From: Greg Kroah-Hartman Date: Thu, 24 May 2018 08:59:27 +0000 (+0200) Subject: 4.16-stable patches X-Git-Tag: v3.18.110~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=372f9be8ddfaee6d0d943779238f0df7e6f5855c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.16-stable patches added patches: rtc-goldfish-add-missing-module_license.patch rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch rtc-m41t80-fix-race-conditions.patch rtc-rk808-fix-possible-race-condition.patch rtc-rp5c01-fix-possible-race-condition.patch rtc-snvs-fix-usage-of-snvs_rtc_enable.patch rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch serial-altera-ensure-port-regshift-is-honored-consistently.patch serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch serial-mvebu-uart-fix-tx-lost-characters.patch serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch serial-sh-sci-fix-out-of-bounds-access-through-dt-alias.patch serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch --- diff --git a/queue-4.16/rtc-goldfish-add-missing-module_license.patch b/queue-4.16/rtc-goldfish-add-missing-module_license.patch new file mode 100644 index 00000000000..3edb6067731 --- /dev/null +++ b/queue-4.16/rtc-goldfish-add-missing-module_license.patch @@ -0,0 +1,36 @@ +From foo@baz Thu May 24 10:41:16 CEST 2018 +From: James Hogan +Date: Tue, 16 Jan 2018 14:45:21 +0000 +Subject: rtc: goldfish: Add missing MODULE_LICENSE + +From: James Hogan + +[ Upstream commit 82d632b85eb89f97051530f556cb49ee1c04bde7 ] + +Fix the following warning in MIPS allmodconfig by adding a +MODULE_LICENSE() at the end of rtc-goldfish.c, based on the file header +comment which says GNU General Public License version 2: + +WARNING: modpost: missing MODULE_LICENSE() in drivers/rtc/rtc-goldfish.o + +Fixes: f22d9cdcb5eb ("rtc: goldfish: Add RTC driver for Android emulator") +Signed-off-by: James Hogan +Cc: Miodrag Dinic +Cc: Alessandro Zummo +Cc: Alexandre Belloni +Cc: linux-rtc@vger.kernel.org +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-goldfish.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/rtc/rtc-goldfish.c ++++ b/drivers/rtc/rtc-goldfish.c +@@ -235,3 +235,5 @@ static struct platform_driver goldfish_r + }; + + module_platform_driver(goldfish_rtc); ++ ++MODULE_LICENSE("GPL v2"); diff --git a/queue-4.16/rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch b/queue-4.16/rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch new file mode 100644 index 00000000000..6d1deeb0caa --- /dev/null +++ b/queue-4.16/rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch @@ -0,0 +1,45 @@ +From foo@baz Thu May 24 10:41:16 CEST 2018 +From: Alexandre Belloni +Date: Thu, 8 Mar 2018 23:27:31 +0100 +Subject: rtc: hctosys: Ensure system time doesn't overflow time_t + +From: Alexandre Belloni + +[ Upstream commit b3a5ac42ab18b7d1a8f2f072ca0ee76a3b754a43 ] + +On 32bit platforms, time_t is still a signed 32bit long. If it is +overflowed, userspace and the kernel cant agree on the current system time. +This causes multiple issues, in particular with systemd: +https://github.com/systemd/systemd/issues/1143 + +A good workaround is to simply avoid using hctosys which is something I +greatly encourage as the time is better set by userspace. + +However, many distribution enable it and use systemd which is rendering the +system unusable in case the RTC holds a date after 2038 (and more so after +2106). Many drivers have workaround for this case and they should be +eliminated so there is only one place left to fix when userspace is able to +cope with dates after the 31bit overflow. + +Acked-by: Arnd Bergmann +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/hctosys.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/rtc/hctosys.c ++++ b/drivers/rtc/hctosys.c +@@ -49,6 +49,11 @@ static int __init rtc_hctosys(void) + + tv64.tv_sec = rtc_tm_to_time64(&tm); + ++#if BITS_PER_LONG == 32 ++ if (tv64.tv_sec > INT_MAX) ++ goto err_read; ++#endif ++ + err = do_settimeofday64(&tv64); + + dev_info(rtc->dev.parent, diff --git a/queue-4.16/rtc-m41t80-fix-race-conditions.patch b/queue-4.16/rtc-m41t80-fix-race-conditions.patch new file mode 100644 index 00000000000..fa896aaca7d --- /dev/null +++ b/queue-4.16/rtc-m41t80-fix-race-conditions.patch @@ -0,0 +1,139 @@ +From foo@baz Thu May 24 10:41:16 CEST 2018 +From: Alexandre Belloni +Date: Sun, 25 Feb 2018 21:14:31 +0100 +Subject: rtc: m41t80: fix race conditions + +From: Alexandre Belloni + +[ Upstream commit 