- * There is no no need to lock/unlock the @reset_ws as schedule_work()
+- * does its own.
+- *
+- * NOTE: We don't do any reference count tracking because it is not
+- * needed. The lifecycle of the work_struct is tied to the
+- * usb_interface. Before destroying the interface we cancel the
+- * work_struct, so the fact that work_struct is queued and or
+- * running means the interface (and thus, the device) exist and
+- * are referenced.
++ * - This function can be called during .probe(). It can also be called
++ * during .disconnect(), but doing so is pointless because the reset
++ * will not occur. If you really want to reset the device during
++ * .disconnect(), call usb_reset_device() directly -- but watch out
++ * for nested unbinding issues!
+ */
+ void usb_queue_reset_device(struct usb_interface *iface)
+ {
+- schedule_work(&iface->reset_ws);
++ if (schedule_work(&iface->reset_ws))
++ usb_get_intf(iface);
+ }
+ EXPORT_SYMBOL_GPL(usb_queue_reset_device);
+
+--- a/drivers/usb/core/message.c
++++ b/drivers/usb/core/message.c
+@@ -1551,6 +1551,7 @@ static void usb_release_interface(struct
+ altsetting_to_usb_interface_cache(intf->altsetting);
+
+ kref_put(&intfc->ref, usb_release_interface_cache);
++ usb_put_dev(interface_to_usbdev(intf));
+ kfree(intf);
+ }
+
+@@ -1626,24 +1627,6 @@ static struct usb_interface_assoc_descri
+
+ /*
+ * Internal function to queue a device reset
+- *
+- * This is initialized into the workstruct in 'struct
+- * usb_device->reset_ws' that is launched by
+- * message.c:usb_set_configuration() when initializing each 'struct
+- * usb_interface'.
+- *
+- * It is safe to get the USB device without reference counts because
+- * the life cycle of @iface is bound to the life cycle of @udev. Then,
+- * this function will be ran only if @iface is alive (and before
+- * freeing it any scheduled instances of it will have been cancelled).
+- *
+- * We need to set a flag (usb_dev->reset_running) because when we call
+- * the reset, the interfaces might be unbound. The current interface
+- * cannot try to remove the queued work as it would cause a deadlock
+- * (you cannot remove your work from within your executing
+- * workqueue). This flag lets it know, so that
+- * usb_cancel_queued_reset() doesn't try to do it.
+- *
+ * See usb_queue_reset_device() for more details
+ */
+ static void __usb_queue_reset_device(struct work_struct *ws)
+@@ -1655,11 +1638,10 @@ static void __usb_queue_reset_device(str
+
+ rc = usb_lock_device_for_reset(udev, iface);
+ if (rc >= 0) {
+- iface->reset_running = 1;
+ usb_reset_device(udev);
+- iface->reset_running = 0;
+ usb_unlock_device(udev);
+ }
++ usb_put_intf(iface); /* Undo _get_ in usb_queue_reset_device() */
+ }
+
+
+@@ -1854,6 +1836,7 @@ free_interfaces:
+ dev_set_name(&intf->dev, "%d-%s:%d.%d",
+ dev->bus->busnum, dev->devpath,
+ configuration, alt->desc.bInterfaceNumber);
++ usb_get_dev(dev);
+ }
+ kfree(new_interfaces);
+
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -127,10 +127,6 @@ enum usb_interface_condition {
+ * to the sysfs representation for that device.
+ * @pm_usage_cnt: PM usage counter for this interface
+ * @reset_ws: Used for scheduling resets from atomic context.
+- * @reset_running: set to 1 if the interface is currently running a
+- * queued reset so that usb_cancel_queued_reset() doesn't try to
+- * remove from the workqueue when running inside the worker
+- * thread. See __usb_queue_reset_device().
+ * @resetting_device: USB core reset the device, so use alt setting 0 as
+ * current; needs bandwidth alloc after reset.
