From: Greg Kroah-Hartman Date: Sat, 28 Feb 2015 23:18:17 +0000 (-0800) Subject: 3.19-stable patches X-Git-Tag: v3.10.71~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7038c1c7cc2c20c7345921a895c1db1a48780300;p=thirdparty%2Fkernel%2Fstable-queue.git 3.19-stable patches added patches: arc-fix-page-address-calculation-if-page_offset-linux_link_base.patch arm-bcm-put-back-arch_multi_v7-dependency-for-mobile.patch arm-brcmstb-update-cpu-power-management-sequence.patch arm-mvebu-build-armada375-smp-code-conditionally.patch arm-pxa-add-regulator_has_full_constraints-to-corgi-board-file.patch arm-pxa-add-regulator_has_full_constraints-to-poodle-board-file.patch arm-pxa-add-regulator_has_full_constraints-to-spitz-board-file.patch arm-vexpress-use-arm_cpu_suspend-if-needed.patch axonram-fix-bug-in-direct_access.patch cdc-acm-add-sanity-checks.patch kdb-avoid-printing-kern_-levels-to-consoles.patch kdb-fix-incorrect-counts-in-kdb-summary-command-output.patch kdb-fix-off-by-one-error-in-kdb_cpu.patch mei-mask-interrupt-set-bit-on-clean-reset-bit.patch mei-me-release-hw-from-reset-only-during-the-reset-flow.patch ntp-fixup-adjtimex-freq-validation-on-32-bit-systems.patch ring-buffer-do-not-wake-up-a-splice-waiter-when-page-is-not-full.patch serial-fsl_lpuart-avoid-new-transfer-while-dma-is-running.patch serial-fsl_lpuart-delete-timer-on-shutdown.patch smack-fix-possible-use-after-frees-in-task_security-callers.patch tty-prevent-untrappable-signals-from-malicious-program.patch tty-remove-warning-in-tty_lock_slave.patch tty-serial-at91-enable-peripheral-clock-before-accessing-i-o-registers.patch tty-serial-at91-fix-error-handling-in-atmel_serial_probe.patch tty-serial-at91-use-correct-type-for-dma_sync_-_for_cpu-and-dma_sync_-_for_device.patch usb-add-flag-for-hcds-that-can-t-receive-wakeup-requests-isp1760-hcd.patch usb-core-buffer-smallest-buffer-should-start-at-arch_dma_minalign.patch usb-cp210x-add-id-for-ruggedcom-usb-serial-console.patch usb-don-t-cancel-queued-resets-when-unbinding-drivers.patch usb-dwc3-gadget-add-missing-spin_lock.patch usb-fix-use-after-free-bug-in-usb_hcd_unlink_urb.patch usb-musb-add-omap-control-dependency.patch vt-provide-notifications-on-selection-changes.patch --- diff --git a/queue-3.19/arc-fix-page-address-calculation-if-page_offset-linux_link_base.patch b/queue-3.19/arc-fix-page-address-calculation-if-page_offset-linux_link_base.patch new file mode 100644 index 00000000000..61e92166d34 --- /dev/null +++ b/queue-3.19/arc-fix-page-address-calculation-if-page_offset-linux_link_base.patch @@ -0,0 +1,52 @@ +From 06f34e1c28f3608b0ce5b310e41102d3fe7b65a1 Mon Sep 17 00:00:00 2001 +From: Alexey Brodkin +Date: Thu, 12 Feb 2015 21:10:11 +0300 +Subject: ARC: fix page address calculation if PAGE_OFFSET != LINUX_LINK_BASE + +From: Alexey Brodkin + +commit 06f34e1c28f3608b0ce5b310e41102d3fe7b65a1 upstream. + +We used to calculate page address differently in 2 cases: + +1. In virt_to_page(x) we do + --->8--- + mem_map + (x - CONFIG_LINUX_LINK_BASE) >> PAGE_SHIFT + --->8--- + +2. In in pte_page(x) we do + --->8--- + mem_map + (pte_val(x) - PAGE_OFFSET) >> PAGE_SHIFT + --->8--- + +That leads to problems in case PAGE_OFFSET != CONFIG_LINUX_LINK_BASE - +different pages will be selected depending on where and how we calculate +page address. + +In particular in the STAR 9000853582 when gdb attempted to read memory +of another process it got improper page in get_user_pages() because this +is exactly one of the places where we search for a page by pte_page(). + +The fix is trivial - we need to calculate page address similarly in both +cases. + +Signed-off-by: Alexey Brodkin +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/pgtable.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arc/include/asm/pgtable.h ++++ b/arch/arc/include/asm/pgtable.h +@@ -259,7 +259,8 @@ static inline void pmd_set(pmd_t *pmdp, + #define pmd_clear(xp) do { pmd_val(*(xp)) = 0; } while (0) + + #define pte_page(x) (mem_map + \ +- (unsigned long)(((pte_val(x) - PAGE_OFFSET) >> PAGE_SHIFT))) ++ (unsigned long)(((pte_val(x) - CONFIG_LINUX_LINK_BASE) >> \ ++ PAGE_SHIFT))) + + #define mk_pte(page, pgprot) \ + ({ \ diff --git a/queue-3.19/arm-bcm-put-back-arch_multi_v7-dependency-for-mobile.patch b/queue-3.19/arm-bcm-put-back-arch_multi_v7-dependency-for-mobile.patch new file mode 100644 index 00000000000..dbe9779a7f0 --- /dev/null +++ b/queue-3.19/arm-bcm-put-back-arch_multi_v7-dependency-for-mobile.patch @@ -0,0 +1,51 @@ +From ff34cae5b4fc7a84113d7c7e8611ba87a7c31dba Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 23 Jan 2015 20:59:10 +0100 +Subject: ARM: BCM: put back ARCH_MULTI_V7 dependency for mobile + +From: Arnd Bergmann + +commit ff34cae5b4fc7a84113d7c7e8611ba87a7c31dba upstream. + +A recent cleanup rearranged the Kconfig file for mach-bcm and +accidentally dropped the dependency on ARCH_MULTI_V7, which +makes it possible to now build the two mobile SoC platforms +on an ARMv6-only kernel, resulting in a log of Kconfig +warnings like + +warning: ARCH_BCM_MOBILE selects ARM_ERRATA_775420 which has unmet direct dependencies (CPU_V7) + +and which of course cannot work on any machine. + +This puts back the dependencies as before. + +Signed-off-by: Arnd Bergmann +Fixes: 64e74aa788f99 ("ARM: mach-bcm: ARCH_BCM_MOBILE: remove one level of menu from Kconfig") +Acked-by: Florian Fainelli +Acked-by: Scott Branden +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-bcm/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/mach-bcm/Kconfig ++++ b/arch/arm/mach-bcm/Kconfig +@@ -68,7 +68,7 @@ config ARCH_BCM_MOBILE + This enables support for systems based on Broadcom mobile SoCs. + + config ARCH_BCM_281XX +- bool "Broadcom BCM281XX SoC family" ++ bool "Broadcom BCM281XX SoC family" if ARCH_MULTI_V7 + select ARCH_BCM_MOBILE + select HAVE_SMP + help +@@ -77,7 +77,7 @@ config ARCH_BCM_281XX + variants. + + config ARCH_BCM_21664 +- bool "Broadcom BCM21664 SoC family" ++ bool "Broadcom BCM21664 SoC family" if ARCH_MULTI_V7 + select ARCH_BCM_MOBILE + select HAVE_SMP + help diff --git a/queue-3.19/arm-brcmstb-update-cpu-power-management-sequence.patch b/queue-3.19/arm-brcmstb-update-cpu-power-management-sequence.patch new file mode 100644 index 00000000000..b1b3891f5a4 --- /dev/null +++ b/queue-3.19/arm-brcmstb-update-cpu-power-management-sequence.patch @@ -0,0 +1,157 @@ +From a1ad3b94a7661b643fef2efbc6fc217bd148f462 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Tue, 16 Dec 2014 19:13:50 -0800 +Subject: ARM: brcmstb: update CPU power management sequence + +From: Brian Norris + +commit a1ad3b94a7661b643fef2efbc6fc217bd148f462 upstream. + +The automatic CPU power state machine for B15 CPUs does not work +reliably as-is. This patch implements a manual sequence in software to +replace it. + +This was tested successfully with over 10,000 hotplug cycles of +something like this: + + echo 0 > /sys/devices/system/cpu/cpu1/online + echo 1 > /sys/devices/system/cpu/cpu1/online + +whereas the existing sequence often locks up after a few hundred cycles. + +Fixes: 62639c2f5332 ("ARM: brcmstb: reintroduce SMP support") +Acked-by: Gregory Fong +Signed-off-by: Brian Norris +Signed-off-by: Florian Fainelli +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-bcm/platsmp-brcmstb.c | 87 ++++++++++++++++++++++++++---------- + 1 file changed, 64 insertions(+), 23 deletions(-) + +--- a/arch/arm/mach-bcm/platsmp-brcmstb.c ++++ b/arch/arm/mach-bcm/platsmp-brcmstb.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -94,10 +95,35 @@ static u32 pwr_ctrl_rd(u32 cpu) + return readl_relaxed(base); + } + +-static void pwr_ctrl_wr(u32 cpu, u32 val) ++static void pwr_ctrl_set(unsigned int cpu, u32 val, u32 mask) + { + void __iomem *base = pwr_ctrl_get_base(cpu); +- writel(val, base); ++ writel((readl(base) & mask) | val, base); ++} ++ ++static void pwr_ctrl_clr(unsigned int cpu, u32 val, u32 mask) ++{ ++ void __iomem *base = pwr_ctrl_get_base(cpu); ++ writel((readl(base) & mask) & ~val, base); ++} ++ ++#define POLL_TMOUT_MS 500 ++static int pwr_ctrl_wait_tmout(unsigned int cpu, u32 set, u32 mask) ++{ ++ const unsigned long timeo = jiffies + msecs_to_jiffies(POLL_TMOUT_MS); ++ u32 tmp; ++ ++ do { ++ tmp = pwr_ctrl_rd(cpu) & mask; ++ if (!set == !tmp) ++ return 0; ++ } while (time_before(jiffies, timeo)); ++ ++ tmp = pwr_ctrl_rd(cpu) & mask; ++ if (!set == !tmp) ++ return 0; ++ ++ return -ETIMEDOUT; + } + + static void cpu_rst_cfg_set(u32 cpu, int set) +@@ -139,15 +165,22 @@ static void brcmstb_cpu_power_on(u32 cpu + * The secondary cores power was cut, so we must go through + * power-on initialization. + */ +- u32 tmp; ++ pwr_ctrl_set(cpu, ZONE_MAN_ISO_CNTL_MASK, 0xffffff00); ++ pwr_ctrl_set(cpu, ZONE_MANUAL_CONTROL_MASK, -1); ++ pwr_ctrl_set(cpu, ZONE_RESERVED_1_MASK, -1); + +- /* Request zone power up */ +- pwr_ctrl_wr(cpu, ZONE_PWR_UP_REQ_MASK); ++ pwr_ctrl_set(cpu, ZONE_MAN_MEM_PWR_MASK, -1); + +- /* Wait for the power up FSM to complete */ +- do { +- tmp = pwr_ctrl_rd(cpu); +- } while (!(tmp & ZONE_PWR_ON_STATE_MASK)); ++ if (pwr_ctrl_wait_tmout(cpu, 1, ZONE_MEM_PWR_STATE_MASK)) ++ panic("ZONE_MEM_PWR_STATE_MASK set timeout"); ++ ++ pwr_ctrl_set(cpu, ZONE_MAN_CLKEN_MASK, -1); ++ ++ if (pwr_ctrl_wait_tmout(cpu, 1, ZONE_DPG_PWR_STATE_MASK)) ++ panic("ZONE_DPG_PWR_STATE_MASK set timeout"); ++ ++ pwr_ctrl_clr(cpu, ZONE_MAN_ISO_CNTL_MASK, -1); ++ pwr_ctrl_set(cpu, ZONE_MAN_RESET_CNTL_MASK, -1); + } + + static int brcmstb_cpu_get_power_state(u32 cpu) +@@ -174,25 +207,33 @@ static void brcmstb_cpu_die(u32 cpu) + + static int brcmstb_cpu_kill(u32 cpu) + { +- u32 tmp; ++ /* ++ * Ordinarily, the hardware forbids power-down of CPU0 (which is good ++ * because it is the boot CPU), but this is not true when using BPCM ++ * manual mode. Consequently, we must avoid turning off CPU0 here to ++ * ensure that TI2C master reset will work. ++ */ ++ if (cpu == 0) { ++ pr_warn("SMP: refusing to power off CPU0\n"); ++ return 1; ++ } + + while (per_cpu_sw_state_rd(cpu)) + ; + +- /* Program zone reset */ +- pwr_ctrl_wr(cpu, ZONE_RESET_STATE_MASK | ZONE_BLK_RST_ASSERT_MASK | +- ZONE_PWR_DN_REQ_MASK); +- +- /* Verify zone reset */ +- tmp = pwr_ctrl_rd(cpu); +- if (!(tmp & ZONE_RESET_STATE_MASK)) +- pr_err("%s: Zone reset bit for CPU %d not asserted!\n", +- __func__, cpu); ++ pwr_ctrl_set(cpu, ZONE_MANUAL_CONTROL_MASK, -1); ++ pwr_ctrl_clr(cpu, ZONE_MAN_RESET_CNTL_MASK, -1); ++ pwr_ctrl_clr(cpu, ZONE_MAN_CLKEN_MASK, -1); ++ pwr_ctrl_set(cpu, ZONE_MAN_ISO_CNTL_MASK, -1); ++ pwr_ctrl_clr(cpu, ZONE_MAN_MEM_PWR_MASK, -1); + +- /* Wait for power down */ +- do { +- tmp = pwr_ctrl_rd(cpu); +- } while (!(tmp & ZONE_PWR_OFF_STATE_MASK)); ++ if (pwr_ctrl_wait_tmout(cpu, 0, ZONE_MEM_PWR_STATE_MASK)) ++ panic("ZONE_MEM_PWR_STATE_MASK clear timeout"); ++ ++ pwr_ctrl_clr(cpu, ZONE_RESERVED_1_MASK, -1); ++ ++ if (pwr_ctrl_wait_tmout(cpu, 0, ZONE_DPG_PWR_STATE_MASK)) ++ panic("ZONE_DPG_PWR_STATE_MASK clear timeout"); + + /* Flush pipeline before resetting CPU */ + mb(); diff --git a/queue-3.19/arm-mvebu-build-armada375-smp-code-conditionally.patch b/queue-3.19/arm-mvebu-build-armada375-smp-code-conditionally.patch new file mode 100644 index 00000000000..38ef8688b9b --- /dev/null +++ b/queue-3.19/arm-mvebu-build-armada375-smp-code-conditionally.patch @@ -0,0 +1,41 @@ +From 165235180ff61f0012ea68a299e46daec43dcaa7 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 2 Feb 2015 15:27:16 +0100 +Subject: ARM: mvebu: build armada375-smp code conditionally + +From: Arnd Bergmann + +commit 165235180ff61f0012ea68a299e46daec43dcaa7 upstream. + +mvebu_armada375_smp_wa_init is only used on armada 375 but is defined +for all mvebu machines. As it calls a function that is only provided +sometimes, this can result in a link error: + +arch/arm/mach-mvebu/built-in.o: In function `mvebu_armada375_smp_wa_init': +:(.text+0x228): undefined reference to `mvebu_setup_boot_addr_wa' + +To solve this, we can just change the existing #ifdef around the +function to also check for Armada375 SMP platforms. + +Signed-off-by: Arnd Bergmann +Fixes: 305969fb6292 ("ARM: mvebu: use the common function for Armada 375 SMP workaround") +Cc: Andrew Lunn +Cc: Jason Cooper +Cc: Gregory Clement +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-mvebu/system-controller.