10d0c768cc6d581523d673b9d1b54213f8a5eb24 ] + +The IRQ is requested before the struct rtc is allocated and registered, but +this struct is used in the IRQ handler, leading to: + +Unable to handle kernel NULL pointer dereference at virtual address 0000017c +pgd = a38a2f9b +[0000017c] *pgd=00000000 +Internal error: Oops: 5 [#1] ARM +Modules linked in: +CPU: 0 PID: 613 Comm: irq/48-m41t80 Not tainted 4.16.0-rc1+ #42 +Hardware name: Atmel SAMA5 +PC is at mutex_lock+0x14/0x38 +LR is at m41t80_handle_irq+0x1c/0x9c +pc : [] lr : [] psr: 20000013 +sp : dec73f30 ip : 00000000 fp : dec56d98 +r10: df437cf0 r9 : c0a03008 r8 : c0145ffc +r7 : df5c4300 r6 : dec568d0 r5 : df593000 r4 : 0000017c +r3 : df592800 r2 : 60000013 r1 : df593000 r0 : 0000017c +Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +Control: 10c53c7d Table: 20004059 DAC: 00000051 +Process irq/48-m41t80 (pid: 613, stack limit = 0xb52d091e) +Stack: (0xdec73f30 to 0xdec74000) +3f20: dec56840 df5c4300 00000001 df5c4300 +3f40: c0145ffc c0146018 dec56840 ffffe000 00000001 c0146290 dec567c0 00000000 +3f60: c0146084 ed7c9a62 c014615c dec56d80 dec567c0 00000000 dec72000 dec56840 +3f80: c014615c c012ffc0 dec72000 dec567c0 c012fe80 00000000 00000000 00000000 +3fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000 +3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 29282726 2d2c2b2a +[] (mutex_lock) from [] (m41t80_handle_irq+0x1c/0x9c) +[] (m41t80_handle_irq) from [] (irq_thread_fn+0x1c/0x54) +[] (irq_thread_fn) from [] (irq_thread+0x134/0x1c0) +[] (irq_thread) from [] (kthread+0x140/0x148) +[] (kthread) from [] (ret_from_fork+0x14/0x2c) +Exception stack(0xdec73fb0 to 0xdec73ff8) +3fa0: 00000000 00000000 00000000 00000000 +3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 +Code: e3c33d7f e3c3303f f5d0f000 e593300c (e1901f9f) +---[ end trace 22b027302eb7c604 ]--- +genirq: exiting task "irq/48-m41t80" (613) is an active IRQ thread (irq 48) + +Also, there is another possible race condition. The probe function is not +allowed to fail after the RTC is registered because the following may +happen: + +CPU0: CPU1: +sys_load_module() + do_init_module() + do_one_initcall() + cmos_do_probe() + rtc_device_register() + __register_chrdev() + cdev->owner = struct module* + open("/dev/rtc0") + rtc_device_unregister() + module_put() + free_module() + module_free(mod->module_core) + /* struct module *module is now + freed */ + chrdev_open() + spin_lock(cdev_lock) + cdev_get() + try_module_get() + module_is_live() + /* dereferences already + freed struct module* */ + +Switch to devm_rtc_allocate_device/rtc_register_device to allocate the rtc +before requesting the IRQ and register it as late as possible. + +Signed-off-by: Alexandre Belloni + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-m41t80.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +--- a/drivers/rtc/rtc-m41t80.c ++++ b/drivers/rtc/rtc-m41t80.c +@@ -885,7 +885,6 @@ static int m41t80_probe(struct i2c_clien + { + struct i2c_adapter *adapter = to_i2c_adapter(client->dev.parent); + int rc = 0; +- struct rtc_device *rtc = NULL; + struct rtc_time tm; + struct m41t80_data *m41t80_data = NULL; + bool wakeup_source = false; +@@ -909,6 +908,10 @@ static int m41t80_probe(struct i2c_clien + m41t80_data->features = id->driver_data; + i2c_set_clientdata(client, m41t80_data); + ++ m41t80_data->rtc = devm_rtc_allocate_device(&client->dev); ++ if (IS_ERR(m41t80_data->rtc)) ++ return PTR_ERR(m41t80_data->rtc); ++ + #ifdef CONFIG_OF + wakeup_source = of_property_read_bool(client->dev.of_node, + "wakeup-source"); +@@ -932,15 +935,11 @@ static int m41t80_probe(struct i2c_clien + device_init_wakeup(&client->dev, true); + } + +- rtc = devm_rtc_device_register(&client->dev, client->name, +- &m41t80_rtc_ops, THIS_MODULE); +- if (IS_ERR(rtc)) +- return PTR_ERR(rtc); ++ m41t80_data->rtc->ops = &m41t80_rtc_ops; + +- m41t80_data->rtc = rtc; + if (client->irq <= 0) { + /* We cannot support UIE mode if we do not have an IRQ line */ +- rtc->uie_unsupported = 1; ++ m41t80_data->rtc->uie_unsupported = 1; + } + + /* Make sure HT (Halt Update) bit is cleared */ +@@ -993,6 +992,11 @@ static int m41t80_probe(struct i2c_clien + if (m41t80_data->features & M41T80_FEATURE_SQ) + m41t80_sqw_register_clk(m41t80_data); + #endif ++ ++ rc = rtc_register_device(m41t80_data->rtc); ++ if (rc) ++ return rc; ++ + return 0; + } + diff --git a/queue-4.16/rtc-rk808-fix-possible-race-condition.patch b/queue-4.16/rtc-rk808-fix-possible-race-condition.patch new file mode 