From: Greg Kroah-Hartman Date: Fri, 17 Apr 2015 12:39:39 +0000 (+0200) Subject: 3.19-stable patches X-Git-Tag: v3.10.75~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=739c541cd1f8eca60e2e6d95d5e1d6fd9b1e8abf;p=thirdparty%2Fkernel%2Fstable-queue.git 3.19-stable patches added patches: brcmfmac-disable-mbss-feature-for-bcm43362.patch cifs-fix-use-after-free-bug-in-find_writable_file.patch cifs-smb2_clone_range-exit-on-unhandled-error.patch drivers-of-add-empty-ranges-quirk-for-pa-semi.patch iommu-vt-d-detach-domain-only-from-attached-iommus.patch n_tty-fix-read-buffer-overwrite-when-no-newline.patch rtlwifi-fix-iommu-mapping-leak-in-ap-mode.patch tty-serial-fsl_lpuart-clear-receive-flag-on-fifo-flush.patch tty-serial-fsl_lpuart-specify-transmit-fifo-size.patch --- diff --git a/queue-3.19/brcmfmac-disable-mbss-feature-for-bcm43362.patch b/queue-3.19/brcmfmac-disable-mbss-feature-for-bcm43362.patch new file mode 100644 index 00000000000..d8e039f5131 --- /dev/null +++ b/queue-3.19/brcmfmac-disable-mbss-feature-for-bcm43362.patch @@ -0,0 +1,36 @@ +From f93a25b38cbd840f26c9fd2dd8a6611a57b259b7 Mon Sep 17 00:00:00 2001 +From: Arend van Spriel +Date: Fri, 20 Mar 2015 22:18:17 +0100 +Subject: brcmfmac: disable MBSS feature for BCM43362 + +From: Arend van Spriel + +commit f93a25b38cbd840f26c9fd2dd8a6611a57b259b7 upstream. + +The BCM43362 firmware falsely reports it is capable of providing +MBSS. As a result AP mode no longer works for this device. Therefor +disable MBSS in the driver for this chipset. + +Reported-by: Jorg Krause +Reviewed-by: Hante Meuleman +Reviewed-by: Pieter-Paul Giesberts +Signed-off-by: Arend van Spriel +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/brcm80211/brcmfmac/feature.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/brcm80211/brcmfmac/feature.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/feature.c +@@ -126,7 +126,8 @@ void brcmf_feat_attach(struct brcmf_pub + brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_MCHAN, "mchan"); + if (drvr->bus_if->wowl_supported) + brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_WOWL, "wowl"); +- brcmf_feat_iovar_int_set(ifp, BRCMF_FEAT_MBSS, "mbss", 0); ++ if (drvr->bus_if->chip != BRCM_CC_43362_CHIP_ID) ++ brcmf_feat_iovar_int_set(ifp, BRCMF_FEAT_MBSS, "mbss", 0); + + /* set chip related quirks */ + switch (drvr->bus_if->chip) { diff --git a/queue-3.19/cifs-fix-use-after-free-bug-in-find_writable_file.patch b/queue-3.19/cifs-fix-use-after-free-bug-in-find_writable_file.patch new file mode 100644 index 00000000000..416f2762fc2 --- /dev/null +++ b/queue-3.19/cifs-fix-use-after-free-bug-in-find_writable_file.patch @@ -0,0 +1,79 @@ +From e1e9bda22d7ddf88515e8fe401887e313922823e Mon Sep 17 00:00:00 2001 +From: David Disseldorp +Date: Fri, 13 Mar 2015 14:20:29 +0100 +Subject: cifs: fix use-after-free bug in find_writable_file + +From: David Disseldorp + +commit e1e9bda22d7ddf88515e8fe401887e313922823e upstream. + +Under intermittent network outages, find_writable_file() is susceptible +to the following race condition, which results in a user-after-free in +the cifs_writepages code-path: + +Thread 1 Thread 2 +======== ======== + +inv_file = NULL +refind = 0 +spin_lock(&cifs_file_list_lock) + +// invalidHandle found on openFileList + +inv_file = open_file +// inv_file->count currently 1 + +cifsFileInfo_get(inv_file) +// inv_file->count = 2 + +spin_unlock(&cifs_file_list_lock); + +cifs_reopen_file() cifs_close() +// fails (rc != 0) ->cifsFileInfo_put() + spin_lock(&cifs_file_list_lock) + // inv_file->count = 1 + spin_unlock(&cifs_file_list_lock) + +spin_lock(&cifs_file_list_lock); +list_move_tail(&inv_file->flist, + &cifs_inode->openFileList); +spin_unlock(&cifs_file_list_lock); + +cifsFileInfo_put(inv_file); +->spin_lock(&cifs_file_list_lock) + + // inv_file->count = 0 + list_del(&cifs_file->flist); + // cleanup!! + kfree(cifs_file); + + spin_unlock(&cifs_file_list_lock); + +spin_lock(&cifs_file_list_lock); +++refind; +// refind = 1 +goto refind_writable; + +At this point we loop back through with an invalid inv_file pointer +and a refind value of 1. On second pass, inv_file is not overwritten on +openFileList traversal, and is subsequently dereferenced. + +Signed-off-by: David Disseldorp +Reviewed-by: Jeff Layton +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/file.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -1829,6 +1829,7 @@ refind_writable: + cifsFileInfo_put(inv_file); + spin_lock(&cifs_file_list_lock); + ++refind; ++ inv_file = NULL; + goto refind_writable; + } + } diff --git a/queue-3.19/cifs-smb2_clone_range-exit-on-unhandled-error.patch b/queue-3.19/cifs-smb2_clone_range-exit-on-unhandled-error.patch new file mode 100644 index 00000000000..a0f73c8bfbb --- /dev/null +++ b/queue-3.19/cifs-smb2_clone_range-exit-on-unhandled-error.patch @@ -0,0 +1,38 @@ +From 2477bc58d49edb1c0baf59df7dc093dce682af2b Mon Sep 17 00:00:00 2001 +From: Sachin Prabhu +Date: Wed, 4 Feb 2015 13:10:26 +0000 +Subject: cifs: smb2_clone_range() - exit on unhandled error + +From: Sachin Prabhu + +commit 2477bc58d49edb1c0baf59df7dc093dce682af2b upstream. + +While attempting to clone a file on a samba server, we receive a +STATUS_INVALID_DEVICE_REQUEST. This is mapped to -EOPNOTSUPP which +isn't handled in smb2_clone_range(). We end up looping in the while loop +making same call to the samba server over and over again. + +The proposed fix is to exit and return the error value when encountered +with an unhandled error. + +Signed-off-by: Sachin Prabhu +Signed-off-by: Steve French +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2ops.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -684,7 +684,8 @@ smb2_clone_range(const unsigned int xid, + + /* No need to change MaxChunks since already set to 1 */ + chunk_sizes_updated = true; +- } ++ } else ++ goto cchunk_out; + } + + cchunk_out: diff --git a/queue-3.19/drivers-of-add-empty-ranges-quirk-for-pa-semi.patch b/queue-3.19/drivers-of-add-empty-ranges-quirk-for-pa-semi.patch new file mode 100644 index 00000000000..f07519ac1d5 --- /dev/null +++ b/queue-3.19/drivers-of-add-empty-ranges-quirk-for-pa-semi.patch @@ -0,0 +1,54 @@ +From 41d9489319f28f06cf51731131bc353d5a6bce59 Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Mon, 23 Mar 2015 14:16:38 +1100 +Subject: drivers/of: Add empty ranges quirk for PA-Semi + +From: Benjamin Herrenschmidt + +commit 41d9489319f28f06cf51731131bc353d5a6bce59 upstream. + +The "sdc" node is missing the ranges property, it needs to be treated +as having an empty one otherwise translation fails for its children. + +Fixes 746c9e9f92dd, "of/base: Fix PowerPC address parsing hack" + +Tested-by: Steven Rostedt +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Grant Likely +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/address.