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/mach-mvebu/system-controller.c ++++ b/arch/arm/mach-mvebu/system-controller.c +@@ -126,7 +126,7 @@ int mvebu_system_controller_get_soc_id(u + return -ENODEV; + } + +-#ifdef CONFIG_SMP ++#if defined(CONFIG_SMP) && defined(CONFIG_MACH_MVEBU_V7) + void mvebu_armada375_smp_wa_init(void) + { + u32 dev, rev; diff --git a/queue-3.19/arm-pxa-add-regulator_has_full_constraints-to-corgi-board-file.patch b/queue-3.19/arm-pxa-add-regulator_has_full_constraints-to-corgi-board-file.patch new file mode 100644 index 00000000000..5917d2746d3 --- /dev/null +++ b/queue-3.19/arm-pxa-add-regulator_has_full_constraints-to-corgi-board-file.patch @@ -0,0 +1,51 @@ +From 271e80176aae4e5b481f4bb92df9768c6075bbca Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov +Date: Thu, 4 Dec 2014 14:10:00 +0300 +Subject: ARM: pxa: add regulator_has_full_constraints to corgi board file + +From: Dmitry Eremin-Solenikov + +commit 271e80176aae4e5b481f4bb92df9768c6075bbca upstream. + +Add regulator_has_full_constraints() call to corgi board file to let +regulator core know that we do not have any additional regulators left. +This lets it substitute unprovided regulators with dummy ones. + +This fixes the following warnings that can be seen on corgi if +regulators are enabled: + +ads7846 spi1.0: unable to get regulator: -517 +spi spi1.0: Driver ads7846 requests probe deferral +wm8731 0-001b: Failed to get supply 'AVDD': -517 +wm8731 0-001b: Failed to request supplies: -517 +wm8731 0-001b: ASoC: failed to probe component -517 +corgi-audio corgi-audio: ASoC: failed to instantiate card -517 + +Signed-off-by: Dmitry Eremin-Solenikov +Acked-by: Mark Brown +Signed-off-by: Robert Jarzmik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-pxa/corgi.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arm/mach-pxa/corgi.c ++++ b/arch/arm/mach-pxa/corgi.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -752,6 +753,8 @@ static void __init corgi_init(void) + sharpsl_nand_partitions[1].size = 53 * 1024 * 1024; + + platform_add_devices(devices, ARRAY_SIZE(devices)); ++ ++ regulator_has_full_constraints(); + } + + static void __init fixup_corgi(struct tag *tags, char **cmdline) diff --git a/queue-3.19/arm-pxa-add-regulator_has_full_constraints-to-poodle-board-file.patch b/queue-3.19/arm-pxa-add-regulator_has_full_constraints-to-poodle-board-file.patch new file mode 100644 index 00000000000..f01e09858f3 --- /dev/null +++ b/queue-3.19/arm-pxa-add-regulator_has_full_constraints-to-poodle-board-file.patch @@ -0,0 +1,49 @@ +From 9bc78f32c2e430aebf6def965b316aa95e37a20c Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov +Date: Thu, 4 Dec 2014 14:10:01 +0300 +Subject: ARM: pxa: add regulator_has_full_constraints to poodle board file + +From: Dmitry Eremin-Solenikov + +commit 9bc78f32c2e430aebf6def965b316aa95e37a20c upstream. + +Add regulator_has_full_constraints() call to poodle board file to let +regulator core know that we do not have any additional regulators left. +This lets it substitute unprovided regulators with dummy ones. + +This fixes the following warnings that can be seen on poodle if +regulators are enabled: + +ads7846 spi1.0: unable to get regulator: -517 +spi spi1.0: Driver ads7846 requests probe deferral +wm8731 0-001b: Failed to get supply 'AVDD': -517 +wm8731 0-001b: Failed to request supplies: -517 +wm8731 0-001b: ASoC: failed to probe component -517 + +Signed-off-by: Dmitry Eremin-Solenikov +Acked-by: Mark Brown +Signed-off-by: Robert Jarzmik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-pxa/poodle.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm/mach-pxa/poodle.c ++++ b/arch/arm/mach-pxa/poodle.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -455,6 +456,7 @@ static void __init poodle_init(void) + pxa_set_i2c_info(NULL); + i2c_register_board_info(0, ARRAY_AND_SIZE(poodle_i2c_devices)); + poodle_init_spi(); ++ regulator_has_full_constraints(); + } + + static void __init fixup_poodle(struct tag *tags, char **cmdline) diff --git a/queue-3.19/arm-pxa-add-regulator_has_full_constraints-to-spitz-board-file.patch b/queue-3.19/arm-pxa-add-regulator_has_full_constraints-to-spitz-board-file.patch new file mode 100644 index 00000000000..c078851695e --- /dev/null +++ b/queue-3.19/arm-pxa-add-regulator_has_full_constraints-to-spitz-board-file.patch @@ -0,0 +1,39 @@ +From baad2dc49c5d970ea881d92981a1b76c94a7b7a1 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov +Date: Thu, 4 Dec 2014 14:10:02 +0300 +Subject: ARM: pxa: add regulator_has_full_constraints to spitz board file + +From: Dmitry Eremin-Solenikov + +commit baad2dc49c5d970ea881d92981a1b76c94a7b7a1 upstream. + +Add regulator_has_full_constraints() call to spitz board file to let +regulator core know that we do not have any additional regulators left. +This lets it substitute unprovided regulators with dummy ones. + +This fixes the following warnings that can be seen on spitz if +regulators are enabled: + +ads7846 spi2.0: unable to get regulator: -517 +spi spi2.0: Driver ads7846 requests probe deferral + +Signed-off-by: Dmitry Eremin-Solenikov +Acked-by: Mark Brown +Signed-off-by: Robert Jarzmik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-pxa/spitz.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm/mach-pxa/spitz.c ++++ b/arch/arm/mach-pxa/spitz.c +@@ -979,6 +979,8 @@ static void __init spitz_init(void) + spitz_nand_init(); + spitz_i2c_init(); + spitz_audio_init(); ++ ++ regulator_has_full_constraints(); + } + + static void __init spitz_fixup(struct tag *tags, char **cmdline) diff --git a/queue-3.19/arm-vexpress-use-arm_cpu_suspend-if-needed.patch b/queue-3.19/arm-vexpress-use-arm_cpu_suspend-if-needed.patch new file mode 100644 index 00000000000..af71da79709 --- /dev/null +++ b/queue-3.19/arm-vexpress-use-arm_cpu_suspend-if-needed.patch @@ -0,0 +1,42 @@ +From 95fcedb027a27f32bf2434f9271635c380e57fb5 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 5 Feb 2015 13:42:43 +0100 +Subject: ARM: vexpress: use ARM_CPU_SUSPEND if needed + +From: Arnd Bergmann + +commit 95fcedb027a27f32bf2434f9271635c380e57fb5 upstream. + +The vexpress tc2 power management code calls mcpm_loopback, which +is only available if ARM_CPU_SUSPEND is enabled, otherwise we +get a link error: + +arch/arm/mach-vexpress/built-in.o: In function `tc2_pm_init': +arch/arm/mach-vexpress/tc2_pm.c:389: undefined reference to `mcpm_loopback' + +This explicitly selects ARM_CPU_SUSPEND like other platforms that +need it. + +Signed-off-by: Arnd Bergmann +Fixes: 3592d7e002438 ("ARM: 8082/1: TC2: test the MCPM loopback during boot") +Acked-by: Nicolas Pitre +Acked-by: Liviu Dudau +Cc: Kevin Hilman +Cc: Sudeep Holla +Cc: Lorenzo Pieralisi +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-vexpress/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/mach-vexpress/Kconfig ++++ b/arch/arm/mach-vexpress/Kconfig +@@ -73,6 +73,7 @@ config ARCH_VEXPRESS_TC2_PM + depends on MCPM + select ARM_CCI + select ARCH_VEXPRESS_SPC ++ select ARM_CPU_SUSPEND + help + Support for CPU and cluster power management on Versatile Express + with a TC2 (A15x2 A7x3) big.LITTLE core tile. diff --git a/queue-3.19/axonram-fix-bug-in-direct_access.patch b/queue-3.19/axonram-fix-bug-in-direct_access.patch new file mode 100644 index 00000000000..a18c4c7f9a6 --- /dev/null +++ b/queue-3.19/axonram-fix-bug-in-direct_access.patch @@ -0,0 +1,33 @@ +From 91117a20245b59f70b563523edbf998a62fc6383 Mon Sep 17 00:00:00 2001 +From: Matthew Wilcox +Date: Wed, 7 Jan 2015 18:04:18 +0200 +Subject: axonram: Fix bug in direct_access + +From: Matthew Wilcox + +commit 91117a20245b59f70b563523edbf998a62fc6383 upstream. + +The 'pfn' returned by axonram was completely bogus, and has been since +2008. + +Signed-off-by: Matthew Wilcox +Reviewed-by: Jan Kara +Reviewed-by: Mathieu Desnoyers +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/sysdev/axonram.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/sysdev/axonram.c ++++ b/arch/powerpc/sysdev/axonram.c +@@ -156,7 +156,7 @@ axon_ram_direct_access(struct block_devi + } + + *kaddr = (void *)(bank->ph_addr + offset); +- *pfn = virt_to_phys(kaddr) >> PAGE_SHIFT; ++ *pfn = virt_to_phys(*kaddr) >> PAGE_SHIFT; + + return 0; + } diff --git a/queue-3.19/cdc-acm-add-sanity-checks.patch b/queue-3.19/cdc-acm-add-sanity-checks.patch new file mode 100644 index 00000000000..ecdd73f7e0e --- /dev/null +++ b/queue-3.19/cdc-acm-add-sanity-checks.patch @@ -0,0 +1,86 @@ +From 7e860a6e7aa62b337a61110430cd633db5b0d2dd Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Wed, 28 Jan 2015 11:14:55 +0100 +Subject: cdc-acm: add sanity checks + +From: Oliver Neukum + +commit 7e860a6e7aa62b337a61110430cd633db5b0d2dd upstream. + +Check the special CDC headers for a plausible minimum length. +Another big operating systems ignores such garbage. + +Signed-off-by: Oliver Neukum +Reviewed-by: Adam Lee +Tested-by: Adam Lee +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1091,6 +1091,7 @@ static int acm_probe(struct usb_interfac + unsigned long quirks; + int num_rx_buf; + int i; ++ unsigned int elength = 0; + int combined_interfaces = 0; + struct device *tty_dev; + int rv = -ENOMEM; +@@ -1136,9 +1137,12 @@ static int acm_probe(struct usb_interfac + dev_err(&intf->dev, "skipping garbage\n"); + goto next_desc; + } ++ elength = buffer[0]; + + switch (buffer[2]) { + case USB_CDC_UNION_TYPE: /* we've found it */ ++ if (elength < sizeof(struct usb_cdc_union_desc)) ++ goto next_desc; + if (union_header) { + dev_err(&intf->dev, "More than one " + "union descriptor, skipping ...