--- /dev/null
+From e9490e93c1978b6669f3e993caa3189be13ce459 Mon Sep 17 00:00:00 2001
+From: Stanislav Kozina <skozina@redhat.com>
+Date: Thu, 16 Aug 2012 12:01:47 +0100
+Subject: Remove BUG_ON from n_tty_read()
+
+From: Stanislav Kozina <skozina@redhat.com>
+
+commit e9490e93c1978b6669f3e993caa3189be13ce459 upstream.
+
+Change the BUG_ON to WARN_ON and return in case of tty->read_buf==NULL. We want to track a
+couple of long standing reports of this but at the same time we can avoid killing the box.
+
+Signed-off-by: Stanislav Kozina <skozina@redhat.com>
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/n_tty.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/n_tty.c
++++ b/drivers/tty/n_tty.c
+@@ -1728,7 +1728,8 @@ static ssize_t n_tty_read(struct tty_str
+
+ do_it_again:
+
+- BUG_ON(!tty->read_buf);
++ if (WARN_ON(!tty->read_buf))
++ return -EAGAIN;
+
+ c = job_control(tty, file);
+ if (c < 0)
--- /dev/null
+From c5dd553b9fd069892c9e2de734f4f604e280fa7a Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Wed, 26 Sep 2012 17:21:36 +0200
+Subject: serial: pl011: handle corruption at high clock speeds
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit c5dd553b9fd069892c9e2de734f4f604e280fa7a upstream.
+
+This works around a few glitches in the ST version of the PL011
+serial driver when using very high baud rates, as we do in the
+Ux500: 3, 3.25, 4 and 4.05 Mbps.
+
+Problem Observed/rootcause:
+
+When using high baud-rates, and the baudrate*8 is getting close to
+the provided clock frequency (so a division factor close to 1), when
+using bursts of characters (so they are abutted), then it seems as if
+there is not enough time to detect the beginning of the start-bit which
+is a timing reference for the entire character, and thus the sampling
+moment of character bits is moving towards the end of each bit, instead
+of the middle.
+
+Fix:
+Increase slightly the RX baud rate of the UART above the theoretical
+baudrate by 5%. This will definitely give more margin time to the
+UART_RX to correctly sample the data at the middle of the bit period.
+
+Also fix the ages old copy-paste error in the very stressed comment,
+it's referencing the registers used in the PL010 driver rather than
+the PL011 ones.
+
+Signed-off-by: Guillaume Jaunet <guillaume.jaunet@stericsson.com>
+Signed-off-by: Christophe Arnal <christophe.arnal@stericsson.com>
+Signed-off-by: Matthias Locher <matthias.locher@stericsson.com>
+Signed-off-by: Rajanikanth HV <rajanikanth.hv@stericsson.com>
+Cc: Bibek Basu <bibek.basu@stericsson.com>
+Cc: Par-Gunnar Hjalmdahl <par-gunnar.hjalmdahl@stericsson.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/amba-pl011.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/amba-pl011.c
++++ b/drivers/tty/serial/amba-pl011.c
+@@ -1620,13 +1620,26 @@ pl011_set_termios(struct uart_port *port
+ old_cr &= ~ST_UART011_CR_OVSFACT;
+ }
+
++ /*
++ * Workaround for the ST Micro oversampling variants to
++ * increase the bitrate slightly, by lowering the divisor,
++ * to avoid delayed sampling of start bit at high speeds,
++ * else we see data corruption.
++ */
++ if (uap->vendor->oversampling) {
++ if ((baud >= 3000000) && (baud < 3250000) && (quot > 1))
++ quot -= 1;
++ else if ((baud > 3250000) && (quot > 2))
++ quot -= 2;
++ }
+ /* Set baud rate */
+ writew(quot & 0x3f, port->membase + UART011_FBRD);
+ writew(quot >> 6, port->membase + UART011_IBRD);
+
+ /*
+ * ----------v----------v----------v----------v-----
+- * NOTE: MUST BE WRITTEN AFTER UARTLCR_M & UARTLCR_L
++ * NOTE: lcrh_tx and lcrh_rx MUST BE WRITTEN AFTER
++ * UART011_FBRD & UART011_IBRD.
