--- /dev/null
+From 8defb3367fcd19d1af64c07792aade0747b54e0f Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <a.ryabinin@samsung.com>
+Date: Fri, 20 Mar 2015 15:42:27 +0100
+Subject: ARM: 8320/1: fix integer overflow in ELF_ET_DYN_BASE
+
+From: Andrey Ryabinin <a.ryabinin@samsung.com>
+
+commit 8defb3367fcd19d1af64c07792aade0747b54e0f upstream.
+
+Usually ELF_ET_DYN_BASE is 2/3 of TASK_SIZE. With 3G/1G user/kernel
+split this is not so, because 2*TASK_SIZE overflows 32 bits,
+so the actual value of ELF_ET_DYN_BASE is:
+ (2 * TASK_SIZE / 3) = 0x2a000000
+
+When ASLR is disabled PIE binaries will load at ELF_ET_DYN_BASE address.
+On 32bit platforms AddressSanitzer uses addresses [0x20000000 - 0x40000000]
+for shadow memory [1]. So ASan doesn't work for PIE binaries when ASLR disabled
+as it fails to map shadow memory.
+Also after Kees's 'split ET_DYN ASLR from mmap ASLR' patchset PIE binaries
+has a high chance of loading somewhere in between [0x2a000000 - 0x40000000]
+even if ASLR enabled. This makes ASan with PIE absolutely incompatible.
+
+Fix overflow by dividing TASK_SIZE prior to multiplying.
+After this patch ELF_ET_DYN_BASE equals to (for CONFIG_VMSPLIT_3G=y):
+ (TASK_SIZE / 3 * 2) = 0x7f555554
+
+[1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm#Mapping
+
+Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
+Reported-by: Maria Guseva <m.guseva@samsung.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/include/asm/elf.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/include/asm/elf.h
++++ b/arch/arm/include/asm/elf.h
+@@ -116,7 +116,7 @@ int dump_task_regs(struct task_struct *t
+ the loader. We need to make sure that it is out of the way of the program
+ that it will "exec", and that there is sufficient room for the brk. */
+
+-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
++#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
+
+ /* When the program starts, a1 contains a pointer to a function to be
+ registered with atexit, as per the SVR4 ABI. A value of 0 means we
--- /dev/null
+From 4e330ae4ab2915444f1e6dca1358a910aa259362 Mon Sep 17 00:00:00 2001
+From: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+Date: Fri, 27 Mar 2015 01:58:08 +0900
+Subject: ARM: S3C64XX: Use fixed IRQ bases to avoid conflicts on Cragganmore
+
+From: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+
+commit 4e330ae4ab2915444f1e6dca1358a910aa259362 upstream.
+
+There are two PMICs on Cragganmore, currently one dynamically assign
+its IRQ base and the other uses a fixed base. It is possible for the
+statically assigned PMIC to fail if its IRQ is taken by the dynamically
+assigned one. Fix this by statically assigning both the IRQ bases.
+
+Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+Signed-off-by: Kukjin Kim <kgene@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-s3c64xx/crag6410.h | 1 +
+ arch/arm/mach-s3c64xx/mach-crag6410.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/arch/arm/mach-s3c64xx/crag6410.h
++++ b/arch/arm/mach-s3c64xx/crag6410.h
+@@ -14,6 +14,7 @@
+ #include <linux/gpio.h>
+
+ #define GLENFARCLAS_PMIC_IRQ_BASE IRQ_BOARD_START
++#define BANFF_PMIC_IRQ_BASE (IRQ_BOARD_START + 64)
+
+ #define PCA935X_GPIO_BASE GPIO_BOARD_START
+ #define CODEC_GPIO_BASE (GPIO_BOARD_START + 8)
+--- a/arch/arm/mach-s3c64xx/mach-crag6410.c
++++ b/arch/arm/mach-s3c64xx/mach-crag6410.c
+@@ -558,6 +558,7 @@ static struct wm831x_touch_pdata touch_p
+
+ static struct wm831x_pdata crag_pmic_pdata = {
+ .wm831x_num = 1,
++ .irq_base = BANFF_PMIC_IRQ_BASE,
+ .gpio_base = BANFF_PMIC_GPIO_BASE,
+ .soft_shutdown = true,
+
--- /dev/null
+From 323ece54e0761198946ecd0c2091f1d2bfdfcb64 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.de>
+Date: Fri, 20 Mar 2015 14:29:34 +0100
+Subject: cdc-wdm: fix endianness bug in debug statements
+
+From: Oliver Neukum <oneukum@suse.de>
+
+commit 323ece54e0761198946ecd0c2091f1d2bfdfcb64 upstream.