\n"); +@@ -1147,29 +1151,36 @@ static int acm_probe(struct usb_interfac + union_header = (struct usb_cdc_union_desc *)buffer; + break; + case USB_CDC_COUNTRY_TYPE: /* export through sysfs*/ ++ if (elength < sizeof(struct usb_cdc_country_functional_desc)) ++ goto next_desc; + cfd = (struct usb_cdc_country_functional_desc *)buffer; + break; + case USB_CDC_HEADER_TYPE: /* maybe check version */ + break; /* for now we ignore it */ + case USB_CDC_ACM_TYPE: ++ if (elength < 4) ++ goto next_desc; + ac_management_function = buffer[3]; + break; + case USB_CDC_CALL_MANAGEMENT_TYPE: ++ if (elength < 5) ++ goto next_desc; + call_management_function = buffer[3]; + call_interface_num = buffer[4]; + break; + default: +- /* there are LOTS more CDC descriptors that ++ /* ++ * there are LOTS more CDC descriptors that + * could legitimately be found here. + */ + dev_dbg(&intf->dev, "Ignoring descriptor: " +- "type %02x, length %d\n", +- buffer[2], buffer[0]); ++ "type %02x, length %ud\n", ++ buffer[2], elength); + break; + } + next_desc: +- buflen -= buffer[0]; +- buffer += buffer[0]; ++ buflen -= elength; ++ buffer += elength; + } + + if (!union_header) { diff --git a/queue-3.19/kdb-avoid-printing-kern_-levels-to-consoles.patch b/queue-3.19/kdb-avoid-printing-kern_-levels-to-consoles.patch new file mode 100644 index 00000000000..efdf0547108 --- /dev/null +++ b/queue-3.19/kdb-avoid-printing-kern_-levels-to-consoles.patch @@ -0,0 +1,129 @@ +From f7d4ca8bbfda23b4f1eae9b6757ff64166b093d5 Mon Sep 17 00:00:00 2001 +From: Daniel Thompson +Date: Fri, 7 Nov 2014 18:37:57 +0000 +Subject: kdb: Avoid printing KERN_ levels to consoles + +From: Daniel Thompson + +commit f7d4ca8bbfda23b4f1eae9b6757ff64166b093d5 upstream. + +Currently when kdb traps printk messages then the raw log level prefix +(consisting of '\001' followed by a numeral) does not get stripped off +before the message is issued to the various I/O handlers supported by +kdb. This causes annoying visual noise as well as causing problems +grepping for ^. It is also a change of behaviour compared to normal usage +of printk() usage. For example -h ends up with different output to +that of kdb's "sr h". + +This patch addresses the problem by stripping log levels from messages +before they are issued to the I/O handlers. printk() which can also +act as an i/o handler in some cases is special cased; if the caller +provided a log level then the prefix will be preserved when sent to +printk(). + +The addition of non-printable characters to the output of kdb commands is a +regression, albeit and extremely elderly one, introduced by commit +04d2c8c83d0e ("printk: convert the format for KERN_ to a 2 byte +pattern"). Note also that this patch does *not* restore the original +behaviour from v3.5. Instead it makes printk() from within a kdb command +display the message without any prefix (i.e. like printk() normally does). + +Signed-off-by: Daniel Thompson +Cc: Joe Perches +Signed-off-by: Jason Wessel +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/kdb.h | 8 +++++++- + kernel/debug/kdb/kdb_io.c | 22 +++++++++++++--------- + kernel/printk/printk.c | 2 +- + 3 files changed, 21 insertions(+), 11 deletions(-) + +--- a/include/linux/kdb.h ++++ b/include/linux/kdb.h +@@ -156,8 +156,14 @@ typedef enum { + KDB_REASON_SYSTEM_NMI, /* In NMI due to SYSTEM cmd; regs valid */ + } kdb_reason_t; + ++enum kdb_msgsrc { ++ KDB_MSGSRC_INTERNAL, /* direct call to kdb_printf() */ ++ KDB_MSGSRC_PRINTK, /* trapped from printk() */ ++}; ++ + extern int kdb_trap_printk; +-extern __printf(1, 0) int vkdb_printf(const char *fmt, va_list args); ++extern __printf(2, 0) int vkdb_printf(enum kdb_msgsrc src, const char *fmt, ++ va_list args); + extern __printf(1, 2) int kdb_printf(const char *, ...); + typedef __printf(1, 2) int (*kdb_printf_t)(const char *, ...); + +--- a/kernel/debug/kdb/kdb_io.c ++++ b/kernel/debug/kdb/kdb_io.c +@@ -548,7 +548,7 @@ static int kdb_search_string(char *searc + return 0; + } + +-int vkdb_printf(const char *fmt, va_list ap) ++int vkdb_printf(enum kdb_msgsrc src, const char *fmt, va_list ap) + { + int diag; + int linecount; +@@ -691,19 +691,20 @@ kdb_printit: + * Write to all consoles. + */ + retlen = strlen(kdb_buffer); ++ cp = (char *) printk_skip_level(kdb_buffer); + if (!dbg_kdb_mode && kgdb_connected) { +- gdbstub_msg_write(kdb_buffer, retlen); ++ gdbstub_msg_write(cp, retlen - (cp - kdb_buffer)); + } else { + if (dbg_io_ops && !dbg_io_ops->is_console) { +- len = retlen; +- cp = kdb_buffer; ++ len = retlen - (cp - kdb_buffer); ++ cp2 = cp; + while (len--) { +- dbg_io_ops->write_char(*cp); +- cp++; ++ dbg_io_ops->write_char(*cp2); ++ cp2++; + } + } + while (c) { +- c->write(c, kdb_buffer, retlen); ++ c->write(c, cp, retlen - (cp - kdb_buffer)); + touch_nmi_watchdog(); + c = c->next; + } +@@ -711,7 +712,10 @@ kdb_printit: + if (logging) { + saved_loglevel = console_loglevel; + console_loglevel = CONSOLE_LOGLEVEL_SILENT; +- printk(KERN_INFO "%s", kdb_buffer); ++ if (printk_get_level(kdb_buffer) || src == KDB_MSGSRC_PRINTK) ++ printk("%s", kdb_buffer); ++ else ++ pr_info("%s", kdb_buffer); + } + + if (KDB_STATE(PAGER)) { +@@ -844,7 +848,7 @@ int kdb_printf(const char *fmt, ...) + int r; + + va_start(ap, fmt); +- r = vkdb_printf(fmt, ap); ++ r = vkdb_printf(KDB_MSGSRC_INTERNAL, fmt, ap); + va_end(ap); + + return r; +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -1811,7 +1811,7 @@ int vprintk_default(const char *fmt, va_ + + #ifdef CONFIG_KGDB_KDB + if (unlikely(kdb_trap_printk)) { +- r = vkdb_printf(fmt, args); ++ r = vkdb_printf(KDB_MSGSRC_PRINTK, fmt, args); + return r; + } + #endif diff --git a/queue-3.19/kdb-fix-incorrect-counts-in-kdb-summary-command-output.patch b/queue-3.19/kdb-fix-incorrect-counts-in-kdb-summary-command-output.patch new file mode 100644 index 00000000000..88b96473c88 --- /dev/null +++ b/queue-3.19/kdb-fix-incorrect-counts-in-kdb-summary-command-output.patch @@ -0,0 +1,37 @@ +From 146755923262037fc4c54abc28c04b1103f3cc51 Mon Sep 17 00:00:00 2001 +From: Jay Lan +Date: Mon, 29 Sep 2014 15:36:57 -0700 +Subject: kdb: fix incorrect counts in KDB summary command output + +From: Jay Lan + +commit 146755923262037fc4c54abc28c04b1103f3cc51 upstream. + +The output of KDB 'summary' command should report MemTotal, MemFree +and Buffers output in kB. Current codes report in unit of pages. + +A define of K(x) as +is defined in the code, but not used. + +This patch would apply the define to convert the values to kB. +Please include me on Cc on replies. I do not subscribe to linux-kernel. + +Signed-off-by: Jay Lan +Signed-off-by: Jason Wessel +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/debug/kdb/kdb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/debug/kdb/kdb_main.c ++++ b/kernel/debug/kdb/kdb_main.c +@@ -2583,7 +2583,7 @@ static int kdb_summary(int argc, const c + #define K(x) ((x) << (PAGE_SHIFT - 10)) + kdb_printf("\nMemTotal: %8lu kB\nMemFree: %8lu kB\n" + "Buffers: %8lu kB\n", +- val.totalram, val.freeram, val.bufferram); ++ K(val.totalram), K(val.freeram), K(val.bufferram)); + return 0; + } + diff --git a/queue-3.19/kdb-fix-off-by-one-error-in-kdb_cpu.patch b/queue-3.19/kdb-fix-off-by-one-error-in-kdb_cpu.patch new file mode 100644 index 00000000000..ccee582d705 --- /dev/null +++ b/queue-3.19/kdb-fix-off-by-one-error-in-kdb_cpu.patch @@ -0,0 +1,53 @@ +From df0036d117e6c9df36324e517728e33543065f9a Mon Sep 17 00:00:00 2001 +From: Jason Wessel +Date: Thu, 8 Jan 2015 15:46:55 -0600 +Subject: kdb: Fix off by one error in kdb_cpu() + +From: Jason Wessel + +commit df0036d117e6c9df36324e517728e33543065f9a upstream. + +There was a follow on replacement patch against the prior +"kgdb: Timeout if secondary CPUs ignore the roundup". + +See: https://lkml.org/lkml/2015/1/7/442 + +This patch is the delta vs the patch that was committed upstream: + * Fix an off-by-one error in kdb_cpu(). + * Replace NR_CPUS with CONFIG_NR_CPUS to tell checkpatch that we + really want a static limit. + * Removed the "KGDB: " prefix from the pr_crit() in debug_core.c + (kgdb-next contains a patch which introduced pr_fmt() to this file + to the tag will now be applied automatically). + +Cc: Daniel Thompson +Signed-off-by: Jason Wessel +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/debug/debug_core.c | 2 +- + kernel/debug/kdb/kdb_main.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/debug/debug_core.c ++++ b/kernel/debug/debug_core.c +@@ -604,7 +604,7 @@ return_normal: + online_cpus) + cpu_relax(); + if (!time_left) +- pr_crit("KGDB: Timed out waiting for secondary CPUs.\n"); ++ pr_crit("Timed out waiting for secondary CPUs.\n"); + + /* + * At this point the primary processor is completely +--- a/kernel/debug/kdb/kdb_main.c ++++ b/kernel/debug/kdb/kdb_main.c +@@ -2256,7 +2256,7 @@ static int kdb_cpu(int argc, const char + /* + * Validate cpunum + */ +- if ((cpunum > NR_CPUS) || !kgdb_info[cpunum].enter_kgdb) ++ if ((cpunum >= CONFIG_NR_CPUS) || !kgdb_info[cpunum].enter_kgdb) + return KDB_BADCPUNUM; + + dbg_switch_cpu = cpunum; diff --git a/queue-3.19/mei-mask-interrupt-set-bit-on-clean-reset-bit.patch b/queue-3.19/mei-mask-interrupt-set-bit-on-clean-reset-bit.patch new file mode 100644 index 00000000000..c56ed52c846 --- /dev/null +++ b/queue-3.19/mei-mask-interrupt-set-bit-on-clean-reset-bit.patch @@ -0,0 +1,35 @@ +From 1ab1e79b9fd4b01331490bbe2e630a0fc0b25449 Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Sun, 25 Jan 2015 23:45:27 +0200 +Subject: mei: mask interrupt set bit on clean reset bit + +From: Alexander Usyskin + +commit 1ab1e79b9fd4b01331490bbe2e630a0fc0b25449 upstream. + +We should mask interrupt set bit when writing back +hcsr value in reset bit clean-up. + +This is refinement for +mei: clean reset bit before reset +commit b13a65ef190e488e2761d65bdd2e1fe8a3a125f5 + +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/hw-me.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/mei/hw-me.c ++++ b/drivers/misc/mei/hw-me.c +@@ -242,7 +242,7 @@ static int mei_me_hw_reset(struct mei_de + if ((hcsr & H_RST) == H_RST) { + dev_warn(dev->dev, "H_RST is set = 0x%08X", hcsr); + hcsr &= ~H_RST; +- mei_me_reg_write(hw, H_CSR, hcsr); ++ mei_hcsr_set(hw, hcsr); + hcsr = mei_hcsr_read(hw); + } + diff --git a/queue-3.19/mei-me-release-hw-from-reset-only-during-the-reset-flow.patch b/queue-3.19/mei-me-release-hw-from-reset-only-during-the-reset-flow.patch new file mode 100644 index 00000000000..b038a24b1b9 --- /dev/null +++ b/queue-3.19/mei-me-release-hw-from-reset-only-during-the-reset-flow.patch @@ -0,0 +1,42 @@ +From 663b7ee9517eec6deea9a48c7a1392a9a34f7809 Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Sun, 25 Jan 2015 23:45:28 +0200 +Subject: mei: me: release hw from reset only during the reset flow + +From: Alexander Usyskin + +commit 663b7ee9517eec6deea9a48c7a1392a9a34f7809 upstream. + +We might enter the interrupt handler with hw_ready already set, +but prior we actually started the reset flow. +To soleve this we move the reset release from the interrupt handler +to the HW start wait function which is part of the reset sequence. + +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/hw-me.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/misc/mei/hw-me.c ++++ b/drivers/misc/mei/hw-me.c +@@ -335,6 +335,7 @@ static int mei_me_hw_ready_wait(struct m + return -ETIME; + } + ++ mei_me_hw_reset_release(dev); + dev->recvd_hw_ready = false; + return 0; + } +@@ -731,9 +732,7 @@ irqreturn_t mei_me_irq_thread_handler(in + /* check if we need to start the dev */ + if (!mei_host_is_ready(dev)) { + if (mei_hw_is_ready(dev)) { +- mei_me_hw_reset_release(dev); + dev_dbg(dev->dev, "we need to start the dev.\n"); +- + dev->recvd_hw_ready = true; + wake_up(&dev->wait_hw_ready); + } else { diff --git a/queue-3.19/ntp-fixup-adjtimex-freq-validation-on-32-bit-systems.patch b/queue-3.19/ntp-fixup-adjtimex-freq-validation-on-32-bit-systems.patch new file mode 100644 index 00000000000..d7fc461b130 --- /dev/null +++ b/queue-3.19/ntp-fixup-adjtimex-freq-validation-on-32-bit-systems.patch @@ -0,0 +1,71 @@ +From 29183a70b0b828500816bd794b3fe192fce89f73 Mon Sep 17 00:00:00 2001 +From: John Stultz +Date: Mon, 9 Feb 2015 23:30:36 -0800 +Subject: ntp: Fixup adjtimex freq validation on 32-bit systems + +From: John Stultz + +commit 29183a70b0b828500816bd794b3fe192fce89f73 upstream. + +Additional validation of adjtimex freq values to avoid +potential multiplication overflows were added in commit +5e5aeb4367b (time: adjtimex: Validate the ADJ_FREQUENCY values) + +Unfortunately the patch used LONG_MAX/MIN instead of +LLONG_MAX/MIN, which was fine on 64-bit systems, but being +much smaller on 32-bit systems caused false positives +resulting in most direct frequency adjustments to fail w/ +EINVAL. + +ntpd only does direct frequency adjustments at startup, so +the issue was not as easily observed there, but other time +sync applications like ptpd and chrony were more effected by +the bug. + +See bugs: + + https://bugzilla.kernel.org/show_bug.cgi?id=92481 + https://bugzilla.redhat.com/show_bug.cgi?id=1188074 + +This patch changes the checks to use LLONG_MAX for +clarity, and additionally the checks are disabled +on 32-bit systems since LLONG_MAX/PPM_SCALE is always +larger then the 32-bit long freq value, so multiplication +overflows aren't possible there. + +Reported-by: Josh Boyer +Reported-by: George Joseph +Tested-by: George Joseph +Signed-off-by: John Stultz +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Sasha Levin +Link: http://lkml.kernel.org/r/1423553436-29747-1-git-send-email-john.stultz@linaro.org +[ Prettified the changelog and the comments a bit. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/ntp.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/kernel/time/ntp.c ++++ b/kernel/time/ntp.c +@@ -633,10 +633,14 @@ int ntp_validate_timex(struct timex *txc + if ((txc->modes & ADJ_SETOFFSET) && (!capable(CAP_SYS_TIME))) + return -EPERM; + +- if (txc->modes & ADJ_FREQUENCY) { +- if (LONG_MIN / PPM_SCALE > txc->freq) ++ /* ++ * Check for potential multiplication overflows that can ++ * only happen on 64-bit systems: ++ */ ++ if ((txc->modes & ADJ_FREQUENCY) && (BITS_PER_LONG == 64)) { ++ if (LLONG_MIN / PPM_SCALE > txc->freq) + return -EINVAL; +- if (LONG_MAX / PPM_SCALE < txc->freq) ++ if (LLONG_MAX / PPM_SCALE < txc->freq) + return -EINVAL; + } + diff --git a/queue-3.19/ring-buffer-do-not-wake-up-a-splice-waiter-when-page-is-not-full.patch b/queue-3.19/ring-buffer-do-not-wake-up-a-splice-waiter-when-page-is-not-full.patch new file mode 100644 index 00000000000..9a0787533cb --- /dev/null +++ b/queue-3.19/ring-buffer-do-not-wake-up-a-splice-waiter-when-page-is-not-full.patch @@ -0,0 +1,152 @@ +From 1e0d6714aceb770b04161fbedd7765d0e1fc27bd Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Red Hat)" +Date: Tue, 10 Feb 2015 22:14:53 -0500 +Subject: ring-buffer: Do not wake up a splice waiter when page is not full + +From: "Steven Rostedt (Red Hat)" + +commit 1e0d6714aceb770b04161fbedd7765d0e1fc27bd upstream. + +When an application connects to the ring buffer via splice, it can only +read full pages. Splice does not work with partial pages. If there is +not enough data to fill a page, the splice command will either block +or return -EAGAIN (if set to nonblock). + +Code was added where if the page is not full, to just sleep again. +The problem is, it will get woken up again on the next event. That +is, when something is written into the ring buffer, if there is a waiter +it will wake it up. The waiter would then check the buffer, see that +it still does not have enough data to fill a page and go back to sleep. +To make matters worse, when the waiter goes back to sleep, it could +cause another event, which would wake it back up again to see it +doesn't have enough data and sleep again. This produces a tremendous +overhead and fills the ring buffer with noise. + +For example, recording sched_switch on an idle system for 10 seconds +produces 25,350,475 events!!! + +Create another wait queue for those waiters wanting full pages. +When an event is written, it only wakes up waiters if there's a full +page of data. It does not wake up the waiter if the page is not yet +full. + +After this change, recording sched_switch on an idle system for 10 +seconds produces only 800 events. Getting rid of 25,349,675 useless +events (99.9969% of events!!), is something to take seriously. + +Cc: Rabin Vincent +Fixes: e30f53aad220 "tracing: Do not busy wait in buffer splice" +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ring_buffer.c | 40 +++++++++++++++++++++++++++++++++++----- + 1 file changed, 35 insertions(+), 5 deletions(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -447,7 +447,10 @@ int ring_buffer_print_page_header(struct + struct rb_irq_work { + struct irq_work work; + wait_queue_head_t waiters; ++ wait_queue_head_t full_waiters; + bool waiters_pending; ++ bool full_waiters_pending; ++ bool wakeup_full; + }; + + /* +@@ -529,6 +532,10 @@ static void rb_wake_up_waiters(struct ir + struct rb_irq_work *rbwork = container_of(work, struct rb_irq_work, work); + + wake_up_all(&rbwork->waiters); ++ if (rbwork->wakeup_full) { ++ rbwork->wakeup_full = false; ++ wake_up_all(&rbwork->full_waiters); ++ } + } + + /** +@@ -553,9 +560,11 @@ int ring_buffer_wait(struct ring_buffer + * data in any cpu buffer, or a specific buffer, put the + * caller on the appropriate wait queue. + */ +- if (cpu == RING_BUFFER_ALL_CPUS) ++ if (cpu == RING_BUFFER_ALL_CPUS) { + work = &buffer->irq_work; +- else { ++ /* Full only makes sense on per cpu reads */ ++ full = false; ++ } else { + if (!cpumask_test_cpu(cpu, buffer->cpumask)) + return -ENODEV; + cpu_buffer = buffer->buffers[cpu]; +@@ -564,7 +573,10 @@ int ring_buffer_wait(struct ring_buffer + + + while (true) { +- prepare_to_wait(&work->waiters, &wait, TASK_INTERRUPTIBLE); ++ if (full) ++ prepare_to_wait(&work->full_waiters, &wait, TASK_INTERRUPTIBLE); ++ else ++ prepare_to_wait(&work->waiters, &wait, TASK_INTERRUPTIBLE); + + /* + * The events can happen in critical sections where +@@ -586,7 +598,10 @@ int ring_buffer_wait(struct ring_buffer + * that is necessary is that the wake up happens after + * a task has been queued. It's OK for spurious wake ups. + */ +- work->waiters_pending = true; ++ if (full) ++ work->full_waiters_pending = true; ++ else ++ work->waiters_pending = true; + + if (signal_pending(current)) { + ret = -EINTR; +@@ -615,7 +630,10 @@ int ring_buffer_wait(struct ring_buffer + schedule(); + } + +- finish_wait(&work->waiters, &wait); ++ if (full) ++ finish_wait(&work->full_waiters, &wait); ++ else ++ finish_wait(&work->waiters, &wait); + + return ret; + } +@@ -1230,6 +1248,7 @@ rb_allocate_cpu_buffer(struct ring_buffe + init_completion(&cpu_buffer->update_done); + init_irq_work(&cpu_buffer->irq_work.work, rb_wake_up_waiters); + init_waitqueue_head(&cpu_buffer->irq_work.waiters); ++ init_waitqueue_head(&cpu_buffer->irq_work.full_waiters); + + bpage = kzalloc_node(ALIGN(sizeof(*bpage), cache_line_size()), + GFP_KERNEL, cpu_to_node(cpu)); +@@ -2801,6 +2820,8 @@ static void rb_commit(struct ring_buffer + static __always_inline void + rb_wakeups(struct ring_buffer *buffer, struct ring_buffer_per_cpu *cpu_buffer) + { ++ bool pagebusy; ++ + if (buffer->irq_work.waiters_pending) { + buffer->irq_work.waiters_pending = false; + /* irq_work_queue() supplies it's own memory barriers */ +@@ -2812,6 +2833,15 @@ rb_wakeups(struct ring_buffer *buffer, s + /* irq_work_queue() supplies it's own memory barriers */ + irq_work_queue(&cpu_buffer->irq_work.work); + } ++ ++ pagebusy = cpu_buffer->reader_page == cpu_buffer->commit_page; ++ ++ if (!pagebusy && cpu_buffer->irq_work.full_waiters_pending) { ++ cpu_buffer->irq_work.wakeup_full = true; ++ cpu_buffer->irq_work.full_waiters_pending = false; ++ /* irq_work_queue() supplies it's own memory barriers */ ++ irq_work_queue(&cpu_buffer->irq_work.work); ++ } + } + + /** diff --git a/queue-3.19/serial-fsl_lpuart-avoid-new-transfer-while-dma-is-running.patch b/queue-3.19/serial-fsl_lpuart-avoid-new-transfer-while-dma-is-running.patch new file mode 100644 index 00000000000..ebeb25c943c --- /dev/null +++ b/queue-3.19/serial-fsl_lpuart-avoid-new-transfer-while-dma-is-running.patch @@ -0,0 +1,81 @@ +From 5f1437f61a0b351d25b528c159360da3d5e8c77b Mon Sep 17 00:00:00 2001 +From: Stefan Agner +Date: Sat, 10 Jan 2015 01:08:59 +0100 +Subject: serial: fsl_lpuart: avoid new transfer while DMA is running + +From: Stefan Agner + +commit 5f1437f61a0b351d25b528c159360da3d5e8c77b upstream. + +When the UART is in DMA receive mode (RDMAS set) and one character +just arrived while another interrupt is handled (e.g. TX), the RDRF +(receiver data register full flag) is set due to the water level of +1. But since the DMA will take care of this character, there is no +need to handle it by calling lpuart_prepare_rx. Handling it leads to +adding the RX timeout timer twice: + +[ 74.336698] Kernel BUG at 80053070 [verbose debug info unavailable] +[ 74.342999] Internal error: Oops - BUG: 0 [#1] ARM0:00.00 khungtaskd +[ 74.347817] Modules linked in: 0 S 0.0 0.0 0:00.00 writeback +[ 74.350926] CPU: 0 PID: 0 Comm: swapper Not tainted 3.19.0-rc3-00001-g39d78e2 #1788 +[ 74.358617] Hardware name: Freescale Vybrid VF610 (Device Tree)t +[ 74.364563] task: 807a7678 ti: 8079c000 task.ti: 8079c000 kblockd +[ 74.370002] PC is at add_timer+0x24/0x28.0 0.0 0:00.09 kworker/u2:1 +[ 74.373960] LR is at lpuart_int+0x15c/0x3d8 +[ 74.378171] pc : [<80053070>] lr : [<802e0d88>] psr: a0010193 +[ 74.378171] sp : 8079de10 ip : 8079de20 fp : 8079de1c +[ 74.389694] r10: 807d44c0 r9 : 8688c300 r8 : 00000013 +[ 74.394943] r7 : 20010193 r6 : 00000000 r5 : 000000a0 r4 : 86997210 +[ 74.401498] r3 : ffffa7da r2 : 80817868 r1 : 86997210 r0 : 86997344 +[ 74.408052] Flags: NzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel +[ 74.415489] Control: 10c5387d Table: 8611c059 DAC: 00000015 +[ 74.421265] Process swapper (pid: 0, stack limit = 0x8079c230) +... + +Solve this by only execute the receiver path (lpuart_prepare_rx) if +the DMA receive mode (RDMAS) is not set. Also, make sure the flag is +cleared on initialization, in case it has been left set. + +This can be best reproduced using UART as a serial console, then +running top while dd'ing data into the terminal. + +Signed-off-by: Stefan Agner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/fsl_lpuart.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -755,18 +755,18 @@ out: + static irqreturn_t lpuart_int(int irq, void *dev_id) + { + struct lpuart_port *sport = dev_id; +- unsigned char sts; ++ unsigned char sts, crdma; + + sts = readb(sport->port.membase + UARTSR1); ++ crdma = readb(sport->port.membase + UARTCR5); + +- if (sts & UARTSR1_RDRF) { ++ if (sts & UARTSR1_RDRF && !(crdma & UARTCR5_RDMAS)) { + if (sport->lpuart_dma_use) + lpuart_prepare_rx(sport); + else + lpuart_rxint(irq, dev_id); + } +- if (sts & UARTSR1_TDRE && +- !(readb(sport->port.membase + UARTCR5) & UARTCR5_TDMAS)) { ++ if (sts & UARTSR1_TDRE && !