--- /dev/null
+From f93a25b38cbd840f26c9fd2dd8a6611a57b259b7 Mon Sep 17 00:00:00 2001
+From: Arend van Spriel <arend@broadcom.com>
+Date: Fri, 20 Mar 2015 22:18:17 +0100
+Subject: brcmfmac: disable MBSS feature for BCM43362
+
+From: Arend van Spriel <arend@broadcom.com>
+
+commit f93a25b38cbd840f26c9fd2dd8a6611a57b259b7 upstream.
+
+The BCM43362 firmware falsely reports it is capable of providing
+MBSS. As a result AP mode no longer works for this device. Therefor
+disable MBSS in the driver for this chipset.
+
+Reported-by: Jorg Krause <jkrause@posteo.de>
+Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
+Signed-off-by: Arend van Spriel <arend@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/brcm80211/brcmfmac/feature.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/brcm80211/brcmfmac/feature.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/feature.c
+@@ -126,7 +126,8 @@ void brcmf_feat_attach(struct brcmf_pub
+ brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_MCHAN, "mchan");
+ if (drvr->bus_if->wowl_supported)
+ brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_WOWL, "wowl");
+- brcmf_feat_iovar_int_set(ifp, BRCMF_FEAT_MBSS, "mbss", 0);
++ if (drvr->bus_if->chip != BRCM_CC_43362_CHIP_ID)
++ brcmf_feat_iovar_int_set(ifp, BRCMF_FEAT_MBSS, "mbss", 0);
+
+ /* set chip related quirks */
+ switch (drvr->bus_if->chip) {
--- /dev/null
+From e1e9bda22d7ddf88515e8fe401887e313922823e Mon Sep 17 00:00:00 2001
+From: David Disseldorp <ddiss@suse.de>
+Date: Fri, 13 Mar 2015 14:20:29 +0100
+Subject: cifs: fix use-after-free bug in find_writable_file
+
+From: David Disseldorp <ddiss@suse.de>
+
+commit e1e9bda22d7ddf88515e8fe401887e313922823e upstream.
+
+Under intermittent network outages, find_writable_file() is susceptible
+to the following race condition, which results in a user-after-free in
+the cifs_writepages code-path:
+
+Thread 1 Thread 2
+======== ========
+
+inv_file = NULL
+refind = 0
+spin_lock(&cifs_file_list_lock)
+
+// invalidHandle found on openFileList
+
+inv_file = open_file
+// inv_file->count currently 1
+
+cifsFileInfo_get(inv_file)
+// inv_file->count = 2
+
+spin_unlock(&cifs_file_list_lock);
+
+cifs_reopen_file() cifs_close()
+// fails (rc != 0) ->cifsFileInfo_put()
+ spin_lock(&cifs_file_list_lock)
+ // inv_file->count = 1
+ spin_unlock(&cifs_file_list_lock)
+
+spin_lock(&cifs_file_list_lock);
+list_move_tail(&inv_file->flist,
+ &cifs_inode->openFileList);
+spin_unlock(&cifs_file_list_lock);
+
+cifsFileInfo_put(inv_file);
+->spin_lock(&cifs_file_list_lock)
+
+ // inv_file->count = 0
+ list_del(&cifs_file->flist);
+ // cleanup!!
+ kfree(cifs_file);
+
+ spin_unlock(&cifs_file_list_lock);
+
+spin_lock(&cifs_file_list_lock);
+++refind;
+// refind = 1
+goto refind_writable;
+
+At this point we loop back through with an invalid inv_file pointer
+and a refind value of 1. On second pass, inv_file is not overwritten on
+openFileList traversal, and is subsequently dereferenced.
+
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Reviewed-by: Jeff Layton <jlayton@samba.org>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/file.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -1829,6 +1829,7 @@ refind_writable:
+ cifsFileInfo_put(inv_file);
+ spin_lock(&cifs_file_list_lock);
+ ++refind;
++ inv_file = NULL;
+ goto refind_writable;
+ }
+ }
--- /dev/null
+From 2477bc58d49edb1c0baf59df7dc093dce682af2b Mon Sep 17 00:00:00 2001
+From: Sachin Prabhu <sprabhu@redhat.com>
+Date: Wed, 4 Feb 2015 13:10:26 +0000
+Subject: cifs: smb2_clone_range() - exit on unhandled error
+
+From: Sachin Prabhu <sprabhu@redhat.com>
+
+commit 2477bc58d49edb1c0baf59df7dc093dce682af2b upstream.