+ * ----------^----------^----------^----------^-----
+ */
+ writew(lcr_h, port->membase + uap->lcrh_rx);
--- /dev/null
+From 26e8220adb0aec43b7acafa0f1431760eee28522 Mon Sep 17 00:00:00 2001
+From: Flavio Leitner <fbl@redhat.com>
+Date: Fri, 21 Sep 2012 21:04:34 -0300
+Subject: serial: set correct baud_base for EXSYS EX-41092 Dual 16950
+
+From: Flavio Leitner <fbl@redhat.com>
+
+commit 26e8220adb0aec43b7acafa0f1431760eee28522 upstream.
+
+Apparently the same card model has two IDs, so this patch
+complements the commit 39aced68d664291db3324d0fcf0985ab5626aac2
+adding the missing one.
+
+Signed-off-by: Flavio Leitner <fbl@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250_pci.c | 9 +++++++--
+ include/linux/pci_ids.h | 1 -
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/8250_pci.c
++++ b/drivers/tty/serial/8250_pci.c
+@@ -1011,6 +1011,8 @@ static int pci_eg20t_init(struct pci_dev
+ #define PCI_SUBDEVICE_ID_OCTPRO422 0x0208
+ #define PCI_SUBDEVICE_ID_POCTAL232 0x0308
+ #define PCI_SUBDEVICE_ID_POCTAL422 0x0408
++#define PCI_SUBDEVICE_ID_SIIG_DUAL_00 0x2500
++#define PCI_SUBDEVICE_ID_SIIG_DUAL_30 0x2530
+ #define PCI_VENDOR_ID_ADVANTECH 0x13fe
+ #define PCI_DEVICE_ID_INTEL_CE4100_UART 0x2e66
+ #define PCI_DEVICE_ID_ADVANTECH_PCI3620 0x3620
+@@ -3009,8 +3011,11 @@ static struct pci_device_id serial_pci_t
+ * For now just used the hex ID 0x950a.
+ */
+ { PCI_VENDOR_ID_OXSEMI, 0x950a,
+- PCI_SUBVENDOR_ID_SIIG, PCI_SUBDEVICE_ID_SIIG_DUAL_SERIAL, 0, 0,
+- pbn_b0_2_115200 },
++ PCI_SUBVENDOR_ID_SIIG, PCI_SUBDEVICE_ID_SIIG_DUAL_00,
++ 0, 0, pbn_b0_2_115200 },
++ { PCI_VENDOR_ID_OXSEMI, 0x950a,
++ PCI_SUBVENDOR_ID_SIIG, PCI_SUBDEVICE_ID_SIIG_DUAL_30,
++ 0, 0, pbn_b0_2_115200 },
+ { PCI_VENDOR_ID_OXSEMI, 0x950a,
+ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+ pbn_b0_2_1130000 },
+--- a/include/linux/pci_ids.h
++++ b/include/linux/pci_ids.h
+@@ -1818,7 +1818,6 @@
+ #define PCI_DEVICE_ID_SIIG_8S_20x_650 0x2081
+ #define PCI_DEVICE_ID_SIIG_8S_20x_850 0x2082
+ #define PCI_SUBDEVICE_ID_SIIG_QUARTET_SERIAL 0x2050
+-#define PCI_SUBDEVICE_ID_SIIG_DUAL_SERIAL 0x2530
+
+ #define PCI_VENDOR_ID_RADISYS 0x1331
+
usb-option-blacklist-qmi-interface-on-zte-mf683.patch
usb-ftdi_sio-add-tiao-usb-multi-protocol-adapter-tumpa-support.patch
usb-qcaux-add-pantech-vendor-class-match.patch
+staging-speakup_soft-fix-reading-of-init-string.patch
+staging-comedi-s626-don-t-dereference-insn-data.patch
+staging-comedi-jr3_pci-fix-iomem-dereference.patch
+staging-comedi-don-t-dereference-user-memory-for-insn_inttrig.patch
+staging-comedi-fix-memory-leak-for-saved-channel-list.patch
+remove-bug_on-from-n_tty_read.patch
+tty-ttyprintk-don-t-touch-behind-tty-write_buf.patch
+serial-pl011-handle-corruption-at-high-clock-speeds.patch
+serial-set-correct-baud_base-for-exsys-ex-41092-dual-16950.patch
--- /dev/null
+From 5d06e3df280bd230e2eadc16372e62818c63e894 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 18 Sep 2012 19:46:58 +0100
+Subject: staging: comedi: don't dereference user memory for INSN_INTTRIG
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 5d06e3df280bd230e2eadc16372e62818c63e894 upstream.