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/of/address.c ++++ b/drivers/of/address.c +@@ -450,12 +450,17 @@ static struct of_bus *of_match_bus(struc + return NULL; + } + +-static int of_empty_ranges_quirk(void) ++static int of_empty_ranges_quirk(struct device_node *np) + { + if (IS_ENABLED(CONFIG_PPC)) { +- /* To save cycles, we cache the result */ ++ /* To save cycles, we cache the result for global "Mac" setting */ + static int quirk_state = -1; + ++ /* PA-SEMI sdc DT bug */ ++ if (of_device_is_compatible(np, "1682m-sdc")) ++ return true; ++ ++ /* Make quirk cached */ + if (quirk_state < 0) + quirk_state = + of_machine_is_compatible("Power Macintosh") || +@@ -490,7 +495,7 @@ static int of_translate_one(struct devic + * This code is only enabled on powerpc. --gcl + */ + ranges = of_get_property(parent, rprop, &rlen); +- if (ranges == NULL && !of_empty_ranges_quirk()) { ++ if (ranges == NULL && !of_empty_ranges_quirk(parent)) { + pr_debug("OF: no ranges; cannot translate\n"); + return 1; + } diff --git a/queue-3.19/iommu-vt-d-detach-domain-only-from-attached-iommus.patch b/queue-3.19/iommu-vt-d-detach-domain-only-from-attached-iommus.patch new file mode 100644 index 00000000000..7171f526d00 --- /dev/null +++ b/queue-3.19/iommu-vt-d-detach-domain-only-from-attached-iommus.patch @@ -0,0 +1,62 @@ +From 71684406905f98f86a85e008b51f5c4c5d83af5a Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Wed, 4 Mar 2015 11:30:10 -0700 +Subject: iommu/vt-d: Detach domain *only* from attached iommus + +From: Alex Williamson + +commit 71684406905f98f86a85e008b51f5c4c5d83af5a upstream. + +Device domains never span IOMMU hardware units, which allows the +domain ID space for each IOMMU to be an independent address space. +Therefore we can have multiple, independent domains, each with the +same domain->id, but attached to different hardware units. This is +also why we need to do a heavy-weight search for VM domains since +they can span multiple IOMMUs hardware units and we don't require a +single global ID to use for all hardware units. + +Therefore, if we call iommu_detach_domain() across all active IOMMU +hardware units for a non-VM domain, the result is that we clear domain +IDs that are not associated with our domain, allowing them to be +re-allocated and causing apparent coherency issues when the device +cannot access IOVAs for the intended domain. + +This bug was introduced in commit fb170fb4c548 ("iommu/vt-d: Introduce +helper functions to make code symmetric for readability"), but is +significantly exacerbated by the more recent commit 62c22167dd70 +("iommu/vt-d: Fix dmar_domain leak in iommu_attach_device") which calls +domain_exit() more frequently to resolve a domain leak. + +Fixes: fb170fb4c548 ("iommu/vt-d: Introduce helper functions to make code symmetric for readability") +Signed-off-by: Alex Williamson +Cc: Jiang Liu +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/intel-iommu.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -1749,8 +1749,8 @@ static int domain_init(struct dmar_domai + static void domain_exit(struct dmar_domain *domain) + { + struct dmar_drhd_unit *drhd; +- struct intel_iommu *iommu; + struct page *freelist = NULL; ++ int i; + + /* Domain 0 is reserved, so dont process it */ + if (!domain) +@@ -1770,8 +1770,8 @@ static void domain_exit(struct dmar_doma + + /* clear attached or cached domains */ + rcu_read_lock(); +- for_each_active_iommu(iommu, drhd) +- iommu_detach_domain(domain, iommu); ++ for_each_set_bit(i, domain->iommu_bmp, g_num_of_iommus) ++ iommu_detach_domain(domain, g_iommus[i]); + rcu_read_unlock(); + + dma_free_pagelist(freelist); diff --git a/queue-3.19/n_tty-fix-read-buffer-overwrite-when-no-newline.patch b/queue-3.19/n_tty-fix-read-buffer-overwrite-when-no-newline.patch new file mode 100644 index 00000000000..4f68c846d24 --- /dev/null +++ b/queue-3.19/n_tty-fix-read-buffer-overwrite-when-no-newline.patch @@ -0,0 +1,221 @@ +From fb5ef9e7da39968fec6d6f37f20a23d23740c75e Mon Sep 17 00:00:00 2001 +From: Peter Hurley +Date: Fri, 16 Jan 2015 15:05:39 -0500 +Subject: n_tty: Fix read buffer overwrite when no newline + +From: Peter Hurley + +commit fb5ef9e7da39968fec6d6f37f20a23d23740c75e upstream. + +In canon mode, the read buffer head will advance over the buffer tail +if the input > 4095 bytes without receiving a line termination char. + +Discard additional input until a line termination is received. +Before evaluating for overflow, the 'room' value is normalized for +I_PARMRK and 1 byte is reserved for line termination (even in !icanon +mode, in case the mode is switched). The following table shows the +transform: + + actual buffer | 'room' value before overflow calc + space avail | !I_PARMRK | I_PARMRK + -------------------------------------------------- + 0 | -1 | -1 + 1 | 0 | 0 + 2 | 1 | 0 + 3 | 2 | 0 + 4+ | 3 | 1 + +When !icanon or when icanon and the read buffer contains newlines, +normalized 'room' values of -1 and 0 are clamped to 0, and +'overflow' is 0, so read_head is not adjusted and the input i/o loop +exits (setting no_room if called from flush_to_ldisc()). No input +is discarded since the reader does have input available to read +which ensures forward progress. + +When icanon and the read buffer does not contain newlines and the +normalized 'room' value is 0, then overflow and room are reset to 1, +so that the i/o loop will process the next input char normally +(except for parity errors which are ignored). Thus, erasures, signalling +chars, 7-bit mode, etc. will continue to be handled properly. + +If the input char processed was not a line termination char, then +the canon_head index will not have advanced, so the normalized 'room' +value will now be -1 and 'overflow' will be set, which indicates the +read_head can safely be reset, effectively erasing the last char +processed. + +If the input char processed was a line termination, then the +canon_head index will have advanced, so 'overflow' is cleared to 0, +the read_head is not reset, and 'room' is cleared to 0, which exits +the i/o loop (because the reader now have input available to read +which ensures forward progress). + +Note that it is possible for a line termination to be received, and +for the reader to copy the line to the user buffer before the +input i/o loop is ready to process the next input char. This is +why the i/o loop recomputes the room/overflow state with every +input char while handling overflow. + +Finally, if the input data was processed without receiving +a line termination (so that overflow is still set), the pty +driver must receive a write wakeup. A pty writer may be waiting +to write more data in n_tty_write() but without unthrottling +here that wakeup will not arrive, and forward progress will halt. +(Normally, the pty writer is woken when the reader reads data out +of the buffer and more space become available). + +Signed-off-by: Peter Hurley +Signed-off-by: Greg Kroah-Hartman +(backported from commit fb5ef9e7da39968fec6d6f37f20a23d23740c75e) +Signed-off-by: Joseph Salisbury +--- + drivers/tty/n_tty.c | 106 ++++++++++++++++++++++++++++++++++++++-------------- + 1 file changed, 79 insertions(+), 27 deletions(-) + +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -247,8 +247,6 @@ static void n_tty_write_wakeup(struct tt + + static void n_tty_check_throttle(struct tty_struct *tty) + { +- if (tty->driver->type == TTY_DRIVER_TYPE_PTY) +- return; + /* + * Check the remaining room for the input canonicalization + * mode. We don't