+
+While attempting to clone a file on a samba server, we receive a
+STATUS_INVALID_DEVICE_REQUEST. This is mapped to -EOPNOTSUPP which
+isn't handled in smb2_clone_range(). We end up looping in the while loop
+making same call to the samba server over and over again.
+
+The proposed fix is to exit and return the error value when encountered
+with an unhandled error.
+
+Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
+Signed-off-by: Steve French <steve.french@primarydata.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2ops.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -684,7 +684,8 @@ smb2_clone_range(const unsigned int xid,
+
+ /* No need to change MaxChunks since already set to 1 */
+ chunk_sizes_updated = true;
+- }
++ } else
++ goto cchunk_out;
+ }
+
+ cchunk_out:
--- /dev/null
+From 41d9489319f28f06cf51731131bc353d5a6bce59 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Mon, 23 Mar 2015 14:16:38 +1100
+Subject: drivers/of: Add empty ranges quirk for PA-Semi
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit 41d9489319f28f06cf51731131bc353d5a6bce59 upstream.
+
+The "sdc" node is missing the ranges property, it needs to be treated
+as having an empty one otherwise translation fails for its children.
+
+Fixes 746c9e9f92dd, "of/base: Fix PowerPC address parsing hack"
+
+Tested-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Grant Likely <grant.likely@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/address.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -450,12 +450,17 @@ static struct of_bus *of_match_bus(struc
+ return NULL;
+ }
+
+-static int of_empty_ranges_quirk(void)
++static int of_empty_ranges_quirk(struct device_node *np)
+ {
+ if (IS_ENABLED(CONFIG_PPC)) {
+- /* To save cycles, we cache the result */
++ /* To save cycles, we cache the result for global "Mac" setting */
+ static int quirk_state = -1;
+
++ /* PA-SEMI sdc DT bug */
++ if (of_device_is_compatible(np, "1682m-sdc"))
++ return true;
++
++ /* Make quirk cached */
+ if (quirk_state < 0)
+ quirk_state =
+ of_machine_is_compatible("Power Macintosh") ||
+@@ -490,7 +495,7 @@ static int of_translate_one(struct devic
+ * This code is only enabled on powerpc. --gcl
+ */
+ ranges = of_get_property(parent, rprop, &rlen);
+- if (ranges == NULL && !of_empty_ranges_quirk()) {
++ if (ranges == NULL && !of_empty_ranges_quirk(parent)) {
+ pr_debug("OF: no ranges; cannot translate\n");
+ return 1;
+ }
--- /dev/null
+From 71684406905f98f86a85e008b51f5c4c5d83af5a Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Wed, 4 Mar 2015 11:30:10 -0700
+Subject: iommu/vt-d: Detach domain *only* from attached iommus
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 71684406905f98f86a85e008b51f5c4c5d83af5a upstream.
+
+Device domains never span IOMMU hardware units, which allows the
+domain ID space for each IOMMU to be an independent address space.
+Therefore we can have multiple, independent domains, each with the
+same domain->id, but attached to different hardware units. This is
+also why we need to do a heavy-weight search for VM domains since
+they can span multiple IOMMUs hardware units and we don't require a
+single global ID to use for all hardware units.
+
+Therefore, if we call iommu_detach_domain() across all active IOMMU
+hardware units for a non-VM domain, the result is that we clear domain
+IDs that are not associated with our domain, allowing them to be
+re-allocated and causing apparent coherency issues when the device
+cannot access IOVAs for the intended domain.
+
+This bug was introduced in commit fb170fb4c548 ("iommu/vt-d: Introduce
+helper functions to make code symmetric for readability"), but is
+significantly exacerbated by the more recent commit 62c22167dd70
+("iommu/vt-d: Fix dmar_domain leak in iommu_attach_device") which calls
+domain_exit() more frequently to resolve a domain leak.
