From: Greg Kroah-Hartman Date: Sat, 2 May 2015 12:51:36 +0000 (+0200) Subject: 4.0-stable patches X-Git-Tag: v3.10.77~50 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4cbecc487ee44dff26d16883eca441628e525f2d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.0-stable patches added patches: arm-8320-1-fix-integer-overflow-in-elf_et_dyn_base.patch arm-at91-dt-sama5d3-xplained-add-phy-address-for-macb1.patch arm-dts-dove-fix-uart-reg-property.patch arm-dts-fix-mmc-node-updates-for-exynos5250-spring.patch arm-fix-broken-hibernation.patch arm-mvebu-disable-cpu-idle-on-armada-38x.patch arm-s3c64xx-use-fixed-irq-bases-to-avoid-conflicts-on-cragganmore.patch cdc-wdm-fix-endianness-bug-in-debug-statements.patch compal-laptop-check-return-value-of-power_supply_register.patch compal-laptop-fix-leaking-hwmon-device.patch drivers-base-cacheinfo-validate-device-node-for-all-the-caches.patch hid-add-hp-oem-mouse-to-quirk-always_poll.patch hid-add-quirk-for-pixart-oem-mouse-used-by-hp.patch md-raid0-fix-bug-with-chunksize-not-a-power-of-2.patch megaraid_sas-use-raw_smp_processor_id.patch mmc-sunxi-use-devm_reset_control_get_optional-for-reset-control.patch mmc-tmio-remove-bogus-un-initialization-in-tmio_mmc_host_free.patch nfs-fix-bug-crash-in-notify_change-with-patch-to-chown_common.patch power_supply-ipaq_micro_battery-check-return-values-in-probe.patch power_supply-ipaq_micro_battery-fix-leaking-workqueue.patch power_supply-lp8788-charger-fix-leaked-power-supply-on-probe-fail.patch power_supply-twl4030_madc-check-return-value-of-power_supply_register.patch ring-buffer-replace-this_cpu_-with-__this_cpu_.patch spi-imx-read-back-the-rx-tx-watermark-levels-earlier.patch spi-spidev-fix-possible-arithmetic-overflow-for-multi-transfer-message.patch staging-android-sync-fix-memory-corruption-in-sync_timeline_signal.patch staging-panel-fix-lcd-type.patch staging-vt6655-use-ieee80211_tx_info-to-select-packet-type.patch usb-define-a-generic-usb_resume_timeout-macro.patch usb-musb-core-fix-tx-rx-endpoint-order.patch usb-phy-find-the-right-match-in-devm_usb_phy_match.patch --- diff --git a/queue-4.0/arm-8320-1-fix-integer-overflow-in-elf_et_dyn_base.patch b/queue-4.0/arm-8320-1-fix-integer-overflow-in-elf_et_dyn_base.patch new file mode 100644 index 00000000000..383cc02a0a6 --- /dev/null +++ b/queue-4.0/arm-8320-1-fix-integer-overflow-in-elf_et_dyn_base.patch @@ -0,0 +1,48 @@ +From 8defb3367fcd19d1af64c07792aade0747b54e0f Mon Sep 17 00:00:00 2001 +From: Andrey Ryabinin +Date: Fri, 20 Mar 2015 15:42:27 +0100 +Subject: ARM: 8320/1: fix integer overflow in ELF_ET_DYN_BASE + +From: Andrey Ryabinin + +commit 8defb3367fcd19d1af64c07792aade0747b54e0f upstream. + +Usually ELF_ET_DYN_BASE is 2/3 of TASK_SIZE. With 3G/1G user/kernel +split this is not so, because 2*TASK_SIZE overflows 32 bits, +so the actual value of ELF_ET_DYN_BASE is: + (2 * TASK_SIZE / 3) = 0x2a000000 + +When ASLR is disabled PIE binaries will load at ELF_ET_DYN_BASE address. +On 32bit platforms AddressSanitzer uses addresses [0x20000000 - 0x40000000] +for shadow memory [1]. So ASan doesn't work for PIE binaries when ASLR disabled +as it fails to map shadow memory. +Also after Kees's 'split ET_DYN ASLR from mmap ASLR' patchset PIE binaries +has a high chance of loading somewhere in between [0x2a000000 - 0x40000000] +even if ASLR enabled. This makes ASan with PIE absolutely incompatible. + +Fix overflow by dividing TASK_SIZE prior to multiplying. +After this patch ELF_ET_DYN_BASE equals to (for CONFIG_VMSPLIT_3G=y): + (TASK_SIZE / 3 * 2) = 0x7f555554 + +[1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm#Mapping + +Signed-off-by: Andrey Ryabinin +Reported-by: Maria Guseva +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/include/asm/elf.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/include/asm/elf.h ++++ b/arch/arm/include/asm/elf.h +@@ -115,7 +115,7 @@ int dump_task_regs(struct task_struct *t + the loader. We need to make sure that it is out of the way of the program + that it will "exec", and that there is sufficient room for the brk. */ + +-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3) ++#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2) + + /* When the program starts, a1 contains a pointer to a function to be + registered with atexit, as per the SVR4 ABI. A value of 0 means we diff --git a/queue-4.0/arm-at91-dt-sama5d3-xplained-add-phy-address-for-macb1.patch b/queue-4.0/arm-at91-dt-sama5d3-xplained-add-phy-address-for-macb1.patch new file mode 100644 index 00000000000..75792bcf651 --- /dev/null +++ b/queue-4.0/arm-at91-dt-sama5d3-xplained-add-phy-address-for-macb1.patch @@ -0,0 +1,41 @@ +From 98b80987c940956da48f0c703f60340128bb8521 Mon Sep 17 00:00:00 2001 +From: Nicolas Ferre +Date: Tue, 31 Mar 2015 10:56:10 +0200 +Subject: ARM: at91/dt: sama5d3 xplained: add phy address for macb1 + +From: Nicolas Ferre + +commit 98b80987c940956da48f0c703f60340128bb8521 upstream. + +After 57a38effa598 (net: phy: micrel: disable broadcast for KSZ8081/KSZ8091) +the macb1 interface refuses to work properly because it tries +to cling to address 0 which isn't able to communicate in broadcast with +the mac anymore. The micrel phy on the board is actually configured +to show up at address 1. +Adding the phy node and its real address fixes the issue. + +Signed-off-by: Nicolas Ferre +Cc: Johan Hovold +Signed-off-by: Olof Johansson +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/at91-sama5d3_xplained.dts | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/arm/boot/dts/at91-sama5d3_xplained.dts ++++ b/arch/arm/boot/dts/at91-sama5d3_xplained.dts +@@ -167,7 +167,13 @@ + + macb1: ethernet@f802c000 { + phy-mode = "rmii"; ++ #address-cells = <1>; ++ #size-cells = <0>; + status = "okay"; ++ ++ ethernet-phy@1 { ++ reg = <0x1>; ++ }; + }; + + dbgu: serial@ffffee00 { diff --git a/queue-4.0/arm-dts-dove-fix-uart-reg-property.patch b/queue-4.0/arm-dts-dove-fix-uart-reg-property.patch new file mode 100644 index 00000000000..a6ae9148ad6 --- /dev/null +++ b/queue-4.0/arm-dts-dove-fix-uart-reg-property.patch @@ -0,0 +1,41 @@ +From a74cd13b807029397f7232449df929bac11fb228 Mon Sep 17 00:00:00 2001 +From: Sebastian Hesselbarth +Date: Tue, 17 Feb 2015 19:52:04 +0100 +Subject: ARM: dts: dove: Fix uart[23] reg property + +From: Sebastian Hesselbarth + +commit a74cd13b807029397f7232449df929bac11fb228 upstream. + +Fix Dove's register addresses of uart2 and uart3 nodes that seem to +be broken since ages due to a copy-and-paste error. + +Signed-off-by: Sebastian Hesselbarth +Acked-by: Gregory CLEMENT +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/dove.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/dove.dtsi ++++ b/arch/arm/boot/dts/dove.dtsi +@@ -154,7 +154,7 @@ + + uart2: serial@12200 { + compatible = "ns16550a"; +- reg = <0x12000 0x100>; ++ reg = <0x12200 0x100>; + reg-shift = <2>; + interrupts = <9>; + clocks = <&core_clk 0>; +@@ -163,7 +163,7 @@ + + uart3: serial@12300 { + compatible = "ns16550a"; +- reg = <0x12100 0x100>; ++ reg = <0x12300 0x100>; + reg-shift = <2>; + interrupts = <10>; + clocks = <&core_clk 0>; diff --git a/queue-4.0/arm-dts-fix-mmc-node-updates-for-exynos5250-spring.patch b/queue-4.0/arm-dts-fix-mmc-node-updates-for-exynos5250-spring.patch new file mode 100644 index 00000000000..a115ef40b3a --- /dev/null +++ b/queue-4.0/arm-dts-fix-mmc-node-updates-for-exynos5250-spring.patch @@ -0,0 +1,72 @@ +From 7e9e20b1faab02357501553d7f4e3efec1b4cfd3 Mon Sep 17 00:00:00 2001 +From: Andreas Faerber +Date: Wed, 18 Mar 2015 01:25:18 +0900 +Subject: ARM: dts: fix mmc node updates for exynos5250-spring + +From: Andreas Faerber + +commit 7e9e20b1faab02357501553d7f4e3efec1b4cfd3 upstream. + +Resolve a merge conflict with mmc refactoring aaa25a5a33cb ("ARM: dts: +unuse the slot-node and deprecate the supports-highspeed for dw-mmc in +exynos") by dropping the slot@0 nodes, moving its bus-width property to +the mmc node and replacing supports-highspeed with cap-{mmc,sd}-highspeed, +matching exynos5250-snow. + +Cc: Jaehoon Chung +Fixes: 53dd4138bb0a ("ARM: dts: Add exynos5250-spring device tree") +Signed-off-by: Andreas Faerber +Reviewed-by: Javier Martinez Canillas +Signed-off-by: Kukjin Kim +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/exynos5250-spring.dts | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +--- a/arch/arm/boot/dts/exynos5250-spring.dts ++++ b/arch/arm/boot/dts/exynos5250-spring.dts +@@ -429,7 +429,6 @@ + &mmc_0 { + status = "okay"; + num-slots = <1>; +- supports-highspeed; + broken-cd; + card-detect-delay = <200>; + samsung,dw-mshc-ciu-div = <3>; +@@ -437,11 +436,8 @@ + samsung,dw-mshc-ddr-timing = <1 2>; + pinctrl-names = "default"; + pinctrl-0 = <&sd0_clk &sd0_cmd &sd0_cd &sd0_bus4 &sd0_bus8>; +- +- slot@0 { +- reg = <0>; +- bus-width = <8>; +- }; ++ bus-width = <8>; ++ cap-mmc-highspeed; + }; + + /* +@@ -451,7 +447,6 @@ + &mmc_1 { + status = "okay"; + num-slots = <1>; +- supports-highspeed; + broken-cd; + card-detect-delay = <200>; + samsung,dw-mshc-ciu-div = <3>; +@@ -459,11 +454,8 @@ + samsung,dw-mshc-ddr-timing = <1 2>; + pinctrl-names = "default"; + pinctrl-0 = <&sd1_clk &sd1_cmd &sd1_cd &sd1_bus4>; +- +- slot@0 { +- reg = <0>; +- bus-width = <4>; +- }; ++ bus-width = <4>; ++ cap-sd-highspeed; + }; + + &pinctrl_0 { diff --git a/queue-4.0/arm-fix-broken-hibernation.patch b/queue-4.0/arm-fix-broken-hibernation.patch new file mode 100644 index 00000000000..e28ca1fa5c5 --- /dev/null +++ b/queue-4.0/arm-fix-broken-hibernation.patch @@ -0,0 +1,150 @@ +From 767bf7e7a1e82a81c59778348d156993d0a6175d Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Wed, 1 Apr 2015 16:20:39 +0100 +Subject: ARM: fix broken hibernation + +From: Russell King + +commit 767bf7e7a1e82a81c59778348d156993d0a6175d upstream. + +Normally, when a CPU wants to clear a cache line to zero in the external +L2 cache, it would generate bus cycles to write each word as it would do +with any other data access. + +However, a Cortex A9 connected to a L2C-310 has a specific feature where +the CPU can detect this operation, and signal that it wants to zero an +entire cache line. This feature, known as Full Line of Zeros (FLZ), +involves a non-standard AXI signalling mechanism which only the L2C-310 +can properly interpret. + +There are separate enable bits in both the L2C-310 and the Cortex A9 - +the L2C-310 needs to be enabled and have the FLZ enable bit set in the +auxiliary control register before the Cortex A9 has this feature +enabled. + +Unfortunately, the suspend code was not respecting this - it's not +obvious from the code: + +swsusp_arch_suspend() + cpu_suspend() /* saves the Cortex A9 auxiliary control register */ + arch_save_image() + soft_restart() /* turns off FLZ in Cortex A9, and disables L2C */ + cpu_resume() /* restores the Cortex A9 registers, inc auxcr */ + +At this point, we end up with the L2C disabled, but the Cortex A9 with +FLZ enabled - which means any memset() or zeroing of a full cache line +will fail to take effect. + +A similar issue exists in the resume path, but it's slightly more +complex: + +swsusp_arch_suspend() + cpu_suspend() /* saves the Cortex A9 auxiliary control register */ + arch_save_image() /* image with A9 auxcr saved */ +... +swsusp_arch_resume() + call_with_stack() + arch_restore_image() /* restores image with A9 auxcr saved above */ + soft_restart() /* turns off FLZ in Cortex A9, and disables L2C */ + cpu_resume() /* restores the Cortex A9 registers, inc auxcr */ + +Again, here we end up with the L2C disabled, but Cortex A9 FLZ enabled. + +There's no need to turn off the L2C in either of these two paths; there +are benefits from not doing so - for example, the page copies will be +faster with the L2C enabled. + +Hence, fix this by providing a variant of soft_restart() which can be +used without turning the L2 cache controller off, and use it in both +of these paths to keep the L2C enabled across the respective resume +transitions. + +Fixes: 8ef418c7178f ("ARM: l2c: trial at enabling some Cortex-A9 optimisations") +Reported-by: Sean Cross +Tested-by: Sean Cross +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kernel/hibernate.c | 5 +++-- + arch/arm/kernel/process.c | 10 ++++++++-- + arch/arm/kernel/reboot.h | 6 ++++++ + 3 files changed, 17 insertions(+), 4 deletions(-) + +--- a/arch/arm/kernel/hibernate.c ++++ b/arch/arm/kernel/hibernate.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include "reboot.h" + + int pfn_is_nosave(unsigned long pfn) + { +@@ -61,7 +62,7 @@ static int notrace arch_save_image(unsig + + ret = swsusp_save(); + if (ret == 0) +- soft_restart(virt_to_phys(cpu_resume)); ++ _soft_restart(virt_to_phys(cpu_resume), false); + return ret; + } + +@@ -86,7 +87,7 @@ static void notrace arch_restore_image(v + for (pbe = restore_pblist; pbe; pbe = pbe->next) + copy_page(pbe->orig_address, pbe->address); + +- soft_restart(virt_to_phys(cpu_resume)); ++ _soft_restart(virt_to_phys(cpu_resume), false); + } + + static u64 resume_stack[PAGE_SIZE/2/sizeof(u64)] __nosavedata; +--- a/arch/arm/kernel/process.c ++++ b/arch/arm/kernel/process.c +@@ -41,6 +41,7 @@ + #include + #include + #include ++#include "reboot.h" + + #ifdef CONFIG_CC_STACKPROTECTOR + #include +@@ -95,7 +96,7 @@ static void __soft_restart(void *addr) + BUG(); + } + +-void soft_restart(unsigned long addr) ++void _soft_restart(unsigned long addr, bool disable_l2) + { + u64 *stack = soft_restart_stack + ARRAY_SIZE(soft_restart_stack); + +@@ -104,7 +105,7 @@ void soft_restart(unsigned long addr) + local_fiq_disable(); + + /* Disable the L2 if we're the last man standing. */ +- if (num_online_cpus() == 1) ++ if (disable_l2) + outer_disable(); + + /* Change to the new stack and continue with the reset. */ +@@ -114,6 +115,11 @@ void soft_restart(unsigned long addr) + BUG(); + } + ++void soft_restart(unsigned long addr) ++{ ++ _soft_restart(addr, num_online_cpus() == 1); ++} ++ + /* + * Function pointers to optional machine specific functions + */ +--- /dev/null ++++ b/arch/arm/kernel/reboot.h +@@ -0,0 +1,6 @@ ++#ifndef REBOOT_H ++#define REBOOT_H ++ ++extern void _soft_restart(unsigned long addr, bool disable_l2); ++ ++#endif diff --git a/queue-4.0/arm-mvebu-disable-cpu-idle-on-armada-38x.patch b/queue-4.0/arm-mvebu-disable-cpu-idle-on-armada-38x.patch new file mode 100644 index 00000000000..e4290601e94 --- /dev/null +++ b/queue-4.0/arm-mvebu-disable-cpu-idle-on-armada-38x.patch @@ -0,0 +1,64 @@ +From 548ae94c1cc7fc120848757249b9a542b1080ffb Mon Sep 17 00:00:00 2001 +From: Gregory CLEMENT +Date: Fri, 30 Jan 2015 12:34:25 +0100 +Subject: ARM: mvebu: Disable CPU Idle on Armada 38x + +From: Gregory CLEMENT + +commit 548ae94c1cc7fc120848757249b9a542b1080ffb upstream. + +On Armada 38x SoCs, under heavy I/O load, the system hangs when CPU +Idle is enabled. Waiting for a solution to this issue, this patch +disables the CPU Idle support for this SoC. + +As CPU Hot plug support also uses some of the CPU Idle functions it is +also affected by the same issue. This patch disables it also for the +Armada 38x SoCs. + +Signed-off-by: Gregory CLEMENT +Tested-by: Thomas Petazzoni +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-mvebu/pmsu.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/arch/arm/mach-mvebu/pmsu.c ++++ b/arch/arm/mach-mvebu/pmsu.c +@@ -415,6 +415,9 @@ static __init int armada_38x_cpuidle_ini + void __iomem *mpsoc_base; + u32 reg; + ++ pr_warn("CPU idle is currently broken on Armada 38x: disabling"); ++ return 0; ++ + np = of_find_compatible_node(NULL, NULL, + "marvell,armada-380-coherency-fabric"); + if (!np) +@@ -476,6 +479,16 @@ static int __init mvebu_v7_cpu_pm_init(v + return 0; + of_node_put(np); + ++ /* ++ * Currently the CPU idle support for Armada 38x is broken, as ++ * the CPU hotplug uses some of the CPU idle functions it is ++ * broken too, so let's disable it ++ */ ++ if (of_machine_is_compatible("marvell,armada380")) { ++ cpu_hotplug_disable(); ++ pr_warn("CPU hotplug support is currently broken on Armada 38x: disabling"); ++ } ++ + if (of_machine_is_compatible("marvell,armadaxp")) + ret = armada_xp_cpuidle_init(); + else if (of_machine_is_compatible("marvell,armada370")) +@@ -489,7 +502,8 @@ static int __init mvebu_v7_cpu_pm_init(v + return ret; + + mvebu_v7_pmsu_enable_l2_powerdown_onidle(); +- platform_device_register(&mvebu_v7_cpuidle_device); ++ if (mvebu_v7_cpuidle_device.name) ++ platform_device_register(&mvebu_v7_cpuidle_device); + cpu_pm_register_notifier(&mvebu_v7_cpu_pm_notifier); + + return 0; diff --git a/queue-4.0/arm-s3c64xx-use-fixed-irq-bases-to-avoid-conflicts-on-cragganmore.patch b/queue-4.0/arm-s3c64xx-use-fixed-irq-bases-to-avoid-conflicts-on-cragganmore.patch new file mode 100644 index 00000000000..69b528e2dd5 --- /dev/null +++ b/queue-4.0/arm-s3c64xx-use-fixed-irq-bases-to-avoid-conflicts-on-cragganmore.patch @@ -0,0 +1,43 @@ +From 4e330ae4ab2915444f1e6dca1358a910aa259362 Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Fri, 27 Mar 2015 01:58:08 +0900 +Subject: ARM: S3C64XX: Use fixed IRQ bases to avoid conflicts on Cragganmore + +From: Charles Keepax + +commit 4e330ae4ab2915444f1e6dca1358a910aa259362 upstream. + +There are two PMICs on Cragganmore, currently one dynamically assign +its IRQ base and the other uses a fixed base. It is possible for the +statically assigned PMIC to fail if its IRQ is taken by the dynamically +assigned one. Fix this by statically assigning both the IRQ bases. + +Signed-off-by: Charles Keepax +Signed-off-by: Kukjin Kim +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-s3c64xx/crag6410.h | 1 + + arch/arm/mach-s3c64xx/mach-crag6410.