100644 index 00000000000..6a350faf531 --- /dev/null +++ b/queue-4.16/rtc-rk808-fix-possible-race-condition.patch @@ -0,0 +1,77 @@ +From foo@baz Thu May 24 10:41:16 CEST 2018 +From: Alexandre Belloni +Date: Wed, 21 Feb 2018 11:57:05 +0100 +Subject: rtc: rk808: fix possible race condition + +From: Alexandre Belloni + +[ Upstream commit 201fac95e799c3d0304ec724d555e1251b9f6e84 ] + +The probe function is not allowed to fail after registering the RTC because +the following may happen: + +CPU0: CPU1: +sys_load_module() + do_init_module() + do_one_initcall() + cmos_do_probe() + rtc_device_register() + __register_chrdev() + cdev->owner = struct module* + open("/dev/rtc0") + rtc_device_unregister() + module_put() + free_module() + module_free(mod->module_core) + /* struct module *module is now + freed */ + chrdev_open() + spin_lock(cdev_lock) + cdev_get() + try_module_get() + module_is_live() + /* dereferences already + freed struct module* */ + +Switch to devm_rtc_allocate_device/rtc_register_device to register the rtc +as late as possible. + +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-rk808.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/rtc/rtc-rk808.c ++++ b/drivers/rtc/rtc-rk808.c +@@ -416,12 +416,11 @@ static int rk808_rtc_probe(struct platfo + + device_init_wakeup(&pdev->dev, 1); + +- rk808_rtc->rtc = devm_rtc_device_register(&pdev->dev, "rk808-rtc", +- &rk808_rtc_ops, THIS_MODULE); +- if (IS_ERR(rk808_rtc->rtc)) { +- ret = PTR_ERR(rk808_rtc->rtc); +- return ret; +- } ++ rk808_rtc->rtc = devm_rtc_allocate_device(&pdev->dev); ++ if (IS_ERR(rk808_rtc->rtc)) ++ return PTR_ERR(rk808_rtc->rtc); ++ ++ rk808_rtc->rtc->ops = &rk808_rtc_ops; + + rk808_rtc->irq = platform_get_irq(pdev, 0); + if (rk808_rtc->irq < 0) { +@@ -438,9 +437,10 @@ static int rk808_rtc_probe(struct platfo + if (ret) { + dev_err(&pdev->dev, "Failed to request alarm IRQ %d: %d\n", + rk808_rtc->irq, ret); ++ return ret; + } + +- return ret; ++ return rtc_register_device(rk808_rtc->rtc); + } + + static struct platform_driver rk808_rtc_driver = { diff --git a/queue-4.16/rtc-rp5c01-fix-possible-race-condition.patch b/queue-4.16/rtc-rp5c01-fix-possible-race-condition.patch new file mode 100644 index 00000000000..159d46f78fb --- /dev/null +++ b/queue-4.16/rtc-rp5c01-fix-possible-race-condition.patch @@ -0,0 +1,74 @@ +From foo@baz Thu May 24 10:41:16 CEST 2018 +From: Alexandre Belloni +Date: Mon, 12 Feb 2018 23:47:49 +0100 +Subject: rtc: rp5c01: fix possible race condition + +From: Alexandre Belloni + +[ Upstream commit bcdd559268039d8340d38fa58668393596e29fdc ] + +The probe function is not allowed to fail after registering the RTC because +the following may happen: + +CPU0: CPU1: +sys_load_module() + do_init_module() + do_one_initcall() + cmos_do_probe() + rtc_device_register() + __register_chrdev() + cdev->owner = struct module* + open("/dev/rtc0") + rtc_device_unregister() + module_put() + free_module() + module_free(mod->module_core) + /* struct module *module is now + freed */ + chrdev_open() + spin_lock(cdev_lock) + cdev_get() + try_module_get() + module_is_live() + /* dereferences already + freed struct module* */ + +Switch to devm_rtc_allocate_device/rtc_register_device to register the rtc +as late as possible. + +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-rp5c01.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/rtc/rtc-rp5c01.c ++++ b/drivers/rtc/rtc-rp5c01.c +@@ -249,16 +249,24 @@ static int __init rp5c01_rtc_probe(struc + + platform_set_drvdata(dev, priv); + +- rtc = devm_rtc_device_register(&dev->dev, "rtc-rp5c01", &rp5c01_rtc_ops, +- THIS_MODULE); ++ rtc = devm_rtc_allocate_device(&dev->dev); + if (IS_ERR(rtc)) + return PTR_ERR(rtc); ++ ++ rtc->ops = &rp5c01_rtc_ops; ++ + priv->rtc = rtc; + + error = sysfs_create_bin_file(&dev->dev.kobj, &priv->nvram_attr); + if (error) + return error; + ++ error = rtc_register_device(rtc); ++ if (error) { ++ sysfs_remove_bin_file(&dev->dev.kobj, &priv->nvram_attr); ++ return error; ++ } ++ + return 0; + } + diff --git a/queue-4.16/rtc-snvs-fix-usage-of-snvs_rtc_enable.patch b/queue-4.16/rtc-snvs-fix-usage-of-snvs_rtc_enable.patch new file mode 100644 index 00000000000..41923b7fda8 --- /dev/null +++ b/queue-4.16/rtc-snvs-fix-usage-of-snvs_rtc_enable.patch @@ -0,0 +1,91 @@ +From foo@baz Thu May 24 10:41:16 CEST 2018 +From: Bryan O'Donoghue +Date: Wed, 28 Mar 2018 20:14:05 +0100 +Subject: rtc: snvs: Fix usage of snvs_rtc_enable + +From: Bryan O'Donoghue + +[ Upstream commit 