+
+`parse_insn()` is dereferencing the user-space pointer `insn->data`
+directly when handling the `INSN_INTTRIG` comedi instruction. It
+shouldn't be using `insn->data` at all; it should be using the separate
+`data` pointer passed to the function. Fix it.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/comedi_fops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/comedi_fops.c
++++ b/drivers/staging/comedi/comedi_fops.c
+@@ -843,7 +843,7 @@ static int parse_insn(struct comedi_devi
+ ret = -EAGAIN;
+ break;
+ }
+- ret = s->async->inttrig(dev, s, insn->data[0]);
++ ret = s->async->inttrig(dev, s, data[0]);
+ if (ret >= 0)
+ ret = 1;
+ break;
--- /dev/null
+From c8cad4c89ee3b15935c532210ae6ebb5c0a2734d Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 19 Sep 2012 19:37:39 +0100
+Subject: staging: comedi: fix memory leak for saved channel list
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit c8cad4c89ee3b15935c532210ae6ebb5c0a2734d upstream.
+
+When `do_cmd_ioctl()` allocates memory for the kernel copy of a channel
+list, it frees any previously allocated channel list in
+`async->cmd.chanlist` and replaces it with the new one. However, if the
+device is ever removed (or "detached") the cleanup code in
+`cleanup_device()` in "drivers.c" does not free this memory so it is
+lost.
+
+A sensible place to free the kernel copy of the channel list is in
+`do_become_nonbusy()` as at that point the comedi asynchronous command
+associated with the channel list is no longer valid. Free the channel
+list in `do_become_nonbusy()` instead of `do_cmd_ioctl()` and clear the
+pointer to prevent it being freed more than once.
+
+Note that `cleanup_device()` could be called at an inappropriate time
+while the comedi device is open, but that's a separate bug not related
+to this this patch.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/comedi_fops.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/comedi_fops.c
++++ b/drivers/staging/comedi/comedi_fops.c
+@@ -1088,7 +1088,6 @@ static int do_cmd_ioctl(struct comedi_de
+ goto cleanup;
+ }
+
+- kfree(async->cmd.chanlist);
+ async->cmd = user_cmd;
+ async->cmd.data = NULL;
+ /* load channel/gain list */
+@@ -1833,6 +1832,8 @@ void do_become_nonbusy(struct comedi_dev
+ if (async) {
+ comedi_reset_async_buf(async);
+ async->inttrig = NULL;
++ kfree(async->cmd.chanlist);
++ async->cmd.chanlist = NULL;
+ } else {
+ printk(KERN_ERR
+ "BUG: (?) do_become_nonbusy called with async=0\n");
--- /dev/null
+From e1878957b4676a17cf398f7f5723b365e9a2ca48 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Thu, 27 Sep 2012 17:45:27 +0100
+Subject: staging: comedi: jr3_pci: fix iomem dereference
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit e1878957b4676a17cf398f7f5723b365e9a2ca48 upstream.
+
+Correct a direct dereference of I/O memory to use an appropriate I/O
+memory access function. Note that the pointer being dereferenced is not
+currently tagged with `__iomem` but I plan to correct that for 3.7.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/jr3_pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/jr3_pci.c
++++ b/drivers/staging/comedi/drivers/jr3_pci.c
+@@ -913,7 +913,7 @@ static int jr3_pci_attach(struct comedi_
+ }
+
+ /* Reset DSP card */
+- devpriv->iobase->channel[0].reset = 0;
++ writel(0, &devpriv->iobase->channel[0].reset);
+
+ result = comedi_load_firmware(dev, "jr3pci.idm", jr3_download_firmware);
+ printk("Firmare load %d\n", result);
--- /dev/null
+From b655c2c4782ed3e2e71d2608154e295a3e860311 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 24 Sep 2012 17:20:52 +0100
+Subject: staging: comedi: s626: don't dereference insn->data
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit b655c2c4782ed3e2e71d2608154e295a3e860311 upstream.