+
+Values directly from descriptors given in debug statements
+must be converted to native endianness.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-wdm.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -244,7 +244,7 @@ static void wdm_int_callback(struct urb
+ case USB_CDC_NOTIFY_RESPONSE_AVAILABLE:
+ dev_dbg(&desc->intf->dev,
+ "NOTIFY_RESPONSE_AVAILABLE received: index %d len %d",
+- dr->wIndex, dr->wLength);
++ le16_to_cpu(dr->wIndex), le16_to_cpu(dr->wLength));
+ break;
+
+ case USB_CDC_NOTIFY_NETWORK_CONNECTION:
+@@ -257,7 +257,9 @@ static void wdm_int_callback(struct urb
+ clear_bit(WDM_POLL_RUNNING, &desc->flags);
+ dev_err(&desc->intf->dev,
+ "unknown notification %d received: index %d len %d\n",
+- dr->bNotificationType, dr->wIndex, dr->wLength);
++ dr->bNotificationType,
++ le16_to_cpu(dr->wIndex),
++ le16_to_cpu(dr->wLength));
+ goto exit;
+ }
+
+@@ -403,7 +405,7 @@ static ssize_t wdm_write
+ USB_RECIP_INTERFACE);
+ req->bRequest = USB_CDC_SEND_ENCAPSULATED_COMMAND;
+ req->wValue = 0;
+- req->wIndex = desc->inum;
++ req->wIndex = desc->inum; /* already converted */
+ req->wLength = cpu_to_le16(count);
+ set_bit(WDM_IN_USE, &desc->flags);
+ desc->outbuf = buf;
+@@ -417,7 +419,7 @@ static ssize_t wdm_write
+ rv = usb_translate_errors(rv);
+ } else {
+ dev_dbg(&desc->intf->dev, "Tx URB has been submitted index=%d",
+- req->wIndex);
++ le16_to_cpu(req->wIndex));
+ }
+ out:
+ usb_autopm_put_interface(desc->intf);
+@@ -780,7 +782,7 @@ static int wdm_create(struct usb_interfa
+ desc->irq->bRequestType = (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE);
+ desc->irq->bRequest = USB_CDC_GET_ENCAPSULATED_RESPONSE;
+ desc->irq->wValue = 0;
+- desc->irq->wIndex = desc->inum;
++ desc->irq->wIndex = desc->inum; /* already converted */
+ desc->irq->wLength = cpu_to_le16(desc->wMaxCommand);
+
+ usb_fill_control_urb(
--- /dev/null
+From a7117f81e8391e035c49b3440792f7e6cea28173 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Fri, 20 Feb 2015 14:32:25 +0100
+Subject: power_supply: lp8788-charger: Fix leaked power supply on probe fail
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit a7117f81e8391e035c49b3440792f7e6cea28173 upstream.
+
+Driver forgot to unregister charger power supply if registering of
+battery supply failed in probe(). In such case the memory associated
+with power supply leaked.
+
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Fixes: 98a276649358 ("power_supply: Add new lp8788 charger driver")
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/lp8788-charger.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/power/lp8788-charger.c
++++ b/drivers/power/lp8788-charger.c
+@@ -417,8 +417,10 @@ static int lp8788_psy_register(struct pl
+ pchg->battery.num_properties = ARRAY_SIZE(lp8788_battery_prop);
+ pchg->battery.get_property = lp8788_battery_get_property;
+
+- if (power_supply_register(&pdev->dev, &pchg->battery))
++ if (power_supply_register(&pdev->dev, &pchg->battery)) {
++ power_supply_unregister(&pchg->charger);
+ return -EPERM;
++ }
+
+ return 0;
+ }
--- /dev/null
+From 80a9b64e2c156b6523e7a01f2ba6e5d86e722814 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Tue, 17 Mar 2015 10:40:38 -0400
+Subject: ring-buffer: Replace this_cpu_*() with __this_cpu_*()
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 80a9b64e2c156b6523e7a01f2ba6e5d86e722814 upstream.
+
+It has come to my attention that this_cpu_read/write are horrible on
+architectures other than x86. Worse yet, they actually disable
+preemption or interrupts! This caused some unexpected tracing results
+on ARM.
+
+ 101.356868: preempt_count_add <-ring_buffer_lock_reserve
+ 101.356870: preempt_count_sub <-ring_buffer_lock_reserve
+
+The ring_buffer_lock_reserve has recursion protection that requires
+accessing a per cpu variable. But since preempt_disable() is traced, it
+too got traced while accessing the variable that is suppose to prevent
+recursion like this.