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/arch/arm/mach-s3c64xx/crag6410.h ++++ b/arch/arm/mach-s3c64xx/crag6410.h +@@ -14,6 +14,7 @@ + #include + + #define GLENFARCLAS_PMIC_IRQ_BASE IRQ_BOARD_START ++#define BANFF_PMIC_IRQ_BASE (IRQ_BOARD_START + 64) + + #define PCA935X_GPIO_BASE GPIO_BOARD_START + #define CODEC_GPIO_BASE (GPIO_BOARD_START + 8) +--- a/arch/arm/mach-s3c64xx/mach-crag6410.c ++++ b/arch/arm/mach-s3c64xx/mach-crag6410.c +@@ -554,6 +554,7 @@ static struct wm831x_touch_pdata touch_p + + static struct wm831x_pdata crag_pmic_pdata = { + .wm831x_num = 1, ++ .irq_base = BANFF_PMIC_IRQ_BASE, + .gpio_base = BANFF_PMIC_GPIO_BASE, + .soft_shutdown = true, + diff --git a/queue-4.0/cdc-wdm-fix-endianness-bug-in-debug-statements.patch b/queue-4.0/cdc-wdm-fix-endianness-bug-in-debug-statements.patch new file mode 100644 index 00000000000..28c3ab79e42 --- /dev/null +++ b/queue-4.0/cdc-wdm-fix-endianness-bug-in-debug-statements.patch @@ -0,0 +1,68 @@ +From 323ece54e0761198946ecd0c2091f1d2bfdfcb64 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Fri, 20 Mar 2015 14:29:34 +0100 +Subject: cdc-wdm: fix endianness bug in debug statements + +From: Oliver Neukum + +commit 323ece54e0761198946ecd0c2091f1d2bfdfcb64 upstream. + +Values directly from descriptors given in debug statements +must be converted to native endianness. + +Signed-off-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-wdm.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/usb/class/cdc-wdm.c ++++ b/drivers/usb/class/cdc-wdm.c +@@ -245,7 +245,7 @@ static void wdm_int_callback(struct urb + case USB_CDC_NOTIFY_RESPONSE_AVAILABLE: + dev_dbg(&desc->intf->dev, + "NOTIFY_RESPONSE_AVAILABLE received: index %d len %d", +- dr->wIndex, dr->wLength); ++ le16_to_cpu(dr->wIndex), le16_to_cpu(dr->wLength)); + break; + + case USB_CDC_NOTIFY_NETWORK_CONNECTION: +@@ -262,7 +262,9 @@ static void wdm_int_callback(struct urb + clear_bit(WDM_POLL_RUNNING, &desc->flags); + dev_err(&desc->intf->dev, + "unknown notification %d received: index %d len %d\n", +- dr->bNotificationType, dr->wIndex, dr->wLength); ++ dr->bNotificationType, ++ le16_to_cpu(dr->wIndex), ++ le16_to_cpu(dr->wLength)); + goto exit; + } + +@@ -408,7 +410,7 @@ static ssize_t wdm_write + USB_RECIP_INTERFACE); + req->bRequest = USB_CDC_SEND_ENCAPSULATED_COMMAND; + req->wValue = 0; +- req->wIndex = desc->inum; ++ req->wIndex = desc->inum; /* already converted */ + req->wLength = cpu_to_le16(count); + set_bit(WDM_IN_USE, &desc->flags); + desc->outbuf = buf; +@@ -422,7 +424,7 @@ static ssize_t wdm_write + rv = usb_translate_errors(rv); + } else { + dev_dbg(&desc->intf->dev, "Tx URB has been submitted index=%d", +- req->wIndex); ++ le16_to_cpu(req->wIndex)); + } + out: + usb_autopm_put_interface(desc->intf); +@@ -820,7 +822,7 @@ static int wdm_create(struct usb_interfa + desc->irq->bRequestType = (USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE); + desc->irq->bRequest = USB_CDC_GET_ENCAPSULATED_RESPONSE; + desc->irq->wValue = 0; +- desc->irq->wIndex = desc->inum; ++ desc->irq->wIndex = desc->inum; /* already converted */ + desc->irq->wLength = cpu_to_le16(desc->wMaxCommand); + + usb_fill_control_urb( diff --git a/queue-4.0/compal-laptop-check-return-value-of-power_supply_register.patch b/queue-4.0/compal-laptop-check-return-value-of-power_supply_register.patch new file mode 100644 index 00000000000..34c43fd9e7e --- /dev/null +++ b/queue-4.0/compal-laptop-check-return-value-of-power_supply_register.patch @@ -0,0 +1,42 @@ +From 1915a718b1872edffcb13e5436a9f7302d3d36f0 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 12 Mar 2015 08:44:00 +0100 +Subject: compal-laptop: Check return value of power_supply_register + +From: Krzysztof Kozlowski + +commit 1915a718b1872edffcb13e5436a9f7302d3d36f0 upstream. + +The return value of power_supply_register() call was not checked and +even on error probe() function returned 0. If registering failed then +during unbind the driver tried to unregister power supply which was not +actually registered. + +This could lead to memory corruption because power_supply_unregister() +unconditionally cleans up given power supply. + +Fix this by checking return status of power_supply_register() call. In +case of failure, clean up sysfs entries and fail the probe. + +Signed-off-by: Krzysztof Kozlowski +Fixes: 9be0fcb5ed46 ("compal-laptop: add JHL90, battery & hwmon interface") +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/platform/x86/compal-laptop.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/platform/x86/compal-laptop.c ++++ b/drivers/platform/x86/compal-laptop.c +@@ -1036,7 +1036,9 @@ static int compal_probe(struct platform_ + + /* Power supply */ + initialize_power_supply_data(data); +- power_supply_register(&compal_device->dev, &data->psy); ++ err = power_supply_register(&compal_device->dev, &data->psy); ++ if (err < 0) ++ goto remove; + + platform_set_drvdata(pdev, data); + diff --git a/queue-4.0/compal-laptop-fix-leaking-hwmon-device.patch b/queue-4.0/compal-laptop-fix-leaking-hwmon-device.patch new file mode 100644 index 00000000000..da0a7bccb49 --- /dev/null +++ b/queue-4.0/compal-laptop-fix-leaking-hwmon-device.patch @@ -0,0 +1,41 @@ +From ad774702f1705c04e5fa492b793d8d477a504fa6 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 12 Mar 2015 08:43:59 +0100 +Subject: compal-laptop: Fix leaking hwmon device + +From: Krzysztof Kozlowski + +commit ad774702f1705c04e5fa492b793d8d477a504fa6 upstream. + +The commit c2be45f09bb0 ("compal-laptop: Use +devm_hwmon_device_register_with_groups") wanted to change the +registering of hwmon device to resource-managed version. It mostly did +it except the main thing - it forgot to use devm-like function so the +hwmon device leaked after device removal or probe failure. + +Signed-off-by: Krzysztof Kozlowski +Fixes: c2be45f09bb0 ("compal-laptop: Use devm_hwmon_device_register_with_groups") +Acked-by: Guenter Roeck +Acked-by: Darren Hart +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/platform/x86/compal-laptop.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/platform/x86/compal-laptop.c ++++ b/drivers/platform/x86/compal-laptop.c +@@ -1026,9 +1026,9 @@ static int compal_probe(struct platform_ + if (err) + return err; + +- hwmon_dev = hwmon_device_register_with_groups(&pdev->dev, +- "compal", data, +- compal_hwmon_groups); ++ hwmon_dev = devm_hwmon_device_register_with_groups(&pdev->dev, ++ "compal", data, ++ compal_hwmon_groups); + if (IS_ERR(hwmon_dev)) { + err = PTR_ERR(hwmon_dev); + goto remove; diff --git a/queue-4.0/drivers-base-cacheinfo-validate-device-node-for-all-the-caches.patch b/queue-4.0/drivers-base-cacheinfo-validate-device-node-for-all-the-caches.patch new file mode 100644 index 00000000000..58fd80a044d --- /dev/null +++ b/queue-4.0/drivers-base-cacheinfo-validate-device-node-for-all-the-caches.patch @@ -0,0 +1,67 @@ +From 8a7d95f95c95f396decbd4cda6d4903fc4664946 Mon Sep 17 00:00:00 2001 +From: Sudeep Holla +Date: Tue, 17 Mar 2015 17:28:46 +0000 +Subject: drivers/base: cacheinfo: validate device node for all the caches + +From: Sudeep Holla + +commit 8a7d95f95c95f396decbd4cda6d4903fc4664946 upstream. + +On architectures that depend on DT for obtaining cache hierarcy, we need +to validate the device node for all the cache indices, failing to do so +might result in wrong information being exposed to the userspace. + +This is quite possible on initial/incomplete versions of the device +trees. In such cases, it's better to bail out if all the required device +nodes are not present. + +This patch adds checks for the validation of device node for all the +caches and doesn't initialise the cacheinfo if there's any error. + +Reported-by: Mark Rutland +Acked-by: Mark Rutland +Signed-off-by: Sudeep Holla +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/cacheinfo.