(crdma & UARTCR5_TDMAS)) { + if (sport->lpuart_dma_use) + lpuart_pio_tx(sport); + else +@@ -1106,6 +1106,7 @@ static int lpuart_startup(struct uart_po + setup_timer(&sport->lpuart_timer, lpuart_timer_func, + (unsigned long)sport); + temp = readb(port->membase + UARTCR5); ++ temp &= ~UARTCR5_RDMAS; + writeb(temp | UARTCR5_TDMAS, port->membase + UARTCR5); + } + diff --git a/queue-3.19/serial-fsl_lpuart-delete-timer-on-shutdown.patch b/queue-3.19/serial-fsl_lpuart-delete-timer-on-shutdown.patch new file mode 100644 index 00000000000..6102288feb6 --- /dev/null +++ b/queue-3.19/serial-fsl_lpuart-delete-timer-on-shutdown.patch @@ -0,0 +1,73 @@ +From 4a8588a1cf867333187d9ff071e6fbdab587d194 Mon Sep 17 00:00:00 2001 +From: Stefan Agner +Date: Sat, 10 Jan 2015 01:08:58 +0100 +Subject: serial: fsl_lpuart: delete timer on shutdown + +From: Stefan Agner + +commit 4a8588a1cf867333187d9ff071e6fbdab587d194 upstream. + +If the serial port gets closed while a RX transfer is in progress, +the timer might fire after the serial port shutdown finished. This +leads in a NULL pointer dereference: + +[ 7.508324] Unable to handle kernel NULL pointer dereference at virtual address 00000000 +[ 7.516590] pgd = 86348000 +[ 7.519445] [00000000] *pgd=86179831, *pte=00000000, *ppte=00000000 +[ 7.526145] Internal error: Oops: 17 [#1] ARM +[ 7.530611] Modules linked in: +[ 7.533876] CPU: 0 PID: 123 Comm: systemd Not tainted 3.19.0-rc3-00004-g5b11ea7 #1778 +[ 7.541827] Hardware name: Freescale Vybrid VF610 (Device Tree) +[ 7.547862] task: 861c3400 ti: 86ac8000 task.ti: 86ac8000 +[ 7.553392] PC is at lpuart_timer_func+0x24/0xf8 +[ 7.558127] LR is at lpuart_timer_func+0x20/0xf8 +[ 7.562857] pc : [<802df99c>] lr : [<802df998>] psr: 600b0113 +[ 7.562857] sp : 86ac9b90 ip : 86ac9b90 fp : 86ac9bbc +[ 7.574467] r10: 80817180 r9 : 80817b98 r8 : 80817998 +[ 7.579803] r7 : 807acee0 r6 : 86989000 r5 : 00000100 r4 : 86997210 +[ 7.586444] r3 : 86ac8000 r2 : 86ac9bc0 r1 : 86997210 r0 : 00000000 +[ 7.593085] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user +[ 7.600341] Control: 10c5387d Table: 86348059 DAC: 00000015 +[ 7.606203] Process systemd (pid: 123, stack limit = 0x86ac8230) + +Setup the timer on UART startup which allows to delete the timer +unconditionally on shutdown. This also saves the initialization +on each transfer. + +Signed-off-by: Stefan Agner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/fsl_lpuart.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -506,9 +506,6 @@ static inline void lpuart_prepare_rx(str + + spin_lock_irqsave(&sport->port.lock, flags); + +- init_timer(&sport->lpuart_timer); +- sport->lpuart_timer.function = lpuart_timer_func; +- sport->lpuart_timer.data = (unsigned long)sport; + sport->lpuart_timer.expires = jiffies + sport->dma_rx_timeout; + add_timer(&sport->lpuart_timer); + +@@ -1106,6 +1103,8 @@ static int lpuart_startup(struct uart_po + sport->lpuart_dma_use = false; + } else { + sport->lpuart_dma_use = true; ++ setup_timer(&sport->lpuart_timer, lpuart_timer_func, ++ (unsigned long)sport); + temp = readb(port->membase + UARTCR5); + writeb(temp | UARTCR5_TDMAS, port->membase + UARTCR5); + } +@@ -1180,6 +1179,8 @@ static void lpuart_shutdown(struct uart_ + devm_free_irq(port->dev, port->irq, sport); + + if (sport->lpuart_dma_use) { ++ del_timer_sync(&sport->lpuart_timer); ++ + lpuart_dma_tx_free(port); + lpuart_dma_rx_free(port); + } diff --git a/queue-3.19/series b/queue-3.19/series index f829af18528..5afa04f4864 100644 --- a/queue-3.19/series +++ b/queue-3.19/series @@ -107,3 +107,36 @@ iscsi-target-drop-problematic-active_ts_list-usage.patch cfq-iosched-handle-failure-of-cfq-group-allocation.patch cfq-iosched-fix-incorrect-filing-of-rt-async-cfqq.patch cipso-don-t-use-ipcb-to-locate-the-cipso-ip-option.patch +ring-buffer-do-not-wake-up-a-splice-waiter-when-page-is-not-full.patch +smack-fix-possible-use-after-frees-in-task_security-callers.patch +axonram-fix-bug-in-direct_access.patch +tty-remove-warning-in-tty_lock_slave.patch +tty-prevent-untrappable-signals-from-malicious-program.patch +tty-serial-at91-use-correct-type-for-dma_sync_-_for_cpu-and-dma_sync_-_for_device.patch +tty-serial-at91-enable-peripheral-clock-before-accessing-i-o-registers.patch +tty-serial-at91-fix-error-handling-in-atmel_serial_probe.patch +mei-mask-interrupt-set-bit-on-clean-reset-bit.patch +mei-me-release-hw-from-reset-only-during-the-reset-flow.patch +usb-cp210x-add-id-for-ruggedcom-usb-serial-console.patch +usb-fix-use-after-free-bug-in-usb_hcd_unlink_urb.patch +usb-dwc3-gadget-add-missing-spin_lock.patch +usb-musb-add-omap-control-dependency.patch +usb-core-buffer-smallest-buffer-should-start-at-arch_dma_minalign.patch +usb-don-t-cancel-queued-resets-when-unbinding-drivers.patch +usb-add-flag-for-hcds-that-can-t-receive-wakeup-requests-isp1760-hcd.patch +cdc-acm-add-sanity-checks.patch +vt-provide-notifications-on-selection-changes.patch +arm-pxa-add-regulator_has_full_constraints-to-corgi-board-file.patch +arm-pxa-add-regulator_has_full_constraints-to-poodle-board-file.patch +arm-pxa-add-regulator_has_full_constraints-to-spitz-board-file.patch +arm-brcmstb-update-cpu-power-management-sequence.patch +arm-bcm-put-back-arch_multi_v7-dependency-for-mobile.patch +arm-vexpress-use-arm_cpu_suspend-if-needed.patch +arm-mvebu-build-armada375-smp-code-conditionally.patch +kdb-fix-incorrect-counts-in-kdb-summary-command-output.patch +kdb-avoid-printing-kern_-levels-to-consoles.patch +kdb-fix-off-by-one-error-in-kdb_cpu.patch +ntp-fixup-adjtimex-freq-validation-on-32-bit-systems.patch +serial-fsl_lpuart-delete-timer-on-shutdown.patch +serial-fsl_lpuart-avoid-new-transfer-while-dma-is-running.patch +arc-fix-page-address-calculation-if-page_offset-linux_link_base.patch diff --git a/queue-3.19/smack-fix-possible-use-after-frees-in-task_security-callers.patch b/queue-3.19/smack-fix-possible-use-after-frees-in-task_security-callers.patch new file mode 100644 index 00000000000..e4612786119 --- /dev/null +++ b/queue-3.19/smack-fix-possible-use-after-frees-in-task_security-callers.patch @@ -0,0 +1,250 @@ +From 6d1cff2a885850b78b40c34777b46cf5da5d1050 Mon Sep 17 00:00:00 2001 +From: Andrey Ryabinin +Date: Tue, 13 Jan 2015 18:52:40 +0300 +Subject: smack: fix possible use after frees in task_security() callers + +From: Andrey Ryabinin + +commit 6d1cff2a885850b78b40c34777b46cf5da5d1050 upstream. + +We hit use after free on dereferncing pointer to task_smack struct in +smk_of_task() called from smack_task_to_inode(). + +task_security() macro uses task_cred_xxx() to get pointer to the task_smack. +task_cred_xxx() could be used only for non-pointer members of task's +credentials. It cannot be used for pointer members since what they point +to may disapper after dropping RCU read lock. + +Mainly task_security() used this way: + smk_of_task(task_security(p)) + +Intead of this introduce function smk_of_task_struct() which +takes task_struct as argument and returns pointer to smk_known struct +and do this under RCU read lock. +Bogus task_security() macro is not used anymore, so remove it. + +KASan's report for this: + + AddressSanitizer: use after free in smack_task_to_inode+0x50/0x70 at addr c4635600 + ============================================================================= + BUG kmalloc-64 (Tainted: PO): kasan error + ----------------------------------------------------------------------------- + + Disabling lock debugging due to kernel taint + INFO: Allocated in new_task_smack+0x44/0xd8 age=39 cpu=0 pid=1866 + kmem_cache_alloc_trace+0x88/0x1bc + new_task_smack+0x44/0xd8 + smack_cred_prepare+0x48/0x21c + security_prepare_creds+0x44/0x4c + prepare_creds+0xdc/0x110 + smack_setprocattr+0x104/0x150 + security_setprocattr+0x4c/0x54 + proc_pid_attr_write+0x12c/0x194 + vfs_write+0x1b0/0x370 + SyS_write+0x5c/0x94 + ret_fast_syscall+0x0/0x48 + INFO: Freed in smack_cred_free+0xc4/0xd0 age=27 cpu=0 pid=1564 + kfree+0x270/0x290 + smack_cred_free+0xc4/0xd0 + security_cred_free+0x34/0x3c + put_cred_rcu+0x58/0xcc + rcu_process_callbacks+0x738/0x998 + __do_softirq+0x264/0x4cc + do_softirq+0x94/0xf4 + irq_exit+0xbc/0x120 + handle_IRQ+0x104/0x134 + gic_handle_irq+0x70/0xac + __irq_svc+0x44/0x78 + _raw_spin_unlock+0x18/0x48 + sync_inodes_sb+0x17c/0x1d8 + sync_filesystem+0xac/0xfc + vdfs_file_fsync+0x90/0xc0 + vfs_fsync_range+0x74/0x7c + INFO: Slab 0xd3b23f50 objects=32 used=31 fp=0xc4635600 flags=0x4080 + INFO: Object 0xc4635600 @offset=5632 fp=0x (null) + + Bytes b4 c46355f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ + Object c4635600: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk + Object c4635610: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk + Object c4635620: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk + Object c4635630: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk. + Redzone c4635640: bb bb bb bb .... + Padding c46356e8: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ + Padding c46356f8: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ + CPU: 5 PID: 834 Comm: launchpad_prelo Tainted: PBO 3.10.30 #1 + Backtrace: + [] (dump_backtrace+0x0/0x158) from [] (show_stack+0x20/0x24) + r7:c4634010 r6:d3b23f50 r5:c4635600 r4:d1002140 + [] (show_stack+0x0/0x24) from [] (dump_stack+0x20/0x28) + [] (dump_stack+0x0/0x28) from [] (print_trailer+0x124/0x144) + [] (print_trailer+0x0/0x144) from [] (object_err+0x3c/0x44) + r7:c4635600 r6:d1002140 r5:d3b23f50 r4:c4635600 + [] (object_err+0x0/0x44) from [] (kasan_report_error+0x2b8/0x538) + r6:d1002140 r5:d3b23f50 r4:c6429cf8 r3:c09e1aa7 + [] (kasan_report_error+0x0/0x538) from [] (__asan_load4+0xd4/0xf8) + [] (__asan_load4+0x0/0xf8) from [] (smack_task_to_inode+0x50/0x70) + r5:c4635600 r4:ca9da000 + [] (smack_task_to_inode+0x0/0x70) from [] (security_task_to_inode+0x3c/0x44) + r5:cca25e80 r4:c0ba9780 + [] (security_task_to_inode+0x0/0x44) from [] (pid_revalidate+0x124/0x178) + r6:00000000 r5:cca25e80 r4:cbabe3c0 r3:00008124 + [] (pid_revalidate+0x0/0x178) from [] (lookup_fast+0x35c/0x43y4) + r9:c6429efc r8:00000101 r7:c079d940 r6:c6429e90 r5:c6429ed8 r4:c83c4148 + [] (lookup_fast+0x0/0x434) from [] (do_last.isra.24+0x1c0/0x1108) + [] (do_last.isra.24+0x0/0x1108) from [] (path_openat.isra.25+0xf4/0x648) + [] (path_openat.isra.25+0x0/0x648) from [] (do_filp_open+0x3c/0x88) + [] (do_filp_open+0x0/0x88) from [] (do_sys_open+0xf0/0x198) + r7:00000001 r6:c0ea2180 r5:0000000b r4:00000000 + [] (do_sys_open+0x0/0x198) from [] (SyS_open+0x30/0x34) + [] (SyS_open+0x0/0x34) from [] (ret_fast_syscall+0x0/0x48) + Read of size 4 by thread T834: + Memory state around the buggy address: + c4635380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + c4635400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc + c4635480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + c4635500: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc + c4635580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + >c4635600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + c4635680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + c4635700: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc + c4635780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + c4635800: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc + c4635880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ================================================================== + +Signed-off-by: Andrey Ryabinin +Signed-off-by: Greg Kroah-Hartman + +--- + security/smack/smack.h | 10 ++++++++++ + security/smack/smack_lsm.c | 24 +++++++++++++----------- + 2 files changed, 23 insertions(+), 11 deletions(-) + +--- a/security/smack/smack.h ++++ b/security/smack/smack.h +@@ -298,6 +298,16 @@ static inline struct smack_known *smk_of + return tsp->smk_task; + } + ++static inline struct smack_known *smk_of_task_struct(const struct task_struct *t) ++{ ++ struct smack_known *skp; ++ ++ rcu_read_lock(); ++ skp = smk_of_task(__task_cred(t)->security); ++ rcu_read_unlock(); ++ return skp; ++} ++ + /* + * Present a pointer to the forked smack label entry in an task blob. + */ +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -43,8 +43,6 @@ + #include + #include "smack.h" + +-#define task_security(task) (task_cred_xxx((task), security)) +- + #define TRANS_TRUE "TRUE" + #define TRANS_TRUE_SIZE 4 + +@@ -120,7 +118,7 @@ static int smk_bu_current(char *note, st + static int smk_bu_task(struct task_struct *otp, int mode, int rc) + { + struct task_smack *tsp = current_security(); +- struct task_smack *otsp = task_security(otp); ++ struct smack_known *smk_task = smk_of_task_struct(otp); + char acc[SMK_NUM_ACCESS_TYPE + 1]; + + if (rc <= 0) +@@ -128,7 +126,7 @@ static int smk_bu_task(struct task_struc + + smk_bu_mode(mode, acc); + pr_info("Smack Bringup: (%s %s %s) %s to %s\n", +- tsp->smk_task->smk_known, otsp->smk_task->smk_known, acc, ++ tsp->smk_task->smk_known, smk_task->smk_known, acc, + current->comm, otp->comm); + return 0; + } +@@ -345,7 +343,8 @@ static int smk_ptrace_rule_check(struct + saip = &ad; + } + +- tsp = task_security(tracer); ++ rcu_read_lock(); ++ tsp = __task_cred(tracer)->security; + tracer_known = smk_of_task(tsp); + + if ((mode & PTRACE_MODE_ATTACH) && +@@ -365,11 +364,14 @@ static int smk_ptrace_rule_check(struct + tracee_known->smk_known, + 0, rc, saip); + ++ rcu_read_unlock(); + return rc; + } + + /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ + rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); ++ ++ rcu_read_unlock(); + return rc; + } + +@@ -396,7 +398,7 @@ static int smack_ptrace_access_check(str + if (rc != 0) + return rc; + +- skp = smk_of_task(task_security(ctp)); ++ skp = smk_of_task_struct(ctp); + + rc = smk_ptrace_rule_check(current, skp, mode, __func__); + return rc; +@@ -1826,7 +1828,7 @@ static int smk_curacc_on_task(struct tas + const char *caller) + { + struct smk_audit_info ad; +- struct smack_known *skp = smk_of_task(task_security(p)); ++ struct smack_known *skp = smk_of_task_struct(p); + int rc; + + smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); +@@ -1879,7 +1881,7 @@ static int smack_task_getsid(struct task + */ + static void smack_task_getsecid(struct task_struct *p, u32 *secid) + { +- struct smack_known *skp = smk_of_task(task_security(p)); ++ struct smack_known *skp = smk_of_task_struct(p); + + *secid = skp->smk_secid; + } +@@ -1986,7 +1988,7 @@ static int smack_task_kill(struct task_s + { + struct smk_audit_info ad; + struct smack_known *skp; +- struct smack_known *tkp = smk_of_task(task_security(p)); ++ struct smack_known *tkp = smk_of_task_struct(p); + int rc; + + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); +@@ -2040,7 +2042,7 @@ static int smack_task_wait(struct task_s + static void smack_task_to_inode(struct task_struct *p, struct inode *inode) + { + struct inode_smack *isp = inode->i_security; +- struct smack_known *skp = smk_of_task(task_security(p)); ++ struct smack_known *skp = smk_of_task_struct(p); + + isp->smk_inode = skp; + } +@@ -3200,7 +3202,7 @@ unlockandout: + */ + static int smack_getprocattr(struct task_struct *p, char *name, char **value) + { +- struct smack_known *skp = smk_of_task(task_security(p)); ++ struct smack_known *skp = smk_of_task_struct(p); + char *cp; + int slen; + diff --git a/queue-3.19/tty-prevent-untrappable-signals-from-malicious-program.patch b/queue-3.19/tty-prevent-untrappable-signals-from-malicious-program.patch new file mode 100644 index 00000000000..46cf314fd41 --- /dev/null +++ b/queue-3.19/tty-prevent-untrappable-signals-from-malicious-program.patch @@ -0,0 +1,41 @@ +From 37480a05685ed5b8e1b9bf5e5c53b5810258b149 Mon Sep 17 00:00:00 2001 +From: Peter Hurley +Date: Mon, 19 Jan 2015 13:05:03 -0500 +Subject: tty: Prevent untrappable signals from malicious program + +From: Peter Hurley + +commit 37480a05685ed5b8e1b9bf5e5c53b5810258b149 upstream. + +Commit 26df6d13406d1a5 ("tty: Add EXTPROC support for LINEMODE") +allows a process which has opened a pty master to send _any_ signal +to the process group of the pty slave. Although potentially +exploitable by a malicious program running a setuid program on +a pty slave, it's unknown if this exploit currently exists. + +Limit to signals actually used. + +Cc: Theodore Ts'o +Cc: Howard Chu +Cc: One Thousand Gnomes +Cc: Jiri Slaby +Signed-off-by: Peter Hurley +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/pty.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/tty/pty.c ++++ b/drivers/tty/pty.c +@@ -210,6 +210,9 @@ static int pty_signal(struct tty_struct + { + struct pid *pgrp; + ++ if (sig != SIGINT && sig != SIGQUIT && sig != SIGTSTP) ++ return -EINVAL; ++ + if (tty->link) { + pgrp = tty_get_pgrp(tty->link); + if (pgrp) diff --git a/queue-3.19/tty-remove-warning-in-tty_lock_slave.patch b/queue-3.19/tty-remove-warning-in-tty_lock_slave.patch new file mode 100644 index 00000000000..728b49ad6cd --- /dev/null +++ b/queue-3.19/tty-remove-warning-in-tty_lock_slave.patch @@ -0,0 +1,39 @@ +From eef15e2a54fad4c2ce3f0a81485dc591ce678f4f Mon Sep 17 00:00:00 2001 +From: Peter Hurley +Date: Tue, 30 Dec 2014 07:11:11 -0500 +Subject: tty: Remove warning in tty_lock_slave() + +From: Peter Hurley + +commit eef15e2a54fad4c2ce3f0a81485dc591ce678f4f upstream. + +Commit 2aff5e2bc62db43e05c814461a08aff0fc2b7fe5 ('tty: Change +tty lock order to master->slave') added a warning which is broken +and unnecessary now that the tty lock has fixed lock subclasses, +added in commit 2febdb632bb96235b94b8fccaf882a78f8f4b2bb +('tty: Preset lock subclass for nested tty locks'). + +Reported-by: Dan Carpenter +Signed-off-by: Peter Hurley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_mutex.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/tty/tty_mutex.c ++++ b/drivers/tty/tty_mutex.c +@@ -46,12 +46,8 @@ EXPORT_SYMBOL(tty_unlock); + + void __lockfunc tty_lock_slave(struct tty_struct *tty) + { +- if (tty && tty != tty->link) { +- WARN_ON(!mutex_is_locked(&tty->link->legacy_mutex) || +- !tty->driver->type == TTY_DRIVER_TYPE_PTY || +- !tty->driver->type == PTY_TYPE_SLAVE); ++ if (tty && tty != tty->link) + tty_lock(tty); +- } + } + + void __lockfunc tty_unlock_slave(struct tty_struct *tty) diff --git a/queue-3.19/tty-serial-at91-enable-peripheral-clock-before-accessing-i-o-registers.patch b/queue-3.19/tty-serial-at91-enable-peripheral-clock-before-accessing-i-o-registers.patch new file mode 100644 index 00000000000..2894349e4da --- /dev/null +++ b/queue-3.19/tty-serial-at91-enable-peripheral-clock-before-accessing-i-o-registers.patch @@ -0,0 +1,53 @@ +From d4f641876a68d1961e30c202709cc2d484f69f6f Mon Sep 17 00:00:00 2001 +From: Cyrille Pitchen +Date: Tue, 9 Dec 2014 14:31:33 +0100 +Subject: tty/serial: at91: enable peripheral clock before accessing I/O registers + +From: Cyrille Pitchen + +commit d4f641876a68d1961e30c202709cc2d484f69f6f upstream. + +atmel_serial_probe() calls atmel_init_port(). In turn, atmel_init_port() calls +clk_disable_unprepare() to disable the peripheral clock before returning. + +Later atmel_serial_probe() accesses some I/O registers such as the Mode and +Control registers for RS485 support then the Name and Version registers, through a call to +atmel_get_ip_name(), but at that moment the peripheral clock was still +disabled. + +Signed-off-by: Cyrille Pitchen +Acked-by: Nicolas Ferre +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/atmel_serial.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -2596,6 +2596,12 @@ static int atmel_serial_probe(struct pla + device_init_wakeup(&pdev->dev, 1); + platform_set_drvdata(pdev, port); + ++ /* ++ * The peripheral clock has been disabled by atmel_init_port(): ++ * enable it before accessing I/O registers ++ */ ++ clk_prepare_enable(port->clk); ++ + if (rs485_enabled) { + UART_PUT_MR(&port->uart, ATMEL_US_USMODE_NORMAL); + UART_PUT_CR(&port->uart, ATMEL_US_RTSEN); +@@ -2606,6 +2612,12 @@ static int atmel_serial_probe(struct pla + */ + atmel_get_ip_name(&port->uart); + ++ /* ++ * The peripheral clock can now safely be disabled till the port ++ * is used ++ */ ++ clk_disable_unprepare(port->clk); ++ + return 0; + + err_add_port: diff --git a/queue-3.19/tty-serial-at91-fix-error-handling-in-atmel_serial_probe.patch b/queue-3.19/tty-serial-at91-fix-error-handling-in-atmel_serial_probe.patch new file mode 100644 index 00000000000..d86ea1f7b83 --- /dev/null +++ b/queue-3.19/tty-serial-at91-fix-error-handling-in-atmel_serial_probe.patch @@ -0,0 +1,49 @@ +From 6fbb9bdf0f3fbe23aeff806489791aa876adaffb Mon Sep 17 00:00:00 2001 +From: Cyrille Pitchen +Date: Tue, 9 Dec 2014 14:31:34 +0100 +Subject: tty/serial: at91: fix error handling in atmel_serial_probe() + +From: Cyrille Pitchen + +commit 6fbb9bdf0f3fbe23aeff806489791aa876adaffb upstream. + +-EDEFER error wasn't handle properly by atmel_serial_probe(). +As an example, when atmel_serial_probe() is called for the first time, we pass +the test_and_set_bit() test to check whether the port has already been +initalized. Then we call atmel_init_port(), which may return -EDEFER, possibly +returned before by clk_get(). Consequently atmel_serial_probe() used to return +this error code WITHOUT clearing the port bit in the "atmel_ports_in_use" mask. +When atmel_serial_probe() was called for the second time, it used to fail on +the test_and_set_bit() function then returning -EBUSY. + +When atmel_serial_probe() fails, this patch make it clear the port bit in the +"atmel_ports_in_use" mask, if needed, before returning the error code. + +Signed-off-by: Cyrille Pitchen +Acked-by: Nicolas Ferre +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/atmel_serial.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -2565,7 +2565,7 @@ static int atmel_serial_probe(struct pla + + ret = atmel_init_port(port, pdev); + if (ret) +- goto err; ++ goto err_clear_bit; + + if (!atmel_use_pdc_rx(&port->uart)) { + ret = -ENOMEM; +@@ -2628,6 +2628,8 @@ err_alloc_ring: + clk_put(port->clk); + port->clk = NULL; + } ++err_clear_bit: ++ clear_bit(port->uart.line, atmel_ports_in_use); + err: + return ret; + } diff --git a/queue-3.19/tty-serial-at91-use-correct-type-for-dma_sync_-_for_cpu-and-dma_sync_-_for_device.patch b/queue-3.19/tty-serial-at91-use-correct-type-for-dma_sync_-_for_cpu-and-dma_sync_-_for_device.patch new file mode 100644 index 00000000000..edf65bfac9f --- /dev/null +++ b/queue-3.19/tty-serial-at91-use-correct-type-for-dma_sync_-_for_cpu-and-dma_sync_-_for_device.patch @@ -0,0 +1,49 @@ +From 485819b5b9ed82372dacae775998f3c33717f7fe Mon Sep 17 00:00:00 2001 +From: Cyrille Pitchen +Date: Tue, 9 Dec 2014 14:31:32 +0100 +Subject: tty/serial: at91: use correct type for dma_sync_*_for_cpu() and dma_sync_*_for_device() + +From: Cyrille Pitchen + +commit 485819b5b9ed82372dacae775998f3c33717f7fe upstream. + +dma_sync_*_for_cpu() and dma_sync_*_for_device() use 'enum dma_data_direction', +not 'enum dma_transfer_direction' + +Signed-off-by: Cyrille Pitchen +Acked-by: Nicolas Ferre +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/atmel_serial.