1485991c024603b2fb4ae77beb7a0d741128a48e ] + +commit 179a502f8c46 ("rtc: snvs: add Freescale rtc-snvs driver") introduces +the SNVS RTC driver with a function snvs_rtc_enable(). + +snvs_rtc_enable() can return an error on the enable path however this +driver does not currently trap that failure on the probe() path and +consequently if enabling the RTC fails we encounter a later error spinning +forever in rtc_write_sync_lp(). + +[ 36.093481] [] (__irq_svc) from [] (_raw_spin_unlock_irqrestore+0x34/0x44) +[ 36.102122] [] (_raw_spin_unlock_irqrestore) from [] (regmap_read+0x4c/0x5c) +[ 36.110938] [] (regmap_read) from [] (rtc_write_sync_lp+0x6c/0x98) +[ 36.118881] [] (rtc_write_sync_lp) from [] (snvs_rtc_alarm_irq_enable+0x40/0x4c) +[ 36.128041] [] (snvs_rtc_alarm_irq_enable) from [] (rtc_timer_do_work+0xd8/0x1a8) +[ 36.137291] [] (rtc_timer_do_work) from [] (process_one_work+0x28c/0x76c) +[ 36.145840] [] (process_one_work) from [] (worker_thread+0x34/0x58c) +[ 36.153961] [] (worker_thread) from [] (kthread+0x138/0x150) +[ 36.161388] [] (kthread) from [] (ret_from_fork+0x14/0x20) +[ 36.168635] rcu_sched kthread starved for 2602 jiffies! g496 c495 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=0 +[ 36.178564] rcu_sched R running task 0 8 2 0x00000000 +[ 36.185664] [] (__schedule) from [] (schedule+0x3c/0xa0) +[ 36.192739] [] (schedule) from [] (schedule_timeout+0x78/0x4e0) +[ 36.200422] [] (schedule_timeout) from [] (rcu_gp_kthread+0x648/0x1864) +[ 36.208800] [] (rcu_gp_kthread) from [] (kthread+0x138/0x150) +[ 36.216309] [] (kthread) from [] (ret_from_fork+0x14/0x20) + +This patch fixes by parsing the result of rtc_write_sync_lp() and +propagating both in the probe and elsewhere. If the RTC doesn't start we +don't proceed loading the driver and don't get into this loop mess later +on. + +Fixes: 179a502f8c46 ("rtc: snvs: add Freescale rtc-snvs driver") +Signed-off-by: Bryan O'Donoghue +Acked-by: Shawn Guo +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-snvs.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/rtc/rtc-snvs.c ++++ b/drivers/rtc/rtc-snvs.c +@@ -132,20 +132,23 @@ static int snvs_rtc_set_time(struct devi + { + struct snvs_rtc_data *data = dev_get_drvdata(dev); + unsigned long time; ++ int ret; + + rtc_tm_to_time(tm, &time); + + /* Disable RTC first */ +- snvs_rtc_enable(data, false); ++ ret = snvs_rtc_enable(data, false); ++ if (ret) ++ return ret; + + /* Write 32-bit time to 47-bit timer, leaving 15 LSBs blank */ + regmap_write(data->regmap, data->offset + SNVS_LPSRTCLR, time << CNTR_TO_SECS_SH); + regmap_write(data->regmap, data->offset + SNVS_LPSRTCMR, time >> (32 - CNTR_TO_SECS_SH)); + + /* Enable RTC again */ +- snvs_rtc_enable(data, true); ++ ret = snvs_rtc_enable(data, true); + +- return 0; ++ return ret; + } + + static int snvs_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm) +@@ -288,7 +291,11 @@ static int snvs_rtc_probe(struct platfor + regmap_write(data->regmap, data->offset + SNVS_LPSR, 0xffffffff); + + /* Enable RTC */ +- snvs_rtc_enable(data, true); ++ ret = snvs_rtc_enable(data, true); ++ if (ret) { ++ dev_err(&pdev->dev, "failed to enable rtc %d\n", ret); ++ goto error_rtc_device_register; ++ } + + device_init_wakeup(&pdev->dev, true); + diff --git a/queue-4.16/rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch b/queue-4.16/rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch new file mode 100644 index 00000000000..7512931c6e3 --- /dev/null +++ b/queue-4.16/rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch @@ -0,0 +1,48 @@ +From foo@baz Thu May 24 10:41:16 CEST 2018 +From: Colin Ian King +Date: Thu, 15 Feb 2018 19:36:14 +0000 +Subject: rtc: tx4939: avoid unintended sign extension on a 24 bit shift + +From: Colin Ian King + +[ Upstream commit 347876ad47b9923ce26e686173bbf46581802ffa ] + +The shifting of buf[5] by 24 bits to the left will be promoted to +a 32 bit signed int and then sign-extended to an unsigned long. If +the top bit of buf[5] is set then all then all the upper bits sec +end up as also being set because of the sign-extension. Fix this by +casting buf[5] to an unsigned long before the shift. + +Detected by CoverityScan, CID#1465292 ("Unintended sign extension") + +Fixes: 0e1492330cd2 ("rtc: add rtc-tx4939 driver") +Signed-off-by: Colin Ian King +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-tx4939.