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/base/cacheinfo.c ++++ b/drivers/base/cacheinfo.c +@@ -62,15 +62,21 @@ static int cache_setup_of_node(unsigned + return -ENOENT; + } + +- while (np && index < cache_leaves(cpu)) { ++ while (index < cache_leaves(cpu)) { + this_leaf = this_cpu_ci->info_list + index; + if (this_leaf->level != 1) + np = of_find_next_cache_node(np); + else + np = of_node_get(np);/* cpu node itself */ ++ if (!np) ++ break; + this_leaf->of_node = np; + index++; + } ++ ++ if (index != cache_leaves(cpu)) /* not all OF nodes populated */ ++ return -ENOENT; ++ + return 0; + } + +@@ -189,8 +195,11 @@ static int detect_cache_attributes(unsig + * will be set up here only if they are not populated already + */ + ret = cache_shared_cpu_map_setup(cpu); +- if (ret) ++ if (ret) { ++ pr_warn("Unable to detect cache hierarcy from DT for CPU %d\n", ++ cpu); + goto free_ci; ++ } + return 0; + + free_ci: diff --git a/queue-4.0/hid-add-hp-oem-mouse-to-quirk-always_poll.patch b/queue-4.0/hid-add-hp-oem-mouse-to-quirk-always_poll.patch new file mode 100644 index 00000000000..614a74d6721 --- /dev/null +++ b/queue-4.0/hid-add-hp-oem-mouse-to-quirk-always_poll.patch @@ -0,0 +1,42 @@ +From 7a8e53c414c8183e8735e3b08d9a776200e6e665 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Wed, 25 Mar 2015 15:13:36 +0100 +Subject: HID: add HP OEM mouse to quirk ALWAYS_POLL + +From: Oliver Neukum + +commit 7a8e53c414c8183e8735e3b08d9a776200e6e665 upstream. + +This mouse needs QUIRK_ALWAYS_POLL. + +Signed-off-by: Oliver Neukum +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/usbhid/hid-quirks.c | 1 + + 2 files changed, 4 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -459,6 +459,9 @@ + #define USB_DEVICE_ID_UGCI_FLYING 0x0020 + #define USB_DEVICE_ID_UGCI_FIGHTING 0x0030 + ++#define USB_VENDOR_ID_HP 0x03f0 ++#define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE 0x0a4a ++ + #define USB_VENDOR_ID_HUION 0x256c + #define USB_DEVICE_ID_HUION_TABLET 0x006e + +--- a/drivers/hid/usbhid/hid-quirks.c ++++ b/drivers/hid/usbhid/hid-quirks.c +@@ -78,6 +78,7 @@ static const struct hid_blacklist { + { USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2700, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_FORMOSA, USB_DEVICE_ID_FORMOSA_IR_RECEIVER, HID_QUIRK_NO_INIT_REPORTS }, + { USB_VENDOR_ID_FREESCALE, USB_DEVICE_ID_FREESCALE_MX28, HID_QUIRK_NOGET }, ++ { USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL }, + { USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_C077, HID_QUIRK_ALWAYS_POLL }, + { USB_VENDOR_ID_MGE, USB_DEVICE_ID_MGE_UPS, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3, HID_QUIRK_NO_INIT_REPORTS }, diff --git a/queue-4.0/hid-add-quirk-for-pixart-oem-mouse-used-by-hp.patch b/queue-4.0/hid-add-quirk-for-pixart-oem-mouse-used-by-hp.patch new file mode 100644 index 00000000000..3a31c4c414d --- /dev/null +++ b/queue-4.0/hid-add-quirk-for-pixart-oem-mouse-used-by-hp.patch @@ -0,0 +1,41 @@ +From b70b82580248b5393241c986082842ec05a2b7d7 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Wed, 25 Mar 2015 15:38:31 +0100 +Subject: HID: add quirk for PIXART OEM mouse used by HP + +From: Oliver Neukum + +commit b70b82580248b5393241c986082842ec05a2b7d7 upstream. + +This mouse is also known under other IDs. It needs the quirk or will disconnect +in runlevel 1 or 3. + +Signed-off-by: Oliver Neukum +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/usbhid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -461,6 +461,7 @@ + + #define USB_VENDOR_ID_HP 0x03f0 + #define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE 0x0a4a ++#define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE 0x134a + + #define USB_VENDOR_ID_HUION 0x256c + #define USB_DEVICE_ID_HUION_TABLET 0x006e +--- a/drivers/hid/usbhid/hid-quirks.c ++++ b/drivers/hid/usbhid/hid-quirks.c +@@ -79,6 +79,7 @@ static const struct hid_blacklist { + { USB_VENDOR_ID_FORMOSA, USB_DEVICE_ID_FORMOSA_IR_RECEIVER, HID_QUIRK_NO_INIT_REPORTS }, + { USB_VENDOR_ID_FREESCALE, USB_DEVICE_ID_FREESCALE_MX28, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL }, ++ { USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL }, + { USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_C077, HID_QUIRK_ALWAYS_POLL }, + { USB_VENDOR_ID_MGE, USB_DEVICE_ID_MGE_UPS, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3, HID_QUIRK_NO_INIT_REPORTS }, diff --git a/queue-4.0/md-raid0-fix-bug-with-chunksize-not-a-power-of-2.patch b/queue-4.0/md-raid0-fix-bug-with-chunksize-not-a-power-of-2.patch new file mode 100644 index 00000000000..f91de395f17 --- /dev/null +++ b/queue-4.0/md-raid0-fix-bug-with-chunksize-not-a-power-of-2.patch @@ -0,0 +1,47 @@ +From 47d68979cc968535cb87f3e5f2e6a3533ea48fbd Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Fri, 10 Apr 2015 13:19:04 +1000 +Subject: md/raid0: fix bug with chunksize not a power of 2. + +From: NeilBrown + +commit 47d68979cc968535cb87f3e5f2e6a3533ea48fbd upstream. + +Since commit 20d0189b1012a37d2533a87fb451f7852f2418d1 +in v3.14-rc1 RAID0 has performed incorrect calculations +when the chunksize is not a power of 2. + +This happens because "sector_div()" modifies its first argument, but +this wasn't taken into account in the patch. + +So restore that first arg before re-using the variable. + +Reported-by: Joe Landman +Reported-by: Dave Chinner +Fixes: 20d0189b1012a37d2533a87fb451f7852f2418d1 +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid0.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/raid0.c ++++ b/drivers/md/raid0.c +@@ -313,7 +313,7 @@ static struct strip_zone *find_zone(stru + + /* + * remaps the bio to the target device. we separate two flows. +- * power 2 flow and a general flow for the sake of perfromance ++ * power 2 flow and a general flow for the sake of performance + */ + static struct md_rdev *map_sector(struct mddev *mddev, struct strip_zone *zone, + sector_t sector, sector_t *sector_offset) +@@ -524,6 +524,7 @@ static void raid0_make_request(struct md + split = bio; + } + ++ sector = bio->bi_iter.bi_sector; + zone = find_zone(mddev->private, §or); + tmp_dev = map_sector(mddev, zone, sector, §or); + split->bi_bdev = tmp_dev->bdev; diff --git a/queue-4.0/megaraid_sas-use-raw_smp_processor_id.patch b/queue-4.0/megaraid_sas-use-raw_smp_processor_id.patch new file mode 100644 index 00000000000..b041744003a --- /dev/null +++ b/queue-4.0/megaraid_sas-use-raw_smp_processor_id.patch @@ -0,0 +1,52 @@ +From 16b8528d20607925899b1df93bfd8fbab98d267c Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Wed, 15 Apr 2015 09:44:37 -0700 +Subject: megaraid_sas: use raw_smp_processor_id() + +From: Christoph Hellwig + +commit 16b8528d20607925899b1df93bfd8fbab98d267c upstream. + +We only want to steer the I/O completion towards a queue, but don't +actually access any per-CPU data, so the raw_ version is fine to use +and avoids the warnings when using smp_processor_id(). + +Signed-off-by: Christoph Hellwig +Reported-by: Andy Lutomirski +Tested-by: Andy Lutomirski +Acked-by: Sumit Saxena +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/megaraid/megaraid_sas_fusion.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c ++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c +@@ -1584,11 +1584,11 @@ megasas_build_ldio_fusion(struct megasas + fp_possible = io_info.fpOkForIo; + } + +- /* Use smp_processor_id() for now until cmd->request->cpu is CPU ++ /* Use raw_smp_processor_id() for now until cmd->request->cpu is CPU + id by default, not CPU group id, otherwise all MSI-X queues won't + be utilized */ + cmd->request_desc->SCSIIO.MSIxIndex = instance->msix_vectors ? +- smp_processor_id() % instance->msix_vectors : 0; ++ raw_smp_processor_id() % instance->msix_vectors : 0; + + if (fp_possible) { + megasas_set_pd_lba(io_request, scp->cmd_len, &io_info, scp, +@@ -1693,7 +1693,10 @@ megasas_build_dcdb_fusion(struct megasas + << MR_RAID_CTX_RAID_FLAGS_IO_SUB_TYPE_SHIFT; + cmd->request_desc->SCSIIO.DevHandle = io_request->DevHandle; + cmd->request_desc->SCSIIO.MSIxIndex = +- instance->msix_vectors ? smp_processor_id() % instance->msix_vectors : 0; ++ instance->msix_vectors ? ++ raw_smp_processor_id() % ++ instance->msix_vectors : ++ 0; + os_timeout_value = scmd->request->timeout / HZ; + + if (instance->secure_jbod_support && diff --git a/queue-4.0/mmc-sunxi-use-devm_reset_control_get_optional-for-reset-control.patch b/queue-4.0/mmc-sunxi-use-devm_reset_control_get_optional-for-reset-control.patch new file mode 100644 index 00000000000..7ffd2aee5e4 --- /dev/null +++ b/queue-4.0/mmc-sunxi-use-devm_reset_control_get_optional-for-reset-control.patch @@ -0,0 +1,44 @@ +From 9e71c589e44ddf2b86f361c81e360c6b0d0354b1 Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Tue, 3 Mar 2015 09:44:40 +0800 +Subject: mmc: sunxi: Use devm_reset_control_get_optional() for reset control +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen-Yu Tsai + +commit 9e71c589e44ddf2b86f361c81e360c6b0d0354b1 upstream. + +The reset control for the sunxi mmc controller is optional. Some +newer platforms (sun6i, sun8i, sun9i) have it, while older ones +(sun4i, sun5i, sun7i) don't. + +Use the properly stubbed _optional version so the driver does not +fail to compile when RESET_CONTROLLER=n. + +This patch also adds a check for deferred probing on the reset +control. + +Signed-off-by: Chen-Yu Tsai +Acked-by: David Lanzendörfer +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sunxi-mmc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/sunxi-mmc.c ++++ b/drivers/mmc/host/sunxi-mmc.c +@@ -930,7 +930,9 @@ static int sunxi_mmc_resource_request(st + return PTR_ERR(host->clk_sample); + } + +- host->reset = devm_reset_control_get(&pdev->dev, "ahb"); ++ host->reset = devm_reset_control_get_optional(&pdev->dev, "ahb"); ++ if (PTR_ERR(host->reset) == -EPROBE_DEFER) ++ return PTR_ERR(host->reset); + + ret = clk_prepare_enable(host->clk_ahb); + if (ret) { diff --git a/queue-4.0/mmc-tmio-remove-bogus-un-initialization-in-tmio_mmc_host_free.patch