+
+Fixes: fb170fb4c548 ("iommu/vt-d: Introduce helper functions to make code symmetric for readability")
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Cc: Jiang Liu <jiang.liu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/intel-iommu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -1749,8 +1749,8 @@ static int domain_init(struct dmar_domai
+ static void domain_exit(struct dmar_domain *domain)
+ {
+ struct dmar_drhd_unit *drhd;
+- struct intel_iommu *iommu;
+ struct page *freelist = NULL;
++ int i;
+
+ /* Domain 0 is reserved, so dont process it */
+ if (!domain)
+@@ -1770,8 +1770,8 @@ static void domain_exit(struct dmar_doma
+
+ /* clear attached or cached domains */
+ rcu_read_lock();
+- for_each_active_iommu(iommu, drhd)
+- iommu_detach_domain(domain, iommu);
++ for_each_set_bit(i, domain->iommu_bmp, g_num_of_iommus)
++ iommu_detach_domain(domain, g_iommus[i]);
+ rcu_read_unlock();
+
+ dma_free_pagelist(freelist);
--- /dev/null
+From fb5ef9e7da39968fec6d6f37f20a23d23740c75e Mon Sep 17 00:00:00 2001
+From: Peter Hurley <peter@hurleysoftware.com>
+Date: Fri, 16 Jan 2015 15:05:39 -0500
+Subject: n_tty: Fix read buffer overwrite when no newline
+
+From: Peter Hurley <peter@hurleysoftware.com>
+
+commit fb5ef9e7da39968fec6d6f37f20a23d23740c75e upstream.
+
+In canon mode, the read buffer head will advance over the buffer tail
+if the input > 4095 bytes without receiving a line termination char.
+
+Discard additional input until a line termination is received.
+Before evaluating for overflow, the 'room' value is normalized for
+I_PARMRK and 1 byte is reserved for line termination (even in !icanon
+mode, in case the mode is switched). The following table shows the
+transform:
+
+ actual buffer | 'room' value before overflow calc
+ space avail | !I_PARMRK | I_PARMRK
+ --------------------------------------------------
+ 0 | -1 | -1
+ 1 | 0 | 0
+ 2 | 1 | 0
+ 3 | 2 | 0
+ 4+ | 3 | 1
+
+When !icanon or when icanon and the read buffer contains newlines,
+normalized 'room' values of -1 and 0 are clamped to 0, and
+'overflow' is 0, so read_head is not adjusted and the input i/o loop
+exits (setting no_room if called from flush_to_ldisc()). No input
+is discarded since the reader does have input available to read
+which ensures forward progress.
+
+When icanon and the read buffer does not contain newlines and the
+normalized 'room' value is 0, then overflow and room are reset to 1,
+so that the i/o loop will process the next input char normally
+(except for parity errors which are ignored). Thus, erasures, signalling
+chars, 7-bit mode, etc. will continue to be handled properly.
+
+If the input char processed was not a line termination char, then
+the canon_head index will not have advanced, so the normalized 'room'
+value will now be -1 and 'overflow' will be set, which indicates the
+read_head can safely be reset, effectively erasing the last char
+processed.
+
+If the input char processed was a line termination, then the
+canon_head index will have advanced, so 'overflow' is cleared to 0,
+the read_head is not reset, and 'room' is cleared to 0, which exits
+the i/o loop (because the reader now have input available to read
+which ensures forward progress).
+
+Note that it is possible for a line termination to be received, and
+for the reader to copy the line to the user buffer before the
+input i/o loop is ready to process the next input char. This is
+why the i/o loop recomputes the room/overflow state with every
+input char while handling overflow.
+
+Finally, if the input data was processed without receiving
+a line termination (so that overflow is still set), the pty
+driver must receive a write wakeup. A pty writer may be waiting
+to write more data in n_tty_write() but without unthrottling
+here that wakeup will not arrive, and forward progress will halt.