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/rtc/rtc-tx4939.c ++++ b/drivers/rtc/rtc-tx4939.c +@@ -86,7 +86,8 @@ static int tx4939_rtc_read_time(struct d + for (i = 2; i < 6; i++) + buf[i] = __raw_readl(&rtcreg->dat); + spin_unlock_irq(&pdata->lock); +- sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2]; ++ sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) | ++ (buf[3] << 8) | buf[2]; + rtc_time_to_tm(sec, tm); + return rtc_valid_tm(tm); + } +@@ -147,7 +148,8 @@ static int tx4939_rtc_read_alarm(struct + alrm->enabled = (ctl & TX4939_RTCCTL_ALME) ? 1 : 0; + alrm->pending = (ctl & TX4939_RTCCTL_ALMD) ? 1 : 0; + spin_unlock_irq(&pdata->lock); +- sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2]; ++ sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) | ++ (buf[3] << 8) | buf[2]; + rtc_time_to_tm(sec, &alrm->time); + return rtc_valid_tm(&alrm->time); + } diff --git a/queue-4.16/serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch b/queue-4.16/serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch new file mode 100644 index 00000000000..6ea5ca00dc5 --- /dev/null +++ b/queue-4.16/serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch @@ -0,0 +1,39 @@ +From foo@baz Thu May 24 10:41:16 CEST 2018 +From: Vignesh R +Date: Thu, 8 Feb 2018 18:25:41 +0530 +Subject: serial: 8250: Don't service RX FIFO if interrupts are disabled + +From: Vignesh R + +[ Upstream commit 2e9fe539108320820016f78ca7704a7342788380 ] + +Currently, data in RX FIFO is read based on UART_LSR register state even +if RDI and RLSI interrupts are disabled in UART_IER register. +This is because when IRQ handler is called due to TX FIFO empty event, +RX FIFO is serviced based on UART_LSR register status instead of +UART_IIR status. This defeats the purpose of disabling UART RX +FIFO interrupts during throttling(see, omap_8250_throttle()) as IRQ +handler continues to drain UART RX FIFO resulting in overflow of buffer +at tty layer. +Fix this by making sure that driver drains UART RX FIFO only when +UART_IIR_RDI is set along with UART_LSR_BI or UART_LSR_DR bits. + +Signed-off-by: Vignesh R +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_port.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -1867,7 +1867,8 @@ int serial8250_handle_irq(struct uart_po + + status = serial_port_in(port, UART_LSR); + +- if (status & (UART_LSR_DR | UART_LSR_BI)) { ++ if (status & (UART_LSR_DR | UART_LSR_BI) && ++ iir & UART_IIR_RDI) { + if (!up->dma || handle_rx_dma(up, iir)) + status = serial8250_rx_chars(up, status); + } diff --git a/queue-4.16/serial-altera-ensure-port-regshift-is-honored-consistently.patch b/queue-4.16/serial-altera-ensure-port-regshift-is-honored-consistently.patch new file mode 100644 index 00000000000..1c5aebf4859 --- /dev/null +++ b/queue-4.16/serial-altera-ensure-port-regshift-is-honored-consistently.patch @@ -0,0 +1,70 @@ +From foo@baz Thu May 24 10:41:16 CEST 2018 +From: "Uwe Kleine-König" +Date: Thu, 25 Jan 2018 14:30:43 +0100 +Subject: serial: altera: ensure port->regshift is honored consistently + +From: "Uwe Kleine-König" + +[ Upstream commit 0e254963b6ba4d63ac911e79537fea38dd03dc50 ] + +Most register accesses in the altera driver honor port->regshift by +using altera_uart_writel(). There are a few accesses however that were +missed when the driver was converted to use port->regshift and some +others were added later in commit 4d9d7d896d77 ("serial: altera_uart: +add earlycon support"). + +Fixes: 2780ad42f5fe ("tty: serial: altera_uart: Use port->regshift to store bus shift") +Signed-off-by: Uwe Kleine-König +Acked-by: Tobias Klauser +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/altera_uart.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/tty/serial/altera_uart.c ++++ b/drivers/tty/serial/altera_uart.c +@@ -327,7 +327,7 @@ static int altera_uart_startup(struct ua + + /* Enable RX interrupts now */ + pp->imr = ALTERA_UART_CONTROL_RRDY_MSK; +- writel(pp->imr, port->membase + ALTERA_UART_CONTROL_REG); ++ altera_uart_writel(port, pp->imr, ALTERA_UART_CONTROL_REG); + + spin_unlock_irqrestore(&port->lock, flags); + +@@ -343,7 +343,7 @@ static void altera_uart_shutdown(struct + + /* Disable all interrupts now */ + pp->imr = 0; +- writel(pp->imr, port->membase + ALTERA_UART_CONTROL_REG); ++ altera_uart_writel(port, pp->imr, ALTERA_UART_CONTROL_REG); + + spin_unlock_irqrestore(&port->lock, flags); + +@@ -432,7 +432,7 @@ static void altera_uart_console_putc(str + ALTERA_UART_STATUS_TRDY_MSK)) + cpu_relax(); + +- writel(c, port->membase + ALTERA_UART_TXDATA_REG); ++ altera_uart_writel(port, c, ALTERA_UART_TXDATA_REG); + } + + static