b/queue-4.0/mmc-tmio-remove-bogus-un-initialization-in-tmio_mmc_host_free.patch new file mode 100644 index 00000000000..8b17fd554c6 --- /dev/null +++ b/queue-4.0/mmc-tmio-remove-bogus-un-initialization-in-tmio_mmc_host_free.patch @@ -0,0 +1,46 @@ +From 13a6a2ed1f5e77ae47c2b1a8e3bf22b2fa2d56ba Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Wed, 18 Feb 2015 17:34:59 +0100 +Subject: mmc: tmio: Remove bogus un-initialization in tmio_mmc_host_free() + +From: Geert Uytterhoeven + +commit 13a6a2ed1f5e77ae47c2b1a8e3bf22b2fa2d56ba upstream. + +If CONFIG_DEBUG_SLAB=y: + + sh_mobile_sdhi ee100000.sd: Got CD GPIO + sh_mobile_sdhi ee100000.sd: Got WP GPIO + platform ee100000.sd: Driver sh_mobile_sdhi requests probe deferral + ... + Slab corruption (Not tainted): kmalloc-1024 start=ed8b3c00, len=1024 + 2d0: 00 00 00 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b ....kkkkkkkkkkkk + Prev obj: start=ed8b3800, len=1024 + 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk + 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk + +Struct tmio_mmc_host is embedded inside struct mmc_host, and thus is +freed by the call to mmc_free_host(). Hence it must not be written to +afterwards, as that will corrupt freed (and perhaps already reused) +memory. + +Fixes: 94b110aff8679b14 ("mmc: tmio: add tmio_mmc_host_alloc/free()") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/tmio_mmc_pio.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/mmc/host/tmio_mmc_pio.c ++++ b/drivers/mmc/host/tmio_mmc_pio.c +@@ -1073,8 +1073,6 @@ EXPORT_SYMBOL(tmio_mmc_host_alloc); + void tmio_mmc_host_free(struct tmio_mmc_host *host) + { + mmc_free_host(host->mmc); +- +- host->mmc = NULL; + } + EXPORT_SYMBOL(tmio_mmc_host_free); + diff --git a/queue-4.0/nfs-fix-bug-crash-in-notify_change-with-patch-to-chown_common.patch b/queue-4.0/nfs-fix-bug-crash-in-notify_change-with-patch-to-chown_common.patch new file mode 100644 index 00000000000..42d0d548da4 --- /dev/null +++ b/queue-4.0/nfs-fix-bug-crash-in-notify_change-with-patch-to-chown_common.patch @@ -0,0 +1,66 @@ +From c1b8940b42bb6487b10f2267a96b486276ce9ff7 Mon Sep 17 00:00:00 2001 +From: Andrew Elble +Date: Mon, 23 Feb 2015 08:51:24 -0500 +Subject: NFS: fix BUG() crash in notify_change() with patch to chown_common() + +From: Andrew Elble + +commit c1b8940b42bb6487b10f2267a96b486276ce9ff7 upstream. + +We have observed a BUG() crash in fs/attr.c:notify_change(). The crash +occurs during an rsync into a filesystem that is exported via NFS. + +1.) fs/attr.c:notify_change() modifies the caller's version of attr. +2.) 6de0ec00ba8d ("VFS: make notify_change pass ATTR_KILL_S*ID to + setattr operations") introduced a BUG() restriction such that "no + function will ever call notify_change() with both ATTR_MODE and + ATTR_KILL_S*ID set". Under some circumstances though, it will have + assisted in setting the caller's version of attr to this very + combination. +3.) 27ac0ffeac80 ("locks: break delegations on any attribute + modification") introduced code to handle breaking + delegations. This can result in notify_change() being re-called. attr + _must_ be explicitly reset to avoid triggering the BUG() established + in #2. +4.) The path that that triggers this is via fs/open.c:chmod_common(). + The combination of attr flags set here and in the first call to + notify_change() along with a later failed break_deleg_wait() + results in notify_change() being called again via retry_deleg + without resetting attr. + +Solution is to move retry_deleg in chmod_common() a bit further up to +ensure attr is completely reset. + +There are other places where this seemingly could occur, such as +fs/utimes.c:utimes_common(), but the attr flags are not initially +set in such a way to trigger this. + +Fixes: 27ac0ffeac80 ("locks: break delegations on any attribute modification") +Reported-by: Eric Meddaugh +Tested-by: Eric Meddaugh +Signed-off-by: Andrew Elble +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/open.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/open.c ++++ b/fs/open.c +@@ -570,6 +570,7 @@ static int chown_common(struct path *pat + uid = make_kuid(current_user_ns(), user); + gid = make_kgid(current_user_ns(), group); + ++retry_deleg: + newattrs.ia_valid = ATTR_CTIME; + if (user != (uid_t) -1) { + if (!uid_valid(uid)) +@@ -586,7 +587,6 @@ static int chown_common(struct path *pat + if (!S_ISDIR(inode->i_mode)) + newattrs.ia_valid |= + ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV; +-retry_deleg: + mutex_lock(&inode->i_mutex); + error = security_path_chown(path, uid, gid); + if (!error) diff --git a/queue-4.0/power_supply-ipaq_micro_battery-check-return-values-in-probe.patch b/queue-4.0/power_supply-ipaq_micro_battery-check-return-values-in-probe.patch new file mode 100644 index 00000000000..9feb0872d1f --- /dev/null +++ b/queue-4.0/power_supply-ipaq_micro_battery-check-return-values-in-probe.patch @@ -0,0 +1,75 @@ +From a2c1d531854c4319610f1d83351213b47a633969 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 20 Feb 2015 14:32:24 +0100 +Subject: power_supply: ipaq_micro_battery: Check return values in probe + +From: Krzysztof Kozlowski + +commit a2c1d531854c4319610f1d83351213b47a633969 upstream. + +The return values of create_singlethread_workqueue() and +power_supply_register() calls were not checked and even on error probe() +function returned 0. + +1. If allocation of workqueue failed (returning NULL) then further + accesses could lead to NULL pointer dereference. The + queue_delayed_work() expects workqueue to be non-NULL. + +2. If registration of power supply failed then during unbind the driver + tried to unregister power supply which was not actually registered. + This could lead to memory corruption because + power_supply_unregister() unconditionally cleans up given power + supply. + +Signed-off-by: Krzysztof Kozlowski +Fixes: 00a588f9d27f ("power: add driver for battery reading on iPaq h3xxx") +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/ipaq_micro_battery.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +--- a/drivers/power/ipaq_micro_battery.c ++++ b/drivers/power/ipaq_micro_battery.c +@@ -226,6 +226,7 @@ static struct power_supply micro_ac_powe + static int micro_batt_probe(struct platform_device *pdev) + { + struct micro_battery *mb; ++ int ret; + + mb = devm_kzalloc(&pdev->dev, sizeof(*mb), GFP_KERNEL); + if (!mb) +@@ -233,14 +234,30 @@ static int micro_batt_probe(struct platf + + mb->micro = dev_get_drvdata(pdev->dev.parent); + mb->wq = create_singlethread_workqueue("ipaq-battery-wq"); ++ if (!mb->wq) ++ return -ENOMEM; ++ + INIT_DELAYED_WORK(&mb->update, micro_battery_work); + platform_set_drvdata(pdev, mb); + queue_delayed_work(mb->wq, &mb->update, 1); +- power_supply_register(&pdev->dev, µ_batt_power); +- power_supply_register(&pdev->dev, µ_ac_power); ++ ++ ret = power_supply_register(&pdev->dev, µ_batt_power); ++ if (ret < 0) ++ goto batt_err; ++ ++ ret = power_supply_register(&pdev->dev, µ_ac_power); ++ if (ret < 0) ++ goto ac_err; + + dev_info(&pdev->dev, "iPAQ micro battery driver\n"); + return 0; ++ ++ac_err: ++ power_supply_unregister(µ_ac_power); ++batt_err: ++ cancel_delayed_work_sync(&mb->update); ++ destroy_workqueue(mb->wq); ++ return ret; + } + + static int micro_batt_remove(struct platform_device *pdev) diff --git a/queue-4.0/power_supply-ipaq_micro_battery-fix-leaking-workqueue.patch b/queue-4.0/power_supply-ipaq_micro_battery-fix-leaking-workqueue.patch new file mode 100644 index 00000000000..3788f10b778 --- /dev/null +++ b/queue-4.0/power_supply-ipaq_micro_battery-fix-leaking-workqueue.patch @@ -0,0 +1,31 @@ +From f852ec461e24504690445e7d281cbe806df5ccef Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 20 Feb 2015 14:32:23 +0100 +Subject: power_supply: ipaq_micro_battery: Fix leaking workqueue + +From: Krzysztof Kozlowski + +commit f852ec461e24504690445e7d281cbe806df5ccef upstream. + +Driver allocates singlethread workqueue in probe but it is not destroyed +during removal. + +Signed-off-by: Krzysztof Kozlowski +Fixes: 00a588f9d27f ("power: add driver for battery reading on iPaq h3xxx") +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/ipaq_micro_battery.