+(Normally, the pty writer is woken when the reader reads data out
+of the buffer and more space become available).
+
+Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+(backported from commit fb5ef9e7da39968fec6d6f37f20a23d23740c75e)
+Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
+---
+ drivers/tty/n_tty.c | 106 ++++++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 79 insertions(+), 27 deletions(-)
+
+--- a/drivers/tty/n_tty.c
++++ b/drivers/tty/n_tty.c
+@@ -247,8 +247,6 @@ static void n_tty_write_wakeup(struct tt
+
+ static void n_tty_check_throttle(struct tty_struct *tty)
+ {
+- if (tty->driver->type == TTY_DRIVER_TYPE_PTY)
+- return;
+ /*
+ * Check the remaining room for the input canonicalization
+ * mode. We don't want to throttle the driver if we're in
+@@ -1512,23 +1510,6 @@ n_tty_receive_char_lnext(struct tty_stru
+ n_tty_receive_char_flagged(tty, c, flag);
+ }
+
+-/**
+- * n_tty_receive_buf - data receive
+- * @tty: terminal device
+- * @cp: buffer
+- * @fp: flag buffer
+- * @count: characters
+- *
+- * Called by the terminal driver when a block of characters has
+- * been received. This function must be called from soft contexts
+- * not from interrupt context. The driver is responsible for making
+- * calls one at a time and in order (or using flush_to_ldisc)
+- *
+- * n_tty_receive_buf()/producer path:
+- * claims non-exclusive termios_rwsem
+- * publishes read_head and canon_head
+- */
+-
+ static void
+ n_tty_receive_buf_real_raw(struct tty_struct *tty, const unsigned char *cp,
+ char *fp, int count)
+@@ -1684,24 +1665,85 @@ static void __receive_buf(struct tty_str
+ }
+ }
+
++/**
++ * n_tty_receive_buf_common - process input
++ * @tty: device to receive input
++ * @cp: input chars
++ * @fp: flags for each char (if NULL, all chars are TTY_NORMAL)
++ * @count: number of input chars in @cp
++ *
++ * Called by the terminal driver when a block of characters has
++ * been received. This function must be called from soft contexts
++ * not from interrupt context. The driver is responsible for making
++ * calls one at a time and in order (or using flush_to_ldisc)
++ *
++ * Returns the # of input chars from @cp which were processed.
++ *
++ * In canonical mode, the maximum line length is 4096 chars (including
++ * the line termination char); lines longer than 4096 chars are
++ * truncated. After 4095 chars, input data is still processed but
++ * not stored. Overflow processing ensures the tty can always
++ * receive more input until at least one line can be read.
++ *
++ * In non-canonical mode, the read buffer will only accept 4095 chars;
++ * this provides the necessary space for a newline char if the input
++ * mode is switched to canonical.
++ *
++ * Note it is possible for the read buffer to _contain_ 4096 chars
++ * in non-canonical mode: the read buffer could already contain the
++ * maximum canon line of 4096 chars when the mode is switched to
++ * non-canonical.
++ *
++ * n_tty_receive_buf()/producer path:
++ * claims non-exclusive termios_rwsem
++ * publishes commit_head or canon_head
++ */
+ static int
+ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp,
+ char *fp, int count, int flow)
+ {
+ struct n_tty_data *ldata = tty->disc_data;
+- int room, n, rcvd = 0;
++ int room, n, rcvd = 0, overflow;
+
+ down_read(&tty->termios_rwsem);
+
+ while (1) {
+- room = receive_room(tty);
++ /*
++ * When PARMRK is set, each input char may take up to 3 chars
++ * in the read buf; reduce the buffer space avail by 3x
++ *
++ * If we are doing input canonicalization, and there are no
++ * pending newlines, let characters through without limit, so
++ * that erase characters will be handled. Other excess
++ * characters will be beeped.