void altera_uart_console_write(struct console *co, const char *s, +@@ -502,13 +502,13 @@ static int __init altera_uart_earlycon_s + return -ENODEV; + + /* Enable RX interrupts now */ +- writel(ALTERA_UART_CONTROL_RRDY_MSK, +- port->membase + ALTERA_UART_CONTROL_REG); ++ altera_uart_writel(port, ALTERA_UART_CONTROL_RRDY_MSK, ++ ALTERA_UART_CONTROL_REG); + + if (dev->baud) { + unsigned int baudclk = port->uartclk / dev->baud; + +- writel(baudclk, port->membase + ALTERA_UART_DIVISOR_REG); ++ altera_uart_writel(port, baudclk, ALTERA_UART_DIVISOR_REG); + } + + dev->con->write = altera_uart_earlycon_write; diff --git a/queue-4.16/serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch b/queue-4.16/serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch new file mode 100644 index 00000000000..458d9122957 --- /dev/null +++ b/queue-4.16/serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch @@ -0,0 +1,40 @@ +From foo@baz Thu May 24 10:41:16 CEST 2018 +From: Geert Uytterhoeven +Date: Fri, 23 Feb 2018 14:38:29 +0100 +Subject: serial: arc_uart: Fix out-of-bounds access through DT alias + +From: Geert Uytterhoeven + +[ Upstream commit f9f5786987e81d166c60833edcb7d1836aa16944 ] + +The arc_uart_ports[] array is indexed using a value derived from the +"serialN" alias in DT, which may lead to an out-of-bounds access. + +Fix this by adding a range check. + +Note that the array size is defined by a Kconfig symbol +(CONFIG_SERIAL_ARC_NR_PORTS), so this can even be triggered using a +legitimate DTB. + +Fixes: ea28fd56fcde69af ("serial/arc-uart: switch to devicetree based probing") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/arc_uart.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/tty/serial/arc_uart.c ++++ b/drivers/tty/serial/arc_uart.c +@@ -593,6 +593,11 @@ static int arc_serial_probe(struct platf + if (dev_id < 0) + dev_id = 0; + ++ if (dev_id >= ARRAY_SIZE(arc_uart_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", dev_id); ++ return -EINVAL; ++ } ++ + uart = &arc_uart_ports[dev_id]; + port = &uart->port; + diff --git a/queue-4.16/serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch b/queue-4.16/serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch new file mode 100644 index 00000000000..63f36fc9e58 --- /dev/null +++ b/queue-4.16/serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch @@ -0,0 +1,35 @@ +From foo@baz Thu May 24 10:41:16 CEST 2018 +From: Geert Uytterhoeven +Date: Fri, 23 Feb 2018 14:38:30 +0100 +Subject: serial: fsl_lpuart: Fix out-of-bounds access through DT alias + +From: Geert Uytterhoeven + +[ Upstream commit ffab87fdecc655cc676f8be8dd1a2c5e22bd6d47 ] + +The lpuart_ports[] array is indexed using a value derived from the +"serialN" alias in DT, which may lead to an out-of-bounds access. + +Fix this by adding a range check. + +Fixes: c9e2e946fb0ba5d2 ("tty: serial: add Freescale lpuart driver support") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/fsl_lpuart.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -2145,6 +2145,10 @@ static int lpuart_probe(struct platform_ + dev_err(&pdev->dev, "failed to get alias id, errno %d\n", ret); + return ret; + } ++ if (ret >= ARRAY_SIZE(lpuart_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", ret); ++ return -EINVAL; ++ } + sport->port.line = ret; + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + sport->port.membase = devm_ioremap_resource(&pdev->dev, res); diff --git a/queue-4.16/serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch b/queue-4.16/serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch new file mode 100644 index 00000000000..5e8606f493e --- /dev/null +++ b/queue-4.16/serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch @@ -0,0 +1,39 @@ +From foo@baz Thu May 24 10:41:16 CEST 2018 +From: Geert Uytterhoeven +Date: Fri, 23 Feb 2018 14:38:31 +0100 +Subject: serial: imx: Fix out-of-bounds access through serial port index + +From: Geert Uytterhoeven + +[ Upstream commit 5673444821406dda5fc25e4b52aca419f8065a19 ] + +The imx_ports[] array is indexed using a value derived from the +"serialN" alias in DT, or from platform data, which may lead to an +out-of-bounds access. + +Fix this by adding a range check. + +Fixes: ff05967a07225ab6 ("serial/imx: add of_alias_get_id() reference back") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Uwe Kleine-König +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/imx.