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/power/ipaq_micro_battery.c ++++ b/drivers/power/ipaq_micro_battery.c +@@ -251,6 +251,7 @@ static int micro_batt_remove(struct plat + power_supply_unregister(µ_ac_power); + power_supply_unregister(µ_batt_power); + cancel_delayed_work_sync(&mb->update); ++ destroy_workqueue(mb->wq); + + return 0; + } diff --git a/queue-4.0/power_supply-lp8788-charger-fix-leaked-power-supply-on-probe-fail.patch b/queue-4.0/power_supply-lp8788-charger-fix-leaked-power-supply-on-probe-fail.patch new file mode 100644 index 00000000000..b3996b0eac5 --- /dev/null +++ b/queue-4.0/power_supply-lp8788-charger-fix-leaked-power-supply-on-probe-fail.patch @@ -0,0 +1,36 @@ +From a7117f81e8391e035c49b3440792f7e6cea28173 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 20 Feb 2015 14:32:25 +0100 +Subject: power_supply: lp8788-charger: Fix leaked power supply on probe fail + +From: Krzysztof Kozlowski + +commit a7117f81e8391e035c49b3440792f7e6cea28173 upstream. + +Driver forgot to unregister charger power supply if registering of +battery supply failed in probe(). In such case the memory associated +with power supply leaked. + +Signed-off-by: Krzysztof Kozlowski +Fixes: 98a276649358 ("power_supply: Add new lp8788 charger driver") +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/lp8788-charger.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/power/lp8788-charger.c ++++ b/drivers/power/lp8788-charger.c +@@ -417,8 +417,10 @@ static int lp8788_psy_register(struct pl + pchg->battery.num_properties = ARRAY_SIZE(lp8788_battery_prop); + pchg->battery.get_property = lp8788_battery_get_property; + +- if (power_supply_register(&pdev->dev, &pchg->battery)) ++ if (power_supply_register(&pdev->dev, &pchg->battery)) { ++ power_supply_unregister(&pchg->charger); + return -EPERM; ++ } + + return 0; + } diff --git a/queue-4.0/power_supply-twl4030_madc-check-return-value-of-power_supply_register.patch b/queue-4.0/power_supply-twl4030_madc-check-return-value-of-power_supply_register.patch new file mode 100644 index 00000000000..1b205d4ceb2 --- /dev/null +++ b/queue-4.0/power_supply-twl4030_madc-check-return-value-of-power_supply_register.patch @@ -0,0 +1,50 @@ +From 68c3ed6fa7e0d69529ced772d650ab128916a81d Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 20 Feb 2015 14:32:22 +0100 +Subject: power_supply: twl4030_madc: Check return value of power_supply_register + +From: Krzysztof Kozlowski + +commit 68c3ed6fa7e0d69529ced772d650ab128916a81d upstream. + +The return value of power_supply_register() call was not checked and +even on error probe() function returned 0. If registering failed then +during unbind the driver tried to unregister power supply which was not +actually registered. + +This could lead to memory corruption because power_supply_unregister() +unconditionally cleans up given power supply. + +Signed-off-by: Krzysztof Kozlowski +Fixes: da0a00ebc239 ("power: Add twl4030_madc battery driver.") +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/twl4030_madc_battery.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/power/twl4030_madc_battery.c ++++ b/drivers/power/twl4030_madc_battery.c +@@ -192,6 +192,7 @@ static int twl4030_madc_battery_probe(st + { + struct twl4030_madc_battery *twl4030_madc_bat; + struct twl4030_madc_bat_platform_data *pdata = pdev->dev.platform_data; ++ int ret = 0; + + twl4030_madc_bat = kzalloc(sizeof(*twl4030_madc_bat), GFP_KERNEL); + if (!twl4030_madc_bat) +@@ -216,9 +217,11 @@ static int twl4030_madc_battery_probe(st + + twl4030_madc_bat->pdata = pdata; + platform_set_drvdata(pdev, twl4030_madc_bat); +- power_supply_register(&pdev->dev, &twl4030_madc_bat->psy); ++ ret = power_supply_register(&pdev->dev, &twl4030_madc_bat->psy); ++ if (ret < 0) ++ kfree(twl4030_madc_bat); + +- return 0; ++ return ret; + } + + static int twl4030_madc_battery_remove(struct platform_device *pdev) diff --git a/queue-4.0/ring-buffer-replace-this_cpu_-with-__this_cpu_.patch b/queue-4.0/ring-buffer-replace-this_cpu_-with-__this_cpu_.patch new file mode 100644 index 00000000000..9b0abc7f2f0 --- /dev/null +++ b/queue-4.0/ring-buffer-replace-this_cpu_-with-__this_cpu_.patch @@ -0,0 +1,97 @@ +From 80a9b64e2c156b6523e7a01f2ba6e5d86e722814 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Tue, 17 Mar 2015 10:40:38 -0400 +Subject: ring-buffer: Replace this_cpu_*() with __this_cpu_*() + +From: Steven Rostedt + +commit 80a9b64e2c156b6523e7a01f2ba6e5d86e722814 upstream. + +It has come to my attention that this_cpu_read/write are horrible on +architectures other than x86. Worse yet, they actually disable +preemption or interrupts! This caused some unexpected tracing results +on ARM. + + 101.356868: preempt_count_add <-ring_buffer_lock_reserve + 101.356870: preempt_count_sub <-ring_buffer_lock_reserve + +The ring_buffer_lock_reserve has recursion protection that requires +accessing a per cpu variable. But since preempt_disable() is traced, it +too got traced while accessing the variable that is suppose to prevent +recursion like this. + +The generic version of this_cpu_read() and write() are: + + #define this_cpu_generic_read(pcp) \ + ({ typeof(pcp) ret__; \ + preempt_disable(); \ + ret__ = *this_cpu_ptr(&(pcp)); \ + preempt_enable(); \ + ret__; \ + }) + + #define this_cpu_generic_to_op(pcp, val, op) \ + do { \ + unsigned long flags; \ + raw_local_irq_save(flags); \ + *__this_cpu_ptr(&(pcp)) op val; \ + raw_local_irq_restore(flags); \ + } while (0) + +Which is unacceptable for locations that know they are within preempt +disabled or interrupt disabled locations. + +Paul McKenney stated that __this_cpu_() versions produce much better code on +other architectures than this_cpu_() does, if we know that the call is done in +a preempt disabled location. + +I also changed the recursive_unlock() to use two local variables instead +of accessing the per_cpu variable twice. + +Link: http://lkml.kernel.org/r/20150317114411.GE3589@linux.vnet.ibm.com +Link: http://lkml.kernel.org/r/20150317104038.312e73d1@gandalf.local.home + +Acked-by: Christoph Lameter +Reported-by: Uwe Kleine-Koenig +Tested-by: Uwe Kleine-Koenig +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ring_buffer.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -2679,7 +2679,7 @@ static DEFINE_PER_CPU(unsigned int, curr + + static __always_inline int trace_recursive_lock(void) + { +- unsigned int val = this_cpu_read(current_context); ++ unsigned int val = __this_cpu_read(current_context); + int bit; + + if (in_interrupt()) { +@@ -2696,18 +2696,17 @@ static __always_inline int trace_recursi + return 1; + + val |= (1 << bit); +- this_cpu_write(current_context, val); ++ __this_cpu_write(current_context, val); + + return 0; + } + + static __always_inline void trace_recursive_unlock(void) + { +- unsigned int val = this_cpu_read(current_context); ++ unsigned int val = __this_cpu_read(current_context); + +- val--; +- val &= this_cpu_read(current_context); +- this_cpu_write(current_context, val); ++ val &= val & (val - 1); ++ __this_cpu_write(current_context, val); + } + + #else diff --git a/queue-4.0/series b/queue-4.0/series index 6c622fe4f03..a1a69344496 100644 --- a/queue-4.0/series +++ b/queue-4.0/series @@ -41,3 +41,34 @@ mips-unaligned-surround-load-store-macros-in-do-while-statements.patch mips-unaligned-fix-regular-load-store-instruction-emulation-for-eva.patch mips-loongson-3-add-irqf_no_suspend-to-cascade-irqaction.patch mips-hibernate-flush-tlb-entries-earlier.patch +staging-panel-fix-lcd-type.patch +staging-android-sync-fix-memory-corruption-in-sync_timeline_signal.patch +staging-vt6655-use-ieee80211_tx_info-to-select-packet-type.patch +md-raid0-fix-bug-with-chunksize-not-a-power-of-2.patch +megaraid_sas-use-raw_smp_processor_id.patch +drivers-base-cacheinfo-validate-device-node-for-all-the-caches.patch +cdc-wdm-fix-endianness-bug-in-debug-statements.patch +mmc-tmio-remove-bogus-un-initialization-in-tmio_mmc_host_free.patch +mmc-sunxi-use-devm_reset_control_get_optional-for-reset-control.patch +spi-imx-read-back-the-rx-tx-watermark-levels-earlier.patch +spi-spidev-fix-possible-arithmetic-overflow-for-multi-transfer-message.patch +compal-laptop-fix-leaking-hwmon-device.patch +compal-laptop-check-return-value-of-power_supply_register.patch +ring-buffer-replace-this_cpu_-with-__this_cpu_.patch +power_supply-twl4030_madc-check-return-value-of-power_supply_register.patch +power_supply-lp8788-charger-fix-leaked-power-supply-on-probe-fail.patch +power_supply-ipaq_micro_battery-fix-leaking-workqueue.patch +power_supply-ipaq_micro_battery-check-return-values-in-probe.patch +hid-add-hp-oem-mouse-to-quirk-always_poll.patch +hid-add-quirk-for-pixart-oem-mouse-used-by-hp.patch +nfs-fix-bug-crash-in-notify_change-with-patch-to-chown_common.patch +arm-fix-broken-hibernation.patch +arm-8320-1-fix-integer-overflow-in-elf_et_dyn_base.patch +arm-mvebu-disable-cpu-idle-on-armada-38x.patch +arm-s3c64xx-use-fixed-irq-bases-to-avoid-conflicts-on-cragganmore.patch +arm-at91-dt-sama5d3-xplained-add-phy-address-for-macb1.patch +arm-dts-dove-fix-uart-reg-property.patch +arm-dts-fix-mmc-node-updates-for-exynos5250-spring.patch +usb-musb-core-fix-tx-rx-endpoint-order.patch +usb-phy-find-the-right-match-in-devm_usb_phy_match.patch +usb-define-a-generic-usb_resume_timeout-macro.patch diff --git a/queue-4.0/spi-imx-read-back-the-rx-tx-watermark-levels-earlier.patch b/queue-4.0/spi-imx-read-back-the-rx-tx-watermark-levels-earlier.patch new file mode 100644 index 00000000000..0bef997dc3f --- /dev/null +++ b/queue-4.0/spi-imx-read-back-the-rx-tx-watermark-levels-earlier.patch @@ -0,0 +1,50 @@ +From f511ab09dfb0fe7b2335eccac51ff9f001a32e4a Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Wed, 1 Apr 2015 10:46:15 +0200 +Subject: spi: imx: read back the RX/TX watermark levels earlier + +From: Lucas Stach + +commit f511ab09dfb0fe7b2335eccac51ff9f001a32e4a upstream. + +They are used to decide if the controller can do DMA on a buffer +of a specific length and thus are needed before any transfer is attempted. + +This fixes a memory leak where the SPI core uses the drivers can_dma() +callback to determine if a buffer needs to be mapped. As the watermark +levels aren't correct at that point the driver falsely claims to be able to +DMA the buffer when it fact it isn't. +After the transfer has been done the core uses the same callback to +determine if it needs to unmap the buffers. As the driver now correctly +claims to not being able to DMA the buffer the core doesn't attempt to +unmap the buffer which leaves the SGT leaking. + +Fixes: f62caccd12c17e4 (spi: spi-imx: add DMA support) +Signed-off-by: Lucas Stach +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-imx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -370,8 +370,6 @@ static int __maybe_unused mx51_ecspi_con + if (spi_imx->dma_is_inited) { + dma = readl(spi_imx->base + MX51_ECSPI_DMA); + +- spi_imx->tx_wml = spi_imx_get_fifosize(spi_imx) / 2; +- spi_imx->rx_wml = spi_imx_get_fifosize(spi_imx) / 2; + spi_imx->rxt_wml = spi_imx_get_fifosize(spi_imx) / 2; + rx_wml_cfg = spi_imx->rx_wml << MX51_ECSPI_DMA_RX_WML_OFFSET; + tx_wml_cfg = spi_imx->tx_wml << MX51_ECSPI_DMA_TX_WML_OFFSET; +@@ -868,6 +866,8 @@ static int spi_imx_sdma_init(struct devi + master->max_dma_len = MAX_SDMA_BD_BYTES; + spi_imx->bitbang.master->flags = SPI_MASTER_MUST_RX | + SPI_MASTER_MUST_TX; ++ spi_imx->tx_wml = spi_imx_get_fifosize(spi_imx) / 2; ++ spi_imx->rx_wml = spi_imx_get_fifosize(spi_imx) / 2; + spi_imx->dma_is_inited = 1; + + return 0; diff --git a/queue-4.0/spi-spidev-fix-possible-arithmetic-overflow-for-multi-transfer-message.patch b/queue-4.0/spi-spidev-fix-possible-arithmetic-overflow-for-multi-transfer-message.patch new file mode 100644 index 00000000000..0c8c3e2f1fd --- /dev/null +++ b/queue-4.0/spi-spidev-fix-possible-arithmetic-overflow-for-multi-transfer-message.patch @@ -0,0 +1,45 @@ +From f20fbaad7620af2df36a1f9d1c9ecf48ead5b747 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 23 Mar 2015 17:50:27 +0000 +Subject: spi: spidev: fix possible arithmetic overflow for multi-transfer message + +From: Ian Abbott + +commit f20fbaad7620af2df36a1f9d1c9ecf48ead5b747 upstream. + +`spidev_message()` sums the lengths of the individual SPI transfers to +determine the overall SPI message length. It restricts the total +length, returning an error if too long, but it does not check for +arithmetic overflow. For example, if the SPI message consisted of two +transfers and the first has a length of 10 and the second has a length +of (__u32)(-1), the total length would be seen as 9, even though the +second transfer is actually very long. If the second transfer specifies +a null `rx_buf` and a non-null `tx_buf`, the `copy_from_user()` could +overrun the spidev's pre-allocated tx buffer before it reaches an +invalid user memory address. Fix it by checking that neither the total +nor the individual transfer lengths exceed the maximum allowed value. + +Thanks to Dan Carpenter for reporting the potential integer overflow. + +Signed-off-by: Ian Abbott +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spidev.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spidev.c ++++ b/drivers/spi/spidev.c +@@ -245,7 +245,10 @@ static int spidev_message(struct spidev_ + k_tmp->len = u_tmp->len; + + total += k_tmp->len; +- if (total > bufsiz) { ++ /* Check total length of transfers. Also check each ++ * transfer length to avoid arithmetic overflow. ++ */ ++ if (total > bufsiz || k_tmp->len > bufsiz) { + status = -EMSGSIZE; + goto done; + } diff --git a/queue-4.0/staging-android-sync-fix-memory-corruption-in-sync_timeline_signal.patch b/queue-4.0/staging-android-sync-fix-memory-corruption-in-sync_timeline_signal.patch new file mode 100644 index 00000000000..5f486d05add --- /dev/null +++ b/queue-4.0/staging-android-sync-fix-memory-corruption-in-sync_timeline_signal.patch @@ -0,0 +1,45 @@ +From 8e43c9c75faf2902955bd2ecd7a50a8cc41cb00a Mon Sep 17 00:00:00 2001 +From: Alistair Strachan +Date: Tue, 24 Mar 2015 14:51:31 -0700 +Subject: staging: android: sync: Fix memory corruption in sync_timeline_signal(). + +From: Alistair Strachan + +commit 8e43c9c75faf2902955bd2ecd7a50a8cc41cb00a upstream. + +The android_fence_release() function checks for active sync points +by calling list_empty() on the list head embedded on the sync +point. However, it is only valid to use list_empty() on nodes that +have been initialized with INIT_LIST_HEAD() or list_del_init(). + +Because the list entry has likely been removed from the active list +by sync_timeline_signal(), there is a good chance that this +WARN_ON_ONCE() will be hit due to dangling pointers pointing at +freed memory (even though the sync drivers did nothing wrong) +and memory corruption will ensue as the list entry is removed for +a second time, corrupting the active list. + +This problem can be reproduced quite easily with CONFIG_DEBUG_LIST=y +and fences with more than one sync point. + +Signed-off-by: Alistair Strachan +Cc: Maarten Lankhorst +Cc: Greg Kroah-Hartman +Cc: Colin Cross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/android/sync.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/android/sync.c ++++ b/drivers/staging/android/sync.c +@@ -114,7 +114,7 @@ void sync_timeline_signal(struct sync_ti + list_for_each_entry_safe(pt, next, &obj->active_list_head, + active_list) { + if (fence_is_signaled_locked(&pt->base)) +- list_del(&pt->active_list); ++ list_del_init(&pt->active_list); + } + + spin_unlock_irqrestore(&obj->child_list_lock, flags); diff --git a/queue-4.0/staging-panel-fix-lcd-type.patch b/queue-4.0/staging-panel-fix-lcd-type.patch new file mode 100644 index 00000000000..53f04b4c595 --- /dev/null +++ b/queue-4.0/staging-panel-fix-lcd-type.patch @@ -0,0 +1,56 @@ +From 2c20d92dad5db6440cfa88d811b69fd605240ce4 Mon Sep 17 00:00:00 2001 +From: Sudip Mukherjee +Date: Tue, 24 Mar 2015 16:29:32 +0530 +Subject: staging: panel: fix lcd type + +From: Sudip Mukherjee + +commit 2c20d92dad5db6440cfa88d811b69fd605240ce4 upstream. + +the lcd type as defined in the Kconfig is not matching in the code. +as a result the rs, rw and en pins were getting interchanged. +Kconfig defines the value of PANEL_LCD to be 1 if we select custom +configuration but in the code LCD_TYPE_CUSTOM is defined as 5. + +my hardware is LCD_TYPE_CUSTOM, but the pins were assigned to it +as pins of LCD_TYPE_OLD, and it was not working. +Now values are corrected with referenece to the values defined in +Kconfig and it is working. +checked on JHD204A lcd with LCD_TYPE_CUSTOM configuration. + +Signed-off-by: Sudip Mukherjee +Acked-by: Willy Tarreau +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/panel/panel.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/staging/panel/panel.c ++++ b/drivers/staging/panel/panel.c +@@ -335,11 +335,11 @@ static unsigned char lcd_bits[LCD_PORTS] + * LCD types + */ + #define LCD_TYPE_NONE 0 +-#define LCD_TYPE_OLD 1 +-#define LCD_TYPE_KS0074 2 +-#define LCD_TYPE_HANTRONIX 3 +-#define LCD_TYPE_NEXCOM 4 +-#define LCD_TYPE_CUSTOM 5 ++#define LCD_TYPE_CUSTOM 1 ++#define LCD_TYPE_OLD 2 ++#define LCD_TYPE_KS0074 3 ++#define LCD_TYPE_HANTRONIX 4 ++#define LCD_TYPE_NEXCOM 5 + + /* + * keypad types +@@ -502,7 +502,7 @@ MODULE_PARM_DESC(keypad_type, + static int lcd_type = NOT_SET; + module_param(lcd_type, int, 0000); + MODULE_PARM_DESC(lcd_type, +- "LCD type: 0=none, 1=old //, 2=serial ks0074, 3=hantronix //, 4=nexcom //, 5=compiled-in"); ++ "LCD type: 0=none, 1=compiled-in, 2=old, 3=serial ks0074, 4=hantronix, 5=nexcom"); + + static int lcd_height = NOT_SET; + module_param(lcd_height, int, 0000); diff --git a/queue-4.0/staging-vt6655-use-ieee80211_tx_info-to-select-packet-type.patch b/queue-4.0/staging-vt6655-use-ieee80211_tx_info-to-select-packet-type.patch new file mode 100644 index 00000000000..554f44209fe --- /dev/null +++ b/queue-4.0/staging-vt6655-use-ieee80211_tx_info-to-select-packet-type.patch @@ -0,0 +1,48 @@ +From a6388e68321a1e0a0f408379c2a36396807745b3 Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Wed, 1 Apr 2015 22:32:52 +0100 +Subject: staging: vt6655: use ieee80211_tx_info to select packet type. + +From: Malcolm Priestley + +commit a6388e68321a1e0a0f408379c2a36396807745b3 upstream. + +Information for packet type is in ieee80211_tx_info + +band IEEE80211_BAND_5GHZ for PK_TYPE_11A. + +IEEE80211_TX_RC_USE_CTS_PROTECT via tx_rate flags selects PK_TYPE_11GB + +This ensures that the packet is always the right type. + +Signed-off-by: Malcolm Priestley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/vt6655/rxtx.