+ *
+@@ -181,7 +177,6 @@ struct usb_interface {
+ unsigned needs_remote_wakeup:1; /* driver requires remote wakeup */
+ unsigned needs_altsetting0:1; /* switch to altsetting 0 is pending */
+ unsigned needs_binding:1; /* needs delayed unbind/rebind */
+- unsigned reset_running:1;
+ unsigned resetting_device:1; /* true: bandwidth alloc after reset */
+
+ struct device dev; /* interface specific device info */
--- /dev/null
+From 5c7b3b02de766a8634708953e805399e3544a290 Mon Sep 17 00:00:00 2001
+From: Felipe Balbi <balbi@ti.com>
+Date: Thu, 29 Jan 2015 10:29:18 -0600
+Subject: usb: dwc3: gadget: add missing spin_lock()
+
+From: Felipe Balbi <balbi@ti.com>
+
+commit 5c7b3b02de766a8634708953e805399e3544a290 upstream.
+
+commit 8e74475b0e0a (usb: dwc3: gadget: use udc-core's
+reset notifier) added support for the new UDC core's
+reset notifier to dwc3 but while at it, it removed
+a spin_lock() from dwc3_reset_gadget() which might
+cause an unbalanced spin_unlock() further down the line
+
+Fixes: 8e74475b0e0a (usb: dwc3: gadget: use udc-core's reset notifier)
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2043,6 +2043,7 @@ static void dwc3_resume_gadget(struct dw
+ if (dwc->gadget_driver && dwc->gadget_driver->resume) {
+ spin_unlock(&dwc->lock);
+ dwc->gadget_driver->resume(&dwc->gadget);
++ spin_lock(&dwc->lock);
+ }
+ }
+
--- /dev/null
+From c99197902da284b4b723451c1471c45b18537cde Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 30 Jan 2015 12:58:26 -0500
+Subject: USB: fix use-after-free bug in usb_hcd_unlink_urb()
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit c99197902da284b4b723451c1471c45b18537cde upstream.
+
+The usb_hcd_unlink_urb() routine in hcd.c contains two possible
+use-after-free errors. The dev_dbg() statement at the end of the
+routine dereferences urb and urb->dev even though both structures may
+have been deallocated.
+
+This patch fixes the problem by storing urb->dev in a local variable
+(avoiding the dereference of urb) and moving the dev_dbg() up before
+the usb_put_dev() call.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Joe Lawrence <joe.lawrence@stratus.com>
+Tested-by: Joe Lawrence <joe.lawrence@stratus.com>
+Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hcd.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -1618,6 +1618,7 @@ static int unlink1(struct usb_hcd *hcd,
+ int usb_hcd_unlink_urb (struct urb *urb, int status)
+ {
+ struct usb_hcd *hcd;
++ struct usb_device *udev = urb->dev;
+ int retval = -EIDRM;
+ unsigned long flags;
+
+@@ -1629,20 +1630,19 @@ int usb_hcd_unlink_urb (struct urb *urb,
+ spin_lock_irqsave(&hcd_urb_unlink_lock, flags);
+ if (atomic_read(&urb->use_count) > 0) {
+ retval = 0;
+- usb_get_dev(urb->dev);
++ usb_get_dev(udev);
+ }
+ spin_unlock_irqrestore(&hcd_urb_unlink_lock, flags);
+ if (retval == 0) {
+ hcd = bus_to_hcd(urb->dev->bus);
+ retval = unlink1(hcd, urb, status);
+- usb_put_dev(urb->dev);
++ if (retval == 0)
++ retval = -EINPROGRESS;
++ else if (retval != -EIDRM && retval != -EBUSY)
++ dev_dbg(&udev->dev, "hcd_unlink_urb %p fail %d\n",
++ urb, retval);
++ usb_put_dev(udev);
+ }
+-
+- if (retval == 0)
+- retval = -EINPROGRESS;
+- else if (retval != -EIDRM && retval != -EBUSY)
+- dev_dbg(&urb->dev->dev, "hcd_unlink_urb %p fail %d\n",
+- urb, retval);
+ return retval;
+ }
+
--- /dev/null
+From fbba7db3990cb707ff91cd6507d53a0a730afe97 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 28 Jan 2015 22:51:04 +0100
+Subject: usb: musb: add omap-control dependency
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit fbba7db3990cb707ff91cd6507d53a0a730afe97 upstream.
