From: Greg Kroah-Hartman Date: Wed, 3 Oct 2012 20:21:54 +0000 (-0700) Subject: 3.0-stable patches X-Git-Tag: v3.0.45~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9d5ce16ff54172093cd5736615fd8db37ecb8f34;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: remove-bug_on-from-n_tty_read.patch serial-pl011-handle-corruption-at-high-clock-speeds.patch serial-set-correct-baud_base-for-exsys-ex-41092-dual-16950.patch staging-comedi-don-t-dereference-user-memory-for-insn_inttrig.patch staging-comedi-fix-memory-leak-for-saved-channel-list.patch staging-comedi-jr3_pci-fix-iomem-dereference.patch staging-comedi-s626-don-t-dereference-insn-data.patch staging-speakup_soft-fix-reading-of-init-string.patch tty-ttyprintk-don-t-touch-behind-tty-write_buf.patch
---
diff --git a/queue-3.0/remove-bug_on-from-n_tty_read.patch b/queue-3.0/remove-bug_on-from-n_tty_read.patch
new file mode 100644
index 00000000000..28b20230ad3
--- /dev/null
+++ b/queue-3.0/remove-bug_on-from-n_tty_read.patch
@@ -0,0 +1,32 @@
+From e9490e93c1978b6669f3e993caa3189be13ce459 Mon Sep 17 00:00:00 2001
+From: Stanislav Kozina
+Date: Thu, 16 Aug 2012 12:01:47 +0100
+Subject: Remove BUG_ON from n_tty_read()
+
+From: Stanislav Kozina
+
+commit e9490e93c1978b6669f3e993caa3189be13ce459 upstream.
+
+Change the BUG_ON to WARN_ON and return in case of tty->read_buf==NULL. We want to track a
+couple of long standing reports of this but at the same time we can avoid killing the box.
+
+Signed-off-by: Stanislav Kozina
+Signed-off-by: Alan Cox
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/n_tty.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/n_tty.c
++++ b/drivers/tty/n_tty.c
+@@ -1728,7 +1728,8 @@ static ssize_t n_tty_read(struct tty_str
+
+ do_it_again:
+
+- BUG_ON(!tty->read_buf);
++ if (WARN_ON(!tty->read_buf))
++ return -EAGAIN;
+
+ c = job_control(tty, file);
+ if (c < 0)
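Review bot: The added `if (WARN_ON(!tty->read_buf))` at `do_it_again:` emits a full warning with stack trace on every read() that hits the condition, so a process that simply retries on -EAGAIN can fill the kernel log for as long as `read_buf` stays NULL. `if (WARN_ON_ONCE(!tty->read_buf))` would still capture the trace the description wants for the long-standing reports while bounding the log volume. -EAGAIN is also returned to blocking readers here, which normally never see it; if that is deliberate, a short comment such as `/* should not happen; bail out instead of oopsing, caller may retry */` would say so. The rest of n_tty_read() is outside the hunk, so what state the tty is in when this fires cannot be judged from here.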
diff --git a/queue-3.0/serial-pl011-handle-corruption-at-high-clock-speeds.patch b/queue-3.0/serial-pl011-handle-corruption-at-high-clock-speeds.patch
new file mode 100644
index 00000000000..102dcff3831
--- /dev/null
+++ b/queue-3.0/serial-pl011-handle-corruption-at-high-clock-speeds.patch
@@ -0,0 +1,75 @@
+From c5dd553b9fd069892c9e2de734f4f604e280fa7a Mon Sep 17 00:00:00 2001
+From: Linus Walleij
+Date: Wed, 26 Sep 2012 17:21:36 +0200
+Subject: serial: pl011: handle corruption at high clock speeds
+
+From: Linus Walleij
+
+commit c5dd553b9fd069892c9e2de734f4f604e280fa7a upstream.
+
+This works around a few glitches in the ST version of the PL011
+serial driver when using very high baud rates, as we do in the
+Ux500: 3, 3.25, 4 and 4.05 Mbps.
+
+Problem Observed/rootcause:
+
+When using high baud-rates, and the baudrate*8 is getting close to
+the provided clock frequency (so a division factor close to 1), when
+using bursts of characters (so they are abutted), then it seems as if
+there is not enough time to detect the beginning of the start-bit which
+is a timing reference for the entire character, and thus the sampling
+moment of character bits is moving towards the end of each bit, instead
+of the middle.
+
+Fix:
+Increase slightly the RX baud rate of the UART above the theoretical
+baudrate by 5%. This will definitely give more margin time to the
+UART_RX to correctly sample the data at the middle of the bit period.
+
+Also fix the ages old copy-paste error in the very stressed comment,
+it's referencing the registers used in the PL010 driver rather than
+the PL011 ones.
+
+Signed-off-by: Guillaume Jaunet
+Signed-off-by: Christophe Arnal
+Signed-off-by: Matthias Locher
+Signed-off-by: Rajanikanth HV
+Cc: Bibek Basu
+Cc: Par-Gunnar Hjalmdahl
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/amba-pl011.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/amba-pl011.c
++++ b/drivers/tty/serial/amba-pl011.c
+@@ -1620,13 +1620,26 @@ pl011_set_termios(struct uart_port *port
+ old_cr &= ~ST_UART011_CR_OVSFACT;
+ }
+
++ /*
++ * Workaround for the ST Micro oversampling variants to
++ * increase the bitrate slightly, by lowering the divisor,
++ * to avoid delayed sampling of start bit at high speeds,
++ * else we see data corruption.
++ */
++ if (uap->vendor->oversampling) {
++ if ((baud >= 3000000) && (baud < 3250000) && (quot > 1))
++ quot -= 1;
++ else if ((baud > 3250000) && (quot > 2))
++ quot -= 2;
++ }
+ /* Set baud rate */
+ writew(quot & 0x3f, port->membase + UART011_FBRD);
+ writew(quot >> 6, port->membase + UART011_IBRD);
+
+ /*
+ * ----------v----------v----------v----------v-----
+- * NOTE: MUST BE WRITTEN AFTER UARTLCR_M & UARTLCR_L
++ * NOTE: lcrh_tx and lcrh_rx MUST BE WRITTEN AFTER
++ * UART011_FBRD & UART011_IBRD.
+ * ----------^----------^----------^----------^-----
+ */
+ writew(lcr_h, port->membase + uap->lcrh_rx);
diff --git a/queue-3.0/serial-set-correct-baud_base-for-exsys-ex-41092-dual-16950.patch b/queue-3.0/serial-set-correct-baud_base-for-exsys-ex-41092-dual-16950.patch
new file mode 100644
index 00000000000..bb418dd4c49
--- /dev/null
+++ b/queue-3.0/serial-set-correct-baud_base-for-exsys-ex-41092-dual-16950.patch
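Review bot: In the added oversampling workaround in pl011_set_termios(), `baud == 3250000` matches neither branch, because the first tests `baud < 3250000` and the second `baud > 3250000`, yet the description lists 3.25 Mbps among the affected rates. If that gap is not intentional, the second test should read `else if ((baud >= 3250000) && (quot > 2))`; if it is intentional, the comment should say why that rate needs no adjustment. The thresholds and step sizes would also read better as named constants than as bare literals. The function continues outside the hunk, so how `quot` was computed is not visible here.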
@@ -0,0 +1,56 @@
+From 26e8220adb0aec43b7acafa0f1431760eee28522 Mon Sep 17 00:00:00 2001
+From: Flavio Leitner
+Date: Fri, 21 Sep 2012 21:04:34 -0300
+Subject: serial: set correct baud_base for EXSYS EX-41092 Dual 16950
+
+From: Flavio Leitner
+
+commit 26e8220adb0aec43b7acafa0f1431760eee28522 upstream.
+
+Apparently the same card model has two IDs, so this patch
+complements the commit 39aced68d664291db3324d0fcf0985ab5626aac2
+adding the missing one.
+
+Signed-off-by: Flavio Leitner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/8250_pci.c | 9 +++++++--
+ include/linux/pci_ids.h | 1 -
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/8250_pci.c
++++ b/drivers/tty/serial/8250_pci.c
+@@ -1011,6 +1011,8 @@ static int pci_eg20t_init(struct pci_dev
+ #define PCI_SUBDEVICE_ID_OCTPRO422 0x0208
+ #define PCI_SUBDEVICE_ID_POCTAL232 0x0308
+ #define PCI_SUBDEVICE_ID_POCTAL422 0x0408
++#define PCI_SUBDEVICE_ID_SIIG_DUAL_00 0x2500
++#define PCI_SUBDEVICE_ID_SIIG_DUAL_30 0x2530
+ #define PCI_VENDOR_ID_ADVANTECH 0x13fe
+ #define PCI_DEVICE_ID_INTEL_CE4100_UART 0x2e66
+ #define PCI_DEVICE_ID_ADVANTECH_PCI3620 0x3620
+@@ -3009,8 +3011,11 @@ static struct pci_device_id serial_pci_t
+ * For now just used the hex ID 0x950a.
+ */
+ { PCI_VENDOR_ID_OXSEMI, 0x950a,
+- PCI_SUBVENDOR_ID_SIIG, PCI_SUBDEVICE_ID_SIIG_DUAL_SERIAL, 0, 0,
+- pbn_b0_2_115200 },
++ PCI_SUBVENDOR_ID_SIIG, PCI_SUBDEVICE_ID_SIIG_DUAL_00,
++ 0, 0, pbn_b0_2_115200 },
++ { PCI_VENDOR_ID_OXSEMI, 0x950a,
++ PCI_SUBVENDOR_ID_SIIG, PCI_SUBDEVICE_ID_SIIG_DUAL_30,
++ 0, 0, pbn_b0_2_115200 },
+ { PCI_VENDOR_ID_OXSEMI, 0x950a,
+ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+ pbn_b0_2_1130000 },
+--- a/include/linux/pci_ids.h
++++ b/include/linux/pci_ids.h
+@@ -1818,7 +1818,6 @@
+ #define PCI_DEVICE_ID_SIIG_8S_20x_650 0x2081
+ #define PCI_DEVICE_ID_SIIG_8S_20x_850 0x2082
+ #define PCI_SUBDEVICE_ID_SIIG_QUARTET_SERIAL 0x2050
+-#define PCI_SUBDEVICE_ID_SIIG_DUAL_SERIAL 0x2530
+
+ #define PCI_VENDOR_ID_RADISYS 0x1331
+
diff --git a/queue-3.0/series b/queue-3.0/series
index 4676855b511..c455af21b44 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -3,3 +3,12 @@ dm-handle-requests-beyond-end-of-device-instead-of-using-bug_on.patch
 usb-option-blacklist-qmi-interface-on-zte-mf683.patch
 usb-ftdi_sio-add-tiao-usb-multi-protocol-adapter-tumpa-support.patch
 usb-qcaux-add-pantech-vendor-class-match.patch
+staging-speakup_soft-fix-reading-of-init-string.patch
+staging-comedi-s626-don-t-dereference-insn-data.patch
+staging-comedi-jr3_pci-fix-iomem-dereference.patch
+staging-comedi-don-t-dereference-user-memory-for-insn_inttrig.patch
+staging-comedi-fix-memory-leak-for-saved-channel-list.patch
+remove-bug_on-from-n_tty_read.patch
+tty-ttyprintk-don-t-touch-behind-tty-write_buf.patch
+serial-pl011-handle-corruption-at-high-clock-speeds.patch
+serial-set-correct-baud_base-for-exsys-ex-41092-dual-16950.patch
diff --git a/queue-3.0/staging-comedi-don-t-dereference-user-memory-for-insn_inttrig.patch b/queue-3.0/staging-comedi-don-t-dereference-user-memory-for-insn_inttrig.patch
new file mode 100644
index 00000000000..390bb59bc70
--- /dev/null
+++ b/queue-3.0/staging-comedi-don-t-dereference-user-memory-for-insn_inttrig.patch
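Review bot: The two new SIIG entries in serial_pci_tbl work only because they sit ahead of the `PCI_ANY_ID, PCI_ANY_ID` entry for the same OXSEMI 0x950a device, and nothing in the new lines records that ordering dependency. Assuming the table is matched first-hit, as PCI ID tables normally are, a comment above them such as `/* must precede the generic 0x950a entry below, which would otherwise claim these cards with the wrong baud base */` would keep a later re-sort from silently reverting the fix. The hunk also drops `PCI_SUBDEVICE_ID_SIIG_DUAL_SERIAL` from include/linux/pci_ids.h; whether anything else in the tree still uses it cannot be seen from here.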
@@ -0,0 +1,32 @@
+From 5d06e3df280bd230e2eadc16372e62818c63e894 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Tue, 18 Sep 2012 19:46:58 +0100
+Subject: staging: comedi: don't dereference user memory for INSN_INTTRIG
+
+From: Ian Abbott
+
+commit 5d06e3df280bd230e2eadc16372e62818c63e894 upstream.
+
+`parse_insn()` is dereferencing the user-space pointer `insn->data`
+directly when handling the `INSN_INTTRIG` comedi instruction. It
+shouldn't be using `insn->data` at all; it should be using the separate
+`data` pointer passed to the function. Fix it.
+
+Signed-off-by: Ian Abbott
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/comedi/comedi_fops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/comedi_fops.c
++++ b/drivers/staging/comedi/comedi_fops.c
+@@ -843,7 +843,7 @@ static int parse_insn(struct comedi_devi
+ ret = -EAGAIN;
+ break;
+ }
+- ret = s->async->inttrig(dev, s, insn->data[0]);
++ ret = s->async->inttrig(dev, s, data[0]);
+ if (ret >= 0)
+ ret = 1;
+ break;
diff --git a/queue-3.0/staging-comedi-fix-memory-leak-for-saved-channel-list.patch b/queue-3.0/staging-comedi-fix-memory-leak-for-saved-channel-list.patch
new file mode 100644
index 00000000000..42d1c250051
--- /dev/null
+++ b/queue-3.0/staging-comedi-fix-memory-leak-for-saved-channel-list.patch
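Review bot: The one-line change in parse_insn() from `insn->data[0]` to `data[0]` fixes a direct kernel dereference of a user-space pointer, and the same defect is fixed in s626_enc_insn_config() by the s626 patch later in this commit, but nothing in either hunk stops the pattern from coming back in another driver. If the `data` member of the instruction structure is not already annotated `__user`, adding that annotation would let sparse flag every remaining `insn->data[...]` access in handlers. The check that the instruction carries at least one data word before `data[0]` is read is not visible in this hunk; confirm it exists in the part of the INSN_INTTRIG case that lies above the context shown.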
@@ -0,0 +1,52 @@
+From c8cad4c89ee3b15935c532210ae6ebb5c0a2734d Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Wed, 19 Sep 2012 19:37:39 +0100
+Subject: staging: comedi: fix memory leak for saved channel list
+
+From: Ian Abbott
+
+commit c8cad4c89ee3b15935c532210ae6ebb5c0a2734d upstream.
+
+When `do_cmd_ioctl()` allocates memory for the kernel copy of a channel
+list, it frees any previously allocated channel list in
+`async->cmd.chanlist` and replaces it with the new one. However, if the
+device is ever removed (or "detached") the cleanup code in
+`cleanup_device()` in "drivers.c" does not free this memory so it is
+lost.
+
+A sensible place to free the kernel copy of the channel list is in
+`do_become_nonbusy()` as at that point the comedi asynchronous command
+associated with the channel list is no longer valid. Free the channel
+list in `do_become_nonbusy()` instead of `do_cmd_ioctl()` and clear the
+pointer to prevent it being freed more than once.
+
+Note that `cleanup_device()` could be called at an inappropriate time
+while the comedi device is open, but that's a separate bug not related
+to this this patch.
+
+Signed-off-by: Ian Abbott
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/comedi/comedi_fops.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/comedi_fops.c
++++ b/drivers/staging/comedi/comedi_fops.c
+@@ -1088,7 +1088,6 @@ static int do_cmd_ioctl(struct comedi_de
+ goto cleanup;
+ }
+
+- kfree(async->cmd.chanlist);
+ async->cmd = user_cmd;
+ async->cmd.data = NULL;
+ /* load channel/gain list */
+@@ -1833,6 +1832,8 @@ void do_become_nonbusy(struct comedi_dev
+ if (async) {
+ comedi_reset_async_buf(async);
+ async->inttrig = NULL;
++ kfree(async->cmd.chanlist);
++ async->cmd.chanlist = NULL;
+ } else {
+ printk(KERN_ERR
+ "BUG: (?) do_become_nonbusy called with async=0\n");
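Review bot: With the `kfree()` moved into do_become_nonbusy(), the context line `async->cmd = user_cmd;` in do_cmd_ioctl() matters more than before: it copies the caller-supplied command, including its `chanlist` pointer, into `async->cmd`, and that field is what the new `kfree(async->cmd.chanlist);` later frees. The code that replaces the field with the kernel allocation is outside the hunk, so confirm that no error path can reach do_become_nonbusy() while `async->cmd.chanlist` still holds the user-space value. Clearing it at the copy, with `async->cmd.chanlist = NULL;` next to the existing `async->cmd.data = NULL;`, would make that safe by construction rather than by statement order.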
diff --git a/queue-3.0/staging-comedi-jr3_pci-fix-iomem-dereference.patch b/queue-3.0/staging-comedi-jr3_pci-fix-iomem-dereference.patch
new file mode 100644
index 00000000000..eda564f80a5
--- /dev/null
+++ b/queue-3.0/staging-comedi-jr3_pci-fix-iomem-dereference.patch
@@ -0,0 +1,31 @@
+From e1878957b4676a17cf398f7f5723b365e9a2ca48 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Thu, 27 Sep 2012 17:45:27 +0100
+Subject: staging: comedi: jr3_pci: fix iomem dereference
+
+From: Ian Abbott
+
+commit e1878957b4676a17cf398f7f5723b365e9a2ca48 upstream.
+
+Correct a direct dereference of I/O memory to use an appropriate I/O
+memory access function. Note that the pointer being dereferenced is not
+currently tagged with `__iomem` but I plan to correct that for 3.7.
+
+Signed-off-by: Ian Abbott
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/comedi/drivers/jr3_pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/jr3_pci.c
++++ b/drivers/staging/comedi/drivers/jr3_pci.c
+@@ -913,7 +913,7 @@ static int jr3_pci_attach(struct comedi_
+ }
+
+ /* Reset DSP card */
+- devpriv->iobase->channel[0].reset = 0;
++ writel(0, &devpriv->iobase->channel[0].reset);
+
+ result = comedi_load_firmware(dev, "jr3pci.idm", jr3_download_firmware);
+ printk("Firmare load %d\n", result);
diff --git a/queue-3.0/staging-comedi-s626-don-t-dereference-insn-data.patch b/queue-3.0/staging-comedi-s626-don-t-dereference-insn-data.patch
new file mode 100644
index 00000000000..649e27b22bc
--- /dev/null
+++ b/queue-3.0/staging-comedi-s626-don-t-dereference-insn-data.patch
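Review bot: `writel(0, &devpriv->iobase->channel[0].reset);` in jr3_pci_attach() always issues a 32-bit store, whereas the assignment it replaces used whatever width the `reset` member has, and that declaration is not visible in the hunk. Confirm the member is 32 bits wide, otherwise the write spills into the neighbouring register. Until the `__iomem` annotation mentioned in the description lands, a comment at the pointer's declaration such as `/* I/O memory: access only through readl()/writel() */` would help keep further direct dereferences out.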
@@ -0,0 +1,32 @@
+From b655c2c4782ed3e2e71d2608154e295a3e860311 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Mon, 24 Sep 2012 17:20:52 +0100
+Subject: staging: comedi: s626: don't dereference insn->data
+
+From: Ian Abbott
+
+commit b655c2c4782ed3e2e71d2608154e295a3e860311 upstream.
+
+`s626_enc_insn_config()` is incorrectly dereferencing `insn->data` which
+is a pointer to user memory. It should be dereferencing the separate
+`data` parameter that points to a copy of the data in kernel memory.
+
+Signed-off-by: Ian Abbott
+Reviewed-by: H Hartley Sweeten
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/comedi/drivers/s626.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/s626.c
++++ b/drivers/staging/comedi/drivers/s626.c
+@@ -2370,7 +2370,7 @@ static int s626_enc_insn_config(struct c
+ /* (data==NULL) ? (Preloadvalue=0) : (Preloadvalue=data[0]); */
+
+ k->SetMode(dev, k, Setup, TRUE);
+- Preload(dev, k, *(insn->data));
++ Preload(dev, k, data[0]);
+ k->PulseIndex(dev, k);
+ SetLatchSource(dev, k, valueSrclatch);
+ k->SetEnable(dev, k, (uint16_t) (enab != 0));
diff --git a/queue-3.0/staging-speakup_soft-fix-reading-of-init-string.patch b/queue-3.0/staging-speakup_soft-fix-reading-of-init-string.patch
new file mode 100644
index 00000000000..f7b65f44b6f
--- /dev/null
+++ b/queue-3.0/staging-speakup_soft-fix-reading-of-init-string.patch
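Review bot: The context line `/* (data==NULL) ? (Preloadvalue=0) : (Preloadvalue=data[0]); */` directly above the changed call in s626_enc_insn_config() suggests `data` was once expected to be NULL in some calls, while the new `Preload(dev, k, data[0]);` reads it unconditionally, as the old code did with `insn->data`. If the caller always passes a kernel copy holding at least one word, the stale comment should be removed or replaced with one stating that guarantee; if not, the call needs a guard first. Neither the caller nor any length check is visible in this hunk.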
@@ -0,0 +1,69 @@
+From 40fe4f89671fb3c7ded94190fb267402a38b0261 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Sun, 16 Sep 2012 04:18:50 +0100
+Subject: staging: speakup_soft: Fix reading of init string
+
+From: Ben Hutchings
+
+commit 40fe4f89671fb3c7ded94190fb267402a38b0261 upstream.
+
+softsynth_read() reads a character at a time from the init string;
+when it finds the null terminator it sets the initialized flag but
+then repeats the last character.
+
+Additionally, if the read() buffer is not big enough for the init
+string, the next read() will start reading from the beginning again.
+So the caller may never progress to reading anything else.
+
+Replace the simple initialized flag with the current position in
+the init string, carried over between calls. Switch to reading
+real data once this reaches the null terminator.
+
+(This assumes that the length of the init string can't change, which
+seems to be the case. Really, the string and position belong together
+in a per-file private struct.)
+
+Tested-by: Samuel Thibault
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/speakup/speakup_soft.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+--- a/drivers/staging/speakup/speakup_soft.c
++++ b/drivers/staging/speakup/speakup_soft.c
+@@ -40,7 +40,7 @@ static int softsynth_is_alive(struct spk
+ static unsigned char get_index(void);
+
+ static struct miscdevice synth_device;
+-static int initialized;
++static int init_pos;
+ static int misc_registered;
+
+ static struct var_t vars[] = {
+@@ -194,7 +194,7 @@ static int softsynth_close(struct inode
+ unsigned long flags;
+ spk_lock(flags);
+ synth_soft.alive = 0;
+- initialized = 0;
++ init_pos = 0;
+ spk_unlock(flags);
+ /* Make sure we let applications go before leaving */
+ speakup_start_ttys();
+@@ -239,13 +239,8 @@ static ssize_t softsynth_read(struct fil
+ ch = '\x18';
+ } else if (synth_buffer_empty()) {
+ break;
+- } else if (!initialized) {
+- if (*init) {
+- ch = *init;
+- init++;
+- } else {
+- initialized = 1;
+- }
++ } else if (init[init_pos]) {
++ ch = init[init_pos++];
+ } else {
+ ch = synth_buffer_getc();
+ }
diff --git a/queue-3.0/tty-ttyprintk-don-t-touch-behind-tty-write_buf.patch b/queue-3.0/tty-ttyprintk-don-t-touch-behind-tty-write_buf.patch
new file mode 100644
index 00000000000..cd40cd6bd79
--- /dev/null
+++ b/queue-3.0/tty-ttyprintk-don-t-touch-behind-tty-write_buf.patch
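Review bot: `init_pos` is a file-scope `static int` used as an index in `init[init_pos]` in softsynth_read(), but the new declaration carries no comment on what it indexes, which lock protects it, or that it is only reset in softsynth_close(). The description itself notes that the scheme relies on the init string never changing length; if the string were ever replaced by a shorter one between reads, `init[init_pos]` would read past its terminator. A comment at the declaration such as `/* offset of the next unread byte of the init string; reset under spk_lock in softsynth_close() */` would record that, and an unsigned type would suit an index better. Whether softsynth_read() holds the same lock around the access is not visible in the hunk.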
@@ -0,0 +1,33 @@
+From ee8b593affdf893012e57f4c54a21984d1b0d92e Mon Sep 17 00:00:00 2001
+From: Jiri Slaby
+Date: Tue, 7 Aug 2012 21:47:39 +0200
+Subject: TTY: ttyprintk, don't touch behind tty->write_buf
+
+From: Jiri Slaby
+
+commit ee8b593affdf893012e57f4c54a21984d1b0d92e upstream.
+
+If a user provides a buffer larger than a tty->write_buf chunk and
+passes '\r' at the end of the buffer, we touch an out-of-bound memory.
+
+Add a check there to prevent this.
+
+Signed-off-by: Jiri Slaby
+Cc: Samo Pogacnik
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/ttyprintk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/ttyprintk.c
++++ b/drivers/char/ttyprintk.c
+@@ -66,7 +66,7 @@ static int tpk_printk(const unsigned cha
+ tmp[tpk_curr + 1] = '\0';
+ printk(KERN_INFO "%s%s", tpk_tag, tmp);
+ tpk_curr = 0;
+- if (buf[i + 1] == '\n')
++ if ((i + 1) < count && buf[i + 1] == '\n')
+ i++;
+ break;
+ case '\n':
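Review bot: The added `(i + 1) < count` test in the '\r' case of tpk_printk() stops the read past the end of `buf`, but it also means a CR/LF pair split across two calls is not collapsed: the '\r' ending one chunk emits a line, and the '\n' that opens the next chunk appears to go through the `case '\n':` path separately. If the extra line break is accepted, a comment such as `/* swallow the LF of a CRLF pair only if it is inside this chunk */` would document it. The context line `tmp[tpk_curr + 1] = '\0';` depends on a bound for `tpk_curr` that is enforced outside the hunk, so it cannot be checked from here.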