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/staging/vt6655/rxtx.c ++++ b/drivers/staging/vt6655/rxtx.c +@@ -1308,10 +1308,18 @@ int vnt_generate_fifo_header(struct vnt_ + priv->hw->conf.chandef.chan->hw_value); + } + +- if (current_rate > RATE_11M) +- pkt_type = (u8)priv->byPacketType; +- else ++ if (current_rate > RATE_11M) { ++ if (info->band == IEEE80211_BAND_5GHZ) { ++ pkt_type = PK_TYPE_11A; ++ } else { ++ if (tx_rate->flags & IEEE80211_TX_RC_USE_CTS_PROTECT) ++ pkt_type = PK_TYPE_11GB; ++ else ++ pkt_type = PK_TYPE_11GA; ++ } ++ } else { + pkt_type = PK_TYPE_11B; ++ } + + /*Set fifo controls */ + if (pkt_type == PK_TYPE_11A) diff --git a/queue-4.0/usb-define-a-generic-usb_resume_timeout-macro.patch b/queue-4.0/usb-define-a-generic-usb_resume_timeout-macro.patch new file mode 100644 index 00000000000..2a73542cbcc --- /dev/null +++ b/queue-4.0/usb-define-a-generic-usb_resume_timeout-macro.patch @@ -0,0 +1,84 @@ +From 62f0342de1f012f3e90607d39e20fce811391169 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi +Date: Fri, 13 Feb 2015 14:34:25 -0600 +Subject: usb: define a generic USB_RESUME_TIMEOUT macro + +From: Felipe Balbi + +commit 62f0342de1f012f3e90607d39e20fce811391169 upstream. + +Every USB Host controller should use this new +macro to define for how long resume signalling +should be driven on the bus. + +Currently, almost every single USB controller +is using a 20ms timeout for resume signalling. + +That's problematic for two reasons: + +a) sometimes that 20ms timer expires a little +before 20ms, which makes us fail certification + +b) some (many) devices actually need more than +20ms resume signalling. + +Sure, in case of (b) we can state that the device +is against the USB spec, but the fact is that +we have no control over which device the certification +lab will use. We also have no control over which host +they will use. Most likely they'll be using a Windows +PC which, again, we have no control over how that +USB stack is written and how long resume signalling +they are using. + +At the end of the day, we must make sure Linux passes +electrical compliance when working as Host or as Device +and currently we don't pass compliance as host because +we're driving resume signallig for exactly 20ms and +that confuses certification test setup resulting in +Certification failure. + +Acked-by: Greg Kroah-Hartman +Acked-by: Peter Chen +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/usb.h | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +--- a/include/linux/usb.h ++++ b/include/linux/usb.h +@@ -205,6 +205,32 @@ void usb_put_intf(struct usb_interface * + #define USB_MAXINTERFACES 32 + #define USB_MAXIADS (USB_MAXINTERFACES/2) + ++/* ++ * USB Resume Timer: Every Host controller driver should drive the resume ++ * signalling on the bus for the amount of time defined by this macro. ++ * ++ * That way we will have a 'stable' behavior among all HCDs supported by Linux. ++ * ++ * Note that the USB Specification states we should drive resume for *at least* ++ * 20 ms, but it doesn't give an upper bound. This creates two possible ++ * situations which we want to avoid: ++ * ++ * (a) sometimes an msleep(20) might expire slightly before 20 ms, which causes ++ * us to fail USB Electrical Tests, thus failing Certification ++ * ++ * (b) Some (many) devices actually need more than 20 ms of resume signalling, ++ * and while we can argue that's against the USB Specification, we don't have ++ * control over which devices a certification laboratory will be using for ++ * certification. If CertLab uses a device which was tested against Windows and ++ * that happens to have relaxed resume signalling rules, we might fall into ++ * situations where we fail interoperability and electrical tests. ++ * ++ * In order to avoid both conditions, we're using a 40 ms resume timeout, which ++ * should cope with both LPJ calibration errors and devices not following every ++ * detail of the USB Specification. ++ */ ++#define USB_RESUME_TIMEOUT 40 /* ms */ ++ + /** + * struct usb_interface_cache - long-term representation of a device interface + * @num_altsetting: number of altsettings defined. diff --git a/queue-4.0/usb-musb-core-fix-tx-rx-endpoint-order.patch b/queue-4.0/usb-musb-core-fix-tx-rx-endpoint-order.patch new file mode 100644 index 00000000000..e86c06911bd --- /dev/null +++ b/queue-4.0/usb-musb-core-fix-tx-rx-endpoint-order.patch @@ -0,0 +1,110 @@ +From e3c93e1a3f35be4cf1493d3ccfb0c6d9209e4922 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi +Date: Mon, 30 Dec 2013 12:33:53 -0600 +Subject: usb: musb: core: fix TX/RX endpoint order + +From: Felipe Balbi + +commit e3c93e1a3f35be4cf1493d3ccfb0c6d9209e4922 upstream. + +As per Mentor Graphics' documentation, we should +always handle TX endpoints before RX endpoints. + +This patch fixes that error while also updating +some hard-to-read comments which were scattered +around musb_interrupt(). + +This patch should be backported as far back as +possible since this error has been in the driver +since it's conception. + +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/musb/musb_core.c | 44 +++++++++++++++++++++++++------------------ + 1 file changed, 26 insertions(+), 18 deletions(-) + +--- a/drivers/usb/musb/musb_core.c ++++ b/drivers/usb/musb/musb_core.c +@@ -1597,16 +1597,30 @@ irqreturn_t musb_interrupt(struct musb * + is_host_active(musb) ? "host" : "peripheral", + musb->int_usb, musb->int_tx, musb->int_rx); + +- /* the core can interrupt us for multiple reasons; docs have +- * a generic interrupt flowchart to follow ++ /** ++ * According to Mentor Graphics' documentation, flowchart on page 98, ++ * IRQ should be handled as follows: ++ * ++ * . Resume IRQ ++ * . Session Request IRQ ++ * . VBUS Error IRQ ++ * . Suspend IRQ ++ * . Connect IRQ ++ * . Disconnect IRQ ++ * . Reset/Babble IRQ ++ * . SOF IRQ (we're not using this one) ++ * . Endpoint 0 IRQ ++ * . TX Endpoints ++ * . RX Endpoints ++ * ++ * We will be following that flowchart in order to avoid any problems ++ * that might arise with internal Finite State Machine. + */ ++ + if (musb->int_usb) + retval |= musb_stage0_irq(musb, musb->int_usb, + devctl); + +- /* "stage 1" is handling endpoint irqs */ +- +- /* handle endpoint 0 first */ + if (musb->int_tx & 1) { + if (is_host_active(musb)) + retval |= musb_h_ep0_irq(musb); +@@ -1614,37 +1628,31 @@ irqreturn_t musb_interrupt(struct musb * + retval |= musb_g_ep0_irq(musb); + } + +- /* RX on endpoints 1-15 */ +- reg = musb->int_rx >> 1; ++ reg = musb->int_tx >> 1; + ep_num = 1; + while (reg) { + if (reg & 1) { +- /* musb_ep_select(musb->mregs, ep_num); */ +- /* REVISIT just retval = ep->rx_irq(...) */ + retval = IRQ_HANDLED; + if (is_host_active(musb)) +- musb_host_rx(musb, ep_num); ++ musb_host_tx(musb, ep_num); + else +- musb_g_rx(musb, ep_num); ++ musb_g_tx(musb, ep_num); + } +- + reg >>= 1; + ep_num++; + } + +- /* TX on endpoints 1-15 */ +- reg = musb->int_tx >> 1; ++ reg = musb->int_rx >> 1; + ep_num = 1; + while (reg) { + if (reg & 1) { +- /* musb_ep_select(musb->mregs, ep_num); */ +- /* REVISIT just retval |= ep->tx_irq(...) */ + retval = IRQ_HANDLED; + if (is_host_active(musb)) +- musb_host_tx(musb, ep_num); ++ musb_host_rx(musb, ep_num); + else +- musb_g_tx(musb, ep_num); ++ musb_g_rx(musb, ep_num); + } ++ + reg >>= 1; + ep_num++; + } diff --git a/queue-4.0/usb-phy-find-the-right-match-in-devm_usb_phy_match.patch b/queue-4.0/usb-phy-find-the-right-match-in-devm_usb_phy_match.patch new file mode 100644 index 00000000000..088ca6857f9 --- /dev/null +++ b/queue-4.0/usb-phy-find-the-right-match-in-devm_usb_phy_match.patch @@ -0,0 +1,35 @@ +From 869aee0f31429fa9d94d5aef539602b73ae0cf4b Mon Sep 17 00:00:00 2001 +From: Axel Lin +Date: Thu, 12 Mar 2015 09:15:28 +0800 +Subject: usb: phy: Find the right match in devm_usb_phy_match + +From: Axel Lin + +commit 869aee0f31429fa9d94d5aef539602b73ae0cf4b upstream. + +The res parameter passed to devm_usb_phy_match() is the location where the +pointer to the usb_phy is stored, hence it needs to be dereferenced before +comparing to the match data in order to find the correct match. + +Fixes: 410219dcd2ba ("usb: otg: utils: devres: Add API's to associate a device with the phy") +Signed-off-by: Axel Lin +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/phy/phy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/phy/phy.c ++++ b/drivers/usb/phy/phy.c +@@ -81,7 +81,9 @@ static void devm_usb_phy_release(struct + + static int devm_usb_phy_match(struct device *dev, void *res, void *match_data) + { +- return res == match_data; ++ struct usb_phy **phy = res; ++ ++ return *phy == match_data; + } + + /**