want to throttle the driver if we're in +@@ -1512,23 +1510,6 @@ n_tty_receive_char_lnext(struct tty_stru + n_tty_receive_char_flagged(tty, c, flag); + } + +-/** +- * n_tty_receive_buf - data receive +- * @tty: terminal device +- * @cp: buffer +- * @fp: flag buffer +- * @count: characters +- * +- * Called by the terminal driver when a block of characters has +- * been received. This function must be called from soft contexts +- * not from interrupt context. The driver is responsible for making +- * calls one at a time and in order (or using flush_to_ldisc) +- * +- * n_tty_receive_buf()/producer path: +- * claims non-exclusive termios_rwsem +- * publishes read_head and canon_head +- */ +- + static void + n_tty_receive_buf_real_raw(struct tty_struct *tty, const unsigned char *cp, + char *fp, int count) +@@ -1684,24 +1665,85 @@ static void __receive_buf(struct tty_str + } + } + ++/** ++ * n_tty_receive_buf_common - process input ++ * @tty: device to receive input ++ * @cp: input chars ++ * @fp: flags for each char (if NULL, all chars are TTY_NORMAL) ++ * @count: number of input chars in @cp ++ * ++ * Called by the terminal driver when a block of characters has ++ * been received. This function must be called from soft contexts ++ * not from interrupt context. The driver is responsible for making ++ * calls one at a time and in order (or using flush_to_ldisc) ++ * ++ * Returns the # of input chars from @cp which were processed. ++ * ++ * In canonical mode, the maximum line length is 4096 chars (including ++ * the line termination char); lines longer than 4096 chars are ++ * truncated. After 4095 chars, input data is still processed but ++ * not stored. Overflow processing ensures the tty can always ++ * receive more input until at least one line can be read. ++ * ++ * In non-canonical mode, the read buffer will only accept 4095 chars; ++ * this provides the necessary space for a newline char if the input ++ * mode is switched to canonical. ++ * ++ * Note it is possible for the read buffer to _contain_ 4096 chars ++ * in non-canonical mode: the read buffer could already contain the ++ * maximum canon line of 4096 chars when the mode is switched to ++ * non-canonical. ++ * ++ * n_tty_receive_buf()/producer path: ++ * claims non-exclusive termios_rwsem ++ * publishes commit_head or canon_head ++ */ + static int + n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp, + char *fp, int count, int flow) + { + struct n_tty_data *ldata = tty->disc_data; +- int room, n, rcvd = 0; ++ int room, n, rcvd = 0, overflow; + + down_read(&tty->termios_rwsem); + + while (1) { +- room = receive_room(tty); ++ /* ++ * When PARMRK is set, each input char may take up to 3 chars ++ * in the read buf; reduce the buffer space avail by 3x ++ * ++ * If we are doing input canonicalization, and there are no ++ * pending newlines, let characters through without limit, so ++ * that erase characters will be handled. Other excess ++ * characters will be beeped. ++ * ++ * paired with store in *_copy_from_read_buf() -- guarantees ++ * the consumer has loaded the data in read_buf up to the new ++ * read_tail (so this producer will not overwrite unread data) ++ */ ++ size_t tail = ldata->read_tail; ++ ++ room = N_TTY_BUF_SIZE - (ldata->read_head - tail); ++ if (I_PARMRK(tty)) ++ room = (room + 2) / 3; ++ room--; ++ if (room <= 0) { ++ overflow = ldata->icanon && ldata->canon_head == tail; ++ if (overflow && room < 0) ++ ldata->read_head--; ++ room = overflow; ++ ldata->no_room = flow && !room; ++ } else ++ overflow = 0; ++ + n = min(count, room); +- if (!n) { +- if (flow && !room) +- ldata->no_room = 1; ++ if (!n) + break; +- } +- __receive_buf(tty, cp, fp, n); ++ ++ /* ignore parity errors if handling overflow */ ++ if (!overflow || !fp || *fp != TTY_PARITY) ++ __receive_buf(tty, cp, fp, n); ++ + cp += n; + if (fp) + fp += n; +@@ -1710,7 +1752,17 @@ n_tty_receive_buf_common(struct tty_stru + } + + tty->receive_room = room; +- n_tty_check_throttle(tty); ++ ++ /* Unthrottle if handling overflow on pty */ ++ if (tty->driver->type == TTY_DRIVER_TYPE_PTY) { ++ if (overflow) { ++ tty_set_flow_change(tty, TTY_UNTHROTTLE_SAFE); ++ tty_unthrottle_safe(tty); ++ __tty_set_flow_change(tty, 0); ++ } ++ } else ++ n_tty_check_throttle(tty); ++ + up_read(&tty->termios_rwsem); + + return rcvd; diff --git a/queue-3.19/rtlwifi-fix-iommu-mapping-leak-in-ap-mode.patch b/queue-3.19/rtlwifi-fix-iommu-mapping-leak-in-ap-mode.patch new file mode 100644 index 00000000000..533519b3a07 --- /dev/null +++ b/queue-3.19/rtlwifi-fix-iommu-mapping-leak-in-ap-mode.patch @@ -0,0 +1,55 @@ +From be0b5e635883678bfbc695889772fed545f3427d Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Sat, 21 Mar 2015 15:16:05 -0500 +Subject: rtlwifi: Fix IOMMU mapping leak in AP mode + +From: Larry Finger + +commit be0b5e635883678bfbc695889772fed545f3427d upstream. + +Transmission of an AP beacon does not call the TX interrupt service routine, +which usually does the cleanup. Instead, cleanup is handled in a tasklet +completion routine. Unfortunately, this routine has a serious bug in that it does +not release the DMA mapping before it frees the skb, thus one IOMMU mapping is +leaked for each beacon. The test system failed with no free IOMMU mapping slots +approximately one hour after hostapd was used to start an AP. + +This issue was reported and tested at https://github.com/lwfinger/rtlwifi_new/issues/30. + +Reported-and-tested-by: Kevin Mullican +Cc: Kevin Mullican +Signed-off-by: Shao Fu +Signed-off-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/pci.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/rtlwifi/pci.c ++++ b/drivers/net/wireless/rtlwifi/pci.c +@@ -1118,12 +1118,22 @@ static void _rtl_pci_prepare_bcn_tasklet + /*This is for new trx flow*/ + struct rtl_tx_buffer_desc *pbuffer_desc = NULL; + u8 temp_one = 1; ++ u8 *entry; + + memset(&tcb_desc, 0, sizeof(struct rtl_tcb_desc)); + ring = &rtlpci->tx_ring[BEACON_QUEUE]; + pskb = __skb_dequeue(&ring->queue); +- if (pskb) ++ if (rtlpriv->use_new_trx_flow) ++ entry = (u8 *)(&ring->buffer_desc[ring->idx]); ++ else ++ entry = (u8 *)(&ring->desc[ring->idx]); ++ if (pskb) { ++ pci_unmap_single(rtlpci->pdev, ++ rtlpriv->cfg->ops->get_desc( ++ (u8 *)entry, true, HW_DESC_TXBUFF_ADDR), ++ pskb->len, PCI_DMA_TODEVICE); + kfree_skb(pskb); ++ } + + /*NB: the beacon data buffer must be 32-bit aligned. */ + pskb = ieee80211_beacon_get(hw, mac->vif); diff --git a/queue-3.19/series b/queue-3.19/series index f5be8bb8161..0ad0e6cf01a 100644 --- a/queue-3.19/series +++ b/queue-3.19/series @@ -70,3 +70,12 @@ cpuidle-remove-state_count-field-from-struct-cpuidle_device.patch cpuidle-acpi-do-not-overwrite-name-and-description-of-c0.patch usb-xhci-handle-config-error-change-cec-in-xhci-driver.patch usb-xhci-apply-xhci_avoid_bei-quirk-to-all-intel-xhci-controllers.patch +tty-serial-fsl_lpuart-specify-transmit-fifo-size.patch +tty-serial-fsl_lpuart-clear-receive-flag-on-fifo-flush.patch +n_tty-fix-read-buffer-overwrite-when-no-newline.patch +cifs-smb2_clone_range-exit-on-unhandled-error.patch +cifs-fix-use-after-free-bug-in-find_writable_file.patch +brcmfmac-disable-mbss-feature-for-bcm43362.patch +iommu-vt-d-detach-domain-only-from-attached-iommus.patch +rtlwifi-fix-iommu-mapping-leak-in-ap-mode.patch +drivers-of-add-empty-ranges-quirk-for-pa-semi.patch diff --git a/queue-3.19/tty-serial-fsl_lpuart-clear-receive-flag-on-fifo-flush.patch b/queue-3.19/tty-serial-fsl_lpuart-clear-receive-flag-on-fifo-flush.patch new file mode 100644 index 00000000000..35390a1c2f1 --- /dev/null +++ b/queue-3.19/tty-serial-fsl_lpuart-clear-receive-flag-on-fifo-flush.patch @@ -0,0 +1,43 @@ +From 8e4934c6d6c659e22b1b746af4196683e77ce6ca Mon Sep 17 00:00:00 2001 +From: Stefan Agner +Date: Fri, 13 Mar 2015 14:51:51 +0100 +Subject: tty: serial: fsl_lpuart: clear receive flag on FIFO flush + +From: Stefan Agner + +commit 8e4934c6d6c659e22b1b746af4196683e77ce6ca upstream. + +When the receiver was enabled during startup, a character could +have been in the FIFO when the UART get initially used. The +driver configures the (receive) watermark level, and flushes the +FIFO. However, the receive flag (RDRF) could still be set at that +stage (as mentioned in the register description of UARTx_RWFIFO). +This leads to an interrupt which won't be handled properly in +interrupt mode: The receive interrupt function lpuart_rxint checks +the FIFO count, which is 0 at that point (due to the flush +during initialization). The problem does not manifest when using +DMA to receive characters. + +Fix this situation by explicitly read the status register, which +leads to clearing of the RDRF flag. Due to the flush just after +the status flag read, a explicit data read is not to required. + +Signed-off-by: Stefan Agner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/fsl_lpuart.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -910,6 +910,9 @@ static void lpuart_setup_watermark(struc + writeb(val | UARTPFIFO_TXFE | UARTPFIFO_RXFE, + sport->port.membase + UARTPFIFO); + ++ /* explicitly clear RDRF */ ++ readb(sport->port.membase + UARTSR1); ++ + /* flush Tx and Rx FIFO */ + writeb(UARTCFIFO_TXFLUSH | UARTCFIFO_RXFLUSH, + sport->port.membase + UARTCFIFO); diff --git a/queue-3.19/tty-serial-fsl_lpuart-specify-transmit-fifo-size.patch b/queue-3.19/tty-serial-fsl_lpuart-specify-transmit-fifo-size.patch new file mode 100644 index 00000000000..6ca6e38066f --- /dev/null +++ b/queue-3.19/tty-serial-fsl_lpuart-specify-transmit-fifo-size.patch @@ -0,0 +1,36 @@ +From 4e8f245937091b2c9eebf3d4909c9ceda4f0a78e Mon Sep 17 00:00:00 2001 +From: Stefan Agner +Date: Fri, 13 Mar 2015 14:51:50 +0100 +Subject: tty: serial: fsl_lpuart: specify transmit FIFO size + +From: Stefan Agner + +commit 4e8f245937091b2c9eebf3d4909c9ceda4f0a78e upstream. + +Specify transmit FIFO size which might be different depending on +LPUART instance. This makes sure uart_wait_until_sent in serial +core getting called, which in turn waits and checks if the FIFO +is really empty on shutdown by using the tx_empty callback. +Without the call of this callback, the last several characters +might not yet be transmitted when closing the serial port. This +can be reproduced by simply using echo and redirect the output to +a ttyLP device. + +Signed-off-by: Stefan Agner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/fsl_lpuart.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -1095,6 +1095,8 @@ static int lpuart_startup(struct uart_po + sport->txfifo_size = 0x1 << (((temp >> UARTPFIFO_TXSIZE_OFF) & + UARTPFIFO_FIFOSIZE_MASK) + 1); + ++ sport->port.fifosize = sport->txfifo_size; ++ + sport->rxfifo_size = 0x1 << (((temp >> UARTPFIFO_RXSIZE_OFF) & + UARTPFIFO_FIFOSIZE_MASK) + 1); +