3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 10 May 2015 12:47:29 +0000 (14:47 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 10 May 2015 12:47:29 +0000 (14:47 +0200)
added patches:
arc-signal-handling-robustify.patch
arm-dts-dove-fix-uart-reg-property.patch
drivers-hv-vmbus-don-t-wait-after-requesting-offers.patch
staging-panel-fix-lcd-type.patch
ubi-fix-soft-lockup-in-ubi_check_volume.patch
usb-gadget-printer-enqueue-printer-s-response-for-setup-request.patch

queue-3.10/arc-signal-handling-robustify.patch [new file with mode: 0644]
queue-3.10/arm-dts-dove-fix-uart-reg-property.patch [new file with mode: 0644]
queue-3.10/drivers-hv-vmbus-don-t-wait-after-requesting-offers.patch [new file with mode: 0644]
queue-3.10/series
queue-3.10/staging-panel-fix-lcd-type.patch [new file with mode: 0644]
queue-3.10/ubi-fix-soft-lockup-in-ubi_check_volume.patch [new file with mode: 0644]
queue-3.10/usb-gadget-printer-enqueue-printer-s-response-for-setup-request.patch [new file with mode: 0644]

diff --git a/queue-3.10/arc-signal-handling-robustify.patch b/queue-3.10/arc-signal-handling-robustify.patch
new file mode 100644 (file)
index 0000000..857fe49
--- /dev/null
@@ -0,0 +1,99 @@
+From e4140819dadc3624accac8294881bca8a3cba4ed Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Thu, 26 Mar 2015 11:14:41 +0530
+Subject: ARC: signal handling robustify
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit e4140819dadc3624accac8294881bca8a3cba4ed upstream.
+
+A malicious signal handler / restorer can DOS the system by fudging the
+user regs saved on stack, causing weird things such as sigreturn returning
+to user mode PC but cpu state still being kernel mode....
+
+Ensure that in sigreturn path status32 always has U bit; any other bogosity
+(gargbage PC etc) will be taken care of by normal user mode exceptions mechanisms.
+
+Reproducer signal handler:
+
+    void handle_sig(int signo, siginfo_t *info, void *context)
+    {
+       ucontext_t *uc = context;
+       struct user_regs_struct *regs = &(uc->uc_mcontext.regs);
+
+       regs->scratch.status32 = 0;
+    }
+
+Before the fix, kernel would go off to weeds like below:
+
+    --------->8-----------
+    [ARCLinux]$ ./signal-test
+    Path: /signal-test
+    CPU: 0 PID: 61 Comm: signal-test Not tainted 4.0.0-rc5+ #65
+    task: 8f177880 ti: 5ffe6000 task.ti: 8f15c000
+
+    [ECR   ]: 0x00220200 => Invalid Write @ 0x00000010 by insn @ 0x00010698
+    [EFA   ]: 0x00000010
+    [BLINK ]: 0x2007c1ee
+    [ERET  ]: 0x10698
+    [STAT32]: 0x00000000 :                                   <--------
+    BTA: 0x00010680     SP: 0x5ffe7e48  FP: 0x00000000
+    LPS: 0x20003c6c    LPE: 0x20003c70 LPC: 0x00000000
+    ...
+    --------->8-----------
+
+Reported-by: Alexey Brodkin <abrodkin@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/kernel/signal.c |   20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/arch/arc/kernel/signal.c
++++ b/arch/arc/kernel/signal.c
+@@ -131,6 +131,15 @@ SYSCALL_DEFINE0(rt_sigreturn)
+       /* Don't restart from sigreturn */
+       syscall_wont_restart(regs);
++      /*
++       * Ensure that sigreturn always returns to user mode (in case the
++       * regs saved on user stack got fudged between save and sigreturn)
++       * Otherwise it is easy to panic the kernel with a custom
++       * signal handler and/or restorer which clobberes the status32/ret
++       * to return to a bogus location in kernel mode.
++       */
++      regs->status32 |= STATUS_U_MASK;
++
+       return regs->r0;
+ badframe:
+@@ -234,8 +243,11 @@ setup_rt_frame(int signo, struct k_sigac
+       /*
+        * handler returns using sigreturn stub provided already by userpsace
++       * If not, nuke the process right away
+        */
+-      BUG_ON(!(ka->sa.sa_flags & SA_RESTORER));
++      if(!(ka->sa.sa_flags & SA_RESTORER))
++              return 1;
++
+       regs->blink = (unsigned long)ka->sa.sa_restorer;
+       /* User Stack for signal handler will be above the frame just carved */
+@@ -302,12 +314,12 @@ handle_signal(unsigned long sig, struct
+             struct pt_regs *regs)
+ {
+       sigset_t *oldset = sigmask_to_save();
+-      int ret;
++      int failed;
+       /* Set up the stack frame */
+-      ret = setup_rt_frame(sig, ka, info, oldset, regs);
++      failed = setup_rt_frame(sig, ka, info, oldset, regs);
+-      if (ret)
++      if (failed)
+               force_sigsegv(sig, current);
+       else
+               signal_delivered(sig, info, ka, regs, 0);
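Review bot: The added `regs->status32 |= STATUS_U_MASK;` in rt_sigreturn forces only the user-mode bit, so every other status32 bit is still taken unchanged from the frame on the user stack, which the changelog itself treats as attacker-controlled. If any of those remaining bits are privileged (not visible from this hunk), the restored value should be masked down to the bits user space may legitimately change rather than having a single bit OR-ed in; at minimum the comment should say which bits are deliberately left alone. Separately, the new check in setup_rt_frame is written `if(!(ka->sa.sa_flags & SA_RESTORER))`, where kernel style wants `if (`. Both functions start and end outside the quoted hunks.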
diff --git a/queue-3.10/arm-dts-dove-fix-uart-reg-property.patch b/queue-3.10/arm-dts-dove-fix-uart-reg-property.patch
new file mode 100644 (file)
index 0000000..cdc3b08
--- /dev/null
@@ -0,0 +1,41 @@
+From a74cd13b807029397f7232449df929bac11fb228 Mon Sep 17 00:00:00 2001
+From: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+Date: Tue, 17 Feb 2015 19:52:04 +0100
+Subject: ARM: dts: dove: Fix uart[23] reg property
+
+From: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+
+commit a74cd13b807029397f7232449df929bac11fb228 upstream.
+
+Fix Dove's register addresses of uart2 and uart3 nodes that seem to
+be broken since ages due to a copy-and-paste error.
+
+Signed-off-by: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+Acked-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/dove.dtsi |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/dove.dtsi
++++ b/arch/arm/boot/dts/dove.dtsi
+@@ -75,7 +75,7 @@
+               uart2: serial@12200 {
+                       compatible = "ns16550a";
+-                      reg = <0x12000 0x100>;
++                      reg = <0x12200 0x100>;
+                       reg-shift = <2>;
+                       interrupts = <9>;
+                       clocks = <&core_clk 0>;
+@@ -84,7 +84,7 @@
+               uart3: serial@12300 {
+                       compatible = "ns16550a";
+-                      reg = <0x12100 0x100>;
++                      reg = <0x12300 0x100>;
+                       reg-shift = <2>;
+                       interrupts = <10>;
+                       clocks = <&core_clk 0>;
diff --git a/queue-3.10/drivers-hv-vmbus-don-t-wait-after-requesting-offers.patch b/queue-3.10/drivers-hv-vmbus-don-t-wait-after-requesting-offers.patch
new file mode 100644 (file)
index 0000000..0ae0e26
--- /dev/null
@@ -0,0 +1,55 @@
+From 73cffdb65e679b98893f484063462c045adcf212 Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+Date: Thu, 19 Mar 2015 08:11:34 -0700
+Subject: Drivers: hv: vmbus: Don't wait after requesting offers
+
+From: "K. Y. Srinivasan" <kys@microsoft.com>
+
+commit 73cffdb65e679b98893f484063462c045adcf212 upstream.
+
+Don't wait after sending request for offers to the host. This wait is
+unnecessary and simply adds 5 seconds to the boot time.
+
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/channel_mgmt.c |   12 +-----------
+ 1 file changed, 1 insertion(+), 11 deletions(-)
+
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -648,7 +648,7 @@ int vmbus_request_offers(void)
+ {
+       struct vmbus_channel_message_header *msg;
+       struct vmbus_channel_msginfo *msginfo;
+-      int ret, t;
++      int ret;
+       msginfo = kmalloc(sizeof(*msginfo) +
+                         sizeof(struct vmbus_channel_message_header),
+@@ -656,8 +656,6 @@ int vmbus_request_offers(void)
+       if (!msginfo)
+               return -ENOMEM;
+-      init_completion(&msginfo->waitevent);
+-
+       msg = (struct vmbus_channel_message_header *)msginfo->msg;
+       msg->msgtype = CHANNELMSG_REQUESTOFFERS;
+@@ -671,14 +669,6 @@ int vmbus_request_offers(void)
+               goto cleanup;
+       }
+-      t = wait_for_completion_timeout(&msginfo->waitevent, 5*HZ);
+-      if (t == 0) {
+-              ret = -ETIMEDOUT;
+-              goto cleanup;
+-      }
+-
+-
+-
+ cleanup:
+       kfree(msginfo);
index 04ca88ae3955719a3dd09be480248c0f068de675..dd0b10eb10d40466dcd0e1c55d2872f3925f6975 100644 (file)
@@ -11,3 +11,9 @@ ext4-fix-data-corruption-caused-by-unwritten-and-delayed-extents.patch
 3w-9xxx-fix-command-completion-race.patch
 3w-sas-fix-command-completion-race.patch
 usb-host-oxu210hp-use-new-usb_resume_timeout.patch
+usb-gadget-printer-enqueue-printer-s-response-for-setup-request.patch
+staging-panel-fix-lcd-type.patch
+arm-dts-dove-fix-uart-reg-property.patch
+drivers-hv-vmbus-don-t-wait-after-requesting-offers.patch
+ubi-fix-soft-lockup-in-ubi_check_volume.patch
+arc-signal-handling-robustify.patch
diff --git a/queue-3.10/staging-panel-fix-lcd-type.patch b/queue-3.10/staging-panel-fix-lcd-type.patch
new file mode 100644 (file)
index 0000000..86f8bb7
--- /dev/null
@@ -0,0 +1,59 @@
+From 2c20d92dad5db6440cfa88d811b69fd605240ce4 Mon Sep 17 00:00:00 2001
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Date: Tue, 24 Mar 2015 16:29:32 +0530
+Subject: staging: panel: fix lcd type
+
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+
+commit 2c20d92dad5db6440cfa88d811b69fd605240ce4 upstream.
+
+the lcd type as defined in the Kconfig is not matching in the code.
+as a result the rs, rw and en pins were getting interchanged.
+Kconfig defines the value of PANEL_LCD to be 1 if we select custom
+configuration but in the code LCD_TYPE_CUSTOM is defined as 5.
+
+my hardware is LCD_TYPE_CUSTOM, but the pins were assigned to it
+as pins of LCD_TYPE_OLD, and it was not working.
+Now values are corrected with referenece to the values defined in
+Kconfig and it is working.
+checked on JHD204A lcd with LCD_TYPE_CUSTOM configuration.
+
+Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
+Acked-by: Willy Tarreau <w@1wt.eu>
+[wt: backport to 3.10 and 3.14]
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/panel/panel.c |   13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/drivers/staging/panel/panel.c
++++ b/drivers/staging/panel/panel.c
+@@ -275,11 +275,11 @@ static unsigned char lcd_bits[LCD_PORTS]
+  * LCD types
+  */
+ #define LCD_TYPE_NONE         0
+-#define LCD_TYPE_OLD          1
+-#define LCD_TYPE_KS0074               2
+-#define LCD_TYPE_HANTRONIX    3
+-#define LCD_TYPE_NEXCOM               4
+-#define LCD_TYPE_CUSTOM               5
++#define LCD_TYPE_CUSTOM               1
++#define LCD_TYPE_OLD          2
++#define LCD_TYPE_KS0074               3
++#define LCD_TYPE_HANTRONIX    4
++#define LCD_TYPE_NEXCOM               5
+ /*
+  * keypad types
+@@ -457,8 +457,7 @@ MODULE_PARM_DESC(keypad_enabled, "Deprec
+ static int lcd_type = -1;
+ module_param(lcd_type, int, 0000);
+ MODULE_PARM_DESC(lcd_type,
+-               "LCD type: 0=none, 1=old //, 2=serial ks0074, "
+-               "3=hantronix //, 4=nexcom //, 5=compiled-in");
++              "LCD type: 0=none, 1=compiled-in, 2=old, 3=serial ks0074, 4=hantronix, 5=nexcom");
+ static int lcd_proto = -1;
+ module_param(lcd_proto, int, 0000);
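Review bot: The renumbered `LCD_TYPE_*` defines carry no comment saying they must track the Kconfig values, which is exactly the drift the changelog describes as the cause of this bug. I would add `/* Values must match the PANEL_LCD choice numbers in Kconfig */` above the block. The renumbering also changes what `lcd_type=N` means on the module command line (1 was "old" and is now "compiled-in"), so a system that passes the parameter explicitly gets a different pin mapping after this update; the changelog should say so.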
diff --git a/queue-3.10/ubi-fix-soft-lockup-in-ubi_check_volume.patch b/queue-3.10/ubi-fix-soft-lockup-in-ubi_check_volume.patch
new file mode 100644 (file)
index 0000000..26cdfa4
--- /dev/null
@@ -0,0 +1,64 @@
+From 9aa272b492e7551a9ee0e2c83c720ea013698485 Mon Sep 17 00:00:00 2001
+From: hujianyang <hujianyang@huawei.com>
+Date: Tue, 30 Dec 2014 11:56:09 +0800
+Subject: UBI: fix soft lockup in ubi_check_volume()
+
+From: hujianyang <hujianyang@huawei.com>
+
+commit 9aa272b492e7551a9ee0e2c83c720ea013698485 upstream.
+
+Running mtd-utils/tests/ubi-tests/io_basic.c could cause
+soft lockup or watchdog reset. It is because *updatevol*
+will perform ubi_check_volume() after updating finish
+and this function will full scan the updated lebs if the
+volume is initialized as STATIC_VOLUME.
+
+This patch adds *cond_resched()* in the loop of lebs scan
+to avoid soft lockup.
+
+Helped by Richard Weinberger <richard@nod.at>
+
+[ 2158.067096] INFO: rcu_sched self-detected stall on CPU { 1}  (t=2101 jiffies g=1606 c=1605 q=56)
+[ 2158.172867] CPU: 1 PID: 2073 Comm: io_basic Tainted: G           O 3.10.53 #21
+[ 2158.172898] [<c000f624>] (unwind_backtrace+0x0/0x120) from [<c000c294>] (show_stack+0x10/0x14)
+[ 2158.172918] [<c000c294>] (show_stack+0x10/0x14) from [<c008ac3c>] (rcu_check_callbacks+0x1c0/0x660)
+[ 2158.172936] [<c008ac3c>] (rcu_check_callbacks+0x1c0/0x660) from [<c002b480>] (update_process_times+0x38/0x64)
+[ 2158.172953] [<c002b480>] (update_process_times+0x38/0x64) from [<c005ff38>] (tick_sched_handle+0x54/0x60)
+[ 2158.172966] [<c005ff38>] (tick_sched_handle+0x54/0x60) from [<c00601ac>] (tick_sched_timer+0x44/0x74)
+[ 2158.172978] [<c00601ac>] (tick_sched_timer+0x44/0x74) from [<c003f348>] (__run_hrtimer+0xc8/0x1b8)
+[ 2158.172992] [<c003f348>] (__run_hrtimer+0xc8/0x1b8) from [<c003fd9c>] (hrtimer_interrupt+0x128/0x2a4)
+[ 2158.173007] [<c003fd9c>] (hrtimer_interrupt+0x128/0x2a4) from [<c0246f1c>] (arch_timer_handler_virt+0x28/0x30)
+[ 2158.173022] [<c0246f1c>] (arch_timer_handler_virt+0x28/0x30) from [<c0086214>] (handle_percpu_devid_irq+0x9c/0x124)
+[ 2158.173036] [<c0086214>] (handle_percpu_devid_irq+0x9c/0x124) from [<c0082bd8>] (generic_handle_irq+0x20/0x30)
+[ 2158.173049] [<c0082bd8>] (generic_handle_irq+0x20/0x30) from [<c000969c>] (handle_IRQ+0x64/0x8c)
+[ 2158.173060] [<c000969c>] (handle_IRQ+0x64/0x8c) from [<c0008544>] (gic_handle_irq+0x3c/0x60)
+[ 2158.173074] [<c0008544>] (gic_handle_irq+0x3c/0x60) from [<c02f0f80>] (__irq_svc+0x40/0x50)
+[ 2158.173083] Exception stack(0xc4043c98 to 0xc4043ce0)
+[ 2158.173092] 3c80:                                                       c4043ce4 00000019
+[ 2158.173102] 3ca0: 1f8a865f c050ad10 1f8a864c 00000031 c04b5970 0003ebce 00000000 f3550000
+[ 2158.173113] 3cc0: bf00bc68 00000800 0003ebce c4043ce0 c0186d14 c0186cb8 80000013 ffffffff
+[ 2158.173130] [<c02f0f80>] (__irq_svc+0x40/0x50) from [<c0186cb8>] (read_current_timer+0x4/0x38)
+[ 2158.173145] [<c0186cb8>] (read_current_timer+0x4/0x38) from [<1f8a865f>] (0x1f8a865f)
+[ 2183.927097] BUG: soft lockup - CPU#1 stuck for 22s! [io_basic:2073]
+[ 2184.002229] Modules linked in: nandflash(O) [last unloaded: nandflash]
+
+Signed-off-by: Wang Kai <morgan.wang@huawei.com>
+Signed-off-by: hujianyang <hujianyang@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/ubi/misc.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/ubi/misc.c
++++ b/drivers/mtd/ubi/misc.c
+@@ -74,6 +74,8 @@ int ubi_check_volume(struct ubi_device *
+       for (i = 0; i < vol->used_ebs; i++) {
+               int size;
++              cond_resched();
++
+               if (i == vol->used_ebs - 1)
+                       size = vol->last_eb_bytes;
+               else
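Review bot: The `cond_resched();` added at the top of the per-LEB loop in ubi_check_volume has no comment, so the reason for it lives only in the changelog. A one-liner such as `/* scanning a large static volume can run long; yield to avoid soft lockups */` would stop it being removed as noise later. The call also assumes every caller reaches this loop in a context that may sleep, which is not visible in the hunk and is worth confirming. The function body continues outside the hunk.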
diff --git a/queue-3.10/usb-gadget-printer-enqueue-printer-s-response-for-setup-request.patch b/queue-3.10/usb-gadget-printer-enqueue-printer-s-response-for-setup-request.patch
new file mode 100644 (file)
index 0000000..2753edf
--- /dev/null
@@ -0,0 +1,50 @@
+From eb132ccbdec5df46e29c9814adf76075ce83576b Mon Sep 17 00:00:00 2001
+From: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
+Date: Tue, 3 Mar 2015 10:52:05 +0100
+Subject: usb: gadget: printer: enqueue printer's response for setup request
+
+From: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
+
+commit eb132ccbdec5df46e29c9814adf76075ce83576b upstream.
+
+Function-specific setup requests should be handled in such a way, that
+apart from filling in the data buffer, the requests are also actually
+enqueued: if function-specific setup is called from composte_setup(),
+the "usb_ep_queue()" block of code in composite_setup() is skipped.
+
+The printer function lacks this part and it results in e.g. get device id
+requests failing: the host expects some response, the device prepares it
+but does not equeue it for sending to the host, so the host finally asserts
+timeout.
+
+This patch adds enqueueing the prepared responses.
+
+Fixes: 2e87edf49227: "usb: gadget: make g_printer use composite"
+Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+[ported to stable 3.10 and 3.14]
+Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/printer.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/gadget/printer.c
++++ b/drivers/usb/gadget/printer.c
+@@ -975,6 +975,15 @@ unknown:
+               break;
+       }
+       /* host either stalls (value < 0) or reports success */
++      if (value >= 0) {
++              req->length = value;
++              req->zero = value < wLength;
++              value = usb_ep_queue(cdev->gadget->ep0, req, GFP_ATOMIC);
++              if (value < 0) {
++                      ERROR(dev, "%s:%d Error!\n", __func__, __LINE__);
++                      req->status = 0;
++              }
++      }
+       return value;
+ }
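Review bot: The failure branch after `usb_ep_queue()` logs `"%s:%d Error!\n"` without the return code, which leaves nothing to diagnose from when ep0 queueing fails. Printing it is a one-line change: `ERROR(dev, "%s:%d ep0 queue failed: %d\n", __func__, __LINE__, value);`. The `req->status = 0;` that follows needs a short comment saying why the status is reset on failure, since the reason is not evident here. The existing comment `/* host either stalls (value < 0) or reports success */` now sits above the queueing block instead of the `return value;` it describes. The enclosing function starts outside the hunk.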