+
+The generic version of this_cpu_read() and write() are:
+
+ #define this_cpu_generic_read(pcp) \
+ ({ typeof(pcp) ret__; \
+ preempt_disable(); \
+ ret__ = *this_cpu_ptr(&(pcp)); \
+ preempt_enable(); \
+ ret__; \
+ })
+
+ #define this_cpu_generic_to_op(pcp, val, op) \
+ do { \
+ unsigned long flags; \
+ raw_local_irq_save(flags); \
+ *__this_cpu_ptr(&(pcp)) op val; \
+ raw_local_irq_restore(flags); \
+ } while (0)
+
+Which is unacceptable for locations that know they are within preempt
+disabled or interrupt disabled locations.
+
+Paul McKenney stated that __this_cpu_() versions produce much better code on
+other architectures than this_cpu_() does, if we know that the call is done in
+a preempt disabled location.
+
+I also changed the recursive_unlock() to use two local variables instead
+of accessing the per_cpu variable twice.
+
+Link: http://lkml.kernel.org/r/20150317114411.GE3589@linux.vnet.ibm.com
+Link: http://lkml.kernel.org/r/20150317104038.312e73d1@gandalf.local.home
+
+Acked-by: Christoph Lameter <cl@linux.com>
+Reported-by: Uwe Kleine-Koenig <u.kleine-koenig@pengutronix.de>
+Tested-by: Uwe Kleine-Koenig <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ring_buffer.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -2650,7 +2650,7 @@ static DEFINE_PER_CPU(unsigned int, curr
+
+ static __always_inline int trace_recursive_lock(void)
+ {
+- unsigned int val = this_cpu_read(current_context);
++ unsigned int val = __this_cpu_read(current_context);
+ int bit;
+
+ if (in_interrupt()) {
+@@ -2667,18 +2667,17 @@ static __always_inline int trace_recursi
+ return 1;
+
+ val |= (1 << bit);
+- this_cpu_write(current_context, val);
++ __this_cpu_write(current_context, val);
+
+ return 0;
+ }
+
+ static __always_inline void trace_recursive_unlock(void)
+ {
+- unsigned int val = this_cpu_read(current_context);
++ unsigned int val = __this_cpu_read(current_context);
+
+- val--;
+- val &= this_cpu_read(current_context);
+- this_cpu_write(current_context, val);
++ val &= val & (val - 1);
++ __this_cpu_write(current_context, val);
+ }
+
+ #else
s390-hibernate-fix-save-and-restore-of-kernel-text-section.patch
kvm-use-slowpath-for-cross-page-cached-accesses.patch
mips-hibernate-flush-tlb-entries-earlier.patch
+cdc-wdm-fix-endianness-bug-in-debug-statements.patch
+spi-spidev-fix-possible-arithmetic-overflow-for-multi-transfer-message.patch
+ring-buffer-replace-this_cpu_-with-__this_cpu_.patch
+power_supply-lp8788-charger-fix-leaked-power-supply-on-probe-fail.patch
+arm-8320-1-fix-integer-overflow-in-elf_et_dyn_base.patch
+arm-s3c64xx-use-fixed-irq-bases-to-avoid-conflicts-on-cragganmore.patch
+usb-phy-find-the-right-match-in-devm_usb_phy_match.patch
+usb-define-a-generic-usb_resume_timeout-macro.patch
--- /dev/null
+From f20fbaad7620af2df36a1f9d1c9ecf48ead5b747 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 23 Mar 2015 17:50:27 +0000
+Subject: spi: spidev: fix possible arithmetic overflow for multi-transfer message
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit f20fbaad7620af2df36a1f9d1c9ecf48ead5b747 upstream.
+
+`spidev_message()` sums the lengths of the individual SPI transfers to
+determine the overall SPI message length. It restricts the total
+length, returning an error if too long, but it does not check for
+arithmetic overflow. For example, if the SPI message consisted of two
+transfers and the first has a length of 10 and the second has a length
+of (__u32)(-1), the total length would be seen as 9, even though the
+second transfer is actually very long. If the second transfer specifies
+a null `rx_buf` and a non-null `tx_buf`, the `copy_from_user()` could
+overrun the spidev's pre-allocated tx buffer before it reaches an
+invalid user memory address. Fix it by checking that neither the total
+nor the individual transfer lengths exceed the maximum allowed value.
+
+Thanks to Dan Carpenter for reporting the potential integer overflow.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spidev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spidev.c
++++ b/drivers/spi/spidev.c
+@@ -243,7 +243,10 @@ static int spidev_message(struct spidev_
+ k_tmp->len = u_tmp->len;
+
+ total += k_tmp->len;
+- if (total > bufsiz) {
++ /* Check total length of transfers. Also check each
++ * transfer length to avoid arithmetic overflow.