+
+The omap musb front-end calls into the phy driver directly
+instead of using a generic phy interface, which causes a link
+error when the specific driver is not built-in:
+
+drivers/built-in.o: In function `omap2430_musb_disable':
+usb/musb/omap2430.c:480: undefined reference to `omap_control_usb_set_mode'
+drivers/built-in.o: In function `omap2430_musb_enable':
+usb/musb/omap2430.c:466: undefined reference to `omap_control_usb_set_mode'
+usb/musb/omap2430.c:447: undefined reference to `omap_control_usb_set_mode'
+drivers/built-in.o: In function `omap_musb_set_mailbox':
+usb/musb/omap2430.c:273: undefined reference to `omap_control_usb_set_mode'
+usb/musb/omap2430.c:304: undefined reference to `omap_control_usb_set_mode'
+drivers/built-in.o:(.debug_addr+0xbd9e0): more undefined references to `omap_control_usb_set_mode' follow
+
+This adds an explicit dependency.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Fixes: ca784be36cc725 ("usb: start using the control module driver")
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/musb/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/musb/Kconfig
++++ b/drivers/usb/musb/Kconfig
+@@ -77,7 +77,7 @@ config USB_MUSB_TUSB6010
+
+ config USB_MUSB_OMAP2PLUS
+ tristate "OMAP2430 and onwards"
+- depends on ARCH_OMAP2PLUS && USB
++ depends on ARCH_OMAP2PLUS && USB && OMAP_CONTROL_PHY
+ select GENERIC_PHY
+
+ config USB_MUSB_AM35X
--- /dev/null
+From 19e3ae6b4f07a87822c1c9e7ed99d31860e701af Mon Sep 17 00:00:00 2001
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+Date: Fri, 23 Jan 2015 17:07:21 -0500
+Subject: vt: provide notifications on selection changes
+
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+
+commit 19e3ae6b4f07a87822c1c9e7ed99d31860e701af upstream.
+
+The vcs device's poll/fasync support relies on the vt notifier to signal
+changes to the screen content. Notifier invocations were missing for
+changes that comes through the selection interface though. Fix that.
+
+Tested with BRLTTY 5.2.
+
+Signed-off-by: Nicolas Pitre <nico@linaro.org>
+Cc: Dave Mielke <dave@mielke.cc>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/vt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -500,6 +500,7 @@ void invert_screen(struct vc_data *vc, i
+ #endif
+ if (DO_UPDATE(vc))
+ do_update_region(vc, (unsigned long) p, count);
++ notify_update(vc);
+ }
+
+ /* used by selection: complement pointer position */
+@@ -516,6 +517,7 @@ void complement_pos(struct vc_data *vc,
+ scr_writew(old, screenpos(vc, old_offset, 1));
+ if (DO_UPDATE(vc))
+ vc->vc_sw->con_putc(vc, old, oldy, oldx);
++ notify_update(vc);
+ }
+
+ old_offset = offset;
+@@ -533,8 +535,8 @@ void complement_pos(struct vc_data *vc,
+ oldy = (offset >> 1) / vc->vc_cols;
+ vc->vc_sw->con_putc(vc, new, oldy, oldx);
+ }
++ notify_update(vc);
+ }
+-
+ }
+
+ static void insert_char(struct vc_data *vc, unsigned int nr)
projects / thirdparty / kernel / stable-queue.git / commitdiff