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -2042,6 +2042,12 @@ static int serial_imx_probe(struct platf + else if (ret < 0) + return ret; + ++ if (sport->port.line >= ARRAY_SIZE(imx_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", ++ sport->port.line); ++ return -EINVAL; ++ } ++ + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + base = devm_ioremap_resource(&pdev->dev, res); + if (IS_ERR(base)) diff --git a/queue-4.16/serial-mvebu-uart-fix-tx-lost-characters.patch b/queue-4.16/serial-mvebu-uart-fix-tx-lost-characters.patch new file mode 100644 index 00000000000..6df0c9e2c7f --- /dev/null +++ b/queue-4.16/serial-mvebu-uart-fix-tx-lost-characters.patch @@ -0,0 +1,38 @@ +From foo@baz Thu May 24 10:41:16 CEST 2018 +From: Gabriel Matni +Date: Thu, 22 Mar 2018 19:15:12 +0000 +Subject: serial: mvebu-uart: fix tx lost characters + +From: Gabriel Matni + +[ Upstream commit c685af1108d7c303f0b901413405d68eaeac4477 ] + +Fixes missing characters on kernel console at low baud rates (i.e.9600). +The driver should poll TX_RDY or TX_FIFO_EMP instead of TX_EMP to ensure +that the transmitter holding register (THR) is ready to receive a new byte. + +TX_EMP tells us when it is possible to send a break sequence via +SND_BRK_SEQ. While this also indicates that both the THR and the TSR are +empty, it does not guarantee that a new byte can be written just yet. + +Fixes: 30530791a7a0 ("serial: mvebu-uart: initial support for Armada-3700 serial port") +Reviewed-by: Miquel Raynal +Acked-by: Gregory CLEMENT +Signed-off-by: Gabriel Matni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/mvebu-uart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/mvebu-uart.c ++++ b/drivers/tty/serial/mvebu-uart.c +@@ -617,7 +617,7 @@ static void wait_for_xmitr(struct uart_p + u32 val; + + readl_poll_timeout_atomic(port->membase + UART_STAT, val, +- (val & STAT_TX_EMP), 1, 10000); ++ (val & STAT_TX_RDY(port)), 1, 10000); + } + + static void mvebu_uart_console_putchar(struct uart_port *port, int ch) diff --git a/queue-4.16/serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch b/queue-4.16/serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch new file mode 100644 index 00000000000..a193085b6e8 --- /dev/null +++ b/queue-4.16/serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch @@ -0,0 +1,36 @@ +From foo@baz Thu May 24 10:41:16 CEST 2018 +From: Geert Uytterhoeven +Date: Fri, 23 Feb 2018 14:38:32 +0100 +Subject: serial: mxs-auart: Fix out-of-bounds access through serial port index + +From: Geert Uytterhoeven + +[ Upstream commit dd345a31bfdec350d2593e6de5964e55c7f19c76 ] + +The auart_port[] array is indexed using a value derived from the +"serialN" alias in DT, or from platform data, which may lead to an +out-of-bounds access. + +Fix this by adding a range check. + +Fixes: 1ea6607d4cdc9179 ("serial: mxs-auart: Allow device tree probing") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/mxs-auart.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/tty/serial/mxs-auart.c ++++ b/drivers/tty/serial/mxs-auart.c +@@ -1663,6 +1663,10 @@ static int mxs_auart_probe(struct platfo + s->port.line = pdev->id < 0 ? 0 : pdev->id; + else if (ret < 0) + return ret; ++ if (s->port.line >= ARRAY_SIZE(auart_port)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", s->port.line); ++ return -EINVAL; ++ } + + if (of_id) { + pdev->id_entry = of_id->data; diff --git a/queue-4.16/serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch b/queue-4.16/serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch new file mode 100644 index 00000000000..c1dcbbe6a6f --- /dev/null +++ b/queue-4.16/serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch @@ -0,0 +1,40 @@ +From foo@baz Thu May 24 10:41:16 CEST 2018 +From: Geert Uytterhoeven +Date: Fri, 23 Feb 2018 14:38:34 +0100 +Subject: serial: samsung: Fix out-of-bounds access through serial port index + +From: Geert Uytterhoeven + +[ Upstream commit 49ee23b71877831ac087d6083f6f397dc19c9664 ] + +The s3c24xx_serial_ports[] array is indexed using a value derived from +the "serialN" alias in DT, or from an incrementing probe index, which +may lead to an out-of-bounds access. + +Fix this by adding a range check. + +Note that the array size is defined by a Kconfig symbol +(CONFIG_SERIAL_SAMSUNG_UARTS), so this can even be triggered using +a legitimate DTB or legitimate board code. + +Fixes: 13a9f6c64fdc55eb ("serial: samsung: Consider DT alias when probing ports") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/samsung.