++ *
++ * paired with store in *_copy_from_read_buf() -- guarantees
++ * the consumer has loaded the data in read_buf up to the new
++ * read_tail (so this producer will not overwrite unread data)
++ */
++ size_t tail = ldata->read_tail;
++
++ room = N_TTY_BUF_SIZE - (ldata->read_head - tail);
++ if (I_PARMRK(tty))
++ room = (room + 2) / 3;
++ room--;
++ if (room <= 0) {
++ overflow = ldata->icanon && ldata->canon_head == tail;
++ if (overflow && room < 0)
++ ldata->read_head--;
++ room = overflow;
++ ldata->no_room = flow && !room;
++ } else
++ overflow = 0;
++
+ n = min(count, room);
+- if (!n) {
+- if (flow && !room)
+- ldata->no_room = 1;
++ if (!n)
+ break;
+- }
+- __receive_buf(tty, cp, fp, n);
++
++ /* ignore parity errors if handling overflow */
++ if (!overflow || !fp || *fp != TTY_PARITY)
++ __receive_buf(tty, cp, fp, n);
++
+ cp += n;
+ if (fp)
+ fp += n;
+@@ -1710,7 +1752,17 @@ n_tty_receive_buf_common(struct tty_stru
+ }
+
+ tty->receive_room = room;
+- n_tty_check_throttle(tty);
++
++ /* Unthrottle if handling overflow on pty */
++ if (tty->driver->type == TTY_DRIVER_TYPE_PTY) {
++ if (overflow) {
++ tty_set_flow_change(tty, TTY_UNTHROTTLE_SAFE);
++ tty_unthrottle_safe(tty);
++ __tty_set_flow_change(tty, 0);
++ }
++ } else
++ n_tty_check_throttle(tty);
++
+ up_read(&tty->termios_rwsem);
+
+ return rcvd;
--- /dev/null
+From be0b5e635883678bfbc695889772fed545f3427d Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Sat, 21 Mar 2015 15:16:05 -0500
+Subject: rtlwifi: Fix IOMMU mapping leak in AP mode
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit be0b5e635883678bfbc695889772fed545f3427d upstream.
+
+Transmission of an AP beacon does not call the TX interrupt service routine,
+which usually does the cleanup. Instead, cleanup is handled in a tasklet
+completion routine. Unfortunately, this routine has a serious bug in that it does
+not release the DMA mapping before it frees the skb, thus one IOMMU mapping is
+leaked for each beacon. The test system failed with no free IOMMU mapping slots
+approximately one hour after hostapd was used to start an AP.
+
+This issue was reported and tested at https://github.com/lwfinger/rtlwifi_new/issues/30.
+
+Reported-and-tested-by: Kevin Mullican <kevin@mullican.com>
+Cc: Kevin Mullican <kevin@mullican.com>
+Signed-off-by: Shao Fu <shaofu@realtek.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/pci.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rtlwifi/pci.c
++++ b/drivers/net/wireless/rtlwifi/pci.c
+@@ -1118,12 +1118,22 @@ static void _rtl_pci_prepare_bcn_tasklet
+ /*This is for new trx flow*/
+ struct rtl_tx_buffer_desc *pbuffer_desc = NULL;
+ u8 temp_one = 1;
++ u8 *entry;
+
+ memset(&tcb_desc, 0, sizeof(struct rtl_tcb_desc));
+ ring = &rtlpci->tx_ring[BEACON_QUEUE];
+ pskb = __skb_dequeue(&ring->queue);
+- if (pskb)
++ if (rtlpriv->use_new_trx_flow)
++ entry = (u8 *)(&ring->buffer_desc[ring->idx]);
++ else
++ entry = (u8 *)(&ring->desc[ring->idx]);
++ if (pskb) {
++ pci_unmap_single(rtlpci->pdev,
++ rtlpriv->cfg->ops->get_desc(
++ (u8 *)entry, true, HW_DESC_TXBUFF_ADDR),
++ pskb->len, PCI_DMA_TODEVICE);
+ kfree_skb(pskb);
++ }
+
+ /*NB: the beacon data buffer must be 32-bit aligned. */
+ pskb = ieee80211_beacon_get(hw, mac->vif);
cpuidle-acpi-do-not-overwrite-name-and-description-of-c0.patch
usb-xhci-handle-config-error-change-cec-in-xhci-driver.patch