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -794,7 +794,7 @@ static void atmel_tx_dma(struct uart_por + return; + } + +- dma_sync_sg_for_device(port->dev, sg, 1, DMA_MEM_TO_DEV); ++ dma_sync_sg_for_device(port->dev, sg, 1, DMA_TO_DEVICE); + + atmel_port->desc_tx = desc; + desc->callback = atmel_complete_tx_dma; +@@ -927,7 +927,7 @@ static void atmel_rx_from_dma(struct uar + dma_sync_sg_for_cpu(port->dev, + &atmel_port->sg_rx, + 1, +- DMA_DEV_TO_MEM); ++ DMA_FROM_DEVICE); + + /* + * ring->head points to the end of data already written by the DMA. +@@ -974,7 +974,7 @@ static void atmel_rx_from_dma(struct uar + dma_sync_sg_for_device(port->dev, + &atmel_port->sg_rx, + 1, +- DMA_DEV_TO_MEM); ++ DMA_FROM_DEVICE); + + /* + * Drop the lock here since it might end up calling diff --git a/queue-3.19/usb-add-flag-for-hcds-that-can-t-receive-wakeup-requests-isp1760-hcd.patch b/queue-3.19/usb-add-flag-for-hcds-that-can-t-receive-wakeup-requests-isp1760-hcd.patch new file mode 100644 index 00000000000..e6a29b812ad --- /dev/null +++ b/queue-3.19/usb-add-flag-for-hcds-that-can-t-receive-wakeup-requests-isp1760-hcd.patch @@ -0,0 +1,75 @@ +From 074f9dd55f9cab1b82690ed7e44bcf38b9616ce0 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Thu, 29 Jan 2015 15:05:04 -0500 +Subject: USB: add flag for HCDs that can't receive wakeup requests (isp1760-hcd) + +From: Alan Stern + +commit 074f9dd55f9cab1b82690ed7e44bcf38b9616ce0 upstream. + +Currently the USB stack assumes that all host controller drivers are +capable of receiving wakeup requests from downstream devices. +However, this isn't true for the isp1760-hcd driver, which means that +it isn't safe to do a runtime suspend of any device attached to a +root-hub port if the device requires wakeup. + +This patch adds a "cant_recv_wakeups" flag to the usb_hcd structure +and sets the flag in isp1760-hcd. The core is modified to prevent a +direct child of the root hub from being put into runtime suspend with +wakeup enabled if the flag is set. + +Signed-off-by: Alan Stern +Tested-by: Nicolas Pitre +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/driver.c | 12 ++++++++++++ + drivers/usb/host/isp1760-hcd.c | 3 +++ + include/linux/usb/hcd.h | 2 ++ + 3 files changed, 17 insertions(+) + +--- a/drivers/usb/core/driver.c ++++ b/drivers/usb/core/driver.c +@@ -1780,6 +1780,18 @@ static int autosuspend_check(struct usb_ + dev_dbg(&udev->dev, "remote wakeup needed for autosuspend\n"); + return -EOPNOTSUPP; + } ++ ++ /* ++ * If the device is a direct child of the root hub and the HCD ++ * doesn't handle wakeup requests, don't allow autosuspend when ++ * wakeup is needed. ++ */ ++ if (w && udev->parent == udev->bus->root_hub && ++ bus_to_hcd(udev->bus)->cant_recv_wakeups) { ++ dev_dbg(&udev->dev, "HCD doesn't handle wakeup requests\n"); ++ return -EOPNOTSUPP; ++ } ++ + udev->do_remote_wakeup = w; + return 0; + } +--- a/drivers/usb/host/isp1760-hcd.c ++++ b/drivers/usb/host/isp1760-hcd.c +@@ -2247,6 +2247,9 @@ struct usb_hcd *isp1760_register(phys_ad + hcd->rsrc_start = res_start; + hcd->rsrc_len = res_len; + ++ /* This driver doesn't support wakeup requests */ ++ hcd->cant_recv_wakeups = 1; ++ + ret = usb_add_hcd(hcd, irq, irqflags); + if (ret) + goto err_unmap; +--- a/include/linux/usb/hcd.h ++++ b/include/linux/usb/hcd.h +@@ -146,6 +146,8 @@ struct usb_hcd { + unsigned amd_resume_bug:1; /* AMD remote wakeup quirk */ + unsigned can_do_streams:1; /* HC supports streams */ + unsigned tpl_support:1; /* OTG & EH TPL support */ ++ unsigned cant_recv_wakeups:1; ++ /* wakeup requests from downstream aren't received */ + + unsigned int irq; /* irq allocated */ + void __iomem *regs; /* device memory/io */ diff --git a/queue-3.19/usb-core-buffer-smallest-buffer-should-start-at-arch_dma_minalign.patch b/queue-3.19/usb-core-buffer-smallest-buffer-should-start-at-arch_dma_minalign.patch new file mode 100644 index 00000000000..b69b6eb9411 --- /dev/null +++ b/queue-3.19/usb-core-buffer-smallest-buffer-should-start-at-arch_dma_minalign.patch @@ -0,0 +1,99 @@ +From 5efd2ea8c9f4f12916ffc8ba636792ce052f6911 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Fri, 5 Dec 2014 15:13:54 +0100 +Subject: usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN + +From: Sebastian Andrzej Siewior + +commit 5efd2ea8c9f4f12916ffc8ba636792ce052f6911 upstream. + +the following error pops up during "testusb -a -t 10" +| musb-hdrc musb-hdrc.1.auto: dma_pool_free buffer-128, f134e000/be842000 (bad dma) +hcd_buffer_create() creates a few buffers, the smallest has 32 bytes of +size. ARCH_KMALLOC_MINALIGN is set to 64 bytes. This combo results in +hcd_buffer_alloc() returning memory which is 32 bytes aligned and it +might by identified by buffer_offset() as another buffer. This means the +buffer which is on a 32 byte boundary will not get freed, instead it +tries to free another buffer with the error message. + +This patch fixes the issue by creating the smallest DMA buffer with the +size of ARCH_KMALLOC_MINALIGN (or 32 in case ARCH_KMALLOC_MINALIGN is +smaller). This might be 32, 64 or even 128 bytes. The next three pools +will have the size 128, 512 and 2048. +In case the smallest pool is 128 bytes then we have only three pools +instead of four (and zero the first entry in the array). +The last pool size is always 2048 bytes which is the assumed PAGE_SIZE / +2 of 4096. I doubt it makes sense to continue using PAGE_SIZE / 2 where +we would end up with 8KiB buffer in case we have 16KiB pages. +Instead I think it makes sense to have a common size(s) and extend them +if there is need to. +There is a BUILD_BUG_ON() now in case someone has a minalign of more than +128 bytes. + +Signed-off-by: Sebastian Andrzej Siewior +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/buffer.c | 26 +++++++++++++++++--------- + drivers/usb/core/usb.c | 1 + + include/linux/usb/hcd.h | 1 + + 3 files changed, 19 insertions(+), 9 deletions(-) + +--- a/drivers/usb/core/buffer.c ++++ b/drivers/usb/core/buffer.c +@@ -22,17 +22,25 @@ + */ + + /* FIXME tune these based on pool statistics ... */ +-static const size_t pool_max[HCD_BUFFER_POOLS] = { +- /* platforms without dma-friendly caches might need to +- * prevent cacheline sharing... +- */ +- 32, +- 128, +- 512, +- PAGE_SIZE / 2 +- /* bigger --> allocate pages */ ++static size_t pool_max[HCD_BUFFER_POOLS] = { ++ 32, 128, 512, 2048, + }; + ++void __init usb_init_pool_max(void) ++{ ++ /* ++ * The pool_max values must never be smaller than ++ * ARCH_KMALLOC_MINALIGN. ++ */ ++ if (ARCH_KMALLOC_MINALIGN <= 32) ++ ; /* Original value is okay */ ++ else if (ARCH_KMALLOC_MINALIGN <= 64) ++ pool_max[0] = 64; ++ else if (ARCH_KMALLOC_MINALIGN <= 128) ++ pool_max[0] = 0; /* Don't use this pool */ ++ else ++ BUILD_BUG(); /* We don't allow this */ ++} + + /* SETUP primitives */ + +--- a/drivers/usb/core/usb.c ++++ b/drivers/usb/core/usb.c +@@ -1049,6 +1049,7 @@ static int __init usb_init(void) + pr_info("%s: USB support disabled\n", usbcore_name); + return 0; + } ++ usb_init_pool_max(); + + retval = usb_debugfs_init(); + if (retval) +--- a/include/linux/usb/hcd.h ++++ b/include/linux/usb/hcd.h +@@ -453,6 +453,7 @@ extern const struct dev_pm_ops usb_hcd_p + #endif /* CONFIG_PCI */ + + /* pci-ish (pdev null is ok) buffer alloc/mapping support */ ++void usb_init_pool_max(void); + int hcd_buffer_create(struct usb_hcd *hcd); + void hcd_buffer_destroy(struct usb_hcd *hcd); + diff --git a/queue-3.19/usb-cp210x-add-id-for-ruggedcom-usb-serial-console.patch b/queue-3.19/usb-cp210x-add-id-for-ruggedcom-usb-serial-console.patch new file mode 100644 index 00000000000..9ed89f0ace0 --- /dev/null +++ b/queue-3.19/usb-cp210x-add-id-for-ruggedcom-usb-serial-console.patch @@ -0,0 +1,30 @@ +From a6f0331236fa75afba14bbcf6668d42cebb55c43 Mon Sep 17 00:00:00 2001 +From: Lennart Sorensen +Date: Wed, 21 Jan 2015 15:24:27 -0500 +Subject: USB: cp210x: add ID for RUGGEDCOM USB Serial Console + +From: Lennart Sorensen + +commit a6f0331236fa75afba14bbcf6668d42cebb55c43 upstream. + +Added the USB serial console device ID for Siemens Ruggedcom devices +which have a USB port for their serial console. + +Signed-off-by: Len Sorensen +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/cp210x.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -56,6 +56,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x0846, 0x1100) }, /* NetGear Managed Switch M4100 series, M5300 series, M7100 series */ + { USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */ + { USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC Device */ ++ { USB_DEVICE(0x0908, 0x01FF) }, /* Siemens RUGGEDCOM USB Serial Console */ + { USB_DEVICE(0x0BED, 0x1100) }, /* MEI (TM) Cashflow-SC Bill/Voucher Acceptor */ + { USB_DEVICE(0x0BED, 0x1101) }, /* MEI series 2000 Combo Acceptor */ + { USB_DEVICE(0x0FCF, 0x1003) }, /* Dynastream ANT development board */ diff --git a/queue-3.19/usb-don-t-cancel-queued-resets-when-unbinding-drivers.patch b/queue-3.19/usb-don-t-cancel-queued-resets-when-unbinding-drivers.patch new file mode 100644 index 00000000000..f83c2419036 --- /dev/null +++ b/queue-3.19/usb-don-t-cancel-queued-resets-when-unbinding-drivers.patch @@ -0,0 +1,213 @@ +From 524134d422316a59d5464ccbc12036bbe90c5563 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Wed, 21 Jan 2015 14:02:43 -0500 +Subject: USB: don't cancel queued resets when unbinding drivers + +From: Alan Stern + +commit 524134d422316a59d5464ccbc12036bbe90c5563 upstream. + +The USB stack provides a mechanism for drivers to request an +asynchronous device reset (usb_queue_reset_device()). The mechanism +uses a work item (reset_ws) embedded in the usb_interface structure +used by the driver, and the reset is carried out by a work queue +routine. + +The asynchronous reset can race with driver unbinding. When this +happens, we try to cancel the queued reset before unbinding the +driver, on the theory that the driver won't care about any resets once +it is unbound. + +However, thanks to the fact that lockdep now tracks work queue +accesses, this can provoke a lockdep warning in situations where the +device reset causes another interface's driver to be unbound; see + + http://marc.info/?l=linux-usb&m=141893165203776&w=2 + +for an example. The reason is that the work routine for reset_ws in +one interface calls cancel_queued_work() for the reset_ws in another +interface. Lockdep thinks this might lead to a work routine trying to +cancel itself. The simplest solution is not to cancel queued resets +when unbinding drivers. + +This means we now need to acquire a reference to the usb_interface +when queuing a reset_ws work item and to drop the reference when the +work routine finishes. We also need to make sure that the +usb_interface structure doesn't outlive its parent usb_device; this +means acquiring and dropping a reference when the interface is created +and destroyed. + +In addition, cancelling a queued reset can fail (if the device is in +the middle of an earlier reset), and this can cause usb_reset_device() +to try to rebind an interface that has been deallocated (see +http://marc.info/?l=linux-usb&m=142175717016628&w=2 for details). +Acquiring the extra references prevents this failure. + +Signed-off-by: Alan Stern +Reported-by: Russell King - ARM Linux +Reported-by: Olivier Sobrie +Tested-by: Olivier Sobrie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/driver.c | 17 ----------------- + drivers/usb/core/hub.c | 25 +++++++++---------------- + drivers/usb/core/message.c | 23 +++-------------------- + include/linux/usb.h | 5 ----- + 4 files changed, 12 insertions(+), 58 deletions(-) + +--- a/drivers/usb/core/driver.c ++++ b/drivers/usb/core/driver.c +@@ -275,21 +275,6 @@ static int usb_unbind_device(struct devi + return 0; + } + +-/* +- * Cancel any pending scheduled resets +- * +- * [see usb_queue_reset_device()] +- * +- * Called after unconfiguring / when releasing interfaces. See +- * comments in __usb_queue_reset_device() regarding +- * udev->reset_running. +- */ +-static void usb_cancel_queued_reset(struct usb_interface *iface) +-{ +- if (iface->reset_running == 0) +- cancel_work_sync(&iface->reset_ws); +-} +- + /* called from driver core with dev locked */ + static int usb_probe_interface(struct device *dev) + { +@@ -380,7 +365,6 @@ static int usb_probe_interface(struct de + usb_set_intfdata(intf, NULL); + intf->needs_remote_wakeup = 0; + intf->condition = USB_INTERFACE_UNBOUND; +- usb_cancel_queued_reset(intf); + + /* If the LPM disable succeeded, balance the ref counts. */ + if (!lpm_disable_error) +@@ -425,7 +409,6 @@ static int usb_unbind_interface(struct d + usb_disable_interface(udev, intf, false); + + driver->disconnect(intf); +- usb_cancel_queued_reset(intf); + + /* Free