++ */
++ if (total > bufsiz || k_tmp->len > bufsiz) {
+ status = -EMSGSIZE;
+ goto done;
+ }
--- /dev/null
+From 62f0342de1f012f3e90607d39e20fce811391169 Mon Sep 17 00:00:00 2001
+From: Felipe Balbi <balbi@ti.com>
+Date: Fri, 13 Feb 2015 14:34:25 -0600
+Subject: usb: define a generic USB_RESUME_TIMEOUT macro
+
+From: Felipe Balbi <balbi@ti.com>
+
+commit 62f0342de1f012f3e90607d39e20fce811391169 upstream.
+
+Every USB Host controller should use this new
+macro to define for how long resume signalling
+should be driven on the bus.
+
+Currently, almost every single USB controller
+is using a 20ms timeout for resume signalling.
+
+That's problematic for two reasons:
+
+a) sometimes that 20ms timer expires a little
+before 20ms, which makes us fail certification
+
+b) some (many) devices actually need more than
+20ms resume signalling.
+
+Sure, in case of (b) we can state that the device
+is against the USB spec, but the fact is that
+we have no control over which device the certification
+lab will use. We also have no control over which host
+they will use. Most likely they'll be using a Windows
+PC which, again, we have no control over how that
+USB stack is written and how long resume signalling
+they are using.
+
+At the end of the day, we must make sure Linux passes
+electrical compliance when working as Host or as Device
+and currently we don't pass compliance as host because
+we're driving resume signallig for exactly 20ms and
+that confuses certification test setup resulting in
+Certification failure.
+
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Peter Chen <peter.chen@freescale.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/usb.h | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -206,6 +206,32 @@ void usb_put_intf(struct usb_interface *
+ #define USB_MAXINTERFACES 32
+ #define USB_MAXIADS (USB_MAXINTERFACES/2)
+
++/*
++ * USB Resume Timer: Every Host controller driver should drive the resume
++ * signalling on the bus for the amount of time defined by this macro.
++ *
++ * That way we will have a 'stable' behavior among all HCDs supported by Linux.
++ *
++ * Note that the USB Specification states we should drive resume for *at least*
++ * 20 ms, but it doesn't give an upper bound. This creates two possible
++ * situations which we want to avoid:
++ *
++ * (a) sometimes an msleep(20) might expire slightly before 20 ms, which causes
++ * us to fail USB Electrical Tests, thus failing Certification
++ *
++ * (b) Some (many) devices actually need more than 20 ms of resume signalling,
++ * and while we can argue that's against the USB Specification, we don't have
++ * control over which devices a certification laboratory will be using for
++ * certification. If CertLab uses a device which was tested against Windows and
++ * that happens to have relaxed resume signalling rules, we might fall into
++ * situations where we fail interoperability and electrical tests.
++ *
++ * In order to avoid both conditions, we're using a 40 ms resume timeout, which
++ * should cope with both LPJ calibration errors and devices not following every
++ * detail of the USB Specification.
++ */
++#define USB_RESUME_TIMEOUT 40 /* ms */
++
+ /**
+ * struct usb_interface_cache - long-term representation of a device interface
+ * @num_altsetting: number of altsettings defined.
--- /dev/null
+From 869aee0f31429fa9d94d5aef539602b73ae0cf4b Mon Sep 17 00:00:00 2001
+From: Axel Lin <axel.lin@ingics.com>
+Date: Thu, 12 Mar 2015 09:15:28 +0800
+Subject: usb: phy: Find the right match in devm_usb_phy_match
+
+From: Axel Lin <axel.lin@ingics.com>
+
+commit 869aee0f31429fa9d94d5aef539602b73ae0cf4b upstream.
+
+The res parameter passed to devm_usb_phy_match() is the location where the
+pointer to the usb_phy is stored, hence it needs to be dereferenced before
+comparing to the match data in order to find the correct match.
+
+Fixes: 410219dcd2ba ("usb: otg: utils: devres: Add API's to associate a device with the phy")
+Signed-off-by: Axel Lin <axel.lin@ingics.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/phy/phy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/phy/phy.c
++++ b/drivers/usb/phy/phy.c
+@@ -78,7 +78,9 @@ static void devm_usb_phy_release(struct
+
+ static int devm_usb_phy_match(struct device *dev, void *res, void *match_data)
+ {
+- return res == match_data;
++ struct usb_phy **phy = res;
++
++ return *phy == match_data;
+ }
+
+ /**
projects / thirdparty / kernel / stable-queue.git / commitdiff