usb-xhci-apply-xhci_avoid_bei-quirk-to-all-intel-xhci-controllers.patch
+tty-serial-fsl_lpuart-specify-transmit-fifo-size.patch
+tty-serial-fsl_lpuart-clear-receive-flag-on-fifo-flush.patch
+n_tty-fix-read-buffer-overwrite-when-no-newline.patch
+cifs-smb2_clone_range-exit-on-unhandled-error.patch
+cifs-fix-use-after-free-bug-in-find_writable_file.patch
+brcmfmac-disable-mbss-feature-for-bcm43362.patch
+iommu-vt-d-detach-domain-only-from-attached-iommus.patch
+rtlwifi-fix-iommu-mapping-leak-in-ap-mode.patch
+drivers-of-add-empty-ranges-quirk-for-pa-semi.patch
--- /dev/null
+From 8e4934c6d6c659e22b1b746af4196683e77ce6ca Mon Sep 17 00:00:00 2001
+From: Stefan Agner <stefan@agner.ch>
+Date: Fri, 13 Mar 2015 14:51:51 +0100
+Subject: tty: serial: fsl_lpuart: clear receive flag on FIFO flush
+
+From: Stefan Agner <stefan@agner.ch>
+
+commit 8e4934c6d6c659e22b1b746af4196683e77ce6ca upstream.
+
+When the receiver was enabled during startup, a character could
+have been in the FIFO when the UART get initially used. The
+driver configures the (receive) watermark level, and flushes the
+FIFO. However, the receive flag (RDRF) could still be set at that
+stage (as mentioned in the register description of UARTx_RWFIFO).
+This leads to an interrupt which won't be handled properly in
+interrupt mode: The receive interrupt function lpuart_rxint checks
+the FIFO count, which is 0 at that point (due to the flush
+during initialization). The problem does not manifest when using
+DMA to receive characters.
+
+Fix this situation by explicitly read the status register, which
+leads to clearing of the RDRF flag. Due to the flush just after
+the status flag read, a explicit data read is not to required.
+
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/fsl_lpuart.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -910,6 +910,9 @@ static void lpuart_setup_watermark(struc
+ writeb(val | UARTPFIFO_TXFE | UARTPFIFO_RXFE,
+ sport->port.membase + UARTPFIFO);
+
++ /* explicitly clear RDRF */
++ readb(sport->port.membase + UARTSR1);
++
+ /* flush Tx and Rx FIFO */
+ writeb(UARTCFIFO_TXFLUSH | UARTCFIFO_RXFLUSH,
+ sport->port.membase + UARTCFIFO);
--- /dev/null
+From 4e8f245937091b2c9eebf3d4909c9ceda4f0a78e Mon Sep 17 00:00:00 2001
+From: Stefan Agner <stefan@agner.ch>
+Date: Fri, 13 Mar 2015 14:51:50 +0100
+Subject: tty: serial: fsl_lpuart: specify transmit FIFO size
+
+From: Stefan Agner <stefan@agner.ch>
+
+commit 4e8f245937091b2c9eebf3d4909c9ceda4f0a78e upstream.
+
+Specify transmit FIFO size which might be different depending on
+LPUART instance. This makes sure uart_wait_until_sent in serial
+core getting called, which in turn waits and checks if the FIFO
+is really empty on shutdown by using the tx_empty callback.
+Without the call of this callback, the last several characters
+might not yet be transmitted when closing the serial port. This
+can be reproduced by simply using echo and redirect the output to
+a ttyLP device.
+
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/fsl_lpuart.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -1095,6 +1095,8 @@ static int lpuart_startup(struct uart_po
+ sport->txfifo_size = 0x1 << (((temp >> UARTPFIFO_TXSIZE_OFF) &
+ UARTPFIFO_FIFOSIZE_MASK) + 1);
+
++ sport->port.fifosize = sport->txfifo_size;
++
+ sport->rxfifo_size = 0x1 << (((temp >> UARTPFIFO_RXSIZE_OFF) &
+ UARTPFIFO_FIFOSIZE_MASK) + 1);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