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -1818,6 +1818,10 @@ static int s3c24xx_serial_probe(struct p + + dbg("s3c24xx_serial_probe(%p) %d\n", pdev, index); + ++ if (index >= ARRAY_SIZE(s3c24xx_serial_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", index); ++ return -EINVAL; ++ } + ourport = &s3c24xx_serial_ports[index]; + + ourport->drv_data = s3c24xx_get_driver_data(pdev); diff --git a/queue-4.16/serial-sh-sci-fix-out-of-bounds-access-through-dt-alias.patch b/queue-4.16/serial-sh-sci-fix-out-of-bounds-access-through-dt-alias.patch new file mode 100644 index 00000000000..3c9e96c3936 --- /dev/null +++ b/queue-4.16/serial-sh-sci-fix-out-of-bounds-access-through-dt-alias.patch @@ -0,0 +1,39 @@ +From foo@baz Thu May 24 10:41:16 CEST 2018 +From: Geert Uytterhoeven +Date: Fri, 23 Feb 2018 14:38:35 +0100 +Subject: serial: sh-sci: Fix out-of-bounds access through DT alias + +From: Geert Uytterhoeven + +[ Upstream commit 090fa4b0dccfa3d04e1c5ab0fe4eba16e6713895 ] + +The sci_ports[] array is indexed using a value derived from the +"serialN" alias in DT, which may lead to an out-of-bounds access. + +Fix this by adding a range check. + +Note that the array size is defined by a Kconfig symbol +(CONFIG_SERIAL_SH_SCI_NR_UARTS), so this can even be triggered using a +legitimate DTB. + +Fixes: 97ed9790c514066b ("serial: sh-sci: Remove unused platform data capabilities field") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sh-sci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -3098,6 +3098,10 @@ static struct plat_sci_port *sci_parse_d + dev_err(&pdev->dev, "failed to get alias id (%d)\n", id); + return NULL; + } ++ if (id >= ARRAY_SIZE(sci_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", id); ++ return NULL; ++ } + + sp = &sci_ports[id]; + *dev_id = id; diff --git a/queue-4.16/serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch b/queue-4.16/serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch new file mode 100644 index 00000000000..86b664fda87 --- /dev/null +++ b/queue-4.16/serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch @@ -0,0 +1,34 @@ +From foo@baz Thu May 24 10:41:16 CEST 2018 +From: Geert Uytterhoeven +Date: Fri, 23 Feb 2018 14:38:37 +0100 +Subject: serial: xuartps: Fix out-of-bounds access through DT alias + +From: Geert Uytterhoeven + +[ Upstream commit e7d75e18d0fc3f7193b65282b651f980c778d935 ] + +The cdns_uart_port[] array is indexed using a value derived from the +"serialN" alias in DT, which may lead to an out-of-bounds access. + +Fix this by adding a range check. + +Fixes: 928e9263492069ee ("tty: xuartps: Initialize ports according to aliases") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Michal Simek +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/xilinx_uartps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -1110,7 +1110,7 @@ static struct uart_port *cdns_uart_get_p + struct uart_port *port; + + /* Try the given port id if failed use default method */ +- if (cdns_uart_port[id].mapbase != 0) { ++ if (id < CDNS_UART_NR_PORTS && cdns_uart_port[id].mapbase != 0) { + /* Find the next unused port */ + for (id = 0; id < CDNS_UART_NR_PORTS; id++) + if (cdns_uart_port[id].mapbase == 0) diff --git a/queue-4.16/series b/queue-4.16/series index 811660e243c..61c1affac9b 100644 --- a/queue-4.16/series +++ b/queue-4.16/series @@ -142,3 +142,20 @@ media-i2c-adv748x-fix-hdmi-field-heights.patch media-vb2-fix-videobuf2-to-map-correct-area.patch media-vivid-fix-incorrect-capabilities-for-radio.patch media-cx25821-prevent-out-of-bounds-read-on-array-card.patch +serial-mvebu-uart-fix-tx-lost-characters.patch +serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch +serial-sh-sci-fix-out-of-bounds-access-through-dt-alias.patch +serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch +serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch +serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch +serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch +serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch +serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch +serial-altera-ensure-port-regshift-is-honored-consistently.patch +rtc-snvs-fix-usage-of-snvs_rtc_enable.patch +rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch +rtc-rk808-fix-possible-race-condition.patch +rtc-m41t80-fix-race-conditions.patch +rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch +rtc-rp5c01-fix-possible-race-condition.patch +rtc-goldfish-add-missing-module_license.patch