streams */ + for (i = 0, j = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -5589,26 +5589,19 @@ EXPORT_SYMBOL_GPL(usb_reset_device); + * possible; depending on how the driver attached to each interface + * handles ->pre_reset(), the second reset might happen or not. + * +- * - If a driver is unbound and it had a pending reset, the reset will +- * be cancelled. ++ * - If the reset is delayed so long that the interface is unbound from ++ * its driver, the reset will be skipped. + * +- * - This function can be called during .probe() or .disconnect() +- * times. On return from .disconnect(), any pending resets will be +- * cancelled. +- * +- * There is no no need to lock/unlock the @reset_ws as schedule_work() +- * does its own. +- * +- * NOTE: We don't do any reference count tracking because it is not +- * needed. The lifecycle of the work_struct is tied to the +- * usb_interface. Before destroying the interface we cancel the +- * work_struct, so the fact that work_struct is queued and or +- * running means the interface (and thus, the device) exist and +- * are referenced. ++ * - This function can be called during .probe(). It can also be called ++ * during .disconnect(), but doing so is pointless because the reset ++ * will not occur. If you really want to reset the device during ++ * .disconnect(), call usb_reset_device() directly -- but watch out ++ * for nested unbinding issues! + */ + void usb_queue_reset_device(struct usb_interface *iface) + { +- schedule_work(&iface->reset_ws); ++ if (schedule_work(&iface->reset_ws)) ++ usb_get_intf(iface); + } + EXPORT_SYMBOL_GPL(usb_queue_reset_device); + +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -1551,6 +1551,7 @@ static void usb_release_interface(struct + altsetting_to_usb_interface_cache(intf->altsetting); + + kref_put(&intfc->ref, usb_release_interface_cache); ++ usb_put_dev(interface_to_usbdev(intf)); + kfree(intf); + } + +@@ -1626,24 +1627,6 @@ static struct usb_interface_assoc_descri + + /* + * Internal function to queue a device reset +- * +- * This is initialized into the workstruct in 'struct +- * usb_device->reset_ws' that is launched by +- * message.c:usb_set_configuration() when initializing each 'struct +- * usb_interface'. +- * +- * It is safe to get the USB device without reference counts because +- * the life cycle of @iface is bound to the life cycle of @udev. Then, +- * this function will be ran only if @iface is alive (and before +- * freeing it any scheduled instances of it will have been cancelled). +- * +- * We need to set a flag (usb_dev->reset_running) because when we call +- * the reset, the interfaces might be unbound. The current interface +- * cannot try to remove the queued work as it would cause a deadlock +- * (you cannot remove your work from within your executing +- * workqueue). This flag lets it know, so that +- * usb_cancel_queued_reset() doesn't try to do it. +- * + * See usb_queue_reset_device() for more details + */ + static void __usb_queue_reset_device(struct work_struct *ws) +@@ -1655,11 +1638,10 @@ static void __usb_queue_reset_device(str + + rc = usb_lock_device_for_reset(udev, iface); + if (rc >= 0) { +- iface->reset_running = 1; + usb_reset_device(udev); +- iface->reset_running = 0; + usb_unlock_device(udev); + } ++ usb_put_intf(iface); /* Undo _get_ in usb_queue_reset_device() */ + } + + +@@ -1854,6 +1836,7 @@ free_interfaces: + dev_set_name(&intf->dev, "%d-%s:%d.%d", + dev->bus->busnum, dev->devpath, + configuration, alt->desc.bInterfaceNumber); ++ usb_get_dev(dev); + } + kfree(new_interfaces); + +--- a/include/linux/usb.h ++++ b/include/linux/usb.h +@@ -127,10 +127,6 @@ enum usb_interface_condition { + * to the sysfs representation for that device. + * @pm_usage_cnt: PM usage counter for this interface + * @reset_ws: Used for scheduling resets from atomic context. +- * @reset_running: set to 1 if the interface is currently running a +- * queued reset so that usb_cancel_queued_reset() doesn't try to +- * remove from the workqueue when running inside the worker +- * thread. See __usb_queue_reset_device(). + * @resetting_device: USB core reset the device, so use alt setting 0 as + * current; needs bandwidth alloc after reset. + * +@@ -181,7 +177,6 @@ struct usb_interface { + unsigned needs_remote_wakeup:1; /* driver requires remote wakeup */ + unsigned needs_altsetting0:1; /* switch to altsetting 0 is pending */ + unsigned needs_binding:1; /* needs delayed unbind/rebind */ +- unsigned reset_running:1; + unsigned resetting_device:1; /* true: bandwidth alloc after reset */ + + struct device dev; /* interface specific device info */ diff --git a/queue-3.19/usb-dwc3-gadget-add-missing-spin_lock.patch b/queue-3.19/usb-dwc3-gadget-add-missing-spin_lock.patch new file mode 100644 index 00000000000..782d9bca43b --- /dev/null +++ b/queue-3.19/usb-dwc3-gadget-add-missing-spin_lock.patch @@ -0,0 +1,33 @@ +From 5c7b3b02de766a8634708953e805399e3544a290 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi +Date: Thu, 29 Jan 2015 10:29:18 -0600 +Subject: usb: dwc3: gadget: add missing spin_lock() + +From: Felipe Balbi + +commit 5c7b3b02de766a8634708953e805399e3544a290 upstream. + +commit 8e74475b0e0a (usb: dwc3: gadget: use udc-core's +reset notifier) added support for the new UDC core's +reset notifier to dwc3 but while at it, it removed +a spin_lock() from dwc3_reset_gadget() which might +cause an unbalanced spin_unlock() further down the line + +Fixes: 8e74475b0e0a (usb: dwc3: gadget: use udc-core's reset notifier) +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2043,6 +2043,7 @@ static void dwc3_resume_gadget(struct dw + if (dwc->gadget_driver && dwc->gadget_driver->resume) { + spin_unlock(&dwc->lock); + dwc->gadget_driver->resume(&dwc->gadget); ++ spin_lock(&dwc->lock); + } + } + diff --git a/queue-3.19/usb-fix-use-after-free-bug-in-usb_hcd_unlink_urb.patch b/queue-3.19/usb-fix-use-after-free-bug-in-usb_hcd_unlink_urb.patch new file mode 100644 index 00000000000..c0877935bd7 --- /dev/null +++ b/queue-3.19/usb-fix-use-after-free-bug-in-usb_hcd_unlink_urb.patch @@ -0,0 +1,66 @@ +From c99197902da284b4b723451c1471c45b18537cde Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 30 Jan 2015 12:58:26 -0500 +Subject: USB: fix use-after-free bug in usb_hcd_unlink_urb() + +From: Alan Stern + +commit c99197902da284b4b723451c1471c45b18537cde upstream. + +The usb_hcd_unlink_urb() routine in hcd.c contains two possible +use-after-free errors. The dev_dbg() statement at the end of the +routine dereferences urb and urb->dev even though both structures may +have been deallocated. + +This patch fixes the problem by storing urb->dev in a local variable +(avoiding the dereference of urb) and moving the dev_dbg() up before +the usb_put_dev() call. + +Signed-off-by: Alan Stern +Reported-by: Joe Lawrence +Tested-by: Joe Lawrence +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hcd.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -1618,6 +1618,7 @@ static int unlink1(struct usb_hcd *hcd, + int usb_hcd_unlink_urb (struct urb *urb, int status) + { + struct usb_hcd *hcd; ++ struct usb_device *udev = urb->dev; + int retval = -EIDRM; + unsigned long flags; + +@@ -1629,20 +1630,19 @@ int usb_hcd_unlink_urb (struct urb *urb, + spin_lock_irqsave(&hcd_urb_unlink_lock, flags); + if (atomic_read(&urb->use_count) > 0) { + retval = 0; +- usb_get_dev(urb->dev); ++ usb_get_dev(udev); + } + spin_unlock_irqrestore(&hcd_urb_unlink_lock, flags); + if (retval == 0) { + hcd = bus_to_hcd(urb->dev->bus); + retval = unlink1(hcd, urb, status); +- usb_put_dev(urb->dev); ++ if (retval == 0) ++ retval = -EINPROGRESS; ++ else if (retval != -EIDRM && retval != -EBUSY) ++ dev_dbg(&udev->dev, "hcd_unlink_urb %p fail %d\n", ++ urb, retval); ++ usb_put_dev(udev); + } +- +- if (retval == 0) +- retval = -EINPROGRESS; +- else if (retval != -EIDRM && retval != -EBUSY) +- dev_dbg(&urb->dev->dev, "hcd_unlink_urb %p fail %d\n", +- urb, retval); + return retval; + } + diff --git a/queue-3.19/usb-musb-add-omap-control-dependency.patch b/queue-3.19/usb-musb-add-omap-control-dependency.patch new file mode 100644 index 00000000000..b60295b92ba --- /dev/null +++ b/queue-3.19/usb-musb-add-omap-control-dependency.patch @@ -0,0 +1,45 @@ +From fbba7db3990cb707ff91cd6507d53a0a730afe97 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 28 Jan 2015 22:51:04 +0100 +Subject: usb: musb: add omap-control dependency + +From: Arnd Bergmann + +commit fbba7db3990cb707ff91cd6507d53a0a730afe97 upstream. + +The omap musb front-end calls into the phy driver directly +instead of using a generic phy interface, which causes a link +error when the specific driver is not built-in: + +drivers/built-in.o: In function `omap2430_musb_disable': +usb/musb/omap2430.c:480: undefined reference to `omap_control_usb_set_mode' +drivers/built-in.o: In function `omap2430_musb_enable': +usb/musb/omap2430.c:466: undefined reference to `omap_control_usb_set_mode' +usb/musb/omap2430.c:447: undefined reference to `omap_control_usb_set_mode' +drivers/built-in.o: In function `omap_musb_set_mailbox': +usb/musb/omap2430.c:273: undefined reference to `omap_control_usb_set_mode' +usb/musb/omap2430.c:304: undefined reference to `omap_control_usb_set_mode' +drivers/built-in.o:(.debug_addr+0xbd9e0): more undefined references to `omap_control_usb_set_mode' follow + +This adds an explicit dependency. + +Signed-off-by: Arnd Bergmann +Fixes: ca784be36cc725 ("usb: start using the control module driver") +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/musb/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/musb/Kconfig ++++ b/drivers/usb/musb/Kconfig +@@ -77,7 +77,7 @@ config USB_MUSB_TUSB6010 + + config USB_MUSB_OMAP2PLUS + tristate "OMAP2430 and onwards" +- depends on ARCH_OMAP2PLUS && USB ++ depends on ARCH_OMAP2PLUS && USB && OMAP_CONTROL_PHY + select GENERIC_PHY + + config USB_MUSB_AM35X diff --git a/queue-3.19/vt-provide-notifications-on-selection-changes.patch b/queue-3.19/vt-provide-notifications-on-selection-changes.patch new file mode 100644 index 00000000000..285d25c8354 --- /dev/null +++ b/queue-3.19/vt-provide-notifications-on-selection-changes.patch @@ -0,0 +1,51 @@ +From 19e3ae6b4f07a87822c1c9e7ed99d31860e701af Mon Sep 17 00:00:00 2001 +From: Nicolas Pitre +Date: Fri, 23 Jan 2015 17:07:21 -0500 +Subject: vt: provide notifications on selection changes + +From: Nicolas Pitre + +commit 19e3ae6b4f07a87822c1c9e7ed99d31860e701af upstream. + +The vcs device's poll/fasync support relies on the vt notifier to signal +changes to the screen content. Notifier invocations were missing for +changes that comes through the selection interface though. Fix that. + +Tested with BRLTTY 5.2. + +Signed-off-by: Nicolas Pitre +Cc: Dave Mielke +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -500,6 +500,7 @@ void invert_screen(struct vc_data *vc, i + #endif + if (DO_UPDATE(vc)) + do_update_region(vc, (unsigned long) p, count); ++ notify_update(vc); + } + + /* used by selection: complement pointer position */ +@@ -516,6 +517,7 @@ void complement_pos(struct vc_data *vc, + scr_writew(old, screenpos(vc, old_offset, 1)); + if (DO_UPDATE(vc)) + vc->vc_sw->con_putc(vc, old, oldy, oldx); ++ notify_update(vc); + } + + old_offset = offset; +@@ -533,8 +535,8 @@ void complement_pos(struct vc_data *vc, + oldy = (offset >> 1) / vc->vc_cols; + vc->vc_sw->con_putc(vc, new, oldy, oldx); + } ++ notify_update(vc); + } +- + } + + static void insert_char(struct vc_data *vc, unsigned int nr)