+
+`s626_enc_insn_config()` is incorrectly dereferencing `insn->data` which
+is a pointer to user memory. It should be dereferencing the separate
+`data` parameter that points to a copy of the data in kernel memory.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Reviewed-by: H Hartley Sweeten <hsweeten@visionengravers.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/s626.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/s626.c
++++ b/drivers/staging/comedi/drivers/s626.c
+@@ -2370,7 +2370,7 @@ static int s626_enc_insn_config(struct c
+ /* (data==NULL) ? (Preloadvalue=0) : (Preloadvalue=data[0]); */
+
+ k->SetMode(dev, k, Setup, TRUE);
+- Preload(dev, k, *(insn->data));
++ Preload(dev, k, data[0]);
+ k->PulseIndex(dev, k);
+ SetLatchSource(dev, k, valueSrclatch);
+ k->SetEnable(dev, k, (uint16_t) (enab != 0));
--- /dev/null
+From 40fe4f89671fb3c7ded94190fb267402a38b0261 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 16 Sep 2012 04:18:50 +0100
+Subject: staging: speakup_soft: Fix reading of init string
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit 40fe4f89671fb3c7ded94190fb267402a38b0261 upstream.
+
+softsynth_read() reads a character at a time from the init string;
+when it finds the null terminator it sets the initialized flag but
+then repeats the last character.
+
+Additionally, if the read() buffer is not big enough for the init
+string, the next read() will start reading from the beginning again.
+So the caller may never progress to reading anything else.
+
+Replace the simple initialized flag with the current position in
+the init string, carried over between calls. Switch to reading
+real data once this reaches the null terminator.
+
+(This assumes that the length of the init string can't change, which
+seems to be the case. Really, the string and position belong together
+in a per-file private struct.)
+
+Tested-by: Samuel Thibault <sthibault@debian.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/speakup/speakup_soft.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+--- a/drivers/staging/speakup/speakup_soft.c
++++ b/drivers/staging/speakup/speakup_soft.c
+@@ -40,7 +40,7 @@ static int softsynth_is_alive(struct spk
+ static unsigned char get_index(void);
+
+ static struct miscdevice synth_device;
+-static int initialized;
++static int init_pos;
+ static int misc_registered;
+
+ static struct var_t vars[] = {
+@@ -194,7 +194,7 @@ static int softsynth_close(struct inode
+ unsigned long flags;
+ spk_lock(flags);
+ synth_soft.alive = 0;
+- initialized = 0;
++ init_pos = 0;
+ spk_unlock(flags);
+ /* Make sure we let applications go before leaving */
+ speakup_start_ttys();
+@@ -239,13 +239,8 @@ static ssize_t softsynth_read(struct fil
+ ch = '\x18';
+ } else if (synth_buffer_empty()) {
+ break;
+- } else if (!initialized) {
+- if (*init) {
+- ch = *init;
+- init++;
+- } else {
+- initialized = 1;
+- }
++ } else if (init[init_pos]) {
++ ch = init[init_pos++];
+ } else {
+ ch = synth_buffer_getc();
+ }
--- /dev/null
+From ee8b593affdf893012e57f4c54a21984d1b0d92e Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Tue, 7 Aug 2012 21:47:39 +0200
+Subject: TTY: ttyprintk, don't touch behind tty->write_buf
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit ee8b593affdf893012e57f4c54a21984d1b0d92e upstream.
+
+If a user provides a buffer larger than a tty->write_buf chunk and
+passes '\r' at the end of the buffer, we touch an out-of-bound memory.
+
+Add a check there to prevent this.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: Samo Pogacnik <samo_pogacnik@t-2.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ttyprintk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/ttyprintk.c
++++ b/drivers/char/ttyprintk.c
+@@ -66,7 +66,7 @@ static int tpk_printk(const unsigned cha
+ tmp[tpk_curr + 1] = '\0';
+ printk(KERN_INFO "%s%s", tpk_tag, tmp);
+ tpk_curr = 0;
+- if (buf[i + 1] == '\n')
++ if ((i + 1) < count && buf[i + 1] == '\n')
+ i++;
+ break;
+ case '\n':
projects / thirdparty / kernel / stable-queue.git / commitdiff
